2b19632e09
Wrapping apiObject does not work as intended as the version field is when fetching objects from the API. Thus we need to insert the target path of the signature directly.
/*
Copyright (c) Edgeless Systems GmbH
SPDX-License-Identifier: AGPL-3.0-only
*/
package sigstore
import (
"testing"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
// TestNewCosignVerifier checks that NewCosignVerifier accepts a well-formed
// PEM-encoded public key and returns an error for a PEM block whose body has
// been corrupted.
func TestNewCosignVerifier(t *testing.T) {
	type keyCase struct {
		publicKey []byte
		wantErr   bool
	}

	testCases := map[string]keyCase{
		"success": {
			publicKey: []byte(`-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAElWUhon39eAqzEC+/GP03oY4/MQg+
gCDlEzkuOCybCHf+q766bve799L7Y5y5oRsHY1MrUCUwYF/tL7Sg7EYMsA==
-----END PUBLIC KEY-----`),
		},
		// Same PEM armor and line lengths as the valid key, but part of the
		// first body line is overwritten, so construction is expected to fail
		// instead of yielding a verifier built from garbage key material.
		"broken public key": {
			publicKey: []byte(`-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIthisIsNotAValidPublicAtAllUhon39eAqzEC+/GP03oY4/MQg+
gCDlEzkuOCybCHf+q766bve799L7Y5y5oRsHY1MrUCUwYF/tL7Sg7EYMsA==
-----END PUBLIC KEY-----`),
			wantErr: true,
		},
	}

	for name, tc := range testCases {
		t.Run(name, func(t *testing.T) {
			check := assert.New(t)

			got, err := NewCosignVerifier(tc.publicKey)
			if !tc.wantErr {
				check.NoError(err)
				// NOTE(review): this comparison only proves something if
				// NewCosignVerifier returns a CosignVerifier value; a result
				// of any other dynamic type would pass trivially. Confirm
				// against the constructor's return type.
				check.NotEqual(got, CosignVerifier{})
				return
			}
			check.Error(err)
		})
	}
}
// TestVerifySignature checks that a verifier built from a fixed public key
// accepts a signature over the content it is expected to match and rejects
// the same signature when the content differs.
//
// Only a content mismatch is exercised as a negative case here; a signature
// checked against a different key, a truncated signature, or a non-base64
// signature are not covered by this table.
func TestVerifySignature(t *testing.T) {
	// Test fixtures shared by both cases: one public key and one
	// base64-encoded signature.
	const (
		pubKeyPEM = `-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAElWUhon39eAqzEC+/GP03oY4/MQg+
gCDlEzkuOCybCHf+q766bve799L7Y5y5oRsHY1MrUCUwYF/tL7Sg7EYMsA==
-----END PUBLIC KEY-----`
		sigB64 = "MEUCIQDzMN3yaiO9sxLGAaSA9YD8rLwzvOaZKWa/bzkcjImUFAIgXLLGzClYUd1dGbuEiY3O/g/eiwQYlyxqLQalxjFmz+8="
	)

	type sigCase struct {
		content   []byte
		signature []byte
		publicKey []byte
		wantErr   bool
	}

	testCases := map[string]sigCase{
		"success": {
			content:   []byte("This is some content to be signed!\n"),
			signature: []byte(sigB64),
			publicKey: []byte(pubKeyPEM),
		},
		// Identical key and signature, different payload: verification must
		// fail, showing the signature is bound to the signed bytes.
		"mismatching content": {
			content:   []byte("This is some completely different content!\n"),
			signature: []byte(sigB64),
			publicKey: []byte(pubKeyPEM),
			wantErr:   true,
		},
	}

	for name, tc := range testCases {
		t.Run(name, func(t *testing.T) {
			check := assert.New(t)

			// Every case uses a valid key, so a constructor failure aborts
			// the subtest rather than being counted as a verification result.
			verifier, err := NewCosignVerifier(tc.publicKey)
			require.NoError(t, err)

			verifyErr := verifier.VerifySignature(tc.content, tc.signature)
			if !tc.wantErr {
				check.NoError(verifyErr)
				return
			}
			check.Error(verifyErr)
		})
	}
}
// TestIsBase64 checks which inputs IsBase64 reports as errors: well-formed
// base64 and empty input are expected to pass, and text outside the base64
// alphabet is expected to fail.
func TestIsBase64(t *testing.T) {
	type b64Case struct {
		signature []byte
		wantErr   bool
	}

	tests := map[string]b64Case{
		"valid base64": {
			signature: []byte("SGVsbG8gV29ybGQ="),
			wantErr:   false,
		},
		"invalid base64": {
			signature: []byte("not base64"),
			wantErr:   true,
		},
		// Empty input is expected to pass, so a nil error from IsBase64 says
		// nothing about whether a signature is actually present.
		"empty input": {
			signature: []byte{},
			wantErr:   false,
		},
	}

	for name, tc := range tests {
		t.Run(name, func(t *testing.T) {
			err := IsBase64(tc.signature)
			gotErr := err != nil
			if gotErr == tc.wantErr {
				return
			}
			t.Errorf("IsBase64() error = %v, wantErr %v", err, tc.wantErr)
		})
	}
}