// Copyright 2025 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// This file holds the fixtures and helpers shared by the gcpsak tests: a fake
// service account key (ID, e-mail, private key), a fake metadata-server
// certificate carrying the matching public key, the expected signature for
// that key, and a helper that mints a fresh key/certificate pair on demand.
package gcpsak_test

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"testing"
)

const (
	// exampleKeyID is a made-up 40-hex-character key ID (presumably mirroring
	// the shape of a service account key's private_key_id field).
	exampleKeyID = "123456789abcdef0123456789abcdef012345678"
	// exampleServiceAccount is a syntactically valid service account e-mail
	// for a project that does not exist.
	exampleServiceAccount = "some-service-account@some-project-id.iam.gserviceaccount.com"
	// examplePrivateKey was generated manually specifically for this test and
	// does not actually belong to any real GCP service account.
	// The corresponding signature is hardcoded below.
	//
	// It is a PKCS#8 PEM block (the unqualified "PRIVATE KEY" label), the same
	// encoding genKeyAndCert produces. Because it is committed to the
	// repository it is public by definition: treat it as burned, never reuse
	// it outside these tests, and expect secret scanners (including this one)
	// to flag it wherever it is copied.
	examplePrivateKey = `-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCsQfQ524jSCtAi
0RbzWuo3S6jJjTydYeSO/cKouEOmhKLoUxWVEXGC70MFL/ed5XqpR82amJZwzxLN
tWQABwLGLkfD4aD4MAWprSjRAv9YSUI5s+NjiqgpzNulysgQmKDy3zgq4cAQtKzn
jWgZjMrXVQz1UhRZAiO/xDb/x6sw/4DMJptw2zHvxxMnRR/o93UM+fyJ6L99UNhC
zLIp9IT8JQEhQu68Pbgrhu04syrUOYPrWLtpCDc80hPW9A/UJiWYkZcxhHSEXtsN
dNGlB5S+jIEZDqyLaHRJ2vaud5CEd8CTRPhIM1ASnj36+FyQA2YRaFvJofw76N1W
J9BMrJadAgMBAAECggEACv1GLG7CAsxnzODT+wCA0rhD81/MTyoQn8K2qXbf8f6i
Ofoa9WCggj7rYqhVvsAGHEiVaFh1uIqtY2xADfRki+ol7+w0DcFaiyGd6f+r9KDv
1aiRSCdvZQNJvAD81Ho4QmZVOf8e9rHgGgGec4rU4fnuErSC0c7eIvzMmXLOjBiV
3ch9CHO7iKp0krLfsSnAHnK3ove5kGBA6A3sYwR+/7680i/aoC7l3gtXh0MW2E9h
kkLKc9VqZenrMlXoMQngI6c0Ii/AntQbb3akomnqlajIa0OibBLYTJbv26ChUlsN
A6SGQHIXemM+HuiAh/U6AAvlXkTSGQsO78fEtwvC7QKBgQDnlNIT3CkqTmev+p+o
R34RmT/c+8NLCUv8rdBtUNErY4/y/Lagg0oq6nPu/p+KLnS73ycGhsSBUbAc8+wy
oEgy4B4e92jzm0NxFv8i3cY29O4qxtn99kfKrfscsMcqycpxbdoTpPgRyhFGsITu
Z8lBqFDUUlcowENuJmDnNbQw4wKBgQC+a8g0AaMHi3QBz22KfLWe9HDy8DawY/zx
Hajoo+/a5c8BOl2ZWT+YdnQRWsvr370yPcSNWkg6NwmmSx1DF3PTpRTiIUFa6azB
m7aExYHXSumVUsDqmu2TDMRVBwb6lCQSTY0QySwvf23kPT+adYNvtLdvVN6sLpww
nr4f1xQyfwKBgQCk5EpQ6cpF3V3m58UWxRD25u+aIYmEvDHm0Lw/mfPVuSaeFWLU
F6ePtzClU5e1hC6KNvJKq1rv2YJUmznrMkU2NG4+DlwkWMFEnOM9qDuilfOfccd2
FQ45Ong6jYTC6rvC2D0XD7eysvZqJvX/6tZaccZb5+U3lu5sV9dXyd1rkQKBgB5h
Y9eoSzJw9Vk0lu15aCCsLzkTSiZqTXjKmqBDR4lNEPHJNhW5P4Q7odkC+3XuhGj3
odxLgyqGjWuSoGCL5VbnB6XsWFkA3yckiMI2ILkQoqPISC8l+LF1X/2Q2XQxHnAt
H0yGTB5n3kiD3RnvlcDEvF9u0vf1l8XKDdtWnUpRAoGAPeRvBGsTXD0c62FAQ7Ct
H7e7IlqS0iKfRV5/cmUDeuFD8RBK4iZFTlCAVqakdmjUlfJPb60D3xwlJpCoZSKi
2lY9Rj7ypRiTUoT35nVVHw8ejwYBMawo4Gkaqd198mYxUogJvOuTcGJ509DdTack
RsacStLCR1jUc6EzaCaj61w=
-----END PRIVATE KEY-----
`
	// The certificates provided by the Google Cloud Metadata server of course
	// contain a lot more information but for the intents and purposes of this
	// test, we can synthesize a fake. It contains the public key corresponding
	// to examplePrivateKey.
	//
	// The fake is self-signed with an empty subject/issuer and a zero
	// (0001-01-01) validity window, so it should never pass chain or validity
	// checks: tests must only extract the public key from it, never validate
	// it. This is the same shape genKeyAndCert produces from an empty template.
	exampleCertificate = `-----BEGIN CERTIFICATE-----
MIICkDCCAXigAwIBAgIUF71g4w7a5jGaR/NV9RboV+P+blQwDQYJKoZIhvcNAQEL
BQAwADAiGA8wMDAxMDEwMTAwMDAwMFoYDzAwMDEwMTAxMDAwMDAwWjAAMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArEH0OduI0grQItEW81rqN0uoyY08
nWHkjv3CqLhDpoSi6FMVlRFxgu9DBS/3neV6qUfNmpiWcM8SzbVkAAcCxi5Hw+Gg
+DAFqa0o0QL/WElCObPjY4qoKczbpcrIEJig8t84KuHAELSs541oGYzK11UM9VIU
WQIjv8Q2/8erMP+AzCabcNsx78cTJ0Uf6Pd1DPn8iei/fVDYQsyyKfSE/CUBIULu
vD24K4btOLMq1DmD61i7aQg3PNIT1vQP1CYlmJGXMYR0hF7bDXTRpQeUvoyBGQ6s
i2h0Sdr2rneQhHfAk0T4SDNQEp49+vhckANmEWhbyaH8O+jdVifQTKyWnQIDAQAB
MA0GCSqGSIb3DQEBCwUAA4IBAQBaEQlqxmTsyequ9xxJrILB/AWTkyNIYf4iS98H
XSBMx1rkdWpm1dRoXHpwPA5uWvSIrlWPXEZgbYy+qUTRetwOqpCm7oLSl+VUiHol
sR1wAPsG2Oe23GzTXuu6OCeoJpjYCw1NETRJ4aEDpvHGYARHCPUGPGUY09eMNDk1
mMV2122qCuk5SXth/gxeJdDA4WaAhWUUwu2CwuTAqIe0aTs/kY5yo1nQlcO2yEnZ
F/WGWO49hwu0rllD9/cU4KUKIN0dGyJUU9vIzyp4fyN2IKGxmKnnfMv9Ixhnyodc
EECZ53cSGqXaVUy01joqpyAh+rCICumd3uAM0a2vxOYR3hV+
-----END CERTIFICATE-----`
)

var (
	// exampleSignature is the signature for examplePrivateKey obtained by using
	// gcpsak.sign() on it. Hardcoding it here is fine because the signature logic
	// should never change.
	//
	// It is 256 bytes, i.e. one signature from a 2048-bit RSA key. If
	// gcpsak.sign() ever does change (hash, padding, or what it signs), this
	// fixture must be regenerated with the new implementation, not patched by
	// hand.
	exampleSignature = []byte{
		78, 94, 170, 137, 175, 34, 187, 129, 234, 202, 96, 116, 144, 240, 39, 186,
		168, 48, 27, 153, 225, 133, 242, 243, 209, 144, 25, 137, 159, 131, 57, 88,
		135, 43, 118, 222, 162, 196, 149, 124, 31, 51, 71, 112, 217, 85, 185, 68,
		254, 179, 241, 252, 108, 251, 153, 165, 158, 71, 194, 190, 17, 246, 12, 66,
		16, 221, 39, 52, 111, 136, 173, 31, 20, 113, 4, 8, 26, 119, 135, 133, 202,
		179, 205, 168, 74, 129, 238, 128, 209, 177, 119, 54, 128, 47, 34, 170, 17,
		195, 97, 177, 58, 130, 75, 242, 186, 85, 54, 7, 207, 207, 81, 135, 139, 54,
		79, 93, 2, 34, 194, 91, 101, 15, 87, 54, 162, 142, 184, 23, 182, 104, 32,
		50, 20, 189, 209, 171, 188, 220, 54, 125, 108, 22, 212, 103, 7, 219, 134,
		239, 38, 217, 140, 251, 154, 226, 85, 81, 206, 220, 136, 109, 18, 147, 217,
		22, 57, 30, 217, 234, 174, 245, 67, 144, 80, 36, 167, 44, 116, 94, 230, 86,
		42, 186, 94, 43, 166, 161, 17, 192, 163, 43, 56, 174, 154, 61, 248, 142, 22,
		79, 43, 140, 13, 229, 244, 137, 228, 63, 71, 119, 142, 147, 110, 172, 253,
		76, 150, 237, 152, 151, 255, 196, 172, 86, 109, 21, 141, 160, 29, 233, 32,
		19, 127, 7, 80, 85, 102, 142, 165, 106, 103, 28, 31, 57, 209, 234, 43, 119,
		247, 9, 125, 79, 25, 48, 66, 196, 23, 139,
	}
)

// genKeyAndCert mints a fresh RSA-2048 private key and a self-signed
// certificate for it and returns both PEM-encoded: a PKCS#8 "PRIVATE KEY"
// block and a "CERTIFICATE" block, in that order. It is the randomized
// counterpart of examplePrivateKey/exampleCertificate for tests that must
// not depend on the fixed fixture. Any failure aborts the calling test via
// t.Fatal*, so callers need not check the results.
func genKeyAndCert(t *testing.T) (string, string) {
	t.Helper()
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		t.Fatalf("rsa.GenerateKey() error: %v", err)
	}
	privDER, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		t.Fatalf("x509.MarshalPKCS8PrivateKey() error: %v", err)
	}
	privPEM := pem.EncodeToMemory(&pem.Block{
		Type:  "PRIVATE KEY",
		Bytes: privDER,
	})
	// EncodeToMemory only returns nil when the block has headers it cannot
	// encode; there are no headers here, so this is a defensive check.
	if privPEM == nil {
		t.Fatal("pem.EncodeToMemory() failed for private key")
	}
	// Zero-value template: no subject/issuer, no validity window, no key
	// usage, nil SerialNumber. The certificate is only a carrier for the
	// public key, exactly like exampleCertificate.
	// NOTE(review): x509.CreateCertificate only fills in a random serial
	// itself when template.SerialNumber is nil on recent Go releases (1.24+,
	// as far as I recall); older ones fail with "x509: no SerialNumber given".
	// Confirm the module's go directive is new enough.
	cert := x509.Certificate{}
	certDER, err := x509.CreateCertificate(rand.Reader, &cert, &cert, priv.Public(), priv)
	if err != nil {
		t.Fatalf("x509.CreateCertificate() error: %v", err)
	}
	certPEM := pem.EncodeToMemory(&pem.Block{
		Type:  "CERTIFICATE",
		Bytes: certDER,
	})
	// Same defensive check as for the private key above.
	if certPEM == nil {
		t.Fatalf("pem.EncodeToMemory() failed for certificate")
	}
	return string(privPEM), string(certPEM)
}