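// Source: github.com/google/trillian-examples@v0.0.0-20240520080811-0d40d35cef0e/internal/note/note_verifier_test.go

// Copyright 2021 Google LLC. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package note

import (
	"testing"

	"golang.org/x/mod/sumdb/note"
)

// Verifier key strings used by the tests below. Each has the form
// <name>+<key hash>+<base64 key material>. These are public keys only.
const (
	// These come from the current SigStore Rekor key, which is an ECDSA key:
	sigStoreKeyMaterial = "AjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABNhtmPtrWm3U1eQXBogSMdGvXwBcK5AW5i0hrZLOC96l+smGNM7nwZ4QvFK/4sueRoVj//QP22Ni4Qt9DPfkWLc="
	sigStoreKeyHash     = "c0d23d6a"
	sigStoreKey         = "rekor.sigstore.dev" + "+" + sigStoreKeyHash + "+" + sigStoreKeyMaterial

	// These come from the current Pixel6 log key, which is an ECDSA key.
	// KeyMaterial converted from PEM contents here: https://go.dev/play/p/xKGbOGW_JHZ
	pixelKeyMaterial = "AjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABN+4x0Jk1yTwvLFI9A4NDdGZcX0aiWVdWM5XJVy0M4VWD3AvyW5Q6Hs9A0mcDkpUoYgn+KKPNzFC0H3nN3q6JQ8="
	pixelKeyHash     = "91c16e30"
	pixelKey         = "pixel6_transparency_log" + "+" + pixelKeyHash + "+" + pixelKeyMaterial
)

// TestNewVerifier checks that NewVerifier accepts a key only under the key
// type it was written for. The "mismatch" cases matter for a verifier factory:
// a key string must not be silently accepted under a different algorithm than
// the one the caller configured.
func TestNewVerifier(t *testing.T) {
	for _, test := range []struct {
		name    string
		keyType string
		key     string
		wantErr bool
	}{
		{
			// Empty keyType with a standard note-format key.
			name: "note works",
			key:  "PeterNeumann+c74f20a3+ARpc2QcUPDhMQegwxbzhKqiBfsVkmqq/LDE4izWy10TW",
		}, {
			// ECDSA-format key string offered under the empty keyType.
			name:    "note mismatch",
			key:     sigStoreKey,
			wantErr: true,
		}, {
			name:    "ECDSA works",
			keyType: ECDSA,
			key:     sigStoreKey,
		}, {
			// Note-format key string offered as an ECDSA key.
			name:    "ECDSA mismatch",
			keyType: ECDSA,
			key:     "PeterNeumann+c74f20a3+ARpc2QcUPDhMQegwxbzhKqiBfsVkmqq/LDE4izWy10TW",
			wantErr: true,
		}, {
			name:    "unknown type fails",
			keyType: "bananas",
			wantErr: true,
		},
	} {
		t.Run(test.name, func(t *testing.T) {
			_, err := NewVerifier(test.keyType, test.key)
			if gotErr := err != nil; gotErr != test.wantErr {
				t.Fatalf("NewVerifier: %v, wantErr %t", err, test.wantErr)
			}
		})
	}
}

// TestNewECDSAVerifier checks that NewECDSAVerifier parses well-formed ECDSA
// key strings and rejects malformed ones: wrong part count, undecodable
// base64, an unexpected algorithm byte, and a key hash that is either not
// parseable or does not match the key material.
func TestNewECDSAVerifier(t *testing.T) {
	for _, test := range []struct {
		name    string
		pubK    string
		wantErr bool
	}{
		{
			name: "sigStore works",
			pubK: sigStoreKey,
		}, {
			name: "pixel works",
			pubK: pixelKey,
		}, {
			name:    "wrong number of parts",
			pubK:    "bananas.sigstore.dev+12344556",
			wantErr: true,
		}, {
			name:    "invalid base64",
			pubK:    "rekor.sigstore.dev+12345678+THIS_IS_NOT_BASE64!",
			wantErr: true,
		}, {
			name:    "invalid algo",
			pubK:    "rekor.sigstore.dev+12345678+AwEB",
			wantErr: true,
		}, {
			name:    "invalid keyhash",
			pubK:    "rekor.sigstore.dev+NOT_A_NUMBER+" + sigStoreKeyMaterial,
			wantErr: true,
		}, {
			name:    "incorrect keyhash",
			pubK:    "rekor.sigstore.dev" + "+" + "00000000" + "+" + sigStoreKeyMaterial,
			wantErr: true,
		},
	} {
		t.Run(test.name, func(t *testing.T) {
			_, err := NewECDSAVerifier(test.pubK)
			if gotErr := err != nil; gotErr != test.wantErr {
				// Report both directions of mismatch; the previous message
				// read as a creation failure even when the actual problem was
				// that a bad key had been accepted (err == nil).
				t.Fatalf("NewECDSAVerifier(%q): got err %v, wantErr %t", test.pubK, err, test.wantErr)
			}
		})
	}
}

// TestECDSAVerifier builds an ECDSA verifier from each key string and uses it
// with note.Open to check signed notes, covering both accepted notes and notes
// that must be rejected.
func TestECDSAVerifier(t *testing.T) {
	for _, test := range []struct {
		name    string
		pubK    string
		note    []byte
		wantErr bool
	}{
		{
			name: "sigstore works",
			pubK: sigStoreKey,
			note: []byte("Rekor\n798034\nf+7CoKgXKE/tNys9TTXcr/ad6U/K3xvznmzew9y6SP0=\n\n— rekor.sigstore.dev wNI9ajBEAiARInWIWyCdyG27CO6LPnPekyw20qO0YJfoaPaowGp/XgIgc+qEHS3+GKVClgqq20uDLet7MCoTURUCRdxwWBHHufk=\n"),
		}, {
			name: "pixel works",
			pubK: pixelKey,
			note: []byte("DEFAULT\n10\nbsWRucJU5xJPHb5eBdOm6+DM+VelCZBuvtI3sHERJ9Y=\n\n— pixel6_transparency_log kcFuMDBFAiEAhqMAP8P6qf6QxtUJhzMhbN+MbZ9dwfUHzGQJmffJHtoCIGD0cNe47dHWBoPwYdgBCepB06/+g5O1FmYjXl06owL4\n"),
		}, {
			// The verifier's name differs from the name on the signature line,
			// so no signature on the note belongs to a known key.
			name:    "invalid name",
			pubK:    "bananas.sigstore.dev" + "+" + sigStoreKeyHash + "+" + sigStoreKeyMaterial,
			note:    []byte("Rekor\n798034\nf+7CoKgXKE/tNys9TTXcr/ad6U/K3xvznmzew9y6SP0=\n\n— rekor.sigstore.dev wNI9ajBEAiARInWIWyCdyG27CO6LPnPekyw20qO0YJfoaPaowGp/XgIgc+qEHS3+GKVClgqq20uDLet7MCoTURUCRdxwWBHHufk=\n"),
			wantErr: true,
		}, {
			// NOTE(review): the replacement text also overwrites the leading
			// key-hash bytes of the signature blob (the valid one starts with
			// "wNI9aj", i.e. c0d23d6a), so this note appears to be rejected as
			// signed by an unknown key rather than by the ECDSA check itself.
			// The "tampered text" case below covers the ECDSA check.
			name:    "invalid signature",
			pubK:    sigStoreKey,
			note:    []byte("Rekor\n798034\nf+7CoKgXKE/tNys9TTXcr/ad6U/K3xvznmzew9y6SP0=\n\n— rekor.sigstore.dev THIS/IS/PROBABLY/NOT/A/VALID/SIGNATURE/ANy/MOREowGp/XgIgc+qEHS3+GKVClgqq20uDLet7MCoTURUCRdxwWBHHufk=\n"),
			wantErr: true,
		}, {
			// Constructed case: the signature line is the genuine one from
			// "sigstore works" (matching name and key hash), but the signed
			// text has been altered (tree size 798034 -> 798035). Rejection
			// here depends on the signature check over the note text.
			name:    "tampered text",
			pubK:    sigStoreKey,
			note:    []byte("Rekor\n798035\nf+7CoKgXKE/tNys9TTXcr/ad6U/K3xvznmzew9y6SP0=\n\n— rekor.sigstore.dev wNI9ajBEAiARInWIWyCdyG27CO6LPnPekyw20qO0YJfoaPaowGp/XgIgc+qEHS3+GKVClgqq20uDLet7MCoTURUCRdxwWBHHufk=\n"),
			wantErr: true,
		},
	} {
		t.Run(test.name, func(t *testing.T) {
			v, err := NewECDSAVerifier(test.pubK)
			if err != nil {
				t.Fatalf("Failed to create new ECDSA verifier from %q: %v", test.pubK, err)
			}
			_, err = note.Open(test.note, note.VerifierList(v))
			if gotErr := err != nil; gotErr != test.wantErr {
				t.Fatalf("note.Open: got err %v, wantErr %t", err, test.wantErr)
			}
		})
	}
}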