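// Source: github.com/goreleaser/nfpm/v2@v2.44.0/internal/sign/rsa_test.go

package sign

import (
	"bytes"
	"crypto/sha1" // nolint:gosec
	"testing"

	"github.com/stretchr/testify/require"
)

// NOTE(review): SHA-1 is imported only because the API under test is named
// for it (RSASignSHA1Digest / RSAVerifySHA1Digest); the nolint markers silence
// gosec's weak-hash finding. Presumably the digest algorithm is dictated by
// the signature format being produced; confirm before reusing these helpers
// for anything where collision resistance matters.

// TestRSASignAndVerify signs a fixed message with each supported private-key
// encoding and checks that the signature verifies against the paired public
// key.
func TestRSASignAndVerify(t *testing.T) {
	testData := []byte("test")

	testCases := []struct {
		name       string
		privKey    string
		pubKey     string
		passphrase string
	}{
		{"unprotected pkcs1", "testdata/rsa_unprotected.priv", "testdata/rsa_unprotected.pub", ""},
		// pass is declared elsewhere in this package.
		{"protected pkcs1", "testdata/rsa.priv", "testdata/rsa.pub", pass},
		{"unprotected pkcs8", "testdata/rsa_pkcs8.priv", "testdata/rsa_pkcs8.pub", ""},
	}

	for _, testCase := range testCases {
		testCase := testCase
		t.Run(testCase.name, func(t *testing.T) {
			sig, err := rsaSign(bytes.NewReader(testData), testCase.privKey, testCase.passphrase)
			require.NoError(t, err)

			err = rsaVerify(bytes.NewReader(testData), sig, testCase.pubKey)
			require.NoError(t, err)
		})
	}
}

// TestWrongPassphrase checks that signing with an encrypted key and a
// passphrase other than the one the other tests use is rejected with the
// x509 decryption error rather than producing a signature.
func TestWrongPassphrase(t *testing.T) {
	testData := []byte("test")
	_, err := rsaSign(bytes.NewReader(testData), "testdata/rsa.priv", "password123")
	require.EqualError(t, err, "decrypt private key PEM block: x509: decryption password incorrect")
}

// TestNoPassphrase checks that an encrypted key with an empty passphrase is
// reported as such instead of being treated as an unprotected key.
func TestNoPassphrase(t *testing.T) {
	testData := []byte("test")
	_, err := rsaSign(bytes.NewReader(testData), "testdata/rsa.priv", "")
	require.EqualError(t, err, "key is encrypted but no passphrase was provided")
}

// TestInvalidHash checks that RSASignSHA1Digest refuses input that is not a
// SHA-1 digest; the four-byte value below is shorter than a SHA-1 sum.
//
// NOTE(review): the expected error suggests the digest check runs before the
// key is decrypted, so the passphrase literal here may never be used; confirm
// against RSASignSHA1Digest.
func TestInvalidHash(t *testing.T) {
	invalidDigest := []byte("test")
	_, err := RSASignSHA1Digest(invalidDigest, "testdata/rsa.priv", "hunter2")
	require.EqualError(t, err, "digest is not a SHA1 hash")
}

// TestRSAVerifyWrongKey expects RSAVerifySHA1Digest to reject the signature
// produced by rsaSign for each key encoding.
//
// NOTE(review): every case verifies with the public key that matches the
// signing key, so the rejection is not caused by a key mismatch. It looks as
// though rsaSign hashes its reader before signing (rsaSign is not visible
// here; confirm), which would make the signed digest differ from the digest
// passed to the verifier. A real wrong-key case would verify with a public
// key from a different pair.
func TestRSAVerifyWrongKey(t *testing.T) {
	digest := sha1.New().Sum(nil) // nolint:gosec

	testCases := []struct {
		name    string
		privKey string
		pubKey  string
	}{
		{"pkcs1", "testdata/rsa_unprotected.priv", "testdata/rsa_unprotected.pub"},
		{"pkcs8", "testdata/rsa_pkcs8.priv", "testdata/rsa_pkcs8.pub"},
	}

	for _, testCase := range testCases {
		testCase := testCase
		// Run each case as a named subtest so that a require failure in one
		// key encoding does not hide the result for the other.
		t.Run(testCase.name, func(t *testing.T) {
			sig, err := rsaSign(bytes.NewReader(digest), testCase.privKey, "")
			require.NoError(t, err)

			err = RSAVerifySHA1Digest(digest, sig, testCase.pubKey)
			require.EqualError(t, err, "verify PKCS1v15 signature: crypto/rsa: verification error")
		})
	}
}

// TestRSAVerifyWrongSignature checks that an empty signature is rejected with
// a verification error for each public-key encoding.
func TestRSAVerifyWrongSignature(t *testing.T) {
	digest := sha1.New().Sum(nil) // nolint:gosec

	testCases := []struct {
		name   string
		pubKey string
	}{
		{"pkcs1", "testdata/rsa.pub"},
		{"pkcs8", "testdata/rsa_pkcs8.pub"},
	}

	for _, testCase := range testCases {
		testCase := testCase
		// Named subtests keep the two encodings independent on failure.
		t.Run(testCase.name, func(t *testing.T) {
			err := RSAVerifySHA1Digest(digest, []byte{}, testCase.pubKey)
			require.EqualError(t, err, "verify PKCS1v15 signature: crypto/rsa: verification error")
		})
	}
}

// TestRSAVerifyWrongPublicKeyFormat checks that a public-key file that does
// not hold an RSA key yields errNoRSAKey instead of a generic verification
// failure.
func TestRSAVerifyWrongPublicKeyFormat(t *testing.T) {
	digest := sha1.New().Sum(nil) // nolint:gosec

	sig, err := rsaSign(bytes.NewReader(digest), "testdata/rsa_unprotected.priv", "")
	require.NoError(t, err)

	err = RSAVerifySHA1Digest(digest, sig, "testdata/wrong_key_format.pub")
	// testify's Equal takes (expected, actual); this order keeps the failure
	// message correctly labelled.
	require.Equal(t, errNoRSAKey, err)
}

// TestRSAVerifyWrongSecretKeyFormat checks that signing with a private-key
// file in an unsupported format returns an error. Only the presence of an
// error is asserted, not its text.
func TestRSAVerifyWrongSecretKeyFormat(t *testing.T) {
	digest := sha1.New().Sum(nil) // nolint:gosec

	_, err := rsaSign(bytes.NewReader(digest), "testdata/wrong_key_format.priv", "")
	require.Error(t, err)
}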