From 4e1553e8c1ea7a6324dfc2b9177a03d3382ec8bf Mon Sep 17 00:00:00 2001
From: Andreas Henriksson <andreas@fatal.se>
Date: Thu, 8 May 2025 11:25:07 +0200
Subject: [PATCH 2/2] Revert "test: Add tests for signing/validating with Azure
 Key Vault"

This reverts commit fd0c663a50bfebe8627eb29452a89a59ef67013f.
---
 areader/reader_test.go        |   2 +-
 artifact/azure/signer_test.go | 242 ----------------------------------
 artifact/signer_test.go       |   2 +-
 cli/dump_test.go              |   1 -
 cli/modify_existing_test.go   |   2 -
 cli/validate_test.go          |   2 +-
 6 files changed, 3 insertions(+), 248 deletions(-)
 delete mode 100644 artifact/azure/signer_test.go

diff --git a/areader/reader_test.go b/areader/reader_test.go
index 802113d..6651e47 100644
--- a/areader/reader_test.go
+++ b/areader/reader_test.go
@@ -64,7 +64,7 @@ r3rtT0ysHWd7l+Kx/SUCQGlitd5RDfdHl+gKrCwhNnRG7FzRLv5YOQV81+kh7SkU
 MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDSTLzZ9hQq3yBB+dMDVbKem6ia
 v1J6opg6DICKkQ4M/yhlw32BCGm2ArM3VwQRgq6Q1sNSq953n5c1EO3Xcy/qTAKc
 XwaUNml5EhW79AdibBXZiZt8fMhCjUd/4ce3rLNjnbIn1o9L6pzV4CcVJ8+iNhne
-5vbA+63vRCnrc8QuYwIDAQAD
+5vbA+63vRCnrc8QuYwIDAQAC
 -----END PUBLIC KEY-----`
 )
 
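Review bot: The restored tail `AQAC` on the last base64 line of this PEM block decodes to public exponent 65538 (0x010002), an even value that cannot be a valid RSA exponent; the removed `AQAD` was 65539, and the same modulus appears with `AQAB` (65537) in the deleted artifact/azure/signer_test.go. If the RSA or x509 code in the toolchain used for the build rejects even exponents, tests consuming this fixture would fail on a malformed key rather than on a signature mismatch, so it is worth confirming which failure path the negative verification tests actually exercise after the revert. The same one-character change is made in artifact/signer_test.go and cli/validate_test.go. The constant's declaration starts outside the hunk, so its name is not visible here; I would add a comment above it such as `// Deliberately wrong key: real modulus, public exponent 65538 instead of 65537.`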
diff --git a/artifact/azure/signer_test.go b/artifact/azure/signer_test.go
deleted file mode 100644
index 92db507..0000000
--- a/artifact/azure/signer_test.go
+++ /dev/null
@@ -1,242 +0,0 @@
-// Copyright 2025 Northern.tech AS
-//
-//    Licensed under the Apache License, Version 2.0 (the "License");
-//    you may not use this file except in compliance with the License.
-//    You may obtain a copy of the License at
-//
-//        http://www.apache.org/licenses/LICENSE-2.0
-//
-//    Unless required by applicable law or agreed to in writing, software
-//    distributed under the License is distributed on an "AS IS" BASIS,
-//    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-//    See the License for the specific language governing permissions and
-//    limitations under the License.
-
-package azure
-
-import (
-	"context"
-	"crypto"
-	"crypto/ecdsa"
-	"crypto/rand"
-	"crypto/rsa"
-	"crypto/x509"
-	"encoding/base64"
-	"encoding/pem"
-	"fmt"
-	"testing"
-
-	"github.com/mendersoftware/mender-artifact/artifact"
-
-	"github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys"
-	"github.com/go-jose/go-jose/v3/json"
-	"github.com/lestrrat-go/jwx/jwk"
-	"github.com/stretchr/testify/assert"
-)
-
-const (
-	PublicRSAKey = `-----BEGIN PUBLIC KEY-----
-MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDSTLzZ9hQq3yBB+dMDVbKem6ia
-v1J6opg6DICKkQ4M/yhlw32BCGm2ArM3VwQRgq6Q1sNSq953n5c1EO3Xcy/qTAKc
-XwaUNml5EhW79AdibBXZiZt8fMhCjUd/4ce3rLNjnbIn1o9L6pzV4CcVJ8+iNhne
-5vbA+63vRCnrc8QuYwIDAQAB
------END PUBLIC KEY-----`
-	PrivateRSAKey = `-----BEGIN RSA PRIVATE KEY-----
-MIICXAIBAAKBgQDSTLzZ9hQq3yBB+dMDVbKem6iav1J6opg6DICKkQ4M/yhlw32B
-CGm2ArM3VwQRgq6Q1sNSq953n5c1EO3Xcy/qTAKcXwaUNml5EhW79AdibBXZiZt8
-fMhCjUd/4ce3rLNjnbIn1o9L6pzV4CcVJ8+iNhne5vbA+63vRCnrc8QuYwIDAQAB
-AoGAQKIRELQOsrZsxZowfj/ia9jPUvAmO0apnn2lK/E07k2lbtFMS1H4m1XtGr8F
-oxQU7rLyyP/FmeJUqJyRXLwsJzma13OpxkQtZmRpL9jEwevnunHYJfceVapQOJ7/
-6Oz0pPWEq39GCn+tTMtgSmkEaSH8Ki9t32g9KuQIKBB2hbECQQDsg7D5fHQB1BXG
-HJm9JmYYX0Yk6Z2SWBr4mLO0C4hHBnV5qPCLyevInmaCV2cOjDZ5Sz6iF5RK5mw7
-qzvFa8ePAkEA46Anom3cNXO5pjfDmn2CoqUvMeyrJUFL5aU6W1S6iFprZ/YwdHcC
-kS5yTngwVOmcnT65Vnycygn+tZan2A0h7QJBAJNlowZovDdjgEpeCqXp51irD6Dz
-gsLwa6agK+Y6Ba0V5mJyma7UoT//D62NYOmdElnXPepwvXdMUQmCtpZbjBsCQD5H
-VHDJlCV/yzyiJz9+tZ5giaAkO9NOoUBsy6GvdfXWn2prXmiPI0GrrpSvp7Gj1Tjk
-r3rtT0ysHWd7l+Kx/SUCQGlitd5RDfdHl+gKrCwhNnRG7FzRLv5YOQV81+kh7SkU
-73TXPIqLESVrqWKDfLwfsfEpV248MSRou+y0O1mtFpo=
------END RSA PRIVATE KEY-----`
-
-	// openssl ecparam -genkey -name secp256r1 -out key.pem
-	// openssl ec -in key.pem -pubout
-	PublicECDSAKey = `-----BEGIN PUBLIC KEY-----
-MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE9iC/hyQO1UQfw0fFj1RjEjwOvPIB
-sz6Of3ock/gIwmnhnC/7USo3yOTl4wVLQKA6mFvMV9o8B9yTBNg3mQS0vA==
------END PUBLIC KEY-----`
-	PrivateECDSAKey = `-----BEGIN EC PRIVATE KEY-----
-MHcCAQEEIMOJJlcKM0sMwsOezNKeUXm4BiN6+ZPggu87yuZysDgIoAoGCCqGSM49
-AwEHoUQDQgAE9iC/hyQO1UQfw0fFj1RjEjwOvPIBsz6Of3ock/gIwmnhnC/7USo3
-yOTl4wVLQKA6mFvMV9o8B9yTBNg3mQS0vA==
------END EC PRIVATE KEY-----`
-)
-
-type testKey struct {
-	public  string
-	private string
-}
-
-var keys map[string]testKey = map[string]testKey{
-	"rsa-test-key": {
-		public:  PublicRSAKey,
-		private: PrivateRSAKey,
-	},
-	"ec-test-key": {
-		public:  PublicECDSAKey,
-		private: PrivateECDSAKey,
-	},
-}
-
-type fakeAzureClient struct{}
-
-var invalidNames = []string{
-	"-name",
-	"name-",
-	"invalid--name",
-	"invalid_name",
-	"42name",
-	"name*://test",
-	"na",
-	"nameneedstobelessthan25chars",
-}
-
-func TestAzureSigner(t *testing.T) {
-	t.Setenv("KEY_VAULT_NAME", "test-keyvault")
-	signer, err := NewKeyVaultSigner("test-key")
-	assert.NoError(t, err)
-	assert.NotNil(t, signer)
-	assert.IsType(t, &azureKeyVault{}, signer)
-
-	// Test empty key vault name
-	t.Setenv("KEY_VAULT_NAME", "")
-	signer, err = NewKeyVaultSigner("test-key")
-	assert.Error(t, err)
-	assert.Nil(t, signer)
-
-	// Test invalid key vault name
-	for _, v := range invalidNames {
-		assert.False(t, validateName(v))
-	}
-}
-
-func TestAzureRSASignAndVerify(t *testing.T) {
-	azureSigner := azureKeyVault{
-		keyName: "rsa-test-key",
-		client:  &fakeAzureClient{},
-	}
-	msg := "Test message"
-	sig, err := azureSigner.Sign([]byte(msg))
-	assert.NoError(t, err)
-	assert.NotNil(t, sig)
-
-	// Verify valid signature
-	err = azureSigner.Verify([]byte(msg), sig)
-	assert.NoError(t, err)
-
-	// Test invalid signature
-	buf := make([]byte, 256)
-	rand.Read(buf)
-	sig = make([]byte, base64.StdEncoding.EncodedLen(len(buf)))
-	base64.StdEncoding.Encode(sig, buf)
-	err = azureSigner.Verify([]byte(msg), sig)
-	assert.Error(t, err)
-}
-
-func TestAzureECDSASignAndVerify(t *testing.T) {
-	azureSigner := azureKeyVault{
-		keyName: "ec-test-key",
-		client:  &fakeAzureClient{},
-	}
-	msg := "Some message"
-	sig, err := azureSigner.Sign([]byte(msg))
-	assert.NoError(t, err)
-	assert.NotNil(t, sig)
-
-	// Verify valid signature
-	err = azureSigner.Verify([]byte(msg), sig)
-	assert.NoError(t, err)
-
-	// Test invalid signature
-	buf := make([]byte, 72)
-	rand.Read(buf)
-	sig = make([]byte, base64.StdEncoding.EncodedLen(len(buf)))
-	base64.StdEncoding.Encode(sig, buf)
-	err = azureSigner.Verify([]byte(msg), sig)
-	assert.Error(t, err)
-}
-
-func (c *fakeAzureClient) GetKey(ctx context.Context, name string, version string,
-	options *azkeys.GetKeyOptions) (azkeys.GetKeyResponse, error) {
-	testKey, found := keys[name]
-	if !found {
-		return azkeys.GetKeyResponse{}, fmt.Errorf("invalid key name")
-	}
-	block, _ := pem.Decode([]byte(testKey.public))
-	if block == nil {
-		return azkeys.GetKeyResponse{}, fmt.Errorf("error decoding public key")
-	}
-	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
-	if err != nil {
-		return azkeys.GetKeyResponse{}, fmt.Errorf("failed to parse public key")
-	}
-
-	key, err := jwk.New(pub)
-	if err != nil {
-		return azkeys.GetKeyResponse{}, fmt.Errorf("error creating jwk.Key")
-	}
-	jwk.AssignKeyID(key)
-	buf, err := json.Marshal(key)
-	if err != nil {
-		return azkeys.GetKeyResponse{}, fmt.Errorf("error marshalling key")
-	}
-	var azkey azkeys.JSONWebKey
-	if err := azkey.UnmarshalJSON(buf); err != nil {
-		return azkeys.GetKeyResponse{}, fmt.Errorf("error unmarshalling JSON into JSONWebKey")
-	}
-	return azkeys.GetKeyResponse{
-		azkeys.KeyBundle{
-			Key: &azkey,
-		},
-	}, nil
-}
-
-func (c *fakeAzureClient) Sign(ctx context.Context, name string, version string,
-	parameters azkeys.SignParameters, options *azkeys.SignOptions) (azkeys.SignResponse, error) {
-	testKey, found := keys[name]
-	if !found {
-		return azkeys.SignResponse{}, fmt.Errorf("invalid key name")
-	}
-	sm, err := artifact.GetKeyAndSignMethod([]byte(testKey.private))
-	if err != nil {
-		return azkeys.SignResponse{}, fmt.Errorf("key %s: %v", name, err)
-	}
-
-	var sig []byte
-	switch sm.Method.(type) {
-	case *artifact.RSA:
-		if *parameters.Algorithm != azkeys.SignatureAlgorithmRS256 {
-			return azkeys.SignResponse{}, fmt.Errorf("error: key (RSA) - algorithm (%s) mismatch",
-				*parameters.Algorithm)
-		}
-		sig, err = rsa.SignPKCS1v15(nil, sm.Key.(*rsa.PrivateKey), crypto.SHA256, parameters.Value)
-		if err != nil {
-			return azkeys.SignResponse{}, fmt.Errorf("key %s: %v", name, err)
-		}
-	case *artifact.ECDSA256:
-		if *parameters.Algorithm != azkeys.SignatureAlgorithmES256 {
-			return azkeys.SignResponse{}, fmt.Errorf("error: key (ECDSA) - algorithm (%s) mismatch",
-				*parameters.Algorithm)
-		}
-		privKey := sm.Key.(*ecdsa.PrivateKey)
-		sig, err = privKey.Sign(rand.Reader, parameters.Value, nil)
-		if err != nil {
-			return azkeys.SignResponse{}, fmt.Errorf("key %s: %v", name, err)
-		}
-	default:
-		return azkeys.SignResponse{}, fmt.Errorf("key %s: unsupported signing algorithm", name)
-	}
-	return azkeys.SignResponse{
-		azkeys.KeyOperationResult{
-			Result: sig,
-		},
-	}, nil
-}
diff --git a/artifact/signer_test.go b/artifact/signer_test.go
index 5c81604..293ef9d 100644
--- a/artifact/signer_test.go
+++ b/artifact/signer_test.go
@@ -34,7 +34,7 @@ XwaUNml5EhW79AdibBXZiZt8fMhCjUd/4ce3rLNjnbIn1o9L6pzV4CcVJ8+iNhne
 MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDSTLzZ9hQq3yBB+dMDVbKem6ia
 v1J6opg6DICKkQ4M/yhlw32BCGm2ArM3VwQRgq6Q1sNSq953n5c1EO3Xcy/qTAKc
 XwaUNml5EhW79AdibBXZiZt8fMhCjUd/4ce3rLNjnbIn1o9L6pzV4CcVJ8+iNhne
-5vbA+63vRCnrc8QuYwIDAQAD
+5vbA+63vRCnrc8QuYwIDAQAC
 -----END PUBLIC KEY-----`
 	PublicRSAKeyInvalid = `-----BEGIN PUBLIC KEY-----
 MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDSTLzZ9hQq3yBB+dMDVbKem6ia
diff --git a/cli/dump_test.go b/cli/dump_test.go
index 2992304..176c3bb 100644
--- a/cli/dump_test.go
+++ b/cli/dump_test.go
@@ -268,7 +268,6 @@ func testDumpContent(t *testing.T, imageType, printCmdline string) {
 	flagChecker.addFlags([]string{
 		"artifact-name",
 		"artifact-name-depends",
-		"azure-key", // Not tested in "dump".
 		"clears-provides",
 		"compression", // Not tested in "dump".
 		"depends",
diff --git a/cli/modify_existing_test.go b/cli/modify_existing_test.go
index cc980e3..a28344f 100644
--- a/cli/modify_existing_test.go
+++ b/cli/modify_existing_test.go
@@ -458,7 +458,6 @@ Updates:
 
 	modifyWriteFlagsTested.addFlags([]string{
 		"artifact-name",
-		"azure-key",
 		"compression",
 		"device-type",
 		"file",
@@ -471,7 +470,6 @@ Updates:
 	})
 	modifyFlagsTested.addFlags([]string{
 		"artifact-name",
-		"azure-key",
 		"gcp-kms-key",
 		"keyfactor-signserver-worker",
 		"vault-transit-key",
diff --git a/cli/validate_test.go b/cli/validate_test.go
index 1142ab7..ecf466c 100644
--- a/cli/validate_test.go
+++ b/cli/validate_test.go
@@ -35,7 +35,7 @@ XwaUNml5EhW79AdibBXZiZt8fMhCjUd/4ce3rLNjnbIn1o9L6pzV4CcVJ8+iNhne
 MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDSTLzZ9hQq3yBB+dMDVbKem6ia
 v1J6opg6DICKkQ4M/yhlw32BCGm2ArM3VwQRgq6Q1sNSq953n5c1EO3Xcy/qTAKc
 XwaUNml5EhW79AdibBXZiZt8fMhCjUd/4ce3rLNjnbIn1o9L6pzV4CcVJ8+iNhne
-5vbA+63vRCnrc8QuYwIDAQAD
+5vbA+63vRCnrc8QuYwIDAQAC
 -----END PUBLIC KEY-----`
 	PublicValidateRSAKeyInvalid = `-----BEGIN PUBLIC KEY-----
 MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDSTLzZ9hQq3yBB+dMDVbKem6ia
-- 
2.47.2

