package sigstore

import (
	"context"
	"os"
	"path/filepath"
	"testing"

	"github.com/containers/image/v5/docker/reference"
	"github.com/containers/image/v5/internal/signature"
	internalSigner "github.com/containers/image/v5/internal/signer"
	"github.com/containers/image/v5/manifest"
	"github.com/containers/image/v5/signature/internal"
	"github.com/opencontainers/go-digest"
	"github.com/sigstore/sigstore/pkg/cryptoutils"
	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
)

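// TestGenerateKeyPair checks that GenerateKeyPair produces a usable key pair:
// the passphrase-protected private key can be loaded through NewSigner to sign
// a manifest, the matching public key verifies that signature, and the stored
// key file is rejected when the wrong passphrase is supplied.
func TestGenerateKeyPair(t *testing.T) {
	testManifest := []byte("{}")
	testDockerReference, err := reference.ParseNormalizedNamed("example.com/foo:notlatest")
	require.NoError(t, err)

	passphrase := []byte("some passphrase")
	keyPair, err := GenerateKeyPair(passphrase)
	require.NoError(t, err)

	// Persist the private key into a per-test temporary directory, owner-only
	// readable, and load it back through the same file-based option a user
	// would configure.
	tmpDir := t.TempDir()
	privateKeyFile := filepath.Join(tmpDir, "private.key")
	err = os.WriteFile(privateKeyFile, keyPair.PrivateKey, 0600)
	require.NoError(t, err)

	// The key file must not be usable without the passphrase it was generated with.
	_, err = NewSigner(WithPrivateKeyFile(privateKeyFile, []byte("wrong passphrase")))
	assert.Error(t, err)

	signer, err := NewSigner(WithPrivateKeyFile(privateKeyFile, passphrase))
	require.NoError(t, err)
	sig0, err := internalSigner.SignImageManifest(context.Background(), signer, testManifest, testDockerReference)
	require.NoError(t, err)
	sig, ok := sig0.(signature.Sigstore)
	require.True(t, ok)

	// It would be even more elegant to invoke the higher-level prSigstoreSigned code,
	// but that is private.
	publicKey, err := cryptoutils.UnmarshalPEMToPublicKey(keyPair.PublicKey)
	require.NoError(t, err)

	_, err = internal.VerifySigstorePayload(publicKey, sig.UntrustedPayload(),
		sig.UntrustedAnnotations()[signature.SigstoreSignatureAnnotationKey],
		internal.SigstorePayloadAcceptanceRules{
			ValidateSignedDockerReference: func(ref string) error {
				assert.Equal(t, "example.com/foo:notlatest", ref)
				return nil
			},
			// The parameter is named dgst so it does not shadow the imported
			// digest package.
			ValidateSignedDockerManifestDigest: func(dgst digest.Digest) error {
				matches, err := manifest.MatchesDigest(testManifest, dgst)
				require.NoError(t, err)
				assert.True(t, matches)
				return nil
			},
		})
	assert.NoError(t, err)

	// The failure paths are not obviously easy to reach.
}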