1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
|
package rekor
import (
"context"
"crypto/ecdsa"
"encoding/base64"
"io"
"net/http"
"net/url"
"os"
"testing"
"time"
"github.com/containers/image/v5/signature/internal"
"github.com/hashicorp/go-retryablehttp"
"github.com/sigstore/sigstore/pkg/cryptoutils"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
func Test_rekorUploadKeyOrCert(t *testing.T) {
REKOR_SERVER := os.Getenv("REKOR_SERVER_URL")
if REKOR_SERVER == "" {
t.Skip("REKOR_SERVER_URL not set or empty. This test requires a proper rekor server to run against, use signature/sigstore/rekor/scripts/start-rekor.sh to set one up quickly")
}
cosignCertBytes, err := os.ReadFile("../../internal/testdata/rekor-cert")
require.NoError(t, err)
cosignSigBase64, err := os.ReadFile("../../internal/testdata/rekor-sig")
require.NoError(t, err)
cosignPayloadBytes, err := os.ReadFile("../../internal/testdata/rekor-payload")
require.NoError(t, err)
// server needs a moment to set to retry a bit
resp, err := retryablehttp.Get(REKOR_SERVER + "/api/v1/log/publicKey")
require.NoError(t, err)
require.Equal(t, http.StatusOK, resp.StatusCode, "unexpected status code from rekor server")
rekorPubKeyPEM, err := io.ReadAll(resp.Body)
require.NoError(t, err)
resp.Body.Close()
rekorKey, err := cryptoutils.UnmarshalPEMToPublicKey(rekorPubKeyPEM)
require.NoError(t, err)
rekorKeyECDSA, ok := rekorKey.(*ecdsa.PublicKey)
require.True(t, ok)
rekorKeysECDSA := []*ecdsa.PublicKey{rekorKeyECDSA}
type args struct {
keyOrCertBytes []byte
signatureBase64 string
payloadBytes []byte
}
tests := []struct {
name string
args args
wantErr string
}{
{
name: "upload valid signature",
args: args{
keyOrCertBytes: cosignCertBytes,
signatureBase64: string(cosignSigBase64),
payloadBytes: cosignPayloadBytes,
},
},
{
name: "invalid key",
args: args{
keyOrCertBytes: []byte{1, 2, 3, 4},
signatureBase64: string(cosignSigBase64),
payloadBytes: cosignPayloadBytes,
},
wantErr: "Rekor /api/v1/log/entries failed: bad request (400), {Code:400 Message:error processing entry: invalid public key: failure decoding PEM}",
},
{
name: "invalid signature",
args: args{
keyOrCertBytes: cosignCertBytes,
signatureBase64: "AAAA" + string(cosignSigBase64),
payloadBytes: cosignPayloadBytes,
},
wantErr: "Rekor /api/v1/log/entries failed: bad request (400), {Code:400 Message:error processing entry: verifying signature: ecdsa: Invalid IEEE_P1363 encoded bytes}",
},
{
name: "invalid payload",
args: args{
keyOrCertBytes: cosignCertBytes,
signatureBase64: string(cosignSigBase64),
payloadBytes: []byte{2, 3, 4},
},
wantErr: "Rekor /api/v1/log/entries failed: bad request (400), {Code:400 Message:error processing entry: verifying signature: invalid signature when validating ASN.1 encoded signature}",
},
}
u, err := url.Parse(REKOR_SERVER)
require.NoError(t, err)
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
cl := newRekorClient(u)
signatureBytes, err := base64.StdEncoding.DecodeString(tt.args.signatureBase64)
require.NoError(t, err)
currentTime := time.Now()
// with go 1.24 this should use t.Context()
got, err := cl.uploadKeyOrCert(context.Background(), tt.args.keyOrCertBytes, signatureBytes, tt.args.payloadBytes)
if tt.wantErr != "" {
assert.ErrorContains(t, err, tt.wantErr)
return
}
require.NoError(t, err)
// Now verify the returned rekor set
tm, err := internal.VerifyRekorSET(rekorKeysECDSA, got, tt.args.keyOrCertBytes, tt.args.signatureBase64, tt.args.payloadBytes)
require.NoError(t, err)
// Check that the returned timestamp makes sense.
// Note that using time.After()/Before() to match will yield incorrect result.
// time.Now() has nanosecond precision while the rekor time is constructed of the unix seconds.
// That is why we can only compare the full unix seconds here.
assert.GreaterOrEqual(t, tm.Unix(), currentTime.Unix(), "time: %s after rekor time: %s", currentTime, tm)
})
}
}
|
