// -*- Mode: Go; indent-tabs-mode: t -*-
//go:build !nosecboot
/*
* Copyright (C) 2024 Canonical Ltd
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 3 as
* published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
package keys_test
import (
"bytes"
"crypto"
"io"
"os"
"path/filepath"
. "gopkg.in/check.v1"
sb "github.com/snapcore/secboot"
"github.com/snapcore/snapd/secboot/keys"
)
// plainkeySuite groups the plain (non-TPM) protector key tests; it carries
// no per-suite state.
type plainkeySuite struct{}
var _ = Suite(&plainkeySuite{})
// SetUpTest is gocheck's per-test fixture hook. This suite needs no
// per-test state, so it intentionally does nothing.
func (s *plainkeySuite) SetUpTest(c *C) {
}
// MyKeyDataWriter is an in-memory test double for the writer that
// ProtectedKey.Write expects: writes land in the embedded buffer, where the
// serialized key data can be inspected with Bytes or String, and Commit
// supplies the extra method that writer presumably requires beyond io.Writer.
type MyKeyDataWriter struct {
	*bytes.Buffer
}

// NewMyKeyDataWriter returns a MyKeyDataWriter over a fresh, empty buffer.
func NewMyKeyDataWriter() *MyKeyDataWriter {
	backing := make([]byte, 0)
	return &MyKeyDataWriter{Buffer: bytes.NewBuffer(backing)}
}

// Commit is a no-op: the buffer is the final destination, so there is
// nothing to make durable. It always returns nil.
func (kdw *MyKeyDataWriter) Commit() error {
	return nil
}
// testCase parametrizes testPlainKey.
type testCase struct {
	// nilPrimaryKey makes the test call CreateProtectedKey with a nil
	// primary key; the mocked secboot layer then has to generate one.
	nilPrimaryKey bool
}
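// testPlainKey drives ProtectorKey.CreateProtectedKey through a mocked
// secboot NewProtectedKey and checks the values that flow in and out of it,
// the serialized form of the protected key, and the on-disk copy written by
// SaveToFile.
//
// tc.nilPrimaryKey selects whether CreateProtectedKey is called with a nil
// primary key (the mock then hands back a generated one) or with a caller
// supplied one (which must come back unchanged).
func (s *plainkeySuite) testPlainKey(c *C, tc *testCase) {
	restore := keys.MockSbNewProtectedKey(func(rand io.Reader, protectorKey []byte, primaryKey sb.PrimaryKey) (protectedKey *sb.KeyData, primaryKeyOut sb.PrimaryKey, unlockKey sb.DiskUnlockKey, err error) {
		// The primary key must reach secboot exactly as the caller gave it:
		// nil stays nil, a value stays that value. The protectorKey argument
		// is not inspected here.
		if tc.nilPrimaryKey {
			c.Check(primaryKey, IsNil)
			primaryKeyOut = []byte("generated-primary-key")
		} else {
			c.Check(primaryKey, NotNil)
			primaryKeyOut = primaryKey
		}
		// Build a minimal KeyData with no handle and no payload so its
		// serialized form can be compared byte for byte below.
		kd, err := sb.NewKeyData(&sb.KeyParams{
			Handle:       nil,
			Role:         "run",
			PlatformName: "fakePlatform",
			KDFAlg:       crypto.SHA256,
		})
		c.Assert(err, IsNil)
		return kd, primaryKeyOut, []byte("unlock-key"), nil
	})
	defer restore()

	protectorKey, err := keys.NewProtectorKey()
	c.Assert(err, IsNil)

	var primaryKeyIn []byte
	if !tc.nilPrimaryKey {
		primaryKeyIn = []byte("primary-in")
	}

	protectedKey, primaryKeyOut, unlockKey, err := protectorKey.CreateProtectedKey(primaryKeyIn)
	c.Assert(err, IsNil)
	if tc.nilPrimaryKey {
		c.Check(primaryKeyOut, DeepEquals, []byte("generated-primary-key"))
	} else {
		c.Check(primaryKeyOut, DeepEquals, []byte("primary-in"))
	}
	c.Check(unlockKey, DeepEquals, []byte("unlock-key"))

	// Serialize the protected key. The Write error is asserted rather than
	// dropped, so a failed write is reported as such instead of surfacing
	// only as a mismatched payload in the next check.
	kdw := NewMyKeyDataWriter()
	c.Assert(protectedKey.Write(kdw), IsNil)
	c.Check(string(kdw.Bytes()), Equals, `{"generation":2,"platform_name":"fakePlatform","platform_handle":null,"role":"run","kdf_alg":"sha256","encrypted_payload":null}`+"\n")

	// "somedir" does not exist under the fresh temp root, so a successful
	// save also shows that SaveToFile creates missing parent directories.
	root := c.MkDir()
	path := filepath.Join(root, "somedir", "somefile")
	c.Assert(protectorKey.SaveToFile(path), IsNil)

	savedKey, err := os.ReadFile(path)
	c.Assert(err, IsNil)
	c.Check(savedKey, DeepEquals, []byte(protectorKey))
	// NOTE(review): the protector key is secret material, but this test does
	// not check the mode of the saved file. Once SaveToFile's intended mode
	// is confirmed, an os.Stat based check that group/other bits are clear
	// would pin that property.
}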
// TestPlainKey runs the plain key round trip with a caller supplied
// primary key.
func (s *plainkeySuite) TestPlainKey(c *C) {
	tc := testCase{}
	s.testPlainKey(c, &tc)
}
// TestPlainKeyNilPrimaryKeyIn runs the round trip without a primary key,
// so the (mocked) secboot layer has to generate one.
func (s *plainkeySuite) TestPlainKeyNilPrimaryKeyIn(c *C) {
	tc := testCase{nilPrimaryKey: true}
	s.testPlainKey(c, &tc)
}