1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
|
#!/bin/sh
# Create a-test environment for sopv: Stateless OpenPGP
# implementation Verification-only subset. This needs a
# signing-capable SOP implementation to work.
# https://datatracker.ietf.org/doc/draft-dkg-openpgp-stateless-cli/
# Author: Daniel Kahn Gillmor
# License: CC-0
set -e
unset USE_DEFAULT_PROFILES
if [ "$1" = "--default-profile" ]; then
USE_DEFAULT_PROFILES=true
shift
fi
SOP=$1
if [ -z "$SOP" ]; then
cat >&2 <<EOF
Usage: $0 [--default-profile] [--clean|SOP]
SOP should refer (either by \$PATH or by absolute path) to an
implementation of the Stateless OpenPGP command-line interface.
https://datatracker.ietf.org/doc/draft-dkg-openpgp-stateless-cli/
This will build a list of files in the current directory which can be
used with ./test-sopv to confirm support for the sopv subset.
If --clean is provided, destroy the list of files for testing sopv.
Normally, the default generate-key profile will be used for Alice, and
the second listed profile will be used for Bob. If --default-profile
is provided, the default profile will be used for both Alice and Bob.
EOF
exit 1
fi
objs() {
for s in .bin ''; do
printf "%s\n" alice.cert$s bob.cert$s both.cert$s
for m in text binary; do
for u in alice bob both; do
for o in sig inlinesigned; do
printf "%s\n" msg.$m.$u.$o$s
done
done
done
done
for u in alice bob both; do
printf "%s\n" msg.text.$u.csf
done
printf "%s\n" msg.text msg.binary alice.key bob.key
printf "%s\n" expired.cert valid-from-expired.sig invalid-from-expired.sig timetravel-from-expired.sig
printf "%s\n" baseline.cert baseline.sig baseline-revoked.cert
}
if [ "$SOP" = --clean ]; then
rm -f $(objs)
exit 0
fi
sop() {
"$SOP" "$@"
}
# use the first two profiles for the keys, reusing the default
# if zero or one exists
if [ "$USE_DEFAULT_PROFILES" = "true" ]; then
profiles=$(echo default && echo default)
else
profiles=$(sop list-profiles generate-key | cut -f1 -d: && \
echo default && echo default)
fi
profile_line=1
for uid in alice bob; do
profile=$(printf "%s\n" "$profiles" | sed -n ${profile_line}p)
profile_line=$(( $profile_line + 1 ))
if [ "$profile" = default ]; then
profile=
else
profile=--profile=$profile
fi
sop generate-key --signing-only $profile "$uid" \
> "$uid.key"
sop extract-cert < "$uid.key" > "$uid.cert"
sop dearmor < "$uid.cert" > "$uid.cert.bin"
done
cat alice.cert.bin bob.cert.bin > both.cert.bin
sop armor < both.cert.bin > both.cert
cat > msg.text <<EOF
This is the signed message for the sopv test suite.
It should test the following things:
- Messages using the cleartext signing framework (CSF)
- Text-based signatures (armored and non-armored)
- Binary data signatures (armored and non-armored)
- Multiple certificates per CERTS or INLINESIGNED
- Unknown signatures in a CERTS
- @ENV as CERTS or SIGNATURES input
- @FD as CERTS or SIGNATURES input
- @FD as --verifications-out
- UTF-8 data (💣)
- Armored and non-armored OpenPGP certificates
Please confirm!
EOF
base64 -d > msg.binary <<EOF
AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4v
MDEyMzQ1Njc4OTo7PD0+P0BBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWltcXV5f
YFNPUFYgaXMgdGhlIFN0YXRlbGVzcyBPcGVuUEdQIFZlcmlmaWNhdGlvbiBTdWJz
ZXTimaVhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5ent8fX5/gIGCg4SFhoeIiYqL
jI2Oj5CRkpOUlZaXmJmam5ydnp+goaKjpKWmp6ipqqusra6vsLGys7S1tre4ubq7
vL2+v8DBwsPExcbHyMnKy8zNzs/Q0dLT1NXW19jZ2tvc3d7f4OHi4+Tl5ufo6err
7O3u7/Dx8vP09fb3+Pn6+/z9/v8=
EOF
# generated by ./generate-sopv-test-static-objects
cat > expired.cert <<EOF
-----BEGIN PGP PUBLIC KEY BLOCK-----
xjMEXgvhABYJKwYBBAHaRw8BAQdAsaTsNjmaCYylGOk6y3ZghkilgqGY7Nl7XFl2
LSRSUizNFHRoaXMgY2VydCBpcyBleHBpcmVkwoEEExYIACkFgl4L4QAFCQWkl6AC
mwMCHgAWIQT+ZY0dgTiHcdLO/cnxYLD0zfFAiQAKCRDxYLD0zfFAiYtKAQChYiLC
snvVV3AZUtDIFfSPG6PqqYuTFy0CzwFgAJR6cAD6AjcVWXsOWA6PlsZ4jmoWRWDW
/XQNIGrO5KPK4K4FtQ0=
=uQei
-----END PGP PUBLIC KEY BLOCK-----
EOF
cat > valid-from-expired.sig <<EOF
-----BEGIN PGP SIGNATURE-----
wnUEABYIAB0FgmHO8MAWIQT+ZY0dgTiHcdLO/cnxYLD0zfFAiQAKCRDxYLD0zfFA
iQ+eAP42je5wvtCN4Kfqub1bEhMi1EkioJgAWMcvE0Efa+47fgD9HYe/syBCXQWY
ARbV0lOfTMDwliWs5wPZupuOsBOryAs=
=TUXj
-----END PGP SIGNATURE-----
EOF
cat > invalid-from-expired.sig <<EOF
-----BEGIN PGP SIGNATURE-----
wnUEABYIAB0FgmWSAIAWIQT+ZY0dgTiHcdLO/cnxYLD0zfFAiQAKCRDxYLD0zfFA
iT0jAP9ZZt9UqI4PZtIiiYsXiJ55vT/54KFTnJ1xrrRxMLyeSwEAqwFfzXvpfXS5
eKVJcMG89qIkczZII32Ya+5kbU0JsQg=
=b9rH
-----END PGP SIGNATURE-----
EOF
cat > timetravel-from-expired.sig <<EOF
-----BEGIN PGP SIGNATURE-----
wnUEABYIAB0FglwqWSAWIQT+ZY0dgTiHcdLO/cnxYLD0zfFAiQAKCRDxYLD0zfFA
iWAAAP4tTANTYA6b+9m2UDEy7WhY0Q7IlBXz3Ppjuwf4i9LxJAD/epSvE8lVFHQI
w1vQvheqmIa3JOLhNDen3Wv85SwT4wo=
=zrLP
-----END PGP SIGNATURE-----
EOF
cat > baseline.cert <<EOF
-----BEGIN PGP PUBLIC KEY BLOCK-----
xjMEXgvhABYJKwYBBAHaRw8BAQdArUiK8psA3U3Q8mdO1DZR2UW8XgXBB3VVtHaj
r1UaUFfNJWJhc2VsaW5lIGNlcnRpZmljYXRlLCB3aWxsIGJlIHJldm9rZWTCewQT
FggAIwWCXgvhAAKbAwIeABYhBHGqmGkigo5sDdKjgjk1BkEkKnCVAAoJEDk1BkEk
KnCVUNcBANRfAasPy5lXXFXskfX4yyFx1M1kxX17vxoQEDtB6TrqAQCTyzV4vjUm
Y3tgljlN8iZZd1aJEDaHYY6thPKqE0UACg==
=WsIg
-----END PGP PUBLIC KEY BLOCK-----
EOF
cat > baseline.sig <<EOF
-----BEGIN PGP SIGNATURE-----
wnUEABYIAB0FgmfUYiwWIQRxqphpIoKObA3So4I5NQZBJCpwlQAKCRA5NQZBJCpw
lfW7AQD+/Oc8y6Vgij/CSgZm+Bg74ezJ91K6fCSKlgMsXc/g5AEAv7/kLe1Gdu5u
IA26te6ytPfJAUoiI/Tyw5YYV+CgRQo=
=obH5
-----END PGP SIGNATURE-----
EOF
cat > baseline-revoked.cert <<EOF
-----BEGIN PGP PUBLIC KEY BLOCK-----
xjMEXgvhABYJKwYBBAHaRw8BAQdArUiK8psA3U3Q8mdO1DZR2UW8XgXBB3VVtHaj
r1UaUFfCeAQgFggAIAWCYc7wwAIdABYhBHGqmGkigo5sDdKjgjk1BkEkKnCVAAoJ
EDk1BkEkKnCVwgEA/RAFHGWHBjgEvthbeV13/fdrfSC+5RrrvF50a2haXBuEAQD/
Z2U5Eg/ka5LrjdPLyZfE2+j7+boVD8dQq2b0g8+0D80lYmFzZWxpbmUgY2VydGlm
aWNhdGUsIHdpbGwgYmUgcmV2b2tlZMJ7BBMWCAAjBYJeC+EAApsDAh4AFiEEcaqY
aSKCjmwN0qOCOTUGQSQqcJUACgkQOTUGQSQqcJVQ1wEA1F8Bqw/LmVdcVeyR9fjL
IXHUzWTFfXu/GhAQO0HpOuoBAJPLNXi+NSZje2CWOU3yJll3VokQNodhjq2E8qoT
RQAK
=J9fE
-----END PGP PUBLIC KEY BLOCK-----
EOF
for signer in alice bob; do
for form in text binary; do
sop sign --as=$form $signer.key < msg.$form \
> msg.$form.$signer.sig
sop dearmor < msg.$form.$signer.sig \
> msg.$form.$signer.sig.bin
sop inline-sign --as=$form $signer.key < msg.$form \
> msg.$form.$signer.inlinesigned
sop dearmor < msg.$form.$signer.inlinesigned \
> msg.$form.$signer.inlinesigned.bin
done
sop inline-sign --as=clearsigned $signer.key < msg.text \
> msg.text.$signer.csf
done
for form in text binary; do
sop sign --as=$form alice.key bob.key < msg.$form \
> msg.$form.both.sig
sop dearmor < msg.$form.both.sig > msg.$form.both.sig.bin
sop inline-sign --as=$form alice.key bob.key < msg.$form \
> msg.$form.both.inlinesigned
sop dearmor < msg.$form.both.inlinesigned \
> msg.$form.both.inlinesigned.bin
done
sop inline-sign --as=clearsigned alice.key bob.key \
< msg.text > msg.text.both.csf
if ! ls $(objs) > /dev/null; then
exit 1
fi
|
