
Commit 09f731d

add e2e test
Signed-off-by: Hayden <[email protected]>
1 parent 1de6ec9 commit 09f731d


1 file changed

+97
-18
lines changed


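--- a/test/e2e_test.go
+++ b/test/e2e_test.go
@@ -2804,7 +2804,7 @@ func TestSignBlobNewBundle(t *testing.T) {
 must(verifyBlobCmd.Exec(ctx, blobPath), t)
 }
 
-func TestSignBlobNewBundleNonSHA256(t *testing.T) {
+func TestSignBlobNewBundleManagedKeyNonDefaultAlgorithm(t *testing.T) {
 td1 := t.TempDir()
 
 blob := "someblob"
@@ -2817,30 +2817,109 @@ func TestSignBlobNewBundleNonSHA256(t *testing.T) {
 
 ctx := context.Background()
 
-// Generate ecdsa-p521 key
-_, privKeyPath, pubKeyPath := keypairWithAlgorithm(t, td1, v1.PublicKeyDetails_PKIX_ECDSA_P521_SHA_512)
+tts := []struct {
+algo v1.PublicKeyDetails
+}{
+{v1.PublicKeyDetails_PKIX_ECDSA_P384_SHA_384},
+{v1.PublicKeyDetails_PKIX_ECDSA_P521_SHA_512},
+{v1.PublicKeyDetails_PKIX_RSA_PKCS1V15_2048_SHA256},
+{v1.PublicKeyDetails_PKIX_RSA_PKCS1V15_3072_SHA256},
+{v1.PublicKeyDetails_PKIX_RSA_PKCS1V15_4096_SHA256},
+{v1.PublicKeyDetails_PKIX_ED25519_PH}, // Only prehash variant is supported
+}
+for _, tt := range tts {
+_, privKeyPath, pubKeyPath := keypairWithAlgorithm(t, td1, tt.algo)
 
-ko := options.KeyOpts{
-KeyRef: privKeyPath,
-PassFunc: passFunc,
-BundlePath: bundlePath,
-NewBundleFormat: true,
+ko := options.KeyOpts{
+KeyRef: privKeyPath,
+PassFunc: passFunc,
+BundlePath: bundlePath,
+NewBundleFormat: true,
+}
+if _, err := sign.SignBlobCmd(ro, ko, blobPath, true, "", "", false); err != nil {
+t.Fatal(err)
+}
+algDetails, err := signature.GetAlgorithmDetails(tt.algo)
+if err != nil {
+t.Fatal(err)
+}
+
+ko1 := options.KeyOpts{
+KeyRef: pubKeyPath,
+BundlePath: bundlePath,
+NewBundleFormat: true,
+}
+verifyBlobCmd := cliverify.VerifyBlobCmd{
+KeyOpts: ko1,
+IgnoreTlog: true,
+HashAlgorithm: algDetails.GetHashType(),
+}
+must(verifyBlobCmd.Exec(ctx, blobPath), t)
 }
-if _, err := sign.SignBlobCmd(ro, ko, blobPath, true, "", "", false); err != nil {
+}
+
+func TestAttestBlobNewBundleManagedKeyNonDefaultAlgorithm(t *testing.T) {
+td := t.TempDir()
+blob := "someblob"
+bp := filepath.Join(td, blob)
+if err := os.WriteFile(bp, []byte(blob), 0600); err != nil {
 t.Fatal(err)
 }
+// Sign an attestation
+statement := `{"_type":"https://in-toto.io/Statement/v1","subject":[{"name":"someblob","digest":{"alg":"7e9b6e7ba2842c91cf49f3e214d04a7a496f8214356f41d81a6e6dcad11f11e3"}}],"predicateType":"something","predicate":{}}`
+attestDir := t.TempDir()
+statementPath := filepath.Join(attestDir, "statement")
+if err := os.WriteFile(statementPath, []byte(statement), 0644); err != nil {
+t.Fatal(err)
+}
+attBundlePath := filepath.Join(attestDir, "attest.bundle.json")
 
-ko1 := options.KeyOpts{
-KeyRef: pubKeyPath,
-BundlePath: bundlePath,
-NewBundleFormat: true,
+ctx := context.Background()
+
+tts := []struct {
+algo v1.PublicKeyDetails
+}{
+{v1.PublicKeyDetails_PKIX_ECDSA_P384_SHA_384},
+{v1.PublicKeyDetails_PKIX_ECDSA_P521_SHA_512},
+{v1.PublicKeyDetails_PKIX_RSA_PKCS1V15_2048_SHA256},
+{v1.PublicKeyDetails_PKIX_RSA_PKCS1V15_3072_SHA256},
+{v1.PublicKeyDetails_PKIX_RSA_PKCS1V15_4096_SHA256},
+{v1.PublicKeyDetails_PKIX_ED25519}, // Only pure variant is supported
 }
-verifyBlobCmd := cliverify.VerifyBlobCmd{
-KeyOpts: ko1,
-IgnoreTlog: true,
-HashAlgorithm: crypto.SHA512,
+for _, tt := range tts {
+_, privKeyPath, pubKeyPath := keypairWithAlgorithm(t, td, tt.algo)
+
+ko := options.KeyOpts{
+KeyRef: privKeyPath,
+PassFunc: passFunc,
+BundlePath: attBundlePath,
+NewBundleFormat: true,
+}
+
+algDetails, err := signature.GetAlgorithmDetails(tt.algo)
+if err != nil {
+t.Fatal(err)
+}
+
+attestBlobCmd := attest.AttestBlobCommand{
+KeyOpts: ko,
+RekorEntryType: "dsse",
+StatementPath: statementPath,
+}
+must(attestBlobCmd.Exec(ctx, bp), t)
+
+// Verify an attestation
+ko.KeyRef = pubKeyPath
+verifyBlobAttestationCmd := cliverify.VerifyBlobAttestationCommand{
+KeyOpts: ko,
+UseSignedTimestamps: true,
+Digest: "7e9b6e7ba2842c91cf49f3e214d04a7a496f8214356f41d81a6e6dcad11f11e3",
+DigestAlg: "alg",
+CheckClaims: true,
+HashAlgorithm: algDetails.GetHashType(),
+}
+must(verifyBlobAttestationCmd.Exec(ctx, ""), t)
 }
-must(verifyBlobCmd.Exec(ctx, blobPath), t)
 }
 
 func TestSignBlobNewBundleNonDefaultAlgorithm(t *testing.T) {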
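Review bot: Both loops assert only that verification succeeds, so a verifier that accepted any bundle for these algorithms would still pass; after `must(verifyBlobCmd.Exec(ctx, blobPath), t)` and `must(verifyBlobAttestationCmd.Exec(ctx, ""), t)` each iteration should also assert one rejection, for example `if err := verifyBlobCmd.Exec(ctx, otherBlobPath); err == nil { t.Fatal("verification of a different blob succeeded") }`, where `otherBlobPath` is a second file the test writes with different content. The attestation case also passes a fixed `Digest` with `DigestAlg: "alg"` and an empty blob path, so it appears to check the claim against the supplied string rather than the bytes in `bp`; a short comment saying that is intentional would help. Wrapping each loop body in `t.Run(tt.algo.String(), func(t *testing.T) { ... })` would name the failing algorithm and let the remaining algorithms run after a `t.Fatal`. The set-up of `ro`, `blobPath` and `bundlePath` in the first test lies between the two hunks and is not visible here.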
