test: Add a test in the TUF client pkg for the hex to ECDSA key forma…

…t migration (#676) * wip: add testadata for migratory root Signed-off-by: Asra Ali <asraa@google.com> update Signed-off-by: Asra Ali <asraa@google.com> * test: add a test for the hex to pem ecdsa migration Signed-off-by: Asra Ali <asraa@google.com> fix Signed-off-by: Asra Ali <asraa@google.com> Signed-off-by: Asra Ali <asraa@google.com>
sigstore · Sep 13, 2022 · 94ecfea · 94ecfea
1 parent 6c7cc8d
commit 94ecfea
Show file tree

Hide file tree

Showing 10 changed files with 415 additions and 9 deletions.
diff --git a/pkg/tuf/client_test.go b/pkg/tuf/client_test.go
@@ -61,7 +61,7 @@ func TestNewFromEnv(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	checkTargetsAndMeta(t, tuf)
+	checkTargetsAndMeta(t, tuf, targets)
 	resetForTests()
 
 	// Now try with expired targets
@@ -70,7 +70,7 @@ func TestNewFromEnv(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	checkTargetsAndMeta(t, tuf)
+	checkTargetsAndMeta(t, tuf, targets)
 	resetForTests()
 
 	if err := Initialize(ctx, DefaultRemoteRoot, nil); err != nil {
@@ -85,7 +85,7 @@ func TestNewFromEnv(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	checkTargetsAndMeta(t, tuf)
+	checkTargetsAndMeta(t, tuf, targets)
 	resetForTests()
 }
 
@@ -101,7 +101,7 @@ func TestNoCache(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	checkTargetsAndMeta(t, tuf)
+	checkTargetsAndMeta(t, tuf, targets)
 	resetForTests()
 
 	// Force expiration so we have some content to download
@@ -111,7 +111,7 @@ func TestNoCache(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	checkTargetsAndMeta(t, tuf)
+	checkTargetsAndMeta(t, tuf, targets)
 	resetForTests()
 
 	// No filesystem writes when using SIGSTORE_NO_CACHE.
@@ -138,7 +138,7 @@ func TestCache(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	checkTargetsAndMeta(t, tuf)
+	checkTargetsAndMeta(t, tuf, targets)
 	resetForTests()
 	cachedDirLen := dirLen(t, td)
 	if cachedDirLen == 0 {
@@ -167,7 +167,7 @@ func TestCache(t *testing.T) {
 	if l := dirLen(t, td); l != cachedDirLen {
 		t.Errorf("expected filesystem writes, got %d entries", l)
 	}
-	checkTargetsAndMeta(t, tuf)
+	checkTargetsAndMeta(t, tuf, targets)
 	resetForTests()
 }
 
@@ -426,10 +426,10 @@ func TestUpdatedTargetNamesEmbedded(t *testing.T) {
 	}
 }
 
-func checkTargetsAndMeta(t *testing.T, tuf *TUF) {
+func checkTargetsAndMeta(t *testing.T, tuf *TUF, expected []string) {
 	// Check the targets
 	t.Helper()
-	for _, target := range targets {
+	for _, target := range expected {
 		if _, err := tuf.GetTarget(target); err != nil {
 			t.Fatal(err)
 		}
@@ -645,3 +645,39 @@ func TestConcurrentAccess(t *testing.T) {
 	wg.Wait()
 	resetForTests()
 }
+
+func TestKeyFormatMigration(t *testing.T) {
+	// Override the expiration time so the test doesn't fail on
+	// expiration.
+	oldIsExpired := verify.IsExpired
+	verify.IsExpired = func(_ time.Time) bool { return false }
+	defer func() {
+		verify.IsExpired = oldIsExpired
+	}()
+	td := t.TempDir()
+	ctx := context.Background()
+	// Set the TUF_ROOT so we don't interact with other tests and local TUF roots.
+	t.Setenv("TUF_ROOT", td)
+
+	// Serve remote repository.
+	s := httptest.NewServer(
+		http.FileServer(http.Dir("./test_data/hex_to_ecdsa_migration")))
+	defer s.Close()
+
+	rootBytes, err := os.ReadFile("./test_data/hex_to_ecdsa_migration/1.root.json")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if err := Initialize(ctx, s.URL, rootBytes); err != nil {
+		t.Error(err)
+	}
+
+	defer resetForTests()
+
+	tuf, err := NewFromEnv(ctx)
+	if err != nil {
+		t.Fatal(err)
+	}
+	checkTargetsAndMeta(t, tuf, []string{"fulcio.crt.pem"})
+}
diff --git a/pkg/tuf/test_data/hex_to_ecdsa_migration/1.root.json b/pkg/tuf/test_data/hex_to_ecdsa_migration/1.root.json
@@ -0,0 +1,87 @@
+{
+  "signed": {
+    "_type": "root",
+    "spec_version": "1.0",
+    "version": 1,
+    "expires": "2022-12-08T17:26:05Z",
+    "keys": {
+      "04add5f7774bed64bae1a44fddb436cd66f630a879950cd4c3c5f5a8dcb69a75": {
+        "keytype": "ed25519",
+        "scheme": "ed25519",
+        "keyid_hash_algorithms": [
+          "sha256",
+          "sha512"
+        ],
+        "keyval": {
+          "public": "bc46288ad651147bce0285b0082cb4cd934e232e9f0a2b83bfd69cbf849d7356"
+        }
+      },
+      "5c9ed687d43d731bb5048afcbb4f766deadbc8111255ec337637da1a45374347": {
+        "keytype": "ed25519",
+        "scheme": "ed25519",
+        "keyid_hash_algorithms": [
+          "sha256",
+          "sha512"
+        ],
+        "keyval": {
+          "public": "c2fffff49d7364960f59727adf0295b171709eec578700fd35a2d8123fa5747d"
+        }
+      },
+      "912a13157d911e2176fbeaf319b7029171490b92ca9b65fcef7006336f5929e4": {
+        "keytype": "ecdsa-sha2-nistp256",
+        "scheme": "ecdsa-sha2-nistp256",
+        "keyid_hash_algorithms": [
+          "sha256",
+          "sha512"
+        ],
+        "keyval": {
+          "public": "04514c95b6170cbcf1a9ffeed93def29420d9dffa6194e96d379cd37a2c858f2b6a19e91be32ac99256c5c9bcdf3c061a8faf8132177a31ced5bf1be327b932ec0"
+        }
+      },
+      "959ffa7b34b7c47f351eb886e888a52fade0045c17a0a484e1c41736047f4b79": {
+        "keytype": "ed25519",
+        "scheme": "ed25519",
+        "keyid_hash_algorithms": [
+          "sha256",
+          "sha512"
+        ],
+        "keyval": {
+          "public": "449f56ec5d9de1ec4c831e4cf8e6653130602ed3bdbab7f65d63442530d5f941"
+        }
+      }
+    },
+    "roles": {
+      "root": {
+        "keyids": [
+          "912a13157d911e2176fbeaf319b7029171490b92ca9b65fcef7006336f5929e4"
+        ],
+        "threshold": 1
+      },
+      "snapshot": {
+        "keyids": [
+          "5c9ed687d43d731bb5048afcbb4f766deadbc8111255ec337637da1a45374347"
+        ],
+        "threshold": 1
+      },
+      "targets": {
+        "keyids": [
+          "959ffa7b34b7c47f351eb886e888a52fade0045c17a0a484e1c41736047f4b79"
+        ],
+        "threshold": 1
+      },
+      "timestamp": {
+        "keyids": [
+          "04add5f7774bed64bae1a44fddb436cd66f630a879950cd4c3c5f5a8dcb69a75"
+        ],
+        "threshold": 1
+      }
+    },
+    "consistent_snapshot": false
+  },
+  "signatures": [
+    {
+      "keyid": "912a13157d911e2176fbeaf319b7029171490b92ca9b65fcef7006336f5929e4",
+      "sig": "304502204f21aa89a7b8e44cf9a7a98d145831de734438d8de24ecf6dd777c1bc7762550022100fcbde7461b93b1ba1a00487cad7f102e6100257f59c0071e4a3a1f39789c10d3"
+    }
+  ]
+}
diff --git a/pkg/tuf/test_data/hex_to_ecdsa_migration/2.root.json b/pkg/tuf/test_data/hex_to_ecdsa_migration/2.root.json
@@ -0,0 +1,91 @@
+{
+  "signed": {
+    "_type": "root",
+    "spec_version": "1.0",
+    "version": 2,
+    "expires": "2023-09-08T16:26:05Z",
+    "keys": {
+      "04add5f7774bed64bae1a44fddb436cd66f630a879950cd4c3c5f5a8dcb69a75": {
+        "keytype": "ed25519",
+        "scheme": "ed25519",
+        "keyid_hash_algorithms": [
+          "sha256",
+          "sha512"
+        ],
+        "keyval": {
+          "public": "bc46288ad651147bce0285b0082cb4cd934e232e9f0a2b83bfd69cbf849d7356"
+        }
+      },
+      "5c9ed687d43d731bb5048afcbb4f766deadbc8111255ec337637da1a45374347": {
+        "keytype": "ed25519",
+        "scheme": "ed25519",
+        "keyid_hash_algorithms": [
+          "sha256",
+          "sha512"
+        ],
+        "keyval": {
+          "public": "c2fffff49d7364960f59727adf0295b171709eec578700fd35a2d8123fa5747d"
+        }
+      },
+      "959ffa7b34b7c47f351eb886e888a52fade0045c17a0a484e1c41736047f4b79": {
+        "keytype": "ed25519",
+        "scheme": "ed25519",
+        "keyid_hash_algorithms": [
+          "sha256",
+          "sha512"
+        ],
+        "keyval": {
+          "public": "449f56ec5d9de1ec4c831e4cf8e6653130602ed3bdbab7f65d63442530d5f941"
+        }
+      },
+      "c4bfacf273fa543cdf24951a173d09f06d69badbd55ed8b67ff42e5a27250643": {
+        "keytype": "ecdsa-sha2-nistp256",
+        "scheme": "ecdsa-sha2-nistp256",
+        "keyid_hash_algorithms": [
+          "sha256",
+          "sha512"
+        ],
+        "keyval": {
+          "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEUUyVthcMvPGp/+7ZPe8pQg2d/6YZ\nTpbTec03oshY8rahnpG+MqyZJWxcm83zwGGo+vgTIXejHO1b8b4ye5MuwA==\n-----END PUBLIC KEY-----\n"
+        }
+      }
+    },
+    "roles": {
+      "root": {
+        "keyids": [
+          "c4bfacf273fa543cdf24951a173d09f06d69badbd55ed8b67ff42e5a27250643"
+        ],
+        "threshold": 1
+      },
+      "snapshot": {
+        "keyids": [
+          "5c9ed687d43d731bb5048afcbb4f766deadbc8111255ec337637da1a45374347"
+        ],
+        "threshold": 1
+      },
+      "targets": {
+        "keyids": [
+          "959ffa7b34b7c47f351eb886e888a52fade0045c17a0a484e1c41736047f4b79"
+        ],
+        "threshold": 1
+      },
+      "timestamp": {
+        "keyids": [
+          "04add5f7774bed64bae1a44fddb436cd66f630a879950cd4c3c5f5a8dcb69a75"
+        ],
+        "threshold": 1
+      }
+    },
+    "consistent_snapshot": false
+  },
+  "signatures": [
+    {
+      "keyid": "912a13157d911e2176fbeaf319b7029171490b92ca9b65fcef7006336f5929e4",
+      "sig": "3044022069611604106fd24f2911ce73d27efda501e8de765f5cc9df289397a428eb095602202aa68fcb00c0ceb87d12ff1b680b8c1b9ca9aef996ebf69a46d235591878f378"
+    },
+    {
+      "keyid": "c4bfacf273fa543cdf24951a173d09f06d69badbd55ed8b67ff42e5a27250643",
+      "sig": "30460221009da029a6837e4be205ea2a5ad1c3de59ba6612580f7248c5cd54ea232fbadf43022100dc9789013fb1d9697dc75ea098a124d3d7780b5a7b405ddbd55eb98ee5975591"
+    }
+  ]
+}
diff --git a/pkg/tuf/test_data/hex_to_ecdsa_migration/root.json b/pkg/tuf/test_data/hex_to_ecdsa_migration/root.json
@@ -0,0 +1,91 @@
+{
+  "signed": {
+    "_type": "root",
+    "spec_version": "1.0",
+    "version": 2,
+    "expires": "2023-09-08T16:26:05Z",
+    "keys": {
+      "04add5f7774bed64bae1a44fddb436cd66f630a879950cd4c3c5f5a8dcb69a75": {
+        "keytype": "ed25519",
+        "scheme": "ed25519",
+        "keyid_hash_algorithms": [
+          "sha256",
+          "sha512"
+        ],
+        "keyval": {
+          "public": "bc46288ad651147bce0285b0082cb4cd934e232e9f0a2b83bfd69cbf849d7356"
+        }
+      },
+      "5c9ed687d43d731bb5048afcbb4f766deadbc8111255ec337637da1a45374347": {
+        "keytype": "ed25519",
+        "scheme": "ed25519",
+        "keyid_hash_algorithms": [
+          "sha256",
+          "sha512"
+        ],
+        "keyval": {
+          "public": "c2fffff49d7364960f59727adf0295b171709eec578700fd35a2d8123fa5747d"
+        }
+      },
+      "959ffa7b34b7c47f351eb886e888a52fade0045c17a0a484e1c41736047f4b79": {
+        "keytype": "ed25519",
+        "scheme": "ed25519",
+        "keyid_hash_algorithms": [
+          "sha256",
+          "sha512"
+        ],
+        "keyval": {
+          "public": "449f56ec5d9de1ec4c831e4cf8e6653130602ed3bdbab7f65d63442530d5f941"
+        }
+      },
+      "c4bfacf273fa543cdf24951a173d09f06d69badbd55ed8b67ff42e5a27250643": {
+        "keytype": "ecdsa-sha2-nistp256",
+        "scheme": "ecdsa-sha2-nistp256",
+        "keyid_hash_algorithms": [
+          "sha256",
+          "sha512"
+        ],
+        "keyval": {
+          "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEUUyVthcMvPGp/+7ZPe8pQg2d/6YZ\nTpbTec03oshY8rahnpG+MqyZJWxcm83zwGGo+vgTIXejHO1b8b4ye5MuwA==\n-----END PUBLIC KEY-----\n"
+        }
+      }
+    },
+    "roles": {
+      "root": {
+        "keyids": [
+          "c4bfacf273fa543cdf24951a173d09f06d69badbd55ed8b67ff42e5a27250643"
+        ],
+        "threshold": 1
+      },
+      "snapshot": {
+        "keyids": [
+          "5c9ed687d43d731bb5048afcbb4f766deadbc8111255ec337637da1a45374347"
+        ],
+        "threshold": 1
+      },
+      "targets": {
+        "keyids": [
+          "959ffa7b34b7c47f351eb886e888a52fade0045c17a0a484e1c41736047f4b79"
+        ],
+        "threshold": 1
+      },
+      "timestamp": {
+        "keyids": [
+          "04add5f7774bed64bae1a44fddb436cd66f630a879950cd4c3c5f5a8dcb69a75"
+        ],
+        "threshold": 1
+      }
+    },
+    "consistent_snapshot": false
+  },
+  "signatures": [
+    {
+      "keyid": "912a13157d911e2176fbeaf319b7029171490b92ca9b65fcef7006336f5929e4",
+      "sig": "3044022069611604106fd24f2911ce73d27efda501e8de765f5cc9df289397a428eb095602202aa68fcb00c0ceb87d12ff1b680b8c1b9ca9aef996ebf69a46d235591878f378"
+    },
+    {
+      "keyid": "c4bfacf273fa543cdf24951a173d09f06d69badbd55ed8b67ff42e5a27250643",
+      "sig": "30460221009da029a6837e4be205ea2a5ad1c3de59ba6612580f7248c5cd54ea232fbadf43022100dc9789013fb1d9697dc75ea098a124d3d7780b5a7b405ddbd55eb98ee5975591"
+    }
+  ]
+}