diff --git a/pkg/tuf/client_test.go b/pkg/tuf/client_test.go
index be128c32f..ddb5745bd 100644
--- a/pkg/tuf/client_test.go
+++ b/pkg/tuf/client_test.go
@@ -62,7 +62,7 @@ func TestNewFromEnv(t *testing.T) {
 t.Fatal(err)
 }
- checkTargetsAndMeta(t, tuf)
+ checkTargetsAndMeta(t, tuf, targets)
 resetForTests()
 // Now try with expired targets
@@ -71,7 +71,7 @@ func TestNewFromEnv(t *testing.T) {
 if err != nil {
 t.Fatal(err)
 }
- checkTargetsAndMeta(t, tuf)
+ checkTargetsAndMeta(t, tuf, targets)
 resetForTests()
 if err := Initialize(ctx, DefaultRemoteRoot, nil); err != nil {
@@ -86,7 +86,7 @@ func TestNewFromEnv(t *testing.T) {
 if err != nil {
 t.Fatal(err)
 }
- checkTargetsAndMeta(t, tuf)
+ checkTargetsAndMeta(t, tuf, targets)
 resetForTests()
 }
@@ -102,7 +102,7 @@ func TestNoCache(t *testing.T) {
 if err != nil {
 t.Fatal(err)
 }
- checkTargetsAndMeta(t, tuf)
+ checkTargetsAndMeta(t, tuf, targets)
 resetForTests()
 // Force expiration so we have some content to download
@@ -112,7 +112,7 @@ func TestNoCache(t *testing.T) {
 if err != nil {
 t.Fatal(err)
 }
- checkTargetsAndMeta(t, tuf)
+ checkTargetsAndMeta(t, tuf, targets)
 resetForTests()
 // No filesystem writes when using SIGSTORE_NO_CACHE.
@@ -139,7 +139,7 @@ func TestCache(t *testing.T) {
 if err != nil {
 t.Fatal(err)
 }
- checkTargetsAndMeta(t, tuf)
+ checkTargetsAndMeta(t, tuf, targets)
 resetForTests()
 cachedDirLen := dirLen(t, td)
 if cachedDirLen == 0 {
@@ -168,7 +168,7 @@ func TestCache(t *testing.T) {
 if l := dirLen(t, td); l != cachedDirLen {
 t.Errorf("expected filesystem writes, got %d entries", l)
 }
- checkTargetsAndMeta(t, tuf)
+ checkTargetsAndMeta(t, tuf, targets)
 resetForTests()
 }
@@ -427,10 +427,10 @@ func TestUpdatedTargetNamesEmbedded(t *testing.T) {
 }
 }
-func checkTargetsAndMeta(t *testing.T, tuf *TUF) {
+func checkTargetsAndMeta(t *testing.T, tuf *TUF, expected []string) {
 // Check the targets
 t.Helper()
- for _, target := range targets {
+ for _, target := range expected {
 if _, err := tuf.GetTarget(target); err != nil {
 t.Fatal(err)
 }
@@ -646,3 +646,39 @@ func TestConcurrentAccess(t *testing.T) {
 wg.Wait()
 resetForTests()
 }
+
+func TestKeyFormatMigration(t *testing.T) {
+ // Override the expiration time so the test doesn't fail on
+ // expiration.
+ oldIsExpired := verify.IsExpired
+ verify.IsExpired = func(_ time.Time) bool { return false }
+ defer func() {
+ verify.IsExpired = oldIsExpired
+ }()
+ td := t.TempDir()
+ ctx := context.Background()
+ // Set the TUF_ROOT so we don't interact with other tests and local TUF roots.
+ t.Setenv("TUF_ROOT", td)
+
+ // Serve remote repository.
+ s := httptest.NewServer(
+ http.FileServer(http.Dir("./test_data/hex_to_ecdsa_migration")))
+ defer s.Close()
+
+ rootBytes, err := os.ReadFile("./test_data/hex_to_ecdsa_migration/1.root.json")
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ if err := Initialize(ctx, s.URL, rootBytes); err != nil {
+ t.Error(err)
+ }
+
+ defer resetForTests()
+
+ tuf, err := NewFromEnv(ctx)
+ if err != nil {
+ t.Fatal(err)
+ }
+ checkTargetsAndMeta(t, tuf, []string{"fulcio.crt.pem"})
+}
diff --git a/pkg/tuf/test_data/hex_to_ecdsa_migration/1.root.json b/pkg/tuf/test_data/hex_to_ecdsa_migration/1.root.json
new file mode 100644
index 000000000..7f13e2c4f
--- /dev/null
+++ b/pkg/tuf/test_data/hex_to_ecdsa_migration/1.root.json
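Review bot: In TestKeyFormatMigration a failing `Initialize` only records `t.Error(err)` and execution continues into `NewFromEnv`, so the reported failure is the downstream one rather than the root-of-trust bootstrap that actually broke; every other error in the function is fatal, so change it to `t.Fatal(err)`, and move `defer resetForTests()` above the `Initialize` call so package state is still reset when that call fails. The fixture rotates the root role from a hex-encoded ECDSA key (1.root.json) to a PEM-encoded one (2.root.json), yet the only assertion is that `fulcio.crt.pem` can be fetched; unless checkTargetsAndMeta already covers it (its body runs past the hunk), an explicit check that the client ended on root version 2 would distinguish a verified migration from a client that silently stays on version 1. The override of the package-level `verify.IsExpired` is observable by any test running at the same time; `t.Setenv` keeps this test itself serial, but if other tests in the package call `t.Parallel()` they would see expiration checking disabled for its duration.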
@@ -0,0 +1,87 @@ +{ + "signed": { + "_type": "root", + "spec_version": "1.0", + "version": 1, + "expires": "2022-12-08T17:26:05Z", + "keys": { + "04add5f7774bed64bae1a44fddb436cd66f630a879950cd4c3c5f5a8dcb69a75": { + "keytype": "ed25519", + "scheme": "ed25519", + "keyid_hash_algorithms": [ + "sha256", + "sha512" + ], + "keyval": { + "public": "bc46288ad651147bce0285b0082cb4cd934e232e9f0a2b83bfd69cbf849d7356" + } + }, + "5c9ed687d43d731bb5048afcbb4f766deadbc8111255ec337637da1a45374347": { + "keytype": "ed25519", + "scheme": "ed25519", + "keyid_hash_algorithms": [ + "sha256", + "sha512" + ], + "keyval": { + "public": "c2fffff49d7364960f59727adf0295b171709eec578700fd35a2d8123fa5747d" + } + }, + "912a13157d911e2176fbeaf319b7029171490b92ca9b65fcef7006336f5929e4": { + "keytype": "ecdsa-sha2-nistp256", + "scheme": "ecdsa-sha2-nistp256", + "keyid_hash_algorithms": [ + "sha256", + "sha512" + ], + "keyval": { + "public": "04514c95b6170cbcf1a9ffeed93def29420d9dffa6194e96d379cd37a2c858f2b6a19e91be32ac99256c5c9bcdf3c061a8faf8132177a31ced5bf1be327b932ec0" + } + }, + "959ffa7b34b7c47f351eb886e888a52fade0045c17a0a484e1c41736047f4b79": { + "keytype": "ed25519", + "scheme": "ed25519", + "keyid_hash_algorithms": [ + "sha256", + "sha512" + ], + "keyval": { + "public": "449f56ec5d9de1ec4c831e4cf8e6653130602ed3bdbab7f65d63442530d5f941" + } + } + }, + "roles": { + "root": { + "keyids": [ + "912a13157d911e2176fbeaf319b7029171490b92ca9b65fcef7006336f5929e4" + ], + "threshold": 1 + }, + "snapshot": { + "keyids": [ + "5c9ed687d43d731bb5048afcbb4f766deadbc8111255ec337637da1a45374347" + ], + "threshold": 1 + }, + "targets": { + "keyids": [ + "959ffa7b34b7c47f351eb886e888a52fade0045c17a0a484e1c41736047f4b79" + ], + "threshold": 1 + }, + "timestamp": { + "keyids": [ + "04add5f7774bed64bae1a44fddb436cd66f630a879950cd4c3c5f5a8dcb69a75" + ], + "threshold": 1 + } + }, + "consistent_snapshot": false + }, + "signatures": [ + { + "keyid": 
"912a13157d911e2176fbeaf319b7029171490b92ca9b65fcef7006336f5929e4", + "sig": "304502204f21aa89a7b8e44cf9a7a98d145831de734438d8de24ecf6dd777c1bc7762550022100fcbde7461b93b1ba1a00487cad7f102e6100257f59c0071e4a3a1f39789c10d3" + } + ] +} \ No newline at end of file diff --git a/pkg/tuf/test_data/hex_to_ecdsa_migration/2.root.json b/pkg/tuf/test_data/hex_to_ecdsa_migration/2.root.json new file mode 100644 index 000000000..5c72f9d0c --- /dev/null +++ b/pkg/tuf/test_data/hex_to_ecdsa_migration/2.root.json 
@@ -0,0 +1,91 @@ +{ + "signed": { + "_type": "root", + "spec_version": "1.0", + "version": 2, + "expires": "2023-09-08T16:26:05Z", + "keys": { + "04add5f7774bed64bae1a44fddb436cd66f630a879950cd4c3c5f5a8dcb69a75": { + "keytype": "ed25519", + "scheme": "ed25519", + "keyid_hash_algorithms": [ + "sha256", + "sha512" + ], + "keyval": { + "public": "bc46288ad651147bce0285b0082cb4cd934e232e9f0a2b83bfd69cbf849d7356" + } + }, + "5c9ed687d43d731bb5048afcbb4f766deadbc8111255ec337637da1a45374347": { + "keytype": "ed25519", + "scheme": "ed25519", + "keyid_hash_algorithms": [ + "sha256", + "sha512" + ], + "keyval": { + "public": "c2fffff49d7364960f59727adf0295b171709eec578700fd35a2d8123fa5747d" + } + }, + "959ffa7b34b7c47f351eb886e888a52fade0045c17a0a484e1c41736047f4b79": { + "keytype": "ed25519", + "scheme": "ed25519", + "keyid_hash_algorithms": [ + "sha256", + "sha512" + ], + "keyval": { + "public": "449f56ec5d9de1ec4c831e4cf8e6653130602ed3bdbab7f65d63442530d5f941" + } + }, + "c4bfacf273fa543cdf24951a173d09f06d69badbd55ed8b67ff42e5a27250643": { + "keytype": "ecdsa-sha2-nistp256", + "scheme": "ecdsa-sha2-nistp256", + "keyid_hash_algorithms": [ + "sha256", + "sha512" + ], + "keyval": { + "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEUUyVthcMvPGp/+7ZPe8pQg2d/6YZ\nTpbTec03oshY8rahnpG+MqyZJWxcm83zwGGo+vgTIXejHO1b8b4ye5MuwA==\n-----END PUBLIC KEY-----\n" + } + } + }, + "roles": { + "root": { + "keyids": [ + "c4bfacf273fa543cdf24951a173d09f06d69badbd55ed8b67ff42e5a27250643" + ], + "threshold": 1 + }, + "snapshot": { + "keyids": [ + "5c9ed687d43d731bb5048afcbb4f766deadbc8111255ec337637da1a45374347" + ], + "threshold": 1 + }, + "targets": { + "keyids": [ + "959ffa7b34b7c47f351eb886e888a52fade0045c17a0a484e1c41736047f4b79" + ], + "threshold": 1 + }, + "timestamp": { + "keyids": [ + "04add5f7774bed64bae1a44fddb436cd66f630a879950cd4c3c5f5a8dcb69a75" + ], + "threshold": 1 + } + }, + "consistent_snapshot": false + }, + "signatures": [ + { + "keyid": 
"912a13157d911e2176fbeaf319b7029171490b92ca9b65fcef7006336f5929e4", + "sig": "3044022069611604106fd24f2911ce73d27efda501e8de765f5cc9df289397a428eb095602202aa68fcb00c0ceb87d12ff1b680b8c1b9ca9aef996ebf69a46d235591878f378" + }, + { + "keyid": "c4bfacf273fa543cdf24951a173d09f06d69badbd55ed8b67ff42e5a27250643", + "sig": "30460221009da029a6837e4be205ea2a5ad1c3de59ba6612580f7248c5cd54ea232fbadf43022100dc9789013fb1d9697dc75ea098a124d3d7780b5a7b405ddbd55eb98ee5975591" + } + ] +} \ No newline at end of file diff --git a/pkg/tuf/test_data/hex_to_ecdsa_migration/root.json b/pkg/tuf/test_data/hex_to_ecdsa_migration/root.json new file mode 100644 index 000000000..5c72f9d0c --- /dev/null +++ b/pkg/tuf/test_data/hex_to_ecdsa_migration/root.json 
@@ -0,0 +1,91 @@ +{ + "signed": { + "_type": "root", + "spec_version": "1.0", + "version": 2, + "expires": "2023-09-08T16:26:05Z", + "keys": { + "04add5f7774bed64bae1a44fddb436cd66f630a879950cd4c3c5f5a8dcb69a75": { + "keytype": "ed25519", + "scheme": "ed25519", + "keyid_hash_algorithms": [ + "sha256", + "sha512" + ], + "keyval": { + "public": "bc46288ad651147bce0285b0082cb4cd934e232e9f0a2b83bfd69cbf849d7356" + } + }, + "5c9ed687d43d731bb5048afcbb4f766deadbc8111255ec337637da1a45374347": { + "keytype": "ed25519", + "scheme": "ed25519", + "keyid_hash_algorithms": [ + "sha256", + "sha512" + ], + "keyval": { + "public": "c2fffff49d7364960f59727adf0295b171709eec578700fd35a2d8123fa5747d" + } + }, + "959ffa7b34b7c47f351eb886e888a52fade0045c17a0a484e1c41736047f4b79": { + "keytype": "ed25519", + "scheme": "ed25519", + "keyid_hash_algorithms": [ + "sha256", + "sha512" + ], + "keyval": { + "public": "449f56ec5d9de1ec4c831e4cf8e6653130602ed3bdbab7f65d63442530d5f941" + } + }, + "c4bfacf273fa543cdf24951a173d09f06d69badbd55ed8b67ff42e5a27250643": { + "keytype": "ecdsa-sha2-nistp256", + "scheme": "ecdsa-sha2-nistp256", + "keyid_hash_algorithms": [ + "sha256", + "sha512" + ], + "keyval": { + "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEUUyVthcMvPGp/+7ZPe8pQg2d/6YZ\nTpbTec03oshY8rahnpG+MqyZJWxcm83zwGGo+vgTIXejHO1b8b4ye5MuwA==\n-----END PUBLIC KEY-----\n" + } + } + }, + "roles": { + "root": { + "keyids": [ + "c4bfacf273fa543cdf24951a173d09f06d69badbd55ed8b67ff42e5a27250643" + ], + "threshold": 1 + }, + "snapshot": { + "keyids": [ + "5c9ed687d43d731bb5048afcbb4f766deadbc8111255ec337637da1a45374347" + ], + "threshold": 1 + }, + "targets": { + "keyids": [ + "959ffa7b34b7c47f351eb886e888a52fade0045c17a0a484e1c41736047f4b79" + ], + "threshold": 1 + }, + "timestamp": { + "keyids": [ + "04add5f7774bed64bae1a44fddb436cd66f630a879950cd4c3c5f5a8dcb69a75" + ], + "threshold": 1 + } + }, + "consistent_snapshot": false + }, + "signatures": [ + { + "keyid": 
"912a13157d911e2176fbeaf319b7029171490b92ca9b65fcef7006336f5929e4", + "sig": "3044022069611604106fd24f2911ce73d27efda501e8de765f5cc9df289397a428eb095602202aa68fcb00c0ceb87d12ff1b680b8c1b9ca9aef996ebf69a46d235591878f378" + }, + { + "keyid": "c4bfacf273fa543cdf24951a173d09f06d69badbd55ed8b67ff42e5a27250643", + "sig": "30460221009da029a6837e4be205ea2a5ad1c3de59ba6612580f7248c5cd54ea232fbadf43022100dc9789013fb1d9697dc75ea098a124d3d7780b5a7b405ddbd55eb98ee5975591" + } + ] +} \ No newline at end of file diff --git a/pkg/tuf/test_data/hex_to_ecdsa_migration/snapshot.json b/pkg/tuf/test_data/hex_to_ecdsa_migration/snapshot.json new file mode 100644 index 000000000..6ca76c5a2 --- /dev/null +++ b/pkg/tuf/test_data/hex_to_ecdsa_migration/snapshot.json @@ -0,0 +1,23 @@ +{ + "signed": { + "_type": "snapshot", + "spec_version": "1.0", + "version": 2, + "expires": "2022-09-15T16:26:05Z", + "meta": { + "targets.json": { + "length": 1119, + "hashes": { + "sha512": "5c8d8232354bbbe1c41d6963abd3ab8d3eb89751c019365dc7ddfca1cad155b483f17ddadbaaae41e5f91dcd61f184d1c47437bd16fe6f7b7b6bfdfb69171aca" + }, + "version": 1 + } + } + }, + "signatures": [ + { + "keyid": "5c9ed687d43d731bb5048afcbb4f766deadbc8111255ec337637da1a45374347", + "sig": "45d3850bbe78547dc723e8405a8ab2c843998367594e72830f2d7be289e43c74683272132ca6c30046f109ef10699d6adebb65e2e25b0377944937aae9691802" + } + ] +} \ No newline at end of file diff --git a/pkg/tuf/test_data/hex_to_ecdsa_migration/targets.json b/pkg/tuf/test_data/hex_to_ecdsa_migration/targets.json new file mode 100644 index 000000000..abfe8cc62 --- /dev/null +++ b/pkg/tuf/test_data/hex_to_ecdsa_migration/targets.json 
@@ -0,0 +1,34 @@ +{ + "signed": { + "_type": "targets", + "spec_version": "1.0", + "version": 1, + "expires": "2022-12-08T17:26:05Z", + "targets": { + "ctfe.pub": { + "length": 177, + "hashes": { + "sha512": "4b20747d1afe2544238ad38cc0cc3010921b177d60ac743767e0ef675b915489bd01a36606c0ff83c06448622d7160f0d866c83d20f0c0f44653dcc3f9aa0bd4" + } + }, + "fulcio.crt.pem": { + "length": 744, + "hashes": { + "sha512": "0713252a7fd17f7f3ab12f88a64accf2eb14b8ad40ca711d7fe8b4ecba3b24db9e9dffadb997b196d3867b8f9ff217faf930d80e4dab4e235c7fc3f07be69224" + } + }, + "rekor.pub": { + "length": 178, + "hashes": { + "sha512": "0ae7705e02db33e814329746a4a0e5603c5bdcd91c96d072158d71011a2695788866565a2fec0fe363eb72cbcaeda39e54c5fe8d416daf9f3101fdba4217ef35" + } + } + } + }, + "signatures": [ + { + "keyid": "959ffa7b34b7c47f351eb886e888a52fade0045c17a0a484e1c41736047f4b79", + "sig": "883a6e132755eef7d02bc8ffb804b4de32c991da2e8d4960aefb35c6a7746ab6a19cee800c0f8e38efece767293defa13ea5730b3b0285c27c26bde6e721e106" + } + ] +} \ No newline at end of file diff --git a/pkg/tuf/test_data/hex_to_ecdsa_migration/targets/ctfe.pub b/pkg/tuf/test_data/hex_to_ecdsa_migration/targets/ctfe.pub new file mode 100644 index 000000000..1bb1488c9 --- /dev/null +++ b/pkg/tuf/test_data/hex_to_ecdsa_migration/targets/ctfe.pub @@ -0,0 +1,4 @@ +-----BEGIN PUBLIC KEY----- +MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEbfwR+RJudXscgRBRpKX1XFDy3Pyu +dDxz/SfnRi1fT8ekpfBd2O1uoz7jr3Z8nKzxA69EUQ+eFCFI3zeubPWU7w== +-----END PUBLIC KEY----- \ No newline at end of file diff --git a/pkg/tuf/test_data/hex_to_ecdsa_migration/targets/fulcio.crt.pem b/pkg/tuf/test_data/hex_to_ecdsa_migration/targets/fulcio.crt.pem new file mode 100644 index 000000000..6a06ff300 --- /dev/null +++ b/pkg/tuf/test_data/hex_to_ecdsa_migration/targets/fulcio.crt.pem 
@@ -0,0 +1,13 @@ +-----BEGIN CERTIFICATE----- +MIIB+DCCAX6gAwIBAgITNVkDZoCiofPDsy7dfm6geLbuhzAKBggqhkjOPQQDAzAq +MRUwEwYDVQQKEwxzaWdzdG9yZS5kZXYxETAPBgNVBAMTCHNpZ3N0b3JlMB4XDTIx +MDMwNzAzMjAyOVoXDTMxMDIyMzAzMjAyOVowKjEVMBMGA1UEChMMc2lnc3RvcmUu +ZGV2MREwDwYDVQQDEwhzaWdzdG9yZTB2MBAGByqGSM49AgEGBSuBBAAiA2IABLSy +A7Ii5k+pNO8ZEWY0ylemWDowOkNa3kL+GZE5Z5GWehL9/A9bRNA3RbrsZ5i0Jcas +taRL7Sp5fp/jD5dxqc/UdTVnlvS16an+2Yfswe/QuLolRUCrcOE2+2iA5+tzd6Nm +MGQwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYE +FMjFHQBBmiQpMlEk6w2uSu1KBtPsMB8GA1UdIwQYMBaAFMjFHQBBmiQpMlEk6w2u +Su1KBtPsMAoGCCqGSM49BAMDA2gAMGUCMH8liWJfMui6vXXBhjDgY4MwslmN/TJx +Ve/83WrFomwmNf056y1X48F9c4m3a3ozXAIxAKjRay5/aj/jsKKGIkmQatjI8uup +Hr/+CxFvaJWmpYqNkLDGRU+9orzh5hI2RrcuaQ== +-----END CERTIFICATE----- \ No newline at end of file diff --git a/pkg/tuf/test_data/hex_to_ecdsa_migration/targets/rekor.pub b/pkg/tuf/test_data/hex_to_ecdsa_migration/targets/rekor.pub new file mode 100644 index 000000000..050ef6014 --- /dev/null +++ b/pkg/tuf/test_data/hex_to_ecdsa_migration/targets/rekor.pub @@ -0,0 +1,4 @@ +-----BEGIN PUBLIC KEY----- +MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2G2Y+2tabdTV5BcGiBIx0a9fAFwr +kBbmLSGtks4L3qX6yYY0zufBnhC8Ur/iy55GhWP/9A/bY2LhC30M9+RYtw== +-----END PUBLIC KEY----- diff --git a/pkg/tuf/test_data/hex_to_ecdsa_migration/timestamp.json b/pkg/tuf/test_data/hex_to_ecdsa_migration/timestamp.json new file mode 100644 index 000000000..2b8576dfa --- /dev/null +++ b/pkg/tuf/test_data/hex_to_ecdsa_migration/timestamp.json 
@@ -0,0 +1,23 @@ +{ + "signed": { + "_type": "timestamp", + "spec_version": "1.0", + "version": 2, + "expires": "2022-09-09T16:26:05Z", + "meta": { + "snapshot.json": { + "length": 671, + "hashes": { + "sha512": "fd7f2b734ac3d1dbef4d383aa19e3edb2c32248e953963513bf3349417aacb33c960e66f91180860d258bcea928809b00210d3dd3d3b67b0e7231ab82109501d" + }, + "version": 2 + } + } + }, + "signatures": [ + { + "keyid": "04add5f7774bed64bae1a44fddb436cd66f630a879950cd4c3c5f5a8dcb69a75", + "sig": "0d769f97992b69aec1b7582f0fe088248d9e8c02c5e8894d83ccf8c373523a09f5c6331304c5ee5bc832b5ab5f2a4cdbae5fc885d56ff9f711d50c8211327206" + } + ] +} \ No newline at end of file