cbiedl
/
tang


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473
							Subject: Add tests for key manipulation functions
Origin: v7-7-gc71df1d <https://github.com/latchset/tang/commit/v7-7-gc71df1d>
Upstream-Author: Sergio Correia <scorreia@redhat.com>
Date: Fri Nov 27 09:42:38 2020 -0300

    In this commit we add tests for the key manipulation functions added in
    src/keys.{c|h}.

--- /dev/null
+++ b/tests/keys/-bWkGaJi0Zdvxaj4DCp28umLcRA.jwk
@@ -0,0 +1 @@
+{"alg":"ECMR","crv":"P-521","d":"AQ3u1g0L__GIGSJRX1LtjSArwJxxQz0kWXIi-X4PqwoheoeY57cw36pmWmyVsn43jDEZ6SAsiNeIw9sHDkFZe1VV","key_ops":["deriveKey"],"kty":"EC","x":"AcfowrKEKteg_jKX1CiR2RQfbUGJ73KXlcl8AgIDAgN7R6yNKWpKhZNBmV2tAxxMCQcIksqQl17UXwemvH2j2fem","y":"ACrb-y4ZhLIGX-41QYgJhniiZ85qkjILbkVUcC8gBYxOAnKWIpMGLsjrT3AYhM6jk6puwnNYbEM28s2caAEogUcA"}
--- /dev/null
+++ b/tests/keys/.r4E2wG1u_YyKUo0N0rIK7jJF5Xg.jwk
@@ -0,0 +1 @@
+{"alg":"ES512","crv":"P-521","d":"Af5SfYh_4LmBDF9dCGDQRDA52yzqnzDeo-GZU05hpnLr6bsIBTFpc8rdcCm95mhZ59ngC-6WNtmAF_nLCDcHKg0A","key_ops":["sign","verify"],"kty":"EC","x":"AUxS3DXdoONUB-6-nyzdd3V42iD7obGTJ1m40t3V6jzXfABWp_gtTidwiKyDJQXxhEzMSToo-V0RGq6Qz2XTOgPe","y":"AFrkJfkLGJz_2v-k3-wdydckVcBXql2NR66HaF0U9NlcfGLezQau7XihArm4GE3-sHoQLsRa-HvYET9zyd9Syh5y"}
--- /dev/null
+++ b/tests/keys/.uZ0s8YTXcGcuWduWWBSiR2OjOVg.jwk
@@ -0,0 +1 @@
+{"alg":"ECMR","crv":"P-521","d":"Acuk66sHvSS5TN-p0XhwHhVKyifYr-ecur-7zfgQZMzSq9SeBJjuX6Ttav-7AbnVvXU_S55BgtGL5iymXGuMguCp","key_ops":["deriveKey"],"kty":"EC","x":"AEz9EwBOIrLeV4in6M1oWVnOWVR7ubkFB0R0-AwyIL7u5-7G3u2tvPIJRQY-l1Wttn7Ar4DhflcMhnb3rk5hT5yh","y":"AZt35wqOhNsnEi-GLAgyCaiW_c6h6Zyo4xwjuvXzmQMDwh9MtdaUigFuBOTlfRj1uri_YBqdpI09nYrqqgx97Ca6"}
--- /dev/null
+++ b/tests/keys/another-bad-file
@@ -0,0 +1 @@
+foobar
--- /dev/null
+++ b/tests/keys/invalid.jwk
@@ -0,0 +1 @@
+foo
--- /dev/null
+++ b/tests/keys/qgmqJSo6AEEuVQY7zVlklqdTMqY.jwk
@@ -0,0 +1 @@
+{"alg":"ES512","crv":"P-521","d":"AUQpuWtoSqURl0OuWQ-I9i4X1F3sDak0Hbf9Ixj7uwjA20A0ABJdCHbai1Ai0t3yoxWKPYi6t2XjjeRzHIKyhXbf","key_ops":["sign","verify"],"kty":"EC","x":"ACbYnvh1EtLePkM5jCtuxLpMroOUNRfv-wQdXgT5AQ5bhSLv6wkrBzh1rwymo-fmCNWzrcTflzqWf-wXAd00lokM","y":"AEaDByxXfbee4TlPXgPRg5S4MVOqgObjX6_JJkySTudSfOygcx7dujsf32dOEI25d8bNKUgdjQt8lc5XtHeWXH3a"}
--- a/tests/meson.build
+++ b/tests/meson.build
@@ -1,22 +1,42 @@
+incdir = include_directories(
+  join_paths('..', 'src')
+)
+
+test_data = configuration_data()
+test_data.set('testjwkdir', join_paths(meson.source_root(), 'tests','keys'))
+
+test_keys_c = configure_file(
+  input: 'test-keys.c.in',
+  output: 'test-keys.c',
+  configuration: test_data
+)
+
+test_keys = executable('test-keys',
+  test_keys_c,
+  'test-util.c',
+  dependencies: [jose],
+  include_directories: incdir
+)
+
 sd_activate = find_program(
   'systemd-socket-activate',
   'systemd-activate',
   required: false
 )
 
+env = environment()
+env.prepend('PATH',
+  join_paths(meson.source_root(), 'src'),
+  join_paths(meson.build_root(), 'src'),
+  separator: ':'
+)
+
 if sd_activate.found()
-  env = environment()
-  env.prepend('PATH',
-    join_paths(meson.source_root(), 'src'),
-    join_paths(meson.build_root(), 'src'),
-    separator: ':'
-  )
   env.set('SD_ACTIVATE', sd_activate.path() + ' --inetd')
 
-  test('adv', find_program('adv'), env: env)
+  test('adv', find_program('adv'), env: env, timeout: 60)
   test('rec', find_program('rec'), env: env)
-else
-  warning('Will not run the tests due to missing dependencies!')
 endif
+test('test-keys', test_keys, env: env, timeout: 60)
 
 # vim:set ts=2 sw=2 et:
--- /dev/null
+++ b/tests/test-keys.c.in
@@ -0,0 +1,257 @@
+/* vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80: */
+/*
+ * Copyright (c) 2020 Red Hat, Inc.
+ * Author: Sergio Correia <scorreia@redhat.com>
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "keys.c"
+#include "test-util.h"
+
+const char* jwkdir = "@testjwkdir@";
+
+struct thp_result {
+    const char* thp;
+    int valid;
+};
+
+struct test_result_int {
+    const char* data;
+    int expected;
+};
+
+static void
+test_create_new_keys(void)
+{
+   __attribute__((cleanup(cleanup_str))) char* newdir = create_tempdir();
+    ASSERT(newdir);
+    __attribute__((cleanup(cleanup_tang_keys_info))) struct tang_keys_info* tki = read_keys(newdir);
+    ASSERT(tki);
+    ASSERT(tki->m_keys_count == 2);
+    remove_tempdir(newdir);
+}
+
+
+static void
+test_is_hash(void)
+{
+    const struct test_result_int test_data[] = {
+        {NULL, 0},
+        {"", 0},
+        {"ES512", 0},
+        {"ECMR", 0},
+        {"foobar", 0},
+        {"{", 0},
+        {"[}", 0},
+        {"[]", 0},
+        {"S1", 1},
+        {"S224", 1},
+        {"S256", 1},
+        {"S384", 1},
+        {"S512", 1},
+        {"S42", 0}
+    };
+    for (int i = 0, len = ARRAY_COUNT(test_data); i < len; i++) {
+        int ret = is_hash(test_data[i].data);
+        ASSERT_WITH_MSG(ret == test_data[i].expected, "i = %d, alg = %s", i, test_data[i].data);
+    };
+
+}
+
+static void
+test_jwk_generate(void)
+{
+    const struct test_result_int test_data[] = {
+        {NULL, 0},
+        {"", 0},
+        {"ES512", 1},
+        {"ECMR", 1},
+        {"foobar", 0},
+        {"{", 0},
+        {"[}", 0},
+        {"[]", 0}
+    };
+
+    for (int i = 0, len = ARRAY_COUNT(test_data); i < len; i++) {
+        json_auto_t* jwk = jwk_generate(test_data[i].data);
+        ASSERT_WITH_MSG(!!jwk == test_data[i].expected, "i = %d, alg = %s", i, test_data[i].data);
+    };
+}
+
+static void
+test_find_jws(void)
+{
+    const struct thp_result test_data[] = {
+        {"00BUQM4A7NYxbOrBR9QDfkzGVGj3k57Fs4jCbJxcLYAgRFHu5B7jtbL97x1T7stQ", 1},
+        {"dd5qbN1lQ6UWdZszbfx2oIcH34ShklzFL1SUQg", 1},
+        {"dOZkUtZ_gLDUP53GIlyAxHMNuyrk8vdY-XXND32GccqNbT_MKpqGC-13-GNEye48", 1},
+        {"DZrlBQvfvlwPQlvH_IieBdc_KpesEramLygVL_rFr7g", 1},
+        {"FL_Zt5fFadUL4syeMMpUnss8aKdCrPGFy3102JGR3EE", 1},
+        {"qgmqJSo6AEEuVQY7zVlklqdTMqY", 1},
+        {"r4E2wG1u_YyKUo0N0rIK7jJF5Xg", 1},
+        {"ugJ4Ula-YABQIiJ-0g3B_jpFpF2nl3W-DNpfLdXArhTusV0QCcd1vtgDeGHEPzpm7jEsyC7VYYSSOkZicK22mw", 1},
+        {"up0Z4fRhpd4O5QwBaMCXDTlrvxCmZacU0MD8kw", 1},
+        {"vllHS-M0aQFCo2yUCcAahMU4TAtXACyeuRf-zbmmTPBg7V0Pb-RRFGo5C6MnpzdirK8B3ORLOsN8RyXClvtjxA", 1},
+        {NULL, 1},
+        {"a", 0},
+        {"foo", 0},
+        {"bar", 0},
+        {"XXXXXXXXXXXXXXXXXX", 0}
+    };
+
+    __attribute__((cleanup(cleanup_tang_keys_info))) struct tang_keys_info* tki = read_keys(jwkdir);
+    for (int i = 0, len = ARRAY_COUNT(test_data); i < len; i++) {
+        json_auto_t* jws = find_jws(tki, test_data[i].thp);
+        ASSERT_WITH_MSG(!!jws == test_data[i].valid, "i = %d, thp = %s", i, test_data[i].thp);
+    }
+
+    /* Passing NULL to find_jws should return the default advertisement */
+    json_auto_t* adv = find_jws(tki, NULL);
+    ASSERT(adv);
+
+
+    /*
+     * The default set of signing keys are the signing keys that are not
+     * rotated. The payload is made of deriving keys that are also not
+     * rotated. The default advertisement should be signed by this set of
+     * default signing keys.
+     */
+    ASSERT(jose_jws_ver(NULL, adv, NULL, tki->m_sign, 1));
+
+    /* find_jws should be able to respond to thumbprints of keys using any
+     * of jose supported hash algorithms. */
+    const char** hashes = supported_hashes();
+    size_t idx;
+    json_t* jwk;
+
+    /* Let's put together all the keys, including rotated ones. */
+    json_auto_t* keys = json_deep_copy(tki->m_keys);
+    ASSERT(keys);
+    ASSERT(json_array_extend(keys, tki->m_rotated_keys) == 0);
+    ASSERT(json_array_size(keys) == (size_t)tki->m_keys_count);
+
+    for (int i = 0; hashes[i]; i++) {
+        json_array_foreach(keys, idx, jwk) {
+            if (!jwk_valid_for_signing(jwk)) {
+                continue;
+            }
+            __attribute__((cleanup(cleanup_str))) char* thp = jwk_thumbprint(jwk, hashes[i]);
+            ASSERT_WITH_MSG(thp, "i = %d, hash = %s, key idx = %d", i, hashes[i], idx);
+            json_auto_t* jws = find_jws(tki, thp);
+            ASSERT_WITH_MSG(jws, "i = %d, hash = %s, key idx = %d, thp = %s", i, hashes[i], idx, thp);
+
+            /* Signing keys should sign the payload, in addition to the
+             * default set of signing keys. */
+            json_auto_t* sign = json_deep_copy(tki->m_sign);
+            ASSERT_WITH_MSG(sign, "i = %d, hash = %s, key idx = %d, thp = %s", i, hashes[i], idx, thp);
+            ASSERT_WITH_MSG(json_array_append(sign, jwk) == 0, "i = %d, hash = %s, key idx = %d, thp = %s", i, hashes[i], idx, thp);
+            ASSERT_WITH_MSG(jose_jws_ver(NULL, jws, NULL, sign, 1), "i = %d, hash = %s, key idx = %d, thp = %s", i, hashes[i], idx, thp);
+        }
+    }
+}
+
+static void
+test_find_jwk(void)
+{
+    const struct thp_result test_data[] = {
+        {"1HdF3XKRSsuZdkpXNurBPoL_pvxdvCOlHuhB4DP-4xWFqbZ51zo29kR4fSiT3BGy9UrHVJ26JMBLOA1vKq3lxA", 1},
+        {"9U8qgy_YjyY6Isuq6QuiKEiYZgNJShcGgJx5FJzCu6m3N6zFaIPy_HDkxkVqAZ9E", 1},
+        {"-bWkGaJi0Zdvxaj4DCp28umLcRA", 1},
+        {"Cy73glFjs6B6RU7wy6vWxAc-2bJy5VJOT9LyK80eKgZ8k27wXZ-3rjsuNU5tua_yHWtluyoSYtjoKXfI0E8ESw", 1},
+        {"kfjbqx_b3BsgPC87HwlOWL9daGMMHBzxcFLClw", 1},
+        {"L4xg2tZXTEVbsK39bzOZM1jGWn3HtOxF5gh6F9YVf5Q", 1},
+        {"LsVAV2ig5LlfstM8TRSf-c7IAkLpNYbIysNuRCVlxocRCGqAh6-f9PklM4nU4N-J", 1},
+        {"OkAcDxYHNlo7-tul8OubYuWXB8CPEhAkcacCmhTclMU", 1},
+        {"uZ0s8YTXcGcuWduWWBSiR2OjOVg", 1},
+        {"WEpfFyeoNKkE2-TosN_bP-gd9UgRvQCZpVasZQ", 1},
+        {NULL, 0},
+        {"a", 0},
+        {"foo", 0},
+        {"bar", 0},
+        {"XXXXXXXXXXXXXXXXXX", 0},
+    };
+
+    __attribute__((cleanup(cleanup_tang_keys_info))) struct tang_keys_info* tki = read_keys(jwkdir);
+
+    for (int i = 0, len = ARRAY_COUNT(test_data); i < len; i++) {
+        json_auto_t* tjwk = find_jwk(tki, test_data[i].thp);
+        ASSERT_WITH_MSG(!!tjwk == test_data[i].valid, "i = %d, thp = %s", i, test_data[i].thp);
+    }
+    /* Passing NULL to find_jwk should fail */
+    json_auto_t* bad_jwk = find_jwk(tki, NULL);
+    ASSERT(bad_jwk == NULL);
+
+    /* find_jwk should be able to respond to thumbprints of keys using any
+     * of jose supported hash algorithms. */
+    const char** hashes = supported_hashes();
+    size_t idx;
+    json_t* jwk;
+
+    /* Let's put together all the keys, including rotated ones. */
+    json_auto_t* keys = json_deep_copy(tki->m_keys);
+    ASSERT(keys);
+    ASSERT(json_array_extend(keys, tki->m_rotated_keys) == 0);
+    ASSERT(json_array_size(keys) == (size_t)tki->m_keys_count);
+
+    for (int i = 0; hashes[i]; i++) {
+        json_array_foreach(keys, idx, jwk) {
+            if (!jwk_valid_for_deriving_keys(jwk)) {
+                continue;
+            }
+            __attribute__((cleanup(cleanup_str))) char* thp = jwk_thumbprint(jwk, hashes[i]);
+            json_auto_t* tjwk = find_jwk(tki, thp);
+            ASSERT_WITH_MSG(tjwk, "i = %d, hash = %s, key idx = %d, thp = %s", i, hashes[i], idx, thp);
+        }
+    }
+}
+
+static void
+test_read_keys(void)
+{
+    __attribute__((cleanup(cleanup_tang_keys_info))) struct tang_keys_info* tki = read_keys(jwkdir);
+    ASSERT(tki);
+
+    /*
+     * Keys in tests/keys:
+     * - .uZ0s8YTXcGcuWduWWBSiR2OjOVg.jwk
+     * - .r4E2wG1u_YyKUo0N0rIK7jJF5Xg.jwk
+     * - qgmqJSo6AEEuVQY7zVlklqdTMqY.jwk
+     * - -bWkGaJi0Zdvxaj4DCp28umLcRA.jwk
+     */
+    ASSERT(tki->m_keys_count == 4);
+    ASSERT(json_array_size(tki->m_keys) == 2);
+    ASSERT(json_array_size(tki->m_rotated_keys) == 2);
+
+    const char* invalid_jwkdir = "foobar";
+    __attribute__((cleanup(cleanup_tang_keys_info))) struct tang_keys_info* tki2 = read_keys(invalid_jwkdir);
+    ASSERT(tki2 == NULL);
+}
+
+static void
+run_tests(void)
+{
+    test_read_keys();
+    test_find_jwk();
+    test_find_jws();
+    test_jwk_generate();
+    test_is_hash();
+    test_create_new_keys();
+}
+
+int main(int argc, char** argv)
+{
+    run_tests();
+    return 0;
+}
--- /dev/null
+++ b/tests/test-util.c
@@ -0,0 +1,75 @@
+/* vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80: */
+/*
+ * Copyright (c) 2020 Red Hat, Inc.
+ * Author: Sergio Correia <scorreia@redhat.com>
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#define  _XOPEN_SOURCE 500L
+
+#include <stdarg.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <ftw.h>
+
+#include "test-util.h"
+
+void
+assert_func(const char* filename,
+            int lineno,
+            const char* funcname,
+            const char* expr,
+            const char* fmt,
+            ...)
+{
+    char buffer[MAX_BUF_LEN] = {};
+    if (fmt) {
+        va_list ap;
+        va_start(ap, fmt);
+        vsnprintf(buffer, MAX_BUF_LEN, fmt, ap);
+        va_end(ap);
+        buffer[strcspn(buffer, "\r\n")] = '\0';
+    }
+    fprintf(stderr, "%s:%d: assertion '%s' failed in %s(). %s\n", filename,
+                                                                  lineno,
+                                                                  expr,
+                                                                  funcname,
+                                                                  buffer);
+    abort();
+}
+
+static int
+nftw_remove_callback(const char* path, const struct stat* stat,
+                     int type, struct FTW* ftw)
+{
+    return remove(path);
+}
+
+char*
+create_tempdir(void)
+{
+    char template[] = "/tmp/tang.test.XXXXXX";
+    char *tmpdir = mkdtemp(template);
+    return strdup(tmpdir);
+}
+
+int
+remove_tempdir(const char* path)
+{
+    return nftw(path, nftw_remove_callback, FOPEN_MAX, FTW_DEPTH|FTW_MOUNT|FTW_PHYS);
+}
+
--- /dev/null
+++ b/tests/test-util.h
@@ -0,0 +1,46 @@
+/* vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80: */
+/*
+ * Copyright (c) 2020 Red Hat, Inc.
+ * Author: Sergio Correia <scorreia@redhat.com>
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#pragma once
+
+#include <stdarg.h>
+
+#define ARRAY_COUNT(arr) (sizeof(arr)/sizeof(0[arr]))
+#define MAX_BUF_LEN 2048
+
+void
+assert_func(const char* /* filename */,
+            int /* line number */,
+            const char* /* function name */,
+            const char* /* expression */,
+            const char*  /* format */,
+            ...);
+
+#define ASSERT_WITH_MSG(expr, fmt, ...) \
+     if (!(expr)) \
+        assert_func(__FILE__, __LINE__, __FUNCTION__, #expr, fmt, ##__VA_ARGS__)
+
+#define ASSERT(expr) \
+    ASSERT_WITH_MSG(expr, NULL)
+
+char*
+create_tempdir(void);
+
+int
+remove_tempdir(const char* /* path */);