func (as *assertsSuite) TestSignFormatSanitySupportMultilineHeaderValues(c *C) { headers := map[string]string{ "authority-id": "auth-id1", "primary-key": "0", } multilineVals := []string{ "a\n", "\na", "a\n\b\nc", "a\n\b\nc\n", "\na\n", "\n\na\n\nb\n\nc", } for _, multilineVal := range multilineVals { headers["multiline"] = multilineVal if len(multilineVal)%2 == 1 { headers["odd"] = "true" } a, err := asserts.AssembleAndSignInTest(asserts.TestOnlyType, headers, nil, asserts.OpenPGPPrivateKey(testPrivKey1)) c.Assert(err, IsNil) decoded, err := asserts.Decode(asserts.Encode(a)) c.Assert(err, IsNil) c.Check(decoded.Header("multiline"), Equals, multilineVal) } }
func (as *assertsSuite) TestAssembleRoundtrip(c *C) { encoded := []byte("type: test-only\n" + "authority-id: auth-id2\n" + "primary-key1: key1\n" + "primary-key2: key2\n" + "revision: 5\n" + "header1: value1\n" + "header2: value2\n" + "body-length: 8\n\n" + "THE-BODY" + "\n\n" + "openpgp c2ln") a, err := asserts.Decode(encoded) c.Assert(err, IsNil) cont, sig := a.Signature() reassembled, err := asserts.Assemble(a.Headers(), a.Body(), cont, sig) c.Assert(err, IsNil) c.Check(reassembled.Headers(), DeepEquals, a.Headers()) c.Check(reassembled.Body(), DeepEquals, a.Body()) reassembledEncoded := asserts.Encode(reassembled) c.Check(reassembledEncoded, DeepEquals, encoded) }
func (chks *checkSuite) TestCheckForgery(c *C) { trustedKey := testPrivKey0 cfg := &asserts.DatabaseConfig{ Backstore: chks.bs, KeypairManager: asserts.NewMemoryKeypairManager(), TrustedKeys: []*asserts.AccountKey{asserts.BootstrapAccountKeyForTest("canonical", &trustedKey.PublicKey)}, } db, err := asserts.OpenDatabase(cfg) c.Assert(err, IsNil) encoded := asserts.Encode(chks.a) content, encodedSig := chks.a.Signature() // forgery forgedSig := new(packet.Signature) forgedSig.PubKeyAlgo = testPrivKey1.PubKeyAlgo forgedSig.Hash = crypto.SHA256 forgedSig.CreationTime = time.Now() forgedSig.IssuerKeyId = &testPrivKey0.KeyId h := crypto.SHA256.New() h.Write(content) err = forgedSig.Sign(h, testPrivKey1, &packet.Config{DefaultHash: crypto.SHA256}) c.Assert(err, IsNil) buf := new(bytes.Buffer) forgedSig.Serialize(buf) forgedSigEncoded := "openpgp " + base64.StdEncoding.EncodeToString(buf.Bytes()) forgedEncoded := bytes.Replace(encoded, encodedSig, []byte(forgedSigEncoded), 1) c.Assert(forgedEncoded, Not(DeepEquals), encoded) forgedAssert, err := asserts.Decode(forgedEncoded) c.Assert(err, IsNil) err = db.Check(forgedAssert) c.Assert(err, ErrorMatches, "failed signature verification: .*") }
func (as *assertsSuite) TestSignFormatSanityEmptyBody(c *C) { headers := map[string]string{ "authority-id": "auth-id1", "primary-key": "0", } a, err := asserts.AssembleAndSignInTest(asserts.TestOnlyType, headers, nil, asserts.OpenPGPPrivateKey(testPrivKey1)) c.Assert(err, IsNil) _, err = asserts.Decode(asserts.Encode(a)) c.Check(err, IsNil) }
func (as *assertsSuite) TestSignFormatSanityNonEmptyBody(c *C) { headers := map[string]string{ "authority-id": "auth-id1", "primary-key": "0", } body := []byte("THE-BODY") a, err := asserts.AssembleAndSignInTest(asserts.TestOnlyType, headers, body, asserts.OpenPGPPrivateKey(testPrivKey1)) c.Assert(err, IsNil) c.Check(a.Body(), DeepEquals, body) decoded, err := asserts.Decode(asserts.Encode(a)) c.Assert(err, IsNil) c.Check(decoded.Body(), DeepEquals, body) }
func (as *assertsSuite) TestEncode(c *C) { encoded := []byte("type: test-only\n" + "authority-id: auth-id2\n" + "primary-key: xyz\n" + "revision: 5\n" + "header1: value1\n" + "header2: value2\n" + "body-length: 8\n\n" + "THE-BODY" + "\n\n" + "openpgp c2ln") a, err := asserts.Decode(encoded) c.Assert(err, IsNil) encodeRes := asserts.Encode(a) c.Check(encodeRes, DeepEquals, encoded) }
func (x *accountKey) Execute(args []string) error { accID := x.Positional.AccountID if accID == "" { return fmt.Errorf("missing account-id") } years := int(x.Positional.Years) if years == 0 { return fmt.Errorf("missing validity-years") } authID := x.Positional.AuthorityID if authID == "" { fmt.Fprintln(os.Stderr, "no authority-id: assume self-signed") authID = accID } authKey, err := findPublicKey(db, authID) if err != nil { return err } accKey, err := findPublicKey(db, accID) if err != nil { return err } nowish := time.Now().Truncate(time.Hour).UTC() until := nowish.AddDate(years, 0, 0) pubKeyBody, err := asserts.EncodePublicKey(accKey) if err != nil { return err } headers := map[string]string{ "authority-id": strings.Split(authID, "/")[0], "account-id": strings.Split(accID, "/")[0], "public-key-fingerprint": accKey.Fingerprint(), "public-key-id": accKey.ID(), "since": nowish.Format(time.RFC3339), "until": until.Format(time.RFC3339), } assertion, err := db.Sign(asserts.AccountKeyType, headers, pubKeyBody, authKey.ID()) if err != nil { return err } os.Stdout.Write(asserts.Encode(assertion)) return nil }
func (x *snapBuild) Execute(args []string) error { authID := x.Positional.AuthorityID if authID == "" { return fmt.Errorf("missing devel/authority-id") } authKey, err := findPublicKey(db, authID) if err != nil { return err } snapFile := x.Positional.SnapFile if snapFile == "" { return fmt.Errorf("missing snap-file") } snap := squashfs.New(snapFile) nameParts := strings.SplitN(snap.Name(), "_", 2) snapID := nameParts[0] // XXX: cheat/guess size, hashDigest, err := snap.HashDigest(crypto.SHA256) if err != nil { return fmt.Errorf("failed to hash snap: %v", err) } formattedDigest, err := asserts.EncodeDigest(crypto.SHA256, hashDigest) if err != nil { return err } now := time.Now().UTC() headers := map[string]string{ "authority-id": strings.Split(authID, "/")[0], "snap-id": snapID, "snap-digest": formattedDigest, "snap-size": fmt.Sprintf("%d", size), "grade": "devel", "timestamp": now.Format(time.RFC3339), } snapDecl, err := db.Sign(asserts.SnapBuildType, headers, nil, authKey.ID()) if err != nil { return err } os.Stdout.Write(asserts.Encode(snapDecl)) return nil }
func (sdbs *sysDBSuite) SetUpTest(c *C) { tmpdir := c.MkDir() pk := asserts.OpenPGPPrivateKey(testPrivKey0) trustedPubKey := pk.PublicKey() trustedPubKeyEncoded, err := asserts.EncodePublicKey(trustedPubKey) c.Assert(err, IsNil) // self-signed headers := map[string]string{ "authority-id": "canonical", "account-id": "canonical", "public-key-id": trustedPubKey.ID(), "public-key-fingerprint": trustedPubKey.Fingerprint(), "since": "2015-11-20T15:04:00Z", "until": "2500-11-20T15:04:00Z", } trustedAccKey, err := asserts.AssembleAndSignInTest(asserts.AccountKeyType, headers, trustedPubKeyEncoded, pk) c.Assert(err, IsNil) fakeRoot := filepath.Join(tmpdir, "root") err = os.Mkdir(fakeRoot, os.ModePerm) c.Assert(err, IsNil) dirs.SetRootDir(fakeRoot) err = os.MkdirAll(filepath.Dir(dirs.SnapTrustedAccountKey), os.ModePerm) c.Assert(err, IsNil) err = ioutil.WriteFile(dirs.SnapTrustedAccountKey, asserts.Encode(trustedAccKey), os.ModePerm) c.Assert(err, IsNil) headers = map[string]string{ "authority-id": "canonical", "primary-key": "0", } sdbs.probeAssert, err = asserts.AssembleAndSignInTest(asserts.TestOnlyType, headers, nil, pk) c.Assert(err, IsNil) }