func getPubKeys(cs signed.CryptoService, s *data.Signed, role string) ([]data.PublicKey, error) {
var pubKeys []data.PublicKey
if role == data.CanonicalRootRole {
// if this is root metadata, we have to get the keys from the root because they
// are certs
root := &data.Root{}
if err := json.Unmarshal(*s.Signed, root); err != nil {
return nil, err
}
rootRole, ok := root.Roles[data.CanonicalRootRole]
if !ok || rootRole == nil {
return nil, tuf.ErrNotLoaded{}
}
for _, pubKeyID := range rootRole.KeyIDs {
pubKeys = append(pubKeys, root.Keys[pubKeyID])
}
} else {
pubKeyIDs := cs.ListKeys(role)
for _, pubKeyID := range pubKeyIDs {
pubKey := cs.GetKey(pubKeyID)
if pubKey != nil {
pubKeys = append(pubKeys, pubKey)
}
}
}
return pubKeys, nil
}
// CopyKeys copies keys of a particular role to a new cryptoservice, and returns that cryptoservice
func CopyKeys(t *testing.T, from signed.CryptoService, roles ...string) signed.CryptoService {
memKeyStore := trustmanager.NewKeyMemoryStore(passphrase.ConstantRetriever("pass"))
for _, role := range roles {
for _, keyID := range from.ListKeys(role) {
key, _, err := from.GetPrivateKey(keyID)
require.NoError(t, err)
memKeyStore.AddKey(trustmanager.KeyInfo{Role: role}, key)
}
}
return cryptoservice.NewCryptoService(memKeyStore)
}
// EmptyCryptoServiceInterfaceBehaviorTests tests expected behavior for
// an empty signed.CryptoService:
// 1. Getting the public key of a key that doesn't exist should fail
// 2. Listing an empty cryptoservice returns no keys
// 3. Removing a non-existent key succeeds (no-op)
func EmptyCryptoServiceInterfaceBehaviorTests(t *testing.T, empty signed.CryptoService) {
for _, role := range append(data.BaseRoles, "targets/delegation", "invalid") {
keys := empty.ListKeys(role)
require.Len(t, keys, 0)
}
keys := empty.ListAllKeys()
require.Len(t, keys, 0)
require.NoError(t, empty.RemoveKey("nonexistent"))
require.Nil(t, empty.GetKey("nonexistent"))
k, role, err := empty.GetPrivateKey("nonexistent")
require.Error(t, err)
require.Nil(t, k)
require.Equal(t, "", role)
}
// The signer does not yet support listing keys or tracking roles, so skip those parts of this test if we're testing
// the signer
func testListKeys(t *testing.T, cs signed.CryptoService, expectedRolesToKeys map[string]string) {
for _, role := range append(data.BaseRoles, "targets/delegation", "invalid") {
keys := cs.ListKeys(role)
if keyID, ok := expectedRolesToKeys[role]; ok {
require.Len(t, keys, 1)
require.Equal(t, keyID, keys[0])
} else {
require.Len(t, keys, 0)
}
}
keys := cs.ListAllKeys()
require.Len(t, keys, len(expectedRolesToKeys))
for role, keyID := range expectedRolesToKeys {
require.Equal(t, role, keys[keyID])
}
}
