Exemplo n.º 1
0
func (as *assertsSuite) TestSignFormatSanitySupportMultilineHeaderValues(c *C) {
	headers := map[string]string{
		"authority-id": "auth-id1",
		"primary-key":  "0",
	}

	multilineVals := []string{
		"a\n",
		"\na",
		"a\n\b\nc",
		"a\n\b\nc\n",
		"\na\n",
		"\n\na\n\nb\n\nc",
	}

	for _, multilineVal := range multilineVals {
		headers["multiline"] = multilineVal
		if len(multilineVal)%2 == 1 {
			headers["odd"] = "true"
		}

		a, err := asserts.AssembleAndSignInTest(asserts.TestOnlyType, headers, nil, asserts.OpenPGPPrivateKey(testPrivKey1))
		c.Assert(err, IsNil)

		decoded, err := asserts.Decode(asserts.Encode(a))
		c.Assert(err, IsNil)

		c.Check(decoded.Header("multiline"), Equals, multilineVal)
	}
}
Exemplo n.º 2
0
func (as *assertsSuite) TestAssembleRoundtrip(c *C) {
	encoded := []byte("type: test-only\n" +
		"authority-id: auth-id2\n" +
		"primary-key1: key1\n" +
		"primary-key2: key2\n" +
		"revision: 5\n" +
		"header1: value1\n" +
		"header2: value2\n" +
		"body-length: 8\n\n" +
		"THE-BODY" +
		"\n\n" +
		"openpgp c2ln")
	a, err := asserts.Decode(encoded)
	c.Assert(err, IsNil)

	cont, sig := a.Signature()
	reassembled, err := asserts.Assemble(a.Headers(), a.Body(), cont, sig)
	c.Assert(err, IsNil)

	c.Check(reassembled.Headers(), DeepEquals, a.Headers())
	c.Check(reassembled.Body(), DeepEquals, a.Body())

	reassembledEncoded := asserts.Encode(reassembled)
	c.Check(reassembledEncoded, DeepEquals, encoded)
}
Exemplo n.º 3
0
func (chks *checkSuite) TestCheckForgery(c *C) {
	trustedKey := testPrivKey0

	cfg := &asserts.DatabaseConfig{
		Backstore:      chks.bs,
		KeypairManager: asserts.NewMemoryKeypairManager(),
		TrustedKeys:    []*asserts.AccountKey{asserts.BootstrapAccountKeyForTest("canonical", &trustedKey.PublicKey)},
	}
	db, err := asserts.OpenDatabase(cfg)
	c.Assert(err, IsNil)

	encoded := asserts.Encode(chks.a)
	content, encodedSig := chks.a.Signature()
	// forgery
	forgedSig := new(packet.Signature)
	forgedSig.PubKeyAlgo = testPrivKey1.PubKeyAlgo
	forgedSig.Hash = crypto.SHA256
	forgedSig.CreationTime = time.Now()
	forgedSig.IssuerKeyId = &testPrivKey0.KeyId
	h := crypto.SHA256.New()
	h.Write(content)
	err = forgedSig.Sign(h, testPrivKey1, &packet.Config{DefaultHash: crypto.SHA256})
	c.Assert(err, IsNil)
	buf := new(bytes.Buffer)
	forgedSig.Serialize(buf)
	forgedSigEncoded := "openpgp " + base64.StdEncoding.EncodeToString(buf.Bytes())
	forgedEncoded := bytes.Replace(encoded, encodedSig, []byte(forgedSigEncoded), 1)
	c.Assert(forgedEncoded, Not(DeepEquals), encoded)

	forgedAssert, err := asserts.Decode(forgedEncoded)
	c.Assert(err, IsNil)

	err = db.Check(forgedAssert)
	c.Assert(err, ErrorMatches, "failed signature verification: .*")
}
Exemplo n.º 4
0
func (as *assertsSuite) TestSignFormatSanityEmptyBody(c *C) {
	headers := map[string]string{
		"authority-id": "auth-id1",
		"primary-key":  "0",
	}
	a, err := asserts.AssembleAndSignInTest(asserts.TestOnlyType, headers, nil, asserts.OpenPGPPrivateKey(testPrivKey1))
	c.Assert(err, IsNil)

	_, err = asserts.Decode(asserts.Encode(a))
	c.Check(err, IsNil)
}
Exemplo n.º 5
0
func (as *assertsSuite) TestSignFormatSanityNonEmptyBody(c *C) {
	headers := map[string]string{
		"authority-id": "auth-id1",
		"primary-key":  "0",
	}
	body := []byte("THE-BODY")
	a, err := asserts.AssembleAndSignInTest(asserts.TestOnlyType, headers, body, asserts.OpenPGPPrivateKey(testPrivKey1))
	c.Assert(err, IsNil)
	c.Check(a.Body(), DeepEquals, body)

	decoded, err := asserts.Decode(asserts.Encode(a))
	c.Assert(err, IsNil)
	c.Check(decoded.Body(), DeepEquals, body)
}
Exemplo n.º 6
0
func (as *assertsSuite) TestEncode(c *C) {
	encoded := []byte("type: test-only\n" +
		"authority-id: auth-id2\n" +
		"primary-key: xyz\n" +
		"revision: 5\n" +
		"header1: value1\n" +
		"header2: value2\n" +
		"body-length: 8\n\n" +
		"THE-BODY" +
		"\n\n" +
		"openpgp c2ln")
	a, err := asserts.Decode(encoded)
	c.Assert(err, IsNil)
	encodeRes := asserts.Encode(a)
	c.Check(encodeRes, DeepEquals, encoded)
}
Exemplo n.º 7
0
func (x *accountKey) Execute(args []string) error {
	accID := x.Positional.AccountID
	if accID == "" {
		return fmt.Errorf("missing account-id")
	}
	years := int(x.Positional.Years)
	if years == 0 {
		return fmt.Errorf("missing validity-years")
	}
	authID := x.Positional.AuthorityID
	if authID == "" {
		fmt.Fprintln(os.Stderr, "no authority-id: assume self-signed")
		authID = accID
	}

	authKey, err := findPublicKey(db, authID)
	if err != nil {
		return err
	}
	accKey, err := findPublicKey(db, accID)
	if err != nil {
		return err
	}

	nowish := time.Now().Truncate(time.Hour).UTC()
	until := nowish.AddDate(years, 0, 0)
	pubKeyBody, err := asserts.EncodePublicKey(accKey)
	if err != nil {
		return err
	}
	headers := map[string]string{
		"authority-id":           strings.Split(authID, "/")[0],
		"account-id":             strings.Split(accID, "/")[0],
		"public-key-fingerprint": accKey.Fingerprint(),
		"public-key-id":          accKey.ID(),
		"since":                  nowish.Format(time.RFC3339),
		"until":                  until.Format(time.RFC3339),
	}
	assertion, err := db.Sign(asserts.AccountKeyType, headers, pubKeyBody, authKey.ID())
	if err != nil {
		return err
	}
	os.Stdout.Write(asserts.Encode(assertion))
	return nil
}
Exemplo n.º 8
0
func (x *snapBuild) Execute(args []string) error {
	authID := x.Positional.AuthorityID
	if authID == "" {
		return fmt.Errorf("missing devel/authority-id")
	}
	authKey, err := findPublicKey(db, authID)
	if err != nil {
		return err
	}

	snapFile := x.Positional.SnapFile
	if snapFile == "" {
		return fmt.Errorf("missing snap-file")
	}
	snap := squashfs.New(snapFile)
	nameParts := strings.SplitN(snap.Name(), "_", 2)
	snapID := nameParts[0] // XXX: cheat/guess
	size, hashDigest, err := snap.HashDigest(crypto.SHA256)
	if err != nil {
		return fmt.Errorf("failed to hash snap: %v", err)
	}
	formattedDigest, err := asserts.EncodeDigest(crypto.SHA256, hashDigest)
	if err != nil {
		return err
	}

	now := time.Now().UTC()
	headers := map[string]string{
		"authority-id": strings.Split(authID, "/")[0],
		"snap-id":      snapID,
		"snap-digest":  formattedDigest,
		"snap-size":    fmt.Sprintf("%d", size),
		"grade":        "devel",
		"timestamp":    now.Format(time.RFC3339),
	}
	snapDecl, err := db.Sign(asserts.SnapBuildType, headers, nil, authKey.ID())
	if err != nil {
		return err
	}
	os.Stdout.Write(asserts.Encode(snapDecl))
	return nil
}
Exemplo n.º 9
0
func (sdbs *sysDBSuite) SetUpTest(c *C) {
	tmpdir := c.MkDir()

	pk := asserts.OpenPGPPrivateKey(testPrivKey0)
	trustedPubKey := pk.PublicKey()
	trustedPubKeyEncoded, err := asserts.EncodePublicKey(trustedPubKey)
	c.Assert(err, IsNil)
	// self-signed
	headers := map[string]string{
		"authority-id":           "canonical",
		"account-id":             "canonical",
		"public-key-id":          trustedPubKey.ID(),
		"public-key-fingerprint": trustedPubKey.Fingerprint(),
		"since":                  "2015-11-20T15:04:00Z",
		"until":                  "2500-11-20T15:04:00Z",
	}
	trustedAccKey, err := asserts.AssembleAndSignInTest(asserts.AccountKeyType, headers, trustedPubKeyEncoded, pk)
	c.Assert(err, IsNil)

	fakeRoot := filepath.Join(tmpdir, "root")
	err = os.Mkdir(fakeRoot, os.ModePerm)
	c.Assert(err, IsNil)
	dirs.SetRootDir(fakeRoot)

	err = os.MkdirAll(filepath.Dir(dirs.SnapTrustedAccountKey), os.ModePerm)
	c.Assert(err, IsNil)
	err = ioutil.WriteFile(dirs.SnapTrustedAccountKey, asserts.Encode(trustedAccKey), os.ModePerm)
	c.Assert(err, IsNil)

	headers = map[string]string{
		"authority-id": "canonical",
		"primary-key":  "0",
	}
	sdbs.probeAssert, err = asserts.AssembleAndSignInTest(asserts.TestOnlyType, headers, nil, pk)
	c.Assert(err, IsNil)
}