// SetUpTest prepares the two databases the suite works with: a bare
// signing database holding testPrivKey0 (kept in safs.signingDB, with the
// key's ID in safs.signingKeyID), and a filesystem-backed database whose
// trusted set is the "canonical" account plus the account-key for
// testPrivKey0 (kept in safs.db).
func (safs *signAddFindSuite) SetUpTest(c *C) {
	signingDB, err := asserts.OpenDatabase(&asserts.DatabaseConfig{})
	c.Assert(err, IsNil)
	safs.signingDB = signingDB

	signingKey := testPrivKey0
	c.Assert(signingDB.ImportKey(signingKey), IsNil)
	safs.signingKeyID = signingKey.PublicKey().ID()

	backstore, err := asserts.OpenFSBackstore(filepath.Join(c.MkDir(), "asserts-db"))
	c.Assert(err, IsNil)

	// the same test key doubles as the trusted "canonical" account-key
	trustedKey := testPrivKey0
	trusted := []asserts.Assertion{
		asserts.BootstrapAccountForTest("canonical"),
		asserts.BootstrapAccountKeyForTest("canonical", trustedKey.PublicKey()),
	}
	db, err := asserts.OpenDatabase(&asserts.DatabaseConfig{
		Backstore: backstore,
		Trusted:   trusted,
	})
	c.Assert(err, IsNil)
	safs.db = db
}
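// TestCheckForgery verifies that Database.Check rejects an assertion whose
// signature has been replaced by one produced with a key that is not the
// trusted account-key (testPrivKey1RSA). The genuine content is re-signed
// with the untrusted key, the resulting signature is framed like the
// original (leading byte plus base64) and spliced into the encoded
// assertion in place of the real signature; Check must then fail with a
// signature verification error.
func (chks *checkSuite) TestCheckForgery(c *C) {
	trustedKey := testPrivKey0
	cfg := &asserts.DatabaseConfig{
		Backstore: chks.bs,
		Trusted:   []asserts.Assertion{asserts.BootstrapAccountKeyForTest("canonical", trustedKey.PublicKey())},
	}
	db, err := asserts.OpenDatabase(cfg)
	c.Assert(err, IsNil)

	encoded := asserts.Encode(chks.a)
	content, encodedSig := chks.a.Signature()

	// forgery: sign the unchanged content with an RSA key the db does not trust
	forgedSig := new(packet.Signature)
	forgedSig.PubKeyAlgo = packet.PubKeyAlgoRSA
	forgedSig.Hash = crypto.SHA512
	forgedSig.CreationTime = time.Now()
	h := crypto.SHA512.New()
	h.Write(content)
	pk1 := packet.NewRSAPrivateKey(time.Unix(1, 0), testPrivKey1RSA)
	err = forgedSig.Sign(h, pk1, &packet.Config{DefaultHash: crypto.SHA512})
	c.Assert(err, IsNil)

	buf := new(bytes.Buffer)
	// Serialize returns an error; leaving it unchecked would let an
	// incomplete signature through and the test could then pass for the
	// wrong reason (malformed input rather than a detected forgery)
	err = forgedSig.Serialize(buf)
	c.Assert(err, IsNil)
	// leading 0x1 byte: presumably the signature format prefix that
	// asserts.Encode puts in front of the packet — confirm against the encoder
	b := append([]byte{0x1}, buf.Bytes()...)
	forgedSigEncoded := base64.StdEncoding.EncodeToString(b)
	forgedEncoded := bytes.Replace(encoded, encodedSig, []byte(forgedSigEncoded), 1)
	// the swap must really have happened, otherwise Check would be looking
	// at the genuine assertion
	c.Assert(forgedEncoded, Not(DeepEquals), encoded)

	forgedAssert, err := asserts.Decode(forgedEncoded)
	c.Assert(err, IsNil)

	err = db.Check(forgedAssert)
	c.Assert(err, ErrorMatches, "failed signature verification: .*")
}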
// TestCheckUnsupportedFormat checks that Database.Check refuses an
// assertion whose "format" header (77) is above the latest format this
// build supports, reporting an UnsupportedFormatError. The assertion has
// to be signed while the supported format for test-only is temporarily
// raised to 77; the mock is restored before Check runs.
func (chks *checkSuite) TestCheckUnsupportedFormat(c *C) {
	trustedKey := testPrivKey0
	db, err := asserts.OpenDatabase(&asserts.DatabaseConfig{
		Backstore: chks.bs,
		Trusted:   []asserts.Assertion{asserts.BootstrapAccountKeyForTest("canonical", trustedKey.PublicKey())},
	})
	c.Assert(err, IsNil)

	// build the format-77 assertion inside a closure so the deferred
	// restore undoes the mock before Check is called
	var format77 asserts.Assertion
	func() {
		restore := asserts.MockMaxSupportedFormat(asserts.TestOnlyType, 77)
		defer restore()

		headers := map[string]interface{}{
			"authority-id": "canonical",
			"primary-key":  "0",
			"format":       "77",
		}
		var signErr error
		format77, signErr = asserts.AssembleAndSignInTest(asserts.TestOnlyType, headers, nil, trustedKey)
		c.Assert(signErr, IsNil)
	}()

	err = db.Check(format77)
	c.Assert(err, FitsTypeOf, &asserts.UnsupportedFormatError{})
	c.Check(err, ErrorMatches, `proposed "test-only" assertion has format 77 but 1 is latest supported`)
}
// openDB opens a fresh filesystem-backed assertion database in a temporary
// directory, trusting the "canonical" account and the account-key for
// testPrivKey0. Any setup failure aborts the test through c.Assert.
func (aks *accountKeySuite) openDB(c *C) *asserts.Database {
	trustedKey := testPrivKey0

	backstore, err := asserts.OpenFSBackstore(filepath.Join(c.MkDir(), "asserts-db"))
	c.Assert(err, IsNil)

	trusted := []asserts.Assertion{
		asserts.BootstrapAccountForTest("canonical"),
		asserts.BootstrapAccountKeyForTest("canonical", trustedKey.PublicKey()),
	}
	db, err := asserts.OpenDatabase(&asserts.DatabaseConfig{Backstore: backstore, Trusted: trusted})
	c.Assert(err, IsNil)
	return db
}