func (safs *signAddFindSuite) SetUpTest(c *C) {
cfg0 := &asserts.DatabaseConfig{
KeypairManager: asserts.NewMemoryKeypairManager(),
}
db0, err := asserts.OpenDatabase(cfg0)
c.Assert(err, IsNil)
safs.signingDB = db0
pk := asserts.OpenPGPPrivateKey(testPrivKey0)
err = db0.ImportKey("canonical", pk)
c.Assert(err, IsNil)
safs.signingKeyID = pk.PublicKey().ID()
topDir := filepath.Join(c.MkDir(), "asserts-db")
bs, err := asserts.OpenFSBackstore(topDir)
c.Assert(err, IsNil)
trustedKey := testPrivKey0
cfg := &asserts.DatabaseConfig{
Backstore: bs,
KeypairManager: asserts.NewMemoryKeypairManager(),
TrustedKeys: []*asserts.AccountKey{asserts.BootstrapAccountKeyForTest("canonical", &trustedKey.PublicKey)},
}
db, err := asserts.OpenDatabase(cfg)
c.Assert(err, IsNil)
safs.db = db
}
func (aks *accountKeySuite) TestAccountKeyCheck(c *C) {
trustedKey, err := asserts.GeneratePrivateKeyInTest()
c.Assert(err, IsNil)
headers := map[string]string{
"authority-id": "canonical",
"account-id": "acc-id1",
"fingerprint": aks.fp,
"since": aks.since.Format(time.RFC3339),
"until": aks.until.Format(time.RFC3339),
}
accKey, err := asserts.BuildAndSignInTest(asserts.AccountKeyType, headers, []byte(aks.pubKeyBody), trustedKey)
c.Assert(err, IsNil)
rootDir := filepath.Join(c.MkDir(), "asserts-db")
cfg := &asserts.DatabaseConfig{
Path: rootDir,
TrustedKeys: map[string][]asserts.PublicKey{
"canonical": {asserts.WrapPublicKey(&trustedKey.PublicKey)},
},
}
db, err := asserts.OpenDatabase(cfg)
c.Assert(err, IsNil)
err = db.Check(accKey)
c.Assert(err, IsNil)
}
func main() {
topDir := "snappy-asserts-toolbelt-db"
bs, err := asserts.OpenFSBackstore(topDir)
if err != nil {
fmt.Println(err)
os.Exit(1)
}
keypairMgr, err := asserts.OpenFSKeypairManager(topDir)
if err != nil {
fmt.Println(err)
os.Exit(1)
}
cfg := &asserts.DatabaseConfig{
Backstore: bs,
KeypairManager: keypairMgr,
}
db, err = asserts.OpenDatabase(cfg)
if err != nil {
fmt.Println(err)
os.Exit(1)
}
parser.AddCommand("generate-key", "Generate key pair",
"Generate key pair", &generateKey{})
parser.AddCommand("account-key", "Make an account-key assertion",
"Make an account-key assertion", &accountKey{})
parser.AddCommand("snap-build", "Make a snap-build assertion",
"Make a snap-build assertion", &snapBuild{})
if _, err := parser.Parse(); err != nil {
os.Exit(1)
}
}
func (dbs *databaseSuite) SetUpTest(c *C) {
dbs.rootDir = filepath.Join(c.MkDir(), "asserts-db")
cfg := &asserts.DatabaseConfig{Path: dbs.rootDir}
db, err := asserts.OpenDatabase(cfg)
c.Assert(err, IsNil)
dbs.db = db
}
func (chks *checkSuite) TestCheckForgery(c *C) {
trustedKey := testPrivKey0
cfg := &asserts.DatabaseConfig{
Backstore: chks.bs,
KeypairManager: asserts.NewMemoryKeypairManager(),
TrustedKeys: []*asserts.AccountKey{asserts.BootstrapAccountKeyForTest("canonical", &trustedKey.PublicKey)},
}
db, err := asserts.OpenDatabase(cfg)
c.Assert(err, IsNil)
encoded := asserts.Encode(chks.a)
content, encodedSig := chks.a.Signature()
// forgery
forgedSig := new(packet.Signature)
forgedSig.PubKeyAlgo = testPrivKey1.PubKeyAlgo
forgedSig.Hash = crypto.SHA256
forgedSig.CreationTime = time.Now()
forgedSig.IssuerKeyId = &testPrivKey0.KeyId
h := crypto.SHA256.New()
h.Write(content)
err = forgedSig.Sign(h, testPrivKey1, &packet.Config{DefaultHash: crypto.SHA256})
c.Assert(err, IsNil)
buf := new(bytes.Buffer)
forgedSig.Serialize(buf)
forgedSigEncoded := "openpgp " + base64.StdEncoding.EncodeToString(buf.Bytes())
forgedEncoded := bytes.Replace(encoded, encodedSig, []byte(forgedSigEncoded), 1)
c.Assert(forgedEncoded, Not(DeepEquals), encoded)
forgedAssert, err := asserts.Decode(forgedEncoded)
c.Assert(err, IsNil)
err = db.Check(forgedAssert)
c.Assert(err, ErrorMatches, "failed signature verification: .*")
}
func makeSignAndCheckDbWithAccountKey(c *C, accountID string) (signingKeyID string, accSignDB, checkDB *asserts.Database) {
trustedKey := testPrivKey0
cfg1 := &asserts.DatabaseConfig{
KeypairManager: asserts.NewMemoryKeypairManager(),
}
accSignDB, err := asserts.OpenDatabase(cfg1)
c.Assert(err, IsNil)
pk1 := asserts.OpenPGPPrivateKey(testPrivKey1)
err = accSignDB.ImportKey(accountID, asserts.OpenPGPPrivateKey(testPrivKey1))
c.Assert(err, IsNil)
accFingerp := pk1.PublicKey().Fingerprint()
accKeyID := pk1.PublicKey().ID()
pubKey, err := accSignDB.PublicKey(accountID, accKeyID)
c.Assert(err, IsNil)
pubKeyEncoded, err := asserts.EncodePublicKey(pubKey)
c.Assert(err, IsNil)
accPubKeyBody := string(pubKeyEncoded)
headers := map[string]string{
"authority-id": "canonical",
"account-id": accountID,
"public-key-id": accKeyID,
"public-key-fingerprint": accFingerp,
"since": "2015-11-20T15:04:00Z",
"until": "2500-11-20T15:04:00Z",
}
accKey, err := asserts.AssembleAndSignInTest(asserts.AccountKeyType, headers, []byte(accPubKeyBody), asserts.OpenPGPPrivateKey(trustedKey))
c.Assert(err, IsNil)
topDir := filepath.Join(c.MkDir(), "asserts-db")
bs, err := asserts.OpenFSBackstore(topDir)
c.Assert(err, IsNil)
cfg := &asserts.DatabaseConfig{
Backstore: bs,
KeypairManager: asserts.NewMemoryKeypairManager(),
TrustedKeys: []*asserts.AccountKey{asserts.BootstrapAccountKeyForTest("canonical", &trustedKey.PublicKey)},
}
checkDB, err = asserts.OpenDatabase(cfg)
c.Assert(err, IsNil)
err = checkDB.Add(accKey)
c.Assert(err, IsNil)
return accKeyID, accSignDB, checkDB
}
func (opens *openSuite) TestOpenDatabaseOK(c *C) {
cfg := &asserts.DatabaseConfig{
KeypairManager: asserts.NewMemoryKeypairManager(),
}
db, err := asserts.OpenDatabase(cfg)
c.Assert(err, IsNil)
c.Assert(db, NotNil)
}
func (opens *openSuite) TestOpenDatabaseRootCreateFail(c *C) {
parent := filepath.Join(c.MkDir(), "var")
// make it not writable
os.MkdirAll(parent, 555)
rootDir := filepath.Join(parent, "asserts-db")
cfg := &asserts.DatabaseConfig{Path: rootDir}
db, err := asserts.OpenDatabase(cfg)
c.Assert(err, ErrorMatches, "failed to create assert database root: .*")
c.Check(db, IsNil)
}
func (opens *openSuite) TestOpenDatabaseWorldWritableFail(c *C) {
rootDir := filepath.Join(c.MkDir(), "asserts-db")
oldUmask := syscall.Umask(0)
os.MkdirAll(rootDir, 0777)
syscall.Umask(oldUmask)
cfg := &asserts.DatabaseConfig{Path: rootDir}
db, err := asserts.OpenDatabase(cfg)
c.Assert(err, ErrorMatches, "assert database root unexpectedly world-writable: .*")
c.Check(db, IsNil)
}
func (chks *checkSuite) TestCheckNoPubKey(c *C) {
cfg := &asserts.DatabaseConfig{
Backstore: chks.bs,
KeypairManager: asserts.NewMemoryKeypairManager(),
}
db, err := asserts.OpenDatabase(cfg)
c.Assert(err, IsNil)
err = db.Check(chks.a)
c.Assert(err, ErrorMatches, `no matching public key "[a-f0-9]+" for signature by "canonical"`)
}
func (chks *checkSuite) TestCheckNoPubKey(c *C) {
cfg := &asserts.DatabaseConfig{
Backstore: chks.bs,
KeypairManager: asserts.NewMemoryKeypairManager(),
}
db, err := asserts.OpenDatabase(cfg)
c.Assert(err, IsNil)
err = db.Check(chks.a)
c.Assert(err, ErrorMatches, "no valid known public key verifies assertion")
}
func (dbs *databaseSuite) SetUpTest(c *C) {
dbs.topDir = filepath.Join(c.MkDir(), "asserts-db")
fsKeypairMgr, err := asserts.OpenFSKeypairManager(dbs.topDir)
c.Assert(err, IsNil)
cfg := &asserts.DatabaseConfig{
KeypairManager: fsKeypairMgr,
}
db, err := asserts.OpenDatabase(cfg)
c.Assert(err, IsNil)
dbs.db = db
}
func (opens *openSuite) TestOpenDatabaseOK(c *C) {
rootDir := filepath.Join(c.MkDir(), "asserts-db")
cfg := &asserts.DatabaseConfig{Path: rootDir}
db, err := asserts.OpenDatabase(cfg)
c.Assert(err, IsNil)
c.Assert(db, NotNil)
info, err := os.Stat(rootDir)
c.Assert(err, IsNil)
c.Assert(info.IsDir(), Equals, true)
c.Check(info.Mode().Perm(), Equals, os.FileMode(0775))
}
func (chks *checkSuite) TestCheckExpiredPubKey(c *C) {
trustedKey := testPrivKey0
cfg := &asserts.DatabaseConfig{
Backstore: chks.bs,
KeypairManager: asserts.NewMemoryKeypairManager(),
TrustedKeys: []*asserts.AccountKey{asserts.ExpiredAccountKeyForTest("canonical", &trustedKey.PublicKey)},
}
db, err := asserts.OpenDatabase(cfg)
c.Assert(err, IsNil)
err = db.Check(chks.a)
c.Assert(err, ErrorMatches, `assertion is signed with expired public key "[a-f0-9]+" from "canonical"`)
}
func (aks *accountKeySuite) openDB(c *C) *asserts.Database {
trustedKey := testPrivKey0
topDir := filepath.Join(c.MkDir(), "asserts-db")
bs, err := asserts.OpenFSBackstore(topDir)
c.Assert(err, IsNil)
cfg := &asserts.DatabaseConfig{
Backstore: bs,
KeypairManager: asserts.NewMemoryKeypairManager(),
TrustedKeys: []*asserts.AccountKey{asserts.BootstrapAccountKeyForTest("canonical", &trustedKey.PublicKey)},
}
db, err := asserts.OpenDatabase(cfg)
c.Assert(err, IsNil)
return db
}
func (aks *accountKeySuite) SetUpSuite(c *C) {
cfg1 := &asserts.DatabaseConfig{
KeypairManager: asserts.NewMemoryKeypairManager(),
}
accDb, err := asserts.OpenDatabase(cfg1)
c.Assert(err, IsNil)
pk := asserts.OpenPGPPrivateKey(testPrivKey1)
err = accDb.ImportKey("acc-id1", pk)
c.Assert(err, IsNil)
aks.fp = pk.PublicKey().Fingerprint()
aks.keyid = pk.PublicKey().ID()
pubKey, err := accDb.PublicKey("acc-id1", aks.keyid)
c.Assert(err, IsNil)
pubKeyEncoded, err := asserts.EncodePublicKey(pubKey)
c.Assert(err, IsNil)
aks.pubKeyBody = string(pubKeyEncoded)
aks.since, err = time.Parse(time.RFC822, "16 Nov 15 15:04 UTC")
c.Assert(err, IsNil)
aks.until = aks.since.AddDate(1, 0, 0)
aks.sinceLine = "since: " + aks.since.Format(time.RFC3339) + "\n"
aks.untilLine = "until: " + aks.until.Format(time.RFC3339) + "\n"
}
func (opens *openSuite) TestOpenDatabasePanicOnUnsetBackstores(c *C) {
cfg := &asserts.DatabaseConfig{}
c.Assert(func() { asserts.OpenDatabase(cfg) }, PanicMatches, "database cannot be used without setting a keypair manager")
}