// Copyright 2016 Mender Software AS
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package main
import (
"bytes"
"crypto"
"crypto/rsa"
"crypto/x509"
"encoding/pem"
"testing"
"github.com/stretchr/testify/assert"
)
const (
// malformed key, sequence MIIEogIBAAKCAQEAm38 changed to
// MIIEogIBAAKCAQEAm44, this should give invalid modulus error
badPrivKey = `
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAm44qupAKSh42laaI+nO4ZLrkv0ZDSrrYDBNfFb53O7nYU42g
Ei1Ltm6o/14VfrSy/7bkjNcBHQLEni4wRdM042gOWYxXFqNMfEnL7APzWCvTFlVo
MGa4++L25PPLl+1BqQFfNuwgW/1ZM3pVyWCCQ+wgw2MCqjPMbqE5txQWfDV7dVfa
ByH1NtjhboSQB89VTmwYAbbleFRAlV9J6IWkNEsfBpDGazqUfwJJv8ToIvJNFxIw
P4LmhmcfXxFKkMsEvdvt6BiR7yiIsaoJ9ZODbnrK+VB6g+5jPJtYsApjf8MKCELe
wtTiPLV5/VcpOVZ9WwnFIQK/4yb4LWrGKcquawIDAQABAoIBAGG3w8FkPaMgY4se
EdzalhlvPctaO3Wd/6FvFwUSIdn9y42OZfamUns+BaQdmwJ6Sjba17wObZuunqMN
QbbPqN/0B3iM8jm+u5UrxyP1w5o4SDozx/sKwttAYYm2D87VAbtUqmJYd2l3x/PK
wFiB9rr6jAhdk1IkpScs2JlN3WeGNczBPhiTA/lWJ8df4Kqb1k58BhRqhST6mUcj
sX9jpjqaXtKLBOfdfxtAVH2imCwrqCPAL3GLOd1M4sE50XBdbCKQt30yQWQzgKeu
RnEb8W3OPPOrVK7ponudrc2SxqfViloQEdrdnhmwz56xmmVRZKagrKiUYmSqT9et
qEidomkCgYEAzIL78pWhw4GLN8PejfkZ5QXG6Qp1cNNLIWXaiZQaULhG/Byl6Uou
+b7yz/xXu+VOaDIsJhIzQQ5KxjeUdqWFSOIZr5XBmDippN4OO7ycK3bA96wTD0kO
Rqnf0BT844FWJ7EnrElDRWLOXxFES7LzFyV+02NX5kMwN76iUr57jr0CgYEAwqUd
QvkUjpiEVjJhSQiFVapc1v8PH1Q2Y+p8Rm4bw/o4GsC7bxvyIdDtdTauKSi/8cCQ
nTIy5taLJtlAVLqj8cZbxlTQs/41aciJ4m2JmW9D2y8ai7TQ7H+Jd/B8btP9DBz/
cAsXalhu6dhH8SSG9EKM7n0I3w0N0Mlmnqer+EcCgYBOFRyYzCSM/qLm0bPhROBs
Hr6JL2MThrjCsZ60tIUvmIwRqeZ2oco5tHwEiPX+WViMU8ujZYOILSrDb2kRu7Sd
1SW1cloOAmRS/C03BZYiyh528Y39Ygk/VZCMY9cCDdmVIgBhuT8j+MuOZItM07AY
gEph7yYaVkDMp85WBUAriQKBgAGi778LZw/X2mz7GXRKvQw+VW99T3w88gQfCZJy
BIu+Q9B9xFWnz35XSlfM8OPpsstuigi4TlNAhIT8GJ1dwFkdCNJ/Dg4lWf+crwQX
VavTkqd6GugHyiXi4J4AiJtJ7vu2FrOzdCvxuGUA64Hsg7H0CUlMBdISQwZ5WwKE
eF6rAoGAA3FBdP0qsYITb3/zHUP88XYIR88iAOSkPOGK6UsxXlLUKCiMhLygjaFa
c0Z2UxFtksT1vezCXMe6/b7+S/S+rN2FvlGen+jgz+41G4ARcyGeTDCxnKFkuhVk
AuMObwrNlzbL4utcxhadX27MmpV9z4GGIJGYkNo4gFE9hNWGmG4=
-----END RSA PRIVATE KEY-----
`
)
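// TestKeystore walks a Keystore through its failure modes against a MemStore
// (no keys, inaccessible store, corrupt entry, read-only store), then checks
// that a generated key round-trips through Save/Load, that PublicPEM matches
// a PKIX encoding of the public key, and that Sign produces a PKCS#1 v1.5 /
// SHA-256 signature which verifies under the public key and only for the
// signed message.
func TestKeystore(t *testing.T) {
	ms := NewMemStore()

	// a keystore without a backing store is rejected
	k := NewKeystore(nil, "")
	assert.Nil(t, k)

	k = NewKeystore(ms, "foo")

	// keystore has no keys, save should fail
	err := k.Save()
	assert.Error(t, err)
	assert.True(t, IsNoKeys(err))

	// try to load from an entry that does not exist
	err = k.Load()
	assert.Error(t, err)
	assert.True(t, IsNoKeys(err))
	assert.Nil(t, k.Private())

	// make our store inaccessible, should yield error other than IsNoKeys()
	ms.Disable(true)
	err = k.Load()
	assert.Error(t, err)
	assert.False(t, IsNoKeys(err))
	assert.Nil(t, k.Private())
	ms.Disable(false)

	// load some bogus data into store; the store is writable at this point,
	// so the result of the write is not checked
	ms.WriteAll("foo", []byte(""))

	// an entry that exists but holds no usable key must surface as a
	// load/unmarshal error, not as IsNoKeys()
	err = k.Load()
	assert.Error(t, err)
	assert.False(t, IsNoKeys(err))
	assert.Nil(t, k.Private())

	// not changing random source, so this is not expected to fail
	assert.NoError(t, k.Generate())
	assert.NotNil(t, k.Private())

	// make the store read only
	ms.ReadOnly(true)
	assert.Error(t, k.Save())
	ms.ReadOnly(false)

	// try again
	assert.NoError(t, k.Save())

	// we should be able to load a saved key
	assert.NoError(t, k.Load())

	// check public key
	pubkey := k.Public()
	assert.NotNil(t, pubkey)

	// serialize to PEM; the reference encoding is PKIX (SubjectPublicKeyInfo),
	// which is what the "PUBLIC KEY" PEM label denotes
	buf := &bytes.Buffer{}
	data, err := x509.MarshalPKIXPublicKey(pubkey)
	assert.NoError(t, err)
	err = pem.Encode(buf, &pem.Block{
		Type:  "PUBLIC KEY",
		Bytes: data,
	})
	// an encode failure would leave expectedaspem empty and make the
	// comparison below meaningless, so it must not be ignored
	assert.NoError(t, err)
	expectedaspem := buf.String()

	aspem, err := k.PublicPEM()
	assert.NoError(t, err)
	assert.Equal(t, expectedaspem, aspem)

	tosigndata := []byte("foobar")
	s, err := k.Sign(tosigndata)
	assert.NoError(t, err)

	// generate hash of data for verification
	h := crypto.SHA256.New()
	h.Write(tosigndata)
	hashed := h.Sum(nil)

	// signature should be valid
	err = rsa.VerifyPKCS1v15(&k.private.PublicKey, crypto.SHA256, hashed, s)
	assert.NoError(t, err)

	// and must not verify against the digest of a different message
	h = crypto.SHA256.New()
	h.Write([]byte("foobaz"))
	err = rsa.VerifyPKCS1v15(&k.private.PublicKey, crypto.SHA256, h.Sum(nil), s)
	assert.Error(t, err)
}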
// TestKeystoreLoadPem feeds badPrivKey, whose modulus has been corrupted, to
// loadFromPem and expects the loader to report an error and hand back no key.
func TestKeystoreLoadPem(t *testing.T) {
	key, err := loadFromPem(bytes.NewBufferString(badPrivKey))
	assert.Error(t, err)
	assert.Nil(t, key)
}