Add TestValidateRootKey, validates presence of x509 cert in root.json

2015-07-08 18:53:22 -07:00 · 2015-07-08 18:53:22 -07:00 · 4f6b2da44d
parent abe320307d
commit 4f6b2da44d
3 changed files with 55 additions and 4 deletions
--- a/client/client_test.go
+++ b/client/client_test.go
@ -153,7 +153,7 @@ func TestAddTarget(t *testing.T) {
 	rootKeyID, err := client.GenRootKey("passphrase")
 	assert.NoError(t, err, "error generating root key: %s", err)

-	rootKey, err := client.GetRootKey(rootKeyID, "passphrase")
+	rootKey, err := client.GetRootSigner(rootKeyID, "passphrase")
 	assert.NoError(t, err, "error retreiving root key: %s", err)

 	gun := "docker.com/notary"
@ -237,3 +237,54 @@ func TestAddTarget(t *testing.T) {

 	changelistDir.Close()
 }
+
+// TestValidateRootKey verifies that the public data in root.json for the root
+// key is a valid x509 certificate.
+func TestValidateRootKey(t *testing.T) {
+	// Temporary directory where test files will be created
+	tempBaseDir, err := ioutil.TempDir("", "notary-test-")
+	assert.NoError(t, err, "failed to create a temporary directory: %s", err)
+
+	client, err := NewClient(tempBaseDir)
+	assert.NoError(t, err, "error creating client: %s", err)
+
+	rootKeyID, err := client.GenRootKey("passphrase")
+	assert.NoError(t, err, "error generating root key: %s", err)
+
+	rootSigner, err := client.GetRootSigner(rootKeyID, "passphrase")
+	assert.NoError(t, err, "error retreiving root key: %s", err)
+
+	gun := "docker.com/notary"
+	_, err = client.InitRepository(gun, "", nil, rootSigner)
+	assert.NoError(t, err, "error creating repository: %s", err)
+
+	rootJSONFile := filepath.Join(tempBaseDir, "tuf", gun, "metadata", "root.json")
+
+	jsonBytes, err := ioutil.ReadFile(rootJSONFile)
+	assert.NoError(t, err, "error reading TUF metadata file %s: %s", rootJSONFile, err)
+
+	var decoded data.Signed
+	err = json.Unmarshal(jsonBytes, &decoded)
+	assert.NoError(t, err, "error parsing TUF metadata file %s: %s", rootJSONFile, err)
+
+	var decodedRoot data.Root
+	err = json.Unmarshal(decoded.Signed, &decodedRoot)
+	assert.NoError(t, err, "error parsing root.json signed section: %s", err)
+
+	keyids := []string{}
+	for role, roleData := range decodedRoot.Roles {
+		if role == "root" {
+			keyids = append(keyids, roleData.KeyIDs...)
+		}
+	}
+	assert.NotEmpty(t, keyids)
+
+	for _, keyid := range keyids {
+		if key, ok := decodedRoot.Keys[keyid]; !ok {
+			t.Fatal("key id not found in keys")
+		} else {
+			_, err := trustmanager.LoadCertFromPEM(key.Value.Public)
+			assert.NoError(t, err, "key is not a valid cert")
+		}
+	}
+}
--- a/trustmanager/x509filestore.go
+++ b/trustmanager/x509filestore.go
@ -132,7 +132,7 @@ func (s X509FileStore) RemoveCert(cert *x509.Certificate) error {
 // AddCertFromPEM adds the first certificate that it finds in the byte[], returning
 // an error if no Certificates are found
 func (s X509FileStore) AddCertFromPEM(pemBytes []byte) error {
-	cert, err := loadCertFromPEM(pemBytes)
+	cert, err := LoadCertFromPEM(pemBytes)
 	if err != nil {
 		return err
 	}
--- a/trustmanager/x509utils.go
+++ b/trustmanager/x509utils.go
@ -44,7 +44,7 @@ func GetCertFromURL(urlStr string) (*x509.Certificate, error) {
 	}

 	// Try to extract the first valid PEM certificate from the bytes
-	cert, err := loadCertFromPEM(certBytes)
+	cert, err := LoadCertFromPEM(certBytes)
 	if err != nil {
 		return nil, err
 	}
@ -98,7 +98,7 @@ func EncryptPrivateKey(key crypto.PrivateKey, passphrase string) ([]byte, error)

 // loadCertFromPEM returns the first certificate found in a bunch of bytes or error
 // if nothing is found. Taken from https://golang.org/src/crypto/x509/cert_pool.go#L85.
-func loadCertFromPEM(pemBytes []byte) (*x509.Certificate, error) {
+func LoadCertFromPEM(pemBytes []byte) (*x509.Certificate, error) {
 	for len(pemBytes) > 0 {
 		var block *pem.Block
 		block, pemBytes = pem.Decode(pemBytes)