From 4f6b2da44dc24244072f78e82e3ac964e4703335 Mon Sep 17 00:00:00 2001 From: Aaron Lehmann Date: Wed, 8 Jul 2015 18:53:22 -0700 Subject: [PATCH] Add TestValidateRootKey, validates presence of x509 cert in root.json --- client/client_test.go | 53 ++++++++++++++++++++++++++++++++++- trustmanager/x509filestore.go | 2 +- trustmanager/x509utils.go | 4 +-- 3 files changed, 55 insertions(+), 4 deletions(-) diff --git a/client/client_test.go b/client/client_test.go index f610e8afed..d07aa9b8a9 100644 --- a/client/client_test.go +++ b/client/client_test.go @@ -153,7 +153,7 @@ func TestAddTarget(t *testing.T) { rootKeyID, err := client.GenRootKey("passphrase") assert.NoError(t, err, "error generating root key: %s", err) - rootKey, err := client.GetRootKey(rootKeyID, "passphrase") + rootKey, err := client.GetRootSigner(rootKeyID, "passphrase") assert.NoError(t, err, "error retreiving root key: %s", err) gun := "docker.com/notary" 
@@ -237,3 +237,54 @@ func TestAddTarget(t *testing.T) { changelistDir.Close() } + +// TestValidateRootKey verifies that the public data in root.json for the root +// key is a valid x509 certificate. +func TestValidateRootKey(t *testing.T) { + // Temporary directory where test files will be created + tempBaseDir, err := ioutil.TempDir("", "notary-test-") + assert.NoError(t, err, "failed to create a temporary directory: %s", err) + + client, err := NewClient(tempBaseDir) + assert.NoError(t, err, "error creating client: %s", err) + + rootKeyID, err := client.GenRootKey("passphrase") + assert.NoError(t, err, "error generating root key: %s", err) + + rootSigner, err := client.GetRootSigner(rootKeyID, "passphrase") + assert.NoError(t, err, "error retreiving root key: %s", err) + + gun := "docker.com/notary" + _, err = client.InitRepository(gun, "", nil, rootSigner) + assert.NoError(t, err, "error creating repository: %s", err) + + rootJSONFile := filepath.Join(tempBaseDir, "tuf", gun, "metadata", "root.json") + + jsonBytes, err := ioutil.ReadFile(rootJSONFile) + assert.NoError(t, err, "error reading TUF metadata file %s: %s", rootJSONFile, err) + + var decoded data.Signed + err = json.Unmarshal(jsonBytes, &decoded) + assert.NoError(t, err, "error parsing TUF metadata file %s: %s", rootJSONFile, err) + + var decodedRoot data.Root + err = json.Unmarshal(decoded.Signed, &decodedRoot) + assert.NoError(t, err, "error parsing root.json signed section: %s", err) + + keyids := []string{} + for role, roleData := range decodedRoot.Roles { + if role == "root" { + keyids = append(keyids, roleData.KeyIDs...) + } + } + assert.NotEmpty(t, keyids) + + for _, keyid := range keyids { + if key, ok := decodedRoot.Keys[keyid]; !ok { + t.Fatal("key id not found in keys") + } else { + _, err := trustmanager.LoadCertFromPEM(key.Value.Public) + assert.NoError(t, err, "key is not a valid cert") + } + } +} 
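Review bot: The temporary directory created by `ioutil.TempDir` at the top of TestValidateRootKey is never cleaned up, so each run leaves the generated (passphrase-encrypted) root key and the TUF metadata behind under the system temp directory; add `defer os.RemoveAll(tempBaseDir)` directly after its error check (importing `os` if client_test.go does not already). In the key loop, `_, err := trustmanager.LoadCertFromPEM(key.Value.Public)` declares a new `err` that shadows the function-level one and sits in an `else` after a terminating `t.Fatal`; flattening it to `key, ok := decodedRoot.Keys[keyid]`, `if !ok { t.Fatalf("key id %s not found in keys", keyid) }`, `_, err = trustmanager.LoadCertFromPEM(key.Value.Public)` keeps the happy path left-aligned and also names the missing key id in the failure. The doc comment promises a "valid x509 certificate", but LoadCertFromPEM (per its own comment in the x509utils.go hunk) only returns the first certificate that parses out of the bytes, so the test establishes parseability, not that the certificate corresponds to the key id or is otherwise acceptable; I would narrow the comment to "the root key's public value in root.json parses as an x509 certificate" so the guarantee is not overstated. The message `"error retreiving root key: %s"` carries a typo ("retrieving"), copied from TestAddTarget in the first hunk.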
diff --git a/trustmanager/x509filestore.go b/trustmanager/x509filestore.go index 2f41606164..8c476d7d29 100644 --- a/trustmanager/x509filestore.go +++ b/trustmanager/x509filestore.go @@ -132,7 +132,7 @@ func (s X509FileStore) RemoveCert(cert *x509.Certificate) error { // AddCertFromPEM adds the first certificate that it finds in the byte[], returning // an error if no Certificates are found func (s X509FileStore) AddCertFromPEM(pemBytes []byte) error { - cert, err := loadCertFromPEM(pemBytes) + cert, err := LoadCertFromPEM(pemBytes) if err != nil { return err } diff --git a/trustmanager/x509utils.go b/trustmanager/x509utils.go index 563342f65a..aeb8f8b009 100644 --- a/trustmanager/x509utils.go +++ b/trustmanager/x509utils.go @@ -44,7 +44,7 @@ func GetCertFromURL(urlStr string) (*x509.Certificate, error) { } // Try to extract the first valid PEM certificate from the bytes - cert, err := loadCertFromPEM(certBytes) + cert, err := LoadCertFromPEM(certBytes) if err != nil { return nil, err } @@ -98,7 +98,7 @@ func EncryptPrivateKey(key crypto.PrivateKey, passphrase string) ([]byte, error) // loadCertFromPEM returns the first certificate found in a bunch of bytes or error // if nothing is found. Taken from https://golang.org/src/crypto/x509/cert_pool.go#L85. -func loadCertFromPEM(pemBytes []byte) (*x509.Certificate, error) { +func LoadCertFromPEM(pemBytes []byte) (*x509.Certificate, error) { for len(pemBytes) > 0 { var block *pem.Block block, pemBytes = pem.Decode(pemBytes)