From 60c225b3619e537277268c81cfc3e091e673276f Mon Sep 17 00:00:00 2001
From: Riyaz Faizullabhoy
Date: Tue, 26 Apr 2016 16:59:15 -0700
Subject: [PATCH] Type check on testutil key types
Signed-off-by: Riyaz Faizullabhoy
---
 trustpinning/certs.go | 2 +-
 trustpinning/certs_test.go | 1 +
 trustpinning/trustpin.go | 8 ++++----
 tuf/testutils/repo.go | 9 +++++++--
 4 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/trustpinning/certs.go b/trustpinning/certs.go
index 03124509b5..8df8d67e42 100644
--- a/trustpinning/certs.go
+++ b/trustpinning/certs.go
@@ -39,7 +39,7 @@ func (err ErrRootRotationFail) Error() string {
 func prettyFormatCertIDs(certs map[string]*x509.Certificate) string {
 ids := make([]string, 0, len(certs))
- for id, _ := range certs {
+ for id := range certs {
 ids = append(ids, id)
 }
 return strings.Join(ids, ", ")
diff --git a/trustpinning/certs_test.go b/trustpinning/certs_test.go
index 380feb4ed3..a848c2da25 100644
--- a/trustpinning/certs_test.go
+++ b/trustpinning/certs_test.go
@@ -785,6 +785,7 @@ func generateExpiredTestingCertificate(rootKey data.PrivateKey, gun string) (*x5
 return cryptoservice.GenerateCertificate(rootKey, gun, startTime, startTime.AddDate(1, 0, 0))
 }
+// Helper function for explicitly generating key IDs and unexported fields for equality testing
 func generateRootKeyIDs(r *data.SignedRoot) {
 for _, keyID := range r.Signed.Roles[data.CanonicalRootRole].KeyIDs {
 if k, ok := r.Signed.Keys[keyID]; ok {
diff --git a/trustpinning/trustpin.go b/trustpinning/trustpin.go
index 6b14531845..351aed266a 100644
--- a/trustpinning/trustpin.go
+++ b/trustpinning/trustpin.go
@@ -68,12 +68,12 @@ func NewTrustPinChecker(trustPinConfig TrustPinConfig, gun string) (CertChecker,
 func (t trustPinChecker) certsCheck(leafCert *x509.Certificate, intCerts []*x509.Certificate) bool {
 // reconstruct the leaf + intermediate cert chain, which is bundled as {leaf, intermediates...},
 // in order to get the matching id in the root file
- if key, err := trustmanager.CertBundleToKey(leafCert, intCerts); err == nil {
- return utils.StrSliceContains(t.pinnedCertIDs, key.ID())
- } else {
+ key, err := trustmanager.CertBundleToKey(leafCert, intCerts)
+ if err != nil {
 logrus.Debug("error creating cert bundle: ", err.Error())
+ return false
 }
- return false
+ return utils.StrSliceContains(t.pinnedCertIDs, key.ID())
 }
 func (t trustPinChecker) caCheck(leafCert *x509.Certificate, intCerts []*x509.Certificate) bool {
diff --git a/tuf/testutils/repo.go b/tuf/testutils/repo.go
index 045e5a2734..44c6ef3ed5 100644
--- a/tuf/testutils/repo.go
+++ b/tuf/testutils/repo.go
@@ -1,6 +1,7 @@
 package testutils
 import (
+ "fmt"
 "math/rand"
 "sort"
 "time"
@@ -37,10 +38,14 @@ func CreateKey(cs signed.CryptoService, gun, role, keyAlgorithm string) (data.Pu
 return nil, err
 }
 // Keep the x509 key type consistent with the key's algorithm
- if keyAlgorithm == data.RSAKey {
+ switch keyAlgorithm {
+ case data.RSAKey:
 key = data.NewRSAx509PublicKey(trustmanager.CertToPEM(cert))
- } else {
+ case data.ECDSAKey:
 key = data.NewECDSAx509PublicKey(trustmanager.CertToPEM(cert))
+ default:
+ // This should be impossible because of the Create() call above, but just in case
+ return nil, fmt.Errorf("invalid key algorithm type")
 }
 }
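Review bot: In trustpinning/trustpin.go, certsCheck has no doc comment stating its contract, and the rewritten error branch is where that contract matters: a bundle that CertBundleToKey cannot convert is rejected (fail closed) and the only trace is a Debug-level log line. I would add above the function `// certsCheck reports whether the key ID of the {leaf, intermediates...} bundle is one of the pinned cert IDs; a bundle that cannot be converted to a key is rejected.` The log call could also pass the error directly, `logrus.Debugf("error creating cert bundle: %v", err)`. Whether callers surface the rejection at a higher log level is not visible in this hunk.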
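Review bot: In tuf/testutils/repo.go, the new `default:` branch of the switch in CreateKey returns an error that does not name the rejected algorithm, and it calls fmt.Errorf without any format verb. Naming the value makes a failing test setup diagnosable: `return nil, fmt.Errorf("invalid key algorithm type: %q", keyAlgorithm)`. The comment calls the branch impossible because of the earlier Create() call, but which algorithms Create() accepts is not visible here; if it accepts anything besides RSA and ECDSA, this branch is reachable and is what now stops such a key from being wrapped as an ECDSA x509 key. CreateKey's body starts before the hunk and continues past it.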