test: refactor getTestSignerVerifier

Signed-off-by: Edita Kizinevic <[email protected]>

pkg/integrity/dsse_test.go

@@ -26,9 +26,6 @@ import (
 )
 
 func Test_dsseEncoder_signMessage(t *testing.T) {
-	ed25519 := getTestSignerVerifier(t, "ed25519-private.pem")
-	rsa := getTestSignerVerifier(t, "rsa-private.pem")
-
 	tests := []struct {
 		name     string
 		signers  []signature.Signer
@@ -37,39 +34,45 @@ func Test_dsseEncoder_signMessage(t *testing.T) {
 		wantHash crypto.Hash
 	}{
 		{
-			name:     "Multi",
-			signers:  []signature.Signer{ed25519, rsa},
-			wantHash: crypto.SHA256,
-		},
-		{
-			name:     "ED25519",
-			signers:  []signature.Signer{ed25519},
+			name: "Multi",
+			signers: []signature.Signer{
+				getTestSigner(t, "rsa-private.pem", crypto.SHA256),
+				getTestSigner(t, "rsa-private.pem", crypto.SHA256),
+			},
 			wantHash: crypto.SHA256,
 		},
 		{
-			name:     "RSA",
-			signers:  []signature.Signer{rsa},
-			wantHash: crypto.SHA256,
+			name: "ED25519",
+			signers: []signature.Signer{
+				getTestSigner(t, "ed25519-private.pem", crypto.Hash(0)),
+			},
+			signOpts: []signature.SignOption{
+				options.WithCryptoSignerOpts(crypto.Hash(0)),
+			},
+			wantHash: crypto.Hash(0),
 		},
 		{
-			name:    "SHA256",
-			signers: []signature.Signer{rsa},
-			signOpts: []signature.SignOption{
-				options.WithCryptoSignerOpts(crypto.SHA256),
+			name: "RSA_SHA256",
+			signers: []signature.Signer{
+				getTestSigner(t, "rsa-private.pem", crypto.SHA256),
 			},
 			wantHash: crypto.SHA256,
 		},
 		{
-			name:    "SHA384",
-			signers: []signature.Signer{rsa},
+			name: "RSA_SHA384",
+			signers: []signature.Signer{
+				getTestSigner(t, "rsa-private.pem", crypto.SHA384),
+			},
 			signOpts: []signature.SignOption{
 				options.WithCryptoSignerOpts(crypto.SHA384),
 			},
 			wantHash: crypto.SHA384,
 		},
 		{
-			name:    "SHA512",
-			signers: []signature.Signer{rsa},
+			name: "RSA_SHA512",
+			signers: []signature.Signer{
+				getTestSigner(t, "rsa-private.pem", crypto.SHA512),
+			},
 			signOpts: []signature.SignOption{
 				options.WithCryptoSignerOpts(crypto.SHA512),
 			},
@@ -147,25 +150,6 @@ func corruptSignatures(t *testing.T, _ *dsseEncoder, e *dsse.Envelope) {
 }
 
 func Test_dsseDecoder_verifyMessage(t *testing.T) {
-	ecdsa := getTestSignerVerifier(t, "ecdsa-private.pem")
-	ed25519 := getTestSignerVerifier(t, "ed25519-private.pem")
-	rsa := getTestSignerVerifier(t, "rsa-private.pem")
-
-	ecdsaPub, err := ecdsa.PublicKey()
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	ed25519Pub, err := ed25519.PublicKey()
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	rsaPub, err := rsa.PublicKey()
-	if err != nil {
-		t.Fatal(err)
-	}
-
 	tests := []struct {
 		name        string
 		signers     []signature.Signer
@@ -177,107 +161,157 @@ func Test_dsseDecoder_verifyMessage(t *testing.T) {
 		wantKeys    []crypto.PublicKey
 	}{
 		{
-			name:      "CorruptPayloadType",
-			signers:   []signature.Signer{rsa},
+			name: "CorruptPayloadType",
+			signers: []signature.Signer{
+				getTestSigner(t, "rsa-private.pem", crypto.SHA256),
+			},
 			corrupter: corruptPayloadType,
-			de:        newDSSEDecoder(rsa),
-			wantErr:   errDSSEUnexpectedPayloadType,
-			wantKeys:  []crypto.PublicKey{rsaPub},
+			de: newDSSEDecoder(
+				getTestVerifier(t, "rsa-public.pem", crypto.SHA256),
+			),
+			wantErr: errDSSEUnexpectedPayloadType,
+			wantKeys: []crypto.PublicKey{
+				getTestPublicKey(t, "rsa-public.pem"),
+			},
 		},
 		{
-			name:      "CorruptPayload",
-			signers:   []signature.Signer{rsa},
+			name: "CorruptPayload",
+			signers: []signature.Signer{
+				getTestSigner(t, "rsa-private.pem", crypto.SHA256),
+			},
 			corrupter: corruptPayload,
-			de:        newDSSEDecoder(rsa),
-			wantErr:   errDSSEVerifyEnvelopeFailed,
-			wantKeys:  []crypto.PublicKey{},
+			de: newDSSEDecoder(
+				getTestVerifier(t, "rsa-public.pem", crypto.SHA256),
+			),
+			wantErr:  errDSSEVerifyEnvelopeFailed,
+			wantKeys: []crypto.PublicKey{},
 		},
 		{
-			name:      "CorruptSignatures",
-			signers:   []signature.Signer{rsa},
+			name: "CorruptSignatures",
+			signers: []signature.Signer{
+				getTestSigner(t, "rsa-private.pem", crypto.SHA256),
+			},
 			corrupter: corruptSignatures,
-			de:        newDSSEDecoder(rsa),
-			wantErr:   errDSSEVerifyEnvelopeFailed,
-			wantKeys:  []crypto.PublicKey{},
+			de: newDSSEDecoder(
+				getTestVerifier(t, "rsa-public.pem", crypto.SHA256),
+			),
+			wantErr:  errDSSEVerifyEnvelopeFailed,
+			wantKeys: []crypto.PublicKey{},
 		},
 		{
-			name:        "VerifyMulti",
-			signers:     []signature.Signer{ecdsa, ed25519, rsa},
-			de:          newDSSEDecoder(ecdsa, ed25519, rsa),
-			wantMessage: testMessage,
-			wantKeys:    []crypto.PublicKey{ecdsaPub, ed25519Pub, rsaPub},
-		},
-		{
-			name:        "ECDSAVerifyMulti",
-			signers:     []signature.Signer{ecdsa, ed25519, rsa},
-			de:          newDSSEDecoder(ecdsa),
-			wantMessage: testMessage,
-			wantKeys:    []crypto.PublicKey{ecdsaPub},
-		},
-		{
-			name:        "ED25519VerifyMulti",
-			signers:     []signature.Signer{ecdsa, ed25519, rsa},
-			de:          newDSSEDecoder(ed25519),
+			name: "Multi_SHA256",
+			signers: []signature.Signer{
+				getTestSigner(t, "ecdsa-private.pem", crypto.SHA256),
+				getTestSigner(t, "rsa-private.pem", crypto.SHA256),
+			},
+			de: newDSSEDecoder(
+				getTestVerifier(t, "ecdsa-public.pem", crypto.SHA256),
+				getTestVerifier(t, "rsa-public.pem", crypto.SHA256),
+			),
 			wantMessage: testMessage,
-			wantKeys:    []crypto.PublicKey{ed25519Pub},
+			wantKeys: []crypto.PublicKey{
+				getTestPublicKey(t, "ecdsa-public.pem"),
+				getTestPublicKey(t, "rsa-public.pem"),
+			},
 		},
 		{
-			name:        "RSAVerifyMulti",
-			signers:     []signature.Signer{ecdsa, ed25519, rsa},
-			de:          newDSSEDecoder(rsa),
+			name: "Multi_SHA256_ECDSA",
+			signers: []signature.Signer{
+				getTestSigner(t, "ecdsa-private.pem", crypto.SHA256),
+				getTestSigner(t, "rsa-private.pem", crypto.SHA256),
+			},
+			de: newDSSEDecoder(
+				getTestVerifier(t, "ecdsa-public.pem", crypto.SHA256),
+			),
 			wantMessage: testMessage,
-			wantKeys:    []crypto.PublicKey{rsaPub},
+			wantKeys: []crypto.PublicKey{
+				getTestPublicKey(t, "ecdsa-public.pem"),
+			},
 		},
 		{
-			name:        "ECDSA",
-			signers:     []signature.Signer{ecdsa},
-			de:          newDSSEDecoder(ecdsa),
+			name: "Multi_SHA256_RSA",
+			signers: []signature.Signer{
+				getTestSigner(t, "ecdsa-private.pem", crypto.SHA256),
+				getTestSigner(t, "rsa-private.pem", crypto.SHA256),
+			},
+			de: newDSSEDecoder(
+				getTestVerifier(t, "rsa-public.pem", crypto.SHA256),
+			),
 			wantMessage: testMessage,
-			wantKeys:    []crypto.PublicKey{ecdsaPub},
+			wantKeys: []crypto.PublicKey{
+				getTestPublicKey(t, "rsa-public.pem"),
+			},
 		},
 		{
-			name:        "ED25519",
-			signers:     []signature.Signer{ed25519},
-			de:          newDSSEDecoder(ed25519),
+			name: "ECDSA_SHA256",
+			signers: []signature.Signer{
+				getTestSigner(t, "ecdsa-private.pem", crypto.SHA256),
+			},
+			de: newDSSEDecoder(
+				getTestVerifier(t, "ecdsa-public.pem", crypto.SHA256),
+			),
 			wantMessage: testMessage,
-			wantKeys:    []crypto.PublicKey{ed25519Pub},
+			wantKeys: []crypto.PublicKey{
+				getTestPublicKey(t, "ecdsa-public.pem"),
+			},
 		},
 		{
-			name:        "RSA",
-			signers:     []signature.Signer{rsa},
-			de:          newDSSEDecoder(rsa),
+			name: "ED25519",
+			signers: []signature.Signer{
+				getTestSigner(t, "ed25519-private.pem", crypto.Hash(0)),
+			},
+			de: newDSSEDecoder(
+				getTestVerifier(t, "ed25519-public.pem", crypto.Hash(0)),
+			),
 			wantMessage: testMessage,
-			wantKeys:    []crypto.PublicKey{rsaPub},
+			wantKeys: []crypto.PublicKey{
+				getTestPublicKey(t, "ed25519-public.pem"),
+			},
 		},
 		{
-			name:    "SHA256",
-			signers: []signature.Signer{rsa},
-			signOpts: []signature.SignOption{
-				options.WithCryptoSignerOpts(crypto.SHA256),
+			name: "RSA_SHA256",
+			signers: []signature.Signer{
+				getTestSigner(t, "rsa-private.pem", crypto.SHA256),
 			},
-			de:          newDSSEDecoder(rsa),
+			de: newDSSEDecoder(
+				getTestVerifier(t, "rsa-public.pem", crypto.SHA256),
+			),
 			wantMessage: testMessage,
-			wantKeys:    []crypto.PublicKey{rsaPub},
+			wantKeys: []crypto.PublicKey{
+				getTestPublicKey(t, "rsa-public.pem"),
+			},
 		},
 		{
-			name:    "SHA384",
-			signers: []signature.Signer{rsa},
+			name: "RSA_SHA384",
+			signers: []signature.Signer{
+				getTestSigner(t, "rsa-private.pem", crypto.SHA384),
+			},
 			signOpts: []signature.SignOption{
 				options.WithCryptoSignerOpts(crypto.SHA384),
 			},
-			de:          newDSSEDecoder(rsa),
+			de: newDSSEDecoder(
+				getTestVerifier(t, "rsa-public.pem", crypto.SHA384),
+			),
 			wantMessage: testMessage,
-			wantKeys:    []crypto.PublicKey{rsaPub},
+			wantKeys: []crypto.PublicKey{
+				getTestPublicKey(t, "rsa-public.pem"),
+			},
 		},
 		{
-			name:    "SHA512",
-			signers: []signature.Signer{rsa},
+			name: "RSA_SHA512",
+			signers: []signature.Signer{
+				getTestSigner(t, "rsa-private.pem", crypto.SHA512),
+			},
 			signOpts: []signature.SignOption{
 				options.WithCryptoSignerOpts(crypto.SHA512),
 			},
-			de:          newDSSEDecoder(rsa),
+			de: newDSSEDecoder(
+				getTestVerifier(t, "rsa-public.pem", crypto.SHA512),
+			),
 			wantMessage: testMessage,
-			wantKeys:    []crypto.PublicKey{rsaPub},
+			wantKeys: []crypto.PublicKey{
+				getTestPublicKey(t, "rsa-public.pem"),
+			},
 		},
 	}
 

pkg/integrity/main_test.go

@@ -2,7 +2,7 @@
 //   Apptainer a Series of LF Projects LLC.
 //   For website terms of use, trademark policy, privacy policy and other
 //   project policies see https://lfprojects.org/policies
-// Copyright (c) 2020-2022, Sylabs Inc. All rights reserved.
+// Copyright (c) 2020-2023, Sylabs Inc. All rights reserved.
 // This software is licensed under a 3-clause BSD license. Please consult the LICENSE.md file
 // distributed with the sources of this project regarding your rights to use or distribute this
 // software.
@@ -46,20 +46,51 @@ func loadContainer(t *testing.T, path string) *sif.FileImage {
 	return f
 }
 
-// getTestSignerVerifier returns a SignerVerifier read from the PEM file at path.
-func getTestSignerVerifier(t *testing.T, name string) signature.SignerVerifier { //nolint:ireturn
+// getTestSigner returns a Signer read from the PEM file at path.
+func getTestSigner(t *testing.T, name string, h crypto.Hash) signature.Signer { //nolint:ireturn
 	t.Helper()
 
 	path := filepath.Join("..", "..", "test", "keys", name)
 
-	sv, err := signature.LoadSignerVerifierFromPEMFile(path, crypto.SHA256, cryptoutils.SkipPassword)
+	sv, err := signature.LoadSignerFromPEMFile(path, h, cryptoutils.SkipPassword)
 	if err != nil {
 		t.Fatal(err)
 	}
 
 	return sv
 }
 
+// getTestVerifier returns a Verifier read from the PEM file at path.
+func getTestVerifier(t *testing.T, name string, h crypto.Hash) signature.Verifier { //nolint:ireturn
+	t.Helper()
+
+	sv, err := signature.LoadVerifier(getTestPublicKey(t, name), h)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	return sv
+}
+
+// getTestPublicKey returns a PublicKey read from the PEM file at path.
+func getTestPublicKey(t *testing.T, name string) crypto.PublicKey {
+	t.Helper()
+
+	path := filepath.Join("..", "..", "test", "keys", name)
+
+	b, err := os.ReadFile(path)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	pub, err := cryptoutils.UnmarshalPEMToPublicKey(b)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	return pub
+}
+
 // getTestEntity returns a fixed test PGP entity.
 func getTestEntity(t *testing.T) *openpgp.Entity {
 	t.Helper()

pkg/integrity/sign_test.go

@@ -562,7 +562,7 @@ func TestSigner_Sign(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	sv := getTestSignerVerifier(t, "ed25519-private.pem")
+	sv := getTestSigner(t, "ed25519-private.pem", crypto.Hash(0))
 
 	tests := []struct {
 		name      string

pkg/integrity/testdata/Test_dsseEncoder_signMessage/Multi.golden

@@ -1 +1 @@
-{"payloadType":"application/vnd.sylabs.sif-metadata+json","payload":"eyJPbmUiOjEsIlR3byI6Mn0K","signatures":[{"keyid":"SHA256:x6l8ZblpSSXGaPMCzySedWg88BwIFcz8jlPb6el0mFs","sig":"SNnYRFIhDwWjk0pxoreaNiLea6L2WAFUm4boxnv7jiBNGmvMnbCxdsHYsTRBLXvMJHwEfKGvHFJmi9VvMe4JCQ=="},{"keyid":"SHA256:BhCwr7qZulYcOMSl2Jt2DuYHxHNnN6th4NdMqR/PGa4","sig":"qtxC0N3TWRUOOF4nAFwf8izZMVhpGca/s0STBi2h/OU/lND9M4uPG70LMGJ+n2GhCOyKKLR5BpgtlUkBpwhsxiPDqyyXFE2/Rvu/MsNicNIal7A1E64X3iOrMmaXK7qHDY6TpwC0KlxTOsh2XHJSM/cItgebkiRn5ZaZl48/10IzMsq/nOr0k9fGdAdgeApnRAQzBuHzcSAMpz8k9ovbyecfwuNLxXk6PO3isetpFx2j1d11gNfmwE54lCQ9ZGC3hiTJVt9WLBP+xC5AGoiX9f5FQpRzQrg9xGjyfwZDF4PSE9UFfUAC4fGPdultxUPXp8afWocJwbDgZBOkUKgE2L16LtMYSPFMdmAy615Ah6AOyudDTY+6iUr8D7YFdXgkjuQOGxtk7Wh2AIwk1lTOF4nrpycNjOJawBW5AFxdjEJ0LvG/XEJgSC88RoAkQ0YdN7j5N8nNf4+bZJ+CmTXPWU0MdFVDgI59bJKUJU/lt1WM/ZEIzujCgtqYKwCc8LNl5Fruh+2nHmtsAS3bxxPv51Nbw5d8T316SBp0bhjY+R7OncQDaP2FQ+nwpUXuDX3Tr9pqMJxDgErbIATOdSaRQ3KB1iC5gzTwIikuwPIxAuB2Gb5wWGxhqqfx7iA38TpnP5x8YXsjGCseUxFjrKoj5uL1p6ayGXOPJy/D9FsQVtA="}]}
+{"payloadType":"application/vnd.sylabs.sif-metadata+json","payload":"eyJPbmUiOjEsIlR3byI6Mn0K","signatures":[{"keyid":"SHA256:BhCwr7qZulYcOMSl2Jt2DuYHxHNnN6th4NdMqR/PGa4","sig":"qtxC0N3TWRUOOF4nAFwf8izZMVhpGca/s0STBi2h/OU/lND9M4uPG70LMGJ+n2GhCOyKKLR5BpgtlUkBpwhsxiPDqyyXFE2/Rvu/MsNicNIal7A1E64X3iOrMmaXK7qHDY6TpwC0KlxTOsh2XHJSM/cItgebkiRn5ZaZl48/10IzMsq/nOr0k9fGdAdgeApnRAQzBuHzcSAMpz8k9ovbyecfwuNLxXk6PO3isetpFx2j1d11gNfmwE54lCQ9ZGC3hiTJVt9WLBP+xC5AGoiX9f5FQpRzQrg9xGjyfwZDF4PSE9UFfUAC4fGPdultxUPXp8afWocJwbDgZBOkUKgE2L16LtMYSPFMdmAy615Ah6AOyudDTY+6iUr8D7YFdXgkjuQOGxtk7Wh2AIwk1lTOF4nrpycNjOJawBW5AFxdjEJ0LvG/XEJgSC88RoAkQ0YdN7j5N8nNf4+bZJ+CmTXPWU0MdFVDgI59bJKUJU/lt1WM/ZEIzujCgtqYKwCc8LNl5Fruh+2nHmtsAS3bxxPv51Nbw5d8T316SBp0bhjY+R7OncQDaP2FQ+nwpUXuDX3Tr9pqMJxDgErbIATOdSaRQ3KB1iC5gzTwIikuwPIxAuB2Gb5wWGxhqqfx7iA38TpnP5x8YXsjGCseUxFjrKoj5uL1p6ayGXOPJy/D9FsQVtA="},{"keyid":"SHA256:BhCwr7qZulYcOMSl2Jt2DuYHxHNnN6th4NdMqR/PGa4","sig":"qtxC0N3TWRUOOF4nAFwf8izZMVhpGca/s0STBi2h/OU/lND9M4uPG70LMGJ+n2GhCOyKKLR5BpgtlUkBpwhsxiPDqyyXFE2/Rvu/MsNicNIal7A1E64X3iOrMmaXK7qHDY6TpwC0KlxTOsh2XHJSM/cItgebkiRn5ZaZl48/10IzMsq/nOr0k9fGdAdgeApnRAQzBuHzcSAMpz8k9ovbyecfwuNLxXk6PO3isetpFx2j1d11gNfmwE54lCQ9ZGC3hiTJVt9WLBP+xC5AGoiX9f5FQpRzQrg9xGjyfwZDF4PSE9UFfUAC4fGPdultxUPXp8afWocJwbDgZBOkUKgE2L16LtMYSPFMdmAy615Ah6AOyudDTY+6iUr8D7YFdXgkjuQOGxtk7Wh2AIwk1lTOF4nrpycNjOJawBW5AFxdjEJ0LvG/XEJgSC88RoAkQ0YdN7j5N8nNf4+bZJ+CmTXPWU0MdFVDgI59bJKUJU/lt1WM/ZEIzujCgtqYKwCc8LNl5Fruh+2nHmtsAS3bxxPv51Nbw5d8T316SBp0bhjY+R7OncQDaP2FQ+nwpUXuDX3Tr9pqMJxDgErbIATOdSaRQ3KB1iC5gzTwIikuwPIxAuB2Gb5wWGxhqqfx7iA38TpnP5x8YXsjGCseUxFjrKoj5uL1p6ayGXOPJy/D9FsQVtA="}]}