-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathinternal_test.go
95 lines (79 loc) · 2.48 KB
/
internal_test.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
package sshsig
import (
"bytes"
"crypto/ed25519"
"crypto/rand"
"crypto/rsa"
"testing"
"github.com/stretchr/testify/assert"
"golang.org/x/crypto/ssh"
)
// This file contains "white box" tests that test certain things that are not
// exposed through the public API, but are still important to test.
func TestParseSignature(t *testing.T) {
t.Run("invalid blob data", func(t *testing.T) {
got, err := ParseSignature(blob{}.Marshal())
assert.ErrorIs(t, err, ErrUnsupportedSignatureVersion)
assert.Nil(t, got)
})
t.Run("invalid signature", func(t *testing.T) {
got, err := ParseSignature(blob{
Version: sigVersion,
Signature: "invalid",
HashAlgorithm: HashSHA256.String(),
}.Marshal())
assert.ErrorContains(t, err, "ssh: unmarshal error for field Format of type Signature")
assert.Nil(t, got)
})
t.Run("invalid private key", func(t *testing.T) {
got, err := ParseSignature(blob{
Version: sigVersion,
Signature: string(ssh.Marshal(&ssh.Signature{})),
HashAlgorithm: HashSHA256.String(),
}.Marshal())
assert.ErrorContains(t, err, "ssh: short read")
assert.Nil(t, got)
})
t.Run("invalid RSA signature", func(t *testing.T) {
pk, err := rsa.GenerateKey(rand.Reader, 1024)
assert.NoError(t, err)
pub, err := ssh.NewPublicKey(&pk.PublicKey)
assert.NoError(t, err)
got, err := ParseSignature(blob{
Version: sigVersion,
PublicKey: string(pub.Marshal()),
HashAlgorithm: HashSHA256.String(),
Signature: string(ssh.Marshal(&ssh.Signature{
Format: ssh.KeyAlgoRSA,
})),
}.Marshal())
assert.ErrorContains(t, err, `invalid signature format "ssh-rsa"`)
assert.Nil(t, got)
})
}
func TestVerify_WithoutNamespace(t *testing.T) {
testMessage := []byte("And now for something completely different.")
// Deliberately generate a signature with an empty namespace,
// which is not allowed through the public API.
algo := HashSHA256
h := algo.Hash()
h.Write(testMessage)
mh := h.Sum(nil)
_, cSigner, err := ed25519.GenerateKey(rand.Reader)
assert.NoError(t, err)
signer, err := ssh.NewSignerFromKey(cSigner)
assert.NoError(t, err)
sd := signedData{
Namespace: "",
HashAlgorithm: algo.String(),
Hash: string(mh),
}
sig, err := signer.Sign(rand.Reader, sd.Marshal())
assert.NoError(t, err)
// Verify the namespace-less signature.
err = Verify(bytes.NewReader(testMessage), &Signature{
PublicKey: signer.PublicKey(),
Signature: sig,
}, signer.PublicKey(), algo, sd.Namespace)
assert.NoError(t, err)
}