correct certificate generation for e2e tests

Signed-off-by: Dmitry S <[email protected]>
sigstore · Jun 20, 2024 · 6bf62fe · 6bf62fe
1 parent 4f10008
commit 6bf62fe
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 49 deletions.
diff --git a/test/e2e_test.go b/test/e2e_test.go
@@ -146,17 +146,18 @@ func TestSignVerifyCertBundle(t *testing.T) {
 	_, _, cleanup := mkimage(t, imgName)
 	defer cleanup()
 
-	caCertFile, _ /* caPrivKeyFile */, caIntermediateCertFile, _ /* caIntermediatePrivKeyFile */, certFile, privKeyFile, pubkeyFile, certChainFile, err := generateCertificateBundleFiles(td, true, "foobar")
+	_, privKeyPath, pubKeyPath := keypair(t, td)
+	caCertFile, _ /* caPrivKeyFile */, caIntermediateCertFile, _ /* caIntermediatePrivKeyFile */, certFile, certChainFile, err := generateCertificateBundleFiles(td, true, "foobar")
 
 	ctx := context.Background()
 	// Verify should fail at first
-	must(verifyCertBundle(pubkeyFile, caCertFile, caIntermediateCertFile, certFile, imgName, true, nil, "", false), t)
+	mustErr(verifyCertBundle(pubKeyPath, caCertFile, caIntermediateCertFile, certFile, imgName, true, nil, "", true), t)
 	// So should download
 	mustErr(download.SignatureCmd(ctx, options.RegistryOptions{}, imgName), t)
 
 	// Now sign the image
 	ko := options.KeyOpts{
-		KeyRef:           privKeyFile,
+		KeyRef:           privKeyPath,
 		PassFunc:         passFunc,
 		RekorURL:         rekorURL,
 		SkipConfirmation: true,
@@ -168,13 +169,14 @@ func TestSignVerifyCertBundle(t *testing.T) {
 	must(sign.SignCmd(ro, ko, so, []string{imgName}), t)
 
 	// Now verify and download should work!
-	must(verifyCertBundle(pubkeyFile, caCertFile, caIntermediateCertFile, certFile, imgName, true, nil, "", false), t)
+	ignoreTlog := true
+	must(verifyCertBundle(pubKeyPath, caCertFile, caIntermediateCertFile, certFile, imgName, true, nil, "", ignoreTlog), t)
 	// verification with certificate chain instead of root/intermediate files should work as well
-	must(verifyCertChain(pubkeyFile, certChainFile, certFile, imgName, true, nil, "", false), t)
+	must(verifyCertChain(pubKeyPath, certChainFile, certFile, imgName, true, nil, "", ignoreTlog), t)
 	must(download.SignatureCmd(ctx, options.RegistryOptions{}, imgName), t)
 
 	// Look for a specific annotation
-	mustErr(verifyCertBundle(pubkeyFile, caCertFile, caIntermediateCertFile, certFile, imgName, true, map[string]interface{}{"foo": "bar"}, "", false), t)
+	mustErr(verifyCertBundle(pubKeyPath, caCertFile, caIntermediateCertFile, certFile, imgName, true, map[string]interface{}{"foo": "bar"}, "", ignoreTlog), t)
 
 	so.AnnotationOptions = options.AnnotationOptions{
 		Annotations: []string{"foo=bar"},
@@ -183,10 +185,10 @@ func TestSignVerifyCertBundle(t *testing.T) {
 	must(sign.SignCmd(ro, ko, so, []string{imgName}), t)
 
 	// It should match this time.
-	must(verifyCertBundle(pubkeyFile, caCertFile, caIntermediateCertFile, certFile, imgName, true, map[string]interface{}{"foo": "bar"}, "", false), t)
+	must(verifyCertBundle(pubKeyPath, caCertFile, caIntermediateCertFile, certFile, imgName, true, map[string]interface{}{"foo": "bar"}, "", ignoreTlog), t)
 
 	// But two doesn't work
-	mustErr(verifyCertBundle(pubkeyFile, caCertFile, caIntermediateCertFile, certFile, imgName, true, map[string]interface{}{"foo": "bar", "baz": "bat"}, "", false), t)
+	mustErr(verifyCertBundle(pubKeyPath, caCertFile, caIntermediateCertFile, certFile, imgName, true, map[string]interface{}{"foo": "bar", "baz": "bat"}, "", ignoreTlog), t)
 }
 
 func TestSignVerifyClean(t *testing.T) {

diff --git a/test/helpers.go b/test/helpers.go
@@ -119,9 +119,10 @@ var verifyCertBundle = func(keyRef, caCertFile, caIntermediates, certFile, image
 		MaxWorkers:    10,
 		IgnoreTlog:    skipTlogVerify,
 		CertVerifyOptions: options.CertVerifyOptions{
-			Cert:            certFile,
-			CAIntermediates: caIntermediates,
-			CARoots:         caCertFile,
+			CAIntermediates:      caIntermediates,
+			CARoots:              caCertFile,
+			CertOidcIssuerRegexp: ".*",
+			CertIdentityRegexp:   ".*",
 		},
 	}
 
@@ -503,12 +504,10 @@ func generateCertificateBundleFiles(td string, genIntermediate bool, outputSuffi
 	caIntermediateCertFile string,
 	caIntermediatePrivKeyFile string,
 	certFile string,
-	keyFile string,
-	pubKeyFile string,
 	certChainFile string,
 	err error,
 ) {
-	caCertBuf, caPrivKeyBuf, caIntermediateCertBuf, caIntermediatePrivKeyBuf, certBuf, keyBuf, pubkey, certChainBuf, err := generateCertificateBundle(genIntermediate)
+	caCertBuf, caPrivKeyBuf, caIntermediateCertBuf, caIntermediatePrivKeyBuf, certBuf, certChainBuf, err := generateCertificateBundle(genIntermediate)
 	if err != nil {
 		err = fmt.Errorf("error generating certificate bundle: %w", err)
 		return
@@ -540,30 +539,14 @@ func generateCertificateBundleFiles(td string, genIntermediate bool, outputSuffi
 		err = fmt.Errorf("error writing cert to file: %w", err)
 		return
 	}
-	err = os.WriteFile(filepath.Join(td, fmt.Sprintf("key%s.pem", outputSuffix)), keyBuf.Bytes(), 0600)
-	if err != nil {
-		err = fmt.Errorf("error writing key to file: %w", err)
-		return
-	}
+
 	// write the contents of certChainBuf to a file
 	certChainFile = filepath.Join(td, fmt.Sprintf("certchain%s.pem", outputSuffix))
 	err = os.WriteFile(certChainFile, certChainBuf.Bytes(), 0600)
 	if err != nil {
 		err = fmt.Errorf("error writing certificate chain to file: %w", err)
 		return
 	}
-	// write the public key to a file
-	pubKeyFile = filepath.Join(td, fmt.Sprintf("pubkey%s.pem", outputSuffix))
-	pubKeyBuf := &bytes.Buffer{}
-	pubKeyBytes, err := x509.MarshalPKIXPublicKey(pubkey)
-	if err != nil {
-		err = fmt.Errorf("error marshalling public key: %w", err)
-		return
-	}
-	err = pem.Encode(pubKeyBuf, &pem.Block{
-		Type:  "PUBLIC KEY",
-		Bytes: pubKeyBytes,
-	})
 	return
 }
 
@@ -573,8 +556,6 @@ func generateCertificateBundle(genIntermediate bool) (
 	caIntermediateCertBuf *bytes.Buffer,
 	caIntermediatePrivKeyBuf *bytes.Buffer,
 	certBuf *bytes.Buffer,
-	keyBuf *bytes.Buffer,
-	pubkeyBuf *bytes.Buffer,
 	certBundleBuf *bytes.Buffer,
 	err error,
 ) {
@@ -604,7 +585,6 @@ func generateCertificateBundle(genIntermediate bool) (
 	if err != nil {
 		log.Fatal(err)
 	}
-	pubkey := &caPrivKey.PublicKey
 	// create the CA
 	caBytes, err := x509.CreateCertificate(rand.Reader, ca, ca, &caPrivKey.PublicKey, caPrivKey)
 	if err != nil {
@@ -628,19 +608,6 @@ func generateCertificateBundle(genIntermediate bool) (
 	if err != nil {
 		log.Fatalf("unable to PEM encode private key to buffer: %v", err) //nolint:gocritic
 	}
-	pubkeyBuf = &bytes.Buffer{}
-	// PEM encode to pubkeyBuf the public key of caPrivKey
-	pubkeyBytes, err := x509.MarshalPKIXPublicKey(pubkey)
-	if err != nil {
-		log.Fatalf("failed to marshal public key: %v", err)
-	}
-	err = pem.Encode(pubkeyBuf, &pem.Block{
-		Type:  "PUBLIC KEY",
-		Bytes: pubkeyBytes,
-	})
-	if err != nil {
-		log.Fatalf("failed to PME-encode public key to buffer: %v", err)
-	}
 
 	// generate intermediate CA if requested
 	var caIntermediate *x509.Certificate
@@ -753,5 +720,5 @@ func generateCertificateBundle(genIntermediate bool) (
 		log.Fatalf("failed to write caCertBuf to certChainBuf: %v", err)
 	}
 
-	return caCertBuf, caPrivKeyBuf, caIntermediateCertBuf, caIntermediatePrivKeyBuf, certBuf, keyBuf, pubkeyBuf, certBundleBuf, nil
+	return caCertBuf, caPrivKeyBuf, caIntermediateCertBuf, caIntermediatePrivKeyBuf, certBuf, certBundleBuf, nil
 }
diff --git a/test/helpers_test.go b/test/helpers_test.go
@@ -19,7 +19,7 @@ func TestGenerateCertificateBundle(t *testing.T) {
 		},
 	} {
 		t.Run(test.name, func(t *testing.T) {
-			_, _, _, _, _, _, _, _, err := generateCertificateBundle(true)
+			_, _, _, _, _, _, err := generateCertificateBundle(true)
 			if err != nil {
 				t.Fatalf("Error generating certificate bundle: %v", err)
 			}