From 6bf62fe8d89a8536cde5e353b1ad45db20b767a8 Mon Sep 17 00:00:00 2001 From: Dmitry S Date: Thu, 20 Jun 2024 20:31:04 +0200 Subject: [PATCH] correct certificate generation for e2e tests Signed-off-by: Dmitry S --- test/e2e_test.go | 18 +++++++++-------- test/helpers.go | 47 +++++++------------------------------------- test/helpers_test.go | 2 +- 3 files changed, 18 insertions(+), 49 deletions(-) diff --git a/test/e2e_test.go b/test/e2e_test.go index 77890a0efdf4..f6ead509f970 100644 --- a/test/e2e_test.go +++ b/test/e2e_test.go @@ -146,17 +146,18 @@ func TestSignVerifyCertBundle(t *testing.T) { _, _, cleanup := mkimage(t, imgName) defer cleanup() - caCertFile, _ /* caPrivKeyFile */, caIntermediateCertFile, _ /* caIntermediatePrivKeyFile */, certFile, privKeyFile, pubkeyFile, certChainFile, err := generateCertificateBundleFiles(td, true, "foobar") + _, privKeyPath, pubKeyPath := keypair(t, td) + caCertFile, _ /* caPrivKeyFile */, caIntermediateCertFile, _ /* caIntermediatePrivKeyFile */, certFile, certChainFile, err := generateCertificateBundleFiles(td, true, "foobar") ctx := context.Background() // Verify should fail at first - must(verifyCertBundle(pubkeyFile, caCertFile, caIntermediateCertFile, certFile, imgName, true, nil, "", false), t) + mustErr(verifyCertBundle(pubKeyPath, caCertFile, caIntermediateCertFile, certFile, imgName, true, nil, "", true), t) // So should download mustErr(download.SignatureCmd(ctx, options.RegistryOptions{}, imgName), t) // Now sign the image ko := options.KeyOpts{ - KeyRef: privKeyFile, + KeyRef: privKeyPath, PassFunc: passFunc, RekorURL: rekorURL, SkipConfirmation: true, 
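Review bot: The `err` returned by `generateCertificateBundleFiles` on the second added line is never checked within this hunk, so a failure to write the CA, intermediate or chain PEMs would only surface later as a misleading verification error; add `must(err, t)` right after that call unless it is checked further down, which is not visible here. The same hunk passes a literal `true` as the tlog flag of the first `mustErr(verifyCertBundle(...))`, while the next hunk in this function introduces a named `ignoreTlog` for the identical flag; declare `ignoreTlog := true` before this first call and use it here too, so the flag's meaning is visible at every call site. TestSignVerifyCertBundle begins before and continues after this hunk.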
@@ -168,13 +169,14 @@ func TestSignVerifyCertBundle(t *testing.T) { must(sign.SignCmd(ro, ko, so, []string{imgName}), t) // Now verify and download should work! - must(verifyCertBundle(pubkeyFile, caCertFile, caIntermediateCertFile, certFile, imgName, true, nil, "", false), t) + ignoreTlog := true + must(verifyCertBundle(pubKeyPath, caCertFile, caIntermediateCertFile, certFile, imgName, true, nil, "", ignoreTlog), t) // verification with certificate chain instead of root/intermediate files should work as well - must(verifyCertChain(pubkeyFile, certChainFile, certFile, imgName, true, nil, "", false), t) + must(verifyCertChain(pubKeyPath, certChainFile, certFile, imgName, true, nil, "", ignoreTlog), t) must(download.SignatureCmd(ctx, options.RegistryOptions{}, imgName), t) // Look for a specific annotation - mustErr(verifyCertBundle(pubkeyFile, caCertFile, caIntermediateCertFile, certFile, imgName, true, map[string]interface{}{"foo": "bar"}, "", false), t) + mustErr(verifyCertBundle(pubKeyPath, caCertFile, caIntermediateCertFile, certFile, imgName, true, map[string]interface{}{"foo": "bar"}, "", ignoreTlog), t) so.AnnotationOptions = options.AnnotationOptions{ Annotations: []string{"foo=bar"}, 
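Review bot: `ignoreTlog := true` turns off Rekor verification for every check in this test, while the signing step in the previous hunk still sets `RekorURL: rekorURL`, so the transparency-log path this test used to exercise (it passed `false` before) is no longer covered and nothing in the hunk or the commit message explains why. If tlog verification genuinely cannot succeed with the locally generated bundle, put that reason next to the variable, e.g. `// ignoreTlog: Rekor verification is skipped for this self-generated bundle because <reason>`; otherwise keep `false` on at least the plain key-based verify so a regression in tlog verification is still caught end to end. The function starts before and ends after this hunk.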
@@ -183,10 +185,10 @@ func TestSignVerifyCertBundle(t *testing.T) { must(sign.SignCmd(ro, ko, so, []string{imgName}), t) // It should match this time. - must(verifyCertBundle(pubkeyFile, caCertFile, caIntermediateCertFile, certFile, imgName, true, map[string]interface{}{"foo": "bar"}, "", false), t) + must(verifyCertBundle(pubKeyPath, caCertFile, caIntermediateCertFile, certFile, imgName, true, map[string]interface{}{"foo": "bar"}, "", ignoreTlog), t) // But two doesn't work - mustErr(verifyCertBundle(pubkeyFile, caCertFile, caIntermediateCertFile, certFile, imgName, true, map[string]interface{}{"foo": "bar", "baz": "bat"}, "", false), t) + mustErr(verifyCertBundle(pubKeyPath, caCertFile, caIntermediateCertFile, certFile, imgName, true, map[string]interface{}{"foo": "bar", "baz": "bat"}, "", ignoreTlog), t) } func TestSignVerifyClean(t *testing.T) { diff --git a/test/helpers.go b/test/helpers.go index 38bffaa282cd..0967e6ddaf98 100644 --- a/test/helpers.go +++ b/test/helpers.go @@ -119,9 +119,10 @@ var verifyCertBundle = func(keyRef, caCertFile, caIntermediates, certFile, image MaxWorkers: 10, IgnoreTlog: skipTlogVerify, CertVerifyOptions: options.CertVerifyOptions{ - Cert: certFile, - CAIntermediates: caIntermediates, - CARoots: caCertFile, + CAIntermediates: caIntermediates, + CARoots: caCertFile, + CertOidcIssuerRegexp: ".*", + CertIdentityRegexp: ".*", }, } 
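Review bot: Removing `Cert: certFile` and adding `CertIdentityRegexp: ".*"` and `CertOidcIssuerRegexp: ".*"` makes this helper accept any identity and any issuer as long as the certificate chains to `CARoots`, which is a far weaker assertion than verifying against the specific leaf in `certFile`; in a verification helper that should be stated, e.g. `// Identity and issuer are wildcarded: the bundle's leaf is not the signing certificate, so only the CA chain is asserted here — confirm`. `certFile` is still a parameter on the hunk header line but is no longer referenced in these options; if the rest of the body does not read it either, rename it to `_` (or drop it) so callers stop assuming it is enforced. The function body continues past this hunk.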
@@ -503,12 +504,10 @@ func generateCertificateBundleFiles(td string, genIntermediate bool, outputSuffi caIntermediateCertFile string, caIntermediatePrivKeyFile string, certFile string, - keyFile string, - pubKeyFile string, certChainFile string, err error, ) { - caCertBuf, caPrivKeyBuf, caIntermediateCertBuf, caIntermediatePrivKeyBuf, certBuf, keyBuf, pubkey, certChainBuf, err := generateCertificateBundle(genIntermediate) + caCertBuf, caPrivKeyBuf, caIntermediateCertBuf, caIntermediatePrivKeyBuf, certBuf, certChainBuf, err := generateCertificateBundle(genIntermediate) if err != nil { err = fmt.Errorf("error generating certificate bundle: %w", err) return @@ -540,11 +539,7 @@ func generateCertificateBundleFiles(td string, genIntermediate bool, outputSuffi err = fmt.Errorf("error writing cert to file: %w", err) return } - err = os.WriteFile(filepath.Join(td, fmt.Sprintf("key%s.pem", outputSuffix)), keyBuf.Bytes(), 0600) - if err != nil { - err = fmt.Errorf("error writing key to file: %w", err) - return - } + // write the contents of certChainBuf to a file certChainFile = filepath.Join(td, fmt.Sprintf("certchain%s.pem", outputSuffix)) err = os.WriteFile(certChainFile, certChainBuf.Bytes(), 0600) @@ -552,18 +547,6 @@ func generateCertificateBundleFiles(td string, genIntermediate bool, outputSuffi err = fmt.Errorf("error writing certificate chain to file: %w", err) return } - // write the public key to a file - pubKeyFile = filepath.Join(td, fmt.Sprintf("pubkey%s.pem", outputSuffix)) - pubKeyBuf := &bytes.Buffer{} - pubKeyBytes, err := x509.MarshalPKIXPublicKey(pubkey) - if err != nil { - err = fmt.Errorf("error marshalling public key: %w", err) - return - } - err = pem.Encode(pubKeyBuf, &pem.Block{ - Type: "PUBLIC KEY", - Bytes: pubKeyBytes, - }) return } 
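Review bot: With `keyFile` and `pubKeyFile` gone from the results (and `keyBuf` dropped from `generateCertificateBundle`), the leaf in `certFile` is now written without any private key being returned or saved, so as far as this diff shows the bundle is trust material only and cannot sign anything; that contract belongs in a doc comment on the function, whose signature sits just above this hunk, e.g. `// generateCertificateBundleFiles writes the root, intermediate, leaf and chain PEMs (plus the CA private key files it still returns) under td; no key for the leaf is produced — callers sign with their own key (see keypair) and use the bundle as trust roots only.` The hunk at line 540 also leaves a blank line where the key write was, directly above `// write the contents of certChainBuf to a file`; harmless, but it reads as a stray gap. The CA and intermediate writes between these hunks are not visible.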
@@ -573,8 +556,6 @@ func generateCertificateBundle(genIntermediate bool) ( caIntermediateCertBuf *bytes.Buffer, caIntermediatePrivKeyBuf *bytes.Buffer, certBuf *bytes.Buffer, - keyBuf *bytes.Buffer, - pubkeyBuf *bytes.Buffer, certBundleBuf *bytes.Buffer, err error, ) { @@ -604,7 +585,6 @@ func generateCertificateBundle(genIntermediate bool) ( if err != nil { log.Fatal(err) } - pubkey := &caPrivKey.PublicKey // create the CA caBytes, err := x509.CreateCertificate(rand.Reader, ca, ca, &caPrivKey.PublicKey, caPrivKey) if err != nil { @@ -628,19 +608,6 @@ func generateCertificateBundle(genIntermediate bool) ( if err != nil { log.Fatalf("unable to PEM encode private key to buffer: %v", err) //nolint:gocritic } - pubkeyBuf = &bytes.Buffer{} - // PEM encode to pubkeyBuf the public key of caPrivKey - pubkeyBytes, err := x509.MarshalPKIXPublicKey(pubkey) - if err != nil { - log.Fatalf("failed to marshal public key: %v", err) - } - err = pem.Encode(pubkeyBuf, &pem.Block{ - Type: "PUBLIC KEY", - Bytes: pubkeyBytes, - }) - if err != nil { - log.Fatalf("failed to PME-encode public key to buffer: %v", err) - } // generate intermediate CA if requested var caIntermediate *x509.Certificate @@ -753,5 +720,5 @@ func generateCertificateBundle(genIntermediate bool) ( log.Fatalf("failed to write caCertBuf to certChainBuf: %v", err) } - return caCertBuf, caPrivKeyBuf, caIntermediateCertBuf, caIntermediatePrivKeyBuf, certBuf, keyBuf, pubkeyBuf, certBundleBuf, nil + return caCertBuf, caPrivKeyBuf, caIntermediateCertBuf, caIntermediatePrivKeyBuf, certBuf, certBundleBuf, nil } diff --git a/test/helpers_test.go b/test/helpers_test.go index 9c43468d966f..95b8872ddd88 100644 --- a/test/helpers_test.go +++ b/test/helpers_test.go 
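Review bot: The error paths these hunks touch or surround — `log.Fatal(err)` after the CA key generation, `log.Fatalf` on the PEM encode and on the chain write — exit the process instead of populating the `err` result this function declares, so when they fire the `defer cleanup()` in the e2e test never runs and whatever `mkimage`'s cleanup tears down is left behind; the `//nolint:gocritic` on one of them suggests this is known but tolerated. Since the commit already reshapes the named results, it is the natural moment to convert them: `err = fmt.Errorf("generating CA key: %w", err)` followed by `return` on each path (the results are named), leaving the caller's `must(err, t)` to fail the test cleanly. Separately, the chain buffer is named `certBundleBuf` here but `certChainBuf` where it is received in generateCertificateBundleFiles; one name would help. The intermediate and leaf generation between the hunks is outside this view.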
@@ -19,7 +19,7 @@ func TestGenerateCertificateBundle(t *testing.T) {
 },
 } {
 t.Run(test.name, func(t *testing.T) {
- _, _, _, _, _, _, _, _, err := generateCertificateBundle(true)
+ _, _, _, _, _, _, err := generateCertificateBundle(true)
 if err != nil {
 t.Fatalf("Error generating certificate bundle: %v", err)
 }
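Review bot: The updated call still discards all six buffers and asserts only `err == nil`, so a bundle whose leaf does not chain through the intermediate to the root — the class of defect this commit's title says it fixes — would still pass this test. Keeping the three certificate buffers and verifying the leaf against root and intermediate pools pins the corrected behaviour; `ExtKeyUsageAny` is needed because the leaf's EKUs are not visible here and `Verify` defaults to server auth. This adds `crypto/x509` and `encoding/pem` to the test file's imports; the table-driven loop around this hunk starts before it.
```go
caCertBuf, _, caIntermediateCertBuf, _, certBuf, _, err := generateCertificateBundle(true)
if err != nil {
	t.Fatalf("Error generating certificate bundle: %v", err)
}
roots := x509.NewCertPool()
if !roots.AppendCertsFromPEM(caCertBuf.Bytes()) {
	t.Fatal("root CA PEM did not parse")
}
intermediates := x509.NewCertPool()
if !intermediates.AppendCertsFromPEM(caIntermediateCertBuf.Bytes()) {
	t.Fatal("intermediate CA PEM did not parse")
}
block, _ := pem.Decode(certBuf.Bytes())
if block == nil {
	t.Fatal("leaf PEM did not parse")
}
leaf, err := x509.ParseCertificate(block.Bytes)
if err != nil {
	t.Fatalf("parsing leaf certificate: %v", err)
}
if _, err := leaf.Verify(x509.VerifyOptions{
	Roots:         roots,
	Intermediates: intermediates,
	KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
}); err != nil {
	t.Fatalf("leaf does not chain to the generated root: %v", err)
}
```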