This is an automated email from the ASF dual-hosted git repository. ccollins pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/mynewt-artifact.git
commit d5de4c207ac0b32f733bedac0c595d5301047280 Author: Christopher Collins <ccoll...@apache.org> AuthorDate: Tue Jun 25 17:58:46 2019 -0700 image: Add tests for encrypted images --- image/image_test.go | 72 ++++++++++++++++++--- image/testdata/enc-key-pub.der | Bin 0 -> 270 bytes image/testdata/enc-key-pub.pem | 9 +++ image/testdata/enc-key.der | Bin 0 -> 1190 bytes image/testdata/enc-key.pem | 27 ++++++++ image/testdata/good-signed-encrypted.img | Bin 0 -> 9940 bytes ...od-unsigned.json => good-signed-encrypted.json} | 8 +-- ...good-signed.img => good-signed-unencrypted.img} | Bin ...od-signed.json => good-signed-unencrypted.json} | 0 ...-unsigned.img => good-unsigned-unencrypted.img} | Bin ...nsigned.json => good-unsigned-unencrypted.json} | 0 image/testdata/sign-key-pub.pem | 9 +++ image/testdata/wrong-enc-key.img | Bin 0 -> 9940 bytes .../{good-unsigned.json => wrong-enc-key.json} | 8 +-- 14 files changed, 116 insertions(+), 17 deletions(-) diff --git a/image/image_test.go b/image/image_test.go index 7cb5bf6..aa3ed13 100644 --- a/image/image_test.go +++ b/image/image_test.go @@ -24,6 +24,7 @@ import ( "io/ioutil" "testing" + "github.com/apache/mynewt-artifact/errors" "github.com/apache/mynewt-artifact/manifest" "github.com/apache/mynewt-artifact/sec" ) @@ -37,6 +38,7 @@ type entry struct { hash bool man bool sign bool + encrypted bool } func readImageData(basename string) []byte { @@ -44,7 +46,7 @@ func readImageData(basename string) []byte { data, err := ioutil.ReadFile(path) if err != nil { - panic("failed to read image file " + path) + panic(fmt.Sprintf("failed to read image file \"%s\": %s", path, err.Error())) } return data @@ -55,23 +57,34 @@ func readManifest(basename string) manifest.Manifest { man, err := manifest.ReadManifest(path) if err != nil { - panic("failed to read manifest file " + path) + panic(fmt.Sprintf("failed to read manifest file \"%s\": %s", path, err.Error())) } return man } -func readPubKey() sec.PubSignKey { +func readPubSignKey() sec.PubSignKey { path := fmt.Sprintf("%s/sign-key.pem", testdataPath) key, err := sec.ReadPrivSignKey(path) if err != nil { - panic("failed to read key file " + path) + panic(fmt.Sprintf("failed to read key file \"%s\": %s", path, err.Error())) } return key.PubKey() } +func readPrivEncKey() sec.PrivEncKey { + path := fmt.Sprintf("%s/enc-key.der", testdataPath) + + key, err := sec.ReadPrivEncKey(path) + if err != nil { + panic(fmt.Sprintf("failed to read key file \"%s\": %s", path, err.Error())) + } + + return key +} + func testOne(t *testing.T, e entry) { fatalErr := func(field string, have string, want string, err error) { s := fmt.Sprintf("image \"%s\" has unexpected `%s` status: "+ @@ -111,7 +124,9 @@ func testOne(t *testing.T, e entry) { } } - _, err = img.VerifyHash(nil) + kek := readPrivEncKey() + + kekIdx, err := img.VerifyHash([]sec.PrivEncKey{kek}) if !e.hash { if err == nil { fatalErr("hash", "good", "bad", nil) @@ -122,6 +137,19 @@ func testOne(t *testing.T, e entry) { fatalErr("hash", "bad", "good", err) return } + + var wantKekIdx int + if e.encrypted { + wantKekIdx = 0 + } else { + wantKekIdx = -1 + } + + if kekIdx != wantKekIdx { + fatalErr("hash", "good", "bad", errors.Errorf( + "wrong kek idx: have=%d want=%d", kekIdx, wantKekIdx)) + return + } } man := readManifest(e.basename) @@ -139,9 +167,9 @@ func testOne(t *testing.T, e entry) { } } - key := readPubKey() + isk := readPubSignKey() - idx, err := img.VerifySigs([]sec.PubSignKey{key}) + idx, err := img.VerifySigs([]sec.PubSignKey{isk}) if !e.sign { if err == nil && idx != -1 { fatalErr("signature", "good", "bad", nil) @@ -162,6 +190,7 @@ func TestImageVerify(t *testing.T) { structure: false, man: false, sign: false, + encrypted: false, }, entry{ basename: "truncated", @@ -169,6 +198,7 @@ func TestImageVerify(t *testing.T) { structure: false, man: false, sign: false, + encrypted: false, }, entry{ basename: "bad-hash", @@ -177,6 +207,7 @@ func TestImageVerify(t *testing.T) { hash: false, man: false, sign: false, + encrypted: false, }, entry{ basename: "mismatch-hash", @@ -185,6 +216,7 @@ func TestImageVerify(t *testing.T) { hash: true, man: false, sign: false, + encrypted: false, }, entry{ basename: "mismatch-version", @@ -193,6 +225,7 @@ func TestImageVerify(t *testing.T) { hash: true, man: false, sign: false, + encrypted: false, }, entry{ basename: "bad-signature", @@ -201,22 +234,43 @@ func TestImageVerify(t *testing.T) { hash: true, man: true, sign: false, + encrypted: false, + }, + entry{ + basename: "wrong-enc-key", + form: true, + structure: true, + hash: false, + man: true, + sign: true, + encrypted: true, }, entry{ - basename: "good-unsigned", + basename: "good-unsigned-unencrypted", form: true, structure: true, hash: true, man: true, sign: false, + encrypted: false, + }, + entry{ + basename: "good-signed-unencrypted", + form: true, + structure: true, + hash: true, + man: true, + sign: true, + encrypted: false, }, entry{ - basename: "good-signed", + basename: "good-signed-encrypted", form: true, structure: true, hash: true, man: true, sign: true, + encrypted: true, }, } diff --git a/image/testdata/enc-key-pub.der b/image/testdata/enc-key-pub.der new file mode 100644 index 0000000..9c9277b Binary files /dev/null and b/image/testdata/enc-key-pub.der differ diff --git a/image/testdata/enc-key-pub.pem b/image/testdata/enc-key-pub.pem new file mode 100644 index 0000000..6eafa46 --- /dev/null +++ b/image/testdata/enc-key-pub.pem @@ -0,0 +1,9 @@ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAySeOBIFVjILuDa60U6UM +fdV0UFCXB2QVrIjQiqiLpldYuuyppijQkKb9tUgSXMV3gaXDfshhYx5kJakp8VHs +IvcBDGALHEt4p0gj+Q+F0/lvql5biL76cx08ZoEzzId7JhhZF1UiRMlnrnZJxcbq +jbain5HvYlSlcQItwjJW7RoSYGZwWPpPNXyZ+OYt0VVvl8Z86E/as6Crf7Y45HQw +iFf+njJm7MHnlUsJHwkULt2wD2PvXJGQYPU00SdTscpaxneqi0z2GsAVcPjk66ux +LSUhsF/dCr+vSanUcwCihdb8/woVb6fUxo4HO7f1Eu5LTLWNX2jRahbybe2Okq4x +EwIDAQAB +-----END PUBLIC KEY----- diff --git a/image/testdata/enc-key.der b/image/testdata/enc-key.der new file mode 100644 index 0000000..ea988d2 Binary files /dev/null and b/image/testdata/enc-key.der differ diff --git a/image/testdata/enc-key.pem b/image/testdata/enc-key.pem new file mode 100644 index 0000000..8345cdb --- /dev/null +++ b/image/testdata/enc-key.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEAySeOBIFVjILuDa60U6UMfdV0UFCXB2QVrIjQiqiLpldYuuyp +pijQkKb9tUgSXMV3gaXDfshhYx5kJakp8VHsIvcBDGALHEt4p0gj+Q+F0/lvql5b +iL76cx08ZoEzzId7JhhZF1UiRMlnrnZJxcbqjbain5HvYlSlcQItwjJW7RoSYGZw +WPpPNXyZ+OYt0VVvl8Z86E/as6Crf7Y45HQwiFf+njJm7MHnlUsJHwkULt2wD2Pv +XJGQYPU00SdTscpaxneqi0z2GsAVcPjk66uxLSUhsF/dCr+vSanUcwCihdb8/woV +b6fUxo4HO7f1Eu5LTLWNX2jRahbybe2Okq4xEwIDAQABAoIBAENGBUsgbhoGF9Nf +oFNxGZJj9vh9W2VPZahEQWp+H+ZLxBMP31UAxW/7SVJ9fhaku+kSJSWbomZh3aBy +yOI6Qb0X2rPm0xBtdTaM++rp9BoGi//werBrHputJWwqvcYjcV42OmWBRWq36QMB +8H5CnmMyt4Sia+r44DPBRMhzyXqV68kcxw7c0sjYsTPhKCWg5ZmGu77ari13UXmb +XKb42pC/ijTq2TgabAwbCjlYUkNOTMKdUfysTOH+Pq7KQ/RJ7c0a5dnJymnJHWTM +GOr0mcwsyk/WsdZDQ6eAaGwGowt8wVt50xaYxAwZK6g1T47z1edgf3jHyYuJRRQH +ZgUdraECgYEA58mogN3oQZjF+dHcpnat/f9ZxDmKiweiiNMd8vzxJ5oij/zgm3SD +HHWqYLtcE5kun81nD6Lyfd14kcjH2DkQ4IfsPI4MdeeFEesObQTcUkBgbRv01xCy +QLo4+wjU/t20fBUwz8GnegkqfiOEKwmflxOyPsf55nAWG6ur96DrbysCgYEA3iq4 +O9MjaeMgPBKL5kF7vx8jAaPhTrxZt9zGu5BQxR8lcWGa4tGB25ALqkbp2/ACdQtr +Gg34YcsYRngXgIjALkQkkLee3zuTUsivI0e2TASKsoRJvUsTIfRgtWOMGky68JIS +eUbMrNDnQ6czHU+aqPj0poa3YEwgdfzEVXX7EbkCgYAovWIXnGlZNj/94+wTeiKk +1T/y5GY8f5AK2oiWD+1XF5lhk4Hq8PSmiOv0apoJe9AdGF43+l0C0G2DujWeBJG5 +1UopbpI0GwhhmN4FPWh4MIaCRvqm3nFmPRUM0oWVcmRpttPIgHIuWfQVDasKYXui +czzOGhoLbcIFBQyJzsfy1wKBgG5uTaVvDetUOnGhxmhtpFUb5QqrqxK4DOCXnTEe +Swews6voGFUmTqYUs7ewCA6K/q2vP010JEJ38VkV2JjLYLueo45Lt2y+8Dv2BRhE +TRj8KPUTTJQK/TejgW6oTLvF6CYsdYJS7un37Pxz37RyHS5gkTs1O3FiZcBAJFdW +jbYBAoGALzmoQoarI4YOJKUJBYloVdTjM/0V7rrumZZQ+/sSSaI9cJKHJ+tBeMy7 +HFi0VkgK1P5JwvJVl3aMXlQswn8+nljkIpFbOVlTzAukVOPxWnHXlpvxuMC2+fuO +8W8ZW/pUlrT7hHOiVOVb+VJyiPPS3h9Uy/Gj8U9QhfJkoIkexxI= +-----END RSA PRIVATE KEY----- diff --git a/image/testdata/good-signed-encrypted.img b/image/testdata/good-signed-encrypted.img new file mode 100644 index 0000000..f67c9f1 Binary files /dev/null and b/image/testdata/good-signed-encrypted.img differ diff --git a/image/testdata/good-unsigned.json b/image/testdata/good-signed-encrypted.json similarity index 99% copy from image/testdata/good-unsigned.json copy to image/testdata/good-signed-encrypted.json index cb9aa19..bd161c7 100644 --- a/image/testdata/good-unsigned.json +++ b/image/testdata/good-signed-encrypted.json @@ -1,10 +1,10 @@ { "name": "targets/blinky-nordic_pca10040", - "build_time": "2019-06-17T17:16:49-07:00", - "build_version": "1.0.0.0", - "id": "8eb006d574ace63cce18a1f2d8f0f2645f1a0e8630a39fb86bbfbb805d4cd3b9", + "build_time": "2019-06-25T17:33:19-07:00", + "build_version": "1.2.3.4", + "id": "1786a1d4e7d9274dfda01e1bfbca24be5f7d848a81ef3ae3dd276f438bafcc6b", "image": "/Users/ccollins/proj/myproj/bin/targets/blinky-nordic_pca10040/app/apps/blinky/blinky.img", - "image_hash": "8eb006d574ace63cce18a1f2d8f0f2645f1a0e8630a39fb86bbfbb805d4cd3b9", + "image_hash": "1786a1d4e7d9274dfda01e1bfbca24be5f7d848a81ef3ae3dd276f438bafcc6b", "loader": "", "loader_hash": "", "pkgs": [ diff --git a/image/testdata/good-signed.img b/image/testdata/good-signed-unencrypted.img similarity index 100% rename from image/testdata/good-signed.img rename to image/testdata/good-signed-unencrypted.img diff --git a/image/testdata/good-signed.json b/image/testdata/good-signed-unencrypted.json similarity index 100% rename from image/testdata/good-signed.json rename to image/testdata/good-signed-unencrypted.json diff --git a/image/testdata/good-unsigned.img b/image/testdata/good-unsigned-unencrypted.img similarity index 100% rename from image/testdata/good-unsigned.img rename to image/testdata/good-unsigned-unencrypted.img diff --git a/image/testdata/good-unsigned.json b/image/testdata/good-unsigned-unencrypted.json similarity index 100% copy from image/testdata/good-unsigned.json copy to image/testdata/good-unsigned-unencrypted.json diff --git a/image/testdata/sign-key-pub.pem b/image/testdata/sign-key-pub.pem new file mode 100644 index 0000000..7be0e6f --- /dev/null +++ b/image/testdata/sign-key-pub.pem @@ -0,0 +1,9 @@ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApydXFYw0I2tS5/Z7o/e/ +AOTxcQsQA80L02KfAqMT6LsLDGLV1DKfKLLgCOdBjcafKw4updsvW9dPqCB6q4Y5 +8j99D2B7fzw+HIWH5IyL73Nt/ytIcJ0CSL/bfGpaI0dY1V92ooEq8cp2ZZCjrTCW +mg/oP5SQ9aDEbpTYh1VdHbsxObMQ6A/aaQa1hevjcE7gTFOntKN1QDLaDZXz9CqI +kiuNQuQhXA0zxDJkWwu7U18fVpxa3ozdU0nLRQp6Edo09MulskwJYF6VCbNEesn/ +7rSbwwI3Wa5RFWcQPRlO2SdqRiYlXSX2fYhp7r/tkBdJSYLns0193zTixECQwjI9 +BQIDAQAB +-----END PUBLIC KEY----- diff --git a/image/testdata/wrong-enc-key.img b/image/testdata/wrong-enc-key.img new file mode 100644 index 0000000..af28f07 Binary files /dev/null and b/image/testdata/wrong-enc-key.img differ diff --git a/image/testdata/good-unsigned.json b/image/testdata/wrong-enc-key.json similarity index 99% rename from image/testdata/good-unsigned.json rename to image/testdata/wrong-enc-key.json index cb9aa19..642681e 100644 --- a/image/testdata/good-unsigned.json +++ b/image/testdata/wrong-enc-key.json @@ -1,10 +1,10 @@ { "name": "targets/blinky-nordic_pca10040", - "build_time": "2019-06-17T17:16:49-07:00", - "build_version": "1.0.0.0", - "id": "8eb006d574ace63cce18a1f2d8f0f2645f1a0e8630a39fb86bbfbb805d4cd3b9", + "build_time": "2019-06-25T17:55:36-07:00", + "build_version": "1.2.3.4", + "id": "1786a1d4e7d9274dfda01e1bfbca24be5f7d848a81ef3ae3dd276f438bafcc6b", "image": "/Users/ccollins/proj/myproj/bin/targets/blinky-nordic_pca10040/app/apps/blinky/blinky.img", - "image_hash": "8eb006d574ace63cce18a1f2d8f0f2645f1a0e8630a39fb86bbfbb805d4cd3b9", + "image_hash": "1786a1d4e7d9274dfda01e1bfbca24be5f7d848a81ef3ae3dd276f438bafcc6b", "loader": "", "loader_hash": "", "pkgs": [