dd32fbe615
contains equal length History and FSLayer arrays. This is required to prevent malformed manifests being put to the registry and failing external verification checks. Signed-off-by: Richard Scothern <richard.scothern@gmail.com>
137 lines
2.7 KiB
Go
137 lines
2.7 KiB
Go
package schema1
|
|
|
|
import (
|
|
"bytes"
|
|
"encoding/json"
|
|
"reflect"
|
|
"testing"
|
|
|
|
"github.com/docker/libtrust"
|
|
)
|
|
|
|
type testEnv struct {
|
|
name, tag string
|
|
invalidSigned *SignedManifest
|
|
signed *SignedManifest
|
|
pk libtrust.PrivateKey
|
|
}
|
|
|
|
func TestManifestMarshaling(t *testing.T) {
|
|
env := genEnv(t)
|
|
|
|
// Check that the Raw field is the same as json.MarshalIndent with these
|
|
// parameters.
|
|
p, err := json.MarshalIndent(env.signed, "", " ")
|
|
if err != nil {
|
|
t.Fatalf("error marshaling manifest: %v", err)
|
|
}
|
|
|
|
if !bytes.Equal(p, env.signed.Raw) {
|
|
t.Fatalf("manifest bytes not equal: %q != %q", string(env.signed.Raw), string(p))
|
|
}
|
|
}
|
|
|
|
func TestManifestUnmarshaling(t *testing.T) {
|
|
env := genEnv(t)
|
|
|
|
var signed SignedManifest
|
|
if err := json.Unmarshal(env.signed.Raw, &signed); err != nil {
|
|
t.Fatalf("error unmarshaling signed manifest: %v", err)
|
|
}
|
|
|
|
if !reflect.DeepEqual(&signed, env.signed) {
|
|
t.Fatalf("manifests are different after unmarshaling: %v != %v", signed, env.signed)
|
|
}
|
|
|
|
}
|
|
|
|
func TestManifestVerification(t *testing.T) {
|
|
env := genEnv(t)
|
|
|
|
publicKeys, err := Verify(env.signed)
|
|
if err != nil {
|
|
t.Fatalf("error verifying manifest: %v", err)
|
|
}
|
|
|
|
if len(publicKeys) == 0 {
|
|
t.Fatalf("no public keys found in signature")
|
|
}
|
|
|
|
var found bool
|
|
publicKey := env.pk.PublicKey()
|
|
// ensure that one of the extracted public keys matches the private key.
|
|
for _, candidate := range publicKeys {
|
|
if candidate.KeyID() == publicKey.KeyID() {
|
|
found = true
|
|
break
|
|
}
|
|
}
|
|
|
|
if !found {
|
|
t.Fatalf("expected public key, %v, not found in verified keys: %v", publicKey, publicKeys)
|
|
}
|
|
|
|
// Check that an invalid manifest fails verification
|
|
_, err = Verify(env.invalidSigned)
|
|
if err != nil {
|
|
t.Fatalf("Invalid manifest should not pass Verify()")
|
|
}
|
|
}
|
|
|
|
func genEnv(t *testing.T) *testEnv {
|
|
pk, err := libtrust.GenerateECP256PrivateKey()
|
|
if err != nil {
|
|
t.Fatalf("error generating test key: %v", err)
|
|
}
|
|
|
|
name, tag := "foo/bar", "test"
|
|
|
|
invalid := Manifest{
|
|
Versioned: SchemaVersion,
|
|
Name: name,
|
|
Tag: tag,
|
|
FSLayers: []FSLayer{
|
|
{
|
|
BlobSum: "asdf",
|
|
},
|
|
{
|
|
BlobSum: "qwer",
|
|
},
|
|
},
|
|
}
|
|
|
|
valid := Manifest{
|
|
Versioned: SchemaVersion,
|
|
Name: name,
|
|
Tag: tag,
|
|
FSLayers: []FSLayer{
|
|
{
|
|
BlobSum: "asdf",
|
|
},
|
|
},
|
|
History: []History{
|
|
{
|
|
V1Compatibility: "",
|
|
},
|
|
},
|
|
}
|
|
|
|
sm, err := Sign(&valid, pk)
|
|
if err != nil {
|
|
t.Fatalf("error signing manifest: %v", err)
|
|
}
|
|
|
|
invalidSigned, err := Sign(&invalid, pk)
|
|
if err != nil {
|
|
t.Fatalf("error signing manifest: %v", err)
|
|
}
|
|
|
|
return &testEnv{
|
|
name: name,
|
|
tag: tag,
|
|
invalidSigned: invalidSigned,
|
|
signed: sm,
|
|
pk: pk,
|
|
}
|
|
}
|