You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@mynewt.apache.org by cc...@apache.org on 2019/06/26 18:39:44 UTC
[mynewt-artifact] 02/02: image: Add tests for encrypted images
This is an automated email from the ASF dual-hosted git repository.
ccollins pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/mynewt-artifact.git
commit d5de4c207ac0b32f733bedac0c595d5301047280
Author: Christopher Collins <cc...@apache.org>
AuthorDate: Tue Jun 25 17:58:46 2019 -0700
image: Add tests for encrypted images
---
image/image_test.go | 72 ++++++++++++++++++---
image/testdata/enc-key-pub.der | Bin 0 -> 270 bytes
image/testdata/enc-key-pub.pem | 9 +++
image/testdata/enc-key.der | Bin 0 -> 1190 bytes
image/testdata/enc-key.pem | 27 ++++++++
image/testdata/good-signed-encrypted.img | Bin 0 -> 9940 bytes
...od-unsigned.json => good-signed-encrypted.json} | 8 +--
...good-signed.img => good-signed-unencrypted.img} | Bin
...od-signed.json => good-signed-unencrypted.json} | 0
...-unsigned.img => good-unsigned-unencrypted.img} | Bin
...nsigned.json => good-unsigned-unencrypted.json} | 0
image/testdata/sign-key-pub.pem | 9 +++
image/testdata/wrong-enc-key.img | Bin 0 -> 9940 bytes
.../{good-unsigned.json => wrong-enc-key.json} | 8 +--
14 files changed, 116 insertions(+), 17 deletions(-)
diff --git a/image/image_test.go b/image/image_test.go
index 7cb5bf6..aa3ed13 100644
--- a/image/image_test.go
+++ b/image/image_test.go
@@ -24,6 +24,7 @@ import (
"io/ioutil"
"testing"
+ "github.com/apache/mynewt-artifact/errors"
"github.com/apache/mynewt-artifact/manifest"
"github.com/apache/mynewt-artifact/sec"
)
@@ -37,6 +38,7 @@ type entry struct {
hash bool
man bool
sign bool
+ encrypted bool
}
func readImageData(basename string) []byte {
@@ -44,7 +46,7 @@ func readImageData(basename string) []byte {
data, err := ioutil.ReadFile(path)
if err != nil {
- panic("failed to read image file " + path)
+ panic(fmt.Sprintf("failed to read image file \"%s\": %s", path, err.Error()))
}
return data
@@ -55,23 +57,34 @@ func readManifest(basename string) manifest.Manifest {
man, err := manifest.ReadManifest(path)
if err != nil {
- panic("failed to read manifest file " + path)
+ panic(fmt.Sprintf("failed to read manifest file \"%s\": %s", path, err.Error()))
}
return man
}
-func readPubKey() sec.PubSignKey {
+func readPubSignKey() sec.PubSignKey {
path := fmt.Sprintf("%s/sign-key.pem", testdataPath)
key, err := sec.ReadPrivSignKey(path)
if err != nil {
- panic("failed to read key file " + path)
+ panic(fmt.Sprintf("failed to read key file \"%s\": %s", path, err.Error()))
}
return key.PubKey()
}
+func readPrivEncKey() sec.PrivEncKey {
+ path := fmt.Sprintf("%s/enc-key.der", testdataPath)
+
+ key, err := sec.ReadPrivEncKey(path)
+ if err != nil {
+ panic(fmt.Sprintf("failed to read key file \"%s\": %s", path, err.Error()))
+ }
+
+ return key
+}
+
func testOne(t *testing.T, e entry) {
fatalErr := func(field string, have string, want string, err error) {
s := fmt.Sprintf("image \"%s\" has unexpected `%s` status: "+
@@ -111,7 +124,9 @@ func testOne(t *testing.T, e entry) {
}
}
- _, err = img.VerifyHash(nil)
+ kek := readPrivEncKey()
+
+ kekIdx, err := img.VerifyHash([]sec.PrivEncKey{kek})
if !e.hash {
if err == nil {
fatalErr("hash", "good", "bad", nil)
@@ -122,6 +137,19 @@ func testOne(t *testing.T, e entry) {
fatalErr("hash", "bad", "good", err)
return
}
+
+ var wantKekIdx int
+ if e.encrypted {
+ wantKekIdx = 0
+ } else {
+ wantKekIdx = -1
+ }
+
+ if kekIdx != wantKekIdx {
+ fatalErr("hash", "good", "bad", errors.Errorf(
+ "wrong kek idx: have=%d want=%d", kekIdx, wantKekIdx))
+ return
+ }
}
man := readManifest(e.basename)
@@ -139,9 +167,9 @@ func testOne(t *testing.T, e entry) {
}
}
- key := readPubKey()
+ isk := readPubSignKey()
- idx, err := img.VerifySigs([]sec.PubSignKey{key})
+ idx, err := img.VerifySigs([]sec.PubSignKey{isk})
if !e.sign {
if err == nil && idx != -1 {
fatalErr("signature", "good", "bad", nil)
@@ -162,6 +190,7 @@ func TestImageVerify(t *testing.T) {
structure: false,
man: false,
sign: false,
+ encrypted: false,
},
entry{
basename: "truncated",
@@ -169,6 +198,7 @@ func TestImageVerify(t *testing.T) {
structure: false,
man: false,
sign: false,
+ encrypted: false,
},
entry{
basename: "bad-hash",
@@ -177,6 +207,7 @@ func TestImageVerify(t *testing.T) {
hash: false,
man: false,
sign: false,
+ encrypted: false,
},
entry{
basename: "mismatch-hash",
@@ -185,6 +216,7 @@ func TestImageVerify(t *testing.T) {
hash: true,
man: false,
sign: false,
+ encrypted: false,
},
entry{
basename: "mismatch-version",
@@ -193,6 +225,7 @@ func TestImageVerify(t *testing.T) {
hash: true,
man: false,
sign: false,
+ encrypted: false,
},
entry{
basename: "bad-signature",
@@ -201,22 +234,43 @@ func TestImageVerify(t *testing.T) {
hash: true,
man: true,
sign: false,
+ encrypted: false,
+ },
+ entry{
+ basename: "wrong-enc-key",
+ form: true,
+ structure: true,
+ hash: false,
+ man: true,
+ sign: true,
+ encrypted: true,
},
entry{
- basename: "good-unsigned",
+ basename: "good-unsigned-unencrypted",
form: true,
structure: true,
hash: true,
man: true,
sign: false,
+ encrypted: false,
+ },
+ entry{
+ basename: "good-signed-unencrypted",
+ form: true,
+ structure: true,
+ hash: true,
+ man: true,
+ sign: true,
+ encrypted: false,
},
entry{
- basename: "good-signed",
+ basename: "good-signed-encrypted",
form: true,
structure: true,
hash: true,
man: true,
sign: true,
+ encrypted: true,
},
}
diff --git a/image/testdata/enc-key-pub.der b/image/testdata/enc-key-pub.der
new file mode 100644
index 0000000..9c9277b
Binary files /dev/null and b/image/testdata/enc-key-pub.der differ
diff --git a/image/testdata/enc-key-pub.pem b/image/testdata/enc-key-pub.pem
new file mode 100644
index 0000000..6eafa46
--- /dev/null
+++ b/image/testdata/enc-key-pub.pem
@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAySeOBIFVjILuDa60U6UM
+fdV0UFCXB2QVrIjQiqiLpldYuuyppijQkKb9tUgSXMV3gaXDfshhYx5kJakp8VHs
+IvcBDGALHEt4p0gj+Q+F0/lvql5biL76cx08ZoEzzId7JhhZF1UiRMlnrnZJxcbq
+jbain5HvYlSlcQItwjJW7RoSYGZwWPpPNXyZ+OYt0VVvl8Z86E/as6Crf7Y45HQw
+iFf+njJm7MHnlUsJHwkULt2wD2PvXJGQYPU00SdTscpaxneqi0z2GsAVcPjk66ux
+LSUhsF/dCr+vSanUcwCihdb8/woVb6fUxo4HO7f1Eu5LTLWNX2jRahbybe2Okq4x
+EwIDAQAB
+-----END PUBLIC KEY-----
diff --git a/image/testdata/enc-key.der b/image/testdata/enc-key.der
new file mode 100644
index 0000000..ea988d2
Binary files /dev/null and b/image/testdata/enc-key.der differ
diff --git a/image/testdata/enc-key.pem b/image/testdata/enc-key.pem
new file mode 100644
index 0000000..8345cdb
--- /dev/null
+++ b/image/testdata/enc-key.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAySeOBIFVjILuDa60U6UMfdV0UFCXB2QVrIjQiqiLpldYuuyp
+pijQkKb9tUgSXMV3gaXDfshhYx5kJakp8VHsIvcBDGALHEt4p0gj+Q+F0/lvql5b
+iL76cx08ZoEzzId7JhhZF1UiRMlnrnZJxcbqjbain5HvYlSlcQItwjJW7RoSYGZw
+WPpPNXyZ+OYt0VVvl8Z86E/as6Crf7Y45HQwiFf+njJm7MHnlUsJHwkULt2wD2Pv
+XJGQYPU00SdTscpaxneqi0z2GsAVcPjk66uxLSUhsF/dCr+vSanUcwCihdb8/woV
+b6fUxo4HO7f1Eu5LTLWNX2jRahbybe2Okq4xEwIDAQABAoIBAENGBUsgbhoGF9Nf
+oFNxGZJj9vh9W2VPZahEQWp+H+ZLxBMP31UAxW/7SVJ9fhaku+kSJSWbomZh3aBy
+yOI6Qb0X2rPm0xBtdTaM++rp9BoGi//werBrHputJWwqvcYjcV42OmWBRWq36QMB
+8H5CnmMyt4Sia+r44DPBRMhzyXqV68kcxw7c0sjYsTPhKCWg5ZmGu77ari13UXmb
+XKb42pC/ijTq2TgabAwbCjlYUkNOTMKdUfysTOH+Pq7KQ/RJ7c0a5dnJymnJHWTM
+GOr0mcwsyk/WsdZDQ6eAaGwGowt8wVt50xaYxAwZK6g1T47z1edgf3jHyYuJRRQH
+ZgUdraECgYEA58mogN3oQZjF+dHcpnat/f9ZxDmKiweiiNMd8vzxJ5oij/zgm3SD
+HHWqYLtcE5kun81nD6Lyfd14kcjH2DkQ4IfsPI4MdeeFEesObQTcUkBgbRv01xCy
+QLo4+wjU/t20fBUwz8GnegkqfiOEKwmflxOyPsf55nAWG6ur96DrbysCgYEA3iq4
+O9MjaeMgPBKL5kF7vx8jAaPhTrxZt9zGu5BQxR8lcWGa4tGB25ALqkbp2/ACdQtr
+Gg34YcsYRngXgIjALkQkkLee3zuTUsivI0e2TASKsoRJvUsTIfRgtWOMGky68JIS
+eUbMrNDnQ6czHU+aqPj0poa3YEwgdfzEVXX7EbkCgYAovWIXnGlZNj/94+wTeiKk
+1T/y5GY8f5AK2oiWD+1XF5lhk4Hq8PSmiOv0apoJe9AdGF43+l0C0G2DujWeBJG5
+1UopbpI0GwhhmN4FPWh4MIaCRvqm3nFmPRUM0oWVcmRpttPIgHIuWfQVDasKYXui
+czzOGhoLbcIFBQyJzsfy1wKBgG5uTaVvDetUOnGhxmhtpFUb5QqrqxK4DOCXnTEe
+Swews6voGFUmTqYUs7ewCA6K/q2vP010JEJ38VkV2JjLYLueo45Lt2y+8Dv2BRhE
+TRj8KPUTTJQK/TejgW6oTLvF6CYsdYJS7un37Pxz37RyHS5gkTs1O3FiZcBAJFdW
+jbYBAoGALzmoQoarI4YOJKUJBYloVdTjM/0V7rrumZZQ+/sSSaI9cJKHJ+tBeMy7
+HFi0VkgK1P5JwvJVl3aMXlQswn8+nljkIpFbOVlTzAukVOPxWnHXlpvxuMC2+fuO
+8W8ZW/pUlrT7hHOiVOVb+VJyiPPS3h9Uy/Gj8U9QhfJkoIkexxI=
+-----END RSA PRIVATE KEY-----
diff --git a/image/testdata/good-signed-encrypted.img b/image/testdata/good-signed-encrypted.img
new file mode 100644
index 0000000..f67c9f1
Binary files /dev/null and b/image/testdata/good-signed-encrypted.img differ
diff --git a/image/testdata/good-unsigned.json b/image/testdata/good-signed-encrypted.json
similarity index 99%
copy from image/testdata/good-unsigned.json
copy to image/testdata/good-signed-encrypted.json
index cb9aa19..bd161c7 100644
--- a/image/testdata/good-unsigned.json
+++ b/image/testdata/good-signed-encrypted.json
@@ -1,10 +1,10 @@
{
"name": "targets/blinky-nordic_pca10040",
- "build_time": "2019-06-17T17:16:49-07:00",
- "build_version": "1.0.0.0",
- "id": "8eb006d574ace63cce18a1f2d8f0f2645f1a0e8630a39fb86bbfbb805d4cd3b9",
+ "build_time": "2019-06-25T17:33:19-07:00",
+ "build_version": "1.2.3.4",
+ "id": "1786a1d4e7d9274dfda01e1bfbca24be5f7d848a81ef3ae3dd276f438bafcc6b",
"image": "/Users/ccollins/proj/myproj/bin/targets/blinky-nordic_pca10040/app/apps/blinky/blinky.img",
- "image_hash": "8eb006d574ace63cce18a1f2d8f0f2645f1a0e8630a39fb86bbfbb805d4cd3b9",
+ "image_hash": "1786a1d4e7d9274dfda01e1bfbca24be5f7d848a81ef3ae3dd276f438bafcc6b",
"loader": "",
"loader_hash": "",
"pkgs": [
diff --git a/image/testdata/good-signed.img b/image/testdata/good-signed-unencrypted.img
similarity index 100%
rename from image/testdata/good-signed.img
rename to image/testdata/good-signed-unencrypted.img
diff --git a/image/testdata/good-signed.json b/image/testdata/good-signed-unencrypted.json
similarity index 100%
rename from image/testdata/good-signed.json
rename to image/testdata/good-signed-unencrypted.json
diff --git a/image/testdata/good-unsigned.img b/image/testdata/good-unsigned-unencrypted.img
similarity index 100%
rename from image/testdata/good-unsigned.img
rename to image/testdata/good-unsigned-unencrypted.img
diff --git a/image/testdata/good-unsigned.json b/image/testdata/good-unsigned-unencrypted.json
similarity index 100%
copy from image/testdata/good-unsigned.json
copy to image/testdata/good-unsigned-unencrypted.json
diff --git a/image/testdata/sign-key-pub.pem b/image/testdata/sign-key-pub.pem
new file mode 100644
index 0000000..7be0e6f
--- /dev/null
+++ b/image/testdata/sign-key-pub.pem
@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApydXFYw0I2tS5/Z7o/e/
+AOTxcQsQA80L02KfAqMT6LsLDGLV1DKfKLLgCOdBjcafKw4updsvW9dPqCB6q4Y5
+8j99D2B7fzw+HIWH5IyL73Nt/ytIcJ0CSL/bfGpaI0dY1V92ooEq8cp2ZZCjrTCW
+mg/oP5SQ9aDEbpTYh1VdHbsxObMQ6A/aaQa1hevjcE7gTFOntKN1QDLaDZXz9CqI
+kiuNQuQhXA0zxDJkWwu7U18fVpxa3ozdU0nLRQp6Edo09MulskwJYF6VCbNEesn/
+7rSbwwI3Wa5RFWcQPRlO2SdqRiYlXSX2fYhp7r/tkBdJSYLns0193zTixECQwjI9
+BQIDAQAB
+-----END PUBLIC KEY-----
diff --git a/image/testdata/wrong-enc-key.img b/image/testdata/wrong-enc-key.img
new file mode 100644
index 0000000..af28f07
Binary files /dev/null and b/image/testdata/wrong-enc-key.img differ
diff --git a/image/testdata/good-unsigned.json b/image/testdata/wrong-enc-key.json
similarity index 99%
rename from image/testdata/good-unsigned.json
rename to image/testdata/wrong-enc-key.json
index cb9aa19..642681e 100644
--- a/image/testdata/good-unsigned.json
+++ b/image/testdata/wrong-enc-key.json
@@ -1,10 +1,10 @@
{
"name": "targets/blinky-nordic_pca10040",
- "build_time": "2019-06-17T17:16:49-07:00",
- "build_version": "1.0.0.0",
- "id": "8eb006d574ace63cce18a1f2d8f0f2645f1a0e8630a39fb86bbfbb805d4cd3b9",
+ "build_time": "2019-06-25T17:55:36-07:00",
+ "build_version": "1.2.3.4",
+ "id": "1786a1d4e7d9274dfda01e1bfbca24be5f7d848a81ef3ae3dd276f438bafcc6b",
"image": "/Users/ccollins/proj/myproj/bin/targets/blinky-nordic_pca10040/app/apps/blinky/blinky.img",
- "image_hash": "8eb006d574ace63cce18a1f2d8f0f2645f1a0e8630a39fb86bbfbb805d4cd3b9",
+ "image_hash": "1786a1d4e7d9274dfda01e1bfbca24be5f7d848a81ef3ae3dd276f438bafcc6b",
"loader": "",
"loader_hash": "",
"pkgs": [