hashedrekord: add a SHA1 backstop test for CreateFromArtifactProperties

Signed-off-by: William Woodruff <william@trailofbits.com>
sigstore · Jan 19, 2024 · 0f1f8e3 · 0f1f8e3
1 parent 6903f5f
commit 0f1f8e3
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 71 deletions.
diff --git a/pkg/types/hashedrekord/v0.0.1/e2e_test.go b/pkg/types/hashedrekord/v0.0.1/e2e_test.go
@@ -25,15 +25,11 @@ import (
 	"crypto/elliptic"
 	"crypto/rand"
 	"os"
-	"strings"
 	"testing"
 	"time"
 
-	"github.com/go-openapi/strfmt"
-	"github.com/go-openapi/swag"
 	"github.com/sigstore/rekor/pkg/client"
 	"github.com/sigstore/rekor/pkg/generated/client/entries"
-	"github.com/sigstore/rekor/pkg/generated/models"
 	"github.com/sigstore/rekor/pkg/types"
 	"github.com/sigstore/sigstore/pkg/cryptoutils"
 	"github.com/sigstore/sigstore/pkg/signature"
@@ -96,70 +92,3 @@ func TestSHA256HashedRekordEntry(t *testing.T) {
 		t.Fatalf("expected no errors when submitting hashedrekord entry with sha256 to rekor %s", err)
 	}
 }
-
-// TestSHA1HashedRekordEntry tests sending a proposed hashedrekord entry with
-// sha1 digests that should not be accepted by Rekor as SHA1 is considered
-// insecure.
-func TestSHA1HashedRekordEntry(t *testing.T) {
-	privKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-	if err != nil {
-		t.Fatalf("error generating key: %v", err)
-	}
-	pubBytes, err := cryptoutils.MarshalPublicKeyToPEM(privKey.Public())
-	if err != nil {
-		t.Fatalf("error marshaling public key: %v", err)
-	}
-
-	data := []byte("data")
-	signer, err := signature.LoadSigner(privKey, crypto.SHA256)
-	if err != nil {
-		t.Fatalf("error loading verifier: %v", err)
-	}
-	signature, err := signer.SignMessage(bytes.NewReader(data))
-	if err != nil {
-		t.Fatalf("error signing message: %v", err)
-	}
-
-	re := V001Entry{}
-
-	// we will need artifact, public-key, signature
-	re.HashedRekordObj.Data = &models.HashedrekordV001SchemaData{}
-
-	re.HashedRekordObj.Signature = &models.HashedrekordV001SchemaSignature{}
-	re.HashedRekordObj.Signature.Content = strfmt.Base64(signature)
-
-	re.HashedRekordObj.Signature.PublicKey = &models.HashedrekordV001SchemaSignaturePublicKey{}
-	publicKeyBytes := [][]byte{pubBytes}
-
-	re.HashedRekordObj.Signature.PublicKey.Content = strfmt.Base64(publicKeyBytes[0])
-	re.HashedRekordObj.Data.Hash = &models.HashedrekordV001SchemaDataHash{
-		Algorithm: swag.String("sha1"),
-		Value:     swag.String("a17c9aaa61e80a1bf71d0d850af4e5baa9800bbd"),
-	}
-
-	hr := models.Hashedrekord{}
-	hr.APIVersion = swag.String("0.0.1")
-	hr.Spec = re.HashedRekordObj
-
-	rc, err := client.GetRekorClient(rekorServer())
-	if err != nil {
-		t.Errorf("error getting client: %v", err)
-	}
-
-	params := &entries.CreateLogEntryParams{}
-	params.SetProposedEntry(&hr)
-	params.SetContext(context.Background())
-	params.SetTimeout(5 * time.Second)
-
-	if _, err = rc.Entries.CreateLogEntry(params); err == nil {
-		t.Fatalf("expected a failure when trying to add a hashedrekord with sha1")
-	}
-
-	e, ok := err.(*entries.CreateLogEntryBadRequest)
-	if !ok {
-		t.Errorf("unexpected error returned from rekor: %v", err.Error())
-	}
-	if !strings.Contains(e.Payload.Message, "validation failure") {
-		t.Errorf("expected error message to include 'validation failure': %v", e.Payload.Message)
-	}
-}
diff --git a/pkg/types/hashedrekord/v0.0.1/entry_test.go b/pkg/types/hashedrekord/v0.0.1/entry_test.go
@@ -39,6 +39,7 @@ import (
 	"github.com/sigstore/rekor/pkg/generated/models"
 	x509r "github.com/sigstore/rekor/pkg/pki/x509"
 	"github.com/sigstore/rekor/pkg/types"
+	"github.com/sigstore/sigstore/pkg/cryptoutils"
 	"github.com/sigstore/sigstore/pkg/signature"
 	"go.uber.org/goleak"
 )
@@ -54,6 +55,41 @@ func TestNewEntryReturnType(t *testing.T) {
 	}
 }
 
+func TestRejectsSHA1(t *testing.T) {
+	privKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		t.Fatalf("error generating key: %v", err)
+	}
+	pubBytes, err := cryptoutils.MarshalPublicKeyToPEM(privKey.Public())
+	if err != nil {
+		t.Fatalf("error marshaling public key: %v", err)
+	}
+
+	data := []byte("data")
+	signer, err := signature.LoadSigner(privKey, crypto.SHA256)
+	if err != nil {
+		t.Fatalf("error loading verifier: %v", err)
+	}
+	signature, err := signer.SignMessage(bytes.NewReader(data))
+	if err != nil {
+		t.Fatalf("error signing message: %v", err)
+	}
+
+	ap := types.ArtifactProperties{
+		ArtifactBytes:  data,
+		ArtifactHash:   "sha1:a17c9aaa61e80a1bf71d0d850af4e5baa9800bbd",
+		PublicKeyBytes: [][]byte{pubBytes},
+		PKIFormat:      "x509",
+		SignatureBytes: signature,
+	}
+
+	ei := NewEntry()
+	_, err = ei.CreateFromArtifactProperties(context.Background(), ap)
+	if err == nil {
+		t.Fatalf("expected error creating entry")
+	}
+}
+
 func TestCrossFieldValidation(t *testing.T) {
 	type TestCase struct {
 		caseDesc                  string