Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

test different keytypes/schemes #159

Open
jku opened this issue Aug 20, 2024 · 4 comments
Open

test different keytypes/schemes #159

jku opened this issue Aug 20, 2024 · 4 comments

Comments

@jku
Copy link
Member

jku commented Aug 20, 2024

We should use a default keytype in most tests (currently RSA, ecdsa maybe makes sense after #155). In addition we should have specific tests for support of various other keytypes. Specification does not really require support for any specific keys but these are mentioned in spec:

keytype scheme
rsa rsassa-pss-sha256
ecdsa ecdsa-sha2-nistp256
ed25519 ed25519

We should definitely test these.

Additionally potential testable keys might include

keytype scheme note
ecdsa ecdsa-sha2-nistp384
ecdsa ecdsa-sha2-nistp521
ecdsa-sha2-nistp256 ecdsa-sha2-nistp256 legacy keytype name still supported by some implementations
ecdsa-sha2-nistp384 ecdsa-sha2-nistp384 legacy keytype name still supported by some implementations
ecdsa-sha2-nistp521 ecdsa-sha2-nistp521 legacy keytype name still supported by some implementations
rsa rsassa-pss-sha224
rsa rsassa-pss-sha384
rsa rsassa-pss-sha512
rsa rsa-pkcs1v15-sha224
rsa rsa-pkcs1v15-sha256
rsa rsa-pkcs1v15-sha384
rsa rsa-pkcs1v15-sha512
@jku
Copy link
Member Author

jku commented Aug 20, 2024
edited
Loading

So I guess we should write a single parametrized test (or one test for the keys mentioned in specification, another for additional keys) that

  • builds a repository using given keytype/scheme for at least one signature
  • tests client refresh is ok
  • creates a new version of the metadata, modifies signature so it's incorrect
  • tests that client refresh fails

We could add more pre-generated keys to repository_simulator.py (like RSA_PKCS_SIGNERS) so at least the keys are ready in case we decide to use them in more than one test.

@jku jku mentioned this issue Aug 20, 2024
Draft
1 task
@jku
Copy link
Member Author

jku commented Aug 20, 2024
edited
Loading

maybe an additional test: use an incorrect but supported key like ecdsa-sha2-nistp256 but have the metadata claim that it's ecdsa-sha2-nistp521. I think a client should fail this even though it could parse the public key and correctly handle it: as it looks like the repository is trying to mislead a human reader.

@jku
Copy link
Member Author

jku commented Aug 21, 2024

I've got an initial test in #167

@jku
Copy link
Member Author

jku commented Aug 27, 2024
edited
Loading

Status:

  • test_keytype_and_scheme now tests the three keytypes named in the spec
  • we really should test other keytypes as well

The only obstacles are:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@jku