mirror of
https://github.com/MedzikUser/go-github-selfupdate.git
synced 2024-08-15 03:25:29 +00:00
116dfa144d
Go-self-update lacks support for checking the integrity of downloaded files. In more advanced situations it is necessary to validate the hash or verify the download against a public-key signature. This patch adds support for SHA2 hash and ECDSA PublicKey signature validation. SHA2 uses a file with the suffix `.sha256`, whereas ECDSA uses a file with the suffix `.sig`. See `selfupdate/validate_test.go` for examples. Signed-off-by: Tobias Kohlbau <t.kohlbau@myopenfactory.com>
package selfupdate
import (
"crypto/ecdsa"
"crypto/x509"
"encoding/pem"
"io/ioutil"
"testing"
)
// TestSHA2Validator checks that SHA2Validator accepts the foo.zip fixture
// when it is given the contents of the matching foo.zip.sha256 file.
//
// NOTE(review): a digest only proves that the payload matches the digest
// file. Whether that also authenticates a release depends on where the
// digest file comes from, which this test does not cover.
func TestSHA2Validator(t *testing.T) {
	archive, readErr := ioutil.ReadFile("testdata/foo.zip")
	if readErr != nil {
		t.Fatal(readErr)
	}

	digest, readErr := ioutil.ReadFile("testdata/foo.zip.sha256")
	if readErr != nil {
		t.Fatal(readErr)
	}

	v := &SHA2Validator{}
	verifyErr := v.Validate(archive, digest)
	if verifyErr != nil {
		t.Fatal(verifyErr)
	}
}
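// TestSHA2ValidatorFail checks that SHA2Validator rejects the foo.zip
// fixture when the first character of the expected digest has been altered.
func TestSHA2ValidatorFail(t *testing.T) {
	validator := &SHA2Validator{}
	data, err := ioutil.ReadFile("testdata/foo.zip")
	if err != nil {
		t.Fatal(err)
	}
	hashData, err := ioutil.ReadFile("testdata/foo.zip.sha256")
	if err != nil {
		t.Fatal(err)
	}
	if len(hashData) == 0 {
		t.Fatal("testdata/foo.zip.sha256 is empty")
	}

	// Always change the first character. Writing '0' unconditionally would
	// leave the digest intact whenever it already starts with '0', and the
	// negative test would then fail for the wrong reason.
	if hashData[0] == '0' {
		hashData[0] = '1'
	} else {
		hashData[0] = '0'
	}

	if err := validator.Validate(data, hashData); err == nil {
		// err is nil on this path, so report a descriptive message instead.
		t.Fatal("Validate accepted a tampered SHA-256 digest")
	}
}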
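// TestECDSAValidator checks that ECDSAValidator accepts the foo.zip fixture
// with its foo.zip.sig signature, using the ECDSA public key taken from the
// Test.crt certificate fixture.
func TestECDSAValidator(t *testing.T) {
	pemData, err := ioutil.ReadFile("testdata/Test.crt")
	if err != nil {
		t.Fatal(err)
	}

	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		t.Fatalf("failed to decode PEM block")
	}

	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		t.Fatalf("failed to parse certificate: %v", err)
	}

	pubKey, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		// Stop here: continuing would hand a nil key to the validator.
		t.Fatalf("PublicKey is not ECDSA")
	}

	validator := &ECDSAValidator{
		PublicKey: pubKey,
	}
	data, err := ioutil.ReadFile("testdata/foo.zip")
	if err != nil {
		t.Fatal(err)
	}
	signatureData, err := ioutil.ReadFile("testdata/foo.zip.sig")
	if err != nil {
		t.Fatal(err)
	}
	if err := validator.Validate(data, signatureData); err != nil {
		t.Fatal(err)
	}
}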
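// TestECDSAValidatorFail checks that ECDSAValidator rejects a payload that
// the signature was not made for: foo.tar.xz is validated against the
// signature file of foo.zip.
//
// NOTE(review): this covers the mismatched-payload case only. The tests shown
// in this file do not exercise a corrupted or malformed signature, or a key
// other than the one in Test.crt.
func TestECDSAValidatorFail(t *testing.T) {
	pemData, err := ioutil.ReadFile("testdata/Test.crt")
	if err != nil {
		t.Fatal(err)
	}

	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		t.Fatalf("failed to decode PEM block")
	}

	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		t.Fatalf("failed to parse certificate: %v", err)
	}

	pubKey, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		// Stop here: with a nil key the rejection below could come from the
		// missing key rather than from the signature check.
		t.Fatalf("PublicKey is not ECDSA")
	}

	validator := &ECDSAValidator{
		PublicKey: pubKey,
	}
	data, err := ioutil.ReadFile("testdata/foo.tar.xz")
	if err != nil {
		t.Fatal(err)
	}
	signatureData, err := ioutil.ReadFile("testdata/foo.zip.sig")
	if err != nil {
		t.Fatal(err)
	}
	if err := validator.Validate(data, signatureData); err == nil {
		// err is nil on this path, so report a descriptive message instead.
		t.Fatal("Validate accepted a signature made for a different file")
	}
}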