notify doctors work, audit work, new product advisory sprints

2026-01-13 08:36:29 +02:00
parent b8868a5f13
commit 9ca7cb183e
343 changed files with 24492 additions and 3544 deletions
--- a/src/Scanner/__Tests/StellaOps.Scanner.Reachability.Tests/Witnesses/SuppressionDsseSignerTests.cs
+++ b/src/Scanner/__Tests/StellaOps.Scanner.Reachability.Tests/Witnesses/SuppressionDsseSignerTests.cs
@@ -1,7 +1,11 @@
+using System.Text.Encodings.Web;
+using System.Text.Json;
+using System.Text.Json.Serialization;
 using Org.BouncyCastle.Crypto.Generators;
 using Org.BouncyCastle.Crypto.Parameters;
 using Org.BouncyCastle.Security;
 using StellaOps.Attestor.Envelope;
+using StellaOps.Canonical.Json;
 using StellaOps.Scanner.Reachability.Witnesses;
 using StellaOps.TestKit;
 using Xunit;
@@ -286,6 +290,49 @@ public sealed class SuppressionDsseSignerTests
                     verifyResult.Witness.Evidence.Unreachability?.UnreachableSymbol);
    }

+    [Trait("Category", TestCategories.Unit)]
+    [Fact]
+    public void SignWitness_UsesCanonicalPayloadAndDssePae()
+    {
+        // Arrange
+        var witness = CreateTestWitness();
+        var (privateKey, publicKey) = CreateTestKeyPair();
+        var signingKey = EnvelopeKey.CreateEd25519Signer(privateKey, publicKey);
+        var signer = new SuppressionDsseSigner(new EnvelopeSignatureService());
+
+        var options = new JsonSerializerOptions
+        {
+            PropertyNamingPolicy = JsonNamingPolicy.SnakeCaseLower,
+            WriteIndented = false,
+            DefaultIgnoreCondition = JsonIgnoreCondition.WhenWritingNull,
+            Encoder = JavaScriptEncoder.Default
+        };
+
+        // Act
+        var signResult = signer.SignWitness(witness, signingKey, TestCancellationToken);
+
+        // Assert
+        Assert.True(signResult.IsSuccess, signResult.Error);
+        Assert.NotNull(signResult.Envelope);
+        Assert.NotNull(signResult.PayloadBytes);
+
+        var payloadBytes = signResult.PayloadBytes!;
+        var expectedPayload = CanonJson.Canonicalize(witness, options);
+        Assert.Equal(expectedPayload, payloadBytes);
+
+        var verifyKey = EnvelopeKey.CreateEd25519Verifier(publicKey);
+        var signatureBytes = Convert.FromBase64String(signResult.Envelope!.Signatures[0].Signature);
+        var envelopeSignature = new EnvelopeSignature(signingKey.KeyId, signingKey.AlgorithmId, signatureBytes);
+        var verifyResult = new EnvelopeSignatureService().VerifyDsse(
+            SuppressionWitnessSchema.DssePayloadType,
+            payloadBytes,
+            envelopeSignature,
+            verifyKey,
+            TestCancellationToken);
+
+        Assert.True(verifyResult.IsSuccess);
+    }
+
    private sealed class FixedRandomGenerator : Org.BouncyCastle.Crypto.Prng.IRandomGenerator
    {
        private byte _value;