work work hard work

2025-12-18 00:47:24 +02:00
parent dee252940b
commit b4235c134c
189 changed files with 9627 additions and 3258 deletions
--- a/src/Cli/__Tests/StellaOps.Cli.Tests/Commands/OfflineCommandHandlersTests.cs
+++ b/src/Cli/__Tests/StellaOps.Cli.Tests/Commands/OfflineCommandHandlersTests.cs
@@ -121,15 +121,58 @@ public sealed class OfflineCommandHandlersTests
        }, new JsonSerializerOptions(JsonSerializerDefaults.Web) { WriteIndented = true });
        await File.WriteAllTextAsync(dssePath, dsseJson, CancellationToken.None);

-        var rootHash = "deadbeef";
+        static byte[] HashLeaf(byte[] leafData)
+        {
+            var buffer = new byte[1 + leafData.Length];
+            buffer[0] = 0x00;
+            leafData.CopyTo(buffer, 1);
+            return SHA256.HashData(buffer);
+        }
+
+        static byte[] HashInterior(byte[] left, byte[] right)
+        {
+            var buffer = new byte[1 + left.Length + right.Length];
+            buffer[0] = 0x01;
+            left.CopyTo(buffer, 1);
+            right.CopyTo(buffer, 1 + left.Length);
+            return SHA256.HashData(buffer);
+        }
+
+        // Deterministic DSSE digest used as the Rekor leaf input.
+        var dsseBytes = await File.ReadAllBytesAsync(dssePath, CancellationToken.None);
+        var dsseSha256 = SHA256.HashData(dsseBytes);
+
+        // Build a minimal 2-leaf RFC6962 Merkle tree proof for logIndex=0.
+        var leaf0 = HashLeaf(dsseSha256);
+        var leaf1 = HashLeaf(SHA256.HashData(Encoding.UTF8.GetBytes("other-envelope")));
+        var rootHashBytes = HashInterior(leaf0, leaf1);
+
+        using var rekorKey = ECDsa.Create(ECCurve.NamedCurves.nistP256);
+        var checkpointOrigin = "rekor.sigstore.dev - 2605736670972794746";
+        var checkpointTimestamp = "1700000000";
+        var checkpointBody = $"{checkpointOrigin}\n2\n{Convert.ToBase64String(rootHashBytes)}\n{checkpointTimestamp}\n";
+        var checkpointSig = rekorKey.SignData(Encoding.UTF8.GetBytes(checkpointBody), HashAlgorithmName.SHA256);
+
+        var rekorPublicKeyPath = Path.Combine(bundleDir, "rekor-pub.pem");
+        await File.WriteAllTextAsync(
+            rekorPublicKeyPath,
+            WrapPem("PUBLIC KEY", rekorKey.ExportSubjectPublicKeyInfo()),
+            CancellationToken.None);
+
+        var checkpointPath = Path.Combine(bundleDir, "checkpoint.sig");
+        await File.WriteAllTextAsync(
+            checkpointPath,
+            checkpointBody + $"sig {Convert.ToBase64String(checkpointSig)}\n",
+            CancellationToken.None);
+
        var rekorPath = Path.Combine(bundleDir, "rekor-receipt.json");
        var rekorJson = JsonSerializer.Serialize(new
        {
            uuid = "rekor-test",
-            logIndex = 42,
-            rootHash,
-            hashes = new[] { "hash-1" },
-            checkpoint = $"checkpoint {rootHash}"
+            logIndex = 0,
+            rootHash = Convert.ToHexString(rootHashBytes).ToLowerInvariant(),
+            hashes = new[] { Convert.ToHexString(leaf1).ToLowerInvariant() },
+            checkpoint = "checkpoint.sig"
        }, new JsonSerializerOptions(JsonSerializerDefaults.Web) { WriteIndented = true });
        await File.WriteAllTextAsync(rekorPath, rekorJson, CancellationToken.None);