stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

save progress

Browse Source
This commit is contained in:
StellaOps Bot
2026-01-02 15:52:31 +02:00
parent 2dec7e6a04
commit f46bde5575
174 changed files with 20793 additions and 8307 deletions
Download Patch File Download Diff File Expand all files Collapse all files

58
src/Attestor/__Tests/StellaOps.Attestor.Bundle.Tests/SigstoreBundleBuilderTests.cs
View File

@@ -333,4 +333,62 @@ public class SigstoreBundleBuilderTests
var decoded = Convert.FromBase64String(bundle.VerificationMaterial.Certificate!.RawBytes);
decoded.Should().BeEquivalentTo(certBytes);
}
[Trait("Category", TestCategories.Unit)]
[Fact]
public void WithDsseEnvelope_InvalidPayloadBase64_Throws()
{
var builder = new SigstoreBundleBuilder();
var act = () => builder.WithDsseEnvelope(
"application/vnd.in-toto+json",
"not-base64",
new[] { new BundleSignature { Sig = Convert.ToBase64String(new byte[64]) } });
act.Should().Throw<ArgumentException>()
.WithMessage("*base64*");
}
[Trait("Category", TestCategories.Unit)]
[Fact]
public void WithDsseEnvelope_InvalidSignatureBase64_Throws()
{
var builder = new SigstoreBundleBuilder();
var act = () => builder.WithDsseEnvelope(
"application/vnd.in-toto+json",
Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes("{}")),
new[] { new BundleSignature { Sig = "not-base64" } });
act.Should().Throw<ArgumentException>()
.WithMessage("*base64*");
}
[Trait("Category", TestCategories.Unit)]
[Fact]
public void WithRekorEntry_InvalidLogIndex_Throws()
{
var builder = new SigstoreBundleBuilder();
var act = () => builder.WithRekorEntry(
logIndex: "not-a-number",
logIdKeyId: Convert.ToBase64String(new byte[32]),
integratedTime: "1703500000",
canonicalizedBody: Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes("{}")));
act.Should().Throw<ArgumentException>()
.WithMessage("*integer*");
}
[Trait("Category", TestCategories.Unit)]
[Fact]
public void WithCertificateBase64_InvalidBase64_Throws()
{
var builder = new SigstoreBundleBuilder();
var act = () => builder.WithCertificateBase64("not-base64");
act.Should().Throw<ArgumentException>()
.WithMessage("*base64*");
}
}

12
src/Attestor/__Tests/StellaOps.Attestor.Bundle.Tests/SigstoreBundleSerializerTests.cs
View File

@@ -193,6 +193,18 @@ public class SigstoreBundleSerializerTests
.WithMessage("*dsseEnvelope*");
}
[Trait("Category", TestCategories.Unit)]
[Fact]
public void Deserialize_MissingVerificationKeyMaterial_ThrowsSigstoreBundleException()
{
var json = """{"mediaType":"application/vnd.dev.sigstore.bundle.v0.3+json","verificationMaterial":{},"dsseEnvelope":{"payloadType":"test","payload":"e30=","signatures":[{"sig":"AAAA"}]}}""";
var act = () => SigstoreBundleSerializer.Deserialize(json);
act.Should().Throw<SigstoreBundleException>()
.WithMessage("*certificate*publicKey*");
}
[Trait("Category", TestCategories.Unit)]
[Fact]
public void Serialize_NullBundle_ThrowsArgumentNullException()

138
src/Attestor/__Tests/StellaOps.Attestor.Bundle.Tests/SigstoreBundleVerifierTests.cs
View File

@@ -1,4 +1,4 @@
// -----------------------------------------------------------------------------
// -----------------------------------------------------------------------------
// SigstoreBundleVerifierTests.cs
// Sprint: SPRINT_8200_0001_0005 - Sigstore Bundle Implementation
// Tasks: BUNDLE-8200-020, BUNDLE-8200-021 - Bundle verification tests
@@ -36,7 +36,7 @@ public class SigstoreBundleVerifierTests
};
// Act
var result = await _verifier.VerifyAsync(bundle);
var result = await _verifier.VerifyAsync(bundle, cancellationToken: TestContext.Current.CancellationToken);
// Assert
result.IsValid.Should().BeFalse();
@@ -61,7 +61,7 @@ public class SigstoreBundleVerifierTests
};
// Act
var result = await _verifier.VerifyAsync(bundle);
var result = await _verifier.VerifyAsync(bundle, cancellationToken: TestContext.Current.CancellationToken);
// Assert
result.IsValid.Should().BeFalse();
@@ -89,7 +89,7 @@ public class SigstoreBundleVerifierTests
};
// Act
var result = await _verifier.VerifyAsync(bundle);
var result = await _verifier.VerifyAsync(bundle, cancellationToken: TestContext.Current.CancellationToken);
// Assert
result.IsValid.Should().BeFalse();
@@ -104,16 +104,23 @@ public class SigstoreBundleVerifierTests
using var ecdsa = ECDsa.Create(ECCurve.NamedCurves.nistP256);
var certBytes = CreateSelfSignedCertificateBytes(ecdsa);
var bundle = new SigstoreBundleBuilder()
.WithDsseEnvelope(
"application/vnd.in-toto+json",
Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes("{}")),
Array.Empty<BundleSignature>())
.WithCertificateBase64(Convert.ToBase64String(certBytes))
.Build();
var bundle = new SigstoreBundle
{
MediaType = SigstoreBundleConstants.MediaTypeV03,
VerificationMaterial = new VerificationMaterial
{
Certificate = new CertificateInfo { RawBytes = Convert.ToBase64String(certBytes) }
},
DsseEnvelope = new BundleDsseEnvelope
{
PayloadType = "application/vnd.in-toto+json",
Payload = Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes("{}")),
Signatures = Array.Empty<BundleSignature>()
}
};
// Act
var result = await _verifier.VerifyAsync(bundle);
var result = await _verifier.VerifyAsync(bundle, cancellationToken: TestContext.Current.CancellationToken);
// Assert
result.IsValid.Should().BeFalse();
@@ -137,7 +144,7 @@ public class SigstoreBundleVerifierTests
.Build();
// Act
var result = await _verifier.VerifyAsync(bundle);
var result = await _verifier.VerifyAsync(bundle, cancellationToken: TestContext.Current.CancellationToken);
// Assert
result.IsValid.Should().BeFalse();
@@ -167,7 +174,7 @@ public class SigstoreBundleVerifierTests
.Build();
// Act
var result = await _verifier.VerifyAsync(bundle);
var result = await _verifier.VerifyAsync(bundle, cancellationToken: TestContext.Current.CancellationToken);
// Assert
result.IsValid.Should().BeTrue();
@@ -199,7 +206,7 @@ public class SigstoreBundleVerifierTests
.Build();
// Act
var result = await _verifier.VerifyAsync(bundle);
var result = await _verifier.VerifyAsync(bundle, cancellationToken: TestContext.Current.CancellationToken);
// Assert
result.IsValid.Should().BeFalse();
@@ -233,7 +240,7 @@ public class SigstoreBundleVerifierTests
};
// Act
var result = await _verifier.VerifyAsync(bundle, options);
var result = await _verifier.VerifyAsync(bundle, options, TestContext.Current.CancellationToken);
// Assert
result.Checks.CertificateChain.Should().Be(CheckResult.Failed);
@@ -262,19 +269,109 @@ public class SigstoreBundleVerifierTests
.Build();
// Act
var result = await _verifier.VerifyAsync(bundle);
var result = await _verifier.VerifyAsync(bundle, cancellationToken: TestContext.Current.CancellationToken);
// Assert
result.Checks.InclusionProof.Should().Be(CheckResult.Skipped);
result.Checks.TransparencyLog.Should().Be(CheckResult.Skipped);
}
[Trait("Category", TestCategories.Unit)]
[Fact]
public async Task Verify_InclusionProofMissing_ReturnsFailed()
{
using var ecdsa = ECDsa.Create(ECCurve.NamedCurves.nistP256);
var certBytes = CreateSelfSignedCertificateBytes(ecdsa);
var payload = System.Text.Encoding.UTF8.GetBytes("{}");
var payloadType = "application/vnd.in-toto+json";
var paeMessage = ConstructPae(payloadType, payload);
var signature = ecdsa.SignData(paeMessage, HashAlgorithmName.SHA256);
var bundle = new SigstoreBundleBuilder()
.WithDsseEnvelope(
payloadType,
Convert.ToBase64String(payload),
new[] { new BundleSignature { Sig = Convert.ToBase64String(signature) } })
.WithCertificateBase64(Convert.ToBase64String(certBytes))
.WithRekorEntry(
logIndex: "12",
logIdKeyId: Convert.ToBase64String(new byte[32]),
integratedTime: "1710000000",
canonicalizedBody: Convert.ToBase64String(new byte[16]))
.Build();
var result = await _verifier.VerifyAsync(bundle, cancellationToken: TestContext.Current.CancellationToken);
result.IsValid.Should().BeFalse();
result.Errors.Should().Contain(e => e.Code == BundleVerificationErrorCode.InclusionProofInvalid);
result.Checks.InclusionProof.Should().Be(CheckResult.Failed);
}
[Trait("Category", TestCategories.Unit)]
[Fact]
public async Task Verify_InvalidPayloadBase64_ReturnsFailed()
{
using var ecdsa = ECDsa.Create(ECCurve.NamedCurves.nistP256);
var certBytes = CreateSelfSignedCertificateBytes(ecdsa);
var payloadType = "application/vnd.in-toto+json";
var bundle = new SigstoreBundle
{
MediaType = SigstoreBundleConstants.MediaTypeV03,
VerificationMaterial = new VerificationMaterial
{
Certificate = new CertificateInfo { RawBytes = Convert.ToBase64String(certBytes) }
},
DsseEnvelope = new BundleDsseEnvelope
{
PayloadType = payloadType,
Payload = "not-base64",
Signatures = new[] { new BundleSignature { Sig = Convert.ToBase64String(new byte[64]) } }
}
};
var result = await _verifier.VerifyAsync(bundle, cancellationToken: TestContext.Current.CancellationToken);
result.IsValid.Should().BeFalse();
result.Errors.Should().Contain(e => e.Code == BundleVerificationErrorCode.DsseSignatureInvalid);
}
[Trait("Category", TestCategories.Unit)]
[Fact]
public async Task Verify_InvalidSignatureBase64_ReturnsFailed()
{
using var ecdsa = ECDsa.Create(ECCurve.NamedCurves.nistP256);
var certBytes = CreateSelfSignedCertificateBytes(ecdsa);
var payload = System.Text.Encoding.UTF8.GetBytes("{}");
var payloadType = "application/vnd.in-toto+json";
var bundle = new SigstoreBundle
{
MediaType = SigstoreBundleConstants.MediaTypeV03,
VerificationMaterial = new VerificationMaterial
{
Certificate = new CertificateInfo { RawBytes = Convert.ToBase64String(certBytes) }
},
DsseEnvelope = new BundleDsseEnvelope
{
PayloadType = payloadType,
Payload = Convert.ToBase64String(payload),
Signatures = new[] { new BundleSignature { Sig = "not-base64" } }
}
};
var result = await _verifier.VerifyAsync(bundle, cancellationToken: TestContext.Current.CancellationToken);
result.IsValid.Should().BeFalse();
result.Errors.Should().Contain(e => e.Code == BundleVerificationErrorCode.DsseSignatureInvalid);
}
[Trait("Category", TestCategories.Unit)]
[Fact]
public async Task Verify_NullBundle_ThrowsArgumentNullException()
{
// Act
var act = async () => await _verifier.VerifyAsync(null!);
var act = async () => await _verifier.VerifyAsync(null!, cancellationToken: TestContext.Current.CancellationToken);
// Assert
await act.Should().ThrowAsync<ArgumentNullException>();
@@ -286,8 +383,8 @@ public class SigstoreBundleVerifierTests
const byte Space = 0x20;
var typeBytes = System.Text.Encoding.UTF8.GetBytes(payloadType);
var typeLenBytes = System.Text.Encoding.UTF8.GetBytes(typeBytes.Length.ToString());
var payloadLenBytes = System.Text.Encoding.UTF8.GetBytes(payload.Length.ToString());
var typeLenBytes = System.Text.Encoding.UTF8.GetBytes(typeBytes.Length.ToString(System.Globalization.CultureInfo.InvariantCulture));
var payloadLenBytes = System.Text.Encoding.UTF8.GetBytes(payload.Length.ToString(System.Globalization.CultureInfo.InvariantCulture));
var prefixBytes = System.Text.Encoding.UTF8.GetBytes(DssePrefix);
var totalLength = prefixBytes.Length + 1 + typeLenBytes.Length + 1 +
@@ -331,3 +428,4 @@ public class SigstoreBundleVerifierTests
return cert.Export(System.Security.Cryptography.X509Certificates.X509ContentType.Cert);
}
}