using System.Security.Cryptography; using StellaOps.AirGap.Importer.Contracts; using StellaOps.AirGap.Importer.Validation; namespace StellaOps.AirGap.Importer.Tests; public class DsseVerifierTests { [Fact] public void FailsWhenUntrustedKey() { var verifier = new DsseVerifier(); var envelope = new DsseEnvelope("text/plain", Convert.ToBase64String("hi"u8), new[] { new DsseSignature("k1", "sig") }); var trust = TrustRootConfig.Empty("/tmp"); var result = verifier.Verify(envelope, trust); Assert.False(result.IsValid); } [Fact] public void VerifiesRsaPssSignature() { using var rsa = RSA.Create(2048); var pub = rsa.ExportSubjectPublicKeyInfo(); var payload = "hello-world"; var payloadType = "application/vnd.stella.bundle"; var pae = BuildPae(payloadType, payload); var sig = rsa.SignData(pae, HashAlgorithmName.SHA256, RSASignaturePadding.Pss); var envelope = new DsseEnvelope(payloadType, Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes(payload)), new[] { new DsseSignature("k1", Convert.ToBase64String(sig)) }); var trust = new TrustRootConfig( "/tmp/root.json", new[] { Fingerprint(pub) }, new[] { "rsassa-pss-sha256" }, null, null, new Dictionary { ["k1"] = pub }); var result = new DsseVerifier().Verify(envelope, trust); Assert.True(result.IsValid); Assert.Equal("dsse-signature-verified", result.Reason); } private static byte[] BuildPae(string payloadType, string payload) { var parts = new[] { "DSSEv1", payloadType, payload }; var paeBuilder = new System.Text.StringBuilder(); paeBuilder.Append("PAE:"); paeBuilder.Append(parts.Length); foreach (var part in parts) { paeBuilder.Append(' '); paeBuilder.Append(part.Length); paeBuilder.Append(' '); paeBuilder.Append(part); } return System.Text.Encoding.UTF8.GetBytes(paeBuilder.ToString()); } private static string Fingerprint(byte[] pub) { return Convert.ToHexString(SHA256.HashData(pub)).ToLowerInvariant(); } }