git.stella-ops.org/tests/AirGap/StellaOps.AirGap.Importer.Tests/DsseVerifierTests.cs

using System.Security.Cryptography;
using StellaOps.AirGap.Importer.Contracts;
using StellaOps.AirGap.Importer.Validation;

namespace StellaOps.AirGap.Importer.Tests;

public class DsseVerifierTests
{
    [Fact]
    public void FailsWhenUntrustedKey()
    {
        var verifier = new DsseVerifier();
        var envelope = new DsseEnvelope("text/plain", Convert.ToBase64String("hi"u8), new[] { new DsseSignature("k1", "sig") });
        var trust = TrustRootConfig.Empty("/tmp");

        var result = verifier.Verify(envelope, trust);

        Assert.False(result.IsValid);
    }

    [Fact]
    public void VerifiesRsaPssSignature()
    {
        using var rsa = RSA.Create(2048);
        var pub = rsa.ExportSubjectPublicKeyInfo();
        var payload = "hello-world";
        var payloadType = "application/vnd.stella.bundle";
        var pae = BuildPae(payloadType, payload);
        var sig = rsa.SignData(pae, HashAlgorithmName.SHA256, RSASignaturePadding.Pss);

        var envelope = new DsseEnvelope(payloadType, Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes(payload)), new[]
        {
            new DsseSignature("k1", Convert.ToBase64String(sig))
        });

        var trust = new TrustRootConfig(
            "/tmp/root.json",
            new[] { Fingerprint(pub) },
            new[] { "rsassa-pss-sha256" },
            null,
            null,
            new Dictionary<string, byte[]> { ["k1"] = pub });

        var result = new DsseVerifier().Verify(envelope, trust);

        Assert.True(result.IsValid);
        Assert.Equal("dsse-signature-verified", result.Reason);
    }

    private static byte[] BuildPae(string payloadType, string payload)
    {
        var parts = new[] { "DSSEv1", payloadType, payload };
        var paeBuilder = new System.Text.StringBuilder();
        paeBuilder.Append("PAE:");
        paeBuilder.Append(parts.Length);
        foreach (var part in parts)
        {
            paeBuilder.Append(' ');
            paeBuilder.Append(part.Length);
            paeBuilder.Append(' ');
            paeBuilder.Append(part);
        }

        return System.Text.Encoding.UTF8.GetBytes(paeBuilder.ToString());
    }

    private static string Fingerprint(byte[] pub)
    {
        return Convert.ToHexString(SHA256.HashData(pub)).ToLowerInvariant();
    }
}