def test_get_config_digest_canonical(
    image_config: ImageConfig,
    image_config_signed: ImageConfig,
    config_digest_canonical: str,
):
    """Check that signed and unsigned configurations share one canonical digest.

    Both fixtures are compared against the same expected value, so this test
    pins the property that embedding a signature does not change the digest
    that the signature is computed over.
    """
    # Same expected digest for both variants; the unsigned one is checked first.
    for candidate in (image_config, image_config_signed):
        assert candidate.get_config_digest_canonical() == config_digest_canonical
def append_new_image_config(config: ImageConfig, endorse: bool = False, iteration=i):
    """Sign or endorse *config* with a fake signer, then push it onto ``stack``.

    The text handed to ``FakeSigner`` embeds the iteration number, the action
    label ("Signing" or "Endorsing") and the canonical digest of *config* as
    it is immediately before signing.

    ``iteration`` defaults to the enclosing ``i`` so the value is bound when
    the function is defined rather than looked up when it is called.
    """
    action = "Endorsing" if endorse else "Signing"
    # Digest is taken before config.sign() mutates the configuration.
    digest_before = config.get_config_digest_canonical()
    signer = FakeSigner(
        "<<< {0} {1}: {2} >>>".format(iteration, action, digest_before)
    )
    config.sign(signer, endorse)
    stack.append(config)
def append_new_image_config(
    config: ImageConfig,
    signature_type: SignatureTypes = SignatureTypes.SIGN,
    iteration=i,
):
    """Apply *signature_type* to *config* with a fake signer, then push it onto ``stack``.

    The text handed to ``FakeSigner`` embeds the iteration number, the action
    label ("Endorsing" for ``SignatureTypes.ENDORSE``, otherwise "Signing")
    and the canonical digest of *config* as it is immediately before signing.

    ``iteration`` defaults to the enclosing ``i`` so the value is bound when
    the function is defined rather than looked up when it is called.
    """
    if signature_type == SignatureTypes.ENDORSE:
        action = "Endorsing"
    else:
        action = "Signing"
    # Digest is taken before config.sign() mutates the configuration.
    digest_before = config.get_config_digest_canonical()
    signer = FakeSigner(
        "<<< {0} {1}: {2} >>>".format(iteration, action, digest_before)
    )
    config.sign(signer, signature_type)
    stack.append(config)
def test_minimal():
    """Test a minimal image configuration (for non-conformant labels).

    Starts from a configuration holding only an empty ``Config`` object and
    checks that one signature can be added, and that the stored entry carries
    the canonical digest computed before signing and the signer's value.
    """
    # Note: At a minimum, [Cc]onfig key must exist with non-null value
    image_config = ImageConfig(b'{"Config":{}}')
    # Captured before signing so it can be compared with the stored digest.
    digest_before_signing = image_config.get_config_digest_canonical()
    signer = FakeSigner()
    returned_value = image_config.sign(signer)
    assert returned_value == signer.signature_value

    # A signature should always be able to be added ...
    serialized = image_config.get_config()
    assert b"BEGIN FAKE SIGNATURE" in serialized

    signatures = image_config.get_signature_list()
    assert len(signatures) == 1
    only_entry = signatures[0]
    assert only_entry["digest"] == digest_before_signing
    assert only_entry["signature"] == signer.signature_value
def test_sign_endorse_recursive(image_config: ImageConfig):
    """Test interlaced signatures and endorsements.

    Walks a binary tree of configurations level by level: every configuration
    at depth ``i`` is expected to carry ``i`` signature entries and spawns two
    children, one signed and one endorsed. For each entry the stored digest is
    checked:

    * signatures, and whatever sits in position 0, must match the canonical
      digest of the original, untouched configuration;
    * endorsements must match the canonical digest of the configuration
      truncated to the entries that precede them.
    """
    # Work list used as a FIFO; it holds one level of the binary tree at a time
    pending = [copy.deepcopy(image_config)]
    iterations = 6

    # Breadth first traversal ...
    for i in range(iterations):

        def append_new_image_config(
            config: ImageConfig,
            signature_type: SignatureTypes = SignatureTypes.SIGN,
            iteration=i,
        ):
            # The label written into the fake signature text is what the
            # validation loop below uses to tell the two entry kinds apart.
            if signature_type == SignatureTypes.ENDORSE:
                action = "Endorsing"
            else:
                action = "Signing"
            digest_before = config.get_config_digest_canonical()
            signer = FakeSigner(
                "<<< {0} {1}: {2} >>>".format(iteration, action, digest_before)
            )
            config.sign(signer, signature_type)
            pending.append(config)

        # range() is evaluated once, so only the entries present when this
        # level starts are visited; children queue up for the next level.
        for _ in range(len(pending)):
            # Validate the signature / endorsement permutations of the first entry ...
            head = pending[0]
            entries = head.get_signature_list()
            assert len(entries) == i
            for position, entry in enumerate(entries):
                is_endorsement = (
                    "Signing" not in entry["signature"] and position != 0
                )
                if is_endorsement:
                    # Endorsement digests should include all entities of a lower order
                    truncated = copy.deepcopy(head)
                    truncated.set_signature_list(
                        truncated.get_signature_list()[:position]
                    )
                    expected = truncated.get_config_digest_canonical()
                else:
                    # Signature digests should be independent of the number of signatures
                    expected = image_config.get_config_digest_canonical()
                assert entry["digest"] == expected

            # TODO: Add optimization to stop appending to the stack if they will never be validated

            # Push two more image configurations: one signed, one endorsed ...
            # The signed child is a deep copy, so the endorsed child (the popped
            # head itself) does not inherit the new signature.
            append_new_image_config(copy.deepcopy(head))
            append_new_image_config(pending.pop(0), SignatureTypes.ENDORSE)