def test_get_verified_subkeys_errors(self):
"""Test _get_verified_subkeys errors with manually crafted data based on
real gpg key data (see self.raw_key_bundle). """
# Tamper with subkey (change version number) to trigger key parsing error
bad_subkey_bundle = deepcopy(self.raw_key_bundle)
packet, packet_data = bad_subkey_bundle[PACKET_TYPE_SUB_KEY].popitem()
packet = bytes(packet[:packet_data["header_len"]] + bytearray([0x03]) +
packet[packet_data["header_len"] + 1:])
bad_subkey_bundle[PACKET_TYPE_SUB_KEY][packet] = packet_data
# Add bogus sig to trigger sig parsing error
wrong_sig_bundle = deepcopy(self.raw_key_bundle)
packet, packet_data = wrong_sig_bundle[PACKET_TYPE_SUB_KEY].popitem()
# NOTE: We can't only pass the bogus sig, because that would also trigger
# the not enough sigs error (see not_enough_sigs_bundle) and mock only
# lets us assert for the most recent log statement
packet_data["signatures"].append(bytearray([0b01111111, 0]))
wrong_sig_bundle[PACKET_TYPE_SUB_KEY][packet] = packet_data
# Remove sigs to trigger not enough sigs error
not_enough_sigs_bundle = deepcopy(self.raw_key_bundle)
packet, packet_data = not_enough_sigs_bundle[
PACKET_TYPE_SUB_KEY].popitem()
packet_data["signatures"] = []
not_enough_sigs_bundle[PACKET_TYPE_SUB_KEY][packet] = packet_data
# Duplicate sig to trigger wrong amount signatures
too_many_sigs_bundle = deepcopy(self.raw_key_bundle)
packet, packet_data = too_many_sigs_bundle[
PACKET_TYPE_SUB_KEY].popitem()
packet_data["signatures"] = packet_data["signatures"] * 2
too_many_sigs_bundle[PACKET_TYPE_SUB_KEY][packet] = packet_data
# Tamper with primary key to trigger signature verification error
invalid_sig_bundle = deepcopy(self.raw_key_bundle)
invalid_sig_bundle[PACKET_TYPE_PRIMARY_KEY]["packet"] = \
invalid_sig_bundle[PACKET_TYPE_PRIMARY_KEY]["packet"][:-1]
test_data = [
(bad_subkey_bundle, "Pubkey packet version '3' not supported"),
(wrong_sig_bundle, "Expected packet 2, but got 63 instead"),
(not_enough_sigs_bundle,
"wrong amount of key binding signatures (0)"),
(too_many_sigs_bundle,
"wrong amount of key binding signatures (2)"),
(invalid_sig_bundle, "invalid key binding signature"),
]
for bundle, expected_msg in test_data:
with patch("securesystemslib.gpg.common.log") as mock_log:
_get_verified_subkeys(bundle)
msg = str(mock_log.info.call_args[0][0])
self.assertTrue(expected_msg in msg,
"'{}' not in '{}'".format(expected_msg, msg))
def test_get_verified_subkeys(self):
"""Test correct assignment of subkey expiration date in
gpg.common._get_verified_subkeys using real gpg data. """
subkeys = _get_verified_subkeys(self.raw_expired_key_bundle)
# Test subkey with validity period 175451, i.e. ~ 2 days
self.assertTrue(subkeys["0ce427fa3f0f50bc83a4a760ed95e1581691db4d"].get(
"validity_period") == 175451)
# Test subkey without validity period, i.e. it does not expire
self.assertTrue(subkeys["70cfabf1e2f1dc60ac5c7bca10cd20d3d5bcb6ef"].get(
"validity_period") == None)