[jackhill/guix/guix.git] / tests / pki.scm

;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2013, 2014, 2022 Ludovic Courtès <ludo@gnu.org>
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.

(define-module (test-pki)
  #:use-module (guix pki)
  #:use-module (gcrypt pk-crypto)
  #:use-module (gcrypt hash)
  #:use-module (rnrs io ports)
  #:use-module (srfi srfi-64))

;; Test the (guix pki) module.

(define %public-key
  (call-with-input-file %public-key-file
    (compose string->canonical-sexp get-string-all)))

(define %secret-key
  (call-with-input-file %private-key-file
    (compose string->canonical-sexp get-string-all)))

(define %alternate-secret-key
  (string->canonical-sexp
   "
  (key-data
   (public-key
    (rsa
     (n #00FDBF170366AC43B7D95CF9085565C566FB1F21B17C0A36E68F35ABB500E7851E00B40D7B04C8CD25903371F38E4C298FACEFFC4C97E913B536A0672BAF99D04515AE98A1A56627CD7EB02502FCFBEEA21AF13CC1A853192AD6409B9EFBD9F549BDE32BD890AE01F9A221E81FEE1C407090550647790E0D60775B855E181C2FB5#)
     (e #010001#)))
   (private-key
    (rsa
     (n #00FDBF170366AC43B7D95CF9085565C566FB1F21B17C0A36E68F35ABB500E7851E00B40D7B04C8CD25903371F38E4C298FACEFFC4C97E913B536A0672BAF99D04515AE98A1A56627CD7EB02502FCFBEEA21AF13CC1A853192AD6409B9EFBD9F549BDE32BD890AE01F9A221E81FEE1C407090550647790E0D60775B855E181C2FB5#)
     (e #010001#)
     (d #2790250C2E74C2FD361A99288BBA19B878048F5A0F333F829CC71B3DD64582DB9DF3F4DB1EB0994DD7493225EDA4A1E1492F44D903617FA5643E47BFC7BA157EF48B492AB51229916B02DDBDA0E7DBC7B35A6B8332AB463DC61951CA694551A9760F5A836A375D39E3EA8F2C502A3B5D89CB8777A809B75D603BE7511CEB74E9#)
     (p #00FE15B1751E1C31125B724FF37462F9476239A2AFF4192FAB1550F76928C8D02407F4F5EFC83F7A0AF51BD93399DDC06A4B54DFA60A7079F160A9F618C0148AD9#)
     (q #00FFA8BE7005AAB7401B0926CD9D6AC30BC9BE7D12C8737C9438498A999F56BE9F5EA98B4D7F5364BEB6D550A5AEDDE34C1EC152C9DAF61A97FDE71740C73BAA3D#)
     (u #00FD4050EF4F31B41EC81C28E18D205DFFB3C188F15D8BBA300E30AD8B5C4D3E392EFE10269FC115A538B19F4025973AB09B6650A7FF97DA833FB726F3D8819319#))))"))

(test-begin "pki")

(test-assert "current-acl"
  (not (not (member (canonical-sexp->sexp %public-key)
                    (map canonical-sexp->sexp
                         (acl->public-keys (current-acl)))))))

(test-assert "authorized-key? public-key current-acl"
  (authorized-key? %public-key))

(test-assert "authorized-key? public-key empty-acl"
  (not (authorized-key? %public-key (public-keys->acl '()))))

(test-assert "authorized-key? public-key singleton"
  (authorized-key? %public-key (public-keys->acl (list %public-key))))

(test-equal "public-keys->acl deduplication"
  (public-keys->acl (list %public-key))
  (public-keys->acl (make-list 10 %public-key)))

(test-assert "signature-case valid-signature"
  (let* ((hash (sha256 #vu8(1 2 3)))
         (data (bytevector->hash-data hash #:key-type (key-type %public-key)))
         (sig  (signature-sexp data %secret-key %public-key)))
   (signature-case (sig hash (public-keys->acl (list %public-key)))
     (valid-signature #t)
     (else #f))))

(test-eq "signature-case invalid-signature" 'i
  (let* ((hash (sha256 #vu8(1 2 3)))
         (data (bytevector->hash-data hash #:key-type (key-type %public-key)))
         (sig  (signature-sexp data %alternate-secret-key %public-key)))
    (signature-case (sig hash (public-keys->acl (list %public-key)))
      (valid-signature 'v)
      (invalid-signature 'i)
      (hash-mismatch 'm)
      (unauthorized-key 'u)
      (corrupt-signature 'c))))

(test-eq "signature-case hash-mismatch" 'm
  (let* ((hash (sha256 #vu8(1 2 3)))
         (data (bytevector->hash-data hash #:key-type (key-type %public-key)))
         (sig  (signature-sexp data %secret-key %public-key)))
    (signature-case (sig (sha256 #vu8())
                         (public-keys->acl (list %public-key)))
      (valid-signature 'v)
      (invalid-signature 'i)
      (hash-mismatch 'm)
      (unauthorized-key 'u)
      (corrupt-signature 'c))))

(test-eq "signature-case unauthorized-key" 'u
  (let* ((hash (sha256 #vu8(1 2 3)))
         (data (bytevector->hash-data hash #:key-type (key-type %public-key)))
         (sig  (signature-sexp data %secret-key %public-key)))
    (signature-case (sig hash (public-keys->acl '()))
      (valid-signature 'v)
      (invalid-signature 'i)
      (hash-mismatch 'm)
      (unauthorized-key 'u)
      (corrupt-signature 'c))))

(test-eq "signature-case corrupt-signature" 'c
  (let* ((hash (sha256 #vu8(1 2 3)))
         (sig  (string->canonical-sexp "(w tf)")))
    (signature-case (sig hash (public-keys->acl (list %public-key)))
      (valid-signature 'v)
      (invalid-signature 'i)
      (hash-mismatch 'm)
      (unauthorized-key 'u)
      (corrupt-signature 'c))))

(test-end)
Commit	Line	Data
8b420f74	1	;;; GNU Guix --- Functional package management for GNU
3677b970	2	;;; Copyright © 2013, 2014, 2022 Ludovic Courtès <ludo@gnu.org>
8b420f74 LC	3	;;;
	4	;;; This file is part of GNU Guix.
	5	;;;
	6	;;; GNU Guix is free software; you can redistribute it and/or modify it
	7	;;; under the terms of the GNU General Public License as published by
	8	;;; the Free Software Foundation; either version 3 of the License, or (at
	9	;;; your option) any later version.
	10	;;;
	11	;;; GNU Guix is distributed in the hope that it will be useful, but
	12	;;; WITHOUT ANY WARRANTY; without even the implied warranty of
	13	;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	14	;;; GNU General Public License for more details.
	15	;;;
	16	;;; You should have received a copy of the GNU General Public License
	17	;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
	18
	19	(define-module (test-pki)
	20	#:use-module (guix pki)
ca719424 LC	21	#:use-module (gcrypt pk-crypto)
ca719424 LC	22	#:use-module (gcrypt hash)
8b420f74 LC	23	#:use-module (rnrs io ports)
	24	#:use-module (srfi srfi-64))
	25
	26	;; Test the (guix pki) module.
	27
	28	(define %public-key
	29	(call-with-input-file %public-key-file
81deef27 LC	30	(compose string->canonical-sexp get-string-all)))
	31
	32	(define %secret-key
	33	(call-with-input-file %private-key-file
	34	(compose string->canonical-sexp get-string-all)))
	35
	36	(define %alternate-secret-key
	37	(string->canonical-sexp
	38	"
	39	(key-data
	40	(public-key
	41	(rsa
	42	(n #00FDBF170366AC43B7D95CF9085565C566FB1F21B17C0A36E68F35ABB500E7851E00B40D7B04C8CD25903371F38E4C298FACEFFC4C97E913B536A0672BAF99D04515AE98A1A56627CD7EB02502FCFBEEA21AF13CC1A853192AD6409B9EFBD9F549BDE32BD890AE01F9A221E81FEE1C407090550647790E0D60775B855E181C2FB5#)
	43	(e #010001#)))
	44	(private-key
	45	(rsa
	46	(n #00FDBF170366AC43B7D95CF9085565C566FB1F21B17C0A36E68F35ABB500E7851E00B40D7B04C8CD25903371F38E4C298FACEFFC4C97E913B536A0672BAF99D04515AE98A1A56627CD7EB02502FCFBEEA21AF13CC1A853192AD6409B9EFBD9F549BDE32BD890AE01F9A221E81FEE1C407090550647790E0D60775B855E181C2FB5#)
	47	(e #010001#)
	48	(d #2790250C2E74C2FD361A99288BBA19B878048F5A0F333F829CC71B3DD64582DB9DF3F4DB1EB0994DD7493225EDA4A1E1492F44D903617FA5643E47BFC7BA157EF48B492AB51229916B02DDBDA0E7DBC7B35A6B8332AB463DC61951CA694551A9760F5A836A375D39E3EA8F2C502A3B5D89CB8777A809B75D603BE7511CEB74E9#)
	49	(p #00FE15B1751E1C31125B724FF37462F9476239A2AFF4192FAB1550F76928C8D02407F4F5EFC83F7A0AF51BD93399DDC06A4B54DFA60A7079F160A9F618C0148AD9#)
	50	(q #00FFA8BE7005AAB7401B0926CD9D6AC30BC9BE7D12C8737C9438498A999F56BE9F5EA98B4D7F5364BEB6D550A5AEDDE34C1EC152C9DAF61A97FDE71740C73BAA3D#)
	51	(u #00FD4050EF4F31B41EC81C28E18D205DFFB3C188F15D8BBA300E30AD8B5C4D3E392EFE10269FC115A538B19F4025973AB09B6650A7FF97DA833FB726F3D8819319#))))"))
8b420f74 LC	52
	53	(test-begin "pki")
	54
	55	(test-assert "current-acl"
	56	(not (not (member (canonical-sexp->sexp %public-key)
	57	(map canonical-sexp->sexp
	58	(acl->public-keys (current-acl)))))))
	59
	60	(test-assert "authorized-key? public-key current-acl"
	61	(authorized-key? %public-key))
	62
	63	(test-assert "authorized-key? public-key empty-acl"
	64	(not (authorized-key? %public-key (public-keys->acl '()))))
	65
	66	(test-assert "authorized-key? public-key singleton"
	67	(authorized-key? %public-key (public-keys->acl (list %public-key))))
	68
3677b970 LC	69	(test-equal "public-keys->acl deduplication"
	70	(public-keys->acl (list %public-key))
	71	(public-keys->acl (make-list 10 %public-key)))
	72
81deef27 LC	73	(test-assert "signature-case valid-signature"
	74	(let* ((hash (sha256 #vu8(1 2 3)))
	75	(data (bytevector->hash-data hash #:key-type (key-type %public-key)))
	76	(sig (signature-sexp data %secret-key %public-key)))
	77	(signature-case (sig hash (public-keys->acl (list %public-key)))
	78	(valid-signature #t)
	79	(else #f))))
	80
	81	(test-eq "signature-case invalid-signature" 'i
	82	(let* ((hash (sha256 #vu8(1 2 3)))
	83	(data (bytevector->hash-data hash #:key-type (key-type %public-key)))
	84	(sig (signature-sexp data %alternate-secret-key %public-key)))
	85	(signature-case (sig hash (public-keys->acl (list %public-key)))
	86	(valid-signature 'v)
	87	(invalid-signature 'i)
	88	(hash-mismatch 'm)
	89	(unauthorized-key 'u)
	90	(corrupt-signature 'c))))
	91
	92	(test-eq "signature-case hash-mismatch" 'm
	93	(let* ((hash (sha256 #vu8(1 2 3)))
	94	(data (bytevector->hash-data hash #:key-type (key-type %public-key)))
	95	(sig (signature-sexp data %secret-key %public-key)))
	96	(signature-case (sig (sha256 #vu8())
	97	(public-keys->acl (list %public-key)))
	98	(valid-signature 'v)
	99	(invalid-signature 'i)
	100	(hash-mismatch 'm)
	101	(unauthorized-key 'u)
	102	(corrupt-signature 'c))))
	103
	104	(test-eq "signature-case unauthorized-key" 'u
	105	(let* ((hash (sha256 #vu8(1 2 3)))
	106	(data (bytevector->hash-data hash #:key-type (key-type %public-key)))
	107	(sig (signature-sexp data %secret-key %public-key)))
	108	(signature-case (sig hash (public-keys->acl '()))
	109	(valid-signature 'v)
	110	(invalid-signature 'i)
	111	(hash-mismatch 'm)
	112	(unauthorized-key 'u)
	113	(corrupt-signature 'c))))
	114
	115	(test-eq "signature-case corrupt-signature" 'c
	116	(let* ((hash (sha256 #vu8(1 2 3)))
	117	(sig (string->canonical-sexp "(w tf)")))
	118	(signature-case (sig hash (public-keys->acl (list %public-key)))
	119	(valid-signature 'v)
	120	(invalid-signature 'i)
	121	(hash-mismatch 'm)
	122	(unauthorized-key 'u)
	123	(corrupt-signature 'c))))
	124
8b420f74	125	(test-end)