From adec7ac7e22372f66e3cc745febacba481052841 Mon Sep 17 00:00:00 2001
From: Sun Yimin
Date: Thu, 16 Mar 2023 10:18:19 +0800
Subject: [PATCH] pkcs7: improve test coverage

---
 pkcs7/verify.go | 10 ++---
 pkcs7/verify_test.go | 89 ++++++++++++++++++++++++++++++++++++++++++--
 2 files changed, 88 insertions(+), 11 deletions(-)

diff --git a/pkcs7/verify.go b/pkcs7/verify.go
index a53ffdf9..45fac22e 100644
--- a/pkcs7/verify.go
+++ b/pkcs7/verify.go
@@ -156,13 +156,9 @@ func parseSignedData(data []byte) (*PKCS7, error) {
 }
 }
 // Compound octet string
- if compound.IsCompound {
- if compound.Tag == 4 {
- if _, err = asn1.Unmarshal(compound.Bytes, &content); err != nil {
- return nil, err
- }
- } else {
- content = compound.Bytes
+ if compound.IsCompound && compound.Tag == 4 {
+ if _, err = asn1.Unmarshal(compound.Bytes, &content); err != nil {
+ return nil, err
 }
 } else {
 // assuming this is tag 04
diff --git a/pkcs7/verify_test.go b/pkcs7/verify_test.go
index af71c3f5..44a3bad3 100644
--- a/pkcs7/verify_test.go
+++ b/pkcs7/verify_test.go
@@ -5,6 +5,8 @@ import (
 "crypto/ecdsa"
 "crypto/rsa"
 "crypto/x509"
+ "crypto/x509/pkix"
+ "encoding/asn1"
 "encoding/base64"
 "encoding/pem"
 "io/ioutil"
@@ -254,16 +256,12 @@ func TestVerifyFirefoxAddon(t *testing.T) {
 t.Errorf("Verify failed with error: %v", err)
 }
- // fake content
 p7.Content = []byte("bad content")
 if err = p7.VerifyWithChain(certPool); err == nil {
 t.Errorf("Verify with incorrect content did not error")
 }
 p7.Content = FirefoxAddonContent
- if p7.GetOnlySigner() == nil {
- t.Errorf("no only signer")
- }
 // The chain has validity:
 //
 // EE: 2016-08-17 20:04:58 +0000 UTC 2021-08-16 20:04:58 +0000 UTC
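Review bot: The rewritten condition in parseSignedData changes behaviour for a compound element whose tag is not 4: the removed branch assigned `content = compound.Bytes` for that case, while the new code sends it into the `else` path that assumes tag 04 (that body is outside the hunk, so what it does with a non-4 tag cannot be confirmed here). For a parser fed externally supplied DER, a silent re-routing like this in a commit titled "improve test coverage" deserves either a regression test for the compound/non-4 input or a comment stating the intent, e.g. `// compound elements with a tag other than 4 are deliberately handled like primitive ones`. Separately, the retained `_, err = asn1.Unmarshal(compound.Bytes, &content)` discards any trailing bytes after the inner OCTET STRING; a strict verifier would reject a non-empty rest rather than ignore it. The enclosing function starts and ends outside the hunk.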
@@ -607,3 +605,86 @@ but that's not what ships are built for.
 }
 os.Remove(tmpContentFile.Name()) // clean up
 }
+
+func TestGetSignatureAlgorithm(t *testing.T) {
+ validtests := []struct {
+ digestEncryption, digest asn1.ObjectIdentifier
+ expected x509.SignatureAlgorithm
+ }{
+ {
+ OIDDigestAlgorithmDSA,
+ OIDDigestAlgorithmSHA1,
+ x509.DSAWithSHA1,
+ },
+ {
+ OIDDigestAlgorithmDSA,
+ OIDDigestAlgorithmSHA256,
+ x509.DSAWithSHA256,
+ },
+ {
+ OIDEncryptionAlgorithmECDSAP256,
+ OIDDigestAlgorithmSHA1,
+ x509.ECDSAWithSHA1,
+ },
+ {
+ OIDEncryptionAlgorithmECDSAP256,
+ OIDDigestAlgorithmSHA256,
+ x509.ECDSAWithSHA256,
+ },
+ {
+ OIDEncryptionAlgorithmECDSAP256,
+ OIDDigestAlgorithmSHA384,
+ x509.ECDSAWithSHA384,
+ },
+ {
+ OIDEncryptionAlgorithmECDSAP256,
+ OIDDigestAlgorithmSHA512,
+ x509.ECDSAWithSHA512,
+ },
+ {
+ OIDEncryptionAlgorithmRSA,
+ OIDDigestAlgorithmSHA384,
+ x509.SHA384WithRSA,
+ },
+ {
+ OIDEncryptionAlgorithmRSA,
+ OIDDigestAlgorithmSHA512,
+ x509.SHA512WithRSA,
+ },
+ }
+ for _, test := range validtests {
+ s, err := getSignatureAlgorithm(pkix.AlgorithmIdentifier{Algorithm: test.digestEncryption}, pkix.AlgorithmIdentifier{Algorithm: test.digest})
+ if err != nil {
+ t.Errorf("should return valid signature algorithm")
+ }
+ if s != test.expected {
+ t.Errorf("expected %v, got %v", test.expected, s)
+ }
+ }
+ invalidtests := []struct {
+ digestEncryption, digest asn1.ObjectIdentifier
+ }{
+ {
+ OIDEncryptionAlgorithmRSASHA256,
+ OIDDigestAlgorithmSM3,
+ },
+ {
+ OIDDigestAlgorithmDSA,
+ OIDDigestAlgorithmSHA384,
+ },
+ {
+ OIDEncryptionAlgorithmECDSAP256,
+ OIDDigestAlgorithmSM3,
+ },
+ {
+ OIDDigestAlgorithmSM9SM3,
+ OIDDigestAlgorithmSHA384,
+ },
+ }
+ for _, test := range invalidtests {
+ _, err := getSignatureAlgorithm(pkix.AlgorithmIdentifier{Algorithm: test.digestEncryption}, pkix.AlgorithmIdentifier{Algorithm: test.digest})
+ if err == nil {
+ t.Errorf("should return error")
+ }
+ }
+}
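Review bot: In the valid-case loop of TestGetSignatureAlgorithm an error from getSignatureAlgorithm neither identifies the failing pair nor stops the iteration, so one bad mapping reports twice with messages that name no inputs; change the check to `t.Errorf("getSignatureAlgorithm(%v, %v): unexpected error: %v", test.digestEncryption, test.digest, err)` followed by `continue`, and give the invalid loop the same treatment with `t.Errorf("getSignatureAlgorithm(%v, %v): expected an error, got none", test.digestEncryption, test.digest)`. The invalid table is the half that matters for a verifier, since unrecognised SignerInfo OIDs must fail rather than fall through to a default; if the implementation is meant to reject a digestEncryption OID that already names a hash different from the separate digest OID, a pair such as `OIDEncryptionAlgorithmRSASHA256` with `OIDDigestAlgorithmSHA1` would pin that down. The valid table also has no RSA entry with SHA-1 or SHA-256 next to the RSA/SHA-384 and SHA-512 ones, which looks like a gap if those pairs are supported.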