bootenv/keydata_test.go: add test for deterministic derivation of ell…

…iptic key
canonical · Feb 20, 2024 · f2ffc65 · f2ffc65
1 parent 2e4c29a
commit f2ffc65
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 0 deletions.
diff --git a/bootenv/export_test.go b/bootenv/export_test.go
@@ -126,6 +126,10 @@ func (d *KeyDataScope) TestMatch(KDFAlg crypto.Hash, keyIdentifier []byte) bool
 	return bytes.Equal(h.Sum(nil), keyIdentifier)
 }
 
+func (d *KeyDataScope) DeriveSigner(key secboot.PrimaryKey, role string) (crypto.Signer, error) {
+	return d.deriveSigner(key, role)
+}
+
 func NewHashAlg(alg crypto.Hash) hashAlg {
 	return hashAlg(alg)
 }

diff --git a/bootenv/keydata_test.go b/bootenv/keydata_test.go
@@ -21,6 +21,7 @@ package bootenv_test
 
 import (
 	"crypto"
+	"crypto/ecdsa"
 	"crypto/rand"
 	"encoding/base64"
 	"encoding/json"
@@ -681,3 +682,40 @@ func (s *keyDataPlatformSuite) TestEcdsaPublicKeyUnmarshalJSONInvalid(c *C) {
 	err = unmarshalledPk.UnmarshalJSON(pkBytes)
 	c.Check(err, ErrorMatches, "invalid key type")
 }
+
+func (s *keyDataPlatformSuite) TestDeriveSigner(c *C) {
+	primaryKey := s.newPrimaryKey(c, 32)
+	role := "test"
+
+	params := &KeyDataScopeParams{
+		PrimaryKey: primaryKey,
+		Role:       role,
+		KDFAlg:     crypto.SHA256,
+		MDAlg:      crypto.SHA256,
+		ModelAlg:   crypto.SHA256,
+	}
+
+	kds, err := NewKeyDataScope(params)
+	c.Assert(err, IsNil)
+	c.Check(kds, NotNil)
+
+	err = kds.IsBootEnvironmentAuthorized()
+	c.Check(err, IsNil)
+
+	signer, err := kds.DeriveSigner(primaryKey, role)
+	c.Assert(err, IsNil)
+
+	prevKey, ok := signer.(*ecdsa.PrivateKey)
+	c.Assert(ok, Equals, true)
+
+	for i := 0; i < 10; i++ {
+		signer, err := kds.DeriveSigner(primaryKey, role)
+		c.Assert(err, IsNil)
+
+		key, ok := signer.(*ecdsa.PrivateKey)
+		c.Assert(ok, Equals, true)
+		c.Check(key.Equal(prevKey), Equals, true)
+		prevKey = key
+	}
+
+}