Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Verify: Validation test case enumeration #30

Open
asraa opened this issue Oct 12, 2022 · 8 comments
Open

Verify: Validation test case enumeration #30

asraa opened this issue Oct 12, 2022 · 8 comments
Labels
component:tests Unit and integration tests

Comments

@asraa
Copy link
Collaborator

asraa commented Oct 12, 2022

Hi all!

I was curious about starting a list of test-cases for validation failure modes during verification. Some of these are difficult because it requires tampering with the Rekor responses, which won't be solved until #25 is done.

I wanted to take a stab at creating a list of the failure modes... I'm sure I am missing some.

Failure Mode Testcase(s)
Signature Validation Failure
  1. Mismatched artifact against a given signing certificate and signature.
  2. Mismatched signature against a given artifact and signing certificate.
  3. Mismatch signing certificate against a given artifact and certificate.
  4. Empty signature.
  5. Empty signing certificate.
  6. Empty artifact.
Certificate Validation Failure
  1. Invalid Certificate chain: not issued by configured root CA
  2. Certificate issued after Fulcio Root CA expiration [MOCK]
Short-lived certificate signature validation failure
  1. Bypass transparency log upload: no transparency log entry returned.
  2. Invalid transparency log entry returned: mismatch with entry. [MOCK]
  3. Invalid transparency log entry returned: incorrectly signed entry timestamp [MOCK]
  4. Invalid transparency log entry returning: invalid inclusion proof [MOCK]
  5. Invalid transparency log entry returning: invalid signed root hash [MOCK]
  6. Integrated time of log entry was past certificate validity period.
Offline Rekor proofs or Bundles
  1. Invalid bundle: Invalid signed entry timestamp
  2. Invalid bundle: does not match provided signature, artifact, and certificate.
  3. Integrated time of offline log entry was past certificate validity
@woodruffw
Copy link
Member

That's a great starting list, thanks for enumerating and collecting it!

I think some of these will be captured in the conformance suite, but it'll be great to have them as standalone tests within sigstore-python as well.

@woodruffw woodruffw added the component:tests Unit and integration tests label Oct 12, 2022
@tetsuo-cpp tetsuo-cpp mentioned this issue Nov 8, 2022
Merged
@tetsuo-cpp
Copy link
Collaborator

tetsuo-cpp commented Nov 8, 2022
edited
Loading

I've started filling in some of this test coverage that doesn't require mocks in the linked PR. The way I see it, 1 and 6 from "Short-lived certificate signature validation failure" probably also require mocks (though I might just be lacking imagination haha).

  • 1: Clients won't write certificates and signatures to disk until the log entry is published to Rekor. Therefore, I can't reproduce this situation where we have a legitimate signature and certificate written to disk for a given artifact and Rekor somehow doesn't know about it.
  • 6: In order to have an log entry with an integrated time after the certificate expiry, I'll need to somehow make the Sigstore client sleep for 10 min after retrieving the certificate from Fulcio. I think it'll be easier to get the mock Rekor to just forge the integrated time.

@asraa
Copy link
Collaborator Author

asraa commented Nov 9, 2022

Instead of mocking whole Rekor instances, could you use some candidate canned Rekor responses?

1: Clients won't write certificates and signatures to disk until the log entry is published to Rekor. Therefore, I can't reproduce this situation where we have a legitimate signature and certificate written to disk for a given artifact and Rekor somehow doesn't know about it.

Can you create a malicious library code that comments out the upload to Rekor, or upload to a different instance (e.g. upload to staging, try to verify against prod)?

6: In order to have an log entry with an integrated time after the certificate expiry, I'll need to somehow make the Sigstore client sleep for 10 min after retrieving the certificate from Fulcio. I think it'll be easier to get the mock Rekor to just forge the integrated time.

OH I think the issue is that you're trying to use the same clients to produce the bad entries? These will have to be canned and only on the verification path: as in, in sigstore-python or your client of choice, create this artifact, and feed it in as a test-case to the verifiers in each langauge during conformence test.
Some of these cases intentionally require tampering with the client.

@tetsuo-cpp tetsuo-cpp mentioned this issue Nov 9, 2022
Open
@tetsuo-cpp
Copy link
Collaborator

tetsuo-cpp commented Nov 10, 2022
edited
Loading

Instead of mocking whole Rekor instances, could you use some candidate canned Rekor responses?

Thanks @asraa, that's a good idea.

I was initially imagining a Rekor-like mock that can pass some basic cases and for each test, I'd be able to override the handler and make it return something different (bad SET, etc).

Your idea makes a lot more sense though. I can get away with something simple that replays canned responses and I think we'll be able to test most of what we're interested in. For some of the more tricky cases, I can edit the JSON by hand too.

Can you create a malicious library code that comments out the upload to Rekor, or upload to a different instance (e.g. upload to staging, try to verify against prod)?

I think if I upload to staging, verification will fail at the certificate check since we'll be using the production Fulcio root certificate to verify. But commenting out the Rekor upload will work.

@woodruffw
Copy link
Member

Here's another test case we'll want to include: we'll want to make sure that clients can successfully verify old signatures, even when their corresponding Fulcio cert chain/CT log key have been rotated out. This would ensure that clients aren't just vendoring the newest roots of trust, but are instead using TUF to fetch both the active and historic roots.

@steiza
Copy link
Member

steiza commented Aug 1, 2023

Today in the Sigstore clients meeting we talked about updating the CLI protocol to have the conformance tests additionally supply a trust root file, a TUF root URL, or both. This will allow us to extend our test cases, like @woodruffw mentions above, and also test that supplying the wrong trust root (or a malformed trust root) fails.

We should add these new tests with a feature flag, like we did for #81, so clients can opt-in to the updated CLI protocol on their own timeline without breaking existing users (although eventually we will require using the updated CLI protocol).

Longer-term, we might update conformance testing to make use of its own trust roots, so we can construct more complicated test scenarios.

@woodruffw
Copy link
Member

Something that @jleightcap and I noticed today: the Protobuf JSON mapping allows both camelCase and snake_case names, so we should probably add a testcase that ensures that clients accept both.

@steiza steiza mentioned this issue Sep 27, 2023
Merged
@tnytown
Copy link
Collaborator

tnytown commented Feb 2, 2024

Another case that falls under Certificate Validation Failure: Certificate that isn't included in the CT log, xref sigstore/sigstore-python#886.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
component:tests Unit and integration tests
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@steiza @woodruffw @tnytown @asraa @tetsuo-cpp