internal/testkeys: use fixed keys in unit tests

edgelesssys · Jan 27, 2025 · e2c747f · e2c747f
1 parent 1a216f0
commit e2c747f
Show file tree

Hide file tree

Showing 5 changed files with 104 additions and 298 deletions.
diff --git a/coordinator/history/history_test.go b/coordinator/history/history_test.go
@@ -6,12 +6,11 @@ package history
 import (
 	"crypto/ecdsa"
 	"crypto/sha256"
-	"crypto/x509"
 	"encoding/hex"
-	"encoding/pem"
 	"os"
 	"testing"
 
+	"github.com/edgelesssys/contrast/internal/testkeys"
 	"github.com/spf13/afero"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -596,15 +595,7 @@ func TestHistory_SetGet(t *testing.T) {
 }
 
 func testKey(require *require.Assertions) *ecdsa.PrivateKey {
-	const testKey = `-----BEGIN EC PRIVATE KEY-----
-MHcCAQEEIAVovia1Gq3uYyMn2MUHN7iZzB063CsASbjmeR1M4yXxoAoGCCqGSM49
-AwEHoUQDQgAEodJSQKBrTfw5S/QMPRJtNbBSuifKdEbcEV7d4a1C/HypH8Wyu/Z3
-xuwYqSFfVxr6ECQWyrTkApzVkz8b6n5BeQ==
------END EC PRIVATE KEY-----`
-	// parse the test key from pem
-	p, rest := pem.Decode([]byte(testKey))
-	require.Empty(rest)
-	key, err := x509.ParseECPrivateKey(p.Bytes)
+	key, err := testkeys.New[ecdsa.PrivateKey](testkeys.ECDSAP256Keys[0])
 	require.NoError(err)
 	return key
 }

diff --git a/coordinator/internal/authority/userapi_test.go b/coordinator/internal/authority/userapi_test.go
@@ -6,8 +6,6 @@ package authority
 import (
 	"context"
 	"crypto/ecdsa"
-	"crypto/elliptic"
-	"crypto/rand"
 	"crypto/rsa"
 	"crypto/sha256"
 	"crypto/tls"
@@ -21,6 +19,7 @@ import (
 	"github.com/edgelesssys/contrast/coordinator/history"
 	"github.com/edgelesssys/contrast/internal/manifest"
 	"github.com/edgelesssys/contrast/internal/platforms"
+	"github.com/edgelesssys/contrast/internal/testkeys"
 	"github.com/edgelesssys/contrast/internal/userapi"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/spf13/afero"
@@ -47,9 +46,9 @@ func TestManifestSet(t *testing.T) {
 		require.NoError(t, err)
 		return b
 	}
-	trustedKey, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
+	trustedKey, err := testkeys.New[ecdsa.PrivateKey](testkeys.ECDSAP384Keys[0])
 	require.NoError(t, err)
-	untrustedKey, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
+	untrustedKey, err := testkeys.New[ecdsa.PrivateKey](testkeys.ECDSAP384Keys[1])
 	require.NoError(t, err)
 	manifestWithTrustedKey, err := manifestWithWorkloadOwnerKey(trustedKey)
 	require.NoError(t, err)
@@ -315,7 +314,7 @@ func TestRecoveryFlow(t *testing.T) {
 	a := newCoordinator()
 
 	// 2. A manifest is set and the returned seed is recorded.
-	seedShareOwnerKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	seedShareOwnerKey, err := testkeys.New[rsa.PrivateKey](testkeys.RSA2048Keys[0])
 	require.NoError(err)
 	seedShareOwnerKeyBytes := manifest.MarshalSeedShareOwnerKey(&seedShareOwnerKey.PublicKey)
 

diff --git a/internal/ca/ca_test.go b/internal/ca/ca_test.go
@@ -5,15 +5,14 @@ package ca
 
 import (
 	"crypto/ecdsa"
-	"crypto/elliptic"
-	"crypto/rand"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/pem"
 	"math/big"
 	"sync"
 	"testing"
 
+	"github.com/edgelesssys/contrast/internal/testkeys"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
@@ -22,8 +21,8 @@ func TestNewCA(t *testing.T) {
 	assert := assert.New(t)
 	require := require.New(t)
 
-	rootCAKey := newKey(require)
-	meshCAKey := newKey(require)
+	rootCAKey := newKey(require, 0)
+	meshCAKey := newKey(require, 1)
 
 	ca, err := New(rootCAKey, meshCAKey)
 	require.NoError(err)
@@ -56,12 +55,12 @@ func TestAttestedMeshCert(t *testing.T) {
 		"valid": {
 			dnsNames:   []string{"foo", "bar"},
 			extensions: []pkix.Extension{},
-			subjectPub: newKey(req).Public(),
+			subjectPub: newKey(req, 0).Public(),
 		},
 		"ips": {
 			dnsNames:   []string{"foo", "192.0.2.1"},
 			extensions: []pkix.Extension{},
-			subjectPub: newKey(req).Public(),
+			subjectPub: newKey(req, 0).Public(),
 			wantIPs:    1,
 		},
 	}
@@ -71,8 +70,8 @@ func TestAttestedMeshCert(t *testing.T) {
 			assert := assert.New(t)
 			require := require.New(t)
 
-			rootCAKey := newKey(require)
-			meshCAKey := newKey(require)
+			rootCAKey := newKey(require, 1)
+			meshCAKey := newKey(require, 2)
 			ca, err := New(rootCAKey, meshCAKey)
 			require.NoError(err)
 
@@ -103,38 +102,38 @@ func TestCreateCert(t *testing.T) {
 		"parent signed": {
 			template: &x509.Certificate{},
 			parent:   &x509.Certificate{},
-			pub:      newKey(req).Public(),
-			priv:     newKey(req),
+			pub:      newKey(req, 0).Public(),
+			priv:     newKey(req, 1),
 		},
 		"template nil": {
 			parent:  &x509.Certificate{},
-			pub:     newKey(req).Public(),
-			priv:    newKey(req),
+			pub:     newKey(req, 0).Public(),
+			priv:    newKey(req, 1),
 			wantErr: true,
 		},
 		"parent nil": {
 			template: &x509.Certificate{},
-			pub:      newKey(req).Public(),
-			priv:     newKey(req),
+			pub:      newKey(req, 0).Public(),
+			priv:     newKey(req, 1),
 			wantErr:  true,
 		},
 		"pub nil": {
 			template: &x509.Certificate{},
 			parent:   &x509.Certificate{},
-			priv:     newKey(req),
+			priv:     newKey(req, 0),
 			wantErr:  true,
 		},
 		"priv nil": {
 			template: &x509.Certificate{},
 			parent:   &x509.Certificate{},
-			pub:      newKey(req).Public(),
+			pub:      newKey(req, 0).Public(),
 			wantErr:  true,
 		},
 		"serial number already set": {
 			template: &x509.Certificate{SerialNumber: big.NewInt(1)},
 			parent:   &x509.Certificate{},
-			pub:      newKey(req).Public(),
-			priv:     newKey(req),
+			pub:      newKey(req, 0).Public(),
+			priv:     newKey(req, 1),
 			wantErr:  true,
 		},
 	}
@@ -164,8 +163,8 @@ func TestCAConcurrent(t *testing.T) {
 	assert := assert.New(t)
 	require := require.New(t)
 
-	rootCAKey := newKey(require)
-	meshCAKey := newKey(require)
+	rootCAKey := newKey(require, 0)
+	meshCAKey := newKey(require, 1)
 	ca, err := New(rootCAKey, meshCAKey)
 	require.NoError(err)
 
@@ -184,7 +183,7 @@ func TestCAConcurrent(t *testing.T) {
 	}
 	newMeshCert := func() {
 		defer wg.Done()
-		_, err := ca.NewAttestedMeshCert([]string{"foo", "bar"}, []pkix.Extension{}, newKey(require).Public())
+		_, err := ca.NewAttestedMeshCert([]string{"foo", "bar"}, []pkix.Extension{}, newKey(require, 2).Public())
 		assert.NoError(err)
 	}
 
@@ -218,9 +217,9 @@ func TestCAConcurrent(t *testing.T) {
 
 func TestCertValidity(t *testing.T) {
 	require := require.New(t)
-	rootCAKey := newKey(require)
-	meshCAKey := newKey(require)
-	key := newKey(require)
+	rootCAKey := newKey(require, 0)
+	meshCAKey := newKey(require, 1)
+	key := newKey(require, 2)
 
 	ca, err := New(rootCAKey, meshCAKey)
 	require.NoError(err)
@@ -247,16 +246,16 @@ func assertValidPEMCert(t *testing.T, pem []byte) {
 // TestCARecovery asserts that certificates issued by a CA verify correctly under a new CA using the same keys.
 func TestCARecovery(t *testing.T) {
 	require := require.New(t)
-	rootCAKey := newKey(require)
-	meshCAKey := newKey(require)
+	rootCAKey := newKey(require, 0)
+	meshCAKey := newKey(require, 1)
 
 	oldCA, err := New(rootCAKey, meshCAKey)
 	require.NoError(err)
 
 	newCA, err := New(rootCAKey, meshCAKey)
 	require.NoError(err)
 
-	key := newKey(require)
+	key := newKey(require, 2)
 	oldCert, err := oldCA.NewAttestedMeshCert([]string{"localhost"}, nil, key.Public())
 	require.NoError(err)
 	newCert, err := newCA.NewAttestedMeshCert([]string{"localhost"}, nil, key.Public())
@@ -299,8 +298,8 @@ func pool(t *testing.T, pem []byte) *x509.CertPool {
 	return pool
 }
 
-func newKey(require *require.Assertions) *ecdsa.PrivateKey {
-	key, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
+func newKey(require *require.Assertions, id int) *ecdsa.PrivateKey {
+	key, err := testkeys.New[ecdsa.PrivateKey](testkeys.ECDSAP384Keys[id])
 	require.NoError(err)
 	return key
 }