Add e2e tests for client-signing-algorithms server flag

Signed-off-by: Riccardo Schirone <[email protected]>

Author: ret2libc

.github/workflows/main.yml

@@ -1,4 +1,3 @@
-
 # Copyright 2021 The Sigstore Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -19,11 +18,11 @@ on:
   push:
     branches:
       - main
-      - 'release-**'
+      - "release-**"
   pull_request:
     branches:
       - main
-      - 'release-**'
+      - "release-**"
 
 permissions:
   contents: read
@@ -227,6 +226,31 @@ jobs:
           name: Docker Compose logs
           path: /tmp/*docker-compose.log
 
+  client-algorithms-e2e:
+    runs-on: ubuntu-latest
+    needs: build
+
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+      - name: Docker Build
+        run: docker compose build
+      - name: Extract version of Go to use
+        run: echo "GOVERSION=$(awk -F'[:@]' '/FROM golang/{print $2; exit}' Dockerfile)" >> $GITHUB_ENV
+      - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+        with:
+          go-version: ${{ env.GOVERSION }}
+
+      - name: Test for supported client algorithms
+        run: ./tests/client-algos-e2e-test.sh
+      - name: Upload logs if they exist
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        if: failure()
+        with:
+          name: Docker Compose logs
+          path: /tmp/*docker-compose.log
+
   harness:
     runs-on: ubuntu-latest
     needs: build

tests/client-algos-e2e-test.sh

@@ -0,0 +1,226 @@
+#!/bin/bash
+#
+# Copyright 2025 The Sigstore Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+docker_compose="docker compose"
+if ! ${docker_compose} version >/dev/null 2>&1; then
+    docker_compose="docker-compose"
+fi
+
+echo "* starting services with default client signing algorithms"
+${docker_compose} up -d
+
+echo "* building CLI"
+go build -o rekor-cli ./cmd/rekor-cli
+REKOR_CLI=$(pwd)/rekor-cli
+
+function waitForRekorServer () {
+  echo -n "* waiting up to 60 sec for system to start"
+  count=0
+
+  until [ $(docker ps -a | grep -c "(healthy)") == 3 ];
+  do
+      if [ $count -eq 6 ]; then
+        echo "! timeout reached"
+        exit 1
+      else
+        echo -n "."
+        sleep 10
+        let 'count+=1'
+      fi
+  done
+
+  echo
+}
+
+function check_log_index () {
+  logIndex=$1
+  # make sure we can get this log index from rekor
+  $REKOR_CLI get --log-index $logIndex --rekor_server http://localhost:3000
+  # make sure the entry index matches the log index
+  gotIndex=$($REKOR_CLI get --log-index $logIndex --rekor_server http://localhost:3000 --format json | jq -r .LogIndex)
+  if [[ "$gotIndex" == $logIndex ]]; then
+    echo "New entry has expected virtual log index $gotIndex"
+  else
+    echo "FAIL: expected virtual log index $logIndex, got $gotIndex"
+    exit 1
+  fi
+}
+
+function collectLogsOnFailure () {
+    if [[ "$1" -ne "0" ]]; then
+        echo "failure detected, collecting docker-compose logs"
+        ${docker_compose} logs --no-color > /tmp/docker-compose.log
+        exit $1
+    elif ${docker_compose} logs --no-color | grep -q "panic: runtime error:" ; then
+        # if we're here, we found a panic
+        echo "failing due to panics detected in logs"
+        ${docker_compose} logs --no-color > /tmp/docker-compose.log
+        exit 1
+    fi
+    exit 0
+}
+trap "collectLogsOnFailure \$?" EXIT
+
+# Create temp directory for test artifacts
+REKORTMPDIR="$(mktemp -d -t rekor_test.XXXXXX)"
+touch $REKORTMPDIR.rekor.yaml
+trap "rm -rf $REKORTMPDIR" EXIT
+
+waitForRekorServer
+
+# Test default behavior - should accept all supported algorithms
+echo "* testing default client signing algorithms behavior"
+
+# Test with ECDSA
+pushd tests/client-algos-testdata || exit 1
+if ! $REKOR_CLI upload --artifact file1 --artifact-hash "$(sha256sum file1 | awk '{ print $1 }')" --signature file1.ec.sig --pki-format=x509 --public-key=ec_public.pem --rekor_server http://localhost:3000 --type hashedrekord; then
+    echo "! ERROR: ECDSA upload failed"
+    exit 1
+else
+    echo "* successfully uploaded entry with ECDSA"
+fi
+popd || exit 1
+check_log_index 0
+
+pushd tests/client-algos-testdata || exit 1
+if ! $REKOR_CLI upload --artifact file2 --artifact-hash "$(sha256sum file2 | awk '{ print $1 }')" --signature file2.rsa.sig --pki-format=x509 --public-key=rsa_public.pem --rekor_server http://localhost:3000 --type hashedrekord; then
+    echo "! ERROR: RSA upload failed"
+    exit 1
+else
+    echo "* successfully uploaded entry with RSA"
+fi
+popd || exit 1
+check_log_index 1
+
+# Stop the rekor server
+echo "* stopping rekor server to reconfigure client signing algorithms"
+${docker_compose} stop rekor-server
+
+# Create a new compose file with restricted algorithms
+COMPOSE_FILE=$REKORTMPDIR/docker-compose-restricted-algos.yaml
+cat << EOF > $COMPOSE_FILE
+version: '3.4'
+services:
+  rekor-server:
+    build:
+      context: .
+      target: "deploy"
+    command: [
+      "rekor-server",
+      "serve",
+      "--trillian_log_server.address=trillian-log-server",
+      "--trillian_log_server.port=8090",
+      "--redis_server.address=redis-server",
+      "--redis_server.port=6379",
+      "--rekor_server.address=0.0.0.0",
+      "--rekor_server.signer=memory",
+      "--enable_attestation_storage",
+      "--attestation_storage_bucket=file:///var/run/attestations",
+      "--client-signing-algorithms=rsa-sign-pkcs1-2048-sha256,ed25519-ph",
+      # Uncomment this for production logging
+      # "--log_type=prod",
+      ]
+    volumes:
+    - "/var/run/attestations:/var/run/attestations:z"
+    restart: always # keep the server running
+    ports:
+      - "3000:3000"
+      - "2112:2112"
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:3000/ping"]
+      interval: 10s
+      timeout: 3s
+      retries: 3
+      start_period: 5s
+EOF
+
+echo "* starting rekor server with restricted client signing algorithms (rsa-sign-pkcs1-2048-sha256, ed25519-ph only)"
+${docker_compose} -f $COMPOSE_FILE --project-directory=$PWD up -d
+waitForRekorServer
+
+# Test with RSA - should succeed
+pushd tests/client-algos-testdata || exit 1
+if ! $REKOR_CLI upload --artifact file1 --artifact-hash "$(sha256sum file1 | awk '{ print $1 }')" --signature file1.rsa.sig --pki-format=x509 --public-key=rsa_public.pem --rekor_server http://localhost:3000 --type hashedrekord; then
+    echo "! ERROR: RSA upload failed"
+    exit 1
+else
+    echo "* successfully uploaded entry with RSA"
+fi
+popd || exit 1
+check_log_index 0
+
+# Test with ECDSA - should fail
+echo "* testing ECDSA upload with restricted algorithms"
+pushd tests/client-algos-testdata || exit 1
+output=$($REKOR_CLI upload --artifact file1 --artifact-hash "$(sha256sum file1 | awk '{ print $1 }')" --signature file1.ec.sig --pki-format=x509 --public-key=ec_public.pem --rekor_server http://localhost:3000 --type hashedrekord 2>&1)
+if [ $? -eq 0 ]; then
+    echo "! ERROR: ECDSA upload should have failed but succeeded"
+    exit 1
+elif ! echo "$output" | grep -q "entry algorithms are not allowed"; then
+    echo "! ERROR: ECDSA upload failed but with unexpected error message:"
+    echo "$output"
+    exit 1
+else
+    echo "* ECDSA upload failed as expected with restricted algorithms"
+fi
+popd || exit 1
+
+# Test with RSA and sha512 hash - should fail
+echo "* testing RSA and sha512 hash upload with restricted algorithms"
+pushd tests/client-algos-testdata || exit 1
+output=$($REKOR_CLI upload --artifact file2 --artifact-hash "$(sha512sum file2 | awk '{ print $1 }')" --signature file2.rsa512.sig --pki-format=x509 --public-key=rsa_public.pem --rekor_server http://localhost:3000 --type hashedrekord 2>&1)
+if [ $? -eq 0 ]; then
+    echo "! ERROR: RSA with SHA512 upload should have failed but succeeded"
+    exit 1
+elif ! echo "$output" | grep -q "entry algorithms are not allowed"; then
+    echo "! ERROR: RSA with SHA512 upload failed but with unexpected error message:"
+    echo "$output"
+    exit 1
+else
+    echo "* RSA with SHA512 upload failed as expected with restricted algorithms"
+fi
+popd || exit 1
+
+# Test with ED25519-PH
+echo "* testing ED25519-PH upload with restricted algorithms"
+pushd tests/client-algos-testdata || exit 1
+if ! $REKOR_CLI upload --artifact file1 --artifact-hash "$(sha512sum file1 | awk '{ print $1 }')" --signature file1.ed25519ph.sig --pki-format=x509 --public-key=ed25519_public.pem --rekor_server http://localhost:3000 --type hashedrekord ; then
+    echo "! ERROR: ED25519-PH upload failed"
+    exit 1
+else
+    echo "* successfully uploaded entry with ED25519-PH"
+fi
+popd || exit 1
+
+
+# Test with ED25519 no ph
+echo "* testing regular ED25519 upload with restricted algorithms"
+pushd tests/client-algos-testdata || exit 1
+output=$($REKOR_CLI upload --artifact file1 --artifact-hash "$(sha512sum file1 | awk '{ print $1 }')" --signature file1.ed25519.sig --pki-format=x509 --public-key=ed25519_public.pem --rekor_server http://localhost:3000 --type hashedrekord 2>&1)
+if [ $? -eq 0 ]; then
+    echo "! ERROR: ED25519 upload should have failed but succeeded"
+    exit 1
+elif ! echo "$output" | grep -q "ed25519: invalid signature"; then
+    echo "! ERROR: ED25519 upload failed but with unexpected error message:"
+    echo "$output"
+    exit 1
+else
+    echo "* ED25519 upload failed as expected with restricted algorithms"
+fi
+popd || exit 1
+
+
+echo "* all tests passed successfully!"

tests/client-algos-testdata/README.md

@@ -0,0 +1,84 @@
+# How to recreate files in this directory
+
+## RSA
+
+```bash
+openssl genrsa -out rsa_private.pem 2048
+openssl rsa -in rsa_private.pem -pubout -out rsa_public.pem
+openssl dgst -sha256 -sign rsa_private.pem -out file1.rsa.sig file1
+openssl dgst -sha512 -sign rsa_private.pem -out file2.rsa.sig file2
+```
+
+## ECDSA
+
+```bash
+openssl ecparam -name secp256k1 -genkey -noout -out ec_private.pem
+openssl ec -in ec_private.pem -pubout -out ec_public.pem
+openssl dgst -sha256 -sign ec_private.pem -out file1.ec.sig file1
+openssl dgst -sha512 -sign ec_private.pem -out file2.ec.sig file2
+```
+
+## ED25519/ED25519-PH
+
+```bash
+openssl genpkey -algorithm ed25519 -out ed25519_private.pem
+openssl pkey -in ed25519_private.pem -pubout -out ed25519_public.pem
+```
+
+## ED25519 signature
+
+```bash
+openssl pkeyutl -sign -inkey ed25519_private.pem  -rawin -in file1 -out file1.ed25519.sig
+```
+
+## ED25519-PH signature
+
+Generate the signature with the following Go program:
+
+```golang
+package main
+
+import (
+	"crypto"
+	"crypto/ed25519"
+	"crypto/rand"
+	"crypto/sha512"
+	"crypto/x509"
+	"encoding/pem"
+	"flag"
+	"fmt"
+	"os"
+)
+
+func loadKeyFromFile(filename string) ([]byte, error) {
+	data, _ := os.ReadFile(filename)
+	block, _ := pem.Decode(data)
+	return block.Bytes, nil
+}
+
+func signMessage(privateKey ed25519.PrivateKey, message []byte) ([]byte, error) {
+	h := sha512.New()
+	h.Write(message)
+	messageHash := h.Sum(nil)
+
+	return privateKey.Sign(rand.Reader, messageHash, &ed25519.Options{
+		Hash: crypto.SHA512,
+	})
+}
+
+func main() {
+	privateKeyFile := flag.String("private-key", "private.pem", "Private key file")
+	messageFile := flag.String("message", "", "Message file")
+	signatureFile := flag.String("signature", "", "Signature file")
+
+	flag.Parse()
+
+	privKeyBytes, _ := loadKeyFromFile(*privateKeyFile)
+	message, _ := os.ReadFile(*messageFile)
+	privKey, _ := x509.ParsePKCS8PrivateKey(privKeyBytes)
+	signature, _ := signMessage(privKey.(ed25519.PrivateKey), message)
+	os.WriteFile(*signatureFile, signature, 0644)
+	fmt.Printf("Message signed successfully:\n  Signature saved to: %s\n", *signatureFile)
+	return
+}
+```

tests/client-algos-testdata/ec_public.pem

@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEMOcTfRBS9jiXM81FZ8gm/1+omeMw
+mn/347/556g/lriS72uMhY9LcT+5UJ6fGBglr5Z8L0JNSuasyed9OtaRvw==
+-----END PUBLIC KEY-----

tests/client-algos-testdata/ed25519_public.pem

@@ -0,0 +1,3 @@
+-----BEGIN PUBLIC KEY-----
+MCowBQYDK2VwAyEAOzUw7NeN1swAooEM99Xuz+Nw7ajYA/5csFlX0YlcHdY=
+-----END PUBLIC KEY-----

tests/client-algos-testdata/file1

@@ -0,0 +1 @@
+file1

tests/client-algos-testdata/file1.ec.sig

@@ -0,0 +1,3 @@
+萙흨䳲䱤ⰼ崊菷ਯ쟙拻傳囓㨿螰멆웲杽�菲윆퟉♄銹ච돗㪬북륜㩗⌵‎
+��
+/��b�P�V�:?���F��g}ج�<�����&D�����:����\:W#5 

tests/client-algos-testdata/file1.ed25519.sig

@@ -0,0 +1 @@
+3hu¢VŸÜ„?rÂíD‰‹?çyÊA7T›Þ™Ç¤¨ö6¼¹÷M„¾ä¢±
¿®70À&±aƒÔ@sTç