ForgeBucket/internal/domain/signing/keystore_test.go

package signing_test

import (
	"encoding/json"
	"testing"

	"github.com/forgeo/forgebucket/internal/domain/signing"
)

func TestGenerateAndSign(t *testing.T) {
	ks, err := signing.Generate()
	if err != nil {
		t.Fatalf("Generate: %v", err)
	}
	if ks.KeyID() == "" {
		t.Fatal("expected non-empty key ID")
	}
	if ks.PublicKeyPEM() == "" {
		t.Fatal("expected non-empty public key PEM")
	}
}

func TestSignAndVerify(t *testing.T) {
	ks, err := signing.Generate()
	if err != nil {
		t.Fatalf("Generate: %v", err)
	}

	content := []byte("hello, forgebucket artifact")
	bundle, err := ks.Sign(42, "binary.tar.gz", content)
	if err != nil {
		t.Fatalf("Sign: %v", err)
	}

	if bundle.MediaType != "application/vnd.forgebucket.signature.bundle+json" {
		t.Errorf("unexpected media type: %s", bundle.MediaType)
	}
	if bundle.Payload.ArtifactID != 42 {
		t.Errorf("artifact ID mismatch: got %d", bundle.Payload.ArtifactID)
	}
	if bundle.Payload.Name != "binary.tar.gz" {
		t.Errorf("name mismatch: got %s", bundle.Payload.Name)
	}
	if bundle.Payload.Digest == "" {
		t.Error("expected non-empty digest")
	}
	if bundle.Signature == "" {
		t.Error("expected non-empty signature")
	}

	bundleJSON, err := json.Marshal(bundle)
	if err != nil {
		t.Fatalf("marshal bundle: %v", err)
	}

	result, err := ks.Verify(bundleJSON)
	if err != nil {
		t.Fatalf("Verify: %v", err)
	}
	if !result.Valid {
		t.Error("expected valid=true")
	}
	if !result.KeyMatches {
		t.Error("expected keyMatchesServer=true")
	}
	if result.Digest != bundle.Payload.Digest {
		t.Errorf("digest mismatch: %s vs %s", result.Digest, bundle.Payload.Digest)
	}
}

func TestVerifyTamperedSignature(t *testing.T) {
	ks, _ := signing.Generate()
	content := []byte("artifact content")
	bundle, err := ks.Sign(1, "file.bin", content)
	if err != nil {
		t.Fatalf("Sign: %v", err)
	}

	// Tamper: valid base64 but not a valid ECDSA signature over this payload.
	// "Z2FyYmFnZQ==" decodes to "garbage" which is not a valid DER ECDSA sig.
	bundle.Signature = "Z2FyYmFnZQ=="

	bundleJSON, _ := json.Marshal(bundle)
	result, err := ks.Verify(bundleJSON)
	if err != nil {
		t.Fatalf("Verify should not error on invalid sig: %v", err)
	}
	if result.Valid {
		t.Error("expected valid=false for tampered signature")
	}
}

func TestVerifyWrongKey(t *testing.T) {
	ks1, _ := signing.Generate()
	ks2, _ := signing.Generate()

	content := []byte("artifact")
	bundle, err := ks1.Sign(10, "tool", content)
	if err != nil {
		t.Fatalf("Sign: %v", err)
	}

	bundleJSON, _ := json.Marshal(bundle)

	// Verify with ks2 — key won't match.
	result, err := ks2.Verify(bundleJSON)
	if err != nil {
		t.Fatalf("Verify: %v", err)
	}
	// Cryptographic signature is still valid (uses embedded pub key), but key doesn't match server.
	if !result.Valid {
		t.Error("signature itself should still be cryptographically valid")
	}
	if result.KeyMatches {
		t.Error("expected keyMatchesServer=false when signed by a different key")
	}
}

func TestNewFromPEM(t *testing.T) {
	ks1, err := signing.Generate()
	if err != nil {
		t.Fatalf("Generate: %v", err)
	}

	pemStr, err := ks1.PrivateKeyPEM()
	if err != nil {
		t.Fatalf("PrivateKeyPEM: %v", err)
	}

	ks2, err := signing.New(pemStr)
	if err != nil {
		t.Fatalf("New from PEM: %v", err)
	}

	if ks1.KeyID() != ks2.KeyID() {
		t.Errorf("key IDs differ: %s vs %s", ks1.KeyID(), ks2.KeyID())
	}

	// Sign with ks1, verify with ks2 (same underlying key).
	bundle, _ := ks1.Sign(5, "bin", []byte("data"))
	bundleJSON, _ := json.Marshal(bundle)

	result, err := ks2.Verify(bundleJSON)
	if err != nil {
		t.Fatalf("Verify: %v", err)
	}
	if !result.Valid {
		t.Error("expected valid=true")
	}
	if !result.KeyMatches {
		t.Error("expected keyMatchesServer=true for same key material")
	}
}