repos/Oversight/oversight-rust/tests/conformance_rekor.sh
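#!/usr/bin/env bash
#
# Cross-implementation conformance test for the DSSE/Rekor envelope code.
# The Python implementation (oversight_core.rekor) and the Rust one
# (oversight-rekor, exercised through its conformance_helper example binary)
# must agree bit for bit. Four checks run in order; the script exits non-zero
# on the first drift:
#   1. PAE encoding bytes are identical.
#   2. An envelope signed by Python verifies in Rust.
#   3. An envelope signed by Rust verifies in Python.
#   4. The canonical payload bytes are identical for the same statement.
#
# Usage:    tests/conformance_rekor.sh
# Env:      CARGO_TARGET_DIR (optional) - cargo output dir holding the helper.
# Requires: cargo, python3 with the `cryptography` package installed.
set -euo pipefail

ROOT="$(cd "$(dirname "$0")/.." && pwd)"
REPO_ROOT="$(cd "$ROOT/.." && pwd)"
TARGET_DIR="${CARGO_TARGET_DIR:-$ROOT/target}"
HELPER_BIN="$TARGET_DIR/release/examples/conformance_helper"
readonly ROOT REPO_ROOT TARGET_DIR HELPER_BIN

# Fixed Ed25519 seed so both implementations sign with the same key and their
# outputs can be compared byte for byte. Test-only value.
PRIV_HEX="1111111111111111111111111111111111111111111111111111111111111111"
readonly PRIV_HEX

#######################################
# Print a failure report to stderr and exit 1.
# Arguments: $1 - summary line; remaining args - indented detail lines
#######################################
fail() {
  printf 'FAIL: %s\n' "$1" >&2
  shift
  local detail
  for detail in "$@"; do
    printf '  %s\n' "$detail" >&2
  done
  exit 1
}

for tool in cargo python3; do
  command -v "$tool" >/dev/null || fail "required tool not found: $tool"
done

cd "$ROOT" || fail "cannot cd to $ROOT"
echo "==> building conformance helper..."
cargo build --release -p oversight-rekor --example conformance_helper >/dev/null
test -x "$HELPER_BIN" || fail "helper not built at $HELPER_BIN"

# Every value the embedded Python programs need is handed over through the
# environment and read back with os.environ. The heredocs are quoted ('PY') so
# no shell value is ever spliced into Python source text, which would otherwise
# break (or be interpreted as code) on paths or payloads containing quotes or
# backslashes.
export REPO_ROOT PRIV_HEX

PUB_HEX="$(python3 - <<'PY'
import os, sys
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
priv = bytes.fromhex(os.environ["PRIV_HEX"])
sk = Ed25519PrivateKey.from_private_bytes(priv)
sys.stdout.write(sk.public_key().public_bytes_raw().hex())
PY
)"
readonly PUB_HEX
export PUB_HEX
echo "==> deterministic pub: ${PUB_HEX:0:16}..."

echo "==> [1/4] PAE byte-identity"
PAYLOAD_TYPE="application/vnd.in-toto+json"
PAYLOAD='{"a":1}'
export PAYLOAD_TYPE PAYLOAD

PY_HEX="$(python3 - <<'PY'
import os, sys
sys.path.insert(0, os.environ["REPO_ROOT"])
from oversight_core.rekor import _pae
out = _pae(os.environ["PAYLOAD_TYPE"], os.environ["PAYLOAD"].encode("utf-8"))
sys.stdout.write(out.hex())
PY
)"

RS_HEX="$(printf '%s' "$PAYLOAD" | "$HELPER_BIN" pae "$PAYLOAD_TYPE")"

[[ "$PY_HEX" == "$RS_HEX" ]] || fail "PAE drift" "py: $PY_HEX" "rs: $RS_HEX"
echo "  OK ($PY_HEX)"

echo "==> [2/4] Python signs → Rust verifies"
PY_ENVELOPE="$(python3 - <<'PY'
import os, sys
sys.path.insert(0, os.environ["REPO_ROOT"])
from oversight_core import rekor as R
priv = bytes.fromhex(os.environ["PRIV_HEX"])
stmt = {"_type": R.STATEMENT_TYPE, "x": 1}
sys.stdout.write(R.sign_dsse(stmt, priv).to_json())
PY
)"
# A rejected envelope must surface as a non-"ok" verdict rather than aborting
# the script, so the offending envelope can be printed for diagnosis.
RS_VERDICT="$(printf '%s' "$PY_ENVELOPE" | "$HELPER_BIN" verify "$PUB_HEX" || true)"
[[ "$RS_VERDICT" == "ok" ]] \
  || fail "Rust failed to verify Python-signed envelope (got: '$RS_VERDICT')" \
    "envelope: $PY_ENVELOPE"
echo "  OK"

echo "==> [3/4] Rust signs → Python verifies"
STMT='{"_type":"https://in-toto.io/Statement/v1","y":2}'
RS_ENVELOPE="$(printf '%s' "$STMT" | "$HELPER_BIN" sign "$PRIV_HEX")"
export RS_ENVELOPE

PY_VERDICT="$(python3 - <<'PY'
import os, sys
sys.path.insert(0, os.environ["REPO_ROOT"])
from oversight_core import rekor as R
env = R.DSSEEnvelope.from_json(os.environ["RS_ENVELOPE"])
pub = bytes.fromhex(os.environ["PUB_HEX"])
print("ok" if R.verify_dsse(env, pub) else "fail")
PY
)"
[[ "$PY_VERDICT" == "ok" ]] \
  || fail "Python failed to verify Rust-signed envelope (got: '$PY_VERDICT')" \
    "envelope: $RS_ENVELOPE"
echo "  OK"

echo "==> [4/4] Canonical payload byte-identity (same key, same statement)"
SAME_STMT='{"_type":"https://in-toto.io/Statement/v1","subject":[{"name":"x","digest":{"sha256":"00"}}]}'
export SAME_STMT

PY_PAYLOAD_HEX="$(python3 - <<'PY'
import base64, json, os, sys
sys.path.insert(0, os.environ["REPO_ROOT"])
from oversight_core import rekor as R
priv = bytes.fromhex(os.environ["PRIV_HEX"])
stmt = json.loads(os.environ["SAME_STMT"])
env = R.sign_dsse(stmt, priv)
sys.stdout.write(base64.b64decode(env.payload_b64).hex())
PY
)"

RS_ENV2="$(printf '%s' "$SAME_STMT" | "$HELPER_BIN" sign "$PRIV_HEX")"
# decode_payload emits the raw payload bytes; hex-encode them so the comparison
# below is a plain string equality.
RS_PAYLOAD_HEX="$(printf '%s' "$RS_ENV2" | "$HELPER_BIN" decode_payload \
  | python3 -c 'import sys; sys.stdout.write(sys.stdin.buffer.read().hex())')"

[[ "$PY_PAYLOAD_HEX" == "$RS_PAYLOAD_HEX" ]] \
  || fail "canonical payload drift" "py: $PY_PAYLOAD_HEX" "rs: $RS_PAYLOAD_HEX"
echo "  OK ($PY_PAYLOAD_HEX)"

printf '\n'
echo "==> ALL CONFORMANCE CHECKS PASSED - Python ↔ Rust bit-identical (4/4)"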