;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2013, 2014, 2022 Ludovic Courtès <ludo@gnu.org>
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.

(define-module (test-pki)
  #:use-module (guix pki)
  #:use-module (gcrypt pk-crypto)
  #:use-module (gcrypt hash)
  #:use-module (rnrs io ports)
  #:use-module (srfi srfi-64))

;; Test the (guix pki) module.

(define %public-key
  (call-with-input-file %public-key-file
    (compose string->canonical-sexp get-string-all)))

(define %secret-key
  (call-with-input-file %private-key-file
    (compose string->canonical-sexp get-string-all)))

(define %alternate-secret-key
  (string->canonical-sexp
   "
  (key-data
   (public-key
    (rsa
     (n #00FDBF170366AC43B7D95CF9085565C566FB1F21B17C0A36E68F35ABB500E7851E00B40D7B04C8CD25903371F38E4C298FACEFFC4C97E913B536A0672BAF99D04515AE98A1A56627CD7EB02502FCFBEEA21AF13CC1A853192AD6409B9EFBD9F549BDE32BD890AE01F9A221E81FEE1C407090550647790E0D60775B855E181C2FB5#)
     (e #010001#)))
   (private-key
    (rsa
     (n #00FDBF170366AC43B7D95CF9085565C566FB1F21B17C0A36E68F35ABB500E7851E00B40D7B04C8CD25903371F38E4C298FACEFFC4C97E913B536A0672BAF99D04515AE98A1A56627CD7EB02502FCFBEEA21AF13CC1A853192AD6409B9EFBD9F549BDE32BD890AE01F9A221E81FEE1C407090550647790E0D60775B855E181C2FB5#)
     (e #010001#)
     (d #2790250C2E74C2FD361A99288BBA19B878048F5A0F333F829CC71B3DD64582DB9DF3F4DB1EB0994DD7493225EDA4A1E1492F44D903617FA5643E47BFC7BA157EF48B492AB51229916B02DDBDA0E7DBC7B35A6B8332AB463DC61951CA694551A9760F5A836A375D39E3EA8F2C502A3B5D89CB8777A809B75D603BE7511CEB74E9#)
     (p #00FE15B1751E1C31125B724FF37462F9476239A2AFF4192FAB1550F76928C8D02407F4F5EFC83F7A0AF51BD93399DDC06A4B54DFA60A7079F160A9F618C0148AD9#)
     (q #00FFA8BE7005AAB7401B0926CD9D6AC30BC9BE7D12C8737C9438498A999F56BE9F5EA98B4D7F5364BEB6D550A5AEDDE34C1EC152C9DAF61A97FDE71740C73BAA3D#)
     (u #00FD4050EF4F31B41EC81C28E18D205DFFB3C188F15D8BBA300E30AD8B5C4D3E392EFE10269FC115A538B19F4025973AB09B6650A7FF97DA833FB726F3D8819319#))))"))

(test-begin "pki")

(test-assert "current-acl"
  (not (not (member (canonical-sexp->sexp %public-key)
                    (map canonical-sexp->sexp
                         (acl->public-keys (current-acl)))))))

(test-assert "authorized-key? public-key current-acl"
  (authorized-key? %public-key))

(test-assert "authorized-key? public-key empty-acl"
  (not (authorized-key? %public-key (public-keys->acl '()))))

(test-assert "authorized-key? public-key singleton"
  (authorized-key? %public-key (public-keys->acl (list %public-key))))

(test-equal "public-keys->acl deduplication"
  (public-keys->acl (list %public-key))
  (public-keys->acl (make-list 10 %public-key)))

(test-assert "signature-case valid-signature"
  (let* ((hash (sha256 #vu8(1 2 3)))
         (data (bytevector->hash-data hash #:key-type (key-type %public-key)))
         (sig  (signature-sexp data %secret-key %public-key)))
   (signature-case (sig hash (public-keys->acl (list %public-key)))
     (valid-signature #t)
     (else #f))))

(test-eq "signature-case invalid-signature" 'i
  (let* ((hash (sha256 #vu8(1 2 3)))
         (data (bytevector->hash-data hash #:key-type (key-type %public-key)))
         (sig  (signature-sexp data %alternate-secret-key %public-key)))
    (signature-case (sig hash (public-keys->acl (list %public-key)))
      (valid-signature 'v)
      (invalid-signature 'i)
      (hash-mismatch 'm)
      (unauthorized-key 'u)
      (corrupt-signature 'c))))

(test-eq "signature-case hash-mismatch" 'm
  (let* ((hash (sha256 #vu8(1 2 3)))
         (data (bytevector->hash-data hash #:key-type (key-type %public-key)))
         (sig  (signature-sexp data %secret-key %public-key)))
    (signature-case (sig (sha256 #vu8())
                         (public-keys->acl (list %public-key)))
      (valid-signature 'v)
      (invalid-signature 'i)
      (hash-mismatch 'm)
      (unauthorized-key 'u)
      (corrupt-signature 'c))))

(test-eq "signature-case unauthorized-key" 'u
  (let* ((hash (sha256 #vu8(1 2 3)))
         (data (bytevector->hash-data hash #:key-type (key-type %public-key)))
         (sig  (signature-sexp data %secret-key %public-key)))
    (signature-case (sig hash (public-keys->acl '()))
      (valid-signature 'v)
      (invalid-signature 'i)
      (hash-mismatch 'm)
      (unauthorized-key 'u)
      (corrupt-signature 'c))))

(test-eq "signature-case corrupt-signature" 'c
  (let* ((hash (sha256 #vu8(1 2 3)))
         (sig  (string->canonical-sexp "(w tf)")))
    (signature-case (sig hash (public-keys->acl (list %public-key)))
      (valid-signature 'v)
      (invalid-signature 'i)
      (hash-mismatch 'm)
      (unauthorized-key 'u)
      (corrupt-signature 'c))))

(test-end)
generated by cgit
ave_recent_guile_sqlite3], [GUILE_CHECK([retval], [(@ (sqlite3) sqlite-bind-arguments)]) if test "$retval" = 0; then guix_cv_have_recent_guile_sqlite3="yes" else guix_cv_have_recent_guile_sqlite3="no" fi]) ]) dnl GUIX_CHECK_GUILE_JSON dnl dnl Check whether a recent-enough Guile-JSON is available. AC_DEFUN([GUIX_CHECK_GUILE_JSON], [ dnl Check whether we're using Guile-JSON 4.3+, which provides dnl 'define-json-mapping'. AC_CACHE_CHECK([whether Guile-JSON is available and recent enough], [guix_cv_have_recent_guile_json], [GUILE_CHECK([retval], [(use-modules (json)) (define-json-mapping <frob> make-frob frob? json->frob (a frob-a) (b frob-b \"bee\")) (exit (equal? (json->frob (open-input-string \"{ \\\"a\\\": 1, \\\"bee\\\": 2 }\")) (make-frob 1 2)))]) if test "$retval" = 0; then guix_cv_have_recent_guile_json="yes" else guix_cv_have_recent_guile_json="no" fi]) ]) dnl GUIX_CHECK_GUILE_GCRYPT dnl dnl Check whether a recent-enough Guile-Gcrypt is available. AC_DEFUN([GUIX_CHECK_GUILE_GCRYPT], [ dnl Check whether we're using Guile-Gcrypt 0.2.x or later. 0.2.0 dnl introduced the 'hash-algorithm' macro and related code. AC_CACHE_CHECK([whether Guile-Gcrypt is available and recent enough], [guix_cv_have_recent_guile_gcrypt], [GUILE_CHECK([retval], [(use-modules (gcrypt hash)) (equal? (hash-algorithm sha256) (lookup-hash-algorithm 'sha256))]) if test "$retval" = 0; then guix_cv_have_recent_guile_gcrypt="yes" else guix_cv_have_recent_guile_gcrypt="no" fi]) ]) dnl GUIX_CHECK_GUILE_GIT dnl dnl Check whether a recent-enough Guile-Git is available. AC_DEFUN([GUIX_CHECK_GUILE_GIT], [ dnl Check whether we're using Guile-Git 0.3.0 or later. 0.3.0 dnl introduced SSH authentication support and more. AC_CACHE_CHECK([whether Guile-Git is available and recent enough], [guix_cv_have_recent_guile_git], [GUILE_CHECK([retval], [(use-modules (git) (git auth) (git submodule)) (let ((auth (%make-auth-ssh-agent))) repository-close! object-lookup-prefix (make-clone-options #:fetch-options (make-fetch-options auth)))]) if test "$retval" = 0; then guix_cv_have_recent_guile_git="yes" else guix_cv_have_recent_guile_git="no" fi]) ]) dnl GUIX_CHECK_GUILE_ZLIB dnl dnl Check whether a recent-enough Guile-zlib is available. AC_DEFUN([GUIX_CHECK_GUILE_ZLIB], [ dnl Check whether we're using Guile-zlib 0.1.0 or later. dnl 0.1.0 introduced the 'make-zlib-input-port' and related code. AC_CACHE_CHECK([whether Guile-zlib is available and recent enough], [guix_cv_have_recent_guile_zlib], [GUILE_CHECK([retval], [(use-modules (zlib)) make-zlib-input-port]) if test "$retval" = 0; then guix_cv_have_recent_guile_zlib="yes" else guix_cv_have_recent_guile_zlib="no" fi]) ]) dnl GUIX_TEST_ROOT_DIRECTORY AC_DEFUN([GUIX_TEST_ROOT_DIRECTORY], [ AC_CACHE_CHECK([for unit test root directory], [ac_cv_guix_test_root], [ac_cv_guix_test_root="`pwd`/test-tmp"]) ]) dnl 'BINPRM_BUF_SIZE' constant in Linux (we leave room for the trailing zero.) dnl The Hurd has a limit of about a page (see exec/hashexec.c.) m4_define([LINUX_HASH_BANG_LIMIT], 127) dnl Hardcoded 'sun_path' length in <sys/un.h>. m4_define([SOCKET_FILE_NAME_LIMIT], 108) dnl GUIX_SOCKET_FILE_NAME_LENGTH AC_DEFUN([GUIX_SOCKET_FILE_NAME_LENGTH], [ AC_CACHE_CHECK([the length of the installed socket file name], [ac_cv_guix_socket_file_name_length], [ac_cv_guix_socket_file_name_length="`echo -n "$guix_localstatedir/guix/daemon-socket/socket" | wc -c`"]) ]) dnl GUIX_TEST_SOCKET_FILE_NAME_LENGTH AC_DEFUN([GUIX_TEST_SOCKET_FILE_NAME_LENGTH], [ AC_REQUIRE([GUIX_TEST_ROOT_DIRECTORY]) AC_CACHE_CHECK([the length of the socket file name used in tests], [ac_cv_guix_test_socket_file_name_length], [ac_cv_guix_test_socket_file_name_length="`echo -n "$ac_cv_guix_test_root/var/123456/daemon-socket/socket" | wc -c`"]) ]) dnl GUIX_HASH_BANG_LENGTH AC_DEFUN([GUIX_HASH_BANG_LENGTH], [ AC_CACHE_CHECK([the length of a typical hash bang line], [ac_cv_guix_hash_bang_length], [ac_cv_guix_hash_bang_length=`echo -n "$storedir/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-bootstrap-binaries-0/bin/bash" | wc -c`]) ]) dnl GUIX_TEST_HASH_BANG_LENGTH AC_DEFUN([GUIX_TEST_HASH_BANG_LENGTH], [ AC_REQUIRE([GUIX_TEST_ROOT_DIRECTORY]) AC_CACHE_CHECK([the length of a hash bang line used in tests], [ac_cv_guix_test_hash_bang_length], [ac_cv_guix_test_hash_bang_length=`echo -n "$ac_cv_guix_test_root/store/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-bootstrap-binaries-0/bin/bash" | wc -c`]) ]) dnl GUIX_CHECK_FILE_NAME_LIMITS dnl dnl GNU/Linux has a couple of silly limits that we can easily run into. dnl Make sure everything is fine with the current settings. Set $1 to dnl 'yes' if tests can run, 'no' otherwise. AC_DEFUN([GUIX_CHECK_FILE_NAME_LIMITS], [ AC_REQUIRE([GUIX_SOCKET_FILE_NAME_LENGTH]) AC_REQUIRE([GUIX_TEST_SOCKET_FILE_NAME_LENGTH]) AC_REQUIRE([GUIX_HASH_BANG_LENGTH]) AC_REQUIRE([GUIX_TEST_HASH_BANG_LENGTH]) if test "$ac_cv_guix_socket_file_name_length" -ge ]SOCKET_FILE_NAME_LIMIT[; then AC_MSG_ERROR([socket file name would exceed the maximum allowed length]) fi if test "$ac_cv_guix_test_socket_file_name_length" -ge ]SOCKET_FILE_NAME_LIMIT[; then AC_MSG_WARN([socket file name limit may be exceeded when running tests]) fi $1=yes if test "$ac_cv_guix_hash_bang_length" -ge ]LINUX_HASH_BANG_LIMIT[; then $1=no AC_MSG_ERROR([store directory '$storedir' would lead to overly long hash-bang lines]) fi if test "$ac_cv_guix_test_hash_bang_length" -ge ]LINUX_HASH_BANG_LIMIT[; then $1=no AC_MSG_WARN([test directory '$ac_cv_guix_test_root' may lead to overly long hash-bang lines]) fi ]) dnl GUIX_CHECK_CXX11 dnl dnl Check whether the C++ compiler can compile a typical C++11 program. AC_DEFUN([GUIX_CHECK_CXX11], [ AC_REQUIRE([AC_PROG_CXX]) AC_CACHE_CHECK([whether $CXX supports C++11], [ac_cv_guix_cxx11_support], [save_CXXFLAGS="$CXXFLAGS" CXXFLAGS="-std=c++11 $CXXFLAGS" AC_COMPILE_IFELSE([ AC_LANG_SOURCE([ #include <functional> std::function<int(int)> return_plus_lambda (int x) { auto result = [[&]](int y) { return x + y; }; return result; } ])], [ac_cv_guix_cxx11_support=yes], [ac_cv_guix_cxx11_support=no]) CXXFLAGS="$save_CXXFLAGS" ]) ]) dnl GUIX_ASSERT_CXX11 dnl dnl Error out if the C++ compiler cannot compile C++11 code. AC_DEFUN([GUIX_ASSERT_CXX11], [ GUIX_CHECK_CXX11 if test "x$ac_cv_guix_cxx11_support" != "xyes"; then AC_MSG_ERROR([C++ compiler '$CXX' does not support the C++11 standard]) fi ]) dnl GUIX_LIBGCRYPT_LIBDIR VAR dnl dnl Attempt to determine libgcrypt's LIBDIR; store the result in VAR. AC_DEFUN([GUIX_LIBGCRYPT_LIBDIR], [ AC_PATH_PROG([LIBGCRYPT_CONFIG], [libgcrypt-config]) AC_CACHE_CHECK([libgcrypt's library directory], [guix_cv_libgcrypt_libdir], [if test "x$LIBGCRYPT_CONFIG" != "x"; then guix_cv_libgcrypt_libdir=`$LIBGCRYPT_CONFIG --libs | grep -e -L | sed -e "s/.*-L\([[^ ]]\+\)[[[:blank:]]]\+-lgcrypt.*/\1/g"` else guix_cv_libgcrypt_libdir="" fi]) $1="$guix_cv_libgcrypt_libdir" ]) dnl GUIX_CURRENT_LOCALSTATEDIR dnl dnl Determine the localstatedir of an existing Guix installation and set dnl 'guix_cv_current_localstatedir' accordingly. Set it to "none" if no dnl existing installation was found. AC_DEFUN([GUIX_CURRENT_LOCALSTATEDIR], [ AC_PATH_PROG([GUILE], [guile]) AC_CACHE_CHECK([the current installation's localstatedir], [guix_cv_current_localstatedir], [dnl Call 'dirname' because (guix config) appends "/guix" to LOCALSTATEDIR. guix_cv_current_localstatedir="`"$GUILE" \ -c '(use-modules (guix config)) (when (string=? %store-directory "'$storedir'") (display (dirname %state-directory)))' \ 2>/dev/null`" if test "x$guix_cv_current_localstatedir" = "x"; then guix_cv_current_localstatedir=none fi])]) dnl GUIX_CHECK_LOCALSTATEDIR dnl dnl Check that the LOCALSTATEDIR value is consistent with that of the existing dnl Guix installation, if any. Error out or warn if they do not match. AC_DEFUN([GUIX_CHECK_LOCALSTATEDIR], [ AC_REQUIRE([GUIX_CURRENT_LOCALSTATEDIR]) if test "x$guix_cv_current_localstatedir" != "xnone"; then if test "$guix_cv_current_localstatedir" != "$guix_localstatedir"; then case "$localstatedir" in NONE|\${prefix}*) # User kept the default value---i.e., did not pass '--localstatedir'. AC_MSG_ERROR([chosen localstatedir '$guix_localstatedir' does not match \ that of the existing installation '$guix_cv_current_localstatedir' Installing may corrupt $storedir! Use './configure --localstatedir=$guix_cv_current_localstatedir'.]) ;; *) # User passed an explicit '--localstatedir'. Assume they know what # they're doing. AC_MSG_WARN([chosen localstatedir '$guix_localstatedir' does not match \ that of the existing installation '$guix_cv_current_localstatedir']) AC_MSG_WARN([installing may corrupt $storedir!]) ;; esac fi fi]) dnl GUIX_CHANNEL_METADATA dnl dnl Provide the channel metadata for this build. This allows 'guix describe' dnl to return meaningful data, as it would for a 'guix pull'-provided 'guix'. dnl The default URL and introduction are taken from (guix channels). AC_DEFUN([GUIX_CHANNEL_METADATA], [ AC_ARG_WITH([channel-url], [AS_HELP_STRING([--with-channel-url=URL], [assert that this is built from the Git repository at URL])], [guix_channel_url="\"$withval\""], [guix_channel_url="\"https://git.savannah.gnu.org/git/guix.git\""]) AC_ARG_WITH([channel-commit], [AS_HELP_STRING([--with-channel-commit=COMMIT], [assert that this is built from COMMIT])], [guix_channel_commit="\"$withval\""], [guix_channel_commit="#f"]) AC_ARG_WITH([channel-introduction], [AS_HELP_STRING([--with-channel-introduction=COMMIT:FINGERPRINT], [specify COMMIT and FINGERPRINT as the introduction of this channel])], [guix_channel_introduction="'(\"`echo $withval | cut -f1 -d:`\" \"`echo $withval | cut -f2 -d:`\")"], [guix_channel_introduction="'(\"9edb3f66fd807b096b48283debdcddccfea34bad\" . \"BBB0 2DDF 2CEA F6A8 0D1D E643 A2A0 6DF2 A33A 54FA\")"]) GUIX_CHANNEL_URL="$guix_channel_url" GUIX_CHANNEL_COMMIT="$guix_channel_commit" GUIX_CHANNEL_INTRODUCTION="$guix_channel_introduction" AC_SUBST([GUIX_CHANNEL_URL]) AC_SUBST([GUIX_CHANNEL_COMMIT]) AC_SUBST([GUIX_CHANNEL_INTRODUCTION]) ])
generated by cgit