216 lines
6.7 KiB
Go
216 lines
6.7 KiB
Go
|
package model_test
|
|||
|
|
|
|||
|
|
import (
|
|||
|
|
"testing"
|
|||
|
|
"time"
|
|||
|
|
|
|||
|
|
"github.com/stretchr/testify/assert"
|
|||
|
|
"github.com/stretchr/testify/require"
|
|||
|
|
|
|||
|
|
"go.yandata.net/iod/iod/trustlog-sdk/api/model"
|
|||
|
|
)
|
|||
|
|
|
|||
|
|
// TestSignVerifyDataConsistency 详细测试加签和验签的数据一致性.
|
|||
|
|
func TestSignVerifyDataConsistency(t *testing.T) {
|
|||
|
|
t.Parallel()
|
|||
|
|
|
|||
|
|
// 生成SM2密钥对
|
|||
|
|
keyPair, err := model.GenerateSM2KeyPair()
|
|||
|
|
require.NoError(t, err)
|
|||
|
|
|
|||
|
|
// 序列化为DER格式
|
|||
|
|
privateKeyDER, err := model.MarshalSM2PrivateDER(keyPair.Private)
|
|||
|
|
require.NoError(t, err)
|
|||
|
|
|
|||
|
|
publicKeyDER, err := model.MarshalSM2PublicDER(keyPair.Public)
|
|||
|
|
require.NoError(t, err)
|
|||
|
|
|
|||
|
|
// 创建签名器
|
|||
|
|
signer := model.NewSM2Signer(privateKeyDER, publicKeyDER)
|
|||
|
|
|
|||
|
|
// 测试数据1
|
|||
|
|
testData1 := []byte("test data for signing")
|
|||
|
|
|
|||
|
|
// 测试数据2(不同数据)
|
|||
|
|
testData2 := []byte("different test data")
|
|||
|
|
|
|||
|
|
// 1. 对testData1签名
|
|||
|
|
signature1, err := signer.Sign(testData1)
|
|||
|
|
require.NoError(t, err)
|
|||
|
|
require.NotNil(t, signature1)
|
|||
|
|
|
|||
|
|
// 2. 用testData1验证signature1 - 应该成功
|
|||
|
|
valid, err := signer.Verify(testData1, signature1)
|
|||
|
|
require.NoError(t, err)
|
|||
|
|
assert.True(t, valid, "使用相同数据验证应该成功")
|
|||
|
|
|
|||
|
|
// 3. 用testData2验证signature1 - 应该失败
|
|||
|
|
valid, err = signer.Verify(testData2, signature1)
|
|||
|
|
require.Error(t, err, "使用不同数据验证应该失败")
|
|||
|
|
assert.Contains(t, err.Error(), "signature verification failed")
|
|||
|
|
assert.False(t, valid)
|
|||
|
|
|
|||
|
|
// 4. 对testData2签名
|
|||
|
|
signature2, err := signer.Sign(testData2)
|
|||
|
|
require.NoError(t, err)
|
|||
|
|
require.NotNil(t, signature2)
|
|||
|
|
|
|||
|
|
// 5. 用testData2验证signature2 - 应该成功
|
|||
|
|
valid, err = signer.Verify(testData2, signature2)
|
|||
|
|
require.NoError(t, err)
|
|||
|
|
assert.True(t, valid, "使用相同数据验证应该成功")
|
|||
|
|
|
|||
|
|
// 6. 用testData1验证signature2 - 应该失败
|
|||
|
|
valid, err = signer.Verify(testData1, signature2)
|
|||
|
|
require.Error(t, err, "使用不同数据验证应该失败")
|
|||
|
|
assert.Contains(t, err.Error(), "signature verification failed")
|
|||
|
|
assert.False(t, valid)
|
|||
|
|
|
|||
|
|
t.Logf("测试完成:签名和验证逻辑正常")
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
// TestEnvelopeBodyTampering 测试修改envelope body后验签应该失败.
|
|||
|
|
func TestEnvelopeBodyTampering(t *testing.T) {
|
|||
|
|
t.Parallel()
|
|||
|
|
|
|||
|
|
// 生成SM2密钥对
|
|||
|
|
keyPair, err := model.GenerateSM2KeyPair()
|
|||
|
|
require.NoError(t, err)
|
|||
|
|
|
|||
|
|
// 序列化为DER格式
|
|||
|
|
privateKeyDER, err := model.MarshalSM2PrivateDER(keyPair.Private)
|
|||
|
|
require.NoError(t, err)
|
|||
|
|
|
|||
|
|
publicKeyDER, err := model.MarshalSM2PublicDER(keyPair.Public)
|
|||
|
|
require.NoError(t, err)
|
|||
|
|
|
|||
|
|
// 创建签名配置
|
|||
|
|
signConfig := model.NewSM2EnvelopeConfig(privateKeyDER, publicKeyDER)
|
|||
|
|
verifyConfig := model.NewSM2VerifyConfig(publicKeyDER)
|
|||
|
|
|
|||
|
|
// 创建测试Operation
|
|||
|
|
op := &model.Operation{
|
|||
|
|
OpID: "op-test-002",
|
|||
|
|
Timestamp: time.Now(),
|
|||
|
|
OpSource: model.OpSourceIRP,
|
|||
|
|
OpType: model.OpTypeOCCreateHandle,
|
|||
|
|
DoPrefix: "test",
|
|||
|
|
DoRepository: "repo",
|
|||
|
|
Doid: "test/repo/456",
|
|||
|
|
ProducerID: "producer-2",
|
|||
|
|
OpActor: "actor-2",
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
err = op.CheckAndInit()
|
|||
|
|
require.NoError(t, err)
|
|||
|
|
|
|||
|
|
// 1. 加签:序列化为Envelope
|
|||
|
|
envelopeData, err := model.MarshalOperation(op, signConfig)
|
|||
|
|
require.NoError(t, err)
|
|||
|
|
require.NotNil(t, envelopeData)
|
|||
|
|
|
|||
|
|
// 2. 验签:验证原始Envelope - 应该成功
|
|||
|
|
verifiedEnv, err := model.VerifyEnvelopeWithConfig(envelopeData, verifyConfig)
|
|||
|
|
require.NoError(t, err)
|
|||
|
|
require.NotNil(t, verifiedEnv)
|
|||
|
|
|
|||
|
|
// 3. 反序列化获取原始body
|
|||
|
|
originalEnv, err := model.UnmarshalEnvelope(envelopeData)
|
|||
|
|
require.NoError(t, err)
|
|||
|
|
originalBody := originalEnv.Body
|
|||
|
|
originalSignature := originalEnv.Signature
|
|||
|
|
|
|||
|
|
t.Logf("原始body长度: %d", len(originalBody))
|
|||
|
|
t.Logf("原始签名长度: %d", len(originalSignature))
|
|||
|
|
|
|||
|
|
// 4. 创建修改后的body(完全不同的数据)
|
|||
|
|
modifiedBody := []byte("completely different body content")
|
|||
|
|
require.NotEqual(t, originalBody, modifiedBody, "修改后的body应该不同")
|
|||
|
|
|
|||
|
|
// 5. 创建修改后的envelope(使用原始签名但修改body)
|
|||
|
|
modifiedEnv := &model.Envelope{
|
|||
|
|
ProducerID: originalEnv.ProducerID,
|
|||
|
|
Signature: originalSignature, // 使用原始签名
|
|||
|
|
Body: modifiedBody, // 使用修改后的body
|
|||
|
|
}
|
|||
|
|
modifiedData, err := model.MarshalEnvelope(modifiedEnv)
|
|||
|
|
require.NoError(t, err)
|
|||
|
|
|
|||
|
|
// 6. 验签修改后的envelope - 应该失败
|
|||
|
|
_, err = model.VerifyEnvelopeWithConfig(modifiedData, verifyConfig)
|
|||
|
|
require.Error(t, err, "修改body后验签应该失败")
|
|||
|
|
assert.Contains(t, err.Error(), "signature verification failed")
|
|||
|
|
|
|||
|
|
t.Logf("测试完成:修改body后验签正确失败")
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
// TestEnvelopeSignatureTampering 测试修改envelope signature后验签应该失败.
|
|||
|
|
func TestEnvelopeSignatureTampering(t *testing.T) {
|
|||
|
|
t.Parallel()
|
|||
|
|
|
|||
|
|
// 生成SM2密钥对
|
|||
|
|
keyPair, err := model.GenerateSM2KeyPair()
|
|||
|
|
require.NoError(t, err)
|
|||
|
|
|
|||
|
|
// 序列化为DER格式
|
|||
|
|
privateKeyDER, err := model.MarshalSM2PrivateDER(keyPair.Private)
|
|||
|
|
require.NoError(t, err)
|
|||
|
|
|
|||
|
|
publicKeyDER, err := model.MarshalSM2PublicDER(keyPair.Public)
|
|||
|
|
require.NoError(t, err)
|
|||
|
|
|
|||
|
|
// 创建签名配置
|
|||
|
|
signConfig := model.NewSM2EnvelopeConfig(privateKeyDER, publicKeyDER)
|
|||
|
|
verifyConfig := model.NewSM2VerifyConfig(publicKeyDER)
|
|||
|
|
|
|||
|
|
// 创建测试Operation
|
|||
|
|
op := &model.Operation{
|
|||
|
|
OpID: "op-test-003",
|
|||
|
|
Timestamp: time.Now(),
|
|||
|
|
OpSource: model.OpSourceIRP,
|
|||
|
|
OpType: model.OpTypeOCCreateHandle,
|
|||
|
|
DoPrefix: "test",
|
|||
|
|
DoRepository: "repo",
|
|||
|
|
Doid: "test/repo/789",
|
|||
|
|
ProducerID: "producer-3",
|
|||
|
|
OpActor: "actor-3",
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
err = op.CheckAndInit()
|
|||
|
|
require.NoError(t, err)
|
|||
|
|
|
|||
|
|
// 1. 加签:序列化为Envelope
|
|||
|
|
envelopeData, err := model.MarshalOperation(op, signConfig)
|
|||
|
|
require.NoError(t, err)
|
|||
|
|
|
|||
|
|
// 2. 反序列化获取原始signature
|
|||
|
|
originalEnv, err := model.UnmarshalEnvelope(envelopeData)
|
|||
|
|
require.NoError(t, err)
|
|||
|
|
originalSignature := originalEnv.Signature
|
|||
|
|
|
|||
|
|
// 3. 创建修改后的signature(完全不同的数据)
|
|||
|
|
modifiedSignature := make([]byte, len(originalSignature))
|
|||
|
|
copy(modifiedSignature, originalSignature)
|
|||
|
|
// 修改最后一个字节
|
|||
|
|
if len(modifiedSignature) > 0 {
|
|||
|
|
modifiedSignature[len(modifiedSignature)-1] ^= 0xFF
|
|||
|
|
}
|
|||
|
|
require.NotEqual(t, originalSignature, modifiedSignature, "修改后的signature应该不同")
|
|||
|
|
|
|||
|
|
// 4. 创建修改后的envelope(使用原始body但修改signature)
|
|||
|
|
modifiedEnv := &model.Envelope{
|
|||
|
|
ProducerID: originalEnv.ProducerID,
|
|||
|
|
Signature: modifiedSignature, // 使用修改后的signature
|
|||
|
|
Body: originalEnv.Body, // 使用原始body
|
|||
|
|
}
|
|||
|
|
modifiedData, err := model.MarshalEnvelope(modifiedEnv)
|
|||
|
|
require.NoError(t, err)
|
|||
|
|
|
|||
|
|
// 5. 验签修改后的envelope - 应该失败
|
|||
|
|
_, err = model.VerifyEnvelopeWithConfig(modifiedData, verifyConfig)
|
|||
|
|
require.Error(t, err, "修改signature后验签应该失败")
|
|||
|
|
assert.Contains(t, err.Error(), "signature verification failed")
|
|||
|
|
|
|||
|
|
t.Logf("测试完成:修改signature后验签正确失败")
|
|||
|
|
}
|