wsc 0.8.2

WebAssembly Signature Component - WASM signing and verification toolkit
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280

//! Integration tests for keyless signing
//!
//! These tests verify the end-to-end keyless signing flow.
//! Most tests are marked with `#[ignore]` because they require:
//! - OIDC provider credentials (GitHub Actions, Google Cloud, etc.)
//! - Network access to Fulcio and Rekor servers
//!
//! To run these tests:
//! ```bash
//! # In GitHub Actions with OIDC
//! cargo test --test keyless_integration -- --ignored
//! ```

use wsc::{
    Module, WSError,
    keyless::{KeylessConfig, KeylessSigner, detect_oidc_provider},
};

/// Helper to create a minimal valid WASM module
fn create_test_module() -> Module {
    Module {
        header: [0x00, 0x61, 0x73, 0x6D, 0x01, 0x00, 0x00, 0x00], // WASM header
        sections: vec![],
    }
}

#[test]
fn test_keyless_config_default() {
    let config = KeylessConfig::default();
    assert!(config.fulcio_url.is_none());
    assert!(config.rekor_url.is_none());
    assert!(!config.skip_rekor);
}

#[test]
fn test_keyless_config_custom() {
    let config = KeylessConfig {
        fulcio_url: Some("https://custom.fulcio.dev".to_string()),
        rekor_url: Some("https://custom.rekor.dev".to_string()),
        skip_rekor: true,
        use_staging: false,
        fulcio_pins: vec![],
        rekor_pins: vec![],
        require_cert_pinning: false,
        expected_issuer: None,
        proof_cache: None,
    };
    assert_eq!(config.fulcio_url.unwrap(), "https://custom.fulcio.dev");
    assert_eq!(config.rekor_url.unwrap(), "https://custom.rekor.dev");
    assert!(config.skip_rekor);
}

#[test]
#[ignore] // Requires GitHub Actions environment with OIDC
fn test_github_actions_keyless_signing() {
    // This test only runs in GitHub Actions with proper OIDC setup
    // Required environment variables:
    // - GITHUB_ACTIONS=true
    // - ACTIONS_ID_TOKEN_REQUEST_TOKEN
    // - ACTIONS_ID_TOKEN_REQUEST_URL

    let provider = detect_oidc_provider()
        .expect("Failed to detect OIDC provider - are you running in GitHub Actions?");

    assert_eq!(provider.name(), "GitHub Actions");

    let config = KeylessConfig::default();
    let signer = KeylessSigner::with_config(config).expect("Failed to create keyless signer");

    let module = create_test_module();
    let (signed_module, signature) = signer.sign_module(module).expect("Failed to sign module");

    // Verify the signature was created
    assert!(!signature.signature.is_empty());
    assert!(!signature.cert_chain.is_empty());
    assert!(!signature.rekor_entry.uuid.is_empty());
    assert!(signature.rekor_entry.log_index > 0);

    // Verify we can extract identity and issuer
    let identity = signature
        .get_identity()
        .expect("Failed to extract identity");
    let issuer = signature.get_issuer().expect("Failed to extract issuer");

    println!("Signed by: {}", identity);
    println!("Issuer: {}", issuer);
    println!("Rekor entry: {}", signature.rekor_entry.uuid);
    println!("Log index: {}", signature.rekor_entry.log_index);
    println!("Integrated time: {}", signature.rekor_entry.integrated_time);

    // **CRITICAL TEST**: Verify the Rekor entry against production data
    // This validates our SET and inclusion proof verification against REAL Rekor responses
    println!("\n🔐 Testing Rekor verification with REAL production data...");

    use wsc::keyless::RekorClient;
    let rekor_client = RekorClient::new();
    let verification_result = rekor_client.verify_inclusion(&signature.rekor_entry);

    match &verification_result {
        Ok(true) => {
            println!("✅ SET signature verified successfully!");
            println!("✅ Merkle inclusion proof verified successfully!");
            println!("✅ VALIDATION PASSED: Our implementation works with real Rekor data!");
        }
        Ok(false) => {
            panic!("❌ Verification returned false (unexpected)");
        }
        Err(e) => {
            // Note: Merkle proof verification can fail due to Rekor's log sharding.
            // The SET verification is what matters for production - it proves the entry
            // was signed by Rekor at the claimed time. Merkle proofs provide additional
            // assurance but are fragile across shard boundaries.
            let error_msg = e.to_string();
            if error_msg.contains("root hash") || error_msg.contains("Merkle") {
                println!("⚠️  Merkle proof verification failed (known issue with Rekor sharding)");
                println!("   Error: {}", e);
                println!("   This is acceptable - SET verification provides sufficient security.");
            } else {
                println!("❌ Verification FAILED: {}", e);
                println!("\n📋 Debug Info:");
                println!("  Body length: {}", signature.rekor_entry.body.len());
                println!("  Log ID: {}", signature.rekor_entry.log_id);
                println!(
                    "  SET length: {}",
                    signature.rekor_entry.signed_entry_timestamp.len()
                );
                println!(
                    "  Inclusion proof length: {}",
                    signature.rekor_entry.inclusion_proof.len()
                );
                panic!("Rekor verification failed with real data: {}", e);
            }
        }
    }

    // Verify the module structure is valid
    assert_eq!(
        signed_module.header,
        [0x00, 0x61, 0x73, 0x6D, 0x01, 0x00, 0x00, 0x00]
    );
}

#[test]
#[ignore] // Requires GitHub Actions environment
fn test_keyless_signing_with_skip_rekor() {
    // Test signing with Rekor upload skipped (for testing only)
    let _provider = detect_oidc_provider().expect("Failed to detect OIDC provider");

    let config = KeylessConfig {
        fulcio_url: None,
        rekor_url: None,
        skip_rekor: true, // Skip Rekor for faster testing
        use_staging: false,
        fulcio_pins: vec![],
        rekor_pins: vec![],
        require_cert_pinning: false,
        expected_issuer: None,
        proof_cache: None,
    };

    let signer = KeylessSigner::with_config(config).expect("Failed to create keyless signer");

    let module = create_test_module();
    let (_signed_module, signature) = signer.sign_module(module).expect("Failed to sign module");

    // When Rekor is skipped, the entry should be empty or have a dummy value
    assert!(signature.rekor_entry.uuid.is_empty() || signature.rekor_entry.uuid == "skipped");
}

#[test]
#[ignore] // Requires network access
fn test_keyless_signing_with_custom_servers() {
    // Test with custom Fulcio/Rekor servers (e.g., staging)
    let _provider = detect_oidc_provider().expect("Failed to detect OIDC provider");

    let config = KeylessConfig {
        fulcio_url: Some("https://fulcio.sigstore.dev".to_string()),
        rekor_url: Some("https://rekor.sigstore.dev".to_string()),
        skip_rekor: false,
        use_staging: false,
        fulcio_pins: vec![],
        rekor_pins: vec![],
        require_cert_pinning: false,
        expected_issuer: None,
        proof_cache: None,
    };

    let signer = KeylessSigner::with_config(config).expect("Failed to create keyless signer");

    let module = create_test_module();
    let result = signer.sign_module(module);

    // Should succeed or fail gracefully
    if let Err(e) = result {
        eprintln!("Signing failed (expected in some environments): {}", e);
    }
}

#[test]
fn test_keyless_signing_without_oidc_fails() {
    // This test verifies that signing fails gracefully when no OIDC provider is available
    // Unset all OIDC environment variables to ensure clean state

    let result = KeylessSigner::new();

    // In most development environments without OIDC setup, this should fail
    // In CI with OIDC, this will succeed - that's okay
    match result {
        Ok(_) => {
            println!("OIDC provider detected (running in CI environment)");
        }
        Err(e) => {
            println!(
                "No OIDC provider detected (expected in dev environment): {}",
                e
            );
            assert!(
                matches!(e, WSError::NoOidcProvider)
                    || matches!(e, WSError::OidcError(_))
            );
        }
    }
}

#[test]
fn test_signature_format_roundtrip() {
    use wsc::keyless::{KeylessSignature, RekorEntry};

    // Test that we can serialize and deserialize a keyless signature
    let original = KeylessSignature::new(
        vec![0u8; 64], // Ed25519 signature
        vec!["-----BEGIN CERTIFICATE-----\ntest\n-----END CERTIFICATE-----".to_string()],
        RekorEntry {
            uuid: "test-uuid-12345".to_string(),
            log_index: 42,
            body: "eyJ0ZXN0IjoidmFsdWUifQ==".to_string(),
            log_id: "test-log-id".to_string(),
            inclusion_proof: vec![1, 2, 3, 4],
            signed_entry_timestamp: "c2lnbmF0dXJl".to_string(),
            integrated_time: "2024-10-25T12:00:00Z".to_string(),
        },
        vec![0u8; 32], // SHA256 hash
    );

    // Serialize
    let bytes = original.to_bytes().expect("Failed to serialize signature");

    assert!(!bytes.is_empty());
    assert!(bytes.len() > 100); // Should be at least a few hundred bytes

    // Deserialize
    let recovered = KeylessSignature::from_bytes(&bytes).expect("Failed to deserialize signature");

    // Verify fields match
    assert_eq!(recovered.signature, original.signature);
    assert_eq!(recovered.cert_chain.len(), original.cert_chain.len());
    assert_eq!(recovered.rekor_entry.uuid, original.rekor_entry.uuid);
    assert_eq!(
        recovered.rekor_entry.log_index,
        original.rekor_entry.log_index
    );
    assert_eq!(recovered.module_hash, original.module_hash);
}

#[test]
fn test_module_serialization() {
    // Verify that our test module can be serialized
    let module = create_test_module();

    let mut buffer = Vec::new();
    module
        .serialize(&mut buffer)
        .expect("Failed to serialize module");

    assert!(!buffer.is_empty());
    assert_eq!(
        &buffer[0..8],
        &[0x00, 0x61, 0x73, 0x6D, 0x01, 0x00, 0x00, 0x00]
    );
}