Add buildCp tests (#197)

* Add `buildCp` tests

* Unexport `RFC6962NoteSignature`

Author: roger2hk

internal/scti/signatures.go

@@ -106,8 +106,8 @@ func buildV1SCT(signer crypto.Signer, leaf *rfc6962.MerkleTreeLeaf) (*rfc6962.Si
 }
 
 type rfc6962NoteSignature struct {
-	timestamp uint64
-	signature rfc6962.DigitallySigned
+	Timestamp uint64
+	Signature rfc6962.DigitallySigned
 }
 
 // serializeSTHSignatureInput serializes the passed in STH into the correct
@@ -133,7 +133,6 @@ func serializeSTHSignatureInput(sth rfc6962.SignedTreeHead) ([]byte, error) {
 }
 
 // buildCp builds a https://c2sp.org/static-ct-api checkpoint.
-// TODO(phboneff): add tests
 func buildCp(signer crypto.Signer, size uint64, timeMilli uint64, hash []byte) ([]byte, error) {
 	sth := rfc6962.SignedTreeHead{
 		Version:   rfc6962.V1,
@@ -154,8 +153,8 @@ func buildCp(signer crypto.Signer, size uint64, timeMilli uint64, hash []byte) (
 	}
 
 	rfc6962Note := rfc6962NoteSignature{
-		timestamp: sth.Timestamp,
-		signature: rfc6962.DigitallySigned{
+		Timestamp: sth.Timestamp,
+		Signature: rfc6962.DigitallySigned{
 			Algorithm: tls.SignatureAndHashAlgorithm{
 				Hash:      tls.SHA256,
 				Signature: tls.SignatureAlgorithmFromPubKey(signer.Public()),

internal/scti/signatures_test.go

@@ -17,6 +17,7 @@ package scti
 import (
 	"bytes"
 	"crypto"
+	"crypto/ecdsa"
 	"crypto/sha256"
 	"crypto/x509"
 	"encoding/hex"
@@ -401,3 +402,56 @@ func setupSigner(fakeSig []byte) (crypto.Signer, error) {
 
 	return testdata.NewSignerWithFixedSig(key, fakeSig), nil
 }
+
+func TestBuildCp(t *testing.T) {
+	// Create a test signer.
+	ecdsaSigner, err := loadPEMPrivateKey("../testdata/test_ct_server_ecdsa_private_key.pem")
+	if err != nil {
+		t.Fatalf("Can't open key: %v", err)
+	}
+
+	// Define test data.
+	size := uint64(12345)
+	hash := []byte("test_hash_value_12345678901234567890")
+
+	// Build the checkpoint which is in the RFC6962NoteSignature format.
+	checkpoint, err := buildCp(ecdsaSigner, size, fixedTimeMillis, hash)
+	if err != nil {
+		t.Errorf("buildCp failed: %v", err)
+	}
+
+	// Verify whether the checkpoint is empty.
+	if len(checkpoint) == 0 {
+		t.Errorf("buildCp returned an empty checkpoint")
+	}
+
+	// Verify that the checkpoint can be parsed.
+	var sig rfc6962NoteSignature
+	_, err = tls.Unmarshal(checkpoint, &sig)
+	if err != nil {
+		t.Errorf("failed to unmarshal checkpoint: %v", err)
+	}
+	// Verify the timestamp in the note signature.
+	if sig.Timestamp != fixedTimeMillis {
+		t.Errorf("buildCp returned wrong timestamp, got %d, want %d", sig.Timestamp, fixedTimeMillis)
+	}
+
+	// Verify the signature using the public key.
+	sth := rfc6962.SignedTreeHead{
+		Version:   rfc6962.V1,
+		TreeSize:  size,
+		Timestamp: fixedTimeMillis,
+	}
+	copy(sth.SHA256RootHash[:], hash)
+
+	sthBytes, err := serializeSTHSignatureInput(sth)
+	if err != nil {
+		t.Fatalf("serializeSTHSignatureInput(): %v", err)
+	}
+
+	h := sha256.Sum256(sthBytes)
+	valid := ecdsa.VerifyASN1(ecdsaSigner.Public().(*ecdsa.PublicKey), h[:], sig.Signature.Signature)
+	if !valid {
+		t.Errorf("buildCp returned an invalid signature")
+	}
+}