fix: refactor

Author: JasonPowr

internal/controller/tsa/actions/generate_signer.go

@@ -220,7 +220,7 @@ func (g generateSigner) Handle(ctx context.Context, instance *v1alpha1.Timestamp
 	return g.StatusUpdate(ctx, instance)
 }
 
-func (g generateSigner) handleSignerKeys(instance *v1alpha1.TimestampAuthority, config *tsaUtils.TsaCertChainConfig) (*tsaUtils.TsaCertChainConfig, error) {
+func (g generateSigner) handleSignerKeys(instance *v1alpha1.TimestampAuthority, config *tsaUtils.TsaCertChainConfig) (*tsaUtils.TsaCertChainConfig, error) { //nolint:gocyclo
 	if instance.Spec.Signer.File != nil {
 		if instance.Spec.Signer.File.PrivateKeyRef != nil {
 			key, err := kubernetes.GetSecretData(g.Client, instance.Namespace, instance.Spec.Signer.File.PrivateKeyRef)

internal/controller/tsa/actions/generate_signer_test.go

@@ -10,6 +10,7 @@ import (
 	"github.com/securesign/operator/internal/constants"
 	"github.com/securesign/operator/internal/labels"
 	cryptoutil "github.com/securesign/operator/internal/utils/crypto"
+	fipsTest "github.com/securesign/operator/internal/utils/crypto/test"
 	"github.com/securesign/operator/internal/utils/kubernetes"
 	"github.com/securesign/operator/test/e2e/support"
 	"github.com/securesign/operator/test/e2e/support/tas/tsa"
@@ -189,7 +190,7 @@ func Test_SignerHandle(t *testing.T) {
 					},
 				}
 
-				secret := tsa.CreateSecrets(instance.Namespace, "tsa-test-secret", elliptic.P256())
+				secret := tsa.CreateSecrets(instance.Namespace, "tsa-test-secret")
 				return common.TsaTestSetup(instance, t, nil, NewGenerateSignerAction(), secret)
 			},
 			testCase: func(g Gomega, a action.Action[*rhtasv1alpha1.TimestampAuthority], client client.WithWatch, instance *rhtasv1alpha1.TimestampAuthority) bool {
@@ -236,10 +237,7 @@ func Test_SignerHandle(t *testing.T) {
 						},
 					},
 				}
-				_, priv, _, err := support.CreateCertificates(elliptic.P224(), true)
-				if err != nil {
-					t.Fatalf("failed to create test certificates: %v", err)
-				}
+				priv := fipsTest.GenerateECPrivateKeyPEM(t, elliptic.P224())
 				secret := &v1.Secret{
 					ObjectMeta: metav1.ObjectMeta{
 						Name:      "tsa-invalid-secret",
@@ -295,7 +293,7 @@ func Test_SignerHandle(t *testing.T) {
 						},
 					},
 				}
-				secret := tsa.CreateSecrets(instance.Namespace, "tsa-test-secret", elliptic.P256())
+				secret := tsa.CreateSecrets(instance.Namespace, "tsa-test-secret")
 				return common.TsaTestSetup(instance, t, nil, NewGenerateSignerAction(), secret)
 			},
 			testCase: func(g Gomega, a action.Action[*rhtasv1alpha1.TimestampAuthority], client client.WithWatch, instance *rhtasv1alpha1.TimestampAuthority) bool {
@@ -366,8 +364,8 @@ func Test_SignerHandle(t *testing.T) {
 					},
 				}
 
-				secret := tsa.CreateSecrets(instance.Namespace, "tsa-test-secret", elliptic.P256())
-				old := tsa.CreateSecrets(instance.Namespace, "old", elliptic.P256())
+				secret := tsa.CreateSecrets(instance.Namespace, "tsa-test-secret")
+				old := tsa.CreateSecrets(instance.Namespace, "old")
 				old.Annotations = generateSecretAnnotations(*instance.Status.Signer)
 				return common.TsaTestSetup(instance, t, nil, NewGenerateSignerAction(), secret, old)
 			},
@@ -435,7 +433,7 @@ func Test_SignerHandle(t *testing.T) {
 					},
 				}
 
-				old := tsa.CreateSecrets(instance.Namespace, "old", elliptic.P256())
+				old := tsa.CreateSecrets(instance.Namespace, "old")
 				old.Annotations = generateSecretAnnotations(*instance.Status.Signer)
 				return common.TsaTestSetup(instance, t, nil, NewGenerateSignerAction(), old)
 			},
@@ -479,7 +477,7 @@ func Test_SignerHandle(t *testing.T) {
 					},
 				}
 
-				secret := tsa.CreateSecrets(instance.Namespace, "secret", elliptic.P256())
+				secret := tsa.CreateSecrets(instance.Namespace, "secret")
 				secret.Annotations = generateSecretAnnotations(instance.Spec.Signer)
 				secret.Labels = map[string]string{TSACertCALabel: "fake"}
 				return common.TsaTestSetup(instance, t, nil, NewGenerateSignerAction(), secret)

internal/controller/tsa/tsa_hot_update_test.go

@@ -18,7 +18,6 @@ limitations under the License.
 
 import (
 	"context"
-	"crypto/elliptic"
 	"time"
 
 	"github.com/securesign/operator/internal/constants"
@@ -188,7 +187,7 @@ var _ = Describe("Timestamp Authority hot update", func() {
 			}).Should(Equal(constants.Pending))
 
 			By("Creating new certificate chain and signer keys")
-			secret := tsa.CreateSecrets(Namespace, "tsa-test-secret", elliptic.P256())
+			secret := tsa.CreateSecrets(Namespace, "tsa-test-secret")
 			Expect(suite.Client().Create(context.TODO(), secret)).NotTo(HaveOccurred())
 
 			By("Status field changed for cert chain")

test/e2e/fips/ctlog_signer_test.go

@@ -4,11 +4,13 @@ package fips
 
 import (
 	"crypto/elliptic"
+	"testing"
 
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 	"github.com/securesign/operator/api/v1alpha1"
 	ctlogactions "github.com/securesign/operator/internal/controller/ctlog/actions"
+	fipsTest "github.com/securesign/operator/internal/utils/crypto/test"
 	"github.com/securesign/operator/test/e2e/support"
 	"github.com/securesign/operator/test/e2e/support/steps"
 	"github.com/securesign/operator/test/e2e/support/tas/ctlog"
@@ -18,6 +20,7 @@ import (
 	"github.com/securesign/operator/test/e2e/support/tas/tsa"
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 )
 
@@ -80,11 +83,11 @@ var _ = Describe("Securesign FIPS - ctlog signer test", Ordered, func() {
 
 	Describe("Reject non-FIPS ctlog key then accept FIPS-compliant key", func() {
 		BeforeAll(func(ctx SpecContext) {
-			Expect(cli.Create(ctx, ctlog.CreateSecret(namespace.Name, "my-ctlog-secret", elliptic.P224()))).To(Succeed())
-			Expect(cli.Create(ctx, ctlog.CreateSecret(namespace.Name, "my-ctlog-tuf-secret", elliptic.P256()))).To(Succeed())
-			Expect(cli.Create(ctx, fulcio.CreateSecret(namespace.Name, "my-fulcio-secret", elliptic.P256()))).To(Succeed())
-			Expect(cli.Create(ctx, rekor.CreateSecret(namespace.Name, "my-rekor-secret", elliptic.P256()))).To(Succeed())
-			Expect(cli.Create(ctx, tsa.CreateSecrets(namespace.Name, "test-tsa-secret", elliptic.P256()))).To(Succeed())
+			Expect(cli.Create(ctx, createCustomCtlogSecret(namespace.Name, "my-ctlog-secret"))).To(Succeed())
+			Expect(cli.Create(ctx, ctlog.CreateSecret(namespace.Name, "my-ctlog-tuf-secret"))).To(Succeed())
+			Expect(cli.Create(ctx, fulcio.CreateSecret(namespace.Name, "my-fulcio-secret"))).To(Succeed())
+			Expect(cli.Create(ctx, rekor.CreateSecret(namespace.Name, "my-rekor-secret"))).To(Succeed())
+			Expect(cli.Create(ctx, tsa.CreateSecrets(namespace.Name, "test-tsa-secret"))).To(Succeed())
 			Expect(cli.Create(ctx, s)).To(Succeed())
 		})
 
@@ -120,3 +123,18 @@ var _ = Describe("Securesign FIPS - ctlog signer test", Ordered, func() {
 		})
 	})
 })
+
+func createCustomCtlogSecret(ns string, name string) *v1.Secret {
+	private := fipsTest.GenerateECPrivateKeyPEM(&testing.T{}, elliptic.P224())
+	public := fipsTest.GenerateECPublicKeyPEM(&testing.T{}, elliptic.P224())
+	return &v1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name,
+			Namespace: ns,
+		},
+		Data: map[string][]byte{
+			"private": private,
+			"public":  public,
+		},
+	}
+}

test/e2e/fips/fulcio_cert_test.go

@@ -4,12 +4,14 @@ package fips
 
 import (
 	"crypto/elliptic"
+	"testing"
 
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 	"github.com/securesign/operator/api/v1alpha1"
 	"github.com/securesign/operator/internal/constants"
 	fulcioactions "github.com/securesign/operator/internal/controller/fulcio/actions"
+	fipsTest "github.com/securesign/operator/internal/utils/crypto/test"
 	"github.com/securesign/operator/test/e2e/support"
 	"github.com/securesign/operator/test/e2e/support/steps"
 	"github.com/securesign/operator/test/e2e/support/tas/ctlog"
@@ -19,6 +21,7 @@ import (
 	"github.com/securesign/operator/test/e2e/support/tas/tsa"
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 )
 
@@ -81,11 +84,11 @@ var _ = Describe("Securesign FIPS - fulcio cert test", Ordered, func() {
 
 	Describe("Reject non-FIPS fulcio key and cert then accept FIPS-compliant key and cert", func() {
 		BeforeAll(func(ctx SpecContext) {
-			Expect(cli.Create(ctx, ctlog.CreateSecret(namespace.Name, "my-ctlog-secret", elliptic.P256()))).To(Succeed())
-			Expect(cli.Create(ctx, fulciohelpers.CreateSecret(namespace.Name, "my-fulcio-secret", elliptic.P224()))).To(Succeed())
-			Expect(cli.Create(ctx, fulciohelpers.CreateSecret(namespace.Name, "my-fulcio-tuf-secret", elliptic.P256()))).To(Succeed())
-			Expect(cli.Create(ctx, rekor.CreateSecret(namespace.Name, "my-rekor-secret", elliptic.P256()))).To(Succeed())
-			Expect(cli.Create(ctx, tsa.CreateSecrets(namespace.Name, "test-tsa-secret", elliptic.P256()))).To(Succeed())
+			Expect(cli.Create(ctx, ctlog.CreateSecret(namespace.Name, "my-ctlog-secret"))).To(Succeed())
+			Expect(cli.Create(ctx, createCustomFulcioSecret(namespace.Name, "my-fulcio-secret"))).To(Succeed())
+			Expect(cli.Create(ctx, fulciohelpers.CreateSecret(namespace.Name, "my-fulcio-tuf-secret"))).To(Succeed())
+			Expect(cli.Create(ctx, rekor.CreateSecret(namespace.Name, "my-rekor-secret"))).To(Succeed())
+			Expect(cli.Create(ctx, tsa.CreateSecrets(namespace.Name, "test-tsa-secret"))).To(Succeed())
 			Expect(cli.Create(ctx, s)).To(Succeed())
 		})
 
@@ -132,3 +135,20 @@ var _ = Describe("Securesign FIPS - fulcio cert test", Ordered, func() {
 	})
 
 })
+
+func createCustomFulcioSecret(ns, name string) *v1.Secret {
+	priv := fipsTest.GenerateECPrivateKeyPEM(&testing.T{}, elliptic.P224())
+	cert := fipsTest.GenerateECCertificatePEM(&testing.T{}, elliptic.P224())
+
+	return &v1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name,
+			Namespace: ns,
+		},
+		Data: map[string][]byte{
+			"password": []byte(support.CertPassword),
+			"private":  priv,
+			"cert":     cert,
+		},
+	}
+}

test/e2e/fips/rekor_signer_test.go

@@ -4,12 +4,14 @@ package fips
 
 import (
 	"crypto/elliptic"
+	"testing"
 
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 	"github.com/securesign/operator/api/v1alpha1"
 	"github.com/securesign/operator/internal/constants"
 	rekoractions "github.com/securesign/operator/internal/controller/rekor/actions"
+	fipsTest "github.com/securesign/operator/internal/utils/crypto/test"
 	"github.com/securesign/operator/test/e2e/support"
 	"github.com/securesign/operator/test/e2e/support/steps"
 	"github.com/securesign/operator/test/e2e/support/tas/ctlog"
@@ -19,6 +21,7 @@ import (
 	"github.com/securesign/operator/test/e2e/support/tas/tsa"
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 )
 
@@ -82,11 +85,11 @@ var _ = Describe("Securesign FIPS - rekor signer test", Ordered, func() {
 
 	Describe("Reject non-FIPS Rekor private key then accept FIPS-compliant key", func() {
 		BeforeAll(func(ctx SpecContext) {
-			Expect(cli.Create(ctx, ctlog.CreateSecret(namespace.Name, "my-ctlog-secret", elliptic.P256()))).To(Succeed())
-			Expect(cli.Create(ctx, fulcio.CreateSecret(namespace.Name, "my-fulcio-secret", elliptic.P256()))).To(Succeed())
-			Expect(cli.Create(ctx, rekor.CreateSecret(namespace.Name, "my-rekor-secret", elliptic.P224()))).To(Succeed())
-			Expect(cli.Create(ctx, rekor.CreateSecret(namespace.Name, "my-tuf-rekor-secret", elliptic.P256()))).To(Succeed())
-			Expect(cli.Create(ctx, tsa.CreateSecrets(namespace.Name, "test-tsa-secret", elliptic.P256()))).To(Succeed())
+			Expect(cli.Create(ctx, ctlog.CreateSecret(namespace.Name, "my-ctlog-secret"))).To(Succeed())
+			Expect(cli.Create(ctx, fulcio.CreateSecret(namespace.Name, "my-fulcio-secret"))).To(Succeed())
+			Expect(cli.Create(ctx, createCustomRekorSecret(namespace.Name, "my-rekor-secret"))).To(Succeed())
+			Expect(cli.Create(ctx, rekor.CreateSecret(namespace.Name, "my-tuf-rekor-secret"))).To(Succeed())
+			Expect(cli.Create(ctx, tsa.CreateSecrets(namespace.Name, "test-tsa-secret"))).To(Succeed())
 			Expect(cli.Create(ctx, s)).To(Succeed())
 		})
 
@@ -121,3 +124,18 @@ var _ = Describe("Securesign FIPS - rekor signer test", Ordered, func() {
 	})
 
 })
+
+func createCustomRekorSecret(ns string, name string) *v1.Secret {
+	private := fipsTest.GenerateECPrivateKeyPEM(&testing.T{}, elliptic.P224())
+	public := fipsTest.GenerateECPublicKeyPEM(&testing.T{}, elliptic.P224())
+	return &v1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name,
+			Namespace: ns,
+		},
+		Data: map[string][]byte{
+			"private": private,
+			"public":  public,
+		},
+	}
+}

test/e2e/fips/tsa_cert_chain_test.go

@@ -4,12 +4,14 @@ package fips
 
 import (
 	"crypto/elliptic"
+	"testing"
 
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 	"github.com/securesign/operator/api/v1alpha1"
 	"github.com/securesign/operator/internal/constants"
 	tsaactions "github.com/securesign/operator/internal/controller/tsa/actions"
+	fipsTest "github.com/securesign/operator/internal/utils/crypto/test"
 	"github.com/securesign/operator/test/e2e/support"
 	"github.com/securesign/operator/test/e2e/support/steps"
 	"github.com/securesign/operator/test/e2e/support/tas/ctlog"
@@ -19,6 +21,7 @@ import (
 	"github.com/securesign/operator/test/e2e/support/tas/tsa"
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 )
 
@@ -82,11 +85,11 @@ var _ = Describe("Securesign FIPS - TSA Cert chain", Ordered, func() {
 
 	Describe("Reject non-FIPS TSA Cert chain and key then accept FIPS-compliant key", func() {
 		BeforeAll(func(ctx SpecContext) {
-			Expect(cli.Create(ctx, ctlog.CreateSecret(namespace.Name, "my-ctlog-secret", elliptic.P256()))).To(Succeed())
-			Expect(cli.Create(ctx, fulcio.CreateSecret(namespace.Name, "my-fulcio-secret", elliptic.P256()))).To(Succeed())
-			Expect(cli.Create(ctx, rekor.CreateSecret(namespace.Name, "my-rekor-secret", elliptic.P256()))).To(Succeed())
-			Expect(cli.Create(ctx, tsa.CreateSecrets(namespace.Name, "test-tuf-tsa-secret", elliptic.P256()))).To(Succeed())
-			Expect(cli.Create(ctx, tsa.CreateSecrets(namespace.Name, "test-tsa-secret", elliptic.P224()))).To(Succeed())
+			Expect(cli.Create(ctx, ctlog.CreateSecret(namespace.Name, "my-ctlog-secret"))).To(Succeed())
+			Expect(cli.Create(ctx, fulcio.CreateSecret(namespace.Name, "my-fulcio-secret"))).To(Succeed())
+			Expect(cli.Create(ctx, rekor.CreateSecret(namespace.Name, "my-rekor-secret"))).To(Succeed())
+			Expect(cli.Create(ctx, tsa.CreateSecrets(namespace.Name, "test-tuf-tsa-secret"))).To(Succeed())
+			Expect(cli.Create(ctx, createCustomTsaSecret(namespace.Name, "test-tsa-secret"))).To(Succeed())
 			Expect(cli.Create(ctx, s)).To(Succeed())
 		})
 
@@ -133,3 +136,20 @@ var _ = Describe("Securesign FIPS - TSA Cert chain", Ordered, func() {
 		})
 	})
 })
+
+func createCustomTsaSecret(ns, name string) *v1.Secret {
+	leafPriv := fipsTest.GenerateECPrivateKeyPEM(&testing.T{}, elliptic.P224())
+	chain := fipsTest.GenerateECCertificatePEM(&testing.T{}, elliptic.P256())
+
+	return &v1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name,
+			Namespace: ns,
+		},
+		Data: map[string][]byte{
+			"leafPrivateKey":         leafPriv,
+			"leafPrivateKeyPassword": []byte(support.CertPassword),
+			"certificateChain":       chain,
+		},
+	}
+}

test/e2e/fulcio_key_rotation_test.go

@@ -3,7 +3,6 @@
 package e2e
 
 import (
-	"crypto/elliptic"
 	"os"
 	"os/exec"
 	"path/filepath"
@@ -85,7 +84,7 @@ var _ = Describe("Fulcio cert rotation test", Ordered, func() {
 
 		It("Update fulcio cert", func(ctx SpecContext) {
 			secretName := "new-fulcio-cert"
-			newCert = fulcio.CreateSecret(namespace.Name, secretName, elliptic.P256())
+			newCert = fulcio.CreateSecret(namespace.Name, secretName)
 			Expect(cli.Create(ctx, newCert)).To(Succeed())
 
 			Eventually(func(g Gomega) error {

test/e2e/key_autodiscovery_test.go

@@ -3,8 +3,6 @@
 package e2e
 
 import (
-	"crypto/elliptic"
-
 	"github.com/securesign/operator/internal/utils/kubernetes"
 	"github.com/securesign/operator/test/e2e/support/steps"
 	"github.com/securesign/operator/test/e2e/support/tas/securesign"
@@ -47,10 +45,10 @@ var _ = Describe("Securesign key autodiscovery test", Ordered, func() {
 
 	Describe("Install with provided certificates", func() {
 		BeforeAll(func(ctx SpecContext) {
-			Expect(cli.Create(ctx, ctlog.CreateSecret(namespace.Name, "my-ctlog-secret", elliptic.P256()))).To(Succeed())
-			Expect(cli.Create(ctx, fulcio.CreateSecret(namespace.Name, "my-fulcio-secret", elliptic.P256()))).To(Succeed())
-			Expect(cli.Create(ctx, rekor.CreateSecret(namespace.Name, "my-rekor-secret", elliptic.P256()))).To(Succeed())
-			Expect(cli.Create(ctx, tsa.CreateSecrets(namespace.Name, "test-tsa-secret", elliptic.P256()))).To(Succeed())
+			Expect(cli.Create(ctx, ctlog.CreateSecret(namespace.Name, "my-ctlog-secret"))).To(Succeed())
+			Expect(cli.Create(ctx, fulcio.CreateSecret(namespace.Name, "my-fulcio-secret"))).To(Succeed())
+			Expect(cli.Create(ctx, rekor.CreateSecret(namespace.Name, "my-rekor-secret"))).To(Succeed())
+			Expect(cli.Create(ctx, tsa.CreateSecrets(namespace.Name, "test-tsa-secret"))).To(Succeed())
 			Expect(cli.Create(ctx, s)).To(Succeed())
 		})