more cov

Signed-off-by: William Woodruff <[email protected]>
trailofbits · Jun 6, 2024 · 84b5522 · 84b5522
1 parent 40c46f8
commit 84b5522
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 2 deletions.
diff --git a/src/pypi_attestation_models/_impl.py b/src/pypi_attestation_models/_impl.py
@@ -196,12 +196,12 @@ def pypi_to_sigstore(pypi_attestation: Attestation) -> Bundle:
     try:
         certificate = x509.load_der_x509_certificate(cert_bytes)
     except ValueError as err:
-        raise ConversionError(str(err)) from err
+        raise ConversionError("invalid X.509 certificate") from err
 
     try:
         log_entry = LogEntry._from_dict_rekor(tlog_entry)  # noqa: SLF001
     except (ValidationError, sigstore.errors.Error) as err:
-        raise ConversionError(str(err)) from err
+        raise ConversionError("invalid transparency log entry") from err
 
     return Bundle._from_parts(  # noqa: SLF001
         cert=certificate,

diff --git a/test/test_impl.py b/test/test_impl.py
@@ -7,6 +7,7 @@
 import pypi_attestation_models._impl as impl
 import pytest
 from sigstore.dsse import _DigestSet, _StatementBuilder, _Subject
+from sigstore.models import Bundle
 from sigstore.oidc import IdentityToken
 from sigstore.sign import SigningContext
 from sigstore.verify import Verifier, policy
@@ -148,3 +149,27 @@ def test_verify_too_many_subjects(self) -> None:
 
         with pytest.raises(impl.VerificationError, match="too many subjects in statement"):
             attestation.verify(verifier, pol, artifact_path)
+
+
+def test_sigstore_to_pypi_missing_signatures() -> None:
+    bundle = Bundle.from_json(bundle_path.read_bytes())
+    bundle._inner.dsse_envelope.signatures = []  # noqa: SLF001
+
+    with pytest.raises(impl.ConversionError, match="expected exactly one signature, got 0"):
+        impl.sigstore_to_pypi(bundle)
+
+
+def test_pypi_to_sigstore_invalid_cert() -> None:
+    attestation = impl.Attestation.model_validate_json(attestation_path.read_bytes())
+    attestation.verification_material.certificate = b"foo"
+
+    with pytest.raises(impl.ConversionError, match="invalid X.509 certificate"):
+        impl.pypi_to_sigstore(attestation)
+
+
+def test_pypi_to_sigstore_invalid_tlog_entry() -> None:
+    attestation = impl.Attestation.model_validate_json(attestation_path.read_bytes())
+    attestation.verification_material.transparency_entries[0].clear()
+
+    with pytest.raises(impl.ConversionError, match="invalid transparency log entry"):
+        impl.pypi_to_sigstore(attestation)