should be it

external/duckdb/test/mbedtls/CMakeLists.txt

@@ -0,0 +1,4 @@
+add_library_unity(test_mbedtls OBJECT test_mbedtls.cpp)
+set(ALL_OBJECT_FILES
+    ${ALL_OBJECT_FILES} $<TARGET_OBJECTS:test_mbedtls>
+    PARENT_SCOPE)

external/duckdb/test/mbedtls/create_files.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+rm dummy_file* *.pem 
+head -c 100000 </dev/urandom > dummy_file
+openssl genrsa -out private.pem 2048
+openssl rsa -in private.pem -outform PEM -pubout -out public.pem
+openssl dgst -binary -sha256 dummy_file > dummy_file.sha256
+openssl pkeyutl -sign -in dummy_file.sha256 -inkey private.pem -pkeyopt digest:sha256 -out dummy_file.signature

external/duckdb/test/mbedtls/dummy_file.sha256

@@ -0,0 +1 @@
+<EFBFBD>!<21>:<3A><>6<EFBFBD><36><EFBFBD>6^a<><61>
<01> <20><>=<3D><>/<11>F8})

external/duckdb/test/mbedtls/dummy_file.signature

@@ -0,0 +1 @@
+i#<23><><EFBFBD>e<02><><EFBFBD><EFBFBD><EFBFBD>e<>6ĥ<36><C4A5>yW<79><57><EFBFBD>d<EFBFBD>C<EFBFBD>"y<19><0F>b<1A><>y<EFBFBD>CS{0<0F>˪<EFBFBD>B<EFBFBD><0B><>8VN><3E><>Ý<59><CD81>Sl<53>C<EFBFBD>G<EFBFBD><47><EFBFBD><EFBFBD><EFBFBD>ӿ2;<07><><EFBFBD>dż<64><C5BC>(<28><>IS<49>S2<53><32><06>*3y<33>::J;<3B><><EFBFBD>ߡ<EFBFBD><DFA1>=}}<7D>ѯ0<0C>ҶS<D2B6><0F>]`W<>{<7B><>C<10><>E8<45>t'wVW<56>^:<3A>}<7D><>o<><6F>p=--1e]<5D>C<EFBFBD><43><EFBFBD>i<EFBFBD>O?<12><> ڢ7U<37>>Q<><51><EFBFBD><EFBFBD>P<EFBFBD><50>	<09>e<EFBFBD>SO<>'~j<><6A><EFBFBD> <20><>hX4<58>"<22><>(&<04>#<23><>k<EFBFBD>5<EFBFBD>c<02>E2<>‰<10><><EFBFBD>

external/duckdb/test/mbedtls/private.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEA4EX5LT9FCzmRj4HITMSALc6J8ImxZkGXF2ihx4sm2D/rusc+
+qnIC2na0/NiSssgTCUnL79Yp2uby5FOmr3xfzkcpu6Zv1vplnECfzpnzl7xiaUHl
+eMZaCRddD5BjaoTOJjHxNSnLO3V8eUkp8nLcpm8XW8k18LVSGezgBHy4ExnRiVsG
+1JJ7W+QUdCHXs5Nn5b8SQR3TdhsyJhL6tlmlXynb/I+gAHGLiencTn4S7P8C5X5H
+S03Np1itaEp81S+yqSuxBCelGn1mNKE8R84/bRuiDHF1RWdl/S31XIAGPjWIOhsG
+wpFoJpIkHsMKUgl7YZVduupF4lzCVjLDbffbCwIDAQABAoIBAQC3spjWpuw2tYC0
+uukFeC5FVtdFXoMf7rmDQwDAIQpANpsu8eQyWBBeQL0eHYaLSbXN9dRFLnY6BtEM
+lDgDpSwUGdXlDf6tZ4uy4HwFDbSopHU3IfKDanR03d4r0Wic5wqz3lRj50e//Ato
+jLT/EXYKHRRU6gp0jxAgjBUxl7ZubT7BB6lMQ+QYj30Fj8ZMi5pQ+/Sm4x8zrtkT
+jUkidTUO1nucaivBZDAaWr47yk7dm/l3XNHTqiQFJJFzK5j+d9TvkxVbJAq2Pb3q
+V11VkfOMMjGqKFXefmOI5uCbZ9UvE+Ys/V3qoy4biW1s6QL4XjTJzDHyDfgzWp4D
+WvCIy6cBAoGBAPVK2SwpsDNGBSRmTNxeK+JvxCrsQ/XFcx+GM0MPjsATlGyBCir4
+c/NvMpaHx2ASBqybIoS8ByIgF/HLR2OUe62DVqrq7+BQAcTORogS3iPmlX93RfjU
+gLaT/1TECMQK7NC0+HJAPiz8WKmIX7qWkjpziz9cV+OlXF9CWeicS+DpAoGBAOoQ
+PIVXRKLAZKwLBiQsfxEJhax8zBoqrQxHotezUHfbIgOTJeKzhbaiBwutfhtHHhLl
+6ZC7GAL55Zgr3gh+gWoQDBeBGV8uZqCFnSDNUgnU7+cVPJP8hGVcd0y5/9cJWY4V
+LiBWEEVRylZjnXSoJ8Imk3x169bmnKaxS8AEvMPTAoGAIl+6z1WIO6c0UUWEv9zy
+iWjgNKOnYmmpGGHWDS/A8WnNAueSZTMsDJEopa+hYPUlukqDK9atqTqWIGw8NNg5
+/LbLDmid9PFBTjMZ7ze1qZJGoPY1+AjPgMZ8oYRXNiHRze2OY3RdQjCavCdAQwWW
+uFo4yUhHiL9DkpXZw58jgwECgYAdvyyB4cJmUL86ojgIluMbPjOP5VhnJu9RNTV7
+5l0ermnXPHc/JYOj31m34Te6rcIjsraJX03A6xOD0GdqevFlkl6HCjA4SYRfeDus
+9IstlrNakfdd82S8IRFEXgsmwBhylzyCfY2Z0bg+XHChZ9GNuitaUP5FFI/qG3Q+
+FhwLYwKBgBfQCqnQOab/ZLb5cYwWTEfkHZvds+XKB61jMSx0NRLTPuGAxq6KYgzI
+ZA2GtEP3pjRDLVF6PDy4fjf5zXN3lvVuDHnhj71Goq7PEja4ZNyR8WOdgTeoQeR9
+ojcT04KbAYrTldtmZKfCjjkivx6Hp9SXtIejzbPPDFRyz3v7zz4c
+-----END RSA PRIVATE KEY-----

external/duckdb/test/mbedtls/public.pem

@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4EX5LT9FCzmRj4HITMSA
+Lc6J8ImxZkGXF2ihx4sm2D/rusc+qnIC2na0/NiSssgTCUnL79Yp2uby5FOmr3xf
+zkcpu6Zv1vplnECfzpnzl7xiaUHleMZaCRddD5BjaoTOJjHxNSnLO3V8eUkp8nLc
+pm8XW8k18LVSGezgBHy4ExnRiVsG1JJ7W+QUdCHXs5Nn5b8SQR3TdhsyJhL6tlml
+Xynb/I+gAHGLiencTn4S7P8C5X5HS03Np1itaEp81S+yqSuxBCelGn1mNKE8R84/
+bRuiDHF1RWdl/S31XIAGPjWIOhsGwpFoJpIkHsMKUgl7YZVduupF4lzCVjLDbffb
+CwIDAQAB
+-----END PUBLIC KEY-----

external/duckdb/test/mbedtls/test_mbedtls.cpp

@@ -0,0 +1,58 @@
+#include "catch.hpp"
+#include "mbedtls_wrapper.hpp"
+
+#include <chrono>
+#include <thread>
+#include <fstream>
+#include <sstream>
+
+using namespace duckdb_mbedtls;
+using namespace std;
+
+static string file_to_string(string filename) {
+	std::ifstream stream(filename, ios_base::binary);
+	duckdb::stringstream buffer;
+	buffer << stream.rdbuf();
+	return buffer.str();
+}
+
+TEST_CASE("Test that we can verify a signature", "[mbedtls]") {
+	// those files are created with the create_files.sh script
+	auto file_content = file_to_string("test/mbedtls/dummy_file");
+	auto signature = file_to_string("test/mbedtls/dummy_file.signature");
+	auto pubkey = file_to_string("test/mbedtls/public.pem");
+
+	auto hash = MbedTlsWrapper::ComputeSha256Hash(file_content);
+	REQUIRE(MbedTlsWrapper::IsValidSha256Signature(pubkey, signature, hash));
+	string empty_string = "";
+
+	auto borked_pubkey = pubkey;
+	borked_pubkey[10]++;
+
+	// a borked public key is an exception, this should never happen
+	REQUIRE_THROWS(MbedTlsWrapper::IsValidSha256Signature(borked_pubkey, signature, hash));
+	REQUIRE_THROWS(MbedTlsWrapper::IsValidSha256Signature(empty_string, signature, hash));
+
+	// wrong-length signatures or hashes should never happen either
+	REQUIRE_THROWS(MbedTlsWrapper::IsValidSha256Signature(pubkey, empty_string, hash));
+	REQUIRE_THROWS(MbedTlsWrapper::IsValidSha256Signature(pubkey, signature, empty_string));
+
+	// lets flip some bits in the file, it should not validate
+	auto borked_file = file_content;
+	borked_file[10]++;
+	auto hash2 = MbedTlsWrapper::ComputeSha256Hash(borked_file);
+	REQUIRE(!MbedTlsWrapper::IsValidSha256Signature(pubkey, signature, hash2));
+
+	auto borked_signature = signature;
+	borked_signature[10]++;
+	REQUIRE(!MbedTlsWrapper::IsValidSha256Signature(pubkey, borked_signature, hash));
+
+	auto borked_hash = hash;
+	borked_hash[10]++;
+	auto hash3 = MbedTlsWrapper::ComputeSha256Hash(empty_string);
+	REQUIRE(!MbedTlsWrapper::IsValidSha256Signature(pubkey, signature, hash3));
+	REQUIRE(!MbedTlsWrapper::IsValidSha256Signature(pubkey, signature, borked_hash));
+
+	// seems all right!
+	REQUIRE(MbedTlsWrapper::IsValidSha256Signature(pubkey, signature, hash));
+}