|
@@ -27,6 +27,10 @@ export TMP=`mktemp -d`
|
|
|
mkdir -p $TMP/db
|
|
|
|
|
|
tangd-keygen $TMP/db sig exc
|
|
|
+# Make sure keys generated by tangd-keygen have proper permissions.
|
|
|
+valid_key_perm "${TMP}/db/sig.jwk"
|
|
|
+valid_key_perm "${TMP}/db/exc.jwk"
|
|
|
+
|
|
|
jose jwk gen -i '{"alg": "ES512"}' -o $TMP/db/.sig.jwk
|
|
|
jose jwk gen -i '{"alg": "ES512"}' -o $TMP/db/.oth.jwk
|
|
|
|
|
@@ -36,11 +40,11 @@ export PID=$!
|
|
|
sleep 0.5
|
|
|
|
|
|
# Make sure requests on the root fail
|
|
|
-! fetch /
|
|
|
+fetch / && expected_fail
|
|
|
|
|
|
# The request should fail (404) for non-signature key IDs
|
|
|
-! fetch /adv/`jose jwk thp -i $TMP/db/exc.jwk`
|
|
|
-! fetch /adv/`jose jwk thp -a S512 -i $TMP/db/exc.jwk`
|
|
|
+fetch /adv/`jose jwk thp -i $TMP/db/exc.jwk` && expected_fail
|
|
|
+fetch /adv/`jose jwk thp -a S512 -i $TMP/db/exc.jwk` && expected_fail
|
|
|
|
|
|
# The default advertisement fetch should succeed and pass verification
|
|
|
fetch /adv
|
|
@@ -52,17 +56,17 @@ fetch /adv/`jose jwk thp -i $TMP/db/sig.jwk` | ver $TMP/db/sig.jwk
|
|
|
fetch /adv/`jose jwk thp -a S512 -i $TMP/db/sig.jwk` | ver $TMP/db/sig.jwk
|
|
|
|
|
|
# Requesting an adv by an advertised key ID should't be signed by hidden keys
|
|
|
-! fetch /adv/`jose jwk thp -i $TMP/db/sig.jwk` | ver $TMP/db/.sig.jwk
|
|
|
-! fetch /adv/`jose jwk thp -i $TMP/db/sig.jwk` | ver $TMP/db/.oth.jwk
|
|
|
+fetch /adv/`jose jwk thp -i $TMP/db/sig.jwk` | ver $TMP/db/.sig.jwk && expected_fail
|
|
|
+fetch /adv/`jose jwk thp -i $TMP/db/sig.jwk` | ver $TMP/db/.oth.jwk && expected_fail
|
|
|
|
|
|
# Verify that the default advertisement is not signed with hidden signature keys
|
|
|
-! fetch /adv/ | ver $TMP/db/.oth.jwk
|
|
|
-! fetch /adv/ | ver $TMP/db/.sig.jwk
|
|
|
+fetch /adv/ | ver $TMP/db/.oth.jwk && expected_fail
|
|
|
+fetch /adv/ | ver $TMP/db/.sig.jwk && expected_fail
|
|
|
|
|
|
# A private key advertisement is signed by all advertised keys and the requested private key
|
|
|
fetch /adv/`jose jwk thp -i $TMP/db/.sig.jwk` | ver $TMP/db/sig.jwk
|
|
|
fetch /adv/`jose jwk thp -i $TMP/db/.sig.jwk` | ver $TMP/db/.sig.jwk
|
|
|
-! fetch /adv/`jose jwk thp -i $TMP/db/.sig.jwk` | ver $TMP/db/.oth.jwk
|
|
|
+fetch /adv/`jose jwk thp -i $TMP/db/.sig.jwk` | ver $TMP/db/.oth.jwk && expected_fail
|
|
|
|
|
|
# Verify that the advertisements contain the cty parameter
|
|
|
fetch /adv | jose fmt -j- -Og protected -SyOg cty -Sq "jwk-set+json" -E
|
|
@@ -93,6 +97,13 @@ fetch /adv
|
|
|
# Lets's now test with multiple pairs of keys.
|
|
|
for i in 1 2 3 4 5 6 7 8 9; do
|
|
|
tangd-keygen "${TMP}"/db other-sig-${i} other-exc-${i}
|
|
|
+ # Make sure the requested keys exist and are valid.
|
|
|
+ validate_sig "${TMP}/db/other-sig-${i}.jwk"
|
|
|
+ validate_exc "${TMP}/db/other-exc-${i}.jwk"
|
|
|
+
|
|
|
+ # Make sure keys generated by tangd-keygen have proper permissions.
|
|
|
+ valid_key_perm "${TMP}/db/other-sig-${i}.jwk"
|
|
|
+ valid_key_perm "${TMP}/db/other-exc-${i}.jwk"
|
|
|
done
|
|
|
|
|
|
# Verify the advertisement is correct.
|
|
@@ -104,3 +115,23 @@ for jwk in "${TMP}"/db/other-sig-*.jwk; do
|
|
|
fetch /adv/"$(jose jwk thp -a "${alg}" -i "${jwk}")" | ver "${jwk}"
|
|
|
done
|
|
|
done
|
|
|
+
|
|
|
+# Now let's test keys rotation.
|
|
|
+tangd-rotate-keys -d "${TMP}/db"
|
|
|
+for i in 1 2 3 4 5 6 7 8 9; do
|
|
|
+ # Make sure keys were excluded from advertisement.
|
|
|
+ validate_sig "${TMP}/db/.other-sig-${i}.jwk"
|
|
|
+ validate_exc "${TMP}/db/.other-exc-${i}.jwk"
|
|
|
+done
|
|
|
+
|
|
|
+# And test also that we have valid keys after rotation.
|
|
|
+thp=
|
|
|
+for jwk in "${TMP}"/db/*.jwk; do
|
|
|
+ validate_sig "${jwk}" && thp="$(jose jwk thp -a "${THP_DEFAULT_HASH}" \
|
|
|
+ -i "${jwk}")"
|
|
|
+
|
|
|
+ # Make sure keys generated by tangd-rotate-keys have proper permissions.
|
|
|
+ valid_key_perm "${jwk}"
|
|
|
+done
|
|
|
+[ -z "${thp}" ] && die "There should be valid keys after rotation"
|
|
|
+test "$(tang-show-keys $PORT)" = "${thp}"
|