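#!/bin/bash
# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
#
# Copyright (c) 2016 Red Hat, Inc.
# Author: Nathaniel McCallum
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
#
# Integration test for tangd advertisement (/adv) handling.
#
# It builds a key database with two advertised keys (sig, exc) and two
# leading-dot "hidden" keys (.sig, .oth), starts tangd on a random loopback
# port for both IPv4 and IPv6, and checks which keys may -- and, more
# importantly, may not -- sign each advertisement.
#
# Environment:
#   SD_ACTIVATE - socket-activation wrapper used to start tangd
#   VALGRIND    - optional wrapper placed in front of the tangd command
#   PATH        - must provide tangd, tangd-keygen, tangd-update, jose, curl
#
# The -x trace that used to live in the shebang is set here so it survives
# being run as "bash <script>".
set -x
set -o pipefail

#######################################
# Print a failure message to stderr and abort the test run.
# Arguments: the message words
#######################################
fail() {
    printf 'FAIL: %s\n' "$*" >&2
    exit 1
}

#######################################
# Stop the tangd instance (if any) and remove the temp directory.
# Globals: PID (read), TMP (read)
#######################################
on_exit() {
    if [[ -n "${PID:-}" ]]; then
        kill "$PID" 2>/dev/null || true
        wait "$PID" || true
    fi
    # ${TMP:?} refuses to expand to an empty string, so a broken mktemp can
    # never turn this into "rm -rf" of the current directory.
    if [[ -d "${TMP:-}" ]]; then
        rm -rf -- "${TMP:?}"
    fi
}

#######################################
# Block until the server answers on the given base URL, or give up.
# Readiness is probed on /adv, which must succeed once tangd is reachable.
# Arguments: $1 - base URL, e.g. http://127.0.0.1:1234
# Returns:   0 when the server responds, 1 after ~10 seconds without answer
#######################################
wait_for_server() {
    local base=$1
    local i
    for ((i = 0; i < 100; i++)); do
        if curl -sfg "$base/adv" >/dev/null; then
            return 0
        fi
        sleep 0.1
    done
    return 1
}

trap 'on_exit' EXIT
# Any unguarded failing command aborts the run with that command's status.
# Note: without "set -E" this trap is not inherited by functions, so the
# helpers above check their own status explicitly.
trap 'exit' ERR

export TMP
TMP=$(mktemp -d) || fail "mktemp failed"

mkdir -p "$TMP/db" "$TMP/cache"

# Two advertised keys (sig, exc) plus two hidden keys (.sig, .oth).  The
# hidden keys must never sign the default advertisement.
tangd-keygen "$TMP/db" sig exc
jose jwk gen -i '{"alg": "ES512"}' -o "$TMP/db/.sig.jwk"
jose jwk gen -i '{"alg": "ES512"}' -o "$TMP/db/.oth.jwk"
tangd-update "$TMP/db" "$TMP/cache"

# Thumbprints do not change between loop iterations: compute them once.
exc_thp=$(jose jwk thp -i "$TMP/db/exc.jwk")
exc_thp512=$(jose jwk thp -a S512 -i "$TMP/db/exc.jwk")
sig_thp=$(jose jwk thp -i "$TMP/db/sig.jwk")
sig_thp512=$(jose jwk thp -a S512 -i "$TMP/db/sig.jwk")
hid_thp=$(jose jwk thp -i "$TMP/db/.sig.jwk")

for addr in "127.0.0.1" "[::1]"; do
    # 65535 is the highest valid TCP port; the previous upper bound of
    # 65536 could yield an unbindable address.  A collision with a port
    # that is already in use still fails the run rather than retrying.
    port=$(shuf -i 1024-65535 -n 1)
    base="http://$addr:$port"

    # SD_ACTIVATE and VALGRIND stay unquoted on purpose: either may be
    # empty or carry its own arguments.
    # shellcheck disable=SC2086
    $SD_ACTIVATE -l "$addr:$port" -a $VALGRIND tangd "$TMP/cache" &
    PID=$!
    wait_for_server "$base" || fail "tangd did not come up on $base"

    # Requests on the root must fail.  A bare "! cmd" never fires the ERR
    # trap (bash skips it for inverted commands), so every negative
    # assertion below carries an explicit "|| fail".
    ! curl -sfg "$base/" || fail "request on / succeeded for $base"

    # Non-signature key IDs must be rejected (404).
    ! curl -sfg "$base/adv/$exc_thp" \
        || fail "adv was served for the exc key thumbprint"
    ! curl -sfg "$base/adv/$exc_thp512" \
        || fail "adv was served for the exc key S512 thumbprint"

    # The default advertisement is served and verifies under the advertised
    # signature key.
    curl -sfg "$base/adv"
    curl -sfg "$base/adv" | jose jws ver -i- -k "$TMP/db/sig.jwk"
    curl -sfg "$base/adv/" | jose jws ver -i- -k "$TMP/db/sig.jwk"

    # Fetching by either thumbprint of an advertised key works.
    curl -sfg "$base/adv/$sig_thp" | jose jws ver -i- -k "$TMP/db/sig.jwk"
    curl -sfg "$base/adv/$sig_thp512" | jose jws ver -i- -k "$TMP/db/sig.jwk"

    # An advertisement requested by an advertised key ID must not be signed
    # by hidden keys.
    ! curl -sfg "$base/adv/$sig_thp" | jose jws ver -i- -k "$TMP/db/.sig.jwk" \
        || fail "adv for sig key is signed by hidden .sig key"
    ! curl -sfg "$base/adv/$sig_thp" | jose jws ver -i- -k "$TMP/db/.oth.jwk" \
        || fail "adv for sig key is signed by hidden .oth key"

    # The default advertisement must not be signed by hidden keys either.
    ! curl -sfg "$base/adv/" | jose jws ver -i- -k "$TMP/db/.oth.jwk" \
        || fail "default adv is signed by hidden .oth key"
    ! curl -sfg "$base/adv/" | jose jws ver -i- -k "$TMP/db/.sig.jwk" \
        || fail "default adv is signed by hidden .sig key"

    # An advertisement requested by a hidden key ID is signed by all
    # advertised keys and by the requested hidden key, but not by other
    # hidden keys.
    curl -sfg "$base/adv/$hid_thp" | jose jws ver -i- -k "$TMP/db/sig.jwk"
    curl -sfg "$base/adv/$hid_thp" | jose jws ver -i- -k "$TMP/db/.sig.jwk"
    ! curl -sfg "$base/adv/$hid_thp" | jose jws ver -i- -k "$TMP/db/.oth.jwk" \
        || fail "adv for hidden .sig key is signed by hidden .oth key"

    # Every signature's protected header carries cty = "jwk-set+json".
    curl -sfg "$base/adv" \
        | jose fmt -j- -Og protected -SyOg cty -Sq "jwk-set+json" -E
    curl -sfg "$base/adv/$hid_thp" \
        | jose fmt -j- -Og signatures -A \
            -g 0 -Og protected -SyOg cty -Sq "jwk-set+json" -EUUUUU \
            -g 1 -Og protected -SyOg cty -Sq "jwk-set+json" -EUUUUU

    kill "$PID"
    wait "$PID" || true
    unset PID
done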