#!/bin/bash -x # vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80: # # Copyright (c) 2016 Red Hat, Inc. # Author: Nathaniel McCallum # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . # function fetch() { curl -sfg http://127.0.0.1:$PORT$1 } function ver() { jose jws ver -i- -k "$1" } function on_exit() { if [ "$PID" ]; then kill $PID; wait $PID || true; fi [ -d "$TMP" ] && rm -rf $TMP } trap 'on_exit' EXIT trap 'exit' ERR export TMP=`mktemp -d` mkdir -p $TMP/db mkdir -p $TMP/cache tangd-keygen $TMP/db sig exc jose jwk gen -i '{"alg": "ES512"}' -o $TMP/db/.sig.jwk jose jwk gen -i '{"alg": "ES512"}' -o $TMP/db/.oth.jwk tangd-update $TMP/db $TMP/cache export PORT=`shuf -i 1024-65536 -n 1` $SD_ACTIVATE -l "127.0.0.1:$PORT" -a $VALGRIND tangd $TMP/cache & export PID=$! sleep 0.5 # Make sure requests on the root fail ! fetch / # The request should fail (404) for non-signature key IDs ! fetch /adv/`jose jwk thp -i $TMP/db/exc.jwk` ! fetch /adv/`jose jwk thp -a S512 -i $TMP/db/exc.jwk` # The default advertisement fetch should succeed and pass verification fetch /adv fetch /adv | ver $TMP/db/sig.jwk fetch /adv/ | ver $TMP/db/sig.jwk # Fetching by any thumbprint should work fetch /adv/`jose jwk thp -i $TMP/db/sig.jwk` | ver $TMP/db/sig.jwk fetch /adv/`jose jwk thp -a S512 -i $TMP/db/sig.jwk` | ver $TMP/db/sig.jwk # Requesting an adv by an advertised key ID should't be signed by hidden keys ! fetch /adv/`jose jwk thp -i $TMP/db/sig.jwk` | ver $TMP/db/.sig.jwk ! fetch /adv/`jose jwk thp -i $TMP/db/sig.jwk` | ver $TMP/db/.oth.jwk # Verify that the default advertisement is not signed with hidden signature keys ! fetch /adv/ | ver $TMP/db/.oth.jwk ! fetch /adv/ | ver $TMP/db/.sig.jwk # A private key advertisement is signed by all advertised keys and the requested private key fetch /adv/`jose jwk thp -i $TMP/db/.sig.jwk` | ver $TMP/db/sig.jwk fetch /adv/`jose jwk thp -i $TMP/db/.sig.jwk` | ver $TMP/db/.sig.jwk ! fetch /adv/`jose jwk thp -i $TMP/db/.sig.jwk` | ver $TMP/db/.oth.jwk # Verify that the advertisements contain the cty parameter fetch /adv | jose fmt -j- -Og protected -SyOg cty -Sq "jwk-set+json" -E fetch /adv/`jose jwk thp -i $TMP/db/.sig.jwk` \ | jose fmt -j- -Og signatures -A \ -g 0 -Og protected -SyOg cty -Sq "jwk-set+json" -EUUUUU \ -g 1 -Og protected -SyOg cty -Sq "jwk-set+json" -EUUUUU test $(tang-show-keys $PORT) == $(jose jwk thp -i $TMP/db/sig.jwk)