1
0

adv 3.0 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485
  1. #!/bin/bash -x
  2. # vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
  3. #
  4. # Copyright (c) 2016 Red Hat, Inc.
  5. # Author: Nathaniel McCallum <npmccallum@redhat.com>
  6. #
  7. # This program is free software: you can redistribute it and/or modify
  8. # it under the terms of the GNU General Public License as published by
  9. # the Free Software Foundation, either version 3 of the License, or
  10. # (at your option) any later version.
  11. #
  12. # This program is distributed in the hope that it will be useful,
  13. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  14. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  15. # GNU General Public License for more details.
  16. #
  17. # You should have received a copy of the GNU General Public License
  18. # along with this program. If not, see <http://www.gnu.org/licenses/>.
  19. #
  20. function fetch() {
  21. curl -sfg http://127.0.0.1:$PORT$1
  22. }
  23. function ver() {
  24. jose jws ver -i- -k "$1"
  25. }
  26. function on_exit() {
  27. if [ "$PID" ]; then kill $PID; wait $PID || true; fi
  28. [ -d "$TMP" ] && rm -rf $TMP
  29. }
  30. trap 'on_exit' EXIT
  31. trap 'exit' ERR
  32. export TMP=`mktemp -d`
  33. mkdir -p $TMP/db
  34. tangd-keygen $TMP/db sig exc
  35. jose jwk gen -i '{"alg": "ES512"}' -o $TMP/db/.sig.jwk
  36. jose jwk gen -i '{"alg": "ES512"}' -o $TMP/db/.oth.jwk
  37. export PORT=`shuf -i 1024-65536 -n 1`
  38. $SD_ACTIVATE -l "127.0.0.1:$PORT" -a $VALGRIND tangd $TMP/db &
  39. export PID=$!
  40. sleep 0.5
  41. # Make sure requests on the root fail
  42. ! fetch /
  43. # The request should fail (404) for non-signature key IDs
  44. ! fetch /adv/`jose jwk thp -i $TMP/db/exc.jwk`
  45. ! fetch /adv/`jose jwk thp -a S512 -i $TMP/db/exc.jwk`
  46. # The default advertisement fetch should succeed and pass verification
  47. fetch /adv
  48. fetch /adv | ver $TMP/db/sig.jwk
  49. fetch /adv/ | ver $TMP/db/sig.jwk
  50. # Fetching by any thumbprint should work
  51. fetch /adv/`jose jwk thp -i $TMP/db/sig.jwk` | ver $TMP/db/sig.jwk
  52. fetch /adv/`jose jwk thp -a S512 -i $TMP/db/sig.jwk` | ver $TMP/db/sig.jwk
  53. # Requesting an adv by an advertised key ID should't be signed by hidden keys
  54. ! fetch /adv/`jose jwk thp -i $TMP/db/sig.jwk` | ver $TMP/db/.sig.jwk
  55. ! fetch /adv/`jose jwk thp -i $TMP/db/sig.jwk` | ver $TMP/db/.oth.jwk
  56. # Verify that the default advertisement is not signed with hidden signature keys
  57. ! fetch /adv/ | ver $TMP/db/.oth.jwk
  58. ! fetch /adv/ | ver $TMP/db/.sig.jwk
  59. # A private key advertisement is signed by all advertised keys and the requested private key
  60. fetch /adv/`jose jwk thp -i $TMP/db/.sig.jwk` | ver $TMP/db/sig.jwk
  61. fetch /adv/`jose jwk thp -i $TMP/db/.sig.jwk` | ver $TMP/db/.sig.jwk
  62. ! fetch /adv/`jose jwk thp -i $TMP/db/.sig.jwk` | ver $TMP/db/.oth.jwk
  63. # Verify that the advertisements contain the cty parameter
  64. fetch /adv | jose fmt -j- -Og protected -SyOg cty -Sq "jwk-set+json" -E
  65. fetch /adv/`jose jwk thp -i $TMP/db/.sig.jwk` \
  66. | jose fmt -j- -Og signatures -A \
  67. -g 0 -Og protected -SyOg cty -Sq "jwk-set+json" -EUUUUU \
  68. -g 1 -Og protected -SyOg cty -Sq "jwk-set+json" -EUUUUU
  69. test "$(tang-show-keys $PORT)" == "$(jose jwk thp -i $TMP/db/sig.jwk)"