git Service of IN-Ulm e.V. Explore Help
Sign In
cbiedl
/
tang
1
0
Fork 0
Files
Tree: 7561ffb4a8
Branches Tags
tang
/
debian
/
patches
/
cherry-pick
/
1619793024.v9-2-gafb6055.keys-fix-signature-generation.patch

1619793024.v9-2-gafb6055.keys-fix-signature-generation.patch 2.4 KB
History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576 
  1. Subject: Keys: fix signature generation
    2. 

  2. Origin: v9-2-gafb6055 <https://github.com/latchset/tang/commit/v9-2-gafb6055>
    3. 

  3. Upstream-Author: Sergio Correia <scorreia@redhat.com>
    4. 

  4. Date: Fri Apr 30 11:30:24 2021 -0300
    5. 

  5. 

  6.     No need to create and pass an array with our template option.
    7. 

  7.     This was causing issues when we had multiple (>2) pairs of keys.
    8. 

  8. 

  9.     Tests added to cover this scenario.
    10. 

  10. 

  11. --- a/src/keys.c
    12. 

  12. +++ b/src/keys.c
    13. 

  13. @@ -233,21 +233,11 @@
    14. 

  14.      json_auto_t* sig_template = json_pack("{s:{s:s}}",
    15. 

  15.                                            "protected", "cty", "jwk-set+json");
    16. 

  16.  
    17. 

  17. -    /* Use the template with the signing keys. */
    18. 

  18. -    json_auto_t* sig_template_arr = json_array();
    19. 

  19. -    size_t arr_size = json_array_size(sig_keys);
    20. 

  20. -    for (size_t i = 0; i < arr_size; i++) {
    21. 

  21. -        if (json_array_append(sig_template_arr, sig_template) == -1) {
    22. 

  22. -            fprintf(stderr, "Unable to append sig template to array\n");
    23. 

  23. -            return NULL;
    24. 

  24. -        }
    25. 

  25. -    }
    26. 

  26. -
    27. 

  27.      __attribute__ ((__cleanup__(cleanup_str))) char* data_to_sign = json_dumps(payload, 0);
    28. 

  28.      json_auto_t* jws = json_pack("{s:o}", "payload",
    29. 

  29.                                   jose_b64_enc(data_to_sign, strlen(data_to_sign)));
    30. 

  30.  
    31. 

  31. -    if (!jose_jws_sig(NULL, jws, sig_template_arr, sig_keys)) {
    32. 

  32. +    if (!jose_jws_sig(NULL, jws, sig_template, sig_keys)) {
    33. 

  33.          fprintf(stderr, "Error trying to jose_jws_sign\n");
    34. 

  34.          return NULL;
    35. 

  35.      }
    36. 

  36. --- a/tests/adv
    37. 

  37. +++ b/tests/adv
    38. 

  38. @@ -31,6 +31,19 @@
    39. 

  39.      [ -d "$TMP" ] && rm -rf $TMP
    40. 

  40.  }
    41. 

  41.  
    42. 

  42. +validate() {
    43. 

  43. +    if ! _jwks="$(jose fmt --json="${1}" -Og payload -SyOg keys \
    44. 

  44. +                 -AUo- 2>/dev/null)"; then
    45. 

  45. +        echo "Advertisement is malformed" >&2
    46. 

  46. +        exit 1
    47. 

  47. +    fi
    48. 

  48. +    _ver="$(printf '%s' "${_jwks}" | jose jwk use -i- -r -u verify -o-)"
    49. 

  49. +    if ! printf '%s' "${_ver}" | jose jws ver -i "${1}" -k- -a; then
    50. 

  50. +        echo "Advertisement is missing signatures" >&2
    51. 

  51. +        exit 1
    52. 

  52. +    fi
    53. 

  53. +}
    54. 

  54. +
    55. 

  55.  trap 'on_exit' EXIT
    56. 

  56.  trap 'exit' ERR
    57. 

  57.  
    58. 

  58. @@ -95,3 +108,18 @@
    59. 

  59.  done
    60. 

  60.  cd -
    61. 

  61.  fetch /adv
    62. 

  62. +
    63. 

  63. +# Lets's now test with multiple pairs of keys.
    64. 

  64. +for i in 1 2 3 4 5 6 7 8 9; do
    65. 

  65. +    tangd-keygen "${TMP}"/db other-sig-${i} other-exc-${i}
    66. 

  66. +done
    67. 

  67. +
    68. 

  68. +# Verify the advertisement is correct.
    69. 

  69. +validate "$(fetch /adv)"
    70. 

  70. +
    71. 

  71. +# And make sure we can fetch an adv by its thumbprint.
    72. 

  72. +for jwk in "${TMP}"/db/other-sig-*.jwk; do
    73. 

  73. +    for alg in $(jose alg -k hash); do
    74. 

  74. +        fetch /adv/"$(jose jwk thp -a "${alg}" -i "${jwk}")" | ver "${jwk}"
    75. 

  75. +    done
    76. 

  76. +done
    77.