| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687 |
- #!/bin/bash -x
- # vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
- #
- # Copyright (c) 2016 Red Hat, Inc.
- # Author: Nathaniel McCallum <npmccallum@redhat.com>
- #
- # This program is free software: you can redistribute it and/or modify
- # it under the terms of the GNU General Public License as published by
- # the Free Software Foundation, either version 3 of the License, or
- # (at your option) any later version.
- #
- # This program is distributed in the hope that it will be useful,
- # but WITHOUT ANY WARRANTY; without even the implied warranty of
- # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- # GNU General Public License for more details.
- #
- # You should have received a copy of the GNU General Public License
- # along with this program. If not, see <http://www.gnu.org/licenses/>.
- #
- function fetch() {
- curl -sfg http://127.0.0.1:$PORT$1
- }
- function ver() {
- jose jws ver -i- -k "$1"
- }
- function on_exit() {
- if [ "$PID" ]; then kill $PID; wait $PID || true; fi
- [ -d "$TMP" ] && rm -rf $TMP
- }
- trap 'on_exit' EXIT
- trap 'exit' ERR
- export TMP=`mktemp -d`
- mkdir -p $TMP/db
- mkdir -p $TMP/cache
- tangd-keygen $TMP/db sig exc
- jose jwk gen -i '{"alg": "ES512"}' -o $TMP/db/.sig.jwk
- jose jwk gen -i '{"alg": "ES512"}' -o $TMP/db/.oth.jwk
- tangd-update $TMP/db $TMP/cache
- export PORT=`shuf -i 1024-65536 -n 1`
- $SD_ACTIVATE -l "127.0.0.1:$PORT" -a $VALGRIND tangd $TMP/cache &
- export PID=$!
- sleep 0.5
- # Make sure requests on the root fail
- ! fetch /
- # The request should fail (404) for non-signature key IDs
- ! fetch /adv/`jose jwk thp -i $TMP/db/exc.jwk`
- ! fetch /adv/`jose jwk thp -a S512 -i $TMP/db/exc.jwk`
- # The default advertisement fetch should succeed and pass verification
- fetch /adv
- fetch /adv | ver $TMP/db/sig.jwk
- fetch /adv/ | ver $TMP/db/sig.jwk
- # Fetching by any thumbprint should work
- fetch /adv/`jose jwk thp -i $TMP/db/sig.jwk` | ver $TMP/db/sig.jwk
- fetch /adv/`jose jwk thp -a S512 -i $TMP/db/sig.jwk` | ver $TMP/db/sig.jwk
- # Requesting an adv by an advertised key ID should't be signed by hidden keys
- ! fetch /adv/`jose jwk thp -i $TMP/db/sig.jwk` | ver $TMP/db/.sig.jwk
- ! fetch /adv/`jose jwk thp -i $TMP/db/sig.jwk` | ver $TMP/db/.oth.jwk
- # Verify that the default advertisement is not signed with hidden signature keys
- ! fetch /adv/ | ver $TMP/db/.oth.jwk
- ! fetch /adv/ | ver $TMP/db/.sig.jwk
- # A private key advertisement is signed by all advertised keys and the requested private key
- fetch /adv/`jose jwk thp -i $TMP/db/.sig.jwk` | ver $TMP/db/sig.jwk
- fetch /adv/`jose jwk thp -i $TMP/db/.sig.jwk` | ver $TMP/db/.sig.jwk
- ! fetch /adv/`jose jwk thp -i $TMP/db/.sig.jwk` | ver $TMP/db/.oth.jwk
- # Verify that the advertisements contain the cty parameter
- fetch /adv | jose fmt -j- -Og protected -SyOg cty -Sq "jwk-set+json" -E
- fetch /adv/`jose jwk thp -i $TMP/db/.sig.jwk` \
- | jose fmt -j- -Og signatures -A \
- -g 0 -Og protected -SyOg cty -Sq "jwk-set+json" -EUUUUU \
- -g 1 -Og protected -SyOg cty -Sq "jwk-set+json" -EUUUUU
- test $(tang-show-keys $PORT) == $(jose jwk thp -i $TMP/db/sig.jwk)
|
