1619793024.v9-2-gafb6055.keys-fix-signature-generation.patch 2.4 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576
  1. Subject: Keys: fix signature generation
  2. Origin: upstream, v9-2-gafb6055 <https://github.com/latchset/tang/commit/v9-2-gafb6055>
  3. Upstream-Author: Sergio Correia <scorreia@redhat.com>
  4. Date: Fri Apr 30 11:30:24 2021 -0300
  5. No need to create and pass an array with our template option.
  6. This was causing issues when we had multiple (>2) pairs of keys.
  7. Tests added to cover this scenario.
  8. --- a/src/keys.c
  9. +++ b/src/keys.c
  10. @@ -233,21 +233,11 @@
  11. json_auto_t* sig_template = json_pack("{s:{s:s}}",
  12. "protected", "cty", "jwk-set+json");
  13. - /* Use the template with the signing keys. */
  14. - json_auto_t* sig_template_arr = json_array();
  15. - size_t arr_size = json_array_size(sig_keys);
  16. - for (size_t i = 0; i < arr_size; i++) {
  17. - if (json_array_append(sig_template_arr, sig_template) == -1) {
  18. - fprintf(stderr, "Unable to append sig template to array\n");
  19. - return NULL;
  20. - }
  21. - }
  22. -
  23. __attribute__ ((__cleanup__(cleanup_str))) char* data_to_sign = json_dumps(payload, 0);
  24. json_auto_t* jws = json_pack("{s:o}", "payload",
  25. jose_b64_enc(data_to_sign, strlen(data_to_sign)));
  26. - if (!jose_jws_sig(NULL, jws, sig_template_arr, sig_keys)) {
  27. + if (!jose_jws_sig(NULL, jws, sig_template, sig_keys)) {
  28. fprintf(stderr, "Error trying to jose_jws_sign\n");
  29. return NULL;
  30. }
  31. --- a/tests/adv
  32. +++ b/tests/adv
  33. @@ -31,6 +31,19 @@
  34. [ -d "$TMP" ] && rm -rf $TMP
  35. }
  36. +validate() {
  37. + if ! _jwks="$(jose fmt --json="${1}" -Og payload -SyOg keys \
  38. + -AUo- 2>/dev/null)"; then
  39. + echo "Advertisement is malformed" >&2
  40. + exit 1
  41. + fi
  42. + _ver="$(printf '%s' "${_jwks}" | jose jwk use -i- -r -u verify -o-)"
  43. + if ! printf '%s' "${_ver}" | jose jws ver -i "${1}" -k- -a; then
  44. + echo "Advertisement is missing signatures" >&2
  45. + exit 1
  46. + fi
  47. +}
  48. +
  49. trap 'on_exit' EXIT
  50. trap 'exit' ERR
  51. @@ -95,3 +108,18 @@
  52. done
  53. cd -
  54. fetch /adv
  55. +
  56. +# Lets's now test with multiple pairs of keys.
  57. +for i in 1 2 3 4 5 6 7 8 9; do
  58. + tangd-keygen "${TMP}"/db other-sig-${i} other-exc-${i}
  59. +done
  60. +
  61. +# Verify the advertisement is correct.
  62. +validate "$(fetch /adv)"
  63. +
  64. +# And make sure we can fetch an adv by its thumbprint.
  65. +for jwk in "${TMP}"/db/other-sig-*.jwk; do
  66. + for alg in $(jose alg -k hash); do
  67. + fetch /adv/"$(jose jwk thp -a "${alg}" -i "${jwk}")" | ver "${jwk}"
  68. + done
  69. +done