adv 4.9 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137
  1. #!/bin/sh -ex
  2. # vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
  3. #
  4. # Copyright (c) 2016 Red Hat, Inc.
  5. # Author: Nathaniel McCallum <npmccallum@redhat.com>
  6. #
  7. # This program is free software: you can redistribute it and/or modify
  8. # it under the terms of the GNU General Public License as published by
  9. # the Free Software Foundation, either version 3 of the License, or
  10. # (at your option) any later version.
  11. #
  12. # This program is distributed in the hope that it will be useful,
  13. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  14. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  15. # GNU General Public License for more details.
  16. #
  17. # You should have received a copy of the GNU General Public License
  18. # along with this program. If not, see <http://www.gnu.org/licenses/>.
  19. #
  20. . helpers
  21. sanity_check
  22. trap 'on_exit' EXIT
  23. export TMP=`mktemp -d`
  24. mkdir -p $TMP/db
  25. tangd-keygen $TMP/db sig exc
  26. # Make sure keys generated by tangd-keygen have proper permissions.
  27. valid_key_perm "${TMP}/db/sig.jwk"
  28. valid_key_perm "${TMP}/db/exc.jwk"
  29. jose jwk gen -i '{"alg": "ES512"}' -o $TMP/db/.sig.jwk
  30. jose jwk gen -i '{"alg": "ES512"}' -o $TMP/db/.oth.jwk
  31. export PORT=$(random_port)
  32. start_server "${PORT}"
  33. export PID=$!
  34. sleep 0.5
  35. # Make sure requests on the root fail
  36. fetch / && expected_fail
  37. # The request should fail (404) for non-signature key IDs
  38. fetch /adv/`jose jwk thp -i $TMP/db/exc.jwk` && expected_fail
  39. fetch /adv/`jose jwk thp -a S512 -i $TMP/db/exc.jwk` && expected_fail
  40. # The default advertisement fetch should succeed and pass verification
  41. fetch /adv
  42. fetch /adv | ver $TMP/db/sig.jwk
  43. fetch /adv/ | ver $TMP/db/sig.jwk
  44. # Fetching by any thumbprint should work
  45. fetch /adv/`jose jwk thp -i $TMP/db/sig.jwk` | ver $TMP/db/sig.jwk
  46. fetch /adv/`jose jwk thp -a S512 -i $TMP/db/sig.jwk` | ver $TMP/db/sig.jwk
  47. # Requesting an adv by an advertised key ID should't be signed by hidden keys
  48. fetch /adv/`jose jwk thp -i $TMP/db/sig.jwk` | ver $TMP/db/.sig.jwk && expected_fail
  49. fetch /adv/`jose jwk thp -i $TMP/db/sig.jwk` | ver $TMP/db/.oth.jwk && expected_fail
  50. # Verify that the default advertisement is not signed with hidden signature keys
  51. fetch /adv/ | ver $TMP/db/.oth.jwk && expected_fail
  52. fetch /adv/ | ver $TMP/db/.sig.jwk && expected_fail
  53. # A private key advertisement is signed by all advertised keys and the requested private key
  54. fetch /adv/`jose jwk thp -i $TMP/db/.sig.jwk` | ver $TMP/db/sig.jwk
  55. fetch /adv/`jose jwk thp -i $TMP/db/.sig.jwk` | ver $TMP/db/.sig.jwk
  56. fetch /adv/`jose jwk thp -i $TMP/db/.sig.jwk` | ver $TMP/db/.oth.jwk && expected_fail
  57. # Verify that the advertisements contain the cty parameter
  58. fetch /adv | jose fmt -j- -Og protected -SyOg cty -Sq "jwk-set+json" -E
  59. fetch /adv/`jose jwk thp -i $TMP/db/.sig.jwk` \
  60. | jose fmt -j- -Og signatures -A \
  61. -g 0 -Og protected -SyOg cty -Sq "jwk-set+json" -EUUUUU \
  62. -g 1 -Og protected -SyOg cty -Sq "jwk-set+json" -EUUUUU
  63. THP_DEFAULT_HASH=S256 # SHA-256.
  64. test "$(tang-show-keys $PORT)" = "$(jose jwk thp -a "${THP_DEFAULT_HASH}" -i $TMP/db/sig.jwk)"
  65. # Check that new keys will be created if none exist.
  66. rm -rf "${TMP}/db" && mkdir -p "${TMP}/db"
  67. fetch /adv
  68. # Now let's make sure the new keys were named using our default thumbprint
  69. # hash and then rotate them and check if we still create new keys.
  70. cd "${TMP}/db"
  71. for k in *.jwk; do
  72. # Check for the key name (SHA-256).
  73. test "${k}" = "$(jose jwk thp -a "${THP_DEFAULT_HASH}" -i "${k}")".jwk
  74. # Rotate the key.
  75. mv -f -- "${k}" ".${k}"
  76. done
  77. cd -
  78. fetch /adv
  79. # Lets's now test with multiple pairs of keys.
  80. for i in 1 2 3 4 5 6 7 8 9; do
  81. tangd-keygen "${TMP}"/db other-sig-${i} other-exc-${i}
  82. # Make sure the requested keys exist and are valid.
  83. validate_sig "${TMP}/db/other-sig-${i}.jwk"
  84. validate_exc "${TMP}/db/other-exc-${i}.jwk"
  85. # Make sure keys generated by tangd-keygen have proper permissions.
  86. valid_key_perm "${TMP}/db/other-sig-${i}.jwk"
  87. valid_key_perm "${TMP}/db/other-exc-${i}.jwk"
  88. done
  89. # Verify the advertisement is correct.
  90. validate "$(fetch /adv)"
  91. # And make sure we can fetch an adv by its thumbprint.
  92. for jwk in "${TMP}"/db/other-sig-*.jwk; do
  93. for alg in $(jose alg -k hash); do
  94. fetch /adv/"$(jose jwk thp -a "${alg}" -i "${jwk}")" | ver "${jwk}"
  95. done
  96. done
  97. # Now let's test keys rotation.
  98. tangd-rotate-keys -d "${TMP}/db"
  99. for i in 1 2 3 4 5 6 7 8 9; do
  100. # Make sure keys were excluded from advertisement.
  101. validate_sig "${TMP}/db/.other-sig-${i}.jwk"
  102. validate_exc "${TMP}/db/.other-exc-${i}.jwk"
  103. done
  104. # And test also that we have valid keys after rotation.
  105. thp=
  106. for jwk in "${TMP}"/db/*.jwk; do
  107. validate_sig "${jwk}" && thp="$(jose jwk thp -a "${THP_DEFAULT_HASH}" \
  108. -i "${jwk}")"
  109. # Make sure keys generated by tangd-rotate-keys have proper permissions.
  110. valid_key_perm "${jwk}"
  111. done
  112. [ -z "${thp}" ] && die "There should be valid keys after rotation"
  113. test "$(tang-show-keys $PORT)" = "${thp}"