adv 5.1 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134
  1. #!/bin/sh -ex
  2. # vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
  3. #
  4. # Copyright (c) 2016 Red Hat, Inc.
  5. # Author: Nathaniel McCallum <npmccallum@redhat.com>
  6. #
  7. # This program is free software: you can redistribute it and/or modify
  8. # it under the terms of the GNU General Public License as published by
  9. # the Free Software Foundation, either version 3 of the License, or
  10. # (at your option) any later version.
  11. #
  12. # This program is distributed in the hope that it will be useful,
  13. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  14. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  15. # GNU General Public License for more details.
  16. #
  17. # You should have received a copy of the GNU General Public License
  18. # along with this program. If not, see <http://www.gnu.org/licenses/>.
  19. #
  20. . helpers
  21. trap 'on_exit' EXIT
  22. export TMP=`mktemp -d`
  23. mkdir -p $TMP/db
  24. adv_startup () {
  25. tangd-keygen $TMP/db sig exc
  26. # Make sure keys generated by tangd-keygen have proper permissions.
  27. valid_key_perm "${TMP}/db/sig.jwk"
  28. valid_key_perm "${TMP}/db/exc.jwk"
  29. jose jwk gen -i '{"alg": "ES512"}' -o $TMP/db/.sig.jwk
  30. jose jwk gen -i '{"alg": "ES512"}' -o $TMP/db/.oth.jwk
  31. }
  32. adv_second_phase () {
  33. # Make sure requests on the root fail
  34. fetch / && expected_fail
  35. # The request should fail (404) for non-signature key IDs
  36. fetch /adv/`jose jwk thp -i $TMP/db/exc.jwk` && expected_fail
  37. fetch /adv/`jose jwk thp -a S512 -i $TMP/db/exc.jwk` && expected_fail
  38. # The default advertisement fetch should succeed and pass verification
  39. fetch /adv
  40. fetch /adv | ver $TMP/db/sig.jwk
  41. fetch /adv/ | ver $TMP/db/sig.jwk
  42. # Fetching by any thumbprint should work
  43. fetch /adv/`jose jwk thp -i $TMP/db/sig.jwk` | ver $TMP/db/sig.jwk
  44. fetch /adv/`jose jwk thp -a S512 -i $TMP/db/sig.jwk` | ver $TMP/db/sig.jwk
  45. # Requesting an adv by an advertised key ID should't be signed by hidden keys
  46. fetch /adv/`jose jwk thp -i $TMP/db/sig.jwk` | ver $TMP/db/.sig.jwk && expected_fail
  47. fetch /adv/`jose jwk thp -i $TMP/db/sig.jwk` | ver $TMP/db/.oth.jwk && expected_fail
  48. # Verify that the default advertisement is not signed with hidden signature keys
  49. fetch /adv/ | ver $TMP/db/.oth.jwk && expected_fail
  50. fetch /adv/ | ver $TMP/db/.sig.jwk && expected_fail
  51. # A private key advertisement is signed by all advertised keys and the requested private key
  52. fetch /adv/`jose jwk thp -i $TMP/db/.sig.jwk` | ver $TMP/db/sig.jwk
  53. fetch /adv/`jose jwk thp -i $TMP/db/.sig.jwk` | ver $TMP/db/.sig.jwk
  54. fetch /adv/`jose jwk thp -i $TMP/db/.sig.jwk` | ver $TMP/db/.oth.jwk && expected_fail
  55. # Verify that the advertisements contain the cty parameter
  56. fetch /adv | jose fmt -j- -Og protected -SyOg cty -Sq "jwk-set+json" -E
  57. fetch /adv/`jose jwk thp -i $TMP/db/.sig.jwk` \
  58. | jose fmt -j- -Og signatures -A \
  59. -g 0 -Og protected -SyOg cty -Sq "jwk-set+json" -EUUUUU \
  60. -g 1 -Og protected -SyOg cty -Sq "jwk-set+json" -EUUUUU
  61. THP_DEFAULT_HASH=S256 # SHA-256.
  62. test "$(tang-show-keys $PORT)" = "$(jose jwk thp -a "${THP_DEFAULT_HASH}" -i $TMP/db/sig.jwk)"
  63. # Check that new keys will be created if none exist.
  64. rm -rf "${TMP}/db" && mkdir -p "${TMP}/db"
  65. fetch /adv
  66. # Now let's make sure the new keys were named using our default thumbprint
  67. # hash and then rotate them and check if we still create new keys.
  68. cd "${TMP}/db"
  69. for k in *.jwk; do
  70. # Check for the key name (SHA-256).
  71. test "${k}" = "$(jose jwk thp -a "${THP_DEFAULT_HASH}" -i "${k}")".jwk
  72. # Rotate the key.
  73. mv -f -- "${k}" ".${k}"
  74. done
  75. cd -
  76. fetch /adv
  77. # Lets's now test with multiple pairs of keys.
  78. for i in 1 2 3 4 5 6 7 8 9; do
  79. tangd-keygen "${TMP}"/db other-sig-${i} other-exc-${i}
  80. # Make sure the requested keys exist and are valid.
  81. validate_sig "${TMP}/db/other-sig-${i}.jwk"
  82. validate_exc "${TMP}/db/other-exc-${i}.jwk"
  83. # Make sure keys generated by tangd-keygen have proper permissions.
  84. valid_key_perm "${TMP}/db/other-sig-${i}.jwk"
  85. valid_key_perm "${TMP}/db/other-exc-${i}.jwk"
  86. done
  87. # Verify the advertisement is correct.
  88. validate "$(fetch /adv)"
  89. # And make sure we can fetch an adv by its thumbprint.
  90. for jwk in "${TMP}"/db/other-sig-*.jwk; do
  91. for alg in $(jose alg -k hash); do
  92. fetch /adv/"$(jose jwk thp -a "${alg}" -i "${jwk}")" | ver "${jwk}"
  93. done
  94. done
  95. # Now let's test keys rotation.
  96. tangd-rotate-keys -d "${TMP}/db"
  97. for i in 1 2 3 4 5 6 7 8 9; do
  98. # Make sure keys were excluded from advertisement.
  99. validate_sig "${TMP}/db/.other-sig-${i}.jwk"
  100. validate_exc "${TMP}/db/.other-exc-${i}.jwk"
  101. done
  102. # And test also that we have valid keys after rotation.
  103. thp=
  104. for jwk in "${TMP}"/db/*.jwk; do
  105. validate_sig "${jwk}" && thp="$(jose jwk thp -a "${THP_DEFAULT_HASH}" \
  106. -i "${jwk}")"
  107. # Make sure keys generated by tangd-rotate-keys have proper permissions.
  108. valid_key_perm "${jwk}"
  109. done
  110. [ -z "${thp}" ] && die "There should be valid keys after rotation"
  111. test "$(tang-show-keys $PORT)" = "${thp}"
  112. }