adv 3.0 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687
  1. #!/bin/bash -x
  2. # vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
  3. #
  4. # Copyright (c) 2016 Red Hat, Inc.
  5. # Author: Nathaniel McCallum <npmccallum@redhat.com>
  6. #
  7. # This program is free software: you can redistribute it and/or modify
  8. # it under the terms of the GNU General Public License as published by
  9. # the Free Software Foundation, either version 3 of the License, or
  10. # (at your option) any later version.
  11. #
  12. # This program is distributed in the hope that it will be useful,
  13. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  14. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  15. # GNU General Public License for more details.
  16. #
  17. # You should have received a copy of the GNU General Public License
  18. # along with this program. If not, see <http://www.gnu.org/licenses/>.
  19. #
  20. function fetch() {
  21. curl -sfg http://127.0.0.1:$PORT$1
  22. }
  23. function ver() {
  24. jose jws ver -i- -k "$1"
  25. }
  26. function on_exit() {
  27. if [ "$PID" ]; then kill $PID; wait $PID || true; fi
  28. [ -d "$TMP" ] && rm -rf $TMP
  29. }
  30. trap 'on_exit' EXIT
  31. trap 'exit' ERR
  32. export TMP=`mktemp -d`
  33. mkdir -p $TMP/db
  34. mkdir -p $TMP/cache
  35. tangd-keygen $TMP/db sig exc
  36. jose jwk gen -i '{"alg": "ES512"}' -o $TMP/db/.sig.jwk
  37. jose jwk gen -i '{"alg": "ES512"}' -o $TMP/db/.oth.jwk
  38. tangd-update $TMP/db $TMP/cache
  39. export PORT=`shuf -i 1024-65536 -n 1`
  40. $SD_ACTIVATE -l "127.0.0.1:$PORT" -a $VALGRIND tangd $TMP/cache &
  41. export PID=$!
  42. sleep 0.5
  43. # Make sure requests on the root fail
  44. ! fetch /
  45. # The request should fail (404) for non-signature key IDs
  46. ! fetch /adv/`jose jwk thp -i $TMP/db/exc.jwk`
  47. ! fetch /adv/`jose jwk thp -a S512 -i $TMP/db/exc.jwk`
  48. # The default advertisement fetch should succeed and pass verification
  49. fetch /adv
  50. fetch /adv | ver $TMP/db/sig.jwk
  51. fetch /adv/ | ver $TMP/db/sig.jwk
  52. # Fetching by any thumbprint should work
  53. fetch /adv/`jose jwk thp -i $TMP/db/sig.jwk` | ver $TMP/db/sig.jwk
  54. fetch /adv/`jose jwk thp -a S512 -i $TMP/db/sig.jwk` | ver $TMP/db/sig.jwk
  55. # Requesting an adv by an advertised key ID should't be signed by hidden keys
  56. ! fetch /adv/`jose jwk thp -i $TMP/db/sig.jwk` | ver $TMP/db/.sig.jwk
  57. ! fetch /adv/`jose jwk thp -i $TMP/db/sig.jwk` | ver $TMP/db/.oth.jwk
  58. # Verify that the default advertisement is not signed with hidden signature keys
  59. ! fetch /adv/ | ver $TMP/db/.oth.jwk
  60. ! fetch /adv/ | ver $TMP/db/.sig.jwk
  61. # A private key advertisement is signed by all advertised keys and the requested private key
  62. fetch /adv/`jose jwk thp -i $TMP/db/.sig.jwk` | ver $TMP/db/sig.jwk
  63. fetch /adv/`jose jwk thp -i $TMP/db/.sig.jwk` | ver $TMP/db/.sig.jwk
  64. ! fetch /adv/`jose jwk thp -i $TMP/db/.sig.jwk` | ver $TMP/db/.oth.jwk
  65. # Verify that the advertisements contain the cty parameter
  66. fetch /adv | jose fmt -j- -Og protected -SyOg cty -Sq "jwk-set+json" -E
  67. fetch /adv/`jose jwk thp -i $TMP/db/.sig.jwk` \
  68. | jose fmt -j- -Og signatures -A \
  69. -g 0 -Og protected -SyOg cty -Sq "jwk-set+json" -EUUUUU \
  70. -g 1 -Og protected -SyOg cty -Sq "jwk-set+json" -EUUUUU
  71. test $(tang-show-keys $PORT) == $(jose jwk thp -i $TMP/db/sig.jwk)