adv 3.7 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106
  1. #!/bin/sh -ex
  2. # vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
  3. #
  4. # Copyright (c) 2016 Red Hat, Inc.
  5. # Author: Nathaniel McCallum <npmccallum@redhat.com>
  6. #
  7. # This program is free software: you can redistribute it and/or modify
  8. # it under the terms of the GNU General Public License as published by
  9. # the Free Software Foundation, either version 3 of the License, or
  10. # (at your option) any later version.
  11. #
  12. # This program is distributed in the hope that it will be useful,
  13. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  14. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  15. # GNU General Public License for more details.
  16. #
  17. # You should have received a copy of the GNU General Public License
  18. # along with this program. If not, see <http://www.gnu.org/licenses/>.
  19. #
  20. . helpers
  21. sanity_check
  22. trap 'on_exit' EXIT
  23. export TMP=`mktemp -d`
  24. mkdir -p $TMP/db
  25. tangd-keygen $TMP/db sig exc
  26. jose jwk gen -i '{"alg": "ES512"}' -o $TMP/db/.sig.jwk
  27. jose jwk gen -i '{"alg": "ES512"}' -o $TMP/db/.oth.jwk
  28. export PORT=$(random_port)
  29. start_server "${PORT}"
  30. export PID=$!
  31. sleep 0.5
  32. # Make sure requests on the root fail
  33. ! fetch /
  34. # The request should fail (404) for non-signature key IDs
  35. ! fetch /adv/`jose jwk thp -i $TMP/db/exc.jwk`
  36. ! fetch /adv/`jose jwk thp -a S512 -i $TMP/db/exc.jwk`
  37. # The default advertisement fetch should succeed and pass verification
  38. fetch /adv
  39. fetch /adv | ver $TMP/db/sig.jwk
  40. fetch /adv/ | ver $TMP/db/sig.jwk
  41. # Fetching by any thumbprint should work
  42. fetch /adv/`jose jwk thp -i $TMP/db/sig.jwk` | ver $TMP/db/sig.jwk
  43. fetch /adv/`jose jwk thp -a S512 -i $TMP/db/sig.jwk` | ver $TMP/db/sig.jwk
  44. # Requesting an adv by an advertised key ID should't be signed by hidden keys
  45. ! fetch /adv/`jose jwk thp -i $TMP/db/sig.jwk` | ver $TMP/db/.sig.jwk
  46. ! fetch /adv/`jose jwk thp -i $TMP/db/sig.jwk` | ver $TMP/db/.oth.jwk
  47. # Verify that the default advertisement is not signed with hidden signature keys
  48. ! fetch /adv/ | ver $TMP/db/.oth.jwk
  49. ! fetch /adv/ | ver $TMP/db/.sig.jwk
  50. # A private key advertisement is signed by all advertised keys and the requested private key
  51. fetch /adv/`jose jwk thp -i $TMP/db/.sig.jwk` | ver $TMP/db/sig.jwk
  52. fetch /adv/`jose jwk thp -i $TMP/db/.sig.jwk` | ver $TMP/db/.sig.jwk
  53. ! fetch /adv/`jose jwk thp -i $TMP/db/.sig.jwk` | ver $TMP/db/.oth.jwk
  54. # Verify that the advertisements contain the cty parameter
  55. fetch /adv | jose fmt -j- -Og protected -SyOg cty -Sq "jwk-set+json" -E
  56. fetch /adv/`jose jwk thp -i $TMP/db/.sig.jwk` \
  57. | jose fmt -j- -Og signatures -A \
  58. -g 0 -Og protected -SyOg cty -Sq "jwk-set+json" -EUUUUU \
  59. -g 1 -Og protected -SyOg cty -Sq "jwk-set+json" -EUUUUU
  60. THP_DEFAULT_HASH=S256 # SHA-256.
  61. test "$(tang-show-keys $PORT)" = "$(jose jwk thp -a "${THP_DEFAULT_HASH}" -i $TMP/db/sig.jwk)"
  62. # Check that new keys will be created if none exist.
  63. rm -rf "${TMP}/db" && mkdir -p "${TMP}/db"
  64. fetch /adv
  65. # Now let's make sure the new keys were named using our default thumbprint
  66. # hash and then rotate them and check if we still create new keys.
  67. cd "${TMP}/db"
  68. for k in *.jwk; do
  69. # Check for the key name (SHA-256).
  70. test "${k}" = "$(jose jwk thp -a "${THP_DEFAULT_HASH}" -i "${k}")".jwk
  71. # Rotate the key.
  72. mv -f -- "${k}" ".${k}"
  73. done
  74. cd -
  75. fetch /adv
  76. # Lets's now test with multiple pairs of keys.
  77. for i in 1 2 3 4 5 6 7 8 9; do
  78. tangd-keygen "${TMP}"/db other-sig-${i} other-exc-${i}
  79. done
  80. # Verify the advertisement is correct.
  81. validate "$(fetch /adv)"
  82. # And make sure we can fetch an adv by its thumbprint.
  83. for jwk in "${TMP}"/db/other-sig-*.jwk; do
  84. for alg in $(jose alg -k hash); do
  85. fetch /adv/"$(jose jwk thp -a "${alg}" -i "${jwk}")" | ver "${jwk}"
  86. done
  87. done