Example #1
0
func TestSign_HeaderValues(t *testing.T) {
	const jwksrc = `{
    "kty":"EC",
    "crv":"P-256",
    "x":"f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y":"x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "d":"jpsQnnGQmL-YBIffH1136cspYG6-0iY7X1fCE9-E9LI"
  }`

	privkey, err := ecdsautil.PrivateKeyFromJSON([]byte(jwksrc))
	if !assert.NoError(t, err, "parsing jwk should be successful") {
		return
	}

	payload := []byte("Hello, World!")

	hdr := NewHeader()
	hdr.KeyID = "helloworld01"
	encoded, err := Sign(payload, jwa.ES256, privkey, hdr)
	if !assert.NoError(t, err, "Sign should succeed") {
		return
	}

	// Although we set KeyID to the public header, in compact serialization
	// there's no difference
	msg, err := Parse(encoded)
	if !assert.Equal(t, hdr.KeyID, msg.Signatures[0].ProtectedHeader.KeyID, "KeyID should match") {
		return
	}

	verified, err := Verify(encoded, jwa.ES256, &privkey.PublicKey)
	if !assert.NoError(t, err, "Verify should succeed") {
		return
	}
	if !assert.Equal(t, verified, payload, "Payload should match") {
		return
	}
}
Example #2
0
// TestEncode_ES256Compact tests that https://tools.ietf.org/html/rfc7515#appendix-A.3 works
func TestEncode_ES256Compact(t *testing.T) {
	const hdr = `{"alg":"ES256"}`
	const jwksrc = `{
    "kty":"EC",
    "crv":"P-256",
    "x":"f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y":"x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "d":"jpsQnnGQmL-YBIffH1136cspYG6-0iY7X1fCE9-E9LI"
  }`

	privkey, err := ecdsautil.PrivateKeyFromJSON([]byte(jwksrc))
	if !assert.NoError(t, err, "parsing jwk should be successful") {
		return
	}

	sign, err := NewEcdsaSign(jwa.ES256, privkey)
	if !assert.NoError(t, err, "RsaSign created successfully") {
		return
	}

	hdrbuf, err := buffer.Buffer(hdr).Base64Encode()
	if !assert.NoError(t, err, "base64 encode successful") {
		return
	}
	payload, err := buffer.Buffer(examplePayload).Base64Encode()
	if !assert.NoError(t, err, "base64 encode successful") {
		return
	}

	signingInput := bytes.Join(
		[][]byte{
			hdrbuf,
			payload,
		},
		[]byte{'.'},
	)
	signature, err := sign.PayloadSign(signingInput)
	if !assert.NoError(t, err, "PayloadSign is successful") {
		return
	}
	sigbuf, err := buffer.Buffer(signature).Base64Encode()
	if !assert.NoError(t, err, "base64 encode successful") {
		return
	}

	encoded := bytes.Join(
		[][]byte{
			signingInput,
			sigbuf,
		},
		[]byte{'.'},
	)

	// The signature contains random factor, so unfortunately we can't match
	// the output against a fixed expected outcome. We'll wave doing an
	// exact match, and just try to verify using the signature

	msg, err := Parse(encoded)
	if !assert.NoError(t, err, "Parsing compact encoded serialization succeeds") {
		return
	}

	hdrs := msg.Signatures[0].MergedHeaders()
	if !assert.Equal(t, hdrs.Algorithm(), jwa.ES256, "Algorithm in header matches") {
		return
	}

	v, err := NewEcdsaVerify(jwa.ES256, &privkey.PublicKey)
	if !assert.NoError(t, err, "EcdsaVerify created") {
		return
	}
	if !assert.NoError(t, v.Verify(msg), "Verify succeeds") {
		return
	}
}