Example #1
0
// checkTokenWithTime checks token using the given time.
func checkTokenWithTime(c context.Context, token, user, action string, now time.Time) error {
	if token == "" {
		return fmt.Errorf("token is not given")
	}
	d, err := base64.URLEncoding.DecodeString(token)
	sig := &sigData{}
	if err = json.Unmarshal(d, sig); err != nil {
		return err
	}

	issueTime := time.Unix(0, sig.IssueTime)
	if now.Sub(issueTime) >= Timeout {
		return fmt.Errorf("signature has already expired")
	}
	if issueTime.After(now.Add(validFuture)) {
		return fmt.Errorf("token come from future")
	}

	toVerify := toData(user, action, sig.IssueTime)

	certs, err := signature.PublicCerts(c)
	if err != nil {
		return err
	}
	cert := signature.X509CertByName(certs, sig.Key)
	if cert == nil {
		return fmt.Errorf("cannot find cert")
	}

	return signature.Check(toVerify, cert, sig.Signature)
}
Example #2
0
// verifySignature verifies the signature for blob.
func verifySignature(c context.Context, keyName string, blob, sig []byte) error {
	rs := &model.AuthReplicationState{}
	if err := model.GetReplicationState(c, rs); err != nil {
		return err
	}
	certs, err := signature.PrimaryPublicCertificates(c, rs.PrimaryURL)
	if err != nil {
		return err
	}
	pem := signature.X509CertByName(certs, keyName)
	if pem == nil {
		return fmt.Errorf("failed to find cert")
	}
	return signature.Check(blob, pem, sig)
}
Example #3
0
func TestCheckShouldFailWithWrongSignature(t *testing.T) {
	encodedBlob := "CiIKFWNocm9tZS1pbmZyYS1hdXRoLWRldhAJGI+qwor9pMYCEr0DCgASACKVAQoOYWRtaW5pc3RyYXRvcnMSFXVzZXI6dGVzdEBleGFtcGxlLmNvbSocVXNlcnMgdGhhdCBjYW4gbWFuYWdlIGdyb3VwczDh07Gz+KLGAjodc2VydmljZTpjaHJvbWUtaW5mcmEtYXV0aC1kZXZA19Oxs/iixgJKHXNlcnZpY2U6Y2hyb21lLWluZnJhLWF1dGgtZGV2IqoBCgR0ZXN0Ehd1c2VyOmV4YW1wbGVAZ29vZ2xlLmNvbRIZdXNlcjpleGFtcGxlMkBleGFtcGxlLmNvbRIZdXNlcjpleGFtcGxlM0BleGFtcGxlLm5ldCoTVGhpcyBpcyB0ZXN0IGdyb3VwLjCnhria0aTGAjoVdXNlcjp0ZXN0QGV4YW1wbGUuY29tQJyGuJrRpMYCShV1c2VyOnRlc3RAZXhhbXBsZS5jb20icgoFdGVzdDISFXVzZXI6bmVzdEBleGFtcGxlLmNvbSIEdGVzdCoMbmVzdGVkIGdyb3VwMK6N0aTRpMYCOhV1c2VyOnRlc3RAZXhhbXBsZS5jb21An43RpNGkxgJKFXVzZXI6dGVzdEBleGFtcGxlLmNvbRoFMS4xLjI="
	pem := "\n-----BEGIN CERTIFICATE-----\nMIIC/jCCAeagAwIBAgIIQTBFcRw3moMwDQYJKoZIhvcNAQEFBQAwIjEgMB4GA1UE\nAxMXcm9ib3RqYXZhLmEuYXBwc3BvdC5jb20wHhcNMTEwMjIzMTUwNzQ5WhcNMTEw\nMjI0MTYwNzQ5WjAiMSAwHgYDVQQDExdyb2JvdGphdmEuYS5hcHBzcG90LmNvbTCC\nASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJd0YJCQWvQMa+7L/orCt3D0\nhVtkdAkeGSikuT4U7mNrxBuOaAbxCIGhRbUe2p+uvRF6MZtLvoU1h9qEFo/wAVDO\nHN4WHhw3VLl/OVuredRfe8bBTi0KqdgUBrKr8V61n26N3B4Ma9dkTMbcODC/XCfP\nIRJnTIf4Z1vnoEfWQEJDfW9QLJFyJF17hpp9l5S1uuMJBxjYMsZ3ExLqSFhM7IbN\n1PDBAb6zGtI7b9AVP+gxS1hjXiJoZA32IWINAZiPV+0k925ecsV0BkI0zV4Ta06F\nJexNx040y5ivr4C214GRUM3UKihirTcEOBS1a7SRi5wCPh/wT0A8gN6NNbTNjc0C\nAwEAAaM4MDYwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCB4AwFgYDVR0lAQH/\nBAwwCgYIKwYBBQUHAwIwDQYJKoZIhvcNAQEFBQADggEBAD+h2D+XGIHWMwPCA2DN\nJgMhN1yTTJ8dtwbiQIhfy8xjOJbrzZaSEX8g2gDm50qaEl5TYHHr2zvAI1UMWdR4\nnx9TN7I9u3GoOcQsmn9TaOKkBDpMv8sPtFBal3AR5PwR5Sq8/4L/M22LX/TN0eIF\nY4LnkW+X/h442N8a1oXn05UYtFo+p/6emZb1S84WZAnONGtF5D1Z6HuX4ikDI5m+\niZbwm47mLkV8yuTZGKI1gJsWmAsElPkoWVy2X0t69ecBOYyn3wMmQhkLk2+7lLlD\n/c4kygP/941fe1Wb/T9yGeBXFwEvJ4jWbX93Q4Xhk9UgHlso9xkCu9QeWFvJqufR\n5Cc=\n-----END CERTIFICATE-----\n"

	blob, err := base64.StdEncoding.DecodeString(encodedBlob)
	if err != nil {
		t.Fatal(err)
	}

	sig := []byte("wrong")
	err = signature.Check(blob, []byte(pem), sig)
	if err == nil {
		t.Errorf("Check(%q, %q, %q) = <nil>; want err", blob, pem, sig)
	}
}
Example #4
0
func TestCheckRuns(t *testing.T) {
	encodedSig := "KCdriOOYuQeTa0KJYdsfaLrbn6LjaJlLJRpWO25Xif+3G8hvrpCntFkNsH/n99hW8tDv6+reZDQDFsAxPx1tS7MeCKDAAlbEox9SkejcPAq+o9w9ql0BY6hukrz2oNmXIoywZdl2dxEqYV02CvpU4S3ZsI+QSlsju49Bddid7q4Dg5jD63RI2FZE1UEGxDPIeF2W2aMtzKMi2TZfTr5HGXEOeTutzB16oFgUlRYikH0KlufiwbrmgyIs5ltU5bgu5flJX5+rgq0ofW/M3OeqWu4eCrWnY7SMxTpkTq+JbYMn41I7WiJvRBU/Kbm+EEugHgOhfYTYCnr9tWQEXzDylw=="
	encodedBlob := "CiIKFWNocm9tZS1pbmZyYS1hdXRoLWRldhAJGI+qwor9pMYCEr0DCgASACKVAQoOYWRtaW5pc3RyYXRvcnMSFXVzZXI6dGVzdEBleGFtcGxlLmNvbSocVXNlcnMgdGhhdCBjYW4gbWFuYWdlIGdyb3VwczDh07Gz+KLGAjodc2VydmljZTpjaHJvbWUtaW5mcmEtYXV0aC1kZXZA19Oxs/iixgJKHXNlcnZpY2U6Y2hyb21lLWluZnJhLWF1dGgtZGV2IqoBCgR0ZXN0Ehd1c2VyOmV4YW1wbGVAZ29vZ2xlLmNvbRIZdXNlcjpleGFtcGxlMkBleGFtcGxlLmNvbRIZdXNlcjpleGFtcGxlM0BleGFtcGxlLm5ldCoTVGhpcyBpcyB0ZXN0IGdyb3VwLjCnhria0aTGAjoVdXNlcjp0ZXN0QGV4YW1wbGUuY29tQJyGuJrRpMYCShV1c2VyOnRlc3RAZXhhbXBsZS5jb20icgoFdGVzdDISFXVzZXI6bmVzdEBleGFtcGxlLmNvbSIEdGVzdCoMbmVzdGVkIGdyb3VwMK6N0aTRpMYCOhV1c2VyOnRlc3RAZXhhbXBsZS5jb21An43RpNGkxgJKFXVzZXI6dGVzdEBleGFtcGxlLmNvbRoFMS4xLjI="
	pem := "\n-----BEGIN CERTIFICATE-----\nMIIC/jCCAeagAwIBAgIIQTBFcRw3moMwDQYJKoZIhvcNAQEFBQAwIjEgMB4GA1UE\nAxMXcm9ib3RqYXZhLmEuYXBwc3BvdC5jb20wHhcNMTEwMjIzMTUwNzQ5WhcNMTEw\nMjI0MTYwNzQ5WjAiMSAwHgYDVQQDExdyb2JvdGphdmEuYS5hcHBzcG90LmNvbTCC\nASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJd0YJCQWvQMa+7L/orCt3D0\nhVtkdAkeGSikuT4U7mNrxBuOaAbxCIGhRbUe2p+uvRF6MZtLvoU1h9qEFo/wAVDO\nHN4WHhw3VLl/OVuredRfe8bBTi0KqdgUBrKr8V61n26N3B4Ma9dkTMbcODC/XCfP\nIRJnTIf4Z1vnoEfWQEJDfW9QLJFyJF17hpp9l5S1uuMJBxjYMsZ3ExLqSFhM7IbN\n1PDBAb6zGtI7b9AVP+gxS1hjXiJoZA32IWINAZiPV+0k925ecsV0BkI0zV4Ta06F\nJexNx040y5ivr4C214GRUM3UKihirTcEOBS1a7SRi5wCPh/wT0A8gN6NNbTNjc0C\nAwEAAaM4MDYwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCB4AwFgYDVR0lAQH/\nBAwwCgYIKwYBBQUHAwIwDQYJKoZIhvcNAQEFBQADggEBAD+h2D+XGIHWMwPCA2DN\nJgMhN1yTTJ8dtwbiQIhfy8xjOJbrzZaSEX8g2gDm50qaEl5TYHHr2zvAI1UMWdR4\nnx9TN7I9u3GoOcQsmn9TaOKkBDpMv8sPtFBal3AR5PwR5Sq8/4L/M22LX/TN0eIF\nY4LnkW+X/h442N8a1oXn05UYtFo+p/6emZb1S84WZAnONGtF5D1Z6HuX4ikDI5m+\niZbwm47mLkV8yuTZGKI1gJsWmAsElPkoWVy2X0t69ecBOYyn3wMmQhkLk2+7lLlD\n/c4kygP/941fe1Wb/T9yGeBXFwEvJ4jWbX93Q4Xhk9UgHlso9xkCu9QeWFvJqufR\n5Cc=\n-----END CERTIFICATE-----\n"

	sig, err := base64.StdEncoding.DecodeString(encodedSig)
	if err != nil {
		t.Fatal(err)
	}
	blob, err := base64.StdEncoding.DecodeString(encodedBlob)
	if err != nil {
		t.Fatal(err)
	}

	err = signature.Check(blob, []byte(pem), sig)
	if err != nil {
		t.Errorf("Check(%q, %q, %q) = %v; want <nil>", blob, pem, sig, err)
	}
}
Example #5
0
func TestShouldSignAndCheck(t *testing.T) {
	c := context.Background()
	blob := []byte("blob")
	key, sig, err := signature.Sign(c, blob)
	if err != nil {
		t.Fatalf("Sign(_, %v)=_,_,%v; want <nil>", blob, err)
	}

	pc, err := signature.PublicCerts(c)
	if err != nil {
		t.Fatalf("PublicCerts(_)=%v; want <nil>", err)
	}

	cert := signature.X509CertByName(pc, key)
	if cert == nil {
		t.Fatalf("X509CertByName(%v, %v)=<nil>; want non nil", pc, key)
	}

	err = signature.Check(blob, cert, sig)
	if err != nil {
		t.Errorf("Check(%v, %v, %v)=%v; want <nil>", blob, cert, sig, err)
	}
}