Exemple #1
0
// checkTokenWithTime checks token using the given time.
func checkTokenWithTime(c context.Context, token, user, action string, now time.Time) error {
	if token == "" {
		return fmt.Errorf("token is not given")
	}
	d, err := base64.URLEncoding.DecodeString(token)
	sig := &sigData{}
	if err = json.Unmarshal(d, sig); err != nil {
		return err
	}

	issueTime := time.Unix(0, sig.IssueTime)
	if now.Sub(issueTime) >= Timeout {
		return fmt.Errorf("signature has already expired")
	}
	if issueTime.After(now.Add(validFuture)) {
		return fmt.Errorf("token come from future")
	}

	toVerify := toData(user, action, sig.IssueTime)

	certs, err := signature.PublicCerts(c)
	if err != nil {
		return err
	}
	cert := signature.X509CertByName(certs, sig.Key)
	if cert == nil {
		return fmt.Errorf("cannot find cert")
	}

	return signature.Check(toVerify, cert, sig.Signature)
}
Exemple #2
0
func TestX509CertByNameShouldReturnNilIfNotFound(t *testing.T) {
	pc := &signature.PublicCertificates{}
	actual := signature.X509CertByName(pc, "nonexist")
	if actual != nil {
		t.Errorf(`X509CertByName("nonexist")=%v; want <nil>`, actual)
	}
}
Exemple #3
0
// verifySignature verifies the signature for blob.
func verifySignature(c context.Context, keyName string, blob, sig []byte) error {
	rs := &model.AuthReplicationState{}
	if err := model.GetReplicationState(c, rs); err != nil {
		return err
	}
	certs, err := signature.PrimaryPublicCertificates(c, rs.PrimaryURL)
	if err != nil {
		return err
	}
	pem := signature.X509CertByName(certs, keyName)
	if pem == nil {
		return fmt.Errorf("failed to find cert")
	}
	return signature.Check(blob, pem, sig)
}
Exemple #4
0
func TestX509CertByNameShouldFindIfExist(t *testing.T) {
	key := "dummy"
	expected := []byte("dummy_pem")
	pc := &signature.PublicCertificates{
		Certificates: []signature.Certificate{
			{
				KeyName:            key,
				X509CertificatePEM: string(expected),
			},
		},
	}
	actual := signature.X509CertByName(pc, key)
	if !reflect.DeepEqual(actual, expected) {
		t.Errorf(`X509CertByName(%q)=%q; want %q`, key, actual, expected)
	}
}
Exemple #5
0
func TestShouldSignAndCheck(t *testing.T) {
	c := context.Background()
	blob := []byte("blob")
	key, sig, err := signature.Sign(c, blob)
	if err != nil {
		t.Fatalf("Sign(_, %v)=_,_,%v; want <nil>", blob, err)
	}

	pc, err := signature.PublicCerts(c)
	if err != nil {
		t.Fatalf("PublicCerts(_)=%v; want <nil>", err)
	}

	cert := signature.X509CertByName(pc, key)
	if cert == nil {
		t.Fatalf("X509CertByName(%v, %v)=<nil>; want non nil", pc, key)
	}

	err = signature.Check(blob, cert, sig)
	if err != nil {
		t.Errorf("Check(%v, %v, %v)=%v; want <nil>", blob, cert, sig, err)
	}
}