// checkTokenWithTime checks token using the given time.
func checkTokenWithTime(c context.Context, token, user, action string, now time.Time) error {
if token == "" {
return fmt.Errorf("token is not given")
}
d, err := base64.URLEncoding.DecodeString(token)
sig := &sigData{}
if err = json.Unmarshal(d, sig); err != nil {
return err
}
issueTime := time.Unix(0, sig.IssueTime)
if now.Sub(issueTime) >= Timeout {
return fmt.Errorf("signature has already expired")
}
if issueTime.After(now.Add(validFuture)) {
return fmt.Errorf("token come from future")
}
toVerify := toData(user, action, sig.IssueTime)
certs, err := signature.PublicCerts(c)
if err != nil {
return err
}
cert := signature.X509CertByName(certs, sig.Key)
if cert == nil {
return fmt.Errorf("cannot find cert")
}
return signature.Check(toVerify, cert, sig.Signature)
}
func TestX509CertByNameShouldReturnNilIfNotFound(t *testing.T) {
pc := &signature.PublicCertificates{}
actual := signature.X509CertByName(pc, "nonexist")
if actual != nil {
t.Errorf(`X509CertByName("nonexist")=%v; want <nil>`, actual)
}
}
// verifySignature verifies the signature for blob.
func verifySignature(c context.Context, keyName string, blob, sig []byte) error {
rs := &model.AuthReplicationState{}
if err := model.GetReplicationState(c, rs); err != nil {
return err
}
certs, err := signature.PrimaryPublicCertificates(c, rs.PrimaryURL)
if err != nil {
return err
}
pem := signature.X509CertByName(certs, keyName)
if pem == nil {
return fmt.Errorf("failed to find cert")
}
return signature.Check(blob, pem, sig)
}
func TestX509CertByNameShouldFindIfExist(t *testing.T) {
key := "dummy"
expected := []byte("dummy_pem")
pc := &signature.PublicCertificates{
Certificates: []signature.Certificate{
{
KeyName: key,
X509CertificatePEM: string(expected),
},
},
}
actual := signature.X509CertByName(pc, key)
if !reflect.DeepEqual(actual, expected) {
t.Errorf(`X509CertByName(%q)=%q; want %q`, key, actual, expected)
}
}
func TestShouldSignAndCheck(t *testing.T) {
c := context.Background()
blob := []byte("blob")
key, sig, err := signature.Sign(c, blob)
if err != nil {
t.Fatalf("Sign(_, %v)=_,_,%v; want <nil>", blob, err)
}
pc, err := signature.PublicCerts(c)
if err != nil {
t.Fatalf("PublicCerts(_)=%v; want <nil>", err)
}
cert := signature.X509CertByName(pc, key)
if cert == nil {
t.Fatalf("X509CertByName(%v, %v)=<nil>; want non nil", pc, key)
}
err = signature.Check(blob, cert, sig)
if err != nil {
t.Errorf("Check(%v, %v, %v)=%v; want <nil>", blob, cert, sig, err)
}
}