// Test that SignToString() signs the given message with the device
// signing key and that the signature is verifiable and contains the message.
func TestCryptoSignToString(t *testing.T) {
tc := SetupEngineTest(t, "crypto")
defer tc.Cleanup()
u := CreateAndSignupFakeUser(tc, "fu")
f := func() libkb.SecretUI {
return &libkb.TestSecretUI{Passphrase: u.Passphrase}
}
msg := []byte("test message")
signature, err := SignToString(tc.G, f, keybase1.SignToStringArg{
Msg: msg,
})
if err != nil {
t.Fatal(err)
}
_, msg2, _, err := libkb.NaclVerifyAndExtract(signature)
if err != nil {
t.Fatal(err)
}
if !bytes.Equal(msg, msg2) {
t.Fatal(fmt.Errorf("message mismatch, expected: %s, got: %s",
string(msg), string(msg2)))
}
}
func VerifyToken(signature, server, challenge string, maxExpireIn int) (*Token, error) {
var t *Token
key, token, _, err := libkb.NaclVerifyAndExtract(signature)
if err != nil {
return nil, err
}
if t, err = parseToken(token); err != nil {
return nil, err
}
if key.GetKID() != t.KID() {
return nil, InvalidTokenKeyError{
expected: key.GetKID().String(),
received: t.KID().String(),
}
}
if TokenType != t.Type() {
return nil, InvalidTokenTypeError{
expected: TokenType,
received: t.Type(),
}
}
if server != t.Server() {
return nil, InvalidTokenServerError{
expected: server,
received: t.Server(),
}
}
if challenge != t.Challenge() {
return nil, InvalidTokenChallengeError{
expected: challenge,
received: t.Challenge(),
}
}
remaining := t.TimeRemaining()
if remaining > maxExpireIn {
return nil, MaxTokenExpiresError{
creationTime: t.CreationTime,
expireIn: t.ExpireIn,
now: time.Now().Unix(),
maxExpireIn: maxExpireIn,
remaining: remaining,
}
}
if remaining <= 0 {
return nil, TokenExpiredError{
creationTime: t.CreationTime,
expireIn: t.ExpireIn,
now: time.Now().Unix(),
}
}
return t, nil
}
