func TestSign_HeaderValues(t *testing.T) {
const jwksrc = `{
"kty":"EC",
"crv":"P-256",
"x":"f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
"y":"x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
"d":"jpsQnnGQmL-YBIffH1136cspYG6-0iY7X1fCE9-E9LI"
}`
privkey, err := ecdsautil.PrivateKeyFromJSON([]byte(jwksrc))
if !assert.NoError(t, err, "parsing jwk should be successful") {
return
}
payload := []byte("Hello, World!")
hdr := NewHeader()
hdr.KeyID = "helloworld01"
encoded, err := Sign(payload, jwa.ES256, privkey, hdr)
if !assert.NoError(t, err, "Sign should succeed") {
return
}
// Although we set KeyID to the public header, in compact serialization
// there's no difference
msg, err := Parse(encoded)
if !assert.Equal(t, hdr.KeyID, msg.Signatures[0].ProtectedHeader.KeyID, "KeyID should match") {
return
}
verified, err := Verify(encoded, jwa.ES256, &privkey.PublicKey)
if !assert.NoError(t, err, "Verify should succeed") {
return
}
if !assert.Equal(t, verified, payload, "Payload should match") {
return
}
}
// TestEncode_ES256Compact tests that https://tools.ietf.org/html/rfc7515#appendix-A.3 works
func TestEncode_ES256Compact(t *testing.T) {
const hdr = `{"alg":"ES256"}`
const jwksrc = `{
"kty":"EC",
"crv":"P-256",
"x":"f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
"y":"x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
"d":"jpsQnnGQmL-YBIffH1136cspYG6-0iY7X1fCE9-E9LI"
}`
privkey, err := ecdsautil.PrivateKeyFromJSON([]byte(jwksrc))
if !assert.NoError(t, err, "parsing jwk should be successful") {
return
}
sign, err := NewEcdsaSign(jwa.ES256, privkey)
if !assert.NoError(t, err, "RsaSign created successfully") {
return
}
hdrbuf, err := buffer.Buffer(hdr).Base64Encode()
if !assert.NoError(t, err, "base64 encode successful") {
return
}
payload, err := buffer.Buffer(examplePayload).Base64Encode()
if !assert.NoError(t, err, "base64 encode successful") {
return
}
signingInput := bytes.Join(
[][]byte{
hdrbuf,
payload,
},
[]byte{'.'},
)
signature, err := sign.PayloadSign(signingInput)
if !assert.NoError(t, err, "PayloadSign is successful") {
return
}
sigbuf, err := buffer.Buffer(signature).Base64Encode()
if !assert.NoError(t, err, "base64 encode successful") {
return
}
encoded := bytes.Join(
[][]byte{
signingInput,
sigbuf,
},
[]byte{'.'},
)
// The signature contains random factor, so unfortunately we can't match
// the output against a fixed expected outcome. We'll wave doing an
// exact match, and just try to verify using the signature
msg, err := Parse(encoded)
if !assert.NoError(t, err, "Parsing compact encoded serialization succeeds") {
return
}
hdrs := msg.Signatures[0].MergedHeaders()
if !assert.Equal(t, hdrs.Algorithm(), jwa.ES256, "Algorithm in header matches") {
return
}
v, err := NewEcdsaVerify(jwa.ES256, &privkey.PublicKey)
if !assert.NoError(t, err, "EcdsaVerify created") {
return
}
if !assert.NoError(t, v.Verify(msg), "Verify succeeds") {
return
}
}