// checkTokenWithTime checks token using the given time. func checkTokenWithTime(c context.Context, token, user, action string, now time.Time) error { if token == "" { return fmt.Errorf("token is not given") } d, err := base64.URLEncoding.DecodeString(token) sig := &sigData{} if err = json.Unmarshal(d, sig); err != nil { return err } issueTime := time.Unix(0, sig.IssueTime) if now.Sub(issueTime) >= Timeout { return fmt.Errorf("signature has already expired") } if issueTime.After(now.Add(validFuture)) { return fmt.Errorf("token come from future") } toVerify := toData(user, action, sig.IssueTime) certs, err := signature.PublicCerts(c) if err != nil { return err } cert := signature.X509CertByName(certs, sig.Key) if cert == nil { return fmt.Errorf("cannot find cert") } return signature.Check(toVerify, cert, sig.Signature) }
func TestX509CertByNameShouldReturnNilIfNotFound(t *testing.T) { pc := &signature.PublicCertificates{} actual := signature.X509CertByName(pc, "nonexist") if actual != nil { t.Errorf(`X509CertByName("nonexist")=%v; want <nil>`, actual) } }
// verifySignature verifies the signature for blob. func verifySignature(c context.Context, keyName string, blob, sig []byte) error { rs := &model.AuthReplicationState{} if err := model.GetReplicationState(c, rs); err != nil { return err } certs, err := signature.PrimaryPublicCertificates(c, rs.PrimaryURL) if err != nil { return err } pem := signature.X509CertByName(certs, keyName) if pem == nil { return fmt.Errorf("failed to find cert") } return signature.Check(blob, pem, sig) }
func TestX509CertByNameShouldFindIfExist(t *testing.T) { key := "dummy" expected := []byte("dummy_pem") pc := &signature.PublicCertificates{ Certificates: []signature.Certificate{ { KeyName: key, X509CertificatePEM: string(expected), }, }, } actual := signature.X509CertByName(pc, key) if !reflect.DeepEqual(actual, expected) { t.Errorf(`X509CertByName(%q)=%q; want %q`, key, actual, expected) } }
func TestShouldSignAndCheck(t *testing.T) { c := context.Background() blob := []byte("blob") key, sig, err := signature.Sign(c, blob) if err != nil { t.Fatalf("Sign(_, %v)=_,_,%v; want <nil>", blob, err) } pc, err := signature.PublicCerts(c) if err != nil { t.Fatalf("PublicCerts(_)=%v; want <nil>", err) } cert := signature.X509CertByName(pc, key) if cert == nil { t.Fatalf("X509CertByName(%v, %v)=<nil>; want non nil", pc, key) } err = signature.Check(blob, cert, sig) if err != nil { t.Errorf("Check(%v, %v, %v)=%v; want <nil>", blob, cert, sig, err) } }