Add response signature per the new Sec. 2.4

yaronf · yaronf · commit 08e7c578b9c7 · 2023-05-27T18:01:00.000+03:00
diff --git a/signatures_test.go b/signatures_test.go
@@ -1750,6 +1750,7 @@ Signature: sig1=:vR1E+sDgh0J3dZyVdPc7mK0ZbEMW3N47eDpFjXLE9g95Gx1KQLpdOmDQfedgdLz
 `
 
 // ";req" use case from draft, Sec. 2.3 of draft -10
+// Note this has been changed with draft -17, see TestRequestBinding17
 func TestRequestBinding(t *testing.T) {
 	req := readRequest(httpreq6)
 	contentDigest := req.Header.Values("Content-Digest")
@@ -1993,3 +1994,59 @@ func TestQPEncoding(t *testing.T) {
 "@signature-params": ("@query-param";name="var" "@query-param";name="bar" "@query-param";name="fa%C3%A7ade%22%3A%20");created=8888;alg="hmac-sha256";keyid="key1"`
 	assert.Equal(t, expected, sigBase)
 }
+
+// TODO: this is changed from the example in the draft, specifically the Host header is different
+var httpreq11 = `POST /foo?param=Value&Pet=dog HTTP/1.1
+Host: origin.host.internal.example
+Date: Tue, 20 Apr 2021 02:07:55 GMT
+Content-Type: application/json
+Content-Digest: sha-512=:WZDPaVn/7XgHaAy8pmojAkGWoRx2UFChF41A2svX+TaPm+AbwAgBWnrIiYllu7BNNyealdVLvRwEmTHWXvJwew==:
+Content-Length: 18
+
+{"hello": "world"}
+`
+
+var httpres9 = `HTTP/1.1 503 Service Unavailable
+Date: Tue, 20 Apr 2021 02:07:56 GMT
+Content-Type: application/json
+Content-Length: 62
+Content-Digest: sha-512=:0Y6iCBzGg5rZtoXS95Ijz03mslf6KAMCloESHObfwnHJDbkkWWQz6PhhU9kxsTbARtY2PTBOzq24uJFpHsMuAg==:
+Signature-Input: reqres=("@status" "content-digest" "content-type" "@authority";req "@method";req "@path";req "content-digest";req);created=1618884479;keyid="test-key-ecc-p256"
+Signature: reqres=:9MG6AOgykOZTc/h2rnDc/g8L+/aXgdkV4hNDvpCxfbVrmLevWPfyvEC/8jBh+3XnVwBqqcJyhUXoFgWv1SMI7A==:
+
+{"busy": true, "message": "Your call is very important to us"}
+`
+
+// ";req" use case from draft, with the latest draft -17 corrections (Sec. 2.4)
+func TestRequestBinding17(t *testing.T) {
+	req := readRequest(httpreq11)
+	reqContentDigest := req.Header.Values("Content-Digest")
+	err := ValidateContentDigestHeader(reqContentDigest, &req.Body, []string{DigestSha512})
+	assert.NoError(t, err, "validate request digest")
+
+	res := readResponse(httpres9)
+	pubKey2, err := parseECPublicKeyFromPemStr(p256PubKey2)
+	assert.NoError(t, err, "read pub key")
+	fields2 := *NewFields().AddHeaders("@status", "content-digest", "content-type").
+		AddHeaderExt("@authority", false, false, true, false).
+		AddHeaderExt("@method", false, false, true, false).
+		AddHeaderExt("@path", false, false, true, false).
+		AddHeaderExt("content-digest", false, false, true, false)
+	verifier2, err := NewP256Verifier("test-key-ecc-p256", *pubKey2, NewVerifyConfig().SetVerifyCreated(false), fields2)
+	assert.NoError(t, err, "create verifier")
+	sigBase, err := verifyResponseDebug("reqres", *verifier2, res, req)
+	expected := `"@status": 503
+"content-digest": sha-512=:0Y6iCBzGg5rZtoXS95Ijz03mslf6KAMCloESHObfwnHJDbkkWWQz6PhhU9kxsTbARtY2PTBOzq24uJFpHsMuAg==:
+"content-type": application/json
+"@authority";req: origin.host.internal.example
+"@method";req: POST
+"@path";req: /foo
+"content-digest";req: sha-512=:WZDPaVn/7XgHaAy8pmojAkGWoRx2UFChF41A2svX+TaPm+AbwAgBWnrIiYllu7BNNyealdVLvRwEmTHWXvJwew==:
+"@signature-params": ("@status" "content-digest" "content-type" "@authority";req "@method";req "@path";req "content-digest";req);created=1618884479;keyid="test-key-ecc-p256"`
+	assert.NoError(t, err, "verify response")
+	assert.Equal(t, expected, sigBase, "Incorrect signature base for response")
+
+	responseContentDigest := res.Header.Values("Content-Digest")
+	err = ValidateContentDigestHeader(responseContentDigest, &res.Body, []string{DigestSha512})
+	assert.NoError(t, err, "validate response digest")
+}
