
Commit 0f7036f

committed
Coverage
1 parent 92c6fe6 commit 0f7036f


2 files changed

+43
-5
lines changed


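--- a/crypto.go
+++ b/crypto.go
@@ -222,6 +222,9 @@ func NewHMACSHA256Verifier(keyID string, key []byte, config *VerifyConfig, field
 if config == nil {
 config = NewVerifyConfig()
 }
+if config.verifyKeyID && keyID == "" {
+return nil, fmt.Errorf("keyID should not be empty")
+}
 return &Verifier{
 keyID: keyID,
 key: key,
@@ -237,6 +240,9 @@ func NewRSAVerifier(keyID string, key rsa.PublicKey, config *VerifyConfig, field
 if config == nil {
 config = NewVerifyConfig()
 }
+if config.verifyKeyID && keyID == "" {
+return nil, fmt.Errorf("keyID should not be empty")
+}
 return &Verifier{
 keyID: keyID,
 key: key,
@@ -252,6 +258,9 @@ func NewRSAPSSVerifier(keyID string, key rsa.PublicKey, config *VerifyConfig, fi
 if config == nil {
 config = NewVerifyConfig()
 }
+if config.verifyKeyID && keyID == "" {
+return nil, fmt.Errorf("keyID should not be empty")
+}
 return &Verifier{
 keyID: keyID,
 key: key,
@@ -267,6 +276,9 @@ func NewP256Verifier(keyID string, key ecdsa.PublicKey, config *VerifyConfig, fi
 if config == nil {
 config = NewVerifyConfig()
 }
+if config.verifyKeyID && keyID == "" {
+return nil, fmt.Errorf("keyID should not be empty")
+}
 return &Verifier{
 keyID: keyID,
 key: key,
@@ -285,6 +297,9 @@ func NewEd25519Verifier(keyID string, key ed25519.PublicKey, config *VerifyConfi
 if config == nil {
 config = NewVerifyConfig()
 }
+if config.verifyKeyID && keyID == "" {
+return nil, fmt.Errorf("keyID should not be empty")
+}
 return &Verifier{
 keyID: keyID,
 key: key,
@@ -301,6 +316,12 @@ func NewJWSVerifier(alg jwa.SignatureAlgorithm, key interface{}, keyID string, c
 if key == nil {
 return nil, fmt.Errorf("key must not be nil")
 }
+if config == nil {
+config = NewVerifyConfig()
+}
+if config.verifyKeyID && keyID == "" {
+return nil, fmt.Errorf("keyID should not be empty")
+}
 if alg == jwa.NoSignature {
 return nil, fmt.Errorf("the NONE signing algorithm is expressly disallowed")
 }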
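Review bot: The empty-keyID guard is pasted verbatim into all six constructors (NewHMACSHA256Verifier through NewJWSVerifier), and the test changes in this commit never reach it, since the added "bad keyID" case passes a non-empty, mismatched ID. Consider one unexported helper holding the check, called for example as `if err := requireKeyID(config, keyID); err != nil { return nil, err }`, returning a package-level sentinel built with `errors.New` so callers can match it with `errors.Is`. The message would also read more consistently as "keyID must not be empty", next to the existing "key must not be nil" in NewJWSVerifier. Each constructor's doc comment should say that an empty keyID is rejected only when key-ID verification is enabled, because with it disabled the verifier is still built with no key identifier to compare against. The constructor bodies start and continue outside these hunks, so whether the key material itself is validated cannot be judged from here.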

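--- a/signatures_test.go
+++ b/signatures_test.go
@@ -939,7 +939,7 @@ func TestVerifyRequest(t *testing.T) {
 name: "test case B.2.1",
 args: args{
 signatureName: "sig-b21",
-verifier: makeRSAVerifier(t, *NewFields()),
+verifier: makeRSAVerifier(t, "test-key-rsa-pss", *NewFields()),
 req: readRequest(httpreq1pssMinimal),
 },
 want: true,
@@ -1001,7 +1001,7 @@ func TestVerifyRequest(t *testing.T) {
 name: "verify bad sig (not base64)",
 args: args{
 signatureName: "sig1",
-verifier: makeRSAVerifier(t, *NewFields()),
+verifier: makeRSAVerifier(t, "test-key-rsa-pss", *NewFields()),
 req: readRequest(httpreq1pssSelectiveBad),
 },
 want: false,
@@ -1011,12 +1011,29 @@ func TestVerifyRequest(t *testing.T) {
 name: "missing fields",
 args: args{
 signatureName: "sig1",
-verifier: makeRSAVerifier(t, *NewFields().AddQueryParam("missing")),
+verifier: makeRSAVerifier(t, "test-key-rsa-pss", *NewFields().AddQueryParam("missing")),
 req: readRequest(httpreq1pssMinimal),
 },
 want: false,
 wantErr: true,
 },
+{
+name: "bad keyID",
+args: args{
+signatureName: "sig-b22",
+verifier: (func() Verifier {
+pubKey, err := parseRsaPublicKeyFromPemStr(rsaPSSPubKey)
+if err != nil {
+t.Errorf("cannot parse public key: %v", err)
+}
+verifier, _ := NewRSAPSSVerifier("bad-key-id", *pubKey, NewVerifyConfig().SetVerifyCreated(false), *NewFields())
+return *verifier
+})(),
+req: readRequest(httpreq1pssSelective),
+},
+want: false,
+wantErr: true,
+},
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
@@ -1029,13 +1046,13 @@ func TestVerifyRequest(t *testing.T) {
 }
 }
 
-func makeRSAVerifier(t *testing.T, fields Fields) Verifier {
+func makeRSAVerifier(t *testing.T, keyID string, fields Fields) Verifier {
 return (func() Verifier {
 pubKey, err := parseRsaPublicKeyFromPemStr(rsaPSSPubKey)
 if err != nil {
 t.Errorf("cannot parse public key: %v", err)
 }
-verifier, _ := NewRSAPSSVerifier("test-key-rsa-pss", *pubKey, NewVerifyConfig().SetVerifyCreated(false), fields)
+verifier, _ := NewRSAPSSVerifier(keyID, *pubKey, NewVerifyConfig().SetVerifyCreated(false), fields)
 return *verifier
 })()
 }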
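Review bot: Both makeRSAVerifier and the new "bad keyID" case discard the constructor error with `verifier, _ := NewRSAPSSVerifier(...)` and then dereference `*verifier`, although this commit makes the constructor return `nil, err` for an empty keyID and makeRSAVerifier now takes the keyID from its caller. If key-ID verification is on by default in NewVerifyConfig (not visible here), an empty argument would panic the test binary instead of failing one case; keep the error and stop with `if err != nil { t.Fatalf("cannot create verifier: %v", err) }`. The public-key parse has the same problem, because `t.Errorf` lets execution continue to `*pubKey`, so `t.Fatalf` is the safer call there too. The new case could reuse the helper as `makeRSAVerifier(t, "bad-key-id", *NewFields())` instead of repeating its body. A further case that passes an empty keyID and asserts the constructor error would cover the guard added in crypto.go.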
