More testing

yaronf · yaronf · commit a873bb09031c · 2022-02-02T01:25:52.000+02:00
diff --git a/crypto.go b/crypto.go
@@ -336,6 +336,9 @@ func NewEd25519Verifier(keyID string, key *ed25519.PublicKey, config *VerifyConf
 // is documented in that package. Set config to nil for a default configuration.
 // Fields is the list of required headers and fields, which may be empty (but this is typically insecure).
 func NewJWSVerifier(alg jwa.SignatureAlgorithm, key interface{}, keyID string, config *VerifyConfig, fields Fields) (*Verifier, error) {
+	if alg == jwa.NoSignature {
+		return nil, fmt.Errorf("the NONE signing algorithm is expressly disallowed")
+	}
 	verifier, err := jws.NewVerifier(alg)
 	if err != nil {
 		return nil, err
diff --git a/crypto_test.go b/crypto_test.go
@@ -4,6 +4,7 @@ import (
 	"crypto/rand"
 	"crypto/rsa"
 	"github.com/lestrrat-go/jwx/jwa"
+	"github.com/lestrrat-go/jwx/jws"
 	"reflect"
 	"strings"
 	"testing"
@@ -210,3 +211,144 @@ func TestForeignSigner(t *testing.T) {
 		t.Errorf("verification error: %s", err)
 	}
 }
+
+func makeRSAPrivateKey() *rsa.PrivateKey {
+	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
+	return priv
+}
+func TestNewRSASigner1(t *testing.T) {
+	type args struct {
+		keyID  string
+		key    *rsa.PrivateKey
+		config *SignConfig
+		fields Fields
+	}
+	key := makeRSAPrivateKey()
+	tests := []struct {
+		name    string
+		args    args
+		want    *Signer
+		wantErr bool
+	}{
+		{
+			name: "happy path",
+			args: args{
+				keyID:  "key100",
+				key:    key,
+				config: nil,
+				fields: *NewFields(),
+			},
+			want: &Signer{
+				keyID:         "key100",
+				key:           key,
+				alg:           "rsa-v1_5-sha256",
+				config:        NewSignConfig(),
+				fields:        Fields{},
+				foreignSigner: nil,
+			},
+			wantErr: false,
+		},
+		{
+			name: "nil fields",
+			args: args{
+				keyID:  "key100",
+				key:    key,
+				config: nil,
+				fields: nil,
+			},
+			want:    nil,
+			wantErr: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := NewRSASigner(tt.args.keyID, tt.args.key, tt.args.config, tt.args.fields)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("NewRSASigner() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			if !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("NewRSASigner() got = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
+
+func TestNewJWSVerifier(t *testing.T) {
+	type args struct {
+		alg    jwa.SignatureAlgorithm
+		key    interface{}
+		keyID  string
+		config *VerifyConfig
+		fields Fields
+	}
+	verifier, _ := jws.NewVerifier("HS256")
+	tests := []struct {
+		name    string
+		args    args
+		want    *Verifier
+		wantErr bool
+	}{
+		{
+			name: "happy path",
+			args: args{
+				alg:    jwa.SignatureAlgorithm("HS256"),
+				key:    "1234",
+				keyID:  "key200",
+				config: NewVerifyConfig(),
+				fields: *NewFields(),
+			},
+			want: &Verifier{
+				keyID:           "key200",
+				key:             "1234",
+				alg:             "HS256",
+				config:          NewVerifyConfig(),
+				fields:          *NewFields(),
+				foreignVerifier: verifier,
+			},
+			wantErr: false,
+		},
+		{
+			name: "none",
+			args: args{
+				alg:    jwa.NoSignature,
+				key:    "1234",
+				keyID:  "key200",
+				config: NewVerifyConfig(),
+				fields: *NewFields(),
+			},
+			want:    nil,
+			wantErr: true,
+		},
+		{
+			name: "bad verifier",
+			args: args{
+				alg:    jwa.SignatureAlgorithm("bad"),
+				key:    "1234",
+				keyID:  "key200",
+				config: NewVerifyConfig(),
+				fields: *NewFields(),
+			},
+			want:    nil,
+			wantErr: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := NewJWSVerifier(tt.args.alg, tt.args.key, tt.args.keyID, tt.args.config, tt.args.fields)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("NewJWSVerifier() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			if got != nil {
+				got.foreignVerifier = nil
+			}
+			if tt.want != nil {
+				tt.want.foreignVerifier = nil
+			}
+			if !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("NewJWSVerifier() got = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
diff --git a/fields.go b/fields.go
@@ -10,6 +10,7 @@ import (
 // cases, NewFields followed by a chain of Add... methods.
 type Fields []field
 
+// The SFV representation of a field is name;flagName="flagValue"
 type field struct {
 	name                string
 	flagName, flagValue string
@@ -27,8 +28,7 @@ func (f *field) String() string {
 func HeaderList(hs []string) Fields {
 	var f []field
 	for _, h := range hs {
-		hd := strings.ToLower(h) // loop variable scope pitfall!
-		f = append(f, field{hd, "", ""})
+		f = append(f, *fromHeaderName(h))
 	}
 	return f
 }
@@ -52,21 +52,9 @@ func (fs *Fields) AddHeader(hdr string) *Fields {
 	return fs
 }
 
-// addHeaderAndFlag appends a header name, a flag and a value. This eventually results
-// in the signature input "header-name";name="val"
-func (fs *Fields) addHeaderAndFlag(hdr, flagName, flagValue string) *Fields {
-	h := strings.ToLower(hdr)
-	fn := strings.ToLower(flagName)
-	fv := flagValue
-	*fs = append(*fs, field{h, fn, fv})
-	return fs
-}
-
 func fromQueryParam(qp string) *field {
 	q := strings.ToLower(qp)
-	name := "@query-params"
-	flagName := "name"
-	f := field{name, flagName, q}
+	f := field{"@query-params", "name", q}
 	return &f
 }
 
diff --git a/signatures.go b/signatures.go
@@ -1,8 +1,8 @@
 // Package httpsign signs HTTP requests and responses as defined in draft-ietf-httpbis-message-signatures.
 // See https://www.ietf.org/archive/id/draft-ietf-httpbis-message-signatures-07.html.
 //
-// For client-side message signing, use the Client wrapper. Alternatively, use SignRequest, VerifyResponse directly,
-// but this is more complicated.
+// For client-side message signing and verification, use the Client wrapper.
+// Alternatively, use SignRequest, VerifyResponse directly, but this is more complicated.
 // For server-side operation,
 // WrapHandler installs a wrapper around a normal HTTP message handler.
 package httpsign
@@ -17,21 +17,21 @@ import (
 )
 
 func signMessage(config SignConfig, signatureName string, signer Signer, parsedMessage parsedMessage,
-	fields Fields) (sigInputHeader string, signature string, err error) {
+	fields Fields) (signatureInputHeader, signature, signatureInput string, err error) {
 	sigParams, err := generateSigParams(&config, signer.keyID, signer.alg, signer.foreignSigner, fields)
 	if err != nil {
-		return "", "", err
+		return "", "", "", err
 	}
-	sigInputHeader = fmt.Sprintf("%s=%s", signatureName, sigParams)
-	signatureInput, err := generateSignatureInput(parsedMessage, fields, sigParams)
+	signatureInputHeader = fmt.Sprintf("%s=%s", signatureName, sigParams)
+	signatureInput, err = generateSignatureInput(parsedMessage, fields, sigParams)
 	if err != nil {
-		return "", "", err
+		return "", "", "", err
 	}
 	signature, err = generateSignature(signatureName, signer, signatureInput)
 	if err != nil {
-		return "", "", err
+		return "", "", "", err
 	}
-	return sigInputHeader, signature, nil
+	return signatureInputHeader, signature, signatureInput, nil
 }
 
 func generateSignature(name string, signer Signer, input string) (string, error) {
@@ -155,19 +155,25 @@ func generateSigParams(config *SignConfig, keyID, alg string, foreignSigner inte
 //
 // SignRequest signs an HTTP request. Returns the Signature-Input and the Signature header values.
 //
-func SignRequest(signatureName string, signer Signer, req *http.Request) (signatureInput, signature string, err error) {
+func SignRequest(signatureName string, signer Signer, req *http.Request) (signatureInputHeader, signature string, err error) {
+	signatureInputHeader, signature, _, err = signRequestDebug(signatureName, signer, req)
+	return
+}
+
+// Same as SignRequest, but also returns the raw signature input string
+func signRequestDebug(signatureName string, signer Signer, req *http.Request) (signatureInputHeader, signature, signatureInput string, err error) {
 	if req == nil {
-		return "", "", fmt.Errorf("nil request")
+		return "", "", "", fmt.Errorf("nil request")
 	}
 	if signatureName == "" {
-		return "", "", fmt.Errorf("empty signature name")
+		return "", "", "", fmt.Errorf("empty signature name")
 	}
 	if signer.config.requestResponse != nil {
-		return "", "", fmt.Errorf("use request-response only to sign responses")
+		return "", "", "", fmt.Errorf("use request-response only to sign responses")
 	}
 	parsedMessage, err := parseRequest(req)
 	if err != nil {
-		return "", "", err
+		return "", "", "", err
 	}
 	return signMessage(*signer.config, signatureName, signer, *parsedMessage, signer.fields)
 }
@@ -187,7 +193,8 @@ func SignResponse(signatureName string, signer Signer, res *http.Response) (sign
 		return "", "", err
 	}
 	extendedFields := addPseudoHeaders(parsedMessage, signer.config.requestResponse, signer.fields)
-	return signMessage(*signer.config, signatureName, signer, *parsedMessage, extendedFields)
+	signatureInput, signature, _, err = signMessage(*signer.config, signatureName, signer, *parsedMessage, extendedFields)
+	return
 }
 
 // Handle the special header-like @request-response
diff --git a/signatures_test.go b/signatures_test.go
