package authority
import (
"crypto/ed25519"
"encoding/base64"
"encoding/json"
"errors"
"testing"
)
// TestVerifyRawAcceptsSignedPayload covers the accept path of VerifyRaw: a
// fresh Ed25519 key signs the CanonicalJSON form of a payload, and VerifyRaw,
// given the base64-encoded public key, the original payload and the signature
// envelope, must return a nil error.
//
// NOTE(review): the signature is computed over CanonicalJSON(payload) while
// VerifyRaw receives the un-canonicalized payload, so VerifyRaw presumably
// canonicalizes internally; confirm against its implementation. The literal
// below is already compact with sorted keys, so this case likely does not
// exercise reordered-key or whitespace input.
func TestVerifyRawAcceptsSignedPayload(t *testing.T) {
	// A nil reader makes GenerateKey draw from crypto/rand.Reader.
	pub, priv, err := ed25519.GenerateKey(nil)
	if err != nil {
		t.Fatalf("GenerateKey: %v", err)
	}

	doc := json.RawMessage(`{"cluster_id":"cluster-1","schema_version":"test.v1"}`)
	signedBytes, err := CanonicalJSON(doc)
	if err != nil {
		t.Fatalf("CanonicalJSON: %v", err)
	}

	// Build the envelope field by field, in the same order as its declaration
	// in the original literal: metadata first, then the detached signature.
	var envelope Signature
	envelope.SchemaVersion = SignatureSchemaVersion
	envelope.Algorithm = AlgorithmEd25519
	envelope.KeyFingerprint = Fingerprint(pub)
	envelope.Signature = base64.StdEncoding.EncodeToString(ed25519.Sign(priv, signedBytes))

	encodedKey := base64.StdEncoding.EncodeToString(pub)
	verifyErr := VerifyRaw(encodedKey, doc, envelope)
	if verifyErr != nil {
		t.Fatalf("VerifyRaw: %v", verifyErr)
	}
}
// TestVerifyRawRejectsTamperedPayload covers the integrity check of VerifyRaw:
// a signature produced over one payload must not validate a payload whose
// content was changed afterwards. The test signs a document with cluster_id
// "cluster-1", then presents the same signature with a document carrying
// "cluster-2", and requires an error matching ErrInvalidSignature.
//
// Only payload substitution is covered here; a wrong public key, a mismatched
// KeyFingerprint or a corrupted signature string are not exercised by this
// test.
func TestVerifyRawRejectsTamperedPayload(t *testing.T) {
	// A nil reader makes GenerateKey draw from crypto/rand.Reader.
	pub, priv, err := ed25519.GenerateKey(nil)
	if err != nil {
		t.Fatalf("GenerateKey: %v", err)
	}

	// The document that is actually signed.
	original := json.RawMessage(`{"cluster_id":"cluster-1","schema_version":"test.v1"}`)
	signedBytes, err := CanonicalJSON(original)
	if err != nil {
		t.Fatalf("CanonicalJSON: %v", err)
	}

	var envelope Signature
	envelope.SchemaVersion = SignatureSchemaVersion
	envelope.Algorithm = AlgorithmEd25519
	envelope.KeyFingerprint = Fingerprint(pub)
	envelope.Signature = base64.StdEncoding.EncodeToString(ed25519.Sign(priv, signedBytes))

	// Same shape as the signed document, different cluster_id value.
	tampered := json.RawMessage(`{"cluster_id":"cluster-2","schema_version":"test.v1"}`)

	encodedKey := base64.StdEncoding.EncodeToString(pub)
	verifyErr := VerifyRaw(encodedKey, tampered, envelope)
	// errors.Is also fails on a nil error, so silent acceptance is caught too.
	if !errors.Is(verifyErr, ErrInvalidSignature) {
		t.Fatalf("err = %v, want ErrInvalidSignature", verifyErr)
	}
}