test: keystore verify

2026-05-23 06:18:58 +00:00 · 2019-02-16 14:12:47 +01:00 · 2019-02-16 14:12:47 +01:00 · bcd920600d
commit bcd920600d
parent dca4969c4f
9 changed files with 129 additions and 27 deletions
--- a/lib/jwk/import.js
+++ b/lib/jwk/import.js
@ -13,7 +13,7 @@ const importable = new Set(['string', 'buffer', 'object'])
 const parametersTypes = new Set(['object', 'undefined'])

 const mergedParameters = (target = {}, source = {}) => {
-  return Object.assign({}, { alg: source.alg, use: source.use }, target)
+  return Object.assign({}, { alg: source.alg, use: source.use, kid: source.kid }, target)
 }

 const importKey = (key, parameters) => {
--- a/lib/jws/verify.js
+++ b/lib/jws/verify.js
@ -40,19 +40,22 @@ const jwsVerify = (skipValidateHeaders = false, serialization, jws, key) => {
      const keystore = key
      const combinedHeader = { ...parsedProt, ...header }
      const keys = keystore.all(combinedHeader)
-
-      for (const key of keys) {
-        try {
-          return jwsVerify(true, serialization, jws, key)
-        } catch (err) {
-          if (err instanceof JWSVerificationFailed) {
-            continue
+      if (keys.length === 1) {
+        key = keys[0]
+      } else {
+        for (const key of keys) {
+          try {
+            return jwsVerify(true, serialization, jws, key)
+          } catch (err) {
+            if (err instanceof JWSVerificationFailed) {
+              continue
+            }
+            throw err
          }
-          throw err
        }
-      }

-      throw new JWSVerificationFailed()
+        throw new JWSVerificationFailed()
+      }
    }

    alg = parsedProt.alg || header.alg
--- a/test/cookbook/4_1.rsa_v15_signature.test.js
+++ b/test/cookbook/4_1.rsa_v15_signature.test.js
@ -2,11 +2,14 @@ const test = require('ava')

 const recipe = require('./recipes').get('4.1')

-const { JWS, JWK } = require('../..')
+const { JWS, JWK: { importKey, generateSync }, JWKS: { KeyStore } } = require('../..')

 const { input: { payload, key: jwk }, signing: { protected: header } } = recipe

-const key = JWK.importKey(jwk)
+const key = importKey(jwk)
+
+const keystoreMatchOne = new KeyStore(generateSync(key.kty, key.length, { alg: key.alg, use: key.use }), key)
+const keystoreMatchMore = new KeyStore(generateSync(key.kty, key.length, { alg: key.alg, use: key.use, kid: key.kid }), key, importKey(key))

 test(`${recipe.title} - compact sign`, t => {
  t.is(JWS.sign(payload, key, header), recipe.output.compact)
@ -20,14 +23,28 @@ test(`${recipe.title} - general sign`, t => {
  t.deepEqual(JWS.sign.general(payload, key, header), recipe.output.json)
 })

-test(`${recipe.title} - compact verify`, t => {
+test(`${recipe.title} - compact verify (using key)`, t => {
  t.is(JWS.verify(recipe.output.compact, key), payload)
 })

-test(`${recipe.title} - flattened verify`, t => {
+test(`${recipe.title} - flattened verify (using key)`, t => {
  t.is(JWS.verify(recipe.output.json_flat, key), payload)
 })

-test(`${recipe.title} - general verify`, t => {
+test(`${recipe.title} - general verify (using key)`, t => {
  t.is(JWS.verify(recipe.output.json, key), payload)
 })
+
+;[keystoreMatchOne, keystoreMatchMore].forEach((keystore, i) => {
+  test(`${recipe.title} - compact verify (using keystore ${i + 1}/2)`, t => {
+    t.is(JWS.verify(recipe.output.compact, keystore), payload)
+  })
+
+  test(`${recipe.title} - flattened verify (using keystore ${i + 1}/2)`, t => {
+    t.is(JWS.verify(recipe.output.json_flat, keystore), payload)
+  })
+
+  test(`${recipe.title} - general verify (using keystore ${i + 1}/2)`, t => {
+    t.is(JWS.verify(recipe.output.json, keystore), payload)
+  })
+})
--- a/test/cookbook/4_2.rsa-pss_signature.test.js
+++ b/test/cookbook/4_2.rsa-pss_signature.test.js
@ -2,11 +2,14 @@ const test = require('ava')

 const recipe = require('./recipes').get('4.2')

-const { JWS, JWK } = require('../..')
+const { JWS, JWK: { importKey, generateSync }, JWKS: { KeyStore } } = require('../..')

 const { input: { payload, key: jwk }, signing: { protected: header } } = recipe

-const key = JWK.importKey(jwk)
+const key = importKey(jwk)
+
+const keystoreMatchOne = new KeyStore(generateSync(key.kty, key.length, { alg: key.alg, use: key.use }), key)
+const keystoreMatchMore = new KeyStore(generateSync(key.kty, key.length, { alg: key.alg, use: key.use, kid: key.kid }), key, importKey(key))

 test(`${recipe.title} - compact sign (random)`, t => {
  const res = JWS.sign(payload, key, header)
@ -37,3 +40,17 @@ test(`${recipe.title} - flattened verify`, t => {
 test(`${recipe.title} - general verify`, t => {
  t.is(JWS.verify(recipe.output.json, key), payload)
 })
+
+;[keystoreMatchOne, keystoreMatchMore].forEach((keystore, i) => {
+  test(`${recipe.title} - compact verify (using keystore ${i + 1}/2)`, t => {
+    t.is(JWS.verify(recipe.output.compact, keystore), payload)
+  })
+
+  test(`${recipe.title} - flattened verify (using keystore ${i + 1}/2)`, t => {
+    t.is(JWS.verify(recipe.output.json_flat, keystore), payload)
+  })
+
+  test(`${recipe.title} - general verify (using keystore ${i + 1}/2)`, t => {
+    t.is(JWS.verify(recipe.output.json, keystore), payload)
+  })
+})
--- a/test/cookbook/4_3.ecdsa_signature.test.js
+++ b/test/cookbook/4_3.ecdsa_signature.test.js
@ -2,11 +2,14 @@ const test = require('ava')

 const recipe = require('./recipes').get('4.3')

-const { JWS, JWK } = require('../..')
+const { JWS, JWK: { importKey, generateSync }, JWKS: { KeyStore } } = require('../..')

 const { input: { payload, key: jwk }, signing: { protected: header } } = recipe

-const key = JWK.importKey(jwk)
+const key = importKey(jwk)
+
+const keystoreMatchOne = new KeyStore(generateSync(key.kty, key.crv, { alg: key.alg, use: key.use }), key)
+const keystoreMatchMore = new KeyStore(generateSync(key.kty, key.crv, { alg: key.alg, use: key.use, kid: key.kid }), key, importKey(key))

 test(`${recipe.title} - compact sign (random)`, t => {
  const res = JWS.sign(payload, key, header)
@ -37,3 +40,17 @@ test(`${recipe.title} - flattened verify`, t => {
 test(`${recipe.title} - general verify`, t => {
  t.is(JWS.verify(recipe.output.json, key), payload)
 })
+
+;[keystoreMatchOne, keystoreMatchMore].forEach((keystore, i) => {
+  test(`${recipe.title} - compact verify (using keystore ${i + 1}/2)`, t => {
+    t.is(JWS.verify(recipe.output.compact, keystore), payload)
+  })
+
+  test(`${recipe.title} - flattened verify (using keystore ${i + 1}/2)`, t => {
+    t.is(JWS.verify(recipe.output.json_flat, keystore), payload)
+  })
+
+  test(`${recipe.title} - general verify (using keystore ${i + 1}/2)`, t => {
+    t.is(JWS.verify(recipe.output.json, keystore), payload)
+  })
+})
--- a/test/cookbook/4_4.hmac-sha2_integrity_protection.test.js
+++ b/test/cookbook/4_4.hmac-sha2_integrity_protection.test.js
@ -2,11 +2,14 @@ const test = require('ava')

 const recipe = require('./recipes').get('4.4')

-const { JWS, JWK } = require('../..')
+const { JWS, JWK: { importKey, generateSync }, JWKS: { KeyStore } } = require('../..')

 const { input: { payload, key: jwk }, signing: { protected: header } } = recipe

-const key = JWK.importKey(jwk)
+const key = importKey(jwk)
+
+const keystoreMatchOne = new KeyStore(generateSync(key.kty, key.length, { alg: key.alg, use: key.use }), key)
+const keystoreMatchMore = new KeyStore(generateSync(key.kty, key.length, { alg: key.alg, use: key.use, kid: key.kid }), key, importKey(key))

 test(`${recipe.title} - compact sign`, t => {
  t.is(JWS.sign(payload, key, header), recipe.output.compact)
@ -31,3 +34,17 @@ test(`${recipe.title} - flattened verify`, t => {
 test(`${recipe.title} - general verify`, t => {
  t.is(JWS.verify(recipe.output.json, key), payload)
 })
+
+;[keystoreMatchOne, keystoreMatchMore].forEach((keystore, i) => {
+  test(`${recipe.title} - compact verify (using keystore ${i + 1}/2)`, t => {
+    t.is(JWS.verify(recipe.output.compact, keystore), payload)
+  })
+
+  test(`${recipe.title} - flattened verify (using keystore ${i + 1}/2)`, t => {
+    t.is(JWS.verify(recipe.output.json_flat, keystore), payload)
+  })
+
+  test(`${recipe.title} - general verify (using keystore ${i + 1}/2)`, t => {
+    t.is(JWS.verify(recipe.output.json, keystore), payload)
+  })
+})
--- a/test/cookbook/4_6.protecting_specific_header_fields.test.js
+++ b/test/cookbook/4_6.protecting_specific_header_fields.test.js
@ -2,11 +2,14 @@ const test = require('ava')

 const recipe = require('./recipes').get('4.6')

-const { JWS, JWK } = require('../..')
+const { JWS, JWK: { importKey, generateSync }, JWKS: { KeyStore } } = require('../..')

 const { input: { payload, key: jwk }, signing: { protected: protec, unprotected } } = recipe

-const key = JWK.importKey(jwk)
+const key = importKey(jwk)
+
+const keystoreMatchOne = new KeyStore(generateSync(key.kty, key.length, { alg: key.alg, use: key.use }), key)
+const keystoreMatchMore = new KeyStore(generateSync(key.kty, key.length, { alg: key.alg, use: key.use, kid: key.kid }), key, importKey(key))

 test(`${recipe.title} - flattened sign`, t => {
  t.deepEqual(JWS.sign.flattened(payload, key, protec, unprotected), recipe.output.json_flat)
@ -23,3 +26,13 @@ test(`${recipe.title} - flattened verify`, t => {
 test(`${recipe.title} - general verify`, t => {
  t.is(JWS.verify(recipe.output.json, key), payload)
 })
+
+;[keystoreMatchOne, keystoreMatchMore].forEach((keystore, i) => {
+  test(`${recipe.title} - flattened verify (using keystore ${i + 1}/2)`, t => {
+    t.is(JWS.verify(recipe.output.json_flat, keystore), payload)
+  })
+
+  test(`${recipe.title} - general verify (using keystore ${i + 1}/2)`, t => {
+    t.is(JWS.verify(recipe.output.json, keystore), payload)
+  })
+})
--- a/test/cookbook/4_7.protecting_content_only.test.js
+++ b/test/cookbook/4_7.protecting_content_only.test.js
@ -2,11 +2,14 @@ const test = require('ava')

 const recipe = require('./recipes').get('4.7')

-const { JWS, JWK } = require('../..')
+const { JWS, JWK: { importKey, generateSync }, JWKS: { KeyStore } } = require('../..')

 const { input: { payload, key: jwk }, signing: { unprotected } } = recipe

-const key = JWK.importKey(jwk)
+const key = importKey(jwk)
+
+const keystoreMatchOne = new KeyStore(generateSync(key.kty, key.length, { alg: key.alg, use: key.use }), key)
+const keystoreMatchMore = new KeyStore(generateSync(key.kty, key.length, { alg: key.alg, use: key.use, kid: key.kid }), key, importKey(key))

 test(`${recipe.title} - flattened sign`, t => {
  t.deepEqual(JWS.sign.flattened(payload, key, undefined, unprotected), recipe.output.json_flat)
@ -23,3 +26,13 @@ test(`${recipe.title} - flattened verify`, t => {
 test(`${recipe.title} - general verify`, t => {
  t.is(JWS.verify(recipe.output.json, key), payload)
 })
+
+;[keystoreMatchOne, keystoreMatchMore].forEach((keystore, i) => {
+  test(`${recipe.title} - flattened verify (using keystore ${i + 1}/2)`, t => {
+    t.is(JWS.verify(recipe.output.json_flat, keystore), payload)
+  })
+
+  test(`${recipe.title} - general verify (using keystore ${i + 1}/2)`, t => {
+    t.is(JWS.verify(recipe.output.json, keystore), payload)
+  })
+})
--- a/test/cookbook/4_8.multiple_signatures.test.js
+++ b/test/cookbook/4_8.multiple_signatures.test.js
@ -2,11 +2,12 @@ const test = require('ava')

 const recipe = require('./recipes').get('4.8')

-const { JWS, JWK } = require('../..')
+const { JWS, JWK, JWKS: { KeyStore } } = require('../..')

 const { input: { payload, key: jwks }, signing: recipients } = recipe

 const keys = jwks.map((jwk) => JWK.importKey(jwk))
+const keystore = new KeyStore(...keys)

 test(`${recipe.title} - general sign`, t => {
  const jws = new JWS.Sign(payload)
@ -34,3 +35,7 @@ keys.forEach((key, i) => {
    t.is(JWS.verify(recipe.output.json, key), payload)
  })
 })
+
+test(`${recipe.title} - general verify - keystore`, t => {
+  t.is(JWS.verify(recipe.output.json, keystore), payload)
+})