Annotate
spec/util_paseto_spec.lua @ 13801:a5d5fefb8b68 13.0
mod_tls: Enable Prosody's certificate checking for incoming s2s connections (fixes #1916) (thanks Damian, Zash)

Various options in Prosody allow control over the behaviour of the certificate
verification process. For example, some deployments choose to allow falling
back to traditional "dialback" authentication (XEP-0220), while others verify
via DANE, hard-coded fingerprints, or other custom plugins.

Implementing this flexibility requires us to override OpenSSL's default
certificate verification, to allow Prosody to verify the certificate itself,
apply custom policies and make decisions based on the outcome.

To enable our custom logic, we have to suppress OpenSSL's default behaviour of
aborting the connection with a TLS alert message. With LuaSec, this can be
achieved by using the verifyext "lsec_continue" flag.

We also need to use the lsec_ignore_purpose flag, because XMPP s2s uses server
certificates as "client" certificates (for mutual TLS verification in outgoing
s2s connections).

Commit 99d2100d2918 moved these settings out of the defaults and into mod_s2s,
because we only really need these changes for s2s, and they should be opt-in,
rather than automatically applied to all TLS services we offer.

That commit was incomplete, because it only added the flags for incoming
direct TLS connections. StartTLS connections are handled by mod_tls, which was
not applying the lsec_* flags. It previously worked because they were already
in the defaults.

This resulted in incoming s2s connections with "invalid" certificates being
aborted early by OpenSSL, even if settings such as `s2s_secure_auth = false`
or DANE were present in the config.

Outgoing s2s connections inherit verify "none" from the defaults, which means
OpenSSL will receive the cert but will not terminate the connection when it is
deemed invalid. This means we don't need lsec_continue there, and we also
don't need lsec_ignore_purpose (because the remote peer is a "server").

Wondering why we can't just use verify "none" for incoming s2s? It's because
in that mode, OpenSSL won't request a certificate from the peer for incoming
connections. Setting verify "peer" is how you ask OpenSSL to request a
certificate from the client, but also what triggers its built-in verification.

| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Tue, 01 Apr 2025 17:26:56 +0100 |
| parent | 12841:8b06d7c73090 |
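
With `lsec_continue` set as the commit message describes, a completed handshake no longer vouches for the peer certificate, so the application has to query the verification result and apply its own policy. The following is an added example, not Prosody's code: it relies on LuaSec's `getpeercertificate()` and `getpeerverification()` connection methods, while `decide_s2s_auth`, `policy.secure_auth`, the `identity_ok` callback and the stub connection are hypothetical names constructed for illustration.

```lua
-- Added illustration, not Prosody source. Runs with plain Lua: the connection
-- objects below are constructed stubs exposing the two LuaSec methods used.

-- Context parameters for incoming s2s, in the table shape ssl.newcontext() takes.
-- verify "peer" makes OpenSSL request the client certificate; lsec_continue
-- stops it aborting on a bad one, which makes the check below mandatory.
local incoming_s2s_params = {
	mode = "server";
	verify = { "peer" };
	verifyext = { "lsec_continue", "lsec_ignore_purpose" };
};

-- Hypothetical policy step, run after the handshake has completed.
-- policy.secure_auth mirrors the s2s_secure_auth option named in the commit message.
-- identity_ok(cert) is an assumed callback matching the cert to the claimed domain.
local function decide_s2s_auth(conn, policy, identity_ok)
	local fallback = policy.secure_auth and "reject" or "dialback";

	local cert = conn:getpeercertificate();
	if not cert then
		return fallback, "no certificate presented";
	end

	-- The handshake succeeded regardless of validity, so ask explicitly.
	-- LuaSec returns true, or false plus a table of error lists keyed by chain depth.
	local chain_ok, errors = conn:getpeerverification();
	if chain_ok and identity_ok(cert) then
		return "certificate";
	end

	local reasons = {};
	for depth, list in pairs(errors or {}) do
		reasons[#reasons + 1] = ("depth %d: %s"):format(depth, table.concat(list, ", "));
	end
	if chain_ok then
		reasons[#reasons + 1] = "identity mismatch";
	end
	return fallback, table.concat(reasons, "; ");
end

-- Constructed stub standing in for a LuaSec connection object.
local function stub_conn(cert, chain_ok, errors)
	return {
		getpeercertificate = function () return cert; end;
		getpeerverification = function () return chain_ok, errors; end;
	};
end

local valid = stub_conn({}, true);
local self_signed = stub_conn({}, false, { [1] = { "self signed certificate" } });
local no_cert = stub_conn(nil, false);
local matches = function () return true; end

print(incoming_s2s_params.verifyext[1]);
print(decide_s2s_auth(valid, { secure_auth = true }, matches));
print(decide_s2s_auth(self_signed, { secure_auth = false }, matches));
print(decide_s2s_auth(self_signed, { secure_auth = true }, matches));
print(decide_s2s_auth(no_cert, { secure_auth = true }, matches));
```
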
| rev | line source |
|---|---|
|
12712
719a72f14e90
util.paseto: Add tests based on official PASETO test vectors
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
1 -- Ignore long lines in this file |
|
719a72f14e90
util.paseto: Add tests based on official PASETO test vectors
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
2 --luacheck: ignore 631 |
|
719a72f14e90
util.paseto: Add tests based on official PASETO test vectors
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
3 |
|
719a72f14e90
util.paseto: Add tests based on official PASETO test vectors
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
4 describe("util.paseto", function () |
|
719a72f14e90
util.paseto: Add tests based on official PASETO test vectors
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
5 local paseto = require "util.paseto"; |
|
719a72f14e90
util.paseto: Add tests based on official PASETO test vectors
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
6 local json = require "util.json"; |
|
12840
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
7 local hex = require "util.hex"; |
|
12712
719a72f14e90
util.paseto: Add tests based on official PASETO test vectors
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
8 |
|
12840
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
9 describe("v3.local", function () |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
10 local function parse_test_cases(json_test_cases) |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
11 local input_cases = json.decode(json_test_cases); |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
12 local output_cases = {}; |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
13 for _, case in ipairs(input_cases) do |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
14 assert.is_string(case.name, "Bad test case: expected name"); |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
15 assert.is_nil(output_cases[case.name], "Bad test case: duplicate name"); |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
16 output_cases[case.name] = function () |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
17 local key = hex.decode(case.key); |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
18 local payload, err = paseto.v3_local.decrypt(case.token, key, case.footer, case["implicit-assertion"]); |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
19 if case["expect-fail"] then |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
20 assert.is_nil(payload); |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
21 else |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
22 assert.is_nil(err); |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
23 assert.same(json.decode(case.payload), payload); |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
24 end |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
25 end; |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
26 end |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
27 return output_cases; |
|
12712
719a72f14e90
util.paseto: Add tests based on official PASETO test vectors
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
28 end |
|
12840
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
29 |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
30 local test_cases = parse_test_cases [=[[ |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
31 { |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
32 "name": "3-E-1", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
33 "expect-fail": false, |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
34 "key": "707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
35 "nonce": "0000000000000000000000000000000000000000000000000000000000000000", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
36 "token": "v3.local.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADbfcIURX_0pVZVU1mAESUzrKZAsRm2EsD6yBoZYn6cpVZNzSJOhSDN-sRaWjfLU-yn9OJH1J_B8GKtOQ9gSQlb8yk9Iza7teRdkiR89ZFyvPPsVjjFiepFUVcMa-LP18zV77f_crJrVXWa5PDNRkCSeHfBBeg", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
37 "payload": "{\"data\":\"this is a secret message\",\"exp\":\"2022-01-01T00:00:00+00:00\"}", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
38 "footer": "", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
39 "implicit-assertion": "" |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
40 }, |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
41 { |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
42 "name": "3-E-2", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
43 "expect-fail": false, |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
44 "key": "707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
45 "nonce": "0000000000000000000000000000000000000000000000000000000000000000", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
46 "token": "v3.local.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADbfcIURX_0pVZVU1mAESUzrKZAqhWxBMDgyBoZYn6cpVZNzSJOhSDN-sRaWjfLU-yn9OJH1J_B8GKtOQ9gSQlb8yk9IzZfaZpReVpHlDSwfuygx1riVXYVs-UjcrG_apl9oz3jCVmmJbRuKn5ZfD8mHz2db0A", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
47 "payload": "{\"data\":\"this is a hidden message\",\"exp\":\"2022-01-01T00:00:00+00:00\"}", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
48 "footer": "", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
49 "implicit-assertion": "" |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
50 }, |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
51 { |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
52 "name": "3-E-3", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
53 "expect-fail": false, |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
54 "nonce": "26f7553354482a1d91d4784627854b8da6b8042a7966523c2b404e8dbbe7f7f2", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
55 "key": "707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
56 "token": "v3.local.JvdVM1RIKh2R1HhGJ4VLjaa4BCp5ZlI8K0BOjbvn9_LwY78vQnDait-Q-sjhF88dG2B0ROIIykcrGHn8wzPbTrqObHhyoKpjy3cwZQzLdiwRsdEK5SDvl02_HjWKJW2oqGMOQJlxnt5xyhQjFJomwnt7WW_7r2VT0G704ifult011-TgLCyQ2X8imQhniG_hAQ4BydM", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
57 "payload": "{\"data\":\"this is a secret message\",\"exp\":\"2022-01-01T00:00:00+00:00\"}", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
58 "footer": "", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
59 "implicit-assertion": "" |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
60 }, |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
61 { |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
62 "name": "3-E-4", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
63 "expect-fail": false, |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
64 "nonce": "26f7553354482a1d91d4784627854b8da6b8042a7966523c2b404e8dbbe7f7f2", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
65 "key": "707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
66 "token": "v3.local.JvdVM1RIKh2R1HhGJ4VLjaa4BCp5ZlI8K0BOjbvn9_LwY78vQnDait-Q-sjhF88dG2B0X-4P3EcxGHn8wzPbTrqObHhyoKpjy3cwZQzLdiwRsdEK5SDvl02_HjWKJW2oqGMOQJlBZa_gOpVj4gv0M9lV6Pwjp8JS_MmaZaTA1LLTULXybOBZ2S4xMbYqYmDRhh3IgEk", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
67 "payload": "{\"data\":\"this is a hidden message\",\"exp\":\"2022-01-01T00:00:00+00:00\"}", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
68 "footer": "", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
69 "implicit-assertion": "" |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
70 }, |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
71 { |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
72 "name": "3-E-5", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
73 "expect-fail": false, |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
74 "nonce": "26f7553354482a1d91d4784627854b8da6b8042a7966523c2b404e8dbbe7f7f2", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
75 "key": "707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
76 "token": "v3.local.JvdVM1RIKh2R1HhGJ4VLjaa4BCp5ZlI8K0BOjbvn9_LwY78vQnDait-Q-sjhF88dG2B0ROIIykcrGHn8wzPbTrqObHhyoKpjy3cwZQzLdiwRsdEK5SDvl02_HjWKJW2oqGMOQJlkYSIbXOgVuIQL65UMdW9WcjOpmqvjqD40NNzed-XPqn1T3w-bJvitYpUJL_rmihc.eyJraWQiOiJVYmtLOFk2aXY0R1poRnA2VHgzSVdMV0xmTlhTRXZKY2RUM3pkUjY1WVp4byJ9", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
77 "payload": "{\"data\":\"this is a secret message\",\"exp\":\"2022-01-01T00:00:00+00:00\"}", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
78 "footer": "{\"kid\":\"UbkK8Y6iv4GZhFp6Tx3IWLWLfNXSEvJcdT3zdR65YZxo\"}", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
79 "implicit-assertion": "" |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
80 }, |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
81 { |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
82 "name": "3-E-6", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
83 "expect-fail": false, |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
84 "nonce": "26f7553354482a1d91d4784627854b8da6b8042a7966523c2b404e8dbbe7f7f2", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
85 "key": "707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
86 "token": "v3.local.JvdVM1RIKh2R1HhGJ4VLjaa4BCp5ZlI8K0BOjbvn9_LwY78vQnDait-Q-sjhF88dG2B0X-4P3EcxGHn8wzPbTrqObHhyoKpjy3cwZQzLdiwRsdEK5SDvl02_HjWKJW2oqGMOQJmSeEMphEWHiwtDKJftg41O1F8Hat-8kQ82ZIAMFqkx9q5VkWlxZke9ZzMBbb3Znfo.eyJraWQiOiJVYmtLOFk2aXY0R1poRnA2VHgzSVdMV0xmTlhTRXZKY2RUM3pkUjY1WVp4byJ9", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
87 "payload": "{\"data\":\"this is a hidden message\",\"exp\":\"2022-01-01T00:00:00+00:00\"}", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
88 "footer": "{\"kid\":\"UbkK8Y6iv4GZhFp6Tx3IWLWLfNXSEvJcdT3zdR65YZxo\"}", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
89 "implicit-assertion": "" |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
90 }, |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
91 { |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
92 "name": "3-E-7", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
93 "expect-fail": false, |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
94 "nonce": "26f7553354482a1d91d4784627854b8da6b8042a7966523c2b404e8dbbe7f7f2", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
95 "key": "707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
96 "token": "v3.local.JvdVM1RIKh2R1HhGJ4VLjaa4BCp5ZlI8K0BOjbvn9_LwY78vQnDait-Q-sjhF88dG2B0ROIIykcrGHn8wzPbTrqObHhyoKpjy3cwZQzLdiwRsdEK5SDvl02_HjWKJW2oqGMOQJkzWACWAIoVa0bz7EWSBoTEnS8MvGBYHHo6t6mJunPrFR9JKXFCc0obwz5N-pxFLOc.eyJraWQiOiJVYmtLOFk2aXY0R1poRnA2VHgzSVdMV0xmTlhTRXZKY2RUM3pkUjY1WVp4byJ9", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
97 "payload": "{\"data\":\"this is a secret message\",\"exp\":\"2022-01-01T00:00:00+00:00\"}", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
98 "footer": "{\"kid\":\"UbkK8Y6iv4GZhFp6Tx3IWLWLfNXSEvJcdT3zdR65YZxo\"}", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
99 "implicit-assertion": "{\"test-vector\":\"3-E-7\"}" |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
100 }, |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
101 { |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
102 "name": "3-E-8", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
103 "expect-fail": false, |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
104 "nonce": "26f7553354482a1d91d4784627854b8da6b8042a7966523c2b404e8dbbe7f7f2", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
105 "key": "707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
106 "token": "v3.local.JvdVM1RIKh2R1HhGJ4VLjaa4BCp5ZlI8K0BOjbvn9_LwY78vQnDait-Q-sjhF88dG2B0X-4P3EcxGHn8wzPbTrqObHhyoKpjy3cwZQzLdiwRsdEK5SDvl02_HjWKJW2oqGMOQJmZHSSKYR6AnPYJV6gpHtx6dLakIG_AOPhu8vKexNyrv5_1qoom6_NaPGecoiz6fR8.eyJraWQiOiJVYmtLOFk2aXY0R1poRnA2VHgzSVdMV0xmTlhTRXZKY2RUM3pkUjY1WVp4byJ9", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
107 "payload": "{\"data\":\"this is a hidden message\",\"exp\":\"2022-01-01T00:00:00+00:00\"}", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
108 "footer": "{\"kid\":\"UbkK8Y6iv4GZhFp6Tx3IWLWLfNXSEvJcdT3zdR65YZxo\"}", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
109 "implicit-assertion": "{\"test-vector\":\"3-E-8\"}" |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
110 }, |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
111 { |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
112 "name": "3-E-9", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
113 "expect-fail": false, |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
114 "nonce": "26f7553354482a1d91d4784627854b8da6b8042a7966523c2b404e8dbbe7f7f2", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
115 "key": "707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
116 "token": "v3.local.JvdVM1RIKh2R1HhGJ4VLjaa4BCp5ZlI8K0BOjbvn9_LwY78vQnDait-Q-sjhF88dG2B0X-4P3EcxGHn8wzPbTrqObHhyoKpjy3cwZQzLdiwRsdEK5SDvl02_HjWKJW2oqGMOQJlk1nli0_wijTH_vCuRwckEDc82QWK8-lG2fT9wQF271sgbVRVPjm0LwMQZkvvamqU.YXJiaXRyYXJ5LXN0cmluZy10aGF0LWlzbid0LWpzb24", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
117 "payload": "{\"data\":\"this is a hidden message\",\"exp\":\"2022-01-01T00:00:00+00:00\"}", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
118 "footer": "arbitrary-string-that-isn't-json", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
119 "implicit-assertion": "{\"test-vector\":\"3-E-9\"}" |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
120 }, |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
121 { |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
122 "name": "3-F-3", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
123 "expect-fail": true, |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
124 "nonce": "26f7553354482a1d91d4784627854b8da6b8042a7966523c2b404e8dbbe7f7f2", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
125 "key": "707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
126 "token": "v4.local.1JgN1UG8TFAYS49qsx8rxlwh-9E4ONUm3slJXYi5EibmzxpF0Q-du6gakjuyKCBX8TvnSLOKqCPu8Yh3WSa5yJWigPy33z9XZTJF2HQ9wlLDPtVn_Mu1pPxkTU50ZaBKblJBufRA.YXJiaXRyYXJ5LXN0cmluZy10aGF0LWlzbid0LWpzb24", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
127 "payload": null, |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
128 "footer": "arbitrary-string-that-isn't-json", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
129 "implicit-assertion": "{\"test-vector\":\"3-F-3\"}" |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
130 }, |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
131 { |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
132 "name": "3-F-4", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
133 "expect-fail": true, |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
134 "key": "707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
135 "nonce": "0000000000000000000000000000000000000000000000000000000000000000", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
136 "token": "v3.local.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADbfcIURX_0pVZVU1mAESUzrKZAsRm2EsD6yBoZYn6cpVZNzSJOhSDN-sRaWjfLU-yn9OJH1J_B8GKtOQ9gSQlb8yk9Iza7teRdkiR89ZFyvPPsVjjFiepFUVcMa-LP18zV77f_crJrVXWa5PDNRkCSeHfBBeh", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
137 "payload": null, |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
138 "footer": "", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
139 "implicit-assertion": "" |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
140 }, |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
141 { |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
142 "name": "3-F-5", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
143 "expect-fail": true, |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
144 "nonce": "26f7553354482a1d91d4784627854b8da6b8042a7966523c2b404e8dbbe7f7f2", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
145 "key": "707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
146 "token": "v3.local.JvdVM1RIKh2R1HhGJ4VLjaa4BCp5ZlI8K0BOjbvn9_LwY78vQnDait-Q-sjhF88dG2B0ROIIykcrGHn8wzPbTrqObHhyoKpjy3cwZQzLdiwRsdEK5SDvl02_HjWKJW2oqGMOQJlkYSIbXOgVuIQL65UMdW9WcjOpmqvjqD40NNzed-XPqn1T3w-bJvitYpUJL_rmihc=.eyJraWQiOiJVYmtLOFk2aXY0R1poRnA2VHgzSVdMV0xmTlhTRXZKY2RUM3pkUjY1WVp4byJ9", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
147 "payload": null, |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
148 "footer": "{\"kid\":\"UbkK8Y6iv4GZhFp6Tx3IWLWLfNXSEvJcdT3zdR65YZxo\"}", |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
149 "implicit-assertion": "" |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
150 } |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
151 ]]=]; |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
152 for name, test in pairs(test_cases) do |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
153 it("test case "..name, test); |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
154 end |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
155 |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
156 describe("basic sign/verify", function () |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
157 local key = paseto.v3_local.new_key(); |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
158 local sign, verify = paseto.v3_local.init(key); |
|
33d902b093f0
util.paseto: Add support for v3.local tokens
Matthew Wild <mwild1@gmail.com>
parents:
12713
diff
changeset
|
159 |
|
12841
8b06d7c73090
spec: Suppress some harmless luacheck warnings in tests
Matthew Wild <mwild1@gmail.com>
parents:
12840
diff
changeset
|
160 --luacheck: ignore 211/sign2 |
|
12840 33d902b093f0 util.paseto: Add support for v3.local tokens (Matthew Wild <mwild1@gmail.com>, parents: 12713)
			local key2 = paseto.v3_local.new_key();
			local sign2, verify2 = paseto.v3_local.init(key2);

			it("works", function ()
				local payload = { foo = "hello world", b = { 1, 2, 3 } };

				local tok = sign(payload);
				assert.same(payload, verify(tok));
				assert.is_nil(verify2(tok));
			end);

			it("rejects tokens if implicit assertion fails", function ()
				local payload = { foo = "hello world", b = { 1, 2, 3 } };
				local tok = sign(payload, nil, "my-custom-assertion");
				assert.is_nil(verify(tok, nil, "my-incorrect-assertion"));
				assert.is_nil(verify(tok, nil, nil));
				assert.same(payload, verify(tok, nil, "my-custom-assertion"));
			end);
		end);
	end);
12712 719a72f14e90 util.paseto: Add tests based on official PASETO test vectors (Matthew Wild <mwild1@gmail.com>)

	describe("v4.public", function ()
12840 33d902b093f0 util.paseto: Add support for v3.local tokens (Matthew Wild <mwild1@gmail.com>, parents: 12713)
		local function parse_test_cases(json_test_cases)
			local input_cases = json.decode(json_test_cases);
			local output_cases = {};
			for _, case in ipairs(input_cases) do
				assert.is_string(case.name, "Bad test case: expected name");
				assert.is_nil(output_cases[case.name], "Bad test case: duplicate name");
				output_cases[case.name] = function ()
					local verify_key = paseto.v4_public.import_public_key(case["public-key-pem"]);
					local payload, err = paseto.v4_public.verify(case.token, verify_key, case.footer, case["implicit-assertion"]);
					if case["expect-fail"] then
						assert.is_nil(payload);
					else
						assert.is_nil(err);
						assert.same(json.decode(case.payload), payload);
					end
				end;
			end
			return output_cases;
		end

12712 719a72f14e90 util.paseto: Add tests based on official PASETO test vectors (Matthew Wild <mwild1@gmail.com>)
		local test_cases = parse_test_cases [=[[
			{
				"name": "4-S-1",
				"expect-fail": false,
				"public-key": "1eb9dbbbbc047c03fd70604e0071f0987e16b28b757225c11f00415d0e20b1a2",
				"secret-key": "b4cbfb43df4ce210727d953e4a713307fa19bb7d9f85041438d9e11b942a37741eb9dbbbbc047c03fd70604e0071f0987e16b28b757225c11f00415d0e20b1a2",
				"secret-key-seed": "b4cbfb43df4ce210727d953e4a713307fa19bb7d9f85041438d9e11b942a3774",
				"secret-key-pem": "-----BEGIN PRIVATE KEY-----\nMC4CAQAwBQYDK2VwBCIEILTL+0PfTOIQcn2VPkpxMwf6Gbt9n4UEFDjZ4RuUKjd0\n-----END PRIVATE KEY-----",
				"public-key-pem": "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAHrnbu7wEfAP9cGBOAHHwmH4Wsot1ciXBHwBBXQ4gsaI=\n-----END PUBLIC KEY-----",
				"token": "v4.public.eyJkYXRhIjoidGhpcyBpcyBhIHNpZ25lZCBtZXNzYWdlIiwiZXhwIjoiMjAyMi0wMS0wMVQwMDowMDowMCswMDowMCJ9bg_XBBzds8lTZShVlwwKSgeKpLT3yukTw6JUz3W4h_ExsQV-P0V54zemZDcAxFaSeef1QlXEFtkqxT1ciiQEDA",
				"payload": "{\"data\":\"this is a signed message\",\"exp\":\"2022-01-01T00:00:00+00:00\"}",
				"footer": "",
				"implicit-assertion": ""
			},
			{
				"name": "4-S-2",
				"expect-fail": false,
				"public-key": "1eb9dbbbbc047c03fd70604e0071f0987e16b28b757225c11f00415d0e20b1a2",
				"secret-key": "b4cbfb43df4ce210727d953e4a713307fa19bb7d9f85041438d9e11b942a37741eb9dbbbbc047c03fd70604e0071f0987e16b28b757225c11f00415d0e20b1a2",
				"secret-key-seed": "b4cbfb43df4ce210727d953e4a713307fa19bb7d9f85041438d9e11b942a3774",
				"secret-key-pem": "-----BEGIN PRIVATE KEY-----\nMC4CAQAwBQYDK2VwBCIEILTL+0PfTOIQcn2VPkpxMwf6Gbt9n4UEFDjZ4RuUKjd0\n-----END PRIVATE KEY-----",
				"public-key-pem": "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAHrnbu7wEfAP9cGBOAHHwmH4Wsot1ciXBHwBBXQ4gsaI=\n-----END PUBLIC KEY-----",
				"token": "v4.public.eyJkYXRhIjoidGhpcyBpcyBhIHNpZ25lZCBtZXNzYWdlIiwiZXhwIjoiMjAyMi0wMS0wMVQwMDowMDowMCswMDowMCJ9v3Jt8mx_TdM2ceTGoqwrh4yDFn0XsHvvV_D0DtwQxVrJEBMl0F2caAdgnpKlt4p7xBnx1HcO-SPo8FPp214HDw.eyJraWQiOiJ6VmhNaVBCUDlmUmYyc25FY1Q3Z0ZUaW9lQTlDT2NOeTlEZmdMMVc2MGhhTiJ9",
				"payload": "{\"data\":\"this is a signed message\",\"exp\":\"2022-01-01T00:00:00+00:00\"}",
				"footer": "{\"kid\":\"zVhMiPBP9fRf2snEcT7gFTioeA9COcNy9DfgL1W60haN\"}",
				"implicit-assertion": ""
			},
			{
				"name": "4-S-3",
				"expect-fail": false,
				"public-key": "1eb9dbbbbc047c03fd70604e0071f0987e16b28b757225c11f00415d0e20b1a2",
				"secret-key": "b4cbfb43df4ce210727d953e4a713307fa19bb7d9f85041438d9e11b942a37741eb9dbbbbc047c03fd70604e0071f0987e16b28b757225c11f00415d0e20b1a2",
				"secret-key-seed": "b4cbfb43df4ce210727d953e4a713307fa19bb7d9f85041438d9e11b942a3774",
				"secret-key-pem": "-----BEGIN PRIVATE KEY-----\nMC4CAQAwBQYDK2VwBCIEILTL+0PfTOIQcn2VPkpxMwf6Gbt9n4UEFDjZ4RuUKjd0\n-----END PRIVATE KEY-----",
				"public-key-pem": "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAHrnbu7wEfAP9cGBOAHHwmH4Wsot1ciXBHwBBXQ4gsaI=\n-----END PUBLIC KEY-----",
				"token": "v4.public.eyJkYXRhIjoidGhpcyBpcyBhIHNpZ25lZCBtZXNzYWdlIiwiZXhwIjoiMjAyMi0wMS0wMVQwMDowMDowMCswMDowMCJ9NPWciuD3d0o5eXJXG5pJy-DiVEoyPYWs1YSTwWHNJq6DZD3je5gf-0M4JR9ipdUSJbIovzmBECeaWmaqcaP0DQ.eyJraWQiOiJ6VmhNaVBCUDlmUmYyc25FY1Q3Z0ZUaW9lQTlDT2NOeTlEZmdMMVc2MGhhTiJ9",
				"payload": "{\"data\":\"this is a signed message\",\"exp\":\"2022-01-01T00:00:00+00:00\"}",
				"footer": "{\"kid\":\"zVhMiPBP9fRf2snEcT7gFTioeA9COcNy9DfgL1W60haN\"}",
				"implicit-assertion": "{\"test-vector\":\"4-S-3\"}"
			}]]=];
		for name, test in pairs(test_cases) do
			it("test case "..name, test);
		end

		describe("basic sign/verify", function ()
			local function new_keypair()
				local kp = paseto.v4_public.new_keypair();
12713 52eead170bb8 util.paseto: Drop custom wrappers around key objects (Matthew Wild <mwild1@gmail.com>, parents: 12712)
				return kp:private_pem(), kp:public_pem();
12712 719a72f14e90 util.paseto: Add tests based on official PASETO test vectors (Matthew Wild <mwild1@gmail.com>)
			end

			local privkey1, pubkey1 = new_keypair();
			local privkey2, pubkey2 = new_keypair();
			local sign1, verify1 = paseto.v4_public.init(privkey1, pubkey1);
			local sign2, verify2 = paseto.v4_public.init(privkey2, pubkey2);

			it("works", function ()
				local payload = { foo = "hello world", b = { 1, 2, 3 } };

				local tok1 = sign1(payload);
				assert.same(payload, verify1(tok1));
				assert.is_nil(verify2(tok1));

				local tok2 = sign2(payload);
				assert.same(payload, verify2(tok2));
				assert.is_nil(verify1(tok2));
			end);

			it("rejects tokens if implicit assertion fails", function ()
				local payload = { foo = "hello world", b = { 1, 2, 3 } };
				local tok = sign1(payload, nil, "my-custom-assertion");
				assert.is_nil(verify1(tok, nil, "my-incorrect-assertion"));
				assert.is_nil(verify1(tok, nil, nil));
				assert.same(payload, verify1(tok, nil, "my-custom-assertion"));
			end);
		end);
	end);

	describe("pae", function ()
		it("encodes correctly", function ()
			-- These test cases are taken from the PASETO docs
			-- https://github.com/paseto-standard/paseto-spec/blob/master/docs/01-Protocol-Versions/Common.md
			assert.equal("\x00\x00\x00\x00\x00\x00\x00\x00", paseto.pae{});
			assert.equal("\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", paseto.pae{''});
			assert.equal("\x01\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00test", paseto.pae{'test'});
			assert.has_errors(function ()
				paseto.pae("test");
			end);
		end);
	end);
end);