52d68216c0
This bumps go-jose to the latest available version: v4.0.3. This slightly breaks the backwards compatibility with the existing registry deployments but brings more security with it. We now require the users to specify the list of token signing algorithms in the configuration. We do strive to maintain the b/w compat by providing a list of supported algorithms, though, this isn't something we recommend due to security issues, see: * https://github.com/go-jose/go-jose/issues/64 * https://github.com/go-jose/go-jose/pull/69 As part of this change we now return to the original flow of the token signature validation: 1. X2C (tls) headers 2. JWKS 3. KeyID Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
53 lines
1 KiB
Go
53 lines
1 KiB
Go
package token
|
|
|
|
import (
|
|
"testing"
|
|
|
|
fuzz "github.com/AdaLogics/go-fuzz-headers"
|
|
"github.com/go-jose/go-jose/v4"
|
|
)
|
|
|
|
func FuzzToken1(f *testing.F) {
|
|
f.Fuzz(func(t *testing.T, data []byte) {
|
|
ff := fuzz.NewConsumer(data)
|
|
rawToken, err := ff.GetString()
|
|
if err != nil {
|
|
return
|
|
}
|
|
verifyOps := VerifyOptions{}
|
|
err = ff.GenerateStruct(&verifyOps)
|
|
if err != nil {
|
|
return
|
|
}
|
|
token, err := NewToken(rawToken, []jose.SignatureAlgorithm{jose.EdDSA, jose.RS384})
|
|
if err != nil {
|
|
return
|
|
}
|
|
_, err = token.Verify(verifyOps)
|
|
if err != nil {
|
|
return
|
|
}
|
|
_, _ = token.VerifySigningKey(verifyOps)
|
|
})
|
|
}
|
|
|
|
func FuzzToken2(f *testing.F) {
|
|
f.Fuzz(func(t *testing.T, data []byte) {
|
|
ff := fuzz.NewConsumer(data)
|
|
verifyOps := VerifyOptions{}
|
|
err := ff.GenerateStruct(&verifyOps)
|
|
if err != nil {
|
|
return
|
|
}
|
|
token := &Token{}
|
|
err = ff.GenerateStruct(token)
|
|
if err != nil {
|
|
return
|
|
}
|
|
_, err = token.Verify(verifyOps)
|
|
if err != nil {
|
|
return
|
|
}
|
|
_, _ = token.VerifySigningKey(verifyOps)
|
|
})
|
|
}
|