Test coverage for httpbis spec

dhensby · dhensby · commit ec3d2c9dbbfe · 2023-08-02T18:01:41.000+02:00
diff --git a/src/algorithm/index.ts b/src/algorithm/index.ts
@@ -14,6 +14,7 @@ import {
 } from 'crypto';
 import { RSA_PKCS1_PADDING, RSA_PKCS1_PSS_PADDING } from 'constants';
 import { SigningKey, Algorithm, Verifier } from '../types';
+import { UnknownAlgorithmError } from '../errors';
 
 /**
  * A helper method for easier consumption of the library.
@@ -59,7 +60,7 @@ export function createSigner(key: BinaryLike | KeyLike | SignKeyObjectInput | Si
             // signer.sign = async (data: Buffer) => createSign('ed25519').update(data).sign(key as KeyLike);
             break;
         default:
-            throw new Error(`Unsupported signing algorithm ${alg}`);
+            throw new UnknownAlgorithmError(`Unsupported signing algorithm ${alg}`);
     }
     if (id) {
         signer.id = id;
@@ -116,7 +117,7 @@ export function createVerifier(key: BinaryLike | KeyLike | VerifyKeyObjectInput
             verifier = async (data: Buffer, signature: Buffer) => verify(null, data, key as KeyLike, signature) as unknown as boolean;
             break;
         default:
-            throw new Error(`Unsupported signing algorithm ${alg}`);
+            throw new UnknownAlgorithmError(`Unsupported signing algorithm ${alg}`);
     }
     return Object.assign(verifier, { alg });
 }
diff --git a/src/errors/expired-error.ts b/src/errors/expired-error.ts
@@ -0,0 +1,4 @@
+import { VerificationError } from './verification-error';
+
+export class ExpiredError extends VerificationError {
+}
diff --git a/src/errors/index.ts b/src/errors/index.ts
@@ -1 +1,7 @@
+export { ExpiredError } from './expired-error';
+export { MalformedSignatureError } from './malformed-signature-error';
+export { UnacceptableSignatureError } from './unacceptable-signature-error';
+export { UnknownAlgorithmError } from './unknown-algorithm-error';
+export { UnknownKeyError } from './unknown-key-error';
 export { UnsupportedAlgorithmError } from './unsupported-algorithm-error';
+export { VerificationError } from './verification-error';
diff --git a/src/errors/malformed-signature-error.ts b/src/errors/malformed-signature-error.ts
@@ -0,0 +1,4 @@
+import { VerificationError } from './verification-error';
+
+export class MalformedSignatureError extends VerificationError {
+}
diff --git a/src/errors/unacceptable-signature-error.ts b/src/errors/unacceptable-signature-error.ts
@@ -0,0 +1,4 @@
+import { VerificationError } from './verification-error';
+
+export class UnacceptableSignatureError extends VerificationError {
+}
diff --git a/src/errors/unknown-algorithm-error.ts b/src/errors/unknown-algorithm-error.ts
@@ -0,0 +1,5 @@
+/**
+ * Thrown when a verifier/signer is created with an unknown algorithm
+ */
+export class UnknownAlgorithmError extends Error {
+}
diff --git a/src/errors/unknown-key-error.ts b/src/errors/unknown-key-error.ts
@@ -0,0 +1,4 @@
+import { VerificationError } from './verification-error';
+
+export class UnknownKeyError extends VerificationError {
+}
diff --git a/src/errors/unsupported-algorithm-error.ts b/src/errors/unsupported-algorithm-error.ts
@@ -1,6 +1,8 @@
+import { VerificationError } from './verification-error';
+
 /**
  * Thrown when a key is presented to verify a signature with
  * an algorithm that is not supported
  */
-export class UnsupportedAlgorithmError extends Error {
+export class UnsupportedAlgorithmError extends VerificationError {
 }
diff --git a/src/errors/verification-error.ts b/src/errors/verification-error.ts
@@ -0,0 +1,2 @@
+export class VerificationError extends Error {
+}
diff --git a/src/httpbis/index.ts b/src/httpbis/index.ts
@@ -17,14 +17,21 @@ import { Dictionary, parseHeader, quoteString } from '../structured-header';
 import {
     Request,
     Response,
+    SignatureParameters,
     SignConfig,
     VerifyConfig,
     defaultParams,
     isRequest,
     CommonConfig,
     VerifyingKey,
 } from '../types';
-import { UnsupportedAlgorithmError } from '../errors';
+import {
+    ExpiredError,
+    MalformedSignatureError,
+    UnacceptableSignatureError,
+    UnknownKeyError,
+    UnsupportedAlgorithmError,
+} from '../errors';
 
 export function deriveComponent(component: string, params: Map<string, string | number | boolean>, res: Response, req?: Request): string[];
 export function deriveComponent(component: string, params: Map<string, string | number | boolean>, req: Request): string[];
@@ -49,7 +56,7 @@ export function deriveComponent(component: string, params: Map<string, string |
             return [context.method.toUpperCase()];
         case '@target-uri': {
             if (!isRequest(context)) {
-                throw new Error('Cannot derive @target-url on response');
+                throw new Error('Cannot derive @target-uri on response');
             }
             return [context.url.toString()];
         }
@@ -248,7 +255,7 @@ export function createSigningParameters(config: SignConfig): Parameters {
             }
             default:
                 if (config.paramValues?.[paramName] instanceof Date) {
-                    value = Math.floor((config.paramValues[paramName] as Date).getTime() / 1000).toString();
+                    value = Math.floor((config.paramValues[paramName] as Date).getTime() / 1000);
                 } else if (config.paramValues?.[paramName]) {
                     value = config.paramValues[paramName] as string;
                 }
@@ -287,7 +294,7 @@ export function augmentHeaders(headers: Record<string, string | string[]>, signa
     let signatureName = name ?? 'sig';
     if (signatureHeader.has(signatureName) || inputHeader.has(signatureName)) {
         let count = 0;
-        while (signatureHeader?.has(`${signatureName}${count}`) || inputHeader?.has(`${signatureName}${count}`)) {
+        while (signatureHeader.has(`${signatureName}${count}`) || inputHeader.has(`${signatureName}${count}`)) {
             count++;
         }
         signatureName += count.toString();
@@ -308,7 +315,7 @@ export async function signMessage<T extends Request = Request>(config: SignConfi
 export async function signMessage<T extends Request | Response = Request | Response, U extends Request = Request>(config: SignConfig, message: T, req?: U): Promise<T> {
     const signingParameters = createSigningParameters(config);
     const signatureBase = createSignatureBase({
-        fields: config?.fields ?? [],
+        fields: config.fields ?? [],
         componentParser: config.componentParser,
     }, message as Response, req);
     const signatureInput = serializeList([
@@ -323,7 +330,7 @@ export async function signMessage<T extends Request | Response = Request | Respo
     const signature = await config.key.sign(Buffer.from(base));
     return {
         ...message,
-        headers: augmentHeaders({...message.headers}, signature, signatureInput, config.name),
+        headers: augmentHeaders({ ...message.headers }, signature, signatureInput, config.name),
     };
 }
 
@@ -360,70 +367,68 @@ export async function verifyMessage(config: VerifyConfig, message: Request | Res
     const requiredParams = config.requiredParams ?? [];
     const requiredFields = config.requiredFields ?? [];
     return Array.from(signatureInputs.entries()).reduce<Promise<boolean | null>>(async (prev, [name, input]) => {
-        const [result, key]: [Error | boolean | null, VerifyingKey] = await Promise.all([
+        const signatureParams: SignatureParameters = Array.from(input[1].entries()).reduce((params, [key, value]) => {
+            if (value instanceof ByteSequence) {
+                Object.assign(params, {
+                    [key]: value.toBase64(),
+                });
+            } else if (value instanceof Token) {
+                Object.assign(params, {
+                    [key]: value.toString(),
+                });
+            } else if (key === 'created' || key === 'expired') {
+                Object.assign(params, {
+                    [key]: new Date((value as number) * 1000),
+                });
+            } else {
+                Object.assign(params, {
+                    [key]: value,
+                });
+            }
+            return params;
+        }, {});
+        const [result, key]: [Error | boolean | null, VerifyingKey | null] = await Promise.all([
             prev.catch((e) => e),
-            config.keyLookup(Array.from(input[1].entries()).reduce((params, [key, value]) => {
-                if (value instanceof ByteSequence) {
-                    Object.assign(params, {
-                        [key]: value.toBase64(),
-                    });
-                } else if (value instanceof Token) {
-                    Object.assign(params, {
-                        [key]: value.toString(),
-                    });
-                } else {
-                    Object.assign(params, {
-                        [key]: value,
-                    });
-                }
-                return params;
-            }, {})),
+            config.keyLookup(signatureParams),
         ]);
-        if (input[1].has('alg') && key.algs?.includes(input[1].get('alg') as string) === false) {
-            throw new UnsupportedAlgorithmError('Unsupported key algorithm');
-        }
         // @todo - confirm this is all working as expected
-        if (!config.all && !key) {
-            return null;
-        }
-        if (!config.all && result === true) {
-            return result;
+        if (config.all && !key) {
+            throw new UnknownKeyError('Unknown key');
         }
-        if (config.all && result !== true && result !== null) {
+        if (!key) {
             if (result instanceof Error) {
                 throw result;
             }
             return result;
         }
+        if (input[1].has('alg') && key.algs?.includes(input[1].get('alg') as string) === false) {
+            throw new UnsupportedAlgorithmError('Unsupported key algorithm');
+        }
         if (!isInnerList(input)) {
-            throw new Error('Malformed signature input');
+            throw new MalformedSignatureError('Malformed signature input');
         }
         const hasRequiredParams = requiredParams.every((param) => input[1].has(param));
         if (!hasRequiredParams) {
-            return false;
+            throw new UnacceptableSignatureError('Missing required signature parameters');
         }
         // this could be tricky, what if we say "@method" but there is "@method;req"
         const hasRequiredFields = requiredFields.every((field) => input[0].some(([fieldName]) => fieldName === field));
         if (!hasRequiredFields) {
-            return false;
+            throw new UnacceptableSignatureError('Missing required signed fields');
         }
         if (input[1].has('created')) {
             const created = input[1].get('created') as number - tolerance;
             // maxAge overrides expires.
             // signature is older than maxAge
-            if (maxAge && created - now > maxAge) {
-                return false;
-            }
-            // created after the allowed time (ie: created in the future)
-            if (created > notAfter) {
-                return false;
+            if ((maxAge && now - created > maxAge) || created > notAfter) {
+                throw new ExpiredError('Signature is too old');
             }
         }
         if (input[1].has('expires')) {
             const expires = input[1].get('expires') as number + tolerance;
             // expired signature
-            if (expires > now) {
-                return false;
+            if (now > expires) {
+                throw new ExpiredError('Signature has expired');
             }
         }
 
@@ -434,29 +439,11 @@ export async function verifyMessage(config: VerifyConfig, message: Request | Res
         const base = formatSignatureBase(signingBase);
         const signature = signatures.get(name);
         if (!signature) {
-            throw new Error('No signature found for inputs');
+            throw new MalformedSignatureError('No corresponding signature for input');
         }
         if (!isByteSequence(signature[0] as BareItem)) {
-            throw new Error('Malformed signature');
+            throw new MalformedSignatureError('Malformed signature');
         }
-        return key.verify(Buffer.from(base), Buffer.from((signature[0] as ByteSequence).toBase64(), 'base64'), Array.from(input[1].entries()).reduce((params, [key, value]) => {
-            let val: Date | number | string;
-            switch (key.toLowerCase()) {
-                case 'created':
-                case 'expires':
-                    val = new Date((value as number) * 1000);
-                    break;
-                default: {
-                    if (typeof value === 'string' || typeof value=== 'number') {
-                        val = value;
-                    } else {
-                        val = value.toString();
-                    }
-                }
-            }
-            return Object.assign(params, {
-                [key]: val,
-            });
-        }, {}));
+        return key.verify(Buffer.from(base), Buffer.from((signature[0] as ByteSequence).toBase64(), 'base64'), signatureParams);
     }, Promise.resolve(null));
 }
diff --git a/src/index.ts b/src/index.ts
@@ -1,5 +1,6 @@
 export * from './algorithm';
 export * from './types';
+export * from './errors';
 export * as default from './httpbis';
-export * as httpis from './httpbis';
+export * as httpbis from './httpbis';
 export * as cavage from './cavage';
diff --git a/src/types/index.ts b/src/types/index.ts
@@ -11,7 +11,7 @@ export interface Response {
 
 export type Signer = (data: Buffer) => Promise<Buffer>;
 export type Verifier = (data: Buffer, signature: Buffer, parameters?: SignatureParameters) => Promise<boolean | null>;
-export type VerifierFinder = (parameters: SignatureParameters) => Promise<VerifyingKey>;
+export type VerifierFinder = (parameters: SignatureParameters) => Promise<VerifyingKey | null>;
 
 export type Algorithm = 'rsa-v1_5-sha256' | 'ecdsa-p256-sha256' | 'hmac-sha256' | 'rsa-pss-sha512' | string;
 
diff --git a/test/algorithm/algorithm.spec.ts b/test/algorithm/algorithm.spec.ts
@@ -0,0 +1,35 @@
+import { expect } from 'chai';
+import { createSigner, createVerifier, UnknownAlgorithmError } from '../../src';
+
+describe('algorithm', () => {
+    describe('.createSigner', () => {
+        it('throws for unknown algs', () => {
+            try {
+                createSigner(Buffer.from(''), 'unknown-alg');
+            } catch (e) {
+                expect(e).to.be.instanceOf(UnknownAlgorithmError);
+                return;
+            }
+            expect.fail('Expected to throw');
+        });
+        it('adds the id prop if provided', () => {
+            const signer = createSigner(Buffer.from(''), 'hmac-sha256', 'my-id');
+            expect(signer).to.have.property('id', 'my-id');
+        });
+        it('has no id prop if not provided', () => {
+            const signer = createSigner(Buffer.from(''), 'hmac-sha256');
+            expect(signer).to.not.have.property('id');
+        });
+    });
+    describe('.createVerifier', () => {
+        it('throws for unknown algs', () => {
+            try {
+                createVerifier(Buffer.from(''), 'unknown-alg');
+            } catch (e) {
+                expect(e).to.be.instanceOf(UnknownAlgorithmError);
+                return;
+            }
+            expect.fail('Expected to throw');
+        });
+    });
+});
diff --git a/test/algorithm/ecdsa-p256-sha256.ts b/test/algorithm/ecdsa-p256-sha256.ts
@@ -41,23 +41,23 @@ describe('ecdsa-p256-sha256', () => {
     });
     describe('specification examples', () => {
         let ecKeyPem: string;
-        before('load rsa key', async () => {
-            ecKeyPem = (await promisify(readFile)(join(__dirname, '../etc/ecdsa-p256.pem'))).toString();
+        before('load key', async () => {
+            ecKeyPem = (await promisify(readFile)(join(__dirname, '../etc/test-key-ecc-p256.pem'))).toString();
         });
         describe('response signing', () => {
-            const data = Buffer.from('"content-type": application/json\n' +
-                '"digest": SHA-256=X48E9qOokqqrvdts8nOJRJN3OWDUoyWxBf7kbu9DBPE=\n' +
-                '"content-length": 18\n' +
-                '"@signature-params": ("content-type" "digest" "content-length");created=1618884475;keyid="test-key-ecc-p256"');
+            const data = Buffer.from('"@status": 200\n' +
+                '"content-type": application/json\n' +
+                '"content-digest": sha-512=:mEWXIS7MaLRuGgxOBdODa3xqM1XdEvxoYhvlCFJ41QJgJc4GTsPp29l5oGX69wWdXymyU0rjJuahq4l5aGgfLQ==:\n' +
+                '"content-length": 23\n' +
+                '"@signature-params": ("@status" "content-type" "content-digest" "content-length");created=1618884473;keyid="test-key-ecc-p256"');
             it('successfully signs a payload', async () => {
                 const sig = await (createSigner(ecKeyPem, 'ecdsa-p256-sha256').sign(data));
                 expect(sig).to.satisfy((arg: Buffer) => verify('sha256', data, ecKeyPem, arg));
             });
-            // seems to be broken in node - Error: error:0D07209B:asn1 encoding routines:ASN1_get_object:too long
+            // seems to be broken in node - Error: error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long
             // could be to do with https://stackoverflow.com/a/39575576
             it.skip('successfully verifies a signature', async () => {
-                const sig = Buffer.from('n8RKXkj0iseWDmC6PNSQ1GX2R9650v+lhbb6rTGoSrSSx18zmn6fPOtBx48/WffYLO0n1RHHf9scvNGAgGq52Q==', 'base64');
-                expect(sig).to.satisfy((arg: Buffer) => verify('sha256', Buffer.from(data), ecKeyPem, arg));
+                const sig = Buffer.from('wNmSUAhwb5LxtOtOpNa6W5xj067m5hFrj0XQ4fvpaCLx0NKocgPquLgyahnzDnDAUy5eCdlYUEkLIj+32oiasw==', 'base64');
                 expect(await (createVerifier(ecKeyPem, 'ecdsa-p256-sha256')(data, sig))).to.equal(true);
             });
         });
diff --git a/test/algorithm/ed25519.ts b/test/algorithm/ed25519.ts
@@ -41,7 +41,7 @@ describe('ed25519', () => {
     describe('specification examples', () => {
         let ecKeyPem: string;
         before('load rsa key', async () => {
-            ecKeyPem = (await promisify(readFile)(join(__dirname, '../etc/ed25519.pem'))).toString();
+            ecKeyPem = (await promisify(readFile)(join(__dirname, '../etc/test-key-ed25519.pem'))).toString();
         });
         describe('response signing', () => {
             const data = Buffer.from('"date": Tue, 20 Apr 2021 02:07:55 GMT\n' +
diff --git a/test/algorithm/rsa-pss-sha512.ts b/test/algorithm/rsa-pss-sha512.ts
@@ -49,7 +49,7 @@ describe('rsa-pss-sha512', () => {
     describe('specification examples', () => {
         let rsaKeyPem: string;
         before('load rsa key', async () => {
-            rsaKeyPem = (await promisify(readFile)(join(__dirname, '../etc/rsa-pss.pem'))).toString();
+            rsaKeyPem = (await promisify(readFile)(join(__dirname, '../etc/test-key-rsa-pss.pem'))).toString();
         });
         describe('minimal example', () => {
             const data = Buffer.from('"@signature-params": ();created=1618884475;keyid="test-key-rsa-pss";alg="rsa-pss-sha512"');
diff --git a/test/errors/errors.spec.ts b/test/errors/errors.spec.ts
@@ -0,0 +1,8 @@
+import * as errors from '../../src/errors';
+import { expect } from 'chai';
+
+describe('errors', () => {
+    it('has all errors', () => {
+        expect(Object.values(errors)).to.have.lengthOf(7);
+    });
+});
diff --git a/test/etc/test-key-ecc-p256.pem b/test/etc/test-key-ecc-p256.pem
diff --git a/test/etc/test-key-ed25519.pem b/test/etc/test-key-ed25519.pem
diff --git a/test/etc/test-key-rsa-pss.pem b/test/etc/test-key-rsa-pss.pem
diff --git a/test/etc/test-key-rsa.pem b/test/etc/test-key-rsa.pem
diff --git a/test/etc/test-shared-secret.txt b/test/etc/test-shared-secret.txt
@@ -0,0 +1 @@
+uzvJfB4u3N0Jy4T7NZ75MDVcr8zSTInedJtkgcu46YW4XByzNJjxBdtjUkdJPBtbmHhIDi6pcl8jsasjlTMtDQ==
diff --git a/test/httpbis/httpbis.int.ts b/test/httpbis/httpbis.int.ts
diff --git a/test/httpbis/httpbis.spec.ts b/test/httpbis/httpbis.spec.ts
diff --git a/test/structured-headers.spec.ts b/test/structured-headers.spec.ts

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +import { VerificationError } from './verification-error';
++
 +export class ExpiredError extends VerificationError {
 +}
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+export class VerificationError extends Error {`
	`2`	`+}`