xref: /aosp_15_r20/external/tink/python/examples/jwt/jwt_signature_test.sh (revision e7b1675dde1b92d52ec075b0a92829627f2c52a5) 
1#!/bin/bash
2# Copyright 2021 Google LLC
3#
4# Licensed under the Apache License, Version 2.0 (the "License");
5# you may not use this file except in compliance with the License.
6# You may obtain a copy of the License at
7#
8#      http://www.apache.org/licenses/LICENSE-2.0
9#
10# Unless required by applicable law or agreed to in writing, software
11# distributed under the License is distributed on an "AS IS" BASIS,
12# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13# See the License for the specific language governing permissions and
14# limitations under the License.
15################################################################################
16
17set -euo pipefail
18
19#############################################################################
20##### Tests for digital signature example.
21
22SIGN_CLI="$1"
23GEN_PUBLIC_JWK_SET_CLI="$2"
24VERIFY_CLI="$3"
25PRIVATE_KEYSET_PATH="$4"
26PUBLIC_KEYSET_PATH="$5"
27
28AUDIENCE="audience"
29TOKEN_PATH="${TEST_TMPDIR}/token.txt"
30PUBLIC_JWK_SET_PATH="${TEST_TMPDIR}/public_jwk_set.json"
31
32#############################################################################
33
34# A helper function for getting the return code of a command that may fail
35# Temporarily disables error safety and stores return value in $TEST_STATUS
36# Usage:
37# % test_command somecommand some args
38# % echo $TEST_STATUS
39test_command() {
40  set +e
41  "$@"
42  TEST_STATUS=$?
43  set -e
44}
45
46print_test() {
47  echo "+++ Starting test $1..."
48}
49
50
51#############################################################################
52
53print_test "generate_token"
54
55# Generate a signed token
56test_command ${SIGN_CLI} \
57  --private_keyset_path "${PRIVATE_KEYSET_PATH}" \
58  --audience "${AUDIENCE}" \
59  --token_path "${TOKEN_PATH}"
60
61if (( TEST_STATUS == 0 )); then
62  echo "+++ Success: Generating the token succeeded."
63else
64  echo "--- Failure: Generating the token failed."
65  exit 1
66fi
67
68#############################################################################
69
70print_test "generate_public_jwk_set"
71
72# Generate the public keyset in JWK format
73test_command ${GEN_PUBLIC_JWK_SET_CLI} \
74  --public_keyset_path "${PUBLIC_KEYSET_PATH}" \
75  --public_jwk_set_path "${PUBLIC_JWK_SET_PATH}"
76
77if (( TEST_STATUS == 0 )); then
78  echo "+++ Success: Generating the public JWK set succeeded."
79else
80  echo "--- Failure: Generating the public JWK set failed."
81  exit 1
82fi
83
84#############################################################################
85
86print_test "verification_with_public_jwt_set"
87
88# Verify the token
89test_command ${VERIFY_CLI} \
90  --public_jwk_set_path "${PUBLIC_JWK_SET_PATH}" \
91  --audience "${AUDIENCE}" \
92  --token_path "${TOKEN_PATH}"
93
94if (( TEST_STATUS == 0 )); then
95  echo "+++ Success: Verification passed for a valid token."
96else
97  echo "--- Failure: Verification failed for a valid token."
98  exit 1
99fi
100
101
102#############################################################################
103
104print_test "verification_fails_with_invalid_token"
105
106# Create an invalid token.
107INVALID_TOKEN_PATH="${TEST_TMPDIR}/invalid_token.txt"
108echo "ABCABCABCD" > $INVALID_TOKEN_PATH
109
110# Verify the invalid token
111test_command ${VERIFY_CLI} \
112  --public_jwk_set_path "${PUBLIC_JWK_SET_PATH}" \
113  --audience "${AUDIENCE}" \
114  --token_path "${INVALID_TOKEN_PATH}"
115
116if (( TEST_STATUS != 0 )); then
117  echo "+++ Success: Verification failed for an invalid token."
118else
119  echo "--- Failure: Verification passed for an invalid token."
120  exit 1
121fi
122
123
124#############################################################################
125
126print_test "verification_fails_with_incorrect_audience"
127
128# Verify the token with an invalid audience
129test_command ${VERIFY_CLI} \
130  --public_jwk_set_path "${PUBLIC_JWK_SET_PATH}" \
131  --audience "invalid audience" \
132  --token_path "${TOKEN_PATH}"
133
134if (( TEST_STATUS != 0 )); then
135  echo "+++ Success: Verification failed with an invalid audience."
136else
137  echo "--- Failure: Verification passed with an invalid audience."
138  exit 1
139fi
140
141
142#############################################################################
143
144print_test "generating_token_fails_with_invalid_keyset"
145
146# Use a different token path
147TOKEN2_PATH="${TEST_TMPDIR}/token2.txt"
148
149# Try to generate a signed token using the public keyset
150test_command ${SIGN_CLI} \
151  --private_keyset_path "${PUBLIC_JWK_SET_PATH}" \
152  --audience "${AUDIENCE}" \
153  --token_path "${TOKEN2_PATH} "
154
155if (( TEST_STATUS != 0 )); then
156  echo "+++ Success: Generating a token failed with invalid keyset."
157else
158  echo "--- Failure: Generating a token did not fail with invalid keyset."
159  exit 1
160fi
161
162
163#############################################################################
164
165print_test "verify_fails_with_a_invalid_keyset"
166
167# Try to verify the token using the private key
168test_command ${VERIFY_CLI} \
169  --public_jwk_set_path "${PRIVATE_KEYSET_PATH}" \
170  --audience "${AUDIENCE}" \
171  --token_path "${TOKEN_PATH}"
172
173if (( TEST_STATUS != 0 )); then
174  echo "+++ Success: Verification failed with invalid keyset."
175else
176  echo "--- Failure: Verification did not fail with invalid keyset."
177  exit 1
178fi
179