keys: fix signature generation

No need to create and pass an array with our template option. This was causing issues when we had multiple (>2) pairs of keys. Tests added to cover this scenario.
latchset · Apr 30, 2021 · afb6055 · afb6055
1 parent 5482313
commit afb6055
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 11 deletions.
diff --git a/src/keys.c b/src/keys.c
@@ -233,21 +233,11 @@ jwk_sign(const json_t* to_sign, const json_t* sig_keys)
     json_auto_t* sig_template = json_pack("{s:{s:s}}",
                                           "protected", "cty", "jwk-set+json");
 
-    /* Use the template with the signing keys. */
-    json_auto_t* sig_template_arr = json_array();
-    size_t arr_size = json_array_size(sig_keys);
-    for (size_t i = 0; i < arr_size; i++) {
-        if (json_array_append(sig_template_arr, sig_template) == -1) {
-            fprintf(stderr, "Unable to append sig template to array\n");
-            return NULL;
-        }
-    }
-
     __attribute__ ((__cleanup__(cleanup_str))) char* data_to_sign = json_dumps(payload, 0);
     json_auto_t* jws = json_pack("{s:o}", "payload",
                                  jose_b64_enc(data_to_sign, strlen(data_to_sign)));
 
-    if (!jose_jws_sig(NULL, jws, sig_template_arr, sig_keys)) {
+    if (!jose_jws_sig(NULL, jws, sig_template, sig_keys)) {
         fprintf(stderr, "Error trying to jose_jws_sign\n");
         return NULL;
     }

diff --git a/tests/adv b/tests/adv
@@ -31,6 +31,19 @@ function on_exit() {
     [ -d "$TMP" ] && rm -rf $TMP
 }
 
+validate() {
+    if ! _jwks="$(jose fmt --json="${1}" -Og payload -SyOg keys \
+                 -AUo- 2>/dev/null)"; then
+        echo "Advertisement is malformed" >&2
+        exit 1
+    fi
+    _ver="$(printf '%s' "${_jwks}" | jose jwk use -i- -r -u verify -o-)"
+    if ! printf '%s' "${_ver}" | jose jws ver -i "${1}" -k- -a; then
+        echo "Advertisement is missing signatures" >&2
+        exit 1
+    fi
+}
+
 trap 'on_exit' EXIT
 trap 'exit' ERR
 
@@ -96,3 +109,18 @@ for k in *.jwk; do
 done
 cd -
 fetch /adv
+
+# Lets's now test with multiple pairs of keys.
+for i in 1 2 3 4 5 6 7 8 9; do
+    tangd-keygen "${TMP}"/db other-sig-${i} other-exc-${i}
+done
+
+# Verify the advertisement is correct.
+validate "$(fetch /adv)"
+
+# And make sure we can fetch an adv by its thumbprint.
+for jwk in "${TMP}"/db/other-sig-*.jwk; do
+    for alg in $(jose alg -k hash); do
+        fetch /adv/"$(jose jwk thp -a "${alg}" -i "${jwk}")" | ver "${jwk}"
+    done
+done