Improve test coverage

square · Dec 19, 2014 · 5e4ca0b · 5e4ca0b
1 parent 24181ea
commit 5e4ca0b
Show file tree

Hide file tree

Showing 4 changed files with 65 additions and 4 deletions.
diff --git a/encoding_test.go b/encoding_test.go
@@ -70,6 +70,11 @@ func TestBase64URLDecode(t *testing.T) {
 	if err != nil || !bytes.Equal(val, []byte{0, 1, 2, 3}) {
 		t.Error("failed to decode [0x00, 0x01, 0x02, 0x03]")
 	}
+
+	val, err = base64URLDecode(nil)
+	if err == nil {
+		t.Error("should not decode nil value")
+	}
 }
 
 func TestDeflateRoundtrip(t *testing.T) {

diff --git a/jws.go b/jws.go
@@ -74,7 +74,7 @@ func (sig signatureInfo) getHeader(name string) (value interface{}, present bool
 func (obj JwsObject) computeAuthData(signature *signatureInfo) []byte {
 	var serializedProtected string
 
-	if signature.original != nil {
+	if signature.original == nil {
 		raw, err := json.Marshal(signature.protected)
 		if err != nil {
 			// Should never happen, since we control the input.
@@ -129,8 +129,11 @@ func parseSignedFull(input string) (*JwsObject, error) {
 			return nil, err
 		}
 
+		// Copy value of sig
+		original := sig
+
 		obj.signatures[i].header = sig.Header
-		obj.signatures[i].original = &sig
+		obj.signatures[i].original = &original
 	}
 
 	return obj, nil

diff --git a/signing.go b/signing.go
@@ -131,7 +131,7 @@ func (ctx *genericSigner) Sign(payload []byte) (*JwsObject, error) {
 		serializedProtected, err := json.Marshal(protected)
 		if err != nil {
 			// We have full control over the input, so this should never happen.
-			panic("Error when serializing message header")
+			panic("error when serializing message header")
 		}
 
 		input := []byte(fmt.Sprintf("%s.%s",

diff --git a/signing_test.go b/signing_test.go
@@ -125,7 +125,7 @@ func TestRoundtripsJWSCorruptSignature(t *testing.T) {
 	}
 }
 
-func TestMultieRecipientJWS(t *testing.T) {
+func TestMultiRecipientJWS(t *testing.T) {
 	signer := NewMultiSigner()
 
 	sharedKey := []byte{
@@ -224,3 +224,56 @@ func TestInvalidSignerAlg(t *testing.T) {
 		t.Error("should not accept invalid algorithm")
 	}
 }
+
+type allowAllVerifier struct{}
+
+// Dummy verifier that allows everything
+func (ctx allowAllVerifier) verifyPayload(payload []byte, signature []byte, alg SignatureAlgorithm) error {
+	return nil
+}
+
+func TestInvalidJWS(t *testing.T) {
+	signer, err := NewSigner(PS256, rsaTestKey)
+	if err != nil {
+		panic(err)
+	}
+
+	obj, err := signer.Sign([]byte("Lorem ipsum dolor sit amet"))
+	obj.signatures[0].header = map[string]interface{}{
+		"crit": []string{"TEST"},
+	}
+
+	ver, err := NewVerifier(&rsaTestKey.PublicKey)
+	if err != nil {
+		panic(err)
+	}
+
+	verifier := ver.(*genericVerifier)
+
+	// Mock out verifier
+	verifier.verifier = allowAllVerifier{}
+
+	_, err = verifier.Verify(obj)
+	if err == nil {
+		t.Error("should not verify message with unknown crit header")
+	}
+
+	// Try without alg header
+	obj.signatures[0].protected = map[string]interface{}{}
+	obj.signatures[0].header = map[string]interface{}{}
+
+	_, err = verifier.Verify(obj)
+	if err == nil {
+		t.Error("should not verify message with missing headers")
+	}
+
+	// Set an invalid header
+	obj.signatures[0].protected = map[string]interface{}{
+		"alg": []string{"X", "Y", "Z"},
+	}
+
+	_, err = verifier.Verify(obj)
+	if err == nil {
+		t.Error("should not verify message with invalid headers")
+	}
+}