signed-integrity: working on implementing JWT processing (ref. #28)

2022-01-12 00:14:31 +00:00 · 2022-01-12 00:14:31 +00:00 · 6180f8b96a
commit 6180f8b96a
--- a/tests/plugins/signed-integrity.test.js
+++ b/tests/plugins/signed-integrity.test.js
@ -11,6 +11,9 @@ describe("plugin: signed-integrity", () => {
    global.btoa = (bin) => {
        return Buffer.from(bin, 'binary').toString('base64')
    }
+    global.atob = (ascii) => {
+        return Buffer.from(ascii, 'base64').toString('binary')
+    }
    
    global.LibResilientPluginConstructors = new Map()
    LR = {
@ -19,12 +22,16 @@ describe("plugin: signed-integrity", () => {
        }
    }
    
+    header = btoa('{"alg": "ES384"}').replace(/\//g, '_').replace(/\+/g, '-').replace(/=/g, '')
+    payload = btoa('{"integrity": "sha256-eiMrFuthzteJuj8fPwUMyNQMb2SMW7VITmmt2oAxGj0="}').replace(/\//g, '_').replace(/\+/g, '-').replace(/=/g, '')
+    signature = btoa('FIXME').replace(/\//g, '_').replace(/\+/g, '-').replace(/=/g, '')
+    
    global.resolvingFetch = jest.fn((url, init)=>{
                                var content = '{"test": "success"}'
                                var status = 200
                                var statusText = "OK"
                                if (url == 'https://resilient.is/test.json.integrity') {
-                                    content = '{"integrity": "sha256-eiMrFuthzteJuj8fPwUMyNQMb2SMW7VITmmt2oAxGj0="}'
+                                    content = header + '.' + payload + '.' + signature
                                } else if (url == 'https://resilient.is/fail.json.integrity') {
                                    content = '{"test": "fail"}'
                                    status = 404
--- a/plugins/signed-integrity.js
+++ b/plugins/signed-integrity.js
@ -46,6 +46,31 @@
            throw new Error(`Expected exactly one plugin to wrap, but ${config.uses.length} configured.`)
        }
        
+        /**
+         * utility function
+         * base64url decode
+         */
+        let b64urlDecode = (data) => {
+            // figure out the padding to add
+            var pad = 4 - (data.length % 4);
+            // that's no bueno
+            if (pad == 3) {
+                throw new Error(`Invalid base64-encoded string!`)
+            }
+            // no padding, then
+            if (pad == 4) {
+                pad = 0
+            }
+            // we're done, atob that thing
+            return atob(
+                data
+                    .replace(/_/g, '/')
+                    .replace(/-/g, '+')
+                    + '='.repeat(pad)
+            )
+        }
+        
+        
        /**
         * getting content using the configured plugin,
         * but also making sure integrity data file is fetched, signature checked,
@ -64,8 +89,20 @@
                
                // did we get anything sane?
                if (integrityResponse.status == 200) {
-                    LR.log(pluginName, `fetched integrity data file`)
+                    
                    // this is where magic happens
+                    LR.log(pluginName, `fetched integrity data file`)
+                    
+                    // get the JWT
+                    var jwt = await integrityResponse.text()
+                    console.log('jwt: ' + jwt)
+                    jwt = jwt.split('.')
+                    
+                    // unpack it
+                    var header = b64urlDecode(jwt[0])
+                    var payload = b64urlDecode(jwt[1])
+                    var signature = jwt[2]
+                    LR.log(pluginName, `got a JWT:\n- header : ${header}\n- payload: ${payload}`)
                } else {
                    LR.log(pluginName, `fetching integrity data failed: ${integrityResponse.status} ${integrityResponse.statusText}`)
                }