package awssigner_test
import (
"bytes"
"context"
"crypto"
"os"
"time"
"github.com/aws/aws-sdk-go-v2/config"
"github.com/aws/aws-sdk-go-v2/service/kms"
"github.com/aws/aws-sdk-go-v2/service/kms/types"
awssigner "github.com/jwx-go/crypto-signer/aws/v2"
"github.com/lestrrat-go/jwx/v2/jwa"
"github.com/lestrrat-go/jwx/v2/jws"
)
// Compile-time check that *awssigner.RSA satisfies crypto.Signer; the
// typed nil conversion avoids constructing a value just for the check.
var _ crypto.Signer = (*awssigner.RSA)(nil)
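// ExampleRSA signs a payload with an RSA key held in AWS KMS and verifies the
// resulting JWS through the same signer. Signing is delegated to the KMS
// client passed to awssigner.NewRSA; this example never handles key material
// itself. The example is a no-op unless AWS_KMS_KEY_ID_RSA is set, so it is
// safe to run in environments without AWS credentials.
func ExampleRSA() {
	kid := os.Getenv(`AWS_KMS_KEY_ID_RSA`)
	if kid == "" {
		// Don't run unless we're given the Key ID
		return
	}

	// One bounded context covers credential/config resolution and every KMS
	// call below, so a stalled credential provider or API call cannot hang
	// the example indefinitely.
	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
	defer cancel()

	// Make sure to set AWS_* environment variable, if you
	// need to configure them.
	awscfg, err := config.LoadDefaultConfig(ctx)
	if err != nil {
		panic(err.Error())
	}

	payload := []byte("obla-di-obla-da")

	sv := awssigner.NewRSA(kms.NewFromConfig(awscfg)).
		WithAlgorithm(types.SigningAlgorithmSpecRsassaPkcs1V15Sha256).
		WithKeyID(kid)

	signed, err := jws.Sign(payload, jws.WithKey(jwa.RS256, sv.WithContext(ctx)))
	if err != nil {
		panic(err.Error())
	}

	verified, err := jws.Verify(signed, jws.WithKey(jwa.RS256, sv.WithContext(ctx)))
	if err != nil {
		panic(err.Error())
	}

	// bytes.Equal is the idiomatic equality test; Compare is for ordering.
	if !bytes.Equal(payload, verified) {
		panic("payload and verified does not match")
	}
	// Output:
}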
// DumbCache is a minimal in-memory cache used by ExampleECDSA via WithCache.
// It wraps a plain map with no synchronization, so it is NOT safe for
// concurrent use; a cache supplied to the signer in production code should
// guard its own state. The keys and values it holds are whatever awssigner
// stores through Set.
type DumbCache struct {
	storage map[interface{}]interface{}
}
// NewDumbCache returns an empty DumbCache with its backing map initialised,
// so Set can be called immediately on the result.
func NewDumbCache() *DumbCache {
	cache := new(DumbCache)
	cache.storage = map[interface{}]interface{}{}
	return cache
}
// Get returns the value stored under key and true, or (nil, false) when the
// key is absent. Reading a nil map is safe, so Get works on a zero DumbCache.
func (c *DumbCache) Get(key interface{}) (interface{}, bool) {
	if value, found := c.storage[key]; found {
		return value, true
	}
	return nil, false
}
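// Set stores value under key, replacing any existing entry. The backing map
// is created on first use so a zero-value DumbCache (not built with
// NewDumbCache) no longer panics here. Like the rest of DumbCache, Set does
// no locking and must not be called concurrently.
func (c *DumbCache) Set(key, value interface{}) {
	if c.storage == nil {
		c.storage = make(map[interface{}]interface{})
	}
	c.storage[key] = value
}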
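// ExampleECDSA signs a payload with an ECDSA key held in AWS KMS and verifies
// the resulting JWS through the same signer, using DumbCache as the signer's
// cache. Signing is delegated to the KMS client passed to awssigner.NewECDSA;
// the example never handles key material itself. It is a no-op unless
// AWS_KMS_KEY_ID_ECDSA is set, so it is safe to run without AWS credentials.
func ExampleECDSA() {
	kid := os.Getenv(`AWS_KMS_KEY_ID_ECDSA`)
	if kid == "" {
		// Don't run unless we're given the Key ID
		return
	}

	// One bounded context covers credential/config resolution and every KMS
	// call below, so a stalled credential provider or API call cannot hang
	// the example indefinitely.
	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
	defer cancel()

	// Make sure to set AWS_* environment variable, if you
	// need to configure them.
	awscfg, err := config.LoadDefaultConfig(ctx)
	if err != nil {
		panic(err.Error())
	}

	payload := []byte("obla-di-obla-da")

	// DumbCache has no synchronization; it is adequate for this single
	// goroutine example only, not for a signer shared across goroutines.
	sv := awssigner.NewECDSA(kms.NewFromConfig(awscfg)).
		WithAlgorithm(types.SigningAlgorithmSpecEcdsaSha256).
		WithKeyID(kid).
		WithCache(NewDumbCache())

	signed, err := jws.Sign(payload, jws.WithKey(jwa.ES256, sv.WithContext(ctx)))
	if err != nil {
		panic(err.Error())
	}

	verified, err := jws.Verify(signed, jws.WithKey(jwa.ES256, sv.WithContext(ctx)))
	if err != nil {
		panic(err.Error())
	}

	// bytes.Equal is the idiomatic equality test; Compare is for ordering.
	if !bytes.Equal(payload, verified) {
		panic("payload and verified does not match")
	}
	// Output:
}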