diff --git a/lib/verifier/certassertion.js b/lib/verifier/certassertion.js
index 12fd622dd3de338232b81acee8237033dc0ea543..0a954a76c72f07e8ccc9013318d6a9fac7b4f807 100644
--- a/lib/verifier/certassertion.js
+++ b/lib/verifier/certassertion.js
@@ -120,7 +120,11 @@ function compareAudiences(want, got) {
 // audience is a web origin, e.g. https://foo.com or http://foo.org:81
 function verify(assertion, audience, successCB, errorCB) {
 // assertion is bundle
- var bundle = vep.unbundleCertsAndAssertion(assertion);
+ try {
+ var bundle = vep.unbundleCertsAndAssertion(assertion);
+ } catch(e) {
+ return errorCB("malformed assertion");
+ }
 jwcert.JWCert.verifyChain(
 bundle.certificates,
diff --git a/tests/verifier-test.js b/tests/verifier-test.js
index c6ca1a276e8d5be04cf4ef676ae5b918ef4cee7d..83dd06853e76e316f699102eafc10ae4c75c748f 100755
--- a/tests/verifier-test.js
+++ b/tests/verifier-test.js
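Review bot: In lib/verifier/certassertion.js, the new `catch(e)` in `verify` drops the exception, so a genuine bug inside `vep.unbundleCertsAndAssertion` and a truncated or hostile assertion are indistinguishable and leave no server-side trace. Keeping the generic "malformed assertion" reason for the caller is right, but the cause should be logged before `return errorCB(...)` with whatever logger this module uses (none is visible in the hunk). Non-string input such as the integer case in the tests is presumably rejected only because the parser happens to throw; an explicit guard ahead of the `try`, `if (typeof assertion !== 'string') return errorCB("malformed assertion");`, would make that rejection deliberate. Declaring `var bundle;` above the `try` would also make it clear that the variable is used after the block. The body of `verify` continues past the end of the hunk.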
@@ -524,7 +524,83 @@ suite.addBatch({
 });
 // now let's really get down and screw with the assertion
-// XXX
+suite.addBatch({
+ "using an email address as an assertion (which is bogus)": {
+ topic: function() {
+ wsapi.post('/verify', {
+ audience: TEST_ORIGIN,
+ assertion: "test@example.com"
+ }).call(this);
+ },
+ "fails with a nice error": function(r, err) {
+ var resp = JSON.parse(r.body);
+ assert.strictEqual(resp.status, 'failure');
+ assert.strictEqual(resp.reason, 'malformed assertion');
+ }
+ },
+ "using an integer as an assertion (which is bogus)": {
+ topic: function() {
+ wsapi.post('/verify', {
+ audience: TEST_ORIGIN,
+ assertion: 777
+ }).call(this);
+ },
+ "fails with a nice error": function(r, err) {
+ var resp = JSON.parse(r.body);
+ assert.strictEqual(resp.status, 'failure');
+ assert.strictEqual(resp.reason, 'malformed assertion');
+ }
+ },
+ "generating a valid assertion": {
+ topic: function() {
+ var expirationDate = new Date(new Date().getTime() + (2 * 60 * 1000));
+ var tok = new jwt.JWT(null, expirationDate, TEST_ORIGIN);
+ return vep.bundleCertsAndAssertion([g_cert], tok.sign(g_keypair.secretKey));
+ },
+ "and removing the last char from it": {
+ topic: function(assertion) {
+ assertion = assertion.substr(0, assertion.length - 1);
+ wsapi.post('/verify', {
+ audience: TEST_ORIGIN,
+ assertion: assertion
+ }).call(this);
+ },
+ "fails with a nice error": function(r, err) {
+ var resp = JSON.parse(r.body);
+ assert.strictEqual(resp.status, 'failure');
+ assert.strictEqual(resp.reason, 'malformed assertion');
+ }
+ },
+ "and removing the first char from it": {
+ topic: function(assertion) {
+ assertion = assertion.substr(1);
+ wsapi.post('/verify', {
+ audience: TEST_ORIGIN,
+ assertion: assertion
+ }).call(this);
+ },
+ "fails with a nice error": function(r, err) {
+ var resp = JSON.parse(r.body);
+ assert.strictEqual(resp.status, 'failure');
+ assert.strictEqual(resp.reason, 'malformed assertion');
+ }
+ },
+ "and appending gunk to it": {
+ topic: function(assertion) {
+ assertion += "gunk";
+ wsapi.post('/verify', {
+ audience: TEST_ORIGIN,
+ assertion: assertion
+ }).call(this);
+ },
+ "fails with a nice error": function(r, err) {
+ var resp = JSON.parse(r.body);
+ assert.strictEqual(resp.status, 'failure');
+ assert.strictEqual(resp.reason, 'malformed assertion');
+ }
+ }
+ }
+});
 // now verify that no-one other than browserid is allowed to issue assertions
 // (until primary support is implemented)
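Review bot: The malformed-input cases in this batch cover a plain string, an integer and three mutations of a valid bundle, but not a missing `assertion` field, an empty string, `null`, or an object or array value, all of which a client can send to `/verify` and which presumably reach the same parsing path. Adding those cases would pin the rejection behaviour for every JSON type rather than the two tried here. Each `"fails with a nice error"` check also calls `JSON.parse(r.body)` without first asserting the response status, so a server error with a non-JSON body would show up as a parse exception instead of a clear assertion failure. The five identical check functions could share one helper so that a future change to the expected reason string is made in a single place.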