FuzzAlgorithmConfusion tests that tokens with wrong algorithms are rejected.
(f *testing.F)
| 115 | |
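// FuzzAlgorithmConfusion tests that tokens with wrong algorithms are rejected.
//
// Beyond the basic cross-verifier checks it exercises the classic JWT
// key-confusion attack: an HS256 token whose HMAC key is the RS256 verifier's
// own public-key PEM. A verifier that trusts the token's alg header instead
// of its configured algorithm would accept that forgery, because the public
// key is by definition available to the attacker. Positive controls confirm
// that each verifier still accepts tokens from its matching signer, so a
// verifier that rejects everything cannot pass this test vacuously.
func FuzzAlgorithmConfusion(f *testing.F) {
	fuzz.Seed(f)

	secret := []byte("test-secret-key-at-least-32-bytes-long")
	hs256Verifier, err := NewHS256Verifier[RegisteredClaims](secret)
	require.NoError(f, err)

	privateKeyPEM, publicKeyPEM := generateFuzzKeyPair(f)
	rs256Verifier, err := NewRS256Verifier[RegisteredClaims](publicKeyPEM)
	require.NoError(f, err)

	hs256Signer, err := NewHS256Signer[RegisteredClaims](secret)
	require.NoError(f, err)
	rs256Signer, err := NewRS256Signer[RegisteredClaims](privateKeyPEM)
	require.NoError(f, err)

	// Attacker-controlled signer: HS256 keyed with the RSA public key that the
	// RS256 verifier was configured with. The []byte conversion keeps this
	// valid whether the key-pair helper returns string or []byte PEM.
	confusedSigner, err := NewHS256Signer[RegisteredClaims]([]byte(publicKeyPEM))
	require.NoError(f, err)

	f.Fuzz(func(t *testing.T, data []byte) {
		c := fuzz.New(t, data)

		// Only the issuer is fuzzed; ExpiresAt stays in the future so a
		// rejection below is attributable to the algorithm, not to expiry.
		claims := RegisteredClaims{
			Issuer:    c.String(),
			ExpiresAt: time.Now().Add(time.Hour).Unix(),
		}

		hs256Token, err := hs256Signer.Sign(claims)
		require.NoError(t, err)
		rs256Token, err := rs256Signer.Sign(claims)
		require.NoError(t, err)
		confusedToken, err := confusedSigner.Sign(claims)
		require.NoError(t, err)

		// Positive controls: matching signer/verifier pairs must succeed.
		_, err = hs256Verifier.Verify(hs256Token)
		require.NoError(t, err, "HS256 token must verify with the HS256 verifier")
		_, err = rs256Verifier.Verify(rs256Token)
		require.NoError(t, err, "RS256 token must verify with the RS256 verifier")

		// Cross-algorithm tokens signed with unrelated keys must be rejected.
		_, err = rs256Verifier.Verify(hs256Token)
		require.Error(t, err, "HS256 token should not verify with RS256 verifier")
		_, err = hs256Verifier.Verify(rs256Token)
		require.Error(t, err, "RS256 token should not verify with HS256 verifier")

		// Key confusion: an HS256 token keyed with the RS256 public key must be
		// rejected even though its HMAC would validate under that key bytes.
		_, err = rs256Verifier.Verify(confusedToken)
		require.Error(t, err, "HS256 token keyed with the RSA public key should not verify with RS256 verifier")
	})
}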