vk-call-proxy/internal/scripts/verify_test.go at master · Fokir/vk-call-proxy · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
package scripts

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"sort"
	"testing"
)

func signManifestForTest(t *testing.T, mf map[string]any, priv ed25519.PrivateKey) []byte {
	t.Helper()
	raw, err := json.Marshal(mf)
	if err != nil {
		t.Fatalf("marshal: %v", err)
	}
	var obj map[string]json.RawMessage
	if err := json.Unmarshal(raw, &obj); err != nil {
		t.Fatalf("parse: %v", err)
	}
	delete(obj, "signature")

	keys := make([]string, 0, len(obj))
	for k := range obj {
		keys = append(keys, k)
	}
	sort.Strings(keys)

	var buf bytes.Buffer
	buf.WriteByte('{')
	for i, k := range keys {
		if i > 0 {
			buf.WriteByte(',')
		}
		kb, _ := json.Marshal(k)
		buf.Write(kb)
		buf.WriteByte(':')
		var val any
		_ = json.Unmarshal(obj[k], &val)
		vb, _ := json.Marshal(val)
		buf.Write(vb)
	}
	buf.WriteByte('}')

	sig := ed25519.Sign(priv, buf.Bytes())
	mf["signature"] = base64.StdEncoding.EncodeToString(sig)
	out, err := json.MarshalIndent(mf, "", "  ")
	if err != nil {
		t.Fatalf("marshal signed: %v", err)
	}
	return out
}

func TestVerifyManifest_SignedWithIndentation(t *testing.T) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		t.Fatalf("keygen: %v", err)
	}
	mf := map[string]any{
		"version":      "1",
		"published_at": "2026-04-15T10:00:00Z",
		"scripts": map[string]any{
			"stealth.js": map[string]any{
				"url":    "https://example.com/stealth.js",
				"sha256": "deadbeef",
				"size":   42,
			},
		},
	}
	signed := signManifestForTest(t, mf, priv)

	pubB64 := base64.StdEncoding.EncodeToString(pub)
	got, err := verifyManifest(signed, pubB64)
	if err != nil {
		t.Fatalf("verifyManifest: %v", err)
	}
	if got.Version != "1" {
		t.Fatalf("version: %q", got.Version)
	}
	if len(got.Scripts) != 1 {
		t.Fatalf("scripts: %d", len(got.Scripts))
	}
}

func TestVerifyManifest_TamperedFails(t *testing.T) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		t.Fatalf("keygen: %v", err)
	}
	mf := map[string]any{
		"version":      "1",
		"published_at": "2026-04-15T10:00:00Z",
		"scripts":      map[string]any{},
	}
	signed := signManifestForTest(t, mf, priv)
	tampered := bytes.Replace(signed, []byte(`"1"`), []byte(`"2"`), 1)

	pubB64 := base64.StdEncoding.EncodeToString(pub)
	if _, err := verifyManifest(tampered, pubB64); err == nil {
		t.Fatal("expected verify failure on tampered manifest")
	}
}