# JWS Signing Input (RFC 7515) validation
#
# Each case writes one CRLF-terminated line to lacme-accountd's stdin and then
# looks for the expected decision in what the daemon logged to "$STDERR":
# NOSIGN for a refused input, SIGNED for an accepted one.  grepstderr and
# STDERR are supplied by the caller (presumably the test harness).
# NOTE(review): only the stderr log line is asserted; stdout is not captured
# here, so these cases do not by themselves show that nothing signature-like
# is written back on the NOSIGN paths -- confirm that is covered elsewhere.

# Protected header absent (empty line) or empty (line starts with ".")
printf "\\r\\n" | lacme-accountd --stdio 2>"$STDERR"
grepstderr -Fq "] NOSIGN [malformed JWS Protected Header]"

printf ".foo\\r\\n" | lacme-accountd --stdio 2>"$STDERR"
grepstderr -Fq "] NOSIGN [malformed JWS Protected Header]"

# Protected header is not base64url ("/" is outside the URL-safe alphabet)
printf "foo/bar.baz\\r\\n" | lacme-accountd --stdio 2>"$STDERR"
grepstderr -Fq "] NOSIGN [malformed JWS Protected Header]"

# No "." separator, hence no payload part at all
printf "foo\\r\\n" | lacme-accountd --stdio 2>"$STDERR"
grepstderr -Fq "] NOSIGN [malformed JWS Payload]"

# Payload is not base64url
printf "foo.bar/baz\\r\\n" | lacme-accountd --stdio 2>"$STDERR"
grepstderr -Fq "] NOSIGN [malformed JWS Payload]"

# Well-formed base64url, but the decoded Protected Header is rejected: it is
# not a JSON object, or it lacks one of "alg", "nonce", "url", or has neither
# "jwk" nor "kid".  The payload part is left empty in all of these.
# These checks use -F without -q, unlike the cases above; kept as in the
# original.
for hdr_json in \
    "null" \
    "\"str\"" \
    "{}" \
    "{\"alg\":\"\",\"nonce\":\"\",\"url\":\"\"}" \
    "{\"jwk\":{}}"
do
    # Unpadded base64url: no line wrapping (-w0 is a GNU base64 option),
    # trailing "=" stripped, "+/" mapped to "-_".
    hdr_b64="$(printf "%s" "$hdr_json" | base64 -w0 | sed "s/=*$//" | tr "+/" "-_")"
    printf "%s.\\r\\n" "$hdr_b64" | lacme-accountd --stdio 2>"$STDERR"
    grepstderr -F "] NOSIGN [invalid JWS Protected Header]"
done

# Accepted input: a header carrying all of "alg", "nonce", "url" and "jwk",
# plus a base64url payload.  The field values are empty strings and an empty
# object, so this case pins that presence of the fields is enough for SIGNED.
# NOTE(review): the "kid" alternative to "jwk" is not exercised by a positive
# case here.
hdr_json="{\"alg\":\"\",\"nonce\":\"\",\"url\":\"\",\"jwk\":{}}"
hdr_b64="$(printf "%s" "$hdr_json" | base64 -w0 | sed "s/=*$//" | tr "+/" "-_")"
payload_b64="$(printf "%s" "JWS Payload" | base64 -w0 | sed "s/=*$//" | tr "+/" "-_")"
printf "%s.%s\\r\\n" "$hdr_b64" "$payload_b64" | lacme-accountd --stdio 2>"$STDERR"
# "playload" is matched literally; presumably it mirrors the daemon's own log
# wording, so it must not be corrected on this side alone.
grepstderr -F "] SIGNED header=base64url($hdr_json) playload=base64url(JWS Payload)"

# vim: set filetype=sh :