#REGTEST_TYPE=devel

# This reg-test uses the JSON Web Token (JWT) converters to verify a token's signature.
# It uses the http_auth_bearer sample fetch to fetch a token contained in an
# HTTP Authorization header (with the Bearer scheme) which is the common way of
# transmitting a token (see RFC6750). It then uses the jwt_header_query
# converter to get the "alg" field declared in the token's JOSE header and
# gives it to the jwt_verify converter with the appropriate certificate.
#
# All the supported algorithms are tested at least once (HMAC, RSA and ECDSA)
# and the error codes returned by jwt_verify are tested as well.

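# The test name describes what this file exercises: the JWT converters and the
# http_auth_bearer sample fetch (the previous name referred to an unrelated CLI test).
varnishtest "Test the JWT converters (jwt_header_query and jwt_verify) and the http_auth_bearer sample fetch"
feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(2.5-dev0)'"
# jwt_verify needs OpenSSL for the HMAC, RSA and ECDSA signature checks.
feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL)'"
# NOTE(review): no client in this file talks to the stats socket, so the socat
# requirement looks like a leftover; it is kept so the set of hosts the test
# runs on does not change.
feature cmd "command -v socat"
feature ignore_unknown_macro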

# Origin server: 22 clients (c1 .. c22) each send exactly one request and none
# of them is denied by the proxy, so exactly 22 requests are expected here.
server s1 -repeat 22 {
  rxreq
  txresp
} -start

haproxy h1 -conf {
    global
        # NOTE(review): no TLS listener and no CLI command is used anywhere in
        # this file, so the three settings below are not exercised here and
        # look like leftovers from the test this one was derived from.
        tune.ssl.default-dh-param 2048
        tune.ssl.capture-buffer-size 1
        stats socket "${tmpdir}/h1/stats" level admin

    defaults
        mode http
        timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
        timeout client  "${HAPROXY_TEST_TIMEOUT-5s}"
        timeout server  "${HAPROXY_TEST_TIMEOUT-5s}"

    listen main-fe
        bind "fd@${mainfe}"

        # One backend per signature family so that the key material and the
        # accepted "alg" values are always paired; everything else goes to the
        # error-case backend.
        use_backend hsXXX_be if { path_beg /hs }
        use_backend rsXXX_be if { path_beg /rs }
        use_backend esXXX_be if { path_beg /es }
        use_backend auth_bearer_be if { path /auth_bearer }
        default_backend dflt_be


    backend hsXXX_be
        # The token and its "alg" come straight from the client's
        # Authorization header, i.e. both are untrusted input.
        http-request set-var(txn.bearer) http_auth_bearer
        http-request set-var(txn.jwt_alg) var(txn.bearer),jwt_header_query('$.alg')

        # Allowlist the algorithm before picking a key: the HMAC secrets below
        # must only ever be used for HS* tokens. This guard keeps a token that
        # declares a non-HMAC "alg" away from the shared secrets (algorithm
        # confusion).
        http-request deny unless { var(txn.jwt_alg) -m beg "HS" }

        # Test instrumentation only: echoing the raw token back in a response
        # header is not something a production configuration should do.
        http-response set-header x-jwt-token %[var(txn.bearer)]
        http-response set-header x-jwt-alg %[var(txn.jwt_alg)]

        # Each verify header is set only for its own algorithm, so the secret
        # handed to jwt_verify always matches the declared "alg".
        http-response set-header x-jwt-verify-HS256 %[var(txn.bearer),jwt_verify(txn.jwt_alg,"hmac key hs256")] if { var(txn.jwt_alg) -m str "HS256" }
        http-response set-header x-jwt-verify-HS384 %[var(txn.bearer),jwt_verify(txn.jwt_alg,"hmac key hs384")] if { var(txn.jwt_alg) -m str "HS384" }
        http-response set-header x-jwt-verify-HS512 %[var(txn.bearer),jwt_verify(txn.jwt_alg,"hmac key hs512")] if { var(txn.jwt_alg) -m str "HS512" }
        server s1 ${s1_addr}:${s1_port}

    backend rsXXX_be
        http-request set-var(txn.bearer) http_auth_bearer
        http-request set-var(txn.jwt_alg) var(txn.bearer),jwt_header_query('$.alg')

        # Only RS* tokens may reach the RSA public key file; the PEM must not
        # be used for an HMAC check, where its contents would act as the
        # secret.
        http-request deny unless { var(txn.jwt_alg) -m beg "RS" }

        http-response set-header x-jwt-token %[var(txn.bearer)]
        http-response set-header x-jwt-alg %[var(txn.jwt_alg)]

        # The same RSA public key serves all three digest sizes.
        http-response set-header x-jwt-verify-RS256 %[var(txn.bearer),jwt_verify(txn.jwt_alg,"${testdir}/rsa-public.pem")] if { var(txn.jwt_alg) -m str "RS256" }
        http-response set-header x-jwt-verify-RS384 %[var(txn.bearer),jwt_verify(txn.jwt_alg,"${testdir}/rsa-public.pem")] if { var(txn.jwt_alg) -m str "RS384" }
        http-response set-header x-jwt-verify-RS512 %[var(txn.bearer),jwt_verify(txn.jwt_alg,"${testdir}/rsa-public.pem")] if { var(txn.jwt_alg) -m str "RS512" }
        server s1 ${s1_addr}:${s1_port}

    backend esXXX_be
        http-request set-var(txn.bearer) http_auth_bearer
        http-request set-var(txn.jwt_alg) var(txn.bearer),jwt_header_query('$.alg')

        # Same allowlist pattern as above, restricted to the ECDSA family.
        http-request deny unless { var(txn.jwt_alg) -m beg "ES" }

        http-response set-header x-jwt-token %[var(txn.bearer)]
        http-response set-header x-jwt-alg %[var(txn.jwt_alg)]

        # Unlike RSA, each ECDSA algorithm has its own public key file (one
        # per curve, see the key generation comments in c9 .. c11).
        http-response set-header x-jwt-verify-ES256 %[var(txn.bearer),jwt_verify(txn.jwt_alg,"${testdir}/es256-public.pem")] if { var(txn.jwt_alg) -m str "ES256" }
        http-response set-header x-jwt-verify-ES384 %[var(txn.bearer),jwt_verify(txn.jwt_alg,"${testdir}/es384-public.pem")] if { var(txn.jwt_alg) -m str "ES384" }
        http-response set-header x-jwt-verify-ES512 %[var(txn.bearer),jwt_verify(txn.jwt_alg,"${testdir}/es512-public.pem")] if { var(txn.jwt_alg) -m str "ES512" }
        server s1 ${s1_addr}:${s1_port}


    # This backend will only be used to test the http_auth_bearer sample fetch.
    # No jwt_verify will then be performed.
    backend auth_bearer_be
        # The token is read from a custom header name instead of the default
        # Authorization header.
        http-request set-var(txn.bearer) http_auth_bearer("Custom-Authorization")

        http-response set-header x-jwt-token %[var(txn.bearer)]

        server s1 ${s1_addr}:${s1_port}

    # This backend will mostly be used to test error cases (invalid tokens, algorithm and so on)
    backend dflt_be
        http-request set-var(txn.bearer) http_auth_bearer
        http-request set-var(txn.jwt_alg) var(txn.bearer),jwt_header_query('$.alg')

        # No algorithm allowlist here on purpose: every "alg" is forwarded to
        # jwt_verify so that its error codes can be observed. The key file is
        # not expected to exist (c18 expects -5), so this backend can never
        # report a valid signature. The result is only stored, nothing denies
        # the request on failure, which is why the error-case clients below
        # still expect a 200.
        http-request set-var(txn.jwt_verify) var(txn.bearer),jwt_verify(txn.jwt_alg,"unknown_cert.pem")

        http-response set-header x-jwt-token %[var(txn.bearer)]
        http-response set-header x-jwt-alg %[var(txn.jwt_alg)]
        http-response set-header x-jwt-verify %[var(txn.jwt_verify)]

        server s1 ${s1_addr}:${s1_port}

} -start


client c1 -connect ${h1_mainfe_sock} {
    # Valid HS256 token, routed to hsXXX_be by its /hs path prefix.
    # Token content : {"alg":"HS256","typ":"JWT"}
    #                 {"sub":"1234567890","name":"John Doe","iat":1516239022}
    # HMAC key : 'hmac key hs256'
    # OpenSSL cmd : openssl dgst -sha256 -mac HMAC -macopt key:'hmac key hs256' data.txt | base64 | tr -d '=\n' | tr '/+' '_-'

    txreq -url "/hs256" -hdr "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.hhj1mbYgezxFoYwinThsZQbckYHt4jJlRoQ7W8ksrFM"
    rxresp
    expect resp.status == 200
    expect resp.http.x-jwt-alg == "HS256"
    # 1: the signature verified against the HS256 secret configured in hsXXX_be.
    expect resp.http.x-jwt-verify-HS256 == "1"
} -run

client c2 -connect ${h1_mainfe_sock} {
    # Valid HS384 token, routed to hsXXX_be by its /hs path prefix.
    # Token content : {"alg":"HS384","typ":"JWT"}
    #                 {"sub":"1234567890","name":"John Doe","iat":1516239022}
    # HMAC key : 'hmac key hs384'
    # OpenSSL cmd : openssl dgst -sha384 -mac HMAC -macopt key:'hmac key hs384' data.txt | base64 | tr -d '=\n' | tr '/+' '_-'

    txreq -url "/hs384" -hdr "Authorization: Bearer eyJhbGciOiJIUzM4NCIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.3EsbLfl6DDh5nZMkLWg3ssCurFHyOhXP28a4PDS48aPAIoYLzHchtXmNaYI8He-R"
    rxresp
    expect resp.status == 200
    expect resp.http.x-jwt-alg == "HS384"
    # 1: the signature verified against the HS384 secret configured in hsXXX_be.
    expect resp.http.x-jwt-verify-HS384 == "1"
} -run

client c3 -connect ${h1_mainfe_sock} {
    # Valid HS512 token, routed to hsXXX_be by its /hs path prefix.
    # Token content : {"alg":"HS512","typ":"JWT"}
    #                 {"sub":"1234567890","name":"John Doe","iat":1516239022}
    # HMAC key : 'hmac key hs512'
    # OpenSSL cmd : openssl dgst -sha512 -mac HMAC -macopt key:'hmac key hs512' data.txt | base64 | tr -d '=\n' | tr '/+' '_-'

    txreq -url "/hs512" -hdr "Authorization: Bearer eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.K4Yze5N7jeJrDbJymphaH1YsFlYph5F-U75HzBRKDybrN7WBO494EgNG77mAQj4CVci_xbTD_IsqY2umO0f47A"
    rxresp
    expect resp.status == 200
    expect resp.http.x-jwt-alg == "HS512"
    # 1: the signature verified against the HS512 secret configured in hsXXX_be.
    expect resp.http.x-jwt-verify-HS512 == "1"
} -run

# The following token is invalid (it has three extra characters at the end of the signature)
client c4 -connect ${h1_mainfe_sock} {
    # Same token as c3 with "AAA" appended to the signature part.
    # Token content : {"alg":"HS512","typ":"JWT"}
    #                 {"sub":"1234567890","name":"John Doe","iat":1516239022}
    # HMAC key : 'hmac key hs512'
    # OpenSSL cmd : openssl dgst -sha512 -mac HMAC -macopt key:'hmac key hs512' data.txt | base64 | tr -d '=\n' | tr '/+' '_-'

    txreq -url "/hs512" -hdr "Authorization: Bearer eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.K4Yze5N7jeJrDbJymphaH1YsFlYph5F-U75HzBRKDybrN7WBO494EgNG77mAQj4CVci_xbTD_IsqY2umO0f47AAAA"
    rxresp
    # The request itself is still forwarded: the backend only records the
    # verification result, it does not deny on failure.
    expect resp.status == 200
    expect resp.http.x-jwt-alg == "HS512"
    # -3: the token is malformed (oversized signature), as opposed to 0 which
    # means a well-formed token whose signature does not verify (see c8).
    expect resp.http.x-jwt-verify-HS512 == "-3"
} -run


client c5 -connect ${h1_mainfe_sock} {
    # Valid RS256 token, routed to rsXXX_be by its /rs path prefix and
    # checked against rsa-public.pem.
    # Token content : {"alg":"RS256","typ":"JWT"}
    #                 {"sub":"1234567890","name":"John Doe","iat":1516239022}
    # OpenSSL cmd : openssl dgst -sha256 -sign rsa-private.pem data.txt | base64 | tr -d '=\n' | tr '/+' '_-'

    txreq -url "/rs256" -hdr "Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.hRqFM87JzV_YinYhdERp2E9BLhl6s7I5J37GTXAeT5fixJx-OCjTFvwKssyVo7fWAFcQMdQU7vGEXDOiWbNaMUFGIsMxx0Uflk0BeNwk6pWvNGk8KZGMtiqOv-IuPdAiaSW_xhxLHIk7eOwVefvBfk8j2hgU9yoHN87AYnl8oEnzrkzwWvEt-x-P2zB4s_VwhF0gbL1G4FsP5hxWL1HWmSFLBpvWaL5Lx3OJE7mLRLRf8TpMwEe4ROakzMpiv9Xk1H3mZth6d2a91F5Bm65MIJpJ7P2kEL3tdS62VRx8DM_SlsFuWcsqryO3CDQquMbwzAvfRgLPy8PBLRLT64wM3mZtue5GI2KUlqSYsSwKwK580b4drosLvAS75l_4jJwdwuQEvVd8Gry3DWS2mKJSMefmGfD-cdty1vvszs5sUa96Gf7Ro5DvkgXtVCKYk8KJLI62YgZd5S3M0ucP5NLBc_flUi4A2B_aSkd7NDM0ELddk0y48pcF95tejcvliGIy1GRRwevdqensXXQrFweFSZVvuKo8c9pcCBVfKTSllgL0lFGyI_vz6dUYt69I1gqWBDeGcA2XQUBJqfX3o9nkhZspA7b7QxMESatoATsM_XmfhbwsyY-sTq25XIGC4awaZHViZr1YFVD6BwNZWBCEBvW5zObiD5h5A5AgWoBv14E"
    rxresp
    expect resp.status == 200
    expect resp.http.x-jwt-alg == "RS256"
    # 1: the RSA signature verified with the public key.
    expect resp.http.x-jwt-verify-RS256 == "1"
} -run

client c6 -connect ${h1_mainfe_sock} {
    # Valid RS384 token, routed to rsXXX_be by its /rs path prefix and
    # checked against rsa-public.pem. Its signature is reused by c8.
    # Token content : {"alg":"RS384","typ":"JWT"}
    #                 {"sub":"1234567890","name":"John Doe","iat":1516239022}
    # OpenSSL cmd : openssl dgst -sha384 -sign rsa-private.pem data.txt | base64 | tr -d '=\n' | tr '/+' '_-'

    txreq -url "/rs384" -hdr "Authorization: Bearer eyJhbGciOiJSUzM4NCIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.GuR-v91EMCVvvTTLiE56O0oDAKeQ5JdLqvHtrgOp2MbUtF7zCDutV0LTmMo4qDNVpvTnD3GZfTTGaVUTvW7kIQ3_1iEVAg61qVWkT9rtHHxifDX70RDBKkvNcMWyQH-dFP_FUvCmhCu7q-AzgBT6PHvs5ZqYyQvlQ1gSWZEPFi184dhvcUQrQC6CySEAdOzIryIHH2oQjN_a9lA9V9M_CH3P-AAwFE7NwUE1H1SGIYM4NHcngEZ3B4lBCHOhhgQMpfagcxQjjXv7VfeSqza6OZDpupwlOl34bb0gnFDGMh4hHSS6iHvvwCeCkclbyvKV0Vq0MaRtJuoKRF-_Oww-nKT_bfNtbF6MeOQLNRlYjGCHerWoBtjv3w2KjoLvQ5iGIFI3cEguyrrKNimpovF4Y5uINH0pWdRF99zOwVUlcJBk3RivIb--Y6s47aNFIVWimUpSn-8MSHTla20TYbcdVaZaMur09Cw500jPrOy6jFqVydSnmU6r13NkmCD5-Bl0mgwGtpZcOQExrnIcPQky12kQJAIrffVblvtkd-8FIBPBy1uBKCgkE-q9_suEvBTdvaoTocBmPcIxfPjZUVXeU3UmnRrXEz17pue0YfrwK9CUR9UoP0F5C7O5eSbAtZNm4Hpkiah0w7qugWG3esMgku3-xx0B2xwg6Ul7bAgEJFg"
    rxresp
    expect resp.status == 200
    expect resp.http.x-jwt-alg == "RS384"
    # 1: the RSA signature verified with the public key.
    expect resp.http.x-jwt-verify-RS384 == "1"
} -run

client c7 -connect ${h1_mainfe_sock} {
    # Valid RS512 token, routed to rsXXX_be by its /rs path prefix and
    # checked against rsa-public.pem.
    # Token content : {"alg":"RS512","typ":"JWT"}
    #                 {"sub":"1234567890","name":"John Doe","iat":1516239022}
    # OpenSSL cmd : openssl dgst -sha512 -sign rsa-private.pem data.txt | base64 | tr -d '=\n' | tr '/+' '_-'

    txreq -url "/rs512" -hdr "Authorization: Bearer eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.dgUDvxbWXV-q9lVFDVDt6zffrAjCMkKL7UURz-vvc6utCNMEgt8jSkDWi-mt-jmttkD5mwHqUf3HxWPhfjYNmkTok_XL79F5RXhiF_cu_2oDLDc-RuXdrHaRt9xjUIyZhVJMhaMLdmpcAokQlZxc2W6aj92HKzk3EjyHwfdwfKQNgMooXNzxjE9vCHUbahyLZvtPwiqDtYUSnvN_XOpAMUilxByJStwNqdB7MaOxeAzn76nITh6DqD1bNtxBiLzA7MxYdfsUSmXHMLpkWNAhlrcEIJui9PKm9E0OLFD3M7cCqi6rVvzDxvHqXz3-fcXiSJSRrSmSTu1_ok35TT4WwA9SkHpGe2MJ3uc-8CRlYmjDTcLyXWs_d8i3iNozo6xgiwqIkty4HqScTjhXndRQdmiK-RcUfNLM0Iqm6wYgOifWj728_9GCtdjup-C2uVPdwVwuOjwLbzctZLlFqH3i5IGrCfuOOCAcc_vN3REFqSrDEi4-9qpXuh7yk5pOaiCZYr3-uVhmY5neo55_eV8N3NooDyztwkzRtB_DdbaNrqxk3WEHU79Hseg7c1mkXGm6Djqt3dkkrdpbltzRLrnGKxA4-FzccKOT_P27UYmxQSkyfpAQhfH3jpOE0n9-UYyULbMOY7ZIypXUTquJnrZM3rD_NypU7Jg8uBBGqcziZFc"
    rxresp
    expect resp.status == 200
    expect resp.http.x-jwt-alg == "RS512"
    # 1: the RSA signature verified with the public key.
    expect resp.http.x-jwt-verify-RS512 == "1"
} -run

# The following token is invalid (the signature used SHA384 instead of SHA512)
client c8 -connect ${h1_mainfe_sock} {
    # The header declares RS512 but the signature part is byte-for-byte the
    # RS384 signature of c6, so the digest does not match.
    # Token content : {"alg":"RS512","typ":"JWT"}
    #                 {"sub":"1234567890","name":"John Doe","iat":1516239022}
    # OpenSSL cmd (for the signature actually used) : openssl dgst -sha384 -sign rsa-private.pem data.txt | base64 | tr -d '=\n' | tr '/+' '_-'

    txreq -url "/rs512" -hdr "Authorization: Bearer eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.GuR-v91EMCVvvTTLiE56O0oDAKeQ5JdLqvHtrgOp2MbUtF7zCDutV0LTmMo4qDNVpvTnD3GZfTTGaVUTvW7kIQ3_1iEVAg61qVWkT9rtHHxifDX70RDBKkvNcMWyQH-dFP_FUvCmhCu7q-AzgBT6PHvs5ZqYyQvlQ1gSWZEPFi184dhvcUQrQC6CySEAdOzIryIHH2oQjN_a9lA9V9M_CH3P-AAwFE7NwUE1H1SGIYM4NHcngEZ3B4lBCHOhhgQMpfagcxQjjXv7VfeSqza6OZDpupwlOl34bb0gnFDGMh4hHSS6iHvvwCeCkclbyvKV0Vq0MaRtJuoKRF-_Oww-nKT_bfNtbF6MeOQLNRlYjGCHerWoBtjv3w2KjoLvQ5iGIFI3cEguyrrKNimpovF4Y5uINH0pWdRF99zOwVUlcJBk3RivIb--Y6s47aNFIVWimUpSn-8MSHTla20TYbcdVaZaMur09Cw500jPrOy6jFqVydSnmU6r13NkmCD5-Bl0mgwGtpZcOQExrnIcPQky12kQJAIrffVblvtkd-8FIBPBy1uBKCgkE-q9_suEvBTdvaoTocBmPcIxfPjZUVXeU3UmnRrXEz17pue0YfrwK9CUR9UoP0F5C7O5eSbAtZNm4Hpkiah0w7qugWG3esMgku3-xx0B2xwg6Ul7bAgEJFg"
    rxresp
    expect resp.status == 200
    expect resp.http.x-jwt-alg == "RS512"
    # 0: well-formed token, signature does not verify (contrast with -3 for a
    # malformed token in c4).
    expect resp.http.x-jwt-verify-RS512 == "0"
} -run



client c9 -connect ${h1_mainfe_sock} {
    # Valid ES256 token, routed to esXXX_be by its /es path prefix and
    # checked against es256-public.pem.
    # Token content : {"alg":"ES256","typ":"JWT"}
    #                 {"sub":"1234567890","name":"John Doe","iat":1516239022}
    # Key gen process : openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out es256-private.pem; openssl ec -in es256-private.pem -pubout -out es256-public.pem
    # Token creation : ./build_token.py ES256 '{"sub":"1234567890","name":"John Doe","iat":1516239022}' es256-private.pem

    txreq -url "/es256" -hdr "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.pNI_c5mHE3mLV0YDpstlP4l3t5XARLl6OmcKLuvF5r60m-C63mbgfKWdPjmJPMTCmX_y50YW_v2SKw0ju0tJHw"
    rxresp
    expect resp.status == 200
    expect resp.http.x-jwt-alg == "ES256"
    # 1: the ECDSA signature verified with the P-256 public key.
    expect resp.http.x-jwt-verify-ES256 == "1"
} -run

client c10 -connect ${h1_mainfe_sock} {
    # Valid ES384 token, routed to esXXX_be by its /es path prefix and
    # checked against es384-public.pem.
    # Token content : {"alg":"ES384","typ":"JWT"}
    #                 {"sub":"1234567890","name":"John Doe","iat":1516239022}
    # Key gen process : openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-384 -out es384-private.pem; openssl ec -in es384-private.pem -pubout -out es384-public.pem
    # Token creation : ./build_token.py ES384 '{"sub":"1234567890","name":"John Doe","iat":1516239022}' es384-private.pem

    txreq -url "/es384" -hdr "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzM4NCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.cs59CQiCI_Pl8J-PKQ2y73L5IJascZXkf7MfRXycO1HkT9pqDW2bFr1bh7pFyPA85GaML4BPYVH_zDhcmjSMn_EIvUV8cPDuuUu69Au7n9LYGVkVJ-k7qN4DAR5eLCiU"
    rxresp
    expect resp.status == 200
    expect resp.http.x-jwt-alg == "ES384"
    # 1: the ECDSA signature verified with the P-384 public key.
    expect resp.http.x-jwt-verify-ES384 == "1"
} -run

client c11 -connect ${h1_mainfe_sock} {
    # Valid ES512 token, routed to esXXX_be by its /es path prefix and
    # checked against es512-public.pem.
    # Token content : {"alg":"ES512","typ":"JWT"}
    #                 {"sub":"1234567890","name":"John Doe","iat":1516239022}
    # Key gen process : openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-521 -out es512-private.pem; openssl ec -in es512-private.pem -pubout -out es512-public.pem
    # Token creation : ./build_token.py ES512 '{"sub":"1234567890","name":"John Doe","iat":1516239022}' es512-private.pem

    txreq -url "/es512" -hdr "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzUxMiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.AJcyt0OYf2wg7SggJJVKYysLUkBQA0f0Zc0EbKgud2fQLeT65n42A9l9hhGje79VLWhEyisQmDpFXTpfFXeD_NiaAXyNnX5b8TbZALqxbjx8iIpbcObgUh_g5Gi81bKmRmfXUHW7L5iAwoNjYbUpXGipCpCD0N6-8zCrjcFD2UX01f0Y"
    rxresp
    expect resp.status == 200
    expect resp.http.x-jwt-alg == "ES512"
    # 1: the ECDSA signature verified with the P-521 public key.
    expect resp.http.x-jwt-verify-ES512 == "1"
} -run

# The following token is invalid (too short)
client c12 -connect ${h1_mainfe_sock} {
    # The signature part is the one used by c18 with its last six characters
    # dropped, hence "too short".
    # Token content : {"alg":"ES512","typ":"JWT"}
    #                 {"sub":"1234567890","name":"John Doe","iat":1516239022}
    # OpenSSL cmd : openssl dgst -sha512 -sign es512-private.pem data.txt | base64 | tr -d '=\n' | tr '/+' '_-'

    txreq -url "/es512" -hdr "Authorization: Bearer eyJhbGciOiJFUzUxMiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.MIGHAkEEPEgIrFKIDofBpFKX_mtya55QboGr09P6--v8uO85DwQWR0iKgMNSzYkL3K1lwyExG0Vtwfnife0lNe7Fn5TigAJCAY95NShiTn3tvleXVGCkkD0-HcribnMhd34QPGRc4rlwTkUg9umIUhxnEhPR--OohlmhJyIYGHuH8Ksm5f"
    rxresp
    expect resp.status == 200
    expect resp.http.x-jwt-alg == "ES512"
    # Invalid token (-3: malformed, not merely a signature mismatch)
    expect resp.http.x-jwt-verify-ES512 == "-3"
} -run


# Unmanaged algorithm
client c13 -connect ${h1_mainfe_sock} {
    # /errors has no dedicated backend and lands in dflt_be, where no "alg"
    # allowlist applies and the result is reported as-is.
    # Token content : {"alg":"PS512","typ":"JWT"}
    #                 {"sub":"1234567890","name":"John Doe","iat":1516239022}
    txreq -url "/errors" -hdr "Authorization: Bearer eyJhbGciOiJQUzUxMiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.MIGHAkEEPEgIrFKIDofBpFKX_mtya55QboGr09P6--v8uO85DwQWR0iKgMNSzYkL3K1lwyExG0Vtwfnife0lNe7Fn5TigAJCAY95NShiTn3tvleXVGCkkD0-HcribnMhd34QPGRc4rlwTkUg9umIUhxnEhPR--OohlmhJyIYGHuH8Ksm5f"
    rxresp
    expect resp.status == 200
    expect resp.http.x-jwt-alg == "PS512"
    # Unmanaged algorithm (-2): PS512 is a known JWS algorithm that jwt_verify
    # does not handle; distinct from -1 for a name it does not know (c14).
    expect resp.http.x-jwt-verify == "-2"
} -run

# Unknown algorithm
client c14 -connect ${h1_mainfe_sock} {
    # Routed to dflt_be; the "alg" value is not a JWS algorithm at all.
    # Token content : {"alg":"UNKNOWN_ALG","typ":"JWT"}
    #                 {"sub":"1234567890","name":"John Doe","iat":1516239022}
    txreq -url "/errors" -hdr "Authorization: Bearer eyJhbGciOiJVTktOT1dOX0FMRyIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.MIGHAkEEPEgIrFKIDofBpFKX_mtya55QboGr09P6--v8uO85DwQWR0iKgMNSzYkL3K1lwyExG0Vtwfnife0lNe7Fn5TigAJCAY95NShiTn3tvleXVGCkkD0-HcribnMhd34QPGRc4rlwTkUg9umIUhxnEhPR--OohlmhJyIYGHuH8Ksm5f"
    rxresp
    expect resp.status == 200
    expect resp.http.x-jwt-alg == "UNKNOWN_ALG"
    # Unknown algorithm (-1), as opposed to the unmanaged-but-known case of c13
    expect resp.http.x-jwt-verify == "-1"
} -run

# Invalid token (not enough fields)
client c15 -connect ${h1_mainfe_sock} {
    # Only header and payload, no third dot and no signature part.
    # Token content : {"alg":"ES512","typ":"JWT"}
    #                 {"sub":"1234567890","name":"John Doe","iat":1516239022}
    txreq -url "/errors" -hdr "Authorization: Bearer eyJhbGciOiJFUzUxMiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ"
    rxresp
    expect resp.status == 200
    expect resp.http.x-jwt-alg == "ES512"
    # Invalid token (-3)
    expect resp.http.x-jwt-verify == "-3"
} -run

# Invalid token (too many fields)
client c16 -connect ${h1_mainfe_sock} {
    # Four dot-separated parts instead of the three a JWS compact token has.
    # Token content : {"alg":"ES512","typ":"JWT"}
    #                 {"sub":"1234567890","name":"John Doe","iat":1516239022}
    txreq -url "/errors" -hdr "Authorization: Bearer eyJhbGciOiJFUzUxMiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.MIGHAkEEPEgIrFKIDofBpFKX_mtya55QboGr09P6--v8uO85DwQWR0iKgMNSzYkL3K1lwyExG0Vtwfnife0lNe7Fn5TigAJCAY95NShiTn3tvleXVGCkkD0-HcribnMhd34QPGRc4rlwTkUg9umIUhxnEhPR--OohlmhJyIYGHuH8Ksm5f.unexpectedextrafield"
    rxresp
    expect resp.status == 200
    expect resp.http.x-jwt-alg == "ES512"
    # Invalid token (-3)
    expect resp.http.x-jwt-verify == "-3"
} -run

# Invalid token (empty signature)
client c17 -connect ${h1_mainfe_sock} {
    # Three parts, but the signature part after the last dot is empty. An
    # empty signature must be rejected rather than treated as "unsigned".
    # Token content : {"alg":"ES512","typ":"JWT"}
    #                 {"sub":"1234567890","name":"John Doe","iat":1516239022}
    txreq -url "/errors" -hdr "Authorization: Bearer eyJhbGciOiJFUzUxMiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
    rxresp
    expect resp.status == 200
    expect resp.http.x-jwt-alg == "ES512"
    # Invalid token (-3)
    expect resp.http.x-jwt-verify == "-3"
} -run

# Unknown certificate
client c18 -connect ${h1_mainfe_sock} {
    # Routed to dflt_be, whose jwt_verify points at "unknown_cert.pem"; the
    # token itself is complete (c12 uses a truncated copy of its signature).
    # Token content : {"alg":"ES512","typ":"JWT"}
    #                 {"sub":"1234567890","name":"John Doe","iat":1516239022}
    # Key gen process : openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-521 -out es512-private.pem; openssl ec -in es512-private.pem -pubout -out es512-public.pem
    # OpenSSL cmd : openssl dgst -sha512 -sign es512-private.pem data.txt | base64 | tr -d '=\n' | tr '/+' '_-'

    txreq -url "/errors" -hdr "Authorization: Bearer eyJhbGciOiJFUzUxMiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.MIGHAkEEPEgIrFKIDofBpFKX_mtya55QboGr09P6--v8uO85DwQWR0iKgMNSzYkL3K1lwyExG0Vtwfnife0lNe7Fn5TigAJCAY95NShiTn3tvleXVGCkkD0-HcribnMhd34QPGRc4rlwTkUg9umIUhxnEhPR--OohlmhJyIYGHuH8Ksm5fSIWfRa"
    rxresp
    expect resp.status == 200
    expect resp.http.x-jwt-alg == "ES512"
    # Unknown certificate (-5): the key file could not be used, so no
    # signature check took place.
    expect resp.http.x-jwt-verify == "-5"
} -run


# Test the http_auth_bearer special cases (other header than the default "Authorization" one)
client c19 -connect ${h1_mainfe_sock} {
    # auth_bearer_be reads the Custom-Authorization header; the value after
    # the Bearer scheme is returned verbatim, no JWT parsing is involved.
    txreq -url "/auth_bearer" -hdr "Custom-Authorization: Bearer random_value"
    rxresp
    expect resp.status == 200
    expect resp.http.x-jwt-token == "random_value"
} -run

# Test the http_auth_bearer special cases (multiple spaces after the scheme)
client c20 -connect ${h1_mainfe_sock} {
    # Several spaces between the scheme and the token: the extra whitespace
    # is skipped and only the token is returned.
    txreq -url "/auth_bearer" -hdr "Custom-Authorization: Bearer    random_value"
    rxresp
    expect resp.status == 200
    expect resp.http.x-jwt-token == "random_value"
} -run

# Test the http_auth_bearer special cases (no value after the scheme)
client c21 -connect ${h1_mainfe_sock} {
    # Scheme followed only by whitespace on the custom header: the fetch
    # yields an empty string rather than the trailing spaces.
    txreq -url "/auth_bearer" -hdr "Custom-Authorization: Bearer    "
    rxresp
    expect resp.status == 200
    expect resp.http.x-jwt-token == ""
} -run

# Test the http_auth_bearer special cases (no value after the scheme, on the default Authorization header)
client c22 -connect ${h1_mainfe_sock} {
    # Same as c21 but on the default Authorization header, through dflt_be
    # (http_auth_bearer with no argument).
    txreq -url "/errors" -hdr "Authorization: Bearer    "
    rxresp
    expect resp.status == 200
    expect resp.http.x-jwt-token == ""
} -run