irmago_test.go 14 KB
Newer Older
Sietse Ringers's avatar
Sietse Ringers committed
1
package irmago
2
3

import (
4
5
	"fmt"
	"math/big"
Sietse Ringers's avatar
Sietse Ringers committed
6
	"os"
7
8
	"testing"
	"time"
Sietse Ringers's avatar
Sietse Ringers committed
9

10
11
	"encoding/json"

Sietse Ringers's avatar
Sietse Ringers committed
12
	"github.com/mhe/gabi"
Sietse Ringers's avatar
Sietse Ringers committed
13
	"github.com/stretchr/testify/require"
14
15
)

Sietse Ringers's avatar
Sietse Ringers committed
16
func TestMain(m *testing.M) {
Sietse Ringers's avatar
Sietse Ringers committed
17
18
	retCode := m.Run()

Sietse Ringers's avatar
Sietse Ringers committed
19
20
	// TODO make testdata/storage

Sietse Ringers's avatar
Sietse Ringers committed
21
22
	err := os.RemoveAll("testdata/storage/test")
	if err != nil {
Sietse Ringers's avatar
Sietse Ringers committed
23
		fmt.Println("Could not delete test storage")
Sietse Ringers's avatar
Sietse Ringers committed
24
25
26
		os.Exit(1)
	}

Sietse Ringers's avatar
Sietse Ringers committed
27
28
	os.Exit(retCode)
}
Sietse Ringers's avatar
Sietse Ringers committed
29

Sietse Ringers's avatar
Sietse Ringers committed
30
type IgnoringClientHandler struct{}
Sietse Ringers's avatar
Sietse Ringers committed
31

32
33
34
35
func (i *IgnoringClientHandler) UpdateConfigurationStore(new *IrmaIdentifierSet)            {}
func (i *IgnoringClientHandler) UpdateAttributes()                                          {}
func (i *IgnoringClientHandler) EnrollmentError(manager SchemeManagerIdentifier, err error) {}
func (i *IgnoringClientHandler) EnrollmentSuccess(manager SchemeManagerIdentifier)          {}
Sietse Ringers's avatar
Sietse Ringers committed
36

37
func parseStorage(t *testing.T) *Client {
38
	exists, err := PathExists("testdata/storage/test")
Sietse Ringers's avatar
Sietse Ringers committed
39
40
41
	require.NoError(t, err, "pathexists() failed")
	if !exists {
		require.NoError(t, os.Mkdir("testdata/storage/test", 0755), "Could not create test storage")
Sietse Ringers's avatar
Sietse Ringers committed
42
	}
43
	manager, err := NewClient(
44
45
		"testdata/storage/test",
		"testdata/irma_configuration",
46
		"testdata/oldstorage",
Sietse Ringers's avatar
Sietse Ringers committed
47
		&IgnoringClientHandler{},
48
49
50
	)
	require.NoError(t, err)
	return manager
Sietse Ringers's avatar
Sietse Ringers committed
51
52
53
}

func teardown(t *testing.T) {
54
	require.NoError(t, os.RemoveAll("testdata/storage/test"))
Sietse Ringers's avatar
Sietse Ringers committed
55
56
}

57
58
59
60
61
62
63
// A convenience function for initializing big integers from known correct (10
// base) strings. Use with care, errors are ignored.
func s2big(s string) (r *big.Int) {
	r, _ = new(big.Int).SetString(s, 10)
	return
}

64
65
func verifyManagerIsUnmarshaled(t *testing.T, client *Client) {
	cred, err := client.credential(NewCredentialTypeIdentifier("irma-demo.RU.studentCard"), 0)
66
67
68
	require.NoError(t, err, "could not fetch credential")
	require.NotNil(t, cred, "Credential should exist")
	require.NotNil(t, cred.Attributes[0], "Metadata attribute of irma-demo.RU.studentCard should not be nil")
69

70
	cred, err = client.credential(NewCredentialTypeIdentifier("test.test.mijnirma"), 0)
71
72
73
	require.NoError(t, err, "could not fetch credential")
	require.NotNil(t, cred, "Credential should exist")
	require.NotNil(t, cred.Signature.KeyshareP)
74

75
	require.NotEmpty(t, client.CredentialInfoList())
76

77
78
79
80
	pk, err := cred.PublicKey()
	require.NoError(t, err)
	require.True(t,
		cred.Signature.Verify(pk, cred.Attributes),
81
82
83
		"Credential should be valid",
	)
}
Sietse Ringers's avatar
Sietse Ringers committed
84

85
func verifyCredentials(t *testing.T, client *Client) {
86
87
	var pk *gabi.PublicKey
	var err error
88
	for credtype, credsmap := range client.credentials {
89
		for index, cred := range credsmap {
90
91
			pk, err = cred.PublicKey()
			require.NoError(t, err)
92
			require.True(t,
93
				cred.Credential.Signature.Verify(pk, cred.Attributes),
94
95
				"Credential %s-%d was invalid", credtype.String(), index,
			)
96
			require.Equal(t, cred.Attributes[0], client.secretkey.Key,
97
98
99
				"Secret key of credential %s-%d unequal to main secret key",
				cred.CredentialType().Identifier().String(), index,
			)
100
101
102
103
		}
	}
}

104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
func verifyPaillierKey(t *testing.T, PrivateKey *paillierPrivateKey) {
	require.NotNil(t, PrivateKey)
	require.NotNil(t, PrivateKey.L)
	require.NotNil(t, PrivateKey.U)
	require.NotNil(t, PrivateKey.PublicKey.N)

	require.Equal(t, big.NewInt(1), new(big.Int).Exp(big.NewInt(2), PrivateKey.L, PrivateKey.N))
	require.Equal(t, PrivateKey.NSquared, new(big.Int).Exp(PrivateKey.N, big.NewInt(2), nil))

	plaintext := "Hello Paillier!"
	ciphertext, err := PrivateKey.Encrypt([]byte(plaintext))
	require.NoError(t, err)
	decrypted, err := PrivateKey.Decrypt(ciphertext)
	require.NoError(t, err)
	require.Equal(t, plaintext, string(decrypted))
}

121
122
123
func verifyKeyshareIsUnmarshaled(t *testing.T, client *Client) {
	require.NotNil(t, client.paillierKeyCache)
	require.NotNil(t, client.keyshareServers)
124
	test := NewSchemeManagerIdentifier("test")
125
126
	require.Contains(t, client.keyshareServers, test)
	kss := client.keyshareServers[test]
127
128
129
	require.NotEmpty(t, kss.Nonce)

	verifyPaillierKey(t, kss.PrivateKey)
130
	verifyPaillierKey(t, client.paillierKeyCache)
131
132
}

133
134
135
136
137
138
139
func verifyStoreIsLoaded(t *testing.T, store *ConfigurationStore, android bool) {
	require.Contains(t, store.SchemeManagers, NewSchemeManagerIdentifier("irma-demo"))
	require.Contains(t, store.SchemeManagers, NewSchemeManagerIdentifier("test"))
	if android {
		require.Contains(t, store.SchemeManagers, NewSchemeManagerIdentifier("test2"))
	}

140
141
142
143
144
	pk, err := store.PublicKey(NewIssuerIdentifier("irma-demo.RU"), 0)
	require.NoError(t, err)
	require.NotNil(t, pk)
	require.NotNil(t, pk.N, "irma-demo.RU public key has no modulus")
	require.Equal(t,
145
		"Irma Demo",
146
		store.SchemeManagers[NewSchemeManagerIdentifier("irma-demo")].Name["en"],
147
		"irma-demo scheme manager has unexpected name")
148
	require.Equal(t,
149
		"Radboud University Nijmegen",
150
		store.Issuers[NewIssuerIdentifier("irma-demo.RU")].Name["en"],
151
		"irma-demo.RU issuer has unexpected name")
152
	require.Equal(t,
153
		"Student Card",
154
		store.CredentialTypes[NewCredentialTypeIdentifier("irma-demo.RU.studentCard")].ShortName["en"],
155
156
		"irma-demo.RU.studentCard has unexpected name")

157
	require.Equal(t,
158
		"studentID",
159
		store.CredentialTypes[NewCredentialTypeIdentifier("irma-demo.RU.studentCard")].Attributes[2].ID,
160
161
162
163
		"irma-demo.RU.studentCard.studentID has unexpected name")

	// Hash algorithm pseudocode:
	// Base64(SHA256("irma-demo.RU.studentCard")[0:16])
164
	require.Contains(t, store.reverseHashes, "1stqlPad5edpfS1Na1U+DA==",
165
		"irma-demo.RU.studentCard had improper hash")
166
	require.Contains(t, store.reverseHashes, "CLjnADMBYlFcuGOT7Z0xRg==",
167
		"irma-demo.MijnOverheid.root had improper hash")
168
169
170
}

func TestAndroidParse(t *testing.T) {
171
172
173
174
175
	client := parseStorage(t)
	verifyStoreIsLoaded(t, client.ConfigurationStore, true)
	verifyManagerIsUnmarshaled(t, client)
	verifyCredentials(t, client)
	verifyKeyshareIsUnmarshaled(t, client)
176
177
178
179
180

	teardown(t)
}

func TestUnmarshaling(t *testing.T) {
181
	client := parseStorage(t)
Sietse Ringers's avatar
Sietse Ringers committed
182
183

	// Do session so we can examine its log item later
184
	logs, err := client.Logs()
Sietse Ringers's avatar
Sietse Ringers committed
185
186
	require.NoError(t, err)
	jwt := getIssuanceJwt("testip", NewAttributeTypeIdentifier("irma-demo.RU.studentCard.studentID"))
187
	sessionHelper(t, jwt, "issue", client)
Sietse Ringers's avatar
Sietse Ringers committed
188

189
	newclient, err := NewClient("testdata/storage/test", "testdata/irma_configuration", "testdata/oldstorage", nil)
190
	require.NoError(t, err)
191
192
193
	verifyManagerIsUnmarshaled(t, newclient)
	verifyCredentials(t, newclient)
	verifyKeyshareIsUnmarshaled(t, newclient)
Sietse Ringers's avatar
Sietse Ringers committed
194

195
	newlogs, err := newclient.Logs()
Sietse Ringers's avatar
Sietse Ringers committed
196
197
198
199
200
	require.NoError(t, err)
	require.True(t, len(newlogs) == len(logs)+1)

	entry := newlogs[len(newlogs)-1]
	require.NotNil(t, entry)
201
	sessionjwt, err := entry.Jwt()
Sietse Ringers's avatar
Sietse Ringers committed
202
203
	require.NoError(t, err)
	require.Equal(t, "testip", sessionjwt.(*IdentityProviderJwt).ServerName)
Sietse Ringers's avatar
Sietse Ringers committed
204
205
206
	require.NoError(t, err)
	require.NotEmpty(t, entry.Disclosed)
	require.NotEmpty(t, entry.Received)
Sietse Ringers's avatar
Sietse Ringers committed
207
208
	response, err := entry.GetResponse()
	require.NoError(t, err)
Sietse Ringers's avatar
Sietse Ringers committed
209
210
	require.NotNil(t, response)
	require.IsType(t, &gabi.IssueCommitmentMessage{}, response)
Sietse Ringers's avatar
Sietse Ringers committed
211

Sietse Ringers's avatar
Sietse Ringers committed
212
	teardown(t)
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
}

func TestMetadataAttribute(t *testing.T) {
	metadata := NewMetadataAttribute()
	if metadata.Version() != 0x02 {
		t.Errorf("Unexpected metadata version: %d", metadata.Version())
	}

	expiry := metadata.SigningDate().Unix() + int64(metadata.ValidityDuration()*ExpiryFactor)
	if !time.Unix(expiry, 0).Equal(metadata.Expiry()) {
		t.Errorf("Invalid signing date")
	}

	if metadata.KeyCounter() != 0 {
		t.Errorf("Unexpected key counter")
	}
}

func TestMetadataCompatibility(t *testing.T) {
232
233
	store, err := NewConfigurationStore("testdata/irma_configuration", "")
	require.NoError(t, err)
234
	require.NoError(t, store.ParseFolder())
235
236

	// An actual metadata attribute of an IRMA credential extracted from the IRMA app
Sietse Ringers's avatar
Sietse Ringers committed
237
	attr := MetadataFromInt(s2big("49043481832371145193140299771658227036446546573739245068"), store)
238
	require.NotNil(t, attr.CredentialType(), "attr.CredentialType() should not be nil")
239

240
	require.Equal(t,
241
		NewCredentialTypeIdentifier("irma-demo.RU.studentCard"),
242
243
244
		attr.CredentialType().Identifier(),
		"Metadata credential type was not irma-demo.RU.studentCard",
	)
245
246
247
248
	require.Equal(t, byte(0x02), attr.Version(), "Unexpected metadata version")
	require.Equal(t, time.Unix(1499904000, 0), attr.SigningDate(), "Unexpected signing date")
	require.Equal(t, time.Unix(1516233600, 0), attr.Expiry(), "Unexpected expiry date")
	require.Equal(t, 2, attr.KeyCounter(), "Unexpected key counter")
Sietse Ringers's avatar
Sietse Ringers committed
249
250

	teardown(t)
251
}
252
253

func TestAttributeDisjunctionMarshaling(t *testing.T) {
254
255
256
	store, err := NewConfigurationStore("testdata/irma_configuration", "")
	require.NoError(t, err)
	require.NoError(t, store.ParseFolder())
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
	disjunction := AttributeDisjunction{}

	var _ json.Unmarshaler = &disjunction
	var _ json.Marshaler = &disjunction

	id := NewAttributeTypeIdentifier("MijnOverheid.ageLower.over18")

	attrsjson := `
	{
		"label": "Over 18",
		"attributes": {
			"MijnOverheid.ageLower.over18": "yes",
			"Thalia.age.over18": "Yes"
		}
	}`
	require.NoError(t, json.Unmarshal([]byte(attrsjson), &disjunction))
	require.True(t, disjunction.HasValues())
	require.Contains(t, disjunction.Attributes, id)
	require.Contains(t, disjunction.Values, id)
	require.Equal(t, disjunction.Values[id], "yes")

	disjunction = AttributeDisjunction{}
	attrsjson = `
	{
		"label": "Over 18",
		"attributes": [
			"MijnOverheid.ageLower.over18",
			"Thalia.age.over18"
		]
	}`
	require.NoError(t, json.Unmarshal([]byte(attrsjson), &disjunction))
	require.False(t, disjunction.HasValues())
	require.Contains(t, disjunction.Attributes, id)

Sietse Ringers's avatar
Sietse Ringers committed
291
	require.True(t, disjunction.MatchesStore(store))
292
293
294
295
296

	require.False(t, disjunction.Satisfied())
	disjunction.selected = &disjunction.Attributes[0]
	require.True(t, disjunction.Satisfied())
}
297
298

func TestCandidates(t *testing.T) {
299
	client := parseStorage(t)
300
301
302
303
304

	attrtype := NewAttributeTypeIdentifier("irma-demo.RU.studentCard.studentID")
	disjunction := &AttributeDisjunction{
		Attributes: []AttributeTypeIdentifier{attrtype},
	}
305
	attrs := client.Candidates(disjunction)
306
307
308
309
310
311
312
313
314
	require.NotNil(t, attrs)
	require.Len(t, attrs, 1)

	attr := attrs[0]
	require.NotNil(t, attr)
	require.Equal(t, attr.Type, attrtype)

	disjunction = &AttributeDisjunction{
		Attributes: []AttributeTypeIdentifier{attrtype},
315
		Values:     map[AttributeTypeIdentifier]string{attrtype: "456"},
316
	}
317
	attrs = client.Candidates(disjunction)
318
319
320
321
322
323
324
	require.NotNil(t, attrs)
	require.Len(t, attrs, 1)

	disjunction = &AttributeDisjunction{
		Attributes: []AttributeTypeIdentifier{attrtype},
		Values:     map[AttributeTypeIdentifier]string{attrtype: "foobarbaz"},
	}
325
	attrs = client.Candidates(disjunction)
326
327
328
329
330
	require.NotNil(t, attrs)
	require.Empty(t, attrs)

	teardown(t)
}
331
332

func TestTimestamp(t *testing.T) {
333
334
	mytime := Timestamp(time.Unix(1500000000, 0))
	timestruct := struct{ Time *Timestamp }{Time: &mytime}
335
336
337
	bytes, err := json.Marshal(timestruct)
	require.NoError(t, err)

338
	timestruct = struct{ Time *Timestamp }{}
339
340
341
	require.NoError(t, json.Unmarshal(bytes, &timestruct))
	require.Equal(t, time.Time(*timestruct.Time).Unix(), int64(1500000000))
}
Sietse Ringers's avatar
Sietse Ringers committed
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385

func TestServiceProvider(t *testing.T) {
	var spjwt ServiceProviderJwt

	var spjson = `{
		"sprequest": {
			"validity": 60,
			"timeout": 60,
			"request": {
				"content": [
					{
						"label": "ID",
						"attributes": ["irma-demo.RU.studentCard.studentID"]
					}
				]
			}
		}
	}`

	require.NoError(t, json.Unmarshal([]byte(spjson), &spjwt))
	require.NotNil(t, spjwt.Request.Request.Content)
	require.NotEmpty(t, spjwt.Request.Request.Content)
	require.NotNil(t, spjwt.Request.Request.Content[0])
	require.NotEmpty(t, spjwt.Request.Request.Content[0])
	require.NotNil(t, spjwt.Request.Request.Content[0].Attributes)
	require.NotEmpty(t, spjwt.Request.Request.Content[0].Attributes)
	require.Equal(t, spjwt.Request.Request.Content[0].Attributes[0].Name(), "studentID")

	require.NotNil(t, spjwt.Request.Request.Content.Find(NewAttributeTypeIdentifier("irma-demo.RU.studentCard.studentID")))
}

func TestTransport(t *testing.T) {
	transport := NewHTTPTransport("https://xkcd.com")
	obj := &struct {
		Num   int    `json:"num"`
		Img   string `json:"img"`
		Title string `json:"title"`
	}{}

	err := transport.Get("614/info.0.json", obj)
	if err != nil { // require.NoError() does not work because of the type of err
		t.Fatalf("%+v\n", err)
	}
}
Sietse Ringers's avatar
Sietse Ringers committed
386
387

func TestPaillier(t *testing.T) {
388
	client := parseStorage(t)
Sietse Ringers's avatar
Sietse Ringers committed
389
390
391
392
393

	challenge, _ := gabi.RandomBigInt(256)
	comm, _ := gabi.RandomBigInt(1000)
	resp, _ := gabi.RandomBigInt(1000)

394
	sk := client.paillierKey(true)
Sietse Ringers's avatar
Sietse Ringers committed
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
	bytes, err := sk.Encrypt(challenge.Bytes())
	require.NoError(t, err)
	cipher := new(big.Int).SetBytes(bytes)

	bytes, err = sk.Encrypt(comm.Bytes())
	require.NoError(t, err)
	commcipher := new(big.Int).SetBytes(bytes)

	// [[ c ]]^resp * [[ comm ]]
	cipher.Exp(cipher, resp, sk.NSquared).Mul(cipher, commcipher).Mod(cipher, sk.NSquared)

	bytes, err = sk.Decrypt(cipher.Bytes())
	require.NoError(t, err)
	plaintext := new(big.Int).SetBytes(bytes)
	expected := new(big.Int).Set(challenge)
	expected.Mul(expected, resp).Add(expected, comm)

	require.Equal(t, plaintext, expected)

	teardown(t)
}
416
417

func TestCredentialRemoval(t *testing.T) {
418
	client := parseStorage(t)
419
420
421
	id := NewCredentialTypeIdentifier("irma-demo.RU.studentCard")
	id2 := NewCredentialTypeIdentifier("test.test.mijnirma")

422
	cred, err := client.credential(id, 0)
423
424
	require.NoError(t, err)
	require.NotNil(t, cred)
425
	err = client.RemoveCredentialByHash(cred.AttributeList().hash())
426
	require.NoError(t, err)
427
	cred, err = client.credential(id, 0)
428
429
430
	require.NoError(t, err)
	require.Nil(t, cred)

431
	cred, err = client.credential(id2, 0)
432
433
	require.NoError(t, err)
	require.NotNil(t, cred)
434
	err = client.RemoveCredential(id2, 0)
435
	require.NoError(t, err)
436
	cred, err = client.credential(id2, 0)
437
438
439
440
441
	require.NoError(t, err)
	require.Nil(t, cred)

	teardown(t)
}
442
443

func TestDownloadSchemeManager(t *testing.T) {
444
445
	client := parseStorage(t)
	require.NoError(t, client.ConfigurationStore.RemoveSchemeManager(NewSchemeManagerIdentifier("irma-demo")))
446
	url := "https://raw.githubusercontent.com/credentials/irma_configuration/translate/irma-demo"
447
	sm, err := client.ConfigurationStore.DownloadSchemeManager(url)
448
449
	require.NoError(t, err)
	require.NotNil(t, sm)
450

451
	require.NoError(t, client.ConfigurationStore.AddSchemeManager(sm))
452
453

	jwt := getIssuanceJwt("testip", NewAttributeTypeIdentifier("irma-demo.RU.studentCard.studentID"))
454
	sessionHelper(t, jwt, "issue", client)
455
456

	teardown(t)
457
}