package irmaclient

import (
	"encoding/json"
	"math/big"
	"os"
	"testing"

	"github.com/mhe/gabi"
	"github.com/privacybydesign/irmago"
	"github.com/privacybydesign/irmago/internal/fs"
	"github.com/privacybydesign/irmago/internal/test"
	"github.com/stretchr/testify/require"
)

// TestMain prepares a fresh test storage directory before the package's tests
// run, removes it again afterwards, and exits with the tests' exit code.
func TestMain(m *testing.M) {
	test.ClearTestStorage(nil)
	test.CreateTestStorage(nil)

	code := m.Run()

	// Not deferred on purpose: os.Exit does not run deferred calls.
	test.ClearTestStorage(nil)
	os.Exit(code)
}

// TestClientHandler is the client handler used by the tests in this file (see
// parseStorage). Enrollment and PIN-change results are reported on c; when no
// receiver is waiting on c, a failure aborts the test through t instead.
type TestClientHandler struct {
	t *testing.T
	c chan error // may be nil (parseStorage leaves it unset); a send on it is then never selected
}

// UpdateConfiguration is a no-op: these tests do not react to configuration updates.
func (i *TestClientHandler) UpdateConfiguration(new *irma.IrmaIdentifierSet) {
	// nothing to do
}
// UpdateAttributes is a no-op: these tests do not react to attribute updates.
func (i *TestClientHandler) UpdateAttributes() {
	// nothing to do
}
// EnrollmentSuccess reports a successful enrollment on the result channel.
// The send is non-blocking, so a handler without a waiting receiver (or with
// a nil channel) never stalls the client.
func (i *TestClientHandler) EnrollmentSuccess(manager irma.SchemeManagerIdentifier) {
	select {
	case i.c <- nil:
		// delivered to a waiting receiver
	default:
		// nobody is listening; success needs no further action
	}
}
// EnrollmentFailure hands the enrollment error to a waiting receiver; when
// nobody is receiving (or the channel is nil) it aborts the test instead, so
// a failure can never go unnoticed.
func (i *TestClientHandler) EnrollmentFailure(manager irma.SchemeManagerIdentifier, err error) {
	select {
	case i.c <- err:
		return
	default:
	}
	// No receiver ready: fail the test right here.
	// NOTE(review): t.Fatal must run on the test goroutine; if the client
	// calls this handler from another goroutine, confirm — t.Error would be
	// the safe alternative.
	i.t.Fatal(err)
}
// ChangepinSuccess reports a successful PIN change on the result channel.
// The send is non-blocking, so a handler without a waiting receiver (or with
// a nil channel) never stalls the client.
func (i *TestClientHandler) ChangepinSuccess(manager irma.SchemeManagerIdentifier) {
	select {
	case i.c <- nil:
		// delivered to a waiting receiver
	default:
		// nobody is listening; success needs no further action
	}
}
// ChangepinFailure hands the PIN-change error to a waiting receiver; when
// nobody is receiving (or the channel is nil) it aborts the test instead, so
// a failure can never go unnoticed.
func (i *TestClientHandler) ChangepinFailure(manager irma.SchemeManagerIdentifier, err error) {
	select {
	case i.c <- err:
		return
	default:
	}
	// No receiver ready: fail the test right here.
	// NOTE(review): t.Fatal must run on the test goroutine; if the client
	// calls this handler from another goroutine, confirm — t.Error would be
	// the safe alternative.
	i.t.Fatal(err)
}

// parseStorage copies the pristine test storage into the per-test storage
// directory and returns a Client loaded from it. Any failure aborts the
// calling test.
func parseStorage(t *testing.T) *Client {
	const (
		storagePath = "../testdata/storage/test"
		configPath  = "../testdata/irma_configuration"
	)
	require.NoError(t, fs.CopyDirectory("../testdata/teststorage", storagePath))

	// The handler's channel is left nil: result notifications are simply
	// dropped, and failures abort the test through t.
	handler := &TestClientHandler{t: t}
	client, err := New(storagePath, configPath, "", handler)
	require.NoError(t, err)
	return client
}

// verifyClientIsUnmarshaled checks that the credentials in the test storage
// were deserialized: the studentCard credential has its metadata attribute,
// the mijnirma credential carries its keyshare signature part, the credential
// info list is non-empty, and the mijnirma signature verifies under the
// issuer public key.
func verifyClientIsUnmarshaled(t *testing.T, client *Client) {
	studentCard, err := client.credential(irma.NewCredentialTypeIdentifier("irma-demo.RU.studentCard"), 0)
	require.NoError(t, err, "could not fetch credential")
	require.NotNil(t, studentCard, "Credential should exist")
	require.NotNil(t, studentCard.Attributes[0], "Metadata attribute of irma-demo.RU.studentCard should not be nil")

	mijnirma, err := client.credential(irma.NewCredentialTypeIdentifier("test.test.mijnirma"), 0)
	require.NoError(t, err, "could not fetch credential")
	require.NotNil(t, mijnirma, "Credential should exist")
	require.NotNil(t, mijnirma.Signature.KeyshareP)

	require.NotEmpty(t, client.CredentialInfoList())

	pk, err := mijnirma.PublicKey()
	require.NoError(t, err)
	valid := mijnirma.Signature.Verify(pk, mijnirma.Attributes)
	require.True(t, valid, "Credential should be valid")
}

// verifyCredentials walks every stored credential and checks that its
// signature verifies under the issuer public key and that its first
// attribute (the secret key) equals the client's main secret key.
func verifyCredentials(t *testing.T, client *Client) {
	for credtype, creds := range client.credentials {
		for idx, cred := range creds {
			pk, err := cred.PublicKey()
			require.NoError(t, err)
			ok := cred.Credential.Signature.Verify(pk, cred.Attributes)
			require.True(t, ok, "Credential %s-%d was invalid", credtype.String(), idx)
			require.Equal(t, cred.Attributes[0], client.secretkey.Key,
				"Secret key of credential %s-%d unequal to main secret key",
				cred.CredentialType().Identifier().String(), idx,
			)
		}
	}
}

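// verifyPaillierKey checks that a Paillier private key was fully
// deserialized: its components are present, L and N are consistent
// (2^L mod N == 1), NSquared really is N^2, and an Encrypt/Decrypt round
// trip returns the plaintext.
func verifyPaillierKey(t *testing.T, PrivateKey *paillierPrivateKey) {
	require.NotNil(t, PrivateKey)
	require.NotNil(t, PrivateKey.L)
	require.NotNil(t, PrivateKey.U)
	require.NotNil(t, PrivateKey.PublicKey.N)

	// Compare big.Ints by value with Cmp: require.Equal falls back to
	// reflect.DeepEqual, which inspects the internal representation.
	two := big.NewInt(2)
	require.Equal(t, 0,
		new(big.Int).Exp(two, PrivateKey.L, PrivateKey.N).Cmp(big.NewInt(1)),
		"2^L mod N should be 1",
	)
	require.Equal(t, 0,
		new(big.Int).Exp(PrivateKey.N, two, nil).Cmp(PrivateKey.NSquared),
		"NSquared should equal N^2",
	)

	plaintext := "Hello Paillier!"
	ciphertext, err := PrivateKey.Encrypt([]byte(plaintext))
	require.NoError(t, err)
	decrypted, err := PrivateKey.Decrypt(ciphertext)
	require.NoError(t, err)
	require.Equal(t, plaintext, string(decrypted))
}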

// verifyKeyshareIsUnmarshaled checks that the keyshare-related state of the
// test storage was deserialized: the cached Paillier key, the keyshare server
// entry for the "test" scheme manager with its nonce, and the private key
// stored for that server.
func verifyKeyshareIsUnmarshaled(t *testing.T, client *Client) {
	require.NotNil(t, client.paillierKeyCache)
	require.NotNil(t, client.keyshareServers)

	manager := irma.NewSchemeManagerIdentifier("test")
	require.Contains(t, client.keyshareServers, manager)
	server := client.keyshareServers[manager]
	require.NotEmpty(t, server.Nonce)

	verifyPaillierKey(t, server.PrivateKey)
	verifyPaillierKey(t, client.paillierKeyCache)
}

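// TestStorageDeserialization loads the test storage and checks that the
// credentials and keyshare state come back intact.
func TestStorageDeserialization(t *testing.T) {
	client := parseStorage(t)
	// Deferred so that storage is also cleaned up when an assertion aborts
	// the test; otherwise leftovers would persist into the next test.
	defer test.ClearTestStorage(t)

	verifyClientIsUnmarshaled(t, client)
	verifyCredentials(t, client)
	verifyKeyshareIsUnmarshaled(t, client)
}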

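// TestLogging runs an issuance session and checks that exactly one log entry
// was added for it, and that the entry records the session JWT, the disclosed
// and received attributes, and the issuance commitment response.
func TestLogging(t *testing.T) {
	client := parseStorage(t)
	// Deferred so that storage is also cleaned up when an assertion aborts the test.
	defer test.ClearTestStorage(t)

	logs, err := client.Logs()
	require.NoError(t, err)
	oldLogLength := len(logs)

	// Do session so we can examine its log item later
	jwt := getCombinedJwt("testip", irma.NewAttributeTypeIdentifier("irma-demo.RU.studentCard.studentID"))
	sessionHelper(t, jwt, "issue", client)

	logs, err = client.Logs()
	require.NoError(t, err)
	require.Len(t, logs, oldLogLength+1, "session should add exactly one log entry")

	entry := logs[len(logs)-1]
	require.NotNil(t, entry)
	sessionjwt, err := entry.Jwt()
	require.NoError(t, err)
	// Check the dynamic type before asserting it, so a mismatch fails the
	// test with a message instead of panicking.
	require.IsType(t, &irma.IdentityProviderJwt{}, sessionjwt)
	require.Equal(t, "testip", sessionjwt.(*irma.IdentityProviderJwt).ServerName)
	require.NotEmpty(t, entry.Disclosed)
	require.NotEmpty(t, entry.Received)

	response, err := entry.GetResponse()
	require.NoError(t, err)
	require.NotNil(t, response)
	require.IsType(t, &gabi.IssueCommitmentMessage{}, response)
}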

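// TestCandidates tests the correctness of the function of the client that, given a disjunction of attributes
// requested by the verifier, calculates a list of candidate attributes contained by the client that would
// satisfy the attribute disjunction.
func TestCandidates(t *testing.T) {
	client := parseStorage(t)
	// Deferred so that storage is also cleaned up when an assertion aborts the test.
	defer test.ClearTestStorage(t)

	// client contains one instance of the studentCard credential, whose studentID attribute is 456.
	attrtype := irma.NewAttributeTypeIdentifier("irma-demo.RU.studentCard.studentID")

	// If the disjunction contains no required values at all, then our attribute is a candidate
	disjunction := &irma.AttributeDisjunction{
		Attributes: []irma.AttributeTypeIdentifier{attrtype},
	}
	attrs := client.Candidates(disjunction)
	require.NotNil(t, attrs)
	require.Len(t, attrs, 1)
	require.NotNil(t, attrs[0])
	require.Equal(t, attrs[0].Type, attrtype)

	// If the disjunction requires our attribute to have 456 as value, which it does,
	// then our attribute is a candidate
	reqval := "456"
	disjunction = &irma.AttributeDisjunction{
		Attributes: []irma.AttributeTypeIdentifier{attrtype},
		Values:     map[irma.AttributeTypeIdentifier]*string{attrtype: &reqval},
	}
	attrs = client.Candidates(disjunction)
	require.NotNil(t, attrs)
	require.Len(t, attrs, 1)
	require.NotNil(t, attrs[0])
	require.Equal(t, attrs[0].Type, attrtype)

	// If the disjunction requires our attribute to have a different value than it does,
	// then it is NOT a match.
	reqval = "foobarbaz"
	disjunction.Values[attrtype] = &reqval
	attrs = client.Candidates(disjunction)
	require.NotNil(t, attrs)
	require.Empty(t, attrs)

	// A required value of nil counts as no requirement on the value, so our attribute is a candidate
	disjunction.Values[attrtype] = nil
	attrs = client.Candidates(disjunction)
	require.NotNil(t, attrs)
	require.Len(t, attrs, 1)
	require.NotNil(t, attrs[0])
	require.Equal(t, attrs[0].Type, attrtype)

	// This test should be equivalent to the one above, but builds the disjunction from JSON.
	// The Unmarshal error must not be ignored: a parse failure would leave an empty
	// disjunction behind and make the assertions below fail for the wrong reason.
	disjunction = &irma.AttributeDisjunction{}
	require.NoError(t, json.Unmarshal([]byte(`{"attributes":{"irma-demo.RU.studentCard.studentID":null}}`), &disjunction))
	attrs = client.Candidates(disjunction)
	require.NotNil(t, attrs)
	require.Len(t, attrs, 1)
	require.NotNil(t, attrs[0])
	require.Equal(t, attrs[0].Type, attrtype)

	// A required value of null counts as no requirement on the value, but we must still satisfy the disjunction
	// We do not have an instance of this attribute so we have no candidate
	disjunction = &irma.AttributeDisjunction{}
	require.NoError(t, json.Unmarshal([]byte(`{"attributes":{"irma-demo.MijnOverheid.ageLower.over12":null}}`), &disjunction))
	attrs = client.Candidates(disjunction)
	require.Empty(t, attrs)
}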

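// TestPaillier checks the Paillier homomorphism used here: for ciphertexts
// [[c]] and [[comm]], [[c]]^resp * [[comm]] (mod N^2) must decrypt to
// c*resp + comm.
func TestPaillier(t *testing.T) {
	client := parseStorage(t)
	// Deferred so that storage is also cleaned up when an assertion aborts the test.
	defer test.ClearTestStorage(t)

	// Random-number generation can fail; do not silently continue with nil values.
	challenge, err := gabi.RandomBigInt(256)
	require.NoError(t, err)
	comm, err := gabi.RandomBigInt(1000)
	require.NoError(t, err)
	resp, err := gabi.RandomBigInt(1000)
	require.NoError(t, err)

	sk := client.paillierKey(true)
	ct, err := sk.Encrypt(challenge.Bytes())
	require.NoError(t, err)
	cipher := new(big.Int).SetBytes(ct)

	ct, err = sk.Encrypt(comm.Bytes())
	require.NoError(t, err)
	commcipher := new(big.Int).SetBytes(ct)

	// [[ c ]]^resp * [[ comm ]]
	cipher.Exp(cipher, resp, sk.NSquared).Mul(cipher, commcipher).Mod(cipher, sk.NSquared)

	ct, err = sk.Decrypt(cipher.Bytes())
	require.NoError(t, err)
	plaintext := new(big.Int).SetBytes(ct)
	expected := new(big.Int).Set(challenge)
	expected.Mul(expected, resp).Add(expected, comm)

	// Compare by value: require.Equal on *big.Int uses reflect.DeepEqual.
	require.Equal(t, 0, plaintext.Cmp(expected), "decrypted value should equal challenge*resp + comm")
}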

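// TestCredentialRemoval checks both removal entry points: removing the
// studentCard credential by the hash of its attribute list, and removing the
// mijnirma credential by type and index. After each removal the credential
// must no longer be retrievable (nil, without error).
func TestCredentialRemoval(t *testing.T) {
	client := parseStorage(t)
	// Deferred so that storage is also cleaned up when an assertion aborts the test.
	defer test.ClearTestStorage(t)

	id := irma.NewCredentialTypeIdentifier("irma-demo.RU.studentCard")
	id2 := irma.NewCredentialTypeIdentifier("test.test.mijnirma")

	// Removal by attribute-list hash.
	cred, err := client.credential(id, 0)
	require.NoError(t, err)
	require.NotNil(t, cred)
	require.NoError(t, client.RemoveCredentialByHash(cred.AttributeList().Hash()))
	cred, err = client.credential(id, 0)
	require.NoError(t, err)
	require.Nil(t, cred)

	// Removal by credential type and index.
	cred, err = client.credential(id2, 0)
	require.NoError(t, err)
	require.NotNil(t, cred)
	require.NoError(t, client.RemoveCredential(id2, 0))
	cred, err = client.credential(id2, 0)
	require.NoError(t, err)
	require.Nil(t, cred)
}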

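// TestWrongSchemeManager checks how the configuration reacts to a scheme
// manager whose index file is missing: ParseFolder must fail with a
// *irma.SchemeManagerError, and the manager must end up in
// DisabledSchemeManagers with a non-Valid status while still being listed in
// SchemeManagers. A scheme manager with a missing index file must never be
// treated as valid.
func TestWrongSchemeManager(t *testing.T) {
	client := parseStorage(t)
	// Deferred so that storage is also cleaned up when an assertion aborts the test.
	defer test.ClearTestStorage(t)

	irmademo := irma.NewSchemeManagerIdentifier("irma-demo")
	require.Contains(t, client.Configuration.SchemeManagers, irmademo)
	require.NoError(t, os.Remove("../testdata/storage/test/irma_configuration/irma-demo/index"))

	err := client.Configuration.ParseFolder()
	_, ok := err.(*irma.SchemeManagerError)
	require.True(t, ok, "ParseFolder should return a *irma.SchemeManagerError, got %v", err)
	require.Contains(t, client.Configuration.DisabledSchemeManagers, irmademo)
	require.Contains(t, client.Configuration.SchemeManagers, irmademo)
	require.NotEqual(t,
		client.Configuration.SchemeManagers[irmademo].Status,
		irma.SchemeManagerStatusValid,
	)
}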

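// TestDownloadSchemeManager tests installing a new scheme manager from a qr, and then
// does a(n issuance) session within this manager to test the automatic downloading of
// credential definitions, issuers, and public keys. The scheme manager is fetched over
// the network, so this test needs outbound HTTPS access.
func TestDownloadSchemeManager(t *testing.T) {
	client := parseStorage(t)
	// Deferred so that storage is also cleaned up when an assertion aborts the test.
	defer test.ClearTestStorage(t)

	// Remove irma-demo scheme manager as we need to test adding it
	irmademo := irma.NewSchemeManagerIdentifier("irma-demo")
	require.Contains(t, client.Configuration.SchemeManagers, irmademo)
	require.NoError(t, client.Configuration.RemoveSchemeManager(irmademo, true))
	require.NotContains(t, client.Configuration.SchemeManagers, irmademo)

	// Do an add-scheme-manager-session
	qr := &irma.Qr{
		Type: irma.ActionSchemeManager,
		URL:  "https://raw.githubusercontent.com/credentials/irma-demo-schememanager/master",
	}
	c := make(chan *irma.SessionError)
	client.NewSession(qr, TestHandler{t, c, client})
	if err := <-c; err != nil {
		t.Fatal(*err)
	}
	require.Contains(t, client.Configuration.SchemeManagers, irmademo)

	// Do a session to test downloading of cred types, issuers and keys
	jwt := getCombinedJwt("testip", irma.NewAttributeTypeIdentifier("irma-demo.RU.studentCard.studentID"))
	sessionHelper(t, jwt, "issue", client)

	require.Contains(t, client.Configuration.SchemeManagers, irmademo)
	require.Contains(t, client.Configuration.Issuers, irma.NewIssuerIdentifier("irma-demo.RU"))
	require.Contains(t, client.Configuration.CredentialTypes, irma.NewCredentialTypeIdentifier("irma-demo.RU.studentCard"))

	// The downloaded scheme files must have been written to the client's storage.
	basepath := "../testdata/storage/test/irma_configuration/irma-demo"
	for _, rel := range []string{
		"/description.xml",
		"/RU/description.xml",
		"/RU/Issues/studentCard/description.xml",
	} {
		exists, err := fs.PathExists(basepath + rel)
		require.NoError(t, err)
		require.True(t, exists, "%s should exist after download", basepath+rel)
	}
}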