package irmago

import (
	"fmt"
	"math/big"
	"os"
	"testing"
	"time"

	"encoding/json"

	"github.com/mhe/gabi"
	"github.com/stretchr/testify/require"
)

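// TestMain runs the package tests and afterwards removes the on-disk scratch
// storage. Individual tests call teardown themselves; this is the safety net
// for a test that failed before reaching it. A failed cleanup exits non-zero
// so leftover state does not go unnoticed.
func TestMain(m *testing.M) {
	retCode := m.Run()

	// Print the underlying error as well, so a permission or path problem is
	// diagnosable from the test output.
	if err := os.RemoveAll("testdata/storage/test"); err != nil {
		fmt.Println("Could not delete test storage:", err)
		os.Exit(1)
	}

	os.Exit(retCode)
}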

// IgnoringKeyshareHandler is the keyshare handler stub used by the tests: it is
// passed to NewCredentialManager and deliberately never completes a
// registration.
type IgnoringKeyshareHandler struct{}

// StartRegistration accepts the registration request and callback and does
// nothing with either; the callback is never invoked.
func (h *IgnoringKeyshareHandler) StartRegistration(m *SchemeManager, callback func(e, p string)) {
	// Intentionally empty.
}

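// parseStorage creates the scratch storage directory (if needed) and builds a
// CredentialManager over it, the test scheme configuration and the old-format
// storage in testdata/oldstorage. Any failure aborts the calling test.
func parseStorage(t *testing.T) *CredentialManager {
	// MkdirAll succeeds when the directory already exists, which replaces the
	// separate exists-then-create sequence and its check-then-act window.
	require.NoError(t, os.MkdirAll("testdata/storage/test", 0755), "Could not create test storage")

	manager, err := NewCredentialManager(
		"testdata/storage/test",
		"testdata/irma_configuration",
		"testdata/oldstorage",
		&IgnoringKeyshareHandler{},
	)
	require.NoError(t, err)
	return manager
}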

// teardown deletes the scratch storage directory created by parseStorage.
// os.RemoveAll reports no error when the directory is already gone, so it is
// safe to call from tests that never created it.
func teardown(t *testing.T) {
	err := os.RemoveAll("testdata/storage/test")
	require.NoError(t, err)
}

// s2big parses a known-good base-10 string into a big.Int. It is a test
// convenience only: a malformed string yields nil instead of an error, so
// callers must pass literals they trust.
func s2big(s string) (r *big.Int) {
	value, ok := new(big.Int).SetString(s, 10)
	if !ok {
		return nil
	}
	return value
}

// verifyManagerIsUnmarshaled checks that the credentials expected in the test
// storage were loaded: the irma-demo student card with a non-nil metadata
// attribute, the test.test.mijnirma credential with its KeyshareP signature
// component, a non-empty credential list, and a verifying signature on the
// mijnirma credential.
func verifyManagerIsUnmarshaled(t *testing.T, manager *CredentialManager) {
	studentCard, err := manager.credential(NewCredentialTypeIdentifier("irma-demo.RU.studentCard"), 0)
	require.NoError(t, err, "could not fetch credential")
	require.NotNil(t, studentCard, "Credential should exist")
	require.NotNil(t, studentCard.Attributes[0], "Metadata attribute of irma-demo.RU.studentCard should not be nil")

	mijnirma, err := manager.credential(NewCredentialTypeIdentifier("test.test.mijnirma"), 0)
	require.NoError(t, err, "could not fetch credential")
	require.NotNil(t, mijnirma, "Credential should exist")
	require.NotNil(t, mijnirma.Signature.KeyshareP)

	require.NotEmpty(t, manager.CredentialInfoList())

	// The signature check applies to the last credential fetched (mijnirma).
	pk, err := mijnirma.PublicKey()
	require.NoError(t, err)
	valid := mijnirma.Signature.Verify(pk, mijnirma.Attributes)
	require.True(t, valid, "Credential should be valid")
}

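// verifyCredentials checks every credential held by the manager: its signature
// must verify under the issuer public key, and its first attribute must equal
// the manager's secret key.
func verifyCredentials(t *testing.T, manager *CredentialManager) {
	for credtype, credsmap := range manager.credentials {
		for index, cred := range credsmap {
			pk, err := cred.PublicKey()
			require.NoError(t, err)
			require.True(t,
				cred.Credential.Signature.Verify(pk, cred.Attributes),
				"Credential %s-%d was invalid", credtype.String(), index,
			)
			// Both messages identify the failing credential; the format
			// arguments must be supplied for the placeholders to render.
			require.Equal(t, cred.Attributes[0], manager.secretkey,
				"Secret key of credential %s-%d unequal to main secret key", credtype.String(), index)
		}
	}
}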

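// verifyPaillierKey checks the structural invariants of a Paillier private key
// (L, U and the public modulus N are present, 2^L mod N == 1, NSquared == N^2)
// and that Encrypt followed by Decrypt round-trips a short message.
func verifyPaillierKey(t *testing.T, sk *paillierPrivateKey) {
	require.NotNil(t, sk)
	require.NotNil(t, sk.L)
	require.NotNil(t, sk.U)
	require.NotNil(t, sk.PublicKey.N)

	// Compare big.Ints numerically with Cmp. require.Equal falls back to
	// reflect.DeepEqual on the internal representation, which is not the same
	// thing as numeric equality.
	twoPowL := new(big.Int).Exp(big.NewInt(2), sk.L, sk.N)
	require.Equal(t, 0, big.NewInt(1).Cmp(twoPowL), "2^L mod N should be 1")
	nSquared := new(big.Int).Exp(sk.N, big.NewInt(2), nil)
	require.Equal(t, 0, sk.NSquared.Cmp(nSquared), "NSquared should equal N^2")

	plaintext := "Hello Paillier!"
	ciphertext, err := sk.Encrypt([]byte(plaintext))
	require.NoError(t, err)
	decrypted, err := sk.Decrypt(ciphertext)
	require.NoError(t, err)
	require.Equal(t, plaintext, string(decrypted))
}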

// verifyKeyshareIsUnmarshaled checks that keyshare state survived a reload:
// the Paillier key cache is present, the "test" scheme manager has a keyshare
// server entry with a non-empty nonce, and both Paillier keys are well-formed.
func verifyKeyshareIsUnmarshaled(t *testing.T, manager *CredentialManager) {
	require.NotNil(t, manager.paillierKeyCache)
	require.NotNil(t, manager.keyshareServers)

	schemeID := NewSchemeManagerIdentifier("test")
	kss, ok := manager.keyshareServers[schemeID]
	require.True(t, ok, "no keyshare server entry for scheme manager test")
	require.NotEmpty(t, kss.Nonce)

	verifyPaillierKey(t, kss.PrivateKey)
	verifyPaillierKey(t, manager.paillierKeyCache)
}

// verifyStoreIsLoaded checks that the scheme managers, issuers and credential
// types from testdata/irma_configuration are present in the store with their
// expected names, public key and identifier hashes. When android is true the
// additional "test2" scheme manager is expected as well.
func verifyStoreIsLoaded(t *testing.T, store *ConfigurationStore, android bool) {
	demo := NewSchemeManagerIdentifier("irma-demo")
	ru := NewIssuerIdentifier("irma-demo.RU")
	studentCard := NewCredentialTypeIdentifier("irma-demo.RU.studentCard")

	require.Contains(t, store.SchemeManagers, demo)
	require.Contains(t, store.SchemeManagers, NewSchemeManagerIdentifier("test"))
	if android {
		require.Contains(t, store.SchemeManagers, NewSchemeManagerIdentifier("test2"))
	}

	pk, err := store.PublicKey(ru, 0)
	require.NoError(t, err)
	require.NotNil(t, pk)
	require.NotNil(t, pk.N, "irma-demo.RU public key has no modulus")

	require.Equal(t, "Irma Demo", store.SchemeManagers[demo].Name["en"],
		"irma-demo scheme manager has unexpected name")
	require.Equal(t, "Radboud Universiteit Nijmegen", store.Issuers[ru].Name["en"],
		"irma-demo.RU issuer has unexpected name")
	require.Equal(t, "Student Card", store.Credentials[studentCard].ShortName["en"],
		"irma-demo.RU.studentCard has unexpected name")
	require.Equal(t, "studentID", store.Credentials[studentCard].Attributes[2].ID,
		"irma-demo.RU.studentCard.studentID has unexpected name")

	// Hash algorithm pseudocode:
	// Base64(SHA256("irma-demo.RU.studentCard")[0:16])
	expectedHashes := []struct{ hash, name string }{
		{"1stqlPad5edpfS1Na1U+DA==", "irma-demo.RU.studentCard"},
		{"CLjnADMBYlFcuGOT7Z0xRg==", "irma-demo.MijnOverheid.root"},
	}
	for _, h := range expectedHashes {
		require.Contains(t, store.reverseHashes, h.hash, "%s had improper hash", h.name)
	}
}

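// TestAndroidParse loads a manager via parseStorage and checks that the
// configuration store (including the Android-only "test2" scheme manager),
// the credentials and the keyshare state all came through.
func TestAndroidParse(t *testing.T) {
	manager := parseStorage(t)
	// Deferred so the scratch storage is removed even when an assertion fails
	// halfway; otherwise the next test would start from stale state.
	defer teardown(t)

	verifyStoreIsLoaded(t, manager.Store, true)
	verifyManagerIsUnmarshaled(t, manager)
	verifyCredentials(t, manager)
	verifyKeyshareIsUnmarshaled(t, manager)
}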

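// TestUnmarshaling lets parseStorage populate the scratch storage and then
// constructs a second manager over the same directory, so that what is
// verified is the state as re-read from disk rather than the result of the
// initial parse.
func TestUnmarshaling(t *testing.T) {
	parseStorage(t)
	// Deferred so the scratch storage is removed even if an assertion fails.
	defer teardown(t)

	// Unlike parseStorage, no keyshare handler is supplied here (nil).
	newmanager, err := NewCredentialManager("testdata/storage/test", "testdata/irma_configuration", "testdata/oldstorage", nil)
	require.NoError(t, err)
	verifyManagerIsUnmarshaled(t, newmanager)
	verifyCredentials(t, newmanager)
	verifyKeyshareIsUnmarshaled(t, newmanager)
}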

// TestMetadataAttribute checks the defaults of a freshly created metadata
// attribute: version 0x02, key counter 0, and an expiry equal to the signing
// date plus the validity duration scaled by ExpiryFactor.
func TestMetadataAttribute(t *testing.T) {
	attr := NewMetadataAttribute()

	if version := attr.Version(); version != 0x02 {
		t.Errorf("Unexpected metadata version: %d", version)
	}

	validity := int64(attr.ValidityDuration() * ExpiryFactor)
	wantExpiry := time.Unix(attr.SigningDate().Unix()+validity, 0)
	if !attr.Expiry().Equal(wantExpiry) {
		t.Errorf("Invalid signing date")
	}

	if attr.KeyCounter() != 0 {
		t.Errorf("Unexpected key counter")
	}
}

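// TestMetadataCompatibility decodes a metadata attribute value captured from
// the IRMA app and checks that its fields (credential type, version, signing
// date, expiry, key counter) are interpreted the same way here.
func TestMetadataCompatibility(t *testing.T) {
	store := NewConfigurationStore("testdata/irma_configuration")
	require.NoError(t, store.ParseFolder())
	// Deferred so cleanup also runs when an assertion below fails.
	defer teardown(t)

	// An actual metadata attribute of an IRMA credential extracted from the IRMA app
	attr := MetadataFromInt(s2big("49043481832371145193140299771658227036446546573739245068"), store)
	require.NotNil(t, attr.CredentialType(), "attr.CredentialType() should not be nil")

	require.Equal(t,
		NewCredentialTypeIdentifier("irma-demo.RU.studentCard"),
		attr.CredentialType().Identifier(),
		"Metadata credential type was not irma-demo.RU.studentCard",
	)

	require.Equal(t, byte(0x02), attr.Version(), "Unexpected metadata version")
	require.Equal(t, time.Unix(1499904000, 0), attr.SigningDate(), "Unexpected signing date")
	require.Equal(t, time.Unix(1516233600, 0), attr.Expiry(), "Unexpected expiry date")
	require.Equal(t, 2, attr.KeyCounter(), "Unexpected key counter")
}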

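// TestAttributeDisjunctionMarshaling checks that AttributeDisjunction decodes
// both JSON shapes ("attributes" as an object mapping identifier to required
// value, and as a plain array of identifiers), matches the configuration
// store, and is only satisfied once an attribute has been selected.
func TestAttributeDisjunctionMarshaling(t *testing.T) {
	store := NewConfigurationStore("testdata/irma_configuration")
	// A parse failure must fail the test here, not surface later as a
	// confusing MatchesStore mismatch.
	require.NoError(t, store.ParseFolder())

	disjunction := AttributeDisjunction{}

	// Compile-time check that the type implements both JSON interfaces.
	var _ json.Unmarshaler = &disjunction
	var _ json.Marshaler = &disjunction

	id := NewAttributeTypeIdentifier("MijnOverheid.ageLower.over18")

	// Object form: identifiers mapped to the values they must have.
	attrsjson := `
	{
		"label": "Over 18",
		"attributes": {
			"MijnOverheid.ageLower.over18": "yes",
			"Thalia.age.over18": "Yes"
		}
	}`
	require.NoError(t, json.Unmarshal([]byte(attrsjson), &disjunction))
	require.True(t, disjunction.HasValues())
	require.Contains(t, disjunction.Attributes, id)
	require.Contains(t, disjunction.Values, id)
	require.Equal(t, "yes", disjunction.Values[id])

	// Array form: identifiers only, no values.
	disjunction = AttributeDisjunction{}
	attrsjson = `
	{
		"label": "Over 18",
		"attributes": [
			"MijnOverheid.ageLower.over18",
			"Thalia.age.over18"
		]
	}`
	require.NoError(t, json.Unmarshal([]byte(attrsjson), &disjunction))
	require.False(t, disjunction.HasValues())
	require.Contains(t, disjunction.Attributes, id)

	require.True(t, disjunction.MatchesStore(store))

	require.False(t, disjunction.Satisfied())
	disjunction.selected = &disjunction.Attributes[0]
	require.True(t, disjunction.Satisfied())
}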

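// TestCandidates checks CredentialManager.Candidates for a single-attribute
// disjunction over irma-demo.RU.studentCard.studentID: without a required
// value the stored attribute is a candidate, with the value "456" it still
// is, and with a value the attribute does not have no candidate remains.
func TestCandidates(t *testing.T) {
	manager := parseStorage(t)
	// Deferred so the scratch storage is removed even if an assertion fails.
	defer teardown(t)

	attrtype := NewAttributeTypeIdentifier("irma-demo.RU.studentCard.studentID")
	disjunction := &AttributeDisjunction{
		Attributes: []AttributeTypeIdentifier{attrtype},
	}
	attrs := manager.Candidates(disjunction)
	require.NotNil(t, attrs)
	require.Len(t, attrs, 1)

	attr := attrs[0]
	require.NotNil(t, attr)
	require.Equal(t, attrtype, attr.Type)

	// Same attribute, now constrained to a matching value.
	disjunction = &AttributeDisjunction{
		Attributes: []AttributeTypeIdentifier{attrtype},
		Values:     map[AttributeTypeIdentifier]string{attrtype: "456"},
	}
	attrs = manager.Candidates(disjunction)
	require.NotNil(t, attrs)
	require.Len(t, attrs, 1)

	// A non-matching value must yield an empty but non-nil candidate list.
	disjunction = &AttributeDisjunction{
		Attributes: []AttributeTypeIdentifier{attrtype},
		Values:     map[AttributeTypeIdentifier]string{attrtype: "foobarbaz"},
	}
	attrs = manager.Candidates(disjunction)
	require.NotNil(t, attrs)
	require.Empty(t, attrs)
}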

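// TestTimestamp round-trips a Timestamp through JSON via a pointer field and
// checks that the Unix seconds survive.
func TestTimestamp(t *testing.T) {
	mytime := Timestamp(time.Unix(1500000000, 0))
	timestruct := struct{ Time *Timestamp }{Time: &mytime}
	data, err := json.Marshal(timestruct)
	require.NoError(t, err)

	timestruct = struct{ Time *Timestamp }{}
	require.NoError(t, json.Unmarshal(data, &timestruct))
	// Guard the dereference below: a missing field would otherwise panic
	// instead of producing a readable assertion failure.
	require.NotNil(t, timestruct.Time)
	require.Equal(t, int64(1500000000), time.Time(*timestruct.Time).Unix())
}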

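// TestServiceProvider decodes a service provider JWT payload and checks the
// nested request content, including attribute lookup by identifier.
func TestServiceProvider(t *testing.T) {
	var spjwt ServiceProviderJwt

	var spjson = `{
		"sprequest": {
			"validity": 60,
			"timeout": 60,
			"request": {
				"content": [
					{
						"label": "ID",
						"attributes": ["irma-demo.RU.studentCard.studentID"]
					}
				]
			}
		}
	}`

	require.NoError(t, json.Unmarshal([]byte(spjson), &spjwt))
	content := spjwt.Request.Request.Content
	require.NotNil(t, content)
	require.NotEmpty(t, content)
	require.NotNil(t, content[0])
	require.NotEmpty(t, content[0])
	require.NotNil(t, content[0].Attributes)
	require.NotEmpty(t, content[0].Attributes)
	// testify's Equal is (expected, actual); keep that order so a failure
	// message reads correctly.
	require.Equal(t, "studentID", content[0].Attributes[0].Name())

	studentID := NewAttributeTypeIdentifier("irma-demo.RU.studentCard.studentID")
	require.NotNil(t, content.Find(studentID))
}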

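// TestTransport exercises NewHTTPTransport against a public JSON endpoint.
// It needs outbound network access and a third party to be up, so it is
// skipped under -short; a hermetic variant would serve the document from an
// httptest server instead.
func TestTransport(t *testing.T) {
	if testing.Short() {
		t.Skip("skipping test that requires network access")
	}

	transport := NewHTTPTransport("https://xkcd.com")
	obj := &struct {
		Num   int    `json:"num"`
		Img   string `json:"img"`
		Title string `json:"title"`
	}{}

	// require.NoError() does not work because of the type of err: presumably
	// Get returns a concrete pointer type, and boxing a nil pointer into the
	// error interface yields a non-nil error. Compare against nil directly.
	err := transport.Get("614/info.0.json", obj)
	if err != nil {
		t.Fatalf("%+v\n", err)
	}

	// A successful call must also have decoded the body into obj.
	require.Equal(t, 614, obj.Num, "unexpected comic number in response")
	require.NotEmpty(t, obj.Title)
}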

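// TestPaillier checks the additive homomorphism of the manager's Paillier key:
// Enc(challenge)^resp * Enc(comm) mod N^2 must decrypt to
// challenge*resp + comm.
func TestPaillier(t *testing.T) {
	manager := parseStorage(t)
	// Deferred so the scratch storage is removed even if an assertion fails.
	defer teardown(t)

	// Random-number failures were previously discarded; a nil operand would
	// have surfaced only as a confusing panic further down.
	challenge, err := gabi.RandomBigInt(256)
	require.NoError(t, err)
	comm, err := gabi.RandomBigInt(1000)
	require.NoError(t, err)
	resp, err := gabi.RandomBigInt(1000)
	require.NoError(t, err)

	sk := manager.paillierKey(true)

	data, err := sk.Encrypt(challenge.Bytes())
	require.NoError(t, err)
	cipher := new(big.Int).SetBytes(data)

	data, err = sk.Encrypt(comm.Bytes())
	require.NoError(t, err)
	commcipher := new(big.Int).SetBytes(data)

	// [[ c ]]^resp * [[ comm ]]
	cipher.Exp(cipher, resp, sk.NSquared).Mul(cipher, commcipher).Mod(cipher, sk.NSquared)

	data, err = sk.Decrypt(cipher.Bytes())
	require.NoError(t, err)
	plaintext := new(big.Int).SetBytes(data)
	// NOTE(review): challenge*resp + comm is roughly 1256 bits; this equality
	// only holds if the key's modulus N is larger than that — confirm against
	// the key size used by paillierKey.
	expected := new(big.Int).Set(challenge)
	expected.Mul(expected, resp).Add(expected, comm)

	// Compare numerically: require.Equal on *big.Int uses reflect.DeepEqual on
	// the internal representation rather than the value.
	require.Equal(t, 0, expected.Cmp(plaintext),
		"homomorphic result %s does not match expected %s", plaintext, expected)
}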