Commit bf351908 authored by Sietse Ringers's avatar Sietse Ringers
Browse files

Refuse to perform sessions with invalid scheme managers

parent c0bdcc3d
......@@ -290,6 +290,9 @@ func TestWrongSchemeManager(t *testing.T) {
// within this manager to test the autmatic downloading of credential definitions,
// issuers, and public keys.
func TestDownloadSchemeManager(t *testing.T) {
// Disabled
//return
client := parseStorage(t)
// Remove irma-demo scheme manager as we need to test adding it
......
......@@ -170,6 +170,39 @@ func (session *session) panicFailure() {
}
}
func (session *session) checkAndUpateConfiguration(client *Client) bool {
var err error
for id := range session.irmaSession.Identifiers().SchemeManagers {
manager, contains := client.Configuration.SchemeManagers[id]
if !contains {
session.fail(&irma.SessionError{
ErrorType: irma.ErrorUnknownSchemeManager,
Info: id.String(),
})
return false
}
if !manager.Valid {
session.fail(&irma.SessionError{
ErrorType: irma.ErrorInvalidSchemeManager,
Info: string(manager.Status),
})
return false
}
}
// Check if we are enrolled into all involved keyshare servers
if !session.checkKeyshareEnrollment() {
return false
}
// Download missing credential types/issuers/public keys from the scheme manager
if session.downloaded, err = session.client.Configuration.Download(session.irmaSession.Identifiers()); err != nil {
session.fail(&irma.SessionError{ErrorType: irma.ErrorConfigurationDownload, Err: err})
return false
}
return true
}
// NewManualSession starts a manual session, given a signature request in JSON and a handler to pass messages to
func (client *Client) NewManualSession(sigrequestJSONString string, handler Handler) {
var err error
......@@ -189,14 +222,7 @@ func (client *Client) NewManualSession(sigrequestJSONString string, handler Hand
session.Handler.StatusUpdate(session.Action, irma.StatusManualStarted)
// Check if we are enrolled into all involved keyshare servers
if !session.checkKeyshareEnrollment() {
return
}
// Download missing credential types/issuers/public keys from the scheme manager
if session.downloaded, err = session.client.Configuration.Download(session.irmaSession.Identifiers()); err != nil {
session.fail(&irma.SessionError{ErrorType: irma.ErrorConfigurationDownload, Err: err})
if !session.checkAndUpateConfiguration(client) {
return
}
......@@ -293,14 +319,7 @@ func (session *session) start() {
}
}
// Check if we are enrolled into all involved keyshare servers
if !session.checkKeyshareEnrollment() {
return
}
// Download missing credential types/issuers/public keys from the scheme manager
if session.downloaded, err = session.client.Configuration.Download(session.irmaSession.Identifiers()); err != nil {
session.fail(&irma.SessionError{ErrorType: irma.ErrorConfigurationDownload, Err: err})
if !session.checkAndUpateConfiguration(session.client) {
return
}
......
......@@ -167,7 +167,7 @@ func (conf *Configuration) parseSchemeManagerFolder(dir string) (err error, mana
return
}
err = conf.VerifySchemeManager(manager.Identifier())
err = conf.VerifySchemeManager(manager)
if err != nil {
manager.Status = SchemeManagerStatusInvalidSignature
return
......@@ -388,7 +388,7 @@ func (conf *Configuration) DownloadSchemeManager(url string) (*SchemeManager, er
if err != nil {
return nil, err
}
manager := &SchemeManager{}
manager := &SchemeManager{Status: SchemeManagerStatusUnprocessed, Valid: false}
if err = xml.Unmarshal(b, manager); err != nil {
return nil, err
}
......@@ -444,6 +444,14 @@ func (conf *Configuration) AddSchemeManager(manager *SchemeManager) error {
return err
}
if err := conf.VerifySchemeManager(manager); err != nil {
manager.Status = SchemeManagerStatusInvalidSignature
manager.Valid = false
} else {
manager.Status = SchemeManagerStatusValid
manager.Valid = true
}
conf.SchemeManagers[NewSchemeManagerIdentifier(name)] = manager
return nil
}
......@@ -639,12 +647,15 @@ func (conf *Configuration) parseIndex(name string, manager *SchemeManager) error
return manager.Index.FromString(string(indexbts))
}
func (conf *Configuration) VerifySchemeManager(id SchemeManagerIdentifier) error {
manager := conf.SchemeManagers[id]
if manager == nil {
return errors.New("Can't verify unknown scheme manager")
}
func (conf *Configuration) VerifySchemeManager(manager *SchemeManager) error {
for file := range manager.Index {
exists, err := fs.PathExists(filepath.Join(conf.path, file))
if err != nil {
return err
}
if !exists {
continue
}
// Don't care about the actual bytes
if _, err := conf.ReadAuthenticatedFile(manager, file); err != nil {
return err
......
......@@ -118,6 +118,8 @@ const (
ErrorConfigurationDownload = ErrorType("configurationDownload")
// IRMA requests refers to unknown scheme manager
ErrorUnknownSchemeManager = ErrorType("unknownSchemeManager")
// A session is requested involving a scheme manager that has some problem
ErrorInvalidSchemeManager = ErrorType("invalidSchemeManager")
// Recovered panic
ErrorPanic = ErrorType("panic")
)
......
......@@ -43,7 +43,7 @@ func RunVerify(path string) error {
}
for _, manager := range conf.SchemeManagers {
if err := conf.VerifySchemeManager(manager.Identifier()); err != nil {
if err := conf.VerifySchemeManager(manager); err != nil {
return err
}
}
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment