Commit bf351908 authored by Sietse Ringers's avatar Sietse Ringers
Browse files

Refuse to perform sessions with invalid scheme managers

parent c0bdcc3d
...@@ -290,6 +290,9 @@ func TestWrongSchemeManager(t *testing.T) { ...@@ -290,6 +290,9 @@ func TestWrongSchemeManager(t *testing.T) {
// within this manager to test the autmatic downloading of credential definitions, // within this manager to test the autmatic downloading of credential definitions,
// issuers, and public keys. // issuers, and public keys.
func TestDownloadSchemeManager(t *testing.T) { func TestDownloadSchemeManager(t *testing.T) {
// Disabled
//return
client := parseStorage(t) client := parseStorage(t)
// Remove irma-demo scheme manager as we need to test adding it // Remove irma-demo scheme manager as we need to test adding it
......
...@@ -170,6 +170,39 @@ func (session *session) panicFailure() { ...@@ -170,6 +170,39 @@ func (session *session) panicFailure() {
} }
} }
func (session *session) checkAndUpateConfiguration(client *Client) bool {
var err error
for id := range session.irmaSession.Identifiers().SchemeManagers {
manager, contains := client.Configuration.SchemeManagers[id]
if !contains {
session.fail(&irma.SessionError{
ErrorType: irma.ErrorUnknownSchemeManager,
Info: id.String(),
})
return false
}
if !manager.Valid {
session.fail(&irma.SessionError{
ErrorType: irma.ErrorInvalidSchemeManager,
Info: string(manager.Status),
})
return false
}
}
// Check if we are enrolled into all involved keyshare servers
if !session.checkKeyshareEnrollment() {
return false
}
// Download missing credential types/issuers/public keys from the scheme manager
if session.downloaded, err = session.client.Configuration.Download(session.irmaSession.Identifiers()); err != nil {
session.fail(&irma.SessionError{ErrorType: irma.ErrorConfigurationDownload, Err: err})
return false
}
return true
}
// NewManualSession starts a manual session, given a signature request in JSON and a handler to pass messages to // NewManualSession starts a manual session, given a signature request in JSON and a handler to pass messages to
func (client *Client) NewManualSession(sigrequestJSONString string, handler Handler) { func (client *Client) NewManualSession(sigrequestJSONString string, handler Handler) {
var err error var err error
...@@ -189,14 +222,7 @@ func (client *Client) NewManualSession(sigrequestJSONString string, handler Hand ...@@ -189,14 +222,7 @@ func (client *Client) NewManualSession(sigrequestJSONString string, handler Hand
session.Handler.StatusUpdate(session.Action, irma.StatusManualStarted) session.Handler.StatusUpdate(session.Action, irma.StatusManualStarted)
// Check if we are enrolled into all involved keyshare servers if !session.checkAndUpateConfiguration(client) {
if !session.checkKeyshareEnrollment() {
return
}
// Download missing credential types/issuers/public keys from the scheme manager
if session.downloaded, err = session.client.Configuration.Download(session.irmaSession.Identifiers()); err != nil {
session.fail(&irma.SessionError{ErrorType: irma.ErrorConfigurationDownload, Err: err})
return return
} }
...@@ -293,14 +319,7 @@ func (session *session) start() { ...@@ -293,14 +319,7 @@ func (session *session) start() {
} }
} }
// Check if we are enrolled into all involved keyshare servers if !session.checkAndUpateConfiguration(session.client) {
if !session.checkKeyshareEnrollment() {
return
}
// Download missing credential types/issuers/public keys from the scheme manager
if session.downloaded, err = session.client.Configuration.Download(session.irmaSession.Identifiers()); err != nil {
session.fail(&irma.SessionError{ErrorType: irma.ErrorConfigurationDownload, Err: err})
return return
} }
......
...@@ -167,7 +167,7 @@ func (conf *Configuration) parseSchemeManagerFolder(dir string) (err error, mana ...@@ -167,7 +167,7 @@ func (conf *Configuration) parseSchemeManagerFolder(dir string) (err error, mana
return return
} }
err = conf.VerifySchemeManager(manager.Identifier()) err = conf.VerifySchemeManager(manager)
if err != nil { if err != nil {
manager.Status = SchemeManagerStatusInvalidSignature manager.Status = SchemeManagerStatusInvalidSignature
return return
...@@ -388,7 +388,7 @@ func (conf *Configuration) DownloadSchemeManager(url string) (*SchemeManager, er ...@@ -388,7 +388,7 @@ func (conf *Configuration) DownloadSchemeManager(url string) (*SchemeManager, er
if err != nil { if err != nil {
return nil, err return nil, err
} }
manager := &SchemeManager{} manager := &SchemeManager{Status: SchemeManagerStatusUnprocessed, Valid: false}
if err = xml.Unmarshal(b, manager); err != nil { if err = xml.Unmarshal(b, manager); err != nil {
return nil, err return nil, err
} }
...@@ -444,6 +444,14 @@ func (conf *Configuration) AddSchemeManager(manager *SchemeManager) error { ...@@ -444,6 +444,14 @@ func (conf *Configuration) AddSchemeManager(manager *SchemeManager) error {
return err return err
} }
if err := conf.VerifySchemeManager(manager); err != nil {
manager.Status = SchemeManagerStatusInvalidSignature
manager.Valid = false
} else {
manager.Status = SchemeManagerStatusValid
manager.Valid = true
}
conf.SchemeManagers[NewSchemeManagerIdentifier(name)] = manager conf.SchemeManagers[NewSchemeManagerIdentifier(name)] = manager
return nil return nil
} }
...@@ -639,12 +647,15 @@ func (conf *Configuration) parseIndex(name string, manager *SchemeManager) error ...@@ -639,12 +647,15 @@ func (conf *Configuration) parseIndex(name string, manager *SchemeManager) error
return manager.Index.FromString(string(indexbts)) return manager.Index.FromString(string(indexbts))
} }
func (conf *Configuration) VerifySchemeManager(id SchemeManagerIdentifier) error { func (conf *Configuration) VerifySchemeManager(manager *SchemeManager) error {
manager := conf.SchemeManagers[id]
if manager == nil {
return errors.New("Can't verify unknown scheme manager")
}
for file := range manager.Index { for file := range manager.Index {
exists, err := fs.PathExists(filepath.Join(conf.path, file))
if err != nil {
return err
}
if !exists {
continue
}
// Don't care about the actual bytes // Don't care about the actual bytes
if _, err := conf.ReadAuthenticatedFile(manager, file); err != nil { if _, err := conf.ReadAuthenticatedFile(manager, file); err != nil {
return err return err
......
...@@ -118,6 +118,8 @@ const ( ...@@ -118,6 +118,8 @@ const (
ErrorConfigurationDownload = ErrorType("configurationDownload") ErrorConfigurationDownload = ErrorType("configurationDownload")
// IRMA requests refers to unknown scheme manager // IRMA requests refers to unknown scheme manager
ErrorUnknownSchemeManager = ErrorType("unknownSchemeManager") ErrorUnknownSchemeManager = ErrorType("unknownSchemeManager")
// A session is requested involving a scheme manager that has some problem
ErrorInvalidSchemeManager = ErrorType("invalidSchemeManager")
// Recovered panic // Recovered panic
ErrorPanic = ErrorType("panic") ErrorPanic = ErrorType("panic")
) )
......
...@@ -43,7 +43,7 @@ func RunVerify(path string) error { ...@@ -43,7 +43,7 @@ func RunVerify(path string) error {
} }
for _, manager := range conf.SchemeManagers { for _, manager := range conf.SchemeManagers {
if err := conf.VerifySchemeManager(manager.Identifier()); err != nil { if err := conf.VerifySchemeManager(manager); err != nil {
return err return err
} }
} }
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment