Commit c0bdcc3d authored by Sietse Ringers's avatar Sietse Ringers

Add unit test for invalid scheme manager signature

parent f53348ef
......@@ -166,6 +166,13 @@ func (conf *Configuration) parseSchemeManagerFolder(dir string) (err error, mana
manager.Status = SchemeManagerStatusInvalidIndex
return
}
err = conf.VerifySchemeManager(manager.Identifier())
if err != nil {
manager.Status = SchemeManagerStatusInvalidSignature
return
}
_, err = conf.pathToDescription(manager, dir+"/description.xml", manager)
if err != nil {
manager.Status = SchemeManagerStatusParsingError
......@@ -176,15 +183,6 @@ func (conf *Configuration) parseSchemeManagerFolder(dir string) (err error, mana
manager.Status = SchemeManagerStatusParsingError
return errors.New("Unsupported scheme manager description"), manager
}
valid, err := conf.VerifySignature(manager.Identifier())
if err != nil {
manager.Status = SchemeManagerStatusInvalidSignature
return
}
if !valid {
manager.Status = SchemeManagerStatusInvalidSignature
return errors.New("Scheme manager signature was invalid"), manager
}
err = conf.parseIssuerFolders(manager, dir)
if err != nil {
......@@ -641,6 +639,21 @@ func (conf *Configuration) parseIndex(name string, manager *SchemeManager) error
return manager.Index.FromString(string(indexbts))
}
func (conf *Configuration) VerifySchemeManager(id SchemeManagerIdentifier) error {
manager := conf.SchemeManagers[id]
if manager == nil {
return errors.New("Can't verify unknown scheme manager")
}
for file := range manager.Index {
// Don't care about the actual bytes
if _, err := conf.ReadAuthenticatedFile(manager, file); err != nil {
return err
}
}
return nil
}
// ReadAuthenticatedFile reads the file at the specified path
// and verifies its authenticity by checking that the file hash
// is present in the (signed) scheme manager index file.
......
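Review bot: VerifySchemeManager is exported but has no doc comment, and the error it passes up from ReadAuthenticatedFile does not name the index entry that failed, so a caller only sees the underlying read error. I would add `// VerifySchemeManager checks that every file listed in the manager's index can be read back with a hash matching that index entry; the index itself is expected to have been checked beforehand.` above the function and annotate the failure with the file name (e.g. `fmt.Errorf("verifying %s: %v", file, err)`, which needs the fmt import if it is not already present). In the first hunk the call at `err = conf.VerifySchemeManager(manager.Identifier())` relies on conf.SchemeManagers already holding this manager; if registration happens later in parseSchemeManagerFolder, the "unknown scheme manager" error would be reported as SchemeManagerStatusInvalidSignature, which conflates two different failures — parseSchemeManagerFolder starts and ends outside these hunks, so this is an inference. Note also that the check only covers files listed in the index; whether unlisted files on disk are rejected elsewhere is not visible here.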
......@@ -23,6 +23,26 @@ func s2big(s string) (r *big.Int) {
return
}
func TestParseInvalidIrmaConfiguration(t *testing.T) {
// The description.xml of the scheme manager under this folder has been edited
// to invalidate the scheme manager signature
conf, err := NewConfiguration("testdata/irma_configuration_invalid", "")
require.NoError(t, err)
// Parsing it should return a SchemeManagerError
err = conf.ParseFolder()
require.Error(t, err)
smerr, ok := err.(*SchemeManagerError)
require.True(t, ok)
require.Equal(t, SchemeManagerStatusInvalidSignature, smerr.Status)
// The manager should still be in conf.SchemeManagers, but also in DisabledSchemeManagers
require.Contains(t, conf.SchemeManagers, smerr.Manager)
require.Contains(t, conf.DisabledSchemeManagers, smerr.Manager)
require.Equal(t, SchemeManagerStatusInvalidSignature, conf.SchemeManagers[smerr.Manager].Status)
require.Equal(t, false, conf.SchemeManagers[smerr.Manager].Valid)
}
func TestParseIrmaConfiguration(t *testing.T) {
conf := parseConfiguration(t)
......
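Review bot: TestParseInvalidIrmaConfiguration asserts the error's Status but never checks which manager failed, so a parse failure of any other manager in testdata/irma_configuration_invalid with the same status would also pass; asserting that `smerr.Manager` is the irma-demo manager from the fixture would pin the case the comment describes. The type assertion `err.(*SchemeManagerError)` only matches an unwrapped error, which is fine as long as ParseFolder returns it directly but will silently break if a wrapping layer is ever added. As a style point, `require.Equal(t, false, conf.SchemeManagers[smerr.Manager].Valid)` reads more naturally as `require.False(t, conf.SchemeManagers[smerr.Manager].Valid)`.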
......@@ -43,11 +43,8 @@ func RunVerify(path string) error {
}
for _, manager := range conf.SchemeManagers {
for file := range manager.Index {
// Don't care about the actual bytes
if _, err := conf.ReadAuthenticatedFile(manager, file); err != nil {
return err
}
if err := conf.VerifySchemeManager(manager.Identifier()); err != nil {
return err
}
}
return nil
......
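Review bot: RunVerify still returns on the first failing manager, and because `for _, manager := range conf.SchemeManagers` iterates a map in random order, the error reported for a tree with several bad managers can differ between runs of the same verification. For a tool whose output is meant to be checked, iterate the identifiers in sorted order or collect every VerifySchemeManager failure and return them together after the loop. The lookup inside VerifySchemeManager by `manager.Identifier()` duplicates the manager the loop already holds, which is harmless but worth a comment if the indirection is intentional. The top of RunVerify is outside the hunk, so whether disabled managers are already excluded before this loop cannot be seen here.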
<SchemeManager version="7">
<Id>irma-demo</Id>
<Url>https://credentials.github.io/irma_configuration/irma-demo</Url>
<Name>
<en>Irma Demo</en>
<nl>Irma Demo</nl>
</Name>
<Description>
<en>Demo credentials within the IRMA domain</en>
<nl>Demo IRMA-credentials</nl>
</Description>
<Contact>https://www.irmacard.org
phone@demo.irmacard.org
This line was added after signing to invalidate the signature</Contact>
</SchemeManager>
d9f04a4b5ddf96e90d19c3baca10fcab2af56baa33eee7dcc9f6d10232f2b80a irma-demo/description.xml
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE3FUAXtr8L/CT7WofXXcl7yiYI59r
z8ZSb+60UrkIn/ktBlOPlg1SYBNTXP4ITL0x0K4hHDF1DPXyH1F0rpVtCw==
-----END PUBLIC KEY-----