479 lines
13 KiB
Go
479 lines
13 KiB
Go
package jess
|
|
|
|
import (
|
|
"errors"
|
|
"fmt"
|
|
"strings"
|
|
"testing"
|
|
|
|
"github.com/safing/jess/hashtools"
|
|
"github.com/safing/jess/tools"
|
|
)
|
|
|
|
func getSuite(t *testing.T, suiteID string) (suite *Suite) {
|
|
t.Helper()
|
|
|
|
suite, ok := GetSuite(suiteID)
|
|
if !ok {
|
|
t.Fatalf("suite %s does not exist", suiteID)
|
|
return nil
|
|
}
|
|
return suite
|
|
}
|
|
|
|
func TestSuites(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
for _, suite := range Suites() {
|
|
|
|
err := suiteBullshitCheck(suite)
|
|
if err != nil {
|
|
t.Errorf("suite %s has incorrect property: %s", suite.ID, err)
|
|
continue
|
|
}
|
|
|
|
envelope, err := setupEnvelopeAndTrustStore(t, suite)
|
|
if err != nil {
|
|
t.Errorf("failed to setup test envelope for suite %s: %s", suite.ID, err)
|
|
continue
|
|
}
|
|
if envelope == nil {
|
|
t.Errorf("suite %s has an invalid toolset", suite.ID)
|
|
continue
|
|
}
|
|
|
|
session, err := envelope.Correspondence(testTrustStore)
|
|
if err != nil {
|
|
t.Errorf("failed to init session for suite %s: %s", suite.ID, err)
|
|
continue
|
|
}
|
|
|
|
letter, err := session.Close([]byte(testData1))
|
|
if err != nil {
|
|
tErrorf(t, "suite %s failed to close (1): %s", suite.ID, err)
|
|
continue
|
|
}
|
|
|
|
msg, err := letter.ToJSON()
|
|
if err != nil {
|
|
tErrorf(t, "suite %s failed to json encode (1): %s", suite.ID, err)
|
|
continue
|
|
}
|
|
|
|
// test 2: open
|
|
|
|
letter2, err := LetterFromJSON(msg)
|
|
if err != nil {
|
|
tErrorf(t, "suite %s failed to json decode (2): %s", suite.ID, err)
|
|
continue
|
|
}
|
|
|
|
origData2, err := letter2.Open(envelope.suite.Provides, testTrustStore)
|
|
if err != nil {
|
|
tErrorf(t, "suite %s failed to open (2): %s", suite.ID, err)
|
|
continue
|
|
}
|
|
if string(origData2) != testData1 {
|
|
tErrorf(t, "%v original data mismatch (2): %s", suite.ID, string(origData2))
|
|
continue
|
|
}
|
|
|
|
// test 2.1: verify
|
|
|
|
letter21, err := LetterFromJSON(msg)
|
|
if err != nil {
|
|
tErrorf(t, "suite %s failed to json decode (2): %s", suite.ID, err)
|
|
continue
|
|
}
|
|
|
|
if len(letter21.Signatures) > 0 {
|
|
err = letter21.Verify(envelope.suite.Provides, testTrustStore)
|
|
if err != nil {
|
|
tErrorf(t, "suite %s failed to verify (2): %s", suite.ID, err)
|
|
continue
|
|
}
|
|
}
|
|
|
|
}
|
|
}
|
|
|
|
func suiteBullshitCheck(suite *Suite) error { //nolint:maintidx
|
|
// pre checks
|
|
if suite.Provides == nil {
|
|
return errors.New("provides no requirement attributes")
|
|
}
|
|
if suite.SecurityLevel == 0 {
|
|
return errors.New("does not specify security level")
|
|
}
|
|
|
|
// create session struct for holding information
|
|
s := &Session{
|
|
envelope: &Envelope{
|
|
suite: suite,
|
|
},
|
|
toolRequirements: newEmptyRequirements(),
|
|
}
|
|
|
|
// check if we are assuming we have a key
|
|
assumeKey := strings.Contains(suite.ID, "key")
|
|
if assumeKey {
|
|
s.toolRequirements.Add(SenderAuthentication)
|
|
s.toolRequirements.Add(RecipientAuthentication)
|
|
}
|
|
|
|
// tool check loop: start
|
|
for i, toolID := range suite.Tools {
|
|
|
|
// =====================================
|
|
// tool check loop: check for duplicates
|
|
// =====================================
|
|
|
|
for j, dupeToolID := range suite.Tools {
|
|
if i != j && toolID == dupeToolID {
|
|
return fmt.Errorf("cannot use tool %s twice, each tool may be only specified once", toolID)
|
|
}
|
|
}
|
|
|
|
// ====================================
|
|
// tool check loop: parse, prep and get
|
|
// ====================================
|
|
|
|
var (
|
|
hashTool *hashtools.HashTool
|
|
hashSumFn func() ([]byte, error)
|
|
)
|
|
|
|
// parse ID for args
|
|
var arg string
|
|
if strings.Contains(toolID, "(") {
|
|
splitted := strings.Split(toolID, "(")
|
|
toolID = splitted[0]
|
|
arg = strings.Trim(splitted[1], "()")
|
|
}
|
|
|
|
// get tool
|
|
tool, err := tools.Get(toolID)
|
|
if err != nil {
|
|
return fmt.Errorf("the specified tool %s could not be found", toolID)
|
|
}
|
|
|
|
// create logic instance and add to logic and state lists
|
|
logic := tool.Factory()
|
|
s.all = append(s.all, logic)
|
|
if tool.Info.HasOption(tools.OptionHasState) {
|
|
s.toolsWithState = append(s.toolsWithState, logic)
|
|
}
|
|
|
|
// ============================================================
|
|
// tool check loop: assign tools to queues and add requirements
|
|
// ============================================================
|
|
|
|
switch tool.Info.Purpose {
|
|
case tools.PurposeKeyDerivation:
|
|
if s.kdf != nil {
|
|
return fmt.Errorf("cannot use %s, you may only specify one key derivation tool and %s was already specified", tool.Info.Name, s.kdf.Info().Name)
|
|
}
|
|
s.kdf = logic
|
|
|
|
case tools.PurposePassDerivation:
|
|
if s.passDerivator != nil {
|
|
return fmt.Errorf("cannot use %s, you may only specify one password derivation tool and %s was already specified", tool.Info.Name, s.passDerivator.Info().Name)
|
|
}
|
|
s.passDerivator = logic
|
|
s.toolRequirements.Add(SenderAuthentication)
|
|
s.toolRequirements.Add(RecipientAuthentication)
|
|
|
|
case tools.PurposeKeyExchange:
|
|
s.keyExchangers = append(s.keyExchangers, logic)
|
|
s.toolRequirements.Add(RecipientAuthentication)
|
|
|
|
case tools.PurposeKeyEncapsulation:
|
|
s.keyEncapsulators = append(s.keyEncapsulators, logic)
|
|
s.toolRequirements.Add(RecipientAuthentication)
|
|
|
|
case tools.PurposeSigning:
|
|
s.signers = append(s.signers, logic)
|
|
s.toolRequirements.Add(Integrity)
|
|
s.toolRequirements.Add(SenderAuthentication)
|
|
|
|
case tools.PurposeIntegratedCipher:
|
|
s.integratedCiphers = append(s.integratedCiphers, logic)
|
|
s.toolRequirements.Add(Confidentiality)
|
|
s.toolRequirements.Add(Integrity)
|
|
|
|
case tools.PurposeCipher:
|
|
s.ciphers = append(s.ciphers, logic)
|
|
s.toolRequirements.Add(Confidentiality)
|
|
|
|
case tools.PurposeMAC:
|
|
s.macs = append(s.macs, logic)
|
|
s.toolRequirements.Add(Integrity)
|
|
}
|
|
|
|
// =============================================
|
|
// tool check loop: process options, get hashers
|
|
// =============================================
|
|
|
|
for _, option := range tool.Info.Options {
|
|
switch option {
|
|
|
|
case tools.OptionNeedsManagedHasher:
|
|
// get managed hasher list
|
|
var managedHashers map[string]*managedHasher
|
|
switch tool.Info.Purpose {
|
|
case tools.PurposeMAC:
|
|
if s.managedMACHashers == nil {
|
|
s.managedMACHashers = make(map[string]*managedHasher)
|
|
}
|
|
managedHashers = s.managedMACHashers
|
|
case tools.PurposeSigning:
|
|
if s.managedSigningHashers == nil {
|
|
s.managedSigningHashers = make(map[string]*managedHasher)
|
|
}
|
|
managedHashers = s.managedSigningHashers
|
|
default:
|
|
return fmt.Errorf("only MAC and Signing tools may use managed hashers")
|
|
}
|
|
|
|
// get or assign a new managed hasher
|
|
mngdHasher, ok := managedHashers[arg]
|
|
if !ok {
|
|
// get hashtool
|
|
ht, err := hashtools.Get(arg)
|
|
if err != nil {
|
|
return fmt.Errorf("the specified hashtool for %s(%s) could not be found", toolID, arg)
|
|
}
|
|
|
|
// save to managed hashers
|
|
mngdHasher = &managedHasher{
|
|
tool: ht,
|
|
hash: ht.New(),
|
|
}
|
|
managedHashers[arg] = mngdHasher
|
|
}
|
|
|
|
hashTool = mngdHasher.tool
|
|
hashSumFn = mngdHasher.Sum
|
|
|
|
case tools.OptionNeedsDedicatedHasher:
|
|
hashTool, err = hashtools.Get(arg)
|
|
if err != nil {
|
|
return fmt.Errorf("the specified hashtool for %s(%s) could not be found", toolID, arg)
|
|
}
|
|
|
|
}
|
|
}
|
|
|
|
// ================================
|
|
// tool check loop: initialize tool
|
|
// ================================
|
|
|
|
// init tool
|
|
logic.Init(
|
|
tool,
|
|
&Helper{
|
|
session: s,
|
|
info: tool.Info,
|
|
},
|
|
hashTool,
|
|
hashSumFn,
|
|
)
|
|
|
|
// ===============================================
|
|
// tool check loop: calc and check security levels
|
|
// ===============================================
|
|
|
|
err = s.calcAndCheckSecurityLevel(logic, nil)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
} // tool check loop: end
|
|
|
|
// ============
|
|
// final checks
|
|
// ============
|
|
|
|
// check requirements
|
|
if s.toolRequirements.Empty() {
|
|
return errors.New("suite does not provide any security attributes")
|
|
}
|
|
|
|
// check if we have recipient auth without confidentiality
|
|
if s.toolRequirements.Has(RecipientAuthentication) &&
|
|
!s.toolRequirements.Has(Confidentiality) {
|
|
return errors.New("having recipient authentication without confidentiality does not make sense")
|
|
}
|
|
|
|
// check if we have confidentiality without integrity
|
|
if s.toolRequirements.Has(Confidentiality) &&
|
|
!s.toolRequirements.Has(Integrity) {
|
|
return errors.New("having confidentiality without integrity does not make sense")
|
|
}
|
|
|
|
// check if we are missing a kdf, but need one
|
|
if s.kdf == nil && len(s.signers) != len(s.envelope.suite.Tools) {
|
|
return errors.New("missing a key derivation tool")
|
|
}
|
|
|
|
// check if have a kdf, even if we don't need one
|
|
if len(s.integratedCiphers) == 0 &&
|
|
len(s.ciphers) == 0 &&
|
|
len(s.macs) == 0 &&
|
|
s.kdf != nil {
|
|
return errors.New("key derivation tool specified, but not needed")
|
|
}
|
|
|
|
// ======================================
|
|
// check if values match suite definition
|
|
// ======================================
|
|
|
|
// check if security level matches
|
|
if s.SecurityLevel != suite.SecurityLevel {
|
|
return fmt.Errorf("suite has incorrect security level: %d (expected %d)", suite.SecurityLevel, s.SecurityLevel)
|
|
}
|
|
|
|
// check if requirements match
|
|
if s.toolRequirements.SerializeToNoSpec() != suite.Provides.SerializeToNoSpec() {
|
|
return fmt.Errorf(
|
|
"suite has incorrect attributes: no %s (expected no %s)",
|
|
suite.Provides.SerializeToNoSpec(),
|
|
s.toolRequirements.SerializeToNoSpec(),
|
|
)
|
|
}
|
|
|
|
// ========================================================
|
|
// check if computeSuiteAttributes returns the same results
|
|
// ========================================================
|
|
|
|
computedSuite := computeSuiteAttributes(suite.Tools, assumeKey)
|
|
if computedSuite == nil {
|
|
return errors.New("internal error: could not compute suite attributes")
|
|
}
|
|
if suite.SecurityLevel != computedSuite.SecurityLevel {
|
|
return fmt.Errorf("internal error: computeSuiteAttributes error: security level: suite=%d computed=%d", suite.SecurityLevel, computedSuite.SecurityLevel)
|
|
}
|
|
if suite.Provides.SerializeToNoSpec() != computedSuite.Provides.SerializeToNoSpec() {
|
|
return fmt.Errorf(
|
|
"internal error: computeSuiteAttributes error: attributes: suite=no %s compute=no %s)",
|
|
suite.Provides.SerializeToNoSpec(),
|
|
computedSuite.Provides.SerializeToNoSpec(),
|
|
)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func computeSuiteAttributes(toolIDs []string, assumeKey bool) *Suite {
|
|
newSuite := &Suite{
|
|
Provides: newEmptyRequirements(),
|
|
SecurityLevel: 0,
|
|
}
|
|
|
|
// if we have a key
|
|
if assumeKey {
|
|
newSuite.Provides.Add(SenderAuthentication)
|
|
newSuite.Provides.Add(RecipientAuthentication)
|
|
}
|
|
|
|
// check all security levels and collect attributes
|
|
for _, toolID := range toolIDs {
|
|
|
|
// ====================================
|
|
// tool check loop: parse, prep and get
|
|
// ====================================
|
|
|
|
var hashTool *hashtools.HashTool
|
|
|
|
// parse ID for args
|
|
var arg string
|
|
if strings.Contains(toolID, "(") {
|
|
splitted := strings.Split(toolID, "(")
|
|
toolID = splitted[0]
|
|
arg = strings.Trim(splitted[1], "()")
|
|
}
|
|
|
|
// get tool
|
|
tool, err := tools.Get(toolID)
|
|
if err != nil {
|
|
return nil
|
|
}
|
|
|
|
// create logic instance and add to logic and state lists
|
|
logic := tool.Factory()
|
|
|
|
// ===================================
|
|
// tool check loop: collect attributes
|
|
// ===================================
|
|
|
|
switch tool.Info.Purpose {
|
|
case tools.PurposePassDerivation:
|
|
newSuite.Provides.Add(SenderAuthentication)
|
|
newSuite.Provides.Add(RecipientAuthentication)
|
|
|
|
case tools.PurposeKeyExchange:
|
|
newSuite.Provides.Add(RecipientAuthentication)
|
|
|
|
case tools.PurposeKeyEncapsulation:
|
|
newSuite.Provides.Add(RecipientAuthentication)
|
|
|
|
case tools.PurposeSigning:
|
|
newSuite.Provides.Add(Integrity)
|
|
newSuite.Provides.Add(SenderAuthentication)
|
|
|
|
case tools.PurposeIntegratedCipher:
|
|
newSuite.Provides.Add(Confidentiality)
|
|
newSuite.Provides.Add(Integrity)
|
|
|
|
case tools.PurposeCipher:
|
|
newSuite.Provides.Add(Confidentiality)
|
|
|
|
case tools.PurposeMAC:
|
|
newSuite.Provides.Add(Integrity)
|
|
}
|
|
|
|
// =============================================
|
|
// tool check loop: process options, get hashers
|
|
// =============================================
|
|
|
|
for _, option := range tool.Info.Options {
|
|
switch option {
|
|
case tools.OptionNeedsManagedHasher,
|
|
tools.OptionNeedsDedicatedHasher:
|
|
hashTool, err = hashtools.Get(arg)
|
|
if err != nil {
|
|
return nil
|
|
}
|
|
}
|
|
}
|
|
|
|
// ================================
|
|
// tool check loop: initialize tool
|
|
// ================================
|
|
|
|
// init tool
|
|
logic.Init(
|
|
tool,
|
|
&Helper{
|
|
info: tool.Info,
|
|
},
|
|
hashTool,
|
|
nil,
|
|
)
|
|
|
|
// =======================================
|
|
// tool check loop: compute security level
|
|
// =======================================
|
|
|
|
toolSecurityLevel, err := logic.SecurityLevel(nil)
|
|
if err != nil {
|
|
return nil
|
|
}
|
|
if newSuite.SecurityLevel == 0 || toolSecurityLevel < newSuite.SecurityLevel {
|
|
newSuite.SecurityLevel = toolSecurityLevel
|
|
}
|
|
|
|
}
|
|
|
|
return newSuite
|
|
}
|