Google Git
Sign in
boringssl / boringssl / 46af2431214c4d5f76ebd4a47526715bd95f1a08 / . / crypto / trust_token / trust_token_test.cc
blob: 5ab80cddcf913777cbdd15d6b62430a345e38200 [file] [log] [blame]
Steven Valdez0b710a32020-02-14 10:34:53 -0500[diff] [blame]1/* Copyright (c) 2020, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
Steven Valdez538a1242019-12-16 12:12:31 -0500[diff] [blame]15#include <stdio.h>
16#include <string.h>
17#include <time.h>
18
19#include <algorithm>
20#include <limits>
21#include <string>
22#include <tuple>
23#include <utility>
24#include <vector>
25
Steven Valdez0b710a32020-02-14 10:34:53 -0500[diff] [blame]26#include <gtest/gtest.h>
27
Steven Valdez538a1242019-12-16 12:12:31 -0500[diff] [blame]28#include <openssl/bytestring.h>
29#include <openssl/curve25519.h>
30#include <openssl/evp.h>
31#include <openssl/mem.h>
32#include <openssl/rand.h>
Steven Valdez54304732020-05-04 11:56:12 -0400[diff] [blame]33#include <openssl/sha.h>
Steven Valdez0b710a32020-02-14 10:34:53 -0500[diff] [blame]34#include <openssl/trust_token.h>
35
David Benjaminaa764c42020-04-29 12:39:10 -0400[diff] [blame]36#include "../ec_extra/internal.h"
37#include "../fipsmodule/ec/internal.h"
Steven Valdez538a1242019-12-16 12:12:31 -0500[diff] [blame]38#include "../internal.h"
David Benjaminaa764c42020-04-29 12:39:10 -0400[diff] [blame]39#include "../test/test_util.h"
Steven Valdez538a1242019-12-16 12:12:31 -0500[diff] [blame]40#include "internal.h"
41
42
43BSSL_NAMESPACE_BEGIN
44
45namespace {
Steven Valdez0b710a32020-02-14 10:34:53 -0500[diff] [blame]46
David Benjaminaa764c42020-04-29 12:39:10 -0400[diff] [blame]47TEST(TrustTokenTest, KeyGenExp1) {
48 uint8_t priv_key[TRUST_TOKEN_MAX_PRIVATE_KEY_SIZE];
49 uint8_t pub_key[TRUST_TOKEN_MAX_PUBLIC_KEY_SIZE];
50 size_t priv_key_len, pub_key_len;
51 ASSERT_TRUE(TRUST_TOKEN_generate_key(
52 TRUST_TOKEN_experiment_v1(), priv_key, &priv_key_len,
53 TRUST_TOKEN_MAX_PRIVATE_KEY_SIZE, pub_key, &pub_key_len,
54 TRUST_TOKEN_MAX_PUBLIC_KEY_SIZE, 0x0001));
55 ASSERT_EQ(292u, priv_key_len);
56 ASSERT_EQ(301u, pub_key_len);
Steven Valdezaa5f6012022-06-14 11:16:02 -0400[diff] [blame]57
58 const uint8_t kKeygenSecret[] = "SEED";
59 ASSERT_TRUE(TRUST_TOKEN_derive_key_from_secret(
60 TRUST_TOKEN_experiment_v1(), priv_key, &priv_key_len,
61 TRUST_TOKEN_MAX_PRIVATE_KEY_SIZE, pub_key, &pub_key_len,
62 TRUST_TOKEN_MAX_PUBLIC_KEY_SIZE, 0x0001, kKeygenSecret,
63 sizeof(kKeygenSecret) - 1));
64
65 const uint8_t kExpectedPriv[] = {
66 0x00, 0x00, 0x00, 0x01, 0x98, 0xaa, 0x32, 0xfc, 0x5f, 0x83, 0x35, 0xea,
67 0x57, 0x4f, 0x9e, 0x61, 0x48, 0x6e, 0x89, 0x9d, 0x3d, 0xaa, 0x38, 0x5d,
68 0xd0, 0x06, 0x96, 0x62, 0xe8, 0x0b, 0xd6, 0x5f, 0x12, 0xa4, 0xcc, 0xa9,
69 0xb5, 0x20, 0x1b, 0x13, 0x8c, 0x1c, 0xaf, 0x36, 0x1b, 0xab, 0x0c, 0xc6,
70 0xac, 0x38, 0xae, 0x96, 0x3d, 0x14, 0x9d, 0xb8, 0x8d, 0xf4, 0x7f, 0xe2,
71 0x7d, 0xeb, 0x17, 0xc2, 0xbc, 0x63, 0x42, 0x93, 0x94, 0xe4, 0x97, 0xbf,
72 0x97, 0xea, 0x02, 0x40, 0xac, 0xb6, 0xa5, 0x03, 0x4c, 0x6b, 0x4c, 0xb8,
73 0x8c, 0xf4, 0x66, 0x1b, 0x4e, 0x02, 0x45, 0xf9, 0xcd, 0xb6, 0x0f, 0x59,
74 0x09, 0x21, 0x03, 0x7e, 0x92, 0x1f, 0x3f, 0x40, 0x83, 0x50, 0xe3, 0xdc,
75 0x9e, 0x6f, 0x65, 0xc5, 0xbd, 0x2c, 0x7d, 0xab, 0x74, 0x49, 0xc8, 0xa2,
76 0x3c, 0xab, 0xcb, 0x4d, 0x63, 0x73, 0x81, 0x2b, 0xb2, 0x1e, 0x00, 0x8f,
77 0x00, 0xb8, 0xd8, 0xb4, 0x5d, 0xc4, 0x3f, 0x3d, 0xa8, 0x4f, 0x4c, 0x72,
78 0x0e, 0x20, 0x17, 0x4b, 0xac, 0x14, 0x8f, 0xb2, 0xa5, 0x20, 0x41, 0x2b,
79 0xf7, 0x62, 0x25, 0x6a, 0xd6, 0x41, 0x26, 0x62, 0x10, 0xc1, 0xbc, 0x42,
80 0xac, 0x54, 0x1b, 0x75, 0x05, 0xd6, 0x53, 0xb1, 0x7b, 0x84, 0x6a, 0x7b,
81 0x5b, 0x2a, 0x34, 0x6e, 0x43, 0x4b, 0x43, 0xcc, 0x6c, 0xdb, 0x1d, 0x02,
82 0x34, 0x7f, 0xd1, 0xe8, 0xfd, 0x42, 0x2c, 0xd9, 0x14, 0xdb, 0xd6, 0xf4,
83 0xad, 0xb5, 0xe4, 0xac, 0xdd, 0x7e, 0xb5, 0x4c, 0x3f, 0x59, 0x24, 0xfa,
84 0x04, 0xd9, 0xb6, 0xd2, 0xb7, 0x7d, 0xf1, 0xfa, 0x13, 0xc0, 0x4d, 0xd5,
85 0xca, 0x3a, 0x4e, 0xa8, 0xdd, 0xa9, 0xfc, 0xcb, 0x06, 0xb2, 0xde, 0x4b,
86 0x2a, 0x86, 0xbb, 0x0d, 0x41, 0xb6, 0x3d, 0xfb, 0x49, 0xc8, 0xdf, 0x9a,
87 0x48, 0xe5, 0x68, 0x8a, 0xfc, 0x86, 0x9c, 0x79, 0x5a, 0x79, 0xc1, 0x09,
88 0x33, 0x53, 0xdc, 0x3d, 0xe9, 0x93, 0x7c, 0x5b, 0x72, 0xf7, 0xa0, 0x8a,
89 0x1f, 0x07, 0x6c, 0x38, 0x3c, 0x99, 0x0b, 0xe4, 0x4e, 0xa4, 0xbd, 0x41,
90 0x1f, 0x83, 0xa6, 0xd3
91 };
92 ASSERT_EQ(Bytes(kExpectedPriv, sizeof(kExpectedPriv)),
93 Bytes(priv_key, priv_key_len));
94
95 const uint8_t kExpectedPub[] = {
96 0x00, 0x00, 0x00, 0x01, 0x00, 0x61, 0x04, 0x5e, 0x06, 0x6b, 0x7b, 0xfd,
97 0x54, 0x01, 0xe0, 0xd2, 0xb5, 0x12, 0xce, 0x48, 0x16, 0x66, 0xb2, 0xdf,
98 0xfd, 0xa8, 0x38, 0x7c, 0x1f, 0x45, 0x1a, 0xb8, 0x21, 0x52, 0x17, 0x25,
99 0xbb, 0x0b, 0x00, 0xd4, 0xa1, 0xbc, 0x28, 0xd9, 0x08, 0x36, 0x98, 0xb2,
100 0x17, 0xd3, 0xb5, 0xad, 0xb6, 0x4e, 0x03, 0x5f, 0xd3, 0x66, 0x2c, 0x58,
101 0x1c, 0xcc, 0xc6, 0x23, 0xa4, 0xf9, 0xa2, 0x7e, 0xb0, 0xe4, 0xd3, 0x95,
102 0x41, 0x6f, 0xba, 0x23, 0x4a, 0x82, 0x93, 0x29, 0x73, 0x75, 0x38, 0x85,
103 0x64, 0x9c, 0xaa, 0x12, 0x6d, 0x7d, 0xcd, 0x52, 0x02, 0x91, 0x9f, 0xa9,
104 0xee, 0x4b, 0xfd, 0x68, 0x97, 0x40, 0xdc, 0x00, 0x61, 0x04, 0x14, 0x16,
105 0x39, 0xf9, 0x63, 0x66, 0x94, 0x03, 0xfa, 0x0b, 0xbf, 0xca, 0x5a, 0x39,
106 0x9f, 0x27, 0x5b, 0x3f, 0x69, 0x7a, 0xc9, 0xf7, 0x25, 0x7c, 0x84, 0x9e,
107 0x1d, 0x61, 0x5a, 0x24, 0x53, 0xf2, 0x4a, 0x9d, 0xe9, 0x05, 0x53, 0xfd,
108 0x12, 0x01, 0x2d, 0x9a, 0x69, 0x50, 0x74, 0x82, 0xa3, 0x45, 0x73, 0xdc,
109 0x34, 0x36, 0x31, 0x44, 0x07, 0x0c, 0xda, 0x13, 0xbe, 0x94, 0x37, 0x65,
110 0xa0, 0xab, 0x16, 0x52, 0x90, 0xe5, 0x8a, 0x03, 0xe5, 0x98, 0x79, 0x14,
111 0x79, 0xd5, 0x17, 0xee, 0xd4, 0xb8, 0xda, 0x77, 0x76, 0x03, 0x20, 0x2a,
112 0x7e, 0x3b, 0x76, 0x0b, 0x23, 0xb7, 0x72, 0x77, 0xb2, 0xeb, 0x00, 0x61,
113 0x04, 0x68, 0x18, 0x4d, 0x23, 0x23, 0xf4, 0x45, 0xb8, 0x81, 0x0d, 0xa4,
114 0x5d, 0x0b, 0x9e, 0x08, 0xfb, 0x45, 0xfb, 0x96, 0x29, 0x43, 0x2f, 0xab,
115 0x93, 0x04, 0x4c, 0x04, 0xb6, 0x5e, 0x27, 0xf5, 0x39, 0x66, 0x94, 0x15,
116 0x1d, 0xb1, 0x1c, 0x7c, 0x27, 0x6f, 0xa5, 0x19, 0x0c, 0x30, 0x12, 0xcc,
117 0x77, 0x7f, 0x10, 0xa9, 0x7c, 0xe4, 0x08, 0x77, 0x3c, 0xd3, 0x6f, 0xa4,
118 0xf4, 0xaf, 0xf1, 0x9d, 0x14, 0x1d, 0xd0, 0x02, 0x33, 0x50, 0x55, 0x00,
119 0x6a, 0x47, 0x96, 0xe1, 0x8b, 0x4e, 0x44, 0x41, 0xad, 0xb3, 0xea, 0x0d,
120 0x0d, 0xd5, 0x73, 0x8e, 0x62, 0x67, 0x8a, 0xb4, 0xe7, 0x5d, 0x17, 0xa9,
121 0x24};
122 ASSERT_EQ(Bytes(kExpectedPub, sizeof(kExpectedPub)),
123 Bytes(pub_key, pub_key_len));
David Benjaminaa764c42020-04-29 12:39:10 -0400[diff] [blame]124}
125
Steven Valdezf2b2ef82020-09-21 11:39:22 -0400[diff] [blame]126TEST(TrustTokenTest, KeyGenExp2VOPRF) {
Steven Valdez9adcb0a2020-09-10 10:59:15 -0400[diff] [blame]127 uint8_t priv_key[TRUST_TOKEN_MAX_PRIVATE_KEY_SIZE];
128 uint8_t pub_key[TRUST_TOKEN_MAX_PUBLIC_KEY_SIZE];
129 size_t priv_key_len, pub_key_len;
130 ASSERT_TRUE(TRUST_TOKEN_generate_key(
Steven Valdezf2b2ef82020-09-21 11:39:22 -0400[diff] [blame]131 TRUST_TOKEN_experiment_v2_voprf(), priv_key, &priv_key_len,
Steven Valdez9adcb0a2020-09-10 10:59:15 -0400[diff] [blame]132 TRUST_TOKEN_MAX_PRIVATE_KEY_SIZE, pub_key, &pub_key_len,
133 TRUST_TOKEN_MAX_PUBLIC_KEY_SIZE, 0x0001));
Steven Valdezf2b2ef82020-09-21 11:39:22 -0400[diff] [blame]134 ASSERT_EQ(52u, priv_key_len);
135 ASSERT_EQ(101u, pub_key_len);
Steven Valdezaa5f6012022-06-14 11:16:02 -0400[diff] [blame]136
137 const uint8_t kKeygenSecret[] = "SEED";
138 ASSERT_TRUE(TRUST_TOKEN_derive_key_from_secret(
139 TRUST_TOKEN_experiment_v2_voprf(), priv_key, &priv_key_len,
140 TRUST_TOKEN_MAX_PRIVATE_KEY_SIZE, pub_key, &pub_key_len,
141 TRUST_TOKEN_MAX_PUBLIC_KEY_SIZE, 0x0001, kKeygenSecret,
142 sizeof(kKeygenSecret) - 1));
143
144 const uint8_t kExpectedPriv[] = {
145 0x00, 0x00, 0x00, 0x01, 0x0b, 0xe2, 0xc4, 0x73, 0x92, 0xe7, 0xf8,
146 0x3e, 0xba, 0xab, 0x85, 0xa7, 0x77, 0xd7, 0x0a, 0x02, 0xc5, 0x36,
147 0xfe, 0x62, 0xa3, 0xca, 0x01, 0x75, 0xc7, 0x62, 0x19, 0xc7, 0xf0,
148 0x30, 0xc5, 0x14, 0x60, 0x13, 0x97, 0x4f, 0x63, 0x05, 0x37, 0x92,
149 0x7b, 0x76, 0x8e, 0x9f, 0xd0, 0x1a, 0x74, 0x44
150 };
151 ASSERT_EQ(Bytes(kExpectedPriv, sizeof(kExpectedPriv)),
152 Bytes(priv_key, priv_key_len));
153
154 const uint8_t kExpectedPub[] = {
155 0x00, 0x00, 0x00, 0x01, 0x04, 0x2c, 0x9c, 0x11, 0xc1, 0xe5, 0x52, 0x59,
156 0x0b, 0x6d, 0x88, 0x8b, 0x6e, 0x28, 0xe8, 0xc5, 0xa3, 0xbe, 0x48, 0x18,
157 0xf7, 0x1d, 0x31, 0xcf, 0xa2, 0x6e, 0x2a, 0xd6, 0xcb, 0x83, 0x26, 0x04,
158 0xbd, 0x93, 0x67, 0xe4, 0x53, 0xf6, 0x11, 0x7d, 0x45, 0xe9, 0xfe, 0x27,
159 0x33, 0x90, 0xdb, 0x1b, 0xfc, 0x9b, 0x31, 0x4d, 0x39, 0x1f, 0x1f, 0x8c,
160 0x43, 0x06, 0x70, 0x2c, 0x84, 0xdc, 0x23, 0x18, 0xc7, 0x6a, 0x58, 0xcf,
161 0x9e, 0xc1, 0xfa, 0xf2, 0x30, 0xdd, 0xad, 0x62, 0x24, 0xde, 0x11, 0xc1,
162 0xba, 0x8d, 0xc3, 0x4f, 0xfb, 0xe5, 0xa5, 0xd4, 0x37, 0xba, 0x3b, 0x70,
163 0xc0, 0xc3, 0xef, 0x20, 0x43
164 };
165 ASSERT_EQ(Bytes(kExpectedPub, sizeof(kExpectedPub)),
166 Bytes(pub_key, pub_key_len));
Steven Valdez9adcb0a2020-09-10 10:59:15 -0400[diff] [blame]167}
168
169TEST(TrustTokenTest, KeyGenExp2PMB) {
170 uint8_t priv_key[TRUST_TOKEN_MAX_PRIVATE_KEY_SIZE];
171 uint8_t pub_key[TRUST_TOKEN_MAX_PUBLIC_KEY_SIZE];
172 size_t priv_key_len, pub_key_len;
173 ASSERT_TRUE(TRUST_TOKEN_generate_key(
174 TRUST_TOKEN_experiment_v2_pmb(), priv_key, &priv_key_len,
175 TRUST_TOKEN_MAX_PRIVATE_KEY_SIZE, pub_key, &pub_key_len,
176 TRUST_TOKEN_MAX_PUBLIC_KEY_SIZE, 0x0001));
177 ASSERT_EQ(292u, priv_key_len);
178 ASSERT_EQ(295u, pub_key_len);
Steven Valdezaa5f6012022-06-14 11:16:02 -0400[diff] [blame]179
180 const uint8_t kKeygenSecret[] = "SEED";
181 ASSERT_TRUE(TRUST_TOKEN_derive_key_from_secret(
182 TRUST_TOKEN_experiment_v2_pmb(), priv_key, &priv_key_len,
183 TRUST_TOKEN_MAX_PRIVATE_KEY_SIZE, pub_key, &pub_key_len,
184 TRUST_TOKEN_MAX_PUBLIC_KEY_SIZE, 0x0001, kKeygenSecret,
185 sizeof(kKeygenSecret) - 1));
186
187 const uint8_t kExpectedPriv[] = {
188 0x00, 0x00, 0x00, 0x01, 0x1b, 0x74, 0xdc, 0xf0, 0xa9, 0xa7, 0x6c, 0xfb,
189 0x41, 0xef, 0xfa, 0x65, 0x52, 0xc9, 0x86, 0x4e, 0xfb, 0x16, 0x9d, 0xea,
190 0x62, 0x3f, 0x47, 0xab, 0x1f, 0x1b, 0x05, 0xf2, 0x4f, 0x05, 0xfe, 0x64,
191 0xb7, 0xe8, 0xcd, 0x2a, 0x10, 0xfa, 0xa2, 0x48, 0x3f, 0x0e, 0x8b, 0x94,
192 0x39, 0xf1, 0xe7, 0x53, 0xe9, 0x50, 0x29, 0xe2, 0xb7, 0x0e, 0xc0, 0x94,
193 0xa9, 0xd3, 0xef, 0x64, 0x10, 0x1d, 0x08, 0xd0, 0x60, 0xcb, 0x6d, 0x97,
194 0x68, 0xc7, 0x04, 0x92, 0x07, 0xb2, 0x22, 0x83, 0xf7, 0xd9, 0x9b, 0x2c,
195 0xf2, 0x52, 0x34, 0x0c, 0x42, 0x31, 0x47, 0x41, 0x19, 0xb9, 0xee, 0xfc,
196 0x46, 0xbd, 0x14, 0xce, 0x42, 0xd7, 0x43, 0xc8, 0x32, 0x3b, 0x24, 0xed,
197 0xdc, 0x69, 0xa3, 0x8e, 0x29, 0x01, 0xbe, 0xae, 0x24, 0x39, 0x14, 0xa7,
198 0x52, 0xe5, 0xd5, 0xff, 0x9a, 0xc4, 0x15, 0x79, 0x29, 0x4c, 0x9b, 0x4e,
199 0xfc, 0x61, 0xf2, 0x12, 0x6f, 0x4f, 0xd3, 0x96, 0x28, 0xb0, 0x79, 0xf0,
200 0x4e, 0x6e, 0x7d, 0x56, 0x19, 0x1b, 0xc2, 0xd7, 0xf9, 0x3a, 0x58, 0x06,
201 0xe5, 0xec, 0xa4, 0x33, 0x14, 0x1c, 0x78, 0x0c, 0x83, 0x94, 0x34, 0x22,
202 0x5a, 0x8e, 0x2e, 0xa1, 0x72, 0x4a, 0x03, 0x35, 0xfe, 0x46, 0x92, 0x41,
203 0x6b, 0xe6, 0x4b, 0x3f, 0xf0, 0xe7, 0x0b, 0xb5, 0xf3, 0x66, 0x6c, 0xc6,
204 0x14, 0xcf, 0xce, 0x32, 0x0a, 0x2c, 0x28, 0xba, 0x4e, 0xb9, 0x75, 0x4a,
205 0xa9, 0x2d, 0xb0, 0x8c, 0xd0, 0x62, 0x52, 0x29, 0x1f, 0x12, 0xfd, 0xfb,
206 0xd3, 0x2a, 0x36, 0x0f, 0x89, 0x32, 0x86, 0x25, 0x56, 0xb9, 0xe7, 0x3c,
207 0xeb, 0xb4, 0x84, 0x41, 0x2b, 0xa8, 0xf3, 0xa5, 0x3d, 0xfe, 0x56, 0x94,
208 0x5b, 0x74, 0xb3, 0x5b, 0x27, 0x3f, 0xe7, 0xcf, 0xe4, 0xf8, 0x15, 0x95,
209 0x2a, 0xd2, 0x5f, 0x92, 0xb4, 0x6a, 0x89, 0xa5, 0x54, 0xbd, 0x27, 0x5e,
210 0xeb, 0x43, 0x07, 0x9b, 0x2b, 0x8b, 0x22, 0x59, 0x13, 0x4b, 0x9c, 0x56,
211 0xd8, 0x63, 0xd9, 0xe6, 0x85, 0x15, 0x2c, 0x82, 0x52, 0x40, 0x8f, 0xb1,
212 0xe7, 0x56, 0x07, 0x98
213 };
214 ASSERT_EQ(Bytes(kExpectedPriv, sizeof(kExpectedPriv)),
215 Bytes(priv_key, priv_key_len));
216
217 const uint8_t kExpectedPub[] = {
218 0x00, 0x00, 0x00, 0x01, 0x04, 0x48, 0xb1, 0x2d, 0xdd, 0x03, 0x32, 0xeb,
219 0x93, 0x31, 0x3d, 0x59, 0x74, 0xf0, 0xcf, 0xaa, 0xa5, 0x39, 0x5f, 0x53,
220 0xc4, 0x94, 0x98, 0xbe, 0x8f, 0x22, 0xd7, 0x30, 0xde, 0x1e, 0xb4, 0xf3,
221 0x32, 0x23, 0x90, 0x0b, 0xa6, 0x37, 0x4a, 0x4b, 0x44, 0xb3, 0x26, 0x52,
222 0x93, 0x7b, 0x4b, 0xa4, 0x79, 0xe8, 0x77, 0x6a, 0x19, 0x81, 0x2a, 0xdd,
223 0x91, 0xfb, 0x90, 0x8b, 0x24, 0xb5, 0xbe, 0x20, 0x2e, 0xe8, 0xbc, 0xd3,
224 0x83, 0x6c, 0xa8, 0xc5, 0xa1, 0x9a, 0x5b, 0x5e, 0x60, 0xda, 0x45, 0x2e,
225 0x31, 0x7f, 0x54, 0x0e, 0x14, 0x40, 0xd2, 0x4d, 0x40, 0x2e, 0x21, 0x79,
226 0xfc, 0x77, 0xdd, 0xc7, 0x2d, 0x04, 0xfe, 0xc6, 0xe3, 0xcf, 0x99, 0xef,
227 0x88, 0xab, 0x76, 0x86, 0x16, 0x14, 0xed, 0x72, 0x35, 0xa7, 0x05, 0x13,
228 0x9f, 0x2c, 0x53, 0xd5, 0xdf, 0x66, 0x75, 0x2e, 0x68, 0xdc, 0xd4, 0xc4,
229 0x00, 0x36, 0x08, 0x6d, 0xb7, 0x15, 0xf7, 0xe5, 0x32, 0x59, 0x81, 0x16,
230 0x57, 0xaa, 0x72, 0x06, 0xf0, 0xad, 0xd1, 0x85, 0xa0, 0x04, 0xd4, 0x11,
231 0x95, 0x1d, 0xac, 0x0b, 0x25, 0xbe, 0x59, 0xa2, 0xb3, 0x30, 0xee, 0x97,
232 0x07, 0x2a, 0x51, 0x15, 0xc1, 0x8d, 0xa8, 0xa6, 0x57, 0x9a, 0x4e, 0xbf,
233 0xd7, 0x2d, 0x35, 0x07, 0x6b, 0xd6, 0xc9, 0x3c, 0xe4, 0xcf, 0x0b, 0x14,
234 0x3e, 0x10, 0x51, 0x77, 0xd6, 0x84, 0x04, 0xbe, 0xd1, 0xd5, 0xa8, 0xf3,
235 0x9d, 0x1d, 0x4f, 0xc1, 0xc9, 0xf1, 0x0c, 0x6d, 0xb6, 0xcb, 0xe2, 0x05,
236 0x0b, 0x9c, 0x7a, 0x3a, 0x9a, 0x99, 0xe9, 0xa1, 0x93, 0xdc, 0x72, 0x2e,
237 0xef, 0xf3, 0x8d, 0xb9, 0x7b, 0xb0, 0x19, 0x24, 0x95, 0x0d, 0x68, 0xa7,
238 0xe0, 0xaa, 0x0b, 0xb1, 0xd1, 0xcc, 0x52, 0x14, 0xf9, 0x6c, 0x91, 0x59,
239 0xe4, 0xe1, 0x9b, 0xf9, 0x12, 0x39, 0xb1, 0x79, 0xbb, 0x21, 0x92, 0x00,
240 0xa4, 0x89, 0xf5, 0xbd, 0xd7, 0x89, 0x27, 0x40, 0xdc, 0xb1, 0x09, 0x38,
241 0x63, 0x91, 0x8c, 0xa5, 0x27, 0x27, 0x97, 0x39, 0x35, 0xfa, 0x1a, 0x8a,
242 0xa7, 0xe5, 0xc4, 0xd8, 0xbf, 0xe7, 0xbe
243 };
244 ASSERT_EQ(Bytes(kExpectedPub, sizeof(kExpectedPub)),
245 Bytes(pub_key, pub_key_len));
Steven Valdez9adcb0a2020-09-10 10:59:15 -0400[diff] [blame]246}
247
David Benjaminaa764c42020-04-29 12:39:10 -0400[diff] [blame]248// Test that H in |TRUST_TOKEN_experiment_v1| was computed correctly.
249TEST(TrustTokenTest, HExp1) {
250 const EC_GROUP *group = EC_GROUP_new_by_curve_name(NID_secp384r1);
251 ASSERT_TRUE(group);
252
253 const uint8_t kHGen[] = "generator";
254 const uint8_t kHLabel[] = "PMBTokens Experiment V1 HashH";
255
David Benjamin802523a2020-04-22 14:51:20 -0400[diff] [blame]256 bssl::UniquePtr<EC_POINT> expected_h(EC_POINT_new(group));
257 ASSERT_TRUE(expected_h);
David Benjaminaa764c42020-04-29 12:39:10 -0400[diff] [blame]258 ASSERT_TRUE(ec_hash_to_curve_p384_xmd_sha512_sswu_draft07(
David Benjamin802523a2020-04-22 14:51:20 -0400[diff] [blame]259 group, &expected_h->raw, kHLabel, sizeof(kHLabel), kHGen, sizeof(kHGen)));
David Benjaminaa764c42020-04-29 12:39:10 -0400[diff] [blame]260 uint8_t expected_bytes[1 + 2 * EC_MAX_BYTES];
261 size_t expected_len =
David Benjamin802523a2020-04-22 14:51:20 -0400[diff] [blame]262 EC_POINT_point2oct(group, expected_h.get(), POINT_CONVERSION_UNCOMPRESSED,
263 expected_bytes, sizeof(expected_bytes), nullptr);
David Benjaminaa764c42020-04-29 12:39:10 -0400[diff] [blame]264
265 uint8_t h[97];
266 ASSERT_TRUE(pmbtoken_exp1_get_h_for_testing(h));
267 EXPECT_EQ(Bytes(h), Bytes(expected_bytes, expected_len));
268}
269
Steven Valdez9adcb0a2020-09-10 10:59:15 -0400[diff] [blame]270// Test that H in |TRUST_TOKEN_experiment_v2_pmb| was computed correctly.
271TEST(TrustTokenTest, HExp2) {
272 const EC_GROUP *group = EC_GROUP_new_by_curve_name(NID_secp384r1);
273 ASSERT_TRUE(group);
274
275 const uint8_t kHGen[] = "generator";
276 const uint8_t kHLabel[] = "PMBTokens Experiment V2 HashH";
277
278 bssl::UniquePtr<EC_POINT> expected_h(EC_POINT_new(group));
279 ASSERT_TRUE(expected_h);
280 ASSERT_TRUE(ec_hash_to_curve_p384_xmd_sha512_sswu_draft07(
281 group, &expected_h->raw, kHLabel, sizeof(kHLabel), kHGen, sizeof(kHGen)));
282 uint8_t expected_bytes[1 + 2 * EC_MAX_BYTES];
283 size_t expected_len =
284 EC_POINT_point2oct(group, expected_h.get(), POINT_CONVERSION_UNCOMPRESSED,
285 expected_bytes, sizeof(expected_bytes), nullptr);
286
287 uint8_t h[97];
288 ASSERT_TRUE(pmbtoken_exp2_get_h_for_testing(h));
289 EXPECT_EQ(Bytes(h), Bytes(expected_bytes, expected_len));
290}
291
David Benjaminaa764c42020-04-29 12:39:10 -0400[diff] [blame]292static std::vector<const TRUST_TOKEN_METHOD *> AllMethods() {
Steven Valdez9adcb0a2020-09-10 10:59:15 -0400[diff] [blame]293 return {
294 TRUST_TOKEN_experiment_v1(),
Steven Valdezf2b2ef82020-09-21 11:39:22 -0400[diff] [blame]295 TRUST_TOKEN_experiment_v2_voprf(),
Steven Valdez9adcb0a2020-09-10 10:59:15 -0400[diff] [blame]296 TRUST_TOKEN_experiment_v2_pmb()
297 };
David Benjaminaa764c42020-04-29 12:39:10 -0400[diff] [blame]298}
299
300class TrustTokenProtocolTestBase : public ::testing::Test {
Steven Valdez538a1242019-12-16 12:12:31 -0500[diff] [blame]301 public:
David Benjamin043fba22020-10-21 11:14:59 -0400[diff] [blame]302 explicit TrustTokenProtocolTestBase(const TRUST_TOKEN_METHOD *method_arg)
303 : method_(method_arg) {}
David Benjaminaa764c42020-04-29 12:39:10 -0400[diff] [blame]304
Steven Valdez538a1242019-12-16 12:12:31 -0500[diff] [blame]305 // KeyID returns the key ID associated with key index |i|.
306 static uint32_t KeyID(size_t i) {
307 // Use a different value from the indices to that we do not mix them up.
308 return 7 + i;
309 }
310
David Benjaminaa764c42020-04-29 12:39:10 -0400[diff] [blame]311 const TRUST_TOKEN_METHOD *method() { return method_; }
David Benjamin239634d2020-04-29 11:17:51 -0400[diff] [blame]312
Steven Valdez538a1242019-12-16 12:12:31 -0500[diff] [blame]313 protected:
314 void SetupContexts() {
David Benjamin239634d2020-04-29 11:17:51 -0400[diff] [blame]315 client.reset(TRUST_TOKEN_CLIENT_new(method(), client_max_batchsize));
Steven Valdez538a1242019-12-16 12:12:31 -0500[diff] [blame]316 ASSERT_TRUE(client);
David Benjamin239634d2020-04-29 11:17:51 -0400[diff] [blame]317 issuer.reset(TRUST_TOKEN_ISSUER_new(method(), issuer_max_batchsize));
Steven Valdez538a1242019-12-16 12:12:31 -0500[diff] [blame]318 ASSERT_TRUE(issuer);
319
Steven Valdez9adcb0a2020-09-10 10:59:15 -0400[diff] [blame]320 for (size_t i = 0; i < method()->max_keys; i++) {
Steven Valdez538a1242019-12-16 12:12:31 -0500[diff] [blame]321 uint8_t priv_key[TRUST_TOKEN_MAX_PRIVATE_KEY_SIZE];
322 uint8_t pub_key[TRUST_TOKEN_MAX_PUBLIC_KEY_SIZE];
323 size_t priv_key_len, pub_key_len, key_index;
324 ASSERT_TRUE(TRUST_TOKEN_generate_key(
David Benjamin239634d2020-04-29 11:17:51 -0400[diff] [blame]325 method(), priv_key, &priv_key_len, TRUST_TOKEN_MAX_PRIVATE_KEY_SIZE,
326 pub_key, &pub_key_len, TRUST_TOKEN_MAX_PUBLIC_KEY_SIZE, KeyID(i)));
Steven Valdez538a1242019-12-16 12:12:31 -0500[diff] [blame]327 ASSERT_TRUE(TRUST_TOKEN_CLIENT_add_key(client.get(), &key_index, pub_key,
328 pub_key_len));
329 ASSERT_EQ(i, key_index);
330 ASSERT_TRUE(
331 TRUST_TOKEN_ISSUER_add_key(issuer.get(), priv_key, priv_key_len));
332 }
333
334 uint8_t public_key[32], private_key[64];
335 ED25519_keypair(public_key, private_key);
336 bssl::UniquePtr<EVP_PKEY> priv(EVP_PKEY_new_raw_private_key(
337 EVP_PKEY_ED25519, nullptr, private_key, 32));
338 ASSERT_TRUE(priv);
339 bssl::UniquePtr<EVP_PKEY> pub(
340 EVP_PKEY_new_raw_public_key(EVP_PKEY_ED25519, nullptr, public_key, 32));
341 ASSERT_TRUE(pub);
342
343 TRUST_TOKEN_CLIENT_set_srr_key(client.get(), pub.get());
344 TRUST_TOKEN_ISSUER_set_srr_key(issuer.get(), priv.get());
345 RAND_bytes(metadata_key, sizeof(metadata_key));
346 ASSERT_TRUE(TRUST_TOKEN_ISSUER_set_metadata_key(issuer.get(), metadata_key,
347 sizeof(metadata_key)));
348 }
349
David Benjaminaa764c42020-04-29 12:39:10 -0400[diff] [blame]350 const TRUST_TOKEN_METHOD *method_;
Steven Valdez538a1242019-12-16 12:12:31 -0500[diff] [blame]351 uint16_t client_max_batchsize = 10;
352 uint16_t issuer_max_batchsize = 10;
353 bssl::UniquePtr<TRUST_TOKEN_CLIENT> client;
354 bssl::UniquePtr<TRUST_TOKEN_ISSUER> issuer;
355 uint8_t metadata_key[32];
356};
357
David Benjaminaa764c42020-04-29 12:39:10 -0400[diff] [blame]358class TrustTokenProtocolTest
359 : public TrustTokenProtocolTestBase,
360 public testing::WithParamInterface<const TRUST_TOKEN_METHOD *> {
361 public:
362 TrustTokenProtocolTest() : TrustTokenProtocolTestBase(GetParam()) {}
363};
364
365INSTANTIATE_TEST_SUITE_P(TrustTokenAllProtocolTest, TrustTokenProtocolTest,
366 testing::ValuesIn(AllMethods()));
367
368TEST_P(TrustTokenProtocolTest, InvalidToken) {
Steven Valdez538a1242019-12-16 12:12:31 -0500[diff] [blame]369 ASSERT_NO_FATAL_FAILURE(SetupContexts());
370
371 uint8_t *issue_msg = NULL, *issue_resp = NULL;
372 size_t msg_len, resp_len;
373
374 size_t key_index;
David Benjamin17078f22020-04-28 17:50:13 -0400[diff] [blame]375 size_t tokens_issued;
Steven Valdez538a1242019-12-16 12:12:31 -0500[diff] [blame]376 ASSERT_TRUE(
377 TRUST_TOKEN_CLIENT_begin_issuance(client.get(), &issue_msg, &msg_len, 1));
378 bssl::UniquePtr<uint8_t> free_issue_msg(issue_msg);
379 ASSERT_TRUE(TRUST_TOKEN_ISSUER_issue(
380 issuer.get(), &issue_resp, &resp_len, &tokens_issued, issue_msg, msg_len,
Steven Valdez9adcb0a2020-09-10 10:59:15 -0400[diff] [blame]381 /*public_metadata=*/KeyID(0), /*private_metadata=*/0,
Steven Valdez538a1242019-12-16 12:12:31 -0500[diff] [blame]382 /*max_issuance=*/10));
383 bssl::UniquePtr<uint8_t> free_msg(issue_resp);
384 bssl::UniquePtr<STACK_OF(TRUST_TOKEN)> tokens(
385 TRUST_TOKEN_CLIENT_finish_issuance(client.get(), &key_index, issue_resp,
386 resp_len));
387 ASSERT_TRUE(tokens);
388
389 for (TRUST_TOKEN *token : tokens.get()) {
390 // Corrupt the token.
391 token->data[0] ^= 0x42;
392
393 uint8_t *redeem_msg = NULL, *redeem_resp = NULL;
394 ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_redemption(
395 client.get(), &redeem_msg, &msg_len, token, NULL, 0, 0));
396 bssl::UniquePtr<uint8_t> free_redeem_msg(redeem_msg);
397 TRUST_TOKEN *rtoken;
398 uint8_t *client_data;
399 size_t client_data_len;
400 uint64_t redemption_time;
401 ASSERT_FALSE(TRUST_TOKEN_ISSUER_redeem(
402 issuer.get(), &redeem_resp, &resp_len, &rtoken, &client_data,
403 &client_data_len, &redemption_time, redeem_msg, msg_len, 600));
404 bssl::UniquePtr<uint8_t> free_redeem_resp(redeem_resp);
405 }
406}
407
David Benjaminaa764c42020-04-29 12:39:10 -0400[diff] [blame]408TEST_P(TrustTokenProtocolTest, TruncatedIssuanceRequest) {
Steven Valdez538a1242019-12-16 12:12:31 -0500[diff] [blame]409 ASSERT_NO_FATAL_FAILURE(SetupContexts());
410
411 uint8_t *issue_msg = NULL, *issue_resp = NULL;
412 size_t msg_len, resp_len;
413 ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_issuance(client.get(), &issue_msg,
414 &msg_len, 10));
415 bssl::UniquePtr<uint8_t> free_issue_msg(issue_msg);
416 msg_len = 10;
David Benjamin17078f22020-04-28 17:50:13 -0400[diff] [blame]417 size_t tokens_issued;
Steven Valdez538a1242019-12-16 12:12:31 -0500[diff] [blame]418 ASSERT_FALSE(TRUST_TOKEN_ISSUER_issue(
419 issuer.get(), &issue_resp, &resp_len, &tokens_issued, issue_msg, msg_len,
420 /*public_metadata=*/KeyID(0), /*private_metadata=*/0,
421 /*max_issuance=*/10));
422 bssl::UniquePtr<uint8_t> free_msg(issue_resp);
423}
424
David Benjaminaa764c42020-04-29 12:39:10 -0400[diff] [blame]425TEST_P(TrustTokenProtocolTest, TruncatedIssuanceResponse) {
Steven Valdez538a1242019-12-16 12:12:31 -0500[diff] [blame]426 ASSERT_NO_FATAL_FAILURE(SetupContexts());
427
428 uint8_t *issue_msg = NULL, *issue_resp = NULL;
429 size_t msg_len, resp_len;
430 ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_issuance(client.get(), &issue_msg,
431 &msg_len, 10));
432 bssl::UniquePtr<uint8_t> free_issue_msg(issue_msg);
David Benjamin17078f22020-04-28 17:50:13 -0400[diff] [blame]433 size_t tokens_issued;
Steven Valdez538a1242019-12-16 12:12:31 -0500[diff] [blame]434 ASSERT_TRUE(TRUST_TOKEN_ISSUER_issue(
435 issuer.get(), &issue_resp, &resp_len, &tokens_issued, issue_msg, msg_len,
436 /*public_metadata=*/KeyID(0), /*private_metadata=*/0,
437 /*max_issuance=*/10));
438 bssl::UniquePtr<uint8_t> free_msg(issue_resp);
439 resp_len = 10;
440 size_t key_index;
441 bssl::UniquePtr<STACK_OF(TRUST_TOKEN)> tokens(
442 TRUST_TOKEN_CLIENT_finish_issuance(client.get(), &key_index, issue_resp,
443 resp_len));
444 ASSERT_FALSE(tokens);
445}
446
David Benjaminaa764c42020-04-29 12:39:10 -0400[diff] [blame]447TEST_P(TrustTokenProtocolTest, ExtraDataIssuanceResponse) {
David Benjamincbe128b2020-04-21 23:05:27 -0400[diff] [blame]448 ASSERT_NO_FATAL_FAILURE(SetupContexts());
449
450 uint8_t *request = NULL, *response = NULL;
451 size_t request_len, response_len;
452 ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_issuance(client.get(), &request,
453 &request_len, 10));
454 bssl::UniquePtr<uint8_t> free_request(request);
David Benjamin17078f22020-04-28 17:50:13 -0400[diff] [blame]455 size_t tokens_issued;
David Benjamincbe128b2020-04-21 23:05:27 -0400[diff] [blame]456 ASSERT_TRUE(TRUST_TOKEN_ISSUER_issue(issuer.get(), &response, &response_len,
457 &tokens_issued, request, request_len,
458 /*public_metadata=*/KeyID(0),
459 /*private_metadata=*/0,
460 /*max_issuance=*/10));
461 bssl::UniquePtr<uint8_t> free_response(response);
462 std::vector<uint8_t> response2(response, response + response_len);
463 response2.push_back(0);
464 size_t key_index;
465 bssl::UniquePtr<STACK_OF(TRUST_TOKEN)> tokens(
466 TRUST_TOKEN_CLIENT_finish_issuance(client.get(), &key_index,
467 response2.data(), response2.size()));
468 ASSERT_FALSE(tokens);
469}
470
David Benjaminaa764c42020-04-29 12:39:10 -0400[diff] [blame]471TEST_P(TrustTokenProtocolTest, TruncatedRedemptionRequest) {
Steven Valdez538a1242019-12-16 12:12:31 -0500[diff] [blame]472 ASSERT_NO_FATAL_FAILURE(SetupContexts());
473
474 uint8_t *issue_msg = NULL, *issue_resp = NULL;
475 size_t msg_len, resp_len;
476 ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_issuance(client.get(), &issue_msg,
477 &msg_len, 10));
478 bssl::UniquePtr<uint8_t> free_issue_msg(issue_msg);
David Benjamin17078f22020-04-28 17:50:13 -0400[diff] [blame]479 size_t tokens_issued;
Steven Valdez538a1242019-12-16 12:12:31 -0500[diff] [blame]480 ASSERT_TRUE(TRUST_TOKEN_ISSUER_issue(
481 issuer.get(), &issue_resp, &resp_len, &tokens_issued, issue_msg, msg_len,
482 /*public_metadata=*/KeyID(0), /*private_metadata=*/0,
483 /*max_issuance=*/10));
484 bssl::UniquePtr<uint8_t> free_msg(issue_resp);
485 size_t key_index;
486 bssl::UniquePtr<STACK_OF(TRUST_TOKEN)> tokens(
487 TRUST_TOKEN_CLIENT_finish_issuance(client.get(), &key_index, issue_resp,
488 resp_len));
489 ASSERT_TRUE(tokens);
490
491 for (TRUST_TOKEN *token : tokens.get()) {
Steven Valdez8f3019e2020-04-17 09:36:06 -0400[diff] [blame]492 const uint8_t kClientData[] = "\x70TEST CLIENT DATA";
Steven Valdez07827152020-10-13 11:04:33 -0400[diff] [blame]493 uint64_t kRedemptionTime = (method()->has_srr ? 13374242 : 0);
Steven Valdez538a1242019-12-16 12:12:31 -0500[diff] [blame]494
495 uint8_t *redeem_msg = NULL, *redeem_resp = NULL;
496 ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_redemption(
497 client.get(), &redeem_msg, &msg_len, token, kClientData,
498 sizeof(kClientData) - 1, kRedemptionTime));
499 bssl::UniquePtr<uint8_t> free_redeem_msg(redeem_msg);
500 msg_len = 10;
501
502 TRUST_TOKEN *rtoken;
503 uint8_t *client_data;
504 size_t client_data_len;
505 uint64_t redemption_time;
506 ASSERT_FALSE(TRUST_TOKEN_ISSUER_redeem(
507 issuer.get(), &redeem_resp, &resp_len, &rtoken, &client_data,
508 &client_data_len, &redemption_time, redeem_msg, msg_len, 600));
509 }
510}
511
David Benjaminaa764c42020-04-29 12:39:10 -0400[diff] [blame]512TEST_P(TrustTokenProtocolTest, TruncatedRedemptionResponse) {
Steven Valdez538a1242019-12-16 12:12:31 -0500[diff] [blame]513 ASSERT_NO_FATAL_FAILURE(SetupContexts());
514
515 uint8_t *issue_msg = NULL, *issue_resp = NULL;
516 size_t msg_len, resp_len;
517 ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_issuance(client.get(), &issue_msg,
518 &msg_len, 10));
519 bssl::UniquePtr<uint8_t> free_issue_msg(issue_msg);
David Benjamin17078f22020-04-28 17:50:13 -0400[diff] [blame]520 size_t tokens_issued;
Steven Valdez538a1242019-12-16 12:12:31 -0500[diff] [blame]521 ASSERT_TRUE(TRUST_TOKEN_ISSUER_issue(
522 issuer.get(), &issue_resp, &resp_len, &tokens_issued, issue_msg, msg_len,
523 /*public_metadata=*/KeyID(0), /*private_metadata=*/0,
524 /*max_issuance=*/10));
525 bssl::UniquePtr<uint8_t> free_msg(issue_resp);
526 size_t key_index;
527 bssl::UniquePtr<STACK_OF(TRUST_TOKEN)> tokens(
528 TRUST_TOKEN_CLIENT_finish_issuance(client.get(), &key_index, issue_resp,
529 resp_len));
530 ASSERT_TRUE(tokens);
531
532 for (TRUST_TOKEN *token : tokens.get()) {
Steven Valdez8f3019e2020-04-17 09:36:06 -0400[diff] [blame]533 const uint8_t kClientData[] = "\x70TEST CLIENT DATA";
Steven Valdez07827152020-10-13 11:04:33 -0400[diff] [blame]534 uint64_t kRedemptionTime = 0;
Steven Valdez538a1242019-12-16 12:12:31 -0500[diff] [blame]535
536 uint8_t *redeem_msg = NULL, *redeem_resp = NULL;
537 ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_redemption(
538 client.get(), &redeem_msg, &msg_len, token, kClientData,
539 sizeof(kClientData) - 1, kRedemptionTime));
540 bssl::UniquePtr<uint8_t> free_redeem_msg(redeem_msg);
541 TRUST_TOKEN *rtoken;
542 uint8_t *client_data;
543 size_t client_data_len;
544 uint64_t redemption_time;
545 ASSERT_TRUE(TRUST_TOKEN_ISSUER_redeem(
546 issuer.get(), &redeem_resp, &resp_len, &rtoken, &client_data,
547 &client_data_len, &redemption_time, redeem_msg, msg_len, 600));
548 bssl::UniquePtr<uint8_t> free_redeem_resp(redeem_resp);
549 bssl::UniquePtr<uint8_t> free_client_data(client_data);
550 bssl::UniquePtr<TRUST_TOKEN> free_rtoken(rtoken);
551
552 ASSERT_EQ(redemption_time, kRedemptionTime);
Steven Valdez54304732020-05-04 11:56:12 -0400[diff] [blame]553 ASSERT_EQ(Bytes(kClientData, sizeof(kClientData) - 1),
554 Bytes(client_data, client_data_len));
Steven Valdez538a1242019-12-16 12:12:31 -0500[diff] [blame]555 resp_len = 10;
556
Steven Valdezf2b2ef82020-09-21 11:39:22 -0400[diff] [blame]557 // If the protocol doesn't use SRRs, TRUST_TOKEN_CLIENT_finish_redemtpion
558 // leaves all SRR validation to the caller.
Steven Valdez538a1242019-12-16 12:12:31 -0500[diff] [blame]559 uint8_t *srr = NULL, *sig = NULL;
560 size_t srr_len, sig_len;
Steven Valdezf2b2ef82020-09-21 11:39:22 -0400[diff] [blame]561 bool expect_failure = !method()->has_srr;
562 ASSERT_EQ(expect_failure, TRUST_TOKEN_CLIENT_finish_redemption(
563 client.get(), &srr, &srr_len, &sig, &sig_len,
564 redeem_resp, resp_len));
Steven Valdez538a1242019-12-16 12:12:31 -0500[diff] [blame]565 bssl::UniquePtr<uint8_t> free_srr(srr);
566 bssl::UniquePtr<uint8_t> free_sig(sig);
567 }
568}
569
David Benjaminaa764c42020-04-29 12:39:10 -0400[diff] [blame]570TEST_P(TrustTokenProtocolTest, IssuedWithBadKeyID) {
David Benjamin239634d2020-04-29 11:17:51 -0400[diff] [blame]571 client.reset(TRUST_TOKEN_CLIENT_new(method(), client_max_batchsize));
Steven Valdez538a1242019-12-16 12:12:31 -0500[diff] [blame]572 ASSERT_TRUE(client);
David Benjamin239634d2020-04-29 11:17:51 -0400[diff] [blame]573 issuer.reset(TRUST_TOKEN_ISSUER_new(method(), issuer_max_batchsize));
Steven Valdez538a1242019-12-16 12:12:31 -0500[diff] [blame]574 ASSERT_TRUE(issuer);
575
576 // We configure the client and the issuer with different key IDs and test
577 // that the client notices.
578 const uint32_t kClientKeyID = 0;
579 const uint32_t kIssuerKeyID = 42;
580
581 uint8_t priv_key[TRUST_TOKEN_MAX_PRIVATE_KEY_SIZE];
582 uint8_t pub_key[TRUST_TOKEN_MAX_PUBLIC_KEY_SIZE];
583 size_t priv_key_len, pub_key_len, key_index;
584 ASSERT_TRUE(TRUST_TOKEN_generate_key(
David Benjamin239634d2020-04-29 11:17:51 -0400[diff] [blame]585 method(), priv_key, &priv_key_len, TRUST_TOKEN_MAX_PRIVATE_KEY_SIZE,
586 pub_key, &pub_key_len, TRUST_TOKEN_MAX_PUBLIC_KEY_SIZE, kClientKeyID));
Steven Valdez538a1242019-12-16 12:12:31 -0500[diff] [blame]587 ASSERT_TRUE(TRUST_TOKEN_CLIENT_add_key(client.get(), &key_index, pub_key,
588 pub_key_len));
589 ASSERT_EQ(0UL, key_index);
590
591 ASSERT_TRUE(TRUST_TOKEN_generate_key(
David Benjamin239634d2020-04-29 11:17:51 -0400[diff] [blame]592 method(), priv_key, &priv_key_len, TRUST_TOKEN_MAX_PRIVATE_KEY_SIZE,
593 pub_key, &pub_key_len, TRUST_TOKEN_MAX_PUBLIC_KEY_SIZE, kIssuerKeyID));
Steven Valdez538a1242019-12-16 12:12:31 -0500[diff] [blame]594 ASSERT_TRUE(TRUST_TOKEN_ISSUER_add_key(issuer.get(), priv_key, priv_key_len));
595
596
597 uint8_t public_key[32], private_key[64];
598 ED25519_keypair(public_key, private_key);
599 bssl::UniquePtr<EVP_PKEY> priv(
600 EVP_PKEY_new_raw_private_key(EVP_PKEY_ED25519, nullptr, private_key, 32));
601 ASSERT_TRUE(priv);
602 bssl::UniquePtr<EVP_PKEY> pub(
603 EVP_PKEY_new_raw_public_key(EVP_PKEY_ED25519, nullptr, public_key, 32));
604 ASSERT_TRUE(pub);
605
606 TRUST_TOKEN_CLIENT_set_srr_key(client.get(), pub.get());
607 TRUST_TOKEN_ISSUER_set_srr_key(issuer.get(), priv.get());
608 RAND_bytes(metadata_key, sizeof(metadata_key));
609 ASSERT_TRUE(TRUST_TOKEN_ISSUER_set_metadata_key(issuer.get(), metadata_key,
610 sizeof(metadata_key)));
611
612
613 uint8_t *issue_msg = NULL, *issue_resp = NULL;
614 size_t msg_len, resp_len;
615 ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_issuance(client.get(), &issue_msg,
616 &msg_len, 10));
617 bssl::UniquePtr<uint8_t> free_issue_msg(issue_msg);
David Benjamin17078f22020-04-28 17:50:13 -0400[diff] [blame]618 size_t tokens_issued;
Steven Valdez538a1242019-12-16 12:12:31 -0500[diff] [blame]619 ASSERT_TRUE(TRUST_TOKEN_ISSUER_issue(
620 issuer.get(), &issue_resp, &resp_len, &tokens_issued, issue_msg, msg_len,
621 /*public_metadata=*/42, /*private_metadata=*/0, /*max_issuance=*/10));
622 bssl::UniquePtr<uint8_t> free_msg(issue_resp);
623 bssl::UniquePtr<STACK_OF(TRUST_TOKEN)> tokens(
624 TRUST_TOKEN_CLIENT_finish_issuance(client.get(), &key_index, issue_resp,
625 resp_len));
626 ASSERT_FALSE(tokens);
627}
628
629class TrustTokenMetadataTest
David Benjaminaa764c42020-04-29 12:39:10 -0400[diff] [blame]630 : public TrustTokenProtocolTestBase,
631 public testing::WithParamInterface<
632 std::tuple<const TRUST_TOKEN_METHOD *, int, bool>> {
633 public:
634 TrustTokenMetadataTest()
635 : TrustTokenProtocolTestBase(std::get<0>(GetParam())) {}
636
637 int public_metadata() { return std::get<1>(GetParam()); }
638 bool private_metadata() { return std::get<2>(GetParam()); }
639};
Steven Valdez538a1242019-12-16 12:12:31 -0500[diff] [blame]640
641TEST_P(TrustTokenMetadataTest, SetAndGetMetadata) {
642 ASSERT_NO_FATAL_FAILURE(SetupContexts());
643
644 uint8_t *issue_msg = NULL, *issue_resp = NULL;
645 size_t msg_len, resp_len;
646 ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_issuance(client.get(), &issue_msg,
647 &msg_len, 10));
648 bssl::UniquePtr<uint8_t> free_issue_msg(issue_msg);
David Benjamin17078f22020-04-28 17:50:13 -0400[diff] [blame]649 size_t tokens_issued;
Steven Valdez9adcb0a2020-09-10 10:59:15 -0400[diff] [blame]650 bool result = TRUST_TOKEN_ISSUER_issue(
Steven Valdez538a1242019-12-16 12:12:31 -0500[diff] [blame]651 issuer.get(), &issue_resp, &resp_len, &tokens_issued, issue_msg, msg_len,
Steven Valdez9adcb0a2020-09-10 10:59:15 -0400[diff] [blame]652 public_metadata(), private_metadata(), /*max_issuance=*/1);
653 if (!method()->has_private_metadata && private_metadata()) {
654 ASSERT_FALSE(result);
655 return;
656 }
657 ASSERT_TRUE(result);
Steven Valdez538a1242019-12-16 12:12:31 -0500[diff] [blame]658 bssl::UniquePtr<uint8_t> free_msg(issue_resp);
659 size_t key_index;
660 bssl::UniquePtr<STACK_OF(TRUST_TOKEN)> tokens(
661 TRUST_TOKEN_CLIENT_finish_issuance(client.get(), &key_index, issue_resp,
662 resp_len));
663 ASSERT_TRUE(tokens);
664
665 for (TRUST_TOKEN *token : tokens.get()) {
Steven Valdez8f3019e2020-04-17 09:36:06 -0400[diff] [blame]666 const uint8_t kClientData[] = "\x70TEST CLIENT DATA";
Steven Valdez07827152020-10-13 11:04:33 -0400[diff] [blame]667 uint64_t kRedemptionTime = (method()->has_srr ? 13374242 : 0);
Steven Valdez538a1242019-12-16 12:12:31 -0500[diff] [blame]668
Steven Valdez07827152020-10-13 11:04:33 -0400[diff] [blame]669 const uint8_t kExpectedSRRV1[] =
Steven Valdez78b33372020-05-14 15:00:28 -0400[diff] [blame]670 "\xa4\x68\x6d\x65\x74\x61\x64\x61\x74\x61\xa2\x66\x70\x75\x62\x6c\x69"
Steven Valdez54304732020-05-04 11:56:12 -0400[diff] [blame]671 "\x63\x00\x67\x70\x72\x69\x76\x61\x74\x65\x00\x6a\x74\x6f\x6b\x65\x6e"
672 "\x2d\x68\x61\x73\x68\x58\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
673 "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
674 "\x00\x00\x00\x00\x00\x6b\x63\x6c\x69\x65\x6e\x74\x2d\x64\x61\x74\x61"
675 "\x70\x54\x45\x53\x54\x20\x43\x4c\x49\x45\x4e\x54\x20\x44\x41\x54\x41"
676 "\x70\x65\x78\x70\x69\x72\x79\x2d\x74\x69\x6d\x65\x73\x74\x61\x6d\x70"
677 "\x1a\x00\xcc\x15\x7a";
678
Steven Valdez07827152020-10-13 11:04:33 -0400[diff] [blame]679 const uint8_t kExpectedSRRV2[] =
680 "\xa4\x68\x6d\x65\x74\x61\x64\x61\x74\x61\xa2\x66\x70\x75\x62\x6c\x69"
681 "\x63\x00\x67\x70\x72\x69\x76\x61\x74\x65\x00\x6a\x74\x6f\x6b\x65\x6e"
682 "\x2d\x68\x61\x73\x68\x58\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
683 "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
684 "\x00\x00\x00\x00\x00\x6b\x63\x6c\x69\x65\x6e\x74\x2d\x64\x61\x74\x61"
685 "\x70\x54\x45\x53\x54\x20\x43\x4c\x49\x45\x4e\x54\x20\x44\x41\x54\x41"
686 "\x70\x65\x78\x70\x69\x72\x79\x2d\x74\x69\x6d\x65\x73\x74\x61\x6d\x70"
687 "\x00";
688
689 const uint8_t *expected_srr = kExpectedSRRV1;
690 size_t expected_srr_len = sizeof(kExpectedSRRV1) - 1;
691 if (!method()->has_srr) {
692 expected_srr = kExpectedSRRV2;
693 expected_srr_len = sizeof(kExpectedSRRV2) - 1;
694 }
695
Steven Valdez538a1242019-12-16 12:12:31 -0500[diff] [blame]696 uint8_t *redeem_msg = NULL, *redeem_resp = NULL;
697 ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_redemption(
698 client.get(), &redeem_msg, &msg_len, token, kClientData,
699 sizeof(kClientData) - 1, kRedemptionTime));
700 bssl::UniquePtr<uint8_t> free_redeem_msg(redeem_msg);
701 TRUST_TOKEN *rtoken;
702 uint8_t *client_data;
703 size_t client_data_len;
704 uint64_t redemption_time;
705 ASSERT_TRUE(TRUST_TOKEN_ISSUER_redeem(
706 issuer.get(), &redeem_resp, &resp_len, &rtoken, &client_data,
707 &client_data_len, &redemption_time, redeem_msg, msg_len, 600));
708 bssl::UniquePtr<uint8_t> free_redeem_resp(redeem_resp);
709 bssl::UniquePtr<uint8_t> free_client_data(client_data);
710 bssl::UniquePtr<TRUST_TOKEN> free_rtoken(rtoken);
711
712 ASSERT_EQ(redemption_time, kRedemptionTime);
Steven Valdez54304732020-05-04 11:56:12 -0400[diff] [blame]713 ASSERT_EQ(Bytes(kClientData, sizeof(kClientData) - 1),
714 Bytes(client_data, client_data_len));
Steven Valdez538a1242019-12-16 12:12:31 -0500[diff] [blame]715
716 uint8_t *srr = NULL, *sig = NULL;
717 size_t srr_len, sig_len;
718 ASSERT_TRUE(TRUST_TOKEN_CLIENT_finish_redemption(
719 client.get(), &srr, &srr_len, &sig, &sig_len, redeem_resp, resp_len));
720 bssl::UniquePtr<uint8_t> free_srr(srr);
721 bssl::UniquePtr<uint8_t> free_sig(sig);
722
Steven Valdezf2b2ef82020-09-21 11:39:22 -0400[diff] [blame]723 if (!method()->has_srr) {
724 size_t b64_len;
Steven Valdez07827152020-10-13 11:04:33 -0400[diff] [blame]725 ASSERT_TRUE(EVP_EncodedLength(&b64_len, expected_srr_len));
Steven Valdezf2b2ef82020-09-21 11:39:22 -0400[diff] [blame]726 b64_len -= 1;
Steven Valdezf2b2ef82020-09-21 11:39:22 -0400[diff] [blame]727 const char kSRRHeader[] = "body=:";
728 ASSERT_LT(sizeof(kSRRHeader) - 1 + b64_len, srr_len);
729
730 ASSERT_EQ(Bytes(kSRRHeader, sizeof(kSRRHeader) - 1),
731 Bytes(srr, sizeof(kSRRHeader) - 1));
732 uint8_t *decoded_srr =
Steven Valdez07827152020-10-13 11:04:33 -0400[diff] [blame]733 (uint8_t *)OPENSSL_malloc(expected_srr_len + 2);
Steven Valdezf2b2ef82020-09-21 11:39:22 -0400[diff] [blame]734 ASSERT_TRUE(decoded_srr);
Steven Valdez07827152020-10-13 11:04:33 -0400[diff] [blame]735 ASSERT_LE(
736 int(expected_srr_len),
Steven Valdezf2b2ef82020-09-21 11:39:22 -0400[diff] [blame]737 EVP_DecodeBlock(decoded_srr, srr + sizeof(kSRRHeader) - 1, b64_len));
738 srr = decoded_srr;
Steven Valdez07827152020-10-13 11:04:33 -0400[diff] [blame]739 srr_len = expected_srr_len;
Steven Valdezf2b2ef82020-09-21 11:39:22 -0400[diff] [blame]740 free_srr.reset(srr);
741 }
742
Steven Valdezd0637e92020-06-03 15:43:49 -0400[diff] [blame]743 const uint8_t kTokenHashDSTLabel[] = "TrustTokenV0 TokenHash";
744 uint8_t token_hash[SHA256_DIGEST_LENGTH];
745 SHA256_CTX sha_ctx;
746 SHA256_Init(&sha_ctx);
747 SHA256_Update(&sha_ctx, kTokenHashDSTLabel, sizeof(kTokenHashDSTLabel));
748 SHA256_Update(&sha_ctx, token->data, token->len);
749 SHA256_Final(token_hash, &sha_ctx);
Steven Valdez538a1242019-12-16 12:12:31 -0500[diff] [blame]750
Steven Valdezd0637e92020-06-03 15:43:49 -0400[diff] [blame]751 // Check the token hash is in the SRR.
752 ASSERT_EQ(Bytes(token_hash), Bytes(srr + 41, sizeof(token_hash)));
Steven Valdez538a1242019-12-16 12:12:31 -0500[diff] [blame]753
Steven Valdezd0637e92020-06-03 15:43:49 -0400[diff] [blame]754 uint8_t decode_private_metadata;
755 ASSERT_TRUE(TRUST_TOKEN_decode_private_metadata(
Steven Valdezf2b2ef82020-09-21 11:39:22 -0400[diff] [blame]756 method(), &decode_private_metadata, metadata_key,
757 sizeof(metadata_key), token_hash, sizeof(token_hash), srr[27]));
Steven Valdezd0637e92020-06-03 15:43:49 -0400[diff] [blame]758 ASSERT_EQ(srr[18], public_metadata());
759 ASSERT_EQ(decode_private_metadata, private_metadata());
Steven Valdez54304732020-05-04 11:56:12 -0400[diff] [blame]760
Steven Valdezd0637e92020-06-03 15:43:49 -0400[diff] [blame]761 // Clear out the metadata bits.
762 srr[18] = 0;
763 srr[27] = 0;
Steven Valdez54304732020-05-04 11:56:12 -0400[diff] [blame]764
Steven Valdezd0637e92020-06-03 15:43:49 -0400[diff] [blame]765 // Clear out the token hash.
766 OPENSSL_memset(srr + 41, 0, sizeof(token_hash));
Steven Valdez54304732020-05-04 11:56:12 -0400[diff] [blame]767
Steven Valdez07827152020-10-13 11:04:33 -0400[diff] [blame]768 ASSERT_EQ(Bytes(expected_srr, expected_srr_len),
Steven Valdezd0637e92020-06-03 15:43:49 -0400[diff] [blame]769 Bytes(srr, srr_len));
Steven Valdez538a1242019-12-16 12:12:31 -0500[diff] [blame]770 }
771}
772
Steven Valdez07827152020-10-13 11:04:33 -0400[diff] [blame]773TEST_P(TrustTokenMetadataTest, RawSetAndGetMetadata) {
774 ASSERT_NO_FATAL_FAILURE(SetupContexts());
775
776 uint8_t *issue_msg = NULL, *issue_resp = NULL;
777 size_t msg_len, resp_len;
778 ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_issuance(client.get(), &issue_msg,
779 &msg_len, 10));
780 bssl::UniquePtr<uint8_t> free_issue_msg(issue_msg);
781 size_t tokens_issued;
782 bool result = TRUST_TOKEN_ISSUER_issue(
783 issuer.get(), &issue_resp, &resp_len, &tokens_issued, issue_msg, msg_len,
784 public_metadata(), private_metadata(), /*max_issuance=*/1);
785 if (!method()->has_private_metadata && private_metadata()) {
786 ASSERT_FALSE(result);
787 return;
788 }
789 ASSERT_TRUE(result);
790 bssl::UniquePtr<uint8_t> free_msg(issue_resp);
791 size_t key_index;
792 bssl::UniquePtr<STACK_OF(TRUST_TOKEN)> tokens(
793 TRUST_TOKEN_CLIENT_finish_issuance(client.get(), &key_index, issue_resp,
794 resp_len));
795 ASSERT_TRUE(tokens);
796 EXPECT_EQ(1u, sk_TRUST_TOKEN_num(tokens.get()));
797
798 for (TRUST_TOKEN *token : tokens.get()) {
799 const uint8_t kClientData[] = "\x70TEST CLIENT DATA";
800 uint64_t kRedemptionTime = (method()->has_srr ? 13374242 : 0);
801
802 uint8_t *redeem_msg = NULL;
803 ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_redemption(
804 client.get(), &redeem_msg, &msg_len, token, kClientData,
805 sizeof(kClientData) - 1, kRedemptionTime));
806 bssl::UniquePtr<uint8_t> free_redeem_msg(redeem_msg);
807 uint32_t public_value;
808 uint8_t private_value;
809 TRUST_TOKEN *rtoken;
810 uint8_t *client_data;
811 size_t client_data_len;
812 ASSERT_TRUE(TRUST_TOKEN_ISSUER_redeem_raw(
813 issuer.get(), &public_value, &private_value, &rtoken,
814 &client_data, &client_data_len, redeem_msg, msg_len));
815 bssl::UniquePtr<uint8_t> free_client_data(client_data);
816 bssl::UniquePtr<TRUST_TOKEN> free_rtoken(rtoken);
817
818 ASSERT_EQ(Bytes(kClientData, sizeof(kClientData) - 1),
819 Bytes(client_data, client_data_len));
820 ASSERT_EQ(public_value, static_cast<uint32_t>(public_metadata()));
821 ASSERT_EQ(private_value, private_metadata());
822 }
823}
824
Steven Valdez538a1242019-12-16 12:12:31 -0500[diff] [blame]825TEST_P(TrustTokenMetadataTest, TooManyRequests) {
Steven Valdez9adcb0a2020-09-10 10:59:15 -0400[diff] [blame]826 if (!method()->has_private_metadata && private_metadata()) {
827 return;
828 }
829
Steven Valdez538a1242019-12-16 12:12:31 -0500[diff] [blame]830 issuer_max_batchsize = 1;
831 ASSERT_NO_FATAL_FAILURE(SetupContexts());
832
833 uint8_t *issue_msg = NULL, *issue_resp = NULL;
834 size_t msg_len, resp_len;
835 ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_issuance(client.get(), &issue_msg,
836 &msg_len, 10));
837 bssl::UniquePtr<uint8_t> free_issue_msg(issue_msg);
David Benjamin17078f22020-04-28 17:50:13 -0400[diff] [blame]838 size_t tokens_issued;
Steven Valdez538a1242019-12-16 12:12:31 -0500[diff] [blame]839 ASSERT_TRUE(TRUST_TOKEN_ISSUER_issue(
840 issuer.get(), &issue_resp, &resp_len, &tokens_issued, issue_msg, msg_len,
David Benjaminaa764c42020-04-29 12:39:10 -0400[diff] [blame]841 public_metadata(), private_metadata(), /*max_issuance=*/1));
Steven Valdez538a1242019-12-16 12:12:31 -0500[diff] [blame]842 bssl::UniquePtr<uint8_t> free_msg(issue_resp);
843 ASSERT_EQ(tokens_issued, issuer_max_batchsize);
844 size_t key_index;
845 bssl::UniquePtr<STACK_OF(TRUST_TOKEN)> tokens(
846 TRUST_TOKEN_CLIENT_finish_issuance(client.get(), &key_index, issue_resp,
847 resp_len));
848 ASSERT_TRUE(tokens);
849 ASSERT_EQ(sk_TRUST_TOKEN_num(tokens.get()), 1UL);
850}
851
Steven Valdez78987bb2020-04-09 14:57:31 -0400[diff] [blame]852
853TEST_P(TrustTokenMetadataTest, TruncatedProof) {
Steven Valdez9adcb0a2020-09-10 10:59:15 -0400[diff] [blame]854 if (!method()->has_private_metadata && private_metadata()) {
855 return;
856 }
857
Steven Valdez78987bb2020-04-09 14:57:31 -0400[diff] [blame]858 ASSERT_NO_FATAL_FAILURE(SetupContexts());
859
860 uint8_t *issue_msg = NULL, *issue_resp = NULL;
861 size_t msg_len, resp_len;
862 ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_issuance(client.get(), &issue_msg,
863 &msg_len, 10));
864 bssl::UniquePtr<uint8_t> free_issue_msg(issue_msg);
David Benjamin17078f22020-04-28 17:50:13 -0400[diff] [blame]865 size_t tokens_issued;
Steven Valdez78987bb2020-04-09 14:57:31 -0400[diff] [blame]866 ASSERT_TRUE(TRUST_TOKEN_ISSUER_issue(
867 issuer.get(), &issue_resp, &resp_len, &tokens_issued, issue_msg, msg_len,
David Benjaminaa764c42020-04-29 12:39:10 -0400[diff] [blame]868 public_metadata(), private_metadata(), /*max_issuance=*/1));
Steven Valdez78987bb2020-04-09 14:57:31 -0400[diff] [blame]869 bssl::UniquePtr<uint8_t> free_msg(issue_resp);
870
871 CBS real_response;
872 CBS_init(&real_response, issue_resp, resp_len);
873 uint16_t count;
David Benjamin043fba22020-10-21 11:14:59 -0400[diff] [blame]874 uint32_t parsed_public_metadata;
Steven Valdez78987bb2020-04-09 14:57:31 -0400[diff] [blame]875 bssl::ScopedCBB bad_response;
876 ASSERT_TRUE(CBB_init(bad_response.get(), 0));
877 ASSERT_TRUE(CBS_get_u16(&real_response, &count));
878 ASSERT_TRUE(CBB_add_u16(bad_response.get(), count));
David Benjamin043fba22020-10-21 11:14:59 -0400[diff] [blame]879 ASSERT_TRUE(CBS_get_u32(&real_response, &parsed_public_metadata));
880 ASSERT_TRUE(CBB_add_u32(bad_response.get(), parsed_public_metadata));
Steven Valdez78987bb2020-04-09 14:57:31 -0400[diff] [blame]881
Steven Valdez9adcb0a2020-09-10 10:59:15 -0400[diff] [blame]882 const EC_GROUP *group = EC_GROUP_new_by_curve_name(NID_secp384r1);
883 size_t token_length =
Steven Valdezf2b2ef82020-09-21 11:39:22 -0400[diff] [blame]884 TRUST_TOKEN_NONCE_SIZE + 2 * (1 + 2 * BN_num_bytes(&group->field));
Steven Valdez9adcb0a2020-09-10 10:59:15 -0400[diff] [blame]885 if (method() == TRUST_TOKEN_experiment_v1()) {
886 token_length += 4;
887 }
Steven Valdezf2b2ef82020-09-21 11:39:22 -0400[diff] [blame]888 if (method() == TRUST_TOKEN_experiment_v2_voprf()) {
889 token_length = 1 + 2 * BN_num_bytes(&group->field);
890 }
Steven Valdez78987bb2020-04-09 14:57:31 -0400[diff] [blame]891 for (size_t i = 0; i < count; i++) {
Steven Valdez9adcb0a2020-09-10 10:59:15 -0400[diff] [blame]892 ASSERT_TRUE(CBB_add_bytes(bad_response.get(), CBS_data(&real_response),
893 token_length));
894 ASSERT_TRUE(CBS_skip(&real_response, token_length));
Steven Valdezb55a8c12020-05-08 14:22:14 -0400[diff] [blame]895 }
896
Steven Valdezd0637e92020-06-03 15:43:49 -0400[diff] [blame]897 CBS tmp;
898 ASSERT_TRUE(CBS_get_u16_length_prefixed(&real_response, &tmp));
899 CBB dleq;
900 ASSERT_TRUE(CBB_add_u16_length_prefixed(bad_response.get(), &dleq));
901 ASSERT_TRUE(CBB_add_bytes(&dleq, CBS_data(&tmp), CBS_len(&tmp) - 2));
902 ASSERT_TRUE(CBB_flush(bad_response.get()));
Steven Valdez78987bb2020-04-09 14:57:31 -0400[diff] [blame]903
904 uint8_t *bad_buf;
905 size_t bad_len;
906 ASSERT_TRUE(CBB_finish(bad_response.get(), &bad_buf, &bad_len));
907 bssl::UniquePtr<uint8_t> free_bad(bad_buf);
908
909 size_t key_index;
910 bssl::UniquePtr<STACK_OF(TRUST_TOKEN)> tokens(
David Benjaminaa764c42020-04-29 12:39:10 -0400[diff] [blame]911 TRUST_TOKEN_CLIENT_finish_issuance(client.get(), &key_index, bad_buf,
912 bad_len));
Steven Valdez78987bb2020-04-09 14:57:31 -0400[diff] [blame]913 ASSERT_FALSE(tokens);
914}
915
916TEST_P(TrustTokenMetadataTest, ExcessDataProof) {
Steven Valdez9adcb0a2020-09-10 10:59:15 -0400[diff] [blame]917 if (!method()->has_private_metadata && private_metadata()) {
918 return;
919 }
920
Steven Valdez78987bb2020-04-09 14:57:31 -0400[diff] [blame]921 ASSERT_NO_FATAL_FAILURE(SetupContexts());
922
923 uint8_t *issue_msg = NULL, *issue_resp = NULL;
924 size_t msg_len, resp_len;
925 ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_issuance(client.get(), &issue_msg,
926 &msg_len, 10));
927 bssl::UniquePtr<uint8_t> free_issue_msg(issue_msg);
David Benjamin17078f22020-04-28 17:50:13 -0400[diff] [blame]928 size_t tokens_issued;
Steven Valdez78987bb2020-04-09 14:57:31 -0400[diff] [blame]929 ASSERT_TRUE(TRUST_TOKEN_ISSUER_issue(
930 issuer.get(), &issue_resp, &resp_len, &tokens_issued, issue_msg, msg_len,
David Benjaminaa764c42020-04-29 12:39:10 -0400[diff] [blame]931 public_metadata(), private_metadata(), /*max_issuance=*/1));
Steven Valdez78987bb2020-04-09 14:57:31 -0400[diff] [blame]932 bssl::UniquePtr<uint8_t> free_msg(issue_resp);
933
934 CBS real_response;
935 CBS_init(&real_response, issue_resp, resp_len);
936 uint16_t count;
David Benjamin043fba22020-10-21 11:14:59 -0400[diff] [blame]937 uint32_t parsed_public_metadata;
Steven Valdez78987bb2020-04-09 14:57:31 -0400[diff] [blame]938 bssl::ScopedCBB bad_response;
939 ASSERT_TRUE(CBB_init(bad_response.get(), 0));
940 ASSERT_TRUE(CBS_get_u16(&real_response, &count));
941 ASSERT_TRUE(CBB_add_u16(bad_response.get(), count));
David Benjamin043fba22020-10-21 11:14:59 -0400[diff] [blame]942 ASSERT_TRUE(CBS_get_u32(&real_response, &parsed_public_metadata));
943 ASSERT_TRUE(CBB_add_u32(bad_response.get(), parsed_public_metadata));
Steven Valdez78987bb2020-04-09 14:57:31 -0400[diff] [blame]944
Steven Valdez9adcb0a2020-09-10 10:59:15 -0400[diff] [blame]945 const EC_GROUP *group = EC_GROUP_new_by_curve_name(NID_secp384r1);
946 size_t token_length =
Steven Valdezf2b2ef82020-09-21 11:39:22 -0400[diff] [blame]947 TRUST_TOKEN_NONCE_SIZE + 2 * (1 + 2 * BN_num_bytes(&group->field));
Steven Valdez9adcb0a2020-09-10 10:59:15 -0400[diff] [blame]948 if (method() == TRUST_TOKEN_experiment_v1()) {
949 token_length += 4;
950 }
Steven Valdezf2b2ef82020-09-21 11:39:22 -0400[diff] [blame]951 if (method() == TRUST_TOKEN_experiment_v2_voprf()) {
952 token_length = 1 + 2 * BN_num_bytes(&group->field);
953 }
Steven Valdez78987bb2020-04-09 14:57:31 -0400[diff] [blame]954 for (size_t i = 0; i < count; i++) {
Steven Valdez9adcb0a2020-09-10 10:59:15 -0400[diff] [blame]955 ASSERT_TRUE(CBB_add_bytes(bad_response.get(), CBS_data(&real_response),
956 token_length));
957 ASSERT_TRUE(CBS_skip(&real_response, token_length));
Steven Valdezb55a8c12020-05-08 14:22:14 -0400[diff] [blame]958 }
959
Steven Valdezd0637e92020-06-03 15:43:49 -0400[diff] [blame]960 CBS tmp;
961 ASSERT_TRUE(CBS_get_u16_length_prefixed(&real_response, &tmp));
962 CBB dleq;
963 ASSERT_TRUE(CBB_add_u16_length_prefixed(bad_response.get(), &dleq));
964 ASSERT_TRUE(CBB_add_bytes(&dleq, CBS_data(&tmp), CBS_len(&tmp)));
965 ASSERT_TRUE(CBB_add_u16(&dleq, 42));
966 ASSERT_TRUE(CBB_flush(bad_response.get()));
Steven Valdez78987bb2020-04-09 14:57:31 -0400[diff] [blame]967
968 uint8_t *bad_buf;
969 size_t bad_len;
970 ASSERT_TRUE(CBB_finish(bad_response.get(), &bad_buf, &bad_len));
971 bssl::UniquePtr<uint8_t> free_bad(bad_buf);
972
973 size_t key_index;
974 bssl::UniquePtr<STACK_OF(TRUST_TOKEN)> tokens(
975 TRUST_TOKEN_CLIENT_finish_issuance(client.get(), &key_index, bad_buf,
976 bad_len));
977 ASSERT_FALSE(tokens);
978}
979
Steven Valdez538a1242019-12-16 12:12:31 -0500[diff] [blame]980INSTANTIATE_TEST_SUITE_P(
981 TrustTokenAllMetadataTest, TrustTokenMetadataTest,
David Benjaminaa764c42020-04-29 12:39:10 -0400[diff] [blame]982 testing::Combine(testing::ValuesIn(AllMethods()),
983 testing::Values(TrustTokenProtocolTest::KeyID(0),
Steven Valdez538a1242019-12-16 12:12:31 -0500[diff] [blame]984 TrustTokenProtocolTest::KeyID(1),
985 TrustTokenProtocolTest::KeyID(2)),
986 testing::Bool()));
987
Steven Valdez78987bb2020-04-09 14:57:31 -0400[diff] [blame]988class TrustTokenBadKeyTest
David Benjaminaa764c42020-04-29 12:39:10 -0400[diff] [blame]989 : public TrustTokenProtocolTestBase,
990 public testing::WithParamInterface<
991 std::tuple<const TRUST_TOKEN_METHOD *, bool, int>> {
992 public:
993 TrustTokenBadKeyTest()
994 : TrustTokenProtocolTestBase(std::get<0>(GetParam())) {}
995
996 bool private_metadata() { return std::get<1>(GetParam()); }
997 int corrupted_key() { return std::get<2>(GetParam()); }
998};
Steven Valdez78987bb2020-04-09 14:57:31 -0400[diff] [blame]999
1000TEST_P(TrustTokenBadKeyTest, BadKey) {
Steven Valdezf2b2ef82020-09-21 11:39:22 -0400[diff] [blame]1001 // For versions without private metadata, only corruptions of 'xs' (the 4th
1002 // entry in |scalars| below) result in a bad key, as the other scalars are
1003 // unused internally.
1004 if (!method()->has_private_metadata &&
1005 (private_metadata() || corrupted_key() != 4)) {
Steven Valdez9adcb0a2020-09-10 10:59:15 -0400[diff] [blame]1006 return;
1007 }
1008
Steven Valdez78987bb2020-04-09 14:57:31 -0400[diff] [blame]1009 ASSERT_NO_FATAL_FAILURE(SetupContexts());
1010
1011 uint8_t *issue_msg = NULL, *issue_resp = NULL;
1012 size_t msg_len, resp_len;
1013 ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_issuance(client.get(), &issue_msg,
1014 &msg_len, 10));
1015 bssl::UniquePtr<uint8_t> free_issue_msg(issue_msg);
1016
1017 struct trust_token_issuer_key_st *key = &issuer->keys[0];
David Benjamin090ee962020-04-28 17:08:37 -0400[diff] [blame]1018 EC_SCALAR *scalars[] = {&key->key.x0, &key->key.y0, &key->key.x1,
1019 &key->key.y1, &key->key.xs, &key->key.ys};
Steven Valdez78987bb2020-04-09 14:57:31 -0400[diff] [blame]1020
1021 // Corrupt private key scalar.
David Benjamin227ff6e2022-05-05 08:43:27 -0400[diff] [blame]1022 scalars[corrupted_key()]->words[0] ^= 42;
Steven Valdez78987bb2020-04-09 14:57:31 -0400[diff] [blame]1023
David Benjamin17078f22020-04-28 17:50:13 -0400[diff] [blame]1024 size_t tokens_issued;
Steven Valdez78987bb2020-04-09 14:57:31 -0400[diff] [blame]1025 ASSERT_TRUE(TRUST_TOKEN_ISSUER_issue(
1026 issuer.get(), &issue_resp, &resp_len, &tokens_issued, issue_msg, msg_len,
David Benjaminaa764c42020-04-29 12:39:10 -0400[diff] [blame]1027 /*public_metadata=*/7, private_metadata(), /*max_issuance=*/1));
Steven Valdez78987bb2020-04-09 14:57:31 -0400[diff] [blame]1028 bssl::UniquePtr<uint8_t> free_msg(issue_resp);
1029 size_t key_index;
1030 bssl::UniquePtr<STACK_OF(TRUST_TOKEN)> tokens(
1031 TRUST_TOKEN_CLIENT_finish_issuance(client.get(), &key_index, issue_resp,
1032 resp_len));
1033
1034 // If the unused private key is corrupted, then the DLEQ proof should succeed.
David Benjaminaa764c42020-04-29 12:39:10 -0400[diff] [blame]1035 if ((corrupted_key() / 2 == 0 && private_metadata() == true) ||
1036 (corrupted_key() / 2 == 1 && private_metadata() == false)) {
Steven Valdez78987bb2020-04-09 14:57:31 -0400[diff] [blame]1037 ASSERT_TRUE(tokens);
1038 } else {
1039 ASSERT_FALSE(tokens);
1040 }
1041}
1042
David Benjaminaa764c42020-04-29 12:39:10 -0400[diff] [blame]1043INSTANTIATE_TEST_SUITE_P(TrustTokenAllBadKeyTest, TrustTokenBadKeyTest,
1044 testing::Combine(testing::ValuesIn(AllMethods()),
1045 testing::Bool(),
1046 testing::Values(0, 1, 2, 3, 4, 5)));
Steven Valdez78987bb2020-04-09 14:57:31 -0400[diff] [blame]1047
Steven Valdez538a1242019-12-16 12:12:31 -0500[diff] [blame]1048} // namespace
1049BSSL_NAMESPACE_END