blob: 5ab80cddcf913777cbdd15d6b62430a345e38200 [file] [log] [blame]
Steven Valdez0b710a32020-02-14 10:34:53 -05001/* Copyright (c) 2020, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
Steven Valdez538a1242019-12-16 12:12:31 -050015#include <stdio.h>
16#include <string.h>
17#include <time.h>
18
19#include <algorithm>
20#include <limits>
21#include <string>
22#include <tuple>
23#include <utility>
24#include <vector>
25
Steven Valdez0b710a32020-02-14 10:34:53 -050026#include <gtest/gtest.h>
27
Steven Valdez538a1242019-12-16 12:12:31 -050028#include <openssl/bytestring.h>
29#include <openssl/curve25519.h>
30#include <openssl/evp.h>
31#include <openssl/mem.h>
32#include <openssl/rand.h>
Steven Valdez54304732020-05-04 11:56:12 -040033#include <openssl/sha.h>
Steven Valdez0b710a32020-02-14 10:34:53 -050034#include <openssl/trust_token.h>
35
David Benjaminaa764c42020-04-29 12:39:10 -040036#include "../ec_extra/internal.h"
37#include "../fipsmodule/ec/internal.h"
Steven Valdez538a1242019-12-16 12:12:31 -050038#include "../internal.h"
David Benjaminaa764c42020-04-29 12:39:10 -040039#include "../test/test_util.h"
Steven Valdez538a1242019-12-16 12:12:31 -050040#include "internal.h"
41
42
43BSSL_NAMESPACE_BEGIN
44
45namespace {
Steven Valdez0b710a32020-02-14 10:34:53 -050046
David Benjaminaa764c42020-04-29 12:39:10 -040047TEST(TrustTokenTest, KeyGenExp1) {
48 uint8_t priv_key[TRUST_TOKEN_MAX_PRIVATE_KEY_SIZE];
49 uint8_t pub_key[TRUST_TOKEN_MAX_PUBLIC_KEY_SIZE];
50 size_t priv_key_len, pub_key_len;
51 ASSERT_TRUE(TRUST_TOKEN_generate_key(
52 TRUST_TOKEN_experiment_v1(), priv_key, &priv_key_len,
53 TRUST_TOKEN_MAX_PRIVATE_KEY_SIZE, pub_key, &pub_key_len,
54 TRUST_TOKEN_MAX_PUBLIC_KEY_SIZE, 0x0001));
55 ASSERT_EQ(292u, priv_key_len);
56 ASSERT_EQ(301u, pub_key_len);
Steven Valdezaa5f6012022-06-14 11:16:02 -040057
58 const uint8_t kKeygenSecret[] = "SEED";
59 ASSERT_TRUE(TRUST_TOKEN_derive_key_from_secret(
60 TRUST_TOKEN_experiment_v1(), priv_key, &priv_key_len,
61 TRUST_TOKEN_MAX_PRIVATE_KEY_SIZE, pub_key, &pub_key_len,
62 TRUST_TOKEN_MAX_PUBLIC_KEY_SIZE, 0x0001, kKeygenSecret,
63 sizeof(kKeygenSecret) - 1));
64
65 const uint8_t kExpectedPriv[] = {
66 0x00, 0x00, 0x00, 0x01, 0x98, 0xaa, 0x32, 0xfc, 0x5f, 0x83, 0x35, 0xea,
67 0x57, 0x4f, 0x9e, 0x61, 0x48, 0x6e, 0x89, 0x9d, 0x3d, 0xaa, 0x38, 0x5d,
68 0xd0, 0x06, 0x96, 0x62, 0xe8, 0x0b, 0xd6, 0x5f, 0x12, 0xa4, 0xcc, 0xa9,
69 0xb5, 0x20, 0x1b, 0x13, 0x8c, 0x1c, 0xaf, 0x36, 0x1b, 0xab, 0x0c, 0xc6,
70 0xac, 0x38, 0xae, 0x96, 0x3d, 0x14, 0x9d, 0xb8, 0x8d, 0xf4, 0x7f, 0xe2,
71 0x7d, 0xeb, 0x17, 0xc2, 0xbc, 0x63, 0x42, 0x93, 0x94, 0xe4, 0x97, 0xbf,
72 0x97, 0xea, 0x02, 0x40, 0xac, 0xb6, 0xa5, 0x03, 0x4c, 0x6b, 0x4c, 0xb8,
73 0x8c, 0xf4, 0x66, 0x1b, 0x4e, 0x02, 0x45, 0xf9, 0xcd, 0xb6, 0x0f, 0x59,
74 0x09, 0x21, 0x03, 0x7e, 0x92, 0x1f, 0x3f, 0x40, 0x83, 0x50, 0xe3, 0xdc,
75 0x9e, 0x6f, 0x65, 0xc5, 0xbd, 0x2c, 0x7d, 0xab, 0x74, 0x49, 0xc8, 0xa2,
76 0x3c, 0xab, 0xcb, 0x4d, 0x63, 0x73, 0x81, 0x2b, 0xb2, 0x1e, 0x00, 0x8f,
77 0x00, 0xb8, 0xd8, 0xb4, 0x5d, 0xc4, 0x3f, 0x3d, 0xa8, 0x4f, 0x4c, 0x72,
78 0x0e, 0x20, 0x17, 0x4b, 0xac, 0x14, 0x8f, 0xb2, 0xa5, 0x20, 0x41, 0x2b,
79 0xf7, 0x62, 0x25, 0x6a, 0xd6, 0x41, 0x26, 0x62, 0x10, 0xc1, 0xbc, 0x42,
80 0xac, 0x54, 0x1b, 0x75, 0x05, 0xd6, 0x53, 0xb1, 0x7b, 0x84, 0x6a, 0x7b,
81 0x5b, 0x2a, 0x34, 0x6e, 0x43, 0x4b, 0x43, 0xcc, 0x6c, 0xdb, 0x1d, 0x02,
82 0x34, 0x7f, 0xd1, 0xe8, 0xfd, 0x42, 0x2c, 0xd9, 0x14, 0xdb, 0xd6, 0xf4,
83 0xad, 0xb5, 0xe4, 0xac, 0xdd, 0x7e, 0xb5, 0x4c, 0x3f, 0x59, 0x24, 0xfa,
84 0x04, 0xd9, 0xb6, 0xd2, 0xb7, 0x7d, 0xf1, 0xfa, 0x13, 0xc0, 0x4d, 0xd5,
85 0xca, 0x3a, 0x4e, 0xa8, 0xdd, 0xa9, 0xfc, 0xcb, 0x06, 0xb2, 0xde, 0x4b,
86 0x2a, 0x86, 0xbb, 0x0d, 0x41, 0xb6, 0x3d, 0xfb, 0x49, 0xc8, 0xdf, 0x9a,
87 0x48, 0xe5, 0x68, 0x8a, 0xfc, 0x86, 0x9c, 0x79, 0x5a, 0x79, 0xc1, 0x09,
88 0x33, 0x53, 0xdc, 0x3d, 0xe9, 0x93, 0x7c, 0x5b, 0x72, 0xf7, 0xa0, 0x8a,
89 0x1f, 0x07, 0x6c, 0x38, 0x3c, 0x99, 0x0b, 0xe4, 0x4e, 0xa4, 0xbd, 0x41,
90 0x1f, 0x83, 0xa6, 0xd3
91 };
92 ASSERT_EQ(Bytes(kExpectedPriv, sizeof(kExpectedPriv)),
93 Bytes(priv_key, priv_key_len));
94
95 const uint8_t kExpectedPub[] = {
96 0x00, 0x00, 0x00, 0x01, 0x00, 0x61, 0x04, 0x5e, 0x06, 0x6b, 0x7b, 0xfd,
97 0x54, 0x01, 0xe0, 0xd2, 0xb5, 0x12, 0xce, 0x48, 0x16, 0x66, 0xb2, 0xdf,
98 0xfd, 0xa8, 0x38, 0x7c, 0x1f, 0x45, 0x1a, 0xb8, 0x21, 0x52, 0x17, 0x25,
99 0xbb, 0x0b, 0x00, 0xd4, 0xa1, 0xbc, 0x28, 0xd9, 0x08, 0x36, 0x98, 0xb2,
100 0x17, 0xd3, 0xb5, 0xad, 0xb6, 0x4e, 0x03, 0x5f, 0xd3, 0x66, 0x2c, 0x58,
101 0x1c, 0xcc, 0xc6, 0x23, 0xa4, 0xf9, 0xa2, 0x7e, 0xb0, 0xe4, 0xd3, 0x95,
102 0x41, 0x6f, 0xba, 0x23, 0x4a, 0x82, 0x93, 0x29, 0x73, 0x75, 0x38, 0x85,
103 0x64, 0x9c, 0xaa, 0x12, 0x6d, 0x7d, 0xcd, 0x52, 0x02, 0x91, 0x9f, 0xa9,
104 0xee, 0x4b, 0xfd, 0x68, 0x97, 0x40, 0xdc, 0x00, 0x61, 0x04, 0x14, 0x16,
105 0x39, 0xf9, 0x63, 0x66, 0x94, 0x03, 0xfa, 0x0b, 0xbf, 0xca, 0x5a, 0x39,
106 0x9f, 0x27, 0x5b, 0x3f, 0x69, 0x7a, 0xc9, 0xf7, 0x25, 0x7c, 0x84, 0x9e,
107 0x1d, 0x61, 0x5a, 0x24, 0x53, 0xf2, 0x4a, 0x9d, 0xe9, 0x05, 0x53, 0xfd,
108 0x12, 0x01, 0x2d, 0x9a, 0x69, 0x50, 0x74, 0x82, 0xa3, 0x45, 0x73, 0xdc,
109 0x34, 0x36, 0x31, 0x44, 0x07, 0x0c, 0xda, 0x13, 0xbe, 0x94, 0x37, 0x65,
110 0xa0, 0xab, 0x16, 0x52, 0x90, 0xe5, 0x8a, 0x03, 0xe5, 0x98, 0x79, 0x14,
111 0x79, 0xd5, 0x17, 0xee, 0xd4, 0xb8, 0xda, 0x77, 0x76, 0x03, 0x20, 0x2a,
112 0x7e, 0x3b, 0x76, 0x0b, 0x23, 0xb7, 0x72, 0x77, 0xb2, 0xeb, 0x00, 0x61,
113 0x04, 0x68, 0x18, 0x4d, 0x23, 0x23, 0xf4, 0x45, 0xb8, 0x81, 0x0d, 0xa4,
114 0x5d, 0x0b, 0x9e, 0x08, 0xfb, 0x45, 0xfb, 0x96, 0x29, 0x43, 0x2f, 0xab,
115 0x93, 0x04, 0x4c, 0x04, 0xb6, 0x5e, 0x27, 0xf5, 0x39, 0x66, 0x94, 0x15,
116 0x1d, 0xb1, 0x1c, 0x7c, 0x27, 0x6f, 0xa5, 0x19, 0x0c, 0x30, 0x12, 0xcc,
117 0x77, 0x7f, 0x10, 0xa9, 0x7c, 0xe4, 0x08, 0x77, 0x3c, 0xd3, 0x6f, 0xa4,
118 0xf4, 0xaf, 0xf1, 0x9d, 0x14, 0x1d, 0xd0, 0x02, 0x33, 0x50, 0x55, 0x00,
119 0x6a, 0x47, 0x96, 0xe1, 0x8b, 0x4e, 0x44, 0x41, 0xad, 0xb3, 0xea, 0x0d,
120 0x0d, 0xd5, 0x73, 0x8e, 0x62, 0x67, 0x8a, 0xb4, 0xe7, 0x5d, 0x17, 0xa9,
121 0x24};
122 ASSERT_EQ(Bytes(kExpectedPub, sizeof(kExpectedPub)),
123 Bytes(pub_key, pub_key_len));
David Benjaminaa764c42020-04-29 12:39:10 -0400124}
125
Steven Valdezf2b2ef82020-09-21 11:39:22 -0400126TEST(TrustTokenTest, KeyGenExp2VOPRF) {
Steven Valdez9adcb0a2020-09-10 10:59:15 -0400127 uint8_t priv_key[TRUST_TOKEN_MAX_PRIVATE_KEY_SIZE];
128 uint8_t pub_key[TRUST_TOKEN_MAX_PUBLIC_KEY_SIZE];
129 size_t priv_key_len, pub_key_len;
130 ASSERT_TRUE(TRUST_TOKEN_generate_key(
Steven Valdezf2b2ef82020-09-21 11:39:22 -0400131 TRUST_TOKEN_experiment_v2_voprf(), priv_key, &priv_key_len,
Steven Valdez9adcb0a2020-09-10 10:59:15 -0400132 TRUST_TOKEN_MAX_PRIVATE_KEY_SIZE, pub_key, &pub_key_len,
133 TRUST_TOKEN_MAX_PUBLIC_KEY_SIZE, 0x0001));
Steven Valdezf2b2ef82020-09-21 11:39:22 -0400134 ASSERT_EQ(52u, priv_key_len);
135 ASSERT_EQ(101u, pub_key_len);
Steven Valdezaa5f6012022-06-14 11:16:02 -0400136
137 const uint8_t kKeygenSecret[] = "SEED";
138 ASSERT_TRUE(TRUST_TOKEN_derive_key_from_secret(
139 TRUST_TOKEN_experiment_v2_voprf(), priv_key, &priv_key_len,
140 TRUST_TOKEN_MAX_PRIVATE_KEY_SIZE, pub_key, &pub_key_len,
141 TRUST_TOKEN_MAX_PUBLIC_KEY_SIZE, 0x0001, kKeygenSecret,
142 sizeof(kKeygenSecret) - 1));
143
144 const uint8_t kExpectedPriv[] = {
145 0x00, 0x00, 0x00, 0x01, 0x0b, 0xe2, 0xc4, 0x73, 0x92, 0xe7, 0xf8,
146 0x3e, 0xba, 0xab, 0x85, 0xa7, 0x77, 0xd7, 0x0a, 0x02, 0xc5, 0x36,
147 0xfe, 0x62, 0xa3, 0xca, 0x01, 0x75, 0xc7, 0x62, 0x19, 0xc7, 0xf0,
148 0x30, 0xc5, 0x14, 0x60, 0x13, 0x97, 0x4f, 0x63, 0x05, 0x37, 0x92,
149 0x7b, 0x76, 0x8e, 0x9f, 0xd0, 0x1a, 0x74, 0x44
150 };
151 ASSERT_EQ(Bytes(kExpectedPriv, sizeof(kExpectedPriv)),
152 Bytes(priv_key, priv_key_len));
153
154 const uint8_t kExpectedPub[] = {
155 0x00, 0x00, 0x00, 0x01, 0x04, 0x2c, 0x9c, 0x11, 0xc1, 0xe5, 0x52, 0x59,
156 0x0b, 0x6d, 0x88, 0x8b, 0x6e, 0x28, 0xe8, 0xc5, 0xa3, 0xbe, 0x48, 0x18,
157 0xf7, 0x1d, 0x31, 0xcf, 0xa2, 0x6e, 0x2a, 0xd6, 0xcb, 0x83, 0x26, 0x04,
158 0xbd, 0x93, 0x67, 0xe4, 0x53, 0xf6, 0x11, 0x7d, 0x45, 0xe9, 0xfe, 0x27,
159 0x33, 0x90, 0xdb, 0x1b, 0xfc, 0x9b, 0x31, 0x4d, 0x39, 0x1f, 0x1f, 0x8c,
160 0x43, 0x06, 0x70, 0x2c, 0x84, 0xdc, 0x23, 0x18, 0xc7, 0x6a, 0x58, 0xcf,
161 0x9e, 0xc1, 0xfa, 0xf2, 0x30, 0xdd, 0xad, 0x62, 0x24, 0xde, 0x11, 0xc1,
162 0xba, 0x8d, 0xc3, 0x4f, 0xfb, 0xe5, 0xa5, 0xd4, 0x37, 0xba, 0x3b, 0x70,
163 0xc0, 0xc3, 0xef, 0x20, 0x43
164 };
165 ASSERT_EQ(Bytes(kExpectedPub, sizeof(kExpectedPub)),
166 Bytes(pub_key, pub_key_len));
Steven Valdez9adcb0a2020-09-10 10:59:15 -0400167}
168
169TEST(TrustTokenTest, KeyGenExp2PMB) {
170 uint8_t priv_key[TRUST_TOKEN_MAX_PRIVATE_KEY_SIZE];
171 uint8_t pub_key[TRUST_TOKEN_MAX_PUBLIC_KEY_SIZE];
172 size_t priv_key_len, pub_key_len;
173 ASSERT_TRUE(TRUST_TOKEN_generate_key(
174 TRUST_TOKEN_experiment_v2_pmb(), priv_key, &priv_key_len,
175 TRUST_TOKEN_MAX_PRIVATE_KEY_SIZE, pub_key, &pub_key_len,
176 TRUST_TOKEN_MAX_PUBLIC_KEY_SIZE, 0x0001));
177 ASSERT_EQ(292u, priv_key_len);
178 ASSERT_EQ(295u, pub_key_len);
Steven Valdezaa5f6012022-06-14 11:16:02 -0400179
180 const uint8_t kKeygenSecret[] = "SEED";
181 ASSERT_TRUE(TRUST_TOKEN_derive_key_from_secret(
182 TRUST_TOKEN_experiment_v2_pmb(), priv_key, &priv_key_len,
183 TRUST_TOKEN_MAX_PRIVATE_KEY_SIZE, pub_key, &pub_key_len,
184 TRUST_TOKEN_MAX_PUBLIC_KEY_SIZE, 0x0001, kKeygenSecret,
185 sizeof(kKeygenSecret) - 1));
186
187 const uint8_t kExpectedPriv[] = {
188 0x00, 0x00, 0x00, 0x01, 0x1b, 0x74, 0xdc, 0xf0, 0xa9, 0xa7, 0x6c, 0xfb,
189 0x41, 0xef, 0xfa, 0x65, 0x52, 0xc9, 0x86, 0x4e, 0xfb, 0x16, 0x9d, 0xea,
190 0x62, 0x3f, 0x47, 0xab, 0x1f, 0x1b, 0x05, 0xf2, 0x4f, 0x05, 0xfe, 0x64,
191 0xb7, 0xe8, 0xcd, 0x2a, 0x10, 0xfa, 0xa2, 0x48, 0x3f, 0x0e, 0x8b, 0x94,
192 0x39, 0xf1, 0xe7, 0x53, 0xe9, 0x50, 0x29, 0xe2, 0xb7, 0x0e, 0xc0, 0x94,
193 0xa9, 0xd3, 0xef, 0x64, 0x10, 0x1d, 0x08, 0xd0, 0x60, 0xcb, 0x6d, 0x97,
194 0x68, 0xc7, 0x04, 0x92, 0x07, 0xb2, 0x22, 0x83, 0xf7, 0xd9, 0x9b, 0x2c,
195 0xf2, 0x52, 0x34, 0x0c, 0x42, 0x31, 0x47, 0x41, 0x19, 0xb9, 0xee, 0xfc,
196 0x46, 0xbd, 0x14, 0xce, 0x42, 0xd7, 0x43, 0xc8, 0x32, 0x3b, 0x24, 0xed,
197 0xdc, 0x69, 0xa3, 0x8e, 0x29, 0x01, 0xbe, 0xae, 0x24, 0x39, 0x14, 0xa7,
198 0x52, 0xe5, 0xd5, 0xff, 0x9a, 0xc4, 0x15, 0x79, 0x29, 0x4c, 0x9b, 0x4e,
199 0xfc, 0x61, 0xf2, 0x12, 0x6f, 0x4f, 0xd3, 0x96, 0x28, 0xb0, 0x79, 0xf0,
200 0x4e, 0x6e, 0x7d, 0x56, 0x19, 0x1b, 0xc2, 0xd7, 0xf9, 0x3a, 0x58, 0x06,
201 0xe5, 0xec, 0xa4, 0x33, 0x14, 0x1c, 0x78, 0x0c, 0x83, 0x94, 0x34, 0x22,
202 0x5a, 0x8e, 0x2e, 0xa1, 0x72, 0x4a, 0x03, 0x35, 0xfe, 0x46, 0x92, 0x41,
203 0x6b, 0xe6, 0x4b, 0x3f, 0xf0, 0xe7, 0x0b, 0xb5, 0xf3, 0x66, 0x6c, 0xc6,
204 0x14, 0xcf, 0xce, 0x32, 0x0a, 0x2c, 0x28, 0xba, 0x4e, 0xb9, 0x75, 0x4a,
205 0xa9, 0x2d, 0xb0, 0x8c, 0xd0, 0x62, 0x52, 0x29, 0x1f, 0x12, 0xfd, 0xfb,
206 0xd3, 0x2a, 0x36, 0x0f, 0x89, 0x32, 0x86, 0x25, 0x56, 0xb9, 0xe7, 0x3c,
207 0xeb, 0xb4, 0x84, 0x41, 0x2b, 0xa8, 0xf3, 0xa5, 0x3d, 0xfe, 0x56, 0x94,
208 0x5b, 0x74, 0xb3, 0x5b, 0x27, 0x3f, 0xe7, 0xcf, 0xe4, 0xf8, 0x15, 0x95,
209 0x2a, 0xd2, 0x5f, 0x92, 0xb4, 0x6a, 0x89, 0xa5, 0x54, 0xbd, 0x27, 0x5e,
210 0xeb, 0x43, 0x07, 0x9b, 0x2b, 0x8b, 0x22, 0x59, 0x13, 0x4b, 0x9c, 0x56,
211 0xd8, 0x63, 0xd9, 0xe6, 0x85, 0x15, 0x2c, 0x82, 0x52, 0x40, 0x8f, 0xb1,
212 0xe7, 0x56, 0x07, 0x98
213 };
214 ASSERT_EQ(Bytes(kExpectedPriv, sizeof(kExpectedPriv)),
215 Bytes(priv_key, priv_key_len));
216
217 const uint8_t kExpectedPub[] = {
218 0x00, 0x00, 0x00, 0x01, 0x04, 0x48, 0xb1, 0x2d, 0xdd, 0x03, 0x32, 0xeb,
219 0x93, 0x31, 0x3d, 0x59, 0x74, 0xf0, 0xcf, 0xaa, 0xa5, 0x39, 0x5f, 0x53,
220 0xc4, 0x94, 0x98, 0xbe, 0x8f, 0x22, 0xd7, 0x30, 0xde, 0x1e, 0xb4, 0xf3,
221 0x32, 0x23, 0x90, 0x0b, 0xa6, 0x37, 0x4a, 0x4b, 0x44, 0xb3, 0x26, 0x52,
222 0x93, 0x7b, 0x4b, 0xa4, 0x79, 0xe8, 0x77, 0x6a, 0x19, 0x81, 0x2a, 0xdd,
223 0x91, 0xfb, 0x90, 0x8b, 0x24, 0xb5, 0xbe, 0x20, 0x2e, 0xe8, 0xbc, 0xd3,
224 0x83, 0x6c, 0xa8, 0xc5, 0xa1, 0x9a, 0x5b, 0x5e, 0x60, 0xda, 0x45, 0x2e,
225 0x31, 0x7f, 0x54, 0x0e, 0x14, 0x40, 0xd2, 0x4d, 0x40, 0x2e, 0x21, 0x79,
226 0xfc, 0x77, 0xdd, 0xc7, 0x2d, 0x04, 0xfe, 0xc6, 0xe3, 0xcf, 0x99, 0xef,
227 0x88, 0xab, 0x76, 0x86, 0x16, 0x14, 0xed, 0x72, 0x35, 0xa7, 0x05, 0x13,
228 0x9f, 0x2c, 0x53, 0xd5, 0xdf, 0x66, 0x75, 0x2e, 0x68, 0xdc, 0xd4, 0xc4,
229 0x00, 0x36, 0x08, 0x6d, 0xb7, 0x15, 0xf7, 0xe5, 0x32, 0x59, 0x81, 0x16,
230 0x57, 0xaa, 0x72, 0x06, 0xf0, 0xad, 0xd1, 0x85, 0xa0, 0x04, 0xd4, 0x11,
231 0x95, 0x1d, 0xac, 0x0b, 0x25, 0xbe, 0x59, 0xa2, 0xb3, 0x30, 0xee, 0x97,
232 0x07, 0x2a, 0x51, 0x15, 0xc1, 0x8d, 0xa8, 0xa6, 0x57, 0x9a, 0x4e, 0xbf,
233 0xd7, 0x2d, 0x35, 0x07, 0x6b, 0xd6, 0xc9, 0x3c, 0xe4, 0xcf, 0x0b, 0x14,
234 0x3e, 0x10, 0x51, 0x77, 0xd6, 0x84, 0x04, 0xbe, 0xd1, 0xd5, 0xa8, 0xf3,
235 0x9d, 0x1d, 0x4f, 0xc1, 0xc9, 0xf1, 0x0c, 0x6d, 0xb6, 0xcb, 0xe2, 0x05,
236 0x0b, 0x9c, 0x7a, 0x3a, 0x9a, 0x99, 0xe9, 0xa1, 0x93, 0xdc, 0x72, 0x2e,
237 0xef, 0xf3, 0x8d, 0xb9, 0x7b, 0xb0, 0x19, 0x24, 0x95, 0x0d, 0x68, 0xa7,
238 0xe0, 0xaa, 0x0b, 0xb1, 0xd1, 0xcc, 0x52, 0x14, 0xf9, 0x6c, 0x91, 0x59,
239 0xe4, 0xe1, 0x9b, 0xf9, 0x12, 0x39, 0xb1, 0x79, 0xbb, 0x21, 0x92, 0x00,
240 0xa4, 0x89, 0xf5, 0xbd, 0xd7, 0x89, 0x27, 0x40, 0xdc, 0xb1, 0x09, 0x38,
241 0x63, 0x91, 0x8c, 0xa5, 0x27, 0x27, 0x97, 0x39, 0x35, 0xfa, 0x1a, 0x8a,
242 0xa7, 0xe5, 0xc4, 0xd8, 0xbf, 0xe7, 0xbe
243 };
244 ASSERT_EQ(Bytes(kExpectedPub, sizeof(kExpectedPub)),
245 Bytes(pub_key, pub_key_len));
Steven Valdez9adcb0a2020-09-10 10:59:15 -0400246}
247
David Benjaminaa764c42020-04-29 12:39:10 -0400248// Test that H in |TRUST_TOKEN_experiment_v1| was computed correctly.
249TEST(TrustTokenTest, HExp1) {
250 const EC_GROUP *group = EC_GROUP_new_by_curve_name(NID_secp384r1);
251 ASSERT_TRUE(group);
252
253 const uint8_t kHGen[] = "generator";
254 const uint8_t kHLabel[] = "PMBTokens Experiment V1 HashH";
255
David Benjamin802523a2020-04-22 14:51:20 -0400256 bssl::UniquePtr<EC_POINT> expected_h(EC_POINT_new(group));
257 ASSERT_TRUE(expected_h);
David Benjaminaa764c42020-04-29 12:39:10 -0400258 ASSERT_TRUE(ec_hash_to_curve_p384_xmd_sha512_sswu_draft07(
David Benjamin802523a2020-04-22 14:51:20 -0400259 group, &expected_h->raw, kHLabel, sizeof(kHLabel), kHGen, sizeof(kHGen)));
David Benjaminaa764c42020-04-29 12:39:10 -0400260 uint8_t expected_bytes[1 + 2 * EC_MAX_BYTES];
261 size_t expected_len =
David Benjamin802523a2020-04-22 14:51:20 -0400262 EC_POINT_point2oct(group, expected_h.get(), POINT_CONVERSION_UNCOMPRESSED,
263 expected_bytes, sizeof(expected_bytes), nullptr);
David Benjaminaa764c42020-04-29 12:39:10 -0400264
265 uint8_t h[97];
266 ASSERT_TRUE(pmbtoken_exp1_get_h_for_testing(h));
267 EXPECT_EQ(Bytes(h), Bytes(expected_bytes, expected_len));
268}
269
Steven Valdez9adcb0a2020-09-10 10:59:15 -0400270// Test that H in |TRUST_TOKEN_experiment_v2_pmb| was computed correctly.
271TEST(TrustTokenTest, HExp2) {
272 const EC_GROUP *group = EC_GROUP_new_by_curve_name(NID_secp384r1);
273 ASSERT_TRUE(group);
274
275 const uint8_t kHGen[] = "generator";
276 const uint8_t kHLabel[] = "PMBTokens Experiment V2 HashH";
277
278 bssl::UniquePtr<EC_POINT> expected_h(EC_POINT_new(group));
279 ASSERT_TRUE(expected_h);
280 ASSERT_TRUE(ec_hash_to_curve_p384_xmd_sha512_sswu_draft07(
281 group, &expected_h->raw, kHLabel, sizeof(kHLabel), kHGen, sizeof(kHGen)));
282 uint8_t expected_bytes[1 + 2 * EC_MAX_BYTES];
283 size_t expected_len =
284 EC_POINT_point2oct(group, expected_h.get(), POINT_CONVERSION_UNCOMPRESSED,
285 expected_bytes, sizeof(expected_bytes), nullptr);
286
287 uint8_t h[97];
288 ASSERT_TRUE(pmbtoken_exp2_get_h_for_testing(h));
289 EXPECT_EQ(Bytes(h), Bytes(expected_bytes, expected_len));
290}
291
David Benjaminaa764c42020-04-29 12:39:10 -0400292static std::vector<const TRUST_TOKEN_METHOD *> AllMethods() {
Steven Valdez9adcb0a2020-09-10 10:59:15 -0400293 return {
294 TRUST_TOKEN_experiment_v1(),
Steven Valdezf2b2ef82020-09-21 11:39:22 -0400295 TRUST_TOKEN_experiment_v2_voprf(),
Steven Valdez9adcb0a2020-09-10 10:59:15 -0400296 TRUST_TOKEN_experiment_v2_pmb()
297 };
David Benjaminaa764c42020-04-29 12:39:10 -0400298}
299
300class TrustTokenProtocolTestBase : public ::testing::Test {
Steven Valdez538a1242019-12-16 12:12:31 -0500301 public:
David Benjamin043fba22020-10-21 11:14:59 -0400302 explicit TrustTokenProtocolTestBase(const TRUST_TOKEN_METHOD *method_arg)
303 : method_(method_arg) {}
David Benjaminaa764c42020-04-29 12:39:10 -0400304
Steven Valdez538a1242019-12-16 12:12:31 -0500305 // KeyID returns the key ID associated with key index |i|.
306 static uint32_t KeyID(size_t i) {
307 // Use a different value from the indices to that we do not mix them up.
308 return 7 + i;
309 }
310
David Benjaminaa764c42020-04-29 12:39:10 -0400311 const TRUST_TOKEN_METHOD *method() { return method_; }
David Benjamin239634d2020-04-29 11:17:51 -0400312
Steven Valdez538a1242019-12-16 12:12:31 -0500313 protected:
314 void SetupContexts() {
David Benjamin239634d2020-04-29 11:17:51 -0400315 client.reset(TRUST_TOKEN_CLIENT_new(method(), client_max_batchsize));
Steven Valdez538a1242019-12-16 12:12:31 -0500316 ASSERT_TRUE(client);
David Benjamin239634d2020-04-29 11:17:51 -0400317 issuer.reset(TRUST_TOKEN_ISSUER_new(method(), issuer_max_batchsize));
Steven Valdez538a1242019-12-16 12:12:31 -0500318 ASSERT_TRUE(issuer);
319
Steven Valdez9adcb0a2020-09-10 10:59:15 -0400320 for (size_t i = 0; i < method()->max_keys; i++) {
Steven Valdez538a1242019-12-16 12:12:31 -0500321 uint8_t priv_key[TRUST_TOKEN_MAX_PRIVATE_KEY_SIZE];
322 uint8_t pub_key[TRUST_TOKEN_MAX_PUBLIC_KEY_SIZE];
323 size_t priv_key_len, pub_key_len, key_index;
324 ASSERT_TRUE(TRUST_TOKEN_generate_key(
David Benjamin239634d2020-04-29 11:17:51 -0400325 method(), priv_key, &priv_key_len, TRUST_TOKEN_MAX_PRIVATE_KEY_SIZE,
326 pub_key, &pub_key_len, TRUST_TOKEN_MAX_PUBLIC_KEY_SIZE, KeyID(i)));
Steven Valdez538a1242019-12-16 12:12:31 -0500327 ASSERT_TRUE(TRUST_TOKEN_CLIENT_add_key(client.get(), &key_index, pub_key,
328 pub_key_len));
329 ASSERT_EQ(i, key_index);
330 ASSERT_TRUE(
331 TRUST_TOKEN_ISSUER_add_key(issuer.get(), priv_key, priv_key_len));
332 }
333
334 uint8_t public_key[32], private_key[64];
335 ED25519_keypair(public_key, private_key);
336 bssl::UniquePtr<EVP_PKEY> priv(EVP_PKEY_new_raw_private_key(
337 EVP_PKEY_ED25519, nullptr, private_key, 32));
338 ASSERT_TRUE(priv);
339 bssl::UniquePtr<EVP_PKEY> pub(
340 EVP_PKEY_new_raw_public_key(EVP_PKEY_ED25519, nullptr, public_key, 32));
341 ASSERT_TRUE(pub);
342
343 TRUST_TOKEN_CLIENT_set_srr_key(client.get(), pub.get());
344 TRUST_TOKEN_ISSUER_set_srr_key(issuer.get(), priv.get());
345 RAND_bytes(metadata_key, sizeof(metadata_key));
346 ASSERT_TRUE(TRUST_TOKEN_ISSUER_set_metadata_key(issuer.get(), metadata_key,
347 sizeof(metadata_key)));
348 }
349
David Benjaminaa764c42020-04-29 12:39:10 -0400350 const TRUST_TOKEN_METHOD *method_;
Steven Valdez538a1242019-12-16 12:12:31 -0500351 uint16_t client_max_batchsize = 10;
352 uint16_t issuer_max_batchsize = 10;
353 bssl::UniquePtr<TRUST_TOKEN_CLIENT> client;
354 bssl::UniquePtr<TRUST_TOKEN_ISSUER> issuer;
355 uint8_t metadata_key[32];
356};
357
David Benjaminaa764c42020-04-29 12:39:10 -0400358class TrustTokenProtocolTest
359 : public TrustTokenProtocolTestBase,
360 public testing::WithParamInterface<const TRUST_TOKEN_METHOD *> {
361 public:
362 TrustTokenProtocolTest() : TrustTokenProtocolTestBase(GetParam()) {}
363};
364
365INSTANTIATE_TEST_SUITE_P(TrustTokenAllProtocolTest, TrustTokenProtocolTest,
366 testing::ValuesIn(AllMethods()));
367
368TEST_P(TrustTokenProtocolTest, InvalidToken) {
Steven Valdez538a1242019-12-16 12:12:31 -0500369 ASSERT_NO_FATAL_FAILURE(SetupContexts());
370
371 uint8_t *issue_msg = NULL, *issue_resp = NULL;
372 size_t msg_len, resp_len;
373
374 size_t key_index;
David Benjamin17078f22020-04-28 17:50:13 -0400375 size_t tokens_issued;
Steven Valdez538a1242019-12-16 12:12:31 -0500376 ASSERT_TRUE(
377 TRUST_TOKEN_CLIENT_begin_issuance(client.get(), &issue_msg, &msg_len, 1));
378 bssl::UniquePtr<uint8_t> free_issue_msg(issue_msg);
379 ASSERT_TRUE(TRUST_TOKEN_ISSUER_issue(
380 issuer.get(), &issue_resp, &resp_len, &tokens_issued, issue_msg, msg_len,
Steven Valdez9adcb0a2020-09-10 10:59:15 -0400381 /*public_metadata=*/KeyID(0), /*private_metadata=*/0,
Steven Valdez538a1242019-12-16 12:12:31 -0500382 /*max_issuance=*/10));
383 bssl::UniquePtr<uint8_t> free_msg(issue_resp);
384 bssl::UniquePtr<STACK_OF(TRUST_TOKEN)> tokens(
385 TRUST_TOKEN_CLIENT_finish_issuance(client.get(), &key_index, issue_resp,
386 resp_len));
387 ASSERT_TRUE(tokens);
388
389 for (TRUST_TOKEN *token : tokens.get()) {
390 // Corrupt the token.
391 token->data[0] ^= 0x42;
392
393 uint8_t *redeem_msg = NULL, *redeem_resp = NULL;
394 ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_redemption(
395 client.get(), &redeem_msg, &msg_len, token, NULL, 0, 0));
396 bssl::UniquePtr<uint8_t> free_redeem_msg(redeem_msg);
397 TRUST_TOKEN *rtoken;
398 uint8_t *client_data;
399 size_t client_data_len;
400 uint64_t redemption_time;
401 ASSERT_FALSE(TRUST_TOKEN_ISSUER_redeem(
402 issuer.get(), &redeem_resp, &resp_len, &rtoken, &client_data,
403 &client_data_len, &redemption_time, redeem_msg, msg_len, 600));
404 bssl::UniquePtr<uint8_t> free_redeem_resp(redeem_resp);
405 }
406}
407
David Benjaminaa764c42020-04-29 12:39:10 -0400408TEST_P(TrustTokenProtocolTest, TruncatedIssuanceRequest) {
Steven Valdez538a1242019-12-16 12:12:31 -0500409 ASSERT_NO_FATAL_FAILURE(SetupContexts());
410
411 uint8_t *issue_msg = NULL, *issue_resp = NULL;
412 size_t msg_len, resp_len;
413 ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_issuance(client.get(), &issue_msg,
414 &msg_len, 10));
415 bssl::UniquePtr<uint8_t> free_issue_msg(issue_msg);
416 msg_len = 10;
David Benjamin17078f22020-04-28 17:50:13 -0400417 size_t tokens_issued;
Steven Valdez538a1242019-12-16 12:12:31 -0500418 ASSERT_FALSE(TRUST_TOKEN_ISSUER_issue(
419 issuer.get(), &issue_resp, &resp_len, &tokens_issued, issue_msg, msg_len,
420 /*public_metadata=*/KeyID(0), /*private_metadata=*/0,
421 /*max_issuance=*/10));
422 bssl::UniquePtr<uint8_t> free_msg(issue_resp);
423}
424
David Benjaminaa764c42020-04-29 12:39:10 -0400425TEST_P(TrustTokenProtocolTest, TruncatedIssuanceResponse) {
Steven Valdez538a1242019-12-16 12:12:31 -0500426 ASSERT_NO_FATAL_FAILURE(SetupContexts());
427
428 uint8_t *issue_msg = NULL, *issue_resp = NULL;
429 size_t msg_len, resp_len;
430 ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_issuance(client.get(), &issue_msg,
431 &msg_len, 10));
432 bssl::UniquePtr<uint8_t> free_issue_msg(issue_msg);
David Benjamin17078f22020-04-28 17:50:13 -0400433 size_t tokens_issued;
Steven Valdez538a1242019-12-16 12:12:31 -0500434 ASSERT_TRUE(TRUST_TOKEN_ISSUER_issue(
435 issuer.get(), &issue_resp, &resp_len, &tokens_issued, issue_msg, msg_len,
436 /*public_metadata=*/KeyID(0), /*private_metadata=*/0,
437 /*max_issuance=*/10));
438 bssl::UniquePtr<uint8_t> free_msg(issue_resp);
439 resp_len = 10;
440 size_t key_index;
441 bssl::UniquePtr<STACK_OF(TRUST_TOKEN)> tokens(
442 TRUST_TOKEN_CLIENT_finish_issuance(client.get(), &key_index, issue_resp,
443 resp_len));
444 ASSERT_FALSE(tokens);
445}
446
David Benjaminaa764c42020-04-29 12:39:10 -0400447TEST_P(TrustTokenProtocolTest, ExtraDataIssuanceResponse) {
David Benjamincbe128b2020-04-21 23:05:27 -0400448 ASSERT_NO_FATAL_FAILURE(SetupContexts());
449
450 uint8_t *request = NULL, *response = NULL;
451 size_t request_len, response_len;
452 ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_issuance(client.get(), &request,
453 &request_len, 10));
454 bssl::UniquePtr<uint8_t> free_request(request);
David Benjamin17078f22020-04-28 17:50:13 -0400455 size_t tokens_issued;
David Benjamincbe128b2020-04-21 23:05:27 -0400456 ASSERT_TRUE(TRUST_TOKEN_ISSUER_issue(issuer.get(), &response, &response_len,
457 &tokens_issued, request, request_len,
458 /*public_metadata=*/KeyID(0),
459 /*private_metadata=*/0,
460 /*max_issuance=*/10));
461 bssl::UniquePtr<uint8_t> free_response(response);
462 std::vector<uint8_t> response2(response, response + response_len);
463 response2.push_back(0);
464 size_t key_index;
465 bssl::UniquePtr<STACK_OF(TRUST_TOKEN)> tokens(
466 TRUST_TOKEN_CLIENT_finish_issuance(client.get(), &key_index,
467 response2.data(), response2.size()));
468 ASSERT_FALSE(tokens);
469}
470
David Benjaminaa764c42020-04-29 12:39:10 -0400471TEST_P(TrustTokenProtocolTest, TruncatedRedemptionRequest) {
Steven Valdez538a1242019-12-16 12:12:31 -0500472 ASSERT_NO_FATAL_FAILURE(SetupContexts());
473
474 uint8_t *issue_msg = NULL, *issue_resp = NULL;
475 size_t msg_len, resp_len;
476 ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_issuance(client.get(), &issue_msg,
477 &msg_len, 10));
478 bssl::UniquePtr<uint8_t> free_issue_msg(issue_msg);
David Benjamin17078f22020-04-28 17:50:13 -0400479 size_t tokens_issued;
Steven Valdez538a1242019-12-16 12:12:31 -0500480 ASSERT_TRUE(TRUST_TOKEN_ISSUER_issue(
481 issuer.get(), &issue_resp, &resp_len, &tokens_issued, issue_msg, msg_len,
482 /*public_metadata=*/KeyID(0), /*private_metadata=*/0,
483 /*max_issuance=*/10));
484 bssl::UniquePtr<uint8_t> free_msg(issue_resp);
485 size_t key_index;
486 bssl::UniquePtr<STACK_OF(TRUST_TOKEN)> tokens(
487 TRUST_TOKEN_CLIENT_finish_issuance(client.get(), &key_index, issue_resp,
488 resp_len));
489 ASSERT_TRUE(tokens);
490
491 for (TRUST_TOKEN *token : tokens.get()) {
Steven Valdez8f3019e2020-04-17 09:36:06 -0400492 const uint8_t kClientData[] = "\x70TEST CLIENT DATA";
Steven Valdez07827152020-10-13 11:04:33 -0400493 uint64_t kRedemptionTime = (method()->has_srr ? 13374242 : 0);
Steven Valdez538a1242019-12-16 12:12:31 -0500494
495 uint8_t *redeem_msg = NULL, *redeem_resp = NULL;
496 ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_redemption(
497 client.get(), &redeem_msg, &msg_len, token, kClientData,
498 sizeof(kClientData) - 1, kRedemptionTime));
499 bssl::UniquePtr<uint8_t> free_redeem_msg(redeem_msg);
500 msg_len = 10;
501
502 TRUST_TOKEN *rtoken;
503 uint8_t *client_data;
504 size_t client_data_len;
505 uint64_t redemption_time;
506 ASSERT_FALSE(TRUST_TOKEN_ISSUER_redeem(
507 issuer.get(), &redeem_resp, &resp_len, &rtoken, &client_data,
508 &client_data_len, &redemption_time, redeem_msg, msg_len, 600));
509 }
510}
511
David Benjaminaa764c42020-04-29 12:39:10 -0400512TEST_P(TrustTokenProtocolTest, TruncatedRedemptionResponse) {
Steven Valdez538a1242019-12-16 12:12:31 -0500513 ASSERT_NO_FATAL_FAILURE(SetupContexts());
514
515 uint8_t *issue_msg = NULL, *issue_resp = NULL;
516 size_t msg_len, resp_len;
517 ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_issuance(client.get(), &issue_msg,
518 &msg_len, 10));
519 bssl::UniquePtr<uint8_t> free_issue_msg(issue_msg);
David Benjamin17078f22020-04-28 17:50:13 -0400520 size_t tokens_issued;
Steven Valdez538a1242019-12-16 12:12:31 -0500521 ASSERT_TRUE(TRUST_TOKEN_ISSUER_issue(
522 issuer.get(), &issue_resp, &resp_len, &tokens_issued, issue_msg, msg_len,
523 /*public_metadata=*/KeyID(0), /*private_metadata=*/0,
524 /*max_issuance=*/10));
525 bssl::UniquePtr<uint8_t> free_msg(issue_resp);
526 size_t key_index;
527 bssl::UniquePtr<STACK_OF(TRUST_TOKEN)> tokens(
528 TRUST_TOKEN_CLIENT_finish_issuance(client.get(), &key_index, issue_resp,
529 resp_len));
530 ASSERT_TRUE(tokens);
531
532 for (TRUST_TOKEN *token : tokens.get()) {
Steven Valdez8f3019e2020-04-17 09:36:06 -0400533 const uint8_t kClientData[] = "\x70TEST CLIENT DATA";
Steven Valdez07827152020-10-13 11:04:33 -0400534 uint64_t kRedemptionTime = 0;
Steven Valdez538a1242019-12-16 12:12:31 -0500535
536 uint8_t *redeem_msg = NULL, *redeem_resp = NULL;
537 ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_redemption(
538 client.get(), &redeem_msg, &msg_len, token, kClientData,
539 sizeof(kClientData) - 1, kRedemptionTime));
540 bssl::UniquePtr<uint8_t> free_redeem_msg(redeem_msg);
541 TRUST_TOKEN *rtoken;
542 uint8_t *client_data;
543 size_t client_data_len;
544 uint64_t redemption_time;
545 ASSERT_TRUE(TRUST_TOKEN_ISSUER_redeem(
546 issuer.get(), &redeem_resp, &resp_len, &rtoken, &client_data,
547 &client_data_len, &redemption_time, redeem_msg, msg_len, 600));
548 bssl::UniquePtr<uint8_t> free_redeem_resp(redeem_resp);
549 bssl::UniquePtr<uint8_t> free_client_data(client_data);
550 bssl::UniquePtr<TRUST_TOKEN> free_rtoken(rtoken);
551
552 ASSERT_EQ(redemption_time, kRedemptionTime);
Steven Valdez54304732020-05-04 11:56:12 -0400553 ASSERT_EQ(Bytes(kClientData, sizeof(kClientData) - 1),
554 Bytes(client_data, client_data_len));
Steven Valdez538a1242019-12-16 12:12:31 -0500555 resp_len = 10;
556
Steven Valdezf2b2ef82020-09-21 11:39:22 -0400557 // If the protocol doesn't use SRRs, TRUST_TOKEN_CLIENT_finish_redemtpion
558 // leaves all SRR validation to the caller.
Steven Valdez538a1242019-12-16 12:12:31 -0500559 uint8_t *srr = NULL, *sig = NULL;
560 size_t srr_len, sig_len;
Steven Valdezf2b2ef82020-09-21 11:39:22 -0400561 bool expect_failure = !method()->has_srr;
562 ASSERT_EQ(expect_failure, TRUST_TOKEN_CLIENT_finish_redemption(
563 client.get(), &srr, &srr_len, &sig, &sig_len,
564 redeem_resp, resp_len));
Steven Valdez538a1242019-12-16 12:12:31 -0500565 bssl::UniquePtr<uint8_t> free_srr(srr);
566 bssl::UniquePtr<uint8_t> free_sig(sig);
567 }
568}
569
David Benjaminaa764c42020-04-29 12:39:10 -0400570TEST_P(TrustTokenProtocolTest, IssuedWithBadKeyID) {
David Benjamin239634d2020-04-29 11:17:51 -0400571 client.reset(TRUST_TOKEN_CLIENT_new(method(), client_max_batchsize));
Steven Valdez538a1242019-12-16 12:12:31 -0500572 ASSERT_TRUE(client);
David Benjamin239634d2020-04-29 11:17:51 -0400573 issuer.reset(TRUST_TOKEN_ISSUER_new(method(), issuer_max_batchsize));
Steven Valdez538a1242019-12-16 12:12:31 -0500574 ASSERT_TRUE(issuer);
575
576 // We configure the client and the issuer with different key IDs and test
577 // that the client notices.
578 const uint32_t kClientKeyID = 0;
579 const uint32_t kIssuerKeyID = 42;
580
581 uint8_t priv_key[TRUST_TOKEN_MAX_PRIVATE_KEY_SIZE];
582 uint8_t pub_key[TRUST_TOKEN_MAX_PUBLIC_KEY_SIZE];
583 size_t priv_key_len, pub_key_len, key_index;
584 ASSERT_TRUE(TRUST_TOKEN_generate_key(
David Benjamin239634d2020-04-29 11:17:51 -0400585 method(), priv_key, &priv_key_len, TRUST_TOKEN_MAX_PRIVATE_KEY_SIZE,
586 pub_key, &pub_key_len, TRUST_TOKEN_MAX_PUBLIC_KEY_SIZE, kClientKeyID));
Steven Valdez538a1242019-12-16 12:12:31 -0500587 ASSERT_TRUE(TRUST_TOKEN_CLIENT_add_key(client.get(), &key_index, pub_key,
588 pub_key_len));
589 ASSERT_EQ(0UL, key_index);
590
591 ASSERT_TRUE(TRUST_TOKEN_generate_key(
David Benjamin239634d2020-04-29 11:17:51 -0400592 method(), priv_key, &priv_key_len, TRUST_TOKEN_MAX_PRIVATE_KEY_SIZE,
593 pub_key, &pub_key_len, TRUST_TOKEN_MAX_PUBLIC_KEY_SIZE, kIssuerKeyID));
Steven Valdez538a1242019-12-16 12:12:31 -0500594 ASSERT_TRUE(TRUST_TOKEN_ISSUER_add_key(issuer.get(), priv_key, priv_key_len));
595
596
597 uint8_t public_key[32], private_key[64];
598 ED25519_keypair(public_key, private_key);
599 bssl::UniquePtr<EVP_PKEY> priv(
600 EVP_PKEY_new_raw_private_key(EVP_PKEY_ED25519, nullptr, private_key, 32));
601 ASSERT_TRUE(priv);
602 bssl::UniquePtr<EVP_PKEY> pub(
603 EVP_PKEY_new_raw_public_key(EVP_PKEY_ED25519, nullptr, public_key, 32));
604 ASSERT_TRUE(pub);
605
606 TRUST_TOKEN_CLIENT_set_srr_key(client.get(), pub.get());
607 TRUST_TOKEN_ISSUER_set_srr_key(issuer.get(), priv.get());
608 RAND_bytes(metadata_key, sizeof(metadata_key));
609 ASSERT_TRUE(TRUST_TOKEN_ISSUER_set_metadata_key(issuer.get(), metadata_key,
610 sizeof(metadata_key)));
611
612
613 uint8_t *issue_msg = NULL, *issue_resp = NULL;
614 size_t msg_len, resp_len;
615 ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_issuance(client.get(), &issue_msg,
616 &msg_len, 10));
617 bssl::UniquePtr<uint8_t> free_issue_msg(issue_msg);
David Benjamin17078f22020-04-28 17:50:13 -0400618 size_t tokens_issued;
Steven Valdez538a1242019-12-16 12:12:31 -0500619 ASSERT_TRUE(TRUST_TOKEN_ISSUER_issue(
620 issuer.get(), &issue_resp, &resp_len, &tokens_issued, issue_msg, msg_len,
621 /*public_metadata=*/42, /*private_metadata=*/0, /*max_issuance=*/10));
622 bssl::UniquePtr<uint8_t> free_msg(issue_resp);
623 bssl::UniquePtr<STACK_OF(TRUST_TOKEN)> tokens(
624 TRUST_TOKEN_CLIENT_finish_issuance(client.get(), &key_index, issue_resp,
625 resp_len));
626 ASSERT_FALSE(tokens);
627}
628
629class TrustTokenMetadataTest
David Benjaminaa764c42020-04-29 12:39:10 -0400630 : public TrustTokenProtocolTestBase,
631 public testing::WithParamInterface<
632 std::tuple<const TRUST_TOKEN_METHOD *, int, bool>> {
633 public:
634 TrustTokenMetadataTest()
635 : TrustTokenProtocolTestBase(std::get<0>(GetParam())) {}
636
637 int public_metadata() { return std::get<1>(GetParam()); }
638 bool private_metadata() { return std::get<2>(GetParam()); }
639};
Steven Valdez538a1242019-12-16 12:12:31 -0500640
641TEST_P(TrustTokenMetadataTest, SetAndGetMetadata) {
642 ASSERT_NO_FATAL_FAILURE(SetupContexts());
643
644 uint8_t *issue_msg = NULL, *issue_resp = NULL;
645 size_t msg_len, resp_len;
646 ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_issuance(client.get(), &issue_msg,
647 &msg_len, 10));
648 bssl::UniquePtr<uint8_t> free_issue_msg(issue_msg);
David Benjamin17078f22020-04-28 17:50:13 -0400649 size_t tokens_issued;
Steven Valdez9adcb0a2020-09-10 10:59:15 -0400650 bool result = TRUST_TOKEN_ISSUER_issue(
Steven Valdez538a1242019-12-16 12:12:31 -0500651 issuer.get(), &issue_resp, &resp_len, &tokens_issued, issue_msg, msg_len,
Steven Valdez9adcb0a2020-09-10 10:59:15 -0400652 public_metadata(), private_metadata(), /*max_issuance=*/1);
653 if (!method()->has_private_metadata && private_metadata()) {
654 ASSERT_FALSE(result);
655 return;
656 }
657 ASSERT_TRUE(result);
Steven Valdez538a1242019-12-16 12:12:31 -0500658 bssl::UniquePtr<uint8_t> free_msg(issue_resp);
659 size_t key_index;
660 bssl::UniquePtr<STACK_OF(TRUST_TOKEN)> tokens(
661 TRUST_TOKEN_CLIENT_finish_issuance(client.get(), &key_index, issue_resp,
662 resp_len));
663 ASSERT_TRUE(tokens);
664
665 for (TRUST_TOKEN *token : tokens.get()) {
Steven Valdez8f3019e2020-04-17 09:36:06 -0400666 const uint8_t kClientData[] = "\x70TEST CLIENT DATA";
Steven Valdez07827152020-10-13 11:04:33 -0400667 uint64_t kRedemptionTime = (method()->has_srr ? 13374242 : 0);
Steven Valdez538a1242019-12-16 12:12:31 -0500668
Steven Valdez07827152020-10-13 11:04:33 -0400669 const uint8_t kExpectedSRRV1[] =
Steven Valdez78b33372020-05-14 15:00:28 -0400670 "\xa4\x68\x6d\x65\x74\x61\x64\x61\x74\x61\xa2\x66\x70\x75\x62\x6c\x69"
Steven Valdez54304732020-05-04 11:56:12 -0400671 "\x63\x00\x67\x70\x72\x69\x76\x61\x74\x65\x00\x6a\x74\x6f\x6b\x65\x6e"
672 "\x2d\x68\x61\x73\x68\x58\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
673 "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
674 "\x00\x00\x00\x00\x00\x6b\x63\x6c\x69\x65\x6e\x74\x2d\x64\x61\x74\x61"
675 "\x70\x54\x45\x53\x54\x20\x43\x4c\x49\x45\x4e\x54\x20\x44\x41\x54\x41"
676 "\x70\x65\x78\x70\x69\x72\x79\x2d\x74\x69\x6d\x65\x73\x74\x61\x6d\x70"
677 "\x1a\x00\xcc\x15\x7a";
678
Steven Valdez07827152020-10-13 11:04:33 -0400679 const uint8_t kExpectedSRRV2[] =
680 "\xa4\x68\x6d\x65\x74\x61\x64\x61\x74\x61\xa2\x66\x70\x75\x62\x6c\x69"
681 "\x63\x00\x67\x70\x72\x69\x76\x61\x74\x65\x00\x6a\x74\x6f\x6b\x65\x6e"
682 "\x2d\x68\x61\x73\x68\x58\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
683 "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
684 "\x00\x00\x00\x00\x00\x6b\x63\x6c\x69\x65\x6e\x74\x2d\x64\x61\x74\x61"
685 "\x70\x54\x45\x53\x54\x20\x43\x4c\x49\x45\x4e\x54\x20\x44\x41\x54\x41"
686 "\x70\x65\x78\x70\x69\x72\x79\x2d\x74\x69\x6d\x65\x73\x74\x61\x6d\x70"
687 "\x00";
688
689 const uint8_t *expected_srr = kExpectedSRRV1;
690 size_t expected_srr_len = sizeof(kExpectedSRRV1) - 1;
691 if (!method()->has_srr) {
692 expected_srr = kExpectedSRRV2;
693 expected_srr_len = sizeof(kExpectedSRRV2) - 1;
694 }
695
Steven Valdez538a1242019-12-16 12:12:31 -0500696 uint8_t *redeem_msg = NULL, *redeem_resp = NULL;
697 ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_redemption(
698 client.get(), &redeem_msg, &msg_len, token, kClientData,
699 sizeof(kClientData) - 1, kRedemptionTime));
700 bssl::UniquePtr<uint8_t> free_redeem_msg(redeem_msg);
701 TRUST_TOKEN *rtoken;
702 uint8_t *client_data;
703 size_t client_data_len;
704 uint64_t redemption_time;
705 ASSERT_TRUE(TRUST_TOKEN_ISSUER_redeem(
706 issuer.get(), &redeem_resp, &resp_len, &rtoken, &client_data,
707 &client_data_len, &redemption_time, redeem_msg, msg_len, 600));
708 bssl::UniquePtr<uint8_t> free_redeem_resp(redeem_resp);
709 bssl::UniquePtr<uint8_t> free_client_data(client_data);
710 bssl::UniquePtr<TRUST_TOKEN> free_rtoken(rtoken);
711
712 ASSERT_EQ(redemption_time, kRedemptionTime);
Steven Valdez54304732020-05-04 11:56:12 -0400713 ASSERT_EQ(Bytes(kClientData, sizeof(kClientData) - 1),
714 Bytes(client_data, client_data_len));
Steven Valdez538a1242019-12-16 12:12:31 -0500715
716 uint8_t *srr = NULL, *sig = NULL;
717 size_t srr_len, sig_len;
718 ASSERT_TRUE(TRUST_TOKEN_CLIENT_finish_redemption(
719 client.get(), &srr, &srr_len, &sig, &sig_len, redeem_resp, resp_len));
720 bssl::UniquePtr<uint8_t> free_srr(srr);
721 bssl::UniquePtr<uint8_t> free_sig(sig);
722
Steven Valdezf2b2ef82020-09-21 11:39:22 -0400723 if (!method()->has_srr) {
724 size_t b64_len;
Steven Valdez07827152020-10-13 11:04:33 -0400725 ASSERT_TRUE(EVP_EncodedLength(&b64_len, expected_srr_len));
Steven Valdezf2b2ef82020-09-21 11:39:22 -0400726 b64_len -= 1;
Steven Valdezf2b2ef82020-09-21 11:39:22 -0400727 const char kSRRHeader[] = "body=:";
728 ASSERT_LT(sizeof(kSRRHeader) - 1 + b64_len, srr_len);
729
730 ASSERT_EQ(Bytes(kSRRHeader, sizeof(kSRRHeader) - 1),
731 Bytes(srr, sizeof(kSRRHeader) - 1));
732 uint8_t *decoded_srr =
Steven Valdez07827152020-10-13 11:04:33 -0400733 (uint8_t *)OPENSSL_malloc(expected_srr_len + 2);
Steven Valdezf2b2ef82020-09-21 11:39:22 -0400734 ASSERT_TRUE(decoded_srr);
Steven Valdez07827152020-10-13 11:04:33 -0400735 ASSERT_LE(
736 int(expected_srr_len),
Steven Valdezf2b2ef82020-09-21 11:39:22 -0400737 EVP_DecodeBlock(decoded_srr, srr + sizeof(kSRRHeader) - 1, b64_len));
738 srr = decoded_srr;
Steven Valdez07827152020-10-13 11:04:33 -0400739 srr_len = expected_srr_len;
Steven Valdezf2b2ef82020-09-21 11:39:22 -0400740 free_srr.reset(srr);
741 }
742
Steven Valdezd0637e92020-06-03 15:43:49 -0400743 const uint8_t kTokenHashDSTLabel[] = "TrustTokenV0 TokenHash";
744 uint8_t token_hash[SHA256_DIGEST_LENGTH];
745 SHA256_CTX sha_ctx;
746 SHA256_Init(&sha_ctx);
747 SHA256_Update(&sha_ctx, kTokenHashDSTLabel, sizeof(kTokenHashDSTLabel));
748 SHA256_Update(&sha_ctx, token->data, token->len);
749 SHA256_Final(token_hash, &sha_ctx);
Steven Valdez538a1242019-12-16 12:12:31 -0500750
Steven Valdezd0637e92020-06-03 15:43:49 -0400751 // Check the token hash is in the SRR.
752 ASSERT_EQ(Bytes(token_hash), Bytes(srr + 41, sizeof(token_hash)));
Steven Valdez538a1242019-12-16 12:12:31 -0500753
Steven Valdezd0637e92020-06-03 15:43:49 -0400754 uint8_t decode_private_metadata;
755 ASSERT_TRUE(TRUST_TOKEN_decode_private_metadata(
Steven Valdezf2b2ef82020-09-21 11:39:22 -0400756 method(), &decode_private_metadata, metadata_key,
757 sizeof(metadata_key), token_hash, sizeof(token_hash), srr[27]));
Steven Valdezd0637e92020-06-03 15:43:49 -0400758 ASSERT_EQ(srr[18], public_metadata());
759 ASSERT_EQ(decode_private_metadata, private_metadata());
Steven Valdez54304732020-05-04 11:56:12 -0400760
Steven Valdezd0637e92020-06-03 15:43:49 -0400761 // Clear out the metadata bits.
762 srr[18] = 0;
763 srr[27] = 0;
Steven Valdez54304732020-05-04 11:56:12 -0400764
Steven Valdezd0637e92020-06-03 15:43:49 -0400765 // Clear out the token hash.
766 OPENSSL_memset(srr + 41, 0, sizeof(token_hash));
Steven Valdez54304732020-05-04 11:56:12 -0400767
Steven Valdez07827152020-10-13 11:04:33 -0400768 ASSERT_EQ(Bytes(expected_srr, expected_srr_len),
Steven Valdezd0637e92020-06-03 15:43:49 -0400769 Bytes(srr, srr_len));
Steven Valdez538a1242019-12-16 12:12:31 -0500770 }
771}
772
Steven Valdez07827152020-10-13 11:04:33 -0400773TEST_P(TrustTokenMetadataTest, RawSetAndGetMetadata) {
774 ASSERT_NO_FATAL_FAILURE(SetupContexts());
775
776 uint8_t *issue_msg = NULL, *issue_resp = NULL;
777 size_t msg_len, resp_len;
778 ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_issuance(client.get(), &issue_msg,
779 &msg_len, 10));
780 bssl::UniquePtr<uint8_t> free_issue_msg(issue_msg);
781 size_t tokens_issued;
782 bool result = TRUST_TOKEN_ISSUER_issue(
783 issuer.get(), &issue_resp, &resp_len, &tokens_issued, issue_msg, msg_len,
784 public_metadata(), private_metadata(), /*max_issuance=*/1);
785 if (!method()->has_private_metadata && private_metadata()) {
786 ASSERT_FALSE(result);
787 return;
788 }
789 ASSERT_TRUE(result);
790 bssl::UniquePtr<uint8_t> free_msg(issue_resp);
791 size_t key_index;
792 bssl::UniquePtr<STACK_OF(TRUST_TOKEN)> tokens(
793 TRUST_TOKEN_CLIENT_finish_issuance(client.get(), &key_index, issue_resp,
794 resp_len));
795 ASSERT_TRUE(tokens);
796 EXPECT_EQ(1u, sk_TRUST_TOKEN_num(tokens.get()));
797
798 for (TRUST_TOKEN *token : tokens.get()) {
799 const uint8_t kClientData[] = "\x70TEST CLIENT DATA";
800 uint64_t kRedemptionTime = (method()->has_srr ? 13374242 : 0);
801
802 uint8_t *redeem_msg = NULL;
803 ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_redemption(
804 client.get(), &redeem_msg, &msg_len, token, kClientData,
805 sizeof(kClientData) - 1, kRedemptionTime));
806 bssl::UniquePtr<uint8_t> free_redeem_msg(redeem_msg);
807 uint32_t public_value;
808 uint8_t private_value;
809 TRUST_TOKEN *rtoken;
810 uint8_t *client_data;
811 size_t client_data_len;
812 ASSERT_TRUE(TRUST_TOKEN_ISSUER_redeem_raw(
813 issuer.get(), &public_value, &private_value, &rtoken,
814 &client_data, &client_data_len, redeem_msg, msg_len));
815 bssl::UniquePtr<uint8_t> free_client_data(client_data);
816 bssl::UniquePtr<TRUST_TOKEN> free_rtoken(rtoken);
817
818 ASSERT_EQ(Bytes(kClientData, sizeof(kClientData) - 1),
819 Bytes(client_data, client_data_len));
820 ASSERT_EQ(public_value, static_cast<uint32_t>(public_metadata()));
821 ASSERT_EQ(private_value, private_metadata());
822 }
823}
824
Steven Valdez538a1242019-12-16 12:12:31 -0500825TEST_P(TrustTokenMetadataTest, TooManyRequests) {
Steven Valdez9adcb0a2020-09-10 10:59:15 -0400826 if (!method()->has_private_metadata && private_metadata()) {
827 return;
828 }
829
Steven Valdez538a1242019-12-16 12:12:31 -0500830 issuer_max_batchsize = 1;
831 ASSERT_NO_FATAL_FAILURE(SetupContexts());
832
833 uint8_t *issue_msg = NULL, *issue_resp = NULL;
834 size_t msg_len, resp_len;
835 ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_issuance(client.get(), &issue_msg,
836 &msg_len, 10));
837 bssl::UniquePtr<uint8_t> free_issue_msg(issue_msg);
David Benjamin17078f22020-04-28 17:50:13 -0400838 size_t tokens_issued;
Steven Valdez538a1242019-12-16 12:12:31 -0500839 ASSERT_TRUE(TRUST_TOKEN_ISSUER_issue(
840 issuer.get(), &issue_resp, &resp_len, &tokens_issued, issue_msg, msg_len,
David Benjaminaa764c42020-04-29 12:39:10 -0400841 public_metadata(), private_metadata(), /*max_issuance=*/1));
Steven Valdez538a1242019-12-16 12:12:31 -0500842 bssl::UniquePtr<uint8_t> free_msg(issue_resp);
843 ASSERT_EQ(tokens_issued, issuer_max_batchsize);
844 size_t key_index;
845 bssl::UniquePtr<STACK_OF(TRUST_TOKEN)> tokens(
846 TRUST_TOKEN_CLIENT_finish_issuance(client.get(), &key_index, issue_resp,
847 resp_len));
848 ASSERT_TRUE(tokens);
849 ASSERT_EQ(sk_TRUST_TOKEN_num(tokens.get()), 1UL);
850}
851
Steven Valdez78987bb2020-04-09 14:57:31 -0400852
853TEST_P(TrustTokenMetadataTest, TruncatedProof) {
Steven Valdez9adcb0a2020-09-10 10:59:15 -0400854 if (!method()->has_private_metadata && private_metadata()) {
855 return;
856 }
857
Steven Valdez78987bb2020-04-09 14:57:31 -0400858 ASSERT_NO_FATAL_FAILURE(SetupContexts());
859
860 uint8_t *issue_msg = NULL, *issue_resp = NULL;
861 size_t msg_len, resp_len;
862 ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_issuance(client.get(), &issue_msg,
863 &msg_len, 10));
864 bssl::UniquePtr<uint8_t> free_issue_msg(issue_msg);
David Benjamin17078f22020-04-28 17:50:13 -0400865 size_t tokens_issued;
Steven Valdez78987bb2020-04-09 14:57:31 -0400866 ASSERT_TRUE(TRUST_TOKEN_ISSUER_issue(
867 issuer.get(), &issue_resp, &resp_len, &tokens_issued, issue_msg, msg_len,
David Benjaminaa764c42020-04-29 12:39:10 -0400868 public_metadata(), private_metadata(), /*max_issuance=*/1));
Steven Valdez78987bb2020-04-09 14:57:31 -0400869 bssl::UniquePtr<uint8_t> free_msg(issue_resp);
870
871 CBS real_response;
872 CBS_init(&real_response, issue_resp, resp_len);
873 uint16_t count;
David Benjamin043fba22020-10-21 11:14:59 -0400874 uint32_t parsed_public_metadata;
Steven Valdez78987bb2020-04-09 14:57:31 -0400875 bssl::ScopedCBB bad_response;
876 ASSERT_TRUE(CBB_init(bad_response.get(), 0));
877 ASSERT_TRUE(CBS_get_u16(&real_response, &count));
878 ASSERT_TRUE(CBB_add_u16(bad_response.get(), count));
David Benjamin043fba22020-10-21 11:14:59 -0400879 ASSERT_TRUE(CBS_get_u32(&real_response, &parsed_public_metadata));
880 ASSERT_TRUE(CBB_add_u32(bad_response.get(), parsed_public_metadata));
Steven Valdez78987bb2020-04-09 14:57:31 -0400881
Steven Valdez9adcb0a2020-09-10 10:59:15 -0400882 const EC_GROUP *group = EC_GROUP_new_by_curve_name(NID_secp384r1);
883 size_t token_length =
Steven Valdezf2b2ef82020-09-21 11:39:22 -0400884 TRUST_TOKEN_NONCE_SIZE + 2 * (1 + 2 * BN_num_bytes(&group->field));
Steven Valdez9adcb0a2020-09-10 10:59:15 -0400885 if (method() == TRUST_TOKEN_experiment_v1()) {
886 token_length += 4;
887 }
Steven Valdezf2b2ef82020-09-21 11:39:22 -0400888 if (method() == TRUST_TOKEN_experiment_v2_voprf()) {
889 token_length = 1 + 2 * BN_num_bytes(&group->field);
890 }
Steven Valdez78987bb2020-04-09 14:57:31 -0400891 for (size_t i = 0; i < count; i++) {
Steven Valdez9adcb0a2020-09-10 10:59:15 -0400892 ASSERT_TRUE(CBB_add_bytes(bad_response.get(), CBS_data(&real_response),
893 token_length));
894 ASSERT_TRUE(CBS_skip(&real_response, token_length));
Steven Valdezb55a8c12020-05-08 14:22:14 -0400895 }
896
Steven Valdezd0637e92020-06-03 15:43:49 -0400897 CBS tmp;
898 ASSERT_TRUE(CBS_get_u16_length_prefixed(&real_response, &tmp));
899 CBB dleq;
900 ASSERT_TRUE(CBB_add_u16_length_prefixed(bad_response.get(), &dleq));
901 ASSERT_TRUE(CBB_add_bytes(&dleq, CBS_data(&tmp), CBS_len(&tmp) - 2));
902 ASSERT_TRUE(CBB_flush(bad_response.get()));
Steven Valdez78987bb2020-04-09 14:57:31 -0400903
904 uint8_t *bad_buf;
905 size_t bad_len;
906 ASSERT_TRUE(CBB_finish(bad_response.get(), &bad_buf, &bad_len));
907 bssl::UniquePtr<uint8_t> free_bad(bad_buf);
908
909 size_t key_index;
910 bssl::UniquePtr<STACK_OF(TRUST_TOKEN)> tokens(
David Benjaminaa764c42020-04-29 12:39:10 -0400911 TRUST_TOKEN_CLIENT_finish_issuance(client.get(), &key_index, bad_buf,
912 bad_len));
Steven Valdez78987bb2020-04-09 14:57:31 -0400913 ASSERT_FALSE(tokens);
914}
915
916TEST_P(TrustTokenMetadataTest, ExcessDataProof) {
Steven Valdez9adcb0a2020-09-10 10:59:15 -0400917 if (!method()->has_private_metadata && private_metadata()) {
918 return;
919 }
920
Steven Valdez78987bb2020-04-09 14:57:31 -0400921 ASSERT_NO_FATAL_FAILURE(SetupContexts());
922
923 uint8_t *issue_msg = NULL, *issue_resp = NULL;
924 size_t msg_len, resp_len;
925 ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_issuance(client.get(), &issue_msg,
926 &msg_len, 10));
927 bssl::UniquePtr<uint8_t> free_issue_msg(issue_msg);
David Benjamin17078f22020-04-28 17:50:13 -0400928 size_t tokens_issued;
Steven Valdez78987bb2020-04-09 14:57:31 -0400929 ASSERT_TRUE(TRUST_TOKEN_ISSUER_issue(
930 issuer.get(), &issue_resp, &resp_len, &tokens_issued, issue_msg, msg_len,
David Benjaminaa764c42020-04-29 12:39:10 -0400931 public_metadata(), private_metadata(), /*max_issuance=*/1));
Steven Valdez78987bb2020-04-09 14:57:31 -0400932 bssl::UniquePtr<uint8_t> free_msg(issue_resp);
933
934 CBS real_response;
935 CBS_init(&real_response, issue_resp, resp_len);
936 uint16_t count;
David Benjamin043fba22020-10-21 11:14:59 -0400937 uint32_t parsed_public_metadata;
Steven Valdez78987bb2020-04-09 14:57:31 -0400938 bssl::ScopedCBB bad_response;
939 ASSERT_TRUE(CBB_init(bad_response.get(), 0));
940 ASSERT_TRUE(CBS_get_u16(&real_response, &count));
941 ASSERT_TRUE(CBB_add_u16(bad_response.get(), count));
David Benjamin043fba22020-10-21 11:14:59 -0400942 ASSERT_TRUE(CBS_get_u32(&real_response, &parsed_public_metadata));
943 ASSERT_TRUE(CBB_add_u32(bad_response.get(), parsed_public_metadata));
Steven Valdez78987bb2020-04-09 14:57:31 -0400944
Steven Valdez9adcb0a2020-09-10 10:59:15 -0400945 const EC_GROUP *group = EC_GROUP_new_by_curve_name(NID_secp384r1);
946 size_t token_length =
Steven Valdezf2b2ef82020-09-21 11:39:22 -0400947 TRUST_TOKEN_NONCE_SIZE + 2 * (1 + 2 * BN_num_bytes(&group->field));
Steven Valdez9adcb0a2020-09-10 10:59:15 -0400948 if (method() == TRUST_TOKEN_experiment_v1()) {
949 token_length += 4;
950 }
Steven Valdezf2b2ef82020-09-21 11:39:22 -0400951 if (method() == TRUST_TOKEN_experiment_v2_voprf()) {
952 token_length = 1 + 2 * BN_num_bytes(&group->field);
953 }
Steven Valdez78987bb2020-04-09 14:57:31 -0400954 for (size_t i = 0; i < count; i++) {
Steven Valdez9adcb0a2020-09-10 10:59:15 -0400955 ASSERT_TRUE(CBB_add_bytes(bad_response.get(), CBS_data(&real_response),
956 token_length));
957 ASSERT_TRUE(CBS_skip(&real_response, token_length));
Steven Valdezb55a8c12020-05-08 14:22:14 -0400958 }
959
Steven Valdezd0637e92020-06-03 15:43:49 -0400960 CBS tmp;
961 ASSERT_TRUE(CBS_get_u16_length_prefixed(&real_response, &tmp));
962 CBB dleq;
963 ASSERT_TRUE(CBB_add_u16_length_prefixed(bad_response.get(), &dleq));
964 ASSERT_TRUE(CBB_add_bytes(&dleq, CBS_data(&tmp), CBS_len(&tmp)));
965 ASSERT_TRUE(CBB_add_u16(&dleq, 42));
966 ASSERT_TRUE(CBB_flush(bad_response.get()));
Steven Valdez78987bb2020-04-09 14:57:31 -0400967
968 uint8_t *bad_buf;
969 size_t bad_len;
970 ASSERT_TRUE(CBB_finish(bad_response.get(), &bad_buf, &bad_len));
971 bssl::UniquePtr<uint8_t> free_bad(bad_buf);
972
973 size_t key_index;
974 bssl::UniquePtr<STACK_OF(TRUST_TOKEN)> tokens(
975 TRUST_TOKEN_CLIENT_finish_issuance(client.get(), &key_index, bad_buf,
976 bad_len));
977 ASSERT_FALSE(tokens);
978}
979
Steven Valdez538a1242019-12-16 12:12:31 -0500980INSTANTIATE_TEST_SUITE_P(
981 TrustTokenAllMetadataTest, TrustTokenMetadataTest,
David Benjaminaa764c42020-04-29 12:39:10 -0400982 testing::Combine(testing::ValuesIn(AllMethods()),
983 testing::Values(TrustTokenProtocolTest::KeyID(0),
Steven Valdez538a1242019-12-16 12:12:31 -0500984 TrustTokenProtocolTest::KeyID(1),
985 TrustTokenProtocolTest::KeyID(2)),
986 testing::Bool()));
987
Steven Valdez78987bb2020-04-09 14:57:31 -0400988class TrustTokenBadKeyTest
David Benjaminaa764c42020-04-29 12:39:10 -0400989 : public TrustTokenProtocolTestBase,
990 public testing::WithParamInterface<
991 std::tuple<const TRUST_TOKEN_METHOD *, bool, int>> {
992 public:
993 TrustTokenBadKeyTest()
994 : TrustTokenProtocolTestBase(std::get<0>(GetParam())) {}
995
996 bool private_metadata() { return std::get<1>(GetParam()); }
997 int corrupted_key() { return std::get<2>(GetParam()); }
998};
Steven Valdez78987bb2020-04-09 14:57:31 -0400999
1000TEST_P(TrustTokenBadKeyTest, BadKey) {
Steven Valdezf2b2ef82020-09-21 11:39:22 -04001001 // For versions without private metadata, only corruptions of 'xs' (the 4th
1002 // entry in |scalars| below) result in a bad key, as the other scalars are
1003 // unused internally.
1004 if (!method()->has_private_metadata &&
1005 (private_metadata() || corrupted_key() != 4)) {
Steven Valdez9adcb0a2020-09-10 10:59:15 -04001006 return;
1007 }
1008
Steven Valdez78987bb2020-04-09 14:57:31 -04001009 ASSERT_NO_FATAL_FAILURE(SetupContexts());
1010
1011 uint8_t *issue_msg = NULL, *issue_resp = NULL;
1012 size_t msg_len, resp_len;
1013 ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_issuance(client.get(), &issue_msg,
1014 &msg_len, 10));
1015 bssl::UniquePtr<uint8_t> free_issue_msg(issue_msg);
1016
1017 struct trust_token_issuer_key_st *key = &issuer->keys[0];
David Benjamin090ee962020-04-28 17:08:37 -04001018 EC_SCALAR *scalars[] = {&key->key.x0, &key->key.y0, &key->key.x1,
1019 &key->key.y1, &key->key.xs, &key->key.ys};
Steven Valdez78987bb2020-04-09 14:57:31 -04001020
1021 // Corrupt private key scalar.
David Benjamin227ff6e2022-05-05 08:43:27 -04001022 scalars[corrupted_key()]->words[0] ^= 42;
Steven Valdez78987bb2020-04-09 14:57:31 -04001023
David Benjamin17078f22020-04-28 17:50:13 -04001024 size_t tokens_issued;
Steven Valdez78987bb2020-04-09 14:57:31 -04001025 ASSERT_TRUE(TRUST_TOKEN_ISSUER_issue(
1026 issuer.get(), &issue_resp, &resp_len, &tokens_issued, issue_msg, msg_len,
David Benjaminaa764c42020-04-29 12:39:10 -04001027 /*public_metadata=*/7, private_metadata(), /*max_issuance=*/1));
Steven Valdez78987bb2020-04-09 14:57:31 -04001028 bssl::UniquePtr<uint8_t> free_msg(issue_resp);
1029 size_t key_index;
1030 bssl::UniquePtr<STACK_OF(TRUST_TOKEN)> tokens(
1031 TRUST_TOKEN_CLIENT_finish_issuance(client.get(), &key_index, issue_resp,
1032 resp_len));
1033
1034 // If the unused private key is corrupted, then the DLEQ proof should succeed.
David Benjaminaa764c42020-04-29 12:39:10 -04001035 if ((corrupted_key() / 2 == 0 && private_metadata() == true) ||
1036 (corrupted_key() / 2 == 1 && private_metadata() == false)) {
Steven Valdez78987bb2020-04-09 14:57:31 -04001037 ASSERT_TRUE(tokens);
1038 } else {
1039 ASSERT_FALSE(tokens);
1040 }
1041}
1042
David Benjaminaa764c42020-04-29 12:39:10 -04001043INSTANTIATE_TEST_SUITE_P(TrustTokenAllBadKeyTest, TrustTokenBadKeyTest,
1044 testing::Combine(testing::ValuesIn(AllMethods()),
1045 testing::Bool(),
1046 testing::Values(0, 1, 2, 3, 4, 5)));
Steven Valdez78987bb2020-04-09 14:57:31 -04001047
Steven Valdez538a1242019-12-16 12:12:31 -05001048} // namespace
1049BSSL_NAMESPACE_END