// Check that if not on a revoked device that LogoutIfRevoked doesn't do anything.
func TestLogoutIfRevokedNoop(t *testing.T) {
tc := SetupEngineTest(t, "rev")
defer tc.Cleanup()
u := CreateAndSignupFakeUser(tc, "rev")
AssertLoggedIn(tc)
if err := tc.G.LogoutIfRevoked(); err != nil {
t.Fatal(err)
}
AssertLoggedIn(tc)
f := func() libkb.SecretUI {
return u.NewSecretUI()
}
msg := []byte("test message")
ret, err := SignED25519(tc.G, f, keybase1.SignED25519Arg{
Msg: msg,
})
if err != nil {
t.Fatal(err)
}
publicKey := libkb.NaclSigningKeyPublic(ret.PublicKey)
if !publicKey.Verify(msg, (*libkb.NaclSignature)(&ret.Sig)) {
t.Error(libkb.VerificationError{})
}
}
// Sign implements the Crypto interface for CryptoClient.
func (c *CryptoClient) Sign(ctx context.Context, msg []byte) (
sigInfo SignatureInfo, err error) {
c.log.CDebugf(ctx, "Signing %d-byte message", len(msg))
defer func() {
c.deferLog.CDebugf(ctx, "Signed %d-byte message with %s: err=%v", len(msg),
sigInfo, err)
}()
timer := c.logAboutLongRPCUnlessCancelled(ctx, "SignED25519")
defer timer.Stop()
ed25519SigInfo, err := c.client.SignED25519(ctx, keybase1.SignED25519Arg{
Msg: msg,
Reason: "to use kbfs",
})
if err != nil {
return
}
sigInfo = SignatureInfo{
Version: SigED25519,
Signature: ed25519SigInfo.Sig[:],
VerifyingKey: MakeVerifyingKey(libkb.NaclSigningKeyPublic(ed25519SigInfo.PublicKey).GetKID()),
}
return
}
// Test that SignED25519() signs the given message with the device
// signing key, and that the signature is verifiable by the returned
// public key.
//
// (For general tests that valid signatures are accepted and invalid
// signatures are rejected, see naclwrap_test.go.)
func TestCryptoSignED25519(t *testing.T) {
tc := SetupEngineTest(t, "crypto")
defer tc.Cleanup()
u := CreateAndSignupFakeUser(tc, "fu")
secretUI := &libkb.TestSecretUI{Passphrase: u.Passphrase}
msg := []byte("test message")
ret, err := SignED25519(tc.G, secretUI, keybase1.SignED25519Arg{
Msg: msg,
})
if err != nil {
t.Fatal(err)
}
publicKey := libkb.NaclSigningKeyPublic(ret.PublicKey)
if !publicKey.Verify(msg, (*libkb.NaclSignature)(&ret.Sig)) {
t.Error(libkb.VerificationError{})
}
}
func TestSignAfterRevoke(t *testing.T) {
tc1 := SetupEngineTest(t, "rev")
defer tc1.Cleanup()
// We need two devices. Going to use GPG to sign second device.
// Sign up on tc1:
u := CreateAndSignupFakeUserGPG(tc1, "pgp")
// Redo SetupEngineTest to get a new home directory...should look like a new device.
tc2 := SetupEngineTest(t, "login")
defer tc2.Cleanup()
// We need the gpg keyring that's in the first device homedir:
if err := tc1.MoveGpgKeyringTo(tc2); err != nil {
t.Fatal(err)
}
// Login on device tc2. It will use gpg to sign the device.
ctx := &Context{
ProvisionUI: newTestProvisionUIGPGImport(),
LogUI: tc2.G.UI.GetLogUI(),
SecretUI: u.NewSecretUI(),
LoginUI: &libkb.TestLoginUI{Username: u.Username},
GPGUI: &gpgtestui{},
}
li := NewLogin(tc2.G, libkb.DeviceTypeDesktop, "", keybase1.ClientType_CLI)
if err := RunEngine(li, ctx); err != nil {
t.Fatal(err)
}
// tc2 revokes tc1 device:
err := doRevokeDevice(tc2, u, tc1.G.Env.GetDeviceID(), false)
if err != nil {
tc2.T.Fatal(err)
}
// Still logged in on tc1, a revoked device.
f := func() libkb.SecretUI {
return u.NewSecretUI()
}
// Test signing with (revoked) device key on tc1, which works...
msg := []byte("test message")
ret, err := SignED25519(tc1.G, f, keybase1.SignED25519Arg{
Msg: msg,
})
if err != nil {
t.Fatal(err)
}
publicKey := libkb.NaclSigningKeyPublic(ret.PublicKey)
if !publicKey.Verify(msg, (*libkb.NaclSignature)(&ret.Sig)) {
t.Error(libkb.VerificationError{})
}
// This should log out tc1:
if err := tc1.G.LogoutIfRevoked(); err != nil {
t.Fatal(err)
}
AssertLoggedOut(tc1)
// And now this should fail.
ret, err = SignED25519(tc1.G, f, keybase1.SignED25519Arg{
Msg: msg,
})
if err == nil {
t.Fatal("nil error signing after LogoutIfRevoked")
}
if _, ok := err.(libkb.KeyRevokedError); !ok {
t.Errorf("error type: %T, expected libkb.KeyRevokedError", err)
}
}
