// Check that if not on a revoked device that LogoutIfRevoked doesn't do anything. func TestLogoutIfRevokedNoop(t *testing.T) { tc := SetupEngineTest(t, "rev") defer tc.Cleanup() u := CreateAndSignupFakeUser(tc, "rev") AssertLoggedIn(tc) if err := tc.G.LogoutIfRevoked(); err != nil { t.Fatal(err) } AssertLoggedIn(tc) f := func() libkb.SecretUI { return u.NewSecretUI() } msg := []byte("test message") ret, err := SignED25519(tc.G, f, keybase1.SignED25519Arg{ Msg: msg, }) if err != nil { t.Fatal(err) } publicKey := libkb.NaclSigningKeyPublic(ret.PublicKey) if !publicKey.Verify(msg, (*libkb.NaclSignature)(&ret.Sig)) { t.Error(libkb.VerificationError{}) } }
// Sign implements the Crypto interface for CryptoClient. func (c *CryptoClient) Sign(ctx context.Context, msg []byte) ( sigInfo SignatureInfo, err error) { c.log.CDebugf(ctx, "Signing %d-byte message", len(msg)) defer func() { c.deferLog.CDebugf(ctx, "Signed %d-byte message with %s: err=%v", len(msg), sigInfo, err) }() timer := c.logAboutLongRPCUnlessCancelled(ctx, "SignED25519") defer timer.Stop() ed25519SigInfo, err := c.client.SignED25519(ctx, keybase1.SignED25519Arg{ Msg: msg, Reason: "to use kbfs", }) if err != nil { return } sigInfo = SignatureInfo{ Version: SigED25519, Signature: ed25519SigInfo.Sig[:], VerifyingKey: MakeVerifyingKey(libkb.NaclSigningKeyPublic(ed25519SigInfo.PublicKey).GetKID()), } return }
// Test that SignED25519() signs the given message with the device // signing key, and that the signature is verifiable by the returned // public key. // // (For general tests that valid signatures are accepted and invalid // signatures are rejected, see naclwrap_test.go.) func TestCryptoSignED25519(t *testing.T) { tc := SetupEngineTest(t, "crypto") defer tc.Cleanup() u := CreateAndSignupFakeUser(tc, "fu") secretUI := &libkb.TestSecretUI{Passphrase: u.Passphrase} msg := []byte("test message") ret, err := SignED25519(tc.G, secretUI, keybase1.SignED25519Arg{ Msg: msg, }) if err != nil { t.Fatal(err) } publicKey := libkb.NaclSigningKeyPublic(ret.PublicKey) if !publicKey.Verify(msg, (*libkb.NaclSignature)(&ret.Sig)) { t.Error(libkb.VerificationError{}) } }
func TestSignAfterRevoke(t *testing.T) { tc1 := SetupEngineTest(t, "rev") defer tc1.Cleanup() // We need two devices. Going to use GPG to sign second device. // Sign up on tc1: u := CreateAndSignupFakeUserGPG(tc1, "pgp") // Redo SetupEngineTest to get a new home directory...should look like a new device. tc2 := SetupEngineTest(t, "login") defer tc2.Cleanup() // We need the gpg keyring that's in the first device homedir: if err := tc1.MoveGpgKeyringTo(tc2); err != nil { t.Fatal(err) } // Login on device tc2. It will use gpg to sign the device. ctx := &Context{ ProvisionUI: newTestProvisionUIGPGImport(), LogUI: tc2.G.UI.GetLogUI(), SecretUI: u.NewSecretUI(), LoginUI: &libkb.TestLoginUI{Username: u.Username}, GPGUI: &gpgtestui{}, } li := NewLogin(tc2.G, libkb.DeviceTypeDesktop, "", keybase1.ClientType_CLI) if err := RunEngine(li, ctx); err != nil { t.Fatal(err) } // tc2 revokes tc1 device: err := doRevokeDevice(tc2, u, tc1.G.Env.GetDeviceID(), false) if err != nil { tc2.T.Fatal(err) } // Still logged in on tc1, a revoked device. f := func() libkb.SecretUI { return u.NewSecretUI() } // Test signing with (revoked) device key on tc1, which works... msg := []byte("test message") ret, err := SignED25519(tc1.G, f, keybase1.SignED25519Arg{ Msg: msg, }) if err != nil { t.Fatal(err) } publicKey := libkb.NaclSigningKeyPublic(ret.PublicKey) if !publicKey.Verify(msg, (*libkb.NaclSignature)(&ret.Sig)) { t.Error(libkb.VerificationError{}) } // This should log out tc1: if err := tc1.G.LogoutIfRevoked(); err != nil { t.Fatal(err) } AssertLoggedOut(tc1) // And now this should fail. ret, err = SignED25519(tc1.G, f, keybase1.SignED25519Arg{ Msg: msg, }) if err == nil { t.Fatal("nil error signing after LogoutIfRevoked") } if _, ok := err.(libkb.KeyRevokedError); !ok { t.Errorf("error type: %T, expected libkb.KeyRevokedError", err) } }