func (as *assertsSuite) TestSignWithoutAuthorityMisuse(c *C) {
_, err := asserts.SignWithoutAuthority(asserts.TestOnlyType, nil, nil, testPrivKey1)
c.Check(err, ErrorMatches, `cannot sign assertions needing a definite authority with SignWithoutAuthority`)
_, err = asserts.SignWithoutAuthority(asserts.TestOnlyNoAuthorityType,
map[string]interface{}{
"authority-id": "auth-id1",
"hdr": "FOO",
}, nil, testPrivKey1)
c.Check(err, ErrorMatches, `"test-only-no-authority" assertion cannot have authority-id set`)
}
func (ss *serialSuite) TestSerialRequestHappy(c *C) {
sreq, err := asserts.SignWithoutAuthority(asserts.SerialRequestType,
map[string]interface{}{
"brand-id": "brand-id1",
"model": "baz-3000",
"device-key": ss.encodedDevKey,
"request-id": "REQID",
}, []byte("HW-DETAILS"), ss.deviceKey)
c.Assert(err, IsNil)
// roundtrip
a, err := asserts.Decode(asserts.Encode(sreq))
c.Assert(err, IsNil)
sreq2, ok := a.(*asserts.SerialRequest)
c.Assert(ok, Equals, true)
// standalone signature check
err = asserts.SignatureCheck(sreq2, sreq2.DeviceKey())
c.Check(err, IsNil)
c.Check(sreq2.BrandID(), Equals, "brand-id1")
c.Check(sreq2.Model(), Equals, "baz-3000")
c.Check(sreq2.RequestID(), Equals, "REQID")
c.Check(sreq2.Serial(), Equals, "")
}
func (ss *serialSuite) TestDeviceSessionRequest(c *C) {
ts := time.Now().UTC().Round(time.Second)
sessReq, err := asserts.SignWithoutAuthority(asserts.DeviceSessionRequestType,
map[string]interface{}{
"brand-id": "brand-id1",
"model": "baz-3000",
"serial": "99990",
"nonce": "NONCE",
"timestamp": ts.Format(time.RFC3339),
}, nil, ss.deviceKey)
c.Assert(err, IsNil)
// roundtrip
a, err := asserts.Decode(asserts.Encode(sessReq))
c.Assert(err, IsNil)
sessReq2, ok := a.(*asserts.DeviceSessionRequest)
c.Assert(ok, Equals, true)
// standalone signature check
err = asserts.SignatureCheck(sessReq2, ss.deviceKey.PublicKey())
c.Check(err, IsNil)
c.Check(sessReq2.BrandID(), Equals, "brand-id1")
c.Check(sessReq2.Model(), Equals, "baz-3000")
c.Check(sessReq2.Serial(), Equals, "99990")
c.Check(sessReq2.Nonce(), Equals, "NONCE")
c.Check(sessReq2.Timestamp().Equal(ts), Equals, true)
}
func (aks *accountKeySuite) TestAccountKeyRequestUntil(c *C) {
db := aks.openDB(c)
aks.prereqAccount(c, db)
tests := []struct {
untilHeader string
until time.Time
}{
{"", time.Time{}}, // zero time default
{aks.until.Format(time.RFC3339), aks.until}, // in the future
{aks.since.Format(time.RFC3339), aks.since}, // same as since
}
for _, test := range tests {
c.Log(test)
headers := map[string]interface{}{
"account-id": "acc-id1",
"name": "default",
"public-key-sha3-384": aks.keyID,
"since": aks.since.Format(time.RFC3339),
}
if test.untilHeader != "" {
headers["until"] = test.untilHeader
}
akr, err := asserts.SignWithoutAuthority(asserts.AccountKeyRequestType, headers, []byte(aks.pubKeyBody), aks.privKey)
c.Assert(err, IsNil)
a, err := asserts.Decode(asserts.Encode(akr))
c.Assert(err, IsNil)
akr2 := a.(*asserts.AccountKeyRequest)
c.Check(akr2.Until(), Equals, test.until)
err = db.Check(akr2)
c.Check(err, IsNil)
}
}
func (aks *accountKeySuite) TestAccountKeyRequestHappy(c *C) {
akr, err := asserts.SignWithoutAuthority(asserts.AccountKeyRequestType,
map[string]interface{}{
"account-id": "acc-id1",
"name": "default",
"public-key-sha3-384": aks.keyID,
"since": aks.since.Format(time.RFC3339),
}, []byte(aks.pubKeyBody), aks.privKey)
c.Assert(err, IsNil)
// roundtrip
a, err := asserts.Decode(asserts.Encode(akr))
c.Assert(err, IsNil)
akr2, ok := a.(*asserts.AccountKeyRequest)
c.Assert(ok, Equals, true)
db := aks.openDB(c)
aks.prereqAccount(c, db)
err = db.Check(akr2)
c.Check(err, IsNil)
c.Check(akr2.AccountID(), Equals, "acc-id1")
c.Check(akr2.Name(), Equals, "default")
c.Check(akr2.PublicKeyID(), Equals, aks.keyID)
c.Check(akr2.Since(), Equals, aks.since)
}
func generateSerialRequestAssertion() (string, error) {
privateKey, err := generatePrivateKey()
if err != nil {
return "", err
}
encodedPubKey, err := asserts.EncodePublicKey(privateKey.PublicKey())
if err != nil {
return "", err
}
// Generate a request-id
r, _ := getRequestID()
headers := map[string]interface{}{
"brand-id": request.Brand,
"device-key": string(encodedPubKey),
"request-id": r,
"model": request.Model,
"serial": request.SerialNumber,
}
sreq, err := asserts.SignWithoutAuthority(asserts.SerialRequestType, headers, []byte(""), privateKey)
if err != nil {
return "", err
}
assertSR := asserts.Encode(sreq)
return string(assertSR), nil
}
// DeviceSessionRequest produces a device-session-request with the given nonce, it also returns the device serial assertion.
func (m *DeviceManager) DeviceSessionRequest(nonce string) (*asserts.DeviceSessionRequest, *asserts.Serial, error) {
m.state.Lock()
defer m.state.Unlock()
serial, err := Serial(m.state)
if err != nil {
return nil, nil, err
}
privKey, err := m.keyPair()
if err != nil {
return nil, nil, err
}
a, err := asserts.SignWithoutAuthority(asserts.DeviceSessionRequestType, map[string]interface{}{
"brand-id": serial.BrandID(),
"model": serial.Model(),
"serial": serial.Serial(),
"nonce": nonce,
"timestamp": time.Now().UTC().Format(time.RFC3339),
}, nil, privKey)
if err != nil {
return nil, nil, err
}
return a.(*asserts.DeviceSessionRequest), serial, err
}
func (safs *signAddFindSuite) TestAddNoAuthorityNoPrimaryKey(c *C) {
headers := map[string]interface{}{
"hdr": "FOO",
}
a, err := asserts.SignWithoutAuthority(asserts.TestOnlyNoAuthorityType, headers, nil, testPrivKey0)
c.Assert(err, IsNil)
err = safs.db.Add(a)
c.Assert(err, ErrorMatches, `internal error: assertion type "test-only-no-authority" has no primary key`)
}
func (ss *serialSuite) TestSignatureCheckError(c *C) {
sreq, err := asserts.SignWithoutAuthority(asserts.TestOnlyNoAuthorityType,
map[string]interface{}{
"hdr": "FOO",
}, nil, testPrivKey1)
c.Assert(err, IsNil)
err = asserts.SignatureCheck(sreq, testPrivKey2.PublicKey())
c.Check(err, ErrorMatches, `failed signature verification:.*`)
}
func (safs *signAddFindSuite) TestAddNoAuthorityButPrimaryKey(c *C) {
headers := map[string]interface{}{
"pk": "primary",
}
a, err := asserts.SignWithoutAuthority(asserts.TestOnlyNoAuthorityPKType, headers, nil, testPrivKey0)
c.Assert(err, IsNil)
err = safs.db.Add(a)
c.Assert(err, ErrorMatches, `cannot check no-authority assertion type "test-only-no-authority-pk"`)
}
func prepareSerialRequest(t *state.Task, privKey asserts.PrivateKey, device *auth.DeviceState, client *http.Client, cfg *serialRequestConfig) (string, error) {
st := t.State()
st.Unlock()
defer st.Lock()
req, err := http.NewRequest("POST", cfg.requestIDURL, nil)
if err != nil {
return "", fmt.Errorf("internal error: cannot create request-id request %q", cfg.requestIDURL)
}
cfg.applyHeaders(req)
resp, err := client.Do(req)
if err != nil {
return "", retryErr(t, "cannot retrieve request-id for making a request for a serial: %v", err)
}
defer resp.Body.Close()
if resp.StatusCode != 200 {
return "", retryErr(t, "cannot retrieve request-id for making a request for a serial: unexpected status %d", resp.StatusCode)
}
dec := json.NewDecoder(resp.Body)
var requestID requestIDResp
err = dec.Decode(&requestID)
if err != nil { // assume broken i/o
return "", retryErr(t, "cannot read response with request-id for making a request for a serial: %v", err)
}
encodedPubKey, err := asserts.EncodePublicKey(privKey.PublicKey())
if err != nil {
return "", fmt.Errorf("internal error: cannot encode device public key: %v", err)
}
headers := map[string]interface{}{
"brand-id": device.Brand,
"model": device.Model,
"request-id": requestID.RequestID,
"device-key": string(encodedPubKey),
}
if cfg.proposedSerial != "" {
headers["serial"] = cfg.proposedSerial
}
serialReq, err := asserts.SignWithoutAuthority(asserts.SerialRequestType, headers, cfg.body, privKey)
if err != nil {
return "", err
}
return string(asserts.Encode(serialReq)), nil
}
func (aks *accountKeySuite) TestAccountKeyRequestNoAccount(c *C) {
headers := map[string]interface{}{
"account-id": "acc-id1",
"name": "default",
"public-key-sha3-384": aks.keyID,
"since": aks.since.Format(time.RFC3339),
}
akr, err := asserts.SignWithoutAuthority(asserts.AccountKeyRequestType, headers, []byte(aks.pubKeyBody), aks.privKey)
c.Assert(err, IsNil)
db := aks.openDB(c)
err = db.Check(akr)
c.Assert(err, ErrorMatches, `account-key-request assertion for "acc-id1" does not have a matching account assertion`)
}
func (x *cmdExportKey) Execute(args []string) error {
if len(args) > 0 {
return ErrExtraArgs
}
keyName := string(x.Positional.KeyName)
if keyName == "" {
keyName = "default"
}
manager := asserts.NewGPGKeypairManager()
if x.Account != "" {
privKey, err := manager.GetByName(keyName)
if err != nil {
return err
}
pubKey := privKey.PublicKey()
headers := map[string]interface{}{
"account-id": x.Account,
"name": keyName,
"public-key-sha3-384": pubKey.ID(),
"since": time.Now().UTC().Format(time.RFC3339),
// XXX: To support revocation, we need to check for matching known assertions and set a suitable revision if we find one.
}
body, err := asserts.EncodePublicKey(pubKey)
if err != nil {
return err
}
assertion, err := asserts.SignWithoutAuthority(asserts.AccountKeyRequestType, headers, body, privKey)
if err != nil {
return err
}
fmt.Fprint(Stdout, string(asserts.Encode(assertion)))
} else {
encoded, err := manager.Export(keyName)
if err != nil {
return err
}
fmt.Fprintf(Stdout, "%s\n", encoded)
}
return nil
}
func (ss *serialSuite) TestSerialProofHappy(c *C) {
sproof, err := asserts.SignWithoutAuthority(asserts.SerialProofType,
map[string]interface{}{
"nonce": "NONCE",
}, nil, ss.deviceKey)
c.Assert(err, IsNil)
// roundtrip
a, err := asserts.Decode(asserts.Encode(sproof))
c.Assert(err, IsNil)
sproof2, ok := a.(*asserts.SerialProof)
c.Assert(ok, Equals, true)
// standalone signature check
err = asserts.SignatureCheck(sproof2, ss.deviceKey.PublicKey())
c.Check(err, IsNil)
c.Check(sproof2.Nonce(), Equals, "NONCE")
}
func generateSerialRequestAssertion(model, serial string) (string, error) {
privateKey, _ := generatePrivateKey()
encodedPubKey, _ := asserts.EncodePublicKey(privateKey.PublicKey())
headers := map[string]interface{}{
"brand-id": "System",
"device-key": string(encodedPubKey),
"request-id": "REQID",
"model": model,
}
body := fmt.Sprintf("serial: %s", serial)
sreq, err := asserts.SignWithoutAuthority(asserts.SerialRequestType, headers, []byte(body), privateKey)
if err != nil {
return "", err
}
assertSR := asserts.Encode(sreq)
return string(assertSR), nil
}
func prepareSerialRequest(t *state.Task, privKey asserts.PrivateKey, device *auth.DeviceState, client *http.Client) (string, error) {
st := t.State()
st.Unlock()
defer st.Lock()
resp, err := client.Post(requestIDURL, "", nil)
if err != nil {
return "", retryErr(t, "cannot retrieve request-id for making a request for a serial: %v", err)
}
defer resp.Body.Close()
if resp.StatusCode != 200 {
return "", retryErr(t, "cannot retrieve request-id for making a request for a serial: unexpected status %d", resp.StatusCode)
}
dec := json.NewDecoder(resp.Body)
var requestID requestIDResp
err = dec.Decode(&requestID)
if err != nil { // assume broken i/o
return "", retryErr(t, "cannot read response with request-id for making a request for a serial: %v", err)
}
encodedPubKey, err := asserts.EncodePublicKey(privKey.PublicKey())
if err != nil {
return "", fmt.Errorf("internal error: cannot encode device public key: %v", err)
}
serialReq, err := asserts.SignWithoutAuthority(asserts.SerialRequestType, map[string]interface{}{
"brand-id": device.Brand,
"model": device.Model,
"request-id": requestID.RequestID,
"device-key": string(encodedPubKey),
}, nil, privKey) // XXX: fill body with some agreed hardware details
if err != nil {
return "", err
}
return string(asserts.Encode(serialReq)), nil
}
func (aks *accountKeySuite) TestAccountKeyRequestAddAndFind(c *C) {
akr, err := asserts.SignWithoutAuthority(asserts.AccountKeyRequestType,
map[string]interface{}{
"account-id": "acc-id1",
"name": "default",
"public-key-sha3-384": aks.keyID,
"since": aks.since.Format(time.RFC3339),
}, []byte(aks.pubKeyBody), aks.privKey)
c.Assert(err, IsNil)
db := aks.openDB(c)
aks.prereqAccount(c, db)
err = db.Add(akr)
c.Assert(err, IsNil)
found, err := db.Find(asserts.AccountKeyRequestType, map[string]string{
"account-id": "acc-id1",
"public-key-sha3-384": aks.keyID,
})
c.Assert(err, IsNil)
c.Assert(found, NotNil)
c.Check(found.Body(), DeepEquals, []byte(aks.pubKeyBody))
}