From b93f1cb85a9e61418c9418462ac7549e04c7edaa Mon Sep 17 00:00:00 2001 From: Vivien Kraus Date: Mon, 30 Nov 2020 21:39:32 +0100 Subject: Implement the DPoP proof --- tests/Makefile.am | 9 ++++++++- tests/dpop-proof-iat-in-future.scm | 37 +++++++++++++++++++++++++++++++++++ tests/dpop-proof-iat-too-late.scm | 37 +++++++++++++++++++++++++++++++++++ tests/dpop-proof-replay.scm | 40 ++++++++++++++++++++++++++++++++++++++ tests/dpop-proof-valid.scm | 30 ++++++++++++++++++++++++++++ tests/dpop-proof-wrong-htm.scm | 37 +++++++++++++++++++++++++++++++++++ tests/dpop-proof-wrong-htu.scm | 37 +++++++++++++++++++++++++++++++++++ tests/dpop-proof-wrong-key.scm | 37 +++++++++++++++++++++++++++++++++++ 8 files changed, 263 insertions(+), 1 deletion(-) create mode 100644 tests/dpop-proof-iat-in-future.scm create mode 100644 tests/dpop-proof-iat-too-late.scm create mode 100644 tests/dpop-proof-replay.scm create mode 100644 tests/dpop-proof-valid.scm create mode 100644 tests/dpop-proof-wrong-htm.scm create mode 100644 tests/dpop-proof-wrong-htu.scm create mode 100644 tests/dpop-proof-wrong-key.scm (limited to 'tests') diff --git a/tests/Makefile.am b/tests/Makefile.am index 1959c84..37a4a82 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -16,7 +16,14 @@ TESTS = %reldir%/load-library.scm \ %reldir%/jws.scm \ %reldir%/cache-valid.scm \ %reldir%/cache-revalidate.scm \ - %reldir%/oidc-configuration.scm + %reldir%/oidc-configuration.scm \ + %reldir%/dpop-proof-valid.scm \ + %reldir%/dpop-proof-wrong-htm.scm \ + %reldir%/dpop-proof-wrong-htu.scm \ + %reldir%/dpop-proof-iat-in-future.scm \ + %reldir%/dpop-proof-iat-too-late.scm \ + %reldir%/dpop-proof-wrong-key.scm \ + %reldir%/dpop-proof-replay.scm EXTRA_DIST += $(TESTS) diff --git a/tests/dpop-proof-iat-in-future.scm b/tests/dpop-proof-iat-in-future.scm new file mode 100644 index 0000000..7444a02 --- /dev/null +++ b/tests/dpop-proof-iat-in-future.scm @@ -0,0 +1,37 @@ +(use-modules (webid-oidc dpop-proof) + (webid-oidc jti) + (webid-oidc jwk) + (webid-oidc testing) + (webid-oidc errors) + (web uri) + (srfi srfi-19) + (web response)) + +(with-test-environment + "dpop-proof-iat-in-future" + (lambda () + (define jwk (generate-key #:n-size 2048)) + (define cnf (jkt jwk)) + (define blacklist (make-jti-list)) + (define proof + (issue-dpop-proof + jwk + #:alg 'RS256 + #:htm 'GET + #:htu (string->uri "https://example.com/res#frag") + #:iat (time-utc->date (make-time time-utc 0 10)))) + (with-exception-handler + (lambda (error) + (unless ((record-predicate &dpop-signed-in-future) + ((record-accessor &cannot-decode-dpop-proof 'cause) error)) + (raise-exception error))) + (lambda () + (dpop-proof-decode (time-utc->date (make-time time-utc 0 0)) + blacklist + 'GET + (string->uri "https://example.com/res?query") + proof + cnf) + (exit 2)) + #:unwind? #t + #:unwind-for-type &cannot-decode-dpop-proof))) diff --git a/tests/dpop-proof-iat-too-late.scm b/tests/dpop-proof-iat-too-late.scm new file mode 100644 index 0000000..1a56f22 --- /dev/null +++ b/tests/dpop-proof-iat-too-late.scm @@ -0,0 +1,37 @@ +(use-modules (webid-oidc dpop-proof) + (webid-oidc jti) + (webid-oidc jwk) + (webid-oidc testing) + (webid-oidc errors) + (web uri) + (srfi srfi-19) + (web response)) + +(with-test-environment + "dpop-proof-iat-too-late" + (lambda () + (define jwk (generate-key #:n-size 2048)) + (define cnf (jkt jwk)) + (define blacklist (make-jti-list)) + (define proof + (issue-dpop-proof + jwk + #:alg 'RS256 + #:htm 'GET + #:htu (string->uri "https://example.com/res#frag") + #:iat (time-utc->date (make-time time-utc 0 0)))) + (with-exception-handler + (lambda (error) + (unless ((record-predicate &dpop-too-old) + ((record-accessor &cannot-decode-dpop-proof 'cause) error)) + (raise-exception error))) + (lambda () + (dpop-proof-decode (time-utc->date (make-time time-utc 0 600)) + blacklist + 'GET + (string->uri "https://example.com/res?query") + proof + cnf) + (exit 2)) + #:unwind? #t + #:unwind-for-type &cannot-decode-dpop-proof))) diff --git a/tests/dpop-proof-replay.scm b/tests/dpop-proof-replay.scm new file mode 100644 index 0000000..b527dce --- /dev/null +++ b/tests/dpop-proof-replay.scm @@ -0,0 +1,40 @@ +(use-modules (webid-oidc dpop-proof) + (webid-oidc jti) + (webid-oidc jwk) + (webid-oidc testing) + (webid-oidc errors) + (web uri) + (srfi srfi-19) + (web response)) + +(with-test-environment + "dpop-proof-replay" + (lambda () + (define jwk (generate-key #:n-size 2048)) + (define cnf (jkt jwk)) + (define blacklist (make-jti-list)) + (define proof + (issue-dpop-proof + jwk + #:alg 'RS256 + #:htm 'GET + #:htu (string->uri "https://example.com/res#frag") + #:iat (time-utc->date (make-time time-utc 0 0)))) + (define (decode) + (dpop-proof-decode (time-utc->date (make-time time-utc 0 10)) + blacklist + 'GET + (string->uri "https://example.com/res?query") + proof + cnf)) + (define decoded-once (decode)) + (with-exception-handler + (lambda (error) + (unless ((record-predicate &jti-found) + ((record-accessor &cannot-decode-dpop-proof 'cause) error)) + (raise-exception error))) + (lambda () + (decode) + (exit 2)) + #:unwind? #t + #:unwind-for-type &cannot-decode-dpop-proof))) diff --git a/tests/dpop-proof-valid.scm b/tests/dpop-proof-valid.scm new file mode 100644 index 0000000..a05a223 --- /dev/null +++ b/tests/dpop-proof-valid.scm @@ -0,0 +1,30 @@ +(use-modules (webid-oidc dpop-proof) + (webid-oidc jti) + (webid-oidc jwk) + (webid-oidc testing) + (web uri) + (srfi srfi-19) + (web response)) + +(with-test-environment + "dpop-proof-valid" + (lambda () + (define jwk (generate-key #:n-size 2048)) + (define cnf (jkt jwk)) + (define blacklist (make-jti-list)) + (define proof + (issue-dpop-proof + jwk + #:alg 'RS256 + #:htm 'GET + #:htu (string->uri "https://example.com/res#frag") + #:iat (time-utc->date (make-time time-utc 0 0)))) + (define decoded + (dpop-proof-decode (time-utc->date (make-time time-utc 0 10)) + blacklist + 'GET + (string->uri "https://example.com/res?query") + proof + cnf)) + (unless decoded + (exit 1)))) diff --git a/tests/dpop-proof-wrong-htm.scm b/tests/dpop-proof-wrong-htm.scm new file mode 100644 index 0000000..4531a44 --- /dev/null +++ b/tests/dpop-proof-wrong-htm.scm @@ -0,0 +1,37 @@ +(use-modules (webid-oidc dpop-proof) + (webid-oidc jti) + (webid-oidc jwk) + (webid-oidc testing) + (webid-oidc errors) + (web uri) + (srfi srfi-19) + (web response)) + +(with-test-environment + "dpop-proof-wrong-htm" + (lambda () + (define jwk (generate-key #:n-size 2048)) + (define cnf (jkt jwk)) + (define blacklist (make-jti-list)) + (define proof + (issue-dpop-proof + jwk + #:alg 'RS256 + #:htm 'POST + #:htu (string->uri "https://example.com/res#frag") + #:iat (time-utc->date (make-time time-utc 0 0)))) + (with-exception-handler + (lambda (error) + (unless ((record-predicate &dpop-method-mismatch) + ((record-accessor &cannot-decode-dpop-proof 'cause) error)) + (raise-exception error))) + (lambda () + (dpop-proof-decode (time-utc->date (make-time time-utc 0 10)) + blacklist + 'GET + (string->uri "https://example.com/res?query") + proof + cnf) + (exit 2)) + #:unwind? #t + #:unwind-for-type &cannot-decode-dpop-proof))) diff --git a/tests/dpop-proof-wrong-htu.scm b/tests/dpop-proof-wrong-htu.scm new file mode 100644 index 0000000..f8ecb29 --- /dev/null +++ b/tests/dpop-proof-wrong-htu.scm @@ -0,0 +1,37 @@ +(use-modules (webid-oidc dpop-proof) + (webid-oidc jti) + (webid-oidc jwk) + (webid-oidc testing) + (webid-oidc errors) + (web uri) + (srfi srfi-19) + (web response)) + +(with-test-environment + "dpop-proof-wrong-htu" + (lambda () + (define jwk (generate-key #:n-size 2048)) + (define cnf (jkt jwk)) + (define blacklist (make-jti-list)) + (define proof + (issue-dpop-proof + jwk + #:alg 'RS256 + #:htm 'GET + #:htu (string->uri "https://example.com/other-res#frag") + #:iat (time-utc->date (make-time time-utc 0 0)))) + (with-exception-handler + (lambda (error) + (unless ((record-predicate &dpop-uri-mismatch) + ((record-accessor &cannot-decode-dpop-proof 'cause) error)) + (raise-exception error))) + (lambda () + (dpop-proof-decode (time-utc->date (make-time time-utc 0 10)) + blacklist + 'GET + (string->uri "https://example.com/res?query") + proof + cnf) + (exit 2)) + #:unwind? #t + #:unwind-for-type &cannot-decode-dpop-proof))) diff --git a/tests/dpop-proof-wrong-key.scm b/tests/dpop-proof-wrong-key.scm new file mode 100644 index 0000000..9ea98ee --- /dev/null +++ b/tests/dpop-proof-wrong-key.scm @@ -0,0 +1,37 @@ +(use-modules (webid-oidc dpop-proof) + (webid-oidc jti) + (webid-oidc jwk) + (webid-oidc testing) + (webid-oidc errors) + (web uri) + (srfi srfi-19) + (web response)) + +(with-test-environment + "dpop-proof-wrong-key" + (lambda () + (define jwk (generate-key #:n-size 2048)) + (define cnf (jkt (generate-key #:n-size 2048))) + (define blacklist (make-jti-list)) + (define proof + (issue-dpop-proof + jwk + #:alg 'RS256 + #:htm 'GET + #:htu (string->uri "https://example.com/res#frag") + #:iat (time-utc->date (make-time time-utc 0 0)))) + (with-exception-handler + (lambda (error) + (unless ((record-predicate &dpop-unconfirmed-key) + ((record-accessor &cannot-decode-dpop-proof 'cause) error)) + (raise-exception error))) + (lambda () + (dpop-proof-decode (time-utc->date (make-time time-utc 0 10)) + blacklist + 'GET + (string->uri "https://example.com/res?query") + proof + cnf) + (exit 2)) + #:unwind? #t + #:unwind-for-type &cannot-decode-dpop-proof))) -- cgit v1.2.3