def check_issuer_cert(testcase, issuer_cert, expected_trc_version=None):
"""
Check that the issuer certificate can be verified with a TRC.
Check that the certificate is issued by the expected_trc_version, if set.
"""
testcase.assertIsNotNone(issuer_cert)
cert = issuer_cert.certificate
cert_pld = jws.decode_payload(cert)
testcase.assertEqual(cert_pld["version"], issuer_cert.version)
testcase.assertEqual(cert_pld["subject"], issuer_cert.AS.isd_as_str())
subject_ia = cert_pld["subject"]
subject_as = subject_ia.split('-')[1]
trc_version = cert_pld["issuer"]["trc_version"]
if expected_trc_version is not None:
testcase.assertEqual(trc_version, expected_trc_version)
trc = TRC.objects.get(isd=issuer_cert.AS.isd, version=trc_version)
trc_pld = jws.decode_payload(trc.trc)
issuing_grant_pub_key = trc_pld["primary_ases"][subject_as]["keys"][
"issuing_grant"]["key"]
sig_valid = jws.verify(cert["payload"], cert["protected"],
cert["signature"], issuing_grant_pub_key)
testcase.assertTrue(sig_valid)
def check_cert_chain(testcase, cert_chain):
"""
Check that the AS's certificate chain can be verified with the issuer certificate.
"""
testcase.assertIsNotNone(cert_chain)
leaf = cert_chain.certificate[1]
leaf_pld = jws.decode_payload(leaf)
testcase.assertEqual(leaf_pld["version"], cert_chain.version)
testcase.assertEqual(leaf_pld["subject"], cert_chain.AS.isd_as_str())
issuer = leaf_pld["issuer"]
issuer_ia = issuer["isd_as"]
issuer_as = issuer_ia.split('-')[1]
issuer_ver = issuer["certificate_version"]
# Check that the issuer certificate in the chain is identical to the issuer cert in the DB:
issuer_cert = Certificate.objects.get(type=Certificate.ISSUER,
AS__as_id=issuer_as,
version=issuer_ver)
testcase.assertEqual(issuer_cert.certificate, cert_chain.certificate[0])
# Verify the signature
issuer_pld = jws.decode_payload(issuer_cert.certificate)
issuer_pub_key = issuer_pld["keys"]["issuing"]["key"]
sig_valid = jws.verify(leaf["payload"], leaf["protected"],
leaf["signature"], issuer_pub_key)
testcase.assertTrue(sig_valid)
def test_verify(trc,
expected_votes: List[Tuple[str, str, Key]],
expected_pops: List[Tuple[str, str, Key]]) -> bool:
"""
Verify that the TRC was signed with (exactly) the given signing keys.
WARNING: for testing only!
"""
payload_enc = trc['payload']
signatures = trc['signatures']
expected_signatures = [
(as_id, 'vote', usage, key) for as_id, usage, key in expected_votes
] + [
(as_id, 'proof_of_possession', usage, key) for as_id, usage, key in expected_pops
]
remaining_signatures = {(as_id, type, usage, key.version): key.pub_key
for as_id, type, usage, key in expected_signatures}
for signature in signatures:
protected_enc = signature['protected']
protected = jws.decode(protected_enc)
as_id = protected['as']
type = protected['type']
key_usage = protected['key_type']
key_version = protected['key_version']
# assume that other fields in protected header are fine.
pub_key = remaining_signatures.pop((as_id, type, key_usage, key_version))
if not pub_key:
return False
if not jws.verify(payload_enc, protected_enc, signature['signature'], pub_key):
return False
if remaining_signatures:
return False
return True