Add trust-promo tests

Cargo.lock

@@ -125,9 +125,9 @@ checksum = "1fd0f2584146f6f2ef48085050886acf353beff7305ebd1ae69500e27c67f64b"
 
 [[package]]
 name = "cc"
-version = "1.2.29"
+version = "1.2.31"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5c1599538de2394445747c8cf7935946e3cc27e9625f889d979bfb2aaf569362"
+checksum = "c3a42d84bb6b69d3a8b3eaacf0d88f179e1929695e1ad012b6cf64d9caaa5fd2"
 dependencies = [
  "shlex",
 ]
@@ -226,9 +226,9 @@ dependencies = [
 
 [[package]]
 name = "curve25519-dalek"
-version = "4.2.0"
+version = "4.1.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "373b7c5dbd637569a2cca66e8d66b8c446a1e7bf064ea321d265d7b3dfe7c97e"
+checksum = "97fb8b7c4503de7d6ae7b42ab72a5a59857b4c937ec27a3d4539dba95b5ab2be"
 dependencies = [
  "cfg-if",
  "cpufeatures",
@@ -310,9 +310,9 @@ dependencies = [
 
 [[package]]
 name = "dyn-clone"
-version = "1.0.19"
+version = "1.0.20"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1c7a8fb8a9fbf66c1f703fe16184d10ca0ee9d23be5b4436400408ba54a95005"
+checksum = "d0881ea181b1df73ff77ffaaf9c7544ecc11e82fba9b5f27b262a3c73a332555"
 
 [[package]]
 name = "ed25519"
@@ -374,9 +374,9 @@ dependencies = [
 
 [[package]]
 name = "fiat-crypto"
-version = "0.3.0"
+version = "0.2.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "64cd1e32ddd350061ae6edb1b082d7c54915b5c672c389143b9a63403a109f24"
+checksum = "28dea519a9695b9977216879a3ebfddf92f1c08c05d984f8996aecd6ecdc811d"
 
 [[package]]
 name = "fnv"
@@ -837,9 +837,9 @@ dependencies = [
 
 [[package]]
 name = "serde_json"
-version = "1.0.140"
+version = "1.0.142"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "20068b6e96dc6c9bd23e01df8827e6c7e1f2fddd43c21810382803c136b99373"
+checksum = "030fedb782600dcbd6f02d479bf0d817ac3bb40d644745b769d6a96bc3afc5a7"
 dependencies = [
  "itoa",
  "memchr",
@@ -928,6 +928,7 @@ dependencies = [
  "num-traits",
  "rand",
  "sha3",
+ "subtle",
  "thiserror 1.0.69",
  "zerocopy",
  "zeroize",

src/migration_table.rs

@@ -94,7 +94,7 @@ pub fn encrypt_cred(
     let mut K = MigrationKey::using_privkey(migrationkey_priv);
     K.lox_id = Some(id);
     K.from_bucket = Some(from_bucket);
-    let coeff: Scalar = K.compute_MAC_coeff(&migrationkey_priv).unwrap();
+    let coeff: Scalar = K.compute_MAC_coeff(migrationkey_priv).unwrap();
     K.MAC.Q = Pktable * &WnafScalar::new(&coeff);
 
     // Compute a MAC (P, Q) on the Migration credential
@@ -249,8 +249,8 @@ pub fn decrypt_cred(
     let mut to_bucket_bytes: [u8; 32] = [0; 32];
     to_bucket_bytes.copy_from_slice(&plaintextbytes[..32]);
     let to_bucket = Scalar::from_bytes_mod_order(to_bucket_bytes);
-    let mut rng = rand::rngs::OsRng;
-    let r = Scalar::random(&mut rng);
+    let rng = &mut rand::thread_rng();
+    let r = Scalar::random(rng);
     let P = r * CompressedRistretto::from_slice(&plaintextbytes[32..64])
         .expect("Unable to extract P from bucket")
         .decompress()?;

src/mock_auth.rs

@@ -47,9 +47,11 @@ impl TestHarness {
         Self { bdb, ba }
     }
 
-    // pub fn advance_days(&mut self, days: u16) {
-    //     self.ba.advance_days(days);
-    // }
+    pub fn advance_days(&mut self, days: u32) {
+        if days > 0 {
+            self.ba.time_offset += time::Duration::days(days.into());
+        }
+    }
 
     /// Verify the two MACs on a Lox credential
     pub fn verify_lox(&self, cred: &lox_creds::Lox) {

src/proto/trust_promotion.rs

@@ -68,7 +68,7 @@ muCMZProtocol! { trust_promotion<credential_expiry, eligibility_max_age>,
 pub fn request(
     rng: &mut (impl CryptoRng + RngCore),
     L: Lox,
-    mig_pubkeys: CMZPubkey<G>,
+    migkey_pubkeys: CMZPubkey<G>,
     today: u32,
 ) -> Result<(trust_promotion::Request, trust_promotion::ClientState), CredentialError> {
     cmz_group_init(G::hash_from_bytes::<Sha512>(b"CMZ Generator A"));
@@ -108,14 +108,10 @@ pub fn request(
         credential_expiry: (eligibility_max_age - 511).into(),
         eligibility_max_age: eligibility_max_age.into(),
     };
-
-    match trust_promotion::prepare(
-        rng,
-        SESSION_ID,
-        &L,
-        MigrationKey::using_pubkey(&mig_pubkeys),
-        &params,
-    ) {
+    let mut M = MigrationKey::using_pubkey(&migkey_pubkeys);
+    M.lox_id = L.id;
+    M.from_bucket = L.bucket;
+    match trust_promotion::prepare(rng, SESSION_ID, &L, M, &params) {
         Ok(req_state) => Ok(req_state),
         Err(e) => Err(CredentialError::CMZError(e)),
     }
@@ -144,7 +140,6 @@ impl BridgeAuth {
             |L: &mut Lox, M: &mut MigrationKey| {
                 L.set_privkey(&self.lox_priv);
                 M.set_privkey(&self.migrationkey_priv);
-                M.lox_id = L.id;
                 let eligibility_max_age = today - UNTRUSTED_INTERVAL;
                 Ok(trust_promotion::Params {
                     credential_expiry: (eligibility_max_age - 511).into(),
@@ -198,3 +193,59 @@ pub fn handle_response(
         None => Err(CMZError::Unknown),
     }
 }
+
+#[cfg(all(test, feature = "bridgeauth"))]
+mod tests {
+    use super::*;
+    use crate::mock_auth::TestHarness;
+    use crate::proto::{open_invite, trust_promotion};
+
+    #[test]
+    fn test_trust_promotion() {
+        let mut th = TestHarness::new();
+        let rng = &mut rand::thread_rng();
+        let open_invitation_request = open_invite::request(rng, th.ba.lox_pub.clone());
+        assert!(
+            open_invitation_request.is_ok(),
+            "Open invitation request should succeed"
+        );
+        let (request, client_state) = open_invitation_request.unwrap();
+        let invite = th.bdb.invite();
+        let open_invitation_response = th.ba.open_invitation(request, &invite.unwrap());
+        assert!(
+            open_invitation_response.is_ok(),
+            "Open invitation response from server should succeed"
+        );
+        let (response, _) = open_invitation_response.unwrap();
+        let creds = open_invite::handle_response(client_state, response);
+        println!("{}", th.ba.today());
+        assert!(creds.is_ok(), "Handle response should succeed");
+        th.advance_days((UNTRUSTED_INTERVAL + 1).try_into().unwrap());
+        println!("{}", th.ba.today());
+        let trust_promo_request = trust_promotion::request(
+            rng,
+            creds.unwrap(),
+            th.ba.migrationkey_pub.clone(),
+            th.ba.today(),
+        );
+        assert!(
+            trust_promo_request.is_ok(),
+            "Trust Promotion request should succeed"
+        );
+        let (tp_request, tp_client_state) = trust_promo_request.unwrap();
+        let trust_promo_response = th.ba.handle_trust_promotion(tp_request);
+        assert!(
+            trust_promo_response.is_ok(),
+            "Trust promotion response from server should succeed"
+        );
+        let (response, enc) = trust_promo_response.unwrap();
+        let creds = trust_promotion::handle_response(
+            th.ba.migration_pub.clone(),
+            tp_client_state,
+            response,
+            enc,
+        );
+        assert!(creds.is_ok(), "Handle response should succeed");
+        th.verify_migration(&creds.unwrap());
+    }
+}