github.com/jcmturner/gokrb5/v8@v8.4.4/gssapi/MICToken_test.go (about)

     1  package gssapi
     2  
     3  import (
     4  	"encoding/binary"
     5  	"encoding/hex"
     6  	"testing"
     7  
     8  	"github.com/jcmturner/gokrb5/v8/iana/keyusage"
     9  	"github.com/jcmturner/gokrb5/v8/types"
    10  	"github.com/stretchr/testify/assert"
    11  )
    12  
// Hex-encoded fixtures shared by the MIC token tests.
//
// Both token vectors are 28 bytes long. The helpers in this file read bytes
// 8-15 as the big-endian sequence number and bytes 16 onwards as the checksum;
// the first 8 bytes are the token header (token ID, flags, filler).
const (
	// testMICPayload is the message the checksums in the vectors below were
	// computed over. It is not part of the token bytes.
	testMICPayload = "deadbeef"
	// What a kerberized server might send
	testMICChallengeFromAcceptor = "040401ffffffffff00000000575e85d6c34d12ba3e5b1b1310cd9cb3"
	// What an initiator client could reply
	testMICChallengeReplyFromInitiator = "040400ffffffffff00000000000000009649ca09d2f1bc51ff6e5ca3"
)

// Key usage values passed to Verify, one per signing direction.
const (
	acceptorSign  = keyusage.GSSAPI_ACCEPTOR_SIGN
	initiatorSign = keyusage.GSSAPI_INITIATOR_SIGN
)
    23  
// getMICChallengeReference builds the MICToken that the acceptor test vector
// testMICChallengeFromAcceptor is expected to decode to. The sequence number
// and checksum are sliced out of the vector itself (bytes 8-15 and 16 onwards);
// the payload is left nil.
func getMICChallengeReference() *MICToken {
	// The input is a constant, so the decode error is ignored here.
	raw, _ := hex.DecodeString(testMICChallengeFromAcceptor)
	ref := new(MICToken)
	ref.Flags = MICTokenFlagSentByAcceptor
	ref.SndSeqNum = binary.BigEndian.Uint64(raw[8:16])
	ref.Payload = nil
	ref.Checksum = raw[16:]
	return ref
}
    33  
// getMICChallengeReferenceNoChksum returns the acceptor reference token with
// its Checksum field cleared.
func getMICChallengeReferenceNoChksum() *MICToken {
	ref := getMICChallengeReference()
	ref.Checksum = nil
	return ref
}
    39  
// getMICResponseReference builds the MICToken that the initiator test vector
// testMICChallengeReplyFromInitiator is expected to decode to: no flags set,
// sequence number zero, nil payload, and the checksum taken from byte 16
// onwards of the vector.
func getMICResponseReference() *MICToken {
	// The input is a constant, so the decode error is ignored here.
	raw, _ := hex.DecodeString(testMICChallengeReplyFromInitiator)
	ref := new(MICToken)
	ref.Flags = 0x00
	ref.SndSeqNum = 0
	ref.Payload = nil
	ref.Checksum = raw[16:]
	return ref
}
    49  
// getMICResponseReferenceNoChkSum returns the initiator reference token with
// its Checksum field cleared, for tests that need a token that has not been
// signed.
func getMICResponseReferenceNoChkSum() *MICToken {
	ref := getMICResponseReference()
	ref.Checksum = nil
	return ref
}
    55  
// TestUnmarshal_MICChallenge decodes the acceptor test vector while expecting
// an acceptor-sent token and compares the result with the reference token.
func TestUnmarshal_MICChallenge(t *testing.T) {
	t.Parallel()
	raw, _ := hex.DecodeString(testMICChallengeFromAcceptor)
	got := MICToken{}
	unmarshalErr := got.Unmarshal(raw, true)
	assert.Nil(t, unmarshalErr, "Unexpected error occurred.")
	want := getMICChallengeReference()
	assert.Equal(t, want, &got, "Token not decoded as expected.")
}
    64  
// TestUnmarshalFailure_MICChallenge feeds the acceptor test vector to Unmarshal
// while expecting an initiator-sent token. The direction mismatch must be
// reported as an error, and the receiver must be left with zero-valued fields
// so that a rejected token cannot be used by mistake.
func TestUnmarshalFailure_MICChallenge(t *testing.T) {
	t.Parallel()
	const untouched = "Token fields should not have been initialised"
	raw, _ := hex.DecodeString(testMICChallengeFromAcceptor)
	tok := MICToken{}
	unmarshalErr := tok.Unmarshal(raw, false)
	assert.NotNil(t, unmarshalErr, "Expected error did not occur: a message from the acceptor cannot be expected to be sent from the initiator.")
	assert.Nil(t, tok.Payload, untouched)
	assert.Nil(t, tok.Checksum, untouched)
	assert.Equal(t, byte(0x00), tok.Flags, untouched)
	assert.Equal(t, uint64(0), tok.SndSeqNum, untouched)
}
    76  
// TestUnmarshal_MICChallengeReply decodes the initiator test vector while
// expecting an initiator-sent token and compares the result with the reference
// token.
func TestUnmarshal_MICChallengeReply(t *testing.T) {
	t.Parallel()
	raw, _ := hex.DecodeString(testMICChallengeReplyFromInitiator)
	got := MICToken{}
	unmarshalErr := got.Unmarshal(raw, false)
	assert.Nil(t, unmarshalErr, "Unexpected error occurred.")
	want := getMICResponseReference()
	assert.Equal(t, want, &got, "Token not decoded as expected.")
}
    85  
// TestUnmarshalFailure_MICChallengeReply feeds the initiator test vector to
// Unmarshal while expecting an acceptor-sent token. The direction mismatch must
// be reported as an error, and the receiver must be left with zero-valued
// fields so that a rejected token cannot be used by mistake.
func TestUnmarshalFailure_MICChallengeReply(t *testing.T) {
	t.Parallel()
	const untouched = "Token fields should not have been initialised"
	raw, _ := hex.DecodeString(testMICChallengeReplyFromInitiator)
	tok := MICToken{}
	unmarshalErr := tok.Unmarshal(raw, true)
	assert.NotNil(t, unmarshalErr, "Expected error did not occur: a message from the initiator cannot be expected to be sent from the acceptor.")
	assert.Nil(t, tok.Payload, untouched)
	assert.Nil(t, tok.Checksum, untouched)
	assert.Equal(t, byte(0x00), tok.Flags, untouched)
	assert.Equal(t, uint64(0), tok.SndSeqNum, untouched)
}
    97  
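// TestMICChallengeChecksumVerification verifies the checksum of the acceptor
// test vector over testMICPayload, using the session key and the acceptor-sign
// key usage.
func TestMICChallengeChecksumVerification(t *testing.T) {
	t.Parallel()
	challenge, _ := hex.DecodeString(testMICChallengeFromAcceptor)
	var mt MICToken
	// Stop on a decode failure so it is not misreported as a checksum failure.
	if err := mt.Unmarshal(challenge, true); err != nil {
		t.Fatalf("unmarshalling the acceptor test vector: %v", err)
	}
	// The payload is not part of the token bytes; attach it before verifying.
	mt.Payload, _ = hex.DecodeString(testMICPayload)
	challengeOk, cErr := mt.Verify(getSessionKey(), acceptorSign)
	assert.Nil(t, cErr, "Error occurred during checksum verification.")
	assert.True(t, challengeOk, "Checksum verification failed.")
}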
   108  
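// TestMICResponseChecksumVerification verifies the checksum of the initiator
// test vector over testMICPayload, using the session key and the
// initiator-sign key usage.
func TestMICResponseChecksumVerification(t *testing.T) {
	t.Parallel()
	reply, _ := hex.DecodeString(testMICChallengeReplyFromInitiator)
	var mt MICToken
	// Stop on a decode failure so it is not misreported as a checksum failure.
	if err := mt.Unmarshal(reply, false); err != nil {
		t.Fatalf("unmarshalling the initiator test vector: %v", err)
	}
	// The payload is not part of the token bytes; attach it before verifying.
	mt.Payload, _ = hex.DecodeString(testMICPayload)
	replyOk, rErr := mt.Verify(getSessionKey(), initiatorSign)
	assert.Nil(t, rErr, "Error occurred during checksum verification.")
	assert.True(t, replyOk, "Checksum verification failed.")
}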
   119  
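// TestMICChecksumVerificationFailure checks that Verify rejects an otherwise
// valid acceptor token when either the key usage or the key is wrong.
//
// The payload is attached first, exactly as the passing verification tests do,
// so that the key usage or the key is the only thing wrong in each case. The
// token bytes do not carry the payload, so without this step Verify has no
// message to checksum and the negative assertions could pass without the wrong
// key or key usage ever being exercised.
func TestMICChecksumVerificationFailure(t *testing.T) {
	t.Parallel()
	challenge, _ := hex.DecodeString(testMICChallengeFromAcceptor)
	var mt MICToken
	// Stop on a decode failure so it is not mistaken for the expected rejection.
	if err := mt.Unmarshal(challenge, true); err != nil {
		t.Fatalf("unmarshalling the acceptor test vector: %v", err)
	}
	mt.Payload, _ = hex.DecodeString(testMICPayload)

	// Test a failure with the correct key but wrong keyusage:
	challengeOk, cErr := mt.Verify(getSessionKey(), initiatorSign)
	assert.NotNil(t, cErr, "Expected error did not occur.")
	assert.False(t, challengeOk, "Checksum verification succeeded when it should have failed.")

	wrongKeyVal, _ := hex.DecodeString("14f9bde6b50ec508201a97f74c4effff")
	badKey := types.EncryptionKey{
		KeyType:  sessionKeyType,
		KeyValue: wrongKeyVal,
	}
	// Test a failure with the wrong key but correct keyusage:
	wrongKeyOk, wkErr := mt.Verify(badKey, acceptorSign)
	assert.NotNil(t, wkErr, "Expected error did not occur.")
	assert.False(t, wrongKeyOk, "Checksum verification succeeded when it should have failed.")
}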
   141  
// TestMarshal_MICChallenge marshals the acceptor reference token and expects
// the hex encoding of the result to equal the acceptor test vector.
func TestMarshal_MICChallenge(t *testing.T) {
	t.Parallel()
	ref := getMICChallengeReference()
	encoded, _ := ref.Marshal()
	gotHex := hex.EncodeToString(encoded)
	assert.Equal(t, testMICChallengeFromAcceptor, gotHex,
		"Marshalling did not yield the expected result.")
}
   148  
// TestMarshal_MICChallengeReply marshals the initiator reference token and
// expects the hex encoding of the result to equal the initiator test vector.
func TestMarshal_MICChallengeReply(t *testing.T) {
	t.Parallel()
	ref := getMICResponseReference()
	encoded, _ := ref.Marshal()
	gotHex := hex.EncodeToString(encoded)
	assert.Equal(t, testMICChallengeReplyFromInitiator, gotHex,
		"Marshalling did not yield the expected result.")
}
   155  
// TestMarshal_MICFailures checks that a token with no checksum cannot be
// marshalled: Marshal must return an error and no bytes, so an unsigned token
// is never put on the wire.
func TestMarshal_MICFailures(t *testing.T) {
	t.Parallel()
	unsigned := getMICResponseReferenceNoChkSum()
	encoded, marshalErr := unsigned.Marshal()
	assert.Nil(t, encoded, "No bytes should be returned.")
	assert.NotNil(t, marshalErr, "Expected an error as no checksum was set")
}
   163  
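// TestNewInitiatorMICTokenSignatureAndMarshalling builds an initiator token
// over testMICPayload with the session key and expects it to equal the
// initiator reference token: same flags, sequence number and checksum.
func TestNewInitiatorMICTokenSignatureAndMarshalling(t *testing.T) {
	t.Parallel()
	payload, _ := hex.DecodeString(testMICPayload)
	token, tErr := NewInitiatorMICToken(payload, getSessionKey())
	// Check the error and the pointer before touching the token, so that a
	// failed construction is reported as a test failure rather than a nil
	// dereference panic.
	if !assert.Nil(t, tErr, "Unexpected error.") {
		return
	}
	if !assert.NotNil(t, token, "No token was returned.") {
		return
	}
	// The reference token has a nil payload, so clear it before comparing.
	token.Payload = nil
	assert.Equal(t, getMICResponseReference(), token, "Token failed to be marshalled to the expected bytes.")
}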