|
12 | 12 | }; |
13 | 13 | use FediE2EE\PKD\Crypto\Protocol\Actions\{ |
14 | 14 | AddKey, |
15 | | - RevokeKey |
| 15 | + RevokeKey, |
| 16 | + RevokeKeyThirdParty |
16 | 17 | }; |
| 18 | +use FediE2EE\PKD\Crypto\Revocation; |
17 | 19 | use FediE2EE\PKD\Crypto\Exceptions\{ |
18 | 20 | BundleException, |
19 | 21 | CryptoException, |
@@ -373,31 +375,45 @@ public function testRevokeKeyWithPeerRewrapping(): void |
373 | 375 | ]); |
374 | 376 | $peerId = (int) $db->lastInsertId(); |
375 | 377 |
|
376 | | - // 2. Setup actor and add key |
| 378 | + // 2. Setup actor and add two keys |
377 | 379 | [, $canonical] = $this->makeDummyActor('example.net'); |
378 | | - $keypair = SecretKey::generate(); |
| 380 | + $keypair1 = SecretKey::generate(); |
| 381 | + $keypair2 = SecretKey::generate(); |
379 | 382 |
|
380 | 383 | $this->clearOldTransaction($config); |
381 | 384 | $protocol = new Protocol($config); |
382 | | - $protocol->setWebFinger($this->createWebFingerMock($config, $canonical, 2)); |
| 385 | + $protocol->setWebFinger($this->createWebFingerMock($config, $canonical, 4)); |
383 | 386 |
|
384 | | - $this->addKeyForActor($canonical, $keypair, $protocol, $config); |
| 387 | + // Add key1 (self-signed) |
| 388 | + $this->addKeyForActor($canonical, $keypair1, $protocol, $config); |
385 | 389 | $this->assertNotInTransaction(); |
386 | 390 |
|
387 | | - // Clear rewrapped keys from addKey to check revokeKey's work |
388 | | - $db->safeQuery("DELETE FROM pkd_merkle_leaf_rewrapped_keys"); |
389 | | - |
390 | | - // 3. Revoke key |
| 391 | + // Add key2 (signed by key1) |
391 | 392 | /** @var MerkleState $merkleState */ |
392 | 393 | $merkleState = $this->table('MerkleState'); |
393 | | - $latestRoot = $merkleState->getLatestRoot(); |
394 | 394 | $serverHpke = $config->getHPKE(); |
395 | 395 | $handler = new Handler(); |
396 | | - $revokeKey = new \FediE2EE\PKD\Crypto\Protocol\Actions\RevokeKey($canonical, $keypair->getPublicKey()); |
| 396 | + |
| 397 | + $latestRoot = $merkleState->getLatestRoot(); |
| 398 | + $addKey2 = new AddKey($canonical, $keypair2->getPublicKey()); |
| 399 | + $akm2 = new AttributeKeyMap() |
| 400 | + ->addKey('actor', SymmetricKey::generate()) |
| 401 | + ->addKey('public-key', SymmetricKey::generate()); |
| 402 | + $bundle2 = $handler->handle($addKey2->encrypt($akm2), $keypair1, $akm2, $latestRoot); |
| 403 | + $encrypted2 = $handler->hpkeEncrypt($bundle2, $serverHpke->encapsKey, $serverHpke->cs); |
| 404 | + $protocol->addKey($encrypted2, $canonical); |
| 405 | + $this->assertNotInTransaction(); |
| 406 | + |
| 407 | + // Clear rewrapped keys from addKey to check revokeKey's work |
| 408 | + $db->safeQuery("DELETE FROM pkd_merkle_leaf_rewrapped_keys"); |
| 409 | + |
| 410 | + // 3. Revoke key2 (signed by key1) |
| 411 | + $latestRoot = $merkleState->getLatestRoot(); |
| 412 | + $revokeKey = new RevokeKey($canonical, $keypair2->getPublicKey()); |
397 | 413 | $akm = new AttributeKeyMap(); |
398 | 414 | $akm->addKey('actor', SymmetricKey::generate()); |
399 | 415 | $akm->addKey('public-key', SymmetricKey::generate()); |
400 | | - $bundle = $handler->handle($revokeKey->encrypt($akm), $keypair, $akm, $latestRoot); |
| 416 | + $bundle = $handler->handle($revokeKey->encrypt($akm), $keypair1, $akm, $latestRoot); |
401 | 417 | $encrypted = $handler->hpkeEncrypt($bundle, $serverHpke->encapsKey, $serverHpke->cs); |
402 | 418 | $protocol->revokeKey($encrypted, $canonical); |
403 | 419 |
|
@@ -663,21 +679,19 @@ public function testAddAndRevoke(): void |
663 | 679 | $this->assertCount(1, $body['public-keys']); |
664 | 680 | $this->assertSame($keypair1->getPublicKey()->toString(), $body['public-keys'][0]['public-key']); |
665 | 681 |
|
666 | | - // 2. RevokeKey (signed by key 1) |
| 682 | + // 2. RevokeKeyThirdParty (uses revocation token to revoke last key) |
667 | 683 | $latestRoot2 = $merkleState->getLatestRoot(); |
668 | | - $revokeKey = new RevokeKey($canonical, $keypair1->getPublicKey()); |
669 | | - $akm2 = new AttributeKeyMap() |
670 | | - ->addKey('actor', SymmetricKey::generate()) |
671 | | - ->addKey('public-key', SymmetricKey::generate()); |
672 | | - $encryptedMsg2 = $revokeKey->encrypt($akm2); |
673 | | - $bundle2 = $handler->handle($encryptedMsg2, $keypair1, $akm2, $latestRoot2); |
674 | | - $encryptedForServer2 = $handler->hpkeEncrypt( |
675 | | - $bundle2, |
676 | | - $serverHpke->encapsKey, |
677 | | - $serverHpke->cs, |
| 684 | + $revocation = new Revocation(); |
| 685 | + $token = $revocation->revokeThirdParty($keypair1); |
| 686 | + $revokeAction = new RevokeKeyThirdParty($token); |
| 687 | + $bundle2 = $handler->handle( |
| 688 | + $revokeAction, |
| 689 | + $keypair1, |
| 690 | + new AttributeKeyMap(), |
| 691 | + $latestRoot2 |
678 | 692 | ); |
679 | 693 | $this->assertNotInTransaction(); |
680 | | - $protocol->revokeKey($encryptedForServer2, $canonical); |
| 694 | + $protocol->revokeKeyThirdParty($bundle2->toString()); |
681 | 695 | $this->assertNotInTransaction(); |
682 | 696 |
|
683 | 697 | // Verify with HTTP request |
|
0 commit comments