
1#![no_std]
2
3mod authenticator;
4mod device;
5mod server;
6mod shared;
7#[cfg(test)]
8mod test_vectors;
9
10pub use authenticator::{ZeroTouchAuthenticator, ZeroTouchAuthenticatorWaitVoucherResp};
11pub use device::{ZeroTouchDevice, ZeroTouchDeviceDone, ZeroTouchDeviceWaitEAD2};
12pub use server::{ZeroTouchServer, ZeroTouchServerUserAcl};
13
/// Protocol constants shared by the device, authenticator and server sides.
pub mod consts {
    /// EAD label of the authz item exchanged in message_1 / message_2.
    // NOTE: in lake-authz-draft-01 it is still TBD1
    pub const EAD_AUTHZ_LABEL: u16 = 1;
    /// Label that tags the `info` input when K_1 is derived (distinct from the IV_1 label).
    pub const EAD_AUTHZ_INFO_K_1_LABEL: u8 = 0;
    /// Label that tags the `info` input when IV_1 is derived.
    pub const EAD_AUTHZ_INFO_IV_1_LABEL: u8 = 1;
    /// Byte length of the Enc_structure the authz encryption is computed over.
    /// The `2 + 8 + 3` split is kept on purpose so the per-field sizes stay visible;
    /// which term covers which field should be confirmed against the encoder in `shared`.
    pub const EAD_AUTHZ_ENC_STRUCTURE_LEN: usize = 2 + 8 + 3;
}
20
/// Errors reported by the zero-touch (EAD authz) entities in this crate.
#[derive(PartialEq, Debug)]
// `repr(C)` pins the C layout, so the variant order below is part of the ABI: do not reorder.
#[repr(C)]
pub enum ZeroTouchError {
    /// The EAD item did not carry the expected label (presumably `consts::EAD_AUTHZ_LABEL`;
    /// confirm in the parser).
    InvalidEADLabel,
    /// The EAD item had no value where the authz payload was expected.
    EmptyEADValue,
    /// The voucher received in EAD_2 failed verification on the device side.
    VoucherVerificationFailed,
}
28
#[cfg(test)]
mod test_authz {
    use crate::{
        authenticator::ZeroTouchAuthenticator, device::ZeroTouchDevice, server::ZeroTouchServer,
        test_vectors::*,
    };
    use lakers_crypto::default_crypto;
    use lakers_shared::EDHOCError;

    /// Device side (U) built from the shared test vectors.
    fn device_from_test_vectors() -> ZeroTouchDevice {
        ZeroTouchDevice::new(
            ID_U_TV.try_into().unwrap(),
            G_W_TV.try_into().unwrap(),
            LOC_W_TV.try_into().unwrap(),
        )
    }

    /// Full round trip: device -> authenticator -> server -> authenticator -> device.
    ///
    /// Intermediate results are `.unwrap()`ed on purpose: the detailed error cases are
    /// covered by each entity's own tests, this one only checks that the pieces fit together.
    #[test]
    fn test_complete_flow() {
        let device = device_from_test_vectors();
        let authenticator = ZeroTouchAuthenticator::default();
        let server_w = ZeroTouchServer::new(
            W_TV.try_into().unwrap(),
            CRED_V_TV.try_into().unwrap(),
            Some(ACL_TV.try_into().unwrap()),
        );

        // Device side: ead_1 is what travels inside message_1.
        let (mut device, ead_1) = device.prepare_ead_1(
            &mut default_crypto(),
            G_XW_TV.try_into().unwrap(),
            SS_TV,
        );
        device.set_h_message_1(H_MESSAGE_1_TV.try_into().unwrap());

        // Authenticator side: ead_1 plus message_1 become a voucher request for the server at loc_w.
        let (authenticator, _loc_w, voucher_request) = authenticator
            .process_ead_1(&ead_1, &MESSAGE_1_WITH_EAD_TV.try_into().unwrap())
            .unwrap();

        // Over the network this would be: let Ok(voucher_response) = auth_client.post(loc_w, voucher_request)
        let voucher_response = server_w
            .handle_voucher_request(&mut default_crypto(), &voucher_request)
            .unwrap();

        // ead_2 carries the voucher back inside message_2.
        let ead_2 = authenticator.prepare_ead_2(&voucher_response).unwrap();

        // Device side: the voucher must verify when checked against CRED_V.
        let verdict = device.process_ead_2(&mut default_crypto(), ead_2, CRED_V_TV);
        assert!(verdict.is_ok());
    }

    /// Same flow, but the server is configured with an ACL that does not authorize this
    /// device (`ACL_INVALID_TV`): the voucher request must be refused with `AccessDenied`,
    /// so no voucher is ever issued.
    #[test]
    fn test_complete_flow_unauthorized() {
        let device = device_from_test_vectors();
        let authenticator = ZeroTouchAuthenticator::default();
        let server_w = ZeroTouchServer::new(
            W_TV.try_into().unwrap(),
            CRED_V_TV.try_into().unwrap(),
            Some(ACL_INVALID_TV.try_into().unwrap()),
        );

        let (mut device, ead_1) = device.prepare_ead_1(
            &mut default_crypto(),
            G_XW_TV.try_into().unwrap(),
            SS_TV,
        );
        device.set_h_message_1(H_MESSAGE_1_TV.try_into().unwrap());

        let (_authenticator, _loc_w, voucher_request) = authenticator
            .process_ead_1(&ead_1, &MESSAGE_1_WITH_EAD_TV.try_into().unwrap())
            .unwrap();

        // The ACL check is the only thing that should fail here.
        let refusal = server_w
            .handle_voucher_request(&mut default_crypto(), &voucher_request)
            .unwrap_err();
        assert_eq!(refusal, EDHOCError::AccessDenied);
    }
}