fix: add test for advanced sign/verify for bitstring status list

Signed-off-by: Athan Massouras <[email protected]>

Author: Athan Massouras

src/bitstring_status_list/verifier.py

@@ -96,11 +96,11 @@ def verify_jwt(
             # Enveloping proof
 
             # Check that message is in valid JWT format 
-            headers_bytes, payload_bytes, signature = sl_response.split(b".")
+            headers_bytes, payload_bytes, signature = sl_response.split(b".", maxsplit=3)
             assert headers_bytes and payload_bytes and signature
 
             # Verify signature. verifier must be of type EnvelopingTokenVerifier
-            if not verifier(headers_bytes + b"." + payload_bytes, b64url_decode(signature)):
+            if not verifier(headers_bytes + b"." + payload_bytes, signature):
                 raise StatusVerificationError("Invalid signature on payload.")
 
             # Extract data

tests/test_bitstring_status_list.py

@@ -1,13 +1,11 @@
 import pytest
-from time import time
 
 from google.auth.crypt.es256 import ES256Signer, ES256Verifier
 from cryptography.hazmat.primitives.asymmetric import ec
-from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat
 
-from bit_array import BitArray
-from bitstring_status_list.issuer import BitstringStatusListIssuer, MIN_LIST_LENGTH
-from bitstring_status_list.verifier import BitstringStatusListVerifier
+from bit_array import b64url_encode, b64url_decode
+from bitstring_status_list.issuer import BitstringStatusListIssuer, EmbeddingTokenSigner, EnvelopingTokenSigner, MIN_LIST_LENGTH
+from bitstring_status_list.verifier import BitstringStatusListVerifier, EmbeddingTokenVerifier, EnvelopingTokenVerifier
 
 @pytest.fixture
 def status():
@@ -31,6 +29,38 @@ def trivial_embedding_verifier(payload: bytes, signature: dict) -> bool:
     """ Trivial verifier: always says that the signature is valid. """
     return True
 
+
+# More advanced verification
+ES256_KEY = ec.generate_private_key(ec.SECT233K1())
+
+@pytest.fixture
+def es256_enveloping_signer():
+    signer = ES256Signer(ES256_KEY)
+    def sign(payload: bytes) -> bytes:
+        return signer.sign(payload)
+    yield sign
+
+@pytest.fixture
+def es256_enveloping_verifier():
+    verifier = ES256Verifier(ES256_KEY.public_key())
+    def verify(payload: bytes, signature: bytes) -> bool:
+        return verifier.verify(payload, signature)
+    yield verify
+
+@pytest.fixture
+def es256_embedding_signer():
+    signer = ES256Signer(ES256_KEY)
+    def sign(payload: bytes) -> dict:
+        return {"proofValue": b64url_encode(signer.sign(payload)).decode()}
+    yield sign
+
+@pytest.fixture
+def es256_embedding_verifier():
+    verifier = ES256Verifier(ES256_KEY.public_key())
+    def verify(payload: bytes, signature: dict) -> bool:
+        return verifier.verify(payload, b64url_decode(signature["proofValue"].encode()))
+    yield verify
+
 def test_verify_jwt_basic_enveloping(status: BitstringStatusListIssuer):
     encoded_jwt = status.sign_jwt_enveloping(
         signer=trivial_enveloping_signer,
@@ -157,3 +187,59 @@ def test_status_message():
             "valid": not bool(bitstring[i]),
             "message": str(bitstring[i]),
         }
+
+def test_verify_es256_enveloping(
+        status: BitstringStatusListIssuer, 
+        es256_enveloping_signer: EnvelopingTokenSigner, 
+        es256_enveloping_verifier: EnvelopingTokenVerifier,
+):
+    encoded_jwt = status.sign_jwt_enveloping(
+        signer=es256_enveloping_signer,
+        alg="ES256",
+        kid="12",
+        status_purpose="revocation",
+    )
+
+    credential_status = {
+        "id": "https://example.com/credentials/status/3#94567",
+        "type": "BitstringStatusListEntry",
+        "statusPurpose": "revocation",
+        "statusListIndex": "0",
+        "statusListCredential": "https://example.com/credentials/status/3"
+    }
+
+    verifier = BitstringStatusListVerifier(credential_status)
+    verifier.verify_jwt(encoded_jwt, verifier=es256_enveloping_verifier)
+
+    for i in range(status.status_list.size):
+        assert verifier.get_status(i) == {
+            "status": status[i],
+            "valid": not bool(status[i])
+        }
+
+def test_verify_es256_embedding(
+        status: BitstringStatusListIssuer, 
+        es256_embedding_signer: EmbeddingTokenSigner, 
+        es256_embedding_verifier: EmbeddingTokenVerifier,
+):
+    encoded_jwt = status.sign_jwt_embedding(
+        signer=es256_embedding_signer,
+        status_purpose="revocation",
+    )
+
+    credential_status = {
+        "id": "https://example.com/credentials/status/3#94567",
+        "type": "BitstringStatusListEntry",
+        "statusPurpose": "revocation",
+        "statusListIndex": "0",
+        "statusListCredential": "https://example.com/credentials/status/3"
+    }
+
+    verifier = BitstringStatusListVerifier(credential_status)
+    verifier.verify_jwt(encoded_jwt, verifier=es256_embedding_verifier)
+
+    for i in range(status.status_list.size):
+        assert verifier.get_status(i) == {
+            "status": status[i],
+            "valid": not bool(status[i])
+        }

tests/test_token_status_list_verifier.py

@@ -5,7 +5,6 @@
 
 from google.auth.crypt.es256 import ES256Signer, ES256Verifier
 from cryptography.hazmat.primitives.asymmetric import ec
-from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat
 
 from bit_array import BitArray
 from token_status_list.issuer import TokenStatusListIssuer, ALG, KID, TYP, ISS, SUB, AUD, EXP, NBF, IAT, CTI, STATUS_LIST, TTL, KNOWN_ALGS_TO_CWT_ALG
@@ -38,14 +37,6 @@ def sign(payload: bytes) -> bytes:
 @pytest.fixture
 def es256_verifier():
     verifier = ES256Verifier(ES256_KEY.public_key())
-
-    p_key = ES256_KEY.public_key()
-    public_key_b = p_key.public_bytes(Encoding.X962, PublicFormat.UncompressedPoint)
-    print(public_key_b)
-
-    public_key_ds = ec.EllipticCurvePublicKey.from_encoded_point(ec.SECT233K1(), public_key_b)
-    print(p_key == public_key_ds)
-    
     def verify(payload: bytes, signature: bytes) -> bool:
         return verifier.verify(payload, signature)
     yield verify