Swift Oberon support (#224)

fundthmcalculus · web-flow · commit 1a53a238f53d · 2021-10-22T11:39:24.000-04:00
diff --git a/python/tests/test_oberon.py b/python/tests/test_oberon.py
@@ -17,7 +17,7 @@ def test_oberon_demo(self):
 
         self.assertTrue(result.valid, "Proof should verify")
 
-    def test_demo_with_binding(self):
+    def test_demo_with_blinding(self):
         key = Oberon.create_key(CreateOberonKeyRequest())
         data = bytes("alice", "utf8")
         nonce = bytes("1234", "utf8")
@@ -58,4 +58,4 @@ def test_demo_with_binding(self):
         proof = Oberon.create_proof(proof_request)
         # Verifies tries to verify proof, fails
         result = Oberon.verify_proof(VerifyOberonProofRequest(data=data, nonce=nonce, pk=key.pk, proof=proof.proof))
-        self.assertFalse(result.valid)
+        self.assertFalse(result.valid)
diff --git a/swift/Okapi/Sources/OkapiSwift/Okapi.swift b/swift/Okapi/Sources/OkapiSwift/Okapi.swift
@@ -69,3 +69,53 @@ public struct DidComm {
         return response;
     }
 }
+
+public struct Oberon {
+    public static func createKey(request: Okapi_Security_V1_CreateOberonKeyRequest) throws -> Okapi_Security_V1_CreateOberonKeyResponse {
+        let response: Okapi_Security_V1_CreateOberonKeyResponse = try OkapiNative.nativeCall(request: request,
+                nativeFunction: { (requestBuffer, responseBufferPtr, errorBufferPtr) in
+                    oberon_create_key(requestBuffer, responseBufferPtr, errorBufferPtr)
+                });
+        return response;
+    }
+
+    public static func createProof(request: Okapi_Security_V1_CreateOberonProofRequest) throws -> Okapi_Security_V1_CreateOberonProofResponse {
+        let response: Okapi_Security_V1_CreateOberonProofResponse = try OkapiNative.nativeCall(request: request,
+                nativeFunction: { (requestBuffer, responseBufferPtr, errorBufferPtr) in
+                    oberon_create_proof(requestBuffer, responseBufferPtr, errorBufferPtr)
+                });
+        return response;
+    }
+
+    public static func createToken(request: Okapi_Security_V1_CreateOberonTokenRequest) throws -> Okapi_Security_V1_CreateOberonTokenResponse {
+        let response: Okapi_Security_V1_CreateOberonTokenResponse = try OkapiNative.nativeCall(request: request,
+                nativeFunction: { (requestBuffer, responseBufferPtr, errorBufferPtr) in
+                    oberon_create_token(requestBuffer, responseBufferPtr, errorBufferPtr)
+                });
+        return response;
+    }
+
+    public static func blindToken(request: Okapi_Security_V1_BlindOberonTokenRequest) throws -> Okapi_Security_V1_BlindOberonTokenResponse {
+        let response: Okapi_Security_V1_BlindOberonTokenResponse = try OkapiNative.nativeCall(request: request,
+                nativeFunction: { (requestBuffer, responseBufferPtr, errorBufferPtr) in
+                    oberon_blind_token(requestBuffer, responseBufferPtr, errorBufferPtr)
+                });
+        return response;
+    }
+
+    public static func unblindToken(request: Okapi_Security_V1_UnBlindOberonTokenRequest) throws -> Okapi_Security_V1_UnBlindOberonTokenResponse {
+        let response: Okapi_Security_V1_UnBlindOberonTokenResponse = try OkapiNative.nativeCall(request: request,
+                nativeFunction: { (requestBuffer, responseBufferPtr, errorBufferPtr) in
+                    oberon_unblind_token(requestBuffer, responseBufferPtr, errorBufferPtr)
+                });
+        return response;
+    }
+
+    public static func verifyProof(request: Okapi_Security_V1_VerifyOberonProofRequest) throws -> Okapi_Security_V1_VerifyOberonProofResponse {
+        let response: Okapi_Security_V1_VerifyOberonProofResponse = try OkapiNative.nativeCall(request: request,
+                nativeFunction: { (requestBuffer, responseBufferPtr, errorBufferPtr) in
+                    oberon_verify_proof(requestBuffer, responseBufferPtr, errorBufferPtr)
+                });
+        return response;
+    }
+}
diff --git a/swift/Okapi/Tests/OkapiTests/OberonTests.swift b/swift/Okapi/Tests/OkapiTests/OberonTests.swift
@@ -0,0 +1,106 @@
+//
+// Created by Scott Phillips on 9/8/21.
+//
+
+import XCTest
+import SwiftProtobuf
+import Foundation
+
+@testable import OkapiSwift
+
+final class OberonTests: XCTestCase {
+    func testOberonDemo() throws {
+        let key = try Oberon.createKey(request: Okapi_Security_V1_CreateOberonKeyRequest())
+        let data = "alice".data(using: .utf8) ?? Data()
+        let nonce = "1234".data(using: .utf8) ?? Data()
+        var createTokenRequest = Okapi_Security_V1_CreateOberonTokenRequest()
+        createTokenRequest.data = data
+        createTokenRequest.sk = key.sk
+        let token = try Oberon.createToken(request: createTokenRequest)
+        var createProofRequest = Okapi_Security_V1_CreateOberonProofRequest()
+        createProofRequest.data = data
+        createProofRequest.nonce = nonce
+        createProofRequest.token = token.token
+        let proof = try Oberon.createProof(request: createProofRequest)
+        var verifyProofRequest = Okapi_Security_V1_VerifyOberonProofRequest()
+        verifyProofRequest.data = data
+        verifyProofRequest.nonce = nonce
+        verifyProofRequest.pk = key.pk
+        verifyProofRequest.proof = proof.proof
+        let result = try Oberon.verifyProof(request: verifyProofRequest)
+
+        XCTAssertTrue(result.valid, "Proof should verify")
+    }
+
+    func testDemoWithBlinding() throws {
+        let key = try Oberon.createKey(request: Okapi_Security_V1_CreateOberonKeyRequest())
+        let data = "alice".data(using: .utf8) ?? Data()
+        let nonce = "1234".data(using: .utf8) ?? Data()
+
+        let issuer_2fa = "issuer code".data(using: .utf8) ?? Data()
+        var tokenRequest = Okapi_Security_V1_CreateOberonTokenRequest()
+        tokenRequest.data = data
+        tokenRequest.sk = key.sk
+        tokenRequest.blinding.append(issuer_2fa)
+        let blindedToken = try Oberon.createToken(request: tokenRequest)
+
+        // Holder unblinds the token
+        var unblindRequest = Okapi_Security_V1_UnBlindOberonTokenRequest()
+        unblindRequest.token = blindedToken.token
+        unblindRequest.blinding.append(issuer_2fa)
+        let token = try Oberon.unblindToken(request: unblindRequest)
+
+        // Holder prepares a proof without blinding
+        var createProofRequest = Okapi_Security_V1_CreateOberonProofRequest()
+        createProofRequest.data = data
+        createProofRequest.nonce = nonce
+        createProofRequest.token = token.token
+        var proof = try Oberon.createProof(request: createProofRequest)
+        // Verifier verifies the proof
+        var verifyProofRequest = Okapi_Security_V1_VerifyOberonProofRequest()
+        verifyProofRequest.data = data
+        verifyProofRequest.nonce = nonce
+        verifyProofRequest.pk = key.pk
+        verifyProofRequest.proof = proof.proof
+        var result = try Oberon.verifyProof(request: verifyProofRequest)
+        XCTAssertTrue(result.valid)
+
+        // Holder blinds the token with a personal pin
+        let userPin = "0042".data(using: .utf8) ?? Data()
+        var blindRequest = Okapi_Security_V1_BlindOberonTokenRequest()
+        blindRequest.token = token.token
+        blindRequest.blinding.append(userPin)
+
+        var userBlindedToken = try Oberon.blindToken(request: blindRequest)
+        var proofRequest = Okapi_Security_V1_CreateOberonProofRequest()
+        proofRequest.data = data
+        proofRequest.nonce = nonce
+        proofRequest.token = userBlindedToken.token
+        // Verifier verifies the proof
+        verifyProofRequest = Okapi_Security_V1_VerifyOberonProofRequest()
+        verifyProofRequest.data = data
+        verifyProofRequest.nonce = nonce
+        verifyProofRequest.pk = key.pk
+        verifyProofRequest.proof = proof.proof
+        result = try Oberon.verifyProof(request: verifyProofRequest)
+        XCTAssertTrue(result.valid)
+
+        // Bad actor creates a proof with incorrect blinding pin
+        let badPin = "invalid pin".data(using: .utf8) ?? Data()
+        proofRequest = Okapi_Security_V1_CreateOberonProofRequest()
+        proofRequest.data = data
+        proofRequest.nonce = nonce
+        proofRequest.token = userBlindedToken.token
+        proofRequest.blinding.append(badPin)
+
+        proof = try Oberon.createProof(request: proofRequest)
+        // Verify tries to verify proof, fails
+        verifyProofRequest = Okapi_Security_V1_VerifyOberonProofRequest()
+        verifyProofRequest.data = data
+        verifyProofRequest.nonce = nonce
+        verifyProofRequest.pk = key.pk
+        verifyProofRequest.proof = proof.proof
+        result = try Oberon.verifyProof(request: verifyProofRequest)
+        XCTAssertFalse(result.valid, "Bad actor cannot verify")
+    }
+}
