Google Git
Sign in
fuchsia / third_party / tink / 837cb690988e5ce1b929bfdf6fb4cafdb44a2531 / . / cc / jwt / internal / jwt_rsa_ssa_pss_sign_verify_key_manager_test.cc
blob: cb835ff0f3234b5c0d68dd89ec56fcfdc0c3e956 [file] [log] [blame]
// Copyright 2021 Google LLC.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
////////////////////////////////////////////////////////////////////////////////
#include "gmock/gmock.h"
#include "gtest/gtest.h"
#include "openssl/bn.h"
#include "openssl/rsa.h"
#include "tink/jwt/internal/jwt_rsa_ssa_pss_sign_key_manager.h"
#include "tink/jwt/internal/jwt_rsa_ssa_pss_verify_key_manager.h"
#include "tink/subtle/subtle_util_boringssl.h"
#include "tink/util/status.h"
#include "tink/util/statusor.h"
#include "tink/util/test_matchers.h"
namespace crypto {
namespace tink {
namespace jwt_internal {
using ::crypto::tink::test::IsOk;
using ::crypto::tink::util::StatusOr;
using ::google::crypto::tink::JwtRsaSsaPssAlgorithm;
using ::google::crypto::tink::JwtRsaSsaPssKeyFormat;
using ::google::crypto::tink::JwtRsaSsaPssPrivateKey;
using ::google::crypto::tink::JwtRsaSsaPssPublicKey;
using ::google::crypto::tink::KeyData;
using ::testing::Not;
namespace {
JwtRsaSsaPssKeyFormat CreateKeyFormat(JwtRsaSsaPssAlgorithm algorithm,
int modulus_size_in_bits,
int public_exponent) {
JwtRsaSsaPssKeyFormat key_format;
key_format.set_algorithm(algorithm);
key_format.set_modulus_size_in_bits(modulus_size_in_bits);
bssl::UniquePtr<BIGNUM> e(BN_new());
BN_set_word(e.get(), public_exponent);
key_format.set_public_exponent(
subtle::SubtleUtilBoringSSL::bn2str(e.get(), BN_num_bytes(e.get()))
.ValueOrDie());
return key_format;
}
TEST(JwtRsaSsaPssSignVerifyKeyManagerTest, BasicsSign) {
EXPECT_EQ(JwtRsaSsaPssSignKeyManager().get_version(), 0);
EXPECT_EQ(JwtRsaSsaPssSignKeyManager().get_key_type(),
"type.googleapis.com/google.crypto.tink.JwtRsaSsaPssPrivateKey");
EXPECT_EQ(JwtRsaSsaPssSignKeyManager().key_material_type(),
google::crypto::tink::KeyData::ASYMMETRIC_PRIVATE);
}
TEST(JwtRsaSsaPssSignVerifyKeyManagerTest, BasicsVerify) {
EXPECT_EQ(JwtRsaSsaPssVerifyKeyManager().get_version(), 0);
EXPECT_EQ(JwtRsaSsaPssVerifyKeyManager().get_key_type(),
"type.googleapis.com/google.crypto.tink.JwtRsaSsaPssPublicKey");
EXPECT_EQ(JwtRsaSsaPssVerifyKeyManager().key_material_type(),
google::crypto::tink::KeyData::ASYMMETRIC_PUBLIC);
}
TEST(JwtRsaSsaPssSignVerifyKeyManagerTest, ValidateEmptyPrivateKey) {
EXPECT_THAT(
JwtRsaSsaPssSignKeyManager().ValidateKey(JwtRsaSsaPssPrivateKey()),
Not(IsOk()));
}
TEST(JwtRsaSsaPssSignVerifyKeyManagerTest, ValidateEmptyPublicKey) {
EXPECT_THAT(
JwtRsaSsaPssVerifyKeyManager().ValidateKey(JwtRsaSsaPssPublicKey()),
Not(IsOk()));
}
TEST(JwtRsaSsaPssSignVerifyKeyManagerTest, ValidateEmptyKeyFormat) {
EXPECT_THAT(
JwtRsaSsaPssSignKeyManager().ValidateKeyFormat(JwtRsaSsaPssKeyFormat()),
Not(IsOk()));
}
TEST(JwtRsaSsaPssSignVerifyKeyManagerTest, ValidKeyFormatPS256) {
JwtRsaSsaPssKeyFormat key_format =
CreateKeyFormat(JwtRsaSsaPssAlgorithm::PS256, 2048, RSA_F4);
EXPECT_THAT(JwtRsaSsaPssSignKeyManager().ValidateKeyFormat(key_format),
IsOk());
}
TEST(JwtRsaSsaPssSignVerifyKeyManagerTest, ValidateKeyFormatRS384) {
JwtRsaSsaPssKeyFormat key_format =
CreateKeyFormat(JwtRsaSsaPssAlgorithm::PS384, 3072, RSA_F4);
EXPECT_THAT(JwtRsaSsaPssSignKeyManager().ValidateKeyFormat(key_format),
IsOk());
}
TEST(JwtRsaSsaPssSignVerifyKeyManagerTest, ValidateKeyFormatRS512) {
JwtRsaSsaPssKeyFormat key_format =
CreateKeyFormat(JwtRsaSsaPssAlgorithm::PS512, 4096, RSA_F4);
EXPECT_THAT(JwtRsaSsaPssSignKeyManager().ValidateKeyFormat(key_format),
IsOk());
}
TEST(JwtRsaSsaPssSignVerifyKeyManagerTest, CreatePrivateKeyAndValidate) {
JwtRsaSsaPssKeyFormat key_format =
CreateKeyFormat(JwtRsaSsaPssAlgorithm::PS256, 2048, RSA_F4);
auto key_or = JwtRsaSsaPssSignKeyManager().CreateKey(key_format);
ASSERT_THAT(key_or.status(), IsOk());
auto key = key_or.ValueOrDie();
EXPECT_EQ(key.version(), 0);
EXPECT_EQ(key.public_key().algorithm(), key_format.algorithm());
EXPECT_THAT(JwtRsaSsaPssSignKeyManager().ValidateKey(key), IsOk());
// Change key to an invalid algorithm.
key.mutable_public_key()->set_algorithm(JwtRsaSsaPssAlgorithm::PS_UNKNOWN);
EXPECT_FALSE(JwtRsaSsaPssSignKeyManager().ValidateKey(key).ok());
}
TEST(JwtRsaSsaPssSignVerifyKeyManagerTest, CreatePublicKeyAndValidate) {
JwtRsaSsaPssKeyFormat key_format =
CreateKeyFormat(JwtRsaSsaPssAlgorithm::PS256, 2048, RSA_F4);
auto key_or = JwtRsaSsaPssSignKeyManager().CreateKey(key_format);
ASSERT_THAT(key_or.status(), IsOk());
auto public_key_or =
JwtRsaSsaPssSignKeyManager().GetPublicKey(key_or.ValueOrDie());
auto public_key = public_key_or.ValueOrDie();
EXPECT_THAT(JwtRsaSsaPssVerifyKeyManager().ValidateKey(public_key), IsOk());
// Change key to an invalid algorithm.
public_key.set_algorithm(JwtRsaSsaPssAlgorithm::PS_UNKNOWN);
EXPECT_FALSE(JwtRsaSsaPssVerifyKeyManager().ValidateKey(public_key).ok());
}
TEST(JwtRsaSsaPssSignVerifyKeyManagerTest, GetAndUsePrimitive) {
JwtRsaSsaPssKeyFormat key_format =
CreateKeyFormat(JwtRsaSsaPssAlgorithm::PS256, 2048, RSA_F4);
auto key_or = JwtRsaSsaPssSignKeyManager().CreateKey(key_format);
ASSERT_THAT(key_or.status(), IsOk());
auto key = key_or.ValueOrDie();
auto sign_or =
JwtRsaSsaPssSignKeyManager().GetPrimitive<JwtPublicKeySign>(key);
ASSERT_THAT(sign_or.status(), IsOk());
auto sign = std::move(sign_or.ValueOrDie());
auto raw_jwt_or = RawJwtBuilder().SetIssuer("issuer").Build();
ASSERT_THAT(raw_jwt_or.status(), IsOk());
auto raw_jwt = raw_jwt_or.ValueOrDie();
util::StatusOr<std::string> compact_or = sign->SignAndEncode(raw_jwt);
ASSERT_THAT(compact_or.status(), IsOk());
auto compact = compact_or.ValueOrDie();
JwtValidator validator = JwtValidatorBuilder().SetIssuer("issuer").Build();
auto verify_or =
JwtRsaSsaPssVerifyKeyManager().GetPrimitive<JwtPublicKeyVerify>(
key.public_key());
ASSERT_THAT(verify_or.status(), IsOk());
auto verify = std::move(verify_or.ValueOrDie());
util::StatusOr<VerifiedJwt> verified_jwt_or =
verify->VerifyAndDecode(compact, validator);
ASSERT_THAT(verified_jwt_or.status(), IsOk());
util::StatusOr<std::string> issuer_or =
verified_jwt_or.ValueOrDie().GetIssuer();
ASSERT_THAT(issuer_or.status(), IsOk());
EXPECT_THAT(issuer_or.ValueOrDie(), testing::Eq("issuer"));
JwtValidator validator2 = JwtValidatorBuilder().SetIssuer("unknown").Build();
EXPECT_FALSE(verify->VerifyAndDecode(compact, validator2).ok());
}
TEST(JwtRsaSsaPssSignVerifyKeyManagerTest, VerifyFailsWithDifferentKey) {
JwtRsaSsaPssKeyFormat key_format =
CreateKeyFormat(JwtRsaSsaPssAlgorithm::PS256, 2048, RSA_F4);
auto key1_or = JwtRsaSsaPssSignKeyManager().CreateKey(key_format);
ASSERT_THAT(key1_or.status(), IsOk());
auto key1 = key1_or.ValueOrDie();
auto key2_or = JwtRsaSsaPssSignKeyManager().CreateKey(key_format);
ASSERT_THAT(key2_or.status(), IsOk());
auto key2 = key2_or.ValueOrDie();
auto sign1_or =
JwtRsaSsaPssSignKeyManager().GetPrimitive<JwtPublicKeySign>(key1);
ASSERT_THAT(sign1_or.status(), IsOk());
auto sign1 = std::move(sign1_or.ValueOrDie());
auto raw_jwt_or = RawJwtBuilder().SetIssuer("issuer").Build();
ASSERT_THAT(raw_jwt_or.status(), IsOk());
auto raw_jwt = raw_jwt_or.ValueOrDie();
util::StatusOr<std::string> compact_or = sign1->SignAndEncode(raw_jwt);
ASSERT_THAT(compact_or.status(), IsOk());
auto compact = compact_or.ValueOrDie();
JwtValidator validator = JwtValidatorBuilder().Build();
auto verify2_or =
JwtRsaSsaPssVerifyKeyManager().GetPrimitive<JwtPublicKeyVerify>(
key2.public_key());
ASSERT_THAT(verify2_or.status(), IsOk());
auto verify2 = std::move(verify2_or.ValueOrDie());
EXPECT_FALSE(verify2->VerifyAndDecode(compact, validator).ok());
}
} // namespace
} // namespace jwt_internal
} // namespace tink
} // namespace crypto