blob: a8fa3a9f2e85fa55d47b96f40f36c558230756ac [file] [log] [blame]
// Copyright 2018 Google Inc.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
////////////////////////////////////////////////////////////////////////////////
#include "tink/signature/rsa_ssa_pss_verify_key_manager.h"
#include "gmock/gmock.h"
#include "gtest/gtest.h"
#include "absl/strings/escaping.h"
#include "openssl/rsa.h"
#include "tink/public_key_sign.h"
#include "tink/public_key_verify.h"
#include "tink/signature/rsa_ssa_pss_sign_key_manager.h"
#include "tink/subtle/rsa_ssa_pss_sign_boringssl.h"
#include "tink/subtle/subtle_util_boringssl.h"
#include "tink/util/status.h"
#include "tink/util/statusor.h"
#include "tink/util/test_matchers.h"
#include "tink/util/test_util.h"
#include "proto/rsa_ssa_pss.pb.h"
namespace crypto {
namespace tink {
namespace {
using ::crypto::tink::test::IsOk;
using ::crypto::tink::test::StatusIs;
using ::crypto::tink::util::StatusOr;
using ::google::crypto::tink::HashType;
using ::google::crypto::tink::KeyData;
using ::google::crypto::tink::RsaSsaPssKeyFormat;
using ::google::crypto::tink::RsaSsaPssPrivateKey;
using ::google::crypto::tink::RsaSsaPssPublicKey;
using ::testing::Eq;
using ::testing::Not;
using ::testing::HasSubstr;
TEST(RsaSsaPssVerifyKeyManagerTest, Basics) {
EXPECT_THAT(RsaSsaPssVerifyKeyManager().get_version(), Eq(0));
EXPECT_THAT(RsaSsaPssVerifyKeyManager().key_material_type(),
Eq(KeyData::ASYMMETRIC_PUBLIC));
EXPECT_THAT(RsaSsaPssVerifyKeyManager().get_key_type(),
Eq("type.googleapis.com/google.crypto.tink.RsaSsaPssPublicKey"));
}
TEST(RsaSsaPssVerifyKeyManagerTest, ValidateEmptyKey) {
EXPECT_THAT(RsaSsaPssVerifyKeyManager().ValidateKey(RsaSsaPssPublicKey()),
Not(IsOk()));
}
RsaSsaPssKeyFormat CreateKeyFormat(HashType sig_hash, HashType mgf1_hash,
int salt_length, int modulus_size_in_bits,
int public_exponent) {
RsaSsaPssKeyFormat key_format;
auto params = key_format.mutable_params();
params->set_sig_hash(sig_hash);
params->set_mgf1_hash(mgf1_hash);
params->set_salt_length(salt_length);
key_format.set_modulus_size_in_bits(modulus_size_in_bits);
bssl::UniquePtr<BIGNUM> e(BN_new());
BN_set_word(e.get(), public_exponent);
key_format.set_public_exponent(
subtle::SubtleUtilBoringSSL::bn2str(e.get(), BN_num_bytes(e.get()))
.ValueOrDie());
return key_format;
}
RsaSsaPssKeyFormat ValidKeyFormat() {
return CreateKeyFormat(HashType::SHA256, HashType::SHA256, 32, 3072, RSA_F4);
}
RsaSsaPssPrivateKey CreateValidPrivateKey() {
return RsaSsaPssSignKeyManager().CreateKey(ValidKeyFormat()).ValueOrDie();
}
RsaSsaPssPublicKey CreateValidPublicKey() {
return RsaSsaPssSignKeyManager()
.GetPublicKey(CreateValidPrivateKey())
.ValueOrDie();
}
// Checks that a public key generaed by the SignKeyManager is considered valid.
TEST(RsaSsaPssVerifyKeyManagerTest, PublicKeyValid) {
RsaSsaPssPublicKey key = CreateValidPublicKey();
EXPECT_THAT(RsaSsaPssVerifyKeyManager().ValidateKey(key), IsOk());
}
TEST(RsaSsaPssVerifyKeyManagerTest, PublicKeyWrongVersion) {
RsaSsaPssPublicKey key = CreateValidPublicKey();
key.set_version(1);
EXPECT_THAT(RsaSsaPssVerifyKeyManager().ValidateKey(key), Not(IsOk()));
}
TEST(RsaSsaPssVerifyKeyManagerTest, PublicKeyHashMismatchDisallowed) {
RsaSsaPssPublicKey key = CreateValidPublicKey();
key.mutable_params()->set_sig_hash(HashType::SHA512);
key.mutable_params()->set_mgf1_hash(HashType::SHA256);
EXPECT_THAT(RsaSsaPssVerifyKeyManager().ValidateKey(key), Not(IsOk()));
}
TEST(RsaSsaPssVerifyKeyManagerTest, PublicKeyHashMismatchDisallowed2) {
RsaSsaPssPublicKey key = CreateValidPublicKey();
key.mutable_params()->set_sig_hash(HashType::SHA256);
key.mutable_params()->set_mgf1_hash(HashType::SHA512);
EXPECT_THAT(RsaSsaPssVerifyKeyManager().ValidateKey(key), Not(IsOk()));
}
TEST(RsaSsaPssVerifyKeyManagerTest, PublicKeyUnkownHashDisallowed) {
RsaSsaPssPublicKey key = CreateValidPublicKey();
key.mutable_params()->set_sig_hash(HashType::UNKNOWN_HASH);
key.mutable_params()->set_mgf1_hash(HashType::UNKNOWN_HASH);
EXPECT_THAT(RsaSsaPssVerifyKeyManager().ValidateKey(key), Not(IsOk()));
}
TEST(RsaSsaPssVerifyKeyManagerTest, ValidateKeyFormatSmallModulusDisallowed) {
RsaSsaPssPublicKey key = CreateValidPublicKey();
key.set_n("\x23");
key.set_e("\x3");
EXPECT_THAT(RsaSsaPssVerifyKeyManager().ValidateKey(key),
StatusIs(util::error::INVALID_ARGUMENT,
HasSubstr("only modulus size >= 2048")));
}
TEST(RsaSsaPssSignKeyManagerTest, Create) {
RsaSsaPssKeyFormat key_format =
CreateKeyFormat(HashType::SHA256, HashType::SHA256, 32, 3072, RSA_F4);
StatusOr<RsaSsaPssPrivateKey> private_key_or =
RsaSsaPssSignKeyManager().CreateKey(key_format);
ASSERT_THAT(private_key_or.status(), IsOk());
RsaSsaPssPrivateKey private_key = private_key_or.ValueOrDie();
RsaSsaPssPublicKey public_key =
RsaSsaPssSignKeyManager().GetPublicKey(private_key).ValueOrDie();
subtle::SubtleUtilBoringSSL::RsaPrivateKey private_key_subtle;
private_key_subtle.n = private_key.public_key().n();
private_key_subtle.e = private_key.public_key().e();
private_key_subtle.d = private_key.d();
private_key_subtle.p = private_key.p();
private_key_subtle.q = private_key.q();
private_key_subtle.dp = private_key.dp();
private_key_subtle.dq = private_key.dq();
private_key_subtle.crt = private_key.crt();
auto direct_signer_or = subtle::RsaSsaPssSignBoringSsl::New(
private_key_subtle, {crypto::tink::subtle::HashType::SHA256,
crypto::tink::subtle::HashType::SHA256, 32});
auto verifier_or =
RsaSsaPssVerifyKeyManager().GetPrimitive<PublicKeyVerify>(public_key);
ASSERT_THAT(verifier_or.status(), IsOk());
std::string message = "Some message";
EXPECT_THAT(
verifier_or.ValueOrDie()->Verify(
direct_signer_or.ValueOrDie()->Sign(message).ValueOrDie(), message),
IsOk());
}
// Test vector from
// https://csrc.nist.gov/Projects/Cryptographic-Algorithm-Validation-Program/Digital-Signatures
struct NistTestVector {
std::string n;
std::string e;
std::string message;
std::string signature;
HashType sig_hash;
HashType mgf1_hash;
int salt_length;
};
// clang-format off
static const NistTestVector* nist_test_vector = new NistTestVector({
absl::HexStringToBytes(
"a47d04e7cacdba4ea26eca8a4c6e14563c2ce03b623b768c0d49868a57121301dbf783"
"d82f4c055e73960e70550187d0af62ac3496f0a3d9103c2eb7919a72752fa7ce8c688d"
"81e3aee99468887a15288afbb7acb845b7c522b5c64e678fcd3d22feb84b44272700be"
"527d2b2025a3f83c2383bf6a39cf5b4e48b3cf2f56eef0dfff18555e31037b91524869"
"4876f3047814415164f2c660881e694b58c28038a032ad25634aad7b39171dee368e3d"
"59bfb7299e4601d4587e68caaf8db457b75af42fc0cf1ae7caced286d77fac6cedb03a"
"d94f1433d2c94d08e60bc1fdef0543cd2951e765b38230fdd18de5d2ca627ddc032fe0"
"5bbd2ff21e2db1c2f94d8b"),
absl::HexStringToBytes("10e43f"),
absl::HexStringToBytes(
"e002377affb04f0fe4598de9d92d31d6c786040d5776976556a2cfc55e54a1dcb3cb1b"
"126bd6a4bed2a184990ccea773fcc79d246553e6c64f686d21ad4152673cafec22aeb4"
"0f6a084e8a5b4991f4c64cf8a927effd0fd775e71e8329e41fdd4457b3911173187b4f"
"09a817d79ea2397fc12dfe3d9c9a0290c8ead31b6690a6"),
absl::HexStringToBytes(
"4f9b425c2058460e4ab2f5c96384da2327fd29150f01955a76b4efe956af06dc08779a"
"374ee4607eab61a93adc5608f4ec36e47f2a0f754e8ff839a8a19b1db1e884ea4cf348"
"cd455069eb87afd53645b44e28a0a56808f5031da5ba9112768dfbfca44ebe63a0c057"
"2b731d66122fb71609be1480faa4e4f75e43955159d70f081e2a32fbb19a48b9f162cf"
"6b2fb445d2d6994bc58910a26b5943477803cdaaa1bd74b0da0a5d053d8b1dc593091d"
"b5388383c26079f344e2aea600d0e324164b450f7b9b465111b7265f3b1b063089ae7e"
"2623fc0fda8052cf4bf3379102fbf71d7c98e8258664ceed637d20f95ff0111881e650"
"ce61f251d9c3a629ef222d"),
HashType::SHA256,
HashType::SHA256,
32});
// clang-format on
TEST(RsaSsaPssVerifyKeyManagerTest, TestVector) {
RsaSsaPssPublicKey key;
key.mutable_params()->set_mgf1_hash(nist_test_vector->mgf1_hash);
key.mutable_params()->set_sig_hash(nist_test_vector->sig_hash);
key.mutable_params()->set_salt_length(nist_test_vector->salt_length);
key.set_version(0);
key.set_n(nist_test_vector->n);
key.set_e(nist_test_vector->e);
auto result = RsaSsaPssVerifyKeyManager().GetPrimitive<PublicKeyVerify>(key);
ASSERT_THAT(result.status(), IsOk());
EXPECT_THAT(result.ValueOrDie()->Verify(nist_test_vector->signature,
nist_test_vector->message),
IsOk());
}
} // namespace
} // namespace tink
} // namespace crypto