diff options
Diffstat (limited to 'security/nss/gtests/pk11_gtest/pk11_ecdsa_unittest.cc')
-rw-r--r-- | security/nss/gtests/pk11_gtest/pk11_ecdsa_unittest.cc | 329 |
1 files changed, 329 insertions, 0 deletions
diff --git a/security/nss/gtests/pk11_gtest/pk11_ecdsa_unittest.cc b/security/nss/gtests/pk11_gtest/pk11_ecdsa_unittest.cc new file mode 100644 index 0000000000..cf35958d92 --- /dev/null +++ b/security/nss/gtests/pk11_gtest/pk11_ecdsa_unittest.cc @@ -0,0 +1,329 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this file, + * You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include <memory> +#include "nss.h" +#include "pk11pub.h" +#include "sechash.h" +#include "cryptohi.h" + +#include "cpputil.h" +#include "gtest/gtest.h" +#include "json_reader.h" +#include "nss_scoped_ptrs.h" +#include "testvectors/curve25519-vectors.h" + +#include "pk11_ecdsa_vectors.h" +#include "pk11_signature_test.h" +#include "pk11_keygen.h" + +namespace nss_test { + +CK_MECHANISM_TYPE +EcHashToComboMech(SECOidTag hash) { + switch (hash) { + case SEC_OID_SHA1: + return CKM_ECDSA_SHA1; + case SEC_OID_SHA224: + return CKM_ECDSA_SHA224; + case SEC_OID_SHA256: + return CKM_ECDSA_SHA256; + case SEC_OID_SHA384: + return CKM_ECDSA_SHA384; + case SEC_OID_SHA512: + return CKM_ECDSA_SHA512; + default: + break; + } + return CKM_INVALID_MECHANISM; +} + +class Pkcs11EcdsaTestBase : public Pk11SignatureTest { + protected: + Pkcs11EcdsaTestBase(SECOidTag hash_oid) + : Pk11SignatureTest(CKM_ECDSA, hash_oid, EcHashToComboMech(hash_oid)) {} +}; + +struct Pkcs11EcdsaTestParams { + SECOidTag hash_oid_; + Pkcs11SignatureTestParams sig_params_; +}; + +class Pkcs11EcdsaTest + : public Pkcs11EcdsaTestBase, + public ::testing::WithParamInterface<Pkcs11EcdsaTestParams> { + public: + Pkcs11EcdsaTest() : Pkcs11EcdsaTestBase(GetParam().hash_oid_) {} +}; + +TEST_P(Pkcs11EcdsaTest, Verify) { Verify(GetParam().sig_params_); } + +TEST_P(Pkcs11EcdsaTest, SignAndVerify) { + SignAndVerify(GetParam().sig_params_); +} + +TEST_P(Pkcs11EcdsaTest, ImportExport) { + ImportExport(GetParam().sig_params_.pkcs8_); +} + +static const Pkcs11EcdsaTestParams kEcdsaVectors[] = { + {SEC_OID_SHA256, + {DataBuffer(kP256Pkcs8, sizeof(kP256Pkcs8)), + DataBuffer(kP256Spki, sizeof(kP256Spki)), + DataBuffer(kP256Data, sizeof(kP256Data)), + DataBuffer(kP256Signature, sizeof(kP256Signature))}}, + {SEC_OID_SHA256, + {DataBuffer(kP256Pkcs8ZeroPad, sizeof(kP256Pkcs8ZeroPad)), + DataBuffer(kP256SpkiZeroPad, sizeof(kP256SpkiZeroPad)), + DataBuffer(kP256DataZeroPad, sizeof(kP256DataZeroPad)), + DataBuffer(kP256SignatureZeroPad, sizeof(kP256SignatureZeroPad))}}, + {SEC_OID_SHA384, + {DataBuffer(kP384Pkcs8, sizeof(kP384Pkcs8)), + DataBuffer(kP384Spki, sizeof(kP384Spki)), + DataBuffer(kP384Data, sizeof(kP384Data)), + DataBuffer(kP384Signature, sizeof(kP384Signature))}}, + {SEC_OID_SHA512, + {DataBuffer(kP521Pkcs8, sizeof(kP521Pkcs8)), + DataBuffer(kP521Spki, sizeof(kP521Spki)), + DataBuffer(kP521Data, sizeof(kP521Data)), + DataBuffer(kP521Signature, sizeof(kP521Signature))}}}; + +INSTANTIATE_TEST_SUITE_P(EcdsaSignVerify, Pkcs11EcdsaTest, + ::testing::ValuesIn(kEcdsaVectors)); + +class Pkcs11EcdsaSha256Test : public Pkcs11EcdsaTestBase { + public: + Pkcs11EcdsaSha256Test() : Pkcs11EcdsaTestBase(SEC_OID_SHA256) {} +}; + +// Importing a private key in PKCS#8 format must fail when the outer AlgID +// struct contains neither id-ecPublicKey nor a namedCurve parameter. +TEST_F(Pkcs11EcdsaSha256Test, ImportNoCurveOIDOrAlgorithmParams) { + DataBuffer k(kP256Pkcs8NoCurveOIDOrAlgorithmParams, + sizeof(kP256Pkcs8NoCurveOIDOrAlgorithmParams)); + EXPECT_FALSE(ImportPrivateKey(k)); +}; + +// Importing a private key in PKCS#8 format must succeed when only the outer +// AlgID struct contains the namedCurve parameters. +TEST_F(Pkcs11EcdsaSha256Test, ImportOnlyAlgorithmParams) { + DataBuffer k(kP256Pkcs8OnlyAlgorithmParams, + sizeof(kP256Pkcs8OnlyAlgorithmParams)); + DataBuffer data(kP256Data, sizeof(kP256Data)); + DataBuffer sig; + DataBuffer sig2; + EXPECT_TRUE(ImportPrivateKeyAndSignHashedData(k, data, &sig, &sig2)); +}; + +// Importing a private key in PKCS#8 format must succeed when the outer AlgID +// struct and the inner ECPrivateKey contain the same namedCurve parameters. +// The inner curveOID is always ignored, so only the outer one will be used. +TEST_F(Pkcs11EcdsaSha256Test, ImportMatchingCurveOIDAndAlgorithmParams) { + DataBuffer k(kP256Pkcs8MatchingCurveOIDAndAlgorithmParams, + sizeof(kP256Pkcs8MatchingCurveOIDAndAlgorithmParams)); + DataBuffer data(kP256Data, sizeof(kP256Data)); + DataBuffer sig; + DataBuffer sig2; + EXPECT_TRUE(ImportPrivateKeyAndSignHashedData(k, data, &sig, &sig2)); +}; + +// Importing a private key in PKCS#8 format must succeed when the outer AlgID +// struct and the inner ECPrivateKey contain dissimilar namedCurve parameters. +// The inner curveOID is always ignored, so only the outer one will be used. +TEST_F(Pkcs11EcdsaSha256Test, ImportDissimilarCurveOIDAndAlgorithmParams) { + DataBuffer k(kP256Pkcs8DissimilarCurveOIDAndAlgorithmParams, + sizeof(kP256Pkcs8DissimilarCurveOIDAndAlgorithmParams)); + DataBuffer data(kP256Data, sizeof(kP256Data)); + DataBuffer sig; + DataBuffer sig2; + EXPECT_TRUE(ImportPrivateKeyAndSignHashedData(k, data, &sig, &sig2)); +}; + +// Importing a private key in PKCS#8 format must fail when the outer ASN.1 +// AlgorithmID struct contains only id-ecPublicKey but no namedCurve parameter. +TEST_F(Pkcs11EcdsaSha256Test, ImportNoAlgorithmParams) { + DataBuffer k(kP256Pkcs8NoAlgorithmParams, + sizeof(kP256Pkcs8NoAlgorithmParams)); + EXPECT_FALSE(ImportPrivateKey(k)); +}; + +// Importing a private key in PKCS#8 format must fail when id-ecPublicKey is +// given (so we know it's an EC key) but the namedCurve parameter is unknown. +TEST_F(Pkcs11EcdsaSha256Test, ImportInvalidAlgorithmParams) { + DataBuffer k(kP256Pkcs8InvalidAlgorithmParams, + sizeof(kP256Pkcs8InvalidAlgorithmParams)); + EXPECT_FALSE(ImportPrivateKey(k)); +}; + +// Importing a private key in PKCS#8 format with a point not on the curve will +// succeed. Using the contained public key however will fail when trying to +// import it before using it for any operation. +TEST_F(Pkcs11EcdsaSha256Test, ImportPointNotOnCurve) { + DataBuffer k(kP256Pkcs8PointNotOnCurve, sizeof(kP256Pkcs8PointNotOnCurve)); + ScopedSECKEYPrivateKey privKey(ImportPrivateKey(k)); + ASSERT_TRUE(privKey); + + ScopedSECKEYPublicKey pubKey(SECKEY_ConvertToPublicKey(privKey.get())); + ASSERT_TRUE(pubKey); + + ScopedPK11SlotInfo slot(PK11_GetInternalSlot()); + ASSERT_TRUE(slot); + + auto handle = PK11_ImportPublicKey(slot.get(), pubKey.get(), false); + EXPECT_EQ(handle, static_cast<decltype(handle)>(CK_INVALID_HANDLE)); +}; + +// Importing a private key in PKCS#8 format must fail when no point is given. +// PK11 currently offers no APIs to derive raw public keys from private values. +TEST_F(Pkcs11EcdsaSha256Test, ImportNoPublicKey) { + DataBuffer k(kP256Pkcs8NoPublicKey, sizeof(kP256Pkcs8NoPublicKey)); + EXPECT_FALSE(ImportPrivateKey(k)); +}; + +// Importing a public key in SPKI format must fail when id-ecPublicKey is +// given (so we know it's an EC key) but the namedCurve parameter is missing. +TEST_F(Pkcs11EcdsaSha256Test, ImportSpkiNoAlgorithmParams) { + DataBuffer k(kP256SpkiNoAlgorithmParams, sizeof(kP256SpkiNoAlgorithmParams)); + EXPECT_FALSE(ImportPublicKey(k)); +} + +// Importing a public key in SPKI format with a point not on the curve will +// succeed. Using the public key however will fail when trying to import +// it before using it for any operation. +TEST_F(Pkcs11EcdsaSha256Test, ImportSpkiPointNotOnCurve) { + DataBuffer k(kP256SpkiPointNotOnCurve, sizeof(kP256SpkiPointNotOnCurve)); + ScopedSECKEYPublicKey pubKey(ImportPublicKey(k)); + ASSERT_TRUE(pubKey); + + ScopedPK11SlotInfo slot(PK11_GetInternalSlot()); + ASSERT_TRUE(slot); + + auto handle = PK11_ImportPublicKey(slot.get(), pubKey.get(), false); + EXPECT_EQ(handle, static_cast<decltype(handle)>(CK_INVALID_HANDLE)); +} + +class Pkcs11EcdsaWycheproofTest : public ::testing::Test { + protected: + void Run(const std::string& name) { + WycheproofHeader(name, "ECDSA", "ecdsa_verify_schema.json", + [this](JsonReader& r) { RunGroup(r); }); + } + + private: + void RunGroup(JsonReader& r) { + std::vector<EcdsaTestVector> tests; + std::vector<uint8_t> public_key; + SECOidTag hash_oid = SEC_OID_UNKNOWN; + + while (r.NextItem()) { + std::string n = r.ReadLabel(); + if (n == "") { + break; + } + + if (n == "key" || n == "keyPem") { + r.SkipValue(); + } else if (n == "keyDer") { + public_key = r.ReadHex(); + } else if (n == "sha") { + hash_oid = r.ReadHash(); + } else if (n == "type") { + ASSERT_EQ("EcdsaVerify", r.ReadString()); + } else if (n == "tests") { + WycheproofReadTests(r, &tests, ReadTestAttr); + } else { + FAIL() << "unknown label in group: " << n; + } + } + + for (auto& t : tests) { + std::cout << "Running test " << t.id << std::endl; + t.public_key = public_key; + t.hash_oid = hash_oid; + Derive(t); + } + } + + static void ReadTestAttr(EcdsaTestVector& t, const std::string& n, + JsonReader& r) { + if (n == "msg") { + t.msg = r.ReadHex(); + } else if (n == "sig") { + t.sig = r.ReadHex(); + } else { + FAIL() << "unknown test key: " << n; + } + } + + void Derive(const EcdsaTestVector& vec) { + SECItem spki_item = {siBuffer, toUcharPtr(vec.public_key.data()), + static_cast<unsigned int>(vec.public_key.size())}; + SECItem sig_item = {siBuffer, toUcharPtr(vec.sig.data()), + static_cast<unsigned int>(vec.sig.size())}; + + DataBuffer hash; + hash.Allocate(static_cast<size_t>(HASH_ResultLenByOidTag(vec.hash_oid))); + SECStatus rv = PK11_HashBuf(vec.hash_oid, toUcharPtr(hash.data()), + toUcharPtr(vec.msg.data()), vec.msg.size()); + ASSERT_EQ(rv, SECSuccess); + SECItem hash_item = {siBuffer, toUcharPtr(hash.data()), + static_cast<unsigned int>(hash.len())}; + + ScopedCERTSubjectPublicKeyInfo cert_spki( + SECKEY_DecodeDERSubjectPublicKeyInfo(&spki_item)); + ASSERT_TRUE(cert_spki); + ScopedSECKEYPublicKey pub_key(SECKEY_ExtractPublicKey(cert_spki.get())); + ASSERT_TRUE(pub_key); + + rv = VFY_VerifyDigestDirect(&hash_item, pub_key.get(), &sig_item, + SEC_OID_ANSIX962_EC_PUBLIC_KEY, vec.hash_oid, + nullptr); + EXPECT_EQ(rv, vec.valid ? SECSuccess : SECFailure); + }; +}; + +TEST_F(Pkcs11EcdsaWycheproofTest, P256) { Run("ecdsa_secp256r1_sha256"); } +TEST_F(Pkcs11EcdsaWycheproofTest, P256Sha512) { Run("ecdsa_secp256r1_sha512"); } +TEST_F(Pkcs11EcdsaWycheproofTest, P384) { Run("ecdsa_secp384r1_sha384"); } +TEST_F(Pkcs11EcdsaWycheproofTest, P384Sha512) { Run("ecdsa_secp384r1_sha512"); } +TEST_F(Pkcs11EcdsaWycheproofTest, P521) { Run("ecdsa_secp521r1_sha512"); } + +class Pkcs11EcdsaRoundtripTest + : public Pkcs11EcdsaTestBase, + public ::testing::WithParamInterface<SECOidTag> { + public: + Pkcs11EcdsaRoundtripTest() : Pkcs11EcdsaTestBase(SEC_OID_SHA256) {} + + protected: + void GenerateExportImportSignVerify(SECOidTag tag) { + Pkcs11KeyPairGenerator generator(CKM_EC_KEY_PAIR_GEN, tag); + ScopedSECKEYPrivateKey priv; + ScopedSECKEYPublicKey pub; + generator.GenerateKey(&priv, &pub, false); + + DataBuffer exported; + ExportPrivateKey(&priv, exported); + + if (tag != SEC_OID_CURVE25519) { + DataBuffer sig; + DataBuffer sig2; + DataBuffer data(kP256Data, sizeof(kP256Data)); + ASSERT_TRUE( + ImportPrivateKeyAndSignHashedData(exported, data, &sig, &sig2)); + + Verify(pub, data, sig); + } + } +}; + +TEST_P(Pkcs11EcdsaRoundtripTest, GenerateExportImportSignVerify) { + GenerateExportImportSignVerify(GetParam()); +} +INSTANTIATE_TEST_SUITE_P(Pkcs11EcdsaRoundtripTest, Pkcs11EcdsaRoundtripTest, + ::testing::Values(SEC_OID_SECG_EC_SECP256R1, + SEC_OID_SECG_EC_SECP384R1, + SEC_OID_SECG_EC_SECP521R1, + SEC_OID_CURVE25519)); + +} // namespace nss_test |