1 // Copyright 2021 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "crypto/unexportable_key.h"
6
7 #include <optional>
8 #include <tuple>
9
10 #include "base/logging.h"
11 #include "base/test/scoped_feature_list.h"
12 #include "base/time/time.h"
13 #include "crypto/features.h"
14 #include "crypto/scoped_mock_unexportable_key_provider.h"
15 #include "testing/gtest/include/gtest/gtest.h"
16
17 #if BUILDFLAG(IS_MAC)
18 #include "crypto/scoped_fake_apple_keychain_v2.h"
19 #endif // BUILDFLAG(IS_MAC)
20
21 namespace {
22
23 const crypto::SignatureVerifier::SignatureAlgorithm kAllAlgorithms[] = {
24 crypto::SignatureVerifier::SignatureAlgorithm::ECDSA_SHA256,
25 crypto::SignatureVerifier::SignatureAlgorithm::RSA_PKCS1_SHA256,
26 };
27
28 #if BUILDFLAG(IS_MAC)
29 constexpr char kTestKeychainAccessGroup[] = "test-keychain-access-group";
30 #endif // BUILDFLAG(IS_MAC)
31
32 class UnexportableKeySigningTest
33 : public testing::TestWithParam<
34 std::tuple<crypto::SignatureVerifier::SignatureAlgorithm, bool>> {
35 private:
36 #if BUILDFLAG(IS_MAC)
37 crypto::ScopedFakeAppleKeychainV2 scoped_fake_apple_keychain_{
38 kTestKeychainAccessGroup};
39
40 base::test::ScopedFeatureList scoped_feature_list_{
41 crypto::kEnableMacUnexportableKeys};
42 #endif // BUILDFLAG(IS_MAC)
43 };
44
45 INSTANTIATE_TEST_SUITE_P(All,
46 UnexportableKeySigningTest,
47 testing::Combine(testing::ValuesIn(kAllAlgorithms),
48 testing::Bool()));
49
TEST_P(UnexportableKeySigningTest,RoundTrip)50 TEST_P(UnexportableKeySigningTest, RoundTrip) {
51 const crypto::SignatureVerifier::SignatureAlgorithm algo =
52 std::get<0>(GetParam());
53 const bool mock_enabled = std::get<1>(GetParam());
54
55 switch (algo) {
56 case crypto::SignatureVerifier::SignatureAlgorithm::ECDSA_SHA256:
57 LOG(INFO) << "ECDSA P-256, mock=" << mock_enabled;
58 break;
59 case crypto::SignatureVerifier::SignatureAlgorithm::RSA_PKCS1_SHA256:
60 LOG(INFO) << "RSA, mock=" << mock_enabled;
61 break;
62 default:
63 ASSERT_TRUE(false);
64 }
65
66 SCOPED_TRACE(static_cast<int>(algo));
67 SCOPED_TRACE(mock_enabled);
68
69 std::optional<crypto::ScopedMockUnexportableKeyProvider> mock;
70 if (mock_enabled) {
71 mock.emplace();
72 }
73
74 const crypto::SignatureVerifier::SignatureAlgorithm algorithms[] = {algo};
75
76 crypto::UnexportableKeyProvider::Config config{
77 #if BUILDFLAG(IS_MAC)
78 .keychain_access_group = kTestKeychainAccessGroup
79 #endif // BUILDLFAG(IS_MAC)
80 };
81 std::unique_ptr<crypto::UnexportableKeyProvider> provider =
82 crypto::GetUnexportableKeyProvider(std::move(config));
83 if (!provider) {
84 LOG(INFO) << "Skipping test because of lack of hardware support.";
85 return;
86 }
87
88 if (!provider->SelectAlgorithm(algorithms)) {
89 LOG(INFO) << "Skipping test because of lack of support for this key type.";
90 return;
91 }
92
93 const base::TimeTicks generate_start = base::TimeTicks::Now();
94 std::unique_ptr<crypto::UnexportableSigningKey> key =
95 provider->GenerateSigningKeySlowly(algorithms);
96 if (algo == crypto::SignatureVerifier::SignatureAlgorithm::ECDSA_SHA256) {
97 if (!key) {
98 GTEST_SKIP()
99 << "Workaround for https://issues.chromium.org/issues/41494935";
100 }
101 }
102
103 ASSERT_TRUE(key);
104 LOG(INFO) << "Generation took " << (base::TimeTicks::Now() - generate_start);
105
106 ASSERT_EQ(key->Algorithm(), algo);
107 const std::vector<uint8_t> wrapped = key->GetWrappedKey();
108 const std::vector<uint8_t> spki = key->GetSubjectPublicKeyInfo();
109 const uint8_t msg[] = {1, 2, 3, 4};
110
111 const base::TimeTicks sign_start = base::TimeTicks::Now();
112 const std::optional<std::vector<uint8_t>> sig = key->SignSlowly(msg);
113 LOG(INFO) << "Signing took " << (base::TimeTicks::Now() - sign_start);
114 ASSERT_TRUE(sig);
115
116 crypto::SignatureVerifier verifier;
117 ASSERT_TRUE(verifier.VerifyInit(algo, *sig, spki));
118 verifier.VerifyUpdate(msg);
119 ASSERT_TRUE(verifier.VerifyFinal());
120
121 const base::TimeTicks import2_start = base::TimeTicks::Now();
122 std::unique_ptr<crypto::UnexportableSigningKey> key2 =
123 provider->FromWrappedSigningKeySlowly(wrapped);
124 ASSERT_TRUE(key2);
125 LOG(INFO) << "Import took " << (base::TimeTicks::Now() - import2_start);
126
127 const base::TimeTicks sign2_start = base::TimeTicks::Now();
128 const std::optional<std::vector<uint8_t>> sig2 = key->SignSlowly(msg);
129 LOG(INFO) << "Signing took " << (base::TimeTicks::Now() - sign2_start);
130 ASSERT_TRUE(sig2);
131
132 crypto::SignatureVerifier verifier2;
133 ASSERT_TRUE(verifier2.VerifyInit(algo, *sig2, spki));
134 verifier2.VerifyUpdate(msg);
135 ASSERT_TRUE(verifier2.VerifyFinal());
136
137 EXPECT_TRUE(provider->DeleteSigningKey(wrapped));
138 }
139 } // namespace
140