1 // Copyright 2017 Google LLC
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 // http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 //
15 ////////////////////////////////////////////////////////////////////////////////
16
17 #include "tink/signature/ecdsa_sign_key_manager.h"
18
19 #include <memory>
20 #include <sstream>
21 #include <string>
22 #include <tuple>
23
24 #include "gmock/gmock.h"
25 #include "gtest/gtest.h"
26 #include "absl/status/status.h"
27 #include "absl/strings/string_view.h"
28 #include "tink/internal/ec_util.h"
29 #include "tink/internal/ssl_util.h"
30 #include "tink/public_key_sign.h"
31 #include "tink/public_key_verify.h"
32 #include "tink/signature/ecdsa_verify_key_manager.h"
33 #include "tink/subtle/ecdsa_verify_boringssl.h"
34 #include "tink/util/enums.h"
35 #include "tink/util/istream_input_stream.h"
36 #include "tink/util/status.h"
37 #include "tink/util/statusor.h"
38 #include "tink/util/test_matchers.h"
39 #include "tink/util/test_util.h"
40 #include "proto/ecdsa.pb.h"
41
42 namespace crypto {
43 namespace tink {
44
45 using ::crypto::tink::test::IsOk;
46 using ::crypto::tink::test::StatusIs;
47 using ::crypto::tink::util::Enums;
48 using ::crypto::tink::util::StatusOr;
49 using ::google::crypto::tink::EcdsaKeyFormat;
50 using ::google::crypto::tink::EcdsaParams;
51 using ::google::crypto::tink::EcdsaPrivateKey;
52 using ::google::crypto::tink::EcdsaPublicKey;
53 using ::google::crypto::tink::EcdsaSignatureEncoding;
54 using ::google::crypto::tink::EllipticCurveType;
55 using ::google::crypto::tink::HashType;
56 using ::google::crypto::tink::KeyData;
57 using ::testing::Eq;
58 using ::testing::Gt;
59 using ::testing::Not;
60 using ::testing::SizeIs;
61
62 namespace {
63
TEST(EcdsaSignKeyManagerTest,Basic)64 TEST(EcdsaSignKeyManagerTest, Basic) {
65 EXPECT_THAT(EcdsaSignKeyManager().get_version(), Eq(0));
66 EXPECT_THAT(EcdsaSignKeyManager().key_material_type(),
67 Eq(KeyData::ASYMMETRIC_PRIVATE));
68 EXPECT_THAT(EcdsaSignKeyManager().get_key_type(),
69 Eq("type.googleapis.com/google.crypto.tink.EcdsaPrivateKey"));
70 }
71
TEST(EcdsaSignKeyManagerTest,ValidateEmptyKeyFormat)72 TEST(EcdsaSignKeyManagerTest, ValidateEmptyKeyFormat) {
73 EXPECT_THAT(EcdsaSignKeyManager().ValidateKeyFormat(EcdsaKeyFormat()),
74 Not(IsOk()));
75 }
76
CreateValidKeyFormat()77 EcdsaKeyFormat CreateValidKeyFormat() {
78 EcdsaKeyFormat key_format;
79 EcdsaParams* params = key_format.mutable_params();
80 params->set_hash_type(HashType::SHA256);
81 params->set_curve(EllipticCurveType::NIST_P256);
82 params->set_encoding(EcdsaSignatureEncoding::DER);
83 return key_format;
84 }
85
TEST(EcdsaSignKeyManagerTest,ValidateKeyFormat)86 TEST(EcdsaSignKeyManagerTest, ValidateKeyFormat) {
87 EcdsaKeyFormat format = CreateValidKeyFormat();
88 EXPECT_THAT(EcdsaSignKeyManager().ValidateKeyFormat(format), IsOk());
89 }
90
TEST(EcdsaSignKeyManagerTest,ValidateKeyFormatUnknownCurve)91 TEST(EcdsaSignKeyManagerTest, ValidateKeyFormatUnknownCurve) {
92 EcdsaKeyFormat format = CreateValidKeyFormat();
93 EcdsaParams* params = format.mutable_params();
94 params->set_curve(EllipticCurveType::UNKNOWN_CURVE);
95 EXPECT_THAT(EcdsaSignKeyManager().ValidateKeyFormat(format), Not(IsOk()));
96 }
97
TEST(EcdsaSignKeyManagerTest,ValidateKeyFormatBadHashP256)98 TEST(EcdsaSignKeyManagerTest, ValidateKeyFormatBadHashP256) {
99 EcdsaKeyFormat format = CreateValidKeyFormat();
100 EcdsaParams* params = format.mutable_params();
101 params->set_curve(EllipticCurveType::NIST_P256);
102 params->set_hash_type(HashType::SHA512);
103 EXPECT_THAT(EcdsaSignKeyManager().ValidateKeyFormat(format), Not(IsOk()));
104 EXPECT_THAT(EcdsaSignKeyManager().ValidateKeyFormat(format),
105 StatusIs(absl::StatusCode::kInvalidArgument));
106 }
107
TEST(EcdsaSignKeyManagerTest,ValidateKeyFormatBadHashP384)108 TEST(EcdsaSignKeyManagerTest, ValidateKeyFormatBadHashP384) {
109 EcdsaKeyFormat format = CreateValidKeyFormat();
110 EcdsaParams* params = format.mutable_params();
111 params->set_curve(EllipticCurveType::NIST_P384);
112 params->set_hash_type(HashType::SHA256);
113 EXPECT_THAT(EcdsaSignKeyManager().ValidateKeyFormat(format), Not(IsOk()));
114 EXPECT_THAT(EcdsaSignKeyManager().ValidateKeyFormat(format),
115 StatusIs(absl::StatusCode::kInvalidArgument));
116 }
117
TEST(EcdsaSignKeyManagerTest,ValidateKeyFormatBadHashP521)118 TEST(EcdsaSignKeyManagerTest, ValidateKeyFormatBadHashP521) {
119 EcdsaKeyFormat format = CreateValidKeyFormat();
120 EcdsaParams* params = format.mutable_params();
121 params->set_curve(EllipticCurveType::NIST_P521);
122 params->set_hash_type(HashType::SHA256);
123 EXPECT_THAT(EcdsaSignKeyManager().ValidateKeyFormat(format), Not(IsOk()));
124 EXPECT_THAT(EcdsaSignKeyManager().ValidateKeyFormat(format),
125 StatusIs(absl::StatusCode::kInvalidArgument));
126 }
127
TEST(EcdsaSignKeyManagerTest,CreateKey)128 TEST(EcdsaSignKeyManagerTest, CreateKey) {
129 EcdsaKeyFormat format = CreateValidKeyFormat();
130 StatusOr<EcdsaPrivateKey> key_or = EcdsaSignKeyManager().CreateKey(format);
131 ASSERT_THAT(key_or, IsOk());
132 EcdsaPrivateKey key = key_or.value();
133
134 EXPECT_THAT(key.version(), Eq(0));
135
136 EXPECT_THAT(key.public_key().version(), Eq(key.version()));
137 EXPECT_THAT(key.public_key().params().hash_type(),
138 Eq(format.params().hash_type()));
139 EXPECT_THAT(key.public_key().params().curve(), Eq(format.params().curve()));
140 EXPECT_THAT(key.public_key().params().encoding(),
141 Eq(format.params().encoding()));
142
143 EXPECT_THAT(key.public_key().x(), SizeIs(Gt(0)));
144 EXPECT_THAT(key.public_key().y(), SizeIs(Gt(0)));
145
146 EXPECT_THAT(key.key_value(), SizeIs(Gt(0)));
147 }
148
TEST(EcdsaSignKeyManagerTest,CreateKeyValid)149 TEST(EcdsaSignKeyManagerTest, CreateKeyValid) {
150 EcdsaKeyFormat format = CreateValidKeyFormat();
151 StatusOr<EcdsaPrivateKey> key_or = EcdsaSignKeyManager().CreateKey(format);
152 ASSERT_THAT(key_or, IsOk());
153 EXPECT_THAT(EcdsaSignKeyManager().ValidateKey(key_or.value()), IsOk());
154 }
155
CreateValidKey()156 EcdsaPrivateKey CreateValidKey() {
157 EcdsaKeyFormat format = CreateValidKeyFormat();
158 return EcdsaSignKeyManager().CreateKey(format).value();
159 }
160
TEST(EcdsaSignKeyManagerTest,ValidateKey)161 TEST(EcdsaSignKeyManagerTest, ValidateKey) {
162 EcdsaPrivateKey key = CreateValidKey();
163 EXPECT_THAT(EcdsaSignKeyManager().ValidateKey(key), IsOk());
164 }
165
TEST(EcdsaSignKeyManagerTest,ValidateKeyBadHashP256)166 TEST(EcdsaSignKeyManagerTest, ValidateKeyBadHashP256) {
167 EcdsaPrivateKey key = CreateValidKey();
168 EcdsaParams* params = key.mutable_public_key()->mutable_params();
169 params->set_curve(EllipticCurveType::NIST_P256);
170 params->set_hash_type(HashType::SHA512);
171 EXPECT_THAT(EcdsaSignKeyManager().ValidateKey(key), Not(IsOk()));
172 EXPECT_THAT(EcdsaSignKeyManager().ValidateKey(key),
173 StatusIs(absl::StatusCode::kInvalidArgument));
174 }
175
TEST(EcdsaSignKeyManagerTest,ValidateKeyBadHashP384)176 TEST(EcdsaSignKeyManagerTest, ValidateKeyBadHashP384) {
177 EcdsaPrivateKey key = CreateValidKey();
178 EcdsaParams* params = key.mutable_public_key()->mutable_params();
179 params->set_curve(EllipticCurveType::NIST_P384);
180 params->set_hash_type(HashType::SHA256);
181 EXPECT_THAT(EcdsaSignKeyManager().ValidateKey(key), Not(IsOk()));
182 EXPECT_THAT(EcdsaSignKeyManager().ValidateKey(key),
183 StatusIs(absl::StatusCode::kInvalidArgument));
184 }
185
TEST(EcdsaSignKeyManagerTest,ValidateKeyBadHashP521)186 TEST(EcdsaSignKeyManagerTest, ValidateKeyBadHashP521) {
187 EcdsaPrivateKey key = CreateValidKey();
188 EcdsaParams* params = key.mutable_public_key()->mutable_params();
189 params->set_curve(EllipticCurveType::NIST_P521);
190 params->set_hash_type(HashType::SHA256);
191 EXPECT_THAT(EcdsaSignKeyManager().ValidateKey(key), Not(IsOk()));
192 EXPECT_THAT(EcdsaSignKeyManager().ValidateKey(key),
193 StatusIs(absl::StatusCode::kInvalidArgument));
194 }
195
TEST(EcdsaSignKeyManagerTest,GetPublicKey)196 TEST(EcdsaSignKeyManagerTest, GetPublicKey) {
197 EcdsaPrivateKey key = CreateValidKey();
198 StatusOr<EcdsaPublicKey> public_key_or =
199 EcdsaSignKeyManager().GetPublicKey(key);
200
201 ASSERT_THAT(public_key_or, IsOk());
202 EcdsaPublicKey public_key = public_key_or.value();
203
204 EXPECT_THAT(public_key.version(), Eq(key.public_key().version()));
205 EXPECT_THAT(public_key.params().hash_type(),
206 Eq(key.public_key().params().hash_type()));
207 EXPECT_THAT(public_key.params().curve(),
208 Eq(key.public_key().params().curve()));
209 EXPECT_THAT(public_key.params().encoding(),
210 Eq(key.public_key().params().encoding()));
211
212 EXPECT_THAT(public_key.x(), Eq(key.public_key().x()));
213 EXPECT_THAT(public_key.y(), Eq(key.public_key().y()));
214 }
215
TEST(EcdsaSignKeyManagerTest,Create)216 TEST(EcdsaSignKeyManagerTest, Create) {
217 EcdsaPrivateKey private_key = CreateValidKey();
218 EcdsaPublicKey public_key =
219 EcdsaSignKeyManager().GetPublicKey(private_key).value();
220
221 auto signer_or =
222 EcdsaSignKeyManager().GetPrimitive<PublicKeySign>(private_key);
223 ASSERT_THAT(signer_or, IsOk());
224
225 internal::EcKey ec_key;
226 ec_key.curve = Enums::ProtoToSubtle(public_key.params().curve());
227 ec_key.pub_x = public_key.x();
228 ec_key.pub_y = public_key.y();
229 auto direct_verifier_or = subtle::EcdsaVerifyBoringSsl::New(
230 ec_key, Enums::ProtoToSubtle(public_key.params().hash_type()),
231 Enums::ProtoToSubtle(public_key.params().encoding()));
232 ASSERT_THAT(direct_verifier_or, IsOk());
233
234 std::string message = "Some message";
235 EXPECT_THAT(direct_verifier_or.value()->Verify(
236 signer_or.value()->Sign(message).value(), message),
237 IsOk());
238 }
239
TEST(EcdsaSignKeyManagerTest,CreateDifferentKey)240 TEST(EcdsaSignKeyManagerTest, CreateDifferentKey) {
241 EcdsaPrivateKey private_key = CreateValidKey();
242 // Note: we create a new key in the next line.
243 EcdsaPublicKey public_key =
244 EcdsaSignKeyManager().GetPublicKey(CreateValidKey()).value();
245
246 auto signer_or =
247 EcdsaSignKeyManager().GetPrimitive<PublicKeySign>(private_key);
248 ASSERT_THAT(signer_or, IsOk());
249
250 internal::EcKey ec_key;
251 ec_key.curve = Enums::ProtoToSubtle(public_key.params().curve());
252 ec_key.pub_x = public_key.x();
253 ec_key.pub_y = public_key.y();
254 auto direct_verifier_or = subtle::EcdsaVerifyBoringSsl::New(
255 ec_key, Enums::ProtoToSubtle(public_key.params().hash_type()),
256 Enums::ProtoToSubtle(public_key.params().encoding()));
257 ASSERT_THAT(direct_verifier_or, IsOk());
258
259 std::string message = "Some message";
260 EXPECT_THAT(direct_verifier_or.value()->Verify(
261 signer_or.value()->Sign(message).value(), message),
262 Not(IsOk()));
263 }
264
TEST(EcdsaSignKeyManagerTest,DeriveKeyFailsWithOpenSsl)265 TEST(EcdsaSignKeyManagerTest, DeriveKeyFailsWithOpenSsl) {
266 if (internal::IsBoringSsl()) {
267 GTEST_SKIP()
268 << "OpenSSL-only test, skipping because Tink is using BoringSSL";
269 }
270 EcdsaKeyFormat format = CreateValidKeyFormat();
271 util::IstreamInputStream input_stream{
272 absl::make_unique<std::stringstream>("0123456789abcdef0123456789abcdef")};
273 EXPECT_THAT(EcdsaSignKeyManager().DeriveKey(format, &input_stream).status(),
274 Not(IsOk()));
275 }
276
TEST(EcdsaSignKeyManagerTest,DeriveKeySignVerifySucceedsWithBoringSsl)277 TEST(EcdsaSignKeyManagerTest, DeriveKeySignVerifySucceedsWithBoringSsl) {
278 if (!internal::IsBoringSsl()) {
279 GTEST_SKIP()
280 << "Key derivation from an input stream is not supported with OpenSSL";
281 }
282 EcdsaKeyFormat format = CreateValidKeyFormat();
283
284 util::IstreamInputStream input_stream{
285 absl::make_unique<std::stringstream>("0123456789abcdef0123456789abcdef")};
286
287 util::StatusOr<EcdsaPrivateKey> key =
288 EcdsaSignKeyManager().DeriveKey(format, &input_stream);
289 ASSERT_THAT(key, IsOk());
290
291 util::StatusOr<std::unique_ptr<PublicKeySign>> signer =
292 EcdsaSignKeyManager().GetPrimitive<PublicKeySign>(*key);
293 ASSERT_THAT(signer, IsOk());
294
295 constexpr absl::string_view kMessage = "Some message";
296 util::StatusOr<std::string> signature = (*signer)->Sign(kMessage);
297 ASSERT_THAT(signature, IsOk());
298
299 util::StatusOr<std::unique_ptr<PublicKeyVerify>> verifier =
300 EcdsaVerifyKeyManager().GetPrimitive<PublicKeyVerify>(key->public_key());
301 ASSERT_THAT(verifier, IsOk());
302 EXPECT_THAT((*verifier)->Verify(*signature, kMessage), IsOk());
303 }
304
TEST(EcdsaSignKeyManagerTest,DeriveKeyNotEnoughRandomness)305 TEST(EcdsaSignKeyManagerTest, DeriveKeyNotEnoughRandomness) {
306 if (!internal::IsBoringSsl()) {
307 GTEST_SKIP()
308 << "Key derivation from an input stream is not supported with OpenSSL";
309 }
310 EcdsaKeyFormat format = CreateValidKeyFormat();
311
312 util::IstreamInputStream input_stream{
313 absl::make_unique<std::stringstream>("tooshort")};
314
315 ASSERT_THAT(EcdsaSignKeyManager().DeriveKey(format, &input_stream).status(),
316 test::StatusIs(absl::StatusCode::kInvalidArgument));
317 }
318
TEST(EcdsaSignKeyManagerTest,DeriveKeyWithInvalidKeyTemplateVersionFails)319 TEST(EcdsaSignKeyManagerTest, DeriveKeyWithInvalidKeyTemplateVersionFails) {
320 if (!internal::IsBoringSsl()) {
321 GTEST_SKIP()
322 << "Key derivation from an input stream is not supported with OpenSSL";
323 }
324 EcdsaKeyFormat format;
325 format.set_version(1);
326 EcdsaParams* params = format.mutable_params();
327 params->set_hash_type(HashType::SHA256);
328 params->set_curve(EllipticCurveType::NIST_P256);
329 params->set_encoding(EcdsaSignatureEncoding::DER);
330
331 util::IstreamInputStream input_stream{
332 absl::make_unique<std::stringstream>("tooshort")};
333
334 ASSERT_THAT(EcdsaSignKeyManager().DeriveKey(format, &input_stream).status(),
335 test::StatusIs(absl::StatusCode::kInvalidArgument));
336 }
337
TEST(EcdsaSignKeyManagerTest,DeriveKeyInvalidCurve)338 TEST(EcdsaSignKeyManagerTest, DeriveKeyInvalidCurve) {
339 if (!internal::IsBoringSsl()) {
340 GTEST_SKIP()
341 << "Key derivation from an input stream is not supported with OpenSSL";
342 }
343 EcdsaKeyFormat format = CreateValidKeyFormat();
344 EcdsaParams* params = format.mutable_params();
345 params->set_curve(EllipticCurveType::CURVE25519);
346
347 util::IstreamInputStream input_stream{
348 absl::make_unique<std::stringstream>("0123456789abcdef0123456789abcdef")};
349
350 ASSERT_THAT(EcdsaSignKeyManager().DeriveKey(format, &input_stream).status(),
351 test::StatusIs(absl::StatusCode::kInvalidArgument));
352 }
353
354 // Test vectors have been manually generated based on BoringSSL
355 // Date: 2021/06/03 commit: 88df13d73d5a74505f046f0bf37fb2fb3e1f1a58
356 using NistCurveParamsDeriveTest = ::testing::TestWithParam<
357 std::tuple<EllipticCurveType, std::string, std::string>>;
358 INSTANTIATE_TEST_SUITE_P(
359 NistCurvesParams, NistCurveParamsDeriveTest,
360 ::testing::Values(
361 std::make_tuple(
362 EllipticCurveType::NIST_P256, "0123456789abcdef0123456789abcdef",
363 "ed615ab1a0a8bc0412a02f097e747f33c61c5d1f0c720f3e232213ce4a4b7c38"),
364 std::make_tuple(
365 EllipticCurveType::NIST_P256, "0000000000000000",
366 "19d85dacc6634391175a26a692af2230a1de00860bda799d90e2df6ed8e1e5c6"),
367 std::make_tuple(
368 EllipticCurveType::NIST_P256, "4242424242424242",
369 "055d555a117782553a01a93544ffeced88bc08a50a22138b54c422c4a8cfb3ec"),
370 std::make_tuple(EllipticCurveType::NIST_P384,
371 "0123456789abcdef0123456789abcdef",
372 "4c2204d997b64a288ce7c8dbcb9d9543f45c7de458410cd996f28a"
373 "d123e45a146367c2d2100a4336bad949535d1d9e89"),
374 std::make_tuple(EllipticCurveType::NIST_P384,
375 "000000000000000000000000",
376 "88d0af7371ae92b3aa2daea3d68d514a5c335ac6c6e5af2a7cf60a"
377 "f71364241d318c022f7846b261c6345bc0c810d816"),
378 std::make_tuple(EllipticCurveType::NIST_P384,
379 "424242424242424242424242",
380 "53cfa0a8205c69cd56173a76a99caf19b15bd56ce9a08c6d26067e"
381 "b6b48925bd445cdf213e35b69330e47535ff8f27ad"),
382 std::make_tuple(EllipticCurveType::NIST_P521,
383 "0123456789abcdef0123456789abcdef",
384 "014ef526b2a9e965227e83396387a34a441d471f5ab3fe62607e78"
385 "e56619a698ad73bba12e42459e457c08dfa8492daaf8188f72f707"
386 "6b8bc902d4c68729a3330b8f"),
387 std::make_tuple(EllipticCurveType::NIST_P521,
388 "00000000000000000000000000000000",
389 "01effa21f65dda9fe6eacd5d4a1865a4117db0ac5617cdaaaae1cf"
390 "f17b261a5fd1804e75e49d8cca288bd3f0a7b77d39bb230c9c5192"
391 "c70e1af9f93403e3705a49d6"),
392 std::make_tuple(EllipticCurveType::NIST_P521,
393 "42424242424242424242424242424242",
394 "013fa619e3ea1f71f923b6716619d0044d168637d36e44b828901e"
395 "cef00f6fabcffbd6b5c2c24468a35fed8611aaeeb36b2af7be1eff"
396 "d393151c6b5135a07789f8a4")));
397
TEST_P(NistCurveParamsDeriveTest,TestVectors)398 TEST_P(NistCurveParamsDeriveTest, TestVectors) {
399 if (!internal::IsBoringSsl()) {
400 GTEST_SKIP()
401 << "Key derivation from an input stream is not supported with OpenSSL";
402 }
403 EcdsaKeyFormat key_format;
404 key_format.mutable_params()->set_curve(std::get<0>(GetParam()));
405
406 util::IstreamInputStream input_stream{
407 absl::make_unique<std::stringstream>(std::get<1>(GetParam()))};
408
409 util::StatusOr<EcdsaPrivateKey> private_key =
410 EcdsaSignKeyManager().DeriveKey(key_format, &input_stream);
411 ASSERT_THAT(private_key, IsOk());
412 EXPECT_THAT(private_key->key_value(),
413 Eq(test::HexDecodeOrDie(std::get<2>(GetParam()))));
414 }
415
416 } // namespace
417 } // namespace tink
418 } // namespace crypto
419