1// Copyright 2017 The Go Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style 3// license that can be found in the LICENSE file. 4 5//go:build boringcrypto 6 7// Note: Can run these tests against the non-BoringCrypto 8// version of the code by using "CGO_ENABLED=0 go test". 9 10package rsa 11 12import ( 13 "crypto" 14 "crypto/rand" 15 "encoding/asn1" 16 "encoding/hex" 17 "math/big" 18 "runtime" 19 "runtime/debug" 20 "sync" 21 "testing" 22) 23 24func TestBoringASN1Marshal(t *testing.T) { 25 k, err := GenerateKey(rand.Reader, 128) 26 if err != nil { 27 t.Fatal(err) 28 } 29 _, err = asn1.Marshal(k.PublicKey) 30 if err != nil { 31 t.Fatal(err) 32 } 33} 34 35func TestBoringVerify(t *testing.T) { 36 // Check that signatures that lack leading zeroes don't verify. 37 key := &PublicKey{ 38 N: bigFromHex("c4fdf7b40a5477f206e6ee278eaef888ca73bf9128a9eef9f2f1ddb8b7b71a4c07cfa241f028a04edb405e4d916c61d6beabc333813dc7b484d2b3c52ee233c6a79b1eea4e9cc51596ba9cd5ac5aeb9df62d86ea051055b79d03f8a4fa9f38386f5bd17529138f3325d46801514ea9047977e0829ed728e68636802796801be1"), 39 E: 65537, 40 } 41 42 hash := fromHex("019c5571724fb5d0e47a4260c940e9803ba05a44") 43 paddedHash := fromHex("3021300906052b0e03021a05000414019c5571724fb5d0e47a4260c940e9803ba05a44") 44 45 // signature is one byte shorter than key.N. 46 sig := fromHex("5edfbeb6a73e7225ad3cc52724e2872e04260d7daf0d693c170d8c4b243b8767bc7785763533febc62ec2600c30603c433c095453ede59ff2fcabeb84ce32e0ed9d5cf15ffcbc816202b64370d4d77c1e9077d74e94a16fb4fa2e5bec23a56d7a73cf275f91691ae1801a976fcde09e981a2f6327ac27ea1fecf3185df0d56") 47 48 err := VerifyPKCS1v15(key, 0, paddedHash, sig) 49 if err == nil { 50 t.Errorf("raw: expected verification error") 51 } 52 53 err = VerifyPKCS1v15(key, crypto.SHA1, hash, sig) 54 if err == nil { 55 t.Errorf("sha1: expected verification error") 56 } 57} 58 59func BenchmarkBoringVerify(b *testing.B) { 60 // Check that signatures that lack leading zeroes don't verify. 61 key := &PublicKey{ 62 N: bigFromHex("c4fdf7b40a5477f206e6ee278eaef888ca73bf9128a9eef9f2f1ddb8b7b71a4c07cfa241f028a04edb405e4d916c61d6beabc333813dc7b484d2b3c52ee233c6a79b1eea4e9cc51596ba9cd5ac5aeb9df62d86ea051055b79d03f8a4fa9f38386f5bd17529138f3325d46801514ea9047977e0829ed728e68636802796801be1"), 63 E: 65537, 64 } 65 66 hash := fromHex("019c5571724fb5d0e47a4260c940e9803ba05a44") 67 68 // signature is one byte shorter than key.N. 69 sig := fromHex("5edfbeb6a73e7225ad3cc52724e2872e04260d7daf0d693c170d8c4b243b8767bc7785763533febc62ec2600c30603c433c095453ede59ff2fcabeb84ce32e0ed9d5cf15ffcbc816202b64370d4d77c1e9077d74e94a16fb4fa2e5bec23a56d7a73cf275f91691ae1801a976fcde09e981a2f6327ac27ea1fecf3185df0d56") 70 71 b.ReportAllocs() 72 73 for i := 0; i < b.N; i++ { 74 err := VerifyPKCS1v15(key, crypto.SHA1, hash, sig) 75 if err == nil { 76 b.Fatalf("sha1: expected verification error") 77 } 78 } 79} 80 81func TestBoringGenerateKey(t *testing.T) { 82 k, err := GenerateKey(rand.Reader, 2048) // 2048 is smallest size BoringCrypto might kick in for 83 if err != nil { 84 t.Fatal(err) 85 } 86 87 // Non-Boring GenerateKey always sets CRTValues to a non-nil (possibly empty) slice. 88 if k.Precomputed.CRTValues == nil { 89 t.Fatalf("GenerateKey: Precomputed.CRTValues = nil") 90 } 91} 92 93func TestBoringFinalizers(t *testing.T) { 94 if runtime.GOOS == "nacl" || runtime.GOOS == "js" { 95 // Times out on nacl and js/wasm (without BoringCrypto) 96 // but not clear why - probably consuming rand.Reader too quickly 97 // and being throttled. Also doesn't really matter. 98 t.Skipf("skipping on %s/%s", runtime.GOOS, runtime.GOARCH) 99 } 100 101 k, err := GenerateKey(rand.Reader, 2048) 102 if err != nil { 103 t.Fatal(err) 104 } 105 106 // Run test with GOGC=10, to make bug more likely. 107 // Without the KeepAlives, the loop usually dies after 108 // about 30 iterations. 109 defer debug.SetGCPercent(debug.SetGCPercent(10)) 110 for n := 0; n < 200; n++ { 111 // Clear the underlying BoringCrypto object cache. 112 privCache.Clear() 113 114 // Race to create the underlying BoringCrypto object. 115 // The ones that lose the race are prime candidates for 116 // being GC'ed too early if the finalizers are not being 117 // used correctly. 118 var wg sync.WaitGroup 119 for i := 0; i < 10; i++ { 120 wg.Add(1) 121 go func() { 122 defer wg.Done() 123 sum := make([]byte, 32) 124 _, err := SignPKCS1v15(rand.Reader, k, crypto.SHA256, sum) 125 if err != nil { 126 panic(err) // usually caused by memory corruption, so hard stop 127 } 128 }() 129 } 130 wg.Wait() 131 } 132} 133 134func bigFromHex(hex string) *big.Int { 135 n, ok := new(big.Int).SetString(hex, 16) 136 if !ok { 137 panic("bad hex: " + hex) 138 } 139 return n 140} 141 142func fromHex(hexStr string) []byte { 143 s, err := hex.DecodeString(hexStr) 144 if err != nil { 145 panic(err) 146 } 147 return s 148} 149