tor-browser

pk11_ecdsa_unittest.cc (16046B)

---

/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this file,
* You can obtain one at http://mozilla.org/MPL/2.0/. */

#include <memory>
#include "nss.h"
#include "pk11pub.h"
#include "sechash.h"
#include "cryptohi.h"

#include "cpputil.h"
#include "gtest/gtest.h"
#include "json_reader.h"
#include "nss_scoped_ptrs.h"
#include "testvectors/curve25519-vectors.h"

#include "pk11_ecdsa_vectors.h"
#include "pk11_signature_test.h"
#include "pk11_keygen.h"

namespace nss_test {

CK_MECHANISM_TYPE
EcHashToComboMech(SECOidTag hash) {
 switch (hash) {
   case SEC_OID_SHA1:
     return CKM_ECDSA_SHA1;
   case SEC_OID_SHA224:
     return CKM_ECDSA_SHA224;
   case SEC_OID_SHA256:
     return CKM_ECDSA_SHA256;
   case SEC_OID_SHA384:
     return CKM_ECDSA_SHA384;
   case SEC_OID_SHA512:
     return CKM_ECDSA_SHA512;
   default:
     break;
 }
 return CKM_INVALID_MECHANISM;
}

class Pkcs11EcdsaTestBase : public Pk11SignatureTest {
protected:
 Pkcs11EcdsaTestBase(SECOidTag hash_oid)
     : Pk11SignatureTest(CKM_ECDSA, hash_oid, EcHashToComboMech(hash_oid)) {}
};

struct Pkcs11EcdsaTestParams {
 SECOidTag hash_oid_;
 Pkcs11SignatureTestParams sig_params_;
};

class Pkcs11EcdsaTest
   : public Pkcs11EcdsaTestBase,
     public ::testing::WithParamInterface<Pkcs11EcdsaTestParams> {
public:
 Pkcs11EcdsaTest() : Pkcs11EcdsaTestBase(GetParam().hash_oid_) {}
};

TEST_P(Pkcs11EcdsaTest, Verify) { Verify(GetParam().sig_params_); }

TEST_P(Pkcs11EcdsaTest, SignAndVerify) {
 SignAndVerify(GetParam().sig_params_);
}

TEST_P(Pkcs11EcdsaTest, ImportExport) {
 ImportExport(GetParam().sig_params_.pkcs8_);
}

static const Pkcs11EcdsaTestParams kEcdsaVectors[] = {
   {SEC_OID_SHA256,
    {DataBuffer(kP256Pkcs8, sizeof(kP256Pkcs8)),
     DataBuffer(kP256Spki, sizeof(kP256Spki)),
     DataBuffer(kP256Data, sizeof(kP256Data)),
     DataBuffer(kP256Signature, sizeof(kP256Signature))}},
   {SEC_OID_SHA256,
    {DataBuffer(kP256Pkcs8KeyLen30, sizeof(kP256Pkcs8KeyLen30)),
     DataBuffer(kP256SpkiKeyLen, sizeof(kP256SpkiKeyLen)),
     DataBuffer(kP256DataKeyLen, sizeof(kP256DataKeyLen)),
     DataBuffer(kP256SignatureKeyLen, sizeof(kP256SignatureKeyLen))}},
   {SEC_OID_SHA256,
    {DataBuffer(kP256Pkcs8KeyLen33, sizeof(kP256Pkcs8KeyLen33)),
     DataBuffer(kP256SpkiKeyLen, sizeof(kP256SpkiKeyLen)),
     DataBuffer(kP256DataKeyLen, sizeof(kP256DataKeyLen)),
     DataBuffer(kP256SignatureKeyLen, sizeof(kP256SignatureKeyLen))}},
   {SEC_OID_SHA384,
    {DataBuffer(kP384Pkcs8, sizeof(kP384Pkcs8)),
     DataBuffer(kP384Spki, sizeof(kP384Spki)),
     DataBuffer(kP384Data, sizeof(kP384Data)),
     DataBuffer(kP384Signature, sizeof(kP384Signature))}},
   {SEC_OID_SHA256,
    {DataBuffer(kP384Pkcs8KeyLen46, sizeof(kP384Pkcs8KeyLen46)),
     DataBuffer(kP384SpkiKeyLen, sizeof(kP384SpkiKeyLen)),
     DataBuffer(kP384DataKeyLen, sizeof(kP384DataKeyLen)),
     DataBuffer(kP384SignatureKeyLen, sizeof(kP384SignatureKeyLen))}},
   {SEC_OID_SHA256,
    {DataBuffer(kP384Pkcs8KeyLen49, sizeof(kP384Pkcs8KeyLen49)),
     DataBuffer(kP384SpkiKeyLen, sizeof(kP384SpkiKeyLen)),
     DataBuffer(kP384DataKeyLen, sizeof(kP384DataKeyLen)),
     DataBuffer(kP384SignatureKeyLen, sizeof(kP384SignatureKeyLen))}},
   {SEC_OID_SHA512,
    {DataBuffer(kP521Pkcs8, sizeof(kP521Pkcs8)),
     DataBuffer(kP521Spki, sizeof(kP521Spki)),
     DataBuffer(kP521Data, sizeof(kP521Data)),
     DataBuffer(kP521Signature, sizeof(kP521Signature))}},
   {SEC_OID_SHA256,
    {DataBuffer(kP521Pkcs8KeyLen64, sizeof(kP521Pkcs8KeyLen64)),
     DataBuffer(kP521SpkiKeyLen, sizeof(kP521SpkiKeyLen)),
     DataBuffer(kP521DataKeyLen, sizeof(kP521DataKeyLen)),
     DataBuffer(kP521SignatureKeyLen, sizeof(kP521SignatureKeyLen))}},
   {SEC_OID_SHA256,
    {DataBuffer(kP521Pkcs8KeyLen67, sizeof(kP521Pkcs8KeyLen67)),
     DataBuffer(kP521SpkiKeyLen, sizeof(kP521SpkiKeyLen)),
     DataBuffer(kP521DataKeyLen, sizeof(kP521DataKeyLen)),
     DataBuffer(kP521SignatureKeyLen, sizeof(kP521SignatureKeyLen))}}};

INSTANTIATE_TEST_SUITE_P(EcdsaSignVerify, Pkcs11EcdsaTest,
                        ::testing::ValuesIn(kEcdsaVectors));

class Pkcs11EcdsaSha256Test : public Pkcs11EcdsaTestBase {
public:
 Pkcs11EcdsaSha256Test() : Pkcs11EcdsaTestBase(SEC_OID_SHA256) {}
};

// Importing a private key in PKCS#8 format must fail when the outer AlgID
// struct contains neither id-ecPublicKey nor a namedCurve parameter.
TEST_F(Pkcs11EcdsaSha256Test, ImportNoCurveOIDOrAlgorithmParams) {
 DataBuffer k(kP256Pkcs8NoCurveOIDOrAlgorithmParams,
              sizeof(kP256Pkcs8NoCurveOIDOrAlgorithmParams));
 EXPECT_FALSE(ImportPrivateKey(k));
};

// Importing a private key in PKCS#8 format must succeed when only the outer
// AlgID struct contains the namedCurve parameters.
TEST_F(Pkcs11EcdsaSha256Test, ImportOnlyAlgorithmParams) {
 DataBuffer k(kP256Pkcs8OnlyAlgorithmParams,
              sizeof(kP256Pkcs8OnlyAlgorithmParams));
 DataBuffer data(kP256Data, sizeof(kP256Data));
 DataBuffer sig;
 DataBuffer sig2;
 EXPECT_TRUE(ImportPrivateKeyAndSignHashedData(k, data, &sig, &sig2));
};

// Importing a private key in PKCS#8 format must succeed when the outer AlgID
// struct and the inner ECPrivateKey contain the same namedCurve parameters.
// The inner curveOID is always ignored, so only the outer one will be used.
TEST_F(Pkcs11EcdsaSha256Test, ImportMatchingCurveOIDAndAlgorithmParams) {
 DataBuffer k(kP256Pkcs8MatchingCurveOIDAndAlgorithmParams,
              sizeof(kP256Pkcs8MatchingCurveOIDAndAlgorithmParams));
 DataBuffer data(kP256Data, sizeof(kP256Data));
 DataBuffer sig;
 DataBuffer sig2;
 EXPECT_TRUE(ImportPrivateKeyAndSignHashedData(k, data, &sig, &sig2));
};

// Importing a private key in PKCS#8 format must succeed when the outer AlgID
// struct and the inner ECPrivateKey contain dissimilar namedCurve parameters.
// The inner curveOID is always ignored, so only the outer one will be used.
TEST_F(Pkcs11EcdsaSha256Test, ImportDissimilarCurveOIDAndAlgorithmParams) {
 DataBuffer k(kP256Pkcs8DissimilarCurveOIDAndAlgorithmParams,
              sizeof(kP256Pkcs8DissimilarCurveOIDAndAlgorithmParams));
 DataBuffer data(kP256Data, sizeof(kP256Data));
 DataBuffer sig;
 DataBuffer sig2;
 EXPECT_TRUE(ImportPrivateKeyAndSignHashedData(k, data, &sig, &sig2));
};

// Importing a private key in PKCS#8 format must fail when the outer ASN.1
// AlgorithmID struct contains only id-ecPublicKey but no namedCurve parameter.
TEST_F(Pkcs11EcdsaSha256Test, ImportNoAlgorithmParams) {
 DataBuffer k(kP256Pkcs8NoAlgorithmParams,
              sizeof(kP256Pkcs8NoAlgorithmParams));
 EXPECT_FALSE(ImportPrivateKey(k));
};

// Importing a private key in PKCS#8 format must fail when id-ecPublicKey is
// given (so we know it's an EC key) but the namedCurve parameter is unknown.
TEST_F(Pkcs11EcdsaSha256Test, ImportInvalidAlgorithmParams) {
 DataBuffer k(kP256Pkcs8InvalidAlgorithmParams,
              sizeof(kP256Pkcs8InvalidAlgorithmParams));
 EXPECT_FALSE(ImportPrivateKey(k));
};

// Importing a private key in PKCS#8 format with a point not on the curve will
// succeed. Using the contained public key however will fail when trying to
// import it before using it for any operation.
TEST_F(Pkcs11EcdsaSha256Test, ImportPointNotOnCurve) {
 DataBuffer k(kP256Pkcs8PointNotOnCurve, sizeof(kP256Pkcs8PointNotOnCurve));
 ScopedSECKEYPrivateKey privKey(ImportPrivateKey(k));
 ASSERT_TRUE(privKey);

 ScopedSECKEYPublicKey pubKey(SECKEY_ConvertToPublicKey(privKey.get()));
 ASSERT_TRUE(pubKey);

 ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
 ASSERT_TRUE(slot);

 auto handle = PK11_ImportPublicKey(slot.get(), pubKey.get(), false);
 EXPECT_EQ(handle, static_cast<decltype(handle)>(CK_INVALID_HANDLE));
};

// Importing a private key in PKCS#8 without a public key will succeed
// if NSS supports public key derivation for this curve (P-256, P-384, P-521).
TEST_F(Pkcs11EcdsaSha256Test, ImportNoPublicKey) {
 DataBuffer k(kP256Pkcs8NoPublicKey, sizeof(kP256Pkcs8NoPublicKey));
 ScopedSECKEYPrivateKey privKey(ImportPrivateKey(k));
 ASSERT_TRUE(privKey);

 ScopedSECKEYPublicKey pubKey(SECKEY_ConvertToPublicKey(privKey.get()));
 ASSERT_TRUE(pubKey);

 ASSERT_NE(pubKey->u.ec.publicValue.len, 0ul);
};

// Importing a public key in SPKI format must fail when id-ecPublicKey is
// given (so we know it's an EC key) but the namedCurve parameter is missing.
TEST_F(Pkcs11EcdsaSha256Test, ImportSpkiNoAlgorithmParams) {
 DataBuffer k(kP256SpkiNoAlgorithmParams, sizeof(kP256SpkiNoAlgorithmParams));
 EXPECT_FALSE(ImportPublicKey(k));
}

// Importing a public key in SPKI format with a point not on the curve will
// succeed. Using the public key however will fail when trying to import
// it before using it for any operation.
TEST_F(Pkcs11EcdsaSha256Test, ImportSpkiPointNotOnCurve) {
 DataBuffer k(kP256SpkiPointNotOnCurve, sizeof(kP256SpkiPointNotOnCurve));
 ScopedSECKEYPublicKey pubKey(ImportPublicKey(k));
 ASSERT_TRUE(pubKey);

 ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
 ASSERT_TRUE(slot);

 auto handle = PK11_ImportPublicKey(slot.get(), pubKey.get(), false);
 EXPECT_EQ(handle, static_cast<decltype(handle)>(CK_INVALID_HANDLE));
}

class Pkcs11EcdsaWycheproofTest : public ::testing::Test {
protected:
 void Run(const std::string& name) {
   WycheproofHeader(name, "ECDSA", "ecdsa_verify_schema.json",
                    [this](JsonReader& r) { RunGroup(r); });
 }

private:
 void RunGroup(JsonReader& r) {
   std::vector<EcdsaTestVector> tests;
   std::vector<uint8_t> public_key;
   SECOidTag hash_oid = SEC_OID_UNKNOWN;

   while (r.NextItem()) {
     std::string n = r.ReadLabel();
     if (n == "") {
       break;
     }

     if (n == "key" || n == "keyPem") {
       r.SkipValue();
     } else if (n == "keyDer") {
       public_key = r.ReadHex();
     } else if (n == "sha") {
       hash_oid = r.ReadHash();
     } else if (n == "type") {
       ASSERT_EQ("EcdsaVerify", r.ReadString());
     } else if (n == "tests") {
       WycheproofReadTests(r, &tests, ReadTestAttr);
     } else {
       FAIL() << "unknown label in group: " << n;
     }
   }

   for (auto& t : tests) {
     std::cout << "Running test " << t.id << std::endl;
     t.public_key = public_key;
     t.hash_oid = hash_oid;
     Derive(t);
   }
 }

 static void ReadTestAttr(EcdsaTestVector& t, const std::string& n,
                          JsonReader& r) {
   if (n == "msg") {
     t.msg = r.ReadHex();
   } else if (n == "sig") {
     t.sig = r.ReadHex();
   } else {
     FAIL() << "unknown test key: " << n;
   }
 }

 void Derive(const EcdsaTestVector& vec) {
   SECItem spki_item = {siBuffer, toUcharPtr(vec.public_key.data()),
                        static_cast<unsigned int>(vec.public_key.size())};
   SECItem sig_item = {siBuffer, toUcharPtr(vec.sig.data()),
                       static_cast<unsigned int>(vec.sig.size())};

   DataBuffer hash;
   hash.Allocate(static_cast<size_t>(HASH_ResultLenByOidTag(vec.hash_oid)));
   SECStatus rv = PK11_HashBuf(vec.hash_oid, toUcharPtr(hash.data()),
                               toUcharPtr(vec.msg.data()), vec.msg.size());
   ASSERT_EQ(rv, SECSuccess);
   SECItem hash_item = {siBuffer, toUcharPtr(hash.data()),
                        static_cast<unsigned int>(hash.len())};

   ScopedCERTSubjectPublicKeyInfo cert_spki(
       SECKEY_DecodeDERSubjectPublicKeyInfo(&spki_item));
   ASSERT_TRUE(cert_spki);
   ScopedSECKEYPublicKey pub_key(SECKEY_ExtractPublicKey(cert_spki.get()));
   ASSERT_TRUE(pub_key);

   rv = VFY_VerifyDigestDirect(&hash_item, pub_key.get(), &sig_item,
                               SEC_OID_ANSIX962_EC_PUBLIC_KEY, vec.hash_oid,
                               nullptr);
   EXPECT_EQ(rv, vec.valid ? SECSuccess : SECFailure);
 };
};

TEST_F(Pkcs11EcdsaWycheproofTest, P256) { Run("ecdsa_secp256r1_sha256"); }
TEST_F(Pkcs11EcdsaWycheproofTest, P256Sha512) { Run("ecdsa_secp256r1_sha512"); }
TEST_F(Pkcs11EcdsaWycheproofTest, P384) { Run("ecdsa_secp384r1_sha384"); }
TEST_F(Pkcs11EcdsaWycheproofTest, P384Sha512) { Run("ecdsa_secp384r1_sha512"); }
TEST_F(Pkcs11EcdsaWycheproofTest, P521) { Run("ecdsa_secp521r1_sha512"); }

class Pkcs11EcdsaRoundtripTest
   : public Pkcs11EcdsaTestBase,
     public ::testing::WithParamInterface<SECOidTag> {
public:
 Pkcs11EcdsaRoundtripTest() : Pkcs11EcdsaTestBase(SEC_OID_SHA256) {}

protected:
 void GenerateExportImportSignVerify(SECOidTag tag) {
   Pkcs11KeyPairGenerator generator(CKM_EC_KEY_PAIR_GEN, tag);
   ScopedSECKEYPrivateKey priv;
   ScopedSECKEYPublicKey pub;
   generator.GenerateKey(&priv, &pub, false);

   DataBuffer exported;
   ExportPrivateKey(&priv, exported);

   if (tag != SEC_OID_CURVE25519) {
     DataBuffer sig;
     DataBuffer sig2;
     DataBuffer data(kP256Data, sizeof(kP256Data));
     ASSERT_TRUE(
         ImportPrivateKeyAndSignHashedData(exported, data, &sig, &sig2));

     Verify(pub, data, sig);
   }
 }
};

TEST_P(Pkcs11EcdsaRoundtripTest, GenerateExportImportSignVerify) {
 GenerateExportImportSignVerify(GetParam());
}
INSTANTIATE_TEST_SUITE_P(Pkcs11EcdsaRoundtripTest, Pkcs11EcdsaRoundtripTest,
                        ::testing::Values(SEC_OID_SECG_EC_SECP256R1,
                                          SEC_OID_SECG_EC_SECP384R1,
                                          SEC_OID_SECG_EC_SECP521R1,
                                          SEC_OID_CURVE25519));

class Pkcs11EcdsaUnpaddedSignatureTest
   : public Pkcs11EcdsaTestBase,
     public ::testing::WithParamInterface<Pkcs11EcdsaTestParams> {
public:
 Pkcs11EcdsaUnpaddedSignatureTest()
     : Pkcs11EcdsaTestBase(GetParam().hash_oid_) {}
};

static const Pkcs11EcdsaTestParams kEcdsaUnpaddedSignaturesVectors[] = {
   {SEC_OID_SHA512,
    {DataBuffer(NULL, 0),
     DataBuffer(kP256SpkiUnpaddedSig, sizeof(kP256SpkiUnpaddedSig)),
     DataBuffer(kP256DataUnpaddedSigLong, sizeof(kP256DataUnpaddedSigLong)),
     DataBuffer(kP256SignatureUnpaddedSigLong,
                sizeof(kP256SignatureUnpaddedSigLong))}},
   {SEC_OID_SHA512,
    {DataBuffer(NULL, 0),
     DataBuffer(kP256SpkiUnpaddedSig, sizeof(kP256SpkiUnpaddedSig)),
     DataBuffer(kP256DataUnpaddedSigShort, sizeof(kP256DataUnpaddedSigShort)),
     DataBuffer(kP256SignatureUnpaddedSigShort,
                sizeof(kP256SignatureUnpaddedSigShort))}},
   {SEC_OID_SHA512,
    {DataBuffer(NULL, 0),
     DataBuffer(kP384SpkiUnpaddedSig, sizeof(kP384SpkiUnpaddedSig)),
     DataBuffer(kP384DataUnpaddedSigLong, sizeof(kP384DataUnpaddedSigLong)),
     DataBuffer(kP384SignatureUnpaddedSigLong,
                sizeof(kP384SignatureUnpaddedSigLong))}},
   {SEC_OID_SHA512,
    {DataBuffer(NULL, 0),
     DataBuffer(kP384SpkiUnpaddedSig, sizeof(kP384SpkiUnpaddedSig)),
     DataBuffer(kP384DataUnpaddedSigShort, sizeof(kP384DataUnpaddedSigShort)),
     DataBuffer(kP384SignatureUnpaddedSigShort,
                sizeof(kP384SignatureUnpaddedSigShort))}},
   {SEC_OID_SHA512,
    {DataBuffer(NULL, 0),
     DataBuffer(kP521SpkiUnpaddedSig, sizeof(kP521SpkiUnpaddedSig)),
     DataBuffer(kP521DataUnpaddedSigLong, sizeof(kP521DataUnpaddedSigLong)),
     DataBuffer(kP521SignatureUnpaddedSigLong,
                sizeof(kP521SignatureUnpaddedSigLong))}},
   {SEC_OID_SHA512,
    {DataBuffer(NULL, 0),
     DataBuffer(kP521SpkiUnpaddedSig, sizeof(kP521SpkiUnpaddedSig)),
     DataBuffer(kP521DataUnpaddedSigShort, sizeof(kP521DataUnpaddedSigShort)),
     DataBuffer(kP521SignatureUnpaddedSigShort,
                sizeof(kP521SignatureUnpaddedSigShort))}}};

TEST_P(Pkcs11EcdsaUnpaddedSignatureTest, Verify) {
 Verify(GetParam().sig_params_);
}
INSTANTIATE_TEST_SUITE_P(EcdsaVerifyUnpaddedSignatures,
                        Pkcs11EcdsaUnpaddedSignatureTest,
                        ::testing::ValuesIn(kEcdsaUnpaddedSignaturesVectors));
}  // namespace nss_test