github.com/kchristidis/fabric@v1.0.4-0.20171028114726-837acd08cde1/bccsp/pkcs11/impl_test.go (about) 1 /* 2 Copyright IBM Corp. 2016 All Rights Reserved. 3 4 Licensed under the Apache License, Version 2.0 (the "License"); 5 you may not use this file except in compliance with the License. 6 You may obtain a copy of the License at 7 8 http://www.apache.org/licenses/LICENSE-2.0 9 10 Unless required by applicable law or agreed to in writing, software 11 distributed under the License is distributed on an "AS IS" BASIS, 12 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 See the License for the specific language governing permissions and 14 limitations under the License. 15 */ 16 package pkcs11 17 18 import ( 19 "bytes" 20 "crypto" 21 "crypto/ecdsa" 22 "crypto/elliptic" 23 "crypto/rand" 24 "crypto/rsa" 25 "crypto/sha256" 26 "crypto/sha512" 27 "crypto/x509" 28 "crypto/x509/pkix" 29 "encoding/asn1" 30 "fmt" 31 "hash" 32 "math/big" 33 "net" 34 "os" 35 "strings" 36 "testing" 37 "time" 38 39 "github.com/hyperledger/fabric/bccsp" 40 "github.com/hyperledger/fabric/bccsp/signer" 41 "github.com/hyperledger/fabric/bccsp/sw" 42 "github.com/hyperledger/fabric/bccsp/utils" 43 "github.com/op/go-logging" 44 "github.com/stretchr/testify/assert" 45 "golang.org/x/crypto/sha3" 46 ) 47 48 var ( 49 currentKS bccsp.KeyStore 50 currentBCCSP bccsp.BCCSP 51 currentTestConfig testConfig 52 ) 53 54 type testConfig struct { 55 securityLevel int 56 hashFamily string 57 softVerify bool 58 noKeyImport bool 59 } 60 61 func TestMain(m *testing.M) { 62 // Activate DEBUG level to cover listAttrs function 63 logging.SetLevel(logging.DEBUG, "bccsp_p11") 64 65 ks, err := sw.NewFileBasedKeyStore(nil, os.TempDir(), false) 66 if err != nil { 67 fmt.Printf("Failed initiliazing KeyStore [%s]", err) 68 os.Exit(-1) 69 } 70 currentKS = ks 71 72 lib, pin, label := FindPKCS11Lib() 73 tests := []testConfig{ 74 {256, "SHA2", true, true}, 75 {256, "SHA3", false, true}, 76 {384, "SHA2", false, true}, 77 {384, "SHA3", false, true}, 78 {384, "SHA3", true, true}, 79 } 80 81 if strings.Contains(lib, "softhsm") { 82 tests = append(tests, []testConfig{ 83 {256, "SHA2", true, false}, 84 }...) 85 } 86 87 opts := PKCS11Opts{ 88 Library: lib, 89 Label: label, 90 Pin: pin, 91 } 92 for _, config := range tests { 93 var err error 94 currentTestConfig = config 95 96 opts.HashFamily = config.hashFamily 97 opts.SecLevel = config.securityLevel 98 opts.SoftVerify = config.softVerify 99 opts.Sensitive = config.noKeyImport 100 currentBCCSP, err = New(opts, currentKS) 101 if err != nil { 102 fmt.Printf("Failed initiliazing BCCSP at [%+v]: [%s]", opts, err) 103 os.Exit(-1) 104 } 105 106 ret := m.Run() 107 if ret != 0 { 108 fmt.Printf("Failed testing at [%+v]", opts) 109 os.Exit(-1) 110 } 111 } 112 os.Exit(0) 113 } 114 115 func TestNew(t *testing.T) { 116 opts := PKCS11Opts{ 117 HashFamily: "SHA2", 118 SecLevel: 256, 119 SoftVerify: false, 120 Sensitive: true, 121 Library: "lib", 122 Label: "ForFabric", 123 Pin: "98765432", 124 } 125 126 // Setup PKCS11 library and provide initial set of values 127 lib, _, _ := FindPKCS11Lib() 128 opts.Library = lib 129 130 // Test for nil keystore 131 _, err := New(opts, nil) 132 assert.Error(t, err) 133 assert.Contains(t, err.Error(), "Invalid bccsp.KeyStore instance. It must be different from nil.") 134 135 // Test for invalid PKCS11 loadLib 136 opts.Library = "" 137 _, err = New(opts, currentKS) 138 assert.Error(t, err) 139 assert.Contains(t, err.Error(), "Failed initializing PKCS11 library") 140 } 141 142 func TestFindPKCS11LibEnvVars(t *testing.T) { 143 const ( 144 dummy_PKCS11_LIB = "/usr/lib/pkcs11" 145 dummy_PKCS11_PIN = "98765432" 146 dummy_PKCS11_LABEL = "testing" 147 ) 148 149 // Set environment variables used for test and preserve 150 // original values for restoration after test completion 151 orig_PKCS11_LIB := os.Getenv("PKCS11_LIB") 152 os.Setenv("PKCS11_LIB", dummy_PKCS11_LIB) 153 154 orig_PKCS11_PIN := os.Getenv("PKCS11_PIN") 155 os.Setenv("PKCS11_PIN", dummy_PKCS11_PIN) 156 157 orig_PKCS11_LABEL := os.Getenv("PKCS11_LABEL") 158 os.Setenv("PKCS11_LABEL", dummy_PKCS11_LABEL) 159 160 lib, pin, label := FindPKCS11Lib() 161 assert.EqualValues(t, dummy_PKCS11_LIB, lib, "FindPKCS11Lib did not return expected library") 162 assert.EqualValues(t, dummy_PKCS11_PIN, pin, "FindPKCS11Lib did not return expected pin") 163 assert.EqualValues(t, dummy_PKCS11_LABEL, label, "FindPKCS11Lib did not return expected label") 164 165 os.Setenv("PKCS11_LIB", orig_PKCS11_LIB) 166 os.Setenv("PKCS11_PIN", orig_PKCS11_PIN) 167 os.Setenv("PKCS11_LABEL", orig_PKCS11_LABEL) 168 } 169 170 func TestInvalidNewParameter(t *testing.T) { 171 lib, pin, label := FindPKCS11Lib() 172 opts := PKCS11Opts{ 173 Library: lib, 174 Label: label, 175 Pin: pin, 176 SoftVerify: true, 177 Sensitive: true, 178 } 179 180 opts.HashFamily = "SHA2" 181 opts.SecLevel = 0 182 r, err := New(opts, currentKS) 183 if err == nil { 184 t.Fatal("Error should be different from nil in this case") 185 } 186 if r != nil { 187 t.Fatal("Return value should be equal to nil in this case") 188 } 189 190 opts.HashFamily = "SHA8" 191 opts.SecLevel = 256 192 r, err = New(opts, currentKS) 193 if err == nil { 194 t.Fatal("Error should be different from nil in this case") 195 } 196 if r != nil { 197 t.Fatal("Return value should be equal to nil in this case") 198 } 199 200 opts.HashFamily = "SHA2" 201 opts.SecLevel = 256 202 r, err = New(opts, nil) 203 if err == nil { 204 t.Fatal("Error should be different from nil in this case") 205 } 206 if r != nil { 207 t.Fatal("Return value should be equal to nil in this case") 208 } 209 210 opts.HashFamily = "SHA3" 211 opts.SecLevel = 0 212 r, err = New(opts, nil) 213 if err == nil { 214 t.Fatal("Error should be different from nil in this case") 215 } 216 if r != nil { 217 t.Fatal("Return value should be equal to nil in this case") 218 } 219 } 220 221 func TestInvalidSKI(t *testing.T) { 222 k, err := currentBCCSP.GetKey(nil) 223 if err == nil { 224 t.Fatal("Error should be different from nil in this case") 225 } 226 if k != nil { 227 t.Fatal("Return value should be equal to nil in this case") 228 } 229 230 k, err = currentBCCSP.GetKey([]byte{0, 1, 2, 3, 4, 5, 6}) 231 if err == nil { 232 t.Fatal("Error should be different from nil in this case") 233 } 234 if k != nil { 235 t.Fatal("Return value should be equal to nil in this case") 236 } 237 } 238 239 func TestKeyGenECDSAOpts(t *testing.T) { 240 // Curve P256 241 k, err := currentBCCSP.KeyGen(&bccsp.ECDSAP256KeyGenOpts{Temporary: false}) 242 if err != nil { 243 t.Fatalf("Failed generating ECDSA P256 key [%s]", err) 244 } 245 if k == nil { 246 t.Fatal("Failed generating ECDSA P256 key. Key must be different from nil") 247 } 248 if !k.Private() { 249 t.Fatal("Failed generating ECDSA P256 key. Key should be private") 250 } 251 if k.Symmetric() { 252 t.Fatal("Failed generating ECDSA P256 key. Key should be asymmetric") 253 } 254 255 ecdsaKey := k.(*ecdsaPrivateKey).pub 256 if elliptic.P256() != ecdsaKey.pub.Curve { 257 t.Fatal("P256 generated key in invalid. The curve must be P256.") 258 } 259 260 // Curve P384 261 k, err = currentBCCSP.KeyGen(&bccsp.ECDSAP384KeyGenOpts{Temporary: false}) 262 if err != nil { 263 t.Fatalf("Failed generating ECDSA P384 key [%s]", err) 264 } 265 if k == nil { 266 t.Fatal("Failed generating ECDSA P384 key. Key must be different from nil") 267 } 268 if !k.Private() { 269 t.Fatal("Failed generating ECDSA P384 key. Key should be private") 270 } 271 if k.Symmetric() { 272 t.Fatal("Failed generating ECDSA P384 key. Key should be asymmetric") 273 } 274 275 ecdsaKey = k.(*ecdsaPrivateKey).pub 276 if elliptic.P384() != ecdsaKey.pub.Curve { 277 t.Fatal("P256 generated key in invalid. The curve must be P384.") 278 } 279 } 280 281 func TestKeyGenRSAOpts(t *testing.T) { 282 // 1024 283 k, err := currentBCCSP.KeyGen(&bccsp.RSA1024KeyGenOpts{Temporary: false}) 284 if err != nil { 285 t.Fatalf("Failed generating RSA 1024 key [%s]", err) 286 } 287 if k == nil { 288 t.Fatal("Failed generating RSA 1024 key. Key must be different from nil") 289 } 290 if !k.Private() { 291 t.Fatal("Failed generating RSA 1024 key. Key should be private") 292 } 293 if k.Symmetric() { 294 t.Fatal("Failed generating RSA 1024 key. Key should be asymmetric") 295 } 296 297 // 2048 298 k, err = currentBCCSP.KeyGen(&bccsp.RSA2048KeyGenOpts{Temporary: false}) 299 if err != nil { 300 t.Fatalf("Failed generating RSA 2048 key [%s]", err) 301 } 302 if k == nil { 303 t.Fatal("Failed generating RSA 2048 key. Key must be different from nil") 304 } 305 if !k.Private() { 306 t.Fatal("Failed generating RSA 2048 key. Key should be private") 307 } 308 if k.Symmetric() { 309 t.Fatal("Failed generating RSA 2048 key. Key should be asymmetric") 310 } 311 } 312 313 func TestKeyGenAESOpts(t *testing.T) { 314 // AES 128 315 k, err := currentBCCSP.KeyGen(&bccsp.AES128KeyGenOpts{Temporary: false}) 316 if err != nil { 317 t.Fatalf("Failed generating AES 128 key [%s]", err) 318 } 319 if k == nil { 320 t.Fatal("Failed generating AES 128 key. Key must be different from nil") 321 } 322 if !k.Private() { 323 t.Fatal("Failed generating AES 128 key. Key should be private") 324 } 325 if !k.Symmetric() { 326 t.Fatal("Failed generating AES 128 key. Key should be symmetric") 327 } 328 329 // AES 192 330 k, err = currentBCCSP.KeyGen(&bccsp.AES192KeyGenOpts{Temporary: false}) 331 if err != nil { 332 t.Fatalf("Failed generating AES 192 key [%s]", err) 333 } 334 if k == nil { 335 t.Fatal("Failed generating AES 192 key. Key must be different from nil") 336 } 337 if !k.Private() { 338 t.Fatal("Failed generating AES 192 key. Key should be private") 339 } 340 if !k.Symmetric() { 341 t.Fatal("Failed generating AES 192 key. Key should be symmetric") 342 } 343 344 // AES 256 345 k, err = currentBCCSP.KeyGen(&bccsp.AES256KeyGenOpts{Temporary: false}) 346 if err != nil { 347 t.Fatalf("Failed generating AES 256 key [%s]", err) 348 } 349 if k == nil { 350 t.Fatal("Failed generating AES 256 key. Key must be different from nil") 351 } 352 if !k.Private() { 353 t.Fatal("Failed generating AES 256 key. Key should be private") 354 } 355 if !k.Symmetric() { 356 t.Fatal("Failed generating AES 256 key. Key should be symmetric") 357 } 358 } 359 360 func TestHashOpts(t *testing.T) { 361 msg := []byte("abcd") 362 363 // SHA256 364 digest1, err := currentBCCSP.Hash(msg, &bccsp.SHA256Opts{}) 365 if err != nil { 366 t.Fatalf("Failed computing SHA256 [%s]", err) 367 } 368 369 h := sha256.New() 370 h.Write(msg) 371 digest2 := h.Sum(nil) 372 373 if !bytes.Equal(digest1, digest2) { 374 t.Fatalf("Different SHA256 computed. [%x][%x]", digest1, digest2) 375 } 376 377 // SHA384 378 digest1, err = currentBCCSP.Hash(msg, &bccsp.SHA384Opts{}) 379 if err != nil { 380 t.Fatalf("Failed computing SHA384 [%s]", err) 381 } 382 383 h = sha512.New384() 384 h.Write(msg) 385 digest2 = h.Sum(nil) 386 387 if !bytes.Equal(digest1, digest2) { 388 t.Fatalf("Different SHA384 computed. [%x][%x]", digest1, digest2) 389 } 390 391 // SHA3_256O 392 digest1, err = currentBCCSP.Hash(msg, &bccsp.SHA3_256Opts{}) 393 if err != nil { 394 t.Fatalf("Failed computing SHA3_256 [%s]", err) 395 } 396 397 h = sha3.New256() 398 h.Write(msg) 399 digest2 = h.Sum(nil) 400 401 if !bytes.Equal(digest1, digest2) { 402 t.Fatalf("Different SHA3_256 computed. [%x][%x]", digest1, digest2) 403 } 404 405 // SHA3_384 406 digest1, err = currentBCCSP.Hash(msg, &bccsp.SHA3_384Opts{}) 407 if err != nil { 408 t.Fatalf("Failed computing SHA3_384 [%s]", err) 409 } 410 411 h = sha3.New384() 412 h.Write(msg) 413 digest2 = h.Sum(nil) 414 415 if !bytes.Equal(digest1, digest2) { 416 t.Fatalf("Different SHA3_384 computed. [%x][%x]", digest1, digest2) 417 } 418 } 419 420 func TestECDSAKeyGenEphemeral(t *testing.T) { 421 k, err := currentBCCSP.KeyGen(&bccsp.ECDSAKeyGenOpts{Temporary: true}) 422 if err != nil { 423 t.Fatalf("Failed generating ECDSA key [%s]", err) 424 } 425 if k == nil { 426 t.Fatal("Failed generating ECDSA key. Key must be different from nil") 427 } 428 if !k.Private() { 429 t.Fatal("Failed generating ECDSA key. Key should be private") 430 } 431 if k.Symmetric() { 432 t.Fatal("Failed generating ECDSA key. Key should be asymmetric") 433 } 434 raw, err := k.Bytes() 435 if err == nil { 436 t.Fatal("Failed marshalling to bytes. Marshalling must fail.") 437 } 438 if len(raw) != 0 { 439 t.Fatal("Failed marshalling to bytes. Output should be 0 bytes") 440 } 441 pk, err := k.PublicKey() 442 if err != nil { 443 t.Fatalf("Failed getting corresponding public key [%s]", err) 444 } 445 if pk == nil { 446 t.Fatal("Public key must be different from nil.") 447 } 448 } 449 450 func TestECDSAPrivateKeySKI(t *testing.T) { 451 452 k, err := currentBCCSP.KeyGen(&bccsp.ECDSAKeyGenOpts{Temporary: false}) 453 if err != nil { 454 t.Fatalf("Failed generating ECDSA key [%s]", err) 455 } 456 457 ski := k.SKI() 458 if len(ski) == 0 { 459 t.Fatal("SKI not valid. Zero length.") 460 } 461 } 462 463 func TestECDSAKeyGenNonEphemeral(t *testing.T) { 464 465 k, err := currentBCCSP.KeyGen(&bccsp.ECDSAKeyGenOpts{Temporary: false}) 466 if err != nil { 467 t.Fatalf("Failed generating ECDSA key [%s]", err) 468 } 469 if k == nil { 470 t.Fatal("Failed generating ECDSA key. Key must be different from nil") 471 } 472 if !k.Private() { 473 t.Fatal("Failed generating ECDSA key. Key should be private") 474 } 475 if k.Symmetric() { 476 t.Fatal("Failed generating ECDSA key. Key should be asymmetric") 477 } 478 } 479 480 func TestECDSAGetKeyBySKI(t *testing.T) { 481 482 k, err := currentBCCSP.KeyGen(&bccsp.ECDSAKeyGenOpts{Temporary: false}) 483 if err != nil { 484 t.Fatalf("Failed generating ECDSA key [%s]", err) 485 } 486 487 k2, err := currentBCCSP.GetKey(k.SKI()) 488 if err != nil { 489 t.Fatalf("Failed getting ECDSA key [%s]", err) 490 } 491 if k2 == nil { 492 t.Fatal("Failed getting ECDSA key. Key must be different from nil") 493 } 494 if !k2.Private() { 495 t.Fatal("Failed getting ECDSA key. Key should be private") 496 } 497 if k2.Symmetric() { 498 t.Fatal("Failed getting ECDSA key. Key should be asymmetric") 499 } 500 501 // Check that the SKIs are the same 502 if !bytes.Equal(k.SKI(), k2.SKI()) { 503 t.Fatalf("SKIs are different [%x]!=[%x]", k.SKI(), k2.SKI()) 504 } 505 } 506 507 func TestECDSAPublicKeyFromPrivateKey(t *testing.T) { 508 509 k, err := currentBCCSP.KeyGen(&bccsp.ECDSAKeyGenOpts{Temporary: false}) 510 if err != nil { 511 t.Fatalf("Failed generating ECDSA key [%s]", err) 512 } 513 514 pk, err := k.PublicKey() 515 if err != nil { 516 t.Fatalf("Failed getting public key from private ECDSA key [%s]", err) 517 } 518 if pk == nil { 519 t.Fatal("Failed getting public key from private ECDSA key. Key must be different from nil") 520 } 521 if pk.Private() { 522 t.Fatal("Failed generating ECDSA key. Key should be public") 523 } 524 if pk.Symmetric() { 525 t.Fatal("Failed generating ECDSA key. Key should be asymmetric") 526 } 527 } 528 529 func TestECDSAPublicKeyBytes(t *testing.T) { 530 531 k, err := currentBCCSP.KeyGen(&bccsp.ECDSAKeyGenOpts{Temporary: false}) 532 if err != nil { 533 t.Fatalf("Failed generating ECDSA key [%s]", err) 534 } 535 536 pk, err := k.PublicKey() 537 if err != nil { 538 t.Fatalf("Failed getting public key from private ECDSA key [%s]", err) 539 } 540 541 raw, err := pk.Bytes() 542 if err != nil { 543 t.Fatalf("Failed marshalling ECDSA public key [%s]", err) 544 } 545 if len(raw) == 0 { 546 t.Fatal("Failed marshalling ECDSA public key. Zero length") 547 } 548 } 549 550 func TestECDSAPublicKeySKI(t *testing.T) { 551 552 k, err := currentBCCSP.KeyGen(&bccsp.ECDSAKeyGenOpts{Temporary: false}) 553 if err != nil { 554 t.Fatalf("Failed generating ECDSA key [%s]", err) 555 } 556 557 pk, err := k.PublicKey() 558 if err != nil { 559 t.Fatalf("Failed getting public key from private ECDSA key [%s]", err) 560 } 561 562 ski := pk.SKI() 563 if len(ski) == 0 { 564 t.Fatal("SKI not valid. Zero length.") 565 } 566 } 567 568 func TestECDSAKeyReRand(t *testing.T) { 569 570 if currentBCCSP.(*impl).noPrivImport { 571 t.Skip("Key import turned off. Skipping Derivation tests as they currently require Key Import.") 572 } 573 574 k, err := currentBCCSP.KeyGen(&bccsp.ECDSAKeyGenOpts{Temporary: false}) 575 if err != nil { 576 t.Fatalf("Failed generating ECDSA key [%s]", err) 577 } 578 if k == nil { 579 t.Fatal("Failed re-randomizing ECDSA key. Re-randomized Key must be different from nil") 580 } 581 582 reRandomizedKey, err := currentBCCSP.KeyDeriv(k, &bccsp.ECDSAReRandKeyOpts{Temporary: false, Expansion: []byte{1}}) 583 if err != nil { 584 t.Fatalf("Failed re-randomizing ECDSA key [%s]", err) 585 } 586 if !reRandomizedKey.Private() { 587 t.Fatal("Failed re-randomizing ECDSA key. Re-randomized Key should be private") 588 } 589 if reRandomizedKey.Symmetric() { 590 t.Fatal("Failed re-randomizing ECDSA key. Re-randomized Key should be asymmetric") 591 } 592 593 k2, err := k.PublicKey() 594 if err != nil { 595 t.Fatalf("Failed getting public ECDSA key from private [%s]", err) 596 } 597 if k2 == nil { 598 t.Fatal("Failed re-randomizing ECDSA key. Re-randomized Key must be different from nil") 599 } 600 601 reRandomizedKey2, err := currentBCCSP.KeyDeriv(k2, &bccsp.ECDSAReRandKeyOpts{Temporary: false, Expansion: []byte{1}}) 602 if err != nil { 603 t.Fatalf("Failed re-randomizing ECDSA key [%s]", err) 604 } 605 606 if reRandomizedKey2.Private() { 607 t.Fatal("Re-randomized public Key must remain public") 608 } 609 if reRandomizedKey2.Symmetric() { 610 t.Fatal("Re-randomized ECDSA asymmetric key must remain asymmetric") 611 } 612 613 if false == bytes.Equal(reRandomizedKey.SKI(), reRandomizedKey2.SKI()) { 614 t.Fatal("Re-randomized ECDSA Private- or Public-Keys must end up having the same SKI") 615 } 616 } 617 618 func TestECDSASign(t *testing.T) { 619 620 k, err := currentBCCSP.KeyGen(&bccsp.ECDSAKeyGenOpts{Temporary: false}) 621 if err != nil { 622 t.Fatalf("Failed generating ECDSA key [%s]", err) 623 } 624 625 msg := []byte("Hello World") 626 627 digest, err := currentBCCSP.Hash(msg, &bccsp.SHAOpts{}) 628 if err != nil { 629 t.Fatalf("Failed computing HASH [%s]", err) 630 } 631 632 signature, err := currentBCCSP.Sign(k, digest, nil) 633 if err != nil { 634 t.Fatalf("Failed generating ECDSA signature [%s]", err) 635 } 636 if len(signature) == 0 { 637 t.Fatal("Failed generating ECDSA key. Signature must be different from nil") 638 } 639 640 _, err = currentBCCSP.Sign(nil, digest, nil) 641 assert.Error(t, err) 642 assert.Contains(t, err.Error(), "Invalid Key. It must not be nil.") 643 644 _, err = currentBCCSP.Sign(k, nil, nil) 645 assert.Error(t, err) 646 assert.Contains(t, err.Error(), "Invalid digest. Cannot be empty.") 647 } 648 649 func TestECDSAVerify(t *testing.T) { 650 651 k, err := currentBCCSP.KeyGen(&bccsp.ECDSAKeyGenOpts{Temporary: false}) 652 if err != nil { 653 t.Fatalf("Failed generating ECDSA key [%s]", err) 654 } 655 656 msg := []byte("Hello World") 657 658 digest, err := currentBCCSP.Hash(msg, &bccsp.SHAOpts{}) 659 if err != nil { 660 t.Fatalf("Failed computing HASH [%s]", err) 661 } 662 663 signature, err := currentBCCSP.Sign(k, digest, nil) 664 if err != nil { 665 t.Fatalf("Failed generating ECDSA signature [%s]", err) 666 } 667 668 valid, err := currentBCCSP.Verify(k, signature, digest, nil) 669 if err != nil { 670 t.Fatalf("Failed verifying ECDSA signature [%s]", err) 671 } 672 if !valid { 673 t.Fatal("Failed verifying ECDSA signature. Signature not valid.") 674 } 675 676 pk, err := k.PublicKey() 677 if err != nil { 678 t.Fatalf("Failed getting corresponding public key [%s]", err) 679 } 680 681 valid, err = currentBCCSP.Verify(pk, signature, digest, nil) 682 if err != nil { 683 t.Fatalf("Failed verifying ECDSA signature [%s]", err) 684 } 685 if !valid { 686 t.Fatal("Failed verifying ECDSA signature. Signature not valid.") 687 } 688 689 _, err = currentBCCSP.Verify(nil, signature, digest, nil) 690 assert.Error(t, err) 691 assert.Contains(t, err.Error(), "Invalid Key. It must not be nil.") 692 693 _, err = currentBCCSP.Verify(pk, nil, digest, nil) 694 assert.Error(t, err) 695 assert.Contains(t, err.Error(), "Invalid signature. Cannot be empty.") 696 697 _, err = currentBCCSP.Verify(pk, signature, nil, nil) 698 assert.Error(t, err) 699 assert.Contains(t, err.Error(), "Invalid digest. Cannot be empty.") 700 701 // Import the exported public key 702 pkRaw, err := pk.Bytes() 703 if err != nil { 704 t.Fatalf("Failed getting ECDSA raw public key [%s]", err) 705 } 706 707 // Store public key 708 _, err = currentBCCSP.KeyImport(pkRaw, &bccsp.ECDSAPKIXPublicKeyImportOpts{Temporary: false}) 709 if err != nil { 710 t.Fatalf("Failed storing corresponding public key [%s]", err) 711 } 712 713 pk2, err := currentBCCSP.GetKey(pk.SKI()) 714 if err != nil { 715 t.Fatalf("Failed retrieving corresponding public key [%s]", err) 716 } 717 718 valid, err = currentBCCSP.Verify(pk2, signature, digest, nil) 719 if err != nil { 720 t.Fatalf("Failed verifying ECDSA signature [%s]", err) 721 } 722 if !valid { 723 t.Fatal("Failed verifying ECDSA signature. Signature not valid.") 724 } 725 } 726 727 func TestECDSAKeyDeriv(t *testing.T) { 728 729 if currentBCCSP.(*impl).noPrivImport { 730 t.Skip("Key import turned off. Skipping Derivation tests as they currently require Key Import.") 731 } 732 733 k, err := currentBCCSP.KeyGen(&bccsp.ECDSAKeyGenOpts{Temporary: false}) 734 if err != nil { 735 t.Fatalf("Failed generating ECDSA key [%s]", err) 736 } 737 738 reRandomizedKey, err := currentBCCSP.KeyDeriv(k, &bccsp.ECDSAReRandKeyOpts{Temporary: false, Expansion: []byte{1}}) 739 if err != nil { 740 t.Fatalf("Failed re-randomizing ECDSA key [%s]", err) 741 } 742 743 _, err = currentBCCSP.KeyDeriv(nil, &bccsp.ECDSAReRandKeyOpts{Temporary: false, Expansion: []byte{1}}) 744 assert.Error(t, err) 745 assert.Contains(t, err.Error(), "Invalid Key. It must not be nil.") 746 747 _, err = currentBCCSP.KeyDeriv(k, nil) 748 assert.Error(t, err) 749 assert.Contains(t, err.Error(), "Invalid Opts parameter. It must not be nil.") 750 751 msg := []byte("Hello World") 752 753 digest, err := currentBCCSP.Hash(msg, &bccsp.SHAOpts{}) 754 if err != nil { 755 t.Fatalf("Failed computing HASH [%s]", err) 756 } 757 758 signature, err := currentBCCSP.Sign(reRandomizedKey, digest, nil) 759 if err != nil { 760 t.Fatalf("Failed generating ECDSA signature [%s]", err) 761 } 762 763 valid, err := currentBCCSP.Verify(reRandomizedKey, signature, digest, nil) 764 if err != nil { 765 t.Fatalf("Failed verifying ECDSA signature [%s]", err) 766 } 767 if !valid { 768 t.Fatal("Failed verifying ECDSA signature. Signature not valid.") 769 } 770 } 771 772 func TestECDSAKeyImportFromExportedKey(t *testing.T) { 773 774 // Generate an ECDSA key 775 k, err := currentBCCSP.KeyGen(&bccsp.ECDSAKeyGenOpts{Temporary: false}) 776 if err != nil { 777 t.Fatalf("Failed generating ECDSA key [%s]", err) 778 } 779 780 // Export the public key 781 pk, err := k.PublicKey() 782 if err != nil { 783 t.Fatalf("Failed getting ECDSA public key [%s]", err) 784 } 785 786 pkRaw, err := pk.Bytes() 787 if err != nil { 788 t.Fatalf("Failed getting ECDSA raw public key [%s]", err) 789 } 790 791 // Import the exported public key 792 pk2, err := currentBCCSP.KeyImport(pkRaw, &bccsp.ECDSAPKIXPublicKeyImportOpts{Temporary: false}) 793 if err != nil { 794 t.Fatalf("Failed importing ECDSA public key [%s]", err) 795 } 796 if pk2 == nil { 797 t.Fatal("Failed importing ECDSA public key. Return BCCSP key cannot be nil.") 798 } 799 800 // Sign and verify with the imported public key 801 msg := []byte("Hello World") 802 803 digest, err := currentBCCSP.Hash(msg, &bccsp.SHAOpts{}) 804 if err != nil { 805 t.Fatalf("Failed computing HASH [%s]", err) 806 } 807 808 signature, err := currentBCCSP.Sign(k, digest, nil) 809 if err != nil { 810 t.Fatalf("Failed generating ECDSA signature [%s]", err) 811 } 812 813 valid, err := currentBCCSP.Verify(pk2, signature, digest, nil) 814 if err != nil { 815 t.Fatalf("Failed verifying ECDSA signature [%s]", err) 816 } 817 if !valid { 818 t.Fatal("Failed verifying ECDSA signature. Signature not valid.") 819 } 820 } 821 822 func TestECDSAKeyImportFromECDSAPublicKey(t *testing.T) { 823 824 // Generate an ECDSA key 825 k, err := currentBCCSP.KeyGen(&bccsp.ECDSAKeyGenOpts{Temporary: false}) 826 if err != nil { 827 t.Fatalf("Failed generating ECDSA key [%s]", err) 828 } 829 830 // Export the public key 831 pk, err := k.PublicKey() 832 if err != nil { 833 t.Fatalf("Failed getting ECDSA public key [%s]", err) 834 } 835 836 pkRaw, err := pk.Bytes() 837 if err != nil { 838 t.Fatalf("Failed getting ECDSA raw public key [%s]", err) 839 } 840 841 pub, err := utils.DERToPublicKey(pkRaw) 842 if err != nil { 843 t.Fatalf("Failed converting raw to ecdsa.PublicKey [%s]", err) 844 } 845 846 // Import the ecdsa.PublicKey 847 pk2, err := currentBCCSP.KeyImport(pub, &bccsp.ECDSAGoPublicKeyImportOpts{Temporary: false}) 848 if err != nil { 849 t.Fatalf("Failed importing ECDSA public key [%s]", err) 850 } 851 if pk2 == nil { 852 t.Fatal("Failed importing ECDSA public key. Return BCCSP key cannot be nil.") 853 } 854 855 // Sign and verify with the imported public key 856 msg := []byte("Hello World") 857 858 digest, err := currentBCCSP.Hash(msg, &bccsp.SHAOpts{}) 859 if err != nil { 860 t.Fatalf("Failed computing HASH [%s]", err) 861 } 862 863 signature, err := currentBCCSP.Sign(k, digest, nil) 864 if err != nil { 865 t.Fatalf("Failed generating ECDSA signature [%s]", err) 866 } 867 868 valid, err := currentBCCSP.Verify(pk2, signature, digest, nil) 869 if err != nil { 870 t.Fatalf("Failed verifying ECDSA signature [%s]", err) 871 } 872 if !valid { 873 t.Fatal("Failed verifying ECDSA signature. Signature not valid.") 874 } 875 } 876 877 func TestECDSAKeyImportFromECDSAPrivateKey(t *testing.T) { 878 if currentBCCSP.(*impl).noPrivImport { 879 t.Skip("Key import turned off. Skipping Derivation tests as they currently require Key Import.") 880 } 881 882 // Generate an ECDSA key, default is P256 883 key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) 884 if err != nil { 885 t.Fatalf("Failed generating ECDSA key [%s]", err) 886 } 887 888 // Import the ecdsa.PrivateKey 889 priv, err := utils.PrivateKeyToDER(key) 890 if err != nil { 891 t.Fatalf("Failed converting raw to ecdsa.PrivateKey [%s]", err) 892 } 893 894 sk, err := currentBCCSP.KeyImport(priv, &bccsp.ECDSAPrivateKeyImportOpts{Temporary: false}) 895 if err != nil { 896 t.Fatalf("Failed importing ECDSA private key [%s]", err) 897 } 898 if sk == nil { 899 t.Fatal("Failed importing ECDSA private key. Return BCCSP key cannot be nil.") 900 } 901 902 // Import the ecdsa.PublicKey 903 pub, err := utils.PublicKeyToDER(&key.PublicKey) 904 if err != nil { 905 t.Fatalf("Failed converting raw to ecdsa.PublicKey [%s]", err) 906 } 907 908 pk, err := currentBCCSP.KeyImport(pub, &bccsp.ECDSAPKIXPublicKeyImportOpts{Temporary: false}) 909 910 if err != nil { 911 t.Fatalf("Failed importing ECDSA public key [%s]", err) 912 } 913 if pk == nil { 914 t.Fatal("Failed importing ECDSA public key. Return BCCSP key cannot be nil.") 915 } 916 917 // Sign and verify with the imported public key 918 msg := []byte("Hello World") 919 920 digest, err := currentBCCSP.Hash(msg, &bccsp.SHAOpts{}) 921 if err != nil { 922 t.Fatalf("Failed computing HASH [%s]", err) 923 } 924 925 signature, err := currentBCCSP.Sign(sk, digest, nil) 926 if err != nil { 927 t.Fatalf("Failed generating ECDSA signature [%s]", err) 928 } 929 930 valid, err := currentBCCSP.Verify(pk, signature, digest, nil) 931 if err != nil { 932 t.Fatalf("Failed verifying ECDSA signature [%s]", err) 933 } 934 if !valid { 935 t.Fatal("Failed verifying ECDSA signature. Signature not valid.") 936 } 937 } 938 939 func TestKeyImportFromX509ECDSAPublicKey(t *testing.T) { 940 941 // Generate an ECDSA key 942 k, err := currentBCCSP.KeyGen(&bccsp.ECDSAKeyGenOpts{Temporary: false}) 943 if err != nil { 944 t.Fatalf("Failed generating ECDSA key [%s]", err) 945 } 946 947 // Generate a self-signed certificate 948 testExtKeyUsage := []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth} 949 testUnknownExtKeyUsage := []asn1.ObjectIdentifier{[]int{1, 2, 3}, []int{2, 59, 1}} 950 extraExtensionData := []byte("extra extension") 951 commonName := "test.example.com" 952 template := x509.Certificate{ 953 SerialNumber: big.NewInt(1), 954 Subject: pkix.Name{ 955 CommonName: commonName, 956 Organization: []string{"Σ Acme Co"}, 957 Country: []string{"US"}, 958 ExtraNames: []pkix.AttributeTypeAndValue{ 959 { 960 Type: []int{2, 5, 4, 42}, 961 Value: "Gopher", 962 }, 963 // This should override the Country, above. 964 { 965 Type: []int{2, 5, 4, 6}, 966 Value: "NL", 967 }, 968 }, 969 }, 970 NotBefore: time.Now().Add(-1 * time.Hour), 971 NotAfter: time.Now().Add(1 * time.Hour), 972 973 SignatureAlgorithm: x509.ECDSAWithSHA256, 974 975 SubjectKeyId: []byte{1, 2, 3, 4}, 976 KeyUsage: x509.KeyUsageCertSign, 977 978 ExtKeyUsage: testExtKeyUsage, 979 UnknownExtKeyUsage: testUnknownExtKeyUsage, 980 981 BasicConstraintsValid: true, 982 IsCA: true, 983 984 OCSPServer: []string{"http://ocurrentBCCSP.example.com"}, 985 IssuingCertificateURL: []string{"http://crt.example.com/ca1.crt"}, 986 987 DNSNames: []string{"test.example.com"}, 988 EmailAddresses: []string{"gopher@golang.org"}, 989 IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1).To4(), net.ParseIP("2001:4860:0:2001::68")}, 990 991 PolicyIdentifiers: []asn1.ObjectIdentifier{[]int{1, 2, 3}}, 992 PermittedDNSDomains: []string{".example.com", "example.com"}, 993 994 CRLDistributionPoints: []string{"http://crl1.example.com/ca1.crl", "http://crl2.example.com/ca1.crl"}, 995 996 ExtraExtensions: []pkix.Extension{ 997 { 998 Id: []int{1, 2, 3, 4}, 999 Value: extraExtensionData, 1000 }, 1001 }, 1002 } 1003 1004 cryptoSigner, err := signer.New(currentBCCSP, k) 1005 if err != nil { 1006 t.Fatalf("Failed initializing CyrptoSigner [%s]", err) 1007 } 1008 1009 // Export the public key 1010 pk, err := k.PublicKey() 1011 if err != nil { 1012 t.Fatalf("Failed getting ECDSA public key [%s]", err) 1013 } 1014 1015 pkRaw, err := pk.Bytes() 1016 if err != nil { 1017 t.Fatalf("Failed getting ECDSA raw public key [%s]", err) 1018 } 1019 1020 pub, err := utils.DERToPublicKey(pkRaw) 1021 if err != nil { 1022 t.Fatalf("Failed converting raw to ECDSA.PublicKey [%s]", err) 1023 } 1024 1025 certRaw, err := x509.CreateCertificate(rand.Reader, &template, &template, pub, cryptoSigner) 1026 if err != nil { 1027 t.Fatalf("Failed generating self-signed certificate [%s]", err) 1028 } 1029 1030 cert, err := utils.DERToX509Certificate(certRaw) 1031 if err != nil { 1032 t.Fatalf("Failed generating X509 certificate object from raw [%s]", err) 1033 } 1034 1035 // Import the certificate's public key 1036 pk2, err := currentBCCSP.KeyImport(cert, &bccsp.X509PublicKeyImportOpts{Temporary: false}) 1037 1038 if err != nil { 1039 t.Fatalf("Failed importing ECDSA public key [%s]", err) 1040 } 1041 if pk2 == nil { 1042 t.Fatal("Failed importing ECDSA public key. Return BCCSP key cannot be nil.") 1043 } 1044 1045 // Sign and verify with the imported public key 1046 msg := []byte("Hello World") 1047 1048 digest, err := currentBCCSP.Hash(msg, &bccsp.SHAOpts{}) 1049 if err != nil { 1050 t.Fatalf("Failed computing HASH [%s]", err) 1051 } 1052 1053 signature, err := currentBCCSP.Sign(k, digest, nil) 1054 if err != nil { 1055 t.Fatalf("Failed generating ECDSA signature [%s]", err) 1056 } 1057 1058 valid, err := currentBCCSP.Verify(pk2, signature, digest, nil) 1059 if err != nil { 1060 t.Fatalf("Failed verifying ECDSA signature [%s]", err) 1061 } 1062 if !valid { 1063 t.Fatal("Failed verifying ECDSA signature. Signature not valid.") 1064 } 1065 } 1066 1067 func TestECDSASignatureEncoding(t *testing.T) { 1068 v := []byte{0x30, 0x07, 0x02, 0x01, 0x8F, 0x02, 0x02, 0xff, 0xf1} 1069 _, err := asn1.Unmarshal(v, &ecdsaSignature{}) 1070 if err == nil { 1071 t.Fatalf("Unmarshalling should fail for [% x]", v) 1072 } 1073 t.Logf("Unmarshalling correctly failed for [% x] [%s]", v, err) 1074 1075 v = []byte{0x30, 0x07, 0x02, 0x01, 0x8F, 0x02, 0x02, 0x00, 0x01} 1076 _, err = asn1.Unmarshal(v, &ecdsaSignature{}) 1077 if err == nil { 1078 t.Fatalf("Unmarshalling should fail for [% x]", v) 1079 } 1080 t.Logf("Unmarshalling correctly failed for [% x] [%s]", v, err) 1081 1082 v = []byte{0x30, 0x07, 0x02, 0x01, 0x8F, 0x02, 0x81, 0x01, 0x01} 1083 _, err = asn1.Unmarshal(v, &ecdsaSignature{}) 1084 if err == nil { 1085 t.Fatalf("Unmarshalling should fail for [% x]", v) 1086 } 1087 t.Logf("Unmarshalling correctly failed for [% x] [%s]", v, err) 1088 1089 v = []byte{0x30, 0x07, 0x02, 0x01, 0x8F, 0x02, 0x81, 0x01, 0x8F} 1090 _, err = asn1.Unmarshal(v, &ecdsaSignature{}) 1091 if err == nil { 1092 t.Fatalf("Unmarshalling should fail for [% x]", v) 1093 } 1094 t.Logf("Unmarshalling correctly failed for [% x] [%s]", v, err) 1095 1096 v = []byte{0x30, 0x0A, 0x02, 0x01, 0x8F, 0x02, 0x05, 0x00, 0x00, 0x00, 0x00, 0x8F} 1097 _, err = asn1.Unmarshal(v, &ecdsaSignature{}) 1098 if err == nil { 1099 t.Fatalf("Unmarshalling should fail for [% x]", v) 1100 } 1101 t.Logf("Unmarshalling correctly failed for [% x] [%s]", v, err) 1102 1103 } 1104 1105 func TestECDSALowS(t *testing.T) { 1106 // Ensure that signature with low-S are generated 1107 k, err := currentBCCSP.KeyGen(&bccsp.ECDSAKeyGenOpts{Temporary: false}) 1108 if err != nil { 1109 t.Fatalf("Failed generating ECDSA key [%s]", err) 1110 } 1111 1112 msg := []byte("Hello World") 1113 1114 digest, err := currentBCCSP.Hash(msg, &bccsp.SHAOpts{}) 1115 if err != nil { 1116 t.Fatalf("Failed computing HASH [%s]", err) 1117 } 1118 1119 signature, err := currentBCCSP.Sign(k, digest, nil) 1120 if err != nil { 1121 t.Fatalf("Failed generating ECDSA signature [%s]", err) 1122 } 1123 1124 R, S, err := unmarshalECDSASignature(signature) 1125 if err != nil { 1126 t.Fatalf("Failed unmarshalling signature [%s]", err) 1127 } 1128 1129 if S.Cmp(curveHalfOrders[k.(*ecdsaPrivateKey).pub.pub.Curve]) >= 0 { 1130 t.Fatal("Invalid signature. It must have low-S") 1131 } 1132 1133 valid, err := currentBCCSP.Verify(k, signature, digest, nil) 1134 if err != nil { 1135 t.Fatalf("Failed verifying ECDSA signature [%s]", err) 1136 } 1137 if !valid { 1138 t.Fatal("Failed verifying ECDSA signature. Signature not valid.") 1139 } 1140 1141 // Ensure that signature with high-S are rejected. 1142 for { 1143 R, S, err = currentBCCSP.(*impl).signP11ECDSA(k.SKI(), digest) 1144 if err != nil { 1145 t.Fatalf("Failed generating signature [%s]", err) 1146 } 1147 1148 if S.Cmp(curveHalfOrders[k.(*ecdsaPrivateKey).pub.pub.Curve]) > 0 { 1149 break 1150 } 1151 } 1152 1153 sig, err := marshalECDSASignature(R, S) 1154 if err != nil { 1155 t.Fatalf("Failing unmarshalling signature [%s]", err) 1156 } 1157 1158 valid, err = currentBCCSP.Verify(k, sig, digest, nil) 1159 if err == nil { 1160 t.Fatal("Failed verifying ECDSA signature. It must fail for a signature with high-S") 1161 } 1162 if valid { 1163 t.Fatal("Failed verifying ECDSA signature. It must fail for a signature with high-S") 1164 } 1165 } 1166 1167 func TestAESKeyGen(t *testing.T) { 1168 1169 k, err := currentBCCSP.KeyGen(&bccsp.AESKeyGenOpts{Temporary: false}) 1170 if err != nil { 1171 t.Fatalf("Failed generating AES_256 key [%s]", err) 1172 } 1173 if k == nil { 1174 t.Fatal("Failed generating AES_256 key. Key must be different from nil") 1175 } 1176 if !k.Private() { 1177 t.Fatal("Failed generating AES_256 key. Key should be private") 1178 } 1179 if !k.Symmetric() { 1180 t.Fatal("Failed generating AES_256 key. Key should be symmetric") 1181 } 1182 1183 pk, err := k.PublicKey() 1184 if err == nil { 1185 t.Fatal("Error should be different from nil in this case") 1186 } 1187 if pk != nil { 1188 t.Fatal("Return value should be equal to nil in this case") 1189 } 1190 } 1191 1192 func TestAESEncrypt(t *testing.T) { 1193 1194 k, err := currentBCCSP.KeyGen(&bccsp.AESKeyGenOpts{Temporary: false}) 1195 if err != nil { 1196 t.Fatalf("Failed generating AES_256 key [%s]", err) 1197 } 1198 1199 ct, err := currentBCCSP.Encrypt(k, []byte("Hello World"), &bccsp.AESCBCPKCS7ModeOpts{}) 1200 if err != nil { 1201 t.Fatalf("Failed encrypting [%s]", err) 1202 } 1203 if len(ct) == 0 { 1204 t.Fatal("Failed encrypting. Nil ciphertext") 1205 } 1206 } 1207 1208 func TestAESDecrypt(t *testing.T) { 1209 1210 k, err := currentBCCSP.KeyGen(&bccsp.AESKeyGenOpts{Temporary: false}) 1211 if err != nil { 1212 t.Fatalf("Failed generating AES_256 key [%s]", err) 1213 } 1214 1215 msg := []byte("Hello World") 1216 1217 ct, err := currentBCCSP.Encrypt(k, msg, &bccsp.AESCBCPKCS7ModeOpts{}) 1218 if err != nil { 1219 t.Fatalf("Failed encrypting [%s]", err) 1220 } 1221 1222 pt, err := currentBCCSP.Decrypt(k, ct, bccsp.AESCBCPKCS7ModeOpts{}) 1223 if err != nil { 1224 t.Fatalf("Failed decrypting [%s]", err) 1225 } 1226 if len(ct) == 0 { 1227 t.Fatal("Failed decrypting. Nil plaintext") 1228 } 1229 1230 if !bytes.Equal(msg, pt) { 1231 t.Fatalf("Failed decrypting. Decrypted plaintext is different from the original. [%x][%x]", msg, pt) 1232 } 1233 } 1234 1235 func TestHMACTruncated256KeyDerivOverAES256Key(t *testing.T) { 1236 1237 k, err := currentBCCSP.KeyGen(&bccsp.AESKeyGenOpts{Temporary: false}) 1238 if err != nil { 1239 t.Fatalf("Failed generating AES_256 key [%s]", err) 1240 } 1241 1242 hmcaedKey, err := currentBCCSP.KeyDeriv(k, &bccsp.HMACTruncated256AESDeriveKeyOpts{Temporary: false, Arg: []byte{1}}) 1243 if err != nil { 1244 t.Fatalf("Failed HMACing AES_256 key [%s]", err) 1245 } 1246 if k == nil { 1247 t.Fatal("Failed HMACing AES_256 key. HMACed Key must be different from nil") 1248 } 1249 if !hmcaedKey.Private() { 1250 t.Fatal("Failed HMACing AES_256 key. HMACed Key should be private") 1251 } 1252 if !hmcaedKey.Symmetric() { 1253 t.Fatal("Failed HMACing AES_256 key. HMACed Key should be asymmetric") 1254 } 1255 raw, err := hmcaedKey.Bytes() 1256 if err == nil { 1257 t.Fatal("Failed marshalling to bytes. Operation must be forbidden") 1258 } 1259 if len(raw) != 0 { 1260 t.Fatal("Failed marshalling to bytes. Operation must return 0 bytes") 1261 } 1262 1263 msg := []byte("Hello World") 1264 1265 ct, err := currentBCCSP.Encrypt(hmcaedKey, msg, &bccsp.AESCBCPKCS7ModeOpts{}) 1266 if err != nil { 1267 t.Fatalf("Failed encrypting [%s]", err) 1268 } 1269 1270 pt, err := currentBCCSP.Decrypt(hmcaedKey, ct, bccsp.AESCBCPKCS7ModeOpts{}) 1271 if err != nil { 1272 t.Fatalf("Failed decrypting [%s]", err) 1273 } 1274 if len(ct) == 0 { 1275 t.Fatal("Failed decrypting. Nil plaintext") 1276 } 1277 1278 if !bytes.Equal(msg, pt) { 1279 t.Fatalf("Failed decrypting. Decrypted plaintext is different from the original. [%x][%x]", msg, pt) 1280 } 1281 1282 } 1283 1284 func TestHMACKeyDerivOverAES256Key(t *testing.T) { 1285 1286 k, err := currentBCCSP.KeyGen(&bccsp.AESKeyGenOpts{Temporary: false}) 1287 if err != nil { 1288 t.Fatalf("Failed generating AES_256 key [%s]", err) 1289 } 1290 1291 hmcaedKey, err := currentBCCSP.KeyDeriv(k, &bccsp.HMACDeriveKeyOpts{Temporary: false, Arg: []byte{1}}) 1292 1293 if err != nil { 1294 t.Fatalf("Failed HMACing AES_256 key [%s]", err) 1295 } 1296 if k == nil { 1297 t.Fatal("Failed HMACing AES_256 key. HMACed Key must be different from nil") 1298 } 1299 if !hmcaedKey.Private() { 1300 t.Fatal("Failed HMACing AES_256 key. HMACed Key should be private") 1301 } 1302 if !hmcaedKey.Symmetric() { 1303 t.Fatal("Failed HMACing AES_256 key. HMACed Key should be asymmetric") 1304 } 1305 raw, err := hmcaedKey.Bytes() 1306 if err != nil { 1307 t.Fatalf("Failed marshalling to bytes [%s]", err) 1308 } 1309 if len(raw) == 0 { 1310 t.Fatal("Failed marshalling to bytes. 0 bytes") 1311 } 1312 } 1313 1314 func TestAES256KeyImport(t *testing.T) { 1315 1316 raw, err := sw.GetRandomBytes(32) 1317 if err != nil { 1318 t.Fatalf("Failed generating AES key [%s]", err) 1319 } 1320 1321 k, err := currentBCCSP.KeyImport(raw, &bccsp.AES256ImportKeyOpts{Temporary: false}) 1322 if err != nil { 1323 t.Fatalf("Failed importing AES_256 key [%s]", err) 1324 } 1325 if k == nil { 1326 t.Fatal("Failed importing AES_256 key. Imported Key must be different from nil") 1327 } 1328 if !k.Private() { 1329 t.Fatal("Failed HMACing AES_256 key. Imported Key should be private") 1330 } 1331 if !k.Symmetric() { 1332 t.Fatal("Failed HMACing AES_256 key. Imported Key should be asymmetric") 1333 } 1334 raw, err = k.Bytes() 1335 if err == nil { 1336 t.Fatal("Failed marshalling to bytes. Marshalling must fail.") 1337 } 1338 if len(raw) != 0 { 1339 t.Fatal("Failed marshalling to bytes. Output should be 0 bytes") 1340 } 1341 1342 msg := []byte("Hello World") 1343 1344 ct, err := currentBCCSP.Encrypt(k, msg, &bccsp.AESCBCPKCS7ModeOpts{}) 1345 if err != nil { 1346 t.Fatalf("Failed encrypting [%s]", err) 1347 } 1348 1349 pt, err := currentBCCSP.Decrypt(k, ct, bccsp.AESCBCPKCS7ModeOpts{}) 1350 if err != nil { 1351 t.Fatalf("Failed decrypting [%s]", err) 1352 } 1353 if len(ct) == 0 { 1354 t.Fatal("Failed decrypting. Nil plaintext") 1355 } 1356 1357 if !bytes.Equal(msg, pt) { 1358 t.Fatalf("Failed decrypting. Decrypted plaintext is different from the original. [%x][%x]", msg, pt) 1359 } 1360 } 1361 1362 func TestAES256KeyImportBadPaths(t *testing.T) { 1363 1364 _, err := currentBCCSP.KeyImport(nil, &bccsp.AES256ImportKeyOpts{Temporary: false}) 1365 if err == nil { 1366 t.Fatal("Failed importing key. Must fail on importing nil key") 1367 } 1368 1369 _, err = currentBCCSP.KeyImport([]byte{1}, &bccsp.AES256ImportKeyOpts{Temporary: false}) 1370 if err == nil { 1371 t.Fatal("Failed importing key. Must fail on importing a key with an invalid length") 1372 } 1373 } 1374 1375 func TestAES256KeyGenSKI(t *testing.T) { 1376 1377 k, err := currentBCCSP.KeyGen(&bccsp.AESKeyGenOpts{Temporary: false}) 1378 if err != nil { 1379 t.Fatalf("Failed generating AES_256 key [%s]", err) 1380 } 1381 1382 k2, err := currentBCCSP.GetKey(k.SKI()) 1383 if err != nil { 1384 t.Fatalf("Failed getting AES_256 key [%s]", err) 1385 } 1386 if k2 == nil { 1387 t.Fatal("Failed getting AES_256 key. Key must be different from nil") 1388 } 1389 if !k2.Private() { 1390 t.Fatal("Failed getting AES_256 key. Key should be private") 1391 } 1392 if !k2.Symmetric() { 1393 t.Fatal("Failed getting AES_256 key. Key should be symmetric") 1394 } 1395 1396 // Check that the SKIs are the same 1397 if !bytes.Equal(k.SKI(), k2.SKI()) { 1398 t.Fatalf("SKIs are different [%x]!=[%x]", k.SKI(), k2.SKI()) 1399 } 1400 1401 } 1402 1403 func TestSHA(t *testing.T) { 1404 1405 for i := 0; i < 100; i++ { 1406 b, err := sw.GetRandomBytes(i) 1407 if err != nil { 1408 t.Fatalf("Failed getting random bytes [%s]", err) 1409 } 1410 1411 h1, err := currentBCCSP.Hash(b, &bccsp.SHAOpts{}) 1412 if err != nil { 1413 t.Fatalf("Failed computing SHA [%s]", err) 1414 } 1415 1416 var h hash.Hash 1417 switch currentTestConfig.hashFamily { 1418 case "SHA2": 1419 switch currentTestConfig.securityLevel { 1420 case 256: 1421 h = sha256.New() 1422 case 384: 1423 h = sha512.New384() 1424 default: 1425 t.Fatalf("Invalid security level [%d]", currentTestConfig.securityLevel) 1426 } 1427 case "SHA3": 1428 switch currentTestConfig.securityLevel { 1429 case 256: 1430 h = sha3.New256() 1431 case 384: 1432 h = sha3.New384() 1433 default: 1434 t.Fatalf("Invalid security level [%d]", currentTestConfig.securityLevel) 1435 } 1436 default: 1437 t.Fatalf("Invalid hash family [%s]", currentTestConfig.hashFamily) 1438 } 1439 1440 h.Write(b) 1441 h2 := h.Sum(nil) 1442 if !bytes.Equal(h1, h2) { 1443 t.Fatalf("Discrempancy found in HASH result [%x], [%x]!=[%x]", b, h1, h2) 1444 } 1445 } 1446 } 1447 1448 func TestRSAKeyGenEphemeral(t *testing.T) { 1449 k, err := currentBCCSP.KeyGen(&bccsp.RSAKeyGenOpts{Temporary: true}) 1450 if err != nil { 1451 t.Fatalf("Failed generating RSA key [%s]", err) 1452 } 1453 if k == nil { 1454 t.Fatal("Failed generating RSA key. Key must be different from nil") 1455 } 1456 if !k.Private() { 1457 t.Fatal("Failed generating RSA key. Key should be private") 1458 } 1459 if k.Symmetric() { 1460 t.Fatal("Failed generating RSA key. Key should be asymmetric") 1461 } 1462 1463 pk, err := k.PublicKey() 1464 if err != nil { 1465 t.Fatalf("Failed generating RSA corresponding public key [%s]", err) 1466 } 1467 if pk == nil { 1468 t.Fatal("PK must be different from nil") 1469 } 1470 1471 b, err := k.Bytes() 1472 if err == nil { 1473 t.Fatal("Secret keys cannot be exported. It must fail in this case") 1474 } 1475 if len(b) != 0 { 1476 t.Fatal("Secret keys cannot be exported. It must be nil") 1477 } 1478 1479 } 1480 1481 func TestRSAPrivateKeySKI(t *testing.T) { 1482 1483 k, err := currentBCCSP.KeyGen(&bccsp.RSAKeyGenOpts{Temporary: false}) 1484 if err != nil { 1485 t.Fatalf("Failed generating RSA key [%s]", err) 1486 } 1487 1488 ski := k.SKI() 1489 if len(ski) == 0 { 1490 t.Fatal("SKI not valid. Zero length.") 1491 } 1492 } 1493 1494 func TestRSAKeyGenNonEphemeral(t *testing.T) { 1495 1496 k, err := currentBCCSP.KeyGen(&bccsp.RSAKeyGenOpts{Temporary: false}) 1497 if err != nil { 1498 t.Fatalf("Failed generating RSA key [%s]", err) 1499 } 1500 if k == nil { 1501 t.Fatal("Failed generating RSA key. Key must be different from nil") 1502 } 1503 if !k.Private() { 1504 t.Fatal("Failed generating RSA key. Key should be private") 1505 } 1506 if k.Symmetric() { 1507 t.Fatal("Failed generating RSA key. Key should be asymmetric") 1508 } 1509 } 1510 1511 func TestRSAGetKeyBySKI(t *testing.T) { 1512 1513 k, err := currentBCCSP.KeyGen(&bccsp.RSAKeyGenOpts{Temporary: false}) 1514 if err != nil { 1515 t.Fatalf("Failed generating RSA key [%s]", err) 1516 } 1517 1518 k2, err := currentBCCSP.GetKey(k.SKI()) 1519 if err != nil { 1520 t.Fatalf("Failed getting RSA key [%s]", err) 1521 } 1522 if k2 == nil { 1523 t.Fatal("Failed getting RSA key. Key must be different from nil") 1524 } 1525 if !k2.Private() { 1526 t.Fatal("Failed getting RSA key. Key should be private") 1527 } 1528 if k2.Symmetric() { 1529 t.Fatal("Failed getting RSA key. Key should be asymmetric") 1530 } 1531 1532 // Check that the SKIs are the same 1533 if !bytes.Equal(k.SKI(), k2.SKI()) { 1534 t.Fatalf("SKIs are different [%x]!=[%x]", k.SKI(), k2.SKI()) 1535 } 1536 } 1537 1538 func TestRSAPublicKeyFromPrivateKey(t *testing.T) { 1539 1540 k, err := currentBCCSP.KeyGen(&bccsp.RSAKeyGenOpts{Temporary: false}) 1541 if err != nil { 1542 t.Fatalf("Failed generating RSA key [%s]", err) 1543 } 1544 1545 pk, err := k.PublicKey() 1546 if err != nil { 1547 t.Fatalf("Failed getting public key from private RSA key [%s]", err) 1548 } 1549 if pk == nil { 1550 t.Fatal("Failed getting public key from private RSA key. Key must be different from nil") 1551 } 1552 if pk.Private() { 1553 t.Fatal("Failed generating RSA key. Key should be public") 1554 } 1555 if pk.Symmetric() { 1556 t.Fatal("Failed generating RSA key. Key should be asymmetric") 1557 } 1558 } 1559 1560 func TestRSAPublicKeyBytes(t *testing.T) { 1561 1562 k, err := currentBCCSP.KeyGen(&bccsp.RSAKeyGenOpts{Temporary: false}) 1563 if err != nil { 1564 t.Fatalf("Failed generating RSA key [%s]", err) 1565 } 1566 1567 pk, err := k.PublicKey() 1568 if err != nil { 1569 t.Fatalf("Failed getting public key from private RSA key [%s]", err) 1570 } 1571 1572 raw, err := pk.Bytes() 1573 if err != nil { 1574 t.Fatalf("Failed marshalling RSA public key [%s]", err) 1575 } 1576 if len(raw) == 0 { 1577 t.Fatal("Failed marshalling RSA public key. Zero length") 1578 } 1579 } 1580 1581 func TestRSAPublicKeySKI(t *testing.T) { 1582 1583 k, err := currentBCCSP.KeyGen(&bccsp.RSAKeyGenOpts{Temporary: false}) 1584 if err != nil { 1585 t.Fatalf("Failed generating RSA key [%s]", err) 1586 } 1587 1588 pk, err := k.PublicKey() 1589 if err != nil { 1590 t.Fatalf("Failed getting public key from private RSA key [%s]", err) 1591 } 1592 1593 ski := pk.SKI() 1594 if len(ski) == 0 { 1595 t.Fatal("SKI not valid. Zero length.") 1596 } 1597 } 1598 1599 func TestRSASign(t *testing.T) { 1600 1601 k, err := currentBCCSP.KeyGen(&bccsp.RSAKeyGenOpts{Temporary: false}) 1602 if err != nil { 1603 t.Fatalf("Failed generating RSA key [%s]", err) 1604 } 1605 1606 msg := []byte("Hello World") 1607 1608 digest, err := currentBCCSP.Hash(msg, &bccsp.SHAOpts{}) 1609 if err != nil { 1610 t.Fatalf("Failed computing HASH [%s]", err) 1611 } 1612 1613 signature, err := currentBCCSP.Sign(k, digest, &rsa.PSSOptions{SaltLength: 32, Hash: getCryptoHashIndex(t)}) 1614 if err != nil { 1615 t.Fatalf("Failed generating RSA signature [%s]", err) 1616 } 1617 if len(signature) == 0 { 1618 t.Fatal("Failed generating RSA key. Signature must be different from nil") 1619 } 1620 } 1621 1622 func TestRSAVerify(t *testing.T) { 1623 1624 k, err := currentBCCSP.KeyGen(&bccsp.RSAKeyGenOpts{Temporary: false}) 1625 if err != nil { 1626 t.Fatalf("Failed generating RSA key [%s]", err) 1627 } 1628 1629 msg := []byte("Hello World") 1630 1631 digest, err := currentBCCSP.Hash(msg, &bccsp.SHAOpts{}) 1632 if err != nil { 1633 t.Fatalf("Failed computing HASH [%s]", err) 1634 } 1635 1636 signature, err := currentBCCSP.Sign(k, digest, &rsa.PSSOptions{SaltLength: 32, Hash: getCryptoHashIndex(t)}) 1637 if err != nil { 1638 t.Fatalf("Failed generating RSA signature [%s]", err) 1639 } 1640 1641 valid, err := currentBCCSP.Verify(k, signature, digest, &rsa.PSSOptions{SaltLength: 32, Hash: getCryptoHashIndex(t)}) 1642 if err != nil { 1643 t.Fatalf("Failed verifying RSA signature [%s]", err) 1644 } 1645 if !valid { 1646 t.Fatal("Failed verifying RSA signature. Signature not valid.") 1647 } 1648 1649 pk, err := k.PublicKey() 1650 if err != nil { 1651 t.Fatalf("Failed getting corresponding public key [%s]", err) 1652 } 1653 1654 valid, err = currentBCCSP.Verify(pk, signature, digest, &rsa.PSSOptions{SaltLength: 32, Hash: getCryptoHashIndex(t)}) 1655 if err != nil { 1656 t.Fatalf("Failed verifying RSA signature [%s]", err) 1657 } 1658 if !valid { 1659 t.Fatal("Failed verifying RSA signature. Signature not valid.") 1660 } 1661 1662 // Store public key 1663 err = currentKS.StoreKey(pk) 1664 if err != nil { 1665 t.Fatalf("Failed storing corresponding public key [%s]", err) 1666 } 1667 1668 pk2, err := currentKS.GetKey(pk.SKI()) 1669 if err != nil { 1670 t.Fatalf("Failed retrieving corresponding public key [%s]", err) 1671 } 1672 1673 valid, err = currentBCCSP.Verify(pk2, signature, digest, &rsa.PSSOptions{SaltLength: 32, Hash: getCryptoHashIndex(t)}) 1674 if err != nil { 1675 t.Fatalf("Failed verifying RSA signature [%s]", err) 1676 } 1677 if !valid { 1678 t.Fatal("Failed verifying RSA signature. Signature not valid.") 1679 } 1680 1681 } 1682 1683 func TestRSAKeyImportFromRSAPublicKey(t *testing.T) { 1684 1685 // Generate an RSA key 1686 k, err := currentBCCSP.KeyGen(&bccsp.RSAKeyGenOpts{Temporary: false}) 1687 if err != nil { 1688 t.Fatalf("Failed generating RSA key [%s]", err) 1689 } 1690 1691 // Export the public key 1692 pk, err := k.PublicKey() 1693 if err != nil { 1694 t.Fatalf("Failed getting RSA public key [%s]", err) 1695 } 1696 1697 pkRaw, err := pk.Bytes() 1698 if err != nil { 1699 t.Fatalf("Failed getting RSA raw public key [%s]", err) 1700 } 1701 1702 pub, err := utils.DERToPublicKey(pkRaw) 1703 if err != nil { 1704 t.Fatalf("Failed converting raw to RSA.PublicKey [%s]", err) 1705 } 1706 1707 // Import the RSA.PublicKey 1708 pk2, err := currentBCCSP.KeyImport(pub, &bccsp.RSAGoPublicKeyImportOpts{Temporary: false}) 1709 if err != nil { 1710 t.Fatalf("Failed importing RSA public key [%s]", err) 1711 } 1712 if pk2 == nil { 1713 t.Fatal("Failed importing RSA public key. Return BCCSP key cannot be nil.") 1714 } 1715 1716 // Sign and verify with the imported public key 1717 msg := []byte("Hello World") 1718 1719 digest, err := currentBCCSP.Hash(msg, &bccsp.SHAOpts{}) 1720 if err != nil { 1721 t.Fatalf("Failed computing HASH [%s]", err) 1722 } 1723 1724 signature, err := currentBCCSP.Sign(k, digest, &rsa.PSSOptions{SaltLength: 32, Hash: getCryptoHashIndex(t)}) 1725 if err != nil { 1726 t.Fatalf("Failed generating RSA signature [%s]", err) 1727 } 1728 1729 valid, err := currentBCCSP.Verify(pk2, signature, digest, &rsa.PSSOptions{SaltLength: 32, Hash: getCryptoHashIndex(t)}) 1730 if err != nil { 1731 t.Fatalf("Failed verifying RSA signature [%s]", err) 1732 } 1733 if !valid { 1734 t.Fatal("Failed verifying RSA signature. Signature not valid.") 1735 } 1736 } 1737 1738 func TestKeyImportFromX509RSAPublicKey(t *testing.T) { 1739 1740 // Generate an RSA key 1741 k, err := currentBCCSP.KeyGen(&bccsp.RSAKeyGenOpts{Temporary: false}) 1742 if err != nil { 1743 t.Fatalf("Failed generating RSA key [%s]", err) 1744 } 1745 1746 // Generate a self-signed certificate 1747 testExtKeyUsage := []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth} 1748 testUnknownExtKeyUsage := []asn1.ObjectIdentifier{[]int{1, 2, 3}, []int{2, 59, 1}} 1749 extraExtensionData := []byte("extra extension") 1750 commonName := "test.example.com" 1751 template := x509.Certificate{ 1752 SerialNumber: big.NewInt(1), 1753 Subject: pkix.Name{ 1754 CommonName: commonName, 1755 Organization: []string{"Σ Acme Co"}, 1756 Country: []string{"US"}, 1757 ExtraNames: []pkix.AttributeTypeAndValue{ 1758 { 1759 Type: []int{2, 5, 4, 42}, 1760 Value: "Gopher", 1761 }, 1762 // This should override the Country, above. 1763 { 1764 Type: []int{2, 5, 4, 6}, 1765 Value: "NL", 1766 }, 1767 }, 1768 }, 1769 NotBefore: time.Now().Add(-1 * time.Hour), 1770 NotAfter: time.Now().Add(1 * time.Hour), 1771 1772 SignatureAlgorithm: x509.SHA256WithRSA, 1773 1774 SubjectKeyId: []byte{1, 2, 3, 4}, 1775 KeyUsage: x509.KeyUsageCertSign, 1776 1777 ExtKeyUsage: testExtKeyUsage, 1778 UnknownExtKeyUsage: testUnknownExtKeyUsage, 1779 1780 BasicConstraintsValid: true, 1781 IsCA: true, 1782 1783 OCSPServer: []string{"http://ocurrentBCCSP.example.com"}, 1784 IssuingCertificateURL: []string{"http://crt.example.com/ca1.crt"}, 1785 1786 DNSNames: []string{"test.example.com"}, 1787 EmailAddresses: []string{"gopher@golang.org"}, 1788 IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1).To4(), net.ParseIP("2001:4860:0:2001::68")}, 1789 1790 PolicyIdentifiers: []asn1.ObjectIdentifier{[]int{1, 2, 3}}, 1791 PermittedDNSDomains: []string{".example.com", "example.com"}, 1792 1793 CRLDistributionPoints: []string{"http://crl1.example.com/ca1.crl", "http://crl2.example.com/ca1.crl"}, 1794 1795 ExtraExtensions: []pkix.Extension{ 1796 { 1797 Id: []int{1, 2, 3, 4}, 1798 Value: extraExtensionData, 1799 }, 1800 }, 1801 } 1802 1803 cryptoSigner, err := signer.New(currentBCCSP, k) 1804 if err != nil { 1805 t.Fatalf("Failed initializing CyrptoSigner [%s]", err) 1806 } 1807 1808 // Export the public key 1809 pk, err := k.PublicKey() 1810 if err != nil { 1811 t.Fatalf("Failed getting RSA public key [%s]", err) 1812 } 1813 1814 pkRaw, err := pk.Bytes() 1815 if err != nil { 1816 t.Fatalf("Failed getting RSA raw public key [%s]", err) 1817 } 1818 1819 pub, err := utils.DERToPublicKey(pkRaw) 1820 if err != nil { 1821 t.Fatalf("Failed converting raw to RSA.PublicKey [%s]", err) 1822 } 1823 1824 certRaw, err := x509.CreateCertificate(rand.Reader, &template, &template, pub, cryptoSigner) 1825 if err != nil { 1826 t.Fatalf("Failed generating self-signed certificate [%s]", err) 1827 } 1828 1829 cert, err := utils.DERToX509Certificate(certRaw) 1830 if err != nil { 1831 t.Fatalf("Failed generating X509 certificate object from raw [%s]", err) 1832 } 1833 1834 // Import the certificate's public key 1835 pk2, err := currentBCCSP.KeyImport(cert, &bccsp.X509PublicKeyImportOpts{Temporary: false}) 1836 1837 if err != nil { 1838 t.Fatalf("Failed importing RSA public key [%s]", err) 1839 } 1840 if pk2 == nil { 1841 t.Fatal("Failed importing RSA public key. Return BCCSP key cannot be nil.") 1842 } 1843 1844 // Sign and verify with the imported public key 1845 msg := []byte("Hello World") 1846 1847 digest, err := currentBCCSP.Hash(msg, &bccsp.SHAOpts{}) 1848 if err != nil { 1849 t.Fatalf("Failed computing HASH [%s]", err) 1850 } 1851 1852 signature, err := currentBCCSP.Sign(k, digest, &rsa.PSSOptions{SaltLength: 32, Hash: getCryptoHashIndex(t)}) 1853 if err != nil { 1854 t.Fatalf("Failed generating RSA signature [%s]", err) 1855 } 1856 1857 valid, err := currentBCCSP.Verify(pk2, signature, digest, &rsa.PSSOptions{SaltLength: 32, Hash: getCryptoHashIndex(t)}) 1858 if err != nil { 1859 t.Fatalf("Failed verifying RSA signature [%s]", err) 1860 } 1861 if !valid { 1862 t.Fatal("Failed verifying RSA signature. Signature not valid.") 1863 } 1864 } 1865 1866 func getCryptoHashIndex(t *testing.T) crypto.Hash { 1867 switch currentTestConfig.hashFamily { 1868 case "SHA2": 1869 switch currentTestConfig.securityLevel { 1870 case 256: 1871 return crypto.SHA256 1872 case 384: 1873 return crypto.SHA384 1874 default: 1875 t.Fatalf("Invalid security level [%d]", currentTestConfig.securityLevel) 1876 } 1877 case "SHA3": 1878 switch currentTestConfig.securityLevel { 1879 case 256: 1880 return crypto.SHA3_256 1881 case 384: 1882 return crypto.SHA3_384 1883 default: 1884 t.Fatalf("Invalid security level [%d]", currentTestConfig.securityLevel) 1885 } 1886 default: 1887 t.Fatalf("Invalid hash family [%s]", currentTestConfig.hashFamily) 1888 } 1889 1890 return crypto.SHA3_256 1891 }