package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"errors"
	"math/big"
	"testing"

	"github.com/miekg/pkcs11"

	"github.com/letsencrypt/boulder/pkcs11helpers"
	"github.com/letsencrypt/boulder/test"
)

// stubRSAAttrs builds a GetAttributeValue stub that ignores the requested
// template and always reports the given RSA public exponent and modulus
// (both as big-endian byte strings, the way a PKCS#11 token returns them).
func stubRSAAttrs(exp, mod []byte) func(pkcs11.SessionHandle, pkcs11.ObjectHandle, []*pkcs11.Attribute) ([]*pkcs11.Attribute, error) {
	return func(pkcs11.SessionHandle, pkcs11.ObjectHandle, []*pkcs11.Attribute) ([]*pkcs11.Attribute, error) {
		return []*pkcs11.Attribute{
			pkcs11.NewAttribute(pkcs11.CKA_PUBLIC_EXPONENT, exp),
			pkcs11.NewAttribute(pkcs11.CKA_MODULUS, mod),
		}, nil
	}
}

// TestRSAPub checks that rsaPub refuses to build a public key whose stored
// modulus does not have the requested bit length, and accepts one that does.
func TestRSAPub(t *testing.T) {
	sess, mockCtx := pkcs11helpers.NewSessionWithMock()

	// The token stub always reports e = 65537 and a one-byte (8-bit) modulus.
	mockCtx.GetAttributeValueFunc = stubRSAAttrs([]byte{1, 0, 1}, []byte{255})

	// Requesting a 16-bit key must be rejected: the modulus on the token is
	// only 8 bits, so the key would not be the size the caller asked for.
	_, err := rsaPub(sess, 0, 16)
	test.AssertError(t, err, "rsaPub didn't fail with non-matching modulus size")

	// Requesting an 8-bit key matches the stored modulus and must succeed.
	_, err = rsaPub(sess, 0, 8)
	test.AssertNotError(t, err, "rsaPub failed with valid attributes")
}

// TestRSAGenerate drives rsaGenerate through each failure point it reports
// (key-pair generation, public-key readback, signature verification) and
// then through a run where every token operation succeeds.
func TestRSAGenerate(t *testing.T) {
	sess, mockCtx := pkcs11helpers.NewSessionWithMock()
	mockCtx.GenerateRandomFunc = func(pkcs11.SessionHandle, int) ([]byte, error) {
		return []byte{1, 2, 3}, nil
	}

	// A software key stands in for the one the token would hold, so the
	// Sign stub below can produce a signature that genuinely verifies
	// against the public key reported by GetAttributeValue.
	softKey, err := rsa.GenerateKey(rand.Reader, 1024)
	test.AssertNotError(t, err, "Failed to generate a RSA test key")

	// Failure 1: the token cannot generate a key pair at all.
	mockCtx.GenerateKeyPairFunc = func(pkcs11.SessionHandle, []*pkcs11.Mechanism, []*pkcs11.Attribute, []*pkcs11.Attribute) (pkcs11.ObjectHandle, pkcs11.ObjectHandle, error) {
		return 0, 0, errors.New("bad")
	}
	_, _, err = rsaGenerate(sess, "", 1024)
	test.AssertError(t, err, "rsaGenerate didn't fail on GenerateKeyPair error")

	// Failure 2: generation succeeds but the public key cannot be read back,
	// which surfaces as an rsaPub error.
	mockCtx.GenerateKeyPairFunc = func(pkcs11.SessionHandle, []*pkcs11.Mechanism, []*pkcs11.Attribute, []*pkcs11.Attribute) (pkcs11.ObjectHandle, pkcs11.ObjectHandle, error) {
		return 0, 0, nil
	}
	mockCtx.GetAttributeValueFunc = func(pkcs11.SessionHandle, pkcs11.ObjectHandle, []*pkcs11.Attribute) ([]*pkcs11.Attribute, error) {
		return nil, errors.New("bad")
	}
	_, _, err = rsaGenerate(sess, "", 1024)
	test.AssertError(t, err, "rsaGenerate didn't fail on rsaPub error")

	// Failure 3: the public key reads back fine, but the verification step
	// cannot obtain random bytes, which surfaces as an rsaVerify error.
	expBytes := big.NewInt(int64(softKey.E)).Bytes()
	mockCtx.GetAttributeValueFunc = stubRSAAttrs(expBytes, softKey.N.Bytes())
	mockCtx.GenerateRandomFunc = func(pkcs11.SessionHandle, int) ([]byte, error) {
		return nil, errors.New("yup")
	}
	_, _, err = rsaGenerate(sess, "", 1024)
	test.AssertError(t, err, "rsaGenerate didn't fail on rsaVerify error")

	// Success: every token operation works. The Sign stub must return a
	// signature that verifies under softKey's public key, or rsaVerify
	// would (correctly) reject the freshly generated key.
	mockCtx.SignInitFunc = func(pkcs11.SessionHandle, []*pkcs11.Mechanism, pkcs11.ObjectHandle) error {
		return nil
	}
	mockCtx.GenerateRandomFunc = func(pkcs11.SessionHandle, int) ([]byte, error) {
		return []byte{1, 2, 3}, nil
	}
	mockCtx.SignFunc = func(_ pkcs11.SessionHandle, msg []byte) ([]byte, error) {
		// The first 19 bytes appear to be the SHA-256 DigestInfo prefix that
		// the caller prepends for a raw PKCS#1 v1.5 token signature; strip it
		// so rsa.SignPKCS1v15, which adds that prefix itself, signs the bare
		// digest and produces a signature the verifier accepts.
		return rsa.SignPKCS1v15(rand.Reader, softKey, crypto.SHA256, msg[19:])
	}
	_, _, err = rsaGenerate(sess, "", 1024)
	test.AssertNotError(t, err, "rsaGenerate didn't succeed when everything worked as expected")
}