github.com/lzy4123/fabric@v2.1.1+incompatible/bccsp/pkcs11/impl_test.go (about)

     1  // +build pkcs11
     2  
     3  /*
     4  Copyright IBM Corp. All Rights Reserved.
     5  
     6  SPDX-License-Identifier: Apache-2.0
     7  */
     8  
     9  package pkcs11
    10  
    11  import (
    12  	"bytes"
    13  	"crypto"
    14  	"crypto/elliptic"
    15  	"crypto/rand"
    16  	"crypto/sha256"
    17  	"crypto/sha512"
    18  	"crypto/x509"
    19  	"crypto/x509/pkix"
    20  	"encoding/asn1"
    21  	"fmt"
    22  	"hash"
    23  	"io/ioutil"
    24  	"math/big"
    25  	"net"
    26  	"os"
    27  	"strings"
    28  	"testing"
    29  	"time"
    30  
    31  	"github.com/hyperledger/fabric/bccsp"
    32  	"github.com/hyperledger/fabric/bccsp/signer"
    33  	"github.com/hyperledger/fabric/bccsp/sw"
    34  	"github.com/hyperledger/fabric/bccsp/utils"
    35  	"github.com/stretchr/testify/assert"
    36  	"golang.org/x/crypto/sha3"
    37  )
    38  
    39  var (
    40  	currentKS         bccsp.KeyStore
    41  	currentBCCSP      bccsp.BCCSP
    42  	currentTestConfig testConfig
    43  )
    44  
    45  type testConfig struct {
    46  	securityLevel int
    47  	hashFamily    string
    48  	softVerify    bool
    49  	immutable     bool
    50  }
    51  
    52  func TestMain(m *testing.M) {
    53  	os.Exit(testMain(m))
    54  }
    55  
    56  func testMain(m *testing.M) int {
    57  	tmpDir, err := ioutil.TempDir("", "pkcs11_ks")
    58  	if err != nil {
    59  		fmt.Printf("Failed to create keystore directory [%s]\n", err)
    60  		return -1
    61  	}
    62  	defer os.RemoveAll(tmpDir)
    63  
    64  	keyStore, err := sw.NewFileBasedKeyStore(nil, tmpDir, false)
    65  	if err != nil {
    66  		fmt.Printf("Failed initiliazing KeyStore [%s]\n", err)
    67  		return -1
    68  	}
    69  	currentKS = keyStore
    70  
    71  	lib, pin, label := FindPKCS11Lib()
    72  	tests := []testConfig{
    73  		{256, "SHA2", true, false},
    74  		{256, "SHA3", false, false},
    75  		{384, "SHA2", false, false},
    76  		{384, "SHA3", false, false},
    77  		{384, "SHA3", true, false},
    78  	}
    79  
    80  	if strings.Contains(lib, "softhsm") {
    81  		tests = append(tests, []testConfig{
    82  			{256, "SHA2", true, false},
    83  			{256, "SHA2", true, true},
    84  		}...)
    85  	}
    86  
    87  	opts := PKCS11Opts{
    88  		Library: lib,
    89  		Label:   label,
    90  		Pin:     pin,
    91  	}
    92  
    93  	for _, config := range tests {
    94  		currentTestConfig = config
    95  
    96  		opts.HashFamily = config.hashFamily
    97  		opts.SecLevel = config.securityLevel
    98  		opts.SoftVerify = config.softVerify
    99  		opts.Immutable = config.immutable
   100  		fmt.Printf("Immutable = [%v]\n", opts.Immutable)
   101  		currentBCCSP, err = New(opts, keyStore)
   102  		if err != nil {
   103  			fmt.Printf("Failed initiliazing BCCSP at [%+v] \n%s\n", opts, err)
   104  			return -1
   105  		}
   106  
   107  		ret := m.Run()
   108  		if ret != 0 {
   109  			fmt.Printf("Failed testing at [%+v]\n", opts)
   110  			return -1
   111  		}
   112  	}
   113  	return 0
   114  }
   115  
   116  func TestNew(t *testing.T) {
   117  	opts := PKCS11Opts{
   118  		HashFamily: "SHA2",
   119  		SecLevel:   256,
   120  		SoftVerify: false,
   121  		Library:    "lib",
   122  		Label:      "ForFabric",
   123  		Pin:        "98765432",
   124  	}
   125  
   126  	// Setup PKCS11 library and provide initial set of values
   127  	lib, _, _ := FindPKCS11Lib()
   128  	opts.Library = lib
   129  
   130  	// Test for nil keystore
   131  	_, err := New(opts, nil)
   132  	assert.Error(t, err)
   133  	assert.Contains(t, err.Error(), "Invalid bccsp.KeyStore instance. It must be different from nil")
   134  
   135  	// Test for invalid PKCS11 loadLib
   136  	opts.Library = ""
   137  	_, err = New(opts, currentKS)
   138  	assert.Error(t, err)
   139  	assert.Contains(t, err.Error(), "Failed initializing PKCS11 library")
   140  }
   141  
   142  func TestFindPKCS11LibEnvVars(t *testing.T) {
   143  	const (
   144  		dummy_PKCS11_LIB   = "/usr/lib/pkcs11"
   145  		dummy_PKCS11_PIN   = "98765432"
   146  		dummy_PKCS11_LABEL = "testing"
   147  	)
   148  
   149  	// Set environment variables used for test and preserve
   150  	// original values for restoration after test completion
   151  	orig_PKCS11_LIB := os.Getenv("PKCS11_LIB")
   152  	os.Setenv("PKCS11_LIB", dummy_PKCS11_LIB)
   153  
   154  	orig_PKCS11_PIN := os.Getenv("PKCS11_PIN")
   155  	os.Setenv("PKCS11_PIN", dummy_PKCS11_PIN)
   156  
   157  	orig_PKCS11_LABEL := os.Getenv("PKCS11_LABEL")
   158  	os.Setenv("PKCS11_LABEL", dummy_PKCS11_LABEL)
   159  
   160  	lib, pin, label := FindPKCS11Lib()
   161  	assert.EqualValues(t, dummy_PKCS11_LIB, lib, "FindPKCS11Lib did not return expected library")
   162  	assert.EqualValues(t, dummy_PKCS11_PIN, pin, "FindPKCS11Lib did not return expected pin")
   163  	assert.EqualValues(t, dummy_PKCS11_LABEL, label, "FindPKCS11Lib did not return expected label")
   164  
   165  	os.Setenv("PKCS11_LIB", orig_PKCS11_LIB)
   166  	os.Setenv("PKCS11_PIN", orig_PKCS11_PIN)
   167  	os.Setenv("PKCS11_LABEL", orig_PKCS11_LABEL)
   168  }
   169  
   170  func TestInvalidNewParameter(t *testing.T) {
   171  	lib, pin, label := FindPKCS11Lib()
   172  	opts := PKCS11Opts{
   173  		Library:    lib,
   174  		Label:      label,
   175  		Pin:        pin,
   176  		SoftVerify: true,
   177  	}
   178  
   179  	opts.HashFamily = "SHA2"
   180  	opts.SecLevel = 0
   181  	r, err := New(opts, currentKS)
   182  	if err == nil {
   183  		t.Fatal("Error should be different from nil in this case")
   184  	}
   185  	if r != nil {
   186  		t.Fatal("Return value should be equal to nil in this case")
   187  	}
   188  
   189  	opts.HashFamily = "SHA8"
   190  	opts.SecLevel = 256
   191  	r, err = New(opts, currentKS)
   192  	if err == nil {
   193  		t.Fatal("Error should be different from nil in this case")
   194  	}
   195  	if r != nil {
   196  		t.Fatal("Return value should be equal to nil in this case")
   197  	}
   198  
   199  	opts.HashFamily = "SHA2"
   200  	opts.SecLevel = 256
   201  	r, err = New(opts, nil)
   202  	if err == nil {
   203  		t.Fatal("Error should be different from nil in this case")
   204  	}
   205  	if r != nil {
   206  		t.Fatal("Return value should be equal to nil in this case")
   207  	}
   208  
   209  	opts.HashFamily = "SHA3"
   210  	opts.SecLevel = 0
   211  	r, err = New(opts, nil)
   212  	if err == nil {
   213  		t.Fatal("Error should be different from nil in this case")
   214  	}
   215  	if r != nil {
   216  		t.Fatal("Return value should be equal to nil in this case")
   217  	}
   218  }
   219  
   220  func TestInvalidSKI(t *testing.T) {
   221  	k, err := currentBCCSP.GetKey(nil)
   222  	if err == nil {
   223  		t.Fatal("Error should be different from nil in this case")
   224  	}
   225  	if k != nil {
   226  		t.Fatal("Return value should be equal to nil in this case")
   227  	}
   228  
   229  	k, err = currentBCCSP.GetKey([]byte{0, 1, 2, 3, 4, 5, 6})
   230  	if err == nil {
   231  		t.Fatal("Error should be different from nil in this case")
   232  	}
   233  	if k != nil {
   234  		t.Fatal("Return value should be equal to nil in this case")
   235  	}
   236  }
   237  
   238  func TestKeyGenECDSAOpts(t *testing.T) {
   239  	if testing.Short() {
   240  		t.Skip("Skipping TestKeyGenECDSAOpts")
   241  	}
   242  	// Curve P256
   243  	k, err := currentBCCSP.KeyGen(&bccsp.ECDSAP256KeyGenOpts{Temporary: false})
   244  	if err != nil {
   245  		t.Fatalf("Failed generating ECDSA P256 key [%s]", err)
   246  	}
   247  	if k == nil {
   248  		t.Fatal("Failed generating ECDSA P256 key. Key must be different from nil")
   249  	}
   250  	if !k.Private() {
   251  		t.Fatal("Failed generating ECDSA P256 key. Key should be private")
   252  	}
   253  	if k.Symmetric() {
   254  		t.Fatal("Failed generating ECDSA P256 key. Key should be asymmetric")
   255  	}
   256  
   257  	ecdsaKey := k.(*ecdsaPrivateKey).pub
   258  	if elliptic.P256() != ecdsaKey.pub.Curve {
   259  		t.Fatal("P256 generated key in invalid. The curve must be P256.")
   260  	}
   261  
   262  	// Curve P384
   263  	k, err = currentBCCSP.KeyGen(&bccsp.ECDSAP384KeyGenOpts{Temporary: false})
   264  	if err != nil {
   265  		t.Fatalf("Failed generating ECDSA P384 key [%s]", err)
   266  	}
   267  	if k == nil {
   268  		t.Fatal("Failed generating ECDSA P384 key. Key must be different from nil")
   269  	}
   270  	if !k.Private() {
   271  		t.Fatal("Failed generating ECDSA P384 key. Key should be private")
   272  	}
   273  	if k.Symmetric() {
   274  		t.Fatal("Failed generating ECDSA P384 key. Key should be asymmetric")
   275  	}
   276  
   277  	ecdsaKey = k.(*ecdsaPrivateKey).pub
   278  	if elliptic.P384() != ecdsaKey.pub.Curve {
   279  		t.Fatal("P256 generated key in invalid. The curve must be P384.")
   280  	}
   281  }
   282  
   283  func TestKeyGenAESOpts(t *testing.T) {
   284  	if testing.Short() {
   285  		t.Skip("Skipping TestKeyGenAESOpts")
   286  	}
   287  	// AES 128
   288  	k, err := currentBCCSP.KeyGen(&bccsp.AES128KeyGenOpts{Temporary: false})
   289  	if err != nil {
   290  		t.Fatalf("Failed generating AES 128 key [%s]", err)
   291  	}
   292  	if k == nil {
   293  		t.Fatal("Failed generating AES 128 key. Key must be different from nil")
   294  	}
   295  	if !k.Private() {
   296  		t.Fatal("Failed generating AES 128 key. Key should be private")
   297  	}
   298  	if !k.Symmetric() {
   299  		t.Fatal("Failed generating AES 128 key. Key should be symmetric")
   300  	}
   301  
   302  	// AES 192
   303  	k, err = currentBCCSP.KeyGen(&bccsp.AES192KeyGenOpts{Temporary: false})
   304  	if err != nil {
   305  		t.Fatalf("Failed generating AES 192 key [%s]", err)
   306  	}
   307  	if k == nil {
   308  		t.Fatal("Failed generating AES 192 key. Key must be different from nil")
   309  	}
   310  	if !k.Private() {
   311  		t.Fatal("Failed generating AES 192 key. Key should be private")
   312  	}
   313  	if !k.Symmetric() {
   314  		t.Fatal("Failed generating AES 192 key. Key should be symmetric")
   315  	}
   316  
   317  	// AES 256
   318  	k, err = currentBCCSP.KeyGen(&bccsp.AES256KeyGenOpts{Temporary: false})
   319  	if err != nil {
   320  		t.Fatalf("Failed generating AES 256 key [%s]", err)
   321  	}
   322  	if k == nil {
   323  		t.Fatal("Failed generating AES 256 key. Key must be different from nil")
   324  	}
   325  	if !k.Private() {
   326  		t.Fatal("Failed generating AES 256 key. Key should be private")
   327  	}
   328  	if !k.Symmetric() {
   329  		t.Fatal("Failed generating AES 256 key. Key should be symmetric")
   330  	}
   331  }
   332  
   333  func TestHashOpts(t *testing.T) {
   334  	if testing.Short() {
   335  		t.Skip("Skipping TestHashOpts")
   336  	}
   337  	msg := []byte("abcd")
   338  
   339  	// SHA256
   340  	digest1, err := currentBCCSP.Hash(msg, &bccsp.SHA256Opts{})
   341  	if err != nil {
   342  		t.Fatalf("Failed computing SHA256 [%s]", err)
   343  	}
   344  
   345  	h := sha256.New()
   346  	h.Write(msg)
   347  	digest2 := h.Sum(nil)
   348  
   349  	if !bytes.Equal(digest1, digest2) {
   350  		t.Fatalf("Different SHA256 computed. [%x][%x]", digest1, digest2)
   351  	}
   352  
   353  	// SHA384
   354  	digest1, err = currentBCCSP.Hash(msg, &bccsp.SHA384Opts{})
   355  	if err != nil {
   356  		t.Fatalf("Failed computing SHA384 [%s]", err)
   357  	}
   358  
   359  	h = sha512.New384()
   360  	h.Write(msg)
   361  	digest2 = h.Sum(nil)
   362  
   363  	if !bytes.Equal(digest1, digest2) {
   364  		t.Fatalf("Different SHA384 computed. [%x][%x]", digest1, digest2)
   365  	}
   366  
   367  	// SHA3_256O
   368  	digest1, err = currentBCCSP.Hash(msg, &bccsp.SHA3_256Opts{})
   369  	if err != nil {
   370  		t.Fatalf("Failed computing SHA3_256 [%s]", err)
   371  	}
   372  
   373  	h = sha3.New256()
   374  	h.Write(msg)
   375  	digest2 = h.Sum(nil)
   376  
   377  	if !bytes.Equal(digest1, digest2) {
   378  		t.Fatalf("Different SHA3_256 computed. [%x][%x]", digest1, digest2)
   379  	}
   380  
   381  	// SHA3_384
   382  	digest1, err = currentBCCSP.Hash(msg, &bccsp.SHA3_384Opts{})
   383  	if err != nil {
   384  		t.Fatalf("Failed computing SHA3_384 [%s]", err)
   385  	}
   386  
   387  	h = sha3.New384()
   388  	h.Write(msg)
   389  	digest2 = h.Sum(nil)
   390  
   391  	if !bytes.Equal(digest1, digest2) {
   392  		t.Fatalf("Different SHA3_384 computed. [%x][%x]", digest1, digest2)
   393  	}
   394  }
   395  
   396  func TestECDSAKeyGenEphemeral(t *testing.T) {
   397  	if testing.Short() {
   398  		t.Skip("Skipping TestECDSAKeyGenEphemeral")
   399  	}
   400  	k, err := currentBCCSP.KeyGen(&bccsp.ECDSAKeyGenOpts{Temporary: true})
   401  	if err != nil {
   402  		t.Fatalf("Failed generating ECDSA key [%s]", err)
   403  	}
   404  	if k == nil {
   405  		t.Fatal("Failed generating ECDSA key. Key must be different from nil")
   406  	}
   407  	if !k.Private() {
   408  		t.Fatal("Failed generating ECDSA key. Key should be private")
   409  	}
   410  	if k.Symmetric() {
   411  		t.Fatal("Failed generating ECDSA key. Key should be asymmetric")
   412  	}
   413  	raw, err := k.Bytes()
   414  	if err == nil {
   415  		t.Fatal("Failed marshalling to bytes. Marshalling must fail.")
   416  	}
   417  	if len(raw) != 0 {
   418  		t.Fatal("Failed marshalling to bytes. Output should be 0 bytes")
   419  	}
   420  	pk, err := k.PublicKey()
   421  	if err != nil {
   422  		t.Fatalf("Failed getting corresponding public key [%s]", err)
   423  	}
   424  	if pk == nil {
   425  		t.Fatal("Public key must be different from nil.")
   426  	}
   427  }
   428  
   429  func TestECDSAPrivateKeySKI(t *testing.T) {
   430  	if testing.Short() {
   431  		t.Skip("Skipping TestECDSAPrivateKeySKI")
   432  	}
   433  	k, err := currentBCCSP.KeyGen(&bccsp.ECDSAKeyGenOpts{Temporary: false})
   434  	if err != nil {
   435  		t.Fatalf("Failed generating ECDSA key [%s]", err)
   436  	}
   437  
   438  	ski := k.SKI()
   439  	if len(ski) == 0 {
   440  		t.Fatal("SKI not valid. Zero length.")
   441  	}
   442  }
   443  
   444  func TestECDSAKeyGenNonEphemeral(t *testing.T) {
   445  	if testing.Short() {
   446  		t.Skip("Skipping TestECDSAKeyGenNonEphemeral")
   447  	}
   448  	k, err := currentBCCSP.KeyGen(&bccsp.ECDSAKeyGenOpts{Temporary: false})
   449  	if err != nil {
   450  		t.Fatalf("Failed generating ECDSA key [%s]", err)
   451  	}
   452  	if k == nil {
   453  		t.Fatal("Failed generating ECDSA key. Key must be different from nil")
   454  	}
   455  	if !k.Private() {
   456  		t.Fatal("Failed generating ECDSA key. Key should be private")
   457  	}
   458  	if k.Symmetric() {
   459  		t.Fatal("Failed generating ECDSA key. Key should be asymmetric")
   460  	}
   461  }
   462  
   463  func TestECDSAGetKeyBySKI(t *testing.T) {
   464  	if testing.Short() {
   465  		t.Skip("Skipping TestECDSAGetKeyBySKI")
   466  	}
   467  	k, err := currentBCCSP.KeyGen(&bccsp.ECDSAKeyGenOpts{Temporary: false})
   468  	if err != nil {
   469  		t.Fatalf("Failed generating ECDSA key [%s]", err)
   470  	}
   471  
   472  	k2, err := currentBCCSP.GetKey(k.SKI())
   473  	if err != nil {
   474  		t.Fatalf("Failed getting ECDSA key [%s]", err)
   475  	}
   476  	if k2 == nil {
   477  		t.Fatal("Failed getting ECDSA key. Key must be different from nil")
   478  	}
   479  	if !k2.Private() {
   480  		t.Fatal("Failed getting ECDSA key. Key should be private")
   481  	}
   482  	if k2.Symmetric() {
   483  		t.Fatal("Failed getting ECDSA key. Key should be asymmetric")
   484  	}
   485  
   486  	// Check that the SKIs are the same
   487  	if !bytes.Equal(k.SKI(), k2.SKI()) {
   488  		t.Fatalf("SKIs are different [%x]!=[%x]", k.SKI(), k2.SKI())
   489  	}
   490  }
   491  
   492  func TestECDSAPublicKeyFromPrivateKey(t *testing.T) {
   493  	if testing.Short() {
   494  		t.Skip("Skipping TestECDSAPublicKeyFromPrivateKey")
   495  	}
   496  	k, err := currentBCCSP.KeyGen(&bccsp.ECDSAKeyGenOpts{Temporary: false})
   497  	if err != nil {
   498  		t.Fatalf("Failed generating ECDSA key [%s]", err)
   499  	}
   500  
   501  	pk, err := k.PublicKey()
   502  	if err != nil {
   503  		t.Fatalf("Failed getting public key from private ECDSA key [%s]", err)
   504  	}
   505  	if pk == nil {
   506  		t.Fatal("Failed getting public key from private ECDSA key. Key must be different from nil")
   507  	}
   508  	if pk.Private() {
   509  		t.Fatal("Failed generating ECDSA key. Key should be public")
   510  	}
   511  	if pk.Symmetric() {
   512  		t.Fatal("Failed generating ECDSA key. Key should be asymmetric")
   513  	}
   514  }
   515  
   516  func TestECDSAPublicKeyBytes(t *testing.T) {
   517  	if testing.Short() {
   518  		t.Skip("Skipping TestECDSAPublicKeyBytes")
   519  	}
   520  
   521  	k, err := currentBCCSP.KeyGen(&bccsp.ECDSAKeyGenOpts{Temporary: false})
   522  	if err != nil {
   523  		t.Fatalf("Failed generating ECDSA key [%s]", err)
   524  	}
   525  
   526  	pk, err := k.PublicKey()
   527  	if err != nil {
   528  		t.Fatalf("Failed getting public key from private ECDSA key [%s]", err)
   529  	}
   530  
   531  	raw, err := pk.Bytes()
   532  	if err != nil {
   533  		t.Fatalf("Failed marshalling ECDSA public key [%s]", err)
   534  	}
   535  	if len(raw) == 0 {
   536  		t.Fatal("Failed marshalling ECDSA public key. Zero length")
   537  	}
   538  }
   539  
   540  func TestECDSAPublicKeySKI(t *testing.T) {
   541  	if testing.Short() {
   542  		t.Skip("Skipping TestECDSAPublicKeySKI")
   543  	}
   544  	k, err := currentBCCSP.KeyGen(&bccsp.ECDSAKeyGenOpts{Temporary: false})
   545  	if err != nil {
   546  		t.Fatalf("Failed generating ECDSA key [%s]", err)
   547  	}
   548  
   549  	pk, err := k.PublicKey()
   550  	if err != nil {
   551  		t.Fatalf("Failed getting public key from private ECDSA key [%s]", err)
   552  	}
   553  
   554  	ski := pk.SKI()
   555  	if len(ski) == 0 {
   556  		t.Fatal("SKI not valid. Zero length.")
   557  	}
   558  }
   559  
   560  func TestECDSASign(t *testing.T) {
   561  	if testing.Short() {
   562  		t.Skip("Skipping TestECDSASign")
   563  	}
   564  	k, err := currentBCCSP.KeyGen(&bccsp.ECDSAKeyGenOpts{Temporary: false})
   565  	if err != nil {
   566  		t.Fatalf("Failed generating ECDSA key [%s]", err)
   567  	}
   568  
   569  	msg := []byte("Hello World")
   570  
   571  	digest, err := currentBCCSP.Hash(msg, &bccsp.SHAOpts{})
   572  	if err != nil {
   573  		t.Fatalf("Failed computing HASH [%s]", err)
   574  	}
   575  
   576  	signature, err := currentBCCSP.Sign(k, digest, nil)
   577  	if err != nil {
   578  		t.Fatalf("Failed generating ECDSA signature [%s]", err)
   579  	}
   580  	if len(signature) == 0 {
   581  		t.Fatal("Failed generating ECDSA key. Signature must be different from nil")
   582  	}
   583  
   584  	_, err = currentBCCSP.Sign(nil, digest, nil)
   585  	assert.Error(t, err)
   586  	assert.Contains(t, err.Error(), "Invalid Key. It must not be nil")
   587  
   588  	_, err = currentBCCSP.Sign(k, nil, nil)
   589  	assert.Error(t, err)
   590  	assert.Contains(t, err.Error(), "Invalid digest. Cannot be empty")
   591  }
   592  
   593  func TestECDSAVerify(t *testing.T) {
   594  	if testing.Short() {
   595  		t.Skip("Skipping TestECDSAVerify")
   596  	}
   597  	k, err := currentBCCSP.KeyGen(&bccsp.ECDSAKeyGenOpts{Temporary: false})
   598  	if err != nil {
   599  		t.Fatalf("Failed generating ECDSA key [%s]", err)
   600  	}
   601  
   602  	msg := []byte("Hello World")
   603  
   604  	digest, err := currentBCCSP.Hash(msg, &bccsp.SHAOpts{})
   605  	if err != nil {
   606  		t.Fatalf("Failed computing HASH [%s]", err)
   607  	}
   608  
   609  	signature, err := currentBCCSP.Sign(k, digest, nil)
   610  	if err != nil {
   611  		t.Fatalf("Failed generating ECDSA signature  [%s]", err)
   612  	}
   613  
   614  	valid, err := currentBCCSP.Verify(k, signature, digest, nil)
   615  	if err != nil {
   616  		t.Fatalf("Failed verifying ECDSA signature [%s]", err)
   617  	}
   618  	if !valid {
   619  		t.Fatal("Failed verifying ECDSA signature. Signature not valid.")
   620  	}
   621  
   622  	pk, err := k.PublicKey()
   623  	if err != nil {
   624  		t.Fatalf("Failed getting corresponding public key [%s]", err)
   625  	}
   626  
   627  	valid, err = currentBCCSP.Verify(pk, signature, digest, nil)
   628  	if err != nil {
   629  		t.Fatalf("Failed verifying ECDSA signature [%s]", err)
   630  	}
   631  	if !valid {
   632  		t.Fatal("Failed verifying ECDSA signature. Signature not valid.")
   633  	}
   634  
   635  	_, err = currentBCCSP.Verify(nil, signature, digest, nil)
   636  	assert.Error(t, err)
   637  	assert.Contains(t, err.Error(), "Invalid Key. It must not be nil")
   638  
   639  	_, err = currentBCCSP.Verify(pk, nil, digest, nil)
   640  	assert.Error(t, err)
   641  	assert.Contains(t, err.Error(), "Invalid signature. Cannot be empty")
   642  
   643  	_, err = currentBCCSP.Verify(pk, signature, nil, nil)
   644  	assert.Error(t, err)
   645  	assert.Contains(t, err.Error(), "Invalid digest. Cannot be empty")
   646  
   647  	// Import the exported public key
   648  	pkRaw, err := pk.Bytes()
   649  	if err != nil {
   650  		t.Fatalf("Failed getting ECDSA raw public key [%s]", err)
   651  	}
   652  
   653  	// Store public key
   654  	_, err = currentBCCSP.KeyImport(pkRaw, &bccsp.ECDSAPKIXPublicKeyImportOpts{Temporary: false})
   655  	if err != nil {
   656  		t.Fatalf("Failed storing corresponding public key [%s]", err)
   657  	}
   658  
   659  	pk2, err := currentBCCSP.GetKey(pk.SKI())
   660  	if err != nil {
   661  		t.Fatalf("Failed retrieving corresponding public key [%s]", err)
   662  	}
   663  
   664  	valid, err = currentBCCSP.Verify(pk2, signature, digest, nil)
   665  	if err != nil {
   666  		t.Fatalf("Failed verifying ECDSA signature [%s]", err)
   667  	}
   668  	if !valid {
   669  		t.Fatal("Failed verifying ECDSA signature. Signature not valid.")
   670  	}
   671  }
   672  
   673  func TestECDSAKeyImportFromExportedKey(t *testing.T) {
   674  	if testing.Short() {
   675  		t.Skip("Skipping TestECDSAKeyImportFromExportedKey")
   676  	}
   677  	// Generate an ECDSA key
   678  	k, err := currentBCCSP.KeyGen(&bccsp.ECDSAKeyGenOpts{Temporary: false})
   679  	if err != nil {
   680  		t.Fatalf("Failed generating ECDSA key [%s]", err)
   681  	}
   682  
   683  	// Export the public key
   684  	pk, err := k.PublicKey()
   685  	if err != nil {
   686  		t.Fatalf("Failed getting ECDSA public key [%s]", err)
   687  	}
   688  
   689  	pkRaw, err := pk.Bytes()
   690  	if err != nil {
   691  		t.Fatalf("Failed getting ECDSA raw public key [%s]", err)
   692  	}
   693  
   694  	// Import the exported public key
   695  	pk2, err := currentBCCSP.KeyImport(pkRaw, &bccsp.ECDSAPKIXPublicKeyImportOpts{Temporary: false})
   696  	if err != nil {
   697  		t.Fatalf("Failed importing ECDSA public key [%s]", err)
   698  	}
   699  	if pk2 == nil {
   700  		t.Fatal("Failed importing ECDSA public key. Return BCCSP key cannot be nil.")
   701  	}
   702  
   703  	// Sign and verify with the imported public key
   704  	msg := []byte("Hello World")
   705  
   706  	digest, err := currentBCCSP.Hash(msg, &bccsp.SHAOpts{})
   707  	if err != nil {
   708  		t.Fatalf("Failed computing HASH [%s]", err)
   709  	}
   710  
   711  	signature, err := currentBCCSP.Sign(k, digest, nil)
   712  	if err != nil {
   713  		t.Fatalf("Failed generating ECDSA signature [%s]", err)
   714  	}
   715  
   716  	valid, err := currentBCCSP.Verify(pk2, signature, digest, nil)
   717  	if err != nil {
   718  		t.Fatalf("Failed verifying ECDSA signature [%s]", err)
   719  	}
   720  	if !valid {
   721  		t.Fatal("Failed verifying ECDSA signature. Signature not valid.")
   722  	}
   723  }
   724  
   725  func TestECDSAKeyImportFromECDSAPublicKey(t *testing.T) {
   726  	if testing.Short() {
   727  		t.Skip("Skipping TestECDSAKeyImportFromECDSAPublicKey")
   728  	}
   729  	// Generate an ECDSA key
   730  	k, err := currentBCCSP.KeyGen(&bccsp.ECDSAKeyGenOpts{Temporary: false})
   731  	if err != nil {
   732  		t.Fatalf("Failed generating ECDSA key [%s]", err)
   733  	}
   734  
   735  	// Export the public key
   736  	pk, err := k.PublicKey()
   737  	if err != nil {
   738  		t.Fatalf("Failed getting ECDSA public key [%s]", err)
   739  	}
   740  
   741  	pkRaw, err := pk.Bytes()
   742  	if err != nil {
   743  		t.Fatalf("Failed getting ECDSA raw public key [%s]", err)
   744  	}
   745  
   746  	pub, err := utils.DERToPublicKey(pkRaw)
   747  	if err != nil {
   748  		t.Fatalf("Failed converting raw to ecdsa.PublicKey [%s]", err)
   749  	}
   750  
   751  	// Import the ecdsa.PublicKey
   752  	pk2, err := currentBCCSP.KeyImport(pub, &bccsp.ECDSAGoPublicKeyImportOpts{Temporary: false})
   753  	if err != nil {
   754  		t.Fatalf("Failed importing ECDSA public key [%s]", err)
   755  	}
   756  	if pk2 == nil {
   757  		t.Fatal("Failed importing ECDSA public key. Return BCCSP key cannot be nil.")
   758  	}
   759  
   760  	// Sign and verify with the imported public key
   761  	msg := []byte("Hello World")
   762  
   763  	digest, err := currentBCCSP.Hash(msg, &bccsp.SHAOpts{})
   764  	if err != nil {
   765  		t.Fatalf("Failed computing HASH [%s]", err)
   766  	}
   767  
   768  	signature, err := currentBCCSP.Sign(k, digest, nil)
   769  	if err != nil {
   770  		t.Fatalf("Failed generating ECDSA signature [%s]", err)
   771  	}
   772  
   773  	valid, err := currentBCCSP.Verify(pk2, signature, digest, nil)
   774  	if err != nil {
   775  		t.Fatalf("Failed verifying ECDSA signature [%s]", err)
   776  	}
   777  	if !valid {
   778  		t.Fatal("Failed verifying ECDSA signature. Signature not valid.")
   779  	}
   780  }
   781  
   782  func TestKeyImportFromX509ECDSAPublicKey(t *testing.T) {
   783  	if testing.Short() {
   784  		t.Skip("Skipping TestKeyImportFromX509ECDSAPublicKey")
   785  	}
   786  	// Generate an ECDSA key
   787  	k, err := currentBCCSP.KeyGen(&bccsp.ECDSAKeyGenOpts{Temporary: false})
   788  	if err != nil {
   789  		t.Fatalf("Failed generating ECDSA key [%s]", err)
   790  	}
   791  
   792  	// Generate a self-signed certificate
   793  	testExtKeyUsage := []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}
   794  	testUnknownExtKeyUsage := []asn1.ObjectIdentifier{[]int{1, 2, 3}, []int{2, 59, 1}}
   795  	extraExtensionData := []byte("extra extension")
   796  	commonName := "test.example.com"
   797  	template := x509.Certificate{
   798  		SerialNumber: big.NewInt(1),
   799  		Subject: pkix.Name{
   800  			CommonName:   commonName,
   801  			Organization: []string{"Σ Acme Co"},
   802  			Country:      []string{"US"},
   803  			ExtraNames: []pkix.AttributeTypeAndValue{
   804  				{
   805  					Type:  []int{2, 5, 4, 42},
   806  					Value: "Gopher",
   807  				},
   808  				// This should override the Country, above.
   809  				{
   810  					Type:  []int{2, 5, 4, 6},
   811  					Value: "NL",
   812  				},
   813  			},
   814  		},
   815  		NotBefore: time.Now().Add(-1 * time.Hour),
   816  		NotAfter:  time.Now().Add(1 * time.Hour),
   817  
   818  		SignatureAlgorithm: x509.ECDSAWithSHA256,
   819  
   820  		SubjectKeyId: []byte{1, 2, 3, 4},
   821  		KeyUsage:     x509.KeyUsageCertSign,
   822  
   823  		ExtKeyUsage:        testExtKeyUsage,
   824  		UnknownExtKeyUsage: testUnknownExtKeyUsage,
   825  
   826  		BasicConstraintsValid: true,
   827  		IsCA:                  true,
   828  
   829  		OCSPServer:            []string{"http://ocurrentBCCSP.example.com"},
   830  		IssuingCertificateURL: []string{"http://crt.example.com/ca1.crt"},
   831  
   832  		DNSNames:       []string{"test.example.com"},
   833  		EmailAddresses: []string{"gopher@golang.org"},
   834  		IPAddresses:    []net.IP{net.IPv4(127, 0, 0, 1).To4(), net.ParseIP("2001:4860:0:2001::68")},
   835  
   836  		PolicyIdentifiers:   []asn1.ObjectIdentifier{[]int{1, 2, 3}},
   837  		PermittedDNSDomains: []string{".example.com", "example.com"},
   838  
   839  		CRLDistributionPoints: []string{"http://crl1.example.com/ca1.crl", "http://crl2.example.com/ca1.crl"},
   840  
   841  		ExtraExtensions: []pkix.Extension{
   842  			{
   843  				Id:    []int{1, 2, 3, 4},
   844  				Value: extraExtensionData,
   845  			},
   846  		},
   847  	}
   848  
   849  	cryptoSigner, err := signer.New(currentBCCSP, k)
   850  	if err != nil {
   851  		t.Fatalf("Failed initializing CyrptoSigner [%s]", err)
   852  	}
   853  
   854  	// Export the public key
   855  	pk, err := k.PublicKey()
   856  	if err != nil {
   857  		t.Fatalf("Failed getting ECDSA public key [%s]", err)
   858  	}
   859  
   860  	pkRaw, err := pk.Bytes()
   861  	if err != nil {
   862  		t.Fatalf("Failed getting ECDSA raw public key [%s]", err)
   863  	}
   864  
   865  	pub, err := utils.DERToPublicKey(pkRaw)
   866  	if err != nil {
   867  		t.Fatalf("Failed converting raw to ECDSA.PublicKey [%s]", err)
   868  	}
   869  
   870  	certRaw, err := x509.CreateCertificate(rand.Reader, &template, &template, pub, cryptoSigner)
   871  	if err != nil {
   872  		t.Fatalf("Failed generating self-signed certificate [%s]", err)
   873  	}
   874  
   875  	cert, err := x509.ParseCertificate(certRaw)
   876  	if err != nil {
   877  		t.Fatalf("Failed generating X509 certificate object from raw [%s]", err)
   878  	}
   879  
   880  	// Import the certificate's public key
   881  	pk2, err := currentBCCSP.KeyImport(cert, &bccsp.X509PublicKeyImportOpts{Temporary: false})
   882  
   883  	if err != nil {
   884  		t.Fatalf("Failed importing ECDSA public key [%s]", err)
   885  	}
   886  	if pk2 == nil {
   887  		t.Fatal("Failed importing ECDSA public key. Return BCCSP key cannot be nil.")
   888  	}
   889  
   890  	// Sign and verify with the imported public key
   891  	msg := []byte("Hello World")
   892  
   893  	digest, err := currentBCCSP.Hash(msg, &bccsp.SHAOpts{})
   894  	if err != nil {
   895  		t.Fatalf("Failed computing HASH [%s]", err)
   896  	}
   897  
   898  	signature, err := currentBCCSP.Sign(k, digest, nil)
   899  	if err != nil {
   900  		t.Fatalf("Failed generating ECDSA signature [%s]", err)
   901  	}
   902  
   903  	valid, err := currentBCCSP.Verify(pk2, signature, digest, nil)
   904  	if err != nil {
   905  		t.Fatalf("Failed verifying ECDSA signature [%s]", err)
   906  	}
   907  	if !valid {
   908  		t.Fatal("Failed verifying ECDSA signature. Signature not valid.")
   909  	}
   910  }
   911  
   912  func TestECDSASignatureEncoding(t *testing.T) {
   913  	if testing.Short() {
   914  		t.Skip("Skipping TestECDSASignatureEncoding")
   915  	}
   916  	v := []byte{0x30, 0x07, 0x02, 0x01, 0x8F, 0x02, 0x02, 0xff, 0xf1}
   917  	_, err := asn1.Unmarshal(v, &utils.ECDSASignature{})
   918  	if err == nil {
   919  		t.Fatalf("Unmarshalling should fail for [% x]", v)
   920  	}
   921  	t.Logf("Unmarshalling correctly failed for [% x] [%s]", v, err)
   922  
   923  	v = []byte{0x30, 0x07, 0x02, 0x01, 0x8F, 0x02, 0x02, 0x00, 0x01}
   924  	_, err = asn1.Unmarshal(v, &utils.ECDSASignature{})
   925  	if err == nil {
   926  		t.Fatalf("Unmarshalling should fail for [% x]", v)
   927  	}
   928  	t.Logf("Unmarshalling correctly failed for [% x] [%s]", v, err)
   929  
   930  	v = []byte{0x30, 0x07, 0x02, 0x01, 0x8F, 0x02, 0x81, 0x01, 0x01}
   931  	_, err = asn1.Unmarshal(v, &utils.ECDSASignature{})
   932  	if err == nil {
   933  		t.Fatalf("Unmarshalling should fail for [% x]", v)
   934  	}
   935  	t.Logf("Unmarshalling correctly failed for [% x] [%s]", v, err)
   936  
   937  	v = []byte{0x30, 0x07, 0x02, 0x01, 0x8F, 0x02, 0x81, 0x01, 0x8F}
   938  	_, err = asn1.Unmarshal(v, &utils.ECDSASignature{})
   939  	if err == nil {
   940  		t.Fatalf("Unmarshalling should fail for [% x]", v)
   941  	}
   942  	t.Logf("Unmarshalling correctly failed for [% x] [%s]", v, err)
   943  
   944  	v = []byte{0x30, 0x0A, 0x02, 0x01, 0x8F, 0x02, 0x05, 0x00, 0x00, 0x00, 0x00, 0x8F}
   945  	_, err = asn1.Unmarshal(v, &utils.ECDSASignature{})
   946  	if err == nil {
   947  		t.Fatalf("Unmarshalling should fail for [% x]", v)
   948  	}
   949  	t.Logf("Unmarshalling correctly failed for [% x] [%s]", v, err)
   950  
   951  }
   952  
   953  func TestECDSALowS(t *testing.T) {
   954  	if testing.Short() {
   955  		t.Skip("Skipping TestECDSALowS")
   956  	}
   957  	// Ensure that signature with low-S are generated
   958  	k, err := currentBCCSP.KeyGen(&bccsp.ECDSAKeyGenOpts{Temporary: false})
   959  	if err != nil {
   960  		t.Fatalf("Failed generating ECDSA key [%s]", err)
   961  	}
   962  
   963  	msg := []byte("Hello World")
   964  
   965  	digest, err := currentBCCSP.Hash(msg, &bccsp.SHAOpts{})
   966  	if err != nil {
   967  		t.Fatalf("Failed computing HASH [%s]", err)
   968  	}
   969  
   970  	signature, err := currentBCCSP.Sign(k, digest, nil)
   971  	if err != nil {
   972  		t.Fatalf("Failed generating ECDSA signature [%s]", err)
   973  	}
   974  
   975  	R, S, err := utils.UnmarshalECDSASignature(signature)
   976  	if err != nil {
   977  		t.Fatalf("Failed unmarshalling signature [%s]", err)
   978  	}
   979  
   980  	if S.Cmp(utils.GetCurveHalfOrdersAt(k.(*ecdsaPrivateKey).pub.pub.Curve)) >= 0 {
   981  		t.Fatal("Invalid signature. It must have low-S")
   982  	}
   983  
   984  	valid, err := currentBCCSP.Verify(k, signature, digest, nil)
   985  	if err != nil {
   986  		t.Fatalf("Failed verifying ECDSA signature [%s]", err)
   987  	}
   988  	if !valid {
   989  		t.Fatal("Failed verifying ECDSA signature. Signature not valid.")
   990  	}
   991  
   992  	// Ensure that signature with high-S are rejected.
   993  	for {
   994  		R, S, err = currentBCCSP.(*impl).signP11ECDSA(k.SKI(), digest)
   995  		if err != nil {
   996  			t.Fatalf("Failed generating signature [%s]", err)
   997  		}
   998  
   999  		if S.Cmp(utils.GetCurveHalfOrdersAt(k.(*ecdsaPrivateKey).pub.pub.Curve)) > 0 {
  1000  			break
  1001  		}
  1002  	}
  1003  
  1004  	sig, err := utils.MarshalECDSASignature(R, S)
  1005  	if err != nil {
  1006  		t.Fatalf("Failing unmarshalling signature [%s]", err)
  1007  	}
  1008  
  1009  	valid, err = currentBCCSP.Verify(k, sig, digest, nil)
  1010  	if err == nil {
  1011  		t.Fatal("Failed verifying ECDSA signature. It must fail for a signature with high-S")
  1012  	}
  1013  	if valid {
  1014  		t.Fatal("Failed verifying ECDSA signature. It must fail for a signature with high-S")
  1015  	}
  1016  }
  1017  
  1018  func TestAESKeyGen(t *testing.T) {
  1019  	if testing.Short() {
  1020  		t.Skip("Skipping TestAESKeyGen")
  1021  	}
  1022  	k, err := currentBCCSP.KeyGen(&bccsp.AESKeyGenOpts{Temporary: false})
  1023  	if err != nil {
  1024  		t.Fatalf("Failed generating AES_256 key [%s]", err)
  1025  	}
  1026  	if k == nil {
  1027  		t.Fatal("Failed generating AES_256 key. Key must be different from nil")
  1028  	}
  1029  	if !k.Private() {
  1030  		t.Fatal("Failed generating AES_256 key. Key should be private")
  1031  	}
  1032  	if !k.Symmetric() {
  1033  		t.Fatal("Failed generating AES_256 key. Key should be symmetric")
  1034  	}
  1035  
  1036  	pk, err := k.PublicKey()
  1037  	if err == nil {
  1038  		t.Fatal("Error should be different from nil in this case")
  1039  	}
  1040  	if pk != nil {
  1041  		t.Fatal("Return value should be equal to nil in this case")
  1042  	}
  1043  }
  1044  
  1045  func TestAESEncrypt(t *testing.T) {
  1046  	if testing.Short() {
  1047  		t.Skip("Skipping TestAESEncrypt")
  1048  	}
  1049  	k, err := currentBCCSP.KeyGen(&bccsp.AESKeyGenOpts{Temporary: false})
  1050  	if err != nil {
  1051  		t.Fatalf("Failed generating AES_256 key [%s]", err)
  1052  	}
  1053  
  1054  	ct, err := currentBCCSP.Encrypt(k, []byte("Hello World"), &bccsp.AESCBCPKCS7ModeOpts{})
  1055  	if err != nil {
  1056  		t.Fatalf("Failed encrypting [%s]", err)
  1057  	}
  1058  	if len(ct) == 0 {
  1059  		t.Fatal("Failed encrypting. Nil ciphertext")
  1060  	}
  1061  }
  1062  
  1063  func TestAESDecrypt(t *testing.T) {
  1064  	if testing.Short() {
  1065  		t.Skip("Skipping TestAESDecrypt")
  1066  	}
  1067  	k, err := currentBCCSP.KeyGen(&bccsp.AESKeyGenOpts{Temporary: false})
  1068  	if err != nil {
  1069  		t.Fatalf("Failed generating AES_256 key [%s]", err)
  1070  	}
  1071  
  1072  	msg := []byte("Hello World")
  1073  
  1074  	ct, err := currentBCCSP.Encrypt(k, msg, &bccsp.AESCBCPKCS7ModeOpts{})
  1075  	if err != nil {
  1076  		t.Fatalf("Failed encrypting [%s]", err)
  1077  	}
  1078  
  1079  	pt, err := currentBCCSP.Decrypt(k, ct, bccsp.AESCBCPKCS7ModeOpts{})
  1080  	if err != nil {
  1081  		t.Fatalf("Failed decrypting [%s]", err)
  1082  	}
  1083  	if len(ct) == 0 {
  1084  		t.Fatal("Failed decrypting. Nil plaintext")
  1085  	}
  1086  
  1087  	if !bytes.Equal(msg, pt) {
  1088  		t.Fatalf("Failed decrypting. Decrypted plaintext is different from the original. [%x][%x]", msg, pt)
  1089  	}
  1090  }
  1091  
  1092  func TestHMACTruncated256KeyDerivOverAES256Key(t *testing.T) {
  1093  	if testing.Short() {
  1094  		t.Skip("Skipping TestHMACTruncated256KeyDerivOverAES256Key")
  1095  	}
  1096  	k, err := currentBCCSP.KeyGen(&bccsp.AESKeyGenOpts{Temporary: false})
  1097  	if err != nil {
  1098  		t.Fatalf("Failed generating AES_256 key [%s]", err)
  1099  	}
  1100  
  1101  	hmcaedKey, err := currentBCCSP.KeyDeriv(k, &bccsp.HMACTruncated256AESDeriveKeyOpts{Temporary: false, Arg: []byte{1}})
  1102  	if err != nil {
  1103  		t.Fatalf("Failed HMACing AES_256 key [%s]", err)
  1104  	}
  1105  	if k == nil {
  1106  		t.Fatal("Failed HMACing AES_256 key. HMACed Key must be different from nil")
  1107  	}
  1108  	if !hmcaedKey.Private() {
  1109  		t.Fatal("Failed HMACing AES_256 key. HMACed Key should be private")
  1110  	}
  1111  	if !hmcaedKey.Symmetric() {
  1112  		t.Fatal("Failed HMACing AES_256 key. HMACed Key should be asymmetric")
  1113  	}
  1114  	raw, err := hmcaedKey.Bytes()
  1115  	if err == nil {
  1116  		t.Fatal("Failed marshalling to bytes. Operation must be forbidden")
  1117  	}
  1118  	if len(raw) != 0 {
  1119  		t.Fatal("Failed marshalling to bytes. Operation must return 0 bytes")
  1120  	}
  1121  
  1122  	msg := []byte("Hello World")
  1123  
  1124  	ct, err := currentBCCSP.Encrypt(hmcaedKey, msg, &bccsp.AESCBCPKCS7ModeOpts{})
  1125  	if err != nil {
  1126  		t.Fatalf("Failed encrypting [%s]", err)
  1127  	}
  1128  
  1129  	pt, err := currentBCCSP.Decrypt(hmcaedKey, ct, bccsp.AESCBCPKCS7ModeOpts{})
  1130  	if err != nil {
  1131  		t.Fatalf("Failed decrypting [%s]", err)
  1132  	}
  1133  	if len(ct) == 0 {
  1134  		t.Fatal("Failed decrypting. Nil plaintext")
  1135  	}
  1136  
  1137  	if !bytes.Equal(msg, pt) {
  1138  		t.Fatalf("Failed decrypting. Decrypted plaintext is different from the original. [%x][%x]", msg, pt)
  1139  	}
  1140  
  1141  }
  1142  
  1143  func TestHMACKeyDerivOverAES256Key(t *testing.T) {
  1144  	if testing.Short() {
  1145  		t.Skip("Skipping TestHMACKeyDerivOverAES256Key")
  1146  	}
  1147  	k, err := currentBCCSP.KeyGen(&bccsp.AESKeyGenOpts{Temporary: false})
  1148  	if err != nil {
  1149  		t.Fatalf("Failed generating AES_256 key [%s]", err)
  1150  	}
  1151  
  1152  	hmcaedKey, err := currentBCCSP.KeyDeriv(k, &bccsp.HMACDeriveKeyOpts{Temporary: false, Arg: []byte{1}})
  1153  
  1154  	if err != nil {
  1155  		t.Fatalf("Failed HMACing AES_256 key [%s]", err)
  1156  	}
  1157  	if k == nil {
  1158  		t.Fatal("Failed HMACing AES_256 key. HMACed Key must be different from nil")
  1159  	}
  1160  	if !hmcaedKey.Private() {
  1161  		t.Fatal("Failed HMACing AES_256 key. HMACed Key should be private")
  1162  	}
  1163  	if !hmcaedKey.Symmetric() {
  1164  		t.Fatal("Failed HMACing AES_256 key. HMACed Key should be asymmetric")
  1165  	}
  1166  	raw, err := hmcaedKey.Bytes()
  1167  	if err != nil {
  1168  		t.Fatalf("Failed marshalling to bytes [%s]", err)
  1169  	}
  1170  	if len(raw) == 0 {
  1171  		t.Fatal("Failed marshalling to bytes. 0 bytes")
  1172  	}
  1173  }
  1174  
  1175  func TestAES256KeyImport(t *testing.T) {
  1176  	if testing.Short() {
  1177  		t.Skip("Skipping TestAES256KeyImport")
  1178  	}
  1179  	raw, err := sw.GetRandomBytes(32)
  1180  	if err != nil {
  1181  		t.Fatalf("Failed generating AES key [%s]", err)
  1182  	}
  1183  
  1184  	k, err := currentBCCSP.KeyImport(raw, &bccsp.AES256ImportKeyOpts{Temporary: false})
  1185  	if err != nil {
  1186  		t.Fatalf("Failed importing AES_256 key [%s]", err)
  1187  	}
  1188  	if k == nil {
  1189  		t.Fatal("Failed importing AES_256 key. Imported Key must be different from nil")
  1190  	}
  1191  	if !k.Private() {
  1192  		t.Fatal("Failed HMACing AES_256 key. Imported Key should be private")
  1193  	}
  1194  	if !k.Symmetric() {
  1195  		t.Fatal("Failed HMACing AES_256 key. Imported Key should be asymmetric")
  1196  	}
  1197  	raw, err = k.Bytes()
  1198  	if err == nil {
  1199  		t.Fatal("Failed marshalling to bytes. Marshalling must fail.")
  1200  	}
  1201  	if len(raw) != 0 {
  1202  		t.Fatal("Failed marshalling to bytes. Output should be 0 bytes")
  1203  	}
  1204  
  1205  	msg := []byte("Hello World")
  1206  
  1207  	ct, err := currentBCCSP.Encrypt(k, msg, &bccsp.AESCBCPKCS7ModeOpts{})
  1208  	if err != nil {
  1209  		t.Fatalf("Failed encrypting [%s]", err)
  1210  	}
  1211  
  1212  	pt, err := currentBCCSP.Decrypt(k, ct, bccsp.AESCBCPKCS7ModeOpts{})
  1213  	if err != nil {
  1214  		t.Fatalf("Failed decrypting [%s]", err)
  1215  	}
  1216  	if len(ct) == 0 {
  1217  		t.Fatal("Failed decrypting. Nil plaintext")
  1218  	}
  1219  
  1220  	if !bytes.Equal(msg, pt) {
  1221  		t.Fatalf("Failed decrypting. Decrypted plaintext is different from the original. [%x][%x]", msg, pt)
  1222  	}
  1223  }
  1224  
  1225  func TestAES256KeyImportBadPaths(t *testing.T) {
  1226  	if testing.Short() {
  1227  		t.Skip("Skipping TestAES256KeyImportBadPaths")
  1228  	}
  1229  	_, err := currentBCCSP.KeyImport(nil, &bccsp.AES256ImportKeyOpts{Temporary: false})
  1230  	if err == nil {
  1231  		t.Fatal("Failed importing key. Must fail on importing nil key")
  1232  	}
  1233  
  1234  	_, err = currentBCCSP.KeyImport([]byte{1}, &bccsp.AES256ImportKeyOpts{Temporary: false})
  1235  	if err == nil {
  1236  		t.Fatal("Failed importing key. Must fail on importing a key with an invalid length")
  1237  	}
  1238  }
  1239  
  1240  func TestAES256KeyGenSKI(t *testing.T) {
  1241  	if testing.Short() {
  1242  		t.Skip("Skipping TestAES256KeyGenSKI")
  1243  	}
  1244  	k, err := currentBCCSP.KeyGen(&bccsp.AESKeyGenOpts{Temporary: false})
  1245  	if err != nil {
  1246  		t.Fatalf("Failed generating AES_256 key [%s]", err)
  1247  	}
  1248  
  1249  	k2, err := currentBCCSP.GetKey(k.SKI())
  1250  	if err != nil {
  1251  		t.Fatalf("Failed getting AES_256 key [%s]", err)
  1252  	}
  1253  	if k2 == nil {
  1254  		t.Fatal("Failed getting AES_256 key. Key must be different from nil")
  1255  	}
  1256  	if !k2.Private() {
  1257  		t.Fatal("Failed getting AES_256 key. Key should be private")
  1258  	}
  1259  	if !k2.Symmetric() {
  1260  		t.Fatal("Failed getting AES_256 key. Key should be symmetric")
  1261  	}
  1262  
  1263  	// Check that the SKIs are the same
  1264  	if !bytes.Equal(k.SKI(), k2.SKI()) {
  1265  		t.Fatalf("SKIs are different [%x]!=[%x]", k.SKI(), k2.SKI())
  1266  	}
  1267  
  1268  }
  1269  
  1270  func TestSHA(t *testing.T) {
  1271  	if testing.Short() {
  1272  		t.Skip("Skipping TestSHA")
  1273  	}
  1274  	for i := 0; i < 100; i++ {
  1275  		b, err := sw.GetRandomBytes(i)
  1276  		if err != nil {
  1277  			t.Fatalf("Failed getting random bytes [%s]", err)
  1278  		}
  1279  
  1280  		h1, err := currentBCCSP.Hash(b, &bccsp.SHAOpts{})
  1281  		if err != nil {
  1282  			t.Fatalf("Failed computing SHA [%s]", err)
  1283  		}
  1284  
  1285  		var h hash.Hash
  1286  		switch currentTestConfig.hashFamily {
  1287  		case "SHA2":
  1288  			switch currentTestConfig.securityLevel {
  1289  			case 256:
  1290  				h = sha256.New()
  1291  			case 384:
  1292  				h = sha512.New384()
  1293  			default:
  1294  				t.Fatalf("Invalid security level [%d]", currentTestConfig.securityLevel)
  1295  			}
  1296  		case "SHA3":
  1297  			switch currentTestConfig.securityLevel {
  1298  			case 256:
  1299  				h = sha3.New256()
  1300  			case 384:
  1301  				h = sha3.New384()
  1302  			default:
  1303  				t.Fatalf("Invalid security level [%d]", currentTestConfig.securityLevel)
  1304  			}
  1305  		default:
  1306  			t.Fatalf("Invalid hash family [%s]", currentTestConfig.hashFamily)
  1307  		}
  1308  
  1309  		h.Write(b)
  1310  		h2 := h.Sum(nil)
  1311  		if !bytes.Equal(h1, h2) {
  1312  			t.Fatalf("Discrempancy found in HASH result [%x], [%x]!=[%x]", b, h1, h2)
  1313  		}
  1314  	}
  1315  }
  1316  
  1317  func getCryptoHashIndex(t *testing.T) crypto.Hash {
  1318  	switch currentTestConfig.hashFamily {
  1319  	case "SHA2":
  1320  		switch currentTestConfig.securityLevel {
  1321  		case 256:
  1322  			return crypto.SHA256
  1323  		case 384:
  1324  			return crypto.SHA384
  1325  		default:
  1326  			t.Fatalf("Invalid security level [%d]", currentTestConfig.securityLevel)
  1327  		}
  1328  	case "SHA3":
  1329  		switch currentTestConfig.securityLevel {
  1330  		case 256:
  1331  			return crypto.SHA3_256
  1332  		case 384:
  1333  			return crypto.SHA3_384
  1334  		default:
  1335  			t.Fatalf("Invalid security level [%d]", currentTestConfig.securityLevel)
  1336  		}
  1337  	default:
  1338  		t.Fatalf("Invalid hash family [%s]", currentTestConfig.hashFamily)
  1339  	}
  1340  
  1341  	return crypto.SHA3_256
  1342  }