...

Source file src/golang.org/x/crypto/internal/wycheproof/rsa_pss_test.go

Documentation: golang.org/x/crypto/internal/wycheproof 

     1  // Copyright 2019 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  package wycheproof
     6  
     7  import (
     8  	"crypto/rsa"
     9  	"testing"
    10  )
    11  
    12  func TestRsaPss(t *testing.T) {
    13  	// KeyJwk Public key in JWK format
    14  	type KeyJwk struct {
    15  	}
    16  
    17  	// Notes a description of the labels used in the test vectors
    18  	type Notes struct {
    19  	}
    20  
    21  	// SignatureTestVector
    22  	type SignatureTestVector struct {
    23  
    24  		// A brief description of the test case
    25  		Comment string `json:"comment,omitempty"`
    26  
    27  		// A list of flags
    28  		Flags []string `json:"flags,omitempty"`
    29  
    30  		// The message to sign
    31  		Msg string `json:"msg,omitempty"`
    32  
    33  		// Test result
    34  		Result string `json:"result,omitempty"`
    35  
    36  		// A signature for msg
    37  		Sig string `json:"sig,omitempty"`
    38  
    39  		// Identifier of the test case
    40  		TcId int `json:"tcId,omitempty"`
    41  	}
    42  
    43  	// RsassaPkcs1TestGroup
    44  	type RsassaPkcs1TestGroup struct {
    45  
    46  		// The private exponent
    47  		D string `json:"d,omitempty"`
    48  
    49  		// The public exponent
    50  		E string `json:"e,omitempty"`
    51  
    52  		// ASN encoding of the sequence [n, e]
    53  		KeyAsn string `json:"keyAsn,omitempty"`
    54  
    55  		// ASN encoding of the public key
    56  		KeyDer string `json:"keyDer,omitempty"`
    57  
    58  		// Public key in JWK format
    59  		KeyJwk *KeyJwk `json:"keyJwk,omitempty"`
    60  
    61  		// Pem encoded public key
    62  		KeyPem string `json:"keyPem,omitempty"`
    63  
    64  		// the size of the modulus in bits
    65  		KeySize int `json:"keySize,omitempty"`
    66  
    67  		// The modulus of the key
    68  		N string `json:"n,omitempty"`
    69  
    70  		// The salt length
    71  		SLen int `json:"sLen,omitempty"`
    72  
    73  		// the hash function used for the message
    74  		Sha   string                 `json:"sha,omitempty"`
    75  		Tests []*SignatureTestVector `json:"tests,omitempty"`
    76  		Type  interface{}            `json:"type,omitempty"`
    77  	}
    78  
    79  	// Root
    80  	type Root struct {
    81  
    82  		// the primitive tested in the test file
    83  		Algorithm string `json:"algorithm,omitempty"`
    84  
    85  		// the version of the test vectors.
    86  		GeneratorVersion string `json:"generatorVersion,omitempty"`
    87  
    88  		// additional documentation
    89  		Header []string `json:"header,omitempty"`
    90  
    91  		// a description of the labels used in the test vectors
    92  		Notes *Notes `json:"notes,omitempty"`
    93  
    94  		// the number of test vectors in this test
    95  		NumberOfTests int                     `json:"numberOfTests,omitempty"`
    96  		Schema        interface{}             `json:"schema,omitempty"`
    97  		TestGroups    []*RsassaPkcs1TestGroup `json:"testGroups,omitempty"`
    98  	}
    99  
   100  	flagsShouldPass := map[string]bool{
   101  		// A signature using a weaker hash than the EC params is not a security risk, as long as the hash is secure.
   102  		// https://www.imperialviolet.org/2014/05/25/strengthmatching.html
   103  		"WeakHash": true,
   104  	}
   105  
   106  	// filesOverrideToPassZeroSLen is a map of all test files
   107  	// and which TcIds that should be overridden to pass if the
   108  	// rsa.PSSOptions.SaltLength is zero.
   109  	// These tests expect a failure with a PSSOptions.SaltLength: 0
   110  	// and a signature that uses a different salt length. However,
   111  	// a salt length of 0 is defined as rsa.PSSSaltLengthAuto which
   112  	// works deterministically to auto-detect the length when
   113  	// verifying, so these tests actually pass as they should.
   114  	filesOverrideToPassZeroSLen := map[string][]int{
   115  		"rsa_pss_2048_sha1_mgf1_20_test.json":   []int{46, 47},
   116  		"rsa_pss_2048_sha256_mgf1_0_test.json":  []int{67, 68},
   117  		"rsa_pss_2048_sha256_mgf1_32_test.json": []int{67, 68},
   118  		"rsa_pss_3072_sha256_mgf1_32_test.json": []int{67, 68},
   119  		"rsa_pss_4096_sha256_mgf1_32_test.json": []int{67, 68},
   120  		"rsa_pss_4096_sha512_mgf1_32_test.json": []int{136, 137},
   121  		// "rsa_pss_misc_test.json": nil,  // TODO: This ones seems to be broken right now, but can enable later on.
   122  	}
   123  
   124  	if !boringcryptoEnabled {
   125  		// boringcrypto doesn't support the truncated SHA-512 hashes, so only
   126  		// test them if boringcrypto isn't enabled.
   127  		filesOverrideToPassZeroSLen["rsa_pss_2048_sha512_256_mgf1_28_test.json"] = []int{13, 14, 15}
   128  		filesOverrideToPassZeroSLen["rsa_pss_2048_sha512_256_mgf1_32_test.json"] = []int{13, 14}
   129  	}
   130  
   131  	for f := range filesOverrideToPassZeroSLen {
   132  		var root Root
   133  		readTestVector(t, f, &root)
   134  		for _, tg := range root.TestGroups {
   135  			pub := decodePublicKey(tg.KeyDer).(*rsa.PublicKey)
   136  			ch := parseHash(tg.Sha)
   137  			h := ch.New()
   138  			opts := &rsa.PSSOptions{
   139  				Hash:       ch,
   140  				SaltLength: rsa.PSSSaltLengthAuto,
   141  			}
   142  			// Run all the tests twice: the first time with the salt length
   143  			// as PSSSaltLengthAuto, and the second time with the salt length
   144  			// explictily set to tg.SLen.
   145  			for i := 0; i < 2; i++ {
   146  				for _, sig := range tg.Tests {
   147  					h.Reset()
   148  					h.Write(decodeHex(sig.Msg))
   149  					hashed := h.Sum(nil)
   150  					err := rsa.VerifyPSS(pub, ch, hashed, decodeHex(sig.Sig), opts)
   151  					want := shouldPass(sig.Result, sig.Flags, flagsShouldPass)
   152  					if opts.SaltLength == 0 {
   153  						for _, id := range filesOverrideToPassZeroSLen[f] {
   154  							if sig.TcId == id {
   155  								want = true
   156  								break
   157  							}
   158  						}
   159  					}
   160  					if (err == nil) != want {
   161  						t.Errorf("file: %v, tcid: %d, type: %s, opts.SaltLength: %v, comment: %q, wanted success: %t", f, sig.TcId, sig.Result, opts.SaltLength, sig.Comment, want)
   162  					}
   163  				}
   164  				// Update opts.SaltLength for the second run of the tests.
   165  				opts.SaltLength = tg.SLen
   166  			}
   167  		}
   168  	}
   169  }
   170  

View as plain text