pss_test.go

     1  // Copyright 2013 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  package rsa
     6  
     7  import (
     8  	"bufio"
     9  	"bytes"
    10  	"compress/bzip2"
    11  	"crypto"
    12  	_ "crypto/md5"
    13  	"crypto/rand"
    14  	"crypto/sha1"
    15  	"crypto/sha256"
    16  	"encoding/hex"
    17  	"math/big"
    18  	"os"
    19  	"strconv"
    20  	"strings"
    21  	"testing"
    22  )
    23  
    24  func TestEMSAPSS(t *testing.T) {
    25  	// Test vector in file pss-int.txt from: ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip
    26  	msg := []byte{
    27  		0x85, 0x9e, 0xef, 0x2f, 0xd7, 0x8a, 0xca, 0x00, 0x30, 0x8b,
    28  		0xdc, 0x47, 0x11, 0x93, 0xbf, 0x55, 0xbf, 0x9d, 0x78, 0xdb,
    29  		0x8f, 0x8a, 0x67, 0x2b, 0x48, 0x46, 0x34, 0xf3, 0xc9, 0xc2,
    30  		0x6e, 0x64, 0x78, 0xae, 0x10, 0x26, 0x0f, 0xe0, 0xdd, 0x8c,
    31  		0x08, 0x2e, 0x53, 0xa5, 0x29, 0x3a, 0xf2, 0x17, 0x3c, 0xd5,
    32  		0x0c, 0x6d, 0x5d, 0x35, 0x4f, 0xeb, 0xf7, 0x8b, 0x26, 0x02,
    33  		0x1c, 0x25, 0xc0, 0x27, 0x12, 0xe7, 0x8c, 0xd4, 0x69, 0x4c,
    34  		0x9f, 0x46, 0x97, 0x77, 0xe4, 0x51, 0xe7, 0xf8, 0xe9, 0xe0,
    35  		0x4c, 0xd3, 0x73, 0x9c, 0x6b, 0xbf, 0xed, 0xae, 0x48, 0x7f,
    36  		0xb5, 0x56, 0x44, 0xe9, 0xca, 0x74, 0xff, 0x77, 0xa5, 0x3c,
    37  		0xb7, 0x29, 0x80, 0x2f, 0x6e, 0xd4, 0xa5, 0xff, 0xa8, 0xba,
    38  		0x15, 0x98, 0x90, 0xfc,
    39  	}
    40  	salt := []byte{
    41  		0xe3, 0xb5, 0xd5, 0xd0, 0x02, 0xc1, 0xbc, 0xe5, 0x0c, 0x2b,
    42  		0x65, 0xef, 0x88, 0xa1, 0x88, 0xd8, 0x3b, 0xce, 0x7e, 0x61,
    43  	}
    44  	expected := []byte{
    45  		0x66, 0xe4, 0x67, 0x2e, 0x83, 0x6a, 0xd1, 0x21, 0xba, 0x24,
    46  		0x4b, 0xed, 0x65, 0x76, 0xb8, 0x67, 0xd9, 0xa4, 0x47, 0xc2,
    47  		0x8a, 0x6e, 0x66, 0xa5, 0xb8, 0x7d, 0xee, 0x7f, 0xbc, 0x7e,
    48  		0x65, 0xaf, 0x50, 0x57, 0xf8, 0x6f, 0xae, 0x89, 0x84, 0xd9,
    49  		0xba, 0x7f, 0x96, 0x9a, 0xd6, 0xfe, 0x02, 0xa4, 0xd7, 0x5f,
    50  		0x74, 0x45, 0xfe, 0xfd, 0xd8, 0x5b, 0x6d, 0x3a, 0x47, 0x7c,
    51  		0x28, 0xd2, 0x4b, 0xa1, 0xe3, 0x75, 0x6f, 0x79, 0x2d, 0xd1,
    52  		0xdc, 0xe8, 0xca, 0x94, 0x44, 0x0e, 0xcb, 0x52, 0x79, 0xec,
    53  		0xd3, 0x18, 0x3a, 0x31, 0x1f, 0xc8, 0x96, 0xda, 0x1c, 0xb3,
    54  		0x93, 0x11, 0xaf, 0x37, 0xea, 0x4a, 0x75, 0xe2, 0x4b, 0xdb,
    55  		0xfd, 0x5c, 0x1d, 0xa0, 0xde, 0x7c, 0xec, 0xdf, 0x1a, 0x89,
    56  		0x6f, 0x9d, 0x8b, 0xc8, 0x16, 0xd9, 0x7c, 0xd7, 0xa2, 0xc4,
    57  		0x3b, 0xad, 0x54, 0x6f, 0xbe, 0x8c, 0xfe, 0xbc,
    58  	}
    59  
    60  	hash := sha1.New()
    61  	hash.Write(msg)
    62  	hashed := hash.Sum(nil)
    63  
    64  	encoded, err := emsaPSSEncode(hashed, 1023, salt, sha1.New())
    65  	if err != nil {
    66  		t.Errorf("Error from emsaPSSEncode: %s\n", err)
    67  	}
    68  	if !bytes.Equal(encoded, expected) {
    69  		t.Errorf("Bad encoding. got %x, want %x", encoded, expected)
    70  	}
    71  
    72  	if err = emsaPSSVerify(hashed, encoded, 1023, len(salt), sha1.New()); err != nil {
    73  		t.Errorf("Bad verification: %s", err)
    74  	}
    75  }
    76  
    77  // TestPSSGolden tests all the test vectors in pss-vect.txt from
    78  // ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip
    79  func TestPSSGolden(t *testing.T) {
    80  	inFile, err := os.Open("testdata/pss-vect.txt.bz2")
    81  	if err != nil {
    82  		t.Fatalf("Failed to open input file: %s", err)
    83  	}
    84  	defer inFile.Close()
    85  
    86  	// The pss-vect.txt file contains RSA keys and then a series of
    87  	// signatures. A goroutine is used to preprocess the input by merging
    88  	// lines, removing spaces in hex values and identifying the start of
    89  	// new keys and signature blocks.
    90  	const newKeyMarker = "START NEW KEY"
    91  	const newSignatureMarker = "START NEW SIGNATURE"
    92  
    93  	values := make(chan string)
    94  
    95  	go func() {
    96  		defer close(values)
    97  		scanner := bufio.NewScanner(bzip2.NewReader(inFile))
    98  		var partialValue string
    99  		lastWasValue := true
   100  
   101  		for scanner.Scan() {
   102  			line := scanner.Text()
   103  			switch {
   104  			case len(line) == 0:
   105  				if len(partialValue) > 0 {
   106  					values <- strings.ReplaceAll(partialValue, " ", "")
   107  					partialValue = ""
   108  					lastWasValue = true
   109  				}
   110  				continue
   111  			case strings.HasPrefix(line, "# ======") && lastWasValue:
   112  				values <- newKeyMarker
   113  				lastWasValue = false
   114  			case strings.HasPrefix(line, "# ------") && lastWasValue:
   115  				values <- newSignatureMarker
   116  				lastWasValue = false
   117  			case strings.HasPrefix(line, "#"):
   118  				continue
   119  			default:
   120  				partialValue += line
   121  			}
   122  		}
   123  		if err := scanner.Err(); err != nil {
   124  			panic(err)
   125  		}
   126  	}()
   127  
   128  	var key *PublicKey
   129  	var hashed []byte
   130  	hash := crypto.SHA1
   131  	h := hash.New()
   132  	opts := &PSSOptions{
   133  		SaltLength: PSSSaltLengthEqualsHash,
   134  	}
   135  
   136  	for marker := range values {
   137  		switch marker {
   138  		case newKeyMarker:
   139  			key = new(PublicKey)
   140  			nHex, ok := <-values
   141  			if !ok {
   142  				continue
   143  			}
   144  			key.N = bigFromHex(nHex)
   145  			key.E = intFromHex(<-values)
   146  			// We don't care for d, p, q, dP, dQ or qInv.
   147  			for i := 0; i < 6; i++ {
   148  				<-values
   149  			}
   150  		case newSignatureMarker:
   151  			msg := fromHex(<-values)
   152  			<-values // skip salt
   153  			sig := fromHex(<-values)
   154  
   155  			h.Reset()
   156  			h.Write(msg)
   157  			hashed = h.Sum(hashed[:0])
   158  
   159  			if err := VerifyPSS(key, hash, hashed, sig, opts); err != nil {
   160  				t.Error(err)
   161  			}
   162  		default:
   163  			t.Fatalf("unknown marker: " + marker)
   164  		}
   165  	}
   166  }
   167  
   168  // TestPSSOpenSSL ensures that we can verify a PSS signature from OpenSSL with
   169  // the default options. OpenSSL sets the salt length to be maximal.
   170  func TestPSSOpenSSL(t *testing.T) {
   171  	hash := crypto.SHA256
   172  	h := hash.New()
   173  	h.Write([]byte("testing"))
   174  	hashed := h.Sum(nil)
   175  
   176  	// Generated with `echo -n testing | openssl dgst -sign key.pem -sigopt rsa_padding_mode:pss -sha256 > sig`
   177  	sig := []byte{
   178  		0x95, 0x59, 0x6f, 0xd3, 0x10, 0xa2, 0xe7, 0xa2, 0x92, 0x9d,
   179  		0x4a, 0x07, 0x2e, 0x2b, 0x27, 0xcc, 0x06, 0xc2, 0x87, 0x2c,
   180  		0x52, 0xf0, 0x4a, 0xcc, 0x05, 0x94, 0xf2, 0xc3, 0x2e, 0x20,
   181  		0xd7, 0x3e, 0x66, 0x62, 0xb5, 0x95, 0x2b, 0xa3, 0x93, 0x9a,
   182  		0x66, 0x64, 0x25, 0xe0, 0x74, 0x66, 0x8c, 0x3e, 0x92, 0xeb,
   183  		0xc6, 0xe6, 0xc0, 0x44, 0xf3, 0xb4, 0xb4, 0x2e, 0x8c, 0x66,
   184  		0x0a, 0x37, 0x9c, 0x69,
   185  	}
   186  
   187  	if err := VerifyPSS(&rsaPrivateKey.PublicKey, hash, hashed, sig, nil); err != nil {
   188  		t.Error(err)
   189  	}
   190  }
   191  
   192  func TestPSSNilOpts(t *testing.T) {
   193  	hash := crypto.SHA256
   194  	h := hash.New()
   195  	h.Write([]byte("testing"))
   196  	hashed := h.Sum(nil)
   197  
   198  	SignPSS(rand.Reader, rsaPrivateKey, hash, hashed, nil)
   199  }
   200  
   201  func TestPSSSigning(t *testing.T) {
   202  	var saltLengthCombinations = []struct {
   203  		signSaltLength, verifySaltLength int
   204  		good                             bool
   205  	}{
   206  		{PSSSaltLengthAuto, PSSSaltLengthAuto, true},
   207  		{PSSSaltLengthEqualsHash, PSSSaltLengthAuto, true},
   208  		{PSSSaltLengthEqualsHash, PSSSaltLengthEqualsHash, true},
   209  		{PSSSaltLengthEqualsHash, 8, false},
   210  		{PSSSaltLengthAuto, PSSSaltLengthEqualsHash, false},
   211  		{8, 8, true},
   212  	}
   213  
   214  	hash := crypto.MD5
   215  	h := hash.New()
   216  	h.Write([]byte("testing"))
   217  	hashed := h.Sum(nil)
   218  	var opts PSSOptions
   219  
   220  	for i, test := range saltLengthCombinations {
   221  		opts.SaltLength = test.signSaltLength
   222  		sig, err := SignPSS(rand.Reader, rsaPrivateKey, hash, hashed, &opts)
   223  		if err != nil {
   224  			t.Errorf("#%d: error while signing: %s", i, err)
   225  			continue
   226  		}
   227  
   228  		opts.SaltLength = test.verifySaltLength
   229  		err = VerifyPSS(&rsaPrivateKey.PublicKey, hash, hashed, sig, &opts)
   230  		if (err == nil) != test.good {
   231  			t.Errorf("#%d: bad result, wanted: %t, got: %s", i, test.good, err)
   232  		}
   233  	}
   234  }
   235  
   236  func TestSignWithPSSSaltLengthAuto(t *testing.T) {
   237  	key, err := GenerateKey(rand.Reader, 513)
   238  	if err != nil {
   239  		t.Fatal(err)
   240  	}
   241  	digest := sha256.Sum256([]byte("message"))
   242  	signature, err := key.Sign(rand.Reader, digest[:], &PSSOptions{
   243  		SaltLength: PSSSaltLengthAuto,
   244  		Hash:       crypto.SHA256,
   245  	})
   246  	if err != nil {
   247  		t.Fatal(err)
   248  	}
   249  	if len(signature) == 0 {
   250  		t.Fatal("empty signature returned")
   251  	}
   252  }
   253  
   254  func bigFromHex(hex string) *big.Int {
   255  	n, ok := new(big.Int).SetString(hex, 16)
   256  	if !ok {
   257  		panic("bad hex: " + hex)
   258  	}
   259  	return n
   260  }
   261  
   262  func intFromHex(hex string) int {
   263  	i, err := strconv.ParseInt(hex, 16, 32)
   264  	if err != nil {
   265  		panic(err)
   266  	}
   267  	return int(i)
   268  }
   269  
   270  func fromHex(hexStr string) []byte {
   271  	s, err := hex.DecodeString(hexStr)
   272  	if err != nil {
   273  		panic(err)
   274  	}
   275  	return s
   276  }
   277
View as plain text