1 // Copyright 2018 Google LLC
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 // http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 //
15 ////////////////////////////////////////////////////////////////////////////////
16
17 #include "tink/signature/rsa_ssa_pkcs1_sign_key_manager.h"
18
19 #include <string>
20
21 #include "gmock/gmock.h"
22 #include "gtest/gtest.h"
23 #include "absl/container/flat_hash_set.h"
24 #include "openssl/rsa.h"
25 #include "tink/internal/bn_util.h"
26 #include "tink/internal/ssl_unique_ptr.h"
27 #include "tink/public_key_sign.h"
28 #include "tink/signature/rsa_ssa_pkcs1_verify_key_manager.h"
29 #include "tink/subtle/rsa_ssa_pkcs1_verify_boringssl.h"
30 #include "tink/util/status.h"
31 #include "tink/util/statusor.h"
32 #include "tink/util/test_matchers.h"
33 #include "tink/util/test_util.h"
34 #include "proto/rsa_ssa_pkcs1.pb.h"
35 #include "proto/tink.pb.h"
36
37 namespace crypto {
38 namespace tink {
39 namespace {
40
41 using ::crypto::tink::test::IsOk;
42 using ::crypto::tink::util::StatusOr;
43 using ::google::crypto::tink::HashType;
44 using ::google::crypto::tink::KeyData;
45 using ::google::crypto::tink::RsaSsaPkcs1KeyFormat;
46 using ::google::crypto::tink::RsaSsaPkcs1PrivateKey;
47 using ::google::crypto::tink::RsaSsaPkcs1PublicKey;
48 using ::testing::Eq;
49 using ::testing::Not;
50 using ::testing::SizeIs;
51
TEST(RsaSsaPkcsSignKeyManagerTest,Basic)52 TEST(RsaSsaPkcsSignKeyManagerTest, Basic) {
53 EXPECT_THAT(RsaSsaPkcs1SignKeyManager().get_version(), Eq(0));
54 EXPECT_THAT(RsaSsaPkcs1SignKeyManager().key_material_type(),
55 Eq(KeyData::ASYMMETRIC_PRIVATE));
56 EXPECT_THAT(
57 RsaSsaPkcs1SignKeyManager().get_key_type(),
58 Eq("type.googleapis.com/google.crypto.tink.RsaSsaPkcs1PrivateKey"));
59 }
60
CreateKeyFormat(HashType hash_type,int modulus_size_in_bits,int public_exponent)61 RsaSsaPkcs1KeyFormat CreateKeyFormat(HashType hash_type,
62 int modulus_size_in_bits,
63 int public_exponent) {
64 RsaSsaPkcs1KeyFormat key_format;
65 auto params = key_format.mutable_params();
66 params->set_hash_type(hash_type);
67 key_format.set_modulus_size_in_bits(modulus_size_in_bits);
68 internal::SslUniquePtr<BIGNUM> e(BN_new());
69 BN_set_word(e.get(), public_exponent);
70 key_format.set_public_exponent(
71 internal::BignumToString(e.get(), BN_num_bytes(e.get())).value());
72 return key_format;
73 }
74
ValidKeyFormat()75 RsaSsaPkcs1KeyFormat ValidKeyFormat() {
76 return CreateKeyFormat(HashType::SHA256, 3072, RSA_F4);
77 }
78
TEST(RsaSsaPkcs1SignKeyManagerTest,ValidateKeyFormat)79 TEST(RsaSsaPkcs1SignKeyManagerTest, ValidateKeyFormat) {
80 EXPECT_THAT(RsaSsaPkcs1SignKeyManager().ValidateKeyFormat(ValidKeyFormat()),
81 IsOk());
82 }
83
TEST(RsaSsaPkcs1SignKeyManagerTest,ValidateKeyFormatSha384Allowed)84 TEST(RsaSsaPkcs1SignKeyManagerTest, ValidateKeyFormatSha384Allowed) {
85 RsaSsaPkcs1KeyFormat key_format = ValidKeyFormat();
86 key_format.mutable_params()->set_hash_type(HashType::SHA384);
87 EXPECT_THAT(RsaSsaPkcs1SignKeyManager().ValidateKeyFormat(key_format),
88 IsOk());
89 }
90
TEST(RsaSsaPkcs1SignKeyManagerTest,ValidateKeyFormatSha512Allowed)91 TEST(RsaSsaPkcs1SignKeyManagerTest, ValidateKeyFormatSha512Allowed) {
92 RsaSsaPkcs1KeyFormat key_format = ValidKeyFormat();
93 key_format.mutable_params()->set_hash_type(HashType::SHA512);
94 EXPECT_THAT(RsaSsaPkcs1SignKeyManager().ValidateKeyFormat(key_format),
95 IsOk());
96 }
97
TEST(RsaSsaPkcs1SignKeyManagerTest,ValidateKeyFormatSha1Disallowed)98 TEST(RsaSsaPkcs1SignKeyManagerTest, ValidateKeyFormatSha1Disallowed) {
99 RsaSsaPkcs1KeyFormat key_format = ValidKeyFormat();
100 key_format.mutable_params()->set_hash_type(HashType::SHA1);
101 EXPECT_THAT(RsaSsaPkcs1SignKeyManager().ValidateKeyFormat(key_format),
102 Not(IsOk()));
103 }
104
TEST(RsaSsaPkcs1SignKeyManagerTest,ValidateKeyFormatUnkownHashDisallowed)105 TEST(RsaSsaPkcs1SignKeyManagerTest, ValidateKeyFormatUnkownHashDisallowed) {
106 RsaSsaPkcs1KeyFormat key_format = ValidKeyFormat();
107 key_format.mutable_params()->set_hash_type(HashType::UNKNOWN_HASH);
108 EXPECT_THAT(RsaSsaPkcs1SignKeyManager().ValidateKeyFormat(key_format),
109 Not(IsOk()));
110 }
111
TEST(RsaSsaPkcs1SignKeyManagerTest,ValidateKeyFormatSmallModulusDisallowed)112 TEST(RsaSsaPkcs1SignKeyManagerTest, ValidateKeyFormatSmallModulusDisallowed) {
113 RsaSsaPkcs1KeyFormat key_format = ValidKeyFormat();
114 key_format.set_modulus_size_in_bits(2047);
115 EXPECT_THAT(RsaSsaPkcs1SignKeyManager().ValidateKeyFormat(key_format),
116 Not(IsOk()));
117 }
118
119 // Checks whether given key is compatible with the given format.
CheckNewKey(const RsaSsaPkcs1PrivateKey & private_key,const RsaSsaPkcs1KeyFormat & key_format)120 void CheckNewKey(const RsaSsaPkcs1PrivateKey& private_key,
121 const RsaSsaPkcs1KeyFormat& key_format) {
122 RsaSsaPkcs1SignKeyManager key_manager;
123 RsaSsaPkcs1PublicKey public_key = private_key.public_key();
124 EXPECT_EQ(0, private_key.version());
125 EXPECT_TRUE(private_key.has_public_key());
126 EXPECT_EQ(0, public_key.version());
127 EXPECT_GT(public_key.n().length(), 0);
128 EXPECT_GT(public_key.e().length(), 0);
129 EXPECT_EQ(public_key.params().SerializeAsString(),
130 key_format.params().SerializeAsString());
131 EXPECT_EQ(key_format.public_exponent(), public_key.e());
132 util::StatusOr<internal::SslUniquePtr<BIGNUM>> n =
133 internal::StringToBignum(public_key.n());
134 ASSERT_THAT(n, IsOk());
135 util::StatusOr<internal::SslUniquePtr<BIGNUM>> d =
136 internal::StringToBignum(private_key.d());
137 ASSERT_THAT(d, IsOk());
138 util::StatusOr<internal::SslUniquePtr<BIGNUM>> p =
139 internal::StringToBignum(private_key.p());
140 ASSERT_THAT(p, IsOk());
141 util::StatusOr<internal::SslUniquePtr<BIGNUM>> q =
142 internal::StringToBignum(private_key.q());
143 ASSERT_THAT(q, IsOk());
144 util::StatusOr<internal::SslUniquePtr<BIGNUM>> dp =
145 internal::StringToBignum(private_key.dp());
146 ASSERT_THAT(dp, IsOk());
147 util::StatusOr<internal::SslUniquePtr<BIGNUM>> dq =
148 internal::StringToBignum(private_key.dq());
149 ASSERT_THAT(dq, IsOk());
150 internal::SslUniquePtr<BN_CTX> ctx(BN_CTX_new());
151
152 // Check n = p * q.
153 auto n_calc = internal::SslUniquePtr<BIGNUM>(BN_new());
154 EXPECT_TRUE(BN_mul(n_calc.get(), p->get(), q->get(), ctx.get()));
155 EXPECT_EQ(BN_cmp(n_calc.get(), n->get()), 0);
156
157 // Check n size >= modulus_size_in_bits bit.
158 EXPECT_GE(BN_num_bits(n->get()), key_format.modulus_size_in_bits());
159
160 // dp = d mod (p - 1)
161 auto pm1 = internal::SslUniquePtr<BIGNUM>(BN_dup(p->get()));
162 EXPECT_TRUE(BN_sub_word(pm1.get(), 1));
163 auto dp_calc = internal::SslUniquePtr<BIGNUM>(BN_new());
164 EXPECT_TRUE(BN_mod(dp_calc.get(), d->get(), pm1.get(), ctx.get()));
165 EXPECT_EQ(BN_cmp(dp_calc.get(), dp->get()), 0);
166
167 // dq = d mod (q - 1)
168 auto qm1 = internal::SslUniquePtr<BIGNUM>(BN_dup(q->get()));
169 EXPECT_TRUE(BN_sub_word(qm1.get(), 1));
170 auto dq_calc = internal::SslUniquePtr<BIGNUM>(BN_new());
171 EXPECT_TRUE(BN_mod(dq_calc.get(), d->get(), qm1.get(), ctx.get()));
172 EXPECT_EQ(BN_cmp(dq_calc.get(), dq->get()), 0);
173 }
174
TEST(RsaSsaPkcs1SignKeyManagerTest,CreateKey)175 TEST(RsaSsaPkcs1SignKeyManagerTest, CreateKey) {
176 RsaSsaPkcs1KeyFormat key_format =
177 CreateKeyFormat(HashType::SHA256, 3072, RSA_F4);
178 StatusOr<RsaSsaPkcs1PrivateKey> private_key_or =
179 RsaSsaPkcs1SignKeyManager().CreateKey(key_format);
180 ASSERT_THAT(private_key_or, IsOk());
181 CheckNewKey(private_key_or.value(), key_format);
182 }
183
TEST(RsaSsaPkcs1SignKeyManagerTest,CreateKeySmallKey)184 TEST(RsaSsaPkcs1SignKeyManagerTest, CreateKeySmallKey) {
185 RsaSsaPkcs1KeyFormat key_format =
186 CreateKeyFormat(HashType::SHA256, 2048, RSA_F4);
187
188 StatusOr<RsaSsaPkcs1PrivateKey> private_key_or =
189 RsaSsaPkcs1SignKeyManager().CreateKey(key_format);
190 ASSERT_THAT(private_key_or, IsOk());
191 CheckNewKey(private_key_or.value(), key_format);
192 }
193
TEST(RsaSsaPkcs1SignKeyManagerTest,CreateKeyLargeKey)194 TEST(RsaSsaPkcs1SignKeyManagerTest, CreateKeyLargeKey) {
195 RsaSsaPkcs1KeyFormat key_format =
196 CreateKeyFormat(HashType::SHA512, 4096, RSA_F4);
197
198 StatusOr<RsaSsaPkcs1PrivateKey> private_key_or =
199 RsaSsaPkcs1SignKeyManager().CreateKey(key_format);
200 ASSERT_THAT(private_key_or, IsOk());
201 CheckNewKey(private_key_or.value(), key_format);
202 }
203
TEST(RsaSsaPkcs1SignKeyManagerTest,CreateKeyValid)204 TEST(RsaSsaPkcs1SignKeyManagerTest, CreateKeyValid) {
205 StatusOr<RsaSsaPkcs1PrivateKey> key_or =
206 RsaSsaPkcs1SignKeyManager().CreateKey(ValidKeyFormat());
207 ASSERT_THAT(key_or, IsOk());
208 EXPECT_THAT(RsaSsaPkcs1SignKeyManager().ValidateKey(key_or.value()), IsOk());
209 }
210
211 // Check that in a bunch of CreateKey calls all generated primes are distinct.
TEST(RsaSsaPkcs1SignKeyManagerTest,CreateKeyAlwaysNewRsaPair)212 TEST(RsaSsaPkcs1SignKeyManagerTest, CreateKeyAlwaysNewRsaPair) {
213 absl::flat_hash_set<std::string> keys;
214 // This test takes about a second per key.
215 int num_generated_keys = 5;
216 for (int i = 0; i < num_generated_keys; ++i) {
217 StatusOr<RsaSsaPkcs1PrivateKey> key_or =
218 RsaSsaPkcs1SignKeyManager().CreateKey(ValidKeyFormat());
219 ASSERT_THAT(key_or, IsOk());
220 keys.insert(key_or.value().p());
221 keys.insert(key_or.value().q());
222 }
223 EXPECT_THAT(keys, SizeIs(2 * num_generated_keys));
224 }
225
TEST(RsaSsaPkcs1SignKeyManagerTest,GetPublicKey)226 TEST(RsaSsaPkcs1SignKeyManagerTest, GetPublicKey) {
227 StatusOr<RsaSsaPkcs1PrivateKey> key_or =
228 RsaSsaPkcs1SignKeyManager().CreateKey(ValidKeyFormat());
229 ASSERT_THAT(key_or, IsOk());
230 StatusOr<RsaSsaPkcs1PublicKey> public_key_or =
231 RsaSsaPkcs1SignKeyManager().GetPublicKey(key_or.value());
232 ASSERT_THAT(public_key_or, IsOk());
233 EXPECT_THAT(public_key_or.value().version(),
234 Eq(key_or.value().public_key().version()));
235 EXPECT_THAT(public_key_or.value().params().hash_type(),
236 Eq(key_or.value().public_key().params().hash_type()));
237 EXPECT_THAT(public_key_or.value().n(), Eq(key_or.value().public_key().n()));
238 EXPECT_THAT(public_key_or.value().e(), Eq(key_or.value().public_key().e()));
239 }
240
TEST(EcdsaSignKeyManagerTest,Create)241 TEST(EcdsaSignKeyManagerTest, Create) {
242 RsaSsaPkcs1KeyFormat key_format =
243 CreateKeyFormat(HashType::SHA256, 3072, RSA_F4);
244 StatusOr<RsaSsaPkcs1PrivateKey> key_or =
245 RsaSsaPkcs1SignKeyManager().CreateKey(key_format);
246 ASSERT_THAT(key_or, IsOk());
247 RsaSsaPkcs1PrivateKey key = key_or.value();
248
249 auto signer_or = RsaSsaPkcs1SignKeyManager().GetPrimitive<PublicKeySign>(key);
250 ASSERT_THAT(signer_or, IsOk());
251
252 auto direct_verifier_or = subtle::RsaSsaPkcs1VerifyBoringSsl::New(
253 {key.public_key().n(), key.public_key().e()}, {subtle::HashType::SHA256});
254 ASSERT_THAT(direct_verifier_or, IsOk());
255
256 std::string message = "Some message";
257 EXPECT_THAT(direct_verifier_or.value()->Verify(
258 signer_or.value()->Sign(message).value(), message),
259 IsOk());
260 }
261
262 } // namespace
263 } // namespace tink
264 } // namespace crypto
265