1 // Copyright 2018 Google LLC
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 // http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 //
15 ////////////////////////////////////////////////////////////////////////////////
16
17 #include "tink/signature/rsa_ssa_pss_sign_key_manager.h"
18
19 #include <string>
20
21 #include "gmock/gmock.h"
22 #include "gtest/gtest.h"
23 #include "absl/container/flat_hash_set.h"
24 #include "openssl/rsa.h"
25 #include "tink/internal/bn_util.h"
26 #include "tink/internal/rsa_util.h"
27 #include "tink/internal/ssl_unique_ptr.h"
28 #include "tink/public_key_sign.h"
29 #include "tink/signature/rsa_ssa_pss_verify_key_manager.h"
30 #include "tink/signature/signature_key_templates.h"
31 #include "tink/subtle/rsa_ssa_pss_verify_boringssl.h"
32 #include "tink/util/status.h"
33 #include "tink/util/statusor.h"
34 #include "tink/util/test_matchers.h"
35 #include "tink/util/test_util.h"
36 #include "proto/rsa_ssa_pss.pb.h"
37
38 namespace crypto {
39 namespace tink {
40 namespace {
41
42 using ::crypto::tink::test::IsOk;
43 using ::crypto::tink::util::StatusOr;
44 using ::google::crypto::tink::HashType;
45 using ::google::crypto::tink::KeyData;
46 using ::google::crypto::tink::RsaSsaPssKeyFormat;
47 using ::google::crypto::tink::RsaSsaPssPrivateKey;
48 using ::google::crypto::tink::RsaSsaPssPublicKey;
49 using ::testing::Eq;
50 using ::testing::Gt;
51 using ::testing::Not;
52 using ::testing::SizeIs;
53
TEST(RsaSsaPssSignKeyManagerTest,Basic)54 TEST(RsaSsaPssSignKeyManagerTest, Basic) {
55 EXPECT_THAT(RsaSsaPssSignKeyManager().get_version(), Eq(0));
56 EXPECT_THAT(RsaSsaPssSignKeyManager().key_material_type(),
57 Eq(KeyData::ASYMMETRIC_PRIVATE));
58 EXPECT_THAT(RsaSsaPssSignKeyManager().get_key_type(),
59 Eq("type.googleapis.com/google.crypto.tink.RsaSsaPssPrivateKey"));
60 }
61
CreateKeyFormat(HashType sig_hash,HashType mgf1_hash,int salt_length,int modulus_size_in_bits,int public_exponent)62 RsaSsaPssKeyFormat CreateKeyFormat(HashType sig_hash, HashType mgf1_hash,
63 int salt_length, int modulus_size_in_bits,
64 int public_exponent) {
65 RsaSsaPssKeyFormat key_format;
66 auto params = key_format.mutable_params();
67 params->set_sig_hash(sig_hash);
68 params->set_mgf1_hash(mgf1_hash);
69 params->set_salt_length(salt_length);
70 key_format.set_modulus_size_in_bits(modulus_size_in_bits);
71
72 internal::SslUniquePtr<BIGNUM> e(BN_new());
73 BN_set_word(e.get(), public_exponent);
74 key_format.set_public_exponent(
75 internal::BignumToString(e.get(), BN_num_bytes(e.get())).value());
76
77 return key_format;
78 }
79
ValidKeyFormat()80 RsaSsaPssKeyFormat ValidKeyFormat() {
81 return CreateKeyFormat(HashType::SHA256, HashType::SHA256, 32, 3072, RSA_F4);
82 }
83
TEST(RsaSsaPssSignKeyManagerTest,ValidateKeyFormat)84 TEST(RsaSsaPssSignKeyManagerTest, ValidateKeyFormat) {
85 EXPECT_THAT(RsaSsaPssSignKeyManager().ValidateKeyFormat(ValidKeyFormat()),
86 IsOk());
87 }
88
TEST(RsaSsaPssSignKeyManagerTest,ValidateKeyFormatSha512Allowed)89 TEST(RsaSsaPssSignKeyManagerTest, ValidateKeyFormatSha512Allowed) {
90 RsaSsaPssKeyFormat key_format = ValidKeyFormat();
91 key_format.mutable_params()->set_sig_hash(HashType::SHA512);
92 key_format.mutable_params()->set_mgf1_hash(HashType::SHA512);
93 EXPECT_THAT(RsaSsaPssSignKeyManager().ValidateKeyFormat(ValidKeyFormat()),
94 IsOk());
95 }
96
TEST(RsaSsaPssSignKeyManagerTest,ValidateKeyFormatSha1Disallowed)97 TEST(RsaSsaPssSignKeyManagerTest, ValidateKeyFormatSha1Disallowed) {
98 RsaSsaPssKeyFormat key_format = ValidKeyFormat();
99 key_format.mutable_params()->set_sig_hash(HashType::SHA1);
100 EXPECT_THAT(RsaSsaPssSignKeyManager().ValidateKeyFormat(key_format),
101 Not(IsOk()));
102 }
103
TEST(RsaSsaPssSignKeyManagerTest,ValidateKeyFormatSmallModulusDisallowed)104 TEST(RsaSsaPssSignKeyManagerTest, ValidateKeyFormatSmallModulusDisallowed) {
105 RsaSsaPssKeyFormat key_format = ValidKeyFormat();
106 key_format.set_modulus_size_in_bits(512);
107 EXPECT_THAT(RsaSsaPssSignKeyManager().ValidateKeyFormat(key_format),
108 Not(IsOk()));
109 }
110
TEST(RsaSsaPssSignKeyManagerTest,ValidateKeyFormatHashMismatchDisallowed)111 TEST(RsaSsaPssSignKeyManagerTest, ValidateKeyFormatHashMismatchDisallowed) {
112 RsaSsaPssKeyFormat key_format = ValidKeyFormat();
113 key_format.mutable_params()->set_sig_hash(HashType::SHA512);
114 key_format.mutable_params()->set_mgf1_hash(HashType::SHA256);
115 EXPECT_THAT(RsaSsaPssSignKeyManager().ValidateKeyFormat(key_format),
116 Not(IsOk()));
117 }
118
TEST(RsaSsaPssSignKeyManagerTest,ValidateKeyFormatHashMismatchDisallowed2)119 TEST(RsaSsaPssSignKeyManagerTest, ValidateKeyFormatHashMismatchDisallowed2) {
120 RsaSsaPssKeyFormat key_format = ValidKeyFormat();
121 key_format.mutable_params()->set_sig_hash(HashType::SHA256);
122 key_format.mutable_params()->set_mgf1_hash(HashType::SHA512);
123 EXPECT_THAT(RsaSsaPssSignKeyManager().ValidateKeyFormat(key_format),
124 Not(IsOk()));
125 }
126
TEST(RsaSsaPssSignKeyManagerTest,ValidateKeyFormatUnkownHashDisallowed)127 TEST(RsaSsaPssSignKeyManagerTest, ValidateKeyFormatUnkownHashDisallowed) {
128 RsaSsaPssKeyFormat key_format = ValidKeyFormat();
129 key_format.mutable_params()->set_sig_hash(HashType::UNKNOWN_HASH);
130 key_format.mutable_params()->set_mgf1_hash(HashType::UNKNOWN_HASH);
131 EXPECT_THAT(RsaSsaPssSignKeyManager().ValidateKeyFormat(key_format),
132 Not(IsOk()));
133 }
134
135 // Runs several sanity checks, checking if a given private key fits a format.
CheckNewKey(const RsaSsaPssPrivateKey & private_key,const RsaSsaPssKeyFormat & key_format)136 void CheckNewKey(const RsaSsaPssPrivateKey& private_key,
137 const RsaSsaPssKeyFormat& key_format) {
138 RsaSsaPssPublicKey public_key = private_key.public_key();
139
140 EXPECT_THAT(private_key.version(), Eq(0));
141 EXPECT_THAT(private_key.version(), Eq(public_key.version()));
142 EXPECT_THAT(public_key.n().length(), Gt(0));
143 EXPECT_THAT(public_key.e().length(), Gt(0));
144 EXPECT_THAT(public_key.params().sig_hash(),
145 Eq(key_format.params().sig_hash()));
146 EXPECT_THAT(public_key.params().mgf1_hash(),
147 Eq(key_format.params().mgf1_hash()));
148 EXPECT_THAT(public_key.params().salt_length(),
149 Eq(key_format.params().salt_length()));
150
151 EXPECT_THAT(key_format.public_exponent(), Eq(public_key.e()));
152
153 util::StatusOr<internal::SslUniquePtr<BIGNUM>> n =
154 internal::StringToBignum(public_key.n());
155 ASSERT_THAT(n, IsOk());
156 util::StatusOr<internal::SslUniquePtr<BIGNUM>> d =
157 internal::StringToBignum(private_key.d());
158 ASSERT_THAT(d, IsOk());
159 util::StatusOr<internal::SslUniquePtr<BIGNUM>> p =
160 internal::StringToBignum(private_key.p());
161 ASSERT_THAT(p, IsOk());
162 util::StatusOr<internal::SslUniquePtr<BIGNUM>> q =
163 internal::StringToBignum(private_key.q());
164 ASSERT_THAT(q, IsOk());
165 util::StatusOr<internal::SslUniquePtr<BIGNUM>> dp =
166 internal::StringToBignum(private_key.dp());
167 ASSERT_THAT(dp, IsOk());
168 util::StatusOr<internal::SslUniquePtr<BIGNUM>> dq =
169 internal::StringToBignum(private_key.dq());
170 ASSERT_THAT(dq, IsOk());
171
172 internal::SslUniquePtr<BN_CTX> ctx(BN_CTX_new());
173
174 // Check n = p * q.
175 auto n_calc = internal::SslUniquePtr<BIGNUM>(BN_new());
176 EXPECT_TRUE(BN_mul(n_calc.get(), p->get(), q->get(), ctx.get()));
177 EXPECT_EQ(BN_cmp(n_calc.get(), n->get()), 0);
178
179 // Check n size >= modulus_size_in_bits bit.
180 EXPECT_GE(BN_num_bits(n->get()), key_format.modulus_size_in_bits());
181
182 // dp = d mod (p - 1)
183 auto pm1 = internal::SslUniquePtr<BIGNUM>(BN_dup(p->get()));
184 EXPECT_TRUE(BN_sub_word(pm1.get(), 1));
185 auto dp_calc = internal::SslUniquePtr<BIGNUM>(BN_new());
186 EXPECT_TRUE(BN_mod(dp_calc.get(), d->get(), pm1.get(), ctx.get()));
187 EXPECT_EQ(BN_cmp(dp_calc.get(), dp->get()), 0);
188
189 // dq = d mod (q - 1)
190 auto qm1 = internal::SslUniquePtr<BIGNUM>(BN_dup(q->get()));
191 EXPECT_TRUE(BN_sub_word(qm1.get(), 1));
192 auto dq_calc = internal::SslUniquePtr<BIGNUM>(BN_new());
193 EXPECT_TRUE(BN_mod(dq_calc.get(), d->get(), qm1.get(), ctx.get()));
194 EXPECT_EQ(BN_cmp(dq_calc.get(), dq->get()), 0);
195 }
196
TEST(RsaSsaPssSignKeyManagerTest,CreateKey)197 TEST(RsaSsaPssSignKeyManagerTest, CreateKey) {
198 RsaSsaPssKeyFormat key_format = ValidKeyFormat();
199 StatusOr<RsaSsaPssPrivateKey> private_key_or =
200 RsaSsaPssSignKeyManager().CreateKey(key_format);
201 ASSERT_THAT(private_key_or, IsOk());
202 CheckNewKey(private_key_or.value(), key_format);
203 }
204
TEST(RsaSsaPssSignKeyManagerTest,CreateKeySmallKey)205 TEST(RsaSsaPssSignKeyManagerTest, CreateKeySmallKey) {
206 RsaSsaPssKeyFormat key_format =
207 CreateKeyFormat(HashType::SHA256, HashType::SHA256, 32, 3072, RSA_F4);
208
209 StatusOr<RsaSsaPssPrivateKey> private_key_or =
210 RsaSsaPssSignKeyManager().CreateKey(key_format);
211 ASSERT_THAT(private_key_or, IsOk());
212 CheckNewKey(private_key_or.value(), key_format);
213 }
214
TEST(RsaSsaPssSignKeyManagerTest,CreateKeyLargeKey)215 TEST(RsaSsaPssSignKeyManagerTest, CreateKeyLargeKey) {
216 RsaSsaPssKeyFormat key_format =
217 CreateKeyFormat(HashType::SHA512, HashType::SHA512, 64, 4096, RSA_F4);
218
219 StatusOr<RsaSsaPssPrivateKey> private_key_or =
220 RsaSsaPssSignKeyManager().CreateKey(key_format);
221 ASSERT_THAT(private_key_or, IsOk());
222 CheckNewKey(private_key_or.value(), key_format);
223 }
224
TEST(RsaSsaPssSignKeyManagerTest,CreateKeyValid)225 TEST(RsaSsaPssSignKeyManagerTest, CreateKeyValid) {
226 StatusOr<RsaSsaPssPrivateKey> key_or =
227 RsaSsaPssSignKeyManager().CreateKey(ValidKeyFormat());
228 ASSERT_THAT(key_or, IsOk());
229 EXPECT_THAT(RsaSsaPssSignKeyManager().ValidateKey(key_or.value()), IsOk());
230 }
231
232 // Check that in a bunch of CreateKey calls all generated primes are distinct.
TEST(RsaSsaPssSignKeyManagerTest,CreateKeyAlwaysNewRsaPair)233 TEST(RsaSsaPssSignKeyManagerTest, CreateKeyAlwaysNewRsaPair) {
234 absl::flat_hash_set<std::string> keys;
235 // This test takes about a second per key.
236 int num_generated_keys = 5;
237 for (int i = 0; i < num_generated_keys; ++i) {
238 StatusOr<RsaSsaPssPrivateKey> key_or =
239 RsaSsaPssSignKeyManager().CreateKey(ValidKeyFormat());
240 ASSERT_THAT(key_or, IsOk());
241 keys.insert(key_or.value().p());
242 keys.insert(key_or.value().q());
243 }
244 EXPECT_THAT(keys, SizeIs(2 * num_generated_keys));
245 }
246
TEST(RsaSsaPssSignKeyManagerTest,GetPublicKey)247 TEST(RsaSsaPssSignKeyManagerTest, GetPublicKey) {
248 StatusOr<RsaSsaPssPrivateKey> key_or =
249 RsaSsaPssSignKeyManager().CreateKey(ValidKeyFormat());
250 ASSERT_THAT(key_or, IsOk());
251 StatusOr<RsaSsaPssPublicKey> public_key_or =
252 RsaSsaPssSignKeyManager().GetPublicKey(key_or.value());
253 ASSERT_THAT(public_key_or, IsOk());
254 EXPECT_THAT(public_key_or.value().version(),
255 Eq(key_or.value().public_key().version()));
256 EXPECT_THAT(public_key_or.value().n(), Eq(key_or.value().public_key().n()));
257 EXPECT_THAT(public_key_or.value().e(), Eq(key_or.value().public_key().e()));
258 }
259
TEST(RsaSsaPssSignKeyManagerTest,Create)260 TEST(RsaSsaPssSignKeyManagerTest, Create) {
261 RsaSsaPssKeyFormat key_format =
262 CreateKeyFormat(HashType::SHA256, HashType::SHA256, 32, 3072, RSA_F4);
263 StatusOr<RsaSsaPssPrivateKey> key_or =
264 RsaSsaPssSignKeyManager().CreateKey(key_format);
265 ASSERT_THAT(key_or, IsOk());
266 RsaSsaPssPrivateKey key = key_or.value();
267
268 auto signer_or = RsaSsaPssSignKeyManager().GetPrimitive<PublicKeySign>(key);
269 ASSERT_THAT(signer_or, IsOk());
270
271 internal::RsaSsaPssParams params;
272 params.sig_hash = subtle::HashType::SHA256;
273 params.mgf1_hash = subtle::HashType::SHA256;
274 params.salt_length = 32;
275 auto direct_verifier_or = subtle::RsaSsaPssVerifyBoringSsl::New(
276 {key.public_key().n(), key.public_key().e()}, params);
277
278 ASSERT_THAT(direct_verifier_or, IsOk());
279
280 std::string message = "Some message";
281 EXPECT_THAT(direct_verifier_or.value()->Verify(
282 signer_or.value()->Sign(message).value(), message),
283 IsOk());
284 }
285
TEST(RsaSsaPssSignKeyManagerTest,CreateWrongKey)286 TEST(RsaSsaPssSignKeyManagerTest, CreateWrongKey) {
287 RsaSsaPssKeyFormat key_format =
288 CreateKeyFormat(HashType::SHA256, HashType::SHA256, 32, 3072, RSA_F4);
289 StatusOr<RsaSsaPssPrivateKey> key_or =
290 RsaSsaPssSignKeyManager().CreateKey(key_format);
291 ASSERT_THAT(key_or, IsOk());
292 RsaSsaPssPrivateKey key = key_or.value();
293
294 auto signer_or = RsaSsaPssSignKeyManager().GetPrimitive<PublicKeySign>(key);
295
296 StatusOr<RsaSsaPssPrivateKey> second_key_or =
297 RsaSsaPssSignKeyManager().CreateKey(key_format);
298 ASSERT_THAT(second_key_or, IsOk());
299 RsaSsaPssPrivateKey second_key = second_key_or.value();
300
301 ASSERT_THAT(signer_or, IsOk());
302
303 internal::RsaSsaPssParams params;
304 params.sig_hash = subtle::HashType::SHA256;
305 params.mgf1_hash = subtle::HashType::SHA256;
306 params.salt_length = 32;
307 auto direct_verifier_or = subtle::RsaSsaPssVerifyBoringSsl::New(
308 {second_key.public_key().n(), second_key.public_key().e()}, params);
309
310 ASSERT_THAT(direct_verifier_or, IsOk());
311
312 std::string message = "Some message";
313 EXPECT_THAT(direct_verifier_or.value()->Verify(
314 signer_or.value()->Sign(message).value(), message),
315 Not(IsOk()));
316 }
317
318 } // namespace
319 } // namespace tink
320 } // namespace crypto
321