crypto-self-tests-pk: added RSA-PSS sign/verify tests

This also corrects the GOST R 34.10-2012-512-TC26-512-A self test. Relates: #597 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
author: Nikos Mavrogiannopoulos <nmav@redhat.com> 2018-11-19 14:07:39 +0100
committer: Nikos Mavrogiannopoulos <nmav@redhat.com> 2018-11-20 16:43:03 +0100
commit: 360f0b4f835a1b41796b0e518af168ae0598df2e (patch)
tree: 010bb1d65384aa694296e903b8998c45754d938e
parent: b2d8134916595b7be1f4ceb9bf1f3ce7fc09753d (diff)
download: gnutls-360f0b4f835a1b41796b0e518af168ae0598df2e.tar.gz
1 files changed, 28 insertions, 16 deletions
diff --git a/lib/crypto-selftests-pk.c b/lib/crypto-selftests-pk.c
index c7d1934f28..e42367a93f 100644
--- a/lib/crypto-selftests-pk.c
+++ b/lib/crypto-selftests-pk.c
@@ -184,7 +184,7 @@ static int test_rsa_enc(gnutls_pk_algorithm_t pk,
 }
 
 static int test_sig(gnutls_pk_algorithm_t pk,
-		    unsigned bits, gnutls_digest_algorithm_t dig)
+		    unsigned bits, gnutls_sign_algorithm_t sigalgo)
 {
 	int ret;
 	gnutls_datum_t sig = { NULL, 0 };
@@ -219,6 +219,8 @@ static int test_sig(gnutls_pk_algorithm_t pk,
 
 	if (pk == GNUTLS_PK_RSA) {
 		ret = gnutls_privkey_import_x509_raw(key, &raw_rsa_key, GNUTLS_X509_FMT_PEM, NULL, 0);
+	} else if (pk == GNUTLS_PK_RSA_PSS) {
+		ret = gnutls_privkey_import_x509_raw(key, &raw_rsa_key, GNUTLS_X509_FMT_PEM, NULL, 0);
 	} else if (pk == GNUTLS_PK_DSA) {
 		ret = gnutls_privkey_import_x509_raw(key, &raw_dsa_key, GNUTLS_X509_FMT_PEM, NULL, 0);
 	} else if (pk == GNUTLS_PK_ECC) {
@@ -245,14 +247,14 @@ static int test_sig(gnutls_pk_algorithm_t pk,
 		goto cleanup;
 	}
 
-	ret = gnutls_privkey_sign_data(key, dig, 0, &signed_data, &sig);
+	ret = gnutls_privkey_sign_data2(key, sigalgo, 0, &signed_data, &sig);
 	if (ret < 0) {
 		gnutls_assert();
 		goto cleanup;
 	}
 
 	ret =
-	    gnutls_pubkey_verify_data2(pub, gnutls_pk_to_sign(pk, dig), 0,
+	    gnutls_pubkey_verify_data2(pub, sigalgo, 0,
 				       &signed_data, &sig);
 	if (ret < 0) {
 		ret = GNUTLS_E_SELF_TEST_ERROR;
@@ -261,7 +263,7 @@ static int test_sig(gnutls_pk_algorithm_t pk,
 	}
 
 	ret =
-	    gnutls_pubkey_verify_data2(pub, gnutls_pk_to_sign(pk, dig), 0,
+	    gnutls_pubkey_verify_data2(pub, sigalgo, 0,
 				       &bad_data, &sig);
 
 	if (ret != GNUTLS_E_PK_SIG_VERIFY_FAILED) {
@@ -526,8 +528,8 @@ static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits,
 	return ret;
 }
 
-#define PK_TEST(pk, func, bits, dig) \
-			ret = func(pk, bits, dig); \
+#define PK_TEST(pk, func, bits, sigalgo) \
+			ret = func(pk, bits, sigalgo); \
 			if (ret < 0) { \
 				gnutls_assert(); \
 				goto cleanup; \
@@ -775,7 +777,14 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk)
 		PK_KNOWN_TEST(GNUTLS_PK_RSA, 1, 2048, GNUTLS_DIG_SHA256,
 			      rsa_key2048, rsa_sig);
 		PK_TEST(GNUTLS_PK_RSA, test_rsa_enc, 2048, 0);
-		PK_TEST(GNUTLS_PK_RSA, test_sig, 3072, GNUTLS_DIG_SHA256);
+		PK_TEST(GNUTLS_PK_RSA, test_sig, 3072, GNUTLS_SIGN_RSA_SHA256);
+
+		if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL))
+			return 0;
+
+		FALLTHROUGH;
+	case GNUTLS_PK_RSA_PSS:
+		PK_TEST(GNUTLS_PK_RSA_PSS, test_sig, 2048, GNUTLS_SIGN_RSA_PSS_RSAE_SHA256);
 
 		if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL))
 			return 0;
@@ -784,7 +793,7 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk)
 	case GNUTLS_PK_DSA:
 		PK_KNOWN_TEST(GNUTLS_PK_DSA, 0, 2048, GNUTLS_DIG_SHA256,
 			      dsa_privkey, dsa_sig);
-		PK_TEST(GNUTLS_PK_DSA, test_sig, 3072, GNUTLS_DIG_SHA256);
+		PK_TEST(GNUTLS_PK_DSA, test_sig, 3072, GNUTLS_SIGN_DSA_SHA256);
 
 		if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL))
 			return 0;
@@ -808,7 +817,7 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk)
 			      ecdsa_secp256r1_sig);
 		PK_TEST(GNUTLS_PK_EC, test_sig,
 			GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP256R1),
-			GNUTLS_DIG_SHA256);
+			GNUTLS_SIGN_ECDSA_SHA256);
 
 		if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL))
 			return 0;
@@ -820,7 +829,7 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk)
 			      ecdsa_secp384r1_sig);
 		PK_TEST(GNUTLS_PK_EC, test_sig,
 			GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP384R1),
-			GNUTLS_DIG_SHA384);
+			GNUTLS_SIGN_ECDSA_SHA384);
 
 		PK_KNOWN_TEST(GNUTLS_PK_EC, 0,
 			      GNUTLS_CURVE_TO_BITS
@@ -829,7 +838,7 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk)
 			      ecdsa_secp521r1_sig);
 		PK_TEST(GNUTLS_PK_EC, test_sig,
 			GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP521R1),
-			GNUTLS_DIG_SHA512);
+			GNUTLS_SIGN_ECDSA_SHA512);
 
 #ifdef ENABLE_NON_SUITEB_CURVES
 		PK_KNOWN_TEST(GNUTLS_PK_EC, 0,
@@ -839,7 +848,7 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk)
 			      ecdsa_secp192r1_sig);
 		PK_TEST(GNUTLS_PK_EC, test_sig,
 			GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP192R1),
-			GNUTLS_DIG_SHA256);
+			GNUTLS_SIGN_ECDSA_SHA256);
 
 		PK_KNOWN_TEST(GNUTLS_PK_EC, 0,
 			      GNUTLS_CURVE_TO_BITS
@@ -848,7 +857,7 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk)
 			      ecdsa_secp224r1_sig);
 		PK_TEST(GNUTLS_PK_EC, test_sig,
 			GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP224R1),
-			GNUTLS_DIG_SHA256);
+			GNUTLS_SIGN_ECDSA_SHA256);
 #endif
 
 #if ENABLE_GOST
@@ -856,7 +865,8 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk)
 	case GNUTLS_PK_GOST_01:
 		PK_KNOWN_TEST(GNUTLS_PK_GOST_01, 0, GNUTLS_ECC_CURVE_GOST256CPA, GNUTLS_DIG_GOSTR_94,
 			      gost01_privkey, gost01_sig);
-		PK_TEST(GNUTLS_PK_GOST_01, test_sig, GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST256CPA), GNUTLS_DIG_GOSTR_94);
+		PK_TEST(GNUTLS_PK_GOST_01, test_sig, GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST256CPA),
+			GNUTLS_SIGN_GOST_94);
 
 		if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL))
 			return 0;
@@ -865,7 +875,8 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk)
 	case GNUTLS_PK_GOST_12_256:
 		PK_KNOWN_TEST(GNUTLS_PK_GOST_12_256, 0, GNUTLS_ECC_CURVE_GOST256CPA, GNUTLS_DIG_STREEBOG_256,
 			      gost12_256_privkey, gost12_256_sig);
-		PK_TEST(GNUTLS_PK_GOST_12_256, test_sig, GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST256CPA), GNUTLS_DIG_STREEBOG_256);
+		PK_TEST(GNUTLS_PK_GOST_12_256, test_sig, GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST256CPA),
+			GNUTLS_SIGN_GOST_256);
 
 		if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL))
 			return 0;
@@ -874,7 +885,8 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk)
 	case GNUTLS_PK_GOST_12_512:
 		PK_KNOWN_TEST(GNUTLS_PK_GOST_12_512, 0, GNUTLS_ECC_CURVE_GOST512A, GNUTLS_DIG_STREEBOG_512,
 			      gost12_512_privkey, gost12_512_sig);
-		PK_TEST(GNUTLS_PK_GOST_12_256, test_sig, GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST512A), GNUTLS_DIG_STREEBOG_256);
+		PK_TEST(GNUTLS_PK_GOST_12_512, test_sig, GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST512A),
+			GNUTLS_SIGN_GOST_512);
 
 		if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL))
 			return 0;
author	Nikos Mavrogiannopoulos <nmav@redhat.com>	2018-11-19 14:07:39 +0100
committer	Nikos Mavrogiannopoulos <nmav@redhat.com>	2018-11-20 16:43:03 +0100
commit	360f0b4f835a1b41796b0e518af168ae0598df2e (patch)
tree	010bb1d65384aa694296e903b8998c45754d938e
parent	b2d8134916595b7be1f4ceb9bf1f3ce7fc09753d (diff)
download	gnutls-360f0b4f835a1b41796b0e518af168ae0598df2e.tar.gz