From 43c62273361f94cf1b63f41913ac15f24616e1ee Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Tue, 30 May 2017 16:43:28 +0200 Subject: tests: added unit tests for the gnutls_x509_* sign/verify APIs Signed-off-by: Nikos Mavrogiannopoulos --- tests/Makefile.am | 4 +- tests/sign-verify-data.c | 200 ++++++++++++++++++++++++++++ tests/sign-verify.c | 307 +++++++++++++++++++++++++++++++++++++++++++ tests/x509sign-verify-data.c | 200 ---------------------------- tests/x509sign-verify.c | 188 +++++--------------------- 5 files changed, 545 insertions(+), 354 deletions(-) create mode 100644 tests/sign-verify-data.c create mode 100644 tests/sign-verify.c delete mode 100644 tests/x509sign-verify-data.c diff --git a/tests/Makefile.am b/tests/Makefile.am index 4fe1247fe0..8e73ee7392 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -88,7 +88,7 @@ libutils_la_LIBADD = ../lib/libgnutls.la ctests = mini-record-2 simple gc set_pkcs12_cred cert certuniqueid \ mpi certificate_set_x509_crl dn parse_ca x509-dn x509-dn-decode record-sizes \ hostname-check cve-2008-4989 pkcs12_s2k chainverify record-sizes-range \ - crq_key_id x509sign-verify cve-2009-1415 cve-2009-1416 \ + crq_key_id x509sign-verify sign-verify cve-2009-1415 cve-2009-1416 \ crq_apis init_roundtrip pkcs12_s2k_pem dn2 mini-eagain tls-rehandshake-cert-3 \ nul-in-x509-names x509_altname pkcs12_encode mini-x509 \ tls-rehandshake-cert rng-fork mini-eagain-dtls resume-dtls \ @@ -99,7 +99,7 @@ ctests = mini-record-2 simple gc set_pkcs12_cred cert certuniqueid \ mini-dtls-heartbeat mini-x509-callbacks key-openssl priorities \ mini-dtls-srtp rsa-encrypt-decrypt mini-loss-time gnutls-strcodes \ mini-record mini-dtls-record mini-handshake-timeout mini-record-range \ - mini-cert-status rsa-psk global-init sec-params x509sign-verify-data \ + mini-cert-status rsa-psk global-init sec-params sign-verify-data \ fips-test mini-global-load name-constraints x509-extensions \ long-session-id mini-x509-callbacks-intr mini-dtls-lowmtu \ crlverify mini-dtls-discard init_fds mini-record-failure \ diff --git a/tests/sign-verify-data.c b/tests/sign-verify-data.c new file mode 100644 index 0000000000..b638146cc3 --- /dev/null +++ b/tests/sign-verify-data.c @@ -0,0 +1,200 @@ +/* + * Copyright (C) 2017 Red Hat, Inc. + * + * Author: Nikos Mavrogiannopoulos + * + * This file is part of GnuTLS. + * + * GnuTLS is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * GnuTLS is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with GnuTLS; if not, write to the Free Software Foundation, + * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + */ + +#ifdef HAVE_CONFIG_H +#include +#endif + +#include +#include +#include +#include +#ifndef _WIN32 +# include +# include +# include +#endif +#include +#include +#include +#include +#include "cert-common.h" +#include "utils.h" + +/* verifies whether the sign-data and verify-data APIs + * operate as expected */ + +static void tls_log_func(int level, const char *str) +{ + fprintf(stderr, "<%d> %s", level, str); +} + +/* sha1 hash of "hello" string */ +const gnutls_datum_t raw_data = { + (void *) + "\xaa\xf4\xc6\x1d\xdc\xc5\xe8\xa2\xda\xbe" + "\xde\x0f\x3b\x48\x2c\xd9\xae\xa9\x43\x4d", + 20 +}; + +const gnutls_datum_t invalid_raw_data = { + (void *) + "\xaa\xf4\xc6\x1d\xdc\xc5\xe8\xa2\xda\xbe" + "\xde\x0f\x3b\x48\x3c\xd9\xae\xa9\x43\x4d", + 20 +}; + +struct tests_st { + const char *name; + gnutls_datum_t key; + gnutls_datum_t cert; + gnutls_pk_algorithm_t pk; + unsigned digest; + unsigned sigalgo; + unsigned sign_flags; +}; + +struct tests_st tests[] = { + { + .name = "rsa key", + .cert = {(void *) cli_ca3_cert_pem, sizeof(cli_ca3_cert_pem)-1}, + .key = {(void *) cli_ca3_key_pem, sizeof(cli_ca3_key_pem)-1}, + .pk = GNUTLS_PK_RSA, + .digest = GNUTLS_DIG_SHA256, + .sigalgo = GNUTLS_SIGN_RSA_SHA256 + }, + { + .name = "ecdsa key", + .key = {(void *) server_ca3_ecc_key_pem, sizeof(server_ca3_ecc_key_pem)-1}, + .cert = {(void *) server_localhost_ca3_ecc_cert_pem, sizeof(server_localhost_ca3_ecc_cert_pem)-1}, + .pk = GNUTLS_PK_ECDSA, + .digest = GNUTLS_DIG_SHA256, + .sigalgo = GNUTLS_SIGN_ECDSA_SHA256 + }, + { + .name = "rsa pss key", + .key = {(void *) server_ca3_rsa_pss_key_pem, sizeof(server_ca3_rsa_pss_key_pem)-1}, + .cert = {(void *) server_ca3_rsa_pss_cert_pem, sizeof(server_ca3_rsa_pss_cert_pem)-1}, + .pk = GNUTLS_PK_RSA_PSS, + .digest = GNUTLS_DIG_SHA256, + .sign_flags = GNUTLS_PRIVKEY_SIGN_FLAG_RSA_PSS, + .sigalgo = GNUTLS_SIGN_RSA_PSS_SHA256 + } +}; + +#define testfail(fmt, ...) \ + fail("%s: "fmt, tests[i].name, ##__VA_ARGS__) + +void doit(void) +{ + gnutls_x509_crt_t crt; + gnutls_pubkey_t pubkey; + gnutls_privkey_t privkey; + gnutls_sign_algorithm_t sign_algo; + gnutls_datum_t signature; + int ret; + size_t i; + + global_init(); + + gnutls_global_set_log_function(tls_log_func); + if (debug) + gnutls_global_set_log_level(6); + + for (i = 0; i < sizeof(tests) / sizeof(tests[0]); i++) { + if (debug) + success("loop %d\n", (int) i); + + ret = gnutls_pubkey_init(&pubkey); + if (ret < 0) + testfail("gnutls_privkey_init\n"); + + ret = gnutls_privkey_init(&privkey); + if (ret < 0) + testfail("gnutls_pubkey_init\n"); + + ret = gnutls_privkey_import_x509_raw(privkey, &tests[i].key, GNUTLS_X509_FMT_PEM, NULL, 0); + if (ret < 0) + testfail("gnutls_privkey_import_x509\n"); + + ret = gnutls_privkey_sign_data(privkey, tests[i].digest, tests[i].sign_flags, + &raw_data, &signature); + if (ret < 0) + testfail("gnutls_x509_privkey_sign_hash\n"); + + ret = gnutls_x509_crt_init(&crt); + if (ret < 0) + testfail("gnutls_x509_crt_init\n"); + + ret = + gnutls_x509_crt_import(crt, &tests[i].cert, + GNUTLS_X509_FMT_PEM); + if (ret < 0) + testfail("gnutls_x509_crt_import\n"); + + ret = gnutls_pubkey_import_x509(pubkey, crt, 0); + if (ret < 0) + testfail("gnutls_x509_pubkey_import\n"); + + ret = + gnutls_pubkey_verify_data2(pubkey, tests[i].sigalgo, 0, &raw_data, + &signature); + if (ret < 0) + testfail("gnutls_x509_pubkey_verify_data2\n"); + + /* should fail */ + ret = + gnutls_pubkey_verify_data2(pubkey, tests[i].sigalgo, 0, + &invalid_raw_data, + &signature); + if (ret != GNUTLS_E_PK_SIG_VERIFY_FAILED) + testfail("gnutls_x509_pubkey_verify_data2-2 (hashed data)\n"); + + sign_algo = + gnutls_pk_to_sign(gnutls_pubkey_get_pk_algorithm + (pubkey, NULL), tests[i].digest); + ret = + gnutls_pubkey_verify_data2(pubkey, sign_algo, 0, + &raw_data, &signature); + if (ret < 0) + testfail("gnutls_x509_pubkey_verify_data2-1 (hashed data)\n"); + + /* should fail */ + ret = + gnutls_pubkey_verify_data2(pubkey, sign_algo, 0, + &invalid_raw_data, + &signature); + if (ret != GNUTLS_E_PK_SIG_VERIFY_FAILED) + testfail("gnutls_x509_pubkey_verify_data2-2 (hashed data)\n"); + + /* test the raw interface */ + gnutls_free(signature.data); + signature.data = NULL; + + gnutls_free(signature.data); + gnutls_x509_crt_deinit(crt); + gnutls_privkey_deinit(privkey); + gnutls_pubkey_deinit(pubkey); + } + + gnutls_global_deinit(); +} diff --git a/tests/sign-verify.c b/tests/sign-verify.c new file mode 100644 index 0000000000..69b004f427 --- /dev/null +++ b/tests/sign-verify.c @@ -0,0 +1,307 @@ +/* + * Copyright (C) 2004-2012 Free Software Foundation, Inc. + * + * Author: Nikos Mavrogiannopoulos, Simon Josefsson + * + * This file is part of GnuTLS. + * + * GnuTLS is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * GnuTLS is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with GnuTLS; if not, write to the Free Software Foundation, + * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + */ + +/* Parts copied from GnuTLS example programs. */ + +#ifdef HAVE_CONFIG_H +#include +#endif + +#include +#include +#include +#include +#ifndef _WIN32 +# include +# include +# include +#endif +#include +#include +#include +#include +#include "cert-common.h" +#include "utils.h" + +static void tls_log_func(int level, const char *str) +{ + fprintf(stderr, "<%d> %s", level, str); +} + +/* sha1 hash of "hello" string */ +const gnutls_datum_t sha1_hash_data = { + (void *) + "\xaa\xf4\xc6\x1d\xdc\xc5\xe8\xa2\xda\xbe" + "\xde\x0f\x3b\x48\x2c\xd9\xae\xa9\x43\x4d", + 20 +}; + +const gnutls_datum_t sha256_hash_data = { + (void *) + "\x2c\xf2\x4d\xba\x5f\xb0\xa3\x0e\x26\xe8\x3b\x2a\xc5\xb9\xe2\x9e" + "\x1b\x16\x1e\x5c\x1f\xa7\x42\x5e\x73\x04\x33\x62\x93\x8b\x98\x24", + 32 +}; + +const gnutls_datum_t sha256_invalid_hash_data = { + (void *) + "\x2c\xf2\x4d\xba\x5f\xb1\xa3\x0e\x26\xe8\x3b\x2a\xc5\xb9\xe2\x9e" + "\x1b\x16\x1e\x5c\x1f\xa3\x42\x5e\x73\x04\x33\x62\x93\x8b\x98\x24", + 32 +}; + +const gnutls_datum_t sha1_invalid_hash_data = { + (void *) + "\xaa\xf4\xc6\x1d\xdc\xca\xe8\xa2\xda\xbe" + "\xde\x0f\x3b\x48\x2c\xb9\xae\xa9\x43\x4d", + 20 +}; + +const gnutls_datum_t raw_data = { + (void *) "hello", + 5 +}; + +struct tests_st { + const char *name; + gnutls_datum_t key; + gnutls_datum_t cert; + gnutls_pk_algorithm_t pk; + unsigned digest; + unsigned sigalgo; + unsigned sign_flags; +}; + +struct tests_st tests[] = { + { + .name = "rsa key", + .cert = {(void *) cli_ca3_cert_pem, sizeof(cli_ca3_cert_pem)-1}, + .key = {(void *) cli_ca3_key_pem, sizeof(cli_ca3_key_pem)-1}, + .pk = GNUTLS_PK_RSA, + .digest = GNUTLS_DIG_SHA256, + .sigalgo = GNUTLS_SIGN_RSA_SHA256 + }, + { + .name = "dsa key", + .key = {(void *) clidsa_ca3_key_pem, sizeof(clidsa_ca3_key_pem)-1}, + .cert = {(void *) clidsa_ca3_cert_pem, sizeof(clidsa_ca3_cert_pem)-1}, + .pk = GNUTLS_PK_DSA, + .digest = GNUTLS_DIG_SHA1, + .sigalgo = GNUTLS_SIGN_DSA_SHA1 + }, + { + .name = "ecdsa key", + .key = {(void *) server_ca3_ecc_key_pem, sizeof(server_ca3_ecc_key_pem)-1}, + .cert = {(void *) server_localhost_ca3_ecc_cert_pem, sizeof(server_localhost_ca3_ecc_cert_pem)-1}, + .pk = GNUTLS_PK_ECDSA, + .digest = GNUTLS_DIG_SHA256, + .sigalgo = GNUTLS_SIGN_ECDSA_SHA256 + }, + { + .name = "rsa pss key", + .key = {(void *) server_ca3_rsa_pss_key_pem, sizeof(server_ca3_rsa_pss_key_pem)-1}, + .cert = {(void *) server_ca3_rsa_pss_cert_pem, sizeof(server_ca3_rsa_pss_cert_pem)-1}, + .pk = GNUTLS_PK_RSA_PSS, + .digest = GNUTLS_DIG_SHA256, + .sign_flags = GNUTLS_PRIVKEY_SIGN_FLAG_RSA_PSS, + .sigalgo = GNUTLS_SIGN_RSA_PSS_SHA256 + } +}; + +#define testfail(fmt, ...) \ + fail("%s: "fmt, tests[i].name, ##__VA_ARGS__) + +void doit(void) +{ + gnutls_x509_privkey_t key; + gnutls_x509_crt_t crt; + gnutls_pubkey_t pubkey; + gnutls_privkey_t privkey; + gnutls_sign_algorithm_t sign_algo; + gnutls_datum_t signature; + gnutls_datum_t signature2; + int ret; + size_t i; + const gnutls_datum_t *hash_data; + const gnutls_datum_t *invalid_hash_data; + + global_init(); + + gnutls_global_set_log_function(tls_log_func); + if (debug) + gnutls_global_set_log_level(6); + + for (i = 0; i < sizeof(tests) / sizeof(tests[0]); i++) { + if (debug) + success("loop %d\n", (int) i); + + if (tests[i].digest == GNUTLS_DIG_SHA1) { + hash_data = &sha1_hash_data; + invalid_hash_data = &sha1_invalid_hash_data; + } else { + hash_data = &sha256_hash_data; + invalid_hash_data = &sha256_invalid_hash_data; + } + + ret = gnutls_x509_privkey_init(&key); + if (ret < 0) + testfail("gnutls_x509_privkey_init\n"); + + ret = + gnutls_x509_privkey_import(key, &tests[i].key, + GNUTLS_X509_FMT_PEM); + if (ret < 0) + testfail("gnutls_x509_privkey_import\n"); + + ret = gnutls_pubkey_init(&pubkey); + if (ret < 0) + testfail("gnutls_privkey_init\n"); + + ret = gnutls_privkey_init(&privkey); + if (ret < 0) + testfail("gnutls_pubkey_init\n"); + + ret = gnutls_privkey_import_x509(privkey, key, 0); + if (ret < 0) + testfail("gnutls_privkey_import_x509\n"); + + ret = gnutls_privkey_sign_hash(privkey, tests[i].digest, tests[i].sign_flags, + hash_data, &signature2); + if (ret < 0) + testfail("gnutls_privkey_sign_hash\n"); + + ret = gnutls_privkey_sign_data(privkey, tests[i].digest, tests[i].sign_flags, + &raw_data, &signature); + if (ret < 0) + testfail("gnutls_x509_privkey_sign_hash\n"); + + ret = gnutls_x509_crt_init(&crt); + if (ret < 0) + testfail("gnutls_x509_crt_init\n"); + + ret = + gnutls_x509_crt_import(crt, &tests[i].cert, + GNUTLS_X509_FMT_PEM); + if (ret < 0) + testfail("gnutls_x509_crt_import\n"); + + ret = gnutls_pubkey_import_x509(pubkey, crt, 0); + if (ret < 0) + testfail("gnutls_x509_pubkey_import\n"); + + ret = + gnutls_pubkey_verify_hash2(pubkey, tests[i].sigalgo, GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1, hash_data, + &signature); + if (ret < 0) + testfail("gnutls_x509_pubkey_verify_hash2\n"); + + ret = + gnutls_pubkey_verify_hash2(pubkey, tests[i].sigalgo, GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1, hash_data, + &signature2); + if (ret < 0) + testfail("gnutls_x509_pubkey_verify_hash-1 (hashed data)\n"); + + /* should fail */ + ret = + gnutls_pubkey_verify_hash2(pubkey, tests[i].sigalgo, + GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1, + invalid_hash_data, + &signature2); + if (ret != GNUTLS_E_PK_SIG_VERIFY_FAILED) + testfail("gnutls_x509_pubkey_verify_hash-2 (hashed data)\n"); + + sign_algo = + gnutls_pk_to_sign(gnutls_pubkey_get_pk_algorithm + (pubkey, NULL), tests[i].digest); + + ret = + gnutls_pubkey_verify_hash2(pubkey, sign_algo, GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1, + hash_data, &signature2); + if (ret < 0) + testfail("gnutls_x509_pubkey_verify_hash2-1 (hashed data)\n"); + + /* should fail */ + ret = + gnutls_pubkey_verify_hash2(pubkey, sign_algo, GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1, + invalid_hash_data, + &signature2); + if (ret != GNUTLS_E_PK_SIG_VERIFY_FAILED) + testfail("gnutls_x509_pubkey_verify_hash2-2 (hashed data)\n"); + + /* test the raw interface */ + gnutls_free(signature.data); + signature.data = NULL; + + if (gnutls_pubkey_get_pk_algorithm(pubkey, NULL) == + GNUTLS_PK_RSA) { + + ret = + gnutls_privkey_sign_hash(privkey, + tests[i].digest, + GNUTLS_PRIVKEY_SIGN_FLAG_TLS1_RSA, + hash_data, + &signature); + if (ret < 0) + testfail("gnutls_privkey_sign_hash: %s\n", + gnutls_strerror(ret)); + + sign_algo = + gnutls_pk_to_sign + (gnutls_pubkey_get_pk_algorithm(pubkey, NULL), + tests[i].digest); + + ret = + gnutls_pubkey_verify_hash2(pubkey, sign_algo, + GNUTLS_PUBKEY_VERIFY_FLAG_TLS1_RSA, + hash_data, + &signature); + if (ret < 0) + testfail("gnutls_pubkey_verify_hash-3 (raw hashed data)\n"); + + gnutls_free(signature.data); + /* test the legacy API */ + ret = + gnutls_privkey_sign_raw_data(privkey, 0, + hash_data, + &signature); + if (ret < 0) + testfail("gnutls_privkey_sign_raw_data: %s\n", + gnutls_strerror(ret)); + + ret = + gnutls_pubkey_verify_hash2(pubkey, sign_algo, + GNUTLS_PUBKEY_VERIFY_FLAG_TLS1_RSA, + hash_data, + &signature); + if (ret < 0) + testfail("gnutls_pubkey_verify_hash-4 (legacy raw hashed data)\n"); + } + gnutls_free(signature.data); + gnutls_free(signature2.data); + gnutls_x509_privkey_deinit(key); + gnutls_x509_crt_deinit(crt); + gnutls_privkey_deinit(privkey); + gnutls_pubkey_deinit(pubkey); + } + + gnutls_global_deinit(); +} diff --git a/tests/x509sign-verify-data.c b/tests/x509sign-verify-data.c deleted file mode 100644 index b638146cc3..0000000000 --- a/tests/x509sign-verify-data.c +++ /dev/null @@ -1,200 +0,0 @@ -/* - * Copyright (C) 2017 Red Hat, Inc. - * - * Author: Nikos Mavrogiannopoulos - * - * This file is part of GnuTLS. - * - * GnuTLS is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 3 of the License, or - * (at your option) any later version. - * - * GnuTLS is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with GnuTLS; if not, write to the Free Software Foundation, - * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA - */ - -#ifdef HAVE_CONFIG_H -#include -#endif - -#include -#include -#include -#include -#ifndef _WIN32 -# include -# include -# include -#endif -#include -#include -#include -#include -#include "cert-common.h" -#include "utils.h" - -/* verifies whether the sign-data and verify-data APIs - * operate as expected */ - -static void tls_log_func(int level, const char *str) -{ - fprintf(stderr, "<%d> %s", level, str); -} - -/* sha1 hash of "hello" string */ -const gnutls_datum_t raw_data = { - (void *) - "\xaa\xf4\xc6\x1d\xdc\xc5\xe8\xa2\xda\xbe" - "\xde\x0f\x3b\x48\x2c\xd9\xae\xa9\x43\x4d", - 20 -}; - -const gnutls_datum_t invalid_raw_data = { - (void *) - "\xaa\xf4\xc6\x1d\xdc\xc5\xe8\xa2\xda\xbe" - "\xde\x0f\x3b\x48\x3c\xd9\xae\xa9\x43\x4d", - 20 -}; - -struct tests_st { - const char *name; - gnutls_datum_t key; - gnutls_datum_t cert; - gnutls_pk_algorithm_t pk; - unsigned digest; - unsigned sigalgo; - unsigned sign_flags; -}; - -struct tests_st tests[] = { - { - .name = "rsa key", - .cert = {(void *) cli_ca3_cert_pem, sizeof(cli_ca3_cert_pem)-1}, - .key = {(void *) cli_ca3_key_pem, sizeof(cli_ca3_key_pem)-1}, - .pk = GNUTLS_PK_RSA, - .digest = GNUTLS_DIG_SHA256, - .sigalgo = GNUTLS_SIGN_RSA_SHA256 - }, - { - .name = "ecdsa key", - .key = {(void *) server_ca3_ecc_key_pem, sizeof(server_ca3_ecc_key_pem)-1}, - .cert = {(void *) server_localhost_ca3_ecc_cert_pem, sizeof(server_localhost_ca3_ecc_cert_pem)-1}, - .pk = GNUTLS_PK_ECDSA, - .digest = GNUTLS_DIG_SHA256, - .sigalgo = GNUTLS_SIGN_ECDSA_SHA256 - }, - { - .name = "rsa pss key", - .key = {(void *) server_ca3_rsa_pss_key_pem, sizeof(server_ca3_rsa_pss_key_pem)-1}, - .cert = {(void *) server_ca3_rsa_pss_cert_pem, sizeof(server_ca3_rsa_pss_cert_pem)-1}, - .pk = GNUTLS_PK_RSA_PSS, - .digest = GNUTLS_DIG_SHA256, - .sign_flags = GNUTLS_PRIVKEY_SIGN_FLAG_RSA_PSS, - .sigalgo = GNUTLS_SIGN_RSA_PSS_SHA256 - } -}; - -#define testfail(fmt, ...) \ - fail("%s: "fmt, tests[i].name, ##__VA_ARGS__) - -void doit(void) -{ - gnutls_x509_crt_t crt; - gnutls_pubkey_t pubkey; - gnutls_privkey_t privkey; - gnutls_sign_algorithm_t sign_algo; - gnutls_datum_t signature; - int ret; - size_t i; - - global_init(); - - gnutls_global_set_log_function(tls_log_func); - if (debug) - gnutls_global_set_log_level(6); - - for (i = 0; i < sizeof(tests) / sizeof(tests[0]); i++) { - if (debug) - success("loop %d\n", (int) i); - - ret = gnutls_pubkey_init(&pubkey); - if (ret < 0) - testfail("gnutls_privkey_init\n"); - - ret = gnutls_privkey_init(&privkey); - if (ret < 0) - testfail("gnutls_pubkey_init\n"); - - ret = gnutls_privkey_import_x509_raw(privkey, &tests[i].key, GNUTLS_X509_FMT_PEM, NULL, 0); - if (ret < 0) - testfail("gnutls_privkey_import_x509\n"); - - ret = gnutls_privkey_sign_data(privkey, tests[i].digest, tests[i].sign_flags, - &raw_data, &signature); - if (ret < 0) - testfail("gnutls_x509_privkey_sign_hash\n"); - - ret = gnutls_x509_crt_init(&crt); - if (ret < 0) - testfail("gnutls_x509_crt_init\n"); - - ret = - gnutls_x509_crt_import(crt, &tests[i].cert, - GNUTLS_X509_FMT_PEM); - if (ret < 0) - testfail("gnutls_x509_crt_import\n"); - - ret = gnutls_pubkey_import_x509(pubkey, crt, 0); - if (ret < 0) - testfail("gnutls_x509_pubkey_import\n"); - - ret = - gnutls_pubkey_verify_data2(pubkey, tests[i].sigalgo, 0, &raw_data, - &signature); - if (ret < 0) - testfail("gnutls_x509_pubkey_verify_data2\n"); - - /* should fail */ - ret = - gnutls_pubkey_verify_data2(pubkey, tests[i].sigalgo, 0, - &invalid_raw_data, - &signature); - if (ret != GNUTLS_E_PK_SIG_VERIFY_FAILED) - testfail("gnutls_x509_pubkey_verify_data2-2 (hashed data)\n"); - - sign_algo = - gnutls_pk_to_sign(gnutls_pubkey_get_pk_algorithm - (pubkey, NULL), tests[i].digest); - ret = - gnutls_pubkey_verify_data2(pubkey, sign_algo, 0, - &raw_data, &signature); - if (ret < 0) - testfail("gnutls_x509_pubkey_verify_data2-1 (hashed data)\n"); - - /* should fail */ - ret = - gnutls_pubkey_verify_data2(pubkey, sign_algo, 0, - &invalid_raw_data, - &signature); - if (ret != GNUTLS_E_PK_SIG_VERIFY_FAILED) - testfail("gnutls_x509_pubkey_verify_data2-2 (hashed data)\n"); - - /* test the raw interface */ - gnutls_free(signature.data); - signature.data = NULL; - - gnutls_free(signature.data); - gnutls_x509_crt_deinit(crt); - gnutls_privkey_deinit(privkey); - gnutls_pubkey_deinit(pubkey); - } - - gnutls_global_deinit(); -} diff --git a/tests/x509sign-verify.c b/tests/x509sign-verify.c index 69b004f427..55633c8319 100644 --- a/tests/x509sign-verify.c +++ b/tests/x509sign-verify.c @@ -1,7 +1,7 @@ /* - * Copyright (C) 2004-2012 Free Software Foundation, Inc. + * Copyright (C) 2017 Red Hat, Inc. * - * Author: Nikos Mavrogiannopoulos, Simon Josefsson + * Author: Nikos Mavrogiannopoulos * * This file is part of GnuTLS. * @@ -20,8 +20,6 @@ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA */ -/* Parts copied from GnuTLS example programs. */ - #ifdef HAVE_CONFIG_H #include #endif @@ -42,45 +40,29 @@ #include "cert-common.h" #include "utils.h" +/* verifies whether the sign-data and verify-data APIs + * operate as expected */ + static void tls_log_func(int level, const char *str) { fprintf(stderr, "<%d> %s", level, str); } /* sha1 hash of "hello" string */ -const gnutls_datum_t sha1_hash_data = { +const gnutls_datum_t raw_data = { (void *) "\xaa\xf4\xc6\x1d\xdc\xc5\xe8\xa2\xda\xbe" "\xde\x0f\x3b\x48\x2c\xd9\xae\xa9\x43\x4d", 20 }; -const gnutls_datum_t sha256_hash_data = { - (void *) - "\x2c\xf2\x4d\xba\x5f\xb0\xa3\x0e\x26\xe8\x3b\x2a\xc5\xb9\xe2\x9e" - "\x1b\x16\x1e\x5c\x1f\xa7\x42\x5e\x73\x04\x33\x62\x93\x8b\x98\x24", - 32 -}; - -const gnutls_datum_t sha256_invalid_hash_data = { +const gnutls_datum_t invalid_raw_data = { (void *) - "\x2c\xf2\x4d\xba\x5f\xb1\xa3\x0e\x26\xe8\x3b\x2a\xc5\xb9\xe2\x9e" - "\x1b\x16\x1e\x5c\x1f\xa3\x42\x5e\x73\x04\x33\x62\x93\x8b\x98\x24", - 32 -}; - -const gnutls_datum_t sha1_invalid_hash_data = { - (void *) - "\xaa\xf4\xc6\x1d\xdc\xca\xe8\xa2\xda\xbe" - "\xde\x0f\x3b\x48\x2c\xb9\xae\xa9\x43\x4d", + "\xaa\xf4\xc6\x1d\xdc\xc5\xe8\xa2\xda\xbe" + "\xde\x0f\x3b\x48\x3c\xd9\xae\xa9\x43\x4d", 20 }; -const gnutls_datum_t raw_data = { - (void *) "hello", - 5 -}; - struct tests_st { const char *name; gnutls_datum_t key; @@ -100,14 +82,6 @@ struct tests_st tests[] = { .digest = GNUTLS_DIG_SHA256, .sigalgo = GNUTLS_SIGN_RSA_SHA256 }, - { - .name = "dsa key", - .key = {(void *) clidsa_ca3_key_pem, sizeof(clidsa_ca3_key_pem)-1}, - .cert = {(void *) clidsa_ca3_cert_pem, sizeof(clidsa_ca3_cert_pem)-1}, - .pk = GNUTLS_PK_DSA, - .digest = GNUTLS_DIG_SHA1, - .sigalgo = GNUTLS_SIGN_DSA_SHA1 - }, { .name = "ecdsa key", .key = {(void *) server_ca3_ecc_key_pem, sizeof(server_ca3_ecc_key_pem)-1}, @@ -132,17 +106,14 @@ struct tests_st tests[] = { void doit(void) { - gnutls_x509_privkey_t key; gnutls_x509_crt_t crt; - gnutls_pubkey_t pubkey; - gnutls_privkey_t privkey; + gnutls_x509_privkey_t privkey; gnutls_sign_algorithm_t sign_algo; + char signature_data[512]; + size_t signature_size; gnutls_datum_t signature; - gnutls_datum_t signature2; int ret; size_t i; - const gnutls_datum_t *hash_data; - const gnutls_datum_t *invalid_hash_data; global_init(); @@ -154,45 +125,19 @@ void doit(void) if (debug) success("loop %d\n", (int) i); - if (tests[i].digest == GNUTLS_DIG_SHA1) { - hash_data = &sha1_hash_data; - invalid_hash_data = &sha1_invalid_hash_data; - } else { - hash_data = &sha256_hash_data; - invalid_hash_data = &sha256_invalid_hash_data; - } - - ret = gnutls_x509_privkey_init(&key); - if (ret < 0) - testfail("gnutls_x509_privkey_init\n"); - - ret = - gnutls_x509_privkey_import(key, &tests[i].key, - GNUTLS_X509_FMT_PEM); - if (ret < 0) - testfail("gnutls_x509_privkey_import\n"); - - ret = gnutls_pubkey_init(&pubkey); - if (ret < 0) - testfail("gnutls_privkey_init\n"); - - ret = gnutls_privkey_init(&privkey); + ret = gnutls_x509_privkey_init(&privkey); if (ret < 0) testfail("gnutls_pubkey_init\n"); - ret = gnutls_privkey_import_x509(privkey, key, 0); + ret = gnutls_x509_privkey_import(privkey, &tests[i].key, GNUTLS_X509_FMT_PEM); if (ret < 0) testfail("gnutls_privkey_import_x509\n"); - ret = gnutls_privkey_sign_hash(privkey, tests[i].digest, tests[i].sign_flags, - hash_data, &signature2); - if (ret < 0) - testfail("gnutls_privkey_sign_hash\n"); - - ret = gnutls_privkey_sign_data(privkey, tests[i].digest, tests[i].sign_flags, - &raw_data, &signature); + signature_size = sizeof(signature_data); + ret = gnutls_x509_privkey_sign_data(privkey, tests[i].digest, tests[i].sign_flags, + &raw_data, signature_data, &signature_size); if (ret < 0) - testfail("gnutls_x509_privkey_sign_hash\n"); + testfail("gnutls_x509_privkey_sign_data\n"); ret = gnutls_x509_crt_init(&crt); if (ret < 0) @@ -204,103 +149,42 @@ void doit(void) if (ret < 0) testfail("gnutls_x509_crt_import\n"); - ret = gnutls_pubkey_import_x509(pubkey, crt, 0); - if (ret < 0) - testfail("gnutls_x509_pubkey_import\n"); + signature.data = (unsigned char*)signature_data; + signature.size = signature_size; ret = - gnutls_pubkey_verify_hash2(pubkey, tests[i].sigalgo, GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1, hash_data, + gnutls_x509_crt_verify_data2(crt, tests[i].sigalgo, 0, &raw_data, &signature); if (ret < 0) - testfail("gnutls_x509_pubkey_verify_hash2\n"); - - ret = - gnutls_pubkey_verify_hash2(pubkey, tests[i].sigalgo, GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1, hash_data, - &signature2); - if (ret < 0) - testfail("gnutls_x509_pubkey_verify_hash-1 (hashed data)\n"); + testfail("gnutls_x509_crt_verify_data2\n"); /* should fail */ ret = - gnutls_pubkey_verify_hash2(pubkey, tests[i].sigalgo, - GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1, - invalid_hash_data, - &signature2); + gnutls_x509_crt_verify_data2(crt, tests[i].sigalgo, 0, + &invalid_raw_data, + &signature); if (ret != GNUTLS_E_PK_SIG_VERIFY_FAILED) - testfail("gnutls_x509_pubkey_verify_hash-2 (hashed data)\n"); + testfail("gnutls_x509_crt_verify_data2-2 (hashed data)\n"); sign_algo = - gnutls_pk_to_sign(gnutls_pubkey_get_pk_algorithm - (pubkey, NULL), tests[i].digest); - + gnutls_pk_to_sign(gnutls_x509_crt_get_pk_algorithm + (crt, NULL), tests[i].digest); ret = - gnutls_pubkey_verify_hash2(pubkey, sign_algo, GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1, - hash_data, &signature2); + gnutls_x509_crt_verify_data2(crt, sign_algo, 0, + &raw_data, &signature); if (ret < 0) - testfail("gnutls_x509_pubkey_verify_hash2-1 (hashed data)\n"); + testfail("gnutls_x509_crt_verify_data2-1 (hashed data)\n"); /* should fail */ ret = - gnutls_pubkey_verify_hash2(pubkey, sign_algo, GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1, - invalid_hash_data, - &signature2); + gnutls_x509_crt_verify_data2(crt, sign_algo, 0, + &invalid_raw_data, + &signature); if (ret != GNUTLS_E_PK_SIG_VERIFY_FAILED) - testfail("gnutls_x509_pubkey_verify_hash2-2 (hashed data)\n"); - - /* test the raw interface */ - gnutls_free(signature.data); - signature.data = NULL; - - if (gnutls_pubkey_get_pk_algorithm(pubkey, NULL) == - GNUTLS_PK_RSA) { - - ret = - gnutls_privkey_sign_hash(privkey, - tests[i].digest, - GNUTLS_PRIVKEY_SIGN_FLAG_TLS1_RSA, - hash_data, - &signature); - if (ret < 0) - testfail("gnutls_privkey_sign_hash: %s\n", - gnutls_strerror(ret)); - - sign_algo = - gnutls_pk_to_sign - (gnutls_pubkey_get_pk_algorithm(pubkey, NULL), - tests[i].digest); - - ret = - gnutls_pubkey_verify_hash2(pubkey, sign_algo, - GNUTLS_PUBKEY_VERIFY_FLAG_TLS1_RSA, - hash_data, - &signature); - if (ret < 0) - testfail("gnutls_pubkey_verify_hash-3 (raw hashed data)\n"); - - gnutls_free(signature.data); - /* test the legacy API */ - ret = - gnutls_privkey_sign_raw_data(privkey, 0, - hash_data, - &signature); - if (ret < 0) - testfail("gnutls_privkey_sign_raw_data: %s\n", - gnutls_strerror(ret)); + testfail("gnutls_x509_crt_verify_data2-2 (hashed data)\n"); - ret = - gnutls_pubkey_verify_hash2(pubkey, sign_algo, - GNUTLS_PUBKEY_VERIFY_FLAG_TLS1_RSA, - hash_data, - &signature); - if (ret < 0) - testfail("gnutls_pubkey_verify_hash-4 (legacy raw hashed data)\n"); - } - gnutls_free(signature.data); - gnutls_free(signature2.data); - gnutls_x509_privkey_deinit(key); gnutls_x509_crt_deinit(crt); - gnutls_privkey_deinit(privkey); - gnutls_pubkey_deinit(pubkey); + gnutls_x509_privkey_deinit(privkey); } gnutls_global_deinit(); -- cgit v1.2.1