Merge Bug 1473806 3.38 certutil -R cannot use EC orphan key

onto tip
author: Robert Relyea <rrelyea@redhat.com> 2019-06-06 14:49:28 -0700
committer: Robert Relyea <rrelyea@redhat.com> 2019-06-06 14:49:28 -0700
commit: c93463d134c11b89cc622cc7472990068b3f8d56 (patch)
tree: aec6050283e34de00440d21df2c82df475d0bb4e /gtests/pk11_gtest
parent: 0280ec37dc2525a06468911825edd1497187c215 (diff)
parent: d5b4513b83b39994b68c5f9dd5d3a58376f71bcb (diff)
download: nss-hg-c93463d134c11b89cc622cc7472990068b3f8d56.tar.gz
1 files changed, 80 insertions, 17 deletions
diff --git a/gtests/pk11_gtest/pk11_import_unittest.cc b/gtests/pk11_gtest/pk11_import_unittest.cc
index a155bbd73..5ffa92e64 100644
--- a/gtests/pk11_gtest/pk11_import_unittest.cc
+++ b/gtests/pk11_gtest/pk11_import_unittest.cc
@@ -48,8 +48,15 @@ class Pk11KeyImportTestBase : public ::testing::Test {
     ScopedSECKEYEncryptedPrivateKeyInfo key_info;
     ScopedSECItem public_value;
     GenerateAndExport(&key_type, &key_info, &public_value);
-    ASSERT_NE(nullptr, key_info);
+
     ASSERT_NE(nullptr, public_value);
+    // Note: NSS is currently unable export wrapped DH keys, so this doesn't
+    // test
+    // CKM_DH_PKCS_KEY_PAIR_GEN beyond generate and verify
+    if (key_type == dhKey) {
+      return;
+    }
+    ASSERT_NE(nullptr, key_info);
 
     // Now import the encrypted key.
     static const uint8_t nick[] = "nick";
@@ -78,17 +85,41 @@ class Pk11KeyImportTestBase : public ::testing::Test {
   CK_MECHANISM_TYPE mech_;
 
  private:
+  SECItem GetPublicComponent(ScopedSECKEYPublicKey& pub_key) {
+    SECItem null = {siBuffer, NULL, 0};
+    switch (SECKEY_GetPublicKeyType(pub_key.get())) {
+      case rsaKey:
+      case rsaPssKey:
+      case rsaOaepKey:
+        return pub_key->u.rsa.modulus;
+      case keaKey:
+        return pub_key->u.kea.publicValue;
+      case dsaKey:
+        return pub_key->u.dsa.publicValue;
+      case dhKey:
+        return pub_key->u.dh.publicValue;
+      case ecKey:
+        return pub_key->u.ec.publicValue;
+      case fortezzaKey: /* depricated */
+      case nullKey:
+        /* didn't use default here so we can catch new key types at compile time
+         */
+        break;
+    }
+    return null;
+  }
   void CheckForPublicKey(const ScopedSECKEYPrivateKey& priv_key,
                          const SECItem* expected_public) {
     // Verify the public key exists.
     StackSECItem priv_id;
+    KeyType type = SECKEY_GetPrivateKeyType(priv_key.get());
     SECStatus rv = PK11_ReadRawAttribute(PK11_TypePrivKey, priv_key.get(),
                                          CKA_ID, &priv_id);
     ASSERT_EQ(SECSuccess, rv) << "Couldn't read CKA_ID from private key: "
                               << PORT_ErrorToName(PORT_GetError());
 
     CK_ATTRIBUTE_TYPE value_type = CKA_VALUE;
-    switch (SECKEY_GetPrivateKeyType(priv_key.get())) {
+    switch (type) {
       case rsaKey:
         value_type = CKA_MODULUS;
         break;
@@ -106,6 +137,8 @@ class Pk11KeyImportTestBase : public ::testing::Test {
         FAIL() << "unknown key type";
     }
 
+    // Scan public key objects until we find one with the same CKA_ID as
+    // priv_key
     std::unique_ptr<PK11GenericObject, PK11GenericObjectsDeleter> objs(
         PK11_FindGenericObjects(slot_.get(), CKO_PUBLIC_KEY));
     ASSERT_NE(nullptr, objs);
@@ -128,20 +161,44 @@ class Pk11KeyImportTestBase : public ::testing::Test {
       ASSERT_EQ(1U, token.len);
       ASSERT_NE(0, token.data[0]);
 
-      StackSECItem value;
-      rv = PK11_ReadRawAttribute(PK11_TypeGeneric, obj, value_type, &value);
+      StackSECItem raw_value;
+      SECItem decoded_value;
+      rv = PK11_ReadRawAttribute(PK11_TypeGeneric, obj, value_type, &raw_value);
       ASSERT_EQ(SECSuccess, rv);
+      SECItem value = raw_value;
 
+      // Decode the EC_POINT and check the output against expected.
       // CKA_EC_POINT isn't stable, see Bug 1520649.
+      ScopedPLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
+      ASSERT_TRUE(arena);
       if (value_type == CKA_EC_POINT) {
-        continue;
+        // If this fails due to the noted inconsistency, we may need to
+        // check the whole raw_value, or remove a leading UNCOMPRESSED_POINT tag
+        rv = SEC_QuickDERDecodeItem(arena.get(), &decoded_value,
+                                    SEC_ASN1_GET(SEC_OctetStringTemplate),
+                                    &raw_value);
+        ASSERT_EQ(SECSuccess, rv);
+        value = decoded_value;
       }
-
       ASSERT_TRUE(SECITEM_ItemsAreEqual(expected_public, &value))
           << "expected: "
           << DataBuffer(expected_public->data, expected_public->len)
           << std::endl
           << "actual: " << DataBuffer(value.data, value.len) << std::endl;
+
+      // Finally, convert the private to public and ensure it matches.
+      ScopedSECKEYPublicKey pub_key(SECKEY_ConvertToPublicKey(priv_key.get()));
+      ASSERT_TRUE(pub_key);
+      SECItem converted_public = GetPublicComponent(pub_key);
+      ASSERT_TRUE(converted_public.len != 0);
+
+      ASSERT_TRUE(SECITEM_ItemsAreEqual(expected_public, &converted_public))
+          << "expected: "
+          << DataBuffer(expected_public->data, expected_public->len)
+          << std::endl
+          << "actual: "
+          << DataBuffer(converted_public.data, converted_public.len)
+          << std::endl;
     }
   }
 
@@ -160,13 +217,6 @@ class Pk11KeyImportTestBase : public ::testing::Test {
     ScopedSECKEYPublicKey pub_key(pub_tmp);
     ASSERT_NE(nullptr, pub_key);
 
-    // Wrap and export the key.
-    ScopedSECKEYEncryptedPrivateKeyInfo epki(PK11_ExportEncryptedPrivKeyInfo(
-        slot_.get(), SEC_OID_AES_256_CBC, password_.get(), priv_key.get(), 1,
-        nullptr));
-    ASSERT_NE(nullptr, epki) << "PK11_ExportEncryptedPrivKeyInfo failed: "
-                             << PORT_ErrorToName(PORT_GetError());
-
     // Save the public value, which we will need on import */
     SECItem* pub_val;
     KeyType t = SECKEY_GetPublicKeyType(pub_key.get());
@@ -190,8 +240,22 @@ class Pk11KeyImportTestBase : public ::testing::Test {
     CheckForPublicKey(priv_key, pub_val);
 
     *key_type = t;
-    key_info->swap(epki);
     public_value->reset(SECITEM_DupItem(pub_val));
+
+    // Note: NSS is currently unable export wrapped DH keys, so this doesn't
+    // test
+    // CKM_DH_PKCS_KEY_PAIR_GEN beyond generate and verify
+    if (mech_ == CKM_DH_PKCS_KEY_PAIR_GEN) {
+      return;
+    }
+    // Wrap and export the key.
+    ScopedSECKEYEncryptedPrivateKeyInfo epki(PK11_ExportEncryptedPrivKeyInfo(
+        slot_.get(), SEC_OID_AES_256_CBC, password_.get(), priv_key.get(), 1,
+        nullptr));
+    ASSERT_NE(nullptr, epki) << "PK11_ExportEncryptedPrivKeyInfo failed: "
+                             << PORT_ErrorToName(PORT_GetError());
+
+    key_info->swap(epki);
   }
 
   ScopedPK11SlotInfo slot_;
@@ -281,9 +345,8 @@ TEST_P(Pk11KeyImportTest, GenerateExportImport) { Test(); }
 
 INSTANTIATE_TEST_CASE_P(Pk11KeyImportTest, Pk11KeyImportTest,
                         ::testing::Values(CKM_RSA_PKCS_KEY_PAIR_GEN,
-                                          CKM_DSA_KEY_PAIR_GEN));
-// Note: NSS is currently unable export wrapped DH keys, so this doesn't test
-// CKM_DH_PKCS_KEY_PAIR_GEN.
+                                          CKM_DSA_KEY_PAIR_GEN,
+                                          CKM_DH_PKCS_KEY_PAIR_GEN));
 
 class Pk11KeyImportTestEC : public Pk11KeyImportTestBase,
                             public ::testing::WithParamInterface<SECOidTag> {
author	Robert Relyea <rrelyea@redhat.com>	2019-06-06 14:49:28 -0700
committer	Robert Relyea <rrelyea@redhat.com>	2019-06-06 14:49:28 -0700
commit	c93463d134c11b89cc622cc7472990068b3f8d56 (patch)
tree	aec6050283e34de00440d21df2c82df475d0bb4e /gtests/pk11_gtest
parent	0280ec37dc2525a06468911825edd1497187c215 (diff)
parent	d5b4513b83b39994b68c5f9dd5d3a58376f71bcb (diff)
download	nss-hg-c93463d134c11b89cc622cc7472990068b3f8d56.tar.gz