Diffstat (limited to 'gtests/pk11_gtest')
-rw-r--r-- | gtests/pk11_gtest/pk11_aeskeywrappad_unittest.cc | 2 | ||||
-rw-r--r-- | gtests/pk11_gtest/pk11_ecdsa_unittest.cc | 42 | ||||
-rw-r--r-- | gtests/pk11_gtest/pk11_keygen.cc | 8 | ||||
-rw-r--r-- | gtests/pk11_gtest/pk11_keygen.h | 2 | ||||
-rw-r--r-- | gtests/pk11_gtest/pk11_signature_test.cc | 12 | ||||
-rw-r--r-- | gtests/pk11_gtest/pk11_signature_test.h | 36 |
6 files changed, 89 insertions, 13 deletions
diff --git a/gtests/pk11_gtest/pk11_aeskeywrappad_unittest.cc b/gtests/pk11_gtest/pk11_aeskeywrappad_unittest.cc index ef78f7b0e..9ab172bed 100644 --- a/gtests/pk11_gtest/pk11_aeskeywrappad_unittest.cc +++ b/gtests/pk11_gtest/pk11_aeskeywrappad_unittest.cc @@ -420,4 +420,4 @@ TEST_F(Pkcs11AESKeyWrapPadTest, WrapUnwrapRandom_ShortValidPadding) { ASSERT_EQ(0, memcmp(buf, unwrapped_key.data(), out_len)); } -} /* nss_test */ +} // namespace nss_test diff --git a/gtests/pk11_gtest/pk11_ecdsa_unittest.cc b/gtests/pk11_gtest/pk11_ecdsa_unittest.cc index 9f4bf6a2b..2d0cf6823 100644 --- a/gtests/pk11_gtest/pk11_ecdsa_unittest.cc +++ b/gtests/pk11_gtest/pk11_ecdsa_unittest.cc @@ -14,6 +14,7 @@ #include "pk11_ecdsa_vectors.h" #include "pk11_signature_test.h" +#include "pk11_keygen.h" #include "testvectors/p256ecdsa-sha256-vectors.h" #include "testvectors/p384ecdsa-sha384-vectors.h" #include "testvectors/p521ecdsa-sha512-vectors.h" @@ -63,6 +64,10 @@ TEST_P(Pkcs11EcdsaTest, SignAndVerify) { SignAndVerify(GetParam().sig_params_); } +TEST_P(Pkcs11EcdsaTest, ImportExport) { + ImportExport(GetParam().sig_params_.pkcs8_); +} + static const Pkcs11EcdsaTestParams kEcdsaVectors[] = { {SEC_OID_SHA256, {DataBuffer(kP256Pkcs8, sizeof(kP256Pkcs8)), 
@@ -243,4 +248,41 @@ INSTANTIATE_TEST_SUITE_P(WycheproofP521SignatureSha512Test, Pkcs11EcdsaWycheproofTest, ::testing::ValuesIn(kP521EcdsaSha512Vectors)); +class Pkcs11EcdsaRoundtripTest + : public Pkcs11EcdsaTestBase, + public ::testing::WithParamInterface<SECOidTag> { + public: + Pkcs11EcdsaRoundtripTest() : Pkcs11EcdsaTestBase(SEC_OID_SHA256) {} + + protected: + void GenerateExportImportSignVerify(SECOidTag tag) { + Pkcs11KeyPairGenerator generator(CKM_EC_KEY_PAIR_GEN, tag); + ScopedSECKEYPrivateKey priv; + ScopedSECKEYPublicKey pub; + generator.GenerateKey(&priv, &pub, false); + + DataBuffer exported; + ExportPrivateKey(&priv, exported); + + if (tag != SEC_OID_CURVE25519) { + DataBuffer sig; + DataBuffer sig2; + DataBuffer data(kP256Data, sizeof(kP256Data)); + ASSERT_TRUE( + ImportPrivateKeyAndSignHashedData(exported, data, &sig, &sig2)); + + Verify(pub, data, sig); + } + } +}; + +TEST_P(Pkcs11EcdsaRoundtripTest, GenerateExportImportSignVerify) { + GenerateExportImportSignVerify(GetParam()); +} +INSTANTIATE_TEST_SUITE_P(Pkcs11EcdsaRoundtripTest, Pkcs11EcdsaRoundtripTest, + ::testing::Values(SEC_OID_SECG_EC_SECP256R1, + SEC_OID_SECG_EC_SECP384R1, + SEC_OID_SECG_EC_SECP521R1, + SEC_OID_CURVE25519)); + } // namespace nss_test diff --git a/gtests/pk11_gtest/pk11_keygen.cc b/gtests/pk11_gtest/pk11_keygen.cc index d96cd38f6..5b4de29de 100644 --- a/gtests/pk11_gtest/pk11_keygen.cc +++ b/gtests/pk11_gtest/pk11_keygen.cc @@ -22,7 +22,8 @@ class ParamHolder { }; void Pkcs11KeyPairGenerator::GenerateKey(ScopedSECKEYPrivateKey* priv_key, - ScopedSECKEYPublicKey* pub_key) const { + ScopedSECKEYPublicKey* pub_key, + bool sensitive) const { // This function returns if an assertion fails, so don't leak anything. priv_key->reset(nullptr); pub_key->reset(nullptr); 
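Review bot: The return value of `ExportPrivateKey(&priv, exported)` in `GenerateExportImportSignVerify` is discarded, so for `SEC_OID_CURVE25519`, where the sign/verify branch is skipped, the test passes even if the export fails or yields an empty buffer. `generator.GenerateKey(&priv, &pub, false)` reports failure through gtest assertions inside a void helper, and those do not abort the calling test, so `priv` can still be empty when it is handed to the export. Adding `ASSERT_TRUE(priv);` and `ASSERT_TRUE(ExportPrivateKey(&priv, exported));`, plus `ASSERT_GT(exported.len(), 0u);` for the Curve25519 path, would close both gaps. `ImportExport` in pk11_signature_test.h ignores the same return value and should get the same `ASSERT_TRUE` wrapping.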
@@ -34,8 +35,9 @@ void Pkcs11KeyPairGenerator::GenerateKey(ScopedSECKEYPrivateKey* priv_key, ASSERT_TRUE(slot); SECKEYPublicKey* pub_tmp; - ScopedSECKEYPrivateKey priv_tmp(PK11_GenerateKeyPair( - slot.get(), mech_, params->get(), &pub_tmp, PR_FALSE, PR_TRUE, nullptr)); + ScopedSECKEYPrivateKey priv_tmp( + PK11_GenerateKeyPair(slot.get(), mech_, params->get(), &pub_tmp, PR_FALSE, + sensitive ? PR_TRUE : PR_FALSE, nullptr)); ASSERT_NE(nullptr, priv_tmp) << "PK11_GenerateKeyPair failed: " << PORT_ErrorToName(PORT_GetError()); ASSERT_NE(nullptr, pub_tmp); diff --git a/gtests/pk11_gtest/pk11_keygen.h b/gtests/pk11_gtest/pk11_keygen.h index 05ff97210..2c1ec5249 100644 --- a/gtests/pk11_gtest/pk11_keygen.h +++ b/gtests/pk11_gtest/pk11_keygen.h @@ -22,7 +22,7 @@ class Pkcs11KeyPairGenerator { SECOidTag curve() const { return curve_; } void GenerateKey(ScopedSECKEYPrivateKey* priv_key, - ScopedSECKEYPublicKey* pub_key) const; + ScopedSECKEYPublicKey* pub_key, bool sensitive = true) const; private: std::unique_ptr<ParamHolder> MakeParams() const; diff --git a/gtests/pk11_gtest/pk11_signature_test.cc b/gtests/pk11_gtest/pk11_signature_test.cc index 7ef51812c..c9700707f 100644 --- a/gtests/pk11_gtest/pk11_signature_test.cc +++ b/gtests/pk11_gtest/pk11_signature_test.cc @@ -134,11 +134,9 @@ bool Pk11SignatureTest::ImportPrivateKeyAndSignHashedData( return true; } -void Pk11SignatureTest::Verify(const Pkcs11SignatureTestParams& params, - const DataBuffer& sig, bool valid) { - ScopedSECKEYPublicKey pubKey(ImportPublicKey(params.spki_)); - ASSERT_TRUE(pubKey); - +void Pk11SignatureTest::Verify(ScopedSECKEYPublicKey& pubKey, + const DataBuffer& data, const DataBuffer& sig, + bool valid) { SECStatus rv; DataBuffer hash; 
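Review bot: The new `sensitive` parameter of `GenerateKey` has no comment in pk11_keygen.h, and the bare `false` at the call site (`generator.GenerateKey(&priv, &pub, false)`) does not say what is being switched off. It is forwarded as the sensitivity argument of `PK11_GenerateKeyPair` in pk11_keygen.cc, which is presumably what allows the round-trip test to export the private key. I would add above the declaration: `// |sensitive| = false creates a non-sensitive private key so a test can export it; keep the default everywhere else.`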
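Review bot: The primitive `Verify(ScopedSECKEYPublicKey& pubKey, ...)` no longer checks that the key is non-null: the `ASSERT_TRUE(pubKey)` moved into the params overload, so the new round-trip caller can pass an empty `pub` when key generation failed. Adding `ASSERT_TRUE(pubKey);` as the first statement keeps the failure at its cause instead of inside the verify calls. The parameter could also be `const ScopedSECKEYPublicKey&`, since nothing visible in the hunk modifies it; the function body continues outside the hunk, so that needs confirming against the rest of it.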
@@ -150,7 +148,7 @@ void Pk11SignatureTest::Verify(const Pkcs11SignatureTestParams& params, * with the VFY_ interface, so just do the combined hash/Verify * in that case */ if (!skip_raw_) { - ASSERT_TRUE(ComputeHash(params.data_, &hash)); + ASSERT_TRUE(ComputeHash(data, &hash)); // Verify. SECItem hashItem = {siBuffer, toUcharPtr(hash.data()), @@ -168,7 +166,7 @@ void Pk11SignatureTest::Verify(const Pkcs11SignatureTestParams& params, ASSERT_NE((void*)context, (void*)NULL) << "CreateContext failed Error:" << PORT_ErrorToString(PORT_GetError()) << "\n"; - rv = PK11_DigestOp(context, params.data_.data(), params.data_.len()); + rv = PK11_DigestOp(context, data.data(), data.len()); /* expect success unconditionally here */ EXPECT_EQ(rv, SECSuccess); unsigned int len; diff --git a/gtests/pk11_gtest/pk11_signature_test.h b/gtests/pk11_gtest/pk11_signature_test.h index 82ef03896..c4a8c52c3 100644 --- a/gtests/pk11_gtest/pk11_signature_test.h +++ b/gtests/pk11_gtest/pk11_signature_test.h @@ -34,6 +34,16 @@ class Pk11SignatureTest : public ::testing::Test { CK_MECHANISM_TYPE mechanism() const { return mechanism_; } void setSkipRaw(bool skip_raw) { skip_raw_ = true; } + bool ExportPrivateKey(ScopedSECKEYPrivateKey* key, DataBuffer& pkcs8) { + SECItem* pkcs8Item = PK11_ExportDERPrivateKeyInfo(key->get(), nullptr); + if (!pkcs8Item) { + return false; + } + pkcs8.Assign(pkcs8Item->data, pkcs8Item->len); + SECITEM_ZfreeItem(pkcs8Item, PR_TRUE); + return true; + } + ScopedSECKEYPrivateKey ImportPrivateKey(const DataBuffer& pkcs8); ScopedSECKEYPublicKey ImportPublicKey(const DataBuffer& spki); 
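Review bot: `ExportPrivateKey` passes `key->get()` straight to `PK11_ExportDERPrivateKeyInfo` without checking that the scoped pointer holds a key; an early `if (!key || !*key) return false;` would turn a failed import or generation into a clean `false`. The output is taken as `DataBuffer&` while the neighbouring helper `ImportPrivateKeyAndSignHashedData` uses `DataBuffer*` out-parameters, so `DataBuffer* pkcs8` would match the rest of the class. `SECITEM_ZfreeItem` wipes the DER item, but the copy in `pkcs8` still holds the private key in clear, so a one-line comment marking the buffer as test-only key material would help readers.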
@@ -51,8 +61,23 @@ class Pk11SignatureTest : public ::testing::Test { bool ImportPrivateKeyAndSignHashedData(const DataBuffer& pkcs8, const DataBuffer& data, DataBuffer* sig, DataBuffer* sig2); + + /* most primitive verify implemented in pk11_signature_test.cpp */ + void Verify(ScopedSECKEYPublicKey& pubKey, const DataBuffer& data, + const DataBuffer& sig, bool valid); + + /* quick helper functions that use the primitive verify */ + void Verify(ScopedSECKEYPublicKey& pubKey, const DataBuffer& data, + const DataBuffer& sig) { + Verify(pubKey, data, sig, true); + } + void Verify(const Pkcs11SignatureTestParams& params, const DataBuffer& sig, - bool valid); + bool valid) { + ScopedSECKEYPublicKey pubKey(ImportPublicKey(params.spki_)); + ASSERT_TRUE(pubKey); + Verify(pubKey, params.data_, sig, valid); + } void Verify(const Pkcs11SignatureTestParams& params, bool valid) { Verify(params, params.signature_, valid); @@ -71,6 +96,15 @@ class Pk11SignatureTest : public ::testing::Test { Verify(params, sig2, true); } + // Importing a private key in PKCS#8 format and reexporting it should + // result in the same binary representation. + void ImportExport(const DataBuffer& k) { + DataBuffer exported; + ScopedSECKEYPrivateKey key = ImportPrivateKey(k); + ExportPrivateKey(&key, exported); + EXPECT_EQ(k, exported); + } + private: CK_MECHANISM_TYPE mechanism_; SECOidTag hash_oid_; |
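Review bot: The comment `/* most primitive verify implemented in pk11_signature_test.cpp */` names a file that is not part of this change; the definition is in pk11_signature_test.cc. I would write `/* Primitive verify, defined in pk11_signature_test.cc; the overloads below forward to it. */` so the reader is sent to the right file. The class body starts and ends outside the hunk.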