package keys import ( "crypto" "crypto/ecdsa" "crypto/elliptic" "crypto/rand" "crypto/sha256" "encoding/json" "errors" "github.com/theupdateframework/go-tuf/data" . "gopkg.in/check.v1" ) type DeprecatedECDSASuite struct{} var _ = Suite(DeprecatedECDSASuite{}) type deprecatedEcdsaSigner struct { *ecdsa.PrivateKey } type deprecatedEcdsaPublic struct { PublicKey data.HexBytes `json:"public"` } func (s deprecatedEcdsaSigner) PublicData() *data.PublicKey { pub := s.Public().(*ecdsa.PublicKey) keyValBytes, _ := json.Marshal(deprecatedEcdsaPublic{ PublicKey: elliptic.Marshal(pub.Curve, pub.X, pub.Y)}) return &data.PublicKey{ Type: data.KeyTypeECDSA_SHA2_P256, Scheme: data.KeySchemeECDSA_SHA2_P256, Algorithms: data.HashAlgorithms, Value: keyValBytes, } } func (s deprecatedEcdsaSigner) SignMessage(message []byte) ([]byte, error) { hash := sha256.Sum256(message) return s.PrivateKey.Sign(rand.Reader, hash[:], crypto.SHA256) } func (s deprecatedEcdsaSigner) ContainsID(id string) bool { return s.PublicData().ContainsID(id) } func (deprecatedEcdsaSigner) MarshalPrivateKey() (*data.PrivateKey, error) { return nil, errors.New("not implemented for test") } func (deprecatedEcdsaSigner) UnmarshalPrivateKey(key *data.PrivateKey) error { return errors.New("not implemented for test") } func generatedDeprecatedSigner() (*deprecatedEcdsaSigner, error) { privkey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) if err != nil { return nil, err } return &deprecatedEcdsaSigner{privkey}, nil } func (DeprecatedECDSASuite) TestSignVerifyDeprecatedFormat(c *C) { // Create an ecdsa key with a deprecated format. signer, err := generatedDeprecatedSigner() c.Assert(err, IsNil) msg := []byte("foo") sig, err := signer.SignMessage(msg) c.Assert(err, IsNil) pub := signer.PublicKey keyValBytes, err := json.Marshal(&deprecatedP256Verifier{PublicKey: elliptic.Marshal(pub.Curve, pub.X, pub.Y)}) c.Assert(err, IsNil) publicData := &data.PublicKey{ Type: data.KeyTypeECDSA_SHA2_P256, Scheme: data.KeySchemeECDSA_SHA2_P256, Algorithms: data.HashAlgorithms, Value: keyValBytes, } deprecatedEcdsa := NewDeprecatedEcdsaVerifier() err = deprecatedEcdsa.UnmarshalPublicKey(publicData) c.Assert(err, IsNil) c.Assert(deprecatedEcdsa.Verify(msg, sig), IsNil) } func (DeprecatedECDSASuite) TestECDSAVerifyMismatchMessage(c *C) { signer, err := generatedDeprecatedSigner() c.Assert(err, IsNil) msg := []byte("foo") sig, err := signer.SignMessage(msg) c.Assert(err, IsNil) publicData := signer.PublicData() deprecatedEcdsa := NewDeprecatedEcdsaVerifier() err = deprecatedEcdsa.UnmarshalPublicKey(publicData) c.Assert(err, IsNil) c.Assert(deprecatedEcdsa.Verify([]byte("notfoo"), sig), ErrorMatches, "tuf: deprecated ecdsa signature verification failed") } func (DeprecatedECDSASuite) TestECDSAVerifyMismatchPubKey(c *C) { signer, err := generatedDeprecatedSigner() c.Assert(err, IsNil) msg := []byte("foo") sig, err := signer.SignMessage(msg) c.Assert(err, IsNil) signerNew, err := generatedDeprecatedSigner() c.Assert(err, IsNil) deprecatedEcdsa := NewDeprecatedEcdsaVerifier() err = deprecatedEcdsa.UnmarshalPublicKey(signerNew.PublicData()) c.Assert(err, IsNil) c.Assert(deprecatedEcdsa.Verify([]byte("notfoo"), sig), ErrorMatches, "tuf: deprecated ecdsa signature verification failed") } func (DeprecatedECDSASuite) TestMarshalUnmarshalPublicKey(c *C) { signer, err := generatedDeprecatedSigner() c.Assert(err, IsNil) pub := signer.PublicData() deprecatedEcdsa := NewDeprecatedEcdsaVerifier() err = deprecatedEcdsa.UnmarshalPublicKey(pub) c.Assert(err, IsNil) c.Assert(deprecatedEcdsa.MarshalPublicKey(), DeepEquals, pub) }