1 package keys
2
3 import (
4 "crypto/ecdsa"
5 "crypto/elliptic"
6 "crypto/rand"
7 "encoding/hex"
8 "encoding/json"
9 "errors"
10 "io"
11 "strings"
12
13 fuzz "github.com/google/gofuzz"
14 "github.com/theupdateframework/go-tuf/data"
15 . "gopkg.in/check.v1"
16 )
17
18 type ECDSASuite struct{}
19
20 var _ = Suite(ECDSASuite{})
21
22 func (ECDSASuite) TestSignVerify(c *C) {
23 signer, err := GenerateEcdsaKey()
24 c.Assert(err, IsNil)
25 msg := []byte("foo")
26 sig, err := signer.SignMessage(msg)
27 c.Assert(err, IsNil)
28 publicData := signer.PublicData()
29 pubKey, err := GetVerifier(publicData)
30 c.Assert(err, IsNil)
31 c.Assert(pubKey.Verify(msg, sig), IsNil)
32 }
33
34 func (ECDSASuite) TestECDSAVerifyMismatchMessage(c *C) {
35 signer, err := GenerateEcdsaKey()
36 c.Assert(err, IsNil)
37 msg := []byte("foo")
38 sig, err := signer.SignMessage(msg)
39 c.Assert(err, IsNil)
40 publicData := signer.PublicData()
41 pubKey, err := GetVerifier(publicData)
42 c.Assert(err, IsNil)
43 c.Assert(pubKey.Verify([]byte("notfoo"), sig), ErrorMatches, "tuf: ecdsa signature verification failed")
44 }
45
46 func (ECDSASuite) TestECDSAVerifyMismatchPubKey(c *C) {
47 signer, err := GenerateEcdsaKey()
48 c.Assert(err, IsNil)
49 msg := []byte("foo")
50 sig, err := signer.SignMessage(msg)
51 c.Assert(err, IsNil)
52
53 signerNew, err := GenerateEcdsaKey()
54 c.Assert(err, IsNil)
55 pubKey, err := GetVerifier(signerNew.PublicData())
56 c.Assert(err, IsNil)
57 c.Assert(pubKey.Verify([]byte("notfoo"), sig), ErrorMatches, "tuf: ecdsa signature verification failed")
58 }
59
60 func (ECDSASuite) TestSignVerifyDeprecatedFails(c *C) {
61
62 signer, err := GenerateEcdsaKey()
63 c.Assert(err, IsNil)
64
65 type deprecatedP256Verifier struct {
66 PublicKey data.HexBytes `json:"public"`
67 }
68 pub := signer.PublicKey
69 keyValBytes, err := json.Marshal(&deprecatedP256Verifier{PublicKey: elliptic.Marshal(pub.Curve, pub.X, pub.Y)})
70 c.Assert(err, IsNil)
71 publicData := &data.PublicKey{
72 Type: data.KeyTypeECDSA_SHA2_P256,
73 Scheme: data.KeySchemeECDSA_SHA2_P256,
74 Algorithms: data.HashAlgorithms,
75 Value: keyValBytes,
76 }
77
78 _, err = GetVerifier(publicData)
79 c.Assert(err, ErrorMatches, "tuf: error unmarshalling key: invalid PEM value")
80 }
81
82 func (ECDSASuite) TestMarshalUnmarshalPublicKey(c *C) {
83 signer, err := GenerateEcdsaKey()
84 c.Assert(err, IsNil)
85 publicData := signer.PublicData()
86 pubKey, err := GetVerifier(publicData)
87 c.Assert(err, IsNil)
88 c.Assert(pubKey.MarshalPublicKey(), DeepEquals, publicData)
89 }
90
91 func (ECDSASuite) TestMarshalUnmarshalPrivateKey(c *C) {
92 signer, err := GenerateEcdsaKey()
93 c.Assert(err, IsNil)
94 privateData, err := signer.MarshalPrivateKey()
95 c.Assert(err, IsNil)
96 c.Assert(privateData.Type, Equals, data.KeyTypeECDSA_SHA2_P256)
97 c.Assert(privateData.Scheme, Equals, data.KeySchemeECDSA_SHA2_P256)
98 c.Assert(privateData.Algorithms, DeepEquals, data.HashAlgorithms)
99 s, err := GetSigner(privateData)
100 c.Assert(err, IsNil)
101 c.Assert(s, DeepEquals, signer)
102 }
103
104 func (ECDSASuite) TestUnmarshalECDSA(c *C) {
105 priv, err := ecdsa.GenerateKey(elliptic.P256(), strings.NewReader("00001-deterministic-buffer-for-key-generation"))
106 c.Assert(err, IsNil)
107
108 signer := &ecdsaSigner{priv}
109 goodKey := signer.PublicData()
110
111 verifier := NewEcdsaVerifier()
112 c.Assert(verifier.UnmarshalPublicKey(goodKey), IsNil)
113 }
114
115 func (ECDSASuite) TestUnmarshalECDSA_Invalid(c *C) {
116 badKeyValue, err := json.Marshal(true)
117 c.Assert(err, IsNil)
118
119 badKey := &data.PublicKey{
120 Type: data.KeyTypeECDSA_SHA2_P256,
121 Scheme: data.KeySchemeECDSA_SHA2_P256,
122 Algorithms: data.HashAlgorithms,
123 Value: badKeyValue,
124 }
125 verifier := NewEcdsaVerifier()
126 c.Assert(verifier.UnmarshalPublicKey(badKey), ErrorMatches, "json: cannot unmarshal.*")
127 }
128
129 func (ECDSASuite) TestUnmarshalECDSA_FastFuzz(c *C) {
130 verifier := NewEcdsaVerifier()
131 for i := 0; i < 50; i++ {
132
133
134 f := fuzz.New()
135 var publicData data.PublicKey
136 f.Fuzz(&publicData)
137
138 verifier.UnmarshalPublicKey(&publicData)
139 }
140 }
141
142 func (ECDSASuite) TestUnmarshalECDSA_TooLongContent(c *C) {
143 randomSeed := make([]byte, MaxJSONKeySize)
144 _, err := io.ReadFull(rand.Reader, randomSeed)
145 c.Assert(err, IsNil)
146
147 tooLongPayload, err := json.Marshal(
148 &ed25519Verifier{
149 PublicKey: data.HexBytes(hex.EncodeToString(randomSeed)),
150 },
151 )
152 c.Assert(err, IsNil)
153
154 badKey := &data.PublicKey{
155 Type: data.KeyTypeECDSA_SHA2_P256,
156 Scheme: data.KeySchemeECDSA_SHA2_P256,
157 Algorithms: data.HashAlgorithms,
158 Value: tooLongPayload,
159 }
160 verifier := NewEcdsaVerifier()
161 err = verifier.UnmarshalPublicKey(badKey)
162 c.Assert(errors.Is(err, io.ErrUnexpectedEOF), Equals, true)
163 }
164
View as plain text