Chromium Code Reviews Chromium Code Reviews
Issue 1209283004:
Implement VerifySignedData() for ECDSA, RSA PKCS#1 and RSA PSS. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@parse_pss| OLD | NEW |
|---|---|
| (Empty) | |
| 1 // Copyright 2015 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include "net/cert/internal/verify_signed_data.h" | |
| 6 | |
| 7 #include "base/base_paths.h" | |
| 8 #include "base/files/file_util.h" | |
| 9 #include "base/path_service.h" | |
| 10 #include "net/cert/internal/signature_algorithm.h" | |
| 11 #include "net/cert/pem_tokenizer.h" | |
| 12 #include "net/der/input.h" | |
| 13 #include "testing/gtest/include/gtest/gtest.h" | |
| 14 | |
| 15 namespace net { | |
| 16 | |
| 17 namespace { | |
| 18 | |
| 19 // Reads a signature verification test file. | |
| 20 // | |
| 21 // The test file is a series of PEM blocks (PEM is just base64 data) with | |
| 22 // headings of: | |
| 23 // | |
| 24 // "PUBLIC KEY" - DER encoding of the SubjectPublicKeyInfo | |
| 25 // "ALGORITHM" - DER encoding of the AlgorithmIdentifier for the signature | |
| 26 // algorithm (signatureAlgorithm in x509) | |
|
Ryan Sleevi
2015/07/07 14:07:31
s/x509/X.509/
(and throughout)
eroman
2015/07/07 18:07:00
Done.
| |
| 27 // "DATA" - The data that was signed (tbsCertificate in x509) | |
| 28 // "SIGNATURE" - The result of signing DATA. | |
| 29 ::testing::AssertionResult ParseTestDataFile(const std::string& file_data, | |
| 30 std::string* public_key, | |
| 31 std::string* algorithm, | |
| 32 std::string* signed_data, | |
| 33 std::string* signature_value) { | |
| 34 const char kPublicKeyBlock[] = "PUBLIC KEY"; | |
| 35 const char kAlgorithmBlock[] = "ALGORITHM"; | |
| 36 const char kSignedDataBlock[] = "DATA"; | |
| 37 const char kSignatureBlock[] = "SIGNATURE"; | |
| 38 | |
| 39 std::vector<std::string> pem_headers; | |
| 40 pem_headers.push_back(kPublicKeyBlock); | |
| 41 pem_headers.push_back(kAlgorithmBlock); | |
| 42 pem_headers.push_back(kSignedDataBlock); | |
| 43 pem_headers.push_back(kSignatureBlock); | |
| 44 | |
| 45 PEMTokenizer pem_tok(file_data, pem_headers); | |
|
Ryan Sleevi
2015/07/07 14:07:31
nit: s/pem_tok/pem_tokenizer/ - the tok abbreviati
eroman
2015/07/07 18:07:00
Done.
| |
| 46 for (size_t cur_index = 0; pem_tok.GetNext(); cur_index++) { | |
|
Ryan Sleevi
2015/07/07 14:07:31
|cur_index| is unused. Why not
while (pem_tok.Get
eroman
2015/07/07 18:07:00
Fixed (was a left-over from older version when I c
| |
| 47 if (pem_tok.block_type() == kPublicKeyBlock) { | |
| 48 public_key->assign(pem_tok.data()); | |
| 49 } else if (pem_tok.block_type() == kAlgorithmBlock) { | |
| 50 algorithm->assign(pem_tok.data()); | |
| 51 } else if (pem_tok.block_type() == kSignedDataBlock) { | |
| 52 signed_data->assign(pem_tok.data()); | |
| 53 } else if (pem_tok.block_type() == kSignatureBlock) { | |
| 54 signature_value->assign(pem_tok.data()); | |
| 55 } | |
| 56 } | |
| 57 | |
| 58 return ::testing::AssertionSuccess(); | |
| 59 } | |
| 60 | |
| 61 // Returns a path to the file |file_name| within the unittest data directory. | |
| 62 base::FilePath GetTestFilePath(const char* file_name) { | |
| 63 base::FilePath src_root; | |
| 64 PathService::Get(base::DIR_SOURCE_ROOT, &src_root); | |
| 65 return src_root.Append( | |
| 66 FILE_PATH_LITERAL("net/data/verify_signed_data_unittest")) | |
| 67 .AppendASCII(file_name); | |
| 68 } | |
| 69 | |
| 70 enum VerifyResult { | |
| 71 SUCCESS, | |
| 72 FAILURE, | |
| 73 }; | |
| 74 | |
| 75 // Reads test data from |file_name| and runs VerifySignedData() over its inputs. | |
| 76 // | |
| 77 // If expected_result was SUCCESS then the test will only succeed if | |
| 78 // VerifySignedData() returns true. | |
| 79 // | |
| 80 // If expected_result was FAILURE then the test will only succeed if | |
| 81 // VerifySignedData() returns false. | |
| 82 void RunTestCase(VerifyResult expected_result, const char* file_name) { | |
| 83 #if !defined(USE_OPENSSL) | |
| 84 LOG(INFO) << "Skipping test, only implemented for BoringSSL"; | |
| 85 return; | |
| 86 #endif | |
| 87 | |
| 88 base::FilePath test_file_path = GetTestFilePath(file_name); | |
| 89 | |
| 90 std::string file_data; | |
| 91 if (!base::ReadFileToString(test_file_path, &file_data)) { | |
|
Ryan Sleevi
2015/07/07 14:07:31
Why not ASSERT_TRUE(base::ReadFileToString(...)) <
eroman
2015/07/07 18:07:00
Done.
(Left-over from when RunTestCase used to ha
| |
| 92 FAIL() << "Couldn't read file: " << test_file_path.value(); | |
| 93 return; | |
| 94 } | |
| 95 | |
| 96 std::string public_key; | |
| 97 std::string algorithm; | |
| 98 std::string signed_data; | |
| 99 std::string signature_value; | |
| 100 | |
| 101 ASSERT_TRUE(ParseTestDataFile(file_data, &public_key, &algorithm, | |
| 102 &signed_data, &signature_value)); | |
| 103 | |
| 104 SignatureAlgorithm signature_algorithm; | |
| 105 ASSERT_TRUE(signature_algorithm.ParseDer(der::Input(algorithm))); | |
| 106 | |
| 107 bool expected_result_bool = expected_result == SUCCESS; | |
| 108 | |
| 109 ASSERT_EQ( | |
| 110 expected_result_bool, | |
| 111 VerifySignedData(signature_algorithm, der::Input(signed_data), | |
| 112 der::Input(signature_value), der::Input(public_key))); | |
| 113 } | |
| 114 | |
| 115 // Read the descriptions in the test files themselves for details on what is | |
| 116 // being tested. | |
| 117 | |
| 118 TEST(VerifySignedDataTest, RsaPkcs1_Sha1) { | |
| 119 RunTestCase(SUCCESS, "rsa-pkcs1-sha1.pem"); | |
|
Ryan Sleevi
2015/07/07 14:07:31
In looking at the enum & such, why not do
EXPECT_
eroman
2015/07/07 18:07:00
I experimented with this earlier, but found it had
| |
| 120 } | |
| 121 | |
| 122 TEST(VerifySignedDataTest, RsaPkcs1_Sha256) { | |
| 123 RunTestCase(SUCCESS, "rsa-pkcs1-sha256.pem"); | |
| 124 } | |
| 125 | |
| 126 TEST(VerifySignedDataTest, Ecdsa_Secp384r1_Sha256) { | |
| 127 RunTestCase(SUCCESS, "ecdsa-secp384r1-sha256.pem"); | |
| 128 } | |
| 129 | |
| 130 TEST(VerifySignedDataTest, Ecdsa_prime256v1_Sha512) { | |
| 131 RunTestCase(SUCCESS, "ecdsa-prime256v1-sha512.pem"); | |
| 132 } | |
| 133 | |
| 134 TEST(VerifySignedDataTest, RsaPss_Sha1) { | |
| 135 RunTestCase(SUCCESS, "rsa-pss-sha1-salt20.pem"); | |
| 136 } | |
| 137 | |
| 138 TEST(VerifySignedDataTest, RsaPss_Sha256) { | |
| 139 RunTestCase(SUCCESS, "rsa-pss-sha256-salt10.pem"); | |
| 140 } | |
| 141 | |
| 142 TEST(VerifySignedDataTest, RsaPss_Sha1_WrongSalt) { | |
| 143 RunTestCase(FAILURE, "rsa-pss-sha1-wrong-salt.pem"); | |
| 144 } | |
| 145 | |
| 146 TEST(VerifySignedDataTest, Ecdsa_Secp384r1_Sha256_CorruptedData) { | |
| 147 RunTestCase(FAILURE, "ecdsa-secp384r1-sha256-corrupted-data.pem"); | |
| 148 } | |
| 149 | |
| 150 TEST(VerifySignedDataTest, RsaPkcs1_Sha1_WrongAlgorithm) { | |
| 151 RunTestCase(FAILURE, "rsa-pkcs1-sha1-wrong-algorithm.pem"); | |
| 152 } | |
| 153 | |
| 154 TEST(VerifySignedDataTest, Ecdsa_prime256v1_Sha512_WrongSignatureFormat) { | |
| 155 RunTestCase(FAILURE, "ecdsa-prime256v1-sha512-wrong-signature-format.pem"); | |
| 156 } | |
| 157 | |
| 158 TEST(VerifySignedDataTest, EcdsaUsingRsaKey) { | |
| 159 RunTestCase(FAILURE, "ecdsa-using-rsa-key.pem"); | |
| 160 } | |
| 161 | |
| 162 TEST(VerifySignedDataTest, RsaUsingEcKey) { | |
| 163 RunTestCase(FAILURE, "rsa-using-ec-key.pem"); | |
| 164 } | |
| 165 | |
| 166 TEST(VerifySignedDataTest, RsaPkcs1_Sha1_BadKeyDerNull) { | |
| 167 RunTestCase(FAILURE, "rsa-pkcs1-sha1-bad-key-der-null.pem"); | |
| 168 } | |
| 169 | |
| 170 TEST(VerifySignedDataTest, RsaPkcs1_Sha1_BadKeyDerLength) { | |
| 171 RunTestCase(FAILURE, "rsa-pkcs1-sha1-bad-key-der-length.pem"); | |
| 172 } | |
| 173 | |
| 174 } // namespace | |
| 175 | |
| 176 } // namespace net | |
| OLD | NEW |
