Google Git
Sign in
quiche / quiche / cef048466f4357f30059b69b5b3ff304e199f13e / . / quiche / blind_sign_auth / anonymous_tokens / cpp / crypto / rsa_ssa_pss_verifier_test.cc
blob: 2732c75f6ca843987f2a5fd7d3b642a9776ac861 [file] [log] [blame]
// Copyright 2023 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include "quiche/blind_sign_auth/anonymous_tokens/cpp/crypto/rsa_ssa_pss_verifier.h"
#include <memory>
#include <string>
#include <utility>
#include "quiche/common/platform/api/quiche_test.h"
#include "quiche/common/test_tools/quiche_test_utils.h"
#include "absl/status/status.h"
#include "absl/status/statusor.h"
#include "absl/strings/string_view.h"
#include "quiche/blind_sign_auth/anonymous_tokens/cpp/crypto/constants.h"
#include "quiche/blind_sign_auth/anonymous_tokens/cpp/crypto/crypto_utils.h"
#include "quiche/blind_sign_auth/anonymous_tokens/cpp/testing/utils.h"
#include "quiche/blind_sign_auth/anonymous_tokens/proto/anonymous_tokens.pb.h"
#include "openssl/rsa.h"
namespace private_membership {
namespace anonymous_tokens {
namespace {
// TODO(b/259581423): Add tests incorporating blinder and signer.
// TODO(b/275956922): Consolidate all tests that use IETF test vectors into one
// E2E test.
TEST(RsaSsaPssVerifier, SuccessfulVerification) {
const IetfStandardRsaBlindSignatureTestVector test_vec =
GetIetfStandardRsaBlindSignatureTestVector();
ANON_TOKENS_ASSERT_OK_AND_ASSIGN(const auto test_keys,
GetIetfStandardRsaBlindSignatureTestKeys());
const EVP_MD *sig_hash = EVP_sha384(); // Owned by BoringSSL
const EVP_MD *mgf1_hash = EVP_sha384(); // Owned by BoringSSL
const int salt_length = kSaltLengthInBytes48;
ANON_TOKENS_ASSERT_OK_AND_ASSIGN(
const auto verifier, RsaSsaPssVerifier::New(salt_length, sig_hash,
mgf1_hash, test_keys.first));
EXPECT_TRUE(verifier->Verify(test_vec.signature, test_vec.message).ok());
}
TEST(RsaSsaPssVerifier, InvalidSignature) {
const IetfStandardRsaBlindSignatureTestVector test_vec =
GetIetfStandardRsaBlindSignatureTestVector();
ANON_TOKENS_ASSERT_OK_AND_ASSIGN(const auto test_keys,
GetIetfStandardRsaBlindSignatureTestKeys());
const EVP_MD *sig_hash = EVP_sha384(); // Owned by BoringSSL
const EVP_MD *mgf1_hash = EVP_sha384(); // Owned by BoringSSL
const int salt_length = kSaltLengthInBytes48;
ANON_TOKENS_ASSERT_OK_AND_ASSIGN(
const auto verifier, RsaSsaPssVerifier::New(salt_length, sig_hash,
mgf1_hash, test_keys.first));
// corrupt signature
std::string wrong_sig = test_vec.signature;
wrong_sig.replace(10, 1, "x");
absl::Status verification_result =
verifier->Verify(wrong_sig, test_vec.message);
EXPECT_EQ(verification_result.code(), absl::StatusCode::kInvalidArgument);
EXPECT_THAT(verification_result.message(),
testing::HasSubstr("verification failed"));
}
TEST(RsaSsaPssVerifier, InvalidVerificationKey) {
const IetfStandardRsaBlindSignatureTestVector test_vec =
GetIetfStandardRsaBlindSignatureTestVector();
const EVP_MD *sig_hash = EVP_sha384(); // Owned by BoringSSL
const EVP_MD *mgf1_hash = EVP_sha384(); // Owned by BoringSSL
const int salt_length = kSaltLengthInBytes48;
// wrong key
ANON_TOKENS_ASSERT_OK_AND_ASSIGN(auto new_keys_pair, GetStandardRsaKeyPair());
ANON_TOKENS_ASSERT_OK_AND_ASSIGN(
const auto verifier,
RsaSsaPssVerifier::New(salt_length, sig_hash, mgf1_hash,
new_keys_pair.first));
absl::Status verification_result =
verifier->Verify(test_vec.signature, test_vec.message);
EXPECT_EQ(verification_result.code(), absl::StatusCode::kInvalidArgument);
EXPECT_THAT(verification_result.message(),
testing::HasSubstr("verification failed"));
}
TEST(RsaSsaPssVerifierTestWithPublicMetadata,
EmptyMessageStandardVerificationSuccess) {
absl::string_view message = "";
const EVP_MD *sig_hash = EVP_sha384(); // Owned by BoringSSL
const EVP_MD *mgf1_hash = EVP_sha384(); // Owned by BoringSSL
const int salt_length = kSaltLengthInBytes48;
ANON_TOKENS_ASSERT_OK_AND_ASSIGN(const auto test_key,
GetStandardRsaKeyPair());
ANON_TOKENS_ASSERT_OK_AND_ASSIGN(
auto private_key, AnonymousTokensRSAPrivateKeyToRSA(test_key.second));
ANON_TOKENS_ASSERT_OK_AND_ASSIGN(
std::string encoded_message,
EncodeMessageForTests(message, test_key.first, sig_hash, mgf1_hash,
salt_length));
ANON_TOKENS_ASSERT_OK_AND_ASSIGN(
std::string potentially_insecure_signature,
TestSign(encoded_message, private_key.get()));
ANON_TOKENS_ASSERT_OK_AND_ASSIGN(
auto verifier,
RsaSsaPssVerifier::New(salt_length, sig_hash, mgf1_hash, test_key.first));
EXPECT_TRUE(verifier->Verify(potentially_insecure_signature, message).ok());
}
// TODO(b/275956922): Consolidate all tests that use IETF test vectors into one
// E2E test.
TEST(RsaSsaPssVerifierTestWithPublicMetadata,
IetfRsaBlindSignaturesWithPublicMetadataTestVectorsSuccess) {
auto test_vectors = GetIetfRsaBlindSignatureWithPublicMetadataTestVectors();
const EVP_MD *sig_hash = EVP_sha384(); // Owned by BoringSSL
const EVP_MD *mgf1_hash = EVP_sha384(); // Owned by BoringSSL
const int salt_length = kSaltLengthInBytes48;
ANON_TOKENS_ASSERT_OK_AND_ASSIGN(
const auto test_key,
GetIetfRsaBlindSignatureWithPublicMetadataTestKeys());
for (const auto &test_vector : test_vectors) {
ANON_TOKENS_ASSERT_OK_AND_ASSIGN(
auto verifier,
RsaSsaPssVerifier::New(salt_length, sig_hash, mgf1_hash, test_key.first,
test_vector.public_metadata));
EXPECT_TRUE(verifier
->Verify(test_vector.signature,
MaskMessageConcat(test_vector.message_mask,
test_vector.message))
.ok());
}
}
using CreateTestKeyPairFunction =
absl::StatusOr<std::pair<RSAPublicKey, RSAPrivateKey>>();
class RsaSsaPssVerifierTestWithPublicMetadata
: public ::testing::TestWithParam<CreateTestKeyPairFunction *> {
protected:
void SetUp() override {
ANON_TOKENS_ASSERT_OK_AND_ASSIGN(auto keys_pair, (*GetParam())());
public_key_ = std::move(keys_pair.first);
ANON_TOKENS_ASSERT_OK_AND_ASSIGN(
private_key_, AnonymousTokensRSAPrivateKeyToRSA(keys_pair.second));
// NOTE: using recommended RsaSsaPssParams
sig_hash_ = EVP_sha384();
mgf1_hash_ = EVP_sha384();
salt_length_ = kSaltLengthInBytes48;
}
RSAPublicKey public_key_;
bssl::UniquePtr<RSA> private_key_;
const EVP_MD *sig_hash_; // Owned by BoringSSL.
const EVP_MD *mgf1_hash_; // Owned by BoringSSL.
int salt_length_;
};
// This test only tests whether the implemented verfier 'verifies' properly
// under some public metadata. The outline of method calls in this test should
// not be assumed a secure signature scheme (and used in other places) as the
// security has not been proven/analyzed.
TEST_P(RsaSsaPssVerifierTestWithPublicMetadata,
VerifierWorksWithPublicMetadata) {
absl::string_view message = "Hello World!";
absl::string_view public_metadata = "pubmd!";
std::string augmented_message =
EncodeMessagePublicMetadata(message, public_metadata);
ANON_TOKENS_ASSERT_OK_AND_ASSIGN(
std::string encoded_message,
EncodeMessageForTests(augmented_message, public_key_, sig_hash_,
mgf1_hash_, salt_length_));
ANON_TOKENS_ASSERT_OK_AND_ASSIGN(
std::string potentially_insecure_signature,
TestSignWithPublicMetadata(encoded_message, public_metadata,
*private_key_));
ANON_TOKENS_ASSERT_OK_AND_ASSIGN(
auto verifier, RsaSsaPssVerifier::New(salt_length_, sig_hash_, mgf1_hash_,
public_key_, public_metadata));
EXPECT_TRUE(verifier->Verify(potentially_insecure_signature, message).ok());
}
TEST_P(RsaSsaPssVerifierTestWithPublicMetadata,
VerifierFailsToVerifyWithWrongPublicMetadata) {
absl::string_view message = "Hello World!";
absl::string_view public_metadata = "pubmd!";
absl::string_view public_metadata_2 = "pubmd2";
std::string augmented_message =
EncodeMessagePublicMetadata(message, public_metadata);
ANON_TOKENS_ASSERT_OK_AND_ASSIGN(
std::string encoded_message,
EncodeMessageForTests(augmented_message, public_key_, sig_hash_,
mgf1_hash_, salt_length_));
ANON_TOKENS_ASSERT_OK_AND_ASSIGN(
std::string potentially_insecure_signature,
TestSignWithPublicMetadata(encoded_message, public_metadata,
*private_key_));
ANON_TOKENS_ASSERT_OK_AND_ASSIGN(
auto verifier, RsaSsaPssVerifier::New(salt_length_, sig_hash_, mgf1_hash_,
public_key_, public_metadata_2));
absl::Status verification_result =
verifier->Verify(potentially_insecure_signature, message);
EXPECT_EQ(verification_result.code(), absl::StatusCode::kInvalidArgument);
EXPECT_THAT(verification_result.message(),
testing::HasSubstr("verification failed"));
}
TEST_P(RsaSsaPssVerifierTestWithPublicMetadata,
VerifierFailsToVerifyWithEmptyPublicMetadata) {
absl::string_view message = "Hello World!";
absl::string_view public_metadata = "pubmd!";
absl::string_view empty_public_metadata = "";
std::string augmented_message =
EncodeMessagePublicMetadata(message, public_metadata);
ANON_TOKENS_ASSERT_OK_AND_ASSIGN(
std::string encoded_message,
EncodeMessageForTests(augmented_message, public_key_, sig_hash_,
mgf1_hash_, salt_length_));
ANON_TOKENS_ASSERT_OK_AND_ASSIGN(
std::string potentially_insecure_signature,
TestSignWithPublicMetadata(encoded_message, public_metadata,
*private_key_));
ANON_TOKENS_ASSERT_OK_AND_ASSIGN(
auto verifier,
RsaSsaPssVerifier::New(salt_length_, sig_hash_, mgf1_hash_, public_key_,
empty_public_metadata));
absl::Status verification_result =
verifier->Verify(potentially_insecure_signature, message);
EXPECT_EQ(verification_result.code(), absl::StatusCode::kInvalidArgument);
EXPECT_THAT(verification_result.message(),
testing::HasSubstr("verification failed"));
}
TEST_P(RsaSsaPssVerifierTestWithPublicMetadata,
VerifierFailsToVerifyWithoutPublicMetadataSupport) {
absl::string_view message = "Hello World!";
absl::string_view public_metadata = "pubmd!";
std::string augmented_message =
EncodeMessagePublicMetadata(message, public_metadata);
ANON_TOKENS_ASSERT_OK_AND_ASSIGN(
std::string encoded_message,
EncodeMessageForTests(augmented_message, public_key_, sig_hash_,
mgf1_hash_, salt_length_));
ANON_TOKENS_ASSERT_OK_AND_ASSIGN(
std::string potentially_insecure_signature,
TestSignWithPublicMetadata(encoded_message, public_metadata,
*private_key_));
ANON_TOKENS_ASSERT_OK_AND_ASSIGN(
auto verifier,
RsaSsaPssVerifier::New(salt_length_, sig_hash_, mgf1_hash_, public_key_));
absl::Status verification_result =
verifier->Verify(potentially_insecure_signature, message);
EXPECT_EQ(verification_result.code(), absl::StatusCode::kInvalidArgument);
EXPECT_THAT(verification_result.message(),
testing::HasSubstr("verification failed"));
}
TEST_P(RsaSsaPssVerifierTestWithPublicMetadata,
EmptyMessageEmptyPublicMetadataVerificationSuccess) {
absl::string_view message = "";
absl::string_view public_metadata = "";
std::string augmented_message =
EncodeMessagePublicMetadata(message, public_metadata);
ANON_TOKENS_ASSERT_OK_AND_ASSIGN(
std::string encoded_message,
EncodeMessageForTests(augmented_message, public_key_, sig_hash_,
mgf1_hash_, salt_length_));
ANON_TOKENS_ASSERT_OK_AND_ASSIGN(
std::string potentially_insecure_signature,
TestSignWithPublicMetadata(encoded_message, public_metadata,
*private_key_.get()));
ANON_TOKENS_ASSERT_OK_AND_ASSIGN(
auto verifier, RsaSsaPssVerifier::New(salt_length_, sig_hash_, mgf1_hash_,
public_key_, public_metadata));
EXPECT_TRUE(verifier->Verify(potentially_insecure_signature, message).ok());
}
INSTANTIATE_TEST_SUITE_P(RsaSsaPssVerifierTestWithPublicMetadata,
RsaSsaPssVerifierTestWithPublicMetadata,
::testing::Values(&GetStrongRsaKeys2048,
&GetAnotherStrongRsaKeys2048,
&GetStrongRsaKeys3072,
&GetStrongRsaKeys4096));
} // namespace
} // namespace anonymous_tokens
} // namespace private_membership