// Copyright 2011 The Go Authors. All rights reserved. // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. package ecdsa import ( "bufio" "compress/bzip2" "crypto/elliptic" "crypto/rand" "crypto/sha1" "crypto/sha256" "crypto/sha512" "encoding/hex" "hash" "io" "math/big" "os" "strings" "testing" ) func testKeyGeneration(t *testing.T, c elliptic.Curve, tag string) { priv, err := GenerateKey(c, rand.Reader) if err != nil { t.Errorf("%s: error: %s", tag, err) return } if !c.IsOnCurve(priv.PublicKey.X, priv.PublicKey.Y) { t.Errorf("%s: public key invalid: %s", tag, err) } } func TestKeyGeneration(t *testing.T) { testKeyGeneration(t, elliptic.P224(), "p224") if testing.Short() { return } testKeyGeneration(t, elliptic.P256(), "p256") testKeyGeneration(t, elliptic.P384(), "p384") testKeyGeneration(t, elliptic.P521(), "p521") } func BenchmarkSignP256(b *testing.B) { b.ResetTimer() p256 := elliptic.P256() hashed := []byte("testing") priv, _ := GenerateKey(p256, rand.Reader) b.ReportAllocs() b.ResetTimer() b.RunParallel(func(pb *testing.PB) { for pb.Next() { _, _, _ = Sign(rand.Reader, priv, hashed) } }) } func BenchmarkSignP384(b *testing.B) { b.ResetTimer() p384 := elliptic.P384() hashed := []byte("testing") priv, _ := GenerateKey(p384, rand.Reader) b.ReportAllocs() b.ResetTimer() b.RunParallel(func(pb *testing.PB) { for pb.Next() { _, _, _ = Sign(rand.Reader, priv, hashed) } }) } func BenchmarkVerifyP256(b *testing.B) { b.ResetTimer() p256 := elliptic.P256() hashed := []byte("testing") priv, _ := GenerateKey(p256, rand.Reader) r, s, _ := Sign(rand.Reader, priv, hashed) b.ReportAllocs() b.ResetTimer() b.RunParallel(func(pb *testing.PB) { for pb.Next() { Verify(&priv.PublicKey, hashed, r, s) } }) } func BenchmarkKeyGeneration(b *testing.B) { b.ResetTimer() p256 := elliptic.P256() b.ReportAllocs() b.ResetTimer() b.RunParallel(func(pb *testing.PB) { for pb.Next() { GenerateKey(p256, rand.Reader) } }) } func testSignAndVerify(t *testing.T, c elliptic.Curve, tag string) { priv, _ := GenerateKey(c, rand.Reader) hashed := []byte("testing") r, s, err := Sign(rand.Reader, priv, hashed) if err != nil { t.Errorf("%s: error signing: %s", tag, err) return } if !Verify(&priv.PublicKey, hashed, r, s) { t.Errorf("%s: Verify failed", tag) } hashed[0] ^= 0xff if Verify(&priv.PublicKey, hashed, r, s) { t.Errorf("%s: Verify always works!", tag) } } func TestSignAndVerify(t *testing.T) { testSignAndVerify(t, elliptic.P224(), "p224") if testing.Short() { return } testSignAndVerify(t, elliptic.P256(), "p256") testSignAndVerify(t, elliptic.P384(), "p384") testSignAndVerify(t, elliptic.P521(), "p521") } func testNonceSafety(t *testing.T, c elliptic.Curve, tag string) { priv, _ := GenerateKey(c, rand.Reader) hashed := []byte("testing") r0, s0, err := Sign(zeroReader, priv, hashed) if err != nil { t.Errorf("%s: error signing: %s", tag, err) return } hashed = []byte("testing...") r1, s1, err := Sign(zeroReader, priv, hashed) if err != nil { t.Errorf("%s: error signing: %s", tag, err) return } if s0.Cmp(s1) == 0 { // This should never happen. t.Errorf("%s: the signatures on two different messages were the same", tag) } if r0.Cmp(r1) == 0 { t.Errorf("%s: the nonce used for two different messages was the same", tag) } } func TestNonceSafety(t *testing.T) { testNonceSafety(t, elliptic.P224(), "p224") if testing.Short() { return } testNonceSafety(t, elliptic.P256(), "p256") testNonceSafety(t, elliptic.P384(), "p384") testNonceSafety(t, elliptic.P521(), "p521") } func testINDCCA(t *testing.T, c elliptic.Curve, tag string) { priv, _ := GenerateKey(c, rand.Reader) hashed := []byte("testing") r0, s0, err := Sign(rand.Reader, priv, hashed) if err != nil { t.Errorf("%s: error signing: %s", tag, err) return } r1, s1, err := Sign(rand.Reader, priv, hashed) if err != nil { t.Errorf("%s: error signing: %s", tag, err) return } if s0.Cmp(s1) == 0 { t.Errorf("%s: two signatures of the same message produced the same result", tag) } if r0.Cmp(r1) == 0 { t.Errorf("%s: two signatures of the same message produced the same nonce", tag) } } func TestINDCCA(t *testing.T) { testINDCCA(t, elliptic.P224(), "p224") if testing.Short() { return } testINDCCA(t, elliptic.P256(), "p256") testINDCCA(t, elliptic.P384(), "p384") testINDCCA(t, elliptic.P521(), "p521") } func fromHex(s string) *big.Int { r, ok := new(big.Int).SetString(s, 16) if !ok { panic("bad hex") } return r } func TestVectors(t *testing.T) { // This test runs the full set of NIST test vectors from // http://csrc.nist.gov/groups/STM/cavp/documents/dss/186-3ecdsatestvectors.zip // // The SigVer.rsp file has been edited to remove test vectors for // unsupported algorithms and has been compressed. if testing.Short() { return } f, err := os.Open("testdata/SigVer.rsp.bz2") if err != nil { t.Fatal(err) } buf := bufio.NewReader(bzip2.NewReader(f)) lineNo := 1 var h hash.Hash var msg []byte var hashed []byte var r, s *big.Int pub := new(PublicKey) for { line, err := buf.ReadString('\n') if len(line) == 0 { if err == io.EOF { break } t.Fatalf("error reading from input: %s", err) } lineNo++ // Need to remove \r\n from the end of the line. if !strings.HasSuffix(line, "\r\n") { t.Fatalf("bad line ending (expected \\r\\n) on line %d", lineNo) } line = line[:len(line)-2] if len(line) == 0 || line[0] == '#' { continue } if line[0] == '[' { line = line[1 : len(line)-1] parts := strings.SplitN(line, ",", 2) switch parts[0] { case "P-224": pub.Curve = elliptic.P224() case "P-256": pub.Curve = elliptic.P256() case "P-384": pub.Curve = elliptic.P384() case "P-521": pub.Curve = elliptic.P521() default: pub.Curve = nil } switch parts[1] { case "SHA-1": h = sha1.New() case "SHA-224": h = sha256.New224() case "SHA-256": h = sha256.New() case "SHA-384": h = sha512.New384() case "SHA-512": h = sha512.New() default: h = nil } continue } if h == nil || pub.Curve == nil { continue } switch { case strings.HasPrefix(line, "Msg = "): if msg, err = hex.DecodeString(line[6:]); err != nil { t.Fatalf("failed to decode message on line %d: %s", lineNo, err) } case strings.HasPrefix(line, "Qx = "): pub.X = fromHex(line[5:]) case strings.HasPrefix(line, "Qy = "): pub.Y = fromHex(line[5:]) case strings.HasPrefix(line, "R = "): r = fromHex(line[4:]) case strings.HasPrefix(line, "S = "): s = fromHex(line[4:]) case strings.HasPrefix(line, "Result = "): expected := line[9] == 'P' h.Reset() h.Write(msg) hashed := h.Sum(hashed[:0]) if Verify(pub, hashed, r, s) != expected { t.Fatalf("incorrect result on line %d", lineNo) } default: t.Fatalf("unknown variable on line %d: %s", lineNo, line) } } } func testNegativeInputs(t *testing.T, curve elliptic.Curve, tag string) { key, err := GenerateKey(curve, rand.Reader) if err != nil { t.Errorf("failed to generate key for %q", tag) } var hash [32]byte r := new(big.Int).SetInt64(1) r.Lsh(r, 550 /* larger than any supported curve */) r.Neg(r) if Verify(&key.PublicKey, hash[:], r, r) { t.Errorf("bogus signature accepted for %q", tag) } } func TestNegativeInputs(t *testing.T) { testNegativeInputs(t, elliptic.P224(), "p224") testNegativeInputs(t, elliptic.P256(), "p256") testNegativeInputs(t, elliptic.P384(), "p384") testNegativeInputs(t, elliptic.P521(), "p521") } func TestZeroHashSignature(t *testing.T) { zeroHash := make([]byte, 64) for _, curve := range []elliptic.Curve{elliptic.P224(), elliptic.P256(), elliptic.P384(), elliptic.P521()} { privKey, err := GenerateKey(curve, rand.Reader) if err != nil { panic(err) } // Sign a hash consisting of all zeros. r, s, err := Sign(rand.Reader, privKey, zeroHash) if err != nil { panic(err) } // Confirm that it can be verified. if !Verify(&privKey.PublicKey, zeroHash, r, s) { t.Errorf("zero hash signature verify failed for %T", curve) } } }