1// Copyright 2011 The Go Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style 3// license that can be found in the LICENSE file. 4 5package packet 6 7import ( 8 "bytes" 9 "crypto" 10 "crypto/dsa" 11 "crypto/ecdsa" 12 "crypto/elliptic" 13 "crypto/rand" 14 "crypto/rsa" 15 "crypto/x509" 16 "encoding/hex" 17 "hash" 18 "math/big" 19 mathrand "math/rand" 20 "testing" 21 "time" 22 23 "github.com/ProtonMail/go-crypto/openpgp/ecdh" 24 "github.com/ProtonMail/go-crypto/openpgp/elgamal" 25 "github.com/ProtonMail/go-crypto/openpgp/internal/algorithm" 26 "golang.org/x/crypto/ed25519" 27) 28 29const maxMessageLength = 1 << 10 30 31var privateKeyTests = []struct { 32 privateKeyHex string 33 creationTime time.Time 34}{ 35 { 36 privKeyRSAHex, 37 time.Unix(0x4cc349a8, 0), 38 }, 39 { 40 privKeyElGamalHex, 41 time.Unix(0x4df9ee1a, 0), 42 }, 43} 44 45func TestExternalPrivateKeyRead(t *testing.T) { 46 for i, test := range privateKeyTests { 47 packet, err := Read(readerFromHex(test.privateKeyHex)) 48 if err != nil { 49 t.Errorf("#%d: failed to parse: %s", i, err) 50 continue 51 } 52 53 privKey := packet.(*PrivateKey) 54 55 if !privKey.Encrypted { 56 t.Errorf("#%d: private key isn't encrypted", i) 57 continue 58 } 59 60 err = privKey.Decrypt([]byte("wrong password")) 61 if err == nil { 62 t.Errorf("#%d: decrypted with incorrect key", i) 63 continue 64 } 65 66 err = privKey.Decrypt([]byte("testing")) 67 if err != nil { 68 t.Errorf("#%d: failed to decrypt: %s", i, err) 69 continue 70 } 71 72 if !privKey.CreationTime.Equal(test.creationTime) || privKey.Encrypted { 73 t.Errorf("#%d: bad result, got: %#v", i, privKey) 74 } 75 } 76} 77 78// En/decryption of private keys provided externally, with random passwords 79func TestExternalPrivateKeyEncryptDecryptRandomizeSlow(t *testing.T) { 80 for i, test := range privateKeyTests { 81 packet, err := Read(readerFromHex(test.privateKeyHex)) 82 if err != nil { 83 t.Errorf("#%d: failed to parse: %s", i, err) 84 continue 85 } 86 87 privKey := packet.(*PrivateKey) 88 89 if !privKey.Encrypted { 90 t.Errorf("#%d: private key isn't encrypted", i) 91 continue 92 } 93 94 // Decrypt with the correct password 95 err = privKey.Decrypt([]byte("testing")) 96 if err != nil { 97 t.Errorf("#%d: failed to decrypt: %s", i, err) 98 continue 99 } 100 101 // Encrypt with another (possibly empty) password 102 randomPassword := make([]byte, mathrand.Intn(30)) 103 rand.Read(randomPassword) 104 err = privKey.Encrypt(randomPassword) 105 if err != nil { 106 t.Errorf("#%d: failed to encrypt: %s", i, err) 107 continue 108 } 109 110 // Try to decrypt with incorrect password 111 incorrect := make([]byte, 1+mathrand.Intn(30)) 112 for rand.Read(incorrect); bytes.Equal(incorrect, randomPassword); { 113 rand.Read(incorrect) 114 } 115 err = privKey.Decrypt(incorrect) 116 if err == nil { 117 t.Errorf("#%d: decrypted with incorrect password\nPassword is:%vDecrypted with:%v", i, randomPassword, incorrect) 118 continue 119 } 120 121 // Try to decrypt with old password 122 err = privKey.Decrypt([]byte("testing")) 123 if err == nil { 124 t.Errorf("#%d: decrypted with old password", i) 125 continue 126 } 127 128 // Decrypt with correct password 129 err = privKey.Decrypt(randomPassword) 130 if err != nil { 131 t.Errorf("#%d: failed to decrypt: %s", i, err) 132 continue 133 } 134 135 if !privKey.CreationTime.Equal(test.creationTime) || privKey.Encrypted { 136 t.Errorf("#%d: bad result, got: %#v", i, privKey) 137 } 138 } 139} 140 141func populateHash(hashFunc crypto.Hash, msg []byte) (hash.Hash, error) { 142 h := hashFunc.New() 143 if _, err := h.Write(msg); err != nil { 144 return nil, err 145 } 146 return h, nil 147} 148 149func TestExternalRSAPrivateKey(t *testing.T) { 150 privKeyDER, _ := hex.DecodeString(pkcs1PrivKeyHex) 151 rsaPriv, err := x509.ParsePKCS1PrivateKey(privKeyDER) 152 if err != nil { 153 t.Fatal(err) 154 } 155 156 var buf bytes.Buffer 157 xrsaPriv := &rsa.PrivateKey{ 158 PublicKey: rsa.PublicKey{ 159 E: rsaPriv.PublicKey.E, 160 N: rsaPriv.PublicKey.N, 161 }, 162 D: rsaPriv.D, 163 Primes: rsaPriv.Primes, 164 } 165 xrsaPriv.Precompute() 166 if err := NewRSAPrivateKey(time.Now(), xrsaPriv).Serialize(&buf); err != nil { 167 t.Fatal(err) 168 } 169 170 p, err := Read(&buf) 171 if err != nil { 172 t.Fatal(err) 173 } 174 175 priv, ok := p.(*PrivateKey) 176 if !ok { 177 t.Fatal("didn't parse private key") 178 } 179 180 sig := &Signature{ 181 Version: 4, 182 PubKeyAlgo: PubKeyAlgoRSA, 183 Hash: crypto.SHA256, 184 } 185 for j := 0; j < 256; j++ { 186 msg := make([]byte, maxMessageLength) 187 rand.Read(msg) 188 189 h, err := populateHash(sig.Hash, msg) 190 if err != nil { 191 t.Fatal(err) 192 } 193 if err := sig.Sign(h, priv, nil); err != nil { 194 t.Fatal(err) 195 } 196 197 if h, err = populateHash(sig.Hash, msg); err != nil { 198 t.Fatal(err) 199 } 200 if err := priv.VerifySignature(h, sig); err != nil { 201 t.Fatal(err) 202 } 203 } 204} 205 206func TestECDSAPrivateKeysRandomizeFast(t *testing.T) { 207 ecdsaPriv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) 208 if err != nil { 209 t.Fatal(err) 210 } 211 212 var buf bytes.Buffer 213 if err := NewECDSAPrivateKey(time.Now(), ecdsaPriv).Serialize(&buf); err != nil { 214 t.Fatal(err) 215 } 216 217 p, err := Read(&buf) 218 if err != nil { 219 t.Fatal(err) 220 } 221 222 priv, ok := p.(*PrivateKey) 223 if !ok { 224 t.Fatal("didn't parse private key") 225 } 226 227 sig := &Signature{ 228 Version: 4, 229 PubKeyAlgo: PubKeyAlgoECDSA, 230 Hash: crypto.SHA256, 231 } 232 msg := make([]byte, mathrand.Intn(maxMessageLength)) 233 rand.Read(msg) 234 235 h, err := populateHash(sig.Hash, msg) 236 if err != nil { 237 t.Fatal(err) 238 } 239 if err := sig.Sign(h, priv, nil); err != nil { 240 t.Fatal(err) 241 } 242 243 if h, err = populateHash(sig.Hash, msg); err != nil { 244 t.Fatal(err) 245 } 246 if err := priv.VerifySignature(h, sig); err != nil { 247 t.Fatal(err) 248 } 249} 250 251type rsaSigner struct { 252 *rsa.PrivateKey 253} 254 255func TestRSASignerPrivateKeysRandomizeSlow(t *testing.T) { 256 // Generate random key 257 rsaPriv, err := rsa.GenerateKey(rand.Reader, 1024) 258 if err != nil { 259 t.Fatal(err) 260 } 261 262 priv := NewSignerPrivateKey(time.Now(), &rsaSigner{rsaPriv}) 263 264 sig := &Signature{ 265 Version: 4, 266 PubKeyAlgo: PubKeyAlgoRSA, 267 Hash: crypto.SHA256, 268 } 269 270 // Sign random message 271 msg := make([]byte, maxMessageLength) 272 h, err := populateHash(sig.Hash, msg) 273 274 if err != nil { 275 t.Fatal(err) 276 } 277 if err := sig.Sign(h, priv, nil); err != nil { 278 t.Fatal(err) 279 } 280 281 if h, err = populateHash(sig.Hash, msg); err != nil { 282 t.Fatal(err) 283 } 284 285 // Verify signature 286 if err := priv.VerifySignature(h, sig); err != nil { 287 t.Fatal(err) 288 } 289 290 // Try to verify signature with wrong key 291 incorrectRsaPriv, err := rsa.GenerateKey(rand.Reader, 1024) 292 if err != nil { 293 t.Fatal(err) 294 } 295 incorrectPriv := NewSignerPrivateKey(time.Now(), &rsaSigner{incorrectRsaPriv}) 296 if err = incorrectPriv.VerifySignature(h, sig); err == nil { 297 t.Fatalf( 298 "Verified signature with incorrect key.\nCorrect key: \n%v\nIncorrect key:\n%v\nSignature:%v", 299 priv, incorrectPriv, sig) 300 } 301} 302 303type ecdsaSigner struct { 304 *ecdsa.PrivateKey 305} 306 307func TestECDSASignerPrivateKeysRandomizeFast(t *testing.T) { 308 ecdsaPriv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) 309 if err != nil { 310 t.Fatal(err) 311 } 312 313 priv := NewSignerPrivateKey(time.Now(), &ecdsaSigner{ecdsaPriv}) 314 315 if priv.PubKeyAlgo != PubKeyAlgoECDSA { 316 t.Fatal("NewSignerPrivateKey should have made an ECSDA private key") 317 } 318 319 sig := &Signature{ 320 Version: 4, 321 PubKeyAlgo: PubKeyAlgoECDSA, 322 Hash: crypto.SHA256, 323 } 324 msg := make([]byte, mathrand.Intn(maxMessageLength)) 325 rand.Read(msg) 326 327 h, err := populateHash(sig.Hash, msg) 328 if err != nil { 329 t.Fatal(err) 330 } 331 if err := sig.Sign(h, priv, nil); err != nil { 332 t.Fatal(err) 333 } 334 335 if h, err = populateHash(sig.Hash, msg); err != nil { 336 t.Fatal(err) 337 } 338 if err := priv.VerifySignature(h, sig); err != nil { 339 t.Fatal(err) 340 } 341} 342 343func TestEdDSASignerPrivateKeyRandomizeFast(t *testing.T) { 344 _, eddsaPriv, err := ed25519.GenerateKey(rand.Reader) 345 if err != nil { 346 t.Fatal(err) 347 } 348 349 priv := NewSignerPrivateKey(time.Now(), eddsaPriv) 350 351 if priv.PubKeyAlgo != PubKeyAlgoEdDSA { 352 t.Fatal("NewSignerPrivateKey should have made a EdDSA private key") 353 } 354 355 sig := &Signature{ 356 Version: 4, 357 PubKeyAlgo: PubKeyAlgoEdDSA, 358 Hash: crypto.SHA256, 359 } 360 msg := make([]byte, maxMessageLength) 361 rand.Read(msg) 362 363 h, err := populateHash(sig.Hash, msg) 364 if err != nil { 365 t.Fatal(err) 366 } 367 if err := sig.Sign(h, priv, nil); err != nil { 368 t.Fatal(err) 369 } 370 if h, err = populateHash(sig.Hash, msg); err != nil { 371 t.Fatal(err) 372 } 373 if err := priv.VerifySignature(h, sig); err != nil { 374 t.Fatal(err) 375 } 376} 377 378// Tests correctness when encrypting an EdDSA private key with a password. 379func TestEncryptDecryptEdDSAPrivateKeyRandomizeFast(t *testing.T) { 380 password := make([]byte, 20) 381 _, err := rand.Read(password) 382 if err != nil { 383 panic(err) 384 } 385 _, primaryKey, err := ed25519.GenerateKey(rand.Reader) 386 if err != nil { 387 panic(err) 388 } 389 privKey := *NewEdDSAPrivateKey(time.Now(), &primaryKey) 390 copiedPrivKey := make([]byte, len(primaryKey)) 391 copy(copiedPrivKey, *privKey.PrivateKey.(*ed25519.PrivateKey)) 392 // Encrypt private key with random passphrase 393 privKey.Encrypt(password) 394 // Decrypt and check correctness 395 privKey.Decrypt(password) 396 if !bytes.Equal(*privKey.PrivateKey.(*ed25519.PrivateKey), copiedPrivKey) { 397 t.Fatalf("Private key was not correctly decrypted:\ngot:\n%v\nwant:\n%v", privKey.PrivateKey, copiedPrivKey) 398 } 399} 400 401func TestIssue11505(t *testing.T) { 402 // parsing a rsa private key with p or q == 1 used to panic due to a divide by zero 403 _, _ = Read(readerFromHex("9c3004303030300100000011303030000000000000010130303030303030303030303030303030303030303030303030303030303030303030303030303030303030")) 404} 405 406func TestEdDSAValidation(t *testing.T) { 407 _, priv, err := ed25519.GenerateKey(rand.Reader) 408 if err != nil { 409 t.Fatalf("could not generate test key: %s", err) 410 } 411 if err = validateEdDSAParameters(&priv); err != nil { 412 t.Fatalf("valid key marked as invalid: %s", err) 413 } 414 priv[33] ^= 1 415 if err = validateEdDSAParameters(&priv); err == nil { 416 t.Fatalf("failed to detect invalid key") 417 } 418} 419 420func TestECDSAValidation(t *testing.T) { 421 priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) 422 if err != nil { 423 t.Fatalf("could not generate test key: %s", err) 424 } 425 if err = validateECDSAParameters(priv); err != nil { 426 t.Fatalf("valid key marked as invalid: %s", err) 427 } 428 priv.X.Sub(priv.X, big.NewInt(1)) 429 if err = validateECDSAParameters(priv); err == nil { 430 t.Fatalf("failed to detect invalid key") 431 } 432} 433 434func TestECDHValidation(t *testing.T) { 435 kdf := ecdh.KDF{ 436 Hash: algorithm.SHA512, 437 Cipher: algorithm.AES256, 438 } 439 priv, err := ecdh.GenerateKey(elliptic.P256(), kdf, rand.Reader) 440 if err != nil { 441 t.Fatalf("could not generate test key: %s", err) 442 } 443 if err = validateECDHParameters(priv); err != nil { 444 t.Fatalf("valid key marked as invalid: %s", err) 445 } 446 priv.X.Sub(priv.X, big.NewInt(1)) 447 if err = validateECDHParameters(priv); err == nil { 448 t.Fatalf("failed to detect invalid key") 449 } 450} 451 452func TestDSAValidation(t *testing.T) { 453 var priv dsa.PrivateKey 454 params := &priv.Parameters 455 err := dsa.GenerateParameters(params, rand.Reader, dsa.L1024N160) 456 if err != nil { 457 t.Fatalf("could not generate test params: %s", err) 458 } 459 err = dsa.GenerateKey(&priv, rand.Reader) 460 if err != nil { 461 t.Fatalf("could not generate test key: %s", err) 462 } 463 if err = validateDSAParameters(&priv); err != nil { 464 t.Fatalf("valid key marked as invalid: %s", err) 465 } 466 // g = 1 467 g := *priv.G 468 priv.G = big.NewInt(1) 469 if err = validateDSAParameters(&priv); err == nil { 470 t.Fatalf("failed to detect invalid key (g)") 471 } 472 priv.G = &g 473 // corrupt q 474 q := *priv.Q 475 priv.Q.Sub(priv.Q, big.NewInt(1)) 476 if err = validateDSAParameters(&priv); err == nil { 477 t.Fatalf("failed to detect invalid key (q)") 478 } 479 priv.Q = &q 480 // corrupt y 481 y := *priv.Y 482 priv.Y.Sub(priv.Y, big.NewInt(1)) 483 if err = validateDSAParameters(&priv); err == nil { 484 t.Fatalf("failed to detect invalid key (y)") 485 } 486 priv.Y = &y 487} 488 489func TestElGamalValidation(t *testing.T) { 490 // we generate dsa key and then reuse values for elgamal 491 var dsaPriv dsa.PrivateKey 492 params := &dsaPriv.Parameters 493 err := dsa.GenerateParameters(params, rand.Reader, dsa.L1024N160) 494 if err != nil { 495 t.Fatalf("could not generate test params: %s", err) 496 } 497 err = dsa.GenerateKey(&dsaPriv, rand.Reader) 498 if err != nil { 499 t.Fatalf("could not generate test key: %s", err) 500 } 501 // this elgamal key is technically not valid since g has order q < p-1 502 // but q is large enough and tests should pass 503 var priv elgamal.PrivateKey 504 priv.G = dsaPriv.G 505 priv.P = dsaPriv.P 506 priv.X = dsaPriv.X 507 priv.Y = dsaPriv.Y 508 if err = validateElGamalParameters(&priv); err != nil { 509 t.Fatalf("valid key marked as invalid: %s", err) 510 } 511 // g = 1 512 g := *priv.G 513 priv.G = big.NewInt(1) 514 if err = validateElGamalParameters(&priv); err == nil { 515 t.Fatalf("failed to detect invalid key (g)") 516 } 517 // g of order 2: g**(p-1)/2 518 pSub1 := new(big.Int).Sub(priv.P, big.NewInt(1)) 519 pSub1Div2 := new(big.Int).Rsh(pSub1, 1) 520 priv.G = new(big.Int).Exp(&g, pSub1Div2, priv.P) 521 if err = validateElGamalParameters(&priv); err == nil { 522 t.Fatalf("failed to detect invalid key (g small order)") 523 } 524 priv.G = &g 525 // corrupt y 526 y := *priv.Y 527 priv.Y.Sub(priv.Y, big.NewInt(1)) 528 if err = validateElGamalParameters(&priv); err == nil { 529 t.Fatalf("failed to detect invalid key (y)") 530 } 531 priv.Y = &y 532} 533