1/*- 2 * Copyright 2014 Square Inc. 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17package jose 18 19import ( 20 "bytes" 21 "crypto/ecdsa" 22 "crypto/elliptic" 23 "crypto/rand" 24 "crypto/rsa" 25 "errors" 26 "io" 27 "math/big" 28 "testing" 29) 30 31func TestVectorsRSA(t *testing.T) { 32 // Sources: 33 // http://www.emc.com/emc-plus/rsa-labs/standards-initiatives/pkcs-rsa-cryptography-standard.htm 34 // ftp://ftp.rsa.com/pub/rsalabs/tmp/pkcs1v15crypt-vectors.txt 35 priv := &rsa.PrivateKey{ 36 PublicKey: rsa.PublicKey{ 37 N: fromHexInt(` 38 a8b3b284af8eb50b387034a860f146c4919f318763cd6c5598c8 39 ae4811a1e0abc4c7e0b082d693a5e7fced675cf4668512772c0c 40 bc64a742c6c630f533c8cc72f62ae833c40bf25842e984bb78bd 41 bf97c0107d55bdb662f5c4e0fab9845cb5148ef7392dd3aaff93 42 ae1e6b667bb3d4247616d4f5ba10d4cfd226de88d39f16fb`), 43 E: 65537, 44 }, 45 D: fromHexInt(` 46 53339cfdb79fc8466a655c7316aca85c55fd8f6dd898fdaf1195 47 17ef4f52e8fd8e258df93fee180fa0e4ab29693cd83b152a553d 48 4ac4d1812b8b9fa5af0e7f55fe7304df41570926f3311f15c4d6 49 5a732c483116ee3d3d2d0af3549ad9bf7cbfb78ad884f84d5beb 50 04724dc7369b31def37d0cf539e9cfcdd3de653729ead5d1`), 51 Primes: []*big.Int{ 52 fromHexInt(` 53 d32737e7267ffe1341b2d5c0d150a81b586fb3132bed2f8d5262 54 864a9cb9f30af38be448598d413a172efb802c21acf1c11c520c 55 2f26a471dcad212eac7ca39d`), 56 fromHexInt(` 57 cc8853d1d54da630fac004f471f281c7b8982d8224a490edbeb3 58 3d3e3d5cc93c4765703d1dd791642f1f116a0dd852be2419b2af 59 72bfe9a030e860b0288b5d77`), 60 }, 61 } 62 63 input := fromHexBytes( 64 "6628194e12073db03ba94cda9ef9532397d50dba79b987004afefe34") 65 66 expectedPKCS := fromHexBytes(` 67 50b4c14136bd198c2f3c3ed243fce036e168d56517984a263cd66492b808 68 04f169d210f2b9bdfb48b12f9ea05009c77da257cc600ccefe3a6283789d 69 8ea0e607ac58e2690ec4ebc10146e8cbaa5ed4d5cce6fe7b0ff9efc1eabb 70 564dbf498285f449ee61dd7b42ee5b5892cb90601f30cda07bf26489310b 71 cd23b528ceab3c31`) 72 73 expectedOAEP := fromHexBytes(` 74 354fe67b4a126d5d35fe36c777791a3f7ba13def484e2d3908aff722fad4 75 68fb21696de95d0be911c2d3174f8afcc201035f7b6d8e69402de5451618 76 c21a535fa9d7bfc5b8dd9fc243f8cf927db31322d6e881eaa91a996170e6 77 57a05a266426d98c88003f8477c1227094a0d9fa1e8c4024309ce1ecccb5 78 210035d47ac72e8a`) 79 80 // Mock random reader 81 randReader = bytes.NewReader(fromHexBytes(` 82 017341ae3875d5f87101f8cc4fa9b9bc156bb04628fccdb2f4f11e905bd3 83 a155d376f593bd7304210874eba08a5e22bcccb4c9d3882a93a54db022f5 84 03d16338b6b7ce16dc7f4bbf9a96b59772d6606e9747c7649bf9e083db98 85 1884a954ab3c6f18b776ea21069d69776a33e96bad48e1dda0a5ef`)) 86 defer resetRandReader() 87 88 // RSA-PKCS1v1.5 encrypt 89 enc := new(rsaEncrypterVerifier) 90 enc.publicKey = &priv.PublicKey 91 encryptedPKCS, err := enc.encrypt(input, RSA1_5) 92 if err != nil { 93 t.Error("Encryption failed:", err) 94 return 95 } 96 97 if bytes.Compare(encryptedPKCS, expectedPKCS) != 0 { 98 t.Error("Output does not match expected value (PKCS1v1.5)") 99 } 100 101 // RSA-OAEP encrypt 102 encryptedOAEP, err := enc.encrypt(input, RSA_OAEP) 103 if err != nil { 104 t.Error("Encryption failed:", err) 105 return 106 } 107 108 if bytes.Compare(encryptedOAEP, expectedOAEP) != 0 { 109 t.Error("Output does not match expected value (OAEP)") 110 } 111 112 // Need fake cipher for PKCS1v1.5 decrypt 113 resetRandReader() 114 aes := newAESGCM(len(input)) 115 116 keygen := randomKeyGenerator{ 117 size: aes.keySize(), 118 } 119 120 // RSA-PKCS1v1.5 decrypt 121 dec := new(rsaDecrypterSigner) 122 dec.privateKey = priv 123 decryptedPKCS, err := dec.decrypt(encryptedPKCS, RSA1_5, keygen) 124 if err != nil { 125 t.Error("Decryption failed:", err) 126 return 127 } 128 129 if bytes.Compare(input, decryptedPKCS) != 0 { 130 t.Error("Output does not match expected value (PKCS1v1.5)") 131 } 132 133 // RSA-OAEP decrypt 134 decryptedOAEP, err := dec.decrypt(encryptedOAEP, RSA_OAEP, keygen) 135 if err != nil { 136 t.Error("decryption failed:", err) 137 return 138 } 139 140 if bytes.Compare(input, decryptedOAEP) != 0 { 141 t.Error("output does not match expected value (OAEP)") 142 } 143} 144 145func TestInvalidAlgorithmsRSA(t *testing.T) { 146 _, err := newRSARecipient("XYZ", nil) 147 if err != ErrUnsupportedAlgorithm { 148 t.Error("should return error on invalid algorithm") 149 } 150 151 _, err = newRSASigner("XYZ", nil) 152 if err != ErrUnsupportedAlgorithm { 153 t.Error("should return error on invalid algorithm") 154 } 155 156 enc := new(rsaEncrypterVerifier) 157 enc.publicKey = &rsaTestKey.PublicKey 158 _, err = enc.encryptKey([]byte{}, "XYZ") 159 if err != ErrUnsupportedAlgorithm { 160 t.Error("should return error on invalid algorithm") 161 } 162 163 err = enc.verifyPayload([]byte{}, []byte{}, "XYZ") 164 if err != ErrUnsupportedAlgorithm { 165 t.Error("should return error on invalid algorithm") 166 } 167 168 dec := new(rsaDecrypterSigner) 169 dec.privateKey = rsaTestKey 170 _, err = dec.decrypt(make([]byte, 256), "XYZ", randomKeyGenerator{size: 16}) 171 if err != ErrUnsupportedAlgorithm { 172 t.Error("should return error on invalid algorithm") 173 } 174 175 _, err = dec.signPayload([]byte{}, "XYZ") 176 if err != ErrUnsupportedAlgorithm { 177 t.Error("should return error on invalid algorithm") 178 } 179} 180 181type failingKeyGenerator struct{} 182 183func (ctx failingKeyGenerator) keySize() int { 184 return 0 185} 186 187func (ctx failingKeyGenerator) genKey() ([]byte, rawHeader, error) { 188 return nil, rawHeader{}, errors.New("failed to generate key") 189} 190 191func TestPKCSKeyGeneratorFailure(t *testing.T) { 192 dec := new(rsaDecrypterSigner) 193 dec.privateKey = rsaTestKey 194 generator := failingKeyGenerator{} 195 _, err := dec.decrypt(make([]byte, 256), RSA1_5, generator) 196 if err != ErrCryptoFailure { 197 t.Error("should return error on invalid algorithm") 198 } 199} 200 201func TestInvalidAlgorithmsEC(t *testing.T) { 202 _, err := newECDHRecipient("XYZ", nil) 203 if err != ErrUnsupportedAlgorithm { 204 t.Error("should return error on invalid algorithm") 205 } 206 207 _, err = newECDSASigner("XYZ", nil) 208 if err != ErrUnsupportedAlgorithm { 209 t.Error("should return error on invalid algorithm") 210 } 211 212 enc := new(ecEncrypterVerifier) 213 enc.publicKey = &ecTestKey256.PublicKey 214 _, err = enc.encryptKey([]byte{}, "XYZ") 215 if err != ErrUnsupportedAlgorithm { 216 t.Error("should return error on invalid algorithm") 217 } 218} 219 220func TestInvalidECKeyGen(t *testing.T) { 221 gen := ecKeyGenerator{ 222 size: 16, 223 algID: "A128GCM", 224 publicKey: &ecTestKey256.PublicKey, 225 } 226 227 if gen.keySize() != 16 { 228 t.Error("ec key generator reported incorrect key size") 229 } 230 231 _, _, err := gen.genKey() 232 if err != nil { 233 t.Error("ec key generator failed to generate key", err) 234 } 235} 236 237func TestInvalidECDecrypt(t *testing.T) { 238 dec := ecDecrypterSigner{ 239 privateKey: ecTestKey256, 240 } 241 242 generator := randomKeyGenerator{size: 16} 243 244 // Missing epk header 245 headers := rawHeader{ 246 Alg: string(ECDH_ES), 247 } 248 249 _, err := dec.decryptKey(headers, nil, generator) 250 if err == nil { 251 t.Error("ec decrypter accepted object with missing epk header") 252 } 253 254 // Invalid epk header 255 headers.Epk = &JsonWebKey{} 256 257 _, err = dec.decryptKey(headers, nil, generator) 258 if err == nil { 259 t.Error("ec decrypter accepted object with invalid epk header") 260 } 261} 262 263func TestDecryptWithIncorrectSize(t *testing.T) { 264 priv, err := rsa.GenerateKey(rand.Reader, 2048) 265 if err != nil { 266 t.Error(err) 267 return 268 } 269 270 dec := new(rsaDecrypterSigner) 271 dec.privateKey = priv 272 aes := newAESGCM(16) 273 274 keygen := randomKeyGenerator{ 275 size: aes.keySize(), 276 } 277 278 payload := make([]byte, 254) 279 _, err = dec.decrypt(payload, RSA1_5, keygen) 280 if err == nil { 281 t.Error("Invalid payload size should return error") 282 } 283 284 payload = make([]byte, 257) 285 _, err = dec.decrypt(payload, RSA1_5, keygen) 286 if err == nil { 287 t.Error("Invalid payload size should return error") 288 } 289} 290 291func TestPKCSDecryptNeverFails(t *testing.T) { 292 // We don't want RSA-PKCS1 v1.5 decryption to ever fail, in order to prevent 293 // side-channel timing attacks (Bleichenbacher attack in particular). 294 priv, err := rsa.GenerateKey(rand.Reader, 2048) 295 if err != nil { 296 t.Error(err) 297 return 298 } 299 300 dec := new(rsaDecrypterSigner) 301 dec.privateKey = priv 302 aes := newAESGCM(16) 303 304 keygen := randomKeyGenerator{ 305 size: aes.keySize(), 306 } 307 308 for i := 1; i < 50; i++ { 309 payload := make([]byte, 256) 310 _, err := io.ReadFull(rand.Reader, payload) 311 if err != nil { 312 t.Error("Unable to get random data:", err) 313 return 314 } 315 _, err = dec.decrypt(payload, RSA1_5, keygen) 316 if err != nil { 317 t.Error("PKCS1v1.5 decrypt should never fail:", err) 318 return 319 } 320 } 321} 322 323func BenchmarkPKCSDecryptWithValidPayloads(b *testing.B) { 324 priv, err := rsa.GenerateKey(rand.Reader, 2048) 325 if err != nil { 326 panic(err) 327 } 328 329 enc := new(rsaEncrypterVerifier) 330 enc.publicKey = &priv.PublicKey 331 dec := new(rsaDecrypterSigner) 332 dec.privateKey = priv 333 aes := newAESGCM(32) 334 335 b.StopTimer() 336 b.ResetTimer() 337 for i := 0; i < b.N; i++ { 338 plaintext := make([]byte, 32) 339 _, err = io.ReadFull(rand.Reader, plaintext) 340 if err != nil { 341 panic(err) 342 } 343 344 ciphertext, err := enc.encrypt(plaintext, RSA1_5) 345 if err != nil { 346 panic(err) 347 } 348 349 keygen := randomKeyGenerator{ 350 size: aes.keySize(), 351 } 352 353 b.StartTimer() 354 _, err = dec.decrypt(ciphertext, RSA1_5, keygen) 355 b.StopTimer() 356 if err != nil { 357 panic(err) 358 } 359 } 360} 361 362func BenchmarkPKCSDecryptWithInvalidPayloads(b *testing.B) { 363 priv, err := rsa.GenerateKey(rand.Reader, 2048) 364 if err != nil { 365 panic(err) 366 } 367 368 enc := new(rsaEncrypterVerifier) 369 enc.publicKey = &priv.PublicKey 370 dec := new(rsaDecrypterSigner) 371 dec.privateKey = priv 372 aes := newAESGCM(16) 373 374 keygen := randomKeyGenerator{ 375 size: aes.keySize(), 376 } 377 378 b.StopTimer() 379 b.ResetTimer() 380 for i := 0; i < b.N; i++ { 381 plaintext := make([]byte, 16) 382 _, err = io.ReadFull(rand.Reader, plaintext) 383 if err != nil { 384 panic(err) 385 } 386 387 ciphertext, err := enc.encrypt(plaintext, RSA1_5) 388 if err != nil { 389 panic(err) 390 } 391 392 // Do some simple scrambling 393 ciphertext[128] ^= 0xFF 394 395 b.StartTimer() 396 _, err = dec.decrypt(ciphertext, RSA1_5, keygen) 397 b.StopTimer() 398 if err != nil { 399 panic(err) 400 } 401 } 402} 403 404func TestInvalidEllipticCurve(t *testing.T) { 405 signer256 := ecDecrypterSigner{privateKey: ecTestKey256} 406 signer384 := ecDecrypterSigner{privateKey: ecTestKey384} 407 signer521 := ecDecrypterSigner{privateKey: ecTestKey521} 408 409 _, err := signer256.signPayload([]byte{}, ES384) 410 if err == nil { 411 t.Error("should not generate ES384 signature with P-256 key") 412 } 413 _, err = signer256.signPayload([]byte{}, ES512) 414 if err == nil { 415 t.Error("should not generate ES512 signature with P-256 key") 416 } 417 _, err = signer384.signPayload([]byte{}, ES256) 418 if err == nil { 419 t.Error("should not generate ES256 signature with P-384 key") 420 } 421 _, err = signer384.signPayload([]byte{}, ES512) 422 if err == nil { 423 t.Error("should not generate ES512 signature with P-384 key") 424 } 425 _, err = signer521.signPayload([]byte{}, ES256) 426 if err == nil { 427 t.Error("should not generate ES256 signature with P-521 key") 428 } 429 _, err = signer521.signPayload([]byte{}, ES384) 430 if err == nil { 431 t.Error("should not generate ES384 signature with P-521 key") 432 } 433} 434 435func TestInvalidECPublicKey(t *testing.T) { 436 // Invalid key 437 invalid := &ecdsa.PrivateKey{ 438 PublicKey: ecdsa.PublicKey{ 439 Curve: elliptic.P256(), 440 X: fromBase64Int("MTEx"), 441 Y: fromBase64Int("MTEx"), 442 }, 443 D: fromBase64Int("0_NxaRPUMQoAJt50Gz8YiTr8gRTwyEaCumd-MToTmIo="), 444 } 445 446 headers := rawHeader{ 447 Alg: string(ECDH_ES), 448 Epk: &JsonWebKey{ 449 Key: &invalid.PublicKey, 450 }, 451 } 452 453 dec := ecDecrypterSigner{ 454 privateKey: ecTestKey256, 455 } 456 457 _, err := dec.decryptKey(headers, nil, randomKeyGenerator{size: 16}) 458 if err == nil { 459 t.Fatal("decrypter accepted JWS with invalid ECDH public key") 460 } 461} 462 463func TestInvalidAlgorithmEC(t *testing.T) { 464 err := ecEncrypterVerifier{publicKey: &ecTestKey256.PublicKey}.verifyPayload([]byte{}, []byte{}, "XYZ") 465 if err != ErrUnsupportedAlgorithm { 466 t.Fatal("should not accept invalid/unsupported algorithm") 467 } 468} 469