1/*-
2 * Copyright 2014 Square Inc.
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 *     http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17package jose
18
19import (
20	"bytes"
21	"crypto/ecdsa"
22	"crypto/elliptic"
23	"crypto/rand"
24	"crypto/rsa"
25	"errors"
26	"io"
27	"math/big"
28	"testing"
29)
30
31func TestVectorsRSA(t *testing.T) {
32	// Sources:
33	//   http://www.emc.com/emc-plus/rsa-labs/standards-initiatives/pkcs-rsa-cryptography-standard.htm
34	//   ftp://ftp.rsa.com/pub/rsalabs/tmp/pkcs1v15crypt-vectors.txt
35	priv := &rsa.PrivateKey{
36		PublicKey: rsa.PublicKey{
37			N: fromHexInt(`
38				a8b3b284af8eb50b387034a860f146c4919f318763cd6c5598c8
39				ae4811a1e0abc4c7e0b082d693a5e7fced675cf4668512772c0c
40				bc64a742c6c630f533c8cc72f62ae833c40bf25842e984bb78bd
41				bf97c0107d55bdb662f5c4e0fab9845cb5148ef7392dd3aaff93
42				ae1e6b667bb3d4247616d4f5ba10d4cfd226de88d39f16fb`),
43			E: 65537,
44		},
45		D: fromHexInt(`
46				53339cfdb79fc8466a655c7316aca85c55fd8f6dd898fdaf1195
47				17ef4f52e8fd8e258df93fee180fa0e4ab29693cd83b152a553d
48				4ac4d1812b8b9fa5af0e7f55fe7304df41570926f3311f15c4d6
49				5a732c483116ee3d3d2d0af3549ad9bf7cbfb78ad884f84d5beb
50				04724dc7369b31def37d0cf539e9cfcdd3de653729ead5d1`),
51		Primes: []*big.Int{
52			fromHexInt(`
53				d32737e7267ffe1341b2d5c0d150a81b586fb3132bed2f8d5262
54				864a9cb9f30af38be448598d413a172efb802c21acf1c11c520c
55				2f26a471dcad212eac7ca39d`),
56			fromHexInt(`
57				cc8853d1d54da630fac004f471f281c7b8982d8224a490edbeb3
58				3d3e3d5cc93c4765703d1dd791642f1f116a0dd852be2419b2af
59				72bfe9a030e860b0288b5d77`),
60		},
61	}
62
63	input := fromHexBytes(
64		"6628194e12073db03ba94cda9ef9532397d50dba79b987004afefe34")
65
66	expectedPKCS := fromHexBytes(`
67		50b4c14136bd198c2f3c3ed243fce036e168d56517984a263cd66492b808
68		04f169d210f2b9bdfb48b12f9ea05009c77da257cc600ccefe3a6283789d
69		8ea0e607ac58e2690ec4ebc10146e8cbaa5ed4d5cce6fe7b0ff9efc1eabb
70		564dbf498285f449ee61dd7b42ee5b5892cb90601f30cda07bf26489310b
71		cd23b528ceab3c31`)
72
73	expectedOAEP := fromHexBytes(`
74		354fe67b4a126d5d35fe36c777791a3f7ba13def484e2d3908aff722fad4
75		68fb21696de95d0be911c2d3174f8afcc201035f7b6d8e69402de5451618
76		c21a535fa9d7bfc5b8dd9fc243f8cf927db31322d6e881eaa91a996170e6
77		57a05a266426d98c88003f8477c1227094a0d9fa1e8c4024309ce1ecccb5
78		210035d47ac72e8a`)
79
80	// Mock random reader
81	randReader = bytes.NewReader(fromHexBytes(`
82		017341ae3875d5f87101f8cc4fa9b9bc156bb04628fccdb2f4f11e905bd3
83		a155d376f593bd7304210874eba08a5e22bcccb4c9d3882a93a54db022f5
84		03d16338b6b7ce16dc7f4bbf9a96b59772d6606e9747c7649bf9e083db98
85		1884a954ab3c6f18b776ea21069d69776a33e96bad48e1dda0a5ef`))
86	defer resetRandReader()
87
88	// RSA-PKCS1v1.5 encrypt
89	enc := new(rsaEncrypterVerifier)
90	enc.publicKey = &priv.PublicKey
91	encryptedPKCS, err := enc.encrypt(input, RSA1_5)
92	if err != nil {
93		t.Error("Encryption failed:", err)
94		return
95	}
96
97	if bytes.Compare(encryptedPKCS, expectedPKCS) != 0 {
98		t.Error("Output does not match expected value (PKCS1v1.5)")
99	}
100
101	// RSA-OAEP encrypt
102	encryptedOAEP, err := enc.encrypt(input, RSA_OAEP)
103	if err != nil {
104		t.Error("Encryption failed:", err)
105		return
106	}
107
108	if bytes.Compare(encryptedOAEP, expectedOAEP) != 0 {
109		t.Error("Output does not match expected value (OAEP)")
110	}
111
112	// Need fake cipher for PKCS1v1.5 decrypt
113	resetRandReader()
114	aes := newAESGCM(len(input))
115
116	keygen := randomKeyGenerator{
117		size: aes.keySize(),
118	}
119
120	// RSA-PKCS1v1.5 decrypt
121	dec := new(rsaDecrypterSigner)
122	dec.privateKey = priv
123	decryptedPKCS, err := dec.decrypt(encryptedPKCS, RSA1_5, keygen)
124	if err != nil {
125		t.Error("Decryption failed:", err)
126		return
127	}
128
129	if bytes.Compare(input, decryptedPKCS) != 0 {
130		t.Error("Output does not match expected value (PKCS1v1.5)")
131	}
132
133	// RSA-OAEP decrypt
134	decryptedOAEP, err := dec.decrypt(encryptedOAEP, RSA_OAEP, keygen)
135	if err != nil {
136		t.Error("decryption failed:", err)
137		return
138	}
139
140	if bytes.Compare(input, decryptedOAEP) != 0 {
141		t.Error("output does not match expected value (OAEP)")
142	}
143}
144
145func TestInvalidAlgorithmsRSA(t *testing.T) {
146	_, err := newRSARecipient("XYZ", nil)
147	if err != ErrUnsupportedAlgorithm {
148		t.Error("should return error on invalid algorithm")
149	}
150
151	_, err = newRSASigner("XYZ", nil)
152	if err != ErrUnsupportedAlgorithm {
153		t.Error("should return error on invalid algorithm")
154	}
155
156	enc := new(rsaEncrypterVerifier)
157	enc.publicKey = &rsaTestKey.PublicKey
158	_, err = enc.encryptKey([]byte{}, "XYZ")
159	if err != ErrUnsupportedAlgorithm {
160		t.Error("should return error on invalid algorithm")
161	}
162
163	err = enc.verifyPayload([]byte{}, []byte{}, "XYZ")
164	if err != ErrUnsupportedAlgorithm {
165		t.Error("should return error on invalid algorithm")
166	}
167
168	dec := new(rsaDecrypterSigner)
169	dec.privateKey = rsaTestKey
170	_, err = dec.decrypt(make([]byte, 256), "XYZ", randomKeyGenerator{size: 16})
171	if err != ErrUnsupportedAlgorithm {
172		t.Error("should return error on invalid algorithm")
173	}
174
175	_, err = dec.signPayload([]byte{}, "XYZ")
176	if err != ErrUnsupportedAlgorithm {
177		t.Error("should return error on invalid algorithm")
178	}
179}
180
181type failingKeyGenerator struct{}
182
183func (ctx failingKeyGenerator) keySize() int {
184	return 0
185}
186
187func (ctx failingKeyGenerator) genKey() ([]byte, rawHeader, error) {
188	return nil, rawHeader{}, errors.New("failed to generate key")
189}
190
191func TestPKCSKeyGeneratorFailure(t *testing.T) {
192	dec := new(rsaDecrypterSigner)
193	dec.privateKey = rsaTestKey
194	generator := failingKeyGenerator{}
195	_, err := dec.decrypt(make([]byte, 256), RSA1_5, generator)
196	if err != ErrCryptoFailure {
197		t.Error("should return error on invalid algorithm")
198	}
199}
200
201func TestInvalidAlgorithmsEC(t *testing.T) {
202	_, err := newECDHRecipient("XYZ", nil)
203	if err != ErrUnsupportedAlgorithm {
204		t.Error("should return error on invalid algorithm")
205	}
206
207	_, err = newECDSASigner("XYZ", nil)
208	if err != ErrUnsupportedAlgorithm {
209		t.Error("should return error on invalid algorithm")
210	}
211
212	enc := new(ecEncrypterVerifier)
213	enc.publicKey = &ecTestKey256.PublicKey
214	_, err = enc.encryptKey([]byte{}, "XYZ")
215	if err != ErrUnsupportedAlgorithm {
216		t.Error("should return error on invalid algorithm")
217	}
218}
219
220func TestInvalidECKeyGen(t *testing.T) {
221	gen := ecKeyGenerator{
222		size:      16,
223		algID:     "A128GCM",
224		publicKey: &ecTestKey256.PublicKey,
225	}
226
227	if gen.keySize() != 16 {
228		t.Error("ec key generator reported incorrect key size")
229	}
230
231	_, _, err := gen.genKey()
232	if err != nil {
233		t.Error("ec key generator failed to generate key", err)
234	}
235}
236
237func TestInvalidECDecrypt(t *testing.T) {
238	dec := ecDecrypterSigner{
239		privateKey: ecTestKey256,
240	}
241
242	generator := randomKeyGenerator{size: 16}
243
244	// Missing epk header
245	headers := rawHeader{
246		Alg: string(ECDH_ES),
247	}
248
249	_, err := dec.decryptKey(headers, nil, generator)
250	if err == nil {
251		t.Error("ec decrypter accepted object with missing epk header")
252	}
253
254	// Invalid epk header
255	headers.Epk = &JsonWebKey{}
256
257	_, err = dec.decryptKey(headers, nil, generator)
258	if err == nil {
259		t.Error("ec decrypter accepted object with invalid epk header")
260	}
261}
262
263func TestDecryptWithIncorrectSize(t *testing.T) {
264	priv, err := rsa.GenerateKey(rand.Reader, 2048)
265	if err != nil {
266		t.Error(err)
267		return
268	}
269
270	dec := new(rsaDecrypterSigner)
271	dec.privateKey = priv
272	aes := newAESGCM(16)
273
274	keygen := randomKeyGenerator{
275		size: aes.keySize(),
276	}
277
278	payload := make([]byte, 254)
279	_, err = dec.decrypt(payload, RSA1_5, keygen)
280	if err == nil {
281		t.Error("Invalid payload size should return error")
282	}
283
284	payload = make([]byte, 257)
285	_, err = dec.decrypt(payload, RSA1_5, keygen)
286	if err == nil {
287		t.Error("Invalid payload size should return error")
288	}
289}
290
291func TestPKCSDecryptNeverFails(t *testing.T) {
292	// We don't want RSA-PKCS1 v1.5 decryption to ever fail, in order to prevent
293	// side-channel timing attacks (Bleichenbacher attack in particular).
294	priv, err := rsa.GenerateKey(rand.Reader, 2048)
295	if err != nil {
296		t.Error(err)
297		return
298	}
299
300	dec := new(rsaDecrypterSigner)
301	dec.privateKey = priv
302	aes := newAESGCM(16)
303
304	keygen := randomKeyGenerator{
305		size: aes.keySize(),
306	}
307
308	for i := 1; i < 50; i++ {
309		payload := make([]byte, 256)
310		_, err := io.ReadFull(rand.Reader, payload)
311		if err != nil {
312			t.Error("Unable to get random data:", err)
313			return
314		}
315		_, err = dec.decrypt(payload, RSA1_5, keygen)
316		if err != nil {
317			t.Error("PKCS1v1.5 decrypt should never fail:", err)
318			return
319		}
320	}
321}
322
323func BenchmarkPKCSDecryptWithValidPayloads(b *testing.B) {
324	priv, err := rsa.GenerateKey(rand.Reader, 2048)
325	if err != nil {
326		panic(err)
327	}
328
329	enc := new(rsaEncrypterVerifier)
330	enc.publicKey = &priv.PublicKey
331	dec := new(rsaDecrypterSigner)
332	dec.privateKey = priv
333	aes := newAESGCM(32)
334
335	b.StopTimer()
336	b.ResetTimer()
337	for i := 0; i < b.N; i++ {
338		plaintext := make([]byte, 32)
339		_, err = io.ReadFull(rand.Reader, plaintext)
340		if err != nil {
341			panic(err)
342		}
343
344		ciphertext, err := enc.encrypt(plaintext, RSA1_5)
345		if err != nil {
346			panic(err)
347		}
348
349		keygen := randomKeyGenerator{
350			size: aes.keySize(),
351		}
352
353		b.StartTimer()
354		_, err = dec.decrypt(ciphertext, RSA1_5, keygen)
355		b.StopTimer()
356		if err != nil {
357			panic(err)
358		}
359	}
360}
361
362func BenchmarkPKCSDecryptWithInvalidPayloads(b *testing.B) {
363	priv, err := rsa.GenerateKey(rand.Reader, 2048)
364	if err != nil {
365		panic(err)
366	}
367
368	enc := new(rsaEncrypterVerifier)
369	enc.publicKey = &priv.PublicKey
370	dec := new(rsaDecrypterSigner)
371	dec.privateKey = priv
372	aes := newAESGCM(16)
373
374	keygen := randomKeyGenerator{
375		size: aes.keySize(),
376	}
377
378	b.StopTimer()
379	b.ResetTimer()
380	for i := 0; i < b.N; i++ {
381		plaintext := make([]byte, 16)
382		_, err = io.ReadFull(rand.Reader, plaintext)
383		if err != nil {
384			panic(err)
385		}
386
387		ciphertext, err := enc.encrypt(plaintext, RSA1_5)
388		if err != nil {
389			panic(err)
390		}
391
392		// Do some simple scrambling
393		ciphertext[128] ^= 0xFF
394
395		b.StartTimer()
396		_, err = dec.decrypt(ciphertext, RSA1_5, keygen)
397		b.StopTimer()
398		if err != nil {
399			panic(err)
400		}
401	}
402}
403
404func TestInvalidEllipticCurve(t *testing.T) {
405	signer256 := ecDecrypterSigner{privateKey: ecTestKey256}
406	signer384 := ecDecrypterSigner{privateKey: ecTestKey384}
407	signer521 := ecDecrypterSigner{privateKey: ecTestKey521}
408
409	_, err := signer256.signPayload([]byte{}, ES384)
410	if err == nil {
411		t.Error("should not generate ES384 signature with P-256 key")
412	}
413	_, err = signer256.signPayload([]byte{}, ES512)
414	if err == nil {
415		t.Error("should not generate ES512 signature with P-256 key")
416	}
417	_, err = signer384.signPayload([]byte{}, ES256)
418	if err == nil {
419		t.Error("should not generate ES256 signature with P-384 key")
420	}
421	_, err = signer384.signPayload([]byte{}, ES512)
422	if err == nil {
423		t.Error("should not generate ES512 signature with P-384 key")
424	}
425	_, err = signer521.signPayload([]byte{}, ES256)
426	if err == nil {
427		t.Error("should not generate ES256 signature with P-521 key")
428	}
429	_, err = signer521.signPayload([]byte{}, ES384)
430	if err == nil {
431		t.Error("should not generate ES384 signature with P-521 key")
432	}
433}
434
435func TestInvalidECPublicKey(t *testing.T) {
436	// Invalid key
437	invalid := &ecdsa.PrivateKey{
438		PublicKey: ecdsa.PublicKey{
439			Curve: elliptic.P256(),
440			X:     fromBase64Int("MTEx"),
441			Y:     fromBase64Int("MTEx"),
442		},
443		D: fromBase64Int("0_NxaRPUMQoAJt50Gz8YiTr8gRTwyEaCumd-MToTmIo="),
444	}
445
446	headers := rawHeader{
447		Alg: string(ECDH_ES),
448		Epk: &JsonWebKey{
449			Key: &invalid.PublicKey,
450		},
451	}
452
453	dec := ecDecrypterSigner{
454		privateKey: ecTestKey256,
455	}
456
457	_, err := dec.decryptKey(headers, nil, randomKeyGenerator{size: 16})
458	if err == nil {
459		t.Fatal("decrypter accepted JWS with invalid ECDH public key")
460	}
461}
462
463func TestInvalidAlgorithmEC(t *testing.T) {
464	err := ecEncrypterVerifier{publicKey: &ecTestKey256.PublicKey}.verifyPayload([]byte{}, []byte{}, "XYZ")
465	if err != ErrUnsupportedAlgorithm {
466		t.Fatal("should not accept invalid/unsupported algorithm")
467	}
468}
469