1/*- 2 * Copyright 2014 Square Inc. 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17package jose 18 19import ( 20 "crypto/ecdsa" 21 "crypto/elliptic" 22 "crypto/rand" 23 "crypto/rsa" 24 "errors" 25 "io" 26 "testing" 27) 28 29func TestEd25519(t *testing.T) { 30 _, err := newEd25519Signer("XYZ", nil) 31 if err != ErrUnsupportedAlgorithm { 32 t.Error("should return error on invalid algorithm") 33 } 34 35 enc := new(edEncrypterVerifier) 36 enc.publicKey = ed25519PublicKey 37 err = enc.verifyPayload([]byte{}, []byte{}, "XYZ") 38 if err != ErrUnsupportedAlgorithm { 39 t.Error("should return error on invalid algorithm") 40 } 41 42 dec := new(edDecrypterSigner) 43 dec.privateKey = ed25519PrivateKey 44 _, err = dec.signPayload([]byte{}, "XYZ") 45 if err != ErrUnsupportedAlgorithm { 46 t.Error("should return error on invalid algorithm") 47 } 48 49 sig, err := dec.signPayload([]byte("This is a test"), "EdDSA") 50 if err != nil { 51 t.Error("should not error trying to sign payload") 52 } 53 if sig.Signature == nil { 54 t.Error("Check the signature") 55 } 56 err = enc.verifyPayload([]byte("This is a test"), sig.Signature, "EdDSA") 57 if err != nil { 58 t.Error("should not error trying to verify payload") 59 } 60 61 err = enc.verifyPayload([]byte("This is test number 2"), sig.Signature, "EdDSA") 62 if err == nil { 63 t.Error("should not error trying to verify payload") 64 } 65} 66 67func TestInvalidAlgorithmsRSA(t *testing.T) { 68 _, err := newRSARecipient("XYZ", nil) 69 if err != ErrUnsupportedAlgorithm { 70 t.Error("should return error on invalid algorithm") 71 } 72 73 _, err = newRSASigner("XYZ", nil) 74 if err != ErrUnsupportedAlgorithm { 75 t.Error("should return error on invalid algorithm") 76 } 77 78 enc := new(rsaEncrypterVerifier) 79 enc.publicKey = &rsaTestKey.PublicKey 80 _, err = enc.encryptKey([]byte{}, "XYZ") 81 if err != ErrUnsupportedAlgorithm { 82 t.Error("should return error on invalid algorithm") 83 } 84 85 err = enc.verifyPayload([]byte{}, []byte{}, "XYZ") 86 if err != ErrUnsupportedAlgorithm { 87 t.Error("should return error on invalid algorithm") 88 } 89 90 dec := new(rsaDecrypterSigner) 91 dec.privateKey = rsaTestKey 92 _, err = dec.decrypt(make([]byte, 256), "XYZ", randomKeyGenerator{size: 16}) 93 if err != ErrUnsupportedAlgorithm { 94 t.Error("should return error on invalid algorithm") 95 } 96 97 _, err = dec.signPayload([]byte{}, "XYZ") 98 if err != ErrUnsupportedAlgorithm { 99 t.Error("should return error on invalid algorithm") 100 } 101} 102 103type failingKeyGenerator struct{} 104 105func (ctx failingKeyGenerator) keySize() int { 106 return 0 107} 108 109func (ctx failingKeyGenerator) genKey() ([]byte, rawHeader, error) { 110 return nil, rawHeader{}, errors.New("failed to generate key") 111} 112 113func TestPKCSKeyGeneratorFailure(t *testing.T) { 114 dec := new(rsaDecrypterSigner) 115 dec.privateKey = rsaTestKey 116 generator := failingKeyGenerator{} 117 _, err := dec.decrypt(make([]byte, 256), RSA1_5, generator) 118 if err != ErrCryptoFailure { 119 t.Error("should return error on invalid algorithm") 120 } 121} 122 123func TestInvalidAlgorithmsEC(t *testing.T) { 124 _, err := newECDHRecipient("XYZ", nil) 125 if err != ErrUnsupportedAlgorithm { 126 t.Error("should return error on invalid algorithm") 127 } 128 129 _, err = newECDSASigner("XYZ", nil) 130 if err != ErrUnsupportedAlgorithm { 131 t.Error("should return error on invalid algorithm") 132 } 133 134 enc := new(ecEncrypterVerifier) 135 enc.publicKey = &ecTestKey256.PublicKey 136 _, err = enc.encryptKey([]byte{}, "XYZ") 137 if err != ErrUnsupportedAlgorithm { 138 t.Error("should return error on invalid algorithm") 139 } 140} 141 142func TestInvalidECKeyGen(t *testing.T) { 143 gen := ecKeyGenerator{ 144 size: 16, 145 algID: "A128GCM", 146 publicKey: &ecTestKey256.PublicKey, 147 } 148 149 if gen.keySize() != 16 { 150 t.Error("ec key generator reported incorrect key size") 151 } 152 153 _, _, err := gen.genKey() 154 if err != nil { 155 t.Error("ec key generator failed to generate key", err) 156 } 157} 158 159func TestInvalidECDecrypt(t *testing.T) { 160 dec := ecDecrypterSigner{ 161 privateKey: ecTestKey256, 162 } 163 164 generator := randomKeyGenerator{size: 16} 165 166 // Missing epk header 167 headers := rawHeader{} 168 headers.set(headerAlgorithm, ECDH_ES) 169 170 _, err := dec.decryptKey(headers, nil, generator) 171 if err == nil { 172 t.Error("ec decrypter accepted object with missing epk header") 173 } 174 175 // Invalid epk header 176 headers.set(headerEPK, &JSONWebKey{}) 177 178 _, err = dec.decryptKey(headers, nil, generator) 179 if err == nil { 180 t.Error("ec decrypter accepted object with invalid epk header") 181 } 182} 183 184func TestDecryptWithIncorrectSize(t *testing.T) { 185 priv, err := rsa.GenerateKey(rand.Reader, 2048) 186 if err != nil { 187 t.Error(err) 188 return 189 } 190 191 dec := new(rsaDecrypterSigner) 192 dec.privateKey = priv 193 aes := newAESGCM(16) 194 195 keygen := randomKeyGenerator{ 196 size: aes.keySize(), 197 } 198 199 payload := make([]byte, 254) 200 _, err = dec.decrypt(payload, RSA1_5, keygen) 201 if err == nil { 202 t.Error("Invalid payload size should return error") 203 } 204 205 payload = make([]byte, 257) 206 _, err = dec.decrypt(payload, RSA1_5, keygen) 207 if err == nil { 208 t.Error("Invalid payload size should return error") 209 } 210} 211 212func TestPKCSDecryptNeverFails(t *testing.T) { 213 // We don't want RSA-PKCS1 v1.5 decryption to ever fail, in order to prevent 214 // side-channel timing attacks (Bleichenbacher attack in particular). 215 priv, err := rsa.GenerateKey(rand.Reader, 2048) 216 if err != nil { 217 t.Error(err) 218 return 219 } 220 221 dec := new(rsaDecrypterSigner) 222 dec.privateKey = priv 223 aes := newAESGCM(16) 224 225 keygen := randomKeyGenerator{ 226 size: aes.keySize(), 227 } 228 229 for i := 1; i < 50; i++ { 230 payload := make([]byte, 256) 231 _, err := io.ReadFull(rand.Reader, payload) 232 if err != nil { 233 t.Error("Unable to get random data:", err) 234 return 235 } 236 _, err = dec.decrypt(payload, RSA1_5, keygen) 237 if err != nil { 238 t.Error("PKCS1v1.5 decrypt should never fail:", err) 239 return 240 } 241 } 242} 243 244func BenchmarkPKCSDecryptWithValidPayloads(b *testing.B) { 245 priv, err := rsa.GenerateKey(rand.Reader, 2048) 246 if err != nil { 247 panic(err) 248 } 249 250 enc := new(rsaEncrypterVerifier) 251 enc.publicKey = &priv.PublicKey 252 dec := new(rsaDecrypterSigner) 253 dec.privateKey = priv 254 aes := newAESGCM(32) 255 256 b.StopTimer() 257 b.ResetTimer() 258 for i := 0; i < b.N; i++ { 259 plaintext := make([]byte, 32) 260 _, err = io.ReadFull(rand.Reader, plaintext) 261 if err != nil { 262 panic(err) 263 } 264 265 ciphertext, err := enc.encrypt(plaintext, RSA1_5) 266 if err != nil { 267 panic(err) 268 } 269 270 keygen := randomKeyGenerator{ 271 size: aes.keySize(), 272 } 273 274 b.StartTimer() 275 _, err = dec.decrypt(ciphertext, RSA1_5, keygen) 276 b.StopTimer() 277 if err != nil { 278 panic(err) 279 } 280 } 281} 282 283func BenchmarkPKCSDecryptWithInvalidPayloads(b *testing.B) { 284 priv, err := rsa.GenerateKey(rand.Reader, 2048) 285 if err != nil { 286 panic(err) 287 } 288 289 enc := new(rsaEncrypterVerifier) 290 enc.publicKey = &priv.PublicKey 291 dec := new(rsaDecrypterSigner) 292 dec.privateKey = priv 293 aes := newAESGCM(16) 294 295 keygen := randomKeyGenerator{ 296 size: aes.keySize(), 297 } 298 299 b.StopTimer() 300 b.ResetTimer() 301 for i := 0; i < b.N; i++ { 302 plaintext := make([]byte, 16) 303 _, err = io.ReadFull(rand.Reader, plaintext) 304 if err != nil { 305 panic(err) 306 } 307 308 ciphertext, err := enc.encrypt(plaintext, RSA1_5) 309 if err != nil { 310 panic(err) 311 } 312 313 // Do some simple scrambling 314 ciphertext[128] ^= 0xFF 315 316 b.StartTimer() 317 _, err = dec.decrypt(ciphertext, RSA1_5, keygen) 318 b.StopTimer() 319 if err != nil { 320 panic(err) 321 } 322 } 323} 324 325func TestInvalidEllipticCurve(t *testing.T) { 326 signer256 := ecDecrypterSigner{privateKey: ecTestKey256} 327 signer384 := ecDecrypterSigner{privateKey: ecTestKey384} 328 signer521 := ecDecrypterSigner{privateKey: ecTestKey521} 329 330 _, err := signer256.signPayload([]byte{}, ES384) 331 if err == nil { 332 t.Error("should not generate ES384 signature with P-256 key") 333 } 334 _, err = signer256.signPayload([]byte{}, ES512) 335 if err == nil { 336 t.Error("should not generate ES512 signature with P-256 key") 337 } 338 _, err = signer384.signPayload([]byte{}, ES256) 339 if err == nil { 340 t.Error("should not generate ES256 signature with P-384 key") 341 } 342 _, err = signer384.signPayload([]byte{}, ES512) 343 if err == nil { 344 t.Error("should not generate ES512 signature with P-384 key") 345 } 346 _, err = signer521.signPayload([]byte{}, ES256) 347 if err == nil { 348 t.Error("should not generate ES256 signature with P-521 key") 349 } 350 _, err = signer521.signPayload([]byte{}, ES384) 351 if err == nil { 352 t.Error("should not generate ES384 signature with P-521 key") 353 } 354} 355 356func estInvalidECPublicKey(t *testing.T) { 357 // Invalid key 358 invalid := &ecdsa.PrivateKey{ 359 PublicKey: ecdsa.PublicKey{ 360 Curve: elliptic.P256(), 361 X: fromBase64Int("MTEx"), 362 Y: fromBase64Int("MTEx"), 363 }, 364 D: fromBase64Int("0_NxaRPUMQoAJt50Gz8YiTr8gRTwyEaCumd-MToTmIo"), 365 } 366 367 headers := rawHeader{} 368 headers.set(headerAlgorithm, ECDH_ES) 369 headers.set(headerEPK, &JSONWebKey{ 370 Key: &invalid.PublicKey, 371 }) 372 373 dec := ecDecrypterSigner{ 374 privateKey: ecTestKey256, 375 } 376 377 _, err := dec.decryptKey(headers, nil, randomKeyGenerator{size: 16}) 378 if err == nil { 379 t.Fatal("decrypter accepted JWS with invalid ECDH public key") 380 } 381} 382 383func TestInvalidAlgorithmEC(t *testing.T) { 384 err := ecEncrypterVerifier{publicKey: &ecTestKey256.PublicKey}.verifyPayload([]byte{}, []byte{}, "XYZ") 385 if err != ErrUnsupportedAlgorithm { 386 t.Fatal("should not accept invalid/unsupported algorithm") 387 } 388} 389