// Copyright 2011 The Go Authors. All rights reserved. // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. package ecdsa import ( "bufio" "compress/bzip2" "crypto/elliptic" "crypto/rand" "crypto/sha1" "crypto/sha256" "crypto/sha512" "encoding/hex" "hash" "io" "math/big" "os" "strings" "testing" ) func testKeyGeneration(t *testing.T, c elliptic.Curve, tag string) { priv, err := GenerateKey(c, rand.Reader) if err != nil { t.Errorf("%s: error: %s", tag, err) return } if !c.IsOnCurve(priv.PublicKey.X, priv.PublicKey.Y) { t.Errorf("%s: public key invalid: %s", tag, err) } } func TestKeyGeneration(t *testing.T) { testKeyGeneration(t, elliptic.P224(), "p224") if testing.Short() { return } testKeyGeneration(t, elliptic.P256(), "p256") testKeyGeneration(t, elliptic.P384(), "p384") testKeyGeneration(t, elliptic.P521(), "p521") } func testSignAndVerify(t *testing.T, c elliptic.Curve, tag string) { priv, _ := GenerateKey(c, rand.Reader) hashed := []byte("testing") r, s, err := Sign(rand.Reader, priv, hashed) if err != nil { t.Errorf("%s: error signing: %s", tag, err) return } if !Verify(&priv.PublicKey, hashed, r, s) { t.Errorf("%s: Verify failed", tag) } hashed[0] ^= 0xff if Verify(&priv.PublicKey, hashed, r, s) { t.Errorf("%s: Verify always works!", tag) } } func TestSignAndVerify(t *testing.T) { testSignAndVerify(t, elliptic.P224(), "p224") if testing.Short() { return } testSignAndVerify(t, elliptic.P256(), "p256") testSignAndVerify(t, elliptic.P384(), "p384") testSignAndVerify(t, elliptic.P521(), "p521") } func testNonceSafety(t *testing.T, c elliptic.Curve, tag string) { priv, _ := GenerateKey(c, rand.Reader) hashed := []byte("testing") r0, s0, err := Sign(zeroReader, priv, hashed) if err != nil { t.Errorf("%s: error signing: %s", tag, err) return } hashed = []byte("testing...") r1, s1, err := Sign(zeroReader, priv, hashed) if err != nil { t.Errorf("%s: error signing: %s", tag, err) return } if s0.Cmp(s1) == 0 { // This should never happen. t.Errorf("%s: the signatures on two different messages were the same") } if r0.Cmp(r1) == 0 { t.Errorf("%s: the nonce used for two diferent messages was the same") } } func TestNonceSafety(t *testing.T) { testNonceSafety(t, elliptic.P224(), "p224") if testing.Short() { return } testNonceSafety(t, elliptic.P256(), "p256") testNonceSafety(t, elliptic.P384(), "p384") testNonceSafety(t, elliptic.P521(), "p521") } func testINDCCA(t *testing.T, c elliptic.Curve, tag string) { priv, _ := GenerateKey(c, rand.Reader) hashed := []byte("testing") r0, s0, err := Sign(rand.Reader, priv, hashed) if err != nil { t.Errorf("%s: error signing: %s", tag, err) return } r1, s1, err := Sign(rand.Reader, priv, hashed) if err != nil { t.Errorf("%s: error signing: %s", tag, err) return } if s0.Cmp(s1) == 0 { t.Errorf("%s: two signatures of the same message produced the same result") } if r0.Cmp(r1) == 0 { t.Errorf("%s: two signatures of the same message produced the same nonce") } } func TestINDCCA(t *testing.T) { testINDCCA(t, elliptic.P224(), "p224") if testing.Short() { return } testINDCCA(t, elliptic.P256(), "p256") testINDCCA(t, elliptic.P384(), "p384") testINDCCA(t, elliptic.P521(), "p521") } func fromHex(s string) *big.Int { r, ok := new(big.Int).SetString(s, 16) if !ok { panic("bad hex") } return r } func TestVectors(t *testing.T) { // This test runs the full set of NIST test vectors from // http://csrc.nist.gov/groups/STM/cavp/documents/dss/186-3ecdsatestvectors.zip // // The SigVer.rsp file has been edited to remove test vectors for // unsupported algorithms and has been compressed. if testing.Short() { return } f, err := os.Open("testdata/SigVer.rsp.bz2") if err != nil { t.Fatal(err) } buf := bufio.NewReader(bzip2.NewReader(f)) lineNo := 1 var h hash.Hash var msg []byte var hashed []byte var r, s *big.Int pub := new(PublicKey) for { line, err := buf.ReadString('\n') if len(line) == 0 { if err == io.EOF { break } t.Fatalf("error reading from input: %s", err) } lineNo++ // Need to remove \r\n from the end of the line. if !strings.HasSuffix(line, "\r\n") { t.Fatalf("bad line ending (expected \\r\\n) on line %d", lineNo) } line = line[:len(line)-2] if len(line) == 0 || line[0] == '#' { continue } if line[0] == '[' { line = line[1 : len(line)-1] parts := strings.SplitN(line, ",", 2) switch parts[0] { case "P-224": pub.Curve = elliptic.P224() case "P-256": pub.Curve = elliptic.P256() case "P-384": pub.Curve = elliptic.P384() case "P-521": pub.Curve = elliptic.P521() default: pub.Curve = nil } switch parts[1] { case "SHA-1": h = sha1.New() case "SHA-224": h = sha256.New224() case "SHA-256": h = sha256.New() case "SHA-384": h = sha512.New384() case "SHA-512": h = sha512.New() default: h = nil } continue } if h == nil || pub.Curve == nil { continue } switch { case strings.HasPrefix(line, "Msg = "): if msg, err = hex.DecodeString(line[6:]); err != nil { t.Fatalf("failed to decode message on line %d: %s", lineNo, err) } case strings.HasPrefix(line, "Qx = "): pub.X = fromHex(line[5:]) case strings.HasPrefix(line, "Qy = "): pub.Y = fromHex(line[5:]) case strings.HasPrefix(line, "R = "): r = fromHex(line[4:]) case strings.HasPrefix(line, "S = "): s = fromHex(line[4:]) case strings.HasPrefix(line, "Result = "): expected := line[9] == 'P' h.Reset() h.Write(msg) hashed := h.Sum(hashed[:0]) if Verify(pub, hashed, r, s) != expected { t.Fatalf("incorrect result on line %d", lineNo) } default: t.Fatalf("unknown variable on line %d: %s", lineNo, line) } } }