aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--crypto_test.go67
1 files changed, 66 insertions, 1 deletions
diff --git a/crypto_test.go b/crypto_test.go
index b7179f3..b6c168b 100644
--- a/crypto_test.go
+++ b/crypto_test.go
@@ -6,6 +6,9 @@ import (
"fmt"
"testing"
+ "crypto/ed25519"
+ "crypto/tls"
+
cttestdata "github.com/google/certificate-transparency-go/trillian/testdata"
"github.com/system-transparency/stfe/x509util"
"github.com/system-transparency/stfe/x509util/testdata"
@@ -100,8 +103,70 @@ func TestBuildChainFromDerList(t *testing.T) {
}
}
-// TODO: TestVerifySignature
func TestVerifySignature(t *testing.T) {
+ lp := makeTestLogParameters(t, nil)
+ for _, table := range []struct {
+ description string
+ certificate []byte // pem
+ key []byte // pem
+ scheme tls.SignatureScheme
+ wantErr bool
+ }{
+ {
+ description: "invalid signature scheme",
+ certificate: testdata.EndEntityCertificate,
+ key: testdata.EndEntityPrivateKey,
+ scheme: tls.ECDSAWithP256AndSHA256,
+ wantErr: true,
+ },
+ {
+ description: "invalid signature: certificate and key mismatch",
+ certificate: testdata.EndEntityCertificate,
+ key: testdata.EndEntityPrivateKey2,
+ scheme: tls.Ed25519,
+ wantErr: true,
+ },
+ {
+ description: "valid signature",
+ certificate: testdata.EndEntityCertificate,
+ key: testdata.EndEntityPrivateKey,
+ scheme: tls.Ed25519,
+ },
+ } {
+ msg := []byte("msg")
+ key, err := x509util.NewEd25519PrivateKey(table.key)
+ if err != nil {
+ t.Fatalf("must make ed25519 signing key: %v", err)
+ }
+ list, err := x509util.NewCertificateList(table.certificate)
+ if err != nil {
+ t.Fatalf("must make certificate list: %v", err)
+ }
+ if len(list) != 1 {
+ t.Fatalf("must make one certificate: got %d", len(list))
+ }
+ certificate := list[0]
+ sig := ed25519.Sign(key, msg)
+
+ err = lp.verifySignature(certificate, table.scheme, msg, sig)
+ if got, want := err != nil, table.wantErr; got != want {
+ t.Errorf("got error=%v but wanted %v in test %q: %v", got, want, table.description, err)
+ }
+ if err != nil {
+ continue
+ }
+
+ msg[0] += 1 // modify message
+ if err = lp.verifySignature(certificate, table.scheme, msg, sig); err == nil {
+ t.Errorf("got no error for modified msg in test %q", table.description)
+ }
+
+ msg[0] -= 1 // restore message
+ sig[0] += 1 // modify signature
+ if err = lp.verifySignature(certificate, table.scheme, msg, sig); err == nil {
+ t.Errorf("got no error for modified signature in test %q", table.description)
+ }
+ }
}
// TestGenV1Sdi tests that a signature failure works as expected, and that