diff options
Diffstat (limited to 'crypto_test.go')
-rw-r--r-- | crypto_test.go | 67 |
1 files changed, 66 insertions, 1 deletions
diff --git a/crypto_test.go b/crypto_test.go index b7179f3..b6c168b 100644 --- a/crypto_test.go +++ b/crypto_test.go @@ -6,6 +6,9 @@ import ( "fmt" "testing" + "crypto/ed25519" + "crypto/tls" + cttestdata "github.com/google/certificate-transparency-go/trillian/testdata" "github.com/system-transparency/stfe/x509util" "github.com/system-transparency/stfe/x509util/testdata" @@ -100,8 +103,70 @@ func TestBuildChainFromDerList(t *testing.T) { } } -// TODO: TestVerifySignature func TestVerifySignature(t *testing.T) { + lp := makeTestLogParameters(t, nil) + for _, table := range []struct { + description string + certificate []byte // pem + key []byte // pem + scheme tls.SignatureScheme + wantErr bool + }{ + { + description: "invalid signature scheme", + certificate: testdata.EndEntityCertificate, + key: testdata.EndEntityPrivateKey, + scheme: tls.ECDSAWithP256AndSHA256, + wantErr: true, + }, + { + description: "invalid signature: certificate and key mismatch", + certificate: testdata.EndEntityCertificate, + key: testdata.EndEntityPrivateKey2, + scheme: tls.Ed25519, + wantErr: true, + }, + { + description: "valid signature", + certificate: testdata.EndEntityCertificate, + key: testdata.EndEntityPrivateKey, + scheme: tls.Ed25519, + }, + } { + msg := []byte("msg") + key, err := x509util.NewEd25519PrivateKey(table.key) + if err != nil { + t.Fatalf("must make ed25519 signing key: %v", err) + } + list, err := x509util.NewCertificateList(table.certificate) + if err != nil { + t.Fatalf("must make certificate list: %v", err) + } + if len(list) != 1 { + t.Fatalf("must make one certificate: got %d", len(list)) + } + certificate := list[0] + sig := ed25519.Sign(key, msg) + + err = lp.verifySignature(certificate, table.scheme, msg, sig) + if got, want := err != nil, table.wantErr; got != want { + t.Errorf("got error=%v but wanted %v in test %q: %v", got, want, table.description, err) + } + if err != nil { + continue + } + + msg[0] += 1 // modify message + if err = lp.verifySignature(certificate, table.scheme, msg, sig); err == nil { + t.Errorf("got no error for modified msg in test %q", table.description) + } + + msg[0] -= 1 // restore message + sig[0] += 1 // modify signature + if err = lp.verifySignature(certificate, table.scheme, msg, sig); err == nil { + t.Errorf("got no error for modified signature in test %q", table.description) + } + } } // TestGenV1Sdi tests that a signature failure works as expected, and that |