// Copyright 2011 The Go Authors. All rights reserved. // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. package ecdsa import ( "bufio" "bytes" "compress/bzip2" "crypto/elliptic" "crypto/internal/bigmod" "crypto/rand" "crypto/sha1" "crypto/sha256" "crypto/sha512" "encoding/hex" "hash" "io" "math/big" "os" "strings" "testing" ) func testAllCurves(t *testing.T, f func(*testing.T, elliptic.Curve)) { tests := []struct { name string curve elliptic.Curve }{ {"P256", elliptic.P256()}, {"P224", elliptic.P224()}, {"P384", elliptic.P384()}, {"P521", elliptic.P521()}, {"P256/Generic", genericParamsForCurve(elliptic.P256())}, } if testing.Short() { tests = tests[:1] } for _, test := range tests { curve := test.curve t.Run(test.name, func(t *testing.T) { t.Parallel() f(t, curve) }) } } // genericParamsForCurve returns the dereferenced CurveParams for // the specified curve. This is used to avoid the logic for // upgrading a curve to its specific implementation, forcing // usage of the generic implementation. func genericParamsForCurve(c elliptic.Curve) *elliptic.CurveParams { d := *(c.Params()) return &d } func TestKeyGeneration(t *testing.T) { testAllCurves(t, testKeyGeneration) } func testKeyGeneration(t *testing.T, c elliptic.Curve) { priv, err := GenerateKey(c, rand.Reader) if err != nil { t.Fatal(err) } if !c.IsOnCurve(priv.PublicKey.X, priv.PublicKey.Y) { t.Errorf("public key invalid: %s", err) } } func TestSignAndVerify(t *testing.T) { testAllCurves(t, testSignAndVerify) } func testSignAndVerify(t *testing.T, c elliptic.Curve) { priv, _ := GenerateKey(c, rand.Reader) hashed := []byte("testing") r, s, err := Sign(rand.Reader, priv, hashed) if err != nil { t.Errorf("error signing: %s", err) return } if !Verify(&priv.PublicKey, hashed, r, s) { t.Errorf("Verify failed") } hashed[0] ^= 0xff if Verify(&priv.PublicKey, hashed, r, s) { t.Errorf("Verify always works!") } } func TestSignAndVerifyASN1(t *testing.T) { testAllCurves(t, testSignAndVerifyASN1) } func testSignAndVerifyASN1(t *testing.T, c elliptic.Curve) { priv, _ := GenerateKey(c, rand.Reader) hashed := []byte("testing") sig, err := SignASN1(rand.Reader, priv, hashed) if err != nil { t.Errorf("error signing: %s", err) return } if !VerifyASN1(&priv.PublicKey, hashed, sig) { t.Errorf("VerifyASN1 failed") } hashed[0] ^= 0xff if VerifyASN1(&priv.PublicKey, hashed, sig) { t.Errorf("VerifyASN1 always works!") } } func TestNonceSafety(t *testing.T) { testAllCurves(t, testNonceSafety) } func testNonceSafety(t *testing.T, c elliptic.Curve) { priv, _ := GenerateKey(c, rand.Reader) hashed := []byte("testing") r0, s0, err := Sign(zeroReader, priv, hashed) if err != nil { t.Errorf("error signing: %s", err) return } hashed = []byte("testing...") r1, s1, err := Sign(zeroReader, priv, hashed) if err != nil { t.Errorf("error signing: %s", err) return } if s0.Cmp(s1) == 0 { // This should never happen. t.Errorf("the signatures on two different messages were the same") } if r0.Cmp(r1) == 0 { t.Errorf("the nonce used for two different messages was the same") } } func TestINDCCA(t *testing.T) { testAllCurves(t, testINDCCA) } func testINDCCA(t *testing.T, c elliptic.Curve) { priv, _ := GenerateKey(c, rand.Reader) hashed := []byte("testing") r0, s0, err := Sign(rand.Reader, priv, hashed) if err != nil { t.Errorf("error signing: %s", err) return } r1, s1, err := Sign(rand.Reader, priv, hashed) if err != nil { t.Errorf("error signing: %s", err) return } if s0.Cmp(s1) == 0 { t.Errorf("two signatures of the same message produced the same result") } if r0.Cmp(r1) == 0 { t.Errorf("two signatures of the same message produced the same nonce") } } func fromHex(s string) *big.Int { r, ok := new(big.Int).SetString(s, 16) if !ok { panic("bad hex") } return r } func TestVectors(t *testing.T) { // This test runs the full set of NIST test vectors from // https://csrc.nist.gov/groups/STM/cavp/documents/dss/186-3ecdsatestvectors.zip // // The SigVer.rsp file has been edited to remove test vectors for // unsupported algorithms and has been compressed. if testing.Short() { return } f, err := os.Open("testdata/SigVer.rsp.bz2") if err != nil { t.Fatal(err) } buf := bufio.NewReader(bzip2.NewReader(f)) lineNo := 1 var h hash.Hash var msg []byte var hashed []byte var r, s *big.Int pub := new(PublicKey) for { line, err := buf.ReadString('\n') if len(line) == 0 { if err == io.EOF { break } t.Fatalf("error reading from input: %s", err) } lineNo++ // Need to remove \r\n from the end of the line. if !strings.HasSuffix(line, "\r\n") { t.Fatalf("bad line ending (expected \\r\\n) on line %d", lineNo) } line = line[:len(line)-2] if len(line) == 0 || line[0] == '#' { continue } if line[0] == '[' { line = line[1 : len(line)-1] curve, hash, _ := strings.Cut(line, ",") switch curve { case "P-224": pub.Curve = elliptic.P224() case "P-256": pub.Curve = elliptic.P256() case "P-384": pub.Curve = elliptic.P384() case "P-521": pub.Curve = elliptic.P521() default: pub.Curve = nil } switch hash { case "SHA-1": h = sha1.New() case "SHA-224": h = sha256.New224() case "SHA-256": h = sha256.New() case "SHA-384": h = sha512.New384() case "SHA-512": h = sha512.New() default: h = nil } continue } if h == nil || pub.Curve == nil { continue } switch { case strings.HasPrefix(line, "Msg = "): if msg, err = hex.DecodeString(line[6:]); err != nil { t.Fatalf("failed to decode message on line %d: %s", lineNo, err) } case strings.HasPrefix(line, "Qx = "): pub.X = fromHex(line[5:]) case strings.HasPrefix(line, "Qy = "): pub.Y = fromHex(line[5:]) case strings.HasPrefix(line, "R = "): r = fromHex(line[4:]) case strings.HasPrefix(line, "S = "): s = fromHex(line[4:]) case strings.HasPrefix(line, "Result = "): expected := line[9] == 'P' h.Reset() h.Write(msg) hashed := h.Sum(hashed[:0]) if Verify(pub, hashed, r, s) != expected { t.Fatalf("incorrect result on line %d", lineNo) } default: t.Fatalf("unknown variable on line %d: %s", lineNo, line) } } } func TestNegativeInputs(t *testing.T) { testAllCurves(t, testNegativeInputs) } func testNegativeInputs(t *testing.T, curve elliptic.Curve) { key, err := GenerateKey(curve, rand.Reader) if err != nil { t.Errorf("failed to generate key") } var hash [32]byte r := new(big.Int).SetInt64(1) r.Lsh(r, 550 /* larger than any supported curve */) r.Neg(r) if Verify(&key.PublicKey, hash[:], r, r) { t.Errorf("bogus signature accepted") } } func TestZeroHashSignature(t *testing.T) { testAllCurves(t, testZeroHashSignature) } func testZeroHashSignature(t *testing.T, curve elliptic.Curve) { zeroHash := make([]byte, 64) privKey, err := GenerateKey(curve, rand.Reader) if err != nil { panic(err) } // Sign a hash consisting of all zeros. r, s, err := Sign(rand.Reader, privKey, zeroHash) if err != nil { panic(err) } // Confirm that it can be verified. if !Verify(&privKey.PublicKey, zeroHash, r, s) { t.Errorf("zero hash signature verify failed for %T", curve) } } func TestRandomPoint(t *testing.T) { t.Run("P-224", func(t *testing.T) { testRandomPoint(t, p224()) }) t.Run("P-256", func(t *testing.T) { testRandomPoint(t, p256()) }) t.Run("P-384", func(t *testing.T) { testRandomPoint(t, p384()) }) t.Run("P-521", func(t *testing.T) { testRandomPoint(t, p521()) }) } func testRandomPoint[Point nistPoint[Point]](t *testing.T, c *nistCurve[Point]) { t.Cleanup(func() { testingOnlyRejectionSamplingLooped = nil }) var loopCount int testingOnlyRejectionSamplingLooped = func() { loopCount++ } // A sequence of all ones will generate 2^N-1, which should be rejected. // (Unless, for example, we are masking too many bits.) r := io.MultiReader(bytes.NewReader(bytes.Repeat([]byte{0xff}, 100)), rand.Reader) if k, p, err := randomPoint(c, r); err != nil { t.Fatal(err) } else if k.IsZero() == 1 { t.Error("k is zero") } else if p.Bytes()[0] != 4 { t.Error("p is infinity") } if loopCount == 0 { t.Error("overflow was not rejected") } loopCount = 0 // A sequence of all zeroes will generate zero, which should be rejected. r = io.MultiReader(bytes.NewReader(bytes.Repeat([]byte{0}, 100)), rand.Reader) if k, p, err := randomPoint(c, r); err != nil { t.Fatal(err) } else if k.IsZero() == 1 { t.Error("k is zero") } else if p.Bytes()[0] != 4 { t.Error("p is infinity") } if loopCount == 0 { t.Error("zero was not rejected") } loopCount = 0 // P-256 has a 2⁻³² chance or randomly hitting a rejection. For P-224 it's // 2⁻¹¹², for P-384 it's 2⁻¹⁹⁴, and for P-521 it's 2⁻²⁶², so if we hit in // tests, something is horribly wrong. (For example, we are masking the // wrong bits.) if c.curve == elliptic.P256() { return } if k, p, err := randomPoint(c, rand.Reader); err != nil { t.Fatal(err) } else if k.IsZero() == 1 { t.Error("k is zero") } else if p.Bytes()[0] != 4 { t.Error("p is infinity") } if loopCount > 0 { t.Error("unexpected rejection") } } func TestHashToNat(t *testing.T) { t.Run("P-224", func(t *testing.T) { testHashToNat(t, p224()) }) t.Run("P-256", func(t *testing.T) { testHashToNat(t, p256()) }) t.Run("P-384", func(t *testing.T) { testHashToNat(t, p384()) }) t.Run("P-521", func(t *testing.T) { testHashToNat(t, p521()) }) } func testHashToNat[Point nistPoint[Point]](t *testing.T, c *nistCurve[Point]) { for l := 0; l < 600; l++ { h := bytes.Repeat([]byte{0xff}, l) hashToNat(c, bigmod.NewNat(), h) } } func TestZeroSignature(t *testing.T) { testAllCurves(t, testZeroSignature) } func testZeroSignature(t *testing.T, curve elliptic.Curve) { privKey, err := GenerateKey(curve, rand.Reader) if err != nil { panic(err) } if Verify(&privKey.PublicKey, make([]byte, 64), big.NewInt(0), big.NewInt(0)) { t.Errorf("Verify with r,s=0 succeeded: %T", curve) } } func TestNegtativeSignature(t *testing.T) { testAllCurves(t, testNegativeSignature) } func testNegativeSignature(t *testing.T, curve elliptic.Curve) { zeroHash := make([]byte, 64) privKey, err := GenerateKey(curve, rand.Reader) if err != nil { panic(err) } r, s, err := Sign(rand.Reader, privKey, zeroHash) if err != nil { panic(err) } r = r.Neg(r) if Verify(&privKey.PublicKey, zeroHash, r, s) { t.Errorf("Verify with r=-r succeeded: %T", curve) } } func TestRPlusNSignature(t *testing.T) { testAllCurves(t, testRPlusNSignature) } func testRPlusNSignature(t *testing.T, curve elliptic.Curve) { zeroHash := make([]byte, 64) privKey, err := GenerateKey(curve, rand.Reader) if err != nil { panic(err) } r, s, err := Sign(rand.Reader, privKey, zeroHash) if err != nil { panic(err) } r = r.Add(r, curve.Params().N) if Verify(&privKey.PublicKey, zeroHash, r, s) { t.Errorf("Verify with r=r+n succeeded: %T", curve) } } func TestRMinusNSignature(t *testing.T) { testAllCurves(t, testRMinusNSignature) } func testRMinusNSignature(t *testing.T, curve elliptic.Curve) { zeroHash := make([]byte, 64) privKey, err := GenerateKey(curve, rand.Reader) if err != nil { panic(err) } r, s, err := Sign(rand.Reader, privKey, zeroHash) if err != nil { panic(err) } r = r.Sub(r, curve.Params().N) if Verify(&privKey.PublicKey, zeroHash, r, s) { t.Errorf("Verify with r=r-n succeeded: %T", curve) } } func randomPointForCurve(curve elliptic.Curve, rand io.Reader) error { switch curve.Params() { case elliptic.P224().Params(): _, _, err := randomPoint(p224(), rand) return err case elliptic.P256().Params(): _, _, err := randomPoint(p256(), rand) return err case elliptic.P384().Params(): _, _, err := randomPoint(p384(), rand) return err case elliptic.P521().Params(): _, _, err := randomPoint(p521(), rand) return err default: panic("unknown curve") } } func benchmarkAllCurves(b *testing.B, f func(*testing.B, elliptic.Curve)) { tests := []struct { name string curve elliptic.Curve }{ {"P256", elliptic.P256()}, {"P384", elliptic.P384()}, {"P521", elliptic.P521()}, } for _, test := range tests { curve := test.curve b.Run(test.name, func(b *testing.B) { f(b, curve) }) } } func BenchmarkSign(b *testing.B) { benchmarkAllCurves(b, func(b *testing.B, curve elliptic.Curve) { r := bufio.NewReaderSize(rand.Reader, 1<<15) priv, err := GenerateKey(curve, r) if err != nil { b.Fatal(err) } hashed := []byte("testing") b.ReportAllocs() b.ResetTimer() for i := 0; i < b.N; i++ { sig, err := SignASN1(r, priv, hashed) if err != nil { b.Fatal(err) } // Prevent the compiler from optimizing out the operation. hashed[0] = sig[0] } }) } func BenchmarkVerify(b *testing.B) { benchmarkAllCurves(b, func(b *testing.B, curve elliptic.Curve) { r := bufio.NewReaderSize(rand.Reader, 1<<15) priv, err := GenerateKey(curve, r) if err != nil { b.Fatal(err) } hashed := []byte("testing") sig, err := SignASN1(r, priv, hashed) if err != nil { b.Fatal(err) } b.ReportAllocs() b.ResetTimer() for i := 0; i < b.N; i++ { if !VerifyASN1(&priv.PublicKey, hashed, sig) { b.Fatal("verify failed") } } }) } func BenchmarkGenerateKey(b *testing.B) { benchmarkAllCurves(b, func(b *testing.B, curve elliptic.Curve) { r := bufio.NewReaderSize(rand.Reader, 1<<15) b.ReportAllocs() b.ResetTimer() for i := 0; i < b.N; i++ { if _, err := GenerateKey(curve, r); err != nil { b.Fatal(err) } } }) }