// Copyright 2017 Google Inc. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. // //////////////////////////////////////////////////////////////////////////////// #include "tink/signature/public_key_verify_wrapper.h" #include #include #include #include "gtest/gtest.h" #include "tink/primitive_set.h" #include "tink/public_key_verify.h" #include "tink/internal/registry_impl.h" #include "tink/monitoring/monitoring.h" #include "tink/monitoring/monitoring_client_mocks.h" #include "tink/signature/failing_signature.h" #include "tink/util/status.h" #include "tink/util/test_matchers.h" #include "tink/util/test_util.h" namespace crypto { namespace tink { namespace { using ::crypto::tink::test::DummyPublicKeySign; using ::crypto::tink::test::DummyPublicKeyVerify; using ::crypto::tink::test::IsOk; using ::crypto::tink::test::IsOkAndHolds; using ::crypto::tink::test::StatusIs; using ::google::crypto::tink::KeysetInfo; using ::google::crypto::tink::KeyStatusType; using ::google::crypto::tink::OutputPrefixType; using ::testing::_; using ::testing::ByMove; using ::testing::IsNull; using ::testing::StrictMock; using ::testing::Not; using ::testing::NotNull; using ::testing::Return; using ::testing::Test; class PublicKeyVerifySetWrapperTest : public ::testing::Test { protected: void SetUp() override { } void TearDown() override { } }; TEST_F(PublicKeyVerifySetWrapperTest, testBasic) { { // pk_verify_set is nullptr. auto pk_verify_result = PublicKeyVerifyWrapper().Wrap(nullptr); EXPECT_FALSE(pk_verify_result.ok()); EXPECT_EQ(absl::StatusCode::kInternal, pk_verify_result.status().code()); EXPECT_PRED_FORMAT2(testing::IsSubstring, "non-NULL", std::string(pk_verify_result.status().message())); } { // pk_verify_set has no primary primitive. std::unique_ptr> pk_verify_set(new PrimitiveSet()); auto pk_verify_result = PublicKeyVerifyWrapper().Wrap(std::move(pk_verify_set)); EXPECT_FALSE(pk_verify_result.ok()); EXPECT_EQ(absl::StatusCode::kInvalidArgument, pk_verify_result.status().code()); EXPECT_PRED_FORMAT2(testing::IsSubstring, "no primary", std::string(pk_verify_result.status().message())); } { // Correct pk_verify_set; KeysetInfo::KeyInfo* key_info; KeysetInfo keyset_info; uint32_t key_id_0 = 1234543; key_info = keyset_info.add_key_info(); key_info->set_output_prefix_type(OutputPrefixType::RAW); key_info->set_key_id(key_id_0); key_info->set_status(KeyStatusType::ENABLED); uint32_t key_id_1 = 726329; key_info = keyset_info.add_key_info(); key_info->set_output_prefix_type(OutputPrefixType::LEGACY); key_info->set_key_id(key_id_1); key_info->set_status(KeyStatusType::ENABLED); uint32_t key_id_2 = 7213743; key_info = keyset_info.add_key_info(); key_info->set_output_prefix_type(OutputPrefixType::TINK); key_info->set_key_id(key_id_2); key_info->set_status(KeyStatusType::ENABLED); std::string signature_name_0 = "signature_0"; std::string signature_name_1 = "signature_1"; std::string signature_name_2 = "signature_2"; std::unique_ptr> pk_verify_set( new PrimitiveSet()); std::unique_ptr pk_verify( new DummyPublicKeyVerify(signature_name_0)); auto entry_result = pk_verify_set->AddPrimitive(std::move(pk_verify), keyset_info.key_info(0)); ASSERT_TRUE(entry_result.ok()); pk_verify = std::make_unique(signature_name_1); entry_result = pk_verify_set->AddPrimitive(std::move(pk_verify), keyset_info.key_info(1)); ASSERT_TRUE(entry_result.ok()); pk_verify = std::make_unique(signature_name_2); entry_result = pk_verify_set->AddPrimitive(std::move(pk_verify), keyset_info.key_info(2)); ASSERT_TRUE(entry_result.ok()); // The last key is the primary. ASSERT_THAT(pk_verify_set->set_primary(entry_result.value()), IsOk()); // Wrap pk_verify_set and test the resulting PublicKeyVerify. auto pk_verify_result = PublicKeyVerifyWrapper().Wrap(std::move(pk_verify_set)); EXPECT_TRUE(pk_verify_result.ok()) << pk_verify_result.status(); pk_verify = std::move(pk_verify_result.value()); std::string data = "some data to sign"; std::unique_ptr pk_sign( new DummyPublicKeySign(signature_name_0)); std::string signature = pk_sign->Sign(data).value(); util::Status status = pk_verify->Verify(signature, data); EXPECT_TRUE(status.ok()) << status; } } KeysetInfo::KeyInfo PopulateKeyInfo(uint32_t key_id, OutputPrefixType out_prefix_type, KeyStatusType status) { KeysetInfo::KeyInfo key_info; key_info.set_output_prefix_type(out_prefix_type); key_info.set_key_id(key_id); key_info.set_status(status); return key_info; } // Creates a test keyset info object. KeysetInfo CreateTestKeysetInfo() { KeysetInfo keyset_info; *keyset_info.add_key_info() = PopulateKeyInfo(/*key_id=*/1234543, OutputPrefixType::TINK, /*status=*/KeyStatusType::ENABLED); *keyset_info.add_key_info() = PopulateKeyInfo(/*key_id=*/726329, OutputPrefixType::LEGACY, /*status=*/KeyStatusType::ENABLED); *keyset_info.add_key_info() = PopulateKeyInfo(/*key_id=*/7213743, OutputPrefixType::TINK, /*status=*/KeyStatusType::ENABLED); return keyset_info; } // Tests for the monitoring behavior. class PublicKeyVerifySetWrapperWithMonitoringTest : public Test { protected: // Perform some common initialization: reset the global registry, set expected // calls for the mock monitoring factory and the returned clients. void SetUp() override { Registry::Reset(); // Setup mocks for catching Monitoring calls. auto monitoring_client_factory = absl::make_unique(); auto verify_monitoring_client = absl::make_unique>(); verify_monitoring_client_ = verify_monitoring_client.get(); // Monitoring tests expect that the client factory will create the // corresponding MockMonitoringClients. EXPECT_CALL(*monitoring_client_factory, New(_)) .WillOnce( Return(ByMove(util::StatusOr>( std::move(verify_monitoring_client))))); ASSERT_THAT(internal::RegistryImpl::GlobalInstance() .RegisterMonitoringClientFactory( std::move(monitoring_client_factory)), IsOk()); ASSERT_THAT( internal::RegistryImpl::GlobalInstance().GetMonitoringClientFactory(), Not(IsNull())); } // Cleanup the registry to avoid mock leaks. ~PublicKeyVerifySetWrapperWithMonitoringTest() override { Registry::Reset(); } MockMonitoringClient* verify_monitoring_client_; }; // Test that successful sign operations are logged. TEST_F(PublicKeyVerifySetWrapperWithMonitoringTest, WrapKeysetWithMonitoringVerifySuccess) { // Create a primitive set and fill it with some entries KeysetInfo keyset_info = CreateTestKeysetInfo(); const absl::flat_hash_map kAnnotations = { {"key1", "value1"}, {"key2", "value2"}, {"key3", "value3"}}; auto public_key_verify_primitive_set = absl::make_unique>(kAnnotations); ASSERT_THAT( public_key_verify_primitive_set ->AddPrimitive(absl::make_unique("verify0"), keyset_info.key_info(0)) .status(), IsOk()); ASSERT_THAT( public_key_verify_primitive_set ->AddPrimitive(absl::make_unique("sign1"), keyset_info.key_info(1)) .status(), IsOk()); // Set the last as primary. util::StatusOr::Entry*> last = public_key_verify_primitive_set->AddPrimitive( absl::make_unique("sign2"), keyset_info.key_info(2)); ASSERT_THAT(last.status(), IsOk()); ASSERT_THAT(public_key_verify_primitive_set->set_primary(*last), IsOk()); // Record the ID of the primary key. const uint32_t primary_key_id = keyset_info.key_info(2).key_id(); // Create a PublicKeyVerify primitive to verify a signature. util::StatusOr> public_key_verify = PublicKeyVerifyWrapper().Wrap(std::move(public_key_verify_primitive_set)); ASSERT_THAT(public_key_verify, IsOkAndHolds(NotNull())); // Create a PublicKeySign primitive and sign some data we can verify. constexpr absl::string_view message = "This is some message!"; std::string signature = absl::StrCat((*last)->get_identifier(), DummyPublicKeySign("sign2").Sign(message).value()); // Check that calling Verify triggers a Log() call. EXPECT_CALL(*verify_monitoring_client_, Log(primary_key_id, message.size())); EXPECT_THAT((*public_key_verify)->Verify(signature, message), IsOk()); } TEST_F(PublicKeyVerifySetWrapperWithMonitoringTest, WrapKeysetWithMonitoringVerifyFailures) { // Create a primitive set and fill it with some entries KeysetInfo keyset_info = CreateTestKeysetInfo(); const absl::flat_hash_map kAnnotations = { {"key1", "value1"}, {"key2", "value2"}, {"key3", "value3"}}; auto public_key_verify_primitive_set = absl::make_unique>(kAnnotations); ASSERT_THAT(public_key_verify_primitive_set ->AddPrimitive(CreateAlwaysFailingPublicKeyVerify("sign0"), keyset_info.key_info(0)) .status(), IsOk()); ASSERT_THAT(public_key_verify_primitive_set ->AddPrimitive(CreateAlwaysFailingPublicKeyVerify("sign1"), keyset_info.key_info(1)) .status(), IsOk()); // Set the last as primary. util::StatusOr::Entry*> last = public_key_verify_primitive_set->AddPrimitive( CreateAlwaysFailingPublicKeyVerify("sign2"), keyset_info.key_info(2)); ASSERT_THAT(last.status(), IsOk()); ASSERT_THAT(public_key_verify_primitive_set->set_primary(*last), IsOk()); // Create a PublicKeySign and sign some data we can verify. util::StatusOr> public_key_verify = PublicKeyVerifyWrapper().Wrap(std::move(public_key_verify_primitive_set)); ASSERT_THAT(public_key_verify, IsOkAndHolds(NotNull())); constexpr absl::string_view message = "This is some message!"; constexpr absl::string_view signature = "This is some invalid signature!"; // Check that calling Verify triggers a LogFailure() call. EXPECT_CALL(*verify_monitoring_client_, LogFailure()); EXPECT_THAT((*public_key_verify)->Verify(signature, message), StatusIs(absl::StatusCode::kInvalidArgument)); } } // namespace } // namespace tink } // namespace crypto