1 /* Copyright (c) 2020, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15 #include <assert.h>
16 #include <stdio.h>
17 #include <string.h>
18 #include <time.h>
19
20 #include <algorithm>
21 #include <limits>
22 #include <string>
23 #include <tuple>
24 #include <utility>
25 #include <vector>
26
27 #include <gtest/gtest.h>
28
29 #include <openssl/bytestring.h>
30 #include <openssl/curve25519.h>
31 #include <openssl/evp.h>
32 #include <openssl/mem.h>
33 #include <openssl/rand.h>
34 #include <openssl/sha.h>
35 #include <openssl/trust_token.h>
36
37 #include "../ec_extra/internal.h"
38 #include "../fipsmodule/ec/internal.h"
39 #include "../internal.h"
40 #include "../test/test_util.h"
41 #include "internal.h"
42
43
44 BSSL_NAMESPACE_BEGIN
45
46 namespace {
47
48 const uint8_t kMessage[] = "MSG";
49
TEST(TrustTokenTest,KeyGenExp1)50 TEST(TrustTokenTest, KeyGenExp1) {
51 uint8_t priv_key[TRUST_TOKEN_MAX_PRIVATE_KEY_SIZE];
52 uint8_t pub_key[TRUST_TOKEN_MAX_PUBLIC_KEY_SIZE];
53 size_t priv_key_len, pub_key_len;
54 ASSERT_TRUE(TRUST_TOKEN_generate_key(
55 TRUST_TOKEN_experiment_v1(), priv_key, &priv_key_len,
56 TRUST_TOKEN_MAX_PRIVATE_KEY_SIZE, pub_key, &pub_key_len,
57 TRUST_TOKEN_MAX_PUBLIC_KEY_SIZE, 0x0001));
58 ASSERT_EQ(292u, priv_key_len);
59 ASSERT_EQ(301u, pub_key_len);
60
61 const uint8_t kKeygenSecret[] = "SEED";
62 ASSERT_TRUE(TRUST_TOKEN_derive_key_from_secret(
63 TRUST_TOKEN_experiment_v1(), priv_key, &priv_key_len,
64 TRUST_TOKEN_MAX_PRIVATE_KEY_SIZE, pub_key, &pub_key_len,
65 TRUST_TOKEN_MAX_PUBLIC_KEY_SIZE, 0x0001, kKeygenSecret,
66 sizeof(kKeygenSecret) - 1));
67
68 const uint8_t kExpectedPriv[] = {
69 0x00, 0x00, 0x00, 0x01, 0x98, 0xaa, 0x32, 0xfc, 0x5f, 0x83, 0x35, 0xea,
70 0x57, 0x4f, 0x9e, 0x61, 0x48, 0x6e, 0x89, 0x9d, 0x3d, 0xaa, 0x38, 0x5d,
71 0xd0, 0x06, 0x96, 0x62, 0xe8, 0x0b, 0xd6, 0x5f, 0x12, 0xa4, 0xcc, 0xa9,
72 0xb5, 0x20, 0x1b, 0x13, 0x8c, 0x1c, 0xaf, 0x36, 0x1b, 0xab, 0x0c, 0xc6,
73 0xac, 0x38, 0xae, 0x96, 0x3d, 0x14, 0x9d, 0xb8, 0x8d, 0xf4, 0x7f, 0xe2,
74 0x7d, 0xeb, 0x17, 0xc2, 0xbc, 0x63, 0x42, 0x93, 0x94, 0xe4, 0x97, 0xbf,
75 0x97, 0xea, 0x02, 0x40, 0xac, 0xb6, 0xa5, 0x03, 0x4c, 0x6b, 0x4c, 0xb8,
76 0x8c, 0xf4, 0x66, 0x1b, 0x4e, 0x02, 0x45, 0xf9, 0xcd, 0xb6, 0x0f, 0x59,
77 0x09, 0x21, 0x03, 0x7e, 0x92, 0x1f, 0x3f, 0x40, 0x83, 0x50, 0xe3, 0xdc,
78 0x9e, 0x6f, 0x65, 0xc5, 0xbd, 0x2c, 0x7d, 0xab, 0x74, 0x49, 0xc8, 0xa2,
79 0x3c, 0xab, 0xcb, 0x4d, 0x63, 0x73, 0x81, 0x2b, 0xb2, 0x1e, 0x00, 0x8f,
80 0x00, 0xb8, 0xd8, 0xb4, 0x5d, 0xc4, 0x3f, 0x3d, 0xa8, 0x4f, 0x4c, 0x72,
81 0x0e, 0x20, 0x17, 0x4b, 0xac, 0x14, 0x8f, 0xb2, 0xa5, 0x20, 0x41, 0x2b,
82 0xf7, 0x62, 0x25, 0x6a, 0xd6, 0x41, 0x26, 0x62, 0x10, 0xc1, 0xbc, 0x42,
83 0xac, 0x54, 0x1b, 0x75, 0x05, 0xd6, 0x53, 0xb1, 0x7b, 0x84, 0x6a, 0x7b,
84 0x5b, 0x2a, 0x34, 0x6e, 0x43, 0x4b, 0x43, 0xcc, 0x6c, 0xdb, 0x1d, 0x02,
85 0x34, 0x7f, 0xd1, 0xe8, 0xfd, 0x42, 0x2c, 0xd9, 0x14, 0xdb, 0xd6, 0xf4,
86 0xad, 0xb5, 0xe4, 0xac, 0xdd, 0x7e, 0xb5, 0x4c, 0x3f, 0x59, 0x24, 0xfa,
87 0x04, 0xd9, 0xb6, 0xd2, 0xb7, 0x7d, 0xf1, 0xfa, 0x13, 0xc0, 0x4d, 0xd5,
88 0xca, 0x3a, 0x4e, 0xa8, 0xdd, 0xa9, 0xfc, 0xcb, 0x06, 0xb2, 0xde, 0x4b,
89 0x2a, 0x86, 0xbb, 0x0d, 0x41, 0xb6, 0x3d, 0xfb, 0x49, 0xc8, 0xdf, 0x9a,
90 0x48, 0xe5, 0x68, 0x8a, 0xfc, 0x86, 0x9c, 0x79, 0x5a, 0x79, 0xc1, 0x09,
91 0x33, 0x53, 0xdc, 0x3d, 0xe9, 0x93, 0x7c, 0x5b, 0x72, 0xf7, 0xa0, 0x8a,
92 0x1f, 0x07, 0x6c, 0x38, 0x3c, 0x99, 0x0b, 0xe4, 0x4e, 0xa4, 0xbd, 0x41,
93 0x1f, 0x83, 0xa6, 0xd3
94 };
95 ASSERT_EQ(Bytes(kExpectedPriv, sizeof(kExpectedPriv)),
96 Bytes(priv_key, priv_key_len));
97
98 const uint8_t kExpectedPub[] = {
99 0x00, 0x00, 0x00, 0x01, 0x00, 0x61, 0x04, 0x5e, 0x06, 0x6b, 0x7b, 0xfd,
100 0x54, 0x01, 0xe0, 0xd2, 0xb5, 0x12, 0xce, 0x48, 0x16, 0x66, 0xb2, 0xdf,
101 0xfd, 0xa8, 0x38, 0x7c, 0x1f, 0x45, 0x1a, 0xb8, 0x21, 0x52, 0x17, 0x25,
102 0xbb, 0x0b, 0x00, 0xd4, 0xa1, 0xbc, 0x28, 0xd9, 0x08, 0x36, 0x98, 0xb2,
103 0x17, 0xd3, 0xb5, 0xad, 0xb6, 0x4e, 0x03, 0x5f, 0xd3, 0x66, 0x2c, 0x58,
104 0x1c, 0xcc, 0xc6, 0x23, 0xa4, 0xf9, 0xa2, 0x7e, 0xb0, 0xe4, 0xd3, 0x95,
105 0x41, 0x6f, 0xba, 0x23, 0x4a, 0x82, 0x93, 0x29, 0x73, 0x75, 0x38, 0x85,
106 0x64, 0x9c, 0xaa, 0x12, 0x6d, 0x7d, 0xcd, 0x52, 0x02, 0x91, 0x9f, 0xa9,
107 0xee, 0x4b, 0xfd, 0x68, 0x97, 0x40, 0xdc, 0x00, 0x61, 0x04, 0x14, 0x16,
108 0x39, 0xf9, 0x63, 0x66, 0x94, 0x03, 0xfa, 0x0b, 0xbf, 0xca, 0x5a, 0x39,
109 0x9f, 0x27, 0x5b, 0x3f, 0x69, 0x7a, 0xc9, 0xf7, 0x25, 0x7c, 0x84, 0x9e,
110 0x1d, 0x61, 0x5a, 0x24, 0x53, 0xf2, 0x4a, 0x9d, 0xe9, 0x05, 0x53, 0xfd,
111 0x12, 0x01, 0x2d, 0x9a, 0x69, 0x50, 0x74, 0x82, 0xa3, 0x45, 0x73, 0xdc,
112 0x34, 0x36, 0x31, 0x44, 0x07, 0x0c, 0xda, 0x13, 0xbe, 0x94, 0x37, 0x65,
113 0xa0, 0xab, 0x16, 0x52, 0x90, 0xe5, 0x8a, 0x03, 0xe5, 0x98, 0x79, 0x14,
114 0x79, 0xd5, 0x17, 0xee, 0xd4, 0xb8, 0xda, 0x77, 0x76, 0x03, 0x20, 0x2a,
115 0x7e, 0x3b, 0x76, 0x0b, 0x23, 0xb7, 0x72, 0x77, 0xb2, 0xeb, 0x00, 0x61,
116 0x04, 0x68, 0x18, 0x4d, 0x23, 0x23, 0xf4, 0x45, 0xb8, 0x81, 0x0d, 0xa4,
117 0x5d, 0x0b, 0x9e, 0x08, 0xfb, 0x45, 0xfb, 0x96, 0x29, 0x43, 0x2f, 0xab,
118 0x93, 0x04, 0x4c, 0x04, 0xb6, 0x5e, 0x27, 0xf5, 0x39, 0x66, 0x94, 0x15,
119 0x1d, 0xb1, 0x1c, 0x7c, 0x27, 0x6f, 0xa5, 0x19, 0x0c, 0x30, 0x12, 0xcc,
120 0x77, 0x7f, 0x10, 0xa9, 0x7c, 0xe4, 0x08, 0x77, 0x3c, 0xd3, 0x6f, 0xa4,
121 0xf4, 0xaf, 0xf1, 0x9d, 0x14, 0x1d, 0xd0, 0x02, 0x33, 0x50, 0x55, 0x00,
122 0x6a, 0x47, 0x96, 0xe1, 0x8b, 0x4e, 0x44, 0x41, 0xad, 0xb3, 0xea, 0x0d,
123 0x0d, 0xd5, 0x73, 0x8e, 0x62, 0x67, 0x8a, 0xb4, 0xe7, 0x5d, 0x17, 0xa9,
124 0x24};
125 ASSERT_EQ(Bytes(kExpectedPub, sizeof(kExpectedPub)),
126 Bytes(pub_key, pub_key_len));
127 }
128
TEST(TrustTokenTest,KeyGenExp2VOPRF)129 TEST(TrustTokenTest, KeyGenExp2VOPRF) {
130 uint8_t priv_key[TRUST_TOKEN_MAX_PRIVATE_KEY_SIZE];
131 uint8_t pub_key[TRUST_TOKEN_MAX_PUBLIC_KEY_SIZE];
132 size_t priv_key_len, pub_key_len;
133 ASSERT_TRUE(TRUST_TOKEN_generate_key(
134 TRUST_TOKEN_experiment_v2_voprf(), priv_key, &priv_key_len,
135 TRUST_TOKEN_MAX_PRIVATE_KEY_SIZE, pub_key, &pub_key_len,
136 TRUST_TOKEN_MAX_PUBLIC_KEY_SIZE, 0x0001));
137 ASSERT_EQ(52u, priv_key_len);
138 ASSERT_EQ(101u, pub_key_len);
139
140 const uint8_t kKeygenSecret[] = "SEED";
141 ASSERT_TRUE(TRUST_TOKEN_derive_key_from_secret(
142 TRUST_TOKEN_experiment_v2_voprf(), priv_key, &priv_key_len,
143 TRUST_TOKEN_MAX_PRIVATE_KEY_SIZE, pub_key, &pub_key_len,
144 TRUST_TOKEN_MAX_PUBLIC_KEY_SIZE, 0x0001, kKeygenSecret,
145 sizeof(kKeygenSecret) - 1));
146
147 const uint8_t kExpectedPriv[] = {
148 0x00, 0x00, 0x00, 0x01, 0x0b, 0xe2, 0xc4, 0x73, 0x92, 0xe7, 0xf8,
149 0x3e, 0xba, 0xab, 0x85, 0xa7, 0x77, 0xd7, 0x0a, 0x02, 0xc5, 0x36,
150 0xfe, 0x62, 0xa3, 0xca, 0x01, 0x75, 0xc7, 0x62, 0x19, 0xc7, 0xf0,
151 0x30, 0xc5, 0x14, 0x60, 0x13, 0x97, 0x4f, 0x63, 0x05, 0x37, 0x92,
152 0x7b, 0x76, 0x8e, 0x9f, 0xd0, 0x1a, 0x74, 0x44
153 };
154 ASSERT_EQ(Bytes(kExpectedPriv, sizeof(kExpectedPriv)),
155 Bytes(priv_key, priv_key_len));
156
157 const uint8_t kExpectedPub[] = {
158 0x00, 0x00, 0x00, 0x01, 0x04, 0x2c, 0x9c, 0x11, 0xc1, 0xe5, 0x52, 0x59,
159 0x0b, 0x6d, 0x88, 0x8b, 0x6e, 0x28, 0xe8, 0xc5, 0xa3, 0xbe, 0x48, 0x18,
160 0xf7, 0x1d, 0x31, 0xcf, 0xa2, 0x6e, 0x2a, 0xd6, 0xcb, 0x83, 0x26, 0x04,
161 0xbd, 0x93, 0x67, 0xe4, 0x53, 0xf6, 0x11, 0x7d, 0x45, 0xe9, 0xfe, 0x27,
162 0x33, 0x90, 0xdb, 0x1b, 0xfc, 0x9b, 0x31, 0x4d, 0x39, 0x1f, 0x1f, 0x8c,
163 0x43, 0x06, 0x70, 0x2c, 0x84, 0xdc, 0x23, 0x18, 0xc7, 0x6a, 0x58, 0xcf,
164 0x9e, 0xc1, 0xfa, 0xf2, 0x30, 0xdd, 0xad, 0x62, 0x24, 0xde, 0x11, 0xc1,
165 0xba, 0x8d, 0xc3, 0x4f, 0xfb, 0xe5, 0xa5, 0xd4, 0x37, 0xba, 0x3b, 0x70,
166 0xc0, 0xc3, 0xef, 0x20, 0x43
167 };
168 ASSERT_EQ(Bytes(kExpectedPub, sizeof(kExpectedPub)),
169 Bytes(pub_key, pub_key_len));
170 }
171
TEST(TrustTokenTest,KeyGenExp2PMB)172 TEST(TrustTokenTest, KeyGenExp2PMB) {
173 uint8_t priv_key[TRUST_TOKEN_MAX_PRIVATE_KEY_SIZE];
174 uint8_t pub_key[TRUST_TOKEN_MAX_PUBLIC_KEY_SIZE];
175 size_t priv_key_len, pub_key_len;
176 ASSERT_TRUE(TRUST_TOKEN_generate_key(
177 TRUST_TOKEN_experiment_v2_pmb(), priv_key, &priv_key_len,
178 TRUST_TOKEN_MAX_PRIVATE_KEY_SIZE, pub_key, &pub_key_len,
179 TRUST_TOKEN_MAX_PUBLIC_KEY_SIZE, 0x0001));
180 ASSERT_EQ(292u, priv_key_len);
181 ASSERT_EQ(295u, pub_key_len);
182
183 const uint8_t kKeygenSecret[] = "SEED";
184 ASSERT_TRUE(TRUST_TOKEN_derive_key_from_secret(
185 TRUST_TOKEN_experiment_v2_pmb(), priv_key, &priv_key_len,
186 TRUST_TOKEN_MAX_PRIVATE_KEY_SIZE, pub_key, &pub_key_len,
187 TRUST_TOKEN_MAX_PUBLIC_KEY_SIZE, 0x0001, kKeygenSecret,
188 sizeof(kKeygenSecret) - 1));
189
190 const uint8_t kExpectedPriv[] = {
191 0x00, 0x00, 0x00, 0x01, 0x1b, 0x74, 0xdc, 0xf0, 0xa9, 0xa7, 0x6c, 0xfb,
192 0x41, 0xef, 0xfa, 0x65, 0x52, 0xc9, 0x86, 0x4e, 0xfb, 0x16, 0x9d, 0xea,
193 0x62, 0x3f, 0x47, 0xab, 0x1f, 0x1b, 0x05, 0xf2, 0x4f, 0x05, 0xfe, 0x64,
194 0xb7, 0xe8, 0xcd, 0x2a, 0x10, 0xfa, 0xa2, 0x48, 0x3f, 0x0e, 0x8b, 0x94,
195 0x39, 0xf1, 0xe7, 0x53, 0xe9, 0x50, 0x29, 0xe2, 0xb7, 0x0e, 0xc0, 0x94,
196 0xa9, 0xd3, 0xef, 0x64, 0x10, 0x1d, 0x08, 0xd0, 0x60, 0xcb, 0x6d, 0x97,
197 0x68, 0xc7, 0x04, 0x92, 0x07, 0xb2, 0x22, 0x83, 0xf7, 0xd9, 0x9b, 0x2c,
198 0xf2, 0x52, 0x34, 0x0c, 0x42, 0x31, 0x47, 0x41, 0x19, 0xb9, 0xee, 0xfc,
199 0x46, 0xbd, 0x14, 0xce, 0x42, 0xd7, 0x43, 0xc8, 0x32, 0x3b, 0x24, 0xed,
200 0xdc, 0x69, 0xa3, 0x8e, 0x29, 0x01, 0xbe, 0xae, 0x24, 0x39, 0x14, 0xa7,
201 0x52, 0xe5, 0xd5, 0xff, 0x9a, 0xc4, 0x15, 0x79, 0x29, 0x4c, 0x9b, 0x4e,
202 0xfc, 0x61, 0xf2, 0x12, 0x6f, 0x4f, 0xd3, 0x96, 0x28, 0xb0, 0x79, 0xf0,
203 0x4e, 0x6e, 0x7d, 0x56, 0x19, 0x1b, 0xc2, 0xd7, 0xf9, 0x3a, 0x58, 0x06,
204 0xe5, 0xec, 0xa4, 0x33, 0x14, 0x1c, 0x78, 0x0c, 0x83, 0x94, 0x34, 0x22,
205 0x5a, 0x8e, 0x2e, 0xa1, 0x72, 0x4a, 0x03, 0x35, 0xfe, 0x46, 0x92, 0x41,
206 0x6b, 0xe6, 0x4b, 0x3f, 0xf0, 0xe7, 0x0b, 0xb5, 0xf3, 0x66, 0x6c, 0xc6,
207 0x14, 0xcf, 0xce, 0x32, 0x0a, 0x2c, 0x28, 0xba, 0x4e, 0xb9, 0x75, 0x4a,
208 0xa9, 0x2d, 0xb0, 0x8c, 0xd0, 0x62, 0x52, 0x29, 0x1f, 0x12, 0xfd, 0xfb,
209 0xd3, 0x2a, 0x36, 0x0f, 0x89, 0x32, 0x86, 0x25, 0x56, 0xb9, 0xe7, 0x3c,
210 0xeb, 0xb4, 0x84, 0x41, 0x2b, 0xa8, 0xf3, 0xa5, 0x3d, 0xfe, 0x56, 0x94,
211 0x5b, 0x74, 0xb3, 0x5b, 0x27, 0x3f, 0xe7, 0xcf, 0xe4, 0xf8, 0x15, 0x95,
212 0x2a, 0xd2, 0x5f, 0x92, 0xb4, 0x6a, 0x89, 0xa5, 0x54, 0xbd, 0x27, 0x5e,
213 0xeb, 0x43, 0x07, 0x9b, 0x2b, 0x8b, 0x22, 0x59, 0x13, 0x4b, 0x9c, 0x56,
214 0xd8, 0x63, 0xd9, 0xe6, 0x85, 0x15, 0x2c, 0x82, 0x52, 0x40, 0x8f, 0xb1,
215 0xe7, 0x56, 0x07, 0x98
216 };
217 ASSERT_EQ(Bytes(kExpectedPriv, sizeof(kExpectedPriv)),
218 Bytes(priv_key, priv_key_len));
219
220 const uint8_t kExpectedPub[] = {
221 0x00, 0x00, 0x00, 0x01, 0x04, 0x48, 0xb1, 0x2d, 0xdd, 0x03, 0x32, 0xeb,
222 0x93, 0x31, 0x3d, 0x59, 0x74, 0xf0, 0xcf, 0xaa, 0xa5, 0x39, 0x5f, 0x53,
223 0xc4, 0x94, 0x98, 0xbe, 0x8f, 0x22, 0xd7, 0x30, 0xde, 0x1e, 0xb4, 0xf3,
224 0x32, 0x23, 0x90, 0x0b, 0xa6, 0x37, 0x4a, 0x4b, 0x44, 0xb3, 0x26, 0x52,
225 0x93, 0x7b, 0x4b, 0xa4, 0x79, 0xe8, 0x77, 0x6a, 0x19, 0x81, 0x2a, 0xdd,
226 0x91, 0xfb, 0x90, 0x8b, 0x24, 0xb5, 0xbe, 0x20, 0x2e, 0xe8, 0xbc, 0xd3,
227 0x83, 0x6c, 0xa8, 0xc5, 0xa1, 0x9a, 0x5b, 0x5e, 0x60, 0xda, 0x45, 0x2e,
228 0x31, 0x7f, 0x54, 0x0e, 0x14, 0x40, 0xd2, 0x4d, 0x40, 0x2e, 0x21, 0x79,
229 0xfc, 0x77, 0xdd, 0xc7, 0x2d, 0x04, 0xfe, 0xc6, 0xe3, 0xcf, 0x99, 0xef,
230 0x88, 0xab, 0x76, 0x86, 0x16, 0x14, 0xed, 0x72, 0x35, 0xa7, 0x05, 0x13,
231 0x9f, 0x2c, 0x53, 0xd5, 0xdf, 0x66, 0x75, 0x2e, 0x68, 0xdc, 0xd4, 0xc4,
232 0x00, 0x36, 0x08, 0x6d, 0xb7, 0x15, 0xf7, 0xe5, 0x32, 0x59, 0x81, 0x16,
233 0x57, 0xaa, 0x72, 0x06, 0xf0, 0xad, 0xd1, 0x85, 0xa0, 0x04, 0xd4, 0x11,
234 0x95, 0x1d, 0xac, 0x0b, 0x25, 0xbe, 0x59, 0xa2, 0xb3, 0x30, 0xee, 0x97,
235 0x07, 0x2a, 0x51, 0x15, 0xc1, 0x8d, 0xa8, 0xa6, 0x57, 0x9a, 0x4e, 0xbf,
236 0xd7, 0x2d, 0x35, 0x07, 0x6b, 0xd6, 0xc9, 0x3c, 0xe4, 0xcf, 0x0b, 0x14,
237 0x3e, 0x10, 0x51, 0x77, 0xd6, 0x84, 0x04, 0xbe, 0xd1, 0xd5, 0xa8, 0xf3,
238 0x9d, 0x1d, 0x4f, 0xc1, 0xc9, 0xf1, 0x0c, 0x6d, 0xb6, 0xcb, 0xe2, 0x05,
239 0x0b, 0x9c, 0x7a, 0x3a, 0x9a, 0x99, 0xe9, 0xa1, 0x93, 0xdc, 0x72, 0x2e,
240 0xef, 0xf3, 0x8d, 0xb9, 0x7b, 0xb0, 0x19, 0x24, 0x95, 0x0d, 0x68, 0xa7,
241 0xe0, 0xaa, 0x0b, 0xb1, 0xd1, 0xcc, 0x52, 0x14, 0xf9, 0x6c, 0x91, 0x59,
242 0xe4, 0xe1, 0x9b, 0xf9, 0x12, 0x39, 0xb1, 0x79, 0xbb, 0x21, 0x92, 0x00,
243 0xa4, 0x89, 0xf5, 0xbd, 0xd7, 0x89, 0x27, 0x40, 0xdc, 0xb1, 0x09, 0x38,
244 0x63, 0x91, 0x8c, 0xa5, 0x27, 0x27, 0x97, 0x39, 0x35, 0xfa, 0x1a, 0x8a,
245 0xa7, 0xe5, 0xc4, 0xd8, 0xbf, 0xe7, 0xbe
246 };
247 ASSERT_EQ(Bytes(kExpectedPub, sizeof(kExpectedPub)),
248 Bytes(pub_key, pub_key_len));
249 }
250
251 // Test that H in |TRUST_TOKEN_experiment_v1| was computed correctly.
TEST(TrustTokenTest,HExp1)252 TEST(TrustTokenTest, HExp1) {
253 const EC_GROUP *group = EC_group_p384();
254 const uint8_t kHGen[] = "generator";
255 const uint8_t kHLabel[] = "PMBTokens Experiment V1 HashH";
256
257 bssl::UniquePtr<EC_POINT> expected_h(EC_POINT_new(group));
258 ASSERT_TRUE(expected_h);
259 ASSERT_TRUE(ec_hash_to_curve_p384_xmd_sha512_sswu_draft07(
260 group, &expected_h->raw, kHLabel, sizeof(kHLabel), kHGen, sizeof(kHGen)));
261 uint8_t expected_bytes[1 + 2 * EC_MAX_BYTES];
262 size_t expected_len =
263 EC_POINT_point2oct(group, expected_h.get(), POINT_CONVERSION_UNCOMPRESSED,
264 expected_bytes, sizeof(expected_bytes), nullptr);
265
266 uint8_t h[97];
267 ASSERT_TRUE(pmbtoken_exp1_get_h_for_testing(h));
268 EXPECT_EQ(Bytes(h), Bytes(expected_bytes, expected_len));
269 }
270
271 // Test that H in |TRUST_TOKEN_experiment_v2_pmb| was computed correctly.
TEST(TrustTokenTest,HExp2)272 TEST(TrustTokenTest, HExp2) {
273 const EC_GROUP *group = EC_group_p384();
274 const uint8_t kHGen[] = "generator";
275 const uint8_t kHLabel[] = "PMBTokens Experiment V2 HashH";
276
277 bssl::UniquePtr<EC_POINT> expected_h(EC_POINT_new(group));
278 ASSERT_TRUE(expected_h);
279 ASSERT_TRUE(ec_hash_to_curve_p384_xmd_sha512_sswu_draft07(
280 group, &expected_h->raw, kHLabel, sizeof(kHLabel), kHGen, sizeof(kHGen)));
281 uint8_t expected_bytes[1 + 2 * EC_MAX_BYTES];
282 size_t expected_len =
283 EC_POINT_point2oct(group, expected_h.get(), POINT_CONVERSION_UNCOMPRESSED,
284 expected_bytes, sizeof(expected_bytes), nullptr);
285
286 uint8_t h[97];
287 ASSERT_TRUE(pmbtoken_exp2_get_h_for_testing(h));
288 EXPECT_EQ(Bytes(h), Bytes(expected_bytes, expected_len));
289 }
290
291 // Test that H in |TRUST_TOKEN_pst_v1_pmb| was computed correctly.
TEST(TrustTokenTest,HPST1)292 TEST(TrustTokenTest, HPST1) {
293 const EC_GROUP *group = EC_GROUP_new_by_curve_name(NID_secp384r1);
294 ASSERT_TRUE(group);
295
296 const uint8_t kHGen[] = "generator";
297 const uint8_t kHLabel[] = "PMBTokens PST V1 HashH";
298
299 bssl::UniquePtr<EC_POINT> expected_h(EC_POINT_new(group));
300 ASSERT_TRUE(expected_h);
301 ASSERT_TRUE(ec_hash_to_curve_p384_xmd_sha384_sswu(
302 group, &expected_h->raw, kHLabel, sizeof(kHLabel), kHGen, sizeof(kHGen)));
303 uint8_t expected_bytes[1 + 2 * EC_MAX_BYTES];
304 size_t expected_len =
305 EC_POINT_point2oct(group, expected_h.get(), POINT_CONVERSION_UNCOMPRESSED,
306 expected_bytes, sizeof(expected_bytes), nullptr);
307
308 uint8_t h[97];
309 ASSERT_TRUE(pmbtoken_pst1_get_h_for_testing(h));
310 EXPECT_EQ(Bytes(h), Bytes(expected_bytes, expected_len));
311 }
312
ec_point_uncompressed_from_compressed(const EC_GROUP * group,uint8_t out[EC_MAX_UNCOMPRESSED],size_t * out_len,const uint8_t * in,size_t len)313 static int ec_point_uncompressed_from_compressed(
314 const EC_GROUP *group, uint8_t out[EC_MAX_UNCOMPRESSED], size_t *out_len,
315 const uint8_t *in, size_t len) {
316 bssl::UniquePtr<EC_POINT> point(EC_POINT_new(group));
317 if (!point ||
318 !EC_POINT_oct2point(group, point.get(), in, len, nullptr)) {
319 return 0;
320 }
321
322 *out_len =
323 EC_POINT_point2oct(group, point.get(), POINT_CONVERSION_UNCOMPRESSED, out,
324 EC_MAX_UNCOMPRESSED, nullptr);
325 return 1;
326 }
327
setup_voprf_test_key(const EC_GROUP * group,TRUST_TOKEN_ISSUER_KEY * out)328 static bool setup_voprf_test_key(const EC_GROUP *group,
329 TRUST_TOKEN_ISSUER_KEY *out) {
330 static const uint8_t kPrivateKey[] = {
331 0x05, 0x16, 0x46, 0xb9, 0xe6, 0xe7, 0xa7, 0x1a, 0xe2, 0x7c, 0x1e, 0x1d,
332 0x0b, 0x87, 0xb4, 0x38, 0x1d, 0xb6, 0xd3, 0x59, 0x5e, 0xee, 0xb1, 0xad,
333 0xb4, 0x15, 0x79, 0xad, 0xbf, 0x99, 0x2f, 0x42, 0x78, 0xf9, 0x01, 0x6e,
334 0xaf, 0xc9, 0x44, 0xed, 0xaa, 0x2b, 0x43, 0x18, 0x35, 0x81, 0x77, 0x9d
335 };
336
337 static const uint8_t kPublicKey[] = {
338 0x03, 0x1d, 0x68, 0x96, 0x86, 0xc6, 0x11, 0x99, 0x1b, 0x55,
339 0xf1, 0xa1, 0xd8, 0xf4, 0x30, 0x5c, 0xcd, 0x6c, 0xb7, 0x19,
340 0x44, 0x6f, 0x66, 0x0a, 0x30, 0xdb, 0x61, 0xb7, 0xaa, 0x87,
341 0xb4, 0x6a, 0xcf, 0x59, 0xb7, 0xc0, 0xd4, 0xa9, 0x07, 0x7b,
342 0x3d, 0xa2, 0x1c, 0x25, 0xdd, 0x48, 0x22, 0x29, 0xa0
343 };
344
345 if (!ec_scalar_from_bytes(group, &out->xs, kPrivateKey,
346 sizeof(kPrivateKey))) {
347 return false;
348 }
349
350 bssl::UniquePtr<EC_POINT> pub(EC_POINT_new(group));
351 return pub &&
352 EC_POINT_oct2point(group, pub.get(), kPublicKey, sizeof(kPublicKey),
353 nullptr) &&
354 ec_jacobian_to_affine(group, &out->pubs, &pub->raw);
355 }
356
TEST(TrustTokenTest,PSTV1VOPRFTestVector1)357 TEST(TrustTokenTest, PSTV1VOPRFTestVector1) {
358 const EC_GROUP *group = EC_GROUP_new_by_curve_name(NID_secp384r1);
359 TRUST_TOKEN_ISSUER_KEY key;
360 ASSERT_TRUE(setup_voprf_test_key(group, &key));
361
362 static const uint8_t kBlindedElement[] = {
363 0x02, 0xd3, 0x38, 0xc0, 0x5c, 0xbe, 0xcb, 0x82, 0xde, 0x13,
364 0xd6, 0x70, 0x0f, 0x09, 0xcb, 0x61, 0x19, 0x05, 0x43, 0xa7,
365 0xb7, 0xe2, 0xc6, 0xcd, 0x4f, 0xca, 0x56, 0x88, 0x7e, 0x56,
366 0x4e, 0xa8, 0x26, 0x53, 0xb2, 0x7f, 0xda, 0xd3, 0x83, 0x99,
367 0x5e, 0xa6, 0xd0, 0x2c, 0xf2, 0x6d, 0x0e, 0x24, 0xd9
368 };
369
370 static const uint8_t kEvaluatedElement[] = {
371 0x02, 0xa7, 0xbb, 0xa5, 0x89, 0xb3, 0xe8, 0x67, 0x2a, 0xa1,
372 0x9e, 0x8f, 0xd2, 0x58, 0xde, 0x2e, 0x6a, 0xae, 0x20, 0x10,
373 0x1c, 0x8d, 0x76, 0x12, 0x46, 0xde, 0x97, 0xa6, 0xb5, 0xee,
374 0x9c, 0xf1, 0x05, 0xfe, 0xbc, 0xe4, 0x32, 0x7a, 0x32, 0x62,
375 0x55, 0xa3, 0xc6, 0x04, 0xf6, 0x3f, 0x60, 0x0e, 0xf6
376 };
377
378 static const uint8_t kProof[] = {
379 0xbf, 0xc6, 0xcf, 0x38, 0x59, 0x12, 0x7f, 0x5f, 0xe2, 0x55, 0x48, 0x85,
380 0x98, 0x56, 0xd6, 0xb7, 0xfa, 0x1c, 0x74, 0x59, 0xf0, 0xba, 0x57, 0x12,
381 0xa8, 0x06, 0xfc, 0x09, 0x1a, 0x30, 0x00, 0xc4, 0x2d, 0x8b, 0xa3, 0x4f,
382 0xf4, 0x5f, 0x32, 0xa5, 0x2e, 0x40, 0x53, 0x3e, 0xfd, 0x2a, 0x03, 0xbc,
383 0x87, 0xf3, 0xbf, 0x4f, 0x9f, 0x58, 0x02, 0x82, 0x97, 0xcc, 0xb9, 0xcc,
384 0xb1, 0x8a, 0xe7, 0x18, 0x2b, 0xcd, 0x1e, 0xf2, 0x39, 0xdf, 0x77, 0xe3,
385 0xbe, 0x65, 0xef, 0x14, 0x7f, 0x3a, 0xcf, 0x8b, 0xc9, 0xcb, 0xfc, 0x55,
386 0x24, 0xb7, 0x02, 0x26, 0x34, 0x14, 0xf0, 0x43, 0xe3, 0xb7, 0xca, 0x2e
387 };
388
389 static const uint8_t kProofScalar[] = {
390 0x80, 0x3d, 0x95, 0x5f, 0x0e, 0x07, 0x3a, 0x04, 0xaa, 0x5d, 0x92, 0xb3,
391 0xfb, 0x73, 0x9f, 0x56, 0xf9, 0xdb, 0x00, 0x12, 0x66, 0x67, 0x7f, 0x62,
392 0xc0, 0x95, 0x02, 0x1d, 0xb0, 0x18, 0xcd, 0x8c, 0xbb, 0x55, 0x94, 0x1d,
393 0x40, 0x73, 0x69, 0x8c, 0xe4, 0x5c, 0x40, 0x5d, 0x13, 0x48, 0xb7, 0xb1
394 };
395
396 uint8_t blinded_buf[EC_MAX_UNCOMPRESSED];
397 size_t blinded_len;
398 ASSERT_TRUE(ec_point_uncompressed_from_compressed(
399 group, blinded_buf, &blinded_len, kBlindedElement,
400 sizeof(kBlindedElement)));
401
402 CBS sign_input;
403 CBS_init(&sign_input, blinded_buf, blinded_len);
404 bssl::ScopedCBB response;
405 ASSERT_TRUE(CBB_init(response.get(), 0));
406 ASSERT_TRUE(voprf_pst1_sign_with_proof_scalar_for_testing(
407 &key, response.get(), &sign_input, /*num_requested=*/1,
408 /*num_to_issue=*/1,
409 /*private_metadata=*/0, kProofScalar, sizeof(kProofScalar)));
410
411 uint8_t evaluated_buf[EC_MAX_UNCOMPRESSED];
412 size_t evaluated_len;
413 ASSERT_TRUE(ec_point_uncompressed_from_compressed(
414 group, evaluated_buf, &evaluated_len, kEvaluatedElement,
415 sizeof(kEvaluatedElement)));
416
417 bssl::ScopedCBB expected_response;
418 ASSERT_TRUE(CBB_init(expected_response.get(), 0));
419 ASSERT_TRUE(
420 CBB_add_bytes(expected_response.get(), evaluated_buf, evaluated_len));
421 ASSERT_TRUE(CBB_add_u16(expected_response.get(), sizeof(kProof)));
422 ASSERT_TRUE(CBB_add_bytes(expected_response.get(), kProof, sizeof(kProof)));
423 ASSERT_TRUE(CBB_flush(expected_response.get()));
424
425 ASSERT_EQ(Bytes(CBB_data(expected_response.get()),
426 CBB_len(expected_response.get())),
427 Bytes(CBB_data(response.get()), CBB_len(response.get())));
428 }
429
TEST(TrustTokenTest,PSTV1VOPRFTestVector2)430 TEST(TrustTokenTest, PSTV1VOPRFTestVector2) {
431 const EC_GROUP *group = EC_GROUP_new_by_curve_name(NID_secp384r1);
432 TRUST_TOKEN_ISSUER_KEY key;
433 ASSERT_TRUE(setup_voprf_test_key(group, &key));
434
435 static const uint8_t kBlindedElement[] = {
436 0x02, 0xf2, 0x74, 0x69, 0xe0, 0x59, 0x88, 0x6f, 0x22, 0x1b,
437 0xe5, 0xf2, 0xcc, 0xa0, 0x3d, 0x2b, 0xdc, 0x61, 0xe5, 0x52,
438 0x21, 0x72, 0x1c, 0x3b, 0x3e, 0x56, 0xfc, 0x01, 0x2e, 0x36,
439 0xd3, 0x1a, 0xe5, 0xf8, 0xdc, 0x05, 0x81, 0x09, 0x59, 0x15,
440 0x56, 0xa6, 0xdb, 0xd3, 0xa8, 0xc6, 0x9c, 0x43, 0x3b
441 };
442
443 static const uint8_t kEvaluatedElement[] = {
444 0x03, 0xf1, 0x6f, 0x90, 0x39, 0x47, 0x03, 0x54, 0x00, 0xe9,
445 0x6b, 0x7f, 0x53, 0x1a, 0x38, 0xd4, 0xa0, 0x7a, 0xc8, 0x9a,
446 0x80, 0xf8, 0x9d, 0x86, 0xa1, 0xbf, 0x08, 0x9c, 0x52, 0x5a,
447 0x92, 0xc7, 0xf4, 0x73, 0x37, 0x29, 0xca, 0x30, 0xc5, 0x6c,
448 0xe7, 0x8b, 0x1a, 0xb4, 0xf7, 0xd9, 0x2d, 0xb8, 0xb4
449 };
450
451 static const uint8_t kProof[] = {
452 0xd0, 0x05, 0xd6, 0xda, 0xaa, 0xd7, 0x57, 0x14, 0x14, 0xc1, 0xe0,
453 0xc7, 0x5f, 0x7e, 0x57, 0xf2, 0x11, 0x3c, 0xa9, 0xf4, 0x60, 0x4e,
454 0x84, 0xbc, 0x90, 0xf9, 0xbe, 0x52, 0xda, 0x89, 0x6f, 0xff, 0x3b,
455 0xee, 0x49, 0x6d, 0xcd, 0xe2, 0xa5, 0x78, 0xae, 0x9d, 0xf3, 0x15,
456 0x03, 0x25, 0x85, 0xf8, 0x01, 0xfb, 0x21, 0xc6, 0x08, 0x0a, 0xc0,
457 0x56, 0x72, 0xb2, 0x91, 0xe5, 0x75, 0xa4, 0x02, 0x95, 0xb3, 0x06,
458 0xd9, 0x67, 0x71, 0x7b, 0x28, 0xe0, 0x8f, 0xcc, 0x8a, 0xd1, 0xca,
459 0xb4, 0x78, 0x45, 0xd1, 0x6a, 0xf7, 0x3b, 0x3e, 0x64, 0x3d, 0xdc,
460 0xc1, 0x91, 0x20, 0x8e, 0x71, 0xc6, 0x46, 0x30
461 };
462
463 static const uint8_t kProofScalar[] = {
464 0x80, 0x3d, 0x95, 0x5f, 0x0e, 0x07, 0x3a, 0x04, 0xaa, 0x5d, 0x92, 0xb3,
465 0xfb, 0x73, 0x9f, 0x56, 0xf9, 0xdb, 0x00, 0x12, 0x66, 0x67, 0x7f, 0x62,
466 0xc0, 0x95, 0x02, 0x1d, 0xb0, 0x18, 0xcd, 0x8c, 0xbb, 0x55, 0x94, 0x1d,
467 0x40, 0x73, 0x69, 0x8c, 0xe4, 0x5c, 0x40, 0x5d, 0x13, 0x48, 0xb7, 0xb1
468 };
469
470 uint8_t blinded_buf[EC_MAX_UNCOMPRESSED];
471 size_t blinded_len;
472 ASSERT_TRUE(ec_point_uncompressed_from_compressed(
473 group, blinded_buf, &blinded_len, kBlindedElement,
474 sizeof(kBlindedElement)));
475
476 CBS sign_input;
477 CBS_init(&sign_input, blinded_buf, blinded_len);
478 bssl::ScopedCBB response;
479 ASSERT_TRUE(CBB_init(response.get(), 0));
480 ASSERT_TRUE(voprf_pst1_sign_with_proof_scalar_for_testing(
481 &key, response.get(), &sign_input, /*num_requested=*/1,
482 /*num_to_issue=*/1,
483 /*private_metadata=*/0, kProofScalar, sizeof(kProofScalar)));
484
485 uint8_t evaluated_buf[EC_MAX_UNCOMPRESSED];
486 size_t evaluated_len;
487 ASSERT_TRUE(ec_point_uncompressed_from_compressed(
488 group, evaluated_buf, &evaluated_len, kEvaluatedElement,
489 sizeof(kEvaluatedElement)));
490
491 bssl::ScopedCBB expected_response;
492 ASSERT_TRUE(CBB_init(expected_response.get(), 0));
493 ASSERT_TRUE(
494 CBB_add_bytes(expected_response.get(), evaluated_buf, evaluated_len));
495 ASSERT_TRUE(CBB_add_u16(expected_response.get(), sizeof(kProof)));
496 ASSERT_TRUE(CBB_add_bytes(expected_response.get(), kProof, sizeof(kProof)));
497 ASSERT_TRUE(CBB_flush(expected_response.get()));
498
499 ASSERT_EQ(Bytes(CBB_data(expected_response.get()),
500 CBB_len(expected_response.get())),
501 Bytes(CBB_data(response.get()), CBB_len(response.get())));
502 }
503
TEST(TrustTokenTest,PSTV1VOPRFTestVector3)504 TEST(TrustTokenTest, PSTV1VOPRFTestVector3) {
505 const EC_GROUP *group = EC_GROUP_new_by_curve_name(NID_secp384r1);
506 TRUST_TOKEN_ISSUER_KEY key;
507 ASSERT_TRUE(setup_voprf_test_key(group, &key));
508
509 static const uint8_t kBlindedElement1[] = {
510 0x02, 0xd3, 0x38, 0xc0, 0x5c, 0xbe, 0xcb, 0x82, 0xde, 0x13,
511 0xd6, 0x70, 0x0f, 0x09, 0xcb, 0x61, 0x19, 0x05, 0x43, 0xa7,
512 0xb7, 0xe2, 0xc6, 0xcd, 0x4f, 0xca, 0x56, 0x88, 0x7e, 0x56,
513 0x4e, 0xa8, 0x26, 0x53, 0xb2, 0x7f, 0xda, 0xd3, 0x83, 0x99,
514 0x5e, 0xa6, 0xd0, 0x2c, 0xf2, 0x6d, 0x0e, 0x24, 0xd9
515 };
516 static const uint8_t kBlindedElement2[] = {
517 0x02, 0xfa, 0x02, 0x47, 0x0d, 0x7f, 0x15, 0x10, 0x18, 0xb4,
518 0x1e, 0x82, 0x22, 0x3c, 0x32, 0xfa, 0xd8, 0x24, 0xde, 0x6a,
519 0xd4, 0xb5, 0xce, 0x9f, 0x8e, 0x9f, 0x98, 0x08, 0x3c, 0x9a,
520 0x72, 0x6d, 0xe9, 0xa1, 0xfc, 0x39, 0xd7, 0xa0, 0xcb, 0x6f,
521 0x4f, 0x18, 0x8d, 0xd9, 0xce, 0xa0, 0x14, 0x74, 0xcd
522 };
523
524 static const uint8_t kEvaluatedElement1[] = {
525 0x02, 0xa7, 0xbb, 0xa5, 0x89, 0xb3, 0xe8, 0x67, 0x2a, 0xa1,
526 0x9e, 0x8f, 0xd2, 0x58, 0xde, 0x2e, 0x6a, 0xae, 0x20, 0x10,
527 0x1c, 0x8d, 0x76, 0x12, 0x46, 0xde, 0x97, 0xa6, 0xb5, 0xee,
528 0x9c, 0xf1, 0x05, 0xfe, 0xbc, 0xe4, 0x32, 0x7a, 0x32, 0x62,
529 0x55, 0xa3, 0xc6, 0x04, 0xf6, 0x3f, 0x60, 0x0e, 0xf6
530 };
531
532 static const uint8_t kEvaluatedElement2[] = {
533 0x02, 0x8e, 0x9e, 0x11, 0x56, 0x25, 0xff, 0x4c, 0x2f, 0x07,
534 0xbf, 0x87, 0xce, 0x3f, 0xd7, 0x3f, 0xc7, 0x79, 0x94, 0xa7,
535 0xa0, 0xc1, 0xdf, 0x03, 0xd2, 0xa6, 0x30, 0xa3, 0xd8, 0x45,
536 0x93, 0x0e, 0x2e, 0x63, 0xa1, 0x65, 0xb1, 0x14, 0xd9, 0x8f,
537 0xe3, 0x4e, 0x61, 0xb6, 0x8d, 0x23, 0xc0, 0xb5, 0x0a
538 };
539
540 static const uint8_t kProof[] = {
541 0x6d, 0x8d, 0xcb, 0xd2, 0xfc, 0x95, 0x55, 0x0a, 0x02, 0x21, 0x1f,
542 0xb7, 0x8a, 0xfd, 0x01, 0x39, 0x33, 0xf3, 0x07, 0xd2, 0x1e, 0x7d,
543 0x85, 0x5b, 0x0b, 0x1e, 0xd0, 0xaf, 0x78, 0x07, 0x6d, 0x81, 0x37,
544 0xad, 0x8b, 0x0a, 0x1b, 0xfa, 0x05, 0x67, 0x6d, 0x32, 0x52, 0x49,
545 0xc1, 0xdb, 0xb9, 0xa5, 0x2b, 0xd8, 0x1b, 0x1c, 0x2b, 0x7b, 0x0e,
546 0xfc, 0x77, 0xcf, 0x7b, 0x27, 0x8e, 0x1c, 0x94, 0x7f, 0x62, 0x83,
547 0xf1, 0xd4, 0xc5, 0x13, 0x05, 0x3f, 0xc0, 0xad, 0x19, 0xe0, 0x26,
548 0xfb, 0x0c, 0x30, 0x65, 0x4b, 0x53, 0xd9, 0xce, 0xa4, 0xb8, 0x7b,
549 0x03, 0x72, 0x71, 0xb5, 0xd2, 0xe2, 0xd0, 0xea
550 };
551
552 static const uint8_t kProofScalar[] = {
553 0xa0, 0x97, 0xe7, 0x22, 0xed, 0x24, 0x27, 0xde, 0x86, 0x96,
554 0x69, 0x10, 0xac, 0xba, 0x9f, 0x5c, 0x35, 0x0e, 0x80, 0x40,
555 0xf8, 0x28, 0xbf, 0x6c, 0xec, 0xa2, 0x74, 0x05, 0x42, 0x0c,
556 0xdf, 0x3d, 0x63, 0xcb, 0x3a, 0xef, 0x00, 0x5f, 0x40, 0xba,
557 0x51, 0x94, 0x3c, 0x80, 0x26, 0x87, 0x79, 0x63
558 };
559
560 uint8_t blinded_buf[2*EC_MAX_UNCOMPRESSED];
561 size_t blinded_len;
562 ASSERT_TRUE(ec_point_uncompressed_from_compressed(
563 group, blinded_buf, &blinded_len, kBlindedElement1,
564 sizeof(kBlindedElement1)));
565 size_t offset = blinded_len;
566 ASSERT_TRUE(ec_point_uncompressed_from_compressed(
567 group, blinded_buf + offset, &blinded_len, kBlindedElement2,
568 sizeof(kBlindedElement2)));
569
570 CBS sign_input;
571 CBS_init(&sign_input, blinded_buf, offset + blinded_len);
572 bssl::ScopedCBB response;
573 ASSERT_TRUE(CBB_init(response.get(), 0));
574 ASSERT_TRUE(voprf_pst1_sign_with_proof_scalar_for_testing(
575 &key, response.get(), &sign_input, /*num_requested=*/2,
576 /*num_to_issue=*/2,
577 /*private_metadata=*/0, kProofScalar, sizeof(kProofScalar)));
578
579 uint8_t evaluated_buf[2 * EC_MAX_UNCOMPRESSED];
580 size_t evaluated_len;
581 ASSERT_TRUE(ec_point_uncompressed_from_compressed(
582 group, evaluated_buf, &evaluated_len, kEvaluatedElement1,
583 sizeof(kEvaluatedElement1)));
584 offset = evaluated_len;
585 ASSERT_TRUE(ec_point_uncompressed_from_compressed(
586 group, evaluated_buf + offset, &evaluated_len, kEvaluatedElement2,
587 sizeof(kEvaluatedElement2)));
588
589 bssl::ScopedCBB expected_response;
590 ASSERT_TRUE(CBB_init(expected_response.get(), 0));
591 ASSERT_TRUE(CBB_add_bytes(expected_response.get(), evaluated_buf,
592 offset + evaluated_len));
593 ASSERT_TRUE(CBB_add_u16(expected_response.get(), sizeof(kProof)));
594 ASSERT_TRUE(CBB_add_bytes(expected_response.get(), kProof, sizeof(kProof)));
595 ASSERT_TRUE(CBB_flush(expected_response.get()));
596
597 ASSERT_EQ(Bytes(CBB_data(expected_response.get()),
598 CBB_len(expected_response.get())),
599 Bytes(CBB_data(response.get()), CBB_len(response.get())));
600 }
601
AllMethods()602 static std::vector<const TRUST_TOKEN_METHOD *> AllMethods() {
603 return {
604 TRUST_TOKEN_experiment_v1(),
605 TRUST_TOKEN_experiment_v2_voprf(),
606 TRUST_TOKEN_experiment_v2_pmb(),
607 TRUST_TOKEN_pst_v1_voprf(),
608 TRUST_TOKEN_pst_v1_pmb()
609 };
610 }
611
612 class TrustTokenProtocolTestBase : public ::testing::Test {
613 public:
TrustTokenProtocolTestBase(const TRUST_TOKEN_METHOD * method_arg,bool use_msg)614 explicit TrustTokenProtocolTestBase(const TRUST_TOKEN_METHOD *method_arg,
615 bool use_msg)
616 : method_(method_arg), use_msg_(use_msg) {}
617
618 // KeyID returns the key ID associated with key index |i|.
KeyID(size_t i)619 static uint32_t KeyID(size_t i) {
620 assert(i <= UINT32_MAX);
621 // Use a different value from the indices to that we do not mix them up.
622 return static_cast<uint32_t>(7 + i);
623 }
624
method() const625 const TRUST_TOKEN_METHOD *method() const { return method_; }
626
use_message() const627 bool use_message() const { return use_msg_; }
628
629 protected:
SetupContexts()630 void SetupContexts() {
631 client.reset(TRUST_TOKEN_CLIENT_new(method(), client_max_batchsize));
632 ASSERT_TRUE(client);
633 issuer.reset(TRUST_TOKEN_ISSUER_new(method(), issuer_max_batchsize));
634 ASSERT_TRUE(issuer);
635
636 for (size_t i = 0; i < method()->max_keys; i++) {
637 uint8_t priv_key[TRUST_TOKEN_MAX_PRIVATE_KEY_SIZE];
638 uint8_t pub_key[TRUST_TOKEN_MAX_PUBLIC_KEY_SIZE];
639 size_t priv_key_len, pub_key_len, key_index;
640 ASSERT_TRUE(TRUST_TOKEN_generate_key(
641 method(), priv_key, &priv_key_len, TRUST_TOKEN_MAX_PRIVATE_KEY_SIZE,
642 pub_key, &pub_key_len, TRUST_TOKEN_MAX_PUBLIC_KEY_SIZE, KeyID(i)));
643 ASSERT_TRUE(TRUST_TOKEN_CLIENT_add_key(client.get(), &key_index, pub_key,
644 pub_key_len));
645 ASSERT_EQ(i, key_index);
646 ASSERT_TRUE(
647 TRUST_TOKEN_ISSUER_add_key(issuer.get(), priv_key, priv_key_len));
648 }
649
650 uint8_t public_key[32], private_key[64];
651 ED25519_keypair(public_key, private_key);
652 bssl::UniquePtr<EVP_PKEY> priv(EVP_PKEY_new_raw_private_key(
653 EVP_PKEY_ED25519, nullptr, private_key, 32));
654 ASSERT_TRUE(priv);
655 bssl::UniquePtr<EVP_PKEY> pub(
656 EVP_PKEY_new_raw_public_key(EVP_PKEY_ED25519, nullptr, public_key, 32));
657 ASSERT_TRUE(pub);
658
659 TRUST_TOKEN_CLIENT_set_srr_key(client.get(), pub.get());
660 TRUST_TOKEN_ISSUER_set_srr_key(issuer.get(), priv.get());
661 RAND_bytes(metadata_key, sizeof(metadata_key));
662 ASSERT_TRUE(TRUST_TOKEN_ISSUER_set_metadata_key(issuer.get(), metadata_key,
663 sizeof(metadata_key)));
664 }
665
666 const TRUST_TOKEN_METHOD *method_;
667 bool use_msg_;
668 uint16_t client_max_batchsize = 10;
669 uint16_t issuer_max_batchsize = 10;
670 bssl::UniquePtr<TRUST_TOKEN_CLIENT> client;
671 bssl::UniquePtr<TRUST_TOKEN_ISSUER> issuer;
672 uint8_t metadata_key[32];
673 };
674
675 class TrustTokenProtocolTest
676 : public TrustTokenProtocolTestBase,
677 public testing::WithParamInterface<
678 std::tuple<const TRUST_TOKEN_METHOD *, bool>> {
679 public:
TrustTokenProtocolTest()680 TrustTokenProtocolTest()
681 : TrustTokenProtocolTestBase(std::get<0>(GetParam()),
682 std::get<1>(GetParam())) {}
683 };
684
685 INSTANTIATE_TEST_SUITE_P(TrustTokenAllProtocolTest, TrustTokenProtocolTest,
686 testing::Combine(testing::ValuesIn(AllMethods()),
687 testing::Bool()));
688
TEST_P(TrustTokenProtocolTest,InvalidToken)689 TEST_P(TrustTokenProtocolTest, InvalidToken) {
690 ASSERT_NO_FATAL_FAILURE(SetupContexts());
691
692 uint8_t *issue_msg = NULL, *issue_resp = NULL;
693 size_t msg_len, resp_len;
694
695 size_t key_index;
696 size_t tokens_issued;
697 if (use_message()) {
698 ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_issuance_over_message(
699 client.get(), &issue_msg, &msg_len, 1, kMessage, sizeof(kMessage)));
700 } else {
701 ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_issuance(client.get(), &issue_msg,
702 &msg_len, 1));
703 }
704 bssl::UniquePtr<uint8_t> free_issue_msg(issue_msg);
705 ASSERT_TRUE(TRUST_TOKEN_ISSUER_issue(
706 issuer.get(), &issue_resp, &resp_len, &tokens_issued, issue_msg, msg_len,
707 /*public_metadata=*/KeyID(0), /*private_metadata=*/0,
708 /*max_issuance=*/10));
709 bssl::UniquePtr<uint8_t> free_msg(issue_resp);
710 bssl::UniquePtr<STACK_OF(TRUST_TOKEN)> tokens(
711 TRUST_TOKEN_CLIENT_finish_issuance(client.get(), &key_index, issue_resp,
712 resp_len));
713 ASSERT_TRUE(tokens);
714
715 for (TRUST_TOKEN *token : tokens.get()) {
716 // Corrupt the token.
717 token->data[0] ^= 0x42;
718
719 uint8_t *redeem_msg = NULL, *redeem_resp = NULL;
720 ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_redemption(
721 client.get(), &redeem_msg, &msg_len, token, NULL, 0, 0));
722 bssl::UniquePtr<uint8_t> free_redeem_msg(redeem_msg);
723 uint32_t public_value;
724 uint8_t private_value;
725 TRUST_TOKEN *rtoken;
726 uint8_t *client_data;
727 size_t client_data_len;
728 if (use_message()) {
729 ASSERT_FALSE(TRUST_TOKEN_ISSUER_redeem_over_message(
730 issuer.get(), &public_value, &private_value, &rtoken, &client_data,
731 &client_data_len, redeem_msg, msg_len, kMessage, sizeof(kMessage)));
732 } else {
733 ASSERT_FALSE(TRUST_TOKEN_ISSUER_redeem(
734 issuer.get(), &public_value, &private_value, &rtoken, &client_data,
735 &client_data_len, redeem_msg, msg_len));
736 }
737 bssl::UniquePtr<uint8_t> free_redeem_resp(redeem_resp);
738 }
739 }
740
TEST_P(TrustTokenProtocolTest,TruncatedIssuanceRequest)741 TEST_P(TrustTokenProtocolTest, TruncatedIssuanceRequest) {
742 ASSERT_NO_FATAL_FAILURE(SetupContexts());
743
744 uint8_t *issue_msg = NULL, *issue_resp = NULL;
745 size_t msg_len, resp_len;
746 if (use_message()) {
747 ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_issuance_over_message(
748 client.get(), &issue_msg, &msg_len, 10, kMessage, sizeof(kMessage)));
749 } else {
750 ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_issuance(client.get(), &issue_msg,
751 &msg_len, 10));
752 }
753 bssl::UniquePtr<uint8_t> free_issue_msg(issue_msg);
754 msg_len = 10;
755 size_t tokens_issued;
756 ASSERT_FALSE(TRUST_TOKEN_ISSUER_issue(
757 issuer.get(), &issue_resp, &resp_len, &tokens_issued, issue_msg, msg_len,
758 /*public_metadata=*/KeyID(0), /*private_metadata=*/0,
759 /*max_issuance=*/10));
760 bssl::UniquePtr<uint8_t> free_msg(issue_resp);
761 }
762
TEST_P(TrustTokenProtocolTest,TruncatedIssuanceResponse)763 TEST_P(TrustTokenProtocolTest, TruncatedIssuanceResponse) {
764 ASSERT_NO_FATAL_FAILURE(SetupContexts());
765
766 uint8_t *issue_msg = NULL, *issue_resp = NULL;
767 size_t msg_len, resp_len;
768 if (use_message()) {
769 ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_issuance_over_message(
770 client.get(), &issue_msg, &msg_len, 10, kMessage, sizeof(kMessage)));
771 } else {
772 ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_issuance(client.get(), &issue_msg,
773 &msg_len, 10));
774 }
775 bssl::UniquePtr<uint8_t> free_issue_msg(issue_msg);
776 size_t tokens_issued;
777 ASSERT_TRUE(TRUST_TOKEN_ISSUER_issue(
778 issuer.get(), &issue_resp, &resp_len, &tokens_issued, issue_msg, msg_len,
779 /*public_metadata=*/KeyID(0), /*private_metadata=*/0,
780 /*max_issuance=*/10));
781 bssl::UniquePtr<uint8_t> free_msg(issue_resp);
782 resp_len = 10;
783 size_t key_index;
784 bssl::UniquePtr<STACK_OF(TRUST_TOKEN)> tokens(
785 TRUST_TOKEN_CLIENT_finish_issuance(client.get(), &key_index, issue_resp,
786 resp_len));
787 ASSERT_FALSE(tokens);
788 }
789
TEST_P(TrustTokenProtocolTest,ExtraDataIssuanceResponse)790 TEST_P(TrustTokenProtocolTest, ExtraDataIssuanceResponse) {
791 ASSERT_NO_FATAL_FAILURE(SetupContexts());
792
793 uint8_t *request = NULL, *response = NULL;
794 size_t request_len, response_len;
795 if (use_message()) {
796 ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_issuance_over_message(
797 client.get(), &request, &request_len, 10, kMessage, sizeof(kMessage)));
798 } else {
799 ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_issuance(client.get(), &request,
800 &request_len, 10));
801 }
802 bssl::UniquePtr<uint8_t> free_request(request);
803 size_t tokens_issued;
804 ASSERT_TRUE(TRUST_TOKEN_ISSUER_issue(issuer.get(), &response, &response_len,
805 &tokens_issued, request, request_len,
806 /*public_metadata=*/KeyID(0),
807 /*private_metadata=*/0,
808 /*max_issuance=*/10));
809 bssl::UniquePtr<uint8_t> free_response(response);
810 std::vector<uint8_t> response2(response, response + response_len);
811 response2.push_back(0);
812 size_t key_index;
813 bssl::UniquePtr<STACK_OF(TRUST_TOKEN)> tokens(
814 TRUST_TOKEN_CLIENT_finish_issuance(client.get(), &key_index,
815 response2.data(), response2.size()));
816 ASSERT_FALSE(tokens);
817 }
818
TEST_P(TrustTokenProtocolTest,TruncatedRedemptionRequest)819 TEST_P(TrustTokenProtocolTest, TruncatedRedemptionRequest) {
820 ASSERT_NO_FATAL_FAILURE(SetupContexts());
821
822 uint8_t *issue_msg = NULL, *issue_resp = NULL;
823 size_t msg_len, resp_len;
824 if (use_message()) {
825 ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_issuance_over_message(
826 client.get(), &issue_msg, &msg_len, 10, kMessage, sizeof(kMessage)));
827 } else {
828 ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_issuance(client.get(), &issue_msg,
829 &msg_len, 10));
830 }
831 bssl::UniquePtr<uint8_t> free_issue_msg(issue_msg);
832 size_t tokens_issued;
833 ASSERT_TRUE(TRUST_TOKEN_ISSUER_issue(
834 issuer.get(), &issue_resp, &resp_len, &tokens_issued, issue_msg, msg_len,
835 /*public_metadata=*/KeyID(0), /*private_metadata=*/0,
836 /*max_issuance=*/10));
837 bssl::UniquePtr<uint8_t> free_msg(issue_resp);
838 size_t key_index;
839 bssl::UniquePtr<STACK_OF(TRUST_TOKEN)> tokens(
840 TRUST_TOKEN_CLIENT_finish_issuance(client.get(), &key_index, issue_resp,
841 resp_len));
842 ASSERT_TRUE(tokens);
843
844 for (TRUST_TOKEN *token : tokens.get()) {
845 const uint8_t kClientData[] = "\x70TEST CLIENT DATA";
846 uint64_t kRedemptionTime = (method()->has_srr ? 13374242 : 0);
847
848 uint8_t *redeem_msg = NULL;
849 ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_redemption(
850 client.get(), &redeem_msg, &msg_len, token, kClientData,
851 sizeof(kClientData) - 1, kRedemptionTime));
852 bssl::UniquePtr<uint8_t> free_redeem_msg(redeem_msg);
853 msg_len = 10;
854
855 uint32_t public_value;
856 uint8_t private_value;
857 TRUST_TOKEN *rtoken;
858 uint8_t *client_data;
859 size_t client_data_len;
860 if (use_message()) {
861 ASSERT_FALSE(TRUST_TOKEN_ISSUER_redeem_over_message(
862 issuer.get(), &public_value, &private_value, &rtoken, &client_data,
863 &client_data_len, redeem_msg, msg_len, kMessage, sizeof(kMessage)));
864 } else {
865 ASSERT_FALSE(TRUST_TOKEN_ISSUER_redeem(
866 issuer.get(), &public_value, &private_value, &rtoken, &client_data,
867 &client_data_len, redeem_msg, msg_len));
868 }
869 }
870 }
871
TEST_P(TrustTokenProtocolTest,IssuedWithBadKeyID)872 TEST_P(TrustTokenProtocolTest, IssuedWithBadKeyID) {
873 client.reset(TRUST_TOKEN_CLIENT_new(method(), client_max_batchsize));
874 ASSERT_TRUE(client);
875 issuer.reset(TRUST_TOKEN_ISSUER_new(method(), issuer_max_batchsize));
876 ASSERT_TRUE(issuer);
877
878 // We configure the client and the issuer with different key IDs and test
879 // that the client notices.
880 const uint32_t kClientKeyID = 0;
881 const uint32_t kIssuerKeyID = 42;
882
883 uint8_t priv_key[TRUST_TOKEN_MAX_PRIVATE_KEY_SIZE];
884 uint8_t pub_key[TRUST_TOKEN_MAX_PUBLIC_KEY_SIZE];
885 size_t priv_key_len, pub_key_len, key_index;
886 ASSERT_TRUE(TRUST_TOKEN_generate_key(
887 method(), priv_key, &priv_key_len, TRUST_TOKEN_MAX_PRIVATE_KEY_SIZE,
888 pub_key, &pub_key_len, TRUST_TOKEN_MAX_PUBLIC_KEY_SIZE, kClientKeyID));
889 ASSERT_TRUE(TRUST_TOKEN_CLIENT_add_key(client.get(), &key_index, pub_key,
890 pub_key_len));
891 ASSERT_EQ(0UL, key_index);
892
893 ASSERT_TRUE(TRUST_TOKEN_generate_key(
894 method(), priv_key, &priv_key_len, TRUST_TOKEN_MAX_PRIVATE_KEY_SIZE,
895 pub_key, &pub_key_len, TRUST_TOKEN_MAX_PUBLIC_KEY_SIZE, kIssuerKeyID));
896 ASSERT_TRUE(TRUST_TOKEN_ISSUER_add_key(issuer.get(), priv_key, priv_key_len));
897
898
899 uint8_t public_key[32], private_key[64];
900 ED25519_keypair(public_key, private_key);
901 bssl::UniquePtr<EVP_PKEY> priv(
902 EVP_PKEY_new_raw_private_key(EVP_PKEY_ED25519, nullptr, private_key, 32));
903 ASSERT_TRUE(priv);
904 bssl::UniquePtr<EVP_PKEY> pub(
905 EVP_PKEY_new_raw_public_key(EVP_PKEY_ED25519, nullptr, public_key, 32));
906 ASSERT_TRUE(pub);
907
908 TRUST_TOKEN_CLIENT_set_srr_key(client.get(), pub.get());
909 TRUST_TOKEN_ISSUER_set_srr_key(issuer.get(), priv.get());
910 RAND_bytes(metadata_key, sizeof(metadata_key));
911 ASSERT_TRUE(TRUST_TOKEN_ISSUER_set_metadata_key(issuer.get(), metadata_key,
912 sizeof(metadata_key)));
913
914
915 uint8_t *issue_msg = NULL, *issue_resp = NULL;
916 size_t msg_len, resp_len;
917 if (use_message()) {
918 ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_issuance_over_message(
919 client.get(), &issue_msg, &msg_len, 10, kMessage, sizeof(kMessage)));
920 } else {
921 ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_issuance(client.get(), &issue_msg,
922 &msg_len, 10));
923 }
924 bssl::UniquePtr<uint8_t> free_issue_msg(issue_msg);
925 size_t tokens_issued;
926 ASSERT_TRUE(TRUST_TOKEN_ISSUER_issue(
927 issuer.get(), &issue_resp, &resp_len, &tokens_issued, issue_msg, msg_len,
928 /*public_metadata=*/42, /*private_metadata=*/0, /*max_issuance=*/10));
929 bssl::UniquePtr<uint8_t> free_msg(issue_resp);
930 bssl::UniquePtr<STACK_OF(TRUST_TOKEN)> tokens(
931 TRUST_TOKEN_CLIENT_finish_issuance(client.get(), &key_index, issue_resp,
932 resp_len));
933 ASSERT_FALSE(tokens);
934 }
935
936 class TrustTokenMetadataTest
937 : public TrustTokenProtocolTestBase,
938 public testing::WithParamInterface<
939 std::tuple<const TRUST_TOKEN_METHOD *, bool, int, bool>> {
940 public:
TrustTokenMetadataTest()941 TrustTokenMetadataTest()
942 : TrustTokenProtocolTestBase(std::get<0>(GetParam()),
943 std::get<1>(GetParam())) {}
944
public_metadata()945 int public_metadata() { return std::get<2>(GetParam()); }
private_metadata()946 bool private_metadata() { return std::get<3>(GetParam()); }
947 };
948
TEST_P(TrustTokenMetadataTest,SetAndGetMetadata)949 TEST_P(TrustTokenMetadataTest, SetAndGetMetadata) {
950 ASSERT_NO_FATAL_FAILURE(SetupContexts());
951
952 uint8_t *issue_msg = NULL, *issue_resp = NULL;
953 size_t msg_len, resp_len;
954 if (use_message()) {
955 ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_issuance_over_message(
956 client.get(), &issue_msg, &msg_len, 10, kMessage, sizeof(kMessage)));
957 } else {
958 ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_issuance(client.get(), &issue_msg,
959 &msg_len, 10));
960 }
961 bssl::UniquePtr<uint8_t> free_issue_msg(issue_msg);
962 size_t tokens_issued;
963 bool result = TRUST_TOKEN_ISSUER_issue(
964 issuer.get(), &issue_resp, &resp_len, &tokens_issued, issue_msg, msg_len,
965 public_metadata(), private_metadata(), /*max_issuance=*/1);
966 if (!method()->has_private_metadata && private_metadata()) {
967 ASSERT_FALSE(result);
968 return;
969 }
970 ASSERT_TRUE(result);
971 bssl::UniquePtr<uint8_t> free_msg(issue_resp);
972 size_t key_index;
973 bssl::UniquePtr<STACK_OF(TRUST_TOKEN)> tokens(
974 TRUST_TOKEN_CLIENT_finish_issuance(client.get(), &key_index, issue_resp,
975 resp_len));
976 ASSERT_TRUE(tokens);
977 EXPECT_EQ(1u, sk_TRUST_TOKEN_num(tokens.get()));
978
979 for (TRUST_TOKEN *token : tokens.get()) {
980 const uint8_t kClientData[] = "\x70TEST CLIENT DATA";
981 uint64_t kRedemptionTime = (method()->has_srr ? 13374242 : 0);
982
983 uint8_t *redeem_msg = NULL;
984 ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_redemption(
985 client.get(), &redeem_msg, &msg_len, token, kClientData,
986 sizeof(kClientData) - 1, kRedemptionTime));
987 bssl::UniquePtr<uint8_t> free_redeem_msg(redeem_msg);
988 uint32_t public_value;
989 uint8_t private_value;
990 TRUST_TOKEN *rtoken;
991 uint8_t *client_data;
992 size_t client_data_len;
993 if (use_message()) {
994 ASSERT_TRUE(TRUST_TOKEN_ISSUER_redeem_over_message(
995 issuer.get(), &public_value, &private_value, &rtoken, &client_data,
996 &client_data_len, redeem_msg, msg_len, kMessage, sizeof(kMessage)));
997 } else {
998 ASSERT_TRUE(TRUST_TOKEN_ISSUER_redeem(
999 issuer.get(), &public_value, &private_value, &rtoken, &client_data,
1000 &client_data_len, redeem_msg, msg_len));
1001 }
1002 bssl::UniquePtr<uint8_t> free_client_data(client_data);
1003 bssl::UniquePtr<TRUST_TOKEN> free_rtoken(rtoken);
1004
1005 ASSERT_EQ(Bytes(kClientData, sizeof(kClientData) - 1),
1006 Bytes(client_data, client_data_len));
1007 ASSERT_EQ(public_value, static_cast<uint32_t>(public_metadata()));
1008 ASSERT_EQ(private_value, private_metadata());
1009 }
1010 }
1011
TEST_P(TrustTokenMetadataTest,TooManyRequests)1012 TEST_P(TrustTokenMetadataTest, TooManyRequests) {
1013 if (!method()->has_private_metadata && private_metadata()) {
1014 return;
1015 }
1016
1017 issuer_max_batchsize = 1;
1018 ASSERT_NO_FATAL_FAILURE(SetupContexts());
1019
1020 uint8_t *issue_msg = NULL, *issue_resp = NULL;
1021 size_t msg_len, resp_len;
1022 if (use_message()) {
1023 ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_issuance_over_message(
1024 client.get(), &issue_msg, &msg_len, 10, kMessage, sizeof(kMessage)));
1025 } else {
1026 ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_issuance(client.get(), &issue_msg,
1027 &msg_len, 10));
1028 }
1029 bssl::UniquePtr<uint8_t> free_issue_msg(issue_msg);
1030 size_t tokens_issued;
1031 ASSERT_TRUE(TRUST_TOKEN_ISSUER_issue(
1032 issuer.get(), &issue_resp, &resp_len, &tokens_issued, issue_msg, msg_len,
1033 public_metadata(), private_metadata(), /*max_issuance=*/1));
1034 bssl::UniquePtr<uint8_t> free_msg(issue_resp);
1035 ASSERT_EQ(tokens_issued, issuer_max_batchsize);
1036 size_t key_index;
1037 bssl::UniquePtr<STACK_OF(TRUST_TOKEN)> tokens(
1038 TRUST_TOKEN_CLIENT_finish_issuance(client.get(), &key_index, issue_resp,
1039 resp_len));
1040 ASSERT_TRUE(tokens);
1041 ASSERT_EQ(sk_TRUST_TOKEN_num(tokens.get()), 1UL);
1042 }
1043
1044
TEST_P(TrustTokenMetadataTest,TruncatedProof)1045 TEST_P(TrustTokenMetadataTest, TruncatedProof) {
1046 if (!method()->has_private_metadata && private_metadata()) {
1047 return;
1048 }
1049
1050 ASSERT_NO_FATAL_FAILURE(SetupContexts());
1051
1052 uint8_t *issue_msg = NULL, *issue_resp = NULL;
1053 size_t msg_len, resp_len;
1054 if (use_message()) {
1055 ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_issuance_over_message(
1056 client.get(), &issue_msg, &msg_len, 10, kMessage, sizeof(kMessage)));
1057 } else {
1058 ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_issuance(client.get(), &issue_msg,
1059 &msg_len, 10));
1060 }
1061 bssl::UniquePtr<uint8_t> free_issue_msg(issue_msg);
1062 size_t tokens_issued;
1063 ASSERT_TRUE(TRUST_TOKEN_ISSUER_issue(
1064 issuer.get(), &issue_resp, &resp_len, &tokens_issued, issue_msg, msg_len,
1065 public_metadata(), private_metadata(), /*max_issuance=*/1));
1066 bssl::UniquePtr<uint8_t> free_msg(issue_resp);
1067
1068 CBS real_response;
1069 CBS_init(&real_response, issue_resp, resp_len);
1070 uint16_t count;
1071 uint32_t parsed_public_metadata;
1072 bssl::ScopedCBB bad_response;
1073 ASSERT_TRUE(CBB_init(bad_response.get(), 0));
1074 ASSERT_TRUE(CBS_get_u16(&real_response, &count));
1075 ASSERT_TRUE(CBB_add_u16(bad_response.get(), count));
1076 ASSERT_TRUE(CBS_get_u32(&real_response, &parsed_public_metadata));
1077 ASSERT_TRUE(CBB_add_u32(bad_response.get(), parsed_public_metadata));
1078
1079 const size_t kP384PointLen = 1 + 2 * (384 / 8);
1080 size_t token_length = TRUST_TOKEN_NONCE_SIZE + 2 * kP384PointLen;
1081 if (method() == TRUST_TOKEN_experiment_v1()) {
1082 token_length += 4;
1083 }
1084 if (method() == TRUST_TOKEN_experiment_v2_voprf() ||
1085 method() == TRUST_TOKEN_pst_v1_voprf()) {
1086 token_length = kP384PointLen;
1087 }
1088 for (size_t i = 0; i < count; i++) {
1089 ASSERT_TRUE(CBB_add_bytes(bad_response.get(), CBS_data(&real_response),
1090 token_length));
1091 ASSERT_TRUE(CBS_skip(&real_response, token_length));
1092 }
1093
1094 CBS tmp;
1095 ASSERT_TRUE(CBS_get_u16_length_prefixed(&real_response, &tmp));
1096 CBB dleq;
1097 ASSERT_TRUE(CBB_add_u16_length_prefixed(bad_response.get(), &dleq));
1098 ASSERT_TRUE(CBB_add_bytes(&dleq, CBS_data(&tmp), CBS_len(&tmp) - 2));
1099 ASSERT_TRUE(CBB_flush(bad_response.get()));
1100
1101 uint8_t *bad_buf;
1102 size_t bad_len;
1103 ASSERT_TRUE(CBB_finish(bad_response.get(), &bad_buf, &bad_len));
1104 bssl::UniquePtr<uint8_t> free_bad(bad_buf);
1105
1106 size_t key_index;
1107 bssl::UniquePtr<STACK_OF(TRUST_TOKEN)> tokens(
1108 TRUST_TOKEN_CLIENT_finish_issuance(client.get(), &key_index, bad_buf,
1109 bad_len));
1110 ASSERT_FALSE(tokens);
1111 }
1112
TEST_P(TrustTokenMetadataTest,ExcessDataProof)1113 TEST_P(TrustTokenMetadataTest, ExcessDataProof) {
1114 if (!method()->has_private_metadata && private_metadata()) {
1115 return;
1116 }
1117
1118 ASSERT_NO_FATAL_FAILURE(SetupContexts());
1119
1120 uint8_t *issue_msg = NULL, *issue_resp = NULL;
1121 size_t msg_len, resp_len;
1122 if (use_message()) {
1123 ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_issuance_over_message(
1124 client.get(), &issue_msg, &msg_len, 10, kMessage, sizeof(kMessage)));
1125 } else {
1126 ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_issuance(client.get(), &issue_msg,
1127 &msg_len, 10));
1128 }
1129 bssl::UniquePtr<uint8_t> free_issue_msg(issue_msg);
1130 size_t tokens_issued;
1131 ASSERT_TRUE(TRUST_TOKEN_ISSUER_issue(
1132 issuer.get(), &issue_resp, &resp_len, &tokens_issued, issue_msg, msg_len,
1133 public_metadata(), private_metadata(), /*max_issuance=*/1));
1134 bssl::UniquePtr<uint8_t> free_msg(issue_resp);
1135
1136 CBS real_response;
1137 CBS_init(&real_response, issue_resp, resp_len);
1138 uint16_t count;
1139 uint32_t parsed_public_metadata;
1140 bssl::ScopedCBB bad_response;
1141 ASSERT_TRUE(CBB_init(bad_response.get(), 0));
1142 ASSERT_TRUE(CBS_get_u16(&real_response, &count));
1143 ASSERT_TRUE(CBB_add_u16(bad_response.get(), count));
1144 ASSERT_TRUE(CBS_get_u32(&real_response, &parsed_public_metadata));
1145 ASSERT_TRUE(CBB_add_u32(bad_response.get(), parsed_public_metadata));
1146
1147 const size_t kP384PointLen = 1 + 2 * (384 / 8);
1148 size_t token_length = TRUST_TOKEN_NONCE_SIZE + 2 * kP384PointLen;
1149 if (method() == TRUST_TOKEN_experiment_v1()) {
1150 token_length += 4;
1151 }
1152 if (method() == TRUST_TOKEN_experiment_v2_voprf() ||
1153 method() == TRUST_TOKEN_pst_v1_voprf()) {
1154 token_length = kP384PointLen;
1155 }
1156 for (size_t i = 0; i < count; i++) {
1157 ASSERT_TRUE(CBB_add_bytes(bad_response.get(), CBS_data(&real_response),
1158 token_length));
1159 ASSERT_TRUE(CBS_skip(&real_response, token_length));
1160 }
1161
1162 CBS tmp;
1163 ASSERT_TRUE(CBS_get_u16_length_prefixed(&real_response, &tmp));
1164 CBB dleq;
1165 ASSERT_TRUE(CBB_add_u16_length_prefixed(bad_response.get(), &dleq));
1166 ASSERT_TRUE(CBB_add_bytes(&dleq, CBS_data(&tmp), CBS_len(&tmp)));
1167 ASSERT_TRUE(CBB_add_u16(&dleq, 42));
1168 ASSERT_TRUE(CBB_flush(bad_response.get()));
1169
1170 uint8_t *bad_buf;
1171 size_t bad_len;
1172 ASSERT_TRUE(CBB_finish(bad_response.get(), &bad_buf, &bad_len));
1173 bssl::UniquePtr<uint8_t> free_bad(bad_buf);
1174
1175 size_t key_index;
1176 bssl::UniquePtr<STACK_OF(TRUST_TOKEN)> tokens(
1177 TRUST_TOKEN_CLIENT_finish_issuance(client.get(), &key_index, bad_buf,
1178 bad_len));
1179 ASSERT_FALSE(tokens);
1180 }
1181
1182 INSTANTIATE_TEST_SUITE_P(
1183 TrustTokenAllMetadataTest, TrustTokenMetadataTest,
1184 testing::Combine(testing::ValuesIn(AllMethods()),
1185 testing::Bool(),
1186 testing::Values(TrustTokenProtocolTest::KeyID(0),
1187 TrustTokenProtocolTest::KeyID(1),
1188 TrustTokenProtocolTest::KeyID(2)),
1189 testing::Bool()));
1190
1191 class TrustTokenBadKeyTest
1192 : public TrustTokenProtocolTestBase,
1193 public testing::WithParamInterface<
1194 std::tuple<const TRUST_TOKEN_METHOD *, bool, bool, int>> {
1195 public:
TrustTokenBadKeyTest()1196 TrustTokenBadKeyTest()
1197 : TrustTokenProtocolTestBase(std::get<0>(GetParam()),
1198 std::get<1>(GetParam())) {}
1199
private_metadata()1200 bool private_metadata() { return std::get<2>(GetParam()); }
corrupted_key()1201 int corrupted_key() { return std::get<3>(GetParam()); }
1202 };
1203
TEST_P(TrustTokenBadKeyTest,BadKey)1204 TEST_P(TrustTokenBadKeyTest, BadKey) {
1205 // For versions without private metadata, only corruptions of 'xs' (the 4th
1206 // entry in |scalars| below) result in a bad key, as the other scalars are
1207 // unused internally.
1208 if (!method()->has_private_metadata &&
1209 (private_metadata() || corrupted_key() != 4)) {
1210 return;
1211 }
1212
1213 ASSERT_NO_FATAL_FAILURE(SetupContexts());
1214
1215 uint8_t *issue_msg = NULL, *issue_resp = NULL;
1216 size_t msg_len, resp_len;
1217 if (use_message()) {
1218 ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_issuance_over_message(
1219 client.get(), &issue_msg, &msg_len, 10, kMessage, sizeof(kMessage)));
1220 } else {
1221 ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_issuance(client.get(), &issue_msg,
1222 &msg_len, 10));
1223 }
1224 bssl::UniquePtr<uint8_t> free_issue_msg(issue_msg);
1225
1226 struct trust_token_issuer_key_st *key = &issuer->keys[0];
1227 EC_SCALAR *scalars[] = {&key->key.x0, &key->key.y0, &key->key.x1,
1228 &key->key.y1, &key->key.xs, &key->key.ys};
1229
1230 // Corrupt private key scalar.
1231 scalars[corrupted_key()]->words[0] ^= 42;
1232
1233 size_t tokens_issued;
1234 ASSERT_TRUE(TRUST_TOKEN_ISSUER_issue(
1235 issuer.get(), &issue_resp, &resp_len, &tokens_issued, issue_msg, msg_len,
1236 /*public_metadata=*/7, private_metadata(), /*max_issuance=*/1));
1237 bssl::UniquePtr<uint8_t> free_msg(issue_resp);
1238 size_t key_index;
1239 bssl::UniquePtr<STACK_OF(TRUST_TOKEN)> tokens(
1240 TRUST_TOKEN_CLIENT_finish_issuance(client.get(), &key_index, issue_resp,
1241 resp_len));
1242
1243 // If the unused private key is corrupted, then the DLEQ proof should succeed.
1244 if ((corrupted_key() / 2 == 0 && private_metadata() == true) ||
1245 (corrupted_key() / 2 == 1 && private_metadata() == false)) {
1246 ASSERT_TRUE(tokens);
1247 } else {
1248 ASSERT_FALSE(tokens);
1249 }
1250 }
1251
1252 INSTANTIATE_TEST_SUITE_P(TrustTokenAllBadKeyTest, TrustTokenBadKeyTest,
1253 testing::Combine(testing::ValuesIn(AllMethods()),
1254 testing::Bool(),
1255 testing::Bool(),
1256 testing::Values(0, 1, 2, 3, 4, 5)));
1257
1258 } // namespace
1259 BSSL_NAMESPACE_END
1260