1 // Copyright 2021 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "crypto/unexportable_key.h"
6
7 #include <tuple>
8
9 #include <optional>
10 #include "base/logging.h"
11 #include "base/time/time.h"
12 #include "crypto/scoped_mock_unexportable_key_provider.h"
13 #include "testing/gtest/include/gtest/gtest.h"
14
15 namespace {
16
17 const crypto::SignatureVerifier::SignatureAlgorithm kAllAlgorithms[] = {
18 crypto::SignatureVerifier::SignatureAlgorithm::ECDSA_SHA256,
19 crypto::SignatureVerifier::SignatureAlgorithm::RSA_PKCS1_SHA256,
20 };
21
22 class UnexportableKeySigningTest
23 : public testing::TestWithParam<
24 std::tuple<crypto::SignatureVerifier::SignatureAlgorithm, bool>> {};
25
26 INSTANTIATE_TEST_SUITE_P(All,
27 UnexportableKeySigningTest,
28 testing::Combine(testing::ValuesIn(kAllAlgorithms),
29 testing::Bool()));
30
TEST_P(UnexportableKeySigningTest,RoundTrip)31 TEST_P(UnexportableKeySigningTest, RoundTrip) {
32 const crypto::SignatureVerifier::SignatureAlgorithm algo =
33 std::get<0>(GetParam());
34 const bool mock_enabled = std::get<1>(GetParam());
35
36 switch (algo) {
37 case crypto::SignatureVerifier::SignatureAlgorithm::ECDSA_SHA256:
38 LOG(INFO) << "ECDSA P-256, mock=" << mock_enabled;
39 break;
40 case crypto::SignatureVerifier::SignatureAlgorithm::RSA_PKCS1_SHA256:
41 LOG(INFO) << "RSA, mock=" << mock_enabled;
42 break;
43 default:
44 ASSERT_TRUE(false);
45 }
46
47 SCOPED_TRACE(static_cast<int>(algo));
48 SCOPED_TRACE(mock_enabled);
49
50 std::optional<crypto::ScopedMockUnexportableKeyProvider> mock;
51 if (mock_enabled) {
52 mock.emplace();
53 }
54
55 const crypto::SignatureVerifier::SignatureAlgorithm algorithms[] = {algo};
56
57 std::unique_ptr<crypto::UnexportableKeyProvider> provider =
58 crypto::GetUnexportableKeyProvider();
59 if (!provider) {
60 LOG(INFO) << "Skipping test because of lack of hardware support.";
61 return;
62 }
63
64 if (!provider->SelectAlgorithm(algorithms)) {
65 LOG(INFO) << "Skipping test because of lack of support for this key type.";
66 return;
67 }
68
69 const base::TimeTicks generate_start = base::TimeTicks::Now();
70 std::unique_ptr<crypto::UnexportableSigningKey> key =
71 provider->GenerateSigningKeySlowly(algorithms);
72 ASSERT_TRUE(key);
73 LOG(INFO) << "Generation took " << (base::TimeTicks::Now() - generate_start);
74
75 ASSERT_EQ(key->Algorithm(), algo);
76 const std::vector<uint8_t> wrapped = key->GetWrappedKey();
77 const std::vector<uint8_t> spki = key->GetSubjectPublicKeyInfo();
78 const uint8_t msg[] = {1, 2, 3, 4};
79
80 const base::TimeTicks sign_start = base::TimeTicks::Now();
81 const std::optional<std::vector<uint8_t>> sig = key->SignSlowly(msg);
82 LOG(INFO) << "Signing took " << (base::TimeTicks::Now() - sign_start);
83 ASSERT_TRUE(sig);
84
85 crypto::SignatureVerifier verifier;
86 ASSERT_TRUE(verifier.VerifyInit(algo, *sig, spki));
87 verifier.VerifyUpdate(msg);
88 ASSERT_TRUE(verifier.VerifyFinal());
89
90 const base::TimeTicks import2_start = base::TimeTicks::Now();
91 std::unique_ptr<crypto::UnexportableSigningKey> key2 =
92 provider->FromWrappedSigningKeySlowly(wrapped);
93 ASSERT_TRUE(key2);
94 LOG(INFO) << "Import took " << (base::TimeTicks::Now() - import2_start);
95
96 const base::TimeTicks sign2_start = base::TimeTicks::Now();
97 const std::optional<std::vector<uint8_t>> sig2 = key->SignSlowly(msg);
98 LOG(INFO) << "Signing took " << (base::TimeTicks::Now() - sign2_start);
99 ASSERT_TRUE(sig2);
100
101 crypto::SignatureVerifier verifier2;
102 ASSERT_TRUE(verifier2.VerifyInit(algo, *sig2, spki));
103 verifier2.VerifyUpdate(msg);
104 ASSERT_TRUE(verifier2.VerifyFinal());
105 }
106 } // namespace
107