author | wconner <wconner@google.com> | 2023-08-08 05:46:20 -0700 |
committer | Copybara-Service <copybara-worker@google.com> | 2023-08-08 05:47:38 -0700 |
commit | 910ca26d415377832177ea5a9dc6c86882a8dddd (patch) | |
tree | 8f6c778bb62776ee12c3fc73e6f2d0c959f2a0a1 | |
parent | d43eeeb2a63be3e1f2e1b608c8cd278b51e04f58 (diff) | |
download | tink-910ca26d415377832177ea5a9dc6c86882a8dddd.tar.gz |
Register Ed25519 proto serialization.
PiperOrigin-RevId: 554793018
-rw-r--r-- | cc/signature/BUILD.bazel | 18 | ||||
-rw-r--r-- | cc/signature/CMakeLists.txt | 18 | ||||
-rw-r--r-- | cc/signature/signature_config.cc | 4 | ||||
-rw-r--r-- | cc/signature/signature_config_test.cc | 186 |
4 files changed, 225 insertions, 1 deletions
diff --git a/cc/signature/BUILD.bazel b/cc/signature/BUILD.bazel
index fed82d4d4..e5d48a1e9 100644
--- a/cc/signature/BUILD.bazel
+++ b/cc/signature/BUILD.bazel
@@ -340,6 +340,7 @@ cc_library(
 deps = [
 ":ecdsa_sign_key_manager",
 ":ecdsa_verify_key_manager",
+ ":ed25519_proto_serialization",
 ":ed25519_sign_key_manager",
 ":ed25519_verify_key_manager",
 ":public_key_sign_wrapper",
@@ -794,16 +795,33 @@ cc_test(
 srcs = ["signature_config_test.cc"],
 tags = ["fips"],
 deps = [
+ ":ed25519_parameters",
+ ":ed25519_private_key",
+ ":ed25519_public_key",
 ":rsa_ssa_pss_sign_key_manager",
 ":rsa_ssa_pss_verify_key_manager",
 ":signature_config",
 ":signature_key_templates",
+ "//:insecure_secret_key_access",
+ "//:key",
 "//:keyset_handle",
+ "//:parameters",
+ "//:partial_key_access",
 "//:public_key_sign",
 "//:public_key_verify",
 "//:registry",
+ "//:restricted_data",
+ "//internal:ec_util",
 "//internal:fips_utils",
+ "//internal:mutable_serialization_registry",
+ "//internal:proto_key_serialization",
+ "//internal:proto_parameters_serialization",
+ "//internal:serialization",
+ "//proto:ed25519_cc_proto",
+ "//proto:tink_cc_proto",
+ "//subtle:random",
 "//util:status",
+ "//util:statusor",
 "//util:test_matchers",
 "//util:test_util",
 "@boringssl//:crypto",
diff --git a/cc/signature/CMakeLists.txt b/cc/signature/CMakeLists.txt
index 571eb4481..83017fedf 100644
--- a/cc/signature/CMakeLists.txt
+++ b/cc/signature/CMakeLists.txt
@@ -323,6 +323,7 @@ tink_cc_library(
 signature_config.h
 DEPS
 tink::signature::ecdsa_verify_key_manager
+ tink::signature::ed25519_proto_serialization
 tink::signature::ed25519_sign_key_manager
 tink::signature::ed25519_verify_key_manager
 tink::signature::public_key_sign_wrapper
@@ -757,6 +758,9 @@ tink_cc_test(
 SRCS
 signature_config_test.cc
 DEPS
+ tink::signature::ed25519_parameters
+ tink::signature::ed25519_private_key
+ tink::signature::ed25519_public_key
 tink::signature::rsa_ssa_pss_sign_key_manager
 tink::signature::rsa_ssa_pss_verify_key_manager
 tink::signature::signature_config
@@ -765,14 +769,28 @@ tink_cc_test(
 absl::memory
 absl::status
 crypto
+ tink::core::insecure_secret_key_access
+ tink::core::key
 tink::core::keyset_handle
+ tink::core::parameters
+ tink::core::partial_key_access
 tink::core::public_key_sign
 tink::core::public_key_verify
 tink::core::registry
+ tink::core::restricted_data
+ tink::internal::ec_util
 tink::internal::fips_utils
+ tink::internal::mutable_serialization_registry
+ tink::internal::proto_key_serialization
+ tink::internal::proto_parameters_serialization
+ tink::internal::serialization
+ tink::subtle::random
 tink::util::status
+ tink::util::statusor
 tink::util::test_matchers
 tink::util::test_util
+ tink::proto::ed25519_cc_proto
+ tink::proto::tink_cc_proto
 )
 
 tink_cc_test(
diff --git a/cc/signature/signature_config.cc b/cc/signature/signature_config.cc
index 206b3f18f..4bc8657a7 100644
--- a/cc/signature/signature_config.cc
+++ b/cc/signature/signature_config.cc
@@ -21,6 +21,7 @@
 #include "tink/config/tink_fips.h"
 #include "tink/registry.h"
 #include "tink/signature/ecdsa_verify_key_manager.h"
+#include "tink/signature/ed25519_proto_serialization.h"
 #include "tink/signature/ed25519_sign_key_manager.h"
 #include "tink/signature/ed25519_verify_key_manager.h"
 #include "tink/signature/public_key_sign_wrapper.h"
@@ -76,6 +77,9 @@ util::Status SignatureConfig::Register() {
 absl::make_unique<Ed25519VerifyKeyManager>(), true);
 if (!status.ok()) return status;
 
+ status = RegisterEd25519ProtoSerialization();
+ if (!status.ok()) return status;
+
 return util::OkStatus();
 }
 
diff --git a/cc/signature/signature_config_test.cc b/cc/signature/signature_config_test.cc
index d0f9b0251..62dcbd38e 100644
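Review bot: The new `status = RegisterEd25519ProtoSerialization();` at the tail of `SignatureConfig::Register()` carries no comment saying what it registers or under which mode it runs; the function starts outside this hunk, so the gating is not visible here. The new tests skip under FIPS mode, which suggests this call sits after the same FIPS early return as the Ed25519 key-manager registrations — if that is the case, a comment such as `// Register Ed25519 parameters/key proto (de)serialization with the global serialization registry; like the Ed25519 key managers above, this is not reached in FIPS-only mode.` would make the placement deliberate rather than incidental. The status is checked and propagated in the same style as the preceding registrations, which is correct.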
--- a/cc/signature/signature_config_test.cc
+++ b/cc/signature/signature_config_test.cc
@@ -17,6 +17,7 @@
 #include "tink/signature/signature_config.h"
 
 #include <list>
+#include <memory>
 #include <string>
 #include <utility>
 
@@ -25,17 +26,34 @@
 #include "absl/memory/memory.h"
 #include "absl/status/status.h"
 #include "openssl/crypto.h"
+#include "tink/insecure_secret_key_access.h"
+#include "tink/internal/ec_util.h"
 #include "tink/internal/fips_utils.h"
+#include "tink/internal/mutable_serialization_registry.h"
+#include "tink/internal/proto_key_serialization.h"
+#include "tink/internal/proto_parameters_serialization.h"
+#include "tink/internal/serialization.h"
+#include "tink/key.h"
 #include "tink/keyset_handle.h"
+#include "tink/parameters.h"
+#include "tink/partial_key_access.h"
 #include "tink/public_key_sign.h"
 #include "tink/public_key_verify.h"
 #include "tink/registry.h"
+#include "tink/restricted_data.h"
+#include "tink/signature/ed25519_parameters.h"
+#include "tink/signature/ed25519_private_key.h"
+#include "tink/signature/ed25519_public_key.h"
 #include "tink/signature/rsa_ssa_pss_sign_key_manager.h"
 #include "tink/signature/rsa_ssa_pss_verify_key_manager.h"
 #include "tink/signature/signature_key_templates.h"
+#include "tink/subtle/random.h"
 #include "tink/util/status.h"
+#include "tink/util/statusor.h"
 #include "tink/util/test_matchers.h"
 #include "tink/util/test_util.h"
+#include "proto/ed25519.pb.h"
+#include "proto/tink.pb.h"
 
 namespace crypto {
 namespace tink {
@@ -45,11 +63,16 @@ using ::crypto::tink::test::DummyPublicKeySign;
 using ::crypto::tink::test::DummyPublicKeyVerify;
 using ::crypto::tink::test::IsOk;
 using ::crypto::tink::test::StatusIs;
+using ::google::crypto::tink::KeyData;
+using ::google::crypto::tink::OutputPrefixType;
 using ::testing::Not;
 
 class SignatureConfigTest : public ::testing::Test {
 protected:
- void SetUp() override { Registry::Reset(); }
+ void SetUp() override {
+ Registry::Reset();
+ internal::MutableSerializationRegistry::GlobalInstance().Reset();
+ }
 };
 
 TEST_F(SignatureConfigTest, testBasic) {
@@ -196,6 +219,167 @@ TEST_F(SignatureConfigTest, RegisterFipsValidTemplates) {
 }
 }
 
+TEST_F(SignatureConfigTest, Ed25519ProtoParamsSerializationRegistered) {
+ if (internal::IsFipsModeEnabled()) {
+ GTEST_SKIP() << "Not supported in FIPS-only mode";
+ }
+
+ util::StatusOr<internal::ProtoParametersSerialization>
+ proto_params_serialization =
+ internal::ProtoParametersSerialization::Create(
+ SignatureKeyTemplates::Ed25519());
+ ASSERT_THAT(proto_params_serialization, IsOk());
+
+ util::StatusOr<std::unique_ptr<Parameters>> parsed_params =
+ internal::MutableSerializationRegistry::GlobalInstance().ParseParameters(
+ *proto_params_serialization);
+ ASSERT_THAT(parsed_params.status(), StatusIs(absl::StatusCode::kNotFound));
+
+ util::StatusOr<Ed25519Parameters> params =
+ Ed25519Parameters::Create(Ed25519Parameters::Variant::kTink);
+ ASSERT_THAT(params, IsOk());
+
+ util::StatusOr<std::unique_ptr<Serialization>> serialized_params =
+ internal::MutableSerializationRegistry::GlobalInstance()
+ .SerializeParameters<internal::ProtoParametersSerialization>(*params);
+ ASSERT_THAT(serialized_params.status(),
+ StatusIs(absl::StatusCode::kNotFound));
+
+ ASSERT_THAT(SignatureConfig::Register(), IsOk());
+
+ util::StatusOr<std::unique_ptr<Parameters>> parsed_params2 =
+ internal::MutableSerializationRegistry::GlobalInstance().ParseParameters(
+ *proto_params_serialization);
+ ASSERT_THAT(parsed_params2, IsOk());
+
+ util::StatusOr<std::unique_ptr<Serialization>> serialized_params2 =
+ internal::MutableSerializationRegistry::GlobalInstance()
+ .SerializeParameters<internal::ProtoParametersSerialization>(*params);
+ ASSERT_THAT(serialized_params2, IsOk());
+}
+
+TEST_F(SignatureConfigTest, Ed25519ProtoPublicKeySerializationRegistered) {
+ if (internal::IsFipsModeEnabled()) {
+ GTEST_SKIP() << "Not supported in FIPS-only mode";
+ }
+
+ const std::string raw_key = subtle::Random::GetRandomBytes(32);
+
+ google::crypto::tink::Ed25519PublicKey key_proto;
+ key_proto.set_version(0);
+ key_proto.set_key_value(raw_key);
+
+ util::StatusOr<internal::ProtoKeySerialization> proto_key_serialization =
+ internal::ProtoKeySerialization::Create(
+ "type.googleapis.com/google.crypto.tink.Ed25519PublicKey",
+ RestrictedData(key_proto.SerializeAsString(),
+ InsecureSecretKeyAccess::Get()),
+ KeyData::ASYMMETRIC_PUBLIC, OutputPrefixType::TINK,
+ /*id_requirement=*/123);
+ ASSERT_THAT(proto_key_serialization, IsOk());
+
+ util::StatusOr<std::unique_ptr<Key>> parsed_key =
+ internal::MutableSerializationRegistry::GlobalInstance().ParseKey(
+ *proto_key_serialization, InsecureSecretKeyAccess::Get());
+ ASSERT_THAT(parsed_key.status(), StatusIs(absl::StatusCode::kNotFound));
+
+ util::StatusOr<Ed25519Parameters> params =
+ Ed25519Parameters::Create(Ed25519Parameters::Variant::kTink);
+ ASSERT_THAT(params, IsOk());
+
+ util::StatusOr<Ed25519PublicKey> key =
+ Ed25519PublicKey::Create(*params, raw_key,
+ /*id_requirement=*/123, GetPartialKeyAccess());
+ ASSERT_THAT(key, IsOk());
+
+ util::StatusOr<std::unique_ptr<Serialization>> serialized_key =
+ internal::MutableSerializationRegistry::GlobalInstance()
+ .SerializeKey<internal::ProtoKeySerialization>(
+ *key, InsecureSecretKeyAccess::Get());
+ ASSERT_THAT(serialized_key.status(), StatusIs(absl::StatusCode::kNotFound));
+
+ ASSERT_THAT(SignatureConfig::Register(), IsOk());
+
+ util::StatusOr<std::unique_ptr<Key>> parsed_key2 =
+ internal::MutableSerializationRegistry::GlobalInstance().ParseKey(
+ *proto_key_serialization, InsecureSecretKeyAccess::Get());
+ ASSERT_THAT(parsed_key2, IsOk());
+
+ util::StatusOr<std::unique_ptr<Serialization>> serialized_key2 =
+ internal::MutableSerializationRegistry::GlobalInstance()
+ .SerializeKey<internal::ProtoKeySerialization>(
+ *key, InsecureSecretKeyAccess::Get());
+ ASSERT_THAT(serialized_key2, IsOk());
+}
+
+TEST_F(SignatureConfigTest, Ed25519ProtoPrivateKeySerializationRegistered) {
+ if (internal::IsFipsModeEnabled()) {
+ GTEST_SKIP() << "Not supported in FIPS-only mode";
+ }
+
+ util::StatusOr<std::unique_ptr<internal::Ed25519Key>> key_pair =
+ internal::NewEd25519Key();
+ ASSERT_THAT(key_pair, IsOk());
+
+ google::crypto::tink::Ed25519PublicKey public_key_proto;
+ public_key_proto.set_version(0);
+ public_key_proto.set_key_value((*key_pair)->public_key);
+
+ google::crypto::tink::Ed25519PrivateKey private_key_proto;
+ private_key_proto.set_version(0);
+ private_key_proto.set_key_value((*key_pair)->private_key);
+ *private_key_proto.mutable_public_key() = public_key_proto;
+
+ util::StatusOr<internal::ProtoKeySerialization> proto_key_serialization =
+ internal::ProtoKeySerialization::Create(
+ "type.googleapis.com/google.crypto.tink.Ed25519PrivateKey",
+ RestrictedData(private_key_proto.SerializeAsString(),
+ InsecureSecretKeyAccess::Get()),
+ KeyData::ASYMMETRIC_PRIVATE, OutputPrefixType::TINK,
+ /*id_requirement=*/123);
+ ASSERT_THAT(proto_key_serialization, IsOk());
+
+ util::StatusOr<std::unique_ptr<Key>> parsed_key =
+ internal::MutableSerializationRegistry::GlobalInstance().ParseKey(
+ *proto_key_serialization, InsecureSecretKeyAccess::Get());
+ ASSERT_THAT(parsed_key.status(), StatusIs(absl::StatusCode::kNotFound));
+
+ util::StatusOr<Ed25519Parameters> params =
+ Ed25519Parameters::Create(Ed25519Parameters::Variant::kTink);
+ ASSERT_THAT(params, IsOk());
+
+ util::StatusOr<Ed25519PublicKey> public_key =
+ Ed25519PublicKey::Create(*params, (*key_pair)->public_key,
+ /*id_requirement=*/123, GetPartialKeyAccess());
+ ASSERT_THAT(public_key, IsOk());
+
+ RestrictedData private_key_bytes =
+ RestrictedData((*key_pair)->private_key, InsecureSecretKeyAccess::Get());
+
+ util::StatusOr<Ed25519PrivateKey> private_key = Ed25519PrivateKey::Create(
+ *public_key, private_key_bytes, GetPartialKeyAccess());
+ ASSERT_THAT(private_key, IsOk());
+
+ util::StatusOr<std::unique_ptr<Serialization>> serialized_key =
+ internal::MutableSerializationRegistry::GlobalInstance()
+ .SerializeKey<internal::ProtoKeySerialization>(
+ *private_key, InsecureSecretKeyAccess::Get());
+ ASSERT_THAT(serialized_key.status(), StatusIs(absl::StatusCode::kNotFound));
+
+ ASSERT_THAT(SignatureConfig::Register(), IsOk());
+
+ util::StatusOr<std::unique_ptr<Key>> parsed_key2 =
+ internal::MutableSerializationRegistry::GlobalInstance().ParseKey(
+ *proto_key_serialization, InsecureSecretKeyAccess::Get());
+ ASSERT_THAT(parsed_key2, IsOk());
+
+ util::StatusOr<std::unique_ptr<Serialization>> serialized_key2 =
+ internal::MutableSerializationRegistry::GlobalInstance()
+ .SerializeKey<internal::ProtoKeySerialization>(
+ *private_key, InsecureSecretKeyAccess::Get());
+ ASSERT_THAT(serialized_key2, IsOk());
+}
+
 } // namespace
 } // namespace tink
 } // namespace crypto
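Review bot: In `Ed25519ProtoPublicKeySerializationRegistered` the key material is `subtle::Random::GetRandomBytes(32)`, which is not necessarily a valid Ed25519 point; the test passes only as long as nothing on the `Ed25519PublicKey::Create` / registry parse path validates the point (nothing in the hunk does), so it would start failing for an unrelated reason if such validation were ever added. The private-key test already derives a genuine pair, so do the same here: obtain `key_pair` via `internal::NewEd25519Key()` as that test does and use `const std::string raw_key = (*key_pair)->public_key;`. Separately, all three tests stop at `IsOk()` after `SignatureConfig::Register()`; assuming `Key::operator==` is available as elsewhere in Tink, one line such as `EXPECT_TRUE(**parsed_key2 == *key);` (and the private-key equivalent) would also pin that the registered parser yields the same key value, not merely that a parser exists. The three tests repeat the same not-found-then-ok pattern and the type-URL literals; a small helper or fixture constant would shorten them, but that is optional.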