add verify tests; remove internal monitoring

Signed-off-by: sal rashid <salrashid123@gmail.com>
salrashid123 · Sep 3, 2024 · a003c17 · a003c17
1 parent 22342f3
commit a003c17
Show file tree

Hide file tree

Showing 7 changed files with 195 additions and 57 deletions.
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -73,6 +73,12 @@ jobs:
       - name: Run TestAeadOwnerPasswordFail
         run: go test -v ./aead -run ^TestAeadOwnerPasswordFail$
 
+      - name: Run TestSign
+        run: go test -v ./signature -run ^TestSign$
+
+      - name: Run TestSignFail
+        run: go test -v ./signature -run ^TestSignFail
+
       - name: Run TestSignVerify
         run: go test -v ./signature -run ^TestSignVerify$
 

diff --git a/README.md b/README.md
@@ -28,7 +28,7 @@ import (
 	"github.com/tink-crypto/tink-go/v2/keyset"
 )
 
-// create a policy session to define any constraints (eg, password or pcr policy), the folloing example doesn't use any
+// create a policy session to define any constraints (eg, password or pcr policy), the following example doesn't use any
 	sess, cleanup1, err := tpm2.PolicySession(rwr, tpm2.TPMAlgSHA256, 16, tpm2.Trial())
 	defer cleanup1()
 
@@ -154,6 +154,7 @@ $ go run hmac/nopassword/verify/main.go \
 
 ### Signature: RSA-SSA-PKCS1
 
+
 Internally, this generates an RSA inside the tpm and uses the tpm itself to create the signature.
 
 The public key is also written to a tink keyset and it can be used without a TPM to verify
@@ -520,7 +521,6 @@ Signing
 }
 ```
 
-
 Where the "Value" field is the proto keys shown in `proto/tinktpm.proto`
 
 #### Parent Key
@@ -552,33 +552,26 @@ Due to the limitation of the singleton keymanager auth call back configs, each t
 ## hmac tests
 go test -v ./mac -run ^TestMac$
 go test -v ./mac -run ^TestMacFail$
-
 go test -v ./mac -run ^TestMacPassword$
 go test -v ./mac -run ^TestMacPasswordFail$
-
 go test -v ./mac -run ^TestMacPCR$
 go test -v ./mac -run ^TestMacPCRFail$
-
 go test -v ./mac -run ^TestMacOwnerPassword$
 go test -v ./mac -run ^TestMacOwnerPasswordFail$
 
-
 ### aead tests
-
 go test -v ./aead -run ^TestAead$
 go test -v ./aead -run ^TestAeadFail$
-
 go test -v ./aead -run ^TestAeadPassword$
 go test -v ./aead -run ^TestAeadPasswordFail$
-
 go test -v ./aead -run ^TestAeadPCR$
 go test -v ./aead -run ^TestAeadPCRFail$
-
 go test -v ./aead -run ^TestAeadOwnerPassword$
 go test -v ./aead -run ^TestAeadOwnerPasswordFail$
 
 ### rsa tests
-
+go test -v ./signature -run ^TestSign$
+go test -v ./signature -run ^TestSignFail$
 go test -v ./signature -run ^TestSignVerify$
 go test -v ./signature -run ^TestSignVerifyFail$
-```
+```
diff --git a/aead/subtle/aes_ctr_tpm.go b/aead/subtle/aes_ctr_tpm.go
@@ -11,6 +11,7 @@ import (
 	keyfile "github.com/foxboron/go-tpm-keyfiles"
 	"github.com/google/go-tpm/tpm2"
 	"github.com/google/go-tpm/tpm2/transport"
+	"github.com/tink-crypto/tink-go/aead/subtle"
 
 	tinkcommon "github.com/salrashid123/tink-go-tpm/v2/common"
 	tinktpmprotopb "github.com/salrashid123/tink-go-tpm/v2/proto"
@@ -36,6 +37,8 @@ type TpmAesCtr struct {
 
 var ()
 
+var _ subtle.INDCPACipher = (*TpmAesCtr)(nil)
+
 const maxDigestBuffer = 1024
 
 func NewTPMAESCTR(ctx context.Context, conf *TpmAesCtr) (*TpmAesCtr, error) {

diff --git a/signature/signer_factory.go b/signature/signer_factory.go
@@ -6,7 +6,6 @@ import (
 	"github.com/tink-crypto/tink-go/v2/core/primitiveset"
 
 	"github.com/tink-crypto/tink-go/v2/keyset"
-	"github.com/tink-crypto/tink-go/v2/monitoring"
 	tinkpb "github.com/tink-crypto/tink-go/v2/proto/tink_go_proto"
 	"github.com/tink-crypto/tink-go/v2/tink"
 )
@@ -22,8 +21,7 @@ func NewSigner(handle *keyset.Handle) (tink.Signer, error) {
 
 // wrappedSigner is an Signer implementation that uses the underlying primitive set for signing.
 type wrappedSigner struct {
-	ps     *primitiveset.PrimitiveSet
-	logger monitoring.Logger
+	ps *primitiveset.PrimitiveSet
 }
 
 // Asserts that wrappedSigner implements the Signer interface.
@@ -42,8 +40,7 @@ func newWrappedSigner(ps *primitiveset.PrimitiveSet) (*wrappedSigner, error) {
 		}
 	}
 	return &wrappedSigner{
-		ps:     ps,
-		logger: nil,
+		ps: ps,
 	}, nil
 }
 
@@ -67,7 +64,7 @@ func (s *wrappedSigner) Sign(data []byte) ([]byte, error) {
 
 	signature, err := signer.Sign(signedData)
 	if err != nil {
-		s.logger.LogFailure()
+		//s.logger.LogFailure()
 		return nil, err
 	}
 

diff --git a/signature/tpm_rsassapkcs1_signer_key_manager_test.go b/signature/tpm_rsassapkcs1_signer_key_manager_test.go
@@ -14,7 +14,7 @@ import (
 	tinkpb "github.com/tink-crypto/tink-go/v2/proto/tink_go_proto"
 )
 
-func TestSignVerify(t *testing.T) {
+func TestSign(t *testing.T) {
 	//tpmDevice, err := tinkcommon.OpenTPM("127.0.0.1:2321")  // rsa keys larger than 2048 work with this
 	//   but not the go-tpm-tools simulator below... i have to figure this out later
 	tpmDevice, err := simulator.Get()
@@ -47,10 +47,6 @@ func TestSignVerify(t *testing.T) {
 	err = registry.RegisterKeyManager(rsaKeyManager)
 	require.NoError(t, err)
 
-	rsaVerifierKeyManager := NewRSASSAPKCS1VerifierTpmKeyManager(nil, nil)
-	err = registry.RegisterKeyManager(rsaVerifierKeyManager)
-	require.NoError(t, err)
-
 	tests := []struct {
 		name     string
 		template *tinkpb.KeyTemplate
@@ -71,24 +67,13 @@ func TestSignVerify(t *testing.T) {
 			require.NoError(t, err)
 
 			msg := []byte([]byte(plaintext))
-			sig, err := s.Sign(msg)
-			require.NoError(t, err)
-
-			pubkh, err := kh1.Public()
-			require.NoError(t, err)
-
-			// verify
-			v, err := NewVerifier(pubkh)
-			require.NoError(t, err)
-
-			err = v.Verify(sig, msg)
+			_, err = s.Sign(msg)
 			require.NoError(t, err)
-
 		})
 	}
 }
 
-func TestSignVerifyFail(t *testing.T) {
+func TestSignFail(t *testing.T) {
 	//tpmDevice, err := tinkcommon.OpenTPM("127.0.0.1:2321")
 	tpmDevice, err := simulator.Get()
 	require.NoError(t, err)
@@ -120,10 +105,6 @@ func TestSignVerifyFail(t *testing.T) {
 	err = registry.RegisterKeyManager(rsaKeyManager)
 	require.NoError(t, err)
 
-	rsaVerifierKeyManager := NewRSASSAPKCS1VerifierTpmKeyManager(nil, nil)
-	err = registry.RegisterKeyManager(rsaVerifierKeyManager)
-	require.NoError(t, err)
-
 	tests := []struct {
 		name     string
 		template *tinkpb.KeyTemplate
@@ -140,21 +121,22 @@ func TestSignVerifyFail(t *testing.T) {
 			s, err := NewSigner(kh1)
 			require.NoError(t, err)
 
-			msg := []byte([]byte(plaintext))
-			_, err = s.Sign(msg)
-			require.NoError(t, err)
-
-			pubkh, err := kh1.Public()
+			// abruptly change the owner auth
+			ownerPwd := "bar"
+			_, err = tpm2.HierarchyChangeAuth{
+				AuthHandle: tpm2.AuthHandle{
+					Handle: tpm2.TPMRHOwner,
+					Auth:   tpm2.PasswordAuth(nil),
+				},
+				NewAuth: tpm2.TPM2BAuth{
+					Buffer: []byte(ownerPwd),
+				},
+			}.Execute(rwr)
 			require.NoError(t, err)
 
-			// verify
-			v, err := NewVerifier(pubkh)
-			require.NoError(t, err)
-
-			badsig := []byte("bar")
-			err = v.Verify(badsig, msg)
+			msg := []byte([]byte(plaintext))
+			_, err = s.Sign(msg)
 			require.Error(t, err)
-
 		})
 	}
 }
diff --git a/signature/tpm_rsassapkcs1_verifier_key_manager_test.go b/signature/tpm_rsassapkcs1_verifier_key_manager_test.go
@@ -0,0 +1,160 @@
+package signature
+
+import (
+	"testing"
+
+	"github.com/google/go-tpm-tools/simulator"
+	"github.com/google/go-tpm/tpm2"
+	"github.com/google/go-tpm/tpm2/transport"
+	"github.com/stretchr/testify/require"
+
+	tinkcommon "github.com/salrashid123/tink-go-tpm/v2/common"
+	"github.com/tink-crypto/tink-go/v2/core/registry"
+	"github.com/tink-crypto/tink-go/v2/keyset"
+	tinkpb "github.com/tink-crypto/tink-go/v2/proto/tink_go_proto"
+)
+
+func TestSignVerify(t *testing.T) {
+	//tpmDevice, err := tinkcommon.OpenTPM("127.0.0.1:2321")  // rsa keys larger than 2048 work with this
+	//   but not the go-tpm-tools simulator below... i have to figure this out later
+	tpmDevice, err := simulator.Get()
+	require.NoError(t, err)
+	defer tpmDevice.Close()
+
+	plaintext := "foo"
+
+	rwr := transport.FromReadWriter(tpmDevice)
+
+	sess, cleanup1, err := tpm2.PolicySession(rwr, tpm2.TPMAlgSHA256, 16, tpm2.Trial())
+	require.NoError(t, err)
+	defer cleanup1()
+
+	pav := tpm2.PolicyAuthValue{
+		PolicySession: sess.Handle(),
+	}
+	_, err = pav.Execute(rwr)
+	require.NoError(t, err)
+
+	pgd, err := tpm2.PolicyGetDigest{
+		PolicySession: sess.Handle(),
+	}.Execute(rwr)
+	require.NoError(t, err)
+
+	se, err := tinkcommon.NewPasswordSession(rwr, nil, nil, pgd.PolicyDigest.Buffer)
+	require.NoError(t, err)
+
+	rsaKeyManager := NewRSASSAPKCS1SignerTpmKeyManager(tpmDevice, se)
+	err = registry.RegisterKeyManager(rsaKeyManager)
+	require.NoError(t, err)
+
+	rsaVerifierKeyManager := NewRSASSAPKCS1VerifierTpmKeyManager(nil, nil)
+	err = registry.RegisterKeyManager(rsaVerifierKeyManager)
+	require.NoError(t, err)
+
+	tests := []struct {
+		name     string
+		template *tinkpb.KeyTemplate
+	}{
+		{"RSA_SSA_PKCS1_2048_SHA256_F4_Key_Template", RSA_SSA_PKCS1_2048_SHA256_F4_Key_Template()},
+
+		// {"RSA_SSA_PKCS1_3072_SHA256_F4_Key_Template", RSA_SSA_PKCS1_3072_SHA256_F4_Key_Template()},
+		// {"RSA_SSA_PKCS1_3072_SHA256_F4_RAW_Key_Template", RSA_SSA_PKCS1_3072_SHA256_F4_RAW_Key_Template()},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+
+			kh1, err := keyset.NewHandle(tc.template)
+			require.NoError(t, err)
+
+			s, err := NewSigner(kh1)
+			require.NoError(t, err)
+
+			msg := []byte([]byte(plaintext))
+			sig, err := s.Sign(msg)
+			require.NoError(t, err)
+
+			pubkh, err := kh1.Public()
+			require.NoError(t, err)
+
+			// verify
+			v, err := NewVerifier(pubkh)
+			require.NoError(t, err)
+
+			err = v.Verify(sig, msg)
+			require.NoError(t, err)
+
+		})
+	}
+}
+
+func TestSignVerifyFail(t *testing.T) {
+	//tpmDevice, err := tinkcommon.OpenTPM("127.0.0.1:2321")
+	tpmDevice, err := simulator.Get()
+	require.NoError(t, err)
+	defer tpmDevice.Close()
+
+	plaintext := "foo"
+
+	rwr := transport.FromReadWriter(tpmDevice)
+
+	sess, cleanup1, err := tpm2.PolicySession(rwr, tpm2.TPMAlgSHA256, 16, tpm2.Trial())
+	require.NoError(t, err)
+	defer cleanup1()
+
+	pav := tpm2.PolicyAuthValue{
+		PolicySession: sess.Handle(),
+	}
+	_, err = pav.Execute(rwr)
+	require.NoError(t, err)
+
+	pgd, err := tpm2.PolicyGetDigest{
+		PolicySession: sess.Handle(),
+	}.Execute(rwr)
+	require.NoError(t, err)
+
+	se, err := tinkcommon.NewPasswordSession(rwr, nil, nil, pgd.PolicyDigest.Buffer)
+	require.NoError(t, err)
+
+	rsaKeyManager := NewRSASSAPKCS1SignerTpmKeyManager(tpmDevice, se)
+	err = registry.RegisterKeyManager(rsaKeyManager)
+	require.NoError(t, err)
+
+	rsaVerifierKeyManager := NewRSASSAPKCS1VerifierTpmKeyManager(nil, nil)
+	err = registry.RegisterKeyManager(rsaVerifierKeyManager)
+	require.NoError(t, err)
+
+	tests := []struct {
+		name     string
+		template *tinkpb.KeyTemplate
+	}{
+		{"RSA_SSA_PKCS1_2048_SHA256_F4_Key_Template", RSA_SSA_PKCS1_2048_SHA256_F4_Key_Template()},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+
+			kh1, err := keyset.NewHandle(tc.template)
+			require.NoError(t, err)
+
+			s, err := NewSigner(kh1)
+			require.NoError(t, err)
+
+			msg := []byte([]byte(plaintext))
+			_, err = s.Sign(msg)
+			require.NoError(t, err)
+
+			pubkh, err := kh1.Public()
+			require.NoError(t, err)
+
+			// verify
+			v, err := NewVerifier(pubkh)
+			require.NoError(t, err)
+
+			badsig := []byte("bar")
+			err = v.Verify(badsig, msg)
+			require.Error(t, err)
+
+		})
+	}
+}