From cfcd85989a143fa67f2bdb06349a3a5e558a59ed6d799e0b5f3ae1aac826b7bf Mon Sep 17 00:00:00 2001 From: Sergey Matveev Date: Wed, 12 Feb 2025 17:32:06 +0300 Subject: [PATCH] More actualised integration tests --- go/cm/cmd/enctool/main.go | 9 +++ go/cm/cmd/enctool/passphrase.t | 17 ++++++ go/cm/cmd/enctool/pub.t | 61 +++++++++++++++++++ .../cmd/keytool/{basic.t => certification.t} | 38 ++++++------ go/cm/cmd/keytool/kem-generation.t | 18 ++++++ go/cm/cmd/sigtool/basic.t | 51 +++++++++------- 6 files changed, 152 insertions(+), 42 deletions(-) create mode 100755 go/cm/cmd/enctool/passphrase.t create mode 100755 go/cm/cmd/enctool/pub.t rename go/cm/cmd/keytool/{basic.t => certification.t} (52%) create mode 100755 go/cm/cmd/keytool/kem-generation.t diff --git a/go/cm/cmd/enctool/main.go b/go/cm/cmd/enctool/main.go index cbf11ca..761af30 100644 --- a/go/cm/cmd/enctool/main.go +++ b/go/cm/cmd/enctool/main.go @@ -56,6 +56,9 @@ func blake2b256() hash.Hash { } func readPasswd(prompt string) (passwd []byte) { + if raw := os.Getenv("ENCTOOL_PASSPHRASE"); raw != "" { + return []byte(raw) + } tty, err := os.OpenFile("/dev/tty", os.O_RDWR, 0) if err != nil { log.Fatal(err) @@ -204,6 +207,9 @@ func main() { log.Fatalln("invalid encap len") } for _, prv := range prvs { + if prv.A != cm.SNTRUP4591761X25519 { + continue + } if len(prv.V) != sntrup4591761.PrivateKeySize+32 { log.Fatalln("invalid private keys len") } @@ -274,6 +280,9 @@ func main() { log.Fatalln("invalid encap len") } for _, prv := range prvs { + if prv.A != cm.ClassicMcEliece6960119X25519 { + continue + } if len(prv.V) != scheme.PrivateKeySize()+32 { log.Fatalln("invalid private keys len") } diff --git a/go/cm/cmd/enctool/passphrase.t b/go/cm/cmd/enctool/passphrase.t new file mode 100755 index 0000000..a1e40c2 --- /dev/null +++ b/go/cm/cmd/enctool/passphrase.t @@ -0,0 +1,17 @@ +#!/bin/sh + +test_description="Check that basic passphrase encryption functionality works" +. $SHARNESS_TEST_SRCDIR/sharness.sh + +TMPDIR=${TMPDIR:-/tmp} + +dd if=/dev/urandom of=$TMPDIR/enc.data bs=300K count=1 2>/dev/null +export ENCTOOL_PASSPHRASE=$(dd if=/dev/urandom bs=32 count=1 2>/dev/null | xxd -p) +test_expect_success "encrypting" "enctool -p \ + <$TMPDIR/enc.data >$TMPDIR/enc.enc" +test_expect_success "decrypting" "enctool -d -p \ + <$TMPDIR/enc.enc >$TMPDIR/enc.data.got" +test_expect_success "comparing" \ + "test_cmp $TMPDIR/enc.data $TMPDIR/enc.data.got" + +test_done diff --git a/go/cm/cmd/enctool/pub.t b/go/cm/cmd/enctool/pub.t new file mode 100755 index 0000000..19d98cb --- /dev/null +++ b/go/cm/cmd/enctool/pub.t @@ -0,0 +1,61 @@ +#!/bin/sh + +test_description="Check that basic public-key encryption functionality works" +. $SHARNESS_TEST_SRCDIR/sharness.sh + +TMPDIR=${TMPDIR:-/tmp} + +dd if=/dev/urandom of=$TMPDIR/enc.data bs=300K count=1 2>/dev/null +bind=$(uuidgen) + +algo=mceliece6960119-x25519 +algo0=$algo +test_expect_success "$algo: pub generation" "keytool \ + -algo $algo -ku kem -subj A=$algo \ + -prv $TMPDIR/enc.$algo.prv -pub $TMPDIR/enc.$algo.pub" +algo=sntrup4591761-x25519 +algo1=$algo +test_expect_success "$algo: pub generation" "keytool \ + -algo $algo -ku kem -subj A=$algo \ + -prv $TMPDIR/enc.$algo.prv -pub $TMPDIR/enc.$algo.pub" + +test_expect_success "encrypting" "enctool -bind $bind \ + -pub $TMPDIR/enc.$algo0.pub -pub $TMPDIR/enc.$algo1.pub \ + <$TMPDIR/enc.data >$TMPDIR/enc.enc" + +test_expect_success "any: decrypting" "enctool -d \ + -prv $TMPDIR/enc.$algo0.prv -prv $TMPDIR/enc.$algo1.prv \ + <$TMPDIR/enc.enc >$TMPDIR/enc.data.got 4>$TMPDIR/bind.got" +test_expect_success "comparing" \ + "test_cmp $TMPDIR/enc.data $TMPDIR/enc.data.got" +echo $bind >$TMPDIR/bind +test_expect_success "comparing bind" \ + "test_cmp $TMPDIR/bind $TMPDIR/bind.got" + +test_expect_success "$algo0: decrypting" "enctool -d \ + -prv $TMPDIR/enc.$algo0.prv \ + <$TMPDIR/enc.enc >$TMPDIR/enc.data.got" +test_expect_success "$algo0: comparing" \ + "test_cmp $TMPDIR/enc.data $TMPDIR/enc.data.got" + +test_expect_success "$algo1: decrypting" "enctool -d \ + -prv $TMPDIR/enc.$algo1.prv \ + <$TMPDIR/enc.enc >$TMPDIR/enc.data.got" +test_expect_success "$algo1: comparing" \ + "test_cmp $TMPDIR/enc.data $TMPDIR/enc.data.got" + +export ENCTOOL_PASSPHRASE=$(dd if=/dev/urandom bs=32 count=1 2>/dev/null | xxd -p) +test_expect_success "encrypting also with passphrase" "enctool \ + -pub $TMPDIR/enc.$algo0.pub -pub $TMPDIR/enc.$algo1.pub -p \ + <$TMPDIR/enc.data >$TMPDIR/enc.enc" +test_expect_success "any: decrypting" "enctool -d \ + -prv $TMPDIR/enc.$algo0.prv -prv $TMPDIR/enc.$algo1.prv \ + <$TMPDIR/enc.enc >$TMPDIR/enc.data.got" +test_expect_success "comparing" \ + "test_cmp $TMPDIR/enc.data $TMPDIR/enc.data.got" +test_expect_success "passphrase: decrypting" "enctool -d -p \ + <$TMPDIR/enc.enc >$TMPDIR/enc.data.got" +test_expect_success "comparing" \ + "test_cmp $TMPDIR/enc.data $TMPDIR/enc.data.got" + +test_done diff --git a/go/cm/cmd/keytool/basic.t b/go/cm/cmd/keytool/certification.t similarity index 52% rename from go/cm/cmd/keytool/basic.t rename to go/cm/cmd/keytool/certification.t index 913ff63..f2780bb 100755 --- a/go/cm/cmd/keytool/basic.t +++ b/go/cm/cmd/keytool/certification.t @@ -1,6 +1,6 @@ #!/bin/sh -test_description="Check that basic GOST-related functionality works" +test_description="Check that basic certification functionality works" . $SHARNESS_TEST_SRCDIR/sharness.sh TMPDIR=${TMPDIR:-/tmp} @@ -12,42 +12,42 @@ subj="-subj CN=CA -subj C=RU" test_expect_success "$caAlgo: CA load generation" "keytool \ -algo $caAlgo \ -ku sig $subj \ - -prv $TMPDIR/ca.prv -pub $TMPDIR/ca.pub" + -prv $TMPDIR/ca.$caAlgo.prv -pub $TMPDIR/ca.$caAlgo.pub" test_expect_success "$caAlgo: CA generation" "keytool \ - -pub $TMPDIR/ca.pub \ - -ca-prv $TMPDIR/ca.prv -ca-pub $TMPDIR/ca.pub" + -pub $TMPDIR/ca.$caAlgo.pub \ + -ca-prv $TMPDIR/ca.$caAlgo.prv -ca-pub $TMPDIR/ca.$caAlgo.pub" test_expect_success "$caAlgo: CA regeneration" "keytool \ - -pub $TMPDIR/ca.pub \ - -ca-prv $TMPDIR/ca.prv -ca-pub $TMPDIR/ca.pub" + -pub $TMPDIR/ca.$caAlgo.pub \ + -ca-prv $TMPDIR/ca.$caAlgo.prv -ca-pub $TMPDIR/ca.$caAlgo.pub" test_expect_success "$caAlgo: CA self-signature" "keytool \ - -ca-pub $TMPDIR/ca.pub \ - -pub $TMPDIR/ca.pub \ + -ca-pub $TMPDIR/ca.$caAlgo.pub \ + -pub $TMPDIR/ca.$caAlgo.pub \ -verify" subj="-subj CN=SubCA -subj C=RU" test_expect_success "$eeAlgo: SubCA load generation" "keytool \ -algo $eeAlgo \ -ku sig $subj \ - -prv $TMPDIR/subca.prv -pub $TMPDIR/subca.pub" + -prv $TMPDIR/subca.$eeAlgo.prv -pub $TMPDIR/subca.$eeAlgo.pub" test_expect_success "$eeAlgo: SubCA generation" "keytool \ - -pub $TMPDIR/subca.pub \ - -ca-pub $TMPDIR/ca.pub -ca-prv $TMPDIR/ca.prv" + -pub $TMPDIR/subca.$eeAlgo.pub \ + -ca-pub $TMPDIR/ca.$caAlgo.pub -ca-prv $TMPDIR/ca.$caAlgo.prv" test_expect_success "$eeAlgo: SubCA signature" "keytool \ - -ca-pub $TMPDIR/ca.pub \ - -pub $TMPDIR/subca.pub \ + -ca-pub $TMPDIR/ca.$caAlgo.pub \ + -pub $TMPDIR/subca.$eeAlgo.pub \ -verify" subj="-subj CN=EE -subj C=RU" test_expect_success "$eeAlgo: EE load generation" "keytool \ -algo $eeAlgo $subj \ - -prv $TMPDIR/ee.prv -pub $TMPDIR/ee.pub" + -prv $TMPDIR/ee.$eeAlgo.prv -pub $TMPDIR/ee.$eeAlgo.pub" test_expect_success "$eeAlgo: EE generation" "keytool \ - -ca-prv $TMPDIR/subca.prv -ca-pub $TMPDIR/subca.pub \ - -pub $TMPDIR/ee.pub" + -ca-prv $TMPDIR/subca.$eeAlgo.prv -ca-pub $TMPDIR/subca.$eeAlgo.pub \ + -pub $TMPDIR/ee.$eeAlgo.pub" test_expect_success "$eeAlgo: EE chain" "keytool \ - -ca-pub $TMPDIR/ca.pub \ - -ca-pub $TMPDIR/subca.pub \ - -pub $TMPDIR/ee.pub \ + -ca-pub $TMPDIR/ca.$caAlgo.pub \ + -ca-pub $TMPDIR/subca.$eeAlgo.pub \ + -pub $TMPDIR/ee.$eeAlgo.pub \ -verify" done diff --git a/go/cm/cmd/keytool/kem-generation.t b/go/cm/cmd/keytool/kem-generation.t new file mode 100755 index 0000000..6cb90c9 --- /dev/null +++ b/go/cm/cmd/keytool/kem-generation.t @@ -0,0 +1,18 @@ +#!/bin/sh + +test_description="Check that KEM certificates generation works" +. $SHARNESS_TEST_SRCDIR/sharness.sh + +TMPDIR=${TMPDIR:-/tmp} + +echo "mceliece6960119-x25519 +sntrup4591761-x25519" | while read algo ; do + +test_expect_success "$algo: generation" "keytool \ + -algo $algo \ + -ku kem -subj CN=DH \ + -prv $TMPDIR/kem.$algo.prv -pub $TMPDIR/kem.$algo.pub" + +done + +test_done diff --git a/go/cm/cmd/sigtool/basic.t b/go/cm/cmd/sigtool/basic.t index e4931d6..7c0b001 100755 --- a/go/cm/cmd/sigtool/basic.t +++ b/go/cm/cmd/sigtool/basic.t @@ -1,50 +1,55 @@ #!/bin/sh -test_description="TODO" +test_description="Check that basic signing functionality works" . $SHARNESS_TEST_SRCDIR/sharness.sh TMPDIR=${TMPDIR:-/tmp} echo "gost3410-512C gost3410-256A -ed25519-blake2b" | while read algo ; do +ed25519-blake2b" | while read keyalgo ; do subj="-subj what=ever" typ="some-different-type" -test_expect_success "$algo: pub generation" "keytool \ - -algo $algo -ku sig $subj \ - -prv $TMPDIR/sign.prv -pub $TMPDIR/sign.pub" -dd if=/dev/urandom of=$TMPDIR/sign.data bs=300K count=1 2>/dev/null +test_expect_success "$keyalgo: pub generation" "keytool \ + -algo $keyalgo -ku sig $subj \ + -prv $TMPDIR/sign.$keyalgo.prv -pub $TMPDIR/sign.$keyalgo.pub" +dd if=/dev/urandom of=$TMPDIR/sign.$keyalgo.data bs=300K count=1 2>/dev/null bind="-encrypted-binding $(uuidgen)" badBind="-encrypted-binding $(uuidgen)" -test_expect_success "$algo: signing" "sigtool \ - -prv $TMPDIR/sign.prv -pub $TMPDIR/sign.pub -type $typ \ - $bind <$TMPDIR/sign.data >$TMPDIR/sign.sig" +for merkle in "" "-merkle" ; do + +algo=${keyalgo}${merkle} +test_expect_success "$algo: signing" "sigtool $merkle \ + -prv $TMPDIR/sign.$keyalgo.prv -pub $TMPDIR/sign.$keyalgo.pub -type $typ \ + $bind <$TMPDIR/sign.$keyalgo.data >$TMPDIR/sign.$algo.sig" test_expect_success "$algo: verifying" "sigtool \ - -verify -pub $TMPDIR/sign.pub -type $typ \ - <$TMPDIR/sign.sig >$TMPDIR/sign.data.got" + -verify -pub $TMPDIR/sign.$keyalgo.pub -type $typ \ + <$TMPDIR/sign.$algo.sig >$TMPDIR/sign.data.got" test_expect_success "$algo: comparing" \ - "test_cmp $TMPDIR/sign.data $TMPDIR/sign.data.got" + "test_cmp $TMPDIR/sign.$keyalgo.data $TMPDIR/sign.data.got" test_expect_success "$algo: differing type" "! sigtool \ - -verify -pub $TMPDIR/sign.pub <$TMPDIR/sign.sig >/dev/null" + -verify -pub $TMPDIR/sign.$keyalgo.pub <$TMPDIR/sign.$algo.sig >/dev/null" test_expect_success "$algo: good bind" "! sigtool \ - -verify -pub $TMPDIR/sign.pub $bind <$TMPDIR/sign.sig >/dev/null" + -verify -pub $TMPDIR/sign.$keyalgo.pub $bind <$TMPDIR/sign.$algo.sig >/dev/null" test_expect_success "$algo: bad bind" "! sigtool \ - -verify -pub $TMPDIR/sign.pub $badBind <$TMPDIR/sign.sig >/dev/null" + -verify -pub $TMPDIR/sign.$keyalgo.pub $badBind <$TMPDIR/sign.$algo.sig >/dev/null" -test_expect_success "$algo: detached signing" "sigtool -detached \ - -prv $TMPDIR/sign.prv -pub $TMPDIR/sign.pub -type $typ \ - <$TMPDIR/sign.data >$TMPDIR/sign.sig" +test_expect_success "$algo: detached signing" "sigtool -detached $merkle \ + -prv $TMPDIR/sign.$keyalgo.prv -pub $TMPDIR/sign.$keyalgo.pub -type $typ \ + <$TMPDIR/sign.$keyalgo.data >$TMPDIR/sign.$algo.detached.sig" test_expect_success "$algo: detached verifying" \ - "cat $TMPDIR/sign.sig $TMPDIR/sign.data | - sigtool -detached -verify -pub $TMPDIR/sign.pub -type $typ" + "cat $TMPDIR/sign.$algo.detached.sig $TMPDIR/sign.$keyalgo.data | + sigtool -detached -verify -pub $TMPDIR/sign.$keyalgo.pub -type $typ" test_expect_success "$algo: differing type" "! sigtool -detached \ - -verify -pub $TMPDIR/sign.pub <$TMPDIR/sign.sig >/dev/null" + -verify -pub $TMPDIR/sign.$keyalgo.pub <$TMPDIR/sign.$algo.detached.sig >/dev/null" test_expect_success "$algo: good bind" "! sigtool -detached \ - -verify -pub $TMPDIR/sign.pub $bind <$TMPDIR/sign.sig >/dev/null" + -verify -pub $TMPDIR/sign.$keyalgo.pub $bind <$TMPDIR/sign.$algo.detached.sig >/dev/null" test_expect_success "$algo: bad bind" "! sigtool -detached \ - -verify -pub $TMPDIR/sign.pub $badBind <$TMPDIR/sign.sig >/dev/null" + -verify -pub $TMPDIR/sign.$keyalgo.pub $badBind <$TMPDIR/sign.$algo.detached.sig >/dev/null" + +done done -- 2.48.1