ecdsa: webapi test cases

grafana · Apr 11, 2024 · 3851c78 · 3851c78
1 parent 44a9e53
commit 3851c78
Show file tree

Hide file tree

Showing 7 changed files with 829 additions and 6 deletions.
diff --git a/examples/import_export/export-ecdsa-keys.js b/examples/import_export/export-ecdsa-keys.js
@@ -27,3 +27,4 @@ const printArrayBuffer = (buffer) => {
   let view = new Uint8Array(buffer);
   return Array.from(view);
 };
+
diff --git a/examples/sign_verify/verify-spki-ecdsa-invalid.js b/examples/sign_verify/verify-spki-ecdsa-invalid.js
@@ -0,0 +1,59 @@
+import { crypto } from "k6/x/webcrypto";
+
+export default async function () {
+  const publicKey = await crypto.subtle.importKey(
+    "spki",
+    new Uint8Array([
+      48, 118, 48, 16, 6, 7, 42, 134, 72, 206, 61, 2, 1, 6, 5, 43, 129, 4, 0,
+      34, 3, 98, 0, 4, 29, 49, 157, 105, 45, 202, 95, 87, 84, 186, 123, 50, 193,
+      22, 66, 198, 216, 210, 180, 251, 130, 73, 195, 242, 20, 215, 30, 144, 181,
+      37, 41, 102, 217, 127, 123, 235, 31, 170, 177, 228, 243, 226, 96, 85, 73,
+      194, 238, 219, 82, 3, 41, 179, 190, 166, 181, 229, 86, 36, 161, 81, 80,
+      161, 105, 102, 99, 95, 25, 22, 239, 4, 221, 117, 142, 105, 64, 157, 6, 51,
+      203, 75, 37, 153, 65, 121, 178, 42, 118, 156, 116, 52, 54, 145, 14, 121,
+      153, 81,
+    ]),
+    { name: "ECDSA", namedCurve: "P-384" },
+    true,
+    ["verify"]
+  );
+
+  let plaintText = new Uint8Array([
+    95, 77, 186, 79, 50, 12, 12, 232, 118, 114, 90, 252, 229, 251, 210, 91, 248,
+    62, 90, 113, 37, 160, 140, 175, 231, 60, 62, 186, 196, 33, 119, 157, 249,
+    213, 93, 24, 12, 58, 233, 148, 38, 69, 225, 216, 47, 238, 140, 157, 41, 75,
+    60, 177, 160, 138, 153, 49, 32, 27, 60, 14, 129, 252, 71, 202, 207, 131, 21,
+    162, 175, 102, 50, 65, 19, 195, 182, 98, 48, 195, 70, 8, 196, 244, 89, 54,
+    52, 206, 2, 178, 103, 54, 34, 119, 240, 168, 64, 202, 116, 188, 61, 26, 98,
+    54, 149, 44, 94, 215, 170, 248, 168, 254, 203, 221, 250, 117, 132, 230, 151,
+    140, 234, 93, 42, 91, 159, 183, 241, 180, 140, 139, 11, 229, 138, 48, 82, 2,
+    117, 77, 131, 118, 16, 115, 116, 121, 60, 240, 38, 170, 238, 83, 0, 114,
+    125, 131, 108, 215, 30, 113, 179, 69, 221, 178, 228, 68, 70, 255, 197, 185,
+    1, 99, 84, 19, 137, 13, 145, 14, 163, 128, 152, 74, 144, 25, 16, 49, 50, 63,
+    22, 219, 204, 157, 107, 225, 104, 184, 72, 133, 56, 76, 160, 62, 18, 96, 10,
+    193, 194, 72, 2, 138, 243, 114, 108, 201, 52, 99, 136, 46, 168, 192, 42,
+    171,
+  ]);
+
+  let signature1 = new Uint8Array([
+    13, 217, 194, 199, 240, 182, 244, 217, 50, 130, 84, 169, 2, 232, 115, 116,
+    179, 192, 146, 25, 94, 107, 226, 26, 161, 166, 220, 216, 235, 166, 15, 123,
+    11, 56, 196, 0, 109, 250, 33, 70, 212, 233, 253, 35, 220, 51, 97, 121, 151,
+    64, 23, 73, 58, 31, 79, 116, 238, 207, 228, 85, 190, 61, 169, 237, 153, 100,
+    29, 129, 97, 13, 254, 180, 104, 182, 7, 218, 148, 29, 87, 20, 231, 181, 26,
+    238, 44, 69, 170, 14, 156, 77, 160, 33, 178, 55, 0,
+  ]);
+
+  //Verifies the signature of the encoded data with the provided key
+  const verified = await crypto.subtle.verify(
+    {
+      name: "ECDSA",
+      hash: "SHA-384",
+    },
+    publicKey,
+    signature1,
+    plaintText
+  );
+
+  console.log("verified: ", verified);
+}
diff --git a/examples/sign_verify/verify-spki-ecdsa-valid.js b/examples/sign_verify/verify-spki-ecdsa-valid.js
@@ -0,0 +1,55 @@
+import { crypto } from "k6/x/webcrypto";
+
+export default async function () {
+  const publicKey = await crypto.subtle.importKey(
+    "spki",
+    new Uint8Array([
+      48, 89, 48, 19, 6, 7, 42, 134, 72, 206, 61, 2, 1, 6, 8, 42, 134, 72, 206,
+      61, 3, 1, 7, 3, 66, 0, 4, 10, 5, 30, 56, 111, 103, 196, 166, 225, 229,
+      203, 238, 125, 55, 116, 91, 88, 142, 190, 114, 15, 117, 89, 22, 40, 111,
+      150, 41, 105, 122, 57, 23, 17, 216, 106, 234, 201, 103, 8, 210, 58, 38,
+      35, 216, 198, 237, 187, 84, 217, 164, 63, 100, 6, 105, 49, 128, 15, 53,
+      29, 158, 117, 235, 238, 30,
+    ]),
+    { name: "ECDSA", namedCurve: "P-256" },
+    true,
+    ["verify"]
+  );
+
+  let plaintText = new Uint8Array([
+    95, 77, 186, 79, 50, 12, 12, 232, 118, 114, 90, 252, 229, 251, 210, 91, 248,
+    62, 90, 113, 37, 160, 140, 175, 231, 60, 62, 186, 196, 33, 119, 157, 249,
+    213, 93, 24, 12, 58, 233, 148, 38, 69, 225, 216, 47, 238, 140, 157, 41, 75,
+    60, 177, 160, 138, 153, 49, 32, 27, 60, 14, 129, 252, 71, 202, 207, 131, 21,
+    162, 175, 102, 50, 65, 19, 195, 182, 98, 48, 195, 70, 8, 196, 244, 89, 54,
+    52, 206, 2, 178, 103, 54, 34, 119, 240, 168, 64, 202, 116, 188, 61, 26, 98,
+    54, 149, 44, 94, 215, 170, 248, 168, 254, 203, 221, 250, 117, 132, 230, 151,
+    140, 234, 93, 42, 91, 159, 183, 241, 180, 140, 139, 11, 229, 138, 48, 82, 2,
+    117, 77, 131, 118, 16, 115, 116, 121, 60, 240, 38, 170, 238, 83, 0, 114,
+    125, 131, 108, 215, 30, 113, 179, 69, 221, 178, 228, 68, 70, 255, 197, 185,
+    1, 99, 84, 19, 137, 13, 145, 14, 163, 128, 152, 74, 144, 25, 16, 49, 50, 63,
+    22, 219, 204, 157, 107, 225, 104, 184, 72, 133, 56, 76, 160, 62, 18, 96, 10,
+    193, 194, 72, 2, 138, 243, 114, 108, 201, 52, 99, 136, 46, 168, 192, 42,
+    171,
+  ]);
+
+  let signature1 = new Uint8Array([
+    83, 223, 63, 226, 42, 29, 106, 105, 225, 145, 197, 180, 118, 154, 109, 110,
+    66, 67, 47, 251, 53, 190, 203, 65, 207, 36, 19, 57, 49, 122, 124, 118, 59,
+    74, 222, 134, 42, 235, 180, 229, 134, 24, 205, 81, 171, 156, 100, 218, 127,
+    242, 126, 53, 27, 77, 249, 101, 157, 132, 244, 30, 67, 30, 64, 12,
+  ]);
+
+  //Verifies the signature of the encoded data with the provided key
+  const verified = await crypto.subtle.verify(
+    {
+      name: "ECDSA",
+      hash: "SHA-256",
+    },
+    publicKey,
+    signature1,
+    plaintText
+  );
+
+  console.log("verified: ", verified);
+}
diff --git a/webcrypto/elliptic_curve.go b/webcrypto/elliptic_curve.go
@@ -218,7 +218,7 @@ func importECDSAPublicKey(curve EllipticCurveKind, keyData []byte) (any, error)
 		return nil, NewError(DataError, "unable to import ECDSA public key data")
 	}
 
-	return ecdsa.PublicKey{
+	return &ecdsa.PublicKey{
 		Curve: c,
 		X:     x,
 		Y:     y,
@@ -364,7 +364,7 @@ func generateECDSAKeyPair(curve EllipticCurveKind, keyUsages []CryptoKeyUsage) (
 		return nil, nil, NewError(OperationError, "unable to generate a ECDSA key pair")
 	}
 
-	return rawPrivateKey, rawPrivateKey.PublicKey, nil
+	return rawPrivateKey, &rawPrivateKey.PublicKey, nil
 }
 
 // isValidEllipticCurve returns true if the given elliptic curve is supported,
@@ -456,7 +456,7 @@ func extractPublicKeyBytes(alg string, handle any) ([]byte, error) {
 	}
 
 	if alg == ECDSA {
-		k, ok := handle.(ecdsa.PublicKey)
+		k, ok := handle.(*ecdsa.PublicKey)
 		if !ok {
 			return nil, NewError(OperationError, "key data isn't a valid elliptic curve public key")
 		}
@@ -529,7 +529,10 @@ func (edsa *ECDSAParams) Sign(key CryptoKey, data []byte) ([]byte, error) {
 		return nil, NewError(NotSupportedError, "unsupported hash algorithm: "+edsa.Hash.Name)
 	}
 
-	r, s, err := ecdsa.Sign(rand.Reader, k, hashFn().Sum(data))
+	hasher := hashFn()
+	hasher.Write(data)
+
+	r, s, err := ecdsa.Sign(rand.Reader, k, hasher.Sum(nil))
 	if err != nil {
 		return nil, NewError(OperationError, "unable to sign data: "+err.Error())
 	}
@@ -560,7 +563,7 @@ func (edsa *ECDSAParams) Verify(key CryptoKey, signature []byte, data []byte) (b
 		return false, NewError(InvalidAccessError, "key is not a valid ECDSA public key")
 	}
 
-	k, ok := key.handle.(ecdsa.PublicKey)
+	k, ok := key.handle.(*ecdsa.PublicKey)
 	if !ok {
 		return false, NewError(InvalidAccessError, "key is not a valid ECDSA public key")
 	}
@@ -573,8 +576,15 @@ func (edsa *ECDSAParams) Verify(key CryptoKey, signature []byte, data []byte) (b
 	bitSize := k.Curve.Params().BitSize
 	n := (bitSize + 7) / 8
 
+	if len(signature) != 2*n {
+		return false, nil
+	}
+
+	hasher := hashFn()
+	hasher.Write(data)
+
 	r := new(big.Int).SetBytes(signature[:n])
 	s := new(big.Int).SetBytes(signature[n:])
 
-	return ecdsa.Verify(&k, hashFn().Sum(data), r, s), nil
+	return ecdsa.Verify(k, hasher.Sum(nil), r, s), nil
 }
diff --git a/webcrypto/subtle_crypto_test.go b/webcrypto/subtle_crypto_test.go
@@ -163,6 +163,23 @@ func TestSubtleCryptoSignVerify(t *testing.T) {
 
 		assert.NoError(t, gotErr)
 	})
+
+	t.Run("ECDSA", func(t *testing.T) {
+		t.Parallel()
+
+		ts := newConfiguredRuntime(t)
+
+		gotErr := ts.EventLoop.Start(func() error {
+			err := executeTestScripts(ts.VU.Runtime(), "./tests/sign_verify", "ecdsa_vectors.js", "ecdsa.js")
+			require.NoError(t, err)
+
+			_, err = ts.VU.Runtime().RunString(`run_test()`)
+
+			return err
+		})
+
+		assert.NoError(t, gotErr)
+	})
 }
 
 func executeTestScripts(rt *goja.Runtime, base string, scripts ...string) error {