pss, pkcs1v15: check that invalid signatures fail verification

lumag · lumag · commit 3114b7dd55e3 · 2022-08-14T13:00:45.000+03:00
Add tests for pkcs1v15 and pss signature verification functions to check
that verifying invalid signatures returns an error.

Signed-off-by: Dmitry Baryshkov &lt;dmitry.baryshkov@linaro.org&gt;
diff --git a/src/pkcs1v15.rs b/src/pkcs1v15.rs
@@ -352,25 +352,41 @@ mod tests {
     fn test_verify_pkcs1v15() {
         let priv_key = get_private_key();
 
-        let tests = [(
-            "Test.\n",
-            hex!(
-                "a4f3fa6ea93bcdd0c57be020c1193ecbfd6f200a3d95c409769b029578fa0e33"
-                "6ad9a347600e40d3ae823b8c7e6bad88cc07c1d54c3a1523cbbb6d58efc362ae"
+        let tests = [
+            (
+                "Test.\n",
+                hex!(
+                    "a4f3fa6ea93bcdd0c57be020c1193ecbfd6f200a3d95c409769b029578fa0e33"
+                    "6ad9a347600e40d3ae823b8c7e6bad88cc07c1d54c3a1523cbbb6d58efc362ae"
+                ),
+                true,
             ),
-        )];
+            (
+                "Test.\n",
+                hex!(
+                    "a4f3fa6ea93bcdd0c57be020c1193ecbfd6f200a3d95c409769b029578fa0e33"
+                    "6ad9a347600e40d3ae823b8c7e6bad88cc07c1d54c3a1523cbbb6d58efc362af"
+                ),
+                false,
+            ),
+        ];
         let pub_key: RsaPublicKey = priv_key.into();
 
-        for (text, sig) in &tests {
+        for (text, sig, expected) in &tests {
             let digest = Sha1::digest(text.as_bytes()).to_vec();
 
-            pub_key
-                .verify(
-                    PaddingScheme::new_pkcs1v15_sign(Some(Hash::SHA1)),
-                    &digest,
-                    sig,
-                )
-                .expect("failed to verify");
+            let result = pub_key.verify(
+                PaddingScheme::new_pkcs1v15_sign(Some(Hash::SHA1)),
+                &digest,
+                sig,
+            );
+            match expected {
+                true => result.expect("failed to verify"),
+                false => {
+                    result.expect_err("expected verifying error");
+                    ()
+                }
+            }
         }
     }
 
diff --git a/src/pss.rs b/src/pss.rs
@@ -272,21 +272,37 @@ mod test {
     fn test_verify_pss() {
         let priv_key = get_private_key();
 
-        let tests = [(
-            "test\n",
-            hex!(
-                "6f86f26b14372b2279f79fb6807c49889835c204f71e38249b4c5601462da8ae"
-                "30f26ffdd9c13f1c75eee172bebe7b7c89f2f1526c722833b9737d6c172a962f"
+        let tests = [
+            (
+                "test\n",
+                hex!(
+                    "6f86f26b14372b2279f79fb6807c49889835c204f71e38249b4c5601462da8ae"
+                    "30f26ffdd9c13f1c75eee172bebe7b7c89f2f1526c722833b9737d6c172a962f"
+                ),
+                true,
             ),
-        )];
+            (
+                "test\n",
+                hex!(
+                    "6f86f26b14372b2279f79fb6807c49889835c204f71e38249b4c5601462da8ae"
+                    "30f26ffdd9c13f1c75eee172bebe7b7c89f2f1526c722833b9737d6c172a962e"
+                ),
+                false,
+            ),
+        ];
         let pub_key: RsaPublicKey = priv_key.into();
 
-        for (text, sig) in &tests {
+        for (text, sig, expected) in &tests {
             let digest = Sha1::digest(text.as_bytes()).to_vec();
             let rng = ChaCha8Rng::from_seed([42; 32]);
-            pub_key
-                .verify(PaddingScheme::new_pss::<Sha1, _>(rng), &digest, sig)
-                .expect("failed to verify");
+            let result = pub_key.verify(PaddingScheme::new_pss::<Sha1, _>(rng), &digest, sig);
+            match expected {
+                true => result.expect("failed to verify"),
+                false => {
+                    result.expect_err("expected verifying error");
+                    ()
+                }
+            }
         }
     }
 
