mirror of
https://github.com/emmansun/gmsm.git
synced 2025-04-22 02:06:18 +08:00
728 lines
25 KiB
Go
728 lines
25 KiB
Go
package pkcs8_test
|
|
|
|
import (
|
|
"crypto/ecdsa"
|
|
"crypto/elliptic"
|
|
"crypto/rand"
|
|
"crypto/rsa"
|
|
"crypto/x509/pkix"
|
|
"encoding/asn1"
|
|
"encoding/pem"
|
|
"testing"
|
|
|
|
"github.com/emmansun/gmsm/pkcs"
|
|
"github.com/emmansun/gmsm/pkcs8"
|
|
"github.com/emmansun/gmsm/sm2"
|
|
"github.com/emmansun/gmsm/sm9"
|
|
)
|
|
|
|
const rsa2048 = `-----BEGIN PRIVATE KEY-----
|
|
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDBMF0LikTFOU/T
|
|
8DUDSvORootvhUD67f6AXmEnntfXRvQ3O91+qt40tevS8JtFaq4gKxugRjjZRtni
|
|
50aUGcEZ4leq3DboBL9XH089IEmxxLbJeJIXxgPeRHrXRINvUSspwRrJkX6fnXyi
|
|
MdRhqdH2tG1yrXKkt9UvdSHfRYimDcJ+ry2zYlcbz9aoLDO1vEdS/IBu0jXAZ/Z/
|
|
xaEVfkoWMzZM2SU+lfJeyzobii00VXGuSQKnI8E/e16kDpBXJ6PFSm6EyZmAad6O
|
|
f+B9d/ZEXGQlbaooG54v5sGj54mg7m/75qMaxL2H8NER31gAeyvoyovfXI0vbswH
|
|
8AozxGwDAgMBAAECggEAautIY62nt/urKaIExQjDWvO59gOq3fW/5+3UGWh5DqUv
|
|
Xi5cvND2X/fbR4hwdu++5QDWrlKO/fmPd1wGnMrQK3IwkNiF7s1J1H74jN0EzEUR
|
|
4NlBCbVGyMnfrqo1j/M9T0OXfr1udgpkQyQO5epl0QM0m8ZQ78bqTvSlxXsnULbQ
|
|
py0Tx0uCWaP6FzDsZ+t2rj/SVH7hQNf8ITfQJhVol/n5Hza4+NRfp/DPXWZEvPlo
|
|
GeMs9PDCa16tw8wI9EUnmFaeFlmtJPdTs5rVo9Ya/zmtoxN6AGTCG0IE6YRvh3Qn
|
|
jttIp2QitOSBKmXpu1ZI6UTtimGgnfiJKK1BGVaMOQKBgQDfF6ZBMY/tLmDg1mgS
|
|
QQKAOWMB0/3CvzcM96R0VACO2vr1BbePMXQQ/i27rD001Xl2wNTsETRk1Ji6btwQ
|
|
64m4uxRSZCJmYyBAcJjfBtMWIDiihQTL55NFTd9YIPmqGmbj1ASQgtpQR5Cq/5YR
|
|
9Vu0kTxMmADoiq1tR2VGZeScnwKBgQDdr4ITDFGSpqWKnyHQaQgTIW4uxQ5pQKIx
|
|
aKbCNZOtSgJfqUCY+8gJMkFOtQzawrburD4qllFxdqhHLiXSx6/8zSTrsiexml2i
|
|
7HxUZaSmn5Q4HFNngKKHXd4NGsWp237k8fJ2953KX89yEov8FpIiq6qvZH/LS8DN
|
|
+GORAPSSHQKBgCHobUuRZefN2cmyrOTBXsjwb/zyJKq593sQFL3dmqwb2nLtaIXq
|
|
JVMD3x2cQz1JiQmkq3gp8UW2DnSfrvEfa7JZNPCE6bmYLWm9825KkkDVquYAw8be
|
|
LsMk3+J8OJZDJwpPylXQnbAAAJwM9tlJ6qNaQ8j8fX7avRtT86+sgv/PAoGABjJp
|
|
yG6HuTm/Vuir4U+OUjqVAemwRXDxF8B9KOCmiCmRd2sbyyr+pIMrIDAfc94Njw5x
|
|
jm81R56xhYvcss+yM7boWU5ZnbVa+LrznshYme/MDOV9z17hLDeLhYJCFEV2fp/k
|
|
zz6MwqN7AQ1TrHBVFXMHCnAcwmoTsa5H2j3UmGECgYEAvvJ+o5+FPnBs+VU5FJxF
|
|
fAGFpF3AwfbSCm2ARZOxMHAkpsz/FBXlo+rVZv6loTKTPQFMxIB15il7ls0CGI9q
|
|
6UaZ5hkKjEOQUW8UYc8Cv0xpSkcuxcGrWzw4AMdc84XXi6F1+48ab9Gt0pN3tgUG
|
|
qg+KU+JDsQLHHmykZ92cHPA=
|
|
-----END PRIVATE KEY-----
|
|
`
|
|
|
|
const encryptedRSA2048aes = `-----BEGIN ENCRYPTED PRIVATE KEY-----
|
|
MIIFLTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQIrrW09+9XumECAggA
|
|
MAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAEqBBAxglavSPtrKNsM9cDXmrS1BIIE
|
|
0Gy226c9+zxZ8jUsUIbDdsq1mPbqAWs1xImAj4nA7NMv6G/5QH9CrsmB+4r4GIiy
|
|
CafN1W9YvFg3SISUbe+h156Pt2iKoZlVCbSa4XVo4diwmjloZIHM4Jk0Pu28CbJo
|
|
QDVwPCuWMKppkfwr63RT+FBSfBEBaRCi4eXz6tOcMduBOlaiQvSREvDCCOeY9gja
|
|
RgvyUa2Hf8oHNkSG9yXoMrvz0FayMWK/i7LU+2NqiPZVTvfGkqNkJJF/M7INKgLs
|
|
d6A1hgyA7HVv4czQOPQJCArXeCycI1EJ4uSthJxqd/iYX0z52Tfa7q/0oAZ4HZt+
|
|
wmcov8GwqfAg7Cu9soifYwfMYTghXOX2UKmQa/0UNK5ibj5cC9+oA09Ucx5twKDs
|
|
nwSGEIb+7qNhZSRtEXtOL7bxQL8PUvAXWrTXluvZ+bv/9S53XYPL4E95rrLnTF/L
|
|
csEYleNIpY/6HkPFtqPZiWCsVUZep9uPjZo29kh/246yKBFjsw5mXtm1S6ha4Xb9
|
|
gUxqKQiWe9+tCkPHRVo2KJX1H4Al7UB9GqDR5oUhIayp6nYCeI/dLwPpikq1F8HO
|
|
iJva/qV2iltxwyQHhEenyM9TPkPawqOOUKvDd1hZR0wzABcC3koLtwwKyEGzQPPW
|
|
bxp5GBim9Pu/EGWY1d1H38eVu44jRP/3ONk8wvZcsIbn6U8bOeToUFmcjuuQ3cxf
|
|
pDUruIA9PjWL9Se6TI3CytTUCbCb4bKRP+eE0B2LPwq6+dyvcY2yidYj9C2D25tb
|
|
F+E1Wr7ro97OXQ8grMWwrTpZ9rUzmz5wzYWmOFaKJRiepkuUpx4HWl+fKn5r5LyV
|
|
+cyYoSjApNgHe/9Pz7mNXNdeSmWcn4BVs1XgKi1MiJNWn5tNlKB3kz1kgraKOWbs
|
|
9/dspegd5fQ6Lzvlt7CsJh/I76rE+90LAbXWVlQ/jm/4jrWownjW1oVIj0Xfxx7i
|
|
UlmtTFoCIvNWRyoyK5pfL0JvxOtd5leHZniJoww0CPKYS0mibxYLc883Q5Hq5ZH/
|
|
C7iBJN0aDJfVfkl0o4EQWaWQS0rAInhe7xTHmFFe5NP9lVTEwQt+C/fz7qalHe9P
|
|
ulV8MsT/vg2/9twvxKbVCSzaDyta/TyhX76LTULprPr6ahDhP9rybmmK548m86kZ
|
|
IxWdmed7Pt3YPeEImoLBoXh8eaWpYDlX2Be5/eqjw2wbg6srBKoA7swSkMsFXm5q
|
|
+HgF4X6R9lfmLjs/UMOi9SM6ODh4xgq1DxX+bJZLfJwXj90i56Ij8OhjcBJ+DwUi
|
|
ntosYkXp6lMZIyfI3jWG4IZwE9nt8oXJZfUtIU5mYF9DAV92fRwm1mCLMx0iznv1
|
|
bvCu7yJ51nWB3xkIOqCYbzbREWmL+6/akGOqu1KDrFKBu0IyAqUWt0XrY3b4V5jm
|
|
WjTXywDkCcGC6W0t4yhu1Yz8QhE5Giw2PHwwZ3940QZQsFcBM6RJOcnkbYTu8TFm
|
|
7s9ZItSShwAN/i1nN1daF9lgdm4WKHWd/jqHIgl2NijiDgb5F5YaWgurKg9tOrEK
|
|
oGJlPmBUiNynhqcz69ljjW6q4U2cfF4g6Onl2sucLdsFXejgVdsKBVXw+gjGr2TS
|
|
lgmeHTcvZmTShvbN/TrHETjO7jEB4V2I4a4L7uybuWF/
|
|
-----END ENCRYPTED PRIVATE KEY-----
|
|
`
|
|
|
|
const encryptedRSA2048des3 = `-----BEGIN ENCRYPTED PRIVATE KEY-----
|
|
MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIKXB+OWAc6pwCAggA
|
|
MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECCeQ2z+ohlaTBIIEyAbgxv69udAD
|
|
N0JzM0+E/dYKTRxEVED1cyY+fcROfxkJvT3FOOWS65vaPo5i8n0e7pFHvm/ezkoL
|
|
mNRYhoyd45pog4ALJ6O03bUBTLJPiowz90uHC7GWQelMl7LeNyX/7/5s2jOpgW82
|
|
oB6JizF9SjZzCTzKTmZLOAz3GjIERWHmoIczy40nxP7zmHzVrxTp1V6gnzxgUIuA
|
|
X/7FTMRlWvEbX9gzODx7stI/5/bLla1Y7PDWEs2aJCnsN7pXJSd0Ry2/iBnQKe6n
|
|
p4RW7jRAiFTGXbR1E5ZoFsSUs0K9JLEJA+kq6x+smRGxioV3I/r6MLaeumNZ37Bx
|
|
9OfiJAWk0Ei9EUjM4ZLWjnhgRyI2mThEXTbCevv2GonwG9G968QEMjfbXcLA6Opt
|
|
0mmRutT6IgvflEZRi9BlmCGOecNHl+cojVCwmAPZKkk2e9lZe+x9+TXW66GJVFiK
|
|
6BlgRwTcNPKePCYWPjsV5wUZACq0Y61nksBViyRUFsEkEEYMXIbh6bbUTTlJg/tk
|
|
tCp/LF9oTf1XacJ8a/s6oLuz95R07u9E/liibzVavK0nVNSR5Xdo7QDivWxnaSLd
|
|
wt8qUOnVbW0eSyq2BAKK7yvZfhz44D9WS8M8jp8gwj7Eti81LGqeh5IvqekDYmoz
|
|
BFiY24PnRcZnpETA/e6v5dNrpE/OLHmdY1ag6aifIJCc1UG84Oi/nPBTZ7eHLGCd
|
|
Kn4/9xdCVHd4077Qx9JLW9LutZXkqYaBckOEHtvaMfyWUaXiNty/N5RECGvn5wmM
|
|
dwC6td6CqtojiHOB7GAUiwjHgbQLpNoIz1BiVTIo1eoD32+4RHYUxNmhsk0r22Zf
|
|
ZnfnKBGgV7KKNKP3eFQnzSeNE0qFd5AtSpeJX0G0IsbuvXOE/7P0pj7DhD4HoYS7
|
|
Mf2za6Wm/CVWNM4ekc3MsKb9D+ogzdQ4VYI2mzBdLulrYvfPCE6SHZlZ+ePE4LSr
|
|
jexB6LYLZJU7Bxnslt9E/mjSzWHctF9LhHf7sl7NUhCHdDvij6Hd0l4+noQlDTtd
|
|
rnXgL9fTjSfaVDv3Rt+AmNN9Cu9Y1FSBLYMe8LfGXXUPg86bTbGk3uFjkyIY3hE2
|
|
/Kz1re4KXdDdjYe4ja5qZK8fWx0704NkzH1UO/HMd4Cnx3agyVeyJVG3iRSIesRG
|
|
vI1ESJMMv1+MMGiWwRzHYvv7yrqp2steAVwjGu26/s1vwkZrvy8SjzYAXo1RLT9o
|
|
cNnlPra6N7xReSohOibAp0kx1d81JqvEOvJIhR7KDXSRutgIPlqQgHXtmDW/VlCb
|
|
w05Ptg3SXaCE0+pY0T+FYHusA3JEmyU0e629Ed/dl/j7Xpynl1V6/ndf3gdRGX0l
|
|
d2IGneJsnj8yvP0dUsB2l71W/ZIM3HERDLxP9JByyINCBQ1BFsN81qUXpj6vGYjb
|
|
hPyUmmsAGibXJOiGzmaP3nGgF9qbe1XiTRdbm2AZ3pEaJxkkFWsT+Yivz9yzZE0P
|
|
3/w14HvS94X/Z2+yDLtQQgsLNkfw/Gpc4O0GMnLuOl4KSaTA37IdJR2jOFP7LtHR
|
|
9Egbm93atZWSAyTO7OtZGmna6k6eGUsk8Dxp7cWOUkLf7C5sL6l3bBH7omlQHx9P
|
|
RIiDkxAd7hbpm4/C/DoUZQ==
|
|
-----END ENCRYPTED PRIVATE KEY-----
|
|
`
|
|
|
|
const encryptedRSA2048scrypt = `-----BEGIN ENCRYPTED PRIVATE KEY-----
|
|
MIIFJTBPBgkqhkiG9w0BBQ0wQjAhBgkrBgEEAdpHBAswFAQIY6+u2Dcq3hwCAkAA
|
|
AgEIAgEBMB0GCWCGSAFlAwQBKgQQ6Kut7Q560w1e+fqSiF6uUgSCBNBWRJP19DiT
|
|
m/ZWEh4ukxTnrBpx59ATbuiBZjjty9vw/dkusUivNLsIoJDezuv4YxjxNx4zZsv+
|
|
vI5/gWT78XdF0XHgrRKjB0AvQ4rdVSUhV2/sxMa8P5bwE7NikovkzP1rM0cPCLRE
|
|
K5J81+pEOVKumJJg3jNtK18HtCiH0D4n276xK6fJ2BptA1BMNhlDkoz99kmwPfhg
|
|
gMiJxbcGrYHMvCZAL8towTRomI82fjRwpEtT8eZ7aLUALDM53JXzhiz/bO2cKCRx
|
|
4oLx6rChrqCTS4bZ++PPBS9klwW1kx5eMTGdv3IS+/Y7wvPtZ9jbwcjkSKpOsALv
|
|
h/6CzUuTo5dIPDaOidLLHS4bfgKCC/da/uuow/ET7K6KBOZ6kCnXi300D+hZE8cJ
|
|
GYjIQGVY3FtrtZx55hjeqyRsVrdKP0e83wNEnGgofsgeJ+H88zUxaMqIiz3e773M
|
|
zshNXcCko9jAgr8PwRg7ARPql+TcS3fJ+HPBA1mDlT4xMXyFOgckMkz8xR08EA0M
|
|
UcvtGAxLJYtsiMJigdrCI7lGmWZbj8tB2sS0JD95QsbR5CcsqzaELzoKMdOpG5MP
|
|
4ZdgHpeGNtw15aAIdxfoFGGcNgLiZ+y7BC0fM9xYAPARrb64A3e3gmsJ3ZKEkZzR
|
|
MbK9a08S+6VI68T9M0f3i53p/e09CYZ0TN3yMN/g/usxERzpji7zCjEYf6yuUeRF
|
|
c3ceVVaxldexAOV0dEIUq8xehUhvhV129/hUHUyqsx1XiURWSx2TRSjuZ3SE63Sc
|
|
LO81rijz4rFa69JXPGWNrzR0IS0CY8aMF79fwqpcLaRHIpfQLiIQ19qDHiipXCs/
|
|
ZLli5MZQZ7AHoXqbHBQOqhiT2LLEgeVF4uEi0qM1ULfmmZMoJQg+ugRXPEJR0fa0
|
|
ji6Hb/ZTDGwsdrNZGfTD4lJeiel3IPVcOzfeZqb6OsdkUSQzZZSvAET95qkKn/CN
|
|
diPkX96iYuhjcace/f8xLnVY3TJ6WRpDW9oBzVFEm5jXtlHhVltau2Qmoi28pthE
|
|
25QrNfoOs4qr2gaGA37VXSEW4yLU3jyqlP1esXxyEiqg9CKPnk/K/XxREjGJXElr
|
|
FQtRif9b4QDBrZc38Y5ct7x+Ce7llJ3kKslVdF2rbVEn4nPIHIqw8oKDv/6+CNwo
|
|
8O1B4u16WUqj2Th6hOQcmWb9Nb6Js5TSRtIJxrif6PTfTczSB9bZgU1fTxgr0tTI
|
|
AERJLqFA9dvCxAehWrlegsSOwvJ/E8FwbGJLhiJs6aFk1fJ6NPkp62UkmvBMDq1w
|
|
qYuwLSr920KrPsCYBa09Ldm9e88+nCQz5QWcJt2vvdIz0UQUqtsjUo8DWL0qNXgU
|
|
JVSRrfE+64II2sxt3/9oywLCk9DG+dcWZH6SRjSt7y9KhWfhdGq1S6Og1Mjc+U4A
|
|
L/TgycaVTBodGTmw5YlsbSBYzAwSBCaR7GLThhZqIlPrk6P3w8VZJ1B14nEcTP9Y
|
|
GVdcEOqE0mwNtWZYcuy1cqPj6g/p9NOmLOnT8HGbjw9qtdl+iEGN/ZDWfu+En7ES
|
|
Dv4v0MiWAMArKY8rAMWa9/phbWXVEtNz6RnJ460qxIax5GR0QPce3+lrswhmXSm4
|
|
RNXdI4NIGtOdg8zwuKI5AefoLlWjt56Pzg==
|
|
-----END ENCRYPTED PRIVATE KEY-----
|
|
`
|
|
|
|
const ec256 = `-----BEGIN PRIVATE KEY-----
|
|
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgjLFzKb/8hsdSmPft
|
|
s98RZ7AWzQnLDsMhy6v+/3BZlZ6hRANCAASKkodoH+hHmBfwoFfrvv1E+iMLt3g1
|
|
s6hxOUMbkv6ZTVFXND/3z9zlJli6/YGrlSnsHOJc0GbwSYD1AMwZyr0T
|
|
-----END PRIVATE KEY-----
|
|
`
|
|
|
|
const encryptedEC256aes = `-----BEGIN ENCRYPTED PRIVATE KEY-----
|
|
MIHsMFcGCSqGSIb3DQEFDTBKMCkGCSqGSIb3DQEFDDAcBAjVvKZtHlmIbAICCAAw
|
|
DAYIKoZIhvcNAgkFADAdBglghkgBZQMEASoEEL3jdkBvObn+QELgKVE2cnMEgZAl
|
|
wgo3AjtXevJaGgep5GsW2krw9S7dC7xG9dR33Z/a9nBnO1rKm7Htf0+986w/1vmj
|
|
4k3M2QiI/VY+tnDFE+46DLLKYtJGRT1aoAH+mwhzaQGwzJnKhbeA23aE0f7KWCAK
|
|
+f999+SeHWro7FiRZjHEYVVLGQr/I7K5Wyh24YjN2nR4CU4X+GQU25My/pgSRog=
|
|
-----END ENCRYPTED PRIVATE KEY-----
|
|
`
|
|
|
|
const ec128 = `-----BEGIN PRIVATE KEY-----
|
|
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgjLFzKb/8hsdSmPft
|
|
s98RZ7AWzQnLDsMhy6v+/3BZlZ6hRANCAASKkodoH+hHmBfwoFfrvv1E+iMLt3g1
|
|
s6hxOUMbkv6ZTVFXND/3z9zlJli6/YGrlSnsHOJc0GbwSYD1AMwZyr0T
|
|
-----END PRIVATE KEY-----`
|
|
|
|
const encryptedEC128aes = `-----BEGIN ENCRYPTED PRIVATE KEY-----
|
|
MIHeMEkGCSqGSIb3DQEFDTA8MBsGCSqGSIb3DQEFDDAOBAg7qE4RYQEEugICCAAw
|
|
HQYJYIZIAWUDBAECBBBa+6eKv6il/iEjOw8/AmEHBIGQ24YmBiMfzjJjFU+PAwXr
|
|
zCfR3NPOHBwn3+BkpyivaezSrFWIF919cnDyI15Omd+Iz2oljrT/R4IDC9NOmoAy
|
|
5uKixYGAOi74Qr9kdgrT2Bfvu9wq+dYqPwLjR4WFHl2ofrLn7RCaOa8mOh3bgfHP
|
|
SnXPiACchx53PDh6bZTIZ0V9v0ymcMuXf758OXbUmSGN
|
|
-----END ENCRYPTED PRIVATE KEY-----`
|
|
|
|
const encryptedEC256aes128sha1 = `-----BEGIN ENCRYPTED PRIVATE KEY-----
|
|
MIHeMEkGCSqGSIb3DQEFDTA8MBsGCSqGSIb3DQEFDDAOBAgEoFG3x07DbQICCAAw
|
|
HQYJYIZIAWUDBAECBBCRN9PNX9rBqXhaHLUOsv7YBIGQFfXAPPV+COWABJdSarog
|
|
eUHFNaQ+R6x55Tz/mquNIwiOrP9DNoEd1PGtKaHaO+ACSEQwMfrGeh8BuNV69EwP
|
|
bhsob/MZeexRbrLe2YN7Y7/Y0wpujalGlliMvs35f1fpq/9RfVU+qRpFED2lT4dm
|
|
zOuhMC9Oo3oMYlbEXAT9mq33MkGKMUth2ek/bQIvnCHG
|
|
-----END ENCRYPTED PRIVATE KEY-----
|
|
`
|
|
|
|
func TestParsePKCS8PrivateKeyRSA(t *testing.T) {
|
|
keyList := []struct {
|
|
name string
|
|
clear string
|
|
encrypted string
|
|
}{
|
|
{
|
|
name: "encryptedRSA2048aes",
|
|
clear: rsa2048,
|
|
encrypted: encryptedRSA2048aes,
|
|
},
|
|
{
|
|
name: "encryptedRSA2048des3",
|
|
clear: rsa2048,
|
|
encrypted: encryptedRSA2048des3,
|
|
},
|
|
}
|
|
for i, key := range keyList {
|
|
t.Run(key.name, func(t *testing.T) {
|
|
block, _ := pem.Decode([]byte(key.encrypted))
|
|
_, err := pkcs8.ParsePKCS8PrivateKeyRSA(block.Bytes, []byte("password"))
|
|
if err != nil {
|
|
t.Errorf("%d: ParsePKCS8PrivateKeyRSA returned: %s", i, err)
|
|
}
|
|
_, err = pkcs8.ParsePKCS8PrivateKeyRSA(block.Bytes, []byte("wrong password"))
|
|
if err == nil {
|
|
t.Errorf("%d: should have failed", i)
|
|
}
|
|
_, err = pkcs8.ParsePKCS8PrivateKeyRSA(block.Bytes)
|
|
if err == nil {
|
|
t.Errorf("%d: should have failed", i)
|
|
}
|
|
|
|
block, _ = pem.Decode([]byte(key.clear))
|
|
_, err = pkcs8.ParsePKCS8PrivateKeyRSA(block.Bytes)
|
|
if err != nil {
|
|
t.Errorf("%d: ParsePKCS8PrivateKeyRSA returned: %s", i, err)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestParsePKCS8PrivateKeyECDSA(t *testing.T) {
|
|
keyList := []struct {
|
|
name string
|
|
clear string
|
|
encrypted string
|
|
}{
|
|
{
|
|
name: "encryptedEC256aes",
|
|
clear: ec256,
|
|
encrypted: encryptedEC256aes,
|
|
},
|
|
}
|
|
for i, key := range keyList {
|
|
t.Run(key.name, func(t *testing.T) {
|
|
block, _ := pem.Decode([]byte(key.encrypted))
|
|
_, err := pkcs8.ParsePKCS8PrivateKeyECDSA(block.Bytes, []byte("password"))
|
|
if err != nil {
|
|
t.Errorf("%d: ParsePKCS8PrivateKeyECDSA returned: %s", i, err)
|
|
}
|
|
_, err = pkcs8.ParsePKCS8PrivateKeyECDSA(block.Bytes, []byte("wrong password"))
|
|
if err == nil {
|
|
t.Errorf("%d: should have failed", i)
|
|
}
|
|
_, err = pkcs8.ParsePKCS8PrivateKeyECDSA(block.Bytes)
|
|
if err == nil {
|
|
t.Errorf("%d: should have failed", i)
|
|
}
|
|
|
|
block, _ = pem.Decode([]byte(key.clear))
|
|
_, err = pkcs8.ParsePKCS8PrivateKeyECDSA(block.Bytes)
|
|
if err != nil {
|
|
t.Errorf("%d: ParsePKCS8PrivateKeyECDSA returned: %s", i, err)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
type testPrivateKey struct {
|
|
name string
|
|
clear string
|
|
encrypted string
|
|
password string
|
|
}
|
|
|
|
func testParsePKCS8PrivateKey(t *testing.T, i int, key *testPrivateKey) {
|
|
block, _ := pem.Decode([]byte(key.encrypted))
|
|
_, err := pkcs8.ParsePKCS8PrivateKey(block.Bytes, []byte(key.password))
|
|
if err != nil {
|
|
t.Errorf("%d: ParsePKCS8PrivateKey returned: %s", i, err)
|
|
}
|
|
_, err = pkcs8.ParsePKCS8PrivateKey(block.Bytes, []byte("wrong password"))
|
|
if err == nil {
|
|
t.Errorf("%d: should have failed", i)
|
|
}
|
|
_, err = pkcs8.ParsePKCS8PrivateKey(block.Bytes)
|
|
if err == nil {
|
|
t.Errorf("%d: should have failed", i)
|
|
}
|
|
|
|
if key.clear != "" {
|
|
block, _ = pem.Decode([]byte(key.clear))
|
|
_, err = pkcs8.ParsePKCS8PrivateKey(block.Bytes)
|
|
if err != nil {
|
|
t.Errorf("%d: ParsePKCS8PrivateKey returned: %s", i, err)
|
|
}
|
|
}
|
|
}
|
|
func TestParsePKCS8PrivateKey(t *testing.T) {
|
|
keyList := []testPrivateKey{
|
|
{
|
|
name: "encryptedRSA2048aes",
|
|
clear: rsa2048,
|
|
encrypted: encryptedRSA2048aes,
|
|
password: "password",
|
|
},
|
|
{
|
|
name: "encryptedRSA2048des3",
|
|
clear: rsa2048,
|
|
encrypted: encryptedRSA2048des3,
|
|
password: "password",
|
|
},
|
|
{
|
|
name: "encryptedRSA2048scrypt",
|
|
clear: rsa2048,
|
|
encrypted: encryptedRSA2048scrypt,
|
|
password: "password",
|
|
},
|
|
{
|
|
name: "encryptedEC256aes",
|
|
clear: ec256,
|
|
encrypted: encryptedEC256aes,
|
|
password: "password",
|
|
},
|
|
{
|
|
name: "encryptedEC256aes128sha1",
|
|
clear: ec256,
|
|
encrypted: encryptedEC256aes128sha1,
|
|
password: "password",
|
|
},
|
|
{
|
|
name: "encryptedEC128aes",
|
|
clear: ec128,
|
|
encrypted: encryptedEC128aes,
|
|
password: "password",
|
|
},
|
|
}
|
|
for i, key := range keyList {
|
|
t.Run(key.name, func(t *testing.T) {
|
|
testParsePKCS8PrivateKey(t, i, &key)
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestConvertPrivateKeyToPKCS8(t *testing.T) {
|
|
for i, password := range [][]byte{nil, []byte("password")} {
|
|
var args [][]byte
|
|
if password != nil {
|
|
args = append(args, password)
|
|
}
|
|
rsaPrivateKey, err := rsa.GenerateKey(rand.Reader, 2048)
|
|
if err != nil {
|
|
t.Fatalf("%d: GenerateKey returned: %s", i, err)
|
|
}
|
|
der, err := pkcs8.ConvertPrivateKeyToPKCS8(rsaPrivateKey, args...)
|
|
if err != nil {
|
|
t.Fatalf("%d: ConvertPrivateKeyToPKCS8 returned: %s", i, err)
|
|
}
|
|
decodedRSAPrivateKey, err := pkcs8.ParsePKCS8PrivateKey(der, args...)
|
|
if err != nil {
|
|
t.Fatalf("%d: ParsePKCS8PrivateKey returned: %s", i, err)
|
|
}
|
|
if rsaPrivateKey.D.Cmp(decodedRSAPrivateKey.(*rsa.PrivateKey).D) != 0 {
|
|
t.Fatalf("%d: Decoded key does not match original key", i)
|
|
}
|
|
|
|
for _, curve := range []elliptic.Curve{
|
|
elliptic.P224(), elliptic.P256(), elliptic.P384(), elliptic.P521(),
|
|
} {
|
|
ecPrivateKey, err := ecdsa.GenerateKey(curve, rand.Reader)
|
|
if err != nil {
|
|
t.Fatalf("%d, %s: GenerateKey returned: %s", i, curve, err)
|
|
}
|
|
der, err = pkcs8.ConvertPrivateKeyToPKCS8(ecPrivateKey, args...)
|
|
if err != nil {
|
|
t.Fatalf("%d, %s: ConvertPrivateKeyToPKCS8 returned: %s", i, curve, err)
|
|
}
|
|
decodedECPrivateKey, err := pkcs8.ParsePKCS8PrivateKey(der, args...)
|
|
if err != nil {
|
|
t.Fatalf("%d, %s: ParsePKCS8PrivateKey returned: %s", i, curve, err)
|
|
}
|
|
if ecPrivateKey.D.Cmp(decodedECPrivateKey.(*ecdsa.PrivateKey).D) != 0 {
|
|
t.Fatalf("%d, %s: Decoded key does not match original key", i, curve)
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestMarshalPrivateKey(t *testing.T) {
|
|
for i, tt := range []struct {
|
|
password []byte
|
|
opts *pkcs8.Opts
|
|
}{
|
|
{
|
|
password: nil,
|
|
opts: nil,
|
|
},
|
|
{
|
|
password: []byte("password"),
|
|
opts: &pkcs8.Opts{
|
|
Cipher: pkcs.SM4CBC,
|
|
KDFOpts: pkcs8.PBKDF2Opts{
|
|
SaltSize: 8, IterationCount: 2048, HMACHash: pkcs8.SM3,
|
|
},
|
|
},
|
|
},
|
|
{
|
|
password: []byte("password"),
|
|
opts: &pkcs8.Opts{
|
|
Cipher: pkcs.SM4GCM,
|
|
KDFOpts: pkcs8.PBKDF2Opts{
|
|
SaltSize: 8, IterationCount: 2048, HMACHash: pkcs8.SM3,
|
|
},
|
|
},
|
|
},
|
|
{
|
|
password: []byte("password"),
|
|
opts: &pkcs8.Opts{
|
|
Cipher: pkcs.AES128CBC,
|
|
KDFOpts: pkcs8.PBKDF2Opts{
|
|
SaltSize: 8, IterationCount: 2048, HMACHash: pkcs8.SHA224,
|
|
},
|
|
},
|
|
},
|
|
{
|
|
password: []byte("password"),
|
|
opts: &pkcs8.Opts{
|
|
Cipher: pkcs.AES128CBC,
|
|
KDFOpts: pkcs8.PBKDF2Opts{
|
|
SaltSize: 8, IterationCount: 2048, HMACHash: pkcs8.SHA256,
|
|
},
|
|
},
|
|
},
|
|
{
|
|
password: []byte("password"),
|
|
opts: &pkcs8.Opts{
|
|
Cipher: pkcs.AES128CBC,
|
|
KDFOpts: pkcs8.PBKDF2Opts{
|
|
SaltSize: 8, IterationCount: 2048, HMACHash: pkcs8.SHA512,
|
|
},
|
|
},
|
|
},
|
|
{
|
|
password: []byte("password"),
|
|
opts: &pkcs8.Opts{
|
|
Cipher: pkcs.AES128CBC,
|
|
KDFOpts: pkcs8.PBKDF2Opts{
|
|
SaltSize: 8, IterationCount: 2048, HMACHash: pkcs8.SHA384,
|
|
},
|
|
},
|
|
},
|
|
{
|
|
password: []byte("password"),
|
|
opts: &pkcs8.Opts{
|
|
Cipher: pkcs.AES128CBC,
|
|
KDFOpts: pkcs8.PBKDF2Opts{
|
|
SaltSize: 8, IterationCount: 2048, HMACHash: pkcs8.SHA512_224,
|
|
},
|
|
},
|
|
},
|
|
{
|
|
password: []byte("password"),
|
|
opts: &pkcs8.Opts{
|
|
Cipher: pkcs.AES128CBC,
|
|
KDFOpts: pkcs8.PBKDF2Opts{
|
|
SaltSize: 8, IterationCount: 2048, HMACHash: pkcs8.SHA512_256,
|
|
},
|
|
},
|
|
},
|
|
{
|
|
password: []byte("password"),
|
|
opts: &pkcs8.Opts{
|
|
Cipher: pkcs.AES192CBC,
|
|
KDFOpts: pkcs8.PBKDF2Opts{
|
|
SaltSize: 8, IterationCount: 1000, HMACHash: pkcs8.SHA256,
|
|
},
|
|
},
|
|
},
|
|
{
|
|
password: []byte("password"),
|
|
opts: &pkcs8.Opts{
|
|
Cipher: pkcs.AES256CBC,
|
|
KDFOpts: pkcs8.PBKDF2Opts{
|
|
SaltSize: 16, IterationCount: 2000, HMACHash: pkcs8.SHA256,
|
|
},
|
|
},
|
|
},
|
|
{
|
|
password: []byte("password"),
|
|
opts: &pkcs8.Opts{
|
|
Cipher: pkcs.AES128GCM,
|
|
KDFOpts: pkcs8.PBKDF2Opts{
|
|
SaltSize: 8, IterationCount: 2048, HMACHash: pkcs8.SHA256,
|
|
},
|
|
},
|
|
},
|
|
{
|
|
password: []byte("password"),
|
|
opts: &pkcs8.Opts{
|
|
Cipher: pkcs.AES192GCM,
|
|
KDFOpts: pkcs8.PBKDF2Opts{
|
|
SaltSize: 8, IterationCount: 10000, HMACHash: pkcs8.SHA256,
|
|
},
|
|
},
|
|
},
|
|
{
|
|
password: []byte("password"),
|
|
opts: &pkcs8.Opts{
|
|
Cipher: pkcs.AES256GCM,
|
|
KDFOpts: pkcs8.PBKDF2Opts{
|
|
SaltSize: 16, IterationCount: 16, HMACHash: pkcs8.SHA256,
|
|
},
|
|
},
|
|
},
|
|
{
|
|
password: []byte("password"),
|
|
opts: &pkcs8.Opts{
|
|
Cipher: pkcs.DESCBC,
|
|
KDFOpts: pkcs8.PBKDF2Opts{
|
|
SaltSize: 16, IterationCount: 16, HMACHash: pkcs8.SHA1,
|
|
},
|
|
},
|
|
},
|
|
{
|
|
password: []byte("password"),
|
|
opts: &pkcs8.Opts{
|
|
Cipher: pkcs.TripleDESCBC,
|
|
KDFOpts: pkcs8.PBKDF2Opts{
|
|
SaltSize: 16, IterationCount: 16, HMACHash: pkcs8.SHA1,
|
|
},
|
|
},
|
|
},
|
|
{
|
|
password: []byte("password"),
|
|
opts: &pkcs8.Opts{
|
|
Cipher: pkcs.AES256CBC,
|
|
KDFOpts: pkcs8.ScryptOpts{
|
|
CostParameter: 1 << 2,
|
|
BlockSize: 8,
|
|
ParallelizationParameter: 1,
|
|
SaltSize: 16,
|
|
},
|
|
},
|
|
},
|
|
} {
|
|
rsaPrivateKey, err := rsa.GenerateKey(rand.Reader, 2048)
|
|
if err != nil {
|
|
t.Fatalf("%d: GenerateKey returned: %s", i, err)
|
|
}
|
|
der, err := pkcs8.MarshalPrivateKey(rsaPrivateKey, tt.password, tt.opts)
|
|
if err != nil {
|
|
t.Fatalf("%d: MarshalPrivateKey returned: %s", i, err)
|
|
}
|
|
decodedRSAPrivateKey, _, err := pkcs8.ParsePrivateKey(der, tt.password)
|
|
if err != nil {
|
|
t.Fatalf("%d: ParsePKCS8PrivateKey returned: %s", i, err)
|
|
}
|
|
if rsaPrivateKey.D.Cmp(decodedRSAPrivateKey.(*rsa.PrivateKey).D) != 0 {
|
|
t.Fatalf("%d: Decoded key does not match original key", i)
|
|
}
|
|
|
|
sm2PrivateKey, err := sm2.GenerateKey(rand.Reader)
|
|
if err != nil {
|
|
t.Fatalf("%d: GenerateKey returned: %s", i, err)
|
|
}
|
|
|
|
der, err = pkcs8.MarshalPrivateKey(sm2PrivateKey, tt.password, tt.opts)
|
|
if err != nil {
|
|
t.Fatalf("%d: MarshalPrivateKey returned: %s", i, err)
|
|
}
|
|
|
|
decodedSM2PrivateKey, err := pkcs8.ParsePKCS8PrivateKeySM2(der, tt.password)
|
|
if err != nil {
|
|
t.Fatalf("%d: ParsePKCS8PrivateKey returned: %s", i, err)
|
|
}
|
|
if !sm2PrivateKey.Equal(decodedSM2PrivateKey) {
|
|
t.Fatalf("%d: Decoded key does not match original key", i)
|
|
}
|
|
|
|
sm9SignMasterPrivateKey, err := sm9.GenerateSignMasterKey(rand.Reader)
|
|
if err != nil {
|
|
t.Fatalf("%d: GenerateKey returned: %s", i, err)
|
|
}
|
|
|
|
der, err = pkcs8.MarshalPrivateKey(sm9SignMasterPrivateKey, tt.password, tt.opts)
|
|
if err != nil {
|
|
t.Fatalf("%d: MarshalPrivateKey returned: %s", i, err)
|
|
}
|
|
decodedSM9SignMasterPrivateKey, err := pkcs8.ParseSM9SignMasterPrivateKey(der, tt.password)
|
|
if err != nil {
|
|
t.Fatalf("%d: ParseSM9SignMasterPrivateKey returned: %s", i, err)
|
|
}
|
|
|
|
_, err = pkcs8.ParseSM9SignPrivateKey(der, tt.password)
|
|
if err == nil {
|
|
t.Fatalf("%d: ParseSM9SignPrivateKey should return error", i)
|
|
}
|
|
|
|
if sm9SignMasterPrivateKey.D.Cmp(decodedSM9SignMasterPrivateKey.D) != 0 {
|
|
t.Fatalf("%d: Decoded key does not match original key", i)
|
|
}
|
|
|
|
sm9SignPrivateKey, err := sm9SignMasterPrivateKey.GenerateUserKey([]byte("emmansun"), 0x01)
|
|
if err != nil {
|
|
t.Fatalf("%d: GenerateUserKey returned: %s", i, err)
|
|
}
|
|
der, err = pkcs8.MarshalPrivateKey(sm9SignPrivateKey, tt.password, tt.opts)
|
|
if err != nil {
|
|
t.Fatalf("%d: MarshalPrivateKey returned: %s", i, err)
|
|
}
|
|
decodedSM9SignPrivateKey, err := pkcs8.ParseSM9SignPrivateKey(der, tt.password)
|
|
if err != nil {
|
|
t.Fatalf("%d: ParseSM9SignPrivateKey returned: %s", i, err)
|
|
}
|
|
_, err = pkcs8.ParseSM9SignMasterPrivateKey(der, tt.password)
|
|
if err == nil {
|
|
t.Fatalf("%d: ParseSM9SignMasterPrivateKey should return error", i)
|
|
}
|
|
if !sm9SignPrivateKey.PrivateKey.Equal(decodedSM9SignPrivateKey.PrivateKey) {
|
|
t.Fatalf("%d: Decoded key does not match original key", i)
|
|
}
|
|
|
|
sm9EncMasterPrivateKey, err := sm9.GenerateEncryptMasterKey(rand.Reader)
|
|
if err != nil {
|
|
t.Fatalf("%d: GenerateKey returned: %s", i, err)
|
|
}
|
|
|
|
der, err = pkcs8.MarshalPrivateKey(sm9EncMasterPrivateKey, tt.password, tt.opts)
|
|
if err != nil {
|
|
t.Fatalf("%d: MarshalPrivateKey returned: %s", i, err)
|
|
}
|
|
decodedSM9EncMasterPrivateKey, err := pkcs8.ParseSM9EncryptMasterPrivateKey(der, tt.password)
|
|
if err != nil {
|
|
t.Fatalf("%d: ParseSM9EncryptMasterPrivateKey returned: %s", i, err)
|
|
}
|
|
_, err = pkcs8.ParseSM9EncryptPrivateKey(der, tt.password)
|
|
if err == nil {
|
|
t.Fatalf("%d: ParseSM9EncryptPrivateKey should return error", i)
|
|
}
|
|
if sm9EncMasterPrivateKey.D.Cmp(decodedSM9EncMasterPrivateKey.D) != 0 {
|
|
t.Fatalf("%d: Decoded key does not match original key", i)
|
|
}
|
|
|
|
sm9EncPrivateKey, err := sm9EncMasterPrivateKey.GenerateUserKey([]byte("emmansun"), 0x02)
|
|
if err != nil {
|
|
t.Fatalf("%d: GenerateUserKey returned: %s", i, err)
|
|
}
|
|
der, err = pkcs8.MarshalPrivateKey(sm9EncPrivateKey, tt.password, tt.opts)
|
|
if err != nil {
|
|
t.Fatalf("%d: MarshalPrivateKey returned: %s", i, err)
|
|
}
|
|
decodedSM9EncPrivateKey, err := pkcs8.ParseSM9EncryptPrivateKey(der, tt.password)
|
|
if err != nil {
|
|
t.Fatalf("%d: ParseSM9EncryptPrivateKey returned: %s", i, err)
|
|
}
|
|
_, err = pkcs8.ParseSM9EncryptMasterPrivateKey(der, tt.password)
|
|
if err == nil {
|
|
t.Fatalf("%d: ParseSM9EncryptMasterPrivateKey should return error", i)
|
|
}
|
|
if !sm9EncPrivateKey.PrivateKey.Equal(decodedSM9EncPrivateKey.PrivateKey) {
|
|
t.Fatalf("%d: Decoded key does not match original key", i)
|
|
}
|
|
|
|
for _, curve := range []elliptic.Curve{
|
|
elliptic.P224(), elliptic.P256(), elliptic.P384(), elliptic.P521(),
|
|
} {
|
|
ecPrivateKey, err := ecdsa.GenerateKey(curve, rand.Reader)
|
|
if err != nil {
|
|
t.Fatalf("%d, %s: ConvertPrivateKeyToPKCS8 returned: %s", i, curve, err)
|
|
}
|
|
der, err = pkcs8.MarshalPrivateKey(ecPrivateKey, tt.password, tt.opts)
|
|
if err != nil {
|
|
t.Fatalf("%d, %s: ConvertPrivateKeyToPKCS8 returned: %s", i, curve, err)
|
|
}
|
|
decodedECPrivateKey, _, err := pkcs8.ParsePrivateKey(der, tt.password)
|
|
if err != nil {
|
|
t.Fatalf("%d, %s: ParsePKCS8PrivateKey returned: %s", i, curve, err)
|
|
}
|
|
if ecPrivateKey.D.Cmp(decodedECPrivateKey.(*ecdsa.PrivateKey).D) != 0 {
|
|
t.Fatalf("%d, %s: Decoded key does not match original key", i, curve)
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
type unknown int
|
|
|
|
func TestUnknownTypeFailure(t *testing.T) {
|
|
badInput := unknown(0)
|
|
_, err := pkcs8.ConvertPrivateKeyToPKCS8(badInput, []byte("password"))
|
|
if err == nil {
|
|
t.Fatal("expected error")
|
|
}
|
|
}
|
|
|
|
// for encrypted private-key information
|
|
type encryptedPrivateKeyInfo struct {
|
|
EncryptionAlgorithm pkix.AlgorithmIdentifier
|
|
EncryptedData []byte
|
|
}
|
|
|
|
func TestParseInvalidPrivateKey(t *testing.T) {
|
|
// test parse pem directly
|
|
_, err := pkcs8.ParsePKCS8PrivateKeyECDSA([]byte(encryptedEC256aes), []byte("password"))
|
|
if err == nil || err.Error() != "pkcs8: this method just supports DER-encoded key" {
|
|
t.Errorf("should be error: pkcs8: this method just supports DER-encoded key")
|
|
}
|
|
_, err = pkcs8.ParsePKCS8PrivateKeyECDSA(nil, []byte("password"))
|
|
if err == nil || err.Error() != "pkcs8: only PKCS #5 v2.0 supported" {
|
|
t.Errorf("should be error: pkcs8: only PKCS #5 v2.0 supported")
|
|
}
|
|
|
|
var privKey encryptedPrivateKeyInfo
|
|
privKey.EncryptionAlgorithm.Algorithm = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 5, 1}
|
|
data, err := asn1.Marshal(privKey)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
_, err = pkcs8.ParsePKCS8PrivateKeyECDSA(data, []byte("password"))
|
|
if err == nil || err.Error() != "pkcs8: only PBES2 supported" {
|
|
t.Errorf("should be error: pkcs8: only PBES2 supported")
|
|
}
|
|
|
|
privKey.EncryptionAlgorithm.Algorithm = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 5, 13}
|
|
data, err = asn1.Marshal(privKey)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
_, err = pkcs8.ParsePKCS8PrivateKeyECDSA(data, []byte("password"))
|
|
if err == nil || err.Error() != "pkcs8: invalid PBES2 parameters" {
|
|
t.Errorf("should be error: pkcs8: invalid PBES2 parameters")
|
|
}
|
|
}
|