wolfcrypt 0.2.0

RustCrypto trait implementations backed by wolfCrypt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156

//! LMS/HSS hash-based signature tests.
//!
//! Tests cover both the verification-only API and the full sign/verify
//! round-trip using in-memory private-key persistence.

#![cfg(all(feature = "lms", wolfssl_lms))]

use wolfcrypt::lms::{LmsParams, LmsSigningKey, LmsVerifyingKey};

/// The smallest/fastest parameter set for testing.
const TEST_PARAMS: LmsParams = LmsParams::L1_H5_W8;

/// `pub_len()` must return a non-zero value consistent with the parameter set.
#[test]
fn pub_len_is_nonzero() {
    // We need a validly-constructed key to query lengths. Since we cannot
    // know the exact expected public key size a priori (it depends on the
    // wolfCrypt build), we create a temporary key just to query the length,
    // then construct one with the right-sized (but invalid) public key bytes.
    //
    // Alternatively, we can test that wrong-length input is rejected.

    // A zero-length public key must be rejected.
    let result = LmsVerifyingKey::from_public_bytes(TEST_PARAMS, &[]);
    assert!(result.is_err(), "empty public key should be rejected");
}

/// A public key of the wrong length must be rejected.
#[test]
fn wrong_pub_key_length_rejected() {
    // Try a 1-byte public key — this should always be too short.
    let result = LmsVerifyingKey::from_public_bytes(TEST_PARAMS, &[0x42]);
    assert!(result.is_err(), "1-byte public key should be rejected");

    // Try a very long public key — should also be rejected.
    let long = vec![0u8; 4096];
    let result = LmsVerifyingKey::from_public_bytes(TEST_PARAMS, &long);
    assert!(result.is_err(), "4096-byte public key should be rejected");
}

/// `LmsParams` constants should have sensible values.
#[test]
fn params_constants_are_sensible() {
    assert_eq!(LmsParams::L1_H5_W8.levels, 1);
    assert_eq!(LmsParams::L1_H5_W8.height, 5);
    assert_eq!(LmsParams::L1_H5_W8.winternitz, 8);

    assert_eq!(LmsParams::L2_H5_W8.levels, 2);
    assert_eq!(LmsParams::L2_H5_W8.height, 5);
    assert_eq!(LmsParams::L2_H5_W8.winternitz, 8);

    assert_eq!(LmsParams::L1_H10_W4.levels, 1);
    assert_eq!(LmsParams::L1_H10_W4.height, 10);
    assert_eq!(LmsParams::L1_H10_W4.winternitz, 4);

    assert_eq!(LmsParams::L2_H10_W4.levels, 2);
    assert_eq!(LmsParams::L2_H10_W4.height, 10);
    assert_eq!(LmsParams::L2_H10_W4.winternitz, 4);
}

/// Verification with a garbage signature must fail.
///
/// We construct a key with a correctly-sized public key (all zeros), then
/// attempt to verify a garbage signature. This may fail at import (if
/// wolfCrypt validates the public key on import) or at verify time.
/// Either way, the operation must not succeed.
#[test]
fn verify_garbage_signature_fails() {
    // First, figure out the expected public key length by trying to import
    // and inspecting the error. We use a brute approach: try a range of
    // plausible sizes. LMS public keys are typically 56-60 bytes
    // (4-byte type ID + 4-byte LMOTS type ID + 16-byte I + 32-byte root).
    // The exact size is 60 bytes for SHA-256 based LMS.
    //
    // If we can't construct a key at all (wolfCrypt rejects all-zeros as
    // an invalid public key), that's fine — the test still passes because
    // we're verifying that invalid operations fail.
    let sizes_to_try = [56, 60, 64, 48];
    let mut key_opt = None;

    for &size in &sizes_to_try {
        let fake_pub = vec![0u8; size];
        if let Ok(key) = LmsVerifyingKey::from_public_bytes(TEST_PARAMS, &fake_pub) {
            key_opt = Some(key);
            break;
        }
    }

    if let Some(key) = key_opt {
        let msg = b"test message";
        let garbage_sig = vec![0xAA; 128];
        let result = key.verify(msg, &garbage_sig);
        assert!(result.is_err(), "garbage signature must not verify");
    }
    // If no size worked, wolfCrypt validates public keys strictly on import,
    // which is also correct behavior — the test passes either way.
}

/// Two LmsParams with different values must not be equal.
#[test]
fn params_equality() {
    assert_eq!(LmsParams::L1_H5_W8, LmsParams::L1_H5_W8);
    assert_ne!(LmsParams::L1_H5_W8, LmsParams::L2_H5_W8);
    assert_ne!(LmsParams::L1_H5_W8, LmsParams::L1_H10_W4);
}

// ---------------------------------------------------------------------------
// Signing tests (require rand feature)
// ---------------------------------------------------------------------------

#[cfg(feature = "rand")]
mod signing {
    use super::*;
    use wolfcrypt::rand::WolfRng;

    /// Full round-trip: generate key, sign, verify.
    #[test]
    fn sign_then_verify() {
        let mut rng = WolfRng::new().expect("RNG init");
        let mut sk = LmsSigningKey::generate(TEST_PARAMS, &mut rng).expect("keygen");

        let msg = b"LMS round-trip test";
        let sig = sk.sign(msg).expect("sign");

        // Export public key and verify with a separate verifying key.
        let pub_bytes = sk.export_public().expect("export pub");
        let vk = LmsVerifyingKey::from_public_bytes(TEST_PARAMS, &pub_bytes).expect("import pub");
        vk.verify(msg, &sig).expect("verify must succeed");
    }

    /// Verification with wrong message must fail.
    #[test]
    fn verify_wrong_message_fails() {
        let mut rng = WolfRng::new().expect("RNG init");
        let mut sk = LmsSigningKey::generate(TEST_PARAMS, &mut rng).expect("keygen");

        let sig = sk.sign(b"correct message").expect("sign");

        let pub_bytes = sk.export_public().expect("export pub");
        let vk = LmsVerifyingKey::from_public_bytes(TEST_PARAMS, &pub_bytes).expect("import pub");

        let result = vk.verify(b"wrong message", &sig);
        assert!(result.is_err(), "wrong message must not verify");
    }

    /// `remaining_signatures` should be positive after keygen.
    #[test]
    fn remaining_signatures_positive() {
        let mut rng = WolfRng::new().expect("RNG init");
        let sk = LmsSigningKey::generate(TEST_PARAMS, &mut rng).expect("keygen");
        assert!(
            sk.remaining_signatures() > 0,
            "freshly generated key should have sigs left"
        );
    }
}