Merge branch 'andrea-crp-1097' into 'master'

test(crypto): CRP-1097 Add unit tests for FS key update This MR extend the test coverage around FS key update in the CSP layer and crypto library. Several tests were already added as part of previous MR, this closes the ticket. See merge request dfinity-lab/public/ic!16576
dfinity · Dec 12, 2023 · 9b1e237 · 9b1e237
2 parents a6bc5b7 + ef46b20
commit 9b1e237
Show file tree

Hide file tree

Showing 2 changed files with 76 additions and 0 deletions.
diff --git a/...ernal/crypto_lib/threshold_sig/bls12_381/src/ni_dkg/groth20_bls12_381/encryption/tests.rs b/...ernal/crypto_lib/threshold_sig/bls12_381/src/ni_dkg/groth20_bls12_381/encryption/tests.rs
@@ -1,5 +1,6 @@
 #![allow(clippy::unwrap_used)]
 //! Tests for the CLib NiDKG forward secure encryption
+use ic_crypto_test_utils_reproducible_rng::reproducible_rng;
 pub use rand::{Rng, RngCore, SeedableRng};
 pub use rand_chacha::ChaChaRng;
 pub use std::collections::BTreeMap;
@@ -79,6 +80,29 @@ fn single_stepping_a_key_should_increment_current_epoch() {
     }
 }
 
+#[test]
+fn should_not_update_key_on_current_or_past_epoch() {
+    let rng = &mut reproducible_rng();
+    let mut associated_data = [0u8; 4];
+    rng.fill_bytes(&mut associated_data[..]);
+
+    let key_with_pop = create_forward_secure_key_pair(Seed::from_rng(rng), &associated_data);
+    let mut secret_key = SecretKey::deserialize(&key_with_pop.secret_key);
+    let secret_key_epoch = Epoch::from(10);
+    update_key_inplace_to_epoch(&mut secret_key, secret_key_epoch, Seed::from_rng(rng));
+    assert_eq!(secret_key.current_epoch(), Some(secret_key_epoch));
+
+    let past_epoch = Epoch::from(9);
+    let key_before_update = secret_key.serialize();
+
+    // Update key to a previous epoch
+    update_key_inplace_to_epoch(&mut secret_key, past_epoch, Seed::from_rng(rng));
+    assert_eq!(secret_key.serialize(), key_before_update);
+    // Update key to current epoch
+    update_key_inplace_to_epoch(&mut secret_key, secret_key_epoch, Seed::from_rng(rng));
+    assert_eq!(secret_key.serialize(), key_before_update);
+}
+
 #[test]
 fn correct_keys_should_verify() {
     const KEY_GEN_ASSOCIATED_DATA: &[u8] = &[11u8, 2u8, 19u8, 31u8];

diff --git a/rs/crypto/internal/crypto_service_provider/src/vault/local_csp_vault/ni_dkg/tests.rs b/rs/crypto/internal/crypto_service_provider/src/vault/local_csp_vault/ni_dkg/tests.rs
@@ -19,6 +19,7 @@ use crate::vault::test_utils;
 use crate::vault::test_utils::ni_dkg::fixtures::MockNetwork;
 use assert_matches::assert_matches;
 use ic_crypto_internal_threshold_sig_bls12381::api::dkg_errors::InternalError;
+use ic_crypto_internal_threshold_sig_bls12381::api::ni_dkg_errors::CspDkgUpdateFsEpochError;
 use ic_crypto_internal_threshold_sig_bls12381::api::ni_dkg_errors::{
     CspDkgCreateFsKeyError, CspDkgLoadPrivateKeyError,
 };
@@ -28,6 +29,7 @@ use ic_crypto_internal_types::sign::threshold_sig::ni_dkg::ni_dkg_groth20_bls12_
 use ic_crypto_internal_types::sign::threshold_sig::public_coefficients::bls12_381::PublicCoefficientsBytes;
 use ic_crypto_test_utils::set_of;
 use ic_crypto_test_utils_reproducible_rng::{reproducible_rng, ReproducibleRng};
+use ic_types::crypto::error::KeyNotFoundError;
 use ic_types::crypto::AlgorithmId;
 use ic_types_test_utils::ids::NODE_42;
 
@@ -253,6 +255,56 @@ fn should_return_transient_internal_error_from_load_threshold_signing_key_if_nid
     );
 }
 
+#[test]
+fn should_return_error_if_update_forward_secure_key_with_wrong_algorithm_id() {
+    let mut sks = MockSecretKeyStore::new();
+    let key_id = KeyId::from([0u8; 32]);
+    sks.expect_get().never();
+    sks.expect_insert_or_replace().never();
+    let csp = LocalCspVault::builder_for_test()
+        .with_node_secret_key_store(sks)
+        .build();
+    let epoch_to_update_to = Epoch::from(2);
+
+    let wrong_algorithm = AlgorithmId::from(0);
+
+    let result = csp.update_forward_secure_epoch(wrong_algorithm, key_id, epoch_to_update_to);
+    assert_matches!(
+        result,
+        Err(CspDkgUpdateFsEpochError::UnsupportedAlgorithmId(
+            AlgorithmId::Placeholder
+        ))
+    );
+}
+
+#[test]
+fn should_not_update_forward_secure_key_if_key_is_missing() {
+    const INTERNAL_ERROR: &str = "Cannot update forward secure key if it is missing";
+    let mut sks = MockSecretKeyStore::new();
+    let sks_key_id = KeyId::from([0u8; 32]);
+    sks.expect_get()
+        .withf(move |key_id_| key_id_ == &sks_key_id)
+        .times(1)
+        .return_const(None);
+    sks.expect_insert_or_replace().never();
+    let csp = LocalCspVault::builder_for_test()
+        .with_node_secret_key_store(sks)
+        .build();
+    let epoch_to_update_to = Epoch::from(2);
+
+    let result = csp.update_forward_secure_epoch(
+        AlgorithmId::NiDkg_Groth20_Bls12_381,
+        sks_key_id,
+        epoch_to_update_to,
+    );
+
+    assert_matches!(
+        result,
+        Err(CspDkgUpdateFsEpochError::FsKeyNotInSecretKeyStoreError(KeyNotFoundError{internal_error, key_id}))
+        if internal_error.contains(INTERNAL_ERROR) && key_id.contains(&sks_key_id.to_string())
+    );
+}
+
 #[test]
 fn should_not_update_forward_secure_key_if_epoch_in_sks_is_newer_than_the_one_to_update_to() {
     let mut sks = MockSecretKeyStore::new();