internal/wycheproof: add Wycheproof tests for verifying signatures

https://github.com/google/wycheproof provides test vectors exposing
vulnerabilities in crypto packages. This change creates a new package
called internal/wycheproof that runs these Wycheproof tests against
a number of pacakages in the standard library (and in the future,
x/crypto).

Directory structure:
 - interal/wycheproof/internal/ecdsa: internal version of ecdsa package which
includes a new function that verifies ASN encoded signatures directly
 - interal/wycheproof/internal/dsa: internal version of dsa package which
includes a new function that verifies ASN encoded signatures directly
 - internal/wycheproof: all tests

internal/wycheproof/wycheproof_test.go provides utility functions that are
common to many tests in the package, and contains the TestMain which
fetches github.com/google/wycheproof from the source.

This change includes tests for signature verification with dsa, ecdsa,
eddsa, and rsa (both PKCS#1 v1.5 and PSS signatures).

Note that these tests download testdata from github.com/google/wycheproof
by running `go mod download` in the TestMain. This means that internet
access will be necessary in order to run these tests if the testdata is
not already in your module cache.

More tests will be added incrementally.

Change-Id: I0378d4be24b5679fdc186e9fc94c1cc0068e81f7
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/209221
Run-TryBot: Katie Hockman <katie@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>

Author: katiehockman

internal/wycheproof/README.md

@@ -0,0 +1,12 @@
+This package runs a set of the Wycheproof tests provided by
+https://github.com/google/wycheproof.
+
+The JSON test files live in
+https://github.com/google/wycheproof/tree/master/testvectors
+and are being fetched and cached at a pinned version every time
+these tests are run. To change the version of the wycheproof
+repository that is being used for testing, update wycheproofModVer.
+
+The structs for these tests are generated from the
+schemas provided in https://github.com/google/wycheproof/tree/master/schemas
+using https://github.com/a-h/generate.

internal/wycheproof/dsa_test.go

@@ -0,0 +1,123 @@
+// Copyright 2019 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package wycheproof
+
+import (
+	"crypto/dsa"
+	"testing"
+
+	wdsa "golang.org/x/crypto/internal/wycheproof/internal/dsa"
+)
+
+func TestDsa(t *testing.T) {
+	// AsnSignatureTestVector
+	type AsnSignatureTestVector struct {
+
+		// A brief description of the test case
+		Comment string `json:"comment,omitempty"`
+
+		// A list of flags
+		Flags []string `json:"flags,omitempty"`
+
+		// The message to sign
+		Msg string `json:"msg,omitempty"`
+
+		// Test result
+		Result string `json:"result,omitempty"`
+
+		// An ASN encoded signature for msg
+		Sig string `json:"sig,omitempty"`
+
+		// Identifier of the test case
+		TcId int `json:"tcId,omitempty"`
+	}
+
+	// DsaPublicKey
+	type DsaPublicKey struct {
+
+		// the generator of the multiplicative subgroup
+		G string `json:"g,omitempty"`
+
+		// the key size in bits
+		KeySize int `json:"keySize,omitempty"`
+
+		// the modulus p
+		P string `json:"p,omitempty"`
+
+		// the order of the generator g
+		Q string `json:"q,omitempty"`
+
+		// the key type
+		Type string `json:"type,omitempty"`
+
+		// the public key value
+		Y string `json:"y,omitempty"`
+	}
+
+	// DsaTestGroup
+	type DsaTestGroup struct {
+
+		// unenocded DSA public key
+		Key *DsaPublicKey `json:"key,omitempty"`
+
+		// DER encoded public key
+		KeyDer string `json:"keyDer,omitempty"`
+
+		// Pem encoded public key
+		KeyPem string `json:"keyPem,omitempty"`
+
+		// the hash function used for DSA
+		Sha   string                    `json:"sha,omitempty"`
+		Tests []*AsnSignatureTestVector `json:"tests,omitempty"`
+		Type  interface{}               `json:"type,omitempty"`
+	}
+
+	// Notes a description of the labels used in the test vectors
+	type Notes struct {
+	}
+
+	// Root
+	type Root struct {
+
+		// the primitive tested in the test file
+		Algorithm string `json:"algorithm,omitempty"`
+
+		// the version of the test vectors.
+		GeneratorVersion string `json:"generatorVersion,omitempty"`
+
+		// additional documentation
+		Header []string `json:"header,omitempty"`
+
+		// a description of the labels used in the test vectors
+		Notes *Notes `json:"notes,omitempty"`
+
+		// the number of test vectors in this test
+		NumberOfTests int             `json:"numberOfTests,omitempty"`
+		Schema        interface{}     `json:"schema,omitempty"`
+		TestGroups    []*DsaTestGroup `json:"testGroups,omitempty"`
+	}
+
+	flagsShouldPass := map[string]bool{
+		// An encoded ASN.1 integer missing a leading zero is invalid, but accepted by some implementations.
+		"NoLeadingZero": false,
+	}
+
+	var root Root
+	readTestVector(t, "dsa_test.json", &root)
+	for _, tg := range root.TestGroups {
+		pub := decodePublicKey(tg.KeyDer).(*dsa.PublicKey)
+		h := parseHash(tg.Sha).New()
+		for _, sig := range tg.Tests {
+			h.Reset()
+			h.Write(decodeHex(sig.Msg))
+			hashed := h.Sum(nil)
+			hashed = hashed[:pub.Q.BitLen()/8] // Truncate to the byte-length of the subgroup (Q)
+			got := wdsa.VerifyASN1(pub, hashed, decodeHex(sig.Sig))
+			if want := shouldPass(sig.Result, sig.Flags, flagsShouldPass); got != want {
+				t.Errorf("tcid: %d, type: %s, comment: %q, wanted success: %t", sig.TcId, sig.Result, sig.Comment, want)
+			}
+		}
+	}
+}

internal/wycheproof/ecdsa_test.go

@@ -0,0 +1,166 @@
+// Copyright 2019 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package wycheproof
+
+import (
+	"crypto/ecdsa"
+	"testing"
+
+	wecdsa "golang.org/x/crypto/internal/wycheproof/internal/ecdsa"
+)
+
+func TestEcdsa(t *testing.T) {
+	// AsnSignatureTestVector
+	type AsnSignatureTestVector struct {
+
+		// A brief description of the test case
+		Comment string `json:"comment,omitempty"`
+
+		// A list of flags
+		Flags []string `json:"flags,omitempty"`
+
+		// The message to sign
+		Msg string `json:"msg,omitempty"`
+
+		// Test result
+		Result string `json:"result,omitempty"`
+
+		// An ASN encoded signature for msg
+		Sig string `json:"sig,omitempty"`
+
+		// Identifier of the test case
+		TcId int `json:"tcId,omitempty"`
+	}
+
+	// EcPublicKey
+	type EcPublicKey struct {
+
+		// the EC group used by this public key
+		Curve interface{} `json:"curve,omitempty"`
+
+		// the key size in bits
+		KeySize int `json:"keySize,omitempty"`
+
+		// the key type
+		Type string `json:"type,omitempty"`
+
+		// encoded public key point
+		Uncompressed string `json:"uncompressed,omitempty"`
+
+		// the x-coordinate of the public key point
+		Wx string `json:"wx,omitempty"`
+
+		// the y-coordinate of the public key point
+		Wy string `json:"wy,omitempty"`
+	}
+
+	// EcUnnamedGroup
+	type EcUnnamedGroup struct {
+
+		// coefficient a of the elliptic curve equation
+		A string `json:"a,omitempty"`
+
+		// coefficient b of the elliptic curve equation
+		B string `json:"b,omitempty"`
+
+		// the x-coordinate of the generator
+		Gx string `json:"gx,omitempty"`
+
+		// the y-coordinate of the generator
+		Gy string `json:"gy,omitempty"`
+
+		// the cofactor
+		H int `json:"h,omitempty"`
+
+		// the order of the generator
+		N string `json:"n,omitempty"`
+
+		// the order of the underlying field
+		P string `json:"p,omitempty"`
+
+		// an unnamed EC group over a prime field in Weierstrass form
+		Type string `json:"type,omitempty"`
+	}
+
+	// EcdsaTestGroup
+	type EcdsaTestGroup struct {
+
+		// unenocded EC public key
+		Key *EcPublicKey `json:"key,omitempty"`
+
+		// DER encoded public key
+		KeyDer string `json:"keyDer,omitempty"`
+
+		// Pem encoded public key
+		KeyPem string `json:"keyPem,omitempty"`
+
+		// the hash function used for ECDSA
+		Sha   string                    `json:"sha,omitempty"`
+		Tests []*AsnSignatureTestVector `json:"tests,omitempty"`
+		Type  interface{}               `json:"type,omitempty"`
+	}
+
+	// Notes a description of the labels used in the test vectors
+	type Notes struct {
+	}
+
+	// Root
+	type Root struct {
+
+		// the primitive tested in the test file
+		Algorithm string `json:"algorithm,omitempty"`
+
+		// the version of the test vectors.
+		GeneratorVersion string `json:"generatorVersion,omitempty"`
+
+		// additional documentation
+		Header []string `json:"header,omitempty"`
+
+		// a description of the labels used in the test vectors
+		Notes *Notes `json:"notes,omitempty"`
+
+		// the number of test vectors in this test
+		NumberOfTests int               `json:"numberOfTests,omitempty"`
+		Schema        interface{}       `json:"schema,omitempty"`
+		TestGroups    []*EcdsaTestGroup `json:"testGroups,omitempty"`
+	}
+
+	flagsShouldPass := map[string]bool{
+		// An encoded ASN.1 integer missing a leading zero is invalid, but accepted by some implementations.
+		"MissingZero": false,
+		// A signature using a weaker hash than the EC params is not a security risk, as long as the hash is secure.
+		// https://www.imperialviolet.org/2014/05/25/strengthmatching.html
+		"WeakHash": true,
+	}
+
+	// supportedCurves is a map of all elliptic curves supported
+	// by crypto/elliptic, which can subsequently be parsed and tested.
+	supportedCurves := map[string]bool{
+		"secp224r1": true,
+		"secp256r1": true,
+		"secp384r1": true,
+		"secp521r1": true,
+	}
+
+	var root Root
+	readTestVector(t, "ecdsa_test.json", &root)
+	for _, tg := range root.TestGroups {
+		curve := tg.Key.Curve.(string)
+		if !supportedCurves[curve] {
+			continue
+		}
+		pub := decodePublicKey(tg.KeyDer).(*ecdsa.PublicKey)
+		h := parseHash(tg.Sha).New()
+		for _, sig := range tg.Tests {
+			h.Reset()
+			h.Write(decodeHex(sig.Msg))
+			hashed := h.Sum(nil)
+			got := wecdsa.VerifyASN1(pub, hashed, decodeHex(sig.Sig))
+			if want := shouldPass(sig.Result, sig.Flags, flagsShouldPass); got != want {
+				t.Errorf("tcid: %d, type: %s, comment: %q, wanted success: %t", sig.TcId, sig.Result, sig.Comment, want)
+			}
+		}
+	}
+}