Improve cryptographic key material tests (#498)

Author: veikkoeeva

src/Verifiable.BouncyCastle/BouncyCastleCryptographicFunctions.cs

@@ -1,4 +1,5 @@
-using Org.BouncyCastle.Asn1.Sec;
+using Org.BouncyCastle.Asn1.Pkcs;
+using Org.BouncyCastle.Asn1.Sec;
 using Org.BouncyCastle.Crypto;
 using Org.BouncyCastle.Crypto.Generators;
 using Org.BouncyCastle.Crypto.Parameters;
@@ -91,7 +92,7 @@ public static PublicPrivateKeyMaterial<PublicKeyMemory, PrivateKeyMemory> Create
             return new PublicPrivateKeyMaterial<PublicKeyMemory, PrivateKeyMemory>(publicKeyMemory, privateKeyMemory);
         }
 
-        
+
         private static PublicPrivateKeyMaterial<PublicKeyMemory, PrivateKeyMemory> CreateEcKeys(
             string secCurveName,
             Tag publicKeyTag,
@@ -157,25 +158,31 @@ private static PublicPrivateKeyMaterial<PublicKeyMemory, PrivateKeyMemory> Creat
             generator.Init(keyGenParam);
             var keyPair = generator.GenerateKeyPair();
 
-            // Cast to RsaPublic/PrivateKeyParameters
             var publicKeyParam = (RsaKeyParameters)keyPair.Public;
             var privateKeyParam = (RsaPrivateCrtKeyParameters)keyPair.Private;
 
-            // Get public key modulus and private key 'D' bytes
-            byte[] modulusBytes = publicKeyParam.Modulus.ToByteArray();
-            byte[] privateKeyBytes = privateKeyParam.Exponent.ToByteArray();
-
-            // Encode public key modulus
+            //Encode the public key modulus in the DID-compatible format.
+            byte[] modulusBytes = publicKeyParam.Modulus.ToByteArrayUnsigned();
             byte[] derEncodedPublicKey = RsaUtilities.Encode(modulusBytes);
 
+            //Serialize the private key as PKCS#1 DER, compatible with both backends.
+            byte[] privateKeyBytes = RsaPrivateKeyStructure.GetInstance(new RsaPrivateKeyStructure(
+                privateKeyParam.Modulus,
+                privateKeyParam.PublicExponent,
+                privateKeyParam.Exponent,
+                privateKeyParam.P,
+                privateKeyParam.Q,
+                privateKeyParam.DP,
+                privateKeyParam.DQ,
+                privateKeyParam.QInv)).GetDerEncoded();
+
             var (publicKeyTag, privateKeyTag) = GetTags(keySizeInBits);
             var publicKeyMemory = new PublicKeyMemory(AsPooledMemory(derEncodedPublicKey, memoryPool), publicKeyTag);
             var privateKeyMemory = new PrivateKeyMemory(AsPooledMemory(privateKeyBytes, memoryPool), privateKeyTag);
 
-            // Clear sensitive data from memory
             Array.Clear(modulusBytes, 0, modulusBytes.Length);
-            Array.Clear(privateKeyBytes, 0, privateKeyBytes.Length);
             Array.Clear(derEncodedPublicKey, 0, derEncodedPublicKey.Length);
+            Array.Clear(privateKeyBytes, 0, privateKeyBytes.Length);
 
             return new PublicPrivateKeyMaterial<PublicKeyMemory, PrivateKeyMemory>(publicKeyMemory, privateKeyMemory);
         }

src/Verifiable.BouncyCastle/BouncyCastleKeyMaterialCreator.cs

@@ -170,7 +170,7 @@ private static ValueTask<bool> VerifyECDsa(ReadOnlySpan<byte> dataToVerify, Read
             return ValueTask.FromResult(false);
         }
 
-        
+
         private static ValueTask<Signature> SignECDsa(ReadOnlySpan<byte> privateKeyBytes, ReadOnlySpan<byte> dataToSign, MemoryPool<byte> signaturePool, ECCurve curve, HashAlgorithmName hashAlgorithmName, Tag signatureTag)
         {
             var key = ECDsa.Create(new ECParameters

src/Verifiable.Microsoft/MicrosoftCryptographicFunctions.cs

@@ -10,10 +10,10 @@
 namespace Verifiable.NSec;
 
 /// <summary>
-/// Adapter functions for NSec cryptographic operations matching <see cref="SigningDelegate"/> 
+/// Adapter functions for NSec cryptographic operations matching <see cref="SigningDelegate"/>
 /// and <see cref="VerificationDelegate"/> signatures.
 /// </summary>
-public static class NSecAlgorithms
+public static class NSecCryptographicFunctions
 {
     /// <summary>
     /// Signs data using Ed25519 via NSec.
@@ -60,4 +60,4 @@ public static ValueTask<bool> VerifyEd25519Async(
         var publicKey = PublicKey.Import(SignatureAlgorithm.Ed25519, publicKeyMaterial.Span, KeyBlobFormat.RawPublicKey);
         return ValueTask.FromResult(SignatureAlgorithm.Ed25519.Verify(publicKey, dataToVerify.Span, signature.Span));
     }
-}
+}

src/Verifiable.NSec/NSecAlgorithms.cs …iable.NSec/NSecCryptographicFunctions.cssrc/Verifiable.NSec/NSecAlgorithms.cs renamed to src/Verifiable.NSec/NSecCryptographicFunctions.cs src/Verifiable.NSec/NSecAlgorithms.cs renamed to src/Verifiable.NSec/NSecCryptographicFunctions.cs

@@ -7,21 +7,40 @@
 
 namespace Verifiable.NSec
 {
+    /// <summary>
+    /// Creates key material for NSec-supported algorithms. The caller is responsible
+    /// for disposing the individual <see cref="PublicKeyMemory"/> and <see cref="PrivateKeyMemory"/>
+    /// instances returned within the key material.
+    /// </summary>
     [SuppressMessage("Reliability", "CA2000:Dispose objects before losing scope", Justification = "The caller is responsible for disposing the returned key material instances.")]
-    public static class NSecKeyCreator
+    public static class NSecKeyMaterialCreator
     {
+        /// <summary>
+        /// Creates fresh Ed25519 key material using the NSec cryptographic backend.
+        /// </summary>
+        /// <param name="memoryPool">The memory pool to allocate key buffers from.</param>
+        /// <returns>A new key pair. The caller is responsible for disposing each key individually.</returns>
         public static PublicPrivateKeyMaterial<PublicKeyMemory, PrivateKeyMemory> CreateEd25519Keys(MemoryPool<byte> memoryPool)
         {
             return CreateKeys(SignatureAlgorithm.Ed25519, memoryPool, CryptoTags.Ed25519PublicKey, CryptoTags.Ed25519PrivateKey);
         }
 
+
+        /// <summary>
+        /// Creates fresh X25519 key material using the NSec cryptographic backend.
+        /// </summary>
+        /// <param name="memoryPool">The memory pool to allocate key buffers from.</param>
+        /// <returns>A new key pair. The caller is responsible for disposing each key individually.</returns>
         public static PublicPrivateKeyMaterial<PublicKeyMemory, PrivateKeyMemory> CreateX25519Keys(MemoryPool<byte> memoryPool)
         {
             return CreateKeys(KeyAgreementAlgorithm.X25519, memoryPool, CryptoTags.X25519PublicKey, CryptoTags.X25519PrivateKey);
         }
 
-        
 
+        /// <summary>
+        /// Creates key material for the given NSec algorithm by generating a key pair,
+        /// exporting the raw bytes, and wrapping them in pooled memory.
+        /// </summary>
         private static PublicPrivateKeyMaterial<PublicKeyMemory, PrivateKeyMemory> CreateKeys(
             Algorithm algorithm,
             MemoryPool<byte> memoryPool,
@@ -32,7 +51,7 @@ private static PublicPrivateKeyMaterial<PublicKeyMemory, PrivateKeyMemory> Creat
             {
                 var publicKeyBytes = key.Export(KeyBlobFormat.RawPublicKey);
                 var privateKeyBytes = key.Export(KeyBlobFormat.RawPrivateKey);
-                
+
                 var publicKeyMemory = new PublicKeyMemory(AsPooledMemory(publicKeyBytes, memoryPool), publicKeyTag);
                 var privateKeyMemory = new PrivateKeyMemory(AsPooledMemory(privateKeyBytes, memoryPool), privateKeyTag);
                 Array.Clear(publicKeyBytes, 0, publicKeyBytes.Length);
@@ -56,4 +75,4 @@ private static IMemoryOwner<byte> AsPooledMemory(byte[] keyBytes, MemoryPool<byt
             return keyBuffer;
         }
     }
-}
+}

src/Verifiable.NSec/NSecKeyGenerator.cs …erifiable.NSec/NSecKeyMaterialCreator.cssrc/Verifiable.NSec/NSecKeyGenerator.cs renamed to src/Verifiable.NSec/NSecKeyMaterialCreator.cs src/Verifiable.NSec/NSecKeyGenerator.cs renamed to src/Verifiable.NSec/NSecKeyMaterialCreator.cs

@@ -1,57 +1,221 @@
-using System.Buffers;
 using System.Text;
 using Verifiable.BouncyCastle;
 using Verifiable.Cryptography;
 
 namespace Verifiable.Tests.Cryptography
 {
     /// <summary>
-    /// These test specifically BouncyCastle as the cryptographic provider.
+    /// Tests BouncyCastle as the cryptographic provider across all supported algorithms.
     /// </summary>
     [TestClass]
     internal sealed class BouncyCastleCryptographicTests
     {
+        public TestContext TestContext { get; set; } = null!;
+
         /// <summary>
-        /// Used in tests as test data.
+        /// Shared test payload used for all sign-and-verify tests.
         /// </summary>
-        private byte[] TestData { get; } = Encoding.UTF8.GetBytes("This is a test string.");
+        private static byte[] TestData { get; } = Encoding.UTF8.GetBytes("BouncyCastle cryptographic test payload.");
 
 
         [TestMethod]
-        public void CanGenerateKeyPairEd255019()
+        public void Ed25519KeyPairHasNonEmptyMaterial()
         {
-            var keys = BouncyCastleKeyMaterialCreator.CreateEd25519Keys(MemoryPool<byte>.Shared);
-            Assert.IsGreaterThan(0, keys.PublicKey.AsReadOnlySpan().Length);
-            Assert.IsGreaterThan(0, keys.PrivateKey.AsReadOnlySpan().Length);
+            var keys = BouncyCastleKeyMaterialCreator.CreateEd25519Keys(SensitiveMemoryPool<byte>.Shared);
+            using var publicKey = keys.PublicKey;
+            using var privateKey = keys.PrivateKey;
+
+            Assert.IsGreaterThan(0, publicKey.AsReadOnlySpan().Length);
+            Assert.IsGreaterThan(0, privateKey.AsReadOnlySpan().Length);
         }
 
 
         [TestMethod]
-        public async ValueTask CanSignAndVerifyEd255019()
+        public async Task Ed25519SignatureVerifies()
         {
-            var keys = BouncyCastleKeyMaterialCreator.CreateEd25519Keys(MemoryPool<byte>.Shared);
-            var publicKey = keys.PublicKey;
-            var privateKey = keys.PrivateKey;
+            var keys = BouncyCastleKeyMaterialCreator.CreateEd25519Keys(SensitiveMemoryPool<byte>.Shared);
+            using var publicKey = keys.PublicKey;
+            using var privateKey = keys.PrivateKey;
+
+            ReadOnlyMemory<byte> data = TestData;
+            using var signature = await BouncyCastleCryptographicFunctions
+                .SignEd25519Async(privateKey.AsReadOnlyMemory(), data, SensitiveMemoryPool<byte>.Shared)
+                .ConfigureAwait(false);
 
-            var data = (ReadOnlyMemory<byte>)TestData;
-            using var signature = await privateKey.SignAsync(data, BouncyCastleCryptographicFunctions.SignEd25519Async, MemoryPool<byte>.Shared)
+            bool isVerified = await BouncyCastleCryptographicFunctions
+                .VerifyEd25519Async(data, signature.AsReadOnlyMemory(), publicKey.AsReadOnlyMemory())
                 .ConfigureAwait(false);
-            Assert.IsTrue(await publicKey.VerifyAsync(data, signature, BouncyCastleCryptographicFunctions.VerifyEd25519Async)
-                .ConfigureAwait(false));
+
+            Assert.IsTrue(isVerified);
         }
 
 
         [TestMethod]
-        public async ValueTask CanCreateIdentifiedKeyAndVerify()
+        public async Task Ed25519IdentifiedKeySignatureVerifies()
         {
-            var keys = BouncyCastleKeyMaterialCreator.CreateEd25519Keys(MemoryPool<byte>.Shared);
+            var keys = BouncyCastleKeyMaterialCreator.CreateEd25519Keys(SensitiveMemoryPool<byte>.Shared);
+            using var publicKey = new PublicKey(keys.PublicKey, "ed25519-test", BouncyCastleCryptographicFunctions.VerifyEd25519Async);
+            using var privateKey = new PrivateKey(keys.PrivateKey, "ed25519-test", BouncyCastleCryptographicFunctions.SignEd25519Async);
 
-            using var publicKey = new PublicKey(keys.PublicKey, "Test-1", BouncyCastleCryptographicFunctions.VerifyEd25519Async);
-            using var privateKey = new PrivateKey(keys.PrivateKey, "Test-1", BouncyCastleCryptographicFunctions.SignEd25519Async);
+            ReadOnlyMemory<byte> data = TestData;
+            using var signature = await privateKey.SignAsync(data, SensitiveMemoryPool<byte>.Shared).ConfigureAwait(false);
 
-            var data = (ReadOnlyMemory<byte>)TestData;
-            using var signature = await privateKey.SignAsync(data, MemoryPool<byte>.Shared).ConfigureAwait(false);
             Assert.IsTrue(await publicKey.VerifyAsync(data, signature).ConfigureAwait(false));
         }
+
+
+        [TestMethod]
+        public async Task P256SignatureVerifies()
+        {
+            var keys = BouncyCastleKeyMaterialCreator.CreateP256Keys(SensitiveMemoryPool<byte>.Shared);
+            using var publicKey = keys.PublicKey;
+            using var privateKey = keys.PrivateKey;
+
+            ReadOnlyMemory<byte> data = TestData;
+            using var signature = await BouncyCastleCryptographicFunctions
+                .SignP256Async(privateKey.AsReadOnlyMemory(), data, SensitiveMemoryPool<byte>.Shared)
+                .ConfigureAwait(false);
+
+            bool isVerified = await BouncyCastleCryptographicFunctions
+                .VerifyP256Async(data, signature.AsReadOnlyMemory(), publicKey.AsReadOnlyMemory())
+                .ConfigureAwait(false);
+
+            Assert.IsTrue(isVerified);
+        }
+
+
+        [TestMethod]
+        public async Task P384SignatureVerifies()
+        {
+            var keys = BouncyCastleKeyMaterialCreator.CreateP384Keys(SensitiveMemoryPool<byte>.Shared);
+            using var publicKey = keys.PublicKey;
+            using var privateKey = keys.PrivateKey;
+
+            ReadOnlyMemory<byte> data = TestData;
+            using var signature = await BouncyCastleCryptographicFunctions
+                .SignP384Async(privateKey.AsReadOnlyMemory(), data, SensitiveMemoryPool<byte>.Shared)
+                .ConfigureAwait(false);
+
+            bool isVerified = await BouncyCastleCryptographicFunctions
+                .VerifyP384Async(data, signature.AsReadOnlyMemory(), publicKey.AsReadOnlyMemory())
+                .ConfigureAwait(false);
+
+            Assert.IsTrue(isVerified);
+        }
+
+
+        [TestMethod]
+        public async Task P521SignatureVerifies()
+        {
+            var keys = BouncyCastleKeyMaterialCreator.CreateP521Keys(SensitiveMemoryPool<byte>.Shared);
+            using var publicKey = keys.PublicKey;
+            using var privateKey = keys.PrivateKey;
+
+            ReadOnlyMemory<byte> data = TestData;
+            using var signature = await BouncyCastleCryptographicFunctions
+                .SignP521Async(privateKey.AsReadOnlyMemory(), data, SensitiveMemoryPool<byte>.Shared)
+                .ConfigureAwait(false);
+
+            bool isVerified = await BouncyCastleCryptographicFunctions
+                .VerifyP521Async(data, signature.AsReadOnlyMemory(), publicKey.AsReadOnlyMemory())
+                .ConfigureAwait(false);
+
+            Assert.IsTrue(isVerified);
+        }
+
+
+        [TestMethod]
+        public async Task Secp256k1SignatureVerifies()
+        {
+            var keys = BouncyCastleKeyMaterialCreator.CreateSecp256k1Keys(SensitiveMemoryPool<byte>.Shared);
+            using var publicKey = keys.PublicKey;
+            using var privateKey = keys.PrivateKey;
+
+            ReadOnlyMemory<byte> data = TestData;
+            using var signature = await BouncyCastleCryptographicFunctions
+                .SignSecp256k1Async(privateKey.AsReadOnlyMemory(), data, SensitiveMemoryPool<byte>.Shared)
+                .ConfigureAwait(false);
+
+            bool isVerified = await BouncyCastleCryptographicFunctions
+                .VerifySecp256k1Async(data, signature.AsReadOnlyMemory(), publicKey.AsReadOnlyMemory())
+                .ConfigureAwait(false);
+
+            Assert.IsTrue(isVerified);
+        }
+
+
+        [TestMethod]
+        public async Task Rsa2048SignatureVerifies()
+        {
+            var keys = BouncyCastleKeyMaterialCreator.CreateRsa2048Keys(SensitiveMemoryPool<byte>.Shared);
+            using var publicKey = keys.PublicKey;
+            using var privateKey = keys.PrivateKey;
+
+            ReadOnlyMemory<byte> data = TestData;
+            using var signature = await BouncyCastleCryptographicFunctions
+                .SignRsa2048Async(privateKey.AsReadOnlyMemory(), data, SensitiveMemoryPool<byte>.Shared)
+                .ConfigureAwait(false);
+
+            bool isVerified = await BouncyCastleCryptographicFunctions
+                .VerifyRsa2048Async(data, signature.AsReadOnlyMemory(), publicKey.AsReadOnlyMemory())
+                .ConfigureAwait(false);
+
+            Assert.IsTrue(isVerified);
+        }
+
+
+        [TestMethod]
+        public async Task Rsa4096SignatureVerifies()
+        {
+            var keys = BouncyCastleKeyMaterialCreator.CreateRsa4096Keys(SensitiveMemoryPool<byte>.Shared);
+            using var publicKey = keys.PublicKey;
+            using var privateKey = keys.PrivateKey;
+
+            ReadOnlyMemory<byte> data = TestData;
+            using var signature = await BouncyCastleCryptographicFunctions
+                .SignRsa4096Async(privateKey.AsReadOnlyMemory(), data, SensitiveMemoryPool<byte>.Shared)
+                .ConfigureAwait(false);
+
+            bool isVerified = await BouncyCastleCryptographicFunctions
+                .VerifyRsa4096Async(data, signature.AsReadOnlyMemory(), publicKey.AsReadOnlyMemory())
+                .ConfigureAwait(false);
+
+            Assert.IsTrue(isVerified);
+        }
+
+
+        [TestMethod]
+        public void X25519KeyPairHasNonEmptyMaterial()
+        {
+            var keys = BouncyCastleKeyMaterialCreator.CreateX25519Keys(SensitiveMemoryPool<byte>.Shared);
+            using var publicKey = keys.PublicKey;
+            using var privateKey = keys.PrivateKey;
+
+            Assert.IsGreaterThan(0, publicKey.AsReadOnlySpan().Length);
+            Assert.IsGreaterThan(0, privateKey.AsReadOnlySpan().Length);
+        }
+
+
+        [TestMethod]
+        public async Task X25519SharedSecretDerivationProducesSameResultForBothParties()
+        {
+            var aliceKeys = BouncyCastleKeyMaterialCreator.CreateX25519Keys(SensitiveMemoryPool<byte>.Shared);
+            using var alicePublicKey = aliceKeys.PublicKey;
+            using var alicePrivateKey = aliceKeys.PrivateKey;
+
+            var bobKeys = BouncyCastleKeyMaterialCreator.CreateX25519Keys(SensitiveMemoryPool<byte>.Shared);
+            using var bobPublicKey = bobKeys.PublicKey;
+            using var bobPrivateKey = bobKeys.PrivateKey;
+
+            using var aliceSecret = await BouncyCastleCryptographicFunctions
+                .DeriveX25519SharedSecretAsync(alicePrivateKey.AsReadOnlyMemory(), bobPublicKey.AsReadOnlyMemory(), SensitiveMemoryPool<byte>.Shared)
+                .ConfigureAwait(false);
+
+            using var bobSecret = await BouncyCastleCryptographicFunctions
+                .DeriveX25519SharedSecretAsync(bobPrivateKey.AsReadOnlyMemory(), alicePublicKey.AsReadOnlyMemory(), SensitiveMemoryPool<byte>.Shared)
+                .ConfigureAwait(false);
+
+            Assert.IsTrue(aliceSecret.Memory.Span.SequenceEqual(bobSecret.Memory.Span));
+        }
     }
-}
+}