CMS: Basic tests for ML-DSA SignedData examples

Author: peterdettman

pkix/src/main/java/org/bouncycastle/cms/SignerInformation.java

@@ -341,6 +341,8 @@ private boolean doVerify(
         SignerInformationVerifier verifier)
         throws CMSException
     {
+        // TODO[cms] For pure signature algorithms, restrict digest algorithm to permitted set
+
         String encName = CMSSignedHelper.INSTANCE.getEncryptionAlgName(this.getEncryptionAlgOID());
         AlgorithmIdentifier realDigestAlgorithm = signedAttributeSet != null ?
             info.getDigestAlgorithm() : translateBrokenRSAPkcs7(encryptionAlgorithm, info.getDigestAlgorithm());

pkix/src/test/java/org/bouncycastle/cert/test/AllTests.java

@@ -23,8 +23,20 @@ public void setUp()
 
     public void testSimpleTests()
     {
-        org.bouncycastle.util.test.Test[] tests = new org.bouncycastle.util.test.Test[] { new CertTest(), new DANETest(), new PKCS10Test(), new AttrCertSelectorTest(), new AttrCertTest(), new X509ExtensionUtilsTest(),
-            new CertPathLoopTest(), new GOST3410_2012CMSTest(), new ExternalKeyTest() };
+        org.bouncycastle.util.test.Test[] tests = new org.bouncycastle.util.test.Test[]
+        {
+            new AttrCertSelectorTest(),
+            new AttrCertTest(),
+            new CertPathLoopTest(),
+            new CertTest(),
+            new DANETest(),
+            new ExternalKeyTest(),
+            new GOST3410_2012CMSTest(),
+            new GOSTR3410_2012_256GenerateCertificate(),
+            new MLDSACredentialsTest(),
+            new PKCS10Test(),
+            new X509ExtensionUtilsTest(),
+        };
 
         for (int i = 0; i != tests.length; i++)
         {

pkix/src/test/java/org/bouncycastle/cert/test/MLDSACredentialsTest.java

@@ -0,0 +1,41 @@
+package org.bouncycastle.cert.test;
+
+import java.security.GeneralSecurityException;
+import java.security.PublicKey;
+import java.security.Security;
+import java.security.cert.X509Certificate;
+
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.util.test.SimpleTest;
+
+public class MLDSACredentialsTest
+    extends SimpleTest
+{
+    public String getName()
+    {
+        return "MLDSACredentials";
+    }
+
+    public void performTest()
+        throws Exception
+    {
+        checkSampleCredentials(SampleCredentials.ML_DSA_44);
+        checkSampleCredentials(SampleCredentials.ML_DSA_65);
+        checkSampleCredentials(SampleCredentials.ML_DSA_87);
+    }
+
+    private static void checkSampleCredentials(SampleCredentials creds)
+        throws GeneralSecurityException
+    {
+        X509Certificate cert = creds.getCertificate();
+        PublicKey pubKey = cert.getPublicKey();
+        cert.verify(pubKey, BouncyCastleProvider.PROVIDER_NAME);
+    }
+
+    public static void main(String[] args)
+    {
+        Security.addProvider(new BouncyCastleProvider());
+
+        runTest(new MLDSACredentialsTest());
+    }
+}

pkix/src/test/java/org/bouncycastle/cert/test/SampleCredentials.java

@@ -0,0 +1,98 @@
+package org.bouncycastle.cert.test;
+
+import java.io.BufferedInputStream;
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.io.Reader;
+import java.security.KeyFactory;
+import java.security.KeyPair;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.security.Security;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+import java.security.spec.PKCS8EncodedKeySpec;
+import java.security.spec.X509EncodedKeySpec;
+
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.test.TestResourceFinder;
+import org.bouncycastle.util.io.pem.PemObject;
+import org.bouncycastle.util.io.pem.PemReader;
+import org.junit.Assert;
+
+public class SampleCredentials
+{
+    public static final SampleCredentials ML_DSA_44 = load("ML-DSA-44", "pkix/cert/mldsa", "ML-DSA-44.pem");
+    public static final SampleCredentials ML_DSA_65 = load("ML-DSA-65", "pkix/cert/mldsa", "ML-DSA-65.pem");
+    public static final SampleCredentials ML_DSA_87 = load("ML-DSA-87", "pkix/cert/mldsa", "ML-DSA-87.pem");
+
+    private static PemObject expectPemObject(PemReader pemReader, String type)
+        throws IOException
+    {
+        PemObject result = pemReader.readPemObject();
+        if (!type.equals(result.getType()))
+        {
+            throw new IllegalStateException();
+        }
+        return result;
+    }
+
+    private static SampleCredentials load(String algorithm, String path, String name)
+    {
+        try
+        {
+            if (Security.getProvider("BC") == null)
+            {
+                Security.addProvider(new BouncyCastleProvider());
+            }
+
+            InputStream input = new BufferedInputStream(TestResourceFinder.findTestResource(path, name));
+            Reader reader = new InputStreamReader(input);
+
+            PemReader pemReader = new PemReader(reader);
+            PemObject pemPub = expectPemObject(pemReader, "PRIVATE KEY");
+            PemObject pemPriv = expectPemObject(pemReader, "PUBLIC KEY");
+            PemObject pemCert = expectPemObject(pemReader, "CERTIFICATE");
+            pemReader.close();
+
+            KeyFactory kf = KeyFactory.getInstance(algorithm, BouncyCastleProvider.PROVIDER_NAME);
+            CertificateFactory cf = CertificateFactory.getInstance("X.509", BouncyCastleProvider.PROVIDER_NAME);
+
+            PrivateKey privateKey = kf.generatePrivate(new PKCS8EncodedKeySpec(pemPub.getContent()));
+            PublicKey publicKey = kf.generatePublic(new X509EncodedKeySpec(pemPriv.getContent()));
+            KeyPair keyPair = new KeyPair(publicKey, privateKey);
+
+            X509Certificate certificate = (X509Certificate)cf.generateCertificate(
+                new ByteArrayInputStream(pemCert.getContent()));
+
+            Assert.assertEquals(publicKey, certificate.getPublicKey());
+
+            return new SampleCredentials(keyPair, certificate);
+        }
+        catch (Exception e)
+        {
+            throw new RuntimeException(e);
+        }
+    }
+
+    private final KeyPair keyPair;
+    private final X509Certificate certificate;
+
+    private SampleCredentials(KeyPair keyPair, X509Certificate certificate)
+    {
+        this.keyPair = keyPair;
+        this.certificate = certificate;
+    }
+
+    public X509Certificate getCertificate()
+    {
+        return certificate;
+    }
+
+    public KeyPair getKeyPair()
+    {
+        return keyPair;
+    }
+}

pkix/src/test/java/org/bouncycastle/cms/test/NewSignedDataTest.java

@@ -1,8 +1,12 @@
 package org.bouncycastle.cms.test;
 
+import java.io.BufferedInputStream;
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
 import java.io.OutputStream;
+import java.io.Reader;
 import java.security.KeyFactory;
 import java.security.KeyPair;
 import java.security.MessageDigest;
@@ -68,6 +72,7 @@
 import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
 import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
 import org.bouncycastle.cert.ocsp.OCSPResp;
+import org.bouncycastle.cert.test.SampleCredentials;
 import org.bouncycastle.cms.CMSAbsentContent;
 import org.bouncycastle.cms.CMSAlgorithm;
 import org.bouncycastle.cms.CMSAttributeTableGenerationException;
@@ -106,10 +111,13 @@
 import org.bouncycastle.operator.bc.BcRSAContentSignerBuilder;
 import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
 import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
+import org.bouncycastle.test.TestResourceFinder;
 import org.bouncycastle.util.CollectionStore;
 import org.bouncycastle.util.Store;
 import org.bouncycastle.util.encoders.Base64;
 import org.bouncycastle.util.io.Streams;
+import org.bouncycastle.util.io.pem.PemObject;
+import org.bouncycastle.util.io.pem.PemReader;
 
 public class NewSignedDataTest
     extends TestCase
@@ -689,6 +697,29 @@ public class NewSignedDataTest
             "CiwhMCLDeeEBOdxWZHVbIiFnnRTQqyIDGAOSSIUmjE/pMPKpPvumkCGq2r9GxPV9\n" +
             "YlpnThaYbDCnWg8tbWYAAAAAAAA=");
 
+    private static byte[] signedData_mldsa44 = loadPemContents("pkix/cms/mldsa", "SignedData_ML-DSA-44.pem");
+    private static byte[] signedData_mldsa65 = loadPemContents("pkix/cms/mldsa", "SignedData_ML-DSA-65.pem");
+    private static byte[] signedData_mldsa87 = loadPemContents("pkix/cms/mldsa", "SignedData_ML-DSA-87.pem");
+
+    private static byte[] loadPemContents(String path, String name)
+    {
+        try
+        {
+            InputStream input = new BufferedInputStream(TestResourceFinder.findTestResource(path, name));
+            Reader reader = new InputStreamReader(input);
+
+            PemReader pemReader = new PemReader(reader);
+            PemObject pemObject = pemReader.readPemObject();
+            pemReader.close();
+
+            return pemObject.getContent();
+        }
+        catch (Exception e)
+        {
+            throw new RuntimeException(e);
+        }
+    }
+
     static
     {
         noParams.add(X9ObjectIdentifiers.ecdsa_with_SHA1);
@@ -3447,6 +3478,24 @@ public void testForMultipleCounterSignatures()
         }
     }
 
+    public void testVerifySignedDataMLDsa44()
+        throws Exception
+    {
+        implTestVerifySignedData(signedData_mldsa44, SampleCredentials.ML_DSA_44);
+    }
+
+    public void testVerifySignedDataMLDsa65()
+        throws Exception
+    {
+        implTestVerifySignedData(signedData_mldsa65, SampleCredentials.ML_DSA_65);
+    }
+
+    public void testVerifySignedDataMLDsa87()
+        throws Exception
+    {
+        implTestVerifySignedData(signedData_mldsa87, SampleCredentials.ML_DSA_87);
+    }
+
     private void verifySignatures(CMSSignedDataParser sp)
         throws Exception
     {
@@ -3468,6 +3517,21 @@ private void verifySignatures(CMSSignedDataParser sp)
         }
     }
 
+    private static void implTestVerifySignedData(byte[] signedData, SampleCredentials credentials)
+        throws Exception
+    {
+        CMSSignedData sd = new CMSSignedData(signedData);
+
+        assertTrue(sd.verifySignatures(new SignerInformationVerifierProvider()
+        {
+            public SignerInformationVerifier get(SignerId signerId)
+                throws OperatorCreationException
+            {
+                return new JcaSimpleSignerInfoVerifierBuilder().setProvider(BC).build(credentials.getCertificate());
+            }
+        }));
+    }
+
     private static class TestCMSSignatureAlgorithmNameGenerator
         extends DefaultCMSSignatureAlgorithmNameGenerator
     {