|
| 1 | +// SPDX-FileCopyrightText: 2026 The Pion community <https://pion.ly> |
| 2 | +// SPDX-License-Identifier: MIT |
| 3 | + |
| 4 | +package signaturehash |
| 5 | + |
| 6 | +import ( |
| 7 | + "testing" |
| 8 | + |
| 9 | + "github.com/pion/dtls/v3/pkg/crypto/hash" |
| 10 | + "github.com/pion/dtls/v3/pkg/crypto/signature" |
| 11 | + "github.com/stretchr/testify/assert" |
| 12 | +) |
| 13 | + |
| 14 | +func TestAlgorithms13(t *testing.T) { |
| 15 | + algos := Algorithms13() |
| 16 | + |
| 17 | + // Verify we got expected number of algorithms |
| 18 | + // ECDSA (3) + Ed25519 (1) + RSA-PSS (3) + RSA PKCS#1 (3) = 10 |
| 19 | + assert.Len(t, algos, 10, "Algorithms13 should return 10 signature schemes") |
| 20 | + |
| 21 | + // Verify ECDSA schemes come first (industry standard preference) |
| 22 | + assert.Equal(t, Algorithm{hash.SHA256, signature.ECDSA}, algos[0]) |
| 23 | + assert.Equal(t, Algorithm{hash.SHA384, signature.ECDSA}, algos[1]) |
| 24 | + assert.Equal(t, Algorithm{hash.SHA512, signature.ECDSA}, algos[2]) |
| 25 | + |
| 26 | + // Verify Ed25519 |
| 27 | + assert.Equal(t, Algorithm{hash.Ed25519, signature.Ed25519}, algos[3]) |
| 28 | + |
| 29 | + // Verify RSA-PSS schemes (TLS 1.3 preference for RSA) |
| 30 | + assert.Equal(t, Algorithm{hash.SHA256, signature.RSA_PSS_RSAE_SHA256}, algos[4]) |
| 31 | + assert.Equal(t, Algorithm{hash.SHA384, signature.RSA_PSS_RSAE_SHA384}, algos[5]) |
| 32 | + assert.Equal(t, Algorithm{hash.SHA512, signature.RSA_PSS_RSAE_SHA512}, algos[6]) |
| 33 | + |
| 34 | + // Verify RSA PKCS#1 v1.5 schemes come last (TLS 1.2 compatibility) |
| 35 | + assert.Equal(t, Algorithm{hash.SHA256, signature.RSA}, algos[7]) |
| 36 | + assert.Equal(t, Algorithm{hash.SHA384, signature.RSA}, algos[8]) |
| 37 | + assert.Equal(t, Algorithm{hash.SHA512, signature.RSA}, algos[9]) |
| 38 | +} |
| 39 | + |
| 40 | +func TestAlgorithms_DTLS12_ExcludesRSAPSS(t *testing.T) { |
| 41 | + algos := Algorithms() |
| 42 | + |
| 43 | + // Verify DTLS 1.2 algorithms exclude RSA-PSS schemes |
| 44 | + for _, algo := range algos { |
| 45 | + assert.False(t, algo.Signature.IsPSS(), |
| 46 | + "Algorithms() for DTLS 1.2 should not include RSA-PSS schemes (found %v)", algo) |
| 47 | + } |
| 48 | + |
| 49 | + // Verify we still have RSA PKCS#1 v1.5 |
| 50 | + hasRSA := false |
| 51 | + for _, algo := range algos { |
| 52 | + if algo.Signature == signature.RSA { |
| 53 | + hasRSA = true |
| 54 | + |
| 55 | + break |
| 56 | + } |
| 57 | + } |
| 58 | + assert.True(t, hasRSA, "Algorithms() should include RSA PKCS#1 v1.5 schemes") |
| 59 | +} |
| 60 | + |
| 61 | +func TestAlgorithms13_IncludesRSAPSS(t *testing.T) { |
| 62 | + algos := Algorithms13() |
| 63 | + |
| 64 | + // Verify DTLS 1.3 algorithms include RSA-PSS schemes |
| 65 | + hasRSAPSS := false |
| 66 | + for _, algo := range algos { |
| 67 | + if algo.Signature.IsPSS() { |
| 68 | + hasRSAPSS = true |
| 69 | + |
| 70 | + break |
| 71 | + } |
| 72 | + } |
| 73 | + assert.True(t, hasRSAPSS, "Algorithms13() should include RSA-PSS schemes") |
| 74 | + |
| 75 | + // Verify we still have RSA PKCS#1 v1.5 for backward compatibility |
| 76 | + hasRSA := false |
| 77 | + for _, algo := range algos { |
| 78 | + if algo.Signature == signature.RSA { |
| 79 | + hasRSA = true |
| 80 | + |
| 81 | + break |
| 82 | + } |
| 83 | + } |
| 84 | + assert.True(t, hasRSA, "Algorithms13() should include RSA PKCS#1 v1.5 for backward compatibility") |
| 85 | +} |
| 86 | + |
| 87 | +func TestAlgorithms13_RSAPSSBeforePKCS1(t *testing.T) { |
| 88 | + algos := Algorithms13() |
| 89 | + |
| 90 | + // Find positions of first RSA-PSS and first RSA PKCS#1 schemes |
| 91 | + firstRSAPSS := -1 |
| 92 | + firstRSA := -1 |
| 93 | + |
| 94 | + for i, algo := range algos { |
| 95 | + if firstRSAPSS == -1 && algo.Signature.IsPSS() { |
| 96 | + firstRSAPSS = i |
| 97 | + } |
| 98 | + if firstRSA == -1 && algo.Signature == signature.RSA { |
| 99 | + firstRSA = i |
| 100 | + } |
| 101 | + } |
| 102 | + |
| 103 | + // In TLS 1.3, RSA-PSS should be preferred over RSA PKCS#1 v1.5 |
| 104 | + assert.NotEqual(t, -1, firstRSAPSS, "Should find RSA-PSS schemes") |
| 105 | + assert.NotEqual(t, -1, firstRSA, "Should find RSA PKCS#1 schemes") |
| 106 | + assert.Less(t, firstRSAPSS, firstRSA, |
| 107 | + "RSA-PSS schemes should come before RSA PKCS#1 in Algorithms13() for TLS 1.3 preference") |
| 108 | +} |
0 commit comments