Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

g3bench: allow to verify all keyless result #570

Merged
merged 2 commits into from
Feb 21, 2025
Merged

g3bench: allow to verify all keyless result #570

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
2c627ff
g3bench: allow to verify all keyless result
zh-jq-b Feb 21, 2025
a2b86a8
g3bench: fix https proxy support for h2 target
zh-jq-b Feb 21, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 6 additions & 1 deletion g3bench/src/target/h2/opts.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -449,7 +449,12 @@ pub(super) fn parse_h2_args(args: &ArgMatches) -> anyhow::Result<BenchH2Args> {
if let Some(v) = args.get_one::<String>(HTTP_ARG_PROXY) {
let url = Url::parse(v).context(format!("invalid {HTTP_ARG_PROXY} value"))?;
let proxy = Proxy::try_from(&url).map_err(|e| anyhow!("invalid proxy: {e}"))?;
h2_args.connect_proxy = Some(proxy);
if let Proxy::Http(mut http_proxy) = proxy {
h2_args.proxy_tls.config = http_proxy.tls_config.take();
h2_args.connect_proxy = Some(Proxy::Http(http_proxy));
} else {
h2_args.connect_proxy = Some(proxy);
}
}

if args.get_flag(HTTP_ARG_NO_MULTIPLEX) {
Expand Down
164 changes: 146 additions & 18 deletions g3bench/src/target/keyless/opts.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,7 @@
const ARG_PAYLOAD: &str = "payload";
const ARG_DUMP_RESULT: &str = "dump-result";
const ARG_VERIFY: &str = "verify";
const ARG_VERIFY_DATA: &str = "verify-data";

const DIGEST_TYPES: [&str; 6] = ["md5sha1", "sha1", "sha224", "sha256", "sha384", "sha512"];
const RSA_PADDING_VALUES: [&str; 5] = ["PKCS1", "OAEP", "PSS", "X931", "NONE"];
Expand Down Expand Up @@ -172,7 +173,8 @@
pub(super) action: KeylessAction,
pub(super) payload: Vec<u8>,
dump_result: bool,
verify_result: Vec<u8>,
verify: bool,
verify_data: Vec<u8>,
}

impl KeylessGlobalArgs {
Expand Down Expand Up @@ -295,8 +297,9 @@
};

let dump_result = args.get_flag(ARG_DUMP_RESULT);
let verify_result = if let Some(s) = args.get_one::<String>(ARG_VERIFY) {
hex::decode(s.as_bytes()).map_err(|e| anyhow!("invalid verify value: {e}"))?
let verify = args.get_flag(ARG_VERIFY);
let verify_data = if let Some(s) = args.get_one::<String>(ARG_VERIFY_DATA) {
hex::decode(s.as_bytes()).map_err(|e| anyhow!("invalid verify data: {e}"))?
} else {
vec![]
};
Expand All @@ -308,7 +311,8 @@
action,
payload,
dump_result,
verify_result,
verify,
verify_data,
})
}

Expand All @@ -317,11 +321,56 @@
let hex_str = hex::encode(&data);
println!("== Output of task {task_id}:\n{hex_str}");
}
if !self.verify_result.is_empty() && self.verify_result != data {
return Err(anyhow!("result verify failed"));

if !self.verify {
return Ok(());

Check warning on line 326 in g3bench/src/target/keyless/opts.rs

View check run for this annotation

Codecov / codecov/patch

g3bench/src/target/keyless/opts.rs#L326 

Added line #L326 was not covered by tests
}

Ok(())
match self.action {
KeylessAction::RsaSign(digest, padding) => self.verify_rsa(digest, padding, &data),
KeylessAction::EcdsaSign(digest) => self.verify(digest, &data),
KeylessAction::Ed25519Sign => self.verify_ed(&data),

Check warning on line 332 in g3bench/src/target/keyless/opts.rs

View check run for this annotation

Codecov / codecov/patch

g3bench/src/target/keyless/opts.rs#L332 

Added line #L332 was not covered by tests
KeylessAction::Encrypt => {
let decrypted = self.decrypt_data(&data)?;
if decrypted != self.payload {
println!(" original: {data:?}\ndecrypted: {decrypted:?}");
Err(anyhow!("result data can't be decrypted to original"))

Check warning on line 337 in g3bench/src/target/keyless/opts.rs

View check run for this annotation

Codecov / codecov/patch

g3bench/src/target/keyless/opts.rs#L334-L337 

Added lines #L334 - L337 were not covered by tests
} else {
Ok(())

Check warning on line 339 in g3bench/src/target/keyless/opts.rs

View check run for this annotation

Codecov / codecov/patch

g3bench/src/target/keyless/opts.rs#L339 

Added line #L339 was not covered by tests
}
}
KeylessAction::RsaEncrypt(padding) => {
let decrypted = self.decrypt_rsa_data(padding, &data)?;
if decrypted != self.payload {
println!(" original: {data:?}\ndecrypted: {decrypted:?}");
Err(anyhow!("result data can't be decrypted to original"))

Check warning on line 346 in g3bench/src/target/keyless/opts.rs

View check run for this annotation

Codecov / codecov/patch

g3bench/src/target/keyless/opts.rs#L345-L346 

Added lines #L345 - L346 were not covered by tests
} else {
Ok(())
}
}
KeylessAction::RsaPrivateEncrypt(padding) => {
let decrypted = self.rsa_public_decrypt_data(padding, &data)?;
if decrypted != self.payload {
Err(anyhow!("result data can't be decrypted to original"))

Check warning on line 354 in g3bench/src/target/keyless/opts.rs

View check run for this annotation

Codecov / codecov/patch

g3bench/src/target/keyless/opts.rs#L354 

Added line #L354 was not covered by tests
} else {
Ok(())
}
}
_ => {
if self.verify_data.is_empty() {
return Err(anyhow!("expected data is needed to verify the result"));

Check warning on line 361 in g3bench/src/target/keyless/opts.rs

View check run for this annotation

Codecov / codecov/patch

g3bench/src/target/keyless/opts.rs#L361 

Added line #L361 was not covered by tests
}
if self.verify_data != data {
Err(anyhow!(
"result data not match:\nexpected: {:?}\n found: {:?}",
self.verify_data,
data
))
} else {
Ok(())

Check warning on line 370 in g3bench/src/target/keyless/opts.rs

View check run for this annotation

Codecov / codecov/patch

g3bench/src/target/keyless/opts.rs#L370 

Added line #L370 was not covered by tests
}
}
}
}

#[inline]
Expand All @@ -336,9 +385,8 @@
}

pub(super) fn encrypt(&self) -> anyhow::Result<Vec<u8>> {
let pkey = self.get_private_key()?;
let mut ctx =
PkeyCtx::new(pkey).map_err(|e| anyhow!("failed to create EVP_PKEY_CTX: {e}"))?;
let mut ctx = PkeyCtx::new(&self.public_key)
.map_err(|e| anyhow!("failed to create EVP_PKEY_CTX: {e}"))?;

Check warning on line 389 in g3bench/src/target/keyless/opts.rs

View check run for this annotation

Codecov / codecov/patch

g3bench/src/target/keyless/opts.rs#L388-L389 

Added lines #L388 - L389 were not covered by tests
ctx.encrypt_init()
.map_err(|e| anyhow!("encrypt init failed: {e}"))?;

Expand All @@ -349,9 +397,8 @@
}

pub(super) fn encrypt_rsa(&self, padding: KeylessRsaPadding) -> anyhow::Result<Vec<u8>> {
let pkey = self.get_private_key()?;
let mut ctx =
PkeyCtx::new(pkey).map_err(|e| anyhow!("failed to create EVP_PKEY_CTX: {e}"))?;
let mut ctx = PkeyCtx::new(&self.public_key)
.map_err(|e| anyhow!("failed to create EVP_PKEY_CTX: {e}"))?;
ctx.encrypt_init()
.map_err(|e| anyhow!("encrypt init failed: {e}"))?;
ctx.set_rsa_padding(padding.into())
Expand All @@ -364,19 +411,27 @@
}

pub(super) fn decrypt(&self) -> anyhow::Result<Vec<u8>> {
self.decrypt_data(&self.payload)
}

Check warning on line 415 in g3bench/src/target/keyless/opts.rs

View check run for this annotation

Codecov / codecov/patch

g3bench/src/target/keyless/opts.rs#L414-L415 

Added lines #L414 - L415 were not covered by tests

fn decrypt_data(&self, from: &[u8]) -> anyhow::Result<Vec<u8>> {

Check warning on line 417 in g3bench/src/target/keyless/opts.rs

View check run for this annotation

Codecov / codecov/patch

g3bench/src/target/keyless/opts.rs#L417 

Added line #L417 was not covered by tests
let pkey = self.get_private_key()?;
let mut ctx =
PkeyCtx::new(pkey).map_err(|e| anyhow!("failed to create EVP_PKEY_CTX: {e}"))?;
ctx.decrypt_init()
.map_err(|e| anyhow!("decrypt init failed: {e}"))?;

let mut buf = Vec::new();
ctx.decrypt_to_vec(&self.payload, &mut buf)
ctx.decrypt_to_vec(from, &mut buf)

Check warning on line 425 in g3bench/src/target/keyless/opts.rs

View check run for this annotation

Codecov / codecov/patch

g3bench/src/target/keyless/opts.rs#L425 

Added line #L425 was not covered by tests
.map_err(|e| anyhow!("decrypt failed: {e}"))?;
Ok(buf)
}

pub(super) fn decrypt_rsa(&self, padding: KeylessRsaPadding) -> anyhow::Result<Vec<u8>> {
self.decrypt_rsa_data(padding, &self.payload)
}

fn decrypt_rsa_data(&self, padding: KeylessRsaPadding, from: &[u8]) -> anyhow::Result<Vec<u8>> {
let pkey = self.get_private_key()?;
let mut ctx =
PkeyCtx::new(pkey).map_err(|e| anyhow!("failed to create EVP_PKEY_CTX: {e}"))?;
Expand All @@ -386,7 +441,7 @@
.map_err(|e| anyhow!("failed to set rsa padding: {e}"))?;

let mut buf = Vec::new();
ctx.decrypt_to_vec(&self.payload, &mut buf)
ctx.decrypt_to_vec(from, &mut buf)
.map_err(|e| anyhow!("decrypt failed: {e}"))?;
Ok(buf)
}
Expand All @@ -406,6 +461,24 @@
Ok(buf)
}

fn verify(&self, digest: KeylessSignDigest, sig: &[u8]) -> anyhow::Result<()> {
let mut ctx = PkeyCtx::new(&self.public_key)
.map_err(|e| anyhow!("failed to create EVP_PKEY_CTX: {e}"))?;
ctx.verify_init()
.map_err(|e| anyhow!("verify init failed: {e}"))?;
ctx.set_signature_md(digest.md())
.map_err(|e| anyhow!("failed to set signature digest type: {e}"))?;

let verified = ctx
.verify(&self.payload, sig)
.map_err(|e| anyhow!("verify failed: {e}"))?;
if verified {
Ok(())
} else {
Err(anyhow!("sign verify data failed"))

Check warning on line 478 in g3bench/src/target/keyless/opts.rs

View check run for this annotation

Codecov / codecov/patch

g3bench/src/target/keyless/opts.rs#L478 

Added line #L478 was not covered by tests
}
}

pub(super) fn sign_rsa(
&self,
digest: KeylessSignDigest,
Expand All @@ -427,6 +500,31 @@
Ok(buf)
}

fn verify_rsa(
&self,
digest: KeylessSignDigest,
padding: KeylessRsaPadding,
sig: &[u8],
) -> anyhow::Result<()> {
let mut ctx = PkeyCtx::new(&self.public_key)
.map_err(|e| anyhow!("failed to create EVP_PKEY_CTX: {e}"))?;
ctx.verify_init()
.map_err(|e| anyhow!("verify init failed: {e}"))?;
ctx.set_signature_md(digest.md())
.map_err(|e| anyhow!("failed to set signature digest type: {e}"))?;
ctx.set_rsa_padding(padding.into())
.map_err(|e| anyhow!("failed to set rsa padding type: {e}"))?;

let verified = ctx
.verify(&self.payload, sig)
.map_err(|e| anyhow!("verify failed: {e}"))?;
if verified {
Ok(())
} else {
Err(anyhow!("sign verify data failed"))

Check warning on line 524 in g3bench/src/target/keyless/opts.rs

View check run for this annotation

Codecov / codecov/patch

g3bench/src/target/keyless/opts.rs#L524 

Added line #L524 was not covered by tests
}
}

pub(super) fn sign_ed(&self) -> anyhow::Result<Vec<u8>> {
let pkey = self.get_private_key()?;
let mut ctx =
Expand All @@ -440,6 +538,22 @@
Ok(buf)
}

fn verify_ed(&self, sig: &[u8]) -> anyhow::Result<()> {
let mut ctx = PkeyCtx::new(&self.public_key)
.map_err(|e| anyhow!("failed to create EVP_PKEY_CTX: {e}"))?;
ctx.verify_init()
.map_err(|e| anyhow!("verify init failed: {e}"))?;

Check warning on line 545 in g3bench/src/target/keyless/opts.rs

View check run for this annotation

Codecov / codecov/patch

g3bench/src/target/keyless/opts.rs#L541-L545 

Added lines #L541 - L545 were not covered by tests

let verified = ctx
.verify(&self.payload, sig)
.map_err(|e| anyhow!("verify failed: {e}"))?;
if verified {
Ok(())

Check warning on line 551 in g3bench/src/target/keyless/opts.rs

View check run for this annotation

Codecov / codecov/patch

g3bench/src/target/keyless/opts.rs#L547-L551 

Added lines #L547 - L551 were not covered by tests
} else {
Err(anyhow!("sign verify data failed"))

Check warning on line 553 in g3bench/src/target/keyless/opts.rs

View check run for this annotation

Codecov / codecov/patch

g3bench/src/target/keyless/opts.rs#L553 

Added line #L553 was not covered by tests
}
}

Check warning on line 555 in g3bench/src/target/keyless/opts.rs

View check run for this annotation

Codecov / codecov/patch

g3bench/src/target/keyless/opts.rs#L555 

Added line #L555 was not covered by tests

pub(super) fn rsa_private_encrypt(
&self,
padding: KeylessRsaPadding,
Expand Down Expand Up @@ -467,6 +581,14 @@
}

pub(super) fn rsa_public_decrypt(&self, padding: KeylessRsaPadding) -> anyhow::Result<Vec<u8>> {
self.rsa_public_decrypt_data(padding, &self.payload)
}

fn rsa_public_decrypt_data(
&self,
padding: KeylessRsaPadding,
from: &[u8],
) -> anyhow::Result<Vec<u8>> {
let rsa = self
.public_key
.rsa()
Expand All @@ -475,15 +597,15 @@
let rsa_size = rsa.size() as usize;
let mut output_buf = vec![0u8; rsa_size];

let payload_len = self.payload.len();
let payload_len = from.len();
if payload_len != rsa_size {
return Err(anyhow!(
"payload length {payload_len} is not equal to RSA size {rsa_size}"
));
}

let len = rsa
.public_decrypt(&self.payload, &mut output_buf, padding.into())
.public_decrypt(from, &mut output_buf, padding.into())
.map_err(|e| anyhow!("rsa public decrypt failed: {e}"))?;
output_buf.truncate(len);
Ok(output_buf)
Expand Down Expand Up @@ -589,9 +711,15 @@
.arg(
Arg::new(ARG_VERIFY)
.help("Verify the result")
.num_args(1)
.action(ArgAction::SetTrue)
.long(ARG_VERIFY),
)
.arg(
Arg::new(ARG_VERIFY_DATA)
.help("Verify the result with the same data")
.num_args(1)
.long(ARG_VERIFY_DATA),
)
}

impl AppendKeylessArgs for Command {
Expand Down
7 changes: 7 additions & 0 deletions scripts/coverage/g3bench/mkcert.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,14 @@ cd "${SCRIPT_DIR}"

MKCERT="../../../target/debug/g3mkcert"

# for TLS

$MKCERT --root --common-name "g3 root" --output-cert rootCA.pem --output-key rootCA-key.pem

$MKCERT --tls-server --ca-cert rootCA.pem --ca-key rootCA-key.pem --host g3proxy.local --output-cert g3proxy.local.pem --output-key g3proxy.local-key.pem
$MKCERT --tls-server --ca-cert rootCA.pem --ca-key rootCA-key.pem --host httpbin.local --output-cert httpbin.local.pem --output-key httpbin.local-key.pem

# for Keyless

$MKCERT --root --common-name "g3 root" --output-cert rootCA-RSA.pem --output-key rootCA-RSA-key.pem --rsa 2048
$MKCERT --root --common-name "g3 root" --output-cert rootCA-EC.pem --output-key rootCA-EC-key.pem --ec256
2 changes: 2 additions & 0 deletions scripts/coverage/g3bench/run.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,8 @@ PROXY_PID=$!
# run g3bench integration tests

export SSL_CERT_FILE="${RUN_DIR}/rootCA.pem"
export RSA_KEY_FILE="${RUN_DIR}/rootCA-RSA-key.pem"
export EC_KEY_FILE="${RUN_DIR}/rootCA-EC-key.pem"

g3bench()
{
Expand Down
14 changes: 14 additions & 0 deletions scripts/coverage/g3bench/target_keyless_openssl.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@

# RSA

g3bench keyless openssl --key ${RSA_KEY_FILE} --sign --digest-type sha256 --verify "4d4dfb668f8c6ddd0227c03907515c58779914098a1bf8c169faafdea4d1b91d"

g3bench keyless openssl --key ${RSA_KEY_FILE} --encrypt --verify "abcdef"
g3bench keyless openssl --key ${RSA_KEY_FILE} --decrypt --verify --verify-data "abcdef" "540c543665ec51c75b2311f507a01336f2f527831f2294d354ae04642c5f26cf97dd91a9213384c1b991f04e8ce98053394e3d835c5892c42b0494637948d585830fa774e65566385ed91fa6da3277004469d9b3ed54e7ba19738e6e73ed286399d583cde6f2e73d21144b166c345f7f12355b58d5259d2ea4206f9fced27192d287285f0d988a1d400be4c27cc0a563fb6d82b1bfd77bcd2a916cd7f4473f4c13377aa8259e5994fe40f72689fb6e717eb6dbb48e08a5fefb8e09f57bcab29c83c8392cd641d66f73ccd6254f5286b3e61611d97a40209f79cbb6479a613b17e746a3559a33f756a13a9467f3eddba3f7939bd719085df04bed64ba9b59ef75"

g3bench keyless openssl --key ${RSA_KEY_FILE} --rsa-padding PKCS1 --rsa-private-encrypt --verify "abcdef"
g3bench keyless openssl --key ${RSA_KEY_FILE} --rsa-padding PKCS1 --rsa-public-decrypt --verify --verify-data "abcdef" "742e92ef67e6f1f0e37e2415172ec2e177e6ac688a7290bcf8c12a92f87f7ac82060e47a2d2d03c08cc82b369b495ddee2d37626424dcacef970632e1ef6ca2315c71910d0dc28feb9831dc7b13d7ee93fad650917bfeb674ff23720c8889aebe95b818d121837c1d4ef101837e88d02cb5599f3858162d0283701683102b5b5c9daf27d25820be740091704e038689855dea9e3fd75b1dcc8942d0f708d1a175584c9304b8e8e720b8c4d78b356f37a4bd908713d3bf3d74bf8c6b8f657d2158239eee621ec6f45c7bdd1f92bb2f9fcd71a39481d7bf7f4d0b439434bb2c9e3d9213400a36edf12222849e023393bccdb20113b0c800b71ce0f8e3a6f81720d"

# EC

g3bench keyless openssl --key ${EC_KEY_FILE} --sign --digest-type sha256 --verify "4d4dfb668f8c6ddd0227c03907515c58779914098a1bf8c169faafdea4d1b91d"
Loading