Add integration test for wrong ECC signature scenario

yosuke-wolfssl · yosuke-wolfssl · commit 80ee84e1315c · 2026-05-11T16:37:48.000+09:00
diff --git a/tests/auth.c b/tests/auth.c
@@ -707,6 +707,56 @@ static void test_pubkey_auth_ecc(void)
 
     run_pubkey_test(&sCtx, &cCtx, WS_SUCCESS);
 }
+
+/* Negative test: correct ECC public key presented (passes the authorized-key
+ * hash check) but the client signs with a corrupted private key.  The wrong
+ * signature must reach and be rejected by DoUserAuthRequestEcc rather than
+ * failing on the earlier key-type mismatch path.
+ */
+static void test_pubkey_auth_ecc_bad_sig(void)
+{
+    PubkeyServerCtx sCtx;
+    PubkeyClientCtx cCtx;
+    byte  pubKeyBuf[256];
+    byte* p = pubKeyBuf;
+    word32 pubKeySz = sizeof(pubKeyBuf);
+    const byte* pubKeyType   = NULL;
+    word32      pubKeyTypeSz = 0;
+    /* Flip one byte inside the private scalar of the DER blob.
+     * Byte 10 lands in the scalar for all three NIST curves:
+     * P-256 scalar starts at DER byte 7; P-384/P-521 start at byte 8.
+     * So the value remains within the curve order
+     * and the key remains signable */
+    byte  badPrivDer[sizeof(hanselPrivateEcc)];
+    byte  badPrivBuf[256];
+    byte* badPrivPtr = badPrivBuf;
+    word32 badPrivSz = sizeof(badPrivBuf);
+    const byte* badPrivType   = NULL;
+    word32      badPrivTypeSz = 0;
+
+    printf("Testing ECC pubkey auth rejection with tampered signature\n");
+
+    AssertIntEQ(wolfSSH_ReadKey_buffer((const byte*)hanselPublicEcc,
+            (word32)WSTRLEN(hanselPublicEcc), WOLFSSH_FORMAT_SSH,
+            &p, &pubKeySz, &pubKeyType, &pubKeyTypeSz, NULL), WS_SUCCESS);
+    AssertIntEQ(wc_Sha256Hash(pubKeyBuf, pubKeySz, sCtx.hash), 0);
+
+    WMEMCPY(badPrivDer, hanselPrivateEcc, hanselPrivateEccSz);
+    badPrivDer[10] ^= 0xFF;
+    AssertIntEQ(wolfSSH_ReadKey_buffer(badPrivDer, hanselPrivateEccSz,
+            WOLFSSH_FORMAT_ASN1,
+            &badPrivPtr, &badPrivSz, &badPrivType, &badPrivTypeSz, NULL),
+            WS_SUCCESS);
+
+    cCtx.publicKeyType   = pubKeyType;
+    cCtx.publicKeyTypeSz = pubKeyTypeSz;
+    cCtx.publicKey       = pubKeyBuf;
+    cCtx.publicKeySz     = pubKeySz;
+    cCtx.privateKey      = badPrivBuf;
+    cCtx.privateKeySz    = badPrivSz;
+
+    run_pubkey_test(&sCtx, &cCtx, WS_FATAL_ERROR);
+}
 #endif /* WOLFSSH_NO_ECC */
 
 #if !defined(WOLFSSH_NO_RSA) && !defined(WOLFSSH_NO_ECC)
@@ -1511,6 +1561,7 @@ int wolfSSH_AuthTest(int argc, char** argv)
 #endif
 #ifndef WOLFSSH_NO_ECC
     test_pubkey_auth_ecc();
+    test_pubkey_auth_ecc_bad_sig();
 #endif
 #if !defined(WOLFSSH_NO_RSA) && !defined(WOLFSSH_NO_ECC)
     test_pubkey_auth_wrong_key();
