diff options
Diffstat (limited to 'keystore-cts/java')
19 files changed, 0 insertions, 8736 deletions
diff --git a/keystore-cts/java/com/google/security/wycheproof/CertificateUtil.java b/keystore-cts/java/com/google/security/wycheproof/CertificateUtil.java deleted file mode 100644 index d5d343a..0000000 --- a/keystore-cts/java/com/google/security/wycheproof/CertificateUtil.java +++ /dev/null @@ -1,83 +0,0 @@ -/** - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package com.google.security.wycheproof; - -import org.bouncycastle.asn1.x500.X500Name; -import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; -import org.bouncycastle.cert.X509CertificateHolder; -import org.bouncycastle.cert.X509v3CertificateBuilder; -import org.bouncycastle.operator.OperatorCreationException; -import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder; -import java.io.ByteArrayInputStream; -import java.io.IOException; -import java.math.BigInteger; -import java.security.KeyPair; -import java.security.SecureRandom; -import java.security.cert.CertificateException; -import java.security.cert.CertificateFactory; -import java.security.cert.X509Certificate; -import java.util.Date; -import javax.security.auth.x500.X500Principal; - -/** Certificate utilities */ -public class CertificateUtil { - - public static X509Certificate createCertificate( - KeyPair keyPair, X500Principal subject, X500Principal issuer) - throws OperatorCreationException, CertificateException, IOException { - // Make the certificate valid for two days. - long millisPerDay = 24 * 60 * 60 * 1000; - long now = System.currentTimeMillis(); - Date start = new Date(now - millisPerDay); - Date end = new Date(now + millisPerDay); - - // Assign a random serial number. - byte[] serialBytes = new byte[16]; - new SecureRandom().nextBytes(serialBytes); - BigInteger serialNumber = new BigInteger(1, serialBytes); - - // Create the certificate builder - X509v3CertificateBuilder x509cg = - new X509v3CertificateBuilder( - X500Name.getInstance(issuer.getEncoded()), - serialNumber, - start, - end, - X500Name.getInstance(subject.getEncoded()), - SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded())); - - // Choose a signature algorithm matching the key format. - String keyAlgorithm = keyPair.getPrivate().getAlgorithm(); - String signatureAlgorithm; - if (keyAlgorithm.equals("RSA")) { - signatureAlgorithm = "SHA256withRSA"; - } else if (keyAlgorithm.equals("EC")) { - signatureAlgorithm = "SHA256withECDSA"; - } else { - throw new IllegalArgumentException("Unknown key algorithm " + keyAlgorithm); - } - - // Sign the certificate and generate it. - X509CertificateHolder x509holder = - x509cg.build( - new JcaContentSignerBuilder(signatureAlgorithm) - .build(keyPair.getPrivate())); - CertificateFactory certFactory = CertificateFactory.getInstance("X.509"); - X509Certificate x509c = - (X509Certificate) - certFactory.generateCertificate( - new ByteArrayInputStream(x509holder.getEncoded())); - return x509c; - } -} diff --git a/keystore-cts/java/com/google/security/wycheproof/EcUtil.java b/keystore-cts/java/com/google/security/wycheproof/EcUtil.java deleted file mode 100644 index 56c6548..0000000 --- a/keystore-cts/java/com/google/security/wycheproof/EcUtil.java +++ /dev/null @@ -1,525 +0,0 @@ -/** - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package com.google.security.wycheproof; - -import java.math.BigInteger; -import java.security.AlgorithmParameters; -import java.security.GeneralSecurityException; -import java.security.KeyPair; -import java.security.KeyPairGenerator; -import java.security.NoSuchAlgorithmException; -import java.security.interfaces.ECPublicKey; -import java.security.spec.ECField; -import java.security.spec.ECFieldFp; -import java.security.spec.ECGenParameterSpec; -import java.security.spec.ECParameterSpec; -import java.security.spec.ECPoint; -import java.security.spec.ECPublicKeySpec; -import java.security.spec.EllipticCurve; -import java.security.spec.InvalidParameterSpecException; -import java.util.Arrays; - -/** - * Some utilities for testing Elliptic curve crypto. This code is for testing only and hasn't been - * reviewed for production. - */ -public class EcUtil { - /** - * Returns the ECParameterSpec for a named curve. Not every provider implements the - * AlgorithmParameters. Therefore, most tests use alternative functions. - */ - public static ECParameterSpec getCurveSpec(String name) - throws NoSuchAlgorithmException, InvalidParameterSpecException { - AlgorithmParameters parameters = AlgorithmParameters.getInstance("EC"); - parameters.init(new ECGenParameterSpec(name)); - return parameters.getParameterSpec(ECParameterSpec.class); - } - - public static void printParameters(ECParameterSpec spec) { - System.out.println("cofactor:" + spec.getCofactor()); - EllipticCurve curve = spec.getCurve(); - System.out.println("A:" + curve.getA()); - System.out.println("B:" + curve.getB()); - ECField field = curve.getField(); - System.out.println("field size:" + field.getFieldSize()); - if (field instanceof ECFieldFp) { - ECFieldFp fp = (ECFieldFp) field; - System.out.println("P:" + fp.getP()); - } - ECPoint generator = spec.getGenerator(); - System.out.println("Gx:" + generator.getAffineX()); - System.out.println("Gy:" + generator.getAffineY()); - System.out.println("order:" + spec.getOrder()); - } - - /** Returns the bit size of a given curve. TODO(bleichen): add all curves that are tested. */ - public static int getCurveSize(String name) throws NoSuchAlgorithmException { - name = name.toLowerCase(); - if (name.equals("secp224r1")) { - return 224; - } else if (name.equals("secp256r1")) { - return 256; - } else if (name.equals("secp384r1")) { - return 384; - } else if (name.equals("secp521r1")) { - return 521; - } else if (name.equals("secp256k1")) { - return 256; - } else if (name.equals("brainpoolp224r1")) { - return 224; - } else if (name.equals("brainpoolp224t1")) { - return 224; - } else if (name.equals("brainpoolp256r1")) { - return 256; - } else if (name.equals("brainpoolp256t1")) { - return 256; - } else if (name.equals("brainpoolp320r1")) { - return 320; - } else if (name.equals("brainpoolp320t1")) { - return 320; - } else if (name.equals("brainpoolp384r1")) { - return 384; - } else if (name.equals("brainpoolp384t1")) { - return 384; - } else if (name.equals("brainpoolp512r1")) { - return 512; - } else if (name.equals("brainpoolp512t1")) { - return 512; - } else { - throw new NoSuchAlgorithmException("Curve not implemented:" + name); - } - } - - /** - * Returns the ECParameterSpec for a named curve. Only a handful curves that are used in the tests - * are implemented. - */ - public static ECParameterSpec getCurveSpecRef(String name) throws NoSuchAlgorithmException { - if (name.equals("secp224r1")) { - return getNistP224Params(); - } else if (name.equals("secp256r1")) { - return getNistP256Params(); - } else if (name.equals("secp384r1")) { - return getNistP384Params(); - } else if (name.equals("secp521r1")) { - return getNistP521Params(); - } else if (name.equals("brainpoolp224r1")) { - return getBrainpoolP224r1Params(); - } else if (name.equals("brainpoolp256r1")) { - return getBrainpoolP256r1Params(); - } else { - throw new NoSuchAlgorithmException("Curve not implemented:" + name); - } - } - - public static ECParameterSpec getNistCurveSpec( - String decimalP, String decimalN, String hexB, String hexGX, String hexGY) { - final BigInteger p = new BigInteger(decimalP); - final BigInteger n = new BigInteger(decimalN); - final BigInteger three = new BigInteger("3"); - final BigInteger a = p.subtract(three); - final BigInteger b = new BigInteger(hexB, 16); - final BigInteger gx = new BigInteger(hexGX, 16); - final BigInteger gy = new BigInteger(hexGY, 16); - final int h = 1; - ECFieldFp fp = new ECFieldFp(p); - java.security.spec.EllipticCurve curveSpec = new java.security.spec.EllipticCurve(fp, a, b); - ECPoint g = new ECPoint(gx, gy); - ECParameterSpec ecSpec = new ECParameterSpec(curveSpec, g, n, h); - return ecSpec; - } - - public static ECParameterSpec getNistP224Params() { - return getNistCurveSpec( - "26959946667150639794667015087019630673557916260026308143510066298881", - "26959946667150639794667015087019625940457807714424391721682722368061", - "b4050a850c04b3abf54132565044b0b7d7bfd8ba270b39432355ffb4", - "b70e0cbd6bb4bf7f321390b94a03c1d356c21122343280d6115c1d21", - "bd376388b5f723fb4c22dfe6cd4375a05a07476444d5819985007e34"); - } - - public static ECParameterSpec getNistP256Params() { - return getNistCurveSpec( - "115792089210356248762697446949407573530086143415290314195533631308867097853951", - "115792089210356248762697446949407573529996955224135760342422259061068512044369", - "5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b", - "6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296", - "4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5"); - } - - public static ECParameterSpec getNistP384Params() { - return getNistCurveSpec( - "3940200619639447921227904010014361380507973927046544666794829340" - + "4245721771496870329047266088258938001861606973112319", - "3940200619639447921227904010014361380507973927046544666794690527" - + "9627659399113263569398956308152294913554433653942643", - "b3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875a" - + "c656398d8a2ed19d2a85c8edd3ec2aef", - "aa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a38" - + "5502f25dbf55296c3a545e3872760ab7", - "3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c0" - + "0a60b1ce1d7e819d7a431d7c90ea0e5f"); - } - - public static ECParameterSpec getNistP521Params() { - return getNistCurveSpec( - "6864797660130609714981900799081393217269435300143305409394463459" - + "18554318339765605212255964066145455497729631139148085803712198" - + "7999716643812574028291115057151", - "6864797660130609714981900799081393217269435300143305409394463459" - + "18554318339765539424505774633321719753296399637136332111386476" - + "8612440380340372808892707005449", - "051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef10" - + "9e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00", - "c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3d" - + "baa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66", - "11839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e6" - + "62c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650"); - } - - public static ECParameterSpec getBrainpoolP224r1Params() { - // name = "brainpoolP224r1", - // oid = '2b2403030208010105', - // ref = "RFC 5639", - BigInteger p = new BigInteger("D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF", 16); - BigInteger a = new BigInteger("68A5E62CA9CE6C1C299803A6C1530B514E182AD8B0042A59CAD29F43", 16); - BigInteger b = new BigInteger("2580F63CCFE44138870713B1A92369E33E2135D266DBB372386C400B", 16); - BigInteger x = new BigInteger("0D9029AD2C7E5CF4340823B2A87DC68C9E4CE3174C1E6EFDEE12C07D", 16); - BigInteger y = new BigInteger("58AA56F772C0726F24C6B89E4ECDAC24354B9E99CAA3F6D3761402CD", 16); - BigInteger n = new BigInteger("D7C134AA264366862A18302575D0FB98D116BC4B6DDEBCA3A5A7939F", 16); - final int h = 1; - ECFieldFp fp = new ECFieldFp(p); - EllipticCurve curve = new EllipticCurve(fp, a, b); - ECPoint g = new ECPoint(x, y); - return new ECParameterSpec(curve, g, n, h); - } - - public static ECParameterSpec getBrainpoolP256r1Params() { - BigInteger p = - new BigInteger("A9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377", 16); - BigInteger a = - new BigInteger("7D5A0975FC2C3057EEF67530417AFFE7FB8055C126DC5C6CE94A4B44F330B5D9", 16); - BigInteger b = - new BigInteger("26DC5C6CE94A4B44F330B5D9BBD77CBF958416295CF7E1CE6BCCDC18FF8C07B6", 16); - BigInteger x = - new BigInteger("8BD2AEB9CB7E57CB2C4B482FFC81B7AFB9DE27E1E3BD23C23A4453BD9ACE3262", 16); - BigInteger y = - new BigInteger("547EF835C3DAC4FD97F8461A14611DC9C27745132DED8E545C1D54C72F046997", 16); - BigInteger n = - new BigInteger("A9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7", 16); - final int h = 1; - ECFieldFp fp = new ECFieldFp(p); - EllipticCurve curve = new EllipticCurve(fp, a, b); - ECPoint g = new ECPoint(x, y); - return new ECParameterSpec(curve, g, n, h); - } - - /** - * Compute the Legendre symbol of x mod p. This implementation is slow. Faster would be the - * computation for the Jacobi symbol. - * - * @param x an integer - * @param p a prime modulus - * @returns 1 if x is a quadratic residue, -1 if x is a non-quadratic residue and 0 if x and p are - * not coprime. - * @throws GeneralSecurityException when the computation shows that p is not prime. - */ - public static int legendre(BigInteger x, BigInteger p) throws GeneralSecurityException { - BigInteger q = p.subtract(BigInteger.ONE).shiftRight(1); - BigInteger t = x.modPow(q, p); - if (t.equals(BigInteger.ONE)) { - return 1; - } else if (t.equals(BigInteger.ZERO)) { - return 0; - } else if (t.add(BigInteger.ONE).equals(p)) { - return -1; - } else { - throw new GeneralSecurityException("p is not prime"); - } - } - - /** - * Computes a modular square root. Timing and exceptions can leak information about the inputs. - * Therefore this method must only be used in tests. - * - * @param x the square - * @param p the prime modulus - * @returns a value s such that s^2 mod p == x mod p - * @throws GeneralSecurityException if the square root could not be found. - */ - public static BigInteger modSqrt(BigInteger x, BigInteger p) throws GeneralSecurityException { - if (p.signum() != 1) { - throw new GeneralSecurityException("p must be positive"); - } - x = x.mod(p); - BigInteger squareRoot = null; - // Special case for x == 0. - // This check is necessary for Cipolla's algorithm. - if (x.equals(BigInteger.ZERO)) { - return x; - } - if (p.testBit(0) && p.testBit(1)) { - // Case p % 4 == 3 - // q = (p + 1) / 4 - BigInteger q = p.add(BigInteger.ONE).shiftRight(2); - squareRoot = x.modPow(q, p); - } else if (p.testBit(0) && !p.testBit(1)) { - // Case p % 4 == 1 - // For this case we use Cipolla's algorithm. - // This alogorithm is preferrable to Tonelli-Shanks for primes p where p-1 is divisible by - // a large power of 2, which is a frequent choice since it simplifies modular reduction. - BigInteger a = BigInteger.ONE; - BigInteger d = null; - while (true) { - d = a.multiply(a).subtract(x).mod(p); - // Computes the Legendre symbol. Using the Jacobi symbol would be a faster. Using Legendre - // has the advantage, that it detects a non prime p with high probability. - // On the other hand if p = q^2 then the Jacobi (d/p)==1 for almost all d's and thus - // using the Jacobi symbol here can result in an endless loop with invalid inputs. - int t = legendre(d, p); - if (t == -1) { - break; - } else { - a = a.add(BigInteger.ONE); - } - } - // Since d = a^2 - n is a non-residue modulo p, we have - // a - sqrt(d) == (a+sqrt(d))^p (mod p), - // and hence - // n == (a + sqrt(d))(a - sqrt(d) == (a+sqrt(d))^(p+1) (mod p). - // Thus if n is square then (a+sqrt(d))^((p+1)/2) (mod p) is a square root of n. - BigInteger q = p.add(BigInteger.ONE).shiftRight(1); - BigInteger u = a; - BigInteger v = BigInteger.ONE; - for (int bit = q.bitLength() - 2; bit >= 0; bit--) { - // Compute (u + v sqrt(d))^2 - BigInteger tmp = u.multiply(v); - u = u.multiply(u).add(v.multiply(v).mod(p).multiply(d)).mod(p); - v = tmp.add(tmp).mod(p); - if (q.testBit(bit)) { - tmp = u.multiply(a).add(v.multiply(d)).mod(p); - v = a.multiply(v).add(u).mod(p); - u = tmp; - } - } - squareRoot = u; - } - // The methods used to compute the square root only guarantee a correct result if the - // preconditions (i.e. p prime and x is a square) are satisfied. Otherwise the value is - // undefined. Hence, it is important to verify that squareRoot is indeed a square root. - if (squareRoot != null && squareRoot.multiply(squareRoot).mod(p).compareTo(x) != 0) { - throw new GeneralSecurityException("Could not find square root"); - } - return squareRoot; - } - - /** - * Returns the modulus of the field used by the curve specified in ecParams. - * - * @param curve must be a prime order elliptic curve - * @return the order of the finite field over which curve is defined. - */ - public static BigInteger getModulus(EllipticCurve curve) throws GeneralSecurityException { - java.security.spec.ECField field = curve.getField(); - if (field instanceof java.security.spec.ECFieldFp) { - return ((java.security.spec.ECFieldFp) field).getP(); - } else { - throw new GeneralSecurityException("Only curves over prime order fields are supported"); - } - } - - /** - * Returns the size of an element of the field over which the curve is defined. - * - * @param curve must be a prime order elliptic curve - * @return the size of an element in bits - */ - public static int fieldSizeInBits(EllipticCurve curve) throws GeneralSecurityException { - return getModulus(curve).subtract(BigInteger.ONE).bitLength(); - } - - /** - * Returns the size of an element of the field over which the curve is defined. - * - * @param curve must be a prime order elliptic curve - * @return the size of an element in bytes. - */ - public static int fieldSizeInBytes(EllipticCurve curve) throws GeneralSecurityException { - return (fieldSizeInBits(curve) + 7) / 8; - } - - /** - * Checks that a point is on a given elliptic curve. This method implements the partial public key - * validation routine from Section 5.6.2.6 of NIST SP 800-56A - * http://csrc.nist.gov/publications/nistpubs/800-56A/SP800-56A_Revision1_Mar08-2007.pdf A partial - * public key validation is sufficient for curves with cofactor 1. See Section B.3 of - * http://www.nsa.gov/ia/_files/SuiteB_Implementer_G-113808.pdf The point validations above are - * taken from recommendations for ECDH, because parameter checks in ECDH are much more important - * than for the case of ECDSA. Performing this test for ECDSA keys is mainly a sanity check. - * - * @param point the point that needs verification - * @param ec the elliptic curve. This must be a curve over a prime order field. - * @throws GeneralSecurityException if the field is binary or if the point is not on the curve. - */ - public static void checkPointOnCurve(ECPoint point, EllipticCurve ec) - throws GeneralSecurityException { - BigInteger p = getModulus(ec); - BigInteger x = point.getAffineX(); - BigInteger y = point.getAffineY(); - if (x == null || y == null) { - throw new GeneralSecurityException("point is at infinity"); - } - // Check 0 <= x < p and 0 <= y < p. - if (x.signum() == -1 || x.compareTo(p) != -1) { - throw new GeneralSecurityException("x is out of range"); - } - if (y.signum() == -1 || y.compareTo(p) != -1) { - throw new GeneralSecurityException("y is out of range"); - } - // Check y^2 == x^3 + a x + b (mod p) - BigInteger lhs = y.multiply(y).mod(p); - BigInteger rhs = x.multiply(x).add(ec.getA()).multiply(x).add(ec.getB()).mod(p); - if (!lhs.equals(rhs)) { - throw new GeneralSecurityException("Point is not on curve"); - } - } - - /** - * Checks a public key. I.e. this checks that the point defining the public key is on the curve. - * - * @param key must be a key defined over a curve using a prime order field. - * @throws GeneralSecurityException if the key is not valid. - */ - public static void checkPublicKey(ECPublicKey key) throws GeneralSecurityException { - checkPointOnCurve(key.getW(), key.getParams().getCurve()); - } - - /** - * Decompress a point - * - * @param x The x-coordinate of the point - * @param bit0 true if the least significant bit of y is set. - * @param ecParams contains the curve of the point. This must be over a prime order field. - */ - public static ECPoint getPoint(BigInteger x, boolean bit0, ECParameterSpec ecParams) - throws GeneralSecurityException { - EllipticCurve ec = ecParams.getCurve(); - ECField field = ec.getField(); - if (!(field instanceof ECFieldFp)) { - throw new GeneralSecurityException("Only curves over prime order fields are supported"); - } - BigInteger p = ((java.security.spec.ECFieldFp) field).getP(); - if (x.compareTo(BigInteger.ZERO) == -1 || x.compareTo(p) != -1) { - throw new GeneralSecurityException("x is out of range"); - } - // Compute rhs == x^3 + a x + b (mod p) - BigInteger rhs = x.multiply(x).add(ec.getA()).multiply(x).add(ec.getB()).mod(p); - BigInteger y = modSqrt(rhs, p); - if (bit0 != y.testBit(0)) { - y = p.subtract(y).mod(p); - } - return new ECPoint(x, y); - } - - /** - * Decompress a point on an elliptic curve. - * - * @param bytes The compressed point. Its representation is z || x where z is 2+lsb(y) and x is - * using a unsigned fixed length big-endian representation. - * @param ecParams the specification of the curve. Only Weierstrass curves over prime order fields - * are implemented. - */ - public static ECPoint decompressPoint(byte[] bytes, ECParameterSpec ecParams) - throws GeneralSecurityException { - EllipticCurve ec = ecParams.getCurve(); - ECField field = ec.getField(); - if (!(field instanceof ECFieldFp)) { - throw new GeneralSecurityException("Only curves over prime order fields are supported"); - } - BigInteger p = ((java.security.spec.ECFieldFp) field).getP(); - int expectedLength = 1 + (p.bitLength() + 7) / 8; - if (bytes.length != expectedLength) { - throw new GeneralSecurityException("compressed point has wrong length"); - } - boolean lsb; - switch (bytes[0]) { - case 2: - lsb = false; - break; - case 3: - lsb = true; - break; - default: - throw new GeneralSecurityException("Invalid format"); - } - BigInteger x = new BigInteger(1, Arrays.copyOfRange(bytes, 1, bytes.length)); - if (x.compareTo(BigInteger.ZERO) == -1 || x.compareTo(p) != -1) { - throw new GeneralSecurityException("x is out of range"); - } - // Compute rhs == x^3 + a x + b (mod p) - BigInteger rhs = x.multiply(x).add(ec.getA()).multiply(x).add(ec.getB()).mod(p); - BigInteger y = modSqrt(rhs, p); - if (lsb != y.testBit(0)) { - y = p.subtract(y).mod(p); - } - return new ECPoint(x, y); - } - - /** - * Returns a weak public key of order 3 such that the public key point is on the curve specified - * in ecParams. This method is used to check ECC implementations for missing step in the - * verification of the public key. E.g. implementations of ECDH must verify that the public key - * contains a point on the curve as well as public and secret key are using the same curve. - * - * @param ecParams the parameters of the key to attack. This must be a curve in Weierstrass form - * over a prime order field. - * @return a weak EC group with a genrator of order 3. - */ - public static ECPublicKeySpec getWeakPublicKey(ECParameterSpec ecParams) - throws GeneralSecurityException { - EllipticCurve curve = ecParams.getCurve(); - KeyPairGenerator keyGen = KeyPairGenerator.getInstance("EC"); - keyGen.initialize(ecParams); - BigInteger p = getModulus(curve); - BigInteger three = new BigInteger("3"); - while (true) { - // Generate a point on the original curve - KeyPair keyPair = keyGen.generateKeyPair(); - ECPublicKey pub = (ECPublicKey) keyPair.getPublic(); - ECPoint w = pub.getW(); - BigInteger x = w.getAffineX(); - BigInteger y = w.getAffineY(); - // Find the curve parameters a,b such that 3*w = infinity. - // This is the case if the following equations are satisfied: - // 3x == l^2 (mod p) - // l == (3x^2 + a) / 2*y (mod p) - // y^2 == x^3 + ax + b (mod p) - BigInteger l; - try { - l = modSqrt(x.multiply(three), p); - } catch (GeneralSecurityException ex) { - continue; - } - BigInteger xSqr = x.multiply(x).mod(p); - BigInteger a = l.multiply(y.add(y)).subtract(xSqr.multiply(three)).mod(p); - BigInteger b = y.multiply(y).subtract(x.multiply(xSqr.add(a))).mod(p); - EllipticCurve newCurve = new EllipticCurve(curve.getField(), a, b); - // Just a sanity check. - checkPointOnCurve(w, newCurve); - // Cofactor and order are of course wrong. - ECParameterSpec spec = new ECParameterSpec(newCurve, w, p, 1); - return new ECPublicKeySpec(w, spec); - } - } -} diff --git a/keystore-cts/java/com/google/security/wycheproof/JsonUtil.java b/keystore-cts/java/com/google/security/wycheproof/JsonUtil.java deleted file mode 100644 index 6ff9e2f..0000000 --- a/keystore-cts/java/com/google/security/wycheproof/JsonUtil.java +++ /dev/null @@ -1,91 +0,0 @@ -/** - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package com.google.security.wycheproof; - -import static java.nio.charset.StandardCharsets.UTF_8; - -import com.google.gson.JsonElement; -import com.google.gson.JsonObject; -import com.google.gson.JsonParseException; -import com.google.gson.JsonParser; -import com.google.gson.stream.JsonReader; -import java.io.FileInputStream; -import java.io.InputStream; -import java.io.InputStreamReader; -import java.io.IOException; -import java.math.BigInteger; - -/** Utilities for reading test vectors in JSON format */ -public class JsonUtil { - - /** - * Reads a set of test vectors from a file. - * @param filename the name of the file, local to the directory with the - * the test vectors. - * @return a JsonObject with a test - * @throws IOException if the test vectors could not be read. - * @throws JsonParseException if the file is not valid JSON. - */ - public static JsonObject getTestVectors(Class ref, String filename) throws - IOException { - // The directory where the test vectors are. - String testVectorsDir = "/"; - try (InputStream is = ref.getResourceAsStream(testVectorsDir + filename)) { - JsonReader reader = new JsonReader(new InputStreamReader(is, UTF_8)); - JsonParser parser = new JsonParser(); - JsonElement elem = parser.parse(reader); - return elem.getAsJsonObject(); - } - } - - /** - * Converts a JsonElement into a byte array. - * @param element a JsonElement containing an encoded byte array. - * Wycheproof represents byte arrays as hexadeciamal strings. - * @throws ClassCastException if element is not a valid string value. - * @throws IllegalStateException - if element contains an array. - */ - public static byte[] asByteArray(JsonElement element) { - String hex = element.getAsString(); - return TestUtil.hexToBytes(hex); - } - - /** - * Converts a JsonElement into a BigInteger. - * @param element a JsonElement containing a BigInteger. - * Wycheproof represents BigIntegers as hexadecimal strings using - * twos complement representation. - * <p> E.g., 31 is represented as "1f", -1 is represented as "f", and - * 255 is represented as "0ff". - * @throws ClassCastException if element is not a valid string value. - * @throws IllegalStateException if element contains an array. - * @throws NumberFormatException if representation of the BigInteger is invalid. - */ - public static BigInteger asBigInteger(JsonElement element) { - String hex = element.getAsString(); - return asBigInteger(hex); - } - public static BigInteger asBigInteger(String hex) { - // TODO(bleichen): Consider to change the representation of BigIntegers in - // Wycheproof as hexadecimal string with a sign. - if (hex.length() % 2 == 1) { - if (hex.charAt(0) >= '0' && hex.charAt(0) <= '7') { - hex = "0" + hex; - } else { - hex = "f" + hex; - } - } - return new BigInteger(TestUtil.hexToBytes(hex)); - } -} diff --git a/keystore-cts/java/com/google/security/wycheproof/TestUtil.java b/keystore-cts/java/com/google/security/wycheproof/TestUtil.java deleted file mode 100644 index 213bf5e..0000000 --- a/keystore-cts/java/com/google/security/wycheproof/TestUtil.java +++ /dev/null @@ -1,71 +0,0 @@ -/** - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package com.google.security.wycheproof; - -import java.nio.ByteBuffer; -import java.security.Provider; -import java.security.Security; - -/** Test utilities */ -public class TestUtil { - public static final String EXPECTED_PROVIDER_NAME = "AndroidKeyStore"; - public static final String EXPECTED_CRYPTO_OP_PROVIDER_NAME = "AndroidKeyStoreBCWorkaround"; - - public static String bytesToHex(byte[] bytes) { - // bytesToHex is used to convert output from Cipher. - // cipher.update can return null, which is equivalent to returning - // no plaitext rsp. ciphertext. - if (bytes == null) { - return ""; - } - String chars = "0123456789abcdef"; - StringBuilder result = new StringBuilder(2 * bytes.length); - for (byte b : bytes) { - // convert to unsigned - int val = b & 0xff; - result.append(chars.charAt(val / 16)); - result.append(chars.charAt(val % 16)); - } - return result.toString(); - } - - /** - * Returns a hexadecimal representation of the bytes written to ByteBuffer (i.e. all the bytes - * before position()). - */ - public static String byteBufferToHex(ByteBuffer buffer) { - ByteBuffer tmp = buffer.duplicate(); - tmp.flip(); - byte[] bytes = new byte[tmp.remaining()]; - tmp.get(bytes); - return bytesToHex(bytes); - } - - public static byte[] hexToBytes(String hex) throws IllegalArgumentException { - if (hex.length() % 2 != 0) { - throw new IllegalArgumentException("Expected a string of even length"); - } - int size = hex.length() / 2; - byte[] result = new byte[size]; - for (int i = 0; i < size; i++) { - int hi = Character.digit(hex.charAt(2 * i), 16); - int lo = Character.digit(hex.charAt(2 * i + 1), 16); - if ((hi == -1) || (lo == -1)) { - throw new IllegalArgumentException("input is not hexadecimal"); - } - result[i] = (byte) (16 * hi + lo); - } - return result; - } -} diff --git a/keystore-cts/java/com/google/security/wycheproof/testcases/AesGcmTest.java b/keystore-cts/java/com/google/security/wycheproof/testcases/AesGcmTest.java deleted file mode 100644 index d02b4f1..0000000 --- a/keystore-cts/java/com/google/security/wycheproof/testcases/AesGcmTest.java +++ /dev/null @@ -1,984 +0,0 @@ -/** - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package com.google.security.wycheproof; - -import static org.junit.Assert.assertArrayEquals; -import static org.junit.Assert.assertEquals; -import static org.junit.Assert.assertFalse; -import static org.junit.Assert.fail; - -import java.nio.ByteBuffer; -import java.security.AlgorithmParameterGenerator; -import java.security.AlgorithmParameters; -import java.security.GeneralSecurityException; -import java.security.InvalidAlgorithmParameterException; -import java.security.InvalidKeyException; -import java.security.NoSuchAlgorithmException; -import java.security.SecureRandom; -import java.util.ArrayList; -import java.util.Arrays; -import javax.crypto.Cipher; -import javax.crypto.SecretKey; -import javax.crypto.ShortBufferException; -import javax.crypto.spec.GCMParameterSpec; -import javax.crypto.spec.IvParameterSpec; -import javax.crypto.spec.SecretKeySpec; -import org.junit.Test; -import org.junit.Ignore; -import org.junit.Before; -import android.security.keystore.KeyProtection; -import android.security.keystore.KeyProperties; -import java.security.KeyStore; -import java.security.KeyStoreException; -import java.security.UnrecoverableKeyException; - -// TODO(bleichen): -// - For EAX I was able to derive some special cases by inverting OMAC. -// Not sure if that is possible here. -/** - * Testing AES-GCM - * - * <p>Other tests using AES-GCM are: CipherInputStreamTest.java CipherOutputStreamTest.java - */ -public class AesGcmTest { - private static final String EXPECTED_PROVIDER_NAME = TestUtil.EXPECTED_CRYPTO_OP_PROVIDER_NAME; - private KeyStore keyStore; - - @Before - public void setup() throws Exception { - keyStore = KeyStore.getInstance("AndroidKeyStore"); - keyStore.load(null); - for (GcmTestVector test : GCM_TEST_VECTORS) { - setKeystoreEntry(test.alias, test.key); - } - } - - private SecretKey setKeystoreEntry(String alias, SecretKeySpec key) - throws KeyStoreException, NoSuchAlgorithmException, UnrecoverableKeyException { - keyStore.setEntry( - alias, - new KeyStore.SecretKeyEntry(key), - new KeyProtection.Builder(KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT) - .setBlockModes(KeyProperties.BLOCK_MODE_ECB, KeyProperties.BLOCK_MODE_GCM) - .setRandomizedEncryptionRequired(false) - .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE) - .build()); - // Key imported, obtain a reference to it. - return (SecretKey) keyStore.getKey(alias, null); - } - - /** Test vectors */ - public static class GcmTestVector { - final byte[] pt; - final byte[] aad; - final byte[] ct; - final String ptHex; - final String ctHex; - final GCMParameterSpec parameters; - final SecretKeySpec key; - final int nonceLengthInBits; - final int tagLengthInBits; - final String alias; - - public GcmTestVector( - String message, - String keyMaterial, - String nonce, - String aad, - String ciphertext, - String tag, - String alias) { - this.ptHex = message; - this.pt = TestUtil.hexToBytes(message); - this.aad = TestUtil.hexToBytes(aad); - this.ct = TestUtil.hexToBytes(ciphertext + tag); - this.ctHex = ciphertext + tag; - this.tagLengthInBits = 4 * tag.length(); - this.nonceLengthInBits = 4 * nonce.length(); - this.parameters = new GCMParameterSpec(tagLengthInBits, TestUtil.hexToBytes(nonce)); - this.key = new SecretKeySpec(TestUtil.hexToBytes(keyMaterial), "AES"); - this.alias = alias; - } - }; - - private static final GcmTestVector[] GCM_TEST_VECTORS = { - new GcmTestVector( - "001d0c231287c1182784554ca3a21908", - "5b9604fe14eadba931b0ccf34843dab9", - "028318abc1824029138141a2", - "", - "26073cc1d851beff176384dc9896d5ff", - "0a3ea7a5487cb5f7d70fb6c58d038554", "Key1"), - new GcmTestVector( - "001d0c231287c1182784554ca3a21908", - "5b9604fe14eadba931b0ccf34843dab9", - "921d2507fa8007b7bd067d34", - "00112233445566778899aabbccddeeff", - "49d8b9783e911913d87094d1f63cc765", - "1e348ba07cca2cf04c618cb4", "Key2"), - new GcmTestVector( - "2035af313d1346ab00154fea78322105", - "aa023d0478dcb2b2312498293d9a9129", - "0432bc49ac34412081288127", - "aac39231129872a2", - "eea945f3d0f98cc0fbab472a0cf24e87", - "4bb9b4812519dadf9e1232016d068133", "Key3"), - new GcmTestVector( - "2035af313d1346ab00154fea78322105", - "aa023d0478dcb2b2312498293d9a9129", - "0432bc49ac344120", - "aac39231129872a2", - "64c36bb3b732034e3a7d04efc5197785", - "b7d0dd70b00d65b97cfd080ff4b819d1", "Key4"), - new GcmTestVector( - "02efd2e5782312827ed5d230189a2a342b277ce048462193", - "2034a82547276c83dd3212a813572bce", - "3254202d854734812398127a3d134421", - "1a0293d8f90219058902139013908190bc490890d3ff12a3", - "64069c2d58690561f27ee199e6b479b6369eec688672bde9", - "9b7abadd6e69c1d9ec925786534f5075", "Key5"), - // GCM uses GHASH to compute the initial counter J0 if the nonce is not 12 bytes long. - // The counter is incremented modulo 2^32 in counter mode. The following test vectors verify - // the behavior of an implementation for initial counter values J0 close to a 2^32 limit. - // J0:00000000000000000000000000000000 - new GcmTestVector( - "00000000000000000000000000000000000000000000000000000000000000000000000000000000", - "00112233445566778899aabbccddeeff", - "7b95b8c356810a84711d68150a1b7750", - "", - "84d4c9c08b4f482861e3a9c6c35bc4d91df927374513bfd49f436bd73f325285daef4ff7e13d46a6", - "213a3cb93855d18e69337eee66aeec07", "Key6"), - // J0:ffffffffffffffffffffffffffffffff - new GcmTestVector( - "00000000000000000000000000000000000000000000000000000000000000000000000000000000", - "00112233445566778899aabbccddeeff", - "1a552e67cdc4dc1a33b824874ebf0bed", - "", - "948ca37a8e6649e88aeffb1c598f3607007702417ea0e0bc3c60ad5a949886de968cf53ea6462aed", - "99b381bfa2af9751c39d1b6e86d1be6a", "Key6"), - // J0:000102030405060708090a0bffffffff - new GcmTestVector( - "00000000000000000000000000000000000000000000000000000000000000000000000000000000", - "00112233445566778899aabbccddeeff", - "99821c2dd5daecded07300f577f7aff1", - "", - "127af9b39ecdfc57bb11a2847c7c2d3d8f938f40f877e0c4af37d0fe9af033052bd537c4ae978f60", - "07eb2fe4a958f8434d40684899507c7c", "Key7"), - // J0:000102030405060708090a0bfffffffe - new GcmTestVector( - "00000000000000000000000000000000000000000000000000000000000000000000000000000000", - "00112233445566778899aabbccddeeff", - "5e4a3900142358d1c774d8d124d8d27d", - "", - "0cf6ae47156b14dce03c8a07a2e172b1127af9b39ecdfc57bb11a2847c7c2d3d8f938f40f877e0c4", - "f145c2dcaf339eede427be934357eac0", "Key8"), - }; - - /** - * Returns the GCM test vectors supported by the current provider. This is necessary since not - * every provider supports all parameters sizes. For example SUNJCE does not support 8 byte tags - * and Conscrypt only supports 12 byte nonces. Such restrictions are often made because AES-GCM is - * a relatively weak algorithm and especially small parameter sizes can lead to easy attacks. - * Avoiding such small parameter sizes should not be seen as a bug in the library. - * - * <p>The only assumption we make here is that all test vectors with 128 bit tags and nonces with - * at least 96 bits are supported. - */ - private Iterable<GcmTestVector> getTestVectors() throws Exception { - ArrayList<GcmTestVector> supported = new ArrayList<GcmTestVector>(); - for (GcmTestVector test : GCM_TEST_VECTORS) { - if (test.nonceLengthInBits != 96 || test.tagLengthInBits != 128) { - try { - // Checks whether the parameter size is supported. - // It would be nice if there was a way to check this without trying to encrypt. - Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding", EXPECTED_PROVIDER_NAME); - cipher.init(Cipher.ENCRYPT_MODE, (SecretKey) keyStore.getKey(test.alias, null), test.parameters); - } catch (InvalidKeyException | InvalidAlgorithmParameterException ex) { - // Not supported - continue; - } - } - supported.add(test); - } - return supported; - } - - @Test - public void testVectors() throws Exception { - for (GcmTestVector test : getTestVectors()) { - Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding", EXPECTED_PROVIDER_NAME); - cipher.init(Cipher.ENCRYPT_MODE, (SecretKey) keyStore.getKey(test.alias, null), test.parameters); - cipher.updateAAD(test.aad); - byte[] ct = cipher.doFinal(test.pt); - assertEquals(test.ctHex, TestUtil.bytesToHex(ct)); - } - } - - /** Test encryption when update and doFinal are done with empty byte arrays. */ - @Test - public void testEncryptWithEmptyArrays() throws Exception { - for (GcmTestVector test : getTestVectors()) { - // Encryption - byte[] empty = new byte[0]; - Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding", EXPECTED_PROVIDER_NAME); - cipher.init(Cipher.ENCRYPT_MODE, (SecretKey) keyStore.getKey(test.alias, null), test.parameters); - int outputSize = cipher.getOutputSize(test.pt.length); - ByteBuffer ctBuffer = ByteBuffer.allocate(outputSize); - cipher.updateAAD(empty); - cipher.updateAAD(test.aad); - byte[] res = cipher.update(empty); - if (res != null) { - ctBuffer.put(res); - } - res = cipher.update(test.pt); - if (res != null) { - ctBuffer.put(res); - } - res = cipher.doFinal(empty); - if (res != null) { - ctBuffer.put(res); - } - assertEquals(test.ctHex, TestUtil.byteBufferToHex(ctBuffer)); - } - } - - @Test - public void testDecryptWithEmptyArrays() throws Exception { - for (GcmTestVector test : getTestVectors()) { - byte[] empty = new byte[0]; - Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding", EXPECTED_PROVIDER_NAME); - cipher.init(Cipher.DECRYPT_MODE, (SecretKey) keyStore.getKey(test.alias, null), test.parameters); - int outputSize = cipher.getOutputSize(test.ct.length); - ByteBuffer ptBuffer = ByteBuffer.allocate(outputSize); - cipher.updateAAD(empty); - cipher.updateAAD(test.aad); - byte[] res = cipher.update(empty); - if (res != null) { - ptBuffer.put(res); - } - res = cipher.update(test.ct); - if (res != null) { - ptBuffer.put(res); - } - res = cipher.doFinal(empty); - if (res != null) { - ptBuffer.put(res); - } - assertEquals(test.ptHex, TestUtil.byteBufferToHex(ptBuffer)); - - // Simple test that a modified ciphertext fails. - ptBuffer.clear(); - cipher.init(Cipher.DECRYPT_MODE, (SecretKey) keyStore.getKey(test.alias, null), test.parameters); - cipher.updateAAD(empty); - cipher.updateAAD(test.aad); - cipher.updateAAD(new byte[1]); - res = cipher.update(empty); - if (res != null) { - ptBuffer.put(res); - } - res = cipher.update(test.ct); - if (res != null) { - ptBuffer.put(res); - } - try { - cipher.doFinal(empty); - fail("Accepted modified ciphertext."); - } catch (GeneralSecurityException ex) { - // Expected - } - } - } - - /** - * Typically one should always call updateAAD before any call to update. This test checks what - * happens if the order is reversed. The test expects that a correct implementation either - * computes the tag correctly or throws an exception. - * - * <p>For example, OpenJdk did compute incorrect tags in this case. The bug has been fixed in - * http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/89c06ca1e6cc - * - * <p>For example BouncyCastle computes correct tags if the calls are reversed, SunJCE and OpenJdk - * now throw exceptions. - */ - @Test - public void testLateUpdateAAD() throws Exception { - for (GcmTestVector test : getTestVectors()) { - Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding", EXPECTED_PROVIDER_NAME); - cipher.init(Cipher.ENCRYPT_MODE, (SecretKey) keyStore.getKey(test.alias, null), test.parameters); - byte[] c0 = cipher.update(test.pt); - try { - cipher.updateAAD(test.aad); - } catch (java.lang.IllegalStateException ex) { - // Throwing an exception is valid behaviour. - continue; - } - byte[] c1 = cipher.doFinal(); - String result = TestUtil.bytesToHex(c0) + TestUtil.bytesToHex(c1); - assertEquals(test.ctHex, result); - } - } - - /** - * JCE has a dangerous feature: after a doFinal the cipher is typically reinitialized using the - * previous IV. This "feature" can easily break AES-GCM usages, because encrypting twice with the - * same key and IV leaks the authentication key. Hence any reasonable implementation of AES-GCM - * should not allow this. The expected behaviour of OpenJDK can be derived from the tests in - * jdk/test/com/sun/crypto/provider/Cipher/AES/TestGCMKeyAndIvCheck.java. OpenJDK does not allow - * two consecutive initializations for encryption with the same key and IV. - * - * <p>The test here is weaker than the restrictions in OpenJDK. The only requirement here is that - * reusing a Cipher without an explicit init() is caught. - * - * <p>BouncyCastle 1.52 failed this test - * - * <p>Conscrypt failed this test - */ - @Test - public void testIvReuse() throws Exception { - for (GcmTestVector test : getTestVectors()) { - Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding", EXPECTED_PROVIDER_NAME); - cipher.init(Cipher.ENCRYPT_MODE, (SecretKey) keyStore.getKey(test.alias, null), test.parameters); - cipher.updateAAD(test.aad); - byte[] ct1 = cipher.doFinal(test.pt); - try { - byte[] ct2 = cipher.doFinal(test.pt); - fail( - "It should not possible to reuse an IV." - + " ct1:" - + TestUtil.bytesToHex(ct1) - + " ct2:" - + TestUtil.bytesToHex(ct2)); - } catch (java.lang.IllegalStateException ex) { - // This is expected. - } - } - } - - /** - * Checks whether the implementation requires larger ByteBuffers than necessary. This test has - * been added mostly for debugging. E.g., conscrypt failed during decryption with ByteBuffers - * simply because the necessary outputSize was computed incorrectly. - */ - @Test - public void testByteBufferSize() throws Exception { - for (GcmTestVector test : getTestVectors()) { - Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding", EXPECTED_PROVIDER_NAME); - // Encryption - cipher.init(Cipher.ENCRYPT_MODE, (SecretKey) keyStore.getKey(test.alias, null), test.parameters); - int outputSize = cipher.getOutputSize(test.pt.length); - assertEquals("plaintext size:" + test.pt.length, test.ct.length, outputSize); - // Decryption - cipher.init(Cipher.DECRYPT_MODE, (SecretKey) keyStore.getKey(test.alias, null), test.parameters); - outputSize = cipher.getOutputSize(test.ct.length); - assertEquals("ciphertext size:" + test.ct.length, test.pt.length, outputSize); - } - } - - /** Encryption with ByteBuffers. */ - @Test - public void testByteBuffer() throws Exception { - for (GcmTestVector test : getTestVectors()) { - // Encryption - Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding", EXPECTED_PROVIDER_NAME); - ByteBuffer ptBuffer = ByteBuffer.wrap(test.pt); - cipher.init(Cipher.ENCRYPT_MODE, (SecretKey) keyStore.getKey(test.alias, null), test.parameters); - int outputSize = cipher.getOutputSize(test.pt.length); - ByteBuffer ctBuffer = ByteBuffer.allocate(outputSize); - cipher.updateAAD(test.aad); - cipher.doFinal(ptBuffer, ctBuffer); - assertEquals(test.ctHex, TestUtil.byteBufferToHex(ctBuffer)); - - // Decryption - ctBuffer.flip(); - cipher.init(Cipher.DECRYPT_MODE, (SecretKey) keyStore.getKey(test.alias, null), test.parameters); - outputSize = cipher.getOutputSize(test.ct.length); - ByteBuffer decrypted = ByteBuffer.allocate(outputSize); - cipher.updateAAD(test.aad); - cipher.doFinal(ctBuffer, decrypted); - assertEquals(test.ptHex, TestUtil.byteBufferToHex(decrypted)); - } - } - - /** Encryption with ByteBuffers should be copy-safe. */ - @Test - public void testByteBufferAlias() throws Exception { - for (GcmTestVector test : getTestVectors()) { - // Encryption - Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding", EXPECTED_PROVIDER_NAME); - cipher.init(Cipher.ENCRYPT_MODE, (SecretKey) keyStore.getKey(test.alias, null), test.parameters); - int outputSize = cipher.getOutputSize(test.pt.length); - byte[] backingArray = new byte[outputSize]; - ByteBuffer ptBuffer = ByteBuffer.wrap(backingArray); - ptBuffer.put(test.pt); - ptBuffer.flip(); - ByteBuffer ctBuffer = ByteBuffer.wrap(backingArray); - cipher.updateAAD(test.aad); - cipher.doFinal(ptBuffer, ctBuffer); - assertEquals(test.ctHex, TestUtil.byteBufferToHex(ctBuffer)); - - // Decryption - ByteBuffer decrypted = ByteBuffer.wrap(backingArray); - ctBuffer.flip(); - cipher.init(Cipher.DECRYPT_MODE, (SecretKey) keyStore.getKey(test.alias, null), test.parameters); - cipher.updateAAD(test.aad); - cipher.doFinal(ctBuffer, decrypted); - assertEquals(test.ptHex, TestUtil.byteBufferToHex(decrypted)); - } - } - - /** Encryption and decryption with large arrays should be copy-safe. */ - @Test - public void testLargeArrayAlias() throws Exception { - byte[] ptVector = new byte[8192]; - - // this offset is relative to the start of the input, not the start of the buffer. - for (int outputOffset = -32; outputOffset <= 32; outputOffset++) { - // try with doFinal directly as well as with update followed by doFinal - for (int useUpdate = 0; useUpdate <= 1; useUpdate++) { - SecretKey secretKey = null; - try { - String alias = "TestKey" + 1; - SecretKeySpec keySpec = new SecretKeySpec(new byte[16], "AES"); - secretKey = setKeystoreEntry(alias, keySpec); - } catch (Exception e) { - fail("Failed to set secret key entry in KeyStore."); - } - GCMParameterSpec parameters = new GCMParameterSpec(128, new byte[12]); - Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding", EXPECTED_PROVIDER_NAME); - cipher.init(Cipher.ENCRYPT_MODE, secretKey, parameters); - - // these offsets are relative to the start of the buffer - int inputOffsetInBuffer = 32; - int outputOffsetInBuffer = inputOffsetInBuffer + outputOffset; - int sliceLength = cipher.getOutputSize(ptVector.length); - - byte[] inBuf = new byte[sliceLength + Math.max(inputOffsetInBuffer, outputOffsetInBuffer)]; - byte[] outBuf = inBuf; - - System.arraycopy(ptVector, 0, inBuf, inputOffsetInBuffer, ptVector.length); - - try { - int ctLength = 0; - if (useUpdate > 0) { - ctLength += - cipher.update( - inBuf, inputOffsetInBuffer, ptVector.length, outBuf, outputOffsetInBuffer); - ctLength += cipher.doFinal(inBuf, 0, 0, outBuf, outputOffsetInBuffer + ctLength); - } else { - ctLength += - cipher.doFinal( - inBuf, inputOffsetInBuffer, ptVector.length, outBuf, outputOffsetInBuffer); - } - - System.arraycopy(outBuf, outputOffsetInBuffer, inBuf, inputOffsetInBuffer, ctLength); - - cipher = Cipher.getInstance("AES/GCM/NoPadding", EXPECTED_PROVIDER_NAME); - cipher.init(Cipher.DECRYPT_MODE, secretKey, parameters); - - int resultPtLength = 0; - if (useUpdate > 0) { - resultPtLength += - cipher.update(inBuf, inputOffsetInBuffer, ctLength, outBuf, outputOffsetInBuffer); - resultPtLength += - cipher.doFinal(inBuf, 0, 0, outBuf, outputOffsetInBuffer + resultPtLength); - } else { - resultPtLength += - cipher.doFinal(inBuf, inputOffsetInBuffer, ctLength, outBuf, outputOffsetInBuffer); - } - - assertEquals(resultPtLength, ptVector.length); - assertArrayEquals( - ptVector, - Arrays.copyOfRange( - outBuf, outputOffsetInBuffer, outputOffsetInBuffer + resultPtLength)); - } catch (Throwable t) { - throw new AssertionError( - "testLargeByteBufferAlias failed with outputOffset=" + outputOffset, t); - } - } - } - } - - /** - * Encryption with ByteBuffers should be copy-safe even if the buffers have different starting - * offsets and/or do not make the backing array visible. - * - * <p>Note that bugs in this often require a sizeable input to reproduce; the default - * implementation of engineUpdate(ByteBuffer, ByteBuffer) copies through 4KB bounce buffers, so we - * need to use something larger to see any problems - 8KB is what we use here. - * - * @see https://bugs.openjdk.java.net/browse/JDK-8181386 - */ - @Test - public void testByteBufferShiftedAlias() throws Exception { - byte[] ptVector = new byte[8192]; - - for (int i = 0; i < 3; i++) { - // outputOffset = offset relative to start of input. - for (int outputOffset = -1; outputOffset <= 1; outputOffset++) { - - SecretKey secretKey = null; - try { - String alias = "TestKey" + 1; - SecretKeySpec keySpec = new SecretKeySpec(new byte[16], "AES"); - secretKey = setKeystoreEntry(alias, keySpec); - } catch (Exception e) { - fail("Failed to set secret key entry in KeyStore."); - } - GCMParameterSpec parameters = new GCMParameterSpec(128, new byte[12]); - Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding", EXPECTED_PROVIDER_NAME); - cipher.init(Cipher.ENCRYPT_MODE, secretKey, parameters); - - ByteBuffer output, input, inputRO; - - // We'll try three scenarios: Ordinary array backed buffers, array backed buffers where one - // is read-only, and direct byte buffers. - String mode; - // offsets relative to start of buffer - int inputOffsetInBuffer = 1; - int outputOffsetInBuffer = inputOffsetInBuffer + outputOffset; - int sliceLength = cipher.getOutputSize(ptVector.length); - int bufferSize = sliceLength + Math.max(inputOffsetInBuffer, outputOffsetInBuffer); - switch (i) { - case 0: - case 1: - { - byte[] buffer = new byte[bufferSize]; - // It's important to slice() here as otherwise later when we flip() position will be - // reset to 0. - output = ByteBuffer.wrap(buffer, outputOffsetInBuffer, sliceLength).slice(); - input = ByteBuffer.wrap(buffer, inputOffsetInBuffer, sliceLength).slice(); - - if (i == 1) { - mode = "array backed buffers with RO buffer"; - inputRO = input.asReadOnlyBuffer(); - } else { - mode = "array backed buffers"; - inputRO = input.duplicate(); - } - - break; - } - case 2: - { - mode = "direct buffers"; - ByteBuffer buf = ByteBuffer.allocateDirect(bufferSize); - output = buf.duplicate(); - output.position(outputOffsetInBuffer); - output.limit(sliceLength + outputOffsetInBuffer); - output = output.slice(); - - input = buf.duplicate(); - input.position(inputOffsetInBuffer); - input.limit(sliceLength + inputOffsetInBuffer); - input = input.slice(); - - inputRO = input.duplicate(); - break; - } - default: - { - throw new AssertionError("Unknown test index " + i); - } - } - - // Now that we have our overlapping 'input' and 'output' buffers, we can write our plaintext - // into the input buffer. - input.put(ptVector); - input.flip(); - // Make sure the RO input buffer has the same limit in case the plaintext is shorter than - // sliceLength (which it generally will be for anything other than ECB or CTR mode) - inputRO.limit(input.limit()); - - try { - int ctSize = cipher.doFinal(inputRO, output); - - // Now flip the buffers around and undo everything - byte[] tmp = new byte[ctSize]; - output.flip(); - output.get(tmp); - - output.clear(); - input.clear(); - inputRO.clear(); - - input.put(tmp); - input.flip(); - inputRO.limit(input.limit()); - - cipher.init(Cipher.DECRYPT_MODE, secretKey, parameters); - cipher.doFinal(inputRO, output); - - output.flip(); - assertEquals(ByteBuffer.wrap(ptVector), output); - } catch (Throwable t) { - throw new AssertionError( - "Overlapping buffers test failed with buffer type: " - + mode - + " and output offset " - + outputOffset, - t); - } - } - } - } - - @Test - public void testReadOnlyByteBuffer() throws Exception { - for (GcmTestVector test : getTestVectors()) { - // Encryption - Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding", EXPECTED_PROVIDER_NAME); - ByteBuffer ptBuffer = ByteBuffer.wrap(test.pt).asReadOnlyBuffer(); - cipher.init(Cipher.ENCRYPT_MODE, (SecretKey) keyStore.getKey(test.alias, null), test.parameters); - int outputSize = cipher.getOutputSize(test.pt.length); - ByteBuffer ctBuffer = ByteBuffer.allocate(outputSize); - cipher.updateAAD(test.aad); - cipher.doFinal(ptBuffer, ctBuffer); - assertEquals(test.ctHex, TestUtil.byteBufferToHex(ctBuffer)); - - // Decryption - ctBuffer.flip(); - ctBuffer = ctBuffer.asReadOnlyBuffer(); - cipher.init(Cipher.DECRYPT_MODE, (SecretKey) keyStore.getKey(test.alias, null), test.parameters); - outputSize = cipher.getOutputSize(test.ct.length); - ByteBuffer decrypted = ByteBuffer.allocate(outputSize); - cipher.updateAAD(test.aad); - cipher.doFinal(ctBuffer, decrypted); - assertEquals(test.ptHex, TestUtil.byteBufferToHex(decrypted)); - } - } - - /** - * If a ByteBuffer is backed by an array and not readonly, then it is possible to access the data - * through the .array() method. An implementation using this possibility must ensure that it - * considers the offset. - */ - @Test - public void testByteBufferWithOffset() throws Exception { - for (GcmTestVector test : getTestVectors()) { - // Encryption - Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding", EXPECTED_PROVIDER_NAME); - ByteBuffer ptBuffer = ByteBuffer.wrap(new byte[test.pt.length + 50]); - ptBuffer.position(5); - ptBuffer = ptBuffer.slice(); - ptBuffer.put(test.pt); - ptBuffer.flip(); - - ByteBuffer ctBuffer = ByteBuffer.wrap(new byte[test.ct.length + 50]); - ctBuffer.position(8); - ctBuffer = ctBuffer.slice(); - cipher.init(Cipher.ENCRYPT_MODE, (SecretKey) keyStore.getKey(test.alias, null), test.parameters); - cipher.updateAAD(test.aad); - cipher.doFinal(ptBuffer, ctBuffer); - assertEquals(test.ctHex, TestUtil.byteBufferToHex(ctBuffer)); - ctBuffer.flip(); - - // Decryption - ByteBuffer decBuffer = ByteBuffer.wrap(new byte[test.pt.length + 50]); - decBuffer.position(6); - decBuffer = decBuffer.slice(); - cipher.init(Cipher.DECRYPT_MODE, (SecretKey) keyStore.getKey(test.alias, null), test.parameters); - cipher.updateAAD(test.aad); - cipher.doFinal(ctBuffer, decBuffer); - assertEquals(test.ptHex, TestUtil.byteBufferToHex(decBuffer)); - } - } - - @Test - public void testByteBufferTooShort() throws Exception { - for (GcmTestVector test : getTestVectors()) { - // Encryption - Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding", EXPECTED_PROVIDER_NAME); - ByteBuffer ptBuffer = ByteBuffer.wrap(test.pt); - ByteBuffer ctBuffer = ByteBuffer.allocate(test.ct.length - 1); - cipher.init(Cipher.ENCRYPT_MODE, (SecretKey) keyStore.getKey(test.alias, null), test.parameters); - cipher.updateAAD(test.aad); - try { - cipher.doFinal(ptBuffer, ctBuffer); - fail("This should not work"); - } catch (ShortBufferException ex) { - // expected - } - - // Decryption - ctBuffer = ByteBuffer.wrap(test.ct); - ByteBuffer decrypted = ByteBuffer.allocate(test.pt.length - 1); - cipher.init(Cipher.DECRYPT_MODE, (SecretKey) keyStore.getKey(test.alias, null), test.parameters); - cipher.updateAAD(test.aad); - try { - cipher.doFinal(ctBuffer, decrypted); - fail("This should not work"); - } catch (ShortBufferException ex) { - // expected - } - } - } - - /** - * Test encryption when update and doFinal are done with empty ByteBuffers. Conscrypt ignored - * calls to doFinal() when the ByteBuffer was empty. - */ - @Test - public void testEncryptWithEmptyByteBuffer() throws Exception { - for (GcmTestVector test : getTestVectors()) { - // Encryption - Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding", EXPECTED_PROVIDER_NAME); - ByteBuffer empty = ByteBuffer.allocate(0); - ByteBuffer ptBuffer = ByteBuffer.wrap(test.pt); - cipher.init(Cipher.ENCRYPT_MODE, (SecretKey) keyStore.getKey(test.alias, null), test.parameters); - int outputSize = cipher.getOutputSize(test.pt.length); - ByteBuffer ctBuffer = ByteBuffer.allocate(outputSize); - cipher.updateAAD(empty); - cipher.updateAAD(test.aad); - cipher.update(empty, ctBuffer); - cipher.update(ptBuffer, ctBuffer); - cipher.doFinal(empty, ctBuffer); - assertEquals(test.ctHex, TestUtil.byteBufferToHex(ctBuffer)); - } - } - - @Test - public void testDecryptWithEmptyBuffer() throws Exception { - for (GcmTestVector test : getTestVectors()) { - Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding", EXPECTED_PROVIDER_NAME); - ByteBuffer empty = ByteBuffer.allocate(0); - ByteBuffer ctBuffer = ByteBuffer.wrap(test.ct); - cipher.init(Cipher.DECRYPT_MODE, (SecretKey) keyStore.getKey(test.alias, null), test.parameters); - int outputSize = cipher.getOutputSize(test.ct.length); - ByteBuffer ptBuffer = ByteBuffer.allocate(outputSize); - cipher.updateAAD(empty); - cipher.updateAAD(test.aad); - cipher.update(empty, ptBuffer); - cipher.update(ctBuffer, ptBuffer); - cipher.doFinal(empty, ptBuffer); - assertEquals(test.ptHex, TestUtil.byteBufferToHex(ptBuffer)); - - // Simple test that a modified ciphertext fails. - ctBuffer.flip(); - ptBuffer.clear(); - cipher.init(Cipher.DECRYPT_MODE, (SecretKey) keyStore.getKey(test.alias, null), test.parameters); - cipher.updateAAD(empty); - cipher.updateAAD(test.aad); - cipher.updateAAD(new byte[1]); - cipher.update(empty, ptBuffer); - cipher.update(ctBuffer, ptBuffer); - try { - cipher.doFinal(empty, ptBuffer); - fail("Accepted modified ciphertext."); - } catch (GeneralSecurityException ex) { - // Expected - } - } - } - - /** - * The default authentication tag size should be 128-bit by default for the following reasons: - * <br> - * (1) Security: Ferguson, N., Authentication Weaknesses in GCM, Natl. Inst. Stand. Technol. [Web - * page], http://www.csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/ - * CWC-GCM/Ferguson2.pdf, May 20, 2005. This paper points out that a n-bit tag has lower strength - * than expected. <br> - * (2) Compatibility: Assume an implementer tests some code using one provider than switches to - * another provider. Such a switch should ideally not lower the security. <br> - * Conscrypt used to have only 12-byte authentication tag (b/26186727). - */ - @Test - @Ignore // IvParameterSpec is not supported in AndroidKeyStore AES/GCM cipher - public void testDefaultTagSizeIvParameterSpec() throws Exception { - byte[] counter = new byte[12]; - byte[] input = new byte[16]; - SecretKey secretKey = null; - try { - String alias = "TestKey" + 1; - SecretKeySpec keySpec = new SecretKeySpec(new byte[16], "AES"); - secretKey = setKeystoreEntry(alias, keySpec); - } catch (Exception e) { - fail("Failed to set secret key entry in KeyStore."); - } - Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding", EXPECTED_PROVIDER_NAME); - try { - cipher.init(Cipher.ENCRYPT_MODE, secretKey, new IvParameterSpec(counter)); - } catch (InvalidAlgorithmParameterException ex) { - // OpenJDK8 does not support IvParameterSpec for GCM. - throw ex; - } - byte[] output = cipher.doFinal(input); - assertEquals(input.length + 16, output.length); - } - - /** - * The default authentication tag size should be 128-bit by default for the following reasons: - * <br> - * (1) Security: Ferguson, N., Authentication Weaknesses in GCM, Natl. Inst. Stand. Technol. [Web - * page], http://www.csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/ - * CWC-GCM/Ferguson2.pdf, May 20, 2005. This paper points out that a n-bit tag has lower strength - * than expected. <br> - * (2) Compatibility: Assume an implementer tests some code using one provider than switches to - * another provider. Such a switch should ideally not lower the security. <br> - * BouncyCastle used to have only 12-byte authentication tag (b/26186727). - */ - @Test - @Ignore // GCM AlgorithmParameterGenerator is not available. - public void testDefaultTagSizeAlgorithmParameterGenerator() throws Exception { - byte[] input = new byte[10]; - SecretKey secretKey = null; - try { - String alias = "TestKey" + 1; - SecretKeySpec keySpec = new SecretKeySpec(new byte[16], "AES"); - secretKey = setKeystoreEntry(alias, keySpec); - } catch (Exception e) { - fail("Failed to set secret key entry in KeyStore."); - } - Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding", EXPECTED_PROVIDER_NAME); - try { - AlgorithmParameterGenerator.getInstance("GCM"); - } catch (NoSuchAlgorithmException ex) { - // Conscrypt does not support AlgorithmParameterGenerator for GCM. - throw ex; - } - AlgorithmParameters param = AlgorithmParameterGenerator.getInstance("GCM").generateParameters(); - cipher.init(Cipher.ENCRYPT_MODE, secretKey, param); - byte[] output = cipher.doFinal(input); - assertEquals(input.length + 16, output.length); - } - - /** - * Test AES-GCM wrapped around counter bug which leaks plaintext and authentication key. Let's - * consider 12-byte IV, counter = IV || 0^31 || 1. For each encryption block, the last 4 bytes of - * the counter is increased by 1. After 2^32 blocks, the counter will be wrapped around causing - * counter collision and hence, leaking plaintext and authentication key as explained below. The - * library must make a check to make sure that the plaintext's length never exceeds 2^32 - 2 - * blocks. Note that this is different from usual IV collisions because it happens even if users - * use different IVs. <br> - * We have: <br> - * J0 = IV || 0^31 || 1 <br> - * Plaintext: P[0], P[1], P[2], .... <br> - * Ciphertext: <br> - * C[0] = Enc(K, (J0 + 1) % 2^32) XOR P[0] <br> - * C[1] = Enc(K, (J0 + 2) % 2^32) XOR P[1] <br> - * C[2] = Enc(K, (J0 + 3) % 2^32) XOR P[2] <br> - * ... <br> - * C[2^32 - 1] = Enc(K, J0) XOR P[2^32 - 1] <br> - * C[2^32] = Enc(K, (J0 + 1)% 2^32) XOR P[2^32] <br> - * It means that after 2^32 blocks, the counter is wrapped around causing counter collisions. In - * counter mode, once the counter is collided then it's reasonable to assume that the plaintext is - * leaked. As the ciphertext is already known to attacker, Enc(K, J0) is leaked. <br> - * Now, as the authentication tag T is computed as GHASH(H, {}, C) XOR E(K, J0), the attacker can - * learn GHASH(H, {}, C}. It essentially means that the attacker finds a polynomial where H is the - * root (see Joux attack http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/Joux_comments.pdf). - * Solving polynomial equation in GF(2^128) is enough to extract the authentication key. - * - * <p>BouncyCastle used to have this bug (CVE-2015-6644). - * - * <p>OpenJDK8 used to have this bug (http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/0c3ed12cdaf5) - * - * <p>The test is slow as we have to encrypt 2^32 blocks. - */ - @Test - @Ignore // This test takes very long time and CTS is timed out hence ignored for now. - public void testWrappedAroundCounter() throws Exception { - try { - byte[] iv = new byte[12]; - byte[] input = new byte[16]; - byte[] key = new byte[16]; - (new SecureRandom()).nextBytes(key); - SecretKey secretKey = null; - try { - String alias = "TestKey" + 1; - SecretKeySpec keySpec = new SecretKeySpec(key, "AES"); - secretKey = setKeystoreEntry(alias, keySpec); - } catch (Exception e) { - fail("Failed to set secret key entry in KeyStore."); - } - Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding", EXPECTED_PROVIDER_NAME); - cipher.init( - Cipher.ENCRYPT_MODE, secretKey, new GCMParameterSpec(16 * 8, iv)); - byte[] output = cipher.update(input); - for (long i = 0; i < 4294967296L + 2; i++) { - byte[] output1 = cipher.update(input); - assertFalse("GCM Wrapped Around Counter" + i, Arrays.equals(output, output1)); - } - fail("Expected Exception"); - } catch (Exception expected) { - } - } - - /** - * AES-GCM allows IVs of bit length 1 .. 2^64-1. See NIST SP 800 38d, Section 5.2.1.1 - * http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf - * - * <p>Disallowing IVs of length 0 is necessary for the following reason: if an empty IV is used - * then the tag is an evaluation of a polynomial with the hash subkey as the value. Since the - * polynomial can be derived from the ciphertext it is known to an attacker. Therefore, any - * message encrypted with an empty IV leaks the hash subkey. In particular, encrypting an empty - * plaintext with an empty IV results in a ciphertext having a tag that is equal to the hash - * subkey used in AES-GCM. I.e. both are the same as encrypting an all zero block. - * - * <p>OpenJDK fails this test. - */ - @Test - public void testEncryptEmptyPlaintextWithEmptyIv() throws Exception { - byte[] emptyIv = new byte[0]; - byte[] input = new byte[0]; - byte[] key = TestUtil.hexToBytes("56aae7bd5cbefc71d31c4338e6ddd6c5"); - SecretKey secretKey = null; - try { - String alias = "TestKey" + 1; - SecretKeySpec keySpec = new SecretKeySpec(key, "AES"); - secretKey = setKeystoreEntry(alias, keySpec); - } catch (Exception e) { - fail("Failed to set secret key entry in KeyStore."); - } - Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding", EXPECTED_PROVIDER_NAME); - Cipher block = Cipher.getInstance("AES/ECB/NoPadding", EXPECTED_PROVIDER_NAME); - block.init(Cipher.ENCRYPT_MODE, secretKey); - byte[] hashkey = block.doFinal(new byte[16]); - try { - cipher.init(Cipher.ENCRYPT_MODE, secretKey, new GCMParameterSpec(16 * 8, emptyIv)); - byte[] ct = cipher.doFinal(input); - // If the encryption above is not rejected then the hash key and the ciphertext are the same. - // Both are d1bdd948ddc5a7f7a9250cf78229b84d. - fail("Encrypting with an empty IV leaks the hash subkey."); - } catch (GeneralSecurityException expected) { - // expected behavior - } - } - - @Test - public void testDecryptWithEmptyIv() throws Exception { - byte[] emptyIv = new byte[0]; - byte[] key = TestUtil.hexToBytes("56aae7bd5cbefc71d31c4338e6ddd6c5"); - SecretKey secretKey = null; - try { - String alias = "TestKey" + 1; - SecretKeySpec keySpec = new SecretKeySpec(key, "AES"); - secretKey = setKeystoreEntry(alias, keySpec); - } catch (Exception e) { - fail("Failed to set secret key entry in KeyStore."); - } - Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding", EXPECTED_PROVIDER_NAME); - try { - cipher.init(Cipher.DECRYPT_MODE, secretKey, new GCMParameterSpec(16 * 8, emptyIv)); - String ciphertext = "2b65876c00d77facf8f3d0e5be792b129bab10b25bcb739b92d6e2eab241245ff449"; - String tag = "c2b2d7086e7fa84ca795a881b540"; - byte[] pt1 = cipher.update(TestUtil.hexToBytes(ciphertext)); - byte[] pt2 = cipher.doFinal(TestUtil.hexToBytes(tag)); - // We shouldn't get here. If a provider releases unverified plaintext additionally to - // accepting empty IVs then chosen ciphertext attacks might be possible. - fail("AES-GCM must not accept an IV of size 0."); - } catch (GeneralSecurityException expected) { - //Expected - } - } -} diff --git a/keystore-cts/java/com/google/security/wycheproof/testcases/CipherInputStreamTest.java b/keystore-cts/java/com/google/security/wycheproof/testcases/CipherInputStreamTest.java deleted file mode 100644 index 3698e4e..0000000 --- a/keystore-cts/java/com/google/security/wycheproof/testcases/CipherInputStreamTest.java +++ /dev/null @@ -1,286 +0,0 @@ -/** - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package com.google.security.wycheproof; - -import static org.junit.Assert.assertEquals; -import static org.junit.Assert.fail; - -import java.io.ByteArrayInputStream; -import java.io.IOException; -import java.io.InputStream; -import java.security.NoSuchAlgorithmException; -import java.security.SecureRandom; -import java.security.spec.AlgorithmParameterSpec; -import java.util.ArrayList; -import java.util.Arrays; -import javax.crypto.Cipher; -import javax.crypto.CipherInputStream; -import javax.crypto.spec.GCMParameterSpec; -import javax.crypto.spec.SecretKeySpec; -import org.junit.Test; -import org.junit.runner.RunWith; -import org.junit.runners.JUnit4; - -/** - * CipherInputStream tests - * - * <p>CipherInputStream is a class that is basically unsuitable for authenticated encryption - * and hence should be avoided whenever possible. The class is unsuitable, because the interface - * does not provide a method to tell the caller when decryption failed. I.e. the specification - * now explicitly claims that it catches exceptions thrown by the Cipher class such as - * BadPaddingException and that it does not rethrow them. - * http://www.oracle.com/technetwork/java/javase/8u171-relnotes-4308888.html - * - * <p>The Jdk implementation still has the property that no unauthenticated plaintext is released. - * In the case of an authentication failure the implementation simply returns an empty plaintext. - * This allows a trivial attack where the attacker substitutes any message with an empty message. - * - * <p>The tests in this class have been adapted to this unfortunate situation. testEmptyPlaintext - * checks whether corrupting the tag of an empty message is detected. This test currently fails. - * All other tests run under the assumption that returning an empty plaintext is acceptable - * behaviour, so that the tests are able to catch additional problems. - */ -@RunWith(JUnit4.class) -public class CipherInputStreamTest { - static final SecureRandom rand = new SecureRandom(); - - static byte[] randomBytes(int size) { - byte[] bytes = new byte[size]; - rand.nextBytes(bytes); - return bytes; - } - - static SecretKeySpec randomKey(String algorithm, int keySizeInBytes) { - return new SecretKeySpec(randomBytes(keySizeInBytes), "AES"); - } - - static AlgorithmParameterSpec randomParameters( - String algorithm, int ivSizeInBytes, int tagSizeInBytes) { - if ("AES/GCM/NoPadding".equals(algorithm) || "AES/EAX/NoPadding".equals(algorithm)) { - return new GCMParameterSpec(8 * tagSizeInBytes, randomBytes(ivSizeInBytes)); - } - return null; - } - - /** Test vectors */ - public static class TestVector { - public String algorithm; - public SecretKeySpec key; - public AlgorithmParameterSpec params; - public byte[] pt; - public byte[] aad; - public byte[] ct; - - @SuppressWarnings("InsecureCryptoUsage") - public TestVector( - String algorithm, int keySize, int ivSize, int tagSize, int ptSize, int aadSize) - throws Exception { - this.algorithm = algorithm; - this.key = randomKey(algorithm, keySize); - this.params = randomParameters(algorithm, ivSize, tagSize); - this.pt = randomBytes(ptSize); - this.aad = randomBytes(aadSize); - Cipher cipher = Cipher.getInstance(algorithm); - cipher.init(Cipher.ENCRYPT_MODE, this.key, this.params); - cipher.updateAAD(aad); - this.ct = cipher.doFinal(pt); - } - } - - Iterable<TestVector> getTestVectors( - String algorithm, - int[] keySizes, - int[] ivSizes, - int[] tagSizes, - int[] ptSizes, - int[] aadSizes) - throws Exception { - ArrayList<TestVector> result = new ArrayList<TestVector>(); - for (int keySize : keySizes) { - for (int ivSize : ivSizes) { - for (int tagSize : tagSizes) { - for (int ptSize : ptSizes) { - for (int aadSize : aadSizes) { - result.add(new TestVector(algorithm, keySize, ivSize, tagSize, ptSize, aadSize)); - } - } - } - } - } - return result; - } - - @SuppressWarnings("InsecureCryptoUsage") - public void testEncrypt(Iterable<TestVector> tests) throws Exception { - for (TestVector t : tests) { - Cipher cipher = Cipher.getInstance(t.algorithm); - cipher.init(Cipher.ENCRYPT_MODE, t.key, t.params); - cipher.updateAAD(t.aad); - InputStream is = new ByteArrayInputStream(t.pt); - CipherInputStream cis = new CipherInputStream(is, cipher); - byte[] result = new byte[t.ct.length]; - int totalLength = 0; - int length = 0; - do { - length = cis.read(result, totalLength, result.length - totalLength); - if (length > 0) { - totalLength += length; - } - } while (length >= 0 && totalLength != result.length); - assertEquals(-1, cis.read()); - assertEquals(TestUtil.bytesToHex(t.ct), TestUtil.bytesToHex(result)); - cis.close(); - } - } - - /** JDK-8016249: CipherInputStream in decrypt mode fails on close with AEAD ciphers */ - @SuppressWarnings("InsecureCryptoUsage") - public void testDecrypt(Iterable<TestVector> tests) throws Exception { - for (TestVector t : tests) { - Cipher cipher = Cipher.getInstance(t.algorithm); - cipher.init(Cipher.DECRYPT_MODE, t.key, t.params); - cipher.updateAAD(t.aad); - InputStream is = new ByteArrayInputStream(t.ct); - CipherInputStream cis = new CipherInputStream(is, cipher); - byte[] result = new byte[t.pt.length]; - int totalLength = 0; - int length = 0; - do { - length = cis.read(result, totalLength, result.length - totalLength); - if (length > 0) { - totalLength += length; - } - } while (length >= 0 && totalLength != result.length); - assertEquals(-1, cis.read()); - cis.close(); - assertEquals(TestUtil.bytesToHex(t.pt), TestUtil.bytesToHex(result)); - } - } - - /** - * JDK-8016171 : CipherInputStream masks ciphertext tampering with AEAD ciphers in decrypt mode - * Further description of the bug is here: - * https://blog.heckel.xyz/2014/03/01/cipherinputstream-for-aead-modes-is-broken-in-jdk7-gcm/ - * BouncyCastle claims that this bug is fixed in version 1.51. However, the test below still fails - * with BouncyCastle v 1.52. A possible explanation is that BouncyCastle has its own - * implemenatation of CipherInputStream (org.bouncycastle.crypto.io.CipherInputStream). - * - * @param tests an iterable with valid test vectors, that will be corrupted for the test - * @param acceptEmptyPlaintext determines whether an empty plaintext instead of an exception - * is acceptable. - */ - @SuppressWarnings("InsecureCryptoUsage") - public void testCorruptDecrypt(Iterable<TestVector> tests, boolean acceptEmptyPlaintext) - throws Exception { - for (TestVector t : tests) { - Cipher cipher = Cipher.getInstance(t.algorithm); - cipher.init(Cipher.DECRYPT_MODE, t.key, t.params); - cipher.updateAAD(t.aad); - byte[] ct = Arrays.copyOf(t.ct, t.ct.length); - ct[ct.length - 1] ^= (byte) 1; - InputStream is = new ByteArrayInputStream(ct); - CipherInputStream cis = new CipherInputStream(is, cipher); - try { - byte[] result = new byte[t.pt.length]; - int totalLength = 0; - int length = 0; - do { - length = cis.read(result, totalLength, result.length - totalLength); - if (length > 0) { - totalLength += length; - } - } while (length >= 0 && totalLength != result.length); - cis.close(); - if (result.length > 0) { - fail( - "this should fail; decrypted:" - + TestUtil.bytesToHex(result) - + " pt: " - + TestUtil.bytesToHex(t.pt)); - } else if (result.length == 0 && !acceptEmptyPlaintext) { - fail("Corrupted ciphertext returns empty plaintext"); - } - } catch (IOException ex) { - // expected - } - } - } - - @Test - public void testAesGcm() throws Exception { - final int[] keySizes = {16, 32}; - final int[] ivSizes = {12}; - final int[] tagSizes = {12, 16}; - final int[] ptSizes = {0, 8, 16, 65, 8100}; - final int[] aadSizes = {0, 8, 24}; - Iterable<TestVector> v = - getTestVectors("AES/GCM/NoPadding", keySizes, ivSizes, tagSizes, ptSizes, aadSizes); - testEncrypt(v); - testDecrypt(v); - } - - @Test - public void testCorruptAesGcm() throws Exception { - final int[] keySizes = {16, 32}; - final int[] ivSizes = {12}; - final int[] tagSizes = {12, 16}; - final int[] ptSizes = {8, 16, 65, 8100}; - final int[] aadSizes = {0, 8, 24}; - Iterable<TestVector> v = - getTestVectors("AES/GCM/NoPadding", keySizes, ivSizes, tagSizes, ptSizes, aadSizes); - boolean acceptEmptyPlaintext = true; - testCorruptDecrypt(v, acceptEmptyPlaintext); - } - - /** - * Tests the behaviour for corrupt plaintext more strictly than in the tests above. - * This test does not accept that an implementation returns an empty plaintext when the - * ciphertext has been corrupted. - */ - @Test - public void testEmptyPlaintext() throws Exception { - final int[] keySizes = {16, 32}; - final int[] ivSizes = {12}; - final int[] tagSizes = {12, 16}; - final int[] ptSizes = {0}; - final int[] aadSizes = {0, 8, 24}; - Iterable<TestVector> v = - getTestVectors("AES/GCM/NoPadding", keySizes, ivSizes, tagSizes, ptSizes, aadSizes); - boolean acceptEmptyPlaintext = false; - testCorruptDecrypt(v, acceptEmptyPlaintext); - } - - /** Tests CipherOutputStream with AES-EAX if this algorithm is supported by the provider. */ - @Test - public void testAesEax() throws Exception { - final String algorithm = "AES/EAX/NoPadding"; - final int[] keySizes = {16, 32}; - final int[] ivSizes = {12, 16}; - final int[] tagSizes = {12, 16}; - final int[] ptSizes = {0, 8, 16, 65, 8100}; - final int[] aadSizes = {0, 8, 24}; - try { - Cipher.getInstance(algorithm); - } catch (NoSuchAlgorithmException ex) { - System.out.println("Skipping testAesEax"); - return; - } - Iterable<TestVector> v = - getTestVectors(algorithm, keySizes, ivSizes, tagSizes, ptSizes, aadSizes); - testEncrypt(v); - testDecrypt(v); - boolean acceptEmptyPlaintext = true; - testCorruptDecrypt(v, acceptEmptyPlaintext); - } -} diff --git a/keystore-cts/java/com/google/security/wycheproof/testcases/CipherOutputStreamTest.java b/keystore-cts/java/com/google/security/wycheproof/testcases/CipherOutputStreamTest.java deleted file mode 100644 index d016941..0000000 --- a/keystore-cts/java/com/google/security/wycheproof/testcases/CipherOutputStreamTest.java +++ /dev/null @@ -1,251 +0,0 @@ -/** - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package com.google.security.wycheproof; - -import static org.junit.Assert.assertEquals; -import static org.junit.Assert.fail; - -import java.io.ByteArrayOutputStream; -import java.io.IOException; -import java.security.NoSuchAlgorithmException; -import java.security.SecureRandom; -import java.security.spec.AlgorithmParameterSpec; -import java.util.ArrayList; -import java.util.Arrays; -import javax.crypto.Cipher; -import javax.crypto.CipherOutputStream; -import javax.crypto.spec.GCMParameterSpec; -import javax.crypto.spec.SecretKeySpec; -import org.junit.Test; -import org.junit.runner.RunWith; -import org.junit.runners.JUnit4; - -/** - * CipherOutputStream tests - * - * <p>CipherOutputStream is a class that is basically unsuitable for authenticated encryption - * and hence should be avoided whenever possible. The class is unsuitable, because the interface - * does not provide a method to tell the caller when decryption failed. I.e. the specification - * now explicitly claims that it catches exceptions thrown by the Cipher class such as - * BadPaddingException and that it does not rethrow them. - * http://www.oracle.com/technetwork/java/javase/8u171-relnotes-4308888.html - * - * <p>The Jdk implementation has the property that no unauthenticated plaintext is released. - * In the case of an authentication failure the implementation simply returns an empty plaintext. - * This allows a trivial attack where the attacker substitutes any message with an empty message. - * - * <p>The tests in this class have been adapted to this unfortunate situation. testEmptyPlaintext - * checks whether corrupting the tag of an empty message is detected. This test currently fails. - * All other tests run under the assumption that returning an empty plaintext is acceptable - * behaviour, so that the tests are able to catch additional problems. - */ - -@RunWith(JUnit4.class) -public class CipherOutputStreamTest { - static final SecureRandom rand = new SecureRandom(); - - static byte[] randomBytes(int size) { - byte[] bytes = new byte[size]; - rand.nextBytes(bytes); - return bytes; - } - - static SecretKeySpec randomKey(String algorithm, int keySizeInBytes) { - return new SecretKeySpec(randomBytes(keySizeInBytes), "AES"); - } - - static AlgorithmParameterSpec randomParameters( - String algorithm, int ivSizeInBytes, int tagSizeInBytes) { - if ("AES/GCM/NoPadding".equals(algorithm) || "AES/EAX/NoPadding".equals(algorithm)) { - return new GCMParameterSpec(8 * tagSizeInBytes, randomBytes(ivSizeInBytes)); - } - return null; - } - - /** Test vectors */ - @SuppressWarnings("InsecureCryptoUsage") - public static class TestVector { - public String algorithm; - public SecretKeySpec key; - public AlgorithmParameterSpec params; - public byte[] pt; - public byte[] aad; - public byte[] ct; - - public TestVector( - String algorithm, int keySize, int ivSize, int tagSize, int ptSize, int aadSize) - throws Exception { - this.algorithm = algorithm; - this.key = randomKey(algorithm, keySize); - this.params = randomParameters(algorithm, ivSize, tagSize); - this.pt = randomBytes(ptSize); - this.aad = randomBytes(aadSize); - Cipher cipher = Cipher.getInstance(algorithm); - cipher.init(Cipher.ENCRYPT_MODE, this.key, this.params); - cipher.updateAAD(aad); - this.ct = cipher.doFinal(pt); - } - } - - Iterable<TestVector> getTestVectors( - String algorithm, - int[] keySizes, - int[] ivSizes, - int[] tagSizes, - int[] ptSizes, - int[] aadSizes) - throws Exception { - ArrayList<TestVector> result = new ArrayList<TestVector>(); - for (int keySize : keySizes) { - for (int ivSize : ivSizes) { - for (int tagSize : tagSizes) { - for (int ptSize : ptSizes) { - for (int aadSize : aadSizes) { - result.add(new TestVector(algorithm, keySize, ivSize, tagSize, ptSize, aadSize)); - } - } - } - } - } - return result; - } - - @SuppressWarnings("InsecureCryptoUsage") - public void testEncrypt(Iterable<TestVector> tests) throws Exception { - for (TestVector t : tests) { - Cipher cipher = Cipher.getInstance(t.algorithm); - cipher.init(Cipher.ENCRYPT_MODE, t.key, t.params); - cipher.updateAAD(t.aad); - ByteArrayOutputStream os = new ByteArrayOutputStream(); - CipherOutputStream cos = new CipherOutputStream(os, cipher); - cos.write(t.pt); - cos.close(); - assertEquals(TestUtil.bytesToHex(t.ct), TestUtil.bytesToHex(os.toByteArray())); - } - } - - @SuppressWarnings("InsecureCryptoUsage") - public void testDecrypt(Iterable<TestVector> tests) throws Exception { - for (TestVector t : tests) { - Cipher cipher = Cipher.getInstance(t.algorithm); - cipher.init(Cipher.DECRYPT_MODE, t.key, t.params); - cipher.updateAAD(t.aad); - ByteArrayOutputStream os = new ByteArrayOutputStream(); - CipherOutputStream cos = new CipherOutputStream(os, cipher); - cos.write(t.ct); - cos.close(); - assertEquals(TestUtil.bytesToHex(t.pt), TestUtil.bytesToHex(os.toByteArray())); - } - } - - /** - * Tests decryption of corrupted ciphertext. The test may accept empty plaintext as valid - * result because of the problem with CipherOutputStream described in the header of this file. - * @param tests an iterable with valid test vectors, that will be corrupted for the test - * @param acceptEmptyPlaintext determines whether an empty plaintext instead of an exception - * is acceptable. - */ - @SuppressWarnings("InsecureCryptoUsage") - public void testCorruptDecrypt(Iterable<TestVector> tests, boolean acceptEmptyPlaintext) - throws Exception { - for (TestVector t : tests) { - Cipher cipher = Cipher.getInstance(t.algorithm); - cipher.init(Cipher.DECRYPT_MODE, t.key, t.params); - cipher.updateAAD(t.aad); - byte[] ct = Arrays.copyOf(t.ct, t.ct.length); - ct[ct.length - 1] ^= (byte) 1; - ByteArrayOutputStream os = new ByteArrayOutputStream(); - CipherOutputStream cos = new CipherOutputStream(os, cipher); - cos.write(ct); - try { - // cos.close() should call cipher.doFinal(). - cos.close(); - byte[] decrypted = os.toByteArray(); - // Unfortunately Oracle thinks that returning an empty array is valid behaviour. - // We accept empty results here, but flag them in the next test, so that we can distinguish - // between beheviour considered acceptable by Oracle and more serious flaws. - if (decrypted.length > 0) { - fail( - "this should fail; decrypted:" - + TestUtil.bytesToHex(decrypted) - + " pt: " - + TestUtil.bytesToHex(t.pt)); - } else if (decrypted.length == 0 && !acceptEmptyPlaintext) { - fail("Corrupted ciphertext returns empty plaintext"); - } - } catch (IOException ex) { - // expected - } - } - } - - @Test - public void testAesGcm() throws Exception { - final int[] keySizes = {16, 32}; - final int[] ivSizes = {12}; - final int[] tagSizes = {12, 16}; - final int[] ptSizes = {8, 16, 65, 8100}; - final int[] aadSizes = {0, 8, 24}; - Iterable<TestVector> v = - getTestVectors("AES/GCM/NoPadding", keySizes, ivSizes, tagSizes, ptSizes, aadSizes); - testEncrypt(v); - testDecrypt(v); - boolean acceptEmptyPlaintext = true; - testCorruptDecrypt(v, acceptEmptyPlaintext); - } - - /** - * Tests the behaviour for corrupt plaintext more strictly than in the tests above. - * This test does not accept that an implementation returns an empty plaintext when the - * ciphertext has been corrupted. - */ - @Test - public void testEmptyPlaintext() throws Exception { - final int[] keySizes = {16, 32}; - final int[] ivSizes = {12}; - final int[] tagSizes = {12, 16}; - final int[] ptSizes = {0}; - final int[] aadSizes = {0, 8, 24}; - Iterable<TestVector> v = - getTestVectors("AES/GCM/NoPadding", keySizes, ivSizes, tagSizes, ptSizes, aadSizes); - testEncrypt(v); - testDecrypt(v); - boolean acceptEmptyPlaintext = false; - testCorruptDecrypt(v, acceptEmptyPlaintext); - } - - /** Tests CipherOutputStream with AES-EAX if AES-EAS is supported by the provider. */ - @SuppressWarnings("InsecureCryptoUsage") - @Test - public void testAesEax() throws Exception { - final String algorithm = "AES/EAX/NoPadding"; - final int[] keySizes = {16, 32}; - final int[] ivSizes = {12, 16}; - final int[] tagSizes = {12, 16}; - final int[] ptSizes = {8, 16, 65, 8100}; - final int[] aadSizes = {0, 8, 24}; - try { - Cipher.getInstance(algorithm); - } catch (NoSuchAlgorithmException ex) { - System.out.println("Skipping testAesEax"); - return; - } - Iterable<TestVector> v = - getTestVectors(algorithm, keySizes, ivSizes, tagSizes, ptSizes, aadSizes); - testEncrypt(v); - testDecrypt(v); - boolean acceptEmptyPlaintext = true; - testCorruptDecrypt(v, acceptEmptyPlaintext); - } -} diff --git a/keystore-cts/java/com/google/security/wycheproof/testcases/EcdhTest.java b/keystore-cts/java/com/google/security/wycheproof/testcases/EcdhTest.java deleted file mode 100644 index 517d23b..0000000 --- a/keystore-cts/java/com/google/security/wycheproof/testcases/EcdhTest.java +++ /dev/null @@ -1,1072 +0,0 @@ -/** - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package com.google.security.wycheproof; - -import static org.junit.Assert.assertEquals; -import static org.junit.Assert.assertTrue; -import static org.junit.Assert.fail; - -import com.google.security.wycheproof.WycheproofRunner.NoPresubmitTest; -import com.google.security.wycheproof.WycheproofRunner.ProviderType; -import com.google.security.wycheproof.WycheproofRunner.SlowTest; -import java.lang.management.ManagementFactory; -import java.lang.management.ThreadMXBean; -import java.math.BigInteger; -import java.security.GeneralSecurityException; -import java.security.InvalidKeyException; -import java.security.KeyFactory; -import java.security.KeyPair; -import java.security.KeyPairGenerator; -import java.security.NoSuchAlgorithmException; -import java.security.PrivateKey; -import java.security.PublicKey; -import java.security.SecureRandom; -import java.security.interfaces.ECPrivateKey; -import java.security.interfaces.ECPublicKey; -import java.security.spec.ECFieldFp; -import java.security.spec.ECGenParameterSpec; -import java.security.spec.ECParameterSpec; -import java.security.spec.ECPoint; -import java.security.spec.ECPrivateKeySpec; -import java.security.spec.ECPublicKeySpec; -import java.security.spec.EllipticCurve; -import java.security.spec.InvalidKeySpecException; -import java.security.spec.X509EncodedKeySpec; -import javax.crypto.KeyAgreement; -import org.junit.Test; -import org.junit.runner.RunWith; -import org.junit.runners.JUnit4; - -/** - * Testing ECDH. - * - * <p><b>Defense in depth</b>: The tests for ECDH assume that a attacker has control over all - * aspects of the public key in an exchange. That means that the attacker can potentially send weak - * or invalid public keys. For example, invalid public keys can contain points not on the curve, - * curves that have been deliberately chosen so that DLs are easy to compute as well as orders or - * cofactors that are wrong. It is expected that implementations validate the inputs of a key - * agreement and that in no case information about the private key is leaked. - * - * <p><b>References:</b> Ingrid Biehl, Bernd Meyer, Volker Müller, "Differential Fault Attacks on - * Elliptic Curve Cryptosystems", Crypto '00, pp. 131-164 - * - * <p>Adrian Antipa, Daniel Brown, Alfred Menezes, Rene Struik, and Scott Vanstone, "Validation of - * Elliptic Curve Public Keys", PKC 2003, https://www.iacr.org/archive/pkc2003/25670211/25670211.pdf - * - * <p><b>Bugs:</b> CVE-2015-7940: BouncyCastle before 1.51 does not validate a point is on the - * curve. BouncyCastle v.1.52 checks that the public key point is on the public key curve but does - * not check whether public key and private key use the same curve. BouncyCastle v.1.53 is still - * vulnerable to attacks with modified public keys. An attacker can change the order of the curve - * used by the public key. ECDHC would then reduce the private key modulo this order, which can be - * used to find the private key. - * - * <p>CVE-2015-6924: Utimaco HSMs vulnerable to invalid curve attacks, which made the private key - * extraction possible. - * - * <p>CVE-2015-7940: Issue with elliptic curve addition in mixed Jacobian-affine coordinates - * - * @author bleichen@google.com (Daniel Bleichenbacher) - */ -// TODO(bleichen): Stuff we haven't implemented: -// - timing attacks -// Stuff we are delaying because there are more important bugs: -// - testWrongOrder using BouncyCastle with ECDHWithSHA1Kdf throws -// java.lang.UnsupportedOperationException: KDF can only be used when algorithm is known -// Not sure if that is expected or another bug. -// CVEs for ECDH we haven't used anywhere. -// - CVE-2014-3470: OpenSSL anonymous ECDH denial of service: triggered by NULL value in -// certificate. -// - CVE-2014-3572: OpenSSL downgrades ECDHE to ECDH -// - CVE-2011-3210: OpenSSL was not thread safe -@RunWith(JUnit4.class) -public class EcdhTest { - - static final String[] ECDH_VARIANTS = { - // Raw ECDH. The shared secret is the x-coordinate of the ECDH computation. - // The tests below assume that this variant is implemenented. - "ECDH", - // ECDHC is a variant described in P1363 7.2.2 ECSVDP-DHC. - // BouncyCastle implements this variant. - "ECDHC", - // A variant with an explicit key derivation function. - // This is implemented by BouncyCastle. - "ECDHWITHSHA1KDF", - }; - - /** Test vectors */ - public static class EcPublicKeyTestVector { - final String comment; - final String encoded; // hexadecimal representation of the X509 encoding - final BigInteger p; // characteristic of the field - final BigInteger n; // order of the subgroup - final BigInteger a; // parameter a of the Weierstrass representation - final BigInteger b; // parameter b of the Weierstrass represnetation - final BigInteger gx; // x-coordinate of the generator - final BigInteger gy; // y-coordainat of the generator - final Integer h; // cofactor: may be null - final BigInteger pubx; // x-coordinate of the public point - final BigInteger puby; // y-coordinate of the public point - - public EcPublicKeyTestVector( - String comment, - String encoded, - BigInteger p, - BigInteger n, - BigInteger a, - BigInteger b, - BigInteger gx, - BigInteger gy, - Integer h, - BigInteger pubx, - BigInteger puby) { - this.comment = comment; - this.encoded = encoded; - this.p = p; - this.n = n; - this.a = a; - this.b = b; - this.gx = gx; - this.gy = gy; - this.h = h; - this.pubx = pubx; - this.puby = puby; - } - - /** - * Returns this key as ECPublicKeySpec or null if the key cannot be represented as - * ECPublicKeySpec. The later happens for example if the order of cofactor are not positive. - */ - public ECPublicKeySpec getSpec() { - try { - ECFieldFp fp = new ECFieldFp(p); - EllipticCurve curve = new EllipticCurve(fp, a, b); - ECPoint g = new ECPoint(gx, gy); - // ECParameterSpec requires that the cofactor h is specified. - if (h == null) { - return null; - } - ECParameterSpec params = new ECParameterSpec(curve, g, n, h); - ECPoint pubPoint = new ECPoint(pubx, puby); - ECPublicKeySpec pub = new ECPublicKeySpec(pubPoint, params); - return pub; - } catch (Exception ex) { - System.out.println(comment + " throws " + ex.toString()); - return null; - } - } - - public X509EncodedKeySpec getX509EncodedKeySpec() { - return new X509EncodedKeySpec(TestUtil.hexToBytes(encoded)); - } - } - -public static final EcPublicKeyTestVector EC_VALID_PUBLIC_KEY = - new EcPublicKeyTestVector( - "unmodified", - "3059301306072a8648ce3d020106082a8648ce3d03010703420004cdeb39edd0" - + "3e2b1a11a5e134ec99d5f25f21673d403f3ecb47bd1fa676638958ea58493b84" - + "29598c0b49bbb85c3303ddb1553c3b761c2caacca71606ba9ebac8", - new BigInteger("ffffffff00000001000000000000000000000000ffffffffffffffffffffffff", 16), - new BigInteger("ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551", 16), - new BigInteger("ffffffff00000001000000000000000000000000fffffffffffffffffffffffc", 16), - new BigInteger("5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b", 16), - new BigInteger("6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296", 16), - new BigInteger("4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5", 16), - 1, - new BigInteger("cdeb39edd03e2b1a11a5e134ec99d5f25f21673d403f3ecb47bd1fa676638958", 16), - new BigInteger("ea58493b8429598c0b49bbb85c3303ddb1553c3b761c2caacca71606ba9ebac8", 16)); - - public static final EcPublicKeyTestVector[] EC_MODIFIED_PUBLIC_KEYS = { - // Modified keys - new EcPublicKeyTestVector( - "public point not on curve", - "3059301306072a8648ce3d020106082a8648ce3d03010703420004cdeb39edd0" - + "3e2b1a11a5e134ec99d5f25f21673d403f3ecb47bd1fa676638958ea58493b84" - + "29598c0b49bbb85c3303ddb1553c3b761c2caacca71606ba9ebaca", - new BigInteger("ffffffff00000001000000000000000000000000ffffffffffffffffffffffff", 16), - new BigInteger("ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551", 16), - new BigInteger("ffffffff00000001000000000000000000000000fffffffffffffffffffffffc", 16), - new BigInteger("5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b", 16), - new BigInteger("6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296", 16), - new BigInteger("4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5", 16), - 1, - new BigInteger("cdeb39edd03e2b1a11a5e134ec99d5f25f21673d403f3ecb47bd1fa676638958", 16), - new BigInteger("ea58493b8429598c0b49bbb85c3303ddb1553c3b761c2caacca71606ba9ebaca", 16)), - new EcPublicKeyTestVector( - "public point = (0,0)", - "3059301306072a8648ce3d020106082a8648ce3d030107034200040000000000" - + "0000000000000000000000000000000000000000000000000000000000000000" - + "000000000000000000000000000000000000000000000000000000", - new BigInteger("ffffffff00000001000000000000000000000000ffffffffffffffffffffffff", 16), - new BigInteger("ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551", 16), - new BigInteger("ffffffff00000001000000000000000000000000fffffffffffffffffffffffc", 16), - new BigInteger("5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b", 16), - new BigInteger("6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296", 16), - new BigInteger("4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5", 16), - 1, - new BigInteger("0"), - new BigInteger("0")), - new EcPublicKeyTestVector( - "order = 1", - "308201133081cc06072a8648ce3d02013081c0020101302c06072a8648ce3d01" - + "01022100ffffffff00000001000000000000000000000000ffffffffffffffff" - + "ffffffff30440420ffffffff00000001000000000000000000000000ffffffff" - + "fffffffffffffffc04205ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53" - + "b0f63bce3c3e27d2604b0441046b17d1f2e12c4247f8bce6e563a440f277037d" - + "812deb33a0f4a13945d898c2964fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33" - + "576b315ececbb6406837bf51f502010102010103420004cdeb39edd03e2b1a11" - + "a5e134ec99d5f25f21673d403f3ecb47bd1fa676638958ea58493b8429598c0b" - + "49bbb85c3303ddb1553c3b761c2caacca71606ba9ebac8", - new BigInteger("ffffffff00000001000000000000000000000000ffffffffffffffffffffffff", 16), - new BigInteger("01", 16), - new BigInteger("ffffffff00000001000000000000000000000000fffffffffffffffffffffffc", 16), - new BigInteger("5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b", 16), - new BigInteger("6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296", 16), - new BigInteger("4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5", 16), - 1, - new BigInteger("cdeb39edd03e2b1a11a5e134ec99d5f25f21673d403f3ecb47bd1fa676638958", 16), - new BigInteger("ea58493b8429598c0b49bbb85c3303ddb1553c3b761c2caacca71606ba9ebac8", 16)), - new EcPublicKeyTestVector( - "order = 26959946660873538060741835960514744168612397095220107664918121663170", - "3082012f3081e806072a8648ce3d02013081dc020101302c06072a8648ce3d01" - + "01022100ffffffff00000001000000000000000000000000ffffffffffffffff" - + "ffffffff30440420ffffffff00000001000000000000000000000000ffffffff" - + "fffffffffffffffc04205ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53" - + "b0f63bce3c3e27d2604b0441046b17d1f2e12c4247f8bce6e563a440f277037d" - + "812deb33a0f4a13945d898c2964fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33" - + "576b315ececbb6406837bf51f5021d00ffffffff00000000ffffffffffffffff" - + "bce6faada7179e84f3b9cac202010103420004cdeb39edd03e2b1a11a5e134ec" - + "99d5f25f21673d403f3ecb47bd1fa676638958ea58493b8429598c0b49bbb85c" - + "3303ddb1553c3b761c2caacca71606ba9ebac8", - new BigInteger("ffffffff00000001000000000000000000000000ffffffffffffffffffffffff", 16), - new BigInteger("ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2", 16), - new BigInteger("ffffffff00000001000000000000000000000000fffffffffffffffffffffffc", 16), - new BigInteger("5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b", 16), - new BigInteger("6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296", 16), - new BigInteger("4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5", 16), - 1, - new BigInteger("cdeb39edd03e2b1a11a5e134ec99d5f25f21673d403f3ecb47bd1fa676638958", 16), - new BigInteger("ea58493b8429598c0b49bbb85c3303ddb1553c3b761c2caacca71606ba9ebac8", 16)), - new EcPublicKeyTestVector( - "generator = (0,0)", - "308201333081ec06072a8648ce3d02013081e0020101302c06072a8648ce3d01" - + "01022100ffffffff00000001000000000000000000000000ffffffffffffffff" - + "ffffffff30440420ffffffff00000001000000000000000000000000ffffffff" - + "fffffffffffffffc04205ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53" - + "b0f63bce3c3e27d2604b04410400000000000000000000000000000000000000" - + "0000000000000000000000000000000000000000000000000000000000000000" - + "00000000000000000000000000022100ffffffff00000000ffffffffffffffff" - + "bce6faada7179e84f3b9cac2fc63255102010103420004cdeb39edd03e2b1a11" - + "a5e134ec99d5f25f21673d403f3ecb47bd1fa676638958ea58493b8429598c0b" - + "49bbb85c3303ddb1553c3b761c2caacca71606ba9ebac8", - new BigInteger("ffffffff00000001000000000000000000000000ffffffffffffffffffffffff", 16), - new BigInteger("ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551", 16), - new BigInteger("ffffffff00000001000000000000000000000000fffffffffffffffffffffffc", 16), - new BigInteger("5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b", 16), - new BigInteger("0"), - new BigInteger("0"), - 1, - new BigInteger("cdeb39edd03e2b1a11a5e134ec99d5f25f21673d403f3ecb47bd1fa676638958", 16), - new BigInteger("ea58493b8429598c0b49bbb85c3303ddb1553c3b761c2caacca71606ba9ebac8", 16)), - new EcPublicKeyTestVector( - "generator not on curve", - "308201333081ec06072a8648ce3d02013081e0020101302c06072a8648ce3d01" - + "01022100ffffffff00000001000000000000000000000000ffffffffffffffff" - + "ffffffff30440420ffffffff00000001000000000000000000000000ffffffff" - + "fffffffffffffffc04205ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53" - + "b0f63bce3c3e27d2604b0441046b17d1f2e12c4247f8bce6e563a440f277037d" - + "812deb33a0f4a13945d898c2964fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33" - + "576b315ececbb6406837bf51f7022100ffffffff00000000ffffffffffffffff" - + "bce6faada7179e84f3b9cac2fc63255102010103420004cdeb39edd03e2b1a11" - + "a5e134ec99d5f25f21673d403f3ecb47bd1fa676638958ea58493b8429598c0b" - + "49bbb85c3303ddb1553c3b761c2caacca71606ba9ebac8", - new BigInteger("ffffffff00000001000000000000000000000000ffffffffffffffffffffffff", 16), - new BigInteger("ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551", 16), - new BigInteger("ffffffff00000001000000000000000000000000fffffffffffffffffffffffc", 16), - new BigInteger("5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b", 16), - new BigInteger("6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296", 16), - new BigInteger("4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f7", 16), - 1, - new BigInteger("cdeb39edd03e2b1a11a5e134ec99d5f25f21673d403f3ecb47bd1fa676638958", 16), - new BigInteger("ea58493b8429598c0b49bbb85c3303ddb1553c3b761c2caacca71606ba9ebac8", 16)), - new EcPublicKeyTestVector( - "cofactor = 2", - "308201333081ec06072a8648ce3d02013081e0020101302c06072a8648ce3d01" - + "01022100ffffffff00000001000000000000000000000000ffffffffffffffff" - + "ffffffff30440420ffffffff00000001000000000000000000000000ffffffff" - + "fffffffffffffffc04205ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53" - + "b0f63bce3c3e27d2604b0441046b17d1f2e12c4247f8bce6e563a440f277037d" - + "812deb33a0f4a13945d898c2964fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33" - + "576b315ececbb6406837bf51f5022100ffffffff00000000ffffffffffffffff" - + "bce6faada7179e84f3b9cac2fc63255102010203420004cdeb39edd03e2b1a11" - + "a5e134ec99d5f25f21673d403f3ecb47bd1fa676638958ea58493b8429598c0b" - + "49bbb85c3303ddb1553c3b761c2caacca71606ba9ebac8", - new BigInteger("ffffffff00000001000000000000000000000000ffffffffffffffffffffffff", 16), - new BigInteger("ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551", 16), - new BigInteger("ffffffff00000001000000000000000000000000fffffffffffffffffffffffc", 16), - new BigInteger("5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b", 16), - new BigInteger("6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296", 16), - new BigInteger("4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5", 16), - 2, - new BigInteger("cdeb39edd03e2b1a11a5e134ec99d5f25f21673d403f3ecb47bd1fa676638958", 16), - new BigInteger("ea58493b8429598c0b49bbb85c3303ddb1553c3b761c2caacca71606ba9ebac8", 16)), - new EcPublicKeyTestVector( - "cofactor = None", - "308201303081e906072a8648ce3d02013081dd020101302c06072a8648ce3d01" - + "01022100ffffffff00000001000000000000000000000000ffffffffffffffff" - + "ffffffff30440420ffffffff00000001000000000000000000000000ffffffff" - + "fffffffffffffffc04205ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53" - + "b0f63bce3c3e27d2604b0441046b17d1f2e12c4247f8bce6e563a440f277037d" - + "812deb33a0f4a13945d898c2964fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33" - + "576b315ececbb6406837bf51f5022100ffffffff00000000ffffffffffffffff" - + "bce6faada7179e84f3b9cac2fc63255103420004cdeb39edd03e2b1a11a5e134" - + "ec99d5f25f21673d403f3ecb47bd1fa676638958ea58493b8429598c0b49bbb8" - + "5c3303ddb1553c3b761c2caacca71606ba9ebac8", - new BigInteger("ffffffff00000001000000000000000000000000ffffffffffffffffffffffff", 16), - new BigInteger("ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551", 16), - new BigInteger("ffffffff00000001000000000000000000000000fffffffffffffffffffffffc", 16), - new BigInteger("5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b", 16), - new BigInteger("6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296", 16), - new BigInteger("4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5", 16), - null, - new BigInteger("cdeb39edd03e2b1a11a5e134ec99d5f25f21673d403f3ecb47bd1fa676638958", 16), - new BigInteger("ea58493b8429598c0b49bbb85c3303ddb1553c3b761c2caacca71606ba9ebac8", 16)), - new EcPublicKeyTestVector( - "modified prime", - "308201333081ec06072a8648ce3d02013081e0020101302c06072a8648ce3d01" - + "01022100fd091059a6893635f900e9449d63f572b2aebc4cff7b4e5e33f1b200" - + "e8bbc1453044042002f6efa55976c9cb06ff16bb629c0a8d4d5143b40084b1a1" - + "cc0e4dff17443eb704205ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53" - + "b0f63bce3c3e27d2604b0441040000000000000000000006597fa94b1fd90000" - + "000000000000000000000000021b8c7dd77f9a95627922eceefea73f028f1ec9" - + "5ba9b8fa95a3ad24bdf9fff414022100ffffffff00000000ffffffffffffffff" - + "bce6faada7179e84f3b9cac2fc63255102010103420004000000000000000000" - + "0006597fa94b1fd90000000000000000000000000000021b8c7dd77f9a956279" - + "22eceefea73f028f1ec95ba9b8fa95a3ad24bdf9fff414", - new BigInteger("fd091059a6893635f900e9449d63f572b2aebc4cff7b4e5e33f1b200e8bbc145", 16), - new BigInteger("ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551", 16), - new BigInteger("ffffffff00000001000000000000000000000000fffffffffffffffffffffffc", 16), - new BigInteger("5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b", 16), - new BigInteger("06597fa94b1fd9000000000000000000000000000002", 16), - new BigInteger("1b8c7dd77f9a95627922eceefea73f028f1ec95ba9b8fa95a3ad24bdf9fff414", 16), - 1, - new BigInteger("06597fa94b1fd9000000000000000000000000000002", 16), - new BigInteger("1b8c7dd77f9a95627922eceefea73f028f1ec95ba9b8fa95a3ad24bdf9fff414", 16)), - new EcPublicKeyTestVector( - "using secp224r1", - "304e301006072a8648ce3d020106052b81040021033a0004074f56dc2ea648ef" - + "89c3b72e23bbd2da36f60243e4d2067b70604af1c2165cec2f86603d60c8a611" - + "d5b84ba3d91dfe1a480825bcc4af3bcf", - new BigInteger("ffffffffffffffffffffffffffffffff000000000000000000000001", 16), - new BigInteger("ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d", 16), - new BigInteger("fffffffffffffffffffffffffffffffefffffffffffffffffffffffe", 16), - new BigInteger("b4050a850c04b3abf54132565044b0b7d7bfd8ba270b39432355ffb4", 16), - new BigInteger("b70e0cbd6bb4bf7f321390b94a03c1d356c21122343280d6115c1d21", 16), - new BigInteger("bd376388b5f723fb4c22dfe6cd4375a05a07476444d5819985007e34", 16), - 1, - new BigInteger("074f56dc2ea648ef89c3b72e23bbd2da36f60243e4d2067b70604af1", 16), - new BigInteger("c2165cec2f86603d60c8a611d5b84ba3d91dfe1a480825bcc4af3bcf", 16)), - new EcPublicKeyTestVector( - "a = 0", - "308201143081cd06072a8648ce3d02013081c1020101302c06072a8648ce3d01" - + "01022100ffffffff00000001000000000000000000000000ffffffffffffffff" - + "ffffffff30250401000420f104880c3980129c7efa19b6b0cb04e547b8d0fc0b" - + "95f4946496dd4ac4a7c440044104cdeb39edd03e2b1a11a5e134ec99d5f25f21" - + "673d403f3ecb47bd1fa676638958ea58493b8429598c0b49bbb85c3303ddb155" - + "3c3b761c2caacca71606ba9ebac8022100ffffffff00000000ffffffffffffff" - + "ffbce6faada7179e84f3b9cac2fc63255102010103420004cdeb39edd03e2b1a" - + "11a5e134ec99d5f25f21673d403f3ecb47bd1fa676638958ea58493b8429598c" - + "0b49bbb85c3303ddb1553c3b761c2caacca71606ba9ebac8", - new BigInteger("ffffffff00000001000000000000000000000000ffffffffffffffffffffffff", 16), - new BigInteger("ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551", 16), - new BigInteger("0"), - new BigInteger("f104880c3980129c7efa19b6b0cb04e547b8d0fc0b95f4946496dd4ac4a7c440", 16), - new BigInteger("cdeb39edd03e2b1a11a5e134ec99d5f25f21673d403f3ecb47bd1fa676638958", 16), - new BigInteger("ea58493b8429598c0b49bbb85c3303ddb1553c3b761c2caacca71606ba9ebac8", 16), - 1, - new BigInteger("cdeb39edd03e2b1a11a5e134ec99d5f25f21673d403f3ecb47bd1fa676638958", 16), - new BigInteger("ea58493b8429598c0b49bbb85c3303ddb1553c3b761c2caacca71606ba9ebac8", 16)), - new EcPublicKeyTestVector( - "new curve with generator of order 3 that is also on secp256r1", - "308201333081ec06072a8648ce3d02013081e0020101302c06072a8648ce3d01" - + "01022100ffffffff00000001000000000000000000000000ffffffffffffffff" - + "ffffffff3044042046dc879a5c2995d0e6f682468ea95791b7bbd0225cfdb251" - + "3fb10a737afece170420bea6c109251bfe4acf2eeda7c24c4ab70a1473335dec" - + "28b244d4d823d15935e2044104701c05255026aa4630b78fc6b769e388059ab1" - + "443cbdd1f8348bedc3be589dc34cfdab998ad27738ae382aa013986ade0f4859" - + "2a9a1ae37ca61d25ec5356f1bd022100ffffffff00000000ffffffffffffffff" - + "bce6faada7179e84f3b9cac2fc63255102010103420004701c05255026aa4630" - + "b78fc6b769e388059ab1443cbdd1f8348bedc3be589dc3b3025465752d88c851" - + "c7d55fec679521f0b7a6d665e51c8359e2da13aca90e42", - new BigInteger("ffffffff00000001000000000000000000000000ffffffffffffffffffffffff", 16), - new BigInteger("ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551", 16), - new BigInteger("46dc879a5c2995d0e6f682468ea95791b7bbd0225cfdb2513fb10a737afece17", 16), - new BigInteger("bea6c109251bfe4acf2eeda7c24c4ab70a1473335dec28b244d4d823d15935e2", 16), - new BigInteger("701c05255026aa4630b78fc6b769e388059ab1443cbdd1f8348bedc3be589dc3", 16), - new BigInteger("4cfdab998ad27738ae382aa013986ade0f48592a9a1ae37ca61d25ec5356f1bd", 16), - 1, - new BigInteger("701c05255026aa4630b78fc6b769e388059ab1443cbdd1f8348bedc3be589dc3", 16), - new BigInteger("b3025465752d88c851c7d55fec679521f0b7a6d665e51c8359e2da13aca90e42", 16)), - // Invalid keys - new EcPublicKeyTestVector( - "order = -1157920892103562487626974469494075735299969552241357603" - + "42422259061068512044369", - "308201333081ec06072a8648ce3d02013081e0020101302c06072a8648ce3d01" - + "01022100ffffffff00000001000000000000000000000000ffffffffffffffff" - + "ffffffff30440420ffffffff00000001000000000000000000000000ffffffff" - + "fffffffffffffffc04205ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53" - + "b0f63bce3c3e27d2604b0441046b17d1f2e12c4247f8bce6e563a440f277037d" - + "812deb33a0f4a13945d898c2964fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33" - + "576b315ececbb6406837bf51f50221ff00000000ffffffff0000000000000000" - + "4319055258e8617b0c46353d039cdaaf02010103420004cdeb39edd03e2b1a11" - + "a5e134ec99d5f25f21673d403f3ecb47bd1fa676638958ea58493b8429598c0b" - + "49bbb85c3303ddb1553c3b761c2caacca71606ba9ebac8", - new BigInteger("ffffffff00000001000000000000000000000000ffffffffffffffffffffffff", 16), - new BigInteger( - "-115792089210356248762697446949407573529996955224135760342422259061068512044369"), - new BigInteger("ffffffff00000001000000000000000000000000fffffffffffffffffffffffc", 16), - new BigInteger("5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b", 16), - new BigInteger("6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296", 16), - new BigInteger("4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5", 16), - 1, - new BigInteger("cdeb39edd03e2b1a11a5e134ec99d5f25f21673d403f3ecb47bd1fa676638958", 16), - new BigInteger("ea58493b8429598c0b49bbb85c3303ddb1553c3b761c2caacca71606ba9ebac8", 16)), - new EcPublicKeyTestVector( - "order = 0", - "308201133081cc06072a8648ce3d02013081c0020101302c06072a8648ce3d01" - + "01022100ffffffff00000001000000000000000000000000ffffffffffffffff" - + "ffffffff30440420ffffffff00000001000000000000000000000000ffffffff" - + "fffffffffffffffc04205ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53" - + "b0f63bce3c3e27d2604b0441046b17d1f2e12c4247f8bce6e563a440f277037d" - + "812deb33a0f4a13945d898c2964fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33" - + "576b315ececbb6406837bf51f502010002010103420004cdeb39edd03e2b1a11" - + "a5e134ec99d5f25f21673d403f3ecb47bd1fa676638958ea58493b8429598c0b" - + "49bbb85c3303ddb1553c3b761c2caacca71606ba9ebac8", - new BigInteger("ffffffff00000001000000000000000000000000ffffffffffffffffffffffff", 16), - new BigInteger("0"), - new BigInteger("ffffffff00000001000000000000000000000000fffffffffffffffffffffffc", 16), - new BigInteger("5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b", 16), - new BigInteger("6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296", 16), - new BigInteger("4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5", 16), - 1, - new BigInteger("cdeb39edd03e2b1a11a5e134ec99d5f25f21673d403f3ecb47bd1fa676638958", 16), - new BigInteger("ea58493b8429598c0b49bbb85c3303ddb1553c3b761c2caacca71606ba9ebac8", 16)), - new EcPublicKeyTestVector( - "cofactor = -1", - "308201333081ec06072a8648ce3d02013081e0020101302c06072a8648ce3d01" - + "01022100ffffffff00000001000000000000000000000000ffffffffffffffff" - + "ffffffff30440420ffffffff00000001000000000000000000000000ffffffff" - + "fffffffffffffffc04205ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53" - + "b0f63bce3c3e27d2604b0441046b17d1f2e12c4247f8bce6e563a440f277037d" - + "812deb33a0f4a13945d898c2964fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33" - + "576b315ececbb6406837bf51f5022100ffffffff00000000ffffffffffffffff" - + "bce6faada7179e84f3b9cac2fc6325510201ff03420004cdeb39edd03e2b1a11" - + "a5e134ec99d5f25f21673d403f3ecb47bd1fa676638958ea58493b8429598c0b" - + "49bbb85c3303ddb1553c3b761c2caacca71606ba9ebac8", - new BigInteger("ffffffff00000001000000000000000000000000ffffffffffffffffffffffff", 16), - new BigInteger("ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551", 16), - new BigInteger("ffffffff00000001000000000000000000000000fffffffffffffffffffffffc", 16), - new BigInteger("5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b", 16), - new BigInteger("6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296", 16), - new BigInteger("4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5", 16), - -1, - new BigInteger("cdeb39edd03e2b1a11a5e134ec99d5f25f21673d403f3ecb47bd1fa676638958", 16), - new BigInteger("ea58493b8429598c0b49bbb85c3303ddb1553c3b761c2caacca71606ba9ebac8", 16)), - new EcPublicKeyTestVector( - "cofactor = 0", - "308201333081ec06072a8648ce3d02013081e0020101302c06072a8648ce3d01" - + "01022100ffffffff00000001000000000000000000000000ffffffffffffffff" - + "ffffffff30440420ffffffff00000001000000000000000000000000ffffffff" - + "fffffffffffffffc04205ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53" - + "b0f63bce3c3e27d2604b0441046b17d1f2e12c4247f8bce6e563a440f277037d" - + "812deb33a0f4a13945d898c2964fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33" - + "576b315ececbb6406837bf51f5022100ffffffff00000000ffffffffffffffff" - + "bce6faada7179e84f3b9cac2fc63255102010003420004cdeb39edd03e2b1a11" - + "a5e134ec99d5f25f21673d403f3ecb47bd1fa676638958ea58493b8429598c0b" - + "49bbb85c3303ddb1553c3b761c2caacca71606ba9ebac8", - new BigInteger("ffffffff00000001000000000000000000000000ffffffffffffffffffffffff", 16), - new BigInteger("ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551", 16), - new BigInteger("ffffffff00000001000000000000000000000000fffffffffffffffffffffffc", 16), - new BigInteger("5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b", 16), - new BigInteger("6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296", 16), - new BigInteger("4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5", 16), - 0, - new BigInteger("cdeb39edd03e2b1a11a5e134ec99d5f25f21673d403f3ecb47bd1fa676638958", 16), - new BigInteger("ea58493b8429598c0b49bbb85c3303ddb1553c3b761c2caacca71606ba9ebac8", 16)), - }; - - /** Checks that key agreement using ECDH works. */ - @Test - public void testBasic() throws Exception { - KeyPairGenerator keyGen = KeyPairGenerator.getInstance("EC"); - ECGenParameterSpec ecSpec = new ECGenParameterSpec("secp256r1"); - keyGen.initialize(ecSpec); - KeyPair keyPairA = keyGen.generateKeyPair(); - KeyPair keyPairB = keyGen.generateKeyPair(); - - KeyAgreement kaA = KeyAgreement.getInstance("ECDH"); - KeyAgreement kaB = KeyAgreement.getInstance("ECDH"); - kaA.init(keyPairA.getPrivate()); - kaB.init(keyPairB.getPrivate()); - kaA.doPhase(keyPairB.getPublic(), true); - kaB.doPhase(keyPairA.getPublic(), true); - byte[] kAB = kaA.generateSecret(); - byte[] kBA = kaB.generateSecret(); - assertEquals(TestUtil.bytesToHex(kAB), TestUtil.bytesToHex(kBA)); - } - - @NoPresubmitTest( - providers = {ProviderType.BOUNCY_CASTLE}, - bugs = {"BouncyCastle uses long encoding. Is this a bug?"} - ) - @Test - public void testEncode() throws Exception { - KeyFactory kf = KeyFactory.getInstance("EC"); - ECPublicKey valid = (ECPublicKey) kf.generatePublic(EC_VALID_PUBLIC_KEY.getSpec()); - assertEquals(TestUtil.bytesToHex(valid.getEncoded()), EC_VALID_PUBLIC_KEY.encoded); - } - - @Test - public void testDecode() throws Exception { - KeyFactory kf = KeyFactory.getInstance("EC"); - ECPublicKey key1 = (ECPublicKey) kf.generatePublic(EC_VALID_PUBLIC_KEY.getSpec()); - ECPublicKey key2 = (ECPublicKey) kf.generatePublic(EC_VALID_PUBLIC_KEY.getX509EncodedKeySpec()); - ECParameterSpec params1 = key1.getParams(); - ECParameterSpec params2 = key2.getParams(); - assertEquals(params1.getCofactor(), params2.getCofactor()); - assertEquals(params1.getCurve(), params2.getCurve()); - assertEquals(params1.getGenerator(), params2.getGenerator()); - assertEquals(params1.getOrder(), params2.getOrder()); - assertEquals(key1.getW(), key2.getW()); - } - - /** - * This test modifies the order of group in the public key. A severe bug would be an - * implementation that leaks information whether the private key is larger than the order given in - * the public key. Also a severe bug would be to reduce the private key modulo the order given in - * the public key parameters. - */ - @SuppressWarnings("InsecureCryptoUsage") - public void testModifiedPublic(String algorithm) throws Exception { - KeyAgreement ka; - try { - ka = KeyAgreement.getInstance(algorithm); - } catch (NoSuchAlgorithmException ex) { - System.out.println("testWrongOrder: " + algorithm + " not supported"); - return; - } - KeyPairGenerator keyGen = KeyPairGenerator.getInstance("EC"); - keyGen.initialize(EcUtil.getNistP256Params()); - ECPrivateKey priv = (ECPrivateKey) keyGen.generateKeyPair().getPrivate(); - KeyFactory kf = KeyFactory.getInstance("EC"); - ECPublicKey validKey = (ECPublicKey) kf.generatePublic(EC_VALID_PUBLIC_KEY.getSpec()); - ka.init(priv); - ka.doPhase(validKey, true); - String expected = TestUtil.bytesToHex(ka.generateSecret()); - for (EcPublicKeyTestVector test : EC_MODIFIED_PUBLIC_KEYS) { - try { - X509EncodedKeySpec spec = test.getX509EncodedKeySpec(); - ECPublicKey modifiedKey = (ECPublicKey) kf.generatePublic(spec); - ka.init(priv); - ka.doPhase(modifiedKey, true); - String shared = TestUtil.bytesToHex(ka.generateSecret()); - // The implementation did not notice that the public key was modified. - // This is not nice, but at the moment we only fail the test if the - // modification was essential for computing the shared secret. - // - // BouncyCastle v.1.53 fails this test, for ECDHC with modified order. - // This implementation reduces the product s*h modulo the order given - // in the public key. An attacker who can modify the order of the public key - // and who can learn whether such a modification changes the shared secret is - // able to learn the private key with a simple binary search. - assertEquals("algorithm:" + algorithm + " test:" + test.comment, expected, shared); - } catch (GeneralSecurityException ex) { - // OK, since the public keys have been modified. - System.out.println("testModifiedPublic:" + test.comment + " throws " + ex.toString()); - } - } - } - - /** - * This is a similar test as testModifiedPublic. However, this test uses test vectors - * ECPublicKeySpec - */ - @SuppressWarnings("InsecureCryptoUsage") - public void testModifiedPublicSpec(String algorithm) throws Exception { - KeyAgreement ka; - try { - ka = KeyAgreement.getInstance(algorithm); - } catch (NoSuchAlgorithmException ex) { - System.out.println("testWrongOrder: " + algorithm + " not supported"); - return; - } - KeyPairGenerator keyGen = KeyPairGenerator.getInstance("EC"); - keyGen.initialize(EcUtil.getNistP256Params()); - ECPrivateKey priv = (ECPrivateKey) keyGen.generateKeyPair().getPrivate(); - KeyFactory kf = KeyFactory.getInstance("EC"); - ECPublicKey validKey = (ECPublicKey) kf.generatePublic(EC_VALID_PUBLIC_KEY.getSpec()); - ka.init(priv); - ka.doPhase(validKey, true); - String expected = TestUtil.bytesToHex(ka.generateSecret()); - for (EcPublicKeyTestVector test : EC_MODIFIED_PUBLIC_KEYS) { - ECPublicKeySpec spec = test.getSpec(); - if (spec == null) { - // The constructor of EcPublicKeySpec performs some very minor validity checks. - // spec == null if one of these validity checks fails. Of course such a failure is OK. - continue; - } - try { - ECPublicKey modifiedKey = (ECPublicKey) kf.generatePublic(spec); - ka.init(priv); - ka.doPhase(modifiedKey, true); - String shared = TestUtil.bytesToHex(ka.generateSecret()); - // The implementation did not notice that the public key was modified. - // This is not nice, but at the moment we only fail the test if the - // modification was essential for computing the shared secret. - // - // BouncyCastle v.1.53 fails this test, for ECDHC with modified order. - // This implementation reduces the product s*h modulo the order given - // in the public key. An attacker who can modify the order of the public key - // and who can learn whether such a modification changes the shared secret is - // able to learn the private key with a simple binary search. - assertEquals("algorithm:" + algorithm + " test:" + test.comment, expected, shared); - } catch (GeneralSecurityException ex) { - // OK, since the public keys have been modified. - System.out.println("testModifiedPublic:" + test.comment + " throws " + ex.toString()); - } - } - } - - @Test - public void testModifiedPublic() throws Exception { - testModifiedPublic("ECDH"); - testModifiedPublic("ECDHC"); - } - - @Test - public void testModifiedPublicSpec() throws Exception { - testModifiedPublicSpec("ECDH"); - testModifiedPublicSpec("ECDHC"); - } - - @SuppressWarnings("InsecureCryptoUsage") - public void testDistinctCurves(String algorithm, ECPrivateKey priv, ECPublicKey pub) - throws Exception { - KeyAgreement kaA; - try { - kaA = KeyAgreement.getInstance(algorithm); - } catch (NoSuchAlgorithmException ex) { - System.out.println("Algorithm not supported: " + algorithm); - return; - } - byte[] shared; - try { - kaA.init(priv); - kaA.doPhase(pub, true); - shared = kaA.generateSecret(); - } catch (InvalidKeyException ex) { - // This is expected. - return; - } - // Printing some information to determine what might have gone wrong: - // E.g., if the generated secret is the same as the x-coordinate of the public key - // then it is likely that the ECDH computation was using a fake group with small order. - // Such a situation is probably exploitable. - // This probably is exploitable. If the curve of the private key was used for the ECDH - // then the generated secret and the x-coordinate of the public key are likely - // distinct. - EllipticCurve pubCurve = pub.getParams().getCurve(); - EllipticCurve privCurve = priv.getParams().getCurve(); - ECPoint pubW = pub.getW(); - System.out.println("testDistinctCurves: algorithm=" + algorithm); - System.out.println( - "Private key: a=" - + privCurve.getA() - + " b=" - + privCurve.getB() - + " p" - + EcUtil.getModulus(privCurve)); - System.out.println(" s =" + priv.getS()); - System.out.println( - "Public key: a=" - + pubCurve.getA() - + " b=" - + pubCurve.getB() - + " p" - + EcUtil.getModulus(pubCurve)); - System.out.println(" w = (" + pubW.getAffineX() + ", " + pubW.getAffineY() + ")"); - System.out.println( - " = (" - + pubW.getAffineX().toString(16) - + ", " - + pubW.getAffineY().toString(16) - + ")"); - System.out.println("generated shared secret:" + TestUtil.bytesToHex(shared)); - fail("Generated secret with distinct Curves using " + algorithm); - } - - /** - * This test modifies the order of group in the public key. A severe bug would be an - * implementation that leaks information whether the private key is larger than the order given in - * the public key. Also a severe bug would be to reduce the private key modulo the order given in - * the public key parameters. - */ - // TODO(bleichen): This can be merged with testModifiedPublic once this is fixed. - @SuppressWarnings("InsecureCryptoUsage") - public void testWrongOrder(String algorithm, ECParameterSpec spec) throws Exception { - KeyAgreement ka; - try { - ka = KeyAgreement.getInstance(algorithm); - } catch (NoSuchAlgorithmException ex) { - System.out.println("testWrongOrder: " + algorithm + " not supported"); - return; - } - KeyPairGenerator keyGen = KeyPairGenerator.getInstance("EC"); - ECPrivateKey priv; - ECPublicKey pub; - try { - keyGen.initialize(spec); - priv = (ECPrivateKey) keyGen.generateKeyPair().getPrivate(); - pub = (ECPublicKey) keyGen.generateKeyPair().getPublic(); - } catch (GeneralSecurityException ex) { - // This is OK, since not all provider support Brainpool curves - System.out.println("testWrongOrder: could not generate keys for curve"); - return; - } - // Get the shared secret for the unmodified keys. - ka.init(priv); - ka.doPhase(pub, true); - byte[] shared = ka.generateSecret(); - // Generate a modified public key. - ECParameterSpec modifiedParams = - new ECParameterSpec( - spec.getCurve(), spec.getGenerator(), spec.getOrder().shiftRight(16), 1); - ECPublicKeySpec modifiedPubSpec = new ECPublicKeySpec(pub.getW(), modifiedParams); - KeyFactory kf = KeyFactory.getInstance("EC"); - ECPublicKey modifiedPub; - try { - modifiedPub = (ECPublicKey) kf.generatePublic(modifiedPubSpec); - } catch (GeneralSecurityException ex) { - // The provider does not support non-standard curves or did a validity check. - // Both would be correct. - System.out.println("testWrongOrder: can't modify order."); - return; - } - byte[] shared2; - try { - ka.init(priv); - ka.doPhase(modifiedPub, true); - shared2 = ka.generateSecret(); - } catch (GeneralSecurityException ex) { - // This is the expected behavior - System.out.println("testWrongOrder:" + ex.toString()); - return; - } - // TODO(bleichen): Getting here is already a bug and we might flag this later. - // At the moment we are only interested in really bad behavior of a library, that potentially - // leaks the secret key. This is the case when the shared secrets are different, since this - // suggests that the implementation reduces the multiplier modulo the given order of the curve - // or some other behaviour that is dependent on the private key. - // An attacker who can check whether a DH computation was done correctly or incorrectly because - // of modular reduction, can determine the private key, either by a binary search or by trying - // to guess the private key modulo some small "order". - // BouncyCastle v.1.53 fails this test, and leaks the private key. - System.out.println( - "Generated shared secret with a modified order:" - + algorithm - + "\n" - + "expected:" - + TestUtil.bytesToHex(shared) - + " computed:" - + TestUtil.bytesToHex(shared2)); - assertEquals( - "Algorithm:" + algorithm, TestUtil.bytesToHex(shared), TestUtil.bytesToHex(shared2)); - } - - @Test - public void testWrongOrderEcdh() throws Exception { - testWrongOrder("ECDH", EcUtil.getNistP256Params()); - testWrongOrder("ECDH", EcUtil.getBrainpoolP256r1Params()); - } - - @Test - public void testWrongOrderEcdhc() throws Exception { - testWrongOrder("ECDHC", EcUtil.getNistP256Params()); - testWrongOrder("ECDHC", EcUtil.getBrainpoolP256r1Params()); - } - - /** - * Tests for the problem detected by CVE-2017-10176. - * - * <p>Some libraries do not compute P + (-P) correctly and return 2 * P or throw exceptions. When - * the library uses addition-subtraction chains for the point multiplication then such cases can - * occur for example when the private key is close to the order of the curve. - */ - private void testLargePrivateKey(ECParameterSpec spec) throws Exception { - BigInteger order = spec.getOrder(); - KeyPairGenerator keyGen = KeyPairGenerator.getInstance("EC"); - ECPublicKey pub; - try { - keyGen.initialize(spec); - pub = (ECPublicKey) keyGen.generateKeyPair().getPublic(); - } catch (GeneralSecurityException ex) { - // curve is not supported - return; - } - KeyFactory kf = KeyFactory.getInstance("EC"); - KeyAgreement ka = KeyAgreement.getInstance("ECDH"); - for (int i = 1; i <= 64; i++) { - BigInteger p1 = BigInteger.valueOf(i); - ECPrivateKeySpec spec1 = new ECPrivateKeySpec(p1, spec); - ECPrivateKeySpec spec2 = new ECPrivateKeySpec(order.subtract(p1), spec); - ka.init(kf.generatePrivate(spec1)); - ka.doPhase(pub, true); - byte[] shared1 = ka.generateSecret(); - ka.init(kf.generatePrivate(spec2)); - ka.doPhase(pub, true); - byte[] shared2 = ka.generateSecret(); - // The private keys p1 and p2 are equivalent, since only the x-coordinate of the - // shared point is used to generate the shared secret. - assertEquals(TestUtil.bytesToHex(shared1), TestUtil.bytesToHex(shared2)); - } - } - - @Test - public void testLargePrivateKey() throws Exception { - testLargePrivateKey(EcUtil.getNistP224Params()); - testLargePrivateKey(EcUtil.getNistP256Params()); - testLargePrivateKey(EcUtil.getNistP384Params()); - // This test failed before CVE-2017-10176 was fixed. - testLargePrivateKey(EcUtil.getNistP521Params()); - testLargePrivateKey(EcUtil.getBrainpoolP256r1Params()); - } - - /** - * This test tries to determine whether point multipliplication using two distinct - * points leads to distinguishable timings. - * - * The main goal here is to determine if the attack by Toru Akishita and Tsuyoshi Takagi - * in https://www-old.cdc.informatik.tu-darmstadt.de/reports/TR/TI-03-01.zvp.pdf - * might be applicable. I.e. one of the points contains a zero value when multiplied - * by mul, the other one does not. - * - * In its current form the test here is quite weak for a number of reasons: - * (1) The timing is often noisy, because the test is run as a unit test. - * (2) The test is executed with only a small number of input points. - * (3) The number of samples is rather low. Running this test with a larger sample - * size would detect more timing differences. Unfortunately - * (4) The test does not determine if a variable run time is exploitable. For example - * if the tested provider uses windowed exponentiation and the special point is - * in the precomputation table then timing differences are easy to spot, but more - * difficult to exploit and hence additional experiments would be necessary. - * - * @param spec the specification of the curve - * @param p0 This is a special point. I.e. multiplying this point by mul - * may lead to a zero value that may be observable. - * @param p1 a random point on the curve - * @param mul an integer, such that multiplying p0 with this value may lead to a timing - * difference - * @param privKeySize the size of the private key in bits - * @param comment describes the test case - */ - private void testTiming(ECParameterSpec spec, ECPoint p0, ECPoint p1, - BigInteger mul, int privKeySize, String comment) throws Exception { - ThreadMXBean bean = ManagementFactory.getThreadMXBean(); - if (!bean.isCurrentThreadCpuTimeSupported()) { - System.out.println("getCurrentThreadCpuTime is not supported. Skipping"); - return; - } - SecureRandom random = new SecureRandom(); - int fixedSize = mul.bitLength(); - int missingBits = privKeySize - 2 * fixedSize; - assertTrue(missingBits > 0); - // possible values for tests, minCount: - // 1024, 410 - // 2048, 880 - // 4096, 1845 - // 10000, 4682 - // I.e. these are values, such that doing 'tests' coin flips results in <= minCount heads or - // tails with a probability smaller than 2^-32. - // - // def min_count(n, b=33): - // res, sum, k = 1,1,0 - // bnd = 2**(n-b) - // while sum < bnd: - // res *= n - k - // res //= 1 + k - // k += 1 - // sum += res - // return k - 1 - final int tests = 2048; - final int minCount = 880; - // the number of measurements done with each point - final int repetitions = 8; - // the number of warmup experiments that are ignored - final int warmup = 8; - final int sampleSize = warmup + tests; - KeyFactory kf = KeyFactory.getInstance("EC"); - PublicKey[] publicKeys = new PublicKey[2]; - try { - publicKeys[0] = kf.generatePublic(new ECPublicKeySpec(p0, spec)); - publicKeys[1] = kf.generatePublic(new ECPublicKeySpec(p1, spec)); - } catch (InvalidKeySpecException ex) { - // unsupported curve - return; - } - PrivateKey[] privKeys = new PrivateKey[sampleSize]; - for (int i = 0; i < sampleSize; i++) { - BigInteger m = new BigInteger(missingBits, random); - m = mul.shiftLeft(missingBits).add(m); - m = m.shiftLeft(fixedSize).add(mul); - ECPrivateKeySpec privSpec = new ECPrivateKeySpec(m, spec); - privKeys[i] = kf.generatePrivate(privSpec); - } - KeyAgreement ka = KeyAgreement.getInstance("ECDH"); - long[][] timings = new long[2][sampleSize]; - for (int i = 0; i < sampleSize; i++) { - for (int j = 0; j < 2 * repetitions; j++) { - // idx determines which key to use. - int idx = (j ^ i) & 1; - ka.init(privKeys[i]); - long start = bean.getCurrentThreadCpuTime(); - ka.doPhase(publicKeys[idx], true); - byte[] unused = ka.generateSecret(); - long time = bean.getCurrentThreadCpuTime() - start; - timings[idx][i] += time; - } - } - for (int i = 0; i < sampleSize; i++) { - for (int j = 0; j < 2; j++) { - timings[j][i] /= repetitions; - } - } - - // Performs some statistics. - boolean noisy = false; // Set to true, if the timings have a large variance. - System.out.println("ECDH timing test:" + comment); - double[] avg = new double[2]; - double[] var = new double[2]; - for (int i = 0; i < 2; i++) { - double sum = 0.0; - double sumSqr = 0.0; - for (int j = warmup; j < sampleSize; j++) { - double val = (double) timings[i][j]; - sum += val; - sumSqr += val * val; - } - avg[i] = sum / tests; - var[i] = (sumSqr - avg[i] * sum) / (tests - 1); - double stdDev = Math.sqrt(var[i]); - double cv = stdDev / avg[i]; - System.out.println("Timing for point " + i + " avg: " + avg[i] + " std dev: " + stdDev - + " cv:" + cv); - // The ratio 0.05 below is a somewhat arbitrary value that tries to determine if the noise - // is too big to detect even larger timing differences. - if (cv > 0.05) { - noisy = true; - } - } - // Paired Z-test: - // The outcome of this value can be significantly influenced by extreme outliers, such - // as slow timings because of things like a garbage collection. - double sigmas = Math.abs(avg[0] - avg[1]) / Math.sqrt((var[0] + var[1]) / tests); - System.out.println("Sigmas: " + sigmas); - - // Pairwise comparison: - // this comparison has the property that it compares timings done with the same - // private key, hence timing differences from using different addition chain sizes - // are ignored. Extreme outliers should not influence the result a lot, as long as the - // number of outliers is small. - int point0Faster = 0; - int equal = 0; - for (int i = 0; i < sampleSize; i++) { - if (timings[0][i] < timings[1][i]) { - point0Faster += 1; - } else if (timings[0][i] < timings[1][i]) { - equal += 1; - } - } - point0Faster += equal / 2; - System.out.println("Point 0 multiplication is faster: " + point0Faster); - if (point0Faster < minCount || point0Faster > sampleSize - minCount) { - fail("Timing differences in ECDH computation detected"); - } else if (noisy) { - System.out.println("Timing was too noisy to expect results."); - } - } - - @SlowTest(providers = - {ProviderType.BOUNCY_CASTLE, ProviderType.SPONGY_CASTLE, ProviderType.OPENJDK}) - @Test - public void testTimingSecp256r1() throws Exception { - // edge case for projective coordinates - BigInteger x1 = - new BigInteger("81bfb55b010b1bdf08b8d9d8590087aa278e28febff3b05632eeff09011c5579", 16); - BigInteger y1 = - new BigInteger("732d0e65267ea28b7af8cfcb148936c2af8664cbb4f04e188148a1457400c2a7", 16); - ECPoint p1 = new ECPoint(x1, y1); - // random point - BigInteger x2 = - new BigInteger("8608e36a91f1fba12e4074972af446176b5608c9c58dc318bd0742754c3dcee7", 16); - BigInteger y2 = - new BigInteger("bc2c9ecd44af916ca58d9e3ef1257f698d350ef486eb86137fe69a7375bcc191", 16); - ECPoint p2 = new ECPoint(x2, y2); - testTiming(EcUtil.getNistP256Params(), p1, p2, new BigInteger("2"), 256, "secp256r1"); - } - - @SlowTest(providers = - {ProviderType.BOUNCY_CASTLE, ProviderType.SPONGY_CASTLE, ProviderType.OPENJDK}) - @Test - public void testTimingSecp384r1() throws Exception { - // edge case for projective coordinates - BigInteger x1 = - new BigInteger("7a6fadfee03eb09554f2a04fe08300aca88bb3a46e8f6347bace672cfe427698" - + "8541cef8dc10536a84580215f5f90a3b", 16); - BigInteger y1 = - new BigInteger("6d243d5d9de1cdddd04cbeabdc7a0f6c244391f7cb2d5738fe13c334add4b458" - + "5fef61ffd446db33b39402278713ae78", 16); - ECPoint p1 = new ECPoint(x1, y1); - // random point - BigInteger x2 = - new BigInteger("71f3c57d6a879889e582af2c7c5444b0eb6ba95d88365b21ca9549475273ecdd" - + "3930aa0bebbd1cf084e4049667278602", 16); - BigInteger y2 = - new BigInteger("9dcbc4d843af8944eb4ba018d369b351a9ea0f7b9e3561df2ee218d54e198f7c" - + "837a3abaa41dffd2d2cb771a7599ed9e", 16); - ECPoint p2 = new ECPoint(x2, y2); - testTiming(EcUtil.getNistP384Params(), p1, p2, new BigInteger("2"), 384, "secp384r1"); - } - - @SlowTest(providers = - {ProviderType.BOUNCY_CASTLE, ProviderType.SPONGY_CASTLE, ProviderType.OPENJDK}) - @Test - public void testTimingBrainpoolP256r1() throws Exception { - // edge case for Jacobian and projective coordinates - BigInteger x1 = - new BigInteger("79838c22d2b8dc9af2e6cf56f8826dc3dfe10fcb17b6aaaf551ee52bef12f826", 16); - BigInteger y1 = - new BigInteger("1e2ed3d453088c8552c6feecf898667bc1e15905002edec6b269feb7bea09d5b", 16); - ECPoint p1 = new ECPoint(x1, y1); - - // random point - BigInteger x2 = - new BigInteger("2720b2e821b2ac8209b573bca755a68821e1e09deb580666702570dd527dd4c1", 16); - BigInteger y2 = - new BigInteger("25cdd610243c7e693fad7bd69b43ae3e63e94317c4c6b717d9c8bc3be8c996fb", 16); - ECPoint p2 = new ECPoint(x2, y2); - testTiming(EcUtil.getBrainpoolP256r1Params(), p1, p2, new BigInteger("2"), 255, - "brainpoolP256r1"); - } -} - diff --git a/keystore-cts/java/com/google/security/wycheproof/testcases/EcdsaTest.java b/keystore-cts/java/com/google/security/wycheproof/testcases/EcdsaTest.java deleted file mode 100644 index a6ce23a..0000000 --- a/keystore-cts/java/com/google/security/wycheproof/testcases/EcdsaTest.java +++ /dev/null @@ -1,417 +0,0 @@ -/** - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package com.google.security.wycheproof; - -import static org.junit.Assert.assertTrue; -import static org.junit.Assert.fail; - -import com.google.security.wycheproof.WycheproofRunner.ProviderType; -import com.google.security.wycheproof.WycheproofRunner.SlowTest; -import java.lang.management.ManagementFactory; -import java.lang.management.ThreadMXBean; -import java.math.BigInteger; -import java.security.InvalidAlgorithmParameterException; -import java.security.KeyPair; -import java.security.KeyPairGenerator; -import java.security.MessageDigest; -import java.security.NoSuchAlgorithmException; -import java.security.Signature; -import java.security.interfaces.ECPrivateKey; -import java.security.interfaces.ECPublicKey; -import java.security.spec.ECGenParameterSpec; -import java.security.spec.ECParameterSpec; -import java.util.Arrays; -import org.junit.Test; -import org.junit.runner.RunWith; -import org.junit.runners.JUnit4; - -/** - * Tests ECDSA signatures. - * - * <p>Tests for signature verification with test vectors are in JsonSignatureTest.java toghether - * with other signature schemes. - * - * @author bleichen@google.com (Daniel Bleichenbacher) - */ -@RunWith(JUnit4.class) -public class EcdsaTest { - - /** - * Determines the Hash name from the ECDSA algorithm. There is a small inconsistency in the naming - * of algorithms. The Oracle standard use no hyphen in SHA256WithECDSA but uses a hyphen in the - * message digest, i.e., SHA-256. - */ - private String getHashAlgorithm(String ecdsaAlgorithm) { - ecdsaAlgorithm = ecdsaAlgorithm.toUpperCase(); - int idx = ecdsaAlgorithm.indexOf("WITH"); - if (idx > 0) { - if (ecdsaAlgorithm.startsWith("SHA")) { - return "SHA-" + ecdsaAlgorithm.substring(3, idx); - } else { - return ecdsaAlgorithm.substring(0, idx); - } - } - return ""; - } - - /** - * Extract the integer r from an ECDSA signature. This method implicitely assumes that the ECDSA - * signature is DER encoded. and that the order of the curve is smaller than 2^1024. - */ - BigInteger extractR(byte[] signature) throws Exception { - int startR = (signature[1] & 0x80) != 0 ? 3 : 2; - int lengthR = signature[startR + 1]; - return new BigInteger(Arrays.copyOfRange(signature, startR + 2, startR + 2 + lengthR)); - } - - BigInteger extractS(byte[] signature) throws Exception { - int startR = (signature[1] & 0x80) != 0 ? 3 : 2; - int lengthR = signature[startR + 1]; - int startS = startR + 2 + lengthR; - int lengthS = signature[startS + 1]; - return new BigInteger(Arrays.copyOfRange(signature, startS + 2, startS + 2 + lengthS)); - } - - /** Extract the k that was used to sign the signature. */ - BigInteger extractK(byte[] signature, BigInteger h, ECPrivateKey priv) throws Exception { - BigInteger x = priv.getS(); - BigInteger n = priv.getParams().getOrder(); - BigInteger r = extractR(signature); - BigInteger s = extractS(signature); - BigInteger k = x.multiply(r).add(h).multiply(s.modInverse(n)).mod(n); - return k; - } - - /** - * Computes the bias of samples as - * - * abs(sum(e^(2 pi i s m / modulus) for s in samples) / sqrt(samples.length). - * - * If the samples are taken from a uniform distribution in the range 0 .. modulus - 1 - * and the number of samples is significantly larger than L^2 - * then the probability that the result is larger than L is approximately e^(-L^2). - * The approximation can be derived from the assumption that samples taken from - * a uniform distribution give a result that approximates a standard complex normal - * distribution Z. I.e. Z has a density f_Z(z) = exp(-abs(z)^2) / pi. - * https://en.wikipedia.org/wiki/Complex_normal_distribution - */ - double bias(BigInteger[] samples, BigInteger modulus, BigInteger m) { - double sumReal = 0.0; - double sumImag = 0.0; - for (BigInteger s : samples) { - BigInteger r = s.multiply(m).mod(modulus); - // multiplier = 2 * pi / 2^52 - double multiplier = 1.3951473992034527e-15; - // computes the quotent 2 * pi * r / modulus - double quot = r.shiftLeft(52).divide(modulus).doubleValue() * multiplier; - sumReal += Math.cos(quot); - sumImag += Math.sin(quot); - } - return Math.sqrt((sumReal * sumReal + sumImag * sumImag) / samples.length); - } - - /** - * This test checks the basic functionality of ECDSA. It simply tries to generate a key, sign and - * verify a message for a given, algorithm and curve. - * - * @param algorithm the algorithm to test (e.g. "SHA256WithECDSA") - * @param curve the curve to test (e.g. "secp256r1") - * @return whether the algorithm and curve are supported. - * @throws Exception if an unexpected error occurred. - */ - boolean testParameters(String algorithm, String curve) throws Exception { - String message = "123400"; - - KeyPairGenerator keyGen = KeyPairGenerator.getInstance("EC"); - ECGenParameterSpec ecSpec = new ECGenParameterSpec(curve); - KeyPair keyPair; - try { - keyGen.initialize(ecSpec); - keyPair = keyGen.generateKeyPair(); - } catch (InvalidAlgorithmParameterException ex) { - // The curve is not supported. - // The documentation does not specify whether the method initialize - // has to reject unsupported curves or if only generateKeyPair checks - // whether the curve is supported. - return false; - } - ECPublicKey pub = (ECPublicKey) keyPair.getPublic(); - ECPrivateKey priv = (ECPrivateKey) keyPair.getPrivate(); - - // Print the parameters. - System.out.println("Parameters for curve:" + curve); - EcUtil.printParameters(pub.getParams()); - - Signature signer; - Signature verifier; - try { - signer = Signature.getInstance(algorithm); - verifier = Signature.getInstance(algorithm); - } catch (NoSuchAlgorithmException ex) { - // The algorithm is not supported. - return false; - } - // Both algorithm and curve are supported. - // Hence, we expect that signing and verifying properly works. - byte[] messageBytes = message.getBytes("UTF-8"); - signer.initSign(priv); - signer.update(messageBytes); - byte[] signature = signer.sign(); - verifier.initVerify(pub); - verifier.update(messageBytes); - assertTrue(verifier.verify(signature)); - return true; - } - - /** - * This test checks the basic functionality of ECDSA. This mainly checks that the provider follows - * the JCA interface. - */ - @Test - public void testBasic() throws Exception { - String algorithm = "SHA256WithECDSA"; - String curve = "secp256r1"; - assertTrue(testParameters(algorithm, curve)); - } - - /** Checks whether the one time key k in ECDSA is biased. */ - public void testBias(String algorithm, String curve, ECParameterSpec ecParams) throws Exception { - KeyPairGenerator keyGen = KeyPairGenerator.getInstance("EC"); - try { - keyGen.initialize(ecParams); - } catch (InvalidAlgorithmParameterException ex) { - System.out.println("This provider does not support curve:" + curve); - return; - } - KeyPair keyPair = keyGen.generateKeyPair(); - ECPrivateKey priv = (ECPrivateKey) keyPair.getPrivate(); - // If we throw a fair coin tests times then the probability that - // either heads or tails appears less than mincount is less than 2^{-32}. - // Therefore the test below is not expected to fail unless the generation - // of the one time keys is indeed biased. - final int tests = 1024; - final int mincount = 410; - - String hashAlgorithm = getHashAlgorithm(algorithm); - String message = "Hello"; - byte[] messageBytes = message.getBytes("UTF-8"); - byte[] digest = MessageDigest.getInstance(hashAlgorithm).digest(messageBytes); - - // TODO(bleichen): Truncate the digest if the digest size is larger than the - // curve size. - BigInteger h = new BigInteger(1, digest); - BigInteger q = priv.getParams().getOrder(); - BigInteger qHalf = q.shiftRight(1); - - Signature signer = Signature.getInstance(algorithm); - signer.initSign(priv); - BigInteger[] kList = new BigInteger[tests]; - for (int i = 0; i < tests; i++) { - signer.update(messageBytes); - byte[] signature = signer.sign(); - kList[i] = extractK(signature, h, priv); - } - - // Checks whether the most significant bits and the least significant bits - // of the value k are unbiased. - int countMsb = 0; // count the number of k's with lsb set - int countLsb = 0; // count the number of k's with msb set - for (BigInteger k : kList) { - if (k.testBit(0)) { - countLsb++; - } - if (k.compareTo(qHalf) > 0) { - countMsb++; - } - } - if (countLsb < mincount || countLsb > tests - mincount) { - fail("Bias detected in the least significant bit of k:" + countLsb); - } - if (countMsb < mincount || countMsb > tests - mincount) { - fail("Bias detected in the most significant bit of k:" + countMsb); - } - - // One situation where the bits above are not biased even if k itself is - // badly distributed is the case where the signer replaces s by - // min(s, q - s). Such a replacement is sometimes done to avoid signature - // malleability of ECDSA. - // Breitner and Heninger describe such cases in the paper - // "Biased Nonce Sense: Lattice Attacks against Weak ECDSA Signatures in Cryptocurrencies", - // https://eprint.iacr.org/2019/023.pdf - // The following tests should catch the bugs described in this paper. - // The threshold below has been chosen to give false positives with probability < 2^{-32}. - double threshold = 5; - - // This test detects for example the case when either k or q-k is small. - double bias1 = bias(kList, q, BigInteger.ONE); - if (bias1 > threshold) { - fail("Bias for k detected. bias1 = " + bias1); - } - // Same as above but shifing by one bit. - double bias2 = bias(kList, q, BigInteger.valueOf(2)); - if (bias2 > threshold) { - fail("Bias for k detected. bias2 = " + bias2); - } - double bias3 = bias(kList, q, qHalf); - if (bias3 > threshold) { - fail("Bias for k detected. bias3 = " + bias3); - } - // Checks whether most significant bytes, words, dwords or qwords are strongly correlated. - for (int bits : new int[] {8, 16, 32, 64}) { - BigInteger multiplier = BigInteger.ONE.shiftLeft(bits).subtract(BigInteger.ONE); - double bias4 = bias(kList, q, multiplier); - if (bias4 > threshold) { - fail("Bias for k detected. bits = " + bits + " bias4 = " + bias4); - } - } - } - - @SlowTest( - providers = { - ProviderType.BOUNCY_CASTLE, - ProviderType.CONSCRYPT, - ProviderType.OPENJDK, - ProviderType.SPONGY_CASTLE - } - ) - @Test - public void testBiasAll() throws Exception { - testBias("SHA256WithECDSA", "secp256r1", EcUtil.getNistP256Params()); - testBias("SHA224WithECDSA", "secp224r1", EcUtil.getNistP224Params()); - testBias("SHA384WithECDSA", "secp384r1", EcUtil.getNistP384Params()); - testBias("SHA512WithECDSA", "secp521r1", EcUtil.getNistP521Params()); - testBias("SHA256WithECDSA", "brainpoolP256r1", EcUtil.getBrainpoolP256r1Params()); - } - - /** - * Tests for a potential timing attack. This test checks if there is a correlation between the - * timing of signature generation and the size of the one-time key k. This is for example the case - * if a double and add method is used for the point multiplication. The test fails if such a - * correlation can be shown with high confidence. Further analysis will be necessary to determine - * how easy it is to exploit the bias in a timing attack. - */ - // TODO(bleichen): Determine if there are exploitable providers. - // - // SunEC currently fails this test. Since ECDSA typically is used with EC groups whose order - // is 224 bits or larger, it is unclear whether the same attacks that apply to DSA are practical. - // - // The ECDSA implementation in BouncyCastle leaks information about k through timing too. - // The test has not been optimized to detect this bias. It would require about 5'000'000 samples, - // which is too much for a simple unit test. - // - // BouncyCastle uses FixedPointCombMultiplier for ECDSA. This is a method using - // precomputation. The implementation is not constant time, since the precomputation table - // contains the point at infinity and adding this point is faster than ordinary point additions. - // The timing leak only has a small correlation to the size of k and at the moment it is is very - // unclear if the can be exploited. (Randomizing the precomputation table by adding the same - // random point to each element in the table and precomputing the necessary offset to undo the - // precomputation seems much easier than analyzing this.) - public void testTiming(String algorithm, String curve, ECParameterSpec ecParams) - throws Exception { - ThreadMXBean bean = ManagementFactory.getThreadMXBean(); - if (!bean.isCurrentThreadCpuTimeSupported()) { - System.out.println("getCurrentThreadCpuTime is not supported. Skipping"); - return; - } - KeyPairGenerator keyGen = KeyPairGenerator.getInstance("EC"); - try { - keyGen.initialize(ecParams); - } catch (InvalidAlgorithmParameterException ex) { - System.out.println("This provider does not support curve:" + curve); - return; - } - KeyPair keyPair = keyGen.generateKeyPair(); - ECPrivateKey priv = (ECPrivateKey) keyPair.getPrivate(); - - String message = "Hello"; - String hashAlgorithm = getHashAlgorithm(algorithm); - byte[] messageBytes = message.getBytes("UTF-8"); - byte[] digest = MessageDigest.getInstance(hashAlgorithm).digest(messageBytes); - BigInteger h = new BigInteger(1, digest); - Signature signer = Signature.getInstance(algorithm); - signer.initSign(priv); - // The number of samples used for the test. This number is a bit low. - // I.e. it just barely detects that SunEC leaks information about the size of k. - int samples = 50000; - long[] timing = new long[samples]; - BigInteger[] k = new BigInteger[samples]; - for (int i = 0; i < samples; i++) { - long start = bean.getCurrentThreadCpuTime(); - signer.update(messageBytes); - byte[] signature = signer.sign(); - timing[i] = bean.getCurrentThreadCpuTime() - start; - k[i] = extractK(signature, h, priv); - } - long[] sorted = Arrays.copyOf(timing, timing.length); - Arrays.sort(sorted); - double n = priv.getParams().getOrder().doubleValue(); - double expectedAverage = n / 2; - double maxSigma = 0; - System.out.println("testTiming algorithm:" + algorithm); - for (int idx = samples - 1; idx > 10; idx /= 2) { - long cutoff = sorted[idx]; - int count = 0; - BigInteger total = BigInteger.ZERO; - for (int i = 0; i < samples; i++) { - if (timing[i] <= cutoff) { - total = total.add(k[i]); - count += 1; - } - } - double expectedStdDev = n / Math.sqrt(12 * count); - double average = total.doubleValue() / count; - // Number of standard deviations that the average is away from - // the expected value: - double sigmas = Math.abs(expectedAverage - average) / expectedStdDev; - if (sigmas > maxSigma) { - maxSigma = sigmas; - } - System.out.println( - "count:" - + count - + " cutoff:" - + cutoff - + " relative average:" - + (average / expectedAverage) - + " sigmas:" - + sigmas); - } - // Checks if the signatures with a small timing have a biased k. - // We use 7 standard deviations, so that the probability of a false positive is smaller - // than 10^{-10}. - if (maxSigma >= 7) { - fail("Signatures with short timing have a biased k"); - } - } - - @SlowTest( - providers = { - ProviderType.BOUNCY_CASTLE, - ProviderType.CONSCRYPT, - ProviderType.OPENJDK, - ProviderType.SPONGY_CASTLE - } - ) - @Test - public void testTimingAll() throws Exception { - testTiming("SHA256WithECDSA", "secp256r1", EcUtil.getNistP256Params()); - // TODO(bleichen): crypto libraries sometimes use optimized code for curves that are frequently - // used. Hence it would make sense to test distinct curves. But at the moment testing many - // curves is not practical since one test alone is already quite time consuming. - // testTiming("SHA224WithECDSA", "secp224r1", EcUtil.getNistP224Params()); - // testTiming("SHA384WithECDSA", "secp384r1", EcUtil.getNistP384Params()); - // testTiming("SHA512WithECDSA", "secp521r1", EcUtil.getNistP521Params()); - // testTiming("SHA256WithECDSA", "brainpoolP256r1", EcUtil.getBrainpoolP256r1Params()); - } -} diff --git a/keystore-cts/java/com/google/security/wycheproof/testcases/JsonAeadTest.java b/keystore-cts/java/com/google/security/wycheproof/testcases/JsonAeadTest.java deleted file mode 100644 index c34f3f7..0000000 --- a/keystore-cts/java/com/google/security/wycheproof/testcases/JsonAeadTest.java +++ /dev/null @@ -1,303 +0,0 @@ -/** - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package com.google.security.wycheproof; - -import static org.junit.Assert.assertEquals; -import static org.junit.Assert.fail; - -import com.google.gson.JsonElement; -import com.google.gson.JsonObject; -import java.security.AlgorithmParameters; -import java.security.GeneralSecurityException; -import java.security.NoSuchAlgorithmException; -import javax.crypto.Cipher; -import javax.crypto.SecretKey; -import javax.crypto.spec.GCMParameterSpec; -import javax.crypto.spec.IvParameterSpec; -import javax.crypto.spec.SecretKeySpec; -import org.junit.Test; -import org.junit.Ignore; -import android.security.keystore.KeyProtection; -import android.security.keystore.KeyProperties; -import java.security.KeyStore; - -/** This test uses test vectors in JSON format to test AEAD schemes. */ -public class JsonAeadTest { - - private static final String EXPECTED_PROVIDER_NAME = TestUtil.EXPECTED_PROVIDER_NAME; - private static final String EXPECTED_CRYPTO_PROVIDER_NAME = TestUtil.EXPECTED_CRYPTO_OP_PROVIDER_NAME; - - /** Joins two bytearrays. */ - protected static byte[] join(byte[] head, byte[] tail) { - byte[] res = new byte[head.length + tail.length]; - System.arraycopy(head, 0, res, 0, head.length); - System.arraycopy(tail, 0, res, head.length, tail.length); - return res; - } - - /** Convenience method to get a byte array from an JsonObject */ - protected static byte[] getBytes(JsonObject obj, String name) throws Exception { - return JsonUtil.asByteArray(obj.get(name)); - } - - protected static boolean arrayEquals(byte[] a, byte[] b) { - if (a.length != b.length) { - return false; - } - byte res = 0; - for (int i = 0; i < a.length; i++) { - res |= (byte) (a[i] ^ b[i]); - } - return res == 0; - } - - /** - * Returns an initialized instance of Cipher. Typically it is somewhat - * time consuming to generate a new instance of Cipher for each encryption. - * However, some implementations of ciphers (e.g. AES-GCM in jdk) check that - * the same key and nonce are not reused twice in a row to catch simple - * programming errors. This precaution can interfere with the tests, since - * the test vectors do sometimes repeat nonces. To avoid such problems cipher - * instances are not reused. - * @param algorithm the cipher algorithm including encryption mode and padding. - * @param opmode one of Cipher.ENCRYPT_MODE or Cipher.DECRYPT_MODE - * @param key the key bytes - * @param iv the bytes of the initialization vector - * @param tagSize the expected size of the tag - * @return an initialized instance of Cipher - * @throws Exception if the initialization failed. - */ - protected static Cipher getInitializedCipher( - String algorithm, int opmode, byte[] key, byte[] iv, int tagSize) - throws Exception { - Cipher cipher = Cipher.getInstance(algorithm, EXPECTED_CRYPTO_PROVIDER_NAME); - if (algorithm.equalsIgnoreCase("AES/GCM/NoPadding")) { - SecretKeySpec keySpec = new SecretKeySpec(key, "AES"); - - KeyStore keyStore = KeyStore.getInstance(EXPECTED_PROVIDER_NAME); - keyStore.load(null); - keyStore.setEntry( - "key1", - new KeyStore.SecretKeyEntry(keySpec), - new KeyProtection.Builder(KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT) - .setBlockModes(KeyProperties.BLOCK_MODE_GCM) - .setRandomizedEncryptionRequired(false) - .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE) - .build()); - // Key imported, obtain a reference to it. - SecretKey keyStoreKey = (SecretKey) keyStore.getKey("key1", null); - - AlgorithmParameters params = AlgorithmParameters.getInstance("GCM"); - params.init(new GCMParameterSpec(tagSize, iv)); - cipher.init(opmode, keyStoreKey, params); - } else if (algorithm.equalsIgnoreCase("AES/EAX/NoPadding") - || algorithm.equalsIgnoreCase("AES/CCM/NoPadding")) { - SecretKeySpec keySpec = new SecretKeySpec(key, "AES"); - // TODO(bleichen): This works for BouncyCastle but looks non-standard. - // org.bouncycastle.crypto.params.AEADParameters works too, but would add a dependency that - // we want to avoid. - GCMParameterSpec parameters = new GCMParameterSpec(tagSize, iv); - cipher.init(opmode, keySpec, parameters); - } else if (algorithm.toUpperCase().startsWith("CHACHA")) { - SecretKeySpec keySpec = new SecretKeySpec(key, "ChaCha20"); - IvParameterSpec parameters = new IvParameterSpec(iv); - cipher.init(opmode, keySpec, parameters); - } else { - fail("Algorithm not supported:" + algorithm); - } - return cipher; - } - - /** Example format for test vectors - * { - * "algorithm" : "AES-EAX", - * "generatorVersion" : "0.0a14", - * "numberOfTests" : 143, - * "testGroups" : [ - * { - * "ivSize" : 128, - * "keySize" : 128, - * "tagSize" : 128, - * "type" : "AES-EAX", - * "tests" : [ - * { - * "aad" : "6bfb914fd07eae6b", - * "comment" : "eprint.iacr.org/2003/069", - * "ct" : "", - * "iv" : "62ec67f9c3a4a407fcb2a8c49031a8b3", - * "key" : "233952dee4d5ed5f9b9c6d6ff80ff478", - * "msg" : "", - * "result" : "valid", - * "tag" : "e037830e8389f27b025a2d6527e79d01", - * "tcId" : 1 - * }, - * ... - **/ - // This is a false positive, since errorprone cannot track values passed into a method. - @SuppressWarnings("InsecureCryptoUsage") - public void testAead(String filename, String algorithm) throws Exception { - // Version number have the format major.minor[.subversion]. - // Versions before 1.0 are experimental and use formats that are expected to change. - // Versions after 1.0 change the major number if the format changes and change - // the minor number if only the test vectors (but not the format) changes. - // Subversions are release candidate for the next version. - // - // Relevant version changes: - // <ul> - // <li> Version 0.5 adds test vectors for CCM. - // <li> Version 0.6 adds test vectors for Chacha20-Poly1305. - // Chacha20-Poly1305 is a new cipher added in jdk11. - // </ul> - final String expectedVersion = "0.6"; - - // Checking preconditions. - try { - Cipher.getInstance(algorithm, EXPECTED_CRYPTO_PROVIDER_NAME); - } catch (NoSuchAlgorithmException ex) { - throw ex; - } - - JsonObject test = JsonUtil.getTestVectors(this.getClass(), filename); - String generatorVersion = test.get("generatorVersion").getAsString(); - int numTests = test.get("numberOfTests").getAsInt(); - int cntTests = 0; - int errors = 0; - for (JsonElement g : test.getAsJsonArray("testGroups")) { - JsonObject group = g.getAsJsonObject(); - int tagSize = group.get("tagSize").getAsInt(); - for (JsonElement t : group.getAsJsonArray("tests")) { - cntTests++; - JsonObject testcase = t.getAsJsonObject(); - int tcid = testcase.get("tcId").getAsInt(); - String tc = "tcId: " + tcid + " " + testcase.get("comment").getAsString(); - byte[] key = getBytes(testcase, "key"); - byte[] iv = getBytes(testcase, "iv"); - byte[] msg = getBytes(testcase, "msg"); - byte[] aad = getBytes(testcase, "aad"); - byte[] ciphertext = join(getBytes(testcase, "ct"), getBytes(testcase, "tag")); - // Result is one of "valid", "invalid", "acceptable". - // "valid" are test vectors with matching plaintext, ciphertext and tag. - // "invalid" are test vectors with invalid parameters or invalid ciphertext and tag. - // "acceptable" are test vectors with weak parameters or legacy formats. - String result = testcase.get("result").getAsString(); - - // Test encryption - Cipher cipher; - try { - cipher = getInitializedCipher(algorithm, Cipher.ENCRYPT_MODE, key, iv, tagSize); - } catch (GeneralSecurityException ex) { - // Some libraries restrict key size, iv size and tag size. - // Because of the initialization of the cipher might fail. - continue; - } - try { - cipher.updateAAD(aad); - byte[] encrypted = cipher.doFinal(msg); - boolean eq = arrayEquals(ciphertext, encrypted); - if (result.equals("invalid")) { - if (eq) { - // Some test vectors use invalid parameters that should be rejected. - // E.g. an implementation must never encrypt using AES-GCM with an IV of length 0, - // since this leaks the authentication key. - errors++; - } - } else { - if (!eq) { - errors++; - } - } - } catch (GeneralSecurityException ex) { - if (result.equals("valid")) { - errors++; - } - } - - // Test decryption - Cipher decCipher; - try { - decCipher = getInitializedCipher(algorithm, Cipher.DECRYPT_MODE, key, iv, tagSize); - } catch (GeneralSecurityException ex) { - errors++; - continue; - } - try { - decCipher.updateAAD(aad); - byte[] decrypted = decCipher.doFinal(ciphertext); - boolean eq = arrayEquals(decrypted, msg); - if (result.equals("invalid")) { - errors++; - } else { - if (!eq) { - errors++; - } - } - } catch (GeneralSecurityException ex) { - if (result.equals("valid")) { - errors++; - } - } - } - } - assertEquals(0, errors); - assertEquals(numTests, cntTests); - } - - @Test - public void testAesGcm() throws Exception { - testAead("aes_gcm_test.json", "AES/GCM/NoPadding"); - } - - @Test - @Ignore // Ignored due to AES/EAX algorithm not supported in AndroidKeyStore. - public void testAesEax() throws Exception { - testAead("aes_eax_test.json", "AES/EAX/NoPadding"); - } - - @Test - @Ignore // Ignored due to AES/CCM algorithm not supported in AndroidKeyStore. - public void testAesCcm() throws Exception { - testAead("aes_ccm_test.json", "AES/CCM/NoPadding"); - } - - /** - * Tests ChaCha20-Poly1305 defined in RFC 7539. - * - * <p>The algorithm name for ChaCha20-Poly1305 is not well defined: - * jdk11 uses "ChaCha20-Poly1305". - * ConsCrypt uses "ChaCha20/Poly1305/NoPadding". - * These two implementations implement RFC 7539. - * - * <p>BouncyCastle has a cipher "ChaCha7539". This implementation - * only implements ChaCha20 with a 12 byte IV. An implementation - * of RFC 7539 is the class JceChaCha20Poly1305. It is unclear - * whether this class can be accessed through the JCA interface. - */ - @Test - @Ignore // Ignored due to ChaCha20 algorithm not supported in AndroidKeyStore. - public void testChaCha20Poly1305() throws Exception { - // A list of potential algorithm names for ChaCha20-Poly1305. - String[] algorithms = - new String[]{"ChaCha20-Poly1305", - "ChaCha20/Poly1305/NoPadding"}; - for (String name : algorithms) { - try { - Cipher.getInstance(name, EXPECTED_CRYPTO_PROVIDER_NAME); - } catch (NoSuchAlgorithmException ex) { - continue; - } - testAead("chacha20_poly1305_test.json", name); - return; - } - } -} diff --git a/keystore-cts/java/com/google/security/wycheproof/testcases/JsonCipherTest.java b/keystore-cts/java/com/google/security/wycheproof/testcases/JsonCipherTest.java deleted file mode 100644 index a072989..0000000 --- a/keystore-cts/java/com/google/security/wycheproof/testcases/JsonCipherTest.java +++ /dev/null @@ -1,242 +0,0 @@ -/** - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package com.google.security.wycheproof; - -import static org.junit.Assert.assertEquals; -import static org.junit.Assert.fail; - -import com.google.gson.JsonElement; -import com.google.gson.JsonObject; -import java.security.GeneralSecurityException; -import java.security.NoSuchAlgorithmException; -import java.util.Set; -import java.util.TreeSet; -import javax.crypto.Cipher; -import javax.crypto.spec.IvParameterSpec; -import javax.crypto.spec.SecretKeySpec; -import org.junit.Test; -import org.junit.runner.RunWith; -import org.junit.runners.JUnit4; - -/** - * This test uses test vectors in JSON format to test symmetric ciphers. - * - * <p>Ciphers tested in this class are unauthenticated ciphers (i.e. don't have additional data) and - * are randomized using an initialization vector as long as the JSON test vectors are represented - * with the type "IndCpaTest". - */ -@RunWith(JUnit4.class) -public class JsonCipherTest { - - /** Convenience method to get a byte array from a JsonObject. */ - protected static byte[] getBytes(JsonObject object, String name) throws Exception { - return JsonUtil.asByteArray(object.get(name)); - } - - protected static boolean arrayEquals(byte[] a, byte[] b) { - if (a.length != b.length) { - return false; - } - byte res = 0; - for (int i = 0; i < a.length; i++) { - res |= (byte) (a[i] ^ b[i]); - } - return res == 0; - } - - /** - * Initialize a Cipher instance. - * - * @param cipher an instance of a symmetric cipher that will be initialized. - * @param algorithm the name of the algorithm used (e.g. 'AES') - * @param opmode either Cipher.ENCRYPT_MODE or Cipher.DECRYPT_MODE - * @param key raw key bytes - * @param iv the initialisation vector - */ - protected static void initCipher( - Cipher cipher, String algorithm, int opmode, byte[] key, byte[] iv) throws Exception { - SecretKeySpec keySpec = null; - if (algorithm.startsWith("AES/")) { - keySpec = new SecretKeySpec(key, "AES"); - } else { - fail("Unsupported algorithm:" + algorithm); - } - IvParameterSpec ivSpec = new IvParameterSpec(iv); - cipher.init(opmode, keySpec, ivSpec); - } - - - /** Example format for test vectors - * { - * "algorithm" : "AES-CBC-PKCS5", - * "generatorVersion" : "0.2.1", - * "numberOfTests" : 183, - * "header" : [ - * ], - * "testGroups" : [ - * { - * "ivSize" : 128, - * "keySize" : 128, - * "type" : "IndCpaTest", - * "tests" : [ - * { - * "tcId" : 1, - * "comment" : "empty message", - * "key" : "e34f15c7bd819930fe9d66e0c166e61c", - * "iv" : "da9520f7d3520277035173299388bee2", - * "msg" : "", - * "ct" : "b10ab60153276941361000414aed0a9d", - * "result" : "valid" - * }, - * ... - **/ - // This is a false positive, since errorprone cannot track values passed into a method. - @SuppressWarnings("InsecureCryptoUsage") - public void testCipher(String filename, String algorithm) throws Exception { - // Testing with old test vectors may a reason for a test failure. - // Version number have the format major.minor[status]. - // Versions before 1.0 are experimental and use formats that are expected to change. - // Versions after 1.0 change the major number if the format changes and change - // the minor number if only the test vectors (but not the format) changes. - // Versions meant for distribution have no status. - final String expectedVersion = "0.4"; - JsonObject test = JsonUtil.getTestVectors(filename); - Set<String> exceptions = new TreeSet<String>(); - String generatorVersion = test.get("generatorVersion").getAsString(); - if (!generatorVersion.equals(expectedVersion)) { - System.out.println( - algorithm - + ": expecting test vectors with version " - + expectedVersion - + " found vectors with version " - + generatorVersion); - } - int numTests = test.get("numberOfTests").getAsInt(); - int cntTests = 0; - int errors = 0; - Cipher cipher; - try { - cipher = Cipher.getInstance(algorithm); - } catch (NoSuchAlgorithmException ex) { - System.out.println("Algorithm is not supported. Skipping test for " + algorithm); - return; - } - for (JsonElement g : test.getAsJsonArray("testGroups")) { - JsonObject group = g.getAsJsonObject(); - for (JsonElement t : group.getAsJsonArray("tests")) { - cntTests++; - JsonObject testcase = t.getAsJsonObject(); - int tcid = testcase.get("tcId").getAsInt(); - String tc = "tcId: " + tcid + " " + testcase.get("comment").getAsString(); - byte[] key = getBytes(testcase, "key"); - byte[] iv = getBytes(testcase, "iv"); - byte[] msg = getBytes(testcase, "msg"); - byte[] ciphertext = getBytes(testcase, "ct"); - // Result is one of "valid", "invalid", "acceptable". - // "valid" are test vectors with matching plaintext, ciphertext and tag. - // "invalid" are test vectors with invalid parameters or invalid ciphertext and tag. - // "acceptable" are test vectors with weak parameters or legacy formats. - String result = testcase.get("result").getAsString(); - - // Test encryption - try { - initCipher(cipher, algorithm, Cipher.ENCRYPT_MODE, key, iv); - } catch (GeneralSecurityException ex) { - // Some libraries restrict key size, iv size and tag size. - // Because of the initialization of the cipher might fail. - System.out.println(ex.toString()); - continue; - } - try { - byte[] encrypted = cipher.doFinal(msg); - boolean eq = arrayEquals(ciphertext, encrypted); - if (result.equals("invalid")) { - if (eq) { - // Some test vectors use invalid parameters that should be rejected. - System.out.println("Encrypted " + tc); - errors++; - } - } else { - if (!eq) { - System.out.println( - "Incorrect ciphertext for " - + tc - + " ciphertext:" - + TestUtil.bytesToHex(encrypted)); - errors++; - } - } - } catch (GeneralSecurityException ex) { - if (result.equals("valid")) { - System.out.println("Failed to encrypt " + tc); - errors++; - } - } - - // Test decryption - // The algorithms tested in this class are typically malleable. Hence, it is in possible - // that modifying ciphertext randomly results in some other valid ciphertext. - // However, all the test vectors in Wycheproof are constructed such that they have - // invalid padding. If this changes then the test below is too strict. - try { - initCipher(cipher, algorithm, Cipher.DECRYPT_MODE, key, iv); - } catch (GeneralSecurityException ex) { - System.out.println("Parameters accepted for encryption but not decryption " + tc); - errors++; - continue; - } - try { - byte[] decrypted = cipher.doFinal(ciphertext); - boolean eq = arrayEquals(decrypted, msg); - if (result.equals("invalid")) { - System.out.println("Decrypted invalid ciphertext " + tc + " eq:" + eq); - errors++; - } else { - if (!eq) { - System.out.println( - "Incorrect decryption " + tc + " decrypted:" + TestUtil.bytesToHex(decrypted)); - } - } - } catch (GeneralSecurityException ex) { - exceptions.add(ex.getMessage()); - if (result.equals("valid")) { - System.out.println("Failed to decrypt " + tc); - errors++; - } - } - } - } - assertEquals(0, errors); - assertEquals(numTests, cntTests); - // Generally it is preferable if trying to decrypt ciphertexts with incorrect paddings - // does not leak information about invalid paddings through exceptions. - // Such information could simplify padding attacks. Ideally, providers should not include - // any distinguishing features in the exception. Hence, we expect just one exception here. - // - // Seeing distinguishable exception, doesn't necessarily mean that protocols using - // AES/CBC/PKCS5Padding with the tested provider are vulnerable to attacks. Rather it means - // that the provider might simplify attacks if the protocol is using AES/CBC/PKCS5Padding - // incorrectly. - System.out.println("Number of distinct exceptions:" + exceptions.size()); - for (String ex : exceptions) { - System.out.println(ex); - } - assertEquals(1, exceptions.size()); - } - - @Test - public void testAesCbcPkcs5() throws Exception { - testCipher("aes_cbc_pkcs5_test.json", "AES/CBC/PKCS5Padding"); - } -} diff --git a/keystore-cts/java/com/google/security/wycheproof/testcases/JsonEcdhTest.java b/keystore-cts/java/com/google/security/wycheproof/testcases/JsonEcdhTest.java deleted file mode 100644 index 5a8b877..0000000 --- a/keystore-cts/java/com/google/security/wycheproof/testcases/JsonEcdhTest.java +++ /dev/null @@ -1,209 +0,0 @@ -/** - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package com.google.security.wycheproof; - -import static org.junit.Assert.assertEquals; - -import com.google.gson.JsonElement; -import com.google.gson.JsonObject; -import java.math.BigInteger; -import java.security.InvalidKeyException; -import java.security.KeyFactory; -import java.security.NoSuchAlgorithmException; -import java.security.PrivateKey; -import java.security.PublicKey; -import java.security.spec.ECPrivateKeySpec; -import java.security.spec.InvalidKeySpecException; -import java.security.spec.X509EncodedKeySpec; -import javax.crypto.KeyAgreement; -import org.junit.Test; -import org.junit.runner.RunWith; -import org.junit.runners.JUnit4; - -/** This test uses test vectors in JSON format to check implementations of ECDH. */ -@RunWith(JUnit4.class) -public class JsonEcdhTest { - - /** Convenience mehtod to get a String from a JsonObject */ - protected static String getString(JsonObject object, String name) throws Exception { - return object.get(name).getAsString(); - } - - /** Convenience method to get a BigInteger from a JsonObject */ - protected static BigInteger getBigInteger(JsonObject object, String name) throws Exception { - return JsonUtil.asBigInteger(object.get(name)); - } - - /** Convenience method to get a byte array from a JsonObject */ - protected static byte[] getBytes(JsonObject object, String name) throws Exception { - return JsonUtil.asByteArray(object.get(name)); - } - - /** - * Example for test vector - * { - * "algorithm" : "ECDH", - * "header" : [], - * "notes" : { - * "AddSubChain" : "The private key has a special value....", - * } - * "generatorVersion" : "0.7", - * "numberOfTests" : 308, - * "testGroups" : [ - * { - * "type" : "EcdhTest", - * "tests" : [ - * { - * "comment" : "normal case", - * "curve" : "secp224r1", - * "private" : "565577a49415ca761a0322ad54e4ad0ae7625174baf372c2816f5328", - * "public" : "30...", - * "result" : "valid", - * "shared" : "b8ecdb552d39228ee332bafe4886dbff272f7109edf933bc7542bd4f", - * "tcId" : 1 - * }, - * ... - **/ - public void testEcdhComp(String filename) throws Exception { - JsonObject test = JsonUtil.getTestVectors(filename); - - // This test expects test vectors as defined in wycheproof/schemas/ecdh_test_schema.json. - // In particular, this means that the public keys use X509 encoding. - // Test vectors with different encodings of the keys have a different schema. - final String expectedSchema = "ecdh_test_schema.json"; - String schema = test.get("schema").getAsString(); - assertEquals("Unexpected schema in file:" + filename, expectedSchema, schema); - - int numTests = test.get("numberOfTests").getAsInt(); - int passedTests = 0; - int rejectedTests = 0; // invalid test vectors leading to exceptions - int skippedTests = 0; // valid test vectors leading to exceptions - int errors = 0; - for (JsonElement g : test.getAsJsonArray("testGroups")) { - JsonObject group = g.getAsJsonObject(); - String curve = getString(group, "curve"); - for (JsonElement t : group.getAsJsonArray("tests")) { - JsonObject testcase = t.getAsJsonObject(); - int tcid = testcase.get("tcId").getAsInt(); - String comment = getString(testcase, "comment"); - BigInteger priv = getBigInteger(testcase, "private"); - byte[] publicEncoded = getBytes(testcase, "public"); - String result = getString(testcase, "result"); - String expectedHex = getString(testcase, "shared"); - KeyFactory kf = KeyFactory.getInstance("EC"); - try { - ECPrivateKeySpec spec = new ECPrivateKeySpec(priv, EcUtil.getCurveSpecRef(curve)); - PrivateKey privKey = kf.generatePrivate(spec); - X509EncodedKeySpec x509keySpec = new X509EncodedKeySpec(publicEncoded); - PublicKey pubKey = kf.generatePublic(x509keySpec); - KeyAgreement ka = KeyAgreement.getInstance("ECDH"); - ka.init(privKey); - ka.doPhase(pubKey, true); - String sharedHex = TestUtil.bytesToHex(ka.generateSecret()); - if (result.equals("invalid")) { - System.out.println( - "Computed ECDH with invalid parameters" - + " tcId:" - + tcid - + " comment:" - + comment - + " shared:" - + sharedHex); - errors++; - } else if (!expectedHex.equals(sharedHex)) { - System.out.println( - "Incorrect ECDH computation" - + " tcId:" - + tcid - + " comment:" - + comment - + "\nshared:" - + sharedHex - + "\nexpected:" - + expectedHex); - errors++; - } else { - passedTests++; - } - } catch (InvalidKeySpecException | InvalidKeyException | NoSuchAlgorithmException ex) { - // These are the exception that we expect to see when a curve is not implemented - // or when a key is not valid. - if (result.equals("valid")) { - skippedTests++; - } else { - rejectedTests++; - } - } catch (Exception ex) { - // Other exceptions typically indicate that something is wrong with the implementation. - System.out.println( - "Test vector with tcId:" + tcid + " comment:" + comment + " throws:" + ex.toString()); - errors++; - } - } - } - assertEquals(0, errors); - assertEquals(numTests, passedTests + rejectedTests + skippedTests); - } - - @Test - public void testSecp224r1() throws Exception { - testEcdhComp("ecdh_secp224r1_test.json"); - } - - @Test - public void testSecp256r1() throws Exception { - testEcdhComp("ecdh_secp256r1_test.json"); - } - - @Test - public void testSecp384r1() throws Exception { - testEcdhComp("ecdh_secp384r1_test.json"); - } - - @Test - public void testSecp521r1() throws Exception { - testEcdhComp("ecdh_secp521r1_test.json"); - } - - @Test - public void testSecp256k1() throws Exception { - testEcdhComp("ecdh_secp256k1_test.json"); - } - - @Test - public void testBrainpoolP224r1() throws Exception { - testEcdhComp("ecdh_brainpoolP224r1_test.json"); - } - - @Test - public void testBrainpoolP256r1() throws Exception { - testEcdhComp("ecdh_brainpoolP256r1_test.json"); - } - - @Test - public void testBrainpoolP320r1() throws Exception { - testEcdhComp("ecdh_brainpoolP320r1_test.json"); - } - - @Test - public void testBrainpoolP384r1() throws Exception { - testEcdhComp("ecdh_brainpoolP384r1_test.json"); - } - - @Test - public void testBrainpoolP512r1() throws Exception { - testEcdhComp("ecdh_brainpoolP512r1_test.json"); - } - -} diff --git a/keystore-cts/java/com/google/security/wycheproof/testcases/JsonMacTest.java b/keystore-cts/java/com/google/security/wycheproof/testcases/JsonMacTest.java deleted file mode 100644 index eeb48ec..0000000 --- a/keystore-cts/java/com/google/security/wycheproof/testcases/JsonMacTest.java +++ /dev/null @@ -1,332 +0,0 @@ -/** - * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except - * in compliance with the License. You may obtain a copy of the License at - * - * <p>http://www.apache.org/licenses/LICENSE-2.0 - * - * <p>Unless required by applicable law or agreed to in writing, software distributed under the - * License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either - * express or implied. See the License for the specific language governing permissions and - * limitations under the License. - */ -package com.google.security.wycheproof; - -import static org.junit.Assert.assertEquals; - -import com.google.gson.JsonElement; -import com.google.gson.JsonObject; -import java.security.GeneralSecurityException; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; -import java.util.Arrays; -import java.util.Locale; -import javax.crypto.Mac; -import javax.crypto.spec.IvParameterSpec; -import javax.crypto.spec.SecretKeySpec; -import org.junit.Test; -import org.junit.runner.RunWith; -import org.junit.runners.JUnit4; - -/** This test uses test vectors in JSON format to test MAC primitives. */ -@RunWith(JUnit4.class) -public class JsonMacTest { - - /** Convenience method to get a byte array from an JsonObject */ - protected static byte[] getBytes(JsonObject obj, String name) throws Exception { - return JsonUtil.asByteArray(obj.get(name)); - } - - protected static boolean arrayEquals(byte[] a, byte[] b) { - if (a.length != b.length) { - return false; - } - byte res = 0; - for (int i = 0; i < a.length; i++) { - res |= (byte) (a[i] ^ b[i]); - } - return res == 0; - } - - /** - * Computes a MAC. - * - * @param algorithm the algorithm. - * @param key the key bytes - * @param msg the message to MAC. - * @param tagSize the expected size of the tag in bits. - * @return the tag - * @throws GeneralSecurityException if the algorithm or the parameter sizes are not supported or - * if the initialization failed. For example one case are GMACs with a tag size othe than 128 - * bits, since the JCE interface does not seem to support such a specification. - */ - protected static byte[] computeMac(String algorithm, byte[] key, byte[] msg, int tagSize) - throws GeneralSecurityException { - Mac mac = Mac.getInstance(algorithm); - algorithm = algorithm.toUpperCase(Locale.ENGLISH); - if (algorithm.startsWith("HMAC")) { - SecretKeySpec keySpec = new SecretKeySpec(key, algorithm); - // TODO(bleichen): Is there a provider independent truncation? - // The class javax.xml.crypto.dsig.spec.HMACParameterSpec would allow to - // truncate HMAC tags as follows: - // <pre> - // HMACParameterSpec params = new HMACParameterSpec(tagSize); - // mac.init(keySpec, params); - // mac.update(msg); - // return mac.doFinal(); - // </pre> - // But this class is often not supported. Hence the computation here, just computes a - // full length tag and truncates it. The drawback of having to truncate tags is that - // the caller has to compare truncated tags during verification. - mac.init(keySpec); - mac.update(msg); - byte[] tag = mac.doFinal(); - return Arrays.copyOf(tag, tagSize / 8); - } else { - throw new NoSuchAlgorithmException(algorithm); - } - } - - /** - * Tests a randomized MAC (i.e. a message authetication that takes an additional IV as parameter) - * against test vectors. - * - * @param filename the JSON file with the test vectors. - */ - public void testMac(String filename) throws Exception { - // Checking preconditions. - JsonObject test = JsonUtil.getTestVectors(filename); - String algorithm = test.get("algorithm").getAsString(); - try { - Mac.getInstance(algorithm); - } catch (NoSuchAlgorithmException ex) { - System.out.println("Algorithm is not supported. Skipping test for " + algorithm); - return; - } - - int numTests = test.get("numberOfTests").getAsInt(); - int cntTests = 0; - int passedTests = 0; - int errors = 0; - for (JsonElement g : test.getAsJsonArray("testGroups")) { - JsonObject group = g.getAsJsonObject(); - int tagSize = group.get("tagSize").getAsInt(); - for (JsonElement t : group.getAsJsonArray("tests")) { - cntTests++; - JsonObject testcase = t.getAsJsonObject(); - int tcid = testcase.get("tcId").getAsInt(); - String tc = "tcId: " + tcid + " " + testcase.get("comment").getAsString(); - byte[] key = getBytes(testcase, "key"); - byte[] msg = getBytes(testcase, "msg"); - byte[] expectedTag = getBytes(testcase, "tag"); - // Result is one of "valid", "invalid", "acceptable". - // "valid" are test vectors with matching plaintext, ciphertext and tag. - // "invalid" are test vectors with invalid parameters or invalid ciphertext and tag. - // "acceptable" are test vectors with weak parameters or legacy formats. - String result = testcase.get("result").getAsString(); - - byte[] computedTag = null; - try { - computedTag = computeMac(algorithm, key, msg, tagSize); - } catch (GeneralSecurityException ex) { - // Some libraries restrict key size or tag size. Hence valid MACs might be - // rejected. - continue; - } catch (IllegalArgumentException ex) { - // Thrown by javax.crypto.spec.SecretKeySpec (e.g. when the key is empty). - continue; - } - - boolean eq = arrayEquals(expectedTag, computedTag); - if (result.equals("invalid")) { - if (eq) { - // Some test vectors use invalid parameters that should be rejected. - // E.g. an implementation must not allow AES-GMAC with an IV of length 0, - // since this leaks the authentication key. - System.out.println("Computed mac for test case " + tc); - errors++; - } - } else { - if (eq) { - passedTests++; - } else { - System.out.println( - "Incorrect tag for " - + tc - + " expected:" - + TestUtil.bytesToHex(expectedTag) - + " computed:" - + TestUtil.bytesToHex(computedTag)); - errors++; - } - } - } - } - System.out.println("passed Tests for " + algorithm + ":" + passedTests); - assertEquals(0, errors); - assertEquals(numTests, cntTests); - } - - /** - * Returns an initialized instance of a randomized MAC. - * - * @param algorithm the algorithm. - * @param key the key bytes - * @param iv the bytes of the initialization vector - * @param tagSize the expected size of the tag in bits. - * @return an initialized instance of a MAC. - * @throws GeneralSecurityException if the algorithm or the parameter sizes are not supported or - * if the initialization failed. For example one case are GMACs with a tag size othe than 128 - * bits, since the JCE interface does not seem to support such a specification. - */ - protected static Mac getInitializedMacWithIv(String algorithm, byte[] key, byte[] iv, int tagSize) - throws GeneralSecurityException { - Mac mac = Mac.getInstance(algorithm); - algorithm = algorithm.toUpperCase(Locale.ENGLISH); - if (algorithm.equals("AES-GMAC")) { - SecretKeySpec keySpec = new SecretKeySpec(key, "AES"); - if (tagSize != 128) { - throw new InvalidAlgorithmParameterException("only 128-bit tag is supported"); - } - IvParameterSpec params = new IvParameterSpec(iv); - // TODO(bleichen): I'm unaware of a method that allows to specify the tag size in JCE. - // E.g. the following parameter specification does not work (at least not in BC): - // GCMParameterSpec params = new GCMParameterSpec(tagSize, iv); - mac.init(keySpec, params); - return mac; - } else { - throw new NoSuchAlgorithmException(algorithm); - } - } - - /** - * Tests a randomized MAC (i.e. a message authetication that takes an additional IV as - * parameter) against test vectors. - * - * @param filename the JSON file with the test vectors. - * @param algorithm the JCE name of the algorithm to test. - */ - public void testMacWithIv(String filename, String algorithm) throws Exception { - // Checking preconditions. - try { - Mac.getInstance(algorithm); - } catch (NoSuchAlgorithmException ex) { - System.out.println("Algorithm is not supported. Skipping test for " + algorithm); - return; - } - - JsonObject test = JsonUtil.getTestVectors(filename); - int numTests = test.get("numberOfTests").getAsInt(); - int cntTests = 0; - int passedTests = 0; - int errors = 0; - for (JsonElement g : test.getAsJsonArray("testGroups")) { - JsonObject group = g.getAsJsonObject(); - int tagSize = group.get("tagSize").getAsInt(); - for (JsonElement t : group.getAsJsonArray("tests")) { - cntTests++; - JsonObject testcase = t.getAsJsonObject(); - int tcid = testcase.get("tcId").getAsInt(); - String tc = "tcId: " + tcid + " " + testcase.get("comment").getAsString(); - byte[] key = getBytes(testcase, "key"); - byte[] iv = getBytes(testcase, "iv"); - byte[] msg = getBytes(testcase, "msg"); - byte[] expectedTag = getBytes(testcase, "tag"); - // Result is one of "valid", "invalid", "acceptable". - // "valid" are test vectors with matching plaintext, ciphertext and tag. - // "invalid" are test vectors with invalid parameters or invalid ciphertext and tag. - // "acceptable" are test vectors with weak parameters or legacy formats. - String result = testcase.get("result").getAsString(); - - Mac mac; - try { - mac = getInitializedMacWithIv(algorithm, key, iv, tagSize); - } catch (GeneralSecurityException ex) { - // Some libraries restrict key size, iv size and tag size. - // Because of the initialization of the Mac might fail. - continue; - } catch (IllegalArgumentException ex) { - // Thrown by javax.crypto.spec.SecretKeySpec (e.g. when the key is empty). - continue; - } - - byte[] computedTag = mac.doFinal(msg); - boolean eq = arrayEquals(expectedTag, computedTag); - if (result.equals("invalid")) { - if (eq) { - // Some test vectors use invalid parameters that should be rejected. - // E.g. an implementation must not allow AES-GMAC with an IV of length 0, - // since this leaks the authentication key. - System.out.println("Computed mac for test case " + tc); - errors++; - } - } else { - if (eq) { - passedTests++; - } else { - System.out.println( - "Incorrect tag for " - + tc - + " expected:" - + TestUtil.bytesToHex(expectedTag) - + " computed:" - + TestUtil.bytesToHex(computedTag)); - errors++; - } - } - } - } - System.out.println("passed Tests for " + algorithm + ":" + passedTests); - assertEquals(0, errors); - assertEquals(numTests, cntTests); - } - - @Test - public void testHmacSha1() throws Exception { - testMac("hmac_sha1_test.json"); - } - - @Test - public void testHmacSha224() throws Exception { - testMac("hmac_sha224_test.json"); - } - - @Test - public void testHmacSha256() throws Exception { - testMac("hmac_sha256_test.json"); - } - - @Test - public void testHmacSha384() throws Exception { - testMac("hmac_sha384_test.json"); - } - - @Test - public void testHmacSha512() throws Exception { - testMac("hmac_sha512_test.json"); - } - - @Test - public void testHmacSha3_224() throws Exception { - testMac("hmac_sha3_224_test.json"); - } - - @Test - public void testHmacSha3_256() throws Exception { - testMac("hmac_sha3_256_test.json"); - } - - @Test - public void testHmacSha3_384() throws Exception { - testMac("hmac_sha3_384_test.json"); - } - - @Test - public void testHmacSha3_512() throws Exception { - testMac("hmac_sha3_512_test.json"); - } - - @Test - public void testAesGmac() throws Exception { - testMacWithIv("gmac_test.json", "AES-GMAC"); - } -} diff --git a/keystore-cts/java/com/google/security/wycheproof/testcases/JsonSignatureTest.java b/keystore-cts/java/com/google/security/wycheproof/testcases/JsonSignatureTest.java deleted file mode 100644 index 21bf0d5..0000000 --- a/keystore-cts/java/com/google/security/wycheproof/testcases/JsonSignatureTest.java +++ /dev/null @@ -1,966 +0,0 @@ -/** - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package com.google.security.wycheproof; - -import static org.junit.Assert.assertEquals; -import static org.junit.Assert.assertTrue; - -import com.google.gson.JsonElement; -import com.google.gson.JsonObject; -import com.google.security.wycheproof.WycheproofRunner.ExcludedTest; -import com.google.security.wycheproof.WycheproofRunner.NoPresubmitTest; -import com.google.security.wycheproof.WycheproofRunner.ProviderType; -import java.security.GeneralSecurityException; -import java.security.InvalidKeyException; -import java.security.KeyFactory; -import java.security.NoSuchAlgorithmException; -import java.security.PrivateKey; -import java.security.PublicKey; -import java.security.Signature; -import java.security.SignatureException; -import java.security.spec.PKCS8EncodedKeySpec; -import java.security.spec.X509EncodedKeySpec; -import java.util.HashSet; -import java.util.Set; -import org.junit.Test; -import org.junit.runner.RunWith; -import org.junit.runners.JUnit4; - -/** - * This test uses test vectors in JSON format to check digital signature schemes. There are still a - * lot of open questions, e.g. the format for the test vectors is not yet finalized. Therefore, we - * are not integrating the tests here into other tests - */ -@RunWith(JUnit4.class) -public class JsonSignatureTest { - - /** - * Defines the format of the signatures. RAW is used when the signature scheme already - * defines an encoding (e.g. this is used for RSA signatures). - */ - public enum Format { RAW, ASN, P1363 }; - - /** Convenience method to get a String from a JsonObject */ - protected static String getString(JsonObject object, String name) { - return object.get(name).getAsString(); - } - - /** Convenience method to get a byte array from a JsonObject */ - protected static byte[] getBytes(JsonObject object, String name) throws Exception { - return JsonUtil.asByteArray(object.get(name)); - } - - /** - * Convert hash names, so that they can be used in an algorithm name for a signature. The - * algorithm names used in JCA are a bit inconsequential. E.g. a dash is necessary for message - * digests (e.g. "SHA-256") but are not used in the corresponding names for digital signatures - * (e.g. "SHA256WITHECDSA"). Providers sometimes use distinct algorithm names for the same - * cryptographic primitive. On the other hand, the dash remains for SHA-3. Hence, the correct - * name for ECDSA with SHA3-256 is "SHA3-256WithECDSA". - * - * <p>See https://docs.oracle.com/en/java/javase/11/docs/specs/security/standard-names.html - * - * @param md the name of a message digest - * @return the name of the message digest when used in a signature algorithm. - */ - protected static String convertMdName(String md) { - if (md.equalsIgnoreCase("SHA-1")) { - return "SHA1"; - } else if (md.equalsIgnoreCase("SHA-224")) { - return "SHA224"; - } else if (md.equalsIgnoreCase("SHA-256")) { - return "SHA256"; - } else if (md.equalsIgnoreCase("SHA-384")) { - return "SHA384"; - } else if (md.equalsIgnoreCase("SHA-512")) { - return "SHA512"; - } else if (md.equalsIgnoreCase("SHA-512/224")) { - return "SHA512/224"; - } else if (md.equalsIgnoreCase("SHA-512/256")) { - return "SHA512/256"; - } - return md; - } - - /** - * Returns an instance of java.security.Signature for an algorithm name, a digest name and a - * signature format. - * - * @param md the name of the message digest (e.g. "SHA-256") - * @param signatureAlgorithm the name of the signature algorithm (e.g. "ECDSA") - * @param signatureFormat the format of the signatures. - * @return an instance of java.security.Signature if the algorithm is known - * @throws NoSuchAlgorithmException if the algorithm is not known - */ - protected static Signature getSignatureInstance( - JsonObject group, String signatureAlgorithm, Format signatureFormat) - throws NoSuchAlgorithmException { - String md = ""; - if (group.has("sha")) { - md = convertMdName(getString(group, "sha")); - } - if (signatureAlgorithm.equals("ECDSA") || signatureAlgorithm.equals("DSA")) { - if (signatureFormat == Format.ASN) { - return Signature.getInstance(md + "WITH" + signatureAlgorithm); - } else if (signatureFormat == Format.P1363) { - // The algorithm names for signature schemes with P1363 format have distinct names - // in distinct providers. This is mainly the case since the P1363 format has only - // been added in jdk11, while providers such as BouncyCastle added the format earlier - // than that. Hence the code below just tries known algorithm names. - try { - String jdkName = md + "WITH" + signatureAlgorithm + "inP1363Format"; - return Signature.getInstance(jdkName); - } catch (NoSuchAlgorithmException ex) { - // jdkName is not known. - } - try { - String bcName = md + "WITHPLAIN-" + signatureAlgorithm; - return Signature.getInstance(bcName); - } catch (NoSuchAlgorithmException ex) { - // bcName is not known. - } - } - } else if (signatureAlgorithm.equals("RSA")) { - if (signatureFormat == Format.RAW) { - return Signature.getInstance(md + "WITH" + signatureAlgorithm); - } - } else if (signatureAlgorithm.equals("ED25519") || signatureAlgorithm.equals("ED448")) { - if (signatureFormat == Format.RAW) { - // http://openjdk.java.net/jeps/339 - try { - return Signature.getInstance(signatureAlgorithm); - } catch (NoSuchAlgorithmException ex) { - // signatureAlgorithm is not known. - } - // An alternative name (e.g. used by BouncyCastle) is "EDDSA". - try { - return Signature.getInstance("EDDSA"); - } catch (NoSuchAlgorithmException ex) { - // "EDDSA" is not known either. - } - } - } - throw new NoSuchAlgorithmException( - "Algorithm " - + signatureAlgorithm - + " with format " - + signatureFormat - + " is not supported"); - } - - /** - * Returns the expected JSON schema for a given test or "" if the schema is undefined. - * The purpose of this function is to perform a sanity test with the goal to recognize - * incorrect test setups. - * @param signatureAlgorithm the signataure algorithm (e.g. "ECDSA") - * @param signatureFormat the format of the signatures - * @param verify true if verification is tested, false if signature generations is tested. - */ - protected static String expectedSchema(String signatureAlgorithm, Format signatureFormat, - boolean verify) { - if (verify) { - if (signatureAlgorithm.equals("ECDSA")) { - switch (signatureFormat) { - case ASN: return "ecdsa_verify_schema.json"; - case P1363: return "ecdsa_p1363_verify_schema.json"; - default: break; - } - } else if (signatureAlgorithm.equals("DSA")) { - switch (signatureFormat) { - case ASN: return "dsa_verify_schema.json"; - case P1363: return "dsa_p1363_verify_schema.json"; - default: break; - } - } else if (signatureAlgorithm.equals("RSA")) { - // Only RSA-PKCS1 is implemented in this unit test. - // RSA-PSS signatures have their own unit test, because the algorithm parameters - // require a setup that is a little different. - switch (signatureFormat) { - case RAW: return "rsassa_pkcs1_verify_schema.json"; - default: break; - } - } else if (signatureAlgorithm.equals("ED25519") || signatureAlgorithm.equals("ED448")) { - switch (signatureFormat) { - case RAW: - return "eddsa_verify_schema.json"; - default: - break; - } - } - } else { - // signature generation - if (signatureAlgorithm.equals("RSA")) { - return "rsassa_pkcs1_generate_schema.json"; - } else if (signatureAlgorithm.equals("ED25519") || signatureAlgorithm.equals("ED448")) { - // TODO(bleichen): - switch (signatureFormat) { - case RAW: - return "eddsa_verify_schema.json"; - default: - break; - } - } - } - // If the schema is not defined then the tests below still run. The only drawback is that - // incorrect test setups are not recognized and will probably lead to failures later. - return ""; - } - /** - * Get a PublicKey from a JsonObject. - * - * <p>object contains the key in multiple formats: "key" : elements of the public key "keyDer": - * the key in ASN encoding encoded hexadecimal "keyPem": the key in Pem format encoded hexadecimal - * The test can use the format that is most convenient. - */ - // This is a false positive, since errorprone cannot track values passed into a method. - @SuppressWarnings("InsecureCryptoUsage") - protected static PublicKey getPublicKey(JsonObject group, String algorithm) throws Exception { - KeyFactory kf; - if (algorithm.equals("ECDSA")) { - kf = KeyFactory.getInstance("EC"); - } else if (algorithm.equals("ED25519") || algorithm.equals("ED448")) { - // http://openjdk.java.net/jeps/339 - kf = KeyFactory.getInstance("EdDSA"); - } else { - kf = KeyFactory.getInstance(algorithm); - } - byte[] encoded = TestUtil.hexToBytes(getString(group, "keyDer")); - X509EncodedKeySpec x509keySpec = new X509EncodedKeySpec(encoded); - return kf.generatePublic(x509keySpec); - } - - /** - * Get a PrivateKey from a JsonObject. - */ - // This is a false positive, since errorprone cannot track values passed into a method. - @SuppressWarnings("InsecureCryptoUsage") - protected static PrivateKey getPrivateKey(JsonObject object, String algorithm) throws Exception { - if (algorithm.equals("RSA")) { - KeyFactory kf = KeyFactory.getInstance(algorithm); - byte[] encoded = TestUtil.hexToBytes(getString(object, "privateKeyPkcs8")); - PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(encoded); - return kf.generatePrivate(keySpec); - } else { - throw new NoSuchAlgorithmException("Algorithm " + algorithm + " is not supported"); - } - } - - /** - * Tests the signature verification with test vectors in a given JSON file. - * - * <p> Example format for test vectors - * { - * "algorithm": "ECDSA", - * "generatorVersion": "0.0a13", - * "numberOfTests": 217, - * "testGroups": [ - * { - * "key": { - * "curve": "secp256r1", - * "type": "ECPublicKey", - * "wx": "0c9c4bc2617c81eb2dcbfda2db2a370a955be86a0d2e95fcb86a99f90cf046573", - * "wy": "0c400363b1b6bcc3595a7d6d3575ccebcbb03f90ba8e58da2bc4824272f4fecff" - * }, - * "keyDer": <X509encoded key> - * "keyPem": "-----BEGIN PUBLIC KEY-----\ ... \n-----END PUBLIC KEY-----", - * "sha": "SHA-256", - * "tests": [ - * { - * "comment": "random signature", - * "msg": "48656c6c6f", - * "result": "valid", - * "sig": "...", - * "tcId": 1 - * }, - * ... - * } - * - * @param filename the filename of the test vectors - * @param signatureAlgorithm the algorithm name of the test vectors - * @param signatureFormat the format of the signatures. This should be Format.P1363 for - * P1363 encoded signatures Format.ASN for ASN.1 encoded signature and Format.RAW - otherwise. - * @param allowSkippingKeys if true then keys that cannot be constructed will not fail the test. - * This is for example used for files with test vectors that use elliptic curves that are not - * commonly supported. - **/ - public void testVerification( - String filename, String signatureAlgorithm, Format signatureFormat, boolean allowSkippingKeys) - throws Exception { - JsonObject test = JsonUtil.getTestVectors(filename); - // Checks whether the test vectors in the file use the expected algorithm and the expected - // format for the signatures. - String schema = expectedSchema(signatureAlgorithm, signatureFormat, true); - String actualSchema = getString(test, "schema"); - if (!schema.isEmpty() && !schema.equals(actualSchema)) { - System.out.println( - signatureAlgorithm - + ": expecting test vectors with schema " - + schema - + " found vectors with schema " - + actualSchema); - } - int numTests = test.get("numberOfTests").getAsInt(); - int cntTests = 0; - int verifiedSignatures = 0; - int errors = 0; - int skippedKeys = 0; - int skippedAlgorithms = 0; - int supportedKeys = 0; - Set<String> skippedGroups = new HashSet<String>(); - for (JsonElement g : test.getAsJsonArray("testGroups")) { - JsonObject group = g.getAsJsonObject(); - PublicKey key; - try { - key = getPublicKey(group, signatureAlgorithm); - } catch (GeneralSecurityException ex) { - if (!allowSkippingKeys) { - throw ex; - } - if (group.has("key")) { - JsonObject keyStruct = group.getAsJsonObject("key"); - if (keyStruct.has("curve")) { - skippedGroups.add("curve = " + getString(keyStruct, "curve")); - } - } - skippedKeys++; - continue; - } - Signature verifier; - try { - verifier = getSignatureInstance(group, signatureAlgorithm, signatureFormat); - } catch (NoSuchAlgorithmException ex) { - if (!allowSkippingKeys) { - throw ex; - } - skippedAlgorithms++; - continue; - } - supportedKeys++; - for (JsonElement t : group.getAsJsonArray("tests")) { - cntTests++; - JsonObject testcase = t.getAsJsonObject(); - byte[] message = getBytes(testcase, "msg"); - byte[] signature = getBytes(testcase, "sig"); - int tcid = testcase.get("tcId").getAsInt(); - String sig = TestUtil.bytesToHex(signature); - String result = getString(testcase, "result"); - verifier.initVerify(key); - verifier.update(message); - boolean verified = false; - Exception failure = null; - try { - verified = verifier.verify(signature); - } catch (SignatureException ex) { - // verify can throw SignatureExceptions if the signature is malformed. - // We don't flag these cases and simply consider the signature as invalid. - verified = false; - failure = ex; - } catch (java.lang.ArithmeticException ex) { - // b/33446454 The Sun provider may throw an ArithmeticException instead of - // the expected SignatureException for DSA signatures. - // We should eventually remove this. - verified = false; - failure = ex; - } catch (Exception ex) { - // Other exceptions (i.e. unchecked exceptions) are considered as error - // since a third party should never be able to cause such exceptions. - System.out.println( - signatureAlgorithm - + " signature throws " - + ex.toString() - + " " - + filename - + " tcId:" - + tcid - + " sig:" - + sig); - verified = false; - failure = ex; - errors++; - } - if (!verified && result.equals("valid")) { - String reason = ""; - if (failure != null) { - reason = " reason:" + failure; - } - System.out.println( - "Valid " - + signatureAlgorithm - + " signature not verified." - + " " - + filename - + " tcId:" - + tcid - + " sig:" - + sig - + reason); - errors++; - } else if (verified) { - if (result.equals("invalid")) { - System.out.println( - "Invalid" - + signatureAlgorithm - + " signature verified." - + " " - + filename - + " tcId:" - + tcid - + " sig:" - + sig); - errors++; - } else { - verifiedSignatures++; - } - } - } - } - // Prints some information if tests were skipped. This avoids giving - // the impression that algorithms are supported. - if (skippedKeys > 0 || skippedAlgorithms > 0 || verifiedSignatures == 0) { - System.out.println( - "File:" - + filename - + " number of skipped keys:" - + skippedKeys - + " number of skipped algorithms:" - + skippedAlgorithms - + " number of supported keys:" - + supportedKeys - + " verified signatures:" - + verifiedSignatures); - for (String s : skippedGroups) { - System.out.println("Skipped groups where " + s); - } - } - assertEquals(0, errors); - if (skippedKeys == 0 && skippedAlgorithms == 0) { - assertEquals(numTests, cntTests); - } - } - - /** - * Tests signature generation of deterministic signature schemes such as RSA-PKCS#1 v1.5. - * - * <p>The test expects that signatures are fully complying with the standards. - * E.g. it is acceptable when RSA-PKCS#1 verification considers ASN encodings of the - * digest name with a missing NULL value for legacy reasons. However, it is considered not - * acceptable when the signature generation does not include the NULL value. - * - * @param filename the filename of the test vectors - * @param signatureAlgorithm the algorithm name of the test vectors (e.g. "RSA") - * @param signatureFormat the format of the signatures. - * @param allowSkippingKeys if true then keys that cannot be constructed will not fail the test. - */ - public void testSigning( - String filename, String signatureAlgorithm, Format signatureFormat, - boolean allowSkippingKeys) throws Exception { - JsonObject test = JsonUtil.getTestVectors(filename); - // Checks whether the test vectors in the file use the expected algorithm and the expected - // format for the signatures. - String schema = expectedSchema(signatureAlgorithm, signatureFormat, false); - String actualSchema = getString(test, "schema"); - if (!schema.isEmpty() && !schema.equals(actualSchema)) { - System.out.println( - signatureAlgorithm - + ": expecting test vectors with schema " - + schema - + " found vectors with schema " - + actualSchema); - } - int cntTests = 0; - int errors = 0; - int skippedKeys = 0; - for (JsonElement g : test.getAsJsonArray("testGroups")) { - JsonObject group = g.getAsJsonObject(); - PrivateKey key; - try { - key = getPrivateKey(group, signatureAlgorithm); - } catch (GeneralSecurityException ex) { - skippedKeys++; - continue; - } - Signature signer; - try { - signer = getSignatureInstance(group, signatureAlgorithm, signatureFormat); - } catch (NoSuchAlgorithmException ex) { - skippedKeys++; - continue; - } - for (JsonElement t : group.getAsJsonArray("tests")) { - JsonObject testcase = t.getAsJsonObject(); - String result = getString(testcase, "result"); - byte[] message = getBytes(testcase, "msg"); - byte[] signature = getBytes(testcase, "sig"); - int tcid = testcase.get("tcId").getAsInt(); - String expectedSig = TestUtil.bytesToHex(signature); - try { - signer.initSign(key); - signer.update(message); - String sig = TestUtil.bytesToHex(signer.sign()); - if (!sig.equals(expectedSig)) { - System.out.println( - "Incorrect signature generated " - + filename - + " tcId:" - + tcid - + " expected:" - + expectedSig - + " sig:" - + sig); - errors++; - } else { - cntTests++; - } - } catch (InvalidKeyException | SignatureException ex) { - if (result.equals("valid")) { - System.out.println( - "Failed to sign " - + filename - + " tcId:" - + tcid - + " with exception:" - + ex); - - errors++; - } - } - } - } - assertEquals(0, errors); - if (skippedKeys > 0) { - System.out.println("File:" + filename); - System.out.println("Number of signatures verified:" + cntTests); - System.out.println("Number of skipped keys:" + skippedKeys); - assertTrue(allowSkippingKeys); - } - } - - @Test - public void testEcdsa() throws Exception { - testVerification("ecdsa_test.json", "ECDSA", Format.ASN, true); - } - - @Test - public void testSecp224r1Sha224() throws Exception { - testVerification("ecdsa_secp224r1_sha224_test.json", "ECDSA", Format.ASN, false); - } - - @Test - public void testSecp224r1Sha256() throws Exception { - testVerification("ecdsa_secp224r1_sha256_test.json", "ECDSA", Format.ASN, false); - } - - @Test - public void testSecp224r1Sha512() throws Exception { - testVerification("ecdsa_secp224r1_sha512_test.json", "ECDSA", Format.ASN, false); - } - - @Test - public void testSecp256r1Sha256() throws Exception { - testVerification("ecdsa_secp256r1_sha256_test.json", "ECDSA", Format.ASN, false); - } - - @Test - public void testSecp256r1Sha512() throws Exception { - testVerification("ecdsa_secp256r1_sha512_test.json", "ECDSA", Format.ASN, false); - } - - @Test - public void testSecp384r1Sha384() throws Exception { - testVerification("ecdsa_secp384r1_sha384_test.json", "ECDSA", Format.ASN, false); - } - - @Test - public void testSecp384r1Sha512() throws Exception { - testVerification("ecdsa_secp384r1_sha512_test.json", "ECDSA", Format.ASN, false); - } - - @Test - public void testSecp521r1Sha512() throws Exception { - testVerification("ecdsa_secp521r1_sha512_test.json", "ECDSA", Format.ASN, false); - } - - // Testing curves that may not be supported by a provider. - @Test - public void testSecp256k1Sha256() throws Exception { - testVerification("ecdsa_secp256k1_sha256_test.json", "ECDSA", Format.ASN, true); - } - - @Test - public void testSecp256k1Sha512() throws Exception { - testVerification("ecdsa_secp256k1_sha512_test.json", "ECDSA", Format.ASN, true); - } - - @NoPresubmitTest( - providers = {ProviderType.OPENJDK}, - bugs = {"b/117643131"} - ) - @Test - public void testBrainpoolP224r1Sha224() throws Exception { - testVerification("ecdsa_brainpoolP224r1_sha224_test.json", "ECDSA", Format.ASN, true); - } - - @Test - public void testBrainpoolP256r1Sha256() throws Exception { - testVerification("ecdsa_brainpoolP256r1_sha256_test.json", "ECDSA", Format.ASN, true); - } - - @Test - public void testBrainpoolP320r1Sha384() throws Exception { - testVerification("ecdsa_brainpoolP320r1_sha384_test.json", "ECDSA", Format.ASN, true); - } - - @Test - public void testBrainpoolP384r1Sha384() throws Exception { - testVerification("ecdsa_brainpoolP384r1_sha384_test.json", "ECDSA", Format.ASN, true); - } - - @Test - public void testBrainpoolP512r1Sha512() throws Exception { - testVerification("ecdsa_brainpoolP512r1_sha512_test.json", "ECDSA", Format.ASN, true); - } - - // SHA-3 signatures - @Test - public void testSecp224r1Sha3_224 () throws Exception { - testVerification("ecdsa_secp224r1_sha3_224_test.json", "ECDSA", Format.ASN, true); - } - - @Test - public void testSecp224r1Sha3_256 () throws Exception { - testVerification("ecdsa_secp224r1_sha3_256_test.json", "ECDSA", Format.ASN, true); - } - - @Test - public void testSecp224r1Sha3_512 () throws Exception { - testVerification("ecdsa_secp224r1_sha3_512_test.json", "ECDSA", Format.ASN, true); - } - - @Test - public void testSecp256r1Sha3_256 () throws Exception { - testVerification("ecdsa_secp256r1_sha3_256_test.json", "ECDSA", Format.ASN, true); - } - - @Test - public void testSecp256r1Sha3_512 () throws Exception { - testVerification("ecdsa_secp256r1_sha3_512_test.json", "ECDSA", Format.ASN, true); - } - - @Test - public void testSecp256k1Sha3_256 () throws Exception { - testVerification("ecdsa_secp256k1_sha3_256_test.json", "ECDSA", Format.ASN, true); - } - - @Test - public void testSecp256k1Sha3_512 () throws Exception { - testVerification("ecdsa_secp256k1_sha3_512_test.json", "ECDSA", Format.ASN, true); - } - - @Test - public void testSecp384r1Sha3_384 () throws Exception { - testVerification("ecdsa_secp384r1_sha3_384_test.json", "ECDSA", Format.ASN, true); - } - - @Test - public void testSecp384r1Sha3_512 () throws Exception { - testVerification("ecdsa_secp384r1_sha3_512_test.json", "ECDSA", Format.ASN, true); - } - - @Test - public void testSecp521r1Sha3_512 () throws Exception { - testVerification("ecdsa_secp521r1_sha3_512_test.json", "ECDSA", Format.ASN, true); - } - - // jdk11 adds P1363 encoded signatures. - @Test - public void testSecp224r1Sha224inP1363Format() throws Exception { - testVerification("ecdsa_secp224r1_sha224_p1363_test.json", "ECDSA", Format.P1363, true); - } - - @Test - public void testSecp224r1Sha256inP1363Format() throws Exception { - testVerification("ecdsa_secp224r1_sha256_p1363_test.json", "ECDSA", Format.P1363, true); - } - - @Test - public void testSecp224r1Sha512inP1363Format() throws Exception { - testVerification("ecdsa_secp224r1_sha512_p1363_test.json", "ECDSA", Format.P1363, true); - } - - @Test - public void testSecp256r1Sha256inP1363Format() throws Exception { - testVerification("ecdsa_secp256r1_sha256_p1363_test.json", "ECDSA", Format.P1363, true); - } - - @Test - public void testSecp256r1Sha512inP1363Format() throws Exception { - testVerification("ecdsa_secp256r1_sha512_p1363_test.json", "ECDSA", Format.P1363, true); - } - - @Test - public void testSecp384r1Sha384inP1363Format() throws Exception { - testVerification("ecdsa_secp384r1_sha384_p1363_test.json", "ECDSA", Format.P1363, true); - } - - @Test - public void testSecp384r1Sha512inP1363Format() throws Exception { - testVerification("ecdsa_secp384r1_sha512_p1363_test.json", "ECDSA", Format.P1363, true); - } - - @Test - public void testSecp521r1Sha512inP1363Format() throws Exception { - testVerification("ecdsa_secp521r1_sha512_p1363_test.json", "ECDSA", Format.P1363, true); - } - - @Test - public void testSecp256k1Sha256inP1363Format() throws Exception { - testVerification("ecdsa_secp256k1_sha256_p1363_test.json", "ECDSA", Format.P1363, true); - } - - @Test - public void testSecp256k1Sha512inP1363Format() throws Exception { - testVerification("ecdsa_secp256k1_sha512_p1363_test.json", "ECDSA", Format.P1363, true); - } - - @NoPresubmitTest( - providers = {ProviderType.OPENJDK}, - bugs = {"b/117643131"} - ) - @Test - public void testBrainpoolP224r1Sha224inP1363Format() throws Exception { - testVerification("ecdsa_brainpoolP224r1_sha224_p1363_test.json", "ECDSA", Format.P1363, true); - } - - @Test - public void testBrainpoolP256r1Sha256inP1363Format() throws Exception { - testVerification("ecdsa_brainpoolP256r1_sha256_p1363_test.json", "ECDSA", Format.P1363, true); - } - - @Test - public void testBrainpoolP320r1Sha384inP1363Format() throws Exception { - testVerification("ecdsa_brainpoolP320r1_sha384_p1363_test.json", "ECDSA", Format.P1363, true); - } - - @Test - public void testBrainpoolP384r1Sha384inP1363Format() throws Exception { - testVerification("ecdsa_brainpoolP384r1_sha384_p1363_test.json", "ECDSA", Format.P1363, true); - } - - @Test - public void testBrainpoolP512r1Sha512inP1363Format() throws Exception { - testVerification("ecdsa_brainpoolP512r1_sha512_p1363_test.json", "ECDSA", Format.P1363, true); - } - - // Testing RSA PKCS#1 v1.5 signatures. - @Test - public void testRsaSigning() throws Exception { - testSigning("rsa_sig_gen_misc_test.json", "RSA", Format.RAW, true); - } - - @Test - public void testRsaSignatures() throws Exception { - testVerification("rsa_signature_test.json", "RSA", Format.RAW, false); - } - - @Test - public void testRsaSignature2048sha224() throws Exception { - testVerification("rsa_signature_2048_sha224_test.json", "RSA", Format.RAW, false); - } - - @Test - public void testRsaSignatures2048sha256() throws Exception { - testVerification("rsa_signature_2048_sha256_test.json", "RSA", Format.RAW, false); - } - - @Test - public void testRsaSignatures2048sha384() throws Exception { - testVerification("rsa_signature_2048_sha384_test.json", "RSA", Format.RAW, false); - } - - @Test - public void testRsaSignatures2048sha512() throws Exception { - testVerification("rsa_signature_2048_sha512_test.json", "RSA", Format.RAW, false); - } - - @Test - public void testRsaSignatures3072sha256() throws Exception { - testVerification("rsa_signature_3072_sha256_test.json", "RSA", Format.RAW, false); - } - - @Test - public void testRsaSignatures3072sha384() throws Exception { - testVerification("rsa_signature_3072_sha384_test.json", "RSA", Format.RAW, false); - } - - @Test - public void testRsaSignatures3072sha512() throws Exception { - testVerification("rsa_signature_3072_sha512_test.json", "RSA", Format.RAW, false); - } - - @Test - public void testRsaSignatures4096sha384() throws Exception { - testVerification("rsa_signature_4096_sha384_test.json", "RSA", Format.RAW, false); - } - - @Test - public void testRsaSignatures4096sha512() throws Exception { - testVerification("rsa_signature_4096_sha512_test.json", "RSA", Format.RAW, false); - } - - // RSA signatures with truncated hashes. Tests may be skipped if the provider - // does not support the hash. - @Test - public void testRsaSignatures2048sha512_224() throws Exception { - testVerification("rsa_signature_2048_sha512_224_test.json", "RSA", Format.RAW, true); - } - - @Test - public void testRsaSignatures2048sha512_256() throws Exception { - testVerification("rsa_signature_2048_sha512_256_test.json", "RSA", Format.RAW, true); - } - - @Test - public void testRsaSignatures3072sha512_256() throws Exception { - testVerification("rsa_signature_3072_sha512_256_test.json", "RSA", Format.RAW, true); - } - - @Test - public void testRsaSignatures4096sha512_256() throws Exception { - testVerification("rsa_signature_4096_sha512_256_test.json", "RSA", Format.RAW, true); - } - - // RSA signatures with SHA-3. Not every provider supports SHA-3. Hence the tests - // may be skipped. - @Test - public void testRsaSignature2048sha3_224() throws Exception { - testVerification("rsa_signature_2048_sha3_224_test.json", "RSA", Format.RAW, true); - } - - @Test - public void testRsaSignatures2048sha3_256() throws Exception { - testVerification("rsa_signature_2048_sha3_256_test.json", "RSA", Format.RAW, true); - } - - @Test - public void testRsaSignatures2048sha3_512() throws Exception { - testVerification("rsa_signature_2048_sha3_512_test.json", "RSA", Format.RAW, true); - } - - @Test - public void testRsaSignatures3072sha3_256() throws Exception { - testVerification("rsa_signature_3072_sha3_256_test.json", "RSA", Format.RAW, true); - } - - @Test - public void testRsaSignatures3072sha3_384() throws Exception { - testVerification("rsa_signature_3072_sha3_384_test.json", "RSA", Format.RAW, true); - } - - @Test - public void testRsaSignatures3072sha3_512() throws Exception { - testVerification("rsa_signature_3072_sha3_512_test.json", "RSA", Format.RAW, true); - } - - // EdDSA - @NoPresubmitTest( - providers = {ProviderType.BOUNCY_CASTLE}, - bugs = {"https://github.com/bcgit/bc-java/issues/508"}) - @Test - public void testEd25519Verify() throws Exception { - testVerification("eddsa_test.json", "ED25519", Format.RAW, true); - } - - @NoPresubmitTest( - providers = {ProviderType.BOUNCY_CASTLE}, - bugs = {"https://github.com/bcgit/bc-java/issues/508"}) - @Test - public void testEd448Verify() throws Exception { - testVerification("ed448_test.json", "ED448", Format.RAW, true); - } - - // DSA - // Two signature encodings for DSA are tested below: ASN encoded signatures - // and P1363 encoded signatures. - @ExcludedTest( - providers = {ProviderType.CONSCRYPT}, - comment = "Conscrypt does not support DSA.") - @Test - public void testDsa2048Sha224() throws Exception { - testVerification("dsa_2048_224_sha224_test.json", "DSA", Format.ASN, true); - } - - // NIST allows 2048-bit DSA keys with either a 224-bit q or a 256-bit q. - // In both cases the security level is 112-bit. - // Jdk generates DSA keys with a 224-bit q (unless specified). - @ExcludedTest( - providers = {ProviderType.CONSCRYPT}, - comment = "Conscrypt does not support DSA.") - @Test - public void testDsa2048JdkSha256() throws Exception { - testVerification("dsa_2048_224_sha256_test.json", "DSA", Format.ASN, true); - } - - // OpenSSL generates DSA keys with a 256-bit q (unless specified). - @ExcludedTest( - providers = {ProviderType.CONSCRYPT}, - comment = "Conscrypt does not support DSA.") - @Test - public void testDsa2048Sha256() throws Exception { - testVerification("dsa_2048_256_sha256_test.json", "DSA", Format.ASN, true); - } - - @ExcludedTest( - providers = {ProviderType.CONSCRYPT}, - comment = "Conscrypt does not support DSA.") - @Test - public void testDsa3072Sha256() throws Exception { - testVerification("dsa_3072_256_sha256_test.json", "DSA", Format.ASN, true); - } - - // DSA tests using P1363 formated signatures. - @ExcludedTest( - providers = {ProviderType.CONSCRYPT}, - comment = "Conscrypt does not support DSA.") - @Test - public void testDsa2048Sha224inP1363Format() throws Exception { - testVerification("dsa_2048_224_sha224_p1363_test.json", "DSA", Format.P1363, true); - } - - @ExcludedTest( - providers = {ProviderType.CONSCRYPT}, - comment = "Conscrypt does not support DSA.") - @Test - public void testDsa2048JdkSha256inP1363Format() throws Exception { - testVerification("dsa_2048_224_sha256_p1363_test.json", "DSA", Format.P1363, true); - } - - @ExcludedTest( - providers = {ProviderType.CONSCRYPT}, - comment = "Conscrypt does not support DSA.") - @Test - public void testDsa2048Sha256inP1363Format() throws Exception { - testVerification("dsa_2048_256_sha256_p1363_test.json", "DSA", Format.P1363, true); - } - - @ExcludedTest( - providers = {ProviderType.CONSCRYPT}, - comment = "Conscrypt does not support DSA.") - @Test - public void testDsa3072Sha256inP1363Format() throws Exception { - testVerification("dsa_3072_256_sha256_p1363_test.json", "DSA", Format.P1363, true); - } - -} - diff --git a/keystore-cts/java/com/google/security/wycheproof/testcases/MacTest.java b/keystore-cts/java/com/google/security/wycheproof/testcases/MacTest.java deleted file mode 100644 index 34b6115..0000000 --- a/keystore-cts/java/com/google/security/wycheproof/testcases/MacTest.java +++ /dev/null @@ -1,398 +0,0 @@ -/** - * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except - * in compliance with the License. You may obtain a copy of the License at - * - * <p>http://www.apache.org/licenses/LICENSE-2.0 - * - * <p>Unless required by applicable law or agreed to in writing, software distributed under the - * License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either - * express or implied. See the License for the specific language governing permissions and - * limitations under the License. - */ -package com.google.security.wycheproof; - -import static java.nio.charset.StandardCharsets.UTF_8; -import static org.junit.Assert.assertEquals; -import static org.junit.Assert.fail; - -import com.google.security.wycheproof.WycheproofRunner.ProviderType; -import com.google.security.wycheproof.WycheproofRunner.SlowTest; -import java.nio.ByteBuffer; -import java.security.GeneralSecurityException; -import java.security.Key; -import java.security.NoSuchAlgorithmException; -import java.security.SecureRandom; -import javax.crypto.Mac; -import javax.crypto.spec.SecretKeySpec; -import org.junit.Test; -import org.junit.runner.RunWith; -import org.junit.runners.JUnit4; - -/** - * Tests for MACs. - * - * <p>TODO(bleichen): The tests are quite incomplete. Some of the missing stuff: More test vectors - * with known results are necessary. So far only simple test vectors for long messages are - * available. - */ -@RunWith(JUnit4.class) -public class MacTest { - - /** - * Computes the maximum of an array with at least one element. - * - * @param values the values from which the max is computed. - * @return the maximum - * @throws IllegalArgumentException if values is empty of null. - */ - private static int max(int[] values) { - if (values == null || values.length == 0) { - throw new IllegalArgumentException("Expecting an array with at least one element"); - } - int result = Integer.MIN_VALUE; - for (int value : values) { - result = Math.max(result, value); - } - return result; - } - - protected static boolean arrayEquals(byte[] a, byte[] b) { - if (a.length != b.length) { - return false; - } - byte res = 0; - for (int i = 0; i < a.length; i++) { - res |= (byte) (a[i] ^ b[i]); - } - return res == 0; - } - - /** - * Tests computing a MAC by computing it multiple times. The test passes all the results are the - * same in all cases. - * - * @param algorithm the name of the MAC (e.g. "HMACSHA1") - * @param key the key of the MAC - * @param data input data for the MAC. The size of the data must be at least as long as the sum of - * all chunkSizes. - * @param chunkSizes the sizes of the chunks used in the calls of update - */ - private void testUpdateWithChunks(String algorithm, Key key, byte[] data, int... chunkSizes) - throws Exception { - Mac mac = Mac.getInstance(algorithm); - - // First evaluation: compute MAC in one piece. - int totalLength = 0; - for (int chunkSize : chunkSizes) { - totalLength += chunkSize; - } - mac.init(key); - mac.update(data, 0, totalLength); - byte[] mac1 = mac.doFinal(); - - // Second evaluation: using multiple chunks - mac.init(key); - int start = 0; - for (int chunkSize : chunkSizes) { - mac.update(data, start, chunkSize); - start += chunkSize; - } - byte[] mac2 = mac.doFinal(); - if (!arrayEquals(mac1, mac2)) { - fail( - "Different MACs for same input:" - + " computed as one piece:" - + TestUtil.bytesToHex(mac1) - + " computed with multiple array segments:" - + TestUtil.bytesToHex(mac2)); - } - // Third evaluation: using ByteBuffers - mac.init(key); - start = 0; - for (int chunkSize : chunkSizes) { - ByteBuffer chunk = ByteBuffer.wrap(data, start, chunkSize); - mac.update(chunk); - start += chunkSize; - } - byte[] mac3 = mac.doFinal(); - if (!arrayEquals(mac1, mac3)) { - fail( - "Different MACs for same input:" - + " computed as one piece:" - + TestUtil.bytesToHex(mac1) - + " computed with wrapped chunks:" - + TestUtil.bytesToHex(mac3)); - } - // Forth evaluation: using ByteBuffer slices. - // The effect of using slice() is that the resulting ByteBuffer has - // position 0, but possibly an non-zero value for arrayOffset(). - mac.init(key); - start = 0; - for (int chunkSize : chunkSizes) { - ByteBuffer chunk = ByteBuffer.wrap(data, start, chunkSize).slice(); - mac.update(chunk); - start += chunkSize; - } - byte[] mac4 = mac.doFinal(); - if (!arrayEquals(mac1, mac4)) { - fail( - "Different MACs for same input:" - + " computed as one piece:" - + TestUtil.bytesToHex(mac1) - + " computed with ByteBuffer slices:" - + TestUtil.bytesToHex(mac4)); - } - } - - /** - * The paper "Finding Bugs in Cryptographic Hash Function Implementations" by Mouha, Raunak, Kuhn, - * and Kacker, https://eprint.iacr.org/2017/891.pdf contains an analysis of implementations - * submitted to the SHA-3 competition. Many of the implementations contain bugs. The authors - * propose some tests for cryptographic libraries. The test here implements a check for - * incremental updates with the values proposed in Table 3. - */ - private void testUpdate(String algorithm, Key key) throws Exception { - int[] chunkSize1 = {0, 8, 16, 24, 32, 40, 48, 56, 64}; - int[] chunkSize2 = {0, 8, 16, 24, 32, 40, 48, 56, 64}; - int[] chunkSize3 = {0, 8, 16, 32, 64, 128, 256, 512, 1024, 2048}; - int[] chunkSize4 = { - 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, - 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, - 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 127, 128, 129, 255, 256, - 257, 511, 512, 513 - }; - int maxSize = max(chunkSize1) + max(chunkSize2) + max(chunkSize3) + max(chunkSize4); - byte[] data = new byte[maxSize]; - SecureRandom rand = new SecureRandom(); - rand.nextBytes(data); - for (int size1 : chunkSize1) { - for (int size2 : chunkSize2) { - for (int size3 : chunkSize3) { - for (int size4 : chunkSize4) { - testUpdateWithChunks(algorithm, key, data, size1, size2, size3, size4); - } - } - } - } - } - - public void testMac(String algorithm, int keySize) throws Exception { - try { - Mac.getInstance(algorithm); - } catch (NoSuchAlgorithmException ex) { - System.out.println("Algorithm " + algorithm + " is not supported. Skipping test."); - return; - } - byte[] key = new byte[keySize]; - SecureRandom rand = new SecureRandom(); - rand.nextBytes(key); - testUpdate(algorithm, new SecretKeySpec(key, algorithm)); - } - - @Test - public void testHmacSha1() throws Exception { - testMac("HMACSHA1", 20); - } - - @Test - public void testHmacSha224() throws Exception { - testMac("HMACSHA224", 28); - } - - @Test - public void testHmacSha256() throws Exception { - testMac("HMACSHA256", 32); - } - - @Test - public void testHmacSha384() throws Exception { - testMac("HMACSHA384", 48); - } - - @Test - public void testHmacSha512() throws Exception { - testMac("HMACSHA512", 64); - } - - @Test - public void testHmacSha3_224() throws Exception { - testMac("HMACSHA3-224", 28); - } - - @Test - public void testHmacSha3_256() throws Exception { - testMac("HMACSHA3-256", 32); - } - - @Test - public void testHmacSha3_384() throws Exception { - testMac("HMACSHA3-384", 48); - } - - @Test - public void testHmacSha3_512() throws Exception { - testMac("HMACSHA3-512", 64); - } - - /** - * Computes the mac of a message repeated multiple times. - * - * @param algorithm the message digest (e.g. "HMACSHA1") - * @param message the bytes to mac - * @param repetitions the number of repetitions of the message - * @return the digest - * @throws GeneralSecurityException if the computation of the mac fails (e.g. because the - * algorithm is unknown). - */ - public byte[] macRepeatedMessage(String algorithm, Key key, byte[] message, long repetitions) - throws Exception { - Mac mac = Mac.getInstance(algorithm); - mac.init(key); - // If the message is short then it is more efficient to collect multiple copies - // of the message in one chunk and call update with the larger chunk. - final int maxChunkSize = 1 << 16; - if (message.length != 0 && 2 * message.length < maxChunkSize) { - int repetitionsPerChunk = maxChunkSize / message.length; - byte[] chunk = new byte[message.length * repetitionsPerChunk]; - for (int i = 0; i < repetitionsPerChunk; i++) { - System.arraycopy(message, 0, chunk, i * message.length, message.length); - } - while (repetitions >= repetitionsPerChunk) { - mac.update(chunk); - repetitions -= repetitionsPerChunk; - } - } - - for (int i = 0; i < repetitions; i++) { - mac.update(message); - } - return mac.doFinal(); - } - - /** - * A test for hashing long messages. - * - * <p>Java does not allow strings or arrays of size 2^31 or longer. However, it is still possible - * to compute a MAC of a long message by repeatedly calling Mac.update(). To compute correct MACs - * the total message length must be known. This length can be bigger than 2^32 bytes. - * - * <p>Reference: http://www-01.ibm.com/support/docview.wss?uid=swg1PK62549 IBMJCE SHA-1 - * IMPLEMENTATION RETURNS INCORRECT HASH FOR LARGE SETS OF DATA - */ - private void testLongMac( - String algorithm, String keyhex, String message, long repetitions, String expected) - throws Exception { - - Key key = new SecretKeySpec(TestUtil.hexToBytes(keyhex), algorithm); - byte[] bytes = message.getBytes(UTF_8); - byte[] mac = null; - try { - mac = macRepeatedMessage(algorithm, key, bytes, repetitions); - } catch (NoSuchAlgorithmException ex) { - System.out.println("Algorithm " + algorithm + " is not supported. Skipping test."); - return; - } - String hexmac = TestUtil.bytesToHex(mac); - assertEquals(expected, hexmac); - } - - @SlowTest( - providers = { - ProviderType.OPENJDK, - ProviderType.BOUNCY_CASTLE, - ProviderType.SPONGY_CASTLE, - ProviderType.CONSCRYPT - }) - @Test - public void testLongMacSha1() throws Exception { - testLongMac( - "HMACSHA1", - "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", - "a", - 2147483647L, - "703925f6dceb9c602969ad39bba9b1eb49472071"); - testLongMac( - "HMACSHA1", - "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", - "a", - 5000000000L, - "d7f4c387f2237ea119fcc27cd7520fc5132b6230"); - } - - @SlowTest( - providers = { - ProviderType.OPENJDK, - ProviderType.BOUNCY_CASTLE, - ProviderType.SPONGY_CASTLE, - ProviderType.CONSCRYPT - }) - @Test - public void testLongMacSha256() throws Exception { - testLongMac( - "HMACSHA256", - "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", - "a", - 2147483647L, - "84f213c9bb5b329d547bc31dabed41939754b1af7482365ec74380c45f6ea0a7"); - testLongMac( - "HMACSHA256", - "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", - "a", - 5000000000L, - "59a75754df7093fa4339aa618b64b104f153a5b42cc85394fdb8735b13ea684a"); - } - - @SlowTest( - providers = { - ProviderType.OPENJDK, - ProviderType.BOUNCY_CASTLE, - ProviderType.SPONGY_CASTLE, - ProviderType.CONSCRYPT - }) - @Test - public void testLongMacSha384() throws Exception { - testLongMac( - "HMACSHA384", - "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f" - + "202122232425262728292a2b2c2d2e2f", - "a", - 2147483647L, - "aea987905f64791691b3fdea06f8e4125f396ebb73f37894e961b1a7522a55da" - + "ecd856a70c92c6646e6f8c3fcb935528"); - testLongMac( - "HMACSHA384", - "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f" - + "202122232425262728292a2b2c2d2e2f", - "a", - 5000000000L, - "88485c9c5714d43a99dacbc861988c7ea39c02d82104bf93e55ec1b8a24fe15a" - + "a477e6a84d159d8b7a3daaa89c4f2372"); - } - - @SlowTest( - providers = { - ProviderType.OPENJDK, - ProviderType.BOUNCY_CASTLE, - ProviderType.SPONGY_CASTLE, - ProviderType.CONSCRYPT - }) - @Test - public void testLongMacSha512() throws Exception { - testLongMac( - "HMACSHA512", - "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f" - + "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", - "a", - 2147483647L, - "fc68fbc294951c691e5bc085c3af026099f39a57230b242aaf1fc5ca691e05da" - + "d1a5de7d4f30e1c958c6a2cee6159218dab683187e6d56bab824a3adefde9102"); - testLongMac( - "HMACSHA512", - "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f" - + "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", - "a", - 5000000000L, - "31b1d721b958203bff7d7ddf50d48b17fc760a80a99a7f23ec966ce3bbefff29" - + "0d176eebbb6a440960024be0726c94960bbf75816548a7fd4552c7baba4585ee"); - } -} diff --git a/keystore-cts/java/com/google/security/wycheproof/testcases/RsaEncryptionTest.java b/keystore-cts/java/com/google/security/wycheproof/testcases/RsaEncryptionTest.java deleted file mode 100644 index 5f82420..0000000 --- a/keystore-cts/java/com/google/security/wycheproof/testcases/RsaEncryptionTest.java +++ /dev/null @@ -1,225 +0,0 @@ -/** - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package com.google.security.wycheproof; - -import static org.junit.Assert.assertEquals; -import static org.junit.Assert.fail; - -import com.google.gson.JsonElement; -import com.google.gson.JsonObject; -import java.security.KeyFactory; -import java.security.NoSuchAlgorithmException; -import java.security.PrivateKey; -import java.security.spec.PKCS8EncodedKeySpec; -import java.util.Set; -import java.util.TreeSet; -import javax.crypto.Cipher; -import javax.crypto.NoSuchPaddingException; -import org.junit.Test; -import org.junit.runner.RunWith; -import org.junit.runners.JUnit4; - -/** - * RSA encryption tests - * - * @author bleichen@google.com (Daniel Bleichenbacher) - */ -@RunWith(JUnit4.class) -public class RsaEncryptionTest { - - /** - * Providers that implement RSA with PKCS1Padding but not OAEP are outdated and should be avoided - * even if RSA is currently not used in a project. Such providers promote using an insecure - * cipher. There is a great danger that PKCS1Padding is used as a temporary workaround, but later - * stays in the project for much longer than necessary. - */ - @Test - public void testOutdatedProvider() throws Exception { - try { - Cipher c = Cipher.getInstance("RSA/ECB/PKCS1Padding"); - try { - Cipher.getInstance("RSA/ECB/OAEPWITHSHA-1ANDMGF1PADDING"); - } catch (NoSuchPaddingException | NoSuchAlgorithmException ex) { - fail("Provider " + c.getProvider().getName() + " is outdated and should not be used."); - } - } catch (NoSuchPaddingException | NoSuchAlgorithmException ex) { - System.out.println("RSA/ECB/PKCS1Padding is not implemented"); - } - } - - /** - * Get a PublicKey from a JsonObject. - * - * <p>object contains the key in multiple formats: "key" : elements of the public key "keyDer": - * the key in ASN encoding encoded hexadecimal "keyPem": the key in Pem format encoded hexadecimal - * The test can use the format that is most convenient. - */ - // This is a false positive, since errorprone cannot track values passed into a method. - @SuppressWarnings("InsecureCryptoUsage") - protected static PrivateKey getPrivateKey(JsonObject object) throws Exception { - KeyFactory kf; - kf = KeyFactory.getInstance("RSA"); - byte[] encoded = TestUtil.hexToBytes(object.get("privateKeyPkcs8").getAsString()); - PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(encoded); - return kf.generatePrivate(keySpec); - } - - /** Convenience method to get a byte array from a JsonObject */ - protected static byte[] getBytes(JsonObject object, String name) throws Exception { - return JsonUtil.asByteArray(object.get(name)); - } - - /** - * Tries decrypting RSA-PKCS #1 v 1.5 encrypted ciphertext. - * RSA-PKCS #1 v 1.5 is susceptible to chosen ciphertext attacks. The seriousness of the - * attack depends on how much information is leaked when decrypting an invalid ciphertext. - * The test vectors with invalid padding contain a flag "InvalidPkcs1Padding". - * The test below expects that all test vectors with this flag throw an indistinguishable - * exception. - * - * <p><b>References:</b> - * - * <ul> - * <li>Bleichenbacher, "Chosen ciphertext attacks against protocols based on the RSA encryption - * standard PKCS# 1" Crypto 98 - * <li>Manger, "A chosen ciphertext attack on RSA optimal asymmetric encryption padding (OAEP) - * as standardized in PKCS# 1 v2.0", Crypto 2001 This paper shows that OAEP is susceptible - * to a chosen ciphertext attack if error messages distinguish between different failure - * condidtions. - * <li>Bardou, Focardi, Kawamoto, Simionato, Steel, Tsay "Efficient Padding Oracle Attacks on - * Cryptographic Hardware", Crypto 2012 The paper shows that small differences on what - * information an attacker receives can make a big difference on the number of chosen - * message necessary for an attack. - * <li>Smart, "Errors matter: Breaking RSA-based PIN encryption with thirty ciphertext validity - * queries" RSA conference, 2010 This paper shows that padding oracle attacks can be - * successful with even a small number of queries. - * </ul> - * - * <p><b>Some recent bugs:</b> CVE-2012-5081: Java JSSE provider leaked information through - * exceptions and timing. Both the PKCS #1 padding and the OAEP padding were broken: - * http://www-brs.ub.ruhr-uni-bochum.de/netahtml/HSS/Diss/MeyerChristopher/diss.pdf - * - * <p><b>What this test does not (yet) cover:</b> - * - * <ul> - * <li>A previous version of one of the provider leaked the block type. (when was this fixed?) - * <li>Some attacks require a large number of ciphertexts to be detected if random ciphertexts - * are used. Such problems require specifically crafted ciphertexts to run in a unit test. - * E.g. "Attacking RSA-based Sessions in SSL/TLS" by V. Klima, O. Pokorny, and T. Rosa: - * https://eprint.iacr.org/2003/052/ - * <li>Timing leakages because of differences in parsing the padding (e.g. CVE-2015-7827) Such - * differences are too small to be reliably detectable in unit tests. - * </ul> - */ - @SuppressWarnings("InsecureCryptoUsage") - public void testDecryption(String filename) throws Exception { - final String expectedSchema = "rsaes_pkcs1_decrypt_schema.json"; - JsonObject test = JsonUtil.getTestVectors(filename); - String schema = test.get("schema").getAsString(); - if (!schema.equals(expectedSchema)) { - System.out.println( - "Expecting test vectors with schema " - + expectedSchema - + " found vectors with schema " - + schema); - } - // Padding oracle attacks become simpler when the decryption leaks detailed information about - // invalid paddings. Hence implementations are expected to not include such information in the - // exception thrown in the case of an invalid padding. - // Test vectors with an invalid padding have a flag "InvalidPkcs1Padding". - // Invalid test vectors without this flag are cases where the error are detected before - // the ciphertext is decrypted, e.g. if the size of the ciphertext is incorrect. - final String invalidPkcs1Padding = "InvalidPkcs1Padding"; - Set<String> exceptions = new TreeSet<String>(); - - int errors = 0; - Cipher decrypter = Cipher.getInstance("RSA/ECB/PKCS1Padding"); - for (JsonElement g : test.getAsJsonArray("testGroups")) { - JsonObject group = g.getAsJsonObject(); - PrivateKey key = getPrivateKey(group); - for (JsonElement t : group.getAsJsonArray("tests")) { - JsonObject testcase = t.getAsJsonObject(); - int tcid = testcase.get("tcId").getAsInt(); - String messageHex = TestUtil.bytesToHex(getBytes(testcase, "msg")); - byte[] ciphertext = getBytes(testcase, "ct"); - String ciphertextHex = TestUtil.bytesToHex(ciphertext); - String result = testcase.get("result").getAsString(); - decrypter.init(Cipher.DECRYPT_MODE, key); - byte[] decrypted = null; - String exception = ""; - try { - decrypted = decrypter.doFinal(ciphertext); - } catch (Exception ex) { - // TODO(bleichen): The exception thrown should always be - // a GeneralSecurityException. - // However, BouncyCastle throws some non-conforming exceptions. - // For the moment we do not count this as a problem to avoid that - // more serious bugs remain hidden. In particular, the test expects - // that all ciphertexts with an invalid padding throw the same - // indistinguishable exception. - decrypted = null; - exception = ex.toString(); - for (JsonElement flag : testcase.getAsJsonArray("flags")) { - if (flag.getAsString().equals(invalidPkcs1Padding)) { - exceptions.add(exception); - break; - } - } - } - if (decrypted == null && result.equals("valid")) { - System.out.printf( - "Valid ciphertext not decrypted. filename:%s tcId:%d ct:%s cause:%s\n", - filename, tcid, ciphertextHex, exception); - errors++; - } else if (decrypted != null) { - String decryptedHex = TestUtil.bytesToHex(decrypted); - if (result.equals("invalid")) { - System.out.printf( - "Invalid ciphertext decrypted. filename:%s tcId:%d expected:%s decrypted:%s\n", - filename, tcid, messageHex, decryptedHex); - errors++; - } else if (!decryptedHex.equals(messageHex)) { - System.out.printf( - "Incorrect decryption. filename:%s tcId:%d expected:%s decrypted:%s\n", - filename, tcid, messageHex, decryptedHex); - errors++; - } - } - } - } - if (exceptions.size() != 1) { - System.out.println("Exceptions for RSA/ECB/PKCS1Padding"); - for (String s : exceptions) { - System.out.println(s); - } - fail("Exceptions leak information about the padding"); - } - assertEquals(0, errors); - } - - @Test - public void testDecryption2048() throws Exception { - testDecryption("rsa_pkcs1_2048_test.json"); - } - - @Test - public void testDecryption3072() throws Exception { - testDecryption("rsa_pkcs1_3072_test.json"); - } - - @Test - public void testDecryption4096() throws Exception { - testDecryption("rsa_pkcs1_4096_test.json"); - } -} diff --git a/keystore-cts/java/com/google/security/wycheproof/testcases/RsaOaepTest.java b/keystore-cts/java/com/google/security/wycheproof/testcases/RsaOaepTest.java deleted file mode 100644 index 201dfbc..0000000 --- a/keystore-cts/java/com/google/security/wycheproof/testcases/RsaOaepTest.java +++ /dev/null @@ -1,390 +0,0 @@ -/** - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package com.google.security.wycheproof; - -import static org.junit.Assert.assertEquals; -import static org.junit.Assert.assertTrue; - -import com.google.gson.JsonElement; -import com.google.gson.JsonObject; -import java.security.AlgorithmParameters; -import java.security.GeneralSecurityException; -import java.security.KeyFactory; -import java.security.NoSuchAlgorithmException; -import java.security.PrivateKey; -import java.security.PublicKey; -import java.security.spec.AlgorithmParameterSpec; -import java.security.spec.MGF1ParameterSpec; -import java.security.spec.PKCS8EncodedKeySpec; -import java.security.spec.X509EncodedKeySpec; -import javax.crypto.Cipher; -import javax.crypto.spec.OAEPParameterSpec; -import javax.crypto.spec.PSource; -import org.junit.Test; -import org.junit.runner.RunWith; -import org.junit.runners.JUnit4; - -/** - * Checks implementations of RSA-OAEP. - */ -@RunWith(JUnit4.class) -public class RsaOaepTest { - - /** - * A list of algorithm names for RSA-OAEP. - * - * The standard algorithm names for RSA-OAEP are defined in - * https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html - */ - static String[] OaepAlgorithmNames = { - "RSA/None/OAEPPadding", - "RSA/None/OAEPwithSHA-1andMGF1Padding", - "RSA/None/OAEPwithSHA-224andMGF1Padding", - "RSA/None/OAEPwithSHA-256andMGF1Padding", - "RSA/None/OAEPwithSHA-384andMGF1Padding", - "RSA/None/OAEPwithSHA-512andMGF1Padding", - }; - - protected static void printParameters(AlgorithmParameterSpec params) { - if (params instanceof OAEPParameterSpec) { - OAEPParameterSpec oaepParams = (OAEPParameterSpec) params; - System.out.println("OAEPParameterSpec"); - System.out.println("digestAlgorithm:" + oaepParams.getDigestAlgorithm()); - System.out.println("mgfAlgorithm:" + oaepParams.getMGFAlgorithm()); - printParameters(oaepParams.getMGFParameters()); - } else if (params instanceof MGF1ParameterSpec) { - MGF1ParameterSpec mgf1Params = (MGF1ParameterSpec) params; - System.out.println("MGF1ParameterSpec"); - System.out.println("digestAlgorithm:" + mgf1Params.getDigestAlgorithm()); - } else { - System.out.println(params.toString()); - } - } - - /** - * This is not a real test. The JCE algorithm names only specify one hash algorithm. But OAEP - * uses two hases. One hash algorithm is used to hash the labels. The other hash algorithm is - * used for the mask generation function. - * - * <p>Different provider use different default values for the hash function that is not specified - * in the algorithm name. Jdk uses mgfsha1 as default. BouncyCastle and Conscrypt use the same - * hash for labels and mgf. Every provider allows to specify all the parameters using - * an OAEPParameterSpec instance. - * - * <p>This test simply tries a number of algorithm names for RSA-OAEP and prints the OAEP - * parameters for the case where no OAEPParameterSpec is used. - */ - // TODO(bleichen): jdk11 will also add parameters to the RSA keys. This will need more tests. - @Test - public void testDefaults() throws Exception { - String pubKey = - "30820122300d06092a864886f70d01010105000382010f003082010a02820101" - + "00bdf90898577911c71c4d9520c5f75108548e8dfd389afdbf9c997769b8594e" - + "7dc51c6a1b88d1670ec4bb03fa550ba6a13d02c430bfe88ae4e2075163017f4d" - + "8926ce2e46e068e88962f38112fc2dbd033e84e648d4a816c0f5bd89cadba0b4" - + "d6cac01832103061cbb704ebacd895def6cff9d988c5395f2169a6807207333d" - + "569150d7f569f7ebf4718ddbfa2cdbde4d82a9d5d8caeb467f71bfc0099b0625" - + "a59d2bad12e3ff48f2fd50867b89f5f876ce6c126ced25f28b1996ee21142235" - + "fb3aef9fe58d9e4ef6e4922711a3bbcd8adcfe868481fd1aa9c13e5c658f5172" - + "617204314665092b4d8dca1b05dc7f4ecd7578b61edeb949275be8751a5a1fab" - + "c30203010001"; - KeyFactory kf; - kf = KeyFactory.getInstance("RSA"); - X509EncodedKeySpec x509keySpec = new X509EncodedKeySpec(TestUtil.hexToBytes(pubKey)); - PublicKey key = kf.generatePublic(x509keySpec); - for (String oaepName : OaepAlgorithmNames) { - try { - Cipher c = Cipher.getInstance(oaepName); - c.init(Cipher.ENCRYPT_MODE, key); - System.out.println("Algorithm " + oaepName + " uses the following defaults"); - AlgorithmParameters params = c.getParameters(); - printParameters(params.getParameterSpec(OAEPParameterSpec.class)); - } catch (NoSuchAlgorithmException ex) { - continue; - } - } - } - - /** Convenience mehtod to get a String from a JsonObject */ - protected static String getString(JsonObject object, String name) throws Exception { - return object.get(name).getAsString(); - } - - /** Convenience method to get a byte array from a JsonObject */ - protected static byte[] getBytes(JsonObject object, String name) throws Exception { - return JsonUtil.asByteArray(object.get(name)); - } - - /** - * Get a PublicKey from a JsonObject. - * - * <p>object contains the key in multiple formats: "key" : elements of the public key "keyDer": - * the key in ASN encoding encoded hexadecimal "keyPem": the key in Pem format encoded hexadecimal - * The test can use the format that is most convenient. - */ - // This is a false positive, since errorprone cannot track values passed into a method. - @SuppressWarnings("InsecureCryptoUsage") - protected static PrivateKey getPrivateKey(JsonObject object) throws Exception { - KeyFactory kf; - kf = KeyFactory.getInstance("RSA"); - byte[] encoded = TestUtil.hexToBytes(getString(object, "privateKeyPkcs8")); - PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(encoded); - return kf.generatePrivate(keySpec); - } - - protected static String getOaepAlgorithmName(JsonObject group) throws Exception { - String mgf = getString(group, "mgf"); - String mgfSha = getString(group, "mgfSha"); - return "RSA/ECB/OAEPwith" + mgfSha + "and" + mgf + "Padding"; - } - - protected static OAEPParameterSpec getOaepParameters(JsonObject group, - JsonObject test) throws Exception { - String sha = getString(group, "sha"); - String mgf = getString(group, "mgf"); - String mgfSha = getString(group, "mgfSha"); - PSource p = PSource.PSpecified.DEFAULT; - if (test.has("label")) { - p = new PSource.PSpecified(getBytes(test, "label")); - } - return new OAEPParameterSpec(sha, mgf, new MGF1ParameterSpec(mgfSha), p); - } - - /** - * Tests the signature verification with test vectors in a given JSON file. - * - * <p> Example format for test vectors - * { "algorithm" : "RSA-OAEP", - * "schema" : "rsaes_oaep_decrypt_schema.json", - * "generatorVersion" : "0.7", - * ... - * "testGroups" : [ - * { - * "d" : "...", - * "e" : "10001", - * "n" : "...", - * "keysize" : 2048, - * "sha" : "SHA-256", - * "mgf" : "MGF1", - * "mgfSha" : "SHA-256", - * "privateKeyPem" : "-----BEGIN RSA PRIVATE KEY-----\n...", - * "privateKeyPkcs8" : "...", - * "type" : "RSAES", - * "tests" : [ - * { - * "tcId" : 1, - * "comment" : "", - * "msg" : "30313233343030", - * "ct" : "...", - * "label" : "", - * "result" : "valid", - * "flags" : [], - * }, - * ... - * - * @param filename the filename of the test vectors - * @param allowSkippingKeys if true then keys that cannot be constructed will not fail the test. - * Most of the tests below are using allowSkippingKeys == false. The reason for doing this - * is that providers have distinctive defaults. E.g., no OAEPParameterSpec is given then - * BouncyCastle and Conscrypt use the same hash function for hashing the label and for the - * mask generation function, while jdk uses MGF1SHA1. This is unfortunate and probably - * difficult to fix. Hence, the tests below simply require that providers support each - * others default parameters under the assumption that the OAEPParameterSpec is fully - * specified. - **/ - public void testOaep(String filename, boolean allowSkippingKeys) - throws Exception { - JsonObject test = JsonUtil.getTestVectors(filename); - - // Compares the expected and actual JSON schema of the test vector file. - // Mismatched JSON schemas will likely lead to a test failure. - String generatorVersion = getString(test, "generatorVersion"); - String expectedSchema = "rsaes_oaep_decrypt_schema.json"; - String actualSchema = getString(test, "schema"); - if (!expectedSchema.equals(actualSchema)) { - System.out.println( - "Expecting test vectors with schema " - + expectedSchema - + " found vectors with schema " - + actualSchema - + " generatorVersion:" - + generatorVersion); - } - - int numTests = test.get("numberOfTests").getAsInt(); - int cntTests = 0; - int errors = 0; - int skippedKeys = 0; - for (JsonElement g : test.getAsJsonArray("testGroups")) { - JsonObject group = g.getAsJsonObject(); - PrivateKey key; - try { - key = getPrivateKey(group); - } catch (GeneralSecurityException ex) { - skippedKeys++; - if (!allowSkippingKeys) { - System.out.printf("Key generation throws:%s\n", ex.toString()); - } - continue; - } - String algorithm = getOaepAlgorithmName(group); - Cipher decrypter = Cipher.getInstance(algorithm); - for (JsonElement t : group.getAsJsonArray("tests")) { - cntTests++; - JsonObject testcase = t.getAsJsonObject(); - int tcid = testcase.get("tcId").getAsInt(); - String messageHex = TestUtil.bytesToHex(getBytes(testcase, "msg")); - OAEPParameterSpec params = getOaepParameters(group, testcase); - byte[] ciphertext = getBytes(testcase, "ct"); - String ciphertextHex = TestUtil.bytesToHex(ciphertext); - String result = getString(testcase, "result"); - decrypter.init(Cipher.DECRYPT_MODE, key, params); - byte[] decrypted = null; - try { - decrypted = decrypter.doFinal(ciphertext); - } catch (GeneralSecurityException ex) { - decrypted = null; - } catch (Exception ex) { - // Other exceptions (i.e. unchecked exceptions) are considered as error - // since a third party should never be able to cause such exceptions. - System.out.printf("Decryption throws %s. filename:%s tcId:%d ct:%s\n", - ex.toString(), filename, tcid, ciphertextHex); - decrypted = null; - // TODO(bleichen): BouncyCastle throws some non-conforming exceptions. - // For the moment we do not count this as a problem to avoid that - // more serious bugs remain hidden. - // errors++; - } - if (decrypted == null && result.equals("valid")) { - System.out.printf( - "Valid ciphertext not decrypted. filename:%s tcId:%d ct:%s\n", - filename, tcid, ciphertextHex); - errors++; - } else if (decrypted != null) { - String decryptedHex = TestUtil.bytesToHex(decrypted); - if (result.equals("invalid")) { - System.out.printf( - "Invalid ciphertext decrypted. filename:%s tcId:%d expected:%s decrypted:%s\n", - filename, tcid, messageHex, decryptedHex); - errors++; - } else if (!decryptedHex.equals(messageHex)) { - System.out.printf( - "Incorrect decryption. filename:%s tcId:%d expected:%s decrypted:%s\n", - filename, tcid, messageHex, decryptedHex); - errors++; - } - } - } - } - assertEquals(0, errors); - if (skippedKeys > 0) { - System.out.println("RSAES-OAEP: file:" + filename + " skipped key:" + skippedKeys); - assertTrue(allowSkippingKeys); - } else { - assertEquals(numTests, cntTests); - } - } - - @Test - public void testRsaOaep2048Sha1Mgf1Sha1() throws Exception { - testOaep("rsa_oaep_2048_sha1_mgf1sha1_test.json", false); - } - - @Test - public void testRsaOaep2048Sha224Mgf1Sha1() throws Exception { - testOaep("rsa_oaep_2048_sha224_mgf1sha1_test.json", false); - } - - @Test - public void testRsaOaep2048Sha224Mgf1Sha224() throws Exception { - testOaep("rsa_oaep_2048_sha224_mgf1sha224_test.json", false); - } - - @Test - public void testRsaOaep2048Sha256Mgf1Sha1() throws Exception { - testOaep("rsa_oaep_2048_sha256_mgf1sha1_test.json", false); - } - - @Test - public void testRsaOaep2048Sha256Mgf1Sha256() throws Exception { - testOaep("rsa_oaep_2048_sha256_mgf1sha256_test.json", false); - } - - @Test - public void testRsaOaep2048Sha384Mgf1Sha1() throws Exception { - testOaep("rsa_oaep_2048_sha384_mgf1sha1_test.json", false); - } - - @Test - public void testRsaOaep2048Sha384Mgf1Sha384() throws Exception { - testOaep("rsa_oaep_2048_sha384_mgf1sha384_test.json", false); - } - - @Test - public void testRsaOaep2048Sha512Mgf1Sha1() throws Exception { - testOaep("rsa_oaep_2048_sha512_mgf1sha1_test.json", false); - } - - @Test - public void testRsaOaep2048Sha512Mgf1Sha512() throws Exception { - testOaep("rsa_oaep_2048_sha512_mgf1sha512_test.json", false); - } - - @Test - public void testRsaOaep3072Sha256Mgf1Sha1() throws Exception { - testOaep("rsa_oaep_3072_sha256_mgf1sha1_test.json", false); - } - - @Test - public void testRsaOaep3072Sha256Mgf1Sha256() throws Exception { - testOaep("rsa_oaep_3072_sha256_mgf1sha256_test.json", false); - } - - @Test - public void testRsaOaep3072Sha512Mgf1Sha1() throws Exception { - testOaep("rsa_oaep_3072_sha512_mgf1sha1_test.json", false); - } - - @Test - public void testRsaOaep3072Sha512Mgf1Sha512() throws Exception { - testOaep("rsa_oaep_3072_sha512_mgf1sha512_test.json", false); - } - - @Test - public void testRsaOaep4096Sha256Mgf1Sha1() throws Exception { - testOaep("rsa_oaep_4096_sha256_mgf1sha1_test.json", false); - } - - @Test - public void testRsaOaep4096Sha256Mgf1Sha256() throws Exception { - testOaep("rsa_oaep_4096_sha256_mgf1sha256_test.json", false); - } - - @Test - public void testRsaOaep4096Sha512Mgf1Sha1() throws Exception { - testOaep("rsa_oaep_4096_sha512_mgf1sha1_test.json", false); - } - - @Test - public void testRsaOaep4096Sha512Mgf1Sha512() throws Exception { - testOaep("rsa_oaep_4096_sha512_mgf1sha512_test.json", false); - } - - @Test - public void testRsaOaepMisc() throws Exception { - testOaep("rsa_oaep_misc_test.json", false); - } - -} - diff --git a/keystore-cts/java/com/google/security/wycheproof/testcases/RsaPssTest.java b/keystore-cts/java/com/google/security/wycheproof/testcases/RsaPssTest.java deleted file mode 100644 index 8868c23..0000000 --- a/keystore-cts/java/com/google/security/wycheproof/testcases/RsaPssTest.java +++ /dev/null @@ -1,568 +0,0 @@ -/** - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package com.google.security.wycheproof; - -import static org.junit.Assert.assertEquals; -import static org.junit.Assert.assertTrue; - -import com.google.gson.JsonElement; -import com.google.gson.JsonObject; -import com.google.security.wycheproof.WycheproofRunner.NoPresubmitTest; -import com.google.security.wycheproof.WycheproofRunner.ProviderType; -import java.lang.reflect.Constructor; -import java.math.BigInteger; -import java.security.AlgorithmParameters; -import java.security.GeneralSecurityException; -import java.security.KeyFactory; -import java.security.KeyPair; -import java.security.KeyPairGenerator; -import java.security.NoSuchAlgorithmException; -import java.security.PublicKey; -import java.security.Signature; -import java.security.SignatureException; -import java.security.spec.AlgorithmParameterSpec; -import java.security.spec.MGF1ParameterSpec; -import java.security.spec.PSSParameterSpec; -import java.security.spec.RSAKeyGenParameterSpec; -import java.security.spec.X509EncodedKeySpec; -import java.util.HashSet; -import java.util.Set; -import org.junit.Test; -import org.junit.runner.RunWith; -import org.junit.runners.JUnit4; - -/** - * Tests for RSA-PSS. - */ -@RunWith(JUnit4.class) -public class RsaPssTest { - - /** - * Returns an AlgorithmParameterSpec for generating a RSASSA-PSS key, - * which include the PSSParameters. - * Requires jdk11. - * - * @param keySizeInBits the size of the modulus in bits. - * @param sha the name of the hash function for hashing the input (e.g. "SHA-256") - * @param mgf the name of the mask generating function (typically "MGF1") - * @param mgfSha the name of the hash function for the mask generating function - * (typically the same as sha). - * @param saltLength the length of the salt in bytes (typically the digest size of sha, - * i.e. 32 for "SHA-256") - * @throws NoSuchMethodException if the AlgorithmParameterSpec is not - * supported (i.e. this happens before jdk11). - */ - public RSAKeyGenParameterSpec getPssAlgorithmParameters( - int keySizeInBits, - String sha, - String mgf, - String mgfSha, - int saltLength) throws Exception { - BigInteger publicExponent = new BigInteger("65537"); - PSSParameterSpec params = - new PSSParameterSpec(sha, mgf, new MGF1ParameterSpec(mgfSha), saltLength, 1); - // Uses reflection to call - // public RSAKeyGenParameterSpec(int keysize, BigInteger publicExponent, - // AlgorithmParameterSpec keyParams) - // because this method is only supported in jdk11. This throws a NoSuchMethodException - // for older jdks. - Constructor<RSAKeyGenParameterSpec> c = - RSAKeyGenParameterSpec.class.getConstructor( - int.class, BigInteger.class, AlgorithmParameterSpec.class); - return c.newInstance(keySizeInBits, publicExponent, params); - } - - /** - * Tries encoding and decoding of RSASSA-PSS keys generated with RSASSA-PSS. - * - * RSASSA-PSS keys contain the PSSParameters, hence their encodings are - * somewhat different than plain RSA keys. - */ - @NoPresubmitTest( - providers = {ProviderType.OPENJDK}, - bugs = {"b/120406853"} - ) - @Test - public void testEncodeDecodePublic() throws Exception { - int keySizeInBits = 2048; - PublicKey pub; - try { - KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSASSA-PSS"); - keyGen.initialize(keySizeInBits); - KeyPair keypair = keyGen.genKeyPair(); - pub = keypair.getPublic(); - } catch (NoSuchAlgorithmException ex) { - System.out.println("Key generation for RSASSA-PSS is not supported."); - return; - } - byte[] encoded = pub.getEncoded(); - assertEquals( - "The test assumes that the public key is in X.509 format", "X.509", pub.getFormat()); - System.out.println("Generated RSA-PSS key"); - System.out.println(TestUtil.bytesToHex(encoded)); - KeyFactory kf = KeyFactory.getInstance("RSASSA-PSS"); - X509EncodedKeySpec spec = new X509EncodedKeySpec(encoded); - kf.generatePublic(spec); - - // Tries to generate another pair or keys. This time the generator is given an - // RSAKeyGenParameterSpec containing the key size an the PSS parameters. - String sha = "SHA-256"; - String mgf = "MGF1"; - int saltLength = 20; - try { - RSAKeyGenParameterSpec params = - getPssAlgorithmParameters(keySizeInBits, sha, mgf, sha, saltLength); - KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSASSA-PSS"); - keyGen.initialize(params); - KeyPair keypair = keyGen.genKeyPair(); - pub = keypair.getPublic(); - } catch (NoSuchAlgorithmException | NoSuchMethodException ex) { - System.out.println("Key generation for RSASSA-PSS is not supported."); - return; - } - byte[] encoded2 = pub.getEncoded(); - System.out.println("Generated RSA-PSS key with PSS parameters"); - System.out.println(TestUtil.bytesToHex(encoded2)); - X509EncodedKeySpec spec2 = new X509EncodedKeySpec(encoded2); - kf.generatePublic(spec2); - } - - /** - * Tests the default parameters used for a given algorithm name. - * - * @param algorithm the algorithm name for an RSA-PSS instance. (e.g. "SHA256WithRSAandMGF1") - * @param expectedHash the hash algorithm expected for the given algorithm - * @param expectedMgf the mask generation function expected for the given algorithm (e.g. "MGF1") - * @param expectedMgfHash the hash algorithm exptected for the mask generation function - * @param expectedSaltLength the expected salt length in bytes for the given algorithm - * @param expectedTrailerField the expected value for the tailer field (e.g. 1 for 0xbc). - */ - protected void testDefaultForAlgorithm( - String algorithm, - String expectedHash, - String expectedMgf, - String expectedMgfHash, - int expectedSaltLength, - int expectedTrailerField) throws Exception { - // An X509 encoded 2048-bit RSA public key. - String pubKey = - "30820122300d06092a864886f70d01010105000382010f003082010a02820101" - + "00bdf90898577911c71c4d9520c5f75108548e8dfd389afdbf9c997769b8594e" - + "7dc51c6a1b88d1670ec4bb03fa550ba6a13d02c430bfe88ae4e2075163017f4d" - + "8926ce2e46e068e88962f38112fc2dbd033e84e648d4a816c0f5bd89cadba0b4" - + "d6cac01832103061cbb704ebacd895def6cff9d988c5395f2169a6807207333d" - + "569150d7f569f7ebf4718ddbfa2cdbde4d82a9d5d8caeb467f71bfc0099b0625" - + "a59d2bad12e3ff48f2fd50867b89f5f876ce6c126ced25f28b1996ee21142235" - + "fb3aef9fe58d9e4ef6e4922711a3bbcd8adcfe868481fd1aa9c13e5c658f5172" - + "617204314665092b4d8dca1b05dc7f4ecd7578b61edeb949275be8751a5a1fab" - + "c30203010001"; - KeyFactory kf; - kf = KeyFactory.getInstance("RSA"); - X509EncodedKeySpec x509keySpec = new X509EncodedKeySpec(TestUtil.hexToBytes(pubKey)); - PublicKey key = kf.generatePublic(x509keySpec); - Signature verifier; - try { - verifier = Signature.getInstance(algorithm); - verifier.initVerify(key); - } catch (NoSuchAlgorithmException ex) { - System.out.println("Unsupported algorithm:" + algorithm); - return; - } - AlgorithmParameters params = verifier.getParameters(); - if (params == null) { - // No defaults are specified. This is a good choice since this avoid - // incompatible implementations. - return; - } - PSSParameterSpec pssParams = params.getParameterSpec(PSSParameterSpec.class); - assertEquals("digestAlgorithm", expectedHash, pssParams.getDigestAlgorithm()); - assertEquals("mgfAlgorithm", expectedMgf, pssParams.getMGFAlgorithm()); - assertEquals("saltLength", expectedSaltLength, pssParams.getSaltLength()); - assertEquals("trailerField", expectedTrailerField, pssParams.getTrailerField()); - if (expectedMgf.equals("MGF1")) { - MGF1ParameterSpec mgf1Params = (MGF1ParameterSpec) pssParams.getMGFParameters(); - assertEquals("mgf1 digestAlgorithm", expectedMgfHash, mgf1Params.getDigestAlgorithm()); - } - } - - /** - * Tests the default values for PSS parameters. - * - * <p>RSA-PSS has a number of parameters. RFC 8017 specifies the parameters as follows: - * - * <pre> - * RSASSA-PSS-params :: = SEQUENCE { - * hashAlgorithm [0] HashAlgorithm DEFAULT sha1, - * maskGenerationAlgorithm [1] MaskGenAlgorithm DEFAULT mgf1SHA1, - * saltLength [2] INTEGER DEFAULT 20, - * trailerField [3] TrailerField DEFAULT trailerFieldBC - * } - * </pre> - * - * <p>The algorithm name for RSA-PSS used in jdk11 is "RSASSA-PSS". Previously, the algorithm - * names for RSA-PSS were defined in the section "Signature Algorithms" of - * https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html - * I.e. the proposed standard names had the format <digest>with<encryption>and<mgf>, e.g., - * SHA256withRSAandMGF1. This name only specifies the hashAlgorithm and the mask generation - * algorithm, but not the hash used for the mask generation algorithm, the salt length and - * the trailerField. The missing parameters can be explicitly specified with and instance - * of PSSParameterSpec. The test below checks that distinct providers use the same default values - * when no PSSParameterSpec is given. - * - * <p>In particular, the test expects that the two hash algorithm (for message hashing and mgf) - * are the same. It expects that the saltLength is the same as the size of the message digest. - * It expects that the default for the trailerField is 1. These expectations are based on - * existing implementations. They differ from the ASN defaults in RFC 8017. - * - * <p>There is no test for defaults for the algorithm name "RSASSA-PSS". - * "RSASSA-PSS" does not specify any parameters. Using the default values from RFC 8017 - * (i.e. SHA-1 for both hashes) leads to potential weaknesses and hence is of course a bad - * choice. Other defaults lead to incompatibilities and hence isn't a reasonable choice either. - * jdk11 requires that the parameters are always specified. BouncyCastle however uses the SHA-1 - * default. The behaviour in jdk11 is preferable, since it requires that an implementor chooses - * PSSParameters explicitly, and does not default to weak behaviour. - */ - @Test - public void testDefaults() throws Exception { - testDefaultForAlgorithm("SHA1withRSAandMGF1", "SHA-1", "MGF1", "SHA-1", 20, 1); - testDefaultForAlgorithm("SHA224withRSAandMGF1", "SHA-224", "MGF1", "SHA-224", 28, 1); - testDefaultForAlgorithm("SHA256withRSAandMGF1", "SHA-256", "MGF1", "SHA-256", 32, 1); - testDefaultForAlgorithm("SHA384withRSAandMGF1", "SHA-384", "MGF1", "SHA-384", 48, 1); - testDefaultForAlgorithm("SHA512withRSAandMGF1", "SHA-512", "MGF1", "SHA-512", 64, 1); - testDefaultForAlgorithm( - "SHA512/224withRSAandMGF1", "SHA-512/224", "MGF1", "SHA-512/224", 28, 1); - testDefaultForAlgorithm( - "SHA512/256withRSAandMGF1", "SHA-512/256", "MGF1", "SHA-512/256", 32, 1); - testDefaultForAlgorithm("SHA3-224withRSAandMGF1", "SHA3-224", "MGF1", "SHA3-224", 28, 1); - testDefaultForAlgorithm("SHA3-256withRSAandMGF1", "SHA3-256", "MGF1", "SHA3-256", 32, 1); - testDefaultForAlgorithm("SHA3-384withRSAandMGF1", "SHA3-384", "MGF1", "SHA3-384", 48, 1); - testDefaultForAlgorithm("SHA3-512withRSAandMGF1", "SHA3-512", "MGF1", "SHA3-512", 64, 1); - } - - /** Convenience mehtod to get a String from a JsonObject */ - protected static String getString(JsonObject object, String name) throws Exception { - return object.get(name).getAsString(); - } - - /** Convenience method to get a byte array from a JsonObject */ - protected static byte[] getBytes(JsonObject object, String name) throws Exception { - return JsonUtil.asByteArray(object.get(name)); - } - - /** - * Returns the algorithm name for the RSA-PSS signature scheme. - * Oracle previously specified that algorithm names for RSA-PSS are strings like - * "SHA256WITHRSAandMGF1". - * See http://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html - * These algorithm names fail to specify the hash function for the MGF. A cleaner solution - * in jdk11 is to use the algorithm name "RSASSA-PSS" and specify the parameters separately. - * This function simply attempts to return an algorithm name that works. - * - * @param group A json dictionary containing a field "sha" with message digest (e.g. "SHA-256") - * and the a field "mgf" for the mask generation function (e.g. "MGF1"). - * @return the algorithm name - */ - protected static String getAlgorithmName(JsonObject group) throws Exception { - try { - Signature.getInstance("RSASSA-PSS"); - return "RSASSA-PSS"; - } catch (NoSuchAlgorithmException ex) { - // RSASSA-PSS is not known. Try the other option. - } - String md = getString(group, "sha"); - String mgf = getString(group, "mgf"); - if (md.equals("SHA-1")) { - md = "SHA1"; - } else if (md.equals("SHA-224")) { - md = "SHA224"; - } else if (md.equals("SHA-256")) { - md = "SHA256"; - } else if (md.equals("SHA-384")) { - md = "SHA384"; - } else if (md.equals("SHA-512")) { - md = "SHA512"; - } else if (md.equals("SHA-512/224")) { - md = "SHA512/224"; - } else if (md.equals("SHA-512/256")) { - md = "SHA512/256"; - } - return md + "WITHRSAand" + mgf; - } - - /** - * Get a PublicKey from a JsonObject. - * - * <p>object contains the key in multiple formats: "key" : elements of the public key "keyDer": - * the key in ASN encoding encoded hexadecimal "keyPem": the key in Pem format encoded hexadecimal - * The test can use the format that is most convenient. - */ - protected static PublicKey getPublicKey(JsonObject object, boolean pssParamsIncluded) - throws Exception { - KeyFactory kf; - if (pssParamsIncluded) { - kf = KeyFactory.getInstance("RSASSA-PSS"); - } else { - kf = KeyFactory.getInstance("RSA"); - } - byte[] encoded = TestUtil.hexToBytes(getString(object, "keyDer")); - X509EncodedKeySpec x509keySpec = new X509EncodedKeySpec(encoded); - return kf.generatePublic(x509keySpec); - } - - protected static PSSParameterSpec getPSSParams(JsonObject group) throws Exception { - String mgf = getString(group, "mgf"); - String mgfSha = getString(group, "mgfSha"); - int saltLen = group.get("sLen").getAsInt(); - return new PSSParameterSpec(mgfSha, mgf, new MGF1ParameterSpec(mgfSha), saltLen, 1); - } - - /** - * Tests the signature verification with test vectors in a given JSON file. - * - * <p> Example format for test vectors - * { - * "algorithm" : "RSASSA-PSS", - * "generatorVersion" : "0.4.12", - * "numberOfTests" : 37, - * "header" : [], - * "testGroups" : [ - * { - * "e" : "10001", - * "keyAsn" : "3082010a02820101...", - * "keyDer" : "30820122300d0609...", - * "keyPem" : "-----BEGIN PUBLIC KEY-----\n...", - * "keysize" : 2048, - * "mgf" : "MGF1", - * "mgfSha" : "SHA-256", - * "n" : "0a2b451a07d0aa5f...", - * "saltLen" : 20, - * "sha" : "SHA-256", - * "type" : "RSASigVer", - * "tests" : [ - * { - * "tcId" : 1, - * "comment" : "", - * "msg" : "313133343030", - * "sig" : "577dfef111ae9a39..." - * "result" : "valid", - * "flags" : [] - * }, - * ... - * - * @param filename the filename of the test vectors - * @param allowSkippingKeys if true then keys that cannot be constructed will not fail the test. - * This is for example used for files with test vectors that use elliptic curves that are not - * commonly supported. - * @param paramsIncluded if true then the enoding of the public key contains the PSS parameters. - * The algorithm parameters of PSS are defined in appendix A.2 of RFC 8017. One option is not - * to include the parameters and use { OID rsaEncryption PARAMETERS NULL } for the algorithm - * identifier. Another option is to include the parameters by using - * { OID id-RSASSA-PSS PARAMETERS RSASSA-PSS-params } as algorithm identifier. - * The second option requires that an RSAKey contains an AlgorithmParameterSpec. The - * AlgorithmParameterSpec is a recent addition made in jdk11. Hence many providers are - * currently not supporting this. - **/ - public void testRsaPss(String filename, boolean allowSkippingKeys, boolean paramsIncluded) - throws Exception { - // Testing with old test vectors may be a reason for a test failure. - // Generally mismatched version numbers are of little or no concern, since - // the test vector version change much more frequently than the format. - // - // Version numbers have the format major.minor[status]. - // Versions before 1.0 are experimental and use formats that are expected to change. - // Versions after 1.0 change the major number if the format changes and change - // the minor number if only the test vectors (but not the format) changes. - // Versions meant for distribution have no status. - final String expectedVersion = "0.6"; - JsonObject test = JsonUtil.getTestVectors(filename); - String generatorVersion = getString(test, "generatorVersion"); - if (!generatorVersion.equals(expectedVersion)) { - System.out.println( - "Expecting test vectors with version " - + expectedVersion - + " found vectors with version " - + generatorVersion); - } - int numTests = test.get("numberOfTests").getAsInt(); - int cntTests = 0; - int errors = 0; - int skippedKeys = 0; - int verifiedTests = 0; - Set<String> skippedAlgorithms = new HashSet<String>(); - for (JsonElement g : test.getAsJsonArray("testGroups")) { - JsonObject group = g.getAsJsonObject(); - String algorithm = getAlgorithmName(group); - PublicKey key = null; - Signature verifier = null; - try { - key = getPublicKey(group, paramsIncluded); - verifier = Signature.getInstance(algorithm); - if (!paramsIncluded) { - PSSParameterSpec pssParams = getPSSParams(group); - verifier.setParameter(pssParams); - } - } catch (GeneralSecurityException ex) { - if (allowSkippingKeys) { - skippedKeys++; - skippedAlgorithms.add(algorithm); - } else { - System.out.println("Failed to generate verifier for " + algorithm + ex); - errors++; - } - continue; - } - for (JsonElement t : group.getAsJsonArray("tests")) { - cntTests++; - JsonObject testcase = t.getAsJsonObject(); - byte[] message = getBytes(testcase, "msg"); - byte[] signature = getBytes(testcase, "sig"); - int tcid = testcase.get("tcId").getAsInt(); - String sig = TestUtil.bytesToHex(signature); - String result = getString(testcase, "result"); - verifier.initVerify(key); - verifier.update(message); - boolean verified = false; - Exception reason = null; - try { - verified = verifier.verify(signature); - } catch (SignatureException ex) { - // verify can throw SignatureExceptions if the signature is malformed. - // We don't flag these cases and simply consider the signature as invalid. - verified = false; - reason = ex; - } catch (Exception ex) { - // Other exceptions (i.e. unchecked exceptions) are considered as error - // since a third party should never be able to cause such exceptions. - System.out.println( - "Signature verification throws " - + ex.toString() - + " " - + filename - + " tcId:" - + tcid - + " sig:" - + sig); - verified = false; - errors++; - } - if (!verified && result.equals("valid")) { - String comment = ""; - if (reason != null) { - comment = " exception:" + reason; - } - System.out.println( - "Valid signature not verified. " - + filename - + " tcId:" - + tcid - + " sig:" - + sig - + comment); - errors++; - } else if (verified && result.equals("invalid")) { - System.out.println( - "Invalid signature verified. " - + filename - + " tcId:" - + tcid - + " sig:" - + sig); - errors++; - } else if (verified) { - verifiedTests++; - } - } - } - - // Prints some information if tests were skipped. This avoids giving - // the impression that algorithms are supported. - if (skippedKeys > 0 || verifiedTests == 0) { - System.out.println( - "File:" - + filename - + " number of skipped keys:" - + skippedKeys - + " verified signatures:" - + verifiedTests); - for (String s : skippedAlgorithms) { - System.out.println("Skipped algorithms " + s); - } - } - - assertEquals(0, errors); - if (skippedKeys == 0) { - assertEquals(numTests, cntTests); - } else { - assertTrue(allowSkippingKeys); - } - } - - @Test - public void testRsaPss2048Sha256() throws Exception { - testRsaPss("rsa_pss_2048_sha256_mgf1_32_test.json", true, false); - } - - @NoPresubmitTest( - providers = {ProviderType.BOUNCY_CASTLE}, - bugs = {"b/111634359"} - ) - @Test - public void testRsaPss3072Sha256() throws Exception { - testRsaPss("rsa_pss_3072_sha256_mgf1_32_test.json", true, false); - } - - @Test - public void testRsaPss4096Sha256() throws Exception { - testRsaPss("rsa_pss_4096_sha256_mgf1_32_test.json", true, false); - } - - @Test - public void testRsaPss4096Sha512() throws Exception { - testRsaPss("rsa_pss_4096_sha512_mgf1_32_test.json", true, false); - } - - @Test - public void testRsaPss2048Sha256NoSalt() throws Exception { - testRsaPss("rsa_pss_2048_sha256_mgf1_0_test.json", true, false); - } - - @Test - public void testRsaPss2048Sha512_224() throws Exception { - testRsaPss("rsa_pss_2048_sha512_256_mgf1_28_test.json", true, false); - } - - @Test - public void testRsaPss2048Sha512_256() throws Exception { - testRsaPss("rsa_pss_2048_sha512_256_mgf1_32_test.json", true, false); - } - - // BouncyCastle and Conscrypt do not support RSA-PSS Parameters in the - // encoding of the key. jdk11 should support this, but as long as - // testEncodeDecodePublic fails it makes no sense to try this test. - /* - @ExcludedTest( - providers = {ProviderType.BOUNCY_CASTLE, ProviderType.CONSCRYPT}, - comment = "RSA-PSS parameters in RSAKeys is added in jdk11" - ) - @NoPresubmitTest( - providers = {ProviderType.OPENJDK}, - bugs={"jdk can't read the keys"} - ) - @Test - public void testRsaPss2048Sha256WithParams() throws Exception { - testRsaPss("rsa_pss_2048_sha256_mgf1_32_params_test.json", false, true); - } - */ -} - diff --git a/keystore-cts/java/com/google/security/wycheproof/testcases/RsaSignatureTest.java b/keystore-cts/java/com/google/security/wycheproof/testcases/RsaSignatureTest.java deleted file mode 100644 index 32ea493..0000000 --- a/keystore-cts/java/com/google/security/wycheproof/testcases/RsaSignatureTest.java +++ /dev/null @@ -1,1323 +0,0 @@ -/** - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package com.google.security.wycheproof; - -import static org.junit.Assert.assertEquals; -import static org.junit.Assert.assertTrue; -import static org.junit.Assert.fail; - -import java.math.BigInteger; -import java.security.KeyFactory; -import java.security.KeyPair; -import java.security.KeyPairGenerator; -import java.security.MessageDigest; -import java.security.PrivateKey; -import java.security.PublicKey; -import java.security.Signature; -import java.security.SignatureException; -import java.security.interfaces.RSAPrivateKey; -import java.security.interfaces.RSAPublicKey; -import java.security.spec.InvalidKeySpecException; -import java.security.spec.RSAPrivateCrtKeySpec; -import java.security.spec.RSAPublicKeySpec; -import org.junit.Test; -import org.junit.runner.RunWith; -import org.junit.runners.JUnit4; - -/** Tests PKCS #1 v 1.5 signatures */ -// TODO(bleichen): -// - document stuff -// - Join other RSA tests -@RunWith(JUnit4.class) -public class RsaSignatureTest { - static final RSAPublicKeySpec RSA_KEY1 = - new RSAPublicKeySpec( - new BigInteger( - "ab9014dc47d44b6d260fc1fef9ab022042fd9566e9d7b60c54100cb6e1d4edc9" - + "8590467d0502c17fce69d00ac5efb40b2cb167d8a44ab93d73c4d0f109fb5a26" - + "c2f8823236ff517cf84412e173679cfae42e043b6fec81f9d984b562517e6feb" - + "e1f72295dbc3fdfc19d3240aa75515563f31dad83563f3a315acf9a0b351a23f", - 16), - new BigInteger("65537")); - static final String ALGORITHM_KEY1 = "SHA256WithRSA"; - - /** - * Test signatures for RSA_KEY1 and MESSAGE = "Test". The first signature is valid. All other - * signatures are invalid. The signatures were generated by modifying the PKCS #1 padding in - * various ways. I.e. while the generation of the false signature did require the private RSA key, - * failing the test often is a sign that signatures can be forged. Such forgeries are much too - * frequent. The following list is just an incomplete selection of past vulnerabilities: - * - * <ul> - * <li>CVE-2006-4339: OpenSSL before 0.9.7 was vulnerable to signature forgeries. After the - * hasty patch OpenSSL still accepted at least 2^800 false 2048-bit signatures for each - * valid one. Even though unclear whether this was exploitable it was only fixed around - * 2014. - * <li>CVE-2006-4340: Mozilla NSS before 3.11.3. - * <li>CVE-2006-4790: GnuTLS before version 1.4.4. - * <li>CVE-2012-2388: StrongSwan - * <li>CVE-2016-1494: Python-RSA before version 3.3 failed to correclty verify RSA signatures. - * <li>BouncyCastle was vulnerable at least until version 1.47. The bug was silently fixed - * around 2012. - * <li>Berserk: http://www.intelsecurity.com/advanced-threat-research/berserk.html - * <li>Truncated comparison of hashes e.g.: http://wiibrew.org/wiki/Signing_bug - * <li>CVE-2016-5547: OpenJDK8 RSA signature's throws an OutOfMemoryError for some invalid - * signatures - * </ul> - */ - static final String[] SIGNATURES_KEY1 = { - // Message:Test - // Digest:sha256 - // Key size:1024 - - // Correct signature - // padding:3031300d060960864801650304020105000420532eaabd9574880dbf76b9b8cc00832c20a6ec113d68 - // 2299550d7a6e0f345e25 - "68ea71ee1911687eb54b3d19cedcfd44719d0b24accccc59bdafd84e4eba48ef" - + "0be7f115e7073f9f273286a7dcee3b94cdbe208e30ae496987479d3aa12ab0e1" - + "2685ab592d7693a494e6ad27d526ed3ab5912c7f81e09983931794c2165c22fd" - + "859e0f9af1a93a4dfe144098c562731e6059d236b52cb865996c87a9baf7f103", - - // long form encoding of length - // padding:308131300d060960864801650304020105000420532eaabd9574880dbf76b9b8cc00832c20a6ec113d - // 682299550d7a6e0f345e25 - "52f46d508e31f030b17c537888585f919037562e15f1924543601a41f9b701ee" - + "416ad73d6576b4eaaa64e685289dc478751dfe2d7e588252bfe2d43f4b3a31c6" - + "c6c39a9df884a2fc2e45f09c2150a830974b1c9d26090830b37bf06f1d57be1d" - + "a34ebb016e9db7ce2c34e94872c89567ff6f2ab35a1a9fb6632e100c7d7af834", - // padding:303230810d060960864801650304020105000420532eaabd9574880dbf76b9b8cc00832c20a6ec113d - // 682299550d7a6e0f345e25 - "3f34017b3172aaeec72d208308e9b83150699f86634b948847eab56f0169fef5" - + "1b5636a96866f4f0f4c649400489e047803a91f2b2f32ab715065e20770c4e27" - + "88946b85aca5c90efdd6a9458dd9b6f797f96a3de88d2e4896afe147d8c03899" - + "43828100061903a30eaff1dadd98d3e49dba56cdcfa5f215d9c615f974f4a0bc", - // padding:3032300e06810960864801650304020105000420532eaabd9574880dbf76b9b8cc00832c20a6ec113d - // 682299550d7a6e0f345e25 - "1478337676aa47ca72ea7557facff06f6c777f56063f4487d345e43dc56a6bc5" - + "f8a891085d53a32c9d1c3cf7f469e7f56847b0b1b9b5b784526078271f21d055" - + "0afc40f81e2b8e8dec851d87511cace965edceb83cb96c8d6616e1ee75bb22c5" - + "4412fc942a6f71c9fc609a31a69d34b774a97c1ba4f85cca28d9993db8543f75", - // padding:3032300e06096086480165030402010581000420532eaabd9574880dbf76b9b8cc00832c20a6ec113d - // 682299550d7a6e0f345e25 - "77ba423e600bdd761ed10e7c00698a87fe1322f5f42b2902a0be7a24b1cf44f6" - + "13fa55edeb2ded0475f8e1a13e5368f9a2bfc4f2f926ef289a2207bf3689fc1c" - + "8ec3e5463064a7f51bbc993966cc4016319b7c95f282372f1ff848d7fca753a8" - + "1d905b3341b0fbf60ba186e750f3171cfc84288eff8742bda432bd6c8dc04f9f", - // padding:3032300d06096086480165030402010500048120532eaabd9574880dbf76b9b8cc00832c20a6ec113d - // 682299550d7a6e0f345e25 - "9460ee79bb990bc3fe28cfca92363e6ff6900e3b61b3a402f06024a72b7a65d6" - + "2094b4419e93900995eb121327f72b26b139bab3e5e2bd0c82e0cf6357f3b16f" - + "1c1dd4407a9a820f20e3baaa2259614d9ee3e015e1c1778befa13aff1e545ea1" - + "758cba4713631d63180a91b52df394294441642964a024f45b2251c90e002ec0", - - // length contains leading 0 - // padding:30820031300d060960864801650304020105000420532eaabd9574880dbf76b9b8cc00832c20a6ec11 - // 3d682299550d7a6e0f345e25 - "96ac043d3cada45aed0dbdc4662dcf7855553a5effa1077048b51c7e9bfff7c2" - + "bb3486ea42894d4b4afb26a3b3bd32cb68d5c4d8ca2622f50d8c56fdc25baf83" - + "b9909ecb096419ddc13578dcc8121007f7204ee82c517ae03de70fa23ef23906" - + "02029a0cbc8a96c5b781d857dbf12802aa561f5f41ea35aa0babb91b9f891762", - // padding:30333082000d060960864801650304020105000420532eaabd9574880dbf76b9b8cc00832c20a6ec11 - // 3d682299550d7a6e0f345e25 - "2a70643572a7cda975d9e2c0827837e60eaa78c297b1ff75b84f654a91fe3329" - + "4ccbeda52676ece50fcc03018151e66c24940bd0574ab85a6599231d587f4a6e" - + "0ae841cb6696e7dcfd182cb75001304e36887bc4fe3b373828f8b0e62ac2300a" - + "626c9e6a2cd05bb7910e74da2978dae1948f855b3b455cd30367160e21581cab", - // padding:3033300f0682000960864801650304020105000420532eaabd9574880dbf76b9b8cc00832c20a6ec11 - // 3d682299550d7a6e0f345e25 - "27778e39b45dee1e7003f1d315d3466fc111791187ddc056784c158df92097e1" - + "23021e11918b6df8d905304db732e83d904bc914271b03def4ee129c3fc8adcc" - + "4f81b690e09e70e46c8b920093f304e64ecb7358740e976d28538a9eecf09ec1" - + "e1cd47df9107968207b21538cabe076bcc07c3862c46a793fcf638c70a972885", - // padding:3033300f0609608648016503040201058200000420532eaabd9574880dbf76b9b8cc00832c20a6ec11 - // 3d682299550d7a6e0f345e25 - "3a879e9f883b158908014f3617cae3315d47afdadd30840494f68d91c04dfe81" - + "bd16a40c7d21238cd1816928d989a232a3492325ab0f95d4426e3fb7d58c9908" - + "191dc557d8779dabb282287b7860c30e0796283428e0276447235809882ee990" - + "deb0f4312c01e7ddf0690406eeacb660acc6957bb670904cfd8d04df5e3ebda2", - // padding:3033300d0609608648016503040201050004820020532eaabd9574880dbf76b9b8cc00832c20a6ec11 - // 3d682299550d7a6e0f345e25 - "2b82155f363a3b283ae455f59e41c29dec2fbd8c7438b0e347aec5b38c7c895c" - + "b7d326870e4fbdb935fcbb561f223bd926dbe8b95ef5eaab27920dbe30c641e9" - + "9f526a9bc356af54198b459b59383135a82cd5b6edab7da0b1a51d939b2f9951" - + "e1432d637c4f04a3546ed9c890143ae364602b94eabdaa2a45e4bdf0b5bdfa71", - - // wrong length - // padding:3032300d060960864801650304020105000420532eaabd9574880dbf76b9b8cc00832c20a6ec113d68 - // 2299550d7a6e0f345e25 - "1dda56dc953aeee7fd76ae7166d92ab9e3d1d9759e76f8f1d7634a73cbf69e39" - + "d8249153d7c2d83c9664db13552f0c78df34b8a67e7b6c10bcc61b5ead7ba62c" - + "e0ec7ba8ac78d146f7e4cadee6f6250e0bc3100660e7afbe3afa17fa288d9754" - + "9b4c8cacc00ac5c942673485739f89c9e5e63ad2be97a8f2313f5c5b095e7542", - // padding:3030300d060960864801650304020105000420532eaabd9574880dbf76b9b8cc00832c20a6ec113d68 - // 2299550d7a6e0f345e25 - "692c143b82196a391a3546607336e6f3bc047412645cf0def0d62d1b42234c14" - + "da138bb7f451b45073bbda2aba23412e83bc40d4e7de3e0684f2cad7d059f2d6" - + "831aa3d2ece4964ca75cd41dce23c5ba495c15345b36947b4b5a051fe1b84e14" - + "8b5ae21f112d2245b1acbaeef9dc4a0c408829b9d2b1b5ab1d3a40af0a27b99e", - // padding:3031300e060960864801650304020105000420532eaabd9574880dbf76b9b8cc00832c20a6ec113d68 - // 2299550d7a6e0f345e25 - "66c31a45b2287425a20f65c3eba9cc58c370882f5fc62921935491fbd516df9b" - + "af9b28304a21d9008b61a92779ecfb3b0c03f6d74354f5159956e3fc1d35bd73" - + "76289378f05d7a71e05ab32794f2566a54635e8dc64740acbe10a293ceddbebe" - + "8499b520f406023a134eb9927ebb788b92488f036d109ec0a40ac52372e847b3", - // padding:3031300c060960864801650304020105000420532eaabd9574880dbf76b9b8cc00832c20a6ec113d68 - // 2299550d7a6e0f345e25 - "7b85536bdcda4ad3fc40129f2ff9dc85d9ec049913784064e735868664044627" - + "8a2006d93fb33429407597e5d8c783e3f7aee8a7791d69139f3c802a6547f01b" - + "f987415eec2447b0e8c4f3aee7ae2085d141fa34ca6634bc109dede93285d5c4" - + "0cfcd98bd47ceb9cc1890dfff53b7ebb8038533580c7a67fe14c0c422e20cd64", - // padding:3031300d060a60864801650304020105000420532eaabd9574880dbf76b9b8cc00832c20a6ec113d68 - // 2299550d7a6e0f345e25 - "5d77fba3cbb1905d83aa532fcc3227a95d7931bf0c2ab51f8118824de9dc029b" - + "d2470adf48b41c694ec7359d00a1336990c30ee368dd40bd681ba74794415d39" - + "97e7a756659397bf6abd44ca91c12a8580a3f5d1cdbc7f3be0c23c72334ce9b1" - + "419e6540dab73f5ff8ab57d0bbbe92b688bd3495f9344822b622042c2491bc41", - // padding:3031300d060860864801650304020105000420532eaabd9574880dbf76b9b8cc00832c20a6ec113d68 - // 2299550d7a6e0f345e25 - "7b5476fb78f389d1131764e7a13322f86008924c8c098f6d74f2df4dcc5a504c" - + "d786b3eaae33295cd1e87a2bbd1a06cb385674d465110a9a990d52de9a67f1c1" - + "3ecaaa86383d489423c084fae9ecd2e9b109f4f04b8c013e3409128f3a079c06" - + "8c1ad27bc2a20e76ad149325b7b0f0bd804a4e33949a98aac49076260702b0b0", - // padding:3031300d060960864801650304020105010420532eaabd9574880dbf76b9b8cc00832c20a6ec113d68 - // 2299550d7a6e0f345e25 - "6034e1253e4860a29096e392076794cfcea166a30b340cc09f77baa5952c06d1" - + "48bd89b750c3112930ef210a50a7d3f6569da89912b5e50e824116e73a155369" - + "58f75779506d07e67ec9c0cd8de4b51dfbb0fe56926feed18ffbd83b0cdd50d5" - + "6326c54adf97e629378ae5f0f02fcda3da1aa98cb1d1990946edec711a85a0d8", - // padding:3031300d060960864801650304020105000421532eaabd9574880dbf76b9b8cc00832c20a6ec113d68 - // 2299550d7a6e0f345e25 - "a44cd265e1ecea83fc74e9eef746ef173277cc96f69a1798590ddee7ce5b5c34" - + "a82ad58a5c042db19005e04eec4159900ea764c0d008c52b94577d1c438661fb" - + "767902d9d1bbd6a90bdc4df685ec5951eac81d8b4dd36bceef7b6f919e85b6c9" - + "94c7cf22a804f15cebe63b77f47b3bc2c2aaa68c6362c27a574b849efafe72e9", - // padding:3031300d06096086480165030402010500041f532eaabd9574880dbf76b9b8cc00832c20a6ec113d68 - // 2299550d7a6e0f345e25 - "a160aa43f4873cada34bea5ccd2be9dce07940ee1c08eaad524a5019993bc753" - + "ce92cccada706b483f106ff20b327b35e7c83955ad3bbff3f26ced3489877d1b" - + "5bf285d61afcb30219c02a440da61030e301aadb901a525345d1a651a21c31a6" - + "2ac9fb71738c3e215a8941ca9a3c4910679c5e774530c28788f6eddd7a31c024", - - // uint32 overflow in length - // padding:30850100000031300d060960864801650304020105000420532eaabd9574880dbf76b9b8cc00832c20 - // a6ec113d682299550d7a6e0f345e25 - "1369c78f816a9baf027e255de0c258125be90f35b8daafee87f2ffef2d465e06" - + "94af4401cc5cdc7ca78b08d5688ceefbddc02abc5495d47c6829d696f8370ea4" - + "27e7e0225eaf22cda720bbb5881edd16b19bbf2ca86654c65b4ad481c13fb38a" - + "f00d77922f46b311f936c51f4610f6bdb514b366aa05f029c1e63e3cfcf9763d", - // padding:30363085010000000d060960864801650304020105000420532eaabd9574880dbf76b9b8cc00832c20 - // a6ec113d682299550d7a6e0f345e25 - "41d4c1ea43cb207af8bfc1552e31da7ca5744b68c4e00c3bf55f4edd4c81e91c" - + "01f44fa05290dbaa1fdcdcc775f6032a049b4965345c16aac6994b06cda9e038" - + "7dbff96cdb115e014f69bb057faca2f618c70a31edd0beaef7acdcc0fb7c83b2" - + "f07a8b9de48aa04b7c973920af5b8dc20aac343251ddf4c2277985c3db1dac2f", - // padding:303630120685010000000960864801650304020105000420532eaabd9574880dbf76b9b8cc00832c20 - // a6ec113d682299550d7a6e0f345e25 - "76bae6c330b9ab33aa9f2abe8559c51fb95f953a75e48053ab99078069214b50" - + "9dd1b5080ac6819e32912619372d71a9ff1a67449dd699e5bc6ec0e18d1893df" - + "b5bd571d933926d05b0d9fd7036ba4556e209369d1c57ec49cd9075e583c257c" - + "6fd4899c2a8bbb157547812cc692f264bf54712c71ee090b974d99b4d1629696", - // padding:303630120609608648016503040201058501000000000420532eaabd9574880dbf76b9b8cc00832c20 - // a6ec113d682299550d7a6e0f345e25 - "3480a5c22f092f259b5bc4fdb9a33c044c24a645b57d61920effde1dc0bbfe53" - + "738023f16025841f9323b40f72c11091941bbdfaf7c2fbf77ad6626dbd6a3b7a" - + "bb3ee916d96a922b11c86ce80ee67dec619bb98e9246d35a33b11b3a4e2a3a13" - + "0e8b57ed4bcdd4b4e73aec3f9e3d50d3db5e29cffeb186846c72d09468d018ed", - // padding:3036300d0609608648016503040201050004850100000020532eaabd9574880dbf76b9b8cc00832c20 - // a6ec113d682299550d7a6e0f345e25 - "5b3d3a198d4b36c6d9641db181fff59407a25bf1571f85e47bad1eaf13807987" - + "2b93b9eb51aae09b48d6f4ef56badd96a6584277d8f3c6e4a4e11275f72021b5" - + "0a1665ddaaa56a2a7caa7da6b4d502c5214e17042811154d411dd2197c250264" - + "bb69ba43adf668d4f7b81d932afa55e378214bb19ddeb431f702a91dd11e23bb", - - // uint64 overflow in length - // padding:3089010000000000000031300d060960864801650304020105000420532eaabd9574880dbf76b9b8cc - // 00832c20a6ec113d682299550d7a6e0f345e25 - "1cc5577d04e34550e7f3d136064547efa30b9413e2c423b5a320eaaaf11cbebb" - + "91e13bbe3874e4650e057a8e38c8a366c473f35e0de82b22f846721a09e3f279" - + "ebdf54c8df395a9041333f09cb7bed5291bc1842857c4ce6ad5a1c2c476c1efd" - + "dd5fe42824c25e0581aa7bb8f621d3b53566637c6266bb1bd0a5b7fb79c72616", - // padding:303a308901000000000000000d060960864801650304020105000420532eaabd9574880dbf76b9b8cc - // 00832c20a6ec113d682299550d7a6e0f345e25 - "6e56d1746105344b34fb8299d173f4a5032cbce3556ca9d1eee35f8b31818efc" - + "121a1a9599c24fef8531243016dd6288d67b4bf9fdbf2c90fba5b1661be03531" - + "b5e15385ea465d1376010f0af761e8fb1afff7823dcef8dc100d97c192e9a7d0" - + "3c82321d83fd8ecf67207c65cf182e1104ec5669536070cf1e3fe73c5e27edeb", - // padding:303a3016068901000000000000000960864801650304020105000420532eaabd9574880dbf76b9b8cc - // 00832c20a6ec113d682299550d7a6e0f345e25 - "37a413f9202591b8860cd9d68515ab522ae800e9a71793b479f1fb74ab8c9b07" - + "e72fe82dabe1189d028b813610e5e57c055af2d32837551fdb0cd93d7669a3c0" - + "2a14c460f4c92136a4d11cfb7dcc76401bb5b699fbc64d302736d68c3591ecd5" - + "9220107cd63f55c83edd38c4568e6f7749c0d9baebfb7c8ae1bf2179101745a9", - // padding:303a3016060960864801650304020105890100000000000000000420532eaabd9574880dbf76b9b8cc - // 00832c20a6ec113d682299550d7a6e0f345e25 - "9fa8aac224bb50697103d457e7fc870853b23670ee5b8c7395d68ed82b30db18" - + "ae34a569abdcdf19238ffca8f5e435327dbe605bdc1a6dd3eaa3c2beb33f0064" - + "2984a2034bf3b3e8de3ec7009e35069d5b27253c4aadcb4f163148e157252e3b" - + "9334abb6cf0299161c12908529f52de9416ec6218af7a6963fcc987c5024ea71", - // padding:303a300d060960864801650304020105000489010000000000000020532eaabd9574880dbf76b9b8cc - // 00832c20a6ec113d682299550d7a6e0f345e25 - "0f50bc6b1b94aeb6805dee51c92860693de47c4925ab90b57a46e0485a9afeed" - + "45083eade73bee684cd07048e632d1dd24aa2efc42c1f85e4fd7b7058dbeafb5" - + "3a3d5b1cb1e7dded3352c3c92ded891839263a501afaa78fedfd04546c43d16f" - + "7a52b800abc9ab1ef827ae0eb19d9b52def2435f1477a48dff61800b4db830e4", - - // length = 2**31 - 1 - // padding:30847fffffff300d060960864801650304020105000420532eaabd9574880dbf76b9b8cc00832c20a6 - // ec113d682299550d7a6e0f345e25 - "9dcc651cc0a1b4d406112c0d1ebd7a9fb5a2c9d9f9cffbeab2d2821e5ed01efa" - + "9d191665794649bd1f588b729e8fba1eaa37a5a736a5863973c338a92b2665d6" - + "ead13b72a19d2da778febb94b150e8d750340a3b856fca8b3b6e3cbfecb9c397" - + "c23f46912ba546ab0f64ed88404ce317f8fb2278b68950e9712d6b11f5cdfcaa", - // padding:303530847fffffff060960864801650304020105000420532eaabd9574880dbf76b9b8cc00832c20a6 - // ec113d682299550d7a6e0f345e25 - "0397d14205c2f52423ef69c874294dc2b37d5be5d5647f7e83f1dd6783cb41cc" - + "e52e6de1dc8c9e93ca1ef887d4c0ea79cd8b26391d638bbd8080bce830bf1bd7" - + "fb1de31346f28d609874fafd4a34fb7bee900441f55589ec3c5e190106d8816c" - + "adfcfb445834739cafaaa3903ed93cedc41a76aa0ce18fb49a3a73b7b5928735", - // padding:3035301106847fffffff60864801650304020105000420532eaabd9574880dbf76b9b8cc00832c20a6 - // ec113d682299550d7a6e0f345e25 - "2c3ffd881c1c0ce2e4c98282d6011179a89b1e84b17072bcbbb64164e5e05410" - + "d0414a1fdbbc04564f3d80f3891f28c3f02e92bf97b4339b5bd4699614e236d4" - + "223cef0688c44b297eb9c0e22246b4cb28983b102a446dc76671206c3b77af68" - + "97f2f445512abda37bc9c37257dd4f1c6f0e6ec40929eb6b0058682b9d2f6c66", - // padding:30353011060960864801650304020105847fffffff0420532eaabd9574880dbf76b9b8cc00832c20a6 - // ec113d682299550d7a6e0f345e25 - "668bd06eafe953fca6a17b0da0f9006ceadb09ad904786b7530148df7eedc146" - + "d20a5472c39677d65e59934c00227fb662b3474596e6072f56d2c00c3d31e66f" - + "0da85f4670e75c3f2c910c0fec8c98bc31fb2eceff80350b78aec0d316e9bbb3" - + "31544d8a3d0b1649291396c717e350bebba3d3c3a0b1d55f010879b8c7b7d4f9", - // padding:3035300d0609608648016503040201050004847fffffff532eaabd9574880dbf76b9b8cc00832c20a6 - // ec113d682299550d7a6e0f345e25 - "87482257ae1d18d0357428b756ae35a48549536a3439ca3c148eee64f4c096d8" - + "96219097d55c14a25eb1490779f6b1471aed238cc0d6aaf265c12ac086d04de9" - + "b79a37518056dfacc12cb4916c17505fc7e2e6c1e0db720a286ea65bde4d3da1" - + "d2dcb8d0276e8ce73f3f923209149955285c602572cfd24c82e8d96d45f569e6", - - // length = 2**32 - 1 - // padding:3084ffffffff300d060960864801650304020105000420532eaabd9574880dbf76b9b8cc00832c20a6 - // ec113d682299550d7a6e0f345e25 - "03aadd447f36952dfe73ae89e5c656b7d37ec92535e547cca62a7747f3831f2f" - + "613c7dc094f3d5c4c6b9e02b21ed4626930ef3948b42ed41f4cf468d2474acad" - + "f1c75599c5619e4872e6d3dfd93abe92234165135ed265e0c0f64fddf23e50c1" - + "f9fdcede8778a8ca008ab00f8afa887da3f4699df9f1140953232f36d035b03f", - // padding:30353084ffffffff060960864801650304020105000420532eaabd9574880dbf76b9b8cc00832c20a6 - // ec113d682299550d7a6e0f345e25 - "31afd9a0d827755352b16de04de42e98a8c72f08919ed475530a00c762b8a03b" - + "de22634dd856a7eede4b4947d780cb3efe55775e16d7f46f209dbcb5569b2d94" - + "69cc271aa850f74960f7c741928055925349821e32e1e0fe5a040010a39a4b6a" - + "343f7f35c204106b3617e528a99dcaea8a93766adcfe7be31cdb98f7f7f14669", - // padding:303530110684ffffffff60864801650304020105000420532eaabd9574880dbf76b9b8cc00832c20a6 - // ec113d682299550d7a6e0f345e25 - "16ac0aa2d727ef5fbf0305259ee6fa40827c92419f819673fd64cc2dc2dbfe7c" - + "e1cfcf06e26d45f59cb3d9afd30d7a6265863fe856e0a0b1b9508b1e7a2dfb0f" - + "87f5ebfc444bbdae504abde7daa33bffb991551940df682c8e2c45edef0563b3" - + "4d4f11e1955e83c2145ee321165517d1532abd64dc613a280fc30670bba1f898", - // padding:3035301106096086480165030402010584ffffffff0420532eaabd9574880dbf76b9b8cc00832c20a6 - // ec113d682299550d7a6e0f345e25 - "0fe0c75dae62462e66e7277b03c9113727419f7d4db7b2a567c0c189fb6328e1" - + "f73d5d44e2196b436f4c2f0f12950d419774c8a51c55f9b2217f904c4f03d5f5" - + "754174719dfb85f62795ef75e6d54e703bf231fd8472250f529f85294f29f6c5" - + "653ef585079c3b3d8f931da80a46c8afeef37696fb0e7986d413bb1996b8ad57", - // padding:3035300d060960864801650304020105000484ffffffff532eaabd9574880dbf76b9b8cc00832c20a6 - // ec113d682299550d7a6e0f345e25 - "9ef993e6ccf015b0b0de75b51213a1c3efcaf66bf83655287484ef28d9848062" - + "26a7af1704fa6a7fc02984b44449f83ae24761021e49ba6117505c1e609406b0" - + "02215de27d696643c3354fb48e6c64e7300944edaeb96e4872275f75532f5aab" - + "94358d4954522fc7903439e99223d8124e79a3f519050b6b576b77d5abe7c3e3", - - // length = 2**64 - 1 - // padding:3088ffffffffffffffff300d060960864801650304020105000420532eaabd9574880dbf76b9b8cc00 - // 832c20a6ec113d682299550d7a6e0f345e25 - "97c602416f2131d34f2a57acecf26365a30c12f77e5beac095533848ce227302" - + "092c6f44b47f011d6eb0a91f8024d1935d8bb274c42b57875115a94281fd3cb1" - + "98f9334758d3200c1c721f6babef332c02a89968a7089f7783993bdd54f809f8" - + "372437798d2364040c1faabfb00faabf28cd6ae4ffea29ae2c08a6a7e6074700", - // padding:30393088ffffffffffffffff060960864801650304020105000420532eaabd9574880dbf76b9b8cc00 - // 832c20a6ec113d682299550d7a6e0f345e25 - "2a970dc291a1dc935cca6985dda703bcc1ece2e40817ce8fa79b6e8fe84e1136" - + "86e6e65570d46bf22147bcbc389cb5f86f92dc185f556d15e7614cef119fcd73" - + "05a31fd2f8710812f35f9f0bd8a1a6e5be3163de644370c67181b7575635dfb9" - + "f717f78631d62db714b2a19cea7079ff13c8926ae0c601e4befb6541b02a7e20", - // padding:303930150688ffffffffffffffff60864801650304020105000420532eaabd9574880dbf76b9b8cc00 - // 832c20a6ec113d682299550d7a6e0f345e25 - "6e16d110235cd11e32b114ca9dac0cd6a1b041a6d2c61941d49bb458241281f6" - + "2a4e2b1bf3cebc3e67e8c062ec67a51a599a553b09732e23e1d09fb2b20be7fd" - + "311a7122414d535651718a1421d4239276c227b96506729a09e3ff2779dd1c79" - + "de4d402623039b826e2bb4d26d1b56775fce14ed0203a9ebd8f042d981705a77", - // padding:3039301506096086480165030402010588ffffffffffffffff0420532eaabd9574880dbf76b9b8cc00 - // 832c20a6ec113d682299550d7a6e0f345e25 - "0716d252488e08f10a25cec94714e6105bd4e13ff019431190864cb0f4378d31" - + "5f4bd0fdf186e1f2d45a6e97eb04fb2013273e178ce4f82a0b67bf9d021b1d8a" - + "b73d753adf2073ee1ad6190b2163139db63778a3670b7cce23f45efb601bd596" - + "44a431cbe534ecdf4c4c58ed02ed03863ee32d296b5736c010305fec655b1a44", - // padding:3039300d060960864801650304020105000488ffffffffffffffff532eaabd9574880dbf76b9b8cc00 - // 832c20a6ec113d682299550d7a6e0f345e25 - "03e52a2ed638bfb9184a0ee3698502af3a19bb959a984957de5101e6f7a62ccc" - + "c2ec2a6293fa9d76fabf3ce7e4bf35c65a5f864bc003686a1e05b57c5af6ad58" - + "8e05a5225479422d7b78c5bedddaec7f4b8c1e9ab7478c1ee253847324e02543" - + "4b76a01b82a40123ab31ec9862c6016885dc6cbfe97801503369fd3688bdaaf8", - - // removing sequence - // padding: - "5df1c4a701c6fc1f2daf6f4538f29c3452667424c05edcbdaba4a1678c8b5bc0" - + "e89656a0e48aef46642e0bb597813688904e9d74cbd377a3d9d2c965bd3ed06f" - + "136f10367ea3eecf89a97508389448a31ae0e79ed3725d0c4e99a516daa41164" - + "79bc53da5d7c2f26c7ec6310d4cb4174bb781405630a9b1c147b0e1da3a7faf9", - // padding:30220420532eaabd9574880dbf76b9b8cc00832c20a6ec113d682299550d7a6e0f345e25 - "3e43837b92ebe4df08586fced3dce46aeb2fdb6ec2bd0c58e823f6e6363b9b67" - + "6786929d13ede60a8d8d0daaf71f0de8880ed0fdac8706eb2f324394145818b6" - + "41d1049cc7552bc6273d86e901099c78297381faec5c518fb6de429700f3bbfe" - + "f76cdecbb60088b9f2a77d75b8ff86f06cf23850e3183a267c0ea34f4f839015", - - // appending 0's to sequence - // padding:3033300d060960864801650304020105000420532eaabd9574880dbf76b9b8cc00832c20a6ec113d68 - // 2299550d7a6e0f345e250000 - "26d20fecdcf0b7d6a0472754aecbe115c39d580ce9d78b67d1a6395aa6ce6689" - + "bf6d0d96545341fbf04956a48c47f7d30bda017acb1d8e24ce596aacd3e05b1a" - + "fa571d19f5316142557f765e4c5d080bc5336b79e2c02d8833d076ac9d7794ff" - + "be85c66d0db97e1f5bd2ecb46afb15c19a8fe083fa593420e996a483c2a3a766", - // padding:3033300f0609608648016503040201050000000420532eaabd9574880dbf76b9b8cc00832c20a6ec11 - // 3d682299550d7a6e0f345e25 - "1163082ba8d48352df7eab96a0067539faff24374a630aa4393461a0aac71660" - + "6625d706699dfc22cf3aff89fcc278f83a0adac87aa0bf192dd86a97031515de" - + "1933a23849478ebed20e4203abfb47345bc18f38da5d45e829997b10107c5369" - + "99b2ce10b2781e1db03e10cc2bdbc2e0ff4c3db5d271ce83c1e7e267e7c1e107", - - // prepending 0's to sequence - // padding:30330000300d060960864801650304020105000420532eaabd9574880dbf76b9b8cc00832c20a6ec11 - // 3d682299550d7a6e0f345e25 - "0ded592bef1fa809841e0d7365e66af12f4239be0928656e7c49a043b9f2b18b" - + "9bd2dfe93a810c6e6c8ae6cb8a5c9d6e9d39a96a10b3bbdb92a7b8f575c2db48" - + "41c1b628160f956f54e0c58d3b6fd4d640b0a06d39476daba7be04b63a75f38b" - + "bf7517d9751d2b12d2dc00e44de7263275dce6b0c0af65d3c04878d6fc1be2ac", - // padding:3033300f0000060960864801650304020105000420532eaabd9574880dbf76b9b8cc00832c20a6ec11 - // 3d682299550d7a6e0f345e25 - "95a42e5d9bd9ad5a8579444e8167bdecec16116a7900117b298c82d5560f1d16" - + "e9fbe963764727fef9111f2465e66177b576bdb8c70a58e3df6ff69edd2d6827" - + "c97d626b09c24cc49f223cd5d2db2916c54fd8f2ac7301723449b1823f2ff48c" - + "56849f7d608312d4bb7a97f90ba218f99cb773fba0a34909618f5d25854d7687", - - // appending unused 0's - // padding:3031300d060960864801650304020105000420532eaabd9574880dbf76b9b8cc00832c20a6ec113d68 - // 2299550d7a6e0f345e250000 - "2344c598a8905b350f20de5cf0cee60253729a54be45b0b19acc109ac15862ef" - + "ab2e7c96e92bc990ed6959a40d725c24c25c8d223a46f490905c1448d8dbf7c9" - + "c427bc2e896bdce6d2c1daabdc93ce177f9525ac69d899bded12443338834a16" - + "d885456057461740c5140cb9a89a017851f9e99e38c1727fe5ccad9a7a8709d6", - // padding:3033300d0609608648016503040201050000000420532eaabd9574880dbf76b9b8cc00832c20a6ec11 - // 3d682299550d7a6e0f345e25 - "a08cbe4009080f73cef03116ea949d1dbacce7025f7f61040fb4e052754d5b2d" - + "74c2dd06c0dfe1d09b97aa5739c809bec6d8cb27e852e9fef353bfa32964b994" - + "95a6dc63d6ce77460ac280c74c0cabdef794f74930f7f8827af1c6690d22ec2d" - + "f3af497837bbe900a890e3feeaca2c0d16b0017155390ff0396a35ecb62b5992", - // padding:3033300f0609608648016503040201000005000420532eaabd9574880dbf76b9b8cc00832c20a6ec11 - // 3d682299550d7a6e0f345e25 - "500df36bd7d0b56642e2d5dab6e4ec0b148e7b8673cfab40e45c5dad5efc469b" - + "3321ce027a3a7ff5689366a18a32267d161a1266491b055f11557c35bd0d4f43" - + "df11b8a26f7b13c54be423b87b30b1dca956151c3ec3df03b30918a413179b0e" - + "064bf434736b323408e3f1330743c8bdbbb9d466dc1e21710c12e2e3b638b172", - - // appending null value - // padding:3033300d060960864801650304020105000420532eaabd9574880dbf76b9b8cc00832c20a6ec113d68 - // 2299550d7a6e0f345e250500 - "11a382fe570e0cfeb515955b70ec89a9353cda0c5a5d3cfa3e16e41340eccaa1" - + "8ba21ad87c4a54a7131c4a7cf9afed68b1c1645568bab9b0fe7dfe0437abbe1f" - + "b6cf06bb690f46aa2eca034093ded661c38954341f3f35abe484015150307eca" - + "fd06d4309836771dfe29bfe56350d68725e0cd02b1479c6f99eeba2d59f40626", - // padding:3033300f0609608648016503040201050005000420532eaabd9574880dbf76b9b8cc00832c20a6ec11 - // 3d682299550d7a6e0f345e25 - "110f3f188df46da58cdd46b5d460ba3d2f8d00d907289634d52a3ce693eb232c" - + "d6db738c48c8aa22d923d4f81d55925b3d4ff29ad9869f97a244d37b860cbd46" - + "46c6318c041729a7aaf473b61a93cccd62fe223d1be00364f03d722f43c7beff" - + "98c3fde573e7e6a0ce7d4a2a4bcf279765e29769bd4f884ce41fb808ac3d541a", - // padding:3033300f060b608648016503040201050005000420532eaabd9574880dbf76b9b8cc00832c20a6ec11 - // 3d682299550d7a6e0f345e25 - "470416ee76f0bbdbd2812b533813e4463b799f4036e6955f3e174f6287e3c73d" - + "57c32875607e2eaf06d612cc85170ba5df31286edb645ae9ceb9e62064050f3e" - + "7f6b36fe8fdae7a3bd89b6acc523c923b9d3f3e5f57d80c9100b39dde75caf46" - + "adcae56668149ce0b80762bc459ac598241dd79c6b4fe0220ad53e3c591243fe", - // padding:3033300f0609608648016503040201050205000420532eaabd9574880dbf76b9b8cc00832c20a6ec11 - // 3d682299550d7a6e0f345e25 - "100714ee0d38c541c2632e96885a7ce0afcb22f0cbd84c556f19d1b44bce75a8" - + "fdf141e975dda1812b4465050d4615a51c3b9816606c7ac88d6b684df938e7a8" - + "852835dcf5bf0ee45f2e413290691832095af77eef0e7a86f72167dbb03758e6" - + "8561f7f06afc6e902ba19fad57e00cb43c0fb2a5ead689a146c79c9e6188bd85", - // padding:3033300d060960864801650304020105000422532eaabd9574880dbf76b9b8cc00832c20a6ec113d68 - // 2299550d7a6e0f345e250500 - "44eaf5ded57ac5c25c17eb31c2e071400b46b9022641347b2edb0b14efbd4eac" - + "5f71e4bfbe791e164c003667387e57ae22c6b00e69971d7245e381f6459e5f88" - + "d9dc0fdb385b777fe99e5e4d79aec057e41a1e457fe2b91a5f4a8878d2eaa1c3" - + "ad8393d281eca07ebd287364a19045029fa7ed0e62a21e5e42a88a52ea4abc8b", - - // including garbage - // padding:303549803031300d060960864801650304020105000420532eaabd9574880dbf76b9b8cc00832c20a6 - // ec113d682299550d7a6e0f345e25 - "236a815c2441d111d254172149ab2429cc4e6caf3335579bf438f22723de0a4a" - + "5e532ed71f24c0fc6032c60aebb2b7e76cd0d14f262d1d9bba80a53dbdb12c9b" - + "89902fc5f5511125d21b7df32e9b303c4b393fd6add6ac7536901ea8ae5785dc" - + "fe90e85ad0c16146b1f15036c31d7758a364fb54cc1d183b8566bda592ba446c", - // padding:303525003031300d060960864801650304020105000420532eaabd9574880dbf76b9b8cc00832c20a6 - // ec113d682299550d7a6e0f345e25 - "762d30b302cd76b021e237f28017e48488ff3bb30ff9e92db5b1e76eec2ee91c" - + "9af03e1c5038afc22591b1cd8cfae648a33ab77901f9f3736e50eea83f7c7a45" - + "46dc55c0265fb17dfdd30250fa3881e34e51b4f2e54554ad098eee952ec888e9" - + "11a0ea5df42c0560bcb4bdd718c88d834b534917e555c38fd1ec3593b2f25b39", - // padding:30333031300d060960864801650304020105000420532eaabd9574880dbf76b9b8cc00832c20a6ec11 - // 3d682299550d7a6e0f345e250004deadbeef - "8cbf9d425abef67ff0a7fb648e70b82b1556ac80e46dcff37145b9041bee2bbb" - + "fa56817e04994c9cf1123c6df2aeeb1637595eb1e20adef51d657943fd67826a" - + "c5d5dfba106ae9cd243f12746917a446ce955034b46ceb0f4d542b7bcd06ad3e" - + "6e10899d5338e6d8caf3d4de3cbf45d45a58d946a64d0bc13e97a4ab4e6b6016", - // padding:303530114980300d060960864801650304020105000420532eaabd9574880dbf76b9b8cc00832c20a6 - // ec113d682299550d7a6e0f345e25 - "6477bd3337d601fe92e19e7f6b216f73eaca68aa408c5a570876ad8db6113505" - + "43d1dd458b511e3095e57996ca589c00f2beb6b6fe4564f4373571d904958acd" - + "1bcd33f57959a231bb126bb2b37bf1403d52836752198b6954567f07b31ed110" - + "5dcc50004e4cd7e897516c536c205b339ff0d35463ca6871ea5dce7a8daed8d7", - // padding:303530112500300d060960864801650304020105000420532eaabd9574880dbf76b9b8cc00832c20a6 - // ec113d682299550d7a6e0f345e25 - "975d07b7295268a8662aedbd2b65b5eb10bb496077f41b90d12d34ebc7e492f0" - + "c7f3a41d4164a279f06ea616f91968628be4ceecd4a554477bc76cc6b2e6bda4" - + "042dc253327c4b8fc40e9242cbc8b835114a7379a3081bae4b2803a99deb4a54" - + "0f8c149ca5db3a61c7bc9f61cd7e55521660a06603849896c791a18d1c7360e1", - // padding:3039300f300d060960864801650304020105000004deadbeef0420532eaabd9574880dbf76b9b8cc00 - // 832c20a6ec113d682299550d7a6e0f345e25 - "37352cd11eb5ff7380bfb7c0d3e8d9979ae7cb489a71c31a077d59496547b0c9" - + "5a760387ed50eefde0b762222f05a6033740f6e010693edf3ef8ab5f9c57f4eb" - + "1f6ccd83287dcc2e90857defe5ba4109bf79ad84ab069c85a25758d22536c688" - + "2919245fa2d7e7921b3635d984deeb6555cabdfc46a42c75875d55924c8bac62", - // padding:30353011260d4980060960864801650304020105000420532eaabd9574880dbf76b9b8cc00832c20a6 - // ec113d682299550d7a6e0f345e25 - "0c783603c7af53df27538b983fb7368e9f62d4552f008f2920a21cff3186d2ac" - + "7de451fe8c28b71d38c657c41c79174c84004deffc69e69cebf2aba2a43ccbf0" - + "52f6fbdc3c9d3683275913c4583dced686291bd1c0217a015d9ce732eb410c8b" - + "27f2fa7c9ff516a81577490f5bffc8121c7ac674caa464956942786c5dca6b4d", - // padding:30353011260d2500060960864801650304020105000420532eaabd9574880dbf76b9b8cc00832c20a6 - // ec113d682299550d7a6e0f345e25 - "1fb1960934683292a4c92cf3d582cd5fe68888a5b0f6c2e64538289da7f96a9e" - + "fcc36bdbf1fdc0cc0b3b36c6af608309de58c6151112f3a78599ade4a718b359" - + "547a4cac9a020e5e7e7117d1bfeb3ec21bfe9732825e624b27ddf8a946eb858b" - + "30461706f769a54b0478e0753388951d98129383590186b80836608f7e06c72f", - // padding:30393015260b06096086480165030402010004deadbeef05000420532eaabd9574880dbf76b9b8cc00 - // 832c20a6ec113d682299550d7a6e0f345e25 - "7e4f953b288c20fd5bec56a00745db9be03590efcb637e2ce2119a0a1846e9f3" - + "8c0ebc5f2498ebde6217d81c9939b6d6a6f35ba54ee50d6313d3f2579751e7ae" - + "8d31ef4b0e99ca2e96c80459a7e5ff51f6f31e9c965be19097de13017c90037a" - + "a482d197c986f50bf2d5e1acb3f3024605e46d963410a4a623c898d0d773a78e", - // padding:3035301106096086480165030402012504498005000420532eaabd9574880dbf76b9b8cc00832c20a6 - // ec113d682299550d7a6e0f345e25 - "03e121f5766771a65a400b354f78ca27c9a04a25d4ab80fcd6ee91bbca3baf27" - + "752abe5cfb7959779644c064bdbaede14847fc035a3a19523d83cae3c31a64ef" - + "7538805e398e196ed8ee9ef6b3f58f10e7e16c95495f82ba430e5d997d165564" - + "44bb1447ebb17829ab879e61ac297ebfd4b94aa99b68b0b498d8e434d4fb3c6b", - // padding:3035301106096086480165030402012504250005000420532eaabd9574880dbf76b9b8cc00832c20a6 - // ec113d682299550d7a6e0f345e25 - "90a5d10e2e19f7e016d5126a3d3eb91432611ebfd411b07a4be15aa48c39df33" - + "f3a2855f1e150ad34c7f83973bd73eca6575dcbac4086aa0a38db3d6e6ee2e9f" - + "419768493fb4829f1f6d67f80359f82d95483d6057de17fd388ae46687c429de" - + "a4d9f7a286c95fb1b9df0f1ba40a4263307789952b1bd07cdcb3b5cef10d9d2e", - // padding:303930150609608648016503040201250205000004deadbeef0420532eaabd9574880dbf76b9b8cc00 - // 832c20a6ec113d682299550d7a6e0f345e25 - "a88d38e8c765b7e439f42294e71c1689a318ed5414efdf474196989829d4989f" - + "ce8910798f4d7873fb43d3a501fa15c8019813104e4699597246db66f96c838e" - + "45aa3596a1d26cbe9f6ee91c077422953b402f7e11f8768a2f132295bff79a0d" - + "10ab843cbcf2c921113992336638f4052446f52815328ba4946510a6b701d448", - // padding:3035300d06096086480165030402010500242449800420532eaabd9574880dbf76b9b8cc00832c20a6 - // ec113d682299550d7a6e0f345e25 - "34508ce63c502b3f8185f7cc61c724185aab2c1bac68cf2a7e7f4234edcc0e38" - + "cd15f73e73d02431c62c28a2241f629382ac5e9329ab71dd7e9152b10bf86b55" - + "0c855aade6a5941ffacafb4bfd57066bd6e39bd0d8ecf57ad9a6f3ba48831800" - + "bd8e6e9773a0ba3770cfb9ae329bb4451f450ee35796b5578104b7ff5ae2dc31", - // padding:3035300d06096086480165030402010500242425000420532eaabd9574880dbf76b9b8cc00832c20a6 - // ec113d682299550d7a6e0f345e25 - "7f642b5702c331dd76b7ff66578a2c0547d91c556b7b9751443d911729fb5ce8" - + "426515ba068e2839cfdc956eb813c25d65a2d5213b59302c0ed5e6fb95c49002" - + "edb1605f8f622912fdc309d92e6e3f188ba19e991fab0a7018ae4f6e70927d91" - + "cffec51b2dcc8113908faa1173ec9ed72350aa93a8cadef8bfa7305bae22bdf9", - // padding:3039300d0609608648016503040201050024220420532eaabd9574880dbf76b9b8cc00832c20a6ec11 - // 3d682299550d7a6e0f345e250004deadbeef - "0abb75f2fac084da0b99bc823c021c4872e23302a6a25e400b6f25d60f7c9038" - + "99a69dc548676106b44f37c1e6d2604eb995a16880a2a8e2cc9e0ccb2b984ae4" - + "82036f69a6ad31a2b5836e73e0d30c3e10f8b93c7587d7c0f2371183edc3b8cd" - + "0fd7bc325b1cf75e1079f8d6df53fe495722cc1ce707cca49bc6f4ed2ca6c4f9", - - // including undefined tags - // padding:3039aa00bb00cd003031300d060960864801650304020105000420532eaabd9574880dbf76b9b8cc00 - // 832c20a6ec113d682299550d7a6e0f345e25 - "9f2234b108a45abaed850e19d2f9576f59bb83dbc6165da61c4798638f9c9858" - + "7c7eb92a8c901dc4430e4a47dc05681ae811ffcad6f7a604c43551cd0f5d1235" - + "49435d622f7efec578301efd49dc6b139abbc3c7d6a26858f6d18f09b863a145" - + "d6483c9efc6c322fec1341b6362dc1d752c714efcdfb09097a0ce6df7dbe88a9", - // padding:3037aa02aabb3031300d060960864801650304020105000420532eaabd9574880dbf76b9b8cc00832c - // 20a6ec113d682299550d7a6e0f345e25 - "24ba137a293599ab7e50a0a4f8c7a5cd02dda6a4568c93f84d00ff4729656456" - + "3c9051b334db2fd2c081b23d322d4870a61b2435d651d7efb4e1b0920e759f7f" - + "d81a937bbc85ff43dbe2b702dec3acf4db68d5fd7b8a2f6d32cc49a7300dd659" - + "623b391927a2442d69c6c3c29e59eb80b1d0a95bec6d18a6223cf4357eb7cc96", - // padding:30393015aa00bb00cd00300d060960864801650304020105000420532eaabd9574880dbf76b9b8cc00 - // 832c20a6ec113d682299550d7a6e0f345e25 - "04023dd35fa479f8156794d02935f8669c023c774b95c5a0e02837e32ccaf7a4" - + "ba5195835a15de6a21796eb96bdaed868f9e8b7f0a5a21c1a3058f53aadb62d6" - + "ee74cd70b2c38f17e42a1f7ffd88955731b4e15368211ad53f617aacbb54a7e7" - + "078740ba6daaca81c1b321b748ea1d13f7aece490226636ecac41bdc275175d6", - // padding:30373013aa02aabb300d060960864801650304020105000420532eaabd9574880dbf76b9b8cc00832c - // 20a6ec113d682299550d7a6e0f345e25 - "253bed76e4b8465ebfffd1b7214ce586294d3bea290517ca2bfc417ba9d8e72d" - + "286570c348dc6084fd379c2bf4dae424189964639533e17c409ae18e445210ed" - + "4dc98de4ad7336554740d1532d5010a1bd7ebbc33ba48a3365d50669e4f4522d" - + "0e5ff7a3bdb1c42c42dee647a8a3ce16633eb33bbc0a869e12cf99f9481dcf85", - // padding:303930152611aa00bb00cd00060960864801650304020105000420532eaabd9574880dbf76b9b8cc00 - // 832c20a6ec113d682299550d7a6e0f345e25 - "0775598491297eb9004eed66234ded82e047ea2f06837425e6bd27f33b137366" - + "7f3ff4961d60f85edede88ec2bba2680151da3763f0df9785b31771da7e64386" - + "2ff9ba944ab54bb1356ee113e420002a873f1eb381660f3eb84b1d6b25ccb8b8" - + "2ad12ad0a449c4de205144873329e80ae8a84d1d3c1660b3303cbef28b48a553", - // padding:30373013260faa02aabb060960864801650304020105000420532eaabd9574880dbf76b9b8cc00832c - // 20a6ec113d682299550d7a6e0f345e25 - "a73df043d06ae53a37773016a4e21d3f1093c50e079b189c4bd7db3e2e9875b1" - + "4e5374cb8e7394a9f1b45c7e4e9dd516198bf5055b30ea4d205f39fddaab3da0" - + "cec63524bdae2ae166a3874c59057d93855d6e6314fc5da8111ff58666a73c00" - + "a105311859f27d2fb92f507531b9d681e219861e4f0b2b979c185af2690eb4f7", - // padding:3039301506096086480165030402012508aa00bb00cd0005000420532eaabd9574880dbf76b9b8cc00 - // 832c20a6ec113d682299550d7a6e0f345e25 - "17e5a889b8139593e192f7af684c918f2751f157214863f88984ff3d8c9e381d" - + "1bee5ee788fc82869f4c3d8483e3c17c873a850a7a5c85e4518cbd8531b331a3" - + "08a0368a868bb7995ce0f8a7ac5ba53b88c31c958dfabb36ed461472505b5984" - + "18185b864f381342c29dc80e55ca7c2095e7788e7e8d385d61de605f74e431b9", - // padding:3037301306096086480165030402012506aa02aabb05000420532eaabd9574880dbf76b9b8cc00832c - // 20a6ec113d682299550d7a6e0f345e25 - "a659f7c44e4589e9f6658b0b57e82e65d5ee9fbe2376894f558a7ca4b6e3c503" - + "2f953d1dccfb9b76bbc53dd5d1a52cfc092c6ca279b37c0a43c99ec0553d7ef4" - + "d9bf9361a1c4a3fb7496aa58c0af518312e18819fffdafd1a230a38440a6fbb0" - + "e69babaa977b8b5fe08ed7c6d59c0391ccd80b42a0c0102264b0ed6af8524e9e", - // padding:3039300d060960864801650304020105002428aa00bb00cd000420532eaabd9574880dbf76b9b8cc00 - // 832c20a6ec113d682299550d7a6e0f345e25 - "83fd4599a47bc0852ee1a12b2d97fceae6d8442fd089df1d21ecc252a4109824" - + "10bbd2cc6bbca219502c2934ac593a09beefdeb54b0692b3e5724b79b0f5c535" - + "41b62b0c4bf80a658af71d5964fc6a1fd7823370d00e24dcead4bdc86bcd883f" - + "e3f48dc7f8468ce99b7580306007021b68b48ace274e3c09a1b5e21fc7542ef0", - // padding:3037300d060960864801650304020105002426aa02aabb0420532eaabd9574880dbf76b9b8cc00832c - // 20a6ec113d682299550d7a6e0f345e25 - "4bab6fc6948143f8ec7c8ad86a0c5cda5bd8151c24ca7916857778729c882581" - + "603363fde0ae2a28b6f8f2c8ce8d5f6b6e731bf8ef735bd31318069544295b54" - + "b04ff2abd1e11900373931164586d7c830bae704f7314eebf1d32b3a171274ed" - + "456e335d2a0b998ac441053ef096a037bfa6e5cdf3835c45ede383f0ee8feeec", - - // changing tag value - // padding:2e31300d060960864801650304020105000420532eaabd9574880dbf76b9b8cc00832c20a6ec113d68 - // 2299550d7a6e0f345e25 - "5770bbbb883f93f7c29bdab32e496f2e9063110fe648705fd0b1dc927052fc9a" - + "ce9b36d898d19cd4f862b777b7c790d767b8313f735ff567c34cfb31f2964454" - + "0645beea182cabdf789ff9ac3f68cc20444af0b9d4ec0bc8992945063fdb733c" - + "ccef7590a10bdf491bc21c38f25ff65a581b40343e30529c3dbb71f62189ba3f", - // padding:3231300d060960864801650304020105000420532eaabd9574880dbf76b9b8cc00832c20a6ec113d68 - // 2299550d7a6e0f345e25 - "359dfbf40d3c2383f58bef1d518abe9852ca80d797393e4e1a9380ef08aa851d" - + "585213e8897c6f701ab680b0f63ccf5ea4216331918ca9a984fb6ba549f4bd06" - + "6ec1fc4f1ed053fa5658b01df674a21322ba7e21fba6cbb3a8eb5565fb7bc269" - + "f99c65981efa650dde613ccd6d3927cdae45922d94dcf7ca5188bf5acf84035f", - // padding:ff31300d060960864801650304020105000420532eaabd9574880dbf76b9b8cc00832c20a6ec113d68 - // 2299550d7a6e0f345e25 - "24a61067121e9b4363b816b7c5750584c23f3c3200ca929fdedbe95d7504c56e" - + "a7dffd762074e44e96e22147943f2b704003967270b2be1bd1baadc3861c4cae" - + "91bd41530c67220349db4481d324d9927d52fe85618ddab2598996c5813f3299" - + "e1afb020b24003fa94f94a0c6c02b3183295e0de79eda021dccc5539cd7874ce", - // padding:30312e0d060960864801650304020105000420532eaabd9574880dbf76b9b8cc00832c20a6ec113d68 - // 2299550d7a6e0f345e25 - "11b8d1dc2fa2afbc32f048d7454ba032b432a2ecd438506aa72c697a5c118e9e" - + "231a0c6b6340b5564402b7e837c59dd36f726fd626621b8f543964198484087e" - + "ded70e7bb1dd63df2cea33198b9d02dd28e3b8bd006ba991a8b3bf06ac928bef" - + "45cba2362f2e11a5fbfb0310e84e8b7ba1e17c315adc1f34519134c36689619d", - // padding:3031320d060960864801650304020105000420532eaabd9574880dbf76b9b8cc00832c20a6ec113d68 - // 2299550d7a6e0f345e25 - "8748f029d5294dc917cf4fb347e0046f903c088fd976ca97b1322738549df7c5" - + "6cd67349d66596338fe418b29de9e8af8872fcdbb55e1a6f74e9965fe7a365b8" - + "46b667d0ae50df23083be73cceb59db545a3e1a560f6ce0e9eaee57b5f95b848" - + "7a3987c00f364d0f148ead6d7e6a37b05456b913b7a79c0547b80da2a2893881", - // padding:3031ff0d060960864801650304020105000420532eaabd9574880dbf76b9b8cc00832c20a6ec113d68 - // 2299550d7a6e0f345e25 - "2bfc087003f3b98f0c8c5273de34f5e4d5047e909cd80e222072f6a7926ced5a" - + "e169131342640f2be11bde2f7565c3c63d0335614dd278915514de8421f4521f" - + "0138109a5c9778f86647b8a42815b6b861f173f5a6df893873f99c5e62bc3c08" - + "6150e3b7d7abb943ecbe5806068abc433e9052d9bdfa19a58d19da463dbf3b23", - // padding:3031300d040960864801650304020105000420532eaabd9574880dbf76b9b8cc00832c20a6ec113d68 - // 2299550d7a6e0f345e25 - "0fe03eea6c50ab664bebc7d64346762aa29b08b61f2877973cd543c9533c9d04" - + "51db8d836eb46e8d64283306efd7ef6387cdc3c794f7474f2e7d51b9df078095" - + "adc85fb810cae52434c9cee5048fbff72610778397fd83204f44bb87f7637373" - + "d111dd16e18287bd9ffe816683bc3663f586082fe0811ff6a06c0264b67f7716", - // padding:3031300d080960864801650304020105000420532eaabd9574880dbf76b9b8cc00832c20a6ec113d68 - // 2299550d7a6e0f345e25 - "748b9e64195314003ca31f726bb3d3294abd8eb376365acc5b1cd36934bbe1a9" - + "bae99ceb7c1a40c910bca6007ced7961ecc9ac74c7a6424cc87b6b9610320ab9" - + "c5b527d986c6e8ed21e677bbe2ee7752e2dbcfceecc2dd6da3f6c6b9c81435e9" - + "e060dcd67ba834729761dfc9570b79bb1b8ead7bc1325c2233e445eeed12dcad", - // padding:3031300dff0960864801650304020105000420532eaabd9574880dbf76b9b8cc00832c20a6ec113d68 - // 2299550d7a6e0f345e25 - "7379bc96dd40d37a7f8e58f87c10fb94f250a964a55b2abead479b368e60e442" - + "e6eb864952308eb45eef1d318b6a5ffce634fcb886dbfa062060b9809cf89a09" - + "a26fd334ca22a1917fd219900ec0c68164c308cb9cbca3fb2b89ed8637c5540f" - + "7a5886ab1e52c503e20edd6316e41c746e53917e107ef5308590800ad378ac97", - // padding:3031300d060960864801650304020103000420532eaabd9574880dbf76b9b8cc00832c20a6ec113d68 - // 2299550d7a6e0f345e25 - "4a2478918565be6b46fe61e5f66cd1befb7a3026b5a1502e9a42636b0b924a02" - + "e85d7ffdfd8671b1d6d3e604e3ac6a5302db4e0ae0975d0661efa018d6ba0c63" - + "2a6381368dcb75926542c74823a8c6d8732619764d5a61062fb3b17ae243bd69" - + "1c97c8f9821af9526abcb522ec8e9dca32de1989e576e336af9dddc3e766541b", - // padding:3031300d060960864801650304020107000420532eaabd9574880dbf76b9b8cc00832c20a6ec113d68 - // 2299550d7a6e0f345e25 - "5ec392c91cc165ae59013337e7f7d5f2f9b3a6d45b6f6beee6dbf93e7b960790" - + "0f4672555a57de6e9e1aee1fc9b7adfc0dc00e122e84b0233c0d615dd0d79764" - + "fdc9d1b0e541f2de0083ab479f313a07f55f51390d1c2274858b219b1ec0601b" - + "82a2f7648ae95ec17099067a173e3e83959b6c06f149af0e4610761aab5be1a5", - // padding:3031300d0609608648016503040201ff000420532eaabd9574880dbf76b9b8cc00832c20a6ec113d68 - // 2299550d7a6e0f345e25 - "6173aef07a7057c3e97f6b7d4d7266918876f9fad86000b4c8ec7f83ee491563" - + "115b0cb5d580df8c97feb0d95866eabb79147926f5395c5189554749f4a2c75c" - + "0d96325971635be029062e1f27536c5041bb42f42e1fa10e21bb8e9a2e2502f2" - + "a7299dfe3bd8720ecb8a57238056ab0eb546de8dc0e56b317c73ab1e19772596", - // padding:3031300d060960864801650304020105000220532eaabd9574880dbf76b9b8cc00832c20a6ec113d68 - // 2299550d7a6e0f345e25 - "3b80c72f3b7ada8b38b30527bca41180b4a89b066f44a17b9df5963dca46517d" - + "9160326afee7a34b650b9e7746e764958ce6a0a6268481a8df40e0a95a81ab0f" - + "0bd20c050becfc0c4b03ebda19749a4a1dd3ce925fafd9a4006a835eedf221a6" - + "ceab6aac6bc74f743fe171ef8c01935f8901e1ec9ff6e33ae8311851fa14a65e", - // padding:3031300d060960864801650304020105000620532eaabd9574880dbf76b9b8cc00832c20a6ec113d68 - // 2299550d7a6e0f345e25 - "4b0eaf3ae1c7a3322dcfabee0569aaafba51e0f34fa6afc325bacc853ccd2daa" - + "3dca56c918325bf553af02ddd19fb597c368dd18892d52d9e935dc51d38347eb" - + "ae2a7f90c78504355f6899ab4452d5f51d2025381d81042a08582dc50bc10782" - + "46ee69652043bb747969a7450659e333193990f34a8ce3f036221193e700489c", - // padding:3031300d06096086480165030402010500ff20532eaabd9574880dbf76b9b8cc00832c20a6ec113d68 - // 2299550d7a6e0f345e25 - "1fe7b390bcbd5bc1904e676111653e14e581e7817b45294bb790e4e62f3010aa" - + "aa77e246b29729f2b7da65a2f437b8d9c4fe3b26baad367a19fd7b1758d04c2f" - + "788c45e5309a833522b46d7255dd5ef70ed006ef966aa7c648bd0b893b8e1566" - + "961c16e9554fb729ec81819f1b3da890d413a153f487c030c7581da9531bf134", - - // dropping value of sequence - // padding:3000 - "317379f37cb7f21fd03259a27db3575d491a248df82e67b39d4956a1c619094f" - + "cde001544f0fa70c64dc0d0440fb21d2860a20a911cbb397792bf3eafa5cc050" - + "e78b1e7bb29d041cfa0287bdf54a90a7a8bff5c870e898fe34bb522477daf8e0" - + "03bc22891b789ff215869cceb92610c4b03210d19506058d941e6fce7a3cd786", - // padding:302430000420532eaabd9574880dbf76b9b8cc00832c20a6ec113d682299550d7a6e0f345e25 - "2de802ddacb7e47e27875943d5098419bca3b170bf74f1c4b4a8ac420d4469d9" - + "aea97592fbeaaa1dcb5fd20bb97afc5f7abae17a9bb85c5490db97010c5217c8" - + "8f9f52b5e209cf5fba5f0594f4e4450114dd0348ece336870a1333f7660caf95" - + "9056ba13b77d35239eea164ddbc8808f8e7e1beb070f551b6e95f90d5bdbd925", - - // using composition - // padding:303530013030300d060960864801650304020105000420532eaabd9574880dbf76b9b8cc00832c20a6 - // ec113d682299550d7a6e0f345e25 - "09342a8fb8402b5e50fbf8c5d1cae415ce02c0a803adfed88188982129e84809" - + "18dc21616bb5f8381e8dfe13f63234090c32e542a005df70df5e8e00dd2a478d" - + "10fff1b61efbdcf0e410236f7c031c9a5f7cd0db9098f8a32a6a49f408e72c4a" - + "29b7d27e8041ba605bf089bbdb9777e19b31ecca0d49b90d54701721af79cf3a", - // padding:30353011300106300c0960864801650304020105000420532eaabd9574880dbf76b9b8cc00832c20a6 - // ec113d682299550d7a6e0f345e25 - "3ef90c414a64601c538c286f2c35f32445039799b8c266eed605027578edda79" - + "6a409d905a751bf5c1cdea97840437fa82733d8f27efbbc05da732887078a8f5" - + "47bbfb54607a54f893df7dde0c35c45f9c2402bed0405c72e98175e5b9d6f902" - + "24e07d12e8c1bbad2fc8b1a14c42dd5fb7e554db5edae89d335705c672cd7b55", - // padding:30353011260d0601600608864801650304020105000420532eaabd9574880dbf76b9b8cc00832c20a6 - // ec113d682299550d7a6e0f345e25 - "3ad3e4ec3636b5eb8aac2161c04d228491ca0d9da2abd69d8904054373940b39" - + "b5c025c011c9b9508a25ec25b24a0837cdd6a27cb5c8ba3683d90ba5912ede9a" - + "21f2f7e851dc49dfebea8807576be703a6a87ca44c370db76812b9929a54fb8e" - + "2259453ccaf47da1b8ddc5b7322c20197604b9e028ec00bd7eb48012274d5b81", - // padding:3035300d060960864801650304020105002424040153041f2eaabd9574880dbf76b9b8cc00832c20a6 - // ec113d682299550d7a6e0f345e25 - "778d93be708d56defbb6dedcfec2a917a3772b2810e26143db1f9d0f26c4fbb8" - + "de8db5818aa32ebb2cdcd7960e593ace2c3c3eb682c930cbffcfa6b34438ee2a" - + "786a9707d5d10902f7f4d8fc677106275fcb6cb08f56f341e0f52af590e0bdfa" - + "2f2bf95693265e87f5046bcf3e6de34810e8eaa479f3afa2b0a98b175007c209", - - // truncate sequence - // padding:3030300d060960864801650304020105000420532eaabd9574880dbf76b9b8cc00832c20a6ec113d68 - // 2299550d7a6e0f345e - "a3e0e0cb9f7cdf8a2b95139f7c475f274bb63252385f62e66f82158f429e74d8" - + "3df9ab1040717d34b6a5e009b6ac95960826ee83bb298ecf900425ff03a8f156" - + "053b57eac6086d61dd3a8085b84c83bebbe3270164e3147ddee8966a02679640" - + "1fa48da70f5d949386eccad26b0016543f3f90c8ac2874100dce13f03845509c", - // padding:30300d060960864801650304020105000420532eaabd9574880dbf76b9b8cc00832c20a6ec113d6822 - // 99550d7a6e0f345e25 - "84345c9d3de7b5da2156d3669a731c4baf6726c4c231bc8bcaef950d7ac37ca8" - + "d86e9c9558404f313de3fdf09024d25491b0a933cc3958033210b1c4f90070dd" - + "d083005873762566ff2cd7f6915b4cb430f5e7e1bca8c2ec32b4ddee48aba667" - + "f9d614a27c3bb40c6cb7f0cd77d3d17257f197974d1871cc09c9583cc6af8e15", - // padding:3030300c0609608648016503040201050420532eaabd9574880dbf76b9b8cc00832c20a6ec113d6822 - // 99550d7a6e0f345e25 - "227aaebca262d2189c479ab46d8715a34100bc1975c2d3991a4ade27376f0687" - + "56cc9d89e903713bc28394d202d81b32126d7eb09154261841227cba6ea0a60d" - + "0ed9302f816fb4dd241dcd2d746d5c1b068c42c0b2bd567ef799cbfd0a83e8a3" - + "0c4fa2f7296dceca38c36ab597ba992f658ef7955d32d38847870afbca35d836", - // padding:3030300c0960864801650304020105000420532eaabd9574880dbf76b9b8cc00832c20a6ec113d6822 - // 99550d7a6e0f345e25 - "a4316d438c7091b3bd5ec09aeea9095cb5046d8f08642b087c34985c34377bda" - + "fe74285d00862fba20572ce7a06dfe62b4fc08704d1cfb161cd88478e7e1c545" - + "1e0bdcce0fdd83c0e37fba5168ae03fcf4ccf60fa12c9b0acb39fe99b06933b9" - + "e0774f41151e0564ef805144c0cb76101672c287912197155d91bf036e84d1ce", - - // prepend empty sequence - // padding:30333000300d060960864801650304020105000420532eaabd9574880dbf76b9b8cc00832c20a6ec11 - // 3d682299550d7a6e0f345e25 - "361f80a57ddb48796e50b3e6467cb00a9e1e193330ecd2cd6a31f649b49eac27" - + "e295450efe03e09e59f1829cc661d36b0fe904602c644aad7ec8cb2ca3099078" - + "b6d4f7b9233dc159fd1a6189451fedbd176e436f6605f2b889fc7197ebb520ac" - + "cd7f90e543da44453c7ba1948e83e31f5907d1989d982acbb348ca2216fe050d", - // padding:3033300f3000060960864801650304020105000420532eaabd9574880dbf76b9b8cc00832c20a6ec11 - // 3d682299550d7a6e0f345e25 - "674c01596bf71fccd36aa81b000be007f6cff713e5f6ffe58b25e790f9a1f654" - + "2ba3f68e1eeaf1bb1ac6c3d55aeaf08140f6cc3d0474f6bd87ee442568346553" - + "ceb34efb5301a4d3a5b3f28a5fb038ccfe8444524d18adfa042aa1685fc3a5f9" - + "005da5688853b8660ba74f0e32c5be38c743b0048ca9b9fc19a35a5ff4e2c48f", - - // append empty sequence - // padding:3033300d060960864801650304020105000420532eaabd9574880dbf76b9b8cc00832c20a6ec113d68 - // 2299550d7a6e0f345e253000 - "07ba2b5d519b1f60dc455d6ad90b4135cb45c5da5a2a2c9b8cb954165394a0f4" - + "0145ebf2b1a3ff1d47f5031d542d25041fe9b6d78aab623c40eedcd846761816" - + "8ad02af8a696573c5c63cae0b2c26583b0240848d663fdd0195322bc2c8dbf9b" - + "5db2ff9cc3e75e70480e51da0d6dd402fa87772ddef5256467205cf41a42d18a", - // padding:3033300f0609608648016503040201050030000420532eaabd9574880dbf76b9b8cc00832c20a6ec11 - // 3d682299550d7a6e0f345e25 - "9fd302307455d4e946c1ccee65b0941c3550c823279cc52c4f29ecff72a12ac4" - + "0ef6b7e37b7dd774b7735bbae89b0792908bafc47f0b0a11637042fc8541b346" - + "151bdadc3990e64b6d1807dd0e7f9266ceb3f686a9813341f835562d3c8c8486" - + "8a1f98db97d3e695ce4a25fce80b828d010d6323120362ac48700abff8a7116e", - - // sequence of sequence - // padding:30333031300d060960864801650304020105000420532eaabd9574880dbf76b9b8cc00832c20a6ec11 - // 3d682299550d7a6e0f345e25 - "247aa1cb69ccb72795c93809d7c3a5e52de98ec5285196058a6ab18ec2f5d9fe" - + "f5545ab5df923f63bd58f5f247b3d824bf161bcb56d325d4e2fc7eb3765dd81b" - + "5580422abf2a3bca8d8af94cf6a9a3133b1494f66d5cbe938d30b9308b5ce2cc" - + "6d3df37d3299b6a7616d40afcc7935d80225e1a89a7a63ebff13a66e21280a6a", - // padding:3033300f300d060960864801650304020105000420532eaabd9574880dbf76b9b8cc00832c20a6ec11 - // 3d682299550d7a6e0f345e25 - "6d6248f823020a9604bbafe5acc103d9bd020624585c95805533de22afa3b6b1" - + "b511f8805296ee4d3e96d707c91e55df8959464ddb6d6a3d62b1cb248754302b" - + "2833406300f4975d913f1b90f95e3673e2c57d6181d73a360e8c818b8a9dd1e7" - + "a4fdcd68683f11dd47c2d395f20b0ce9c59eede6ae6aa58a707c4ea8d1a73a9a", - - // truncated sequence - // padding:300f300d06096086480165030402010500 - "941d41c39aa8bf3879d16cb78c5486589e7b97e56a0249c4f613060d26b78659" - + "8fd2d34bc4e99cc8888137975937307d6a328059a09f3b994bf955c7de4a2841" - + "a0d10bbbebb2db3b332656f258c66c8d50cf9155ba94e1cb21a78e6147af7695" - + "8ddd997665b6d8f67ea8f5e1fdbebd7df635f20494489c895d33ae4c7f248bad", - - // repeat element in sequence - // padding:3053300d060960864801650304020105000420532eaabd9574880dbf76b9b8cc00832c20a6ec113d68 - // 2299550d7a6e0f345e250420532eaabd9574880dbf76b9b8cc00832c20a6ec113d682299550d7a6e0f345e25 - "a32afeafa2c3b58bef55776ef6daaac6647485dde100d968e0449d1a2d5a1218" - + "07ca2fdd70e2e9cf524cae4f263e11837000df85f0886b718ff45cd316c8d031" - + "b746dabfb956dd6118a37e0dabcda1ce9c728afd9a5f2448f5b15d2798221888" - + "8d457752485119f53219315bf63141c9c0802327226a096403ece022cb27c0df", - - // removing oid - // padding:3026300205000420532eaabd9574880dbf76b9b8cc00832c20a6ec113d682299550d7a6e0f345e25 - "6098a732419cd71887548ccf4fbf3edeaf9fe7b220bd747ae1b995b746de1f4d" - + "7b48c73ddb71903f50ccf7c93be9c8219de5a75ecc302ab50356069dfaf642f3" - + "2ec580a283519fbcf04784860b0660174dfb7e1e527bb320960bde8f6c605bc3" - + "c1055b878d2adbb44e1b6c41add15cb603345c4fe2d1c0158fa03f21b4c015e0", - - // appending 0's to oid - // padding:3033300f060b608648016503040201000005000420532eaabd9574880dbf76b9b8cc00832c20a6ec11 - // 3d682299550d7a6e0f345e25 - "2f08cdca4d621007acd15b1f4e3c39882a8aef706878e8f101e7fb250798a352" - + "8dcbf4d3327ceb0754a2ca0850794094dde8a875cb947d624d386ddb9593259c" - + "53ef2311260ac3c9cd1277050ec98d105188f590f198ba908ddcf3f9ed18f5a9" - + "6cc6b353fadde007658f87ff4c201db7621d69c8278305f3e9f2041a2dddfad0", - - // prepending 0's to oid - // padding:3033300f060b000060864801650304020105000420532eaabd9574880dbf76b9b8cc00832c20a6ec11 - // 3d682299550d7a6e0f345e25 - "10078ea73abb9bbb879c9d8139b1758170fb73b34f39cdc83e6a725439e315a5" - + "cba4421fe15e8c80d8fda0a9aba9a12c23aab41f7328d4191e6c7c3a53a505ab" - + "518dce078439347945671ab06a2cd5375457b3bf181c40a1a4be1ea8305c9a40" - + "1488532c7cdc1150fb9c46a2e846ce4a2fd9ee863d0b0b8af7f10360acc47f10", - - // dropping value of oid - // padding:30283004060005000420532eaabd9574880dbf76b9b8cc00832c20a6ec113d682299550d7a6e0f345e - // 25 - "69a74665f61787b54b522937c534e95e91917f5dd4fa9e3472add6e21dc033a2" - + "75408f35c71ff6cc029e25986fe6dced8ed053a9040aac32fc444e9252d2bd40" - + "81fe3e51ace15a0f694c0b8953dd6afa7f8cac67f4d8e17513b415c14b439a63" - + "4274893885907e2ea428a6e242154a58a031fedae31c73df7cd4e2f5591496cb", - - // modify first byte of oid - // padding:3031300d060961864801650304020105000420532eaabd9574880dbf76b9b8cc00832c20a6ec113d68 - // 2299550d7a6e0f345e25 - "8f3b544724810d462cc9b19f356e61efe7c192dd63511a9f1f63286ca81f8947" - + "7c2b464f8e51a97ee138dcf8c6709d79a78591081384af7cb5e182c9867b8260" - + "13e6191efddddcc39909d3ffbb18944503b69d774c959831a8092f4790a49335" - + "21100c3e9741c3b58e1d24b75425ee28fde4e40c249b4dccd726cb06cb9ad2e3", - - // modify last byte of oid - // padding:3031300d060960864801650304020005000420532eaabd9574880dbf76b9b8cc00832c20a6ec113d68 - // 2299550d7a6e0f345e25 - "3933d6937e977caac37a07a5c4ae503565af57e6c4e830004147f8bbf6784f79" - + "666d89cb4cac60e3f0aff2d5ed6a182921e490c958bfa49c86fcf0270914c102" - + "275b0878f01795c7a2f44a8a6f5306aa67a81f9294089876801503989e749d15" - + "2c3e34906291f1f54bb6232fdd3d51e807f70927bf38ef70bd2ba45f0323acf2", - - // truncate oid - // padding:3030300c0608608648016503040205000420532eaabd9574880dbf76b9b8cc00832c20a6ec113d6822 - // 99550d7a6e0f345e25 - "7b2f6581fb0b4f913ed38c0ea20dff2bd60723f2bc3f1022ceb946e48adb75b1" - + "e0be031dd8b706d82967f93c6b6ba496d8c4b49aea9970e139b18fefdce30a4e" - + "c04f77625eaca4c7d1265cebbbcf53b63a113cf06bc50e4a416a771cd28785a0" - + "075631a3ef60c9212e224aaa063e7d8109c27e248e6422b26acd02ec012b7bf3", - // padding:3030300c0608864801650304020105000420532eaabd9574880dbf76b9b8cc00832c20a6ec113d6822 - // 99550d7a6e0f345e25 - "4dc9e86e076a395b530868d9fec9f858bd6e8c10cc1e32cae7653abb3f23991c" - + "677e970ee468c7f35022f3241f5d35673a8cf4ce9134b1e63a994dc7abc8cf4b" - + "9dbbb126b314312539931a0163c911f0234f5c3f683c9376f2ecaa3294d71a12" - + "74f6c63b84ea8faf826eacb05e4fa5459b787ff384b2cfe0f1f4c755f32b5c50", - - // wrong oid - // padding:302d300906052b0e03021a05000420532eaabd9574880dbf76b9b8cc00832c20a6ec113d682299550d - // 7a6e0f345e25 - "8bbc9167821885a728260bf9831120ecc42c14b2b07854169c86421146367d1b" - + "ec66d8c3daadd115f16a29754e7fa8fb70a63966f7838484615d4364311b6c3f" - + "6e73ecd8ced0adb52db2c374297119f5fe571bd5396529d13b7225e87db5b5b0" - + "df38e4c56f2349071b09ff5c1ded919b398d4aff38c6ae29af6f6ff99d3e8836", - - // longer oid - // padding:3032300e060a6086480165030402010105000420532eaabd9574880dbf76b9b8cc00832c20a6ec113d - // 682299550d7a6e0f345e25 - "2054d402bf6a148b52972b830c8c8a16a6aeddbcd5c2ae3fd83de67c666e712f" - + "a98650308658837a67ab87b2c444bedc7cf995c19af433da9343f260049b1bcb" - + "436ebe27d8a502728dfb0daac5d2710e2c39fa000b909aede07ad7a0d27629e0" - + "ac27ed9fcd41a39e09f7acdec4c2df77f38c535f46e3b96f2772a81e65e74bb8", - - // oid with modified node - // padding:3031300d060960864801650304021105000420532eaabd9574880dbf76b9b8cc00832c20a6ec113d68 - // 2299550d7a6e0f345e25 - "3a94d241563a2ad97574ec82baefccd9dd114e21fa9169d0f54c4d0f57826224" - + "804ddc9b29c1905c59f39bd6aa3366705a85f5e6e18c0eb0f67986b5265e7371" - + "865b618e90e5c5313f0b6fce2343aa12d4ed44d6770fa08d4f1342608a4fb627" - + "a273f3a1f1340d1f5c55957ce51048e3690a845851009cbfe38d3c96e96d4172", - // padding:30353011060d6086480165030402888080800105000420532eaabd9574880dbf76b9b8cc00832c20a6 - // ec113d682299550d7a6e0f345e25 - "079cb62831dbeb40a638402865cc92cb49913dae214babc3f4f8d69d64cf1436" - + "2c23c8dd6ebcee9c44633dd54a62bb2f0042c20033728fc2f8ff482cf0be3ee1" - + "03bacf757b50319495d9a838844ea1064f4bd1f1ebdc1b71a318c3c8f7d76ebd" - + "79ef2f3991d4d87e110d60e5fc655adfa4a8e792e46c1c7aa96156b884e2f7a9", - - // large integer in oid - // padding:303a3016061260864801650304028280808080808080800105000420532eaabd9574880dbf76b9b8cc - // 00832c20a6ec113d682299550d7a6e0f345e25 - "2c9083459ba6504dc10e0e63edf8ede8bdb4a9728673306908ad4e8f25656d48" - + "65f0748b9fd2cf7b51db0a2c659e0ce021fef3d2d3d0cf7c45343729c2001a19" - + "d37e29398a9a7e92d7f62693252261f1f7406b54af5447db6e846f981722059b" - + "7bb09ba95268c321c156ff659e0ce8e709d2819d5ce15f5dcfa54c55114a611a", - - // oid with invalid node - // padding:3032300e060a608648016503040201e005000420532eaabd9574880dbf76b9b8cc00832c20a6ec113d - // 682299550d7a6e0f345e25 - "9a76669c75f0f11399699f76e7bfbefc0d29feb5a8d86de1f751eedbb5c9e7b8" - + "1ecbc224534db67cfe1b611951a6ff499d86e11cac4a1725e2ff707085a81a76" - + "c73d5b53d1b0b2c4fab2d2eebe57eca83242a261cfca768abcd8e1f42e3841d6" - + "98bef3d4f16ac2dfab0fd42ef0abb0463474367dff7ec99d665a9838f2cfc24c", - // padding:3032300e060a6080864801650304020105000420532eaabd9574880dbf76b9b8cc00832c20a6ec113d - // 682299550d7a6e0f345e25 - "6674ec2352f0d3e90f4b72086f39815db11b056babc57644c8a703014f439baa" - + "46e8ed961714d5c7b5f0ec97ba3fe5ab867c16b7e1de089868dcb195fc20cc42" - + "fa1b3d3060f50cca77281bb6be18d65a1ee8e5a381e21e7f02e819752b71327a" - + "28719c7284f6425bc9241abb08d000faf58d48848d7f4b8d68b28266e663f36b", - - // appending 0's to null - // padding:3033300f0609608648016503040201050200000420532eaabd9574880dbf76b9b8cc00832c20a6ec11 - // 3d682299550d7a6e0f345e25 - "8d18a5e0a81522b56eb9e4f43bee15475cdfc7881006150cc230e76028283375" - + "a13425fe5a106f2626346a65817010a5510b157b234a16fcb9426909a524a288" - + "161537be91ab13033ed296f5f8c1e5c3bdb963f12d7b5eded46106f7c2dc1ae9" - + "c451415303cb7e6a3f59809b922183b9638197909d5730e5b1e89705fbbe8464", - - // appending 0's to digest - // padding:3033300d060960864801650304020105000422532eaabd9574880dbf76b9b8cc00832c20a6ec113d68 - // 2299550d7a6e0f345e250000 - "51640e26e8764936a7d9d709b3e0f52a5f1843453f2c6107a8e7fd6dad8b1c02" - + "ecc71659cd4134be952c03ee83c190bea4ea7260e5472c3cdf87b6ad45b5c974" - + "957ee9b4bf6f30152c2d939f722cff32e5482db96f3e283532b96716d3624daf" - + "16767e0ecdad16c97e56e4e076d64b92af329d2d6a2f8d14b59d1b84853659ab", - - // prepending 0's to digest - // padding:3033300d0609608648016503040201050004220000532eaabd9574880dbf76b9b8cc00832c20a6ec11 - // 3d682299550d7a6e0f345e25 - "9080bd4ac03b7ecedd45f8165360d4848bdfe1c9212ee1a4debc1aa92886cd79" - + "47a2df5435789bbb0b3e8f78815aac80e2cff14e1939e9ec32f42e7c29ed4029" - + "c88cafb64e8523dc85217c40d1bba900468a69c5bd4d12ac67401698fbffaa51" - + "59907ad459d3843e12487b3b2315c585881bc42e45543f7cf25110ab7e0a19f4", - - // dropping value of digest - // padding:3011300d060960864801650304020105000400 - "5f66f645307346216d3ba9c3d8b29e96270cb3b2e686a676fe975c10b8c26fda" - + "8d8eb172628bb3dcd726160c13ab8c5afb1d6ae943ea4c18d00465d97c0d2bcc" - + "27a63c18457ff8d6e3f5ba373b4be7b6f4c610f83578613f4fe41a40d86230af" - + "ce0bb8d4496425a5bf0a80c6b1b1e2a981cd44c31a9aa603748c3d2fd2b85478", - - // modify first byte of digest - // padding:3031300d060960864801650304020105000420522eaabd9574880dbf76b9b8cc00832c20a6ec113d68 - // 2299550d7a6e0f345e25 - "8ccff4ab4fd8534b6b50593f775bf6684391225adc37745e7ff25a4c4baff78a" - + "252aa1177ea3f3f09d2791da50ba19cef40ab8915379f128bba3271069cc2c02" - + "725e09f0b2cdfa0d313eba3f5a7e231588fd617b7d90b285e88a944d7d0a7fe9" - + "cc558dfe8103391ab2e6fbf762d829a55ed4486b5d888957078ffcf49e8ec352", - - // modify last byte of digest - // padding:3031300d060960864801650304020105000420532eaabd9574880dbf76b9b8cc00832c20a6ec113d68 - // 2299550d7a6e0f345e24 - "694b90d259b8dbe290f5851ede2ebf3bb718c1674ab1d3b7b6418e8ef7ea0760" - + "bf3ce69d98a7a3baae5aee488cddfb877972fa88ad05996879d0ce15aca53591" - + "423bf1b1b3ff02f823cdbb26bb80e3f7b83c3b7ac01ad7806335f871cd7b7e9e" - + "64708c200a9cd092589131aeb7db15655174000cf7db782bd54325ea956a1a15", - - // truncate digest - // padding:3030300d06096086480165030402010500041f532eaabd9574880dbf76b9b8cc00832c20a6ec113d68 - // 2299550d7a6e0f345e - "888cd9bdece5ceeef0fea92727ef1a1d996960f3f551bf108682f81035903236" - + "69ba1ab48becd14a49b87a900434d0ca7670d094b08b2f851834757bef580d2d" - + "3278d85b88036ea90d4c2a673dfafeb0c3701332c2b77493110d9b28dade7e98" - + "5ec27240c90498372fc00ac8e0e5547e4d59cdd19022b8d961f3b63630b5448d", - // padding:3030300d06096086480165030402010500041f2eaabd9574880dbf76b9b8cc00832c20a6ec113d6822 - // 99550d7a6e0f345e25 - "762c745262627d0df634d6cce41fb8af3cb855fc2d974b8093b035e9d11e510b" - + "9b7e7d61581b8f262fc1c4b8a6da3f6d609512e32f16416c7449c623c1773417" - + "032ddf2a559d7eb3af129fd02f83b5e35f5b5c065b1e0bc6481f38b6361f0b01" - + "8b5e7166e8e67dddcf1550222f125efde241a27b0e7f670d15346dde082a8c4e", - - // wrong hash in padding - // padding:3030300c06082a864886f70d020505000420532eaabd9574880dbf76b9b8cc00832c20a6ec113d6822 - // 99550d7a6e0f345e25 - "27830ed405bc9d34009ec6258b766100273b4dcf2a9b3cf6ae31029837c6e24c" - + "f6e819734c1fd10c2c23db34d227d98d3498850f083ecd78b648baccfd4647a5" - + "72607dedbc2b8ab7a595c0594ece904380e7f395ba4840a81367e99275cde106" - + "4fc6f7fbd564c5f26ddd0103991ae8262eaf16623685b43f77ea7a05d080166a", - // padding:3031300d060960864801650304020205000420532eaabd9574880dbf76b9b8cc00832c20a6ec113d68 - // 2299550d7a6e0f345e25 - "4cdfa8cd615bcdefa253d75212e4ed0a1fd60841656c6a749690cb0c6c3cd723" - + "b518560c3b11a734010acf6e38f0526338351d9b58351826b360c851d3c86429" - + "f38eb689e8555aa2a23157e197faebdd29bc49f84c10dacca655cd5fa50fdec8" - + "6a72f0ff1c7f8feeec31fee188fbfa72776a7b5cdae1c1506830bd3a00181b13", - // padding:3031300d060960864801650304020305000420532eaabd9574880dbf76b9b8cc00832c20a6ec113d68 - // 2299550d7a6e0f345e25 - "024746d8dd71ecfe33cf0ad7ab8ddab9dfeb5740ec47b8ddd668f07b8f7610f7" - + "26692404ac14c3a1947ff4246fe0a9e216131489125e71df68d60930fac06a20" - + "e948a3e4948aff5e3f9772155f8bd6772b1cefd8180ae719afc061e2f0d68a69" - + "769930b8d90ca4ecd6c7b20d04f0cc939502e698ad1c500403763c0205f6870d", - - // wrong hash in signature - // padding:3020300c06082a864886f70d0205050004100cbc6611f5540bd0809a388dc95a615b - "3a152ced8b5e0efa33cd57d4afe67f31ed3b9fb22e7b0ff32795cd9510374fa0" - + "9fc63a3366465f83ba4d44e36418a5c1d171b6ca05d8c74a242983d5e5912cd0" - + "5bdbd75fcfd5b4eda7cadab21e6dcefca8e2ab7303871ef360beff45564a01bd" - + "c887d9e849e407c6aa5b12055647f6c9df49758d1272f7cb476f51088e21f246", - // padding:3021300906052b0e03021a05000414640ab2bae07bedc4c163f679a746f7ab7fb5d1fa - "3765b8800e6ccf29544d834034e39f8fe7a2e6dfd7e6b4a8f81df091bbfd7aa1" - + "7edfa6005024fe04d35c340a2215fd3f1cf4b4dfdd3c8ad09e6df2c2256c7541" - + "e19c2e80051d1ef5df5c384bfb6be88c4415eb2740db2d9fb3214890a8a0f191" - + "46dfb7897bacc02700a89139dc8fb21b2a7bbfbd43604d7f384cc00aecefb4ef", - // padding:3041300d0609608648016503040202050004307b8f4654076b80eb963911f19cfad1aaf4285ed48e82 - // 6f6cde1b01a79aa73fadb5446e667fc4f90417782c91270540f3 - "5c5b097c21ac2eb156de39d1eaebe3b96082f54b0171469a94edf7d2027ebfde" - + "bc0837f766cfefec577e7b797c7a082df2ecc826e55d39927b01c2da26f8f681" - + "4ec993e3b93ee87a3418322b65ac652b3bba6d34373a13fd40b66be489938fad" - + "f67bbda762f6ee09a1ddc41382051d4a9a946e0df832bc65b7d5dd58cc5a402b", - // padding:3051300d060960864801650304020305000440c6ee9e33cf5c6715a1d148fd73f7318884b41adcb916 - // 021e2bc0e800a5c5dd97f5142178f6ae88c8fdd98e1afb0ce4c8d2c54b5f37b30b7da1997bb33b0b8a31 - "0ede4ac9ffcb6d3d42c75cf73303a28ba6089941f68dcf392a75b071f6c149a1" - + "09cab95b80a679ca3b29ae44e51c18a2db4c72211ae6b959c7f22e854c45f20f" - + "5560446f33be4819f08d981d2fb176d48039ac4acd28127d593f9e219ad40e2a" - + "5ee911b334b3b8bb290f2327524e3faae2c028745e03d58882bfe503c4ff04b2", - - // using PKCS#1 encryption padding - // padding:0002ff...00<asn wrapped hash> - "6c0b3edf5f6e5d3f07057d0b752e89cfdd1c289ad18a0ba94670cd36547734e2" - + "c7bb32dd49709f0f7149944c450c23b7f2d360e3602cad5ddff7fd9d711eef6d" - + "d4c32e66c4433f041fffefe112024a655bc5bacbd0914bbb2b2a41a91b1293fe" - + "9478ddca926a13e6131cc5e9b70625eac1e533ce8171a2dc7b2c4a490e966445", - // padding:0002ff...00<hash> - "1acce04e348a5c8377c54d8ddd8ec2d8c5cb9b195863c32eb716745f3462b5f2" - + "49b612aefb31ba484949d0a0cb5cb8e1f06c1cec58fe5ffff6ba796218c46c3e" - + "527c7ab0c4276ccbafd133812faec33721a08542e7e3a34449bebbb28bd0f289" - + "94c6801ba5c971991004e31de8f728f6bc37a4ec7b049c1f2dc64d4be9415462", - - // invalid PKCS#1 signature padding - // padding:0001ff...ee00 - "61a4066d0b64964100ecf583325cad10b53912aba1bf3606720d2bdd8e21120b" - + "b0b5e4323987d96039819ccce0e5e90854bc0e5c239ab198f75b00355a04e4eb" - + "1f855f76697cd65732820575306eb9323954bc5913568a7278fcdeff8e8acad4" - + "481e3559f8c44a0be3bc02bae437c3146e4516632b3fe788c3a0e44171155728", - - // PKCS#1 padding too short - // padding:000001ff... - "979a313677883b0980997f1cb525f43401739945860149dcad80f602df8abed4" - + "fd85bcd6e174d9183a5a44008fd77b5a5abcffbcfd4f47ccd2dabef963d9b228" - + "310d99000ed0cebbf61438cbe586985bcffb3923a8467a97ae791d0b04925c08" - + "94b5a41583d6de72d4369f481f66abce41a577fb128fc0b0aeec746ec089d834", - - // invalid length - // padding:2 bytes too long - "ab9014dc47d44b6d260fc1fef9ab022042fd9566e9d7b60c54100cb6e1d4edc9" - + "8590467d0502c17fce69d00ac5efb40b2cb167d8a44ab93d73c4d0f109fb5a26" - + "c2f8823236ff517cf84412e173679cfae42e043b6fec81f9d984b562517e6feb" - + "e1f72295dbc3fdfc19d3240aa75515563f31dad83563f3a315acf9a0b351a23f" - + "0000", - }; - - @Test - public void testBasic() throws Exception { - String algorithm = "SHA256WithRSA"; - String hashAlgorithm = "SHA-256"; - String message = "Hello"; - int keysize = 2048; - - KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA"); - keyGen.initialize(keysize); - KeyPair keyPair = keyGen.generateKeyPair(); - RSAPublicKey pub = (RSAPublicKey) keyPair.getPublic(); - RSAPrivateKey priv = (RSAPrivateKey) keyPair.getPrivate(); - - byte[] messageBytes = message.getBytes("UTF-8"); - Signature signer = Signature.getInstance(algorithm); - Signature verifier = Signature.getInstance(algorithm); - signer.initSign(priv); - signer.update(messageBytes); - byte[] signature = signer.sign(); - verifier.initVerify(pub); - verifier.update(messageBytes); - assertTrue(verifier.verify(signature)); - - // Extract some parameters. - byte[] rawHash = MessageDigest.getInstance(hashAlgorithm).digest(messageBytes); - - // Print keys and signature, so that it can be used to generate new test vectors. - System.out.println("Message:" + message); - System.out.println("Hash:" + TestUtil.bytesToHex(rawHash)); - System.out.println("Public key:"); - System.out.println("Modulus:" + pub.getModulus().toString()); - System.out.println("E:" + pub.getPublicExponent().toString()); - System.out.println("encoded:" + TestUtil.bytesToHex(pub.getEncoded())); - System.out.println("Private key:"); - System.out.println("D:" + priv.getPrivateExponent().toString()); - System.out.println("encoded:" + TestUtil.bytesToHex(priv.getEncoded())); - System.out.println("Signature:" + TestUtil.bytesToHex(signature)); - } - - /** - * Tests an RSA signature implementation with a number of vectors. The test assumes that the first - * test vector is valid, but everything else is invalid. Many of the test vectors are derived by - * signing modified ASN encodings. Hence accepting an invalid signature does not mean by itself - * that the implementation can be broken, but often points to a bigger problem. The test expects - * that verifying an invalid signature either leads to a return value False or will result in a - * SignatureException. Verifying an RSA signature should not result in an RuntimeException, so - * that reasonably implementated applications can be expected to catch and treat invalid - * signatures appropriately. While RuntimeExceptions may not be exploitable, they often indicate - * an oversight in the implementation of the provider. - * https://docs.oracle.com/javase/tutorial/essential/exceptions/runtime.html - */ - private void testVectors(RSAPublicKeySpec key, String algorithm, String[] testvectors) - throws Exception { - byte[] message = "Test".getBytes("UTF-8"); - Signature verifier = Signature.getInstance(algorithm); - KeyFactory kf = KeyFactory.getInstance("RSA"); - PublicKey pub = kf.generatePublic(key); - int errors = 0; - boolean first = true; - for (String signature : testvectors) { - byte[] signatureBytes = TestUtil.hexToBytes(signature); - verifier.initVerify(pub); - verifier.update(message); - boolean verified = false; - try { - verified = verifier.verify(signatureBytes); - } catch (SignatureException ex) { - // verify can throw SignatureExceptions if the signature is malformed. - } - if (first && !verified) { - System.out.println("Valid signature not verified:" + signature); - errors++; - } else if (!first && verified) { - System.out.println("Incorrect signature verified:" + signature); - errors++; - } - first = false; - } - assertEquals(0, errors); - } - - /** SunJCE threw an OutOfMemoryError with one of the signatures. */ - @Test - public void testVectorsAll() throws Exception { - testVectors(RSA_KEY1, ALGORITHM_KEY1, SIGNATURES_KEY1); - } - - /** - * Signatures with legacy encoding. Such signatures are sometimes accepted to be compatible with - * previously buggy implementations. - */ - static final String[] LEGACY_SIGNATURES_KEY1 = { - // A signature where the NULL parameter is missing in the ASN encoding. - // padding = 302f300b06096086480165030402010420532eaabd9574880dbf - // 76b9b8cc00832c20a6ec113d682299550d7a6e0f345e25 - "253e1d19bbe91064f2364c1e7db3ba8eb6dc5b19202e440eab6fbdf28c8c6ec0" - + "5b812983713c338c72b6e99b8edf506a89ff9fc8e5c2c52362097a56dc228060" - + "eca01e1ff318c6c81617691438703411c1f953b21cd74331f87c9b8b189fdffd" - + "fe8550bd2bd1d47be915f8604a0f472199dd705e19b1b815f99b68d60bc257c7", - }; - - /** - * Tests legacy signatures. In this context we use the term legacy signatures for signatures that - * are not conforming to the PKCS #1 standard, but are sometimes generated by buggy signers. So - * far this test considers both accepting and rejecting such signatures as valid behavior. - * - * <p>Currently we check for just one type of legacy signatures: i.e., a missing NULL parameter in - * the ASN encoding of the hash. BouncyCastle and the SunJCE accept this signature, Conscrypt does - * not. - * - * <p>Some references that support accepting this signature: - * https://codereview.chromium.org/1690123002/ - * https://groups.google.com/a/chromium.org/forum/#!topic/chromium-reviews/Jo5S7HtEABI claims that - * 7% of the responses in the Online Certificate Status Protocol (OCSP) miss the NULL parameter - */ - @Test - public void testLegacySignatures() throws Exception { - RSAPublicKeySpec key = RSA_KEY1; - String algorithm = ALGORITHM_KEY1; - byte[] message = "Test".getBytes("UTF-8"); - Signature verifier = Signature.getInstance(algorithm); - KeyFactory kf = KeyFactory.getInstance("RSA"); - PublicKey pub = kf.generatePublic(key); - for (String signature : LEGACY_SIGNATURES_KEY1) { - byte[] signatureBytes = TestUtil.hexToBytes(signature); - verifier.initVerify(pub); - verifier.update(message); - boolean verified = false; - try { - verified = verifier.verify(signatureBytes); - } catch (SignatureException ex) { - verified = false; - } - if (verified) { - System.out.println("Verfied legacy signature:" + signature); - } else { - System.out.println("Rejected legacy signature:" + signature); - } - } - } - - /** - * Faults during the generation of a signature can leak the information about the private key. - * A. K. Lenstra showed in "Memo on RSA signature generation in the presence of faults", - * (https://infoscience.epfl.ch/record/164524/files/nscan20.PDF) that PKCS #1 signatures are - * especially susceptible to faults when the Chinese Remainder Theorem is used to compute the - * signature: one single faulty signature is sufficient to leak the private key. - * - * One countermeasure that is often used in libraries is to blind the RSA computation and - * verify the signature before returning it. Nowadays, libraries are expected to have at least - * some countermeasures against faulty computations. In some cases (e.g. OpenSSL) the library - * tries to fix a faulty computation by generating a correct signature without using Chinese - * remaindering. - * - * The test here does not induce a fault. Instead it tries to sign with a faulty private key. - * The expected outcome of the test is that underlying provider either detects that the fault - * or generates a valid signature by ignoring the faulty CRT parameter. - * - * Since the test only simulates a fault, but does not actually induce a fault it is somewhat - * incomplete. It does not detect all vulnerable implementations. The test should nonetheless - * detect implementations that include no verification at all. - */ - @Test - public void testFaultySigner() throws Exception { - BigInteger e = new BigInteger("65537"); - BigInteger d = new BigInteger( - "1491581187972832788084570222215155297353839087630599492610691218" - + "6098027383804966741416365668088258821394558334495197493887270311" - + "7558637148793177374456685063919969705672268324029058661801838398" - + "1099187046803818325657704350675941092582695993374867459573741707" - + "2513551423973482044545986645893321692393572214394692273248819124" - + "5866638922766330300631727125395012955305761836925591665625409882" - + "5987442083465656021724458811783361811914866856391248003733867121" - + "5531501554906114868306919889638573670925006068497222709802245970" - + "0014474779292382225845722344584808716054088377124806520166137504" - + "58797849822813881641713404303944154638273"); - BigInteger q = new BigInteger( - "1327930250247153291239240833779228146841620599139480980326615632" - + "6868823273498280322301518048955331731683358443542450740927959439" - + "3056349447047388914345605165927201322192706870545643991584573901" - + "9099563807204264522234257863225478717589651408831271029849307682" - + "13198832542217762257092135384802889866043941823057701"); - BigInteger p = new BigInteger( - "1546732137638443281784728718025150988901748595222448633054370906" - + "7724307988669542799529278238746541544956234718616481585427107180" - + "6134464028933334724614223213582911567222033332353858049787180486" - + "8311341830570208335451999930773903649599388066890163502238099141" - + "76306676019969635213034585825883528127235874684082417"); - - BigInteger n = p.multiply(q); - BigInteger dp = d.mod(p.subtract(BigInteger.ONE)); - BigInteger dq = d.mod(q.subtract(BigInteger.ONE)); - BigInteger crt = q.modInverse(p); - RSAPrivateCrtKeySpec validKey = new RSAPrivateCrtKeySpec(n, e, d, p, q, dp, dq, crt); - RSAPrivateCrtKeySpec invalidKey = - new RSAPrivateCrtKeySpec(n, e, d, p, q, dp.add(BigInteger.valueOf(2)), dq, crt); - byte[] message = "Test".getBytes("UTF-8"); - KeyFactory kf = KeyFactory.getInstance("RSA"); - PrivateKey validPrivKey = kf.generatePrivate(validKey); - Signature signer = Signature.getInstance("SHA256WithRSA"); - signer.initSign(validPrivKey); - signer.update(message); - byte[] signature = signer.sign(); - PrivateKey invalidPrivKey = null; - try { - invalidPrivKey = kf.generatePrivate(invalidKey); - } catch (InvalidKeySpecException ex) { - // The provider checks the private key and notices a mismatch. - // This is a good sign, though of course in this case it means that we can't - // check for faults. - System.out.println("Provider catches invalid RSA key:" + ex); - return; - } - byte[] invalidSignature = null; - try { - signer.initSign(invalidPrivKey); - signer.update(message); - invalidSignature = signer.sign(); - } catch (Exception ex) { - // We do not necessarily expect a checked exception here, since generating - // an invalid signature typically indicates a programming error. - // Though RuntimeExceptions are fine here. - System.out.println("Generating PKCS#1 signature with faulty key throws:" + ex); - return; - } - String signatureHex = TestUtil.bytesToHex(signature); - String invalidSignatureHex = TestUtil.bytesToHex(invalidSignature); - if (signatureHex.equals(invalidSignatureHex)) { - // The provider generated a correct signature. This can for example happen if the provider - // does not use the CRT parameters. - System.out.println("Signature generation did not use faulty parameter"); - return; - } - fail("Generated faulty PKCS #1 signature with faulty parameters" - + " valid signature:" - + signatureHex - + " invalid signature:" - + invalidSignatureHex); - } -} |