authorevitayan <evitayan@google.com>2019-09-24 13:21:26 -0700
committerevitayan <evitayan@google.com>2019-10-07 11:57:38 -0700
commit7b28df935eab7255e03f6553de7241ddc90b751f (patch)
tree1c93e6cdec2dd656ac564b090a90d9c27d1f0085 /tests/iketests
parentf955dbc56431a4c985c1d3341c665ade1c6ea8f1 (diff)
Validate received digital signature
Bug: 124233517 Test: atest FrameworksIkeTests(new tests passed) Change-Id: I149c5d73ffa0562374f009ec2f3e7da2db33f4aa
Diffstat (limited to 'tests/iketests')
-rw-r--r--tests/iketests/src/java/com/android/ike/ikev2/message/IkeAuthDigitalSignPayloadTest.java110
-rw-r--r--tests/iketests/src/java/com/android/ike/ikev2/message/IkeAuthPayloadTest.java4
2 files changed, 102 insertions, 12 deletions
diff --git a/tests/iketests/src/java/com/android/ike/ikev2/message/IkeAuthDigitalSignPayloadTest.java b/tests/iketests/src/java/com/android/ike/ikev2/message/IkeAuthDigitalSignPayloadTest.java
index 00490f73..52f9259a 100644
--- a/tests/iketests/src/java/com/android/ike/ikev2/message/IkeAuthDigitalSignPayloadTest.java
+++ b/tests/iketests/src/java/com/android/ike/ikev2/message/IkeAuthDigitalSignPayloadTest.java
@@ -16,26 +16,73 @@
package com.android.ike.ikev2.message;
+import static org.junit.Assert.assertArrayEquals;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
import com.android.ike.TestUtils;
+import com.android.ike.ikev2.SaProposal;
+import com.android.ike.ikev2.crypto.IkeMacPrf;
+import com.android.ike.ikev2.exceptions.AuthenticationFailedException;
+import com.android.ike.ikev2.message.IkeSaPayload.PrfTransform;
+import com.android.ike.ikev2.testutils.CertUtils;
+import org.junit.Before;
import org.junit.Test;
+import java.security.cert.X509Certificate;
+
public final class IkeAuthDigitalSignPayloadTest {
+ // TODO: Build a RSA_SHA1 signature and add tests for it.
+ // RSA_SHA2_256
private static final String AUTH_PAYLOAD_BODY_GENERIC_DIGITAL_SIGN_HEX_STRING =
- "0e0000000f300d06092a864886f70d01010b05007b2f4456878b1344e803f094"
- + "159a59361bc639071b69de41915452c478b77a46ce4a2c96ddc7ba2c18d08406"
- + "50ce51c77124605423a2f75d8ed4b5a1ec5944c3396221a39e25def09abe5c9f"
- + "6d9cd70e8f6254d4c835015256c9d6c26f0c6d31ac96a2ed802ccb16e48e7ff3"
- + "daf736221b18c2a972130a69edb197a505a312882baed95d38a47bf6784533f2"
- + "ffee671d742b5ae463216e46ef970ee6a335ffb3fc9c170a680fb802bb950cb0"
- + "5601339be8869a73f8f85254d792b6e91697d8893ccd34b5fb6aad6268c4ab0f"
- + "9ead7b3f8a4a255e1b2eabfa3da0de284f3954cf49271918dd2d2db95c8e7812"
- + "9aea77e5761ac5683a0b5af300ceb52f5e8d8168";
- // TODO: Build a RSA_SHA1 signature and add tests for it.
+ "0e0000000f300d06092a864886f70d01010b05006f76af4150d653c5d4136b9f"
+ + "69d905849bf075c563e6d14ccda42361ec3e7d12c72e2dece5711ea1d952f7b8"
+ + "e12c5d982aa4efdaeac36a02b222aa96242cc424";
+ private static final String SIGNATURE =
+ "6f76af4150d653c5d4136b9f69d905849bf075c563e6d14ccda42361ec3e7d12"
+ + "c72e2dece5711ea1d952f7b8e12c5d982aa4efdaeac36a02b222aa96242cc424";
+
+ private static final String IKE_INIT_RESP_HEX_STRING =
+ "02458497587b09d488d5b76480bce53d2120222000000000000001cc2200002c"
+ + "00000028010100040300000801000003030000080300000203000008020000020"
+ + "00000080400000e28000108000e000013d60e51c40922cb121e395bacbd627cdd"
+ + "d3240baa4fcefd29f65f8dd37329d68d4fb4854f8b8f07cfb60900e276d99a396"
+ + "1112ee866b5456cf588dc1092fd3bc19668fb8fa42872f51c0ee748bdb665dcbe"
+ + "15ac454f6ed966149954dac5187638d1ab61869d97a4873c4733c48cbe3acc8a6"
+ + "5cfea3ce83fd09fba174bf0ec56d73a0585859399e61c2c38e695841f8df8a511"
+ + "aadd438f56634165ad9b88e858c1585f1bee646943b8a96f5397721079a127b87"
+ + "fd286e8f869ae021ce82adf91fa360217ac32268b39b698bf06a4e89b8d0267af"
+ + "1c5b979b6493adb10a0e14aa707309e914b8d377903e75cb13cffbfde9c26842f"
+ + "b49a07a4497c9907d39515b290000244b8aed6297c09a5a0dda06c873f5573b34"
+ + "886dd779e90c19beca3fc54ab3cae02900001c00004004d8e7cb9d1e689ae8c84"
+ + "c5078355436f3347376ff2900001c0000400545bc3f2113770de91c769094f1bd"
+ + "614534e765ea290000080000402e290000100000402f000100020003000400000"
+ + "00800004014";
+ private static final String NONCE_INIT_HEX_STRING =
+ "a5dded450b5ffd2670f37954367fce28279a085c830a03358b10b0872c0578f9";
+ private static final String ID_RESP_PAYLOAD_BODY_HEX_STRING = "01000000c0a82b8a";
+ private static final String SKP_RESP_HEX_STRING = "8FE8EC3153EDE924C23D6630D3C992A494E2F256";
+
+ private static final byte[] IKE_INIT_RESP_REQUEST =
+ TestUtils.hexStringToByteArray(IKE_INIT_RESP_HEX_STRING);
+ private static final byte[] NONCE_INIT_RESP =
+ TestUtils.hexStringToByteArray(NONCE_INIT_HEX_STRING);
+ private static final byte[] ID_RESP_PAYLOAD_BODY =
+ TestUtils.hexStringToByteArray(ID_RESP_PAYLOAD_BODY_HEX_STRING);
+ private static final byte[] PRF_RESP_KEY = TestUtils.hexStringToByteArray(SKP_RESP_HEX_STRING);
+
+ private IkeMacPrf mIkeHmacSha1Prf;
+
+ @Before
+ public void setUp() throws Exception {
+ mIkeHmacSha1Prf =
+ IkeMacPrf.create(
+ new PrfTransform(SaProposal.PSEUDORANDOM_FUNCTION_HMAC_SHA1),
+ IkeMessage.getSecurityProvider());
+ }
@Test
public void testDecodeGenericDigitalSignPayload() throws Exception {
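Review bot: The new fixture names do not line up with what they hold: `NONCE_INIT_HEX_STRING` is decoded into `NONCE_INIT_RESP`, `SKP_RESP_HEX_STRING` into `PRF_RESP_KEY`, and `IKE_INIT_RESP_REQUEST` reads as both a response and a request. These values together with `ID_RESP_PAYLOAD_BODY` appear to be the inputs to the responder's signed octets (RFC 7296 section 2.15), so I would rename the byte arrays to `IKE_INIT_RESP`, `NONCE_INIT` and `SK_PR`. A comment above the block would also help, for example `// Inputs to the responder's signed octets: IKE_SA_INIT response | Ni | prf(SK_pr, IDr')`. Without that, a reader checking which data is bound into the signature has to guess which peer each value belongs to. The class body continues outside this hunk.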
@@ -48,5 +95,48 @@ public final class IkeAuthDigitalSignPayloadTest {
assertEquals(
IkeAuthDigitalSignPayload.SIGNATURE_ALGO_RSA_SHA2_256,
dsPayload.signatureAlgoAndHash);
+ assertArrayEquals(dsPayload.signature, TestUtils.hexStringToByteArray(SIGNATURE));
+ }
+
+ @Test
+ public void testVerifyInboundSignature() throws Exception {
+ byte[] inputPacket =
+ TestUtils.hexStringToByteArray(AUTH_PAYLOAD_BODY_GENERIC_DIGITAL_SIGN_HEX_STRING);
+ IkeAuthDigitalSignPayload payload =
+ (IkeAuthDigitalSignPayload) IkeAuthPayload.getIkeAuthPayload(false, inputPacket);
+
+ X509Certificate cert = CertUtils.createCertFromPemFile("end-cert-small.pem");
+
+ payload.verifyInboundSignature(
+ cert,
+ IKE_INIT_RESP_REQUEST,
+ NONCE_INIT_RESP,
+ ID_RESP_PAYLOAD_BODY,
+ mIkeHmacSha1Prf,
+ PRF_RESP_KEY);
+ }
+
+ @Test
+ public void testVerifyInboundSignatureFail() throws Exception {
+ byte[] inputPacket =
+ TestUtils.hexStringToByteArray(AUTH_PAYLOAD_BODY_GENERIC_DIGITAL_SIGN_HEX_STRING);
+ IkeAuthDigitalSignPayload payload =
+ (IkeAuthDigitalSignPayload) IkeAuthPayload.getIkeAuthPayload(false, inputPacket);
+
+ assertArrayEquals(payload.signature, TestUtils.hexStringToByteArray(SIGNATURE));
+ X509Certificate cert = CertUtils.createCertFromPemFile("end-cert-a.pem");
+
+ try {
+ payload.verifyInboundSignature(
+ cert,
+ IKE_INIT_RESP_REQUEST,
+ NONCE_INIT_RESP,
+ ID_RESP_PAYLOAD_BODY,
+ mIkeHmacSha1Prf,
+ PRF_RESP_KEY);
+ fail("Expected to fail due to wrong certificate.");
+ } catch (AuthenticationFailedException expected) {
+
+ }
}
}
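Review bot: The only negative case, `testVerifyInboundSignatureFail`, swaps the certificate, so nothing here shows that verification rejects a payload when the right certificate is used but the signed data differs. A test that keeps `end-cert-small.pem` and alters one input (the nonce, the IKE_SA_INIT bytes or the ID payload body) would pin the property that the signature is bound to the exchange, not only to the key. Separately, both `assertArrayEquals` calls pass the actual value first; JUnit expects `assertArrayEquals(TestUtils.hexStringToByteArray(SIGNATURE), dsPayload.signature);`. The first added assertion sits in `testDecodeGenericDigitalSignPayload`, whose body starts outside this hunk.

```java
    // … unchanged: testVerifyInboundSignature, testVerifyInboundSignatureFail …

    @Test
    public void testVerifyInboundSignatureFailWithModifiedNonce() throws Exception {
        byte[] inputPacket =
                TestUtils.hexStringToByteArray(AUTH_PAYLOAD_BODY_GENERIC_DIGITAL_SIGN_HEX_STRING);
        IkeAuthDigitalSignPayload payload =
                (IkeAuthDigitalSignPayload) IkeAuthPayload.getIkeAuthPayload(false, inputPacket);

        // Same certificate as the passing test; only the signed data changes.
        X509Certificate cert = CertUtils.createCertFromPemFile("end-cert-small.pem");
        byte[] modifiedNonce = NONCE_INIT_RESP.clone();
        modifiedNonce[0] ^= 0x01;

        try {
            payload.verifyInboundSignature(
                    cert,
                    IKE_INIT_RESP_REQUEST,
                    modifiedNonce,
                    ID_RESP_PAYLOAD_BODY,
                    mIkeHmacSha1Prf,
                    PRF_RESP_KEY);
            fail("Expected to fail due to modified signed data.");
        } catch (AuthenticationFailedException expected) {
            // Verification must reject a signature computed over different data.
        }
    }
```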
diff --git a/tests/iketests/src/java/com/android/ike/ikev2/message/IkeAuthPayloadTest.java b/tests/iketests/src/java/com/android/ike/ikev2/message/IkeAuthPayloadTest.java
index a511d905..f2de2607 100644
--- a/tests/iketests/src/java/com/android/ike/ikev2/message/IkeAuthPayloadTest.java
+++ b/tests/iketests/src/java/com/android/ike/ikev2/message/IkeAuthPayloadTest.java
@@ -24,6 +24,7 @@ import static org.junit.Assert.fail;
import com.android.ike.TestUtils;
import com.android.ike.ikev2.SaProposal;
import com.android.ike.ikev2.crypto.IkeMacPrf;
+import com.android.ike.ikev2.exceptions.AuthenticationFailedException;
import com.android.ike.ikev2.message.IkeSaPayload.PrfTransform;
import org.junit.Before;
@@ -112,8 +113,7 @@ public final class IkeAuthPayloadTest {
try {
IkeAuthPayload payload = IkeAuthPayload.getIkeAuthPayload(false, inputPacket);
fail("Expected Exception: authentication method is not supported");
- } catch (UnsupportedOperationException e) {
- // TODO: Catch AuthenticationFailedException after it is implemented.
+ } catch (AuthenticationFailedException e) {
}
}
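Review bot: The rewritten catch block is empty and names its variable `e`, while the new tests in IkeAuthDigitalSignPayloadTest use `expected` for the same pattern. I would write `} catch (AuthenticationFailedException expected) {` so that the intentionally ignored exception reads the same way in both files. The local `payload` assigned inside the `try` is never read, so the call can stand alone as `IkeAuthPayload.getIkeAuthPayload(false, inputPacket);`. The enclosing test method starts outside this hunk.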