author | evitayan <evitayan@google.com> | 2019-09-24 13:21:26 -0700 |
---|---|---|
committer | evitayan <evitayan@google.com> | 2019-10-07 11:57:38 -0700 |
commit | 7b28df935eab7255e03f6553de7241ddc90b751f (patch) | |
tree | 1c93e6cdec2dd656ac564b090a90d9c27d1f0085 /tests/iketests | |
parent | f955dbc56431a4c985c1d3341c665ade1c6ea8f1 (diff) | |
download | ike-7b28df935eab7255e03f6553de7241ddc90b751f.tar.gz |
Validate received digital signature
Bug: 124233517
Test: atest FrameworksIkeTests(new tests passed)
Change-Id: I149c5d73ffa0562374f009ec2f3e7da2db33f4aa
Diffstat (limited to 'tests/iketests')
-rw-r--r-- | tests/iketests/src/java/com/android/ike/ikev2/message/IkeAuthDigitalSignPayloadTest.java | 110 | ||||
-rw-r--r-- | tests/iketests/src/java/com/android/ike/ikev2/message/IkeAuthPayloadTest.java | 4 |
2 files changed, 102 insertions, 12 deletions
diff --git a/tests/iketests/src/java/com/android/ike/ikev2/message/IkeAuthDigitalSignPayloadTest.java b/tests/iketests/src/java/com/android/ike/ikev2/message/IkeAuthDigitalSignPayloadTest.java
index 00490f73..52f9259a 100644
--- a/tests/iketests/src/java/com/android/ike/ikev2/message/IkeAuthDigitalSignPayloadTest.java
+++ b/tests/iketests/src/java/com/android/ike/ikev2/message/IkeAuthDigitalSignPayloadTest.java
@@ -16,26 +16,73 @@ package com.android.ike.ikev2.message; +import static org.junit.Assert.assertArrayEquals; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertTrue; +import static org.junit.Assert.fail; import com.android.ike.TestUtils; +import com.android.ike.ikev2.SaProposal; +import com.android.ike.ikev2.crypto.IkeMacPrf; +import com.android.ike.ikev2.exceptions.AuthenticationFailedException; +import com.android.ike.ikev2.message.IkeSaPayload.PrfTransform; +import com.android.ike.ikev2.testutils.CertUtils; +import org.junit.Before; import org.junit.Test; +import java.security.cert.X509Certificate; + public final class IkeAuthDigitalSignPayloadTest { + // TODO: Build a RSA_SHA1 signature and add tests for it. + // RSA_SHA2_256 private static final String AUTH_PAYLOAD_BODY_GENERIC_DIGITAL_SIGN_HEX_STRING = - "0e0000000f300d06092a864886f70d01010b05007b2f4456878b1344e803f094" - + "159a59361bc639071b69de41915452c478b77a46ce4a2c96ddc7ba2c18d08406" - + "50ce51c77124605423a2f75d8ed4b5a1ec5944c3396221a39e25def09abe5c9f" - + "6d9cd70e8f6254d4c835015256c9d6c26f0c6d31ac96a2ed802ccb16e48e7ff3" - + "daf736221b18c2a972130a69edb197a505a312882baed95d38a47bf6784533f2" - + "ffee671d742b5ae463216e46ef970ee6a335ffb3fc9c170a680fb802bb950cb0" - + "5601339be8869a73f8f85254d792b6e91697d8893ccd34b5fb6aad6268c4ab0f" - + "9ead7b3f8a4a255e1b2eabfa3da0de284f3954cf49271918dd2d2db95c8e7812" - + "9aea77e5761ac5683a0b5af300ceb52f5e8d8168"; - // TODO: Build a RSA_SHA1 signature and add tests for it. 
+ "0e0000000f300d06092a864886f70d01010b05006f76af4150d653c5d4136b9f" + + "69d905849bf075c563e6d14ccda42361ec3e7d12c72e2dece5711ea1d952f7b8" + + "e12c5d982aa4efdaeac36a02b222aa96242cc424"; + private static final String SIGNATURE = + "6f76af4150d653c5d4136b9f69d905849bf075c563e6d14ccda42361ec3e7d12" + + "c72e2dece5711ea1d952f7b8e12c5d982aa4efdaeac36a02b222aa96242cc424"; + + private static final String IKE_INIT_RESP_HEX_STRING = + "02458497587b09d488d5b76480bce53d2120222000000000000001cc2200002c" + + "00000028010100040300000801000003030000080300000203000008020000020" + + "00000080400000e28000108000e000013d60e51c40922cb121e395bacbd627cdd" + + "d3240baa4fcefd29f65f8dd37329d68d4fb4854f8b8f07cfb60900e276d99a396" + + "1112ee866b5456cf588dc1092fd3bc19668fb8fa42872f51c0ee748bdb665dcbe" + + "15ac454f6ed966149954dac5187638d1ab61869d97a4873c4733c48cbe3acc8a6" + + "5cfea3ce83fd09fba174bf0ec56d73a0585859399e61c2c38e695841f8df8a511" + + "aadd438f56634165ad9b88e858c1585f1bee646943b8a96f5397721079a127b87" + + "fd286e8f869ae021ce82adf91fa360217ac32268b39b698bf06a4e89b8d0267af" + + "1c5b979b6493adb10a0e14aa707309e914b8d377903e75cb13cffbfde9c26842f" + + "b49a07a4497c9907d39515b290000244b8aed6297c09a5a0dda06c873f5573b34" + + "886dd779e90c19beca3fc54ab3cae02900001c00004004d8e7cb9d1e689ae8c84" + + "c5078355436f3347376ff2900001c0000400545bc3f2113770de91c769094f1bd" + + "614534e765ea290000080000402e290000100000402f000100020003000400000" + + "00800004014"; + private static final String NONCE_INIT_HEX_STRING = + "a5dded450b5ffd2670f37954367fce28279a085c830a03358b10b0872c0578f9"; + private static final String ID_RESP_PAYLOAD_BODY_HEX_STRING = "01000000c0a82b8a"; + private static final String SKP_RESP_HEX_STRING = "8FE8EC3153EDE924C23D6630D3C992A494E2F256"; + + private static final byte[] IKE_INIT_RESP_REQUEST = + TestUtils.hexStringToByteArray(IKE_INIT_RESP_HEX_STRING); + private static final byte[] NONCE_INIT_RESP = + TestUtils.hexStringToByteArray(NONCE_INIT_HEX_STRING); + private static 
final byte[] ID_RESP_PAYLOAD_BODY = + TestUtils.hexStringToByteArray(ID_RESP_PAYLOAD_BODY_HEX_STRING); + private static final byte[] PRF_RESP_KEY = TestUtils.hexStringToByteArray(SKP_RESP_HEX_STRING); + + private IkeMacPrf mIkeHmacSha1Prf; + + @Before + public void setUp() throws Exception { + mIkeHmacSha1Prf = + IkeMacPrf.create( + new PrfTransform(SaProposal.PSEUDORANDOM_FUNCTION_HMAC_SHA1), + IkeMessage.getSecurityProvider()); + } @Test public void testDecodeGenericDigitalSignPayload() throws Exception { 
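Review bot: The byte-array fixture names in the new constants block do not match the hex strings they wrap, which makes the argument list of `verifyInboundSignature` hard to read: `IKE_INIT_RESP_REQUEST` is built from `IKE_INIT_RESP_HEX_STRING` and `NONCE_INIT_RESP` from `NONCE_INIT_HEX_STRING`, so the nonce is labelled initiator on one side and responder on the other and one of them is presumably wrong. Renaming them `IKE_INIT_RESP` and `NONCE_INIT` (or the other way round, whichever side the vector really came from) and replacing the bare `// RSA_SHA2_256` with a short comment naming the fixtures, e.g. `// RSA_SHA2_256 vector: IKE_SA_INIT response, peer nonce, responder ID body and SK_pr presumably rebuild the signed octets`, would remove the ambiguity. `SIGNATURE` also repeats the last 64 bytes of `AUTH_PAYLOAD_BODY_GENERIC_DIGITAL_SIGN_HEX_STRING` verbatim; defining the body as `"0e0000000f300d06092a864886f70d01010b0500" + SIGNATURE` keeps the two from drifting apart when the vector is regenerated. A 64-byte RSA signature implies a 512-bit key behind `end-cert-small.pem`, which is fine for a parsing fixture but worth one comment so the key size is not copied as a recommendation.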
@@ -48,5 +95,48 @@ public final class IkeAuthDigitalSignPayloadTest {
 assertEquals(
 IkeAuthDigitalSignPayload.SIGNATURE_ALGO_RSA_SHA2_256,
 dsPayload.signatureAlgoAndHash);
+ assertArrayEquals(dsPayload.signature, TestUtils.hexStringToByteArray(SIGNATURE));
+ }
+
+ @Test
+ public void testVerifyInboundSignature() throws Exception {
+ byte[] inputPacket =
+ TestUtils.hexStringToByteArray(AUTH_PAYLOAD_BODY_GENERIC_DIGITAL_SIGN_HEX_STRING);
+ IkeAuthDigitalSignPayload payload =
+ (IkeAuthDigitalSignPayload) IkeAuthPayload.getIkeAuthPayload(false, inputPacket);
+
+ X509Certificate cert = CertUtils.createCertFromPemFile("end-cert-small.pem");
+
+ payload.verifyInboundSignature(
+ cert,
+ IKE_INIT_RESP_REQUEST,
+ NONCE_INIT_RESP,
+ ID_RESP_PAYLOAD_BODY,
+ mIkeHmacSha1Prf,
+ PRF_RESP_KEY);
+ }
+
+ @Test
+ public void testVerifyInboundSignatureFail() throws Exception {
+ byte[] inputPacket =
+ TestUtils.hexStringToByteArray(AUTH_PAYLOAD_BODY_GENERIC_DIGITAL_SIGN_HEX_STRING);
+ IkeAuthDigitalSignPayload payload =
+ (IkeAuthDigitalSignPayload) IkeAuthPayload.getIkeAuthPayload(false, inputPacket);
+
+ assertArrayEquals(payload.signature, TestUtils.hexStringToByteArray(SIGNATURE));
+ X509Certificate cert = CertUtils.createCertFromPemFile("end-cert-a.pem");
+
+ try {
+ payload.verifyInboundSignature(
+ cert,
+ IKE_INIT_RESP_REQUEST,
+ NONCE_INIT_RESP,
+ ID_RESP_PAYLOAD_BODY,
+ mIkeHmacSha1Prf,
+ PRF_RESP_KEY);
+ fail("Expected to fail due to wrong certificate.");
+ } catch (AuthenticationFailedException expected) {
+
+ }
 }
 }
diff --git a/tests/iketests/src/java/com/android/ike/ikev2/message/IkeAuthPayloadTest.java b/tests/iketests/src/java/com/android/ike/ikev2/message/IkeAuthPayloadTest.java
index a511d905..f2de2607 100644
--- a/tests/iketests/src/java/com/android/ike/ikev2/message/IkeAuthPayloadTest.java
+++ b/tests/iketests/src/java/com/android/ike/ikev2/message/IkeAuthPayloadTest.java
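Review bot: `testVerifyInboundSignatureFail` only exercises a wrong certificate, so a verifier that checked the certificate but never the signature bytes or the signed-octets inputs would still pass both new tests; a case that corrupts the signature while presenting the correct `end-cert-small.pem` pins the check that actually matters, and a second one with a wrong nonce or ID body would cover the other half. The `assertArrayEquals` calls in both methods pass (actual, expected) where JUnit's contract is (expected, actual), so failure messages read backwards; `assertArrayEquals(TestUtils.hexStringToByteArray(SIGNATURE), dsPayload.signature)`. The empty `catch (AuthenticationFailedException expected)` block would also read better with a one-line comment, `// expected: the certificate is not the signer's`.
```java
@Test
public void testVerifyInboundSignatureTamperedSignature() throws Exception {
    // Constructed vector: flip the low bit of the signature's last byte (0x24 -> 0x25).
    String hex = AUTH_PAYLOAD_BODY_GENERIC_DIGITAL_SIGN_HEX_STRING;
    byte[] tampered =
            TestUtils.hexStringToByteArray(hex.substring(0, hex.length() - 2) + "25");
    IkeAuthDigitalSignPayload payload =
            (IkeAuthDigitalSignPayload) IkeAuthPayload.getIkeAuthPayload(false, tampered);
    X509Certificate cert = CertUtils.createCertFromPemFile("end-cert-small.pem");

    try {
        payload.verifyInboundSignature(
                cert,
                IKE_INIT_RESP_REQUEST,
                NONCE_INIT_RESP,
                ID_RESP_PAYLOAD_BODY,
                mIkeHmacSha1Prf,
                PRF_RESP_KEY);
        fail("Expected to fail due to tampered signature.");
    } catch (AuthenticationFailedException expected) {
        // expected: the signature no longer verifies under the correct certificate
    }
}
```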
@@ -24,6 +24,7 @@ import static org.junit.Assert.fail; import com.android.ike.TestUtils; import com.android.ike.ikev2.SaProposal; import com.android.ike.ikev2.crypto.IkeMacPrf; +import com.android.ike.ikev2.exceptions.AuthenticationFailedException; import com.android.ike.ikev2.message.IkeSaPayload.PrfTransform; import org.junit.Before;
@@ -112,8 +113,7 @@ public final class IkeAuthPayloadTest { try { IkeAuthPayload payload = IkeAuthPayload.getIkeAuthPayload(false, inputPacket); fail("Expected Exception: authentication method is not supported"); - } catch (UnsupportedOperationException e) { - // TODO: Catch AuthenticationFailedException after it is implemented. + } catch (AuthenticationFailedException e) { } } |
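Review bot: The new `catch (AuthenticationFailedException e)` block in the second hunk is empty and names the variable `e`, while the sibling test added to `IkeAuthDigitalSignPayloadTest` in the same commit names it `expected`; using the same convention plus a one-line comment makes the intent visible, `} catch (AuthenticationFailedException expected) { // unsupported auth method is reported as an authentication failure }`. The `payload` local assigned inside the `try` is never read, so `IkeAuthPayload.getIkeAuthPayload(false, inputPacket);` on its own avoids an unused-variable warning. The enclosing test method starts outside the hunk.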