use of com.google.security.wycheproof.WycheproofRunner.NoPresubmitTest in project wycheproof by google.
the class AesGcmTest method testByteBufferShiftedAlias.
/**
* Encryption with ByteBuffers should be copy-safe even if the buffers have different starting
* offsets and/or do not make the backing array visible.
*
* <p>Note that bugs in this often require a sizeable input to reproduce; the default
* implementation of engineUpdate(ByteBuffer, ByteBuffer) copies through 4KB bounce buffers, so we
* need to use something larger to see any problems - 8KB is what we use here.
*
* @see https://bugs.openjdk.java.net/browse/JDK-8181386
*/
@NoPresubmitTest(providers = { ProviderType.BOUNCY_CASTLE, ProviderType.OPENJDK }, bugs = { "b/64378943" })
@Test
public void testByteBufferShiftedAlias() throws Exception {
byte[] ptVector = new byte[8192];
for (int i = 0; i < 3; i++) {
// outputOffset = offset relative to start of input.
for (int outputOffset = -1; outputOffset <= 1; outputOffset++) {
SecretKeySpec key = new SecretKeySpec(new byte[16], "AES");
GCMParameterSpec parameters = new GCMParameterSpec(128, new byte[12]);
Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
cipher.init(Cipher.ENCRYPT_MODE, key, parameters);
ByteBuffer output, input, inputRO;
// We'll try three scenarios: Ordinary array backed buffers, array backed buffers where one
// is read-only, and direct byte buffers.
String mode;
// offsets relative to start of buffer
int inputOffsetInBuffer = 1;
int outputOffsetInBuffer = inputOffsetInBuffer + outputOffset;
int sliceLength = cipher.getOutputSize(ptVector.length);
int bufferSize = sliceLength + Math.max(inputOffsetInBuffer, outputOffsetInBuffer);
switch(i) {
case 0:
case 1:
{
byte[] buffer = new byte[bufferSize];
// It's important to slice() here as otherwise later when we flip() position will be
// reset to 0.
output = ByteBuffer.wrap(buffer, outputOffsetInBuffer, sliceLength).slice();
input = ByteBuffer.wrap(buffer, inputOffsetInBuffer, sliceLength).slice();
if (i == 1) {
mode = "array backed buffers with RO buffer";
inputRO = input.asReadOnlyBuffer();
} else {
mode = "array backed buffers";
inputRO = input.duplicate();
}
break;
}
case 2:
{
mode = "direct buffers";
ByteBuffer buf = ByteBuffer.allocateDirect(bufferSize);
output = buf.duplicate();
output.position(outputOffsetInBuffer);
output.limit(sliceLength + outputOffsetInBuffer);
output = output.slice();
input = buf.duplicate();
input.position(inputOffsetInBuffer);
input.limit(sliceLength + inputOffsetInBuffer);
input = input.slice();
inputRO = input.duplicate();
break;
}
default:
{
throw new AssertionError("Unknown test index " + i);
}
}
// Now that we have our overlapping 'input' and 'output' buffers, we can write our plaintext
// into the input buffer.
input.put(ptVector);
input.flip();
// Make sure the RO input buffer has the same limit in case the plaintext is shorter than
// sliceLength (which it generally will be for anything other than ECB or CTR mode)
inputRO.limit(input.limit());
try {
int ctSize = cipher.doFinal(inputRO, output);
// Now flip the buffers around and undo everything
byte[] tmp = new byte[ctSize];
output.flip();
output.get(tmp);
output.clear();
input.clear();
inputRO.clear();
input.put(tmp);
input.flip();
inputRO.limit(input.limit());
cipher.init(Cipher.DECRYPT_MODE, key, parameters);
cipher.doFinal(inputRO, output);
output.flip();
assertEquals(ByteBuffer.wrap(ptVector), output);
} catch (Throwable t) {
throw new AssertionError("Overlapping buffers test failed with buffer type: " + mode + " and output offset " + outputOffset, t);
}
}
}
}
use of com.google.security.wycheproof.WycheproofRunner.NoPresubmitTest in project wycheproof by google.
the class AesGcmTest method testEncryptEmptyPlaintextWithEmptyIv.
/**
* AES-GCM allows IVs of bit length 1 .. 2^64-1. See NIST SP 800 38d, Section 5.2.1.1
* http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf
*
* <p>Disallowing IVs of length 0 is necessary for the following reason: if an empty IV is used
* then the tag is an evaluation of a polynomial with the hash subkey as the value. Since the
* polynomial can be derived from the ciphertext it is known to an attacker. Therefore, any
* message encrypted with an empty IV leaks the hash subkey. In particular, encrypting an empty
* plaintext with an empty IV results in a ciphertext having a tag that is equal to the hash
* subkey used in AES-GCM. I.e. both are the same as encrypting an all zero block.
*
* <p>OpenJDK fails this test.
*/
@NoPresubmitTest(providers = { ProviderType.OPENJDK }, bugs = { "b/35746778" })
@Test
public void testEncryptEmptyPlaintextWithEmptyIv() throws Exception {
byte[] emptyIv = new byte[0];
byte[] input = new byte[0];
byte[] key = TestUtil.hexToBytes("56aae7bd5cbefc71d31c4338e6ddd6c5");
SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
Cipher block = Cipher.getInstance("AES/ECB/NoPadding");
block.init(Cipher.ENCRYPT_MODE, keySpec);
byte[] hashkey = block.doFinal(new byte[16]);
try {
cipher.init(Cipher.ENCRYPT_MODE, keySpec, new GCMParameterSpec(16 * 8, emptyIv));
byte[] ct = cipher.doFinal(input);
// If the encryption above is not rejected then the hash key and the ciphertext are the same.
// Both are d1bdd948ddc5a7f7a9250cf78229b84d.
System.out.println("testEncryptEmptyPlaintextWithEmptyIv:");
System.out.println("Encrypt with empty IV:" + TestUtil.bytesToHex(ct));
System.out.println("Hash subkey :" + TestUtil.bytesToHex(hashkey));
fail("Encrypting with an empty IV leaks the hash subkey.");
} catch (GeneralSecurityException expected) {
System.out.println("testEncryptWithEmptyIv:" + expected.toString());
// expected behavior
}
}
use of com.google.security.wycheproof.WycheproofRunner.NoPresubmitTest in project wycheproof by google.
the class JsonXdhTest method testKeyGeneration.
@NoPresubmitTest(providers = { ProviderType.BOUNCY_CASTLE }, bugs = { "b/138722408" })
@Test
public void testKeyGeneration() throws Exception {
KeyPairGenerator kpg;
try {
kpg = KeyPairGenerator.getInstance("XDH");
} catch (NoSuchAlgorithmException ex) {
System.out.println("XDH not supported");
return;
}
// An alternative is
// NamedParameterSpec paramSpec = new NamedParameterSpec("X25519");
// kpg.initialize(paramSpec);
// But this only compiles with jdk11.
kpg.initialize(255);
KeyPair kp = kpg.generateKeyPair();
PrivateKey priv = kp.getPrivate();
PublicKey pub = kp.getPublic();
// Encodings are a bit of a problem.
byte[] privEncoded = priv.getEncoded();
System.out.println("X25519 privat key format:" + priv.getFormat() + " encoded:" + TestUtil.bytesToHex(privEncoded));
byte[] pubEncoded = pub.getEncoded();
System.out.println("X25519 public key format:" + pub.getFormat() + " encoded:" + TestUtil.bytesToHex(pubEncoded));
}
use of com.google.security.wycheproof.WycheproofRunner.NoPresubmitTest in project wycheproof by google.
the class RsaKeyTest method testDefaultKeySize.
/**
* Checks the default key size used for RSA key generation.
*
* <p>This test fails if the default key size for RSA is below the minimum recommendation of NIST
* SP 800-57 part1 revision 4, Table 2, page 53 in
* http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf . NIST recommends
* a minimal security strength of 112 bits for keys used until 2030. This translates to a minimal
* key size of 2048 bits.
*
* <p>Enisa, Algorithms, key size and parameters report – 2014, Section 3.6
* https://www.enisa.europa.eu/publications/algorithms-key-size-and-parameters-report-2014 Enisa,
* also suggests that 2048-bit RSA keys provide a security strength of about 112 bits. However,
* the recommendation for near term systems is more conservative than NIST. Enisa recommends a
* minimal key size of 3072 bits.
*
* <p>ECRYPT II Yearly Report on Algorithms and Keysizes (2011-2012), Section 13.3
* http://www.ecrypt.eu.org/ecrypt2/documents/D.SPA.20.pdf Suggests at least 2432 bits for new
* keys and at least 1024 bits for legacy keys.
*
* <p>All the references above clearly state that keys smaller than 2048 bits should only be used
* in legacy cases. Therefore, it seems wrong to use a default key size smaller than 2048 bits. If
* a user really wants a small RSA key then such a choice should be made by explicitly providing
* the desired key length during the initalization of the KeyPairGenerator.
*
* <p>According to https://docs.oracle.com/javase/7/docs/api/javax/crypto/Cipher.html every
* implementation of the Java platform is required to implement RSA with both 1024 and 2048 bit
* key sizes. Hence a 2048 bit default should not lead to compatibility problems.
*/
@NoPresubmitTest(providers = { ProviderType.OPENJDK }, bugs = { "b/33190530" })
@Test
public void testDefaultKeySize() throws Exception {
KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
KeyPair keypair = keyGen.genKeyPair();
RSAPublicKey pub = (RSAPublicKey) keypair.getPublic();
int keySizeInBits = pub.getModulus().bitLength();
System.out.println("testDefaultSize: keysize=" + keySizeInBits);
checkKeyPair(keypair, keySizeInBits);
if (keySizeInBits < 2048) {
fail("RSA default key size too small:" + keySizeInBits);
}
}
use of com.google.security.wycheproof.WycheproofRunner.NoPresubmitTest in project wycheproof by google.
the class EcdhTest method testEncode.
@NoPresubmitTest(providers = { ProviderType.BOUNCY_CASTLE }, bugs = { "BouncyCastle uses long encoding. Is this a bug?" })
@Test
public void testEncode() throws Exception {
KeyFactory kf = KeyFactory.getInstance("EC");
ECPublicKey valid = (ECPublicKey) kf.generatePublic(EC_VALID_PUBLIC_KEY.getSpec());
assertEquals(TestUtil.bytesToHex(valid.getEncoded()), EC_VALID_PUBLIC_KEY.encoded);
}
Aggregations