Examples with NoPresubmitTest com.google.security.wycheproof.WycheproofRunner.NoPresubmitTest used on opensource projects

Example 1 with NoPresubmitTest

use of com.google.security.wycheproof.WycheproofRunner.NoPresubmitTest in project wycheproof by google.

the class AesGcmTest method testByteBufferShiftedAlias.

/**
 * Encryption with ByteBuffers should be copy-safe even if the buffers have different starting
 * offsets and/or do not make the backing array visible.
 *
 * <p>Note that bugs in this often require a sizeable input to reproduce; the default
 * implementation of engineUpdate(ByteBuffer, ByteBuffer) copies through 4KB bounce buffers, so we
 * need to use something larger to see any problems - 8KB is what we use here.
 *
 * @see https://bugs.openjdk.java.net/browse/JDK-8181386
 */
@NoPresubmitTest(providers = { ProviderType.BOUNCY_CASTLE, ProviderType.OPENJDK }, bugs = { "b/64378943" })
@Test
public void testByteBufferShiftedAlias() throws Exception {
    byte[] ptVector = new byte[8192];
    for (int i = 0; i < 3; i++) {
        // outputOffset = offset relative to start of input.
        for (int outputOffset = -1; outputOffset <= 1; outputOffset++) {
            SecretKeySpec key = new SecretKeySpec(new byte[16], "AES");
            GCMParameterSpec parameters = new GCMParameterSpec(128, new byte[12]);
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.ENCRYPT_MODE, key, parameters);
            ByteBuffer output, input, inputRO;
            // We'll try three scenarios: Ordinary array backed buffers, array backed buffers where one
            // is read-only, and direct byte buffers.
            String mode;
            // offsets relative to start of buffer
            int inputOffsetInBuffer = 1;
            int outputOffsetInBuffer = inputOffsetInBuffer + outputOffset;
            int sliceLength = cipher.getOutputSize(ptVector.length);
            int bufferSize = sliceLength + Math.max(inputOffsetInBuffer, outputOffsetInBuffer);
            switch(i) {
                case 0:
                case 1:
                    {
                        byte[] buffer = new byte[bufferSize];
                        // It's important to slice() here as otherwise later when we flip() position will be
                        // reset to 0.
                        output = ByteBuffer.wrap(buffer, outputOffsetInBuffer, sliceLength).slice();
                        input = ByteBuffer.wrap(buffer, inputOffsetInBuffer, sliceLength).slice();
                        if (i == 1) {
                            mode = "array backed buffers with RO buffer";
                            inputRO = input.asReadOnlyBuffer();
                        } else {
                            mode = "array backed buffers";
                            inputRO = input.duplicate();
                        }
                        break;
                    }
                case 2:
                    {
                        mode = "direct buffers";
                        ByteBuffer buf = ByteBuffer.allocateDirect(bufferSize);
                        output = buf.duplicate();
                        output.position(outputOffsetInBuffer);
                        output.limit(sliceLength + outputOffsetInBuffer);
                        output = output.slice();
                        input = buf.duplicate();
                        input.position(inputOffsetInBuffer);
                        input.limit(sliceLength + inputOffsetInBuffer);
                        input = input.slice();
                        inputRO = input.duplicate();
                        break;
                    }
                default:
                    {
                        throw new AssertionError("Unknown test index " + i);
                    }
            }
            // Now that we have our overlapping 'input' and 'output' buffers, we can write our plaintext
            // into the input buffer.
            input.put(ptVector);
            input.flip();
            // Make sure the RO input buffer has the same limit in case the plaintext is shorter than
            // sliceLength (which it generally will be for anything other than ECB or CTR mode)
            inputRO.limit(input.limit());
            try {
                int ctSize = cipher.doFinal(inputRO, output);
                // Now flip the buffers around and undo everything
                byte[] tmp = new byte[ctSize];
                output.flip();
                output.get(tmp);
                output.clear();
                input.clear();
                inputRO.clear();
                input.put(tmp);
                input.flip();
                inputRO.limit(input.limit());
                cipher.init(Cipher.DECRYPT_MODE, key, parameters);
                cipher.doFinal(inputRO, output);
                output.flip();
                assertEquals(ByteBuffer.wrap(ptVector), output);
            } catch (Throwable t) {
                throw new AssertionError("Overlapping buffers test failed with buffer type: " + mode + " and output offset " + outputOffset, t);
            }
        }
    }
}

Example 2 with NoPresubmitTest

use of com.google.security.wycheproof.WycheproofRunner.NoPresubmitTest in project wycheproof by google.

the class AesGcmTest method testEncryptEmptyPlaintextWithEmptyIv.

/**
 * AES-GCM allows IVs of bit length 1 .. 2^64-1. See NIST SP 800 38d, Section 5.2.1.1
 * http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf
 *
 * <p>Disallowing IVs of length 0 is necessary for the following reason: if an empty IV is used
 * then the tag is an evaluation of a polynomial with the hash subkey as the value. Since the
 * polynomial can be derived from the ciphertext it is known to an attacker. Therefore, any
 * message encrypted with an empty IV leaks the hash subkey. In particular, encrypting an empty
 * plaintext with an empty IV results in a ciphertext having a tag that is equal to the hash
 * subkey used in AES-GCM. I.e. both are the same as encrypting an all zero block.
 *
 * <p>OpenJDK fails this test.
 */
@NoPresubmitTest(providers = { ProviderType.OPENJDK }, bugs = { "b/35746778" })
@Test
public void testEncryptEmptyPlaintextWithEmptyIv() throws Exception {
    byte[] emptyIv = new byte[0];
    byte[] input = new byte[0];
    byte[] key = TestUtil.hexToBytes("56aae7bd5cbefc71d31c4338e6ddd6c5");
    SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
    Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
    Cipher block = Cipher.getInstance("AES/ECB/NoPadding");
    block.init(Cipher.ENCRYPT_MODE, keySpec);
    byte[] hashkey = block.doFinal(new byte[16]);
    try {
        cipher.init(Cipher.ENCRYPT_MODE, keySpec, new GCMParameterSpec(16 * 8, emptyIv));
        byte[] ct = cipher.doFinal(input);
        // If the encryption above is not rejected then the hash key and the ciphertext are the same.
        // Both are d1bdd948ddc5a7f7a9250cf78229b84d.
        System.out.println("testEncryptEmptyPlaintextWithEmptyIv:");
        System.out.println("Encrypt with empty IV:" + TestUtil.bytesToHex(ct));
        System.out.println("Hash subkey          :" + TestUtil.bytesToHex(hashkey));
        fail("Encrypting with an empty IV leaks the hash subkey.");
    } catch (GeneralSecurityException expected) {
        System.out.println("testEncryptWithEmptyIv:" + expected.toString());
    // expected behavior
    }
}

Example 3 with NoPresubmitTest

use of com.google.security.wycheproof.WycheproofRunner.NoPresubmitTest in project wycheproof by google.

the class JsonXdhTest method testKeyGeneration.

@NoPresubmitTest(providers = { ProviderType.BOUNCY_CASTLE }, bugs = { "b/138722408" })
@Test
public void testKeyGeneration() throws Exception {
    KeyPairGenerator kpg;
    try {
        kpg = KeyPairGenerator.getInstance("XDH");
    } catch (NoSuchAlgorithmException ex) {
        System.out.println("XDH not supported");
        return;
    }
    // An alternative is
    // NamedParameterSpec paramSpec = new NamedParameterSpec("X25519");
    // kpg.initialize(paramSpec);
    // But this only compiles with jdk11.
    kpg.initialize(255);
    KeyPair kp = kpg.generateKeyPair();
    PrivateKey priv = kp.getPrivate();
    PublicKey pub = kp.getPublic();
    // Encodings are a bit of a problem.
    byte[] privEncoded = priv.getEncoded();
    System.out.println("X25519 privat key format:" + priv.getFormat() + " encoded:" + TestUtil.bytesToHex(privEncoded));
    byte[] pubEncoded = pub.getEncoded();
    System.out.println("X25519 public key format:" + pub.getFormat() + " encoded:" + TestUtil.bytesToHex(pubEncoded));
}

Example 4 with NoPresubmitTest

use of com.google.security.wycheproof.WycheproofRunner.NoPresubmitTest in project wycheproof by google.

the class RsaKeyTest method testDefaultKeySize.

/**
 * Checks the default key size used for RSA key generation.
 *
 * <p>This test fails if the default key size for RSA is below the minimum recommendation of NIST
 * SP 800-57 part1 revision 4, Table 2, page 53 in
 * http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf . NIST recommends
 * a minimal security strength of 112 bits for keys used until 2030. This translates to a minimal
 * key size of 2048 bits.
 *
 * <p>Enisa, Algorithms, key size and parameters report – 2014, Section 3.6
 * https://www.enisa.europa.eu/publications/algorithms-key-size-and-parameters-report-2014 Enisa,
 * also suggests that 2048-bit RSA keys provide a security strength of about 112 bits. However,
 * the recommendation for near term systems is more conservative than NIST. Enisa recommends a
 * minimal key size of 3072 bits.
 *
 * <p>ECRYPT II Yearly Report on Algorithms and Keysizes (2011-2012), Section 13.3
 * http://www.ecrypt.eu.org/ecrypt2/documents/D.SPA.20.pdf Suggests at least 2432 bits for new
 * keys and at least 1024 bits for legacy keys.
 *
 * <p>All the references above clearly state that keys smaller than 2048 bits should only be used
 * in legacy cases. Therefore, it seems wrong to use a default key size smaller than 2048 bits. If
 * a user really wants a small RSA key then such a choice should be made by explicitly providing
 * the desired key length during the initalization of the KeyPairGenerator.
 *
 * <p>According to https://docs.oracle.com/javase/7/docs/api/javax/crypto/Cipher.html every
 * implementation of the Java platform is required to implement RSA with both 1024 and 2048 bit
 * key sizes. Hence a 2048 bit default should not lead to compatibility problems.
 */
@NoPresubmitTest(providers = { ProviderType.OPENJDK }, bugs = { "b/33190530" })
@Test
public void testDefaultKeySize() throws Exception {
    KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
    KeyPair keypair = keyGen.genKeyPair();
    RSAPublicKey pub = (RSAPublicKey) keypair.getPublic();
    int keySizeInBits = pub.getModulus().bitLength();
    System.out.println("testDefaultSize: keysize=" + keySizeInBits);
    checkKeyPair(keypair, keySizeInBits);
    if (keySizeInBits < 2048) {
        fail("RSA default key size too small:" + keySizeInBits);
    }
}

Example 5 with NoPresubmitTest

use of com.google.security.wycheproof.WycheproofRunner.NoPresubmitTest in project wycheproof by google.

the class EcdhTest method testEncode.

@NoPresubmitTest(providers = { ProviderType.BOUNCY_CASTLE }, bugs = { "BouncyCastle uses long encoding. Is this a bug?" })
@Test
public void testEncode() throws Exception {
    KeyFactory kf = KeyFactory.getInstance("EC");
    ECPublicKey valid = (ECPublicKey) kf.generatePublic(EC_VALID_PUBLIC_KEY.getSpec());
    assertEquals(TestUtil.bytesToHex(valid.getEncoded()), EC_VALID_PUBLIC_KEY.encoded);
}