dsa_2048_256_sha224_p1363_test.json and dsa_2048_256_sha224_test.json don't exist.
While I'm here, update testvectors/BUILD.bazel to include new files. This makes them available for Tink and other Bazel users.
NOKEYCHECK=True
PiperOrigin-RevId: 285887952
GitOrigin-RevId: faadf65f788bb5b446ff67b8c0a02e83d7284843
The main focus are:
* incremental updates
* long inputs
* using ByteBuffers
Tested providers: jdk8, jdk11, BouncyCastle, Conscrypt, hazmat, pythons implementation of
hmac.
Resuts:
- all implementations are compatible.
- all implementations support HMAC with SHA-1 and SHA-2.
- BouncyCastle and python 3.7 support SHA-3
- jdk8 doesn't support SHA-3 and hence not HMAC with SHA-3
- jdk11 implements SHA-3, but not HMAC with SHA-3
- hazmat would support HMAC with SHA-3 if the backend were supporting the hashes,
but the defaultbackend does not.
NOKEYCHECK=True
PiperOrigin-RevId: 285161934
GitOrigin-RevId: 604eac41416d9dffc916c474a19ec7690401b22c
There are differences between the NIST standard and RFC 8017.
NIST requires d < lcm(p-1, q-1), RFC 8017 only requires d < n
jdk does follows RFC 8017, but not the NIST standard.
Adding a test for PKCS8 encoding and decoding.
BouncyCastle returns an OpenSSLRSAPrivateKey instead of
OpenSSLRSAPrivateCrtKey
Moving test vectors that were previously excluded because
the were causing runtime exceptions. This was b/32656910
All SpongyCastle tests fail. This is likely not caused by this CL.
The old SpongyCastle version in google3 is likely not compatible with
some jdk11 feature.
NOKEYCHECK=True
PiperOrigin-RevId: 282341997
GitOrigin-RevId: 1ee6a7df7d8ec6ca612ccc349fcea0e9a9f4f273
Splitting DSA test vectors into several files depending on key size and hash.
I'm only adding files for DSA parameters that are supported by libraries that are used in google3. Most projects now prefer ECDSA.
Tests with additional parameters (e.g. 4096-bit keys or other hash functions) can be added, if there is a reason for doing so.
Tested providers:
jdk8 supports DSA with ASN encoding.
jdk11 supports DSA with ASN and P1363 encoding.
BouncyCastle only supports DSA with ASN encoding.
(P1363 format is only supported for ECDSA).
ConsCrypt does not support DSA at all.
b/33446454: The tests ignore this issue to avoid missing bigger mistakes.
NOKEYCHECK=True
PiperOrigin-RevId: 281068296
GitOrigin-RevId: 7c4178527d940fccbcfcfdd88f1cb850a17746db
This test does not check if SecureRandom is weak or predictable.
It simply checks whether the seeding follows the claims in the API.
The test attempts to ensure that the rules used in error prone
(see b/26583170) hold for all instances of SecureRandom.
An old version of this test is here:
depot/google3/experimental/users/bleichen/javatests/com/google/security/keymaster/JceTest.java
NOKEYCHECK=True
PiperOrigin-RevId: 279931348
GitOrigin-RevId: f9931f9a5fe122a59e7b4ec35d3db888e969eb81
Motivation: tink implements this KDF.
Other libraries that support HKDF with SHA-384 and were tested:
(1) boringssl
(2) hazmat (which apparently uses a boringssl based backend)
References:
RFC 5869 defines HKDF generically, but does not mention SHA-384 as a potential
hash function.
RFC 6234 extends HMAC and KDF to other hash functions, but is unclear what should
be supported.
https://tools.ietf.org/html/draft-housley-hkdf-oids-01
appears to be the first RFC that concretely mentions HKDF with SHA-384
this is still a draft. This document does not mention SHA-224, hence
I'm not adding hkdf with SHA-224.
NOKEYCHECK=True
PiperOrigin-RevId: 278363773
GitOrigin-RevId: 79bd2681f0c3bb12ce5c9c555710fad6b20c6221
Adding more tests:
- the previous test did not include any primes. Hence arithmetic
errors in a primality test would likely remain undetected.
- some primes have been generated so that the multiplier for a
Montgomery reduction is an edge case (e.g. high or low Hamming weight).
- adding negatives of primes. Different libraries disagree, whether such
integers are prime or not. The corresponding test vectors have a flag
and result "acceptable".
The following libraries have been tested:
java.math.BigInteger: primality testing is not part of JCA and hence is
provider independent.
sympy: Old versions of sympy used a weak set of bases and was deterministic.
This is no longer the case.
NOKEYCHECK=True
PiperOrigin-RevId: 278337837
GitOrigin-RevId: 02debe45343e8da38b21a6e7a56a4a2b1c050bd8
The full list of failures is longer (~2800 cases).
They should be tested separately.
NOKEYCHECK=True
PiperOrigin-RevId: 276078119
GitOrigin-RevId: 06cbec6bed9413992b14a766134cbfc9bd826259
E.g., since HMAC simply pads the key with 0s, it does not matter
whether the salt is a empty byte array or any other array of size <= 64.
NOKEYCHECK=True
PiperOrigin-RevId: 275468663
GitOrigin-RevId: 9982a2f0675aee0035a78ea1889d2b23b9ede597
SHA-512/224 and SHA-512/256.
I don't expect these hashes to be heavily used. But there is
some potential for incompatibilities. E.g. BouncyCastle
previously used algorithm names such as "SHA512(224)WITHRSA"
while jdk uses "SHA512/224WithRSA".
RSA-OAEP would in principle allow the same hashes as RSA-PSS,
but the algorithm name in JCA is not well-defined,
using truncated hashes with OAEP doesn't make much sense,
and providers don't seem to implement it.
Test results:
jdk11 supports the truncated signatures.
BouncyCastle does not support the algorithm names
ConsCrypt does not support the algorithms.
Tested in a different CL:
boringSSL does not implement the algorithms.
Bugs: b/120406853 is about an alternative ASN encoding
of PSS-keys. This is an encoding that contains all the
parameters of signature scheme. This will be added by
jdk11. But so far, jdk11 fails to read its own key encodings.
I have test vectors for this encoding, but can't add them
without having at least one library accepting them.
NOKEYCHECK=True
PiperOrigin-RevId: 275018282
GitOrigin-RevId: 42c8b6d8e768858b6ec5a273d53f1e111268ecd7
BouncyCastle: supports SHA-3 an passes the tests.
jdk8: does not support SHA-3 (and hence also not ECDSA signatures with SHA-3)
jdk11: supports SHA-3, but currently does not support ECDSA with SHA-3.
ConsCrypt: does not support ECDSA with SHA-3 at this time.
Tested elsewhere:
hazmat: does not support SHA-3 (since it is using boringssl)
NOKEYCHECK=True
PiperOrigin-RevId: 273530767
GitOrigin-RevId: 0f6daacc167dd8944e9f4ce549899d9b08b3ce00
The test vectors allow to check libraries that read PEM
files against bugs similar to:
https://bugs.openjdk.java.net/browse/JDK-8213363
Testing:
So far I'm testing against hazmat (i.e. a python wrapper
around openssl).
The version in google3
google3/third_party/py/cryptography/hazmat/
only supports x25519, hence the x448 test vectors are not tested.
The test vectors are essentially the same as in x448_asn_test.json,
which pass BouncyCastle (with some fixes for overflow).
NOKEYCHECK=True
PiperOrigin-RevId: 269317802
GitOrigin-RevId: f29c60bccd75d3a9a16f833e108bdf83e385fc87
Main changes:
BigInteger encoding is now always a multiple of 2.
Comments try to be a bit more precise. This leads to a different
grouping of the test vectors.
All test vectors with result="acceptable" have at least one
flag.
New vectors:
AEGIS: adding test vectors with the same tag (basically just
answers the question: is AEGIS a hash?)
Test vectors from old versions of the cipher now have ciphertext.
I.e. both encrypting or decrypting should tell testers that they
are using old versions.
AES-CMAC: more test vectors with 128-bit tag.
DSA, ECDSA: better description of the ASN modifications (this reorders
the test vectors) and a few more ASN modifications
KWP: adding modified paddings
XDH: adding more edge cases, no longer using the same private key for multiple
test vectors.
RSA-PSS: adding more valid test vectors. The new test vectors have an edge case
message digest.
NOKEYCHECK=True
PiperOrigin-RevId: 264817632
GitOrigin-RevId: 0c8e6eec11db1ca7088f89d0c1de48c5af892e47
BouncyCastle had an implementation for X25519 and X448 for some time.
But the JCA interface has been added only recently in version 1.61.
There is an overflow bug in this version that will be fixed
upstream in verion 1.63.
The tests ignore some minor bugs (Runtime exceptions instead of
checked exceptions) so that the test against BouncyCastle can be
added as a presubmit test.
Changing the ASN encoding of XDH keys.
Previously they used the jdk encoding.
This encoding was wrong.
NOKEYCHECK=True
PiperOrigin-RevId: 264348566
GitOrigin-RevId: 6564f188a3ed50f73c48cb8c41833d8c3798ab78
These functions are all trivial one-liners that inline to clearer code that is nearly as small (and in some cases even smaller) than the function call.
See go/lsc-goog-isdef
Tested:
TAP --sample ran all affected tests and none failed
http://test/OCL:263067138:BASE:263057012:1565671265213:a988ea45
NOKEYCHECK=True
PiperOrigin-RevId: 263257614
GitOrigin-RevId: b9879442a887349646d064825c5c86ce904ab6f9
jdk11 did add ED25519 and ED448.
BC supports ED25519, but is slightly malleable.
Conscrypt supports none (rsp. uses different algorithm names).
This is related to
https://github.com/google/tink/issues/224
However, tests for signatures are still missing.
NOKEYCHECK=True
PiperOrigin-RevId: 260726100
GitOrigin-RevId: c4c5855aa3e86c0e47ad88f16e6496b98149364f
https://github.com/google/tink/issues/224
So far I haven't been able to reproduce the bug.
However, a lot of tests just check the signature verification.
NOKEYCHECK=True
PiperOrigin-RevId: 260466789
GitOrigin-RevId: bc252d53eaede4ec4eb89fef072dc5d19d17dbf5
AES-GMAC is equivalent to encrypting with AES-GCM an empty plaintext, using passing the
data to authenticate as additional data.
AES-GMAC is supported by keymaster and BouncyCastle.
keymaster has fixed nonce sizes and tag sizes (128-bits).
BouncyCastle has a fixed tag size (128-bit) when used through the JCE
interface.
NOKEYCHECK=True
PiperOrigin-RevId: 257385648
GitOrigin-RevId: d6947fd3604ca782078b7a02bab2a95160df2501
The main purpose is to test / explore the robustness of the VMAC implementation
such as the one in security/util (e.g. CL 254384251) as well as finding potential weaknesses if VMAC is used in an unconventional way. VMAC is widely used in
Google, but so far there is no list of test vector that check corner cases,
such as carry propagation.
VMAC has a number of odd features, which are tested with these vectors:
- The nonce is at most 127-bit long. This is necessary, because VMAC uses
an AES-block cipher. Inputs with the most significant bit set are used
for the key derivation. The same inputs must not be used for encrypting
the nonce.
- VMAC requires 128-bit integer arithmetic for some of its temporary results.
This leaves a lot of opportunities for overflow and carry errors.
The test vectors contain a fairly large number of edge cases to check
for such problems.
- VMAC lacks "plaintext awareness". A valid VMAC does not prove that the
sender knows the plaintext. An example is this: if the VMAC is computed
over eg. tag = VMAC(msg || password) then it would be possible for the
sender to choose msg, such that is valid for any password.
NOKEYCHECK=True
PiperOrigin-RevId: 255599337
GitOrigin-RevId: 22d336b66c370dae251f1fa119cf952035f9c8d5
AEGIS256 is described here:
https://eprint.iacr.org/2013/695.pdfhttps://competitions.cr.yp.to/round3/aegisv11.pdf
Test vector generation:
I'm using a python version for the generation of the test vectors:
CL 252436459
The test vectors are then compared against a second implementation:
CL 252613429
Third party test vectors:
I don't have any third party test vectors.
https://eprint.iacr.org/2013/695.pdf contains some test vectors.
But, these test vectors can only be reproduced if the number of rounds
in finalize is reduced from 7 to 6.
Both papers describe AEGIS256 with 7 rounds in finalize.
All third party implementations I've found use 7 rounds, such as
this one:
https://github.com/torvalds/linux/blob/master/crypto/aegis256.c
NOKEYCHECK=True
PiperOrigin-RevId: 252811267
GitOrigin-RevId: 1de1fb2cb2c4e7d33a1ab8a23ddd63c79b143d3a