139 Commits

Author SHA1 Message Date
bleichen cf457615e3 Updating documentation.
* including new primitives
* more detailed description of JSON types.
* adding links for algorithms

NOKEYCHECK=True
PiperOrigin-RevId: 252799091
GitOrigin-RevId: ebf54ad59ebc55f4cbee010d67867ee9a95ce987
2019-11-25 17:41:39 -08:00
bleichen 763b2b03ea Adding test vectors for Aegis128 and Aegis128L to third_party/wycheproof.
Versions:
Aegis128 and Aegis128L use
https://competitions.cr.yp.to/round3/aegisv11.pdf
The eprint version of Aegis128L in
https://eprint.iacr.org/2013/695.pdf
is slightly different, since the tag is computed differently.
To make this difference easier to spot, I'm including
the test vectors from the eprint version (the result is
of course invalid).

Generation:
The test vectors were generated with a 2nd implementation
(in python). This would hopefully allow to spot boundary
errors.
NOKEYCHECK=True
PiperOrigin-RevId: 251426918
GitOrigin-RevId: 3fc993aa9e84495cefd1f20bcc5a0fb3a3179883
2019-11-25 17:41:31 -08:00
bleichen 29ccd8ecac Updating Wycheproof documentation.
NOKEYCHECK=True
PiperOrigin-RevId: 247415707
GitOrigin-RevId: 8efba735f6dd1f735aa1ee0a963453e2801bf3fb
2019-11-25 17:41:22 -08:00
bleichen 8bc50bbb51 Updating the test vectors.
Changes:
* Unused flags are no longer listed in "notes:"
* Added some new invalid encoding containing special values such as NaN.
* Adding jwk keys to RSA-OAEP test vectors if the jwk key is defined.
* Adding a flag InvalidOaepPadding to RSA-OAEP test vectors to test vectors
  where leaking padding information might allow Manger's attack.
* Adding test vectors for invalid padding: PKCS-1 padding for PSS signatures
  signatures without hashing.
* Adding test vectors from RFC 8037 to XDH. (There is not enough cross checking
  otherwise, since most libraries don't implement XDH).

NOKEYCHECK=True
PiperOrigin-RevId: 237066566
GitOrigin-RevId: 44dd5c1fda5d152b6741824ad9d5400b4cffd6aa
2019-11-25 17:41:11 -08:00
bleichen e36f091b42 Making another doc file more? compatible.
NOKEYCHECK=True
PiperOrigin-RevId: 236832376
GitOrigin-RevId: 0548eea608460e635a820293a6d2100944addb12
2019-11-25 17:41:03 -08:00
bleichen 6e734f1166 Reverting some mdformat features off
to avoid making tables incompatible with other
markdown dialects.

NOKEYCHECK=True
PiperOrigin-RevId: 236831405
GitOrigin-RevId: 25641287cde9b5ba7b631d5d4b6c26c226c3cc18
2019-11-25 17:40:55 -08:00
bleichen 3255146de3 Adding test vectors for RSA PKCS #1 v 1.5.
The test vectors replace the previous test for padding oracles, which
had to generate a new key. The test vectors add some new
test cases that are edge cases for the modular exponentiation.

NOKEYCHECK=True
PiperOrigin-RevId: 236813461
GitOrigin-RevId: a92ab2a6af48d3285735fbf5c8ecb66c0750f46b
2019-11-25 17:40:47 -08:00
bleichen 4cd199592b Minor updates to documentation.
NOKEYCHECK=True
PiperOrigin-RevId: 234783631
GitOrigin-RevId: da809b7f5aecc3bf184fdfe1788399cd8316c329
2019-11-25 17:40:39 -08:00
bleichen bfb11c57f3 Updating documentation.
NOKEYCHECK=True
PiperOrigin-RevId: 234606518
GitOrigin-RevId: 1afaee2eaa4c9a9daad23f57569e035facbb8243
2019-11-25 17:40:32 -08:00
bleichen e2178c755a Adding tests for RSA key generation to the plans for version 0.8.
NOKEYCHECK=True
PiperOrigin-RevId: 234466663
GitOrigin-RevId: 89986698fa5eee07927d34d651479007d173923f
2019-11-25 17:40:24 -08:00
bleichen 386767b289 Adding more links to type names.
NOKEYCHECK=True
PiperOrigin-RevId: 233588531
GitOrigin-RevId: eb79f2b0c494cc9b993f7391494074bd98e442d7
2019-11-25 17:40:16 -08:00
bleichen 441894f256 Updating documentation
NOKEYCHECK=True
PiperOrigin-RevId: 233075077
GitOrigin-RevId: 59df0b095f9640e9f1e9f0a31e699c8396b189e7
2019-11-25 17:40:08 -08:00
bleichen 851de3dd9c Adding more links to the documentation.
NOKEYCHECK=True
PiperOrigin-RevId: 233071591
GitOrigin-RevId: 4a3c72335c61b0d5b2e3715b139bfb62de4f0eb1
2019-11-25 17:40:01 -08:00
bleichen cb98c9f432 Adding references to types in the documentation.
NOKEYCHECK=True
PiperOrigin-RevId: 233065086
GitOrigin-RevId: a4af2453b9798b7e14bd14c2b4c5e07a1e9d72d0
2019-11-25 17:39:53 -08:00
bleichen 7ca8c8d16f Updating files.md
NOKEYCHECK=True
PiperOrigin-RevId: 233042755
GitOrigin-RevId: 3bd24145ecdd0f6c9d4a6e7716ca188d1fa0dd19
2019-11-25 17:39:45 -08:00
bleichen 2cf601145e Adding some forgotten cases:
Adding test vectors for AES-SIV-CMAC for AEAD.
I.e. these are test vectors for AES-SIV-CMAC where encryption takes
two AAD arguments: one argument acting as the nonce and one argument
acting as the additional data.

Adding test vectors for XDH where the keys use jwk encoding.
These are mostly the same test vectors as used for other XDH tests,
but the keys are enocded according to RFC 8037.
The test vectors include two test vectors from RFC 8037 section A.6 and
A.7 to ensure that the same encoding is used.

Fixing the algorithm name for AES-GCM-SIV.

NOKEYCHECK=True
PiperOrigin-RevId: 232840812
GitOrigin-RevId: cc0604472074630f0b00894c4234e06ac0bc4f0a
2019-11-25 17:39:37 -08:00
bleichen 89b996d789 Some updates to the documentation.
NOKEYCHECK=True
PiperOrigin-RevId: 232680784
GitOrigin-RevId: b94a428ffce59724af70395a8f859d9f02841f6b
2019-11-25 17:39:30 -08:00
bleichen 35fe41359d Updating tests for DSA, ECDSA and RSA-OAEP.
Extending the tests for signature bias.
E.g. biased signature generations that
choose s' as min(s, q-s) because of
signature malleability will not be detected.
Such implementations exist:
https://eprint.iacr.org/2019/023.pdf

Removing test vectors in the tests.
These test vectors are no longer necessary, since there
are more test vectors in the JSON files. Additionally,
the test vectors here are old and have not been updated.

Replacing comparisons for test vector version with comparisons
for the JSON schema. A new schema (with a different name) will
be used whenever the format of the test vectors changes without
backwards compatibility. Hence the JSON schema should change less
frequently than the version and give a better indication whether
test vectors and test match.

Reducing the log size a bit.

Bugs:

b/33190860: default key size for DSA is now 2048. This has been
fixed by Oracle.

NOKEYCHECK=True
PiperOrigin-RevId: 232647129
GitOrigin-RevId: 76f43890f0115a2ff72c6078a3376a96882a1504
2019-11-25 17:39:22 -08:00
bleichen 2d2290c28e Updating ECDH test vectors:
Changing incorrect documentation in the header:
The public keys are X509 encoded. Private keys are just integers.

Adding some more edge cases:
These are mostly cases where the y coordinate is a special case.
Such special cases can lead to overflows if the point is normalized
during the ECDH compuation. A normalization is sometimes done in
precomputations.

Somewhat better comments: I.e. explain what the edge case is.

Removing unnecessary notes: Sometimes test vectors with labels are generated,
but not used because encoding can't handle the test vectors. Previously the
label would still end up in the notes section. This has been removed.

NOKEYCHECK=True
PiperOrigin-RevId: 232640195
GitOrigin-RevId: b2bae8ea496a482297ea92f125d7762990015a33
2019-11-25 17:39:14 -08:00
bleichen 8ca57ca2b9 Just adding a reference.
There might be some test cases not covered yet. That will be done
later.

NOKEYCHECK=True
PiperOrigin-RevId: 232472199
GitOrigin-RevId: 8821bbd10f7917f161b83e26edc19a213d67c8c0
2019-11-25 17:39:06 -08:00
bleichen 1ab23e11b0 Refactoring the documentation.
index.md is now an index.

NOKEYCHECK=True
PiperOrigin-RevId: 232468414
GitOrigin-RevId: 7dde78d93627c14c213ce5c5d8f62429cd9e4a64
2019-11-25 17:38:58 -08:00
bleichen 0fef006165 Refactoring ECDH tests:
Switching to test vector files that contain vectors for one curve only.
This covers more test cases, allows to skip test vectors for curves not
supported by a library.
ecdh_test.json contains tests for multiple curves, but is somewhat limited
in coverage.

Sanity checks for using expected files are now based on the JSON schema.
I.e. if the expected and actual JSON schema of the test vector file match,
then the test should pass, otherwise there is a problem with the test setup.

Removing tests covered by test vectors from EcdhTest.java.

Adding timing test for ECDH:
The tests require to run on a system without much noise:
E.g. running a regular unit test is too noisy.
The confidence level is too low to fail the test:
ECDH timing test:secp256r1
Timing for point 0 avg: 4062844.9155273438 std dev: 452064.39579909603 cv:0.11126794283271814
Timing for point 1 avg: 4077776.20703125 std dev: 457662.5685428607 cv:0.1122333706675025
Point 0 multiplication is faster: 1152

Running the same test locally adds less noise.
The ratio avg / std dev is 10 times smaller.
Here the test run shows that time of a point multiplication depends on the
point that is multiplied.

ECDH timing test:secp256r1
Timing for point 0 avg: 1611269.970703125 std dev: 30329.312528547747 cv:0.018823234516877802
Timing for point 1 avg: 1618931.3715820312 std dev: 29267.753517245954 cv:0.01807843990857086
Point 0 multiplication is faster: 1655

NOKEYCHECK=True
PiperOrigin-RevId: 232286329
GitOrigin-RevId: 1bbbd6422c8fd64f3d5ea2fc3ecb94c6bd7bc171
2019-11-25 17:38:50 -08:00
bleichen 30c04bdbda Refactoring ecdh.md.
Adding some references to dh.md and dsa.md
Adding a bibliography.
There does not seem to be any simple support for references in g3doc.

NOKEYCHECK=True
PiperOrigin-RevId: 231400389
GitOrigin-RevId: db928a9f57d11ee736348c468412a320e03698d4
2019-11-25 17:38:43 -08:00
bleichen 1025b43dd7 Adding timing analysis to the plans for version 0.8.
NOKEYCHECK=True
PiperOrigin-RevId: 231194032
GitOrigin-RevId: bbe9af9542f60547f7ebbfeb4efe879327e06f50
2019-11-25 17:38:35 -08:00
Wycheproof Team ec8cac4845 Fix wycheproof build.
* migrate from deprecated http_archive/new_http_archive rules
 * update io_bazel_closure_rules dependency to fix recent bazel version compatibility issues

NOKEYCHECK=True
PiperOrigin-RevId: 229606647
GitOrigin-RevId: 75f81fae2fa095ce04cad88610f77c7ba1706d6e
2019-11-25 17:38:27 -08:00
bleichen 8d36c35a19 Adding documentation for the test vector files.
NOKEYCHECK=True
PiperOrigin-RevId: 228866607
GitOrigin-RevId: a04fbc5b6604b399e1943a04713cc19e909f9905
2019-11-25 17:38:20 -08:00
bleichen 18175b38da Adding JSON schemas for the test vectors.
Requires test vectors with version 0.7 or higher.

NOKEYCHECK=True
PiperOrigin-RevId: 228853889
GitOrigin-RevId: d669cb263964511c7c95cb32f83e1f07f4bf6b51
2019-11-25 17:38:12 -08:00
bleichen 7c9c6db85c Test vectors version 0.7
There are format changes:
* All test vector files contain a new field schema,
  which points to a JSON schema definition
  in the directory wycheproof/schema.
* More consistent type definition:
  E.g. the field "type" in a testGroup is now describing the
  type of the test the vectors are intended for. The type of
  the test defines formatting (e.g. whether signatures use
  P1363 encoding or ASN encoding) and the tested operation
  (e.g. whether the test vectors signatures are primarily
  are meant for verification or signature generation)
  The test types will also be included in the documentation.
* More unified test vectors:
  RSA-PKCS#1 v1.5 signature no longer have a field "padding".
* Added public and private keys in jwk format.
  This is done when the jwk format is defined and
  where the key format is not part of the test.

Additional test vectors:
* Added vectors for edge cases that can occur
  in ECDH computations with projective or Jacobian
  coordinates. In particular this implements a detection for the
  attack in "Zero-Value Point Attacks on Elliptic Curve Cryptosystem"
  by T.Akishita and T Takagi, ISC 2003
* Added more edge cases for Xdh.
* Added more test cases for ASN parsing (e.g. high number tags)
* Added test vectors for CVE-2017-18330 to CCM and EAX.
* Added more edge cases for poly1305
* Added test vectors for HKDF.
* Removed some duplicates in the test vectors.

NOKEYCHECK=True
PiperOrigin-RevId: 228700977
GitOrigin-RevId: 5708361fc71a2089a5c102be7d73adbc3b3b8efd
2019-11-25 17:37:59 -08:00
bleichen 37bb634f23 Adding new test vector files:
ed448_test.json
Test vectors for EDDSA over the curve edwards448

xchacha20_poly1305_test.json
Test vectors for Xchacha20 with poly1305 as defined in
https://datatracker.ietf.org/doc/draft-arciszewski-xchacha

NOKEYCHECK=True
PiperOrigin-RevId: 224343437
GitOrigin-RevId: 0b9a4eb9074b6ea1f76d0ff435dac215323024a1
2019-11-25 17:37:50 -08:00
bleichen eab248dd02 Adding RFC 4055 (which has some unused definitions).
NOKEYCHECK=True
PiperOrigin-RevId: 224315053
GitOrigin-RevId: 98aa28833a26c3223c4c37c8a9847823cc699701
2019-11-25 17:37:42 -08:00
bleichen d6a8486784 Adding documentation for RSA-PSS.
NOKEYCHECK=True
PiperOrigin-RevId: 223961711
GitOrigin-RevId: 9c352efc3d75473b942597a7752651a824329672
2019-11-25 17:37:35 -08:00
bleichen ebb8e84653 Adding tests for SHA-3.
BouncyCastle, jdk11 and hashlib in python 3.6 support SHA-3.
All libraries give the same result.

Some test runs:

blaze test :BouncyCastleAllTests
http://sponge/087b2160-0d69-47b2-b679-2f95c64fd205

blaze test //third_party/wycheproof:OpenJDKAllTests --javabase=//third_party/java/jdk:jdk11
http://sponge/4b1e9175-cb3f-421d-9d3f-dee6483a4a0d

NOKEYCHECK=True
PiperOrigin-RevId: 222516231
GitOrigin-RevId: f03a46bd3f92ed0a977180e68c0fbfb198edb3de
2019-11-25 17:37:26 -08:00
bleichen 3fb47e7403 Adding documentation for Key-wrap tests.
NOKEYCHECK=True
PiperOrigin-RevId: 222393282
GitOrigin-RevId: 3b3559b215aa7bd121611c501860db3a937b9e03
2019-11-25 17:37:18 -08:00
bleichen 95552fc2e2 Wycheproof version 0.6
NOKEYCHECK=True
PiperOrigin-RevId: 222384581
Change-Id: I1749fc9e570634e5429c3162787de0539cbcfd4d
GitOrigin-RevId: 4f8bfc19eb425f6a1083637b2810002dc0ae5b41
2019-11-25 17:37:09 -08:00
Daniel Bleichenbacher 9035918140 Checking defaults for PSS.
The goal of this test is to ensure that all providers use the same default values
for RSA-PSS. At the moment BouncyCastle and Conscrypt implement RSA-PSS using the
same parameters (jdk has an update that has not yet imported to google3 yet).
At least some other provider seem to support the same defaults:
http://javadoc.iaik.tugraz.at/iaik_jce/current/iaik/security/rsa/SHA256withRSAandMGF1Signature.html

PiperOrigin-RevId: 207679073
GitOrigin-RevId: 8196db8d6326f28c07c0434925079236ad76e589
2019-11-25 16:57:07 -08:00
Daniel Bleichenbacher 8e7e87adb8 Adding a test for faulty RSA signature generation.
Instead of inducing a fault (I don't know how to do this), the test uses
faulty CRT parameters.
Results:
All Java providers pass.

OpenJdk: Generating PKCS#1 signature with faulty key throws:java.security.SignatureException: Could not sign data
BouncyCastle: Generating PKCS#1 signature with faulty key throws:java.security.SignatureException: java.lang.IllegalStateException: RSA engine faulty decryption/signing detected
Conscrypt: Generating PKCS#1 signature with faulty key throws:java.security.SignatureException: java.lang.RuntimeException: error:04000044:RSA routines:OPENSSL_internal:internal error
PiperOrigin-RevId: 207514657
GitOrigin-RevId: ced32b741745a87fb13672eeb2e0ef17ab778d78
2019-11-25 16:56:59 -08:00
Alex Gaynor c313761979 Added two additional findings (#63) 2018-09-20 17:31:11 -07:00
Daniel Bleichenbacher f89f4c53a8 Adding test with RSA-PSS test vectors where signature hash, mgf hash and
salt length do not match. Applications typically used RSA-PSS such
that signature hash and mgf hash are the same and the salt length
is either 0 or the size of the hash.
RFC 8017 allows other combinations. These test check that such
combinations are either rejected or are implemented correctly.
The test file contains just one valid signature for each combination
of mgf-hash signature-hash, salt length that is tested.

Results:
BoringSSL accepts all signatures.
BouncyCastle rejects signatures where mgf and signature hash do not match.
Conscrypt rejects signatures where mgf and signature hash do not match.
Jdk (i.e. the version we have in google3) does not implement RSA-PSS yet.
PiperOrigin-RevId: 206761543
GitOrigin-RevId: f5cffdf23fc04cc0b15925c34c0cb74dfda51737
2018-07-31 10:48:32 -07:00
Daniel Bleichenbacher 4d6cead1bb Modifying some tests because of BC version 1.59.
google3 switched from version 1.52 to 1.59.
Hence some tests no longer fail.

- DSA now has a 2048 bit default
- Ecies with AES-CBC no longer has a padding oracle.

BC fixed more bugs between version 1.52 and 1.59.
But most of these bugs were were already fixed internally in google3.

PiperOrigin-RevId: 206161567
GitOrigin-RevId: 5cc85701f13635f4bfca70d5f0cd285125b70999
2018-07-31 10:48:23 -07:00
Daniel Bleichenbacher d59a68af04 Using the new test vectors.
This mainly adds tests for RSA-PSS.
BoringSSL is OK.
BouncyCastle has a minor bug.
OpenJdk is adding PSS, but we don't have that version yet.

Some test run:
http://sponge/a0f74aa9-cbf9-4e8c-8328-7763a8c202dc

PiperOrigin-RevId: 206120374
GitOrigin-RevId: 77979cd774420794645b988bc8e71d3d727f0ddd
2018-07-31 10:48:14 -07:00
Wycheproof Team 6eeb70e249 Automated g4 rollback of changelist 205815425.
Please note that this was created with g4 rollback, but the version number in the Wycheproof file regresses. I'm unsure whether that's desired. The BoringSSL change works for both the old and new files so can be landed without touching Wycheproof if that's better.

*** Reason for rollback ***

Fix to BoringSSL scripts now included.

*** Original change description ***

Adding the curve back to the test cases to avoid failing BoringSSL tests.

***

PiperOrigin-RevId: 205957468
GitOrigin-RevId: c0afaa191d5509050bbea307265b07bca61b4714
2018-07-31 10:48:02 -07:00
Daniel Bleichenbacher 012a83f4fe Adding the curve back to the test cases to avoid failing BoringSSL tests.
PiperOrigin-RevId: 205815425
GitOrigin-RevId: 4b439ccf90d0aa5f2259f9d30253918f5332bc36
2018-07-31 10:47:52 -07:00
Daniel Bleichenbacher 8f2cba4d3f Test vectors version 0.4.12.
Tests using the new test vectors will be added in another CL.

Changes:
AES-GCM has test vectors for modified tags, which were previously missing.
ECDSA has more test vectors for potential arithmetic errors.
  There are no more random test vectors.
Webcrypto has a few test vectors with the bitcoin curve (since some libraries
  want to add this).
DSA and ECDSA have more invalid test vectors with r,s = ((q-1)/2 or q-1).
This is motivated by some weak ElGamal implementation in beecrypt.
ECDH test vectors have some new files where the public key is just a point
using SEC 1 / X9.62 format.
All tests for ASN modifications are removed from ecdh_test.json, so that
this file has a more resonable size. These test vectors are included in
the files ecdh_curve_test.json.
EDDSA has a few more invalid test vectors for malformed signatures.
(I.e. the python implementation in the RFC has a small bug).
Adding test vectors for AES-CCM. (tested against BouncyCastle, which sort of
abuses the JCE interface)
There are some test vectors for RSA-PSS (so far tested with BouncyCastle and boringSSL)
More tests will be added when we have an idea what is actually being used.
PiperOrigin-RevId: 205802874
GitOrigin-RevId: 250ab89370a0dcfc56e887fb185a494f45f9a3f5
2018-07-31 10:47:42 -07:00
Thai Duong f1b3b3429b Fixing Wycheproof ECDH tests. There's no bug, the tests are incorrect.
First, background and history:

In Java, an ECDH public key can be encoded as a SubjectPublicKeyInfo spec [1]. This spec contains the public point, and a named curve or curve parameters [2]. To test ECDH libraries, Wycheproof generates public key specs with modified curve parameters, and checks that the libraries must reject them [3].

Android M and N (and possibly other versions) do not reject said public keys specs. Given a spec Android just takes the field ID, and derives the rest of the parameters. This leads to a somewhat interesting situation: not only Android accepts Wycheproof's modified public key specs, but it also computes the shared secrets correctly and securely. So we changed Wycheproof to accept Android's behavior, and added to each test case the expected shared secret, had the public key spec not been modified.

What went wrong:

The expected shared secrets for "modified prime" and "public key of order 3" test are incorrect. I found that the public key specs (the "public" field in the ecdh_test.json) don't contain the same public point as in other tests. I'm not sure this is intentional, but because the public point is different the expected shared secret must be different too.

Let's look at test case #336. Its expected shared secret is the same as test case #335. Yet two test cases contain two different public points, as shown below (
the public point is the last BIT STRING, it starts with 04):

# Test case 335

  0 304: SEQUENCE {
  4 233:   SEQUENCE {
  7   7:     OBJECT IDENTIFIER '1 2 840 10045 2 1'
 16 221:     SEQUENCE {
 19   1:       INTEGER 1
 22  44:       SEQUENCE {
 24   7:         OBJECT IDENTIFIER '1 2 840 10045 1 1'
 33  33:         INTEGER
       :           00 FF FF FF FF 00 00 00 01 00 00 00 00 00 00 00
       :           00 00 00 00 00 FF FF FF FF FF FF FF FF FF FF FF
       :           FF
       :         }
 68  68:       SEQUENCE {
 70  32:         OCTET STRING
       :           FF FF FF FF 00 00 00 01 00 00 00 00 00 00 00 00
       :           00 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FC
104  32:         OCTET STRING
       :           5A C6 35 D8 AA 3A 93 E7 B3 EB BD 55 76 98 86 BC
       :           65 1D 06 B0 CC 53 B0 F6 3B CE 3C 3E 27 D2 60 4B
       :         }
138  65:       OCTET STRING
       :         04 6B 17 D1 F2 E1 2C 42 47 F8 BC E6 E5 63 A4 40
       :         F2 77 03 7D 81 2D EB 33 A0 F4 A1 39 45 D8 98 C2
       :         96 4F E3 42 E2 FE 1A 7F 9B 8E E7 EB 4A 7C 0F 9E
       :         16 2B CE 33 57 6B 31 5E CE CB B6 40 68 37 BF 51
       :         F5
205  33:       INTEGER
       :         00 FF FF FF FF 00 00 00 00 FF FF FF FF FF FF FF
       :         FF BC E6 FA AD A7 17 9E 84 F3 B9 CA C2 FC 63 25
       :         51
       :       }
       :     }
240  66:   BIT STRING
       :     04 15 10 26 4C 18 9C 3D 52 3F F9 91 6A BD 70 69
       :     EF A6 96 8D 8D C7 DD B6 45 7D 78 69 B5 3E A6 0C
       :     DC FA FB 7E D4 78 6D A1 5D 29 EE 59 25 6F 53 6D
       :     A3 57 5A 48 88 C1 BB 0A 95 B2 56 F4 A7 E9 FD 76
       :     4A
       :   }

# Test case 336:

  0 307: SEQUENCE {
  4 236:   SEQUENCE {
  7   7:     OBJECT IDENTIFIER '1 2 840 10045 2 1'
 16 224:     SEQUENCE {
 19   1:       INTEGER 1
 22  44:       SEQUENCE {
 24   7:         OBJECT IDENTIFIER '1 2 840 10045 1 1'
 33  33:         INTEGER
       :           00 FD 09 10 59 A6 89 36 35 F9 00 E9 44 9D 63 F5
       :           72 B2 AE BC 4C FF 7B 4E 5E 33 F1 B2 00 E8 BB C1
       :           45
       :         }
 68  68:       SEQUENCE {
 70  32:         OCTET STRING
       :           02 F6 EF A5 59 76 C9 CB 06 FF 16 BB 62 9C 0A 8D
       :           4D 51 43 B4 00 84 B1 A1 CC 0E 4D FF 17 44 3E B7
104  32:         OCTET STRING
       :           5A C6 35 D8 AA 3A 93 E7 B3 EB BD 55 76 98 86 BC
       :           65 1D 06 B0 CC 53 B0 F6 3B CE 3C 3E 27 D2 60 4B
       :         }
138  65:       OCTET STRING
       :         04 00 00 00 00 00 00 00 00 00 00 06 59 7F A9 4B
       :         1F D9 00 00 00 00 00 00 00 00 00 00 00 00 00 00
       :         02 1B 8C 7D D7 7F 9A 95 62 79 22 EC EE FE A7 3F
       :         02 8F 1E C9 5B A9 B8 FA 95 A3 AD 24 BD F9 FF F4
       :         14
205  33:       INTEGER
       :         00 FF FF FF FF 00 00 00 00 FF FF FF FF FF FF FF
       :         FF BC E6 FA AD A7 17 9E 84 F3 B9 CA C2 FC 63 25
       :         51
240   1:       INTEGER 1
       :       }
       :     }
243  66:   BIT STRING
       :     04 00 00 00 00 00 00 00 00 00 00 06 59 7F A9 4B
       :     1F D9 00 00 00 00 00 00 00 00 00 00 00 00 00 00
       :     02 1B 8C 7D D7 7F 9A 95 62 79 22 EC EE FE A7 3F
       :     02 8F 1E C9 5B A9 B8 FA 95 A3 AD 24 BD F9 FF F4
       :     14
       :   }

[1] https://tools.ietf.org/html/rfc5280#section-4.1.2.7.
[2] https://tools.ietf.org/html/rfc3279#section-2.3.5
[3] Many libraries don't, and usually that leads to vulnerabilities that leak the private key.

PiperOrigin-RevId: 204515375
GitOrigin-RevId: 26b6eb30145d94209b9d828db7c6a0b0ed6be695
2018-07-31 10:47:33 -07:00
Thai Duong abb656f1a3 Release empty IV tests.
PiperOrigin-RevId: 204463594
GitOrigin-RevId: 105ad708ed85d47635e3859b0a4e2b062c154033
2018-07-31 10:47:24 -07:00
Wycheproof Team 202ec7ef23 Format .bzl files with buildifier
This is a part of a large-scale change: go/lsc-format-bzl-files . All .bzl files are being formatted with buildifier.

To format a file manually run `buildifier path/to/file.bzl`. Integration with `g4 fix` will be available later, but you can try using `g4 fix --format=bzl`.

Tested:
    tap_presubmit
    Some tests failed; test failures are believed to be unrelated to this CL

BEGIN_PUBLIC
Format .bzl files with buildifier
END_PUBLIC

PiperOrigin-RevId: 203461813
GitOrigin-RevId: 079b58e5340b57819c361af79e4b820f4c66e590
2018-07-31 10:47:15 -07:00
Daniel Bleichenbacher f22bfc7c3d This CL is mainly documenting that Oracle is not fixing CipherInputStream
and CipherOutputStream. The test code is slightly refactored.

PiperOrigin-RevId: 203082697
GitOrigin-RevId: aa26a3d92f94b5f79780ebc2d0674f47ca0d223d
2018-07-31 10:47:03 -07:00
Thai Duong 2904be69e9 Stop scrubbing @NoPresubmitTest annotation to make it easier to import external changes.
Also fixing a typo in Java transformation rules.

PiperOrigin-RevId: 199870545
GitOrigin-RevId: b2bf283c8f782205598503e14b0f13278ac0b4db
2018-06-27 12:04:44 -04:00
Daniel Bleichenbacher b9b3b2119c Adding JSON test vectors for version 0.4.6.
This CL only adds test vectors.
Changes using the new test vectors are in CL 199130745.

There are the following changes to version 0.4:
ECDSA test vectors with a valid signature but non-DER encoding
have "result":"invalid" and have the flag "BER".

Version 0.4.4 has some additional test vectors:
- Tests for invalid encoding of the INTEGER 0 (i.e. "0200" instead
of "020100")
- Truncation after the ASN tag.
- ECDH test vectors now include shared secrets in invalid test vectors.
  This allows to check if an implementation is just sloppy at comparing
  public keys (i.e. ignoring parameters) or vulnerable (i.e. using
  modified parameters for ECDH computation)
- More tests vectors like the unexplained test vector in b/74209208
- ECDH now has tests vectors where public and private keys are
  on different, but isomorphic curves. The result is invalid, since
  the encoding of the shared secret is undefined.
- ECDH has test vectors with modified ASN. Again the shared secret
  computed with the original public key is included so that it is
  a bit easier to distinguish between serious and non-serious cases.
- Some third party test cases were added to all files. They are
  removed.

Version 0.4.5:
- adds more test vectors for ECDSA.
- adds more test vectors for RSA signatures and splits the signatures
  into more files, sorted by key size and hash.
Version 0.4.6:
- adds an uncompressed encoding to EC keys.
- rsa_signature_test.json now contains more keys for size 1024 to 4096.
  Most keys only contain a small number of tests.
  More extensive tests are done with a 2048 bit key only.

New bugs:
BouncyCastle and ConsCrypt both accepts some invalid keys (with
additional garbage) as valid. These bugs are currently silenced
by marking the test vectors as acceptable. I.e. the first goal is
to verify that invalid ECDH keys cannot be used to find the private
key.

PiperOrigin-RevId: 199611433
GitOrigin-RevId: f1f99cc52617e18224ec98f84dcaa55c42df9b46
2018-06-27 12:04:31 -04:00
Wycheproof Team 127d8022a2 Integrate test fix from GitHub PR
https://github.com/google/wycheproof/pull/45

PiperOrigin-RevId: 199395510
GitOrigin-RevId: 1ad1df83ae6f0ae915cdfd3174fa9cb755961980
2018-06-27 12:04:19 -04:00