* including new primitives
* more detailed description of JSON types.
* adding links for algorithms
NOKEYCHECK=True
PiperOrigin-RevId: 252799091
GitOrigin-RevId: ebf54ad59ebc55f4cbee010d67867ee9a95ce987
Versions:
Aegis128 and Aegis128L use
https://competitions.cr.yp.to/round3/aegisv11.pdf
The eprint version of Aegis128L in
https://eprint.iacr.org/2013/695.pdf
is slightly different, since the tag is computed differently.
To make this difference easier to spot, I'm including
the test vectors from the eprint version (the result is
of course invalid).
Generation:
The test vectors were generated with a 2nd implementation
(in python). This would hopefully allow to spot boundary
errors.
NOKEYCHECK=True
PiperOrigin-RevId: 251426918
GitOrigin-RevId: 3fc993aa9e84495cefd1f20bcc5a0fb3a3179883
Changes:
* Unused flags are no longer listed in "notes:"
* Added some new invalid encoding containing special values such as NaN.
* Adding jwk keys to RSA-OAEP test vectors if the jwk key is defined.
* Adding a flag InvalidOaepPadding to RSA-OAEP test vectors to test vectors
where leaking padding information might allow Manger's attack.
* Adding test vectors for invalid padding: PKCS-1 padding for PSS signatures
signatures without hashing.
* Adding test vectors from RFC 8037 to XDH. (There is not enough cross checking
otherwise, since most libraries don't implement XDH).
NOKEYCHECK=True
PiperOrigin-RevId: 237066566
GitOrigin-RevId: 44dd5c1fda5d152b6741824ad9d5400b4cffd6aa
to avoid making tables incompatible with other
markdown dialects.
NOKEYCHECK=True
PiperOrigin-RevId: 236831405
GitOrigin-RevId: 25641287cde9b5ba7b631d5d4b6c26c226c3cc18
The test vectors replace the previous test for padding oracles, which
had to generate a new key. The test vectors add some new
test cases that are edge cases for the modular exponentiation.
NOKEYCHECK=True
PiperOrigin-RevId: 236813461
GitOrigin-RevId: a92ab2a6af48d3285735fbf5c8ecb66c0750f46b
Adding test vectors for AES-SIV-CMAC for AEAD.
I.e. these are test vectors for AES-SIV-CMAC where encryption takes
two AAD arguments: one argument acting as the nonce and one argument
acting as the additional data.
Adding test vectors for XDH where the keys use jwk encoding.
These are mostly the same test vectors as used for other XDH tests,
but the keys are enocded according to RFC 8037.
The test vectors include two test vectors from RFC 8037 section A.6 and
A.7 to ensure that the same encoding is used.
Fixing the algorithm name for AES-GCM-SIV.
NOKEYCHECK=True
PiperOrigin-RevId: 232840812
GitOrigin-RevId: cc0604472074630f0b00894c4234e06ac0bc4f0a
Extending the tests for signature bias.
E.g. biased signature generations that
choose s' as min(s, q-s) because of
signature malleability will not be detected.
Such implementations exist:
https://eprint.iacr.org/2019/023.pdf
Removing test vectors in the tests.
These test vectors are no longer necessary, since there
are more test vectors in the JSON files. Additionally,
the test vectors here are old and have not been updated.
Replacing comparisons for test vector version with comparisons
for the JSON schema. A new schema (with a different name) will
be used whenever the format of the test vectors changes without
backwards compatibility. Hence the JSON schema should change less
frequently than the version and give a better indication whether
test vectors and test match.
Reducing the log size a bit.
Bugs:
b/33190860: default key size for DSA is now 2048. This has been
fixed by Oracle.
NOKEYCHECK=True
PiperOrigin-RevId: 232647129
GitOrigin-RevId: 76f43890f0115a2ff72c6078a3376a96882a1504
Changing incorrect documentation in the header:
The public keys are X509 encoded. Private keys are just integers.
Adding some more edge cases:
These are mostly cases where the y coordinate is a special case.
Such special cases can lead to overflows if the point is normalized
during the ECDH compuation. A normalization is sometimes done in
precomputations.
Somewhat better comments: I.e. explain what the edge case is.
Removing unnecessary notes: Sometimes test vectors with labels are generated,
but not used because encoding can't handle the test vectors. Previously the
label would still end up in the notes section. This has been removed.
NOKEYCHECK=True
PiperOrigin-RevId: 232640195
GitOrigin-RevId: b2bae8ea496a482297ea92f125d7762990015a33
There might be some test cases not covered yet. That will be done
later.
NOKEYCHECK=True
PiperOrigin-RevId: 232472199
GitOrigin-RevId: 8821bbd10f7917f161b83e26edc19a213d67c8c0
Switching to test vector files that contain vectors for one curve only.
This covers more test cases, allows to skip test vectors for curves not
supported by a library.
ecdh_test.json contains tests for multiple curves, but is somewhat limited
in coverage.
Sanity checks for using expected files are now based on the JSON schema.
I.e. if the expected and actual JSON schema of the test vector file match,
then the test should pass, otherwise there is a problem with the test setup.
Removing tests covered by test vectors from EcdhTest.java.
Adding timing test for ECDH:
The tests require to run on a system without much noise:
E.g. running a regular unit test is too noisy.
The confidence level is too low to fail the test:
ECDH timing test:secp256r1
Timing for point 0 avg: 4062844.9155273438 std dev: 452064.39579909603 cv:0.11126794283271814
Timing for point 1 avg: 4077776.20703125 std dev: 457662.5685428607 cv:0.1122333706675025
Point 0 multiplication is faster: 1152
Running the same test locally adds less noise.
The ratio avg / std dev is 10 times smaller.
Here the test run shows that time of a point multiplication depends on the
point that is multiplied.
ECDH timing test:secp256r1
Timing for point 0 avg: 1611269.970703125 std dev: 30329.312528547747 cv:0.018823234516877802
Timing for point 1 avg: 1618931.3715820312 std dev: 29267.753517245954 cv:0.01807843990857086
Point 0 multiplication is faster: 1655
NOKEYCHECK=True
PiperOrigin-RevId: 232286329
GitOrigin-RevId: 1bbbd6422c8fd64f3d5ea2fc3ecb94c6bd7bc171
Adding some references to dh.md and dsa.md
Adding a bibliography.
There does not seem to be any simple support for references in g3doc.
NOKEYCHECK=True
PiperOrigin-RevId: 231400389
GitOrigin-RevId: db928a9f57d11ee736348c468412a320e03698d4
Requires test vectors with version 0.7 or higher.
NOKEYCHECK=True
PiperOrigin-RevId: 228853889
GitOrigin-RevId: d669cb263964511c7c95cb32f83e1f07f4bf6b51
There are format changes:
* All test vector files contain a new field schema,
which points to a JSON schema definition
in the directory wycheproof/schema.
* More consistent type definition:
E.g. the field "type" in a testGroup is now describing the
type of the test the vectors are intended for. The type of
the test defines formatting (e.g. whether signatures use
P1363 encoding or ASN encoding) and the tested operation
(e.g. whether the test vectors signatures are primarily
are meant for verification or signature generation)
The test types will also be included in the documentation.
* More unified test vectors:
RSA-PKCS#1 v1.5 signature no longer have a field "padding".
* Added public and private keys in jwk format.
This is done when the jwk format is defined and
where the key format is not part of the test.
Additional test vectors:
* Added vectors for edge cases that can occur
in ECDH computations with projective or Jacobian
coordinates. In particular this implements a detection for the
attack in "Zero-Value Point Attacks on Elliptic Curve Cryptosystem"
by T.Akishita and T Takagi, ISC 2003
* Added more edge cases for Xdh.
* Added more test cases for ASN parsing (e.g. high number tags)
* Added test vectors for CVE-2017-18330 to CCM and EAX.
* Added more edge cases for poly1305
* Added test vectors for HKDF.
* Removed some duplicates in the test vectors.
NOKEYCHECK=True
PiperOrigin-RevId: 228700977
GitOrigin-RevId: 5708361fc71a2089a5c102be7d73adbc3b3b8efd
ed448_test.json
Test vectors for EDDSA over the curve edwards448
xchacha20_poly1305_test.json
Test vectors for Xchacha20 with poly1305 as defined in
https://datatracker.ietf.org/doc/draft-arciszewski-xchacha
NOKEYCHECK=True
PiperOrigin-RevId: 224343437
GitOrigin-RevId: 0b9a4eb9074b6ea1f76d0ff435dac215323024a1
BouncyCastle, jdk11 and hashlib in python 3.6 support SHA-3.
All libraries give the same result.
Some test runs:
blaze test :BouncyCastleAllTests
http://sponge/087b2160-0d69-47b2-b679-2f95c64fd205
blaze test //third_party/wycheproof:OpenJDKAllTests --javabase=//third_party/java/jdk:jdk11
http://sponge/4b1e9175-cb3f-421d-9d3f-dee6483a4a0d
NOKEYCHECK=True
PiperOrigin-RevId: 222516231
GitOrigin-RevId: f03a46bd3f92ed0a977180e68c0fbfb198edb3de
The goal of this test is to ensure that all providers use the same default values
for RSA-PSS. At the moment BouncyCastle and Conscrypt implement RSA-PSS using the
same parameters (jdk has an update that has not yet imported to google3 yet).
At least some other provider seem to support the same defaults:
http://javadoc.iaik.tugraz.at/iaik_jce/current/iaik/security/rsa/SHA256withRSAandMGF1Signature.html
PiperOrigin-RevId: 207679073
GitOrigin-RevId: 8196db8d6326f28c07c0434925079236ad76e589
Instead of inducing a fault (I don't know how to do this), the test uses
faulty CRT parameters.
Results:
All Java providers pass.
OpenJdk: Generating PKCS#1 signature with faulty key throws:java.security.SignatureException: Could not sign data
BouncyCastle: Generating PKCS#1 signature with faulty key throws:java.security.SignatureException: java.lang.IllegalStateException: RSA engine faulty decryption/signing detected
Conscrypt: Generating PKCS#1 signature with faulty key throws:java.security.SignatureException: java.lang.RuntimeException: error:04000044:RSA routines:OPENSSL_internal:internal error
PiperOrigin-RevId: 207514657
GitOrigin-RevId: ced32b741745a87fb13672eeb2e0ef17ab778d78
salt length do not match. Applications typically used RSA-PSS such
that signature hash and mgf hash are the same and the salt length
is either 0 or the size of the hash.
RFC 8017 allows other combinations. These test check that such
combinations are either rejected or are implemented correctly.
The test file contains just one valid signature for each combination
of mgf-hash signature-hash, salt length that is tested.
Results:
BoringSSL accepts all signatures.
BouncyCastle rejects signatures where mgf and signature hash do not match.
Conscrypt rejects signatures where mgf and signature hash do not match.
Jdk (i.e. the version we have in google3) does not implement RSA-PSS yet.
PiperOrigin-RevId: 206761543
GitOrigin-RevId: f5cffdf23fc04cc0b15925c34c0cb74dfda51737
google3 switched from version 1.52 to 1.59.
Hence some tests no longer fail.
- DSA now has a 2048 bit default
- Ecies with AES-CBC no longer has a padding oracle.
BC fixed more bugs between version 1.52 and 1.59.
But most of these bugs were were already fixed internally in google3.
PiperOrigin-RevId: 206161567
GitOrigin-RevId: 5cc85701f13635f4bfca70d5f0cd285125b70999
This mainly adds tests for RSA-PSS.
BoringSSL is OK.
BouncyCastle has a minor bug.
OpenJdk is adding PSS, but we don't have that version yet.
Some test run:
http://sponge/a0f74aa9-cbf9-4e8c-8328-7763a8c202dc
PiperOrigin-RevId: 206120374
GitOrigin-RevId: 77979cd774420794645b988bc8e71d3d727f0ddd
Please note that this was created with g4 rollback, but the version number in the Wycheproof file regresses. I'm unsure whether that's desired. The BoringSSL change works for both the old and new files so can be landed without touching Wycheproof if that's better.
*** Reason for rollback ***
Fix to BoringSSL scripts now included.
*** Original change description ***
Adding the curve back to the test cases to avoid failing BoringSSL tests.
***
PiperOrigin-RevId: 205957468
GitOrigin-RevId: c0afaa191d5509050bbea307265b07bca61b4714
Tests using the new test vectors will be added in another CL.
Changes:
AES-GCM has test vectors for modified tags, which were previously missing.
ECDSA has more test vectors for potential arithmetic errors.
There are no more random test vectors.
Webcrypto has a few test vectors with the bitcoin curve (since some libraries
want to add this).
DSA and ECDSA have more invalid test vectors with r,s = ((q-1)/2 or q-1).
This is motivated by some weak ElGamal implementation in beecrypt.
ECDH test vectors have some new files where the public key is just a point
using SEC 1 / X9.62 format.
All tests for ASN modifications are removed from ecdh_test.json, so that
this file has a more resonable size. These test vectors are included in
the files ecdh_curve_test.json.
EDDSA has a few more invalid test vectors for malformed signatures.
(I.e. the python implementation in the RFC has a small bug).
Adding test vectors for AES-CCM. (tested against BouncyCastle, which sort of
abuses the JCE interface)
There are some test vectors for RSA-PSS (so far tested with BouncyCastle and boringSSL)
More tests will be added when we have an idea what is actually being used.
PiperOrigin-RevId: 205802874
GitOrigin-RevId: 250ab89370a0dcfc56e887fb185a494f45f9a3f5
First, background and history:
In Java, an ECDH public key can be encoded as a SubjectPublicKeyInfo spec [1]. This spec contains the public point, and a named curve or curve parameters [2]. To test ECDH libraries, Wycheproof generates public key specs with modified curve parameters, and checks that the libraries must reject them [3].
Android M and N (and possibly other versions) do not reject said public keys specs. Given a spec Android just takes the field ID, and derives the rest of the parameters. This leads to a somewhat interesting situation: not only Android accepts Wycheproof's modified public key specs, but it also computes the shared secrets correctly and securely. So we changed Wycheproof to accept Android's behavior, and added to each test case the expected shared secret, had the public key spec not been modified.
What went wrong:
The expected shared secrets for "modified prime" and "public key of order 3" test are incorrect. I found that the public key specs (the "public" field in the ecdh_test.json) don't contain the same public point as in other tests. I'm not sure this is intentional, but because the public point is different the expected shared secret must be different too.
Let's look at test case #336. Its expected shared secret is the same as test case #335. Yet two test cases contain two different public points, as shown below (
the public point is the last BIT STRING, it starts with 04):
# Test case 335
0 304: SEQUENCE {
4 233: SEQUENCE {
7 7: OBJECT IDENTIFIER '1 2 840 10045 2 1'
16 221: SEQUENCE {
19 1: INTEGER 1
22 44: SEQUENCE {
24 7: OBJECT IDENTIFIER '1 2 840 10045 1 1'
33 33: INTEGER
: 00 FF FF FF FF 00 00 00 01 00 00 00 00 00 00 00
: 00 00 00 00 00 FF FF FF FF FF FF FF FF FF FF FF
: FF
: }
68 68: SEQUENCE {
70 32: OCTET STRING
: FF FF FF FF 00 00 00 01 00 00 00 00 00 00 00 00
: 00 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FC
104 32: OCTET STRING
: 5A C6 35 D8 AA 3A 93 E7 B3 EB BD 55 76 98 86 BC
: 65 1D 06 B0 CC 53 B0 F6 3B CE 3C 3E 27 D2 60 4B
: }
138 65: OCTET STRING
: 04 6B 17 D1 F2 E1 2C 42 47 F8 BC E6 E5 63 A4 40
: F2 77 03 7D 81 2D EB 33 A0 F4 A1 39 45 D8 98 C2
: 96 4F E3 42 E2 FE 1A 7F 9B 8E E7 EB 4A 7C 0F 9E
: 16 2B CE 33 57 6B 31 5E CE CB B6 40 68 37 BF 51
: F5
205 33: INTEGER
: 00 FF FF FF FF 00 00 00 00 FF FF FF FF FF FF FF
: FF BC E6 FA AD A7 17 9E 84 F3 B9 CA C2 FC 63 25
: 51
: }
: }
240 66: BIT STRING
: 04 15 10 26 4C 18 9C 3D 52 3F F9 91 6A BD 70 69
: EF A6 96 8D 8D C7 DD B6 45 7D 78 69 B5 3E A6 0C
: DC FA FB 7E D4 78 6D A1 5D 29 EE 59 25 6F 53 6D
: A3 57 5A 48 88 C1 BB 0A 95 B2 56 F4 A7 E9 FD 76
: 4A
: }
# Test case 336:
0 307: SEQUENCE {
4 236: SEQUENCE {
7 7: OBJECT IDENTIFIER '1 2 840 10045 2 1'
16 224: SEQUENCE {
19 1: INTEGER 1
22 44: SEQUENCE {
24 7: OBJECT IDENTIFIER '1 2 840 10045 1 1'
33 33: INTEGER
: 00 FD 09 10 59 A6 89 36 35 F9 00 E9 44 9D 63 F5
: 72 B2 AE BC 4C FF 7B 4E 5E 33 F1 B2 00 E8 BB C1
: 45
: }
68 68: SEQUENCE {
70 32: OCTET STRING
: 02 F6 EF A5 59 76 C9 CB 06 FF 16 BB 62 9C 0A 8D
: 4D 51 43 B4 00 84 B1 A1 CC 0E 4D FF 17 44 3E B7
104 32: OCTET STRING
: 5A C6 35 D8 AA 3A 93 E7 B3 EB BD 55 76 98 86 BC
: 65 1D 06 B0 CC 53 B0 F6 3B CE 3C 3E 27 D2 60 4B
: }
138 65: OCTET STRING
: 04 00 00 00 00 00 00 00 00 00 00 06 59 7F A9 4B
: 1F D9 00 00 00 00 00 00 00 00 00 00 00 00 00 00
: 02 1B 8C 7D D7 7F 9A 95 62 79 22 EC EE FE A7 3F
: 02 8F 1E C9 5B A9 B8 FA 95 A3 AD 24 BD F9 FF F4
: 14
205 33: INTEGER
: 00 FF FF FF FF 00 00 00 00 FF FF FF FF FF FF FF
: FF BC E6 FA AD A7 17 9E 84 F3 B9 CA C2 FC 63 25
: 51
240 1: INTEGER 1
: }
: }
243 66: BIT STRING
: 04 00 00 00 00 00 00 00 00 00 00 06 59 7F A9 4B
: 1F D9 00 00 00 00 00 00 00 00 00 00 00 00 00 00
: 02 1B 8C 7D D7 7F 9A 95 62 79 22 EC EE FE A7 3F
: 02 8F 1E C9 5B A9 B8 FA 95 A3 AD 24 BD F9 FF F4
: 14
: }
[1] https://tools.ietf.org/html/rfc5280#section-4.1.2.7.
[2] https://tools.ietf.org/html/rfc3279#section-2.3.5
[3] Many libraries don't, and usually that leads to vulnerabilities that leak the private key.
PiperOrigin-RevId: 204515375
GitOrigin-RevId: 26b6eb30145d94209b9d828db7c6a0b0ed6be695
This is a part of a large-scale change: go/lsc-format-bzl-files . All .bzl files are being formatted with buildifier.
To format a file manually run `buildifier path/to/file.bzl`. Integration with `g4 fix` will be available later, but you can try using `g4 fix --format=bzl`.
Tested:
tap_presubmit
Some tests failed; test failures are believed to be unrelated to this CL
BEGIN_PUBLIC
Format .bzl files with buildifier
END_PUBLIC
PiperOrigin-RevId: 203461813
GitOrigin-RevId: 079b58e5340b57819c361af79e4b820f4c66e590
This CL only adds test vectors.
Changes using the new test vectors are in CL 199130745.
There are the following changes to version 0.4:
ECDSA test vectors with a valid signature but non-DER encoding
have "result":"invalid" and have the flag "BER".
Version 0.4.4 has some additional test vectors:
- Tests for invalid encoding of the INTEGER 0 (i.e. "0200" instead
of "020100")
- Truncation after the ASN tag.
- ECDH test vectors now include shared secrets in invalid test vectors.
This allows to check if an implementation is just sloppy at comparing
public keys (i.e. ignoring parameters) or vulnerable (i.e. using
modified parameters for ECDH computation)
- More tests vectors like the unexplained test vector in b/74209208
- ECDH now has tests vectors where public and private keys are
on different, but isomorphic curves. The result is invalid, since
the encoding of the shared secret is undefined.
- ECDH has test vectors with modified ASN. Again the shared secret
computed with the original public key is included so that it is
a bit easier to distinguish between serious and non-serious cases.
- Some third party test cases were added to all files. They are
removed.
Version 0.4.5:
- adds more test vectors for ECDSA.
- adds more test vectors for RSA signatures and splits the signatures
into more files, sorted by key size and hash.
Version 0.4.6:
- adds an uncompressed encoding to EC keys.
- rsa_signature_test.json now contains more keys for size 1024 to 4096.
Most keys only contain a small number of tests.
More extensive tests are done with a 2048 bit key only.
New bugs:
BouncyCastle and ConsCrypt both accepts some invalid keys (with
additional garbage) as valid. These bugs are currently silenced
by marking the test vectors as acceptable. I.e. the first goal is
to verify that invalid ECDH keys cannot be used to find the private
key.
PiperOrigin-RevId: 199611433
GitOrigin-RevId: f1f99cc52617e18224ec98f84dcaa55c42df9b46