139 Commits

Author SHA1 Message Date
thaidn 2196000605 Correct the credits of CVE-2019-6486.
NOKEYCHECK=True
PiperOrigin-RevId: 286306111
GitOrigin-RevId: 81778d59afbddcd9965b355e6dc6c1e349df07e3
2019-12-18 21:27:05 -05:00
thaidn d8ed1ba95a Merge #57: fix Ecdsa.generateKey in WebCrypto tests.
While I'm here, fix a bunch of Lint errors.

NOKEYCHECK=True
PiperOrigin-RevId: 286042650
GitOrigin-RevId: d644e50fa0b8246d679f1e5b6daa32a76a130ebf
2019-12-17 13:12:37 -08:00
SalusaSecondus e6d7461b3c Add support for AmazonCorrettoCryptoProvider (#72)
* Add support for AmazonCorrettoCryptoProvider

* Add support for ACCP 1.1.1 and 1.2.0

* Make all ACCP tests enormous so they complete
2019-12-16 18:01:46 -08:00
thaidn fb72abc097 Merge #72: Add support for AmazonCorrettoCryptoProvider.
NOKEYCHECK=True
PiperOrigin-RevId: 285889021
GitOrigin-RevId: 5c275cb55af7e77e50e40ab4e811965ee2e8d6bb
2019-12-16 17:59:03 -08:00
thaidn be388ef334 Fix Wycheproof BUILD.
dsa_2048_256_sha224_p1363_test.json and dsa_2048_256_sha224_test.json don't exist.

While I'm here, update testvectors/BUILD.bazel to include new files. This makes them available for Tink and other Bazel users.

NOKEYCHECK=True
PiperOrigin-RevId: 285887952
GitOrigin-RevId: faadf65f788bb5b446ff67b8c0a02e83d7284843
2019-12-16 17:58:55 -08:00
thaidn 26eaf6f79c Merge #68: add CVE-2019-6486
NOKEYCHECK=True
PiperOrigin-RevId: 285855046
GitOrigin-RevId: 6c855f0510d4208fdaf2e0fd176d9fabc20a0b9c
2019-12-16 14:48:07 -08:00
Filippo Valsorda 12b6761676 Add CVE-2019-6486 to bugs.md (#68)
* Add CVE-2019-6486 to Hall of Bugs

* Revert change to README Hall of Bugs

* docs/bug.md: add CVE-2019-6486
2019-12-16 14:46:53 -08:00
thaidn eb35c25e05 Merging #65: new bug found by wycheproof
NOKEYCHECK=True
PiperOrigin-RevId: 285505795
GitOrigin-RevId: aa00b795c50270c761d5ca7c03362215e73db96d
2019-12-13 17:54:01 -08:00
Paul Kehrer d0a0cfe664 new bug found by wycheproof (#65) 2019-12-13 17:49:37 -08:00
bleichen e91db8abc2 Updating documentation.
NOKEYCHECK=True
PiperOrigin-RevId: 285162744
GitOrigin-RevId: fd709fdf7c1cd94636064e8c16fb68aa7cc820c0
2019-12-13 17:43:08 -08:00
bleichen 2fb91a6923 Adding a test for HMACs to Wycheproof.
The main focus are:
* incremental updates
* long inputs
* using ByteBuffers
Tested providers: jdk8, jdk11, BouncyCastle, Conscrypt, hazmat, pythons implementation of
hmac.
Resuts:
  - all implementations are compatible.
  - all implementations support HMAC with SHA-1 and SHA-2.
  - BouncyCastle and python 3.7 support SHA-3
  - jdk8 doesn't support SHA-3 and hence not HMAC with SHA-3
  - jdk11 implements SHA-3, but not HMAC with SHA-3
  - hazmat would support HMAC with SHA-3 if the backend were supporting the hashes,
    but the defaultbackend does not.

NOKEYCHECK=True
PiperOrigin-RevId: 285161934
GitOrigin-RevId: 604eac41416d9dffc916c474a19ec7690401b22c
2019-12-13 17:42:58 -08:00
thaidn 5cf58d2985 Allow Wycheproof to contain all kind of secrets.
NOKEYCHECK=True
PiperOrigin-RevId: 283723053
GitOrigin-RevId: 281f2a09ebd4727328f797caac76f6aa0c92285d
2019-12-06 17:04:36 -08:00
thaidn aa1451f6c5 Upgrade rules_closures dependency.
This fixes https://github.com/google/wycheproof/issues/71. We can also close https://github.com/google/wycheproof/pull/69 which is made obsolete by this change.

NOKEYCHECK=True
PiperOrigin-RevId: 283722865
GitOrigin-RevId: 90b48d33030dd23da019b4e83687ae2f7635d085
2019-12-06 17:04:28 -08:00
bleichen 93171c2770 Fixing changed links in documentation.
NOKEYCHECK=True
PiperOrigin-RevId: 282922514
GitOrigin-RevId: 54e35849cfda977d7cdcc2f3a7e9fb3bcdffe1f3
2019-12-06 17:04:20 -08:00
bleichen 93c29044f2 Removing non-compatible anchors from documentation.
NOKEYCHECK=True
PiperOrigin-RevId: 282922265
GitOrigin-RevId: 77e90640a2df4095cb31bde798b9e1208f86f478
2019-12-06 17:04:12 -08:00
bleichen 1349cee066 Testing alternative link format.
Adding some missing files and tests.

NOKEYCHECK=True
PiperOrigin-RevId: 282921484
GitOrigin-RevId: 24aeec21aa731a7386c15541d796144feda00f03
2019-12-06 17:04:03 -08:00
bleichen c1cbf80387 Alternative format for md links.
Maybe this one is more compatible with github.

NOKEYCHECK=True
PiperOrigin-RevId: 282920749
GitOrigin-RevId: 3b0342b7798be79eebdd9b8b11b65872674263a6
2019-12-06 17:03:56 -08:00
Wycheproof Team 91ee28e1c4 third_party/wycheproof: add a missing sLen value to rsassa_pss_verify_schema.json
NOKEYCHECK=True
PiperOrigin-RevId: 282561885
GitOrigin-RevId: 38893647f278ff09f4c47a729168bfdfe442a80e
2019-12-06 17:03:48 -08:00
bleichen 06e5e105ee Modifying RSA Key test:
There are differences between the NIST standard and RFC 8017.
NIST requires d < lcm(p-1, q-1), RFC 8017 only requires d < n
jdk does follows RFC 8017, but not the NIST standard.

Adding a test for PKCS8 encoding and decoding.
BouncyCastle returns an OpenSSLRSAPrivateKey instead of
OpenSSLRSAPrivateCrtKey

Moving test vectors that were previously excluded because
the were causing runtime exceptions. This was b/32656910

All SpongyCastle tests fail. This is likely not caused by this CL.
The old SpongyCastle version in google3 is likely not compatible with
some jdk11 feature.

NOKEYCHECK=True
PiperOrigin-RevId: 282341997
GitOrigin-RevId: 1ee6a7df7d8ec6ca612ccc349fcea0e9a9f4f273
2019-11-25 17:45:59 -08:00
bleichen 044cfbea26 Documentation
NOKEYCHECK=True
PiperOrigin-RevId: 281712273
GitOrigin-RevId: de1b278ef6898c9762f063ab2a08423fed033c4c
2019-11-25 17:45:51 -08:00
Wycheproof Team fe3dba2640 wycheproof/testvectors/dsa_test: Small typo fixes
NOKEYCHECK=True
PiperOrigin-RevId: 281551579
GitOrigin-RevId: 41f93acb7124c5f3e02669277e358ac5ad9866f3
2019-11-25 17:45:42 -08:00
bleichen a8b9d3d935 Adding test vectors and tests for DSA with P1363 encoding.
Splitting DSA test vectors into several files depending on key size and hash.

I'm only adding files for DSA parameters that are supported by libraries that are used in google3. Most projects now prefer ECDSA.
Tests with additional parameters (e.g. 4096-bit keys or other hash functions) can be added, if there is a reason for doing so.

Tested providers:
  jdk8 supports DSA with ASN encoding.
  jdk11 supports DSA with ASN and P1363 encoding.
  BouncyCastle only supports DSA with ASN encoding.
    (P1363 format is only supported for ECDSA).
  ConsCrypt does not support DSA at all.

b/33446454: The tests ignore this issue to avoid missing bigger mistakes.

NOKEYCHECK=True
PiperOrigin-RevId: 281068296
GitOrigin-RevId: 7c4178527d940fccbcfcfdd88f1cb850a17746db
2019-11-25 17:45:33 -08:00
bleichen f4112b2d18 Fixing links
NOKEYCHECK=True
PiperOrigin-RevId: 281037853
GitOrigin-RevId: c642ca08a7ac9cc4d1f0daefc6b3fba67efc3d55
2019-11-25 17:45:25 -08:00
bleichen c6604764cf Fixing references
NOKEYCHECK=True
PiperOrigin-RevId: 280831367
GitOrigin-RevId: abcf7e3cb16cb49fbfbe3dd8f8eca08a34fefbd8
2019-11-25 17:45:17 -08:00
bleichen 0c9a698536 Extending documentation of elliptic curves:
- adding OIDs
- completing list.

NOKEYCHECK=True
PiperOrigin-RevId: 280178779
GitOrigin-RevId: 51693b067bc3bf009496db2a4211d4de044c4b24
2019-11-25 17:45:08 -08:00
bleichen 20ff4847ae Adding a test for the API of SecureRandom.
This test does not check if SecureRandom is weak or predictable.
It simply checks whether the seeding follows the claims in the API.

The test attempts to ensure that the rules used in error prone
(see b/26583170) hold for all instances of SecureRandom.

An old version of this test is here:
depot/google3/experimental/users/bleichen/javatests/com/google/security/keymaster/JceTest.java

NOKEYCHECK=True
PiperOrigin-RevId: 279931348
GitOrigin-RevId: f9931f9a5fe122a59e7b4ec35d3db888e969eb81
2019-11-25 17:44:59 -08:00
bleichen ee5a73dbff Adding test vectors for HKDF with maximal output size,
and output size that is too large.

NOKEYCHECK=True
PiperOrigin-RevId: 278393879
GitOrigin-RevId: 1f1374113d335d120ea11f3af2e494f5c3bffc51
2019-11-25 17:44:51 -08:00
bleichen 13af3d7d29 Adding HKDF with SHA-384.
Motivation: tink implements this KDF.

Other libraries that support HKDF with SHA-384 and were tested:
(1) boringssl
(2) hazmat (which apparently uses a boringssl based backend)

References:
RFC 5869 defines HKDF generically, but does not mention SHA-384 as a potential
hash function.
RFC 6234 extends HMAC and KDF to other hash functions, but is unclear what should
be supported.
https://tools.ietf.org/html/draft-housley-hkdf-oids-01
appears to be the first RFC that concretely mentions HKDF with SHA-384
this is still a draft. This document does not mention SHA-224, hence
I'm not adding hkdf with SHA-224.
NOKEYCHECK=True
PiperOrigin-RevId: 278363773
GitOrigin-RevId: 79bd2681f0c3bb12ce5c9c555710fad6b20c6221
2019-11-25 17:44:43 -08:00
bleichen 70e9c3d98f Updating documentation.
NOKEYCHECK=True
PiperOrigin-RevId: 278352044
GitOrigin-RevId: 941c9bc63eac1ada29f92e035f69e1b36007eb48
2019-11-25 17:44:36 -08:00
bleichen 68482d5d8d Moving test vectors for primality test into a JSON file.
Adding more tests:
- the previous test did not include any primes. Hence arithmetic
  errors in a primality test would likely remain undetected.
- some primes have been generated so that the multiplier for a
  Montgomery reduction is an edge case (e.g. high or low Hamming weight).
- adding negatives of primes. Different libraries disagree, whether such
  integers are prime or not. The corresponding test vectors have a flag
  and result "acceptable".

The following libraries have been tested:

java.math.BigInteger: primality testing is not part of JCA and hence is
    provider independent.
sympy: Old versions of sympy used a weak set of bases and was deterministic.
    This is no longer the case.
NOKEYCHECK=True
PiperOrigin-RevId: 278337837
GitOrigin-RevId: 02debe45343e8da38b21a6e7a56a4a2b1c050bd8
2019-11-25 17:44:27 -08:00
bleichen f63678bb71 Including some of the tink failures for EDDSA.
The full list of failures is longer (~2800 cases).
They should be tested separately.

NOKEYCHECK=True
PiperOrigin-RevId: 276078119
GitOrigin-RevId: 06cbec6bed9413992b14a766134cbfc9bd826259
2019-11-25 17:44:19 -08:00
bleichen a5b8266776 New versions for HKDF.
E.g., since HMAC simply pads the key with 0s, it does not matter
whether the salt is a empty byte array or any other array of size <= 64.

NOKEYCHECK=True
PiperOrigin-RevId: 275468663
GitOrigin-RevId: 9982a2f0675aee0035a78ea1889d2b23b9ede597
2019-11-25 17:44:11 -08:00
bleichen 04b8adc7ba Adding test vectors RSA primitives with truncated hashes:
SHA-512/224 and SHA-512/256.

I don't expect these hashes to be heavily used. But there is
some potential for incompatibilities. E.g. BouncyCastle
previously used algorithm names such as "SHA512(224)WITHRSA"
while jdk uses "SHA512/224WithRSA".

RSA-OAEP would in principle allow the same hashes as RSA-PSS,
but the algorithm name in JCA is not well-defined,
using truncated hashes with OAEP doesn't make much sense,
and providers don't seem to implement it.

Test results:
jdk11 supports the truncated signatures.
BouncyCastle does not support the algorithm names
ConsCrypt does not support the algorithms.

Tested in a different CL:
boringSSL does not implement the algorithms.

Bugs: b/120406853 is about an alternative ASN encoding
of PSS-keys. This is an encoding that contains all the
parameters of signature scheme. This will be added by
jdk11. But so far, jdk11 fails to read its own key encodings.
I have test vectors for this encoding, but can't add them
without having at least one library accepting them.
NOKEYCHECK=True
PiperOrigin-RevId: 275018282
GitOrigin-RevId: 42c8b6d8e768858b6ec5a273d53f1e111268ecd7
2019-11-25 17:44:03 -08:00
bleichen e50b5bf1dd Adding truncated hashes.
NOKEYCHECK=True
PiperOrigin-RevId: 274586173
GitOrigin-RevId: 8fe2fc1e432ee4c5b6835335c25d421acaa9ff67
2019-11-25 17:43:55 -08:00
bleichen 65e05340c6 Adding tests for ECDSA with SHA-3.
BouncyCastle: supports SHA-3 an passes the tests.
jdk8: does not support SHA-3 (and hence also not ECDSA signatures with SHA-3)
jdk11: supports SHA-3, but currently does not support ECDSA with SHA-3.
ConsCrypt: does not support ECDSA with SHA-3 at this time.

Tested elsewhere:
hazmat: does not support SHA-3 (since it is using boringssl)
NOKEYCHECK=True
PiperOrigin-RevId: 273530767
GitOrigin-RevId: 0f6daacc167dd8944e9f4ce549899d9b08b3ce00
2019-11-25 17:43:47 -08:00
bleichen 3373b63f27 Updating documentation.
NOKEYCHECK=True
PiperOrigin-RevId: 271746606
GitOrigin-RevId: b87303d019b6453402a8a1babf99539bb867d6ad
2019-11-25 17:43:40 -08:00
bleichen 7172b0fce8 Adding RSA signatures with SHA-3.
Test results:
BouncyCastle: the tests pass
jdk8: fails since the algorithms are not supported
jdk11: Supports SHA3, but does not support SHA3-xxxWithRSA.
ConsCrypt: does not support SHA3.

In a different CL, I also tried the following:
OpenSSL/BoringSSL can't verify the signatures, since functions such as EVP_sha3_256()
are not supported.
hazmat: can't verify the signatures since the backend does not support SHA3.

References used:

https://docs.oracle.com/en/java/javase/11/docs/specs/security/standard-names.html
Defines the algorithm names in jdk for RSA PKCS #1 signatures.

https://csrc.nist.gov/projects/computer-security-objects-register/algorithm-registration#Hash
Defines the OIDs for the hash functions.

https://csrc.nist.rip/groups/ST/crypto_apps_infra/csor/algorithms.html
Defines the OIDs for the Signature algorithms.

NOKEYCHECK=True
PiperOrigin-RevId: 271367540
GitOrigin-RevId: fde524837d16b118a8e18fd15e39dd7ed26e7b46
2019-11-25 17:43:32 -08:00
bleichen 0d659a5d4f Adding PEM encoded test vectors for XDH.
The test vectors allow to check libraries that read PEM
files against bugs similar to:
https://bugs.openjdk.java.net/browse/JDK-8213363

Testing:
So far I'm testing against hazmat (i.e. a python wrapper
around openssl).
The version in google3
google3/third_party/py/cryptography/hazmat/
only supports x25519, hence the x448 test vectors are not tested.
The test vectors are essentially the same as in x448_asn_test.json,
which pass BouncyCastle (with some fixes for overflow).
NOKEYCHECK=True
PiperOrigin-RevId: 269317802
GitOrigin-RevId: f29c60bccd75d3a9a16f833e108bdf83e385fc87
2019-11-25 17:43:24 -08:00
bleichen e4219aa4c8 Updating documentation.
NOKEYCHECK=True
PiperOrigin-RevId: 267625688
GitOrigin-RevId: 4df73e541c5ef5164fe76a6aa985c095c5ff88fb
2019-11-25 17:43:16 -08:00
bleichen c2f1a59591 Adding difference between NIST standard and RFC for KeyWrap.
NOKEYCHECK=True
PiperOrigin-RevId: 265045010
GitOrigin-RevId: e6a7420bac93cc3e0e610f8f511a3c5f36309f7f
2019-11-25 17:43:09 -08:00
bleichen 4672ff74d6 New version of the test vectors.
Main changes:
BigInteger encoding is now always a multiple of 2.
Comments try to be a bit more precise. This leads to a different
grouping of the test vectors.
All test vectors with result="acceptable" have at least one
flag.

New vectors:
AEGIS: adding test vectors with the same tag (basically just
answers the question: is AEGIS a hash?)
Test vectors from old versions of the cipher now have ciphertext.
I.e. both encrypting or decrypting should tell testers that they
are using old versions.
AES-CMAC: more test vectors with 128-bit tag.
DSA, ECDSA: better description of the ASN modifications (this reorders
  the test vectors) and a few more ASN modifications
KWP: adding modified paddings
XDH: adding more edge cases, no longer using the same private key for multiple
  test vectors.
RSA-PSS: adding more valid test vectors. The new test vectors have an edge case
  message digest.
NOKEYCHECK=True
PiperOrigin-RevId: 264817632
GitOrigin-RevId: 0c8e6eec11db1ca7088f89d0c1de48c5af892e47
2019-11-25 17:42:59 -08:00
bleichen 06b80c9dcd Adding test vectors and tests for the bug fix in CL 264115794.
BouncyCastle had an implementation for X25519 and X448 for some time.
But the JCA interface has been added only recently in version 1.61.
There is an overflow bug in this version that will be fixed
upstream in verion 1.63.
The tests ignore some minor bugs (Runtime exceptions instead of
checked exceptions) so that the test against BouncyCastle can be
added as a presubmit test.

Changing the ASN encoding of XDH keys.
Previously they used the jdk encoding.
This encoding was wrong.

NOKEYCHECK=True
PiperOrigin-RevId: 264348566
GitOrigin-RevId: 6564f188a3ed50f73c48cb8c41833d8c3798ab78
2019-11-25 17:42:50 -08:00
Wycheproof Team 2f40e86f93 LSC: Delete uses of goog.isDefAndNotNull, goog.isDef, goog.isNull, goog.isString, goog.isBoolean, and goog.isNumber.
These functions are all trivial one-liners that inline to clearer code that is nearly as small (and in some cases even smaller) than the function call.

See go/lsc-goog-isdef

Tested:
    TAP --sample ran all affected tests and none failed
    http://test/OCL:263067138:BASE:263057012:1565671265213:a988ea45
NOKEYCHECK=True
PiperOrigin-RevId: 263257614
GitOrigin-RevId: b9879442a887349646d064825c5c86ce904ab6f9
2019-11-25 17:42:42 -08:00
bleichen 3bab7ff533 Adding tests for EDDSA to Wycheproof.
jdk11 did add ED25519 and ED448.
BC supports ED25519, but is slightly malleable.
Conscrypt supports none (rsp. uses different algorithm names).

This is related to
https://github.com/google/tink/issues/224

However, tests for signatures are still missing.

NOKEYCHECK=True
PiperOrigin-RevId: 260726100
GitOrigin-RevId: c4c5855aa3e86c0e47ad88f16e6496b98149364f
2019-11-25 17:42:34 -08:00
bleichen 2927eee6ed Adding a new test vector.
https://github.com/google/tink/issues/224
So far I haven't been able to reproduce the bug.
However, a lot of tests just check the signature verification.

NOKEYCHECK=True
PiperOrigin-RevId: 260466789
GitOrigin-RevId: bc252d53eaede4ec4eb89fef072dc5d19d17dbf5
2019-11-25 17:42:27 -08:00
bleichen 90b33e27b2 Updating documentation:
New algorithms are GMAC and VMAC.

NOKEYCHECK=True
PiperOrigin-RevId: 257602522
GitOrigin-RevId: d5c7564b2fc364a38f05fef328308f21af7334f7
2019-11-25 17:42:19 -08:00
bleichen 0941e7b012 Adding test vectors for AES-GMAC to Wycheproof.
AES-GMAC is equivalent to encrypting with AES-GCM an empty plaintext, using passing the
data to authenticate as additional data.

AES-GMAC is supported by keymaster and BouncyCastle.
keymaster has fixed nonce sizes and tag sizes (128-bits).
BouncyCastle has a fixed tag size (128-bit) when used through the JCE
interface.

NOKEYCHECK=True
PiperOrigin-RevId: 257385648
GitOrigin-RevId: d6947fd3604ca782078b7a02bab2a95160df2501
2019-11-25 17:42:11 -08:00
bleichen e9f9b7b234 Adding test vectors for VMAC.
The main purpose is to test / explore the robustness of the VMAC implementation
such as the one in security/util (e.g. CL 254384251) as well as finding potential weaknesses if VMAC is used in an unconventional way. VMAC is widely used in
Google, but so far there is no list of test vector that check corner cases,
such as carry propagation.

VMAC has a number of odd features, which are tested with these vectors:
- The nonce is at most 127-bit long. This is necessary, because VMAC uses
  an AES-block cipher. Inputs with the most significant bit set are used
  for the key derivation. The same inputs must not be used for encrypting
  the nonce.
- VMAC requires 128-bit integer arithmetic for some of its temporary results.
  This leaves a lot of opportunities for overflow and carry errors.
  The test vectors contain a fairly large number of edge cases to check
  for such problems.
- VMAC lacks "plaintext awareness". A valid VMAC does not prove that the
  sender knows the plaintext. An example is this: if the VMAC is computed
  over eg.  tag = VMAC(msg || password) then it would be possible for the
  sender to choose msg, such that is valid for any password.

NOKEYCHECK=True
PiperOrigin-RevId: 255599337
GitOrigin-RevId: 22d336b66c370dae251f1fa119cf952035f9c8d5
2019-11-25 17:42:03 -08:00
Wycheproof Team 098eeb5616 Wycheproof g3doc: Fix typo and add link to GitHub source-code
NOKEYCHECK=True
PiperOrigin-RevId: 253518500
GitOrigin-RevId: 4b56508500c5d535c5a033b3d40ef3098cb61b79
2019-11-25 17:41:55 -08:00
bleichen df9b1f3811 Adding test vectors for AEGIS256 to wycheproof.
AEGIS256 is described here:
https://eprint.iacr.org/2013/695.pdf
https://competitions.cr.yp.to/round3/aegisv11.pdf

Test vector generation:
I'm using a python version for the generation of the test vectors:
CL 252436459
The test vectors are then compared against a second implementation:
CL 252613429

Third party test vectors:
I don't have any third party test vectors.
https://eprint.iacr.org/2013/695.pdf contains some test vectors.
But, these test vectors can only be reproduced if the number of rounds
in finalize is reduced from 7 to 6.
Both papers describe AEGIS256 with 7 rounds in finalize.
All third party implementations I've found use 7 rounds, such as
this one:

https://github.com/torvalds/linux/blob/master/crypto/aegis256.c

NOKEYCHECK=True
PiperOrigin-RevId: 252811267
GitOrigin-RevId: 1de1fb2cb2c4e7d33a1ab8a23ddd63c79b143d3a
2019-11-25 17:41:47 -08:00