Implement support for draft-ietf-webpush-encryption-08

components/gcm_driver/crypto/gcm_message_cryptographer_unittest.cc

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "components/gcm_driver/crypto/gcm_message_cryptographer.h"
 
 #include <memory>
 
 #include "base/base64url.h"
+#include "base/big_endian.h"
 #include "base/memory/ptr_util.h"
+#include "base/strings/string_piece.h"
 #include "base/strings/string_util.h"
 #include "components/gcm_driver/crypto/p256_key_util.h"
 #include "crypto/random.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 namespace gcm {
 
 namespace {
 
 // Example plaintext data to use in the tests.
 const char kExamplePlaintext[] = "Example plaintext";
 
 // Expected sizes of the different input given to the cryptographer.
+constexpr size_t kUncompressedPointSize = 65;
 constexpr size_t kEcdhSharedSecretSize = 32;
 constexpr size_t kAuthSecretSize = 16;
 constexpr size_t kSaltSize = 16;
 
 // Keying material for both parties as P-256 EC points. Used to make sure that
 // the test vectors are reproducible.
 const unsigned char kCommonSenderPublicKey[] = {
     0x04, 0x05, 0x3C, 0xA1, 0xB9, 0xA5, 0xAB, 0xB8, 0x2D, 0x88, 0x48,
     0x82, 0xC9, 0x49, 0x19, 0x91, 0xD5, 0xFD, 0xD1, 0x92, 0xDB, 0xA7,
     0x7E, 0x70, 0x48, 0x37, 0x41, 0xCD, 0x90, 0x05, 0x80, 0xDF, 0x65,
@@ skipping 144 matching lines @@
       0xAB, 0xAC, 0x37, 0x61, 0xF4, 0xCB, 0x98, 0xFF, 0x00, 0x51},
      {0xAE, 0xDA, 0x86, 0xDF, 0x6B, 0x03, 0x88, 0xDE, 0x90, 0xBB, 0xB7, 0xA0,
       0x78, 0x91, 0x3A, 0x36},
      {0x4C, 0x4E, 0x2A, 0x8D, 0x88, 0x82, 0xCF, 0xC2, 0xF9, 0x8A, 0xFD, 0x31,
       0xF8, 0xD1, 0xF6, 0xB5},
      8,
      nullptr}};
 
 }  // namespace
 
-class GCMMessageCryptographerTest : public ::testing::Test {
+class GCMMessageCryptographerTestBase : public ::testing::Test {
  public:
   void SetUp() override {
-    cryptographer_ = base::MakeUnique<GCMMessageCryptographer>(
-        GCMMessageCryptographer::Version::DRAFT_03);
-
     recipient_public_key_.assign(
         kCommonRecipientPublicKey,
         kCommonRecipientPublicKey + arraysize(kCommonRecipientPublicKey));
     sender_public_key_.assign(
         kCommonSenderPublicKey,
         kCommonSenderPublicKey + arraysize(kCommonSenderPublicKey));
 
     std::string recipient_private_key(
         kCommonRecipientPrivateKey,
         kCommonRecipientPrivateKey + arraysize(kCommonRecipientPrivateKey));
 
     // TODO(peter): Remove the dependency on the x509 keying material when
     // crbug.com/618025 has been resolved.
     std::string recipient_public_key_x509(
         kCommonRecipientPublicKeyX509,
         kCommonRecipientPublicKeyX509 +
             arraysize(kCommonRecipientPublicKeyX509));
 
     ASSERT_TRUE(ComputeSharedP256Secret(
         recipient_private_key, recipient_public_key_x509, sender_public_key_,
         &ecdh_shared_secret_));
 
     auth_secret_.assign(kCommonAuthSecret,
                         kCommonAuthSecret + arraysize(kCommonAuthSecret));
   }
 
  protected:
-  // Generates a cryptographically secure random salt of 16-octets in size, the
-  // required length as expected by the HKDF.
-  std::string GenerateRandomSalt() {
-    std::string salt;
-
-    crypto::RandBytes(base::WriteInto(&salt, kSaltSize + 1), kSaltSize);
-    return salt;
-  }
-
   // Public keys of the recipient and sender as uncompressed P-256 EC points.
   std::string recipient_public_key_;
   std::string sender_public_key_;
 
   // Shared secret to use in transformations. Associated with the keys above.
   std::string ecdh_shared_secret_;
 
   // Authentication secret to use in tests where no specific value is expected.
   std::string auth_secret_;
+};
+
+class GCMMessageCryptographerTest
+    : public GCMMessageCryptographerTestBase,
+      public testing::WithParamInterface<GCMMessageCryptographer::Version> {
+ public:
+  void SetUp() override {
+    GCMMessageCryptographerTestBase::SetUp();
+
+    cryptographer_ = base::MakeUnique<GCMMessageCryptographer>(GetParam());
+  }
+
+ protected:
+  // Generates a cryptographically secure random salt of 16-octets in size, the
+  // required length as expected by the HKDF.
+  std::string GenerateRandomSalt() {
+    std::string salt;
+
+    crypto::RandBytes(base::WriteInto(&salt, kSaltSize + 1), kSaltSize);
+    return salt;
+  }
 
   // The GCMMessageCryptographer instance to use for the tests.
   std::unique_ptr<GCMMessageCryptographer> cryptographer_;
 };
 
-TEST_F(GCMMessageCryptographerTest, RoundTrip) {
+TEST_P(GCMMessageCryptographerTest, RoundTrip) {
   const std::string salt = GenerateRandomSalt();
 
   size_t record_size = 0;
 
   std::string ciphertext, plaintext;
   ASSERT_TRUE(cryptographer_->Encrypt(
       recipient_public_key_, sender_public_key_, ecdh_shared_secret_,
       auth_secret_, salt, kExamplePlaintext, &record_size, &ciphertext));
 
   EXPECT_GT(record_size, ciphertext.size() - 16);
   EXPECT_GT(ciphertext.size(), 0u);
 
   ASSERT_TRUE(cryptographer_->Decrypt(recipient_public_key_, sender_public_key_,
                                       ecdh_shared_secret_, auth_secret_, salt,
                                       ciphertext, record_size, &plaintext));
 
   EXPECT_EQ(kExamplePlaintext, plaintext);
 }
 
-TEST_F(GCMMessageCryptographerTest, RoundTripEmptyMessage) {
+TEST_P(GCMMessageCryptographerTest, RoundTripEmptyMessage) {
   const std::string salt = GenerateRandomSalt();
   const std::string message = "";
 
   size_t record_size = 0;
 
   std::string ciphertext, plaintext;
   ASSERT_TRUE(cryptographer_->Encrypt(recipient_public_key_, sender_public_key_,
                                       ecdh_shared_secret_, auth_secret_, salt,
                                       message, &record_size, &ciphertext));
 
   EXPECT_GT(record_size, ciphertext.size() - 16);
   EXPECT_GT(ciphertext.size(), 0u);
 
   ASSERT_TRUE(cryptographer_->Decrypt(recipient_public_key_, sender_public_key_,
                                       ecdh_shared_secret_, auth_secret_, salt,
                                       ciphertext, record_size, &plaintext));
 
   EXPECT_EQ(message, plaintext);
 }
 
-TEST_F(GCMMessageCryptographerTest, InvalidRecordSize) {
+TEST_P(GCMMessageCryptographerTest, InvalidRecordSize) {
   const std::string salt = GenerateRandomSalt();
 
   size_t record_size = 0;
 
   std::string ciphertext, plaintext;
   ASSERT_TRUE(cryptographer_->Encrypt(
       recipient_public_key_, sender_public_key_, ecdh_shared_secret_,
       auth_secret_, salt, kExamplePlaintext, &record_size, &ciphertext));
 
   EXPECT_GT(record_size, ciphertext.size() - 16);
 
   EXPECT_FALSE(cryptographer_->Decrypt(
       recipient_public_key_, sender_public_key_, ecdh_shared_secret_,
       auth_secret_, salt, ciphertext, 0 /* record_size */, &plaintext));
 
   EXPECT_FALSE(cryptographer_->Decrypt(
       recipient_public_key_, sender_public_key_, ecdh_shared_secret_,
       auth_secret_, salt, ciphertext, ciphertext.size() - 17, &plaintext));
 
   EXPECT_TRUE(cryptographer_->Decrypt(
       recipient_public_key_, sender_public_key_, ecdh_shared_secret_,
       auth_secret_, salt, ciphertext, ciphertext.size() - 16, &plaintext));
 }
 
-TEST_F(GCMMessageCryptographerTest, InvalidRecordPadding) {
-  std::string message = std::string(sizeof(uint16_t), '\0') + kExamplePlaintext;
+TEST_P(GCMMessageCryptographerTest, InvalidRecordPadding) {
+  std::string message;
+  switch (GetParam()) {
+    case GCMMessageCryptographer::Version::DRAFT_03:
+      message.append(sizeof(uint8_t), '\00');  // padding length octets
+      message.append(sizeof(uint8_t), '\01');
+
+      message.append(sizeof(uint8_t), '\00');  // padding octet
+      message.append(kExamplePlaintext);
+      break;
+    case GCMMessageCryptographer::Version::DRAFT_08:
+      message.append(kExamplePlaintext);
+      message.append(sizeof(uint8_t), '\x02');  // padding delimiter octet
+      message.append(sizeof(uint8_t), '\x00');  // padding octet
+      break;
+  }
 
   const std::string salt = GenerateRandomSalt();
 
   const std::string prk =
       cryptographer_->encryption_scheme_->DerivePseudoRandomKey(
-          ecdh_shared_secret_, auth_secret_);
+          recipient_public_key_, sender_public_key_, ecdh_shared_secret_,
+          auth_secret_);
   const std::string content_encryption_key =
       cryptographer_->DeriveContentEncryptionKey(recipient_public_key_,
                                                  sender_public_key_, prk, salt);
   const std::string nonce = cryptographer_->DeriveNonce(
       recipient_public_key_, sender_public_key_, prk, salt);
 
-  ASSERT_GT(message.size(), 1u);
+  ASSERT_GT(message.size(), 2u);
   const size_t record_size = message.size() + 1;
 
   std::string ciphertext, plaintext;
   ASSERT_TRUE(cryptographer_->TransformRecord(
       GCMMessageCryptographer::Direction::ENCRYPT, message,
       content_encryption_key, nonce, &ciphertext));
 
   ASSERT_TRUE(cryptographer_->Decrypt(recipient_public_key_, sender_public_key_,
                                       ecdh_shared_secret_, auth_secret_, salt,
                                       ciphertext, record_size, &plaintext));
 
   // Note that GCMMessageCryptographer::Decrypt removes the padding.
   EXPECT_EQ(kExamplePlaintext, plaintext);
 
-  // Now run the same steps again, but say that there are four padding octets.
-  // This should be rejected because the padding will not be all zeros.
-  message[0] = 4;
+  // Now run the same steps again, but have invalid padding length indicators.
+  // (Only applicable to draft-ietf-webpush-encryption-03.)
+  if (GetParam() == GCMMessageCryptographer::Version::DRAFT_03) {
+    // Padding that will spill over in the payload.
+    {
+      message[1] = 4;
+
+      ASSERT_TRUE(cryptographer_->TransformRecord(
+          GCMMessageCryptographer::Direction::ENCRYPT, message,
+          content_encryption_key, nonce, &ciphertext));
+
+      ASSERT_FALSE(cryptographer_->Decrypt(
+          recipient_public_key_, sender_public_key_, ecdh_shared_secret_,
+          auth_secret_, salt, ciphertext, record_size, &plaintext));
+    }
+
+    // More padding octets than the length of the message.
+    {
+      message[1] = 64;
+
+      ASSERT_TRUE(cryptographer_->TransformRecord(
+          GCMMessageCryptographer::Direction::ENCRYPT, message,
+          content_encryption_key, nonce, &ciphertext));
+
+      ASSERT_FALSE(cryptographer_->Decrypt(
+          recipient_public_key_, sender_public_key_, ecdh_shared_secret_,
+          auth_secret_, salt, ciphertext, record_size, &plaintext));
+    }
+
+    // Correct the |message| to be valid again. (A single byte of padding.)
+    message[1] = 1;
+  }
+
+  // Run tests for a missing delimiter in the record.
+  // (Only applicable to draft-ietf-webpush-encryption-03.)
+  if (GetParam() == GCMMessageCryptographer::Version::DRAFT_08) {
+    message[message.size() - 2] = 0x00;
+
+    ASSERT_TRUE(cryptographer_->TransformRecord(
+        GCMMessageCryptographer::Direction::ENCRYPT, message,
+        content_encryption_key, nonce, &ciphertext));
+
+    ASSERT_FALSE(cryptographer_->Decrypt(
+        recipient_public_key_, sender_public_key_, ecdh_shared_secret_,
+        auth_secret_, salt, ciphertext, record_size, &plaintext));
+
+    // Correct the |message| to be valid again. (Proper padding delimiter.)
+    message[message.size() - 2] = 0x02;
+  }
+
+  // Finally run a test to make sure that we validate that all padding bytes are
+  // set to zeros. The position of the padding byte depends on the version.
+  switch (GetParam()) {
+    case GCMMessageCryptographer::Version::DRAFT_03:
+      message[2] = 0x80;
+      break;
+    case GCMMessageCryptographer::Version::DRAFT_08:
+      message[message.size() - 1] = 0x80;
+      break;
+  }
 
   ASSERT_TRUE(cryptographer_->TransformRecord(
       GCMMessageCryptographer::Direction::ENCRYPT, message,
       content_encryption_key, nonce, &ciphertext));
-
-  ASSERT_FALSE(cryptographer_->Decrypt(
-      recipient_public_key_, sender_public_key_, ecdh_shared_secret_,
-      auth_secret_, salt, ciphertext, record_size, &plaintext));
-
-  // Do the same but changing the second octet indicating padding size, leaving
-  // the first octet at zero.
-  message[0] = 0;
-  message[1] = 4;
-
-  ASSERT_TRUE(cryptographer_->TransformRecord(
-      GCMMessageCryptographer::Direction::ENCRYPT, message,
-      content_encryption_key, nonce, &ciphertext));
-
-  ASSERT_FALSE(cryptographer_->Decrypt(
-      recipient_public_key_, sender_public_key_, ecdh_shared_secret_,
-      auth_secret_, salt, ciphertext, record_size, &plaintext));
-
-  // Run the same steps again, but say that there are more padding octets than
-  // the length of the message.
-  message[0] = 64;
-
-  EXPECT_GT(static_cast<size_t>(message[0]), message.size());
-  ASSERT_TRUE(cryptographer_->TransformRecord(
-      GCMMessageCryptographer::Direction::ENCRYPT, message,
-      content_encryption_key, nonce, &ciphertext));
 
   ASSERT_FALSE(cryptographer_->Decrypt(
       recipient_public_key_, sender_public_key_, ecdh_shared_secret_,
       auth_secret_, salt, ciphertext, record_size, &plaintext));
 }
 
-TEST_F(GCMMessageCryptographerTest, AuthSecretAffectsPRK) {
+TEST_P(GCMMessageCryptographerTest, AuthSecretAffectsPRK) {
   std::string first_auth_secret, second_auth_secret;
 
   crypto::RandBytes(base::WriteInto(&first_auth_secret, kAuthSecretSize + 1),
                     kAuthSecretSize);
   crypto::RandBytes(base::WriteInto(&second_auth_secret, kAuthSecretSize + 1),
                     kAuthSecretSize);
 
   ASSERT_NE(cryptographer_->encryption_scheme_->DerivePseudoRandomKey(
-                ecdh_shared_secret_, first_auth_secret),
+                recipient_public_key_, sender_public_key_, ecdh_shared_secret_,
+                first_auth_secret),
             cryptographer_->encryption_scheme_->DerivePseudoRandomKey(
-                ecdh_shared_secret_, second_auth_secret));
+                recipient_public_key_, sender_public_key_, ecdh_shared_secret_,
+                second_auth_secret));
 
   std::string salt = GenerateRandomSalt();
 
   // Verify that the IKM actually gets used by the transformations.
   size_t first_record_size, second_record_size;
   std::string first_ciphertext, second_ciphertext;
 
   ASSERT_TRUE(cryptographer_->Encrypt(recipient_public_key_, sender_public_key_,
                                       ecdh_shared_secret_, first_auth_secret,
                                       salt, kExamplePlaintext,
@@ skipping 19 matching lines @@
 
   ASSERT_TRUE(cryptographer_->Decrypt(recipient_public_key_, sender_public_key_,
                                       ecdh_shared_secret_, second_auth_secret,
                                       salt, second_ciphertext,
                                       second_record_size, &second_plaintext));
 
   EXPECT_EQ(kExamplePlaintext, first_plaintext);
   EXPECT_EQ(kExamplePlaintext, second_plaintext);
 }
 
+INSTANTIATE_TEST_CASE_P(
+    GCMMessageCryptographerTestBase,
+    GCMMessageCryptographerTest,
+    ::testing::Values(GCMMessageCryptographer::Version::DRAFT_03,
+                      GCMMessageCryptographer::Version::DRAFT_08));
+
 class GCMMessageCryptographerTestVectorTest
-    : public GCMMessageCryptographerTest {};
+    : public GCMMessageCryptographerTestBase {};
 
 TEST_F(GCMMessageCryptographerTestVectorTest, EncryptionVectorsDraft03) {
+  GCMMessageCryptographer cryptographer(
+      GCMMessageCryptographer::Version::DRAFT_03);
+
   std::string ecdh_shared_secret, auth_secret, salt, ciphertext, output;
   size_t record_size = 0;
 
   for (size_t i = 0; i < arraysize(kEncryptionTestVectorsDraft03); ++i) {
     SCOPED_TRACE(i);
 
     ecdh_shared_secret.assign(
         kEncryptionTestVectorsDraft03[i].ecdh_shared_secret,
         kEncryptionTestVectorsDraft03[i].ecdh_shared_secret +
             kEcdhSharedSecretSize);
 
     auth_secret.assign(
         kEncryptionTestVectorsDraft03[i].auth_secret,
         kEncryptionTestVectorsDraft03[i].auth_secret + kAuthSecretSize);
 
     salt.assign(kEncryptionTestVectorsDraft03[i].salt,
                 kEncryptionTestVectorsDraft03[i].salt + kSaltSize);
 
-    ASSERT_TRUE(cryptographer_->Encrypt(
-        recipient_public_key_, sender_public_key_, ecdh_shared_secret,
-        auth_secret, salt, kEncryptionTestVectorsDraft03[i].input, &record_size,
-        &ciphertext));
+    ASSERT_TRUE(cryptographer.Encrypt(recipient_public_key_, sender_public_key_,
+                                      ecdh_shared_secret, auth_secret, salt,
+                                      kEncryptionTestVectorsDraft03[i].input,
+                                      &record_size, &ciphertext));
 
     base::Base64UrlEncode(ciphertext, base::Base64UrlEncodePolicy::OMIT_PADDING,
                           &output);
 
     EXPECT_EQ(kEncryptionTestVectorsDraft03[i].record_size, record_size);
     EXPECT_EQ(kEncryptionTestVectorsDraft03[i].output, output);
   }
 }
 
 TEST_F(GCMMessageCryptographerTestVectorTest, DecryptionVectorsDraft03) {
+  GCMMessageCryptographer cryptographer(
+      GCMMessageCryptographer::Version::DRAFT_03);
+
   std::string input, ecdh_shared_secret, auth_secret, salt, plaintext;
   for (size_t i = 0; i < arraysize(kDecryptionTestVectorsDraft03); ++i) {
     SCOPED_TRACE(i);
 
     ASSERT_TRUE(base::Base64UrlDecode(
         kDecryptionTestVectorsDraft03[i].input,
         base::Base64UrlDecodePolicy::IGNORE_PADDING, &input));
 
     ecdh_shared_secret.assign(
         kDecryptionTestVectorsDraft03[i].ecdh_shared_secret,
         kDecryptionTestVectorsDraft03[i].ecdh_shared_secret +
             kEcdhSharedSecretSize);
 
     auth_secret.assign(
         kDecryptionTestVectorsDraft03[i].auth_secret,
         kDecryptionTestVectorsDraft03[i].auth_secret + kAuthSecretSize);
 
     salt.assign(kDecryptionTestVectorsDraft03[i].salt,
                 kDecryptionTestVectorsDraft03[i].salt + kSaltSize);
 
     const bool has_output = kDecryptionTestVectorsDraft03[i].output;
-    const bool result = cryptographer_->Decrypt(
+    const bool result = cryptographer.Decrypt(
         recipient_public_key_, sender_public_key_, ecdh_shared_secret,
         auth_secret, salt, input, kDecryptionTestVectorsDraft03[i].record_size,
         &plaintext);
 
     if (!has_output) {
       EXPECT_FALSE(result);
       continue;
     }
 
     EXPECT_TRUE(result);
     EXPECT_EQ(kDecryptionTestVectorsDraft03[i].output, plaintext);
   }
 }
 
 class GCMMessageCryptographerReferenceTest : public ::testing::Test {
  protected:
   // Computes the shared secret between the sender and the receiver. The sender
   // must have a key-pair containing a X.509 SubjectPublicKeyInfo block and a
   // ASN.1-encoded PKCS #8 EncryptedPrivateKeyInfo block, whereas the receiver
   // must have a public key in uncompressed EC point format.
-  void ComputeSharedSecret(const char* encoded_sender_private_key,
-                           const char* encoded_sender_public_key_x509,
-                           const char* encoded_receiver_public_key,
-                           std::string* shared_secret) const {
+  void ComputeSharedSecret(
+      const base::StringPiece& encoded_sender_private_key,
+      const base::StringPiece& encoded_sender_public_key_x509,
+      const base::StringPiece& encoded_receiver_public_key,
+      std::string* shared_secret) const {
     std::string sender_private_key, sender_public_key_x509, receiver_public_key;
     ASSERT_TRUE(base::Base64UrlDecode(
         encoded_sender_private_key,
         base::Base64UrlDecodePolicy::IGNORE_PADDING, &sender_private_key));
     ASSERT_TRUE(base::Base64UrlDecode(
         encoded_sender_public_key_x509,
         base::Base64UrlDecodePolicy::IGNORE_PADDING, &sender_public_key_x509));
     ASSERT_TRUE(base::Base64UrlDecode(
         encoded_receiver_public_key,
         base::Base64UrlDecodePolicy::IGNORE_PADDING, &receiver_public_key));
@@ skipping 87 matching lines @@
   ASSERT_EQ(kCiphertext, encoded_ciphertext);
 
   // And verify that decrypting themessageyields the plaintext again.
   ASSERT_TRUE(cryptographer.Decrypt(recipient_public_key, sender_public_key,
                                     sender_shared_secret, auth_secret, salt,
                                     ciphertext, record_size, &plaintext));
 
   ASSERT_EQ(kPlaintext, plaintext);
 }
 
+// Reference test included for the Version::DRAFT_08 implementation.
+// https://tools.ietf.org/html/draft-ietf-webpush-encryption-08
+// https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-07
+TEST_F(GCMMessageCryptographerReferenceTest, ReferenceDraft08) {
+  // The 16-byte prearranged secret between the sender and receiver.
+  const char kAuthSecret[] = "BTBZMqHH6r4Tts7J_aSIgg";
+
+  // The keying material used by the sender to encrypt the |kCiphertext|.
+  const char kSenderPrivate[] =
+      "MIGxMBwGCiqGSIb3DQEMAQMwDgQIScUGT5GSrLoCAggABIGQMr4LCZNVg8uqAo5MSUrI5cCV"
+      "AyQzjG7jdSXooDx_yPXgwMskoNzKhBXIG0AZF7MBimdXFTg_wlv38empWRr_-x4fnQiIBKya"
+      "pt6uBOfYVuE_nnhqudqvSxiiv6hikBvxS2zabgph8-vFPQG10uUv8xkAO6vPdtTABCUzCXQU"
+      "p1QmuP471ZdaNAMuCPmxry-C";
+  const char kSenderPublicX509[] =
+      "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE_jP0qw3qcZFNtVgj9ztUlI9BMG2SBzLbuaWa"
+      "UyhkgiAOWXp7e8JguhwieZhYCZLpOXMALzASooro8Gu7eOXsDw";
+
+  // The keying material used by the recipient to decrypt the |kCiphertext|.
+  const char kRecipientPrivate[] =
+      "MIGxMBwGCiqGSIb3DQEMAQMwDgQIFMj5PQ6zlvwCAggABIGQfr9ZUZd5kr5Wf3AnThoNI8mr"
+      "V3dkpfaKWc725soIIny8V1l_-8AkfbsisM7VpEmZMWKhjSoCKtq970vb-27xUGUCtxy6Mhij"
+      "r4suUqirpM1noA1oKd0O0ap7_zHG4X6j2iA-4UPC0T4lSIscgmRZJWKQeA_7U0pUfryhTolM"
+      "o175tTl399amT66tOGI2wn3O";
+  const char kRecipientPublicKeyUncompressed[] =
+      "BCVxsr7N_eNgVRqvHtD0zTZsEc6-VV-JvLexhqUzORcxaOzi6-AYWXvTBHm4bjyPjs7Vd8pZ"
+      "GH6SRpkNtoIAiw4";
+  const char kRecipientPublicX509[] =
+      "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJXGyvs3942BVGq8e0PTNNmwRzr5VX4m8t7GG"
+      "pTM5FzFo7OLr4BhZe9MEebhuPI-OztV3ylkYfpJGmQ22ggCLDg";
+
+  // The plain text of the message, as well as the encrypted reference message.
+  const char kPlaintext[] = "When I grow up, I want to be a watermelon";
+  const char kReferenceMessage[] =
+      "DGv6ra1nlYgDCS1FRnbzlwAAEABBBP4z9KsN6nGRTbVYI_"
+      "c7VJSPQTBtkgcy27mlmlMoZIIgDll6e3vCYLocInmYWAmS6TlzAC8wEqKK6PBru3jl7A_"
+      "yl95bQpu6cVPTpK4Mqgkf1CXztLVBSt2Ks3oZwbuwXPXLWyouBWLVWGNWQexSgSxsj_"
+      "Qulcy4a-fN";
+
+  std::string message;
+  ASSERT_TRUE(base::Base64UrlDecode(kReferenceMessage,
+                                    base::Base64UrlDecodePolicy::IGNORE_PADDING,
+                                    &message));
+
+  // TODO(peter): Break out the following in a separate message parser class so
+  // that it can be reused by the GCMEncryptionProvider (on the receiving path)
+  // and the gcm_crypto_test_helpers.cc file (on the sending path) too.
+  //
+  // The message contains a binary header in the following format:
+  //     [ salt(16) | record_size(4) | sender_public_key_len(1) |
+  //       sender_public_key(sender_public_key_len) ]
+  //
+  // For Web Push Encryption, which uses a P-256 sender key as uncompressed
+  // P-256 EC points, the length of the sender key is 65 bytes, making the
+  // total, fixed length of the header 86 bytes.
+  //
+  // The regular AEAD_AES_128_GCM ciphertext follows immediately after this. The
+  // minimum overhead for a single record is 18 bytes. This means that an
+  // incoming message must be at least 104 bytes in size.
+  ASSERT_GE(message.size(), 104u);
+
+  const char* current = &message.front();
+
+  uint32_t record_size;
+  uint8_t sender_public_key_length;
+
+  base::StringPiece salt(current, kSaltSize);
+  current += kSaltSize;
+
+  base::ReadBigEndian(current, &record_size);
+  current += sizeof(record_size);
+
+  base::ReadBigEndian(current, &sender_public_key_length);
+  current += sizeof(sender_public_key_length);
+
+  ASSERT_EQ(sender_public_key_length, kUncompressedPointSize);
+
+  base::StringPiece sender_public_key(current, sender_public_key_length);
+  current += sender_public_key_length;
+
+  base::StringPiece ciphertext(
+      current,
+      message.size() - kSaltSize - sizeof(record_size) -
+          sizeof(sender_public_key_length) - sender_public_key_length);
+
+  std::string sender_shared_secret, receiver_shared_secret;
+
+  // Compute the shared secrets between the sender and receiver's keys.
+  ASSERT_NO_FATAL_FAILURE(ComputeSharedSecret(kSenderPrivate, kSenderPublicX509,
+                                              kRecipientPublicKeyUncompressed,
+                                              &sender_shared_secret));
+
+  // Compute the shared secret based on the sender's public key, which isn't a
+  // constant but instead is included in the message's binary header.
+  std::string sender_private_key, sender_public_key_x509;
+  ASSERT_TRUE(base::Base64UrlDecode(kRecipientPrivate,
+                                    base::Base64UrlDecodePolicy::IGNORE_PADDING,
+                                    &sender_private_key));
+  ASSERT_TRUE(base::Base64UrlDecode(kRecipientPublicX509,
+                                    base::Base64UrlDecodePolicy::IGNORE_PADDING,
+                                    &sender_public_key_x509));
+
+  ASSERT_TRUE(ComputeSharedP256Secret(sender_private_key,
+                                      sender_public_key_x509, sender_public_key,
+                                      &receiver_shared_secret));
+
+  ASSERT_GT(sender_shared_secret.size(), 0u);
+  ASSERT_EQ(sender_shared_secret, receiver_shared_secret);
+
+  // Decode the public keys of both parties and the auth secret.
+  std::string recipient_public_key, auth_secret;
+  ASSERT_TRUE(base::Base64UrlDecode(kRecipientPublicKeyUncompressed,
+                                    base::Base64UrlDecodePolicy::IGNORE_PADDING,
+                                    &recipient_public_key));
+  ASSERT_TRUE(base::Base64UrlDecode(
+      kAuthSecret, base::Base64UrlDecodePolicy::IGNORE_PADDING, &auth_secret));
+
+  // Attempt to decrypt the message using a GCMMessageCryptographer for this
+  // version of the draft, and then re-encrypt it agian to make sure it matches.
+  GCMMessageCryptographer cryptographer(
+      GCMMessageCryptographer::Version::DRAFT_08);
+
+  std::string plaintext;
+
+  ASSERT_TRUE(cryptographer.Decrypt(recipient_public_key, sender_public_key,
+                                    sender_shared_secret, auth_secret, salt,
+                                    ciphertext, record_size, &plaintext));
+  ASSERT_EQ(kPlaintext, plaintext);
+
+  size_t record_size2;
+  std::string ciphertext2;
+
+  ASSERT_TRUE(cryptographer.Encrypt(recipient_public_key, sender_public_key,
+                                    sender_shared_secret, auth_secret, salt,
+                                    kPlaintext, &record_size2, &ciphertext2));
+
+  EXPECT_GE(record_size2, record_size);
+  EXPECT_EQ(ciphertext2, ciphertext);
+}
+
 }  // namespace gcm