| Index: components/gcm_driver/crypto/gcm_message_cryptographer_unittest.cc
|
| diff --git a/components/gcm_driver/crypto/gcm_message_cryptographer_unittest.cc b/components/gcm_driver/crypto/gcm_message_cryptographer_unittest.cc
|
| index d445cbd6839e682e7a5ab0b13cc3164e8e49a9fc..ea1c95f52f29107a12dbf0dc75f709c5d0dd9cd0 100644
|
| --- a/components/gcm_driver/crypto/gcm_message_cryptographer_unittest.cc
|
| +++ b/components/gcm_driver/crypto/gcm_message_cryptographer_unittest.cc
|
| @@ -7,7 +7,9 @@
|
| #include <memory>
|
|
|
| #include "base/base64url.h"
|
| +#include "base/big_endian.h"
|
| #include "base/memory/ptr_util.h"
|
| +#include "base/strings/string_piece.h"
|
| #include "base/strings/string_util.h"
|
| #include "components/gcm_driver/crypto/p256_key_util.h"
|
| #include "crypto/random.h"
|
| @@ -21,6 +23,7 @@ namespace {
|
| const char kExamplePlaintext[] = "Example plaintext";
|
|
|
| // Expected sizes of the different input given to the cryptographer.
|
| +constexpr size_t kUncompressedPointSize = 65;
|
| constexpr size_t kEcdhSharedSecretSize = 32;
|
| constexpr size_t kAuthSecretSize = 16;
|
| constexpr size_t kSaltSize = 16;
|
| @@ -80,7 +83,7 @@ const unsigned char kCommonAuthSecret[] = {0x25, 0xF2, 0xC2, 0xB8, 0x19, 0xD8,
|
| static_assert(arraysize(kCommonAuthSecret) == 16,
|
| "Auth secrets must be 16 bytes in size.");
|
|
|
| -// Test vectors containing reference input for draft-ietf-webpush-encryption-03
|
| +// Test vectors containing reference input for draft-ietf-webpush-encryption
|
| // that was created using an separate JavaScript implementation of the draft.
|
| struct TestVector {
|
| const char* const input;
|
| @@ -115,6 +118,30 @@ const TestVector kEncryptionTestVectorsDraft03[] = {
|
| 4096,
|
| "8s-Tzq8Cn_eobL6uEcNDXL7K"}};
|
|
|
| +const TestVector kEncryptionTestVectorsDraft08[] = {
|
| + // Simple message.
|
| + {"Hello, world!",
|
| + {0x0B, 0x32, 0xE2, 0xD1, 0x6A, 0xBF, 0x4F, 0x2C, 0x49, 0xEA, 0xF7,
|
| + 0x5D, 0x71, 0x7D, 0x89, 0xA9, 0xA7, 0x5E, 0x21, 0xB2, 0xB5, 0x51,
|
| + 0xE6, 0x4C, 0x08, 0x68, 0xD3, 0x6F, 0x8F, 0x72, 0x7E, 0x14},
|
| + {0xD3, 0xF2, 0x78, 0xBD, 0x8D, 0xDD, 0x84, 0x99, 0x66, 0x08, 0xD7, 0x0F,
|
| + 0xBA, 0x9B, 0x60, 0xFC},
|
| + {0x15, 0x4A, 0xD7, 0x73, 0x92, 0xBD, 0x3B, 0xCF, 0x6F, 0x98, 0xDC, 0x9B,
|
| + 0x8B, 0x56, 0xFB, 0xBD},
|
| + 4096,
|
| + "3biYN3Aa30D30bKJMdGlEyYPrz7Wg293NYc31rb6"},
|
| + // Empty message.
|
| + {"",
|
| + {0x3F, 0xD8, 0x95, 0x2C, 0xA2, 0x11, 0xBD, 0x7B, 0x57, 0xB2, 0x00,
|
| + 0xBD, 0x57, 0x68, 0x3F, 0xF0, 0x14, 0x57, 0x5F, 0xB1, 0x9F, 0x15,
|
| + 0x4F, 0x11, 0xF0, 0x4D, 0xA2, 0xE8, 0x4C, 0xEA, 0x74, 0x3B},
|
| + {0xB1, 0xE1, 0xC7, 0x32, 0x4C, 0xAA, 0x56, 0x32, 0x68, 0x20, 0x0F, 0x26,
|
| + 0x3F, 0x48, 0x4D, 0x99},
|
| + {0xE9, 0x39, 0x45, 0xBC, 0x96, 0x96, 0x88, 0x76, 0xFC, 0xA1, 0xAD, 0xE4,
|
| + 0x9D, 0x28, 0xF3, 0x73},
|
| + 4096,
|
| + "5OXY345WYPyIvsF7hx4swuA"}};
|
| +
|
| const TestVector kDecryptionTestVectorsDraft03[] = {
|
| // Simple message.
|
| {"lsemWwzlFoJzoidHCnVuxRiJpotTcYokJHKzmQ2FsA",
|
| @@ -183,14 +210,46 @@ const TestVector kDecryptionTestVectorsDraft03[] = {
|
| 8,
|
| nullptr}};
|
|
|
| +const TestVector kDecryptionTestVectorsDraft08[] = {
|
| + // Simple message.
|
| + {"baIDPDv-Do_x1RVtlFDex2uCvd3Ugrv-gJG3sWeg",
|
| + {0x4D, 0x3A, 0x6C, 0xBA, 0xD8, 0x1D, 0x8E, 0x68, 0x8B, 0xE6, 0x76,
|
| + 0xA7, 0xFF, 0x60, 0xC7, 0xFE, 0x77, 0xE2, 0x6D, 0x37, 0xF6, 0x12,
|
| + 0x44, 0xE2, 0x25, 0xFE, 0xE1, 0xD8, 0xCF, 0x8A, 0xA8, 0x33},
|
| + {0x62, 0x36, 0xAC, 0xCA, 0x74, 0xD4, 0x49, 0x49, 0x6B, 0x27, 0xB4, 0xF7,
|
| + 0xC1, 0xE5, 0x30, 0x9A},
|
| + {0x1C, 0xA7, 0xFD, 0x98, 0x1A, 0xE4, 0xA7, 0x92, 0xE1, 0xB6, 0xA1, 0xE3,
|
| + 0x41, 0x63, 0x87, 0x76},
|
| + 4096,
|
| + "Hello, world!"},
|
| + // Simple message with 16 bytes of padding.
|
| + {"6Zq7GKQ7zRxeOWoYR71Nx7xJzCZUUNhz6bhV1-ZIg6dVra0x1uWXms5gHp6F6A",
|
| + {0x8B, 0x38, 0x8E, 0x22, 0xD5, 0xC4, 0xFD, 0x65, 0x8A, 0xBB, 0xD9,
|
| + 0x58, 0xBD, 0xF5, 0xFF, 0x79, 0xCF, 0x9D, 0xBD, 0x87, 0x16, 0x7E,
|
| + 0x93, 0x84, 0x20, 0x8E, 0x8D, 0x49, 0x41, 0x7D, 0x8E, 0x8F},
|
| + {0x3E, 0x65, 0xC7, 0x1F, 0x75, 0x7A, 0x43, 0xC4, 0x78, 0x6C, 0x64, 0x99,
|
| + 0x49, 0xA0, 0xC4, 0xB2},
|
| + {0x43, 0x4D, 0x30, 0x8E, 0xE4, 0x76, 0xB5, 0xD0, 0x87, 0xFC, 0x04, 0xD1,
|
| + 0x2E, 0x35, 0x75, 0x63},
|
| + 4096,
|
| + "Hello, world!"},
|
| + // Empty message.
|
| + {"bHU7ponA7WAGB0onUybG9nQ",
|
| + {0x68, 0x72, 0x3D, 0x13, 0xE7, 0x50, 0xFA, 0x3E, 0xA0, 0x59, 0x33,
|
| + 0xF1, 0x73, 0xA8, 0xE8, 0xCD, 0x8D, 0xD4, 0x3C, 0xDC, 0xDE, 0x06,
|
| + 0x35, 0x5F, 0x51, 0xBB, 0xB2, 0x57, 0x97, 0x72, 0x9D, 0xFB},
|
| + {0x84, 0xB2, 0x2A, 0xE7, 0xC6, 0xC0, 0xCE, 0x5F, 0xAD, 0x37, 0x06, 0x7F,
|
| + 0xD1, 0xFD, 0x10, 0x87},
|
| + {0x9B, 0xC5, 0x8D, 0x5F, 0xD6, 0xD2, 0xA6, 0xBD, 0xAF, 0x4B, 0xD9, 0x60,
|
| + 0xC6, 0xB4, 0x50, 0x0F},
|
| + 4096,
|
| + ""}};
|
| +
|
| } // namespace
|
|
|
| -class GCMMessageCryptographerTest : public ::testing::Test {
|
| +class GCMMessageCryptographerTestBase : public ::testing::Test {
|
| public:
|
| void SetUp() override {
|
| - cryptographer_ = base::MakeUnique<GCMMessageCryptographer>(
|
| - GCMMessageCryptographer::Version::DRAFT_03);
|
| -
|
| recipient_public_key_.assign(
|
| kCommonRecipientPublicKey,
|
| kCommonRecipientPublicKey + arraysize(kCommonRecipientPublicKey));
|
| @@ -218,15 +277,6 @@ class GCMMessageCryptographerTest : public ::testing::Test {
|
| }
|
|
|
| protected:
|
| - // Generates a cryptographically secure random salt of 16-octets in size, the
|
| - // required length as expected by the HKDF.
|
| - std::string GenerateRandomSalt() {
|
| - std::string salt;
|
| -
|
| - crypto::RandBytes(base::WriteInto(&salt, kSaltSize + 1), kSaltSize);
|
| - return salt;
|
| - }
|
| -
|
| // Public keys of the recipient and sender as uncompressed P-256 EC points.
|
| std::string recipient_public_key_;
|
| std::string sender_public_key_;
|
| @@ -236,12 +286,33 @@ class GCMMessageCryptographerTest : public ::testing::Test {
|
|
|
| // Authentication secret to use in tests where no specific value is expected.
|
| std::string auth_secret_;
|
| +};
|
| +
|
| +class GCMMessageCryptographerTest
|
| + : public GCMMessageCryptographerTestBase,
|
| + public testing::WithParamInterface<GCMMessageCryptographer::Version> {
|
| + public:
|
| + void SetUp() override {
|
| + GCMMessageCryptographerTestBase::SetUp();
|
| +
|
| + cryptographer_ = base::MakeUnique<GCMMessageCryptographer>(GetParam());
|
| + }
|
| +
|
| + protected:
|
| + // Generates a cryptographically secure random salt of 16-octets in size, the
|
| + // required length as expected by the HKDF.
|
| + std::string GenerateRandomSalt() {
|
| + std::string salt;
|
| +
|
| + crypto::RandBytes(base::WriteInto(&salt, kSaltSize + 1), kSaltSize);
|
| + return salt;
|
| + }
|
|
|
| // The GCMMessageCryptographer instance to use for the tests.
|
| std::unique_ptr<GCMMessageCryptographer> cryptographer_;
|
| };
|
|
|
| -TEST_F(GCMMessageCryptographerTest, RoundTrip) {
|
| +TEST_P(GCMMessageCryptographerTest, RoundTrip) {
|
| const std::string salt = GenerateRandomSalt();
|
|
|
| size_t record_size = 0;
|
| @@ -261,7 +332,7 @@ TEST_F(GCMMessageCryptographerTest, RoundTrip) {
|
| EXPECT_EQ(kExamplePlaintext, plaintext);
|
| }
|
|
|
| -TEST_F(GCMMessageCryptographerTest, RoundTripEmptyMessage) {
|
| +TEST_P(GCMMessageCryptographerTest, RoundTripEmptyMessage) {
|
| const std::string salt = GenerateRandomSalt();
|
| const std::string message = "";
|
|
|
| @@ -282,7 +353,7 @@ TEST_F(GCMMessageCryptographerTest, RoundTripEmptyMessage) {
|
| EXPECT_EQ(message, plaintext);
|
| }
|
|
|
| -TEST_F(GCMMessageCryptographerTest, InvalidRecordSize) {
|
| +TEST_P(GCMMessageCryptographerTest, InvalidRecordSize) {
|
| const std::string salt = GenerateRandomSalt();
|
|
|
| size_t record_size = 0;
|
| @@ -307,21 +378,36 @@ TEST_F(GCMMessageCryptographerTest, InvalidRecordSize) {
|
| auth_secret_, salt, ciphertext, ciphertext.size() - 16, &plaintext));
|
| }
|
|
|
| -TEST_F(GCMMessageCryptographerTest, InvalidRecordPadding) {
|
| - std::string message = std::string(sizeof(uint16_t), '\0') + kExamplePlaintext;
|
| +TEST_P(GCMMessageCryptographerTest, InvalidRecordPadding) {
|
| + std::string message;
|
| + switch (GetParam()) {
|
| + case GCMMessageCryptographer::Version::DRAFT_03:
|
| + message.append(sizeof(uint8_t), '\00'); // padding length octets
|
| + message.append(sizeof(uint8_t), '\01');
|
| +
|
| + message.append(sizeof(uint8_t), '\00'); // padding octet
|
| + message.append(kExamplePlaintext);
|
| + break;
|
| + case GCMMessageCryptographer::Version::DRAFT_08:
|
| + message.append(kExamplePlaintext);
|
| + message.append(sizeof(uint8_t), '\x02'); // padding delimiter octet
|
| + message.append(sizeof(uint8_t), '\x00'); // padding octet
|
| + break;
|
| + }
|
|
|
| const std::string salt = GenerateRandomSalt();
|
|
|
| const std::string prk =
|
| cryptographer_->encryption_scheme_->DerivePseudoRandomKey(
|
| - ecdh_shared_secret_, auth_secret_);
|
| + recipient_public_key_, sender_public_key_, ecdh_shared_secret_,
|
| + auth_secret_);
|
| const std::string content_encryption_key =
|
| cryptographer_->DeriveContentEncryptionKey(recipient_public_key_,
|
| sender_public_key_, prk, salt);
|
| const std::string nonce = cryptographer_->DeriveNonce(
|
| recipient_public_key_, sender_public_key_, prk, salt);
|
|
|
| - ASSERT_GT(message.size(), 1u);
|
| + ASSERT_GT(message.size(), 2u);
|
| const size_t record_size = message.size() + 1;
|
|
|
| std::string ciphertext, plaintext;
|
| @@ -336,36 +422,67 @@ TEST_F(GCMMessageCryptographerTest, InvalidRecordPadding) {
|
| // Note that GCMMessageCryptographer::Decrypt removes the padding.
|
| EXPECT_EQ(kExamplePlaintext, plaintext);
|
|
|
| - // Now run the same steps again, but say that there are four padding octets.
|
| - // This should be rejected because the padding will not be all zeros.
|
| - message[0] = 4;
|
| + // Now run the same steps again, but have invalid padding length indicators.
|
| + // (Only applicable to draft-ietf-webpush-encryption-03.)
|
| + if (GetParam() == GCMMessageCryptographer::Version::DRAFT_03) {
|
| + // Padding that will spill over in the payload.
|
| + {
|
| + message[1] = 4;
|
|
|
| - ASSERT_TRUE(cryptographer_->TransformRecord(
|
| - GCMMessageCryptographer::Direction::ENCRYPT, message,
|
| - content_encryption_key, nonce, &ciphertext));
|
| + ASSERT_TRUE(cryptographer_->TransformRecord(
|
| + GCMMessageCryptographer::Direction::ENCRYPT, message,
|
| + content_encryption_key, nonce, &ciphertext));
|
|
|
| - ASSERT_FALSE(cryptographer_->Decrypt(
|
| - recipient_public_key_, sender_public_key_, ecdh_shared_secret_,
|
| - auth_secret_, salt, ciphertext, record_size, &plaintext));
|
| + ASSERT_FALSE(cryptographer_->Decrypt(
|
| + recipient_public_key_, sender_public_key_, ecdh_shared_secret_,
|
| + auth_secret_, salt, ciphertext, record_size, &plaintext));
|
| + }
|
|
|
| - // Do the same but changing the second octet indicating padding size, leaving
|
| - // the first octet at zero.
|
| - message[0] = 0;
|
| - message[1] = 4;
|
| + // More padding octets than the length of the message.
|
| + {
|
| + message[1] = 64;
|
|
|
| - ASSERT_TRUE(cryptographer_->TransformRecord(
|
| - GCMMessageCryptographer::Direction::ENCRYPT, message,
|
| - content_encryption_key, nonce, &ciphertext));
|
| + ASSERT_TRUE(cryptographer_->TransformRecord(
|
| + GCMMessageCryptographer::Direction::ENCRYPT, message,
|
| + content_encryption_key, nonce, &ciphertext));
|
|
|
| - ASSERT_FALSE(cryptographer_->Decrypt(
|
| - recipient_public_key_, sender_public_key_, ecdh_shared_secret_,
|
| - auth_secret_, salt, ciphertext, record_size, &plaintext));
|
| + ASSERT_FALSE(cryptographer_->Decrypt(
|
| + recipient_public_key_, sender_public_key_, ecdh_shared_secret_,
|
| + auth_secret_, salt, ciphertext, record_size, &plaintext));
|
| + }
|
|
|
| - // Run the same steps again, but say that there are more padding octets than
|
| - // the length of the message.
|
| - message[0] = 64;
|
| + // Correct the |message| to be valid again. (A single byte of padding.)
|
| + message[1] = 1;
|
| + }
|
| +
|
| + // Run tests for a missing delimiter in the record.
|
| + // (Only applicable to draft-ietf-webpush-encryption-03.)
|
| + if (GetParam() == GCMMessageCryptographer::Version::DRAFT_08) {
|
| + message[message.size() - 2] = 0x00;
|
| +
|
| + ASSERT_TRUE(cryptographer_->TransformRecord(
|
| + GCMMessageCryptographer::Direction::ENCRYPT, message,
|
| + content_encryption_key, nonce, &ciphertext));
|
| +
|
| + ASSERT_FALSE(cryptographer_->Decrypt(
|
| + recipient_public_key_, sender_public_key_, ecdh_shared_secret_,
|
| + auth_secret_, salt, ciphertext, record_size, &plaintext));
|
| +
|
| + // Correct the |message| to be valid again. (Proper padding delimiter.)
|
| + message[message.size() - 2] = 0x02;
|
| + }
|
| +
|
| + // Finally run a test to make sure that we validate that all padding bytes are
|
| + // set to zeros. The position of the padding byte depends on the version.
|
| + switch (GetParam()) {
|
| + case GCMMessageCryptographer::Version::DRAFT_03:
|
| + message[2] = 0x13;
|
| + break;
|
| + case GCMMessageCryptographer::Version::DRAFT_08:
|
| + message[message.size() - 1] = 0x13;
|
| + break;
|
| + }
|
|
|
| - EXPECT_GT(static_cast<size_t>(message[0]), message.size());
|
| ASSERT_TRUE(cryptographer_->TransformRecord(
|
| GCMMessageCryptographer::Direction::ENCRYPT, message,
|
| content_encryption_key, nonce, &ciphertext));
|
| @@ -375,7 +492,7 @@ TEST_F(GCMMessageCryptographerTest, InvalidRecordPadding) {
|
| auth_secret_, salt, ciphertext, record_size, &plaintext));
|
| }
|
|
|
| -TEST_F(GCMMessageCryptographerTest, AuthSecretAffectsPRK) {
|
| +TEST_P(GCMMessageCryptographerTest, AuthSecretAffectsPRK) {
|
| std::string first_auth_secret, second_auth_secret;
|
|
|
| crypto::RandBytes(base::WriteInto(&first_auth_secret, kAuthSecretSize + 1),
|
| @@ -384,9 +501,11 @@ TEST_F(GCMMessageCryptographerTest, AuthSecretAffectsPRK) {
|
| kAuthSecretSize);
|
|
|
| ASSERT_NE(cryptographer_->encryption_scheme_->DerivePseudoRandomKey(
|
| - ecdh_shared_secret_, first_auth_secret),
|
| + recipient_public_key_, sender_public_key_, ecdh_shared_secret_,
|
| + first_auth_secret),
|
| cryptographer_->encryption_scheme_->DerivePseudoRandomKey(
|
| - ecdh_shared_secret_, second_auth_secret));
|
| + recipient_public_key_, sender_public_key_, ecdh_shared_secret_,
|
| + second_auth_secret));
|
|
|
| std::string salt = GenerateRandomSalt();
|
|
|
| @@ -426,10 +545,19 @@ TEST_F(GCMMessageCryptographerTest, AuthSecretAffectsPRK) {
|
| EXPECT_EQ(kExamplePlaintext, second_plaintext);
|
| }
|
|
|
| +INSTANTIATE_TEST_CASE_P(
|
| + GCMMessageCryptographerTestBase,
|
| + GCMMessageCryptographerTest,
|
| + ::testing::Values(GCMMessageCryptographer::Version::DRAFT_03,
|
| + GCMMessageCryptographer::Version::DRAFT_08));
|
| +
|
| class GCMMessageCryptographerTestVectorTest
|
| - : public GCMMessageCryptographerTest {};
|
| + : public GCMMessageCryptographerTestBase {};
|
|
|
| TEST_F(GCMMessageCryptographerTestVectorTest, EncryptionVectorsDraft03) {
|
| + GCMMessageCryptographer cryptographer(
|
| + GCMMessageCryptographer::Version::DRAFT_03);
|
| +
|
| std::string ecdh_shared_secret, auth_secret, salt, ciphertext, output;
|
| size_t record_size = 0;
|
|
|
| @@ -448,10 +576,10 @@ TEST_F(GCMMessageCryptographerTestVectorTest, EncryptionVectorsDraft03) {
|
| salt.assign(kEncryptionTestVectorsDraft03[i].salt,
|
| kEncryptionTestVectorsDraft03[i].salt + kSaltSize);
|
|
|
| - ASSERT_TRUE(cryptographer_->Encrypt(
|
| - recipient_public_key_, sender_public_key_, ecdh_shared_secret,
|
| - auth_secret, salt, kEncryptionTestVectorsDraft03[i].input, &record_size,
|
| - &ciphertext));
|
| + ASSERT_TRUE(cryptographer.Encrypt(recipient_public_key_, sender_public_key_,
|
| + ecdh_shared_secret, auth_secret, salt,
|
| + kEncryptionTestVectorsDraft03[i].input,
|
| + &record_size, &ciphertext));
|
|
|
| base::Base64UrlEncode(ciphertext, base::Base64UrlEncodePolicy::OMIT_PADDING,
|
| &output);
|
| @@ -462,6 +590,9 @@ TEST_F(GCMMessageCryptographerTestVectorTest, EncryptionVectorsDraft03) {
|
| }
|
|
|
| TEST_F(GCMMessageCryptographerTestVectorTest, DecryptionVectorsDraft03) {
|
| + GCMMessageCryptographer cryptographer(
|
| + GCMMessageCryptographer::Version::DRAFT_03);
|
| +
|
| std::string input, ecdh_shared_secret, auth_secret, salt, plaintext;
|
| for (size_t i = 0; i < arraysize(kDecryptionTestVectorsDraft03); ++i) {
|
| SCOPED_TRACE(i);
|
| @@ -483,7 +614,7 @@ TEST_F(GCMMessageCryptographerTestVectorTest, DecryptionVectorsDraft03) {
|
| kDecryptionTestVectorsDraft03[i].salt + kSaltSize);
|
|
|
| const bool has_output = kDecryptionTestVectorsDraft03[i].output;
|
| - const bool result = cryptographer_->Decrypt(
|
| + const bool result = cryptographer.Decrypt(
|
| recipient_public_key_, sender_public_key_, ecdh_shared_secret,
|
| auth_secret, salt, input, kDecryptionTestVectorsDraft03[i].record_size,
|
| &plaintext);
|
| @@ -498,16 +629,93 @@ TEST_F(GCMMessageCryptographerTestVectorTest, DecryptionVectorsDraft03) {
|
| }
|
| }
|
|
|
| +TEST_F(GCMMessageCryptographerTestVectorTest, EncryptionVectorsDraft08) {
|
| + GCMMessageCryptographer cryptographer(
|
| + GCMMessageCryptographer::Version::DRAFT_08);
|
| +
|
| + std::string ecdh_shared_secret, auth_secret, salt, ciphertext, output;
|
| + size_t record_size = 0;
|
| +
|
| + for (size_t i = 0; i < arraysize(kEncryptionTestVectorsDraft08); ++i) {
|
| + SCOPED_TRACE(i);
|
| +
|
| + ecdh_shared_secret.assign(
|
| + kEncryptionTestVectorsDraft08[i].ecdh_shared_secret,
|
| + kEncryptionTestVectorsDraft08[i].ecdh_shared_secret +
|
| + kEcdhSharedSecretSize);
|
| +
|
| + auth_secret.assign(
|
| + kEncryptionTestVectorsDraft08[i].auth_secret,
|
| + kEncryptionTestVectorsDraft08[i].auth_secret + kAuthSecretSize);
|
| +
|
| + salt.assign(kEncryptionTestVectorsDraft08[i].salt,
|
| + kEncryptionTestVectorsDraft08[i].salt + kSaltSize);
|
| +
|
| + ASSERT_TRUE(cryptographer.Encrypt(recipient_public_key_, sender_public_key_,
|
| + ecdh_shared_secret, auth_secret, salt,
|
| + kEncryptionTestVectorsDraft08[i].input,
|
| + &record_size, &ciphertext));
|
| +
|
| + base::Base64UrlEncode(ciphertext, base::Base64UrlEncodePolicy::OMIT_PADDING,
|
| + &output);
|
| +
|
| + EXPECT_EQ(kEncryptionTestVectorsDraft08[i].record_size, record_size);
|
| + EXPECT_EQ(kEncryptionTestVectorsDraft08[i].output, output);
|
| + }
|
| +}
|
| +
|
| +TEST_F(GCMMessageCryptographerTestVectorTest, DecryptionVectorsDraft08) {
|
| + GCMMessageCryptographer cryptographer(
|
| + GCMMessageCryptographer::Version::DRAFT_08);
|
| +
|
| + std::string input, ecdh_shared_secret, auth_secret, salt, plaintext;
|
| +
|
| + for (size_t i = 0; i < arraysize(kDecryptionTestVectorsDraft08); ++i) {
|
| + SCOPED_TRACE(i);
|
| +
|
| + ASSERT_TRUE(base::Base64UrlDecode(
|
| + kDecryptionTestVectorsDraft08[i].input,
|
| + base::Base64UrlDecodePolicy::IGNORE_PADDING, &input));
|
| +
|
| + ecdh_shared_secret.assign(
|
| + kDecryptionTestVectorsDraft08[i].ecdh_shared_secret,
|
| + kDecryptionTestVectorsDraft08[i].ecdh_shared_secret +
|
| + kEcdhSharedSecretSize);
|
| +
|
| + auth_secret.assign(
|
| + kDecryptionTestVectorsDraft08[i].auth_secret,
|
| + kDecryptionTestVectorsDraft08[i].auth_secret + kAuthSecretSize);
|
| +
|
| + salt.assign(kDecryptionTestVectorsDraft08[i].salt,
|
| + kDecryptionTestVectorsDraft08[i].salt + kSaltSize);
|
| +
|
| + const bool has_output = kDecryptionTestVectorsDraft08[i].output;
|
| + const bool result = cryptographer.Decrypt(
|
| + recipient_public_key_, sender_public_key_, ecdh_shared_secret,
|
| + auth_secret, salt, input, kDecryptionTestVectorsDraft08[i].record_size,
|
| + &plaintext);
|
| +
|
| + if (!has_output) {
|
| + EXPECT_FALSE(result);
|
| + continue;
|
| + }
|
| +
|
| + EXPECT_TRUE(result);
|
| + EXPECT_EQ(kDecryptionTestVectorsDraft08[i].output, plaintext);
|
| + }
|
| +}
|
| +
|
| class GCMMessageCryptographerReferenceTest : public ::testing::Test {
|
| protected:
|
| // Computes the shared secret between the sender and the receiver. The sender
|
| // must have a key-pair containing a X.509 SubjectPublicKeyInfo block and a
|
| // ASN.1-encoded PKCS #8 EncryptedPrivateKeyInfo block, whereas the receiver
|
| // must have a public key in uncompressed EC point format.
|
| - void ComputeSharedSecret(const char* encoded_sender_private_key,
|
| - const char* encoded_sender_public_key_x509,
|
| - const char* encoded_receiver_public_key,
|
| - std::string* shared_secret) const {
|
| + void ComputeSharedSecret(
|
| + const base::StringPiece& encoded_sender_private_key,
|
| + const base::StringPiece& encoded_sender_public_key_x509,
|
| + const base::StringPiece& encoded_receiver_public_key,
|
| + std::string* shared_secret) const {
|
| std::string sender_private_key, sender_public_key_x509, receiver_public_key;
|
| ASSERT_TRUE(base::Base64UrlDecode(
|
| encoded_sender_private_key,
|
| @@ -615,4 +823,142 @@ TEST_F(GCMMessageCryptographerReferenceTest, ReferenceDraft03) {
|
| ASSERT_EQ(kPlaintext, plaintext);
|
| }
|
|
|
| +// Reference test included for the Version::DRAFT_08 implementation.
|
| +// https://tools.ietf.org/html/draft-ietf-webpush-encryption-08
|
| +// https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-07
|
| +TEST_F(GCMMessageCryptographerReferenceTest, ReferenceDraft08) {
|
| + // The 16-byte prearranged secret between the sender and receiver.
|
| + const char kAuthSecret[] = "BTBZMqHH6r4Tts7J_aSIgg";
|
| +
|
| + // The keying material used by the sender to encrypt the |kCiphertext|.
|
| + const char kSenderPrivate[] =
|
| + "MIGxMBwGCiqGSIb3DQEMAQMwDgQIScUGT5GSrLoCAggABIGQMr4LCZNVg8uqAo5MSUrI5cCV"
|
| + "AyQzjG7jdSXooDx_yPXgwMskoNzKhBXIG0AZF7MBimdXFTg_wlv38empWRr_-x4fnQiIBKya"
|
| + "pt6uBOfYVuE_nnhqudqvSxiiv6hikBvxS2zabgph8-vFPQG10uUv8xkAO6vPdtTABCUzCXQU"
|
| + "p1QmuP471ZdaNAMuCPmxry-C";
|
| + const char kSenderPublicX509[] =
|
| + "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE_jP0qw3qcZFNtVgj9ztUlI9BMG2SBzLbuaWa"
|
| + "UyhkgiAOWXp7e8JguhwieZhYCZLpOXMALzASooro8Gu7eOXsDw";
|
| +
|
| + // The keying material used by the recipient to decrypt the |kCiphertext|.
|
| + const char kRecipientPrivate[] =
|
| + "MIGxMBwGCiqGSIb3DQEMAQMwDgQIFMj5PQ6zlvwCAggABIGQfr9ZUZd5kr5Wf3AnThoNI8mr"
|
| + "V3dkpfaKWc725soIIny8V1l_-8AkfbsisM7VpEmZMWKhjSoCKtq970vb-27xUGUCtxy6Mhij"
|
| + "r4suUqirpM1noA1oKd0O0ap7_zHG4X6j2iA-4UPC0T4lSIscgmRZJWKQeA_7U0pUfryhTolM"
|
| + "o175tTl399amT66tOGI2wn3O";
|
| + const char kRecipientPublicKeyUncompressed[] =
|
| + "BCVxsr7N_eNgVRqvHtD0zTZsEc6-VV-JvLexhqUzORcxaOzi6-AYWXvTBHm4bjyPjs7Vd8pZ"
|
| + "GH6SRpkNtoIAiw4";
|
| + const char kRecipientPublicX509[] =
|
| + "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJXGyvs3942BVGq8e0PTNNmwRzr5VX4m8t7GG"
|
| + "pTM5FzFo7OLr4BhZe9MEebhuPI-OztV3ylkYfpJGmQ22ggCLDg";
|
| +
|
| + // The plain text of the message, as well as the encrypted reference message.
|
| + const char kPlaintext[] = "When I grow up, I want to be a watermelon";
|
| + const char kReferenceMessage[] =
|
| + "DGv6ra1nlYgDCS1FRnbzlwAAEABBBP4z9KsN6nGRTbVYI_"
|
| + "c7VJSPQTBtkgcy27mlmlMoZIIgDll6e3vCYLocInmYWAmS6TlzAC8wEqKK6PBru3jl7A_"
|
| + "yl95bQpu6cVPTpK4Mqgkf1CXztLVBSt2Ks3oZwbuwXPXLWyouBWLVWGNWQexSgSxsj_"
|
| + "Qulcy4a-fN";
|
| +
|
| + std::string message;
|
| + ASSERT_TRUE(base::Base64UrlDecode(kReferenceMessage,
|
| + base::Base64UrlDecodePolicy::IGNORE_PADDING,
|
| + &message));
|
| +
|
| + // TODO(peter): Break out the following in a separate message parser class so
|
| + // that it can be reused by the GCMEncryptionProvider (on the receiving path)
|
| + // and the gcm_crypto_test_helpers.cc file (on the sending path) too.
|
| + //
|
| + // The message contains a binary header in the following format:
|
| + // [ salt(16) | record_size(4) | sender_public_key_len(1) |
|
| + // sender_public_key(sender_public_key_len) ]
|
| + //
|
| + // For Web Push Encryption, which uses a P-256 sender key as uncompressed
|
| + // P-256 EC points, the length of the sender key is 65 bytes, making the
|
| + // total, fixed length of the header 86 bytes.
|
| + //
|
| + // The regular AEAD_AES_128_GCM ciphertext follows immediately after this. The
|
| + // minimum overhead for a single record is 18 bytes. This means that an
|
| + // incoming message must be at least 104 bytes in size.
|
| + ASSERT_GE(message.size(), 104u);
|
| +
|
| + const char* current = &message.front();
|
| +
|
| + uint32_t record_size;
|
| + uint8_t sender_public_key_length;
|
| +
|
| + base::StringPiece salt(current, kSaltSize);
|
| + current += kSaltSize;
|
| +
|
| + base::ReadBigEndian(current, &record_size);
|
| + current += sizeof(record_size);
|
| +
|
| + base::ReadBigEndian(current, &sender_public_key_length);
|
| + current += sizeof(sender_public_key_length);
|
| +
|
| + ASSERT_EQ(sender_public_key_length, kUncompressedPointSize);
|
| +
|
| + base::StringPiece sender_public_key(current, sender_public_key_length);
|
| + current += sender_public_key_length;
|
| +
|
| + base::StringPiece ciphertext(
|
| + current, message.size() - kSaltSize - sizeof(record_size) -
|
| + sizeof(sender_public_key_length) - sender_public_key_length);
|
| +
|
| + std::string sender_shared_secret, receiver_shared_secret;
|
| +
|
| + // Compute the shared secrets between the sender and receiver's keys.
|
| + ASSERT_NO_FATAL_FAILURE(ComputeSharedSecret(kSenderPrivate, kSenderPublicX509,
|
| + kRecipientPublicKeyUncompressed,
|
| + &sender_shared_secret));
|
| +
|
| + // Compute the shared secret based on the sender's public key, which isn't a
|
| + // constant but instead is included in the message's binary header.
|
| + std::string sender_private_key, sender_public_key_x509;
|
| + ASSERT_TRUE(base::Base64UrlDecode(kRecipientPrivate,
|
| + base::Base64UrlDecodePolicy::IGNORE_PADDING,
|
| + &sender_private_key));
|
| + ASSERT_TRUE(base::Base64UrlDecode(kRecipientPublicX509,
|
| + base::Base64UrlDecodePolicy::IGNORE_PADDING,
|
| + &sender_public_key_x509));
|
| +
|
| + ASSERT_TRUE(ComputeSharedP256Secret(sender_private_key,
|
| + sender_public_key_x509, sender_public_key,
|
| + &receiver_shared_secret));
|
| +
|
| + ASSERT_GT(sender_shared_secret.size(), 0u);
|
| + ASSERT_EQ(sender_shared_secret, receiver_shared_secret);
|
| +
|
| + // Decode the public keys of both parties and the auth secret.
|
| + std::string recipient_public_key, auth_secret;
|
| + ASSERT_TRUE(base::Base64UrlDecode(kRecipientPublicKeyUncompressed,
|
| + base::Base64UrlDecodePolicy::IGNORE_PADDING,
|
| + &recipient_public_key));
|
| + ASSERT_TRUE(base::Base64UrlDecode(
|
| + kAuthSecret, base::Base64UrlDecodePolicy::IGNORE_PADDING, &auth_secret));
|
| +
|
| + // Attempt to decrypt the message using a GCMMessageCryptographer for this
|
| + // version of the draft, and then re-encrypt it agian to make sure it matches.
|
| + GCMMessageCryptographer cryptographer(
|
| + GCMMessageCryptographer::Version::DRAFT_08);
|
| +
|
| + std::string plaintext;
|
| +
|
| + ASSERT_TRUE(cryptographer.Decrypt(recipient_public_key, sender_public_key,
|
| + sender_shared_secret, auth_secret, salt,
|
| + ciphertext, record_size, &plaintext));
|
| + ASSERT_EQ(kPlaintext, plaintext);
|
| +
|
| + size_t record_size2;
|
| + std::string ciphertext2;
|
| +
|
| + ASSERT_TRUE(cryptographer.Encrypt(recipient_public_key, sender_public_key,
|
| + sender_shared_secret, auth_secret, salt,
|
| + kPlaintext, &record_size2, &ciphertext2));
|
| +
|
| + EXPECT_GE(record_size2, record_size);
|
| + EXPECT_EQ(ciphertext2, ciphertext);
|
| +}
|
| +
|
| } // namespace gcm
|
|
|
Chromium Code Reviews
Issue 2716443002:
Implement support for draft-ietf-webpush-encryption-08 (Closed)
