2 * Copyright (c) 2000 - 2019 Samsung Electronics Co., Ltd All Rights Reserved
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License
17 * @file encryption-decryption.cpp
18 * @author Krzysztof Jackiewicz (k.jackiewicz@samsung.com)
25 #include <unordered_map>
27 #include <dpl/test/test_runner.h>
28 #include <ckm-common.h>
29 #include <ckmc/ckmc-manager.h>
30 #include <ckmc/ckmc-control.h>
31 #include <ckm/ckm-type.h>
32 #include <ckm/ckm-manager.h>
33 #include <encryption-decryption-env.h>
39 const char* PASSWORD = "test-password";
40 const uid_t UID = 5001;
41 const size_t CTR_DEFAULT_LEN = 16*8;
42 const size_t DEFAULT_IV_LEN = 16;
43 const size_t BUF_LEN = 86; // must be less than 1024/8-41 to support RSA OAEP 1024
49 EncryptionApi* g_api = &g_syncApi;
51 EncryptionError apiEncrypt(ckmc_param_list_h params,
52 const char *key_alias,
54 const ckmc_raw_buffer_s decrypted,
55 ckmc_raw_buffer_s **ppencrypted) {
56 RUNNER_ASSERT_MSG(g_api, "No encryption API is connected");
57 return g_api->encrypt(params, key_alias, password, decrypted, ppencrypted);
60 inline CKM::Password _tostring(const char *str)
62 return (str == nullptr) ? Password() : Password(str);
65 inline CKM::Policy _toCkmPolicy(const ckmc_policy_s &policy, PolicyBackend backend)
67 return CKM::Policy(_tostring(policy.password), policy.extractable, backend);
70 EncryptionError apiDecrypt(ckmc_param_list_h params,
71 const char *key_alias,
73 const ckmc_raw_buffer_s encrypted,
74 ckmc_raw_buffer_s **ppdecrypted) {
75 RUNNER_ASSERT_MSG(g_api, "No encryption API is connected");
76 return g_api->decrypt(params, key_alias, password, encrypted, ppdecrypted);
80 template <typename F, typename... Args>
81 void assert_crypto_result(EncryptionError expected, F&& func, Args... args)
83 EncryptionError ret = func(args...);
84 RUNNER_ASSERT_MSG(ret == expected,
85 "Expected: " << static_cast<int>(expected) <<
86 " got: " << static_cast<int>(ret));
89 template <typename F, typename... Args>
90 void assert_crypto_positive(F&& func, Args... args)
92 assert_crypto_result(EncryptionError::SUCCESS, std::move(func), args...);
95 template <typename F, typename... Args>
96 void assert_crypto_invalid_param(F&& func, Args... args)
98 assert_crypto_result(EncryptionError::INVALID_PARAM, std::move(func), args...);
103 EncryptionError expected;
113 void init(const std::string&) {
121 static std::string suffix() { return "_sync"; }
125 void init(const std::string&) {
133 static std::string suffix() { return "_async"; }
137 ckmc_algo_type_e type;
141 std::unordered_map<size_t, std::vector<Alias>> g_symKeys;
142 std::unordered_map<size_t, std::vector<KeyAliasPair>> g_asymKeys;
146 PASSWORD_PROTECTED = 1,
151 RawBufferPtr PLAIN_DATA;
152 RawBufferPtr BIG_DATA;
153 ckmc_raw_buffer_s* DEFAULT_IV;
154 ckmc_raw_buffer_s* IV11;
155 ckmc_raw_buffer_s* IV12;
156 ckmc_raw_buffer_s* IV15;
157 ckmc_raw_buffer_s* IV17;
158 ckmc_raw_buffer_s* IV128;
159 ckmc_raw_buffer_s* AAD32;
160 ckmc_raw_buffer_s* AAD64;
162 void generateSymmetricKeys(ManagerShPtr& manager, PolicyBackend backend, size_t bitLen)
164 for (int i = 0; i < KEY_IDX_MAX; i++)
166 Policy p(Password(), false, backend);
167 if (i == PASSWORD_PROTECTED)
168 p.password.assign(PASSWORD);
170 std::string alias = std::string("skey_") + std::to_string(bitLen) + std::string("_") + std::to_string(i);
171 int ret = manager->createKeyAES(bitLen, alias, p);
172 if (ret != CKM_API_SUCCESS)
173 RUNNER_ERROR_MSG("AES key creation failed");
175 g_symKeys[bitLen].push_back(alias);
179 void generateRsaKeys(ManagerShPtr& manager, PolicyBackend backend, size_t bitLen)
181 for (int i = 0; i < KEY_IDX_MAX; i++)
183 Policy prvPolicy(Password(), false, backend);
184 Policy pubPolicy(Password(), true, backend);
185 if (i == PASSWORD_PROTECTED) {
186 prvPolicy.password.assign(PASSWORD);
187 pubPolicy.password.assign(PASSWORD);
191 alias.prv = std::string("akey_") + std::to_string(bitLen) + std::string("_") + std::to_string(i);
192 alias.pub = std::string("pub") + alias.prv;
193 int ret = manager->createKeyPairRSA(bitLen, alias.prv, alias.pub, prvPolicy, pubPolicy);
194 if (ret != CKM_API_SUCCESS)
195 RUNNER_ERROR_MSG("RSA key creation failed");
197 g_asymKeys[bitLen].push_back(alias);
201 KeyAliasPair getKey(const Algo& algo, KeyIdx idx)
203 if (algo.type == CKMC_ALGO_RSA_OAEP)
204 return g_asymKeys[algo.keyLen][idx];
207 pair.prv = g_symKeys[algo.keyLen][idx];
212 class EncGroupFixture: public DPL::Test::TestGroup
217 remove_user_data(UID);
218 int ret = ckmc_unlock_user_key(UID, "db-pass");
219 if (ret != CKMC_ERROR_NONE)
220 RUNNER_ERROR_MSG("DB unlock failed: " << CKMCErrorToString(ret));
222 // Policy backend to use in subsequent operations (global for each test case)
224 PolicyBackend backend = PolicyBackend::FORCE_HARDWARE;
226 PolicyBackend backend = PolicyBackend::FORCE_SOFTWARE;
230 auto manager = Manager::create();
231 generateSymmetricKeys(manager, 128);
232 generateSymmetricKeys(manager, 192);
233 generateSymmetricKeys(manager, 256);
234 generateRsaKeys(manager, 1024);
235 generateRsaKeys(manager, 2048);
236 generateRsaKeys(manager, 4096);
238 PLAIN_DATA = create_raw_buffer(createRandomBufferCAPI(BUF_LEN));
240 BIG_DATA = create_raw_buffer(createRandomBufferCAPI(100000));
242 BIG_DATA = create_raw_buffer(createRandomBufferCAPI(5000000));
244 DEFAULT_IV = createRandomBufferCAPI(DEFAULT_IV_LEN);
245 IV11 = createRandomBufferCAPI(11);
246 IV12 = createRandomBufferCAPI(12);
247 IV15 = createRandomBufferCAPI(15);
248 IV17 = createRandomBufferCAPI(17);
249 IV128 = createRandomBufferCAPI(128);
250 AAD32 = createRandomBufferCAPI(32);
251 AAD64 = createRandomBufferCAPI(64);
254 void Finish() override
258 ckmc_buffer_free(AAD64);
259 ckmc_buffer_free(AAD32);
260 ckmc_buffer_free(IV128);
261 ckmc_buffer_free(IV17);
262 ckmc_buffer_free(IV15);
263 ckmc_buffer_free(IV12);
264 ckmc_buffer_free(IV11);
265 ckmc_buffer_free(DEFAULT_IV);
267 int ret = ckmc_lock_user_key(UID);
268 if (ret != CKMC_ERROR_NONE)
269 RUNNER_ERROR_MSG("DB lock failed: " << CKMCErrorToString(ret));
270 remove_user_data(UID);
275 void setParam(ParamListPtr& params, ckmc_param_name_e name, ckmc_raw_buffer_s* buffer)
277 int ret = ckmc_param_list_set_buffer(params.get(), name, buffer);
278 RUNNER_ASSERT_MSG(ret == CKMC_ERROR_NONE,
279 "Failed to set param " << name << " error: " << CKMCErrorToString(ret));
282 void setParam(ParamListPtr& params, ckmc_param_name_e name, int integer)
284 int ret = ckmc_param_list_set_integer(params.get(), name, integer);
285 RUNNER_ASSERT_MSG(ret == CKMC_ERROR_NONE,
286 "Failed to set param " << name << " error: " << CKMCErrorToString(ret));
289 struct EncryptionResult
291 RawBufferPtr encrypted;
297 EncryptionResult encrypt(const Algo& algo,
298 const RawBufferPtr& plain,
299 const char* pass = nullptr)
301 EncryptionResult ret;
302 ckmc_raw_buffer_s* encrypted = nullptr;
303 KeyAliasPair aliases = getKey(algo, pass == nullptr ? PRIMARY : PASSWORD_PROTECTED);
305 ckmc_param_list_h handle = NULL;
306 assert_positive(ckmc_generate_new_params, algo.type, &handle);
307 ret.params = ParamListPtr(handle, ckmc_param_list_free);
308 setParam(ret.params, CKMC_PARAM_ED_IV, DEFAULT_IV);
310 assert_crypto_positive(apiEncrypt,
317 ret.encrypted = create_raw_buffer(encrypted);
318 ret.prvKey = aliases.prv;
319 ret.pubKey = aliases.pub;
323 void testAllAlgorithms(
324 const std::function<void(const Algo& algo)>& test)
326 test( { CKMC_ALGO_AES_CBC, 128 });
327 test( { CKMC_ALGO_AES_CBC, 192 });
328 test( { CKMC_ALGO_AES_CBC, 256 });
329 test( { CKMC_ALGO_AES_GCM, 128 });
330 test( { CKMC_ALGO_AES_GCM, 192 });
331 test( { CKMC_ALGO_AES_GCM, 256 });
332 test( { CKMC_ALGO_AES_CTR, 128 });
333 test( { CKMC_ALGO_AES_CTR, 192 });
334 test( { CKMC_ALGO_AES_CTR, 256 });
335 test( { CKMC_ALGO_AES_CFB, 128 });
336 test( { CKMC_ALGO_AES_CFB, 192 });
337 test( { CKMC_ALGO_AES_CFB, 256 });
338 test( { CKMC_ALGO_RSA_OAEP, 1024 });
339 test( { CKMC_ALGO_RSA_OAEP, 2048 });
340 test( { CKMC_ALGO_RSA_OAEP, 4096 });
343 void testNoIvEnc(const Algo& algo)
346 ckmc_raw_buffer_s* encrypted = nullptr;
349 KeyAliasPair aliases = getKey(algo, PRIMARY);
351 // param list with algo type only
352 ParamListPtr params = createParamListPtr();
353 setParam(params, CKMC_PARAM_ALGO_TYPE, algo.type);
354 assert_crypto_invalid_param(apiEncrypt,
362 void testNoIvDec(const Algo& algo)
365 ckmc_raw_buffer_s* decrypted = nullptr;
368 auto ret = encrypt(algo, PLAIN_DATA);
370 // param list with algo type only
371 ParamListPtr params = createParamListPtr();
372 setParam(params, CKMC_PARAM_ALGO_TYPE, algo.type);
373 assert_crypto_invalid_param(apiDecrypt,
377 *ret.encrypted.get(),
381 void testInvalidIvEnc(const Algo& algo)
384 ckmc_raw_buffer_s* encryptedTmp = nullptr;
387 KeyAliasPair aliases = getKey(algo, PRIMARY);
390 ckmc_param_list_h handle = NULL;
391 assert_positive(ckmc_generate_new_params, algo.type, &handle);
392 ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free);
394 // invalid encryption
396 assert_crypto_invalid_param(apiEncrypt,
402 ckmc_buffer_free(encryptedTmp);
403 encryptedTmp = nullptr;
406 setParam(params, CKMC_PARAM_ED_IV, IV15);
408 setParam(params, CKMC_PARAM_ED_IV, IV17);
412 void testInvalidIvDec(const Algo& algo)
415 ckmc_raw_buffer_s* decrypted = nullptr;
418 auto ret = encrypt(algo, PLAIN_DATA);
422 assert_crypto_invalid_param(apiDecrypt,
426 *ret.encrypted.get(),
428 ckmc_buffer_free(decrypted);
433 setParam(ret.params, CKMC_PARAM_ED_IV, IV15);
435 setParam(ret.params, CKMC_PARAM_ED_IV, IV17);
439 void encryptionWithCustomData(const Algo& algo, ckmc_param_name_e name)
442 ckmc_raw_buffer_s* encrypted = nullptr;
443 ckmc_raw_buffer_s* decrypted = nullptr;
446 KeyAliasPair aliases = getKey(algo, PRIMARY);
449 ckmc_param_list_h handle = NULL;
450 assert_positive(ckmc_generate_new_params, algo.type, &handle);
451 ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free);
453 setParam(params, CKMC_PARAM_ED_IV, DEFAULT_IV);
456 setParam(params, name, AAD64);
459 assert_crypto_positive(apiEncrypt,
465 RawBufferPtr tmpEnc = create_raw_buffer(encrypted);
468 assert_crypto_positive(apiDecrypt,
474 RawBufferPtr tmpDec = create_raw_buffer(decrypted);
477 assert_buffers_equal(*PLAIN_DATA.get(), *tmpDec.get());
482 setParam(params, name, AAD32);
485 assert_crypto_result(EncryptionError::INVALID_PARAM,
494 void testGcmIvSize(ckmc_raw_buffer_s* iv,
495 const KeyAliasPair& aliases,
496 EncryptionError error = EncryptionError::SUCCESS)
499 RawBufferPtr encrypted;
500 RawBufferPtr decrypted;
501 ckmc_raw_buffer_s* encryptedTmp = nullptr;
502 ckmc_raw_buffer_s* decryptedTmp = nullptr;
505 ckmc_param_list_h handle = NULL;
506 assert_positive(ckmc_generate_new_params, CKMC_ALGO_AES_GCM, &handle);
507 ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free);
508 setParam(params, CKMC_PARAM_ED_IV, DEFAULT_IV);
509 setParam(params, CKMC_PARAM_ED_IV, iv);
512 assert_crypto_result(error,
520 if(error != EncryptionError::SUCCESS)
522 encrypted = create_raw_buffer(encryptedTmp);
525 assert_crypto_positive(apiDecrypt,
531 decrypted = create_raw_buffer(decryptedTmp);
533 assert_buffers_equal(*PLAIN_DATA.get(), *decrypted.get());
536 void testIntegrity(const Algo& algo)
539 ckmc_raw_buffer_s* decrypted = nullptr;
542 auto ret = encrypt(algo, PLAIN_DATA);
544 // break the encrypted data
545 ret.encrypted->data[BUF_LEN/2]++;
547 // no data integrity check
548 assert_crypto_positive(apiDecrypt,
552 *ret.encrypted.get(),
555 RawBufferPtr tmp = create_raw_buffer(decrypted);
556 assert_buffers_equal(*PLAIN_DATA.get(), *decrypted, false);
559 void testCtrEncryptionInvalidLength(const Algo& algo)
562 ckmc_raw_buffer_s* encryptedTmp = nullptr;
565 KeyAliasPair aliases = getKey(algo, PRIMARY);
568 ckmc_param_list_h handle = NULL;
569 assert_positive(ckmc_generate_new_params, algo.type, &handle);
570 ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free);
571 setParam(params, CKMC_PARAM_ED_IV, DEFAULT_IV);
575 assert_crypto_invalid_param(apiEncrypt,
581 ckmc_buffer_free(encryptedTmp);
582 encryptedTmp = nullptr;
584 // invalid counter size
585 setParam(params, CKMC_PARAM_ED_CTR_LEN, -1);
587 setParam(params, CKMC_PARAM_ED_CTR_LEN, 0);
589 setParam(params, CKMC_PARAM_ED_CTR_LEN, CTR_DEFAULT_LEN+1);
593 void testCtrEncryptionValidLength(const Algo& algo)
596 ckmc_raw_buffer_s* encryptedTmp = nullptr;
599 KeyAliasPair aliases = getKey(algo, PRIMARY);
602 ckmc_param_list_h handle = NULL;
603 assert_positive(ckmc_generate_new_params, algo.type, &handle);
604 ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free);
605 setParam(params, CKMC_PARAM_ED_IV, DEFAULT_IV);
609 assert_crypto_positive(apiEncrypt,
615 ckmc_buffer_free(encryptedTmp);
616 encryptedTmp = nullptr;
618 // valid counter sizez
619 setParam(params, CKMC_PARAM_ED_CTR_LEN, 1);
621 setParam(params, CKMC_PARAM_ED_CTR_LEN, 4);
623 setParam(params, CKMC_PARAM_ED_CTR_LEN, CTR_DEFAULT_LEN-1);
625 setParam(params, CKMC_PARAM_ED_CTR_LEN, CTR_DEFAULT_LEN);
629 void testCtrDecryptionInvalidLength(const Algo& algo)
632 ckmc_raw_buffer_s* decrypted = nullptr;
634 // add AES CTR key & encrypt
635 auto ret = encrypt(algo, PLAIN_DATA);
639 assert_crypto_invalid_param(apiDecrypt,
643 *ret.encrypted.get(),
645 ckmc_buffer_free(decrypted);
648 // invalid counter size
649 setParam(ret.params, CKMC_PARAM_ED_CTR_LEN, -1);
651 setParam(ret.params, CKMC_PARAM_ED_CTR_LEN, 0);
653 setParam(ret.params, CKMC_PARAM_ED_CTR_LEN, CTR_DEFAULT_LEN+1);
657 void testCtrDecryptionValidLength(const Algo& algo)
660 ckmc_raw_buffer_s* decrypted = nullptr;
662 // add AES CTR key & encrypt
663 auto ret = encrypt(algo, PLAIN_DATA);
667 assert_crypto_positive(apiDecrypt,
671 *ret.encrypted.get(),
673 ckmc_buffer_free(decrypted);
674 RawBufferPtr tmp = create_raw_buffer(decrypted);
675 assert_buffers_equal(*PLAIN_DATA.get(), *decrypted);
677 // invalid counter size
678 setParam(ret.params, CKMC_PARAM_ED_CTR_LEN, 1);
680 setParam(ret.params, CKMC_PARAM_ED_CTR_LEN, 4);
682 setParam(ret.params, CKMC_PARAM_ED_CTR_LEN, CTR_DEFAULT_LEN-1);
684 setParam(ret.params, CKMC_PARAM_ED_CTR_LEN, CTR_DEFAULT_LEN);
688 void testGcmEncryptionTagLen(const Algo& algo)
691 ckmc_raw_buffer_s* encryptedTmp = nullptr;
694 KeyAliasPair aliases = getKey(algo, PRIMARY);
697 ckmc_param_list_h handle = NULL;
698 assert_positive(ckmc_generate_new_params, algo.type, &handle);
699 ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free);
700 setParam(params, CKMC_PARAM_ED_IV, DEFAULT_IV);
702 std::vector<TagTest> testData = {
703 // illegal tag lengths
704 { -1, EncryptionError::INVALID_PARAM },
705 { 0, EncryptionError::INVALID_PARAM },
706 { 16, EncryptionError::INVALID_PARAM },
707 { 48, EncryptionError::INVALID_PARAM },
708 { 72, EncryptionError::INVALID_PARAM },
709 { 100, EncryptionError::INVALID_PARAM },
710 { 108, EncryptionError::INVALID_PARAM },
711 { 116, EncryptionError::INVALID_PARAM },
712 { 124, EncryptionError::INVALID_PARAM },
713 { 256, EncryptionError::INVALID_PARAM },
715 { 32, EncryptionError::SUCCESS },
716 { 64, EncryptionError::SUCCESS },
717 { 96, EncryptionError::SUCCESS },
718 { 104, EncryptionError::SUCCESS },
719 { 112, EncryptionError::SUCCESS },
720 { 120, EncryptionError::SUCCESS },
721 { 128, EncryptionError::SUCCESS },
725 for(const auto& it : testData)
727 setParam(params, CKMC_PARAM_ED_TAG_LEN, it.tagLen);
728 assert_crypto_result(it.expected,
735 ckmc_buffer_free(encryptedTmp);
736 encryptedTmp = nullptr;
740 void testGcmDecryptionTagLen(const Algo& algo)
743 ckmc_raw_buffer_s* decrypted = nullptr;
745 // add AES GCM key & encrypt
746 auto ret = encrypt(algo, PLAIN_DATA);
748 std::vector<TagTest> testData = {
749 // illegal tag lengths
750 { -1, EncryptionError::INVALID_PARAM },
751 { 0, EncryptionError::INVALID_PARAM },
752 { 16, EncryptionError::INVALID_PARAM },
753 { 48, EncryptionError::INVALID_PARAM },
754 { 72, EncryptionError::INVALID_PARAM },
755 { 100, EncryptionError::INVALID_PARAM },
756 { 108, EncryptionError::INVALID_PARAM },
757 { 116, EncryptionError::INVALID_PARAM },
758 { 124, EncryptionError::INVALID_PARAM },
759 { 256, EncryptionError::INVALID_PARAM },
760 // legal tag lengths but different than the one used for encryption
761 { 32, EncryptionError::INVALID_PARAM },
762 { 64, EncryptionError::INVALID_PARAM },
763 { 96, EncryptionError::INVALID_PARAM },
764 { 104, EncryptionError::INVALID_PARAM },
765 { 112, EncryptionError::INVALID_PARAM },
766 { 120, EncryptionError::INVALID_PARAM },
767 // legal tag length that was actually used for encryption (default)
768 { 128, EncryptionError::SUCCESS },
772 for(const auto& it : testData)
774 setParam(ret.params, CKMC_PARAM_ED_TAG_LEN, it.tagLen);
775 assert_crypto_result(it.expected,
780 *ret.encrypted.get(),
782 ckmc_buffer_free(decrypted);
787 void testGcmWrongTag(const Algo& algo)
790 ckmc_raw_buffer_s* decrypted = nullptr;
792 // encrypt with AES GCM
793 auto ret = encrypt(algo, PLAIN_DATA);
795 // modify tag (last 16B of encrypted message)
796 ret.encrypted->data[ret.encrypted->size-1]++;
798 // EVP_CipherFinal fails because of an authentication error
799 assert_crypto_result(EncryptionError::INVALID_PARAM,
804 *ret.encrypted.get(),
808 void testGcmDifferentIvSizes(const Algo& algo)
811 KeyAliasPair aliases = getKey(algo, PRIMARY);
813 testGcmIvSize(IV11, aliases, EncryptionError::SERVER_ERROR); // 12B is the smallest
814 testGcmIvSize(IV12, aliases);
815 testGcmIvSize(IV17, aliases);
816 testGcmIvSize(IV128, aliases);
819 void testEncryptDecryptBigData(const Algo& algo)
822 ckmc_raw_buffer_s* decrypted = nullptr;
825 auto ret = encrypt(algo, BIG_DATA);
827 assert_positive(apiDecrypt,
831 *ret.encrypted.get(),
833 RawBufferPtr tmp = create_raw_buffer(decrypted);
835 assert_buffers_equal(*BIG_DATA.get(), *decrypted);
838 void testEncryptDecryptDifferentKeys(const Algo& algo, bool success)
841 ckmc_raw_buffer_s* decrypted = nullptr;
844 auto ret = encrypt(algo, PLAIN_DATA);
846 // get different keys
847 KeyAliasPair differentKeys = getKey(algo, PASSWORD_PROTECTED);
850 // some algorithms don't verify key validity
851 assert_crypto_positive(apiDecrypt,
853 differentKeys.prv.c_str(),
855 *ret.encrypted.get(),
857 RawBufferPtr tmp = create_raw_buffer(decrypted);
859 assert_buffers_equal(*PLAIN_DATA.get(), *decrypted, false);
861 assert_crypto_result(EncryptionError::INVALID_PARAM,
864 differentKeys.prv.c_str(),
866 *ret.encrypted.get(),
871 void testRsaLongestData(const Algo& algo, size_t dataSize)
874 RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(dataSize));
875 ckmc_raw_buffer_s* decrypted = nullptr;
878 auto ret = encrypt(algo, plain);
880 assert_crypto_positive(apiDecrypt,
884 *ret.encrypted.get(),
886 RawBufferPtr tmp = create_raw_buffer(decrypted);
888 assert_buffers_equal(*plain.get(), *decrypted);
891 void testRsaDataTooLong(const Algo& algo, size_t dataSize)
894 RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(dataSize));
897 EncryptionResult ret;
898 ckmc_raw_buffer_s* encrypted = nullptr;
899 KeyAliasPair aliases = getKey(algo, PRIMARY);
901 ckmc_param_list_h handle = NULL;
902 assert_positive(ckmc_generate_new_params, algo.type, &handle);
903 ret.params = ParamListPtr(handle, ckmc_param_list_free);
904 assert_crypto_result(EncryptionError::INVALID_PARAM,
913 } // namespace anonymous
915 RUNNER_TEST_GROUP_INIT_ENV(CKM_ENCRYPTION_DECRYPTION, EncGroupFixture);
917 /////////////////////////////////////////
918 // Generic encryption decryption tests
919 /////////////////////////////////////////
921 RUNNER_TEST_MULTIPLE(TED_0010_encrypt_invalid_param_list, SyncEnv, AsyncEnv)
923 testAllAlgorithms([](const Algo& algo){
925 ckmc_raw_buffer_s* encrypted = nullptr;
928 KeyAliasPair aliases = getKey(algo, PRIMARY);
931 assert_crypto_invalid_param(apiEncrypt,
939 ParamListPtr params = createParamListPtr();
940 assert_crypto_invalid_param(apiEncrypt,
949 RUNNER_TEST_MULTIPLE(TED_0020_encrypt_missing_key, SyncEnv, AsyncEnv)
951 testAllAlgorithms([](const Algo& algo){
953 ckmc_raw_buffer_s* encrypted = nullptr;
956 ckmc_param_list_h handle = NULL;
957 assert_positive(ckmc_generate_new_params, algo.type, &handle);
958 ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free);
959 setParam(params, CKMC_PARAM_ED_IV, DEFAULT_IV);
961 assert_crypto_result(EncryptionError::ALIAS_UNKNOWN,
964 "non-existing-key-alias",
971 RUNNER_TEST_MULTIPLE(TED_0030_encrypt_no_plain_text, SyncEnv, AsyncEnv)
973 testAllAlgorithms([](const Algo& algo){
975 ckmc_raw_buffer_s plain = { nullptr, 0 };
976 ckmc_raw_buffer_s* encrypted = nullptr;
979 KeyAliasPair aliases = getKey(algo, PRIMARY);
982 ckmc_param_list_h handle = NULL;
983 assert_positive(ckmc_generate_new_params, algo.type, &handle);
984 ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free);
985 setParam(params, CKMC_PARAM_ED_IV, DEFAULT_IV);
987 assert_crypto_invalid_param(apiEncrypt,
996 RUNNER_TEST_MULTIPLE(TED_0040_encrypt_no_output_buffer, SyncEnv, AsyncEnv)
998 testAllAlgorithms([](const Algo& algo){
1000 ckmc_raw_buffer_s** encrypted = nullptr;
1003 KeyAliasPair aliases = getKey(algo, PRIMARY);
1006 ckmc_param_list_h handle = NULL;
1007 assert_positive(ckmc_generate_new_params, algo.type, &handle);
1008 ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free);
1009 setParam(params, CKMC_PARAM_ED_IV, DEFAULT_IV);
1011 assert_crypto_invalid_param(apiEncrypt,
1013 aliases.pub.c_str(),
1020 RUNNER_TEST_MULTIPLE(TED_0110_decrypt_invalid_param_list, SyncEnv, AsyncEnv)
1022 testAllAlgorithms([](const Algo& algo){
1024 ckmc_raw_buffer_s* decrypted = nullptr;
1027 auto ret = encrypt(algo, PLAIN_DATA);
1030 assert_crypto_invalid_param(apiDecrypt,
1034 *ret.encrypted.get(),
1038 ParamListPtr params = createParamListPtr();
1039 assert_crypto_invalid_param(apiDecrypt,
1043 *ret.encrypted.get(),
1048 RUNNER_TEST_MULTIPLE(TED_0120_decrypt_missing_key, SyncEnv, AsyncEnv)
1050 testAllAlgorithms([](const Algo& algo){
1052 ckmc_raw_buffer_s* decrypted = nullptr;
1055 auto ret = encrypt(algo, PLAIN_DATA);
1058 assert_crypto_result(EncryptionError::ALIAS_UNKNOWN,
1063 *ret.encrypted.get(),
1068 RUNNER_TEST_MULTIPLE(TED_0130_decrypt_no_encrypted_text, SyncEnv, AsyncEnv)
1070 testAllAlgorithms([](const Algo& algo){
1072 ckmc_raw_buffer_s encrypted = { nullptr, 0 };
1073 ckmc_raw_buffer_s* decrypted = nullptr;
1076 KeyAliasPair aliases = getKey(algo, PRIMARY);
1079 ckmc_param_list_h handle = NULL;
1080 assert_positive(ckmc_generate_new_params, algo.type, &handle);
1081 ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free);
1082 setParam(params, CKMC_PARAM_ED_IV, DEFAULT_IV);
1084 assert_crypto_invalid_param(apiDecrypt,
1086 aliases.prv.c_str(),
1093 RUNNER_TEST_MULTIPLE(TED_0140_decrypt_no_output_buffer, SyncEnv, AsyncEnv)
1095 testAllAlgorithms([](const Algo& algo){
1097 ckmc_raw_buffer_s** decrypted = nullptr;
1100 auto ret = encrypt(algo, PLAIN_DATA);
1102 assert_crypto_invalid_param(apiDecrypt,
1106 *ret.encrypted.get(),
1111 RUNNER_TEST_MULTIPLE(TED_0200_encrypt_decrypt_different_keys, SyncEnv, AsyncEnv)
1113 testEncryptDecryptDifferentKeys({CKMC_ALGO_AES_GCM, 128}, false);
1114 testEncryptDecryptDifferentKeys({CKMC_ALGO_AES_GCM, 192}, false);
1115 testEncryptDecryptDifferentKeys({CKMC_ALGO_AES_GCM, 256}, false);
1116 testEncryptDecryptDifferentKeys({CKMC_ALGO_AES_CTR, 128}, true);
1117 testEncryptDecryptDifferentKeys({CKMC_ALGO_AES_CTR, 192}, true);
1118 testEncryptDecryptDifferentKeys({CKMC_ALGO_AES_CTR, 256}, true);
1119 testEncryptDecryptDifferentKeys({CKMC_ALGO_AES_CFB, 128}, true);
1120 testEncryptDecryptDifferentKeys({CKMC_ALGO_AES_CFB, 192}, true);
1121 testEncryptDecryptDifferentKeys({CKMC_ALGO_AES_CFB, 256}, true);
1122 testEncryptDecryptDifferentKeys({CKMC_ALGO_RSA_OAEP, 1024}, false);
1123 testEncryptDecryptDifferentKeys({CKMC_ALGO_RSA_OAEP, 2048}, false);
1124 testEncryptDecryptDifferentKeys({CKMC_ALGO_RSA_OAEP, 4096}, false);
1127 RUNNER_TEST_MULTIPLE(TED_0300_encrypt_decrypt, SyncEnv, AsyncEnv)
1129 testAllAlgorithms([](const Algo& algo){
1131 ckmc_raw_buffer_s* decrypted = nullptr;
1134 auto ret = encrypt(algo, PLAIN_DATA);
1136 assert_crypto_positive(apiDecrypt,
1140 *ret.encrypted.get(),
1142 RawBufferPtr tmp = create_raw_buffer(decrypted);
1144 assert_buffers_equal(*PLAIN_DATA.get(), *decrypted);
1148 RUNNER_TEST_MULTIPLE(TED_0310_encrypt_decrypt_password, SyncEnv, AsyncEnv)
1150 testAllAlgorithms([](const Algo& algo){
1152 ckmc_raw_buffer_s* decrypted = nullptr;
1155 auto ret = encrypt(algo, PLAIN_DATA, PASSWORD);
1158 assert_crypto_result(EncryptionError::AUTH_FAILED,
1163 *ret.encrypted.get(),
1167 assert_crypto_positive(apiDecrypt,
1171 *ret.encrypted.get(),
1173 RawBufferPtr tmp = create_raw_buffer(decrypted); // guarantees deletion
1175 assert_buffers_equal(*PLAIN_DATA.get(), *decrypted);
1179 // long test split into smaller ones
1180 RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CBC_128, SyncEnv, AsyncEnv)
1182 testEncryptDecryptBigData({CKMC_ALGO_AES_CBC, 128});
1185 RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CBC_192, SyncEnv, AsyncEnv)
1187 testEncryptDecryptBigData({CKMC_ALGO_AES_CBC, 192});
1190 RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CBC_256, SyncEnv, AsyncEnv)
1192 testEncryptDecryptBigData({CKMC_ALGO_AES_CBC, 256});
1195 RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_GCM_128, SyncEnv, AsyncEnv)
1197 testEncryptDecryptBigData({CKMC_ALGO_AES_GCM, 128});
1200 RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_GCM_192, SyncEnv, AsyncEnv)
1202 testEncryptDecryptBigData({CKMC_ALGO_AES_GCM, 192});
1205 RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_GCM_256, SyncEnv, AsyncEnv)
1207 testEncryptDecryptBigData({CKMC_ALGO_AES_GCM, 256});
1210 RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CTR_128, SyncEnv, AsyncEnv)
1212 testEncryptDecryptBigData({CKMC_ALGO_AES_CTR, 128});
1215 RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CTR_192, SyncEnv, AsyncEnv)
1217 testEncryptDecryptBigData({CKMC_ALGO_AES_CTR, 192});
1220 RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CTR_256, SyncEnv, AsyncEnv)
1222 testEncryptDecryptBigData({CKMC_ALGO_AES_CTR, 256});
1225 RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CFB_128, SyncEnv, AsyncEnv)
1227 testEncryptDecryptBigData({CKMC_ALGO_AES_CFB, 128});
1230 RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CFB_192, SyncEnv, AsyncEnv)
1232 testEncryptDecryptBigData({CKMC_ALGO_AES_CFB, 192});
1235 RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CFB_256, SyncEnv, AsyncEnv)
1237 testEncryptDecryptBigData({CKMC_ALGO_AES_CFB, 256});
1240 /////////////////////////////////////////
1241 // Algorithm specific tests
1242 /////////////////////////////////////////
1244 RUNNER_TEST_MULTIPLE(TED_1005_no_iv_enc, SyncEnv, AsyncEnv)
1246 testNoIvEnc({CKMC_ALGO_AES_CTR, 128});
1247 testNoIvEnc({CKMC_ALGO_AES_CTR, 192});
1248 testNoIvEnc({CKMC_ALGO_AES_CTR, 256});
1249 testNoIvEnc({CKMC_ALGO_AES_CBC, 128});
1250 testNoIvEnc({CKMC_ALGO_AES_CBC, 192});
1251 testNoIvEnc({CKMC_ALGO_AES_CBC, 256});
1252 testNoIvEnc({CKMC_ALGO_AES_CFB, 128});
1253 testNoIvEnc({CKMC_ALGO_AES_CFB, 192});
1254 testNoIvEnc({CKMC_ALGO_AES_CFB, 256});
1255 testNoIvEnc({CKMC_ALGO_AES_GCM, 128});
1256 testNoIvEnc({CKMC_ALGO_AES_GCM, 192});
1257 testNoIvEnc({CKMC_ALGO_AES_GCM, 256});
1260 RUNNER_TEST_MULTIPLE(TED_1010_invalid_iv_enc, SyncEnv, AsyncEnv)
1262 testInvalidIvEnc({CKMC_ALGO_AES_CTR, 128});
1263 testInvalidIvEnc({CKMC_ALGO_AES_CTR, 192});
1264 testInvalidIvEnc({CKMC_ALGO_AES_CTR, 256});
1265 testInvalidIvEnc({CKMC_ALGO_AES_CBC, 128});
1266 testInvalidIvEnc({CKMC_ALGO_AES_CBC, 192});
1267 testInvalidIvEnc({CKMC_ALGO_AES_CBC, 256});
1268 testInvalidIvEnc({CKMC_ALGO_AES_CFB, 128});
1269 testInvalidIvEnc({CKMC_ALGO_AES_CFB, 192});
1270 testInvalidIvEnc({CKMC_ALGO_AES_CFB, 256});
1273 RUNNER_TEST_MULTIPLE(TED_1015_no_iv_dec, SyncEnv, AsyncEnv)
1275 testNoIvDec({CKMC_ALGO_AES_CTR, 128});
1276 testNoIvDec({CKMC_ALGO_AES_CTR, 192});
1277 testNoIvDec({CKMC_ALGO_AES_CTR, 256});
1278 testNoIvDec({CKMC_ALGO_AES_CBC, 128});
1279 testNoIvDec({CKMC_ALGO_AES_CBC, 192});
1280 testNoIvDec({CKMC_ALGO_AES_CBC, 256});
1281 testNoIvDec({CKMC_ALGO_AES_CFB, 128});
1282 testNoIvDec({CKMC_ALGO_AES_CFB, 192});
1283 testNoIvDec({CKMC_ALGO_AES_CFB, 256});
1284 testNoIvDec({CKMC_ALGO_AES_GCM, 128});
1285 testNoIvDec({CKMC_ALGO_AES_GCM, 192});
1286 testNoIvDec({CKMC_ALGO_AES_GCM, 256});
1289 RUNNER_TEST_MULTIPLE(TED_1020_invalid_iv_dec, SyncEnv, AsyncEnv)
1291 testInvalidIvDec({CKMC_ALGO_AES_CTR, 128});
1292 testInvalidIvDec({CKMC_ALGO_AES_CTR, 192});
1293 testInvalidIvDec({CKMC_ALGO_AES_CTR, 256});
1294 testInvalidIvDec({CKMC_ALGO_AES_CBC, 128});
1295 testInvalidIvDec({CKMC_ALGO_AES_CBC, 192});
1296 testInvalidIvDec({CKMC_ALGO_AES_CBC, 256});
1297 testInvalidIvDec({CKMC_ALGO_AES_CFB, 128});
1298 testInvalidIvDec({CKMC_ALGO_AES_CFB, 192});
1299 testInvalidIvDec({CKMC_ALGO_AES_CFB, 256});
1302 RUNNER_TEST_MULTIPLE(TED_1050_data_integrity, SyncEnv, AsyncEnv)
1304 testIntegrity({CKMC_ALGO_AES_CTR, 128});
1305 testIntegrity({CKMC_ALGO_AES_CTR, 192});
1306 testIntegrity({CKMC_ALGO_AES_CTR, 256});
1307 testIntegrity({CKMC_ALGO_AES_CBC, 128});
1308 testIntegrity({CKMC_ALGO_AES_CBC, 192});
1309 testIntegrity({CKMC_ALGO_AES_CBC, 256});
1310 testIntegrity({CKMC_ALGO_AES_CFB, 128});
1311 testIntegrity({CKMC_ALGO_AES_CFB, 192});
1312 testIntegrity({CKMC_ALGO_AES_CFB, 256});
1315 RUNNER_TEST_MULTIPLE(TED_1100_ctr_encryption_invalid_length, SyncEnv, AsyncEnv)
1317 testCtrEncryptionInvalidLength({CKMC_ALGO_AES_CTR, 128});
1318 testCtrEncryptionInvalidLength({CKMC_ALGO_AES_CTR, 192});
1319 testCtrEncryptionInvalidLength({CKMC_ALGO_AES_CTR, 256});
1322 RUNNER_TEST_MULTIPLE(TED_1105_ctr_encryption_valid_length, SyncEnv, AsyncEnv)
1324 RUNNER_IGNORED_MSG("Openssl supports only 128-bit AES CTR length");
1325 testCtrEncryptionValidLength({CKMC_ALGO_AES_CTR, 128});
1326 testCtrEncryptionValidLength({CKMC_ALGO_AES_CTR, 192});
1327 testCtrEncryptionValidLength({CKMC_ALGO_AES_CTR, 256});
1330 RUNNER_TEST_MULTIPLE(TED_1110_ctr_decryption_invalid_length, SyncEnv, AsyncEnv)
1332 testCtrDecryptionInvalidLength({CKMC_ALGO_AES_CTR, 128});
1333 testCtrDecryptionInvalidLength({CKMC_ALGO_AES_CTR, 192});
1334 testCtrDecryptionInvalidLength({CKMC_ALGO_AES_CTR, 256});
1337 RUNNER_TEST_MULTIPLE(TED_1115_ctr_decryption_valid_length, SyncEnv, AsyncEnv)
1339 RUNNER_IGNORED_MSG("Openssl supports only 128-bit AES CTR length");
1340 testCtrDecryptionValidLength({CKMC_ALGO_AES_CTR, 128});
1341 testCtrDecryptionValidLength({CKMC_ALGO_AES_CTR, 192});
1342 testCtrDecryptionValidLength({CKMC_ALGO_AES_CTR, 256});
1345 RUNNER_TEST_MULTIPLE(TED_1200_gcm_encryption_tag_len, SyncEnv, AsyncEnv)
1347 testGcmEncryptionTagLen({CKMC_ALGO_AES_GCM, 128});
1348 testGcmEncryptionTagLen({CKMC_ALGO_AES_GCM, 192});
1349 testGcmEncryptionTagLen({CKMC_ALGO_AES_GCM, 256});
1352 RUNNER_TEST_MULTIPLE(TED_1210_gcm_decryption_tag_len, SyncEnv, AsyncEnv)
1354 testGcmDecryptionTagLen({CKMC_ALGO_AES_GCM, 128});
1355 testGcmDecryptionTagLen({CKMC_ALGO_AES_GCM, 192});
1356 testGcmDecryptionTagLen({CKMC_ALGO_AES_GCM, 256});
1359 RUNNER_TEST_MULTIPLE(TED_1230_gcm_wrong_tag, SyncEnv, AsyncEnv)
1361 testGcmWrongTag({CKMC_ALGO_AES_GCM, 128});
1362 testGcmWrongTag({CKMC_ALGO_AES_GCM, 192});
1363 testGcmWrongTag({CKMC_ALGO_AES_GCM, 256});
1366 RUNNER_TEST_MULTIPLE(TED_1240_gcm_different_iv_sizes, SyncEnv, AsyncEnv)
1368 testGcmDifferentIvSizes({CKMC_ALGO_AES_GCM, 128});
1369 testGcmDifferentIvSizes({CKMC_ALGO_AES_GCM, 192});
1370 testGcmDifferentIvSizes({CKMC_ALGO_AES_GCM, 256});
1373 RUNNER_TEST_MULTIPLE(TED_1250_gcm_aad, SyncEnv, AsyncEnv)
1375 encryptionWithCustomData({CKMC_ALGO_AES_GCM, 128}, CKMC_PARAM_ED_AAD);
1376 encryptionWithCustomData({CKMC_ALGO_AES_GCM, 192}, CKMC_PARAM_ED_AAD);
1377 encryptionWithCustomData({CKMC_ALGO_AES_GCM, 256}, CKMC_PARAM_ED_AAD);
1380 RUNNER_TEST_MULTIPLE(TED_1300_rsa_label, SyncEnv, AsyncEnv)
1382 RUNNER_IGNORED_MSG("RSA-OAEP labels are not supported in openssl");
1383 encryptionWithCustomData({CKMC_ALGO_RSA_OAEP, 1024}, CKMC_PARAM_ED_LABEL);
1384 encryptionWithCustomData({CKMC_ALGO_RSA_OAEP, 2048}, CKMC_PARAM_ED_LABEL);
1385 encryptionWithCustomData({CKMC_ALGO_RSA_OAEP, 4096}, CKMC_PARAM_ED_LABEL);
1388 RUNNER_TEST_MULTIPLE(TED_1330_rsa_longest_data, SyncEnv, AsyncEnv)
1390 testRsaLongestData({CKMC_ALGO_RSA_OAEP, 1024}, 86);
1391 testRsaLongestData({CKMC_ALGO_RSA_OAEP, 2048}, 214);
1392 testRsaLongestData({CKMC_ALGO_RSA_OAEP, 4096}, 470);
1395 RUNNER_TEST_MULTIPLE(TED_1350_rsa_data_too_long, SyncEnv, AsyncEnv)
1397 testRsaDataTooLong({CKMC_ALGO_RSA_OAEP, 1024}, 87);
1398 testRsaDataTooLong({CKMC_ALGO_RSA_OAEP, 2048}, 215);
1399 testRsaDataTooLong({CKMC_ALGO_RSA_OAEP, 4096}, 471);
1402 /////////////////////////////////////////
1403 // Asynchronous only tests
1404 /////////////////////////////////////////
1405 RUNNER_TEST(TED_2000_enc_no_observer_async, AsyncEnv)
1407 testAllAlgorithms([](const Algo& algo){
1409 RawBuffer plain = createRandomBuffer(BUF_LEN);
1412 KeyAliasPair aliases = getKey(algo, PRIMARY);
1415 ckmc_param_list_h handle = NULL;
1416 assert_positive(ckmc_generate_new_params, algo.type, &handle);
1417 ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free);
1418 setParam(params, CKMC_PARAM_ED_IV, DEFAULT_IV);
1421 test_no_observer(&ManagerAsync::encrypt,
1422 *reinterpret_cast<CryptoAlgorithm*>(params.get()),
1429 RUNNER_TEST(TED_2010_dec_no_observer_async, AsyncEnv)
1431 testAllAlgorithms([](const Algo& algo){
1433 auto ret = encrypt(algo, PLAIN_DATA);
1434 RawBuffer encrypted(ret.encrypted->data, ret.encrypted->data + ret.encrypted->size);
1437 test_no_observer(&ManagerAsync::decrypt,
1438 *reinterpret_cast<CryptoAlgorithm*>(ret.params.get()),