KeyShPtr key;
if (dataType.isSymmetricKey())
key = CKM::Key::createAES(data);
+ else if (dataType.isKemPrivateKey())
+ key = CKM::Key::createKEM(KeyType::KEY_KEM_PRIVATE, data);
+ else if (dataType.isKemPublicKey())
+ key = CKM::Key::createKEM(KeyType::KEY_KEM_PUBLIC, data);
else
key = CKM::Key::create(data);
gen.setParam(ParamName::ALGO_TYPE, algo);
if (algo == AlgoType::ECDSA_GEN)
gen.setParam(ParamName::GEN_EC, param);
+ else if (algo == AlgoType::KEM_GEN)
+ gen.setParam(ParamName::GEN_KEM_TYPE, param);
else
gen.setParam(ParamName::GEN_KEY_LEN, param);
return AKeyHelper::getEvps(objs, DataType::KEY_DSA_PRIVATE, DataType::KEY_DSA_PUBLIC);
case AlgoType::ECDSA_GEN:
return AKeyHelper::getEvps(objs, DataType::KEY_ECDSA_PRIVATE, DataType::KEY_ECDSA_PUBLIC);
+ case AlgoType::KEM_GEN:
+ return AKeyHelper::getEvps(objs, DataType::KEY_KEM_PRIVATE, DataType::KEY_KEM_PUBLIC);
}
}
static const std::unordered_map<AlgoType, std::pair<KeyType, KeyType>> algo2types = {
{ AlgoType::RSA_GEN, { KeyType::KEY_RSA_PRIVATE, KeyType::KEY_RSA_PUBLIC } },
{ AlgoType::DSA_GEN, { KeyType::KEY_DSA_PRIVATE, KeyType::KEY_DSA_PUBLIC } },
- { AlgoType::ECDSA_GEN, { KeyType::KEY_ECDSA_PRIVATE, KeyType::KEY_ECDSA_PUBLIC } }
+ { AlgoType::ECDSA_GEN, { KeyType::KEY_ECDSA_PRIVATE, KeyType::KEY_ECDSA_PUBLIC } },
+ { AlgoType::KEM_GEN, { KeyType::KEY_KEM_PRIVATE, KeyType::KEY_KEM_PUBLIC } }
};
CryptoAlgorithm ca;
testAKey();
ca.setParam(ParamName::GEN_EC, ElipticCurve::secp384r1);
testAKey();
+
+ ca.setParam(ParamName::ALGO_TYPE, AlgoType::KEM_GEN);
+ ca.setParam(ParamName::GEN_KEM_TYPE, KemType::ML_KEM_768);
+ testAKey();
+ ca.setParam(ParamName::GEN_KEM_TYPE, KemType::ML_KEM_1024);
+ testAKey();
}
-NEGATIVE_TEST_CASE(generateAKey)
+NEGATIVE_TEST_CASE(generateAKeyRsa)
{
auto invalidGenParams = [&] (CryptoAlgorithm ca)
{
};
CryptoAlgorithm ca;
-
invalidGenParams(ca);
-
ca.setParam(ParamName::ALGO_TYPE, AlgoType::RSA_GEN);
invalidGenParams(ca);
ca.setParam(ParamName::GEN_KEY_LEN, keyLen);
invalidGenParams(ca);
}
+}
- ca.setParam(ParamName::ALGO_TYPE, AlgoType::DSA_GEN);
+NEGATIVE_TEST_CASE(generateAKeyDsa)
+{
+ auto invalidGenParams = [&] (CryptoAlgorithm ca)
+ {
+ BOOST_REQUIRE_THROW(validateParams<IsAsymGeneration>(ca, g_validators), Exc::Crypto::InputParam);
+ };
+ CryptoAlgorithm ca;
+ invalidGenParams(ca);
+ ca.setParam(ParamName::ALGO_TYPE, AlgoType::DSA_GEN);
for (int keyLen : { 0, 512, 1023, 1025, 4097, 8192 }) {
ca.setParam(ParamName::GEN_KEY_LEN, keyLen);
invalidGenParams(ca);
}
+}
+
+NEGATIVE_TEST_CASE(generateAKeyEcdsa)
+{
+ auto invalidGenParams = [&] (CryptoAlgorithm ca)
+ {
+ BOOST_REQUIRE_THROW(validateParams<IsAsymGeneration>(ca, g_validators), Exc::Crypto::InputParam);
+ };
+ CryptoAlgorithm ca;
+ invalidGenParams(ca);
ca.setParam(ParamName::ALGO_TYPE, AlgoType::ECDSA_GEN);
invalidGenParams(ca);
ca.setParam(ParamName::GEN_EC, static_cast<ElipticCurve>(-1));
invalidGenParams(ca);
CryptoAlgorithm ca2;
-
ca2.setParam(ParamName::GEN_KEY_LEN, 1024);
ca2.setParam(ParamName::GEN_EC, ElipticCurve::prime192v1);
invalidGenParams(ca2);
invalidGenParams(ca2);
}
+NEGATIVE_TEST_CASE(generateAKeyKem)
+{
+ auto invalidGenParams = [&] (CryptoAlgorithm ca)
+ {
+ BOOST_REQUIRE_THROW(validateParams<IsAsymGeneration>(ca, g_validators), Exc::Crypto::InputParam);
+ };
+
+ CryptoAlgorithm ca;
+ invalidGenParams(ca);
+ ca.setParam(ParamName::GEN_KEM_TYPE, static_cast<KemType>(2));
+ invalidGenParams(ca);
+ CryptoAlgorithm ca2;
+ ca2.setParam(ParamName::ALGO_TYPE, AlgoType::KEM_GEN);
+ invalidGenParams(ca2);
+}
+
POSITIVE_TEST_CASE(generateSKey)
{
CryptoAlgorithm ca;
BOOST_REQUIRE(oursDerivedObj->getBinary() == peersDerivedObj->getBinary());
}
-NEGATIVE_TEST_CASE(deriveECDH)
+NEGATIVE_TEST_CASE(deriveECDHincorrectAlgorithm)
+{
+ auto invalidEcdhParams = [&] (CryptoAlgorithm ca)
+ {
+ BOOST_REQUIRE_THROW(validateParams<IsEcdh>(ca, g_validators), Exc::Crypto::InputParam);
+ };
+
+ CryptoAlgorithm ca;
+
+ // no algorithm
+ invalidEcdhParams(ca);
+
+ // wrong algorithm
+ ca.setParam(ParamName::ALGO_TYPE, AlgoType::ECDSA_GEN);
+ invalidEcdhParams(ca);
+}
+
+NEGATIVE_TEST_CASE(deriveECDHincorrectKey)
{
CryptoAlgorithm gen;
gen.setParam(ParamName::ALGO_TYPE, AlgoType::ECDSA_GEN);
CryptoAlgorithm ca;
- // no algorithm
- invalidEcdhParams(ca);
-
- // wrong algorithm
- ca.setParam(ParamName::ALGO_TYPE, AlgoType::ECDSA_GEN);
- invalidEcdhParams(ca);
-
// no pubkey
ca.setParam(ParamName::ALGO_TYPE, AlgoType::ECDH);
invalidEcdhParams(ca);
BOOST_REQUIRE_THROW(secret->derive(derive, "", RawBuffer()), Exc::Crypto::InputParam);
}
-NEGATIVE_TEST_CASE(deriveKBKDFHMACwrongParams)
+NEGATIVE_TEST_CASE(deriveKBKDFHMACmissingParams)
{
KbkdfParamTester test;
- // missing parameters
test.Fail(NO_SIZE, HMAC256, COUNTER, BEFORE, CTX, LAB, NO_BUF, NO_SIZE, NO_SIZE, true);
test.Fail(32, NO_PRF, COUNTER, BEFORE, CTX, LAB, NO_BUF, NO_SIZE, NO_SIZE, true);
test.Fail(32, HMAC256, NO_MODE, BEFORE, CTX, LAB, NO_BUF, NO_SIZE, NO_SIZE, true);
test.Fail(32, HMAC256, COUNTER, NO_LOC, CTX, LAB, NO_BUF, NO_SIZE, NO_SIZE, true);
test.Fail(32, HMAC256, COUNTER, BEFORE, NO_BUF, LAB, NO_BUF, NO_SIZE, NO_SIZE);
test.Fail(32, HMAC256, COUNTER, BEFORE, CTX, NO_BUF, NO_BUF, NO_SIZE, NO_SIZE);
+}
- // conflicting parameters
+NEGATIVE_TEST_CASE(deriveKBKDFHMACconflictingParams)
+{
+ KbkdfParamTester test;
test.Fail(32, HMAC256, COUNTER, BEFORE, CTX, LAB, FIX, NO_SIZE, NO_SIZE);
test.Fail(32, HMAC256, COUNTER, BEFORE, NO_BUF, LAB, FIX, NO_SIZE, NO_SIZE);
test.Fail(32, HMAC256, COUNTER, BEFORE, CTX, NO_BUF, FIX, NO_SIZE, NO_SIZE);
test.Fail(32, HMAC256, COUNTER, MIDDLE, NO_BUF, NO_BUF, FIX, NO_SIZE, 32);
test.Fail(32, HMAC256, COUNTER, MIDDLE, NO_BUF, NO_BUF, FIX, NO_SIZE, 0);
test.Fail(32, HMAC256, COUNTER, MIDDLE, NO_BUF, NO_BUF, FIX, NO_SIZE, NO_SIZE, false, true);
+}
- // invalid values
+NEGATIVE_TEST_CASE(deriveKBKDFHMACinvalidValues)
+{
+ KbkdfParamTester test;
test.Fail(0, HMAC256, COUNTER, BEFORE, CTX, LAB, NO_BUF, NO_SIZE, NO_SIZE, true);
test.Fail(1, HMAC256, COUNTER, BEFORE, CTX, LAB, NO_BUF, NO_SIZE, NO_SIZE, true);
test.Fail(8, HMAC256, COUNTER, BEFORE, CTX, LAB, NO_BUF, NO_SIZE, NO_SIZE, true);
BOOST_REQUIRE_NO_THROW(errorDump());
}
+POSITIVE_TEST_CASE(wrapUnwrap)
+{
+ const auto key = generateAes(128);
+
+ CryptoAlgorithm ca;
+ ca.setParam(ParamName::ALGO_TYPE, AlgoType::AES_GCM);
+ ca.setParam(ParamName::ED_IV, createRandom(11));
+
+ RawBuffer encrypted;
+ BOOST_REQUIRE_NO_THROW(encrypted = key->encrypt(ca, createRandom(32)));
+
+ Token unwrappedKey;
+ BOOST_REQUIRE_NO_THROW(unwrappedKey =
+ key->unwrap(ca, Data(DataType::KEY_AES, encrypted), "", RawBuffer()));
+
+ RawBuffer wrappedKey;
+ BOOST_REQUIRE_NO_THROW(wrappedKey = key->wrap(ca, unwrappedKey, ""));
+}
+
+NEGATIVE_TEST_CASE(wrapUnwrap)
+{
+ const auto key = generateAes(128);
+
+ CryptoAlgorithm ca;
+ ca.setParam(ParamName::ALGO_TYPE, AlgoType::AES_GCM);
+ ca.setParam(ParamName::ED_IV, createRandom(11));
+
+ RawBuffer encrypted;
+ BOOST_REQUIRE_NO_THROW(encrypted = key->encrypt(ca, createRandom(32)));
+
+ Token unwrappedKey;
+ BOOST_REQUIRE_THROW(unwrappedKey =
+ key->unwrap(ca, Data(DataType::BINARY_DATA, encrypted), "", RawBuffer()), Exc::Crypto::InputParam);
+}
+
+POSITIVE_TEST_CASE(wrapUnwrapConcatenated)
+{
+ auto& rsaKeys = generateObjUPtrPair(AlgoType::RSA_GEN, 2048);
+
+ CryptoAlgorithm ca;
+ ca.setParam(ParamName::ALGO_TYPE, AlgoType::AES_GEN);
+ ca.setParam(ParamName::GEN_KEY_LEN, 128);
+
+ Token keyToWrap;
+ const auto digest = makeTestDigest();
+
+ BOOST_REQUIRE_NO_THROW(keyToWrap = STORE.generateSKey(ca, "", digest));
+
+ CryptoAlgorithm ca2;
+ ca2.setParam(ParamName::ALGO_TYPE, AlgoType::RSA_OAEP);
+ ca2.setParam(ParamName::ED_OAEP_HASH, HashAlgorithm::SHA1);
+
+ RawBuffer wrappedKey;
+ BOOST_REQUIRE_NO_THROW(wrappedKey =
+ rsaKeys.pub->wrapConcatenated(ca2, keyToWrap, "", createRandom(16)));
+
+ std::tuple<Token, RawBuffer> unwrappedKey;
+ BOOST_REQUIRE_NO_THROW(unwrappedKey =
+ rsaKeys.prv->unwrapConcatenated(ca2, Data(DataType::KEY_AES, wrappedKey), "", 128, RawBuffer()));
+}
+
+NEGATIVE_TEST_CASE(wrapUnwrapConcatenated)
+{
+ auto& rsaKeys = generateObjUPtrPair(AlgoType::RSA_GEN, 2048);
+
+ CryptoAlgorithm ca;
+ ca.setParam(ParamName::ALGO_TYPE, AlgoType::AES_GEN);
+ ca.setParam(ParamName::GEN_KEY_LEN, 128);
+
+ Token keyToWrap;
+ const auto digest = makeTestDigest();
+
+ BOOST_REQUIRE_NO_THROW(keyToWrap = STORE.generateSKey(ca, "", digest));
+
+ CryptoAlgorithm ca2;
+ ca2.setParam(ParamName::ALGO_TYPE, AlgoType::RSA_OAEP);
+ ca2.setParam(ParamName::ED_OAEP_HASH, HashAlgorithm::SHA1);
+
+ RawBuffer wrappedKey;
+ BOOST_REQUIRE_NO_THROW(wrappedKey =
+ rsaKeys.pub->wrapConcatenated(ca2, keyToWrap, "", createRandom(16)));
+
+ std::tuple<Token, RawBuffer> unwrappedKey;
+ BOOST_REQUIRE_THROW(unwrappedKey =
+ rsaKeys.prv->unwrapConcatenated(ca2, Data(DataType::KEY_RSA_PUBLIC, wrappedKey), "", 128, RawBuffer()),
+ Exc::Crypto::InputParam);
+}
+
+POSITIVE_TEST_CASE(encapsulateDecapsulate)
+{
+ auto& rsaKeys = generateObjUPtrPair(AlgoType::RSA_GEN, 2048);
+
+ CryptoAlgorithm ca;
+ ca.setParam(ParamName::ALGO_TYPE, AlgoType::KEM_GEN);
+ ca.setParam(ParamName::GEN_KEM_TYPE, KemType::ML_KEM_768);
+
+ TokenPair tokenPair;
+ const auto [digestPub, digestPriv] = makePubPrivTestDigest();
+
+ BOOST_REQUIRE_NO_THROW(tokenPair = STORE.generateAKey(ca, "", "", digestPriv, digestPub));
+
+ std::tuple<Token, RawBuffer> encapsulatedKey;
+ Token decapsulatedKey;
+ BOOST_REQUIRE_NO_THROW(encapsulatedKey =
+ rsaKeys.pub->encapsulateKey(ca, tokenPair.second, "", "", RawBuffer()));
+
+ BOOST_REQUIRE_NO_THROW(decapsulatedKey =
+ rsaKeys.prv->decapsulateKey(ca, tokenPair.first, "", "", std::get<1>(encapsulatedKey), RawBuffer()));
+}
+
+NEGATIVE_TEST_CASE(encapsulateDecapsulate)
+{
+ auto& rsaKeys = generateObjUPtrPair(AlgoType::RSA_GEN, 2048);
+
+ CryptoAlgorithm ca;
+ ca.setParam(ParamName::ALGO_TYPE, AlgoType::KEM_GEN);
+ ca.setParam(ParamName::GEN_KEM_TYPE, KemType::ML_KEM_768);
+
+ TokenPair tokenPair;
+ const auto [digestPub, digestPriv] = makePubPrivTestDigest();
+
+ BOOST_REQUIRE_NO_THROW(tokenPair = STORE.generateAKey(ca, "", "", digestPriv, digestPub));
+
+ ca.setParam(ParamName::GEN_KEM_TYPE, KemType::ML_KEM_1024);
+ std::tuple<Token, RawBuffer> encapsulatedKey;
+ Token decapsulatedKey;
+ BOOST_REQUIRE_THROW(encapsulatedKey =
+ rsaKeys.pub->encapsulateKey(ca, tokenPair.second, "", "", RawBuffer()), Exc::Crypto::InputParam);
+
+ ca.setParam(ParamName::GEN_KEM_TYPE, KemType::ML_KEM_768);
+ BOOST_REQUIRE_NO_THROW(encapsulatedKey =
+ rsaKeys.pub->encapsulateKey(ca, tokenPair.second, "", "", RawBuffer()));
+ ca.setParam(ParamName::GEN_KEM_TYPE, KemType::ML_KEM_1024);
+ BOOST_REQUIRE_THROW(decapsulatedKey =
+ rsaKeys.prv->decapsulateKey(ca, tokenPair.first, "", "", std::get<1>(encapsulatedKey), RawBuffer()),
+ Exc::Crypto::InputParam);
+}
+
+POSITIVE_TEST_CASE(deriveHybrid)
+{
+ Token token;
+ BOOST_REQUIRE_NO_THROW(token = STORE.import(Data(DataType::BINARY_DATA, RawBuffer(16)),
+ "",
+ EncryptionParams(),
+ RawBuffer()));
+
+ GObjUPtr secret;
+ BOOST_REQUIRE_NO_THROW(secret = STORE.getObject(token, ""));
+
+ CryptoAlgorithm ca;
+ ca.setParam(ParamName::ALGO_TYPE, AlgoType::KEM_GEN);
+ ca.setParam(ParamName::GEN_KEM_TYPE, KemType::ML_KEM_768);
+
+ TokenPair tokenPair;
+ const auto [digestPub, digestPriv] = makePubPrivTestDigest();
+
+ BOOST_REQUIRE_NO_THROW(tokenPair = STORE.generateAKey(ca, "", "", digestPriv, digestPub));
+
+ Token derived;
+ CryptoAlgorithm deriveParams;
+ deriveParams.setParam(ParamName::ALGO_TYPE, AlgoType::KBKDF);
+ deriveParams.setParam(ParamName::KDF_LEN, 32);
+ deriveParams.setParam(ParamName::KDF_PRF, HMAC256);
+ deriveParams.setParam(ParamName::KBKDF_MODE, COUNTER);
+ deriveParams.setParam(ParamName::KBKDF_COUNTER_LOCATION, BEFORE);
+ deriveParams.setParam(ParamName::KBKDF_CONTEXT, CTX);
+ deriveParams.setParam(ParamName::KBKDF_LABEL, LAB);
+
+ BOOST_REQUIRE_NO_THROW(derived =
+ secret->deriveHybrid(deriveParams, tokenPair.first, "", tokenPair.second, "", "", RawBuffer()));
+}
+
+NEGATIVE_TEST_CASE(deriveHybrid)
+{
+ Token token;
+ BOOST_REQUIRE_NO_THROW(token = STORE.import(Data(DataType::BINARY_DATA, RawBuffer(16)),
+ "",
+ EncryptionParams(),
+ RawBuffer()));
+
+ GObjUPtr secret;
+ BOOST_REQUIRE_NO_THROW(secret = STORE.getObject(token, ""));
+
+ CryptoAlgorithm ca;
+ ca.setParam(ParamName::ALGO_TYPE, AlgoType::KEM_GEN);
+ ca.setParam(ParamName::GEN_KEM_TYPE, KemType::ML_KEM_768);
+
+ TokenPair tokenPair;
+ const auto [digestPub, digestPriv] = makePubPrivTestDigest();
+
+ BOOST_REQUIRE_NO_THROW(tokenPair = STORE.generateAKey(ca, "", "", digestPriv, digestPub));
+
+ Token derived;
+ CryptoAlgorithm deriveParams;
+
+ BOOST_REQUIRE_THROW(derived =
+ secret->deriveHybrid(deriveParams, tokenPair.first, "", tokenPair.second, "", "", RawBuffer()),
+ Exc::Crypto::InputParam);
+}
+
BOOST_AUTO_TEST_SUITE_END()
projects / platform / core / security / key-manager.git / commitdiff