2 * Copyright (c) 2000 - 2019 Samsung Electronics Co., Ltd All Rights Reserved
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License
17 * @file encryption-decryption.cpp
18 * @author Krzysztof Jackiewicz (k.jackiewicz@samsung.com)
25 #include <unordered_map>
28 #include <dpl/test/test_runner.h>
29 #include <ckm-common.h>
30 #include <ckmc/ckmc-manager.h>
31 #include <ckmc/ckmc-control.h>
32 #include <ckm/ckm-type.h>
33 #include <ckm/ckm-manager.h>
34 #include <encryption-decryption-env.h>
40 const char* PASSWORD = "test-password";
41 const uid_t UID = 5001;
42 const size_t CTR_DEFAULT_LEN = 16*8;
43 const size_t DEFAULT_IV_LEN = 16;
44 const size_t BUF_LEN = 86; // must be less than 1024/8-41 to support RSA OAEP 1024
50 EncryptionApi* g_api = &g_syncApi;
52 EncryptionError apiEncrypt(ckmc_param_list_h params,
53 const char *key_alias,
55 const ckmc_raw_buffer_s decrypted,
56 ckmc_raw_buffer_s **ppencrypted) {
57 RUNNER_ASSERT_MSG(g_api, "No encryption API is connected");
58 return g_api->encrypt(params, key_alias, password, decrypted, ppencrypted);
61 inline CKM::Password _tostring(const char *str)
63 return (str == nullptr) ? Password() : Password(str);
66 inline CKM::Policy _toCkmPolicy(const ckmc_policy_s &policy, PolicyBackend backend)
68 return CKM::Policy(_tostring(policy.password), policy.extractable, backend);
71 EncryptionError apiDecrypt(ckmc_param_list_h params,
72 const char *key_alias,
74 const ckmc_raw_buffer_s encrypted,
75 ckmc_raw_buffer_s **ppdecrypted) {
76 RUNNER_ASSERT_MSG(g_api, "No encryption API is connected");
77 return g_api->decrypt(params, key_alias, password, encrypted, ppdecrypted);
81 template <typename F, typename... Args>
82 void assert_crypto_result(EncryptionError expected, F&& func, Args... args)
84 EncryptionError ret = func(args...);
85 RUNNER_ASSERT_MSG(ret == expected,
86 "Expected: " << static_cast<int>(expected) <<
87 " got: " << static_cast<int>(ret));
90 template <typename F, typename... Args>
91 void assert_crypto_positive(F&& func, Args... args)
93 assert_crypto_result(EncryptionError::SUCCESS, std::move(func), args...);
96 template <typename F, typename... Args>
97 void assert_crypto_invalid_param(F&& func, Args... args)
99 assert_crypto_result(EncryptionError::INVALID_PARAM, std::move(func), args...);
104 EncryptionError expected;
114 void init(const std::string&) {
122 static std::string suffix() { return "_sync"; }
126 void init(const std::string&) {
134 static std::string suffix() { return "_async"; }
138 ckmc_algo_type_e type;
142 std::unordered_map<size_t, std::vector<Alias>> g_symKeys;
143 std::unordered_map<size_t, std::vector<KeyAliasPair>> g_asymKeys;
147 PASSWORD_PROTECTED = 1,
152 RawBufferPtr PLAIN_DATA;
153 RawBufferPtr BIG_DATA;
154 ckmc_raw_buffer_s* DEFAULT_IV;
155 ckmc_raw_buffer_s* IV11;
156 ckmc_raw_buffer_s* IV12;
157 ckmc_raw_buffer_s* IV15;
158 ckmc_raw_buffer_s* IV17;
159 ckmc_raw_buffer_s* IV128;
160 ckmc_raw_buffer_s* AAD32;
161 ckmc_raw_buffer_s* AAD64;
163 KeyAliasPair getKey(const Algo& algo, KeyIdx idx)
165 if (algo.type == CKMC_ALGO_RSA_OAEP)
166 return g_asymKeys[algo.keyLen][idx];
169 pair.prv = g_symKeys[algo.keyLen][idx];
174 class EncGroupFixture: public DPL::Test::TestGroup
179 remove_user_data(UID);
180 int ret = ckmc_unlock_user_key(UID, "db-pass");
181 if (ret != CKMC_ERROR_NONE)
182 RUNNER_ERROR_MSG("DB unlock failed: " << CKMCErrorToString(ret));
184 // Policy backend to use in subsequent operations (global for each test case)
186 m_backend = PolicyBackend::FORCE_HARDWARE;
188 m_backend = PolicyBackend::FORCE_SOFTWARE;
192 m_manager = Manager::create();
193 generateSymmetricKeys(128);
194 generateSymmetricKeys(192);
195 generateSymmetricKeys(256);
196 generateRsaKeys(1024);
197 generateRsaKeys(2048);
198 generateRsaKeys(4096);
200 PLAIN_DATA = create_raw_buffer(createRandomBufferCAPI(BUF_LEN));
202 BIG_DATA = create_raw_buffer(createRandomBufferCAPI(1000));
204 BIG_DATA = create_raw_buffer(createRandomBufferCAPI(5000000));
206 DEFAULT_IV = createRandomBufferCAPI(DEFAULT_IV_LEN);
207 IV11 = createRandomBufferCAPI(11);
208 IV12 = createRandomBufferCAPI(12);
209 IV15 = createRandomBufferCAPI(15);
210 IV17 = createRandomBufferCAPI(17);
211 IV128 = createRandomBufferCAPI(128);
212 AAD32 = createRandomBufferCAPI(32);
213 AAD64 = createRandomBufferCAPI(64);
216 void generateSymmetricKeys(size_t bitLen)
218 for (int i = 0; i < KEY_IDX_MAX; i++)
220 Policy p(Password(), false, m_backend);
221 if (i == PASSWORD_PROTECTED)
222 p.password.assign(PASSWORD);
224 std::string alias = std::string("skey_") + std::to_string(bitLen) + std::string("_") + std::to_string(i);
225 int ret = m_manager->createKeyAES(bitLen, alias, p);
226 if (ret != CKM_API_SUCCESS)
227 RUNNER_ERROR_MSG("AES key creation failed");
229 g_symKeys[bitLen].push_back(alias);
233 void generateRsaKeys(size_t bitLen)
235 for (int i = 0; i < KEY_IDX_MAX; i++)
237 Policy prvPolicy(Password(), false, m_backend);
238 Policy pubPolicy(Password(), true, m_backend);
239 if (i == PASSWORD_PROTECTED) {
240 prvPolicy.password.assign(PASSWORD);
241 pubPolicy.password.assign(PASSWORD);
245 alias.prv = std::string("akey_") + std::to_string(bitLen) + std::string("_") + std::to_string(i);
246 alias.pub = std::string("pub") + alias.prv;
247 int ret = m_manager->createKeyPairRSA(bitLen, alias.prv, alias.pub, prvPolicy, pubPolicy);
248 if (ret != CKM_API_SUCCESS)
249 RUNNER_ERROR_MSG("RSA key creation failed");
251 g_asymKeys[bitLen].push_back(alias);
255 void Finish() override
257 for (const auto &entry : g_asymKeys) {
258 for (const auto &keyPair : entry.second) {
259 m_manager->removeAlias(keyPair.prv);
260 m_manager->removeAlias(keyPair.pub);
264 for (const auto &entry : g_symKeys) {
265 for (const auto &key : entry.second) {
266 m_manager->removeAlias(key);
272 ckmc_buffer_free(AAD64);
273 ckmc_buffer_free(AAD32);
274 ckmc_buffer_free(IV128);
275 ckmc_buffer_free(IV17);
276 ckmc_buffer_free(IV15);
277 ckmc_buffer_free(IV12);
278 ckmc_buffer_free(IV11);
279 ckmc_buffer_free(DEFAULT_IV);
281 int ret = ckmc_lock_user_key(UID);
282 if (ret != CKMC_ERROR_NONE)
283 RUNNER_ERROR_MSG("DB lock failed: " << CKMCErrorToString(ret));
284 remove_user_data(UID);
287 ManagerShPtr m_manager;
288 PolicyBackend m_backend;
292 void setParam(ParamListPtr& params, ckmc_param_name_e name, ckmc_raw_buffer_s* buffer)
294 int ret = ckmc_param_list_set_buffer(params.get(), name, buffer);
295 RUNNER_ASSERT_MSG(ret == CKMC_ERROR_NONE,
296 "Failed to set param " << name << " error: " << CKMCErrorToString(ret));
299 void setParam(ParamListPtr& params, ckmc_param_name_e name, int integer)
301 int ret = ckmc_param_list_set_integer(params.get(), name, integer);
302 RUNNER_ASSERT_MSG(ret == CKMC_ERROR_NONE,
303 "Failed to set param " << name << " error: " << CKMCErrorToString(ret));
306 struct EncryptionResult
308 RawBufferPtr encrypted;
314 EncryptionResult encrypt(const Algo& algo,
315 const RawBufferPtr& plain,
316 const char* pass = nullptr)
318 EncryptionResult ret;
319 ckmc_raw_buffer_s* encrypted = nullptr;
320 KeyAliasPair aliases = getKey(algo, pass == nullptr ? PRIMARY : PASSWORD_PROTECTED);
322 ckmc_param_list_h handle = NULL;
323 assert_positive(ckmc_generate_new_params, algo.type, &handle);
324 ret.params = ParamListPtr(handle, ckmc_param_list_free);
325 setParam(ret.params, CKMC_PARAM_ED_IV, DEFAULT_IV);
327 assert_crypto_positive(apiEncrypt,
334 ret.encrypted = create_raw_buffer(encrypted);
335 ret.prvKey = aliases.prv;
336 ret.pubKey = aliases.pub;
340 void testAllAlgorithms(
341 const std::function<void(const Algo& algo)>& test)
343 test( { CKMC_ALGO_AES_CBC, 128 });
344 test( { CKMC_ALGO_AES_CBC, 192 });
345 test( { CKMC_ALGO_AES_CBC, 256 });
346 test( { CKMC_ALGO_AES_GCM, 128 });
347 test( { CKMC_ALGO_AES_GCM, 192 });
348 test( { CKMC_ALGO_AES_GCM, 256 });
349 test( { CKMC_ALGO_AES_CTR, 128 });
350 test( { CKMC_ALGO_AES_CTR, 192 });
351 test( { CKMC_ALGO_AES_CTR, 256 });
352 test( { CKMC_ALGO_AES_CFB, 128 });
353 test( { CKMC_ALGO_AES_CFB, 192 });
354 test( { CKMC_ALGO_AES_CFB, 256 });
355 test( { CKMC_ALGO_RSA_OAEP, 1024 });
356 test( { CKMC_ALGO_RSA_OAEP, 2048 });
357 test( { CKMC_ALGO_RSA_OAEP, 4096 });
360 void testNoIvEnc(const Algo& algo)
363 ckmc_raw_buffer_s* encrypted = nullptr;
366 KeyAliasPair aliases = getKey(algo, PRIMARY);
368 // param list with algo type only
369 ParamListPtr params = createParamListPtr();
370 setParam(params, CKMC_PARAM_ALGO_TYPE, algo.type);
371 assert_crypto_invalid_param(apiEncrypt,
379 void testNoIvDec(const Algo& algo)
382 ckmc_raw_buffer_s* decrypted = nullptr;
385 auto ret = encrypt(algo, PLAIN_DATA);
387 // param list with algo type only
388 ParamListPtr params = createParamListPtr();
389 setParam(params, CKMC_PARAM_ALGO_TYPE, algo.type);
390 assert_crypto_invalid_param(apiDecrypt,
394 *ret.encrypted.get(),
398 void testInvalidIvEnc(const Algo& algo)
401 ckmc_raw_buffer_s* encryptedTmp = nullptr;
404 KeyAliasPair aliases = getKey(algo, PRIMARY);
407 ckmc_param_list_h handle = NULL;
408 assert_positive(ckmc_generate_new_params, algo.type, &handle);
409 ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free);
411 // invalid encryption
413 assert_crypto_invalid_param(apiEncrypt,
419 ckmc_buffer_free(encryptedTmp);
420 encryptedTmp = nullptr;
423 setParam(params, CKMC_PARAM_ED_IV, IV15);
425 setParam(params, CKMC_PARAM_ED_IV, IV17);
429 void testInvalidIvDec(const Algo& algo)
432 ckmc_raw_buffer_s* decrypted = nullptr;
435 auto ret = encrypt(algo, PLAIN_DATA);
439 assert_crypto_invalid_param(apiDecrypt,
443 *ret.encrypted.get(),
445 ckmc_buffer_free(decrypted);
450 setParam(ret.params, CKMC_PARAM_ED_IV, IV15);
452 setParam(ret.params, CKMC_PARAM_ED_IV, IV17);
456 void encryptionWithCustomData(const Algo& algo, ckmc_param_name_e name)
459 ckmc_raw_buffer_s* encrypted = nullptr;
460 ckmc_raw_buffer_s* decrypted = nullptr;
463 KeyAliasPair aliases = getKey(algo, PRIMARY);
466 ckmc_param_list_h handle = NULL;
467 assert_positive(ckmc_generate_new_params, algo.type, &handle);
468 ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free);
470 setParam(params, CKMC_PARAM_ED_IV, DEFAULT_IV);
473 setParam(params, name, AAD64);
476 assert_crypto_positive(apiEncrypt,
482 RawBufferPtr tmpEnc = create_raw_buffer(encrypted);
485 assert_crypto_positive(apiDecrypt,
491 RawBufferPtr tmpDec = create_raw_buffer(decrypted);
494 assert_buffers_equal(*PLAIN_DATA.get(), *tmpDec.get());
499 setParam(params, name, AAD32);
502 assert_crypto_result(EncryptionError::INVALID_PARAM,
511 void testGcmIvSize(ckmc_raw_buffer_s* iv,
512 const KeyAliasPair& aliases,
513 EncryptionError error = EncryptionError::SUCCESS)
516 RawBufferPtr encrypted;
517 RawBufferPtr decrypted;
518 ckmc_raw_buffer_s* encryptedTmp = nullptr;
519 ckmc_raw_buffer_s* decryptedTmp = nullptr;
522 ckmc_param_list_h handle = NULL;
523 assert_positive(ckmc_generate_new_params, CKMC_ALGO_AES_GCM, &handle);
524 ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free);
525 setParam(params, CKMC_PARAM_ED_IV, DEFAULT_IV);
526 setParam(params, CKMC_PARAM_ED_IV, iv);
529 assert_crypto_result(error,
537 if(error != EncryptionError::SUCCESS)
539 encrypted = create_raw_buffer(encryptedTmp);
542 assert_crypto_positive(apiDecrypt,
548 decrypted = create_raw_buffer(decryptedTmp);
550 assert_buffers_equal(*PLAIN_DATA.get(), *decrypted.get());
553 void testIntegrity(const Algo& algo)
556 ckmc_raw_buffer_s* decrypted = nullptr;
559 auto ret = encrypt(algo, PLAIN_DATA);
561 // break the encrypted data
562 ret.encrypted->data[BUF_LEN/2]++;
564 // no data integrity check
565 assert_crypto_positive(apiDecrypt,
569 *ret.encrypted.get(),
572 RawBufferPtr tmp = create_raw_buffer(decrypted);
573 assert_buffers_equal(*PLAIN_DATA.get(), *decrypted, false);
576 void testCtrEncryptionInvalidLength(const Algo& algo)
579 ckmc_raw_buffer_s* encryptedTmp = nullptr;
582 KeyAliasPair aliases = getKey(algo, PRIMARY);
585 ckmc_param_list_h handle = NULL;
586 assert_positive(ckmc_generate_new_params, algo.type, &handle);
587 ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free);
588 setParam(params, CKMC_PARAM_ED_IV, DEFAULT_IV);
592 assert_crypto_invalid_param(apiEncrypt,
598 ckmc_buffer_free(encryptedTmp);
599 encryptedTmp = nullptr;
601 // invalid counter size
602 setParam(params, CKMC_PARAM_ED_CTR_LEN, -1);
604 setParam(params, CKMC_PARAM_ED_CTR_LEN, 0);
606 setParam(params, CKMC_PARAM_ED_CTR_LEN, CTR_DEFAULT_LEN+1);
610 void testCtrEncryptionValidLength(const Algo& algo)
613 ckmc_raw_buffer_s* encryptedTmp = nullptr;
616 KeyAliasPair aliases = getKey(algo, PRIMARY);
619 ckmc_param_list_h handle = NULL;
620 assert_positive(ckmc_generate_new_params, algo.type, &handle);
621 ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free);
622 setParam(params, CKMC_PARAM_ED_IV, DEFAULT_IV);
626 assert_crypto_positive(apiEncrypt,
632 ckmc_buffer_free(encryptedTmp);
633 encryptedTmp = nullptr;
635 // valid counter sizez
636 setParam(params, CKMC_PARAM_ED_CTR_LEN, 1);
638 setParam(params, CKMC_PARAM_ED_CTR_LEN, 4);
640 setParam(params, CKMC_PARAM_ED_CTR_LEN, CTR_DEFAULT_LEN-1);
642 setParam(params, CKMC_PARAM_ED_CTR_LEN, CTR_DEFAULT_LEN);
646 void testCtrDecryptionInvalidLength(const Algo& algo)
649 ckmc_raw_buffer_s* decrypted = nullptr;
651 // add AES CTR key & encrypt
652 auto ret = encrypt(algo, PLAIN_DATA);
656 assert_crypto_invalid_param(apiDecrypt,
660 *ret.encrypted.get(),
662 ckmc_buffer_free(decrypted);
665 // invalid counter size
666 setParam(ret.params, CKMC_PARAM_ED_CTR_LEN, -1);
668 setParam(ret.params, CKMC_PARAM_ED_CTR_LEN, 0);
670 setParam(ret.params, CKMC_PARAM_ED_CTR_LEN, CTR_DEFAULT_LEN+1);
674 void testCtrDecryptionValidLength(const Algo& algo)
677 ckmc_raw_buffer_s* decrypted = nullptr;
679 // add AES CTR key & encrypt
680 auto ret = encrypt(algo, PLAIN_DATA);
684 assert_crypto_positive(apiDecrypt,
688 *ret.encrypted.get(),
690 ckmc_buffer_free(decrypted);
691 RawBufferPtr tmp = create_raw_buffer(decrypted);
692 assert_buffers_equal(*PLAIN_DATA.get(), *decrypted);
694 // invalid counter size
695 setParam(ret.params, CKMC_PARAM_ED_CTR_LEN, 1);
697 setParam(ret.params, CKMC_PARAM_ED_CTR_LEN, 4);
699 setParam(ret.params, CKMC_PARAM_ED_CTR_LEN, CTR_DEFAULT_LEN-1);
701 setParam(ret.params, CKMC_PARAM_ED_CTR_LEN, CTR_DEFAULT_LEN);
705 void testGcmEncryptionTagLen(const Algo& algo)
708 ckmc_raw_buffer_s* encryptedTmp = nullptr;
711 KeyAliasPair aliases = getKey(algo, PRIMARY);
714 ckmc_param_list_h handle = NULL;
715 assert_positive(ckmc_generate_new_params, algo.type, &handle);
716 ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free);
717 setParam(params, CKMC_PARAM_ED_IV, DEFAULT_IV);
719 std::vector<TagTest> testData = {
720 // illegal tag lengths
721 { -1, EncryptionError::INVALID_PARAM },
722 { 0, EncryptionError::INVALID_PARAM },
723 { 16, EncryptionError::INVALID_PARAM },
724 { 48, EncryptionError::INVALID_PARAM },
725 { 72, EncryptionError::INVALID_PARAM },
726 { 100, EncryptionError::INVALID_PARAM },
727 { 108, EncryptionError::INVALID_PARAM },
728 { 116, EncryptionError::INVALID_PARAM },
729 { 124, EncryptionError::INVALID_PARAM },
730 { 256, EncryptionError::INVALID_PARAM },
732 { 32, EncryptionError::INVALID_PARAM },
733 { 64, EncryptionError::INVALID_PARAM },
737 { 32, EncryptionError::SUCCESS },
738 { 64, EncryptionError::SUCCESS },
741 { 96, EncryptionError::SUCCESS },
742 { 104, EncryptionError::SUCCESS },
743 { 112, EncryptionError::SUCCESS },
744 { 120, EncryptionError::SUCCESS },
745 { 128, EncryptionError::SUCCESS },
749 for(const auto& it : testData)
751 setParam(params, CKMC_PARAM_ED_TAG_LEN, it.tagLen);
752 assert_crypto_result(it.expected,
759 ckmc_buffer_free(encryptedTmp);
760 encryptedTmp = nullptr;
764 void testGcmDecryptionTagLen(const Algo& algo)
767 ckmc_raw_buffer_s* decrypted = nullptr;
769 // add AES GCM key & encrypt
770 auto ret = encrypt(algo, PLAIN_DATA);
772 std::vector<TagTest> testData = {
773 // illegal tag lengths
774 { -1, EncryptionError::INVALID_PARAM },
775 { 0, EncryptionError::INVALID_PARAM },
776 { 16, EncryptionError::INVALID_PARAM },
777 { 48, EncryptionError::INVALID_PARAM },
778 { 72, EncryptionError::INVALID_PARAM },
779 { 100, EncryptionError::INVALID_PARAM },
780 { 108, EncryptionError::INVALID_PARAM },
781 { 116, EncryptionError::INVALID_PARAM },
782 { 124, EncryptionError::INVALID_PARAM },
783 { 256, EncryptionError::INVALID_PARAM },
784 // legal tag lengths but different than the one used for encryption
785 { 32, EncryptionError::INVALID_PARAM },
786 { 64, EncryptionError::INVALID_PARAM },
787 { 96, EncryptionError::INVALID_PARAM },
788 { 104, EncryptionError::INVALID_PARAM },
789 { 112, EncryptionError::INVALID_PARAM },
790 { 120, EncryptionError::INVALID_PARAM },
791 // legal tag length that was actually used for encryption (default)
792 { 128, EncryptionError::SUCCESS },
796 for(const auto& it : testData)
798 setParam(ret.params, CKMC_PARAM_ED_TAG_LEN, it.tagLen);
799 assert_crypto_result(it.expected,
804 *ret.encrypted.get(),
806 ckmc_buffer_free(decrypted);
811 void testGcmWrongTag(const Algo& algo)
814 ckmc_raw_buffer_s* decrypted = nullptr;
816 // encrypt with AES GCM
817 auto ret = encrypt(algo, PLAIN_DATA);
819 // modify tag (last 16B of encrypted message)
820 ret.encrypted->data[ret.encrypted->size-1]++;
822 // EVP_CipherFinal fails because of an authentication error
823 assert_crypto_result(EncryptionError::INVALID_PARAM,
828 *ret.encrypted.get(),
832 void testGcmDifferentIvSizes(const Algo& algo)
835 KeyAliasPair aliases = getKey(algo, PRIMARY);
837 testGcmIvSize(IV11, aliases, EncryptionError::SERVER_ERROR); // 12B is the smallest
838 testGcmIvSize(IV12, aliases);
839 testGcmIvSize(IV17, aliases);
840 testGcmIvSize(IV128, aliases);
843 void testEncryptDecryptBigData(const Algo& algo)
846 ckmc_raw_buffer_s* decrypted = nullptr;
849 auto ret = encrypt(algo, BIG_DATA);
851 assert_positive(apiDecrypt,
855 *ret.encrypted.get(),
857 RawBufferPtr tmp = create_raw_buffer(decrypted);
859 assert_buffers_equal(*BIG_DATA.get(), *decrypted);
862 void testEncryptDecryptDifferentKeys(const Algo& algo, bool success)
865 ckmc_raw_buffer_s* decrypted = nullptr;
868 auto ret = encrypt(algo, PLAIN_DATA);
870 // get different keys
871 KeyAliasPair differentKeys = getKey(algo, PASSWORD_PROTECTED);
874 // some algorithms don't verify key validity
875 assert_crypto_positive(apiDecrypt,
877 differentKeys.prv.c_str(),
879 *ret.encrypted.get(),
881 RawBufferPtr tmp = create_raw_buffer(decrypted);
883 assert_buffers_equal(*PLAIN_DATA.get(), *decrypted, false);
885 assert_crypto_result(EncryptionError::INVALID_PARAM,
888 differentKeys.prv.c_str(),
890 *ret.encrypted.get(),
895 void testRsaLongestData(const Algo& algo, size_t dataSize)
898 RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(dataSize));
899 ckmc_raw_buffer_s* decrypted = nullptr;
902 auto ret = encrypt(algo, plain);
904 assert_crypto_positive(apiDecrypt,
908 *ret.encrypted.get(),
910 RawBufferPtr tmp = create_raw_buffer(decrypted);
912 assert_buffers_equal(*plain.get(), *decrypted);
915 void testRsaDataTooLong(const Algo& algo, size_t dataSize)
918 RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(dataSize));
921 EncryptionResult ret;
922 ckmc_raw_buffer_s* encrypted = nullptr;
923 KeyAliasPair aliases = getKey(algo, PRIMARY);
925 ckmc_param_list_h handle = NULL;
926 assert_positive(ckmc_generate_new_params, algo.type, &handle);
927 ret.params = ParamListPtr(handle, ckmc_param_list_free);
928 assert_crypto_result(EncryptionError::INVALID_PARAM,
937 } // namespace anonymous
939 RUNNER_TEST_GROUP_INIT_ENV(CKM_ENCRYPTION_DECRYPTION, EncGroupFixture);
941 /////////////////////////////////////////
942 // Generic encryption decryption tests
943 /////////////////////////////////////////
945 RUNNER_TEST_MULTIPLE(TED_0010_encrypt_invalid_param_list, SyncEnv, AsyncEnv)
947 testAllAlgorithms([](const Algo& algo){
949 ckmc_raw_buffer_s* encrypted = nullptr;
952 KeyAliasPair aliases = getKey(algo, PRIMARY);
955 assert_crypto_invalid_param(apiEncrypt,
963 ParamListPtr params = createParamListPtr();
964 assert_crypto_invalid_param(apiEncrypt,
973 RUNNER_TEST_MULTIPLE(TED_0020_encrypt_missing_key, SyncEnv, AsyncEnv)
975 testAllAlgorithms([](const Algo& algo){
977 ckmc_raw_buffer_s* encrypted = nullptr;
980 ckmc_param_list_h handle = NULL;
981 assert_positive(ckmc_generate_new_params, algo.type, &handle);
982 ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free);
983 setParam(params, CKMC_PARAM_ED_IV, DEFAULT_IV);
985 assert_crypto_result(EncryptionError::ALIAS_UNKNOWN,
988 "non-existing-key-alias",
995 RUNNER_TEST_MULTIPLE(TED_0030_encrypt_no_plain_text, SyncEnv, AsyncEnv)
997 testAllAlgorithms([](const Algo& algo){
999 ckmc_raw_buffer_s plain = { nullptr, 0 };
1000 ckmc_raw_buffer_s* encrypted = nullptr;
1003 KeyAliasPair aliases = getKey(algo, PRIMARY);
1006 ckmc_param_list_h handle = NULL;
1007 assert_positive(ckmc_generate_new_params, algo.type, &handle);
1008 ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free);
1009 setParam(params, CKMC_PARAM_ED_IV, DEFAULT_IV);
1011 assert_crypto_invalid_param(apiEncrypt,
1013 aliases.pub.c_str(),
1020 RUNNER_TEST_MULTIPLE(TED_0040_encrypt_no_output_buffer, SyncEnv, AsyncEnv)
1022 testAllAlgorithms([](const Algo& algo){
1024 ckmc_raw_buffer_s** encrypted = nullptr;
1027 KeyAliasPair aliases = getKey(algo, PRIMARY);
1030 ckmc_param_list_h handle = NULL;
1031 assert_positive(ckmc_generate_new_params, algo.type, &handle);
1032 ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free);
1033 setParam(params, CKMC_PARAM_ED_IV, DEFAULT_IV);
1035 assert_crypto_invalid_param(apiEncrypt,
1037 aliases.pub.c_str(),
1044 RUNNER_TEST_MULTIPLE(TED_0110_decrypt_invalid_param_list, SyncEnv, AsyncEnv)
1046 testAllAlgorithms([](const Algo& algo){
1048 ckmc_raw_buffer_s* decrypted = nullptr;
1051 auto ret = encrypt(algo, PLAIN_DATA);
1054 assert_crypto_invalid_param(apiDecrypt,
1058 *ret.encrypted.get(),
1062 ParamListPtr params = createParamListPtr();
1063 assert_crypto_invalid_param(apiDecrypt,
1067 *ret.encrypted.get(),
1072 RUNNER_TEST_MULTIPLE(TED_0120_decrypt_missing_key, SyncEnv, AsyncEnv)
1074 testAllAlgorithms([](const Algo& algo){
1076 ckmc_raw_buffer_s* decrypted = nullptr;
1079 auto ret = encrypt(algo, PLAIN_DATA);
1082 assert_crypto_result(EncryptionError::ALIAS_UNKNOWN,
1087 *ret.encrypted.get(),
1092 RUNNER_TEST_MULTIPLE(TED_0130_decrypt_no_encrypted_text, SyncEnv, AsyncEnv)
1094 testAllAlgorithms([](const Algo& algo){
1096 ckmc_raw_buffer_s encrypted = { nullptr, 0 };
1097 ckmc_raw_buffer_s* decrypted = nullptr;
1100 KeyAliasPair aliases = getKey(algo, PRIMARY);
1103 ckmc_param_list_h handle = NULL;
1104 assert_positive(ckmc_generate_new_params, algo.type, &handle);
1105 ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free);
1106 setParam(params, CKMC_PARAM_ED_IV, DEFAULT_IV);
1108 assert_crypto_invalid_param(apiDecrypt,
1110 aliases.prv.c_str(),
1117 RUNNER_TEST_MULTIPLE(TED_0140_decrypt_no_output_buffer, SyncEnv, AsyncEnv)
1119 testAllAlgorithms([](const Algo& algo){
1121 ckmc_raw_buffer_s** decrypted = nullptr;
1124 auto ret = encrypt(algo, PLAIN_DATA);
1126 assert_crypto_invalid_param(apiDecrypt,
1130 *ret.encrypted.get(),
1135 RUNNER_TEST_MULTIPLE(TED_0200_encrypt_decrypt_different_keys, SyncEnv, AsyncEnv)
1137 testEncryptDecryptDifferentKeys({CKMC_ALGO_AES_GCM, 128}, false);
1138 testEncryptDecryptDifferentKeys({CKMC_ALGO_AES_GCM, 192}, false);
1139 testEncryptDecryptDifferentKeys({CKMC_ALGO_AES_GCM, 256}, false);
1140 testEncryptDecryptDifferentKeys({CKMC_ALGO_AES_CTR, 128}, true);
1141 testEncryptDecryptDifferentKeys({CKMC_ALGO_AES_CTR, 192}, true);
1142 testEncryptDecryptDifferentKeys({CKMC_ALGO_AES_CTR, 256}, true);
1143 testEncryptDecryptDifferentKeys({CKMC_ALGO_AES_CFB, 128}, true);
1144 testEncryptDecryptDifferentKeys({CKMC_ALGO_AES_CFB, 192}, true);
1145 testEncryptDecryptDifferentKeys({CKMC_ALGO_AES_CFB, 256}, true);
1146 testEncryptDecryptDifferentKeys({CKMC_ALGO_RSA_OAEP, 1024}, false);
1147 testEncryptDecryptDifferentKeys({CKMC_ALGO_RSA_OAEP, 2048}, false);
1148 testEncryptDecryptDifferentKeys({CKMC_ALGO_RSA_OAEP, 4096}, false);
1151 RUNNER_TEST_MULTIPLE(TED_0300_encrypt_decrypt, SyncEnv, AsyncEnv)
1153 testAllAlgorithms([](const Algo& algo){
1155 ckmc_raw_buffer_s* decrypted = nullptr;
1158 auto ret = encrypt(algo, PLAIN_DATA);
1160 assert_crypto_positive(apiDecrypt,
1164 *ret.encrypted.get(),
1166 RawBufferPtr tmp = create_raw_buffer(decrypted);
1168 assert_buffers_equal(*PLAIN_DATA.get(), *decrypted);
1172 RUNNER_TEST_MULTIPLE(TED_0310_encrypt_decrypt_password, SyncEnv, AsyncEnv)
1174 testAllAlgorithms([](const Algo& algo){
1176 ckmc_raw_buffer_s* decrypted = nullptr;
1179 auto ret = encrypt(algo, PLAIN_DATA, PASSWORD);
1182 assert_crypto_result(EncryptionError::AUTH_FAILED,
1187 *ret.encrypted.get(),
1191 assert_crypto_positive(apiDecrypt,
1195 *ret.encrypted.get(),
1197 RawBufferPtr tmp = create_raw_buffer(decrypted); // guarantees deletion
1199 assert_buffers_equal(*PLAIN_DATA.get(), *decrypted);
1203 // long test split into smaller ones
1204 RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CBC_128, SyncEnv, AsyncEnv)
1206 testEncryptDecryptBigData({CKMC_ALGO_AES_CBC, 128});
1209 RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CBC_192, SyncEnv, AsyncEnv)
1211 testEncryptDecryptBigData({CKMC_ALGO_AES_CBC, 192});
1214 RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CBC_256, SyncEnv, AsyncEnv)
1216 testEncryptDecryptBigData({CKMC_ALGO_AES_CBC, 256});
1219 RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_GCM_128, SyncEnv, AsyncEnv)
1221 testEncryptDecryptBigData({CKMC_ALGO_AES_GCM, 128});
1224 RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_GCM_192, SyncEnv, AsyncEnv)
1226 testEncryptDecryptBigData({CKMC_ALGO_AES_GCM, 192});
1229 RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_GCM_256, SyncEnv, AsyncEnv)
1231 testEncryptDecryptBigData({CKMC_ALGO_AES_GCM, 256});
1234 RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CTR_128, SyncEnv, AsyncEnv)
1236 testEncryptDecryptBigData({CKMC_ALGO_AES_CTR, 128});
1239 RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CTR_192, SyncEnv, AsyncEnv)
1241 testEncryptDecryptBigData({CKMC_ALGO_AES_CTR, 192});
1244 RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CTR_256, SyncEnv, AsyncEnv)
1246 testEncryptDecryptBigData({CKMC_ALGO_AES_CTR, 256});
1249 RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CFB_128, SyncEnv, AsyncEnv)
1251 testEncryptDecryptBigData({CKMC_ALGO_AES_CFB, 128});
1254 RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CFB_192, SyncEnv, AsyncEnv)
1256 testEncryptDecryptBigData({CKMC_ALGO_AES_CFB, 192});
1259 RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CFB_256, SyncEnv, AsyncEnv)
1261 testEncryptDecryptBigData({CKMC_ALGO_AES_CFB, 256});
1264 /////////////////////////////////////////
1265 // Algorithm specific tests
1266 /////////////////////////////////////////
1268 RUNNER_TEST_MULTIPLE(TED_1005_no_iv_enc, SyncEnv, AsyncEnv)
1270 testNoIvEnc({CKMC_ALGO_AES_CTR, 128});
1271 testNoIvEnc({CKMC_ALGO_AES_CTR, 192});
1272 testNoIvEnc({CKMC_ALGO_AES_CTR, 256});
1273 testNoIvEnc({CKMC_ALGO_AES_CBC, 128});
1274 testNoIvEnc({CKMC_ALGO_AES_CBC, 192});
1275 testNoIvEnc({CKMC_ALGO_AES_CBC, 256});
1276 testNoIvEnc({CKMC_ALGO_AES_CFB, 128});
1277 testNoIvEnc({CKMC_ALGO_AES_CFB, 192});
1278 testNoIvEnc({CKMC_ALGO_AES_CFB, 256});
1279 testNoIvEnc({CKMC_ALGO_AES_GCM, 128});
1280 testNoIvEnc({CKMC_ALGO_AES_GCM, 192});
1281 testNoIvEnc({CKMC_ALGO_AES_GCM, 256});
1284 RUNNER_TEST_MULTIPLE(TED_1010_invalid_iv_enc, SyncEnv, AsyncEnv)
1286 testInvalidIvEnc({CKMC_ALGO_AES_CTR, 128});
1287 testInvalidIvEnc({CKMC_ALGO_AES_CTR, 192});
1288 testInvalidIvEnc({CKMC_ALGO_AES_CTR, 256});
1289 testInvalidIvEnc({CKMC_ALGO_AES_CBC, 128});
1290 testInvalidIvEnc({CKMC_ALGO_AES_CBC, 192});
1291 testInvalidIvEnc({CKMC_ALGO_AES_CBC, 256});
1292 testInvalidIvEnc({CKMC_ALGO_AES_CFB, 128});
1293 testInvalidIvEnc({CKMC_ALGO_AES_CFB, 192});
1294 testInvalidIvEnc({CKMC_ALGO_AES_CFB, 256});
1297 RUNNER_TEST_MULTIPLE(TED_1015_no_iv_dec, SyncEnv, AsyncEnv)
1299 testNoIvDec({CKMC_ALGO_AES_CTR, 128});
1300 testNoIvDec({CKMC_ALGO_AES_CTR, 192});
1301 testNoIvDec({CKMC_ALGO_AES_CTR, 256});
1302 testNoIvDec({CKMC_ALGO_AES_CBC, 128});
1303 testNoIvDec({CKMC_ALGO_AES_CBC, 192});
1304 testNoIvDec({CKMC_ALGO_AES_CBC, 256});
1305 testNoIvDec({CKMC_ALGO_AES_CFB, 128});
1306 testNoIvDec({CKMC_ALGO_AES_CFB, 192});
1307 testNoIvDec({CKMC_ALGO_AES_CFB, 256});
1308 testNoIvDec({CKMC_ALGO_AES_GCM, 128});
1309 testNoIvDec({CKMC_ALGO_AES_GCM, 192});
1310 testNoIvDec({CKMC_ALGO_AES_GCM, 256});
1313 RUNNER_TEST_MULTIPLE(TED_1020_invalid_iv_dec, SyncEnv, AsyncEnv)
1315 testInvalidIvDec({CKMC_ALGO_AES_CTR, 128});
1316 testInvalidIvDec({CKMC_ALGO_AES_CTR, 192});
1317 testInvalidIvDec({CKMC_ALGO_AES_CTR, 256});
1318 testInvalidIvDec({CKMC_ALGO_AES_CBC, 128});
1319 testInvalidIvDec({CKMC_ALGO_AES_CBC, 192});
1320 testInvalidIvDec({CKMC_ALGO_AES_CBC, 256});
1321 testInvalidIvDec({CKMC_ALGO_AES_CFB, 128});
1322 testInvalidIvDec({CKMC_ALGO_AES_CFB, 192});
1323 testInvalidIvDec({CKMC_ALGO_AES_CFB, 256});
1326 RUNNER_TEST_MULTIPLE(TED_1050_data_integrity, SyncEnv, AsyncEnv)
1328 testIntegrity({CKMC_ALGO_AES_CTR, 128});
1329 testIntegrity({CKMC_ALGO_AES_CTR, 192});
1330 testIntegrity({CKMC_ALGO_AES_CTR, 256});
1331 testIntegrity({CKMC_ALGO_AES_CBC, 128});
1332 testIntegrity({CKMC_ALGO_AES_CBC, 192});
1333 testIntegrity({CKMC_ALGO_AES_CBC, 256});
1334 testIntegrity({CKMC_ALGO_AES_CFB, 128});
1335 testIntegrity({CKMC_ALGO_AES_CFB, 192});
1336 testIntegrity({CKMC_ALGO_AES_CFB, 256});
1339 RUNNER_TEST_MULTIPLE(TED_1100_ctr_encryption_invalid_length, SyncEnv, AsyncEnv)
1341 testCtrEncryptionInvalidLength({CKMC_ALGO_AES_CTR, 128});
1342 testCtrEncryptionInvalidLength({CKMC_ALGO_AES_CTR, 192});
1343 testCtrEncryptionInvalidLength({CKMC_ALGO_AES_CTR, 256});
1346 RUNNER_TEST_MULTIPLE(TED_1105_ctr_encryption_valid_length, SyncEnv, AsyncEnv)
1348 RUNNER_IGNORED_MSG("Openssl supports only 128-bit AES CTR length");
1349 testCtrEncryptionValidLength({CKMC_ALGO_AES_CTR, 128});
1350 testCtrEncryptionValidLength({CKMC_ALGO_AES_CTR, 192});
1351 testCtrEncryptionValidLength({CKMC_ALGO_AES_CTR, 256});
1354 RUNNER_TEST_MULTIPLE(TED_1110_ctr_decryption_invalid_length, SyncEnv, AsyncEnv)
1356 testCtrDecryptionInvalidLength({CKMC_ALGO_AES_CTR, 128});
1357 testCtrDecryptionInvalidLength({CKMC_ALGO_AES_CTR, 192});
1358 testCtrDecryptionInvalidLength({CKMC_ALGO_AES_CTR, 256});
1361 RUNNER_TEST_MULTIPLE(TED_1115_ctr_decryption_valid_length, SyncEnv, AsyncEnv)
1363 RUNNER_IGNORED_MSG("Openssl supports only 128-bit AES CTR length");
1364 testCtrDecryptionValidLength({CKMC_ALGO_AES_CTR, 128});
1365 testCtrDecryptionValidLength({CKMC_ALGO_AES_CTR, 192});
1366 testCtrDecryptionValidLength({CKMC_ALGO_AES_CTR, 256});
1369 RUNNER_TEST_MULTIPLE(TED_1200_gcm_encryption_tag_len, SyncEnv, AsyncEnv)
1371 testGcmEncryptionTagLen({CKMC_ALGO_AES_GCM, 128});
1372 testGcmEncryptionTagLen({CKMC_ALGO_AES_GCM, 192});
1373 testGcmEncryptionTagLen({CKMC_ALGO_AES_GCM, 256});
1376 RUNNER_TEST_MULTIPLE(TED_1210_gcm_decryption_tag_len, SyncEnv, AsyncEnv)
1378 testGcmDecryptionTagLen({CKMC_ALGO_AES_GCM, 128});
1379 testGcmDecryptionTagLen({CKMC_ALGO_AES_GCM, 192});
1380 testGcmDecryptionTagLen({CKMC_ALGO_AES_GCM, 256});
1383 RUNNER_TEST_MULTIPLE(TED_1230_gcm_wrong_tag, SyncEnv, AsyncEnv)
1385 testGcmWrongTag({CKMC_ALGO_AES_GCM, 128});
1386 testGcmWrongTag({CKMC_ALGO_AES_GCM, 192});
1387 testGcmWrongTag({CKMC_ALGO_AES_GCM, 256});
1390 RUNNER_TEST_MULTIPLE(TED_1240_gcm_different_iv_sizes, SyncEnv, AsyncEnv)
1392 testGcmDifferentIvSizes({CKMC_ALGO_AES_GCM, 128});
1393 testGcmDifferentIvSizes({CKMC_ALGO_AES_GCM, 192});
1394 testGcmDifferentIvSizes({CKMC_ALGO_AES_GCM, 256});
1397 RUNNER_TEST_MULTIPLE(TED_1250_gcm_aad, SyncEnv, AsyncEnv)
1399 encryptionWithCustomData({CKMC_ALGO_AES_GCM, 128}, CKMC_PARAM_ED_AAD);
1400 encryptionWithCustomData({CKMC_ALGO_AES_GCM, 192}, CKMC_PARAM_ED_AAD);
1401 encryptionWithCustomData({CKMC_ALGO_AES_GCM, 256}, CKMC_PARAM_ED_AAD);
1404 RUNNER_TEST_MULTIPLE(TED_1300_rsa_label, SyncEnv, AsyncEnv)
1406 RUNNER_IGNORED_MSG("RSA-OAEP labels are not supported in openssl");
1407 encryptionWithCustomData({CKMC_ALGO_RSA_OAEP, 1024}, CKMC_PARAM_ED_LABEL);
1408 encryptionWithCustomData({CKMC_ALGO_RSA_OAEP, 2048}, CKMC_PARAM_ED_LABEL);
1409 encryptionWithCustomData({CKMC_ALGO_RSA_OAEP, 4096}, CKMC_PARAM_ED_LABEL);
1412 RUNNER_TEST_MULTIPLE(TED_1330_rsa_longest_data, SyncEnv, AsyncEnv)
1414 testRsaLongestData({CKMC_ALGO_RSA_OAEP, 1024}, 86);
1415 testRsaLongestData({CKMC_ALGO_RSA_OAEP, 2048}, 214);
1416 testRsaLongestData({CKMC_ALGO_RSA_OAEP, 4096}, 470);
1419 RUNNER_TEST_MULTIPLE(TED_1350_rsa_data_too_long, SyncEnv, AsyncEnv)
1421 testRsaDataTooLong({CKMC_ALGO_RSA_OAEP, 1024}, 87);
1422 testRsaDataTooLong({CKMC_ALGO_RSA_OAEP, 2048}, 215);
1423 testRsaDataTooLong({CKMC_ALGO_RSA_OAEP, 4096}, 471);
1426 /////////////////////////////////////////
1427 // Asynchronous only tests
1428 /////////////////////////////////////////
1429 RUNNER_TEST(TED_2000_enc_no_observer_async, AsyncEnv)
1431 testAllAlgorithms([](const Algo& algo){
1433 RawBuffer plain = createRandomBuffer(BUF_LEN);
1436 KeyAliasPair aliases = getKey(algo, PRIMARY);
1439 ckmc_param_list_h handle = NULL;
1440 assert_positive(ckmc_generate_new_params, algo.type, &handle);
1441 ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free);
1442 setParam(params, CKMC_PARAM_ED_IV, DEFAULT_IV);
1445 test_no_observer(&ManagerAsync::encrypt,
1446 *reinterpret_cast<CryptoAlgorithm*>(params.get()),
1453 RUNNER_TEST(TED_2010_dec_no_observer_async, AsyncEnv)
1455 testAllAlgorithms([](const Algo& algo){
1457 auto ret = encrypt(algo, PLAIN_DATA);
1458 RawBuffer encrypted(ret.encrypted->data, ret.encrypted->data + ret.encrypted->size);
1461 test_no_observer(&ManagerAsync::decrypt,
1462 *reinterpret_cast<CryptoAlgorithm*>(ret.params.get()),
1469 /////////////////////////////////////////
1470 // Mulithreaded test for synchronous API
1471 /////////////////////////////////////////
1472 RUNNER_TEST(TED_3000_muliple_threads, SyncEnv)
1474 std::vector<std::thread> threads;
1475 threads.reserve(10);
1476 for(unsigned i = 0; i < 10;++i)
1477 threads.emplace_back([]{ testEncryptDecryptBigData({CKMC_ALGO_AES_CBC, 256}); });
1478 for (auto& thread : threads)