2 * Copyright (c) 2000 - 2019 Samsung Electronics Co., Ltd All Rights Reserved
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License
17 * @file encryption-decryption.cpp
18 * @author Krzysztof Jackiewicz (k.jackiewicz@samsung.com)
25 #include <unordered_map>
27 #include <dpl/test/test_runner.h>
28 #include <ckm-common.h>
29 #include <ckmc/ckmc-manager.h>
30 #include <ckmc/ckmc-control.h>
31 #include <ckm/ckm-type.h>
32 #include <ckm/ckm-manager.h>
33 #include <encryption-decryption-env.h>
39 const char* PASSWORD = "test-password";
40 const uid_t UID = 5001;
41 const size_t CTR_DEFAULT_LEN = 16*8;
42 const size_t DEFAULT_IV_LEN = 16;
43 const size_t BUF_LEN = 86; // must be less than 1024/8-41 to support RSA OAEP 1024
49 EncryptionApi* g_api = &g_syncApi;
51 EncryptionError apiEncrypt(ckmc_param_list_h params,
52 const char *key_alias,
54 const ckmc_raw_buffer_s decrypted,
55 ckmc_raw_buffer_s **ppencrypted) {
56 RUNNER_ASSERT_MSG(g_api, "No encryption API is connected");
57 return g_api->encrypt(params, key_alias, password, decrypted, ppencrypted);
60 inline CKM::Password _tostring(const char *str)
62 return (str == nullptr) ? Password() : Password(str);
65 inline CKM::Policy _toCkmPolicy(const ckmc_policy_s &policy, PolicyBackend backend)
67 return CKM::Policy(_tostring(policy.password), policy.extractable, backend);
70 EncryptionError apiDecrypt(ckmc_param_list_h params,
71 const char *key_alias,
73 const ckmc_raw_buffer_s encrypted,
74 ckmc_raw_buffer_s **ppdecrypted) {
75 RUNNER_ASSERT_MSG(g_api, "No encryption API is connected");
76 return g_api->decrypt(params, key_alias, password, encrypted, ppdecrypted);
80 template <typename F, typename... Args>
81 void assert_crypto_result(EncryptionError expected, F&& func, Args... args)
83 EncryptionError ret = func(args...);
84 RUNNER_ASSERT_MSG(ret == expected,
85 "Expected: " << static_cast<int>(expected) <<
86 " got: " << static_cast<int>(ret));
89 template <typename F, typename... Args>
90 void assert_crypto_positive(F&& func, Args... args)
92 assert_crypto_result(EncryptionError::SUCCESS, std::move(func), args...);
95 template <typename F, typename... Args>
96 void assert_crypto_invalid_param(F&& func, Args... args)
98 assert_crypto_result(EncryptionError::INVALID_PARAM, std::move(func), args...);
103 EncryptionError expected;
113 void init(const std::string&) {
121 static std::string suffix() { return "_sync"; }
125 void init(const std::string&) {
133 static std::string suffix() { return "_async"; }
137 ckmc_algo_type_e type;
141 std::unordered_map<size_t, std::vector<Alias>> g_symKeys;
142 std::unordered_map<size_t, std::vector<KeyAliasPair>> g_asymKeys;
146 PASSWORD_PROTECTED = 1,
151 RawBufferPtr PLAIN_DATA;
152 RawBufferPtr BIG_DATA;
153 ckmc_raw_buffer_s* DEFAULT_IV;
154 ckmc_raw_buffer_s* IV11;
155 ckmc_raw_buffer_s* IV12;
156 ckmc_raw_buffer_s* IV15;
157 ckmc_raw_buffer_s* IV17;
158 ckmc_raw_buffer_s* IV128;
159 ckmc_raw_buffer_s* AAD32;
160 ckmc_raw_buffer_s* AAD64;
162 KeyAliasPair getKey(const Algo& algo, KeyIdx idx)
164 if (algo.type == CKMC_ALGO_RSA_OAEP)
165 return g_asymKeys[algo.keyLen][idx];
168 pair.prv = g_symKeys[algo.keyLen][idx];
173 class EncGroupFixture: public DPL::Test::TestGroup
178 remove_user_data(UID);
179 int ret = ckmc_unlock_user_key(UID, "db-pass");
180 if (ret != CKMC_ERROR_NONE)
181 RUNNER_ERROR_MSG("DB unlock failed: " << CKMCErrorToString(ret));
183 // Policy backend to use in subsequent operations (global for each test case)
185 m_backend = PolicyBackend::FORCE_HARDWARE;
187 m_backend = PolicyBackend::FORCE_SOFTWARE;
191 m_manager = Manager::create();
192 generateSymmetricKeys(128);
193 generateSymmetricKeys(192);
194 generateSymmetricKeys(256);
195 generateRsaKeys(1024);
196 generateRsaKeys(2048);
197 generateRsaKeys(4096);
199 PLAIN_DATA = create_raw_buffer(createRandomBufferCAPI(BUF_LEN));
201 BIG_DATA = create_raw_buffer(createRandomBufferCAPI(1000));
203 BIG_DATA = create_raw_buffer(createRandomBufferCAPI(5000000));
205 DEFAULT_IV = createRandomBufferCAPI(DEFAULT_IV_LEN);
206 IV11 = createRandomBufferCAPI(11);
207 IV12 = createRandomBufferCAPI(12);
208 IV15 = createRandomBufferCAPI(15);
209 IV17 = createRandomBufferCAPI(17);
210 IV128 = createRandomBufferCAPI(128);
211 AAD32 = createRandomBufferCAPI(32);
212 AAD64 = createRandomBufferCAPI(64);
215 void generateSymmetricKeys(size_t bitLen)
217 for (int i = 0; i < KEY_IDX_MAX; i++)
219 Policy p(Password(), false, m_backend);
220 if (i == PASSWORD_PROTECTED)
221 p.password.assign(PASSWORD);
223 std::string alias = std::string("skey_") + std::to_string(bitLen) + std::string("_") + std::to_string(i);
224 int ret = m_manager->createKeyAES(bitLen, alias, p);
225 if (ret != CKM_API_SUCCESS)
226 RUNNER_ERROR_MSG("AES key creation failed");
228 g_symKeys[bitLen].push_back(alias);
232 void generateRsaKeys(size_t bitLen)
234 for (int i = 0; i < KEY_IDX_MAX; i++)
236 Policy prvPolicy(Password(), false, m_backend);
237 Policy pubPolicy(Password(), true, m_backend);
238 if (i == PASSWORD_PROTECTED) {
239 prvPolicy.password.assign(PASSWORD);
240 pubPolicy.password.assign(PASSWORD);
244 alias.prv = std::string("akey_") + std::to_string(bitLen) + std::string("_") + std::to_string(i);
245 alias.pub = std::string("pub") + alias.prv;
246 int ret = m_manager->createKeyPairRSA(bitLen, alias.prv, alias.pub, prvPolicy, pubPolicy);
247 if (ret != CKM_API_SUCCESS)
248 RUNNER_ERROR_MSG("RSA key creation failed");
250 g_asymKeys[bitLen].push_back(alias);
254 void Finish() override
256 for (const auto &entry : g_asymKeys) {
257 for (const auto &keyPair : entry.second) {
258 m_manager->removeAlias(keyPair.prv);
259 m_manager->removeAlias(keyPair.pub);
263 for (const auto &entry : g_symKeys) {
264 for (const auto &key : entry.second) {
265 m_manager->removeAlias(key);
271 ckmc_buffer_free(AAD64);
272 ckmc_buffer_free(AAD32);
273 ckmc_buffer_free(IV128);
274 ckmc_buffer_free(IV17);
275 ckmc_buffer_free(IV15);
276 ckmc_buffer_free(IV12);
277 ckmc_buffer_free(IV11);
278 ckmc_buffer_free(DEFAULT_IV);
280 int ret = ckmc_lock_user_key(UID);
281 if (ret != CKMC_ERROR_NONE)
282 RUNNER_ERROR_MSG("DB lock failed: " << CKMCErrorToString(ret));
283 remove_user_data(UID);
286 ManagerShPtr m_manager;
287 PolicyBackend m_backend;
291 void setParam(ParamListPtr& params, ckmc_param_name_e name, ckmc_raw_buffer_s* buffer)
293 int ret = ckmc_param_list_set_buffer(params.get(), name, buffer);
294 RUNNER_ASSERT_MSG(ret == CKMC_ERROR_NONE,
295 "Failed to set param " << name << " error: " << CKMCErrorToString(ret));
298 void setParam(ParamListPtr& params, ckmc_param_name_e name, int integer)
300 int ret = ckmc_param_list_set_integer(params.get(), name, integer);
301 RUNNER_ASSERT_MSG(ret == CKMC_ERROR_NONE,
302 "Failed to set param " << name << " error: " << CKMCErrorToString(ret));
305 struct EncryptionResult
307 RawBufferPtr encrypted;
313 EncryptionResult encrypt(const Algo& algo,
314 const RawBufferPtr& plain,
315 const char* pass = nullptr)
317 EncryptionResult ret;
318 ckmc_raw_buffer_s* encrypted = nullptr;
319 KeyAliasPair aliases = getKey(algo, pass == nullptr ? PRIMARY : PASSWORD_PROTECTED);
321 ckmc_param_list_h handle = NULL;
322 assert_positive(ckmc_generate_new_params, algo.type, &handle);
323 ret.params = ParamListPtr(handle, ckmc_param_list_free);
324 setParam(ret.params, CKMC_PARAM_ED_IV, DEFAULT_IV);
326 assert_crypto_positive(apiEncrypt,
333 ret.encrypted = create_raw_buffer(encrypted);
334 ret.prvKey = aliases.prv;
335 ret.pubKey = aliases.pub;
339 void testAllAlgorithms(
340 const std::function<void(const Algo& algo)>& test)
342 test( { CKMC_ALGO_AES_CBC, 128 });
343 test( { CKMC_ALGO_AES_CBC, 192 });
344 test( { CKMC_ALGO_AES_CBC, 256 });
345 test( { CKMC_ALGO_AES_GCM, 128 });
346 test( { CKMC_ALGO_AES_GCM, 192 });
347 test( { CKMC_ALGO_AES_GCM, 256 });
348 test( { CKMC_ALGO_AES_CTR, 128 });
349 test( { CKMC_ALGO_AES_CTR, 192 });
350 test( { CKMC_ALGO_AES_CTR, 256 });
351 test( { CKMC_ALGO_AES_CFB, 128 });
352 test( { CKMC_ALGO_AES_CFB, 192 });
353 test( { CKMC_ALGO_AES_CFB, 256 });
354 test( { CKMC_ALGO_RSA_OAEP, 1024 });
355 test( { CKMC_ALGO_RSA_OAEP, 2048 });
356 test( { CKMC_ALGO_RSA_OAEP, 4096 });
359 void testNoIvEnc(const Algo& algo)
362 ckmc_raw_buffer_s* encrypted = nullptr;
365 KeyAliasPair aliases = getKey(algo, PRIMARY);
367 // param list with algo type only
368 ParamListPtr params = createParamListPtr();
369 setParam(params, CKMC_PARAM_ALGO_TYPE, algo.type);
370 assert_crypto_invalid_param(apiEncrypt,
378 void testNoIvDec(const Algo& algo)
381 ckmc_raw_buffer_s* decrypted = nullptr;
384 auto ret = encrypt(algo, PLAIN_DATA);
386 // param list with algo type only
387 ParamListPtr params = createParamListPtr();
388 setParam(params, CKMC_PARAM_ALGO_TYPE, algo.type);
389 assert_crypto_invalid_param(apiDecrypt,
393 *ret.encrypted.get(),
397 void testInvalidIvEnc(const Algo& algo)
400 ckmc_raw_buffer_s* encryptedTmp = nullptr;
403 KeyAliasPair aliases = getKey(algo, PRIMARY);
406 ckmc_param_list_h handle = NULL;
407 assert_positive(ckmc_generate_new_params, algo.type, &handle);
408 ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free);
410 // invalid encryption
412 assert_crypto_invalid_param(apiEncrypt,
418 ckmc_buffer_free(encryptedTmp);
419 encryptedTmp = nullptr;
422 setParam(params, CKMC_PARAM_ED_IV, IV15);
424 setParam(params, CKMC_PARAM_ED_IV, IV17);
428 void testInvalidIvDec(const Algo& algo)
431 ckmc_raw_buffer_s* decrypted = nullptr;
434 auto ret = encrypt(algo, PLAIN_DATA);
438 assert_crypto_invalid_param(apiDecrypt,
442 *ret.encrypted.get(),
444 ckmc_buffer_free(decrypted);
449 setParam(ret.params, CKMC_PARAM_ED_IV, IV15);
451 setParam(ret.params, CKMC_PARAM_ED_IV, IV17);
455 void encryptionWithCustomData(const Algo& algo, ckmc_param_name_e name)
458 ckmc_raw_buffer_s* encrypted = nullptr;
459 ckmc_raw_buffer_s* decrypted = nullptr;
462 KeyAliasPair aliases = getKey(algo, PRIMARY);
465 ckmc_param_list_h handle = NULL;
466 assert_positive(ckmc_generate_new_params, algo.type, &handle);
467 ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free);
469 setParam(params, CKMC_PARAM_ED_IV, DEFAULT_IV);
472 setParam(params, name, AAD64);
475 assert_crypto_positive(apiEncrypt,
481 RawBufferPtr tmpEnc = create_raw_buffer(encrypted);
484 assert_crypto_positive(apiDecrypt,
490 RawBufferPtr tmpDec = create_raw_buffer(decrypted);
493 assert_buffers_equal(*PLAIN_DATA.get(), *tmpDec.get());
498 setParam(params, name, AAD32);
501 assert_crypto_result(EncryptionError::INVALID_PARAM,
510 void testGcmIvSize(ckmc_raw_buffer_s* iv,
511 const KeyAliasPair& aliases,
512 EncryptionError error = EncryptionError::SUCCESS)
515 RawBufferPtr encrypted;
516 RawBufferPtr decrypted;
517 ckmc_raw_buffer_s* encryptedTmp = nullptr;
518 ckmc_raw_buffer_s* decryptedTmp = nullptr;
521 ckmc_param_list_h handle = NULL;
522 assert_positive(ckmc_generate_new_params, CKMC_ALGO_AES_GCM, &handle);
523 ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free);
524 setParam(params, CKMC_PARAM_ED_IV, DEFAULT_IV);
525 setParam(params, CKMC_PARAM_ED_IV, iv);
528 assert_crypto_result(error,
536 if(error != EncryptionError::SUCCESS)
538 encrypted = create_raw_buffer(encryptedTmp);
541 assert_crypto_positive(apiDecrypt,
547 decrypted = create_raw_buffer(decryptedTmp);
549 assert_buffers_equal(*PLAIN_DATA.get(), *decrypted.get());
552 void testIntegrity(const Algo& algo)
555 ckmc_raw_buffer_s* decrypted = nullptr;
558 auto ret = encrypt(algo, PLAIN_DATA);
560 // break the encrypted data
561 ret.encrypted->data[BUF_LEN/2]++;
563 // no data integrity check
564 assert_crypto_positive(apiDecrypt,
568 *ret.encrypted.get(),
571 RawBufferPtr tmp = create_raw_buffer(decrypted);
572 assert_buffers_equal(*PLAIN_DATA.get(), *decrypted, false);
575 void testCtrEncryptionInvalidLength(const Algo& algo)
578 ckmc_raw_buffer_s* encryptedTmp = nullptr;
581 KeyAliasPair aliases = getKey(algo, PRIMARY);
584 ckmc_param_list_h handle = NULL;
585 assert_positive(ckmc_generate_new_params, algo.type, &handle);
586 ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free);
587 setParam(params, CKMC_PARAM_ED_IV, DEFAULT_IV);
591 assert_crypto_invalid_param(apiEncrypt,
597 ckmc_buffer_free(encryptedTmp);
598 encryptedTmp = nullptr;
600 // invalid counter size
601 setParam(params, CKMC_PARAM_ED_CTR_LEN, -1);
603 setParam(params, CKMC_PARAM_ED_CTR_LEN, 0);
605 setParam(params, CKMC_PARAM_ED_CTR_LEN, CTR_DEFAULT_LEN+1);
609 void testCtrEncryptionValidLength(const Algo& algo)
612 ckmc_raw_buffer_s* encryptedTmp = nullptr;
615 KeyAliasPair aliases = getKey(algo, PRIMARY);
618 ckmc_param_list_h handle = NULL;
619 assert_positive(ckmc_generate_new_params, algo.type, &handle);
620 ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free);
621 setParam(params, CKMC_PARAM_ED_IV, DEFAULT_IV);
625 assert_crypto_positive(apiEncrypt,
631 ckmc_buffer_free(encryptedTmp);
632 encryptedTmp = nullptr;
634 // valid counter sizez
635 setParam(params, CKMC_PARAM_ED_CTR_LEN, 1);
637 setParam(params, CKMC_PARAM_ED_CTR_LEN, 4);
639 setParam(params, CKMC_PARAM_ED_CTR_LEN, CTR_DEFAULT_LEN-1);
641 setParam(params, CKMC_PARAM_ED_CTR_LEN, CTR_DEFAULT_LEN);
645 void testCtrDecryptionInvalidLength(const Algo& algo)
648 ckmc_raw_buffer_s* decrypted = nullptr;
650 // add AES CTR key & encrypt
651 auto ret = encrypt(algo, PLAIN_DATA);
655 assert_crypto_invalid_param(apiDecrypt,
659 *ret.encrypted.get(),
661 ckmc_buffer_free(decrypted);
664 // invalid counter size
665 setParam(ret.params, CKMC_PARAM_ED_CTR_LEN, -1);
667 setParam(ret.params, CKMC_PARAM_ED_CTR_LEN, 0);
669 setParam(ret.params, CKMC_PARAM_ED_CTR_LEN, CTR_DEFAULT_LEN+1);
673 void testCtrDecryptionValidLength(const Algo& algo)
676 ckmc_raw_buffer_s* decrypted = nullptr;
678 // add AES CTR key & encrypt
679 auto ret = encrypt(algo, PLAIN_DATA);
683 assert_crypto_positive(apiDecrypt,
687 *ret.encrypted.get(),
689 ckmc_buffer_free(decrypted);
690 RawBufferPtr tmp = create_raw_buffer(decrypted);
691 assert_buffers_equal(*PLAIN_DATA.get(), *decrypted);
693 // invalid counter size
694 setParam(ret.params, CKMC_PARAM_ED_CTR_LEN, 1);
696 setParam(ret.params, CKMC_PARAM_ED_CTR_LEN, 4);
698 setParam(ret.params, CKMC_PARAM_ED_CTR_LEN, CTR_DEFAULT_LEN-1);
700 setParam(ret.params, CKMC_PARAM_ED_CTR_LEN, CTR_DEFAULT_LEN);
704 void testGcmEncryptionTagLen(const Algo& algo)
707 ckmc_raw_buffer_s* encryptedTmp = nullptr;
710 KeyAliasPair aliases = getKey(algo, PRIMARY);
713 ckmc_param_list_h handle = NULL;
714 assert_positive(ckmc_generate_new_params, algo.type, &handle);
715 ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free);
716 setParam(params, CKMC_PARAM_ED_IV, DEFAULT_IV);
718 std::vector<TagTest> testData = {
719 // illegal tag lengths
720 { -1, EncryptionError::INVALID_PARAM },
721 { 0, EncryptionError::INVALID_PARAM },
722 { 16, EncryptionError::INVALID_PARAM },
723 { 48, EncryptionError::INVALID_PARAM },
724 { 72, EncryptionError::INVALID_PARAM },
725 { 100, EncryptionError::INVALID_PARAM },
726 { 108, EncryptionError::INVALID_PARAM },
727 { 116, EncryptionError::INVALID_PARAM },
728 { 124, EncryptionError::INVALID_PARAM },
729 { 256, EncryptionError::INVALID_PARAM },
731 { 32, EncryptionError::INVALID_PARAM },
732 { 64, EncryptionError::INVALID_PARAM },
736 { 32, EncryptionError::SUCCESS },
737 { 64, EncryptionError::SUCCESS },
740 { 96, EncryptionError::SUCCESS },
741 { 104, EncryptionError::SUCCESS },
742 { 112, EncryptionError::SUCCESS },
743 { 120, EncryptionError::SUCCESS },
744 { 128, EncryptionError::SUCCESS },
748 for(const auto& it : testData)
750 setParam(params, CKMC_PARAM_ED_TAG_LEN, it.tagLen);
751 assert_crypto_result(it.expected,
758 ckmc_buffer_free(encryptedTmp);
759 encryptedTmp = nullptr;
763 void testGcmDecryptionTagLen(const Algo& algo)
766 ckmc_raw_buffer_s* decrypted = nullptr;
768 // add AES GCM key & encrypt
769 auto ret = encrypt(algo, PLAIN_DATA);
771 std::vector<TagTest> testData = {
772 // illegal tag lengths
773 { -1, EncryptionError::INVALID_PARAM },
774 { 0, EncryptionError::INVALID_PARAM },
775 { 16, EncryptionError::INVALID_PARAM },
776 { 48, EncryptionError::INVALID_PARAM },
777 { 72, EncryptionError::INVALID_PARAM },
778 { 100, EncryptionError::INVALID_PARAM },
779 { 108, EncryptionError::INVALID_PARAM },
780 { 116, EncryptionError::INVALID_PARAM },
781 { 124, EncryptionError::INVALID_PARAM },
782 { 256, EncryptionError::INVALID_PARAM },
783 // legal tag lengths but different than the one used for encryption
784 { 32, EncryptionError::INVALID_PARAM },
785 { 64, EncryptionError::INVALID_PARAM },
786 { 96, EncryptionError::INVALID_PARAM },
787 { 104, EncryptionError::INVALID_PARAM },
788 { 112, EncryptionError::INVALID_PARAM },
789 { 120, EncryptionError::INVALID_PARAM },
790 // legal tag length that was actually used for encryption (default)
791 { 128, EncryptionError::SUCCESS },
795 for(const auto& it : testData)
797 setParam(ret.params, CKMC_PARAM_ED_TAG_LEN, it.tagLen);
798 assert_crypto_result(it.expected,
803 *ret.encrypted.get(),
805 ckmc_buffer_free(decrypted);
810 void testGcmWrongTag(const Algo& algo)
813 ckmc_raw_buffer_s* decrypted = nullptr;
815 // encrypt with AES GCM
816 auto ret = encrypt(algo, PLAIN_DATA);
818 // modify tag (last 16B of encrypted message)
819 ret.encrypted->data[ret.encrypted->size-1]++;
821 // EVP_CipherFinal fails because of an authentication error
822 assert_crypto_result(EncryptionError::INVALID_PARAM,
827 *ret.encrypted.get(),
831 void testGcmDifferentIvSizes(const Algo& algo)
834 KeyAliasPair aliases = getKey(algo, PRIMARY);
836 testGcmIvSize(IV11, aliases, EncryptionError::SERVER_ERROR); // 12B is the smallest
837 testGcmIvSize(IV12, aliases);
838 testGcmIvSize(IV17, aliases);
839 testGcmIvSize(IV128, aliases);
842 void testEncryptDecryptBigData(const Algo& algo)
845 ckmc_raw_buffer_s* decrypted = nullptr;
848 auto ret = encrypt(algo, BIG_DATA);
850 assert_positive(apiDecrypt,
854 *ret.encrypted.get(),
856 RawBufferPtr tmp = create_raw_buffer(decrypted);
858 assert_buffers_equal(*BIG_DATA.get(), *decrypted);
861 void testEncryptDecryptDifferentKeys(const Algo& algo, bool success)
864 ckmc_raw_buffer_s* decrypted = nullptr;
867 auto ret = encrypt(algo, PLAIN_DATA);
869 // get different keys
870 KeyAliasPair differentKeys = getKey(algo, PASSWORD_PROTECTED);
873 // some algorithms don't verify key validity
874 assert_crypto_positive(apiDecrypt,
876 differentKeys.prv.c_str(),
878 *ret.encrypted.get(),
880 RawBufferPtr tmp = create_raw_buffer(decrypted);
882 assert_buffers_equal(*PLAIN_DATA.get(), *decrypted, false);
884 assert_crypto_result(EncryptionError::INVALID_PARAM,
887 differentKeys.prv.c_str(),
889 *ret.encrypted.get(),
894 void testRsaLongestData(const Algo& algo, size_t dataSize)
897 RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(dataSize));
898 ckmc_raw_buffer_s* decrypted = nullptr;
901 auto ret = encrypt(algo, plain);
903 assert_crypto_positive(apiDecrypt,
907 *ret.encrypted.get(),
909 RawBufferPtr tmp = create_raw_buffer(decrypted);
911 assert_buffers_equal(*plain.get(), *decrypted);
914 void testRsaDataTooLong(const Algo& algo, size_t dataSize)
917 RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(dataSize));
920 EncryptionResult ret;
921 ckmc_raw_buffer_s* encrypted = nullptr;
922 KeyAliasPair aliases = getKey(algo, PRIMARY);
924 ckmc_param_list_h handle = NULL;
925 assert_positive(ckmc_generate_new_params, algo.type, &handle);
926 ret.params = ParamListPtr(handle, ckmc_param_list_free);
927 assert_crypto_result(EncryptionError::INVALID_PARAM,
936 } // namespace anonymous
938 RUNNER_TEST_GROUP_INIT_ENV(CKM_ENCRYPTION_DECRYPTION, EncGroupFixture);
940 /////////////////////////////////////////
941 // Generic encryption decryption tests
942 /////////////////////////////////////////
944 RUNNER_TEST_MULTIPLE(TED_0010_encrypt_invalid_param_list, SyncEnv, AsyncEnv)
946 testAllAlgorithms([](const Algo& algo){
948 ckmc_raw_buffer_s* encrypted = nullptr;
951 KeyAliasPair aliases = getKey(algo, PRIMARY);
954 assert_crypto_invalid_param(apiEncrypt,
962 ParamListPtr params = createParamListPtr();
963 assert_crypto_invalid_param(apiEncrypt,
972 RUNNER_TEST_MULTIPLE(TED_0020_encrypt_missing_key, SyncEnv, AsyncEnv)
974 testAllAlgorithms([](const Algo& algo){
976 ckmc_raw_buffer_s* encrypted = nullptr;
979 ckmc_param_list_h handle = NULL;
980 assert_positive(ckmc_generate_new_params, algo.type, &handle);
981 ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free);
982 setParam(params, CKMC_PARAM_ED_IV, DEFAULT_IV);
984 assert_crypto_result(EncryptionError::ALIAS_UNKNOWN,
987 "non-existing-key-alias",
994 RUNNER_TEST_MULTIPLE(TED_0030_encrypt_no_plain_text, SyncEnv, AsyncEnv)
996 testAllAlgorithms([](const Algo& algo){
998 ckmc_raw_buffer_s plain = { nullptr, 0 };
999 ckmc_raw_buffer_s* encrypted = nullptr;
1002 KeyAliasPair aliases = getKey(algo, PRIMARY);
1005 ckmc_param_list_h handle = NULL;
1006 assert_positive(ckmc_generate_new_params, algo.type, &handle);
1007 ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free);
1008 setParam(params, CKMC_PARAM_ED_IV, DEFAULT_IV);
1010 assert_crypto_invalid_param(apiEncrypt,
1012 aliases.pub.c_str(),
1019 RUNNER_TEST_MULTIPLE(TED_0040_encrypt_no_output_buffer, SyncEnv, AsyncEnv)
1021 testAllAlgorithms([](const Algo& algo){
1023 ckmc_raw_buffer_s** encrypted = nullptr;
1026 KeyAliasPair aliases = getKey(algo, PRIMARY);
1029 ckmc_param_list_h handle = NULL;
1030 assert_positive(ckmc_generate_new_params, algo.type, &handle);
1031 ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free);
1032 setParam(params, CKMC_PARAM_ED_IV, DEFAULT_IV);
1034 assert_crypto_invalid_param(apiEncrypt,
1036 aliases.pub.c_str(),
1043 RUNNER_TEST_MULTIPLE(TED_0110_decrypt_invalid_param_list, SyncEnv, AsyncEnv)
1045 testAllAlgorithms([](const Algo& algo){
1047 ckmc_raw_buffer_s* decrypted = nullptr;
1050 auto ret = encrypt(algo, PLAIN_DATA);
1053 assert_crypto_invalid_param(apiDecrypt,
1057 *ret.encrypted.get(),
1061 ParamListPtr params = createParamListPtr();
1062 assert_crypto_invalid_param(apiDecrypt,
1066 *ret.encrypted.get(),
1071 RUNNER_TEST_MULTIPLE(TED_0120_decrypt_missing_key, SyncEnv, AsyncEnv)
1073 testAllAlgorithms([](const Algo& algo){
1075 ckmc_raw_buffer_s* decrypted = nullptr;
1078 auto ret = encrypt(algo, PLAIN_DATA);
1081 assert_crypto_result(EncryptionError::ALIAS_UNKNOWN,
1086 *ret.encrypted.get(),
1091 RUNNER_TEST_MULTIPLE(TED_0130_decrypt_no_encrypted_text, SyncEnv, AsyncEnv)
1093 testAllAlgorithms([](const Algo& algo){
1095 ckmc_raw_buffer_s encrypted = { nullptr, 0 };
1096 ckmc_raw_buffer_s* decrypted = nullptr;
1099 KeyAliasPair aliases = getKey(algo, PRIMARY);
1102 ckmc_param_list_h handle = NULL;
1103 assert_positive(ckmc_generate_new_params, algo.type, &handle);
1104 ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free);
1105 setParam(params, CKMC_PARAM_ED_IV, DEFAULT_IV);
1107 assert_crypto_invalid_param(apiDecrypt,
1109 aliases.prv.c_str(),
1116 RUNNER_TEST_MULTIPLE(TED_0140_decrypt_no_output_buffer, SyncEnv, AsyncEnv)
1118 testAllAlgorithms([](const Algo& algo){
1120 ckmc_raw_buffer_s** decrypted = nullptr;
1123 auto ret = encrypt(algo, PLAIN_DATA);
1125 assert_crypto_invalid_param(apiDecrypt,
1129 *ret.encrypted.get(),
1134 RUNNER_TEST_MULTIPLE(TED_0200_encrypt_decrypt_different_keys, SyncEnv, AsyncEnv)
1136 testEncryptDecryptDifferentKeys({CKMC_ALGO_AES_GCM, 128}, false);
1137 testEncryptDecryptDifferentKeys({CKMC_ALGO_AES_GCM, 192}, false);
1138 testEncryptDecryptDifferentKeys({CKMC_ALGO_AES_GCM, 256}, false);
1139 testEncryptDecryptDifferentKeys({CKMC_ALGO_AES_CTR, 128}, true);
1140 testEncryptDecryptDifferentKeys({CKMC_ALGO_AES_CTR, 192}, true);
1141 testEncryptDecryptDifferentKeys({CKMC_ALGO_AES_CTR, 256}, true);
1142 testEncryptDecryptDifferentKeys({CKMC_ALGO_AES_CFB, 128}, true);
1143 testEncryptDecryptDifferentKeys({CKMC_ALGO_AES_CFB, 192}, true);
1144 testEncryptDecryptDifferentKeys({CKMC_ALGO_AES_CFB, 256}, true);
1145 testEncryptDecryptDifferentKeys({CKMC_ALGO_RSA_OAEP, 1024}, false);
1146 testEncryptDecryptDifferentKeys({CKMC_ALGO_RSA_OAEP, 2048}, false);
1147 testEncryptDecryptDifferentKeys({CKMC_ALGO_RSA_OAEP, 4096}, false);
1150 RUNNER_TEST_MULTIPLE(TED_0300_encrypt_decrypt, SyncEnv, AsyncEnv)
1152 testAllAlgorithms([](const Algo& algo){
1154 ckmc_raw_buffer_s* decrypted = nullptr;
1157 auto ret = encrypt(algo, PLAIN_DATA);
1159 assert_crypto_positive(apiDecrypt,
1163 *ret.encrypted.get(),
1165 RawBufferPtr tmp = create_raw_buffer(decrypted);
1167 assert_buffers_equal(*PLAIN_DATA.get(), *decrypted);
1171 RUNNER_TEST_MULTIPLE(TED_0310_encrypt_decrypt_password, SyncEnv, AsyncEnv)
1173 testAllAlgorithms([](const Algo& algo){
1175 ckmc_raw_buffer_s* decrypted = nullptr;
1178 auto ret = encrypt(algo, PLAIN_DATA, PASSWORD);
1181 assert_crypto_result(EncryptionError::AUTH_FAILED,
1186 *ret.encrypted.get(),
1190 assert_crypto_positive(apiDecrypt,
1194 *ret.encrypted.get(),
1196 RawBufferPtr tmp = create_raw_buffer(decrypted); // guarantees deletion
1198 assert_buffers_equal(*PLAIN_DATA.get(), *decrypted);
1202 // long test split into smaller ones
1203 RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CBC_128, SyncEnv, AsyncEnv)
1205 testEncryptDecryptBigData({CKMC_ALGO_AES_CBC, 128});
1208 RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CBC_192, SyncEnv, AsyncEnv)
1210 testEncryptDecryptBigData({CKMC_ALGO_AES_CBC, 192});
1213 RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CBC_256, SyncEnv, AsyncEnv)
1215 testEncryptDecryptBigData({CKMC_ALGO_AES_CBC, 256});
1218 RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_GCM_128, SyncEnv, AsyncEnv)
1220 testEncryptDecryptBigData({CKMC_ALGO_AES_GCM, 128});
1223 RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_GCM_192, SyncEnv, AsyncEnv)
1225 testEncryptDecryptBigData({CKMC_ALGO_AES_GCM, 192});
1228 RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_GCM_256, SyncEnv, AsyncEnv)
1230 testEncryptDecryptBigData({CKMC_ALGO_AES_GCM, 256});
1233 RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CTR_128, SyncEnv, AsyncEnv)
1235 testEncryptDecryptBigData({CKMC_ALGO_AES_CTR, 128});
1238 RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CTR_192, SyncEnv, AsyncEnv)
1240 testEncryptDecryptBigData({CKMC_ALGO_AES_CTR, 192});
1243 RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CTR_256, SyncEnv, AsyncEnv)
1245 testEncryptDecryptBigData({CKMC_ALGO_AES_CTR, 256});
1248 RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CFB_128, SyncEnv, AsyncEnv)
1250 testEncryptDecryptBigData({CKMC_ALGO_AES_CFB, 128});
1253 RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CFB_192, SyncEnv, AsyncEnv)
1255 testEncryptDecryptBigData({CKMC_ALGO_AES_CFB, 192});
1258 RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CFB_256, SyncEnv, AsyncEnv)
1260 testEncryptDecryptBigData({CKMC_ALGO_AES_CFB, 256});
1263 /////////////////////////////////////////
1264 // Algorithm specific tests
1265 /////////////////////////////////////////
1267 RUNNER_TEST_MULTIPLE(TED_1005_no_iv_enc, SyncEnv, AsyncEnv)
1269 testNoIvEnc({CKMC_ALGO_AES_CTR, 128});
1270 testNoIvEnc({CKMC_ALGO_AES_CTR, 192});
1271 testNoIvEnc({CKMC_ALGO_AES_CTR, 256});
1272 testNoIvEnc({CKMC_ALGO_AES_CBC, 128});
1273 testNoIvEnc({CKMC_ALGO_AES_CBC, 192});
1274 testNoIvEnc({CKMC_ALGO_AES_CBC, 256});
1275 testNoIvEnc({CKMC_ALGO_AES_CFB, 128});
1276 testNoIvEnc({CKMC_ALGO_AES_CFB, 192});
1277 testNoIvEnc({CKMC_ALGO_AES_CFB, 256});
1278 testNoIvEnc({CKMC_ALGO_AES_GCM, 128});
1279 testNoIvEnc({CKMC_ALGO_AES_GCM, 192});
1280 testNoIvEnc({CKMC_ALGO_AES_GCM, 256});
1283 RUNNER_TEST_MULTIPLE(TED_1010_invalid_iv_enc, SyncEnv, AsyncEnv)
1285 testInvalidIvEnc({CKMC_ALGO_AES_CTR, 128});
1286 testInvalidIvEnc({CKMC_ALGO_AES_CTR, 192});
1287 testInvalidIvEnc({CKMC_ALGO_AES_CTR, 256});
1288 testInvalidIvEnc({CKMC_ALGO_AES_CBC, 128});
1289 testInvalidIvEnc({CKMC_ALGO_AES_CBC, 192});
1290 testInvalidIvEnc({CKMC_ALGO_AES_CBC, 256});
1291 testInvalidIvEnc({CKMC_ALGO_AES_CFB, 128});
1292 testInvalidIvEnc({CKMC_ALGO_AES_CFB, 192});
1293 testInvalidIvEnc({CKMC_ALGO_AES_CFB, 256});
1296 RUNNER_TEST_MULTIPLE(TED_1015_no_iv_dec, SyncEnv, AsyncEnv)
1298 testNoIvDec({CKMC_ALGO_AES_CTR, 128});
1299 testNoIvDec({CKMC_ALGO_AES_CTR, 192});
1300 testNoIvDec({CKMC_ALGO_AES_CTR, 256});
1301 testNoIvDec({CKMC_ALGO_AES_CBC, 128});
1302 testNoIvDec({CKMC_ALGO_AES_CBC, 192});
1303 testNoIvDec({CKMC_ALGO_AES_CBC, 256});
1304 testNoIvDec({CKMC_ALGO_AES_CFB, 128});
1305 testNoIvDec({CKMC_ALGO_AES_CFB, 192});
1306 testNoIvDec({CKMC_ALGO_AES_CFB, 256});
1307 testNoIvDec({CKMC_ALGO_AES_GCM, 128});
1308 testNoIvDec({CKMC_ALGO_AES_GCM, 192});
1309 testNoIvDec({CKMC_ALGO_AES_GCM, 256});
1312 RUNNER_TEST_MULTIPLE(TED_1020_invalid_iv_dec, SyncEnv, AsyncEnv)
1314 testInvalidIvDec({CKMC_ALGO_AES_CTR, 128});
1315 testInvalidIvDec({CKMC_ALGO_AES_CTR, 192});
1316 testInvalidIvDec({CKMC_ALGO_AES_CTR, 256});
1317 testInvalidIvDec({CKMC_ALGO_AES_CBC, 128});
1318 testInvalidIvDec({CKMC_ALGO_AES_CBC, 192});
1319 testInvalidIvDec({CKMC_ALGO_AES_CBC, 256});
1320 testInvalidIvDec({CKMC_ALGO_AES_CFB, 128});
1321 testInvalidIvDec({CKMC_ALGO_AES_CFB, 192});
1322 testInvalidIvDec({CKMC_ALGO_AES_CFB, 256});
1325 RUNNER_TEST_MULTIPLE(TED_1050_data_integrity, SyncEnv, AsyncEnv)
1327 testIntegrity({CKMC_ALGO_AES_CTR, 128});
1328 testIntegrity({CKMC_ALGO_AES_CTR, 192});
1329 testIntegrity({CKMC_ALGO_AES_CTR, 256});
1330 testIntegrity({CKMC_ALGO_AES_CBC, 128});
1331 testIntegrity({CKMC_ALGO_AES_CBC, 192});
1332 testIntegrity({CKMC_ALGO_AES_CBC, 256});
1333 testIntegrity({CKMC_ALGO_AES_CFB, 128});
1334 testIntegrity({CKMC_ALGO_AES_CFB, 192});
1335 testIntegrity({CKMC_ALGO_AES_CFB, 256});
1338 RUNNER_TEST_MULTIPLE(TED_1100_ctr_encryption_invalid_length, SyncEnv, AsyncEnv)
1340 testCtrEncryptionInvalidLength({CKMC_ALGO_AES_CTR, 128});
1341 testCtrEncryptionInvalidLength({CKMC_ALGO_AES_CTR, 192});
1342 testCtrEncryptionInvalidLength({CKMC_ALGO_AES_CTR, 256});
1345 RUNNER_TEST_MULTIPLE(TED_1105_ctr_encryption_valid_length, SyncEnv, AsyncEnv)
1347 RUNNER_IGNORED_MSG("Openssl supports only 128-bit AES CTR length");
1348 testCtrEncryptionValidLength({CKMC_ALGO_AES_CTR, 128});
1349 testCtrEncryptionValidLength({CKMC_ALGO_AES_CTR, 192});
1350 testCtrEncryptionValidLength({CKMC_ALGO_AES_CTR, 256});
1353 RUNNER_TEST_MULTIPLE(TED_1110_ctr_decryption_invalid_length, SyncEnv, AsyncEnv)
1355 testCtrDecryptionInvalidLength({CKMC_ALGO_AES_CTR, 128});
1356 testCtrDecryptionInvalidLength({CKMC_ALGO_AES_CTR, 192});
1357 testCtrDecryptionInvalidLength({CKMC_ALGO_AES_CTR, 256});
1360 RUNNER_TEST_MULTIPLE(TED_1115_ctr_decryption_valid_length, SyncEnv, AsyncEnv)
1362 RUNNER_IGNORED_MSG("Openssl supports only 128-bit AES CTR length");
1363 testCtrDecryptionValidLength({CKMC_ALGO_AES_CTR, 128});
1364 testCtrDecryptionValidLength({CKMC_ALGO_AES_CTR, 192});
1365 testCtrDecryptionValidLength({CKMC_ALGO_AES_CTR, 256});
1368 RUNNER_TEST_MULTIPLE(TED_1200_gcm_encryption_tag_len, SyncEnv, AsyncEnv)
1370 testGcmEncryptionTagLen({CKMC_ALGO_AES_GCM, 128});
1371 testGcmEncryptionTagLen({CKMC_ALGO_AES_GCM, 192});
1372 testGcmEncryptionTagLen({CKMC_ALGO_AES_GCM, 256});
1375 RUNNER_TEST_MULTIPLE(TED_1210_gcm_decryption_tag_len, SyncEnv, AsyncEnv)
1377 testGcmDecryptionTagLen({CKMC_ALGO_AES_GCM, 128});
1378 testGcmDecryptionTagLen({CKMC_ALGO_AES_GCM, 192});
1379 testGcmDecryptionTagLen({CKMC_ALGO_AES_GCM, 256});
1382 RUNNER_TEST_MULTIPLE(TED_1230_gcm_wrong_tag, SyncEnv, AsyncEnv)
1384 testGcmWrongTag({CKMC_ALGO_AES_GCM, 128});
1385 testGcmWrongTag({CKMC_ALGO_AES_GCM, 192});
1386 testGcmWrongTag({CKMC_ALGO_AES_GCM, 256});
1389 RUNNER_TEST_MULTIPLE(TED_1240_gcm_different_iv_sizes, SyncEnv, AsyncEnv)
1391 testGcmDifferentIvSizes({CKMC_ALGO_AES_GCM, 128});
1392 testGcmDifferentIvSizes({CKMC_ALGO_AES_GCM, 192});
1393 testGcmDifferentIvSizes({CKMC_ALGO_AES_GCM, 256});
1396 RUNNER_TEST_MULTIPLE(TED_1250_gcm_aad, SyncEnv, AsyncEnv)
1398 encryptionWithCustomData({CKMC_ALGO_AES_GCM, 128}, CKMC_PARAM_ED_AAD);
1399 encryptionWithCustomData({CKMC_ALGO_AES_GCM, 192}, CKMC_PARAM_ED_AAD);
1400 encryptionWithCustomData({CKMC_ALGO_AES_GCM, 256}, CKMC_PARAM_ED_AAD);
1403 RUNNER_TEST_MULTIPLE(TED_1300_rsa_label, SyncEnv, AsyncEnv)
1405 RUNNER_IGNORED_MSG("RSA-OAEP labels are not supported in openssl");
1406 encryptionWithCustomData({CKMC_ALGO_RSA_OAEP, 1024}, CKMC_PARAM_ED_LABEL);
1407 encryptionWithCustomData({CKMC_ALGO_RSA_OAEP, 2048}, CKMC_PARAM_ED_LABEL);
1408 encryptionWithCustomData({CKMC_ALGO_RSA_OAEP, 4096}, CKMC_PARAM_ED_LABEL);
1411 RUNNER_TEST_MULTIPLE(TED_1330_rsa_longest_data, SyncEnv, AsyncEnv)
1413 testRsaLongestData({CKMC_ALGO_RSA_OAEP, 1024}, 86);
1414 testRsaLongestData({CKMC_ALGO_RSA_OAEP, 2048}, 214);
1415 testRsaLongestData({CKMC_ALGO_RSA_OAEP, 4096}, 470);
1418 RUNNER_TEST_MULTIPLE(TED_1350_rsa_data_too_long, SyncEnv, AsyncEnv)
1420 testRsaDataTooLong({CKMC_ALGO_RSA_OAEP, 1024}, 87);
1421 testRsaDataTooLong({CKMC_ALGO_RSA_OAEP, 2048}, 215);
1422 testRsaDataTooLong({CKMC_ALGO_RSA_OAEP, 4096}, 471);
1425 /////////////////////////////////////////
1426 // Asynchronous only tests
1427 /////////////////////////////////////////
1428 RUNNER_TEST(TED_2000_enc_no_observer_async, AsyncEnv)
1430 testAllAlgorithms([](const Algo& algo){
1432 RawBuffer plain = createRandomBuffer(BUF_LEN);
1435 KeyAliasPair aliases = getKey(algo, PRIMARY);
1438 ckmc_param_list_h handle = NULL;
1439 assert_positive(ckmc_generate_new_params, algo.type, &handle);
1440 ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free);
1441 setParam(params, CKMC_PARAM_ED_IV, DEFAULT_IV);
1444 test_no_observer(&ManagerAsync::encrypt,
1445 *reinterpret_cast<CryptoAlgorithm*>(params.get()),
1452 RUNNER_TEST(TED_2010_dec_no_observer_async, AsyncEnv)
1454 testAllAlgorithms([](const Algo& algo){
1456 auto ret = encrypt(algo, PLAIN_DATA);
1457 RawBuffer encrypted(ret.encrypted->data, ret.encrypted->data + ret.encrypted->size);
1460 test_no_observer(&ManagerAsync::decrypt,
1461 *reinterpret_cast<CryptoAlgorithm*>(ret.params.get()),