1 /*
2 * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation.
8 *
9 * This code is distributed in the hope that it will be useful, but WITHOUT
10 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
11 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
12 * version 2 for more details (a copy is included in the LICENSE file that
13 * accompanied this code).
14 *
15 * You should have received a copy of the GNU General Public License version
16 * 2 along with this work; if not, write to the Free Software Foundation,
17 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
18 *
19 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
20 * or visit www.oracle.com if you need additional information or have any
21 * questions.
22 */
23
24 /**
25 * @test
26 * @bug 8153029
27 * @library /test/lib
28 * @build jdk.test.lib.Convert
29 * @run main ChaCha20KAT
30 * @summary ChaCha20 Cipher Implementation (KAT)
31 */
32
33 import java.util.*;
34 import java.security.GeneralSecurityException;
35 import javax.crypto.Cipher;
36 import javax.crypto.spec.ChaCha20ParameterSpec;
37 import javax.crypto.spec.IvParameterSpec;
38 import javax.crypto.spec.SecretKeySpec;
39 import javax.crypto.AEADBadTagException;
40 import java.nio.ByteBuffer;
41 import jdk.test.lib.Convert;
42
43 public class ChaCha20KAT {
44 public static class TestData {
45 public TestData(String name, String keyStr, String nonceStr, int ctr,
46 int dir, String inputStr, String aadStr, String outStr) {
47 testName = Objects.requireNonNull(name);
48 key = Convert.hexStringToByteArray(Objects.requireNonNull(keyStr));
49 nonce = Convert.hexStringToByteArray(
50 Objects.requireNonNull(nonceStr));
51 if ((counter = ctr) < 0) {
52 throw new IllegalArgumentException(
53 "counter must be 0 or greater");
54 }
55 direction = dir;
56 if ((direction != Cipher.ENCRYPT_MODE) &&
57 (direction != Cipher.DECRYPT_MODE)) {
58 throw new IllegalArgumentException(
59 "Direction must be ENCRYPT_MODE or DECRYPT_MODE");
60 }
61 input = Convert.hexStringToByteArray(
62 Objects.requireNonNull(inputStr));
63 aad = (aadStr != null) ?
64 Convert.hexStringToByteArray(aadStr) : null;
65 expOutput = Convert.hexStringToByteArray(
66 Objects.requireNonNull(outStr));
67 }
68
69 public final String testName;
70 public final byte[] key;
71 public final byte[] nonce;
72 public final int counter;
73 public final int direction;
74 public final byte[] input;
75 public final byte[] aad;
76 public final byte[] expOutput;
77 }
78
79 public static final List<TestData> testList = new LinkedList<TestData>() {{
80 add(new TestData("RFC 7539 Sample Test Vector",
81 "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f",
82 "000000000000004a00000000",
83 1, Cipher.ENCRYPT_MODE,
84 "4c616469657320616e642047656e746c656d656e206f662074686520636c6173" +
85 "73206f66202739393a204966204920636f756c64206f6666657220796f75206f" +
86 "6e6c79206f6e652074697020666f7220746865206675747572652c2073756e73" +
87 "637265656e20776f756c642062652069742e",
88 null,
89 "6e2e359a2568f98041ba0728dd0d6981e97e7aec1d4360c20a27afccfd9fae0b" +
90 "f91b65c5524733ab8f593dabcd62b3571639d624e65152ab8f530c359f0861d8" +
91 "07ca0dbf500d6a6156a38e088a22b65e52bc514d16ccf806818ce91ab7793736" +
92 "5af90bbf74a35be6b40b8eedf2785e42874d"));
93 add(new TestData("RFC 7539 Test Vector 1 (all zeroes)",
94 "0000000000000000000000000000000000000000000000000000000000000000",
95 "000000000000000000000000",
96 0, Cipher.ENCRYPT_MODE,
97 "0000000000000000000000000000000000000000000000000000000000000000" +
98 "0000000000000000000000000000000000000000000000000000000000000000",
99 null,
100 "76b8e0ada0f13d90405d6ae55386bd28bdd219b8a08ded1aa836efcc8b770dc7" +
101 "da41597c5157488d7724e03fb8d84a376a43b8f41518a11cc387b669b2ee6586"));
102 add(new TestData("RFC 7539 Test Vector 2",
103 "0000000000000000000000000000000000000000000000000000000000000001",
104 "000000000000000000000002",
105 1, Cipher.ENCRYPT_MODE,
106 "416e79207375626d697373696f6e20746f20746865204945544620696e74656e" +
107 "6465642062792074686520436f6e7472696275746f7220666f72207075626c69" +
108 "636174696f6e20617320616c6c206f722070617274206f6620616e2049455446" +
109 "20496e7465726e65742d4472616674206f722052464320616e6420616e792073" +
110 "746174656d656e74206d6164652077697468696e2074686520636f6e74657874" +
111 "206f6620616e204945544620616374697669747920697320636f6e7369646572" +
112 "656420616e20224945544620436f6e747269627574696f6e222e205375636820" +
113 "73746174656d656e747320696e636c756465206f72616c2073746174656d656e" +
114 "747320696e20494554462073657373696f6e732c2061732077656c6c20617320" +
115 "7772697474656e20616e6420656c656374726f6e696320636f6d6d756e696361" +
116 "74696f6e73206d61646520617420616e792074696d65206f7220706c6163652c" +
117 "207768696368206172652061646472657373656420746f",
118 null,
119 "a3fbf07df3fa2fde4f376ca23e82737041605d9f4f4f57bd8cff2c1d4b7955ec" +
120 "2a97948bd3722915c8f3d337f7d370050e9e96d647b7c39f56e031ca5eb6250d" +
121 "4042e02785ececfa4b4bb5e8ead0440e20b6e8db09d881a7c6132f420e527950" +
122 "42bdfa7773d8a9051447b3291ce1411c680465552aa6c405b7764d5e87bea85a" +
123 "d00f8449ed8f72d0d662ab052691ca66424bc86d2df80ea41f43abf937d3259d" +
124 "c4b2d0dfb48a6c9139ddd7f76966e928e635553ba76c5c879d7b35d49eb2e62b" +
125 "0871cdac638939e25e8a1e0ef9d5280fa8ca328b351c3c765989cbcf3daa8b6c" +
126 "cc3aaf9f3979c92b3720fc88dc95ed84a1be059c6499b9fda236e7e818b04b0b" +
127 "c39c1e876b193bfe5569753f88128cc08aaa9b63d1a16f80ef2554d7189c411f" +
128 "5869ca52c5b83fa36ff216b9c1d30062bebcfd2dc5bce0911934fda79a86f6e6" +
129 "98ced759c3ff9b6477338f3da4f9cd8514ea9982ccafb341b2384dd902f3d1ab" +
130 "7ac61dd29c6f21ba5b862f3730e37cfdc4fd806c22f221"));
131 add(new TestData("RFC 7539 Test Vector 3",
132 "1c9240a5eb55d38af333888604f6b5f0473917c1402b80099dca5cbc207075c0",
133 "000000000000000000000002",
134 42, Cipher.ENCRYPT_MODE,
135 "2754776173206272696c6c69672c20616e642074686520736c6974687920746f" +
136 "7665730a446964206779726520616e642067696d626c6520696e207468652077" +
137 "6162653a0a416c6c206d696d737920776572652074686520626f726f676f7665" +
138 "732c0a416e6420746865206d6f6d65207261746873206f757467726162652e",
139 null,
140 "62e6347f95ed87a45ffae7426f27a1df5fb69110044c0d73118effa95b01e5cf" +
141 "166d3df2d721caf9b21e5fb14c616871fd84c54f9d65b283196c7fe4f60553eb" +
142 "f39c6402c42234e32a356b3e764312a61a5532055716ead6962568f87d3f3f77" +
143 "04c6a8d1bcd1bf4d50d6154b6da731b187b58dfd728afa36757a797ac188d1"));
144 }};
145
146 public static final List<TestData> aeadTestList =
147 new LinkedList<TestData>() {{
148 add(new TestData("RFC 7539 Sample AEAD Test Vector",
149 "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f",
150 "070000004041424344454647",
151 1, Cipher.ENCRYPT_MODE,
152 "4c616469657320616e642047656e746c656d656e206f662074686520636c6173" +
153 "73206f66202739393a204966204920636f756c64206f6666657220796f75206f" +
154 "6e6c79206f6e652074697020666f7220746865206675747572652c2073756e73" +
155 "637265656e20776f756c642062652069742e",
156 "50515253c0c1c2c3c4c5c6c7",
157 "d31a8d34648e60db7b86afbc53ef7ec2a4aded51296e08fea9e2b5a736ee62d6" +
158 "3dbea45e8ca9671282fafb69da92728b1a71de0a9e060b2905d6a5b67ecd3b36" +
159 "92ddbd7f2d778b8c9803aee328091b58fab324e4fad675945585808b4831d7bc" +
160 "3ff4def08e4b7a9de576d26586cec64b61161ae10b594f09e26a7e902ecbd060" +
161 "0691"));
162 add(new TestData("RFC 7539 A.5 Sample Decryption",
163 "1c9240a5eb55d38af333888604f6b5f0473917c1402b80099dca5cbc207075c0",
164 "000000000102030405060708",
165 1, Cipher.DECRYPT_MODE,
166 "64a0861575861af460f062c79be643bd5e805cfd345cf389f108670ac76c8cb2" +
167 "4c6cfc18755d43eea09ee94e382d26b0bdb7b73c321b0100d4f03b7f355894cf" +
168 "332f830e710b97ce98c8a84abd0b948114ad176e008d33bd60f982b1ff37c855" +
169 "9797a06ef4f0ef61c186324e2b3506383606907b6a7c02b0f9f6157b53c867e4" +
170 "b9166c767b804d46a59b5216cde7a4e99040c5a40433225ee282a1b0a06c523e" +
171 "af4534d7f83fa1155b0047718cbc546a0d072b04b3564eea1b422273f548271a" +
172 "0bb2316053fa76991955ebd63159434ecebb4e466dae5a1073a6727627097a10" +
173 "49e617d91d361094fa68f0ff77987130305beaba2eda04df997b714d6c6f2c29" +
174 "a6ad5cb4022b02709beead9d67890cbb22392336fea1851f38",
175 "f33388860000000000004e91",
176 "496e7465726e65742d4472616674732061726520647261667420646f63756d65" +
177 "6e74732076616c696420666f722061206d6178696d756d206f6620736978206d" +
178 "6f6e74687320616e64206d617920626520757064617465642c207265706c6163" +
179 "65642c206f72206f62736f6c65746564206279206f7468657220646f63756d65" +
180 "6e747320617420616e792074696d652e20497420697320696e617070726f7072" +
181 "6961746520746f2075736520496e7465726e65742d4472616674732061732072" +
182 "65666572656e6365206d6174657269616c206f7220746f206369746520746865" +
183 "6d206f74686572207468616e206173202fe2809c776f726b20696e2070726f67" +
184 "726573732e2fe2809d"));
185 }};
186
187
188 public static void main(String args[]) throws Exception {
189 int testsPassed = 0;
190 int testNumber = 0;
191
192 System.out.println("----- Single-part (byte[]) Tests -----");
193 for (TestData test : testList) {
194 System.out.println("*** Test " + ++testNumber + ": " +
195 test.testName);
196 if (runSinglePartTest(test)) {
197 testsPassed++;
198 }
199 }
200 System.out.println();
201
202 System.out.println("----- Single-part (ByteBuffer) Tests -----");
203 for (TestData test : testList) {
204 System.out.println("*** Test " + ++testNumber + ": " +
205 test.testName);
206 if (runByteBuffer(test)) {
207 testsPassed++;
208 }
209 }
210 System.out.println();
211
212 System.out.println("----- Multi-part Tests -----");
213 for (TestData test : testList) {
214 System.out.println("*** Test " + ++testNumber + ": " +
215 test.testName);
216 if (runMultiPartTest(test)) {
217 testsPassed++;
218 }
219 }
220 System.out.println();
221
222 System.out.println("----- AEAD Tests -----");
223 for (TestData test : aeadTestList) {
224 System.out.println("*** Test " + ++testNumber + ": " +
225 test.testName);
226 if (runAEADTest(test)) {
227 testsPassed++;
228 }
229 }
230 System.out.println();
231
232 System.out.println("Total tests: " + testNumber +
233 ", Passed: " + testsPassed + ", Failed: " +
234 (testNumber - testsPassed));
235 if (testsPassed != testNumber) {
236 throw new RuntimeException("One or more tests failed. " +
237 "Check output for details");
238 }
239 }
240
241 private static boolean runSinglePartTest(TestData testData)
242 throws GeneralSecurityException {
243 boolean encRes = false;
244 boolean decRes = false;
245 byte[] encryptedResult;
246 byte[] decryptedResult;
247
248 // Get a Cipher instance and set up the parameters
249 Cipher mambo = Cipher.getInstance("ChaCha20");
250 SecretKeySpec mamboKey = new SecretKeySpec(testData.key, "ChaCha20");
251 ChaCha20ParameterSpec mamboSpec = new ChaCha20ParameterSpec(
252 testData.nonce, testData.counter);
253
254 // Encrypt our input
255 mambo.init(Cipher.ENCRYPT_MODE, mamboKey, mamboSpec);
256 encryptedResult = mambo.doFinal(testData.input);
257
258 if (!Arrays.equals(encryptedResult, testData.expOutput)) {
259 System.out.println("ERROR - Output Mismatch!");
260 System.out.println("Expected:\n" +
261 dumpHexBytes(testData.expOutput, 16, "\n", " "));
262 System.out.println("Actual:\n" +
263 dumpHexBytes(encryptedResult, 16, "\n", " "));
264 System.out.println();
265 } else {
266 encRes = true;
267 }
268
269 // Decrypt the result of the encryption operation
270 mambo = Cipher.getInstance("ChaCha20");
271 mambo.init(Cipher.DECRYPT_MODE, mamboKey, mamboSpec);
272 decryptedResult = mambo.doFinal(encryptedResult);
273
274 if (!Arrays.equals(decryptedResult, testData.input)) {
275 System.out.println("ERROR - Output Mismatch!");
276 System.out.println("Expected:\n" +
277 dumpHexBytes(testData.input, 16, "\n", " "));
278 System.out.println("Actual:\n" +
279 dumpHexBytes(decryptedResult, 16, "\n", " "));
280 System.out.println();
281 } else {
282 decRes = true;
283 }
284
285 return (encRes && decRes);
286 }
287
288 private static boolean runMultiPartTest(TestData testData)
289 throws GeneralSecurityException {
290 boolean encRes = false;
291 boolean decRes = false;
292
293 // Get a cipher instance and initialize it
294 Cipher mambo = Cipher.getInstance("ChaCha20");
295 SecretKeySpec mamboKey = new SecretKeySpec(testData.key, "ChaCha20");
296 ChaCha20ParameterSpec mamboSpec = new ChaCha20ParameterSpec(
297 testData.nonce, testData.counter);
298
299 byte[] encryptedResult = new byte[testData.input.length];
300 mambo.init(Cipher.ENCRYPT_MODE, mamboKey, mamboSpec);
301 System.out.print("Encrypt - ");
302 doMulti(mambo, testData.input, encryptedResult);
303
304 if (!Arrays.equals(encryptedResult, testData.expOutput)) {
305 System.out.println("ERROR - Output Mismatch!");
306 System.out.println("Expected:\n" +
307 dumpHexBytes(testData.expOutput, 16, "\n", " "));
308 System.out.println("Actual:\n" +
309 dumpHexBytes(encryptedResult, 16, "\n", " "));
310 System.out.println();
311 } else {
312 encRes = true;
313 }
314
315 // Decrypt the result of the encryption operation
316 mambo = Cipher.getInstance("ChaCha20");
317 byte[] decryptedResult = new byte[encryptedResult.length];
318 mambo.init(Cipher.DECRYPT_MODE, mamboKey, mamboSpec);
319 System.out.print("Decrypt - ");
320 doMulti(mambo, encryptedResult, decryptedResult);
321
322 if (!Arrays.equals(decryptedResult, testData.input)) {
323 System.out.println("ERROR - Output Mismatch!");
324 System.out.println("Expected:\n" +
325 dumpHexBytes(testData.input, 16, "\n", " "));
326 System.out.println("Actual:\n" +
327 dumpHexBytes(decryptedResult, 16, "\n", " "));
328 System.out.println();
329 } else {
330 decRes = true;
331 }
332
333 return (encRes && decRes);
334 }
335
336 private static void doMulti(Cipher c, byte[] input, byte[] output)
337 throws GeneralSecurityException {
338 int offset = 0;
339 boolean done = false;
340 Random randIn = new Random(System.currentTimeMillis());
341
342 // Send small updates between 1 - 8 bytes in length until we get
343 // 8 or less bytes from the end of the input, then finalize.
344 System.out.println("Input length: " + input.length);
345 System.out.print("Multipart (bytes in/out): ");
346 while (!done) {
347 int mPartLen = randIn.nextInt(8) + 1;
348 int bytesLeft = input.length - offset;
349 int processed;
350 if (mPartLen < bytesLeft) {
351 System.out.print(mPartLen + "/");
352 processed = c.update(input, offset, mPartLen,
353 output, offset);
354 offset += processed;
355 System.out.print(processed + " ");
356 } else {
357 processed = c.doFinal(input, offset, bytesLeft,
358 output, offset);
359 System.out.print(bytesLeft + "/" + processed + " ");
360 done = true;
361 }
362 }
363 System.out.println();
364 }
365
366 private static boolean runByteBuffer(TestData testData)
367 throws GeneralSecurityException {
368 boolean encRes = false;
369 boolean decRes = false;
370
371 // Get a cipher instance and initialize it
372 Cipher mambo = Cipher.getInstance("ChaCha20");
373 SecretKeySpec mamboKey = new SecretKeySpec(testData.key, "ChaCha20");
374 ChaCha20ParameterSpec mamboSpec = new ChaCha20ParameterSpec(
375 testData.nonce, testData.counter);
376 mambo.init(Cipher.ENCRYPT_MODE, mamboKey, mamboSpec);
377
378 ByteBuffer bbIn = ByteBuffer.wrap(testData.input);
379 ByteBuffer bbEncOut = ByteBuffer.allocate(
380 mambo.getOutputSize(testData.input.length));
381 ByteBuffer bbExpOut = ByteBuffer.wrap(testData.expOutput);
382
383 mambo.doFinal(bbIn, bbEncOut);
384 bbIn.rewind();
385 bbEncOut.rewind();
386
387 if (bbEncOut.compareTo(bbExpOut) != 0) {
388 System.out.println("ERROR - Output Mismatch!");
389 System.out.println("Expected:\n" +
390 dumpHexBytes(bbExpOut, 16, "\n", " "));
391 System.out.println("Actual:\n" +
392 dumpHexBytes(bbEncOut, 16, "\n", " "));
393 System.out.println();
394 } else {
395 encRes = true;
396 }
397
398 // Decrypt the result of the encryption operation
399 mambo = Cipher.getInstance("ChaCha20");
400 mambo.init(Cipher.DECRYPT_MODE, mamboKey, mamboSpec);
401 System.out.print("Decrypt - ");
402 ByteBuffer bbDecOut = ByteBuffer.allocate(
403 mambo.getOutputSize(bbEncOut.remaining()));
404
405 mambo.doFinal(bbEncOut, bbDecOut);
406 bbEncOut.rewind();
407 bbDecOut.rewind();
408
409 if (bbDecOut.compareTo(bbIn) != 0) {
410 System.out.println("ERROR - Output Mismatch!");
411 System.out.println("Expected:\n" +
412 dumpHexBytes(bbIn, 16, "\n", " "));
413 System.out.println("Actual:\n" +
414 dumpHexBytes(bbDecOut, 16, "\n", " "));
415 System.out.println();
416 } else {
417 decRes = true;
418 }
419
420 return (encRes && decRes);
421 }
422
423 private static boolean runAEADTest(TestData testData)
424 throws GeneralSecurityException {
425 boolean result = false;
426
427 Cipher mambo = Cipher.getInstance("ChaCha20-Poly1305");
428 SecretKeySpec mamboKey = new SecretKeySpec(testData.key, "ChaCha20");
429 IvParameterSpec mamboSpec = new IvParameterSpec(testData.nonce);
430
431 mambo.init(testData.direction, mamboKey, mamboSpec);
432
433 byte[] out = new byte[mambo.getOutputSize(testData.input.length)];
434 int outOff = 0;
435 try {
436 mambo.updateAAD(testData.aad);
437 outOff += mambo.update(testData.input, 0, testData.input.length,
438 out, outOff);
439 outOff += mambo.doFinal(out, outOff);
440 } catch (AEADBadTagException abte) {
441 // If we get a bad tag or derive a tag mismatch, log it
442 // and register it as a failure
443 System.out.println("FAIL: " + abte);
444 return false;
445 }
446
447 if (!Arrays.equals(out, testData.expOutput)) {
448 System.out.println("ERROR - Output Mismatch!");
449 System.out.println("Expected:\n" +
450 dumpHexBytes(testData.expOutput, 16, "\n", " "));
451 System.out.println("Actual:\n" +
452 dumpHexBytes(out, 16, "\n", " "));
453 System.out.println();
454 } else {
455 result = true;
456 }
457
458 return result;
459 }
460
461 /**
462 * Dump the hex bytes of a buffer into string form.
463 *
464 * @param data The array of bytes to dump to stdout.
465 * @param itemsPerLine The number of bytes to display per line
466 * if the {@code lineDelim} character is blank then all bytes
467 * will be printed on a single line.
468 * @param lineDelim The delimiter between lines
469 * @param itemDelim The delimiter between bytes
470 *
471 * @return The hexdump of the byte array
472 */
473 private static String dumpHexBytes(byte[] data, int itemsPerLine,
474 String lineDelim, String itemDelim) {
475 return dumpHexBytes(ByteBuffer.wrap(data), itemsPerLine, lineDelim,
476 itemDelim);
477 }
478
479 private static String dumpHexBytes(ByteBuffer data, int itemsPerLine,
480 String lineDelim, String itemDelim) {
481 StringBuilder sb = new StringBuilder();
482 if (data != null) {
483 data.mark();
484 int i = 0;
485 while (data.remaining() > 0) {
486 if (i % itemsPerLine == 0 && i != 0) {
487 sb.append(lineDelim);
488 }
489 sb.append(String.format("%02X", data.get())).append(itemDelim);
490 i++;
491 }
492 data.reset();
493 }
494
495 return sb.toString();
496 }
497 }
498