1 /*
2 * Copyright (c) 2017, 2020, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation.
8 *
9 * This code is distributed in the hope that it will be useful, but WITHOUT
10 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
11 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
12 * version 2 for more details (a copy is included in the LICENSE file that
13 * accompanied this code).
14 *
15 * You should have received a copy of the GNU General Public License version
16 * 2 along with this work; if not, write to the Free Software Foundation,
17 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
18 *
19 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
20 * or visit www.oracle.com if you need additional information or have any
21 * questions.
22 */
23 /*
24 * @test
25 * @bug 8014628
26 * @library /test/lib
27 * @modules java.base/sun.security.util
28 * java.security.jgss/sun.security.krb5.internal.crypto.dk:+open
29 * @summary https://tools.ietf.org/html/rfc8009 Test Vectors
30 */
31
32 import javax.crypto.Cipher;
33 import java.lang.reflect.Method;
34 import java.util.Arrays;
35
36 import sun.security.krb5.internal.crypto.dk.AesSha2DkCrypto;
37 import jdk.test.lib.hexdump.HexPrinter;
38
39 public class KerberosAesSha2 {
40
41 public static void main(String[] args) throws Exception {
42
43 AesSha2DkCrypto dk128 = new AesSha2DkCrypto(128);
44 AesSha2DkCrypto dk256 = new AesSha2DkCrypto(256);
45
46 boolean aes256ok = Cipher.getMaxAllowedKeyLength("AES") >= 256;
47
48 // Sample results for string-to-key conversion:
49 char[] pass = "password".toCharArray();
50 byte[] salt = cat(
51 hex("10 DF 9D D7 83 E5 BC 8A CE A1 73 0E 74 35 5F 61"),
52 "ATHENA.MIT.EDUraeburn".getBytes());
53
54 check(stringToKey(dk128, pass, salt, null),
55 hex("08 9B CA 48 B1 05 EA 6E A7 7C A5 D2 F3 9D C5 E7"));
56
57 check(stringToKey(dk256, pass, salt, null),
58 hex("45 BD 80 6D BF 6A 83 3A 9C FF C1 C9 45 89 A2 22\n" +
59 "36 7A 79 BC 21 C4 13 71 89 06 E9 F5 78 A7 84 67"));
60
61 // Sample results for key derivation:
62 byte[] bk16 = hex("37 05 D9 60 80 C1 77 28 A0 E8 00 EA B6 E0 D2 3C");
63
64 check(deriveKey(dk128, bk16, 2, (byte) 0x99),
65 hex("B3 1A 01 8A 48 F5 47 76 F4 03 E9 A3 96 32 5D C3"));
66 check(deriveKey(dk128, bk16, 2, (byte) 0xaa),
67 hex("9B 19 7D D1 E8 C5 60 9D 6E 67 C3 E3 7C 62 C7 2E"));
68 check(deriveKey(dk128, bk16, 2, (byte) 0x55),
69 hex("9F DA 0E 56 AB 2D 85 E1 56 9A 68 86 96 C2 6A 6C"));
70
71 byte[] bk32 = hex(
72 "6D 40 4D 37 FA F7 9F 9D F0 D3 35 68 D3 20 66 98\n" +
73 "00 EB 48 36 47 2E A8 A0 26 D1 6B 71 82 46 0C 52");
74
75 check(deriveKey(dk256, bk32, 2, (byte) 0x99), hex(
76 "EF 57 18 BE 86 CC 84 96 3D 8B BB 50 31 E9 F5 C4\n" +
77 "BA 41 F2 8F AF 69 E7 3D"));
78 check(deriveKey(dk256, bk32, 2, (byte) 0xaa), hex(
79 "56 AB 22 BE E6 3D 82 D7 BC 52 27 F6 77 3F 8E A7\n" +
80 "A5 EB 1C 82 51 60 C3 83 12 98 0C 44 2E 5C 7E 49"));
81 check(deriveKey(dk256, bk32, 2, (byte) 0x55), hex(
82 "69 B1 65 14 E3 CD 8E 56 B8 20 10 D5 C7 30 12 B6\n" +
83 "22 C4 D0 0F FC 23 ED 1F"));
84
85 // Sample encryptions (all using the default cipher state):
86
87 check(enc(dk128, hex("7E 58 95 EA F2 67 24 35 BA D8 17 F5 45 A3 71 48"),
88 bk16, hex("")),
89 hex("EF 85 FB 89 0B B8 47 2F 4D AB 20 39 4D CA 78 1D\n" +
90 "AD 87 7E DA 39 D5 0C 87 0C 0D 5A 0A 8E 48 C7 18"));
91
92 check(enc(dk128, hex("7B CA 28 5E 2F D4 13 0F B5 5B 1A 5C 83 BC 5B 24"),
93 bk16, hex("00 01 02 03 04 05")),
94 hex("84 D7 F3 07 54 ED 98 7B AB 0B F3 50 6B EB 09 CF\n" +
95 "B5 54 02 CE F7 E6 87 7C E9 9E 24 7E 52 D1 6E D4\n" +
96 "42 1D FD F8 97 6C"));
97
98 check(enc(dk128, hex("56 AB 21 71 3F F6 2C 0A 14 57 20 0F 6F A9 94 8F"),
99 bk16, hex("00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F")),
100 hex("35 17 D6 40 F5 0D DC 8A D3 62 87 22 B3 56 9D 2A\n" +
101 "E0 74 93 FA 82 63 25 40 80 EA 65 C1 00 8E 8F C2\n" +
102 "95 FB 48 52 E7 D8 3E 1E 7C 48 C3 7E EB E6 B0 D3"));
103
104 check(enc(dk128, hex("A7 A4 E2 9A 47 28 CE 10 66 4F B6 4E 49 AD 3F AC"),
105 bk16, hex("00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F\n" +
106 "10 11 12 13 14")),
107 hex("72 0F 73 B1 8D 98 59 CD 6C CB 43 46 11 5C D3 36\n" +
108 "C7 0F 58 ED C0 C4 43 7C 55 73 54 4C 31 C8 13 BC\n" +
109 "E1 E6 D0 72 C1 86 B3 9A 41 3C 2F 92 CA 9B 83 34\n" +
110 "A2 87 FF CB FC\n"));
111
112 if (aes256ok) {
113 check(enc(dk256, hex("F7 64 E9 FA 15 C2 76 47 8B 2C 7D 0C 4E 5F 58 E4"),
114 bk32, hex("")),
115 hex("41 F5 3F A5 BF E7 02 6D 91 FA F9 BE 95 91 95 A0\n" +
116 "58 70 72 73 A9 6A 40 F0 A0 19 60 62 1A C6 12 74\n" +
117 "8B 9B BF BE 7E B4 CE 3C\n"));
118
119 check(enc(dk256, hex("B8 0D 32 51 C1 F6 47 14 94 25 6F FE 71 2D 0B 9A"),
120 bk32, hex("00 01 02 03 04 05")),
121 hex("4E D7 B3 7C 2B CA C8 F7 4F 23 C1 CF 07 E6 2B C7\n" +
122 "B7 5F B3 F6 37 B9 F5 59 C7 F6 64 F6 9E AB 7B 60\n" +
123 "92 23 75 26 EA 0D 1F 61 CB 20 D6 9D 10 F2\n"));
124
125 check(enc(dk256, hex("53 BF 8A 0D 10 52 65 D4 E2 76 42 86 24 CE 5E 63"),
126 bk32, hex("00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F")),
127 hex("BC 47 FF EC 79 98 EB 91 E8 11 5C F8 D1 9D AC 4B\n" +
128 "BB E2 E1 63 E8 7D D3 7F 49 BE CA 92 02 77 64 F6\n" +
129 "8C F5 1F 14 D7 98 C2 27 3F 35 DF 57 4D 1F 93 2E\n" +
130 "40 C4 FF 25 5B 36 A2 66\n"));
131
132 check(enc(dk256, hex("76 3E 65 36 7E 86 4F 02 F5 51 53 C7 E3 B5 8A F1"),
133 bk32, hex("00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F\n" +
134 "10 11 12 13 14")),
135 hex("40 01 3E 2D F5 8E 87 51 95 7D 28 78 BC D2 D6 FE\n" +
136 "10 1C CF D5 56 CB 1E AE 79 DB 3C 3E E8 64 29 F2\n" +
137 "B2 A6 02 AC 86 FE F6 EC B6 47 D6 29 5F AE 07 7A\n" +
138 "1F EB 51 75 08 D2 C1 6B 41 92 E0 1F 62\n"));
139 }
140
141 // Sample checksums:
142
143 byte[] msg = hex(
144 "00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F\n" +
145 "10 11 12 13 14");
146
147 check(checksum(dk128, bk16, msg), hex(
148 "D7 83 67 18 66 43 D6 7B 41 1C BA 91 39 FC 1D EE"));
149
150 check(checksum(dk256, bk32, msg), hex(
151 "45 EE 79 15 67 EE FC A3 7F 4A C1 E0 22 2D E8 0D\n" +
152 "43 C3 BF A0 66 99 67 2A"));
153
154 // Sample pseudorandom function (PRF) invocations:
155 // Java does not support PRF. Skipped.
156 }
157
158 private static byte[] stringToKey(AesSha2DkCrypto dk,
159 char[] pass, byte[] salt, byte[] params) throws Exception {
160 Method m = AesSha2DkCrypto.class.getDeclaredMethod("stringToKey",
161 char[].class, byte[].class, byte[].class);
162 m.setAccessible(true);
163 return (byte[])m.invoke(dk, pass, salt, params);
164 }
165
166 private static byte[] deriveKey(AesSha2DkCrypto dk, byte[] baseKey,
167 int usage, byte type) throws Exception {
168 Method m = AesSha2DkCrypto.class.getDeclaredMethod("deriveKey",
169 byte[].class, int.class, byte.class);
170 m.setAccessible(true);
171 return (byte[]) m.invoke(dk, baseKey, usage, type);
172 }
173
174 private static byte[] cat(byte[] b1, byte[] b2) {
175 byte[] result = Arrays.copyOf(b1, b1.length + b2.length);
176 System.arraycopy(b2, 0, result, b1.length, b2.length);
177 return result;
178 }
179
180 private static byte[] enc(AesSha2DkCrypto dk, byte[] confounder,
181 byte[] bk, byte[] text) throws Exception {
182 return dk.encryptRaw(bk, 2, new byte[16], cat(confounder, text),
183 0, confounder.length + text.length);
184 }
185
186 private static byte[] checksum(AesSha2DkCrypto dk, byte[] baseKey, byte[] text)
187 throws Exception {
188 return dk.calculateChecksum(baseKey, 2, text, 0, text.length);
189 }
190
191 private static byte[] hex(String var) {
192 var = var.replaceAll("\\s", "");
193 byte[] data = new byte[var.length()/2];
194 for (int i=0; i<data.length; i++) {
195 data[i] = Integer.valueOf(var.substring(2*i,2*i+2), 16).byteValue();
196 }
197 return data;
198 }
199
200 private static void check(byte[] b1, byte[] b2) throws Exception {
201 if (!Arrays.equals(b1, b2)) {
202 dump(b1); dump(b2);
203 throw new Exception("Failure");
204 }
205 }
206
207 private static void dump(byte[] data) throws Exception {
208 HexPrinter.simple().dest(System.err).format(data);
209 }
210 }