1 // Copyright 2021 Google LLC
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 // http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 //
15 ///////////////////////////////////////////////////////////////////////////////
16
17 #include "tink/experimental/pqcrypto/kem/subtle/cecpq2_aead_hkdf_hybrid_decrypt.h"
18
19 #include <memory>
20 #include <string>
21 #include <utility>
22 #include <vector>
23
24 #include "gmock/gmock.h"
25 #include "gtest/gtest.h"
26 #include "absl/memory/memory.h"
27 #include "absl/status/status.h"
28 #include "absl/strings/match.h"
29 #include "openssl/curve25519.h"
30 #include "openssl/hrss.h"
31 #include "tink/aead/aes_ctr_hmac_aead_key_manager.h"
32 #include "tink/aead/aes_gcm_key_manager.h"
33 #include "tink/aead/xchacha20_poly1305_key_manager.h"
34 #include "tink/config/tink_config.h"
35 #include "tink/daead/aes_siv_key_manager.h"
36 #include "tink/experimental/pqcrypto/kem/subtle/cecpq2_aead_hkdf_hybrid_encrypt.h"
37 #include "tink/experimental/pqcrypto/kem/subtle/cecpq2_subtle_boringssl_util.h"
38 #include "tink/experimental/pqcrypto/kem/util/test_util.h"
39 #include "tink/hybrid_decrypt.h"
40 #include "tink/registry.h"
41 #include "tink/subtle/common_enums.h"
42 #include "tink/subtle/random.h"
43 #include "tink/subtle/subtle_util.h"
44 #include "tink/util/enums.h"
45 #include "tink/util/secret_data.h"
46 #include "tink/util/status.h"
47 #include "tink/util/statusor.h"
48 #include "tink/util/test_matchers.h"
49 #include "tink/util/test_util.h"
50 #include "proto/experimental/pqcrypto/cecpq2_aead_hkdf.pb.h"
51
52 using crypto::tink::subtle::Random;
53 using ::crypto::tink::test::IsOk;
54 using ::crypto::tink::test::StatusIs;
55 using ::testing::HasSubstr;
56
57 namespace crypto {
58 namespace tink {
59 namespace {
60
61 class Cecpq2AeadHkdfHybridDecryptTest : public ::testing::Test {
62 protected:
63 struct CommonHybridKeyParams {
64 subtle::EllipticCurveType ec_curve;
65 subtle::EcPointFormat ec_point_format;
66 subtle::HashType hash_type;
67 };
68
GetCommonHybridKeyParamsList()69 std::vector<CommonHybridKeyParams> GetCommonHybridKeyParamsList() {
70 std::vector<CommonHybridKeyParams> params_list;
71 for (auto ec_curve : {subtle::EllipticCurveType::CURVE25519}) {
72 for (auto ec_point_format : {subtle::EcPointFormat::COMPRESSED}) {
73 for (auto hash_type :
74 {subtle::HashType::SHA256, subtle::HashType::SHA512}) {
75 CommonHybridKeyParams params;
76 params.ec_curve = ec_curve;
77 params.ec_point_format = ec_point_format;
78 params.hash_type = hash_type;
79 params_list.push_back(params);
80 }
81 }
82 }
83 return params_list;
84 }
85
CheckKeyValidity(const google::crypto::tink::Cecpq2AeadHkdfPrivateKey & cecpq2_key)86 util::Status CheckKeyValidity(
87 const google::crypto::tink::Cecpq2AeadHkdfPrivateKey& cecpq2_key) {
88 auto result = Cecpq2AeadHkdfHybridDecrypt::New(cecpq2_key);
89 if (!result.ok()) return result.status();
90
91 std::unique_ptr<HybridDecrypt> hybrid_decrypt(std::move(result.value()));
92 std::unique_ptr<HybridEncrypt> hybrid_encrypt(std::move(
93 Cecpq2AeadHkdfHybridEncrypt::New(cecpq2_key.public_key()).value()));
94
95 std::string context_info = "some context info";
96 for (uint32_t plaintext_size : {0, 1, 10, 100, 1000}) {
97 // Use the primitive
98 std::string plaintext = Random::GetRandomBytes(plaintext_size);
99 auto ciphertext_or = hybrid_encrypt->Encrypt(plaintext, context_info);
100 if (!ciphertext_or.ok()) return ciphertext_or.status();
101 auto ciphertext = ciphertext_or.value();
102 { // Regular decryption
103 auto decrypt_result = hybrid_decrypt->Decrypt(ciphertext, context_info);
104 if (!decrypt_result.ok()) {
105 return decrypt_result.status();
106 }
107 if (plaintext != decrypt_result.value())
108 return crypto::tink::util::Status(
109 absl::StatusCode::kInternal,
110 "Regular Encryption-Decryption failed:"
111 "ciphertext differs from plaintext");
112 }
113 { // Encryption and decryption with empty context info
114 const absl::string_view empty_context_info;
115 auto ciphertext =
116 hybrid_encrypt->Encrypt(plaintext, empty_context_info).value();
117 auto decrypt_result =
118 hybrid_decrypt->Decrypt(ciphertext, empty_context_info);
119
120 if (!decrypt_result.ok()) {
121 return decrypt_result.status();
122 }
123 if (plaintext != decrypt_result.value())
124 return crypto::tink::util::Status(
125 absl::StatusCode::kInternal,
126 "Empty Context Info Encryption-Decryption failed:"
127 "ciphertext differs from plaintext");
128 }
129 { // Encryption and decryption w/ empty msg & context info
130 const absl::string_view empty_plaintext;
131 const absl::string_view empty_context_info;
132 auto ciphertext =
133 hybrid_encrypt->Encrypt(empty_plaintext, empty_context_info)
134 .value();
135 auto decrypt_result =
136 hybrid_decrypt->Decrypt(ciphertext, empty_context_info);
137 if (!decrypt_result.ok()) {
138 return decrypt_result.status();
139 }
140 if (empty_plaintext != decrypt_result.value())
141 return crypto::tink::util::Status(
142 absl::StatusCode::kInternal,
143 "Empty Context Info and Message Encryption-Decryption failed:"
144 "ciphertext differs from plaintext");
145 }
146 { // Short bad ciphertext
147 auto decrypt_result =
148 hybrid_decrypt->Decrypt(Random::GetRandomBytes(16), context_info);
149 if (decrypt_result.status().code() !=
150 absl::StatusCode::kInvalidArgument ||
151 !absl::StrContains(decrypt_result.status().message(),
152 "ciphertext too short")) {
153 return decrypt_result.status();
154 }
155 }
156 { // Long but still bad ciphertext
157 auto decrypt_result =
158 hybrid_decrypt->Decrypt(Random::GetRandomBytes(1198), context_info);
159 if (decrypt_result.ok()) {
160 return crypto::tink::util::Status(absl::StatusCode::kInternal,
161 "Decrypted random ciphertext");
162 }
163 }
164 { // Bad context info
165 auto decrypt_result =
166 hybrid_decrypt->Decrypt(ciphertext, Random::GetRandomBytes(14));
167 if (decrypt_result.ok()) {
168 return crypto::tink::util::Status(
169 absl::StatusCode::kInternal,
170 "Decrypted ciphertext with random context info");
171 }
172 }
173 }
174 return util::OkStatus();
175 }
176 };
177
CreateValidKey()178 google::crypto::tink::Cecpq2AeadHkdfPrivateKey CreateValidKey() {
179 google::crypto::tink::Cecpq2AeadHkdfPrivateKey recipient_key;
180
181 auto cecp2_key_pair = crypto::tink::pqc::GenerateCecpq2Keypair(
182 subtle::EllipticCurveType::CURVE25519)
183 .value();
184
185 recipient_key.set_x25519_private_key(std::string(
186 util::SecretDataAsStringView(cecp2_key_pair.x25519_key_pair.priv)));
187 recipient_key.set_hrss_private_key_seed(
188 std::string(util::SecretDataAsStringView(
189 cecp2_key_pair.hrss_key_pair.hrss_private_key_seed)));
190
191 recipient_key.mutable_public_key()->set_x25519_public_key_x(
192 cecp2_key_pair.x25519_key_pair.pub_x);
193 recipient_key.mutable_public_key()->set_hrss_public_key_marshalled(
194 cecp2_key_pair.hrss_key_pair.hrss_public_key_marshaled);
195
196 recipient_key.mutable_public_key()
197 ->mutable_params()
198 ->mutable_kem_params()
199 ->set_curve_type(google::crypto::tink::EllipticCurveType::CURVE25519);
200 recipient_key.mutable_public_key()
201 ->mutable_params()
202 ->mutable_kem_params()
203 ->set_ec_point_format(google::crypto::tink::EcPointFormat::COMPRESSED);
204 recipient_key.mutable_public_key()
205 ->mutable_params()
206 ->mutable_kem_params()
207 ->set_hkdf_hash_type(google::crypto::tink::HashType::SHA256);
208
209 google::crypto::tink::AesGcmKeyFormat key_format;
210 key_format.set_key_size(32);
211 std::string dem_key_type = absl::StrCat(
212 kTypeGoogleapisCom, google::crypto::tink::AesGcmKey().GetTypeName());
213 recipient_key.mutable_public_key()
214 ->mutable_params()
215 ->mutable_dem_params()
216 ->mutable_aead_dem()
217 ->set_type_url(dem_key_type);
218 recipient_key.mutable_public_key()
219 ->mutable_params()
220 ->mutable_dem_params()
221 ->mutable_aead_dem()
222 ->set_value(key_format.SerializeAsString());
223
224 return recipient_key;
225 }
226
TEST_F(Cecpq2AeadHkdfHybridDecryptTest,ValidKey)227 TEST_F(Cecpq2AeadHkdfHybridDecryptTest, ValidKey) {
228 google::crypto::tink::Cecpq2AeadHkdfPrivateKey recipient_key =
229 CreateValidKey();
230 EXPECT_THAT(Cecpq2AeadHkdfHybridDecrypt::New(recipient_key), IsOk());
231 }
232
TEST_F(Cecpq2AeadHkdfHybridDecryptTest,InvalidKeyNoFieldsSet)233 TEST_F(Cecpq2AeadHkdfHybridDecryptTest, InvalidKeyNoFieldsSet) {
234 EXPECT_THAT(Cecpq2AeadHkdfHybridDecrypt::New(
235 google::crypto::tink::Cecpq2AeadHkdfPrivateKey())
236 .status(),
237 StatusIs(absl::StatusCode::kInvalidArgument,
238 HasSubstr("missing KEM required fields")));
239 }
240
TEST_F(Cecpq2AeadHkdfHybridDecryptTest,InvalidKeyX25519PrivKeyFieldMissing)241 TEST_F(Cecpq2AeadHkdfHybridDecryptTest, InvalidKeyX25519PrivKeyFieldMissing) {
242 google::crypto::tink::Cecpq2AeadHkdfPrivateKey recipient_key =
243 CreateValidKey();
244 recipient_key.set_x25519_private_key("");
245 EXPECT_THAT(Cecpq2AeadHkdfHybridDecrypt::New(recipient_key).status(),
246 StatusIs(absl::StatusCode::kInvalidArgument,
247 HasSubstr("missing KEM required fields")));
248 }
249
TEST_F(Cecpq2AeadHkdfHybridDecryptTest,InvalidKeyX25519PubKeyFieldMissing)250 TEST_F(Cecpq2AeadHkdfHybridDecryptTest, InvalidKeyX25519PubKeyFieldMissing) {
251 google::crypto::tink::Cecpq2AeadHkdfPrivateKey recipient_key =
252 CreateValidKey();
253 recipient_key.mutable_public_key()->set_x25519_public_key_x("");
254 EXPECT_THAT(Cecpq2AeadHkdfHybridDecrypt::New(recipient_key).status(),
255 StatusIs(absl::StatusCode::kInvalidArgument,
256 HasSubstr("missing KEM required fields")));
257 }
258
TEST_F(Cecpq2AeadHkdfHybridDecryptTest,InvalidKeyHrssPrivKeyFieldMissing)259 TEST_F(Cecpq2AeadHkdfHybridDecryptTest, InvalidKeyHrssPrivKeyFieldMissing) {
260 google::crypto::tink::Cecpq2AeadHkdfPrivateKey recipient_key =
261 CreateValidKey();
262 recipient_key.set_hrss_private_key_seed("");
263 EXPECT_THAT(Cecpq2AeadHkdfHybridDecrypt::New(recipient_key).status(),
264 StatusIs(absl::StatusCode::kInvalidArgument,
265 HasSubstr("missing KEM required fields")));
266 }
267
TEST_F(Cecpq2AeadHkdfHybridDecryptTest,InvalidKeyHrssPubKeyFieldMissing)268 TEST_F(Cecpq2AeadHkdfHybridDecryptTest, InvalidKeyHrssPubKeyFieldMissing) {
269 google::crypto::tink::Cecpq2AeadHkdfPrivateKey recipient_key =
270 CreateValidKey();
271 recipient_key.mutable_public_key()->set_hrss_public_key_marshalled("");
272 EXPECT_THAT(Cecpq2AeadHkdfHybridDecrypt::New(recipient_key).status(),
273 StatusIs(absl::StatusCode::kInvalidArgument,
274 HasSubstr("missing KEM required fields")));
275 }
276
TEST_F(Cecpq2AeadHkdfHybridDecryptTest,InvalidKeyWrongEcType)277 TEST_F(Cecpq2AeadHkdfHybridDecryptTest, InvalidKeyWrongEcType) {
278 google::crypto::tink::Cecpq2AeadHkdfPrivateKey recipient_key =
279 CreateValidKey();
280 recipient_key.mutable_public_key()
281 ->mutable_params()
282 ->mutable_kem_params()
283 ->set_curve_type(google::crypto::tink::EllipticCurveType::NIST_P256);
284 auto result(Cecpq2AeadHkdfHybridDecrypt::New(recipient_key));
285 EXPECT_THAT(result.status(),
286 StatusIs(absl::StatusCode::kUnimplemented,
287 HasSubstr("Unsupported elliptic curve")));
288 }
289
TEST_F(Cecpq2AeadHkdfHybridDecryptTest,InvalidKeyUnsupportedDem)290 TEST_F(Cecpq2AeadHkdfHybridDecryptTest, InvalidKeyUnsupportedDem) {
291 google::crypto::tink::Cecpq2AeadHkdfPrivateKey recipient_key =
292 CreateValidKey();
293 recipient_key.mutable_public_key()
294 ->mutable_params()
295 ->mutable_kem_params()
296 ->set_curve_type(google::crypto::tink::EllipticCurveType::CURVE25519);
297 recipient_key.mutable_public_key()
298 ->mutable_params()
299 ->mutable_kem_params()
300 ->set_hkdf_hash_type(google::crypto::tink::HashType::SHA256);
301 recipient_key.mutable_public_key()
302 ->mutable_params()
303 ->mutable_dem_params()
304 ->mutable_aead_dem()
305 ->set_type_url("some.type.url/that.is.not.supported");
306 auto result(Cecpq2AeadHkdfHybridDecrypt::New(recipient_key));
307 EXPECT_THAT(result.status(), StatusIs(absl::StatusCode::kInvalidArgument,
308 HasSubstr("Unsupported DEM")));
309 }
310
TEST_F(Cecpq2AeadHkdfHybridDecryptTest,AesGcmHybridDecryption)311 TEST_F(Cecpq2AeadHkdfHybridDecryptTest, AesGcmHybridDecryption) {
312 // Register DEM key manager
313 ASSERT_TRUE(Registry::RegisterKeyTypeManager(
314 absl::make_unique<AesGcmKeyManager>(), true)
315 .ok());
316
317 // Generate and test many keys with various parameters
318 for (auto key_params : GetCommonHybridKeyParamsList()) {
319 for (uint32_t aes_gcm_key_size : {16, 32}) {
320 SCOPED_TRACE(absl::StrCat(key_params.ec_curve, ":",
321 key_params.ec_point_format, ":",
322 key_params.hash_type, ":", aes_gcm_key_size));
323 auto cecpq2_key_pair_or_status =
324 pqc::GenerateCecpq2Keypair(key_params.ec_curve);
325 auto cecpq2_key_pair = std::move(cecpq2_key_pair_or_status.value());
326 google::crypto::tink::Cecpq2AeadHkdfPrivateKey cecpq2_key;
327 cecpq2_key.set_hrss_private_key_seed(
328 std::string(util::SecretDataAsStringView(
329 cecpq2_key_pair.hrss_key_pair.hrss_private_key_seed)));
330 cecpq2_key.set_x25519_private_key(std::string(
331 util::SecretDataAsStringView(cecpq2_key_pair.x25519_key_pair.priv)));
332 cecpq2_key.mutable_public_key()->set_hrss_public_key_marshalled(
333 cecpq2_key_pair.hrss_key_pair.hrss_public_key_marshaled);
334 cecpq2_key.mutable_public_key()->set_x25519_public_key_x(
335 cecpq2_key_pair.x25519_key_pair.pub_x);
336 cecpq2_key.mutable_public_key()
337 ->mutable_params()
338 ->mutable_kem_params()
339 ->set_curve_type(util::Enums::SubtleToProto(key_params.ec_curve));
340 cecpq2_key.mutable_public_key()
341 ->mutable_params()
342 ->mutable_kem_params()
343 ->set_ec_point_format(
344 util::Enums::SubtleToProto(key_params.ec_point_format));
345 cecpq2_key.mutable_public_key()
346 ->mutable_params()
347 ->mutable_kem_params()
348 ->set_hkdf_hash_type(
349 util::Enums::SubtleToProto(key_params.hash_type));
350 google::crypto::tink::AesGcmKeyFormat key_format;
351 key_format.set_key_size(aes_gcm_key_size);
352 std::unique_ptr<AesGcmKeyManager> key_manager(new AesGcmKeyManager());
353 std::string dem_key_type = key_manager->get_key_type();
354 cecpq2_key.mutable_public_key()
355 ->mutable_params()
356 ->mutable_dem_params()
357 ->mutable_aead_dem()
358 ->set_type_url(dem_key_type);
359 cecpq2_key.mutable_public_key()
360 ->mutable_params()
361 ->mutable_dem_params()
362 ->mutable_aead_dem()
363 ->set_value(key_format.SerializeAsString());
364
365 EXPECT_THAT(CheckKeyValidity(cecpq2_key), IsOk());
366 }
367 }
368 }
369
TEST_F(Cecpq2AeadHkdfHybridDecryptTest,XChaCha20Poly1305HybridDecryption)370 TEST_F(Cecpq2AeadHkdfHybridDecryptTest, XChaCha20Poly1305HybridDecryption) {
371 // Register DEM key manager
372 ASSERT_TRUE(Registry::RegisterKeyTypeManager(
373 absl::make_unique<XChaCha20Poly1305KeyManager>(), true)
374 .ok());
375
376 // Generate and test many keys with various parameters
377 for (auto key_params : GetCommonHybridKeyParamsList()) {
378 SCOPED_TRACE(absl::StrCat(key_params.ec_curve, ":",
379 key_params.ec_point_format, ":",
380 key_params.hash_type));
381 auto cecpq2_key_pair_or_status =
382 pqc::GenerateCecpq2Keypair(key_params.ec_curve);
383 auto cecpq2_key_pair = std::move(cecpq2_key_pair_or_status.value());
384 google::crypto::tink::Cecpq2AeadHkdfPrivateKey cecpq2_key;
385 cecpq2_key.set_hrss_private_key_seed(
386 std::string(util::SecretDataAsStringView(
387 cecpq2_key_pair.hrss_key_pair.hrss_private_key_seed)));
388 cecpq2_key.set_x25519_private_key(std::string(
389 util::SecretDataAsStringView(cecpq2_key_pair.x25519_key_pair.priv)));
390 cecpq2_key.mutable_public_key()->set_hrss_public_key_marshalled(
391 cecpq2_key_pair.hrss_key_pair.hrss_public_key_marshaled);
392 cecpq2_key.mutable_public_key()->set_x25519_public_key_x(
393 cecpq2_key_pair.x25519_key_pair.pub_x);
394 cecpq2_key.mutable_public_key()
395 ->mutable_params()
396 ->mutable_kem_params()
397 ->set_curve_type(util::Enums::SubtleToProto(key_params.ec_curve));
398 cecpq2_key.mutable_public_key()
399 ->mutable_params()
400 ->mutable_kem_params()
401 ->set_ec_point_format(
402 util::Enums::SubtleToProto(key_params.ec_point_format));
403 cecpq2_key.mutable_public_key()
404 ->mutable_params()
405 ->mutable_kem_params()
406 ->set_hkdf_hash_type(util::Enums::SubtleToProto(key_params.hash_type));
407
408 google::crypto::tink::XChaCha20Poly1305KeyFormat key_format;
409 std::unique_ptr<XChaCha20Poly1305KeyManager> key_manager(
410 new XChaCha20Poly1305KeyManager());
411 std::string dem_key_type = key_manager->get_key_type();
412 cecpq2_key.mutable_public_key()
413 ->mutable_params()
414 ->mutable_dem_params()
415 ->mutable_aead_dem()
416 ->set_type_url(dem_key_type);
417 cecpq2_key.mutable_public_key()
418 ->mutable_params()
419 ->mutable_dem_params()
420 ->mutable_aead_dem()
421 ->set_value(key_format.SerializeAsString());
422
423 EXPECT_THAT(CheckKeyValidity(cecpq2_key), IsOk());
424 }
425 }
426
TEST_F(Cecpq2AeadHkdfHybridDecryptTest,AesSivHybridDecryption)427 TEST_F(Cecpq2AeadHkdfHybridDecryptTest, AesSivHybridDecryption) {
428 // Register DEM key manager
429 ASSERT_TRUE(Registry::RegisterKeyTypeManager(
430 absl::make_unique<AesSivKeyManager>(), true)
431 .ok());
432
433 // Generate and test many keys with various parameters
434 for (auto key_params : GetCommonHybridKeyParamsList()) {
435 auto cecpq2_key_pair_or_status =
436 pqc::GenerateCecpq2Keypair(key_params.ec_curve);
437 auto cecpq2_key_pair = std::move(cecpq2_key_pair_or_status.value());
438 google::crypto::tink::Cecpq2AeadHkdfPrivateKey cecpq2_key;
439 cecpq2_key.set_hrss_private_key_seed(
440 std::string(util::SecretDataAsStringView(
441 cecpq2_key_pair.hrss_key_pair.hrss_private_key_seed)));
442 cecpq2_key.set_x25519_private_key(std::string(
443 util::SecretDataAsStringView(cecpq2_key_pair.x25519_key_pair.priv)));
444 cecpq2_key.mutable_public_key()->set_hrss_public_key_marshalled(
445 cecpq2_key_pair.hrss_key_pair.hrss_public_key_marshaled);
446 cecpq2_key.mutable_public_key()->set_x25519_public_key_x(
447 cecpq2_key_pair.x25519_key_pair.pub_x);
448 cecpq2_key.mutable_public_key()
449 ->mutable_params()
450 ->mutable_kem_params()
451 ->set_curve_type(util::Enums::SubtleToProto(key_params.ec_curve));
452 cecpq2_key.mutable_public_key()
453 ->mutable_params()
454 ->mutable_kem_params()
455 ->set_ec_point_format(
456 util::Enums::SubtleToProto(key_params.ec_point_format));
457 cecpq2_key.mutable_public_key()
458 ->mutable_params()
459 ->mutable_kem_params()
460 ->set_hkdf_hash_type(util::Enums::SubtleToProto(key_params.hash_type));
461
462 google::crypto::tink::AesSivKeyFormat key_format;
463 key_format.set_key_size(64);
464 std::unique_ptr<AesSivKeyManager> key_manager(new AesSivKeyManager());
465 std::string dem_key_type = key_manager->get_key_type();
466 cecpq2_key.mutable_public_key()
467 ->mutable_params()
468 ->mutable_dem_params()
469 ->mutable_aead_dem()
470 ->set_type_url(dem_key_type);
471 cecpq2_key.mutable_public_key()
472 ->mutable_params()
473 ->mutable_dem_params()
474 ->mutable_aead_dem()
475 ->set_value(key_format.SerializeAsString());
476
477 EXPECT_THAT(CheckKeyValidity(cecpq2_key), IsOk());
478 }
479 }
480
481 } // namespace
482 } // namespace tink
483 } // namespace crypto
484