/*
* Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.security.MessageDigest;
import java.util.HashMap;
/*
* @test
* @bug 8220165
* @summary Verify correctness of large data sizes for GCM.
*/
/**
* This test stores the MD5 hash of correctly encrypted AES/GCM data for
* particular data lengths. Those lengths are run on SunJCE to verify returns
* the same MD5 hash of the encrypted data. These are not NIST data sets or
* provided by any other organization. The data sets are known good values,
* verified with two different JCE providers (solaris-sparcv9 ucrypto and
* linux SunJCE).
*
* Lengths around 64k are chosen because 64k is the point where
* com.sun.crypto.provider.GaloisCounterMode#doLastBlock() starts it's
* intrinsic warmup
*
* Plaintext is all zeros. Preset key and IV.
*
* The choice of MD5 is for speed. Shortcoming of the algorithm are
* not relevant for this test.
*/
public class GCMLargeDataKAT {
// Hash of encrypted results of AES/GCM for particular lengths.
// <data size, hash>
static final HashMap<Integer, String> results = new HashMap<>() {{
put(65534, "1397b91c31ce793895edace4e175bfee"); //64k-2
put(65535, "4ad101c9f450e686668b3f8f05db96f0"); //64k-1
put(65536, "fbfaee3451acd3f603200d6be0f39b24"); //64k
put(65537, "e7dfca4a71495c65d20982c3c9b9813f"); //64k+1
put(67583, "c8ebdcb3532ec6c165de961341af7635"); //66k-1
put(67584, "36559d108dfd25dd29da3fec3455b9e5"); //66k
put(67585, "1d21b42d80ea179810744fc23dc228b6"); //66k+1
put(102400, "0d1544fcab20bbd4c8103b9d273f2c82"); //100k
put(102401, "f2d53ef65fd12d0a861368659b23ea2e"); //100k+1
put(102402, "97f0f524cf63d2d9d23d81e64d416ee0"); //100k+2
put(102403, "4a6b4af55b7d9016b64114d6813d639c"); //100k+3
put(102404, "ba63cc131fcde2f12ddf2ac634201be8"); //100k+4
put(102405, "673d05c7fe5e283e42e5c0d049fdcea6"); //100k+5
put(102406, "76cc99a7850ce857eb3cb43049cf9877"); //100k+6
put(102407, "65863f99072cf2eb7fce18bd78b33f4e"); //100k+7
put(102408, "b9184f0f272682cc1f791fa7070eddd4"); //100k+8
put(102409, "45fe36afef43cc665bf22a9ca200c3c2"); //100k+9
put(102410, "67249e41646edcb37a78a61b0743cf11"); //100k+0
put(102411, "ffdc611e29c8849842e81ec78f32c415"); //100k+11
put(102412, "b7fde7fd52221057dccc1c181a140125"); //100k+12
put(102413, "4b1d6c64d56448105e5613157e69c0ae"); //100k+13
put(102414, "6d2c0b26c0c8785c8eec3298a5f0080c"); //100k+14
put(102415, "1df2061b114fbe56bdf3717e3ee61ef9"); //100k+15
put(102416, "a691742692c683ac9d1254df5fc5f768"); //100k+16
}};
static final int HIGHLEN = 102416;
static final int GCM_TAG_LENGTH = 16;
static final byte[] iv = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11};
static final byte[] key_code = {
0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15
};
static final GCMParameterSpec spec =
new GCMParameterSpec(GCM_TAG_LENGTH * 8, iv);
static final SecretKey key = new SecretKeySpec(key_code, "AES");
static boolean testresult = true;
static byte[] plaintext = new byte[HIGHLEN];
static MessageDigest md5;
Cipher cipher;
GCMLargeDataKAT() {
}
byte[] encrypt(int inLen) {
try {
cipher = Cipher.getInstance("AES/GCM/NoPadding", "SunJCE");
cipher.init(Cipher.ENCRYPT_MODE, key, spec);
return cipher.doFinal(plaintext, 0, inLen);
} catch (Exception e) {
System.err.println("Encrypt Failure (length = " + inLen + ") : " +
e.getMessage());
e.printStackTrace();
}
return new byte[0];
}
static byte[] hash(byte[] data) {
return md5.digest(data);
}
// Decrypt the data and return a boolean if the plaintext is all 0's.
boolean decrypt(byte[] data) {
byte[] result = null;
int len = data.length - GCM_TAG_LENGTH;
if (data.length == 0) {
return false;
}
try {
cipher = Cipher.getInstance("AES/GCM/NoPadding", "SunJCE");
cipher.init(Cipher.DECRYPT_MODE, key, spec);
result = cipher.doFinal(data);
} catch (Exception e) {
System.err.println("Decrypt Failure (length = " + len + ") : " +
e.getMessage());
e.printStackTrace();
return false;
}
if (result.length != len) {
System.err.println("Decrypt Failure (length = " + len +
") : plaintext length invalid = " + result.length);
}
// Return false if we find a non zero.
int i = 0;
while (result.length > i) {
if (result[i++] != 0) {
System.err.println("Decrypt Failure (length = " + len +
") : plaintext invalid, char index " + i);
return false;
}
}
return true;
}
void test() throws Exception {
// results order is not important
for (int l : results.keySet()) {
byte[] enc = new GCMLargeDataKAT().encrypt(l);
// verify hash with stored hash of that length
String hashstr = toHex(hash(enc));
boolean r = (hashstr.compareTo(results.get(l)) == 0);
System.out.println("---------------------------------------------");
// Encrypted test & results
System.out.println("Encrypt data size " + l + " \tResult: " +
(r ? "Pass" : "Fail"));
if (!r) {
if (enc.length != 0) {
System.out.println("\tExpected: " + results.get(l));
System.out.println("\tReturned: " + hashstr);
}
testresult = false;
continue;
}
// Decrypted test & results
r = decrypt(enc);
System.out.println("Decrypt data size " + l + " \tResult: " +
(r ? "Pass" : "Fail"));
if (!r) {
testresult = false;
}
}
// After test complete, throw an error if there was a failure
if (!testresult) {
throw new Exception("Tests failed");
}
}
/**
* With no argument, the test will run the predefined data lengths
*
* With an integer argument, this test will print the hash of the encrypted
* data of that integer length.
*
*/
public static void main(String args[]) throws Exception {
md5 = MessageDigest.getInstance("MD5");
if (args.length > 0) {
int len = Integer.parseInt(args[0]);
byte[] e = new GCMLargeDataKAT().encrypt(len);
System.out.println(toHex(hash(e)));
return;
}
new GCMLargeDataKAT().test();
}
// bytes to hex string
static String toHex(byte[] bytes) {
StringBuffer hexStringBuffer = new StringBuffer(32);
for (int i = 0; i < bytes.length; i++) {
hexStringBuffer.append(byteToHex(bytes[i]));
}
return hexStringBuffer.toString();
}
// byte to hex
static String byteToHex(byte num) {
char[] hexDigits = new char[2];
hexDigits[0] = Character.forDigit((num >> 4) & 0xF, 16);
hexDigits[1] = Character.forDigit((num & 0xF), 16);
return new String(hexDigits);
}
}