1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
|
import Codec.Crypto.RSA.Pure
import Control.Monad
import Data.Binary
import Data.ByteString.Lazy(ByteString)
import qualified Data.ByteString.Lazy as BS
import Data.Digest.Pure.SHA
import System.IO
import Test.QuickCheck
import Crypto.Random
import Test.Framework (defaultMain, testGroup)
import Test.Framework.Providers.QuickCheck2 (testProperty)
type KeyPairs = [(PublicKey, PrivateKey)]
numRandomKeyPairs :: Int
numRandomKeyPairs = length keySizes * 2
keySizes :: [Int]
keySizes = [128,256,512,1024,2048,4096]
main :: IO ()
main = do
putStr "Generating testing keys ... "
hFlush stdout
g :: SystemRandom <- newGenIO
let (keys, g') = buildRandomKeyPairs g (cycle keySizes) numRandomKeyPairs
unless (all ((> 5) . public_n . fst) keys) $ fail "Something odd."
putStrLn "done!"
defaultMain
[ testGroup "Random functions" [
testProperty "RandomBS generates the right length" (prop_randomBSLen g')
, testProperty "RandomNZBS generates good data" (prop_randomNZBS g')
]
, testGroup "Testing basic helper functions" [
testProperty "ByteString chunking works" prop_chunkifyWorks
, testProperty "Modular exponentiation works" prop_modExpWorks
, testProperty "Modular inversion works" (prop_modInvWorks g')
]
, testGroup "Testing RSA core functions" [
testProperty "Can roundtrip from Integer to BS and back" prop_i2o2iIdent
, testProperty "Can roundtrip from BS to Integer and back" prop_o2i2oIdent
, testProperty "Can roundtrip RSA's EP and DP functions"
(prop_epDpIdent keys)
, testProperty "Can roundtrip RSA's SP and VP functions"
(prop_spVpIdent keys)
]
, testGroup "Testing fixed-width RSA functions" [
testProperty "RSA PKCS sign/verify works"
(prop_pkcsSignVerifies keys)
, testProperty "RSA PKCS encrypt/decrypt works" (prop_pkcsInverts keys g)
, testProperty "RSA OAEP encrypt/decrypt works" (prop_oaepInverts keys g)
]
, testGroup "Testing top-level, arbitrary-width RSA functions" [
testProperty "Checking encrypt/decrypt roundtrips" (prop_encDec keys g)
, testProperty "Checking OAEP encrypt/decrypt roundtrips"
(prop_encDecO keys g)
, testProperty "Checking PKCS encrypt/decrypt roundtrips"
(prop_encDecP keys g)
, testProperty "Checking verify verifies sign" (propSignVerifies keys)
]
]
buildRandomKeyPairs :: CryptoRandomGen g => g -> [Int] -> Int -> (KeyPairs, g)
buildRandomKeyPairs g _ 0 = ([], g)
buildRandomKeyPairs _ [] _ = error "The world has gone insane."
buildRandomKeyPairs g (keySize:rest) x =
case generateKeyPair g keySize of
Left _ -> error "Couldn't generate initial random key pairs! (1)"
Right (pub, priv, g') ->
let (acc, g'') = buildRandomKeyPairs g' rest (x - 1)
in ((pub, priv) : acc, g'')
-- --------------------------------------------------------------------------
instance Arbitrary ByteString where
arbitrary = BS.pack `fmap` arbitrary
instance Show HashInfo where
show (HashInfo ident _)
| ident == algorithmIdent hashSHA1 = "<SHA1>"
| ident == algorithmIdent hashSHA224 = "<SHA224>"
| ident == algorithmIdent hashSHA256 = "<SHA256>"
| ident == algorithmIdent hashSHA384 = "<SHA384>"
| ident == algorithmIdent hashSHA512 = "<SHA512>"
| otherwise = "<unknownHASH>"
instance Arbitrary HashInfo where
arbitrary = elements [hashSHA1, hashSHA224,
hashSHA256, hashSHA384, hashSHA512]
data KeyPairIdx = KPI Int
deriving (Show)
instance Arbitrary KeyPairIdx where
arbitrary = KPI `fmap` choose (0, numRandomKeyPairs - 1)
data HashFun = HF String (ByteString -> ByteString)
instance Show HashFun where
show (HF s _) = "<" ++ s ++ ">"
instance Arbitrary HashFun where
arbitrary = elements [HF "SHA1" (bytestringDigest . sha1),
HF "SHA256" (bytestringDigest . sha256),
HF "SHA384" (bytestringDigest . sha384),
HF "SHA512" (bytestringDigest . sha512)]
prop_randomBSLen :: CryptoRandomGen g => g -> Positive Word16 -> Bool
prop_randomBSLen g x =
case randomBS g (fromIntegral (getPositive x)) of
Left _ -> False
Right (bstr, _) -> fromIntegral (BS.length bstr) == getPositive x
prop_randomNZBS :: CryptoRandomGen g => g -> Positive Word16 -> Bool
prop_randomNZBS g x =
case randomNZBS g (fromIntegral (getPositive x)) of
Left _ -> False
Right (bstr, _) ->
(fromIntegral (BS.length bstr) == getPositive x) && BS.all (/= 0) bstr
prop_chunkifyWorks :: ByteString -> Positive Integer -> Bool
prop_chunkifyWorks x l = all (\ bs -> BS.length bs <= l') chunks &&
(sum (map BS.length chunks) == BS.length x)
where
l' = fromIntegral (getPositive l)
chunks = chunkify x (fromIntegral l')
prop_modExpWorks :: Positive Integer -> Positive Integer -> Positive Integer ->
Bool
prop_modExpWorks b e m = ((b' ^ e') `mod` m') == modular_exponentiation b' e' m'
where
b' = getPositive b
e' = getPositive e
m' = getPositive m
prop_modInvWorks :: CryptoRandomGen g => g -> Word16 -> Bool
prop_modInvWorks g0 x =
let (p, g1) = primeGen (x `mod` 512) g0
(q, _) = primeGen (x `mod` 512) g1
e = 65537
phi = (p - 1) * (q - 1)
d = modular_inverse e phi
in (e * d) `mod` phi == 1
where
primeGen pre g =
case randomBS g (fromIntegral pre) of
Left e -> error ("Error prefetching bytestring:" ++ show e)
Right (_, g') ->
case largeRandomPrime g' 64 of
Left _ -> error "Large prime generation failure."
Right res -> res
prop_i2o2iIdent :: Positive Integer -> Bool
prop_i2o2iIdent px =
case i2osp x l of
Left _ -> False
Right x' -> os2ip x' == x
where
x = getPositive px
l = findLen 1 256
--
findLen b t | t > x = b
| otherwise = findLen (b + 1) (t * 256)
prop_o2i2oIdent :: ByteString -> Bool
prop_o2i2oIdent bs =
case i2osp (os2ip bs) (fromIntegral (BS.length bs)) of
Left _ -> False
Right bs' -> bs == bs'
prop_epDpIdent :: KeyPairs -> KeyPairIdx ->
Positive Integer ->
Bool
prop_epDpIdent kps (KPI idx) x = fromEither $
do let n = public_n pub
e = public_e pub
d = private_d priv
m = getPositive x `mod` n
ep <- rsa_ep n e m
m' <- rsa_dp n d ep
return (m == m')
where (pub, priv) = kps !! idx
prop_spVpIdent :: KeyPairs -> KeyPairIdx ->
Positive Integer ->
Bool
prop_spVpIdent kps (KPI idx) x = fromEither $
do let n = public_n pub
e = public_e pub
d = private_d priv
m = getPositive x `mod` n
sp <- rsa_sp1 n d m
m' <- rsa_vp1 n e sp
return (m == m')
where (pub, priv) = kps !! idx
prop_oaepInverts :: CryptoRandomGen g =>
KeyPairs -> g ->
HashFun -> KeyPairIdx ->
ByteString -> ByteString ->
Property
prop_oaepInverts kps g (HF _ hash) (KPI idx) l m = wellSized ==> fromEither $
do let mgf = generateMGF1 hash
(enc,_) <- rsaes_oaep_encrypt g hash mgf pub l m
m' <- rsaes_oaep_decrypt hash mgf priv l enc
return (m == m')
where
(pub, priv) = kps !! idx
hashLength = fromIntegral (BS.length (hash BS.empty))
keySize = public_size pub
msgLength = fromIntegral (BS.length m)
wellSized = (msgLength <= (keySize - (2 * hashLength) - 2)) && (msgLength>0)
prop_pkcsInverts :: CryptoRandomGen g =>
KeyPairs -> g -> KeyPairIdx ->
ByteString ->
Property
prop_pkcsInverts kps g (KPI idx) m = wellSized ==> fromEither $
do (enc,_) <- rsaes_pkcs1_v1_5_encrypt g pub m
m' <- rsaes_pkcs1_v1_5_decrypt priv enc
return (m == m')
where
(pub, priv) = kps !! idx
wellSized = (fromIntegral (BS.length m) < (public_size pub - 11)) &&
(BS.length m > 0)
prop_pkcsSignVerifies :: KeyPairs -> KeyPairIdx ->
HashInfo -> ByteString ->
Property
prop_pkcsSignVerifies kps (KPI idx) hash m = wellSized ==> fromEither $
do sig <- rsassa_pkcs1_v1_5_sign hash priv m
rsassa_pkcs1_v1_5_verify hash pub m sig
where
(pub, priv) = kps !! idx
wellSized = fromIntegral (public_size pub) > (algSize + hashLen + 1)
algSize = BS.length (algorithmIdent hash)
hashLen = BS.length (hashFunction hash BS.empty)
prop_encDec :: CryptoRandomGen g =>
KeyPairs -> g ->
KeyPairIdx -> ByteString ->
Bool
prop_encDec kps g (KPI idx) m = fromEither $
do (c, _) <- encrypt g pub m
m' <- decrypt priv c
return (m == m')
where (pub, priv) = findKeySized 66 kps idx
prop_encDecO :: CryptoRandomGen g =>
KeyPairs -> g ->
HashFun -> KeyPairIdx -> ByteString -> ByteString ->
Property
prop_encDecO kps g (HF _ hash) (KPI idx) l m = wellSized ==> fromEither $
do (c, _) <- encryptOAEP g hash (generateMGF1 hash) l pub m
m' <- decryptOAEP hash (generateMGF1 hash) l priv c
return (m == m')
where
(pub, priv) = kps !! idx
hashLength = fromIntegral (BS.length (hash BS.empty))
keySize = public_size pub
wellSized = (keySize - (2 * hashLength) - 2) > 0
prop_encDecP :: CryptoRandomGen g =>
KeyPairs -> g -> KeyPairIdx -> ByteString ->
Bool
prop_encDecP kps g (KPI idx) m = fromEither $
do (c, _) <- encryptPKCS g pub m
m' <- decryptPKCS priv c
return (m == m')
where (pub, priv) = findKeySized 11 kps idx
propSignVerifies :: KeyPairs -> KeyPairIdx -> ByteString -> Bool
propSignVerifies kps (KPI idx) m = fromEither $
do sig <- sign priv m
verify pub m sig
where (pub, priv) = findKeySized 64 kps idx
findKeySized :: Int -> KeyPairs -> Int -> (PublicKey, PrivateKey)
findKeySized size kps idx =
let pair@(pub, _) = kps !! idx
in if public_size pub >= size
then pair
else findKeySized size kps ((idx + 1) `mod` length kps)
-- --------------------------------------------------------------------------
fromEither :: Either a Bool -> Bool
fromEither (Left _) = False
fromEither (Right res) = res
|
