1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
|
//===----------------------------------------------------------------------===//
//
// This source file is part of the SwiftCrypto open source project
//
// Copyright (c) 2022 Apple Inc. and the SwiftCrypto project authors
// Licensed under Apache License v2.0
//
// See LICENSE.txt for license information
// See CONTRIBUTORS.md for the list of SwiftCrypto project authors
//
// SPDX-License-Identifier: Apache-2.0
//
//===----------------------------------------------------------------------===//
import Foundation
import XCTest
import Crypto
import _CryptoExtras
struct AEADTestGroup: Codable {
let ivSize: Int
let keySize: UInt16
let tagSize: UInt16
let type: String
let tests: [AESGCMTestVector]
}
struct AESGCMTestVector: Codable {
let key: String
let iv: String
let aad: String
let msg: String
let ct: String
let tag: String
let result: String
}
class AESGCMSIVTests: XCTestCase {
func testPropertiesStayTheSameAfterFailedOpening() throws {
let message = Data("this is a message".utf8)
let sealed = try AES.GCM._SIV.seal(message, using: SymmetricKey(size: .bits128))
// We copy the bytes of these fields out here to ensure they're saved.
let originalCiphertext = Array(sealed.ciphertext)
let originalNonce = Array(sealed.nonce)
let originalTag = Array(sealed.tag)
XCTAssertThrowsError(try AES.GCM._SIV.open(sealed, using: SymmetricKey(size: .bits128)))
// The fields must all be unchanged.
XCTAssertEqual(originalCiphertext, Array(sealed.ciphertext))
XCTAssertEqual(originalNonce, Array(sealed.nonce))
XCTAssertEqual(originalTag, Array(sealed.tag))
}
func testBadKeySize() {
let plaintext: Data = "Some Super Secret Message".data(using: String.Encoding.utf8)!
let key = SymmetricKey(size: .init(bitCount: 304))
let nonce = AES.GCM._SIV.Nonce()
XCTAssertThrowsError(try AES.GCM._SIV.seal(plaintext, using: key, nonce: nonce))
}
func testEncryptDecrypt() throws {
let plaintext: Data = "Some Super Secret Message".data(using: String.Encoding.utf8)!
let key = SymmetricKey(size: .bits256)
let nonce = AES.GCM._SIV.Nonce()
let ciphertext = try AES.GCM._SIV.seal(plaintext, using: key, nonce: nonce)
let recoveredPlaintext = try AES.GCM._SIV.open(ciphertext, using: key, authenticating: Data())
let recoveredPlaintextWithoutAAD = try AES.GCM._SIV.open(ciphertext, using: key)
XCTAssertEqual(recoveredPlaintext, plaintext)
XCTAssertEqual(recoveredPlaintextWithoutAAD, plaintext)
}
func testExtractingBytesFromNonce() throws {
let nonce = AES.GCM._SIV.Nonce()
XCTAssertEqual(Array(nonce), nonce.withUnsafeBytes { Array($0) })
let testNonceBytes = Array(UInt8(0)..<UInt8(12))
let (contiguousNonceBytes, discontiguousNonceBytes) = testNonceBytes.asDataProtocols()
let nonceFromContiguous = try AES.GCM._SIV.Nonce(data: contiguousNonceBytes)
let nonceFromDiscontiguous = try AES.GCM._SIV.Nonce(data: discontiguousNonceBytes)
XCTAssertEqual(Array(nonceFromContiguous), testNonceBytes)
XCTAssertEqual(Array(nonceFromDiscontiguous), testNonceBytes)
XCTAssertThrowsError(try AES.GCM._SIV.Nonce(data: DispatchData.empty)) { error in
guard case .some(.incorrectParameterSize) = error as? CryptoKitError else {
XCTFail("Unexpected error")
return
}
}
}
func testUserConstructedSealedBoxesCombined() throws {
let ciphertext = Array("This pretty clearly isn't ciphertext, but sure why not".utf8)
let (contiguousCiphertext, discontiguousCiphertext) = ciphertext.asDataProtocols()
let contiguousSB = try AES.GCM._SIV.SealedBox(combined: contiguousCiphertext)
let discontiguousSB = try AES.GCM._SIV.SealedBox(combined: discontiguousCiphertext)
XCTAssertEqual(contiguousSB.combined, discontiguousSB.combined)
XCTAssertEqual(Array(contiguousSB.nonce), Array(discontiguousSB.nonce))
XCTAssertEqual(contiguousSB.ciphertext, discontiguousSB.ciphertext)
XCTAssertEqual(contiguousSB.tag, discontiguousSB.tag)
// Empty dispatchdatas don't work, they are too small.
XCTAssertThrowsError(try AES.GCM._SIV.SealedBox(combined: DispatchData.empty)) { error in
guard case .some(.incorrectParameterSize) = error as? CryptoKitError else {
XCTFail("Unexpected error: \(error)")
return
}
}
}
func testUserConstructedSealedBoxesSplit() throws {
let tag = Array(repeating: UInt8(0), count: 16)
let ciphertext = Array("This pretty clearly isn't ciphertext, but sure why not".utf8)
let nonce = AES.GCM._SIV.Nonce()
let (contiguousCiphertext, discontiguousCiphertext) = ciphertext.asDataProtocols()
let (contiguousTag, discontiguousTag) = tag.asDataProtocols()
// Two separate data protocol inputs means we end up with 4 boxes.
let contiguousContiguous = try AES.GCM._SIV.SealedBox(nonce: nonce, ciphertext: contiguousCiphertext, tag: contiguousTag)
let discontiguousContiguous = try AES.GCM._SIV.SealedBox(nonce: nonce, ciphertext: discontiguousCiphertext, tag: contiguousTag)
let contiguousDiscontiguous = try AES.GCM._SIV.SealedBox(nonce: nonce, ciphertext: contiguousCiphertext, tag: discontiguousTag)
let discontiguousDiscontiguous = try AES.GCM._SIV.SealedBox(nonce: nonce, ciphertext: discontiguousCiphertext, tag: discontiguousTag)
// To avoid the comparison count getting too nuts, we use the combined representation. By the transitive
// property we only need three comparisons.
XCTAssertEqual(contiguousContiguous.combined, discontiguousContiguous.combined)
XCTAssertEqual(discontiguousContiguous.combined, contiguousDiscontiguous.combined)
XCTAssertEqual(contiguousDiscontiguous.combined, discontiguousDiscontiguous.combined)
// Empty dispatchdatas for the tag don't work, they are too small.
XCTAssertThrowsError(try AES.GCM._SIV.SealedBox(nonce: nonce, ciphertext: ciphertext, tag: DispatchData.empty)) { error in
guard case .some(.incorrectParameterSize) = error as? CryptoKitError else {
XCTFail("Unexpected error: \(error)")
return
}
}
// They work fine for the ciphertext though.
let weirdBox = try AES.GCM._SIV.SealedBox(nonce: nonce, ciphertext: DispatchData.empty, tag: tag)
XCTAssertEqual(weirdBox.ciphertext, Data())
}
func testRoundTripDataProtocols() throws {
func roundTrip<Message: DataProtocol, AAD: DataProtocol>(message: Message, aad: AAD, file: StaticString = (#file), line: UInt = #line) throws {
let key = SymmetricKey(size: .bits256)
let nonce = AES.GCM._SIV.Nonce()
let ciphertext = try AES.GCM._SIV.seal(message, using: key, nonce: nonce, authenticating: aad)
let recoveredPlaintext = try AES.GCM._SIV.open(ciphertext, using: key, authenticating: aad)
XCTAssertEqual(Array(recoveredPlaintext), Array(message), file: file, line: line)
}
let message = Array("Hello, world, it's AES-GCM!".utf8)
let aad = Array("I heard you like Counter Mode, so I put a Galois on it".utf8)
let (contiguousMessage, discontiguousMessage) = message.asDataProtocols()
let (contiguousAad, discontiguousAad) = aad.asDataProtocols()
_ = try roundTrip(message: contiguousMessage, aad: contiguousAad)
_ = try roundTrip(message: discontiguousMessage, aad: contiguousAad)
_ = try roundTrip(message: contiguousMessage, aad: discontiguousAad)
_ = try roundTrip(message: discontiguousMessage, aad: discontiguousAad)
}
func testWycheproof() throws {
try wycheproofTest(
jsonName: "aes_gcm_siv_test",
testFunction: { (group: AEADTestGroup) in
_ = try testGroup(group: group)
})
}
func testGroup(group: AEADTestGroup) throws {
for testVector in group.tests {
var msg: Data = Data()
var aad: Data = Data()
var ct: [UInt8] = []
var tag: [UInt8] = []
var nonce: AES.GCM._SIV.Nonce
do {
nonce = try AES.GCM._SIV.Nonce(data: Array(hexString: testVector.iv))
} catch {
XCTAssertEqual(testVector.result, "invalid")
return
}
if testVector.ct.count > 0 {
ct = try Array(hexString: testVector.ct)
}
if testVector.msg.count > 0 {
msg = try Data(hexString: testVector.msg)
}
if testVector.aad.count > 0 {
aad = try Data(hexString: testVector.aad)
}
if testVector.tag.count > 0 {
tag = try Array(hexString: testVector.tag)
}
let key = try SymmetricKey(data: Array(hexString: testVector.key))
XCTAssertNotNil(key)
let sb = try AES.GCM._SIV.seal(msg, using: key, nonce: nonce, authenticating: aad)
if testVector.result == "valid" {
XCTAssertEqual(Data(ct), sb.ciphertext)
XCTAssertEqual(Data(tag), sb.tag)
}
do {
let recovered_pt = try AES.GCM._SIV.open(AES.GCM._SIV.SealedBox(nonce: nonce, ciphertext: ct, tag: tag), using: key, authenticating: aad)
if testVector.result == "valid" || testVector.result == "acceptable" {
XCTAssertEqual(recovered_pt, msg)
}
} catch {
XCTAssertEqual(testVector.result, "invalid")
}
}
}
}
|
