2014-01-19 14:42:02 +00:00
|
|
|
/*
|
|
|
|
This file is part of cpp-ethereum.
|
|
|
|
|
|
|
|
cpp-ethereum is free software: you can redistribute it and/or modify
|
|
|
|
it under the terms of the GNU General Public License as published by
|
2014-02-06 18:53:46 +00:00
|
|
|
the Free Software Foundation, either version 3 of the License, or
|
2014-01-19 14:42:02 +00:00
|
|
|
(at your option) any later version.
|
|
|
|
|
2014-02-16 10:20:55 +00:00
|
|
|
cpp-ethereum is distributed in the hope that it will be useful,
|
2014-01-19 14:42:02 +00:00
|
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
GNU General Public License for more details.
|
|
|
|
|
|
|
|
You should have received a copy of the GNU General Public License
|
2014-02-16 10:41:15 +00:00
|
|
|
along with cpp-ethereum. If not, see <http://www.gnu.org/licenses/>.
|
2014-01-19 14:42:02 +00:00
|
|
|
*/
|
|
|
|
/** @file crypto.cpp
|
|
|
|
* @author Gav Wood <i@gavwood.com>
|
|
|
|
* @date 2014
|
|
|
|
* Crypto test functions.
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include <random>
|
2014-04-23 14:08:11 +00:00
|
|
|
#include <secp256k1/secp256k1.h>
|
2014-09-05 16:24:29 +00:00
|
|
|
#include <libdevcore/Common.h>
|
|
|
|
#include <libdevcore/RLP.h>
|
|
|
|
#include <libdevcore/Log.h>
|
2014-04-23 14:08:11 +00:00
|
|
|
#include <libethereum/Transaction.h>
|
2014-04-19 17:53:48 +00:00
|
|
|
#include <boost/test/unit_test.hpp>
|
2014-11-13 01:00:19 +00:00
|
|
|
#include <libdevcrypto/SHA3.h>
|
2014-11-11 17:31:23 +00:00
|
|
|
#include <libdevcrypto/ECDHE.h>
|
|
|
|
#include <libdevcrypto/CryptoPP.h>
|
2014-04-19 17:53:48 +00:00
|
|
|
|
2014-01-19 14:42:02 +00:00
|
|
|
using namespace std;
|
2014-09-05 15:09:58 +00:00
|
|
|
using namespace dev;
|
2014-10-18 03:11:36 +00:00
|
|
|
using namespace dev::crypto;
|
|
|
|
using namespace CryptoPP;
|
2014-01-19 14:42:02 +00:00
|
|
|
|
2014-10-18 03:11:36 +00:00
|
|
|
BOOST_AUTO_TEST_SUITE(devcrypto)
|
|
|
|
|
2014-11-13 01:00:19 +00:00
|
|
|
static Secp256k1 s_secp256k1;
|
|
|
|
static CryptoPP::AutoSeededRandomPool s_rng;
|
|
|
|
static CryptoPP::OID s_curveOID(CryptoPP::ASN1::secp256k1());
|
|
|
|
static CryptoPP::DL_GroupParameters_EC<CryptoPP::ECP> s_params(s_curveOID);
|
|
|
|
static CryptoPP::DL_GroupParameters_EC<CryptoPP::ECP>::EllipticCurve s_curve(s_params.GetCurve());
|
|
|
|
|
2014-12-09 17:52:04 +00:00
|
|
|
BOOST_AUTO_TEST_CASE(emptySHA3Types)
|
|
|
|
{
|
|
|
|
h256 emptyListSHA3(fromHex("1dcc4de8dec75d7aab85b567b6ccd41ad312451b948a7413f0a142fd40d49347"));
|
|
|
|
BOOST_REQUIRE_EQUAL(emptyListSHA3, EmptyListSHA3);
|
|
|
|
|
|
|
|
h256 emptySHA3(fromHex("c5d2460186f7233c927e7db2dcc703c0e500b653ca82273b7bfad8045d85a470"));
|
|
|
|
BOOST_REQUIRE_EQUAL(emptySHA3, EmptySHA3);
|
|
|
|
}
|
|
|
|
|
2014-12-08 13:41:04 +00:00
|
|
|
BOOST_AUTO_TEST_CASE(cryptopp_patch)
|
|
|
|
{
|
|
|
|
KeyPair k = KeyPair::create();
|
|
|
|
bytes io_text;
|
|
|
|
s_secp256k1.decrypt(k.sec(), io_text);
|
|
|
|
BOOST_REQUIRE_EQUAL(io_text.size(), 0);
|
|
|
|
}
|
|
|
|
|
2014-11-13 01:00:19 +00:00
|
|
|
BOOST_AUTO_TEST_CASE(verify_secert)
|
|
|
|
{
|
|
|
|
h256 empty;
|
|
|
|
KeyPair kNot(empty);
|
|
|
|
BOOST_REQUIRE(!kNot.address());
|
|
|
|
KeyPair k(sha3(empty));
|
|
|
|
BOOST_REQUIRE(k.address());
|
|
|
|
}
|
|
|
|
|
2014-10-23 17:19:02 +00:00
|
|
|
BOOST_AUTO_TEST_CASE(common_encrypt_decrypt)
|
2014-10-23 17:06:31 +00:00
|
|
|
{
|
2014-11-11 17:31:23 +00:00
|
|
|
string message("Now is the time for all good persons to come to the aid of humanity.");
|
2014-10-23 17:06:31 +00:00
|
|
|
bytes m = asBytes(message);
|
|
|
|
bytesConstRef bcr(&m);
|
|
|
|
|
2014-10-23 20:12:47 +00:00
|
|
|
KeyPair k = KeyPair::create();
|
2014-10-23 17:06:31 +00:00
|
|
|
bytes cipher;
|
|
|
|
encrypt(k.pub(), bcr, cipher);
|
2014-10-27 03:17:03 +00:00
|
|
|
BOOST_REQUIRE(cipher != asBytes(message) && cipher.size() > 0);
|
2014-10-23 17:06:31 +00:00
|
|
|
|
|
|
|
bytes plain;
|
|
|
|
decrypt(k.sec(), bytesConstRef(&cipher), plain);
|
|
|
|
|
2014-10-27 03:17:03 +00:00
|
|
|
BOOST_REQUIRE(asString(plain) == message);
|
|
|
|
BOOST_REQUIRE(plain == asBytes(message));
|
2014-10-23 17:06:31 +00:00
|
|
|
}
|
|
|
|
|
2014-11-05 13:13:27 +00:00
|
|
|
BOOST_AUTO_TEST_CASE(cryptopp_cryptopp_secp256k1libport)
|
2014-10-29 17:46:57 +00:00
|
|
|
{
|
2014-11-13 01:00:19 +00:00
|
|
|
secp256k1_start();
|
|
|
|
|
2014-10-29 18:24:23 +00:00
|
|
|
// base secret
|
2014-10-29 17:46:57 +00:00
|
|
|
Secret secret(sha3("privacy"));
|
|
|
|
|
2014-10-29 18:24:23 +00:00
|
|
|
// we get ec params from signer
|
|
|
|
ECDSA<ECP, SHA3_256>::Signer signer;
|
|
|
|
|
2014-10-29 17:46:57 +00:00
|
|
|
// e := sha3(msg)
|
|
|
|
bytes e(fromHex("0x01"));
|
|
|
|
e.resize(32);
|
2014-11-13 01:00:19 +00:00
|
|
|
int tests = 2;
|
2014-10-29 17:46:57 +00:00
|
|
|
while (sha3(&e, &e), secret = sha3(secret.asBytes()), tests--)
|
|
|
|
{
|
|
|
|
KeyPair key(secret);
|
2014-10-29 18:24:23 +00:00
|
|
|
Public pkey = key.pub();
|
2014-11-13 01:00:19 +00:00
|
|
|
signer.AccessKey().Initialize(s_params, secretToExponent(secret));
|
2014-10-29 17:46:57 +00:00
|
|
|
|
|
|
|
h256 he(sha3(e));
|
|
|
|
Integer heInt(he.asBytes().data(), 32);
|
2014-11-02 03:41:16 +00:00
|
|
|
h256 k(crypto::kdf(secret, he));
|
2014-10-29 17:46:57 +00:00
|
|
|
Integer kInt(k.asBytes().data(), 32);
|
2014-11-13 01:00:19 +00:00
|
|
|
kInt %= s_params.GetSubgroupOrder()-1;
|
2014-10-29 17:46:57 +00:00
|
|
|
|
2014-11-13 01:00:19 +00:00
|
|
|
ECP::Point rp = s_params.ExponentiateBase(kInt);
|
|
|
|
Integer const& q = s_params.GetGroupOrder();
|
|
|
|
Integer r = s_params.ConvertElementToInteger(rp);
|
2014-10-29 18:24:23 +00:00
|
|
|
|
2014-10-29 17:46:57 +00:00
|
|
|
Integer kInv = kInt.InverseMod(q);
|
2014-10-29 18:24:23 +00:00
|
|
|
Integer s = (kInv * (Integer(secret.asBytes().data(), 32)*r + heInt)) % q;
|
2014-10-29 17:46:57 +00:00
|
|
|
BOOST_REQUIRE(!!r && !!s);
|
|
|
|
|
|
|
|
Signature sig;
|
2014-11-13 01:00:19 +00:00
|
|
|
sig[64] = rp.y.IsOdd() ? 1 : 0;
|
2014-10-29 17:46:57 +00:00
|
|
|
r.Encode(sig.data(), 32);
|
2014-11-04 09:54:46 +00:00
|
|
|
s.Encode(sig.data() + 32, 32);
|
2014-10-29 17:46:57 +00:00
|
|
|
|
|
|
|
Public p = dev::recover(sig, he);
|
|
|
|
BOOST_REQUIRE(p == pkey);
|
|
|
|
|
|
|
|
// verify w/cryptopp
|
2014-11-13 01:00:19 +00:00
|
|
|
BOOST_REQUIRE(s_secp256k1.verify(pkey, sig, bytesConstRef(&e)));
|
2014-10-29 17:46:57 +00:00
|
|
|
|
|
|
|
// verify with secp256k1lib
|
|
|
|
byte encpub[65] = {0x04};
|
2014-10-29 18:24:23 +00:00
|
|
|
memcpy(&encpub[1], pkey.data(), 64);
|
2014-10-29 17:46:57 +00:00
|
|
|
byte dersig[72];
|
|
|
|
size_t cssz = DSAConvertSignatureFormat(dersig, 72, DSA_DER, sig.data(), 64, DSA_P1363);
|
|
|
|
BOOST_CHECK(cssz <= 72);
|
|
|
|
BOOST_REQUIRE(1 == secp256k1_ecdsa_verify(he.data(), sizeof(he), dersig, cssz, encpub, 65));
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2014-10-25 16:23:19 +00:00
|
|
|
BOOST_AUTO_TEST_CASE(cryptopp_ecdsa_sipaseckp256k1)
|
2014-10-23 00:40:02 +00:00
|
|
|
{
|
2014-11-13 01:00:19 +00:00
|
|
|
secp256k1_start();
|
|
|
|
|
2014-10-27 03:17:03 +00:00
|
|
|
// cryptopp integer encoding
|
|
|
|
Integer nHex("f2ee15ea639b73fa3db9b34a245bdfa015c260c598b211bf05a1ecc4b3e3b4f2H");
|
|
|
|
Integer nB(fromHex("f2ee15ea639b73fa3db9b34a245bdfa015c260c598b211bf05a1ecc4b3e3b4f2").data(), 32);
|
|
|
|
BOOST_REQUIRE(nHex == nB);
|
2014-10-23 14:59:01 +00:00
|
|
|
|
2014-11-12 01:01:27 +00:00
|
|
|
bytes sbytes(fromHex("0xFFFF"));
|
2014-11-13 01:00:19 +00:00
|
|
|
Secret secret(sha3(sbytes));
|
2014-10-27 03:17:03 +00:00
|
|
|
KeyPair key(secret);
|
|
|
|
|
2014-11-16 22:02:53 +00:00
|
|
|
bytes m(1, 0xff);
|
2014-11-18 11:01:25 +00:00
|
|
|
int tests = 2;
|
2014-10-27 16:21:01 +00:00
|
|
|
while (m[0]++, tests--)
|
2014-10-27 04:15:44 +00:00
|
|
|
{
|
|
|
|
h256 hm(sha3(m));
|
|
|
|
Integer hInt(hm.asBytes().data(), 32);
|
|
|
|
h256 k(hm ^ key.sec());
|
|
|
|
Integer kInt(k.asBytes().data(), 32);
|
2014-11-12 01:01:27 +00:00
|
|
|
|
2014-10-27 04:15:44 +00:00
|
|
|
// raw sign w/cryptopp (doesn't pass through cryptopp hash filter)
|
|
|
|
ECDSA<ECP, SHA3_256>::Signer signer;
|
2014-11-13 01:00:19 +00:00
|
|
|
signer.AccessKey().Initialize(s_params, secretToExponent(key.sec()));
|
2014-10-27 04:15:44 +00:00
|
|
|
Integer r, s;
|
|
|
|
signer.RawSign(kInt, hInt, r, s);
|
|
|
|
|
|
|
|
// verify cryptopp raw-signature w/cryptopp
|
|
|
|
ECDSA<ECP, SHA3_256>::Verifier verifier;
|
2014-11-13 01:00:19 +00:00
|
|
|
verifier.AccessKey().Initialize(s_params, publicToPoint(key.pub()));
|
2014-10-27 04:15:44 +00:00
|
|
|
Signature sigppraw;
|
|
|
|
r.Encode(sigppraw.data(), 32);
|
2014-11-04 09:54:46 +00:00
|
|
|
s.Encode(sigppraw.data() + 32, 32);
|
2014-10-27 04:15:44 +00:00
|
|
|
BOOST_REQUIRE(verifier.VerifyMessage(m.data(), m.size(), sigppraw.data(), 64));
|
2014-11-13 01:00:19 +00:00
|
|
|
// BOOST_REQUIRE(crypto::verify(key.pub(), sigppraw, bytesConstRef(&m)));
|
2014-10-27 04:15:44 +00:00
|
|
|
BOOST_REQUIRE(dev::verify(key.pub(), sigppraw, hm));
|
|
|
|
|
2014-11-02 03:41:16 +00:00
|
|
|
// sign with cryptopp, verify, recover w/sec256lib
|
2014-10-27 04:15:44 +00:00
|
|
|
Signature seclibsig(dev::sign(key.sec(), hm));
|
|
|
|
BOOST_REQUIRE(verifier.VerifyMessage(m.data(), m.size(), seclibsig.data(), 64));
|
2014-11-13 01:00:19 +00:00
|
|
|
// BOOST_REQUIRE(crypto::verify(key.pub(), seclibsig, bytesConstRef(&m)));
|
2014-10-27 04:15:44 +00:00
|
|
|
BOOST_REQUIRE(dev::verify(key.pub(), seclibsig, hm));
|
2014-11-02 03:41:16 +00:00
|
|
|
BOOST_REQUIRE(dev::recover(seclibsig, hm) == key.pub());
|
2014-10-27 04:15:44 +00:00
|
|
|
|
|
|
|
// sign with cryptopp (w/hash filter?), verify with cryptopp
|
|
|
|
bytes sigppb(signer.MaxSignatureLength());
|
2014-11-13 01:00:19 +00:00
|
|
|
size_t ssz = signer.SignMessage(s_rng, m.data(), m.size(), sigppb.data());
|
2014-10-27 04:15:44 +00:00
|
|
|
Signature sigpp;
|
|
|
|
memcpy(sigpp.data(), sigppb.data(), 64);
|
|
|
|
BOOST_REQUIRE(verifier.VerifyMessage(m.data(), m.size(), sigppb.data(), ssz));
|
2014-11-13 01:00:19 +00:00
|
|
|
// BOOST_REQUIRE(crypto::verify(key.pub(), sigpp, bytesConstRef(&m)));
|
2014-10-27 04:15:44 +00:00
|
|
|
BOOST_REQUIRE(dev::verify(key.pub(), sigpp, hm));
|
|
|
|
|
|
|
|
// sign with cryptopp and stringsource hash filter
|
|
|
|
string sigstr;
|
2014-11-13 01:00:19 +00:00
|
|
|
StringSource ssrc(asString(m), true, new SignerFilter(s_rng, signer, new StringSink(sigstr)));
|
2014-10-27 04:15:44 +00:00
|
|
|
FixedHash<sizeof(Signature)> retsig((byte const*)sigstr.data(), Signature::ConstructFromPointer);
|
|
|
|
BOOST_REQUIRE(verifier.VerifyMessage(m.data(), m.size(), retsig.data(), 64));
|
2014-11-13 01:00:19 +00:00
|
|
|
// BOOST_REQUIRE(crypto::verify(key.pub(), retsig, bytesConstRef(&m)));
|
2014-10-27 04:15:44 +00:00
|
|
|
BOOST_REQUIRE(dev::verify(key.pub(), retsig, hm));
|
|
|
|
|
|
|
|
/// verification w/sec256lib
|
|
|
|
// requires public key and sig in standard format
|
|
|
|
byte encpub[65] = {0x04};
|
|
|
|
memcpy(&encpub[1], key.pub().data(), 64);
|
|
|
|
byte dersig[72];
|
|
|
|
|
|
|
|
// verify sec256lib sig w/sec256lib
|
|
|
|
size_t cssz = DSAConvertSignatureFormat(dersig, 72, DSA_DER, seclibsig.data(), 64, DSA_P1363);
|
|
|
|
BOOST_CHECK(cssz <= 72);
|
|
|
|
BOOST_REQUIRE(1 == secp256k1_ecdsa_verify(hm.data(), sizeof(hm), dersig, cssz, encpub, 65));
|
|
|
|
|
|
|
|
// verify cryptopp-raw sig w/sec256lib
|
|
|
|
cssz = DSAConvertSignatureFormat(dersig, 72, DSA_DER, sigppraw.data(), 64, DSA_P1363);
|
|
|
|
BOOST_CHECK(cssz <= 72);
|
|
|
|
BOOST_REQUIRE(1 == secp256k1_ecdsa_verify(hm.data(), sizeof(hm), dersig, cssz, encpub, 65));
|
|
|
|
|
|
|
|
// verify cryptopp sig w/sec256lib
|
|
|
|
cssz = DSAConvertSignatureFormat(dersig, 72, DSA_DER, sigppb.data(), 64, DSA_P1363);
|
|
|
|
BOOST_CHECK(cssz <= 72);
|
|
|
|
BOOST_REQUIRE(1 == secp256k1_ecdsa_verify(hm.data(), sizeof(hm), dersig, cssz, encpub, 65));
|
|
|
|
}
|
2014-10-23 00:40:02 +00:00
|
|
|
}
|
|
|
|
|
2015-03-03 01:23:48 +00:00
|
|
|
BOOST_AUTO_TEST_CASE(ecies_interop_test)
|
|
|
|
{
|
2015-03-03 12:01:47 +00:00
|
|
|
CryptoPP::SHA256 sha256ctx;
|
|
|
|
bytes emptyExpected(fromHex("0xe3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"));
|
|
|
|
bytes empty;
|
|
|
|
sha256ctx.Update(empty.data(), 0);
|
|
|
|
bytes emptyTestOut(32);
|
|
|
|
sha256ctx.Final(emptyTestOut.data());
|
|
|
|
BOOST_REQUIRE(emptyExpected == emptyTestOut);
|
|
|
|
|
|
|
|
bytes hash1Expected(fromHex("0x8949b278bbafb8da1aaa18cb724175c5952280f74be5d29ab4b37d1b45c84b08"));
|
|
|
|
bytes hash1input(fromHex("0x55a53b55afb12affff3c"));
|
|
|
|
sha256ctx.Update(hash1input.data(), hash1input.size());
|
|
|
|
bytes hash1Out(32);
|
|
|
|
sha256ctx.Final(hash1Out.data());
|
|
|
|
BOOST_REQUIRE(hash1Out == hash1Expected);
|
|
|
|
|
|
|
|
h128 hmack(fromHex("0x07a4b6dfa06369a570f2dcba2f11a18f"));
|
|
|
|
CryptoPP::HMAC<SHA256> hmacctx(hmack.data(), h128::size);
|
|
|
|
bytes input(fromHex("0x4dcb92ed4fc67fe86832"));
|
|
|
|
hmacctx.Update(input.data(), input.size());
|
|
|
|
bytes hmacExpected(fromHex("0xc90b62b1a673b47df8e395e671a68bfa68070d6e2ef039598bb829398b89b9a9"));
|
|
|
|
bytes hmacOut(hmacExpected.size());
|
|
|
|
hmacctx.Final(hmacOut.data());
|
|
|
|
BOOST_REQUIRE(hmacExpected == hmacOut);
|
|
|
|
|
|
|
|
// go messageTag
|
|
|
|
bytes tagSecret(fromHex("0xaf6623e52208c596e17c72cea6f1cb09"));
|
|
|
|
bytes tagInput(fromHex("0x3461282bcedace970df2"));
|
|
|
|
bytes tagExpected(fromHex("0xb3ce623bce08d5793677ba9441b22bb34d3e8a7de964206d26589df3e8eb5183"));
|
|
|
|
CryptoPP::HMAC<SHA256> hmactagctx(tagSecret.data(), tagSecret.size());
|
|
|
|
hmactagctx.Update(tagInput.data(), tagInput.size());
|
|
|
|
h256 mac;
|
|
|
|
hmactagctx.Final(mac.data());
|
|
|
|
BOOST_REQUIRE(mac.asBytes() == tagExpected);
|
|
|
|
|
2015-03-03 01:23:48 +00:00
|
|
|
Secret input1(fromHex("0x0de72f1223915fa8b8bf45dffef67aef8d89792d116eb61c9a1eb02c422a4663"));
|
|
|
|
bytes expect1(fromHex("0x1d0c446f9899a3426f2b89a8cb75c14b"));
|
|
|
|
bytes test1;
|
|
|
|
test1 = s_secp256k1.eciesKDF(input1, bytes(), 16);
|
|
|
|
BOOST_REQUIRE(test1 == expect1);
|
|
|
|
|
2015-03-03 12:01:47 +00:00
|
|
|
Secret kdfInput2(fromHex("0x961c065873443014e0371f1ed656c586c6730bf927415757f389d92acf8268df"));
|
|
|
|
bytes kdfExpect2(fromHex("0x4050c52e6d9c08755e5a818ac66fabe478b825b1836fd5efc4d44e40d04dabcc"));
|
|
|
|
bytes kdfTest2;
|
|
|
|
kdfTest2 = s_secp256k1.eciesKDF(kdfInput2, bytes(), 32);
|
|
|
|
BOOST_REQUIRE(kdfTest2 == kdfExpect2);
|
|
|
|
|
2015-03-03 01:23:48 +00:00
|
|
|
KeyPair k(Secret(fromHex("0x332143e9629eedff7d142d741f896258f5a1bfab54dab2121d3ec5000093d74b")));
|
|
|
|
Public p(fromHex("0xf0d2b97981bd0d415a843b5dfe8ab77a30300daab3658c578f2340308a2da1a07f0821367332598b6aa4e180a41e92f4ebbae3518da847f0b1c0bbfe20bcf4e1"));
|
|
|
|
Secret agreeExpected(fromHex("0xee1418607c2fcfb57fda40380e885a707f49000a5dda056d828b7d9bd1f29a08"));
|
|
|
|
Secret agreeTest;
|
|
|
|
s_secp256k1.agree(k.sec(), p, agreeTest);
|
|
|
|
BOOST_REQUIRE(agreeExpected == agreeTest);
|
|
|
|
|
2015-03-03 12:01:47 +00:00
|
|
|
KeyPair kmK(Secret(fromHex("0x57baf2c62005ddec64c357d96183ebc90bf9100583280e848aa31d683cad73cb")));
|
|
|
|
bytes kmCipher(fromHex("0x04ff2c874d0a47917c84eea0b2a4141ca95233720b5c70f81a8415bae1dc7b746b61df7558811c1d6054333907333ef9bb0cc2fbf8b34abb9730d14e0140f4553f4b15d705120af46cf653a1dc5b95b312cf8444714f95a4f7a0425b67fc064d18f4d0a528761565ca02d97faffdac23de10"));
|
|
|
|
bytes kmPlain = kmCipher;
|
|
|
|
bytes kmExpected(asBytes("a"));
|
|
|
|
BOOST_REQUIRE(s_secp256k1.decryptECIES(kmK.sec(), kmPlain));
|
|
|
|
BOOST_REQUIRE(kmExpected == kmPlain);
|
|
|
|
|
2015-03-03 01:23:48 +00:00
|
|
|
KeyPair kenc(Secret(fromHex("0x472413e97f1fd58d84e28a559479e6b6902d2e8a0cee672ef38a3a35d263886b")));
|
|
|
|
Public penc(Public(fromHex("0x7a2aa2951282279dc1171549a7112b07c38c0d97c0fe2c0ae6c4588ba15be74a04efc4f7da443f6d61f68a9279bc82b73e0cc8d090048e9f87e838ae65dd8d4c")));
|
|
|
|
BOOST_REQUIRE(penc == kenc.pub());
|
|
|
|
|
|
|
|
bytes cipher1(fromHex("0x046f647e1bd8a5cd1446d31513bac233e18bdc28ec0e59d46de453137a72599533f1e97c98154343420d5f16e171e5107999a7c7f1a6e26f57bcb0d2280655d08fb148d36f1d4b28642d3bb4a136f0e33e3dd2e3cffe4b45a03fb7c5b5ea5e65617250fdc89e1a315563c20504b9d3a72555"));
|
|
|
|
bytes plainTest1 = cipher1;
|
|
|
|
bytes expectedPlain1 = asBytes("a");
|
|
|
|
BOOST_REQUIRE(s_secp256k1.decryptECIES(kenc.sec(), plainTest1));
|
|
|
|
BOOST_REQUIRE(plainTest1 == expectedPlain1);
|
|
|
|
|
|
|
|
bytes cipher2(fromHex("0x0443c24d6ccef3ad095140760bb143078b3880557a06392f17c5e368502d79532bc18903d59ced4bbe858e870610ab0d5f8b7963dd5c9c4cf81128d10efd7c7aa80091563c273e996578403694673581829e25a865191bdc9954db14285b56eb0043b6288172e0d003c10f42fe413222e273d1d4340c38a2d8344d7aadcbc846ee"));
|
|
|
|
bytes plainTest2 = cipher2;
|
|
|
|
bytes expectedPlain2 = asBytes("aaaaaaaaaaaaaaaa");
|
|
|
|
BOOST_REQUIRE(s_secp256k1.decryptECIES(kenc.sec(), plainTest2));
|
|
|
|
BOOST_REQUIRE(plainTest2 == expectedPlain2);
|
|
|
|
|
|
|
|
bytes cipher3(fromHex("0x04c4e40c86bb5324e017e598c6d48c19362ae527af8ab21b077284a4656c8735e62d73fb3d740acefbec30ca4c024739a1fcdff69ecaf03301eebf156eb5f17cca6f9d7a7e214a1f3f6e34d1ee0ec00ce0ef7d2b242fbfec0f276e17941f9f1bfbe26de10a15a6fac3cda039904ddd1d7e06e7b96b4878f61860e47f0b84c8ceb64f6a900ff23844f4359ae49b44154980a626d3c73226c19e"));
|
|
|
|
bytes plainTest3 = cipher3;
|
|
|
|
bytes expectedPlain3 = asBytes("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");
|
|
|
|
BOOST_REQUIRE(s_secp256k1.decryptECIES(kenc.sec(), plainTest3));
|
|
|
|
BOOST_REQUIRE(plainTest3 == expectedPlain3);
|
|
|
|
}
|
|
|
|
|
2015-03-01 21:17:17 +00:00
|
|
|
BOOST_AUTO_TEST_CASE(ecies_kdf)
|
|
|
|
{
|
|
|
|
KeyPair local = KeyPair::create();
|
|
|
|
KeyPair remote = KeyPair::create();
|
|
|
|
// nonce
|
|
|
|
Secret z1;
|
|
|
|
ecdh::agree(local.sec(), remote.pub(), z1);
|
|
|
|
auto key1 = s_secp256k1.eciesKDF(z1, bytes(), 512);
|
|
|
|
bytesConstRef eKey1 = bytesConstRef(&key1).cropped(0, 32);
|
|
|
|
bytesRef mKey1 = bytesRef(&key1).cropped(32, 32);
|
|
|
|
sha3(mKey1, mKey1);
|
|
|
|
|
|
|
|
Secret z2;
|
|
|
|
ecdh::agree(remote.sec(), local.pub(), z2);
|
|
|
|
auto key2 = s_secp256k1.eciesKDF(z2, bytes(), 512);
|
|
|
|
bytesConstRef eKey2 = bytesConstRef(&key2).cropped(0, 32);
|
|
|
|
bytesRef mKey2 = bytesRef(&key2).cropped(32, 32);
|
|
|
|
sha3(mKey2, mKey2);
|
|
|
|
|
|
|
|
BOOST_REQUIRE(eKey1.toBytes() == eKey2.toBytes());
|
|
|
|
BOOST_REQUIRE(mKey1.toBytes() == mKey2.toBytes());
|
|
|
|
|
|
|
|
BOOST_REQUIRE((u256)h256(z1) > 0);
|
|
|
|
BOOST_REQUIRE(z1 == z2);
|
|
|
|
|
|
|
|
BOOST_REQUIRE(key1.size() > 0 && ((u512)h512(key1)) > 0);
|
|
|
|
BOOST_REQUIRE(key1 == key2);
|
|
|
|
}
|
|
|
|
|
|
|
|
BOOST_AUTO_TEST_CASE(ecies_standard)
|
|
|
|
{
|
|
|
|
KeyPair k = KeyPair::create();
|
|
|
|
|
|
|
|
string message("Now is the time for all good persons to come to the aid of humanity.");
|
|
|
|
string original = message;
|
|
|
|
bytes b = asBytes(message);
|
|
|
|
|
|
|
|
s_secp256k1.encryptECIES(k.pub(), b);
|
|
|
|
BOOST_REQUIRE(b != asBytes(original));
|
|
|
|
BOOST_REQUIRE(b.size() > 0 && ((u128)h128(b)) > 0);
|
|
|
|
|
|
|
|
s_secp256k1.decryptECIES(k.sec(), b);
|
|
|
|
BOOST_REQUIRE(bytesConstRef(&b).cropped(0, original.size()).toBytes() == asBytes(original));
|
|
|
|
}
|
|
|
|
|
2014-10-23 00:40:02 +00:00
|
|
|
BOOST_AUTO_TEST_CASE(ecies_eckeypair)
|
2014-10-14 17:30:20 +00:00
|
|
|
{
|
2014-10-23 20:12:47 +00:00
|
|
|
KeyPair k = KeyPair::create();
|
2014-10-23 14:38:50 +00:00
|
|
|
|
2014-11-11 17:31:23 +00:00
|
|
|
string message("Now is the time for all good persons to come to the aid of humanity.");
|
2014-10-22 20:57:41 +00:00
|
|
|
string original = message;
|
|
|
|
|
|
|
|
bytes b = asBytes(message);
|
2014-11-13 01:00:19 +00:00
|
|
|
s_secp256k1.encrypt(k.pub(), b);
|
2014-10-27 04:15:44 +00:00
|
|
|
BOOST_REQUIRE(b != asBytes(original));
|
2014-10-22 21:59:00 +00:00
|
|
|
|
2014-11-13 01:00:19 +00:00
|
|
|
s_secp256k1.decrypt(k.sec(), b);
|
2014-10-27 04:15:44 +00:00
|
|
|
BOOST_REQUIRE(b == asBytes(original));
|
2014-10-14 17:30:20 +00:00
|
|
|
}
|
|
|
|
|
2014-11-11 17:31:23 +00:00
|
|
|
BOOST_AUTO_TEST_CASE(ecdh)
|
2014-10-18 03:11:36 +00:00
|
|
|
{
|
2014-11-11 17:31:23 +00:00
|
|
|
cnote << "Testing ecdh...";
|
|
|
|
|
2014-11-13 01:00:19 +00:00
|
|
|
ECDH<ECP>::Domain dhLocal(s_curveOID);
|
2014-11-11 17:31:23 +00:00
|
|
|
SecByteBlock privLocal(dhLocal.PrivateKeyLength());
|
|
|
|
SecByteBlock pubLocal(dhLocal.PublicKeyLength());
|
2014-11-13 01:00:19 +00:00
|
|
|
dhLocal.GenerateKeyPair(s_rng, privLocal, pubLocal);
|
2014-11-11 17:31:23 +00:00
|
|
|
|
2014-11-13 01:00:19 +00:00
|
|
|
ECDH<ECP>::Domain dhRemote(s_curveOID);
|
2014-11-11 17:31:23 +00:00
|
|
|
SecByteBlock privRemote(dhRemote.PrivateKeyLength());
|
|
|
|
SecByteBlock pubRemote(dhRemote.PublicKeyLength());
|
2014-11-13 01:00:19 +00:00
|
|
|
dhRemote.GenerateKeyPair(s_rng, privRemote, pubRemote);
|
2014-10-22 13:57:52 +00:00
|
|
|
|
2014-11-11 17:31:23 +00:00
|
|
|
assert(dhLocal.AgreedValueLength() == dhRemote.AgreedValueLength());
|
2014-10-22 13:57:52 +00:00
|
|
|
|
2014-11-11 17:31:23 +00:00
|
|
|
// local: send public to remote; remote: send public to local
|
|
|
|
|
|
|
|
// Local
|
|
|
|
SecByteBlock sharedLocal(dhLocal.AgreedValueLength());
|
|
|
|
assert(dhLocal.Agree(sharedLocal, privLocal, pubRemote));
|
|
|
|
|
|
|
|
// Remote
|
|
|
|
SecByteBlock sharedRemote(dhRemote.AgreedValueLength());
|
|
|
|
assert(dhRemote.Agree(sharedRemote, privRemote, pubLocal));
|
|
|
|
|
|
|
|
// Test
|
|
|
|
Integer ssLocal, ssRemote;
|
|
|
|
ssLocal.Decode(sharedLocal.BytePtr(), sharedLocal.SizeInBytes());
|
|
|
|
ssRemote.Decode(sharedRemote.BytePtr(), sharedRemote.SizeInBytes());
|
|
|
|
|
|
|
|
assert(ssLocal != 0);
|
|
|
|
assert(ssLocal == ssRemote);
|
|
|
|
|
|
|
|
|
|
|
|
// Now use our keys
|
|
|
|
KeyPair a = KeyPair::create();
|
|
|
|
byte puba[65] = {0x04};
|
|
|
|
memcpy(&puba[1], a.pub().data(), 64);
|
|
|
|
|
|
|
|
KeyPair b = KeyPair::create();
|
|
|
|
byte pubb[65] = {0x04};
|
|
|
|
memcpy(&pubb[1], b.pub().data(), 64);
|
|
|
|
|
2014-11-13 01:00:19 +00:00
|
|
|
ECDH<ECP>::Domain dhA(s_curveOID);
|
2014-11-11 17:31:23 +00:00
|
|
|
Secret shared;
|
|
|
|
BOOST_REQUIRE(dhA.Agree(shared.data(), a.sec().data(), pubb));
|
|
|
|
BOOST_REQUIRE(shared);
|
2014-10-18 03:11:36 +00:00
|
|
|
}
|
2014-10-14 17:30:20 +00:00
|
|
|
|
2014-11-11 17:31:23 +00:00
|
|
|
BOOST_AUTO_TEST_CASE(ecdhe)
|
2014-10-14 17:30:20 +00:00
|
|
|
{
|
2014-11-11 17:31:23 +00:00
|
|
|
cnote << "Testing ecdhe...";
|
2014-10-14 17:30:20 +00:00
|
|
|
|
2014-11-11 17:31:23 +00:00
|
|
|
ECDHE a, b;
|
|
|
|
BOOST_CHECK_NE(a.pubkey(), b.pubkey());
|
2014-10-14 17:30:20 +00:00
|
|
|
|
2014-11-11 17:31:23 +00:00
|
|
|
ECDHE local;
|
|
|
|
ECDHE remote;
|
2014-10-14 17:30:20 +00:00
|
|
|
|
2014-11-11 17:31:23 +00:00
|
|
|
// local tx pubkey -> remote
|
|
|
|
Secret sremote;
|
|
|
|
remote.agree(local.pubkey(), sremote);
|
2014-10-14 17:30:20 +00:00
|
|
|
|
2014-11-11 17:31:23 +00:00
|
|
|
// remote tx pbukey -> local
|
|
|
|
Secret slocal;
|
|
|
|
local.agree(remote.pubkey(), slocal);
|
|
|
|
|
|
|
|
BOOST_REQUIRE(sremote);
|
|
|
|
BOOST_REQUIRE(slocal);
|
|
|
|
BOOST_REQUIRE_EQUAL(sremote, slocal);
|
|
|
|
}
|
|
|
|
|
2015-02-13 07:48:33 +00:00
|
|
|
BOOST_AUTO_TEST_CASE(handshakeNew)
|
|
|
|
{
|
|
|
|
// authInitiator -> E(remote-pubk, S(ecdhe-random, ecdh-shared-secret^nonce) || H(ecdhe-random-pubk) || pubk || nonce || 0x0)
|
|
|
|
// authRecipient -> E(remote-pubk, ecdhe-random-pubk || nonce || 0x0)
|
|
|
|
|
2015-02-17 12:16:56 +00:00
|
|
|
h256 base(sha3("privacy"));
|
|
|
|
sha3(base.ref(), base.ref());
|
|
|
|
Secret nodeAsecret(base);
|
2015-02-13 07:48:33 +00:00
|
|
|
KeyPair nodeA(nodeAsecret);
|
2015-02-14 01:45:03 +00:00
|
|
|
BOOST_REQUIRE(nodeA.pub());
|
2015-02-13 07:48:33 +00:00
|
|
|
|
2015-02-17 12:16:56 +00:00
|
|
|
sha3(base.ref(), base.ref());
|
|
|
|
Secret nodeBsecret(base);
|
2015-02-13 07:48:33 +00:00
|
|
|
KeyPair nodeB(nodeBsecret);
|
2015-02-17 12:16:56 +00:00
|
|
|
BOOST_REQUIRE(nodeB.pub());
|
2015-02-14 01:45:03 +00:00
|
|
|
|
|
|
|
BOOST_REQUIRE_NE(nodeA.sec(), nodeB.sec());
|
2015-02-13 07:48:33 +00:00
|
|
|
|
|
|
|
// Initiator is Alice (nodeA)
|
|
|
|
ECDHE eA;
|
|
|
|
bytes nAbytes(fromHex("0xAAAA"));
|
|
|
|
h256 nonceA(sha3(nAbytes));
|
|
|
|
bytes auth(Signature::size + h256::size + Public::size + h256::size + 1);
|
2015-02-13 21:05:20 +00:00
|
|
|
Secret ssA;
|
2015-02-13 07:48:33 +00:00
|
|
|
{
|
2015-03-01 21:17:17 +00:00
|
|
|
bytesRef sig(&auth[0], Signature::size);
|
|
|
|
bytesRef hepubk(&auth[Signature::size], h256::size);
|
|
|
|
bytesRef pubk(&auth[Signature::size + h256::size], Public::size);
|
|
|
|
bytesRef nonce(&auth[Signature::size + h256::size + Public::size], h256::size);
|
2015-02-13 07:48:33 +00:00
|
|
|
|
2015-02-17 12:16:56 +00:00
|
|
|
crypto::ecdh::agree(nodeA.sec(), nodeB.pub(), ssA);
|
2015-02-13 21:05:20 +00:00
|
|
|
sign(eA.seckey(), ssA ^ nonceA).ref().copyTo(sig);
|
2015-02-13 07:48:33 +00:00
|
|
|
sha3(eA.pubkey().ref(), hepubk);
|
|
|
|
nodeA.pub().ref().copyTo(pubk);
|
|
|
|
nonceA.ref().copyTo(nonce);
|
|
|
|
auth[auth.size() - 1] = 0x0;
|
|
|
|
}
|
2015-02-13 07:57:26 +00:00
|
|
|
bytes authcipher;
|
|
|
|
encrypt(nodeB.pub(), &auth, authcipher);
|
2015-02-17 12:16:56 +00:00
|
|
|
BOOST_REQUIRE_EQUAL(authcipher.size(), 279);
|
2015-02-13 07:57:26 +00:00
|
|
|
|
2015-02-14 03:11:23 +00:00
|
|
|
// Receipient is Bob (nodeB)
|
2015-02-13 07:57:26 +00:00
|
|
|
ECDHE eB;
|
|
|
|
bytes nBbytes(fromHex("0xBBBB"));
|
|
|
|
h256 nonceB(sha3(nAbytes));
|
2015-02-14 03:11:23 +00:00
|
|
|
bytes ack(Public::size + h256::size + 1);
|
2015-02-13 07:57:26 +00:00
|
|
|
{
|
2015-02-17 12:16:56 +00:00
|
|
|
// todo: replace nodeA.pub() in encrypt()
|
|
|
|
// decrypt public key from auth
|
|
|
|
bytes authdecrypted;
|
|
|
|
decrypt(nodeB.sec(), &authcipher, authdecrypted);
|
|
|
|
Public node;
|
|
|
|
bytesConstRef pubk(&authdecrypted[Signature::size + h256::size], Public::size);
|
|
|
|
pubk.copyTo(node.ref());
|
|
|
|
|
2015-03-01 21:17:17 +00:00
|
|
|
bytesRef epubk(&ack[0], Public::size);
|
|
|
|
bytesRef nonce(&ack[Public::size], h256::size);
|
2015-02-13 07:57:26 +00:00
|
|
|
|
|
|
|
eB.pubkey().ref().copyTo(epubk);
|
|
|
|
nonceB.ref().copyTo(nonce);
|
|
|
|
auth[auth.size() - 1] = 0x0;
|
|
|
|
}
|
|
|
|
bytes ackcipher;
|
|
|
|
encrypt(nodeA.pub(), &ack, ackcipher);
|
2015-02-17 12:16:56 +00:00
|
|
|
BOOST_REQUIRE_EQUAL(ackcipher.size(), 182);
|
2015-02-14 01:45:03 +00:00
|
|
|
|
|
|
|
BOOST_REQUIRE(eA.pubkey());
|
|
|
|
BOOST_REQUIRE(eB.pubkey());
|
|
|
|
BOOST_REQUIRE_NE(eA.seckey(), eB.seckey());
|
2015-02-13 21:05:20 +00:00
|
|
|
|
2015-02-14 03:11:23 +00:00
|
|
|
/// Alice (after receiving ack)
|
2015-02-13 21:05:20 +00:00
|
|
|
Secret aEncryptK;
|
|
|
|
Secret aMacK;
|
|
|
|
Secret aEgressMac;
|
|
|
|
Secret aIngressMac;
|
|
|
|
{
|
2015-02-14 03:11:23 +00:00
|
|
|
bytes ackdecrypted;
|
|
|
|
decrypt(nodeA.sec(), &ackcipher, ackdecrypted);
|
|
|
|
BOOST_REQUIRE(ackdecrypted.size());
|
|
|
|
bytesConstRef ackRef(&ackdecrypted);
|
|
|
|
Public eBAck;
|
|
|
|
h256 nonceBAck;
|
2015-03-01 21:17:17 +00:00
|
|
|
ackRef.cropped(0, Public::size).copyTo(bytesRef(eBAck.data(), Public::size));
|
2015-02-14 03:11:23 +00:00
|
|
|
ackRef.cropped(Public::size, h256::size).copyTo(nonceBAck.ref());
|
|
|
|
BOOST_REQUIRE_EQUAL(eBAck, eB.pubkey());
|
|
|
|
BOOST_REQUIRE_EQUAL(nonceBAck, nonceB);
|
|
|
|
|
2015-02-14 01:45:03 +00:00
|
|
|
// TODO: export ess and require equal to b
|
|
|
|
|
|
|
|
bytes keyMaterialBytes(512);
|
2015-03-01 21:17:17 +00:00
|
|
|
bytesRef keyMaterial(&keyMaterialBytes);
|
2015-02-13 21:05:20 +00:00
|
|
|
|
|
|
|
h256 ess;
|
|
|
|
// todo: ecdh-agree should be able to output bytes
|
2015-02-17 12:16:56 +00:00
|
|
|
eA.agree(eBAck, ess);
|
2015-02-14 01:45:03 +00:00
|
|
|
ess.ref().copyTo(keyMaterial.cropped(0, h256::size));
|
|
|
|
ssA.ref().copyTo(keyMaterial.cropped(h256::size, h256::size));
|
2015-02-13 21:05:20 +00:00
|
|
|
// auto token = sha3(ssA);
|
|
|
|
aEncryptK = sha3(keyMaterial);
|
2015-02-14 01:45:03 +00:00
|
|
|
aEncryptK.ref().copyTo(keyMaterial.cropped(h256::size, h256::size));
|
2015-02-13 21:05:20 +00:00
|
|
|
aMacK = sha3(keyMaterial);
|
2015-02-14 03:11:23 +00:00
|
|
|
|
2015-02-14 01:45:03 +00:00
|
|
|
keyMaterialBytes.resize(h256::size + authcipher.size());
|
|
|
|
keyMaterial.retarget(keyMaterialBytes.data(), keyMaterialBytes.size());
|
2015-02-14 03:11:23 +00:00
|
|
|
(aMacK ^ nonceBAck).ref().copyTo(keyMaterial);
|
2015-02-14 01:45:03 +00:00
|
|
|
bytesConstRef(&authcipher).copyTo(keyMaterial.cropped(h256::size, authcipher.size()));
|
2015-02-13 21:05:20 +00:00
|
|
|
aEgressMac = sha3(keyMaterial);
|
2015-02-14 01:45:03 +00:00
|
|
|
|
|
|
|
keyMaterialBytes.resize(h256::size + ackcipher.size());
|
|
|
|
keyMaterial.retarget(keyMaterialBytes.data(), keyMaterialBytes.size());
|
|
|
|
(aMacK ^ nonceA).ref().copyTo(keyMaterial);
|
|
|
|
bytesConstRef(&ackcipher).copyTo(keyMaterial.cropped(h256::size, ackcipher.size()));
|
2015-02-13 21:05:20 +00:00
|
|
|
aIngressMac = sha3(keyMaterial);
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2015-02-14 03:11:23 +00:00
|
|
|
/// Bob (after sending ack)
|
2015-02-14 01:45:03 +00:00
|
|
|
Secret ssB;
|
2015-02-17 12:16:56 +00:00
|
|
|
crypto::ecdh::agree(nodeB.sec(), nodeA.pub(), ssB);
|
2015-02-14 01:45:03 +00:00
|
|
|
BOOST_REQUIRE_EQUAL(ssA, ssB);
|
|
|
|
|
|
|
|
Secret bEncryptK;
|
|
|
|
Secret bMacK;
|
|
|
|
Secret bEgressMac;
|
|
|
|
Secret bIngressMac;
|
|
|
|
{
|
2015-02-14 03:11:23 +00:00
|
|
|
bytes authdecrypted;
|
|
|
|
decrypt(nodeB.sec(), &authcipher, authdecrypted);
|
|
|
|
BOOST_REQUIRE(authdecrypted.size());
|
|
|
|
bytesConstRef ackRef(&authdecrypted);
|
|
|
|
Signature sigAuth;
|
|
|
|
h256 heA;
|
|
|
|
Public eAAuth;
|
|
|
|
Public nodeAAuth;
|
|
|
|
h256 nonceAAuth;
|
|
|
|
bytesConstRef sig(&authdecrypted[0], Signature::size);
|
|
|
|
bytesConstRef hepubk(&authdecrypted[Signature::size], h256::size);
|
|
|
|
bytesConstRef pubk(&authdecrypted[Signature::size + h256::size], Public::size);
|
|
|
|
bytesConstRef nonce(&authdecrypted[Signature::size + h256::size + Public::size], h256::size);
|
|
|
|
|
|
|
|
nonce.copyTo(nonceAAuth.ref());
|
|
|
|
pubk.copyTo(nodeAAuth.ref());
|
|
|
|
BOOST_REQUIRE(nonceAAuth);
|
|
|
|
BOOST_REQUIRE_EQUAL(nonceA, nonceAAuth);
|
|
|
|
BOOST_REQUIRE(nodeAAuth);
|
|
|
|
BOOST_REQUIRE_EQUAL(nodeA.pub(), nodeAAuth); // bad test, bad!!!
|
|
|
|
hepubk.copyTo(heA.ref());
|
|
|
|
sig.copyTo(sigAuth.ref());
|
|
|
|
|
|
|
|
Secret ss;
|
|
|
|
s_secp256k1.agree(nodeB.sec(), nodeAAuth, ss);
|
|
|
|
eAAuth = recover(sigAuth, ss ^ nonceAAuth);
|
|
|
|
// todo: test when this fails; means remote is bad or packet bits were flipped
|
|
|
|
BOOST_REQUIRE_EQUAL(heA, sha3(eAAuth));
|
|
|
|
BOOST_REQUIRE_EQUAL(eAAuth, eA.pubkey());
|
|
|
|
|
2015-02-14 01:45:03 +00:00
|
|
|
bytes keyMaterialBytes(512);
|
2015-03-01 21:17:17 +00:00
|
|
|
bytesRef keyMaterial(&keyMaterialBytes);
|
2015-02-14 01:45:03 +00:00
|
|
|
|
|
|
|
h256 ess;
|
|
|
|
// todo: ecdh-agree should be able to output bytes
|
2015-02-17 12:16:56 +00:00
|
|
|
eB.agree(eAAuth, ess);
|
|
|
|
// s_secp256k1.agree(eB.seckey(), eAAuth, ess);
|
2015-02-14 01:45:03 +00:00
|
|
|
ess.ref().copyTo(keyMaterial.cropped(0, h256::size));
|
|
|
|
ssB.ref().copyTo(keyMaterial.cropped(h256::size, h256::size));
|
|
|
|
// auto token = sha3(ssA);
|
|
|
|
bEncryptK = sha3(keyMaterial);
|
|
|
|
bEncryptK.ref().copyTo(keyMaterial.cropped(h256::size, h256::size));
|
|
|
|
bMacK = sha3(keyMaterial);
|
|
|
|
|
|
|
|
// todo: replace nonceB with decrypted nonceB
|
|
|
|
keyMaterialBytes.resize(h256::size + ackcipher.size());
|
|
|
|
keyMaterial.retarget(keyMaterialBytes.data(), keyMaterialBytes.size());
|
2015-02-14 03:11:23 +00:00
|
|
|
(bMacK ^ nonceAAuth).ref().copyTo(keyMaterial);
|
2015-02-14 01:45:03 +00:00
|
|
|
bytesConstRef(&ackcipher).copyTo(keyMaterial.cropped(h256::size, ackcipher.size()));
|
|
|
|
bEgressMac = sha3(keyMaterial);
|
|
|
|
|
|
|
|
keyMaterialBytes.resize(h256::size + authcipher.size());
|
|
|
|
keyMaterial.retarget(keyMaterialBytes.data(), keyMaterialBytes.size());
|
|
|
|
(bMacK ^ nonceB).ref().copyTo(keyMaterial);
|
|
|
|
bytesConstRef(&authcipher).copyTo(keyMaterial.cropped(h256::size, authcipher.size()));
|
|
|
|
bIngressMac = sha3(keyMaterial);
|
|
|
|
}
|
2015-02-13 21:05:20 +00:00
|
|
|
|
2015-02-14 01:45:03 +00:00
|
|
|
BOOST_REQUIRE_EQUAL(aEncryptK, bEncryptK);
|
|
|
|
BOOST_REQUIRE_EQUAL(aMacK, bMacK);
|
|
|
|
BOOST_REQUIRE_EQUAL(aEgressMac, bIngressMac);
|
|
|
|
BOOST_REQUIRE_EQUAL(bEgressMac, aIngressMac);
|
2015-02-17 12:16:56 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
2014-10-14 17:30:20 +00:00
|
|
|
}
|
|
|
|
|
2015-03-01 21:17:17 +00:00
|
|
|
BOOST_AUTO_TEST_CASE(ecies_aes128_ctr_unaligned)
|
2015-02-17 12:16:56 +00:00
|
|
|
{
|
|
|
|
Secret encryptK(sha3("..."));
|
|
|
|
h256 egressMac(sha3("+++"));
|
|
|
|
// TESTING: send encrypt magic sequence
|
|
|
|
bytes magic {0x22,0x40,0x08,0x91};
|
|
|
|
bytes magicCipherAndMac;
|
2015-03-01 21:17:17 +00:00
|
|
|
encryptSymNoAuth(encryptK, &magic, magicCipherAndMac, h128());
|
|
|
|
|
2015-02-17 12:16:56 +00:00
|
|
|
magicCipherAndMac.resize(magicCipherAndMac.size() + 32);
|
|
|
|
sha3mac(egressMac.ref(), &magic, egressMac.ref());
|
2015-03-01 21:17:17 +00:00
|
|
|
egressMac.ref().copyTo(bytesRef(&magicCipherAndMac).cropped(magicCipherAndMac.size() - 32, 32));
|
2015-02-17 12:16:56 +00:00
|
|
|
|
|
|
|
bytes plaintext;
|
|
|
|
bytesConstRef cipher(&magicCipherAndMac[0], magicCipherAndMac.size() - 32);
|
2015-03-01 21:17:17 +00:00
|
|
|
decryptSymNoAuth(encryptK, h128(), cipher, plaintext);
|
|
|
|
|
|
|
|
plaintext.resize(magic.size());
|
|
|
|
BOOST_REQUIRE(plaintext.size() > 0);
|
|
|
|
BOOST_REQUIRE(magic == plaintext);
|
2015-02-17 12:16:56 +00:00
|
|
|
}
|
|
|
|
|
2015-03-01 21:17:17 +00:00
|
|
|
BOOST_AUTO_TEST_CASE(ecies_aes128_ctr)
|
2015-02-17 12:16:56 +00:00
|
|
|
{
|
|
|
|
Secret k(sha3("0xAAAA"));
|
|
|
|
string m = "AAAAAAAAAAAAAAAA";
|
|
|
|
bytesConstRef msg((byte*)m.data(), m.size());
|
|
|
|
|
|
|
|
bytes ciphertext;
|
|
|
|
auto iv = encryptSymNoAuth(k, msg, ciphertext);
|
|
|
|
|
|
|
|
bytes plaintext;
|
|
|
|
decryptSymNoAuth(k, iv, &ciphertext, plaintext);
|
|
|
|
BOOST_REQUIRE_EQUAL(asString(plaintext), m);
|
|
|
|
}
|
|
|
|
|
2014-10-22 13:57:52 +00:00
|
|
|
BOOST_AUTO_TEST_CASE(cryptopp_aes128_ctr)
|
|
|
|
{
|
|
|
|
const int aesKeyLen = 16;
|
2014-10-27 04:15:44 +00:00
|
|
|
BOOST_REQUIRE(sizeof(char) == sizeof(byte));
|
2014-10-22 13:57:52 +00:00
|
|
|
|
|
|
|
// generate test key
|
|
|
|
AutoSeededRandomPool rng;
|
|
|
|
SecByteBlock key(0x00, aesKeyLen);
|
|
|
|
rng.GenerateBlock(key, key.size());
|
|
|
|
|
|
|
|
// cryptopp uses IV as nonce/counter which is same as using nonce w/0 ctr
|
2014-11-11 17:31:23 +00:00
|
|
|
FixedHash<AES::BLOCKSIZE> ctr;
|
|
|
|
rng.GenerateBlock(ctr.data(), sizeof(ctr));
|
|
|
|
|
|
|
|
// used for decrypt
|
|
|
|
FixedHash<AES::BLOCKSIZE> ctrcopy(ctr);
|
2014-10-22 13:57:52 +00:00
|
|
|
|
2014-11-11 17:31:23 +00:00
|
|
|
string text = "Now is the time for all good persons to come to the aid of humanity.";
|
2014-10-22 13:57:52 +00:00
|
|
|
unsigned char const* in = (unsigned char*)&text[0];
|
|
|
|
unsigned char* out = (unsigned char*)&text[0];
|
|
|
|
string original = text;
|
2014-11-11 17:31:23 +00:00
|
|
|
string doublespeak = text + text;
|
2014-10-22 13:57:52 +00:00
|
|
|
|
|
|
|
string cipherCopy;
|
|
|
|
try
|
|
|
|
{
|
2014-10-23 19:59:05 +00:00
|
|
|
CTR_Mode<AES>::Encryption e;
|
2014-11-11 17:31:23 +00:00
|
|
|
e.SetKeyWithIV(key, key.size(), ctr.data());
|
|
|
|
|
|
|
|
// 68 % 255 should be difference of counter
|
2014-10-22 13:57:52 +00:00
|
|
|
e.ProcessData(out, in, text.size());
|
2015-02-17 12:16:56 +00:00
|
|
|
ctr = h128(u128(ctr) + text.size() / 16);
|
2014-11-11 17:31:23 +00:00
|
|
|
|
2014-10-27 04:15:44 +00:00
|
|
|
BOOST_REQUIRE(text != original);
|
2014-10-22 13:57:52 +00:00
|
|
|
cipherCopy = text;
|
|
|
|
}
|
2014-10-23 19:59:05 +00:00
|
|
|
catch(CryptoPP::Exception& e)
|
2014-10-22 13:57:52 +00:00
|
|
|
{
|
|
|
|
cerr << e.what() << endl;
|
|
|
|
}
|
|
|
|
|
|
|
|
try
|
|
|
|
{
|
|
|
|
CTR_Mode< AES >::Decryption d;
|
2014-11-11 17:31:23 +00:00
|
|
|
d.SetKeyWithIV(key, key.size(), ctrcopy.data());
|
2014-10-22 13:57:52 +00:00
|
|
|
d.ProcessData(out, in, text.size());
|
2014-10-27 04:15:44 +00:00
|
|
|
BOOST_REQUIRE(text == original);
|
2014-10-22 13:57:52 +00:00
|
|
|
}
|
2014-10-23 19:59:05 +00:00
|
|
|
catch(CryptoPP::Exception& e)
|
2014-10-22 13:57:52 +00:00
|
|
|
{
|
|
|
|
cerr << e.what() << endl;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// reencrypt ciphertext...
|
|
|
|
try
|
|
|
|
{
|
2014-10-27 04:15:44 +00:00
|
|
|
BOOST_REQUIRE(cipherCopy != text);
|
2014-10-22 13:57:52 +00:00
|
|
|
in = (unsigned char*)&cipherCopy[0];
|
|
|
|
out = (unsigned char*)&cipherCopy[0];
|
|
|
|
|
2014-10-23 19:59:05 +00:00
|
|
|
CTR_Mode<AES>::Encryption e;
|
2014-11-11 17:31:23 +00:00
|
|
|
e.SetKeyWithIV(key, key.size(), ctrcopy.data());
|
2014-10-22 13:57:52 +00:00
|
|
|
e.ProcessData(out, in, text.size());
|
|
|
|
|
|
|
|
// yep, ctr mode.
|
2014-10-27 04:15:44 +00:00
|
|
|
BOOST_REQUIRE(cipherCopy == original);
|
2014-10-22 13:57:52 +00:00
|
|
|
}
|
2014-10-23 19:59:05 +00:00
|
|
|
catch(CryptoPP::Exception& e)
|
2014-10-22 13:57:52 +00:00
|
|
|
{
|
|
|
|
cerr << e.what() << endl;
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
|
2014-10-15 09:58:27 +00:00
|
|
|
BOOST_AUTO_TEST_CASE(cryptopp_aes128_cbc)
|
|
|
|
{
|
|
|
|
const int aesKeyLen = 16;
|
2014-10-27 04:15:44 +00:00
|
|
|
BOOST_REQUIRE(sizeof(char) == sizeof(byte));
|
2014-10-15 09:58:27 +00:00
|
|
|
|
|
|
|
AutoSeededRandomPool rng;
|
|
|
|
SecByteBlock key(0x00, aesKeyLen);
|
|
|
|
rng.GenerateBlock(key, key.size());
|
|
|
|
|
|
|
|
// Generate random IV
|
|
|
|
byte iv[AES::BLOCKSIZE];
|
|
|
|
rng.GenerateBlock(iv, AES::BLOCKSIZE);
|
|
|
|
|
|
|
|
string string128("AAAAAAAAAAAAAAAA");
|
|
|
|
string plainOriginal = string128;
|
|
|
|
|
|
|
|
CryptoPP::CBC_Mode<Rijndael>::Encryption cbcEncryption(key, key.size(), iv);
|
|
|
|
cbcEncryption.ProcessData((byte*)&string128[0], (byte*)&string128[0], string128.size());
|
2014-10-27 04:15:44 +00:00
|
|
|
BOOST_REQUIRE(string128 != plainOriginal);
|
2014-10-15 09:58:27 +00:00
|
|
|
|
|
|
|
CBC_Mode<Rijndael>::Decryption cbcDecryption(key, key.size(), iv);
|
|
|
|
cbcDecryption.ProcessData((byte*)&string128[0], (byte*)&string128[0], string128.size());
|
2014-10-27 04:15:44 +00:00
|
|
|
BOOST_REQUIRE(plainOriginal == string128);
|
2014-10-15 09:58:27 +00:00
|
|
|
|
|
|
|
|
|
|
|
// plaintext whose size isn't divisible by block size must use stream filter for padding
|
|
|
|
string string192("AAAAAAAAAAAAAAAABBBBBBBB");
|
|
|
|
plainOriginal = string192;
|
|
|
|
|
|
|
|
string cipher;
|
|
|
|
StreamTransformationFilter* aesStream = new StreamTransformationFilter(cbcEncryption, new StringSink(cipher));
|
|
|
|
StringSource source(string192, true, aesStream);
|
2014-10-27 04:15:44 +00:00
|
|
|
BOOST_REQUIRE(cipher.size() == 32);
|
2014-10-15 09:58:27 +00:00
|
|
|
|
|
|
|
cbcDecryption.ProcessData((byte*)&cipher[0], (byte*)&string192[0], cipher.size());
|
2014-10-27 04:15:44 +00:00
|
|
|
BOOST_REQUIRE(string192 == plainOriginal);
|
2014-10-15 09:58:27 +00:00
|
|
|
}
|
|
|
|
|
2014-10-14 17:30:20 +00:00
|
|
|
BOOST_AUTO_TEST_CASE(eth_keypairs)
|
2014-04-19 17:53:48 +00:00
|
|
|
{
|
|
|
|
cnote << "Testing Crypto...";
|
|
|
|
secp256k1_start();
|
|
|
|
|
|
|
|
KeyPair p(Secret(fromHex("3ecb44df2159c26e0f995712d4f39b6f6e499b40749b1cf1246c37f9516cb6a4")));
|
|
|
|
BOOST_REQUIRE(p.pub() == Public(fromHex("97466f2b32bc3bb76d4741ae51cd1d8578b48d3f1e68da206d47321aec267ce78549b514e4453d74ef11b0cd5e4e4c364effddac8b51bcfc8de80682f952896f")));
|
|
|
|
BOOST_REQUIRE(p.address() == Address(fromHex("8a40bfaa73256b60764c1bf40675a99083efb075")));
|
|
|
|
{
|
2014-11-05 13:45:19 +00:00
|
|
|
eth::Transaction t(1000, 0, 0, h160(fromHex("944400f4b88ac9589a0f17ed4671da26bddb668b")), bytes(), 0, p.secret());
|
2014-11-05 14:32:23 +00:00
|
|
|
auto rlp = t.rlp(eth::WithoutSignature);
|
2014-10-03 13:53:04 +00:00
|
|
|
cnote << RLP(rlp);
|
|
|
|
cnote << toHex(rlp);
|
2014-11-05 14:32:23 +00:00
|
|
|
cnote << t.sha3(eth::WithoutSignature);
|
|
|
|
rlp = t.rlp(eth::WithSignature);
|
2014-10-03 13:53:04 +00:00
|
|
|
cnote << RLP(rlp);
|
|
|
|
cnote << toHex(rlp);
|
2014-11-05 14:32:23 +00:00
|
|
|
cnote << t.sha3(eth::WithSignature);
|
2014-04-19 17:53:48 +00:00
|
|
|
BOOST_REQUIRE(t.sender() == p.address());
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2014-01-19 14:42:02 +00:00
|
|
|
int cryptoTest()
|
|
|
|
{
|
2014-02-28 12:55:30 +00:00
|
|
|
cnote << "Testing Crypto...";
|
2014-02-11 17:43:37 +00:00
|
|
|
secp256k1_start();
|
|
|
|
|
2014-03-04 17:46:26 +00:00
|
|
|
KeyPair p(Secret(fromHex("3ecb44df2159c26e0f995712d4f39b6f6e499b40749b1cf1246c37f9516cb6a4")));
|
2014-10-27 04:15:44 +00:00
|
|
|
BOOST_REQUIRE(p.pub() == Public(fromHex("97466f2b32bc3bb76d4741ae51cd1d8578b48d3f1e68da206d47321aec267ce78549b514e4453d74ef11b0cd5e4e4c364effddac8b51bcfc8de80682f952896f")));
|
|
|
|
BOOST_REQUIRE(p.address() == Address(fromHex("8a40bfaa73256b60764c1bf40675a99083efb075")));
|
2014-02-11 17:43:37 +00:00
|
|
|
{
|
2014-11-05 13:45:19 +00:00
|
|
|
eth::Transaction t(1000, 0, 0, h160(fromHex("944400f4b88ac9589a0f17ed4671da26bddb668b")), bytes(), 0, p.secret());
|
2014-11-05 14:32:23 +00:00
|
|
|
auto rlp = t.rlp(eth::WithoutSignature);
|
2014-10-03 13:53:04 +00:00
|
|
|
cnote << RLP(rlp);
|
|
|
|
cnote << toHex(rlp);
|
2014-11-05 14:32:23 +00:00
|
|
|
cnote << t.sha3(eth::WithoutSignature);
|
|
|
|
rlp = t.rlp(eth::WithSignature);
|
2014-10-03 13:53:04 +00:00
|
|
|
cnote << RLP(rlp);
|
|
|
|
cnote << toHex(rlp);
|
2014-11-05 14:32:23 +00:00
|
|
|
cnote << t.sha3(eth::WithSignature);
|
2014-02-11 17:43:37 +00:00
|
|
|
assert(t.sender() == p.address());
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
#if 0
|
2014-01-19 14:42:02 +00:00
|
|
|
// Test transaction.
|
2014-03-04 17:46:26 +00:00
|
|
|
bytes tx = fromHex("88005401010101010101010101010101010101010101011f0de0b6b3a76400001ce8d4a5100080181c373130a009ba1f10285d4e659568bfcfec85067855c5a3c150100815dad4ef98fd37cf0593828c89db94bd6c64e210a32ef8956eaa81ea9307194996a3b879441f5d");
|
2014-01-19 14:42:02 +00:00
|
|
|
cout << "TX: " << RLP(tx) << endl;
|
|
|
|
|
2014-01-20 14:53:02 +00:00
|
|
|
Transaction t2(tx);
|
2014-01-31 14:10:05 +00:00
|
|
|
cout << "SENDER: " << hex << t2.sender() << dec << endl;
|
2014-01-20 14:53:02 +00:00
|
|
|
|
|
|
|
secp256k1_start();
|
|
|
|
|
|
|
|
Transaction t;
|
|
|
|
t.nonce = 0;
|
|
|
|
t.value = 1; // 1 wei.
|
2014-10-27 13:13:16 +00:00
|
|
|
t.type = eth::Transaction::MessageCall;
|
2014-01-20 14:53:02 +00:00
|
|
|
t.receiveAddress = toAddress(sha3("123"));
|
2014-01-19 14:42:02 +00:00
|
|
|
|
|
|
|
bytes sig64 = toBigEndian(t.vrs.r) + toBigEndian(t.vrs.s);
|
2014-03-04 17:46:26 +00:00
|
|
|
cout << "SIG: " << sig64.size() << " " << toHex(sig64) << " " << t.vrs.v << endl;
|
2014-01-19 14:42:02 +00:00
|
|
|
|
|
|
|
auto msg = t.rlp(false);
|
|
|
|
cout << "TX w/o SIG: " << RLP(msg) << endl;
|
2014-11-05 14:28:29 +00:00
|
|
|
cout << "RLP(TX w/o SIG): " << toHex(t.rlp(false)) << endl;
|
|
|
|
std::string hmsg = sha3(t.rlp(false), false);
|
2014-03-04 17:46:26 +00:00
|
|
|
cout << "SHA256(RLP(TX w/o SIG)): 0x" << toHex(hmsg) << endl;
|
2014-01-19 14:42:02 +00:00
|
|
|
|
|
|
|
bytes privkey = sha3Bytes("123");
|
|
|
|
|
|
|
|
{
|
|
|
|
bytes pubkey(65);
|
|
|
|
int pubkeylen = 65;
|
|
|
|
|
|
|
|
int ret = secp256k1_ecdsa_seckey_verify(privkey.data());
|
2014-03-04 17:46:26 +00:00
|
|
|
cout << "SEC: " << dec << ret << " " << toHex(privkey) << endl;
|
2014-01-19 14:42:02 +00:00
|
|
|
|
|
|
|
ret = secp256k1_ecdsa_pubkey_create(pubkey.data(), &pubkeylen, privkey.data(), 1);
|
|
|
|
pubkey.resize(pubkeylen);
|
2014-02-11 19:13:31 +00:00
|
|
|
int good = secp256k1_ecdsa_pubkey_verify(pubkey.data(), (int)pubkey.size());
|
2014-03-04 17:46:26 +00:00
|
|
|
cout << "PUB: " << dec << ret << " " << pubkeylen << " " << toHex(pubkey) << (good ? " GOOD" : " BAD") << endl;
|
2014-01-19 14:42:02 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Test roundtrip...
|
|
|
|
{
|
|
|
|
bytes sig(64);
|
|
|
|
u256 nonce = 0;
|
|
|
|
int v = 0;
|
2014-03-04 17:46:26 +00:00
|
|
|
cout << toHex(hmsg) << endl;
|
|
|
|
cout << toHex(privkey) << endl;
|
2014-01-31 14:10:05 +00:00
|
|
|
cout << hex << nonce << dec << endl;
|
2014-02-11 19:13:31 +00:00
|
|
|
int ret = secp256k1_ecdsa_sign_compact((byte const*)hmsg.data(), (int)hmsg.size(), sig.data(), privkey.data(), (byte const*)&nonce, &v);
|
2014-03-04 17:46:26 +00:00
|
|
|
cout << "MYSIG: " << dec << ret << " " << sig.size() << " " << toHex(sig) << " " << v << endl;
|
2014-01-19 14:42:02 +00:00
|
|
|
|
|
|
|
bytes pubkey(65);
|
|
|
|
int pubkeylen = 65;
|
2014-02-11 19:13:31 +00:00
|
|
|
ret = secp256k1_ecdsa_recover_compact((byte const*)hmsg.data(), (int)hmsg.size(), (byte const*)sig.data(), pubkey.data(), &pubkeylen, 0, v);
|
2014-01-19 14:42:02 +00:00
|
|
|
pubkey.resize(pubkeylen);
|
2014-03-04 17:46:26 +00:00
|
|
|
cout << "MYREC: " << dec << ret << " " << pubkeylen << " " << toHex(pubkey) << endl;
|
2014-01-19 14:42:02 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
{
|
|
|
|
bytes pubkey(65);
|
|
|
|
int pubkeylen = 65;
|
2014-02-11 19:13:31 +00:00
|
|
|
int ret = secp256k1_ecdsa_recover_compact((byte const*)hmsg.data(), (int)hmsg.size(), (byte const*)sig64.data(), pubkey.data(), &pubkeylen, 0, (int)t.vrs.v - 27);
|
2014-01-19 14:42:02 +00:00
|
|
|
pubkey.resize(pubkeylen);
|
2014-03-04 17:46:26 +00:00
|
|
|
cout << "RECPUB: " << dec << ret << " " << pubkeylen << " " << toHex(pubkey) << endl;
|
2014-10-16 16:43:48 +00:00
|
|
|
cout << "SENDER: " << hex << toAddress(dev::sha3(bytesConstRef(&pubkey).cropped(1))) << dec << endl;
|
2014-01-19 14:42:02 +00:00
|
|
|
}
|
2014-02-11 17:43:37 +00:00
|
|
|
#endif
|
2014-01-19 14:42:02 +00:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2014-10-14 17:30:20 +00:00
|
|
|
BOOST_AUTO_TEST_SUITE_END()
|
|
|
|
|