/* This file is part of cpp-ethereum. cpp-ethereum is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. cpp-ethereum is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with cpp-ethereum. If not, see . */ /** @file crypto.cpp * @author Gav Wood * @date 2014 * Crypto test functions. */ #include #include #include #include #include #include #include #include #include #include #include using namespace std; using namespace dev; using namespace dev::crypto; using namespace CryptoPP; BOOST_AUTO_TEST_SUITE(devcrypto) BOOST_AUTO_TEST_CASE(common_encrypt_decrypt) { string message("Now is the time for all good persons to come to the aid of humanity."); bytes m = asBytes(message); bytesConstRef bcr(&m); KeyPair k = KeyPair::create(); bytes cipher; encrypt(k.pub(), bcr, cipher); BOOST_REQUIRE(cipher != asBytes(message) && cipher.size() > 0); bytes plain; decrypt(k.sec(), bytesConstRef(&cipher), plain); BOOST_REQUIRE(asString(plain) == message); BOOST_REQUIRE(plain == asBytes(message)); } BOOST_AUTO_TEST_CASE(cryptopp_vs_secp256k1) { ECIES::Decryptor d(pp::PRNG, pp::secp256k1Curve); ECIES::Encryptor e(d.GetKey()); Secret s; pp::exportPrivateKey(d.GetKey(), s); Public p; pp::exportPublicKey(e.GetKey(), p); BOOST_REQUIRE(dev::toAddress(s) == right160(dev::sha3(p.ref()))); Secret previous = s; for (auto i = 0; i < 2; i++) { ECIES::Decryptor d(pp::PRNG, pp::secp256k1Curve); ECIES::Encryptor e(d.GetKey()); Secret s; pp::exportPrivateKey(d.GetKey(), s); BOOST_REQUIRE(s != previous); Public p; pp::exportPublicKey(e.GetKey(), p); h160 secp256k1Addr = dev::toAddress(s); h160 cryptoppAddr = right160(dev::sha3(p.ref())); if (secp256k1Addr != cryptoppAddr) { BOOST_REQUIRE(secp256k1Addr == cryptoppAddr); break; } } } BOOST_AUTO_TEST_CASE(cryptopp_cryptopp_secp256k1libport) { // cryptopp implementation of secp256k1lib sign_compact w/recid parameter and recovery of public key from signature // base secret Secret secret(sha3("privacy")); // we get ec params from signer const CryptoPP::DL_GroupParameters_EC params = pp::secp256k1Params; ECDSA::Signer signer; // e := sha3(msg) bytes e(fromHex("0x01")); e.resize(32); int tests = 2; // Oct 29: successful @ 1500 while (sha3(&e, &e), secret = sha3(secret.asBytes()), tests--) { KeyPair key(secret); Public pkey = key.pub(); pp::initializeDLScheme(secret, signer); h256 he(sha3(e)); Integer heInt(he.asBytes().data(), 32); h256 k(crypto::kdf(secret, he)); Integer kInt(k.asBytes().data(), 32); kInt %= params.GetSubgroupOrder()-1; ECP::Point rp = params.ExponentiateBase(kInt); Integer const& q = params.GetGroupOrder(); Integer r = params.ConvertElementToInteger(rp); int recid = ((r >= q) ? 2 : 0) | (rp.y.IsOdd() ? 1 : 0); Integer kInv = kInt.InverseMod(q); Integer s = (kInv * (Integer(secret.asBytes().data(), 32)*r + heInt)) % q; BOOST_REQUIRE(!!r && !!s); /* // For future reference: // According to maths, this codepath can't be reached, however, it's in secp256k1. // Commenting this out diverges from codebase implementation. // To be removed after upstream PR and proof are evaulated. if (s > params.GetSubgroupOrder()) { // note: this rarely happens s = params.GetGroupOrder() - s; if (recid) recid ^= 1; } */ Signature sig; r.Encode(sig.data(), 32); s.Encode(sig.data() + 32, 32); sig[64] = recid; Public p = dev::recover(sig, he); BOOST_REQUIRE(p == pkey); // verify w/cryptopp BOOST_REQUIRE(crypto::verify(pkey, sig, bytesConstRef(&e))); // verify with secp256k1lib byte encpub[65] = {0x04}; memcpy(&encpub[1], pkey.data(), 64); byte dersig[72]; size_t cssz = DSAConvertSignatureFormat(dersig, 72, DSA_DER, sig.data(), 64, DSA_P1363); BOOST_CHECK(cssz <= 72); BOOST_REQUIRE(1 == secp256k1_ecdsa_verify(he.data(), sizeof(he), dersig, cssz, encpub, 65)); } } BOOST_AUTO_TEST_CASE(cryptopp_ecdsa_sipaseckp256k1) { // cryptopp integer encoding Integer nHex("f2ee15ea639b73fa3db9b34a245bdfa015c260c598b211bf05a1ecc4b3e3b4f2H"); Integer nB(fromHex("f2ee15ea639b73fa3db9b34a245bdfa015c260c598b211bf05a1ecc4b3e3b4f2").data(), 32); BOOST_REQUIRE(nHex == nB); bytes sbytes(fromHex("0xFFFF")); Secret secret(sha3(sbytes)); // 5fe7f977e71dba2ea1a68e21057beebb9be2ac30c6410aa38d4f3fbe41dcffd2 KeyPair key(secret); bytes m(fromHex("0xFF")); int tests = 3; while (m[0]++, tests--) { h256 hm(sha3(m)); Integer hInt(hm.asBytes().data(), 32); h256 k(hm ^ key.sec()); Integer kInt(k.asBytes().data(), 32); // raw sign w/cryptopp (doesn't pass through cryptopp hash filter) ECDSA::Signer signer; pp::initializeDLScheme(key.sec(), signer); Integer r, s; signer.RawSign(kInt, hInt, r, s); // verify cryptopp raw-signature w/cryptopp ECDSA::Verifier verifier; pp::initializeDLScheme(key.pub(), verifier); Signature sigppraw; r.Encode(sigppraw.data(), 32); s.Encode(sigppraw.data() + 32, 32); BOOST_REQUIRE(verifier.VerifyMessage(m.data(), m.size(), sigppraw.data(), 64)); BOOST_REQUIRE(crypto::verify(key.pub(), sigppraw, bytesConstRef(&m))); BOOST_REQUIRE(dev::verify(key.pub(), sigppraw, hm)); // sign with cryptopp, verify, recover w/sec256lib Signature seclibsig(dev::sign(key.sec(), hm)); BOOST_REQUIRE(verifier.VerifyMessage(m.data(), m.size(), seclibsig.data(), 64)); BOOST_REQUIRE(crypto::verify(key.pub(), seclibsig, bytesConstRef(&m))); BOOST_REQUIRE(dev::verify(key.pub(), seclibsig, hm)); BOOST_REQUIRE(dev::recover(seclibsig, hm) == key.pub()); // sign with cryptopp (w/hash filter?), verify with cryptopp bytes sigppb(signer.MaxSignatureLength()); size_t ssz = signer.SignMessage(pp::PRNG, m.data(), m.size(), sigppb.data()); Signature sigpp; memcpy(sigpp.data(), sigppb.data(), 64); BOOST_REQUIRE(verifier.VerifyMessage(m.data(), m.size(), sigppb.data(), ssz)); BOOST_REQUIRE(crypto::verify(key.pub(), sigpp, bytesConstRef(&m))); BOOST_REQUIRE(dev::verify(key.pub(), sigpp, hm)); // sign with cryptopp and stringsource hash filter string sigstr; StringSource ssrc(asString(m), true, new SignerFilter(pp::PRNG, signer, new StringSink(sigstr))); FixedHash retsig((byte const*)sigstr.data(), Signature::ConstructFromPointer); BOOST_REQUIRE(verifier.VerifyMessage(m.data(), m.size(), retsig.data(), 64)); BOOST_REQUIRE(crypto::verify(key.pub(), retsig, bytesConstRef(&m))); BOOST_REQUIRE(dev::verify(key.pub(), retsig, hm)); /// verification w/sec256lib // requires public key and sig in standard format byte encpub[65] = {0x04}; memcpy(&encpub[1], key.pub().data(), 64); byte dersig[72]; // verify sec256lib sig w/sec256lib size_t cssz = DSAConvertSignatureFormat(dersig, 72, DSA_DER, seclibsig.data(), 64, DSA_P1363); BOOST_CHECK(cssz <= 72); BOOST_REQUIRE(1 == secp256k1_ecdsa_verify(hm.data(), sizeof(hm), dersig, cssz, encpub, 65)); // verify cryptopp-raw sig w/sec256lib cssz = DSAConvertSignatureFormat(dersig, 72, DSA_DER, sigppraw.data(), 64, DSA_P1363); BOOST_CHECK(cssz <= 72); BOOST_REQUIRE(1 == secp256k1_ecdsa_verify(hm.data(), sizeof(hm), dersig, cssz, encpub, 65)); // verify cryptopp sig w/sec256lib cssz = DSAConvertSignatureFormat(dersig, 72, DSA_DER, sigppb.data(), 64, DSA_P1363); BOOST_CHECK(cssz <= 72); BOOST_REQUIRE(1 == secp256k1_ecdsa_verify(hm.data(), sizeof(hm), dersig, cssz, encpub, 65)); } } BOOST_AUTO_TEST_CASE(cryptopp_public_export_import) { ECIES::Decryptor d(pp::PRNG, pp::secp256k1Curve); ECIES::Encryptor e(d.GetKey()); Secret s; pp::exportPrivateKey(d.GetKey(), s); Public p; pp::exportPublicKey(e.GetKey(), p); Address addr = right160(dev::sha3(p.ref())); BOOST_REQUIRE(toAddress(s) == addr); KeyPair l(s); BOOST_REQUIRE(l.address() == addr); } BOOST_AUTO_TEST_CASE(ecies_eckeypair) { KeyPair k = KeyPair::create(); string message("Now is the time for all good persons to come to the aid of humanity."); string original = message; bytes b = asBytes(message); encrypt(k.pub(), b); BOOST_REQUIRE(b != asBytes(original)); decrypt(k.sec(), b); BOOST_REQUIRE(b == asBytes(original)); } BOOST_AUTO_TEST_CASE(ecdh) { cnote << "Testing ecdh..."; ECDH::Domain dhLocal(pp::secp256k1Curve); SecByteBlock privLocal(dhLocal.PrivateKeyLength()); SecByteBlock pubLocal(dhLocal.PublicKeyLength()); dhLocal.GenerateKeyPair(pp::PRNG, privLocal, pubLocal); ECDH::Domain dhRemote(pp::secp256k1Curve); SecByteBlock privRemote(dhRemote.PrivateKeyLength()); SecByteBlock pubRemote(dhRemote.PublicKeyLength()); dhRemote.GenerateKeyPair(pp::PRNG, privRemote, pubRemote); assert(dhLocal.AgreedValueLength() == dhRemote.AgreedValueLength()); // local: send public to remote; remote: send public to local // Local SecByteBlock sharedLocal(dhLocal.AgreedValueLength()); assert(dhLocal.Agree(sharedLocal, privLocal, pubRemote)); // Remote SecByteBlock sharedRemote(dhRemote.AgreedValueLength()); assert(dhRemote.Agree(sharedRemote, privRemote, pubLocal)); // Test Integer ssLocal, ssRemote; ssLocal.Decode(sharedLocal.BytePtr(), sharedLocal.SizeInBytes()); ssRemote.Decode(sharedRemote.BytePtr(), sharedRemote.SizeInBytes()); assert(ssLocal != 0); assert(ssLocal == ssRemote); // Now use our keys KeyPair a = KeyPair::create(); byte puba[65] = {0x04}; memcpy(&puba[1], a.pub().data(), 64); KeyPair b = KeyPair::create(); byte pubb[65] = {0x04}; memcpy(&pubb[1], b.pub().data(), 64); ECDH::Domain dhA(pp::secp256k1Curve); Secret shared; BOOST_REQUIRE(dhA.Agree(shared.data(), a.sec().data(), pubb)); BOOST_REQUIRE(shared); } BOOST_AUTO_TEST_CASE(ecdhe) { cnote << "Testing ecdhe..."; ECDHE a, b; BOOST_CHECK_NE(a.pubkey(), b.pubkey()); ECDHE local; ECDHE remote; // local tx pubkey -> remote Secret sremote; remote.agree(local.pubkey(), sremote); // remote tx pbukey -> local Secret slocal; local.agree(remote.pubkey(), slocal); BOOST_REQUIRE(sremote); BOOST_REQUIRE(slocal); BOOST_REQUIRE_EQUAL(sremote, slocal); } BOOST_AUTO_TEST_CASE(ecdhe_aes128_ctr_sha3mac) { // New connections require new ECDH keypairs // Every new connection requires a new EC keypair // Every new trust requires a new EC keypair // All connections should share seed for PRF (or PRNG) for nonces } BOOST_AUTO_TEST_CASE(cryptopp_aes128_ctr) { const int aesKeyLen = 16; BOOST_REQUIRE(sizeof(char) == sizeof(byte)); // generate test key AutoSeededRandomPool rng; SecByteBlock key(0x00, aesKeyLen); rng.GenerateBlock(key, key.size()); // cryptopp uses IV as nonce/counter which is same as using nonce w/0 ctr FixedHash ctr; rng.GenerateBlock(ctr.data(), sizeof(ctr)); // used for decrypt FixedHash ctrcopy(ctr); string text = "Now is the time for all good persons to come to the aid of humanity."; unsigned char const* in = (unsigned char*)&text[0]; unsigned char* out = (unsigned char*)&text[0]; string original = text; string doublespeak = text + text; string cipherCopy; try { CTR_Mode::Encryption e; e.SetKeyWithIV(key, key.size(), ctr.data()); // 68 % 255 should be difference of counter e.ProcessData(out, in, text.size()); (u128)ctr += (u128)(text.size() % 16); BOOST_REQUIRE(text != original); cipherCopy = text; } catch(CryptoPP::Exception& e) { cerr << e.what() << endl; } try { CTR_Mode< AES >::Decryption d; d.SetKeyWithIV(key, key.size(), ctrcopy.data()); d.ProcessData(out, in, text.size()); BOOST_REQUIRE(text == original); } catch(CryptoPP::Exception& e) { cerr << e.what() << endl; } // reencrypt ciphertext... try { BOOST_REQUIRE(cipherCopy != text); in = (unsigned char*)&cipherCopy[0]; out = (unsigned char*)&cipherCopy[0]; CTR_Mode::Encryption e; e.SetKeyWithIV(key, key.size(), ctrcopy.data()); e.ProcessData(out, in, text.size()); // yep, ctr mode. BOOST_REQUIRE(cipherCopy == original); } catch(CryptoPP::Exception& e) { cerr << e.what() << endl; } } BOOST_AUTO_TEST_CASE(cryptopp_aes128_cbc) { const int aesKeyLen = 16; BOOST_REQUIRE(sizeof(char) == sizeof(byte)); AutoSeededRandomPool rng; SecByteBlock key(0x00, aesKeyLen); rng.GenerateBlock(key, key.size()); // Generate random IV byte iv[AES::BLOCKSIZE]; rng.GenerateBlock(iv, AES::BLOCKSIZE); string string128("AAAAAAAAAAAAAAAA"); string plainOriginal = string128; CryptoPP::CBC_Mode::Encryption cbcEncryption(key, key.size(), iv); cbcEncryption.ProcessData((byte*)&string128[0], (byte*)&string128[0], string128.size()); BOOST_REQUIRE(string128 != plainOriginal); CBC_Mode::Decryption cbcDecryption(key, key.size(), iv); cbcDecryption.ProcessData((byte*)&string128[0], (byte*)&string128[0], string128.size()); BOOST_REQUIRE(plainOriginal == string128); // plaintext whose size isn't divisible by block size must use stream filter for padding string string192("AAAAAAAAAAAAAAAABBBBBBBB"); plainOriginal = string192; string cipher; StreamTransformationFilter* aesStream = new StreamTransformationFilter(cbcEncryption, new StringSink(cipher)); StringSource source(string192, true, aesStream); BOOST_REQUIRE(cipher.size() == 32); cbcDecryption.ProcessData((byte*)&cipher[0], (byte*)&string192[0], cipher.size()); BOOST_REQUIRE(string192 == plainOriginal); } BOOST_AUTO_TEST_CASE(eth_keypairs) { cnote << "Testing Crypto..."; secp256k1_start(); KeyPair p(Secret(fromHex("3ecb44df2159c26e0f995712d4f39b6f6e499b40749b1cf1246c37f9516cb6a4"))); BOOST_REQUIRE(p.pub() == Public(fromHex("97466f2b32bc3bb76d4741ae51cd1d8578b48d3f1e68da206d47321aec267ce78549b514e4453d74ef11b0cd5e4e4c364effddac8b51bcfc8de80682f952896f"))); BOOST_REQUIRE(p.address() == Address(fromHex("8a40bfaa73256b60764c1bf40675a99083efb075"))); { eth::Transaction t(1000, 0, 0, h160(fromHex("944400f4b88ac9589a0f17ed4671da26bddb668b")), bytes(), 0, p.secret()); auto rlp = t.rlp(eth::WithoutSignature); cnote << RLP(rlp); cnote << toHex(rlp); cnote << t.sha3(eth::WithoutSignature); rlp = t.rlp(eth::WithSignature); cnote << RLP(rlp); cnote << toHex(rlp); cnote << t.sha3(eth::WithSignature); BOOST_REQUIRE(t.sender() == p.address()); } } int cryptoTest() { cnote << "Testing Crypto..."; secp256k1_start(); KeyPair p(Secret(fromHex("3ecb44df2159c26e0f995712d4f39b6f6e499b40749b1cf1246c37f9516cb6a4"))); BOOST_REQUIRE(p.pub() == Public(fromHex("97466f2b32bc3bb76d4741ae51cd1d8578b48d3f1e68da206d47321aec267ce78549b514e4453d74ef11b0cd5e4e4c364effddac8b51bcfc8de80682f952896f"))); BOOST_REQUIRE(p.address() == Address(fromHex("8a40bfaa73256b60764c1bf40675a99083efb075"))); { eth::Transaction t(1000, 0, 0, h160(fromHex("944400f4b88ac9589a0f17ed4671da26bddb668b")), bytes(), 0, p.secret()); auto rlp = t.rlp(eth::WithoutSignature); cnote << RLP(rlp); cnote << toHex(rlp); cnote << t.sha3(eth::WithoutSignature); rlp = t.rlp(eth::WithSignature); cnote << RLP(rlp); cnote << toHex(rlp); cnote << t.sha3(eth::WithSignature); assert(t.sender() == p.address()); } #if 0 // Test transaction. bytes tx = fromHex("88005401010101010101010101010101010101010101011f0de0b6b3a76400001ce8d4a5100080181c373130a009ba1f10285d4e659568bfcfec85067855c5a3c150100815dad4ef98fd37cf0593828c89db94bd6c64e210a32ef8956eaa81ea9307194996a3b879441f5d"); cout << "TX: " << RLP(tx) << endl; Transaction t2(tx); cout << "SENDER: " << hex << t2.sender() << dec << endl; secp256k1_start(); Transaction t; t.nonce = 0; t.value = 1; // 1 wei. t.type = eth::Transaction::MessageCall; t.receiveAddress = toAddress(sha3("123")); bytes sig64 = toBigEndian(t.vrs.r) + toBigEndian(t.vrs.s); cout << "SIG: " << sig64.size() << " " << toHex(sig64) << " " << t.vrs.v << endl; auto msg = t.rlp(false); cout << "TX w/o SIG: " << RLP(msg) << endl; cout << "RLP(TX w/o SIG): " << toHex(t.rlp(false)) << endl; std::string hmsg = sha3(t.rlp(false), false); cout << "SHA256(RLP(TX w/o SIG)): 0x" << toHex(hmsg) << endl; bytes privkey = sha3Bytes("123"); { bytes pubkey(65); int pubkeylen = 65; int ret = secp256k1_ecdsa_seckey_verify(privkey.data()); cout << "SEC: " << dec << ret << " " << toHex(privkey) << endl; ret = secp256k1_ecdsa_pubkey_create(pubkey.data(), &pubkeylen, privkey.data(), 1); pubkey.resize(pubkeylen); int good = secp256k1_ecdsa_pubkey_verify(pubkey.data(), (int)pubkey.size()); cout << "PUB: " << dec << ret << " " << pubkeylen << " " << toHex(pubkey) << (good ? " GOOD" : " BAD") << endl; } // Test roundtrip... { bytes sig(64); u256 nonce = 0; int v = 0; cout << toHex(hmsg) << endl; cout << toHex(privkey) << endl; cout << hex << nonce << dec << endl; int ret = secp256k1_ecdsa_sign_compact((byte const*)hmsg.data(), (int)hmsg.size(), sig.data(), privkey.data(), (byte const*)&nonce, &v); cout << "MYSIG: " << dec << ret << " " << sig.size() << " " << toHex(sig) << " " << v << endl; bytes pubkey(65); int pubkeylen = 65; ret = secp256k1_ecdsa_recover_compact((byte const*)hmsg.data(), (int)hmsg.size(), (byte const*)sig.data(), pubkey.data(), &pubkeylen, 0, v); pubkey.resize(pubkeylen); cout << "MYREC: " << dec << ret << " " << pubkeylen << " " << toHex(pubkey) << endl; } { bytes pubkey(65); int pubkeylen = 65; int ret = secp256k1_ecdsa_recover_compact((byte const*)hmsg.data(), (int)hmsg.size(), (byte const*)sig64.data(), pubkey.data(), &pubkeylen, 0, (int)t.vrs.v - 27); pubkey.resize(pubkeylen); cout << "RECPUB: " << dec << ret << " " << pubkeylen << " " << toHex(pubkey) << endl; cout << "SENDER: " << hex << toAddress(dev::sha3(bytesConstRef(&pubkey).cropped(1))) << dec << endl; } #endif return 0; } BOOST_AUTO_TEST_SUITE_END()