1 /*

     2  * Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved.

     3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.

     4  *

     5  * This code is free software; you can redistribute it and/or modify it

     6  * under the terms of the GNU General Public License version 2 only, as

     7  * published by the Free Software Foundation.

     8  *

     9  * This code is distributed in the hope that it will be useful, but WITHOUT

    10  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or

    11  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License

    12  * version 2 for more details (a copy is included in the LICENSE file that

    13  * accompanied this code).

    14  *

    15  * You should have received a copy of the GNU General Public License version

    16  * 2 along with this work; if not, write to the Free Software Foundation,

    17  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

    18  *

    19  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA

    20  * or visit www.oracle.com if you need additional information or have any

    21  * questions.

    22  */

    23 

    24 /*

    25  * @test

    26  * @bug 8014374

    27  * @summary Ensure that same key+iv can't be repeatedly used for encryption.

    28  * @author Valerie Peng

    29  */

    30 

    31 import java.security.*;

    32 import javax.crypto.*;

    33 import javax.crypto.spec.*;

    34 import java.math.*;

    35 import com.sun.crypto.provider.*;

    36 

    37 import java.util.*;

    38 

    39 public class TestGCMKeyAndIvCheck extends UcryptoTest {

    40 

    41     private static final byte[] AAD = new byte[5];

    42     private static final byte[] PT = new byte[33];

    43 

    44     private static void checkISE(Cipher c) throws Exception {

    45         // Subsequent encryptions should fail

    46         try {

    47             c.updateAAD(AAD);

    48             throw new Exception("Should throw ISE for updateAAD()");

    49         } catch (IllegalStateException ise) {

    50             // expected

    51         }

    52 

    53         try {

    54             c.update(PT);

    55             throw new Exception("Should throw ISE for update()");

    56         } catch (IllegalStateException ise) {

    57             // expected

    58         }

    59         try {

    60             c.doFinal(PT);

    61             throw new Exception("Should throw ISE for doFinal()");

    62         } catch (IllegalStateException ise) {

    63             // expected

    64         }

    65     }

    66 

    67     public static void main(String[] args) throws Exception {

    68         main(new TestGCMKeyAndIvCheck(), null);

    69     }

    70 

    71     public void doTest(Provider p) throws Exception {

    72         Cipher c;

    73         try {

    74             c = Cipher.getInstance("AES/GCM/NoPadding", p);

    75         } catch (NoSuchAlgorithmException nsae) {

    76             System.out.println("Skipping Test due to No GCM support");

    77             return;

    78         }

    79 

    80         SecretKey key = new SecretKeySpec(new byte[16], "AES");

    81         // First try parameter-less init.

    82         c.init(Cipher.ENCRYPT_MODE, key);

    83         c.updateAAD(AAD);

    84         byte[] ctPlusTag = c.doFinal(PT);

    85 

    86         // subsequent encryption should fail unless re-init w/ different key+iv

    87         checkISE(c);

    88 

    89         // Validate the retrieved parameters against the IV and tag length.

    90         AlgorithmParameters params = c.getParameters();

    91         if (params == null) {

    92             throw new Exception("getParameters() should not return null");

    93         }

    94         GCMParameterSpec spec = params.getParameterSpec(GCMParameterSpec.class);

    95         if (spec.getTLen() != (ctPlusTag.length - PT.length)*8) {

    96             throw new Exception("Parameters contains incorrect TLen value");

    97         }

    98         if (!Arrays.equals(spec.getIV(), c.getIV())) {

    99             throw new Exception("Parameters contains incorrect IV value");

   100         }

   101 

   102         // Should be ok to use the same key+iv for decryption

   103         c.init(Cipher.DECRYPT_MODE, key, params);

   104         c.updateAAD(AAD);

   105         byte[] recovered = c.doFinal(ctPlusTag);

   106         if (!Arrays.equals(recovered, PT)) {

   107             throw new Exception("decryption result mismatch");

   108         }

   109 

   110         // Now try to encrypt again using the same key+iv; should fail also

   111         try {

   112             c.init(Cipher.ENCRYPT_MODE, key, params);

   113             throw new Exception("Should throw exception when same key+iv is used");

   114         } catch (InvalidAlgorithmParameterException iape) {

   115             // expected

   116         }

   117 

   118         // Now try to encrypt again using parameter-less init; should work

   119         c.init(Cipher.ENCRYPT_MODE, key);

   120         c.doFinal(PT);

   121 

   122         // make sure a different iv is used

   123         byte[] iv = c.getIV();

   124         if (Arrays.equals(spec.getIV(), iv)) {

   125             throw new Exception("IV should be different now");

   126         }

   127 

   128         // Now try to encrypt again using a different parameter; should work

   129         c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, new byte[30]));

   130         c.updateAAD(AAD);

   131         c.doFinal(PT);

   132         // subsequent encryption should fail unless re-init w/ different key+iv

   133         checkISE(c);

   134 

   135         // Now try decryption twice in a row; no re-init required and

   136         // same parameters is used.

   137         c.init(Cipher.DECRYPT_MODE, key, params);

   138         c.updateAAD(AAD);

   139         recovered = c.doFinal(ctPlusTag);

   140 

   141         c.updateAAD(AAD);

   142         recovered = c.doFinal(ctPlusTag);

   143         if (!Arrays.equals(recovered, PT)) {

   144             throw new Exception("decryption result mismatch");

   145         }

   146 

   147         // Now try decryption again and re-init using the same parameters

   148         c.init(Cipher.DECRYPT_MODE, key, params);

   149         c.updateAAD(AAD);

   150         recovered = c.doFinal(ctPlusTag);

   151 

   152         // init to decrypt w/o parameters; should fail with IKE as

   153         // javadoc specified

   154         try {

   155             c.init(Cipher.DECRYPT_MODE, key);

   156             throw new Exception("Should throw IKE for dec w/o params");

   157         } catch (InvalidKeyException ike) {

   158             // expected

   159         }

   160 

   161         // Lastly, try encryption AND decryption w/ wrong type of parameters,

   162         // e.g. IvParameterSpec

   163         try {

   164             c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));

   165             throw new Exception("Should throw IAPE");

   166         } catch (InvalidAlgorithmParameterException iape) {

   167             // expected

   168         }

   169         try {

   170             c.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv));

   171             throw new Exception("Should throw IAPE");

   172         } catch (InvalidAlgorithmParameterException iape) {

   173             // expected

   174         }

   175 

   176         System.out.println("Test Passed!");

   177     }

   178 }

   179