From fdbd8ea661537fcd443448d1c5c25191b1d40946 Mon Sep 17 00:00:00 2001 From: Peter Dettman Date: Sun, 6 Nov 2022 13:40:13 +0700 Subject: Rename HKDF files - see https://github.com/bcgit/bc-csharp/pull/325 --- crypto/src/crypto/generators/HKdfBytesGenerator.cs | 176 ------------ crypto/src/crypto/generators/HkdfBytesGenerator.cs | 176 ++++++++++++ crypto/src/crypto/parameters/HKdfParameters.cs | 119 -------- crypto/src/crypto/parameters/HkdfParameters.cs | 119 ++++++++ crypto/test/src/crypto/test/HKDFGeneratorTest.cs | 305 --------------------- crypto/test/src/crypto/test/HkdfGeneratorTest.cs | 305 +++++++++++++++++++++ 6 files changed, 600 insertions(+), 600 deletions(-) delete mode 100644 crypto/src/crypto/generators/HKdfBytesGenerator.cs create mode 100644 crypto/src/crypto/generators/HkdfBytesGenerator.cs delete mode 100644 crypto/src/crypto/parameters/HKdfParameters.cs create mode 100644 crypto/src/crypto/parameters/HkdfParameters.cs delete mode 100644 crypto/test/src/crypto/test/HKDFGeneratorTest.cs create mode 100644 crypto/test/src/crypto/test/HkdfGeneratorTest.cs diff --git a/crypto/src/crypto/generators/HKdfBytesGenerator.cs b/crypto/src/crypto/generators/HKdfBytesGenerator.cs deleted file mode 100644 index 43cd66525..000000000 --- a/crypto/src/crypto/generators/HKdfBytesGenerator.cs +++ /dev/null @@ -1,176 +0,0 @@ -using System; - -using Org.BouncyCastle.Crypto.Macs; -using Org.BouncyCastle.Crypto.Parameters; -using Org.BouncyCastle.Utilities; - -namespace Org.BouncyCastle.Crypto.Generators -{ - /** - * HMAC-based Extract-and-Expand Key Derivation Function (HKDF) implemented - * according to IETF RFC 5869, May 2010 as specified by H. Krawczyk, IBM - * Research & P. Eronen, Nokia. It uses a HMac internally to compute de OKM - * (output keying material) and is likely to have better security properties - * than KDF's based on just a hash function. - */ - public sealed class HkdfBytesGenerator - : IDerivationFunction - { - private HMac hMacHash; - private int hashLen; - - private byte[] info; - private byte[] currentT; - - private int generatedBytes; - - /** - * Creates a HKDFBytesGenerator based on the given hash function. - * - * @param hash the digest to be used as the source of generatedBytes bytes - */ - public HkdfBytesGenerator(IDigest hash) - { - this.hMacHash = new HMac(hash); - this.hashLen = hash.GetDigestSize(); - } - - public void Init(IDerivationParameters parameters) - { - if (!(parameters is HkdfParameters hkdfParameters)) - throw new ArgumentException("HKDF parameters required for HkdfBytesGenerator", "parameters"); - - if (hkdfParameters.SkipExtract) - { - // use IKM directly as PRK - hMacHash.Init(new KeyParameter(hkdfParameters.GetIkm())); - } - else - { - hMacHash.Init(Extract(hkdfParameters.GetSalt(), hkdfParameters.GetIkm())); - } - - info = hkdfParameters.GetInfo(); - - generatedBytes = 0; - currentT = new byte[hashLen]; - } - - /** - * Performs the extract part of the key derivation function. - * - * @param salt the salt to use - * @param ikm the input keying material - * @return the PRK as KeyParameter - */ - private KeyParameter Extract(byte[] salt, byte[] ikm) - { - if (salt == null) - { - // TODO check if hashLen is indeed same as HMAC size - hMacHash.Init(new KeyParameter(new byte[hashLen])); - } - else - { - hMacHash.Init(new KeyParameter(salt)); - } - - hMacHash.BlockUpdate(ikm, 0, ikm.Length); - - byte[] prk = new byte[hashLen]; - hMacHash.DoFinal(prk, 0); - return new KeyParameter(prk); - } - - /** - * Performs the expand part of the key derivation function, using currentT - * as input and output buffer. - * - * @throws DataLengthException if the total number of bytes generated is larger than the one - * specified by RFC 5869 (255 * HashLen) - */ - private void ExpandNext() - { - int n = generatedBytes / hashLen + 1; - if (n >= 256) - { - throw new DataLengthException( - "HKDF cannot generate more than 255 blocks of HashLen size"); - } - // special case for T(0): T(0) is empty, so no update - if (generatedBytes != 0) - { - hMacHash.BlockUpdate(currentT, 0, hashLen); - } - hMacHash.BlockUpdate(info, 0, info.Length); - hMacHash.Update((byte)n); - hMacHash.DoFinal(currentT, 0); - } - - public IDigest Digest => hMacHash.GetUnderlyingDigest(); - - public int GenerateBytes(byte[] output, int outOff, int length) - { -#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER - return GenerateBytes(output.AsSpan(outOff, length)); -#else - if (generatedBytes > 255 * hashLen - length) - throw new DataLengthException("HKDF may only be used for 255 * HashLen bytes of output"); - - int toGenerate = length; - int posInT = generatedBytes % hashLen; - if (posInT != 0) - { - // copy what is left in the currentT (1..hash - int toCopy = System.Math.Min(hashLen - posInT, toGenerate); - Array.Copy(currentT, posInT, output, outOff, toCopy); - generatedBytes += toCopy; - toGenerate -= toCopy; - outOff += toCopy; - } - - while (toGenerate > 0) - { - ExpandNext(); - int toCopy = System.Math.Min(hashLen, toGenerate); - Array.Copy(currentT, 0, output, outOff, toCopy); - generatedBytes += toCopy; - toGenerate -= toCopy; - outOff += toCopy; - } - - return length; -#endif - } - -#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER - public int GenerateBytes(Span output) - { - int length = output.Length; - if (generatedBytes > 255 * hashLen - length) - throw new DataLengthException("HKDF may only be used for 255 * HashLen bytes of output"); - - int posInT = generatedBytes % hashLen; - if (posInT != 0) - { - // copy what is left in the currentT (1..hash - int toCopy = System.Math.Min(hashLen - posInT, output.Length); - currentT.AsSpan(posInT, toCopy).CopyTo(output); - generatedBytes += toCopy; - output = output[toCopy..]; - } - - while (!output.IsEmpty) - { - ExpandNext(); - int toCopy = System.Math.Min(hashLen, output.Length); - currentT.AsSpan(0, toCopy).CopyTo(output); - generatedBytes += toCopy; - output = output[toCopy..]; - } - - return length; - } -#endif - } -} diff --git a/crypto/src/crypto/generators/HkdfBytesGenerator.cs b/crypto/src/crypto/generators/HkdfBytesGenerator.cs new file mode 100644 index 000000000..43cd66525 --- /dev/null +++ b/crypto/src/crypto/generators/HkdfBytesGenerator.cs @@ -0,0 +1,176 @@ +using System; + +using Org.BouncyCastle.Crypto.Macs; +using Org.BouncyCastle.Crypto.Parameters; +using Org.BouncyCastle.Utilities; + +namespace Org.BouncyCastle.Crypto.Generators +{ + /** + * HMAC-based Extract-and-Expand Key Derivation Function (HKDF) implemented + * according to IETF RFC 5869, May 2010 as specified by H. Krawczyk, IBM + * Research & P. Eronen, Nokia. It uses a HMac internally to compute de OKM + * (output keying material) and is likely to have better security properties + * than KDF's based on just a hash function. + */ + public sealed class HkdfBytesGenerator + : IDerivationFunction + { + private HMac hMacHash; + private int hashLen; + + private byte[] info; + private byte[] currentT; + + private int generatedBytes; + + /** + * Creates a HKDFBytesGenerator based on the given hash function. + * + * @param hash the digest to be used as the source of generatedBytes bytes + */ + public HkdfBytesGenerator(IDigest hash) + { + this.hMacHash = new HMac(hash); + this.hashLen = hash.GetDigestSize(); + } + + public void Init(IDerivationParameters parameters) + { + if (!(parameters is HkdfParameters hkdfParameters)) + throw new ArgumentException("HKDF parameters required for HkdfBytesGenerator", "parameters"); + + if (hkdfParameters.SkipExtract) + { + // use IKM directly as PRK + hMacHash.Init(new KeyParameter(hkdfParameters.GetIkm())); + } + else + { + hMacHash.Init(Extract(hkdfParameters.GetSalt(), hkdfParameters.GetIkm())); + } + + info = hkdfParameters.GetInfo(); + + generatedBytes = 0; + currentT = new byte[hashLen]; + } + + /** + * Performs the extract part of the key derivation function. + * + * @param salt the salt to use + * @param ikm the input keying material + * @return the PRK as KeyParameter + */ + private KeyParameter Extract(byte[] salt, byte[] ikm) + { + if (salt == null) + { + // TODO check if hashLen is indeed same as HMAC size + hMacHash.Init(new KeyParameter(new byte[hashLen])); + } + else + { + hMacHash.Init(new KeyParameter(salt)); + } + + hMacHash.BlockUpdate(ikm, 0, ikm.Length); + + byte[] prk = new byte[hashLen]; + hMacHash.DoFinal(prk, 0); + return new KeyParameter(prk); + } + + /** + * Performs the expand part of the key derivation function, using currentT + * as input and output buffer. + * + * @throws DataLengthException if the total number of bytes generated is larger than the one + * specified by RFC 5869 (255 * HashLen) + */ + private void ExpandNext() + { + int n = generatedBytes / hashLen + 1; + if (n >= 256) + { + throw new DataLengthException( + "HKDF cannot generate more than 255 blocks of HashLen size"); + } + // special case for T(0): T(0) is empty, so no update + if (generatedBytes != 0) + { + hMacHash.BlockUpdate(currentT, 0, hashLen); + } + hMacHash.BlockUpdate(info, 0, info.Length); + hMacHash.Update((byte)n); + hMacHash.DoFinal(currentT, 0); + } + + public IDigest Digest => hMacHash.GetUnderlyingDigest(); + + public int GenerateBytes(byte[] output, int outOff, int length) + { +#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER + return GenerateBytes(output.AsSpan(outOff, length)); +#else + if (generatedBytes > 255 * hashLen - length) + throw new DataLengthException("HKDF may only be used for 255 * HashLen bytes of output"); + + int toGenerate = length; + int posInT = generatedBytes % hashLen; + if (posInT != 0) + { + // copy what is left in the currentT (1..hash + int toCopy = System.Math.Min(hashLen - posInT, toGenerate); + Array.Copy(currentT, posInT, output, outOff, toCopy); + generatedBytes += toCopy; + toGenerate -= toCopy; + outOff += toCopy; + } + + while (toGenerate > 0) + { + ExpandNext(); + int toCopy = System.Math.Min(hashLen, toGenerate); + Array.Copy(currentT, 0, output, outOff, toCopy); + generatedBytes += toCopy; + toGenerate -= toCopy; + outOff += toCopy; + } + + return length; +#endif + } + +#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER + public int GenerateBytes(Span output) + { + int length = output.Length; + if (generatedBytes > 255 * hashLen - length) + throw new DataLengthException("HKDF may only be used for 255 * HashLen bytes of output"); + + int posInT = generatedBytes % hashLen; + if (posInT != 0) + { + // copy what is left in the currentT (1..hash + int toCopy = System.Math.Min(hashLen - posInT, output.Length); + currentT.AsSpan(posInT, toCopy).CopyTo(output); + generatedBytes += toCopy; + output = output[toCopy..]; + } + + while (!output.IsEmpty) + { + ExpandNext(); + int toCopy = System.Math.Min(hashLen, output.Length); + currentT.AsSpan(0, toCopy).CopyTo(output); + generatedBytes += toCopy; + output = output[toCopy..]; + } + + return length; + } +#endif + } +} diff --git a/crypto/src/crypto/parameters/HKdfParameters.cs b/crypto/src/crypto/parameters/HKdfParameters.cs deleted file mode 100644 index 6d1465e4c..000000000 --- a/crypto/src/crypto/parameters/HKdfParameters.cs +++ /dev/null @@ -1,119 +0,0 @@ -using System; - -using Org.BouncyCastle.Crypto.Macs; -using Org.BouncyCastle.Utilities; - -namespace Org.BouncyCastle.Crypto.Parameters -{ - /** - * Parameter class for the HkdfBytesGenerator class. - */ - public class HkdfParameters - : IDerivationParameters - { - private readonly byte[] ikm; - private readonly bool skipExpand; - private readonly byte[] salt; - private readonly byte[] info; - - private HkdfParameters(byte[] ikm, bool skip, byte[] salt, byte[] info) - { - if (ikm == null) - throw new ArgumentNullException("ikm"); - - this.ikm = Arrays.Clone(ikm); - this.skipExpand = skip; - - if (salt == null || salt.Length == 0) - { - this.salt = null; - } - else - { - this.salt = Arrays.Clone(salt); - } - - if (info == null) - { - this.info = new byte[0]; - } - else - { - this.info = Arrays.Clone(info); - } - } - - /** - * Generates parameters for HKDF, specifying both the optional salt and - * optional info. Step 1: Extract won't be skipped. - * - * @param ikm the input keying material or seed - * @param salt the salt to use, may be null for a salt for hashLen zeros - * @param info the info to use, may be null for an info field of zero bytes - */ - public HkdfParameters(byte[] ikm, byte[] salt, byte[] info) - : this(ikm, false, salt, info) - { - } - - /** - * Factory method that makes the HKDF skip the extract part of the key - * derivation function. - * - * @param ikm the input keying material or seed, directly used for step 2: - * Expand - * @param info the info to use, may be null for an info field of zero bytes - * @return HKDFParameters that makes the implementation skip step 1 - */ - public static HkdfParameters SkipExtractParameters(byte[] ikm, byte[] info) - { - return new HkdfParameters(ikm, true, null, info); - } - - public static HkdfParameters DefaultParameters(byte[] ikm) - { - return new HkdfParameters(ikm, false, null, null); - } - - /** - * Returns the input keying material or seed. - * - * @return the keying material - */ - public virtual byte[] GetIkm() - { - return Arrays.Clone(ikm); - } - - /** - * Returns if step 1: extract has to be skipped or not - * - * @return true for skipping, false for no skipping of step 1 - */ - public virtual bool SkipExtract - { - get { return skipExpand; } - } - - /** - * Returns the salt, or null if the salt should be generated as a byte array - * of HashLen zeros. - * - * @return the salt, or null - */ - public virtual byte[] GetSalt() - { - return Arrays.Clone(salt); - } - - /** - * Returns the info field, which may be empty (null is converted to empty). - * - * @return the info field, never null - */ - public virtual byte[] GetInfo() - { - return Arrays.Clone(info); - } - } -} diff --git a/crypto/src/crypto/parameters/HkdfParameters.cs b/crypto/src/crypto/parameters/HkdfParameters.cs new file mode 100644 index 000000000..6d1465e4c --- /dev/null +++ b/crypto/src/crypto/parameters/HkdfParameters.cs @@ -0,0 +1,119 @@ +using System; + +using Org.BouncyCastle.Crypto.Macs; +using Org.BouncyCastle.Utilities; + +namespace Org.BouncyCastle.Crypto.Parameters +{ + /** + * Parameter class for the HkdfBytesGenerator class. + */ + public class HkdfParameters + : IDerivationParameters + { + private readonly byte[] ikm; + private readonly bool skipExpand; + private readonly byte[] salt; + private readonly byte[] info; + + private HkdfParameters(byte[] ikm, bool skip, byte[] salt, byte[] info) + { + if (ikm == null) + throw new ArgumentNullException("ikm"); + + this.ikm = Arrays.Clone(ikm); + this.skipExpand = skip; + + if (salt == null || salt.Length == 0) + { + this.salt = null; + } + else + { + this.salt = Arrays.Clone(salt); + } + + if (info == null) + { + this.info = new byte[0]; + } + else + { + this.info = Arrays.Clone(info); + } + } + + /** + * Generates parameters for HKDF, specifying both the optional salt and + * optional info. Step 1: Extract won't be skipped. + * + * @param ikm the input keying material or seed + * @param salt the salt to use, may be null for a salt for hashLen zeros + * @param info the info to use, may be null for an info field of zero bytes + */ + public HkdfParameters(byte[] ikm, byte[] salt, byte[] info) + : this(ikm, false, salt, info) + { + } + + /** + * Factory method that makes the HKDF skip the extract part of the key + * derivation function. + * + * @param ikm the input keying material or seed, directly used for step 2: + * Expand + * @param info the info to use, may be null for an info field of zero bytes + * @return HKDFParameters that makes the implementation skip step 1 + */ + public static HkdfParameters SkipExtractParameters(byte[] ikm, byte[] info) + { + return new HkdfParameters(ikm, true, null, info); + } + + public static HkdfParameters DefaultParameters(byte[] ikm) + { + return new HkdfParameters(ikm, false, null, null); + } + + /** + * Returns the input keying material or seed. + * + * @return the keying material + */ + public virtual byte[] GetIkm() + { + return Arrays.Clone(ikm); + } + + /** + * Returns if step 1: extract has to be skipped or not + * + * @return true for skipping, false for no skipping of step 1 + */ + public virtual bool SkipExtract + { + get { return skipExpand; } + } + + /** + * Returns the salt, or null if the salt should be generated as a byte array + * of HashLen zeros. + * + * @return the salt, or null + */ + public virtual byte[] GetSalt() + { + return Arrays.Clone(salt); + } + + /** + * Returns the info field, which may be empty (null is converted to empty). + * + * @return the info field, never null + */ + public virtual byte[] GetInfo() + { + return Arrays.Clone(info); + } + } +} diff --git a/crypto/test/src/crypto/test/HKDFGeneratorTest.cs b/crypto/test/src/crypto/test/HKDFGeneratorTest.cs deleted file mode 100644 index fa540e41e..000000000 --- a/crypto/test/src/crypto/test/HKDFGeneratorTest.cs +++ /dev/null @@ -1,305 +0,0 @@ -using System; - -using NUnit.Framework; - -using Org.BouncyCastle.Crypto.Digests; -using Org.BouncyCastle.Crypto.Generators; -using Org.BouncyCastle.Crypto.Parameters; - -using Org.BouncyCastle.Utilities.Encoders; -using Org.BouncyCastle.Utilities.Test; - -namespace Org.BouncyCastle.Crypto.Tests -{ - /** - * HKDF tests - vectors from RFC 5869, + 2 more, 101 and 102 - */ - [TestFixture] - public class HkdfGeneratorTest - : SimpleTest - { - public HkdfGeneratorTest() - { - } - - private void CompareOkm(int test, byte[] calculatedOkm, byte[] testOkm) - { - if (!AreEqual(calculatedOkm, testOkm)) - { - Fail("HKDF failed generator test " + test); - } - } - - public override void PerformTest() - { - { - // === A.1. Test Case 1 - Basic test case with SHA-256 === - - IDigest hash = new Sha256Digest(); - byte[] ikm = Hex.Decode("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b"); - byte[] salt = Hex.Decode("000102030405060708090a0b0c"); - byte[] info = Hex.Decode("f0f1f2f3f4f5f6f7f8f9"); - int l = 42; - byte[] okm = new byte[l]; - - HkdfParameters parameters = new HkdfParameters(ikm, salt, info); - - HkdfBytesGenerator hkdf = new HkdfBytesGenerator(hash); - hkdf.Init(parameters); - hkdf.GenerateBytes(okm, 0, l); - - CompareOkm(1, okm, Hex.Decode( - "3cb25f25faacd57a90434f64d0362f2a" + - "2d2d0a90cf1a5a4c5db02d56ecc4c5bf" + - "34007208d5b887185865")); - } - - // === A.2. Test Case 2 - Test with SHA-256 and longer inputs/outputs - // === - { - IDigest hash = new Sha256Digest(); - byte[] ikm = Hex.Decode("000102030405060708090a0b0c0d0e0f" - + "101112131415161718191a1b1c1d1e1f" - + "202122232425262728292a2b2c2d2e2f" - + "303132333435363738393a3b3c3d3e3f" - + "404142434445464748494a4b4c4d4e4f"); - byte[] salt = Hex.Decode("606162636465666768696a6b6c6d6e6f" - + "707172737475767778797a7b7c7d7e7f" - + "808182838485868788898a8b8c8d8e8f" - + "909192939495969798999a9b9c9d9e9f" - + "a0a1a2a3a4a5a6a7a8a9aaabacadaeaf"); - byte[] info = Hex.Decode("b0b1b2b3b4b5b6b7b8b9babbbcbdbebf" - + "c0c1c2c3c4c5c6c7c8c9cacbcccdcecf" - + "d0d1d2d3d4d5d6d7d8d9dadbdcdddedf" - + "e0e1e2e3e4e5e6e7e8e9eaebecedeeef" - + "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff"); - int l = 82; - byte[] okm = new byte[l]; - - HkdfParameters parameters = new HkdfParameters(ikm, salt, info); - - HkdfBytesGenerator hkdf = new HkdfBytesGenerator(hash); - hkdf.Init(parameters); - hkdf.GenerateBytes(okm, 0, l); - - CompareOkm(2, okm, Hex.Decode( - "b11e398dc80327a1c8e7f78c596a4934" + - "4f012eda2d4efad8a050cc4c19afa97c" + - "59045a99cac7827271cb41c65e590e09" + - "da3275600c2f09b8367793a9aca3db71" + - "cc30c58179ec3e87c14c01d5c1f3434f" + - "1d87")); - } - - { - // === A.3. Test Case 3 - Test with SHA-256 and zero-length - // salt/info === - - // setting salt to an empty byte array means that the salt is set to - // HashLen zero valued bytes - // setting info to null generates an empty byte array as info - // structure - - IDigest hash = new Sha256Digest(); - byte[] ikm = Hex.Decode("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b"); - byte[] salt = new byte[0]; - byte[] info = null; - int l = 42; - byte[] okm = new byte[l]; - - HkdfParameters parameters = new HkdfParameters(ikm, salt, info); - - HkdfBytesGenerator hkdf = new HkdfBytesGenerator(hash); - hkdf.Init(parameters); - hkdf.GenerateBytes(okm, 0, l); - - CompareOkm(3, okm, Hex.Decode( - "8da4e775a563c18f715f802a063c5a31" + - "b8a11f5c5ee1879ec3454e5f3c738d2d" + - "9d201395faa4b61a96c8")); - } - - { - // === A.4. Test Case 4 - Basic test case with SHA-1 === - - IDigest hash = new Sha1Digest(); - byte[] ikm = Hex.Decode("0b0b0b0b0b0b0b0b0b0b0b"); - byte[] salt = Hex.Decode("000102030405060708090a0b0c"); - byte[] info = Hex.Decode("f0f1f2f3f4f5f6f7f8f9"); - int l = 42; - byte[] okm = new byte[l]; - - HkdfParameters parameters = new HkdfParameters(ikm, salt, info); - - HkdfBytesGenerator hkdf = new HkdfBytesGenerator(hash); - hkdf.Init(parameters); - hkdf.GenerateBytes(okm, 0, l); - - CompareOkm(4, okm, Hex.Decode( - "085a01ea1b10f36933068b56efa5ad81" + - "a4f14b822f5b091568a9cdd4f155fda2" + - "c22e422478d305f3f896")); - } - - // === A.5. Test Case 5 - Test with SHA-1 and longer inputs/outputs === - { - IDigest hash = new Sha1Digest(); - byte[] ikm = Hex.Decode("000102030405060708090a0b0c0d0e0f" - + "101112131415161718191a1b1c1d1e1f" - + "202122232425262728292a2b2c2d2e2f" - + "303132333435363738393a3b3c3d3e3f" - + "404142434445464748494a4b4c4d4e4f"); - byte[] salt = Hex.Decode("606162636465666768696a6b6c6d6e6f" - + "707172737475767778797a7b7c7d7e7f" - + "808182838485868788898a8b8c8d8e8f" - + "909192939495969798999a9b9c9d9e9f" - + "a0a1a2a3a4a5a6a7a8a9aaabacadaeaf"); - byte[] info = Hex.Decode("b0b1b2b3b4b5b6b7b8b9babbbcbdbebf" - + "c0c1c2c3c4c5c6c7c8c9cacbcccdcecf" - + "d0d1d2d3d4d5d6d7d8d9dadbdcdddedf" - + "e0e1e2e3e4e5e6e7e8e9eaebecedeeef" - + "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff"); - int l = 82; - byte[] okm = new byte[l]; - - HkdfParameters parameters = new HkdfParameters(ikm, salt, info); - - HkdfBytesGenerator hkdf = new HkdfBytesGenerator(hash); - hkdf.Init(parameters); - hkdf.GenerateBytes(okm, 0, l); - - CompareOkm(5, okm, Hex.Decode( - "0bd770a74d1160f7c9f12cd5912a06eb" + - "ff6adcae899d92191fe4305673ba2ffe" + - "8fa3f1a4e5ad79f3f334b3b202b2173c" + - "486ea37ce3d397ed034c7f9dfeb15c5e" + - "927336d0441f4c4300e2cff0d0900b52" + - "d3b4")); - } - - { - // === A.6. Test Case 6 - Test with SHA-1 and zero-length salt/info - // === - - // setting salt to null should generate a new salt of HashLen zero - // valued bytes - - IDigest hash = new Sha1Digest(); - byte[] ikm = Hex.Decode("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b"); - byte[] salt = null; - byte[] info = new byte[0]; - int l = 42; - byte[] okm = new byte[l]; - - HkdfParameters parameters = new HkdfParameters(ikm, salt, info); - - HkdfBytesGenerator hkdf = new HkdfBytesGenerator(hash); - hkdf.Init(parameters); - hkdf.GenerateBytes(okm, 0, l); - - CompareOkm(6, okm, Hex.Decode( - "0ac1af7002b3d761d1e55298da9d0506" + - "b9ae52057220a306e07b6b87e8df21d0" + - "ea00033de03984d34918")); - } - - { - // === A.7. Test Case 7 - Test with SHA-1, salt not provided, - // zero-length info === - // (salt defaults to HashLen zero octets) - - // this test is identical to test 6 in all ways bar the IKM value - - IDigest hash = new Sha1Digest(); - byte[] ikm = Hex.Decode("0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c"); - byte[] salt = null; - byte[] info = new byte[0]; - int l = 42; - byte[] okm = new byte[l]; - - HkdfParameters parameters = new HkdfParameters(ikm, salt, info); - - HkdfBytesGenerator hkdf = new HkdfBytesGenerator(hash); - hkdf.Init(parameters); - hkdf.GenerateBytes(okm, 0, l); - - CompareOkm(7, okm, Hex.Decode( - "2c91117204d745f3500d636a62f64f0a" + - "b3bae548aa53d423b0d1f27ebba6f5e5" + - "673a081d70cce7acfc48")); - } - - { - // === A.101. Additional Test Case - Test with SHA-1, skipping extract - // zero-length info === - // (salt defaults to HashLen zero octets) - - // this test is identical to test 7 in all ways bar the IKM value - // which is set to the PRK value - - IDigest hash = new Sha1Digest(); - byte[] ikm = Hex.Decode("2adccada18779e7c2077ad2eb19d3f3e731385dd"); - byte[] info = new byte[0]; - int l = 42; - byte[] okm = new byte[l]; - - HkdfParameters parameters = HkdfParameters.SkipExtractParameters(ikm, info); - - HkdfBytesGenerator hkdf = new HkdfBytesGenerator(hash); - hkdf.Init(parameters); - hkdf.GenerateBytes(okm, 0, l); - - CompareOkm(101, okm, Hex.Decode( - "2c91117204d745f3500d636a62f64f0a" + - "b3bae548aa53d423b0d1f27ebba6f5e5" + - "673a081d70cce7acfc48")); - } - - { - // === A.102. Additional Test Case - Test with SHA-1, maximum output === - // (salt defaults to HashLen zero octets) - - // this test is identical to test 7 in all ways bar the IKM value - - IDigest hash = new Sha1Digest(); - byte[] ikm = Hex.Decode("2adccada18779e7c2077ad2eb19d3f3e731385dd"); - byte[] info = new byte[0]; - int l = 255 * hash.GetDigestSize(); - byte[] okm = new byte[l]; - - HkdfParameters parameters = HkdfParameters.SkipExtractParameters(ikm, info); - - HkdfBytesGenerator hkdf = new HkdfBytesGenerator(hash); - hkdf.Init(parameters); - hkdf.GenerateBytes(okm, 0, l); - - int zeros = 0; - for (int i = 0; i < hash.GetDigestSize(); i++) - { - if (okm[i] == 0) - { - zeros++; - } - } - - if (zeros == hash.GetDigestSize()) - { - Fail("HKDF failed generator test " + 102); - } - } - } - - public override string Name - { - get { return "HKDF"; } - } - - [Test] - public void TestFunction() - { - string resultText = Perform().ToString(); - - Assert.AreEqual(Name + ": Okay", resultText); - } - } -} diff --git a/crypto/test/src/crypto/test/HkdfGeneratorTest.cs b/crypto/test/src/crypto/test/HkdfGeneratorTest.cs new file mode 100644 index 000000000..fa540e41e --- /dev/null +++ b/crypto/test/src/crypto/test/HkdfGeneratorTest.cs @@ -0,0 +1,305 @@ +using System; + +using NUnit.Framework; + +using Org.BouncyCastle.Crypto.Digests; +using Org.BouncyCastle.Crypto.Generators; +using Org.BouncyCastle.Crypto.Parameters; + +using Org.BouncyCastle.Utilities.Encoders; +using Org.BouncyCastle.Utilities.Test; + +namespace Org.BouncyCastle.Crypto.Tests +{ + /** + * HKDF tests - vectors from RFC 5869, + 2 more, 101 and 102 + */ + [TestFixture] + public class HkdfGeneratorTest + : SimpleTest + { + public HkdfGeneratorTest() + { + } + + private void CompareOkm(int test, byte[] calculatedOkm, byte[] testOkm) + { + if (!AreEqual(calculatedOkm, testOkm)) + { + Fail("HKDF failed generator test " + test); + } + } + + public override void PerformTest() + { + { + // === A.1. Test Case 1 - Basic test case with SHA-256 === + + IDigest hash = new Sha256Digest(); + byte[] ikm = Hex.Decode("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b"); + byte[] salt = Hex.Decode("000102030405060708090a0b0c"); + byte[] info = Hex.Decode("f0f1f2f3f4f5f6f7f8f9"); + int l = 42; + byte[] okm = new byte[l]; + + HkdfParameters parameters = new HkdfParameters(ikm, salt, info); + + HkdfBytesGenerator hkdf = new HkdfBytesGenerator(hash); + hkdf.Init(parameters); + hkdf.GenerateBytes(okm, 0, l); + + CompareOkm(1, okm, Hex.Decode( + "3cb25f25faacd57a90434f64d0362f2a" + + "2d2d0a90cf1a5a4c5db02d56ecc4c5bf" + + "34007208d5b887185865")); + } + + // === A.2. Test Case 2 - Test with SHA-256 and longer inputs/outputs + // === + { + IDigest hash = new Sha256Digest(); + byte[] ikm = Hex.Decode("000102030405060708090a0b0c0d0e0f" + + "101112131415161718191a1b1c1d1e1f" + + "202122232425262728292a2b2c2d2e2f" + + "303132333435363738393a3b3c3d3e3f" + + "404142434445464748494a4b4c4d4e4f"); + byte[] salt = Hex.Decode("606162636465666768696a6b6c6d6e6f" + + "707172737475767778797a7b7c7d7e7f" + + "808182838485868788898a8b8c8d8e8f" + + "909192939495969798999a9b9c9d9e9f" + + "a0a1a2a3a4a5a6a7a8a9aaabacadaeaf"); + byte[] info = Hex.Decode("b0b1b2b3b4b5b6b7b8b9babbbcbdbebf" + + "c0c1c2c3c4c5c6c7c8c9cacbcccdcecf" + + "d0d1d2d3d4d5d6d7d8d9dadbdcdddedf" + + "e0e1e2e3e4e5e6e7e8e9eaebecedeeef" + + "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff"); + int l = 82; + byte[] okm = new byte[l]; + + HkdfParameters parameters = new HkdfParameters(ikm, salt, info); + + HkdfBytesGenerator hkdf = new HkdfBytesGenerator(hash); + hkdf.Init(parameters); + hkdf.GenerateBytes(okm, 0, l); + + CompareOkm(2, okm, Hex.Decode( + "b11e398dc80327a1c8e7f78c596a4934" + + "4f012eda2d4efad8a050cc4c19afa97c" + + "59045a99cac7827271cb41c65e590e09" + + "da3275600c2f09b8367793a9aca3db71" + + "cc30c58179ec3e87c14c01d5c1f3434f" + + "1d87")); + } + + { + // === A.3. Test Case 3 - Test with SHA-256 and zero-length + // salt/info === + + // setting salt to an empty byte array means that the salt is set to + // HashLen zero valued bytes + // setting info to null generates an empty byte array as info + // structure + + IDigest hash = new Sha256Digest(); + byte[] ikm = Hex.Decode("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b"); + byte[] salt = new byte[0]; + byte[] info = null; + int l = 42; + byte[] okm = new byte[l]; + + HkdfParameters parameters = new HkdfParameters(ikm, salt, info); + + HkdfBytesGenerator hkdf = new HkdfBytesGenerator(hash); + hkdf.Init(parameters); + hkdf.GenerateBytes(okm, 0, l); + + CompareOkm(3, okm, Hex.Decode( + "8da4e775a563c18f715f802a063c5a31" + + "b8a11f5c5ee1879ec3454e5f3c738d2d" + + "9d201395faa4b61a96c8")); + } + + { + // === A.4. Test Case 4 - Basic test case with SHA-1 === + + IDigest hash = new Sha1Digest(); + byte[] ikm = Hex.Decode("0b0b0b0b0b0b0b0b0b0b0b"); + byte[] salt = Hex.Decode("000102030405060708090a0b0c"); + byte[] info = Hex.Decode("f0f1f2f3f4f5f6f7f8f9"); + int l = 42; + byte[] okm = new byte[l]; + + HkdfParameters parameters = new HkdfParameters(ikm, salt, info); + + HkdfBytesGenerator hkdf = new HkdfBytesGenerator(hash); + hkdf.Init(parameters); + hkdf.GenerateBytes(okm, 0, l); + + CompareOkm(4, okm, Hex.Decode( + "085a01ea1b10f36933068b56efa5ad81" + + "a4f14b822f5b091568a9cdd4f155fda2" + + "c22e422478d305f3f896")); + } + + // === A.5. Test Case 5 - Test with SHA-1 and longer inputs/outputs === + { + IDigest hash = new Sha1Digest(); + byte[] ikm = Hex.Decode("000102030405060708090a0b0c0d0e0f" + + "101112131415161718191a1b1c1d1e1f" + + "202122232425262728292a2b2c2d2e2f" + + "303132333435363738393a3b3c3d3e3f" + + "404142434445464748494a4b4c4d4e4f"); + byte[] salt = Hex.Decode("606162636465666768696a6b6c6d6e6f" + + "707172737475767778797a7b7c7d7e7f" + + "808182838485868788898a8b8c8d8e8f" + + "909192939495969798999a9b9c9d9e9f" + + "a0a1a2a3a4a5a6a7a8a9aaabacadaeaf"); + byte[] info = Hex.Decode("b0b1b2b3b4b5b6b7b8b9babbbcbdbebf" + + "c0c1c2c3c4c5c6c7c8c9cacbcccdcecf" + + "d0d1d2d3d4d5d6d7d8d9dadbdcdddedf" + + "e0e1e2e3e4e5e6e7e8e9eaebecedeeef" + + "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff"); + int l = 82; + byte[] okm = new byte[l]; + + HkdfParameters parameters = new HkdfParameters(ikm, salt, info); + + HkdfBytesGenerator hkdf = new HkdfBytesGenerator(hash); + hkdf.Init(parameters); + hkdf.GenerateBytes(okm, 0, l); + + CompareOkm(5, okm, Hex.Decode( + "0bd770a74d1160f7c9f12cd5912a06eb" + + "ff6adcae899d92191fe4305673ba2ffe" + + "8fa3f1a4e5ad79f3f334b3b202b2173c" + + "486ea37ce3d397ed034c7f9dfeb15c5e" + + "927336d0441f4c4300e2cff0d0900b52" + + "d3b4")); + } + + { + // === A.6. Test Case 6 - Test with SHA-1 and zero-length salt/info + // === + + // setting salt to null should generate a new salt of HashLen zero + // valued bytes + + IDigest hash = new Sha1Digest(); + byte[] ikm = Hex.Decode("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b"); + byte[] salt = null; + byte[] info = new byte[0]; + int l = 42; + byte[] okm = new byte[l]; + + HkdfParameters parameters = new HkdfParameters(ikm, salt, info); + + HkdfBytesGenerator hkdf = new HkdfBytesGenerator(hash); + hkdf.Init(parameters); + hkdf.GenerateBytes(okm, 0, l); + + CompareOkm(6, okm, Hex.Decode( + "0ac1af7002b3d761d1e55298da9d0506" + + "b9ae52057220a306e07b6b87e8df21d0" + + "ea00033de03984d34918")); + } + + { + // === A.7. Test Case 7 - Test with SHA-1, salt not provided, + // zero-length info === + // (salt defaults to HashLen zero octets) + + // this test is identical to test 6 in all ways bar the IKM value + + IDigest hash = new Sha1Digest(); + byte[] ikm = Hex.Decode("0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c"); + byte[] salt = null; + byte[] info = new byte[0]; + int l = 42; + byte[] okm = new byte[l]; + + HkdfParameters parameters = new HkdfParameters(ikm, salt, info); + + HkdfBytesGenerator hkdf = new HkdfBytesGenerator(hash); + hkdf.Init(parameters); + hkdf.GenerateBytes(okm, 0, l); + + CompareOkm(7, okm, Hex.Decode( + "2c91117204d745f3500d636a62f64f0a" + + "b3bae548aa53d423b0d1f27ebba6f5e5" + + "673a081d70cce7acfc48")); + } + + { + // === A.101. Additional Test Case - Test with SHA-1, skipping extract + // zero-length info === + // (salt defaults to HashLen zero octets) + + // this test is identical to test 7 in all ways bar the IKM value + // which is set to the PRK value + + IDigest hash = new Sha1Digest(); + byte[] ikm = Hex.Decode("2adccada18779e7c2077ad2eb19d3f3e731385dd"); + byte[] info = new byte[0]; + int l = 42; + byte[] okm = new byte[l]; + + HkdfParameters parameters = HkdfParameters.SkipExtractParameters(ikm, info); + + HkdfBytesGenerator hkdf = new HkdfBytesGenerator(hash); + hkdf.Init(parameters); + hkdf.GenerateBytes(okm, 0, l); + + CompareOkm(101, okm, Hex.Decode( + "2c91117204d745f3500d636a62f64f0a" + + "b3bae548aa53d423b0d1f27ebba6f5e5" + + "673a081d70cce7acfc48")); + } + + { + // === A.102. Additional Test Case - Test with SHA-1, maximum output === + // (salt defaults to HashLen zero octets) + + // this test is identical to test 7 in all ways bar the IKM value + + IDigest hash = new Sha1Digest(); + byte[] ikm = Hex.Decode("2adccada18779e7c2077ad2eb19d3f3e731385dd"); + byte[] info = new byte[0]; + int l = 255 * hash.GetDigestSize(); + byte[] okm = new byte[l]; + + HkdfParameters parameters = HkdfParameters.SkipExtractParameters(ikm, info); + + HkdfBytesGenerator hkdf = new HkdfBytesGenerator(hash); + hkdf.Init(parameters); + hkdf.GenerateBytes(okm, 0, l); + + int zeros = 0; + for (int i = 0; i < hash.GetDigestSize(); i++) + { + if (okm[i] == 0) + { + zeros++; + } + } + + if (zeros == hash.GetDigestSize()) + { + Fail("HKDF failed generator test " + 102); + } + } + } + + public override string Name + { + get { return "HKDF"; } + } + + [Test] + public void TestFunction() + { + string resultText = Perform().ToString(); + + Assert.AreEqual(Name + ": Okay", resultText); + } + } +} -- cgit 1.4.1