def test_gcm_tag_decrypt_finalize_tag_length(self, backend):
decryptor = base.Cipher(
algorithms.AES(b"0" * 16),
modes.GCM(b"0" * 12),
backend=backend
).decryptor()
with pytest.raises(ValueError):
decryptor.finalize_with_tag(b"tagtooshort")
def test_buffer_protocol(self, backend):
data = bytearray(b"helloworld")
enc = base.Cipher(
algorithms.AES(bytearray(b"\x00" * 16)),
modes.GCM(bytearray(b"\x00" * 12)),
backend,
).encryptor()
enc.authenticate_additional_data(bytearray(b"foo"))
ct = enc.update(data) + enc.finalize()
dec = base.Cipher(
algorithms.AES(bytearray(b"\x00" * 16)),
modes.GCM(bytearray(b"\x00" * 12), enc.tag),
backend,
).decryptor()
dec.authenticate_additional_data(bytearray(b"foo"))
pt = dec.update(ct) + dec.finalize()
assert pt == data
def test_gcm_tag_decrypt_mode(self, backend):
key = binascii.unhexlify(b"5211242698bed4774a090620a6ca56f3")
iv = binascii.unhexlify(b"b1e1349120b6e832ef976f5d")
aad = binascii.unhexlify(b"b6d729aab8e6416d7002b9faa794c410d8d2f193")
encryptor = base.Cipher(algorithms.AES(key),
modes.GCM(iv),
backend=backend).encryptor()
encryptor.authenticate_additional_data(aad)
encryptor.finalize()
tag = encryptor.tag
decryptor = base.Cipher(algorithms.AES(key),
modes.GCM(iv, tag),
backend=backend).decryptor()
decryptor.authenticate_additional_data(aad)
decryptor.finalize()
def test_gcm_aad_increments(self, backend):
encryptor = base.Cipher(algorithms.AES(b"\x00" * 16),
modes.GCM(b"\x01" * 16),
backend=backend).encryptor()
encryptor.authenticate_additional_data(b"0" * 8)
assert encryptor._aad_bytes_processed == 8
encryptor.authenticate_additional_data(b"0" * 18)
assert encryptor._aad_bytes_processed == 26
def test_gcm_tag_decrypt_finalize(self, backend):
key = binascii.unhexlify(b"5211242698bed4774a090620a6ca56f3")
iv = binascii.unhexlify(b"b1e1349120b6e832ef976f5d")
aad = binascii.unhexlify(b"b6d729aab8e6416d7002b9faa794c410d8d2f193")
encryptor = base.Cipher(
algorithms.AES(key),
modes.GCM(iv),
backend=backend
).encryptor()
encryptor.authenticate_additional_data(aad)
encryptor.finalize()
tag = encryptor.tag
if (
backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 and
not backend._lib.CRYPTOGRAPHY_IS_LIBRESSL
):
with pytest.raises(NotImplementedError):
decryptor = base.Cipher(
algorithms.AES(key),
modes.GCM(iv),
backend=backend
).decryptor()
decryptor = base.Cipher(
algorithms.AES(key),
modes.GCM(iv, tag=encryptor.tag),
backend=backend
).decryptor()
else:
decryptor = base.Cipher(
algorithms.AES(key),
modes.GCM(iv),
backend=backend
).decryptor()
decryptor.authenticate_additional_data(aad)
if (
backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 and
not backend._lib.CRYPTOGRAPHY_IS_LIBRESSL
):
with pytest.raises(NotImplementedError):
decryptor.finalize_with_tag(tag)
decryptor.finalize()
else:
decryptor.finalize_with_tag(tag)
def test_buffer_protocol_alternate_modes(mode, backend):
data = bytearray(b"sixteen_byte_msg")
cipher = base.Cipher(algorithms.AES(bytearray(b"\x00" * 32)), mode,
backend)
enc = cipher.encryptor()
ct = enc.update(data) + enc.finalize()
dec = cipher.decryptor()
pt = dec.update(ct) + dec.finalize()
assert pt == data
def test_gcm_ciphertext_limit(self, backend):
encryptor = base.Cipher(algorithms.AES(b"\x00" * 16),
modes.GCM(b"\x01" * 16),
backend=backend).encryptor()
encryptor._bytes_processed = modes.GCM._MAX_ENCRYPTED_BYTES - 16
encryptor.update(b"0" * 16)
assert (encryptor._bytes_processed == modes.GCM._MAX_ENCRYPTED_BYTES)
with pytest.raises(ValueError):
encryptor.update(b"0")
def test_gcm_aad_limit(self, backend):
encryptor = base.Cipher(algorithms.AES(b"\x00" * 16),
modes.GCM(b"\x01" * 16),
backend=backend).encryptor()
encryptor._aad_bytes_processed = modes.GCM._MAX_AAD_BYTES - 16
encryptor.authenticate_additional_data(b"0" * 16)
assert encryptor._aad_bytes_processed == modes.GCM._MAX_AAD_BYTES
with pytest.raises(ValueError):
encryptor.authenticate_additional_data(b"0")
def encrypt(mode, key, iv, plaintext):
cipher = base.Cipher(
algorithms.IDEA(binascii.unhexlify(key)),
mode(binascii.unhexlify(iv)),
)
encryptor = cipher.encryptor()
ct = encryptor.update(binascii.unhexlify(plaintext))
ct += encryptor.finalize()
return binascii.hexlify(ct)
def test_gcm_ciphertext_increments(self, backend):
encryptor = base.Cipher(algorithms.AES(b"\x00" * 16),
modes.GCM(b"\x01" * 16),
backend=backend).encryptor()
encryptor.update(b"0" * 8)
assert encryptor._bytes_processed == 8
encryptor.update(b"0" * 7)
assert encryptor._bytes_processed == 15
encryptor.update(b"0" * 18)
assert encryptor._bytes_processed == 33
def test_buffer_protocol_alternate_modes(mode, backend):
data = bytearray(b"sixteen_byte_msg")
key = algorithms.AES(bytearray(os.urandom(32)))
if not backend.cipher_supported(key, mode):
pytest.skip("AES in {} mode not supported".format(mode.name))
cipher = base.Cipher(key, mode, backend)
enc = cipher.encryptor()
ct = enc.update(data) + enc.finalize()
dec = cipher.decryptor()
pt = dec.update(ct) + dec.finalize()
assert pt == data
def decrypt(key, txt):
mode = modes.ECB()
cipher = base.Cipher(
algorithms.SEED(key),
mode,
backend
)
decryptor = cipher.decryptor()
ct = decryptor.update(txt)
ct += decryptor.finalize()
return ct
def test_gcm_min_max_iv(self, size, backend):
if backend._fips_enabled:
# Red Hat disables non-96-bit IV support as part of its FIPS
# patches.
pytest.skip("Non-96-bit IVs unsupported in FIPS mode.")
key = os.urandom(16)
iv = b"\x00" * size
payload = b"data"
encryptor = base.Cipher(algorithms.AES(key), modes.GCM(iv)).encryptor()
ct = encryptor.update(payload)
encryptor.finalize()
tag = encryptor.tag
decryptor = base.Cipher(algorithms.AES(key), modes.GCM(iv)).decryptor()
pt = decryptor.update(ct)
decryptor.finalize_with_tag(tag)
assert pt == payload
def test_xts_vectors(self, vector, backend):
key = binascii.unhexlify(vector["key"])
tweak = binascii.unhexlify(vector["i"])
pt = binascii.unhexlify(vector["pt"])
ct = binascii.unhexlify(vector["ct"])
cipher = base.Cipher(algorithms.AES(key), modes.XTS(tweak), backend)
enc = cipher.encryptor()
computed_ct = enc.update(pt) + enc.finalize()
assert computed_ct == ct
dec = cipher.decryptor()
computed_pt = dec.update(ct) + dec.finalize()
assert computed_pt == pt
def test_gcm_ciphertext_limit(self, backend):
encryptor = base.Cipher(
algorithms.AES(b"\x00" * 16),
modes.GCM(b"\x01" * 16),
backend=backend,
).encryptor()
new_max = modes.GCM._MAX_ENCRYPTED_BYTES - 16
encryptor._bytes_processed = new_max # type: ignore[attr-defined]
encryptor.update(b"0" * 16)
max = modes.GCM._MAX_ENCRYPTED_BYTES
assert encryptor._bytes_processed == max # type: ignore[attr-defined]
with pytest.raises(ValueError):
encryptor.update(b"0")
def test_gcm_tag_with_only_aad(self, backend):
key = binascii.unhexlify(b"5211242698bed4774a090620a6ca56f3")
iv = binascii.unhexlify(b"b1e1349120b6e832ef976f5d")
aad = binascii.unhexlify(b"b6d729aab8e6416d7002b9faa794c410d8d2f193")
tag = binascii.unhexlify(b"0f247e7f9c2505de374006738018493b")
cipher = base.Cipher(algorithms.AES(key),
modes.GCM(iv),
backend=backend)
encryptor = cipher.encryptor()
encryptor.authenticate_additional_data(aad)
encryptor.finalize()
assert encryptor.tag == tag
def test_gcm_ciphertext_with_no_aad(self, backend):
key = binascii.unhexlify(b"e98b72a9881a84ca6b76e0f43e68647a")
iv = binascii.unhexlify(b"8b23299fde174053f3d652ba")
ct = binascii.unhexlify(b"5a3c1cf1985dbb8bed818036fdd5ab42")
tag = binascii.unhexlify(b"23c7ab0f952b7091cd324835043b5eb5")
pt = binascii.unhexlify(b"28286a321293253c3e0aa2704a278032")
cipher = base.Cipher(algorithms.AES(key),
modes.GCM(iv),
backend=backend)
encryptor = cipher.encryptor()
computed_ct = encryptor.update(pt) + encryptor.finalize()
assert computed_ct == ct
assert encryptor.tag == tag
def test_gcm_tag_decrypt_none(self, backend):
key = binascii.unhexlify(b"5211242698bed4774a090620a6ca56f3")
iv = binascii.unhexlify(b"b1e1349120b6e832ef976f5d")
aad = binascii.unhexlify(b"b6d729aab8e6416d7002b9faa794c410d8d2f193")
encryptor = base.Cipher(algorithms.AES(key),
modes.GCM(iv),
backend=backend).encryptor()
encryptor.authenticate_additional_data(aad)
encryptor.finalize()
if backend.name == "openssl" and \
backend.openssl_version_number() < 0x10002000:
with pytest.raises(NotImplementedError):
decryptor = base.Cipher(algorithms.AES(key),
modes.GCM(iv),
backend=backend).decryptor()
else:
decryptor = base.Cipher(algorithms.AES(key),
modes.GCM(iv),
backend=backend).decryptor()
decryptor.authenticate_additional_data(aad)
with pytest.raises(ValueError):
decryptor.finalize()
def test_gcm_aad_limit(self, backend):
encryptor = base.Cipher(
algorithms.AES(b"\x00" * 16),
modes.GCM(b"\x01" * 16),
backend=backend,
).encryptor()
new_max = modes.GCM._MAX_AAD_BYTES - 16
encryptor._aad_bytes_processed = new_max # type: ignore[attr-defined]
encryptor.authenticate_additional_data(b"0" * 16)
max = modes.GCM._MAX_AAD_BYTES
assert (encryptor._aad_bytes_processed ==
max # type: ignore[attr-defined]
)
with pytest.raises(ValueError):
encryptor.authenticate_additional_data(b"0")
def decrypt(key, associated_data, iv, ciphertext, tag):
# Construct a Cipher object, with the key, iv, and additionally the
# GCM tag used for authenticating the message.
decryptor = base.Cipher(
algorithms.AES(key),
modes.GCM(iv, tag),
backend=default_backend()
).decryptor()
# We put associated_data back in or the tag will fail to verify
# when we finalize the decryptor.
decryptor.authenticate_additional_data(associated_data)
# Decryption gets us the authenticated plaintext.
# If the tag does not match an InvalidTag exception will be raised.
return decryptor.update(ciphertext) + decryptor.finalize()
def encrypt(key, plaintext, associated_data):
# Generate a random 96-bit IV.
iv = os.urandom(12)
# Construct an AES-GCM Cipher object with the given key and a
# randomly generated IV.
encryptor = base.Cipher(
algorithms.AES(key),
modes.GCM(iv),
backend=default_backend()
).encryptor()
# associated_data will be authenticated but not encrypted,
# it must also be passed in on decryption.
encryptor.authenticate_additional_data(associated_data)
# Encrypt the plaintext and get the associated ciphertext.
# GCM does not require padding.
ciphertext = encryptor.update(plaintext) + encryptor.finalize()
return iv, ciphertext, encryptor.tag
def auth_apdu(system_title, frame_counter, encryption_key, authentication_key,
stoc):
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.ciphers import algorithms, modes, Cipher
from cryptography.hazmat.backends.interfaces import CipherBackend
from cryptography.hazmat.primitives.ciphers import algorithms, base, modes
aad = SECURITY_HEADER[0] + authentication_key + stoc
cipher = base.Cipher(algorithms.AES(unhexlify(encryption_key)),
modes.GCM(create_iv(frame_counter, system_title)),
backend=default_backend())
encryptor = cipher.encryptor()
encryptor.authenticate_additional_data(unhexlify(aad))
encryptor.finalize()
data = encryptor.tag.hex()
return data[:-8]
def test_xts_no_duplicate_keys_encryption(self, backend):
key = bytes(range(16)) * 2
tweak = b"\x00" * 16
cipher = base.Cipher(algorithms.AES(key), modes.XTS(tweak))
with pytest.raises(ValueError, match="duplicated keys"):
cipher.encryptor()
def btn_encrypt_decrypt_clicked(self):
if self.ui.cmb_security_control_byte.currentText(
) == "30 - Encrypted and Authenticated":
cipher_apdu = self.ui.txt_apdu.toPlainText().replace(
"\n", "").replace(" ", "") # Remove newline and space
string_chiper_apdu = check_input(cipher_apdu)
if string_chiper_apdu == False:
return # Exit btn_clicked function
encryption_key = check_input(self.ui.txt_encryption_key.text())
if encryption_key == False:
return
# Create the AAD
aad = check_input(security_control_byte[0] +
self.ui.txt_authentication_key.text())
if aad == False:
return
# Create init vector
init_vector = check_input(
self.create_iv(self.ui.txt_frame_counter.text()))
if init_vector == False:
return
# Encrypt or Decrypt
aesgcm = AESGCM(encryption_key)
apdu = aesgcm.encrypt(init_vector, string_chiper_apdu, aad)
apdu_to_string = apdu.hex()
# TAG start from index -32 and end at index -8 (it's long 12 bytes)
self.ui.txt_result.setPlainText("APDU: " + apdu_to_string[:-32] +
"\nTAG: " + apdu_to_string[-32:-8])
else:
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.ciphers import algorithms, modes, Cipher
from cryptography.hazmat.backends.interfaces import CipherBackend
from cryptography.hazmat.primitives.ciphers import algorithms, base, modes
# Create the AAD
aad = check_input(security_control_byte[1] +
self.ui.txt_authentication_key.text())
if aad == False:
return
encryption_key = check_input(self.ui.txt_encryption_key.text())
if encryption_key == False:
return
# Create init vector
init_vector = check_input(
self.create_iv(self.ui.txt_frame_counter.text()))
if init_vector == False:
return
cipher = base.Cipher(algorithms.AES(encryption_key),
modes.GCM(init_vector),
backend=default_backend())
encryptor = cipher.encryptor()
encryptor.authenticate_additional_data(aad)
encryptor.finalize()
data = encryptor.tag.hex()
self.ui.txt_result.setPlainText(data[:-8])
