From 45dfcd8e3ad5dc7c3a41b75451594877f022b93f Mon Sep 17 00:00:00 2001 From: Sean Parkinson Date: Tue, 19 Feb 2019 11:42:53 +1000 Subject: [PATCH] Add testing and sample for AES-CBC --- .gitignore | 1 + pkcs11/opencryptoki.sh | 3 + pkcs11/pkcs11_aescbc.c | 122 +++++++++++++++++++++++++++++++++++++++++ pkcs11/pkcs11_test.c | 120 ++++++++++++++++++++++++++++++++++++++++ pkcs11/softhsm2.sh | 4 ++ 5 files changed, 250 insertions(+) create mode 100644 pkcs11/pkcs11_aescbc.c diff --git a/.gitignore b/.gitignore index adbd1f7f..4d9b22e6 100644 --- a/.gitignore +++ b/.gitignore @@ -141,6 +141,7 @@ pkcs11/pkcs11_rsa pkcs11/pkcs11_ecc pkcs11/pkcs11_genecc pkcs11/pkcs11_aesgcm +pkcs11/pkcs11_aescbc pkcs11/server-tls-pkcs11 pkcs11/softhsm2.conf pkcs11/softhsm2 diff --git a/pkcs11/opencryptoki.sh b/pkcs11/opencryptoki.sh index c6167b87..1cc6094e 100755 --- a/pkcs11/opencryptoki.sh +++ b/pkcs11/opencryptoki.sh @@ -15,6 +15,9 @@ echo echo "# AES-GCM example" ./pkcs11_aesgcm /usr/local/lib/opencryptoki/libopencryptoki.so 3 SoftToken cryptoki echo +echo "# AES-CBC example" +./pkcs11_aescbc /usr/local/lib/opencryptoki/libopencryptoki.so 3 SoftToken cryptoki +echo echo "# PKCS #11 test" ./pkcs11_test /usr/local/lib/opencryptoki/libopencryptoki.so 3 SoftToken cryptoki diff --git a/pkcs11/pkcs11_aescbc.c b/pkcs11/pkcs11_aescbc.c new file mode 100644 index 00000000..a8844689 --- /dev/null +++ b/pkcs11/pkcs11_aescbc.c 
@@ -0,0 +1,122 @@
+
+
+#include
+#include
+#include
+#include
+#include
+#include
+
+#if !defined(NO_AES) && defined(HAVE_AES_CBC)
+int aescbc_enc_dec(int devId)
+{
+ Aes aesEnc;
+ Aes aesDec;
+ unsigned char key[AES_256_KEY_SIZE];
+ int ret = 0;
+ unsigned char data[32];
+ unsigned char enc[32];
+ unsigned char dec[32];
+ unsigned char iv[AES_BLOCK_SIZE];
+
+ memset(key, 9, sizeof(key));
+ memset(data, 9, sizeof(data));
+ memset(iv, 9, sizeof(iv));
+
+ fprintf(stderr, "Encrypt with AES128-CBC\n");
+ ret = wc_AesInit_Id(&aesEnc, NULL, 0, NULL, devId);
+ if (ret == 0) {
+ ret = wc_AesSetKey(&aesEnc, key, AES_128_KEY_SIZE, iv, AES_ENCRYPTION);
+ if (ret != 0)
+ fprintf(stderr, "Set Key failed: %d\n", ret);
+ }
+ if (ret == 0) {
+ ret = wc_AesCbcEncrypt(&aesEnc, enc, data, sizeof(data));
+ if (ret != 0)
+ fprintf(stderr, "Encrypt failed: %d\n", ret);
+ }
+
+ if (ret == 0) {
+ fprintf(stderr, "Decrypt with AES128-CBC\n");
+ ret = wc_AesInit_Id(&aesDec, NULL, 0, NULL, devId);
+ }
+ if (ret == 0) {
+ ret = wc_AesSetKey(&aesDec, key, AES_128_KEY_SIZE, iv, AES_DECRYPTION);
+ if (ret != 0)
+ fprintf(stderr, "Set Key failed: %d\n", ret);
+ }
+ if (ret == 0) {
+ ret = wc_AesCbcDecrypt(&aesDec, dec, enc, sizeof(enc));
+ if (ret != 0)
+ fprintf(stderr, "Decrypt failed: %d\n", ret);
+ }
+
+ return ret;
+}
+#endif
+
+int main(int argc, char* argv[])
+{
+ int ret;
+ const char* library;
+ const char* slot;
+ const char* tokenName;
+ const char* userPin;
+ Pkcs11Dev dev;
+ Pkcs11Token token;
+ int slotId;
+ int devId = 1;
+
+ if (argc != 5) {
+ fprintf(stderr,
+ "Usage: pkcs11_aescbc \n");
+ return 1;
+ }
+
+ library = argv[1];
+ slot = argv[2];
+ tokenName = argv[3];
+ userPin = argv[4];
+ slotId = atoi(slot);
+
+#if defined(DEBUG_WOLFSSL)
+ wolfSSL_Debugging_ON();
+#endif
+ wolfCrypt_Init();
+
+ ret = wc_Pkcs11_Initialize(&dev, library, NULL);
+ if (ret != 0) {
+ fprintf(stderr, "Failed to initialize PKCS#11 library\n");
+ ret = 2;
+ }
+ if (ret == 0) {
+ ret = wc_Pkcs11Token_Init(&token, &dev, slotId, tokenName,
+ (byte*)userPin, strlen(userPin));
+ if (ret != 0) {
+ fprintf(stderr, "Failed to initialize PKCS#11 token\n");
+ ret = 2;
+ }
+ if (ret == 0) {
+ ret = wc_CryptoDev_RegisterDevice(devId, wc_Pkcs11_CryptoDevCb,
+ &token);
+ if (ret != 0) {
+ fprintf(stderr, "Failed to register PKCS#11 token\n");
+ ret = 2;
+ }
+ if (ret == 0) {
+ #if !defined(NO_AES) && defined(HAVE_AES_CBC)
+ ret = aescbc_enc_dec(devId);
+ if (ret != 0)
+ ret = 1;
+ #endif
+ }
+ wc_Pkcs11Token_Final(&token);
+ }
+ wc_Pkcs11_Finalize(&dev);
+ }
+
+ wolfCrypt_Cleanup();
+
+ return ret;
+}
+
diff --git a/pkcs11/pkcs11_test.c b/pkcs11/pkcs11_test.c
index b26d3f33..2613bf50 100644
--- a/pkcs11/pkcs11_test.c
+++ b/pkcs11/pkcs11_test.c
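Review bot: aescbc_enc_dec() in the new pkcs11_aescbc.c never compares `dec` with `data`, so the sample exits 0 even if the token hands back the wrong plaintext; after the decrypt call add `if (ret == 0 && memcmp(dec, data, sizeof(data)) != 0) ret = -1;`. Neither `aesEnc` nor `aesDec` is released, and a `wc_AesFree()` call on each object once it has been initialised would give readers who copy the example the cleanup step as well. Because this is sample code, a comment above the three `memset` calls should state that the all-0x09 key and IV are fixed demonstration values: CBC needs a fresh, unpredictable IV for every message and provides no integrity protection on its own. In `main` the user PIN is taken from `argv[4]`, which is typically visible to other local users through the process list, so the usage text should say the argument is for testing only.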
@@ -667,6 +667,120 @@ int aesgcm_test(int devId, Pkcs11Token* token) } #endif +#if !defined(NO_AES) && defined(HAVE_AES_CBC) +int aescbc_test(int devId, Pkcs11Token* token) +{ + Aes aes; + unsigned char key[AES_256_KEY_SIZE]; + int ret = 0; + unsigned char data[32]; + unsigned char enc[32]; + unsigned char dec[32]; + unsigned char iv[AES_BLOCK_SIZE]; + unsigned char exp[32] = { + 0x84, 0xf9, 0xc2, 0x0e, 0x61, 0x4f, 0x86, 0x07, + 0xbc, 0x13, 0xef, 0xeb, 0x59, 0x4b, 0xdf, 0x5a, + 0x34, 0xa8, 0xbd, 0xc7, 0x29, 0x66, 0xa4, 0x03, + 0x5f, 0x8a, 0x7d, 0x85, 0xda, 0xc8, 0x9a, 0xc1 + }; + unsigned char exp256[32] = { + 0x3f, 0xb8, 0x65, 0xa2, 0xe2, 0x74, 0x04, 0x94, + 0xff, 0xff, 0x67, 0xa0, 0x3e, 0x83, 0x0e, 0xa3, + 0xa3, 0x9a, 0x4f, 0xd2, 0x33, 0x58, 0xf5, 0x90, + 0x04, 0x8c, 0xd8, 0x9a, 0xd6, 0x61, 0x19, 0x4a + }; + + memset(key, 9, sizeof(key)); + memset(data, 9, sizeof(data)); + memset(iv, 9, sizeof(iv)); + + /* AES128-CBC */ + ret = wc_AesInit_Id(&aes, NULL, 0, NULL, devId); + if (ret == 0) { + ret = wc_AesSetKey(&aes, key, AES_128_KEY_SIZE, iv, AES_ENCRYPTION); + if (ret != 0) + fprintf(stderr, "Set Key failed: %d\n", ret); + } + if (ret == 0) { + ret = wc_AesCbcEncrypt(&aes, enc, data, sizeof(data)); + if (ret != 0) + fprintf(stderr, "Encrypt failed: %d\n", ret); + } + if (ret == 0) { + if (memcmp(enc, exp, sizeof(exp)) != 0) { + fprintf(stderr, "Encrypted data didn't match expected\n"); + ret = -1; + } + } + if (ret == 0) { + ret = wc_AesSetKey(&aes, key, AES_128_KEY_SIZE, iv, AES_DECRYPTION); + if (ret != 0) + fprintf(stderr, "Set Key failed: %d\n", ret); + } + if (ret == 0) { + ret = wc_AesCbcDecrypt(&aes, dec, enc, sizeof(enc)); + if (ret != 0) + fprintf(stderr, "Decrypt failed: %d\n", ret); + } + if (ret == 0) { + if (memcmp(dec, data, ret) != 0) { + fprintf(stderr, "Decrypted data didn't match plaintext\n"); + ret = -1; + } + } + + if (ret == 0) { + wc_Pkcs11Token_Open(token, 1); + /* AES256-CBC */ + if (ret == 0) + ret = wc_AesInit_Id(&aes, (unsigned 
char*)"AES123", 6, NULL, devId); + if (ret == 0) { + ret = wc_AesSetKey(&aes, key, AES_256_KEY_SIZE, iv, AES_ENCRYPTION); + if (ret != 0) + fprintf(stderr, "Set Key failed: %d\n", ret); + } + if (ret == 0) { + ret = wc_Pkcs11StoreKey(token, PKCS11_KEY_TYPE_AES_CBC, 1, + (void*)&aes); + if (ret == NOT_COMPILED_IN) + ret = 0; + if (ret != 0) + fprintf(stderr, "Store Key failed: %d\n", ret); + } + if (ret == 0) { + ret = wc_AesCbcEncrypt(&aes, enc, data, sizeof(data)); + if (ret != 0) + fprintf(stderr, "Encrypt failed: %d\n", ret); + } + if (ret == 0) { + if (memcmp(enc, exp256, sizeof(exp256)) != 0) { + fprintf(stderr, "Encrypted data didn't match expected\n"); + ret = -1; + } + } + if (ret == 0) { + ret = wc_AesSetKey(&aes, key, AES_256_KEY_SIZE, iv, AES_DECRYPTION); + if (ret != 0) + fprintf(stderr, "Set Key failed: %d\n", ret); + } + if (ret == 0) { + ret = wc_AesCbcDecrypt(&aes, dec, enc, sizeof(enc)); + if (ret != 0) + fprintf(stderr, "Decrypt failed: %d\n", ret); + } + if (ret == 0) { + if (memcmp(dec, data, ret) != 0) { + fprintf(stderr, "Decrypted data didn't match plaintext\n"); + ret = -1; + } + } + wc_Pkcs11Token_Close(token); + } + + return ret; +} +#endif + int pkcs11_test(int devId, Pkcs11Token* token) { int ret = 0; @@ -801,6 +915,12 @@ int pkcs11_test(int devId, Pkcs11Token* token) ret = aesgcm_test(devId, token); } #endif +#if !defined(NO_AES) && defined(HAVE_AES_CBC) + if (ret == 0) { + fprintf(stderr, "AES-CBC encrypt/decrypt\n"); + ret = aescbc_test(devId, token); + } +#endif if (ret == 0) fprintf(stderr, "Success\n"); diff --git a/pkcs11/softhsm2.sh b/pkcs11/softhsm2.sh index 299a17ea..330210b1 100755 --- a/pkcs11/softhsm2.sh +++ b/pkcs11/softhsm2.sh 
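Review bot: Both decrypt checks in aescbc_test() compare zero bytes: `memcmp(dec, data, ret)` runs inside `if (ret == 0)`, so the length argument is always 0 and a wrong plaintext returned by the token can never fail the test. Use `memcmp(dec, data, sizeof(data))` in the AES128 section and again in the AES256 section. The result of `wc_Pkcs11Token_Open(token, 1)` is also discarded, which makes the `if (ret == 0)` directly after it always true; `ret = wc_Pkcs11Token_Open(token, 1);` would let a failed session open be reported. The mapping of `NOT_COMPILED_IN` from `wc_Pkcs11StoreKey` to success deserves a one-line comment, since the test then carries on, presumably without the key having been stored on the token.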
@@ -19,6 +19,10 @@ echo echo "# AES-GCM example" ./pkcs11_aesgcm /usr/local/lib/softhsm/libsofthsm2.so $SOFTHSM2_SLOTID SoftToken cryptoki echo +echo "# AES-CBC example" +./pkcs11_aescbc /usr/local/lib/softhsm/libsofthsm2.so $SOFTHSM2_SLOTID SoftToken cryptoki +echo +echo echo "# PKCS#11 test" ./pkcs11_test /usr/local/lib/softhsm/libsofthsm2.so $SOFTHSM2_SLOTID SoftToken cryptoki