tests: add X25519 low order point tests

2025-12-23 13:35:14 +00:00 · 2022-06-16 11:47:27 +02:00
parent 92713afd1e
commit bb4493a7cd
8 changed files with 99 additions and 4 deletions
--- a/testdata/testkit/hmac_bad
+++ b/testdata/testkit/hmac_bad
--- a/testdata/testkit/stanza_valid_characters
+++ b/testdata/testkit/stanza_valid_characters
@@ -4,9 +4,11 @@ file key: 59454c4c4f57205355424d4152494e45
 identity: AGE-SECRET-KEY-1XMWWC06LY3EE5RYTXM9MFLAZ2U56JJJ36S0MYPDRWSVLUL66MV4QX3S7F6

 age-encryption.org/v1
-> !"#$%&' ()*+,-./ 01234567 89:;<=>? @ABCDEFG HIJKLMNO PQRSTUVW XYZ[\]^_ `abcdefg hijklmno pqrstuvw xyz{|}~
+-> !"#$%&' ()*+,-./ 01234567 89:;<=>? @ABCDEFG HIJKLMNO
+
+-> PQRSTUVW XYZ[\]^_ `abcdefg hijklmno pqrstuvw xyz{|}~

 -> X25519 TEiF0ypqr+bpvcqXNyCVJpL7OuwPdVwPL7KQEbFDOCc
 EmECAEcKN+n/Vs9SbWiV+Hu0r+E8R77DdWYyd83nw7U
--- XdSsgCFKtyPBxU0ard+ElUYUfOp6XQtDhzDGFUCLbjo
+--- x538z9xJq9XEK1aTTTv80aWDVvVdROvaXn2tpqXPC8g
 îÏbÇÎ‘´3'NhÔòùL·L[þ÷¾ªRÈð¼™,ƒ1ûf
--- a/testdata/testkit/x25519_identity
+++ b/testdata/testkit/x25519_identity
@@ -0,0 +1,10 @@
+expect: header failure
+file key: 59454c4c4f57205355424d4152494e45
+identity: AGE-SECRET-KEY-1EGTZVFFV20835NWYV6270LXYVK2VKNX2MMDKWYKLMGR48UAWX40Q2P2LM0
+comment: the X25519 share is a low-order point, so the shared secret is the disallowed all-zero value
+
+age-encryption.org/v1
+-> X25519 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+W3E/OCRme9TiTY97JoK31Z71arNur77WIIdB90XnN3M
+--- Pne3IPMDvBj7wRbPMcNViffpVZAx814tgMxp8AwyMhs
+¬]?7åPqÓ¦ F—¹	•Â÷õÛ®è
zŒ(rŠóÎ|
--- a/testdata/testkit/x25519_low_order
+++ b/testdata/testkit/x25519_low_order
@@ -0,0 +1,10 @@
+expect: header failure
+file key: 59454c4c4f57205355424d4152494e45
+identity: AGE-SECRET-KEY-1EGTZVFFV20835NWYV6270LXYVK2VKNX2MMDKWYKLMGR48UAWX40Q2P2LM0
+comment: the X25519 share is a low-order point, so the shared secret is the disallowed all-zero value
+
+age-encryption.org/v1
+-> X25519 X5yVvKNQjCSx0LFVnIPvWwREXMRYHI6G2CJO3dCfEdc
+3E0NpFans/m0WLWF7+54ZBdNj3iqQqpraGDFiaRkvBA
+--- sXw327YMT1/ULXe+ZyRMbMY0Z2jnWHGgI9j1we6yQ8A
+¬]?7åPqÓ¦ F—¹	•Â÷õÛ®è
zŒ(rŠóÎ|
--- a/tests/hmac_bad.go
+++ b/tests/hmac_bad.go
--- a/tests/stanza_valid_characters.go
+++ b/tests/stanza_valid_characters.go
@@ -11,8 +11,9 @@ import "filippo.io/age/internal/testkit"
 func main() {
 	f := testkit.NewTestFile()
 	f.VersionLine("v1")
-	f.ArgsLine("!\"#$%&'", "()*+,-./", "01234567", "89:;<=>?", "@ABCDEFG",
-		"HIJKLMNO", "PQRSTUVW", "XYZ[\\]^_", "`abcdefg", "hijklmno", "pqrstuvw", "xyz{|}~")
+	f.ArgsLine("!\"#$%&'", "()*+,-./", "01234567", "89:;<=>?", "@ABCDEFG", "HIJKLMNO")
+	f.Body([]byte(""))
+	f.ArgsLine("PQRSTUVW", "XYZ[\\]^_", "`abcdefg", "hijklmno", "pqrstuvw", "xyz{|}~")
 	f.Body([]byte(""))
 	f.X25519(testkit.TestX25519Recipient)
 	f.HMAC()
--- a/tests/x25519_identity.go
+++ b/tests/x25519_identity.go
@@ -0,0 +1,34 @@
+// Copyright 2022 The age Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build ignore
+
+package main
+
+import (
+	"crypto/sha256"
+	"encoding/base64"
+
+	"filippo.io/age/internal/testkit"
+	"golang.org/x/crypto/curve25519"
+	"golang.org/x/crypto/hkdf"
+)
+
+func main() {
+	f := testkit.NewTestFile()
+	f.VersionLine("v1")
+	f.X25519RecordIdentity(testkit.TestX25519Identity)
+	share := make([]byte, curve25519.PointSize)
+	f.ArgsLine("X25519", base64.RawStdEncoding.EncodeToString(share))
+	secret := make([]byte, curve25519.PointSize)
+	key := make([]byte, 32)
+	hkdf.New(sha256.New, secret, append(share, testkit.TestX25519Recipient...),
+		[]byte("age-encryption.org/v1/X25519")).Read(key)
+	f.AEADBody(key, testkit.TestFileKey)
+	f.HMAC()
+	f.Payload("age")
+	f.ExpectHeaderFailure()
+	f.Comment("the X25519 share is a low-order point, so the shared secret is the disallowed all-zero value")
+	f.Generate()
+}
--- a/tests/x25519_low_order.go
+++ b/tests/x25519_low_order.go
@@ -0,0 +1,38 @@
+// Copyright 2022 The age Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build ignore
+
+package main
+
+import (
+	"crypto/sha256"
+	"encoding/base64"
+
+	"filippo.io/age/internal/testkit"
+	"golang.org/x/crypto/curve25519"
+	"golang.org/x/crypto/hkdf"
+)
+
+func main() {
+	f := testkit.NewTestFile()
+	f.VersionLine("v1")
+	f.X25519RecordIdentity(testkit.TestX25519Identity)
+	// Point of order 8 on Curve25519, chosen to be the least likely to be
+	// flagged by hardcoded list exclusions.
+	share := []byte{0x5f, 0x9c, 0x95, 0xbc, 0xa3, 0x50, 0x8c, 0x24, 0xb1, 0xd0,
+		0xb1, 0x55, 0x9c, 0x83, 0xef, 0x5b, 0x04, 0x44, 0x5c, 0xc4, 0x58, 0x1c,
+		0x8e, 0x86, 0xd8, 0x22, 0x4e, 0xdd, 0xd0, 0x9f, 0x11, 0xd7}
+	f.ArgsLine("X25519", base64.RawStdEncoding.EncodeToString(share))
+	secret := make([]byte, curve25519.PointSize)
+	key := make([]byte, 32)
+	hkdf.New(sha256.New, secret, append(share, testkit.TestX25519Recipient...),
+		[]byte("age-encryption.org/v1/X25519")).Read(key)
+	f.AEADBody(key, testkit.TestFileKey)
+	f.HMAC()
+	f.Payload("age")
+	f.ExpectHeaderFailure()
+	f.Comment("the X25519 share is a low-order point, so the shared secret is the disallowed all-zero value")
+	f.Generate()
+}