From 7f7ffb8d08fe8193f9abfa39a62049e82291a77c Mon Sep 17 00:00:00 2001
From: Viacheslav Rud
Date: Wed, 15 Jan 2025 20:47:23 +0200
Subject: [PATCH 1/2] [CSL3-2519] Add test case for AES CBC
---
.../vendor_tests/jose/test_jose.star | 66 +++++++++++++++++++
1 file changed, 66 insertions(+)
diff --git a/larky/src/test/resources/vendor_tests/jose/test_jose.star b/larky/src/test/resources/vendor_tests/jose/test_jose.star
index 841d39be..c363471e 100644
--- a/larky/src/test/resources/vendor_tests/jose/test_jose.star
+++ b/larky/src/test/resources/vendor_tests/jose/test_jose.star
@@ -307,6 +307,71 @@ def test_encrypt_and_decrypt_with_certificate(): asserts.assert_that(decrypted).is_equal_to(payload) +def test_encrypt_and_decrypt_with_certificate_AES_CBC(): + certificate = """-----BEGIN CERTIFICATE----- + MIIDazCCAlOgAwIBAgIUHX5scwWw/5q3CzXVV2fjNun9/L0wDQYJKoZIhvcNAQEL + BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM + GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMjA5MTkxNTU1MzJaFw0yNTA2 + MTUxNTU1MzJaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw + HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB + AQUAA4IBDwAwggEKAoIBAQCsRBjGoF0D9XemfmiC+VNGRRcveDKCiQu4VEYa7J+q + fUSevUQfgqTXdp0VezPtfHnU/Y7iZmrHqspvrElyq4jqCyx9nRTVGuq2/Byi9w76 + L1A8X5vh198sXk1cmsbQJhuct4B7vaglkPrXnE9z0yIuSP3rpVwDcTMdmrXO685O + jS2BQyM9svQMsk8xgEZ+AKZ9ck3kQGL3O+M7DU5abUqIJ2VVL0MaHI16ovsWnU86 + r9DM/k+PCB9V6Q0rz64Ch+C0Xk25RCAJ+vTSHtoosSnKc9VpZ6A9qYZARhDeihqw + kHS3nAQjiFZwWahaPSZ342EYlmLYOTOyWp78QswxCI8BAgMBAAGjUzBRMB0GA1Ud + DgQWBBQccX0IKYxq5B1Z+iw5h7RZMUlg5jAfBgNVHSMEGDAWgBQccX0IKYxq5B1Z + +iw5h7RZMUlg5jAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAD + ayMFSwHIEKtfgR9e7ZTc/ZleLjSKblNTFHOM5rGOXemsL8ObqH/ndKbdZ6lERxtF + Lj+GkWoHNHRKSGhHYDHl7YNj5fA68k3bNwbrnf22c3kjISpgyjbGHHrhiHzLQpfS + A3fVFXcNdGmjZTQbJNd1dQOvpCR6bIALOshvjZ8v239pWU1SugvciwU7NVb/0U2o + FCGMKgwbq+sP25drieztv6Gr56+fjHXG0lhVtYjI9/Ig9xG33+FZMXsaG4uag0QT + KeQ4gDJgCc/gGBA0OumvV5efjiAVYl4uLmSUP/2YiOUgO0eAnX3Xz8CFeVOCBq4B + y3W7mjvEN6bJaR544JNF + -----END CERTIFICATE-----""" + + payload = b"Test JWE Payload" + + encrypted = jwe.encrypt(payload, certificate, encryption="A128CBC-HS256", algorithm="RSA-OAEP") + jwe_header = encrypted.split(b".")[0] + enc_header = json.loads(base64url_decode(jwe_header).decode("utf-8")) + + asserts.assert_that(enc_header['alg']).is_equal_to("RSA-OAEP") + asserts.assert_that(enc_header['enc']).is_equal_to("A128CBC-HS256") + + rsa_private_key = """-----BEGIN PRIVATE KEY----- + MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCsRBjGoF0D9Xem + 
fmiC+VNGRRcveDKCiQu4VEYa7J+qfUSevUQfgqTXdp0VezPtfHnU/Y7iZmrHqspv + rElyq4jqCyx9nRTVGuq2/Byi9w76L1A8X5vh198sXk1cmsbQJhuct4B7vaglkPrX + nE9z0yIuSP3rpVwDcTMdmrXO685OjS2BQyM9svQMsk8xgEZ+AKZ9ck3kQGL3O+M7 + DU5abUqIJ2VVL0MaHI16ovsWnU86r9DM/k+PCB9V6Q0rz64Ch+C0Xk25RCAJ+vTS + HtoosSnKc9VpZ6A9qYZARhDeihqwkHS3nAQjiFZwWahaPSZ342EYlmLYOTOyWp78 + QswxCI8BAgMBAAECggEAB8cfU0CEUpxvpY3JjDhToTWXYWZM6YXkiJMNg0OxxdHY + Gk6zV7TfWncZipHAe3WGTq6QF/rF0XQNpdMikdHa4a5VeOpxuVl4xYBGjrkW7Qbb + 2Y37jMvhYLB1T7wRQ+6kioPigjPC9sc//CIrmDAtN+fFxzD1IZan1ytYEBqnevZj + 42lvmlARnBpwmjNqtRuDnDkJ4GqTI+RRLqAQHDU+Sk2P7IWl727R5jJZIUqDNsAE + I3VM5qFE5xybObqjBK8tNENEqNn7uTAmik0JzCpbTHvBj+cY23YVE5g1bpk/h7WZ + QuRf09D5ShXQdigQCftUjlmyF2doI+vfNHb9pFB+0QKBgQDO2FzUMNfKsqpiwjzQ + 03HA55w3Hzwa150SwGi1xqXnXPsLntvXxOxVZ1Ux8CMP4oSWgEmxa/hh0OzDbdyA + 0B3WzuEZ6YJqcUTCFGZLW2tBEXfgERABZOdaVOuEx/TABRbRYgSQvpyqrMYcD2YW + hGss/I29EPvXKOtqMX7N31nhpQKBgQDVNBNLsqYMLlYSnn/bBG3JJPayXzw1kZvH + qNI2ceuuTbSt+KJIM0udpLciNMiWRR2RYUIgWWDutsZF6AIqZpD6+kxqC+p+uxHB + Xc+8Sp7655yHEStYX+a4nzH4E5VBq6MU4xOJ3y87B2VNI24aEc37CWk/VcZEzZuT + 7iIzJ11BLQKBgQC0+v6N8oZ9JkKK0qTfmoJHZN98I2o1mj4m8A8uLTdv7h0CF+cH + LZgTSaxzW0dyWKHmBS11faEABQuEGxX55x6UmsK+J2AiviSJI8w1VzHK5vvaI1O7 + xIvgr7i6nzH46PsEDR0tgHoXo8BbQOX0Aby8yeVCbh/MLFN+wPvQKgK8uQKBgGlQ + qPtqivVXajMWUkfo/yYt+SKRQpefjpjovrYgPfBC+C47tEX/+KktdT0TX8ZC6+El + btm17NjeNkDP40n4kkM3osl7i2EAnTusUHJNVgzQnhRmGcg0zy6BjNhjLAZdd1hY + 9wzSz2zUMWkSSE/eXaZUtsWPZDoWanR/XCtylXEdAoGAZVQNPZ2mfiw6yQsRCaz5 + ooM2PY1wa4FW47EYCVDEMrdr4Ri7twSoZj304BaQcFtFpk0OlHPWYzuiLBvUYjXy + z1+6y3A1leW114pIsrFPlDaBrCC6ZaBk89fATsuWexS9AAecqy/cCCsv/FviFvV+ + 6mSOrqb9AIY0fottKPSxjW4= + -----END PRIVATE KEY-----""" + + decrypted = jwe.decrypt(encrypted, rsa_private_key) + + asserts.assert_that(decrypted).is_equal_to(payload) + def test_encrypt_with_extra_headers(): certificate = """-----BEGIN CERTIFICATE----- MIIDazCCAlOgAwIBAgIUHX5scwWw/5q3CzXVV2fjNun9/L0wDQYJKoZIhvcNAQEL 
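Review bot: The new test only checks a successful round trip and the `alg`/`enc` header values, so it never pins the IV length that patch 2/2 corrects; adding `asserts.assert_that(len(base64url_decode(encrypted.split(b".")[2]))).is_equal_to(16)` after the header assertions would make that regression explicit. For A128CBC-HS256 a negative case is also worth having, in which the ciphertext or tag segment of `encrypted` is altered and `jwe.decrypt` is expected to fail, because the HMAC check is what stops the CBC layer from leaking padding errors. The certificate and private key are pasted in full again here (the certificate in the trailing context of test_encrypt_with_extra_headers begins with the same line), so module-level constants with a comment marking them as throwaway test-only keys would cut the duplication and make the intent clear to secret scanners and reviewers.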
@@ -374,6 +439,7 @@ def _testsuite(): _suite.addTest(unittest.FunctionTestCase(test_sign_with_ecc)) _suite.addTest(unittest.FunctionTestCase(test_sign_with_rsa)) _suite.addTest(unittest.FunctionTestCase(test_encrypt_and_decrypt_with_certificate)) + _suite.addTest(unittest.FunctionTestCase(test_encrypt_and_decrypt_with_certificate_AES_CBC)) _suite.addTest(unittest.FunctionTestCase(test_encrypt_with_extra_headers)) return _suite From 001586604b4e10a64d3b7ea51aaa55a9d299f8ee Mon Sep 17 00:00:00 2001 From: Viacheslav Rud Date: Wed, 15 Jan 2025 20:58:06 +0200 Subject: [PATCH 2/2] Use correct IV length for AES CBC --- .../main/resources/vendor/jose/backends/pycrypto_backend.star | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/larky/src/main/resources/vendor/jose/backends/pycrypto_backend.star b/larky/src/main/resources/vendor/jose/backends/pycrypto_backend.star index a7a5e696..8833fa9e 100644 --- a/larky/src/main/resources/vendor/jose/backends/pycrypto_backend.star +++ b/larky/src/main/resources/vendor/jose/backends/pycrypto_backend.star @@ -377,7 +377,7 @@ def AESKey(key, algorithm): ALGORITHMS.A256GCM: AES.MODE_GCM, } - self.IV_BYTE_LENGTH_MODE_MAP = {AES.MODE_CBC: AES.block_size // 8, AES.MODE_GCM: 96 // 8} + self.IV_BYTE_LENGTH_MODE_MAP = {AES.MODE_CBC: AES.block_size, AES.MODE_GCM: 96 // 8} def __init__(key, algorithm): if not operator.contains(ALGORITHMS.AES, algorithm):
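Review bot: The corrected `IV_BYTE_LENGTH_MODE_MAP` entry mixes units without saying so: `AES.block_size` is already a byte count, while the GCM entry is written as bits divided by eight, which is presumably how the stray `// 8` on the CBC side (a 2-byte IV, assuming the usual 16-byte block) went unnoticed. A comment above the assignment such as `# IV lengths in bytes: CBC takes one full AES block (AES.block_size is bytes), GCM a 96-bit nonce` would keep the next edit from repeating it. The code that reads this map is outside the hunk; if the decrypt path does not already reject an incoming IV whose length differs from the mapped value, that check belongs there. AESKey's body starts and ends outside the hunk.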