CryptTest.php 13 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460
  1. <?php
  2. /**
  3. * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors
  4. * SPDX-FileCopyrightText: 2016 ownCloud, Inc.
  5. * SPDX-License-Identifier: AGPL-3.0-only
  6. */
  7. namespace OCA\Encryption\Tests\Crypto;
  8. use OCA\Encryption\Crypto\Crypt;
  9. use OCP\IConfig;
  10. use OCP\IL10N;
  11. use OCP\IUserSession;
  12. use Psr\Log\LoggerInterface;
  13. use Test\TestCase;
  14. class CryptTest extends TestCase {
  15. /** @var LoggerInterface|\PHPUnit\Framework\MockObject\MockObject */
  16. private $logger;
  17. /** @var \OCP\IUserSession|\PHPUnit\Framework\MockObject\MockObject */
  18. private $userSession;
  19. /** @var \OCP\IConfig|\PHPUnit\Framework\MockObject\MockObject */
  20. private $config;
  21. /** @var \OCP\IL10N|\PHPUnit\Framework\MockObject\MockObject */
  22. private $l;
  23. /** @var Crypt */
  24. private $crypt;
  25. protected function setUp(): void {
  26. parent::setUp();
  27. $this->logger = $this->getMockBuilder(LoggerInterface::class)
  28. ->disableOriginalConstructor()
  29. ->getMock();
  30. $this->logger->expects($this->any())
  31. ->method('warning')
  32. ->willReturn(true);
  33. $this->userSession = $this->getMockBuilder(IUserSession::class)
  34. ->disableOriginalConstructor()
  35. ->getMock();
  36. $this->config = $this->getMockBuilder(IConfig::class)
  37. ->disableOriginalConstructor()
  38. ->getMock();
  39. $this->l = $this->createMock(IL10N::class);
  40. $this->crypt = new Crypt($this->logger, $this->userSession, $this->config, $this->l);
  41. }
  42. /**
  43. * test getOpenSSLConfig without any additional parameters
  44. */
  45. public function testGetOpenSSLConfigBasic(): void {
  46. $this->config->expects($this->once())
  47. ->method('getSystemValue')
  48. ->with($this->equalTo('openssl'), $this->equalTo([]))
  49. ->willReturn([]);
  50. $result = self::invokePrivate($this->crypt, 'getOpenSSLConfig');
  51. $this->assertSame(1, count($result));
  52. $this->assertArrayHasKey('private_key_bits', $result);
  53. $this->assertSame(4096, $result['private_key_bits']);
  54. }
  55. /**
  56. * test getOpenSSLConfig with additional parameters defined in config.php
  57. */
  58. public function testGetOpenSSLConfig(): void {
  59. $this->config->expects($this->once())
  60. ->method('getSystemValue')
  61. ->with($this->equalTo('openssl'), $this->equalTo([]))
  62. ->willReturn(['foo' => 'bar', 'private_key_bits' => 1028]);
  63. $result = self::invokePrivate($this->crypt, 'getOpenSSLConfig');
  64. $this->assertSame(2, count($result));
  65. $this->assertArrayHasKey('private_key_bits', $result);
  66. $this->assertArrayHasKey('foo', $result);
  67. $this->assertSame(1028, $result['private_key_bits']);
  68. $this->assertSame('bar', $result['foo']);
  69. }
  70. /**
  71. * test generateHeader with valid key formats
  72. *
  73. * @dataProvider dataTestGenerateHeader
  74. */
  75. public function testGenerateHeader($keyFormat, $expected): void {
  76. $this->config->expects($this->once())
  77. ->method('getSystemValueString')
  78. ->with($this->equalTo('cipher'), $this->equalTo('AES-256-CTR'))
  79. ->willReturn('AES-128-CFB');
  80. if ($keyFormat) {
  81. $result = $this->crypt->generateHeader($keyFormat);
  82. } else {
  83. $result = $this->crypt->generateHeader();
  84. }
  85. $this->assertSame($expected, $result);
  86. }
  87. /**
  88. * test generateHeader with invalid key format
  89. *
  90. */
  91. public function testGenerateHeaderInvalid(): void {
  92. $this->expectException(\InvalidArgumentException::class);
  93. $this->crypt->generateHeader('unknown');
  94. }
  95. /**
  96. * @return array
  97. */
  98. public function dataTestGenerateHeader() {
  99. return [
  100. [null, 'HBEGIN:cipher:AES-128-CFB:keyFormat:hash2:encoding:binary:HEND'],
  101. ['password', 'HBEGIN:cipher:AES-128-CFB:keyFormat:password:encoding:binary:HEND'],
  102. ['hash', 'HBEGIN:cipher:AES-128-CFB:keyFormat:hash:encoding:binary:HEND']
  103. ];
  104. }
  105. public function testGetCipherWithInvalidCipher(): void {
  106. $this->config->expects($this->once())
  107. ->method('getSystemValueString')
  108. ->with($this->equalTo('cipher'), $this->equalTo('AES-256-CTR'))
  109. ->willReturn('Not-Existing-Cipher');
  110. $this->logger
  111. ->expects($this->once())
  112. ->method('warning')
  113. ->with('Unsupported cipher (Not-Existing-Cipher) defined in config.php supported. Falling back to AES-256-CTR');
  114. $this->assertSame('AES-256-CTR', $this->crypt->getCipher());
  115. }
  116. /**
  117. * @dataProvider dataProviderGetCipher
  118. * @param string $configValue
  119. * @param string $expected
  120. */
  121. public function testGetCipher($configValue, $expected): void {
  122. $this->config->expects($this->once())
  123. ->method('getSystemValueString')
  124. ->with($this->equalTo('cipher'), $this->equalTo('AES-256-CTR'))
  125. ->willReturn($configValue);
  126. $this->assertSame($expected,
  127. $this->crypt->getCipher()
  128. );
  129. }
  130. /**
  131. * data provider for testGetCipher
  132. *
  133. * @return array
  134. */
  135. public function dataProviderGetCipher() {
  136. return [
  137. ['AES-128-CFB', 'AES-128-CFB'],
  138. ['AES-256-CFB', 'AES-256-CFB'],
  139. ['AES-128-CTR', 'AES-128-CTR'],
  140. ['AES-256-CTR', 'AES-256-CTR'],
  141. ['unknown', 'AES-256-CTR']
  142. ];
  143. }
  144. /**
  145. * test concatIV()
  146. */
  147. public function testConcatIV(): void {
  148. $result = self::invokePrivate(
  149. $this->crypt,
  150. 'concatIV',
  151. ['content', 'my_iv']);
  152. $this->assertSame('content00iv00my_iv',
  153. $result
  154. );
  155. }
  156. /**
  157. * @dataProvider dataTestSplitMetaData
  158. */
  159. public function testSplitMetaData($data, $expected): void {
  160. $this->config->method('getSystemValueBool')
  161. ->with('encryption_skip_signature_check', false)
  162. ->willReturn(true);
  163. $result = self::invokePrivate($this->crypt, 'splitMetaData', [$data, 'AES-256-CFB']);
  164. $this->assertTrue(is_array($result));
  165. $this->assertSame(3, count($result));
  166. $this->assertArrayHasKey('encrypted', $result);
  167. $this->assertArrayHasKey('iv', $result);
  168. $this->assertArrayHasKey('signature', $result);
  169. $this->assertSame($expected['encrypted'], $result['encrypted']);
  170. $this->assertSame($expected['iv'], $result['iv']);
  171. $this->assertSame($expected['signature'], $result['signature']);
  172. }
  173. public function dataTestSplitMetaData() {
  174. return [
  175. ['encryptedContent00iv001234567890123456xx',
  176. ['encrypted' => 'encryptedContent', 'iv' => '1234567890123456', 'signature' => false]],
  177. ['encryptedContent00iv00123456789012345600sig00e1992521e437f6915f9173b190a512cfc38a00ac24502db44e0ba10c2bb0cc86xxx',
  178. ['encrypted' => 'encryptedContent', 'iv' => '1234567890123456', 'signature' => 'e1992521e437f6915f9173b190a512cfc38a00ac24502db44e0ba10c2bb0cc86']],
  179. ];
  180. }
  181. /**
  182. * @dataProvider dataTestHasSignature
  183. */
  184. public function testHasSignature($data, $expected): void {
  185. $this->config->method('getSystemValueBool')
  186. ->with('encryption_skip_signature_check', false)
  187. ->willReturn(true);
  188. $this->assertSame($expected,
  189. $this->invokePrivate($this->crypt, 'hasSignature', [$data, 'AES-256-CFB'])
  190. );
  191. }
  192. public function dataTestHasSignature() {
  193. return [
  194. ['encryptedContent00iv001234567890123456xx', false],
  195. ['encryptedContent00iv00123456789012345600sig00e1992521e437f6915f9173b190a512cfc38a00ac24502db44e0ba10c2bb0cc86xxx', true]
  196. ];
  197. }
  198. /**
  199. * @dataProvider dataTestHasSignatureFail
  200. */
  201. public function testHasSignatureFail($cipher): void {
  202. $this->expectException(\OCP\Encryption\Exceptions\GenericEncryptionException::class);
  203. $data = 'encryptedContent00iv001234567890123456xx';
  204. $this->invokePrivate($this->crypt, 'hasSignature', [$data, $cipher]);
  205. }
  206. public function dataTestHasSignatureFail() {
  207. return [
  208. ['AES-256-CTR'],
  209. ['aes-256-ctr'],
  210. ['AES-128-CTR'],
  211. ['ctr-256-ctr']
  212. ];
  213. }
  214. /**
  215. * test addPadding()
  216. */
  217. public function testAddPadding(): void {
  218. $result = self::invokePrivate($this->crypt, 'addPadding', ['data']);
  219. $this->assertSame('dataxxx', $result);
  220. }
  221. /**
  222. * test removePadding()
  223. *
  224. * @dataProvider dataProviderRemovePadding
  225. * @param $data
  226. * @param $expected
  227. */
  228. public function testRemovePadding($data, $expected): void {
  229. $result = self::invokePrivate($this->crypt, 'removePadding', [$data]);
  230. $this->assertSame($expected, $result);
  231. }
  232. /**
  233. * data provider for testRemovePadding
  234. *
  235. * @return array
  236. */
  237. public function dataProviderRemovePadding() {
  238. return [
  239. ['dataxx', 'data'],
  240. ['data', false]
  241. ];
  242. }
  243. /**
  244. * test parseHeader()
  245. */
  246. public function testParseHeader(): void {
  247. $header = 'HBEGIN:foo:bar:cipher:AES-256-CFB:encoding:binary:HEND';
  248. $result = self::invokePrivate($this->crypt, 'parseHeader', [$header]);
  249. $this->assertTrue(is_array($result));
  250. $this->assertSame(3, count($result));
  251. $this->assertArrayHasKey('foo', $result);
  252. $this->assertArrayHasKey('cipher', $result);
  253. $this->assertArrayHasKey('encoding', $result);
  254. $this->assertSame('bar', $result['foo']);
  255. $this->assertSame('AES-256-CFB', $result['cipher']);
  256. $this->assertSame('binary', $result['encoding']);
  257. }
  258. /**
  259. * test encrypt()
  260. *
  261. * @return string
  262. */
  263. public function testEncrypt() {
  264. $decrypted = 'content';
  265. $password = 'password';
  266. $cipher = 'AES-256-CTR';
  267. $iv = self::invokePrivate($this->crypt, 'generateIv');
  268. $this->assertTrue(is_string($iv));
  269. $this->assertSame(16, strlen($iv));
  270. $result = self::invokePrivate($this->crypt, 'encrypt', [$decrypted, $iv, $password, $cipher]);
  271. $this->assertTrue(is_string($result));
  272. return [
  273. 'password' => $password,
  274. 'iv' => $iv,
  275. 'cipher' => $cipher,
  276. 'encrypted' => $result,
  277. 'decrypted' => $decrypted];
  278. }
  279. /**
  280. * test decrypt()
  281. *
  282. * @depends testEncrypt
  283. */
  284. public function testDecrypt($data): void {
  285. $result = self::invokePrivate(
  286. $this->crypt,
  287. 'decrypt',
  288. [$data['encrypted'], $data['iv'], $data['password'], $data['cipher'], true]);
  289. $this->assertSame($data['decrypted'], $result);
  290. }
  291. /**
  292. * test return values of valid ciphers
  293. *
  294. * @dataProvider dataTestGetKeySize
  295. */
  296. public function testGetKeySize($cipher, $expected): void {
  297. $result = $this->invokePrivate($this->crypt, 'getKeySize', [$cipher]);
  298. $this->assertSame($expected, $result);
  299. }
  300. /**
  301. * test exception if cipher is unknown
  302. *
  303. */
  304. public function testGetKeySizeFailure(): void {
  305. $this->expectException(\InvalidArgumentException::class);
  306. $this->invokePrivate($this->crypt, 'getKeySize', ['foo']);
  307. }
  308. /**
  309. * @return array
  310. */
  311. public function dataTestGetKeySize() {
  312. return [
  313. ['AES-256-CFB', 32],
  314. ['AES-128-CFB', 16],
  315. ['AES-256-CTR', 32],
  316. ['AES-128-CTR', 16],
  317. ];
  318. }
  319. /**
  320. * @dataProvider dataTestDecryptPrivateKey
  321. */
  322. public function testDecryptPrivateKey($header, $privateKey, $expectedCipher, $isValidKey, $expected): void {
  323. $this->config->method('getSystemValueBool')
  324. ->withConsecutive(['encryption.legacy_format_support', false],
  325. ['encryption.use_legacy_base64_encoding', false])
  326. ->willReturnOnConsecutiveCalls(true, false);
  327. /** @var \OCA\Encryption\Crypto\Crypt | \PHPUnit\Framework\MockObject\MockObject $crypt */
  328. $crypt = $this->getMockBuilder(Crypt::class)
  329. ->setConstructorArgs(
  330. [
  331. $this->logger,
  332. $this->userSession,
  333. $this->config,
  334. $this->l
  335. ]
  336. )
  337. ->setMethods(
  338. [
  339. 'parseHeader',
  340. 'generatePasswordHash',
  341. 'symmetricDecryptFileContent',
  342. 'isValidPrivateKey'
  343. ]
  344. )
  345. ->getMock();
  346. $crypt->expects($this->once())->method('parseHeader')->willReturn($header);
  347. if (isset($header['keyFormat']) && $header['keyFormat'] === 'hash') {
  348. $crypt->expects($this->once())->method('generatePasswordHash')->willReturn('hash');
  349. $password = 'hash';
  350. } else {
  351. $crypt->expects($this->never())->method('generatePasswordHash');
  352. $password = 'password';
  353. }
  354. $crypt->expects($this->once())->method('symmetricDecryptFileContent')
  355. ->with('privateKey', $password, $expectedCipher)->willReturn('key');
  356. $crypt->expects($this->once())->method('isValidPrivateKey')->willReturn($isValidKey);
  357. $result = $crypt->decryptPrivateKey($privateKey, 'password');
  358. $this->assertSame($expected, $result);
  359. }
  360. /**
  361. * @return array
  362. */
  363. public function dataTestDecryptPrivateKey() {
  364. return [
  365. [['cipher' => 'AES-128-CFB', 'keyFormat' => 'password'], 'HBEGIN:HENDprivateKey', 'AES-128-CFB', true, 'key'],
  366. [['cipher' => 'AES-256-CFB', 'keyFormat' => 'password'], 'HBEGIN:HENDprivateKey', 'AES-256-CFB', true, 'key'],
  367. [['cipher' => 'AES-256-CFB', 'keyFormat' => 'password'], 'HBEGIN:HENDprivateKey', 'AES-256-CFB', false, false],
  368. [['cipher' => 'AES-256-CFB', 'keyFormat' => 'hash'], 'HBEGIN:HENDprivateKey', 'AES-256-CFB', true, 'key'],
  369. [['cipher' => 'AES-256-CFB'], 'HBEGIN:HENDprivateKey', 'AES-256-CFB', true, 'key'],
  370. [[], 'privateKey', 'AES-128-CFB', true, 'key'],
  371. ];
  372. }
  373. public function testIsValidPrivateKey(): void {
  374. $res = openssl_pkey_new();
  375. openssl_pkey_export($res, $privateKey);
  376. // valid private key
  377. $this->assertTrue(
  378. $this->invokePrivate($this->crypt, 'isValidPrivateKey', [$privateKey])
  379. );
  380. // invalid private key
  381. $this->assertFalse(
  382. $this->invokePrivate($this->crypt, 'isValidPrivateKey', ['foo'])
  383. );
  384. }
  385. public function testMultiKeyEncrypt(): void {
  386. $res = openssl_pkey_new();
  387. openssl_pkey_export($res, $privateKey);
  388. $publicKeyPem = openssl_pkey_get_details($res)['key'];
  389. $publicKey = openssl_pkey_get_public($publicKeyPem);
  390. $shareKeys = $this->crypt->multiKeyEncrypt('content', ['user1' => $publicKey]);
  391. $this->assertEquals(
  392. 'content',
  393. $this->crypt->multiKeyDecrypt($shareKeys['user1'], $privateKey)
  394. );
  395. }
  396. }