/test/org/owasp/esapi/crypto/CipherSpecTest.cfc

https://github.com/damonmiller/esapi4cf · ColdFusion CFScript · 252 lines · 169 code · 32 blank · 51 comment · 29 complexity · ce414ceaf097d5844265c14f1c160b91 MD5 · raw file 

    

  1. /*
    2. 

  2.  * OWASP Enterprise Security API for ColdFusion/CFML (ESAPI4CF)
    3. 

  3.  *
    4. 

  4.  * This file is part of the Open Web Application Security Project (OWASP)
    5. 

  5.  * Enterprise Security API (ESAPI) project. For details, please see
    6. 

  6.  * <a href="http://www.owasp.org/index.php/ESAPI">http://www.owasp.org/index.php/ESAPI</a>.
    7. 

  7.  *
    8. 

  8.  * Copyright (c) 2011 - The OWASP Foundation
    9. 

  9.  *
    10. 

  10.  * The ESAPI is published by OWASP under the BSD license. You should read and accept the
    11. 

  11.  * LICENSE before you use, modify, and/or redistribute this software.
    12. 

  12.  */
    13. 

  13. import "org.owasp.esapi.crypto.CipherSpec";
    14. 

  14. 

  15. /** JUnit test to test CipherSpec class. */
    16. 

  16. component extends="esapi4cf.test.org.owasp.esapi.util.TestCase" {
    17. 

  17. 	pageEncoding "utf-8";
    18. 

  18. 

  19. 	variables.dfltAESCipher = "";
    20. 

  20. 	variables.dfltECBCipher = "";	// will be "AES/ECB/NoPadding";
    21. 

  21. 	variables.dfltOtherCipher = "";
    22. 

  22. 	variables.cipherSpec = "";
    23. 

  23. 	variables.myIV = "";
    24. 

  24. 

  25. 	public void function setUp() {
    26. 

  26. 		// This will throw ConfigurationException if IV type is not set to
    27. 

  27. 		// 'fixed', which it's not. (We have it set to 'random'.)
    28. 

  28. 		// myIV = Hex.decode( ESAPI.securityConfiguration().getFixedIV() );
    29. 

  29. 		variables.myIV = createObject("java", "org.owasp.esapi.codecs.Hex").decode( "0x000102030405060708090a0b0c0d0e0f" );
    30. 

  30. 

  31. 		variables.dfltAESCipher   = createObject("java", "javax.crypto.Cipher").getInstance("AES");
    32. 

  32. 		variables.dfltECBCipher   = createObject("java", "javax.crypto.Cipher").getInstance("AES/ECB/NoPadding");
    33. 

  33. 		variables.dfltOtherCipher = createObject("java", "javax.crypto.Cipher").getInstance("Blowfish/OFB8/PKCS5Padding");
    34. 

  34. 

  35. 		assertTrue(!isNull(variables.dfltAESCipher));
    36. 

  36. 		assertTrue(!isNull(variables.dfltECBCipher));
    37. 

  37. 		assertTrue(!isNull(variables.dfltOtherCipher));
    38. 

  38. 

  39. 		variables.cipherSpec = new CipherSpec(variables.ESAPI, variables.dfltOtherCipher);
    40. 

  40. 		assertTrue(!isNull(variables.cipherSpec));
    41. 

  41. 	}
    42. 

  42. 

  43. 	/** Test CipherSpec(String cipherXform, int keySize, int blockSize, final byte[] iv) */
    44. 

  44. 	public void function testCipherSpecStringIntIntByteArray() {
    45. 

  45. 

  46. 		variables.cipherSpec = new CipherSpec(ESAPI=variables.ESAPI, cipherXform="AES/CBC/NoPadding", keySize=128, blockSize=8, iv=variables.myIV);
    47. 

  47. 		assertTrue(!isNull(variables.cipherSpec));
    48. 

  48. 		variables.cipherSpec = "";
    49. 

  49. 		var caughtException = false;
    50. 

  50. 		try {
    51. 

  51. 			// Invalid cipher xform -- empty
    52. 

  52. 			variables.cipherSpec = new CipherSpec(ESAPI=variables.ESAPI, cipherXform="", keySize=128, blockSize=8, iv=variables.myIV);
    53. 

  53. 		}
    54. 

  54. 		catch(java.lang.IllegalArgumentException t) {
    55. 

  55. 			caughtException = true;
    56. 

  56. 		}
    57. 

  57. 		assertTrue(caughtException && (variables.cipherSpec == ""));
    58. 

  58. 		caughtException = false;
    59. 

  59. 		try {
    60. 

  60. 			// Invalid cipher xform -- missing padding scheme
    61. 

  61. 			variables.cipherSpec = new CipherSpec(ESAPI=variables.ESAPI, cipherXform="AES/CBC", keySize=128, blockSize=8, iv=variables.myIV);
    62. 

  62. 		}
    63. 

  63. 		catch(java.lang.IllegalArgumentException t) {
    64. 

  64. 		    caughtException = true;
    65. 

  65. 		}
    66. 

  66.         assertTrue(caughtException && (variables.cipherSpec == ""));
    67. 

  67. 	}
    68. 

  68. 

  69. 	/** CipherSpec(final Cipher cipher, int keySize) */
    70. 

  70. 	public void function testCipherSpecCipherInt() {
    71. 

  71.     	variables.cipherSpec = new CipherSpec(ESAPI=variables.ESAPI, cipher=variables.dfltOtherCipher, keySize=112);
    72. 

  72.     	assertTrue(!isNull(variables.cipherSpec));
    73. 

  73.     	assertTrue( variables.cipherSpec.getCipherAlgorithm() == "Blowfish");
    74. 

  74.     	assertTrue( variables.cipherSpec.getCipherMode() == "OFB8");
    75. 

  75. 

  76.     	variables.cipherSpec = new CipherSpec(ESAPI=variables.ESAPI, cipher=variables.dfltAESCipher, keySize=256);
    77. 

  77.     	assertTrue(!isNull(variables.cipherSpec));
    78. 

  78.     	assertTrue( variables.cipherSpec.getCipherAlgorithm() == "AES");
    79. 

  79.     	assertTrue( variables.cipherSpec.getCipherMode() == "ECB");
    80. 

  80.     	assertTrue( variables.cipherSpec.getPaddingScheme() == "NoPadding");
    81. 

  81.     	// System.out.println("testCipherSpecInt(): " & variables.cipherSpec);
    82. 

  82. 	}
    83. 

  83. 

  84. 	/** Test CipherSpec(final byte[] iv) */
    85. 

  85. 	public void function testCipherSpecByteArray() {
    86. 

  86. 		assertTrue(!isNull(variables.myIV));
    87. 

  87. 		assertTrue(arrayLen(variables.myIV) > 0);
    88. 

  88. 		variables.cipherSpec = new CipherSpec(ESAPI=variables.ESAPI, iv=variables.myIV);
    89. 

  89. 		assertTrue(variables.cipherSpec.getKeySize() == variables.ESAPI.securityConfiguration().getEncryptionKeyLength());
    90. 

  90. 		assertTrue(variables.cipherSpec.getCipherTransformation() == variables.ESAPI.securityConfiguration().getCipherTransformation());
    91. 

  91. 	}
    92. 

  92. 

  93. 	/** Test CipherSpec() */
    94. 

  94. 	public void function testCipherSpec() {
    95. 

  95. 		variables.cipherSpec = new CipherSpec(ESAPI=variables.ESAPI, cipher=variables.dfltECBCipher);
    96. 

  96. 		assertTrue(variables.cipherSpec.getCipherTransformation() == "AES/ECB/NoPadding");
    97. 

  97. 		assertTrue(variables.cipherSpec.getIV() == "");
    98. 

  98. 

  99. 		variables.cipherSpec = new CipherSpec(ESAPI=variables.ESAPI, cipher=variables.dfltOtherCipher);
    100. 

  100. 		assertTrue(variables.cipherSpec.getCipherMode() == "OFB8");
    101. 

  101. 	}
    102. 

  102. 

  103. 	/** Test setCipherTransformation(String cipherXform) */
    104. 

  104. 	public void function testSetCipherTransformation() {
    105. 

  105. 		variables.cipherSpec = new CipherSpec(variables.ESAPI);
    106. 

  106. 		variables.cipherSpec.setCipherTransformation("AlgName/Mode/Padding");
    107. 

  107. 		variables.cipherSpec.getCipherAlgorithm() == "AlgName/Mode/Padding";
    108. 

  108. 

  109. 		try {
    110. 

  110. 			// Don't use null here as compiling JUnit tests disables assertion
    111. 

  111. 			// checking so we get a NullPointerException here instead.
    112. 

  112. 			variables.cipherSpec.setCipherTransformation(""); // Throws IllegalArgumentException
    113. 

  113. 		} catch (java.lang.IllegalArgumentException e) {
    114. 

  114. 			assertTrue(true);	// Doesn't work w/ @Test(expected=IllegalArgumentException.class)
    115. 

  115. 		}
    116. 

  116. 	}
    117. 

  117. 

  118. 	/** Test getCipherTransformation() */
    119. 

  119. 	public void function testGetCipherTransformation() {
    120. 

  120. 		assertTrue(new CipherSpec(variables.ESAPI).getCipherTransformation() == "AES/CBC/PKCS5Padding");
    121. 

  121. 	}
    122. 

  122. 

  123. 	/** Test setKeySize() */
    124. 

  124. 	public void function testSetKeySize() {
    125. 

  125. 		assertTrue(new CipherSpec(variables.ESAPI).setKeySize(56).getKeySize() == 56);
    126. 

  126. 	}
    127. 

  127. 

  128. 	/** Test getKeySize() */
    129. 

  129. 	public void function testGetKeySize() {
    130. 

  130. 		assertTrue(new CipherSpec(variables.ESAPI).getKeySize() == variables.ESAPI.securityConfiguration().getEncryptionKeyLength());
    131. 

  131. 	}
    132. 

  132. 

  133. 	/** Test setBlockSize() */
    134. 

  134. 	public void function testSetBlockSize() {
    135. 

  135. 		try {
    136. 

  136. 			variables.cipherSpec.setBlockSize(0); // Throws AssertionError
    137. 

  137. 		} catch (AssertionError e) {
    138. 

  138. 			assertTrue(true);	// Doesn't work w/ @Test(expected=AssertionError.class)
    139. 

  139. 		}
    140. 

  140. 		try {
    141. 

  141. 			variables.cipherSpec.setBlockSize(-1); // Throws AssertionError
    142. 

  142. 		} catch (AssertionError e) {
    143. 

  143. 			assertTrue(true);	// Doesn't work w/ @Test(expected=AssertionError.class)
    144. 

  144. 		}
    145. 

  145. 		assertTrue( variables.cipherSpec.setBlockSize(4).getBlockSize() == 4 );
    146. 

  146. 	}
    147. 

  147. 

  148. 	/** Test getBlockSize() */
    149. 

  149. 	public void function testGetBlockSize() {
    150. 

  150. 		assertTrue( variables.cipherSpec.getBlockSize() == 8 );
    151. 

  151. 	}
    152. 

  152. 

  153. 	/** Test getCipherAlgorithm() */
    154. 

  154. 	public void function testGetCipherAlgorithm() {
    155. 

  155. 		assertTrue( variables.cipherSpec.getCipherAlgorithm() == "Blowfish");
    156. 

  156. 	}
    157. 

  157. 

  158. 	/** Test getCipherMode */
    159. 

  159. 	public void function testGetCipherMode() {
    160. 

  160. 		assertTrue( variables.cipherSpec.getCipherMode() == "OFB8");
    161. 

  161. 	}
    162. 

  162. 

  163. 	/** Test getPaddingScheme() */
    164. 

  164. 	public void function testGetPaddingScheme() {
    165. 

  165. 		assertTrue( variables.cipherSpec.getPaddingScheme() == "PKCS5Padding");
    166. 

  166. 	}
    167. 

  167. 

  168. 	/** Test setIV() */
    169. 

  169. 	public void function testSetIV() {
    170. 

  170. 		try {
    171. 

  171. 			// Test that ECB mode allows a null IV
    172. 

  172. 			variables.cipherSpec = new CipherSpec(variables.ESAPI, variables.dfltECBCipher);
    173. 

  173. 			variables.cipherSpec.setIV("");
    174. 

  174. 			assertTrue(true);
    175. 

  175. 		} catch ( AssertionError e) {
    176. 

  176. 			assertFalse("Test failed; unexpected exception", false);
    177. 

  177. 		}
    178. 

  178. 		try {
    179. 

  179. 			// Test that CBC mode does allows a null IV
    180. 

  180. 			variables.cipherSpec = new CipherSpec(variables.ESAPI, variables.dfltAESCipher);
    181. 

  181. 			variables.cipherSpec.setIV("");
    182. 

  182. 			assertFalse(false, "Test failed; Expected exception not thrown");
    183. 

  183. 		} catch ( AssertionError e) {
    184. 

  184. 			assertTrue(true);
    185. 

  185. 		}
    186. 

  186. 	}
    187. 

  187. 

  188. 	/** Test requiresIV() */
    189. 

  189. 	public void function testRequiresIV() {
    190. 

  190. 		assertTrue(new CipherSpec(variables.ESAPI, variables.dfltECBCipher).requiresIV() == false);
    191. 

  191. 		variables.cipherSpec = new CipherSpec(variables.ESAPI, variables.dfltAESCipher);
    192. 

  192. 		assertTrue(variables.cipherSpec.getCipherMode() == "ECB");
    193. 

  193. 		assertTrue(variables.cipherSpec.requiresIV() == false );
    194. 

  194. 		assertTrue(new CipherSpec(variables.ESAPI, variables.dfltOtherCipher).requiresIV() );
    195. 

  195. 	}
    196. 

  196. 

  197. 	/** Test serialization */
    198. 

  198. 	public void function testSerialization() {
    199. 

  199.         var filename = "cipherspec.ser";
    200. 

  200.         var serializedFile = createObject("java", "java.io.File").init(filename);
    201. 

  201.         var success = false;
    202. 

  202.         try {
    203. 

  203.             // Delete any old serialized file. If it fails, it's not
    204. 

  204.             // a big deal. If we can't overwrite it later, we'll get
    205. 

  205.             // an IOException.
    206. 

  206.             //
    207. 

  207.             // NOTE: FindBugs complains we are not checking return value here.
    208. 

  208.             //       Guess what? We don't care!!!
    209. 

  209.             serializedFile.delete();
    210. 

  210. 

  211. 

  212.             variables.cipherSpec = new CipherSpec(ESAPI=variables.ESAPI, cipherXform="AES/CBC/NoPadding", keySize=128, blockSize=8, iv=variables.myIV);
    213. 

  213.             var fos = createObject("java", "java.io.FileOutputStream").init(filename);
    214. 

  214.             var out = createObject("java", "java.io.ObjectOutputStream").init(fos);
    215. 

  215.             out.writeObject(variables.cipherSpec);
    216. 

  216.             out.close();
    217. 

  217.             fos.close();
    218. 

  218. 

  219.             var fis = createObject("java", "java.io.FileInputStream").init(filename);
    220. 

  220.             var ins = createObject("java", "java.io.ObjectInputStream").init(fis);
    221. 

  221.             var restoredCipherSpec = ins.readObject();
    222. 

  222.             ins.close();
    223. 

  223.             fis.close();
    224. 

  224. 

  225.             // check that cipherSpec and restoredCipherSpec are equal. Just
    226. 

  226.             // compare them via their string representations.
    227. 

  227.             assertEquals("Serialized restored CipherSpec differs from saved CipherSpec", variables.cipherSpec.toString(), restoredCipherSpec.toString() );
    228. 

  228. 

  229.             success = true;
    230. 

  230.         } catch(java.io.IOException ex) {
    231. 

  231.             //ex.printStackTrace(System.err);
    232. 

  232.             fail("testSerialization(): Unexpected IOException: " & ex);
    233. 

  233.         } catch(java.lang.ClassNotFoundException ex) {
    234. 

  234.             //ex.printStackTrace(System.err);
    235. 

  235.             fail("testSerialization(): Unexpected ClassNotFoundException: " & ex);
    236. 

  236.         } finally {
    237. 

  237.             // If test succeeds, remove the file. If it fails, leave it behind
    238. 

  238.             // for further analysis.
    239. 

  239.             if ( success && serializedFile.exists() ) {
    240. 

  240.                 var deleted = serializedFile.delete();
    241. 

  241.                 if ( !deleted ) {
    242. 

  242.                     try {
    243. 

  243.                         variables.System.err.println("Unable to delete file: " & serializedFile.getCanonicalPath() );
    244. 

  244.                     } catch (IOException e) {
    245. 

  245.                         ; // Ignore
    246. 

  246.                     }
    247. 

  247.                 }
    248. 

  248.             }
    249. 

  249.         }
    250. 

  250. 	}
    251. 

  251. 

  252. }
    253.