PageRenderTime 70ms CodeModel.GetById 39ms RepoModel.GetById 0ms app.codeStats 1ms

/test/org/owasp/esapi/crypto/CipherSpecTest.cfc

https://github.com/damonmiller/esapi4cf
ColdFusion CFScript | 252 lines | 169 code | 32 blank | 51 comment | 29 complexity | ce414ceaf097d5844265c14f1c160b91 MD5 | raw file
  1. /*
  2. * OWASP Enterprise Security API for ColdFusion/CFML (ESAPI4CF)
  3. *
  4. * This file is part of the Open Web Application Security Project (OWASP)
  5. * Enterprise Security API (ESAPI) project. For details, please see
  6. * <a href="http://www.owasp.org/index.php/ESAPI">http://www.owasp.org/index.php/ESAPI</a>.
  7. *
  8. * Copyright (c) 2011 - The OWASP Foundation
  9. *
  10. * The ESAPI is published by OWASP under the BSD license. You should read and accept the
  11. * LICENSE before you use, modify, and/or redistribute this software.
  12. */
  13. import "org.owasp.esapi.crypto.CipherSpec";
  14. /** JUnit test to test CipherSpec class. */
  15. component extends="esapi4cf.test.org.owasp.esapi.util.TestCase" {
  16. pageEncoding "utf-8";
  17. variables.dfltAESCipher = "";
  18. variables.dfltECBCipher = ""; // will be "AES/ECB/NoPadding";
  19. variables.dfltOtherCipher = "";
  20. variables.cipherSpec = "";
  21. variables.myIV = "";
  22. public void function setUp() {
  23. // This will throw ConfigurationException if IV type is not set to
  24. // 'fixed', which it's not. (We have it set to 'random'.)
  25. // myIV = Hex.decode( ESAPI.securityConfiguration().getFixedIV() );
  26. variables.myIV = createObject("java", "org.owasp.esapi.codecs.Hex").decode( "0x000102030405060708090a0b0c0d0e0f" );
  27. variables.dfltAESCipher = createObject("java", "javax.crypto.Cipher").getInstance("AES");
  28. variables.dfltECBCipher = createObject("java", "javax.crypto.Cipher").getInstance("AES/ECB/NoPadding");
  29. variables.dfltOtherCipher = createObject("java", "javax.crypto.Cipher").getInstance("Blowfish/OFB8/PKCS5Padding");
  30. assertTrue(!isNull(variables.dfltAESCipher));
  31. assertTrue(!isNull(variables.dfltECBCipher));
  32. assertTrue(!isNull(variables.dfltOtherCipher));
  33. variables.cipherSpec = new CipherSpec(variables.ESAPI, variables.dfltOtherCipher);
  34. assertTrue(!isNull(variables.cipherSpec));
  35. }
  36. /** Test CipherSpec(String cipherXform, int keySize, int blockSize, final byte[] iv) */
  37. public void function testCipherSpecStringIntIntByteArray() {
  38. variables.cipherSpec = new CipherSpec(ESAPI=variables.ESAPI, cipherXform="AES/CBC/NoPadding", keySize=128, blockSize=8, iv=variables.myIV);
  39. assertTrue(!isNull(variables.cipherSpec));
  40. variables.cipherSpec = "";
  41. var caughtException = false;
  42. try {
  43. // Invalid cipher xform -- empty
  44. variables.cipherSpec = new CipherSpec(ESAPI=variables.ESAPI, cipherXform="", keySize=128, blockSize=8, iv=variables.myIV);
  45. }
  46. catch(java.lang.IllegalArgumentException t) {
  47. caughtException = true;
  48. }
  49. assertTrue(caughtException && (variables.cipherSpec == ""));
  50. caughtException = false;
  51. try {
  52. // Invalid cipher xform -- missing padding scheme
  53. variables.cipherSpec = new CipherSpec(ESAPI=variables.ESAPI, cipherXform="AES/CBC", keySize=128, blockSize=8, iv=variables.myIV);
  54. }
  55. catch(java.lang.IllegalArgumentException t) {
  56. caughtException = true;
  57. }
  58. assertTrue(caughtException && (variables.cipherSpec == ""));
  59. }
  60. /** CipherSpec(final Cipher cipher, int keySize) */
  61. public void function testCipherSpecCipherInt() {
  62. variables.cipherSpec = new CipherSpec(ESAPI=variables.ESAPI, cipher=variables.dfltOtherCipher, keySize=112);
  63. assertTrue(!isNull(variables.cipherSpec));
  64. assertTrue( variables.cipherSpec.getCipherAlgorithm() == "Blowfish");
  65. assertTrue( variables.cipherSpec.getCipherMode() == "OFB8");
  66. variables.cipherSpec = new CipherSpec(ESAPI=variables.ESAPI, cipher=variables.dfltAESCipher, keySize=256);
  67. assertTrue(!isNull(variables.cipherSpec));
  68. assertTrue( variables.cipherSpec.getCipherAlgorithm() == "AES");
  69. assertTrue( variables.cipherSpec.getCipherMode() == "ECB");
  70. assertTrue( variables.cipherSpec.getPaddingScheme() == "NoPadding");
  71. // System.out.println("testCipherSpecInt(): " & variables.cipherSpec);
  72. }
  73. /** Test CipherSpec(final byte[] iv) */
  74. public void function testCipherSpecByteArray() {
  75. assertTrue(!isNull(variables.myIV));
  76. assertTrue(arrayLen(variables.myIV) > 0);
  77. variables.cipherSpec = new CipherSpec(ESAPI=variables.ESAPI, iv=variables.myIV);
  78. assertTrue(variables.cipherSpec.getKeySize() == variables.ESAPI.securityConfiguration().getEncryptionKeyLength());
  79. assertTrue(variables.cipherSpec.getCipherTransformation() == variables.ESAPI.securityConfiguration().getCipherTransformation());
  80. }
  81. /** Test CipherSpec() */
  82. public void function testCipherSpec() {
  83. variables.cipherSpec = new CipherSpec(ESAPI=variables.ESAPI, cipher=variables.dfltECBCipher);
  84. assertTrue(variables.cipherSpec.getCipherTransformation() == "AES/ECB/NoPadding");
  85. assertTrue(variables.cipherSpec.getIV() == "");
  86. variables.cipherSpec = new CipherSpec(ESAPI=variables.ESAPI, cipher=variables.dfltOtherCipher);
  87. assertTrue(variables.cipherSpec.getCipherMode() == "OFB8");
  88. }
  89. /** Test setCipherTransformation(String cipherXform) */
  90. public void function testSetCipherTransformation() {
  91. variables.cipherSpec = new CipherSpec(variables.ESAPI);
  92. variables.cipherSpec.setCipherTransformation("AlgName/Mode/Padding");
  93. variables.cipherSpec.getCipherAlgorithm() == "AlgName/Mode/Padding";
  94. try {
  95. // Don't use null here as compiling JUnit tests disables assertion
  96. // checking so we get a NullPointerException here instead.
  97. variables.cipherSpec.setCipherTransformation(""); // Throws IllegalArgumentException
  98. } catch (java.lang.IllegalArgumentException e) {
  99. assertTrue(true); // Doesn't work w/ @Test(expected=IllegalArgumentException.class)
  100. }
  101. }
  102. /** Test getCipherTransformation() */
  103. public void function testGetCipherTransformation() {
  104. assertTrue(new CipherSpec(variables.ESAPI).getCipherTransformation() == "AES/CBC/PKCS5Padding");
  105. }
  106. /** Test setKeySize() */
  107. public void function testSetKeySize() {
  108. assertTrue(new CipherSpec(variables.ESAPI).setKeySize(56).getKeySize() == 56);
  109. }
  110. /** Test getKeySize() */
  111. public void function testGetKeySize() {
  112. assertTrue(new CipherSpec(variables.ESAPI).getKeySize() == variables.ESAPI.securityConfiguration().getEncryptionKeyLength());
  113. }
  114. /** Test setBlockSize() */
  115. public void function testSetBlockSize() {
  116. try {
  117. variables.cipherSpec.setBlockSize(0); // Throws AssertionError
  118. } catch (AssertionError e) {
  119. assertTrue(true); // Doesn't work w/ @Test(expected=AssertionError.class)
  120. }
  121. try {
  122. variables.cipherSpec.setBlockSize(-1); // Throws AssertionError
  123. } catch (AssertionError e) {
  124. assertTrue(true); // Doesn't work w/ @Test(expected=AssertionError.class)
  125. }
  126. assertTrue( variables.cipherSpec.setBlockSize(4).getBlockSize() == 4 );
  127. }
  128. /** Test getBlockSize() */
  129. public void function testGetBlockSize() {
  130. assertTrue( variables.cipherSpec.getBlockSize() == 8 );
  131. }
  132. /** Test getCipherAlgorithm() */
  133. public void function testGetCipherAlgorithm() {
  134. assertTrue( variables.cipherSpec.getCipherAlgorithm() == "Blowfish");
  135. }
  136. /** Test getCipherMode */
  137. public void function testGetCipherMode() {
  138. assertTrue( variables.cipherSpec.getCipherMode() == "OFB8");
  139. }
  140. /** Test getPaddingScheme() */
  141. public void function testGetPaddingScheme() {
  142. assertTrue( variables.cipherSpec.getPaddingScheme() == "PKCS5Padding");
  143. }
  144. /** Test setIV() */
  145. public void function testSetIV() {
  146. try {
  147. // Test that ECB mode allows a null IV
  148. variables.cipherSpec = new CipherSpec(variables.ESAPI, variables.dfltECBCipher);
  149. variables.cipherSpec.setIV("");
  150. assertTrue(true);
  151. } catch ( AssertionError e) {
  152. assertFalse("Test failed; unexpected exception", false);
  153. }
  154. try {
  155. // Test that CBC mode does allows a null IV
  156. variables.cipherSpec = new CipherSpec(variables.ESAPI, variables.dfltAESCipher);
  157. variables.cipherSpec.setIV("");
  158. assertFalse(false, "Test failed; Expected exception not thrown");
  159. } catch ( AssertionError e) {
  160. assertTrue(true);
  161. }
  162. }
  163. /** Test requiresIV() */
  164. public void function testRequiresIV() {
  165. assertTrue(new CipherSpec(variables.ESAPI, variables.dfltECBCipher).requiresIV() == false);
  166. variables.cipherSpec = new CipherSpec(variables.ESAPI, variables.dfltAESCipher);
  167. assertTrue(variables.cipherSpec.getCipherMode() == "ECB");
  168. assertTrue(variables.cipherSpec.requiresIV() == false );
  169. assertTrue(new CipherSpec(variables.ESAPI, variables.dfltOtherCipher).requiresIV() );
  170. }
  171. /** Test serialization */
  172. public void function testSerialization() {
  173. var filename = "cipherspec.ser";
  174. var serializedFile = createObject("java", "java.io.File").init(filename);
  175. var success = false;
  176. try {
  177. // Delete any old serialized file. If it fails, it's not
  178. // a big deal. If we can't overwrite it later, we'll get
  179. // an IOException.
  180. //
  181. // NOTE: FindBugs complains we are not checking return value here.
  182. // Guess what? We don't care!!!
  183. serializedFile.delete();
  184. variables.cipherSpec = new CipherSpec(ESAPI=variables.ESAPI, cipherXform="AES/CBC/NoPadding", keySize=128, blockSize=8, iv=variables.myIV);
  185. var fos = createObject("java", "java.io.FileOutputStream").init(filename);
  186. var out = createObject("java", "java.io.ObjectOutputStream").init(fos);
  187. out.writeObject(variables.cipherSpec);
  188. out.close();
  189. fos.close();
  190. var fis = createObject("java", "java.io.FileInputStream").init(filename);
  191. var ins = createObject("java", "java.io.ObjectInputStream").init(fis);
  192. var restoredCipherSpec = ins.readObject();
  193. ins.close();
  194. fis.close();
  195. // check that cipherSpec and restoredCipherSpec are equal. Just
  196. // compare them via their string representations.
  197. assertEquals("Serialized restored CipherSpec differs from saved CipherSpec", variables.cipherSpec.toString(), restoredCipherSpec.toString() );
  198. success = true;
  199. } catch(java.io.IOException ex) {
  200. //ex.printStackTrace(System.err);
  201. fail("testSerialization(): Unexpected IOException: " & ex);
  202. } catch(java.lang.ClassNotFoundException ex) {
  203. //ex.printStackTrace(System.err);
  204. fail("testSerialization(): Unexpected ClassNotFoundException: " & ex);
  205. } finally {
  206. // If test succeeds, remove the file. If it fails, leave it behind
  207. // for further analysis.
  208. if ( success && serializedFile.exists() ) {
  209. var deleted = serializedFile.delete();
  210. if ( !deleted ) {
  211. try {
  212. variables.System.err.println("Unable to delete file: " & serializedFile.getCanonicalPath() );
  213. } catch (IOException e) {
  214. ; // Ignore
  215. }
  216. }
  217. }
  218. }
  219. }
  220. }