Merge branch 'devel'

.travis.yml

@@ -19,6 +19,7 @@ script:
   - ant -f build-applet.xml build
   - ant -f build-reader.xml package
   - ant -f build-standalone.xml package
+  - ./util/test.sh
 
 before_deploy:
   - zip "dist/ECTester.zip" "dist/ECTesterReader-dist.jar" "dist/ECTesterReader.jar" "applet/ectester.cap" "dist/ECTesterStandalone-dist.jar" "dist/ECTesterStandalone.jar"

README.md

@@ -115,6 +115,9 @@ For format of this file see [FORMAT](docs/FORMAT.md).
 
 Perform support,performance and vulnerability tests of ECC.
 
+To select which tests will be performed, it is possible to enter the test suite name with a suffix
+which specifies the number of the first test to be run, and optionally the number of the last test to be run as `-t <test_suite>[:start_index[:stop_index]]`.
+
 Use with `-o / --output [out_type:]<out_file>` to output the test results to a file.
 For possible formats of this file see [FORMAT](docs/FORMAT.md).
 For more info about the test suites see [TESTS](docs/TESTS.md).

build.xml

@@ -0,0 +1,40 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project basedir="." default="build" name="ECTester">
+    <target name="build">
+        <ant antfile="build-applet.xml" target="build"/>
+        <ant antfile="build-reader.xml" target="jar"/>
+        <ant antfile="build-standalone.xml" target="jar"/>
+    </target>
+    <target name="package">
+        <ant antfile="build-applet.xml" target="build"/>
+        <ant antfile="build-reader.xml" target="package"/>
+        <ant antfile="build-standalone.xml" target="package"/>
+    </target>
+    <target name="clean">
+        <ant antfile="build-applet.xml" target="clean"/>
+        <ant antfile="build-reader.xml" target="clean"/>
+        <ant antfile="build-standalone.xml" target="clean"/>
+    </target>
+    <target name="help">
+        <echo message="ECTester is built using three ant files:"/>
+        <echo message=" - build-applet.xml - For building the JavaCard applet."/>
+        <echo message="     -> build: Build the applet."/>
+        <echo message="     -> upload: Upload the applet using the GPPro tool."/>
+        <echo message="     -> upload-emv: Uploat the applet using the GPPro tool and the EMV key protocol."/>
+        <echo message=" - build-reader.xml - For building the reader app."/>
+        <echo message="     -> jar: Build the reader app."/>
+        <echo message="     -> package: Build the reader app into a distributable single jar, along with dependencies."/>
+        <echo message=" - build-standalone.xml - For building the standalone app."/>
+        <echo message="     -> jar: Build the standalone app."/>
+        <echo message="     -> headers: Build the JNI header for testing native libraries."/>
+        <echo message="     -> libs: Build the JNI shims for testing native libraries."/>
+        <echo message="     -> libs-try: Build the JNI shims for testing native libraries, but do not fail if some are not available."/>
+        <echo message="     -> package: Build the standalone app into a distributable single jar, along with dependencies."/>
+        <echo message=""/>
+        <echo message="Finally, this file provides four targets:"/>
+        <echo message="     -> build: "/>
+        <echo message="     -> package: "/>
+        <echo message="     -> clean: "/>
+        <echo message="     -> help: "/>
+    </target>
+</project>

docs/LIBS.md

@@ -2,11 +2,12 @@
 
 Popular libraries with at least some ECC support:
 
+ - [NSS](https://hg.mozilla.org/projects/nss)
  - [libgcrypt](https://www.gnupg.org/related_software/libgcrypt/)
  - [mbedTLS](https://tls.mbed.org/)
  - [Nettle](http://www.lysator.liu.se/~nisse/nettle/)
  - [OpenSSL (FIPS mode)](https://www.openssl.org/docs/fipsnotes.html)
- - BoringSSL
+ - [BoringSSL](https://boringssl.googlesource.com/boringssl)
  - [Microsoft .NET crypto](https://docs.microsoft.com/en-us/dotnet/standard/security/cryptography-model)
 
 # Supported libraries

docs/TESTS.md

@@ -4,14 +4,15 @@
  - `test-vectors`
  - `compression`
  - `miscellaneous`
+ - `signature`
  - `wrong`*
- - `composite`*
  - `invalid`*
  - `twist`*
  - `degenerate`*
+ - `composite`*
  - `cofactor`*
  - `edge-cases`*
- 
+
 **\*NOTE: The `wrong`, `composite`, `invalid`,`twist`, `cofactor`, `edge-cases` and `degenerate` test suites caused temporary/permanent DoS of some cards. These test suites prompt you for
 confirmation before running, be cautious.**
 
@@ -22,12 +23,6 @@ with a compressed public key to test support for compressed points.
 
 This test suite is run if no argument is provided to `-t / --test`.
 
-For example:
-```bash
-java -jar ECTester.jar -t
-```
-tests prime field and binary field curves, using the default test suite.
-
 
 ## Test-Vectors
 Tests using known test vectors provided by NIST/SECG/Brainpool:
@@ -40,70 +35,82 @@ Tests using known test vectors provided by NIST/SECG/Brainpool:
 
 [Brainpool - RFC7027](https://tools.ietf.org/html/rfc7027#appendix-A)
 
-For example:
-```bash
-java -jar ECTester.jar -t test-vectors
-```
-tests all curves for which test-vectors are provided.
 
 ## Compression
 Tests support for compression of public points in ECDH as specified in ANSI X9.62. Tests ECDH with points in compressed
 and hybrid form. Also tests card response to a hybrid point with wrong `y` coordinate and to the point at infinity(as public key in ECDH).
 
-For example:
-```bash
-java -jar ECTester.jar -t compression
-```
+
+## Miscellaneous
+Some miscellaneous tests, tries ECDH and ECDSA over supersingular curves, anomalous curves and Barreto-Naehrig curves with small embedding degree and CM discriminant.
+
+
+## Signature
+Tests ECDSA verification, with invalid signatures.
+
+   - Well-formed(DER) invalid signatures:
+       - r = random, s = random
+       - r = 0, s = random
+       - r = random, s = 0
+       - r = 1, s = random
+       - r = random, s = 1
+       - r = 0, s = 0
+       - r = 0, s = 1
+       - r = 1, s = 0
+       - r = 1, s = 1
+       - s = p
+       - s = 2 * p
+   - Invalid signatures:
+       - Signature shorter than specified in ASN.1 SEQUENCE header.
+       - Signature longer than specified in ASN.1 SEQUENCE header.
+       - r shorter/longer than specified in its ASN.1 header.
+       - s shorter/longer than specified in its ASN.1 header.
+
 
 ## Wrong
 Tests on a category of wrong curves. These curves are not really curves as they have:
+
  - non-prime field in the prime-field case
  - reducible polynomial as the field polynomial in the binary case
 
 This test suite also does some additional tests with corrupting the parameters:
- - Fp:
-   - p = 0
-   - p = 1
-   - p = q^2; q prime
-   - p = q * s; q and s prime
-   - G = random point not on curve
-   - G = random data
-   - G = infinity
-   - r = 0
-   - r = 1
-   - r = some prime larger than original r (and \[r\]G != infinity)
-   - r = some prime smaller than original r (and \[r\]G != infninity)
-   - r = some composite number (and \[r\]G != infinity)
-   - k = 0xff
-   - k = 0
- - F2m:
-   - e1 = e2 = e3 = 0
-   - m < e1 < e2 < e3
 
-These tests should fail generally.
+ - Fp:
+    - p = 0
+    - p = 1
+    - p = q^2; q prime
+    - p = q * s; q and s prime
+    - G = random point not on curve
+    - G = random data
+    - G = infinity
+    - r = 0
+    - r = 1
+    - r = some prime larger than original r (and \[r\]G != infinity)
+    - r = some prime smaller than original r (and \[r\]G != infninity)
+    - r = some composite number (and \[r\]G != infinity)
+    - k = 0xff
+    - k = 0
 
-For example:
-```bash
-java -jar ECTester.jar -t wrong
-```
-does all wrong curve tests.
+ - F2m:
+    - e1 = e2 = e3 = 0
+    - m < e1 < e2 < e3
 
 
 ## Composite
 Tests using curves that don't have a prime order/nearly prime order.
 These tests should generally fail, a success here implies the card will use a non-secure curve if such curve is set
 by the applet. Operations over such curves are susceptible to small-subgroup attacks.
 
-   - r = quite a smooth number, many small factors, r = |G|
-   - r = small prime(of increasing bit lengths), r = |G|
-   - r = p * q = |G|
+   - r = quite a smooth number, many small factors, r = \|G\|
+   - r = prime(of increasing bit lengths), r = \|G\|
+
+     This is performed over a 160 bit field size, in two passes:
+      - First pass tests the full range from 2 bits to 152, with more frequent tests towards the beginning and end.
+      - The second pass tests the range 140 - 158 bits with one bit steps.
+
+   - r = p * q = \|G\|
    - r = G = Carmichael number = p * q * s
-   - \[r\]G = infinity but r != |G|, so |G| divides r
-
-For example:
-```bash
-java -jar ECTester.jar -t composite
-```
+   - \[r\]G = infinity but r != \|G\|, so \|G\| divides r
 
 
 ## Invalid
@@ -112,12 +119,6 @@ ECDH should definitely fail, a success here implies the card is susceptible to i
 
 See [Practical Invalid Curve Attacks on TLS-ECDH](https://www.nds.rub.de/media/nds/veroeffentlichungen/2015/09/14/main-full.pdf) for more information.
 
-For example:
-```bash
-java -jar ECTester.jar -t invalid
-```
-tests using all curves with pregenerated *invalid* public keys for these curves.
-
 
 ## Twist
 Tests using known named curves froms several categories(SECG/NIST) against pre-generated points on twists of said curves.
@@ -126,10 +127,6 @@ the card might compute on the twist, if a point on the twist is supplied.
 
 See [SafeCurves on twist security](https://safecurves.cr.yp.to/twist.html) for more information.
 
-For example:
-```bash
-java -jar ECTester.jar -t twist
-```
 
 ## Degenerate
 Tests using known named curves froms several categories(SECG/NIST) against pre-generated points on the degenerate line
@@ -138,46 +135,31 @@ and uses a curve model vulnerable to such degenerate points.
 
 See [Degenerate Curve Attacks - Extending Invalid Curve Attacks to Edwards Curves and Other Models](https://eprint.iacr.org/2015/1233.pdf) for more information.
 
-For example:
-```bash
-java -jar ECTester.jar -t degenerate
-```
 
 ## Cofactor
 Tests whether the card correctly rejects points that lie on the curve but not on the subgroup generated by the specified generator
 during ECDH. Does this with curves where the cofactor subgroup has small order, then with curves that have order equal to the product
 of two large primes, sets the generator with order of one prime and tries points on the subgroup of the other prime order.
 
-For example:
-```bash
-java -jar ECTester.jar -t cofactor
-```
 
 ## Edge-Cases
-Tests various inputs to ECDH which may cause an implementation to achieve a certain edge-case state during ECDH. 
-Some of the data is from the google/Wycheproof project. Tests include [CVE-2017-10176](https://nvd.nist.gov/vuln/detail/CVE-2017-10176) and [CVE-2017-8932](https://nvd.nist.gov/vuln/detail/CVE-2017-8932).
+Tests various inputs to ECDH which may cause an implementation to achieve a certain edge-case state during ECDH.
+Some of the data is from the google/Wycheproof project. Tests include [CVE-2017-10176](https://nvd.nist.gov/vuln/detail/CVE-2017-10176) and [CVE-2017-8932](https://nvd.nist.gov/vuln/detail/CVE-2017-8932) and an OpenSSL modular reduction bug
+presented in [Practical realisation and elimination of an ECC-related software bug attack](https://eprint.iacr.org/2011/633).
 Various custom edge private key values are also tested.
 
-CVE-2017-10176 was in implementation issue in the SunEC Java library that caused the implementation to reach the point at infinity during ECDH computation.
+CVE-2017-10176 was in implementation issue in the SunEC Java library (and NSS ([CVE-2017-7781](https://nvd.nist.gov/vuln/detail/CVE-2017-7781)), thus also anything that used it) that caused the implementation to reach the point at infinity during ECDH computation.
+See [blog](http://blog.intothesymmetry.com/2017/08/cve-2017-7781cve-2017-10176-issue-with.html) for more info.
 
 CVE-2017-8932 was an implementation issue in the Go standard library, in particular its scalar multiplication algorithm on the
 P-256 curve which leaked information about the private key.
 
-Custom private key values over SECG curves are tested:
+Custom edge-case private key values over SECG curves are tested:
+
    - s = 0, s = 1
    - s < r, s = r, s > r
    - s = r - 1, s = r + 1
-   - s = k\*r - 1, s = k\*r, s = k\*r + 1 
-
-For example:
-```bash
-java -jar ECTester.jar -t edge-cases
-```
-
-## Miscellaneous
-Some miscellaneous tests, tries ECDH and ECDSA over supersingular curves and Barreto-Naehrig curves with small embedding degree and CM discriminant.
-
-For example:
-```bash
-java -jar ECTester.jar -t miscellaneous
-```
+   - s = k\*r - 1, s = k\*r, s = k\*r + 1
+   - s around r (s < r, on a curve where \|r\| > \|p\|)
+   - s around p (on a curve where where \|r\| > \|p\|)
+   - s around 0 (s > 0, on a curve where \|r\| > \|p\|)

src/cz/crcs/ectester/applet/ECKeyGenerator.java

@@ -39,7 +39,6 @@ public KeyPair allocatePair(byte keyClass, short keyLength) {
     }
 
     /**
-     *
      * @param keypair
      * @param key
      * @return
@@ -70,7 +69,6 @@ public short generatePair(KeyPair keypair) {
     }
 
     /**
-     *
      * @param keypair
      * @param curve
      * @param buffer
@@ -82,7 +80,6 @@ public short setCurve(KeyPair keypair, byte curve, byte[] buffer, short offset)
     }
 
     /**
-     *
      * @param keypair
      * @param curve
      * @param params
@@ -95,7 +92,6 @@ public short setCurve(KeyPair keypair, byte curve, short params, byte[] buffer,
     }
 
     /**
-     *
      * @param keypair
      * @param key
      * @param curve

src/cz/crcs/ectester/applet/ECKeyTester.java

@@ -46,13 +46,13 @@ public short allocateSig(byte algorithm) {
      * Uses {@code pubkeyBuffer} at {@code pubkeyOffset} for computations.
      * Output should equal with ECDHC output.
      *
-     * @param privatePair  KeyPair from which the private key is used
-     * @param publicPair   KeyPair from which the public key is used
-     * @param pubkeyBuffer buffer to be used for the public key
-     * @param pubkeyOffset offset into pubkeyBuffer that can be used for the public key
-     * @param outputBuffer buffer to be used for the secret output
-     * @param outputOffset offset into the outputBuffer
-     * @param transformation   (EC_Consts.TRANSFORMATION_* | ...)
+     * @param privatePair    KeyPair from which the private key is used
+     * @param publicPair     KeyPair from which the public key is used
+     * @param pubkeyBuffer   buffer to be used for the public key
+     * @param pubkeyOffset   offset into pubkeyBuffer that can be used for the public key
+     * @param outputBuffer   buffer to be used for the secret output
+     * @param outputOffset   offset into the outputBuffer
+     * @param transformation (EC_Consts.TRANSFORMATION_* | ...)
      * @return derived secret length
      **/
     public short testKA(KeyPair privatePair, KeyPair publicPair, byte[] pubkeyBuffer, short pubkeyOffset, byte[] outputBuffer, short outputOffset, short transformation) {
@@ -131,7 +131,6 @@ public short testECDSA(ECPrivateKey signKey, ECPublicKey verifyKey, byte[] input
     }
 
     /**
-     *
      * @param signKey
      * @param inputBuffer
      * @param inputOffset
@@ -154,7 +153,6 @@ public short testECDSA_sign(ECPrivateKey signKey, byte[] inputBuffer, short inpu
     }
 
     /**
-     *
      * @param verifyKey
      * @param inputBuffer
      * @param inputOffset