Skip to content

Commit a03dbee

Browse files
author
kevin.w.wall
committed
Moved tests to new crypto package and extended tests for new crypto functionality.
1 parent 87f9ec2 commit a03dbee

4 files changed

Lines changed: 830 additions & 0 deletions

File tree

src/test/java/org/owasp/esapi/reference/crypto/CryptoPolicy.java

Lines changed: 91 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,91 @@
1+
package org.owasp.esapi.reference.crypto;
2+
3+
import java.security.*;
4+
import javax.crypto.*;
5+
import javax.crypto.spec.*;
6+
7+
/**
8+
* Helper class to see if unlimited strength crypto is available. If it is
9+
* not, then symmetric encryption algorithms are restricted to 128-bit
10+
* key size or the encryption must provide key weakening or key escrow.
11+
* <p>
12+
* This program attempts to generate a 256-bit AES key and use it to do
13+
* to a simple encryption. If the encryption succeeds, the assumption is
14+
* that the JVM being used has the "unlimited" strength JCE jurisdiction
15+
* policy files installed.
16+
* </p><p>
17+
* We use this for JUnit tests. If unlimited strength crypto is not available,
18+
* we simply skip certain JUnit tests that would require it.
19+
*/
20+
public class CryptoPolicy {
21+
22+
private static boolean checked = false;
23+
private static boolean unlimited = false;
24+
25+
/**
26+
* Check to see if unlimited strength crypto is available.
27+
* There is an implicit assumption that the JCE jurisdiction policy
28+
* files are not going to be changing while this given JVM is running.
29+
*
30+
* @return True if we can provide keys longer than 128 bits.
31+
*/
32+
public synchronized static boolean isUnlimitedStrengthCryptoAvailable()
33+
{
34+
if ( checked == false ) {
35+
unlimited = checkCrypto();
36+
checked = true;
37+
}
38+
return unlimited;
39+
}
40+
41+
private static boolean checkCrypto()
42+
{
43+
try {
44+
KeyGenerator keyGen = KeyGenerator.getInstance("AES");
45+
keyGen.init(256); // Max sym key size is 128 unless unlimited
46+
// strength jurisdiction policy files installed.
47+
SecretKey skey = keyGen.generateKey();
48+
byte[] raw = skey.getEncoded();
49+
SecretKeySpec skeySpec = new SecretKeySpec(raw, "AES");
50+
Cipher cipher = Cipher.getInstance("AES/ECB/NoPadding");
51+
52+
// This usually will throw InvalidKeyException unless the
53+
// unlimited jurisdiction policy files are installed. However,
54+
// it can succeed even if it's not a provider chooses to use
55+
// an exemption mechanism such as key escrow, key recovery, or
56+
// key weakening for this cipher instead.
57+
cipher.init(Cipher.ENCRYPT_MODE, skeySpec);
58+
59+
// Try the encryption on dummy string to make sure it works.
60+
// Not using padding so # bytes must be multiple of AES cipher
61+
// block size which is 16 bytes. Also, OK not to use UTF-8 here.
62+
@SuppressWarnings("unused")
63+
byte[] encrypted = cipher.doFinal("1234567890123456".getBytes());
64+
ExemptionMechanism em = cipher.getExemptionMechanism();
65+
if ( em != null ) {
66+
System.out.println("Cipher uses exemption mechanism " + em.getName());
67+
return false; // This is actually an indeterminant case, but
68+
// we can't bank on it at least for this
69+
// (default) provider.
70+
}
71+
} catch( InvalidKeyException ikex ) {
72+
System.out.println("Invalid key size - unlimited strength crypto NOT installed!");
73+
return false;
74+
} catch( Exception ex ) {
75+
System.out.println("Caught unexpected exception: " + ex);
76+
ex.printStackTrace(System.out);
77+
return false;
78+
}
79+
return true;
80+
}
81+
82+
public static void main(String[] args)
83+
{
84+
if ( isUnlimitedStrengthCryptoAvailable() ) {
85+
System.out.println("Unlimited strength crypto IS available.");
86+
} else {
87+
System.out.println("Unlimited strength crypto is NOT available.");
88+
}
89+
System.exit( isUnlimitedStrengthCryptoAvailable() ? 0 : 1 );
90+
}
91+
}

src/test/java/org/owasp/esapi/reference/crypto/EncryptedPropertiesTest.java

Lines changed: 205 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,205 @@
1+
/**
2+
* OWASP Enterprise Security API (ESAPI)
3+
*
4+
* This file is part of the Open Web Application Security Project (OWASP)
5+
* Enterprise Security API (ESAPI) project. For details, please see
6+
* <a href="http://www.owasp.org/index.php/ESAPI">http://www.owasp.org/index.php/ESAPI</a>.
7+
*
8+
* Copyright (c) 2007 - The OWASP Foundation
9+
*
10+
* The ESAPI is published by OWASP under the BSD license. You should read and accept the
11+
* LICENSE before you use, modify, and/or redistribute this software.
12+
*
13+
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
14+
* @created 2007
15+
*/
16+
package org.owasp.esapi.reference.crypto;
17+
18+
import java.io.ByteArrayInputStream;
19+
import java.io.ByteArrayOutputStream;
20+
import java.io.InputStream;
21+
import java.io.StringBufferInputStream;
22+
import java.util.Iterator;
23+
24+
import junit.framework.Test;
25+
import junit.framework.TestCase;
26+
import junit.framework.TestSuite;
27+
28+
import org.owasp.esapi.ESAPI;
29+
import org.owasp.esapi.errors.EncryptionException;
30+
import org.owasp.esapi.reference.crypto.DefaultEncryptedProperties;
31+
32+
/**
33+
* The Class EncryptedPropertiesTest.
34+
*
35+
* @author Jeff Williams (jeff.williams@aspectsecurity.com)
36+
*/
37+
public class EncryptedPropertiesTest extends TestCase {
38+
39+
/**
40+
* Instantiates a new encrypted properties test.
41+
*
42+
* @param testName
43+
* the test name
44+
*/
45+
public EncryptedPropertiesTest(String testName) {
46+
super(testName);
47+
}
48+
49+
/**
50+
* {@inheritDoc}
51+
*/
52+
protected void setUp() throws Exception {
53+
// none
54+
}
55+
56+
/**
57+
* {@inheritDoc}
58+
*/
59+
protected void tearDown() throws Exception {
60+
// none
61+
}
62+
63+
/**
64+
* Suite.
65+
*
66+
* @return the test
67+
*/
68+
public static Test suite() {
69+
TestSuite suite = new TestSuite(EncryptedPropertiesTest.class);
70+
71+
return suite;
72+
}
73+
74+
/**
75+
* Test of getProperty method, of class org.owasp.esapi.EncryptedProperties.
76+
*
77+
* @throws EncryptionException
78+
* the encryption exception
79+
*/
80+
public void testGetProperty() throws EncryptionException {
81+
System.out.println("getProperty");
82+
DefaultEncryptedProperties instance = new DefaultEncryptedProperties();
83+
String name = "name";
84+
String value = "value";
85+
instance.setProperty(name, value);
86+
String result = instance.getProperty(name);
87+
assertEquals(value, result);
88+
assertNull(instance.getProperty("ridiculous"));
89+
}
90+
91+
/**
92+
* Test of setProperty method, of class org.owasp.esapi.EncryptedProperties.
93+
*
94+
* @throws EncryptionException
95+
* the encryption exception
96+
*/
97+
public void testSetProperty() throws EncryptionException {
98+
System.out.println("setProperty");
99+
DefaultEncryptedProperties instance = new DefaultEncryptedProperties();
100+
String name = "name";
101+
String value = "value";
102+
instance.setProperty(name, value);
103+
String result = instance.getProperty(name);
104+
assertEquals(value, result);
105+
try {
106+
instance.setProperty(null, null);
107+
fail();
108+
} catch( Exception e ) {
109+
// expected
110+
}
111+
}
112+
113+
/**
114+
* Test the behavior when the requested key does not exist.
115+
*/
116+
public void testNonExistantKeyValue() throws Exception
117+
{
118+
DefaultEncryptedProperties instance = new DefaultEncryptedProperties();
119+
assertNull(instance.getProperty("not.there"));
120+
}
121+
122+
/**
123+
* Test of keySet method, of class org.owasp.esapi.EncryptedProperties.
124+
*/
125+
public void testKeySet() throws Exception
126+
{
127+
boolean sawTwo = false;
128+
boolean sawOne = false;
129+
130+
System.out.println("keySet");
131+
DefaultEncryptedProperties instance = new DefaultEncryptedProperties();
132+
instance.setProperty("one", "two");
133+
instance.setProperty("two", "three");
134+
Iterator i = instance.keySet().iterator();
135+
while(i.hasNext())
136+
{
137+
String key = (String)i.next();
138+
139+
assertNotNull("key returned from keySet() iterator was null", key);
140+
if(key.equals("one"))
141+
if(sawOne)
142+
fail("Key one seen more than once.");
143+
else
144+
sawOne = true;
145+
else if(key.equals("two"))
146+
if(sawTwo)
147+
fail("Key two seen more than once.");
148+
else
149+
sawTwo = true;
150+
else
151+
fail("Unset key " + key + " returned from keySet().iterator()");
152+
}
153+
assertTrue("Key one was never seen", sawOne);
154+
assertTrue("Key two was never seen", sawTwo);
155+
}
156+
157+
/**
158+
* Test storing and loading of encrypted properties.
159+
*/
160+
public void testStoreLoad() throws Exception
161+
{
162+
DefaultEncryptedProperties toStore = new DefaultEncryptedProperties();
163+
DefaultEncryptedProperties toLoad = new DefaultEncryptedProperties();
164+
ByteArrayOutputStream baos = new ByteArrayOutputStream();
165+
ByteArrayInputStream bais;
166+
boolean sawOne = false;
167+
boolean sawTwo = false;
168+
169+
toStore = new DefaultEncryptedProperties();
170+
toStore.setProperty("one", "two");
171+
toStore.setProperty("two", "three");
172+
toStore.store(baos, "testStore");
173+
174+
bais = new ByteArrayInputStream(baos.toByteArray());
175+
toLoad.load(bais);
176+
177+
for(Iterator i=toLoad.keySet().iterator();i.hasNext();)
178+
{
179+
String key = (String)i.next();
180+
181+
assertNotNull("key returned from keySet() iterator was null", key);
182+
if(key.equals("one"))
183+
if(sawOne)
184+
fail("Key one seen more than once.");
185+
else
186+
{
187+
sawOne = true;
188+
assertEquals("Key one's value was not two", "two", toLoad.getProperty("one"));
189+
}
190+
else if(key.equals("two"))
191+
if(sawTwo)
192+
fail("Key two seen more than once.");
193+
else
194+
{
195+
sawTwo = true;
196+
assertEquals("Key two's value was not three", "three", toLoad.getProperty("two"));
197+
}
198+
else
199+
fail("Unset key " + key + " returned from keySet().iterator()");
200+
}
201+
assertTrue("Key one was never seen", sawOne);
202+
assertTrue("Key two was never seen", sawTwo);
203+
}
204+
205+
}

0 commit comments

Comments
 (0)