search

C2SP / CCTV

Community Cryptography Test Vectors
https://c2sp.org/CCTV
64 stars 6 forks source link

Correctness of the x25519 test vector data #10

Closed marekyggdrasil closed 7 months ago

marekyggdrasil commented 7 months ago

Hey. I have been playing with AGE and using your comprehensive test vectors to try my code.

I tried this one

https://github.com/C2SP/CCTV/blob/3ec4d716e80597545ed285cf62af3dded3a14f65/age/testdata/x25519#L1-L10

I had difficulties decrypting it using pyage library, HMAC verification and file key were reproduced but there was just payload problem. Details here https://github.com/jojonas/pyage/issues/13#issue-2221087189

I downloaded the file and investigated it using a hex editor. Copying the encrypted payload otherwise leads to tag issues, probably because github and other file browsers attempt to decode the binary payload.

I find the hex encoded payload to be decryptable it has to be

eecf62c7ce91b433274e68d4f2f9134cb74c5bfef7beaa52c8f0bc0e992c1e8331fb66

so the 16 byte nonce is eecf62c7ce91b433274e68d4f2f9134c and ciphertext is b74c5bfef7beaa52c8f0bc0e992c1e8331fb66. This is not at all equal to

https://github.com/C2SP/CCTV/blob/3ec4d716e80597545ed285cf62af3dded3a14f65/age/testdata/x25519#L2

if I attempt to decrypt 013f54400c82da08037759ada907a8b864e97de81c088a182062c4b5622fd2ab I find the tag is invalid. However if I decrypt eecf62c7ce91b433274e68d4f2f9134cb74c5bfef7beaa52c8f0bc0e992c1e8331fb66 I get valid tag and decrypted payload is age string (three bytes 616765 hex encoded).

I assume this is correct because of

https://github.com/C2SP/CCTV/blob/3ec4d716e80597545ed285cf62af3dded3a14f65/age/internal/tests/x25519.go#L12-L19

could you double check this test vector and see if the payload 013f54400c82da08037759ada907a8b864e97de81c088a182062c4b5622fd2ab shouldn't be replaced by eecf62c7ce91b433274e68d4f2f9134cb74c5bfef7beaa52c8f0bc0e992c1e8331fb66?

The code that decrypts the payload and gives age plaintext is available here https://github.com/jojonas/pyage/issues/13#issuecomment-2033998048

marekyggdrasil commented 7 months ago

Ok nevermind, I found SHA256(age)=013f54400c82da08037759ada907a8b864e97de81c088a182062c4b5622fd2ab, that makes sense and all is working now.

Just a suggestion, would be good to indicate somewhere this is a hash of the payload, not the payload.

FiloSottile commented 7 months ago

Hello! Thanks for experimenting with the test suite, I’m glad it’s useful.

The format is documented here https://github.com/C2SP/CCTV/tree/main/age#test-file-format

marekyggdrasil commented 7 months ago

Thank you!