cisco / libacvp

The libacvp library is a client-side implementation of the draft ACVP protocol (github.com/usnistgov/ACVP).
Apache License 2.0

A couple of questions while using Cisco runtime libacvp #337

Closed richardzqwang closed 4 years ago

richardzqwang commented 4 years ago

Hello,

Currently, I am able to talk with the ACVP demo server by using the Cisco Runtime libacvp app and successfully perform AES, TDES, CMAC, SHA and HMAC tests (the Crypto Module is OpenSSL 1.1.1). However, I ran into a couple of questions about how to find out the vendorID and how to create a new testSession.

Question 1: Regarding how to find out the newly created VendorID, below are the details of what I did:

  1. Went to the /libacvp/metadata# path, modified the original vendor.json file to match the new vendor information and saved the edits.
  2. Ran the command './app/acvp_app --post ./metadata/vendor.json /acvp/v1/vendors' to ask the ACVP demo server to create a new vendor.
  3. Obtained the response below:

     "acvVersion" : "1.0" }, { "url" : "/acvp/v1/requests/1484", "status" : "initial" } ]

(My understanding is that the number 1484 is the new Vendor Request ID. Please correct me if I am wrong.)

  4. Issued the command './app/acvp_app --get /acvp/v1/vendors/1484' to check if the new vendor information that was edited in the vendor.json file had been accepted by the ACVP server.
  5. However, I got the following response:

     ***ACVP [STATUS][log_network_status:1362]--> GET... Status: 200 Url: https://demo.acvts.nist.gov:443/acvp/v1/vendors/1484
     Resp: [ { "acvVersion" : "1.0" }, { "url" : "/acvp/v1/vendors/1484", "name" : "INTEGRITY Security Services", "website" : "www.ghs.com", "emails" : [ ], "phoneNumbers" : [ ], "contactsUrl" : "/acvp/v1/vendors/1484/contacts", "addresses" : [ { "url" : "/acvp/v1/vendors/1484/addresses/1484", "street1" : "7585 Irvine Center Dr.", "street2" : "Suite 250", "street3" : null, "locality" : "Irvine", "region" : "CA", "country" : "USA", "postalCode" : "92618" } ] } ]

It looks like the vendor information displayed after the command '--get /acvp/v1/vendors/1484' is not the one that I edited in my vendor.json. Any suggestions?

Question 2: To create a New testSession intended for a demo server certificate, can you please provide me with an example command? I used command '--post testSessions', but it reported an error. Please see below.

root@acvp1:~/richard-libacvp/libacvp# ./app/acvp_app --post testSessions

Using the following parameters:

ACV_SERVER:     demo.acvts.nist.gov
ACV_PORT:       443
ACV_URI_PREFIX: /acvp/v1/
ACV_CA_FILE:    /root/libacvp-master/certs/acvp.nist.gov.crt
ACV_CERT_FILE:  /root/libacvp-master/GSS-ACVP.cer
ACV_KEY_FILE:   /root/libacvp-master/GSS-ACVP.pem

***ACVP [STATUS][log_network_status:1397]--> POST Login... Status: 200 Url: https://demo.acvts.nist.gov:443/acvp/v1/login Resp: [ { "acvVersion" : "1.0" }, { "accessToken" : "eyJhbGciOiJIUzI1NiJ9.eyJqdGkiOiJjNDI5NWYwMC1jZGJjLTRkYTYtYWJjNy0xMjJmNTlmYzYyZDMiLCJpYXQiOjE1NzU3NTE2MDQsInN1YiI6IjEuMi44NDAuMTEzNTQ5LjEuOS4xPSMxNjE4NDU2NDRkNmY3MjcyNjk3MzQwNDc2ZjczNzM2MTZkNjU3MjUzNjU2MzJlNjM2ZjZkLENOPU5WTEFQIExhYiBDb2RlIDIwMDk5Ny0wLE9VPUNTVEwsTz1Hb3NzYW1lcixMPUNhdG9uc3ZpbGxlLFNUPU1hcnlsYW5kLEM9VVMiLCJpc3MiOiJOSVNUIEFDVlRTIiwiZXhwIjoxNTc1NzUzNDA0fQ.BVgMfjhDPov8DXU2KfPMbYVLeoH4YNYdgmfFNc8Mzcc", "largeEndpointRequired" : true, "sizeConstraint" : 4194304 } ]

ACVP [STATUS][acvp_parse_login:1713]--> JWT: eyJhbGciOiJIUzI1NiJ9.eyJqdGkiOiJjNDI5NWYwMC1jZGJjLTRkYTYtYWJjNy0xMjJmNTlmYzYyZDMiLCJpYXQiOjE1NzU3NTE2MDQsInN1YiI6IjEuMi44NDAuMTEzNTQ5LjEuOS4xPSMxNjE4NDU2NDRkNmY3MjcyNjk3MzQwNDc2ZjczNzM2MTZkNjU3MjUzNjU2MzJlNjM2ZjZkLENOPU5WTEFQIExhYiBDb2RlIDIwMDk5Ny0wLE9VPUNTVEwsTz1Hb3NzYW1lcixMPUNhdG9uc3ZpbGxlLFNUPU1hcnlsYW5kLEM9VVMiLCJpc3MiOiJOSVNUIEFDVlRTIiwiZXhwIjoxNTc1NzUzNDA0fQ.BVgMfjhDPov8DXU2KfPMbYVLeoH4YNYdgmfFNc8Mzcc

ACVP [ERR][acvp_post_data:2480]--> JSON val parse error

root@acvp1:~/richard-libacvp/libacvp#

Any suggestions would be very much appreciated.

Thanks!

bfussell commented 4 years ago

(My understanding is that the number 1484 is the new Vendor Request ID. Please correct me if i am wrong.)

That is the ID associated with the POST request. You can get the vendorID by issuing a GET on that request ID like this:

./acvp_app --get /acvp/v1/requests/1484

You'll get something like this back:

}, {
  "url" : "/acvp/v1/requests/10",
  "status" : "approved",
  "approvedUrl" : "/acvp/v1/vendors/11444"   <--- your vendorID will be here.
} ]

So #4 and #5 should give you the proper vendor info if you use the correct vendorID

There are 2 ways to request a certificate. First is to submit your vendor and person metadata and then run your test with --fips_validation metadata/<file with vendor, person, module and oe info> See metadata/validation.json for an example. After the test completes a PUT is made to request the cert. There will be a similar request ID you'll need to do a GET on to see when the cert is generated.

See #328 for a good description of these steps with example commands.

The other way is to POST vendor, person, module and oe at some point and then run the test. Once the test is complete there is a file generated called testSession_.json. You can add your module and oe info to that file and then perform a PUT. The command line will look like this:

app/acvp_app --put testSession_24254.json

And you have to add your module and oe to the testSession file so it looks something like this:

[ {
  "url": "\/acvp\/v1\/testSessions\/24254",
  "jwt": "eyJhbGciOiJIUzI1NiJ9....-wJlSRuC5xBaAmtZU4SKT6SKGHUAMoB83HAwzLJFZHs"
}, {
  "oeUrl": "/acvp/v1/oes/21274",          <--- add this
  "moduleUrl": "/acvp/v1/modules/11230"   <--- add this
} ]
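To make the two lookups above concrete, here is an added Python helper (not part of libacvp or this thread) that pulls the approved ID out of a '--get /acvp/v1/requests/<id>' response and fills moduleUrl/oeUrl into a testSession_<id>.json before the '--put'. The sample responses are constructed from the shapes shown in this thread, the jwt is a placeholder, and it assumes the testSession file is a JSON array whose first element holds "url" and "jwt".

```python
import json
import re
from typing import Optional

# Constructed sample of the "--get /acvp/v1/requests/<id>" response once the
# server has approved the request (shape taken from this thread).
APPROVED_REQUEST = '''[ { "acvVersion" : "1.0" },
  { "url" : "/acvp/v1/requests/1484", "status" : "approved",
    "approvedUrl" : "/acvp/v1/vendors/11444" } ]'''

# Constructed sample of the same request while it is still pending.
PENDING_REQUEST = '''[ { "acvVersion" : "1.0" },
  { "url" : "/acvp/v1/requests/1484", "status" : "initial" } ]'''

# Constructed stand-in for the testSession_<id>.json that libacvp writes after
# a run; the jwt is a placeholder, not a real token.  Assumption: the file is
# a JSON array whose first element carries "url" and "jwt".
TEST_SESSION = '''[ { "url": "/acvp/v1/testSessions/24254", "jwt": "<placeholder-jwt>" } ]'''

_APPROVED_URL = re.compile(r"^/acvp/v1/(vendors|persons|modules|oes|validations)/(\d+)$")


def approved_resource_id(resp_text: str) -> Optional[int]:
    """Return the numeric ID at the end of approvedUrl (vendorID, moduleID, ...),
    or None while the request has not been approved yet."""
    body = json.loads(resp_text)
    # ACVP responses are a two-element array: [version object, payload object]
    if not (isinstance(body, list) and len(body) == 2):
        raise ValueError("not an ACVP response array")
    payload = body[1]
    if payload.get("status") != "approved":
        return None
    m = _APPROVED_URL.match(payload.get("approvedUrl", ""))
    if m is None:
        raise ValueError(f"unexpected approvedUrl: {payload.get('approvedUrl')!r}")
    return int(m.group(2))


def add_module_and_oe(session_text: str, module_id: int, oe_id: int) -> str:
    """Return the testSession file contents with moduleUrl/oeUrl filled in,
    ready for 'acvp_app --put testSession_<id>.json'.  The url/jwt element is
    left untouched; a second element is appended when the file lacks one."""
    doc = json.loads(session_text)
    if not (isinstance(doc, list) and doc and {"url", "jwt"} <= set(doc[0])):
        raise ValueError("not a libacvp testSession file")
    if len(doc) < 2:
        doc.append({})
    doc[1]["moduleUrl"] = f"/acvp/v1/modules/{module_id}"
    doc[1]["oeUrl"] = f"/acvp/v1/oes/{oe_id}"
    return json.dumps(doc, indent=2)


if __name__ == "__main__":
    print("vendorID:", approved_resource_id(APPROVED_REQUEST))  # 11444
    print(add_module_and_oe(TEST_SESSION, module_id=11230, oe_id=21274))
```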

richardzqwang commented 4 years ago

Thanks much @bfussell for the quick turnaround, even on a Saturday evening!

After reading your message, I used the first method and successfully received "validationId" : "A10079" for my HMAC test on the ACVP demo server. Really appreciate your help!!!

In addition, the testSession ID I received is 42812. By using the first method, if I gave the command './app/acvp_app --put testSession_42812.json', the system would report "error" : "Test Session has already been published.". Please see the output below.

root@acvp1:~/richard-libacvp-demo/libacvp# ./app/acvp_app --put testSession_42812.json

Using the following parameters:

ACV_SERVER:     demo.acvts.nist.gov
ACV_PORT:       443
ACV_URI_PREFIX: /acvp/v1/
ACV_CA_FILE:    /root/libacvp-master/certs/acvp.nist.gov.crt
ACV_CERT_FILE:  /root/libacvp-master/GSS-ACVP.cer
ACV_KEY_FILE:   /root/libacvp-master/GSS-ACVP.pem

***ACVP [STATUS][log_network_status:1413]--> PUT testSession Validation... Status: 400 Url: https://demo.acvts.nist.gov:443/acvp/v1/testSessions/42812 Resp: { "acvVersion" : "1.0", "error" : "Test Session has already been published." }

***ACVP [STATUS][acvp_put_data_from_file:2772]--> Failed to perform PUT

root@acvp1:~/richard-libacvp-demo/libacvp#

Thus, my understanding is that by using the first method to request the algo cert., the tester doesn't need to issue a PUT command; it is done automatically by libacvp. Is my understanding correct?

Last question: Before stepping up to take the algo testing on the ACVP Production Server, the ACVP team sent us the following requirement:

"We need the JSON that you sent when you performed the “certify” step specifically, as outlined in section 11.15.4.1."

Does it mean we need to send the generated testSessions_42812 file to ACVP for review?

Thanks, -Richard

bfussell commented 4 years ago

Correct, you either use --fips_validation or --put not both. You probably need to send the json file you used with --fips_validation, but they may also want the testSession number. You should ask them what they want to be certain.

richardzqwang commented 4 years ago

Again, thanks much @bfussell .

One more question: While reviewing the HMAC algo testing result, I noticed that the parameter of prerequisites is empty. Below is the example from HMAC-SHA2-512 testing.

"algorithmCapabilities" : [ { "algorithm" : { "name" : "HMAC-SHA2-512", "mode" : null, "revision" : "1.0" }, "capabilities" : { "macLen" : [ { "min" : 32, "max" : 512, "increment" : 8 } ], "keyLen" : [ { "min" : 256, "max" : 448, "increment" : 8 } ] }, "prerequisites" : [ ] },

As the prerequisite algorithm for HMAC-SHA-512 is SHA-512, which file do I need to edit to fill in the prerequisite information?

Thanks, -Richard

bfussell commented 4 years ago

You'd have to ask NIST, mine does not show a prerequisite either. You can ask questions or open issues here:

https://github.com/usnistgov/ACVP

richardzqwang commented 4 years ago

Hi Berry,

Thanks for the clarification. I looked back into the draft ACVP (draft-fussell-acvp-spec-00) and found out that section 11.15.4.1 has the following requirements for the algo prerequisites:

"algorithmPrerequisites - array of algorithm prerequisite objects, optional, for any algorithm that has a prerequisite that was not included in testing, the prerequisite MUST be provided by adding an element to this array
  algorithm - string, name of the algorithm
  mode - string, mode of the algorithm, optional, not all algorithms have a mode
  prerequisites - [CREF8] string, array of prerequisite objects
    algorithm - string, required
    validationId - string, required

[ {"acvVersion": }, { "moduleUrl": "/acvp/v1/modules/20", "oeUrl": "/acvp/v1/oes/60", "algorithmPrerequisites": [{ "algorithm": "TEST_ALGO_1", "prerequisites": [ { "algorithm": "TEST_ALGO_0", "validationId": "123456" }, { "algorithm": "TEST_ALGO_0.1", "validationId": "123456" } ] }] } ]

Question: which file does a libacvp user need to edit in order to fill in the prerequisites information?

Thanks a lot, -Richard

bfussell commented 4 years ago

app/app_main.c in the registration code. They are all presently set to "same" which means the prerequisite algorithm is part of the same module that is under test. For the openssl FOM that is an accurate registration. The only time you need something other than "same" is if your prerequisite (SHA in this case) implementation is not part of the module under test. I see no issue other than how the NIST server presents that information when you GET the validation information.

richardzqwang commented 4 years ago

Berry,

For the 2nd case mentioned in your message, if the prerequisite algo was implemented by another module (not the same algo implementation), the libacvp user needs to go to app/app_main.c to make the updates to fill in the prerequisite information and then recompile ./app/acvp_app. Is this the correct process?

Thanks, -Richard

bfussell commented 4 years ago

yes

richardzqwang commented 4 years ago

Thanks @bfussell -Richard

richardzqwang commented 4 years ago

Hi Berry,

A follow up question regarding the output from command './app/acvp_app --get /acvp/v1/validations/41256', detailed as below.

My module supports multiple algorithms (AES, TDES, HMAC, SHA, etc.). After having HMAC tested first, I ran the tests for AES by using the command './app/acvp_app --aes --fips_validation metadata/validation.json', then followed the same steps as I did when testing HMAC to request the algo cert for AES. During the tests, I received a different requestID, but got the same validationID. Eventually, I received the same algo cert as I received from HMAC testing. It kind of made sense to me because both HMAC and AES were implemented by the same module, so the same algo certificate covers both algorithms. However, after giving the command './app/acvp_app --get /acvp/v1/validations/41256', the output just showed the detailed HMAC algorithm, no AES algorithm. Please see the details below.

Step 1: root@acvp1:~/richard-libacvp-demo/libacvp# ./app/acvp_app --aes --fips_validation metadata/validation.json
Response: "url" : "/acvp/v1/requests/1505",

Step 2: ./app/acvp_app --get /acvp/v1/requests/1505
Response: "approvedUrl" : "/acvp/v1/validations/41256"

Step 3: ./app/acvp_app --get /acvp/v1/validations/41256
Response: "acvVersion" : "1.0" }, { "url" : "/acvp/v1/validations/41256", "validationId" : "A10079", "productUrl" : "/acvp/v1/modules/11523", "scenarios" : [ { "operatingEnvironments" : [ { "url" : "/acvp/v1/oes/21348", "name" : "Ubuntu Linux 4.15.0-60-generic x86_64", "dependencies" : [ { "url" : "/acvp/v1/dependencies/23021", "name" : "Linux 4.15.0", "type" : "software", "description" : "Ubuntu Linux Distribution 3.1" } ] } ], "algorithmCapabilities" : [ { "algorithm" : { "name" : "HMAC-SHA2-512", "mode" : null, "revision" : "1.0" }, "capabilities" : { "keyLen" : [ { "min" : 256, "max" : 448, "increment" : 8 } ], "macLen" : [ { "min" : 32, "max" : 512, "increment" : 8 } ] }, "prerequisites" : [ ] }, { "algorithm" : { "name" : "HMAC-SHA2-384", "mode" : null, "revision" : "1.0" }, "capabilities" : { "keyLen" : [ { "min" : 256, "max" : 448, "increment" : 8 } ], "macLen" : [ { "min" : 32, "max" : 384, "increment" : 8 } ] }, "prerequisites" : [ ] }, { "algorithm" : { "name" : "HMAC-SHA2-256", "mode" : null, "revision" : "1.0" }, "capabilities" : { "keyLen" : [ { "min" : 256, "max" : 448, "increment" : 8 } ], "macLen" : [ { "min" : 32, "max" : 256, "increment" : 8 } ] }, "prerequisites" : [ ] }, { "algorithm" : { "name" : "HMAC-SHA2-224", "mode" : null,

Step 4: I confirmed that I received a new testSession_42818.json file after running the AES test.

Question: Why does the output from the command './app/acvp_app --get /acvp/v1/validations/41256' just show the algorithm tested in the first place? In my case, the output just showed HMAC, but no AES. How can I check all tested algorithms under the same validationID?

Thanks, -Richard

Any thoughts?

Thanks, -Richard

bfussell commented 4 years ago

No command responses dump all the data unless you use --verbose.

richardzqwang commented 4 years ago

It works.

Thanks Berry! -Richard

richardzqwang commented 4 years ago

Hello Berry,

One more question:

I submitted the testSession_42812.json file generated by libacvp to CAVP team and received the following feedback:

"The JSON we were asking for was what was sent to our API, not the libacvp client files. In the future, for any troubleshooting to take place, we will need the actual JSON submitted to the API."

Question: Does libacvp Runtime application create such a JSON file used to communicate with ACVP server API?

Thanks, -Richard

bfussell commented 4 years ago

I don't have enough context to go on.
Did you have an issue you wanted them to help you with ? If so, please describe it.

Every ACVP message sent from the libacvp client to the NIST server contains json.

richardzqwang commented 4 years ago

Berry,

First of all, I don't have an issue that I wanted the ACVP team to help with. The reason I made a submission to ACVP was that I wanted to obtain the credentials for logging on to their ACVP Prod Server.

Second, my understanding of ACVP's question is that they want a JSON file containing the following information:

ACVP [STATUS][acvp_parse_login:1713]--> JWT: eyJhbGciOiJIUzI1NiJ9.eyJqdGkiOiJlMDM3ODE1MC1lOWQ2LTQwMmEtYTc5ZS0zNGY4ZWZhMjQ3NTgiLCJpYXQiOjE1NzU3Nzk5OTgsInN1YiI6IjEuMi44NDAuMTEzNTQ5LjEuOS4xPSMxNjE4NDU2NDRkNmY3MjcyNjk3MzQwNDc2ZjczNzM2MTZkNjU3MjUzNjU2MzJlNjM2ZjZkLENOPU5WTEFQIExhYiBDb2RlIDIwMDk5Ny0wLE9VPUNTVEwsTz1Hb3NzYW1lcixMPUNhdG9uc3ZpbGxlLFNUPU1hcnlsYW5kLEM9VVMiLCJpc3MiOiJOSVNUIEFDVlRTIiwiZXhwIjoxNTc1NzgxNzk4fQ.bHMiY8xjxqIpdzy5Ih-1Ocj_aEzY-bBIr1lGV01Jocw

ACVP [STATUS][log_network_status:1362]--> GET... Status: 200 Url: https://demo.acvts.nist.gov:443/acvp/v1/validations/41256
Resp: [ { "acvVersion" : "1.0" }, { "url" : "/acvp/v1/validations/41256", "validationId" : "A10079", "productUrl" : "/acvp/v1/modules/11523", "scenarios" : [ { "operatingEnvironments" : [ { "url" : "/acvp/v1/oes/21348", "name" : "Ubuntu Linux 4.15.0-60-generic x86_64", "dependencies" : [ { "url" : "/acvp/v1/dependencies/23021", "name" : "Linux 4.15.0", "type" : "software", "description" : "Ubuntu Linux Distribution 3.1" } ] } ], "algorithmCapabilities" : [ { "algorithm" : { "name" : "HMAC-SHA2-512", "mode" : null, "revision" : "1.0" }, "capabilities" : { "macLen" : [ { "min" : 32, "max" : 512, "increment" : 8 } ], "keyLen" : [ { "min" : 256, "max" : 448, "increment" : 8 } ] }, "prerequisites" : [ ] }, { "algorithm" : { "name" : "HMAC-SHA2-384", "mode" : null, "revision" : "1.0" }, "capabilities" : { "macLen" : [ { "min" : 32, "max" : 384, "increment" : 8 } ], "keyLen" : [ { "min" : 256, "max" : 448, "increment" : 8 } ] }, "prerequisites" : [ ] }, { "algorithm" : { "name" : "HMAC-SHA2-256", "mode" : null, "revision" : "1.0" }, "capabilities" : { "keyLen" : [ { "min" : 256, "max" : 448, "increment" : 8 } ], "macLen" : [ { "min" : 32, "max" : 256, "increment" : 8 } ] }, "prerequisites" : [ ] }, { "algorithm" : { "name" : "HMAC-SHA2-224", "mode" : null, "revision

But, due to the use of the libacvp runtime application, the test vector request and response validation was done automatically. There might not be a separate JSON file that was created during the testing.

If I am using the libacvp non-runtime application, such a JSON file used to talk with the ACVP server API might exist.

Do you agree?

Thanks, -Richard

bfussell commented 4 years ago

There is no difference between runtime and non-runtime with respect to any capabilities json file, we don't create one. That's what you're showing in your validation output - the capabilities and registration. If that's what they want you can put that output in a file and send it to CAVP.

richardzqwang commented 4 years ago

Thanks Berry for the clarification.

-Richard

richardzqwang commented 4 years ago

Hi Berry,

A quick question: There is a file named "creation.json" under "/libacvp/metadata". I reviewed the contents of this file and found out that it included the Vendor and Person information. During the algo testing, it looks like the user doesn't need to manipulate this creation.json file.

Question: When and where is this creation.json file created and used during the algo testing?

Thanks, -Richard

bfussell commented 4 years ago

I don't use it but it is part of the repo. It was not created as part of any operation. There is a description in the metadata/README.md, however I'm not the person to help you with that part of the metadata generation.

richardzqwang commented 4 years ago

That's fair enough.

Thanks Berry!

-Richard