1ACVP Client 2=========== 3 4[ACVP](https://github.com/usnistgov/ACVP) is the next version of NIST's [CAVP](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program)—a program for running cryptographic implementations against a set of test vectors. CAVP involved emailing around zip files of somewhat-INI-like test vectors where no two files had quite the same format. ACVP is supposed to replace that with a) TLS connections rather than email (but not yet) and b) JSON rather than bespoke formats. 5 6The tool in this directory can speak to ACVP servers, fetch test vectors, and lower the operations to a simpler protocol. A wrapper around the FIPS module in question implements that protocol for testing. Test vectors can also come from files on disk. 7 8The tool also provides an interface for querying and manipulating the ACVP database, which contains lists of modules, vendors, contacts, operating environments, etc. 9 10For an alternative, see [libacvp](https://github.com/cisco/libacvp). 11 12## Building 13 14This tool builds independently of the rest of the BoringSSL: just run `go build` within the `acvptool` directory. 15 16## File-based operation 17 18While ACVP hopes to replace emailing files around at some point, emailing is still common practice with most NVLAP labs. To process a file of test vectors, use the `-json` flag: 19 20``` 21% ./acvptool -json input.json > output.json 22``` 23 24The top-level structure of these JSON files is not specified by NIST. This tool consumes the form that appears to be most commonly used. 25 26The lab will need to know the configuration of the module to generate tests. Obtain that with the `-regcap` option and redirect the output to a file. 27 28### Testing other FIPS modules 29 30Lowering ACVP to a simpler form might be useful for other modules so the protocol is described here. The tool has far from complete coverage of ACVP's mountain of options, but common cases are handled. If you have additional needs then it's hopefully straightforward to extend the tool yourself. 31 32The FIPS module being tested needs to be wrapped such that the tool can fork and exec a binary that speaks this protocol over stdin/stdout. For BoringSSL that binary is in the `modulewrapper` directory and serves as a reference implementation if you have questions about the protocol that aren't answered below. BoringSSL's modulewrapper contains the FIPS module itself, but your binary could forward the communication over, e.g., a serial link to a hardware module. Specify the path to the binary with the `-wrapper` option. 33 34The protocol is request–response: the subprocess only speaks in response to a request and there is exactly one response for every request. Requests consist of one or more byte strings and responses consist of zero or more byte strings. 35 36A request contains: the number of byte strings, the length of each byte string, and the contents of each byte string. All numbers are 32-bit little-endian and values are concatenated in the order specified. The first byte string is mandatory and is the name of the command to perform. A response has the same format except that there may be zero byte strings and the first byte string has no special meaning. 37 38All implementations must support the `getConfig` command which takes no arguments and returns a single byte string which is a JSON blob of ACVP algorithm configuration. This blob describes all the algorithms and capabilities that the module supports and is an array of JSON objects suitable for including as the `algorithms` value when [creating an ACVP vector set](http://usnistgov.github.io/ACVP/artifacts/draft-fussell-acvp-spec-00.html#rfc.section.11.15.2.1). 39 40Crafting this JSON is an art. You can get some information from reading the [NIST documentation](https://github.com/usnistgov/ACVP#supported-algorithms) but you might also want to crib from the BoringSSL wrapper in `modulewrapper`. 41 42The other commands are as follows. (Note that you only need to implement the commands required by the ACVP configuration returned.) 43 44| Command | Arguments | Outputs | 45|----------------------|---------------------------|---------| 46| 3DES-CBC/decrypt | Key, ciphertext, IV, num iterations¹ | Result, Previous result | 47| 3DES-CBC/encrypt | Key, plaintext, IV, num iterations¹ | Result, Previous result | 48| 3DES/decrypt | Key, input block, num iterations¹ | Result, Previous result | 49| 3DES/encrypt | Key, input block, num iterations¹ | Result, Previous result | 50| AES-CBC/decrypt | Key, ciphertext, IV, num iterations¹ | Result, Previous result | 51| AES-CBC/encrypt | Key, plaintext, IV, num iterations¹ | Result, Previous result | 52| AES-CCM/open | Tag length, key, ciphertext, nonce, ad | One-byte success flag, plaintext or empty | 53| AES-CCM/seal | Tag length, key, plaintext, nonce, ad | Ciphertext | 54| AES-CTR/decrypt | Key, ciphertext, initial counter, constant 1 | Plaintext | 55| AES-CTR/encrypt | Key, plaintexttext, initial counter, constant 1 | Ciphertext | 56| AES-GCM/open | Tag length, key, ciphertext, nonce, ad | One-byte success flag, plaintext or empty | 57| AES-GCM/seal | Tag length, key, plaintext, nonce, ad | Ciphertext | 58| AES-KW/open | (dummy), key, ciphertext, (dummy), (dummy) | One-byte success flag, plaintext or empty | 59| AES-KW/seal | (dummy), key, plaintext, (dummy), (dummy) | Ciphertext | 60| AES-KWP/open | (dummy), key, ciphertext, (dummy), (dummy) | One-byte success flag, plaintext or empty | 61| AES-KWP/seal | (dummy), key, plaintext, (dummy), (dummy) | Ciphertext | 62| AES-XTS/decrypt | Key, ciphertext, tweak | Plaintext | 63| AES-XTS/encrypt | Key, plaintext, tweak | Ciphertext | 64| AES/decrypt | Key, input block, num iterations¹ | Result, Previous result | 65| AES/encrypt | Key, input block, num iterations¹ | Result, Previous result | 66| CMAC-AES | Number output bytes, key, message | MAC | 67| CMAC-AES/verify | Key, message, claimed MAC | One-byte success flag | 68| ctrDRBG/AES-256 | Output length, entropy, personalisation, ad1, ad2, nonce | Output | 69| ECDH/<CURVE> | X, Y, private key | X, Y, shared key | 70| ECDSA/keyGen | Curve name | Private key, X, Y | 71| ECDSA/keyVer | Curve name, X, Y | Single-byte valid flag | 72| ECDSA/sigGen | Curve name, private key, hash name, message | R, S | 73| ECDSA/sigVer | Curve name, hash name, message, X, Y, R, S | Single-byte validity flag | 74| FFDH | p, q, g, peer public key, local private key (or empty), local public key (or empty) | Local public key, shared key | 75| HMAC-SHA-1 | Value to hash, key | Digest | 76| HMAC-SHA2-224 | Value to hash, key | Digest | 77| HMAC-SHA2-256 | Value to hash, key | Digest | 78| HMAC-SHA2-384 | Value to hash, key | Digest | 79| HMAC-SHA2-512 | Value to hash, key | Digest | 80| HMAC-SHA2-512/256 | Value to hash, key | Digest | 81| KDF-counter | Number output bytes, PRF name, counter location string, key, number of counter bits | Counter, output | 82| RSA/keyGen | Modulus bit-size | e, p, q, n, d | 83| RSA/sigGen/<HASH>/pkcs1v1.5 | Modulus bit-size | n, e, signature | 84| RSA/sigGen/<HASH>/pss | Modulus bit-size | n, e, signature | 85| RSA/sigVer/<HASH>/pkcs1v1.5 | n, e, message, signature | Single-byte validity flag | 86| RSA/sigVer/<HASH>/pss | n, e, message, signature | Single-byte validity flag | 87| SHA-1 | Value to hash | Digest | 88| SHA2-224 | Value to hash | Digest | 89| SHA2-256 | Value to hash | Digest | 90| SHA2-384 | Value to hash | Digest | 91| SHA2-512 | Value to hash | Digest | 92| SHA2-512/256 | Value to hash | Digest | 93| TLSKDF/<1.0\|1.2>/<HASH> | Number output bytes, secret, label, seed1, seed2 | Output | 94 95¹ The iterated block-cipher tests would result in excessive numbers of round trips if the module wrapper handled only basic operations. Thus some ACVP logic is pushed down for these tests so that the inner loop can be handled locally. Either read the [NIST documentation](https://usnistgov.github.io/ACVP/draft-celi-acvp-symmetric.html#name-monte-carlo-tests-for-block) to understand the iteration count and return values or, probably more fruitfully, see how these functions are handled in the `modulewrapper` directory. 96 97## Online operation 98 99If you have credentials to speak to either of the NIST ACVP servers then you can run the tool in online mode. 100 101Configuration is done via a `config.json` file in the current working directory. Here's a template: 102 103``` 104{ 105 "ACVPServer": "https://demo.acvts.nist.gov/", 106 "CertPEMFile": "certificate_from_nist.pem", 107 "PrivateKeyFile": "your_private_key.key", 108 "TOTPSecret": "<base64 from NIST goes here>", 109 "SessionTokensCache": "~/.cache/acvp-session-tokens", 110 "LogFile": "log" 111} 112``` 113 114NIST's ACVP servers use both TLS client certificates and TOTP for authentication. When registering with NIST they'll sign a CSR and return a certificate in PEM format, which is pointed to by `CertPEMFile`. The corresponding private key is expected in `PrivateKeyFile`. Lastly, NIST will provide a file that contains the base64-encoded TOTP seed, which must be pasted in as the value of `TOTPSecret`. 115 116NIST's ACVP server provides special access tokens for each test session and test sessions can _only_ be accessed via those tokens. The reasoning behind this is unclear but this client can, optionally, keep records of these access tokens in the directory named by `SessionTokensCache`. If that directory name begins with `~/` then that prefix will be replaced with the value of `$HOME`. 117 118Lastly, a log of all HTTP traffic will be written to the file named by `LogFile`, if provided. This is useful for debugging. 119 120### Interactive Use 121 122ACVP provides a fairly complex interface to a database of several types of objects. A rough UI is provided for this which is triggered when the client is invoked with no command-line arguments. 123 124The simplest objects in ACVP are request objects. These record the status of requested changes to the database and, in practice, changes to the NIST demo database never succeed. The set of pending requests for the current user can be enumerated just by evaluating the `requests` object: 125 126``` 127> requests 128[ 129 { 130 "url": "/acvp/v1/requests/374", 131 "status": "processing" 132 }, 133 { 134 "url": "/acvp/v1/requests/218", 135 "status": "processing" 136 } 137] 138``` 139 140A specific request can be evaluated by using indexing syntax: 141 142``` 143> requests[374] 144{ 145 "url": "/acvp/v1/requests/374", 146 "status": "processing" 147} 148``` 149 150The list of vendors provides a more complex example. Since there are large number of duplicates in NIST's database, there are more than 10 000 vendor objects and enumerating them all takes a long time. Thus evaluating the `vendors` object doesn't do that: 151 152``` 153> vendors 154[object set vendors] 155``` 156 157It is still possible to use indexing syntax to read a specific vendor object if you know the ID: 158 159``` 160> vendors[1234] 161{ 162 "url": "/acvp/v1/vendors/1234", 163 "name": "Apple Inc.", 164 "website": "www.apple.com", 165 "contactsUrl": "/acvp/v1/vendors/1234/contacts", 166 "addresses": [ 167 { 168 "url": "/acvp/v1/vendors/1234/addresses/1234", 169 "street1": "1 Infinite Loop", 170 "locality": "Cupertino", 171 "region": "CA", 172 "country": "USA", 173 "postalCode": "95014" 174 } 175 ] 176} 177``` 178 179Finding a vendor when the ID is not known requires searching and the ACVP spec [documents](http://usnistgov.github.io/ACVP/artifacts/draft-fussell-acvp-spec-00.html#rfc.section.11.8.1), for each object type, what values and what relations can be searched on. This is reflected in a variant of the indexing syntax: 180 181``` 182> vendors[where name contains "Google LLC"] 183[ 184 { 185 "url": "/acvp/v1/vendors/11136", 186 "name": "Google LLC", 187 "website": "www.google.com", 188 "contactsUrl": "/acvp/v1/vendors/11136/contacts", 189 "addresses": [ 190 { 191 "url": "/acvp/v1/vendors/11136/addresses/11136", 192 "street1": "1600 Amphitheatre Parkway", 193 "locality": "Mountain View", 194 "region": "CA", 195 "country": "USA", 196 "postalCode": "94043" 197 } 198 ] 199 }, 200 { 201 "url": "/acvp/v1/vendors/11137", 202 "name": "Google LLC", 203 "website": "www.google.com", 204 "contactsUrl": "/acvp/v1/vendors/11137/contacts", 205 "addresses": [ 206 { 207 "url": "/acvp/v1/vendors/11137/addresses/11137", 208 "street1": "1600 Amphitheatre Parkway", 209 "locality": "Mountain View", 210 "region": "CA", 211 "country": "USA", 212 "postalCode": "94043" 213 } 214 ] 215 } 216] 217``` 218 219In general, `&&` and `||` can be used as in C and the relationships are `==`, `!=`, `contains`, `startsWith`, and `endsWith`. Only values and relations listed in the ACVP spec for a given object can be used. 220 221More complex interaction remains to be fleshed out. However, it is generally possible to create new objects by evaluating, for example, `vendors.new()`. That will invoke `$EDITOR` to edit the JSON to be submitted. (For now, however, no helpful templates are provided.) 222 223The current list of objects is: 224 225* `requests` 226* `vendors` 227* `persons` 228* `modules` 229* `oes` (operating environments) 230* `deps` 231* `algos` 232* `sessions` 233 234### Running test sessions 235 236In online mode, a given algorithm can be run by using the `-run` option. For example, `-run SHA2-256`. This will fetch a vector set, have the module-under-test answer it, and upload the answer. If you want to just fetch the vector set for later use with the `-json` option (documented above) then you can use `-fetch` instead of `-run`. 237 238The tool doesn't currently support the sorts of operations that a lab would need, like uploading results from a file. 239