sharedHcuCuTrustedDetailTest.php

<?php

use PHPUnit\Framework\TestCase;

require_once 'cutrusted.i';


/**
 * Test EncryptCredentials and DecryptCredentials encryption
 * functionalities and their migration from MCRYPT to OPENSSL.
 */
class HcuCuTrustedCredentialsEncryptionTest extends TestCase {
    function setUp() {
        // to be compatible with mcrypt_generic_init(): key size is 16 bytes max
        $this->test_credential = "s0m3p@ssw0rd!";
        $this->key_suffix = "venfBWHOrtest839";
        $this->test_iv = "oY0i74hthwNoF90l";
    }

    function test_default_credentials_encryptions() {
        // test openssl based credential encryption
        // encrypt with openssl
        list($ciphertext_openssl,
             $iv_enc_openssl) = EncryptCredentials($this->test_credential,
                                                   $this->key_suffix,
                                                   $this->test_iv);

        // decrypt with openssl
        if(function_exists("DecryptCredentialsOpenssl")) {
            // temporary openssl decryption function
            // check CREDENTIALS_ENCDEC_CIPHER_MODE value in cutrusted.i
            // for correct cipher_method
            $obtained_decrypted_text_openssl = DecryptCredentialsOpenssl($ciphertext_openssl,
                                                                         $this->key_suffix,
                                                                         $iv_enc_openssl,
                                                                         "aes-128-cbc");
        } else { // general decryption function
            $obtained_decrypted_text_openssl = DecryptCredentials($ciphertext_openssl,
                                                                  $this->key_suffix,
                                                                  $iv_enc_openssl);
        }

        $this->assertEquals($obtained_decrypted_text_openssl, $this->test_credential);

        // test mcrypt based encryption, if present
        if(function_exists("EncryptCredentialsMcrypt") && function_exists("DecryptCredentialsMcrypt")) {

            // encrypt with mcrypt
            list($ciphertext, $iv_enc) = EncryptCredentialsMcrypt($this->test_credential,
                                                                  $this->key_suffix,
                                                                  $this->test_iv);

            // Since both mcrypt and openssl are using the same IV and
            // encryption key, the generated ciphertexts should be same
            $this->assertEquals($ciphertext_openssl, $ciphertext);

            // decrypt with mcrypt
            $obtained_decrypted_text = DecryptCredentialsMcrypt($ciphertext,
                                                                $this->key_suffix,
                                                                $iv_enc);
            $this->assertEquals($obtained_decrypted_text, $this->test_credential);
        }

        // decrypt with mcrypt
        // get decrypted content using mcrypt; if function available
        // this makes sure that the ciphertext generated by openssl can be
        // decrypted using mcrypt with known IV and key
        if(function_exists("DecryptCredentialsMcrypt")) {
            $obtained_decrypted_text_mcrypt = DecryptCredentialsMcrypt($ciphertext_openssl,
                                                                       $this->key_suffix,
                                                                       $iv_enc_openssl);
            $this->assertEquals($obtained_decrypted_text_mcrypt, $this->test_credential);
        }


    }

    /**
     * Test Credentials encryption migration from mcrypt to openssl
     */
    function test_credentials_encryption_mcrypt_comptability() {
        // encrypt with mcrypt based encryption function
        if(function_exists("EncryptCredentialsMcrypt")) {
            // encrypt with mcrypt if applicable
            list($ciphertext,
                 $iv_enc) = EncryptCredentialsMcrypt($this->test_credential,
                                                     $this->key_suffix);
        } else {
            // encrypt with openssl
            list($ciphertext,
                 $iv_enc) = EncryptCredentials($this->test_credential,
                                                     $this->key_suffix);
        }
        // decryption function should be able to decrypt the data
        // regardless of the library used for encryption
        // decrypt with openssl
        $obtained_decrypted_text = DecryptCredentials($ciphertext,
                                                      $this->key_suffix,
                                                      $iv_enc);

        $this->assertEquals($obtained_decrypted_text, $this->test_credential);
    }

    function tearDown() {

    }
}

/**
 * Test parmencrypt and parmdecrypt encryption functionalities
 * and their migration from MCRYPT to OPENSSL.
 */
class HcuCuTrustedParmEncryptionTest extends TestCase {
    function setUp() {
        $this->Cu = "SCRUBCU";
        $this->key_suffix = sha1($this->Cu.":testkeysuffix");

        $this->hcu_standard_encryption_mode_for_parm = "aes-256-cbc";
        $this->hcu_standard_auth_hash_algo = "sha256";

        // taken from the database, but changed substantially
        $this->trusted_data = HCU_JsonEncode(
            array("pilot" => "1",
                  "pilotUser" => "11221122-33bc-5f5b-aggc-c91eef53e9e1",
                  "pilotPass" => "Am1HcuHcuHc6LFuhaU3Dg",
                  "piloturl" => "https:\/\/demo.demo.com\/services\/resources.ashx\/fis\/HomeCuXyCu\/consumers",
                  "pilotlender" => "HomeCuXyCU\u201dN7q\u2206\u00ba\u20acm\u02da\u02da\u00d38\u203a\u203a=\u00c1\u00f7\u00f9}\u02db[\u25caw\u03c0\u00d5\u00d5\u2022\u00a2w\u00a8\u203a\u204a\u2039\u212b\u00f4\u2023",
                  "pilotsso" => "https:\/\/demo.demo.com\/partners\/HomeCuXyCu\/loginconsumer.aspx",
                  "prodUser" => "",
                  "prodPass" => "",
                  "produrl" => "",
                  "prodlender" => "",
                  "prodsso" => "",
                  "hcuLogging" => "-1"));

        // [openssl] with ECB mode, output ciphertext is always the same for a given
        // data when run with the same secret key
        $this->expected_trusted_data_openssl_ecb_cipher_base64 = "G1qPAyD/VutfubF97UN2cD7VDl0x9w86k4nvU8lLa77ILiZTqYXH9sBNEyyMMU0m4z3TRUQ/Q3GLK3CSrZBCvuN5x74Yw8Ryp5sx+WcnC2Q00AttHkiM+3vnvF0sCPi9pHGrdbIp8E7SN+N4FZzkdG7beIaoJcwvZp3ovIItMhxcUVmThrVusM3vl377w6hsN7DTtmIS2RBDTvDGxx7A7EsGEP1LulOYDblk9hX9KXdGPaaJ651hYAHuYDDe6B4QuYVJMu50vh1J9FKM6HjaQytyXVWbZqeku5S8su1RQa9Wc9BLf+UzNySw+6MNyRnEmCIc9olUsHVJwcbAeW+m5CcM/YiEGI1WW/rfeBbVy2B2n2WVvb+rF+JtcsXO5XOb8Axl3fKfyCePvdIP2tfMD+uCa0C7xJUeaJsGao6I9McBY7GgE6ze7QH4BjYcHhs1sKUKPM82sCBKXMaBAhj4xaD4d+TkujQ1uOvASTOPN8CGbvIdiNkITaWLbjjVgRoWb/HeAdAZbLP/zu5DWDiLCg2xAnzDNxyixHceK9+dDt4ZKA+3/S7i4EEPcMKPpF/hEUOPMVmfGSB8OX07v+Wklduhl1+5zxOremvhcvEos2j44kYKmMRGSR+SviAt2gBejPXSSntY2cDvbEnLWtZLgtkID4s+jcA3anMCV9AQh3EfPG0y1a7tThk4tpEmZfOt0y0LZYEHcJ4fFgiheLQJGuGPHiiykOb6vsSN8ZIM4FeqtilXx+fIF7tfIXBcXWUHln4VfvyQoEh/Iq189hCokFli5/P1fXq6X1JehKZCOv/Bm4ZXntSldD3A2BVV87Fs/MLEOFewG4oCUqnmRGQ+4Q==";

        // [mcrypt-MCRYPT_RIJNDAEL_128 + MCRYPT_MODE_ECB] with ECB mode, output ciphertext
        // is always the same for a given data when run with the same secret key
         $this->expected_trusted_data_mcrypt_ecb_cipher_base64 = "WsKpzTsT7rsUMfhrEWlHjFsgCINnlGPPdzpzZ6YR8CTdIi+XTgscznsaUi6OtqwbT9UXLfS9HvcmzbX5EZHrxxo21XfY6pFAXcIArigtZVYCiqoBXxgYZki9+SiFIgzuaM8Py8ktxdJFep4DaukNOPoGXzUBF1umqjtB/rZqLASjQdTR+yxurzpG4YzXMuhcfg3MZBfR+Wc4+GY1+XdYs5NrOGKN3ntt3Tw0Ifug8rzHdknoLY1HxRIlIPRhVrgHGCNo3TDU8sgCPPg3fRHdChHBsfCbHPOGaDxx03fllxTrvM9D4YemIEftspPXGq2U7AZqswxwrUN/EAobG9z8ffpSdy5SSO7ZvxhAMJWz6n0TzFJn/LsEMrP4NYbijJ55sAPiocC4PzWCCn9ADIQ2nqpg5JNbGhIYn0fb1fwLOjXxZitd+grZn2PlCJ5zm1q4Nt3PYmzI9q8EAxhsihCNB8/gzrgxrPXYnesz4qnBvq+xEo5et9IH2l6rjy4QFM/2qAuVDS4J52xEhIjG8e9lqfooHEwnEJ4cQzeaiyMilDT4kOQ2jZjSOIip4QvlYnC4okY1SxYUrhvnv8GigU1iSs9yZRhdzD9k2hXrczk1cU5QoJy4sHd05DIe9x/7KWxC9va6NjCvbdwHDS9moEt2D5255LM3AI1OScG280cyizUQAnpOFt/jeIL8dBNNZDzjgHesrLSLtEiMdniL4xylCqBbdFMjh6LQ+4SbbDe+eU8kQFKBPUewcDt5CwEHLbYp+RVyyX8cEkfIL5pJpfCxv6OCoPR5ZTwTGGSDTTLYzaM=";
    }

    /**
     * We still use ECB mode of operations mainly due to vendor/interfaces
     * requirements and specifications. Wherever possible, these must
     * be upgraded based on the latest crypto standards and guidelines.
     */
    function test_parmecrypt_mcrypt_to_openssl_transition_with_ecb() {
        // if the previous mcrypt based function also exists, test it
        if(function_exists("parmencrypt_mcrypt")) {
            // With [mcrypt-MCRYPT_RIJNDAEL_128 + MCRYPT_MODE_ECB] ECB mode,
            // output ciphertext is always the same for a given data when run
            // with the same secret key
            // ENCRYPTION
            $obtained_ciphertext_mcrypt = parmencrypt_mcrypt($this->trusted_data,
                                                    $this->key_suffix);

            $this->assertEquals($obtained_ciphertext_mcrypt,
                                $this->expected_trusted_data_mcrypt_ecb_cipher_base64);

            //DECRYPTION
            $obtained_decrypted_data_mcrypt = parmdecrypt($obtained_ciphertext_mcrypt,
                                                          $this->key_suffix,
                                                          $cipher_method="aes-256-ecb");

            $this->assertEquals($obtained_decrypted_data_mcrypt,
                                $this->trusted_data);
        }

        // test  openssl aes-256-ecb based encrypted base64 output
        // [openssl] with ECB mode, output ciphertext is always the same for a given
        // data when run with the same secret key
        // ENCRYPTION
        $obtained_ciphertext_openssl = parmencrypt($this->trusted_data,
                                          $this->key_suffix,
                                          $cipher_method="aes-256-ecb");
        $this->assertEquals($obtained_ciphertext_openssl,
                            $this->expected_trusted_data_openssl_ecb_cipher_base64);

        // DECRYPTION
        $obtained_decrypted_data_openssl = parmdecrypt($obtained_ciphertext_openssl,
                                                       $this->key_suffix,
                                                       $cipher_method="aes-256-ecb");
        $this->assertEquals($obtained_decrypted_data_openssl, $this->trusted_data);

        // also verify that the decrypted data using the both methods were same
        if(function_exists("paramencrypt_mcrypt")) {
            $this->assertEquals($obtained_decrypted_data_openssl, $obtained_decrypted_data_mcrypt);
        }
    }

    /**
     * Verify that the current standard is maintained eg. we are upgrading from
     * mcrypt ecb to aes-256-cbc on March, 2019. Current standard for parm encryption
     * is therefore aes-256-cbc.
     */
    function test_current_standard_openssl_encryption_mode() {
        $this->assertEquals($this->hcu_standard_encryption_mode_for_parm, PARMENCDEC_CIPHER_MODE);
        $this->assertEquals($this->hcu_standard_auth_hash_algo, PARMENCDEC_AUTH_HASH_ALGO);
    }

    /**
     * Test parmencrypt and parmdecrypt with default arguments
     */
    function test_parm_with_current_default_encryption_mode() {
        // Note that the default encryption mode being used by the following functions
        // is determined by PARMENCDEC_CIPHER_MODE constant in cutrusted.i script.
        $openssl_ciphertext = parmencrypt($this->trusted_data,
                                          $this->key_suffix);

        $obtained_decrypted_text = parmdecrypt($openssl_ciphertext,
                                               $this->key_suffix);

        $this->assertEquals($obtained_decrypted_text, $this->trusted_data);
    }

    /**
     * Test parm encryption with several popular aes 256bits key size
     * based aes encryption modes with openssl. Our openssl encryption
     * implementation is expected to work properly for the listed
     * encryption modes at the least.
     *
     */
    function test_current_openssl_encryption_mode_agnostic_nature_parm() {
        // supported encryption modes
        $openssl_aes_256_modes = array("aes-256-ctr",
                                       "aes-256-ofb",
                                       "aes-256-cfb",
                                       "aes-256-cfb1",
                                       "aes-256-cfb8",
                                       "aes-256-ofb",
                                       "aes-256-xts",
                                       "aes-256-ecb");
        $previous_decrypted_data = "";
        foreach($openssl_aes_256_modes as $aes_cipher_mode) {
            $openssl_ciphertext = "";
            $obtained_decrypted_text = "";

            // encrypt with openssl with $aes_cipher_mode mode
            $openssl_ciphertext = parmencrypt($this->trusted_data,
                                               $this->key_suffix,
                                               $cipher_method=$aes_cipher_mode);

            // creates different ciphertext and different base64_encoded output
            // for each of the mode of operation, but they should decrypt the original
            // text just fine.
            $obtained_decrypted_text = parmdecrypt($openssl_ciphertext,
                                                    $this->key_suffix,
                                                    $cipher_method=$aes_cipher_mode);

            $this->assertEquals($obtained_decrypted_text, $this->trusted_data);
            // also assert the decrypted value from the previous mode
            if ($previous_decrypted_data != "") {
                $this->assertEquals($previous_decrypted_data, $obtained_decrypted_text);
            }
            // update previous with the current decrypt
            $previous_decrypted_dat = $obtained_decrypted_text;

        }

    }

    function tearDown(){

    }
}

?>