[Cryptography] CMS or S/MIME test vectors

Stephan Neuhaus stephan.neuhaus at zhaw.ch
Mon May 25 01:39:34 EDT 2020



On 5/23/20 6:43 AM, Peter Gutmann wrote:
> Dmitry Baryshkov <dbaryshkov at gmail.com> writes:
> 
>> I have been looking for good CMS or S/MIME test corpora. Does anyone know a
>> suitable set of messages? Well, other than RFC 4134.
> 
> [...]
>
> In terms of RFC 4134, that's not very useful since it exercises every weird
> mechanism and oddball corner case in the spec, none of which you'll ever
> encounter.  What you need to test most is all of the million ways of creating
> theoretically valid but unexpected signatures on data, which is what you need
> to scrape together from public sources.

Or you could adapt techniques from fuzzing to make your code fail and 
then see if the thing they failed on was really invalid or just an odd 
corner case. Fuzzing is really, really good these days at creating 
inputs that, when you squint, look valid but aren't. Or, of course, vice 
versa.

Of course you still need to check that the things your code *didn't* 
flag up as invalid are really all valid cases. That's going to be tough.

Fun,

Stephan
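
The triage loop described in the message above, as an added example that is not part of the original post or of any project's code. It assumes a strict DER length walker stands in for the code under test and a BER-tolerant walker for the "was it really invalid" check; the sample blob and all names are constructed for illustration.

```python
import random

# Constructed sample: SEQUENCE { OID id-data, [0] { OCTET STRING "hi" } } in DER.
SEED = bytes.fromhex("3011" "06092a864886f70d010701" "a004" "0402" "6869")

def parse(buf, strict):
    # Walk one TLV and its children; strict=True enforces DER minimal lengths.
    if len(buf) < 2 or buf[0] & 0x1F == 0x1F:
        raise ValueError("truncated header or unsupported high tag number")
    first, pos = buf[1], 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or len(buf) < 2 + n:
            raise ValueError("indefinite, oversized or truncated length")
        length, pos = int.from_bytes(buf[2:2 + n], "big"), 2 + n
        if strict and (length < 0x80 or buf[2] == 0):
            raise ValueError("non-minimal length, not DER")
    end = pos + length
    if end > len(buf):
        raise ValueError("value runs past end of buffer")
    if buf[0] & 0x20:  # constructed: children must tile the value exactly
        while pos < end:
            pos += parse(buf[pos:end], strict)
    return end

def accepts(buf, strict):
    try:
        return parse(buf, strict) == len(buf)  # trailing bytes are a reject
    except ValueError:
        return False

def mutants(seed, count, rng):
    for _ in range(count):
        m = bytearray(seed)
        if rng.random() < 0.5:  # blind mutation: flip one bit anywhere
            m[rng.randrange(len(m))] ^= 1 << rng.randrange(8)
        else:  # structure-aware mutation: re-encode outer length in long form
            m[1:2] = bytes([0x81, m[1]])
        yield bytes(m)

def triage(count=200, rng_seed=1):
    # corner_case: the strict code under test rejects, the lenient check accepts.
    buckets = {"both_accept": [], "both_reject": [], "corner_case": []}
    for m in mutants(SEED, count, random.Random(rng_seed)):
        strict_ok, lenient_ok = accepts(m, True), accepts(m, False)
        key = "both_accept" if strict_ok else "corner_case" if lenient_ok else "both_reject"
        buckets[key].append(m)
    return buckets
```

The `corner_case` bucket holds the inputs to review by hand. The `both_accept` bucket is the harder problem from the second paragraph: both walkers only check TLV framing, so their agreement does not show those inputs are valid CMS.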

