- Home
- Skills
- Trailofbits
- Skills
- Wycheproof
wycheproof_skill
- Python
3k
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill trailofbits/skills --skill wycheproof- SKILL.md19.9 KB
Overview
This skill provides integration guidance and test vectors from Wycheproof to validate cryptographic implementations against known attacks and edge cases. It helps security engineers and QA teams automate correctness checks for common algorithms and discover implementation-specific vulnerabilities. Use it to prevent signature malleability, invalid-curve, padding, and tag-forgery issues before they reach production.
How this skill works
Wycheproof supplies JSON test files grouped by algorithm and test group. Each test vector contains inputs, expected outputs, flags, and an expected result (valid/acceptable/invalid). The skill shows how to load, convert hex fields to bytes, filter groups by constraints, and run parameterized unit tests that assert correct acceptance or rejection behavior.
When to use it
- Adding cryptographic correctness tests to CI for libraries or services
- Auditing third-party crypto code to verify edge-case handling
- Validating implementations of AES-GCM, ECDSA, ECDH, RSA, ChaCha20-Poly1305, EdDSA
- Detecting known vulnerabilities like signature malleability or invalid-curve attacks
- Regression testing after crypto-related bug fixes or library upgrades
Best practices
- Add Wycheproof as a submodule or fetch specific JSON files before running tests in CI
- Convert hex string fields to binary and apply implementation-specific filters (e.g., IV size)
- Parameterize tests so every test vector is an isolated test case with tcId and comment
- Treat 'acceptable' separately from 'valid' and 'invalid' to document non-ideal but allowed behavior
- Schedule regular updates of test vectors to pick up new attack patterns
Example use cases
- Run aes_gcm_test.json vectors against an AES-GCM implementation to catch tag forgery and IV handling issues
- Validate ECDSA and EdDSA signature parsing to detect DER or length-encoding acceptance bugs
- Exercise ECDH code with invalid-curve test vectors to detect shared-secret validation flaws
- Integrate vector parsing and tests into pytest or Mocha to surface regressions in CI
- Audit an npm or pip dependency by running the relevant Wycheproof JSON for its supported algorithms
FAQ
No. Use it as a git submodule for automatic updates or fetch only the specific JSON files you need for targeted testing.
How do I handle 'acceptable' results?
'Acceptable' indicates non-ideal but permitted behavior. Flag these cases for review and decide if stricter validation is required for your threat model.