1 /* Copyright (C) 1995-1998 Eric Young (eay (at) cryptsoft.com) 2 * All rights reserved. 3 * 4 * This package is an SSL implementation written 5 * by Eric Young (eay (at) cryptsoft.com). 6 * The implementation was written so as to conform with Netscapes SSL. 7 * 8 * This library is free for commercial and non-commercial use as long as 9 * the following conditions are aheared to. The following conditions 10 * apply to all code found in this distribution, be it the RC4, RSA, 11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 12 * included with this distribution is covered by the same copyright terms 13 * except that the holder is Tim Hudson (tjh (at) cryptsoft.com). 14 * 15 * Copyright remains Eric Young's, and as such any Copyright notices in 16 * the code are not to be removed. 17 * If this package is used in a product, Eric Young should be given attribution 18 * as the author of the parts of the library used. 19 * This can be in the form of a textual message at program startup or 20 * in documentation (online or textual) provided with the package. 21 * 22 * Redistribution and use in source and binary forms, with or without 23 * modification, are permitted provided that the following conditions 24 * are met: 25 * 1. Redistributions of source code must retain the copyright 26 * notice, this list of conditions and the following disclaimer. 27 * 2. Redistributions in binary form must reproduce the above copyright 28 * notice, this list of conditions and the following disclaimer in the 29 * documentation and/or other materials provided with the distribution. 30 * 3. All advertising materials mentioning features or use of this software 31 * must display the following acknowledgement: 32 * "This product includes cryptographic software written by 33 * Eric Young (eay (at) cryptsoft.com)" 34 * The word 'cryptographic' can be left out if the rouines from the library 35 * being used are not cryptographic related :-). 36 * 4. If you include any Windows specific code (or a derivative thereof) from 37 * the apps directory (application code) you must include an acknowledgement: 38 * "This product includes software written by Tim Hudson (tjh (at) cryptsoft.com)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 50 * SUCH DAMAGE. 51 * 52 * The licence and distribution terms for any publically available version or 53 * derivative of this code cannot be changed. i.e. this code cannot simply be 54 * copied and put under another distribution licence 55 * [including the GNU Public Licence.] */ 56 57 #include <openssl/rsa.h> 58 59 #include <stdlib.h> 60 #include <string.h> 61 62 #include <gtest/gtest.h> 63 64 #include <openssl/bn.h> 65 #include <openssl/bytestring.h> 66 #include <openssl/crypto.h> 67 #include <openssl/err.h> 68 #include <openssl/nid.h> 69 70 #include "../fipsmodule/bn/internal.h" 71 #include "../fipsmodule/rsa/internal.h" 72 #include "../internal.h" 73 #include "../test/test_util.h" 74 75 #if defined(OPENSSL_THREADS) 76 #include <thread> 77 #include <vector> 78 #endif 79 80 81 // kPlaintext is a sample plaintext. 82 static const uint8_t kPlaintext[] = "\x54\x85\x9b\x34\x2c\x49\xea\x2a"; 83 static const size_t kPlaintextLen = sizeof(kPlaintext) - 1; 84 85 // kKey1 is a DER-encoded RSAPrivateKey. 86 static const uint8_t kKey1[] = 87 "\x30\x82\x01\x38\x02\x01\x00\x02\x41\x00\xaa\x36\xab\xce\x88\xac\xfd\xff" 88 "\x55\x52\x3c\x7f\xc4\x52\x3f\x90\xef\xa0\x0d\xf3\x77\x4a\x25\x9f\x2e\x62" 89 "\xb4\xc5\xd9\x9c\xb5\xad\xb3\x00\xa0\x28\x5e\x53\x01\x93\x0e\x0c\x70\xfb" 90 "\x68\x76\x93\x9c\xe6\x16\xce\x62\x4a\x11\xe0\x08\x6d\x34\x1e\xbc\xac\xa0" 91 "\xa1\xf5\x02\x01\x11\x02\x40\x0a\x03\x37\x48\x62\x64\x87\x69\x5f\x5f\x30" 92 "\xbc\x38\xb9\x8b\x44\xc2\xcd\x2d\xff\x43\x40\x98\xcd\x20\xd8\xa1\x38\xd0" 93 "\x90\xbf\x64\x79\x7c\x3f\xa7\xa2\xcd\xcb\x3c\xd1\xe0\xbd\xba\x26\x54\xb4" 94 "\xf9\xdf\x8e\x8a\xe5\x9d\x73\x3d\x9f\x33\xb3\x01\x62\x4a\xfd\x1d\x51\x02" 95 "\x21\x00\xd8\x40\xb4\x16\x66\xb4\x2e\x92\xea\x0d\xa3\xb4\x32\x04\xb5\xcf" 96 "\xce\x33\x52\x52\x4d\x04\x16\xa5\xa4\x41\xe7\x00\xaf\x46\x12\x0d\x02\x21" 97 "\x00\xc9\x7f\xb1\xf0\x27\xf4\x53\xf6\x34\x12\x33\xea\xaa\xd1\xd9\x35\x3f" 98 "\x6c\x42\xd0\x88\x66\xb1\xd0\x5a\x0f\x20\x35\x02\x8b\x9d\x89\x02\x20\x59" 99 "\x0b\x95\x72\xa2\xc2\xa9\xc4\x06\x05\x9d\xc2\xab\x2f\x1d\xaf\xeb\x7e\x8b" 100 "\x4f\x10\xa7\x54\x9e\x8e\xed\xf5\xb4\xfc\xe0\x9e\x05\x02\x21\x00\x8e\x3c" 101 "\x05\x21\xfe\x15\xe0\xea\x06\xa3\x6f\xf0\xf1\x0c\x99\x52\xc3\x5b\x7a\x75" 102 "\x14\xfd\x32\x38\xb8\x0a\xad\x52\x98\x62\x8d\x51\x02\x20\x36\x3f\xf7\x18" 103 "\x9d\xa8\xe9\x0b\x1d\x34\x1f\x71\xd0\x9b\x76\xa8\xa9\x43\xe1\x1d\x10\xb2" 104 "\x4d\x24\x9f\x2d\xea\xfe\xf8\x0c\x18\x26"; 105 106 // kFIPSKey is a DER-encoded RSAPrivateKey that is FIPS-compliant. 107 static const uint8_t kFIPSKey[] = 108 "\x30\x82\x02\x5c\x02\x01\x00\x02\x81\x81\x00\xa1\x71\x90\x77\x86\x8a\xc7" 109 "\xb8\xfc\x2a\x45\x82\x6d\xee\xeb\x35\x3a\x18\x3f\xb6\xb0\x1e\xb1\xd3\x09" 110 "\x6b\x05\x4d\xec\x1c\x37\x6f\x09\x31\x32\xda\x21\x8a\x49\x0e\x16\x28\xed" 111 "\x9a\x30\xf3\x14\x53\xfd\x5b\xb0\xf6\x4a\x5d\x52\xe1\xda\xe1\x40\x6e\x65" 112 "\xbf\xca\x45\xd9\x62\x96\x4a\x1e\x11\xc4\x61\x83\x1f\x58\x8d\x5e\xd0\x12" 113 "\xaf\xa5\xec\x9b\x97\x2f\x6c\xb2\x82\x4a\x73\xd0\xd3\x9a\xc9\x69\x6b\x24" 114 "\x3c\x82\x6f\xee\x4d\x0c\x7e\xdf\xd7\xae\xea\x3a\xeb\x04\x27\x8d\x43\x81" 115 "\x59\xa7\x90\x56\xc1\x69\x42\xb3\xaf\x1c\x8d\x4e\xbf\x02\x03\x01\x00\x01" 116 "\x02\x81\x80\x60\x82\xcd\x44\x46\xcf\xeb\xf9\x6f\xf5\xad\x3b\xfd\x90\x18" 117 "\x57\xe7\x74\xdb\x91\xd0\xd3\x68\xa6\xaa\x38\xaa\x21\x1d\x06\xf9\x34\x8d" 118 "\xa0\x35\xb0\x24\xe0\xd0\x2f\x75\x9b\xdd\xfe\x91\x48\x9f\x5c\x5e\x57\x54" 119 "\x00\xc8\x0f\xe6\x1e\x52\x84\xd9\xc9\xa5\x55\xf4\x0a\xbe\x88\x46\x7a\xfb" 120 "\x18\x37\x8e\xe6\x6e\xa2\x5f\x80\x48\x34\x3f\x5c\xbe\x0e\x1e\xe8\x2f\x50" 121 "\xba\x14\x96\x3c\xea\xfb\xd2\x49\x33\xdc\x12\xb8\xa7\x8a\xb5\x27\xf9\x00" 122 "\x4b\xf5\xd2\x2a\xd0\x2c\x1d\x9b\xd5\x6c\x3e\x4b\xb9\x7e\x39\xf7\x3e\x39" 123 "\xc9\x47\x5e\xbe\x91\x02\x41\x00\xcd\x33\xcf\x37\x01\xd7\x59\xcc\xbe\xa0" 124 "\x1c\xb9\xf5\xe7\x44\x9f\x62\x91\xa7\xa7\x7b\x0c\x52\xcd\x7e\xe6\x31\x11" 125 "\x8b\xd8\x2c\x8a\x63\xe1\x07\xc9\xcb\xce\x01\x45\x63\xf5\x5d\x44\xfb\xeb" 126 "\x8d\x74\x16\x20\x7d\x3b\xb4\xa1\x61\xb0\xa8\x29\x51\xc9\xef\xb6\xa1\xd5" 127 "\x02\x41\x00\xc9\x68\xa6\xd3\x88\xd5\x49\x9d\x6b\x44\x96\xfd\xbf\x66\x27" 128 "\xb4\x1f\x90\x76\x86\x2f\xe2\xce\x20\x5d\xee\x9b\xeb\xc4\xb4\x62\x47\x79" 129 "\x99\xb1\x99\xbc\xa2\xa6\xb6\x96\x64\xd5\x77\x9b\x45\xd4\xf0\x99\xb5\x9e" 130 "\x61\x4d\xf5\x12\xdd\x84\x14\xaf\x1e\xdd\x83\x24\x43\x02\x40\x60\x29\x7f" 131 "\x59\xcf\xcb\x13\x92\x17\x63\x01\x13\x44\x61\x74\x8f\x1c\xaa\x15\x5f\x2f" 132 "\x12\xbf\x5a\xfd\xb4\xf2\x19\xbe\xe7\x37\x38\x43\x46\x19\x58\x3f\xe1\xf2" 133 "\x46\x8a\x69\x59\xa4\x12\x4a\x78\xa7\x86\x17\x03\x99\x0f\x34\xf1\x8a\xcf" 134 "\xc3\x4d\x48\xcc\xc5\x51\x61\x02\x41\x00\xc2\x12\xb3\x5d\xf5\xe5\xff\xcf" 135 "\x4e\x43\x83\x72\xf2\xf1\x4e\xa4\xc4\x1d\x81\xf7\xff\x40\x7e\xfa\xb5\x48" 136 "\x6c\xba\x1c\x8a\xec\x80\x8e\xed\xc8\x32\xa9\x8f\xd9\x30\xeb\x6e\x32\x3b" 137 "\xd4\x44\xcf\xd1\x1f\x6b\xe0\x37\x46\xd5\x35\xde\x79\x9d\x2c\xb9\x83\x1d" 138 "\x10\xdd\x02\x40\x0f\x14\x95\x96\xa0\xe2\x6c\xd4\x88\xa7\x0b\x82\x14\x10" 139 "\xad\x26\x0d\xe4\xa1\x5e\x01\x3d\x21\xd2\xfb\x0e\xf9\x58\xa5\xca\x1e\x21" 140 "\xb3\xf5\x9a\x6c\x3d\x5a\x72\xb1\x2d\xfe\xac\x09\x4f\xdd\xe5\x44\xd1\x4e" 141 "\xf8\x59\x85\x3a\x65\xe2\xcd\xbc\x27\x1d\x9b\x48\x9f\xb9"; 142 143 static const uint8_t kFIPSPublicKey[] = 144 "\x30\x81\x89\x02\x81\x81\x00\xa1\x71\x90\x77\x86\x8a\xc7\xb8\xfc\x2a\x45" 145 "\x82\x6d\xee\xeb\x35\x3a\x18\x3f\xb6\xb0\x1e\xb1\xd3\x09\x6b\x05\x4d\xec" 146 "\x1c\x37\x6f\x09\x31\x32\xda\x21\x8a\x49\x0e\x16\x28\xed\x9a\x30\xf3\x14" 147 "\x53\xfd\x5b\xb0\xf6\x4a\x5d\x52\xe1\xda\xe1\x40\x6e\x65\xbf\xca\x45\xd9" 148 "\x62\x96\x4a\x1e\x11\xc4\x61\x83\x1f\x58\x8d\x5e\xd0\x12\xaf\xa5\xec\x9b" 149 "\x97\x2f\x6c\xb2\x82\x4a\x73\xd0\xd3\x9a\xc9\x69\x6b\x24\x3c\x82\x6f\xee" 150 "\x4d\x0c\x7e\xdf\xd7\xae\xea\x3a\xeb\x04\x27\x8d\x43\x81\x59\xa7\x90\x56" 151 "\xc1\x69\x42\xb3\xaf\x1c\x8d\x4e\xbf\x02\x03\x01\x00\x01"; 152 153 // kOAEPCiphertext1 is a sample encryption of |kPlaintext| with |kKey1| using 154 // RSA OAEP. 155 static const uint8_t kOAEPCiphertext1[] = 156 "\x1b\x8f\x05\xf9\xca\x1a\x79\x52\x6e\x53\xf3\xcc\x51\x4f\xdb\x89\x2b\xfb" 157 "\x91\x93\x23\x1e\x78\xb9\x92\xe6\x8d\x50\xa4\x80\xcb\x52\x33\x89\x5c\x74" 158 "\x95\x8d\x5d\x02\xab\x8c\x0f\xd0\x40\xeb\x58\x44\xb0\x05\xc3\x9e\xd8\x27" 159 "\x4a\x9d\xbf\xa8\x06\x71\x40\x94\x39\xd2"; 160 161 // kKey2 is a DER-encoded RSAPrivateKey. 162 static const uint8_t kKey2[] = 163 "\x30\x81\xfb\x02\x01\x00\x02\x33\x00\xa3\x07\x9a\x90\xdf\x0d\xfd\x72\xac" 164 "\x09\x0c\xcc\x2a\x78\xb8\x74\x13\x13\x3e\x40\x75\x9c\x98\xfa\xf8\x20\x4f" 165 "\x35\x8a\x0b\x26\x3c\x67\x70\xe7\x83\xa9\x3b\x69\x71\xb7\x37\x79\xd2\x71" 166 "\x7b\xe8\x34\x77\xcf\x02\x01\x03\x02\x32\x6c\xaf\xbc\x60\x94\xb3\xfe\x4c" 167 "\x72\xb0\xb3\x32\xc6\xfb\x25\xa2\xb7\x62\x29\x80\x4e\x68\x65\xfc\xa4\x5a" 168 "\x74\xdf\x0f\x8f\xb8\x41\x3b\x52\xc0\xd0\xe5\x3d\x9b\x59\x0f\xf1\x9b\xe7" 169 "\x9f\x49\xdd\x21\xe5\xeb\x02\x1a\x00\xcf\x20\x35\x02\x8b\x9d\x86\x98\x40" 170 "\xb4\x16\x66\xb4\x2e\x92\xea\x0d\xa3\xb4\x32\x04\xb5\xcf\xce\x91\x02\x1a" 171 "\x00\xc9\x7f\xb1\xf0\x27\xf4\x53\xf6\x34\x12\x33\xea\xaa\xd1\xd9\x35\x3f" 172 "\x6c\x42\xd0\x88\x66\xb1\xd0\x5f\x02\x1a\x00\x8a\x15\x78\xac\x5d\x13\xaf" 173 "\x10\x2b\x22\xb9\x99\xcd\x74\x61\xf1\x5e\x6d\x22\xcc\x03\x23\xdf\xdf\x0b" 174 "\x02\x1a\x00\x86\x55\x21\x4a\xc5\x4d\x8d\x4e\xcd\x61\x77\xf1\xc7\x36\x90" 175 "\xce\x2a\x48\x2c\x8b\x05\x99\xcb\xe0\x3f\x02\x1a\x00\x83\xef\xef\xb8\xa9" 176 "\xa4\x0d\x1d\xb6\xed\x98\xad\x84\xed\x13\x35\xdc\xc1\x08\xf3\x22\xd0\x57" 177 "\xcf\x8d"; 178 179 // kOAEPCiphertext2 is a sample encryption of |kPlaintext| with |kKey2| using 180 // RSA OAEP. 181 static const uint8_t kOAEPCiphertext2[] = 182 "\x14\xbd\xdd\x28\xc9\x83\x35\x19\x23\x80\xe8\xe5\x49\xb1\x58\x2a\x8b\x40" 183 "\xb4\x48\x6d\x03\xa6\xa5\x31\x1f\x1f\xd5\xf0\xa1\x80\xe4\x17\x53\x03\x29" 184 "\xa9\x34\x90\x74\xb1\x52\x13\x54\x29\x08\x24\x52\x62\x51"; 185 186 // kKey3 is a DER-encoded RSAPrivateKey. 187 static const uint8_t kKey3[] = 188 "\x30\x82\x02\x5b\x02\x01\x00\x02\x81\x81\x00\xbb\xf8\x2f\x09\x06\x82\xce" 189 "\x9c\x23\x38\xac\x2b\x9d\xa8\x71\xf7\x36\x8d\x07\xee\xd4\x10\x43\xa4\x40" 190 "\xd6\xb6\xf0\x74\x54\xf5\x1f\xb8\xdf\xba\xaf\x03\x5c\x02\xab\x61\xea\x48" 191 "\xce\xeb\x6f\xcd\x48\x76\xed\x52\x0d\x60\xe1\xec\x46\x19\x71\x9d\x8a\x5b" 192 "\x8b\x80\x7f\xaf\xb8\xe0\xa3\xdf\xc7\x37\x72\x3e\xe6\xb4\xb7\xd9\x3a\x25" 193 "\x84\xee\x6a\x64\x9d\x06\x09\x53\x74\x88\x34\xb2\x45\x45\x98\x39\x4e\xe0" 194 "\xaa\xb1\x2d\x7b\x61\xa5\x1f\x52\x7a\x9a\x41\xf6\xc1\x68\x7f\xe2\x53\x72" 195 "\x98\xca\x2a\x8f\x59\x46\xf8\xe5\xfd\x09\x1d\xbd\xcb\x02\x01\x11\x02\x81" 196 "\x81\x00\xa5\xda\xfc\x53\x41\xfa\xf2\x89\xc4\xb9\x88\xdb\x30\xc1\xcd\xf8" 197 "\x3f\x31\x25\x1e\x06\x68\xb4\x27\x84\x81\x38\x01\x57\x96\x41\xb2\x94\x10" 198 "\xb3\xc7\x99\x8d\x6b\xc4\x65\x74\x5e\x5c\x39\x26\x69\xd6\x87\x0d\xa2\xc0" 199 "\x82\xa9\x39\xe3\x7f\xdc\xb8\x2e\xc9\x3e\xda\xc9\x7f\xf3\xad\x59\x50\xac" 200 "\xcf\xbc\x11\x1c\x76\xf1\xa9\x52\x94\x44\xe5\x6a\xaf\x68\xc5\x6c\x09\x2c" 201 "\xd3\x8d\xc3\xbe\xf5\xd2\x0a\x93\x99\x26\xed\x4f\x74\xa1\x3e\xdd\xfb\xe1" 202 "\xa1\xce\xcc\x48\x94\xaf\x94\x28\xc2\xb7\xb8\x88\x3f\xe4\x46\x3a\x4b\xc8" 203 "\x5b\x1c\xb3\xc1\x02\x41\x00\xee\xcf\xae\x81\xb1\xb9\xb3\xc9\x08\x81\x0b" 204 "\x10\xa1\xb5\x60\x01\x99\xeb\x9f\x44\xae\xf4\xfd\xa4\x93\xb8\x1a\x9e\x3d" 205 "\x84\xf6\x32\x12\x4e\xf0\x23\x6e\x5d\x1e\x3b\x7e\x28\xfa\xe7\xaa\x04\x0a" 206 "\x2d\x5b\x25\x21\x76\x45\x9d\x1f\x39\x75\x41\xba\x2a\x58\xfb\x65\x99\x02" 207 "\x41\x00\xc9\x7f\xb1\xf0\x27\xf4\x53\xf6\x34\x12\x33\xea\xaa\xd1\xd9\x35" 208 "\x3f\x6c\x42\xd0\x88\x66\xb1\xd0\x5a\x0f\x20\x35\x02\x8b\x9d\x86\x98\x40" 209 "\xb4\x16\x66\xb4\x2e\x92\xea\x0d\xa3\xb4\x32\x04\xb5\xcf\xce\x33\x52\x52" 210 "\x4d\x04\x16\xa5\xa4\x41\xe7\x00\xaf\x46\x15\x03\x02\x40\x54\x49\x4c\xa6" 211 "\x3e\xba\x03\x37\xe4\xe2\x40\x23\xfc\xd6\x9a\x5a\xeb\x07\xdd\xdc\x01\x83" 212 "\xa4\xd0\xac\x9b\x54\xb0\x51\xf2\xb1\x3e\xd9\x49\x09\x75\xea\xb7\x74\x14" 213 "\xff\x59\xc1\xf7\x69\x2e\x9a\x2e\x20\x2b\x38\xfc\x91\x0a\x47\x41\x74\xad" 214 "\xc9\x3c\x1f\x67\xc9\x81\x02\x40\x47\x1e\x02\x90\xff\x0a\xf0\x75\x03\x51" 215 "\xb7\xf8\x78\x86\x4c\xa9\x61\xad\xbd\x3a\x8a\x7e\x99\x1c\x5c\x05\x56\xa9" 216 "\x4c\x31\x46\xa7\xf9\x80\x3f\x8f\x6f\x8a\xe3\x42\xe9\x31\xfd\x8a\xe4\x7a" 217 "\x22\x0d\x1b\x99\xa4\x95\x84\x98\x07\xfe\x39\xf9\x24\x5a\x98\x36\xda\x3d" 218 "\x02\x41\x00\xb0\x6c\x4f\xda\xbb\x63\x01\x19\x8d\x26\x5b\xdb\xae\x94\x23" 219 "\xb3\x80\xf2\x71\xf7\x34\x53\x88\x50\x93\x07\x7f\xcd\x39\xe2\x11\x9f\xc9" 220 "\x86\x32\x15\x4f\x58\x83\xb1\x67\xa9\x67\xbf\x40\x2b\x4e\x9e\x2e\x0f\x96" 221 "\x56\xe6\x98\xea\x36\x66\xed\xfb\x25\x79\x80\x39\xf7"; 222 223 // kOAEPCiphertext3 is a sample encryption of |kPlaintext| with |kKey3| using 224 // RSA OAEP. 225 static const uint8_t kOAEPCiphertext3[] = 226 "\xb8\x24\x6b\x56\xa6\xed\x58\x81\xae\xb5\x85\xd9\xa2\x5b\x2a\xd7\x90\xc4" 227 "\x17\xe0\x80\x68\x1b\xf1\xac\x2b\xc3\xde\xb6\x9d\x8b\xce\xf0\xc4\x36\x6f" 228 "\xec\x40\x0a\xf0\x52\xa7\x2e\x9b\x0e\xff\xb5\xb3\xf2\xf1\x92\xdb\xea\xca" 229 "\x03\xc1\x27\x40\x05\x71\x13\xbf\x1f\x06\x69\xac\x22\xe9\xf3\xa7\x85\x2e" 230 "\x3c\x15\xd9\x13\xca\xb0\xb8\x86\x3a\x95\xc9\x92\x94\xce\x86\x74\x21\x49" 231 "\x54\x61\x03\x46\xf4\xd4\x74\xb2\x6f\x7c\x48\xb4\x2e\xe6\x8e\x1f\x57\x2a" 232 "\x1f\xc4\x02\x6a\xc4\x56\xb4\xf5\x9f\x7b\x62\x1e\xa1\xb9\xd8\x8f\x64\x20" 233 "\x2f\xb1"; 234 235 static const uint8_t kTwoPrimeKey[] = 236 "\x30\x82\x04\xa1\x02\x01\x00\x02\x82\x01\x01\x00\x93\x3a\x4f\xc9\x6a\x0a" 237 "\x6b\x28\x04\xfa\xb7\x05\x56\xdf\xa0\xaa\x4f\xaa\xab\x94\xa0\xa9\x25\xef" 238 "\xc5\x96\xd2\xd4\x66\x16\x62\x2c\x13\x7b\x91\xd0\x36\x0a\x10\x11\x6d\x7a" 239 "\x91\xb6\xe4\x74\x57\xc1\x3d\x7a\xbe\x24\x05\x3a\x04\x0b\x73\x91\x53\xb1" 240 "\x74\x10\xe1\x87\xdc\x91\x28\x9c\x1e\xe5\xf2\xb9\xfc\xa2\x48\x34\xb6\x78" 241 "\xed\x6d\x95\xfb\xf2\xc0\x4e\x1c\xa4\x15\x00\x3c\x8a\x68\x2b\xd6\xce\xd5" 242 "\xb3\x9f\x66\x02\xa7\x0d\x08\xa3\x23\x9b\xe5\x36\x96\x13\x22\xf9\x69\xa6" 243 "\x87\x88\x9b\x85\x3f\x83\x9c\xab\x1a\x1b\x6d\x8d\x16\xf4\x5e\xbd\xee\x4b" 244 "\x59\x56\xf8\x9d\x58\xcd\xd2\x83\x85\x59\x43\x84\x63\x4f\xe6\x1a\x86\x66" 245 "\x0d\xb5\xa0\x87\x89\xb6\x13\x82\x43\xda\x34\x92\x3b\x68\xc4\x95\x71\x2f" 246 "\x15\xc2\xe0\x43\x67\x3c\x08\x00\x36\x10\xc3\xb4\x46\x4c\x4e\x6e\xf5\x44" 247 "\xa9\x04\x44\x9d\xce\xc7\x05\x79\xee\x11\xcf\xaf\x2c\xd7\x9a\x32\xd3\xa5" 248 "\x30\xd4\x3a\x78\x43\x37\x74\x22\x90\x24\x04\x11\xd7\x95\x08\x52\xa4\x71" 249 "\x41\x68\x94\xb0\xa0\xc3\xec\x4e\xd2\xc4\x30\x71\x98\x64\x9c\xe3\x7c\x76" 250 "\xef\x33\xa3\x2b\xb1\x87\x63\xd2\x5c\x09\xfc\x90\x2d\x92\xf4\x57\x02\x01" 251 "\x03\x02\x82\x01\x00\x62\x26\xdf\xdb\x9c\x06\xf2\x1a\xad\xfc\x7a\x03\x8f" 252 "\x3f\xc0\x71\x8a\x71\xc7\xb8\x6b\x1b\x6e\x9f\xd9\x0f\x37\x38\x44\x0e\xec" 253 "\x1d\x62\x52\x61\x35\x79\x5c\x0a\xb6\x48\xfc\x61\x24\x98\x4d\x8f\xd6\x28" 254 "\xfc\x7e\xc2\xae\x26\xad\x5c\xf7\xb6\x37\xcb\xa2\xb5\xeb\xaf\xe8\x60\xc5" 255 "\xbd\x69\xee\xa1\xd1\x53\x16\xda\xcd\xce\xfb\x48\xf3\xb9\x52\xa1\xd5\x89" 256 "\x68\x6d\x63\x55\x7d\xb1\x9a\xc7\xe4\x89\xe3\xcd\x14\xee\xac\x6f\x5e\x05" 257 "\xc2\x17\xbd\x43\x79\xb9\x62\x17\x50\xf1\x19\xaf\xb0\x67\xae\x2a\x57\xbd" 258 "\xc7\x66\xbc\xf3\xb3\x64\xa1\xe3\x16\x74\x9e\xea\x02\x5c\xab\x94\xd8\x97" 259 "\x02\x42\x0c\x2c\xba\x54\xb9\xaf\xe0\x45\x93\xad\x7f\xb3\x10\x6a\x96\x50" 260 "\x4b\xaf\xcf\xc8\x27\x62\x2d\x83\xe9\x26\xc6\x94\xc1\xef\x5c\x8e\x06\x42" 261 "\x53\xe5\x56\xaf\xc2\x99\x01\xaa\x9a\x71\xbc\xe8\x21\x33\x2a\x2d\xa3\x36" 262 "\xac\x1b\x86\x19\xf8\xcd\x1f\x80\xa4\x26\x98\xb8\x9f\x62\x62\xd5\x1a\x7f" 263 "\xee\xdb\xdf\x81\xd3\x21\xdb\x33\x92\xee\xff\xe2\x2f\x32\x77\x73\x6a\x58" 264 "\xab\x21\xf3\xe3\xe1\xbc\x4f\x12\x72\xa6\xb5\xc2\xfb\x27\x9e\xc8\xca\xab" 265 "\x64\xa0\x87\x07\x9d\xef\xca\x0f\xdb\x02\x81\x81\x00\xe6\xd3\x4d\xc0\xa1" 266 "\x91\x0e\x62\xfd\xb0\xdd\xc6\x30\xb8\x8c\xcb\x14\xc1\x4b\x69\x30\xdd\xcd" 267 "\x86\x67\xcb\x37\x14\xc5\x03\xd2\xb4\x69\xab\x3d\xe5\x16\x81\x0f\xe5\x50" 268 "\xf4\x18\xb1\xec\xbc\x71\xe9\x80\x99\x06\xe4\xa3\xfe\x44\x84\x4a\x2d\x1e" 269 "\x07\x7f\x22\x70\x6d\x4f\xd4\x93\x0b\x8b\x99\xce\x1e\xab\xcd\x4c\xd2\xd3" 270 "\x10\x47\x5c\x09\x9f\x6d\x82\xc0\x08\x75\xe3\x3d\x83\xc2\x19\x50\x29\xec" 271 "\x1f\x84\x29\xcc\xf1\x56\xee\xbd\x54\x5d\xe6\x19\xdf\x0d\x1c\xa4\xbb\x0a" 272 "\xfe\x84\x44\x29\x1d\xf9\x5c\x80\x96\x5b\x24\xb4\xf7\x02\x1b\x02\x81\x81" 273 "\x00\xa3\x48\xf1\x9c\x58\xc2\x5f\x38\xfb\xd8\x12\x39\xf1\x8e\x73\xa1\xcf" 274 "\x78\x12\xe0\xed\x2a\xbb\xef\xac\x23\xb2\xbf\xd6\x0c\xe9\x6e\x1e\xab\xea" 275 "\x3f\x68\x36\xa7\x1f\xe5\xab\xe0\x86\xa5\x76\x32\x98\xdd\x75\xb5\x2b\xbc" 276 "\xcb\x8a\x03\x00\x7c\x2e\xca\xf8\xbc\x19\xe4\xe3\xa3\x31\xbd\x1d\x20\x2b" 277 "\x09\xad\x6f\x4c\xed\x48\xd4\xdf\x87\xf9\xf0\x46\xb9\x86\x4c\x4b\x71\xe7" 278 "\x48\x78\xdc\xed\xc7\x82\x02\x44\xd3\xa6\xb3\x10\x5f\x62\x81\xfc\xb8\xe4" 279 "\x0e\xf4\x1a\xdd\xab\x3f\xbc\x63\x79\x5b\x39\x69\x5e\xea\xa9\x15\xfe\x90" 280 "\xec\xda\x75\x02\x81\x81\x00\x99\xe2\x33\xd5\xc1\x0b\x5e\xec\xa9\x20\x93" 281 "\xd9\x75\xd0\x5d\xdc\xb8\x80\xdc\xf0\xcb\x3e\x89\x04\x45\x32\x24\xb8\x83" 282 "\x57\xe1\xcd\x9b\xc7\x7e\x98\xb9\xab\x5f\xee\x35\xf8\x10\x76\x9d\xd2\xf6" 283 "\x9b\xab\x10\xaf\x43\x17\xfe\xd8\x58\x31\x73\x69\x5a\x54\xc1\xa0\x48\xdf" 284 "\xe3\x0c\xb2\x5d\x11\x34\x14\x72\x88\xdd\xe1\xe2\x0a\xda\x3d\x5b\xbf\x9e" 285 "\x57\x2a\xb0\x4e\x97\x7e\x57\xd6\xbb\x8a\xc6\x9d\x6a\x58\x1b\xdd\xf6\x39" 286 "\xf4\x7e\x38\x3e\x99\x66\x94\xb3\x68\x6d\xd2\x07\x54\x58\x2d\x70\xbe\xa6" 287 "\x3d\xab\x0e\xe7\x6d\xcd\xfa\x01\x67\x02\x81\x80\x6c\xdb\x4b\xbd\x90\x81" 288 "\x94\xd0\xa7\xe5\x61\x7b\xf6\x5e\xf7\xc1\x34\xfa\xb7\x40\x9e\x1c\x7d\x4a" 289 "\x72\xc2\x77\x2a\x8e\xb3\x46\x49\x69\xc7\xf1\x7f\x9a\xcf\x1a\x15\x43\xc7" 290 "\xeb\x04\x6e\x4e\xcc\x65\xe8\xf9\x23\x72\x7d\xdd\x06\xac\xaa\xfd\x74\x87" 291 "\x50\x7d\x66\x98\x97\xc2\x21\x28\xbe\x15\x72\x06\x73\x9f\x88\x9e\x30\x8d" 292 "\xea\x5a\xa6\xa0\x2f\x26\x59\x88\x32\x4b\xef\x85\xa5\xe8\x9e\x85\x01\x56" 293 "\xd8\x8d\x19\xcc\xb5\x94\xec\x56\xa8\x7b\x42\xb4\xa2\xbc\x93\xc7\x7f\xd2" 294 "\xec\xfb\x92\x26\x46\x3f\x47\x1b\x63\xff\x0b\x48\x91\xa3\x02\x81\x80\x2c" 295 "\x4a\xb9\xa4\x46\x7b\xff\x50\x7e\xbf\x60\x47\x3b\x2b\x66\x82\xdc\x0e\x53" 296 "\x65\x71\xe9\xda\x2a\xb8\x32\x93\x42\xb7\xff\xea\x67\x66\xf1\xbc\x87\x28" 297 "\x65\x29\x79\xca\xab\x93\x56\xda\x95\xc1\x26\x44\x3d\x27\xc1\x91\xc6\x9b" 298 "\xd9\xec\x9d\xb7\x49\xe7\x16\xee\x99\x87\x50\x95\x81\xd4\x5c\x5b\x5a\x5d" 299 "\x0a\x43\xa5\xa7\x8f\x5a\x80\x49\xa0\xb7\x10\x85\xc7\xf4\x42\x34\x86\xb6" 300 "\x5f\x3f\x88\x9e\xc7\xf5\x59\x29\x39\x68\x48\xf2\xd7\x08\x5b\x92\x8e\x6b" 301 "\xea\xa5\x63\x5f\xc0\xfb\xe4\xe1\xb2\x7d\xb7\x40\xe9\x55\x06\xbf\x58\x25" 302 "\x6f"; 303 304 static const uint8_t kTwoPrimeEncryptedMessage[] = { 305 0x63, 0x0a, 0x30, 0x45, 0x43, 0x11, 0x45, 0xb7, 0x99, 0x67, 0x90, 0x35, 306 0x37, 0x27, 0xff, 0xbc, 0xe0, 0xbf, 0xa6, 0xd1, 0x47, 0x50, 0xbb, 0x6c, 307 0x1c, 0xaa, 0x66, 0xf2, 0xff, 0x9d, 0x9a, 0xa6, 0xb4, 0x16, 0x63, 0xb0, 308 0xa1, 0x7c, 0x7c, 0x0c, 0xef, 0xb3, 0x66, 0x52, 0x42, 0xd7, 0x5e, 0xf3, 309 0xa4, 0x15, 0x33, 0x40, 0x43, 0xe8, 0xb1, 0xfc, 0xe0, 0x42, 0x83, 0x46, 310 0x28, 0xce, 0xde, 0x7b, 0x01, 0xeb, 0x28, 0x92, 0x70, 0xdf, 0x8d, 0x54, 311 0x9e, 0xed, 0x23, 0xb4, 0x78, 0xc3, 0xca, 0x85, 0x53, 0x48, 0xd6, 0x8a, 312 0x87, 0xf7, 0x69, 0xcd, 0x82, 0x8c, 0x4f, 0x5c, 0x05, 0x55, 0xa6, 0x78, 313 0x89, 0xab, 0x4c, 0xd8, 0xa9, 0xd6, 0xa5, 0xf4, 0x29, 0x4c, 0x23, 0xc8, 314 0xcf, 0xf0, 0x4c, 0x64, 0x6b, 0x4e, 0x02, 0x17, 0x69, 0xd6, 0x47, 0x83, 315 0x30, 0x43, 0x02, 0x29, 0xda, 0xda, 0x75, 0x3b, 0xd7, 0xa7, 0x2b, 0x31, 316 0xb3, 0xe9, 0x71, 0xa4, 0x41, 0xf7, 0x26, 0x9b, 0xcd, 0x23, 0xfa, 0x45, 317 0x3c, 0x9b, 0x7d, 0x28, 0xf7, 0xf9, 0x67, 0x04, 0xba, 0xfc, 0x46, 0x75, 318 0x11, 0x3c, 0xd5, 0x27, 0x43, 0x53, 0xb1, 0xb6, 0x9e, 0x18, 0xeb, 0x11, 319 0xb4, 0x25, 0x20, 0x30, 0x0b, 0xe0, 0x1c, 0x17, 0x36, 0x22, 0x10, 0x0f, 320 0x99, 0xb5, 0x50, 0x14, 0x73, 0x07, 0xf0, 0x2f, 0x5d, 0x4c, 0xe3, 0xf2, 321 0x86, 0xc2, 0x05, 0xc8, 0x38, 0xed, 0xeb, 0x2a, 0x4a, 0xab, 0x76, 0xe3, 322 0x1a, 0x75, 0x44, 0xf7, 0x6e, 0x94, 0xdc, 0x25, 0x62, 0x7e, 0x31, 0xca, 323 0xc2, 0x73, 0x51, 0xb5, 0x03, 0xfb, 0xf9, 0xf6, 0xb5, 0x8d, 0x4e, 0x6c, 324 0x21, 0x0e, 0xf9, 0x97, 0x26, 0x57, 0xf3, 0x52, 0x72, 0x07, 0xf8, 0xb4, 325 0xcd, 0xb4, 0x39, 0xcf, 0xbf, 0x78, 0xcc, 0xb6, 0x87, 0xf9, 0xb7, 0x8b, 326 0x6a, 0xce, 0x9f, 0xc8, 327 }; 328 329 // kEstonianRSAKey is an RSAPublicKey encoded with a negative modulus. See 330 // https://crbug.com/532048. 331 static const uint8_t kEstonianRSAKey[] = { 332 0x30, 0x82, 0x01, 0x09, 0x02, 0x82, 0x01, 0x00, 0x96, 0xa6, 0x2e, 0x9c, 333 0x4e, 0x6a, 0xc3, 0xcc, 0xcd, 0x8f, 0x70, 0xc3, 0x55, 0xbf, 0x5e, 0x9c, 334 0xd4, 0xf3, 0x17, 0xc3, 0x97, 0x70, 0xae, 0xdf, 0x12, 0x5c, 0x15, 0x80, 335 0x03, 0xef, 0x2b, 0x18, 0x9d, 0x6a, 0xcb, 0x52, 0x22, 0xc1, 0x81, 0xb8, 336 0x7e, 0x61, 0xe8, 0x0f, 0x79, 0x24, 0x0f, 0x82, 0x70, 0x24, 0x4e, 0x29, 337 0x20, 0x05, 0x54, 0xeb, 0xd4, 0xa9, 0x65, 0x59, 0xb6, 0x3c, 0x75, 0x95, 338 0x2f, 0x4c, 0xf6, 0x9d, 0xd1, 0xaf, 0x5f, 0x14, 0x14, 0xe7, 0x25, 0xea, 339 0xa5, 0x47, 0x5d, 0xc6, 0x3e, 0x28, 0x8d, 0xdc, 0x54, 0x87, 0x2a, 0x7c, 340 0x10, 0xe9, 0xc6, 0x76, 0x2d, 0xe7, 0x79, 0xd8, 0x0e, 0xbb, 0xa9, 0xac, 341 0xb5, 0x18, 0x98, 0xd6, 0x47, 0x6e, 0x06, 0x70, 0xbf, 0x9e, 0x82, 0x25, 342 0x95, 0x4e, 0xfd, 0x70, 0xd7, 0x73, 0x45, 0x2e, 0xc1, 0x1f, 0x7a, 0x9a, 343 0x9d, 0x60, 0xc0, 0x1f, 0x67, 0x06, 0x2a, 0x4e, 0x87, 0x3f, 0x19, 0x88, 344 0x69, 0x64, 0x4d, 0x9f, 0x75, 0xf5, 0xd3, 0x1a, 0x41, 0x3d, 0x35, 0x17, 345 0xb6, 0xd1, 0x44, 0x0d, 0x25, 0x8b, 0xe7, 0x94, 0x39, 0xb0, 0x7c, 0xaf, 346 0x3e, 0x6a, 0xfa, 0x8d, 0x90, 0x21, 0x0f, 0x8a, 0x43, 0x94, 0x37, 0x7c, 347 0x2a, 0x15, 0x4c, 0xa0, 0xfa, 0xa9, 0x2f, 0x21, 0xa6, 0x6f, 0x8e, 0x2f, 348 0x89, 0xbc, 0xbb, 0x33, 0xf8, 0x31, 0xfc, 0xdf, 0xcd, 0x68, 0x9a, 0xbc, 349 0x75, 0x06, 0x95, 0xf1, 0x3d, 0xef, 0xca, 0x76, 0x27, 0xd2, 0xba, 0x8e, 350 0x0e, 0x1c, 0x43, 0xd7, 0x70, 0xb9, 0xc6, 0x15, 0xca, 0xd5, 0x4d, 0x87, 351 0xb9, 0xd1, 0xae, 0xde, 0x69, 0x73, 0x00, 0x2a, 0x97, 0x51, 0x4b, 0x30, 352 0x01, 0xc2, 0x85, 0xd0, 0x05, 0xcc, 0x2e, 0xe8, 0xc7, 0x42, 0xe7, 0x94, 353 0x51, 0xe3, 0xf5, 0x19, 0x35, 0xdc, 0x57, 0x96, 0xe7, 0xd9, 0xb4, 0x49, 354 0x02, 0x03, 0x01, 0x00, 0x01, 355 }; 356 357 // kExponent1RSAKey is an RSAPublicKey encoded with an exponent of 1. See 358 // https://crbug.com/541257 359 static const uint8_t kExponent1RSAKey[] = { 360 0x30, 0x82, 0x01, 0x08, 0x02, 0x82, 0x01, 0x01, 0x00, 0xcf, 0x86, 0x9a, 361 0x7d, 0x5c, 0x9f, 0xbd, 0x33, 0xbb, 0xc2, 0xb1, 0x06, 0xa8, 0x3e, 0xc5, 362 0x18, 0xf3, 0x01, 0x04, 0xdd, 0x7a, 0x38, 0x0e, 0x8e, 0x8d, 0x10, 0xaa, 363 0xf8, 0x64, 0x49, 0x82, 0xa6, 0x16, 0x9d, 0xd9, 0xae, 0x5e, 0x7f, 0x9b, 364 0x53, 0xcb, 0xbb, 0x29, 0xda, 0x98, 0x47, 0x26, 0x88, 0x2e, 0x1d, 0x64, 365 0xb3, 0xbc, 0x7e, 0x96, 0x3a, 0xa7, 0xd6, 0x87, 0xf6, 0xf5, 0x3f, 0xa7, 366 0x3b, 0xd3, 0xc5, 0xd5, 0x61, 0x3c, 0x63, 0x05, 0xf9, 0xbc, 0x64, 0x1d, 367 0x71, 0x65, 0xf5, 0xc8, 0xe8, 0x64, 0x41, 0x35, 0x88, 0x81, 0x6b, 0x2a, 368 0x24, 0xbb, 0xdd, 0x9f, 0x75, 0x4f, 0xea, 0x35, 0xe5, 0x32, 0x76, 0x5a, 369 0x8b, 0x7a, 0xb5, 0x92, 0x65, 0x34, 0xb7, 0x88, 0x42, 0x5d, 0x41, 0x0b, 370 0xd1, 0x00, 0x2d, 0x43, 0x47, 0x55, 0x60, 0x3c, 0x0e, 0x60, 0x04, 0x5c, 371 0x88, 0x13, 0xc7, 0x42, 0x55, 0x16, 0x31, 0x32, 0x81, 0xba, 0xde, 0xa9, 372 0x56, 0xeb, 0xdb, 0x66, 0x7f, 0x31, 0xba, 0xe8, 0x87, 0x1a, 0xcc, 0xad, 373 0x90, 0x86, 0x4b, 0xa7, 0x6d, 0xd5, 0xc1, 0xb7, 0xe7, 0x67, 0x56, 0x41, 374 0xf7, 0x03, 0xb3, 0x09, 0x61, 0x63, 0xb5, 0xb0, 0x19, 0x7b, 0xc5, 0x91, 375 0xc8, 0x96, 0x5b, 0x6a, 0x80, 0xa1, 0x53, 0x0f, 0x9a, 0x47, 0xb5, 0x9a, 376 0x44, 0x53, 0xbd, 0x93, 0xe3, 0xe4, 0xce, 0x0c, 0x17, 0x11, 0x51, 0x1d, 377 0xfd, 0x6c, 0x74, 0xe4, 0xec, 0x2a, 0xce, 0x57, 0x27, 0xcc, 0x83, 0x98, 378 0x08, 0x32, 0x2c, 0xd5, 0x75, 0xa9, 0x27, 0xfe, 0xaa, 0x5e, 0x48, 0xc9, 379 0x46, 0x9a, 0x29, 0x3f, 0xe6, 0x01, 0x4d, 0x97, 0x4a, 0x70, 0xd1, 0x5d, 380 0xf8, 0xc0, 0x0b, 0x23, 0xcb, 0xbe, 0xf5, 0x70, 0x0b, 0xc2, 0xf2, 0xc0, 381 0x33, 0x9c, 0xc4, 0x8b, 0x39, 0x7e, 0x3d, 0xc6, 0x23, 0x39, 0x9a, 0x98, 382 0xdd, 0x02, 0x01, 0x01, 383 }; 384 385 struct RSAEncryptParam { 386 const uint8_t *der; 387 size_t der_len; 388 const uint8_t *oaep_ciphertext; 389 size_t oaep_ciphertext_len; 390 } kRSAEncryptParams[] = { 391 {kKey1, sizeof(kKey1) - 1, kOAEPCiphertext1, sizeof(kOAEPCiphertext1) - 1}, 392 {kKey2, sizeof(kKey2) - 1, kOAEPCiphertext2, sizeof(kOAEPCiphertext2) - 1}, 393 {kKey3, sizeof(kKey3) - 1, kOAEPCiphertext3, sizeof(kOAEPCiphertext3) - 1}, 394 }; 395 396 class RSAEncryptTest : public testing::TestWithParam<RSAEncryptParam> {}; 397 398 TEST_P(RSAEncryptTest, TestKey) { 399 const auto ¶m = GetParam(); 400 bssl::UniquePtr<RSA> key( 401 RSA_private_key_from_bytes(param.der, param.der_len)); 402 ASSERT_TRUE(key); 403 404 EXPECT_TRUE(RSA_check_key(key.get())); 405 406 uint8_t ciphertext[256]; 407 408 // Test that PKCS#1 v1.5 encryption round-trips. 409 size_t ciphertext_len = 0; 410 ASSERT_TRUE(RSA_encrypt(key.get(), &ciphertext_len, ciphertext, 411 sizeof(ciphertext), kPlaintext, kPlaintextLen, 412 RSA_PKCS1_PADDING)); 413 EXPECT_EQ(RSA_size(key.get()), ciphertext_len); 414 415 uint8_t plaintext[256]; 416 size_t plaintext_len = 0; 417 ASSERT_TRUE(RSA_decrypt(key.get(), &plaintext_len, plaintext, 418 sizeof(plaintext), ciphertext, ciphertext_len, 419 RSA_PKCS1_PADDING)); 420 EXPECT_EQ(Bytes(kPlaintext, kPlaintextLen), Bytes(plaintext, plaintext_len)); 421 422 // Test that OAEP encryption round-trips. 423 ciphertext_len = 0; 424 ASSERT_TRUE(RSA_encrypt(key.get(), &ciphertext_len, ciphertext, 425 sizeof(ciphertext), kPlaintext, kPlaintextLen, 426 RSA_PKCS1_OAEP_PADDING)); 427 EXPECT_EQ(RSA_size(key.get()), ciphertext_len); 428 429 plaintext_len = 0; 430 ASSERT_TRUE(RSA_decrypt(key.get(), &plaintext_len, plaintext, 431 sizeof(plaintext), ciphertext, ciphertext_len, 432 RSA_PKCS1_OAEP_PADDING)); 433 EXPECT_EQ(Bytes(kPlaintext, kPlaintextLen), Bytes(plaintext, plaintext_len)); 434 435 // |oaep_ciphertext| should decrypt to |kPlaintext|. 436 plaintext_len = 0; 437 ASSERT_TRUE(RSA_decrypt(key.get(), &plaintext_len, plaintext, 438 sizeof(plaintext), param.oaep_ciphertext, 439 param.oaep_ciphertext_len, RSA_PKCS1_OAEP_PADDING)); 440 EXPECT_EQ(Bytes(kPlaintext, kPlaintextLen), Bytes(plaintext, plaintext_len)); 441 442 // Try decrypting corrupted ciphertexts. 443 OPENSSL_memcpy(ciphertext, param.oaep_ciphertext, param.oaep_ciphertext_len); 444 for (size_t i = 0; i < param.oaep_ciphertext_len; i++) { 445 SCOPED_TRACE(i); 446 ciphertext[i] ^= 1; 447 EXPECT_FALSE(RSA_decrypt( 448 key.get(), &plaintext_len, plaintext, sizeof(plaintext), ciphertext, 449 param.oaep_ciphertext_len, RSA_PKCS1_OAEP_PADDING)); 450 ERR_clear_error(); 451 ciphertext[i] ^= 1; 452 } 453 454 // Test truncated ciphertexts. 455 for (size_t len = 0; len < param.oaep_ciphertext_len; len++) { 456 SCOPED_TRACE(len); 457 EXPECT_FALSE(RSA_decrypt(key.get(), &plaintext_len, plaintext, 458 sizeof(plaintext), ciphertext, len, 459 RSA_PKCS1_OAEP_PADDING)); 460 ERR_clear_error(); 461 } 462 } 463 464 INSTANTIATE_TEST_CASE_P(, RSAEncryptTest, testing::ValuesIn(kRSAEncryptParams)); 465 466 TEST(RSATest, TestDecrypt) { 467 bssl::UniquePtr<RSA> rsa( 468 RSA_private_key_from_bytes(kTwoPrimeKey, sizeof(kTwoPrimeKey) - 1)); 469 ASSERT_TRUE(rsa); 470 471 EXPECT_TRUE(RSA_check_key(rsa.get())); 472 473 uint8_t out[256]; 474 size_t out_len; 475 ASSERT_TRUE(RSA_decrypt( 476 rsa.get(), &out_len, out, sizeof(out), kTwoPrimeEncryptedMessage, 477 sizeof(kTwoPrimeEncryptedMessage), RSA_PKCS1_PADDING)); 478 EXPECT_EQ(Bytes("hello world"), Bytes(out, out_len)); 479 } 480 481 TEST(RSATest, CheckFIPS) { 482 bssl::UniquePtr<RSA> rsa( 483 RSA_private_key_from_bytes(kFIPSKey, sizeof(kFIPSKey) - 1)); 484 ASSERT_TRUE(rsa); 485 EXPECT_TRUE(RSA_check_fips(rsa.get())); 486 487 // Check that RSA_check_fips works on a public key. 488 bssl::UniquePtr<RSA> pub( 489 RSA_public_key_from_bytes(kFIPSPublicKey, sizeof(kFIPSPublicKey) - 1)); 490 ASSERT_TRUE(pub); 491 EXPECT_TRUE(RSA_check_fips(pub.get())); 492 } 493 494 TEST(RSATest, GenerateFIPS) { 495 bssl::UniquePtr<RSA> rsa(RSA_new()); 496 ASSERT_TRUE(rsa); 497 498 // RSA_generate_key_fips may only be used for 2048-bit and 3072-bit keys. 499 EXPECT_FALSE(RSA_generate_key_fips(rsa.get(), 512, nullptr)); 500 EXPECT_FALSE(RSA_generate_key_fips(rsa.get(), 1024, nullptr)); 501 EXPECT_FALSE(RSA_generate_key_fips(rsa.get(), 2047, nullptr)); 502 EXPECT_FALSE(RSA_generate_key_fips(rsa.get(), 2049, nullptr)); 503 EXPECT_FALSE(RSA_generate_key_fips(rsa.get(), 3071, nullptr)); 504 EXPECT_FALSE(RSA_generate_key_fips(rsa.get(), 3073, nullptr)); 505 EXPECT_FALSE(RSA_generate_key_fips(rsa.get(), 4096, nullptr)); 506 ERR_clear_error(); 507 508 // Test that we can generate 2048-bit and 3072-bit RSA keys. 509 ASSERT_TRUE(RSA_generate_key_fips(rsa.get(), 2048, nullptr)); 510 EXPECT_EQ(2048u, BN_num_bits(rsa->n)); 511 512 rsa.reset(RSA_new()); 513 ASSERT_TRUE(rsa); 514 ASSERT_TRUE(RSA_generate_key_fips(rsa.get(), 3072, nullptr)); 515 EXPECT_EQ(3072u, BN_num_bits(rsa->n)); 516 } 517 518 TEST(RSATest, BadKey) { 519 bssl::UniquePtr<RSA> key(RSA_new()); 520 bssl::UniquePtr<BIGNUM> e(BN_new()); 521 ASSERT_TRUE(key); 522 ASSERT_TRUE(e); 523 ASSERT_TRUE(BN_set_word(e.get(), RSA_F4)); 524 525 // Generate a bad key. 526 ASSERT_TRUE(RSA_generate_key_ex(key.get(), 512, e.get(), nullptr)); 527 ASSERT_TRUE(BN_add(key->p, key->p, BN_value_one())); 528 529 // Bad keys are detected. 530 EXPECT_FALSE(RSA_check_key(key.get())); 531 EXPECT_FALSE(RSA_check_fips(key.get())); 532 533 // Bad keys may not be parsed. 534 uint8_t *der; 535 size_t der_len; 536 ASSERT_TRUE(RSA_private_key_to_bytes(&der, &der_len, key.get())); 537 bssl::UniquePtr<uint8_t> delete_der(der); 538 key.reset(RSA_private_key_from_bytes(der, der_len)); 539 EXPECT_FALSE(key); 540 } 541 542 TEST(RSATest, OnlyDGiven) { 543 static const char kN[] = 544 "00e77bbf3889d4ef36a9a25d4d69f3f632eb4362214c74517da6d6aeaa9bd09ac42b2662" 545 "1cd88f3a6eb013772fc3bf9f83914b6467231c630202c35b3e5808c659"; 546 static const char kE[] = "010001"; 547 static const char kD[] = 548 "0365db9eb6d73b53b015c40cd8db4de7dd7035c68b5ac1bf786d7a4ee2cea316eaeca21a" 549 "73ac365e58713195f2ae9849348525ca855386b6d028e437a9495a01"; 550 551 bssl::UniquePtr<RSA> key(RSA_new()); 552 ASSERT_TRUE(key); 553 ASSERT_TRUE(BN_hex2bn(&key->n, kN)); 554 ASSERT_TRUE(BN_hex2bn(&key->e, kE)); 555 ASSERT_TRUE(BN_hex2bn(&key->d, kD)); 556 557 // Keys with only n, e, and d are functional. 558 EXPECT_TRUE(RSA_check_key(key.get())); 559 560 const uint8_t kDummyHash[32] = {0}; 561 uint8_t buf[64]; 562 unsigned buf_len = sizeof(buf); 563 ASSERT_LE(RSA_size(key.get()), sizeof(buf)); 564 EXPECT_TRUE(RSA_sign(NID_sha256, kDummyHash, sizeof(kDummyHash), buf, 565 &buf_len, key.get())); 566 EXPECT_TRUE(RSA_verify(NID_sha256, kDummyHash, sizeof(kDummyHash), buf, 567 buf_len, key.get())); 568 569 // Keys without the public exponent must continue to work when blinding is 570 // disabled to support Java's RSAPrivateKeySpec API. See 571 // https://bugs.chromium.org/p/boringssl/issues/detail?id=12. 572 bssl::UniquePtr<RSA> key2(RSA_new()); 573 ASSERT_TRUE(key2); 574 ASSERT_TRUE(BN_hex2bn(&key2->n, kN)); 575 ASSERT_TRUE(BN_hex2bn(&key2->d, kD)); 576 key2->flags |= RSA_FLAG_NO_BLINDING; 577 578 ASSERT_LE(RSA_size(key2.get()), sizeof(buf)); 579 EXPECT_TRUE(RSA_sign(NID_sha256, kDummyHash, sizeof(kDummyHash), buf, 580 &buf_len, key2.get())); 581 582 // Verify the signature with |key|. |key2| has no public exponent. 583 EXPECT_TRUE(RSA_verify(NID_sha256, kDummyHash, sizeof(kDummyHash), buf, 584 buf_len, key.get())); 585 } 586 587 TEST(RSATest, ASN1) { 588 // Test that private keys may be decoded. 589 bssl::UniquePtr<RSA> rsa( 590 RSA_private_key_from_bytes(kKey1, sizeof(kKey1) - 1)); 591 ASSERT_TRUE(rsa); 592 593 // Test that the serialization round-trips. 594 uint8_t *der; 595 size_t der_len; 596 ASSERT_TRUE(RSA_private_key_to_bytes(&der, &der_len, rsa.get())); 597 bssl::UniquePtr<uint8_t> delete_der(der); 598 EXPECT_EQ(Bytes(kKey1, sizeof(kKey1) - 1), Bytes(der, der_len)); 599 600 // Test that serializing public keys works. 601 ASSERT_TRUE(RSA_public_key_to_bytes(&der, &der_len, rsa.get())); 602 delete_der.reset(der); 603 604 // Public keys may be parsed back out. 605 rsa.reset(RSA_public_key_from_bytes(der, der_len)); 606 ASSERT_TRUE(rsa); 607 EXPECT_FALSE(rsa->p); 608 EXPECT_FALSE(rsa->q); 609 610 // Serializing the result round-trips. 611 uint8_t *der2; 612 size_t der2_len; 613 ASSERT_TRUE(RSA_public_key_to_bytes(&der2, &der2_len, rsa.get())); 614 bssl::UniquePtr<uint8_t> delete_der2(der2); 615 EXPECT_EQ(Bytes(der, der_len), Bytes(der2, der2_len)); 616 617 // Public keys cannot be serialized as private keys. 618 int ok = RSA_private_key_to_bytes(&der, &der_len, rsa.get()); 619 if (ok) { 620 OPENSSL_free(der); 621 } 622 EXPECT_FALSE(ok); 623 ERR_clear_error(); 624 625 // Public keys with negative moduli are invalid. 626 rsa.reset(RSA_public_key_from_bytes(kEstonianRSAKey, 627 sizeof(kEstonianRSAKey))); 628 EXPECT_FALSE(rsa); 629 ERR_clear_error(); 630 } 631 632 TEST(RSATest, BadExponent) { 633 bssl::UniquePtr<RSA> rsa( 634 RSA_public_key_from_bytes(kExponent1RSAKey, sizeof(kExponent1RSAKey))); 635 EXPECT_FALSE(rsa); 636 ERR_clear_error(); 637 } 638 639 // Attempting to generate an excessively small key should fail. 640 TEST(RSATest, GenerateSmallKey) { 641 bssl::UniquePtr<RSA> rsa(RSA_new()); 642 ASSERT_TRUE(rsa); 643 bssl::UniquePtr<BIGNUM> e(BN_new()); 644 ASSERT_TRUE(e); 645 ASSERT_TRUE(BN_set_word(e.get(), RSA_F4)); 646 647 EXPECT_FALSE(RSA_generate_key_ex(rsa.get(), 255, e.get(), nullptr)); 648 uint32_t err = ERR_get_error(); 649 EXPECT_EQ(ERR_LIB_RSA, ERR_GET_LIB(err)); 650 EXPECT_EQ(RSA_R_KEY_SIZE_TOO_SMALL, ERR_GET_REASON(err)); 651 } 652 653 // Attempting to generate an funny RSA key length should round down. 654 TEST(RSATest, RoundKeyLengths) { 655 bssl::UniquePtr<BIGNUM> e(BN_new()); 656 ASSERT_TRUE(e); 657 ASSERT_TRUE(BN_set_word(e.get(), RSA_F4)); 658 659 bssl::UniquePtr<RSA> rsa(RSA_new()); 660 ASSERT_TRUE(rsa); 661 ASSERT_TRUE(RSA_generate_key_ex(rsa.get(), 1025, e.get(), nullptr)); 662 EXPECT_EQ(1024u, BN_num_bits(rsa->n)); 663 664 rsa.reset(RSA_new()); 665 ASSERT_TRUE(rsa); 666 ASSERT_TRUE(RSA_generate_key_ex(rsa.get(), 1027, e.get(), nullptr)); 667 EXPECT_EQ(1024u, BN_num_bits(rsa->n)); 668 669 rsa.reset(RSA_new()); 670 ASSERT_TRUE(rsa); 671 ASSERT_TRUE(RSA_generate_key_ex(rsa.get(), 1151, e.get(), nullptr)); 672 EXPECT_EQ(1024u, BN_num_bits(rsa->n)); 673 674 rsa.reset(RSA_new()); 675 ASSERT_TRUE(rsa); 676 ASSERT_TRUE(RSA_generate_key_ex(rsa.get(), 1152, e.get(), nullptr)); 677 EXPECT_EQ(1152u, BN_num_bits(rsa->n)); 678 } 679 680 TEST(RSATest, BlindingDisabled) { 681 bssl::UniquePtr<RSA> rsa( 682 RSA_private_key_from_bytes(kTwoPrimeKey, sizeof(kTwoPrimeKey) - 1)); 683 ASSERT_TRUE(rsa); 684 685 rsa->flags |= RSA_FLAG_NO_BLINDING; 686 687 uint8_t sig[256]; 688 ASSERT_GE(sizeof(sig), RSA_size(rsa.get())); 689 690 static const uint8_t kZeros[32] = {0}; 691 unsigned sig_len; 692 ASSERT_TRUE( 693 RSA_sign(NID_sha256, kZeros, sizeof(kZeros), sig, &sig_len, rsa.get())); 694 EXPECT_TRUE( 695 RSA_verify(NID_sha256, kZeros, sizeof(kZeros), sig, sig_len, rsa.get())); 696 } 697 698 // Test that decrypting with a public key fails gracefully rather than crashing. 699 TEST(RSATest, DecryptPublic) { 700 bssl::UniquePtr<RSA> pub( 701 RSA_public_key_from_bytes(kFIPSPublicKey, sizeof(kFIPSPublicKey) - 1)); 702 ASSERT_TRUE(pub); 703 ASSERT_EQ(1024u / 8u, RSA_size(pub.get())); 704 705 size_t len; 706 uint8_t in[1024 / 8] = {0}, out[1024 / 8]; 707 EXPECT_FALSE(RSA_decrypt(pub.get(), &len, out, sizeof(out), in, sizeof(in), 708 RSA_PKCS1_PADDING)); 709 uint32_t err = ERR_get_error(); 710 EXPECT_EQ(ERR_LIB_RSA, ERR_GET_LIB(err)); 711 EXPECT_EQ(RSA_R_VALUE_MISSING, ERR_GET_REASON(err)); 712 } 713 714 TEST(RSATest, CheckKey) { 715 static const char kN[] = 716 "b5a5651bc2e15ce31d789f0984053a2ea0cf8f964a78068c45acfdf078c57fd62d5a287c" 717 "32f3baa879f5dfea27d7a3077c9d3a2a728368c3d90164690c3d82f660ffebc7f13fed45" 718 "4eb5103df943c10dc32ec60b0d9b6e307bfd7f9b943e0dc3901e42501765365f7286eff2" 719 "f1f728774aa6a371e108a3a7dd00d7bcd4c1a186c2865d4b370ea38cc89c0b23b318dbca" 720 "fbd872b4f9b833dfb2a4ca7fcc23298020044e8130bfe930adfb3e5cab8d324547adf4b2" 721 "ce34d7cea4298f0b613d85f2bf1df03da44aee0784a1a20a15ee0c38a0f8e84962f1f61b" 722 "18bd43781c7385f3c2b8e2aebd3c560b4faad208ad3938bad27ddda9ed9e933dba088021" 723 "2dd9e28d"; 724 static const char kE[] = "10001"; 725 static const char kD[] = 726 "fb9c6afd9568ce5ddac8e6a32bb881eb6cdd962bbc639dce5805548bf0fec2214f18ffd3" 727 "6a50aa520cfe4477f9507d87355a24e3ff537f9f29ccffe5730b11896ebb9142982ed0df" 728 "9c32ba98dddab863f3e5aa764d16ebff4500d3ee11de12fabd7aeca83c7ffa5d242b3ddc" 729 "ecc64bcb5220996e79249a6d3f78975dfde769710569812dee59c0f56e4650d02a939d9c" 730 "853e2cba9b0c2447a8757951ae9a0336dfa64c3d5476df9b20f200cfb52e3fbd2d4e3f34" 731 "200b1171cbac367096f23366e74592025875efb6a7e3b1dd365abb0d86f34ee65ddbfa93" 732 "90460da0d346833d6aa6277c0216b20073ba2f18471549c309e82d12e10714d0e0dbf146" 733 "6fcd1f1"; 734 static const char kP[] = 735 "edbe476fe8989f3966e72a20348ec6d8e924f44e1d9fa2c3485ea8a2ffd39f68574a5cef" 736 "ffbb92d6764789ac0f67149127239c2027fbc55b5268a1dac6588de44e614f3bdce00f0a" 737 "56d138800ad772d159a583c6548e37cadbfcf1b4ebfd50d01508986a516f36ed827b94ef" 738 "1f9b4e233bf5762b3a903d2dfbbbce1fba30e9f1"; 739 static const char kQ[] = 740 "c398518790a166dbe50498f04940d14c87ded09313fb0f69f69255c688142802ba3d4f9e" 741 "f9425dadc462170635593c06a332cfc5fc9e6e1c05281950a5ce3bad4fd7cc83a38bd4ad" 742 "6865594275af424f47c64c04af1caab2e261e95b975097c887d587dc8150df34cbeccd7d" 743 "0688c392d9f1c617810043c9b93b884bf6ed465d"; 744 static const char kDMP1[] = 745 "b44db5d1fa7e1d6ba44e36d59be6988a132f7294f7c484e543b27e84b82e9fdbbb2feb92" 746 "1cc9fe0fe63e54fc07e66e63b3623f5ae7d7fb124a4a8e4de4556eaf327e7c5ff3207e67" 747 "a1f624ba7efe6cd6b6fd5f160034a7bd92df9fd44d919d436260556f74793b181ff867b8" 748 "7ea9033697978e5a349d05b9250c86c3eb2a8391"; 749 static const char kDMQ1[] = 750 "7c06d9240265264927a6cba80a7b4c7c9fe77d10d669abb38083f85a24adcb55376d6b50" 751 "9e34241cecdb5a483889f6132b672bf31aa607a242eed3669d4cf1f08b2186f0ae431bc0" 752 "3de38e3f234ad7dc57e1f9103b4e0d3bd36b4cc324671968322207bd9e4e7ecb06c888e0" 753 "cfc4e766f646665b3f14c0e7684ac4b98ec1948d"; 754 static const char kIQMP[] = 755 "2887a5cb0c1bf6710e91c25da141dad92134a927431471c2d4a8b78036026d21182990e1" 756 "2c1d70635f07ee551383899365a69b33d4db23e5ff7371ff4244d2c3290ce2b91ac11adc" 757 "a54bb61ea5e64b9423102933ea100c12dad809fbf9589515e9d28e867f6b95c2d307f792" 758 "cac28c6d7d23f441cb5b62798233db29b5cc0348"; 759 760 bssl::UniquePtr<RSA> rsa(RSA_new()); 761 ASSERT_TRUE(rsa); 762 763 // Missing n or e does not pass. 764 ASSERT_TRUE(BN_hex2bn(&rsa->n, kN)); 765 EXPECT_FALSE(RSA_check_key(rsa.get())); 766 ERR_clear_error(); 767 768 BN_free(rsa->n); 769 rsa->n = nullptr; 770 ASSERT_TRUE(BN_hex2bn(&rsa->e, kE)); 771 EXPECT_FALSE(RSA_check_key(rsa.get())); 772 ERR_clear_error(); 773 774 // Public keys pass. 775 ASSERT_TRUE(BN_hex2bn(&rsa->n, kN)); 776 EXPECT_TRUE(RSA_check_key(rsa.get())); 777 778 // Configuring d also passes. 779 ASSERT_TRUE(BN_hex2bn(&rsa->d, kD)); 780 EXPECT_TRUE(RSA_check_key(rsa.get())); 781 782 // p and q must be provided together. 783 ASSERT_TRUE(BN_hex2bn(&rsa->p, kP)); 784 EXPECT_FALSE(RSA_check_key(rsa.get())); 785 ERR_clear_error(); 786 787 BN_free(rsa->p); 788 rsa->p = nullptr; 789 ASSERT_TRUE(BN_hex2bn(&rsa->q, kQ)); 790 EXPECT_FALSE(RSA_check_key(rsa.get())); 791 ERR_clear_error(); 792 793 // Supplying p and q without CRT parameters passes. 794 ASSERT_TRUE(BN_hex2bn(&rsa->p, kP)); 795 EXPECT_TRUE(RSA_check_key(rsa.get())); 796 797 // With p and q together, it is sufficient to check d against e. 798 ASSERT_TRUE(BN_add_word(rsa->d, 1)); 799 EXPECT_FALSE(RSA_check_key(rsa.get())); 800 ERR_clear_error(); 801 802 // Test another invalid d. p-1 is divisible by 3, so there is no valid value 803 // of d here if e = 111. Set d to what extended GCD would have given if it 804 // forgot to check the inverse existed. 805 static const char kDBogus[] = 806 "140be923edb928cf4340a08ada19f23da680ff20275a81e033825ee8605afc3bf6039b87" 807 "f0ddc7ea3b95f214a6fdda1064d0c66b50ac7bfe8cfe6c85d3cd217ae6f5094cd72a39e5" 808 "a17a9ce43eae1ba5d7d8c3fb743d8cbcb3bcd74edd0b75fcca23a0b00bcea119864c0243" 809 "bf9ab32b25a4d73a1e062482f538055bc2258369353647d4325aec7a28dc1a6798e85fae" 810 "85850558868468d60015927cb10b2a893e23aa16b1f9278d4413f64d0a3122218f9000ae" 811 "cd8743b8e9e50bd9de81eebc4e0230d1f4f7bffc1e6f903606afba9ee694c2b40022f171" 812 "a760e7c63e736e31d7c7ff8b77dc206c2a3aa5afd540073060ebb9050bddce1ff1917630" 813 "47fff51d"; 814 ASSERT_TRUE(BN_set_word(rsa->e, 111)); 815 ASSERT_TRUE(BN_hex2bn(&rsa->d, kDBogus)); 816 EXPECT_FALSE(RSA_check_key(rsa.get())); 817 ERR_clear_error(); 818 ASSERT_TRUE(BN_hex2bn(&rsa->e, kE)); 819 820 // d computed via the Euler totient rather than the Carmichael totient is also 821 // acceptable. 822 static const char kDEuler[] = 823 "3d231ff6ca0ee41ea50ab62c93bcd6aa5f01bd484e643b7ff6eb94c4dd414c17a0481a1c" 824 "4361f94f3f4d5c42098af09a527cf0d8dc96122ae8dd29189a4011d62f2bb40625d2e85f" 825 "4d706fb90c2e9bc9b00a0c2a28384a4c134f6d25c62d64a08fdf3f5e89a14d3daee46fda" 826 "8b4a2eda87cbb2735fd47290cb37bf65150edef854a28927ce5ac36d36107711cffb8ac3" 827 "2b090e409bb822b117744a9aabf878b8b1998d406337ec24cee3877795061c67322ac626" 828 "6c675a2cefe0f85f06b4d24eb6ad8e3fae7f218f5bd8ff2fb8bf8176d8527b0dfdaf8490" 829 "8f9bfaf3f37dcf8aa0211311bac07b1a478c3ed8a6369e5d5fc42b2afa93f5de8f520981" 830 "c62bbe81"; 831 ASSERT_TRUE(BN_hex2bn(&rsa->d, kDEuler)); 832 EXPECT_TRUE(RSA_check_key(rsa.get())); 833 834 // If d is completely out of range but otherwise valid, it is rejected. 835 static const char kDTooLarge[] = 836 "f2c885128cf04101c283553617c210d8ffd14cde98dc420c3c9892b55606cbedcda24298" 837 "7655b3f7b9433c2c316293a1cf1a2b034f197aeec1de8d81a67d94cc902b9fce1712d5a4" 838 "9c257ff705725cd77338d23535d3b87c8f4cecc15a6b72641ffd81aea106839d216b5fcd" 839 "7d415751d27255e540dd1638a8389721e9d0807d65d24d7b8c2f60e4b2c0bf250544ce68" 840 "b5ddbc1463d5a4638b2816b0f033dacdc0162f329af9e4d142352521fbd2fe14af824ef3" 841 "1601fe843c79cc3efbcb8eafd79262bdd25e2bdf21440f774e26d88ed7df938c5cf6982d" 842 "e9fa635b8ca36ce5c5fbd579a53cbb0348ceae752d4bc5621c5acc922ca2082494633337" 843 "42e770c1"; 844 ASSERT_TRUE(BN_hex2bn(&rsa->d, kDTooLarge)); 845 EXPECT_FALSE(RSA_check_key(rsa.get())); 846 ERR_clear_error(); 847 ASSERT_TRUE(BN_hex2bn(&rsa->d, kD)); 848 849 // CRT value must either all be provided or all missing. 850 ASSERT_TRUE(BN_hex2bn(&rsa->dmp1, kDMP1)); 851 EXPECT_FALSE(RSA_check_key(rsa.get())); 852 ERR_clear_error(); 853 BN_free(rsa->dmp1); 854 rsa->dmp1 = nullptr; 855 856 ASSERT_TRUE(BN_hex2bn(&rsa->dmq1, kDMQ1)); 857 EXPECT_FALSE(RSA_check_key(rsa.get())); 858 ERR_clear_error(); 859 BN_free(rsa->dmq1); 860 rsa->dmq1 = nullptr; 861 862 ASSERT_TRUE(BN_hex2bn(&rsa->iqmp, kIQMP)); 863 EXPECT_FALSE(RSA_check_key(rsa.get())); 864 ERR_clear_error(); 865 866 // The full key is accepted. 867 ASSERT_TRUE(BN_hex2bn(&rsa->dmp1, kDMP1)); 868 ASSERT_TRUE(BN_hex2bn(&rsa->dmq1, kDMQ1)); 869 EXPECT_TRUE(RSA_check_key(rsa.get())); 870 871 // Incorrect CRT values are rejected. 872 ASSERT_TRUE(BN_add_word(rsa->dmp1, 1)); 873 EXPECT_FALSE(RSA_check_key(rsa.get())); 874 ERR_clear_error(); 875 ASSERT_TRUE(BN_sub_word(rsa->dmp1, 1)); 876 877 ASSERT_TRUE(BN_add_word(rsa->dmq1, 1)); 878 EXPECT_FALSE(RSA_check_key(rsa.get())); 879 ERR_clear_error(); 880 ASSERT_TRUE(BN_sub_word(rsa->dmq1, 1)); 881 882 ASSERT_TRUE(BN_add_word(rsa->iqmp, 1)); 883 EXPECT_FALSE(RSA_check_key(rsa.get())); 884 ERR_clear_error(); 885 ASSERT_TRUE(BN_sub_word(rsa->iqmp, 1)); 886 887 // Non-reduced CRT values are rejected. 888 ASSERT_TRUE(BN_add(rsa->dmp1, rsa->dmp1, rsa->p)); 889 EXPECT_FALSE(RSA_check_key(rsa.get())); 890 ERR_clear_error(); 891 ASSERT_TRUE(BN_sub(rsa->dmp1, rsa->dmp1, rsa->p)); 892 893 ASSERT_TRUE(BN_add(rsa->dmq1, rsa->dmq1, rsa->q)); 894 EXPECT_FALSE(RSA_check_key(rsa.get())); 895 ERR_clear_error(); 896 ASSERT_TRUE(BN_sub(rsa->dmq1, rsa->dmq1, rsa->q)); 897 898 ASSERT_TRUE(BN_add(rsa->iqmp, rsa->iqmp, rsa->p)); 899 EXPECT_FALSE(RSA_check_key(rsa.get())); 900 ERR_clear_error(); 901 ASSERT_TRUE(BN_sub(rsa->iqmp, rsa->iqmp, rsa->p)); 902 } 903 904 TEST(RSATest, KeygenFail) { 905 bssl::UniquePtr<RSA> rsa(RSA_new()); 906 ASSERT_TRUE(rsa); 907 908 // Cause RSA key generation after a prime has been generated, to test that 909 // |rsa| is left alone. 910 BN_GENCB cb; 911 BN_GENCB_set(&cb, 912 [](int event, int, BN_GENCB *) -> int { return event != 3; }, 913 nullptr); 914 915 bssl::UniquePtr<BIGNUM> e(BN_new()); 916 ASSERT_TRUE(e); 917 ASSERT_TRUE(BN_set_word(e.get(), RSA_F4)); 918 919 // Key generation should fail. 920 EXPECT_FALSE(RSA_generate_key_ex(rsa.get(), 2048, e.get(), &cb)); 921 922 // Failed key generations do not leave garbage in |rsa|. 923 EXPECT_FALSE(rsa->n); 924 EXPECT_FALSE(rsa->e); 925 EXPECT_FALSE(rsa->d); 926 EXPECT_FALSE(rsa->p); 927 EXPECT_FALSE(rsa->q); 928 EXPECT_FALSE(rsa->dmp1); 929 EXPECT_FALSE(rsa->dmq1); 930 EXPECT_FALSE(rsa->iqmp); 931 EXPECT_FALSE(rsa->mont_n); 932 EXPECT_FALSE(rsa->mont_p); 933 EXPECT_FALSE(rsa->mont_q); 934 EXPECT_FALSE(rsa->d_fixed); 935 EXPECT_FALSE(rsa->dmp1_fixed); 936 EXPECT_FALSE(rsa->dmq1_fixed); 937 EXPECT_FALSE(rsa->inv_small_mod_large_mont); 938 EXPECT_FALSE(rsa->private_key_frozen); 939 940 // Failed key generations leave the previous contents alone. 941 EXPECT_TRUE(RSA_generate_key_ex(rsa.get(), 2048, e.get(), nullptr)); 942 uint8_t *der; 943 size_t der_len; 944 ASSERT_TRUE(RSA_private_key_to_bytes(&der, &der_len, rsa.get())); 945 bssl::UniquePtr<uint8_t> delete_der(der); 946 947 EXPECT_FALSE(RSA_generate_key_ex(rsa.get(), 2048, e.get(), &cb)); 948 949 uint8_t *der2; 950 size_t der2_len; 951 ASSERT_TRUE(RSA_private_key_to_bytes(&der2, &der2_len, rsa.get())); 952 bssl::UniquePtr<uint8_t> delete_der2(der2); 953 EXPECT_EQ(Bytes(der, der_len), Bytes(der2, der2_len)); 954 955 // Generating a key over an existing key works, despite any cached state. 956 EXPECT_TRUE(RSA_generate_key_ex(rsa.get(), 2048, e.get(), nullptr)); 957 EXPECT_TRUE(RSA_check_key(rsa.get())); 958 uint8_t *der3; 959 size_t der3_len; 960 ASSERT_TRUE(RSA_private_key_to_bytes(&der3, &der3_len, rsa.get())); 961 bssl::UniquePtr<uint8_t> delete_der3(der3); 962 EXPECT_NE(Bytes(der, der_len), Bytes(der3, der3_len)); 963 } 964 965 TEST(RSATest, KeygenFailOnce) { 966 bssl::UniquePtr<RSA> rsa(RSA_new()); 967 ASSERT_TRUE(rsa); 968 969 // Cause only the first iteration of RSA key generation to fail. 970 bool failed = false; 971 BN_GENCB cb; 972 BN_GENCB_set(&cb, 973 [](int event, int n, BN_GENCB *cb_ptr) -> int { 974 bool *failed_ptr = static_cast<bool *>(cb_ptr->arg); 975 if (*failed_ptr) { 976 ADD_FAILURE() << "Callback called multiple times."; 977 return 1; 978 } 979 *failed_ptr = true; 980 return 0; 981 }, 982 &failed); 983 984 // Although key generation internally retries, the external behavior of 985 // |BN_GENCB| is preserved. 986 bssl::UniquePtr<BIGNUM> e(BN_new()); 987 ASSERT_TRUE(e); 988 ASSERT_TRUE(BN_set_word(e.get(), RSA_F4)); 989 EXPECT_FALSE(RSA_generate_key_ex(rsa.get(), 2048, e.get(), &cb)); 990 } 991 992 TEST(RSATest, KeygenInternalRetry) { 993 bssl::UniquePtr<RSA> rsa(RSA_new()); 994 ASSERT_TRUE(rsa); 995 996 // Simulate one internal attempt at key generation failing. 997 bool failed = false; 998 BN_GENCB cb; 999 BN_GENCB_set(&cb, 1000 [](int event, int n, BN_GENCB *cb_ptr) -> int { 1001 bool *failed_ptr = static_cast<bool *>(cb_ptr->arg); 1002 if (*failed_ptr) { 1003 return 1; 1004 } 1005 *failed_ptr = true; 1006 // This test does not test any public API behavior. It is just 1007 // a hack to exercise the retry codepath and make sure it 1008 // works. 1009 OPENSSL_PUT_ERROR(RSA, RSA_R_TOO_MANY_ITERATIONS); 1010 return 0; 1011 }, 1012 &failed); 1013 1014 // Key generation internally retries on RSA_R_TOO_MANY_ITERATIONS. 1015 bssl::UniquePtr<BIGNUM> e(BN_new()); 1016 ASSERT_TRUE(e); 1017 ASSERT_TRUE(BN_set_word(e.get(), RSA_F4)); 1018 EXPECT_TRUE(RSA_generate_key_ex(rsa.get(), 2048, e.get(), &cb)); 1019 } 1020 1021 #if !defined(BORINGSSL_SHARED_LIBRARY) 1022 TEST(RSATest, SqrtTwo) { 1023 bssl::UniquePtr<BIGNUM> sqrt(BN_new()), pow2(BN_new()); 1024 bssl::UniquePtr<BN_CTX> ctx(BN_CTX_new()); 1025 ASSERT_TRUE(sqrt); 1026 ASSERT_TRUE(pow2); 1027 ASSERT_TRUE(ctx); 1028 1029 size_t bits = kBoringSSLRSASqrtTwoLen * BN_BITS2; 1030 ASSERT_TRUE(BN_one(pow2.get())); 1031 ASSERT_TRUE(BN_lshift(pow2.get(), pow2.get(), 2 * bits - 1)); 1032 1033 // Check that sqrt < pow2. 1034 ASSERT_TRUE( 1035 bn_set_words(sqrt.get(), kBoringSSLRSASqrtTwo, kBoringSSLRSASqrtTwoLen)); 1036 ASSERT_TRUE(BN_sqr(sqrt.get(), sqrt.get(), ctx.get())); 1037 EXPECT_LT(BN_cmp(sqrt.get(), pow2.get()), 0); 1038 1039 // Check that pow2 < (sqrt + 1). 1040 ASSERT_TRUE( 1041 bn_set_words(sqrt.get(), kBoringSSLRSASqrtTwo, kBoringSSLRSASqrtTwoLen)); 1042 ASSERT_TRUE(BN_add_word(sqrt.get(), 1)); 1043 ASSERT_TRUE(BN_sqr(sqrt.get(), sqrt.get(), ctx.get())); 1044 EXPECT_LT(BN_cmp(pow2.get(), sqrt.get()), 0); 1045 1046 // Check the kBoringSSLRSASqrtTwo is sized for a 3072-bit RSA key. 1047 EXPECT_EQ(3072u / 2u, bits); 1048 } 1049 #endif // !BORINGSSL_SHARED_LIBRARY 1050 1051 #if defined(OPENSSL_THREADS) 1052 TEST(RSATest, Threads) { 1053 bssl::UniquePtr<RSA> rsa_template( 1054 RSA_private_key_from_bytes(kKey1, sizeof(kKey1) - 1)); 1055 ASSERT_TRUE(rsa_template); 1056 1057 const uint8_t kDummyHash[32] = {0}; 1058 uint8_t sig[256]; 1059 unsigned sig_len = sizeof(sig); 1060 ASSERT_LE(RSA_size(rsa_template.get()), sizeof(sig)); 1061 EXPECT_TRUE(RSA_sign(NID_sha256, kDummyHash, sizeof(kDummyHash), sig, 1062 &sig_len, rsa_template.get())); 1063 1064 // RSA keys may be assembled piece-meal and then used in parallel between 1065 // threads, which requires internal locking to create some derived properties. 1066 bssl::UniquePtr<RSA> rsa(RSA_new()); 1067 rsa->n = BN_dup(rsa_template->n); 1068 ASSERT_TRUE(rsa->n); 1069 rsa->e = BN_dup(rsa_template->e); 1070 ASSERT_TRUE(rsa->e); 1071 rsa->d = BN_dup(rsa_template->d); 1072 ASSERT_TRUE(rsa->d); 1073 rsa->p = BN_dup(rsa_template->p); 1074 ASSERT_TRUE(rsa->p); 1075 rsa->q = BN_dup(rsa_template->q); 1076 ASSERT_TRUE(rsa->q); 1077 rsa->dmp1 = BN_dup(rsa_template->dmp1); 1078 ASSERT_TRUE(rsa->dmp1); 1079 rsa->dmq1 = BN_dup(rsa_template->dmq1); 1080 ASSERT_TRUE(rsa->dmq1); 1081 rsa->iqmp = BN_dup(rsa_template->iqmp); 1082 ASSERT_TRUE(rsa->iqmp); 1083 1084 // Each of these operations must be safe to do concurrently on different 1085 // threads. 1086 auto raw_access = [&] { EXPECT_EQ(0, BN_cmp(rsa->d, rsa_template->d)); }; 1087 auto getter = [&] { 1088 const BIGNUM *d; 1089 RSA_get0_key(rsa.get(), nullptr, nullptr, &d); 1090 EXPECT_EQ(0, BN_cmp(d, rsa_template->d)); 1091 }; 1092 auto sign = [&] { 1093 uint8_t sig2[256]; 1094 unsigned sig2_len = sizeof(sig2); 1095 ASSERT_LE(RSA_size(rsa.get()), sizeof(sig2)); 1096 EXPECT_TRUE(RSA_sign(NID_sha256, kDummyHash, sizeof(kDummyHash), sig2, 1097 &sig2_len, rsa.get())); 1098 // RSASSA-PKCS1-v1_5 is deterministic. 1099 EXPECT_EQ(Bytes(sig, sig_len), Bytes(sig2, sig2_len)); 1100 }; 1101 auto verify = [&] { 1102 EXPECT_TRUE(RSA_verify(NID_sha256, kDummyHash, sizeof(kDummyHash), sig, 1103 sig_len, rsa.get())); 1104 }; 1105 1106 std::vector<std::thread> threads; 1107 threads.emplace_back(raw_access); 1108 threads.emplace_back(raw_access); 1109 threads.emplace_back(getter); 1110 threads.emplace_back(getter); 1111 threads.emplace_back(sign); 1112 threads.emplace_back(sign); 1113 threads.emplace_back(verify); 1114 threads.emplace_back(verify); 1115 for (auto &thread : threads) { 1116 thread.join(); 1117 } 1118 } 1119 #endif 1120