Home | History | Annotate | Download | only in crypto
      1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #include "crypto/signature_verifier.h"
      6 
      7 #include <stddef.h>
      8 #include <stdint.h>
      9 
     10 #include "base/macros.h"
     11 #include "base/numerics/safe_conversions.h"
     12 #include "testing/gtest/include/gtest/gtest.h"
     13 
     14 TEST(SignatureVerifierTest, BasicTest) {
     15   // The input data in this test comes from real certificates.
     16   //
     17   // tbs_certificate ("to-be-signed certificate", the part of a certificate
     18   // that is signed), signature_algorithm, and algorithm come from the
     19   // certificate of bugs.webkit.org.
     20   //
     21   // public_key_info comes from the certificate of the issuer, Go Daddy Secure
     22   // Certification Authority.
     23   //
     24   // The bytes in the array initializers are formatted to expose the DER
     25   // encoding of the ASN.1 structures.
     26 
     27   // The data that is signed is the following ASN.1 structure:
     28   //    TBSCertificate  ::=  SEQUENCE  {
     29   //        ...  -- omitted, not important
     30   //        }
     31   const uint8_t tbs_certificate[1017] = {
     32       0x30, 0x82, 0x03, 0xf5,  // a SEQUENCE of length 1013 (0x3f5)
     33       0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x03, 0x43, 0xdd, 0x63, 0x30, 0x0d,
     34       0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05,
     35       0x00, 0x30, 0x81, 0xca, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04,
     36       0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55,
     37       0x04, 0x08, 0x13, 0x07, 0x41, 0x72, 0x69, 0x7a, 0x6f, 0x6e, 0x61, 0x31,
     38       0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x0a, 0x53, 0x63,
     39       0x6f, 0x74, 0x74, 0x73, 0x64, 0x61, 0x6c, 0x65, 0x31, 0x1a, 0x30, 0x18,
     40       0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x11, 0x47, 0x6f, 0x44, 0x61, 0x64,
     41       0x64, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e,
     42       0x31, 0x33, 0x30, 0x31, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x2a, 0x68,
     43       0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66,
     44       0x69, 0x63, 0x61, 0x74, 0x65, 0x73, 0x2e, 0x67, 0x6f, 0x64, 0x61, 0x64,
     45       0x64, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x72, 0x65, 0x70, 0x6f, 0x73,
     46       0x69, 0x74, 0x6f, 0x72, 0x79, 0x31, 0x30, 0x30, 0x2e, 0x06, 0x03, 0x55,
     47       0x04, 0x03, 0x13, 0x27, 0x47, 0x6f, 0x20, 0x44, 0x61, 0x64, 0x64, 0x79,
     48       0x20, 0x53, 0x65, 0x63, 0x75, 0x72, 0x65, 0x20, 0x43, 0x65, 0x72, 0x74,
     49       0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x41, 0x75,
     50       0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x31, 0x11, 0x30, 0x0f, 0x06,
     51       0x03, 0x55, 0x04, 0x05, 0x13, 0x08, 0x30, 0x37, 0x39, 0x36, 0x39, 0x32,
     52       0x38, 0x37, 0x30, 0x1e, 0x17, 0x0d, 0x30, 0x38, 0x30, 0x33, 0x31, 0x38,
     53       0x32, 0x33, 0x33, 0x35, 0x31, 0x39, 0x5a, 0x17, 0x0d, 0x31, 0x31, 0x30,
     54       0x33, 0x31, 0x38, 0x32, 0x33, 0x33, 0x35, 0x31, 0x39, 0x5a, 0x30, 0x79,
     55       0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55,
     56       0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x0a,
     57       0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x12,
     58       0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x09, 0x43, 0x75, 0x70,
     59       0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03,
     60       0x55, 0x04, 0x0a, 0x13, 0x0a, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x49,
     61       0x6e, 0x63, 0x2e, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x0b,
     62       0x13, 0x0c, 0x4d, 0x61, 0x63, 0x20, 0x4f, 0x53, 0x20, 0x46, 0x6f, 0x72,
     63       0x67, 0x65, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13,
     64       0x0c, 0x2a, 0x2e, 0x77, 0x65, 0x62, 0x6b, 0x69, 0x74, 0x2e, 0x6f, 0x72,
     65       0x67, 0x30, 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
     66       0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x81, 0x8d, 0x00, 0x30,
     67       0x81, 0x89, 0x02, 0x81, 0x81, 0x00, 0xa7, 0x62, 0x79, 0x41, 0xda, 0x28,
     68       0xf2, 0xc0, 0x4f, 0xe0, 0x25, 0xaa, 0xa1, 0x2e, 0x3b, 0x30, 0x94, 0xb5,
     69       0xc9, 0x26, 0x3a, 0x1b, 0xe2, 0xd0, 0xcc, 0xa2, 0x95, 0xe2, 0x91, 0xc0,
     70       0xf0, 0x40, 0x9e, 0x27, 0x6e, 0xbd, 0x6e, 0xde, 0x7c, 0xb6, 0x30, 0x5c,
     71       0xb8, 0x9b, 0x01, 0x2f, 0x92, 0x04, 0xa1, 0xef, 0x4a, 0xb1, 0x6c, 0xb1,
     72       0x7e, 0x8e, 0xcd, 0xa6, 0xf4, 0x40, 0x73, 0x1f, 0x2c, 0x96, 0xad, 0xff,
     73       0x2a, 0x6d, 0x0e, 0xba, 0x52, 0x84, 0x83, 0xb0, 0x39, 0xee, 0xc9, 0x39,
     74       0xdc, 0x1e, 0x34, 0xd0, 0xd8, 0x5d, 0x7a, 0x09, 0xac, 0xa9, 0xee, 0xca,
     75       0x65, 0xf6, 0x85, 0x3a, 0x6b, 0xee, 0xe4, 0x5c, 0x5e, 0xf8, 0xda, 0xd1,
     76       0xce, 0x88, 0x47, 0xcd, 0x06, 0x21, 0xe0, 0xb9, 0x4b, 0xe4, 0x07, 0xcb,
     77       0x57, 0xdc, 0xca, 0x99, 0x54, 0xf7, 0x0e, 0xd5, 0x17, 0x95, 0x05, 0x2e,
     78       0xe9, 0xb1, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0xce, 0x30,
     79       0x82, 0x01, 0xca, 0x30, 0x09, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x02,
     80       0x30, 0x00, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03,
     81       0x02, 0x05, 0xa0, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x04, 0x16,
     82       0x30, 0x14, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01,
     83       0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x02, 0x30, 0x57,
     84       0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x50, 0x30, 0x4e, 0x30, 0x4c, 0xa0,
     85       0x4a, 0xa0, 0x48, 0x86, 0x46, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f,
     86       0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x73,
     87       0x2e, 0x67, 0x6f, 0x64, 0x61, 0x64, 0x64, 0x79, 0x2e, 0x63, 0x6f, 0x6d,
     88       0x2f, 0x72, 0x65, 0x70, 0x6f, 0x73, 0x69, 0x74, 0x6f, 0x72, 0x79, 0x2f,
     89       0x67, 0x6f, 0x64, 0x61, 0x64, 0x64, 0x79, 0x65, 0x78, 0x74, 0x65, 0x6e,
     90       0x64, 0x65, 0x64, 0x69, 0x73, 0x73, 0x75, 0x69, 0x6e, 0x67, 0x33, 0x2e,
     91       0x63, 0x72, 0x6c, 0x30, 0x52, 0x06, 0x03, 0x55, 0x1d, 0x20, 0x04, 0x4b,
     92       0x30, 0x49, 0x30, 0x47, 0x06, 0x0b, 0x60, 0x86, 0x48, 0x01, 0x86, 0xfd,
     93       0x6d, 0x01, 0x07, 0x17, 0x02, 0x30, 0x38, 0x30, 0x36, 0x06, 0x08, 0x2b,
     94       0x06, 0x01, 0x05, 0x05, 0x07, 0x02, 0x01, 0x16, 0x2a, 0x68, 0x74, 0x74,
     95       0x70, 0x3a, 0x2f, 0x2f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63,
     96       0x61, 0x74, 0x65, 0x73, 0x2e, 0x67, 0x6f, 0x64, 0x61, 0x64, 0x64, 0x79,
     97       0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x72, 0x65, 0x70, 0x6f, 0x73, 0x69, 0x74,
     98       0x6f, 0x72, 0x79, 0x30, 0x7f, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05,
     99       0x07, 0x01, 0x01, 0x04, 0x73, 0x30, 0x71, 0x30, 0x23, 0x06, 0x08, 0x2b,
    100       0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x86, 0x17, 0x68, 0x74, 0x74,
    101       0x70, 0x3a, 0x2f, 0x2f, 0x6f, 0x63, 0x73, 0x70, 0x2e, 0x67, 0x6f, 0x64,
    102       0x61, 0x64, 0x64, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x4a, 0x06, 0x08,
    103       0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x02, 0x86, 0x3e, 0x68, 0x74,
    104       0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69,
    105       0x63, 0x61, 0x74, 0x65, 0x73, 0x2e, 0x67, 0x6f, 0x64, 0x61, 0x64, 0x64,
    106       0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x72, 0x65, 0x70, 0x6f, 0x73, 0x69,
    107       0x74, 0x6f, 0x72, 0x79, 0x2f, 0x67, 0x64, 0x5f, 0x69, 0x6e, 0x74, 0x65,
    108       0x72, 0x6d, 0x65, 0x64, 0x69, 0x61, 0x74, 0x65, 0x2e, 0x63, 0x72, 0x74,
    109       0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x48,
    110       0xdf, 0x60, 0x32, 0xcc, 0x89, 0x01, 0xb6, 0xdc, 0x2f, 0xe3, 0x73, 0xb5,
    111       0x9c, 0x16, 0x58, 0x32, 0x68, 0xa9, 0xc3, 0x30, 0x1f, 0x06, 0x03, 0x55,
    112       0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0xfd, 0xac, 0x61, 0x32,
    113       0x93, 0x6c, 0x45, 0xd6, 0xe2, 0xee, 0x85, 0x5f, 0x9a, 0xba, 0xe7, 0x76,
    114       0x99, 0x68, 0xcc, 0xe7, 0x30, 0x23, 0x06, 0x03, 0x55, 0x1d, 0x11, 0x04,
    115       0x1c, 0x30, 0x1a, 0x82, 0x0c, 0x2a, 0x2e, 0x77, 0x65, 0x62, 0x6b, 0x69,
    116       0x74, 0x2e, 0x6f, 0x72, 0x67, 0x82, 0x0a, 0x77, 0x65, 0x62, 0x6b, 0x69,
    117       0x74, 0x2e, 0x6f, 0x72, 0x67};
    118 
    119   // The signature algorithm is specified as the following ASN.1 structure:
    120   //    AlgorithmIdentifier  ::=  SEQUENCE  {
    121   //        algorithm               OBJECT IDENTIFIER,
    122   //        parameters              ANY DEFINED BY algorithm OPTIONAL  }
    123   //
    124   const uint8_t signature_algorithm[15] = {
    125       0x30, 0x0d,  // a SEQUENCE of length 13 (0xd)
    126       0x06, 0x09,  // an OBJECT IDENTIFIER of length 9
    127       // 1.2.840.113549.1.1.5 - sha1WithRSAEncryption
    128       0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05,
    129       0x00,  // a NULL of length 0
    130   };
    131 
    132   // RSA signature, a big integer in the big-endian byte order.
    133   const uint8_t signature[256] = {
    134       0x1e, 0x6a, 0xe7, 0xe0, 0x4f, 0xe7, 0x4d, 0xd0, 0x69, 0x7c, 0xf8, 0x8f,
    135       0x99, 0xb4, 0x18, 0x95, 0x36, 0x24, 0x0f, 0x0e, 0xa3, 0xea, 0x34, 0x37,
    136       0xf4, 0x7d, 0xd5, 0x92, 0x35, 0x53, 0x72, 0x76, 0x3f, 0x69, 0xf0, 0x82,
    137       0x56, 0xe3, 0x94, 0x7a, 0x1d, 0x1a, 0x81, 0xaf, 0x9f, 0xc7, 0x43, 0x01,
    138       0x64, 0xd3, 0x7c, 0x0d, 0xc8, 0x11, 0x4e, 0x4a, 0xe6, 0x1a, 0xc3, 0x01,
    139       0x74, 0xe8, 0x35, 0x87, 0x5c, 0x61, 0xaa, 0x8a, 0x46, 0x06, 0xbe, 0x98,
    140       0x95, 0x24, 0x9e, 0x01, 0xe3, 0xe6, 0xa0, 0x98, 0xee, 0x36, 0x44, 0x56,
    141       0x8d, 0x23, 0x9c, 0x65, 0xea, 0x55, 0x6a, 0xdf, 0x66, 0xee, 0x45, 0xe8,
    142       0xa0, 0xe9, 0x7d, 0x9a, 0xba, 0x94, 0xc5, 0xc8, 0xc4, 0x4b, 0x98, 0xff,
    143       0x9a, 0x01, 0x31, 0x6d, 0xf9, 0x2b, 0x58, 0xe7, 0xe7, 0x2a, 0xc5, 0x4d,
    144       0xbb, 0xbb, 0xcd, 0x0d, 0x70, 0xe1, 0xad, 0x03, 0xf5, 0xfe, 0xf4, 0x84,
    145       0x71, 0x08, 0xd2, 0xbc, 0x04, 0x7b, 0x26, 0x1c, 0xa8, 0x0f, 0x9c, 0xd8,
    146       0x12, 0x6a, 0x6f, 0x2b, 0x67, 0xa1, 0x03, 0x80, 0x9a, 0x11, 0x0b, 0xe9,
    147       0xe0, 0xb5, 0xb3, 0xb8, 0x19, 0x4e, 0x0c, 0xa4, 0xd9, 0x2b, 0x3b, 0xc2,
    148       0xca, 0x20, 0xd3, 0x0c, 0xa4, 0xff, 0x93, 0x13, 0x1f, 0xfc, 0xba, 0x94,
    149       0x93, 0x8c, 0x64, 0x15, 0x2e, 0x28, 0xa9, 0x55, 0x8c, 0x2c, 0x48, 0xd3,
    150       0xd3, 0xc1, 0x50, 0x69, 0x19, 0xe8, 0x34, 0xd3, 0xf1, 0x04, 0x9f, 0x0a,
    151       0x7a, 0x21, 0x87, 0xbf, 0xb9, 0x59, 0x37, 0x2e, 0xf4, 0x71, 0xa5, 0x3e,
    152       0xbe, 0xcd, 0x70, 0x83, 0x18, 0xf8, 0x8a, 0x72, 0x85, 0x45, 0x1f, 0x08,
    153       0x01, 0x6f, 0x37, 0xf5, 0x2b, 0x7b, 0xea, 0xb9, 0x8b, 0xa3, 0xcc, 0xfd,
    154       0x35, 0x52, 0xdd, 0x66, 0xde, 0x4f, 0x30, 0xc5, 0x73, 0x81, 0xb6, 0xe8,
    155       0x3c, 0xd8, 0x48, 0x8a};
    156 
    157   // The public key is specified as the following ASN.1 structure:
    158   //   SubjectPublicKeyInfo  ::=  SEQUENCE  {
    159   //       algorithm            AlgorithmIdentifier,
    160   //       subjectPublicKey     BIT STRING  }
    161   const uint8_t public_key_info[294] = {
    162       0x30, 0x82, 0x01, 0x22,  // a SEQUENCE of length 290 (0x122)
    163       // algorithm
    164       0x30, 0x0d,  // a SEQUENCE of length 13
    165       0x06, 0x09,  // an OBJECT IDENTIFIER of length 9
    166       0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05,
    167       0x00,  // a NULL of length 0
    168       // subjectPublicKey
    169       0x03, 0x82, 0x01, 0x0f,  // a BIT STRING of length 271 (0x10f)
    170       0x00,                    // number of unused bits
    171       0x30, 0x82, 0x01, 0x0a,  // a SEQUENCE of length 266 (0x10a)
    172       // modulus
    173       0x02, 0x82, 0x01, 0x01,  // an INTEGER of length 257 (0x101)
    174       0x00, 0xc4, 0x2d, 0xd5, 0x15, 0x8c, 0x9c, 0x26, 0x4c, 0xec, 0x32, 0x35,
    175       0xeb, 0x5f, 0xb8, 0x59, 0x01, 0x5a, 0xa6, 0x61, 0x81, 0x59, 0x3b, 0x70,
    176       0x63, 0xab, 0xe3, 0xdc, 0x3d, 0xc7, 0x2a, 0xb8, 0xc9, 0x33, 0xd3, 0x79,
    177       0xe4, 0x3a, 0xed, 0x3c, 0x30, 0x23, 0x84, 0x8e, 0xb3, 0x30, 0x14, 0xb6,
    178       0xb2, 0x87, 0xc3, 0x3d, 0x95, 0x54, 0x04, 0x9e, 0xdf, 0x99, 0xdd, 0x0b,
    179       0x25, 0x1e, 0x21, 0xde, 0x65, 0x29, 0x7e, 0x35, 0xa8, 0xa9, 0x54, 0xeb,
    180       0xf6, 0xf7, 0x32, 0x39, 0xd4, 0x26, 0x55, 0x95, 0xad, 0xef, 0xfb, 0xfe,
    181       0x58, 0x86, 0xd7, 0x9e, 0xf4, 0x00, 0x8d, 0x8c, 0x2a, 0x0c, 0xbd, 0x42,
    182       0x04, 0xce, 0xa7, 0x3f, 0x04, 0xf6, 0xee, 0x80, 0xf2, 0xaa, 0xef, 0x52,
    183       0xa1, 0x69, 0x66, 0xda, 0xbe, 0x1a, 0xad, 0x5d, 0xda, 0x2c, 0x66, 0xea,
    184       0x1a, 0x6b, 0xbb, 0xe5, 0x1a, 0x51, 0x4a, 0x00, 0x2f, 0x48, 0xc7, 0x98,
    185       0x75, 0xd8, 0xb9, 0x29, 0xc8, 0xee, 0xf8, 0x66, 0x6d, 0x0a, 0x9c, 0xb3,
    186       0xf3, 0xfc, 0x78, 0x7c, 0xa2, 0xf8, 0xa3, 0xf2, 0xb5, 0xc3, 0xf3, 0xb9,
    187       0x7a, 0x91, 0xc1, 0xa7, 0xe6, 0x25, 0x2e, 0x9c, 0xa8, 0xed, 0x12, 0x65,
    188       0x6e, 0x6a, 0xf6, 0x12, 0x44, 0x53, 0x70, 0x30, 0x95, 0xc3, 0x9c, 0x2b,
    189       0x58, 0x2b, 0x3d, 0x08, 0x74, 0x4a, 0xf2, 0xbe, 0x51, 0xb0, 0xbf, 0x87,
    190       0xd0, 0x4c, 0x27, 0x58, 0x6b, 0xb5, 0x35, 0xc5, 0x9d, 0xaf, 0x17, 0x31,
    191       0xf8, 0x0b, 0x8f, 0xee, 0xad, 0x81, 0x36, 0x05, 0x89, 0x08, 0x98, 0xcf,
    192       0x3a, 0xaf, 0x25, 0x87, 0xc0, 0x49, 0xea, 0xa7, 0xfd, 0x67, 0xf7, 0x45,
    193       0x8e, 0x97, 0xcc, 0x14, 0x39, 0xe2, 0x36, 0x85, 0xb5, 0x7e, 0x1a, 0x37,
    194       0xfd, 0x16, 0xf6, 0x71, 0x11, 0x9a, 0x74, 0x30, 0x16, 0xfe, 0x13, 0x94,
    195       0xa3, 0x3f, 0x84, 0x0d, 0x4f,
    196       // public exponent
    197       0x02, 0x03,  // an INTEGER of length 3
    198       0x01, 0x00, 0x01};
    199 
    200   // We use the signature verifier to perform four signature verification
    201   // tests.
    202   crypto::SignatureVerifier verifier;
    203   bool ok;
    204 
    205   // Test 1: feed all of the data to the verifier at once (a single
    206   // VerifyUpdate call).
    207   ok = verifier.VerifyInit(signature_algorithm,
    208                            sizeof(signature_algorithm),
    209                            signature, sizeof(signature),
    210                            public_key_info, sizeof(public_key_info));
    211   EXPECT_TRUE(ok);
    212   verifier.VerifyUpdate(tbs_certificate, sizeof(tbs_certificate));
    213   ok = verifier.VerifyFinal();
    214   EXPECT_TRUE(ok);
    215 
    216   // Test 2: feed the data to the verifier in three parts (three VerifyUpdate
    217   // calls).
    218   ok = verifier.VerifyInit(signature_algorithm,
    219                            sizeof(signature_algorithm),
    220                            signature, sizeof(signature),
    221                            public_key_info, sizeof(public_key_info));
    222   EXPECT_TRUE(ok);
    223   verifier.VerifyUpdate(tbs_certificate,       256);
    224   verifier.VerifyUpdate(tbs_certificate + 256, 256);
    225   verifier.VerifyUpdate(tbs_certificate + 512, sizeof(tbs_certificate) - 512);
    226   ok = verifier.VerifyFinal();
    227   EXPECT_TRUE(ok);
    228 
    229   // Test 3: verify the signature with incorrect data.
    230   uint8_t bad_tbs_certificate[sizeof(tbs_certificate)];
    231   memcpy(bad_tbs_certificate, tbs_certificate, sizeof(tbs_certificate));
    232   bad_tbs_certificate[10] += 1;  // Corrupt one byte of the data.
    233   ok = verifier.VerifyInit(signature_algorithm,
    234                            sizeof(signature_algorithm),
    235                            signature, sizeof(signature),
    236                            public_key_info, sizeof(public_key_info));
    237   EXPECT_TRUE(ok);
    238   verifier.VerifyUpdate(bad_tbs_certificate, sizeof(bad_tbs_certificate));
    239   ok = verifier.VerifyFinal();
    240   EXPECT_FALSE(ok);
    241 
    242   // Test 4: verify a bad signature.
    243   uint8_t bad_signature[sizeof(signature)];
    244   memcpy(bad_signature, signature, sizeof(signature));
    245   bad_signature[10] += 1;  // Corrupt one byte of the signature.
    246   ok = verifier.VerifyInit(signature_algorithm,
    247                            sizeof(signature_algorithm),
    248                            bad_signature, sizeof(bad_signature),
    249                            public_key_info, sizeof(public_key_info));
    250 
    251   // A crypto library (e.g., NSS) may detect that the signature is corrupted
    252   // and cause VerifyInit to return false, so it is fine for 'ok' to be false.
    253   if (ok) {
    254     verifier.VerifyUpdate(tbs_certificate, sizeof(tbs_certificate));
    255     ok = verifier.VerifyFinal();
    256     EXPECT_FALSE(ok);
    257   }
    258 
    259   // Test 5: import an invalid key.
    260   uint8_t bad_public_key_info[sizeof(public_key_info)];
    261   memcpy(bad_public_key_info, public_key_info, sizeof(public_key_info));
    262   bad_public_key_info[0] += 1;  // Corrupt part of the SPKI syntax.
    263   ok = verifier.VerifyInit(signature_algorithm,
    264                            sizeof(signature_algorithm),
    265                            signature, sizeof(signature),
    266                            bad_public_key_info, sizeof(bad_public_key_info));
    267   EXPECT_FALSE(ok);
    268 
    269   // Test 6: import a key with extra data.
    270   uint8_t long_public_key_info[sizeof(public_key_info) + 5];
    271   memset(long_public_key_info, 0, sizeof(long_public_key_info));
    272   memcpy(long_public_key_info, public_key_info, sizeof(public_key_info));
    273   ok = verifier.VerifyInit(signature_algorithm,
    274                            sizeof(signature_algorithm),
    275                            signature, sizeof(signature),
    276                            long_public_key_info, sizeof(long_public_key_info));
    277   EXPECT_FALSE(ok);
    278 }
    279 
    280 //////////////////////////////////////////////////////////////////////
    281 //
    282 // RSA-PSS signature verification known answer test
    283 //
    284 //////////////////////////////////////////////////////////////////////
    285 
    286 // The following RSA-PSS signature test vectors come from the pss-vect.txt
    287 // file downloaded from
    288 // ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip.
    289 //
    290 // For each key, 6 random messages of length between 1 and 256 octets have
    291 // been RSASSA-PSS signed.
    292 //
    293 // Hash function: SHA-1
    294 // Mask generation function: MGF1 with SHA-1
    295 // Salt length: 20 octets
    296 
    297 // Example 1: A 1024-bit RSA Key Pair"
    298 
    299 // RSA modulus n:
    300 static const char rsa_modulus_n_1[] =
    301   "a5 6e 4a 0e 70 10 17 58 9a 51 87 dc 7e a8 41 d1 "
    302   "56 f2 ec 0e 36 ad 52 a4 4d fe b1 e6 1f 7a d9 91 "
    303   "d8 c5 10 56 ff ed b1 62 b4 c0 f2 83 a1 2a 88 a3 "
    304   "94 df f5 26 ab 72 91 cb b3 07 ce ab fc e0 b1 df "
    305   "d5 cd 95 08 09 6d 5b 2b 8b 6d f5 d6 71 ef 63 77 "
    306   "c0 92 1c b2 3c 27 0a 70 e2 59 8e 6f f8 9d 19 f1 "
    307   "05 ac c2 d3 f0 cb 35 f2 92 80 e1 38 6b 6f 64 c4 "
    308   "ef 22 e1 e1 f2 0d 0c e8 cf fb 22 49 bd 9a 21 37 ";
    309 // RSA public exponent e: "
    310 static const char rsa_public_exponent_e_1[] =
    311   "01 00 01 ";
    312 
    313 // RSASSA-PSS Signature Example 1.1
    314 // Message to be signed:
    315 static const char message_1_1[] =
    316   "cd c8 7d a2 23 d7 86 df 3b 45 e0 bb bc 72 13 26 "
    317   "d1 ee 2a f8 06 cc 31 54 75 cc 6f 0d 9c 66 e1 b6 "
    318   "23 71 d4 5c e2 39 2e 1a c9 28 44 c3 10 10 2f 15 "
    319   "6a 0d 8d 52 c1 f4 c4 0b a3 aa 65 09 57 86 cb 76 "
    320   "97 57 a6 56 3b a9 58 fe d0 bc c9 84 e8 b5 17 a3 "
    321   "d5 f5 15 b2 3b 8a 41 e7 4a a8 67 69 3f 90 df b0 "
    322   "61 a6 e8 6d fa ae e6 44 72 c0 0e 5f 20 94 57 29 "
    323   "cb eb e7 7f 06 ce 78 e0 8f 40 98 fb a4 1f 9d 61 "
    324   "93 c0 31 7e 8b 60 d4 b6 08 4a cb 42 d2 9e 38 08 "
    325   "a3 bc 37 2d 85 e3 31 17 0f cb f7 cc 72 d0 b7 1c "
    326   "29 66 48 b3 a4 d1 0f 41 62 95 d0 80 7a a6 25 ca "
    327   "b2 74 4f d9 ea 8f d2 23 c4 25 37 02 98 28 bd 16 "
    328   "be 02 54 6f 13 0f d2 e3 3b 93 6d 26 76 e0 8a ed "
    329   "1b 73 31 8b 75 0a 01 67 d0 ";
    330 // Salt:
    331 static const char salt_1_1[] =
    332   "de e9 59 c7 e0 64 11 36 14 20 ff 80 18 5e d5 7f "
    333   "3e 67 76 af ";
    334 // Signature:
    335 static const char signature_1_1[] =
    336   "90 74 30 8f b5 98 e9 70 1b 22 94 38 8e 52 f9 71 "
    337   "fa ac 2b 60 a5 14 5a f1 85 df 52 87 b5 ed 28 87 "
    338   "e5 7c e7 fd 44 dc 86 34 e4 07 c8 e0 e4 36 0b c2 "
    339   "26 f3 ec 22 7f 9d 9e 54 63 8e 8d 31 f5 05 12 15 "
    340   "df 6e bb 9c 2f 95 79 aa 77 59 8a 38 f9 14 b5 b9 "
    341   "c1 bd 83 c4 e2 f9 f3 82 a0 d0 aa 35 42 ff ee 65 "
    342   "98 4a 60 1b c6 9e b2 8d eb 27 dc a1 2c 82 c2 d4 "
    343   "c3 f6 6c d5 00 f1 ff 2b 99 4d 8a 4e 30 cb b3 3c ";
    344 
    345 // RSASSA-PSS Signature Example 1.2
    346 // Message to be signed:
    347 static const char message_1_2[] =
    348   "85 13 84 cd fe 81 9c 22 ed 6c 4c cb 30 da eb 5c "
    349   "f0 59 bc 8e 11 66 b7 e3 53 0c 4c 23 3e 2b 5f 8f "
    350   "71 a1 cc a5 82 d4 3e cc 72 b1 bc a1 6d fc 70 13 "
    351   "22 6b 9e ";
    352 // Salt:
    353 static const char salt_1_2[] =
    354   "ef 28 69 fa 40 c3 46 cb 18 3d ab 3d 7b ff c9 8f "
    355   "d5 6d f4 2d ";
    356 // Signature:
    357 static const char signature_1_2[] =
    358   "3e f7 f4 6e 83 1b f9 2b 32 27 41 42 a5 85 ff ce "
    359   "fb dc a7 b3 2a e9 0d 10 fb 0f 0c 72 99 84 f0 4e "
    360   "f2 9a 9d f0 78 07 75 ce 43 73 9b 97 83 83 90 db "
    361   "0a 55 05 e6 3d e9 27 02 8d 9d 29 b2 19 ca 2c 45 "
    362   "17 83 25 58 a5 5d 69 4a 6d 25 b9 da b6 60 03 c4 "
    363   "cc cd 90 78 02 19 3b e5 17 0d 26 14 7d 37 b9 35 "
    364   "90 24 1b e5 1c 25 05 5f 47 ef 62 75 2c fb e2 14 "
    365   "18 fa fe 98 c2 2c 4d 4d 47 72 4f db 56 69 e8 43 ";
    366 
    367 // RSASSA-PSS Signature Example 1.3
    368 // Message to be signed:
    369 static const char message_1_3[] =
    370   "a4 b1 59 94 17 61 c4 0c 6a 82 f2 b8 0d 1b 94 f5 "
    371   "aa 26 54 fd 17 e1 2d 58 88 64 67 9b 54 cd 04 ef "
    372   "8b d0 30 12 be 8d c3 7f 4b 83 af 79 63 fa ff 0d "
    373   "fa 22 54 77 43 7c 48 01 7f f2 be 81 91 cf 39 55 "
    374   "fc 07 35 6e ab 3f 32 2f 7f 62 0e 21 d2 54 e5 db "
    375   "43 24 27 9f e0 67 e0 91 0e 2e 81 ca 2c ab 31 c7 "
    376   "45 e6 7a 54 05 8e b5 0d 99 3c db 9e d0 b4 d0 29 "
    377   "c0 6d 21 a9 4c a6 61 c3 ce 27 fa e1 d6 cb 20 f4 "
    378   "56 4d 66 ce 47 67 58 3d 0e 5f 06 02 15 b5 90 17 "
    379   "be 85 ea 84 89 39 12 7b d8 c9 c4 d4 7b 51 05 6c "
    380   "03 1c f3 36 f1 7c 99 80 f3 b8 f5 b9 b6 87 8e 8b "
    381   "79 7a a4 3b 88 26 84 33 3e 17 89 3f e9 ca a6 aa "
    382   "29 9f 7e d1 a1 8e e2 c5 48 64 b7 b2 b9 9b 72 61 "
    383   "8f b0 25 74 d1 39 ef 50 f0 19 c9 ee f4 16 97 13 "
    384   "38 e7 d4 70 ";
    385 // Salt:
    386 static const char salt_1_3[] =
    387   "71 0b 9c 47 47 d8 00 d4 de 87 f1 2a fd ce 6d f1 "
    388   "81 07 cc 77 ";
    389 // Signature:
    390 static const char signature_1_3[] =
    391   "66 60 26 fb a7 1b d3 e7 cf 13 15 7c c2 c5 1a 8e "
    392   "4a a6 84 af 97 78 f9 18 49 f3 43 35 d1 41 c0 01 "
    393   "54 c4 19 76 21 f9 62 4a 67 5b 5a bc 22 ee 7d 5b "
    394   "aa ff aa e1 c9 ba ca 2c c3 73 b3 f3 3e 78 e6 14 "
    395   "3c 39 5a 91 aa 7f ac a6 64 eb 73 3a fd 14 d8 82 "
    396   "72 59 d9 9a 75 50 fa ca 50 1e f2 b0 4e 33 c2 3a "
    397   "a5 1f 4b 9e 82 82 ef db 72 8c c0 ab 09 40 5a 91 "
    398   "60 7c 63 69 96 1b c8 27 0d 2d 4f 39 fc e6 12 b1 ";
    399 
    400 // RSASSA-PSS Signature Example 1.4
    401 // Message to be signed:
    402 static const char message_1_4[] =
    403   "bc 65 67 47 fa 9e af b3 f0 ";
    404 // Salt:
    405 static const char salt_1_4[] =
    406   "05 6f 00 98 5d e1 4d 8e f5 ce a9 e8 2f 8c 27 be "
    407   "f7 20 33 5e ";
    408 // Signature:
    409 static const char signature_1_4[] =
    410   "46 09 79 3b 23 e9 d0 93 62 dc 21 bb 47 da 0b 4f "
    411   "3a 76 22 64 9a 47 d4 64 01 9b 9a ea fe 53 35 9c "
    412   "17 8c 91 cd 58 ba 6b cb 78 be 03 46 a7 bc 63 7f "
    413   "4b 87 3d 4b ab 38 ee 66 1f 19 96 34 c5 47 a1 ad "
    414   "84 42 e0 3d a0 15 b1 36 e5 43 f7 ab 07 c0 c1 3e "
    415   "42 25 b8 de 8c ce 25 d4 f6 eb 84 00 f8 1f 7e 18 "
    416   "33 b7 ee 6e 33 4d 37 09 64 ca 79 fd b8 72 b4 d7 "
    417   "52 23 b5 ee b0 81 01 59 1f b5 32 d1 55 a6 de 87 ";
    418 
    419 // RSASSA-PSS Signature Example 1.5
    420 // Message to be signed:
    421 static const char message_1_5[] =
    422   "b4 55 81 54 7e 54 27 77 0c 76 8e 8b 82 b7 55 64 "
    423   "e0 ea 4e 9c 32 59 4d 6b ff 70 65 44 de 0a 87 76 "
    424   "c7 a8 0b 45 76 55 0e ee 1b 2a ca bc 7e 8b 7d 3e "
    425   "f7 bb 5b 03 e4 62 c1 10 47 ea dd 00 62 9a e5 75 "
    426   "48 0a c1 47 0f e0 46 f1 3a 2b f5 af 17 92 1d c4 "
    427   "b0 aa 8b 02 be e6 33 49 11 65 1d 7f 85 25 d1 0f "
    428   "32 b5 1d 33 be 52 0d 3d df 5a 70 99 55 a3 df e7 "
    429   "82 83 b9 e0 ab 54 04 6d 15 0c 17 7f 03 7f dc cc "
    430   "5b e4 ea 5f 68 b5 e5 a3 8c 9d 7e dc cc c4 97 5f "
    431   "45 5a 69 09 b4 ";
    432 // Salt:
    433 static const char salt_1_5[] =
    434   "80 e7 0f f8 6a 08 de 3e c6 09 72 b3 9b 4f bf dc "
    435   "ea 67 ae 8e ";
    436 // Signature:
    437 static const char signature_1_5[] =
    438   "1d 2a ad 22 1c a4 d3 1d df 13 50 92 39 01 93 98 "
    439   "e3 d1 4b 32 dc 34 dc 5a f4 ae ae a3 c0 95 af 73 "
    440   "47 9c f0 a4 5e 56 29 63 5a 53 a0 18 37 76 15 b1 "
    441   "6c b9 b1 3b 3e 09 d6 71 eb 71 e3 87 b8 54 5c 59 "
    442   "60 da 5a 64 77 6e 76 8e 82 b2 c9 35 83 bf 10 4c "
    443   "3f db 23 51 2b 7b 4e 89 f6 33 dd 00 63 a5 30 db "
    444   "45 24 b0 1c 3f 38 4c 09 31 0e 31 5a 79 dc d3 d6 "
    445   "84 02 2a 7f 31 c8 65 a6 64 e3 16 97 8b 75 9f ad ";
    446 
    447 // RSASSA-PSS Signature Example 1.6
    448 // Message to be signed:
    449 static const char message_1_6[] =
    450   "10 aa e9 a0 ab 0b 59 5d 08 41 20 7b 70 0d 48 d7 "
    451   "5f ae dd e3 b7 75 cd 6b 4c c8 8a e0 6e 46 94 ec "
    452   "74 ba 18 f8 52 0d 4f 5e a6 9c bb e7 cc 2b eb a4 "
    453   "3e fd c1 02 15 ac 4e b3 2d c3 02 a1 f5 3d c6 c4 "
    454   "35 22 67 e7 93 6c fe bf 7c 8d 67 03 57 84 a3 90 "
    455   "9f a8 59 c7 b7 b5 9b 8e 39 c5 c2 34 9f 18 86 b7 "
    456   "05 a3 02 67 d4 02 f7 48 6a b4 f5 8c ad 5d 69 ad "
    457   "b1 7a b8 cd 0c e1 ca f5 02 5a f4 ae 24 b1 fb 87 "
    458   "94 c6 07 0c c0 9a 51 e2 f9 91 13 11 e3 87 7d 00 "
    459   "44 c7 1c 57 a9 93 39 50 08 80 6b 72 3a c3 83 73 "
    460   "d3 95 48 18 18 52 8c 1e 70 53 73 92 82 05 35 29 "
    461   "51 0e 93 5c d0 fa 77 b8 fa 53 cc 2d 47 4b d4 fb "
    462   "3c c5 c6 72 d6 ff dc 90 a0 0f 98 48 71 2c 4b cf "
    463   "e4 6c 60 57 36 59 b1 1e 64 57 e8 61 f0 f6 04 b6 "
    464   "13 8d 14 4f 8c e4 e2 da 73 ";
    465 // Salt:
    466 static const char salt_1_6[] =
    467   "a8 ab 69 dd 80 1f 00 74 c2 a1 fc 60 64 98 36 c6 "
    468   "16 d9 96 81 ";
    469 // Signature:
    470 static const char signature_1_6[] =
    471   "2a 34 f6 12 5e 1f 6b 0b f9 71 e8 4f bd 41 c6 32 "
    472   "be 8f 2c 2a ce 7d e8 b6 92 6e 31 ff 93 e9 af 98 "
    473   "7f bc 06 e5 1e 9b e1 4f 51 98 f9 1f 3f 95 3b d6 "
    474   "7d a6 0a 9d f5 97 64 c3 dc 0f e0 8e 1c be f0 b7 "
    475   "5f 86 8d 10 ad 3f ba 74 9f ef 59 fb 6d ac 46 a0 "
    476   "d6 e5 04 36 93 31 58 6f 58 e4 62 8f 39 aa 27 89 "
    477   "82 54 3b c0 ee b5 37 dc 61 95 80 19 b3 94 fb 27 "
    478   "3f 21 58 58 a0 a0 1a c4 d6 50 b9 55 c6 7f 4c 58 ";
    479 
    480 // Example 9: A 1536-bit RSA Key Pair
    481 
    482 // RSA modulus n:
    483 static const char rsa_modulus_n_9[] =
    484   "e6 bd 69 2a c9 66 45 79 04 03 fd d0 f5 be b8 b9 "
    485   "bf 92 ed 10 00 7f c3 65 04 64 19 dd 06 c0 5c 5b "
    486   "5b 2f 48 ec f9 89 e4 ce 26 91 09 97 9c bb 40 b4 "
    487   "a0 ad 24 d2 24 83 d1 ee 31 5a d4 cc b1 53 42 68 "
    488   "35 26 91 c5 24 f6 dd 8e 6c 29 d2 24 cf 24 69 73 "
    489   "ae c8 6c 5b f6 b1 40 1a 85 0d 1b 9a d1 bb 8c bc "
    490   "ec 47 b0 6f 0f 8c 7f 45 d3 fc 8f 31 92 99 c5 43 "
    491   "3d db c2 b3 05 3b 47 de d2 ec d4 a4 ca ef d6 14 "
    492   "83 3d c8 bb 62 2f 31 7e d0 76 b8 05 7f e8 de 3f "
    493   "84 48 0a d5 e8 3e 4a 61 90 4a 4f 24 8f b3 97 02 "
    494   "73 57 e1 d3 0e 46 31 39 81 5c 6f d4 fd 5a c5 b8 "
    495   "17 2a 45 23 0e cb 63 18 a0 4f 14 55 d8 4e 5a 8b ";
    496 // RSA public exponent e:
    497 static const char rsa_public_exponent_e_9[] =
    498   "01 00 01 ";
    499 
    500 // RSASSA-PSS Signature Example 9.1
    501 // Message to be signed:
    502 static const char message_9_1[] =
    503   "a8 8e 26 58 55 e9 d7 ca 36 c6 87 95 f0 b3 1b 59 "
    504   "1c d6 58 7c 71 d0 60 a0 b3 f7 f3 ea ef 43 79 59 "
    505   "22 02 8b c2 b6 ad 46 7c fc 2d 7f 65 9c 53 85 aa "
    506   "70 ba 36 72 cd de 4c fe 49 70 cc 79 04 60 1b 27 "
    507   "88 72 bf 51 32 1c 4a 97 2f 3c 95 57 0f 34 45 d4 "
    508   "f5 79 80 e0 f2 0d f5 48 46 e6 a5 2c 66 8f 12 88 "
    509   "c0 3f 95 00 6e a3 2f 56 2d 40 d5 2a f9 fe b3 2f "
    510   "0f a0 6d b6 5b 58 8a 23 7b 34 e5 92 d5 5c f9 79 "
    511   "f9 03 a6 42 ef 64 d2 ed 54 2a a8 c7 7d c1 dd 76 "
    512   "2f 45 a5 93 03 ed 75 e5 41 ca 27 1e 2b 60 ca 70 "
    513   "9e 44 fa 06 61 13 1e 8d 5d 41 63 fd 8d 39 85 66 "
    514   "ce 26 de 87 30 e7 2f 9c ca 73 76 41 c2 44 15 94 "
    515   "20 63 70 28 df 0a 18 07 9d 62 08 ea 8b 47 11 a2 "
    516   "c7 50 f5 ";
    517 // Salt:
    518 static const char salt_9_1[] =
    519   "c0 a4 25 31 3d f8 d7 56 4b d2 43 4d 31 15 23 d5 "
    520   "25 7e ed 80 ";
    521 // Signature:
    522 static const char signature_9_1[] =
    523   "58 61 07 22 6c 3c e0 13 a7 c8 f0 4d 1a 6a 29 59 "
    524   "bb 4b 8e 20 5b a4 3a 27 b5 0f 12 41 11 bc 35 ef "
    525   "58 9b 03 9f 59 32 18 7c b6 96 d7 d9 a3 2c 0c 38 "
    526   "30 0a 5c dd a4 83 4b 62 d2 eb 24 0a f3 3f 79 d1 "
    527   "3d fb f0 95 bf 59 9e 0d 96 86 94 8c 19 64 74 7b "
    528   "67 e8 9c 9a ba 5c d8 50 16 23 6f 56 6c c5 80 2c "
    529   "b1 3e ad 51 bc 7c a6 be f3 b9 4d cb db b1 d5 70 "
    530   "46 97 71 df 0e 00 b1 a8 a0 67 77 47 2d 23 16 27 "
    531   "9e da e8 64 74 66 8d 4e 1e ff f9 5f 1d e6 1c 60 "
    532   "20 da 32 ae 92 bb f1 65 20 fe f3 cf 4d 88 f6 11 "
    533   "21 f2 4b bd 9f e9 1b 59 ca f1 23 5b 2a 93 ff 81 "
    534   "fc 40 3a dd f4 eb de a8 49 34 a9 cd af 8e 1a 9e ";
    535 
    536 // RSASSA-PSS Signature Example 9.2
    537 // Message to be signed:
    538 static const char message_9_2[] =
    539   "c8 c9 c6 af 04 ac da 41 4d 22 7e f2 3e 08 20 c3 "
    540   "73 2c 50 0d c8 72 75 e9 5b 0d 09 54 13 99 3c 26 "
    541   "58 bc 1d 98 85 81 ba 87 9c 2d 20 1f 14 cb 88 ce "
    542   "d1 53 a0 19 69 a7 bf 0a 7b e7 9c 84 c1 48 6b c1 "
    543   "2b 3f a6 c5 98 71 b6 82 7c 8c e2 53 ca 5f ef a8 "
    544   "a8 c6 90 bf 32 6e 8e 37 cd b9 6d 90 a8 2e ba b6 "
    545   "9f 86 35 0e 18 22 e8 bd 53 6a 2e ";
    546 // Salt:
    547 static const char salt_9_2[] =
    548   "b3 07 c4 3b 48 50 a8 da c2 f1 5f 32 e3 78 39 ef "
    549   "8c 5c 0e 91 ";
    550 // Signature:
    551 static const char signature_9_2[] =
    552   "80 b6 d6 43 25 52 09 f0 a4 56 76 38 97 ac 9e d2 "
    553   "59 d4 59 b4 9c 28 87 e5 88 2e cb 44 34 cf d6 6d "
    554   "d7 e1 69 93 75 38 1e 51 cd 7f 55 4f 2c 27 17 04 "
    555   "b3 99 d4 2b 4b e2 54 0a 0e ca 61 95 1f 55 26 7f "
    556   "7c 28 78 c1 22 84 2d ad b2 8b 01 bd 5f 8c 02 5f "
    557   "7e 22 84 18 a6 73 c0 3d 6b c0 c7 36 d0 a2 95 46 "
    558   "bd 67 f7 86 d9 d6 92 cc ea 77 8d 71 d9 8c 20 63 "
    559   "b7 a7 10 92 18 7a 4d 35 af 10 81 11 d8 3e 83 ea "
    560   "e4 6c 46 aa 34 27 7e 06 04 45 89 90 37 88 f1 d5 "
    561   "e7 ce e2 5f b4 85 e9 29 49 11 88 14 d6 f2 c3 ee "
    562   "36 14 89 01 6f 32 7f b5 bc 51 7e b5 04 70 bf fa "
    563   "1a fa 5f 4c e9 aa 0c e5 b8 ee 19 bf 55 01 b9 58 ";
    564 
    565 // RSASSA-PSS Signature Example 9.3
    566 // Message to be signed:
    567 static const char message_9_3[] =
    568   "0a fa d4 2c cd 4f c6 06 54 a5 50 02 d2 28 f5 2a "
    569   "4a 5f e0 3b 8b bb 08 ca 82 da ca 55 8b 44 db e1 "
    570   "26 6e 50 c0 e7 45 a3 6d 9d 29 04 e3 40 8a bc d1 "
    571   "fd 56 99 94 06 3f 4a 75 cc 72 f2 fe e2 a0 cd 89 "
    572   "3a 43 af 1c 5b 8b 48 7d f0 a7 16 10 02 4e 4f 6d "
    573   "df 9f 28 ad 08 13 c1 aa b9 1b cb 3c 90 64 d5 ff "
    574   "74 2d ef fe a6 57 09 41 39 36 9e 5e a6 f4 a9 63 "
    575   "19 a5 cc 82 24 14 5b 54 50 62 75 8f ef d1 fe 34 "
    576   "09 ae 16 92 59 c6 cd fd 6b 5f 29 58 e3 14 fa ec "
    577   "be 69 d2 ca ce 58 ee 55 17 9a b9 b3 e6 d1 ec c1 "
    578   "4a 55 7c 5f eb e9 88 59 52 64 fc 5d a1 c5 71 46 "
    579   "2e ca 79 8a 18 a1 a4 94 0c da b4 a3 e9 20 09 cc "
    580   "d4 2e 1e 94 7b 13 14 e3 22 38 a2 de ce 7d 23 a8 "
    581   "9b 5b 30 c7 51 fd 0a 4a 43 0d 2c 54 85 94 ";
    582 // Salt:
    583 static const char salt_9_3[] =
    584   "9a 2b 00 7e 80 97 8b bb 19 2c 35 4e b7 da 9a ed "
    585   "fc 74 db f5 ";
    586 // Signature:
    587 static const char signature_9_3[] =
    588   "48 44 08 f3 89 8c d5 f5 34 83 f8 08 19 ef bf 27 "
    589   "08 c3 4d 27 a8 b2 a6 fa e8 b3 22 f9 24 02 37 f9 "
    590   "81 81 7a ca 18 46 f1 08 4d aa 6d 7c 07 95 f6 e5 "
    591   "bf 1a f5 9c 38 e1 85 84 37 ce 1f 7e c4 19 b9 8c "
    592   "87 36 ad f6 dd 9a 00 b1 80 6d 2b d3 ad 0a 73 77 "
    593   "5e 05 f5 2d fe f3 a5 9a b4 b0 81 43 f0 df 05 cd "
    594   "1a d9 d0 4b ec ec a6 da a4 a2 12 98 03 e2 00 cb "
    595   "c7 77 87 ca f4 c1 d0 66 3a 6c 59 87 b6 05 95 20 "
    596   "19 78 2c af 2e c1 42 6d 68 fb 94 ed 1d 4b e8 16 "
    597   "a7 ed 08 1b 77 e6 ab 33 0b 3f fc 07 38 20 fe cd "
    598   "e3 72 7f cb e2 95 ee 61 a0 50 a3 43 65 86 37 c3 "
    599   "fd 65 9c fb 63 73 6d e3 2d 9f 90 d3 c2 f6 3e ca ";
    600 
    601 // RSASSA-PSS Signature Example 9.4
    602 // Message to be signed:
    603 static const char message_9_4[] =
    604   "1d fd 43 b4 6c 93 db 82 62 9b da e2 bd 0a 12 b8 "
    605   "82 ea 04 c3 b4 65 f5 cf 93 02 3f 01 05 96 26 db "
    606   "be 99 f2 6b b1 be 94 9d dd d1 6d c7 f3 de bb 19 "
    607   "a1 94 62 7f 0b 22 44 34 df 7d 87 00 e9 e9 8b 06 "
    608   "e3 60 c1 2f db e3 d1 9f 51 c9 68 4e b9 08 9e cb "
    609   "b0 a2 f0 45 03 99 d3 f5 9e ac 72 94 08 5d 04 4f "
    610   "53 93 c6 ce 73 74 23 d8 b8 6c 41 53 70 d3 89 e3 "
    611   "0b 9f 0a 3c 02 d2 5d 00 82 e8 ad 6f 3f 1e f2 4a "
    612   "45 c3 cf 82 b3 83 36 70 63 a4 d4 61 3e 42 64 f0 "
    613   "1b 2d ac 2e 5a a4 20 43 f8 fb 5f 69 fa 87 1d 14 "
    614   "fb 27 3e 76 7a 53 1c 40 f0 2f 34 3b c2 fb 45 a0 "
    615   "c7 e0 f6 be 25 61 92 3a 77 21 1d 66 a6 e2 db b4 "
    616   "3c 36 63 50 be ae 22 da 3a c2 c1 f5 07 70 96 fc "
    617   "b5 c4 bf 25 5f 75 74 35 1a e0 b1 e1 f0 36 32 81 "
    618   "7c 08 56 d4 a8 ba 97 af bd c8 b8 58 55 40 2b c5 "
    619   "69 26 fc ec 20 9f 9e a8 ";
    620 // Salt:
    621 static const char salt_9_4[] =
    622   "70 f3 82 bd df 4d 5d 2d d8 8b 3b c7 b7 30 8b e6 "
    623   "32 b8 40 45 ";
    624 // Signature:
    625 static const char signature_9_4[] =
    626   "84 eb eb 48 1b e5 98 45 b4 64 68 ba fb 47 1c 01 "
    627   "12 e0 2b 23 5d 84 b5 d9 11 cb d1 92 6e e5 07 4a "
    628   "e0 42 44 95 cb 20 e8 23 08 b8 eb b6 5f 41 9a 03 "
    629   "fb 40 e7 2b 78 98 1d 88 aa d1 43 05 36 85 17 2c "
    630   "97 b2 9c 8b 7b f0 ae 73 b5 b2 26 3c 40 3d a0 ed "
    631   "2f 80 ff 74 50 af 78 28 eb 8b 86 f0 02 8b d2 a8 "
    632   "b1 76 a4 d2 28 cc ce a1 83 94 f2 38 b0 9f f7 58 "
    633   "cc 00 bc 04 30 11 52 35 57 42 f2 82 b5 4e 66 3a "
    634   "91 9e 70 9d 8d a2 4a de 55 00 a7 b9 aa 50 22 6e "
    635   "0c a5 29 23 e6 c2 d8 60 ec 50 ff 48 0f a5 74 77 "
    636   "e8 2b 05 65 f4 37 9f 79 c7 72 d5 c2 da 80 af 9f "
    637   "bf 32 5e ce 6f c2 0b 00 96 16 14 be e8 9a 18 3e ";
    638 
    639 // RSASSA-PSS Signature Example 9.5
    640 // Message to be signed:
    641 static const char message_9_5[] =
    642   "1b dc 6e 7c 98 fb 8c f5 4e 9b 09 7b 66 a8 31 e9 "
    643   "cf e5 2d 9d 48 88 44 8e e4 b0 97 80 93 ba 1d 7d "
    644   "73 ae 78 b3 a6 2b a4 ad 95 cd 28 9c cb 9e 00 52 "
    645   "26 bb 3d 17 8b cc aa 82 1f b0 44 a4 e2 1e e9 76 "
    646   "96 c1 4d 06 78 c9 4c 2d ae 93 b0 ad 73 92 22 18 "
    647   "55 3d aa 7e 44 eb e5 77 25 a7 a4 5c c7 2b 9b 21 "
    648   "38 a6 b1 7c 8d b4 11 ce 82 79 ee 12 41 af f0 a8 "
    649   "be c6 f7 7f 87 ed b0 c6 9c b2 72 36 e3 43 5a 80 "
    650   "0b 19 2e 4f 11 e5 19 e3 fe 30 fc 30 ea cc ca 4f "
    651   "bb 41 76 90 29 bf 70 8e 81 7a 9e 68 38 05 be 67 "
    652   "fa 10 09 84 68 3b 74 83 8e 3b cf fa 79 36 6e ed "
    653   "1d 48 1c 76 72 91 18 83 8f 31 ba 8a 04 8a 93 c1 "
    654   "be 44 24 59 8e 8d f6 32 8b 7a 77 88 0a 3f 9c 7e "
    655   "2e 8d fc a8 eb 5a 26 fb 86 bd c5 56 d4 2b be 01 "
    656   "d9 fa 6e d8 06 46 49 1c 93 41 ";
    657 // Salt:
    658 static const char salt_9_5[] =
    659   "d6 89 25 7a 86 ef fa 68 21 2c 5e 0c 61 9e ca 29 "
    660   "5f b9 1b 67 ";
    661 // Signature:
    662 static const char signature_9_5[] =
    663   "82 10 2d f8 cb 91 e7 17 99 19 a0 4d 26 d3 35 d6 "
    664   "4f bc 2f 87 2c 44 83 39 43 24 1d e8 45 48 10 27 "
    665   "4c df 3d b5 f4 2d 42 3d b1 52 af 71 35 f7 01 42 "
    666   "0e 39 b4 94 a6 7c bf d1 9f 91 19 da 23 3a 23 da "
    667   "5c 64 39 b5 ba 0d 2b c3 73 ee e3 50 70 01 37 8d "
    668   "4a 40 73 85 6b 7f e2 ab a0 b5 ee 93 b2 7f 4a fe "
    669   "c7 d4 d1 20 92 1c 83 f6 06 76 5b 02 c1 9e 4d 6a "
    670   "1a 3b 95 fa 4c 42 29 51 be 4f 52 13 10 77 ef 17 "
    671   "17 97 29 cd df bd b5 69 50 db ac ee fe 78 cb 16 "
    672   "64 0a 09 9e a5 6d 24 38 9e ef 10 f8 fe cb 31 ba "
    673   "3e a3 b2 27 c0 a8 66 98 bb 89 e3 e9 36 39 05 bf "
    674   "22 77 7b 2a 3a a5 21 b6 5b 4c ef 76 d8 3b de 4c ";
    675 
    676 // RSASSA-PSS Signature Example 9.6
    677 // Message to be signed:
    678 static const char message_9_6[] =
    679   "88 c7 a9 f1 36 04 01 d9 0e 53 b1 01 b6 1c 53 25 "
    680   "c3 c7 5d b1 b4 11 fb eb 8e 83 0b 75 e9 6b 56 67 "
    681   "0a d2 45 40 4e 16 79 35 44 ee 35 4b c6 13 a9 0c "
    682   "c9 84 87 15 a7 3d b5 89 3e 7f 6d 27 98 15 c0 c1 "
    683   "de 83 ef 8e 29 56 e3 a5 6e d2 6a 88 8d 7a 9c dc "
    684   "d0 42 f4 b1 6b 7f a5 1e f1 a0 57 36 62 d1 6a 30 "
    685   "2d 0e c5 b2 85 d2 e0 3a d9 65 29 c8 7b 3d 37 4d "
    686   "b3 72 d9 5b 24 43 d0 61 b6 b1 a3 50 ba 87 80 7e "
    687   "d0 83 af d1 eb 05 c3 f5 2f 4e ba 5e d2 22 77 14 "
    688   "fd b5 0b 9d 9d 9d d6 81 4f 62 f6 27 2f cd 5c db "
    689   "ce 7a 9e f7 97 ";
    690 // Salt:
    691 static const char salt_9_6[] =
    692   "c2 5f 13 bf 67 d0 81 67 1a 04 81 a1 f1 82 0d 61 "
    693   "3b ba 22 76 ";
    694 // Signature:
    695 static const char signature_9_6[] =
    696   "a7 fd b0 d2 59 16 5c a2 c8 8d 00 bb f1 02 8a 86 "
    697   "7d 33 76 99 d0 61 19 3b 17 a9 64 8e 14 cc bb aa "
    698   "de ac aa cd ec 81 5e 75 71 29 4e bb 8a 11 7a f2 "
    699   "05 fa 07 8b 47 b0 71 2c 19 9e 3a d0 51 35 c5 04 "
    700   "c2 4b 81 70 51 15 74 08 02 48 79 92 ff d5 11 d4 "
    701   "af c6 b8 54 49 1e b3 f0 dd 52 31 39 54 2f f1 5c "
    702   "31 01 ee 85 54 35 17 c6 a3 c7 94 17 c6 7e 2d d9 "
    703   "aa 74 1e 9a 29 b0 6d cb 59 3c 23 36 b3 67 0a e3 "
    704   "af ba c7 c3 e7 6e 21 54 73 e8 66 e3 38 ca 24 4d "
    705   "e0 0b 62 62 4d 6b 94 26 82 2c ea e9 f8 cc 46 08 "
    706   "95 f4 12 50 07 3f d4 5c 5a 1e 7b 42 5c 20 4a 42 "
    707   "3a 69 91 59 f6 90 3e 71 0b 37 a7 bb 2b c8 04 9f ";
    708 
    709 // Example 10: A 2048-bit RSA Key Pair
    710 
    711 // RSA modulus n:
    712 static const char rsa_modulus_n_10[] =
    713   "a5 dd 86 7a c4 cb 02 f9 0b 94 57 d4 8c 14 a7 70 "
    714   "ef 99 1c 56 c3 9c 0e c6 5f d1 1a fa 89 37 ce a5 "
    715   "7b 9b e7 ac 73 b4 5c 00 17 61 5b 82 d6 22 e3 18 "
    716   "75 3b 60 27 c0 fd 15 7b e1 2f 80 90 fe e2 a7 ad "
    717   "cd 0e ef 75 9f 88 ba 49 97 c7 a4 2d 58 c9 aa 12 "
    718   "cb 99 ae 00 1f e5 21 c1 3b b5 43 14 45 a8 d5 ae "
    719   "4f 5e 4c 7e 94 8a c2 27 d3 60 40 71 f2 0e 57 7e "
    720   "90 5f be b1 5d fa f0 6d 1d e5 ae 62 53 d6 3a 6a "
    721   "21 20 b3 1a 5d a5 da bc 95 50 60 0e 20 f2 7d 37 "
    722   "39 e2 62 79 25 fe a3 cc 50 9f 21 df f0 4e 6e ea "
    723   "45 49 c5 40 d6 80 9f f9 30 7e ed e9 1f ff 58 73 "
    724   "3d 83 85 a2 37 d6 d3 70 5a 33 e3 91 90 09 92 07 "
    725   "0d f7 ad f1 35 7c f7 e3 70 0c e3 66 7d e8 3f 17 "
    726   "b8 df 17 78 db 38 1d ce 09 cb 4a d0 58 a5 11 00 "
    727   "1a 73 81 98 ee 27 cf 55 a1 3b 75 45 39 90 65 82 "
    728   "ec 8b 17 4b d5 8d 5d 1f 3d 76 7c 61 37 21 ae 05 ";
    729 // RSA public exponent e:
    730 static const char rsa_public_exponent_e_10[] =
    731   "01 00 01 ";
    732 
    733 // RSASSA-PSS Signature Example 10.1
    734 // Message to be signed:
    735 static const char message_10_1[] =
    736   "88 31 77 e5 12 6b 9b e2 d9 a9 68 03 27 d5 37 0c "
    737   "6f 26 86 1f 58 20 c4 3d a6 7a 3a d6 09 ";
    738 // Salt:
    739 static const char salt_10_1[] =
    740   "04 e2 15 ee 6f f9 34 b9 da 70 d7 73 0c 87 34 ab "
    741   "fc ec de 89 ";
    742 // Signature:
    743 static const char signature_10_1[] =
    744   "82 c2 b1 60 09 3b 8a a3 c0 f7 52 2b 19 f8 73 54 "
    745   "06 6c 77 84 7a bf 2a 9f ce 54 2d 0e 84 e9 20 c5 "
    746   "af b4 9f fd fd ac e1 65 60 ee 94 a1 36 96 01 14 "
    747   "8e ba d7 a0 e1 51 cf 16 33 17 91 a5 72 7d 05 f2 "
    748   "1e 74 e7 eb 81 14 40 20 69 35 d7 44 76 5a 15 e7 "
    749   "9f 01 5c b6 6c 53 2c 87 a6 a0 59 61 c8 bf ad 74 "
    750   "1a 9a 66 57 02 28 94 39 3e 72 23 73 97 96 c0 2a "
    751   "77 45 5d 0f 55 5b 0e c0 1d df 25 9b 62 07 fd 0f "
    752   "d5 76 14 ce f1 a5 57 3b aa ff 4e c0 00 69 95 16 "
    753   "59 b8 5f 24 30 0a 25 16 0c a8 52 2d c6 e6 72 7e "
    754   "57 d0 19 d7 e6 36 29 b8 fe 5e 89 e2 5c c1 5b eb "
    755   "3a 64 75 77 55 92 99 28 0b 9b 28 f7 9b 04 09 00 "
    756   "0b e2 5b bd 96 40 8b a3 b4 3c c4 86 18 4d d1 c8 "
    757   "e6 25 53 fa 1a f4 04 0f 60 66 3d e7 f5 e4 9c 04 "
    758   "38 8e 25 7f 1c e8 9c 95 da b4 8a 31 5d 9b 66 b1 "
    759   "b7 62 82 33 87 6f f2 38 52 30 d0 70 d0 7e 16 66 ";
    760 
    761 // RSASSA-PSS Signature Example 10.2
    762 // Message to be signed:
    763 static const char message_10_2[] =
    764   "dd 67 0a 01 46 58 68 ad c9 3f 26 13 19 57 a5 0c "
    765   "52 fb 77 7c db aa 30 89 2c 9e 12 36 11 64 ec 13 "
    766   "97 9d 43 04 81 18 e4 44 5d b8 7b ee 58 dd 98 7b "
    767   "34 25 d0 20 71 d8 db ae 80 70 8b 03 9d bb 64 db "
    768   "d1 de 56 57 d9 fe d0 c1 18 a5 41 43 74 2e 0f f3 "
    769   "c8 7f 74 e4 58 57 64 7a f3 f7 9e b0 a1 4c 9d 75 "
    770   "ea 9a 1a 04 b7 cf 47 8a 89 7a 70 8f d9 88 f4 8e "
    771   "80 1e db 0b 70 39 df 8c 23 bb 3c 56 f4 e8 21 ac ";
    772 // Salt:
    773 static const char salt_10_2[] =
    774   "8b 2b dd 4b 40 fa f5 45 c7 78 dd f9 bc 1a 49 cb "
    775   "57 f9 b7 1b ";
    776 // Signature:
    777 static const char signature_10_2[] =
    778   "14 ae 35 d9 dd 06 ba 92 f7 f3 b8 97 97 8a ed 7c "
    779   "d4 bf 5f f0 b5 85 a4 0b d4 6c e1 b4 2c d2 70 30 "
    780   "53 bb 90 44 d6 4e 81 3d 8f 96 db 2d d7 00 7d 10 "
    781   "11 8f 6f 8f 84 96 09 7a d7 5e 1f f6 92 34 1b 28 "
    782   "92 ad 55 a6 33 a1 c5 5e 7f 0a 0a d5 9a 0e 20 3a "
    783   "5b 82 78 ae c5 4d d8 62 2e 28 31 d8 71 74 f8 ca "
    784   "ff 43 ee 6c 46 44 53 45 d8 4a 59 65 9b fb 92 ec "
    785   "d4 c8 18 66 86 95 f3 47 06 f6 68 28 a8 99 59 63 "
    786   "7f 2b f3 e3 25 1c 24 bd ba 4d 4b 76 49 da 00 22 "
    787   "21 8b 11 9c 84 e7 9a 65 27 ec 5b 8a 5f 86 1c 15 "
    788   "99 52 e2 3e c0 5e 1e 71 73 46 fa ef e8 b1 68 68 "
    789   "25 bd 2b 26 2f b2 53 10 66 c0 de 09 ac de 2e 42 "
    790   "31 69 07 28 b5 d8 5e 11 5a 2f 6b 92 b7 9c 25 ab "
    791   "c9 bd 93 99 ff 8b cf 82 5a 52 ea 1f 56 ea 76 dd "
    792   "26 f4 3b aa fa 18 bf a9 2a 50 4c bd 35 69 9e 26 "
    793   "d1 dc c5 a2 88 73 85 f3 c6 32 32 f0 6f 32 44 c3 ";
    794 
    795 // RSASSA-PSS Signature Example 10.3
    796 // Message to be signed:
    797 static const char message_10_3[] =
    798   "48 b2 b6 a5 7a 63 c8 4c ea 85 9d 65 c6 68 28 4b "
    799   "08 d9 6b dc aa be 25 2d b0 e4 a9 6c b1 ba c6 01 "
    800   "93 41 db 6f be fb 8d 10 6b 0e 90 ed a6 bc c6 c6 "
    801   "26 2f 37 e7 ea 9c 7e 5d 22 6b d7 df 85 ec 5e 71 "
    802   "ef ff 2f 54 c5 db 57 7f f7 29 ff 91 b8 42 49 1d "
    803   "e2 74 1d 0c 63 16 07 df 58 6b 90 5b 23 b9 1a f1 "
    804   "3d a1 23 04 bf 83 ec a8 a7 3e 87 1f f9 db ";
    805 // Salt:
    806 static const char salt_10_3[] =
    807   "4e 96 fc 1b 39 8f 92 b4 46 71 01 0c 0d c3 ef d6 "
    808   "e2 0c 2d 73 ";
    809 // Signature:
    810 static const char signature_10_3[] =
    811   "6e 3e 4d 7b 6b 15 d2 fb 46 01 3b 89 00 aa 5b bb "
    812   "39 39 cf 2c 09 57 17 98 70 42 02 6e e6 2c 74 c5 "
    813   "4c ff d5 d7 d5 7e fb bf 95 0a 0f 5c 57 4f a0 9d "
    814   "3f c1 c9 f5 13 b0 5b 4f f5 0d d8 df 7e df a2 01 "
    815   "02 85 4c 35 e5 92 18 01 19 a7 0c e5 b0 85 18 2a "
    816   "a0 2d 9e a2 aa 90 d1 df 03 f2 da ae 88 5b a2 f5 "
    817   "d0 5a fd ac 97 47 6f 06 b9 3b 5b c9 4a 1a 80 aa "
    818   "91 16 c4 d6 15 f3 33 b0 98 89 2b 25 ff ac e2 66 "
    819   "f5 db 5a 5a 3b cc 10 a8 24 ed 55 aa d3 5b 72 78 "
    820   "34 fb 8c 07 da 28 fc f4 16 a5 d9 b2 22 4f 1f 8b "
    821   "44 2b 36 f9 1e 45 6f de a2 d7 cf e3 36 72 68 de "
    822   "03 07 a4 c7 4e 92 41 59 ed 33 39 3d 5e 06 55 53 "
    823   "1c 77 32 7b 89 82 1b de df 88 01 61 c7 8c d4 19 "
    824   "6b 54 19 f7 ac c3 f1 3e 5e bf 16 1b 6e 7c 67 24 "
    825   "71 6c a3 3b 85 c2 e2 56 40 19 2a c2 85 96 51 d5 "
    826   "0b de 7e b9 76 e5 1c ec 82 8b 98 b6 56 3b 86 bb ";
    827 
    828 // RSASSA-PSS Signature Example 10.4
    829 // Message to be signed:
    830 static const char message_10_4[] =
    831   "0b 87 77 c7 f8 39 ba f0 a6 4b bb db c5 ce 79 75 "
    832   "5c 57 a2 05 b8 45 c1 74 e2 d2 e9 05 46 a0 89 c4 "
    833   "e6 ec 8a df fa 23 a7 ea 97 ba e6 b6 5d 78 2b 82 "
    834   "db 5d 2b 5a 56 d2 2a 29 a0 5e 7c 44 33 e2 b8 2a "
    835   "62 1a bb a9 0a dd 05 ce 39 3f c4 8a 84 05 42 45 "
    836   "1a ";
    837 // Salt:
    838 static const char salt_10_4[] =
    839   "c7 cd 69 8d 84 b6 51 28 d8 83 5e 3a 8b 1e b0 e0 "
    840   "1c b5 41 ec ";
    841 // Signature:
    842 static const char signature_10_4[] =
    843   "34 04 7f f9 6c 4d c0 dc 90 b2 d4 ff 59 a1 a3 61 "
    844   "a4 75 4b 25 5d 2e e0 af 7d 8b f8 7c 9b c9 e7 dd "
    845   "ee de 33 93 4c 63 ca 1c 0e 3d 26 2c b1 45 ef 93 "
    846   "2a 1f 2c 0a 99 7a a6 a3 4f 8e ae e7 47 7d 82 cc "
    847   "f0 90 95 a6 b8 ac ad 38 d4 ee c9 fb 7e ab 7a d0 "
    848   "2d a1 d1 1d 8e 54 c1 82 5e 55 bf 58 c2 a2 32 34 "
    849   "b9 02 be 12 4f 9e 90 38 a8 f6 8f a4 5d ab 72 f6 "
    850   "6e 09 45 bf 1d 8b ac c9 04 4c 6f 07 09 8c 9f ce "
    851   "c5 8a 3a ab 10 0c 80 51 78 15 5f 03 0a 12 4c 45 "
    852   "0e 5a cb da 47 d0 e4 f1 0b 80 a2 3f 80 3e 77 4d "
    853   "02 3b 00 15 c2 0b 9f 9b be 7c 91 29 63 38 d5 ec "
    854   "b4 71 ca fb 03 20 07 b6 7a 60 be 5f 69 50 4a 9f "
    855   "01 ab b3 cb 46 7b 26 0e 2b ce 86 0b e8 d9 5b f9 "
    856   "2c 0c 8e 14 96 ed 1e 52 85 93 a4 ab b6 df 46 2d "
    857   "de 8a 09 68 df fe 46 83 11 68 57 a2 32 f5 eb f6 "
    858   "c8 5b e2 38 74 5a d0 f3 8f 76 7a 5f db f4 86 fb ";
    859 
    860 // RSASSA-PSS Signature Example 10.5
    861 // Message to be signed:
    862 static const char message_10_5[] =
    863   "f1 03 6e 00 8e 71 e9 64 da dc 92 19 ed 30 e1 7f "
    864   "06 b4 b6 8a 95 5c 16 b3 12 b1 ed df 02 8b 74 97 "
    865   "6b ed 6b 3f 6a 63 d4 e7 78 59 24 3c 9c cc dc 98 "
    866   "01 65 23 ab b0 24 83 b3 55 91 c3 3a ad 81 21 3b "
    867   "b7 c7 bb 1a 47 0a ab c1 0d 44 25 6c 4d 45 59 d9 "
    868   "16 ";
    869 // Salt:
    870 static const char salt_10_5[] =
    871   "ef a8 bf f9 62 12 b2 f4 a3 f3 71 a1 0d 57 41 52 "
    872   "65 5f 5d fb ";
    873 // Signature:
    874 static const char signature_10_5[] =
    875   "7e 09 35 ea 18 f4 d6 c1 d1 7c e8 2e b2 b3 83 6c "
    876   "55 b3 84 58 9c e1 9d fe 74 33 63 ac 99 48 d1 f3 "
    877   "46 b7 bf dd fe 92 ef d7 8a db 21 fa ef c8 9a de "
    878   "42 b1 0f 37 40 03 fe 12 2e 67 42 9a 1c b8 cb d1 "
    879   "f8 d9 01 45 64 c4 4d 12 01 16 f4 99 0f 1a 6e 38 "
    880   "77 4c 19 4b d1 b8 21 32 86 b0 77 b0 49 9d 2e 7b "
    881   "3f 43 4a b1 22 89 c5 56 68 4d ee d7 81 31 93 4b "
    882   "b3 dd 65 37 23 6f 7c 6f 3d cb 09 d4 76 be 07 72 "
    883   "1e 37 e1 ce ed 9b 2f 7b 40 68 87 bd 53 15 73 05 "
    884   "e1 c8 b4 f8 4d 73 3b c1 e1 86 fe 06 cc 59 b6 ed "
    885   "b8 f4 bd 7f fe fd f4 f7 ba 9c fb 9d 57 06 89 b5 "
    886   "a1 a4 10 9a 74 6a 69 08 93 db 37 99 25 5a 0c b9 "
    887   "21 5d 2d 1c d4 90 59 0e 95 2e 8c 87 86 aa 00 11 "
    888   "26 52 52 47 0c 04 1d fb c3 ee c7 c3 cb f7 1c 24 "
    889   "86 9d 11 5c 0c b4 a9 56 f5 6d 53 0b 80 ab 58 9a "
    890   "cf ef c6 90 75 1d df 36 e8 d3 83 f8 3c ed d2 cc ";
    891 
    892 // RSASSA-PSS Signature Example 10.6
    893 // Message to be signed:
    894 static const char message_10_6[] =
    895   "25 f1 08 95 a8 77 16 c1 37 45 0b b9 51 9d fa a1 "
    896   "f2 07 fa a9 42 ea 88 ab f7 1e 9c 17 98 00 85 b5 "
    897   "55 ae ba b7 62 64 ae 2a 3a b9 3c 2d 12 98 11 91 "
    898   "dd ac 6f b5 94 9e b3 6a ee 3c 5d a9 40 f0 07 52 "
    899   "c9 16 d9 46 08 fa 7d 97 ba 6a 29 15 b6 88 f2 03 "
    900   "23 d4 e9 d9 68 01 d8 9a 72 ab 58 92 dc 21 17 c0 "
    901   "74 34 fc f9 72 e0 58 cf 8c 41 ca 4b 4f f5 54 f7 "
    902   "d5 06 8a d3 15 5f ce d0 f3 12 5b c0 4f 91 93 37 "
    903   "8a 8f 5c 4c 3b 8c b4 dd 6d 1c c6 9d 30 ec ca 6e "
    904   "aa 51 e3 6a 05 73 0e 9e 34 2e 85 5b af 09 9d ef "
    905   "b8 af d7 ";
    906 // Salt:
    907 static const char salt_10_6[] =
    908   "ad 8b 15 23 70 36 46 22 4b 66 0b 55 08 85 91 7c "
    909   "a2 d1 df 28 ";
    910 // Signature:
    911 static const char signature_10_6[] =
    912   "6d 3b 5b 87 f6 7e a6 57 af 21 f7 54 41 97 7d 21 "
    913   "80 f9 1b 2c 5f 69 2d e8 29 55 69 6a 68 67 30 d9 "
    914   "b9 77 8d 97 07 58 cc b2 60 71 c2 20 9f fb d6 12 "
    915   "5b e2 e9 6e a8 1b 67 cb 9b 93 08 23 9f da 17 f7 "
    916   "b2 b6 4e cd a0 96 b6 b9 35 64 0a 5a 1c b4 2a 91 "
    917   "55 b1 c9 ef 7a 63 3a 02 c5 9f 0d 6e e5 9b 85 2c "
    918   "43 b3 50 29 e7 3c 94 0f f0 41 0e 8f 11 4e ed 46 "
    919   "bb d0 fa e1 65 e4 2b e2 52 8a 40 1c 3b 28 fd 81 "
    920   "8e f3 23 2d ca 9f 4d 2a 0f 51 66 ec 59 c4 23 96 "
    921   "d6 c1 1d bc 12 15 a5 6f a1 71 69 db 95 75 34 3e "
    922   "f3 4f 9d e3 2a 49 cd c3 17 49 22 f2 29 c2 3e 18 "
    923   "e4 5d f9 35 31 19 ec 43 19 ce dc e7 a1 7c 64 08 "
    924   "8c 1f 6f 52 be 29 63 41 00 b3 91 9d 38 f3 d1 ed "
    925   "94 e6 89 1e 66 a7 3b 8f b8 49 f5 87 4d f5 94 59 "
    926   "e2 98 c7 bb ce 2e ee 78 2a 19 5a a6 6f e2 d0 73 "
    927   "2b 25 e5 95 f5 7d 3e 06 1b 1f c3 e4 06 3b f9 8f ";
    928 
    929 struct SignatureExample {
    930   const char* message;
    931   const char* salt;
    932   const char* signature;
    933 };
    934 
    935 struct PSSTestVector {
    936   const char* modulus_n;
    937   const char* public_exponent_e;
    938   SignatureExample example[6];
    939 };
    940 
    941 static const PSSTestVector pss_test[] = {
    942   {
    943     rsa_modulus_n_1,
    944     rsa_public_exponent_e_1,
    945     {
    946       { message_1_1, salt_1_1, signature_1_1 },
    947       { message_1_2, salt_1_2, signature_1_2 },
    948       { message_1_3, salt_1_3, signature_1_3 },
    949       { message_1_4, salt_1_4, signature_1_4 },
    950       { message_1_5, salt_1_5, signature_1_5 },
    951       { message_1_6, salt_1_6, signature_1_6 },
    952     }
    953   },
    954   {
    955     rsa_modulus_n_9,
    956     rsa_public_exponent_e_9,
    957     {
    958       { message_9_1, salt_9_1, signature_9_1 },
    959       { message_9_2, salt_9_2, signature_9_2 },
    960       { message_9_3, salt_9_3, signature_9_3 },
    961       { message_9_4, salt_9_4, signature_9_4 },
    962       { message_9_5, salt_9_5, signature_9_5 },
    963       { message_9_6, salt_9_6, signature_9_6 },
    964     }
    965   },
    966   {
    967     rsa_modulus_n_10,
    968     rsa_public_exponent_e_10,
    969     {
    970       { message_10_1, salt_10_1, signature_10_1 },
    971       { message_10_2, salt_10_2, signature_10_2 },
    972       { message_10_3, salt_10_3, signature_10_3 },
    973       { message_10_4, salt_10_4, signature_10_4 },
    974       { message_10_5, salt_10_5, signature_10_5 },
    975       { message_10_6, salt_10_6, signature_10_6 },
    976     }
    977   },
    978 };
    979 
    980 static uint8_t HexDigitValue(char digit) {
    981   if ('0' <= digit && digit <= '9')
    982     return digit - '0';
    983   if ('a' <= digit && digit <= 'f')
    984     return digit - 'a' + 10;
    985   return digit - 'A' + 10;
    986 }
    987 
    988 static bool DecodeTestInput(const char* in, std::vector<uint8_t>* out) {
    989   out->clear();
    990   while (in[0] != '\0') {
    991     if (!isxdigit(in[0]) || !isxdigit(in[1]) || in[2] != ' ')
    992       return false;
    993     uint8_t octet = HexDigitValue(in[0]) * 16 + HexDigitValue(in[1]);
    994     out->push_back(octet);
    995     in += 3;
    996   }
    997   return true;
    998 }
    999 
   1000 // PrependASN1Length prepends an ASN.1 serialized length to the beginning of
   1001 // |out|.
   1002 static void PrependASN1Length(std::vector<uint8_t>* out, size_t len) {
   1003   if (len < 128) {
   1004     out->insert(out->begin(), static_cast<uint8_t>(len));
   1005   } else if (len < 256) {
   1006     out->insert(out->begin(), static_cast<uint8_t>(len));
   1007     out->insert(out->begin(), 0x81);
   1008   } else if (len < 0x10000) {
   1009     out->insert(out->begin(), static_cast<uint8_t>(len));
   1010     out->insert(out->begin(), static_cast<uint8_t>(len >> 8));
   1011     out->insert(out->begin(), 0x82);
   1012   } else {
   1013     CHECK(false) << "ASN.1 length not handled: " << len;
   1014   }
   1015 }
   1016 
   1017 static bool EncodeRSAPublicKey(const std::vector<uint8_t>& modulus_n,
   1018                                const std::vector<uint8_t>& public_exponent_e,
   1019                                std::vector<uint8_t>* public_key_info) {
   1020   // The public key is specified as the following ASN.1 structure:
   1021   //   SubjectPublicKeyInfo  ::=  SEQUENCE  {
   1022   //       algorithm            AlgorithmIdentifier,
   1023   //       subjectPublicKey     BIT STRING  }
   1024   //
   1025   // The signature algorithm is specified as the following ASN.1 structure:
   1026   //    AlgorithmIdentifier  ::=  SEQUENCE  {
   1027   //        algorithm               OBJECT IDENTIFIER,
   1028   //        parameters              ANY DEFINED BY algorithm OPTIONAL  }
   1029   //
   1030   // An RSA public key is specified as the following ASN.1 structure:
   1031   //    RSAPublicKey ::= SEQUENCE {
   1032   //        modulus           INTEGER,  -- n
   1033   //        publicExponent    INTEGER   -- e
   1034   //    }
   1035   static const uint8_t kIntegerTag = 0x02;
   1036   static const uint8_t kBitStringTag = 0x03;
   1037   static const uint8_t kSequenceTag = 0x30;
   1038   public_key_info->clear();
   1039 
   1040   // Encode the public exponent e as an INTEGER.
   1041   public_key_info->insert(public_key_info->begin(),
   1042                           public_exponent_e.begin(),
   1043                           public_exponent_e.end());
   1044   PrependASN1Length(public_key_info, public_exponent_e.size());
   1045   public_key_info->insert(public_key_info->begin(), kIntegerTag);
   1046 
   1047   // Encode the modulus n as an INTEGER.
   1048   public_key_info->insert(public_key_info->begin(),
   1049                           modulus_n.begin(), modulus_n.end());
   1050   size_t modulus_size = modulus_n.size();
   1051   if (modulus_n[0] & 0x80) {
   1052     public_key_info->insert(public_key_info->begin(), 0x00);
   1053     modulus_size++;
   1054   }
   1055   PrependASN1Length(public_key_info, modulus_size);
   1056   public_key_info->insert(public_key_info->begin(), kIntegerTag);
   1057 
   1058   // Encode the RSAPublicKey SEQUENCE.
   1059   PrependASN1Length(public_key_info, public_key_info->size());
   1060   public_key_info->insert(public_key_info->begin(), kSequenceTag);
   1061 
   1062   // Encode the BIT STRING.
   1063   // Number of unused bits.
   1064   public_key_info->insert(public_key_info->begin(), 0x00);
   1065   PrependASN1Length(public_key_info, public_key_info->size());
   1066   public_key_info->insert(public_key_info->begin(), kBitStringTag);
   1067 
   1068   // Encode the AlgorithmIdentifier.
   1069   static const uint8_t algorithm[] = {
   1070       0x30, 0x0d,  // a SEQUENCE of length 13
   1071       0x06, 0x09,  // an OBJECT IDENTIFIER of length 9
   1072       0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00,
   1073   };
   1074   public_key_info->insert(public_key_info->begin(),
   1075                           algorithm, algorithm + sizeof(algorithm));
   1076 
   1077   // Encode the outermost SEQUENCE.
   1078   PrependASN1Length(public_key_info, public_key_info->size());
   1079   public_key_info->insert(public_key_info->begin(), kSequenceTag);
   1080 
   1081   return true;
   1082 }
   1083 
   1084 TEST(SignatureVerifierTest, VerifyRSAPSS) {
   1085   for (unsigned int i = 0; i < arraysize(pss_test); i++) {
   1086     SCOPED_TRACE(i);
   1087     std::vector<uint8_t> modulus_n;
   1088     std::vector<uint8_t> public_exponent_e;
   1089     ASSERT_TRUE(DecodeTestInput(pss_test[i].modulus_n, &modulus_n));
   1090     ASSERT_TRUE(DecodeTestInput(pss_test[i].public_exponent_e,
   1091                                 &public_exponent_e));
   1092     std::vector<uint8_t> public_key_info;
   1093     ASSERT_TRUE(EncodeRSAPublicKey(modulus_n, public_exponent_e,
   1094                                    &public_key_info));
   1095 
   1096     for (unsigned int j = 0; j < arraysize(pss_test[i].example); j++) {
   1097       SCOPED_TRACE(j);
   1098       std::vector<uint8_t> message;
   1099       std::vector<uint8_t> salt;
   1100       std::vector<uint8_t> signature;
   1101       ASSERT_TRUE(DecodeTestInput(pss_test[i].example[j].message, &message));
   1102       ASSERT_TRUE(DecodeTestInput(pss_test[i].example[j].salt, &salt));
   1103       ASSERT_TRUE(DecodeTestInput(pss_test[i].example[j].signature,
   1104                                   &signature));
   1105 
   1106       crypto::SignatureVerifier verifier;
   1107       bool ok;
   1108 
   1109       // Positive test.
   1110       ok = verifier.VerifyInitRSAPSS(crypto::SignatureVerifier::SHA1,
   1111                                      crypto::SignatureVerifier::SHA1,
   1112                                      salt.size(),
   1113                                      &signature[0], signature.size(),
   1114                                      &public_key_info[0],
   1115                                      public_key_info.size());
   1116       ASSERT_TRUE(ok);
   1117       verifier.VerifyUpdate(&message[0], message.size());
   1118       ok = verifier.VerifyFinal();
   1119       EXPECT_TRUE(ok);
   1120 
   1121       // Modify the first byte of the message.
   1122       ok = verifier.VerifyInitRSAPSS(crypto::SignatureVerifier::SHA1,
   1123                                      crypto::SignatureVerifier::SHA1,
   1124                                      salt.size(),
   1125                                      &signature[0], signature.size(),
   1126                                      &public_key_info[0],
   1127                                      public_key_info.size());
   1128       ASSERT_TRUE(ok);
   1129       message[0] += 1;
   1130       verifier.VerifyUpdate(&message[0], message.size());
   1131       message[0] -= 1;
   1132       ok = verifier.VerifyFinal();
   1133       EXPECT_FALSE(ok);
   1134 
   1135       // Truncate the message.
   1136       ASSERT_FALSE(message.empty());
   1137       ok = verifier.VerifyInitRSAPSS(crypto::SignatureVerifier::SHA1,
   1138                                      crypto::SignatureVerifier::SHA1,
   1139                                      salt.size(),
   1140                                      &signature[0], signature.size(),
   1141                                      &public_key_info[0],
   1142                                      public_key_info.size());
   1143       ASSERT_TRUE(ok);
   1144       verifier.VerifyUpdate(&message[0], message.size() - 1);
   1145       ok = verifier.VerifyFinal();
   1146       EXPECT_FALSE(ok);
   1147 
   1148       // Corrupt the signature.
   1149       signature[0] += 1;
   1150       ok = verifier.VerifyInitRSAPSS(crypto::SignatureVerifier::SHA1,
   1151                                      crypto::SignatureVerifier::SHA1,
   1152                                      salt.size(),
   1153                                      &signature[0], signature.size(),
   1154                                      &public_key_info[0],
   1155                                      public_key_info.size());
   1156       signature[0] -= 1;
   1157       ASSERT_TRUE(ok);
   1158       verifier.VerifyUpdate(&message[0], message.size());
   1159       ok = verifier.VerifyFinal();
   1160       EXPECT_FALSE(ok);
   1161     }
   1162   }
   1163 }
   1164