1 /* Copyright (C) 1995-1998 Eric Young (eay (at) cryptsoft.com) 2 * All rights reserved. 3 * 4 * This package is an SSL implementation written 5 * by Eric Young (eay (at) cryptsoft.com). 6 * The implementation was written so as to conform with Netscapes SSL. 7 * 8 * This library is free for commercial and non-commercial use as long as 9 * the following conditions are aheared to. The following conditions 10 * apply to all code found in this distribution, be it the RC4, RSA, 11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 12 * included with this distribution is covered by the same copyright terms 13 * except that the holder is Tim Hudson (tjh (at) cryptsoft.com). 14 * 15 * Copyright remains Eric Young's, and as such any Copyright notices in 16 * the code are not to be removed. 17 * If this package is used in a product, Eric Young should be given attribution 18 * as the author of the parts of the library used. 19 * This can be in the form of a textual message at program startup or 20 * in documentation (online or textual) provided with the package. 21 * 22 * Redistribution and use in source and binary forms, with or without 23 * modification, are permitted provided that the following conditions 24 * are met: 25 * 1. Redistributions of source code must retain the copyright 26 * notice, this list of conditions and the following disclaimer. 27 * 2. Redistributions in binary form must reproduce the above copyright 28 * notice, this list of conditions and the following disclaimer in the 29 * documentation and/or other materials provided with the distribution. 30 * 3. All advertising materials mentioning features or use of this software 31 * must display the following acknowledgement: 32 * "This product includes cryptographic software written by 33 * Eric Young (eay (at) cryptsoft.com)" 34 * The word 'cryptographic' can be left out if the rouines from the library 35 * being used are not cryptographic related :-). 36 * 4. If you include any Windows specific code (or a derivative thereof) from 37 * the apps directory (application code) you must include an acknowledgement: 38 * "This product includes software written by Tim Hudson (tjh (at) cryptsoft.com)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 50 * SUCH DAMAGE. 51 * 52 * The licence and distribution terms for any publically available version or 53 * derivative of this code cannot be changed. i.e. this code cannot simply be 54 * copied and put under another distribution licence 55 * [including the GNU Public Licence.] */ 56 57 #include <openssl/rsa.h> 58 59 #include <stdlib.h> 60 #include <string.h> 61 62 #include <gtest/gtest.h> 63 64 #include <openssl/bn.h> 65 #include <openssl/bytestring.h> 66 #include <openssl/crypto.h> 67 #include <openssl/err.h> 68 #include <openssl/nid.h> 69 70 #include "../fipsmodule/bn/internal.h" 71 #include "../fipsmodule/rsa/internal.h" 72 #include "../internal.h" 73 #include "../test/test_util.h" 74 75 76 // kPlaintext is a sample plaintext. 77 static const uint8_t kPlaintext[] = "\x54\x85\x9b\x34\x2c\x49\xea\x2a"; 78 static const size_t kPlaintextLen = sizeof(kPlaintext) - 1; 79 80 // kKey1 is a DER-encoded RSAPrivateKey. 81 static const uint8_t kKey1[] = 82 "\x30\x82\x01\x38\x02\x01\x00\x02\x41\x00\xaa\x36\xab\xce\x88\xac\xfd\xff" 83 "\x55\x52\x3c\x7f\xc4\x52\x3f\x90\xef\xa0\x0d\xf3\x77\x4a\x25\x9f\x2e\x62" 84 "\xb4\xc5\xd9\x9c\xb5\xad\xb3\x00\xa0\x28\x5e\x53\x01\x93\x0e\x0c\x70\xfb" 85 "\x68\x76\x93\x9c\xe6\x16\xce\x62\x4a\x11\xe0\x08\x6d\x34\x1e\xbc\xac\xa0" 86 "\xa1\xf5\x02\x01\x11\x02\x40\x0a\x03\x37\x48\x62\x64\x87\x69\x5f\x5f\x30" 87 "\xbc\x38\xb9\x8b\x44\xc2\xcd\x2d\xff\x43\x40\x98\xcd\x20\xd8\xa1\x38\xd0" 88 "\x90\xbf\x64\x79\x7c\x3f\xa7\xa2\xcd\xcb\x3c\xd1\xe0\xbd\xba\x26\x54\xb4" 89 "\xf9\xdf\x8e\x8a\xe5\x9d\x73\x3d\x9f\x33\xb3\x01\x62\x4a\xfd\x1d\x51\x02" 90 "\x21\x00\xd8\x40\xb4\x16\x66\xb4\x2e\x92\xea\x0d\xa3\xb4\x32\x04\xb5\xcf" 91 "\xce\x33\x52\x52\x4d\x04\x16\xa5\xa4\x41\xe7\x00\xaf\x46\x12\x0d\x02\x21" 92 "\x00\xc9\x7f\xb1\xf0\x27\xf4\x53\xf6\x34\x12\x33\xea\xaa\xd1\xd9\x35\x3f" 93 "\x6c\x42\xd0\x88\x66\xb1\xd0\x5a\x0f\x20\x35\x02\x8b\x9d\x89\x02\x20\x59" 94 "\x0b\x95\x72\xa2\xc2\xa9\xc4\x06\x05\x9d\xc2\xab\x2f\x1d\xaf\xeb\x7e\x8b" 95 "\x4f\x10\xa7\x54\x9e\x8e\xed\xf5\xb4\xfc\xe0\x9e\x05\x02\x21\x00\x8e\x3c" 96 "\x05\x21\xfe\x15\xe0\xea\x06\xa3\x6f\xf0\xf1\x0c\x99\x52\xc3\x5b\x7a\x75" 97 "\x14\xfd\x32\x38\xb8\x0a\xad\x52\x98\x62\x8d\x51\x02\x20\x36\x3f\xf7\x18" 98 "\x9d\xa8\xe9\x0b\x1d\x34\x1f\x71\xd0\x9b\x76\xa8\xa9\x43\xe1\x1d\x10\xb2" 99 "\x4d\x24\x9f\x2d\xea\xfe\xf8\x0c\x18\x26"; 100 101 // kFIPSKey is a DER-encoded RSAPrivateKey that is FIPS-compliant. 102 static const uint8_t kFIPSKey[] = 103 "\x30\x82\x02\x5c\x02\x01\x00\x02\x81\x81\x00\xa1\x71\x90\x77\x86\x8a\xc7" 104 "\xb8\xfc\x2a\x45\x82\x6d\xee\xeb\x35\x3a\x18\x3f\xb6\xb0\x1e\xb1\xd3\x09" 105 "\x6b\x05\x4d\xec\x1c\x37\x6f\x09\x31\x32\xda\x21\x8a\x49\x0e\x16\x28\xed" 106 "\x9a\x30\xf3\x14\x53\xfd\x5b\xb0\xf6\x4a\x5d\x52\xe1\xda\xe1\x40\x6e\x65" 107 "\xbf\xca\x45\xd9\x62\x96\x4a\x1e\x11\xc4\x61\x83\x1f\x58\x8d\x5e\xd0\x12" 108 "\xaf\xa5\xec\x9b\x97\x2f\x6c\xb2\x82\x4a\x73\xd0\xd3\x9a\xc9\x69\x6b\x24" 109 "\x3c\x82\x6f\xee\x4d\x0c\x7e\xdf\xd7\xae\xea\x3a\xeb\x04\x27\x8d\x43\x81" 110 "\x59\xa7\x90\x56\xc1\x69\x42\xb3\xaf\x1c\x8d\x4e\xbf\x02\x03\x01\x00\x01" 111 "\x02\x81\x80\x60\x82\xcd\x44\x46\xcf\xeb\xf9\x6f\xf5\xad\x3b\xfd\x90\x18" 112 "\x57\xe7\x74\xdb\x91\xd0\xd3\x68\xa6\xaa\x38\xaa\x21\x1d\x06\xf9\x34\x8d" 113 "\xa0\x35\xb0\x24\xe0\xd0\x2f\x75\x9b\xdd\xfe\x91\x48\x9f\x5c\x5e\x57\x54" 114 "\x00\xc8\x0f\xe6\x1e\x52\x84\xd9\xc9\xa5\x55\xf4\x0a\xbe\x88\x46\x7a\xfb" 115 "\x18\x37\x8e\xe6\x6e\xa2\x5f\x80\x48\x34\x3f\x5c\xbe\x0e\x1e\xe8\x2f\x50" 116 "\xba\x14\x96\x3c\xea\xfb\xd2\x49\x33\xdc\x12\xb8\xa7\x8a\xb5\x27\xf9\x00" 117 "\x4b\xf5\xd2\x2a\xd0\x2c\x1d\x9b\xd5\x6c\x3e\x4b\xb9\x7e\x39\xf7\x3e\x39" 118 "\xc9\x47\x5e\xbe\x91\x02\x41\x00\xcd\x33\xcf\x37\x01\xd7\x59\xcc\xbe\xa0" 119 "\x1c\xb9\xf5\xe7\x44\x9f\x62\x91\xa7\xa7\x7b\x0c\x52\xcd\x7e\xe6\x31\x11" 120 "\x8b\xd8\x2c\x8a\x63\xe1\x07\xc9\xcb\xce\x01\x45\x63\xf5\x5d\x44\xfb\xeb" 121 "\x8d\x74\x16\x20\x7d\x3b\xb4\xa1\x61\xb0\xa8\x29\x51\xc9\xef\xb6\xa1\xd5" 122 "\x02\x41\x00\xc9\x68\xa6\xd3\x88\xd5\x49\x9d\x6b\x44\x96\xfd\xbf\x66\x27" 123 "\xb4\x1f\x90\x76\x86\x2f\xe2\xce\x20\x5d\xee\x9b\xeb\xc4\xb4\x62\x47\x79" 124 "\x99\xb1\x99\xbc\xa2\xa6\xb6\x96\x64\xd5\x77\x9b\x45\xd4\xf0\x99\xb5\x9e" 125 "\x61\x4d\xf5\x12\xdd\x84\x14\xaf\x1e\xdd\x83\x24\x43\x02\x40\x60\x29\x7f" 126 "\x59\xcf\xcb\x13\x92\x17\x63\x01\x13\x44\x61\x74\x8f\x1c\xaa\x15\x5f\x2f" 127 "\x12\xbf\x5a\xfd\xb4\xf2\x19\xbe\xe7\x37\x38\x43\x46\x19\x58\x3f\xe1\xf2" 128 "\x46\x8a\x69\x59\xa4\x12\x4a\x78\xa7\x86\x17\x03\x99\x0f\x34\xf1\x8a\xcf" 129 "\xc3\x4d\x48\xcc\xc5\x51\x61\x02\x41\x00\xc2\x12\xb3\x5d\xf5\xe5\xff\xcf" 130 "\x4e\x43\x83\x72\xf2\xf1\x4e\xa4\xc4\x1d\x81\xf7\xff\x40\x7e\xfa\xb5\x48" 131 "\x6c\xba\x1c\x8a\xec\x80\x8e\xed\xc8\x32\xa9\x8f\xd9\x30\xeb\x6e\x32\x3b" 132 "\xd4\x44\xcf\xd1\x1f\x6b\xe0\x37\x46\xd5\x35\xde\x79\x9d\x2c\xb9\x83\x1d" 133 "\x10\xdd\x02\x40\x0f\x14\x95\x96\xa0\xe2\x6c\xd4\x88\xa7\x0b\x82\x14\x10" 134 "\xad\x26\x0d\xe4\xa1\x5e\x01\x3d\x21\xd2\xfb\x0e\xf9\x58\xa5\xca\x1e\x21" 135 "\xb3\xf5\x9a\x6c\x3d\x5a\x72\xb1\x2d\xfe\xac\x09\x4f\xdd\xe5\x44\xd1\x4e" 136 "\xf8\x59\x85\x3a\x65\xe2\xcd\xbc\x27\x1d\x9b\x48\x9f\xb9"; 137 138 static const uint8_t kFIPSPublicKey[] = 139 "\x30\x81\x89\x02\x81\x81\x00\xa1\x71\x90\x77\x86\x8a\xc7\xb8\xfc\x2a\x45" 140 "\x82\x6d\xee\xeb\x35\x3a\x18\x3f\xb6\xb0\x1e\xb1\xd3\x09\x6b\x05\x4d\xec" 141 "\x1c\x37\x6f\x09\x31\x32\xda\x21\x8a\x49\x0e\x16\x28\xed\x9a\x30\xf3\x14" 142 "\x53\xfd\x5b\xb0\xf6\x4a\x5d\x52\xe1\xda\xe1\x40\x6e\x65\xbf\xca\x45\xd9" 143 "\x62\x96\x4a\x1e\x11\xc4\x61\x83\x1f\x58\x8d\x5e\xd0\x12\xaf\xa5\xec\x9b" 144 "\x97\x2f\x6c\xb2\x82\x4a\x73\xd0\xd3\x9a\xc9\x69\x6b\x24\x3c\x82\x6f\xee" 145 "\x4d\x0c\x7e\xdf\xd7\xae\xea\x3a\xeb\x04\x27\x8d\x43\x81\x59\xa7\x90\x56" 146 "\xc1\x69\x42\xb3\xaf\x1c\x8d\x4e\xbf\x02\x03\x01\x00\x01"; 147 148 // kOAEPCiphertext1 is a sample encryption of |kPlaintext| with |kKey1| using 149 // RSA OAEP. 150 static const uint8_t kOAEPCiphertext1[] = 151 "\x1b\x8f\x05\xf9\xca\x1a\x79\x52\x6e\x53\xf3\xcc\x51\x4f\xdb\x89\x2b\xfb" 152 "\x91\x93\x23\x1e\x78\xb9\x92\xe6\x8d\x50\xa4\x80\xcb\x52\x33\x89\x5c\x74" 153 "\x95\x8d\x5d\x02\xab\x8c\x0f\xd0\x40\xeb\x58\x44\xb0\x05\xc3\x9e\xd8\x27" 154 "\x4a\x9d\xbf\xa8\x06\x71\x40\x94\x39\xd2"; 155 156 // kKey2 is a DER-encoded RSAPrivateKey. 157 static const uint8_t kKey2[] = 158 "\x30\x81\xfb\x02\x01\x00\x02\x33\x00\xa3\x07\x9a\x90\xdf\x0d\xfd\x72\xac" 159 "\x09\x0c\xcc\x2a\x78\xb8\x74\x13\x13\x3e\x40\x75\x9c\x98\xfa\xf8\x20\x4f" 160 "\x35\x8a\x0b\x26\x3c\x67\x70\xe7\x83\xa9\x3b\x69\x71\xb7\x37\x79\xd2\x71" 161 "\x7b\xe8\x34\x77\xcf\x02\x01\x03\x02\x32\x6c\xaf\xbc\x60\x94\xb3\xfe\x4c" 162 "\x72\xb0\xb3\x32\xc6\xfb\x25\xa2\xb7\x62\x29\x80\x4e\x68\x65\xfc\xa4\x5a" 163 "\x74\xdf\x0f\x8f\xb8\x41\x3b\x52\xc0\xd0\xe5\x3d\x9b\x59\x0f\xf1\x9b\xe7" 164 "\x9f\x49\xdd\x21\xe5\xeb\x02\x1a\x00\xcf\x20\x35\x02\x8b\x9d\x86\x98\x40" 165 "\xb4\x16\x66\xb4\x2e\x92\xea\x0d\xa3\xb4\x32\x04\xb5\xcf\xce\x91\x02\x1a" 166 "\x00\xc9\x7f\xb1\xf0\x27\xf4\x53\xf6\x34\x12\x33\xea\xaa\xd1\xd9\x35\x3f" 167 "\x6c\x42\xd0\x88\x66\xb1\xd0\x5f\x02\x1a\x00\x8a\x15\x78\xac\x5d\x13\xaf" 168 "\x10\x2b\x22\xb9\x99\xcd\x74\x61\xf1\x5e\x6d\x22\xcc\x03\x23\xdf\xdf\x0b" 169 "\x02\x1a\x00\x86\x55\x21\x4a\xc5\x4d\x8d\x4e\xcd\x61\x77\xf1\xc7\x36\x90" 170 "\xce\x2a\x48\x2c\x8b\x05\x99\xcb\xe0\x3f\x02\x1a\x00\x83\xef\xef\xb8\xa9" 171 "\xa4\x0d\x1d\xb6\xed\x98\xad\x84\xed\x13\x35\xdc\xc1\x08\xf3\x22\xd0\x57" 172 "\xcf\x8d"; 173 174 // kOAEPCiphertext2 is a sample encryption of |kPlaintext| with |kKey2| using 175 // RSA OAEP. 176 static const uint8_t kOAEPCiphertext2[] = 177 "\x14\xbd\xdd\x28\xc9\x83\x35\x19\x23\x80\xe8\xe5\x49\xb1\x58\x2a\x8b\x40" 178 "\xb4\x48\x6d\x03\xa6\xa5\x31\x1f\x1f\xd5\xf0\xa1\x80\xe4\x17\x53\x03\x29" 179 "\xa9\x34\x90\x74\xb1\x52\x13\x54\x29\x08\x24\x52\x62\x51"; 180 181 // kKey3 is a DER-encoded RSAPrivateKey. 182 static const uint8_t kKey3[] = 183 "\x30\x82\x02\x5b\x02\x01\x00\x02\x81\x81\x00\xbb\xf8\x2f\x09\x06\x82\xce" 184 "\x9c\x23\x38\xac\x2b\x9d\xa8\x71\xf7\x36\x8d\x07\xee\xd4\x10\x43\xa4\x40" 185 "\xd6\xb6\xf0\x74\x54\xf5\x1f\xb8\xdf\xba\xaf\x03\x5c\x02\xab\x61\xea\x48" 186 "\xce\xeb\x6f\xcd\x48\x76\xed\x52\x0d\x60\xe1\xec\x46\x19\x71\x9d\x8a\x5b" 187 "\x8b\x80\x7f\xaf\xb8\xe0\xa3\xdf\xc7\x37\x72\x3e\xe6\xb4\xb7\xd9\x3a\x25" 188 "\x84\xee\x6a\x64\x9d\x06\x09\x53\x74\x88\x34\xb2\x45\x45\x98\x39\x4e\xe0" 189 "\xaa\xb1\x2d\x7b\x61\xa5\x1f\x52\x7a\x9a\x41\xf6\xc1\x68\x7f\xe2\x53\x72" 190 "\x98\xca\x2a\x8f\x59\x46\xf8\xe5\xfd\x09\x1d\xbd\xcb\x02\x01\x11\x02\x81" 191 "\x81\x00\xa5\xda\xfc\x53\x41\xfa\xf2\x89\xc4\xb9\x88\xdb\x30\xc1\xcd\xf8" 192 "\x3f\x31\x25\x1e\x06\x68\xb4\x27\x84\x81\x38\x01\x57\x96\x41\xb2\x94\x10" 193 "\xb3\xc7\x99\x8d\x6b\xc4\x65\x74\x5e\x5c\x39\x26\x69\xd6\x87\x0d\xa2\xc0" 194 "\x82\xa9\x39\xe3\x7f\xdc\xb8\x2e\xc9\x3e\xda\xc9\x7f\xf3\xad\x59\x50\xac" 195 "\xcf\xbc\x11\x1c\x76\xf1\xa9\x52\x94\x44\xe5\x6a\xaf\x68\xc5\x6c\x09\x2c" 196 "\xd3\x8d\xc3\xbe\xf5\xd2\x0a\x93\x99\x26\xed\x4f\x74\xa1\x3e\xdd\xfb\xe1" 197 "\xa1\xce\xcc\x48\x94\xaf\x94\x28\xc2\xb7\xb8\x88\x3f\xe4\x46\x3a\x4b\xc8" 198 "\x5b\x1c\xb3\xc1\x02\x41\x00\xee\xcf\xae\x81\xb1\xb9\xb3\xc9\x08\x81\x0b" 199 "\x10\xa1\xb5\x60\x01\x99\xeb\x9f\x44\xae\xf4\xfd\xa4\x93\xb8\x1a\x9e\x3d" 200 "\x84\xf6\x32\x12\x4e\xf0\x23\x6e\x5d\x1e\x3b\x7e\x28\xfa\xe7\xaa\x04\x0a" 201 "\x2d\x5b\x25\x21\x76\x45\x9d\x1f\x39\x75\x41\xba\x2a\x58\xfb\x65\x99\x02" 202 "\x41\x00\xc9\x7f\xb1\xf0\x27\xf4\x53\xf6\x34\x12\x33\xea\xaa\xd1\xd9\x35" 203 "\x3f\x6c\x42\xd0\x88\x66\xb1\xd0\x5a\x0f\x20\x35\x02\x8b\x9d\x86\x98\x40" 204 "\xb4\x16\x66\xb4\x2e\x92\xea\x0d\xa3\xb4\x32\x04\xb5\xcf\xce\x33\x52\x52" 205 "\x4d\x04\x16\xa5\xa4\x41\xe7\x00\xaf\x46\x15\x03\x02\x40\x54\x49\x4c\xa6" 206 "\x3e\xba\x03\x37\xe4\xe2\x40\x23\xfc\xd6\x9a\x5a\xeb\x07\xdd\xdc\x01\x83" 207 "\xa4\xd0\xac\x9b\x54\xb0\x51\xf2\xb1\x3e\xd9\x49\x09\x75\xea\xb7\x74\x14" 208 "\xff\x59\xc1\xf7\x69\x2e\x9a\x2e\x20\x2b\x38\xfc\x91\x0a\x47\x41\x74\xad" 209 "\xc9\x3c\x1f\x67\xc9\x81\x02\x40\x47\x1e\x02\x90\xff\x0a\xf0\x75\x03\x51" 210 "\xb7\xf8\x78\x86\x4c\xa9\x61\xad\xbd\x3a\x8a\x7e\x99\x1c\x5c\x05\x56\xa9" 211 "\x4c\x31\x46\xa7\xf9\x80\x3f\x8f\x6f\x8a\xe3\x42\xe9\x31\xfd\x8a\xe4\x7a" 212 "\x22\x0d\x1b\x99\xa4\x95\x84\x98\x07\xfe\x39\xf9\x24\x5a\x98\x36\xda\x3d" 213 "\x02\x41\x00\xb0\x6c\x4f\xda\xbb\x63\x01\x19\x8d\x26\x5b\xdb\xae\x94\x23" 214 "\xb3\x80\xf2\x71\xf7\x34\x53\x88\x50\x93\x07\x7f\xcd\x39\xe2\x11\x9f\xc9" 215 "\x86\x32\x15\x4f\x58\x83\xb1\x67\xa9\x67\xbf\x40\x2b\x4e\x9e\x2e\x0f\x96" 216 "\x56\xe6\x98\xea\x36\x66\xed\xfb\x25\x79\x80\x39\xf7"; 217 218 // kOAEPCiphertext3 is a sample encryption of |kPlaintext| with |kKey3| using 219 // RSA OAEP. 220 static const uint8_t kOAEPCiphertext3[] = 221 "\xb8\x24\x6b\x56\xa6\xed\x58\x81\xae\xb5\x85\xd9\xa2\x5b\x2a\xd7\x90\xc4" 222 "\x17\xe0\x80\x68\x1b\xf1\xac\x2b\xc3\xde\xb6\x9d\x8b\xce\xf0\xc4\x36\x6f" 223 "\xec\x40\x0a\xf0\x52\xa7\x2e\x9b\x0e\xff\xb5\xb3\xf2\xf1\x92\xdb\xea\xca" 224 "\x03\xc1\x27\x40\x05\x71\x13\xbf\x1f\x06\x69\xac\x22\xe9\xf3\xa7\x85\x2e" 225 "\x3c\x15\xd9\x13\xca\xb0\xb8\x86\x3a\x95\xc9\x92\x94\xce\x86\x74\x21\x49" 226 "\x54\x61\x03\x46\xf4\xd4\x74\xb2\x6f\x7c\x48\xb4\x2e\xe6\x8e\x1f\x57\x2a" 227 "\x1f\xc4\x02\x6a\xc4\x56\xb4\xf5\x9f\x7b\x62\x1e\xa1\xb9\xd8\x8f\x64\x20" 228 "\x2f\xb1"; 229 230 static const uint8_t kTwoPrimeKey[] = 231 "\x30\x82\x04\xa1\x02\x01\x00\x02\x82\x01\x01\x00\x93\x3a\x4f\xc9\x6a\x0a" 232 "\x6b\x28\x04\xfa\xb7\x05\x56\xdf\xa0\xaa\x4f\xaa\xab\x94\xa0\xa9\x25\xef" 233 "\xc5\x96\xd2\xd4\x66\x16\x62\x2c\x13\x7b\x91\xd0\x36\x0a\x10\x11\x6d\x7a" 234 "\x91\xb6\xe4\x74\x57\xc1\x3d\x7a\xbe\x24\x05\x3a\x04\x0b\x73\x91\x53\xb1" 235 "\x74\x10\xe1\x87\xdc\x91\x28\x9c\x1e\xe5\xf2\xb9\xfc\xa2\x48\x34\xb6\x78" 236 "\xed\x6d\x95\xfb\xf2\xc0\x4e\x1c\xa4\x15\x00\x3c\x8a\x68\x2b\xd6\xce\xd5" 237 "\xb3\x9f\x66\x02\xa7\x0d\x08\xa3\x23\x9b\xe5\x36\x96\x13\x22\xf9\x69\xa6" 238 "\x87\x88\x9b\x85\x3f\x83\x9c\xab\x1a\x1b\x6d\x8d\x16\xf4\x5e\xbd\xee\x4b" 239 "\x59\x56\xf8\x9d\x58\xcd\xd2\x83\x85\x59\x43\x84\x63\x4f\xe6\x1a\x86\x66" 240 "\x0d\xb5\xa0\x87\x89\xb6\x13\x82\x43\xda\x34\x92\x3b\x68\xc4\x95\x71\x2f" 241 "\x15\xc2\xe0\x43\x67\x3c\x08\x00\x36\x10\xc3\xb4\x46\x4c\x4e\x6e\xf5\x44" 242 "\xa9\x04\x44\x9d\xce\xc7\x05\x79\xee\x11\xcf\xaf\x2c\xd7\x9a\x32\xd3\xa5" 243 "\x30\xd4\x3a\x78\x43\x37\x74\x22\x90\x24\x04\x11\xd7\x95\x08\x52\xa4\x71" 244 "\x41\x68\x94\xb0\xa0\xc3\xec\x4e\xd2\xc4\x30\x71\x98\x64\x9c\xe3\x7c\x76" 245 "\xef\x33\xa3\x2b\xb1\x87\x63\xd2\x5c\x09\xfc\x90\x2d\x92\xf4\x57\x02\x01" 246 "\x03\x02\x82\x01\x00\x62\x26\xdf\xdb\x9c\x06\xf2\x1a\xad\xfc\x7a\x03\x8f" 247 "\x3f\xc0\x71\x8a\x71\xc7\xb8\x6b\x1b\x6e\x9f\xd9\x0f\x37\x38\x44\x0e\xec" 248 "\x1d\x62\x52\x61\x35\x79\x5c\x0a\xb6\x48\xfc\x61\x24\x98\x4d\x8f\xd6\x28" 249 "\xfc\x7e\xc2\xae\x26\xad\x5c\xf7\xb6\x37\xcb\xa2\xb5\xeb\xaf\xe8\x60\xc5" 250 "\xbd\x69\xee\xa1\xd1\x53\x16\xda\xcd\xce\xfb\x48\xf3\xb9\x52\xa1\xd5\x89" 251 "\x68\x6d\x63\x55\x7d\xb1\x9a\xc7\xe4\x89\xe3\xcd\x14\xee\xac\x6f\x5e\x05" 252 "\xc2\x17\xbd\x43\x79\xb9\x62\x17\x50\xf1\x19\xaf\xb0\x67\xae\x2a\x57\xbd" 253 "\xc7\x66\xbc\xf3\xb3\x64\xa1\xe3\x16\x74\x9e\xea\x02\x5c\xab\x94\xd8\x97" 254 "\x02\x42\x0c\x2c\xba\x54\xb9\xaf\xe0\x45\x93\xad\x7f\xb3\x10\x6a\x96\x50" 255 "\x4b\xaf\xcf\xc8\x27\x62\x2d\x83\xe9\x26\xc6\x94\xc1\xef\x5c\x8e\x06\x42" 256 "\x53\xe5\x56\xaf\xc2\x99\x01\xaa\x9a\x71\xbc\xe8\x21\x33\x2a\x2d\xa3\x36" 257 "\xac\x1b\x86\x19\xf8\xcd\x1f\x80\xa4\x26\x98\xb8\x9f\x62\x62\xd5\x1a\x7f" 258 "\xee\xdb\xdf\x81\xd3\x21\xdb\x33\x92\xee\xff\xe2\x2f\x32\x77\x73\x6a\x58" 259 "\xab\x21\xf3\xe3\xe1\xbc\x4f\x12\x72\xa6\xb5\xc2\xfb\x27\x9e\xc8\xca\xab" 260 "\x64\xa0\x87\x07\x9d\xef\xca\x0f\xdb\x02\x81\x81\x00\xe6\xd3\x4d\xc0\xa1" 261 "\x91\x0e\x62\xfd\xb0\xdd\xc6\x30\xb8\x8c\xcb\x14\xc1\x4b\x69\x30\xdd\xcd" 262 "\x86\x67\xcb\x37\x14\xc5\x03\xd2\xb4\x69\xab\x3d\xe5\x16\x81\x0f\xe5\x50" 263 "\xf4\x18\xb1\xec\xbc\x71\xe9\x80\x99\x06\xe4\xa3\xfe\x44\x84\x4a\x2d\x1e" 264 "\x07\x7f\x22\x70\x6d\x4f\xd4\x93\x0b\x8b\x99\xce\x1e\xab\xcd\x4c\xd2\xd3" 265 "\x10\x47\x5c\x09\x9f\x6d\x82\xc0\x08\x75\xe3\x3d\x83\xc2\x19\x50\x29\xec" 266 "\x1f\x84\x29\xcc\xf1\x56\xee\xbd\x54\x5d\xe6\x19\xdf\x0d\x1c\xa4\xbb\x0a" 267 "\xfe\x84\x44\x29\x1d\xf9\x5c\x80\x96\x5b\x24\xb4\xf7\x02\x1b\x02\x81\x81" 268 "\x00\xa3\x48\xf1\x9c\x58\xc2\x5f\x38\xfb\xd8\x12\x39\xf1\x8e\x73\xa1\xcf" 269 "\x78\x12\xe0\xed\x2a\xbb\xef\xac\x23\xb2\xbf\xd6\x0c\xe9\x6e\x1e\xab\xea" 270 "\x3f\x68\x36\xa7\x1f\xe5\xab\xe0\x86\xa5\x76\x32\x98\xdd\x75\xb5\x2b\xbc" 271 "\xcb\x8a\x03\x00\x7c\x2e\xca\xf8\xbc\x19\xe4\xe3\xa3\x31\xbd\x1d\x20\x2b" 272 "\x09\xad\x6f\x4c\xed\x48\xd4\xdf\x87\xf9\xf0\x46\xb9\x86\x4c\x4b\x71\xe7" 273 "\x48\x78\xdc\xed\xc7\x82\x02\x44\xd3\xa6\xb3\x10\x5f\x62\x81\xfc\xb8\xe4" 274 "\x0e\xf4\x1a\xdd\xab\x3f\xbc\x63\x79\x5b\x39\x69\x5e\xea\xa9\x15\xfe\x90" 275 "\xec\xda\x75\x02\x81\x81\x00\x99\xe2\x33\xd5\xc1\x0b\x5e\xec\xa9\x20\x93" 276 "\xd9\x75\xd0\x5d\xdc\xb8\x80\xdc\xf0\xcb\x3e\x89\x04\x45\x32\x24\xb8\x83" 277 "\x57\xe1\xcd\x9b\xc7\x7e\x98\xb9\xab\x5f\xee\x35\xf8\x10\x76\x9d\xd2\xf6" 278 "\x9b\xab\x10\xaf\x43\x17\xfe\xd8\x58\x31\x73\x69\x5a\x54\xc1\xa0\x48\xdf" 279 "\xe3\x0c\xb2\x5d\x11\x34\x14\x72\x88\xdd\xe1\xe2\x0a\xda\x3d\x5b\xbf\x9e" 280 "\x57\x2a\xb0\x4e\x97\x7e\x57\xd6\xbb\x8a\xc6\x9d\x6a\x58\x1b\xdd\xf6\x39" 281 "\xf4\x7e\x38\x3e\x99\x66\x94\xb3\x68\x6d\xd2\x07\x54\x58\x2d\x70\xbe\xa6" 282 "\x3d\xab\x0e\xe7\x6d\xcd\xfa\x01\x67\x02\x81\x80\x6c\xdb\x4b\xbd\x90\x81" 283 "\x94\xd0\xa7\xe5\x61\x7b\xf6\x5e\xf7\xc1\x34\xfa\xb7\x40\x9e\x1c\x7d\x4a" 284 "\x72\xc2\x77\x2a\x8e\xb3\x46\x49\x69\xc7\xf1\x7f\x9a\xcf\x1a\x15\x43\xc7" 285 "\xeb\x04\x6e\x4e\xcc\x65\xe8\xf9\x23\x72\x7d\xdd\x06\xac\xaa\xfd\x74\x87" 286 "\x50\x7d\x66\x98\x97\xc2\x21\x28\xbe\x15\x72\x06\x73\x9f\x88\x9e\x30\x8d" 287 "\xea\x5a\xa6\xa0\x2f\x26\x59\x88\x32\x4b\xef\x85\xa5\xe8\x9e\x85\x01\x56" 288 "\xd8\x8d\x19\xcc\xb5\x94\xec\x56\xa8\x7b\x42\xb4\xa2\xbc\x93\xc7\x7f\xd2" 289 "\xec\xfb\x92\x26\x46\x3f\x47\x1b\x63\xff\x0b\x48\x91\xa3\x02\x81\x80\x2c" 290 "\x4a\xb9\xa4\x46\x7b\xff\x50\x7e\xbf\x60\x47\x3b\x2b\x66\x82\xdc\x0e\x53" 291 "\x65\x71\xe9\xda\x2a\xb8\x32\x93\x42\xb7\xff\xea\x67\x66\xf1\xbc\x87\x28" 292 "\x65\x29\x79\xca\xab\x93\x56\xda\x95\xc1\x26\x44\x3d\x27\xc1\x91\xc6\x9b" 293 "\xd9\xec\x9d\xb7\x49\xe7\x16\xee\x99\x87\x50\x95\x81\xd4\x5c\x5b\x5a\x5d" 294 "\x0a\x43\xa5\xa7\x8f\x5a\x80\x49\xa0\xb7\x10\x85\xc7\xf4\x42\x34\x86\xb6" 295 "\x5f\x3f\x88\x9e\xc7\xf5\x59\x29\x39\x68\x48\xf2\xd7\x08\x5b\x92\x8e\x6b" 296 "\xea\xa5\x63\x5f\xc0\xfb\xe4\xe1\xb2\x7d\xb7\x40\xe9\x55\x06\xbf\x58\x25" 297 "\x6f"; 298 299 static const uint8_t kTwoPrimeEncryptedMessage[] = { 300 0x63, 0x0a, 0x30, 0x45, 0x43, 0x11, 0x45, 0xb7, 0x99, 0x67, 0x90, 0x35, 301 0x37, 0x27, 0xff, 0xbc, 0xe0, 0xbf, 0xa6, 0xd1, 0x47, 0x50, 0xbb, 0x6c, 302 0x1c, 0xaa, 0x66, 0xf2, 0xff, 0x9d, 0x9a, 0xa6, 0xb4, 0x16, 0x63, 0xb0, 303 0xa1, 0x7c, 0x7c, 0x0c, 0xef, 0xb3, 0x66, 0x52, 0x42, 0xd7, 0x5e, 0xf3, 304 0xa4, 0x15, 0x33, 0x40, 0x43, 0xe8, 0xb1, 0xfc, 0xe0, 0x42, 0x83, 0x46, 305 0x28, 0xce, 0xde, 0x7b, 0x01, 0xeb, 0x28, 0x92, 0x70, 0xdf, 0x8d, 0x54, 306 0x9e, 0xed, 0x23, 0xb4, 0x78, 0xc3, 0xca, 0x85, 0x53, 0x48, 0xd6, 0x8a, 307 0x87, 0xf7, 0x69, 0xcd, 0x82, 0x8c, 0x4f, 0x5c, 0x05, 0x55, 0xa6, 0x78, 308 0x89, 0xab, 0x4c, 0xd8, 0xa9, 0xd6, 0xa5, 0xf4, 0x29, 0x4c, 0x23, 0xc8, 309 0xcf, 0xf0, 0x4c, 0x64, 0x6b, 0x4e, 0x02, 0x17, 0x69, 0xd6, 0x47, 0x83, 310 0x30, 0x43, 0x02, 0x29, 0xda, 0xda, 0x75, 0x3b, 0xd7, 0xa7, 0x2b, 0x31, 311 0xb3, 0xe9, 0x71, 0xa4, 0x41, 0xf7, 0x26, 0x9b, 0xcd, 0x23, 0xfa, 0x45, 312 0x3c, 0x9b, 0x7d, 0x28, 0xf7, 0xf9, 0x67, 0x04, 0xba, 0xfc, 0x46, 0x75, 313 0x11, 0x3c, 0xd5, 0x27, 0x43, 0x53, 0xb1, 0xb6, 0x9e, 0x18, 0xeb, 0x11, 314 0xb4, 0x25, 0x20, 0x30, 0x0b, 0xe0, 0x1c, 0x17, 0x36, 0x22, 0x10, 0x0f, 315 0x99, 0xb5, 0x50, 0x14, 0x73, 0x07, 0xf0, 0x2f, 0x5d, 0x4c, 0xe3, 0xf2, 316 0x86, 0xc2, 0x05, 0xc8, 0x38, 0xed, 0xeb, 0x2a, 0x4a, 0xab, 0x76, 0xe3, 317 0x1a, 0x75, 0x44, 0xf7, 0x6e, 0x94, 0xdc, 0x25, 0x62, 0x7e, 0x31, 0xca, 318 0xc2, 0x73, 0x51, 0xb5, 0x03, 0xfb, 0xf9, 0xf6, 0xb5, 0x8d, 0x4e, 0x6c, 319 0x21, 0x0e, 0xf9, 0x97, 0x26, 0x57, 0xf3, 0x52, 0x72, 0x07, 0xf8, 0xb4, 320 0xcd, 0xb4, 0x39, 0xcf, 0xbf, 0x78, 0xcc, 0xb6, 0x87, 0xf9, 0xb7, 0x8b, 321 0x6a, 0xce, 0x9f, 0xc8, 322 }; 323 324 // kEstonianRSAKey is an RSAPublicKey encoded with a negative modulus. See 325 // https://crbug.com/532048. 326 static const uint8_t kEstonianRSAKey[] = { 327 0x30, 0x82, 0x01, 0x09, 0x02, 0x82, 0x01, 0x00, 0x96, 0xa6, 0x2e, 0x9c, 328 0x4e, 0x6a, 0xc3, 0xcc, 0xcd, 0x8f, 0x70, 0xc3, 0x55, 0xbf, 0x5e, 0x9c, 329 0xd4, 0xf3, 0x17, 0xc3, 0x97, 0x70, 0xae, 0xdf, 0x12, 0x5c, 0x15, 0x80, 330 0x03, 0xef, 0x2b, 0x18, 0x9d, 0x6a, 0xcb, 0x52, 0x22, 0xc1, 0x81, 0xb8, 331 0x7e, 0x61, 0xe8, 0x0f, 0x79, 0x24, 0x0f, 0x82, 0x70, 0x24, 0x4e, 0x29, 332 0x20, 0x05, 0x54, 0xeb, 0xd4, 0xa9, 0x65, 0x59, 0xb6, 0x3c, 0x75, 0x95, 333 0x2f, 0x4c, 0xf6, 0x9d, 0xd1, 0xaf, 0x5f, 0x14, 0x14, 0xe7, 0x25, 0xea, 334 0xa5, 0x47, 0x5d, 0xc6, 0x3e, 0x28, 0x8d, 0xdc, 0x54, 0x87, 0x2a, 0x7c, 335 0x10, 0xe9, 0xc6, 0x76, 0x2d, 0xe7, 0x79, 0xd8, 0x0e, 0xbb, 0xa9, 0xac, 336 0xb5, 0x18, 0x98, 0xd6, 0x47, 0x6e, 0x06, 0x70, 0xbf, 0x9e, 0x82, 0x25, 337 0x95, 0x4e, 0xfd, 0x70, 0xd7, 0x73, 0x45, 0x2e, 0xc1, 0x1f, 0x7a, 0x9a, 338 0x9d, 0x60, 0xc0, 0x1f, 0x67, 0x06, 0x2a, 0x4e, 0x87, 0x3f, 0x19, 0x88, 339 0x69, 0x64, 0x4d, 0x9f, 0x75, 0xf5, 0xd3, 0x1a, 0x41, 0x3d, 0x35, 0x17, 340 0xb6, 0xd1, 0x44, 0x0d, 0x25, 0x8b, 0xe7, 0x94, 0x39, 0xb0, 0x7c, 0xaf, 341 0x3e, 0x6a, 0xfa, 0x8d, 0x90, 0x21, 0x0f, 0x8a, 0x43, 0x94, 0x37, 0x7c, 342 0x2a, 0x15, 0x4c, 0xa0, 0xfa, 0xa9, 0x2f, 0x21, 0xa6, 0x6f, 0x8e, 0x2f, 343 0x89, 0xbc, 0xbb, 0x33, 0xf8, 0x31, 0xfc, 0xdf, 0xcd, 0x68, 0x9a, 0xbc, 344 0x75, 0x06, 0x95, 0xf1, 0x3d, 0xef, 0xca, 0x76, 0x27, 0xd2, 0xba, 0x8e, 345 0x0e, 0x1c, 0x43, 0xd7, 0x70, 0xb9, 0xc6, 0x15, 0xca, 0xd5, 0x4d, 0x87, 346 0xb9, 0xd1, 0xae, 0xde, 0x69, 0x73, 0x00, 0x2a, 0x97, 0x51, 0x4b, 0x30, 347 0x01, 0xc2, 0x85, 0xd0, 0x05, 0xcc, 0x2e, 0xe8, 0xc7, 0x42, 0xe7, 0x94, 348 0x51, 0xe3, 0xf5, 0x19, 0x35, 0xdc, 0x57, 0x96, 0xe7, 0xd9, 0xb4, 0x49, 349 0x02, 0x03, 0x01, 0x00, 0x01, 350 }; 351 352 // kExponent1RSAKey is an RSAPublicKey encoded with an exponent of 1. See 353 // https://crbug.com/541257 354 static const uint8_t kExponent1RSAKey[] = { 355 0x30, 0x82, 0x01, 0x08, 0x02, 0x82, 0x01, 0x01, 0x00, 0xcf, 0x86, 0x9a, 356 0x7d, 0x5c, 0x9f, 0xbd, 0x33, 0xbb, 0xc2, 0xb1, 0x06, 0xa8, 0x3e, 0xc5, 357 0x18, 0xf3, 0x01, 0x04, 0xdd, 0x7a, 0x38, 0x0e, 0x8e, 0x8d, 0x10, 0xaa, 358 0xf8, 0x64, 0x49, 0x82, 0xa6, 0x16, 0x9d, 0xd9, 0xae, 0x5e, 0x7f, 0x9b, 359 0x53, 0xcb, 0xbb, 0x29, 0xda, 0x98, 0x47, 0x26, 0x88, 0x2e, 0x1d, 0x64, 360 0xb3, 0xbc, 0x7e, 0x96, 0x3a, 0xa7, 0xd6, 0x87, 0xf6, 0xf5, 0x3f, 0xa7, 361 0x3b, 0xd3, 0xc5, 0xd5, 0x61, 0x3c, 0x63, 0x05, 0xf9, 0xbc, 0x64, 0x1d, 362 0x71, 0x65, 0xf5, 0xc8, 0xe8, 0x64, 0x41, 0x35, 0x88, 0x81, 0x6b, 0x2a, 363 0x24, 0xbb, 0xdd, 0x9f, 0x75, 0x4f, 0xea, 0x35, 0xe5, 0x32, 0x76, 0x5a, 364 0x8b, 0x7a, 0xb5, 0x92, 0x65, 0x34, 0xb7, 0x88, 0x42, 0x5d, 0x41, 0x0b, 365 0xd1, 0x00, 0x2d, 0x43, 0x47, 0x55, 0x60, 0x3c, 0x0e, 0x60, 0x04, 0x5c, 366 0x88, 0x13, 0xc7, 0x42, 0x55, 0x16, 0x31, 0x32, 0x81, 0xba, 0xde, 0xa9, 367 0x56, 0xeb, 0xdb, 0x66, 0x7f, 0x31, 0xba, 0xe8, 0x87, 0x1a, 0xcc, 0xad, 368 0x90, 0x86, 0x4b, 0xa7, 0x6d, 0xd5, 0xc1, 0xb7, 0xe7, 0x67, 0x56, 0x41, 369 0xf7, 0x03, 0xb3, 0x09, 0x61, 0x63, 0xb5, 0xb0, 0x19, 0x7b, 0xc5, 0x91, 370 0xc8, 0x96, 0x5b, 0x6a, 0x80, 0xa1, 0x53, 0x0f, 0x9a, 0x47, 0xb5, 0x9a, 371 0x44, 0x53, 0xbd, 0x93, 0xe3, 0xe4, 0xce, 0x0c, 0x17, 0x11, 0x51, 0x1d, 372 0xfd, 0x6c, 0x74, 0xe4, 0xec, 0x2a, 0xce, 0x57, 0x27, 0xcc, 0x83, 0x98, 373 0x08, 0x32, 0x2c, 0xd5, 0x75, 0xa9, 0x27, 0xfe, 0xaa, 0x5e, 0x48, 0xc9, 374 0x46, 0x9a, 0x29, 0x3f, 0xe6, 0x01, 0x4d, 0x97, 0x4a, 0x70, 0xd1, 0x5d, 375 0xf8, 0xc0, 0x0b, 0x23, 0xcb, 0xbe, 0xf5, 0x70, 0x0b, 0xc2, 0xf2, 0xc0, 376 0x33, 0x9c, 0xc4, 0x8b, 0x39, 0x7e, 0x3d, 0xc6, 0x23, 0x39, 0x9a, 0x98, 377 0xdd, 0x02, 0x01, 0x01, 378 }; 379 380 struct RSAEncryptParam { 381 const uint8_t *der; 382 size_t der_len; 383 const uint8_t *oaep_ciphertext; 384 size_t oaep_ciphertext_len; 385 } kRSAEncryptParams[] = { 386 {kKey1, sizeof(kKey1) - 1, kOAEPCiphertext1, sizeof(kOAEPCiphertext1) - 1}, 387 {kKey2, sizeof(kKey2) - 1, kOAEPCiphertext2, sizeof(kOAEPCiphertext2) - 1}, 388 {kKey3, sizeof(kKey3) - 1, kOAEPCiphertext3, sizeof(kOAEPCiphertext3) - 1}, 389 }; 390 391 class RSAEncryptTest : public testing::TestWithParam<RSAEncryptParam> {}; 392 393 TEST_P(RSAEncryptTest, TestKey) { 394 const auto ¶m = GetParam(); 395 bssl::UniquePtr<RSA> key( 396 RSA_private_key_from_bytes(param.der, param.der_len)); 397 ASSERT_TRUE(key); 398 399 EXPECT_TRUE(RSA_check_key(key.get())); 400 401 uint8_t ciphertext[256]; 402 403 // Test that PKCS#1 v1.5 encryption round-trips. 404 size_t ciphertext_len = 0; 405 ASSERT_TRUE(RSA_encrypt(key.get(), &ciphertext_len, ciphertext, 406 sizeof(ciphertext), kPlaintext, kPlaintextLen, 407 RSA_PKCS1_PADDING)); 408 EXPECT_EQ(RSA_size(key.get()), ciphertext_len); 409 410 uint8_t plaintext[256]; 411 size_t plaintext_len = 0; 412 ASSERT_TRUE(RSA_decrypt(key.get(), &plaintext_len, plaintext, 413 sizeof(plaintext), ciphertext, ciphertext_len, 414 RSA_PKCS1_PADDING)); 415 EXPECT_EQ(Bytes(kPlaintext, kPlaintextLen), Bytes(plaintext, plaintext_len)); 416 417 // Test that OAEP encryption round-trips. 418 ciphertext_len = 0; 419 ASSERT_TRUE(RSA_encrypt(key.get(), &ciphertext_len, ciphertext, 420 sizeof(ciphertext), kPlaintext, kPlaintextLen, 421 RSA_PKCS1_OAEP_PADDING)); 422 EXPECT_EQ(RSA_size(key.get()), ciphertext_len); 423 424 plaintext_len = 0; 425 ASSERT_TRUE(RSA_decrypt(key.get(), &plaintext_len, plaintext, 426 sizeof(plaintext), ciphertext, ciphertext_len, 427 RSA_PKCS1_OAEP_PADDING)); 428 EXPECT_EQ(Bytes(kPlaintext, kPlaintextLen), Bytes(plaintext, plaintext_len)); 429 430 // |oaep_ciphertext| should decrypt to |kPlaintext|. 431 plaintext_len = 0; 432 ASSERT_TRUE(RSA_decrypt(key.get(), &plaintext_len, plaintext, 433 sizeof(plaintext), param.oaep_ciphertext, 434 param.oaep_ciphertext_len, RSA_PKCS1_OAEP_PADDING)); 435 EXPECT_EQ(Bytes(kPlaintext, kPlaintextLen), Bytes(plaintext, plaintext_len)); 436 437 // Try decrypting corrupted ciphertexts. 438 OPENSSL_memcpy(ciphertext, param.oaep_ciphertext, param.oaep_ciphertext_len); 439 for (size_t i = 0; i < param.oaep_ciphertext_len; i++) { 440 SCOPED_TRACE(i); 441 ciphertext[i] ^= 1; 442 EXPECT_FALSE(RSA_decrypt( 443 key.get(), &plaintext_len, plaintext, sizeof(plaintext), ciphertext, 444 param.oaep_ciphertext_len, RSA_PKCS1_OAEP_PADDING)); 445 ERR_clear_error(); 446 ciphertext[i] ^= 1; 447 } 448 449 // Test truncated ciphertexts. 450 for (size_t len = 0; len < param.oaep_ciphertext_len; len++) { 451 SCOPED_TRACE(len); 452 EXPECT_FALSE(RSA_decrypt(key.get(), &plaintext_len, plaintext, 453 sizeof(plaintext), ciphertext, len, 454 RSA_PKCS1_OAEP_PADDING)); 455 ERR_clear_error(); 456 } 457 } 458 459 INSTANTIATE_TEST_CASE_P(, RSAEncryptTest, testing::ValuesIn(kRSAEncryptParams)); 460 461 TEST(RSATest, TestDecrypt) { 462 bssl::UniquePtr<RSA> rsa( 463 RSA_private_key_from_bytes(kTwoPrimeKey, sizeof(kTwoPrimeKey) - 1)); 464 ASSERT_TRUE(rsa); 465 466 EXPECT_TRUE(RSA_check_key(rsa.get())); 467 468 uint8_t out[256]; 469 size_t out_len; 470 ASSERT_TRUE(RSA_decrypt( 471 rsa.get(), &out_len, out, sizeof(out), kTwoPrimeEncryptedMessage, 472 sizeof(kTwoPrimeEncryptedMessage), RSA_PKCS1_PADDING)); 473 EXPECT_EQ(Bytes("hello world"), Bytes(out, out_len)); 474 } 475 476 TEST(RSATest, CheckFIPS) { 477 bssl::UniquePtr<RSA> rsa( 478 RSA_private_key_from_bytes(kFIPSKey, sizeof(kFIPSKey) - 1)); 479 ASSERT_TRUE(rsa); 480 EXPECT_TRUE(RSA_check_fips(rsa.get())); 481 482 // Check that RSA_check_fips works on a public key. 483 bssl::UniquePtr<RSA> pub( 484 RSA_public_key_from_bytes(kFIPSPublicKey, sizeof(kFIPSPublicKey) - 1)); 485 ASSERT_TRUE(pub); 486 EXPECT_TRUE(RSA_check_fips(pub.get())); 487 } 488 489 TEST(RSATest, GenerateFIPS) { 490 bssl::UniquePtr<RSA> rsa(RSA_new()); 491 ASSERT_TRUE(rsa); 492 493 // RSA_generate_key_fips may only be used for 2048-bit and 3072-bit keys. 494 EXPECT_FALSE(RSA_generate_key_fips(rsa.get(), 512, nullptr)); 495 EXPECT_FALSE(RSA_generate_key_fips(rsa.get(), 1024, nullptr)); 496 EXPECT_FALSE(RSA_generate_key_fips(rsa.get(), 2047, nullptr)); 497 EXPECT_FALSE(RSA_generate_key_fips(rsa.get(), 2049, nullptr)); 498 EXPECT_FALSE(RSA_generate_key_fips(rsa.get(), 3071, nullptr)); 499 EXPECT_FALSE(RSA_generate_key_fips(rsa.get(), 3073, nullptr)); 500 EXPECT_FALSE(RSA_generate_key_fips(rsa.get(), 4096, nullptr)); 501 ERR_clear_error(); 502 503 // Test that we can generate 2048-bit and 3072-bit RSA keys. 504 EXPECT_TRUE(RSA_generate_key_fips(rsa.get(), 2048, nullptr)); 505 EXPECT_EQ(2048u, BN_num_bits(rsa->n)); 506 507 rsa.reset(RSA_new()); 508 ASSERT_TRUE(rsa); 509 EXPECT_TRUE(RSA_generate_key_fips(rsa.get(), 3072, nullptr)); 510 EXPECT_EQ(3072u, BN_num_bits(rsa->n)); 511 } 512 513 TEST(RSATest, BadKey) { 514 bssl::UniquePtr<RSA> key(RSA_new()); 515 bssl::UniquePtr<BIGNUM> e(BN_new()); 516 ASSERT_TRUE(key); 517 ASSERT_TRUE(e); 518 ASSERT_TRUE(BN_set_word(e.get(), RSA_F4)); 519 520 // Generate a bad key. 521 ASSERT_TRUE(RSA_generate_key_ex(key.get(), 512, e.get(), nullptr)); 522 ASSERT_TRUE(BN_add(key->p, key->p, BN_value_one())); 523 524 // Bad keys are detected. 525 EXPECT_FALSE(RSA_check_key(key.get())); 526 EXPECT_FALSE(RSA_check_fips(key.get())); 527 528 // Bad keys may not be parsed. 529 uint8_t *der; 530 size_t der_len; 531 ASSERT_TRUE(RSA_private_key_to_bytes(&der, &der_len, key.get())); 532 bssl::UniquePtr<uint8_t> delete_der(der); 533 key.reset(RSA_private_key_from_bytes(der, der_len)); 534 EXPECT_FALSE(key); 535 } 536 537 TEST(RSATest, OnlyDGiven) { 538 static const char kN[] = 539 "00e77bbf3889d4ef36a9a25d4d69f3f632eb4362214c74517da6d6aeaa9bd09ac42b2662" 540 "1cd88f3a6eb013772fc3bf9f83914b6467231c630202c35b3e5808c659"; 541 static const char kE[] = "010001"; 542 static const char kD[] = 543 "0365db9eb6d73b53b015c40cd8db4de7dd7035c68b5ac1bf786d7a4ee2cea316eaeca21a" 544 "73ac365e58713195f2ae9849348525ca855386b6d028e437a9495a01"; 545 546 bssl::UniquePtr<RSA> key(RSA_new()); 547 ASSERT_TRUE(key); 548 ASSERT_TRUE(BN_hex2bn(&key->n, kN)); 549 ASSERT_TRUE(BN_hex2bn(&key->e, kE)); 550 ASSERT_TRUE(BN_hex2bn(&key->d, kD)); 551 552 // Keys with only n, e, and d are functional. 553 EXPECT_TRUE(RSA_check_key(key.get())); 554 555 const uint8_t kDummyHash[32] = {0}; 556 uint8_t buf[64]; 557 unsigned buf_len = sizeof(buf); 558 ASSERT_LE(RSA_size(key.get()), sizeof(buf)); 559 EXPECT_TRUE(RSA_sign(NID_sha256, kDummyHash, sizeof(kDummyHash), buf, 560 &buf_len, key.get())); 561 EXPECT_TRUE(RSA_verify(NID_sha256, kDummyHash, sizeof(kDummyHash), buf, 562 buf_len, key.get())); 563 564 // Keys without the public exponent must continue to work when blinding is 565 // disabled to support Java's RSAPrivateKeySpec API. See 566 // https://bugs.chromium.org/p/boringssl/issues/detail?id=12. 567 bssl::UniquePtr<RSA> key2(RSA_new()); 568 ASSERT_TRUE(key2); 569 ASSERT_TRUE(BN_hex2bn(&key2->n, kN)); 570 ASSERT_TRUE(BN_hex2bn(&key2->d, kD)); 571 key2->flags |= RSA_FLAG_NO_BLINDING; 572 573 ASSERT_LE(RSA_size(key2.get()), sizeof(buf)); 574 EXPECT_TRUE(RSA_sign(NID_sha256, kDummyHash, sizeof(kDummyHash), buf, 575 &buf_len, key2.get())); 576 577 // Verify the signature with |key|. |key2| has no public exponent. 578 EXPECT_TRUE(RSA_verify(NID_sha256, kDummyHash, sizeof(kDummyHash), buf, 579 buf_len, key.get())); 580 } 581 582 TEST(RSATest, ASN1) { 583 // Test that private keys may be decoded. 584 bssl::UniquePtr<RSA> rsa( 585 RSA_private_key_from_bytes(kKey1, sizeof(kKey1) - 1)); 586 ASSERT_TRUE(rsa); 587 588 // Test that the serialization round-trips. 589 uint8_t *der; 590 size_t der_len; 591 ASSERT_TRUE(RSA_private_key_to_bytes(&der, &der_len, rsa.get())); 592 bssl::UniquePtr<uint8_t> delete_der(der); 593 EXPECT_EQ(Bytes(kKey1, sizeof(kKey1) - 1), Bytes(der, der_len)); 594 595 // Test that serializing public keys works. 596 ASSERT_TRUE(RSA_public_key_to_bytes(&der, &der_len, rsa.get())); 597 delete_der.reset(der); 598 599 // Public keys may be parsed back out. 600 rsa.reset(RSA_public_key_from_bytes(der, der_len)); 601 ASSERT_TRUE(rsa); 602 EXPECT_FALSE(rsa->p); 603 EXPECT_FALSE(rsa->q); 604 605 // Serializing the result round-trips. 606 uint8_t *der2; 607 size_t der2_len; 608 ASSERT_TRUE(RSA_public_key_to_bytes(&der2, &der2_len, rsa.get())); 609 bssl::UniquePtr<uint8_t> delete_der2(der2); 610 EXPECT_EQ(Bytes(der, der_len), Bytes(der2, der2_len)); 611 612 // Public keys cannot be serialized as private keys. 613 int ok = RSA_private_key_to_bytes(&der, &der_len, rsa.get()); 614 if (ok) { 615 OPENSSL_free(der); 616 } 617 EXPECT_FALSE(ok); 618 ERR_clear_error(); 619 620 // Public keys with negative moduli are invalid. 621 rsa.reset(RSA_public_key_from_bytes(kEstonianRSAKey, 622 sizeof(kEstonianRSAKey))); 623 EXPECT_FALSE(rsa); 624 ERR_clear_error(); 625 } 626 627 TEST(RSATest, BadExponent) { 628 bssl::UniquePtr<RSA> rsa( 629 RSA_public_key_from_bytes(kExponent1RSAKey, sizeof(kExponent1RSAKey))); 630 EXPECT_FALSE(rsa); 631 ERR_clear_error(); 632 } 633 634 // Attempting to generate an excessively small key should fail. 635 TEST(RSATest, GenerateSmallKey) { 636 bssl::UniquePtr<RSA> rsa(RSA_new()); 637 ASSERT_TRUE(rsa); 638 bssl::UniquePtr<BIGNUM> e(BN_new()); 639 ASSERT_TRUE(e); 640 ASSERT_TRUE(BN_set_word(e.get(), RSA_F4)); 641 642 EXPECT_FALSE(RSA_generate_key_ex(rsa.get(), 255, e.get(), nullptr)); 643 uint32_t err = ERR_get_error(); 644 EXPECT_EQ(ERR_LIB_RSA, ERR_GET_LIB(err)); 645 EXPECT_EQ(RSA_R_KEY_SIZE_TOO_SMALL, ERR_GET_REASON(err)); 646 } 647 648 // Attempting to generate an funny RSA key length should round down. 649 TEST(RSATest, RoundKeyLengths) { 650 bssl::UniquePtr<BIGNUM> e(BN_new()); 651 ASSERT_TRUE(e); 652 ASSERT_TRUE(BN_set_word(e.get(), RSA_F4)); 653 654 bssl::UniquePtr<RSA> rsa(RSA_new()); 655 ASSERT_TRUE(rsa); 656 EXPECT_TRUE(RSA_generate_key_ex(rsa.get(), 1025, e.get(), nullptr)); 657 EXPECT_EQ(1024u, BN_num_bits(rsa->n)); 658 659 rsa.reset(RSA_new()); 660 ASSERT_TRUE(rsa); 661 EXPECT_TRUE(RSA_generate_key_ex(rsa.get(), 1027, e.get(), nullptr)); 662 EXPECT_EQ(1024u, BN_num_bits(rsa->n)); 663 664 rsa.reset(RSA_new()); 665 ASSERT_TRUE(rsa); 666 EXPECT_TRUE(RSA_generate_key_ex(rsa.get(), 1151, e.get(), nullptr)); 667 EXPECT_EQ(1024u, BN_num_bits(rsa->n)); 668 669 rsa.reset(RSA_new()); 670 ASSERT_TRUE(rsa); 671 EXPECT_TRUE(RSA_generate_key_ex(rsa.get(), 1152, e.get(), nullptr)); 672 EXPECT_EQ(1152u, BN_num_bits(rsa->n)); 673 } 674 675 TEST(RSATest, BlindingDisabled) { 676 bssl::UniquePtr<RSA> rsa( 677 RSA_private_key_from_bytes(kTwoPrimeKey, sizeof(kTwoPrimeKey) - 1)); 678 ASSERT_TRUE(rsa); 679 680 rsa->flags |= RSA_FLAG_NO_BLINDING; 681 682 uint8_t sig[256]; 683 ASSERT_GE(sizeof(sig), RSA_size(rsa.get())); 684 685 static const uint8_t kZeros[32] = {0}; 686 unsigned sig_len; 687 ASSERT_TRUE( 688 RSA_sign(NID_sha256, kZeros, sizeof(kZeros), sig, &sig_len, rsa.get())); 689 EXPECT_TRUE( 690 RSA_verify(NID_sha256, kZeros, sizeof(kZeros), sig, sig_len, rsa.get())); 691 } 692 693 // Test that decrypting with a public key fails gracefully rather than crashing. 694 TEST(RSATest, DecryptPublic) { 695 bssl::UniquePtr<RSA> pub( 696 RSA_public_key_from_bytes(kFIPSPublicKey, sizeof(kFIPSPublicKey) - 1)); 697 ASSERT_TRUE(pub); 698 ASSERT_EQ(1024u / 8u, RSA_size(pub.get())); 699 700 size_t len; 701 uint8_t in[1024 / 8] = {0}, out[1024 / 8]; 702 EXPECT_FALSE(RSA_decrypt(pub.get(), &len, out, sizeof(out), in, sizeof(in), 703 RSA_PKCS1_PADDING)); 704 uint32_t err = ERR_get_error(); 705 EXPECT_EQ(ERR_LIB_RSA, ERR_GET_LIB(err)); 706 EXPECT_EQ(RSA_R_VALUE_MISSING, ERR_GET_REASON(err)); 707 } 708 709 #if !defined(BORINGSSL_SHARED_LIBRARY) 710 TEST(RSATest, SqrtTwo) { 711 bssl::UniquePtr<BIGNUM> sqrt(BN_new()), pow2(BN_new()); 712 bssl::UniquePtr<BN_CTX> ctx(BN_CTX_new()); 713 ASSERT_TRUE(sqrt); 714 ASSERT_TRUE(pow2); 715 ASSERT_TRUE(ctx); 716 717 size_t bits = kBoringSSLRSASqrtTwoLen * BN_BITS2; 718 ASSERT_TRUE(BN_one(pow2.get())); 719 ASSERT_TRUE(BN_lshift(pow2.get(), pow2.get(), 2 * bits - 1)); 720 721 // Check that sqrt < pow2. 722 ASSERT_TRUE( 723 bn_set_words(sqrt.get(), kBoringSSLRSASqrtTwo, kBoringSSLRSASqrtTwoLen)); 724 ASSERT_TRUE(BN_sqr(sqrt.get(), sqrt.get(), ctx.get())); 725 EXPECT_LT(BN_cmp(sqrt.get(), pow2.get()), 0); 726 727 // Check that pow2 < (sqrt + 1). 728 ASSERT_TRUE( 729 bn_set_words(sqrt.get(), kBoringSSLRSASqrtTwo, kBoringSSLRSASqrtTwoLen)); 730 ASSERT_TRUE(BN_add_word(sqrt.get(), 1)); 731 ASSERT_TRUE(BN_sqr(sqrt.get(), sqrt.get(), ctx.get())); 732 EXPECT_LT(BN_cmp(pow2.get(), sqrt.get()), 0); 733 734 // Check the kBoringSSLRSASqrtTwo is sized for a 3072-bit RSA key. 735 EXPECT_EQ(3072u / 2u, bits); 736 } 737 738 TEST(RSATest, GreaterThanPow2) { 739 bssl::UniquePtr<BIGNUM> b(BN_new()); 740 BN_zero(b.get()); 741 EXPECT_FALSE(rsa_greater_than_pow2(b.get(), 0)); 742 EXPECT_FALSE(rsa_greater_than_pow2(b.get(), 1)); 743 EXPECT_FALSE(rsa_greater_than_pow2(b.get(), 20)); 744 745 ASSERT_TRUE(BN_set_word(b.get(), 1)); 746 EXPECT_FALSE(rsa_greater_than_pow2(b.get(), 0)); 747 EXPECT_FALSE(rsa_greater_than_pow2(b.get(), 1)); 748 EXPECT_FALSE(rsa_greater_than_pow2(b.get(), 20)); 749 750 ASSERT_TRUE(BN_set_word(b.get(), 2)); 751 EXPECT_TRUE(rsa_greater_than_pow2(b.get(), 0)); 752 EXPECT_FALSE(rsa_greater_than_pow2(b.get(), 1)); 753 EXPECT_FALSE(rsa_greater_than_pow2(b.get(), 20)); 754 755 ASSERT_TRUE(BN_set_word(b.get(), 3)); 756 EXPECT_TRUE(rsa_greater_than_pow2(b.get(), 0)); 757 EXPECT_TRUE(rsa_greater_than_pow2(b.get(), 1)); 758 EXPECT_FALSE(rsa_greater_than_pow2(b.get(), 2)); 759 EXPECT_FALSE(rsa_greater_than_pow2(b.get(), 20)); 760 761 BN_set_negative(b.get(), 1); 762 EXPECT_FALSE(rsa_greater_than_pow2(b.get(), 0)); 763 EXPECT_FALSE(rsa_greater_than_pow2(b.get(), 1)); 764 EXPECT_FALSE(rsa_greater_than_pow2(b.get(), 2)); 765 EXPECT_FALSE(rsa_greater_than_pow2(b.get(), 20)); 766 767 // Check all bit lengths mod 64. 768 for (int n = 1024; n < 1024 + 64; n++) { 769 SCOPED_TRACE(n); 770 ASSERT_TRUE(BN_set_word(b.get(), 1)); 771 ASSERT_TRUE(BN_lshift(b.get(), b.get(), n)); 772 EXPECT_TRUE(rsa_greater_than_pow2(b.get(), n - 1)); 773 EXPECT_FALSE(rsa_greater_than_pow2(b.get(), n)); 774 EXPECT_FALSE(rsa_greater_than_pow2(b.get(), n + 1)); 775 776 ASSERT_TRUE(BN_sub_word(b.get(), 1)); 777 EXPECT_TRUE(rsa_greater_than_pow2(b.get(), n - 1)); 778 EXPECT_FALSE(rsa_greater_than_pow2(b.get(), n)); 779 EXPECT_FALSE(rsa_greater_than_pow2(b.get(), n + 1)); 780 781 ASSERT_TRUE(BN_add_word(b.get(), 2)); 782 EXPECT_TRUE(rsa_greater_than_pow2(b.get(), n - 1)); 783 EXPECT_TRUE(rsa_greater_than_pow2(b.get(), n)); 784 EXPECT_FALSE(rsa_greater_than_pow2(b.get(), n + 1)); 785 } 786 } 787 #endif // !BORINGSSL_SHARED_LIBRARY 788