1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.] */
56
57 #include <openssl/rsa.h>
58
59 #include <stdlib.h>
60 #include <string.h>
61
62 #include <gtest/gtest.h>
63
64 #include <openssl/bn.h>
65 #include <openssl/bytestring.h>
66 #include <openssl/crypto.h>
67 #include <openssl/err.h>
68 #include <openssl/nid.h>
69
70 #include "../fipsmodule/bn/internal.h"
71 #include "../fipsmodule/rsa/internal.h"
72 #include "../internal.h"
73 #include "../test/test_util.h"
74
75 #if defined(OPENSSL_THREADS)
76 #include <thread>
77 #include <vector>
78 #endif
79
80
81 // kPlaintext is a sample plaintext.
82 static const uint8_t kPlaintext[] = "\x54\x85\x9b\x34\x2c\x49\xea\x2a";
83 static const size_t kPlaintextLen = sizeof(kPlaintext) - 1;
84
85 // kKey1 is a DER-encoded RSAPrivateKey.
86 static const uint8_t kKey1[] =
87 "\x30\x82\x01\x38\x02\x01\x00\x02\x41\x00\xaa\x36\xab\xce\x88\xac\xfd\xff"
88 "\x55\x52\x3c\x7f\xc4\x52\x3f\x90\xef\xa0\x0d\xf3\x77\x4a\x25\x9f\x2e\x62"
89 "\xb4\xc5\xd9\x9c\xb5\xad\xb3\x00\xa0\x28\x5e\x53\x01\x93\x0e\x0c\x70\xfb"
90 "\x68\x76\x93\x9c\xe6\x16\xce\x62\x4a\x11\xe0\x08\x6d\x34\x1e\xbc\xac\xa0"
91 "\xa1\xf5\x02\x01\x11\x02\x40\x0a\x03\x37\x48\x62\x64\x87\x69\x5f\x5f\x30"
92 "\xbc\x38\xb9\x8b\x44\xc2\xcd\x2d\xff\x43\x40\x98\xcd\x20\xd8\xa1\x38\xd0"
93 "\x90\xbf\x64\x79\x7c\x3f\xa7\xa2\xcd\xcb\x3c\xd1\xe0\xbd\xba\x26\x54\xb4"
94 "\xf9\xdf\x8e\x8a\xe5\x9d\x73\x3d\x9f\x33\xb3\x01\x62\x4a\xfd\x1d\x51\x02"
95 "\x21\x00\xd8\x40\xb4\x16\x66\xb4\x2e\x92\xea\x0d\xa3\xb4\x32\x04\xb5\xcf"
96 "\xce\x33\x52\x52\x4d\x04\x16\xa5\xa4\x41\xe7\x00\xaf\x46\x12\x0d\x02\x21"
97 "\x00\xc9\x7f\xb1\xf0\x27\xf4\x53\xf6\x34\x12\x33\xea\xaa\xd1\xd9\x35\x3f"
98 "\x6c\x42\xd0\x88\x66\xb1\xd0\x5a\x0f\x20\x35\x02\x8b\x9d\x89\x02\x20\x59"
99 "\x0b\x95\x72\xa2\xc2\xa9\xc4\x06\x05\x9d\xc2\xab\x2f\x1d\xaf\xeb\x7e\x8b"
100 "\x4f\x10\xa7\x54\x9e\x8e\xed\xf5\xb4\xfc\xe0\x9e\x05\x02\x21\x00\x8e\x3c"
101 "\x05\x21\xfe\x15\xe0\xea\x06\xa3\x6f\xf0\xf1\x0c\x99\x52\xc3\x5b\x7a\x75"
102 "\x14\xfd\x32\x38\xb8\x0a\xad\x52\x98\x62\x8d\x51\x02\x20\x36\x3f\xf7\x18"
103 "\x9d\xa8\xe9\x0b\x1d\x34\x1f\x71\xd0\x9b\x76\xa8\xa9\x43\xe1\x1d\x10\xb2"
104 "\x4d\x24\x9f\x2d\xea\xfe\xf8\x0c\x18\x26";
105
106 // kFIPSKey is a DER-encoded RSAPrivateKey that is FIPS-compliant.
107 static const uint8_t kFIPSKey[] =
108 "\x30\x82\x02\x5c\x02\x01\x00\x02\x81\x81\x00\xa1\x71\x90\x77\x86\x8a\xc7"
109 "\xb8\xfc\x2a\x45\x82\x6d\xee\xeb\x35\x3a\x18\x3f\xb6\xb0\x1e\xb1\xd3\x09"
110 "\x6b\x05\x4d\xec\x1c\x37\x6f\x09\x31\x32\xda\x21\x8a\x49\x0e\x16\x28\xed"
111 "\x9a\x30\xf3\x14\x53\xfd\x5b\xb0\xf6\x4a\x5d\x52\xe1\xda\xe1\x40\x6e\x65"
112 "\xbf\xca\x45\xd9\x62\x96\x4a\x1e\x11\xc4\x61\x83\x1f\x58\x8d\x5e\xd0\x12"
113 "\xaf\xa5\xec\x9b\x97\x2f\x6c\xb2\x82\x4a\x73\xd0\xd3\x9a\xc9\x69\x6b\x24"
114 "\x3c\x82\x6f\xee\x4d\x0c\x7e\xdf\xd7\xae\xea\x3a\xeb\x04\x27\x8d\x43\x81"
115 "\x59\xa7\x90\x56\xc1\x69\x42\xb3\xaf\x1c\x8d\x4e\xbf\x02\x03\x01\x00\x01"
116 "\x02\x81\x80\x60\x82\xcd\x44\x46\xcf\xeb\xf9\x6f\xf5\xad\x3b\xfd\x90\x18"
117 "\x57\xe7\x74\xdb\x91\xd0\xd3\x68\xa6\xaa\x38\xaa\x21\x1d\x06\xf9\x34\x8d"
118 "\xa0\x35\xb0\x24\xe0\xd0\x2f\x75\x9b\xdd\xfe\x91\x48\x9f\x5c\x5e\x57\x54"
119 "\x00\xc8\x0f\xe6\x1e\x52\x84\xd9\xc9\xa5\x55\xf4\x0a\xbe\x88\x46\x7a\xfb"
120 "\x18\x37\x8e\xe6\x6e\xa2\x5f\x80\x48\x34\x3f\x5c\xbe\x0e\x1e\xe8\x2f\x50"
121 "\xba\x14\x96\x3c\xea\xfb\xd2\x49\x33\xdc\x12\xb8\xa7\x8a\xb5\x27\xf9\x00"
122 "\x4b\xf5\xd2\x2a\xd0\x2c\x1d\x9b\xd5\x6c\x3e\x4b\xb9\x7e\x39\xf7\x3e\x39"
123 "\xc9\x47\x5e\xbe\x91\x02\x41\x00\xcd\x33\xcf\x37\x01\xd7\x59\xcc\xbe\xa0"
124 "\x1c\xb9\xf5\xe7\x44\x9f\x62\x91\xa7\xa7\x7b\x0c\x52\xcd\x7e\xe6\x31\x11"
125 "\x8b\xd8\x2c\x8a\x63\xe1\x07\xc9\xcb\xce\x01\x45\x63\xf5\x5d\x44\xfb\xeb"
126 "\x8d\x74\x16\x20\x7d\x3b\xb4\xa1\x61\xb0\xa8\x29\x51\xc9\xef\xb6\xa1\xd5"
127 "\x02\x41\x00\xc9\x68\xa6\xd3\x88\xd5\x49\x9d\x6b\x44\x96\xfd\xbf\x66\x27"
128 "\xb4\x1f\x90\x76\x86\x2f\xe2\xce\x20\x5d\xee\x9b\xeb\xc4\xb4\x62\x47\x79"
129 "\x99\xb1\x99\xbc\xa2\xa6\xb6\x96\x64\xd5\x77\x9b\x45\xd4\xf0\x99\xb5\x9e"
130 "\x61\x4d\xf5\x12\xdd\x84\x14\xaf\x1e\xdd\x83\x24\x43\x02\x40\x60\x29\x7f"
131 "\x59\xcf\xcb\x13\x92\x17\x63\x01\x13\x44\x61\x74\x8f\x1c\xaa\x15\x5f\x2f"
132 "\x12\xbf\x5a\xfd\xb4\xf2\x19\xbe\xe7\x37\x38\x43\x46\x19\x58\x3f\xe1\xf2"
133 "\x46\x8a\x69\x59\xa4\x12\x4a\x78\xa7\x86\x17\x03\x99\x0f\x34\xf1\x8a\xcf"
134 "\xc3\x4d\x48\xcc\xc5\x51\x61\x02\x41\x00\xc2\x12\xb3\x5d\xf5\xe5\xff\xcf"
135 "\x4e\x43\x83\x72\xf2\xf1\x4e\xa4\xc4\x1d\x81\xf7\xff\x40\x7e\xfa\xb5\x48"
136 "\x6c\xba\x1c\x8a\xec\x80\x8e\xed\xc8\x32\xa9\x8f\xd9\x30\xeb\x6e\x32\x3b"
137 "\xd4\x44\xcf\xd1\x1f\x6b\xe0\x37\x46\xd5\x35\xde\x79\x9d\x2c\xb9\x83\x1d"
138 "\x10\xdd\x02\x40\x0f\x14\x95\x96\xa0\xe2\x6c\xd4\x88\xa7\x0b\x82\x14\x10"
139 "\xad\x26\x0d\xe4\xa1\x5e\x01\x3d\x21\xd2\xfb\x0e\xf9\x58\xa5\xca\x1e\x21"
140 "\xb3\xf5\x9a\x6c\x3d\x5a\x72\xb1\x2d\xfe\xac\x09\x4f\xdd\xe5\x44\xd1\x4e"
141 "\xf8\x59\x85\x3a\x65\xe2\xcd\xbc\x27\x1d\x9b\x48\x9f\xb9";
142
143 static const uint8_t kFIPSPublicKey[] =
144 "\x30\x81\x89\x02\x81\x81\x00\xa1\x71\x90\x77\x86\x8a\xc7\xb8\xfc\x2a\x45"
145 "\x82\x6d\xee\xeb\x35\x3a\x18\x3f\xb6\xb0\x1e\xb1\xd3\x09\x6b\x05\x4d\xec"
146 "\x1c\x37\x6f\x09\x31\x32\xda\x21\x8a\x49\x0e\x16\x28\xed\x9a\x30\xf3\x14"
147 "\x53\xfd\x5b\xb0\xf6\x4a\x5d\x52\xe1\xda\xe1\x40\x6e\x65\xbf\xca\x45\xd9"
148 "\x62\x96\x4a\x1e\x11\xc4\x61\x83\x1f\x58\x8d\x5e\xd0\x12\xaf\xa5\xec\x9b"
149 "\x97\x2f\x6c\xb2\x82\x4a\x73\xd0\xd3\x9a\xc9\x69\x6b\x24\x3c\x82\x6f\xee"
150 "\x4d\x0c\x7e\xdf\xd7\xae\xea\x3a\xeb\x04\x27\x8d\x43\x81\x59\xa7\x90\x56"
151 "\xc1\x69\x42\xb3\xaf\x1c\x8d\x4e\xbf\x02\x03\x01\x00\x01";
152
153 // kOAEPCiphertext1 is a sample encryption of |kPlaintext| with |kKey1| using
154 // RSA OAEP.
155 static const uint8_t kOAEPCiphertext1[] =
156 "\x1b\x8f\x05\xf9\xca\x1a\x79\x52\x6e\x53\xf3\xcc\x51\x4f\xdb\x89\x2b\xfb"
157 "\x91\x93\x23\x1e\x78\xb9\x92\xe6\x8d\x50\xa4\x80\xcb\x52\x33\x89\x5c\x74"
158 "\x95\x8d\x5d\x02\xab\x8c\x0f\xd0\x40\xeb\x58\x44\xb0\x05\xc3\x9e\xd8\x27"
159 "\x4a\x9d\xbf\xa8\x06\x71\x40\x94\x39\xd2";
160
161 // kKey2 is a DER-encoded RSAPrivateKey.
162 static const uint8_t kKey2[] =
163 "\x30\x81\xfb\x02\x01\x00\x02\x33\x00\xa3\x07\x9a\x90\xdf\x0d\xfd\x72\xac"
164 "\x09\x0c\xcc\x2a\x78\xb8\x74\x13\x13\x3e\x40\x75\x9c\x98\xfa\xf8\x20\x4f"
165 "\x35\x8a\x0b\x26\x3c\x67\x70\xe7\x83\xa9\x3b\x69\x71\xb7\x37\x79\xd2\x71"
166 "\x7b\xe8\x34\x77\xcf\x02\x01\x03\x02\x32\x6c\xaf\xbc\x60\x94\xb3\xfe\x4c"
167 "\x72\xb0\xb3\x32\xc6\xfb\x25\xa2\xb7\x62\x29\x80\x4e\x68\x65\xfc\xa4\x5a"
168 "\x74\xdf\x0f\x8f\xb8\x41\x3b\x52\xc0\xd0\xe5\x3d\x9b\x59\x0f\xf1\x9b\xe7"
169 "\x9f\x49\xdd\x21\xe5\xeb\x02\x1a\x00\xcf\x20\x35\x02\x8b\x9d\x86\x98\x40"
170 "\xb4\x16\x66\xb4\x2e\x92\xea\x0d\xa3\xb4\x32\x04\xb5\xcf\xce\x91\x02\x1a"
171 "\x00\xc9\x7f\xb1\xf0\x27\xf4\x53\xf6\x34\x12\x33\xea\xaa\xd1\xd9\x35\x3f"
172 "\x6c\x42\xd0\x88\x66\xb1\xd0\x5f\x02\x1a\x00\x8a\x15\x78\xac\x5d\x13\xaf"
173 "\x10\x2b\x22\xb9\x99\xcd\x74\x61\xf1\x5e\x6d\x22\xcc\x03\x23\xdf\xdf\x0b"
174 "\x02\x1a\x00\x86\x55\x21\x4a\xc5\x4d\x8d\x4e\xcd\x61\x77\xf1\xc7\x36\x90"
175 "\xce\x2a\x48\x2c\x8b\x05\x99\xcb\xe0\x3f\x02\x1a\x00\x83\xef\xef\xb8\xa9"
176 "\xa4\x0d\x1d\xb6\xed\x98\xad\x84\xed\x13\x35\xdc\xc1\x08\xf3\x22\xd0\x57"
177 "\xcf\x8d";
178
179 // kOAEPCiphertext2 is a sample encryption of |kPlaintext| with |kKey2| using
180 // RSA OAEP.
181 static const uint8_t kOAEPCiphertext2[] =
182 "\x14\xbd\xdd\x28\xc9\x83\x35\x19\x23\x80\xe8\xe5\x49\xb1\x58\x2a\x8b\x40"
183 "\xb4\x48\x6d\x03\xa6\xa5\x31\x1f\x1f\xd5\xf0\xa1\x80\xe4\x17\x53\x03\x29"
184 "\xa9\x34\x90\x74\xb1\x52\x13\x54\x29\x08\x24\x52\x62\x51";
185
186 // kKey3 is a DER-encoded RSAPrivateKey.
187 static const uint8_t kKey3[] =
188 "\x30\x82\x02\x5b\x02\x01\x00\x02\x81\x81\x00\xbb\xf8\x2f\x09\x06\x82\xce"
189 "\x9c\x23\x38\xac\x2b\x9d\xa8\x71\xf7\x36\x8d\x07\xee\xd4\x10\x43\xa4\x40"
190 "\xd6\xb6\xf0\x74\x54\xf5\x1f\xb8\xdf\xba\xaf\x03\x5c\x02\xab\x61\xea\x48"
191 "\xce\xeb\x6f\xcd\x48\x76\xed\x52\x0d\x60\xe1\xec\x46\x19\x71\x9d\x8a\x5b"
192 "\x8b\x80\x7f\xaf\xb8\xe0\xa3\xdf\xc7\x37\x72\x3e\xe6\xb4\xb7\xd9\x3a\x25"
193 "\x84\xee\x6a\x64\x9d\x06\x09\x53\x74\x88\x34\xb2\x45\x45\x98\x39\x4e\xe0"
194 "\xaa\xb1\x2d\x7b\x61\xa5\x1f\x52\x7a\x9a\x41\xf6\xc1\x68\x7f\xe2\x53\x72"
195 "\x98\xca\x2a\x8f\x59\x46\xf8\xe5\xfd\x09\x1d\xbd\xcb\x02\x01\x11\x02\x81"
196 "\x81\x00\xa5\xda\xfc\x53\x41\xfa\xf2\x89\xc4\xb9\x88\xdb\x30\xc1\xcd\xf8"
197 "\x3f\x31\x25\x1e\x06\x68\xb4\x27\x84\x81\x38\x01\x57\x96\x41\xb2\x94\x10"
198 "\xb3\xc7\x99\x8d\x6b\xc4\x65\x74\x5e\x5c\x39\x26\x69\xd6\x87\x0d\xa2\xc0"
199 "\x82\xa9\x39\xe3\x7f\xdc\xb8\x2e\xc9\x3e\xda\xc9\x7f\xf3\xad\x59\x50\xac"
200 "\xcf\xbc\x11\x1c\x76\xf1\xa9\x52\x94\x44\xe5\x6a\xaf\x68\xc5\x6c\x09\x2c"
201 "\xd3\x8d\xc3\xbe\xf5\xd2\x0a\x93\x99\x26\xed\x4f\x74\xa1\x3e\xdd\xfb\xe1"
202 "\xa1\xce\xcc\x48\x94\xaf\x94\x28\xc2\xb7\xb8\x88\x3f\xe4\x46\x3a\x4b\xc8"
203 "\x5b\x1c\xb3\xc1\x02\x41\x00\xee\xcf\xae\x81\xb1\xb9\xb3\xc9\x08\x81\x0b"
204 "\x10\xa1\xb5\x60\x01\x99\xeb\x9f\x44\xae\xf4\xfd\xa4\x93\xb8\x1a\x9e\x3d"
205 "\x84\xf6\x32\x12\x4e\xf0\x23\x6e\x5d\x1e\x3b\x7e\x28\xfa\xe7\xaa\x04\x0a"
206 "\x2d\x5b\x25\x21\x76\x45\x9d\x1f\x39\x75\x41\xba\x2a\x58\xfb\x65\x99\x02"
207 "\x41\x00\xc9\x7f\xb1\xf0\x27\xf4\x53\xf6\x34\x12\x33\xea\xaa\xd1\xd9\x35"
208 "\x3f\x6c\x42\xd0\x88\x66\xb1\xd0\x5a\x0f\x20\x35\x02\x8b\x9d\x86\x98\x40"
209 "\xb4\x16\x66\xb4\x2e\x92\xea\x0d\xa3\xb4\x32\x04\xb5\xcf\xce\x33\x52\x52"
210 "\x4d\x04\x16\xa5\xa4\x41\xe7\x00\xaf\x46\x15\x03\x02\x40\x54\x49\x4c\xa6"
211 "\x3e\xba\x03\x37\xe4\xe2\x40\x23\xfc\xd6\x9a\x5a\xeb\x07\xdd\xdc\x01\x83"
212 "\xa4\xd0\xac\x9b\x54\xb0\x51\xf2\xb1\x3e\xd9\x49\x09\x75\xea\xb7\x74\x14"
213 "\xff\x59\xc1\xf7\x69\x2e\x9a\x2e\x20\x2b\x38\xfc\x91\x0a\x47\x41\x74\xad"
214 "\xc9\x3c\x1f\x67\xc9\x81\x02\x40\x47\x1e\x02\x90\xff\x0a\xf0\x75\x03\x51"
215 "\xb7\xf8\x78\x86\x4c\xa9\x61\xad\xbd\x3a\x8a\x7e\x99\x1c\x5c\x05\x56\xa9"
216 "\x4c\x31\x46\xa7\xf9\x80\x3f\x8f\x6f\x8a\xe3\x42\xe9\x31\xfd\x8a\xe4\x7a"
217 "\x22\x0d\x1b\x99\xa4\x95\x84\x98\x07\xfe\x39\xf9\x24\x5a\x98\x36\xda\x3d"
218 "\x02\x41\x00\xb0\x6c\x4f\xda\xbb\x63\x01\x19\x8d\x26\x5b\xdb\xae\x94\x23"
219 "\xb3\x80\xf2\x71\xf7\x34\x53\x88\x50\x93\x07\x7f\xcd\x39\xe2\x11\x9f\xc9"
220 "\x86\x32\x15\x4f\x58\x83\xb1\x67\xa9\x67\xbf\x40\x2b\x4e\x9e\x2e\x0f\x96"
221 "\x56\xe6\x98\xea\x36\x66\xed\xfb\x25\x79\x80\x39\xf7";
222
223 // kOAEPCiphertext3 is a sample encryption of |kPlaintext| with |kKey3| using
224 // RSA OAEP.
225 static const uint8_t kOAEPCiphertext3[] =
226 "\xb8\x24\x6b\x56\xa6\xed\x58\x81\xae\xb5\x85\xd9\xa2\x5b\x2a\xd7\x90\xc4"
227 "\x17\xe0\x80\x68\x1b\xf1\xac\x2b\xc3\xde\xb6\x9d\x8b\xce\xf0\xc4\x36\x6f"
228 "\xec\x40\x0a\xf0\x52\xa7\x2e\x9b\x0e\xff\xb5\xb3\xf2\xf1\x92\xdb\xea\xca"
229 "\x03\xc1\x27\x40\x05\x71\x13\xbf\x1f\x06\x69\xac\x22\xe9\xf3\xa7\x85\x2e"
230 "\x3c\x15\xd9\x13\xca\xb0\xb8\x86\x3a\x95\xc9\x92\x94\xce\x86\x74\x21\x49"
231 "\x54\x61\x03\x46\xf4\xd4\x74\xb2\x6f\x7c\x48\xb4\x2e\xe6\x8e\x1f\x57\x2a"
232 "\x1f\xc4\x02\x6a\xc4\x56\xb4\xf5\x9f\x7b\x62\x1e\xa1\xb9\xd8\x8f\x64\x20"
233 "\x2f\xb1";
234
235 static const uint8_t kTwoPrimeKey[] =
236 "\x30\x82\x04\xa1\x02\x01\x00\x02\x82\x01\x01\x00\x93\x3a\x4f\xc9\x6a\x0a"
237 "\x6b\x28\x04\xfa\xb7\x05\x56\xdf\xa0\xaa\x4f\xaa\xab\x94\xa0\xa9\x25\xef"
238 "\xc5\x96\xd2\xd4\x66\x16\x62\x2c\x13\x7b\x91\xd0\x36\x0a\x10\x11\x6d\x7a"
239 "\x91\xb6\xe4\x74\x57\xc1\x3d\x7a\xbe\x24\x05\x3a\x04\x0b\x73\x91\x53\xb1"
240 "\x74\x10\xe1\x87\xdc\x91\x28\x9c\x1e\xe5\xf2\xb9\xfc\xa2\x48\x34\xb6\x78"
241 "\xed\x6d\x95\xfb\xf2\xc0\x4e\x1c\xa4\x15\x00\x3c\x8a\x68\x2b\xd6\xce\xd5"
242 "\xb3\x9f\x66\x02\xa7\x0d\x08\xa3\x23\x9b\xe5\x36\x96\x13\x22\xf9\x69\xa6"
243 "\x87\x88\x9b\x85\x3f\x83\x9c\xab\x1a\x1b\x6d\x8d\x16\xf4\x5e\xbd\xee\x4b"
244 "\x59\x56\xf8\x9d\x58\xcd\xd2\x83\x85\x59\x43\x84\x63\x4f\xe6\x1a\x86\x66"
245 "\x0d\xb5\xa0\x87\x89\xb6\x13\x82\x43\xda\x34\x92\x3b\x68\xc4\x95\x71\x2f"
246 "\x15\xc2\xe0\x43\x67\x3c\x08\x00\x36\x10\xc3\xb4\x46\x4c\x4e\x6e\xf5\x44"
247 "\xa9\x04\x44\x9d\xce\xc7\x05\x79\xee\x11\xcf\xaf\x2c\xd7\x9a\x32\xd3\xa5"
248 "\x30\xd4\x3a\x78\x43\x37\x74\x22\x90\x24\x04\x11\xd7\x95\x08\x52\xa4\x71"
249 "\x41\x68\x94\xb0\xa0\xc3\xec\x4e\xd2\xc4\x30\x71\x98\x64\x9c\xe3\x7c\x76"
250 "\xef\x33\xa3\x2b\xb1\x87\x63\xd2\x5c\x09\xfc\x90\x2d\x92\xf4\x57\x02\x01"
251 "\x03\x02\x82\x01\x00\x62\x26\xdf\xdb\x9c\x06\xf2\x1a\xad\xfc\x7a\x03\x8f"
252 "\x3f\xc0\x71\x8a\x71\xc7\xb8\x6b\x1b\x6e\x9f\xd9\x0f\x37\x38\x44\x0e\xec"
253 "\x1d\x62\x52\x61\x35\x79\x5c\x0a\xb6\x48\xfc\x61\x24\x98\x4d\x8f\xd6\x28"
254 "\xfc\x7e\xc2\xae\x26\xad\x5c\xf7\xb6\x37\xcb\xa2\xb5\xeb\xaf\xe8\x60\xc5"
255 "\xbd\x69\xee\xa1\xd1\x53\x16\xda\xcd\xce\xfb\x48\xf3\xb9\x52\xa1\xd5\x89"
256 "\x68\x6d\x63\x55\x7d\xb1\x9a\xc7\xe4\x89\xe3\xcd\x14\xee\xac\x6f\x5e\x05"
257 "\xc2\x17\xbd\x43\x79\xb9\x62\x17\x50\xf1\x19\xaf\xb0\x67\xae\x2a\x57\xbd"
258 "\xc7\x66\xbc\xf3\xb3\x64\xa1\xe3\x16\x74\x9e\xea\x02\x5c\xab\x94\xd8\x97"
259 "\x02\x42\x0c\x2c\xba\x54\xb9\xaf\xe0\x45\x93\xad\x7f\xb3\x10\x6a\x96\x50"
260 "\x4b\xaf\xcf\xc8\x27\x62\x2d\x83\xe9\x26\xc6\x94\xc1\xef\x5c\x8e\x06\x42"
261 "\x53\xe5\x56\xaf\xc2\x99\x01\xaa\x9a\x71\xbc\xe8\x21\x33\x2a\x2d\xa3\x36"
262 "\xac\x1b\x86\x19\xf8\xcd\x1f\x80\xa4\x26\x98\xb8\x9f\x62\x62\xd5\x1a\x7f"
263 "\xee\xdb\xdf\x81\xd3\x21\xdb\x33\x92\xee\xff\xe2\x2f\x32\x77\x73\x6a\x58"
264 "\xab\x21\xf3\xe3\xe1\xbc\x4f\x12\x72\xa6\xb5\xc2\xfb\x27\x9e\xc8\xca\xab"
265 "\x64\xa0\x87\x07\x9d\xef\xca\x0f\xdb\x02\x81\x81\x00\xe6\xd3\x4d\xc0\xa1"
266 "\x91\x0e\x62\xfd\xb0\xdd\xc6\x30\xb8\x8c\xcb\x14\xc1\x4b\x69\x30\xdd\xcd"
267 "\x86\x67\xcb\x37\x14\xc5\x03\xd2\xb4\x69\xab\x3d\xe5\x16\x81\x0f\xe5\x50"
268 "\xf4\x18\xb1\xec\xbc\x71\xe9\x80\x99\x06\xe4\xa3\xfe\x44\x84\x4a\x2d\x1e"
269 "\x07\x7f\x22\x70\x6d\x4f\xd4\x93\x0b\x8b\x99\xce\x1e\xab\xcd\x4c\xd2\xd3"
270 "\x10\x47\x5c\x09\x9f\x6d\x82\xc0\x08\x75\xe3\x3d\x83\xc2\x19\x50\x29\xec"
271 "\x1f\x84\x29\xcc\xf1\x56\xee\xbd\x54\x5d\xe6\x19\xdf\x0d\x1c\xa4\xbb\x0a"
272 "\xfe\x84\x44\x29\x1d\xf9\x5c\x80\x96\x5b\x24\xb4\xf7\x02\x1b\x02\x81\x81"
273 "\x00\xa3\x48\xf1\x9c\x58\xc2\x5f\x38\xfb\xd8\x12\x39\xf1\x8e\x73\xa1\xcf"
274 "\x78\x12\xe0\xed\x2a\xbb\xef\xac\x23\xb2\xbf\xd6\x0c\xe9\x6e\x1e\xab\xea"
275 "\x3f\x68\x36\xa7\x1f\xe5\xab\xe0\x86\xa5\x76\x32\x98\xdd\x75\xb5\x2b\xbc"
276 "\xcb\x8a\x03\x00\x7c\x2e\xca\xf8\xbc\x19\xe4\xe3\xa3\x31\xbd\x1d\x20\x2b"
277 "\x09\xad\x6f\x4c\xed\x48\xd4\xdf\x87\xf9\xf0\x46\xb9\x86\x4c\x4b\x71\xe7"
278 "\x48\x78\xdc\xed\xc7\x82\x02\x44\xd3\xa6\xb3\x10\x5f\x62\x81\xfc\xb8\xe4"
279 "\x0e\xf4\x1a\xdd\xab\x3f\xbc\x63\x79\x5b\x39\x69\x5e\xea\xa9\x15\xfe\x90"
280 "\xec\xda\x75\x02\x81\x81\x00\x99\xe2\x33\xd5\xc1\x0b\x5e\xec\xa9\x20\x93"
281 "\xd9\x75\xd0\x5d\xdc\xb8\x80\xdc\xf0\xcb\x3e\x89\x04\x45\x32\x24\xb8\x83"
282 "\x57\xe1\xcd\x9b\xc7\x7e\x98\xb9\xab\x5f\xee\x35\xf8\x10\x76\x9d\xd2\xf6"
283 "\x9b\xab\x10\xaf\x43\x17\xfe\xd8\x58\x31\x73\x69\x5a\x54\xc1\xa0\x48\xdf"
284 "\xe3\x0c\xb2\x5d\x11\x34\x14\x72\x88\xdd\xe1\xe2\x0a\xda\x3d\x5b\xbf\x9e"
285 "\x57\x2a\xb0\x4e\x97\x7e\x57\xd6\xbb\x8a\xc6\x9d\x6a\x58\x1b\xdd\xf6\x39"
286 "\xf4\x7e\x38\x3e\x99\x66\x94\xb3\x68\x6d\xd2\x07\x54\x58\x2d\x70\xbe\xa6"
287 "\x3d\xab\x0e\xe7\x6d\xcd\xfa\x01\x67\x02\x81\x80\x6c\xdb\x4b\xbd\x90\x81"
288 "\x94\xd0\xa7\xe5\x61\x7b\xf6\x5e\xf7\xc1\x34\xfa\xb7\x40\x9e\x1c\x7d\x4a"
289 "\x72\xc2\x77\x2a\x8e\xb3\x46\x49\x69\xc7\xf1\x7f\x9a\xcf\x1a\x15\x43\xc7"
290 "\xeb\x04\x6e\x4e\xcc\x65\xe8\xf9\x23\x72\x7d\xdd\x06\xac\xaa\xfd\x74\x87"
291 "\x50\x7d\x66\x98\x97\xc2\x21\x28\xbe\x15\x72\x06\x73\x9f\x88\x9e\x30\x8d"
292 "\xea\x5a\xa6\xa0\x2f\x26\x59\x88\x32\x4b\xef\x85\xa5\xe8\x9e\x85\x01\x56"
293 "\xd8\x8d\x19\xcc\xb5\x94\xec\x56\xa8\x7b\x42\xb4\xa2\xbc\x93\xc7\x7f\xd2"
294 "\xec\xfb\x92\x26\x46\x3f\x47\x1b\x63\xff\x0b\x48\x91\xa3\x02\x81\x80\x2c"
295 "\x4a\xb9\xa4\x46\x7b\xff\x50\x7e\xbf\x60\x47\x3b\x2b\x66\x82\xdc\x0e\x53"
296 "\x65\x71\xe9\xda\x2a\xb8\x32\x93\x42\xb7\xff\xea\x67\x66\xf1\xbc\x87\x28"
297 "\x65\x29\x79\xca\xab\x93\x56\xda\x95\xc1\x26\x44\x3d\x27\xc1\x91\xc6\x9b"
298 "\xd9\xec\x9d\xb7\x49\xe7\x16\xee\x99\x87\x50\x95\x81\xd4\x5c\x5b\x5a\x5d"
299 "\x0a\x43\xa5\xa7\x8f\x5a\x80\x49\xa0\xb7\x10\x85\xc7\xf4\x42\x34\x86\xb6"
300 "\x5f\x3f\x88\x9e\xc7\xf5\x59\x29\x39\x68\x48\xf2\xd7\x08\x5b\x92\x8e\x6b"
301 "\xea\xa5\x63\x5f\xc0\xfb\xe4\xe1\xb2\x7d\xb7\x40\xe9\x55\x06\xbf\x58\x25"
302 "\x6f";
303
304 static const uint8_t kTwoPrimeEncryptedMessage[] = {
305 0x63, 0x0a, 0x30, 0x45, 0x43, 0x11, 0x45, 0xb7, 0x99, 0x67, 0x90, 0x35,
306 0x37, 0x27, 0xff, 0xbc, 0xe0, 0xbf, 0xa6, 0xd1, 0x47, 0x50, 0xbb, 0x6c,
307 0x1c, 0xaa, 0x66, 0xf2, 0xff, 0x9d, 0x9a, 0xa6, 0xb4, 0x16, 0x63, 0xb0,
308 0xa1, 0x7c, 0x7c, 0x0c, 0xef, 0xb3, 0x66, 0x52, 0x42, 0xd7, 0x5e, 0xf3,
309 0xa4, 0x15, 0x33, 0x40, 0x43, 0xe8, 0xb1, 0xfc, 0xe0, 0x42, 0x83, 0x46,
310 0x28, 0xce, 0xde, 0x7b, 0x01, 0xeb, 0x28, 0x92, 0x70, 0xdf, 0x8d, 0x54,
311 0x9e, 0xed, 0x23, 0xb4, 0x78, 0xc3, 0xca, 0x85, 0x53, 0x48, 0xd6, 0x8a,
312 0x87, 0xf7, 0x69, 0xcd, 0x82, 0x8c, 0x4f, 0x5c, 0x05, 0x55, 0xa6, 0x78,
313 0x89, 0xab, 0x4c, 0xd8, 0xa9, 0xd6, 0xa5, 0xf4, 0x29, 0x4c, 0x23, 0xc8,
314 0xcf, 0xf0, 0x4c, 0x64, 0x6b, 0x4e, 0x02, 0x17, 0x69, 0xd6, 0x47, 0x83,
315 0x30, 0x43, 0x02, 0x29, 0xda, 0xda, 0x75, 0x3b, 0xd7, 0xa7, 0x2b, 0x31,
316 0xb3, 0xe9, 0x71, 0xa4, 0x41, 0xf7, 0x26, 0x9b, 0xcd, 0x23, 0xfa, 0x45,
317 0x3c, 0x9b, 0x7d, 0x28, 0xf7, 0xf9, 0x67, 0x04, 0xba, 0xfc, 0x46, 0x75,
318 0x11, 0x3c, 0xd5, 0x27, 0x43, 0x53, 0xb1, 0xb6, 0x9e, 0x18, 0xeb, 0x11,
319 0xb4, 0x25, 0x20, 0x30, 0x0b, 0xe0, 0x1c, 0x17, 0x36, 0x22, 0x10, 0x0f,
320 0x99, 0xb5, 0x50, 0x14, 0x73, 0x07, 0xf0, 0x2f, 0x5d, 0x4c, 0xe3, 0xf2,
321 0x86, 0xc2, 0x05, 0xc8, 0x38, 0xed, 0xeb, 0x2a, 0x4a, 0xab, 0x76, 0xe3,
322 0x1a, 0x75, 0x44, 0xf7, 0x6e, 0x94, 0xdc, 0x25, 0x62, 0x7e, 0x31, 0xca,
323 0xc2, 0x73, 0x51, 0xb5, 0x03, 0xfb, 0xf9, 0xf6, 0xb5, 0x8d, 0x4e, 0x6c,
324 0x21, 0x0e, 0xf9, 0x97, 0x26, 0x57, 0xf3, 0x52, 0x72, 0x07, 0xf8, 0xb4,
325 0xcd, 0xb4, 0x39, 0xcf, 0xbf, 0x78, 0xcc, 0xb6, 0x87, 0xf9, 0xb7, 0x8b,
326 0x6a, 0xce, 0x9f, 0xc8,
327 };
328
329 // kEstonianRSAKey is an RSAPublicKey encoded with a negative modulus. See
330 // https://crbug.com/532048.
331 static const uint8_t kEstonianRSAKey[] = {
332 0x30, 0x82, 0x01, 0x09, 0x02, 0x82, 0x01, 0x00, 0x96, 0xa6, 0x2e, 0x9c,
333 0x4e, 0x6a, 0xc3, 0xcc, 0xcd, 0x8f, 0x70, 0xc3, 0x55, 0xbf, 0x5e, 0x9c,
334 0xd4, 0xf3, 0x17, 0xc3, 0x97, 0x70, 0xae, 0xdf, 0x12, 0x5c, 0x15, 0x80,
335 0x03, 0xef, 0x2b, 0x18, 0x9d, 0x6a, 0xcb, 0x52, 0x22, 0xc1, 0x81, 0xb8,
336 0x7e, 0x61, 0xe8, 0x0f, 0x79, 0x24, 0x0f, 0x82, 0x70, 0x24, 0x4e, 0x29,
337 0x20, 0x05, 0x54, 0xeb, 0xd4, 0xa9, 0x65, 0x59, 0xb6, 0x3c, 0x75, 0x95,
338 0x2f, 0x4c, 0xf6, 0x9d, 0xd1, 0xaf, 0x5f, 0x14, 0x14, 0xe7, 0x25, 0xea,
339 0xa5, 0x47, 0x5d, 0xc6, 0x3e, 0x28, 0x8d, 0xdc, 0x54, 0x87, 0x2a, 0x7c,
340 0x10, 0xe9, 0xc6, 0x76, 0x2d, 0xe7, 0x79, 0xd8, 0x0e, 0xbb, 0xa9, 0xac,
341 0xb5, 0x18, 0x98, 0xd6, 0x47, 0x6e, 0x06, 0x70, 0xbf, 0x9e, 0x82, 0x25,
342 0x95, 0x4e, 0xfd, 0x70, 0xd7, 0x73, 0x45, 0x2e, 0xc1, 0x1f, 0x7a, 0x9a,
343 0x9d, 0x60, 0xc0, 0x1f, 0x67, 0x06, 0x2a, 0x4e, 0x87, 0x3f, 0x19, 0x88,
344 0x69, 0x64, 0x4d, 0x9f, 0x75, 0xf5, 0xd3, 0x1a, 0x41, 0x3d, 0x35, 0x17,
345 0xb6, 0xd1, 0x44, 0x0d, 0x25, 0x8b, 0xe7, 0x94, 0x39, 0xb0, 0x7c, 0xaf,
346 0x3e, 0x6a, 0xfa, 0x8d, 0x90, 0x21, 0x0f, 0x8a, 0x43, 0x94, 0x37, 0x7c,
347 0x2a, 0x15, 0x4c, 0xa0, 0xfa, 0xa9, 0x2f, 0x21, 0xa6, 0x6f, 0x8e, 0x2f,
348 0x89, 0xbc, 0xbb, 0x33, 0xf8, 0x31, 0xfc, 0xdf, 0xcd, 0x68, 0x9a, 0xbc,
349 0x75, 0x06, 0x95, 0xf1, 0x3d, 0xef, 0xca, 0x76, 0x27, 0xd2, 0xba, 0x8e,
350 0x0e, 0x1c, 0x43, 0xd7, 0x70, 0xb9, 0xc6, 0x15, 0xca, 0xd5, 0x4d, 0x87,
351 0xb9, 0xd1, 0xae, 0xde, 0x69, 0x73, 0x00, 0x2a, 0x97, 0x51, 0x4b, 0x30,
352 0x01, 0xc2, 0x85, 0xd0, 0x05, 0xcc, 0x2e, 0xe8, 0xc7, 0x42, 0xe7, 0x94,
353 0x51, 0xe3, 0xf5, 0x19, 0x35, 0xdc, 0x57, 0x96, 0xe7, 0xd9, 0xb4, 0x49,
354 0x02, 0x03, 0x01, 0x00, 0x01,
355 };
356
357 // kExponent1RSAKey is an RSAPublicKey encoded with an exponent of 1. See
358 // https://crbug.com/541257
359 static const uint8_t kExponent1RSAKey[] = {
360 0x30, 0x82, 0x01, 0x08, 0x02, 0x82, 0x01, 0x01, 0x00, 0xcf, 0x86, 0x9a,
361 0x7d, 0x5c, 0x9f, 0xbd, 0x33, 0xbb, 0xc2, 0xb1, 0x06, 0xa8, 0x3e, 0xc5,
362 0x18, 0xf3, 0x01, 0x04, 0xdd, 0x7a, 0x38, 0x0e, 0x8e, 0x8d, 0x10, 0xaa,
363 0xf8, 0x64, 0x49, 0x82, 0xa6, 0x16, 0x9d, 0xd9, 0xae, 0x5e, 0x7f, 0x9b,
364 0x53, 0xcb, 0xbb, 0x29, 0xda, 0x98, 0x47, 0x26, 0x88, 0x2e, 0x1d, 0x64,
365 0xb3, 0xbc, 0x7e, 0x96, 0x3a, 0xa7, 0xd6, 0x87, 0xf6, 0xf5, 0x3f, 0xa7,
366 0x3b, 0xd3, 0xc5, 0xd5, 0x61, 0x3c, 0x63, 0x05, 0xf9, 0xbc, 0x64, 0x1d,
367 0x71, 0x65, 0xf5, 0xc8, 0xe8, 0x64, 0x41, 0x35, 0x88, 0x81, 0x6b, 0x2a,
368 0x24, 0xbb, 0xdd, 0x9f, 0x75, 0x4f, 0xea, 0x35, 0xe5, 0x32, 0x76, 0x5a,
369 0x8b, 0x7a, 0xb5, 0x92, 0x65, 0x34, 0xb7, 0x88, 0x42, 0x5d, 0x41, 0x0b,
370 0xd1, 0x00, 0x2d, 0x43, 0x47, 0x55, 0x60, 0x3c, 0x0e, 0x60, 0x04, 0x5c,
371 0x88, 0x13, 0xc7, 0x42, 0x55, 0x16, 0x31, 0x32, 0x81, 0xba, 0xde, 0xa9,
372 0x56, 0xeb, 0xdb, 0x66, 0x7f, 0x31, 0xba, 0xe8, 0x87, 0x1a, 0xcc, 0xad,
373 0x90, 0x86, 0x4b, 0xa7, 0x6d, 0xd5, 0xc1, 0xb7, 0xe7, 0x67, 0x56, 0x41,
374 0xf7, 0x03, 0xb3, 0x09, 0x61, 0x63, 0xb5, 0xb0, 0x19, 0x7b, 0xc5, 0x91,
375 0xc8, 0x96, 0x5b, 0x6a, 0x80, 0xa1, 0x53, 0x0f, 0x9a, 0x47, 0xb5, 0x9a,
376 0x44, 0x53, 0xbd, 0x93, 0xe3, 0xe4, 0xce, 0x0c, 0x17, 0x11, 0x51, 0x1d,
377 0xfd, 0x6c, 0x74, 0xe4, 0xec, 0x2a, 0xce, 0x57, 0x27, 0xcc, 0x83, 0x98,
378 0x08, 0x32, 0x2c, 0xd5, 0x75, 0xa9, 0x27, 0xfe, 0xaa, 0x5e, 0x48, 0xc9,
379 0x46, 0x9a, 0x29, 0x3f, 0xe6, 0x01, 0x4d, 0x97, 0x4a, 0x70, 0xd1, 0x5d,
380 0xf8, 0xc0, 0x0b, 0x23, 0xcb, 0xbe, 0xf5, 0x70, 0x0b, 0xc2, 0xf2, 0xc0,
381 0x33, 0x9c, 0xc4, 0x8b, 0x39, 0x7e, 0x3d, 0xc6, 0x23, 0x39, 0x9a, 0x98,
382 0xdd, 0x02, 0x01, 0x01,
383 };
384
385 struct RSAEncryptParam {
386 const uint8_t *der;
387 size_t der_len;
388 const uint8_t *oaep_ciphertext;
389 size_t oaep_ciphertext_len;
390 } kRSAEncryptParams[] = {
391 {kKey1, sizeof(kKey1) - 1, kOAEPCiphertext1, sizeof(kOAEPCiphertext1) - 1},
392 {kKey2, sizeof(kKey2) - 1, kOAEPCiphertext2, sizeof(kOAEPCiphertext2) - 1},
393 {kKey3, sizeof(kKey3) - 1, kOAEPCiphertext3, sizeof(kOAEPCiphertext3) - 1},
394 };
395
396 class RSAEncryptTest : public testing::TestWithParam<RSAEncryptParam> {};
397
TEST_P(RSAEncryptTest,TestKey)398 TEST_P(RSAEncryptTest, TestKey) {
399 const auto ¶m = GetParam();
400 bssl::UniquePtr<RSA> key(
401 RSA_private_key_from_bytes(param.der, param.der_len));
402 ASSERT_TRUE(key);
403
404 EXPECT_TRUE(RSA_check_key(key.get()));
405
406 uint8_t ciphertext[256];
407
408 // Test that PKCS#1 v1.5 encryption round-trips.
409 size_t ciphertext_len = 0;
410 ASSERT_TRUE(RSA_encrypt(key.get(), &ciphertext_len, ciphertext,
411 sizeof(ciphertext), kPlaintext, kPlaintextLen,
412 RSA_PKCS1_PADDING));
413 EXPECT_EQ(RSA_size(key.get()), ciphertext_len);
414
415 uint8_t plaintext[256];
416 size_t plaintext_len = 0;
417 ASSERT_TRUE(RSA_decrypt(key.get(), &plaintext_len, plaintext,
418 sizeof(plaintext), ciphertext, ciphertext_len,
419 RSA_PKCS1_PADDING));
420 EXPECT_EQ(Bytes(kPlaintext, kPlaintextLen), Bytes(plaintext, plaintext_len));
421
422 // Test that OAEP encryption round-trips.
423 ciphertext_len = 0;
424 ASSERT_TRUE(RSA_encrypt(key.get(), &ciphertext_len, ciphertext,
425 sizeof(ciphertext), kPlaintext, kPlaintextLen,
426 RSA_PKCS1_OAEP_PADDING));
427 EXPECT_EQ(RSA_size(key.get()), ciphertext_len);
428
429 plaintext_len = 0;
430 ASSERT_TRUE(RSA_decrypt(key.get(), &plaintext_len, plaintext,
431 sizeof(plaintext), ciphertext, ciphertext_len,
432 RSA_PKCS1_OAEP_PADDING));
433 EXPECT_EQ(Bytes(kPlaintext, kPlaintextLen), Bytes(plaintext, plaintext_len));
434
435 // |oaep_ciphertext| should decrypt to |kPlaintext|.
436 plaintext_len = 0;
437 ASSERT_TRUE(RSA_decrypt(key.get(), &plaintext_len, plaintext,
438 sizeof(plaintext), param.oaep_ciphertext,
439 param.oaep_ciphertext_len, RSA_PKCS1_OAEP_PADDING));
440 EXPECT_EQ(Bytes(kPlaintext, kPlaintextLen), Bytes(plaintext, plaintext_len));
441
442 // Try decrypting corrupted ciphertexts.
443 OPENSSL_memcpy(ciphertext, param.oaep_ciphertext, param.oaep_ciphertext_len);
444 for (size_t i = 0; i < param.oaep_ciphertext_len; i++) {
445 SCOPED_TRACE(i);
446 ciphertext[i] ^= 1;
447 EXPECT_FALSE(RSA_decrypt(
448 key.get(), &plaintext_len, plaintext, sizeof(plaintext), ciphertext,
449 param.oaep_ciphertext_len, RSA_PKCS1_OAEP_PADDING));
450 ERR_clear_error();
451 ciphertext[i] ^= 1;
452 }
453
454 // Test truncated ciphertexts.
455 for (size_t len = 0; len < param.oaep_ciphertext_len; len++) {
456 SCOPED_TRACE(len);
457 EXPECT_FALSE(RSA_decrypt(key.get(), &plaintext_len, plaintext,
458 sizeof(plaintext), ciphertext, len,
459 RSA_PKCS1_OAEP_PADDING));
460 ERR_clear_error();
461 }
462 }
463
464 INSTANTIATE_TEST_SUITE_P(All, RSAEncryptTest,
465 testing::ValuesIn(kRSAEncryptParams));
466
TEST(RSATest,TestDecrypt)467 TEST(RSATest, TestDecrypt) {
468 bssl::UniquePtr<RSA> rsa(
469 RSA_private_key_from_bytes(kTwoPrimeKey, sizeof(kTwoPrimeKey) - 1));
470 ASSERT_TRUE(rsa);
471
472 EXPECT_TRUE(RSA_check_key(rsa.get()));
473
474 uint8_t out[256];
475 size_t out_len;
476 ASSERT_TRUE(RSA_decrypt(
477 rsa.get(), &out_len, out, sizeof(out), kTwoPrimeEncryptedMessage,
478 sizeof(kTwoPrimeEncryptedMessage), RSA_PKCS1_PADDING));
479 EXPECT_EQ(Bytes("hello world"), Bytes(out, out_len));
480 }
481
TEST(RSATest,CheckFIPS)482 TEST(RSATest, CheckFIPS) {
483 bssl::UniquePtr<RSA> rsa(
484 RSA_private_key_from_bytes(kFIPSKey, sizeof(kFIPSKey) - 1));
485 ASSERT_TRUE(rsa);
486 EXPECT_TRUE(RSA_check_fips(rsa.get()));
487
488 // Check that RSA_check_fips works on a public key.
489 bssl::UniquePtr<RSA> pub(
490 RSA_public_key_from_bytes(kFIPSPublicKey, sizeof(kFIPSPublicKey) - 1));
491 ASSERT_TRUE(pub);
492 EXPECT_TRUE(RSA_check_fips(pub.get()));
493 }
494
TEST(RSATest,GenerateFIPS)495 TEST(RSATest, GenerateFIPS) {
496 bssl::UniquePtr<RSA> rsa(RSA_new());
497 ASSERT_TRUE(rsa);
498
499 // RSA_generate_key_fips may only be used for 2048-bit and 3072-bit keys.
500 EXPECT_FALSE(RSA_generate_key_fips(rsa.get(), 512, nullptr));
501 EXPECT_FALSE(RSA_generate_key_fips(rsa.get(), 1024, nullptr));
502 EXPECT_FALSE(RSA_generate_key_fips(rsa.get(), 2047, nullptr));
503 EXPECT_FALSE(RSA_generate_key_fips(rsa.get(), 2049, nullptr));
504 EXPECT_FALSE(RSA_generate_key_fips(rsa.get(), 3071, nullptr));
505 EXPECT_FALSE(RSA_generate_key_fips(rsa.get(), 3073, nullptr));
506 EXPECT_FALSE(RSA_generate_key_fips(rsa.get(), 4096, nullptr));
507 ERR_clear_error();
508
509 // Test that we can generate 2048-bit and 3072-bit RSA keys.
510 ASSERT_TRUE(RSA_generate_key_fips(rsa.get(), 2048, nullptr));
511 EXPECT_EQ(2048u, BN_num_bits(rsa->n));
512
513 rsa.reset(RSA_new());
514 ASSERT_TRUE(rsa);
515 ASSERT_TRUE(RSA_generate_key_fips(rsa.get(), 3072, nullptr));
516 EXPECT_EQ(3072u, BN_num_bits(rsa->n));
517 }
518
TEST(RSATest,BadKey)519 TEST(RSATest, BadKey) {
520 bssl::UniquePtr<RSA> key(RSA_new());
521 bssl::UniquePtr<BIGNUM> e(BN_new());
522 ASSERT_TRUE(key);
523 ASSERT_TRUE(e);
524 ASSERT_TRUE(BN_set_word(e.get(), RSA_F4));
525
526 // Generate a bad key.
527 ASSERT_TRUE(RSA_generate_key_ex(key.get(), 512, e.get(), nullptr));
528 ASSERT_TRUE(BN_add(key->p, key->p, BN_value_one()));
529
530 // Bad keys are detected.
531 EXPECT_FALSE(RSA_check_key(key.get()));
532 EXPECT_FALSE(RSA_check_fips(key.get()));
533
534 // Bad keys may not be parsed.
535 uint8_t *der;
536 size_t der_len;
537 ASSERT_TRUE(RSA_private_key_to_bytes(&der, &der_len, key.get()));
538 bssl::UniquePtr<uint8_t> delete_der(der);
539 key.reset(RSA_private_key_from_bytes(der, der_len));
540 EXPECT_FALSE(key);
541 }
542
TEST(RSATest,OnlyDGiven)543 TEST(RSATest, OnlyDGiven) {
544 static const char kN[] =
545 "00e77bbf3889d4ef36a9a25d4d69f3f632eb4362214c74517da6d6aeaa9bd09ac42b2662"
546 "1cd88f3a6eb013772fc3bf9f83914b6467231c630202c35b3e5808c659";
547 static const char kE[] = "010001";
548 static const char kD[] =
549 "0365db9eb6d73b53b015c40cd8db4de7dd7035c68b5ac1bf786d7a4ee2cea316eaeca21a"
550 "73ac365e58713195f2ae9849348525ca855386b6d028e437a9495a01";
551
552 bssl::UniquePtr<RSA> key(RSA_new());
553 ASSERT_TRUE(key);
554 ASSERT_TRUE(BN_hex2bn(&key->n, kN));
555 ASSERT_TRUE(BN_hex2bn(&key->e, kE));
556 ASSERT_TRUE(BN_hex2bn(&key->d, kD));
557
558 // Keys with only n, e, and d are functional.
559 EXPECT_TRUE(RSA_check_key(key.get()));
560
561 const uint8_t kDummyHash[32] = {0};
562 uint8_t buf[64];
563 unsigned buf_len = sizeof(buf);
564 ASSERT_LE(RSA_size(key.get()), sizeof(buf));
565 EXPECT_TRUE(RSA_sign(NID_sha256, kDummyHash, sizeof(kDummyHash), buf,
566 &buf_len, key.get()));
567 EXPECT_TRUE(RSA_verify(NID_sha256, kDummyHash, sizeof(kDummyHash), buf,
568 buf_len, key.get()));
569
570 // Keys without the public exponent must continue to work when blinding is
571 // disabled to support Java's RSAPrivateKeySpec API. See
572 // https://bugs.chromium.org/p/boringssl/issues/detail?id=12.
573 bssl::UniquePtr<RSA> key2(RSA_new());
574 ASSERT_TRUE(key2);
575 ASSERT_TRUE(BN_hex2bn(&key2->n, kN));
576 ASSERT_TRUE(BN_hex2bn(&key2->d, kD));
577 key2->flags |= RSA_FLAG_NO_BLINDING;
578
579 ASSERT_LE(RSA_size(key2.get()), sizeof(buf));
580 EXPECT_TRUE(RSA_sign(NID_sha256, kDummyHash, sizeof(kDummyHash), buf,
581 &buf_len, key2.get()));
582
583 // Verify the signature with |key|. |key2| has no public exponent.
584 EXPECT_TRUE(RSA_verify(NID_sha256, kDummyHash, sizeof(kDummyHash), buf,
585 buf_len, key.get()));
586 }
587
TEST(RSATest,ASN1)588 TEST(RSATest, ASN1) {
589 // Test that private keys may be decoded.
590 bssl::UniquePtr<RSA> rsa(
591 RSA_private_key_from_bytes(kKey1, sizeof(kKey1) - 1));
592 ASSERT_TRUE(rsa);
593
594 // Test that the serialization round-trips.
595 uint8_t *der;
596 size_t der_len;
597 ASSERT_TRUE(RSA_private_key_to_bytes(&der, &der_len, rsa.get()));
598 bssl::UniquePtr<uint8_t> delete_der(der);
599 EXPECT_EQ(Bytes(kKey1, sizeof(kKey1) - 1), Bytes(der, der_len));
600
601 // Test that serializing public keys works.
602 ASSERT_TRUE(RSA_public_key_to_bytes(&der, &der_len, rsa.get()));
603 delete_der.reset(der);
604
605 // Public keys may be parsed back out.
606 rsa.reset(RSA_public_key_from_bytes(der, der_len));
607 ASSERT_TRUE(rsa);
608 EXPECT_FALSE(rsa->p);
609 EXPECT_FALSE(rsa->q);
610
611 // Serializing the result round-trips.
612 uint8_t *der2;
613 size_t der2_len;
614 ASSERT_TRUE(RSA_public_key_to_bytes(&der2, &der2_len, rsa.get()));
615 bssl::UniquePtr<uint8_t> delete_der2(der2);
616 EXPECT_EQ(Bytes(der, der_len), Bytes(der2, der2_len));
617
618 // Public keys cannot be serialized as private keys.
619 int ok = RSA_private_key_to_bytes(&der, &der_len, rsa.get());
620 if (ok) {
621 OPENSSL_free(der);
622 }
623 EXPECT_FALSE(ok);
624 ERR_clear_error();
625
626 // Public keys with negative moduli are invalid.
627 rsa.reset(RSA_public_key_from_bytes(kEstonianRSAKey,
628 sizeof(kEstonianRSAKey)));
629 EXPECT_FALSE(rsa);
630 ERR_clear_error();
631 }
632
TEST(RSATest,BadExponent)633 TEST(RSATest, BadExponent) {
634 bssl::UniquePtr<RSA> rsa(
635 RSA_public_key_from_bytes(kExponent1RSAKey, sizeof(kExponent1RSAKey)));
636 EXPECT_FALSE(rsa);
637 ERR_clear_error();
638 }
639
640 // Attempting to generate an excessively small key should fail.
TEST(RSATest,GenerateSmallKey)641 TEST(RSATest, GenerateSmallKey) {
642 bssl::UniquePtr<RSA> rsa(RSA_new());
643 ASSERT_TRUE(rsa);
644 bssl::UniquePtr<BIGNUM> e(BN_new());
645 ASSERT_TRUE(e);
646 ASSERT_TRUE(BN_set_word(e.get(), RSA_F4));
647
648 EXPECT_FALSE(RSA_generate_key_ex(rsa.get(), 255, e.get(), nullptr));
649 uint32_t err = ERR_get_error();
650 EXPECT_EQ(ERR_LIB_RSA, ERR_GET_LIB(err));
651 EXPECT_EQ(RSA_R_KEY_SIZE_TOO_SMALL, ERR_GET_REASON(err));
652 }
653
654 // Attempting to generate an funny RSA key length should round down.
TEST(RSATest,RoundKeyLengths)655 TEST(RSATest, RoundKeyLengths) {
656 bssl::UniquePtr<BIGNUM> e(BN_new());
657 ASSERT_TRUE(e);
658 ASSERT_TRUE(BN_set_word(e.get(), RSA_F4));
659
660 bssl::UniquePtr<RSA> rsa(RSA_new());
661 ASSERT_TRUE(rsa);
662 ASSERT_TRUE(RSA_generate_key_ex(rsa.get(), 1025, e.get(), nullptr));
663 EXPECT_EQ(1024u, BN_num_bits(rsa->n));
664
665 rsa.reset(RSA_new());
666 ASSERT_TRUE(rsa);
667 ASSERT_TRUE(RSA_generate_key_ex(rsa.get(), 1027, e.get(), nullptr));
668 EXPECT_EQ(1024u, BN_num_bits(rsa->n));
669
670 rsa.reset(RSA_new());
671 ASSERT_TRUE(rsa);
672 ASSERT_TRUE(RSA_generate_key_ex(rsa.get(), 1151, e.get(), nullptr));
673 EXPECT_EQ(1024u, BN_num_bits(rsa->n));
674
675 rsa.reset(RSA_new());
676 ASSERT_TRUE(rsa);
677 ASSERT_TRUE(RSA_generate_key_ex(rsa.get(), 1152, e.get(), nullptr));
678 EXPECT_EQ(1152u, BN_num_bits(rsa->n));
679 }
680
TEST(RSATest,BlindingDisabled)681 TEST(RSATest, BlindingDisabled) {
682 bssl::UniquePtr<RSA> rsa(
683 RSA_private_key_from_bytes(kTwoPrimeKey, sizeof(kTwoPrimeKey) - 1));
684 ASSERT_TRUE(rsa);
685
686 rsa->flags |= RSA_FLAG_NO_BLINDING;
687
688 uint8_t sig[256];
689 ASSERT_GE(sizeof(sig), RSA_size(rsa.get()));
690
691 static const uint8_t kZeros[32] = {0};
692 unsigned sig_len;
693 ASSERT_TRUE(
694 RSA_sign(NID_sha256, kZeros, sizeof(kZeros), sig, &sig_len, rsa.get()));
695 EXPECT_TRUE(
696 RSA_verify(NID_sha256, kZeros, sizeof(kZeros), sig, sig_len, rsa.get()));
697 }
698
699 // Test that decrypting with a public key fails gracefully rather than crashing.
TEST(RSATest,DecryptPublic)700 TEST(RSATest, DecryptPublic) {
701 bssl::UniquePtr<RSA> pub(
702 RSA_public_key_from_bytes(kFIPSPublicKey, sizeof(kFIPSPublicKey) - 1));
703 ASSERT_TRUE(pub);
704 ASSERT_EQ(1024u / 8u, RSA_size(pub.get()));
705
706 size_t len;
707 uint8_t in[1024 / 8] = {0}, out[1024 / 8];
708 EXPECT_FALSE(RSA_decrypt(pub.get(), &len, out, sizeof(out), in, sizeof(in),
709 RSA_PKCS1_PADDING));
710 uint32_t err = ERR_get_error();
711 EXPECT_EQ(ERR_LIB_RSA, ERR_GET_LIB(err));
712 EXPECT_EQ(RSA_R_VALUE_MISSING, ERR_GET_REASON(err));
713 }
714
TEST(RSATest,CheckKey)715 TEST(RSATest, CheckKey) {
716 static const char kN[] =
717 "b5a5651bc2e15ce31d789f0984053a2ea0cf8f964a78068c45acfdf078c57fd62d5a287c"
718 "32f3baa879f5dfea27d7a3077c9d3a2a728368c3d90164690c3d82f660ffebc7f13fed45"
719 "4eb5103df943c10dc32ec60b0d9b6e307bfd7f9b943e0dc3901e42501765365f7286eff2"
720 "f1f728774aa6a371e108a3a7dd00d7bcd4c1a186c2865d4b370ea38cc89c0b23b318dbca"
721 "fbd872b4f9b833dfb2a4ca7fcc23298020044e8130bfe930adfb3e5cab8d324547adf4b2"
722 "ce34d7cea4298f0b613d85f2bf1df03da44aee0784a1a20a15ee0c38a0f8e84962f1f61b"
723 "18bd43781c7385f3c2b8e2aebd3c560b4faad208ad3938bad27ddda9ed9e933dba088021"
724 "2dd9e28d";
725 static const char kE[] = "10001";
726 static const char kD[] =
727 "fb9c6afd9568ce5ddac8e6a32bb881eb6cdd962bbc639dce5805548bf0fec2214f18ffd3"
728 "6a50aa520cfe4477f9507d87355a24e3ff537f9f29ccffe5730b11896ebb9142982ed0df"
729 "9c32ba98dddab863f3e5aa764d16ebff4500d3ee11de12fabd7aeca83c7ffa5d242b3ddc"
730 "ecc64bcb5220996e79249a6d3f78975dfde769710569812dee59c0f56e4650d02a939d9c"
731 "853e2cba9b0c2447a8757951ae9a0336dfa64c3d5476df9b20f200cfb52e3fbd2d4e3f34"
732 "200b1171cbac367096f23366e74592025875efb6a7e3b1dd365abb0d86f34ee65ddbfa93"
733 "90460da0d346833d6aa6277c0216b20073ba2f18471549c309e82d12e10714d0e0dbf146"
734 "6fcd1f1";
735 static const char kP[] =
736 "edbe476fe8989f3966e72a20348ec6d8e924f44e1d9fa2c3485ea8a2ffd39f68574a5cef"
737 "ffbb92d6764789ac0f67149127239c2027fbc55b5268a1dac6588de44e614f3bdce00f0a"
738 "56d138800ad772d159a583c6548e37cadbfcf1b4ebfd50d01508986a516f36ed827b94ef"
739 "1f9b4e233bf5762b3a903d2dfbbbce1fba30e9f1";
740 static const char kQ[] =
741 "c398518790a166dbe50498f04940d14c87ded09313fb0f69f69255c688142802ba3d4f9e"
742 "f9425dadc462170635593c06a332cfc5fc9e6e1c05281950a5ce3bad4fd7cc83a38bd4ad"
743 "6865594275af424f47c64c04af1caab2e261e95b975097c887d587dc8150df34cbeccd7d"
744 "0688c392d9f1c617810043c9b93b884bf6ed465d";
745 static const char kDMP1[] =
746 "b44db5d1fa7e1d6ba44e36d59be6988a132f7294f7c484e543b27e84b82e9fdbbb2feb92"
747 "1cc9fe0fe63e54fc07e66e63b3623f5ae7d7fb124a4a8e4de4556eaf327e7c5ff3207e67"
748 "a1f624ba7efe6cd6b6fd5f160034a7bd92df9fd44d919d436260556f74793b181ff867b8"
749 "7ea9033697978e5a349d05b9250c86c3eb2a8391";
750 static const char kDMQ1[] =
751 "7c06d9240265264927a6cba80a7b4c7c9fe77d10d669abb38083f85a24adcb55376d6b50"
752 "9e34241cecdb5a483889f6132b672bf31aa607a242eed3669d4cf1f08b2186f0ae431bc0"
753 "3de38e3f234ad7dc57e1f9103b4e0d3bd36b4cc324671968322207bd9e4e7ecb06c888e0"
754 "cfc4e766f646665b3f14c0e7684ac4b98ec1948d";
755 static const char kIQMP[] =
756 "2887a5cb0c1bf6710e91c25da141dad92134a927431471c2d4a8b78036026d21182990e1"
757 "2c1d70635f07ee551383899365a69b33d4db23e5ff7371ff4244d2c3290ce2b91ac11adc"
758 "a54bb61ea5e64b9423102933ea100c12dad809fbf9589515e9d28e867f6b95c2d307f792"
759 "cac28c6d7d23f441cb5b62798233db29b5cc0348";
760
761 bssl::UniquePtr<RSA> rsa(RSA_new());
762 ASSERT_TRUE(rsa);
763
764 // Missing n or e does not pass.
765 ASSERT_TRUE(BN_hex2bn(&rsa->n, kN));
766 EXPECT_FALSE(RSA_check_key(rsa.get()));
767 ERR_clear_error();
768
769 BN_free(rsa->n);
770 rsa->n = nullptr;
771 ASSERT_TRUE(BN_hex2bn(&rsa->e, kE));
772 EXPECT_FALSE(RSA_check_key(rsa.get()));
773 ERR_clear_error();
774
775 // Public keys pass.
776 ASSERT_TRUE(BN_hex2bn(&rsa->n, kN));
777 EXPECT_TRUE(RSA_check_key(rsa.get()));
778
779 // Configuring d also passes.
780 ASSERT_TRUE(BN_hex2bn(&rsa->d, kD));
781 EXPECT_TRUE(RSA_check_key(rsa.get()));
782
783 // p and q must be provided together.
784 ASSERT_TRUE(BN_hex2bn(&rsa->p, kP));
785 EXPECT_FALSE(RSA_check_key(rsa.get()));
786 ERR_clear_error();
787
788 BN_free(rsa->p);
789 rsa->p = nullptr;
790 ASSERT_TRUE(BN_hex2bn(&rsa->q, kQ));
791 EXPECT_FALSE(RSA_check_key(rsa.get()));
792 ERR_clear_error();
793
794 // Supplying p and q without CRT parameters passes.
795 ASSERT_TRUE(BN_hex2bn(&rsa->p, kP));
796 EXPECT_TRUE(RSA_check_key(rsa.get()));
797
798 // With p and q together, it is sufficient to check d against e.
799 ASSERT_TRUE(BN_add_word(rsa->d, 1));
800 EXPECT_FALSE(RSA_check_key(rsa.get()));
801 ERR_clear_error();
802
803 // Test another invalid d. p-1 is divisible by 3, so there is no valid value
804 // of d here if e = 111. Set d to what extended GCD would have given if it
805 // forgot to check the inverse existed.
806 static const char kDBogus[] =
807 "140be923edb928cf4340a08ada19f23da680ff20275a81e033825ee8605afc3bf6039b87"
808 "f0ddc7ea3b95f214a6fdda1064d0c66b50ac7bfe8cfe6c85d3cd217ae6f5094cd72a39e5"
809 "a17a9ce43eae1ba5d7d8c3fb743d8cbcb3bcd74edd0b75fcca23a0b00bcea119864c0243"
810 "bf9ab32b25a4d73a1e062482f538055bc2258369353647d4325aec7a28dc1a6798e85fae"
811 "85850558868468d60015927cb10b2a893e23aa16b1f9278d4413f64d0a3122218f9000ae"
812 "cd8743b8e9e50bd9de81eebc4e0230d1f4f7bffc1e6f903606afba9ee694c2b40022f171"
813 "a760e7c63e736e31d7c7ff8b77dc206c2a3aa5afd540073060ebb9050bddce1ff1917630"
814 "47fff51d";
815 ASSERT_TRUE(BN_set_word(rsa->e, 111));
816 ASSERT_TRUE(BN_hex2bn(&rsa->d, kDBogus));
817 EXPECT_FALSE(RSA_check_key(rsa.get()));
818 ERR_clear_error();
819 ASSERT_TRUE(BN_hex2bn(&rsa->e, kE));
820
821 // d computed via the Euler totient rather than the Carmichael totient is also
822 // acceptable.
823 static const char kDEuler[] =
824 "3d231ff6ca0ee41ea50ab62c93bcd6aa5f01bd484e643b7ff6eb94c4dd414c17a0481a1c"
825 "4361f94f3f4d5c42098af09a527cf0d8dc96122ae8dd29189a4011d62f2bb40625d2e85f"
826 "4d706fb90c2e9bc9b00a0c2a28384a4c134f6d25c62d64a08fdf3f5e89a14d3daee46fda"
827 "8b4a2eda87cbb2735fd47290cb37bf65150edef854a28927ce5ac36d36107711cffb8ac3"
828 "2b090e409bb822b117744a9aabf878b8b1998d406337ec24cee3877795061c67322ac626"
829 "6c675a2cefe0f85f06b4d24eb6ad8e3fae7f218f5bd8ff2fb8bf8176d8527b0dfdaf8490"
830 "8f9bfaf3f37dcf8aa0211311bac07b1a478c3ed8a6369e5d5fc42b2afa93f5de8f520981"
831 "c62bbe81";
832 ASSERT_TRUE(BN_hex2bn(&rsa->d, kDEuler));
833 EXPECT_TRUE(RSA_check_key(rsa.get()));
834
835 // If d is completely out of range but otherwise valid, it is rejected.
836 static const char kDTooLarge[] =
837 "f2c885128cf04101c283553617c210d8ffd14cde98dc420c3c9892b55606cbedcda24298"
838 "7655b3f7b9433c2c316293a1cf1a2b034f197aeec1de8d81a67d94cc902b9fce1712d5a4"
839 "9c257ff705725cd77338d23535d3b87c8f4cecc15a6b72641ffd81aea106839d216b5fcd"
840 "7d415751d27255e540dd1638a8389721e9d0807d65d24d7b8c2f60e4b2c0bf250544ce68"
841 "b5ddbc1463d5a4638b2816b0f033dacdc0162f329af9e4d142352521fbd2fe14af824ef3"
842 "1601fe843c79cc3efbcb8eafd79262bdd25e2bdf21440f774e26d88ed7df938c5cf6982d"
843 "e9fa635b8ca36ce5c5fbd579a53cbb0348ceae752d4bc5621c5acc922ca2082494633337"
844 "42e770c1";
845 ASSERT_TRUE(BN_hex2bn(&rsa->d, kDTooLarge));
846 EXPECT_FALSE(RSA_check_key(rsa.get()));
847 ERR_clear_error();
848 ASSERT_TRUE(BN_hex2bn(&rsa->d, kD));
849
850 // CRT value must either all be provided or all missing.
851 ASSERT_TRUE(BN_hex2bn(&rsa->dmp1, kDMP1));
852 EXPECT_FALSE(RSA_check_key(rsa.get()));
853 ERR_clear_error();
854 BN_free(rsa->dmp1);
855 rsa->dmp1 = nullptr;
856
857 ASSERT_TRUE(BN_hex2bn(&rsa->dmq1, kDMQ1));
858 EXPECT_FALSE(RSA_check_key(rsa.get()));
859 ERR_clear_error();
860 BN_free(rsa->dmq1);
861 rsa->dmq1 = nullptr;
862
863 ASSERT_TRUE(BN_hex2bn(&rsa->iqmp, kIQMP));
864 EXPECT_FALSE(RSA_check_key(rsa.get()));
865 ERR_clear_error();
866
867 // The full key is accepted.
868 ASSERT_TRUE(BN_hex2bn(&rsa->dmp1, kDMP1));
869 ASSERT_TRUE(BN_hex2bn(&rsa->dmq1, kDMQ1));
870 EXPECT_TRUE(RSA_check_key(rsa.get()));
871
872 // Incorrect CRT values are rejected.
873 ASSERT_TRUE(BN_add_word(rsa->dmp1, 1));
874 EXPECT_FALSE(RSA_check_key(rsa.get()));
875 ERR_clear_error();
876 ASSERT_TRUE(BN_sub_word(rsa->dmp1, 1));
877
878 ASSERT_TRUE(BN_add_word(rsa->dmq1, 1));
879 EXPECT_FALSE(RSA_check_key(rsa.get()));
880 ERR_clear_error();
881 ASSERT_TRUE(BN_sub_word(rsa->dmq1, 1));
882
883 ASSERT_TRUE(BN_add_word(rsa->iqmp, 1));
884 EXPECT_FALSE(RSA_check_key(rsa.get()));
885 ERR_clear_error();
886 ASSERT_TRUE(BN_sub_word(rsa->iqmp, 1));
887
888 // Non-reduced CRT values are rejected.
889 ASSERT_TRUE(BN_add(rsa->dmp1, rsa->dmp1, rsa->p));
890 EXPECT_FALSE(RSA_check_key(rsa.get()));
891 ERR_clear_error();
892 ASSERT_TRUE(BN_sub(rsa->dmp1, rsa->dmp1, rsa->p));
893
894 ASSERT_TRUE(BN_add(rsa->dmq1, rsa->dmq1, rsa->q));
895 EXPECT_FALSE(RSA_check_key(rsa.get()));
896 ERR_clear_error();
897 ASSERT_TRUE(BN_sub(rsa->dmq1, rsa->dmq1, rsa->q));
898
899 ASSERT_TRUE(BN_add(rsa->iqmp, rsa->iqmp, rsa->p));
900 EXPECT_FALSE(RSA_check_key(rsa.get()));
901 ERR_clear_error();
902 ASSERT_TRUE(BN_sub(rsa->iqmp, rsa->iqmp, rsa->p));
903 }
904
TEST(RSATest,KeygenFail)905 TEST(RSATest, KeygenFail) {
906 bssl::UniquePtr<RSA> rsa(RSA_new());
907 ASSERT_TRUE(rsa);
908
909 // Cause RSA key generation after a prime has been generated, to test that
910 // |rsa| is left alone.
911 BN_GENCB cb;
912 BN_GENCB_set(&cb,
913 [](int event, int, BN_GENCB *) -> int { return event != 3; },
914 nullptr);
915
916 bssl::UniquePtr<BIGNUM> e(BN_new());
917 ASSERT_TRUE(e);
918 ASSERT_TRUE(BN_set_word(e.get(), RSA_F4));
919
920 // Key generation should fail.
921 EXPECT_FALSE(RSA_generate_key_ex(rsa.get(), 2048, e.get(), &cb));
922
923 // Failed key generations do not leave garbage in |rsa|.
924 EXPECT_FALSE(rsa->n);
925 EXPECT_FALSE(rsa->e);
926 EXPECT_FALSE(rsa->d);
927 EXPECT_FALSE(rsa->p);
928 EXPECT_FALSE(rsa->q);
929 EXPECT_FALSE(rsa->dmp1);
930 EXPECT_FALSE(rsa->dmq1);
931 EXPECT_FALSE(rsa->iqmp);
932 EXPECT_FALSE(rsa->mont_n);
933 EXPECT_FALSE(rsa->mont_p);
934 EXPECT_FALSE(rsa->mont_q);
935 EXPECT_FALSE(rsa->d_fixed);
936 EXPECT_FALSE(rsa->dmp1_fixed);
937 EXPECT_FALSE(rsa->dmq1_fixed);
938 EXPECT_FALSE(rsa->inv_small_mod_large_mont);
939 EXPECT_FALSE(rsa->private_key_frozen);
940
941 // Failed key generations leave the previous contents alone.
942 EXPECT_TRUE(RSA_generate_key_ex(rsa.get(), 2048, e.get(), nullptr));
943 uint8_t *der;
944 size_t der_len;
945 ASSERT_TRUE(RSA_private_key_to_bytes(&der, &der_len, rsa.get()));
946 bssl::UniquePtr<uint8_t> delete_der(der);
947
948 EXPECT_FALSE(RSA_generate_key_ex(rsa.get(), 2048, e.get(), &cb));
949
950 uint8_t *der2;
951 size_t der2_len;
952 ASSERT_TRUE(RSA_private_key_to_bytes(&der2, &der2_len, rsa.get()));
953 bssl::UniquePtr<uint8_t> delete_der2(der2);
954 EXPECT_EQ(Bytes(der, der_len), Bytes(der2, der2_len));
955
956 // Generating a key over an existing key works, despite any cached state.
957 EXPECT_TRUE(RSA_generate_key_ex(rsa.get(), 2048, e.get(), nullptr));
958 EXPECT_TRUE(RSA_check_key(rsa.get()));
959 uint8_t *der3;
960 size_t der3_len;
961 ASSERT_TRUE(RSA_private_key_to_bytes(&der3, &der3_len, rsa.get()));
962 bssl::UniquePtr<uint8_t> delete_der3(der3);
963 EXPECT_NE(Bytes(der, der_len), Bytes(der3, der3_len));
964 }
965
TEST(RSATest,KeygenFailOnce)966 TEST(RSATest, KeygenFailOnce) {
967 bssl::UniquePtr<RSA> rsa(RSA_new());
968 ASSERT_TRUE(rsa);
969
970 // Cause only the first iteration of RSA key generation to fail.
971 bool failed = false;
972 BN_GENCB cb;
973 BN_GENCB_set(&cb,
974 [](int event, int n, BN_GENCB *cb_ptr) -> int {
975 bool *failed_ptr = static_cast<bool *>(cb_ptr->arg);
976 if (*failed_ptr) {
977 ADD_FAILURE() << "Callback called multiple times.";
978 return 1;
979 }
980 *failed_ptr = true;
981 return 0;
982 },
983 &failed);
984
985 // Although key generation internally retries, the external behavior of
986 // |BN_GENCB| is preserved.
987 bssl::UniquePtr<BIGNUM> e(BN_new());
988 ASSERT_TRUE(e);
989 ASSERT_TRUE(BN_set_word(e.get(), RSA_F4));
990 EXPECT_FALSE(RSA_generate_key_ex(rsa.get(), 2048, e.get(), &cb));
991 }
992
TEST(RSATest,KeygenInternalRetry)993 TEST(RSATest, KeygenInternalRetry) {
994 bssl::UniquePtr<RSA> rsa(RSA_new());
995 ASSERT_TRUE(rsa);
996
997 // Simulate one internal attempt at key generation failing.
998 bool failed = false;
999 BN_GENCB cb;
1000 BN_GENCB_set(&cb,
1001 [](int event, int n, BN_GENCB *cb_ptr) -> int {
1002 bool *failed_ptr = static_cast<bool *>(cb_ptr->arg);
1003 if (*failed_ptr) {
1004 return 1;
1005 }
1006 *failed_ptr = true;
1007 // This test does not test any public API behavior. It is just
1008 // a hack to exercise the retry codepath and make sure it
1009 // works.
1010 OPENSSL_PUT_ERROR(RSA, RSA_R_TOO_MANY_ITERATIONS);
1011 return 0;
1012 },
1013 &failed);
1014
1015 // Key generation internally retries on RSA_R_TOO_MANY_ITERATIONS.
1016 bssl::UniquePtr<BIGNUM> e(BN_new());
1017 ASSERT_TRUE(e);
1018 ASSERT_TRUE(BN_set_word(e.get(), RSA_F4));
1019 EXPECT_TRUE(RSA_generate_key_ex(rsa.get(), 2048, e.get(), &cb));
1020 }
1021
1022 #if !defined(BORINGSSL_SHARED_LIBRARY)
TEST(RSATest,SqrtTwo)1023 TEST(RSATest, SqrtTwo) {
1024 bssl::UniquePtr<BIGNUM> sqrt(BN_new()), pow2(BN_new());
1025 bssl::UniquePtr<BN_CTX> ctx(BN_CTX_new());
1026 ASSERT_TRUE(sqrt);
1027 ASSERT_TRUE(pow2);
1028 ASSERT_TRUE(ctx);
1029
1030 size_t bits = kBoringSSLRSASqrtTwoLen * BN_BITS2;
1031 ASSERT_TRUE(BN_one(pow2.get()));
1032 ASSERT_TRUE(BN_lshift(pow2.get(), pow2.get(), 2 * bits - 1));
1033
1034 // Check that sqrt² < pow2.
1035 ASSERT_TRUE(
1036 bn_set_words(sqrt.get(), kBoringSSLRSASqrtTwo, kBoringSSLRSASqrtTwoLen));
1037 ASSERT_TRUE(BN_sqr(sqrt.get(), sqrt.get(), ctx.get()));
1038 EXPECT_LT(BN_cmp(sqrt.get(), pow2.get()), 0);
1039
1040 // Check that pow2 < (sqrt + 1)².
1041 ASSERT_TRUE(
1042 bn_set_words(sqrt.get(), kBoringSSLRSASqrtTwo, kBoringSSLRSASqrtTwoLen));
1043 ASSERT_TRUE(BN_add_word(sqrt.get(), 1));
1044 ASSERT_TRUE(BN_sqr(sqrt.get(), sqrt.get(), ctx.get()));
1045 EXPECT_LT(BN_cmp(pow2.get(), sqrt.get()), 0);
1046
1047 // Check the kBoringSSLRSASqrtTwo is sized for a 3072-bit RSA key.
1048 EXPECT_EQ(3072u / 2u, bits);
1049 }
1050 #endif // !BORINGSSL_SHARED_LIBRARY
1051
1052 #if defined(OPENSSL_THREADS)
TEST(RSATest,Threads)1053 TEST(RSATest, Threads) {
1054 bssl::UniquePtr<RSA> rsa_template(
1055 RSA_private_key_from_bytes(kKey1, sizeof(kKey1) - 1));
1056 ASSERT_TRUE(rsa_template);
1057
1058 const uint8_t kDummyHash[32] = {0};
1059 uint8_t sig[256];
1060 unsigned sig_len = sizeof(sig);
1061 ASSERT_LE(RSA_size(rsa_template.get()), sizeof(sig));
1062 EXPECT_TRUE(RSA_sign(NID_sha256, kDummyHash, sizeof(kDummyHash), sig,
1063 &sig_len, rsa_template.get()));
1064
1065 // RSA keys may be assembled piece-meal and then used in parallel between
1066 // threads, which requires internal locking to create some derived properties.
1067 bssl::UniquePtr<RSA> rsa(RSA_new());
1068 rsa->n = BN_dup(rsa_template->n);
1069 ASSERT_TRUE(rsa->n);
1070 rsa->e = BN_dup(rsa_template->e);
1071 ASSERT_TRUE(rsa->e);
1072 rsa->d = BN_dup(rsa_template->d);
1073 ASSERT_TRUE(rsa->d);
1074 rsa->p = BN_dup(rsa_template->p);
1075 ASSERT_TRUE(rsa->p);
1076 rsa->q = BN_dup(rsa_template->q);
1077 ASSERT_TRUE(rsa->q);
1078 rsa->dmp1 = BN_dup(rsa_template->dmp1);
1079 ASSERT_TRUE(rsa->dmp1);
1080 rsa->dmq1 = BN_dup(rsa_template->dmq1);
1081 ASSERT_TRUE(rsa->dmq1);
1082 rsa->iqmp = BN_dup(rsa_template->iqmp);
1083 ASSERT_TRUE(rsa->iqmp);
1084
1085 // Each of these operations must be safe to do concurrently on different
1086 // threads.
1087 auto raw_access = [&] { EXPECT_EQ(0, BN_cmp(rsa->d, rsa_template->d)); };
1088 auto getter = [&] {
1089 const BIGNUM *d;
1090 RSA_get0_key(rsa.get(), nullptr, nullptr, &d);
1091 EXPECT_EQ(0, BN_cmp(d, rsa_template->d));
1092 };
1093 auto sign = [&] {
1094 uint8_t sig2[256];
1095 unsigned sig2_len = sizeof(sig2);
1096 ASSERT_LE(RSA_size(rsa.get()), sizeof(sig2));
1097 EXPECT_TRUE(RSA_sign(NID_sha256, kDummyHash, sizeof(kDummyHash), sig2,
1098 &sig2_len, rsa.get()));
1099 // RSASSA-PKCS1-v1_5 is deterministic.
1100 EXPECT_EQ(Bytes(sig, sig_len), Bytes(sig2, sig2_len));
1101 };
1102 auto verify = [&] {
1103 EXPECT_TRUE(RSA_verify(NID_sha256, kDummyHash, sizeof(kDummyHash), sig,
1104 sig_len, rsa.get()));
1105 };
1106
1107 std::vector<std::thread> threads;
1108 threads.emplace_back(raw_access);
1109 threads.emplace_back(raw_access);
1110 threads.emplace_back(getter);
1111 threads.emplace_back(getter);
1112 threads.emplace_back(sign);
1113 threads.emplace_back(sign);
1114 threads.emplace_back(verify);
1115 threads.emplace_back(verify);
1116 for (auto &thread : threads) {
1117 thread.join();
1118 }
1119 }
1120 #endif
1121