1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.] */
56
57 #include <openssl/rsa.h>
58
59 #include <stdlib.h>
60 #include <string.h>
61
62 #include <gtest/gtest.h>
63
64 #include <openssl/bn.h>
65 #include <openssl/bytestring.h>
66 #include <openssl/crypto.h>
67 #include <openssl/digest.h>
68 #include <openssl/err.h>
69 #include <openssl/nid.h>
70
71 #include "../fipsmodule/bn/internal.h"
72 #include "../fipsmodule/rsa/internal.h"
73 #include "../internal.h"
74 #include "../test/test_util.h"
75
76 #if defined(OPENSSL_THREADS)
77 #include <thread>
78 #include <vector>
79 #endif
80
81
82 // kPlaintext is a sample plaintext.
83 static const uint8_t kPlaintext[] = {0x54, 0x85, 0x9b, 0x34,
84 0x2c, 0x49, 0xea, 0x2a};
85
86
87 // kKey1 is a DER-encoded 1024-bit RSAPrivateKey with e = 65537.
88 static const uint8_t kKey1[] = {
89 0x30, 0x82, 0x02, 0x5c, 0x02, 0x01, 0x00, 0x02, 0x81, 0x81, 0x00, 0xa1,
90 0x71, 0x90, 0x77, 0x86, 0x8a, 0xc7, 0xb8, 0xfc, 0x2a, 0x45, 0x82, 0x6d,
91 0xee, 0xeb, 0x35, 0x3a, 0x18, 0x3f, 0xb6, 0xb0, 0x1e, 0xb1, 0xd3, 0x09,
92 0x6b, 0x05, 0x4d, 0xec, 0x1c, 0x37, 0x6f, 0x09, 0x31, 0x32, 0xda, 0x21,
93 0x8a, 0x49, 0x0e, 0x16, 0x28, 0xed, 0x9a, 0x30, 0xf3, 0x14, 0x53, 0xfd,
94 0x5b, 0xb0, 0xf6, 0x4a, 0x5d, 0x52, 0xe1, 0xda, 0xe1, 0x40, 0x6e, 0x65,
95 0xbf, 0xca, 0x45, 0xd9, 0x62, 0x96, 0x4a, 0x1e, 0x11, 0xc4, 0x61, 0x83,
96 0x1f, 0x58, 0x8d, 0x5e, 0xd0, 0x12, 0xaf, 0xa5, 0xec, 0x9b, 0x97, 0x2f,
97 0x6c, 0xb2, 0x82, 0x4a, 0x73, 0xd0, 0xd3, 0x9a, 0xc9, 0x69, 0x6b, 0x24,
98 0x3c, 0x82, 0x6f, 0xee, 0x4d, 0x0c, 0x7e, 0xdf, 0xd7, 0xae, 0xea, 0x3a,
99 0xeb, 0x04, 0x27, 0x8d, 0x43, 0x81, 0x59, 0xa7, 0x90, 0x56, 0xc1, 0x69,
100 0x42, 0xb3, 0xaf, 0x1c, 0x8d, 0x4e, 0xbf, 0x02, 0x03, 0x01, 0x00, 0x01,
101 0x02, 0x81, 0x80, 0x60, 0x82, 0xcd, 0x44, 0x46, 0xcf, 0xeb, 0xf9, 0x6f,
102 0xf5, 0xad, 0x3b, 0xfd, 0x90, 0x18, 0x57, 0xe7, 0x74, 0xdb, 0x91, 0xd0,
103 0xd3, 0x68, 0xa6, 0xaa, 0x38, 0xaa, 0x21, 0x1d, 0x06, 0xf9, 0x34, 0x8d,
104 0xa0, 0x35, 0xb0, 0x24, 0xe0, 0xd0, 0x2f, 0x75, 0x9b, 0xdd, 0xfe, 0x91,
105 0x48, 0x9f, 0x5c, 0x5e, 0x57, 0x54, 0x00, 0xc8, 0x0f, 0xe6, 0x1e, 0x52,
106 0x84, 0xd9, 0xc9, 0xa5, 0x55, 0xf4, 0x0a, 0xbe, 0x88, 0x46, 0x7a, 0xfb,
107 0x18, 0x37, 0x8e, 0xe6, 0x6e, 0xa2, 0x5f, 0x80, 0x48, 0x34, 0x3f, 0x5c,
108 0xbe, 0x0e, 0x1e, 0xe8, 0x2f, 0x50, 0xba, 0x14, 0x96, 0x3c, 0xea, 0xfb,
109 0xd2, 0x49, 0x33, 0xdc, 0x12, 0xb8, 0xa7, 0x8a, 0xb5, 0x27, 0xf9, 0x00,
110 0x4b, 0xf5, 0xd2, 0x2a, 0xd0, 0x2c, 0x1d, 0x9b, 0xd5, 0x6c, 0x3e, 0x4b,
111 0xb9, 0x7e, 0x39, 0xf7, 0x3e, 0x39, 0xc9, 0x47, 0x5e, 0xbe, 0x91, 0x02,
112 0x41, 0x00, 0xcd, 0x33, 0xcf, 0x37, 0x01, 0xd7, 0x59, 0xcc, 0xbe, 0xa0,
113 0x1c, 0xb9, 0xf5, 0xe7, 0x44, 0x9f, 0x62, 0x91, 0xa7, 0xa7, 0x7b, 0x0c,
114 0x52, 0xcd, 0x7e, 0xe6, 0x31, 0x11, 0x8b, 0xd8, 0x2c, 0x8a, 0x63, 0xe1,
115 0x07, 0xc9, 0xcb, 0xce, 0x01, 0x45, 0x63, 0xf5, 0x5d, 0x44, 0xfb, 0xeb,
116 0x8d, 0x74, 0x16, 0x20, 0x7d, 0x3b, 0xb4, 0xa1, 0x61, 0xb0, 0xa8, 0x29,
117 0x51, 0xc9, 0xef, 0xb6, 0xa1, 0xd5, 0x02, 0x41, 0x00, 0xc9, 0x68, 0xa6,
118 0xd3, 0x88, 0xd5, 0x49, 0x9d, 0x6b, 0x44, 0x96, 0xfd, 0xbf, 0x66, 0x27,
119 0xb4, 0x1f, 0x90, 0x76, 0x86, 0x2f, 0xe2, 0xce, 0x20, 0x5d, 0xee, 0x9b,
120 0xeb, 0xc4, 0xb4, 0x62, 0x47, 0x79, 0x99, 0xb1, 0x99, 0xbc, 0xa2, 0xa6,
121 0xb6, 0x96, 0x64, 0xd5, 0x77, 0x9b, 0x45, 0xd4, 0xf0, 0x99, 0xb5, 0x9e,
122 0x61, 0x4d, 0xf5, 0x12, 0xdd, 0x84, 0x14, 0xaf, 0x1e, 0xdd, 0x83, 0x24,
123 0x43, 0x02, 0x40, 0x60, 0x29, 0x7f, 0x59, 0xcf, 0xcb, 0x13, 0x92, 0x17,
124 0x63, 0x01, 0x13, 0x44, 0x61, 0x74, 0x8f, 0x1c, 0xaa, 0x15, 0x5f, 0x2f,
125 0x12, 0xbf, 0x5a, 0xfd, 0xb4, 0xf2, 0x19, 0xbe, 0xe7, 0x37, 0x38, 0x43,
126 0x46, 0x19, 0x58, 0x3f, 0xe1, 0xf2, 0x46, 0x8a, 0x69, 0x59, 0xa4, 0x12,
127 0x4a, 0x78, 0xa7, 0x86, 0x17, 0x03, 0x99, 0x0f, 0x34, 0xf1, 0x8a, 0xcf,
128 0xc3, 0x4d, 0x48, 0xcc, 0xc5, 0x51, 0x61, 0x02, 0x41, 0x00, 0xc2, 0x12,
129 0xb3, 0x5d, 0xf5, 0xe5, 0xff, 0xcf, 0x4e, 0x43, 0x83, 0x72, 0xf2, 0xf1,
130 0x4e, 0xa4, 0xc4, 0x1d, 0x81, 0xf7, 0xff, 0x40, 0x7e, 0xfa, 0xb5, 0x48,
131 0x6c, 0xba, 0x1c, 0x8a, 0xec, 0x80, 0x8e, 0xed, 0xc8, 0x32, 0xa9, 0x8f,
132 0xd9, 0x30, 0xeb, 0x6e, 0x32, 0x3b, 0xd4, 0x44, 0xcf, 0xd1, 0x1f, 0x6b,
133 0xe0, 0x37, 0x46, 0xd5, 0x35, 0xde, 0x79, 0x9d, 0x2c, 0xb9, 0x83, 0x1d,
134 0x10, 0xdd, 0x02, 0x40, 0x0f, 0x14, 0x95, 0x96, 0xa0, 0xe2, 0x6c, 0xd4,
135 0x88, 0xa7, 0x0b, 0x82, 0x14, 0x10, 0xad, 0x26, 0x0d, 0xe4, 0xa1, 0x5e,
136 0x01, 0x3d, 0x21, 0xd2, 0xfb, 0x0e, 0xf9, 0x58, 0xa5, 0xca, 0x1e, 0x21,
137 0xb3, 0xf5, 0x9a, 0x6c, 0x3d, 0x5a, 0x72, 0xb1, 0x2d, 0xfe, 0xac, 0x09,
138 0x4f, 0xdd, 0xe5, 0x44, 0xd1, 0x4e, 0xf8, 0x59, 0x85, 0x3a, 0x65, 0xe2,
139 0xcd, 0xbc, 0x27, 0x1d, 0x9b, 0x48, 0x9f, 0xb9};
140
141 static const uint8_t kKey1Public[] = {
142 0x30, 0x81, 0x89, 0x02, 0x81, 0x81, 0x00, 0xa1, 0x71, 0x90, 0x77, 0x86,
143 0x8a, 0xc7, 0xb8, 0xfc, 0x2a, 0x45, 0x82, 0x6d, 0xee, 0xeb, 0x35, 0x3a,
144 0x18, 0x3f, 0xb6, 0xb0, 0x1e, 0xb1, 0xd3, 0x09, 0x6b, 0x05, 0x4d, 0xec,
145 0x1c, 0x37, 0x6f, 0x09, 0x31, 0x32, 0xda, 0x21, 0x8a, 0x49, 0x0e, 0x16,
146 0x28, 0xed, 0x9a, 0x30, 0xf3, 0x14, 0x53, 0xfd, 0x5b, 0xb0, 0xf6, 0x4a,
147 0x5d, 0x52, 0xe1, 0xda, 0xe1, 0x40, 0x6e, 0x65, 0xbf, 0xca, 0x45, 0xd9,
148 0x62, 0x96, 0x4a, 0x1e, 0x11, 0xc4, 0x61, 0x83, 0x1f, 0x58, 0x8d, 0x5e,
149 0xd0, 0x12, 0xaf, 0xa5, 0xec, 0x9b, 0x97, 0x2f, 0x6c, 0xb2, 0x82, 0x4a,
150 0x73, 0xd0, 0xd3, 0x9a, 0xc9, 0x69, 0x6b, 0x24, 0x3c, 0x82, 0x6f, 0xee,
151 0x4d, 0x0c, 0x7e, 0xdf, 0xd7, 0xae, 0xea, 0x3a, 0xeb, 0x04, 0x27, 0x8d,
152 0x43, 0x81, 0x59, 0xa7, 0x90, 0x56, 0xc1, 0x69, 0x42, 0xb3, 0xaf, 0x1c,
153 0x8d, 0x4e, 0xbf, 0x02, 0x03, 0x01, 0x00, 0x01};
154
155 // kOAEPCiphertext1 is a sample encryption of |kPlaintext| with |kKey1| using
156 // RSA OAEP, SHA-1, and no label. It was generated with:
157 //
158 // clang-format off
159 // openssl pkeyutl -encrypt -inkey key1.pem -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha1 -in plaintext | xxd -i
160 // clang-format on
161 static const uint8_t kOAEPCiphertext1[] = {
162 0x53, 0xa3, 0x0e, 0xc7, 0x95, 0x52, 0x80, 0x6f, 0x9d, 0x4c, 0xd2, 0x87,
163 0xa0, 0x5d, 0x4b, 0xee, 0x78, 0x7d, 0xaa, 0x2a, 0xf6, 0x48, 0x5e, 0x83,
164 0xb4, 0xc7, 0xd5, 0x82, 0xa7, 0xe9, 0x3e, 0x4c, 0x54, 0xa0, 0x1e, 0x5f,
165 0x49, 0x17, 0x26, 0x36, 0x37, 0x22, 0x09, 0xe8, 0xde, 0x8d, 0x51, 0x49,
166 0x0b, 0x34, 0x27, 0x30, 0x1f, 0x12, 0xbd, 0xf4, 0x2f, 0xed, 0x9e, 0xcf,
167 0x9e, 0xda, 0x41, 0x69, 0xf7, 0x86, 0x64, 0xfc, 0x7d, 0x0a, 0x4b, 0x28,
168 0x28, 0x9e, 0x38, 0x97, 0xae, 0x01, 0x86, 0xbe, 0xb0, 0x92, 0xfd, 0xa0,
169 0x5c, 0x75, 0xaf, 0x01, 0x88, 0xf7, 0x24, 0xa8, 0xcd, 0x44, 0x3c, 0x13,
170 0x42, 0xf7, 0x03, 0x9b, 0x88, 0x1c, 0x65, 0xf4, 0x83, 0xba, 0xc8, 0x10,
171 0xe2, 0x9a, 0x37, 0x79, 0x77, 0xef, 0x20, 0x3d, 0x2d, 0xa4, 0xe5, 0x3e,
172 0xd4, 0x18, 0x3e, 0x12, 0xc1, 0xc3, 0x68, 0x65};
173
174 // kKey2 is a 2048-bit RSA private key, with e = 3.
175 static const uint8_t kKey2[] = {
176 0x30, 0x82, 0x04, 0xa1, 0x02, 0x01, 0x00, 0x02, 0x82, 0x01, 0x01, 0x00,
177 0x93, 0x3a, 0x4f, 0xc9, 0x6a, 0x0a, 0x6b, 0x28, 0x04, 0xfa, 0xb7, 0x05,
178 0x56, 0xdf, 0xa0, 0xaa, 0x4f, 0xaa, 0xab, 0x94, 0xa0, 0xa9, 0x25, 0xef,
179 0xc5, 0x96, 0xd2, 0xd4, 0x66, 0x16, 0x62, 0x2c, 0x13, 0x7b, 0x91, 0xd0,
180 0x36, 0x0a, 0x10, 0x11, 0x6d, 0x7a, 0x91, 0xb6, 0xe4, 0x74, 0x57, 0xc1,
181 0x3d, 0x7a, 0xbe, 0x24, 0x05, 0x3a, 0x04, 0x0b, 0x73, 0x91, 0x53, 0xb1,
182 0x74, 0x10, 0xe1, 0x87, 0xdc, 0x91, 0x28, 0x9c, 0x1e, 0xe5, 0xf2, 0xb9,
183 0xfc, 0xa2, 0x48, 0x34, 0xb6, 0x78, 0xed, 0x6d, 0x95, 0xfb, 0xf2, 0xc0,
184 0x4e, 0x1c, 0xa4, 0x15, 0x00, 0x3c, 0x8a, 0x68, 0x2b, 0xd6, 0xce, 0xd5,
185 0xb3, 0x9f, 0x66, 0x02, 0xa7, 0x0d, 0x08, 0xa3, 0x23, 0x9b, 0xe5, 0x36,
186 0x96, 0x13, 0x22, 0xf9, 0x69, 0xa6, 0x87, 0x88, 0x9b, 0x85, 0x3f, 0x83,
187 0x9c, 0xab, 0x1a, 0x1b, 0x6d, 0x8d, 0x16, 0xf4, 0x5e, 0xbd, 0xee, 0x4b,
188 0x59, 0x56, 0xf8, 0x9d, 0x58, 0xcd, 0xd2, 0x83, 0x85, 0x59, 0x43, 0x84,
189 0x63, 0x4f, 0xe6, 0x1a, 0x86, 0x66, 0x0d, 0xb5, 0xa0, 0x87, 0x89, 0xb6,
190 0x13, 0x82, 0x43, 0xda, 0x34, 0x92, 0x3b, 0x68, 0xc4, 0x95, 0x71, 0x2f,
191 0x15, 0xc2, 0xe0, 0x43, 0x67, 0x3c, 0x08, 0x00, 0x36, 0x10, 0xc3, 0xb4,
192 0x46, 0x4c, 0x4e, 0x6e, 0xf5, 0x44, 0xa9, 0x04, 0x44, 0x9d, 0xce, 0xc7,
193 0x05, 0x79, 0xee, 0x11, 0xcf, 0xaf, 0x2c, 0xd7, 0x9a, 0x32, 0xd3, 0xa5,
194 0x30, 0xd4, 0x3a, 0x78, 0x43, 0x37, 0x74, 0x22, 0x90, 0x24, 0x04, 0x11,
195 0xd7, 0x95, 0x08, 0x52, 0xa4, 0x71, 0x41, 0x68, 0x94, 0xb0, 0xa0, 0xc3,
196 0xec, 0x4e, 0xd2, 0xc4, 0x30, 0x71, 0x98, 0x64, 0x9c, 0xe3, 0x7c, 0x76,
197 0xef, 0x33, 0xa3, 0x2b, 0xb1, 0x87, 0x63, 0xd2, 0x5c, 0x09, 0xfc, 0x90,
198 0x2d, 0x92, 0xf4, 0x57, 0x02, 0x01, 0x03, 0x02, 0x82, 0x01, 0x00, 0x62,
199 0x26, 0xdf, 0xdb, 0x9c, 0x06, 0xf2, 0x1a, 0xad, 0xfc, 0x7a, 0x03, 0x8f,
200 0x3f, 0xc0, 0x71, 0x8a, 0x71, 0xc7, 0xb8, 0x6b, 0x1b, 0x6e, 0x9f, 0xd9,
201 0x0f, 0x37, 0x38, 0x44, 0x0e, 0xec, 0x1d, 0x62, 0x52, 0x61, 0x35, 0x79,
202 0x5c, 0x0a, 0xb6, 0x48, 0xfc, 0x61, 0x24, 0x98, 0x4d, 0x8f, 0xd6, 0x28,
203 0xfc, 0x7e, 0xc2, 0xae, 0x26, 0xad, 0x5c, 0xf7, 0xb6, 0x37, 0xcb, 0xa2,
204 0xb5, 0xeb, 0xaf, 0xe8, 0x60, 0xc5, 0xbd, 0x69, 0xee, 0xa1, 0xd1, 0x53,
205 0x16, 0xda, 0xcd, 0xce, 0xfb, 0x48, 0xf3, 0xb9, 0x52, 0xa1, 0xd5, 0x89,
206 0x68, 0x6d, 0x63, 0x55, 0x7d, 0xb1, 0x9a, 0xc7, 0xe4, 0x89, 0xe3, 0xcd,
207 0x14, 0xee, 0xac, 0x6f, 0x5e, 0x05, 0xc2, 0x17, 0xbd, 0x43, 0x79, 0xb9,
208 0x62, 0x17, 0x50, 0xf1, 0x19, 0xaf, 0xb0, 0x67, 0xae, 0x2a, 0x57, 0xbd,
209 0xc7, 0x66, 0xbc, 0xf3, 0xb3, 0x64, 0xa1, 0xe3, 0x16, 0x74, 0x9e, 0xea,
210 0x02, 0x5c, 0xab, 0x94, 0xd8, 0x97, 0x02, 0x42, 0x0c, 0x2c, 0xba, 0x54,
211 0xb9, 0xaf, 0xe0, 0x45, 0x93, 0xad, 0x7f, 0xb3, 0x10, 0x6a, 0x96, 0x50,
212 0x4b, 0xaf, 0xcf, 0xc8, 0x27, 0x62, 0x2d, 0x83, 0xe9, 0x26, 0xc6, 0x94,
213 0xc1, 0xef, 0x5c, 0x8e, 0x06, 0x42, 0x53, 0xe5, 0x56, 0xaf, 0xc2, 0x99,
214 0x01, 0xaa, 0x9a, 0x71, 0xbc, 0xe8, 0x21, 0x33, 0x2a, 0x2d, 0xa3, 0x36,
215 0xac, 0x1b, 0x86, 0x19, 0xf8, 0xcd, 0x1f, 0x80, 0xa4, 0x26, 0x98, 0xb8,
216 0x9f, 0x62, 0x62, 0xd5, 0x1a, 0x7f, 0xee, 0xdb, 0xdf, 0x81, 0xd3, 0x21,
217 0xdb, 0x33, 0x92, 0xee, 0xff, 0xe2, 0x2f, 0x32, 0x77, 0x73, 0x6a, 0x58,
218 0xab, 0x21, 0xf3, 0xe3, 0xe1, 0xbc, 0x4f, 0x12, 0x72, 0xa6, 0xb5, 0xc2,
219 0xfb, 0x27, 0x9e, 0xc8, 0xca, 0xab, 0x64, 0xa0, 0x87, 0x07, 0x9d, 0xef,
220 0xca, 0x0f, 0xdb, 0x02, 0x81, 0x81, 0x00, 0xe6, 0xd3, 0x4d, 0xc0, 0xa1,
221 0x91, 0x0e, 0x62, 0xfd, 0xb0, 0xdd, 0xc6, 0x30, 0xb8, 0x8c, 0xcb, 0x14,
222 0xc1, 0x4b, 0x69, 0x30, 0xdd, 0xcd, 0x86, 0x67, 0xcb, 0x37, 0x14, 0xc5,
223 0x03, 0xd2, 0xb4, 0x69, 0xab, 0x3d, 0xe5, 0x16, 0x81, 0x0f, 0xe5, 0x50,
224 0xf4, 0x18, 0xb1, 0xec, 0xbc, 0x71, 0xe9, 0x80, 0x99, 0x06, 0xe4, 0xa3,
225 0xfe, 0x44, 0x84, 0x4a, 0x2d, 0x1e, 0x07, 0x7f, 0x22, 0x70, 0x6d, 0x4f,
226 0xd4, 0x93, 0x0b, 0x8b, 0x99, 0xce, 0x1e, 0xab, 0xcd, 0x4c, 0xd2, 0xd3,
227 0x10, 0x47, 0x5c, 0x09, 0x9f, 0x6d, 0x82, 0xc0, 0x08, 0x75, 0xe3, 0x3d,
228 0x83, 0xc2, 0x19, 0x50, 0x29, 0xec, 0x1f, 0x84, 0x29, 0xcc, 0xf1, 0x56,
229 0xee, 0xbd, 0x54, 0x5d, 0xe6, 0x19, 0xdf, 0x0d, 0x1c, 0xa4, 0xbb, 0x0a,
230 0xfe, 0x84, 0x44, 0x29, 0x1d, 0xf9, 0x5c, 0x80, 0x96, 0x5b, 0x24, 0xb4,
231 0xf7, 0x02, 0x1b, 0x02, 0x81, 0x81, 0x00, 0xa3, 0x48, 0xf1, 0x9c, 0x58,
232 0xc2, 0x5f, 0x38, 0xfb, 0xd8, 0x12, 0x39, 0xf1, 0x8e, 0x73, 0xa1, 0xcf,
233 0x78, 0x12, 0xe0, 0xed, 0x2a, 0xbb, 0xef, 0xac, 0x23, 0xb2, 0xbf, 0xd6,
234 0x0c, 0xe9, 0x6e, 0x1e, 0xab, 0xea, 0x3f, 0x68, 0x36, 0xa7, 0x1f, 0xe5,
235 0xab, 0xe0, 0x86, 0xa5, 0x76, 0x32, 0x98, 0xdd, 0x75, 0xb5, 0x2b, 0xbc,
236 0xcb, 0x8a, 0x03, 0x00, 0x7c, 0x2e, 0xca, 0xf8, 0xbc, 0x19, 0xe4, 0xe3,
237 0xa3, 0x31, 0xbd, 0x1d, 0x20, 0x2b, 0x09, 0xad, 0x6f, 0x4c, 0xed, 0x48,
238 0xd4, 0xdf, 0x87, 0xf9, 0xf0, 0x46, 0xb9, 0x86, 0x4c, 0x4b, 0x71, 0xe7,
239 0x48, 0x78, 0xdc, 0xed, 0xc7, 0x82, 0x02, 0x44, 0xd3, 0xa6, 0xb3, 0x10,
240 0x5f, 0x62, 0x81, 0xfc, 0xb8, 0xe4, 0x0e, 0xf4, 0x1a, 0xdd, 0xab, 0x3f,
241 0xbc, 0x63, 0x79, 0x5b, 0x39, 0x69, 0x5e, 0xea, 0xa9, 0x15, 0xfe, 0x90,
242 0xec, 0xda, 0x75, 0x02, 0x81, 0x81, 0x00, 0x99, 0xe2, 0x33, 0xd5, 0xc1,
243 0x0b, 0x5e, 0xec, 0xa9, 0x20, 0x93, 0xd9, 0x75, 0xd0, 0x5d, 0xdc, 0xb8,
244 0x80, 0xdc, 0xf0, 0xcb, 0x3e, 0x89, 0x04, 0x45, 0x32, 0x24, 0xb8, 0x83,
245 0x57, 0xe1, 0xcd, 0x9b, 0xc7, 0x7e, 0x98, 0xb9, 0xab, 0x5f, 0xee, 0x35,
246 0xf8, 0x10, 0x76, 0x9d, 0xd2, 0xf6, 0x9b, 0xab, 0x10, 0xaf, 0x43, 0x17,
247 0xfe, 0xd8, 0x58, 0x31, 0x73, 0x69, 0x5a, 0x54, 0xc1, 0xa0, 0x48, 0xdf,
248 0xe3, 0x0c, 0xb2, 0x5d, 0x11, 0x34, 0x14, 0x72, 0x88, 0xdd, 0xe1, 0xe2,
249 0x0a, 0xda, 0x3d, 0x5b, 0xbf, 0x9e, 0x57, 0x2a, 0xb0, 0x4e, 0x97, 0x7e,
250 0x57, 0xd6, 0xbb, 0x8a, 0xc6, 0x9d, 0x6a, 0x58, 0x1b, 0xdd, 0xf6, 0x39,
251 0xf4, 0x7e, 0x38, 0x3e, 0x99, 0x66, 0x94, 0xb3, 0x68, 0x6d, 0xd2, 0x07,
252 0x54, 0x58, 0x2d, 0x70, 0xbe, 0xa6, 0x3d, 0xab, 0x0e, 0xe7, 0x6d, 0xcd,
253 0xfa, 0x01, 0x67, 0x02, 0x81, 0x80, 0x6c, 0xdb, 0x4b, 0xbd, 0x90, 0x81,
254 0x94, 0xd0, 0xa7, 0xe5, 0x61, 0x7b, 0xf6, 0x5e, 0xf7, 0xc1, 0x34, 0xfa,
255 0xb7, 0x40, 0x9e, 0x1c, 0x7d, 0x4a, 0x72, 0xc2, 0x77, 0x2a, 0x8e, 0xb3,
256 0x46, 0x49, 0x69, 0xc7, 0xf1, 0x7f, 0x9a, 0xcf, 0x1a, 0x15, 0x43, 0xc7,
257 0xeb, 0x04, 0x6e, 0x4e, 0xcc, 0x65, 0xe8, 0xf9, 0x23, 0x72, 0x7d, 0xdd,
258 0x06, 0xac, 0xaa, 0xfd, 0x74, 0x87, 0x50, 0x7d, 0x66, 0x98, 0x97, 0xc2,
259 0x21, 0x28, 0xbe, 0x15, 0x72, 0x06, 0x73, 0x9f, 0x88, 0x9e, 0x30, 0x8d,
260 0xea, 0x5a, 0xa6, 0xa0, 0x2f, 0x26, 0x59, 0x88, 0x32, 0x4b, 0xef, 0x85,
261 0xa5, 0xe8, 0x9e, 0x85, 0x01, 0x56, 0xd8, 0x8d, 0x19, 0xcc, 0xb5, 0x94,
262 0xec, 0x56, 0xa8, 0x7b, 0x42, 0xb4, 0xa2, 0xbc, 0x93, 0xc7, 0x7f, 0xd2,
263 0xec, 0xfb, 0x92, 0x26, 0x46, 0x3f, 0x47, 0x1b, 0x63, 0xff, 0x0b, 0x48,
264 0x91, 0xa3, 0x02, 0x81, 0x80, 0x2c, 0x4a, 0xb9, 0xa4, 0x46, 0x7b, 0xff,
265 0x50, 0x7e, 0xbf, 0x60, 0x47, 0x3b, 0x2b, 0x66, 0x82, 0xdc, 0x0e, 0x53,
266 0x65, 0x71, 0xe9, 0xda, 0x2a, 0xb8, 0x32, 0x93, 0x42, 0xb7, 0xff, 0xea,
267 0x67, 0x66, 0xf1, 0xbc, 0x87, 0x28, 0x65, 0x29, 0x79, 0xca, 0xab, 0x93,
268 0x56, 0xda, 0x95, 0xc1, 0x26, 0x44, 0x3d, 0x27, 0xc1, 0x91, 0xc6, 0x9b,
269 0xd9, 0xec, 0x9d, 0xb7, 0x49, 0xe7, 0x16, 0xee, 0x99, 0x87, 0x50, 0x95,
270 0x81, 0xd4, 0x5c, 0x5b, 0x5a, 0x5d, 0x0a, 0x43, 0xa5, 0xa7, 0x8f, 0x5a,
271 0x80, 0x49, 0xa0, 0xb7, 0x10, 0x85, 0xc7, 0xf4, 0x42, 0x34, 0x86, 0xb6,
272 0x5f, 0x3f, 0x88, 0x9e, 0xc7, 0xf5, 0x59, 0x29, 0x39, 0x68, 0x48, 0xf2,
273 0xd7, 0x08, 0x5b, 0x92, 0x8e, 0x6b, 0xea, 0xa5, 0x63, 0x5f, 0xc0, 0xfb,
274 0xe4, 0xe1, 0xb2, 0x7d, 0xb7, 0x40, 0xe9, 0x55, 0x06, 0xbf, 0x58, 0x25,
275 0x6f};
276
277 // kPKCS1Ciphertext2 is "hello world" encrypted with kKey2 and RSAES-PKCS1-v1_5.
278 static const uint8_t kPKCS1Ciphertext2[] = {
279 0x63, 0x0a, 0x30, 0x45, 0x43, 0x11, 0x45, 0xb7, 0x99, 0x67, 0x90, 0x35,
280 0x37, 0x27, 0xff, 0xbc, 0xe0, 0xbf, 0xa6, 0xd1, 0x47, 0x50, 0xbb, 0x6c,
281 0x1c, 0xaa, 0x66, 0xf2, 0xff, 0x9d, 0x9a, 0xa6, 0xb4, 0x16, 0x63, 0xb0,
282 0xa1, 0x7c, 0x7c, 0x0c, 0xef, 0xb3, 0x66, 0x52, 0x42, 0xd7, 0x5e, 0xf3,
283 0xa4, 0x15, 0x33, 0x40, 0x43, 0xe8, 0xb1, 0xfc, 0xe0, 0x42, 0x83, 0x46,
284 0x28, 0xce, 0xde, 0x7b, 0x01, 0xeb, 0x28, 0x92, 0x70, 0xdf, 0x8d, 0x54,
285 0x9e, 0xed, 0x23, 0xb4, 0x78, 0xc3, 0xca, 0x85, 0x53, 0x48, 0xd6, 0x8a,
286 0x87, 0xf7, 0x69, 0xcd, 0x82, 0x8c, 0x4f, 0x5c, 0x05, 0x55, 0xa6, 0x78,
287 0x89, 0xab, 0x4c, 0xd8, 0xa9, 0xd6, 0xa5, 0xf4, 0x29, 0x4c, 0x23, 0xc8,
288 0xcf, 0xf0, 0x4c, 0x64, 0x6b, 0x4e, 0x02, 0x17, 0x69, 0xd6, 0x47, 0x83,
289 0x30, 0x43, 0x02, 0x29, 0xda, 0xda, 0x75, 0x3b, 0xd7, 0xa7, 0x2b, 0x31,
290 0xb3, 0xe9, 0x71, 0xa4, 0x41, 0xf7, 0x26, 0x9b, 0xcd, 0x23, 0xfa, 0x45,
291 0x3c, 0x9b, 0x7d, 0x28, 0xf7, 0xf9, 0x67, 0x04, 0xba, 0xfc, 0x46, 0x75,
292 0x11, 0x3c, 0xd5, 0x27, 0x43, 0x53, 0xb1, 0xb6, 0x9e, 0x18, 0xeb, 0x11,
293 0xb4, 0x25, 0x20, 0x30, 0x0b, 0xe0, 0x1c, 0x17, 0x36, 0x22, 0x10, 0x0f,
294 0x99, 0xb5, 0x50, 0x14, 0x73, 0x07, 0xf0, 0x2f, 0x5d, 0x4c, 0xe3, 0xf2,
295 0x86, 0xc2, 0x05, 0xc8, 0x38, 0xed, 0xeb, 0x2a, 0x4a, 0xab, 0x76, 0xe3,
296 0x1a, 0x75, 0x44, 0xf7, 0x6e, 0x94, 0xdc, 0x25, 0x62, 0x7e, 0x31, 0xca,
297 0xc2, 0x73, 0x51, 0xb5, 0x03, 0xfb, 0xf9, 0xf6, 0xb5, 0x8d, 0x4e, 0x6c,
298 0x21, 0x0e, 0xf9, 0x97, 0x26, 0x57, 0xf3, 0x52, 0x72, 0x07, 0xf8, 0xb4,
299 0xcd, 0xb4, 0x39, 0xcf, 0xbf, 0x78, 0xcc, 0xb6, 0x87, 0xf9, 0xb7, 0x8b,
300 0x6a, 0xce, 0x9f, 0xc8};
301
302 // kOAEPCiphertext2 is a sample encryption of |kPlaintext| with |kKey2| using
303 // RSA OAEP, SHA-1, and no label. It was generated with:
304 //
305 // clang-format off
306 // openssl pkeyutl -encrypt -inkey key2.pem -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha1 -in plaintext | xxd -i
307 // clang-format on
308 static const uint8_t kOAEPCiphertext2[] = {
309 0x56, 0x10, 0x50, 0x5b, 0x9a, 0xa8, 0x2e, 0x3f, 0x24, 0x06, 0x5b, 0xd3,
310 0x06, 0x03, 0xde, 0x18, 0x69, 0xb2, 0x1b, 0xec, 0x12, 0x14, 0x76, 0xb9,
311 0x8c, 0x7b, 0xf8, 0x4a, 0xaf, 0x87, 0xa8, 0x83, 0x49, 0x1c, 0x5e, 0xb4,
312 0xe5, 0x9f, 0xff, 0x00, 0xf2, 0xdd, 0x34, 0xf0, 0x10, 0x9f, 0xca, 0xc6,
313 0x02, 0x54, 0x23, 0xb2, 0xc3, 0xdc, 0x74, 0xa8, 0x9f, 0xd2, 0xdc, 0x87,
314 0x48, 0x2f, 0x02, 0x8b, 0xf1, 0x7a, 0x91, 0x8d, 0x2d, 0x77, 0x7f, 0x6f,
315 0x8f, 0x19, 0xde, 0x90, 0x54, 0x0d, 0x1b, 0x7b, 0x96, 0x81, 0x84, 0xf9,
316 0x03, 0x48, 0xef, 0xab, 0xe5, 0x07, 0xcd, 0x7f, 0x01, 0xeb, 0x86, 0x8d,
317 0x7e, 0x7e, 0xf8, 0x2a, 0x50, 0x02, 0xcd, 0xcb, 0xa5, 0xfe, 0xc2, 0x35,
318 0x1f, 0x82, 0xef, 0xb9, 0x1d, 0x98, 0xd5, 0x07, 0x94, 0x37, 0x08, 0x13,
319 0x1c, 0xc8, 0x19, 0x06, 0x13, 0x2d, 0x1c, 0xb2, 0x50, 0x34, 0xad, 0x99,
320 0x3c, 0xe6, 0xce, 0x4c, 0x88, 0x6d, 0x96, 0xc8, 0x85, 0xd1, 0x5e, 0xd5,
321 0x77, 0x02, 0x0a, 0xa9, 0x2a, 0xf1, 0xa3, 0x4a, 0x04, 0x65, 0x87, 0x05,
322 0x6b, 0x34, 0x65, 0x1c, 0xef, 0x64, 0x11, 0xee, 0x23, 0x7e, 0x36, 0x4f,
323 0x4c, 0x5d, 0xb7, 0xd6, 0x79, 0x30, 0xec, 0xdf, 0xde, 0x35, 0x32, 0xd0,
324 0xb0, 0x7e, 0x26, 0x1f, 0xea, 0xa2, 0x78, 0x98, 0x4b, 0x77, 0x9b, 0x03,
325 0x75, 0x33, 0x08, 0x72, 0x91, 0x0b, 0x77, 0xc0, 0x6e, 0xe1, 0x0f, 0x14,
326 0xf1, 0xf0, 0xb9, 0xe5, 0x5f, 0x08, 0xc2, 0x92, 0x79, 0x2e, 0x6f, 0xef,
327 0x2a, 0x1b, 0x31, 0x64, 0x36, 0x67, 0xf8, 0x1d, 0xc8, 0xb7, 0xc3, 0x15,
328 0x6c, 0xd8, 0x35, 0x34, 0x44, 0xb2, 0x91, 0xf2, 0x07, 0x86, 0xd6, 0xfa,
329 0x42, 0x04, 0xae, 0xc5, 0x17, 0x14, 0x61, 0x6f, 0x12, 0x84, 0xb9, 0x99,
330 0x47, 0xd1, 0xdc, 0x3c};
331
332 // kKey3 is a DER-encoded RSAPrivateKey. It is a 1024-bit RSA private key with
333 // exponent 17.
334 static const uint8_t kKey3[] = {
335 0x30, 0x82, 0x02, 0x5b, 0x02, 0x01, 0x00, 0x02, 0x81, 0x81, 0x00, 0xbb,
336 0xf8, 0x2f, 0x09, 0x06, 0x82, 0xce, 0x9c, 0x23, 0x38, 0xac, 0x2b, 0x9d,
337 0xa8, 0x71, 0xf7, 0x36, 0x8d, 0x07, 0xee, 0xd4, 0x10, 0x43, 0xa4, 0x40,
338 0xd6, 0xb6, 0xf0, 0x74, 0x54, 0xf5, 0x1f, 0xb8, 0xdf, 0xba, 0xaf, 0x03,
339 0x5c, 0x02, 0xab, 0x61, 0xea, 0x48, 0xce, 0xeb, 0x6f, 0xcd, 0x48, 0x76,
340 0xed, 0x52, 0x0d, 0x60, 0xe1, 0xec, 0x46, 0x19, 0x71, 0x9d, 0x8a, 0x5b,
341 0x8b, 0x80, 0x7f, 0xaf, 0xb8, 0xe0, 0xa3, 0xdf, 0xc7, 0x37, 0x72, 0x3e,
342 0xe6, 0xb4, 0xb7, 0xd9, 0x3a, 0x25, 0x84, 0xee, 0x6a, 0x64, 0x9d, 0x06,
343 0x09, 0x53, 0x74, 0x88, 0x34, 0xb2, 0x45, 0x45, 0x98, 0x39, 0x4e, 0xe0,
344 0xaa, 0xb1, 0x2d, 0x7b, 0x61, 0xa5, 0x1f, 0x52, 0x7a, 0x9a, 0x41, 0xf6,
345 0xc1, 0x68, 0x7f, 0xe2, 0x53, 0x72, 0x98, 0xca, 0x2a, 0x8f, 0x59, 0x46,
346 0xf8, 0xe5, 0xfd, 0x09, 0x1d, 0xbd, 0xcb, 0x02, 0x01, 0x11, 0x02, 0x81,
347 0x81, 0x00, 0xa5, 0xda, 0xfc, 0x53, 0x41, 0xfa, 0xf2, 0x89, 0xc4, 0xb9,
348 0x88, 0xdb, 0x30, 0xc1, 0xcd, 0xf8, 0x3f, 0x31, 0x25, 0x1e, 0x06, 0x68,
349 0xb4, 0x27, 0x84, 0x81, 0x38, 0x01, 0x57, 0x96, 0x41, 0xb2, 0x94, 0x10,
350 0xb3, 0xc7, 0x99, 0x8d, 0x6b, 0xc4, 0x65, 0x74, 0x5e, 0x5c, 0x39, 0x26,
351 0x69, 0xd6, 0x87, 0x0d, 0xa2, 0xc0, 0x82, 0xa9, 0x39, 0xe3, 0x7f, 0xdc,
352 0xb8, 0x2e, 0xc9, 0x3e, 0xda, 0xc9, 0x7f, 0xf3, 0xad, 0x59, 0x50, 0xac,
353 0xcf, 0xbc, 0x11, 0x1c, 0x76, 0xf1, 0xa9, 0x52, 0x94, 0x44, 0xe5, 0x6a,
354 0xaf, 0x68, 0xc5, 0x6c, 0x09, 0x2c, 0xd3, 0x8d, 0xc3, 0xbe, 0xf5, 0xd2,
355 0x0a, 0x93, 0x99, 0x26, 0xed, 0x4f, 0x74, 0xa1, 0x3e, 0xdd, 0xfb, 0xe1,
356 0xa1, 0xce, 0xcc, 0x48, 0x94, 0xaf, 0x94, 0x28, 0xc2, 0xb7, 0xb8, 0x88,
357 0x3f, 0xe4, 0x46, 0x3a, 0x4b, 0xc8, 0x5b, 0x1c, 0xb3, 0xc1, 0x02, 0x41,
358 0x00, 0xee, 0xcf, 0xae, 0x81, 0xb1, 0xb9, 0xb3, 0xc9, 0x08, 0x81, 0x0b,
359 0x10, 0xa1, 0xb5, 0x60, 0x01, 0x99, 0xeb, 0x9f, 0x44, 0xae, 0xf4, 0xfd,
360 0xa4, 0x93, 0xb8, 0x1a, 0x9e, 0x3d, 0x84, 0xf6, 0x32, 0x12, 0x4e, 0xf0,
361 0x23, 0x6e, 0x5d, 0x1e, 0x3b, 0x7e, 0x28, 0xfa, 0xe7, 0xaa, 0x04, 0x0a,
362 0x2d, 0x5b, 0x25, 0x21, 0x76, 0x45, 0x9d, 0x1f, 0x39, 0x75, 0x41, 0xba,
363 0x2a, 0x58, 0xfb, 0x65, 0x99, 0x02, 0x41, 0x00, 0xc9, 0x7f, 0xb1, 0xf0,
364 0x27, 0xf4, 0x53, 0xf6, 0x34, 0x12, 0x33, 0xea, 0xaa, 0xd1, 0xd9, 0x35,
365 0x3f, 0x6c, 0x42, 0xd0, 0x88, 0x66, 0xb1, 0xd0, 0x5a, 0x0f, 0x20, 0x35,
366 0x02, 0x8b, 0x9d, 0x86, 0x98, 0x40, 0xb4, 0x16, 0x66, 0xb4, 0x2e, 0x92,
367 0xea, 0x0d, 0xa3, 0xb4, 0x32, 0x04, 0xb5, 0xcf, 0xce, 0x33, 0x52, 0x52,
368 0x4d, 0x04, 0x16, 0xa5, 0xa4, 0x41, 0xe7, 0x00, 0xaf, 0x46, 0x15, 0x03,
369 0x02, 0x40, 0x54, 0x49, 0x4c, 0xa6, 0x3e, 0xba, 0x03, 0x37, 0xe4, 0xe2,
370 0x40, 0x23, 0xfc, 0xd6, 0x9a, 0x5a, 0xeb, 0x07, 0xdd, 0xdc, 0x01, 0x83,
371 0xa4, 0xd0, 0xac, 0x9b, 0x54, 0xb0, 0x51, 0xf2, 0xb1, 0x3e, 0xd9, 0x49,
372 0x09, 0x75, 0xea, 0xb7, 0x74, 0x14, 0xff, 0x59, 0xc1, 0xf7, 0x69, 0x2e,
373 0x9a, 0x2e, 0x20, 0x2b, 0x38, 0xfc, 0x91, 0x0a, 0x47, 0x41, 0x74, 0xad,
374 0xc9, 0x3c, 0x1f, 0x67, 0xc9, 0x81, 0x02, 0x40, 0x47, 0x1e, 0x02, 0x90,
375 0xff, 0x0a, 0xf0, 0x75, 0x03, 0x51, 0xb7, 0xf8, 0x78, 0x86, 0x4c, 0xa9,
376 0x61, 0xad, 0xbd, 0x3a, 0x8a, 0x7e, 0x99, 0x1c, 0x5c, 0x05, 0x56, 0xa9,
377 0x4c, 0x31, 0x46, 0xa7, 0xf9, 0x80, 0x3f, 0x8f, 0x6f, 0x8a, 0xe3, 0x42,
378 0xe9, 0x31, 0xfd, 0x8a, 0xe4, 0x7a, 0x22, 0x0d, 0x1b, 0x99, 0xa4, 0x95,
379 0x84, 0x98, 0x07, 0xfe, 0x39, 0xf9, 0x24, 0x5a, 0x98, 0x36, 0xda, 0x3d,
380 0x02, 0x41, 0x00, 0xb0, 0x6c, 0x4f, 0xda, 0xbb, 0x63, 0x01, 0x19, 0x8d,
381 0x26, 0x5b, 0xdb, 0xae, 0x94, 0x23, 0xb3, 0x80, 0xf2, 0x71, 0xf7, 0x34,
382 0x53, 0x88, 0x50, 0x93, 0x07, 0x7f, 0xcd, 0x39, 0xe2, 0x11, 0x9f, 0xc9,
383 0x86, 0x32, 0x15, 0x4f, 0x58, 0x83, 0xb1, 0x67, 0xa9, 0x67, 0xbf, 0x40,
384 0x2b, 0x4e, 0x9e, 0x2e, 0x0f, 0x96, 0x56, 0xe6, 0x98, 0xea, 0x36, 0x66,
385 0xed, 0xfb, 0x25, 0x79, 0x80, 0x39, 0xf7};
386
387 // kOAEPCiphertext3 is a sample encryption of |kPlaintext| with |kKey3| using
388 // RSA OAEP, SHA-1, and no label.
389 static const uint8_t kOAEPCiphertext3[] = {
390 0xb8, 0x24, 0x6b, 0x56, 0xa6, 0xed, 0x58, 0x81, 0xae, 0xb5, 0x85, 0xd9,
391 0xa2, 0x5b, 0x2a, 0xd7, 0x90, 0xc4, 0x17, 0xe0, 0x80, 0x68, 0x1b, 0xf1,
392 0xac, 0x2b, 0xc3, 0xde, 0xb6, 0x9d, 0x8b, 0xce, 0xf0, 0xc4, 0x36, 0x6f,
393 0xec, 0x40, 0x0a, 0xf0, 0x52, 0xa7, 0x2e, 0x9b, 0x0e, 0xff, 0xb5, 0xb3,
394 0xf2, 0xf1, 0x92, 0xdb, 0xea, 0xca, 0x03, 0xc1, 0x27, 0x40, 0x05, 0x71,
395 0x13, 0xbf, 0x1f, 0x06, 0x69, 0xac, 0x22, 0xe9, 0xf3, 0xa7, 0x85, 0x2e,
396 0x3c, 0x15, 0xd9, 0x13, 0xca, 0xb0, 0xb8, 0x86, 0x3a, 0x95, 0xc9, 0x92,
397 0x94, 0xce, 0x86, 0x74, 0x21, 0x49, 0x54, 0x61, 0x03, 0x46, 0xf4, 0xd4,
398 0x74, 0xb2, 0x6f, 0x7c, 0x48, 0xb4, 0x2e, 0xe6, 0x8e, 0x1f, 0x57, 0x2a,
399 0x1f, 0xc4, 0x02, 0x6a, 0xc4, 0x56, 0xb4, 0xf5, 0x9f, 0x7b, 0x62, 0x1e,
400 0xa1, 0xb9, 0xd8, 0x8f, 0x64, 0x20, 0x2f, 0xb1};
401
402 // kEstonianRSAKey is an RSAPublicKey encoded with a negative modulus. See
403 // https://crbug.com/532048.
404 static const uint8_t kEstonianRSAKey[] = {
405 0x30, 0x82, 0x01, 0x09, 0x02, 0x82, 0x01, 0x00, 0x96, 0xa6, 0x2e, 0x9c,
406 0x4e, 0x6a, 0xc3, 0xcc, 0xcd, 0x8f, 0x70, 0xc3, 0x55, 0xbf, 0x5e, 0x9c,
407 0xd4, 0xf3, 0x17, 0xc3, 0x97, 0x70, 0xae, 0xdf, 0x12, 0x5c, 0x15, 0x80,
408 0x03, 0xef, 0x2b, 0x18, 0x9d, 0x6a, 0xcb, 0x52, 0x22, 0xc1, 0x81, 0xb8,
409 0x7e, 0x61, 0xe8, 0x0f, 0x79, 0x24, 0x0f, 0x82, 0x70, 0x24, 0x4e, 0x29,
410 0x20, 0x05, 0x54, 0xeb, 0xd4, 0xa9, 0x65, 0x59, 0xb6, 0x3c, 0x75, 0x95,
411 0x2f, 0x4c, 0xf6, 0x9d, 0xd1, 0xaf, 0x5f, 0x14, 0x14, 0xe7, 0x25, 0xea,
412 0xa5, 0x47, 0x5d, 0xc6, 0x3e, 0x28, 0x8d, 0xdc, 0x54, 0x87, 0x2a, 0x7c,
413 0x10, 0xe9, 0xc6, 0x76, 0x2d, 0xe7, 0x79, 0xd8, 0x0e, 0xbb, 0xa9, 0xac,
414 0xb5, 0x18, 0x98, 0xd6, 0x47, 0x6e, 0x06, 0x70, 0xbf, 0x9e, 0x82, 0x25,
415 0x95, 0x4e, 0xfd, 0x70, 0xd7, 0x73, 0x45, 0x2e, 0xc1, 0x1f, 0x7a, 0x9a,
416 0x9d, 0x60, 0xc0, 0x1f, 0x67, 0x06, 0x2a, 0x4e, 0x87, 0x3f, 0x19, 0x88,
417 0x69, 0x64, 0x4d, 0x9f, 0x75, 0xf5, 0xd3, 0x1a, 0x41, 0x3d, 0x35, 0x17,
418 0xb6, 0xd1, 0x44, 0x0d, 0x25, 0x8b, 0xe7, 0x94, 0x39, 0xb0, 0x7c, 0xaf,
419 0x3e, 0x6a, 0xfa, 0x8d, 0x90, 0x21, 0x0f, 0x8a, 0x43, 0x94, 0x37, 0x7c,
420 0x2a, 0x15, 0x4c, 0xa0, 0xfa, 0xa9, 0x2f, 0x21, 0xa6, 0x6f, 0x8e, 0x2f,
421 0x89, 0xbc, 0xbb, 0x33, 0xf8, 0x31, 0xfc, 0xdf, 0xcd, 0x68, 0x9a, 0xbc,
422 0x75, 0x06, 0x95, 0xf1, 0x3d, 0xef, 0xca, 0x76, 0x27, 0xd2, 0xba, 0x8e,
423 0x0e, 0x1c, 0x43, 0xd7, 0x70, 0xb9, 0xc6, 0x15, 0xca, 0xd5, 0x4d, 0x87,
424 0xb9, 0xd1, 0xae, 0xde, 0x69, 0x73, 0x00, 0x2a, 0x97, 0x51, 0x4b, 0x30,
425 0x01, 0xc2, 0x85, 0xd0, 0x05, 0xcc, 0x2e, 0xe8, 0xc7, 0x42, 0xe7, 0x94,
426 0x51, 0xe3, 0xf5, 0x19, 0x35, 0xdc, 0x57, 0x96, 0xe7, 0xd9, 0xb4, 0x49,
427 0x02, 0x03, 0x01, 0x00, 0x01,
428 };
429
430 // kExponent1RSAKey is an RSAPublicKey encoded with an exponent of 1. See
431 // https://crbug.com/541257
432 static const uint8_t kExponent1RSAKey[] = {
433 0x30, 0x82, 0x01, 0x08, 0x02, 0x82, 0x01, 0x01, 0x00, 0xcf, 0x86, 0x9a,
434 0x7d, 0x5c, 0x9f, 0xbd, 0x33, 0xbb, 0xc2, 0xb1, 0x06, 0xa8, 0x3e, 0xc5,
435 0x18, 0xf3, 0x01, 0x04, 0xdd, 0x7a, 0x38, 0x0e, 0x8e, 0x8d, 0x10, 0xaa,
436 0xf8, 0x64, 0x49, 0x82, 0xa6, 0x16, 0x9d, 0xd9, 0xae, 0x5e, 0x7f, 0x9b,
437 0x53, 0xcb, 0xbb, 0x29, 0xda, 0x98, 0x47, 0x26, 0x88, 0x2e, 0x1d, 0x64,
438 0xb3, 0xbc, 0x7e, 0x96, 0x3a, 0xa7, 0xd6, 0x87, 0xf6, 0xf5, 0x3f, 0xa7,
439 0x3b, 0xd3, 0xc5, 0xd5, 0x61, 0x3c, 0x63, 0x05, 0xf9, 0xbc, 0x64, 0x1d,
440 0x71, 0x65, 0xf5, 0xc8, 0xe8, 0x64, 0x41, 0x35, 0x88, 0x81, 0x6b, 0x2a,
441 0x24, 0xbb, 0xdd, 0x9f, 0x75, 0x4f, 0xea, 0x35, 0xe5, 0x32, 0x76, 0x5a,
442 0x8b, 0x7a, 0xb5, 0x92, 0x65, 0x34, 0xb7, 0x88, 0x42, 0x5d, 0x41, 0x0b,
443 0xd1, 0x00, 0x2d, 0x43, 0x47, 0x55, 0x60, 0x3c, 0x0e, 0x60, 0x04, 0x5c,
444 0x88, 0x13, 0xc7, 0x42, 0x55, 0x16, 0x31, 0x32, 0x81, 0xba, 0xde, 0xa9,
445 0x56, 0xeb, 0xdb, 0x66, 0x7f, 0x31, 0xba, 0xe8, 0x87, 0x1a, 0xcc, 0xad,
446 0x90, 0x86, 0x4b, 0xa7, 0x6d, 0xd5, 0xc1, 0xb7, 0xe7, 0x67, 0x56, 0x41,
447 0xf7, 0x03, 0xb3, 0x09, 0x61, 0x63, 0xb5, 0xb0, 0x19, 0x7b, 0xc5, 0x91,
448 0xc8, 0x96, 0x5b, 0x6a, 0x80, 0xa1, 0x53, 0x0f, 0x9a, 0x47, 0xb5, 0x9a,
449 0x44, 0x53, 0xbd, 0x93, 0xe3, 0xe4, 0xce, 0x0c, 0x17, 0x11, 0x51, 0x1d,
450 0xfd, 0x6c, 0x74, 0xe4, 0xec, 0x2a, 0xce, 0x57, 0x27, 0xcc, 0x83, 0x98,
451 0x08, 0x32, 0x2c, 0xd5, 0x75, 0xa9, 0x27, 0xfe, 0xaa, 0x5e, 0x48, 0xc9,
452 0x46, 0x9a, 0x29, 0x3f, 0xe6, 0x01, 0x4d, 0x97, 0x4a, 0x70, 0xd1, 0x5d,
453 0xf8, 0xc0, 0x0b, 0x23, 0xcb, 0xbe, 0xf5, 0x70, 0x0b, 0xc2, 0xf2, 0xc0,
454 0x33, 0x9c, 0xc4, 0x8b, 0x39, 0x7e, 0x3d, 0xc6, 0x23, 0x39, 0x9a, 0x98,
455 0xdd, 0x02, 0x01, 0x01,
456 };
457
458 struct RSAEncryptParam {
459 bssl::Span<const uint8_t> der;
460 bssl::Span<const uint8_t> oaep_ciphertext;
461 } kRSAEncryptParams[] = {
462 {kKey1, kOAEPCiphertext1},
463 {kKey2, kOAEPCiphertext2},
464 {kKey3, kOAEPCiphertext3},
465 };
466
467 class RSAEncryptTest : public testing::TestWithParam<RSAEncryptParam> {};
468
TEST_P(RSAEncryptTest,TestKey)469 TEST_P(RSAEncryptTest, TestKey) {
470 // Construct an RSA key in different ways.
471 const auto ¶m = GetParam();
472 bssl::UniquePtr<RSA> parsed(
473 RSA_private_key_from_bytes(param.der.data(), param.der.size()));
474 ASSERT_TRUE(parsed);
475 EXPECT_TRUE(RSA_get0_e(parsed.get()));
476 EXPECT_TRUE(RSA_get0_d(parsed.get()));
477
478 bssl::UniquePtr<RSA> constructed(RSA_new_private_key(
479 RSA_get0_n(parsed.get()), RSA_get0_e(parsed.get()),
480 RSA_get0_d(parsed.get()), RSA_get0_p(parsed.get()),
481 RSA_get0_q(parsed.get()), RSA_get0_dmp1(parsed.get()),
482 RSA_get0_dmq1(parsed.get()), RSA_get0_iqmp(parsed.get())));
483 ASSERT_TRUE(constructed);
484 EXPECT_TRUE(RSA_get0_e(constructed.get()));
485 EXPECT_TRUE(RSA_get0_d(constructed.get()));
486
487 bssl::UniquePtr<RSA> no_crt(RSA_new_private_key_no_crt(
488 RSA_get0_n(parsed.get()), RSA_get0_e(parsed.get()),
489 RSA_get0_d(parsed.get())));
490 ASSERT_TRUE(no_crt);
491 EXPECT_TRUE(RSA_get0_e(no_crt.get()));
492 EXPECT_TRUE(RSA_get0_d(no_crt.get()));
493
494 bssl::UniquePtr<RSA> no_e(RSA_new_private_key_no_e(RSA_get0_n(parsed.get()),
495 RSA_get0_d(parsed.get())));
496 ASSERT_TRUE(no_e);
497 EXPECT_FALSE(RSA_get0_e(no_e.get()));
498 EXPECT_TRUE(RSA_get0_d(no_e.get()));
499
500 bssl::UniquePtr<RSA> pub(
501 RSA_new_public_key(RSA_get0_n(parsed.get()), RSA_get0_e(parsed.get())));
502 ASSERT_TRUE(pub);
503 EXPECT_TRUE(RSA_get0_e(pub.get()));
504 EXPECT_FALSE(RSA_get0_d(pub.get()));
505
506 for (RSA *key :
507 {parsed.get(), constructed.get(), no_crt.get(), no_e.get(), pub.get()}) {
508 EXPECT_TRUE(RSA_check_key(key));
509
510 std::vector<uint8_t> ciphertext(RSA_size(key)), plaintext(RSA_size(key));
511 size_t ciphertext_len = 0, plaintext_len = 0;
512
513 if (RSA_get0_e(key) != nullptr) {
514 // Test that PKCS#1 v1.5 encryption round-trips.
515 ASSERT_TRUE(RSA_encrypt(key, &ciphertext_len, ciphertext.data(),
516 ciphertext.size(), kPlaintext, sizeof(kPlaintext),
517 RSA_PKCS1_PADDING));
518 EXPECT_EQ(RSA_size(key), ciphertext_len);
519
520 ASSERT_TRUE(RSA_decrypt(parsed.get(), &plaintext_len, plaintext.data(),
521 plaintext.size(), ciphertext.data(),
522 ciphertext_len, RSA_PKCS1_PADDING));
523 EXPECT_EQ(Bytes(kPlaintext), Bytes(plaintext.data(), plaintext_len));
524
525 // Test that OAEP encryption round-trips.
526 ciphertext_len = 0;
527 ASSERT_TRUE(RSA_encrypt(key, &ciphertext_len, ciphertext.data(),
528 ciphertext.size(), kPlaintext, sizeof(kPlaintext),
529 RSA_PKCS1_OAEP_PADDING));
530 EXPECT_EQ(RSA_size(key), ciphertext_len);
531
532 plaintext_len = 0;
533 ASSERT_TRUE(RSA_decrypt(parsed.get(), &plaintext_len, plaintext.data(),
534 plaintext.size(), ciphertext.data(),
535 ciphertext_len, RSA_PKCS1_OAEP_PADDING));
536 EXPECT_EQ(Bytes(kPlaintext), Bytes(plaintext.data(), plaintext_len));
537 }
538
539 if (RSA_get0_d(key) != nullptr) {
540 // |oaep_ciphertext| should decrypt to |kPlaintext|.
541 plaintext_len = 0;
542 ASSERT_TRUE(RSA_decrypt(key, &plaintext_len, plaintext.data(),
543 plaintext.size(), param.oaep_ciphertext.data(),
544 param.oaep_ciphertext.size(),
545 RSA_PKCS1_OAEP_PADDING));
546 EXPECT_EQ(Bytes(kPlaintext), Bytes(plaintext.data(), plaintext_len));
547
548 // Try decrypting corrupted ciphertexts.
549 ciphertext.assign(
550 param.oaep_ciphertext.data(),
551 param.oaep_ciphertext.data() + param.oaep_ciphertext.size());
552 for (size_t i = 0; i < ciphertext.size(); i++) {
553 SCOPED_TRACE(i);
554 ciphertext[i] ^= 1;
555 EXPECT_FALSE(RSA_decrypt(key, &plaintext_len, plaintext.data(),
556 plaintext.size(), ciphertext.data(),
557 ciphertext.size(), RSA_PKCS1_OAEP_PADDING));
558 ERR_clear_error();
559 ciphertext[i] ^= 1;
560 }
561
562 // Test truncated ciphertexts.
563 for (size_t len = 0; len < ciphertext.size(); len++) {
564 SCOPED_TRACE(len);
565 EXPECT_FALSE(RSA_decrypt(key, &plaintext_len, plaintext.data(),
566 plaintext.size(), ciphertext.data(), len,
567 RSA_PKCS1_OAEP_PADDING));
568 ERR_clear_error();
569 }
570 }
571 }
572 }
573
574 INSTANTIATE_TEST_SUITE_P(All, RSAEncryptTest,
575 testing::ValuesIn(kRSAEncryptParams));
576
TEST(RSATest,TestDecrypt)577 TEST(RSATest, TestDecrypt) {
578 bssl::UniquePtr<RSA> rsa(RSA_private_key_from_bytes(kKey2, sizeof(kKey2)));
579 ASSERT_TRUE(rsa);
580
581 EXPECT_TRUE(RSA_check_key(rsa.get()));
582
583 std::vector<uint8_t> out(RSA_size(rsa.get()));
584 size_t out_len;
585 ASSERT_TRUE(RSA_decrypt(rsa.get(), &out_len, out.data(), out.size(),
586 kPKCS1Ciphertext2, sizeof(kPKCS1Ciphertext2),
587 RSA_PKCS1_PADDING));
588 out.resize(out_len);
589 EXPECT_EQ(Bytes("hello world"), Bytes(out));
590 }
591
TEST(RSATest,CheckFIPS)592 TEST(RSATest, CheckFIPS) {
593 bssl::UniquePtr<RSA> rsa(RSA_private_key_from_bytes(kKey1, sizeof(kKey1)));
594 ASSERT_TRUE(rsa);
595 EXPECT_TRUE(RSA_check_fips(rsa.get()));
596
597 // Check that RSA_check_fips works on a public key.
598 bssl::UniquePtr<RSA> pub(
599 RSA_public_key_from_bytes(kKey1Public, sizeof(kKey1Public)));
600 ASSERT_TRUE(pub);
601 EXPECT_TRUE(RSA_check_fips(pub.get()));
602 }
603
TEST(RSATest,GenerateFIPS)604 TEST(RSATest, GenerateFIPS) {
605 bssl::UniquePtr<RSA> rsa(RSA_new());
606 ASSERT_TRUE(rsa);
607
608 // RSA_generate_key_fips may only be used for 2048-, 3072-, and 4096-bit
609 // keys.
610 EXPECT_FALSE(RSA_generate_key_fips(rsa.get(), 512, nullptr));
611 EXPECT_FALSE(RSA_generate_key_fips(rsa.get(), 1024, nullptr));
612 EXPECT_FALSE(RSA_generate_key_fips(rsa.get(), 2047, nullptr));
613 EXPECT_FALSE(RSA_generate_key_fips(rsa.get(), 2049, nullptr));
614 EXPECT_FALSE(RSA_generate_key_fips(rsa.get(), 3071, nullptr));
615 EXPECT_FALSE(RSA_generate_key_fips(rsa.get(), 3073, nullptr));
616 EXPECT_FALSE(RSA_generate_key_fips(rsa.get(), 4095, nullptr));
617 EXPECT_FALSE(RSA_generate_key_fips(rsa.get(), 4097, nullptr));
618 ERR_clear_error();
619
620 // Test that we can generate keys of the supported lengths:
621 for (const size_t bits : {2048, 3072, 4096}) {
622 SCOPED_TRACE(bits);
623
624 rsa.reset(RSA_new());
625 ASSERT_TRUE(rsa);
626 ASSERT_TRUE(RSA_generate_key_fips(rsa.get(), bits, nullptr));
627 EXPECT_EQ(bits, BN_num_bits(rsa->n));
628 }
629 }
630
TEST(RSATest,BadKey)631 TEST(RSATest, BadKey) {
632 bssl::UniquePtr<RSA> key(RSA_new());
633 bssl::UniquePtr<BIGNUM> e(BN_new());
634 ASSERT_TRUE(key);
635 ASSERT_TRUE(e);
636 ASSERT_TRUE(BN_set_word(e.get(), RSA_F4));
637
638 // Generate a bad key.
639 ASSERT_TRUE(RSA_generate_key_ex(key.get(), 2048, e.get(), nullptr));
640 ASSERT_TRUE(BN_add(key->p, key->p, BN_value_one()));
641
642 // Bad keys are detected.
643 EXPECT_FALSE(RSA_check_key(key.get()));
644 EXPECT_FALSE(RSA_check_fips(key.get()));
645
646 // Bad keys may not be parsed.
647 uint8_t *der;
648 size_t der_len;
649 ASSERT_TRUE(RSA_private_key_to_bytes(&der, &der_len, key.get()));
650 bssl::UniquePtr<uint8_t> delete_der(der);
651 key.reset(RSA_private_key_from_bytes(der, der_len));
652 EXPECT_FALSE(key);
653 }
654
TEST(RSATest,ASN1)655 TEST(RSATest, ASN1) {
656 // Test that private keys may be decoded.
657 bssl::UniquePtr<RSA> rsa(RSA_private_key_from_bytes(kKey1, sizeof(kKey1)));
658 ASSERT_TRUE(rsa);
659
660 // Test that the serialization round-trips.
661 uint8_t *der;
662 size_t der_len;
663 ASSERT_TRUE(RSA_private_key_to_bytes(&der, &der_len, rsa.get()));
664 bssl::UniquePtr<uint8_t> delete_der(der);
665 EXPECT_EQ(Bytes(kKey1), Bytes(der, der_len));
666
667 // Test that serializing public keys works.
668 ASSERT_TRUE(RSA_public_key_to_bytes(&der, &der_len, rsa.get()));
669 delete_der.reset(der);
670
671 // Public keys may be parsed back out.
672 rsa.reset(RSA_public_key_from_bytes(der, der_len));
673 ASSERT_TRUE(rsa);
674 EXPECT_FALSE(rsa->p);
675 EXPECT_FALSE(rsa->q);
676
677 // Serializing the result round-trips.
678 uint8_t *der2;
679 size_t der2_len;
680 ASSERT_TRUE(RSA_public_key_to_bytes(&der2, &der2_len, rsa.get()));
681 bssl::UniquePtr<uint8_t> delete_der2(der2);
682 EXPECT_EQ(Bytes(der, der_len), Bytes(der2, der2_len));
683
684 // Public keys cannot be serialized as private keys.
685 int ok = RSA_private_key_to_bytes(&der, &der_len, rsa.get());
686 if (ok) {
687 OPENSSL_free(der);
688 }
689 EXPECT_FALSE(ok);
690 ERR_clear_error();
691
692 // Public keys with negative moduli are invalid.
693 rsa.reset(RSA_public_key_from_bytes(kEstonianRSAKey,
694 sizeof(kEstonianRSAKey)));
695 EXPECT_FALSE(rsa);
696 ERR_clear_error();
697 }
698
TEST(RSATest,BadExponent)699 TEST(RSATest, BadExponent) {
700 bssl::UniquePtr<RSA> rsa(
701 RSA_public_key_from_bytes(kExponent1RSAKey, sizeof(kExponent1RSAKey)));
702 EXPECT_FALSE(rsa);
703 ERR_clear_error();
704 }
705
706 // Attempting to generate an excessively small key should fail.
TEST(RSATest,GenerateSmallKey)707 TEST(RSATest, GenerateSmallKey) {
708 bssl::UniquePtr<RSA> rsa(RSA_new());
709 ASSERT_TRUE(rsa);
710 bssl::UniquePtr<BIGNUM> e(BN_new());
711 ASSERT_TRUE(e);
712 ASSERT_TRUE(BN_set_word(e.get(), RSA_F4));
713
714 EXPECT_FALSE(RSA_generate_key_ex(rsa.get(), 255, e.get(), nullptr));
715 EXPECT_TRUE(
716 ErrorEquals(ERR_get_error(), ERR_LIB_RSA, RSA_R_KEY_SIZE_TOO_SMALL));
717 }
718
719 // Attempting to generate an funny RSA key length should round down.
TEST(RSATest,RoundKeyLengths)720 TEST(RSATest, RoundKeyLengths) {
721 bssl::UniquePtr<BIGNUM> e(BN_new());
722 ASSERT_TRUE(e);
723 ASSERT_TRUE(BN_set_word(e.get(), RSA_F4));
724
725 bssl::UniquePtr<RSA> rsa(RSA_new());
726 ASSERT_TRUE(rsa);
727 ASSERT_TRUE(RSA_generate_key_ex(rsa.get(), 1025, e.get(), nullptr));
728 EXPECT_EQ(1024u, BN_num_bits(rsa->n));
729
730 rsa.reset(RSA_new());
731 ASSERT_TRUE(rsa);
732 ASSERT_TRUE(RSA_generate_key_ex(rsa.get(), 1027, e.get(), nullptr));
733 EXPECT_EQ(1024u, BN_num_bits(rsa->n));
734
735 rsa.reset(RSA_new());
736 ASSERT_TRUE(rsa);
737 ASSERT_TRUE(RSA_generate_key_ex(rsa.get(), 1151, e.get(), nullptr));
738 EXPECT_EQ(1024u, BN_num_bits(rsa->n));
739
740 rsa.reset(RSA_new());
741 ASSERT_TRUE(rsa);
742 ASSERT_TRUE(RSA_generate_key_ex(rsa.get(), 1152, e.get(), nullptr));
743 EXPECT_EQ(1152u, BN_num_bits(rsa->n));
744 }
745
TEST(RSATest,BlindingDisabled)746 TEST(RSATest, BlindingDisabled) {
747 bssl::UniquePtr<RSA> rsa(
748 RSA_private_key_from_bytes(kKey2, sizeof(kKey2)));
749 ASSERT_TRUE(rsa);
750
751 rsa->flags |= RSA_FLAG_NO_BLINDING;
752
753 std::vector<uint8_t> sig(RSA_size(rsa.get()));
754 static const uint8_t kZeros[32] = {0};
755 unsigned sig_len;
756 ASSERT_TRUE(RSA_sign(NID_sha256, kZeros, sizeof(kZeros), sig.data(), &sig_len,
757 rsa.get()));
758 EXPECT_TRUE(RSA_verify(NID_sha256, kZeros, sizeof(kZeros), sig.data(),
759 sig_len, rsa.get()));
760 }
761
TEST(RSATest,CheckKey)762 TEST(RSATest, CheckKey) {
763 static const char kN[] =
764 "b5a5651bc2e15ce31d789f0984053a2ea0cf8f964a78068c45acfdf078c57fd62d5a287c"
765 "32f3baa879f5dfea27d7a3077c9d3a2a728368c3d90164690c3d82f660ffebc7f13fed45"
766 "4eb5103df943c10dc32ec60b0d9b6e307bfd7f9b943e0dc3901e42501765365f7286eff2"
767 "f1f728774aa6a371e108a3a7dd00d7bcd4c1a186c2865d4b370ea38cc89c0b23b318dbca"
768 "fbd872b4f9b833dfb2a4ca7fcc23298020044e8130bfe930adfb3e5cab8d324547adf4b2"
769 "ce34d7cea4298f0b613d85f2bf1df03da44aee0784a1a20a15ee0c38a0f8e84962f1f61b"
770 "18bd43781c7385f3c2b8e2aebd3c560b4faad208ad3938bad27ddda9ed9e933dba088021"
771 "2dd9e28d";
772 static const char kE[] = "10001";
773 static const char kD[] =
774 "fb9c6afd9568ce5ddac8e6a32bb881eb6cdd962bbc639dce5805548bf0fec2214f18ffd3"
775 "6a50aa520cfe4477f9507d87355a24e3ff537f9f29ccffe5730b11896ebb9142982ed0df"
776 "9c32ba98dddab863f3e5aa764d16ebff4500d3ee11de12fabd7aeca83c7ffa5d242b3ddc"
777 "ecc64bcb5220996e79249a6d3f78975dfde769710569812dee59c0f56e4650d02a939d9c"
778 "853e2cba9b0c2447a8757951ae9a0336dfa64c3d5476df9b20f200cfb52e3fbd2d4e3f34"
779 "200b1171cbac367096f23366e74592025875efb6a7e3b1dd365abb0d86f34ee65ddbfa93"
780 "90460da0d346833d6aa6277c0216b20073ba2f18471549c309e82d12e10714d0e0dbf146"
781 "6fcd1f1";
782 static const char kP[] =
783 "edbe476fe8989f3966e72a20348ec6d8e924f44e1d9fa2c3485ea8a2ffd39f68574a5cef"
784 "ffbb92d6764789ac0f67149127239c2027fbc55b5268a1dac6588de44e614f3bdce00f0a"
785 "56d138800ad772d159a583c6548e37cadbfcf1b4ebfd50d01508986a516f36ed827b94ef"
786 "1f9b4e233bf5762b3a903d2dfbbbce1fba30e9f1";
787 static const char kQ[] =
788 "c398518790a166dbe50498f04940d14c87ded09313fb0f69f69255c688142802ba3d4f9e"
789 "f9425dadc462170635593c06a332cfc5fc9e6e1c05281950a5ce3bad4fd7cc83a38bd4ad"
790 "6865594275af424f47c64c04af1caab2e261e95b975097c887d587dc8150df34cbeccd7d"
791 "0688c392d9f1c617810043c9b93b884bf6ed465d";
792 static const char kDMP1[] =
793 "b44db5d1fa7e1d6ba44e36d59be6988a132f7294f7c484e543b27e84b82e9fdbbb2feb92"
794 "1cc9fe0fe63e54fc07e66e63b3623f5ae7d7fb124a4a8e4de4556eaf327e7c5ff3207e67"
795 "a1f624ba7efe6cd6b6fd5f160034a7bd92df9fd44d919d436260556f74793b181ff867b8"
796 "7ea9033697978e5a349d05b9250c86c3eb2a8391";
797 static const char kDMQ1[] =
798 "7c06d9240265264927a6cba80a7b4c7c9fe77d10d669abb38083f85a24adcb55376d6b50"
799 "9e34241cecdb5a483889f6132b672bf31aa607a242eed3669d4cf1f08b2186f0ae431bc0"
800 "3de38e3f234ad7dc57e1f9103b4e0d3bd36b4cc324671968322207bd9e4e7ecb06c888e0"
801 "cfc4e766f646665b3f14c0e7684ac4b98ec1948d";
802 static const char kIQMP[] =
803 "2887a5cb0c1bf6710e91c25da141dad92134a927431471c2d4a8b78036026d21182990e1"
804 "2c1d70635f07ee551383899365a69b33d4db23e5ff7371ff4244d2c3290ce2b91ac11adc"
805 "a54bb61ea5e64b9423102933ea100c12dad809fbf9589515e9d28e867f6b95c2d307f792"
806 "cac28c6d7d23f441cb5b62798233db29b5cc0348";
807
808 bssl::UniquePtr<RSA> rsa(RSA_new());
809 ASSERT_TRUE(rsa);
810
811 // Missing n or e does not pass.
812 ASSERT_TRUE(BN_hex2bn(&rsa->n, kN));
813 EXPECT_FALSE(RSA_check_key(rsa.get()));
814 ERR_clear_error();
815
816 BN_free(rsa->n);
817 rsa->n = nullptr;
818 ASSERT_TRUE(BN_hex2bn(&rsa->e, kE));
819 EXPECT_FALSE(RSA_check_key(rsa.get()));
820 ERR_clear_error();
821
822 // Public keys pass.
823 ASSERT_TRUE(BN_hex2bn(&rsa->n, kN));
824 EXPECT_TRUE(RSA_check_key(rsa.get()));
825
826 // Configuring d also passes.
827 ASSERT_TRUE(BN_hex2bn(&rsa->d, kD));
828 EXPECT_TRUE(RSA_check_key(rsa.get()));
829
830 // p and q must be provided together.
831 ASSERT_TRUE(BN_hex2bn(&rsa->p, kP));
832 EXPECT_FALSE(RSA_check_key(rsa.get()));
833 ERR_clear_error();
834
835 BN_free(rsa->p);
836 rsa->p = nullptr;
837 ASSERT_TRUE(BN_hex2bn(&rsa->q, kQ));
838 EXPECT_FALSE(RSA_check_key(rsa.get()));
839 ERR_clear_error();
840
841 // Supplying p and q without CRT parameters passes.
842 ASSERT_TRUE(BN_hex2bn(&rsa->p, kP));
843 EXPECT_TRUE(RSA_check_key(rsa.get()));
844
845 // With p and q together, it is sufficient to check d against e.
846 ASSERT_TRUE(BN_add_word(rsa->d, 1));
847 EXPECT_FALSE(RSA_check_key(rsa.get()));
848 ERR_clear_error();
849
850 // Test another invalid d. p-1 is divisible by 3, so there is no valid value
851 // of d here if e = 111. Set d to what extended GCD would have given if it
852 // forgot to check the inverse existed.
853 static const char kDBogus[] =
854 "140be923edb928cf4340a08ada19f23da680ff20275a81e033825ee8605afc3bf6039b87"
855 "f0ddc7ea3b95f214a6fdda1064d0c66b50ac7bfe8cfe6c85d3cd217ae6f5094cd72a39e5"
856 "a17a9ce43eae1ba5d7d8c3fb743d8cbcb3bcd74edd0b75fcca23a0b00bcea119864c0243"
857 "bf9ab32b25a4d73a1e062482f538055bc2258369353647d4325aec7a28dc1a6798e85fae"
858 "85850558868468d60015927cb10b2a893e23aa16b1f9278d4413f64d0a3122218f9000ae"
859 "cd8743b8e9e50bd9de81eebc4e0230d1f4f7bffc1e6f903606afba9ee694c2b40022f171"
860 "a760e7c63e736e31d7c7ff8b77dc206c2a3aa5afd540073060ebb9050bddce1ff1917630"
861 "47fff51d";
862 ASSERT_TRUE(BN_set_word(rsa->e, 111));
863 ASSERT_TRUE(BN_hex2bn(&rsa->d, kDBogus));
864 EXPECT_FALSE(RSA_check_key(rsa.get()));
865 ERR_clear_error();
866 ASSERT_TRUE(BN_hex2bn(&rsa->e, kE));
867
868 // d computed via the Euler totient rather than the Carmichael totient is also
869 // acceptable.
870 static const char kDEuler[] =
871 "3d231ff6ca0ee41ea50ab62c93bcd6aa5f01bd484e643b7ff6eb94c4dd414c17a0481a1c"
872 "4361f94f3f4d5c42098af09a527cf0d8dc96122ae8dd29189a4011d62f2bb40625d2e85f"
873 "4d706fb90c2e9bc9b00a0c2a28384a4c134f6d25c62d64a08fdf3f5e89a14d3daee46fda"
874 "8b4a2eda87cbb2735fd47290cb37bf65150edef854a28927ce5ac36d36107711cffb8ac3"
875 "2b090e409bb822b117744a9aabf878b8b1998d406337ec24cee3877795061c67322ac626"
876 "6c675a2cefe0f85f06b4d24eb6ad8e3fae7f218f5bd8ff2fb8bf8176d8527b0dfdaf8490"
877 "8f9bfaf3f37dcf8aa0211311bac07b1a478c3ed8a6369e5d5fc42b2afa93f5de8f520981"
878 "c62bbe81";
879 ASSERT_TRUE(BN_hex2bn(&rsa->d, kDEuler));
880 EXPECT_TRUE(RSA_check_key(rsa.get()));
881
882 // If d is completely out of range but otherwise valid, it is rejected.
883 static const char kDTooLarge[] =
884 "f2c885128cf04101c283553617c210d8ffd14cde98dc420c3c9892b55606cbedcda24298"
885 "7655b3f7b9433c2c316293a1cf1a2b034f197aeec1de8d81a67d94cc902b9fce1712d5a4"
886 "9c257ff705725cd77338d23535d3b87c8f4cecc15a6b72641ffd81aea106839d216b5fcd"
887 "7d415751d27255e540dd1638a8389721e9d0807d65d24d7b8c2f60e4b2c0bf250544ce68"
888 "b5ddbc1463d5a4638b2816b0f033dacdc0162f329af9e4d142352521fbd2fe14af824ef3"
889 "1601fe843c79cc3efbcb8eafd79262bdd25e2bdf21440f774e26d88ed7df938c5cf6982d"
890 "e9fa635b8ca36ce5c5fbd579a53cbb0348ceae752d4bc5621c5acc922ca2082494633337"
891 "42e770c1";
892 ASSERT_TRUE(BN_hex2bn(&rsa->d, kDTooLarge));
893 EXPECT_FALSE(RSA_check_key(rsa.get()));
894 ERR_clear_error();
895 ASSERT_TRUE(BN_hex2bn(&rsa->d, kD));
896
897 // CRT value must either all be provided or all missing.
898 ASSERT_TRUE(BN_hex2bn(&rsa->dmp1, kDMP1));
899 EXPECT_FALSE(RSA_check_key(rsa.get()));
900 ERR_clear_error();
901 BN_free(rsa->dmp1);
902 rsa->dmp1 = nullptr;
903
904 ASSERT_TRUE(BN_hex2bn(&rsa->dmq1, kDMQ1));
905 EXPECT_FALSE(RSA_check_key(rsa.get()));
906 ERR_clear_error();
907 BN_free(rsa->dmq1);
908 rsa->dmq1 = nullptr;
909
910 ASSERT_TRUE(BN_hex2bn(&rsa->iqmp, kIQMP));
911 EXPECT_FALSE(RSA_check_key(rsa.get()));
912 ERR_clear_error();
913
914 // The full key is accepted.
915 ASSERT_TRUE(BN_hex2bn(&rsa->dmp1, kDMP1));
916 ASSERT_TRUE(BN_hex2bn(&rsa->dmq1, kDMQ1));
917 EXPECT_TRUE(RSA_check_key(rsa.get()));
918
919 // Incorrect CRT values are rejected.
920 ASSERT_TRUE(BN_add_word(rsa->dmp1, 1));
921 EXPECT_FALSE(RSA_check_key(rsa.get()));
922 ERR_clear_error();
923 ASSERT_TRUE(BN_sub_word(rsa->dmp1, 1));
924
925 ASSERT_TRUE(BN_add_word(rsa->dmq1, 1));
926 EXPECT_FALSE(RSA_check_key(rsa.get()));
927 ERR_clear_error();
928 ASSERT_TRUE(BN_sub_word(rsa->dmq1, 1));
929
930 ASSERT_TRUE(BN_add_word(rsa->iqmp, 1));
931 EXPECT_FALSE(RSA_check_key(rsa.get()));
932 ERR_clear_error();
933 ASSERT_TRUE(BN_sub_word(rsa->iqmp, 1));
934
935 // Non-reduced CRT values are rejected.
936 ASSERT_TRUE(BN_add(rsa->dmp1, rsa->dmp1, rsa->p));
937 EXPECT_FALSE(RSA_check_key(rsa.get()));
938 ERR_clear_error();
939 ASSERT_TRUE(BN_sub(rsa->dmp1, rsa->dmp1, rsa->p));
940
941 ASSERT_TRUE(BN_add(rsa->dmq1, rsa->dmq1, rsa->q));
942 EXPECT_FALSE(RSA_check_key(rsa.get()));
943 ERR_clear_error();
944 ASSERT_TRUE(BN_sub(rsa->dmq1, rsa->dmq1, rsa->q));
945
946 ASSERT_TRUE(BN_add(rsa->iqmp, rsa->iqmp, rsa->p));
947 EXPECT_FALSE(RSA_check_key(rsa.get()));
948 ERR_clear_error();
949 ASSERT_TRUE(BN_sub(rsa->iqmp, rsa->iqmp, rsa->p));
950 }
951
TEST(RSATest,KeygenFail)952 TEST(RSATest, KeygenFail) {
953 bssl::UniquePtr<RSA> rsa(RSA_new());
954 ASSERT_TRUE(rsa);
955
956 // Cause RSA key generation after a prime has been generated, to test that
957 // |rsa| is left alone.
958 BN_GENCB cb;
959 BN_GENCB_set(&cb,
960 [](int event, int, BN_GENCB *) -> int { return event != 3; },
961 nullptr);
962
963 bssl::UniquePtr<BIGNUM> e(BN_new());
964 ASSERT_TRUE(e);
965 ASSERT_TRUE(BN_set_word(e.get(), RSA_F4));
966
967 // Key generation should fail.
968 EXPECT_FALSE(RSA_generate_key_ex(rsa.get(), 2048, e.get(), &cb));
969
970 // Failed key generations do not leave garbage in |rsa|.
971 EXPECT_FALSE(rsa->n);
972 EXPECT_FALSE(rsa->e);
973 EXPECT_FALSE(rsa->d);
974 EXPECT_FALSE(rsa->p);
975 EXPECT_FALSE(rsa->q);
976 EXPECT_FALSE(rsa->dmp1);
977 EXPECT_FALSE(rsa->dmq1);
978 EXPECT_FALSE(rsa->iqmp);
979 EXPECT_FALSE(rsa->mont_n);
980 EXPECT_FALSE(rsa->mont_p);
981 EXPECT_FALSE(rsa->mont_q);
982 EXPECT_FALSE(rsa->d_fixed);
983 EXPECT_FALSE(rsa->dmp1_fixed);
984 EXPECT_FALSE(rsa->dmq1_fixed);
985 EXPECT_FALSE(rsa->iqmp_mont);
986 EXPECT_FALSE(rsa->private_key_frozen);
987
988 // Failed key generations leave the previous contents alone.
989 EXPECT_TRUE(RSA_generate_key_ex(rsa.get(), 2048, e.get(), nullptr));
990 uint8_t *der;
991 size_t der_len;
992 ASSERT_TRUE(RSA_private_key_to_bytes(&der, &der_len, rsa.get()));
993 bssl::UniquePtr<uint8_t> delete_der(der);
994
995 EXPECT_FALSE(RSA_generate_key_ex(rsa.get(), 2048, e.get(), &cb));
996
997 uint8_t *der2;
998 size_t der2_len;
999 ASSERT_TRUE(RSA_private_key_to_bytes(&der2, &der2_len, rsa.get()));
1000 bssl::UniquePtr<uint8_t> delete_der2(der2);
1001 EXPECT_EQ(Bytes(der, der_len), Bytes(der2, der2_len));
1002
1003 // Generating a key over an existing key works, despite any cached state.
1004 EXPECT_TRUE(RSA_generate_key_ex(rsa.get(), 2048, e.get(), nullptr));
1005 EXPECT_TRUE(RSA_check_key(rsa.get()));
1006 uint8_t *der3;
1007 size_t der3_len;
1008 ASSERT_TRUE(RSA_private_key_to_bytes(&der3, &der3_len, rsa.get()));
1009 bssl::UniquePtr<uint8_t> delete_der3(der3);
1010 EXPECT_NE(Bytes(der, der_len), Bytes(der3, der3_len));
1011 }
1012
TEST(RSATest,KeygenFailOnce)1013 TEST(RSATest, KeygenFailOnce) {
1014 bssl::UniquePtr<RSA> rsa(RSA_new());
1015 ASSERT_TRUE(rsa);
1016
1017 // Cause only the first iteration of RSA key generation to fail.
1018 bool failed = false;
1019 BN_GENCB cb;
1020 BN_GENCB_set(&cb,
1021 [](int event, int n, BN_GENCB *cb_ptr) -> int {
1022 bool *failed_ptr = static_cast<bool *>(cb_ptr->arg);
1023 if (*failed_ptr) {
1024 ADD_FAILURE() << "Callback called multiple times.";
1025 return 1;
1026 }
1027 *failed_ptr = true;
1028 return 0;
1029 },
1030 &failed);
1031
1032 // Although key generation internally retries, the external behavior of
1033 // |BN_GENCB| is preserved.
1034 bssl::UniquePtr<BIGNUM> e(BN_new());
1035 ASSERT_TRUE(e);
1036 ASSERT_TRUE(BN_set_word(e.get(), RSA_F4));
1037 EXPECT_FALSE(RSA_generate_key_ex(rsa.get(), 2048, e.get(), &cb));
1038 }
1039
TEST(RSATest,KeygenInternalRetry)1040 TEST(RSATest, KeygenInternalRetry) {
1041 bssl::UniquePtr<RSA> rsa(RSA_new());
1042 ASSERT_TRUE(rsa);
1043
1044 // Simulate one internal attempt at key generation failing.
1045 bool failed = false;
1046 BN_GENCB cb;
1047 BN_GENCB_set(&cb,
1048 [](int event, int n, BN_GENCB *cb_ptr) -> int {
1049 bool *failed_ptr = static_cast<bool *>(cb_ptr->arg);
1050 if (*failed_ptr) {
1051 return 1;
1052 }
1053 *failed_ptr = true;
1054 // This test does not test any public API behavior. It is just
1055 // a hack to exercise the retry codepath and make sure it
1056 // works.
1057 OPENSSL_PUT_ERROR(RSA, RSA_R_TOO_MANY_ITERATIONS);
1058 return 0;
1059 },
1060 &failed);
1061
1062 // Key generation internally retries on RSA_R_TOO_MANY_ITERATIONS.
1063 bssl::UniquePtr<BIGNUM> e(BN_new());
1064 ASSERT_TRUE(e);
1065 ASSERT_TRUE(BN_set_word(e.get(), RSA_F4));
1066 EXPECT_TRUE(RSA_generate_key_ex(rsa.get(), 2048, e.get(), &cb));
1067 }
1068
1069 // Test that, after a key has been used, it can still be modified into another
1070 // key.
TEST(RSATest,OverwriteKey)1071 TEST(RSATest, OverwriteKey) {
1072 // Make a key and perform public and private key operations with it, so that
1073 // all derived values are filled in.
1074 bssl::UniquePtr<RSA> key1(RSA_private_key_from_bytes(kKey1, sizeof(kKey1)));
1075 ASSERT_TRUE(key1);
1076
1077 ASSERT_TRUE(RSA_check_key(key1.get()));
1078 size_t len;
1079 std::vector<uint8_t> ciphertext(RSA_size(key1.get()));
1080 ASSERT_TRUE(RSA_encrypt(key1.get(), &len, ciphertext.data(),
1081 ciphertext.size(), kPlaintext, sizeof(kPlaintext),
1082 RSA_PKCS1_OAEP_PADDING));
1083 ciphertext.resize(len);
1084
1085 std::vector<uint8_t> plaintext(RSA_size(key1.get()));
1086 ASSERT_TRUE(RSA_decrypt(key1.get(), &len, plaintext.data(),
1087 plaintext.size(), ciphertext.data(), ciphertext.size(),
1088 RSA_PKCS1_OAEP_PADDING));
1089 plaintext.resize(len);
1090 EXPECT_EQ(Bytes(plaintext), Bytes(kPlaintext));
1091
1092 // Overwrite |key1| with the contents of |key2|.
1093 bssl::UniquePtr<RSA> key2(RSA_private_key_from_bytes(kKey2, sizeof(kKey2)));
1094 ASSERT_TRUE(key2);
1095
1096 auto copy_rsa_fields = [](RSA *dst, const RSA *src) {
1097 bssl::UniquePtr<BIGNUM> n(BN_dup(RSA_get0_n(src)));
1098 ASSERT_TRUE(n);
1099 bssl::UniquePtr<BIGNUM> e(BN_dup(RSA_get0_e(src)));
1100 ASSERT_TRUE(e);
1101 bssl::UniquePtr<BIGNUM> d(BN_dup(RSA_get0_d(src)));
1102 ASSERT_TRUE(d);
1103 bssl::UniquePtr<BIGNUM> p(BN_dup(RSA_get0_p(src)));
1104 ASSERT_TRUE(p);
1105 bssl::UniquePtr<BIGNUM> q(BN_dup(RSA_get0_q(src)));
1106 ASSERT_TRUE(q);
1107 bssl::UniquePtr<BIGNUM> dmp1(BN_dup(RSA_get0_dmp1(src)));
1108 ASSERT_TRUE(dmp1);
1109 bssl::UniquePtr<BIGNUM> dmq1(BN_dup(RSA_get0_dmq1(src)));
1110 ASSERT_TRUE(dmq1);
1111 bssl::UniquePtr<BIGNUM> iqmp(BN_dup(RSA_get0_iqmp(src)));
1112 ASSERT_TRUE(iqmp);
1113 ASSERT_TRUE(RSA_set0_key(dst, n.release(), e.release(), d.release()));
1114 ASSERT_TRUE(RSA_set0_factors(dst, p.release(), q.release()));
1115 ASSERT_TRUE(RSA_set0_crt_params(dst, dmp1.release(), dmq1.release(),
1116 iqmp.release()));
1117 };
1118 ASSERT_NO_FATAL_FAILURE(copy_rsa_fields(key1.get(), key2.get()));
1119
1120 auto check_rsa_compatible = [&](RSA *enc, RSA *dec) {
1121 ciphertext.resize(RSA_size(enc));
1122 ASSERT_TRUE(RSA_encrypt(enc, &len, ciphertext.data(), ciphertext.size(),
1123 kPlaintext, sizeof(kPlaintext),
1124 RSA_PKCS1_OAEP_PADDING));
1125 ciphertext.resize(len);
1126
1127 plaintext.resize(RSA_size(dec));
1128 ASSERT_TRUE(RSA_decrypt(dec, &len, plaintext.data(),
1129 plaintext.size(), ciphertext.data(),
1130 ciphertext.size(), RSA_PKCS1_OAEP_PADDING));
1131 plaintext.resize(len);
1132 EXPECT_EQ(Bytes(plaintext), Bytes(kPlaintext));
1133 };
1134
1135 ASSERT_NO_FATAL_FAILURE(
1136 check_rsa_compatible(/*enc=*/key1.get(), /*dec=*/key2.get()));
1137 ASSERT_NO_FATAL_FAILURE(
1138 check_rsa_compatible(/*enc=*/key2.get(), /*dec=*/key1.get()));
1139
1140 // If we generate a new key on top of |key1|, it should be usable and
1141 // self-consistent. We test this by making a new key with the same parameters
1142 // and checking they behave the same.
1143 ASSERT_TRUE(
1144 RSA_generate_key_ex(key1.get(), 1024, RSA_get0_e(key2.get()), nullptr));
1145 EXPECT_NE(0, BN_cmp(RSA_get0_n(key1.get()), RSA_get0_n(key2.get())));
1146
1147 key2.reset(RSA_new());
1148 ASSERT_TRUE(key2);
1149 ASSERT_NO_FATAL_FAILURE(copy_rsa_fields(key2.get(), key1.get()));
1150 ASSERT_NO_FATAL_FAILURE(
1151 check_rsa_compatible(/*enc=*/key1.get(), /*dec=*/key2.get()));
1152 ASSERT_NO_FATAL_FAILURE(
1153 check_rsa_compatible(/*enc=*/key2.get(), /*dec=*/key1.get()));
1154 }
1155
1156 // Test that RSA keys do not support operations will cleanly fail them.
TEST(RSATest,MissingParameters)1157 TEST(RSATest, MissingParameters) {
1158 bssl::UniquePtr<RSA> sample(RSA_private_key_from_bytes(kKey1, sizeof(kKey1)));
1159 ASSERT_TRUE(sample);
1160
1161 // Make a sample signature.
1162 const uint8_t kZeros[32] = {0};
1163 std::vector<uint8_t> sig(RSA_size(sample.get()));
1164 unsigned len_u;
1165 ASSERT_TRUE(RSA_sign(NID_sha256, kZeros, sizeof(kZeros), sig.data(), &len_u,
1166 sample.get()));
1167 sig.resize(len_u);
1168
1169 // A public key cannot perform private key operations.
1170 bssl::UniquePtr<RSA> rsa(
1171 RSA_new_public_key(RSA_get0_n(sample.get()), RSA_get0_e(sample.get())));
1172 ASSERT_TRUE(rsa);
1173
1174 std::vector<uint8_t> out(RSA_size(sample.get()));
1175 EXPECT_FALSE(RSA_sign(NID_sha256, kZeros, sizeof(kZeros), out.data(), &len_u,
1176 rsa.get()));
1177 EXPECT_TRUE(ErrorEquals(ERR_get_error(), ERR_LIB_RSA, RSA_R_VALUE_MISSING));
1178
1179 size_t len;
1180 EXPECT_FALSE(RSA_decrypt(rsa.get(), &len, out.data(), out.size(),
1181 kOAEPCiphertext1, sizeof(kOAEPCiphertext1),
1182 RSA_PKCS1_OAEP_PADDING));
1183 EXPECT_TRUE(ErrorEquals(ERR_get_error(), ERR_LIB_RSA, RSA_R_VALUE_MISSING));
1184
1185 // A private key without e cannot perform public key operations.
1186 rsa.reset(RSA_new_private_key_no_e(RSA_get0_n(sample.get()),
1187 RSA_get0_d(sample.get())));
1188 ASSERT_TRUE(rsa);
1189
1190 EXPECT_FALSE(RSA_verify(NID_sha256, kZeros, sizeof(kZeros), sig.data(),
1191 sig.size(), rsa.get()));
1192 EXPECT_TRUE(ErrorEquals(ERR_get_error(), ERR_LIB_RSA, RSA_R_VALUE_MISSING));
1193
1194 EXPECT_FALSE(RSA_encrypt(rsa.get(), &len, out.data(), out.size(), kPlaintext,
1195 sizeof(kPlaintext), RSA_PKCS1_OAEP_PADDING));
1196 EXPECT_TRUE(ErrorEquals(ERR_get_error(), ERR_LIB_RSA, RSA_R_VALUE_MISSING));
1197 }
1198
TEST(RSATest,Negative)1199 TEST(RSATest, Negative) {
1200 auto dup_neg = [](const BIGNUM *bn) -> bssl::UniquePtr<BIGNUM> {
1201 bssl::UniquePtr<BIGNUM> ret(BN_dup(bn));
1202 if (!ret) {
1203 return nullptr;
1204 }
1205 BN_set_negative(ret.get(), 1);
1206 return ret;
1207 };
1208
1209 bssl::UniquePtr<RSA> key(
1210 RSA_private_key_from_bytes(kKey1, sizeof(kKey1)));
1211 ASSERT_TRUE(key);
1212 const BIGNUM *n = RSA_get0_n(key.get());
1213 bssl::UniquePtr<BIGNUM> neg_n = dup_neg(n);
1214 ASSERT_TRUE(neg_n);
1215 const BIGNUM *e = RSA_get0_e(key.get());
1216 bssl::UniquePtr<BIGNUM> neg_e = dup_neg(e);
1217 ASSERT_TRUE(neg_e);
1218 const BIGNUM *d = RSA_get0_d(key.get());
1219 bssl::UniquePtr<BIGNUM> neg_d = dup_neg(d);
1220 ASSERT_TRUE(neg_d);
1221 const BIGNUM *p = RSA_get0_p(key.get());
1222 bssl::UniquePtr<BIGNUM> neg_p = dup_neg(p);
1223 ASSERT_TRUE(neg_p);
1224 const BIGNUM *q = RSA_get0_q(key.get());
1225 bssl::UniquePtr<BIGNUM> neg_q = dup_neg(q);
1226 ASSERT_TRUE(neg_q);
1227 const BIGNUM *dmp1 = RSA_get0_dmp1(key.get());
1228 bssl::UniquePtr<BIGNUM> neg_dmp1 = dup_neg(dmp1);
1229 ASSERT_TRUE(neg_dmp1);
1230 const BIGNUM *dmq1 = RSA_get0_dmq1(key.get());
1231 bssl::UniquePtr<BIGNUM> neg_dmq1 = dup_neg(dmq1);
1232 ASSERT_TRUE(neg_dmq1);
1233 const BIGNUM *iqmp = RSA_get0_iqmp(key.get());
1234 bssl::UniquePtr<BIGNUM> neg_iqmp = dup_neg(iqmp);
1235 ASSERT_TRUE(neg_iqmp);
1236
1237 EXPECT_FALSE(RSA_new_public_key(neg_n.get(), e));
1238 EXPECT_FALSE(RSA_new_public_key(n, neg_e.get()));
1239 EXPECT_FALSE(RSA_new_private_key(neg_n.get(), e, d, p, q, dmp1, dmq1, iqmp));
1240 EXPECT_FALSE(RSA_new_private_key(n, neg_e.get(), d, p, q, dmp1, dmq1, iqmp));
1241 EXPECT_FALSE(RSA_new_private_key(n, e, neg_d.get(), p, q, dmp1, dmq1, iqmp));
1242 EXPECT_FALSE(RSA_new_private_key(n, e, d, neg_p.get(), q, dmp1, dmq1, iqmp));
1243 EXPECT_FALSE(RSA_new_private_key(n, e, d, p, neg_q.get(), dmp1, dmq1, iqmp));
1244 EXPECT_FALSE(RSA_new_private_key(n, e, d, p, q, neg_dmp1.get(), dmq1, iqmp));
1245 EXPECT_FALSE(RSA_new_private_key(n, e, d, p, q, dmp1, neg_dmq1.get(), iqmp));
1246 EXPECT_FALSE(RSA_new_private_key(n, e, d, p, q, dmp1, dmq1, neg_iqmp.get()));
1247 }
1248
TEST(RSATest,LargeE)1249 TEST(RSATest, LargeE) {
1250 // Test an RSA key with large e by swapping d and e in kKey1.
1251 // Since e is small, e mod (p-1) and e mod (q-1) will simply be e.
1252 bssl::UniquePtr<RSA> key(RSA_private_key_from_bytes(kKey1, sizeof(kKey1)));
1253 ASSERT_TRUE(key);
1254 const BIGNUM *n = RSA_get0_n(key.get());
1255 const BIGNUM *e = RSA_get0_e(key.get());
1256 const BIGNUM *d = RSA_get0_d(key.get());
1257 const BIGNUM *p = RSA_get0_p(key.get());
1258 const BIGNUM *q = RSA_get0_q(key.get());
1259 const BIGNUM *iqmp = RSA_get0_iqmp(key.get());
1260
1261 // By default, the large exponent is not allowed as e.
1262 bssl::UniquePtr<RSA> pub(RSA_new_public_key(n, /*e=*/d));
1263 EXPECT_FALSE(pub);
1264 bssl::UniquePtr<RSA> priv(RSA_new_private_key(n, /*e=*/d, /*d=*/e, p, q,
1265 /*dmp1=*/e, /*dmq1=*/e, iqmp));
1266 EXPECT_FALSE(priv);
1267
1268 // Constructing such a key piecemeal also would not work. This was only
1269 // possible with private APIs, so when |RSA| is opaque, this case will be
1270 // impossible.
1271 priv.reset(RSA_new());
1272 ASSERT_TRUE(priv);
1273 priv->n = BN_dup(n);
1274 ASSERT_TRUE(priv->n);
1275 priv->e = BN_dup(d); // Swapped
1276 ASSERT_TRUE(priv->e);
1277 priv->d = BN_dup(e);
1278 ASSERT_TRUE(priv->d);
1279
1280 static const uint8_t kDigest[32] = {0};
1281 std::vector<uint8_t> sig(RSA_size(priv.get()));
1282 size_t len;
1283 EXPECT_FALSE(RSA_sign_pss_mgf1(priv.get(), &len, sig.data(), sig.size(),
1284 kDigest, sizeof(kDigest), EVP_sha256(),
1285 EVP_sha256(), /*salt_len=*/32));
1286
1287 // But the "large e" APIs tolerate it.
1288 pub.reset(RSA_new_public_key_large_e(n, /*e=*/d));
1289 ASSERT_TRUE(pub);
1290 priv.reset(RSA_new_private_key_large_e(n, /*e=*/d, /*d=*/e, p, q, /*dmp1=*/e,
1291 /*dmq1=*/e, iqmp));
1292 ASSERT_TRUE(priv);
1293
1294 // Test that operations work correctly.
1295 sig.resize(RSA_size(priv.get()));
1296 ASSERT_TRUE(RSA_sign_pss_mgf1(priv.get(), &len, sig.data(), sig.size(),
1297 kDigest, sizeof(kDigest), EVP_sha256(),
1298 EVP_sha256(), /*salt_len=*/32));
1299 sig.resize(len);
1300
1301 EXPECT_TRUE(RSA_verify_pss_mgf1(pub.get(), kDigest, sizeof(kDigest),
1302 EVP_sha256(), EVP_sha256(), /*salt_len=*/32,
1303 sig.data(), sig.size()));
1304
1305 // e = 1 is still invalid.
1306 EXPECT_FALSE(RSA_new_public_key_large_e(n, BN_value_one()));
1307
1308 // e must still be odd.
1309 bssl::UniquePtr<BIGNUM> bad_e(BN_dup(d));
1310 ASSERT_TRUE(bad_e);
1311 ASSERT_TRUE(BN_add_word(bad_e.get(), 1));
1312 EXPECT_FALSE(RSA_new_public_key_large_e(n, bad_e.get()));
1313
1314 // e must still be bounded by n.
1315 bad_e.reset(BN_dup(n));
1316 ASSERT_TRUE(bad_e);
1317 ASSERT_TRUE(BN_add_word(bad_e.get(), 2)); // Preserve parity.
1318 EXPECT_FALSE(RSA_new_public_key_large_e(n, bad_e.get()));
1319 }
1320
1321 // Test minimum key limits on RSA keys. Currently, we require a minimum of
1322 // 512-bit RSA.
1323 //
1324 // TODO(crbug.com/boringssl/607): Raise this limit. 512-bit RSA was factored in
1325 // 1999.
TEST(RSATest,SmallKey)1326 TEST(RSATest, SmallKey) {
1327 static const uint8_t kRSA511Private[] = {
1328 0x30, 0x82, 0x01, 0x39, 0x02, 0x01, 0x00, 0x02, 0x40, 0x56, 0xc1, 0x3d,
1329 0xb3, 0x4f, 0xe4, 0xe9, 0x2f, 0x29, 0x8a, 0xd3, 0xe2, 0xfe, 0xb3, 0x3b,
1330 0x88, 0x02, 0x8b, 0xdd, 0x44, 0xb5, 0x41, 0x4b, 0x43, 0x97, 0x93, 0x75,
1331 0x78, 0x4b, 0x10, 0x30, 0x88, 0xce, 0xd2, 0x32, 0xe3, 0x9e, 0xda, 0x68,
1332 0xc9, 0xc3, 0xcd, 0xa1, 0xde, 0xbc, 0x4a, 0xeb, 0x37, 0x60, 0xd2, 0x82,
1333 0x2f, 0x5d, 0x21, 0x3b, 0x88, 0x0e, 0x12, 0x44, 0x4d, 0x5d, 0x44, 0xc1,
1334 0x9d, 0x02, 0x03, 0x01, 0x00, 0x01, 0x02, 0x40, 0x08, 0xe5, 0xf5, 0x30,
1335 0x29, 0x27, 0xaf, 0x8b, 0x38, 0xd5, 0x96, 0x7a, 0x17, 0xe9, 0xc6, 0x57,
1336 0x62, 0xfb, 0x79, 0x8c, 0x8c, 0x92, 0xcf, 0xe7, 0x74, 0xea, 0x99, 0x07,
1337 0xe7, 0x9b, 0x17, 0x7f, 0x30, 0x9f, 0x86, 0x55, 0x15, 0x8d, 0xe6, 0xa8,
1338 0x0d, 0x7b, 0x42, 0x41, 0x27, 0x18, 0x29, 0x55, 0xb1, 0x08, 0x07, 0x2a,
1339 0x4e, 0x67, 0x19, 0x9c, 0xe3, 0xe4, 0x84, 0xd6, 0x82, 0x62, 0xd4, 0x81,
1340 0x02, 0x21, 0x00, 0xcd, 0x5a, 0x9b, 0x23, 0x3d, 0xb5, 0x9c, 0x56, 0xbc,
1341 0xc5, 0x56, 0xcf, 0x77, 0x58, 0xc0, 0x62, 0x72, 0xa0, 0x85, 0x77, 0xf4,
1342 0xc3, 0xf8, 0x47, 0x6d, 0xc0, 0x8f, 0x18, 0x77, 0xee, 0xf1, 0xad, 0x02,
1343 0x20, 0x6c, 0x26, 0xaa, 0x8a, 0xaf, 0x7b, 0x9f, 0x35, 0x19, 0x08, 0xc2,
1344 0xa0, 0x9f, 0x4e, 0x9e, 0x62, 0x48, 0xb1, 0x7c, 0x0e, 0x68, 0x63, 0x0d,
1345 0x05, 0x76, 0x73, 0x0a, 0xa0, 0xb3, 0xed, 0x6d, 0xb1, 0x02, 0x21, 0x00,
1346 0xc2, 0x26, 0x1c, 0xb0, 0xa7, 0xe2, 0x31, 0x4a, 0x4c, 0x34, 0xe2, 0xcb,
1347 0x49, 0x51, 0xce, 0xaa, 0x05, 0x27, 0xc0, 0xa8, 0x55, 0xf0, 0x85, 0xa6,
1348 0xba, 0x9c, 0x28, 0x6e, 0x00, 0xce, 0x17, 0x0d, 0x02, 0x20, 0x65, 0x51,
1349 0xb0, 0x11, 0xaf, 0x26, 0xbc, 0x57, 0x4d, 0x35, 0xb4, 0xc8, 0x2f, 0x96,
1350 0xc2, 0xb0, 0xc6, 0xf3, 0x67, 0x8a, 0x43, 0xe7, 0x0f, 0xaa, 0xdf, 0x76,
1351 0x15, 0x2d, 0xca, 0x82, 0x93, 0x71, 0x02, 0x21, 0x00, 0x9e, 0x89, 0x74,
1352 0x15, 0x7e, 0x73, 0x43, 0xa0, 0x1e, 0xa9, 0xa5, 0x9f, 0xad, 0xf1, 0xa0,
1353 0xfa, 0x13, 0x86, 0x10, 0x3f, 0xb0, 0xba, 0x3f, 0x45, 0x87, 0x13, 0x02,
1354 0x86, 0xa4, 0xa4, 0x31, 0x92};
1355 static const uint8_t kRSA511Public[] = {
1356 0x30, 0x47, 0x02, 0x40, 0x56, 0xc1, 0x3d, 0xb3, 0x4f, 0xe4, 0xe9,
1357 0x2f, 0x29, 0x8a, 0xd3, 0xe2, 0xfe, 0xb3, 0x3b, 0x88, 0x02, 0x8b,
1358 0xdd, 0x44, 0xb5, 0x41, 0x4b, 0x43, 0x97, 0x93, 0x75, 0x78, 0x4b,
1359 0x10, 0x30, 0x88, 0xce, 0xd2, 0x32, 0xe3, 0x9e, 0xda, 0x68, 0xc9,
1360 0xc3, 0xcd, 0xa1, 0xde, 0xbc, 0x4a, 0xeb, 0x37, 0x60, 0xd2, 0x82,
1361 0x2f, 0x5d, 0x21, 0x3b, 0x88, 0x0e, 0x12, 0x44, 0x4d, 0x5d, 0x44,
1362 0xc1, 0x9d, 0x02, 0x03, 0x01, 0x00, 0x01};
1363 static const uint8_t kRSA512Private[] = {
1364 0x30, 0x82, 0x01, 0x3a, 0x02, 0x01, 0x00, 0x02, 0x41, 0x00, 0xa5, 0x44,
1365 0x8f, 0x3d, 0xa2, 0x0b, 0x20, 0xc6, 0xac, 0x10, 0xc1, 0x27, 0x11, 0xf0,
1366 0x43, 0x5d, 0x05, 0xb7, 0x0f, 0x80, 0x3b, 0x9b, 0x85, 0xf1, 0x7a, 0x0e,
1367 0xbd, 0x72, 0xed, 0x8a, 0xdc, 0xa1, 0xaa, 0xd4, 0x53, 0xcb, 0x65, 0x78,
1368 0x4b, 0x30, 0x6b, 0x52, 0x51, 0xee, 0xcd, 0x2f, 0x90, 0x7b, 0xd1, 0x9c,
1369 0xe9, 0x79, 0x98, 0x58, 0xe3, 0x47, 0x35, 0xa7, 0xcd, 0x6a, 0x71, 0x38,
1370 0xb5, 0x0d, 0x02, 0x03, 0x01, 0x00, 0x01, 0x02, 0x41, 0x00, 0x94, 0x24,
1371 0x82, 0xa9, 0xe2, 0xa9, 0x4a, 0xf6, 0x0b, 0xa2, 0xf1, 0x21, 0x0e, 0x89,
1372 0x6a, 0x38, 0xe6, 0x38, 0x93, 0xe2, 0x84, 0x8c, 0x02, 0x62, 0xd4, 0xe0,
1373 0x85, 0x9d, 0x91, 0xa4, 0xd9, 0xe3, 0x77, 0x6c, 0x26, 0x85, 0xf6, 0x2e,
1374 0x0a, 0xe4, 0x18, 0x73, 0x06, 0x9a, 0xea, 0xde, 0x78, 0x65, 0xba, 0x7a,
1375 0xdb, 0xc0, 0x3b, 0xf7, 0x29, 0x1e, 0x43, 0xed, 0xaf, 0xf5, 0xaf, 0xa8,
1376 0xdf, 0x01, 0x02, 0x21, 0x00, 0xdb, 0x93, 0x05, 0x2d, 0xf3, 0xdf, 0xe4,
1377 0x31, 0xef, 0x50, 0xc7, 0x54, 0x0f, 0x08, 0x5d, 0x50, 0x42, 0xfa, 0xb9,
1378 0x20, 0x37, 0x98, 0xd3, 0xc0, 0x64, 0x2f, 0xb6, 0xe4, 0xb2, 0xfe, 0xe5,
1379 0x6d, 0x02, 0x21, 0x00, 0xc0, 0xaf, 0x3a, 0x1f, 0xd9, 0xba, 0x5a, 0x6a,
1380 0xc2, 0x80, 0x2e, 0x7b, 0x65, 0x3d, 0x8a, 0x76, 0xae, 0x4b, 0x5a, 0xff,
1381 0x7a, 0x9a, 0x5e, 0xc2, 0xfa, 0x07, 0xfb, 0x2d, 0x0c, 0x16, 0x6a, 0x21,
1382 0x02, 0x20, 0x06, 0xf3, 0xb9, 0xb7, 0x41, 0xc0, 0x75, 0xfe, 0x2a, 0xc0,
1383 0x98, 0xff, 0x0d, 0x56, 0xcb, 0x75, 0x8e, 0x19, 0x58, 0x21, 0x30, 0x01,
1384 0x73, 0xba, 0xe4, 0xb1, 0x2a, 0x0e, 0x45, 0xa8, 0x92, 0x65, 0x02, 0x20,
1385 0x25, 0xcd, 0xbb, 0x3f, 0xa8, 0x7e, 0x11, 0x63, 0x44, 0xc9, 0xd5, 0x54,
1386 0xcc, 0x66, 0x28, 0x96, 0x64, 0x57, 0xd0, 0x80, 0xb3, 0x53, 0x3a, 0x28,
1387 0x52, 0xd9, 0xe2, 0x03, 0xd2, 0x8d, 0x4b, 0x41, 0x02, 0x20, 0x09, 0x30,
1388 0xd9, 0xfd, 0xad, 0x31, 0x1a, 0x38, 0xb7, 0x71, 0x06, 0xed, 0x49, 0xa6,
1389 0xe2, 0xec, 0x42, 0xc2, 0x8e, 0xe9, 0xec, 0xf7, 0x3e, 0xb7, 0x4a, 0x5e,
1390 0x2e, 0xa2, 0x7a, 0x8d, 0xa4, 0x95};
1391 static const uint8_t kRSA512Public[] = {
1392 0x30, 0x48, 0x02, 0x41, 0x00, 0xa5, 0x44, 0x8f, 0x3d, 0xa2, 0x0b,
1393 0x20, 0xc6, 0xac, 0x10, 0xc1, 0x27, 0x11, 0xf0, 0x43, 0x5d, 0x05,
1394 0xb7, 0x0f, 0x80, 0x3b, 0x9b, 0x85, 0xf1, 0x7a, 0x0e, 0xbd, 0x72,
1395 0xed, 0x8a, 0xdc, 0xa1, 0xaa, 0xd4, 0x53, 0xcb, 0x65, 0x78, 0x4b,
1396 0x30, 0x6b, 0x52, 0x51, 0xee, 0xcd, 0x2f, 0x90, 0x7b, 0xd1, 0x9c,
1397 0xe9, 0x79, 0x98, 0x58, 0xe3, 0x47, 0x35, 0xa7, 0xcd, 0x6a, 0x71,
1398 0x38, 0xb5, 0x0d, 0x02, 0x03, 0x01, 0x00, 0x01};
1399
1400 bssl::UniquePtr<RSA> rsa(
1401 RSA_public_key_from_bytes(kRSA511Public, sizeof(kRSA511Public)));
1402 EXPECT_FALSE(rsa);
1403 rsa.reset(RSA_private_key_from_bytes(kRSA511Private, sizeof(kRSA511Private)));
1404 EXPECT_FALSE(rsa);
1405
1406 rsa.reset(RSA_public_key_from_bytes(kRSA512Public, sizeof(kRSA512Public)));
1407 EXPECT_TRUE(rsa);
1408 rsa.reset(RSA_private_key_from_bytes(kRSA512Private, sizeof(kRSA512Private)));
1409 EXPECT_TRUE(rsa);
1410 }
1411
1412 #if !defined(BORINGSSL_SHARED_LIBRARY)
TEST(RSATest,SqrtTwo)1413 TEST(RSATest, SqrtTwo) {
1414 bssl::UniquePtr<BIGNUM> sqrt(BN_new()), pow2(BN_new());
1415 bssl::UniquePtr<BN_CTX> ctx(BN_CTX_new());
1416 ASSERT_TRUE(sqrt);
1417 ASSERT_TRUE(pow2);
1418 ASSERT_TRUE(ctx);
1419
1420 size_t bits = kBoringSSLRSASqrtTwoLen * BN_BITS2;
1421 ASSERT_TRUE(BN_one(pow2.get()));
1422 ASSERT_TRUE(BN_lshift(pow2.get(), pow2.get(), 2 * bits - 1));
1423
1424 // Check that sqrt² < pow2.
1425 ASSERT_TRUE(
1426 bn_set_words(sqrt.get(), kBoringSSLRSASqrtTwo, kBoringSSLRSASqrtTwoLen));
1427 ASSERT_TRUE(BN_sqr(sqrt.get(), sqrt.get(), ctx.get()));
1428 EXPECT_LT(BN_cmp(sqrt.get(), pow2.get()), 0);
1429
1430 // Check that pow2 < (sqrt + 1)².
1431 ASSERT_TRUE(
1432 bn_set_words(sqrt.get(), kBoringSSLRSASqrtTwo, kBoringSSLRSASqrtTwoLen));
1433 ASSERT_TRUE(BN_add_word(sqrt.get(), 1));
1434 ASSERT_TRUE(BN_sqr(sqrt.get(), sqrt.get(), ctx.get()));
1435 EXPECT_LT(BN_cmp(pow2.get(), sqrt.get()), 0);
1436
1437 // Check the kBoringSSLRSASqrtTwo is sized for a 4096-bit RSA key.
1438 EXPECT_EQ(4096u / 2u, bits);
1439 }
1440 #endif // !BORINGSSL_SHARED_LIBRARY
1441
1442 #if defined(OPENSSL_THREADS)
TEST(RSATest,Threads)1443 TEST(RSATest, Threads) {
1444 bssl::UniquePtr<RSA> rsa_template(
1445 RSA_private_key_from_bytes(kKey1, sizeof(kKey1)));
1446 ASSERT_TRUE(rsa_template);
1447
1448 const uint8_t kDummyHash[32] = {0};
1449 std::vector<uint8_t> sig(RSA_size(rsa_template.get()));
1450 unsigned sig_len;
1451 EXPECT_TRUE(RSA_sign(NID_sha256, kDummyHash, sizeof(kDummyHash), sig.data(),
1452 &sig_len, rsa_template.get()));
1453 sig.resize(sig_len);
1454
1455 // RSA keys may be assembled piece-meal and then used in parallel between
1456 // threads, which requires internal locking to create some derived properties.
1457 bssl::UniquePtr<RSA> rsa(RSA_new());
1458 rsa->n = BN_dup(rsa_template->n);
1459 ASSERT_TRUE(rsa->n);
1460 rsa->e = BN_dup(rsa_template->e);
1461 ASSERT_TRUE(rsa->e);
1462 rsa->d = BN_dup(rsa_template->d);
1463 ASSERT_TRUE(rsa->d);
1464 rsa->p = BN_dup(rsa_template->p);
1465 ASSERT_TRUE(rsa->p);
1466 rsa->q = BN_dup(rsa_template->q);
1467 ASSERT_TRUE(rsa->q);
1468 rsa->dmp1 = BN_dup(rsa_template->dmp1);
1469 ASSERT_TRUE(rsa->dmp1);
1470 rsa->dmq1 = BN_dup(rsa_template->dmq1);
1471 ASSERT_TRUE(rsa->dmq1);
1472 rsa->iqmp = BN_dup(rsa_template->iqmp);
1473 ASSERT_TRUE(rsa->iqmp);
1474
1475 // Each of these operations must be safe to do concurrently on different
1476 // threads.
1477 auto raw_access = [&] { EXPECT_EQ(0, BN_cmp(rsa->d, rsa_template->d)); };
1478 auto getter = [&] {
1479 const BIGNUM *d;
1480 RSA_get0_key(rsa.get(), nullptr, nullptr, &d);
1481 EXPECT_EQ(0, BN_cmp(d, rsa_template->d));
1482 };
1483 auto sign = [&] {
1484 std::vector<uint8_t> sig2(RSA_size(rsa.get()));
1485 unsigned sig2_len;
1486 EXPECT_TRUE(RSA_sign(NID_sha256, kDummyHash, sizeof(kDummyHash),
1487 sig2.data(), &sig2_len, rsa.get()));
1488 sig2.resize(sig2_len);
1489 // RSASSA-PKCS1-v1_5 is deterministic.
1490 EXPECT_EQ(Bytes(sig), Bytes(sig2));
1491 };
1492 auto verify = [&] {
1493 EXPECT_TRUE(RSA_verify(NID_sha256, kDummyHash, sizeof(kDummyHash),
1494 sig.data(), sig.size(), rsa.get()));
1495 };
1496
1497 std::vector<std::thread> threads;
1498 threads.emplace_back(raw_access);
1499 threads.emplace_back(raw_access);
1500 threads.emplace_back(getter);
1501 threads.emplace_back(getter);
1502 threads.emplace_back(sign);
1503 threads.emplace_back(sign);
1504 threads.emplace_back(verify);
1505 threads.emplace_back(verify);
1506 for (auto &thread : threads) {
1507 thread.join();
1508 }
1509 }
1510
1511 // This test might be excessively slow on slower CPUs or platforms that do not
1512 // expect server workloads. It is disabled by default and reenabled on some
1513 // platforms when running tests standalone via all_tests.go.
1514 //
1515 // Additionally, even when running disabled tests standalone, limit this to
1516 // x86_64. On other platforms, this test hits resource limits or is too slow. We
1517 // also disable on FreeBSD. See https://crbug.com/boringssl/603.
1518 #if defined(OPENSSL_TSAN) || \
1519 (defined(OPENSSL_X86_64) && !defined(OPENSSL_FREEBSD))
TEST(RSATest,DISABLED_BlindingCacheConcurrency)1520 TEST(RSATest, DISABLED_BlindingCacheConcurrency) {
1521 bssl::UniquePtr<RSA> rsa(RSA_private_key_from_bytes(kKey1, sizeof(kKey1)));
1522 ASSERT_TRUE(rsa);
1523
1524 #if defined(OPENSSL_TSAN)
1525 constexpr size_t kSignaturesPerThread = 10;
1526 constexpr size_t kNumThreads = 10;
1527 #else
1528 constexpr size_t kSignaturesPerThread = 100;
1529 constexpr size_t kNumThreads = 2048;
1530 #endif
1531
1532 const uint8_t kDummyHash[32] = {0};
1533 auto worker = [&] {
1534 std::vector<uint8_t> sig(RSA_size(rsa.get()));
1535 for (size_t i = 0; i < kSignaturesPerThread; i++) {
1536 unsigned sig_len = sig.size();
1537 EXPECT_TRUE(RSA_sign(NID_sha256, kDummyHash, sizeof(kDummyHash),
1538 sig.data(), &sig_len, rsa.get()));
1539 }
1540 };
1541
1542 std::vector<std::thread> threads;
1543 threads.reserve(kNumThreads);
1544 for (size_t i = 0; i < kNumThreads; i++) {
1545 threads.emplace_back(worker);
1546 }
1547 for (auto &thread : threads) {
1548 thread.join();
1549 }
1550 }
1551 #endif // TSAN || (X86_64 && !FREEBSD)
1552
1553 #endif // THREADS
1554