1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.] */
56
57 #include <openssl/rsa.h>
58
59 #include <stdlib.h>
60 #include <string.h>
61
62 #include <gtest/gtest.h>
63
64 #include <openssl/bn.h>
65 #include <openssl/bytestring.h>
66 #include <openssl/crypto.h>
67 #include <openssl/err.h>
68 #include <openssl/nid.h>
69
70 #include "../fipsmodule/bn/internal.h"
71 #include "../fipsmodule/rsa/internal.h"
72 #include "../internal.h"
73 #include "../test/test_util.h"
74
75 #if defined(OPENSSL_THREADS)
76 #include <thread>
77 #include <vector>
78 #endif
79
80
81 // kPlaintext is a sample plaintext.
82 static const uint8_t kPlaintext[] = "\x54\x85\x9b\x34\x2c\x49\xea\x2a";
83 static const size_t kPlaintextLen = sizeof(kPlaintext) - 1;
84
85 // kKey1 is a DER-encoded RSAPrivateKey.
86 static const uint8_t kKey1[] =
87 "\x30\x82\x01\x38\x02\x01\x00\x02\x41\x00\xaa\x36\xab\xce\x88\xac\xfd\xff"
88 "\x55\x52\x3c\x7f\xc4\x52\x3f\x90\xef\xa0\x0d\xf3\x77\x4a\x25\x9f\x2e\x62"
89 "\xb4\xc5\xd9\x9c\xb5\xad\xb3\x00\xa0\x28\x5e\x53\x01\x93\x0e\x0c\x70\xfb"
90 "\x68\x76\x93\x9c\xe6\x16\xce\x62\x4a\x11\xe0\x08\x6d\x34\x1e\xbc\xac\xa0"
91 "\xa1\xf5\x02\x01\x11\x02\x40\x0a\x03\x37\x48\x62\x64\x87\x69\x5f\x5f\x30"
92 "\xbc\x38\xb9\x8b\x44\xc2\xcd\x2d\xff\x43\x40\x98\xcd\x20\xd8\xa1\x38\xd0"
93 "\x90\xbf\x64\x79\x7c\x3f\xa7\xa2\xcd\xcb\x3c\xd1\xe0\xbd\xba\x26\x54\xb4"
94 "\xf9\xdf\x8e\x8a\xe5\x9d\x73\x3d\x9f\x33\xb3\x01\x62\x4a\xfd\x1d\x51\x02"
95 "\x21\x00\xd8\x40\xb4\x16\x66\xb4\x2e\x92\xea\x0d\xa3\xb4\x32\x04\xb5\xcf"
96 "\xce\x33\x52\x52\x4d\x04\x16\xa5\xa4\x41\xe7\x00\xaf\x46\x12\x0d\x02\x21"
97 "\x00\xc9\x7f\xb1\xf0\x27\xf4\x53\xf6\x34\x12\x33\xea\xaa\xd1\xd9\x35\x3f"
98 "\x6c\x42\xd0\x88\x66\xb1\xd0\x5a\x0f\x20\x35\x02\x8b\x9d\x89\x02\x20\x59"
99 "\x0b\x95\x72\xa2\xc2\xa9\xc4\x06\x05\x9d\xc2\xab\x2f\x1d\xaf\xeb\x7e\x8b"
100 "\x4f\x10\xa7\x54\x9e\x8e\xed\xf5\xb4\xfc\xe0\x9e\x05\x02\x21\x00\x8e\x3c"
101 "\x05\x21\xfe\x15\xe0\xea\x06\xa3\x6f\xf0\xf1\x0c\x99\x52\xc3\x5b\x7a\x75"
102 "\x14\xfd\x32\x38\xb8\x0a\xad\x52\x98\x62\x8d\x51\x02\x20\x36\x3f\xf7\x18"
103 "\x9d\xa8\xe9\x0b\x1d\x34\x1f\x71\xd0\x9b\x76\xa8\xa9\x43\xe1\x1d\x10\xb2"
104 "\x4d\x24\x9f\x2d\xea\xfe\xf8\x0c\x18\x26";
105
106 // kFIPSKey is a DER-encoded RSAPrivateKey that is FIPS-compliant.
107 static const uint8_t kFIPSKey[] =
108 "\x30\x82\x02\x5c\x02\x01\x00\x02\x81\x81\x00\xa1\x71\x90\x77\x86\x8a\xc7"
109 "\xb8\xfc\x2a\x45\x82\x6d\xee\xeb\x35\x3a\x18\x3f\xb6\xb0\x1e\xb1\xd3\x09"
110 "\x6b\x05\x4d\xec\x1c\x37\x6f\x09\x31\x32\xda\x21\x8a\x49\x0e\x16\x28\xed"
111 "\x9a\x30\xf3\x14\x53\xfd\x5b\xb0\xf6\x4a\x5d\x52\xe1\xda\xe1\x40\x6e\x65"
112 "\xbf\xca\x45\xd9\x62\x96\x4a\x1e\x11\xc4\x61\x83\x1f\x58\x8d\x5e\xd0\x12"
113 "\xaf\xa5\xec\x9b\x97\x2f\x6c\xb2\x82\x4a\x73\xd0\xd3\x9a\xc9\x69\x6b\x24"
114 "\x3c\x82\x6f\xee\x4d\x0c\x7e\xdf\xd7\xae\xea\x3a\xeb\x04\x27\x8d\x43\x81"
115 "\x59\xa7\x90\x56\xc1\x69\x42\xb3\xaf\x1c\x8d\x4e\xbf\x02\x03\x01\x00\x01"
116 "\x02\x81\x80\x60\x82\xcd\x44\x46\xcf\xeb\xf9\x6f\xf5\xad\x3b\xfd\x90\x18"
117 "\x57\xe7\x74\xdb\x91\xd0\xd3\x68\xa6\xaa\x38\xaa\x21\x1d\x06\xf9\x34\x8d"
118 "\xa0\x35\xb0\x24\xe0\xd0\x2f\x75\x9b\xdd\xfe\x91\x48\x9f\x5c\x5e\x57\x54"
119 "\x00\xc8\x0f\xe6\x1e\x52\x84\xd9\xc9\xa5\x55\xf4\x0a\xbe\x88\x46\x7a\xfb"
120 "\x18\x37\x8e\xe6\x6e\xa2\x5f\x80\x48\x34\x3f\x5c\xbe\x0e\x1e\xe8\x2f\x50"
121 "\xba\x14\x96\x3c\xea\xfb\xd2\x49\x33\xdc\x12\xb8\xa7\x8a\xb5\x27\xf9\x00"
122 "\x4b\xf5\xd2\x2a\xd0\x2c\x1d\x9b\xd5\x6c\x3e\x4b\xb9\x7e\x39\xf7\x3e\x39"
123 "\xc9\x47\x5e\xbe\x91\x02\x41\x00\xcd\x33\xcf\x37\x01\xd7\x59\xcc\xbe\xa0"
124 "\x1c\xb9\xf5\xe7\x44\x9f\x62\x91\xa7\xa7\x7b\x0c\x52\xcd\x7e\xe6\x31\x11"
125 "\x8b\xd8\x2c\x8a\x63\xe1\x07\xc9\xcb\xce\x01\x45\x63\xf5\x5d\x44\xfb\xeb"
126 "\x8d\x74\x16\x20\x7d\x3b\xb4\xa1\x61\xb0\xa8\x29\x51\xc9\xef\xb6\xa1\xd5"
127 "\x02\x41\x00\xc9\x68\xa6\xd3\x88\xd5\x49\x9d\x6b\x44\x96\xfd\xbf\x66\x27"
128 "\xb4\x1f\x90\x76\x86\x2f\xe2\xce\x20\x5d\xee\x9b\xeb\xc4\xb4\x62\x47\x79"
129 "\x99\xb1\x99\xbc\xa2\xa6\xb6\x96\x64\xd5\x77\x9b\x45\xd4\xf0\x99\xb5\x9e"
130 "\x61\x4d\xf5\x12\xdd\x84\x14\xaf\x1e\xdd\x83\x24\x43\x02\x40\x60\x29\x7f"
131 "\x59\xcf\xcb\x13\x92\x17\x63\x01\x13\x44\x61\x74\x8f\x1c\xaa\x15\x5f\x2f"
132 "\x12\xbf\x5a\xfd\xb4\xf2\x19\xbe\xe7\x37\x38\x43\x46\x19\x58\x3f\xe1\xf2"
133 "\x46\x8a\x69\x59\xa4\x12\x4a\x78\xa7\x86\x17\x03\x99\x0f\x34\xf1\x8a\xcf"
134 "\xc3\x4d\x48\xcc\xc5\x51\x61\x02\x41\x00\xc2\x12\xb3\x5d\xf5\xe5\xff\xcf"
135 "\x4e\x43\x83\x72\xf2\xf1\x4e\xa4\xc4\x1d\x81\xf7\xff\x40\x7e\xfa\xb5\x48"
136 "\x6c\xba\x1c\x8a\xec\x80\x8e\xed\xc8\x32\xa9\x8f\xd9\x30\xeb\x6e\x32\x3b"
137 "\xd4\x44\xcf\xd1\x1f\x6b\xe0\x37\x46\xd5\x35\xde\x79\x9d\x2c\xb9\x83\x1d"
138 "\x10\xdd\x02\x40\x0f\x14\x95\x96\xa0\xe2\x6c\xd4\x88\xa7\x0b\x82\x14\x10"
139 "\xad\x26\x0d\xe4\xa1\x5e\x01\x3d\x21\xd2\xfb\x0e\xf9\x58\xa5\xca\x1e\x21"
140 "\xb3\xf5\x9a\x6c\x3d\x5a\x72\xb1\x2d\xfe\xac\x09\x4f\xdd\xe5\x44\xd1\x4e"
141 "\xf8\x59\x85\x3a\x65\xe2\xcd\xbc\x27\x1d\x9b\x48\x9f\xb9";
142
143 static const uint8_t kFIPSPublicKey[] =
144 "\x30\x81\x89\x02\x81\x81\x00\xa1\x71\x90\x77\x86\x8a\xc7\xb8\xfc\x2a\x45"
145 "\x82\x6d\xee\xeb\x35\x3a\x18\x3f\xb6\xb0\x1e\xb1\xd3\x09\x6b\x05\x4d\xec"
146 "\x1c\x37\x6f\x09\x31\x32\xda\x21\x8a\x49\x0e\x16\x28\xed\x9a\x30\xf3\x14"
147 "\x53\xfd\x5b\xb0\xf6\x4a\x5d\x52\xe1\xda\xe1\x40\x6e\x65\xbf\xca\x45\xd9"
148 "\x62\x96\x4a\x1e\x11\xc4\x61\x83\x1f\x58\x8d\x5e\xd0\x12\xaf\xa5\xec\x9b"
149 "\x97\x2f\x6c\xb2\x82\x4a\x73\xd0\xd3\x9a\xc9\x69\x6b\x24\x3c\x82\x6f\xee"
150 "\x4d\x0c\x7e\xdf\xd7\xae\xea\x3a\xeb\x04\x27\x8d\x43\x81\x59\xa7\x90\x56"
151 "\xc1\x69\x42\xb3\xaf\x1c\x8d\x4e\xbf\x02\x03\x01\x00\x01";
152
153 // kOAEPCiphertext1 is a sample encryption of |kPlaintext| with |kKey1| using
154 // RSA OAEP.
155 static const uint8_t kOAEPCiphertext1[] =
156 "\x1b\x8f\x05\xf9\xca\x1a\x79\x52\x6e\x53\xf3\xcc\x51\x4f\xdb\x89\x2b\xfb"
157 "\x91\x93\x23\x1e\x78\xb9\x92\xe6\x8d\x50\xa4\x80\xcb\x52\x33\x89\x5c\x74"
158 "\x95\x8d\x5d\x02\xab\x8c\x0f\xd0\x40\xeb\x58\x44\xb0\x05\xc3\x9e\xd8\x27"
159 "\x4a\x9d\xbf\xa8\x06\x71\x40\x94\x39\xd2";
160
161 // kKey2 is a DER-encoded RSAPrivateKey.
162 static const uint8_t kKey2[] =
163 "\x30\x81\xfb\x02\x01\x00\x02\x33\x00\xa3\x07\x9a\x90\xdf\x0d\xfd\x72\xac"
164 "\x09\x0c\xcc\x2a\x78\xb8\x74\x13\x13\x3e\x40\x75\x9c\x98\xfa\xf8\x20\x4f"
165 "\x35\x8a\x0b\x26\x3c\x67\x70\xe7\x83\xa9\x3b\x69\x71\xb7\x37\x79\xd2\x71"
166 "\x7b\xe8\x34\x77\xcf\x02\x01\x03\x02\x32\x6c\xaf\xbc\x60\x94\xb3\xfe\x4c"
167 "\x72\xb0\xb3\x32\xc6\xfb\x25\xa2\xb7\x62\x29\x80\x4e\x68\x65\xfc\xa4\x5a"
168 "\x74\xdf\x0f\x8f\xb8\x41\x3b\x52\xc0\xd0\xe5\x3d\x9b\x59\x0f\xf1\x9b\xe7"
169 "\x9f\x49\xdd\x21\xe5\xeb\x02\x1a\x00\xcf\x20\x35\x02\x8b\x9d\x86\x98\x40"
170 "\xb4\x16\x66\xb4\x2e\x92\xea\x0d\xa3\xb4\x32\x04\xb5\xcf\xce\x91\x02\x1a"
171 "\x00\xc9\x7f\xb1\xf0\x27\xf4\x53\xf6\x34\x12\x33\xea\xaa\xd1\xd9\x35\x3f"
172 "\x6c\x42\xd0\x88\x66\xb1\xd0\x5f\x02\x1a\x00\x8a\x15\x78\xac\x5d\x13\xaf"
173 "\x10\x2b\x22\xb9\x99\xcd\x74\x61\xf1\x5e\x6d\x22\xcc\x03\x23\xdf\xdf\x0b"
174 "\x02\x1a\x00\x86\x55\x21\x4a\xc5\x4d\x8d\x4e\xcd\x61\x77\xf1\xc7\x36\x90"
175 "\xce\x2a\x48\x2c\x8b\x05\x99\xcb\xe0\x3f\x02\x1a\x00\x83\xef\xef\xb8\xa9"
176 "\xa4\x0d\x1d\xb6\xed\x98\xad\x84\xed\x13\x35\xdc\xc1\x08\xf3\x22\xd0\x57"
177 "\xcf\x8d";
178
179 // kOAEPCiphertext2 is a sample encryption of |kPlaintext| with |kKey2| using
180 // RSA OAEP.
181 static const uint8_t kOAEPCiphertext2[] =
182 "\x14\xbd\xdd\x28\xc9\x83\x35\x19\x23\x80\xe8\xe5\x49\xb1\x58\x2a\x8b\x40"
183 "\xb4\x48\x6d\x03\xa6\xa5\x31\x1f\x1f\xd5\xf0\xa1\x80\xe4\x17\x53\x03\x29"
184 "\xa9\x34\x90\x74\xb1\x52\x13\x54\x29\x08\x24\x52\x62\x51";
185
186 // kKey3 is a DER-encoded RSAPrivateKey.
187 static const uint8_t kKey3[] =
188 "\x30\x82\x02\x5b\x02\x01\x00\x02\x81\x81\x00\xbb\xf8\x2f\x09\x06\x82\xce"
189 "\x9c\x23\x38\xac\x2b\x9d\xa8\x71\xf7\x36\x8d\x07\xee\xd4\x10\x43\xa4\x40"
190 "\xd6\xb6\xf0\x74\x54\xf5\x1f\xb8\xdf\xba\xaf\x03\x5c\x02\xab\x61\xea\x48"
191 "\xce\xeb\x6f\xcd\x48\x76\xed\x52\x0d\x60\xe1\xec\x46\x19\x71\x9d\x8a\x5b"
192 "\x8b\x80\x7f\xaf\xb8\xe0\xa3\xdf\xc7\x37\x72\x3e\xe6\xb4\xb7\xd9\x3a\x25"
193 "\x84\xee\x6a\x64\x9d\x06\x09\x53\x74\x88\x34\xb2\x45\x45\x98\x39\x4e\xe0"
194 "\xaa\xb1\x2d\x7b\x61\xa5\x1f\x52\x7a\x9a\x41\xf6\xc1\x68\x7f\xe2\x53\x72"
195 "\x98\xca\x2a\x8f\x59\x46\xf8\xe5\xfd\x09\x1d\xbd\xcb\x02\x01\x11\x02\x81"
196 "\x81\x00\xa5\xda\xfc\x53\x41\xfa\xf2\x89\xc4\xb9\x88\xdb\x30\xc1\xcd\xf8"
197 "\x3f\x31\x25\x1e\x06\x68\xb4\x27\x84\x81\x38\x01\x57\x96\x41\xb2\x94\x10"
198 "\xb3\xc7\x99\x8d\x6b\xc4\x65\x74\x5e\x5c\x39\x26\x69\xd6\x87\x0d\xa2\xc0"
199 "\x82\xa9\x39\xe3\x7f\xdc\xb8\x2e\xc9\x3e\xda\xc9\x7f\xf3\xad\x59\x50\xac"
200 "\xcf\xbc\x11\x1c\x76\xf1\xa9\x52\x94\x44\xe5\x6a\xaf\x68\xc5\x6c\x09\x2c"
201 "\xd3\x8d\xc3\xbe\xf5\xd2\x0a\x93\x99\x26\xed\x4f\x74\xa1\x3e\xdd\xfb\xe1"
202 "\xa1\xce\xcc\x48\x94\xaf\x94\x28\xc2\xb7\xb8\x88\x3f\xe4\x46\x3a\x4b\xc8"
203 "\x5b\x1c\xb3\xc1\x02\x41\x00\xee\xcf\xae\x81\xb1\xb9\xb3\xc9\x08\x81\x0b"
204 "\x10\xa1\xb5\x60\x01\x99\xeb\x9f\x44\xae\xf4\xfd\xa4\x93\xb8\x1a\x9e\x3d"
205 "\x84\xf6\x32\x12\x4e\xf0\x23\x6e\x5d\x1e\x3b\x7e\x28\xfa\xe7\xaa\x04\x0a"
206 "\x2d\x5b\x25\x21\x76\x45\x9d\x1f\x39\x75\x41\xba\x2a\x58\xfb\x65\x99\x02"
207 "\x41\x00\xc9\x7f\xb1\xf0\x27\xf4\x53\xf6\x34\x12\x33\xea\xaa\xd1\xd9\x35"
208 "\x3f\x6c\x42\xd0\x88\x66\xb1\xd0\x5a\x0f\x20\x35\x02\x8b\x9d\x86\x98\x40"
209 "\xb4\x16\x66\xb4\x2e\x92\xea\x0d\xa3\xb4\x32\x04\xb5\xcf\xce\x33\x52\x52"
210 "\x4d\x04\x16\xa5\xa4\x41\xe7\x00\xaf\x46\x15\x03\x02\x40\x54\x49\x4c\xa6"
211 "\x3e\xba\x03\x37\xe4\xe2\x40\x23\xfc\xd6\x9a\x5a\xeb\x07\xdd\xdc\x01\x83"
212 "\xa4\xd0\xac\x9b\x54\xb0\x51\xf2\xb1\x3e\xd9\x49\x09\x75\xea\xb7\x74\x14"
213 "\xff\x59\xc1\xf7\x69\x2e\x9a\x2e\x20\x2b\x38\xfc\x91\x0a\x47\x41\x74\xad"
214 "\xc9\x3c\x1f\x67\xc9\x81\x02\x40\x47\x1e\x02\x90\xff\x0a\xf0\x75\x03\x51"
215 "\xb7\xf8\x78\x86\x4c\xa9\x61\xad\xbd\x3a\x8a\x7e\x99\x1c\x5c\x05\x56\xa9"
216 "\x4c\x31\x46\xa7\xf9\x80\x3f\x8f\x6f\x8a\xe3\x42\xe9\x31\xfd\x8a\xe4\x7a"
217 "\x22\x0d\x1b\x99\xa4\x95\x84\x98\x07\xfe\x39\xf9\x24\x5a\x98\x36\xda\x3d"
218 "\x02\x41\x00\xb0\x6c\x4f\xda\xbb\x63\x01\x19\x8d\x26\x5b\xdb\xae\x94\x23"
219 "\xb3\x80\xf2\x71\xf7\x34\x53\x88\x50\x93\x07\x7f\xcd\x39\xe2\x11\x9f\xc9"
220 "\x86\x32\x15\x4f\x58\x83\xb1\x67\xa9\x67\xbf\x40\x2b\x4e\x9e\x2e\x0f\x96"
221 "\x56\xe6\x98\xea\x36\x66\xed\xfb\x25\x79\x80\x39\xf7";
222
223 // kOAEPCiphertext3 is a sample encryption of |kPlaintext| with |kKey3| using
224 // RSA OAEP.
225 static const uint8_t kOAEPCiphertext3[] =
226 "\xb8\x24\x6b\x56\xa6\xed\x58\x81\xae\xb5\x85\xd9\xa2\x5b\x2a\xd7\x90\xc4"
227 "\x17\xe0\x80\x68\x1b\xf1\xac\x2b\xc3\xde\xb6\x9d\x8b\xce\xf0\xc4\x36\x6f"
228 "\xec\x40\x0a\xf0\x52\xa7\x2e\x9b\x0e\xff\xb5\xb3\xf2\xf1\x92\xdb\xea\xca"
229 "\x03\xc1\x27\x40\x05\x71\x13\xbf\x1f\x06\x69\xac\x22\xe9\xf3\xa7\x85\x2e"
230 "\x3c\x15\xd9\x13\xca\xb0\xb8\x86\x3a\x95\xc9\x92\x94\xce\x86\x74\x21\x49"
231 "\x54\x61\x03\x46\xf4\xd4\x74\xb2\x6f\x7c\x48\xb4\x2e\xe6\x8e\x1f\x57\x2a"
232 "\x1f\xc4\x02\x6a\xc4\x56\xb4\xf5\x9f\x7b\x62\x1e\xa1\xb9\xd8\x8f\x64\x20"
233 "\x2f\xb1";
234
235 static const uint8_t kTwoPrimeKey[] =
236 "\x30\x82\x04\xa1\x02\x01\x00\x02\x82\x01\x01\x00\x93\x3a\x4f\xc9\x6a\x0a"
237 "\x6b\x28\x04\xfa\xb7\x05\x56\xdf\xa0\xaa\x4f\xaa\xab\x94\xa0\xa9\x25\xef"
238 "\xc5\x96\xd2\xd4\x66\x16\x62\x2c\x13\x7b\x91\xd0\x36\x0a\x10\x11\x6d\x7a"
239 "\x91\xb6\xe4\x74\x57\xc1\x3d\x7a\xbe\x24\x05\x3a\x04\x0b\x73\x91\x53\xb1"
240 "\x74\x10\xe1\x87\xdc\x91\x28\x9c\x1e\xe5\xf2\xb9\xfc\xa2\x48\x34\xb6\x78"
241 "\xed\x6d\x95\xfb\xf2\xc0\x4e\x1c\xa4\x15\x00\x3c\x8a\x68\x2b\xd6\xce\xd5"
242 "\xb3\x9f\x66\x02\xa7\x0d\x08\xa3\x23\x9b\xe5\x36\x96\x13\x22\xf9\x69\xa6"
243 "\x87\x88\x9b\x85\x3f\x83\x9c\xab\x1a\x1b\x6d\x8d\x16\xf4\x5e\xbd\xee\x4b"
244 "\x59\x56\xf8\x9d\x58\xcd\xd2\x83\x85\x59\x43\x84\x63\x4f\xe6\x1a\x86\x66"
245 "\x0d\xb5\xa0\x87\x89\xb6\x13\x82\x43\xda\x34\x92\x3b\x68\xc4\x95\x71\x2f"
246 "\x15\xc2\xe0\x43\x67\x3c\x08\x00\x36\x10\xc3\xb4\x46\x4c\x4e\x6e\xf5\x44"
247 "\xa9\x04\x44\x9d\xce\xc7\x05\x79\xee\x11\xcf\xaf\x2c\xd7\x9a\x32\xd3\xa5"
248 "\x30\xd4\x3a\x78\x43\x37\x74\x22\x90\x24\x04\x11\xd7\x95\x08\x52\xa4\x71"
249 "\x41\x68\x94\xb0\xa0\xc3\xec\x4e\xd2\xc4\x30\x71\x98\x64\x9c\xe3\x7c\x76"
250 "\xef\x33\xa3\x2b\xb1\x87\x63\xd2\x5c\x09\xfc\x90\x2d\x92\xf4\x57\x02\x01"
251 "\x03\x02\x82\x01\x00\x62\x26\xdf\xdb\x9c\x06\xf2\x1a\xad\xfc\x7a\x03\x8f"
252 "\x3f\xc0\x71\x8a\x71\xc7\xb8\x6b\x1b\x6e\x9f\xd9\x0f\x37\x38\x44\x0e\xec"
253 "\x1d\x62\x52\x61\x35\x79\x5c\x0a\xb6\x48\xfc\x61\x24\x98\x4d\x8f\xd6\x28"
254 "\xfc\x7e\xc2\xae\x26\xad\x5c\xf7\xb6\x37\xcb\xa2\xb5\xeb\xaf\xe8\x60\xc5"
255 "\xbd\x69\xee\xa1\xd1\x53\x16\xda\xcd\xce\xfb\x48\xf3\xb9\x52\xa1\xd5\x89"
256 "\x68\x6d\x63\x55\x7d\xb1\x9a\xc7\xe4\x89\xe3\xcd\x14\xee\xac\x6f\x5e\x05"
257 "\xc2\x17\xbd\x43\x79\xb9\x62\x17\x50\xf1\x19\xaf\xb0\x67\xae\x2a\x57\xbd"
258 "\xc7\x66\xbc\xf3\xb3\x64\xa1\xe3\x16\x74\x9e\xea\x02\x5c\xab\x94\xd8\x97"
259 "\x02\x42\x0c\x2c\xba\x54\xb9\xaf\xe0\x45\x93\xad\x7f\xb3\x10\x6a\x96\x50"
260 "\x4b\xaf\xcf\xc8\x27\x62\x2d\x83\xe9\x26\xc6\x94\xc1\xef\x5c\x8e\x06\x42"
261 "\x53\xe5\x56\xaf\xc2\x99\x01\xaa\x9a\x71\xbc\xe8\x21\x33\x2a\x2d\xa3\x36"
262 "\xac\x1b\x86\x19\xf8\xcd\x1f\x80\xa4\x26\x98\xb8\x9f\x62\x62\xd5\x1a\x7f"
263 "\xee\xdb\xdf\x81\xd3\x21\xdb\x33\x92\xee\xff\xe2\x2f\x32\x77\x73\x6a\x58"
264 "\xab\x21\xf3\xe3\xe1\xbc\x4f\x12\x72\xa6\xb5\xc2\xfb\x27\x9e\xc8\xca\xab"
265 "\x64\xa0\x87\x07\x9d\xef\xca\x0f\xdb\x02\x81\x81\x00\xe6\xd3\x4d\xc0\xa1"
266 "\x91\x0e\x62\xfd\xb0\xdd\xc6\x30\xb8\x8c\xcb\x14\xc1\x4b\x69\x30\xdd\xcd"
267 "\x86\x67\xcb\x37\x14\xc5\x03\xd2\xb4\x69\xab\x3d\xe5\x16\x81\x0f\xe5\x50"
268 "\xf4\x18\xb1\xec\xbc\x71\xe9\x80\x99\x06\xe4\xa3\xfe\x44\x84\x4a\x2d\x1e"
269 "\x07\x7f\x22\x70\x6d\x4f\xd4\x93\x0b\x8b\x99\xce\x1e\xab\xcd\x4c\xd2\xd3"
270 "\x10\x47\x5c\x09\x9f\x6d\x82\xc0\x08\x75\xe3\x3d\x83\xc2\x19\x50\x29\xec"
271 "\x1f\x84\x29\xcc\xf1\x56\xee\xbd\x54\x5d\xe6\x19\xdf\x0d\x1c\xa4\xbb\x0a"
272 "\xfe\x84\x44\x29\x1d\xf9\x5c\x80\x96\x5b\x24\xb4\xf7\x02\x1b\x02\x81\x81"
273 "\x00\xa3\x48\xf1\x9c\x58\xc2\x5f\x38\xfb\xd8\x12\x39\xf1\x8e\x73\xa1\xcf"
274 "\x78\x12\xe0\xed\x2a\xbb\xef\xac\x23\xb2\xbf\xd6\x0c\xe9\x6e\x1e\xab\xea"
275 "\x3f\x68\x36\xa7\x1f\xe5\xab\xe0\x86\xa5\x76\x32\x98\xdd\x75\xb5\x2b\xbc"
276 "\xcb\x8a\x03\x00\x7c\x2e\xca\xf8\xbc\x19\xe4\xe3\xa3\x31\xbd\x1d\x20\x2b"
277 "\x09\xad\x6f\x4c\xed\x48\xd4\xdf\x87\xf9\xf0\x46\xb9\x86\x4c\x4b\x71\xe7"
278 "\x48\x78\xdc\xed\xc7\x82\x02\x44\xd3\xa6\xb3\x10\x5f\x62\x81\xfc\xb8\xe4"
279 "\x0e\xf4\x1a\xdd\xab\x3f\xbc\x63\x79\x5b\x39\x69\x5e\xea\xa9\x15\xfe\x90"
280 "\xec\xda\x75\x02\x81\x81\x00\x99\xe2\x33\xd5\xc1\x0b\x5e\xec\xa9\x20\x93"
281 "\xd9\x75\xd0\x5d\xdc\xb8\x80\xdc\xf0\xcb\x3e\x89\x04\x45\x32\x24\xb8\x83"
282 "\x57\xe1\xcd\x9b\xc7\x7e\x98\xb9\xab\x5f\xee\x35\xf8\x10\x76\x9d\xd2\xf6"
283 "\x9b\xab\x10\xaf\x43\x17\xfe\xd8\x58\x31\x73\x69\x5a\x54\xc1\xa0\x48\xdf"
284 "\xe3\x0c\xb2\x5d\x11\x34\x14\x72\x88\xdd\xe1\xe2\x0a\xda\x3d\x5b\xbf\x9e"
285 "\x57\x2a\xb0\x4e\x97\x7e\x57\xd6\xbb\x8a\xc6\x9d\x6a\x58\x1b\xdd\xf6\x39"
286 "\xf4\x7e\x38\x3e\x99\x66\x94\xb3\x68\x6d\xd2\x07\x54\x58\x2d\x70\xbe\xa6"
287 "\x3d\xab\x0e\xe7\x6d\xcd\xfa\x01\x67\x02\x81\x80\x6c\xdb\x4b\xbd\x90\x81"
288 "\x94\xd0\xa7\xe5\x61\x7b\xf6\x5e\xf7\xc1\x34\xfa\xb7\x40\x9e\x1c\x7d\x4a"
289 "\x72\xc2\x77\x2a\x8e\xb3\x46\x49\x69\xc7\xf1\x7f\x9a\xcf\x1a\x15\x43\xc7"
290 "\xeb\x04\x6e\x4e\xcc\x65\xe8\xf9\x23\x72\x7d\xdd\x06\xac\xaa\xfd\x74\x87"
291 "\x50\x7d\x66\x98\x97\xc2\x21\x28\xbe\x15\x72\x06\x73\x9f\x88\x9e\x30\x8d"
292 "\xea\x5a\xa6\xa0\x2f\x26\x59\x88\x32\x4b\xef\x85\xa5\xe8\x9e\x85\x01\x56"
293 "\xd8\x8d\x19\xcc\xb5\x94\xec\x56\xa8\x7b\x42\xb4\xa2\xbc\x93\xc7\x7f\xd2"
294 "\xec\xfb\x92\x26\x46\x3f\x47\x1b\x63\xff\x0b\x48\x91\xa3\x02\x81\x80\x2c"
295 "\x4a\xb9\xa4\x46\x7b\xff\x50\x7e\xbf\x60\x47\x3b\x2b\x66\x82\xdc\x0e\x53"
296 "\x65\x71\xe9\xda\x2a\xb8\x32\x93\x42\xb7\xff\xea\x67\x66\xf1\xbc\x87\x28"
297 "\x65\x29\x79\xca\xab\x93\x56\xda\x95\xc1\x26\x44\x3d\x27\xc1\x91\xc6\x9b"
298 "\xd9\xec\x9d\xb7\x49\xe7\x16\xee\x99\x87\x50\x95\x81\xd4\x5c\x5b\x5a\x5d"
299 "\x0a\x43\xa5\xa7\x8f\x5a\x80\x49\xa0\xb7\x10\x85\xc7\xf4\x42\x34\x86\xb6"
300 "\x5f\x3f\x88\x9e\xc7\xf5\x59\x29\x39\x68\x48\xf2\xd7\x08\x5b\x92\x8e\x6b"
301 "\xea\xa5\x63\x5f\xc0\xfb\xe4\xe1\xb2\x7d\xb7\x40\xe9\x55\x06\xbf\x58\x25"
302 "\x6f";
303
304 static const uint8_t kTwoPrimeEncryptedMessage[] = {
305 0x63, 0x0a, 0x30, 0x45, 0x43, 0x11, 0x45, 0xb7, 0x99, 0x67, 0x90, 0x35,
306 0x37, 0x27, 0xff, 0xbc, 0xe0, 0xbf, 0xa6, 0xd1, 0x47, 0x50, 0xbb, 0x6c,
307 0x1c, 0xaa, 0x66, 0xf2, 0xff, 0x9d, 0x9a, 0xa6, 0xb4, 0x16, 0x63, 0xb0,
308 0xa1, 0x7c, 0x7c, 0x0c, 0xef, 0xb3, 0x66, 0x52, 0x42, 0xd7, 0x5e, 0xf3,
309 0xa4, 0x15, 0x33, 0x40, 0x43, 0xe8, 0xb1, 0xfc, 0xe0, 0x42, 0x83, 0x46,
310 0x28, 0xce, 0xde, 0x7b, 0x01, 0xeb, 0x28, 0x92, 0x70, 0xdf, 0x8d, 0x54,
311 0x9e, 0xed, 0x23, 0xb4, 0x78, 0xc3, 0xca, 0x85, 0x53, 0x48, 0xd6, 0x8a,
312 0x87, 0xf7, 0x69, 0xcd, 0x82, 0x8c, 0x4f, 0x5c, 0x05, 0x55, 0xa6, 0x78,
313 0x89, 0xab, 0x4c, 0xd8, 0xa9, 0xd6, 0xa5, 0xf4, 0x29, 0x4c, 0x23, 0xc8,
314 0xcf, 0xf0, 0x4c, 0x64, 0x6b, 0x4e, 0x02, 0x17, 0x69, 0xd6, 0x47, 0x83,
315 0x30, 0x43, 0x02, 0x29, 0xda, 0xda, 0x75, 0x3b, 0xd7, 0xa7, 0x2b, 0x31,
316 0xb3, 0xe9, 0x71, 0xa4, 0x41, 0xf7, 0x26, 0x9b, 0xcd, 0x23, 0xfa, 0x45,
317 0x3c, 0x9b, 0x7d, 0x28, 0xf7, 0xf9, 0x67, 0x04, 0xba, 0xfc, 0x46, 0x75,
318 0x11, 0x3c, 0xd5, 0x27, 0x43, 0x53, 0xb1, 0xb6, 0x9e, 0x18, 0xeb, 0x11,
319 0xb4, 0x25, 0x20, 0x30, 0x0b, 0xe0, 0x1c, 0x17, 0x36, 0x22, 0x10, 0x0f,
320 0x99, 0xb5, 0x50, 0x14, 0x73, 0x07, 0xf0, 0x2f, 0x5d, 0x4c, 0xe3, 0xf2,
321 0x86, 0xc2, 0x05, 0xc8, 0x38, 0xed, 0xeb, 0x2a, 0x4a, 0xab, 0x76, 0xe3,
322 0x1a, 0x75, 0x44, 0xf7, 0x6e, 0x94, 0xdc, 0x25, 0x62, 0x7e, 0x31, 0xca,
323 0xc2, 0x73, 0x51, 0xb5, 0x03, 0xfb, 0xf9, 0xf6, 0xb5, 0x8d, 0x4e, 0x6c,
324 0x21, 0x0e, 0xf9, 0x97, 0x26, 0x57, 0xf3, 0x52, 0x72, 0x07, 0xf8, 0xb4,
325 0xcd, 0xb4, 0x39, 0xcf, 0xbf, 0x78, 0xcc, 0xb6, 0x87, 0xf9, 0xb7, 0x8b,
326 0x6a, 0xce, 0x9f, 0xc8,
327 };
328
329 // kEstonianRSAKey is an RSAPublicKey encoded with a negative modulus. See
330 // https://crbug.com/532048.
331 static const uint8_t kEstonianRSAKey[] = {
332 0x30, 0x82, 0x01, 0x09, 0x02, 0x82, 0x01, 0x00, 0x96, 0xa6, 0x2e, 0x9c,
333 0x4e, 0x6a, 0xc3, 0xcc, 0xcd, 0x8f, 0x70, 0xc3, 0x55, 0xbf, 0x5e, 0x9c,
334 0xd4, 0xf3, 0x17, 0xc3, 0x97, 0x70, 0xae, 0xdf, 0x12, 0x5c, 0x15, 0x80,
335 0x03, 0xef, 0x2b, 0x18, 0x9d, 0x6a, 0xcb, 0x52, 0x22, 0xc1, 0x81, 0xb8,
336 0x7e, 0x61, 0xe8, 0x0f, 0x79, 0x24, 0x0f, 0x82, 0x70, 0x24, 0x4e, 0x29,
337 0x20, 0x05, 0x54, 0xeb, 0xd4, 0xa9, 0x65, 0x59, 0xb6, 0x3c, 0x75, 0x95,
338 0x2f, 0x4c, 0xf6, 0x9d, 0xd1, 0xaf, 0x5f, 0x14, 0x14, 0xe7, 0x25, 0xea,
339 0xa5, 0x47, 0x5d, 0xc6, 0x3e, 0x28, 0x8d, 0xdc, 0x54, 0x87, 0x2a, 0x7c,
340 0x10, 0xe9, 0xc6, 0x76, 0x2d, 0xe7, 0x79, 0xd8, 0x0e, 0xbb, 0xa9, 0xac,
341 0xb5, 0x18, 0x98, 0xd6, 0x47, 0x6e, 0x06, 0x70, 0xbf, 0x9e, 0x82, 0x25,
342 0x95, 0x4e, 0xfd, 0x70, 0xd7, 0x73, 0x45, 0x2e, 0xc1, 0x1f, 0x7a, 0x9a,
343 0x9d, 0x60, 0xc0, 0x1f, 0x67, 0x06, 0x2a, 0x4e, 0x87, 0x3f, 0x19, 0x88,
344 0x69, 0x64, 0x4d, 0x9f, 0x75, 0xf5, 0xd3, 0x1a, 0x41, 0x3d, 0x35, 0x17,
345 0xb6, 0xd1, 0x44, 0x0d, 0x25, 0x8b, 0xe7, 0x94, 0x39, 0xb0, 0x7c, 0xaf,
346 0x3e, 0x6a, 0xfa, 0x8d, 0x90, 0x21, 0x0f, 0x8a, 0x43, 0x94, 0x37, 0x7c,
347 0x2a, 0x15, 0x4c, 0xa0, 0xfa, 0xa9, 0x2f, 0x21, 0xa6, 0x6f, 0x8e, 0x2f,
348 0x89, 0xbc, 0xbb, 0x33, 0xf8, 0x31, 0xfc, 0xdf, 0xcd, 0x68, 0x9a, 0xbc,
349 0x75, 0x06, 0x95, 0xf1, 0x3d, 0xef, 0xca, 0x76, 0x27, 0xd2, 0xba, 0x8e,
350 0x0e, 0x1c, 0x43, 0xd7, 0x70, 0xb9, 0xc6, 0x15, 0xca, 0xd5, 0x4d, 0x87,
351 0xb9, 0xd1, 0xae, 0xde, 0x69, 0x73, 0x00, 0x2a, 0x97, 0x51, 0x4b, 0x30,
352 0x01, 0xc2, 0x85, 0xd0, 0x05, 0xcc, 0x2e, 0xe8, 0xc7, 0x42, 0xe7, 0x94,
353 0x51, 0xe3, 0xf5, 0x19, 0x35, 0xdc, 0x57, 0x96, 0xe7, 0xd9, 0xb4, 0x49,
354 0x02, 0x03, 0x01, 0x00, 0x01,
355 };
356
357 // kExponent1RSAKey is an RSAPublicKey encoded with an exponent of 1. See
358 // https://crbug.com/541257
359 static const uint8_t kExponent1RSAKey[] = {
360 0x30, 0x82, 0x01, 0x08, 0x02, 0x82, 0x01, 0x01, 0x00, 0xcf, 0x86, 0x9a,
361 0x7d, 0x5c, 0x9f, 0xbd, 0x33, 0xbb, 0xc2, 0xb1, 0x06, 0xa8, 0x3e, 0xc5,
362 0x18, 0xf3, 0x01, 0x04, 0xdd, 0x7a, 0x38, 0x0e, 0x8e, 0x8d, 0x10, 0xaa,
363 0xf8, 0x64, 0x49, 0x82, 0xa6, 0x16, 0x9d, 0xd9, 0xae, 0x5e, 0x7f, 0x9b,
364 0x53, 0xcb, 0xbb, 0x29, 0xda, 0x98, 0x47, 0x26, 0x88, 0x2e, 0x1d, 0x64,
365 0xb3, 0xbc, 0x7e, 0x96, 0x3a, 0xa7, 0xd6, 0x87, 0xf6, 0xf5, 0x3f, 0xa7,
366 0x3b, 0xd3, 0xc5, 0xd5, 0x61, 0x3c, 0x63, 0x05, 0xf9, 0xbc, 0x64, 0x1d,
367 0x71, 0x65, 0xf5, 0xc8, 0xe8, 0x64, 0x41, 0x35, 0x88, 0x81, 0x6b, 0x2a,
368 0x24, 0xbb, 0xdd, 0x9f, 0x75, 0x4f, 0xea, 0x35, 0xe5, 0x32, 0x76, 0x5a,
369 0x8b, 0x7a, 0xb5, 0x92, 0x65, 0x34, 0xb7, 0x88, 0x42, 0x5d, 0x41, 0x0b,
370 0xd1, 0x00, 0x2d, 0x43, 0x47, 0x55, 0x60, 0x3c, 0x0e, 0x60, 0x04, 0x5c,
371 0x88, 0x13, 0xc7, 0x42, 0x55, 0x16, 0x31, 0x32, 0x81, 0xba, 0xde, 0xa9,
372 0x56, 0xeb, 0xdb, 0x66, 0x7f, 0x31, 0xba, 0xe8, 0x87, 0x1a, 0xcc, 0xad,
373 0x90, 0x86, 0x4b, 0xa7, 0x6d, 0xd5, 0xc1, 0xb7, 0xe7, 0x67, 0x56, 0x41,
374 0xf7, 0x03, 0xb3, 0x09, 0x61, 0x63, 0xb5, 0xb0, 0x19, 0x7b, 0xc5, 0x91,
375 0xc8, 0x96, 0x5b, 0x6a, 0x80, 0xa1, 0x53, 0x0f, 0x9a, 0x47, 0xb5, 0x9a,
376 0x44, 0x53, 0xbd, 0x93, 0xe3, 0xe4, 0xce, 0x0c, 0x17, 0x11, 0x51, 0x1d,
377 0xfd, 0x6c, 0x74, 0xe4, 0xec, 0x2a, 0xce, 0x57, 0x27, 0xcc, 0x83, 0x98,
378 0x08, 0x32, 0x2c, 0xd5, 0x75, 0xa9, 0x27, 0xfe, 0xaa, 0x5e, 0x48, 0xc9,
379 0x46, 0x9a, 0x29, 0x3f, 0xe6, 0x01, 0x4d, 0x97, 0x4a, 0x70, 0xd1, 0x5d,
380 0xf8, 0xc0, 0x0b, 0x23, 0xcb, 0xbe, 0xf5, 0x70, 0x0b, 0xc2, 0xf2, 0xc0,
381 0x33, 0x9c, 0xc4, 0x8b, 0x39, 0x7e, 0x3d, 0xc6, 0x23, 0x39, 0x9a, 0x98,
382 0xdd, 0x02, 0x01, 0x01,
383 };
384
385 struct RSAEncryptParam {
386 const uint8_t *der;
387 size_t der_len;
388 const uint8_t *oaep_ciphertext;
389 size_t oaep_ciphertext_len;
390 } kRSAEncryptParams[] = {
391 {kKey1, sizeof(kKey1) - 1, kOAEPCiphertext1, sizeof(kOAEPCiphertext1) - 1},
392 {kKey2, sizeof(kKey2) - 1, kOAEPCiphertext2, sizeof(kOAEPCiphertext2) - 1},
393 {kKey3, sizeof(kKey3) - 1, kOAEPCiphertext3, sizeof(kOAEPCiphertext3) - 1},
394 };
395
396 class RSAEncryptTest : public testing::TestWithParam<RSAEncryptParam> {};
397
TEST_P(RSAEncryptTest,TestKey)398 TEST_P(RSAEncryptTest, TestKey) {
399 const auto ¶m = GetParam();
400 bssl::UniquePtr<RSA> key(
401 RSA_private_key_from_bytes(param.der, param.der_len));
402 ASSERT_TRUE(key);
403
404 EXPECT_TRUE(RSA_check_key(key.get()));
405
406 uint8_t ciphertext[256];
407
408 // Test that PKCS#1 v1.5 encryption round-trips.
409 size_t ciphertext_len = 0;
410 ASSERT_TRUE(RSA_encrypt(key.get(), &ciphertext_len, ciphertext,
411 sizeof(ciphertext), kPlaintext, kPlaintextLen,
412 RSA_PKCS1_PADDING));
413 EXPECT_EQ(RSA_size(key.get()), ciphertext_len);
414
415 uint8_t plaintext[256];
416 size_t plaintext_len = 0;
417 ASSERT_TRUE(RSA_decrypt(key.get(), &plaintext_len, plaintext,
418 sizeof(plaintext), ciphertext, ciphertext_len,
419 RSA_PKCS1_PADDING));
420 EXPECT_EQ(Bytes(kPlaintext, kPlaintextLen), Bytes(plaintext, plaintext_len));
421
422 // Test that OAEP encryption round-trips.
423 ciphertext_len = 0;
424 ASSERT_TRUE(RSA_encrypt(key.get(), &ciphertext_len, ciphertext,
425 sizeof(ciphertext), kPlaintext, kPlaintextLen,
426 RSA_PKCS1_OAEP_PADDING));
427 EXPECT_EQ(RSA_size(key.get()), ciphertext_len);
428
429 plaintext_len = 0;
430 ASSERT_TRUE(RSA_decrypt(key.get(), &plaintext_len, plaintext,
431 sizeof(plaintext), ciphertext, ciphertext_len,
432 RSA_PKCS1_OAEP_PADDING));
433 EXPECT_EQ(Bytes(kPlaintext, kPlaintextLen), Bytes(plaintext, plaintext_len));
434
435 // |oaep_ciphertext| should decrypt to |kPlaintext|.
436 plaintext_len = 0;
437 ASSERT_TRUE(RSA_decrypt(key.get(), &plaintext_len, plaintext,
438 sizeof(plaintext), param.oaep_ciphertext,
439 param.oaep_ciphertext_len, RSA_PKCS1_OAEP_PADDING));
440 EXPECT_EQ(Bytes(kPlaintext, kPlaintextLen), Bytes(plaintext, plaintext_len));
441
442 // Try decrypting corrupted ciphertexts.
443 OPENSSL_memcpy(ciphertext, param.oaep_ciphertext, param.oaep_ciphertext_len);
444 for (size_t i = 0; i < param.oaep_ciphertext_len; i++) {
445 SCOPED_TRACE(i);
446 ciphertext[i] ^= 1;
447 EXPECT_FALSE(RSA_decrypt(
448 key.get(), &plaintext_len, plaintext, sizeof(plaintext), ciphertext,
449 param.oaep_ciphertext_len, RSA_PKCS1_OAEP_PADDING));
450 ERR_clear_error();
451 ciphertext[i] ^= 1;
452 }
453
454 // Test truncated ciphertexts.
455 for (size_t len = 0; len < param.oaep_ciphertext_len; len++) {
456 SCOPED_TRACE(len);
457 EXPECT_FALSE(RSA_decrypt(key.get(), &plaintext_len, plaintext,
458 sizeof(plaintext), ciphertext, len,
459 RSA_PKCS1_OAEP_PADDING));
460 ERR_clear_error();
461 }
462 }
463
464 INSTANTIATE_TEST_SUITE_P(All, RSAEncryptTest,
465 testing::ValuesIn(kRSAEncryptParams));
466
TEST(RSATest,TestDecrypt)467 TEST(RSATest, TestDecrypt) {
468 bssl::UniquePtr<RSA> rsa(
469 RSA_private_key_from_bytes(kTwoPrimeKey, sizeof(kTwoPrimeKey) - 1));
470 ASSERT_TRUE(rsa);
471
472 EXPECT_TRUE(RSA_check_key(rsa.get()));
473
474 uint8_t out[256];
475 size_t out_len;
476 ASSERT_TRUE(RSA_decrypt(
477 rsa.get(), &out_len, out, sizeof(out), kTwoPrimeEncryptedMessage,
478 sizeof(kTwoPrimeEncryptedMessage), RSA_PKCS1_PADDING));
479 EXPECT_EQ(Bytes("hello world"), Bytes(out, out_len));
480 }
481
TEST(RSATest,CheckFIPS)482 TEST(RSATest, CheckFIPS) {
483 bssl::UniquePtr<RSA> rsa(
484 RSA_private_key_from_bytes(kFIPSKey, sizeof(kFIPSKey) - 1));
485 ASSERT_TRUE(rsa);
486 EXPECT_TRUE(RSA_check_fips(rsa.get()));
487
488 // Check that RSA_check_fips works on a public key.
489 bssl::UniquePtr<RSA> pub(
490 RSA_public_key_from_bytes(kFIPSPublicKey, sizeof(kFIPSPublicKey) - 1));
491 ASSERT_TRUE(pub);
492 EXPECT_TRUE(RSA_check_fips(pub.get()));
493 }
494
TEST(RSATest,GenerateFIPS)495 TEST(RSATest, GenerateFIPS) {
496 bssl::UniquePtr<RSA> rsa(RSA_new());
497 ASSERT_TRUE(rsa);
498
499 // RSA_generate_key_fips may only be used for 2048-, 3072-, and 4096-bit
500 // keys.
501 EXPECT_FALSE(RSA_generate_key_fips(rsa.get(), 512, nullptr));
502 EXPECT_FALSE(RSA_generate_key_fips(rsa.get(), 1024, nullptr));
503 EXPECT_FALSE(RSA_generate_key_fips(rsa.get(), 2047, nullptr));
504 EXPECT_FALSE(RSA_generate_key_fips(rsa.get(), 2049, nullptr));
505 EXPECT_FALSE(RSA_generate_key_fips(rsa.get(), 3071, nullptr));
506 EXPECT_FALSE(RSA_generate_key_fips(rsa.get(), 3073, nullptr));
507 EXPECT_FALSE(RSA_generate_key_fips(rsa.get(), 4095, nullptr));
508 EXPECT_FALSE(RSA_generate_key_fips(rsa.get(), 4097, nullptr));
509 ERR_clear_error();
510
511 // Test that we can generate keys of the supported lengths:
512 for (const size_t bits : {2048, 3072, 4096}) {
513 SCOPED_TRACE(bits);
514
515 rsa.reset(RSA_new());
516 ASSERT_TRUE(RSA_generate_key_fips(rsa.get(), bits, nullptr));
517 EXPECT_EQ(bits, BN_num_bits(rsa->n));
518 }
519 }
520
TEST(RSATest,BadKey)521 TEST(RSATest, BadKey) {
522 bssl::UniquePtr<RSA> key(RSA_new());
523 bssl::UniquePtr<BIGNUM> e(BN_new());
524 ASSERT_TRUE(key);
525 ASSERT_TRUE(e);
526 ASSERT_TRUE(BN_set_word(e.get(), RSA_F4));
527
528 // Generate a bad key.
529 ASSERT_TRUE(RSA_generate_key_ex(key.get(), 512, e.get(), nullptr));
530 ASSERT_TRUE(BN_add(key->p, key->p, BN_value_one()));
531
532 // Bad keys are detected.
533 EXPECT_FALSE(RSA_check_key(key.get()));
534 EXPECT_FALSE(RSA_check_fips(key.get()));
535
536 // Bad keys may not be parsed.
537 uint8_t *der;
538 size_t der_len;
539 ASSERT_TRUE(RSA_private_key_to_bytes(&der, &der_len, key.get()));
540 bssl::UniquePtr<uint8_t> delete_der(der);
541 key.reset(RSA_private_key_from_bytes(der, der_len));
542 EXPECT_FALSE(key);
543 }
544
TEST(RSATest,OnlyDGiven)545 TEST(RSATest, OnlyDGiven) {
546 static const char kN[] =
547 "00e77bbf3889d4ef36a9a25d4d69f3f632eb4362214c74517da6d6aeaa9bd09ac42b2662"
548 "1cd88f3a6eb013772fc3bf9f83914b6467231c630202c35b3e5808c659";
549 static const char kE[] = "010001";
550 static const char kD[] =
551 "0365db9eb6d73b53b015c40cd8db4de7dd7035c68b5ac1bf786d7a4ee2cea316eaeca21a"
552 "73ac365e58713195f2ae9849348525ca855386b6d028e437a9495a01";
553
554 bssl::UniquePtr<RSA> key(RSA_new());
555 ASSERT_TRUE(key);
556 ASSERT_TRUE(BN_hex2bn(&key->n, kN));
557 ASSERT_TRUE(BN_hex2bn(&key->e, kE));
558 ASSERT_TRUE(BN_hex2bn(&key->d, kD));
559
560 // Keys with only n, e, and d are functional.
561 EXPECT_TRUE(RSA_check_key(key.get()));
562
563 const uint8_t kDummyHash[32] = {0};
564 uint8_t buf[64];
565 unsigned buf_len = sizeof(buf);
566 ASSERT_LE(RSA_size(key.get()), sizeof(buf));
567 EXPECT_TRUE(RSA_sign(NID_sha256, kDummyHash, sizeof(kDummyHash), buf,
568 &buf_len, key.get()));
569 EXPECT_TRUE(RSA_verify(NID_sha256, kDummyHash, sizeof(kDummyHash), buf,
570 buf_len, key.get()));
571
572 // Keys without the public exponent must continue to work when blinding is
573 // disabled to support Java's RSAPrivateKeySpec API. See
574 // https://bugs.chromium.org/p/boringssl/issues/detail?id=12.
575 bssl::UniquePtr<RSA> key2(RSA_new());
576 ASSERT_TRUE(key2);
577 ASSERT_TRUE(BN_hex2bn(&key2->n, kN));
578 ASSERT_TRUE(BN_hex2bn(&key2->d, kD));
579 key2->flags |= RSA_FLAG_NO_BLINDING;
580
581 ASSERT_LE(RSA_size(key2.get()), sizeof(buf));
582 EXPECT_TRUE(RSA_sign(NID_sha256, kDummyHash, sizeof(kDummyHash), buf,
583 &buf_len, key2.get()));
584
585 // Verify the signature with |key|. |key2| has no public exponent.
586 EXPECT_TRUE(RSA_verify(NID_sha256, kDummyHash, sizeof(kDummyHash), buf,
587 buf_len, key.get()));
588 }
589
TEST(RSATest,ASN1)590 TEST(RSATest, ASN1) {
591 // Test that private keys may be decoded.
592 bssl::UniquePtr<RSA> rsa(
593 RSA_private_key_from_bytes(kKey1, sizeof(kKey1) - 1));
594 ASSERT_TRUE(rsa);
595
596 // Test that the serialization round-trips.
597 uint8_t *der;
598 size_t der_len;
599 ASSERT_TRUE(RSA_private_key_to_bytes(&der, &der_len, rsa.get()));
600 bssl::UniquePtr<uint8_t> delete_der(der);
601 EXPECT_EQ(Bytes(kKey1, sizeof(kKey1) - 1), Bytes(der, der_len));
602
603 // Test that serializing public keys works.
604 ASSERT_TRUE(RSA_public_key_to_bytes(&der, &der_len, rsa.get()));
605 delete_der.reset(der);
606
607 // Public keys may be parsed back out.
608 rsa.reset(RSA_public_key_from_bytes(der, der_len));
609 ASSERT_TRUE(rsa);
610 EXPECT_FALSE(rsa->p);
611 EXPECT_FALSE(rsa->q);
612
613 // Serializing the result round-trips.
614 uint8_t *der2;
615 size_t der2_len;
616 ASSERT_TRUE(RSA_public_key_to_bytes(&der2, &der2_len, rsa.get()));
617 bssl::UniquePtr<uint8_t> delete_der2(der2);
618 EXPECT_EQ(Bytes(der, der_len), Bytes(der2, der2_len));
619
620 // Public keys cannot be serialized as private keys.
621 int ok = RSA_private_key_to_bytes(&der, &der_len, rsa.get());
622 if (ok) {
623 OPENSSL_free(der);
624 }
625 EXPECT_FALSE(ok);
626 ERR_clear_error();
627
628 // Public keys with negative moduli are invalid.
629 rsa.reset(RSA_public_key_from_bytes(kEstonianRSAKey,
630 sizeof(kEstonianRSAKey)));
631 EXPECT_FALSE(rsa);
632 ERR_clear_error();
633 }
634
TEST(RSATest,BadExponent)635 TEST(RSATest, BadExponent) {
636 bssl::UniquePtr<RSA> rsa(
637 RSA_public_key_from_bytes(kExponent1RSAKey, sizeof(kExponent1RSAKey)));
638 EXPECT_FALSE(rsa);
639 ERR_clear_error();
640 }
641
642 // Attempting to generate an excessively small key should fail.
TEST(RSATest,GenerateSmallKey)643 TEST(RSATest, GenerateSmallKey) {
644 bssl::UniquePtr<RSA> rsa(RSA_new());
645 ASSERT_TRUE(rsa);
646 bssl::UniquePtr<BIGNUM> e(BN_new());
647 ASSERT_TRUE(e);
648 ASSERT_TRUE(BN_set_word(e.get(), RSA_F4));
649
650 EXPECT_FALSE(RSA_generate_key_ex(rsa.get(), 255, e.get(), nullptr));
651 uint32_t err = ERR_get_error();
652 EXPECT_EQ(ERR_LIB_RSA, ERR_GET_LIB(err));
653 EXPECT_EQ(RSA_R_KEY_SIZE_TOO_SMALL, ERR_GET_REASON(err));
654 }
655
656 // Attempting to generate an funny RSA key length should round down.
TEST(RSATest,RoundKeyLengths)657 TEST(RSATest, RoundKeyLengths) {
658 bssl::UniquePtr<BIGNUM> e(BN_new());
659 ASSERT_TRUE(e);
660 ASSERT_TRUE(BN_set_word(e.get(), RSA_F4));
661
662 bssl::UniquePtr<RSA> rsa(RSA_new());
663 ASSERT_TRUE(rsa);
664 ASSERT_TRUE(RSA_generate_key_ex(rsa.get(), 1025, e.get(), nullptr));
665 EXPECT_EQ(1024u, BN_num_bits(rsa->n));
666
667 rsa.reset(RSA_new());
668 ASSERT_TRUE(rsa);
669 ASSERT_TRUE(RSA_generate_key_ex(rsa.get(), 1027, e.get(), nullptr));
670 EXPECT_EQ(1024u, BN_num_bits(rsa->n));
671
672 rsa.reset(RSA_new());
673 ASSERT_TRUE(rsa);
674 ASSERT_TRUE(RSA_generate_key_ex(rsa.get(), 1151, e.get(), nullptr));
675 EXPECT_EQ(1024u, BN_num_bits(rsa->n));
676
677 rsa.reset(RSA_new());
678 ASSERT_TRUE(rsa);
679 ASSERT_TRUE(RSA_generate_key_ex(rsa.get(), 1152, e.get(), nullptr));
680 EXPECT_EQ(1152u, BN_num_bits(rsa->n));
681 }
682
TEST(RSATest,BlindingDisabled)683 TEST(RSATest, BlindingDisabled) {
684 bssl::UniquePtr<RSA> rsa(
685 RSA_private_key_from_bytes(kTwoPrimeKey, sizeof(kTwoPrimeKey) - 1));
686 ASSERT_TRUE(rsa);
687
688 rsa->flags |= RSA_FLAG_NO_BLINDING;
689
690 uint8_t sig[256];
691 ASSERT_GE(sizeof(sig), RSA_size(rsa.get()));
692
693 static const uint8_t kZeros[32] = {0};
694 unsigned sig_len;
695 ASSERT_TRUE(
696 RSA_sign(NID_sha256, kZeros, sizeof(kZeros), sig, &sig_len, rsa.get()));
697 EXPECT_TRUE(
698 RSA_verify(NID_sha256, kZeros, sizeof(kZeros), sig, sig_len, rsa.get()));
699 }
700
701 // Test that decrypting with a public key fails gracefully rather than crashing.
TEST(RSATest,DecryptPublic)702 TEST(RSATest, DecryptPublic) {
703 bssl::UniquePtr<RSA> pub(
704 RSA_public_key_from_bytes(kFIPSPublicKey, sizeof(kFIPSPublicKey) - 1));
705 ASSERT_TRUE(pub);
706 ASSERT_EQ(1024u / 8u, RSA_size(pub.get()));
707
708 size_t len;
709 uint8_t in[1024 / 8] = {0}, out[1024 / 8];
710 EXPECT_FALSE(RSA_decrypt(pub.get(), &len, out, sizeof(out), in, sizeof(in),
711 RSA_PKCS1_PADDING));
712 uint32_t err = ERR_get_error();
713 EXPECT_EQ(ERR_LIB_RSA, ERR_GET_LIB(err));
714 EXPECT_EQ(RSA_R_VALUE_MISSING, ERR_GET_REASON(err));
715 }
716
TEST(RSATest,CheckKey)717 TEST(RSATest, CheckKey) {
718 static const char kN[] =
719 "b5a5651bc2e15ce31d789f0984053a2ea0cf8f964a78068c45acfdf078c57fd62d5a287c"
720 "32f3baa879f5dfea27d7a3077c9d3a2a728368c3d90164690c3d82f660ffebc7f13fed45"
721 "4eb5103df943c10dc32ec60b0d9b6e307bfd7f9b943e0dc3901e42501765365f7286eff2"
722 "f1f728774aa6a371e108a3a7dd00d7bcd4c1a186c2865d4b370ea38cc89c0b23b318dbca"
723 "fbd872b4f9b833dfb2a4ca7fcc23298020044e8130bfe930adfb3e5cab8d324547adf4b2"
724 "ce34d7cea4298f0b613d85f2bf1df03da44aee0784a1a20a15ee0c38a0f8e84962f1f61b"
725 "18bd43781c7385f3c2b8e2aebd3c560b4faad208ad3938bad27ddda9ed9e933dba088021"
726 "2dd9e28d";
727 static const char kE[] = "10001";
728 static const char kD[] =
729 "fb9c6afd9568ce5ddac8e6a32bb881eb6cdd962bbc639dce5805548bf0fec2214f18ffd3"
730 "6a50aa520cfe4477f9507d87355a24e3ff537f9f29ccffe5730b11896ebb9142982ed0df"
731 "9c32ba98dddab863f3e5aa764d16ebff4500d3ee11de12fabd7aeca83c7ffa5d242b3ddc"
732 "ecc64bcb5220996e79249a6d3f78975dfde769710569812dee59c0f56e4650d02a939d9c"
733 "853e2cba9b0c2447a8757951ae9a0336dfa64c3d5476df9b20f200cfb52e3fbd2d4e3f34"
734 "200b1171cbac367096f23366e74592025875efb6a7e3b1dd365abb0d86f34ee65ddbfa93"
735 "90460da0d346833d6aa6277c0216b20073ba2f18471549c309e82d12e10714d0e0dbf146"
736 "6fcd1f1";
737 static const char kP[] =
738 "edbe476fe8989f3966e72a20348ec6d8e924f44e1d9fa2c3485ea8a2ffd39f68574a5cef"
739 "ffbb92d6764789ac0f67149127239c2027fbc55b5268a1dac6588de44e614f3bdce00f0a"
740 "56d138800ad772d159a583c6548e37cadbfcf1b4ebfd50d01508986a516f36ed827b94ef"
741 "1f9b4e233bf5762b3a903d2dfbbbce1fba30e9f1";
742 static const char kQ[] =
743 "c398518790a166dbe50498f04940d14c87ded09313fb0f69f69255c688142802ba3d4f9e"
744 "f9425dadc462170635593c06a332cfc5fc9e6e1c05281950a5ce3bad4fd7cc83a38bd4ad"
745 "6865594275af424f47c64c04af1caab2e261e95b975097c887d587dc8150df34cbeccd7d"
746 "0688c392d9f1c617810043c9b93b884bf6ed465d";
747 static const char kDMP1[] =
748 "b44db5d1fa7e1d6ba44e36d59be6988a132f7294f7c484e543b27e84b82e9fdbbb2feb92"
749 "1cc9fe0fe63e54fc07e66e63b3623f5ae7d7fb124a4a8e4de4556eaf327e7c5ff3207e67"
750 "a1f624ba7efe6cd6b6fd5f160034a7bd92df9fd44d919d436260556f74793b181ff867b8"
751 "7ea9033697978e5a349d05b9250c86c3eb2a8391";
752 static const char kDMQ1[] =
753 "7c06d9240265264927a6cba80a7b4c7c9fe77d10d669abb38083f85a24adcb55376d6b50"
754 "9e34241cecdb5a483889f6132b672bf31aa607a242eed3669d4cf1f08b2186f0ae431bc0"
755 "3de38e3f234ad7dc57e1f9103b4e0d3bd36b4cc324671968322207bd9e4e7ecb06c888e0"
756 "cfc4e766f646665b3f14c0e7684ac4b98ec1948d";
757 static const char kIQMP[] =
758 "2887a5cb0c1bf6710e91c25da141dad92134a927431471c2d4a8b78036026d21182990e1"
759 "2c1d70635f07ee551383899365a69b33d4db23e5ff7371ff4244d2c3290ce2b91ac11adc"
760 "a54bb61ea5e64b9423102933ea100c12dad809fbf9589515e9d28e867f6b95c2d307f792"
761 "cac28c6d7d23f441cb5b62798233db29b5cc0348";
762
763 bssl::UniquePtr<RSA> rsa(RSA_new());
764 ASSERT_TRUE(rsa);
765
766 // Missing n or e does not pass.
767 ASSERT_TRUE(BN_hex2bn(&rsa->n, kN));
768 EXPECT_FALSE(RSA_check_key(rsa.get()));
769 ERR_clear_error();
770
771 BN_free(rsa->n);
772 rsa->n = nullptr;
773 ASSERT_TRUE(BN_hex2bn(&rsa->e, kE));
774 EXPECT_FALSE(RSA_check_key(rsa.get()));
775 ERR_clear_error();
776
777 // Public keys pass.
778 ASSERT_TRUE(BN_hex2bn(&rsa->n, kN));
779 EXPECT_TRUE(RSA_check_key(rsa.get()));
780
781 // Configuring d also passes.
782 ASSERT_TRUE(BN_hex2bn(&rsa->d, kD));
783 EXPECT_TRUE(RSA_check_key(rsa.get()));
784
785 // p and q must be provided together.
786 ASSERT_TRUE(BN_hex2bn(&rsa->p, kP));
787 EXPECT_FALSE(RSA_check_key(rsa.get()));
788 ERR_clear_error();
789
790 BN_free(rsa->p);
791 rsa->p = nullptr;
792 ASSERT_TRUE(BN_hex2bn(&rsa->q, kQ));
793 EXPECT_FALSE(RSA_check_key(rsa.get()));
794 ERR_clear_error();
795
796 // Supplying p and q without CRT parameters passes.
797 ASSERT_TRUE(BN_hex2bn(&rsa->p, kP));
798 EXPECT_TRUE(RSA_check_key(rsa.get()));
799
800 // With p and q together, it is sufficient to check d against e.
801 ASSERT_TRUE(BN_add_word(rsa->d, 1));
802 EXPECT_FALSE(RSA_check_key(rsa.get()));
803 ERR_clear_error();
804
805 // Test another invalid d. p-1 is divisible by 3, so there is no valid value
806 // of d here if e = 111. Set d to what extended GCD would have given if it
807 // forgot to check the inverse existed.
808 static const char kDBogus[] =
809 "140be923edb928cf4340a08ada19f23da680ff20275a81e033825ee8605afc3bf6039b87"
810 "f0ddc7ea3b95f214a6fdda1064d0c66b50ac7bfe8cfe6c85d3cd217ae6f5094cd72a39e5"
811 "a17a9ce43eae1ba5d7d8c3fb743d8cbcb3bcd74edd0b75fcca23a0b00bcea119864c0243"
812 "bf9ab32b25a4d73a1e062482f538055bc2258369353647d4325aec7a28dc1a6798e85fae"
813 "85850558868468d60015927cb10b2a893e23aa16b1f9278d4413f64d0a3122218f9000ae"
814 "cd8743b8e9e50bd9de81eebc4e0230d1f4f7bffc1e6f903606afba9ee694c2b40022f171"
815 "a760e7c63e736e31d7c7ff8b77dc206c2a3aa5afd540073060ebb9050bddce1ff1917630"
816 "47fff51d";
817 ASSERT_TRUE(BN_set_word(rsa->e, 111));
818 ASSERT_TRUE(BN_hex2bn(&rsa->d, kDBogus));
819 EXPECT_FALSE(RSA_check_key(rsa.get()));
820 ERR_clear_error();
821 ASSERT_TRUE(BN_hex2bn(&rsa->e, kE));
822
823 // d computed via the Euler totient rather than the Carmichael totient is also
824 // acceptable.
825 static const char kDEuler[] =
826 "3d231ff6ca0ee41ea50ab62c93bcd6aa5f01bd484e643b7ff6eb94c4dd414c17a0481a1c"
827 "4361f94f3f4d5c42098af09a527cf0d8dc96122ae8dd29189a4011d62f2bb40625d2e85f"
828 "4d706fb90c2e9bc9b00a0c2a28384a4c134f6d25c62d64a08fdf3f5e89a14d3daee46fda"
829 "8b4a2eda87cbb2735fd47290cb37bf65150edef854a28927ce5ac36d36107711cffb8ac3"
830 "2b090e409bb822b117744a9aabf878b8b1998d406337ec24cee3877795061c67322ac626"
831 "6c675a2cefe0f85f06b4d24eb6ad8e3fae7f218f5bd8ff2fb8bf8176d8527b0dfdaf8490"
832 "8f9bfaf3f37dcf8aa0211311bac07b1a478c3ed8a6369e5d5fc42b2afa93f5de8f520981"
833 "c62bbe81";
834 ASSERT_TRUE(BN_hex2bn(&rsa->d, kDEuler));
835 EXPECT_TRUE(RSA_check_key(rsa.get()));
836
837 // If d is completely out of range but otherwise valid, it is rejected.
838 static const char kDTooLarge[] =
839 "f2c885128cf04101c283553617c210d8ffd14cde98dc420c3c9892b55606cbedcda24298"
840 "7655b3f7b9433c2c316293a1cf1a2b034f197aeec1de8d81a67d94cc902b9fce1712d5a4"
841 "9c257ff705725cd77338d23535d3b87c8f4cecc15a6b72641ffd81aea106839d216b5fcd"
842 "7d415751d27255e540dd1638a8389721e9d0807d65d24d7b8c2f60e4b2c0bf250544ce68"
843 "b5ddbc1463d5a4638b2816b0f033dacdc0162f329af9e4d142352521fbd2fe14af824ef3"
844 "1601fe843c79cc3efbcb8eafd79262bdd25e2bdf21440f774e26d88ed7df938c5cf6982d"
845 "e9fa635b8ca36ce5c5fbd579a53cbb0348ceae752d4bc5621c5acc922ca2082494633337"
846 "42e770c1";
847 ASSERT_TRUE(BN_hex2bn(&rsa->d, kDTooLarge));
848 EXPECT_FALSE(RSA_check_key(rsa.get()));
849 ERR_clear_error();
850 ASSERT_TRUE(BN_hex2bn(&rsa->d, kD));
851
852 // CRT value must either all be provided or all missing.
853 ASSERT_TRUE(BN_hex2bn(&rsa->dmp1, kDMP1));
854 EXPECT_FALSE(RSA_check_key(rsa.get()));
855 ERR_clear_error();
856 BN_free(rsa->dmp1);
857 rsa->dmp1 = nullptr;
858
859 ASSERT_TRUE(BN_hex2bn(&rsa->dmq1, kDMQ1));
860 EXPECT_FALSE(RSA_check_key(rsa.get()));
861 ERR_clear_error();
862 BN_free(rsa->dmq1);
863 rsa->dmq1 = nullptr;
864
865 ASSERT_TRUE(BN_hex2bn(&rsa->iqmp, kIQMP));
866 EXPECT_FALSE(RSA_check_key(rsa.get()));
867 ERR_clear_error();
868
869 // The full key is accepted.
870 ASSERT_TRUE(BN_hex2bn(&rsa->dmp1, kDMP1));
871 ASSERT_TRUE(BN_hex2bn(&rsa->dmq1, kDMQ1));
872 EXPECT_TRUE(RSA_check_key(rsa.get()));
873
874 // Incorrect CRT values are rejected.
875 ASSERT_TRUE(BN_add_word(rsa->dmp1, 1));
876 EXPECT_FALSE(RSA_check_key(rsa.get()));
877 ERR_clear_error();
878 ASSERT_TRUE(BN_sub_word(rsa->dmp1, 1));
879
880 ASSERT_TRUE(BN_add_word(rsa->dmq1, 1));
881 EXPECT_FALSE(RSA_check_key(rsa.get()));
882 ERR_clear_error();
883 ASSERT_TRUE(BN_sub_word(rsa->dmq1, 1));
884
885 ASSERT_TRUE(BN_add_word(rsa->iqmp, 1));
886 EXPECT_FALSE(RSA_check_key(rsa.get()));
887 ERR_clear_error();
888 ASSERT_TRUE(BN_sub_word(rsa->iqmp, 1));
889
890 // Non-reduced CRT values are rejected.
891 ASSERT_TRUE(BN_add(rsa->dmp1, rsa->dmp1, rsa->p));
892 EXPECT_FALSE(RSA_check_key(rsa.get()));
893 ERR_clear_error();
894 ASSERT_TRUE(BN_sub(rsa->dmp1, rsa->dmp1, rsa->p));
895
896 ASSERT_TRUE(BN_add(rsa->dmq1, rsa->dmq1, rsa->q));
897 EXPECT_FALSE(RSA_check_key(rsa.get()));
898 ERR_clear_error();
899 ASSERT_TRUE(BN_sub(rsa->dmq1, rsa->dmq1, rsa->q));
900
901 ASSERT_TRUE(BN_add(rsa->iqmp, rsa->iqmp, rsa->p));
902 EXPECT_FALSE(RSA_check_key(rsa.get()));
903 ERR_clear_error();
904 ASSERT_TRUE(BN_sub(rsa->iqmp, rsa->iqmp, rsa->p));
905 }
906
TEST(RSATest,KeygenFail)907 TEST(RSATest, KeygenFail) {
908 bssl::UniquePtr<RSA> rsa(RSA_new());
909 ASSERT_TRUE(rsa);
910
911 // Cause RSA key generation after a prime has been generated, to test that
912 // |rsa| is left alone.
913 BN_GENCB cb;
914 BN_GENCB_set(&cb,
915 [](int event, int, BN_GENCB *) -> int { return event != 3; },
916 nullptr);
917
918 bssl::UniquePtr<BIGNUM> e(BN_new());
919 ASSERT_TRUE(e);
920 ASSERT_TRUE(BN_set_word(e.get(), RSA_F4));
921
922 // Key generation should fail.
923 EXPECT_FALSE(RSA_generate_key_ex(rsa.get(), 2048, e.get(), &cb));
924
925 // Failed key generations do not leave garbage in |rsa|.
926 EXPECT_FALSE(rsa->n);
927 EXPECT_FALSE(rsa->e);
928 EXPECT_FALSE(rsa->d);
929 EXPECT_FALSE(rsa->p);
930 EXPECT_FALSE(rsa->q);
931 EXPECT_FALSE(rsa->dmp1);
932 EXPECT_FALSE(rsa->dmq1);
933 EXPECT_FALSE(rsa->iqmp);
934 EXPECT_FALSE(rsa->mont_n);
935 EXPECT_FALSE(rsa->mont_p);
936 EXPECT_FALSE(rsa->mont_q);
937 EXPECT_FALSE(rsa->d_fixed);
938 EXPECT_FALSE(rsa->dmp1_fixed);
939 EXPECT_FALSE(rsa->dmq1_fixed);
940 EXPECT_FALSE(rsa->inv_small_mod_large_mont);
941 EXPECT_FALSE(rsa->private_key_frozen);
942
943 // Failed key generations leave the previous contents alone.
944 EXPECT_TRUE(RSA_generate_key_ex(rsa.get(), 2048, e.get(), nullptr));
945 uint8_t *der;
946 size_t der_len;
947 ASSERT_TRUE(RSA_private_key_to_bytes(&der, &der_len, rsa.get()));
948 bssl::UniquePtr<uint8_t> delete_der(der);
949
950 EXPECT_FALSE(RSA_generate_key_ex(rsa.get(), 2048, e.get(), &cb));
951
952 uint8_t *der2;
953 size_t der2_len;
954 ASSERT_TRUE(RSA_private_key_to_bytes(&der2, &der2_len, rsa.get()));
955 bssl::UniquePtr<uint8_t> delete_der2(der2);
956 EXPECT_EQ(Bytes(der, der_len), Bytes(der2, der2_len));
957
958 // Generating a key over an existing key works, despite any cached state.
959 EXPECT_TRUE(RSA_generate_key_ex(rsa.get(), 2048, e.get(), nullptr));
960 EXPECT_TRUE(RSA_check_key(rsa.get()));
961 uint8_t *der3;
962 size_t der3_len;
963 ASSERT_TRUE(RSA_private_key_to_bytes(&der3, &der3_len, rsa.get()));
964 bssl::UniquePtr<uint8_t> delete_der3(der3);
965 EXPECT_NE(Bytes(der, der_len), Bytes(der3, der3_len));
966 }
967
TEST(RSATest,KeygenFailOnce)968 TEST(RSATest, KeygenFailOnce) {
969 bssl::UniquePtr<RSA> rsa(RSA_new());
970 ASSERT_TRUE(rsa);
971
972 // Cause only the first iteration of RSA key generation to fail.
973 bool failed = false;
974 BN_GENCB cb;
975 BN_GENCB_set(&cb,
976 [](int event, int n, BN_GENCB *cb_ptr) -> int {
977 bool *failed_ptr = static_cast<bool *>(cb_ptr->arg);
978 if (*failed_ptr) {
979 ADD_FAILURE() << "Callback called multiple times.";
980 return 1;
981 }
982 *failed_ptr = true;
983 return 0;
984 },
985 &failed);
986
987 // Although key generation internally retries, the external behavior of
988 // |BN_GENCB| is preserved.
989 bssl::UniquePtr<BIGNUM> e(BN_new());
990 ASSERT_TRUE(e);
991 ASSERT_TRUE(BN_set_word(e.get(), RSA_F4));
992 EXPECT_FALSE(RSA_generate_key_ex(rsa.get(), 2048, e.get(), &cb));
993 }
994
TEST(RSATest,KeygenInternalRetry)995 TEST(RSATest, KeygenInternalRetry) {
996 bssl::UniquePtr<RSA> rsa(RSA_new());
997 ASSERT_TRUE(rsa);
998
999 // Simulate one internal attempt at key generation failing.
1000 bool failed = false;
1001 BN_GENCB cb;
1002 BN_GENCB_set(&cb,
1003 [](int event, int n, BN_GENCB *cb_ptr) -> int {
1004 bool *failed_ptr = static_cast<bool *>(cb_ptr->arg);
1005 if (*failed_ptr) {
1006 return 1;
1007 }
1008 *failed_ptr = true;
1009 // This test does not test any public API behavior. It is just
1010 // a hack to exercise the retry codepath and make sure it
1011 // works.
1012 OPENSSL_PUT_ERROR(RSA, RSA_R_TOO_MANY_ITERATIONS);
1013 return 0;
1014 },
1015 &failed);
1016
1017 // Key generation internally retries on RSA_R_TOO_MANY_ITERATIONS.
1018 bssl::UniquePtr<BIGNUM> e(BN_new());
1019 ASSERT_TRUE(e);
1020 ASSERT_TRUE(BN_set_word(e.get(), RSA_F4));
1021 EXPECT_TRUE(RSA_generate_key_ex(rsa.get(), 2048, e.get(), &cb));
1022 }
1023
1024 #if !defined(BORINGSSL_SHARED_LIBRARY)
TEST(RSATest,SqrtTwo)1025 TEST(RSATest, SqrtTwo) {
1026 bssl::UniquePtr<BIGNUM> sqrt(BN_new()), pow2(BN_new());
1027 bssl::UniquePtr<BN_CTX> ctx(BN_CTX_new());
1028 ASSERT_TRUE(sqrt);
1029 ASSERT_TRUE(pow2);
1030 ASSERT_TRUE(ctx);
1031
1032 size_t bits = kBoringSSLRSASqrtTwoLen * BN_BITS2;
1033 ASSERT_TRUE(BN_one(pow2.get()));
1034 ASSERT_TRUE(BN_lshift(pow2.get(), pow2.get(), 2 * bits - 1));
1035
1036 // Check that sqrt² < pow2.
1037 ASSERT_TRUE(
1038 bn_set_words(sqrt.get(), kBoringSSLRSASqrtTwo, kBoringSSLRSASqrtTwoLen));
1039 ASSERT_TRUE(BN_sqr(sqrt.get(), sqrt.get(), ctx.get()));
1040 EXPECT_LT(BN_cmp(sqrt.get(), pow2.get()), 0);
1041
1042 // Check that pow2 < (sqrt + 1)².
1043 ASSERT_TRUE(
1044 bn_set_words(sqrt.get(), kBoringSSLRSASqrtTwo, kBoringSSLRSASqrtTwoLen));
1045 ASSERT_TRUE(BN_add_word(sqrt.get(), 1));
1046 ASSERT_TRUE(BN_sqr(sqrt.get(), sqrt.get(), ctx.get()));
1047 EXPECT_LT(BN_cmp(pow2.get(), sqrt.get()), 0);
1048
1049 // Check the kBoringSSLRSASqrtTwo is sized for a 4096-bit RSA key.
1050 EXPECT_EQ(4096u / 2u, bits);
1051 }
1052 #endif // !BORINGSSL_SHARED_LIBRARY
1053
1054 #if defined(OPENSSL_THREADS)
TEST(RSATest,Threads)1055 TEST(RSATest, Threads) {
1056 bssl::UniquePtr<RSA> rsa_template(
1057 RSA_private_key_from_bytes(kKey1, sizeof(kKey1) - 1));
1058 ASSERT_TRUE(rsa_template);
1059
1060 const uint8_t kDummyHash[32] = {0};
1061 uint8_t sig[256];
1062 unsigned sig_len = sizeof(sig);
1063 ASSERT_LE(RSA_size(rsa_template.get()), sizeof(sig));
1064 EXPECT_TRUE(RSA_sign(NID_sha256, kDummyHash, sizeof(kDummyHash), sig,
1065 &sig_len, rsa_template.get()));
1066
1067 // RSA keys may be assembled piece-meal and then used in parallel between
1068 // threads, which requires internal locking to create some derived properties.
1069 bssl::UniquePtr<RSA> rsa(RSA_new());
1070 rsa->n = BN_dup(rsa_template->n);
1071 ASSERT_TRUE(rsa->n);
1072 rsa->e = BN_dup(rsa_template->e);
1073 ASSERT_TRUE(rsa->e);
1074 rsa->d = BN_dup(rsa_template->d);
1075 ASSERT_TRUE(rsa->d);
1076 rsa->p = BN_dup(rsa_template->p);
1077 ASSERT_TRUE(rsa->p);
1078 rsa->q = BN_dup(rsa_template->q);
1079 ASSERT_TRUE(rsa->q);
1080 rsa->dmp1 = BN_dup(rsa_template->dmp1);
1081 ASSERT_TRUE(rsa->dmp1);
1082 rsa->dmq1 = BN_dup(rsa_template->dmq1);
1083 ASSERT_TRUE(rsa->dmq1);
1084 rsa->iqmp = BN_dup(rsa_template->iqmp);
1085 ASSERT_TRUE(rsa->iqmp);
1086
1087 // Each of these operations must be safe to do concurrently on different
1088 // threads.
1089 auto raw_access = [&] { EXPECT_EQ(0, BN_cmp(rsa->d, rsa_template->d)); };
1090 auto getter = [&] {
1091 const BIGNUM *d;
1092 RSA_get0_key(rsa.get(), nullptr, nullptr, &d);
1093 EXPECT_EQ(0, BN_cmp(d, rsa_template->d));
1094 };
1095 auto sign = [&] {
1096 uint8_t sig2[256];
1097 unsigned sig2_len = sizeof(sig2);
1098 ASSERT_LE(RSA_size(rsa.get()), sizeof(sig2));
1099 EXPECT_TRUE(RSA_sign(NID_sha256, kDummyHash, sizeof(kDummyHash), sig2,
1100 &sig2_len, rsa.get()));
1101 // RSASSA-PKCS1-v1_5 is deterministic.
1102 EXPECT_EQ(Bytes(sig, sig_len), Bytes(sig2, sig2_len));
1103 };
1104 auto verify = [&] {
1105 EXPECT_TRUE(RSA_verify(NID_sha256, kDummyHash, sizeof(kDummyHash), sig,
1106 sig_len, rsa.get()));
1107 };
1108
1109 std::vector<std::thread> threads;
1110 threads.emplace_back(raw_access);
1111 threads.emplace_back(raw_access);
1112 threads.emplace_back(getter);
1113 threads.emplace_back(getter);
1114 threads.emplace_back(sign);
1115 threads.emplace_back(sign);
1116 threads.emplace_back(verify);
1117 threads.emplace_back(verify);
1118 for (auto &thread : threads) {
1119 thread.join();
1120 }
1121 }
1122
1123 // This test might be excessively slow on slower CPUs or platforms that do not
1124 // expect server workloads. It is disabled by default and reenabled on some
1125 // platforms when running tests standalone via all_tests.go.
1126 //
1127 // Additionally, even when running disabled tests standalone, limit this to
1128 // x86_64. On other platforms, this test hits resource limits or is too slow.
1129 #if defined(OPENSSL_X86_64)
TEST(RSATest,DISABLED_BlindingCacheConcurrency)1130 TEST(RSATest, DISABLED_BlindingCacheConcurrency) {
1131 bssl::UniquePtr<RSA> rsa(
1132 RSA_private_key_from_bytes(kKey1, sizeof(kKey1) - 1));
1133 ASSERT_TRUE(rsa);
1134
1135 #if defined(OPENSSL_TSAN)
1136 constexpr size_t kSignaturesPerThread = 10;
1137 constexpr size_t kNumThreads = 10;
1138 #else
1139 constexpr size_t kSignaturesPerThread = 100;
1140 constexpr size_t kNumThreads = 2048;
1141 #endif
1142
1143 const uint8_t kDummyHash[32] = {0};
1144 auto worker = [&] {
1145 uint8_t sig[256];
1146 ASSERT_LE(RSA_size(rsa.get()), sizeof(sig));
1147
1148 for (size_t i = 0; i < kSignaturesPerThread; i++) {
1149 unsigned sig_len = sizeof(sig);
1150 EXPECT_TRUE(RSA_sign(NID_sha256, kDummyHash, sizeof(kDummyHash), sig,
1151 &sig_len, rsa.get()));
1152 }
1153 };
1154
1155 std::vector<std::thread> threads;
1156 threads.reserve(kNumThreads);
1157 for (size_t i = 0; i < kNumThreads; i++) {
1158 threads.emplace_back(worker);
1159 }
1160 for (auto &thread : threads) {
1161 thread.join();
1162 }
1163 }
1164 #endif // X86_64
1165
1166 #endif // THREADS
1167