1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.] */
56
57 #include <openssl/rsa.h>
58
59 #include <stdlib.h>
60 #include <string.h>
61
62 #include <gtest/gtest.h>
63
64 #include <openssl/bn.h>
65 #include <openssl/bytestring.h>
66 #include <openssl/crypto.h>
67 #include <openssl/err.h>
68 #include <openssl/nid.h>
69
70 #include "../fipsmodule/bn/internal.h"
71 #include "../fipsmodule/rsa/internal.h"
72 #include "../internal.h"
73 #include "../test/test_util.h"
74
75
76 // kPlaintext is a sample plaintext.
77 static const uint8_t kPlaintext[] = "\x54\x85\x9b\x34\x2c\x49\xea\x2a";
78 static const size_t kPlaintextLen = sizeof(kPlaintext) - 1;
79
80 // kKey1 is a DER-encoded RSAPrivateKey.
81 static const uint8_t kKey1[] =
82 "\x30\x82\x01\x38\x02\x01\x00\x02\x41\x00\xaa\x36\xab\xce\x88\xac\xfd\xff"
83 "\x55\x52\x3c\x7f\xc4\x52\x3f\x90\xef\xa0\x0d\xf3\x77\x4a\x25\x9f\x2e\x62"
84 "\xb4\xc5\xd9\x9c\xb5\xad\xb3\x00\xa0\x28\x5e\x53\x01\x93\x0e\x0c\x70\xfb"
85 "\x68\x76\x93\x9c\xe6\x16\xce\x62\x4a\x11\xe0\x08\x6d\x34\x1e\xbc\xac\xa0"
86 "\xa1\xf5\x02\x01\x11\x02\x40\x0a\x03\x37\x48\x62\x64\x87\x69\x5f\x5f\x30"
87 "\xbc\x38\xb9\x8b\x44\xc2\xcd\x2d\xff\x43\x40\x98\xcd\x20\xd8\xa1\x38\xd0"
88 "\x90\xbf\x64\x79\x7c\x3f\xa7\xa2\xcd\xcb\x3c\xd1\xe0\xbd\xba\x26\x54\xb4"
89 "\xf9\xdf\x8e\x8a\xe5\x9d\x73\x3d\x9f\x33\xb3\x01\x62\x4a\xfd\x1d\x51\x02"
90 "\x21\x00\xd8\x40\xb4\x16\x66\xb4\x2e\x92\xea\x0d\xa3\xb4\x32\x04\xb5\xcf"
91 "\xce\x33\x52\x52\x4d\x04\x16\xa5\xa4\x41\xe7\x00\xaf\x46\x12\x0d\x02\x21"
92 "\x00\xc9\x7f\xb1\xf0\x27\xf4\x53\xf6\x34\x12\x33\xea\xaa\xd1\xd9\x35\x3f"
93 "\x6c\x42\xd0\x88\x66\xb1\xd0\x5a\x0f\x20\x35\x02\x8b\x9d\x89\x02\x20\x59"
94 "\x0b\x95\x72\xa2\xc2\xa9\xc4\x06\x05\x9d\xc2\xab\x2f\x1d\xaf\xeb\x7e\x8b"
95 "\x4f\x10\xa7\x54\x9e\x8e\xed\xf5\xb4\xfc\xe0\x9e\x05\x02\x21\x00\x8e\x3c"
96 "\x05\x21\xfe\x15\xe0\xea\x06\xa3\x6f\xf0\xf1\x0c\x99\x52\xc3\x5b\x7a\x75"
97 "\x14\xfd\x32\x38\xb8\x0a\xad\x52\x98\x62\x8d\x51\x02\x20\x36\x3f\xf7\x18"
98 "\x9d\xa8\xe9\x0b\x1d\x34\x1f\x71\xd0\x9b\x76\xa8\xa9\x43\xe1\x1d\x10\xb2"
99 "\x4d\x24\x9f\x2d\xea\xfe\xf8\x0c\x18\x26";
100
101 // kFIPSKey is a DER-encoded RSAPrivateKey that is FIPS-compliant.
102 static const uint8_t kFIPSKey[] =
103 "\x30\x82\x02\x5c\x02\x01\x00\x02\x81\x81\x00\xa1\x71\x90\x77\x86\x8a\xc7"
104 "\xb8\xfc\x2a\x45\x82\x6d\xee\xeb\x35\x3a\x18\x3f\xb6\xb0\x1e\xb1\xd3\x09"
105 "\x6b\x05\x4d\xec\x1c\x37\x6f\x09\x31\x32\xda\x21\x8a\x49\x0e\x16\x28\xed"
106 "\x9a\x30\xf3\x14\x53\xfd\x5b\xb0\xf6\x4a\x5d\x52\xe1\xda\xe1\x40\x6e\x65"
107 "\xbf\xca\x45\xd9\x62\x96\x4a\x1e\x11\xc4\x61\x83\x1f\x58\x8d\x5e\xd0\x12"
108 "\xaf\xa5\xec\x9b\x97\x2f\x6c\xb2\x82\x4a\x73\xd0\xd3\x9a\xc9\x69\x6b\x24"
109 "\x3c\x82\x6f\xee\x4d\x0c\x7e\xdf\xd7\xae\xea\x3a\xeb\x04\x27\x8d\x43\x81"
110 "\x59\xa7\x90\x56\xc1\x69\x42\xb3\xaf\x1c\x8d\x4e\xbf\x02\x03\x01\x00\x01"
111 "\x02\x81\x80\x60\x82\xcd\x44\x46\xcf\xeb\xf9\x6f\xf5\xad\x3b\xfd\x90\x18"
112 "\x57\xe7\x74\xdb\x91\xd0\xd3\x68\xa6\xaa\x38\xaa\x21\x1d\x06\xf9\x34\x8d"
113 "\xa0\x35\xb0\x24\xe0\xd0\x2f\x75\x9b\xdd\xfe\x91\x48\x9f\x5c\x5e\x57\x54"
114 "\x00\xc8\x0f\xe6\x1e\x52\x84\xd9\xc9\xa5\x55\xf4\x0a\xbe\x88\x46\x7a\xfb"
115 "\x18\x37\x8e\xe6\x6e\xa2\x5f\x80\x48\x34\x3f\x5c\xbe\x0e\x1e\xe8\x2f\x50"
116 "\xba\x14\x96\x3c\xea\xfb\xd2\x49\x33\xdc\x12\xb8\xa7\x8a\xb5\x27\xf9\x00"
117 "\x4b\xf5\xd2\x2a\xd0\x2c\x1d\x9b\xd5\x6c\x3e\x4b\xb9\x7e\x39\xf7\x3e\x39"
118 "\xc9\x47\x5e\xbe\x91\x02\x41\x00\xcd\x33\xcf\x37\x01\xd7\x59\xcc\xbe\xa0"
119 "\x1c\xb9\xf5\xe7\x44\x9f\x62\x91\xa7\xa7\x7b\x0c\x52\xcd\x7e\xe6\x31\x11"
120 "\x8b\xd8\x2c\x8a\x63\xe1\x07\xc9\xcb\xce\x01\x45\x63\xf5\x5d\x44\xfb\xeb"
121 "\x8d\x74\x16\x20\x7d\x3b\xb4\xa1\x61\xb0\xa8\x29\x51\xc9\xef\xb6\xa1\xd5"
122 "\x02\x41\x00\xc9\x68\xa6\xd3\x88\xd5\x49\x9d\x6b\x44\x96\xfd\xbf\x66\x27"
123 "\xb4\x1f\x90\x76\x86\x2f\xe2\xce\x20\x5d\xee\x9b\xeb\xc4\xb4\x62\x47\x79"
124 "\x99\xb1\x99\xbc\xa2\xa6\xb6\x96\x64\xd5\x77\x9b\x45\xd4\xf0\x99\xb5\x9e"
125 "\x61\x4d\xf5\x12\xdd\x84\x14\xaf\x1e\xdd\x83\x24\x43\x02\x40\x60\x29\x7f"
126 "\x59\xcf\xcb\x13\x92\x17\x63\x01\x13\x44\x61\x74\x8f\x1c\xaa\x15\x5f\x2f"
127 "\x12\xbf\x5a\xfd\xb4\xf2\x19\xbe\xe7\x37\x38\x43\x46\x19\x58\x3f\xe1\xf2"
128 "\x46\x8a\x69\x59\xa4\x12\x4a\x78\xa7\x86\x17\x03\x99\x0f\x34\xf1\x8a\xcf"
129 "\xc3\x4d\x48\xcc\xc5\x51\x61\x02\x41\x00\xc2\x12\xb3\x5d\xf5\xe5\xff\xcf"
130 "\x4e\x43\x83\x72\xf2\xf1\x4e\xa4\xc4\x1d\x81\xf7\xff\x40\x7e\xfa\xb5\x48"
131 "\x6c\xba\x1c\x8a\xec\x80\x8e\xed\xc8\x32\xa9\x8f\xd9\x30\xeb\x6e\x32\x3b"
132 "\xd4\x44\xcf\xd1\x1f\x6b\xe0\x37\x46\xd5\x35\xde\x79\x9d\x2c\xb9\x83\x1d"
133 "\x10\xdd\x02\x40\x0f\x14\x95\x96\xa0\xe2\x6c\xd4\x88\xa7\x0b\x82\x14\x10"
134 "\xad\x26\x0d\xe4\xa1\x5e\x01\x3d\x21\xd2\xfb\x0e\xf9\x58\xa5\xca\x1e\x21"
135 "\xb3\xf5\x9a\x6c\x3d\x5a\x72\xb1\x2d\xfe\xac\x09\x4f\xdd\xe5\x44\xd1\x4e"
136 "\xf8\x59\x85\x3a\x65\xe2\xcd\xbc\x27\x1d\x9b\x48\x9f\xb9";
137
138 static const uint8_t kFIPSPublicKey[] =
139 "\x30\x81\x89\x02\x81\x81\x00\xa1\x71\x90\x77\x86\x8a\xc7\xb8\xfc\x2a\x45"
140 "\x82\x6d\xee\xeb\x35\x3a\x18\x3f\xb6\xb0\x1e\xb1\xd3\x09\x6b\x05\x4d\xec"
141 "\x1c\x37\x6f\x09\x31\x32\xda\x21\x8a\x49\x0e\x16\x28\xed\x9a\x30\xf3\x14"
142 "\x53\xfd\x5b\xb0\xf6\x4a\x5d\x52\xe1\xda\xe1\x40\x6e\x65\xbf\xca\x45\xd9"
143 "\x62\x96\x4a\x1e\x11\xc4\x61\x83\x1f\x58\x8d\x5e\xd0\x12\xaf\xa5\xec\x9b"
144 "\x97\x2f\x6c\xb2\x82\x4a\x73\xd0\xd3\x9a\xc9\x69\x6b\x24\x3c\x82\x6f\xee"
145 "\x4d\x0c\x7e\xdf\xd7\xae\xea\x3a\xeb\x04\x27\x8d\x43\x81\x59\xa7\x90\x56"
146 "\xc1\x69\x42\xb3\xaf\x1c\x8d\x4e\xbf\x02\x03\x01\x00\x01";
147
148 // kOAEPCiphertext1 is a sample encryption of |kPlaintext| with |kKey1| using
149 // RSA OAEP.
150 static const uint8_t kOAEPCiphertext1[] =
151 "\x1b\x8f\x05\xf9\xca\x1a\x79\x52\x6e\x53\xf3\xcc\x51\x4f\xdb\x89\x2b\xfb"
152 "\x91\x93\x23\x1e\x78\xb9\x92\xe6\x8d\x50\xa4\x80\xcb\x52\x33\x89\x5c\x74"
153 "\x95\x8d\x5d\x02\xab\x8c\x0f\xd0\x40\xeb\x58\x44\xb0\x05\xc3\x9e\xd8\x27"
154 "\x4a\x9d\xbf\xa8\x06\x71\x40\x94\x39\xd2";
155
156 // kKey2 is a DER-encoded RSAPrivateKey.
157 static const uint8_t kKey2[] =
158 "\x30\x81\xfb\x02\x01\x00\x02\x33\x00\xa3\x07\x9a\x90\xdf\x0d\xfd\x72\xac"
159 "\x09\x0c\xcc\x2a\x78\xb8\x74\x13\x13\x3e\x40\x75\x9c\x98\xfa\xf8\x20\x4f"
160 "\x35\x8a\x0b\x26\x3c\x67\x70\xe7\x83\xa9\x3b\x69\x71\xb7\x37\x79\xd2\x71"
161 "\x7b\xe8\x34\x77\xcf\x02\x01\x03\x02\x32\x6c\xaf\xbc\x60\x94\xb3\xfe\x4c"
162 "\x72\xb0\xb3\x32\xc6\xfb\x25\xa2\xb7\x62\x29\x80\x4e\x68\x65\xfc\xa4\x5a"
163 "\x74\xdf\x0f\x8f\xb8\x41\x3b\x52\xc0\xd0\xe5\x3d\x9b\x59\x0f\xf1\x9b\xe7"
164 "\x9f\x49\xdd\x21\xe5\xeb\x02\x1a\x00\xcf\x20\x35\x02\x8b\x9d\x86\x98\x40"
165 "\xb4\x16\x66\xb4\x2e\x92\xea\x0d\xa3\xb4\x32\x04\xb5\xcf\xce\x91\x02\x1a"
166 "\x00\xc9\x7f\xb1\xf0\x27\xf4\x53\xf6\x34\x12\x33\xea\xaa\xd1\xd9\x35\x3f"
167 "\x6c\x42\xd0\x88\x66\xb1\xd0\x5f\x02\x1a\x00\x8a\x15\x78\xac\x5d\x13\xaf"
168 "\x10\x2b\x22\xb9\x99\xcd\x74\x61\xf1\x5e\x6d\x22\xcc\x03\x23\xdf\xdf\x0b"
169 "\x02\x1a\x00\x86\x55\x21\x4a\xc5\x4d\x8d\x4e\xcd\x61\x77\xf1\xc7\x36\x90"
170 "\xce\x2a\x48\x2c\x8b\x05\x99\xcb\xe0\x3f\x02\x1a\x00\x83\xef\xef\xb8\xa9"
171 "\xa4\x0d\x1d\xb6\xed\x98\xad\x84\xed\x13\x35\xdc\xc1\x08\xf3\x22\xd0\x57"
172 "\xcf\x8d";
173
174 // kOAEPCiphertext2 is a sample encryption of |kPlaintext| with |kKey2| using
175 // RSA OAEP.
176 static const uint8_t kOAEPCiphertext2[] =
177 "\x14\xbd\xdd\x28\xc9\x83\x35\x19\x23\x80\xe8\xe5\x49\xb1\x58\x2a\x8b\x40"
178 "\xb4\x48\x6d\x03\xa6\xa5\x31\x1f\x1f\xd5\xf0\xa1\x80\xe4\x17\x53\x03\x29"
179 "\xa9\x34\x90\x74\xb1\x52\x13\x54\x29\x08\x24\x52\x62\x51";
180
181 // kKey3 is a DER-encoded RSAPrivateKey.
182 static const uint8_t kKey3[] =
183 "\x30\x82\x02\x5b\x02\x01\x00\x02\x81\x81\x00\xbb\xf8\x2f\x09\x06\x82\xce"
184 "\x9c\x23\x38\xac\x2b\x9d\xa8\x71\xf7\x36\x8d\x07\xee\xd4\x10\x43\xa4\x40"
185 "\xd6\xb6\xf0\x74\x54\xf5\x1f\xb8\xdf\xba\xaf\x03\x5c\x02\xab\x61\xea\x48"
186 "\xce\xeb\x6f\xcd\x48\x76\xed\x52\x0d\x60\xe1\xec\x46\x19\x71\x9d\x8a\x5b"
187 "\x8b\x80\x7f\xaf\xb8\xe0\xa3\xdf\xc7\x37\x72\x3e\xe6\xb4\xb7\xd9\x3a\x25"
188 "\x84\xee\x6a\x64\x9d\x06\x09\x53\x74\x88\x34\xb2\x45\x45\x98\x39\x4e\xe0"
189 "\xaa\xb1\x2d\x7b\x61\xa5\x1f\x52\x7a\x9a\x41\xf6\xc1\x68\x7f\xe2\x53\x72"
190 "\x98\xca\x2a\x8f\x59\x46\xf8\xe5\xfd\x09\x1d\xbd\xcb\x02\x01\x11\x02\x81"
191 "\x81\x00\xa5\xda\xfc\x53\x41\xfa\xf2\x89\xc4\xb9\x88\xdb\x30\xc1\xcd\xf8"
192 "\x3f\x31\x25\x1e\x06\x68\xb4\x27\x84\x81\x38\x01\x57\x96\x41\xb2\x94\x10"
193 "\xb3\xc7\x99\x8d\x6b\xc4\x65\x74\x5e\x5c\x39\x26\x69\xd6\x87\x0d\xa2\xc0"
194 "\x82\xa9\x39\xe3\x7f\xdc\xb8\x2e\xc9\x3e\xda\xc9\x7f\xf3\xad\x59\x50\xac"
195 "\xcf\xbc\x11\x1c\x76\xf1\xa9\x52\x94\x44\xe5\x6a\xaf\x68\xc5\x6c\x09\x2c"
196 "\xd3\x8d\xc3\xbe\xf5\xd2\x0a\x93\x99\x26\xed\x4f\x74\xa1\x3e\xdd\xfb\xe1"
197 "\xa1\xce\xcc\x48\x94\xaf\x94\x28\xc2\xb7\xb8\x88\x3f\xe4\x46\x3a\x4b\xc8"
198 "\x5b\x1c\xb3\xc1\x02\x41\x00\xee\xcf\xae\x81\xb1\xb9\xb3\xc9\x08\x81\x0b"
199 "\x10\xa1\xb5\x60\x01\x99\xeb\x9f\x44\xae\xf4\xfd\xa4\x93\xb8\x1a\x9e\x3d"
200 "\x84\xf6\x32\x12\x4e\xf0\x23\x6e\x5d\x1e\x3b\x7e\x28\xfa\xe7\xaa\x04\x0a"
201 "\x2d\x5b\x25\x21\x76\x45\x9d\x1f\x39\x75\x41\xba\x2a\x58\xfb\x65\x99\x02"
202 "\x41\x00\xc9\x7f\xb1\xf0\x27\xf4\x53\xf6\x34\x12\x33\xea\xaa\xd1\xd9\x35"
203 "\x3f\x6c\x42\xd0\x88\x66\xb1\xd0\x5a\x0f\x20\x35\x02\x8b\x9d\x86\x98\x40"
204 "\xb4\x16\x66\xb4\x2e\x92\xea\x0d\xa3\xb4\x32\x04\xb5\xcf\xce\x33\x52\x52"
205 "\x4d\x04\x16\xa5\xa4\x41\xe7\x00\xaf\x46\x15\x03\x02\x40\x54\x49\x4c\xa6"
206 "\x3e\xba\x03\x37\xe4\xe2\x40\x23\xfc\xd6\x9a\x5a\xeb\x07\xdd\xdc\x01\x83"
207 "\xa4\xd0\xac\x9b\x54\xb0\x51\xf2\xb1\x3e\xd9\x49\x09\x75\xea\xb7\x74\x14"
208 "\xff\x59\xc1\xf7\x69\x2e\x9a\x2e\x20\x2b\x38\xfc\x91\x0a\x47\x41\x74\xad"
209 "\xc9\x3c\x1f\x67\xc9\x81\x02\x40\x47\x1e\x02\x90\xff\x0a\xf0\x75\x03\x51"
210 "\xb7\xf8\x78\x86\x4c\xa9\x61\xad\xbd\x3a\x8a\x7e\x99\x1c\x5c\x05\x56\xa9"
211 "\x4c\x31\x46\xa7\xf9\x80\x3f\x8f\x6f\x8a\xe3\x42\xe9\x31\xfd\x8a\xe4\x7a"
212 "\x22\x0d\x1b\x99\xa4\x95\x84\x98\x07\xfe\x39\xf9\x24\x5a\x98\x36\xda\x3d"
213 "\x02\x41\x00\xb0\x6c\x4f\xda\xbb\x63\x01\x19\x8d\x26\x5b\xdb\xae\x94\x23"
214 "\xb3\x80\xf2\x71\xf7\x34\x53\x88\x50\x93\x07\x7f\xcd\x39\xe2\x11\x9f\xc9"
215 "\x86\x32\x15\x4f\x58\x83\xb1\x67\xa9\x67\xbf\x40\x2b\x4e\x9e\x2e\x0f\x96"
216 "\x56\xe6\x98\xea\x36\x66\xed\xfb\x25\x79\x80\x39\xf7";
217
218 // kOAEPCiphertext3 is a sample encryption of |kPlaintext| with |kKey3| using
219 // RSA OAEP.
220 static const uint8_t kOAEPCiphertext3[] =
221 "\xb8\x24\x6b\x56\xa6\xed\x58\x81\xae\xb5\x85\xd9\xa2\x5b\x2a\xd7\x90\xc4"
222 "\x17\xe0\x80\x68\x1b\xf1\xac\x2b\xc3\xde\xb6\x9d\x8b\xce\xf0\xc4\x36\x6f"
223 "\xec\x40\x0a\xf0\x52\xa7\x2e\x9b\x0e\xff\xb5\xb3\xf2\xf1\x92\xdb\xea\xca"
224 "\x03\xc1\x27\x40\x05\x71\x13\xbf\x1f\x06\x69\xac\x22\xe9\xf3\xa7\x85\x2e"
225 "\x3c\x15\xd9\x13\xca\xb0\xb8\x86\x3a\x95\xc9\x92\x94\xce\x86\x74\x21\x49"
226 "\x54\x61\x03\x46\xf4\xd4\x74\xb2\x6f\x7c\x48\xb4\x2e\xe6\x8e\x1f\x57\x2a"
227 "\x1f\xc4\x02\x6a\xc4\x56\xb4\xf5\x9f\x7b\x62\x1e\xa1\xb9\xd8\x8f\x64\x20"
228 "\x2f\xb1";
229
230 static const uint8_t kTwoPrimeKey[] =
231 "\x30\x82\x04\xa1\x02\x01\x00\x02\x82\x01\x01\x00\x93\x3a\x4f\xc9\x6a\x0a"
232 "\x6b\x28\x04\xfa\xb7\x05\x56\xdf\xa0\xaa\x4f\xaa\xab\x94\xa0\xa9\x25\xef"
233 "\xc5\x96\xd2\xd4\x66\x16\x62\x2c\x13\x7b\x91\xd0\x36\x0a\x10\x11\x6d\x7a"
234 "\x91\xb6\xe4\x74\x57\xc1\x3d\x7a\xbe\x24\x05\x3a\x04\x0b\x73\x91\x53\xb1"
235 "\x74\x10\xe1\x87\xdc\x91\x28\x9c\x1e\xe5\xf2\xb9\xfc\xa2\x48\x34\xb6\x78"
236 "\xed\x6d\x95\xfb\xf2\xc0\x4e\x1c\xa4\x15\x00\x3c\x8a\x68\x2b\xd6\xce\xd5"
237 "\xb3\x9f\x66\x02\xa7\x0d\x08\xa3\x23\x9b\xe5\x36\x96\x13\x22\xf9\x69\xa6"
238 "\x87\x88\x9b\x85\x3f\x83\x9c\xab\x1a\x1b\x6d\x8d\x16\xf4\x5e\xbd\xee\x4b"
239 "\x59\x56\xf8\x9d\x58\xcd\xd2\x83\x85\x59\x43\x84\x63\x4f\xe6\x1a\x86\x66"
240 "\x0d\xb5\xa0\x87\x89\xb6\x13\x82\x43\xda\x34\x92\x3b\x68\xc4\x95\x71\x2f"
241 "\x15\xc2\xe0\x43\x67\x3c\x08\x00\x36\x10\xc3\xb4\x46\x4c\x4e\x6e\xf5\x44"
242 "\xa9\x04\x44\x9d\xce\xc7\x05\x79\xee\x11\xcf\xaf\x2c\xd7\x9a\x32\xd3\xa5"
243 "\x30\xd4\x3a\x78\x43\x37\x74\x22\x90\x24\x04\x11\xd7\x95\x08\x52\xa4\x71"
244 "\x41\x68\x94\xb0\xa0\xc3\xec\x4e\xd2\xc4\x30\x71\x98\x64\x9c\xe3\x7c\x76"
245 "\xef\x33\xa3\x2b\xb1\x87\x63\xd2\x5c\x09\xfc\x90\x2d\x92\xf4\x57\x02\x01"
246 "\x03\x02\x82\x01\x00\x62\x26\xdf\xdb\x9c\x06\xf2\x1a\xad\xfc\x7a\x03\x8f"
247 "\x3f\xc0\x71\x8a\x71\xc7\xb8\x6b\x1b\x6e\x9f\xd9\x0f\x37\x38\x44\x0e\xec"
248 "\x1d\x62\x52\x61\x35\x79\x5c\x0a\xb6\x48\xfc\x61\x24\x98\x4d\x8f\xd6\x28"
249 "\xfc\x7e\xc2\xae\x26\xad\x5c\xf7\xb6\x37\xcb\xa2\xb5\xeb\xaf\xe8\x60\xc5"
250 "\xbd\x69\xee\xa1\xd1\x53\x16\xda\xcd\xce\xfb\x48\xf3\xb9\x52\xa1\xd5\x89"
251 "\x68\x6d\x63\x55\x7d\xb1\x9a\xc7\xe4\x89\xe3\xcd\x14\xee\xac\x6f\x5e\x05"
252 "\xc2\x17\xbd\x43\x79\xb9\x62\x17\x50\xf1\x19\xaf\xb0\x67\xae\x2a\x57\xbd"
253 "\xc7\x66\xbc\xf3\xb3\x64\xa1\xe3\x16\x74\x9e\xea\x02\x5c\xab\x94\xd8\x97"
254 "\x02\x42\x0c\x2c\xba\x54\xb9\xaf\xe0\x45\x93\xad\x7f\xb3\x10\x6a\x96\x50"
255 "\x4b\xaf\xcf\xc8\x27\x62\x2d\x83\xe9\x26\xc6\x94\xc1\xef\x5c\x8e\x06\x42"
256 "\x53\xe5\x56\xaf\xc2\x99\x01\xaa\x9a\x71\xbc\xe8\x21\x33\x2a\x2d\xa3\x36"
257 "\xac\x1b\x86\x19\xf8\xcd\x1f\x80\xa4\x26\x98\xb8\x9f\x62\x62\xd5\x1a\x7f"
258 "\xee\xdb\xdf\x81\xd3\x21\xdb\x33\x92\xee\xff\xe2\x2f\x32\x77\x73\x6a\x58"
259 "\xab\x21\xf3\xe3\xe1\xbc\x4f\x12\x72\xa6\xb5\xc2\xfb\x27\x9e\xc8\xca\xab"
260 "\x64\xa0\x87\x07\x9d\xef\xca\x0f\xdb\x02\x81\x81\x00\xe6\xd3\x4d\xc0\xa1"
261 "\x91\x0e\x62\xfd\xb0\xdd\xc6\x30\xb8\x8c\xcb\x14\xc1\x4b\x69\x30\xdd\xcd"
262 "\x86\x67\xcb\x37\x14\xc5\x03\xd2\xb4\x69\xab\x3d\xe5\x16\x81\x0f\xe5\x50"
263 "\xf4\x18\xb1\xec\xbc\x71\xe9\x80\x99\x06\xe4\xa3\xfe\x44\x84\x4a\x2d\x1e"
264 "\x07\x7f\x22\x70\x6d\x4f\xd4\x93\x0b\x8b\x99\xce\x1e\xab\xcd\x4c\xd2\xd3"
265 "\x10\x47\x5c\x09\x9f\x6d\x82\xc0\x08\x75\xe3\x3d\x83\xc2\x19\x50\x29\xec"
266 "\x1f\x84\x29\xcc\xf1\x56\xee\xbd\x54\x5d\xe6\x19\xdf\x0d\x1c\xa4\xbb\x0a"
267 "\xfe\x84\x44\x29\x1d\xf9\x5c\x80\x96\x5b\x24\xb4\xf7\x02\x1b\x02\x81\x81"
268 "\x00\xa3\x48\xf1\x9c\x58\xc2\x5f\x38\xfb\xd8\x12\x39\xf1\x8e\x73\xa1\xcf"
269 "\x78\x12\xe0\xed\x2a\xbb\xef\xac\x23\xb2\xbf\xd6\x0c\xe9\x6e\x1e\xab\xea"
270 "\x3f\x68\x36\xa7\x1f\xe5\xab\xe0\x86\xa5\x76\x32\x98\xdd\x75\xb5\x2b\xbc"
271 "\xcb\x8a\x03\x00\x7c\x2e\xca\xf8\xbc\x19\xe4\xe3\xa3\x31\xbd\x1d\x20\x2b"
272 "\x09\xad\x6f\x4c\xed\x48\xd4\xdf\x87\xf9\xf0\x46\xb9\x86\x4c\x4b\x71\xe7"
273 "\x48\x78\xdc\xed\xc7\x82\x02\x44\xd3\xa6\xb3\x10\x5f\x62\x81\xfc\xb8\xe4"
274 "\x0e\xf4\x1a\xdd\xab\x3f\xbc\x63\x79\x5b\x39\x69\x5e\xea\xa9\x15\xfe\x90"
275 "\xec\xda\x75\x02\x81\x81\x00\x99\xe2\x33\xd5\xc1\x0b\x5e\xec\xa9\x20\x93"
276 "\xd9\x75\xd0\x5d\xdc\xb8\x80\xdc\xf0\xcb\x3e\x89\x04\x45\x32\x24\xb8\x83"
277 "\x57\xe1\xcd\x9b\xc7\x7e\x98\xb9\xab\x5f\xee\x35\xf8\x10\x76\x9d\xd2\xf6"
278 "\x9b\xab\x10\xaf\x43\x17\xfe\xd8\x58\x31\x73\x69\x5a\x54\xc1\xa0\x48\xdf"
279 "\xe3\x0c\xb2\x5d\x11\x34\x14\x72\x88\xdd\xe1\xe2\x0a\xda\x3d\x5b\xbf\x9e"
280 "\x57\x2a\xb0\x4e\x97\x7e\x57\xd6\xbb\x8a\xc6\x9d\x6a\x58\x1b\xdd\xf6\x39"
281 "\xf4\x7e\x38\x3e\x99\x66\x94\xb3\x68\x6d\xd2\x07\x54\x58\x2d\x70\xbe\xa6"
282 "\x3d\xab\x0e\xe7\x6d\xcd\xfa\x01\x67\x02\x81\x80\x6c\xdb\x4b\xbd\x90\x81"
283 "\x94\xd0\xa7\xe5\x61\x7b\xf6\x5e\xf7\xc1\x34\xfa\xb7\x40\x9e\x1c\x7d\x4a"
284 "\x72\xc2\x77\x2a\x8e\xb3\x46\x49\x69\xc7\xf1\x7f\x9a\xcf\x1a\x15\x43\xc7"
285 "\xeb\x04\x6e\x4e\xcc\x65\xe8\xf9\x23\x72\x7d\xdd\x06\xac\xaa\xfd\x74\x87"
286 "\x50\x7d\x66\x98\x97\xc2\x21\x28\xbe\x15\x72\x06\x73\x9f\x88\x9e\x30\x8d"
287 "\xea\x5a\xa6\xa0\x2f\x26\x59\x88\x32\x4b\xef\x85\xa5\xe8\x9e\x85\x01\x56"
288 "\xd8\x8d\x19\xcc\xb5\x94\xec\x56\xa8\x7b\x42\xb4\xa2\xbc\x93\xc7\x7f\xd2"
289 "\xec\xfb\x92\x26\x46\x3f\x47\x1b\x63\xff\x0b\x48\x91\xa3\x02\x81\x80\x2c"
290 "\x4a\xb9\xa4\x46\x7b\xff\x50\x7e\xbf\x60\x47\x3b\x2b\x66\x82\xdc\x0e\x53"
291 "\x65\x71\xe9\xda\x2a\xb8\x32\x93\x42\xb7\xff\xea\x67\x66\xf1\xbc\x87\x28"
292 "\x65\x29\x79\xca\xab\x93\x56\xda\x95\xc1\x26\x44\x3d\x27\xc1\x91\xc6\x9b"
293 "\xd9\xec\x9d\xb7\x49\xe7\x16\xee\x99\x87\x50\x95\x81\xd4\x5c\x5b\x5a\x5d"
294 "\x0a\x43\xa5\xa7\x8f\x5a\x80\x49\xa0\xb7\x10\x85\xc7\xf4\x42\x34\x86\xb6"
295 "\x5f\x3f\x88\x9e\xc7\xf5\x59\x29\x39\x68\x48\xf2\xd7\x08\x5b\x92\x8e\x6b"
296 "\xea\xa5\x63\x5f\xc0\xfb\xe4\xe1\xb2\x7d\xb7\x40\xe9\x55\x06\xbf\x58\x25"
297 "\x6f";
298
299 static const uint8_t kTwoPrimeEncryptedMessage[] = {
300 0x63, 0x0a, 0x30, 0x45, 0x43, 0x11, 0x45, 0xb7, 0x99, 0x67, 0x90, 0x35,
301 0x37, 0x27, 0xff, 0xbc, 0xe0, 0xbf, 0xa6, 0xd1, 0x47, 0x50, 0xbb, 0x6c,
302 0x1c, 0xaa, 0x66, 0xf2, 0xff, 0x9d, 0x9a, 0xa6, 0xb4, 0x16, 0x63, 0xb0,
303 0xa1, 0x7c, 0x7c, 0x0c, 0xef, 0xb3, 0x66, 0x52, 0x42, 0xd7, 0x5e, 0xf3,
304 0xa4, 0x15, 0x33, 0x40, 0x43, 0xe8, 0xb1, 0xfc, 0xe0, 0x42, 0x83, 0x46,
305 0x28, 0xce, 0xde, 0x7b, 0x01, 0xeb, 0x28, 0x92, 0x70, 0xdf, 0x8d, 0x54,
306 0x9e, 0xed, 0x23, 0xb4, 0x78, 0xc3, 0xca, 0x85, 0x53, 0x48, 0xd6, 0x8a,
307 0x87, 0xf7, 0x69, 0xcd, 0x82, 0x8c, 0x4f, 0x5c, 0x05, 0x55, 0xa6, 0x78,
308 0x89, 0xab, 0x4c, 0xd8, 0xa9, 0xd6, 0xa5, 0xf4, 0x29, 0x4c, 0x23, 0xc8,
309 0xcf, 0xf0, 0x4c, 0x64, 0x6b, 0x4e, 0x02, 0x17, 0x69, 0xd6, 0x47, 0x83,
310 0x30, 0x43, 0x02, 0x29, 0xda, 0xda, 0x75, 0x3b, 0xd7, 0xa7, 0x2b, 0x31,
311 0xb3, 0xe9, 0x71, 0xa4, 0x41, 0xf7, 0x26, 0x9b, 0xcd, 0x23, 0xfa, 0x45,
312 0x3c, 0x9b, 0x7d, 0x28, 0xf7, 0xf9, 0x67, 0x04, 0xba, 0xfc, 0x46, 0x75,
313 0x11, 0x3c, 0xd5, 0x27, 0x43, 0x53, 0xb1, 0xb6, 0x9e, 0x18, 0xeb, 0x11,
314 0xb4, 0x25, 0x20, 0x30, 0x0b, 0xe0, 0x1c, 0x17, 0x36, 0x22, 0x10, 0x0f,
315 0x99, 0xb5, 0x50, 0x14, 0x73, 0x07, 0xf0, 0x2f, 0x5d, 0x4c, 0xe3, 0xf2,
316 0x86, 0xc2, 0x05, 0xc8, 0x38, 0xed, 0xeb, 0x2a, 0x4a, 0xab, 0x76, 0xe3,
317 0x1a, 0x75, 0x44, 0xf7, 0x6e, 0x94, 0xdc, 0x25, 0x62, 0x7e, 0x31, 0xca,
318 0xc2, 0x73, 0x51, 0xb5, 0x03, 0xfb, 0xf9, 0xf6, 0xb5, 0x8d, 0x4e, 0x6c,
319 0x21, 0x0e, 0xf9, 0x97, 0x26, 0x57, 0xf3, 0x52, 0x72, 0x07, 0xf8, 0xb4,
320 0xcd, 0xb4, 0x39, 0xcf, 0xbf, 0x78, 0xcc, 0xb6, 0x87, 0xf9, 0xb7, 0x8b,
321 0x6a, 0xce, 0x9f, 0xc8,
322 };
323
324 // kEstonianRSAKey is an RSAPublicKey encoded with a negative modulus. See
325 // https://crbug.com/532048.
326 static const uint8_t kEstonianRSAKey[] = {
327 0x30, 0x82, 0x01, 0x09, 0x02, 0x82, 0x01, 0x00, 0x96, 0xa6, 0x2e, 0x9c,
328 0x4e, 0x6a, 0xc3, 0xcc, 0xcd, 0x8f, 0x70, 0xc3, 0x55, 0xbf, 0x5e, 0x9c,
329 0xd4, 0xf3, 0x17, 0xc3, 0x97, 0x70, 0xae, 0xdf, 0x12, 0x5c, 0x15, 0x80,
330 0x03, 0xef, 0x2b, 0x18, 0x9d, 0x6a, 0xcb, 0x52, 0x22, 0xc1, 0x81, 0xb8,
331 0x7e, 0x61, 0xe8, 0x0f, 0x79, 0x24, 0x0f, 0x82, 0x70, 0x24, 0x4e, 0x29,
332 0x20, 0x05, 0x54, 0xeb, 0xd4, 0xa9, 0x65, 0x59, 0xb6, 0x3c, 0x75, 0x95,
333 0x2f, 0x4c, 0xf6, 0x9d, 0xd1, 0xaf, 0x5f, 0x14, 0x14, 0xe7, 0x25, 0xea,
334 0xa5, 0x47, 0x5d, 0xc6, 0x3e, 0x28, 0x8d, 0xdc, 0x54, 0x87, 0x2a, 0x7c,
335 0x10, 0xe9, 0xc6, 0x76, 0x2d, 0xe7, 0x79, 0xd8, 0x0e, 0xbb, 0xa9, 0xac,
336 0xb5, 0x18, 0x98, 0xd6, 0x47, 0x6e, 0x06, 0x70, 0xbf, 0x9e, 0x82, 0x25,
337 0x95, 0x4e, 0xfd, 0x70, 0xd7, 0x73, 0x45, 0x2e, 0xc1, 0x1f, 0x7a, 0x9a,
338 0x9d, 0x60, 0xc0, 0x1f, 0x67, 0x06, 0x2a, 0x4e, 0x87, 0x3f, 0x19, 0x88,
339 0x69, 0x64, 0x4d, 0x9f, 0x75, 0xf5, 0xd3, 0x1a, 0x41, 0x3d, 0x35, 0x17,
340 0xb6, 0xd1, 0x44, 0x0d, 0x25, 0x8b, 0xe7, 0x94, 0x39, 0xb0, 0x7c, 0xaf,
341 0x3e, 0x6a, 0xfa, 0x8d, 0x90, 0x21, 0x0f, 0x8a, 0x43, 0x94, 0x37, 0x7c,
342 0x2a, 0x15, 0x4c, 0xa0, 0xfa, 0xa9, 0x2f, 0x21, 0xa6, 0x6f, 0x8e, 0x2f,
343 0x89, 0xbc, 0xbb, 0x33, 0xf8, 0x31, 0xfc, 0xdf, 0xcd, 0x68, 0x9a, 0xbc,
344 0x75, 0x06, 0x95, 0xf1, 0x3d, 0xef, 0xca, 0x76, 0x27, 0xd2, 0xba, 0x8e,
345 0x0e, 0x1c, 0x43, 0xd7, 0x70, 0xb9, 0xc6, 0x15, 0xca, 0xd5, 0x4d, 0x87,
346 0xb9, 0xd1, 0xae, 0xde, 0x69, 0x73, 0x00, 0x2a, 0x97, 0x51, 0x4b, 0x30,
347 0x01, 0xc2, 0x85, 0xd0, 0x05, 0xcc, 0x2e, 0xe8, 0xc7, 0x42, 0xe7, 0x94,
348 0x51, 0xe3, 0xf5, 0x19, 0x35, 0xdc, 0x57, 0x96, 0xe7, 0xd9, 0xb4, 0x49,
349 0x02, 0x03, 0x01, 0x00, 0x01,
350 };
351
352 // kExponent1RSAKey is an RSAPublicKey encoded with an exponent of 1. See
353 // https://crbug.com/541257
354 static const uint8_t kExponent1RSAKey[] = {
355 0x30, 0x82, 0x01, 0x08, 0x02, 0x82, 0x01, 0x01, 0x00, 0xcf, 0x86, 0x9a,
356 0x7d, 0x5c, 0x9f, 0xbd, 0x33, 0xbb, 0xc2, 0xb1, 0x06, 0xa8, 0x3e, 0xc5,
357 0x18, 0xf3, 0x01, 0x04, 0xdd, 0x7a, 0x38, 0x0e, 0x8e, 0x8d, 0x10, 0xaa,
358 0xf8, 0x64, 0x49, 0x82, 0xa6, 0x16, 0x9d, 0xd9, 0xae, 0x5e, 0x7f, 0x9b,
359 0x53, 0xcb, 0xbb, 0x29, 0xda, 0x98, 0x47, 0x26, 0x88, 0x2e, 0x1d, 0x64,
360 0xb3, 0xbc, 0x7e, 0x96, 0x3a, 0xa7, 0xd6, 0x87, 0xf6, 0xf5, 0x3f, 0xa7,
361 0x3b, 0xd3, 0xc5, 0xd5, 0x61, 0x3c, 0x63, 0x05, 0xf9, 0xbc, 0x64, 0x1d,
362 0x71, 0x65, 0xf5, 0xc8, 0xe8, 0x64, 0x41, 0x35, 0x88, 0x81, 0x6b, 0x2a,
363 0x24, 0xbb, 0xdd, 0x9f, 0x75, 0x4f, 0xea, 0x35, 0xe5, 0x32, 0x76, 0x5a,
364 0x8b, 0x7a, 0xb5, 0x92, 0x65, 0x34, 0xb7, 0x88, 0x42, 0x5d, 0x41, 0x0b,
365 0xd1, 0x00, 0x2d, 0x43, 0x47, 0x55, 0x60, 0x3c, 0x0e, 0x60, 0x04, 0x5c,
366 0x88, 0x13, 0xc7, 0x42, 0x55, 0x16, 0x31, 0x32, 0x81, 0xba, 0xde, 0xa9,
367 0x56, 0xeb, 0xdb, 0x66, 0x7f, 0x31, 0xba, 0xe8, 0x87, 0x1a, 0xcc, 0xad,
368 0x90, 0x86, 0x4b, 0xa7, 0x6d, 0xd5, 0xc1, 0xb7, 0xe7, 0x67, 0x56, 0x41,
369 0xf7, 0x03, 0xb3, 0x09, 0x61, 0x63, 0xb5, 0xb0, 0x19, 0x7b, 0xc5, 0x91,
370 0xc8, 0x96, 0x5b, 0x6a, 0x80, 0xa1, 0x53, 0x0f, 0x9a, 0x47, 0xb5, 0x9a,
371 0x44, 0x53, 0xbd, 0x93, 0xe3, 0xe4, 0xce, 0x0c, 0x17, 0x11, 0x51, 0x1d,
372 0xfd, 0x6c, 0x74, 0xe4, 0xec, 0x2a, 0xce, 0x57, 0x27, 0xcc, 0x83, 0x98,
373 0x08, 0x32, 0x2c, 0xd5, 0x75, 0xa9, 0x27, 0xfe, 0xaa, 0x5e, 0x48, 0xc9,
374 0x46, 0x9a, 0x29, 0x3f, 0xe6, 0x01, 0x4d, 0x97, 0x4a, 0x70, 0xd1, 0x5d,
375 0xf8, 0xc0, 0x0b, 0x23, 0xcb, 0xbe, 0xf5, 0x70, 0x0b, 0xc2, 0xf2, 0xc0,
376 0x33, 0x9c, 0xc4, 0x8b, 0x39, 0x7e, 0x3d, 0xc6, 0x23, 0x39, 0x9a, 0x98,
377 0xdd, 0x02, 0x01, 0x01,
378 };
379
380 struct RSAEncryptParam {
381 const uint8_t *der;
382 size_t der_len;
383 const uint8_t *oaep_ciphertext;
384 size_t oaep_ciphertext_len;
385 } kRSAEncryptParams[] = {
386 {kKey1, sizeof(kKey1) - 1, kOAEPCiphertext1, sizeof(kOAEPCiphertext1) - 1},
387 {kKey2, sizeof(kKey2) - 1, kOAEPCiphertext2, sizeof(kOAEPCiphertext2) - 1},
388 {kKey3, sizeof(kKey3) - 1, kOAEPCiphertext3, sizeof(kOAEPCiphertext3) - 1},
389 };
390
391 class RSAEncryptTest : public testing::TestWithParam<RSAEncryptParam> {};
392
TEST_P(RSAEncryptTest,TestKey)393 TEST_P(RSAEncryptTest, TestKey) {
394 const auto ¶m = GetParam();
395 bssl::UniquePtr<RSA> key(
396 RSA_private_key_from_bytes(param.der, param.der_len));
397 ASSERT_TRUE(key);
398
399 EXPECT_TRUE(RSA_check_key(key.get()));
400
401 uint8_t ciphertext[256];
402
403 // Test that PKCS#1 v1.5 encryption round-trips.
404 size_t ciphertext_len = 0;
405 ASSERT_TRUE(RSA_encrypt(key.get(), &ciphertext_len, ciphertext,
406 sizeof(ciphertext), kPlaintext, kPlaintextLen,
407 RSA_PKCS1_PADDING));
408 EXPECT_EQ(RSA_size(key.get()), ciphertext_len);
409
410 uint8_t plaintext[256];
411 size_t plaintext_len = 0;
412 ASSERT_TRUE(RSA_decrypt(key.get(), &plaintext_len, plaintext,
413 sizeof(plaintext), ciphertext, ciphertext_len,
414 RSA_PKCS1_PADDING));
415 EXPECT_EQ(Bytes(kPlaintext, kPlaintextLen), Bytes(plaintext, plaintext_len));
416
417 // Test that OAEP encryption round-trips.
418 ciphertext_len = 0;
419 ASSERT_TRUE(RSA_encrypt(key.get(), &ciphertext_len, ciphertext,
420 sizeof(ciphertext), kPlaintext, kPlaintextLen,
421 RSA_PKCS1_OAEP_PADDING));
422 EXPECT_EQ(RSA_size(key.get()), ciphertext_len);
423
424 plaintext_len = 0;
425 ASSERT_TRUE(RSA_decrypt(key.get(), &plaintext_len, plaintext,
426 sizeof(plaintext), ciphertext, ciphertext_len,
427 RSA_PKCS1_OAEP_PADDING));
428 EXPECT_EQ(Bytes(kPlaintext, kPlaintextLen), Bytes(plaintext, plaintext_len));
429
430 // |oaep_ciphertext| should decrypt to |kPlaintext|.
431 plaintext_len = 0;
432 ASSERT_TRUE(RSA_decrypt(key.get(), &plaintext_len, plaintext,
433 sizeof(plaintext), param.oaep_ciphertext,
434 param.oaep_ciphertext_len, RSA_PKCS1_OAEP_PADDING));
435 EXPECT_EQ(Bytes(kPlaintext, kPlaintextLen), Bytes(plaintext, plaintext_len));
436
437 // Try decrypting corrupted ciphertexts.
438 OPENSSL_memcpy(ciphertext, param.oaep_ciphertext, param.oaep_ciphertext_len);
439 for (size_t i = 0; i < param.oaep_ciphertext_len; i++) {
440 SCOPED_TRACE(i);
441 ciphertext[i] ^= 1;
442 EXPECT_FALSE(RSA_decrypt(
443 key.get(), &plaintext_len, plaintext, sizeof(plaintext), ciphertext,
444 param.oaep_ciphertext_len, RSA_PKCS1_OAEP_PADDING));
445 ERR_clear_error();
446 ciphertext[i] ^= 1;
447 }
448
449 // Test truncated ciphertexts.
450 for (size_t len = 0; len < param.oaep_ciphertext_len; len++) {
451 SCOPED_TRACE(len);
452 EXPECT_FALSE(RSA_decrypt(key.get(), &plaintext_len, plaintext,
453 sizeof(plaintext), ciphertext, len,
454 RSA_PKCS1_OAEP_PADDING));
455 ERR_clear_error();
456 }
457 }
458
459 INSTANTIATE_TEST_CASE_P(, RSAEncryptTest, testing::ValuesIn(kRSAEncryptParams));
460
TEST(RSATest,TestDecrypt)461 TEST(RSATest, TestDecrypt) {
462 bssl::UniquePtr<RSA> rsa(
463 RSA_private_key_from_bytes(kTwoPrimeKey, sizeof(kTwoPrimeKey) - 1));
464 ASSERT_TRUE(rsa);
465
466 EXPECT_TRUE(RSA_check_key(rsa.get()));
467
468 uint8_t out[256];
469 size_t out_len;
470 ASSERT_TRUE(RSA_decrypt(
471 rsa.get(), &out_len, out, sizeof(out), kTwoPrimeEncryptedMessage,
472 sizeof(kTwoPrimeEncryptedMessage), RSA_PKCS1_PADDING));
473 EXPECT_EQ(Bytes("hello world"), Bytes(out, out_len));
474 }
475
TEST(RSATest,CheckFIPS)476 TEST(RSATest, CheckFIPS) {
477 bssl::UniquePtr<RSA> rsa(
478 RSA_private_key_from_bytes(kFIPSKey, sizeof(kFIPSKey) - 1));
479 ASSERT_TRUE(rsa);
480 EXPECT_TRUE(RSA_check_fips(rsa.get()));
481
482 // Check that RSA_check_fips works on a public key.
483 bssl::UniquePtr<RSA> pub(
484 RSA_public_key_from_bytes(kFIPSPublicKey, sizeof(kFIPSPublicKey) - 1));
485 ASSERT_TRUE(pub);
486 EXPECT_TRUE(RSA_check_fips(pub.get()));
487 }
488
TEST(RSATest,GenerateFIPS)489 TEST(RSATest, GenerateFIPS) {
490 bssl::UniquePtr<RSA> rsa(RSA_new());
491 ASSERT_TRUE(rsa);
492
493 // RSA_generate_key_fips may only be used for 2048-bit and 3072-bit keys.
494 EXPECT_FALSE(RSA_generate_key_fips(rsa.get(), 512, nullptr));
495 EXPECT_FALSE(RSA_generate_key_fips(rsa.get(), 1024, nullptr));
496 EXPECT_FALSE(RSA_generate_key_fips(rsa.get(), 2047, nullptr));
497 EXPECT_FALSE(RSA_generate_key_fips(rsa.get(), 2049, nullptr));
498 EXPECT_FALSE(RSA_generate_key_fips(rsa.get(), 3071, nullptr));
499 EXPECT_FALSE(RSA_generate_key_fips(rsa.get(), 3073, nullptr));
500 EXPECT_FALSE(RSA_generate_key_fips(rsa.get(), 4096, nullptr));
501 ERR_clear_error();
502
503 // Test that we can generate 2048-bit and 3072-bit RSA keys.
504 EXPECT_TRUE(RSA_generate_key_fips(rsa.get(), 2048, nullptr));
505 EXPECT_EQ(2048u, BN_num_bits(rsa->n));
506
507 rsa.reset(RSA_new());
508 ASSERT_TRUE(rsa);
509 EXPECT_TRUE(RSA_generate_key_fips(rsa.get(), 3072, nullptr));
510 EXPECT_EQ(3072u, BN_num_bits(rsa->n));
511 }
512
TEST(RSATest,BadKey)513 TEST(RSATest, BadKey) {
514 bssl::UniquePtr<RSA> key(RSA_new());
515 bssl::UniquePtr<BIGNUM> e(BN_new());
516 ASSERT_TRUE(key);
517 ASSERT_TRUE(e);
518 ASSERT_TRUE(BN_set_word(e.get(), RSA_F4));
519
520 // Generate a bad key.
521 ASSERT_TRUE(RSA_generate_key_ex(key.get(), 512, e.get(), nullptr));
522 ASSERT_TRUE(BN_add(key->p, key->p, BN_value_one()));
523
524 // Bad keys are detected.
525 EXPECT_FALSE(RSA_check_key(key.get()));
526 EXPECT_FALSE(RSA_check_fips(key.get()));
527
528 // Bad keys may not be parsed.
529 uint8_t *der;
530 size_t der_len;
531 ASSERT_TRUE(RSA_private_key_to_bytes(&der, &der_len, key.get()));
532 bssl::UniquePtr<uint8_t> delete_der(der);
533 key.reset(RSA_private_key_from_bytes(der, der_len));
534 EXPECT_FALSE(key);
535 }
536
TEST(RSATest,OnlyDGiven)537 TEST(RSATest, OnlyDGiven) {
538 static const char kN[] =
539 "00e77bbf3889d4ef36a9a25d4d69f3f632eb4362214c74517da6d6aeaa9bd09ac42b2662"
540 "1cd88f3a6eb013772fc3bf9f83914b6467231c630202c35b3e5808c659";
541 static const char kE[] = "010001";
542 static const char kD[] =
543 "0365db9eb6d73b53b015c40cd8db4de7dd7035c68b5ac1bf786d7a4ee2cea316eaeca21a"
544 "73ac365e58713195f2ae9849348525ca855386b6d028e437a9495a01";
545
546 bssl::UniquePtr<RSA> key(RSA_new());
547 ASSERT_TRUE(key);
548 ASSERT_TRUE(BN_hex2bn(&key->n, kN));
549 ASSERT_TRUE(BN_hex2bn(&key->e, kE));
550 ASSERT_TRUE(BN_hex2bn(&key->d, kD));
551
552 // Keys with only n, e, and d are functional.
553 EXPECT_TRUE(RSA_check_key(key.get()));
554
555 const uint8_t kDummyHash[32] = {0};
556 uint8_t buf[64];
557 unsigned buf_len = sizeof(buf);
558 ASSERT_LE(RSA_size(key.get()), sizeof(buf));
559 EXPECT_TRUE(RSA_sign(NID_sha256, kDummyHash, sizeof(kDummyHash), buf,
560 &buf_len, key.get()));
561 EXPECT_TRUE(RSA_verify(NID_sha256, kDummyHash, sizeof(kDummyHash), buf,
562 buf_len, key.get()));
563
564 // Keys without the public exponent must continue to work when blinding is
565 // disabled to support Java's RSAPrivateKeySpec API. See
566 // https://bugs.chromium.org/p/boringssl/issues/detail?id=12.
567 bssl::UniquePtr<RSA> key2(RSA_new());
568 ASSERT_TRUE(key2);
569 ASSERT_TRUE(BN_hex2bn(&key2->n, kN));
570 ASSERT_TRUE(BN_hex2bn(&key2->d, kD));
571 key2->flags |= RSA_FLAG_NO_BLINDING;
572
573 ASSERT_LE(RSA_size(key2.get()), sizeof(buf));
574 EXPECT_TRUE(RSA_sign(NID_sha256, kDummyHash, sizeof(kDummyHash), buf,
575 &buf_len, key2.get()));
576
577 // Verify the signature with |key|. |key2| has no public exponent.
578 EXPECT_TRUE(RSA_verify(NID_sha256, kDummyHash, sizeof(kDummyHash), buf,
579 buf_len, key.get()));
580 }
581
TEST(RSATest,ASN1)582 TEST(RSATest, ASN1) {
583 // Test that private keys may be decoded.
584 bssl::UniquePtr<RSA> rsa(
585 RSA_private_key_from_bytes(kKey1, sizeof(kKey1) - 1));
586 ASSERT_TRUE(rsa);
587
588 // Test that the serialization round-trips.
589 uint8_t *der;
590 size_t der_len;
591 ASSERT_TRUE(RSA_private_key_to_bytes(&der, &der_len, rsa.get()));
592 bssl::UniquePtr<uint8_t> delete_der(der);
593 EXPECT_EQ(Bytes(kKey1, sizeof(kKey1) - 1), Bytes(der, der_len));
594
595 // Test that serializing public keys works.
596 ASSERT_TRUE(RSA_public_key_to_bytes(&der, &der_len, rsa.get()));
597 delete_der.reset(der);
598
599 // Public keys may be parsed back out.
600 rsa.reset(RSA_public_key_from_bytes(der, der_len));
601 ASSERT_TRUE(rsa);
602 EXPECT_FALSE(rsa->p);
603 EXPECT_FALSE(rsa->q);
604
605 // Serializing the result round-trips.
606 uint8_t *der2;
607 size_t der2_len;
608 ASSERT_TRUE(RSA_public_key_to_bytes(&der2, &der2_len, rsa.get()));
609 bssl::UniquePtr<uint8_t> delete_der2(der2);
610 EXPECT_EQ(Bytes(der, der_len), Bytes(der2, der2_len));
611
612 // Public keys cannot be serialized as private keys.
613 int ok = RSA_private_key_to_bytes(&der, &der_len, rsa.get());
614 if (ok) {
615 OPENSSL_free(der);
616 }
617 EXPECT_FALSE(ok);
618 ERR_clear_error();
619
620 // Public keys with negative moduli are invalid.
621 rsa.reset(RSA_public_key_from_bytes(kEstonianRSAKey,
622 sizeof(kEstonianRSAKey)));
623 EXPECT_FALSE(rsa);
624 ERR_clear_error();
625
626 // But |RSA_parse_public_key_buggy| will accept it.
627 CBS cbs;
628 CBS_init(&cbs, kEstonianRSAKey, sizeof(kEstonianRSAKey));
629 rsa.reset(RSA_parse_public_key_buggy(&cbs));
630 EXPECT_TRUE(rsa);
631 EXPECT_EQ(0u, CBS_len(&cbs));
632 }
633
TEST(RSATest,BadExponent)634 TEST(RSATest, BadExponent) {
635 bssl::UniquePtr<RSA> rsa(
636 RSA_public_key_from_bytes(kExponent1RSAKey, sizeof(kExponent1RSAKey)));
637 EXPECT_FALSE(rsa);
638 ERR_clear_error();
639 }
640
641 // Attempting to generate an excessively small key should fail.
TEST(RSATest,GenerateSmallKey)642 TEST(RSATest, GenerateSmallKey) {
643 bssl::UniquePtr<RSA> rsa(RSA_new());
644 ASSERT_TRUE(rsa);
645 bssl::UniquePtr<BIGNUM> e(BN_new());
646 ASSERT_TRUE(e);
647 ASSERT_TRUE(BN_set_word(e.get(), RSA_F4));
648
649 EXPECT_FALSE(RSA_generate_key_ex(rsa.get(), 255, e.get(), nullptr));
650 uint32_t err = ERR_get_error();
651 EXPECT_EQ(ERR_LIB_RSA, ERR_GET_LIB(err));
652 EXPECT_EQ(RSA_R_KEY_SIZE_TOO_SMALL, ERR_GET_REASON(err));
653 }
654
655 // Attempting to generate an funny RSA key length should round down.
TEST(RSATest,RoundKeyLengths)656 TEST(RSATest, RoundKeyLengths) {
657 bssl::UniquePtr<BIGNUM> e(BN_new());
658 ASSERT_TRUE(e);
659 ASSERT_TRUE(BN_set_word(e.get(), RSA_F4));
660
661 bssl::UniquePtr<RSA> rsa(RSA_new());
662 ASSERT_TRUE(rsa);
663 EXPECT_TRUE(RSA_generate_key_ex(rsa.get(), 1025, e.get(), nullptr));
664 EXPECT_EQ(1024u, BN_num_bits(rsa->n));
665
666 rsa.reset(RSA_new());
667 ASSERT_TRUE(rsa);
668 EXPECT_TRUE(RSA_generate_key_ex(rsa.get(), 1027, e.get(), nullptr));
669 EXPECT_EQ(1024u, BN_num_bits(rsa->n));
670
671 rsa.reset(RSA_new());
672 ASSERT_TRUE(rsa);
673 EXPECT_TRUE(RSA_generate_key_ex(rsa.get(), 1151, e.get(), nullptr));
674 EXPECT_EQ(1024u, BN_num_bits(rsa->n));
675
676 rsa.reset(RSA_new());
677 ASSERT_TRUE(rsa);
678 EXPECT_TRUE(RSA_generate_key_ex(rsa.get(), 1152, e.get(), nullptr));
679 EXPECT_EQ(1152u, BN_num_bits(rsa->n));
680 }
681
TEST(RSATest,BlindingDisabled)682 TEST(RSATest, BlindingDisabled) {
683 bssl::UniquePtr<RSA> rsa(
684 RSA_private_key_from_bytes(kTwoPrimeKey, sizeof(kTwoPrimeKey) - 1));
685 ASSERT_TRUE(rsa);
686
687 rsa->flags |= RSA_FLAG_NO_BLINDING;
688
689 uint8_t sig[256];
690 ASSERT_GE(sizeof(sig), RSA_size(rsa.get()));
691
692 static const uint8_t kZeros[32] = {0};
693 unsigned sig_len;
694 ASSERT_TRUE(
695 RSA_sign(NID_sha256, kZeros, sizeof(kZeros), sig, &sig_len, rsa.get()));
696 EXPECT_TRUE(
697 RSA_verify(NID_sha256, kZeros, sizeof(kZeros), sig, sig_len, rsa.get()));
698 }
699
700 // Test that decrypting with a public key fails gracefully rather than crashing.
TEST(RSATest,DecryptPublic)701 TEST(RSATest, DecryptPublic) {
702 bssl::UniquePtr<RSA> pub(
703 RSA_public_key_from_bytes(kFIPSPublicKey, sizeof(kFIPSPublicKey) - 1));
704 ASSERT_TRUE(pub);
705 ASSERT_EQ(1024u / 8u, RSA_size(pub.get()));
706
707 size_t len;
708 uint8_t in[1024 / 8] = {0}, out[1024 / 8];
709 EXPECT_FALSE(RSA_decrypt(pub.get(), &len, out, sizeof(out), in, sizeof(in),
710 RSA_PKCS1_PADDING));
711 uint32_t err = ERR_get_error();
712 EXPECT_EQ(ERR_LIB_RSA, ERR_GET_LIB(err));
713 EXPECT_EQ(RSA_R_VALUE_MISSING, ERR_GET_REASON(err));
714 }
715
716 #if !defined(BORINGSSL_SHARED_LIBRARY)
TEST(RSATest,SqrtTwo)717 TEST(RSATest, SqrtTwo) {
718 bssl::UniquePtr<BIGNUM> sqrt(BN_new()), pow2(BN_new());
719 bssl::UniquePtr<BN_CTX> ctx(BN_CTX_new());
720 ASSERT_TRUE(sqrt);
721 ASSERT_TRUE(pow2);
722 ASSERT_TRUE(ctx);
723
724 size_t bits = kBoringSSLRSASqrtTwoLen * BN_BITS2;
725 ASSERT_TRUE(BN_one(pow2.get()));
726 ASSERT_TRUE(BN_lshift(pow2.get(), pow2.get(), 2 * bits - 1));
727
728 // Check that sqrt² < pow2.
729 ASSERT_TRUE(
730 bn_set_words(sqrt.get(), kBoringSSLRSASqrtTwo, kBoringSSLRSASqrtTwoLen));
731 ASSERT_TRUE(BN_sqr(sqrt.get(), sqrt.get(), ctx.get()));
732 EXPECT_LT(BN_cmp(sqrt.get(), pow2.get()), 0);
733
734 // Check that pow2 < (sqrt + 1)².
735 ASSERT_TRUE(
736 bn_set_words(sqrt.get(), kBoringSSLRSASqrtTwo, kBoringSSLRSASqrtTwoLen));
737 ASSERT_TRUE(BN_add_word(sqrt.get(), 1));
738 ASSERT_TRUE(BN_sqr(sqrt.get(), sqrt.get(), ctx.get()));
739 EXPECT_LT(BN_cmp(pow2.get(), sqrt.get()), 0);
740
741 // Check the kBoringSSLRSASqrtTwo is sized for a 3072-bit RSA key.
742 EXPECT_EQ(3072u / 2u, bits);
743 }
744
TEST(RSATest,LessThanWords)745 TEST(RSATest, LessThanWords) {
746 // kTestVectors is an array of 256-bit values in sorted order.
747 static const BN_ULONG kTestVectors[][256 / BN_BITS2] = {
748 {TOBN(0x00000000, 0x00000000), TOBN(0x00000000, 0x00000000),
749 TOBN(0x00000000, 0x00000000), TOBN(0x00000000, 0x00000000)},
750 {TOBN(0x00000000, 0x00000001), TOBN(0x00000000, 0x00000000),
751 TOBN(0x00000000, 0x00000000), TOBN(0x00000000, 0x00000000)},
752 {TOBN(0xffffffff, 0xffffffff), TOBN(0x00000000, 0x00000000),
753 TOBN(0x00000000, 0x00000000), TOBN(0x00000000, 0x00000000)},
754 {TOBN(0xffffffff, 0xffffffff), TOBN(0xffffffff, 0xffffffff),
755 TOBN(0x00000000, 0x00000000), TOBN(0x00000000, 0x00000000)},
756 {TOBN(0xffffffff, 0xffffffff), TOBN(0xffffffff, 0xffffffff),
757 TOBN(0xffffffff, 0xffffffff), TOBN(0x00000000, 0x00000000)},
758 {TOBN(0x00000000, 0x00000000), TOBN(0x1d6f60ba, 0x893ba84c),
759 TOBN(0x597d89b3, 0x754abe9f), TOBN(0xb504f333, 0xf9de6484)},
760 {TOBN(0x00000000, 0x83339915), TOBN(0x1d6f60ba, 0x893ba84c),
761 TOBN(0x597d89b3, 0x754abe9f), TOBN(0xb504f333, 0xf9de6484)},
762 {TOBN(0xed17ac85, 0x00000000), TOBN(0x1d6f60ba, 0x893ba84c),
763 TOBN(0x597d89b3, 0x754abe9f), TOBN(0xb504f333, 0xf9de6484)},
764 {TOBN(0xed17ac85, 0x83339915), TOBN(0x1d6f60ba, 0x893ba84c),
765 TOBN(0x597d89b3, 0x754abe9f), TOBN(0xb504f333, 0xf9de6484)},
766 {TOBN(0xed17ac85, 0xffffffff), TOBN(0x1d6f60ba, 0x893ba84c),
767 TOBN(0x597d89b3, 0x754abe9f), TOBN(0xb504f333, 0xf9de6484)},
768 {TOBN(0xffffffff, 0x83339915), TOBN(0x1d6f60ba, 0x893ba84c),
769 TOBN(0x597d89b3, 0x754abe9f), TOBN(0xb504f333, 0xf9de6484)},
770 {TOBN(0xffffffff, 0xffffffff), TOBN(0x1d6f60ba, 0x893ba84c),
771 TOBN(0x597d89b3, 0x754abe9f), TOBN(0xb504f333, 0xf9de6484)},
772 {TOBN(0x00000000, 0x00000000), TOBN(0x00000000, 0x00000000),
773 TOBN(0x00000000, 0x00000000), TOBN(0xffffffff, 0xffffffff)},
774 {TOBN(0x00000000, 0x00000000), TOBN(0x00000000, 0x00000000),
775 TOBN(0xffffffff, 0xffffffff), TOBN(0xffffffff, 0xffffffff)},
776 {TOBN(0x00000000, 0x00000001), TOBN(0x00000000, 0x00000000),
777 TOBN(0xffffffff, 0xffffffff), TOBN(0xffffffff, 0xffffffff)},
778 {TOBN(0x00000000, 0x00000000), TOBN(0xffffffff, 0xffffffff),
779 TOBN(0xffffffff, 0xffffffff), TOBN(0xffffffff, 0xffffffff)},
780 {TOBN(0xffffffff, 0xffffffff), TOBN(0xffffffff, 0xffffffff),
781 TOBN(0xffffffff, 0xffffffff), TOBN(0xffffffff, 0xffffffff)},
782 };
783
784 for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kTestVectors); i++) {
785 SCOPED_TRACE(i);
786 for (size_t j = 0; j < OPENSSL_ARRAY_SIZE(kTestVectors); j++) {
787 SCOPED_TRACE(j);
788 EXPECT_EQ(i < j ? 1 : 0,
789 rsa_less_than_words(kTestVectors[i], kTestVectors[j],
790 OPENSSL_ARRAY_SIZE(kTestVectors[i])));
791 }
792 }
793
794 EXPECT_EQ(0, rsa_less_than_words(NULL, NULL, 0));
795 }
796
TEST(RSATest,GreaterThanPow2)797 TEST(RSATest, GreaterThanPow2) {
798 bssl::UniquePtr<BIGNUM> b(BN_new());
799 BN_zero(b.get());
800 EXPECT_FALSE(rsa_greater_than_pow2(b.get(), 0));
801 EXPECT_FALSE(rsa_greater_than_pow2(b.get(), 1));
802 EXPECT_FALSE(rsa_greater_than_pow2(b.get(), 20));
803
804 ASSERT_TRUE(BN_set_word(b.get(), 1));
805 EXPECT_FALSE(rsa_greater_than_pow2(b.get(), 0));
806 EXPECT_FALSE(rsa_greater_than_pow2(b.get(), 1));
807 EXPECT_FALSE(rsa_greater_than_pow2(b.get(), 20));
808
809 ASSERT_TRUE(BN_set_word(b.get(), 2));
810 EXPECT_TRUE(rsa_greater_than_pow2(b.get(), 0));
811 EXPECT_FALSE(rsa_greater_than_pow2(b.get(), 1));
812 EXPECT_FALSE(rsa_greater_than_pow2(b.get(), 20));
813
814 ASSERT_TRUE(BN_set_word(b.get(), 3));
815 EXPECT_TRUE(rsa_greater_than_pow2(b.get(), 0));
816 EXPECT_TRUE(rsa_greater_than_pow2(b.get(), 1));
817 EXPECT_FALSE(rsa_greater_than_pow2(b.get(), 2));
818 EXPECT_FALSE(rsa_greater_than_pow2(b.get(), 20));
819
820 BN_set_negative(b.get(), 1);
821 EXPECT_FALSE(rsa_greater_than_pow2(b.get(), 0));
822 EXPECT_FALSE(rsa_greater_than_pow2(b.get(), 1));
823 EXPECT_FALSE(rsa_greater_than_pow2(b.get(), 2));
824 EXPECT_FALSE(rsa_greater_than_pow2(b.get(), 20));
825
826 // Check all bit lengths mod 64.
827 for (int n = 1024; n < 1024 + 64; n++) {
828 SCOPED_TRACE(n);
829 ASSERT_TRUE(BN_set_word(b.get(), 1));
830 ASSERT_TRUE(BN_lshift(b.get(), b.get(), n));
831 EXPECT_TRUE(rsa_greater_than_pow2(b.get(), n - 1));
832 EXPECT_FALSE(rsa_greater_than_pow2(b.get(), n));
833 EXPECT_FALSE(rsa_greater_than_pow2(b.get(), n + 1));
834
835 ASSERT_TRUE(BN_sub_word(b.get(), 1));
836 EXPECT_TRUE(rsa_greater_than_pow2(b.get(), n - 1));
837 EXPECT_FALSE(rsa_greater_than_pow2(b.get(), n));
838 EXPECT_FALSE(rsa_greater_than_pow2(b.get(), n + 1));
839
840 ASSERT_TRUE(BN_add_word(b.get(), 2));
841 EXPECT_TRUE(rsa_greater_than_pow2(b.get(), n - 1));
842 EXPECT_TRUE(rsa_greater_than_pow2(b.get(), n));
843 EXPECT_FALSE(rsa_greater_than_pow2(b.get(), n + 1));
844 }
845 }
846 #endif // !BORINGSSL_SHARED_LIBRARY
847