2 * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 /* test vectors from p1ovect1.txt */
13 * RSA low level APIs are deprecated for public use, but still ok for
16 #include "internal/deprecated.h"
21 #include "internal/nelem.h"
23 #include <openssl/crypto.h>
24 #include <openssl/err.h>
25 #include <openssl/rand.h>
26 #include <openssl/bn.h>
30 #include <openssl/rsa.h>
34 BN_bin2bn(n, sizeof(n)-1, NULL), \
35 BN_bin2bn(e, sizeof(e)-1, NULL), \
36 BN_bin2bn(d, sizeof(d)-1, NULL)); \
37 RSA_set0_factors(key, \
38 BN_bin2bn(p, sizeof(p)-1, NULL), \
39 BN_bin2bn(q, sizeof(q)-1, NULL)); \
40 RSA_set0_crt_params(key, \
41 BN_bin2bn(dmp1, sizeof(dmp1)-1, NULL), \
42 BN_bin2bn(dmq1, sizeof(dmq1)-1, NULL), \
43 BN_bin2bn(iqmp, sizeof(iqmp)-1, NULL)); \
45 memcpy(c, ctext_ex, sizeof(ctext_ex) - 1); \
46 return sizeof(ctext_ex) - 1;
48 static int key1(RSA *key, unsigned char *c)
50 static unsigned char n[] =
51 "\x00\xAA\x36\xAB\xCE\x88\xAC\xFD\xFF\x55\x52\x3C\x7F\xC4\x52\x3F"
52 "\x90\xEF\xA0\x0D\xF3\x77\x4A\x25\x9F\x2E\x62\xB4\xC5\xD9\x9C\xB5"
53 "\xAD\xB3\x00\xA0\x28\x5E\x53\x01\x93\x0E\x0C\x70\xFB\x68\x76\x93"
54 "\x9C\xE6\x16\xCE\x62\x4A\x11\xE0\x08\x6D\x34\x1E\xBC\xAC\xA0\xA1"
57 static unsigned char e[] = "\x11";
59 static unsigned char d[] =
60 "\x0A\x03\x37\x48\x62\x64\x87\x69\x5F\x5F\x30\xBC\x38\xB9\x8B\x44"
61 "\xC2\xCD\x2D\xFF\x43\x40\x98\xCD\x20\xD8\xA1\x38\xD0\x90\xBF\x64"
62 "\x79\x7C\x3F\xA7\xA2\xCD\xCB\x3C\xD1\xE0\xBD\xBA\x26\x54\xB4\xF9"
63 "\xDF\x8E\x8A\xE5\x9D\x73\x3D\x9F\x33\xB3\x01\x62\x4A\xFD\x1D\x51";
65 static unsigned char p[] =
66 "\x00\xD8\x40\xB4\x16\x66\xB4\x2E\x92\xEA\x0D\xA3\xB4\x32\x04\xB5"
67 "\xCF\xCE\x33\x52\x52\x4D\x04\x16\xA5\xA4\x41\xE7\x00\xAF\x46\x12"
70 static unsigned char q[] =
71 "\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9"
72 "\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5A\x0F\x20\x35\x02\x8B\x9D"
75 static unsigned char dmp1[] =
76 "\x59\x0B\x95\x72\xA2\xC2\xA9\xC4\x06\x05\x9D\xC2\xAB\x2F\x1D\xAF"
77 "\xEB\x7E\x8B\x4F\x10\xA7\x54\x9E\x8E\xED\xF5\xB4\xFC\xE0\x9E\x05";
79 static unsigned char dmq1[] =
80 "\x00\x8E\x3C\x05\x21\xFE\x15\xE0\xEA\x06\xA3\x6F\xF0\xF1\x0C\x99"
81 "\x52\xC3\x5B\x7A\x75\x14\xFD\x32\x38\xB8\x0A\xAD\x52\x98\x62\x8D"
84 static unsigned char iqmp[] =
85 "\x36\x3F\xF7\x18\x9D\xA8\xE9\x0B\x1D\x34\x1F\x71\xD0\x9B\x76\xA8"
86 "\xA9\x43\xE1\x1D\x10\xB2\x4D\x24\x9F\x2D\xEA\xFE\xF8\x0C\x18\x26";
88 static unsigned char ctext_ex[] =
89 "\x1b\x8f\x05\xf9\xca\x1a\x79\x52\x6e\x53\xf3\xcc\x51\x4f\xdb\x89"
90 "\x2b\xfb\x91\x93\x23\x1e\x78\xb9\x92\xe6\x8d\x50\xa4\x80\xcb\x52"
91 "\x33\x89\x5c\x74\x95\x8d\x5d\x02\xab\x8c\x0f\xd0\x40\xeb\x58\x44"
92 "\xb0\x05\xc3\x9e\xd8\x27\x4a\x9d\xbf\xa8\x06\x71\x40\x94\x39\xd2";
97 static int key2(RSA *key, unsigned char *c)
99 static unsigned char n[] =
100 "\x00\xA3\x07\x9A\x90\xDF\x0D\xFD\x72\xAC\x09\x0C\xCC\x2A\x78\xB8"
101 "\x74\x13\x13\x3E\x40\x75\x9C\x98\xFA\xF8\x20\x4F\x35\x8A\x0B\x26"
102 "\x3C\x67\x70\xE7\x83\xA9\x3B\x69\x71\xB7\x37\x79\xD2\x71\x7B\xE8"
105 static unsigned char e[] = "\x3";
107 static unsigned char d[] =
108 "\x6C\xAF\xBC\x60\x94\xB3\xFE\x4C\x72\xB0\xB3\x32\xC6\xFB\x25\xA2"
109 "\xB7\x62\x29\x80\x4E\x68\x65\xFC\xA4\x5A\x74\xDF\x0F\x8F\xB8\x41"
110 "\x3B\x52\xC0\xD0\xE5\x3D\x9B\x59\x0F\xF1\x9B\xE7\x9F\x49\xDD\x21"
113 static unsigned char p[] =
114 "\x00\xCF\x20\x35\x02\x8B\x9D\x86\x98\x40\xB4\x16\x66\xB4\x2E\x92"
115 "\xEA\x0D\xA3\xB4\x32\x04\xB5\xCF\xCE\x91";
117 static unsigned char q[] =
118 "\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9"
119 "\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5F";
121 static unsigned char dmp1[] =
122 "\x00\x8A\x15\x78\xAC\x5D\x13\xAF\x10\x2B\x22\xB9\x99\xCD\x74\x61"
123 "\xF1\x5E\x6D\x22\xCC\x03\x23\xDF\xDF\x0B";
125 static unsigned char dmq1[] =
126 "\x00\x86\x55\x21\x4A\xC5\x4D\x8D\x4E\xCD\x61\x77\xF1\xC7\x36\x90"
127 "\xCE\x2A\x48\x2C\x8B\x05\x99\xCB\xE0\x3F";
129 static unsigned char iqmp[] =
130 "\x00\x83\xEF\xEF\xB8\xA9\xA4\x0D\x1D\xB6\xED\x98\xAD\x84\xED\x13"
131 "\x35\xDC\xC1\x08\xF3\x22\xD0\x57\xCF\x8D";
133 static unsigned char ctext_ex[] =
134 "\x14\xbd\xdd\x28\xc9\x83\x35\x19\x23\x80\xe8\xe5\x49\xb1\x58\x2a"
135 "\x8b\x40\xb4\x48\x6d\x03\xa6\xa5\x31\x1f\x1f\xd5\xf0\xa1\x80\xe4"
136 "\x17\x53\x03\x29\xa9\x34\x90\x74\xb1\x52\x13\x54\x29\x08\x24\x52"
142 static int key3(RSA *key, unsigned char *c)
144 static unsigned char n[] =
145 "\x00\xBB\xF8\x2F\x09\x06\x82\xCE\x9C\x23\x38\xAC\x2B\x9D\xA8\x71"
146 "\xF7\x36\x8D\x07\xEE\xD4\x10\x43\xA4\x40\xD6\xB6\xF0\x74\x54\xF5"
147 "\x1F\xB8\xDF\xBA\xAF\x03\x5C\x02\xAB\x61\xEA\x48\xCE\xEB\x6F\xCD"
148 "\x48\x76\xED\x52\x0D\x60\xE1\xEC\x46\x19\x71\x9D\x8A\x5B\x8B\x80"
149 "\x7F\xAF\xB8\xE0\xA3\xDF\xC7\x37\x72\x3E\xE6\xB4\xB7\xD9\x3A\x25"
150 "\x84\xEE\x6A\x64\x9D\x06\x09\x53\x74\x88\x34\xB2\x45\x45\x98\x39"
151 "\x4E\xE0\xAA\xB1\x2D\x7B\x61\xA5\x1F\x52\x7A\x9A\x41\xF6\xC1\x68"
152 "\x7F\xE2\x53\x72\x98\xCA\x2A\x8F\x59\x46\xF8\xE5\xFD\x09\x1D\xBD"
155 static unsigned char e[] = "\x11";
157 static unsigned char d[] =
158 "\x00\xA5\xDA\xFC\x53\x41\xFA\xF2\x89\xC4\xB9\x88\xDB\x30\xC1\xCD"
159 "\xF8\x3F\x31\x25\x1E\x06\x68\xB4\x27\x84\x81\x38\x01\x57\x96\x41"
160 "\xB2\x94\x10\xB3\xC7\x99\x8D\x6B\xC4\x65\x74\x5E\x5C\x39\x26\x69"
161 "\xD6\x87\x0D\xA2\xC0\x82\xA9\x39\xE3\x7F\xDC\xB8\x2E\xC9\x3E\xDA"
162 "\xC9\x7F\xF3\xAD\x59\x50\xAC\xCF\xBC\x11\x1C\x76\xF1\xA9\x52\x94"
163 "\x44\xE5\x6A\xAF\x68\xC5\x6C\x09\x2C\xD3\x8D\xC3\xBE\xF5\xD2\x0A"
164 "\x93\x99\x26\xED\x4F\x74\xA1\x3E\xDD\xFB\xE1\xA1\xCE\xCC\x48\x94"
165 "\xAF\x94\x28\xC2\xB7\xB8\x88\x3F\xE4\x46\x3A\x4B\xC8\x5B\x1C\xB3"
168 static unsigned char p[] =
169 "\x00\xEE\xCF\xAE\x81\xB1\xB9\xB3\xC9\x08\x81\x0B\x10\xA1\xB5\x60"
170 "\x01\x99\xEB\x9F\x44\xAE\xF4\xFD\xA4\x93\xB8\x1A\x9E\x3D\x84\xF6"
171 "\x32\x12\x4E\xF0\x23\x6E\x5D\x1E\x3B\x7E\x28\xFA\xE7\xAA\x04\x0A"
172 "\x2D\x5B\x25\x21\x76\x45\x9D\x1F\x39\x75\x41\xBA\x2A\x58\xFB\x65"
175 static unsigned char q[] =
176 "\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9"
177 "\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5A\x0F\x20\x35\x02\x8B\x9D"
178 "\x86\x98\x40\xB4\x16\x66\xB4\x2E\x92\xEA\x0D\xA3\xB4\x32\x04\xB5"
179 "\xCF\xCE\x33\x52\x52\x4D\x04\x16\xA5\xA4\x41\xE7\x00\xAF\x46\x15"
182 static unsigned char dmp1[] =
183 "\x54\x49\x4C\xA6\x3E\xBA\x03\x37\xE4\xE2\x40\x23\xFC\xD6\x9A\x5A"
184 "\xEB\x07\xDD\xDC\x01\x83\xA4\xD0\xAC\x9B\x54\xB0\x51\xF2\xB1\x3E"
185 "\xD9\x49\x09\x75\xEA\xB7\x74\x14\xFF\x59\xC1\xF7\x69\x2E\x9A\x2E"
186 "\x20\x2B\x38\xFC\x91\x0A\x47\x41\x74\xAD\xC9\x3C\x1F\x67\xC9\x81";
188 static unsigned char dmq1[] =
189 "\x47\x1E\x02\x90\xFF\x0A\xF0\x75\x03\x51\xB7\xF8\x78\x86\x4C\xA9"
190 "\x61\xAD\xBD\x3A\x8A\x7E\x99\x1C\x5C\x05\x56\xA9\x4C\x31\x46\xA7"
191 "\xF9\x80\x3F\x8F\x6F\x8A\xE3\x42\xE9\x31\xFD\x8A\xE4\x7A\x22\x0D"
192 "\x1B\x99\xA4\x95\x84\x98\x07\xFE\x39\xF9\x24\x5A\x98\x36\xDA\x3D";
194 static unsigned char iqmp[] =
195 "\x00\xB0\x6C\x4F\xDA\xBB\x63\x01\x19\x8D\x26\x5B\xDB\xAE\x94\x23"
196 "\xB3\x80\xF2\x71\xF7\x34\x53\x88\x50\x93\x07\x7F\xCD\x39\xE2\x11"
197 "\x9F\xC9\x86\x32\x15\x4F\x58\x83\xB1\x67\xA9\x67\xBF\x40\x2B\x4E"
198 "\x9E\x2E\x0F\x96\x56\xE6\x98\xEA\x36\x66\xED\xFB\x25\x79\x80\x39"
201 static unsigned char ctext_ex[] =
202 "\xb8\x24\x6b\x56\xa6\xed\x58\x81\xae\xb5\x85\xd9\xa2\x5b\x2a\xd7"
203 "\x90\xc4\x17\xe0\x80\x68\x1b\xf1\xac\x2b\xc3\xde\xb6\x9d\x8b\xce"
204 "\xf0\xc4\x36\x6f\xec\x40\x0a\xf0\x52\xa7\x2e\x9b\x0e\xff\xb5\xb3"
205 "\xf2\xf1\x92\xdb\xea\xca\x03\xc1\x27\x40\x05\x71\x13\xbf\x1f\x06"
206 "\x69\xac\x22\xe9\xf3\xa7\x85\x2e\x3c\x15\xd9\x13\xca\xb0\xb8\x86"
207 "\x3a\x95\xc9\x92\x94\xce\x86\x74\x21\x49\x54\x61\x03\x46\xf4\xd4"
208 "\x74\xb2\x6f\x7c\x48\xb4\x2e\xe6\x8e\x1f\x57\x2a\x1f\xc4\x02\x6a"
209 "\xc4\x56\xb4\xf5\x9f\x7b\x62\x1e\xa1\xb9\xd8\x8f\x64\x20\x2f\xb1";
214 static int rsa_setkey(RSA** key, unsigned char *ctext, int idx)
222 clen = key1(*key, ctext);
225 clen = key2(*key, ctext);
228 clen = key3(*key, ctext);
234 static int test_rsa_simple(int idx, int en_pad_type, int de_pad_type,
235 int success, unsigned char *ctext_ex, int *clen,
240 unsigned char ptext[256];
241 unsigned char ctext[256];
242 static unsigned char ptext_ex[] = "\x54\x85\x9b\x34\x2c\x49\xea\x2a";
247 plen = sizeof(ptext_ex) - 1;
248 clentmp = rsa_setkey(&key, ctext_ex, idx);
252 num = RSA_public_encrypt(plen, ptext_ex, ctext, key, en_pad_type);
253 if (!TEST_int_eq(num, clentmp))
256 num = RSA_private_decrypt(num, ctext, ptext, key, de_pad_type);
258 if (!TEST_int_gt(num, 0) || !TEST_mem_eq(ptext, num, ptext_ex, plen))
261 if (!TEST_int_lt(num, 0))
266 if (retkey != NULL) {
275 static int test_rsa_pkcs1(int idx)
277 return test_rsa_simple(idx, RSA_PKCS1_PADDING, RSA_PKCS1_PADDING, 1, NULL,
281 static int test_rsa_oaep(int idx)
285 unsigned char ptext[256];
286 static unsigned char ptext_ex[] = "\x54\x85\x9b\x34\x2c\x49\xea\x2a";
287 unsigned char ctext_ex[256];
293 if (!test_rsa_simple(idx, RSA_PKCS1_OAEP_PADDING, RSA_PKCS1_OAEP_PADDING, 1,
294 ctext_ex, &clen, &key))
297 plen = sizeof(ptext_ex) - 1;
299 /* Different ciphertexts. Try decrypting ctext_ex */
300 num = RSA_private_decrypt(clen, ctext_ex, ptext, key,
301 RSA_PKCS1_OAEP_PADDING);
302 if (num <= 0 || !TEST_mem_eq(ptext, num, ptext_ex, plen))
305 /* Try decrypting corrupted ciphertexts. */
306 for (n = 0; n < clen; ++n) {
308 num = RSA_private_decrypt(clen, ctext_ex, ptext, key,
309 RSA_PKCS1_OAEP_PADDING);
310 if (!TEST_int_le(num, 0))
315 /* Test truncated ciphertexts, as well as negative length. */
316 for (n = -1; n < clen; ++n) {
317 num = RSA_private_decrypt(n, ctext_ex, ptext, key,
318 RSA_PKCS1_OAEP_PADDING);
319 if (!TEST_int_le(num, 0))
329 static const struct {
332 } rsa_security_bits_cases[] = {
333 /* NIST SP 800-56B rev 2 (draft) Appendix D Table 5 */
339 /* NIST FIPS 140-2 IG 7.5 */
346 /* Some other values */
357 static int test_rsa_security_bit(int n)
359 static const unsigned char vals[8] = {
360 0x80, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40
362 RSA *key = RSA_new();
363 const int bits = rsa_security_bits_cases[n].bits;
364 const int result = rsa_security_bits_cases[n].r;
365 const int bytes = (bits + 7) / 8;
367 unsigned char num[2000];
369 if (!TEST_ptr(key) || !TEST_int_le(bytes, (int)sizeof(num)))
373 * It is necessary to set the RSA key in order to ask for the strength.
374 * A BN of an appropriate size is created, in general it won't have the
375 * properties necessary for RSA to function. This is okay here since
376 * the RSA key is never used.
378 memset(num, vals[bits % 8], bytes);
381 * The 'e' parameter is set to the same value as 'n'. This saves having
382 * an extra BN to hold a sensible value for 'e'. This is safe since the
383 * RSA key is not used. The 'd' parameter can be NULL safely.
385 if (TEST_true(RSA_set0_key(key, BN_bin2bn(num, bytes, NULL),
386 BN_bin2bn(num, bytes, NULL), NULL))
387 && TEST_uint_eq(RSA_security_bits(key), result))
394 static int test_EVP_rsa_legacy_key(void)
399 unsigned char sigbuf[384];
400 unsigned char msgbuf[64];
408 EVP_MD_CTX *ctx = NULL;
409 EVP_PKEY *pkey = NULL;
411 unsigned char n_data[] = {
412 0x00, 0xc7, 0x28, 0x7a, 0x28, 0x91, 0x51, 0xa5, 0xe8, 0x3c, 0x45, 0xcf,
413 0x1d, 0xa9, 0x69, 0x7a, 0x0d, 0xdb, 0xdd, 0x8f, 0xe2, 0xde, 0x85, 0xdd,
414 0x85, 0x6d, 0x8f, 0x78, 0x20, 0xd6, 0xe, 0xe5, 0x06, 0xcb, 0x9c, 0xd6,
415 0xd3, 0xca, 0xef, 0x1d, 0x80, 0xd3, 0x18, 0x23, 0x91, 0x5c, 0xe5, 0xc8,
416 0x44, 0x37, 0x56, 0x1b, 0x68, 0x7f, 0x08, 0xa3, 0x1c, 0xf6, 0xe8, 0x11,
417 0x38, 0x0f, 0x2e, 0xad, 0xb1, 0x89, 0x8b, 0x08, 0xe8, 0x35, 0xaf, 0x3b,
418 0xfe, 0x37, 0x8d, 0x21, 0xd5, 0x3f, 0x1f, 0x4b, 0x01, 0x30, 0xd8, 0xd0,
419 0x24, 0xf7, 0xab, 0x57, 0xad, 0xac, 0xbc, 0x53, 0x6d, 0x84, 0x8e, 0xa1,
420 0xb2, 0x5b, 0x8e, 0xe7, 0xb3, 0xac, 0xfc, 0x60, 0x22, 0x10, 0x1e, 0x99,
421 0xfa, 0xa0, 0x60, 0x00, 0x69, 0x5f, 0x8e, 0xca, 0x6d, 0x9c, 0xee, 0x5e,
422 0x84, 0x4e, 0x53, 0x83, 0x42, 0x76, 0x4d, 0xb8, 0xc1, 0xeb, 0x4e, 0x3d,
423 0xc3, 0xce, 0xac, 0x79, 0xbb, 0x29, 0x5d, 0x92, 0x33, 0x6e, 0xcf, 0x8f,
424 0x5a, 0xf0, 0xb3, 0xb5, 0xdc, 0xd5, 0xa3, 0xaf, 0x40, 0x4b, 0x0f, 0x05,
425 0xac, 0x46, 0x53, 0x2d, 0x5f, 0x20, 0x96, 0x42, 0xa8, 0x47, 0x61, 0x54,
426 0x05, 0x2c, 0x8a, 0x26, 0x5d, 0x92, 0x1d, 0x01, 0x2a, 0x27, 0x8a, 0xfc,
427 0x64, 0x24, 0x5c, 0x34, 0xde, 0x92, 0xc6, 0x82, 0xea, 0x4d, 0xe2, 0x52,
428 0xe5, 0xad, 0x62, 0x00, 0xc6, 0xc8, 0xe9, 0x0c, 0x22, 0xf0, 0x9e, 0xbe,
429 0xdc, 0x51, 0x58, 0xad, 0x3b, 0xba, 0x2e, 0x45, 0x65, 0xcc, 0x5b, 0x55,
430 0x46, 0x67, 0x18, 0x4a, 0x80, 0x67, 0x5b, 0x84, 0x7f, 0x13, 0x37, 0x45,
431 0xd8, 0x03, 0xc6, 0x22, 0xc3, 0x4a, 0x46, 0x6b, 0xde, 0x50, 0xbf, 0x16,
432 0x0a, 0x23, 0x0b, 0xaa, 0x50, 0x54, 0xf6, 0x20, 0x83, 0x74, 0x33, 0x97,
433 0x2e, 0xf2, 0x8e, 0x7e, 0x13 };
435 unsigned char e_data[] = { 0x01, 0x00, 0x01 };
437 unsigned char d_data[] = {
438 0x09, 0x2d, 0xcb, 0xe7, 0x87, 0xbf, 0x10, 0x1a, 0xf2, 0x80, 0x33, 0x2a,
439 0x06, 0x4f, 0x56, 0xb1, 0x41, 0xd3, 0x65, 0xd8, 0xca, 0x71, 0xb8, 0x02,
440 0x78, 0xc8, 0xb6, 0x7c, 0x28, 0xf4, 0x6c, 0xe8, 0xd1, 0xc4, 0x92, 0x40,
441 0x23, 0xa7, 0xbe, 0x9f, 0xdb, 0xda, 0xce, 0x74, 0xda, 0x27, 0xbb, 0x01,
442 0xad, 0xdd, 0x39, 0x99, 0x28, 0xd5, 0xb0, 0x92, 0xda, 0xac, 0x5a, 0x72,
443 0xcf, 0x7c, 0x52, 0xc4, 0x0e, 0x77, 0x4a, 0x7b, 0x4d, 0x52, 0x1c, 0xbd,
444 0x3c, 0x39, 0x34, 0x78, 0x7c, 0x16, 0xc8, 0xa1, 0xae, 0xeb, 0x27, 0x38,
445 0xb4, 0xf3, 0x80, 0x30, 0x80, 0x78, 0x13, 0x8e, 0x46, 0x20, 0x3e, 0xc2,
446 0x96, 0x26, 0xb1, 0x76, 0x1e, 0x00, 0x69, 0xbb, 0xd8, 0x2b, 0x58, 0xe4,
447 0x6c, 0xb4, 0xd0, 0x00, 0x0b, 0x47, 0xec, 0xfb, 0x7d, 0x52, 0x9d, 0x27,
448 0x92, 0xe6, 0x95, 0x73, 0xa0, 0x39, 0x37, 0xcd, 0x1f, 0x60, 0x13, 0x1c,
449 0x87, 0x9d, 0xa7, 0x91, 0x90, 0xf9, 0x36, 0xc5, 0xfa, 0x3f, 0xf9, 0x7f,
450 0x50, 0xf8, 0xb3, 0x54, 0x65, 0xff, 0x6f, 0xa6, 0x22, 0xcc, 0x4a, 0x1e,
451 0x49, 0x3f, 0x07, 0xc6, 0xf2, 0x65, 0x73, 0x13, 0x1b, 0x2d, 0xb6, 0x15,
452 0xff, 0xcd, 0x9a, 0x1c, 0xea, 0xef, 0x58, 0x56, 0x91, 0x2d, 0x47, 0x81,
453 0x56, 0x0d, 0xc3, 0xb0, 0x47, 0x58, 0x8d, 0x05, 0x7d, 0x5b, 0xc0, 0x22,
454 0xa4, 0xf0, 0x2e, 0x70, 0x36, 0x01, 0x89, 0xa1, 0x71, 0xed, 0x76, 0xe9,
455 0x8d, 0xf5, 0x49, 0xaf, 0x11, 0xbe, 0xe4, 0xd4, 0x48, 0x92, 0xb6, 0x5b,
456 0xc2, 0x04, 0xd4, 0x0c, 0x5c, 0x8b, 0xe3, 0xfa, 0x29, 0x63, 0x86, 0xb4,
457 0x10, 0xad, 0x32, 0x07, 0x85, 0xe2, 0x43, 0x76, 0x16, 0x90, 0xab, 0xdf,
458 0xb3, 0x36, 0x0a, 0xc4, 0x49, 0x7b, 0x95, 0x48, 0x50, 0x72, 0x8f, 0x7d,
459 0xf4, 0xfa, 0x60, 0xc1 };
461 unsigned char p_data[] = {
462 0x00, 0xed, 0xf7, 0xa7, 0x00, 0x5a, 0xbb, 0xd1, 0x52, 0x65, 0x9b, 0xec,
463 0xfe, 0x27, 0x8b, 0xe2, 0xbe, 0x40, 0x8c, 0x2f, 0x6f, 0xb4, 0x26, 0xb2,
464 0xbe, 0x45, 0x4b, 0x3b, 0x5a, 0xaa, 0xc6, 0xaa, 0xfa, 0xc1, 0x3a, 0xa9,
465 0xa1, 0xba, 0xb7, 0x86, 0x1a, 0x98, 0x15, 0x5f, 0x5c, 0x1c, 0x57, 0x78,
466 0x78, 0x6a, 0x13, 0xc2, 0x40, 0x7d, 0x07, 0x87, 0x47, 0xc6, 0x96, 0xd5,
467 0x92, 0xc9, 0x65, 0x2c, 0xfe, 0xbb, 0xe0, 0xd6, 0x76, 0x25, 0x5a, 0xa3,
468 0xdf, 0x97, 0x4b, 0x64, 0xfd, 0x3b, 0x2b, 0xbc, 0xfb, 0x80, 0xad, 0x3b,
469 0x7d, 0x1f, 0x48, 0x56, 0x27, 0xf7, 0x2f, 0x8e, 0x92, 0x07, 0xa8, 0x9f,
470 0xbc, 0x5a, 0xce, 0xfa, 0xd5, 0x67, 0xad, 0xf4, 0xbf, 0xe0, 0xc9, 0x3e,
471 0x8e, 0xb5, 0x90, 0x58, 0x54, 0x92, 0x9f, 0xda, 0x36, 0xc0, 0x0d, 0x57,
472 0xfe, 0x6c, 0x23, 0x63, 0x8b, 0xd1, 0x1e, 0x4f, 0xd3 };
474 unsigned char q_data[] = {
475 0x00, 0xd6, 0x3f, 0xf5, 0xee, 0xff, 0x4d, 0x7d, 0x8c, 0x1a, 0x85, 0x5d,
476 0x3c, 0x4f, 0x9d, 0xdf, 0xc7, 0x68, 0x27, 0x7f, 0xe4, 0x4f, 0x4f, 0xd7,
477 0xa2, 0x3b, 0xcd, 0x4a, 0x34, 0xd8, 0x55, 0x4a, 0x3e, 0x8e, 0xb3, 0xa8,
478 0xe9, 0x8a, 0xc5, 0x94, 0xd1, 0x09, 0x32, 0x4b, 0x79, 0x8d, 0x7b, 0x03,
479 0x0b, 0x5d, 0xca, 0x91, 0x41, 0xbc, 0x82, 0xc3, 0x89, 0x67, 0x4d, 0x03,
480 0x68, 0x03, 0x2d, 0x0e, 0x4e, 0x97, 0x6c, 0xf6, 0x3e, 0x1f, 0xf4, 0x50,
481 0x06, 0x5d, 0x05, 0x22, 0xf2, 0xf8, 0xf2, 0xde, 0xad, 0x2e, 0x9d, 0xc3,
482 0x97, 0x1b, 0xc3, 0x75, 0xe7, 0x86, 0xde, 0xc5, 0x11, 0x89, 0xed, 0x6a,
483 0x13, 0x14, 0x23, 0x4b, 0x98, 0x81, 0xf7, 0xd4, 0x1c, 0xee, 0x30, 0x92,
484 0x85, 0x20, 0x4f, 0x35, 0x02, 0xfa, 0xda, 0x14, 0x77, 0xfa, 0x08, 0x34,
485 0x60, 0xc7, 0x93, 0x72, 0xdc, 0xc4, 0x18, 0x70, 0xc1 };
487 memset(msgbuf, 0xef, 64);
489 ret = (TEST_ptr((p = BN_bin2bn(p_data, sizeof(p_data), NULL)))
490 && TEST_ptr((q = BN_bin2bn(q_data, sizeof(q_data), NULL)))
491 && TEST_ptr((n = BN_bin2bn(n_data, sizeof(n_data), NULL)))
492 && TEST_ptr((d = BN_bin2bn(d_data, sizeof(d_data), NULL)))
493 && TEST_ptr((e = BN_bin2bn(e_data, sizeof(e_data), NULL)))
494 && TEST_ptr((rsa = RSA_new()))
495 && TEST_ptr((md = EVP_sha256()))
496 && TEST_ptr((ctx = EVP_MD_CTX_new()))
497 && TEST_ptr((pkey = EVP_PKEY_new()))
498 && TEST_true(RSA_set0_factors(rsa, p, q))
499 && TEST_true(RSA_set0_key(rsa, n, e, d))
500 && TEST_true(EVP_PKEY_assign_RSA(pkey, rsa))
501 && TEST_true(EVP_DigestSignInit(ctx, NULL, md, NULL, pkey))
502 && TEST_true(EVP_DigestSign(ctx, sigbuf, &buflen, msgbuf, msglen)));
504 EVP_MD_CTX_free(ctx);
509 static RSA *load_key(int priv)
512 BIGNUM *pn = NULL, *pe = NULL, *pd= NULL;
514 /* RSA key extracted using > openssl genpkey -algorithm RSA -text */
515 static const unsigned char n[] = {
516 0x00, 0xbe, 0x24, 0x14, 0xf2, 0x39, 0xde, 0x19, 0xb3, 0xd7, 0x86, 0x1e, 0xf8, 0xd3, 0x97,
517 0x9f, 0x78, 0x28, 0x4c, 0xbf, 0xef, 0x03, 0x29, 0xc5, 0xeb, 0x97, 0x18, 0xdb, 0xa5, 0x17,
518 0x07, 0x57, 0x96, 0xe2, 0x45, 0x91, 0x2b, 0xd2, 0x9e, 0x28, 0x61, 0xa7, 0x8f, 0x39, 0xaa,
519 0xde, 0x94, 0x6d, 0x2b, 0x39, 0xde, 0xbe, 0xcf, 0xd7, 0x29, 0x16, 0x3a, 0x1a, 0x86, 0x2f,
520 0xff, 0x7a, 0x2f, 0x12, 0xc4, 0x8a, 0x32, 0x06, 0x6f, 0x40, 0x42, 0x37, 0xaa, 0x5f, 0xaf,
521 0x40, 0x77, 0xa5, 0x73, 0x09, 0xbf, 0xc5, 0x85, 0x79, 0xc0, 0x38, 0xd6, 0xb7, 0x2f, 0x77,
522 0xf0, 0x5a, 0xaf, 0xaf, 0xc3, 0x63, 0x4b, 0xea, 0xa2, 0x0c, 0x27, 0xcd, 0x7c, 0x77, 0xf4,
523 0x29, 0x5a, 0x69, 0xbd, 0xfe, 0x17, 0xb6, 0xc5, 0xd7, 0xc0, 0x40, 0xf9, 0x29, 0x46, 0x1f,
524 0xc0, 0x4b, 0xcf, 0x4e, 0x8f, 0x74, 0xd9, 0xc8, 0xd0, 0xde, 0x9c, 0x48, 0x57, 0xcc, 0x30,
525 0xbc, 0x06, 0x47, 0x4a, 0x8e, 0x40, 0x8a, 0xa1, 0x2a, 0x09, 0x8d, 0xe8, 0x41, 0x3d, 0x21,
526 0x52, 0xdc, 0x9c, 0xa9, 0x43, 0x63, 0x01, 0x44, 0xb3, 0xec, 0x22, 0x06, 0x29, 0xf6, 0xd8,
527 0xf6, 0x6b, 0xc3, 0x36, 0x25, 0xb0, 0x9b, 0xdb, 0x9a, 0x22, 0x51, 0x13, 0x42, 0xbd, 0x28,
528 0x0b, 0xd8, 0x5e, 0xac, 0xc7, 0x71, 0x6e, 0x78, 0xfc, 0xf4, 0x1d, 0x74, 0x9b, 0x1a, 0x19,
529 0x13, 0x56, 0x04, 0xb4, 0x33, 0x4e, 0xed, 0x54, 0x59, 0x7f, 0x71, 0x5d, 0x24, 0x18, 0x91,
530 0x51, 0x20, 0x39, 0x78, 0x4e, 0x33, 0x73, 0x96, 0xa8, 0x12, 0x2f, 0xff, 0x48, 0xc2, 0x11,
531 0x33, 0x95, 0xe5, 0xcc, 0x1a, 0xe2, 0x39, 0xd5, 0x57, 0x44, 0x51, 0x59, 0xd1, 0x35, 0x62,
532 0x16, 0x22, 0xf5, 0x52, 0x3d, 0xe0, 0x9b, 0x2d, 0x33, 0x34, 0x75, 0x13, 0x7d, 0x62, 0x70,
535 static const unsigned char e[] = {
538 static const unsigned char d[] = {
539 0x0b, 0xd3, 0x07, 0x7a, 0xb0, 0x0c, 0xb2, 0xe3, 0x5d, 0x49, 0x7f, 0xe0, 0xf4, 0x5b, 0x21,
540 0x31, 0x96, 0x2b, 0x7e, 0x32, 0xdf, 0x5a, 0xec, 0x5e, 0x10, 0x14, 0x9d, 0x99, 0xaa, 0xd8,
541 0xc3, 0xfa, 0x9c, 0x0e, 0x0c, 0x96, 0xe9, 0xa3, 0x58, 0x62, 0x68, 0xca, 0xba, 0x50, 0xc9,
542 0x04, 0x58, 0xd4, 0xe3, 0xa5, 0x99, 0x8f, 0x08, 0x2b, 0xcb, 0xe0, 0x1f, 0x84, 0xc5, 0x64,
543 0xbd, 0x48, 0xe2, 0xc1, 0x56, 0x51, 0x01, 0xb7, 0x8e, 0xca, 0xe3, 0x66, 0x70, 0xea, 0x7f,
544 0x8f, 0x45, 0x3a, 0xa6, 0x02, 0x3f, 0x16, 0xc3, 0xad, 0x57, 0x97, 0x8a, 0x37, 0x2d, 0x6d,
545 0xb4, 0xfd, 0x08, 0x98, 0x95, 0x72, 0xeb, 0xd7, 0xa9, 0x9a, 0xfa, 0xcf, 0x55, 0x10, 0x19,
546 0xf7, 0x7f, 0x7c, 0x8f, 0x49, 0xf3, 0x1d, 0xc2, 0xf2, 0xd7, 0xb3, 0x8a, 0xfc, 0x9b, 0x76,
547 0x40, 0x5c, 0xa7, 0x2f, 0x7a, 0x8a, 0x3d, 0xdf, 0xbc, 0x52, 0x69, 0x99, 0xf8, 0x4b, 0x7a,
548 0xbf, 0x11, 0x5d, 0x31, 0x41, 0x5f, 0xa3, 0xb9, 0x74, 0xaf, 0xe4, 0x08, 0x19, 0x9f, 0x88,
549 0xca, 0xfb, 0x8e, 0xab, 0xa4, 0x00, 0x31, 0xc9, 0xf1, 0x77, 0xe9, 0xe3, 0xf1, 0x98, 0xd9,
550 0x04, 0x08, 0x0c, 0x38, 0x35, 0x4b, 0xcc, 0xab, 0x22, 0xdf, 0x84, 0xea, 0xe4, 0x2e, 0x57,
551 0xa5, 0xc1, 0x91, 0x0c, 0x34, 0x3b, 0x88, 0xbc, 0x14, 0xee, 0x6e, 0xe3, 0xf0, 0xe0, 0xdc,
552 0xae, 0xd6, 0x0c, 0x9b, 0xa0, 0x6d, 0xb6, 0x92, 0x6c, 0x7e, 0x05, 0x46, 0x02, 0xbc, 0x23,
553 0xbc, 0x65, 0xe6, 0x62, 0x04, 0x19, 0xe6, 0x98, 0x67, 0x2d, 0x15, 0x0a, 0xc4, 0xea, 0xb5,
554 0x62, 0xa0, 0x54, 0xed, 0x07, 0x45, 0x3e, 0x21, 0x93, 0x3e, 0x22, 0xd0, 0xc3, 0xca, 0x37,
555 0x3c, 0xea, 0x90, 0xdd, 0xa6, 0xb1, 0x6c, 0x76, 0xce, 0x5a, 0xe1, 0xc2, 0x80, 0x1f, 0x32,
559 if (!TEST_ptr(rsa = RSA_new()))
561 pn = BN_bin2bn(n, sizeof(n), NULL);
562 pe = BN_bin2bn(e, sizeof(e), NULL);
564 pd = BN_bin2bn(d, sizeof(d), NULL);
565 if (!TEST_false(pn == NULL
567 || (priv && pd == NULL)
568 || !RSA_set0_key(rsa, pn, pe, pd))) {
578 static int test_rsa_saos(void)
581 unsigned int siglen = 0;
582 RSA *rsa_priv = NULL, *rsa_pub = NULL;
583 static const unsigned char in[256] = { 0 };
584 unsigned char sig[256];
585 /* Maximum length allowed: The 3 relates to the octet byte 0x04 followed by a 2 byte length */
586 unsigned int inlen = sizeof(in) - RSA_PKCS1_PADDING_SIZE - 3;
588 /* A generated signature when in[inlen]= { 1 }. */
589 static const unsigned char sig_mismatch[256] = {
590 0x5f, 0x64, 0xab, 0xd3, 0x86, 0xdf, 0x6e, 0x91,
591 0xa8, 0xdb, 0x9d, 0x36, 0x7a, 0x15, 0xe5, 0x75,
592 0xe4, 0x27, 0xdf, 0xeb, 0x8d, 0xaf, 0xb0, 0x60,
593 0xec, 0x36, 0x8b, 0x00, 0x36, 0xb4, 0x61, 0x38,
594 0xfe, 0xfa, 0x49, 0x55, 0xcf, 0xb7, 0xff, 0xeb,
595 0x25, 0xa5, 0x41, 0x1e, 0xaa, 0x74, 0x3d, 0x57,
596 0xed, 0x5c, 0x4a, 0x01, 0x9e, 0xb2, 0x50, 0xbc,
597 0x50, 0x15, 0xd5, 0x97, 0x93, 0x91, 0x97, 0xa3,
598 0xff, 0x67, 0x2a, 0xe9, 0x04, 0xdd, 0x31, 0x6f,
599 0x4b, 0x44, 0x4f, 0x04, 0xa0, 0x48, 0x6a, 0xc1,
600 0x8d, 0xc2, 0xf3, 0xf7, 0xc4, 0x8c, 0x29, 0xcb,
601 0x2c, 0x04, 0x8f, 0x30, 0x71, 0xbb, 0x5b, 0xf9,
602 0xf9, 0x1b, 0xe8, 0xf0, 0xe8, 0xd1, 0xcf, 0x73,
603 0xf6, 0x02, 0x45, 0x6f, 0x53, 0x25, 0x1e, 0x74,
604 0x94, 0x6e, 0xf4, 0x0d, 0x36, 0x6c, 0xa3, 0xae,
605 0x8f, 0x94, 0x05, 0xa9, 0xe9, 0x65, 0x26, 0x7f,
606 0x07, 0xc5, 0x7e, 0xab, 0xd9, 0xe9, 0x09, 0x2d,
607 0x19, 0x8c, 0x6a, 0xcc, 0xd5, 0x62, 0x04, 0xb4,
608 0x9b, 0xaf, 0x99, 0x6a, 0x7a, 0x7b, 0xef, 0x01,
609 0x9b, 0xc1, 0x46, 0x59, 0x88, 0xee, 0x8b, 0xd7,
610 0xe5, 0x35, 0xad, 0x4c, 0xb2, 0x0d, 0x93, 0xdd,
611 0x0e, 0x50, 0x36, 0x2b, 0x7b, 0x42, 0x9b, 0x59,
612 0x95, 0xe7, 0xe1, 0x36, 0x50, 0x87, 0x7c, 0xac,
613 0x47, 0x13, 0x9b, 0xa7, 0x36, 0xdf, 0x8a, 0xd7,
614 0xee, 0x7d, 0x2e, 0xa6, 0xbb, 0x31, 0x32, 0xed,
615 0x39, 0x77, 0xf2, 0x41, 0xf9, 0x2d, 0x29, 0xfc,
616 0x6d, 0x32, 0x8e, 0x35, 0x99, 0x38, 0x8b, 0xd9,
617 0xc6, 0x77, 0x09, 0xe3, 0xe3, 0x06, 0x98, 0xe1,
618 0x96, 0xe9, 0x23, 0x11, 0xeb, 0x09, 0xa2, 0x6b,
619 0x21, 0x52, 0x67, 0x94, 0x15, 0x72, 0x7e, 0xdd,
620 0x66, 0x1c, 0xe7, 0xdb, 0x0e, 0x71, 0x5d, 0x95,
621 0x9d, 0xf8, 0x8e, 0x65, 0x97, 0x2f, 0x1a, 0x86
623 /* The signature generated by RSA_private_encrypt of in[inlen] */
624 static const unsigned char no_octet_sig[256] = {
625 0x78, 0xaf, 0x3e, 0xd1, 0xbc, 0x99, 0xb3, 0x19,
626 0xa8, 0xaa, 0x64, 0x56, 0x60, 0x95, 0xa0, 0x81,
627 0xd8, 0xb4, 0xe1, 0x9c, 0xf8, 0x94, 0xfa, 0x31,
628 0xb5, 0xde, 0x90, 0x75, 0xa7, 0xdb, 0xd4, 0x7e,
629 0xda, 0x62, 0xde, 0x16, 0x78, 0x4f, 0x9b, 0xc2,
630 0xa4, 0xd4, 0x5c, 0x17, 0x4f, 0x2d, 0xf2, 0x84,
631 0x5b, 0x5d, 0x00, 0xa0, 0xcf, 0xda, 0x3f, 0xbc,
632 0x40, 0xb4, 0x4e, 0xcb, 0x18, 0xeb, 0x4b, 0x0f,
633 0xce, 0x95, 0x3a, 0x5a, 0x9c, 0x49, 0xb4, 0x63,
634 0xd4, 0xde, 0xfb, 0xe2, 0xa8, 0xf3, 0x97, 0x52,
635 0x36, 0x3e, 0xc0, 0xab, 0xc8, 0x1c, 0xef, 0xdd,
636 0xf4, 0x37, 0xbc, 0xf3, 0xc3, 0x67, 0xf6, 0xc0,
637 0x6e, 0x75, 0xa6, 0xf3, 0x7e, 0x37, 0x96, 0xf2,
638 0xbb, 0x25, 0x3a, 0xa0, 0xa8, 0x8e, 0xce, 0xa0,
639 0xce, 0x0f, 0x22, 0x2d, 0x9c, 0x30, 0x0d, 0x20,
640 0x36, 0xc6, 0x9d, 0x36, 0x5d, 0x5b, 0x3e, 0xbc,
641 0x7c, 0x55, 0x95, 0xb4, 0x69, 0x19, 0x27, 0xf6,
642 0x63, 0x78, 0x21, 0x2d, 0xcf, 0x51, 0xb0, 0x46,
643 0x44, 0x02, 0x29, 0x93, 0xa5, 0x1b, 0xda, 0x21,
644 0xb3, 0x74, 0xf6, 0x4e, 0xd0, 0xdb, 0x3d, 0x59,
645 0xfd, 0xd7, 0x88, 0xd0, 0x2f, 0x84, 0xf6, 0xb1,
646 0xaa, 0xce, 0x3e, 0xa0, 0xdc, 0x1a, 0xd0, 0xe3,
647 0x5f, 0x3c, 0xda, 0x96, 0xee, 0xce, 0xf9, 0x75,
648 0xcf, 0x8d, 0xf3, 0x03, 0x28, 0xa7, 0x39, 0xbd,
649 0x95, 0xaa, 0x73, 0xbe, 0xa5, 0x5f, 0x84, 0x33,
650 0x07, 0x49, 0xbf, 0x03, 0xf8, 0x4b, 0x46, 0xbf,
651 0x38, 0xd4, 0x9b, 0x14, 0xa7, 0x01, 0xb7, 0x1f,
652 0x12, 0x08, 0x01, 0xed, 0xcd, 0x34, 0xf5, 0xb4,
653 0x06, 0x47, 0xe0, 0x53, 0x1c, 0x7c, 0x3f, 0xb5,
654 0x30, 0x59, 0xbb, 0xe3, 0xd6, 0x7c, 0x41, 0xcc,
655 0xd2, 0x11, 0x73, 0x03, 0x77, 0x7f, 0x5f, 0xad,
656 0x4a, 0x54, 0xdf, 0x17, 0x94, 0x97, 0x5c, 0x16
659 if (!TEST_ptr(rsa_priv = load_key(1)))
661 if (!TEST_ptr(rsa_pub = load_key(0)))
663 if (!TEST_int_ge((int)sizeof(sig), RSA_size(rsa_priv)))
666 /* Test that a generated signature can be verified */
667 if (!TEST_true(RSA_sign_ASN1_OCTET_STRING(0, in, inlen, sig, &siglen,
670 if (!TEST_true(RSA_verify_ASN1_OCTET_STRING(0, in, inlen, sig, siglen, rsa_pub)))
673 /* Test sign fails if the input is too large */
674 if (!TEST_false(RSA_sign_ASN1_OCTET_STRING(0, in, inlen + 1, sig, &siglen,
678 /* Fail if there is no private signing key */
679 if (!TEST_false(RSA_sign_ASN1_OCTET_STRING(0, in, inlen, sig, &siglen,
683 /* Fail if the signature is the wrong size */
684 if (!TEST_false(RSA_verify_ASN1_OCTET_STRING(0, in, inlen, sig, siglen - 1, rsa_pub)))
687 /* Fail if the encrypted input is not octet encoded */
688 if (!TEST_false(RSA_verify_ASN1_OCTET_STRING(0, in, inlen, (unsigned char *)no_octet_sig,
689 (unsigned int)sizeof(no_octet_sig),
693 /* Fail if the signature does not match the input */
694 if (!TEST_false(RSA_verify_ASN1_OCTET_STRING(0, in, inlen, (unsigned char *)sig_mismatch,
695 (unsigned int)sizeof(sig_mismatch),
699 /* Fail if the signature is corrupt */
701 if (!TEST_false(RSA_verify_ASN1_OCTET_STRING(0, in, inlen, sig, siglen, rsa_pub)))
712 int setup_tests(void)
714 ADD_ALL_TESTS(test_rsa_pkcs1, 3);
715 ADD_ALL_TESTS(test_rsa_oaep, 3);
716 ADD_ALL_TESTS(test_rsa_security_bit, OSSL_NELEM(rsa_security_bits_cases));
717 ADD_TEST(test_rsa_saos);
718 ADD_TEST(test_EVP_rsa_legacy_key);