2 * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 /* test vectors from p1ovect1.txt */
13 * RSA low level APIs are deprecated for public use, but still ok for
16 #include "internal/deprecated.h"
21 #include "internal/nelem.h"
23 #include <openssl/crypto.h>
24 #include <openssl/err.h>
25 #include <openssl/rand.h>
26 #include <openssl/bn.h>
30 #include <openssl/rsa.h>
34 BN_bin2bn(n, sizeof(n)-1, NULL), \
35 BN_bin2bn(e, sizeof(e)-1, NULL), \
36 BN_bin2bn(d, sizeof(d)-1, NULL)); \
37 RSA_set0_factors(key, \
38 BN_bin2bn(p, sizeof(p)-1, NULL), \
39 BN_bin2bn(q, sizeof(q)-1, NULL)); \
40 RSA_set0_crt_params(key, \
41 BN_bin2bn(dmp1, sizeof(dmp1)-1, NULL), \
42 BN_bin2bn(dmq1, sizeof(dmq1)-1, NULL), \
43 BN_bin2bn(iqmp, sizeof(iqmp)-1, NULL)); \
45 memcpy(c, ctext_ex, sizeof(ctext_ex) - 1); \
46 return sizeof(ctext_ex) - 1;
48 static int key1(RSA *key, unsigned char *c)
50 static unsigned char n[] =
51 "\x00\xAA\x36\xAB\xCE\x88\xAC\xFD\xFF\x55\x52\x3C\x7F\xC4\x52\x3F"
52 "\x90\xEF\xA0\x0D\xF3\x77\x4A\x25\x9F\x2E\x62\xB4\xC5\xD9\x9C\xB5"
53 "\xAD\xB3\x00\xA0\x28\x5E\x53\x01\x93\x0E\x0C\x70\xFB\x68\x76\x93"
54 "\x9C\xE6\x16\xCE\x62\x4A\x11\xE0\x08\x6D\x34\x1E\xBC\xAC\xA0\xA1"
57 static unsigned char e[] = "\x11";
59 static unsigned char d[] =
60 "\x0A\x03\x37\x48\x62\x64\x87\x69\x5F\x5F\x30\xBC\x38\xB9\x8B\x44"
61 "\xC2\xCD\x2D\xFF\x43\x40\x98\xCD\x20\xD8\xA1\x38\xD0\x90\xBF\x64"
62 "\x79\x7C\x3F\xA7\xA2\xCD\xCB\x3C\xD1\xE0\xBD\xBA\x26\x54\xB4\xF9"
63 "\xDF\x8E\x8A\xE5\x9D\x73\x3D\x9F\x33\xB3\x01\x62\x4A\xFD\x1D\x51";
65 static unsigned char p[] =
66 "\x00\xD8\x40\xB4\x16\x66\xB4\x2E\x92\xEA\x0D\xA3\xB4\x32\x04\xB5"
67 "\xCF\xCE\x33\x52\x52\x4D\x04\x16\xA5\xA4\x41\xE7\x00\xAF\x46\x12"
70 static unsigned char q[] =
71 "\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9"
72 "\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5A\x0F\x20\x35\x02\x8B\x9D"
75 static unsigned char dmp1[] =
76 "\x59\x0B\x95\x72\xA2\xC2\xA9\xC4\x06\x05\x9D\xC2\xAB\x2F\x1D\xAF"
77 "\xEB\x7E\x8B\x4F\x10\xA7\x54\x9E\x8E\xED\xF5\xB4\xFC\xE0\x9E\x05";
79 static unsigned char dmq1[] =
80 "\x00\x8E\x3C\x05\x21\xFE\x15\xE0\xEA\x06\xA3\x6F\xF0\xF1\x0C\x99"
81 "\x52\xC3\x5B\x7A\x75\x14\xFD\x32\x38\xB8\x0A\xAD\x52\x98\x62\x8D"
84 static unsigned char iqmp[] =
85 "\x36\x3F\xF7\x18\x9D\xA8\xE9\x0B\x1D\x34\x1F\x71\xD0\x9B\x76\xA8"
86 "\xA9\x43\xE1\x1D\x10\xB2\x4D\x24\x9F\x2D\xEA\xFE\xF8\x0C\x18\x26";
88 static unsigned char ctext_ex[] =
89 "\x1b\x8f\x05\xf9\xca\x1a\x79\x52\x6e\x53\xf3\xcc\x51\x4f\xdb\x89"
90 "\x2b\xfb\x91\x93\x23\x1e\x78\xb9\x92\xe6\x8d\x50\xa4\x80\xcb\x52"
91 "\x33\x89\x5c\x74\x95\x8d\x5d\x02\xab\x8c\x0f\xd0\x40\xeb\x58\x44"
92 "\xb0\x05\xc3\x9e\xd8\x27\x4a\x9d\xbf\xa8\x06\x71\x40\x94\x39\xd2";
97 static int key2(RSA *key, unsigned char *c)
99 static unsigned char n[] =
100 "\x00\xA3\x07\x9A\x90\xDF\x0D\xFD\x72\xAC\x09\x0C\xCC\x2A\x78\xB8"
101 "\x74\x13\x13\x3E\x40\x75\x9C\x98\xFA\xF8\x20\x4F\x35\x8A\x0B\x26"
102 "\x3C\x67\x70\xE7\x83\xA9\x3B\x69\x71\xB7\x37\x79\xD2\x71\x7B\xE8"
105 static unsigned char e[] = "\x3";
107 static unsigned char d[] =
108 "\x6C\xAF\xBC\x60\x94\xB3\xFE\x4C\x72\xB0\xB3\x32\xC6\xFB\x25\xA2"
109 "\xB7\x62\x29\x80\x4E\x68\x65\xFC\xA4\x5A\x74\xDF\x0F\x8F\xB8\x41"
110 "\x3B\x52\xC0\xD0\xE5\x3D\x9B\x59\x0F\xF1\x9B\xE7\x9F\x49\xDD\x21"
113 static unsigned char p[] =
114 "\x00\xCF\x20\x35\x02\x8B\x9D\x86\x98\x40\xB4\x16\x66\xB4\x2E\x92"
115 "\xEA\x0D\xA3\xB4\x32\x04\xB5\xCF\xCE\x91";
117 static unsigned char q[] =
118 "\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9"
119 "\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5F";
121 static unsigned char dmp1[] =
122 "\x00\x8A\x15\x78\xAC\x5D\x13\xAF\x10\x2B\x22\xB9\x99\xCD\x74\x61"
123 "\xF1\x5E\x6D\x22\xCC\x03\x23\xDF\xDF\x0B";
125 static unsigned char dmq1[] =
126 "\x00\x86\x55\x21\x4A\xC5\x4D\x8D\x4E\xCD\x61\x77\xF1\xC7\x36\x90"
127 "\xCE\x2A\x48\x2C\x8B\x05\x99\xCB\xE0\x3F";
129 static unsigned char iqmp[] =
130 "\x00\x83\xEF\xEF\xB8\xA9\xA4\x0D\x1D\xB6\xED\x98\xAD\x84\xED\x13"
131 "\x35\xDC\xC1\x08\xF3\x22\xD0\x57\xCF\x8D";
133 static unsigned char ctext_ex[] =
134 "\x14\xbd\xdd\x28\xc9\x83\x35\x19\x23\x80\xe8\xe5\x49\xb1\x58\x2a"
135 "\x8b\x40\xb4\x48\x6d\x03\xa6\xa5\x31\x1f\x1f\xd5\xf0\xa1\x80\xe4"
136 "\x17\x53\x03\x29\xa9\x34\x90\x74\xb1\x52\x13\x54\x29\x08\x24\x52"
142 static int key3(RSA *key, unsigned char *c)
144 static unsigned char n[] =
145 "\x00\xBB\xF8\x2F\x09\x06\x82\xCE\x9C\x23\x38\xAC\x2B\x9D\xA8\x71"
146 "\xF7\x36\x8D\x07\xEE\xD4\x10\x43\xA4\x40\xD6\xB6\xF0\x74\x54\xF5"
147 "\x1F\xB8\xDF\xBA\xAF\x03\x5C\x02\xAB\x61\xEA\x48\xCE\xEB\x6F\xCD"
148 "\x48\x76\xED\x52\x0D\x60\xE1\xEC\x46\x19\x71\x9D\x8A\x5B\x8B\x80"
149 "\x7F\xAF\xB8\xE0\xA3\xDF\xC7\x37\x72\x3E\xE6\xB4\xB7\xD9\x3A\x25"
150 "\x84\xEE\x6A\x64\x9D\x06\x09\x53\x74\x88\x34\xB2\x45\x45\x98\x39"
151 "\x4E\xE0\xAA\xB1\x2D\x7B\x61\xA5\x1F\x52\x7A\x9A\x41\xF6\xC1\x68"
152 "\x7F\xE2\x53\x72\x98\xCA\x2A\x8F\x59\x46\xF8\xE5\xFD\x09\x1D\xBD"
155 static unsigned char e[] = "\x11";
157 static unsigned char d[] =
158 "\x00\xA5\xDA\xFC\x53\x41\xFA\xF2\x89\xC4\xB9\x88\xDB\x30\xC1\xCD"
159 "\xF8\x3F\x31\x25\x1E\x06\x68\xB4\x27\x84\x81\x38\x01\x57\x96\x41"
160 "\xB2\x94\x10\xB3\xC7\x99\x8D\x6B\xC4\x65\x74\x5E\x5C\x39\x26\x69"
161 "\xD6\x87\x0D\xA2\xC0\x82\xA9\x39\xE3\x7F\xDC\xB8\x2E\xC9\x3E\xDA"
162 "\xC9\x7F\xF3\xAD\x59\x50\xAC\xCF\xBC\x11\x1C\x76\xF1\xA9\x52\x94"
163 "\x44\xE5\x6A\xAF\x68\xC5\x6C\x09\x2C\xD3\x8D\xC3\xBE\xF5\xD2\x0A"
164 "\x93\x99\x26\xED\x4F\x74\xA1\x3E\xDD\xFB\xE1\xA1\xCE\xCC\x48\x94"
165 "\xAF\x94\x28\xC2\xB7\xB8\x88\x3F\xE4\x46\x3A\x4B\xC8\x5B\x1C\xB3"
168 static unsigned char p[] =
169 "\x00\xEE\xCF\xAE\x81\xB1\xB9\xB3\xC9\x08\x81\x0B\x10\xA1\xB5\x60"
170 "\x01\x99\xEB\x9F\x44\xAE\xF4\xFD\xA4\x93\xB8\x1A\x9E\x3D\x84\xF6"
171 "\x32\x12\x4E\xF0\x23\x6E\x5D\x1E\x3B\x7E\x28\xFA\xE7\xAA\x04\x0A"
172 "\x2D\x5B\x25\x21\x76\x45\x9D\x1F\x39\x75\x41\xBA\x2A\x58\xFB\x65"
175 static unsigned char q[] =
176 "\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9"
177 "\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5A\x0F\x20\x35\x02\x8B\x9D"
178 "\x86\x98\x40\xB4\x16\x66\xB4\x2E\x92\xEA\x0D\xA3\xB4\x32\x04\xB5"
179 "\xCF\xCE\x33\x52\x52\x4D\x04\x16\xA5\xA4\x41\xE7\x00\xAF\x46\x15"
182 static unsigned char dmp1[] =
183 "\x54\x49\x4C\xA6\x3E\xBA\x03\x37\xE4\xE2\x40\x23\xFC\xD6\x9A\x5A"
184 "\xEB\x07\xDD\xDC\x01\x83\xA4\xD0\xAC\x9B\x54\xB0\x51\xF2\xB1\x3E"
185 "\xD9\x49\x09\x75\xEA\xB7\x74\x14\xFF\x59\xC1\xF7\x69\x2E\x9A\x2E"
186 "\x20\x2B\x38\xFC\x91\x0A\x47\x41\x74\xAD\xC9\x3C\x1F\x67\xC9\x81";
188 static unsigned char dmq1[] =
189 "\x47\x1E\x02\x90\xFF\x0A\xF0\x75\x03\x51\xB7\xF8\x78\x86\x4C\xA9"
190 "\x61\xAD\xBD\x3A\x8A\x7E\x99\x1C\x5C\x05\x56\xA9\x4C\x31\x46\xA7"
191 "\xF9\x80\x3F\x8F\x6F\x8A\xE3\x42\xE9\x31\xFD\x8A\xE4\x7A\x22\x0D"
192 "\x1B\x99\xA4\x95\x84\x98\x07\xFE\x39\xF9\x24\x5A\x98\x36\xDA\x3D";
194 static unsigned char iqmp[] =
195 "\x00\xB0\x6C\x4F\xDA\xBB\x63\x01\x19\x8D\x26\x5B\xDB\xAE\x94\x23"
196 "\xB3\x80\xF2\x71\xF7\x34\x53\x88\x50\x93\x07\x7F\xCD\x39\xE2\x11"
197 "\x9F\xC9\x86\x32\x15\x4F\x58\x83\xB1\x67\xA9\x67\xBF\x40\x2B\x4E"
198 "\x9E\x2E\x0F\x96\x56\xE6\x98\xEA\x36\x66\xED\xFB\x25\x79\x80\x39"
201 static unsigned char ctext_ex[] =
202 "\xb8\x24\x6b\x56\xa6\xed\x58\x81\xae\xb5\x85\xd9\xa2\x5b\x2a\xd7"
203 "\x90\xc4\x17\xe0\x80\x68\x1b\xf1\xac\x2b\xc3\xde\xb6\x9d\x8b\xce"
204 "\xf0\xc4\x36\x6f\xec\x40\x0a\xf0\x52\xa7\x2e\x9b\x0e\xff\xb5\xb3"
205 "\xf2\xf1\x92\xdb\xea\xca\x03\xc1\x27\x40\x05\x71\x13\xbf\x1f\x06"
206 "\x69\xac\x22\xe9\xf3\xa7\x85\x2e\x3c\x15\xd9\x13\xca\xb0\xb8\x86"
207 "\x3a\x95\xc9\x92\x94\xce\x86\x74\x21\x49\x54\x61\x03\x46\xf4\xd4"
208 "\x74\xb2\x6f\x7c\x48\xb4\x2e\xe6\x8e\x1f\x57\x2a\x1f\xc4\x02\x6a"
209 "\xc4\x56\xb4\xf5\x9f\x7b\x62\x1e\xa1\xb9\xd8\x8f\x64\x20\x2f\xb1";
214 static int rsa_setkey(RSA** key, unsigned char *ctext, int idx)
222 clen = key1(*key, ctext);
225 clen = key2(*key, ctext);
228 clen = key3(*key, ctext);
234 static int test_rsa_simple(int idx, int en_pad_type, int de_pad_type,
235 int success, unsigned char *ctext_ex, int *clen,
240 unsigned char ptext[256];
241 unsigned char ctext[256];
242 static unsigned char ptext_ex[] = "\x54\x85\x9b\x34\x2c\x49\xea\x2a";
247 plen = sizeof(ptext_ex) - 1;
248 clentmp = rsa_setkey(&key, ctext_ex, idx);
252 num = RSA_public_encrypt(plen, ptext_ex, ctext, key, en_pad_type);
253 if (!TEST_int_eq(num, clentmp))
256 num = RSA_private_decrypt(num, ctext, ptext, key, de_pad_type);
258 if (!TEST_int_gt(num, 0) || !TEST_mem_eq(ptext, num, ptext_ex, plen))
261 if (!TEST_int_lt(num, 0))
266 if (retkey != NULL) {
275 static int test_rsa_pkcs1(int idx)
277 return test_rsa_simple(idx, RSA_PKCS1_PADDING, RSA_PKCS1_PADDING, 1, NULL,
281 static int test_rsa_oaep(int idx)
285 unsigned char ptext[256];
286 static unsigned char ptext_ex[] = "\x54\x85\x9b\x34\x2c\x49\xea\x2a";
287 unsigned char ctext_ex[256];
293 if (!test_rsa_simple(idx, RSA_PKCS1_OAEP_PADDING, RSA_PKCS1_OAEP_PADDING, 1,
294 ctext_ex, &clen, &key))
297 plen = sizeof(ptext_ex) - 1;
299 /* Different ciphertexts. Try decrypting ctext_ex */
300 num = RSA_private_decrypt(clen, ctext_ex, ptext, key,
301 RSA_PKCS1_OAEP_PADDING);
302 if (num <= 0 || !TEST_mem_eq(ptext, num, ptext_ex, plen))
305 /* Try decrypting corrupted ciphertexts. */
306 for (n = 0; n < clen; ++n) {
308 num = RSA_private_decrypt(clen, ctext_ex, ptext, key,
309 RSA_PKCS1_OAEP_PADDING);
310 if (!TEST_int_le(num, 0))
315 /* Test truncated ciphertexts, as well as negative length. */
316 for (n = -1; n < clen; ++n) {
317 num = RSA_private_decrypt(n, ctext_ex, ptext, key,
318 RSA_PKCS1_OAEP_PADDING);
319 if (!TEST_int_le(num, 0))
329 static const struct {
332 } rsa_security_bits_cases[] = {
333 /* NIST SP 800-56B rev 2 (draft) Appendix D Table 5 */
339 /* NIST FIPS 140-2 IG 7.5 */
346 /* Some other values */
357 static int test_rsa_security_bit(int n)
359 static const unsigned char vals[8] = {
360 0x80, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40
362 RSA *key = RSA_new();
363 const int bits = rsa_security_bits_cases[n].bits;
364 const int result = rsa_security_bits_cases[n].r;
365 const int bytes = (bits + 7) / 8;
367 unsigned char num[2000];
369 if (!TEST_ptr(key) || !TEST_int_le(bytes, (int)sizeof(num)))
373 * It is necessary to set the RSA key in order to ask for the strength.
374 * A BN of an appropriate size is created, in general it won't have the
375 * properties necessary for RSA to function. This is okay here since
376 * the RSA key is never used.
378 memset(num, vals[bits % 8], bytes);
381 * The 'e' parameter is set to the same value as 'n'. This saves having
382 * an extra BN to hold a sensible value for 'e'. This is safe since the
383 * RSA key is not used. The 'd' parameter can be NULL safely.
385 if (TEST_true(RSA_set0_key(key, BN_bin2bn(num, bytes, NULL),
386 BN_bin2bn(num, bytes, NULL), NULL))
387 && TEST_uint_eq(RSA_security_bits(key), result))
394 static RSA *load_key(int priv)
397 BIGNUM *pn = NULL, *pe = NULL, *pd= NULL;
399 /* RSA key extracted using > openssl genpkey -algorithm RSA -text */
400 static const unsigned char n[] = {
401 0x00, 0xbe, 0x24, 0x14, 0xf2, 0x39, 0xde, 0x19, 0xb3, 0xd7, 0x86, 0x1e, 0xf8, 0xd3, 0x97,
402 0x9f, 0x78, 0x28, 0x4c, 0xbf, 0xef, 0x03, 0x29, 0xc5, 0xeb, 0x97, 0x18, 0xdb, 0xa5, 0x17,
403 0x07, 0x57, 0x96, 0xe2, 0x45, 0x91, 0x2b, 0xd2, 0x9e, 0x28, 0x61, 0xa7, 0x8f, 0x39, 0xaa,
404 0xde, 0x94, 0x6d, 0x2b, 0x39, 0xde, 0xbe, 0xcf, 0xd7, 0x29, 0x16, 0x3a, 0x1a, 0x86, 0x2f,
405 0xff, 0x7a, 0x2f, 0x12, 0xc4, 0x8a, 0x32, 0x06, 0x6f, 0x40, 0x42, 0x37, 0xaa, 0x5f, 0xaf,
406 0x40, 0x77, 0xa5, 0x73, 0x09, 0xbf, 0xc5, 0x85, 0x79, 0xc0, 0x38, 0xd6, 0xb7, 0x2f, 0x77,
407 0xf0, 0x5a, 0xaf, 0xaf, 0xc3, 0x63, 0x4b, 0xea, 0xa2, 0x0c, 0x27, 0xcd, 0x7c, 0x77, 0xf4,
408 0x29, 0x5a, 0x69, 0xbd, 0xfe, 0x17, 0xb6, 0xc5, 0xd7, 0xc0, 0x40, 0xf9, 0x29, 0x46, 0x1f,
409 0xc0, 0x4b, 0xcf, 0x4e, 0x8f, 0x74, 0xd9, 0xc8, 0xd0, 0xde, 0x9c, 0x48, 0x57, 0xcc, 0x30,
410 0xbc, 0x06, 0x47, 0x4a, 0x8e, 0x40, 0x8a, 0xa1, 0x2a, 0x09, 0x8d, 0xe8, 0x41, 0x3d, 0x21,
411 0x52, 0xdc, 0x9c, 0xa9, 0x43, 0x63, 0x01, 0x44, 0xb3, 0xec, 0x22, 0x06, 0x29, 0xf6, 0xd8,
412 0xf6, 0x6b, 0xc3, 0x36, 0x25, 0xb0, 0x9b, 0xdb, 0x9a, 0x22, 0x51, 0x13, 0x42, 0xbd, 0x28,
413 0x0b, 0xd8, 0x5e, 0xac, 0xc7, 0x71, 0x6e, 0x78, 0xfc, 0xf4, 0x1d, 0x74, 0x9b, 0x1a, 0x19,
414 0x13, 0x56, 0x04, 0xb4, 0x33, 0x4e, 0xed, 0x54, 0x59, 0x7f, 0x71, 0x5d, 0x24, 0x18, 0x91,
415 0x51, 0x20, 0x39, 0x78, 0x4e, 0x33, 0x73, 0x96, 0xa8, 0x12, 0x2f, 0xff, 0x48, 0xc2, 0x11,
416 0x33, 0x95, 0xe5, 0xcc, 0x1a, 0xe2, 0x39, 0xd5, 0x57, 0x44, 0x51, 0x59, 0xd1, 0x35, 0x62,
417 0x16, 0x22, 0xf5, 0x52, 0x3d, 0xe0, 0x9b, 0x2d, 0x33, 0x34, 0x75, 0x13, 0x7d, 0x62, 0x70,
420 static const unsigned char e[] = {
423 static const unsigned char d[] = {
424 0x0b, 0xd3, 0x07, 0x7a, 0xb0, 0x0c, 0xb2, 0xe3, 0x5d, 0x49, 0x7f, 0xe0, 0xf4, 0x5b, 0x21,
425 0x31, 0x96, 0x2b, 0x7e, 0x32, 0xdf, 0x5a, 0xec, 0x5e, 0x10, 0x14, 0x9d, 0x99, 0xaa, 0xd8,
426 0xc3, 0xfa, 0x9c, 0x0e, 0x0c, 0x96, 0xe9, 0xa3, 0x58, 0x62, 0x68, 0xca, 0xba, 0x50, 0xc9,
427 0x04, 0x58, 0xd4, 0xe3, 0xa5, 0x99, 0x8f, 0x08, 0x2b, 0xcb, 0xe0, 0x1f, 0x84, 0xc5, 0x64,
428 0xbd, 0x48, 0xe2, 0xc1, 0x56, 0x51, 0x01, 0xb7, 0x8e, 0xca, 0xe3, 0x66, 0x70, 0xea, 0x7f,
429 0x8f, 0x45, 0x3a, 0xa6, 0x02, 0x3f, 0x16, 0xc3, 0xad, 0x57, 0x97, 0x8a, 0x37, 0x2d, 0x6d,
430 0xb4, 0xfd, 0x08, 0x98, 0x95, 0x72, 0xeb, 0xd7, 0xa9, 0x9a, 0xfa, 0xcf, 0x55, 0x10, 0x19,
431 0xf7, 0x7f, 0x7c, 0x8f, 0x49, 0xf3, 0x1d, 0xc2, 0xf2, 0xd7, 0xb3, 0x8a, 0xfc, 0x9b, 0x76,
432 0x40, 0x5c, 0xa7, 0x2f, 0x7a, 0x8a, 0x3d, 0xdf, 0xbc, 0x52, 0x69, 0x99, 0xf8, 0x4b, 0x7a,
433 0xbf, 0x11, 0x5d, 0x31, 0x41, 0x5f, 0xa3, 0xb9, 0x74, 0xaf, 0xe4, 0x08, 0x19, 0x9f, 0x88,
434 0xca, 0xfb, 0x8e, 0xab, 0xa4, 0x00, 0x31, 0xc9, 0xf1, 0x77, 0xe9, 0xe3, 0xf1, 0x98, 0xd9,
435 0x04, 0x08, 0x0c, 0x38, 0x35, 0x4b, 0xcc, 0xab, 0x22, 0xdf, 0x84, 0xea, 0xe4, 0x2e, 0x57,
436 0xa5, 0xc1, 0x91, 0x0c, 0x34, 0x3b, 0x88, 0xbc, 0x14, 0xee, 0x6e, 0xe3, 0xf0, 0xe0, 0xdc,
437 0xae, 0xd6, 0x0c, 0x9b, 0xa0, 0x6d, 0xb6, 0x92, 0x6c, 0x7e, 0x05, 0x46, 0x02, 0xbc, 0x23,
438 0xbc, 0x65, 0xe6, 0x62, 0x04, 0x19, 0xe6, 0x98, 0x67, 0x2d, 0x15, 0x0a, 0xc4, 0xea, 0xb5,
439 0x62, 0xa0, 0x54, 0xed, 0x07, 0x45, 0x3e, 0x21, 0x93, 0x3e, 0x22, 0xd0, 0xc3, 0xca, 0x37,
440 0x3c, 0xea, 0x90, 0xdd, 0xa6, 0xb1, 0x6c, 0x76, 0xce, 0x5a, 0xe1, 0xc2, 0x80, 0x1f, 0x32,
444 if (!TEST_ptr(rsa = RSA_new()))
446 pn = BN_bin2bn(n, sizeof(n), NULL);
447 pe = BN_bin2bn(e, sizeof(e), NULL);
449 pd = BN_bin2bn(d, sizeof(d), NULL);
450 if (!TEST_false(pn == NULL
452 || (priv && pd == NULL)
453 || !RSA_set0_key(rsa, pn, pe, pd))) {
463 static int test_rsa_saos(void)
466 unsigned int siglen = 0;
467 RSA *rsa_priv = NULL, *rsa_pub = NULL;
468 static const unsigned char in[256] = { 0 };
469 unsigned char sig[256];
470 /* Maximum length allowed: The 3 relates to the octet byte 0x04 followed by a 2 byte length */
471 unsigned int inlen = sizeof(in) - RSA_PKCS1_PADDING_SIZE - 3;
473 /* A generated signature when in[inlen]= { 1 }. */
474 static const unsigned char sig_mismatch[256] = {
475 0x5f, 0x64, 0xab, 0xd3, 0x86, 0xdf, 0x6e, 0x91,
476 0xa8, 0xdb, 0x9d, 0x36, 0x7a, 0x15, 0xe5, 0x75,
477 0xe4, 0x27, 0xdf, 0xeb, 0x8d, 0xaf, 0xb0, 0x60,
478 0xec, 0x36, 0x8b, 0x00, 0x36, 0xb4, 0x61, 0x38,
479 0xfe, 0xfa, 0x49, 0x55, 0xcf, 0xb7, 0xff, 0xeb,
480 0x25, 0xa5, 0x41, 0x1e, 0xaa, 0x74, 0x3d, 0x57,
481 0xed, 0x5c, 0x4a, 0x01, 0x9e, 0xb2, 0x50, 0xbc,
482 0x50, 0x15, 0xd5, 0x97, 0x93, 0x91, 0x97, 0xa3,
483 0xff, 0x67, 0x2a, 0xe9, 0x04, 0xdd, 0x31, 0x6f,
484 0x4b, 0x44, 0x4f, 0x04, 0xa0, 0x48, 0x6a, 0xc1,
485 0x8d, 0xc2, 0xf3, 0xf7, 0xc4, 0x8c, 0x29, 0xcb,
486 0x2c, 0x04, 0x8f, 0x30, 0x71, 0xbb, 0x5b, 0xf9,
487 0xf9, 0x1b, 0xe8, 0xf0, 0xe8, 0xd1, 0xcf, 0x73,
488 0xf6, 0x02, 0x45, 0x6f, 0x53, 0x25, 0x1e, 0x74,
489 0x94, 0x6e, 0xf4, 0x0d, 0x36, 0x6c, 0xa3, 0xae,
490 0x8f, 0x94, 0x05, 0xa9, 0xe9, 0x65, 0x26, 0x7f,
491 0x07, 0xc5, 0x7e, 0xab, 0xd9, 0xe9, 0x09, 0x2d,
492 0x19, 0x8c, 0x6a, 0xcc, 0xd5, 0x62, 0x04, 0xb4,
493 0x9b, 0xaf, 0x99, 0x6a, 0x7a, 0x7b, 0xef, 0x01,
494 0x9b, 0xc1, 0x46, 0x59, 0x88, 0xee, 0x8b, 0xd7,
495 0xe5, 0x35, 0xad, 0x4c, 0xb2, 0x0d, 0x93, 0xdd,
496 0x0e, 0x50, 0x36, 0x2b, 0x7b, 0x42, 0x9b, 0x59,
497 0x95, 0xe7, 0xe1, 0x36, 0x50, 0x87, 0x7c, 0xac,
498 0x47, 0x13, 0x9b, 0xa7, 0x36, 0xdf, 0x8a, 0xd7,
499 0xee, 0x7d, 0x2e, 0xa6, 0xbb, 0x31, 0x32, 0xed,
500 0x39, 0x77, 0xf2, 0x41, 0xf9, 0x2d, 0x29, 0xfc,
501 0x6d, 0x32, 0x8e, 0x35, 0x99, 0x38, 0x8b, 0xd9,
502 0xc6, 0x77, 0x09, 0xe3, 0xe3, 0x06, 0x98, 0xe1,
503 0x96, 0xe9, 0x23, 0x11, 0xeb, 0x09, 0xa2, 0x6b,
504 0x21, 0x52, 0x67, 0x94, 0x15, 0x72, 0x7e, 0xdd,
505 0x66, 0x1c, 0xe7, 0xdb, 0x0e, 0x71, 0x5d, 0x95,
506 0x9d, 0xf8, 0x8e, 0x65, 0x97, 0x2f, 0x1a, 0x86
508 /* The signature generated by RSA_private_encrypt of in[inlen] */
509 static const unsigned char no_octet_sig[256] = {
510 0x78, 0xaf, 0x3e, 0xd1, 0xbc, 0x99, 0xb3, 0x19,
511 0xa8, 0xaa, 0x64, 0x56, 0x60, 0x95, 0xa0, 0x81,
512 0xd8, 0xb4, 0xe1, 0x9c, 0xf8, 0x94, 0xfa, 0x31,
513 0xb5, 0xde, 0x90, 0x75, 0xa7, 0xdb, 0xd4, 0x7e,
514 0xda, 0x62, 0xde, 0x16, 0x78, 0x4f, 0x9b, 0xc2,
515 0xa4, 0xd4, 0x5c, 0x17, 0x4f, 0x2d, 0xf2, 0x84,
516 0x5b, 0x5d, 0x00, 0xa0, 0xcf, 0xda, 0x3f, 0xbc,
517 0x40, 0xb4, 0x4e, 0xcb, 0x18, 0xeb, 0x4b, 0x0f,
518 0xce, 0x95, 0x3a, 0x5a, 0x9c, 0x49, 0xb4, 0x63,
519 0xd4, 0xde, 0xfb, 0xe2, 0xa8, 0xf3, 0x97, 0x52,
520 0x36, 0x3e, 0xc0, 0xab, 0xc8, 0x1c, 0xef, 0xdd,
521 0xf4, 0x37, 0xbc, 0xf3, 0xc3, 0x67, 0xf6, 0xc0,
522 0x6e, 0x75, 0xa6, 0xf3, 0x7e, 0x37, 0x96, 0xf2,
523 0xbb, 0x25, 0x3a, 0xa0, 0xa8, 0x8e, 0xce, 0xa0,
524 0xce, 0x0f, 0x22, 0x2d, 0x9c, 0x30, 0x0d, 0x20,
525 0x36, 0xc6, 0x9d, 0x36, 0x5d, 0x5b, 0x3e, 0xbc,
526 0x7c, 0x55, 0x95, 0xb4, 0x69, 0x19, 0x27, 0xf6,
527 0x63, 0x78, 0x21, 0x2d, 0xcf, 0x51, 0xb0, 0x46,
528 0x44, 0x02, 0x29, 0x93, 0xa5, 0x1b, 0xda, 0x21,
529 0xb3, 0x74, 0xf6, 0x4e, 0xd0, 0xdb, 0x3d, 0x59,
530 0xfd, 0xd7, 0x88, 0xd0, 0x2f, 0x84, 0xf6, 0xb1,
531 0xaa, 0xce, 0x3e, 0xa0, 0xdc, 0x1a, 0xd0, 0xe3,
532 0x5f, 0x3c, 0xda, 0x96, 0xee, 0xce, 0xf9, 0x75,
533 0xcf, 0x8d, 0xf3, 0x03, 0x28, 0xa7, 0x39, 0xbd,
534 0x95, 0xaa, 0x73, 0xbe, 0xa5, 0x5f, 0x84, 0x33,
535 0x07, 0x49, 0xbf, 0x03, 0xf8, 0x4b, 0x46, 0xbf,
536 0x38, 0xd4, 0x9b, 0x14, 0xa7, 0x01, 0xb7, 0x1f,
537 0x12, 0x08, 0x01, 0xed, 0xcd, 0x34, 0xf5, 0xb4,
538 0x06, 0x47, 0xe0, 0x53, 0x1c, 0x7c, 0x3f, 0xb5,
539 0x30, 0x59, 0xbb, 0xe3, 0xd6, 0x7c, 0x41, 0xcc,
540 0xd2, 0x11, 0x73, 0x03, 0x77, 0x7f, 0x5f, 0xad,
541 0x4a, 0x54, 0xdf, 0x17, 0x94, 0x97, 0x5c, 0x16
544 if (!TEST_ptr(rsa_priv = load_key(1)))
546 if (!TEST_ptr(rsa_pub = load_key(0)))
548 if (!TEST_int_ge((int)sizeof(sig), RSA_size(rsa_priv)))
551 /* Test that a generated signature can be verified */
552 if (!TEST_true(RSA_sign_ASN1_OCTET_STRING(0, in, inlen, sig, &siglen,
555 if (!TEST_true(RSA_verify_ASN1_OCTET_STRING(0, in, inlen, sig, siglen, rsa_pub)))
558 /* Test sign fails if the input is too large */
559 if (!TEST_false(RSA_sign_ASN1_OCTET_STRING(0, in, inlen + 1, sig, &siglen,
563 /* Fail if there is no private signing key */
564 if (!TEST_false(RSA_sign_ASN1_OCTET_STRING(0, in, inlen, sig, &siglen,
568 /* Fail if the signature is the wrong size */
569 if (!TEST_false(RSA_verify_ASN1_OCTET_STRING(0, in, inlen, sig, siglen - 1, rsa_pub)))
572 /* Fail if the encrypted input is not octet encoded */
573 if (!TEST_false(RSA_verify_ASN1_OCTET_STRING(0, in, inlen, (unsigned char *)no_octet_sig,
574 (unsigned int)sizeof(no_octet_sig),
578 /* Fail if the signature does not match the input */
579 if (!TEST_false(RSA_verify_ASN1_OCTET_STRING(0, in, inlen, (unsigned char *)sig_mismatch,
580 (unsigned int)sizeof(sig_mismatch),
584 /* Fail if the signature is corrupt */
586 if (!TEST_false(RSA_verify_ASN1_OCTET_STRING(0, in, inlen, sig, siglen, rsa_pub)))
597 int setup_tests(void)
599 ADD_ALL_TESTS(test_rsa_pkcs1, 3);
600 ADD_ALL_TESTS(test_rsa_oaep, 3);
601 ADD_ALL_TESTS(test_rsa_security_bit, OSSL_NELEM(rsa_security_bits_cases));
602 ADD_TEST(test_rsa_saos);