1# Test vectors for public key validation. 2 3# Invalid Curve Attack from 4# https://web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.html 5# https://www.nds.rub.de/media/nds/veroeffentlichungen/2015/09/14/main-full.pdf 6Curve = P-256 7Q = 04b70bf043c144935756f8f4578c369cf960ee510a5a0f90e93a373a21f0d1397f4a2e0ded57a5156bb82eb4314c37fd4155395a7e51988af289cce531b9c17192 8Result = F 9 10 11# Test vectors for Public Key Point Validation. 12# 13# These test vectors were generated by applying the patch in 14# util/generate-tests.patch to BoringSSL, and then running 15# `bssl generate-tests ecc-public-key`. 16# 17 18# X == 0, decompressed with y_bit == 0. This verifies that the 19# implementation doesn't reject zero-valued field elements (they 20# aren't scalars). 21Curve = P-256 22Q = 04000000000000000000000000000000000000000000000000000000000000000066485c780e2f83d72433bd5d84a06bb6541c2af31dae871728bf856a174f93f4 23Result = P 24 25# X == q. This is invalid because q isn't a valid field element. Some 26# broken implementations might accept this if they reduce X mod q 27# since q mod q == 0 and the Y coordinate matches the one from the 28# x == 0 test case above. 29Curve = P-256 30Q = 04ffffffff00000001000000000000000000000000ffffffffffffffffffffffff66485c780e2f83d72433bd5d84a06bb6541c2af31dae871728bf856a174f93f4 31Result = F (X is out of range) 32 33# X == 0, decompressed with y_bit == 1. 34Curve = P-256 35Q = 04000000000000000000000000000000000000000000000000000000000000000099b7a386f1d07c29dbcc42a27b5f9449abe3d50de25178e8d7407a95e8b06c0b 36Result = P 37 38# X == q, decompressed with y_bit == 1. See the previous X == q test 39# case. 40Curve = P-256 41Q = 04ffffffff00000001000000000000000000000000ffffffffffffffffffffffff99b7a386f1d07c29dbcc42a27b5f9449abe3d50de25178e8d7407a95e8b06c0b 42Result = F (X is out of range) 43 44# The largest valid X coordinate, decompressed with y_bit == 0. This 45# helps ensure that the upper bound on coordinate values is not too 46# low. 47Curve = P-256 48Q = 04ffffffff00000001000000000000000000000000fffffffffffffffffffffffce68e641309515ec1da369202838e0adda2b37040614a5f5460c616e871aa3ede 49Result = P 50 51# X == 0, decompressed with y_bit == 0. This verifies that the 52# implementation doesn't reject zero-valued field elements (they 53# aren't scalars). 54Curve = P-384 55Q = 040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000003cf99ef04f51a5ea630ba3f9f960dd593a14c9be39fd2bd215d3b4b08aaaf86bbf927f2c46e52ab06fb742b8850e521e 56Result = P 57 58# X == q. This is invalid because q isn't a valid field element. Some 59# broken implementations might accept this if they reduce X mod q 60# since q mod q == 0 and the Y coordinate matches the one from the 61# x == 0 test case above. 62Curve = P-384 63Q = 04fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff3cf99ef04f51a5ea630ba3f9f960dd593a14c9be39fd2bd215d3b4b08aaaf86bbf927f2c46e52ab06fb742b8850e521e 64Result = F (X is out of range) 65 66# X == 0, decompressed with y_bit == 1. 67Curve = P-384 68Q = 04000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c306610fb0ae5a159cf45c06069f22a6c5eb3641c602d42dea2c4b4f75550793406d80d2b91ad54f9048bd487af1ade1 69Result = P 70 71# X == q, decompressed with y_bit == 1. See the previous X == q test 72# case. 73Curve = P-384 74Q = 04fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffffc306610fb0ae5a159cf45c06069f22a6c5eb3641c602d42dea2c4b4f75550793406d80d2b91ad54f9048bd487af1ade1 75Result = F (X is out of range) 76 77# The largest valid X coordinate, decompressed with y_bit == 0. This 78# helps ensure that the upper bound on coordinate values is not too 79# low. 80Curve = P-384 81Q = 04fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000fffffffe8cdeadbbd04911a3c1931e26df3fa6439dca9c7eb286fbd46fc319f0e2bb780232baf57825fc0c1912ada2fefe84024c 82Result = P 83 84 85# RFC 5903 (IKE and IKEv2 ECDH) Test Vectors 86# Q is (grx, gry) in uncompressed encoding. 87 88Curve = P-256 89Q = 04D12DFB5289C8D4F81208B70270398C342296970A0BCCB74C736FC7554494BF6356FBF3CA366CC23E8157854C13C58D6AAC23F046ADA30F8353E74F33039872AB 90Result = P 91 92Curve = P-384 93Q = 04E558DBEF53EECDE3D3FCCFC1AEA08A89A987475D12FD950D83CFA41732BC509D0D1AC43A0336DEF96FDA41D0774A3571DCFBEC7AACF3196472169E838430367F66EEBE3C6E70C416DD5F0C68759DD1FFF83FA40142209DFF5EAAD96DB9E6386C 94Result = P 95 96# Tweaks of the RFC 5903 vectors for testing malformed (syntactically) public 97# keys 98 99Curve = P-256 100Q = "" 101Result = F (Peer public key is empty.) 102 103Curve = P-384 104Q = "" 105Result = F (Peer public key is empty.) 106 107Curve = P-256 108Q = 00 109Result = F (Peer public key is the special encoding of the point at infinity.) 110 111Curve = P-384 112Q = 00 113Result = F (Peer public key is the special encoding of the point at infinity.) 114 115Curve = P-256 116Q = 01 117Result = F (Peer public key consists of (only) an invalid encoding indicator.) 118 119Curve = P-384 120Q = 01 121Result = F (Peer public key consists of (only) an invalid encoding indicator.) 122 123Curve = P-256 124Q = 02 125Result = F (Peer public key consists of (only) a compressed encoding indicator (0x02).) 126 127Curve = P-384 128Q = 02 129Result = F (Peer public key consists of (only) a compressed encoding indicator (0x02).) 130 131Curve = P-256 132Q = 03 133Result = F (Peer public key consists of (only) a compressed encoding indicator (0x03).) 134 135Curve = P-384 136Q = 03 137Result = F (Peer public key consists of (only) a compressed encoding indicator (0x03).) 138 139Curve = P-256 140Q = 04 141Result = F (Peer public key consists of (only) a uncompressed encoding indicator.) 142 143Curve = P-384 144Q = 04 145Result = F (Peer public key consists of (only) a compressed encoding indicator.) 146 147Curve = P-256 148Q = 04 149Result = F (Peer public key consists of (only) an invalid encoding indicator (0x05).) 150 151Curve = P-384 152Q = 04 153Result = F (Peer public key consists of (only) an invalid encoding indicator (0x05).) 154 155Curve = P-256 156Q = 01D12DFB5289C8D4F81208B70270398C342296970A0BCCB74C736FC7554494BF6356FBF3CA366CC23E8157854C13C58D6AAC23F046ADA30F8353E74F33039872AB 157Result = F (Peer public key starts with a completely invalid encoding indicator byte (0x01).) 158 159Curve = P-384 160Q = 01E558DBEF53EECDE3D3FCCFC1AEA08A89A987475D12FD950D83CFA41732BC509D0D1AC43A0336DEF96FDA41D0774A3571DCFBEC7AACF3196472169E838430367F66EEBE3C6E70C416DD5F0C68759DD1FFF83FA40142209DFF5EAAD96DB9E6386C 161Result = F (Peer public key starts with a completely invalid encoding indicator byte (0x01).) 162 163Curve = P-256 164Q = 02D12DFB5289C8D4F81208B70270398C342296970A0BCCB74C736FC7554494BF6356FBF3CA366CC23E8157854C13C58D6AAC23F046ADA30F8353E74F33039872AB 165Result = F (Peer public key encoding's first byte is 0x02, should be 0x04.) 166 167Curve = P-384 168Q = 02E558DBEF53EECDE3D3FCCFC1AEA08A89A987475D12FD950D83CFA41732BC509D0D1AC43A0336DEF96FDA41D0774A3571DCFBEC7AACF3196472169E838430367F66EEBE3C6E70C416DD5F0C68759DD1FFF83FA40142209DFF5EAAD96DB9E6386C 169Result = F (Peer public key encoding's first byte is 0x02, should be 0x04.) 170 171Curve = P-256 172Q = 03D12DFB5289C8D4F81208B70270398C342296970A0BCCB74C736FC7554494BF6356FBF3CA366CC23E8157854C13C58D6AAC23F046ADA30F8353E74F33039872AB 173Result = F (Peer public key encoding's first byte is 0x03, should be 0x04.) 174 175Curve = P-384 176Q = 03E558DBEF53EECDE3D3FCCFC1AEA08A89A987475D12FD950D83CFA41732BC509D0D1AC43A0336DEF96FDA41D0774A3571DCFBEC7AACF3196472169E838430367F66EEBE3C6E70C416DD5F0C68759DD1FFF83FA40142209DFF5EAAD96DB9E6386C 177Result = F (Peer public key encoding's first byte is 0x03, should be 0x04.) 178 179Curve = P-256 180Q = 05D12DFB5289C8D4F81208B70270398C342296970A0BCCB74C736FC7554494BF6356FBF3CA366CC23E8157854C13C58D6AAC23F046ADA30F8353E74F33039872AB 181Result = F (Peer public key starts with a completely invalid encoding indicator byte (0x05).) 182 183Curve = P-384 184Q = 05E558DBEF53EECDE3D3FCCFC1AEA08A89A987475D12FD950D83CFA41732BC509D0D1AC43A0336DEF96FDA41D0774A3571DCFBEC7AACF3196472169E838430367F66EEBE3C6E70C416DD5F0C68759DD1FFF83FA40142209DFF5EAAD96DB9E6386C 185Result = F (Peer public key starts with a completely invalid encoding indicator byte (0x05).) 186 187Curve = P-256 188Q = FFD12DFB5289C8D4F81208B70270398C342296970A0BCCB74C736FC7554494BF6356FBF3CA366CC23E8157854C13C58D6AAC23F046ADA30F8353E74F33039872AB 189Result = F (Peer public key starts with a completely invalid encoding indicator byte (0xff).) 190 191Curve = P-384 192Q = FFE558DBEF53EECDE3D3FCCFC1AEA08A89A987475D12FD950D83CFA41732BC509D0D1AC43A0336DEF96FDA41D0774A3571DCFBEC7AACF3196472169E838430367F66EEBE3C6E70C416DD5F0C68759DD1FFF83FA40142209DFF5EAAD96DB9E6386C 193Result = F (Peer public key starts with a completely invalid encoding indicator byte (0xff).) 194 195Curve = P-256 196Q = D12DFB5289C8D4F81208B70270398C342296970A0BCCB74C736FC7554494BF6356FBF3CA366CC23E8157854C13C58D6AAC23F046ADA30F8353E74F33039872AB 197Result = F (Peer public key is missing the encoding indicator byte.) 198 199Curve = P-384 200Q = E558DBEF53EECDE3D3FCCFC1AEA08A89A987475D12FD950D83CFA41732BC509D0D1AC43A0336DEF96FDA41D0774A3571DCFBEC7AACF3196472169E838430367F66EEBE3C6E70C416DD5F0C68759DD1FFF83FA40142209DFF5EAAD96DB9E6386C 201Result = F (Peer public key is missing the encoding indicator byte.) 202 203Curve = P-256 204Q = 04D12DFB5289C8D4F81208B70270398C342296970A0BCCB74C736FC7554494BF6356FBF3CA366CC23E8157854C13C58D6AAC23F046ADA30F8353E74F33039872 205Result = F (Peer public key has the last byte truncated.) 206 207Curve = P-384 208Q = 04E558DBEF53EECDE3D3FCCFC1AEA08A89A987475D12FD950D83CFA41732BC509D0D1AC43A0336DEF96FDA41D0774A3571DCFBEC7AACF3196472169E838430367F66EEBE3C6E70C416DD5F0C68759DD1FFF83FA40142209DFF5EAAD96DB9E638 209Result = F (Peer public key has the last byte truncated.) 210 211Curve = P-256 212Q = 04D12DFB5289C8D4F81208B70270398C342296970A0BCCB74C736FC7554494BF63 213Result = F (Peer public key is missing the Y coordinate completely.) 214 215Curve = P-384 216Q = 04E558DBEF53EECDE3D3FCCFC1AEA08A89A987475D12FD950D83CFA41732BC509D0D1AC43A0336DEF96FDA41D0774A3571 217Result = F (Peer public key is missing the Y coordinate completely.) 218 219Curve = P-256 220Q = 02D12DFB5289C8D4F81208B70270398C342296970A0BCCB74C736FC7554494BF63 221Result = F (Peer public key is in compressed form (0x02).) 222 223Curve = P-384 224Q = 02E558DBEF53EECDE3D3FCCFC1AEA08A89A987475D12FD950D83CFA41732BC509D0D1AC43A0336DEF96FDA41D0774A3571 225Result = F (Peer public key is in compressed form (0x02).) 226 227Curve = P-256 228Q = 03D12DFB5289C8D4F81208B70270398C342296970A0BCCB74C736FC7554494BF63 229Result = F (Peer public key is in compressed form (0x03).) 230 231Curve = P-384 232Q = 03E558DBEF53EECDE3D3FCCFC1AEA08A89A987475D12FD950D83CFA41732BC509D0D1AC43A0336DEF96FDA41D0774A3571 233Result = F (Peer public key is in compressed form (0x03).) 234