1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "crypto/signature_verifier.h"
6
7 #include <stddef.h>
8 #include <stdint.h>
9
10 #include "base/macros.h"
11 #include "base/numerics/safe_conversions.h"
12 #include "testing/gtest/include/gtest/gtest.h"
13
TEST(SignatureVerifierTest,BasicTest)14 TEST(SignatureVerifierTest, BasicTest) {
15 // The input data in this test comes from real certificates.
16 //
17 // tbs_certificate ("to-be-signed certificate", the part of a certificate that
18 // is signed), signature, and algorithm come from the certificate of
19 // bugs.webkit.org.
20 //
21 // public_key_info comes from the certificate of the issuer, Go Daddy Secure
22 // Certification Authority.
23 //
24 // The bytes in the array initializers are formatted to expose the DER
25 // encoding of the ASN.1 structures.
26
27 // The data that is signed is the following ASN.1 structure:
28 // TBSCertificate ::= SEQUENCE {
29 // ... -- omitted, not important
30 // }
31 const uint8_t tbs_certificate[1017] = {
32 0x30, 0x82, 0x03, 0xf5, // a SEQUENCE of length 1013 (0x3f5)
33 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x03, 0x43, 0xdd, 0x63, 0x30, 0x0d,
34 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05,
35 0x00, 0x30, 0x81, 0xca, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04,
36 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55,
37 0x04, 0x08, 0x13, 0x07, 0x41, 0x72, 0x69, 0x7a, 0x6f, 0x6e, 0x61, 0x31,
38 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x0a, 0x53, 0x63,
39 0x6f, 0x74, 0x74, 0x73, 0x64, 0x61, 0x6c, 0x65, 0x31, 0x1a, 0x30, 0x18,
40 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x11, 0x47, 0x6f, 0x44, 0x61, 0x64,
41 0x64, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e,
42 0x31, 0x33, 0x30, 0x31, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x2a, 0x68,
43 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66,
44 0x69, 0x63, 0x61, 0x74, 0x65, 0x73, 0x2e, 0x67, 0x6f, 0x64, 0x61, 0x64,
45 0x64, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x72, 0x65, 0x70, 0x6f, 0x73,
46 0x69, 0x74, 0x6f, 0x72, 0x79, 0x31, 0x30, 0x30, 0x2e, 0x06, 0x03, 0x55,
47 0x04, 0x03, 0x13, 0x27, 0x47, 0x6f, 0x20, 0x44, 0x61, 0x64, 0x64, 0x79,
48 0x20, 0x53, 0x65, 0x63, 0x75, 0x72, 0x65, 0x20, 0x43, 0x65, 0x72, 0x74,
49 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x41, 0x75,
50 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x31, 0x11, 0x30, 0x0f, 0x06,
51 0x03, 0x55, 0x04, 0x05, 0x13, 0x08, 0x30, 0x37, 0x39, 0x36, 0x39, 0x32,
52 0x38, 0x37, 0x30, 0x1e, 0x17, 0x0d, 0x30, 0x38, 0x30, 0x33, 0x31, 0x38,
53 0x32, 0x33, 0x33, 0x35, 0x31, 0x39, 0x5a, 0x17, 0x0d, 0x31, 0x31, 0x30,
54 0x33, 0x31, 0x38, 0x32, 0x33, 0x33, 0x35, 0x31, 0x39, 0x5a, 0x30, 0x79,
55 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55,
56 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x0a,
57 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x12,
58 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x09, 0x43, 0x75, 0x70,
59 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03,
60 0x55, 0x04, 0x0a, 0x13, 0x0a, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x49,
61 0x6e, 0x63, 0x2e, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x0b,
62 0x13, 0x0c, 0x4d, 0x61, 0x63, 0x20, 0x4f, 0x53, 0x20, 0x46, 0x6f, 0x72,
63 0x67, 0x65, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13,
64 0x0c, 0x2a, 0x2e, 0x77, 0x65, 0x62, 0x6b, 0x69, 0x74, 0x2e, 0x6f, 0x72,
65 0x67, 0x30, 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
66 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x81, 0x8d, 0x00, 0x30,
67 0x81, 0x89, 0x02, 0x81, 0x81, 0x00, 0xa7, 0x62, 0x79, 0x41, 0xda, 0x28,
68 0xf2, 0xc0, 0x4f, 0xe0, 0x25, 0xaa, 0xa1, 0x2e, 0x3b, 0x30, 0x94, 0xb5,
69 0xc9, 0x26, 0x3a, 0x1b, 0xe2, 0xd0, 0xcc, 0xa2, 0x95, 0xe2, 0x91, 0xc0,
70 0xf0, 0x40, 0x9e, 0x27, 0x6e, 0xbd, 0x6e, 0xde, 0x7c, 0xb6, 0x30, 0x5c,
71 0xb8, 0x9b, 0x01, 0x2f, 0x92, 0x04, 0xa1, 0xef, 0x4a, 0xb1, 0x6c, 0xb1,
72 0x7e, 0x8e, 0xcd, 0xa6, 0xf4, 0x40, 0x73, 0x1f, 0x2c, 0x96, 0xad, 0xff,
73 0x2a, 0x6d, 0x0e, 0xba, 0x52, 0x84, 0x83, 0xb0, 0x39, 0xee, 0xc9, 0x39,
74 0xdc, 0x1e, 0x34, 0xd0, 0xd8, 0x5d, 0x7a, 0x09, 0xac, 0xa9, 0xee, 0xca,
75 0x65, 0xf6, 0x85, 0x3a, 0x6b, 0xee, 0xe4, 0x5c, 0x5e, 0xf8, 0xda, 0xd1,
76 0xce, 0x88, 0x47, 0xcd, 0x06, 0x21, 0xe0, 0xb9, 0x4b, 0xe4, 0x07, 0xcb,
77 0x57, 0xdc, 0xca, 0x99, 0x54, 0xf7, 0x0e, 0xd5, 0x17, 0x95, 0x05, 0x2e,
78 0xe9, 0xb1, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0xce, 0x30,
79 0x82, 0x01, 0xca, 0x30, 0x09, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x02,
80 0x30, 0x00, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03,
81 0x02, 0x05, 0xa0, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x04, 0x16,
82 0x30, 0x14, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01,
83 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x02, 0x30, 0x57,
84 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x50, 0x30, 0x4e, 0x30, 0x4c, 0xa0,
85 0x4a, 0xa0, 0x48, 0x86, 0x46, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f,
86 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x73,
87 0x2e, 0x67, 0x6f, 0x64, 0x61, 0x64, 0x64, 0x79, 0x2e, 0x63, 0x6f, 0x6d,
88 0x2f, 0x72, 0x65, 0x70, 0x6f, 0x73, 0x69, 0x74, 0x6f, 0x72, 0x79, 0x2f,
89 0x67, 0x6f, 0x64, 0x61, 0x64, 0x64, 0x79, 0x65, 0x78, 0x74, 0x65, 0x6e,
90 0x64, 0x65, 0x64, 0x69, 0x73, 0x73, 0x75, 0x69, 0x6e, 0x67, 0x33, 0x2e,
91 0x63, 0x72, 0x6c, 0x30, 0x52, 0x06, 0x03, 0x55, 0x1d, 0x20, 0x04, 0x4b,
92 0x30, 0x49, 0x30, 0x47, 0x06, 0x0b, 0x60, 0x86, 0x48, 0x01, 0x86, 0xfd,
93 0x6d, 0x01, 0x07, 0x17, 0x02, 0x30, 0x38, 0x30, 0x36, 0x06, 0x08, 0x2b,
94 0x06, 0x01, 0x05, 0x05, 0x07, 0x02, 0x01, 0x16, 0x2a, 0x68, 0x74, 0x74,
95 0x70, 0x3a, 0x2f, 0x2f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63,
96 0x61, 0x74, 0x65, 0x73, 0x2e, 0x67, 0x6f, 0x64, 0x61, 0x64, 0x64, 0x79,
97 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x72, 0x65, 0x70, 0x6f, 0x73, 0x69, 0x74,
98 0x6f, 0x72, 0x79, 0x30, 0x7f, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05,
99 0x07, 0x01, 0x01, 0x04, 0x73, 0x30, 0x71, 0x30, 0x23, 0x06, 0x08, 0x2b,
100 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x86, 0x17, 0x68, 0x74, 0x74,
101 0x70, 0x3a, 0x2f, 0x2f, 0x6f, 0x63, 0x73, 0x70, 0x2e, 0x67, 0x6f, 0x64,
102 0x61, 0x64, 0x64, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x4a, 0x06, 0x08,
103 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x02, 0x86, 0x3e, 0x68, 0x74,
104 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69,
105 0x63, 0x61, 0x74, 0x65, 0x73, 0x2e, 0x67, 0x6f, 0x64, 0x61, 0x64, 0x64,
106 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x72, 0x65, 0x70, 0x6f, 0x73, 0x69,
107 0x74, 0x6f, 0x72, 0x79, 0x2f, 0x67, 0x64, 0x5f, 0x69, 0x6e, 0x74, 0x65,
108 0x72, 0x6d, 0x65, 0x64, 0x69, 0x61, 0x74, 0x65, 0x2e, 0x63, 0x72, 0x74,
109 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x48,
110 0xdf, 0x60, 0x32, 0xcc, 0x89, 0x01, 0xb6, 0xdc, 0x2f, 0xe3, 0x73, 0xb5,
111 0x9c, 0x16, 0x58, 0x32, 0x68, 0xa9, 0xc3, 0x30, 0x1f, 0x06, 0x03, 0x55,
112 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0xfd, 0xac, 0x61, 0x32,
113 0x93, 0x6c, 0x45, 0xd6, 0xe2, 0xee, 0x85, 0x5f, 0x9a, 0xba, 0xe7, 0x76,
114 0x99, 0x68, 0xcc, 0xe7, 0x30, 0x23, 0x06, 0x03, 0x55, 0x1d, 0x11, 0x04,
115 0x1c, 0x30, 0x1a, 0x82, 0x0c, 0x2a, 0x2e, 0x77, 0x65, 0x62, 0x6b, 0x69,
116 0x74, 0x2e, 0x6f, 0x72, 0x67, 0x82, 0x0a, 0x77, 0x65, 0x62, 0x6b, 0x69,
117 0x74, 0x2e, 0x6f, 0x72, 0x67};
118
119 // RSA signature, a big integer in the big-endian byte order.
120 const uint8_t signature[256] = {
121 0x1e, 0x6a, 0xe7, 0xe0, 0x4f, 0xe7, 0x4d, 0xd0, 0x69, 0x7c, 0xf8, 0x8f,
122 0x99, 0xb4, 0x18, 0x95, 0x36, 0x24, 0x0f, 0x0e, 0xa3, 0xea, 0x34, 0x37,
123 0xf4, 0x7d, 0xd5, 0x92, 0x35, 0x53, 0x72, 0x76, 0x3f, 0x69, 0xf0, 0x82,
124 0x56, 0xe3, 0x94, 0x7a, 0x1d, 0x1a, 0x81, 0xaf, 0x9f, 0xc7, 0x43, 0x01,
125 0x64, 0xd3, 0x7c, 0x0d, 0xc8, 0x11, 0x4e, 0x4a, 0xe6, 0x1a, 0xc3, 0x01,
126 0x74, 0xe8, 0x35, 0x87, 0x5c, 0x61, 0xaa, 0x8a, 0x46, 0x06, 0xbe, 0x98,
127 0x95, 0x24, 0x9e, 0x01, 0xe3, 0xe6, 0xa0, 0x98, 0xee, 0x36, 0x44, 0x56,
128 0x8d, 0x23, 0x9c, 0x65, 0xea, 0x55, 0x6a, 0xdf, 0x66, 0xee, 0x45, 0xe8,
129 0xa0, 0xe9, 0x7d, 0x9a, 0xba, 0x94, 0xc5, 0xc8, 0xc4, 0x4b, 0x98, 0xff,
130 0x9a, 0x01, 0x31, 0x6d, 0xf9, 0x2b, 0x58, 0xe7, 0xe7, 0x2a, 0xc5, 0x4d,
131 0xbb, 0xbb, 0xcd, 0x0d, 0x70, 0xe1, 0xad, 0x03, 0xf5, 0xfe, 0xf4, 0x84,
132 0x71, 0x08, 0xd2, 0xbc, 0x04, 0x7b, 0x26, 0x1c, 0xa8, 0x0f, 0x9c, 0xd8,
133 0x12, 0x6a, 0x6f, 0x2b, 0x67, 0xa1, 0x03, 0x80, 0x9a, 0x11, 0x0b, 0xe9,
134 0xe0, 0xb5, 0xb3, 0xb8, 0x19, 0x4e, 0x0c, 0xa4, 0xd9, 0x2b, 0x3b, 0xc2,
135 0xca, 0x20, 0xd3, 0x0c, 0xa4, 0xff, 0x93, 0x13, 0x1f, 0xfc, 0xba, 0x94,
136 0x93, 0x8c, 0x64, 0x15, 0x2e, 0x28, 0xa9, 0x55, 0x8c, 0x2c, 0x48, 0xd3,
137 0xd3, 0xc1, 0x50, 0x69, 0x19, 0xe8, 0x34, 0xd3, 0xf1, 0x04, 0x9f, 0x0a,
138 0x7a, 0x21, 0x87, 0xbf, 0xb9, 0x59, 0x37, 0x2e, 0xf4, 0x71, 0xa5, 0x3e,
139 0xbe, 0xcd, 0x70, 0x83, 0x18, 0xf8, 0x8a, 0x72, 0x85, 0x45, 0x1f, 0x08,
140 0x01, 0x6f, 0x37, 0xf5, 0x2b, 0x7b, 0xea, 0xb9, 0x8b, 0xa3, 0xcc, 0xfd,
141 0x35, 0x52, 0xdd, 0x66, 0xde, 0x4f, 0x30, 0xc5, 0x73, 0x81, 0xb6, 0xe8,
142 0x3c, 0xd8, 0x48, 0x8a};
143
144 // The public key is specified as the following ASN.1 structure:
145 // SubjectPublicKeyInfo ::= SEQUENCE {
146 // algorithm AlgorithmIdentifier,
147 // subjectPublicKey BIT STRING }
148 const uint8_t public_key_info[294] = {
149 0x30, 0x82, 0x01, 0x22, // a SEQUENCE of length 290 (0x122)
150 // algorithm
151 0x30, 0x0d, // a SEQUENCE of length 13
152 0x06, 0x09, // an OBJECT IDENTIFIER of length 9
153 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05,
154 0x00, // a NULL of length 0
155 // subjectPublicKey
156 0x03, 0x82, 0x01, 0x0f, // a BIT STRING of length 271 (0x10f)
157 0x00, // number of unused bits
158 0x30, 0x82, 0x01, 0x0a, // a SEQUENCE of length 266 (0x10a)
159 // modulus
160 0x02, 0x82, 0x01, 0x01, // an INTEGER of length 257 (0x101)
161 0x00, 0xc4, 0x2d, 0xd5, 0x15, 0x8c, 0x9c, 0x26, 0x4c, 0xec, 0x32, 0x35,
162 0xeb, 0x5f, 0xb8, 0x59, 0x01, 0x5a, 0xa6, 0x61, 0x81, 0x59, 0x3b, 0x70,
163 0x63, 0xab, 0xe3, 0xdc, 0x3d, 0xc7, 0x2a, 0xb8, 0xc9, 0x33, 0xd3, 0x79,
164 0xe4, 0x3a, 0xed, 0x3c, 0x30, 0x23, 0x84, 0x8e, 0xb3, 0x30, 0x14, 0xb6,
165 0xb2, 0x87, 0xc3, 0x3d, 0x95, 0x54, 0x04, 0x9e, 0xdf, 0x99, 0xdd, 0x0b,
166 0x25, 0x1e, 0x21, 0xde, 0x65, 0x29, 0x7e, 0x35, 0xa8, 0xa9, 0x54, 0xeb,
167 0xf6, 0xf7, 0x32, 0x39, 0xd4, 0x26, 0x55, 0x95, 0xad, 0xef, 0xfb, 0xfe,
168 0x58, 0x86, 0xd7, 0x9e, 0xf4, 0x00, 0x8d, 0x8c, 0x2a, 0x0c, 0xbd, 0x42,
169 0x04, 0xce, 0xa7, 0x3f, 0x04, 0xf6, 0xee, 0x80, 0xf2, 0xaa, 0xef, 0x52,
170 0xa1, 0x69, 0x66, 0xda, 0xbe, 0x1a, 0xad, 0x5d, 0xda, 0x2c, 0x66, 0xea,
171 0x1a, 0x6b, 0xbb, 0xe5, 0x1a, 0x51, 0x4a, 0x00, 0x2f, 0x48, 0xc7, 0x98,
172 0x75, 0xd8, 0xb9, 0x29, 0xc8, 0xee, 0xf8, 0x66, 0x6d, 0x0a, 0x9c, 0xb3,
173 0xf3, 0xfc, 0x78, 0x7c, 0xa2, 0xf8, 0xa3, 0xf2, 0xb5, 0xc3, 0xf3, 0xb9,
174 0x7a, 0x91, 0xc1, 0xa7, 0xe6, 0x25, 0x2e, 0x9c, 0xa8, 0xed, 0x12, 0x65,
175 0x6e, 0x6a, 0xf6, 0x12, 0x44, 0x53, 0x70, 0x30, 0x95, 0xc3, 0x9c, 0x2b,
176 0x58, 0x2b, 0x3d, 0x08, 0x74, 0x4a, 0xf2, 0xbe, 0x51, 0xb0, 0xbf, 0x87,
177 0xd0, 0x4c, 0x27, 0x58, 0x6b, 0xb5, 0x35, 0xc5, 0x9d, 0xaf, 0x17, 0x31,
178 0xf8, 0x0b, 0x8f, 0xee, 0xad, 0x81, 0x36, 0x05, 0x89, 0x08, 0x98, 0xcf,
179 0x3a, 0xaf, 0x25, 0x87, 0xc0, 0x49, 0xea, 0xa7, 0xfd, 0x67, 0xf7, 0x45,
180 0x8e, 0x97, 0xcc, 0x14, 0x39, 0xe2, 0x36, 0x85, 0xb5, 0x7e, 0x1a, 0x37,
181 0xfd, 0x16, 0xf6, 0x71, 0x11, 0x9a, 0x74, 0x30, 0x16, 0xfe, 0x13, 0x94,
182 0xa3, 0x3f, 0x84, 0x0d, 0x4f,
183 // public exponent
184 0x02, 0x03, // an INTEGER of length 3
185 0x01, 0x00, 0x01};
186
187 // We use the signature verifier to perform four signature verification
188 // tests.
189 crypto::SignatureVerifier verifier;
190 bool ok;
191
192 // Test 1: feed all of the data to the verifier at once (a single
193 // VerifyUpdate call).
194 ok = verifier.VerifyInit(crypto::SignatureVerifier::RSA_PKCS1_SHA1, signature,
195 sizeof(signature), public_key_info,
196 sizeof(public_key_info));
197 EXPECT_TRUE(ok);
198 verifier.VerifyUpdate(tbs_certificate, sizeof(tbs_certificate));
199 ok = verifier.VerifyFinal();
200 EXPECT_TRUE(ok);
201
202 // Test 2: feed the data to the verifier in three parts (three VerifyUpdate
203 // calls).
204 ok = verifier.VerifyInit(crypto::SignatureVerifier::RSA_PKCS1_SHA1, signature,
205 sizeof(signature), public_key_info,
206 sizeof(public_key_info));
207 EXPECT_TRUE(ok);
208 verifier.VerifyUpdate(tbs_certificate, 256);
209 verifier.VerifyUpdate(tbs_certificate + 256, 256);
210 verifier.VerifyUpdate(tbs_certificate + 512, sizeof(tbs_certificate) - 512);
211 ok = verifier.VerifyFinal();
212 EXPECT_TRUE(ok);
213
214 // Test 3: verify the signature with incorrect data.
215 uint8_t bad_tbs_certificate[sizeof(tbs_certificate)];
216 memcpy(bad_tbs_certificate, tbs_certificate, sizeof(tbs_certificate));
217 bad_tbs_certificate[10] += 1; // Corrupt one byte of the data.
218 ok = verifier.VerifyInit(crypto::SignatureVerifier::RSA_PKCS1_SHA1, signature,
219 sizeof(signature), public_key_info,
220 sizeof(public_key_info));
221 EXPECT_TRUE(ok);
222 verifier.VerifyUpdate(bad_tbs_certificate, sizeof(bad_tbs_certificate));
223 ok = verifier.VerifyFinal();
224 EXPECT_FALSE(ok);
225
226 // Test 4: verify a bad signature.
227 uint8_t bad_signature[sizeof(signature)];
228 memcpy(bad_signature, signature, sizeof(signature));
229 bad_signature[10] += 1; // Corrupt one byte of the signature.
230 ok = verifier.VerifyInit(crypto::SignatureVerifier::RSA_PKCS1_SHA1,
231 bad_signature, sizeof(bad_signature),
232 public_key_info, sizeof(public_key_info));
233
234 // A crypto library (e.g., NSS) may detect that the signature is corrupted
235 // and cause VerifyInit to return false, so it is fine for 'ok' to be false.
236 if (ok) {
237 verifier.VerifyUpdate(tbs_certificate, sizeof(tbs_certificate));
238 ok = verifier.VerifyFinal();
239 EXPECT_FALSE(ok);
240 }
241
242 // Test 5: import an invalid key.
243 uint8_t bad_public_key_info[sizeof(public_key_info)];
244 memcpy(bad_public_key_info, public_key_info, sizeof(public_key_info));
245 bad_public_key_info[0] += 1; // Corrupt part of the SPKI syntax.
246 ok = verifier.VerifyInit(crypto::SignatureVerifier::RSA_PKCS1_SHA1, signature,
247 sizeof(signature), bad_public_key_info,
248 sizeof(bad_public_key_info));
249 EXPECT_FALSE(ok);
250
251 // Test 6: import a key with extra data.
252 uint8_t long_public_key_info[sizeof(public_key_info) + 5];
253 memset(long_public_key_info, 0, sizeof(long_public_key_info));
254 memcpy(long_public_key_info, public_key_info, sizeof(public_key_info));
255 ok = verifier.VerifyInit(crypto::SignatureVerifier::RSA_PKCS1_SHA1, signature,
256 sizeof(signature), long_public_key_info,
257 sizeof(long_public_key_info));
258 EXPECT_FALSE(ok);
259 }
260
261 //////////////////////////////////////////////////////////////////////
262 //
263 // RSA-PSS signature verification known answer test
264 //
265 //////////////////////////////////////////////////////////////////////
266
267 // The following RSA-PSS signature test vectors come from the pss-vect.txt
268 // file downloaded from
269 // ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip.
270 //
271 // For each key, 6 random messages of length between 1 and 256 octets have
272 // been RSASSA-PSS signed.
273 //
274 // Hash function: SHA-1
275 // Mask generation function: MGF1 with SHA-1
276 // Salt length: 20 octets
277
278 // Example 1: A 1024-bit RSA Key Pair"
279
280 // RSA modulus n:
281 static const char rsa_modulus_n_1[] =
282 "a5 6e 4a 0e 70 10 17 58 9a 51 87 dc 7e a8 41 d1 "
283 "56 f2 ec 0e 36 ad 52 a4 4d fe b1 e6 1f 7a d9 91 "
284 "d8 c5 10 56 ff ed b1 62 b4 c0 f2 83 a1 2a 88 a3 "
285 "94 df f5 26 ab 72 91 cb b3 07 ce ab fc e0 b1 df "
286 "d5 cd 95 08 09 6d 5b 2b 8b 6d f5 d6 71 ef 63 77 "
287 "c0 92 1c b2 3c 27 0a 70 e2 59 8e 6f f8 9d 19 f1 "
288 "05 ac c2 d3 f0 cb 35 f2 92 80 e1 38 6b 6f 64 c4 "
289 "ef 22 e1 e1 f2 0d 0c e8 cf fb 22 49 bd 9a 21 37 ";
290 // RSA public exponent e: "
291 static const char rsa_public_exponent_e_1[] =
292 "01 00 01 ";
293
294 // RSASSA-PSS Signature Example 1.1
295 // Message to be signed:
296 static const char message_1_1[] =
297 "cd c8 7d a2 23 d7 86 df 3b 45 e0 bb bc 72 13 26 "
298 "d1 ee 2a f8 06 cc 31 54 75 cc 6f 0d 9c 66 e1 b6 "
299 "23 71 d4 5c e2 39 2e 1a c9 28 44 c3 10 10 2f 15 "
300 "6a 0d 8d 52 c1 f4 c4 0b a3 aa 65 09 57 86 cb 76 "
301 "97 57 a6 56 3b a9 58 fe d0 bc c9 84 e8 b5 17 a3 "
302 "d5 f5 15 b2 3b 8a 41 e7 4a a8 67 69 3f 90 df b0 "
303 "61 a6 e8 6d fa ae e6 44 72 c0 0e 5f 20 94 57 29 "
304 "cb eb e7 7f 06 ce 78 e0 8f 40 98 fb a4 1f 9d 61 "
305 "93 c0 31 7e 8b 60 d4 b6 08 4a cb 42 d2 9e 38 08 "
306 "a3 bc 37 2d 85 e3 31 17 0f cb f7 cc 72 d0 b7 1c "
307 "29 66 48 b3 a4 d1 0f 41 62 95 d0 80 7a a6 25 ca "
308 "b2 74 4f d9 ea 8f d2 23 c4 25 37 02 98 28 bd 16 "
309 "be 02 54 6f 13 0f d2 e3 3b 93 6d 26 76 e0 8a ed "
310 "1b 73 31 8b 75 0a 01 67 d0 ";
311 // Salt:
312 static const char salt_1_1[] =
313 "de e9 59 c7 e0 64 11 36 14 20 ff 80 18 5e d5 7f "
314 "3e 67 76 af ";
315 // Signature:
316 static const char signature_1_1[] =
317 "90 74 30 8f b5 98 e9 70 1b 22 94 38 8e 52 f9 71 "
318 "fa ac 2b 60 a5 14 5a f1 85 df 52 87 b5 ed 28 87 "
319 "e5 7c e7 fd 44 dc 86 34 e4 07 c8 e0 e4 36 0b c2 "
320 "26 f3 ec 22 7f 9d 9e 54 63 8e 8d 31 f5 05 12 15 "
321 "df 6e bb 9c 2f 95 79 aa 77 59 8a 38 f9 14 b5 b9 "
322 "c1 bd 83 c4 e2 f9 f3 82 a0 d0 aa 35 42 ff ee 65 "
323 "98 4a 60 1b c6 9e b2 8d eb 27 dc a1 2c 82 c2 d4 "
324 "c3 f6 6c d5 00 f1 ff 2b 99 4d 8a 4e 30 cb b3 3c ";
325
326 // RSASSA-PSS Signature Example 1.2
327 // Message to be signed:
328 static const char message_1_2[] =
329 "85 13 84 cd fe 81 9c 22 ed 6c 4c cb 30 da eb 5c "
330 "f0 59 bc 8e 11 66 b7 e3 53 0c 4c 23 3e 2b 5f 8f "
331 "71 a1 cc a5 82 d4 3e cc 72 b1 bc a1 6d fc 70 13 "
332 "22 6b 9e ";
333 // Salt:
334 static const char salt_1_2[] =
335 "ef 28 69 fa 40 c3 46 cb 18 3d ab 3d 7b ff c9 8f "
336 "d5 6d f4 2d ";
337 // Signature:
338 static const char signature_1_2[] =
339 "3e f7 f4 6e 83 1b f9 2b 32 27 41 42 a5 85 ff ce "
340 "fb dc a7 b3 2a e9 0d 10 fb 0f 0c 72 99 84 f0 4e "
341 "f2 9a 9d f0 78 07 75 ce 43 73 9b 97 83 83 90 db "
342 "0a 55 05 e6 3d e9 27 02 8d 9d 29 b2 19 ca 2c 45 "
343 "17 83 25 58 a5 5d 69 4a 6d 25 b9 da b6 60 03 c4 "
344 "cc cd 90 78 02 19 3b e5 17 0d 26 14 7d 37 b9 35 "
345 "90 24 1b e5 1c 25 05 5f 47 ef 62 75 2c fb e2 14 "
346 "18 fa fe 98 c2 2c 4d 4d 47 72 4f db 56 69 e8 43 ";
347
348 // RSASSA-PSS Signature Example 1.3
349 // Message to be signed:
350 static const char message_1_3[] =
351 "a4 b1 59 94 17 61 c4 0c 6a 82 f2 b8 0d 1b 94 f5 "
352 "aa 26 54 fd 17 e1 2d 58 88 64 67 9b 54 cd 04 ef "
353 "8b d0 30 12 be 8d c3 7f 4b 83 af 79 63 fa ff 0d "
354 "fa 22 54 77 43 7c 48 01 7f f2 be 81 91 cf 39 55 "
355 "fc 07 35 6e ab 3f 32 2f 7f 62 0e 21 d2 54 e5 db "
356 "43 24 27 9f e0 67 e0 91 0e 2e 81 ca 2c ab 31 c7 "
357 "45 e6 7a 54 05 8e b5 0d 99 3c db 9e d0 b4 d0 29 "
358 "c0 6d 21 a9 4c a6 61 c3 ce 27 fa e1 d6 cb 20 f4 "
359 "56 4d 66 ce 47 67 58 3d 0e 5f 06 02 15 b5 90 17 "
360 "be 85 ea 84 89 39 12 7b d8 c9 c4 d4 7b 51 05 6c "
361 "03 1c f3 36 f1 7c 99 80 f3 b8 f5 b9 b6 87 8e 8b "
362 "79 7a a4 3b 88 26 84 33 3e 17 89 3f e9 ca a6 aa "
363 "29 9f 7e d1 a1 8e e2 c5 48 64 b7 b2 b9 9b 72 61 "
364 "8f b0 25 74 d1 39 ef 50 f0 19 c9 ee f4 16 97 13 "
365 "38 e7 d4 70 ";
366 // Salt:
367 static const char salt_1_3[] =
368 "71 0b 9c 47 47 d8 00 d4 de 87 f1 2a fd ce 6d f1 "
369 "81 07 cc 77 ";
370 // Signature:
371 static const char signature_1_3[] =
372 "66 60 26 fb a7 1b d3 e7 cf 13 15 7c c2 c5 1a 8e "
373 "4a a6 84 af 97 78 f9 18 49 f3 43 35 d1 41 c0 01 "
374 "54 c4 19 76 21 f9 62 4a 67 5b 5a bc 22 ee 7d 5b "
375 "aa ff aa e1 c9 ba ca 2c c3 73 b3 f3 3e 78 e6 14 "
376 "3c 39 5a 91 aa 7f ac a6 64 eb 73 3a fd 14 d8 82 "
377 "72 59 d9 9a 75 50 fa ca 50 1e f2 b0 4e 33 c2 3a "
378 "a5 1f 4b 9e 82 82 ef db 72 8c c0 ab 09 40 5a 91 "
379 "60 7c 63 69 96 1b c8 27 0d 2d 4f 39 fc e6 12 b1 ";
380
381 // RSASSA-PSS Signature Example 1.4
382 // Message to be signed:
383 static const char message_1_4[] =
384 "bc 65 67 47 fa 9e af b3 f0 ";
385 // Salt:
386 static const char salt_1_4[] =
387 "05 6f 00 98 5d e1 4d 8e f5 ce a9 e8 2f 8c 27 be "
388 "f7 20 33 5e ";
389 // Signature:
390 static const char signature_1_4[] =
391 "46 09 79 3b 23 e9 d0 93 62 dc 21 bb 47 da 0b 4f "
392 "3a 76 22 64 9a 47 d4 64 01 9b 9a ea fe 53 35 9c "
393 "17 8c 91 cd 58 ba 6b cb 78 be 03 46 a7 bc 63 7f "
394 "4b 87 3d 4b ab 38 ee 66 1f 19 96 34 c5 47 a1 ad "
395 "84 42 e0 3d a0 15 b1 36 e5 43 f7 ab 07 c0 c1 3e "
396 "42 25 b8 de 8c ce 25 d4 f6 eb 84 00 f8 1f 7e 18 "
397 "33 b7 ee 6e 33 4d 37 09 64 ca 79 fd b8 72 b4 d7 "
398 "52 23 b5 ee b0 81 01 59 1f b5 32 d1 55 a6 de 87 ";
399
400 // RSASSA-PSS Signature Example 1.5
401 // Message to be signed:
402 static const char message_1_5[] =
403 "b4 55 81 54 7e 54 27 77 0c 76 8e 8b 82 b7 55 64 "
404 "e0 ea 4e 9c 32 59 4d 6b ff 70 65 44 de 0a 87 76 "
405 "c7 a8 0b 45 76 55 0e ee 1b 2a ca bc 7e 8b 7d 3e "
406 "f7 bb 5b 03 e4 62 c1 10 47 ea dd 00 62 9a e5 75 "
407 "48 0a c1 47 0f e0 46 f1 3a 2b f5 af 17 92 1d c4 "
408 "b0 aa 8b 02 be e6 33 49 11 65 1d 7f 85 25 d1 0f "
409 "32 b5 1d 33 be 52 0d 3d df 5a 70 99 55 a3 df e7 "
410 "82 83 b9 e0 ab 54 04 6d 15 0c 17 7f 03 7f dc cc "
411 "5b e4 ea 5f 68 b5 e5 a3 8c 9d 7e dc cc c4 97 5f "
412 "45 5a 69 09 b4 ";
413 // Salt:
414 static const char salt_1_5[] =
415 "80 e7 0f f8 6a 08 de 3e c6 09 72 b3 9b 4f bf dc "
416 "ea 67 ae 8e ";
417 // Signature:
418 static const char signature_1_5[] =
419 "1d 2a ad 22 1c a4 d3 1d df 13 50 92 39 01 93 98 "
420 "e3 d1 4b 32 dc 34 dc 5a f4 ae ae a3 c0 95 af 73 "
421 "47 9c f0 a4 5e 56 29 63 5a 53 a0 18 37 76 15 b1 "
422 "6c b9 b1 3b 3e 09 d6 71 eb 71 e3 87 b8 54 5c 59 "
423 "60 da 5a 64 77 6e 76 8e 82 b2 c9 35 83 bf 10 4c "
424 "3f db 23 51 2b 7b 4e 89 f6 33 dd 00 63 a5 30 db "
425 "45 24 b0 1c 3f 38 4c 09 31 0e 31 5a 79 dc d3 d6 "
426 "84 02 2a 7f 31 c8 65 a6 64 e3 16 97 8b 75 9f ad ";
427
428 // RSASSA-PSS Signature Example 1.6
429 // Message to be signed:
430 static const char message_1_6[] =
431 "10 aa e9 a0 ab 0b 59 5d 08 41 20 7b 70 0d 48 d7 "
432 "5f ae dd e3 b7 75 cd 6b 4c c8 8a e0 6e 46 94 ec "
433 "74 ba 18 f8 52 0d 4f 5e a6 9c bb e7 cc 2b eb a4 "
434 "3e fd c1 02 15 ac 4e b3 2d c3 02 a1 f5 3d c6 c4 "
435 "35 22 67 e7 93 6c fe bf 7c 8d 67 03 57 84 a3 90 "
436 "9f a8 59 c7 b7 b5 9b 8e 39 c5 c2 34 9f 18 86 b7 "
437 "05 a3 02 67 d4 02 f7 48 6a b4 f5 8c ad 5d 69 ad "
438 "b1 7a b8 cd 0c e1 ca f5 02 5a f4 ae 24 b1 fb 87 "
439 "94 c6 07 0c c0 9a 51 e2 f9 91 13 11 e3 87 7d 00 "
440 "44 c7 1c 57 a9 93 39 50 08 80 6b 72 3a c3 83 73 "
441 "d3 95 48 18 18 52 8c 1e 70 53 73 92 82 05 35 29 "
442 "51 0e 93 5c d0 fa 77 b8 fa 53 cc 2d 47 4b d4 fb "
443 "3c c5 c6 72 d6 ff dc 90 a0 0f 98 48 71 2c 4b cf "
444 "e4 6c 60 57 36 59 b1 1e 64 57 e8 61 f0 f6 04 b6 "
445 "13 8d 14 4f 8c e4 e2 da 73 ";
446 // Salt:
447 static const char salt_1_6[] =
448 "a8 ab 69 dd 80 1f 00 74 c2 a1 fc 60 64 98 36 c6 "
449 "16 d9 96 81 ";
450 // Signature:
451 static const char signature_1_6[] =
452 "2a 34 f6 12 5e 1f 6b 0b f9 71 e8 4f bd 41 c6 32 "
453 "be 8f 2c 2a ce 7d e8 b6 92 6e 31 ff 93 e9 af 98 "
454 "7f bc 06 e5 1e 9b e1 4f 51 98 f9 1f 3f 95 3b d6 "
455 "7d a6 0a 9d f5 97 64 c3 dc 0f e0 8e 1c be f0 b7 "
456 "5f 86 8d 10 ad 3f ba 74 9f ef 59 fb 6d ac 46 a0 "
457 "d6 e5 04 36 93 31 58 6f 58 e4 62 8f 39 aa 27 89 "
458 "82 54 3b c0 ee b5 37 dc 61 95 80 19 b3 94 fb 27 "
459 "3f 21 58 58 a0 a0 1a c4 d6 50 b9 55 c6 7f 4c 58 ";
460
461 // Example 9: A 1536-bit RSA Key Pair
462
463 // RSA modulus n:
464 static const char rsa_modulus_n_9[] =
465 "e6 bd 69 2a c9 66 45 79 04 03 fd d0 f5 be b8 b9 "
466 "bf 92 ed 10 00 7f c3 65 04 64 19 dd 06 c0 5c 5b "
467 "5b 2f 48 ec f9 89 e4 ce 26 91 09 97 9c bb 40 b4 "
468 "a0 ad 24 d2 24 83 d1 ee 31 5a d4 cc b1 53 42 68 "
469 "35 26 91 c5 24 f6 dd 8e 6c 29 d2 24 cf 24 69 73 "
470 "ae c8 6c 5b f6 b1 40 1a 85 0d 1b 9a d1 bb 8c bc "
471 "ec 47 b0 6f 0f 8c 7f 45 d3 fc 8f 31 92 99 c5 43 "
472 "3d db c2 b3 05 3b 47 de d2 ec d4 a4 ca ef d6 14 "
473 "83 3d c8 bb 62 2f 31 7e d0 76 b8 05 7f e8 de 3f "
474 "84 48 0a d5 e8 3e 4a 61 90 4a 4f 24 8f b3 97 02 "
475 "73 57 e1 d3 0e 46 31 39 81 5c 6f d4 fd 5a c5 b8 "
476 "17 2a 45 23 0e cb 63 18 a0 4f 14 55 d8 4e 5a 8b ";
477 // RSA public exponent e:
478 static const char rsa_public_exponent_e_9[] =
479 "01 00 01 ";
480
481 // RSASSA-PSS Signature Example 9.1
482 // Message to be signed:
483 static const char message_9_1[] =
484 "a8 8e 26 58 55 e9 d7 ca 36 c6 87 95 f0 b3 1b 59 "
485 "1c d6 58 7c 71 d0 60 a0 b3 f7 f3 ea ef 43 79 59 "
486 "22 02 8b c2 b6 ad 46 7c fc 2d 7f 65 9c 53 85 aa "
487 "70 ba 36 72 cd de 4c fe 49 70 cc 79 04 60 1b 27 "
488 "88 72 bf 51 32 1c 4a 97 2f 3c 95 57 0f 34 45 d4 "
489 "f5 79 80 e0 f2 0d f5 48 46 e6 a5 2c 66 8f 12 88 "
490 "c0 3f 95 00 6e a3 2f 56 2d 40 d5 2a f9 fe b3 2f "
491 "0f a0 6d b6 5b 58 8a 23 7b 34 e5 92 d5 5c f9 79 "
492 "f9 03 a6 42 ef 64 d2 ed 54 2a a8 c7 7d c1 dd 76 "
493 "2f 45 a5 93 03 ed 75 e5 41 ca 27 1e 2b 60 ca 70 "
494 "9e 44 fa 06 61 13 1e 8d 5d 41 63 fd 8d 39 85 66 "
495 "ce 26 de 87 30 e7 2f 9c ca 73 76 41 c2 44 15 94 "
496 "20 63 70 28 df 0a 18 07 9d 62 08 ea 8b 47 11 a2 "
497 "c7 50 f5 ";
498 // Salt:
499 static const char salt_9_1[] =
500 "c0 a4 25 31 3d f8 d7 56 4b d2 43 4d 31 15 23 d5 "
501 "25 7e ed 80 ";
502 // Signature:
503 static const char signature_9_1[] =
504 "58 61 07 22 6c 3c e0 13 a7 c8 f0 4d 1a 6a 29 59 "
505 "bb 4b 8e 20 5b a4 3a 27 b5 0f 12 41 11 bc 35 ef "
506 "58 9b 03 9f 59 32 18 7c b6 96 d7 d9 a3 2c 0c 38 "
507 "30 0a 5c dd a4 83 4b 62 d2 eb 24 0a f3 3f 79 d1 "
508 "3d fb f0 95 bf 59 9e 0d 96 86 94 8c 19 64 74 7b "
509 "67 e8 9c 9a ba 5c d8 50 16 23 6f 56 6c c5 80 2c "
510 "b1 3e ad 51 bc 7c a6 be f3 b9 4d cb db b1 d5 70 "
511 "46 97 71 df 0e 00 b1 a8 a0 67 77 47 2d 23 16 27 "
512 "9e da e8 64 74 66 8d 4e 1e ff f9 5f 1d e6 1c 60 "
513 "20 da 32 ae 92 bb f1 65 20 fe f3 cf 4d 88 f6 11 "
514 "21 f2 4b bd 9f e9 1b 59 ca f1 23 5b 2a 93 ff 81 "
515 "fc 40 3a dd f4 eb de a8 49 34 a9 cd af 8e 1a 9e ";
516
517 // RSASSA-PSS Signature Example 9.2
518 // Message to be signed:
519 static const char message_9_2[] =
520 "c8 c9 c6 af 04 ac da 41 4d 22 7e f2 3e 08 20 c3 "
521 "73 2c 50 0d c8 72 75 e9 5b 0d 09 54 13 99 3c 26 "
522 "58 bc 1d 98 85 81 ba 87 9c 2d 20 1f 14 cb 88 ce "
523 "d1 53 a0 19 69 a7 bf 0a 7b e7 9c 84 c1 48 6b c1 "
524 "2b 3f a6 c5 98 71 b6 82 7c 8c e2 53 ca 5f ef a8 "
525 "a8 c6 90 bf 32 6e 8e 37 cd b9 6d 90 a8 2e ba b6 "
526 "9f 86 35 0e 18 22 e8 bd 53 6a 2e ";
527 // Salt:
528 static const char salt_9_2[] =
529 "b3 07 c4 3b 48 50 a8 da c2 f1 5f 32 e3 78 39 ef "
530 "8c 5c 0e 91 ";
531 // Signature:
532 static const char signature_9_2[] =
533 "80 b6 d6 43 25 52 09 f0 a4 56 76 38 97 ac 9e d2 "
534 "59 d4 59 b4 9c 28 87 e5 88 2e cb 44 34 cf d6 6d "
535 "d7 e1 69 93 75 38 1e 51 cd 7f 55 4f 2c 27 17 04 "
536 "b3 99 d4 2b 4b e2 54 0a 0e ca 61 95 1f 55 26 7f "
537 "7c 28 78 c1 22 84 2d ad b2 8b 01 bd 5f 8c 02 5f "
538 "7e 22 84 18 a6 73 c0 3d 6b c0 c7 36 d0 a2 95 46 "
539 "bd 67 f7 86 d9 d6 92 cc ea 77 8d 71 d9 8c 20 63 "
540 "b7 a7 10 92 18 7a 4d 35 af 10 81 11 d8 3e 83 ea "
541 "e4 6c 46 aa 34 27 7e 06 04 45 89 90 37 88 f1 d5 "
542 "e7 ce e2 5f b4 85 e9 29 49 11 88 14 d6 f2 c3 ee "
543 "36 14 89 01 6f 32 7f b5 bc 51 7e b5 04 70 bf fa "
544 "1a fa 5f 4c e9 aa 0c e5 b8 ee 19 bf 55 01 b9 58 ";
545
546 // RSASSA-PSS Signature Example 9.3
547 // Message to be signed:
548 static const char message_9_3[] =
549 "0a fa d4 2c cd 4f c6 06 54 a5 50 02 d2 28 f5 2a "
550 "4a 5f e0 3b 8b bb 08 ca 82 da ca 55 8b 44 db e1 "
551 "26 6e 50 c0 e7 45 a3 6d 9d 29 04 e3 40 8a bc d1 "
552 "fd 56 99 94 06 3f 4a 75 cc 72 f2 fe e2 a0 cd 89 "
553 "3a 43 af 1c 5b 8b 48 7d f0 a7 16 10 02 4e 4f 6d "
554 "df 9f 28 ad 08 13 c1 aa b9 1b cb 3c 90 64 d5 ff "
555 "74 2d ef fe a6 57 09 41 39 36 9e 5e a6 f4 a9 63 "
556 "19 a5 cc 82 24 14 5b 54 50 62 75 8f ef d1 fe 34 "
557 "09 ae 16 92 59 c6 cd fd 6b 5f 29 58 e3 14 fa ec "
558 "be 69 d2 ca ce 58 ee 55 17 9a b9 b3 e6 d1 ec c1 "
559 "4a 55 7c 5f eb e9 88 59 52 64 fc 5d a1 c5 71 46 "
560 "2e ca 79 8a 18 a1 a4 94 0c da b4 a3 e9 20 09 cc "
561 "d4 2e 1e 94 7b 13 14 e3 22 38 a2 de ce 7d 23 a8 "
562 "9b 5b 30 c7 51 fd 0a 4a 43 0d 2c 54 85 94 ";
563 // Salt:
564 static const char salt_9_3[] =
565 "9a 2b 00 7e 80 97 8b bb 19 2c 35 4e b7 da 9a ed "
566 "fc 74 db f5 ";
567 // Signature:
568 static const char signature_9_3[] =
569 "48 44 08 f3 89 8c d5 f5 34 83 f8 08 19 ef bf 27 "
570 "08 c3 4d 27 a8 b2 a6 fa e8 b3 22 f9 24 02 37 f9 "
571 "81 81 7a ca 18 46 f1 08 4d aa 6d 7c 07 95 f6 e5 "
572 "bf 1a f5 9c 38 e1 85 84 37 ce 1f 7e c4 19 b9 8c "
573 "87 36 ad f6 dd 9a 00 b1 80 6d 2b d3 ad 0a 73 77 "
574 "5e 05 f5 2d fe f3 a5 9a b4 b0 81 43 f0 df 05 cd "
575 "1a d9 d0 4b ec ec a6 da a4 a2 12 98 03 e2 00 cb "
576 "c7 77 87 ca f4 c1 d0 66 3a 6c 59 87 b6 05 95 20 "
577 "19 78 2c af 2e c1 42 6d 68 fb 94 ed 1d 4b e8 16 "
578 "a7 ed 08 1b 77 e6 ab 33 0b 3f fc 07 38 20 fe cd "
579 "e3 72 7f cb e2 95 ee 61 a0 50 a3 43 65 86 37 c3 "
580 "fd 65 9c fb 63 73 6d e3 2d 9f 90 d3 c2 f6 3e ca ";
581
582 // RSASSA-PSS Signature Example 9.4
583 // Message to be signed:
584 static const char message_9_4[] =
585 "1d fd 43 b4 6c 93 db 82 62 9b da e2 bd 0a 12 b8 "
586 "82 ea 04 c3 b4 65 f5 cf 93 02 3f 01 05 96 26 db "
587 "be 99 f2 6b b1 be 94 9d dd d1 6d c7 f3 de bb 19 "
588 "a1 94 62 7f 0b 22 44 34 df 7d 87 00 e9 e9 8b 06 "
589 "e3 60 c1 2f db e3 d1 9f 51 c9 68 4e b9 08 9e cb "
590 "b0 a2 f0 45 03 99 d3 f5 9e ac 72 94 08 5d 04 4f "
591 "53 93 c6 ce 73 74 23 d8 b8 6c 41 53 70 d3 89 e3 "
592 "0b 9f 0a 3c 02 d2 5d 00 82 e8 ad 6f 3f 1e f2 4a "
593 "45 c3 cf 82 b3 83 36 70 63 a4 d4 61 3e 42 64 f0 "
594 "1b 2d ac 2e 5a a4 20 43 f8 fb 5f 69 fa 87 1d 14 "
595 "fb 27 3e 76 7a 53 1c 40 f0 2f 34 3b c2 fb 45 a0 "
596 "c7 e0 f6 be 25 61 92 3a 77 21 1d 66 a6 e2 db b4 "
597 "3c 36 63 50 be ae 22 da 3a c2 c1 f5 07 70 96 fc "
598 "b5 c4 bf 25 5f 75 74 35 1a e0 b1 e1 f0 36 32 81 "
599 "7c 08 56 d4 a8 ba 97 af bd c8 b8 58 55 40 2b c5 "
600 "69 26 fc ec 20 9f 9e a8 ";
601 // Salt:
602 static const char salt_9_4[] =
603 "70 f3 82 bd df 4d 5d 2d d8 8b 3b c7 b7 30 8b e6 "
604 "32 b8 40 45 ";
605 // Signature:
606 static const char signature_9_4[] =
607 "84 eb eb 48 1b e5 98 45 b4 64 68 ba fb 47 1c 01 "
608 "12 e0 2b 23 5d 84 b5 d9 11 cb d1 92 6e e5 07 4a "
609 "e0 42 44 95 cb 20 e8 23 08 b8 eb b6 5f 41 9a 03 "
610 "fb 40 e7 2b 78 98 1d 88 aa d1 43 05 36 85 17 2c "
611 "97 b2 9c 8b 7b f0 ae 73 b5 b2 26 3c 40 3d a0 ed "
612 "2f 80 ff 74 50 af 78 28 eb 8b 86 f0 02 8b d2 a8 "
613 "b1 76 a4 d2 28 cc ce a1 83 94 f2 38 b0 9f f7 58 "
614 "cc 00 bc 04 30 11 52 35 57 42 f2 82 b5 4e 66 3a "
615 "91 9e 70 9d 8d a2 4a de 55 00 a7 b9 aa 50 22 6e "
616 "0c a5 29 23 e6 c2 d8 60 ec 50 ff 48 0f a5 74 77 "
617 "e8 2b 05 65 f4 37 9f 79 c7 72 d5 c2 da 80 af 9f "
618 "bf 32 5e ce 6f c2 0b 00 96 16 14 be e8 9a 18 3e ";
619
620 // RSASSA-PSS Signature Example 9.5
621 // Message to be signed:
622 static const char message_9_5[] =
623 "1b dc 6e 7c 98 fb 8c f5 4e 9b 09 7b 66 a8 31 e9 "
624 "cf e5 2d 9d 48 88 44 8e e4 b0 97 80 93 ba 1d 7d "
625 "73 ae 78 b3 a6 2b a4 ad 95 cd 28 9c cb 9e 00 52 "
626 "26 bb 3d 17 8b cc aa 82 1f b0 44 a4 e2 1e e9 76 "
627 "96 c1 4d 06 78 c9 4c 2d ae 93 b0 ad 73 92 22 18 "
628 "55 3d aa 7e 44 eb e5 77 25 a7 a4 5c c7 2b 9b 21 "
629 "38 a6 b1 7c 8d b4 11 ce 82 79 ee 12 41 af f0 a8 "
630 "be c6 f7 7f 87 ed b0 c6 9c b2 72 36 e3 43 5a 80 "
631 "0b 19 2e 4f 11 e5 19 e3 fe 30 fc 30 ea cc ca 4f "
632 "bb 41 76 90 29 bf 70 8e 81 7a 9e 68 38 05 be 67 "
633 "fa 10 09 84 68 3b 74 83 8e 3b cf fa 79 36 6e ed "
634 "1d 48 1c 76 72 91 18 83 8f 31 ba 8a 04 8a 93 c1 "
635 "be 44 24 59 8e 8d f6 32 8b 7a 77 88 0a 3f 9c 7e "
636 "2e 8d fc a8 eb 5a 26 fb 86 bd c5 56 d4 2b be 01 "
637 "d9 fa 6e d8 06 46 49 1c 93 41 ";
638 // Salt:
639 static const char salt_9_5[] =
640 "d6 89 25 7a 86 ef fa 68 21 2c 5e 0c 61 9e ca 29 "
641 "5f b9 1b 67 ";
642 // Signature:
643 static const char signature_9_5[] =
644 "82 10 2d f8 cb 91 e7 17 99 19 a0 4d 26 d3 35 d6 "
645 "4f bc 2f 87 2c 44 83 39 43 24 1d e8 45 48 10 27 "
646 "4c df 3d b5 f4 2d 42 3d b1 52 af 71 35 f7 01 42 "
647 "0e 39 b4 94 a6 7c bf d1 9f 91 19 da 23 3a 23 da "
648 "5c 64 39 b5 ba 0d 2b c3 73 ee e3 50 70 01 37 8d "
649 "4a 40 73 85 6b 7f e2 ab a0 b5 ee 93 b2 7f 4a fe "
650 "c7 d4 d1 20 92 1c 83 f6 06 76 5b 02 c1 9e 4d 6a "
651 "1a 3b 95 fa 4c 42 29 51 be 4f 52 13 10 77 ef 17 "
652 "17 97 29 cd df bd b5 69 50 db ac ee fe 78 cb 16 "
653 "64 0a 09 9e a5 6d 24 38 9e ef 10 f8 fe cb 31 ba "
654 "3e a3 b2 27 c0 a8 66 98 bb 89 e3 e9 36 39 05 bf "
655 "22 77 7b 2a 3a a5 21 b6 5b 4c ef 76 d8 3b de 4c ";
656
657 // RSASSA-PSS Signature Example 9.6
658 // Message to be signed:
659 static const char message_9_6[] =
660 "88 c7 a9 f1 36 04 01 d9 0e 53 b1 01 b6 1c 53 25 "
661 "c3 c7 5d b1 b4 11 fb eb 8e 83 0b 75 e9 6b 56 67 "
662 "0a d2 45 40 4e 16 79 35 44 ee 35 4b c6 13 a9 0c "
663 "c9 84 87 15 a7 3d b5 89 3e 7f 6d 27 98 15 c0 c1 "
664 "de 83 ef 8e 29 56 e3 a5 6e d2 6a 88 8d 7a 9c dc "
665 "d0 42 f4 b1 6b 7f a5 1e f1 a0 57 36 62 d1 6a 30 "
666 "2d 0e c5 b2 85 d2 e0 3a d9 65 29 c8 7b 3d 37 4d "
667 "b3 72 d9 5b 24 43 d0 61 b6 b1 a3 50 ba 87 80 7e "
668 "d0 83 af d1 eb 05 c3 f5 2f 4e ba 5e d2 22 77 14 "
669 "fd b5 0b 9d 9d 9d d6 81 4f 62 f6 27 2f cd 5c db "
670 "ce 7a 9e f7 97 ";
671 // Salt:
672 static const char salt_9_6[] =
673 "c2 5f 13 bf 67 d0 81 67 1a 04 81 a1 f1 82 0d 61 "
674 "3b ba 22 76 ";
675 // Signature:
676 static const char signature_9_6[] =
677 "a7 fd b0 d2 59 16 5c a2 c8 8d 00 bb f1 02 8a 86 "
678 "7d 33 76 99 d0 61 19 3b 17 a9 64 8e 14 cc bb aa "
679 "de ac aa cd ec 81 5e 75 71 29 4e bb 8a 11 7a f2 "
680 "05 fa 07 8b 47 b0 71 2c 19 9e 3a d0 51 35 c5 04 "
681 "c2 4b 81 70 51 15 74 08 02 48 79 92 ff d5 11 d4 "
682 "af c6 b8 54 49 1e b3 f0 dd 52 31 39 54 2f f1 5c "
683 "31 01 ee 85 54 35 17 c6 a3 c7 94 17 c6 7e 2d d9 "
684 "aa 74 1e 9a 29 b0 6d cb 59 3c 23 36 b3 67 0a e3 "
685 "af ba c7 c3 e7 6e 21 54 73 e8 66 e3 38 ca 24 4d "
686 "e0 0b 62 62 4d 6b 94 26 82 2c ea e9 f8 cc 46 08 "
687 "95 f4 12 50 07 3f d4 5c 5a 1e 7b 42 5c 20 4a 42 "
688 "3a 69 91 59 f6 90 3e 71 0b 37 a7 bb 2b c8 04 9f ";
689
690 // Example 10: A 2048-bit RSA Key Pair
691
692 // RSA modulus n:
693 static const char rsa_modulus_n_10[] =
694 "a5 dd 86 7a c4 cb 02 f9 0b 94 57 d4 8c 14 a7 70 "
695 "ef 99 1c 56 c3 9c 0e c6 5f d1 1a fa 89 37 ce a5 "
696 "7b 9b e7 ac 73 b4 5c 00 17 61 5b 82 d6 22 e3 18 "
697 "75 3b 60 27 c0 fd 15 7b e1 2f 80 90 fe e2 a7 ad "
698 "cd 0e ef 75 9f 88 ba 49 97 c7 a4 2d 58 c9 aa 12 "
699 "cb 99 ae 00 1f e5 21 c1 3b b5 43 14 45 a8 d5 ae "
700 "4f 5e 4c 7e 94 8a c2 27 d3 60 40 71 f2 0e 57 7e "
701 "90 5f be b1 5d fa f0 6d 1d e5 ae 62 53 d6 3a 6a "
702 "21 20 b3 1a 5d a5 da bc 95 50 60 0e 20 f2 7d 37 "
703 "39 e2 62 79 25 fe a3 cc 50 9f 21 df f0 4e 6e ea "
704 "45 49 c5 40 d6 80 9f f9 30 7e ed e9 1f ff 58 73 "
705 "3d 83 85 a2 37 d6 d3 70 5a 33 e3 91 90 09 92 07 "
706 "0d f7 ad f1 35 7c f7 e3 70 0c e3 66 7d e8 3f 17 "
707 "b8 df 17 78 db 38 1d ce 09 cb 4a d0 58 a5 11 00 "
708 "1a 73 81 98 ee 27 cf 55 a1 3b 75 45 39 90 65 82 "
709 "ec 8b 17 4b d5 8d 5d 1f 3d 76 7c 61 37 21 ae 05 ";
710 // RSA public exponent e:
711 static const char rsa_public_exponent_e_10[] =
712 "01 00 01 ";
713
714 // RSASSA-PSS Signature Example 10.1
715 // Message to be signed:
716 static const char message_10_1[] =
717 "88 31 77 e5 12 6b 9b e2 d9 a9 68 03 27 d5 37 0c "
718 "6f 26 86 1f 58 20 c4 3d a6 7a 3a d6 09 ";
719 // Salt:
720 static const char salt_10_1[] =
721 "04 e2 15 ee 6f f9 34 b9 da 70 d7 73 0c 87 34 ab "
722 "fc ec de 89 ";
723 // Signature:
724 static const char signature_10_1[] =
725 "82 c2 b1 60 09 3b 8a a3 c0 f7 52 2b 19 f8 73 54 "
726 "06 6c 77 84 7a bf 2a 9f ce 54 2d 0e 84 e9 20 c5 "
727 "af b4 9f fd fd ac e1 65 60 ee 94 a1 36 96 01 14 "
728 "8e ba d7 a0 e1 51 cf 16 33 17 91 a5 72 7d 05 f2 "
729 "1e 74 e7 eb 81 14 40 20 69 35 d7 44 76 5a 15 e7 "
730 "9f 01 5c b6 6c 53 2c 87 a6 a0 59 61 c8 bf ad 74 "
731 "1a 9a 66 57 02 28 94 39 3e 72 23 73 97 96 c0 2a "
732 "77 45 5d 0f 55 5b 0e c0 1d df 25 9b 62 07 fd 0f "
733 "d5 76 14 ce f1 a5 57 3b aa ff 4e c0 00 69 95 16 "
734 "59 b8 5f 24 30 0a 25 16 0c a8 52 2d c6 e6 72 7e "
735 "57 d0 19 d7 e6 36 29 b8 fe 5e 89 e2 5c c1 5b eb "
736 "3a 64 75 77 55 92 99 28 0b 9b 28 f7 9b 04 09 00 "
737 "0b e2 5b bd 96 40 8b a3 b4 3c c4 86 18 4d d1 c8 "
738 "e6 25 53 fa 1a f4 04 0f 60 66 3d e7 f5 e4 9c 04 "
739 "38 8e 25 7f 1c e8 9c 95 da b4 8a 31 5d 9b 66 b1 "
740 "b7 62 82 33 87 6f f2 38 52 30 d0 70 d0 7e 16 66 ";
741
742 // RSASSA-PSS Signature Example 10.2
743 // Message to be signed:
744 static const char message_10_2[] =
745 "dd 67 0a 01 46 58 68 ad c9 3f 26 13 19 57 a5 0c "
746 "52 fb 77 7c db aa 30 89 2c 9e 12 36 11 64 ec 13 "
747 "97 9d 43 04 81 18 e4 44 5d b8 7b ee 58 dd 98 7b "
748 "34 25 d0 20 71 d8 db ae 80 70 8b 03 9d bb 64 db "
749 "d1 de 56 57 d9 fe d0 c1 18 a5 41 43 74 2e 0f f3 "
750 "c8 7f 74 e4 58 57 64 7a f3 f7 9e b0 a1 4c 9d 75 "
751 "ea 9a 1a 04 b7 cf 47 8a 89 7a 70 8f d9 88 f4 8e "
752 "80 1e db 0b 70 39 df 8c 23 bb 3c 56 f4 e8 21 ac ";
753 // Salt:
754 static const char salt_10_2[] =
755 "8b 2b dd 4b 40 fa f5 45 c7 78 dd f9 bc 1a 49 cb "
756 "57 f9 b7 1b ";
757 // Signature:
758 static const char signature_10_2[] =
759 "14 ae 35 d9 dd 06 ba 92 f7 f3 b8 97 97 8a ed 7c "
760 "d4 bf 5f f0 b5 85 a4 0b d4 6c e1 b4 2c d2 70 30 "
761 "53 bb 90 44 d6 4e 81 3d 8f 96 db 2d d7 00 7d 10 "
762 "11 8f 6f 8f 84 96 09 7a d7 5e 1f f6 92 34 1b 28 "
763 "92 ad 55 a6 33 a1 c5 5e 7f 0a 0a d5 9a 0e 20 3a "
764 "5b 82 78 ae c5 4d d8 62 2e 28 31 d8 71 74 f8 ca "
765 "ff 43 ee 6c 46 44 53 45 d8 4a 59 65 9b fb 92 ec "
766 "d4 c8 18 66 86 95 f3 47 06 f6 68 28 a8 99 59 63 "
767 "7f 2b f3 e3 25 1c 24 bd ba 4d 4b 76 49 da 00 22 "
768 "21 8b 11 9c 84 e7 9a 65 27 ec 5b 8a 5f 86 1c 15 "
769 "99 52 e2 3e c0 5e 1e 71 73 46 fa ef e8 b1 68 68 "
770 "25 bd 2b 26 2f b2 53 10 66 c0 de 09 ac de 2e 42 "
771 "31 69 07 28 b5 d8 5e 11 5a 2f 6b 92 b7 9c 25 ab "
772 "c9 bd 93 99 ff 8b cf 82 5a 52 ea 1f 56 ea 76 dd "
773 "26 f4 3b aa fa 18 bf a9 2a 50 4c bd 35 69 9e 26 "
774 "d1 dc c5 a2 88 73 85 f3 c6 32 32 f0 6f 32 44 c3 ";
775
776 // RSASSA-PSS Signature Example 10.3
777 // Message to be signed:
778 static const char message_10_3[] =
779 "48 b2 b6 a5 7a 63 c8 4c ea 85 9d 65 c6 68 28 4b "
780 "08 d9 6b dc aa be 25 2d b0 e4 a9 6c b1 ba c6 01 "
781 "93 41 db 6f be fb 8d 10 6b 0e 90 ed a6 bc c6 c6 "
782 "26 2f 37 e7 ea 9c 7e 5d 22 6b d7 df 85 ec 5e 71 "
783 "ef ff 2f 54 c5 db 57 7f f7 29 ff 91 b8 42 49 1d "
784 "e2 74 1d 0c 63 16 07 df 58 6b 90 5b 23 b9 1a f1 "
785 "3d a1 23 04 bf 83 ec a8 a7 3e 87 1f f9 db ";
786 // Salt:
787 static const char salt_10_3[] =
788 "4e 96 fc 1b 39 8f 92 b4 46 71 01 0c 0d c3 ef d6 "
789 "e2 0c 2d 73 ";
790 // Signature:
791 static const char signature_10_3[] =
792 "6e 3e 4d 7b 6b 15 d2 fb 46 01 3b 89 00 aa 5b bb "
793 "39 39 cf 2c 09 57 17 98 70 42 02 6e e6 2c 74 c5 "
794 "4c ff d5 d7 d5 7e fb bf 95 0a 0f 5c 57 4f a0 9d "
795 "3f c1 c9 f5 13 b0 5b 4f f5 0d d8 df 7e df a2 01 "
796 "02 85 4c 35 e5 92 18 01 19 a7 0c e5 b0 85 18 2a "
797 "a0 2d 9e a2 aa 90 d1 df 03 f2 da ae 88 5b a2 f5 "
798 "d0 5a fd ac 97 47 6f 06 b9 3b 5b c9 4a 1a 80 aa "
799 "91 16 c4 d6 15 f3 33 b0 98 89 2b 25 ff ac e2 66 "
800 "f5 db 5a 5a 3b cc 10 a8 24 ed 55 aa d3 5b 72 78 "
801 "34 fb 8c 07 da 28 fc f4 16 a5 d9 b2 22 4f 1f 8b "
802 "44 2b 36 f9 1e 45 6f de a2 d7 cf e3 36 72 68 de "
803 "03 07 a4 c7 4e 92 41 59 ed 33 39 3d 5e 06 55 53 "
804 "1c 77 32 7b 89 82 1b de df 88 01 61 c7 8c d4 19 "
805 "6b 54 19 f7 ac c3 f1 3e 5e bf 16 1b 6e 7c 67 24 "
806 "71 6c a3 3b 85 c2 e2 56 40 19 2a c2 85 96 51 d5 "
807 "0b de 7e b9 76 e5 1c ec 82 8b 98 b6 56 3b 86 bb ";
808
809 // RSASSA-PSS Signature Example 10.4
810 // Message to be signed:
811 static const char message_10_4[] =
812 "0b 87 77 c7 f8 39 ba f0 a6 4b bb db c5 ce 79 75 "
813 "5c 57 a2 05 b8 45 c1 74 e2 d2 e9 05 46 a0 89 c4 "
814 "e6 ec 8a df fa 23 a7 ea 97 ba e6 b6 5d 78 2b 82 "
815 "db 5d 2b 5a 56 d2 2a 29 a0 5e 7c 44 33 e2 b8 2a "
816 "62 1a bb a9 0a dd 05 ce 39 3f c4 8a 84 05 42 45 "
817 "1a ";
818 // Salt:
819 static const char salt_10_4[] =
820 "c7 cd 69 8d 84 b6 51 28 d8 83 5e 3a 8b 1e b0 e0 "
821 "1c b5 41 ec ";
822 // Signature:
823 static const char signature_10_4[] =
824 "34 04 7f f9 6c 4d c0 dc 90 b2 d4 ff 59 a1 a3 61 "
825 "a4 75 4b 25 5d 2e e0 af 7d 8b f8 7c 9b c9 e7 dd "
826 "ee de 33 93 4c 63 ca 1c 0e 3d 26 2c b1 45 ef 93 "
827 "2a 1f 2c 0a 99 7a a6 a3 4f 8e ae e7 47 7d 82 cc "
828 "f0 90 95 a6 b8 ac ad 38 d4 ee c9 fb 7e ab 7a d0 "
829 "2d a1 d1 1d 8e 54 c1 82 5e 55 bf 58 c2 a2 32 34 "
830 "b9 02 be 12 4f 9e 90 38 a8 f6 8f a4 5d ab 72 f6 "
831 "6e 09 45 bf 1d 8b ac c9 04 4c 6f 07 09 8c 9f ce "
832 "c5 8a 3a ab 10 0c 80 51 78 15 5f 03 0a 12 4c 45 "
833 "0e 5a cb da 47 d0 e4 f1 0b 80 a2 3f 80 3e 77 4d "
834 "02 3b 00 15 c2 0b 9f 9b be 7c 91 29 63 38 d5 ec "
835 "b4 71 ca fb 03 20 07 b6 7a 60 be 5f 69 50 4a 9f "
836 "01 ab b3 cb 46 7b 26 0e 2b ce 86 0b e8 d9 5b f9 "
837 "2c 0c 8e 14 96 ed 1e 52 85 93 a4 ab b6 df 46 2d "
838 "de 8a 09 68 df fe 46 83 11 68 57 a2 32 f5 eb f6 "
839 "c8 5b e2 38 74 5a d0 f3 8f 76 7a 5f db f4 86 fb ";
840
841 // RSASSA-PSS Signature Example 10.5
842 // Message to be signed:
843 static const char message_10_5[] =
844 "f1 03 6e 00 8e 71 e9 64 da dc 92 19 ed 30 e1 7f "
845 "06 b4 b6 8a 95 5c 16 b3 12 b1 ed df 02 8b 74 97 "
846 "6b ed 6b 3f 6a 63 d4 e7 78 59 24 3c 9c cc dc 98 "
847 "01 65 23 ab b0 24 83 b3 55 91 c3 3a ad 81 21 3b "
848 "b7 c7 bb 1a 47 0a ab c1 0d 44 25 6c 4d 45 59 d9 "
849 "16 ";
850 // Salt:
851 static const char salt_10_5[] =
852 "ef a8 bf f9 62 12 b2 f4 a3 f3 71 a1 0d 57 41 52 "
853 "65 5f 5d fb ";
854 // Signature:
855 static const char signature_10_5[] =
856 "7e 09 35 ea 18 f4 d6 c1 d1 7c e8 2e b2 b3 83 6c "
857 "55 b3 84 58 9c e1 9d fe 74 33 63 ac 99 48 d1 f3 "
858 "46 b7 bf dd fe 92 ef d7 8a db 21 fa ef c8 9a de "
859 "42 b1 0f 37 40 03 fe 12 2e 67 42 9a 1c b8 cb d1 "
860 "f8 d9 01 45 64 c4 4d 12 01 16 f4 99 0f 1a 6e 38 "
861 "77 4c 19 4b d1 b8 21 32 86 b0 77 b0 49 9d 2e 7b "
862 "3f 43 4a b1 22 89 c5 56 68 4d ee d7 81 31 93 4b "
863 "b3 dd 65 37 23 6f 7c 6f 3d cb 09 d4 76 be 07 72 "
864 "1e 37 e1 ce ed 9b 2f 7b 40 68 87 bd 53 15 73 05 "
865 "e1 c8 b4 f8 4d 73 3b c1 e1 86 fe 06 cc 59 b6 ed "
866 "b8 f4 bd 7f fe fd f4 f7 ba 9c fb 9d 57 06 89 b5 "
867 "a1 a4 10 9a 74 6a 69 08 93 db 37 99 25 5a 0c b9 "
868 "21 5d 2d 1c d4 90 59 0e 95 2e 8c 87 86 aa 00 11 "
869 "26 52 52 47 0c 04 1d fb c3 ee c7 c3 cb f7 1c 24 "
870 "86 9d 11 5c 0c b4 a9 56 f5 6d 53 0b 80 ab 58 9a "
871 "cf ef c6 90 75 1d df 36 e8 d3 83 f8 3c ed d2 cc ";
872
873 // RSASSA-PSS Signature Example 10.6
874 // Message to be signed:
875 static const char message_10_6[] =
876 "25 f1 08 95 a8 77 16 c1 37 45 0b b9 51 9d fa a1 "
877 "f2 07 fa a9 42 ea 88 ab f7 1e 9c 17 98 00 85 b5 "
878 "55 ae ba b7 62 64 ae 2a 3a b9 3c 2d 12 98 11 91 "
879 "dd ac 6f b5 94 9e b3 6a ee 3c 5d a9 40 f0 07 52 "
880 "c9 16 d9 46 08 fa 7d 97 ba 6a 29 15 b6 88 f2 03 "
881 "23 d4 e9 d9 68 01 d8 9a 72 ab 58 92 dc 21 17 c0 "
882 "74 34 fc f9 72 e0 58 cf 8c 41 ca 4b 4f f5 54 f7 "
883 "d5 06 8a d3 15 5f ce d0 f3 12 5b c0 4f 91 93 37 "
884 "8a 8f 5c 4c 3b 8c b4 dd 6d 1c c6 9d 30 ec ca 6e "
885 "aa 51 e3 6a 05 73 0e 9e 34 2e 85 5b af 09 9d ef "
886 "b8 af d7 ";
887 // Salt:
888 static const char salt_10_6[] =
889 "ad 8b 15 23 70 36 46 22 4b 66 0b 55 08 85 91 7c "
890 "a2 d1 df 28 ";
891 // Signature:
892 static const char signature_10_6[] =
893 "6d 3b 5b 87 f6 7e a6 57 af 21 f7 54 41 97 7d 21 "
894 "80 f9 1b 2c 5f 69 2d e8 29 55 69 6a 68 67 30 d9 "
895 "b9 77 8d 97 07 58 cc b2 60 71 c2 20 9f fb d6 12 "
896 "5b e2 e9 6e a8 1b 67 cb 9b 93 08 23 9f da 17 f7 "
897 "b2 b6 4e cd a0 96 b6 b9 35 64 0a 5a 1c b4 2a 91 "
898 "55 b1 c9 ef 7a 63 3a 02 c5 9f 0d 6e e5 9b 85 2c "
899 "43 b3 50 29 e7 3c 94 0f f0 41 0e 8f 11 4e ed 46 "
900 "bb d0 fa e1 65 e4 2b e2 52 8a 40 1c 3b 28 fd 81 "
901 "8e f3 23 2d ca 9f 4d 2a 0f 51 66 ec 59 c4 23 96 "
902 "d6 c1 1d bc 12 15 a5 6f a1 71 69 db 95 75 34 3e "
903 "f3 4f 9d e3 2a 49 cd c3 17 49 22 f2 29 c2 3e 18 "
904 "e4 5d f9 35 31 19 ec 43 19 ce dc e7 a1 7c 64 08 "
905 "8c 1f 6f 52 be 29 63 41 00 b3 91 9d 38 f3 d1 ed "
906 "94 e6 89 1e 66 a7 3b 8f b8 49 f5 87 4d f5 94 59 "
907 "e2 98 c7 bb ce 2e ee 78 2a 19 5a a6 6f e2 d0 73 "
908 "2b 25 e5 95 f5 7d 3e 06 1b 1f c3 e4 06 3b f9 8f ";
909
910 struct SignatureExample {
911 const char* message;
912 const char* salt;
913 const char* signature;
914 };
915
916 struct PSSTestVector {
917 const char* modulus_n;
918 const char* public_exponent_e;
919 SignatureExample example[6];
920 };
921
922 static const PSSTestVector pss_test[] = {
923 {
924 rsa_modulus_n_1,
925 rsa_public_exponent_e_1,
926 {
927 { message_1_1, salt_1_1, signature_1_1 },
928 { message_1_2, salt_1_2, signature_1_2 },
929 { message_1_3, salt_1_3, signature_1_3 },
930 { message_1_4, salt_1_4, signature_1_4 },
931 { message_1_5, salt_1_5, signature_1_5 },
932 { message_1_6, salt_1_6, signature_1_6 },
933 }
934 },
935 {
936 rsa_modulus_n_9,
937 rsa_public_exponent_e_9,
938 {
939 { message_9_1, salt_9_1, signature_9_1 },
940 { message_9_2, salt_9_2, signature_9_2 },
941 { message_9_3, salt_9_3, signature_9_3 },
942 { message_9_4, salt_9_4, signature_9_4 },
943 { message_9_5, salt_9_5, signature_9_5 },
944 { message_9_6, salt_9_6, signature_9_6 },
945 }
946 },
947 {
948 rsa_modulus_n_10,
949 rsa_public_exponent_e_10,
950 {
951 { message_10_1, salt_10_1, signature_10_1 },
952 { message_10_2, salt_10_2, signature_10_2 },
953 { message_10_3, salt_10_3, signature_10_3 },
954 { message_10_4, salt_10_4, signature_10_4 },
955 { message_10_5, salt_10_5, signature_10_5 },
956 { message_10_6, salt_10_6, signature_10_6 },
957 }
958 },
959 };
960
HexDigitValue(char digit)961 static uint8_t HexDigitValue(char digit) {
962 if ('0' <= digit && digit <= '9')
963 return digit - '0';
964 if ('a' <= digit && digit <= 'f')
965 return digit - 'a' + 10;
966 return digit - 'A' + 10;
967 }
968
DecodeTestInput(const char * in,std::vector<uint8_t> * out)969 static bool DecodeTestInput(const char* in, std::vector<uint8_t>* out) {
970 out->clear();
971 while (in[0] != '\0') {
972 if (!isxdigit(in[0]) || !isxdigit(in[1]) || in[2] != ' ')
973 return false;
974 uint8_t octet = HexDigitValue(in[0]) * 16 + HexDigitValue(in[1]);
975 out->push_back(octet);
976 in += 3;
977 }
978 return true;
979 }
980
981 // PrependASN1Length prepends an ASN.1 serialized length to the beginning of
982 // |out|.
PrependASN1Length(std::vector<uint8_t> * out,size_t len)983 static void PrependASN1Length(std::vector<uint8_t>* out, size_t len) {
984 if (len < 128) {
985 out->insert(out->begin(), static_cast<uint8_t>(len));
986 } else if (len < 256) {
987 out->insert(out->begin(), static_cast<uint8_t>(len));
988 out->insert(out->begin(), 0x81);
989 } else if (len < 0x10000) {
990 out->insert(out->begin(), static_cast<uint8_t>(len));
991 out->insert(out->begin(), static_cast<uint8_t>(len >> 8));
992 out->insert(out->begin(), 0x82);
993 } else {
994 CHECK(false) << "ASN.1 length not handled: " << len;
995 }
996 }
997
EncodeRSAPublicKey(const std::vector<uint8_t> & modulus_n,const std::vector<uint8_t> & public_exponent_e,std::vector<uint8_t> * public_key_info)998 static bool EncodeRSAPublicKey(const std::vector<uint8_t>& modulus_n,
999 const std::vector<uint8_t>& public_exponent_e,
1000 std::vector<uint8_t>* public_key_info) {
1001 // The public key is specified as the following ASN.1 structure:
1002 // SubjectPublicKeyInfo ::= SEQUENCE {
1003 // algorithm AlgorithmIdentifier,
1004 // subjectPublicKey BIT STRING }
1005 //
1006 // The algorithm is specified as the following ASN.1 structure:
1007 // AlgorithmIdentifier ::= SEQUENCE {
1008 // algorithm OBJECT IDENTIFIER,
1009 // parameters ANY DEFINED BY algorithm OPTIONAL }
1010 //
1011 // An RSA public key is specified as the following ASN.1 structure:
1012 // RSAPublicKey ::= SEQUENCE {
1013 // modulus INTEGER, -- n
1014 // publicExponent INTEGER -- e
1015 // }
1016 static const uint8_t kIntegerTag = 0x02;
1017 static const uint8_t kBitStringTag = 0x03;
1018 static const uint8_t kSequenceTag = 0x30;
1019 public_key_info->clear();
1020
1021 // Encode the public exponent e as an INTEGER.
1022 public_key_info->insert(public_key_info->begin(),
1023 public_exponent_e.begin(),
1024 public_exponent_e.end());
1025 PrependASN1Length(public_key_info, public_exponent_e.size());
1026 public_key_info->insert(public_key_info->begin(), kIntegerTag);
1027
1028 // Encode the modulus n as an INTEGER.
1029 public_key_info->insert(public_key_info->begin(),
1030 modulus_n.begin(), modulus_n.end());
1031 size_t modulus_size = modulus_n.size();
1032 if (modulus_n[0] & 0x80) {
1033 public_key_info->insert(public_key_info->begin(), 0x00);
1034 modulus_size++;
1035 }
1036 PrependASN1Length(public_key_info, modulus_size);
1037 public_key_info->insert(public_key_info->begin(), kIntegerTag);
1038
1039 // Encode the RSAPublicKey SEQUENCE.
1040 PrependASN1Length(public_key_info, public_key_info->size());
1041 public_key_info->insert(public_key_info->begin(), kSequenceTag);
1042
1043 // Encode the BIT STRING.
1044 // Number of unused bits.
1045 public_key_info->insert(public_key_info->begin(), 0x00);
1046 PrependASN1Length(public_key_info, public_key_info->size());
1047 public_key_info->insert(public_key_info->begin(), kBitStringTag);
1048
1049 // Encode the AlgorithmIdentifier.
1050 static const uint8_t algorithm[] = {
1051 0x30, 0x0d, // a SEQUENCE of length 13
1052 0x06, 0x09, // an OBJECT IDENTIFIER of length 9
1053 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00,
1054 };
1055 public_key_info->insert(public_key_info->begin(),
1056 algorithm, algorithm + sizeof(algorithm));
1057
1058 // Encode the outermost SEQUENCE.
1059 PrependASN1Length(public_key_info, public_key_info->size());
1060 public_key_info->insert(public_key_info->begin(), kSequenceTag);
1061
1062 return true;
1063 }
1064
TEST(SignatureVerifierTest,VerifyRSAPSS)1065 TEST(SignatureVerifierTest, VerifyRSAPSS) {
1066 for (unsigned int i = 0; i < arraysize(pss_test); i++) {
1067 SCOPED_TRACE(i);
1068 std::vector<uint8_t> modulus_n;
1069 std::vector<uint8_t> public_exponent_e;
1070 ASSERT_TRUE(DecodeTestInput(pss_test[i].modulus_n, &modulus_n));
1071 ASSERT_TRUE(DecodeTestInput(pss_test[i].public_exponent_e,
1072 &public_exponent_e));
1073 std::vector<uint8_t> public_key_info;
1074 ASSERT_TRUE(EncodeRSAPublicKey(modulus_n, public_exponent_e,
1075 &public_key_info));
1076
1077 for (unsigned int j = 0; j < arraysize(pss_test[i].example); j++) {
1078 SCOPED_TRACE(j);
1079 std::vector<uint8_t> message;
1080 std::vector<uint8_t> salt;
1081 std::vector<uint8_t> signature;
1082 ASSERT_TRUE(DecodeTestInput(pss_test[i].example[j].message, &message));
1083 ASSERT_TRUE(DecodeTestInput(pss_test[i].example[j].salt, &salt));
1084 ASSERT_TRUE(DecodeTestInput(pss_test[i].example[j].signature,
1085 &signature));
1086
1087 crypto::SignatureVerifier verifier;
1088 bool ok;
1089
1090 // Positive test.
1091 ok = verifier.VerifyInitRSAPSS(crypto::SignatureVerifier::SHA1,
1092 crypto::SignatureVerifier::SHA1,
1093 salt.size(),
1094 &signature[0], signature.size(),
1095 &public_key_info[0],
1096 public_key_info.size());
1097 ASSERT_TRUE(ok);
1098 verifier.VerifyUpdate(&message[0], message.size());
1099 ok = verifier.VerifyFinal();
1100 EXPECT_TRUE(ok);
1101
1102 // Modify the first byte of the message.
1103 ok = verifier.VerifyInitRSAPSS(crypto::SignatureVerifier::SHA1,
1104 crypto::SignatureVerifier::SHA1,
1105 salt.size(),
1106 &signature[0], signature.size(),
1107 &public_key_info[0],
1108 public_key_info.size());
1109 ASSERT_TRUE(ok);
1110 message[0] += 1;
1111 verifier.VerifyUpdate(&message[0], message.size());
1112 message[0] -= 1;
1113 ok = verifier.VerifyFinal();
1114 EXPECT_FALSE(ok);
1115
1116 // Truncate the message.
1117 ASSERT_FALSE(message.empty());
1118 ok = verifier.VerifyInitRSAPSS(crypto::SignatureVerifier::SHA1,
1119 crypto::SignatureVerifier::SHA1,
1120 salt.size(),
1121 &signature[0], signature.size(),
1122 &public_key_info[0],
1123 public_key_info.size());
1124 ASSERT_TRUE(ok);
1125 verifier.VerifyUpdate(&message[0], message.size() - 1);
1126 ok = verifier.VerifyFinal();
1127 EXPECT_FALSE(ok);
1128
1129 // Corrupt the signature.
1130 signature[0] += 1;
1131 ok = verifier.VerifyInitRSAPSS(crypto::SignatureVerifier::SHA1,
1132 crypto::SignatureVerifier::SHA1,
1133 salt.size(),
1134 &signature[0], signature.size(),
1135 &public_key_info[0],
1136 public_key_info.size());
1137 signature[0] -= 1;
1138 ASSERT_TRUE(ok);
1139 verifier.VerifyUpdate(&message[0], message.size());
1140 ok = verifier.VerifyFinal();
1141 EXPECT_FALSE(ok);
1142 }
1143 }
1144 }
1145