1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "crypto/signature_verifier.h"
6
7 #include <stddef.h>
8 #include <stdint.h>
9
10 #include "base/logging.h"
11 #include "base/macros.h"
12 #include "base/numerics/safe_conversions.h"
13 #include "testing/gtest/include/gtest/gtest.h"
14
TEST(SignatureVerifierTest,BasicTest)15 TEST(SignatureVerifierTest, BasicTest) {
16 // The input data in this test comes from real certificates.
17 //
18 // tbs_certificate ("to-be-signed certificate", the part of a certificate that
19 // is signed), signature, and algorithm come from the certificate of
20 // bugs.webkit.org.
21 //
22 // public_key_info comes from the certificate of the issuer, Go Daddy Secure
23 // Certification Authority.
24 //
25 // The bytes in the array initializers are formatted to expose the DER
26 // encoding of the ASN.1 structures.
27
28 // The data that is signed is the following ASN.1 structure:
29 // TBSCertificate ::= SEQUENCE {
30 // ... -- omitted, not important
31 // }
32 const uint8_t tbs_certificate[1017] = {
33 0x30, 0x82, 0x03, 0xf5, // a SEQUENCE of length 1013 (0x3f5)
34 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x03, 0x43, 0xdd, 0x63, 0x30, 0x0d,
35 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05,
36 0x00, 0x30, 0x81, 0xca, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04,
37 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55,
38 0x04, 0x08, 0x13, 0x07, 0x41, 0x72, 0x69, 0x7a, 0x6f, 0x6e, 0x61, 0x31,
39 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x0a, 0x53, 0x63,
40 0x6f, 0x74, 0x74, 0x73, 0x64, 0x61, 0x6c, 0x65, 0x31, 0x1a, 0x30, 0x18,
41 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x11, 0x47, 0x6f, 0x44, 0x61, 0x64,
42 0x64, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e,
43 0x31, 0x33, 0x30, 0x31, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x2a, 0x68,
44 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66,
45 0x69, 0x63, 0x61, 0x74, 0x65, 0x73, 0x2e, 0x67, 0x6f, 0x64, 0x61, 0x64,
46 0x64, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x72, 0x65, 0x70, 0x6f, 0x73,
47 0x69, 0x74, 0x6f, 0x72, 0x79, 0x31, 0x30, 0x30, 0x2e, 0x06, 0x03, 0x55,
48 0x04, 0x03, 0x13, 0x27, 0x47, 0x6f, 0x20, 0x44, 0x61, 0x64, 0x64, 0x79,
49 0x20, 0x53, 0x65, 0x63, 0x75, 0x72, 0x65, 0x20, 0x43, 0x65, 0x72, 0x74,
50 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x41, 0x75,
51 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x31, 0x11, 0x30, 0x0f, 0x06,
52 0x03, 0x55, 0x04, 0x05, 0x13, 0x08, 0x30, 0x37, 0x39, 0x36, 0x39, 0x32,
53 0x38, 0x37, 0x30, 0x1e, 0x17, 0x0d, 0x30, 0x38, 0x30, 0x33, 0x31, 0x38,
54 0x32, 0x33, 0x33, 0x35, 0x31, 0x39, 0x5a, 0x17, 0x0d, 0x31, 0x31, 0x30,
55 0x33, 0x31, 0x38, 0x32, 0x33, 0x33, 0x35, 0x31, 0x39, 0x5a, 0x30, 0x79,
56 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55,
57 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x0a,
58 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x12,
59 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x09, 0x43, 0x75, 0x70,
60 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03,
61 0x55, 0x04, 0x0a, 0x13, 0x0a, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x49,
62 0x6e, 0x63, 0x2e, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x0b,
63 0x13, 0x0c, 0x4d, 0x61, 0x63, 0x20, 0x4f, 0x53, 0x20, 0x46, 0x6f, 0x72,
64 0x67, 0x65, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13,
65 0x0c, 0x2a, 0x2e, 0x77, 0x65, 0x62, 0x6b, 0x69, 0x74, 0x2e, 0x6f, 0x72,
66 0x67, 0x30, 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
67 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x81, 0x8d, 0x00, 0x30,
68 0x81, 0x89, 0x02, 0x81, 0x81, 0x00, 0xa7, 0x62, 0x79, 0x41, 0xda, 0x28,
69 0xf2, 0xc0, 0x4f, 0xe0, 0x25, 0xaa, 0xa1, 0x2e, 0x3b, 0x30, 0x94, 0xb5,
70 0xc9, 0x26, 0x3a, 0x1b, 0xe2, 0xd0, 0xcc, 0xa2, 0x95, 0xe2, 0x91, 0xc0,
71 0xf0, 0x40, 0x9e, 0x27, 0x6e, 0xbd, 0x6e, 0xde, 0x7c, 0xb6, 0x30, 0x5c,
72 0xb8, 0x9b, 0x01, 0x2f, 0x92, 0x04, 0xa1, 0xef, 0x4a, 0xb1, 0x6c, 0xb1,
73 0x7e, 0x8e, 0xcd, 0xa6, 0xf4, 0x40, 0x73, 0x1f, 0x2c, 0x96, 0xad, 0xff,
74 0x2a, 0x6d, 0x0e, 0xba, 0x52, 0x84, 0x83, 0xb0, 0x39, 0xee, 0xc9, 0x39,
75 0xdc, 0x1e, 0x34, 0xd0, 0xd8, 0x5d, 0x7a, 0x09, 0xac, 0xa9, 0xee, 0xca,
76 0x65, 0xf6, 0x85, 0x3a, 0x6b, 0xee, 0xe4, 0x5c, 0x5e, 0xf8, 0xda, 0xd1,
77 0xce, 0x88, 0x47, 0xcd, 0x06, 0x21, 0xe0, 0xb9, 0x4b, 0xe4, 0x07, 0xcb,
78 0x57, 0xdc, 0xca, 0x99, 0x54, 0xf7, 0x0e, 0xd5, 0x17, 0x95, 0x05, 0x2e,
79 0xe9, 0xb1, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0xce, 0x30,
80 0x82, 0x01, 0xca, 0x30, 0x09, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x02,
81 0x30, 0x00, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03,
82 0x02, 0x05, 0xa0, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x04, 0x16,
83 0x30, 0x14, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01,
84 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x02, 0x30, 0x57,
85 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x50, 0x30, 0x4e, 0x30, 0x4c, 0xa0,
86 0x4a, 0xa0, 0x48, 0x86, 0x46, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f,
87 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x73,
88 0x2e, 0x67, 0x6f, 0x64, 0x61, 0x64, 0x64, 0x79, 0x2e, 0x63, 0x6f, 0x6d,
89 0x2f, 0x72, 0x65, 0x70, 0x6f, 0x73, 0x69, 0x74, 0x6f, 0x72, 0x79, 0x2f,
90 0x67, 0x6f, 0x64, 0x61, 0x64, 0x64, 0x79, 0x65, 0x78, 0x74, 0x65, 0x6e,
91 0x64, 0x65, 0x64, 0x69, 0x73, 0x73, 0x75, 0x69, 0x6e, 0x67, 0x33, 0x2e,
92 0x63, 0x72, 0x6c, 0x30, 0x52, 0x06, 0x03, 0x55, 0x1d, 0x20, 0x04, 0x4b,
93 0x30, 0x49, 0x30, 0x47, 0x06, 0x0b, 0x60, 0x86, 0x48, 0x01, 0x86, 0xfd,
94 0x6d, 0x01, 0x07, 0x17, 0x02, 0x30, 0x38, 0x30, 0x36, 0x06, 0x08, 0x2b,
95 0x06, 0x01, 0x05, 0x05, 0x07, 0x02, 0x01, 0x16, 0x2a, 0x68, 0x74, 0x74,
96 0x70, 0x3a, 0x2f, 0x2f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63,
97 0x61, 0x74, 0x65, 0x73, 0x2e, 0x67, 0x6f, 0x64, 0x61, 0x64, 0x64, 0x79,
98 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x72, 0x65, 0x70, 0x6f, 0x73, 0x69, 0x74,
99 0x6f, 0x72, 0x79, 0x30, 0x7f, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05,
100 0x07, 0x01, 0x01, 0x04, 0x73, 0x30, 0x71, 0x30, 0x23, 0x06, 0x08, 0x2b,
101 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x86, 0x17, 0x68, 0x74, 0x74,
102 0x70, 0x3a, 0x2f, 0x2f, 0x6f, 0x63, 0x73, 0x70, 0x2e, 0x67, 0x6f, 0x64,
103 0x61, 0x64, 0x64, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x4a, 0x06, 0x08,
104 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x02, 0x86, 0x3e, 0x68, 0x74,
105 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69,
106 0x63, 0x61, 0x74, 0x65, 0x73, 0x2e, 0x67, 0x6f, 0x64, 0x61, 0x64, 0x64,
107 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x72, 0x65, 0x70, 0x6f, 0x73, 0x69,
108 0x74, 0x6f, 0x72, 0x79, 0x2f, 0x67, 0x64, 0x5f, 0x69, 0x6e, 0x74, 0x65,
109 0x72, 0x6d, 0x65, 0x64, 0x69, 0x61, 0x74, 0x65, 0x2e, 0x63, 0x72, 0x74,
110 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x48,
111 0xdf, 0x60, 0x32, 0xcc, 0x89, 0x01, 0xb6, 0xdc, 0x2f, 0xe3, 0x73, 0xb5,
112 0x9c, 0x16, 0x58, 0x32, 0x68, 0xa9, 0xc3, 0x30, 0x1f, 0x06, 0x03, 0x55,
113 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0xfd, 0xac, 0x61, 0x32,
114 0x93, 0x6c, 0x45, 0xd6, 0xe2, 0xee, 0x85, 0x5f, 0x9a, 0xba, 0xe7, 0x76,
115 0x99, 0x68, 0xcc, 0xe7, 0x30, 0x23, 0x06, 0x03, 0x55, 0x1d, 0x11, 0x04,
116 0x1c, 0x30, 0x1a, 0x82, 0x0c, 0x2a, 0x2e, 0x77, 0x65, 0x62, 0x6b, 0x69,
117 0x74, 0x2e, 0x6f, 0x72, 0x67, 0x82, 0x0a, 0x77, 0x65, 0x62, 0x6b, 0x69,
118 0x74, 0x2e, 0x6f, 0x72, 0x67};
119
120 // RSA signature, a big integer in the big-endian byte order.
121 const uint8_t signature[256] = {
122 0x1e, 0x6a, 0xe7, 0xe0, 0x4f, 0xe7, 0x4d, 0xd0, 0x69, 0x7c, 0xf8, 0x8f,
123 0x99, 0xb4, 0x18, 0x95, 0x36, 0x24, 0x0f, 0x0e, 0xa3, 0xea, 0x34, 0x37,
124 0xf4, 0x7d, 0xd5, 0x92, 0x35, 0x53, 0x72, 0x76, 0x3f, 0x69, 0xf0, 0x82,
125 0x56, 0xe3, 0x94, 0x7a, 0x1d, 0x1a, 0x81, 0xaf, 0x9f, 0xc7, 0x43, 0x01,
126 0x64, 0xd3, 0x7c, 0x0d, 0xc8, 0x11, 0x4e, 0x4a, 0xe6, 0x1a, 0xc3, 0x01,
127 0x74, 0xe8, 0x35, 0x87, 0x5c, 0x61, 0xaa, 0x8a, 0x46, 0x06, 0xbe, 0x98,
128 0x95, 0x24, 0x9e, 0x01, 0xe3, 0xe6, 0xa0, 0x98, 0xee, 0x36, 0x44, 0x56,
129 0x8d, 0x23, 0x9c, 0x65, 0xea, 0x55, 0x6a, 0xdf, 0x66, 0xee, 0x45, 0xe8,
130 0xa0, 0xe9, 0x7d, 0x9a, 0xba, 0x94, 0xc5, 0xc8, 0xc4, 0x4b, 0x98, 0xff,
131 0x9a, 0x01, 0x31, 0x6d, 0xf9, 0x2b, 0x58, 0xe7, 0xe7, 0x2a, 0xc5, 0x4d,
132 0xbb, 0xbb, 0xcd, 0x0d, 0x70, 0xe1, 0xad, 0x03, 0xf5, 0xfe, 0xf4, 0x84,
133 0x71, 0x08, 0xd2, 0xbc, 0x04, 0x7b, 0x26, 0x1c, 0xa8, 0x0f, 0x9c, 0xd8,
134 0x12, 0x6a, 0x6f, 0x2b, 0x67, 0xa1, 0x03, 0x80, 0x9a, 0x11, 0x0b, 0xe9,
135 0xe0, 0xb5, 0xb3, 0xb8, 0x19, 0x4e, 0x0c, 0xa4, 0xd9, 0x2b, 0x3b, 0xc2,
136 0xca, 0x20, 0xd3, 0x0c, 0xa4, 0xff, 0x93, 0x13, 0x1f, 0xfc, 0xba, 0x94,
137 0x93, 0x8c, 0x64, 0x15, 0x2e, 0x28, 0xa9, 0x55, 0x8c, 0x2c, 0x48, 0xd3,
138 0xd3, 0xc1, 0x50, 0x69, 0x19, 0xe8, 0x34, 0xd3, 0xf1, 0x04, 0x9f, 0x0a,
139 0x7a, 0x21, 0x87, 0xbf, 0xb9, 0x59, 0x37, 0x2e, 0xf4, 0x71, 0xa5, 0x3e,
140 0xbe, 0xcd, 0x70, 0x83, 0x18, 0xf8, 0x8a, 0x72, 0x85, 0x45, 0x1f, 0x08,
141 0x01, 0x6f, 0x37, 0xf5, 0x2b, 0x7b, 0xea, 0xb9, 0x8b, 0xa3, 0xcc, 0xfd,
142 0x35, 0x52, 0xdd, 0x66, 0xde, 0x4f, 0x30, 0xc5, 0x73, 0x81, 0xb6, 0xe8,
143 0x3c, 0xd8, 0x48, 0x8a};
144
145 // The public key is specified as the following ASN.1 structure:
146 // SubjectPublicKeyInfo ::= SEQUENCE {
147 // algorithm AlgorithmIdentifier,
148 // subjectPublicKey BIT STRING }
149 const uint8_t public_key_info[294] = {
150 0x30, 0x82, 0x01, 0x22, // a SEQUENCE of length 290 (0x122)
151 // algorithm
152 0x30, 0x0d, // a SEQUENCE of length 13
153 0x06, 0x09, // an OBJECT IDENTIFIER of length 9
154 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05,
155 0x00, // a NULL of length 0
156 // subjectPublicKey
157 0x03, 0x82, 0x01, 0x0f, // a BIT STRING of length 271 (0x10f)
158 0x00, // number of unused bits
159 0x30, 0x82, 0x01, 0x0a, // a SEQUENCE of length 266 (0x10a)
160 // modulus
161 0x02, 0x82, 0x01, 0x01, // an INTEGER of length 257 (0x101)
162 0x00, 0xc4, 0x2d, 0xd5, 0x15, 0x8c, 0x9c, 0x26, 0x4c, 0xec, 0x32, 0x35,
163 0xeb, 0x5f, 0xb8, 0x59, 0x01, 0x5a, 0xa6, 0x61, 0x81, 0x59, 0x3b, 0x70,
164 0x63, 0xab, 0xe3, 0xdc, 0x3d, 0xc7, 0x2a, 0xb8, 0xc9, 0x33, 0xd3, 0x79,
165 0xe4, 0x3a, 0xed, 0x3c, 0x30, 0x23, 0x84, 0x8e, 0xb3, 0x30, 0x14, 0xb6,
166 0xb2, 0x87, 0xc3, 0x3d, 0x95, 0x54, 0x04, 0x9e, 0xdf, 0x99, 0xdd, 0x0b,
167 0x25, 0x1e, 0x21, 0xde, 0x65, 0x29, 0x7e, 0x35, 0xa8, 0xa9, 0x54, 0xeb,
168 0xf6, 0xf7, 0x32, 0x39, 0xd4, 0x26, 0x55, 0x95, 0xad, 0xef, 0xfb, 0xfe,
169 0x58, 0x86, 0xd7, 0x9e, 0xf4, 0x00, 0x8d, 0x8c, 0x2a, 0x0c, 0xbd, 0x42,
170 0x04, 0xce, 0xa7, 0x3f, 0x04, 0xf6, 0xee, 0x80, 0xf2, 0xaa, 0xef, 0x52,
171 0xa1, 0x69, 0x66, 0xda, 0xbe, 0x1a, 0xad, 0x5d, 0xda, 0x2c, 0x66, 0xea,
172 0x1a, 0x6b, 0xbb, 0xe5, 0x1a, 0x51, 0x4a, 0x00, 0x2f, 0x48, 0xc7, 0x98,
173 0x75, 0xd8, 0xb9, 0x29, 0xc8, 0xee, 0xf8, 0x66, 0x6d, 0x0a, 0x9c, 0xb3,
174 0xf3, 0xfc, 0x78, 0x7c, 0xa2, 0xf8, 0xa3, 0xf2, 0xb5, 0xc3, 0xf3, 0xb9,
175 0x7a, 0x91, 0xc1, 0xa7, 0xe6, 0x25, 0x2e, 0x9c, 0xa8, 0xed, 0x12, 0x65,
176 0x6e, 0x6a, 0xf6, 0x12, 0x44, 0x53, 0x70, 0x30, 0x95, 0xc3, 0x9c, 0x2b,
177 0x58, 0x2b, 0x3d, 0x08, 0x74, 0x4a, 0xf2, 0xbe, 0x51, 0xb0, 0xbf, 0x87,
178 0xd0, 0x4c, 0x27, 0x58, 0x6b, 0xb5, 0x35, 0xc5, 0x9d, 0xaf, 0x17, 0x31,
179 0xf8, 0x0b, 0x8f, 0xee, 0xad, 0x81, 0x36, 0x05, 0x89, 0x08, 0x98, 0xcf,
180 0x3a, 0xaf, 0x25, 0x87, 0xc0, 0x49, 0xea, 0xa7, 0xfd, 0x67, 0xf7, 0x45,
181 0x8e, 0x97, 0xcc, 0x14, 0x39, 0xe2, 0x36, 0x85, 0xb5, 0x7e, 0x1a, 0x37,
182 0xfd, 0x16, 0xf6, 0x71, 0x11, 0x9a, 0x74, 0x30, 0x16, 0xfe, 0x13, 0x94,
183 0xa3, 0x3f, 0x84, 0x0d, 0x4f,
184 // public exponent
185 0x02, 0x03, // an INTEGER of length 3
186 0x01, 0x00, 0x01};
187
188 // We use the signature verifier to perform four signature verification
189 // tests.
190 crypto::SignatureVerifier verifier;
191 bool ok;
192
193 // Test 1: feed all of the data to the verifier at once (a single
194 // VerifyUpdate call).
195 ok = verifier.VerifyInit(crypto::SignatureVerifier::RSA_PKCS1_SHA1, signature,
196 sizeof(signature), public_key_info,
197 sizeof(public_key_info));
198 EXPECT_TRUE(ok);
199 verifier.VerifyUpdate(tbs_certificate, sizeof(tbs_certificate));
200 ok = verifier.VerifyFinal();
201 EXPECT_TRUE(ok);
202
203 // Test 2: feed the data to the verifier in three parts (three VerifyUpdate
204 // calls).
205 ok = verifier.VerifyInit(crypto::SignatureVerifier::RSA_PKCS1_SHA1, signature,
206 sizeof(signature), public_key_info,
207 sizeof(public_key_info));
208 EXPECT_TRUE(ok);
209 verifier.VerifyUpdate(tbs_certificate, 256);
210 verifier.VerifyUpdate(tbs_certificate + 256, 256);
211 verifier.VerifyUpdate(tbs_certificate + 512, sizeof(tbs_certificate) - 512);
212 ok = verifier.VerifyFinal();
213 EXPECT_TRUE(ok);
214
215 // Test 3: verify the signature with incorrect data.
216 uint8_t bad_tbs_certificate[sizeof(tbs_certificate)];
217 memcpy(bad_tbs_certificate, tbs_certificate, sizeof(tbs_certificate));
218 bad_tbs_certificate[10] += 1; // Corrupt one byte of the data.
219 ok = verifier.VerifyInit(crypto::SignatureVerifier::RSA_PKCS1_SHA1, signature,
220 sizeof(signature), public_key_info,
221 sizeof(public_key_info));
222 EXPECT_TRUE(ok);
223 verifier.VerifyUpdate(bad_tbs_certificate, sizeof(bad_tbs_certificate));
224 ok = verifier.VerifyFinal();
225 EXPECT_FALSE(ok);
226
227 // Test 4: verify a bad signature.
228 uint8_t bad_signature[sizeof(signature)];
229 memcpy(bad_signature, signature, sizeof(signature));
230 bad_signature[10] += 1; // Corrupt one byte of the signature.
231 ok = verifier.VerifyInit(crypto::SignatureVerifier::RSA_PKCS1_SHA1,
232 bad_signature, sizeof(bad_signature),
233 public_key_info, sizeof(public_key_info));
234
235 // A crypto library (e.g., NSS) may detect that the signature is corrupted
236 // and cause VerifyInit to return false, so it is fine for 'ok' to be false.
237 if (ok) {
238 verifier.VerifyUpdate(tbs_certificate, sizeof(tbs_certificate));
239 ok = verifier.VerifyFinal();
240 EXPECT_FALSE(ok);
241 }
242
243 // Test 5: import an invalid key.
244 uint8_t bad_public_key_info[sizeof(public_key_info)];
245 memcpy(bad_public_key_info, public_key_info, sizeof(public_key_info));
246 bad_public_key_info[0] += 1; // Corrupt part of the SPKI syntax.
247 ok = verifier.VerifyInit(crypto::SignatureVerifier::RSA_PKCS1_SHA1, signature,
248 sizeof(signature), bad_public_key_info,
249 sizeof(bad_public_key_info));
250 EXPECT_FALSE(ok);
251
252 // Test 6: import a key with extra data.
253 uint8_t long_public_key_info[sizeof(public_key_info) + 5];
254 memset(long_public_key_info, 0, sizeof(long_public_key_info));
255 memcpy(long_public_key_info, public_key_info, sizeof(public_key_info));
256 ok = verifier.VerifyInit(crypto::SignatureVerifier::RSA_PKCS1_SHA1, signature,
257 sizeof(signature), long_public_key_info,
258 sizeof(long_public_key_info));
259 EXPECT_FALSE(ok);
260 }
261
262 //////////////////////////////////////////////////////////////////////
263 //
264 // RSA-PSS signature verification known answer test
265 //
266 //////////////////////////////////////////////////////////////////////
267
268 // The following RSA-PSS signature test vectors come from the pss-vect.txt
269 // file downloaded from
270 // ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip.
271 //
272 // For each key, 6 random messages of length between 1 and 256 octets have
273 // been RSASSA-PSS signed.
274 //
275 // Hash function: SHA-1
276 // Mask generation function: MGF1 with SHA-1
277 // Salt length: 20 octets
278
279 // Example 1: A 1024-bit RSA Key Pair"
280
281 // RSA modulus n:
282 static const char rsa_modulus_n_1[] =
283 "a5 6e 4a 0e 70 10 17 58 9a 51 87 dc 7e a8 41 d1 "
284 "56 f2 ec 0e 36 ad 52 a4 4d fe b1 e6 1f 7a d9 91 "
285 "d8 c5 10 56 ff ed b1 62 b4 c0 f2 83 a1 2a 88 a3 "
286 "94 df f5 26 ab 72 91 cb b3 07 ce ab fc e0 b1 df "
287 "d5 cd 95 08 09 6d 5b 2b 8b 6d f5 d6 71 ef 63 77 "
288 "c0 92 1c b2 3c 27 0a 70 e2 59 8e 6f f8 9d 19 f1 "
289 "05 ac c2 d3 f0 cb 35 f2 92 80 e1 38 6b 6f 64 c4 "
290 "ef 22 e1 e1 f2 0d 0c e8 cf fb 22 49 bd 9a 21 37 ";
291 // RSA public exponent e: "
292 static const char rsa_public_exponent_e_1[] =
293 "01 00 01 ";
294
295 // RSASSA-PSS Signature Example 1.1
296 // Message to be signed:
297 static const char message_1_1[] =
298 "cd c8 7d a2 23 d7 86 df 3b 45 e0 bb bc 72 13 26 "
299 "d1 ee 2a f8 06 cc 31 54 75 cc 6f 0d 9c 66 e1 b6 "
300 "23 71 d4 5c e2 39 2e 1a c9 28 44 c3 10 10 2f 15 "
301 "6a 0d 8d 52 c1 f4 c4 0b a3 aa 65 09 57 86 cb 76 "
302 "97 57 a6 56 3b a9 58 fe d0 bc c9 84 e8 b5 17 a3 "
303 "d5 f5 15 b2 3b 8a 41 e7 4a a8 67 69 3f 90 df b0 "
304 "61 a6 e8 6d fa ae e6 44 72 c0 0e 5f 20 94 57 29 "
305 "cb eb e7 7f 06 ce 78 e0 8f 40 98 fb a4 1f 9d 61 "
306 "93 c0 31 7e 8b 60 d4 b6 08 4a cb 42 d2 9e 38 08 "
307 "a3 bc 37 2d 85 e3 31 17 0f cb f7 cc 72 d0 b7 1c "
308 "29 66 48 b3 a4 d1 0f 41 62 95 d0 80 7a a6 25 ca "
309 "b2 74 4f d9 ea 8f d2 23 c4 25 37 02 98 28 bd 16 "
310 "be 02 54 6f 13 0f d2 e3 3b 93 6d 26 76 e0 8a ed "
311 "1b 73 31 8b 75 0a 01 67 d0 ";
312 // Salt:
313 static const char salt_1_1[] =
314 "de e9 59 c7 e0 64 11 36 14 20 ff 80 18 5e d5 7f "
315 "3e 67 76 af ";
316 // Signature:
317 static const char signature_1_1[] =
318 "90 74 30 8f b5 98 e9 70 1b 22 94 38 8e 52 f9 71 "
319 "fa ac 2b 60 a5 14 5a f1 85 df 52 87 b5 ed 28 87 "
320 "e5 7c e7 fd 44 dc 86 34 e4 07 c8 e0 e4 36 0b c2 "
321 "26 f3 ec 22 7f 9d 9e 54 63 8e 8d 31 f5 05 12 15 "
322 "df 6e bb 9c 2f 95 79 aa 77 59 8a 38 f9 14 b5 b9 "
323 "c1 bd 83 c4 e2 f9 f3 82 a0 d0 aa 35 42 ff ee 65 "
324 "98 4a 60 1b c6 9e b2 8d eb 27 dc a1 2c 82 c2 d4 "
325 "c3 f6 6c d5 00 f1 ff 2b 99 4d 8a 4e 30 cb b3 3c ";
326
327 // RSASSA-PSS Signature Example 1.2
328 // Message to be signed:
329 static const char message_1_2[] =
330 "85 13 84 cd fe 81 9c 22 ed 6c 4c cb 30 da eb 5c "
331 "f0 59 bc 8e 11 66 b7 e3 53 0c 4c 23 3e 2b 5f 8f "
332 "71 a1 cc a5 82 d4 3e cc 72 b1 bc a1 6d fc 70 13 "
333 "22 6b 9e ";
334 // Salt:
335 static const char salt_1_2[] =
336 "ef 28 69 fa 40 c3 46 cb 18 3d ab 3d 7b ff c9 8f "
337 "d5 6d f4 2d ";
338 // Signature:
339 static const char signature_1_2[] =
340 "3e f7 f4 6e 83 1b f9 2b 32 27 41 42 a5 85 ff ce "
341 "fb dc a7 b3 2a e9 0d 10 fb 0f 0c 72 99 84 f0 4e "
342 "f2 9a 9d f0 78 07 75 ce 43 73 9b 97 83 83 90 db "
343 "0a 55 05 e6 3d e9 27 02 8d 9d 29 b2 19 ca 2c 45 "
344 "17 83 25 58 a5 5d 69 4a 6d 25 b9 da b6 60 03 c4 "
345 "cc cd 90 78 02 19 3b e5 17 0d 26 14 7d 37 b9 35 "
346 "90 24 1b e5 1c 25 05 5f 47 ef 62 75 2c fb e2 14 "
347 "18 fa fe 98 c2 2c 4d 4d 47 72 4f db 56 69 e8 43 ";
348
349 // RSASSA-PSS Signature Example 1.3
350 // Message to be signed:
351 static const char message_1_3[] =
352 "a4 b1 59 94 17 61 c4 0c 6a 82 f2 b8 0d 1b 94 f5 "
353 "aa 26 54 fd 17 e1 2d 58 88 64 67 9b 54 cd 04 ef "
354 "8b d0 30 12 be 8d c3 7f 4b 83 af 79 63 fa ff 0d "
355 "fa 22 54 77 43 7c 48 01 7f f2 be 81 91 cf 39 55 "
356 "fc 07 35 6e ab 3f 32 2f 7f 62 0e 21 d2 54 e5 db "
357 "43 24 27 9f e0 67 e0 91 0e 2e 81 ca 2c ab 31 c7 "
358 "45 e6 7a 54 05 8e b5 0d 99 3c db 9e d0 b4 d0 29 "
359 "c0 6d 21 a9 4c a6 61 c3 ce 27 fa e1 d6 cb 20 f4 "
360 "56 4d 66 ce 47 67 58 3d 0e 5f 06 02 15 b5 90 17 "
361 "be 85 ea 84 89 39 12 7b d8 c9 c4 d4 7b 51 05 6c "
362 "03 1c f3 36 f1 7c 99 80 f3 b8 f5 b9 b6 87 8e 8b "
363 "79 7a a4 3b 88 26 84 33 3e 17 89 3f e9 ca a6 aa "
364 "29 9f 7e d1 a1 8e e2 c5 48 64 b7 b2 b9 9b 72 61 "
365 "8f b0 25 74 d1 39 ef 50 f0 19 c9 ee f4 16 97 13 "
366 "38 e7 d4 70 ";
367 // Salt:
368 static const char salt_1_3[] =
369 "71 0b 9c 47 47 d8 00 d4 de 87 f1 2a fd ce 6d f1 "
370 "81 07 cc 77 ";
371 // Signature:
372 static const char signature_1_3[] =
373 "66 60 26 fb a7 1b d3 e7 cf 13 15 7c c2 c5 1a 8e "
374 "4a a6 84 af 97 78 f9 18 49 f3 43 35 d1 41 c0 01 "
375 "54 c4 19 76 21 f9 62 4a 67 5b 5a bc 22 ee 7d 5b "
376 "aa ff aa e1 c9 ba ca 2c c3 73 b3 f3 3e 78 e6 14 "
377 "3c 39 5a 91 aa 7f ac a6 64 eb 73 3a fd 14 d8 82 "
378 "72 59 d9 9a 75 50 fa ca 50 1e f2 b0 4e 33 c2 3a "
379 "a5 1f 4b 9e 82 82 ef db 72 8c c0 ab 09 40 5a 91 "
380 "60 7c 63 69 96 1b c8 27 0d 2d 4f 39 fc e6 12 b1 ";
381
382 // RSASSA-PSS Signature Example 1.4
383 // Message to be signed:
384 static const char message_1_4[] =
385 "bc 65 67 47 fa 9e af b3 f0 ";
386 // Salt:
387 static const char salt_1_4[] =
388 "05 6f 00 98 5d e1 4d 8e f5 ce a9 e8 2f 8c 27 be "
389 "f7 20 33 5e ";
390 // Signature:
391 static const char signature_1_4[] =
392 "46 09 79 3b 23 e9 d0 93 62 dc 21 bb 47 da 0b 4f "
393 "3a 76 22 64 9a 47 d4 64 01 9b 9a ea fe 53 35 9c "
394 "17 8c 91 cd 58 ba 6b cb 78 be 03 46 a7 bc 63 7f "
395 "4b 87 3d 4b ab 38 ee 66 1f 19 96 34 c5 47 a1 ad "
396 "84 42 e0 3d a0 15 b1 36 e5 43 f7 ab 07 c0 c1 3e "
397 "42 25 b8 de 8c ce 25 d4 f6 eb 84 00 f8 1f 7e 18 "
398 "33 b7 ee 6e 33 4d 37 09 64 ca 79 fd b8 72 b4 d7 "
399 "52 23 b5 ee b0 81 01 59 1f b5 32 d1 55 a6 de 87 ";
400
401 // RSASSA-PSS Signature Example 1.5
402 // Message to be signed:
403 static const char message_1_5[] =
404 "b4 55 81 54 7e 54 27 77 0c 76 8e 8b 82 b7 55 64 "
405 "e0 ea 4e 9c 32 59 4d 6b ff 70 65 44 de 0a 87 76 "
406 "c7 a8 0b 45 76 55 0e ee 1b 2a ca bc 7e 8b 7d 3e "
407 "f7 bb 5b 03 e4 62 c1 10 47 ea dd 00 62 9a e5 75 "
408 "48 0a c1 47 0f e0 46 f1 3a 2b f5 af 17 92 1d c4 "
409 "b0 aa 8b 02 be e6 33 49 11 65 1d 7f 85 25 d1 0f "
410 "32 b5 1d 33 be 52 0d 3d df 5a 70 99 55 a3 df e7 "
411 "82 83 b9 e0 ab 54 04 6d 15 0c 17 7f 03 7f dc cc "
412 "5b e4 ea 5f 68 b5 e5 a3 8c 9d 7e dc cc c4 97 5f "
413 "45 5a 69 09 b4 ";
414 // Salt:
415 static const char salt_1_5[] =
416 "80 e7 0f f8 6a 08 de 3e c6 09 72 b3 9b 4f bf dc "
417 "ea 67 ae 8e ";
418 // Signature:
419 static const char signature_1_5[] =
420 "1d 2a ad 22 1c a4 d3 1d df 13 50 92 39 01 93 98 "
421 "e3 d1 4b 32 dc 34 dc 5a f4 ae ae a3 c0 95 af 73 "
422 "47 9c f0 a4 5e 56 29 63 5a 53 a0 18 37 76 15 b1 "
423 "6c b9 b1 3b 3e 09 d6 71 eb 71 e3 87 b8 54 5c 59 "
424 "60 da 5a 64 77 6e 76 8e 82 b2 c9 35 83 bf 10 4c "
425 "3f db 23 51 2b 7b 4e 89 f6 33 dd 00 63 a5 30 db "
426 "45 24 b0 1c 3f 38 4c 09 31 0e 31 5a 79 dc d3 d6 "
427 "84 02 2a 7f 31 c8 65 a6 64 e3 16 97 8b 75 9f ad ";
428
429 // RSASSA-PSS Signature Example 1.6
430 // Message to be signed:
431 static const char message_1_6[] =
432 "10 aa e9 a0 ab 0b 59 5d 08 41 20 7b 70 0d 48 d7 "
433 "5f ae dd e3 b7 75 cd 6b 4c c8 8a e0 6e 46 94 ec "
434 "74 ba 18 f8 52 0d 4f 5e a6 9c bb e7 cc 2b eb a4 "
435 "3e fd c1 02 15 ac 4e b3 2d c3 02 a1 f5 3d c6 c4 "
436 "35 22 67 e7 93 6c fe bf 7c 8d 67 03 57 84 a3 90 "
437 "9f a8 59 c7 b7 b5 9b 8e 39 c5 c2 34 9f 18 86 b7 "
438 "05 a3 02 67 d4 02 f7 48 6a b4 f5 8c ad 5d 69 ad "
439 "b1 7a b8 cd 0c e1 ca f5 02 5a f4 ae 24 b1 fb 87 "
440 "94 c6 07 0c c0 9a 51 e2 f9 91 13 11 e3 87 7d 00 "
441 "44 c7 1c 57 a9 93 39 50 08 80 6b 72 3a c3 83 73 "
442 "d3 95 48 18 18 52 8c 1e 70 53 73 92 82 05 35 29 "
443 "51 0e 93 5c d0 fa 77 b8 fa 53 cc 2d 47 4b d4 fb "
444 "3c c5 c6 72 d6 ff dc 90 a0 0f 98 48 71 2c 4b cf "
445 "e4 6c 60 57 36 59 b1 1e 64 57 e8 61 f0 f6 04 b6 "
446 "13 8d 14 4f 8c e4 e2 da 73 ";
447 // Salt:
448 static const char salt_1_6[] =
449 "a8 ab 69 dd 80 1f 00 74 c2 a1 fc 60 64 98 36 c6 "
450 "16 d9 96 81 ";
451 // Signature:
452 static const char signature_1_6[] =
453 "2a 34 f6 12 5e 1f 6b 0b f9 71 e8 4f bd 41 c6 32 "
454 "be 8f 2c 2a ce 7d e8 b6 92 6e 31 ff 93 e9 af 98 "
455 "7f bc 06 e5 1e 9b e1 4f 51 98 f9 1f 3f 95 3b d6 "
456 "7d a6 0a 9d f5 97 64 c3 dc 0f e0 8e 1c be f0 b7 "
457 "5f 86 8d 10 ad 3f ba 74 9f ef 59 fb 6d ac 46 a0 "
458 "d6 e5 04 36 93 31 58 6f 58 e4 62 8f 39 aa 27 89 "
459 "82 54 3b c0 ee b5 37 dc 61 95 80 19 b3 94 fb 27 "
460 "3f 21 58 58 a0 a0 1a c4 d6 50 b9 55 c6 7f 4c 58 ";
461
462 // Example 9: A 1536-bit RSA Key Pair
463
464 // RSA modulus n:
465 static const char rsa_modulus_n_9[] =
466 "e6 bd 69 2a c9 66 45 79 04 03 fd d0 f5 be b8 b9 "
467 "bf 92 ed 10 00 7f c3 65 04 64 19 dd 06 c0 5c 5b "
468 "5b 2f 48 ec f9 89 e4 ce 26 91 09 97 9c bb 40 b4 "
469 "a0 ad 24 d2 24 83 d1 ee 31 5a d4 cc b1 53 42 68 "
470 "35 26 91 c5 24 f6 dd 8e 6c 29 d2 24 cf 24 69 73 "
471 "ae c8 6c 5b f6 b1 40 1a 85 0d 1b 9a d1 bb 8c bc "
472 "ec 47 b0 6f 0f 8c 7f 45 d3 fc 8f 31 92 99 c5 43 "
473 "3d db c2 b3 05 3b 47 de d2 ec d4 a4 ca ef d6 14 "
474 "83 3d c8 bb 62 2f 31 7e d0 76 b8 05 7f e8 de 3f "
475 "84 48 0a d5 e8 3e 4a 61 90 4a 4f 24 8f b3 97 02 "
476 "73 57 e1 d3 0e 46 31 39 81 5c 6f d4 fd 5a c5 b8 "
477 "17 2a 45 23 0e cb 63 18 a0 4f 14 55 d8 4e 5a 8b ";
478 // RSA public exponent e:
479 static const char rsa_public_exponent_e_9[] =
480 "01 00 01 ";
481
482 // RSASSA-PSS Signature Example 9.1
483 // Message to be signed:
484 static const char message_9_1[] =
485 "a8 8e 26 58 55 e9 d7 ca 36 c6 87 95 f0 b3 1b 59 "
486 "1c d6 58 7c 71 d0 60 a0 b3 f7 f3 ea ef 43 79 59 "
487 "22 02 8b c2 b6 ad 46 7c fc 2d 7f 65 9c 53 85 aa "
488 "70 ba 36 72 cd de 4c fe 49 70 cc 79 04 60 1b 27 "
489 "88 72 bf 51 32 1c 4a 97 2f 3c 95 57 0f 34 45 d4 "
490 "f5 79 80 e0 f2 0d f5 48 46 e6 a5 2c 66 8f 12 88 "
491 "c0 3f 95 00 6e a3 2f 56 2d 40 d5 2a f9 fe b3 2f "
492 "0f a0 6d b6 5b 58 8a 23 7b 34 e5 92 d5 5c f9 79 "
493 "f9 03 a6 42 ef 64 d2 ed 54 2a a8 c7 7d c1 dd 76 "
494 "2f 45 a5 93 03 ed 75 e5 41 ca 27 1e 2b 60 ca 70 "
495 "9e 44 fa 06 61 13 1e 8d 5d 41 63 fd 8d 39 85 66 "
496 "ce 26 de 87 30 e7 2f 9c ca 73 76 41 c2 44 15 94 "
497 "20 63 70 28 df 0a 18 07 9d 62 08 ea 8b 47 11 a2 "
498 "c7 50 f5 ";
499 // Salt:
500 static const char salt_9_1[] =
501 "c0 a4 25 31 3d f8 d7 56 4b d2 43 4d 31 15 23 d5 "
502 "25 7e ed 80 ";
503 // Signature:
504 static const char signature_9_1[] =
505 "58 61 07 22 6c 3c e0 13 a7 c8 f0 4d 1a 6a 29 59 "
506 "bb 4b 8e 20 5b a4 3a 27 b5 0f 12 41 11 bc 35 ef "
507 "58 9b 03 9f 59 32 18 7c b6 96 d7 d9 a3 2c 0c 38 "
508 "30 0a 5c dd a4 83 4b 62 d2 eb 24 0a f3 3f 79 d1 "
509 "3d fb f0 95 bf 59 9e 0d 96 86 94 8c 19 64 74 7b "
510 "67 e8 9c 9a ba 5c d8 50 16 23 6f 56 6c c5 80 2c "
511 "b1 3e ad 51 bc 7c a6 be f3 b9 4d cb db b1 d5 70 "
512 "46 97 71 df 0e 00 b1 a8 a0 67 77 47 2d 23 16 27 "
513 "9e da e8 64 74 66 8d 4e 1e ff f9 5f 1d e6 1c 60 "
514 "20 da 32 ae 92 bb f1 65 20 fe f3 cf 4d 88 f6 11 "
515 "21 f2 4b bd 9f e9 1b 59 ca f1 23 5b 2a 93 ff 81 "
516 "fc 40 3a dd f4 eb de a8 49 34 a9 cd af 8e 1a 9e ";
517
518 // RSASSA-PSS Signature Example 9.2
519 // Message to be signed:
520 static const char message_9_2[] =
521 "c8 c9 c6 af 04 ac da 41 4d 22 7e f2 3e 08 20 c3 "
522 "73 2c 50 0d c8 72 75 e9 5b 0d 09 54 13 99 3c 26 "
523 "58 bc 1d 98 85 81 ba 87 9c 2d 20 1f 14 cb 88 ce "
524 "d1 53 a0 19 69 a7 bf 0a 7b e7 9c 84 c1 48 6b c1 "
525 "2b 3f a6 c5 98 71 b6 82 7c 8c e2 53 ca 5f ef a8 "
526 "a8 c6 90 bf 32 6e 8e 37 cd b9 6d 90 a8 2e ba b6 "
527 "9f 86 35 0e 18 22 e8 bd 53 6a 2e ";
528 // Salt:
529 static const char salt_9_2[] =
530 "b3 07 c4 3b 48 50 a8 da c2 f1 5f 32 e3 78 39 ef "
531 "8c 5c 0e 91 ";
532 // Signature:
533 static const char signature_9_2[] =
534 "80 b6 d6 43 25 52 09 f0 a4 56 76 38 97 ac 9e d2 "
535 "59 d4 59 b4 9c 28 87 e5 88 2e cb 44 34 cf d6 6d "
536 "d7 e1 69 93 75 38 1e 51 cd 7f 55 4f 2c 27 17 04 "
537 "b3 99 d4 2b 4b e2 54 0a 0e ca 61 95 1f 55 26 7f "
538 "7c 28 78 c1 22 84 2d ad b2 8b 01 bd 5f 8c 02 5f "
539 "7e 22 84 18 a6 73 c0 3d 6b c0 c7 36 d0 a2 95 46 "
540 "bd 67 f7 86 d9 d6 92 cc ea 77 8d 71 d9 8c 20 63 "
541 "b7 a7 10 92 18 7a 4d 35 af 10 81 11 d8 3e 83 ea "
542 "e4 6c 46 aa 34 27 7e 06 04 45 89 90 37 88 f1 d5 "
543 "e7 ce e2 5f b4 85 e9 29 49 11 88 14 d6 f2 c3 ee "
544 "36 14 89 01 6f 32 7f b5 bc 51 7e b5 04 70 bf fa "
545 "1a fa 5f 4c e9 aa 0c e5 b8 ee 19 bf 55 01 b9 58 ";
546
547 // RSASSA-PSS Signature Example 9.3
548 // Message to be signed:
549 static const char message_9_3[] =
550 "0a fa d4 2c cd 4f c6 06 54 a5 50 02 d2 28 f5 2a "
551 "4a 5f e0 3b 8b bb 08 ca 82 da ca 55 8b 44 db e1 "
552 "26 6e 50 c0 e7 45 a3 6d 9d 29 04 e3 40 8a bc d1 "
553 "fd 56 99 94 06 3f 4a 75 cc 72 f2 fe e2 a0 cd 89 "
554 "3a 43 af 1c 5b 8b 48 7d f0 a7 16 10 02 4e 4f 6d "
555 "df 9f 28 ad 08 13 c1 aa b9 1b cb 3c 90 64 d5 ff "
556 "74 2d ef fe a6 57 09 41 39 36 9e 5e a6 f4 a9 63 "
557 "19 a5 cc 82 24 14 5b 54 50 62 75 8f ef d1 fe 34 "
558 "09 ae 16 92 59 c6 cd fd 6b 5f 29 58 e3 14 fa ec "
559 "be 69 d2 ca ce 58 ee 55 17 9a b9 b3 e6 d1 ec c1 "
560 "4a 55 7c 5f eb e9 88 59 52 64 fc 5d a1 c5 71 46 "
561 "2e ca 79 8a 18 a1 a4 94 0c da b4 a3 e9 20 09 cc "
562 "d4 2e 1e 94 7b 13 14 e3 22 38 a2 de ce 7d 23 a8 "
563 "9b 5b 30 c7 51 fd 0a 4a 43 0d 2c 54 85 94 ";
564 // Salt:
565 static const char salt_9_3[] =
566 "9a 2b 00 7e 80 97 8b bb 19 2c 35 4e b7 da 9a ed "
567 "fc 74 db f5 ";
568 // Signature:
569 static const char signature_9_3[] =
570 "48 44 08 f3 89 8c d5 f5 34 83 f8 08 19 ef bf 27 "
571 "08 c3 4d 27 a8 b2 a6 fa e8 b3 22 f9 24 02 37 f9 "
572 "81 81 7a ca 18 46 f1 08 4d aa 6d 7c 07 95 f6 e5 "
573 "bf 1a f5 9c 38 e1 85 84 37 ce 1f 7e c4 19 b9 8c "
574 "87 36 ad f6 dd 9a 00 b1 80 6d 2b d3 ad 0a 73 77 "
575 "5e 05 f5 2d fe f3 a5 9a b4 b0 81 43 f0 df 05 cd "
576 "1a d9 d0 4b ec ec a6 da a4 a2 12 98 03 e2 00 cb "
577 "c7 77 87 ca f4 c1 d0 66 3a 6c 59 87 b6 05 95 20 "
578 "19 78 2c af 2e c1 42 6d 68 fb 94 ed 1d 4b e8 16 "
579 "a7 ed 08 1b 77 e6 ab 33 0b 3f fc 07 38 20 fe cd "
580 "e3 72 7f cb e2 95 ee 61 a0 50 a3 43 65 86 37 c3 "
581 "fd 65 9c fb 63 73 6d e3 2d 9f 90 d3 c2 f6 3e ca ";
582
583 // RSASSA-PSS Signature Example 9.4
584 // Message to be signed:
585 static const char message_9_4[] =
586 "1d fd 43 b4 6c 93 db 82 62 9b da e2 bd 0a 12 b8 "
587 "82 ea 04 c3 b4 65 f5 cf 93 02 3f 01 05 96 26 db "
588 "be 99 f2 6b b1 be 94 9d dd d1 6d c7 f3 de bb 19 "
589 "a1 94 62 7f 0b 22 44 34 df 7d 87 00 e9 e9 8b 06 "
590 "e3 60 c1 2f db e3 d1 9f 51 c9 68 4e b9 08 9e cb "
591 "b0 a2 f0 45 03 99 d3 f5 9e ac 72 94 08 5d 04 4f "
592 "53 93 c6 ce 73 74 23 d8 b8 6c 41 53 70 d3 89 e3 "
593 "0b 9f 0a 3c 02 d2 5d 00 82 e8 ad 6f 3f 1e f2 4a "
594 "45 c3 cf 82 b3 83 36 70 63 a4 d4 61 3e 42 64 f0 "
595 "1b 2d ac 2e 5a a4 20 43 f8 fb 5f 69 fa 87 1d 14 "
596 "fb 27 3e 76 7a 53 1c 40 f0 2f 34 3b c2 fb 45 a0 "
597 "c7 e0 f6 be 25 61 92 3a 77 21 1d 66 a6 e2 db b4 "
598 "3c 36 63 50 be ae 22 da 3a c2 c1 f5 07 70 96 fc "
599 "b5 c4 bf 25 5f 75 74 35 1a e0 b1 e1 f0 36 32 81 "
600 "7c 08 56 d4 a8 ba 97 af bd c8 b8 58 55 40 2b c5 "
601 "69 26 fc ec 20 9f 9e a8 ";
602 // Salt:
603 static const char salt_9_4[] =
604 "70 f3 82 bd df 4d 5d 2d d8 8b 3b c7 b7 30 8b e6 "
605 "32 b8 40 45 ";
606 // Signature:
607 static const char signature_9_4[] =
608 "84 eb eb 48 1b e5 98 45 b4 64 68 ba fb 47 1c 01 "
609 "12 e0 2b 23 5d 84 b5 d9 11 cb d1 92 6e e5 07 4a "
610 "e0 42 44 95 cb 20 e8 23 08 b8 eb b6 5f 41 9a 03 "
611 "fb 40 e7 2b 78 98 1d 88 aa d1 43 05 36 85 17 2c "
612 "97 b2 9c 8b 7b f0 ae 73 b5 b2 26 3c 40 3d a0 ed "
613 "2f 80 ff 74 50 af 78 28 eb 8b 86 f0 02 8b d2 a8 "
614 "b1 76 a4 d2 28 cc ce a1 83 94 f2 38 b0 9f f7 58 "
615 "cc 00 bc 04 30 11 52 35 57 42 f2 82 b5 4e 66 3a "
616 "91 9e 70 9d 8d a2 4a de 55 00 a7 b9 aa 50 22 6e "
617 "0c a5 29 23 e6 c2 d8 60 ec 50 ff 48 0f a5 74 77 "
618 "e8 2b 05 65 f4 37 9f 79 c7 72 d5 c2 da 80 af 9f "
619 "bf 32 5e ce 6f c2 0b 00 96 16 14 be e8 9a 18 3e ";
620
621 // RSASSA-PSS Signature Example 9.5
622 // Message to be signed:
623 static const char message_9_5[] =
624 "1b dc 6e 7c 98 fb 8c f5 4e 9b 09 7b 66 a8 31 e9 "
625 "cf e5 2d 9d 48 88 44 8e e4 b0 97 80 93 ba 1d 7d "
626 "73 ae 78 b3 a6 2b a4 ad 95 cd 28 9c cb 9e 00 52 "
627 "26 bb 3d 17 8b cc aa 82 1f b0 44 a4 e2 1e e9 76 "
628 "96 c1 4d 06 78 c9 4c 2d ae 93 b0 ad 73 92 22 18 "
629 "55 3d aa 7e 44 eb e5 77 25 a7 a4 5c c7 2b 9b 21 "
630 "38 a6 b1 7c 8d b4 11 ce 82 79 ee 12 41 af f0 a8 "
631 "be c6 f7 7f 87 ed b0 c6 9c b2 72 36 e3 43 5a 80 "
632 "0b 19 2e 4f 11 e5 19 e3 fe 30 fc 30 ea cc ca 4f "
633 "bb 41 76 90 29 bf 70 8e 81 7a 9e 68 38 05 be 67 "
634 "fa 10 09 84 68 3b 74 83 8e 3b cf fa 79 36 6e ed "
635 "1d 48 1c 76 72 91 18 83 8f 31 ba 8a 04 8a 93 c1 "
636 "be 44 24 59 8e 8d f6 32 8b 7a 77 88 0a 3f 9c 7e "
637 "2e 8d fc a8 eb 5a 26 fb 86 bd c5 56 d4 2b be 01 "
638 "d9 fa 6e d8 06 46 49 1c 93 41 ";
639 // Salt:
640 static const char salt_9_5[] =
641 "d6 89 25 7a 86 ef fa 68 21 2c 5e 0c 61 9e ca 29 "
642 "5f b9 1b 67 ";
643 // Signature:
644 static const char signature_9_5[] =
645 "82 10 2d f8 cb 91 e7 17 99 19 a0 4d 26 d3 35 d6 "
646 "4f bc 2f 87 2c 44 83 39 43 24 1d e8 45 48 10 27 "
647 "4c df 3d b5 f4 2d 42 3d b1 52 af 71 35 f7 01 42 "
648 "0e 39 b4 94 a6 7c bf d1 9f 91 19 da 23 3a 23 da "
649 "5c 64 39 b5 ba 0d 2b c3 73 ee e3 50 70 01 37 8d "
650 "4a 40 73 85 6b 7f e2 ab a0 b5 ee 93 b2 7f 4a fe "
651 "c7 d4 d1 20 92 1c 83 f6 06 76 5b 02 c1 9e 4d 6a "
652 "1a 3b 95 fa 4c 42 29 51 be 4f 52 13 10 77 ef 17 "
653 "17 97 29 cd df bd b5 69 50 db ac ee fe 78 cb 16 "
654 "64 0a 09 9e a5 6d 24 38 9e ef 10 f8 fe cb 31 ba "
655 "3e a3 b2 27 c0 a8 66 98 bb 89 e3 e9 36 39 05 bf "
656 "22 77 7b 2a 3a a5 21 b6 5b 4c ef 76 d8 3b de 4c ";
657
658 // RSASSA-PSS Signature Example 9.6
659 // Message to be signed:
660 static const char message_9_6[] =
661 "88 c7 a9 f1 36 04 01 d9 0e 53 b1 01 b6 1c 53 25 "
662 "c3 c7 5d b1 b4 11 fb eb 8e 83 0b 75 e9 6b 56 67 "
663 "0a d2 45 40 4e 16 79 35 44 ee 35 4b c6 13 a9 0c "
664 "c9 84 87 15 a7 3d b5 89 3e 7f 6d 27 98 15 c0 c1 "
665 "de 83 ef 8e 29 56 e3 a5 6e d2 6a 88 8d 7a 9c dc "
666 "d0 42 f4 b1 6b 7f a5 1e f1 a0 57 36 62 d1 6a 30 "
667 "2d 0e c5 b2 85 d2 e0 3a d9 65 29 c8 7b 3d 37 4d "
668 "b3 72 d9 5b 24 43 d0 61 b6 b1 a3 50 ba 87 80 7e "
669 "d0 83 af d1 eb 05 c3 f5 2f 4e ba 5e d2 22 77 14 "
670 "fd b5 0b 9d 9d 9d d6 81 4f 62 f6 27 2f cd 5c db "
671 "ce 7a 9e f7 97 ";
672 // Salt:
673 static const char salt_9_6[] =
674 "c2 5f 13 bf 67 d0 81 67 1a 04 81 a1 f1 82 0d 61 "
675 "3b ba 22 76 ";
676 // Signature:
677 static const char signature_9_6[] =
678 "a7 fd b0 d2 59 16 5c a2 c8 8d 00 bb f1 02 8a 86 "
679 "7d 33 76 99 d0 61 19 3b 17 a9 64 8e 14 cc bb aa "
680 "de ac aa cd ec 81 5e 75 71 29 4e bb 8a 11 7a f2 "
681 "05 fa 07 8b 47 b0 71 2c 19 9e 3a d0 51 35 c5 04 "
682 "c2 4b 81 70 51 15 74 08 02 48 79 92 ff d5 11 d4 "
683 "af c6 b8 54 49 1e b3 f0 dd 52 31 39 54 2f f1 5c "
684 "31 01 ee 85 54 35 17 c6 a3 c7 94 17 c6 7e 2d d9 "
685 "aa 74 1e 9a 29 b0 6d cb 59 3c 23 36 b3 67 0a e3 "
686 "af ba c7 c3 e7 6e 21 54 73 e8 66 e3 38 ca 24 4d "
687 "e0 0b 62 62 4d 6b 94 26 82 2c ea e9 f8 cc 46 08 "
688 "95 f4 12 50 07 3f d4 5c 5a 1e 7b 42 5c 20 4a 42 "
689 "3a 69 91 59 f6 90 3e 71 0b 37 a7 bb 2b c8 04 9f ";
690
691 // Example 10: A 2048-bit RSA Key Pair
692
693 // RSA modulus n:
694 static const char rsa_modulus_n_10[] =
695 "a5 dd 86 7a c4 cb 02 f9 0b 94 57 d4 8c 14 a7 70 "
696 "ef 99 1c 56 c3 9c 0e c6 5f d1 1a fa 89 37 ce a5 "
697 "7b 9b e7 ac 73 b4 5c 00 17 61 5b 82 d6 22 e3 18 "
698 "75 3b 60 27 c0 fd 15 7b e1 2f 80 90 fe e2 a7 ad "
699 "cd 0e ef 75 9f 88 ba 49 97 c7 a4 2d 58 c9 aa 12 "
700 "cb 99 ae 00 1f e5 21 c1 3b b5 43 14 45 a8 d5 ae "
701 "4f 5e 4c 7e 94 8a c2 27 d3 60 40 71 f2 0e 57 7e "
702 "90 5f be b1 5d fa f0 6d 1d e5 ae 62 53 d6 3a 6a "
703 "21 20 b3 1a 5d a5 da bc 95 50 60 0e 20 f2 7d 37 "
704 "39 e2 62 79 25 fe a3 cc 50 9f 21 df f0 4e 6e ea "
705 "45 49 c5 40 d6 80 9f f9 30 7e ed e9 1f ff 58 73 "
706 "3d 83 85 a2 37 d6 d3 70 5a 33 e3 91 90 09 92 07 "
707 "0d f7 ad f1 35 7c f7 e3 70 0c e3 66 7d e8 3f 17 "
708 "b8 df 17 78 db 38 1d ce 09 cb 4a d0 58 a5 11 00 "
709 "1a 73 81 98 ee 27 cf 55 a1 3b 75 45 39 90 65 82 "
710 "ec 8b 17 4b d5 8d 5d 1f 3d 76 7c 61 37 21 ae 05 ";
711 // RSA public exponent e:
712 static const char rsa_public_exponent_e_10[] =
713 "01 00 01 ";
714
715 // RSASSA-PSS Signature Example 10.1
716 // Message to be signed:
717 static const char message_10_1[] =
718 "88 31 77 e5 12 6b 9b e2 d9 a9 68 03 27 d5 37 0c "
719 "6f 26 86 1f 58 20 c4 3d a6 7a 3a d6 09 ";
720 // Salt:
721 static const char salt_10_1[] =
722 "04 e2 15 ee 6f f9 34 b9 da 70 d7 73 0c 87 34 ab "
723 "fc ec de 89 ";
724 // Signature:
725 static const char signature_10_1[] =
726 "82 c2 b1 60 09 3b 8a a3 c0 f7 52 2b 19 f8 73 54 "
727 "06 6c 77 84 7a bf 2a 9f ce 54 2d 0e 84 e9 20 c5 "
728 "af b4 9f fd fd ac e1 65 60 ee 94 a1 36 96 01 14 "
729 "8e ba d7 a0 e1 51 cf 16 33 17 91 a5 72 7d 05 f2 "
730 "1e 74 e7 eb 81 14 40 20 69 35 d7 44 76 5a 15 e7 "
731 "9f 01 5c b6 6c 53 2c 87 a6 a0 59 61 c8 bf ad 74 "
732 "1a 9a 66 57 02 28 94 39 3e 72 23 73 97 96 c0 2a "
733 "77 45 5d 0f 55 5b 0e c0 1d df 25 9b 62 07 fd 0f "
734 "d5 76 14 ce f1 a5 57 3b aa ff 4e c0 00 69 95 16 "
735 "59 b8 5f 24 30 0a 25 16 0c a8 52 2d c6 e6 72 7e "
736 "57 d0 19 d7 e6 36 29 b8 fe 5e 89 e2 5c c1 5b eb "
737 "3a 64 75 77 55 92 99 28 0b 9b 28 f7 9b 04 09 00 "
738 "0b e2 5b bd 96 40 8b a3 b4 3c c4 86 18 4d d1 c8 "
739 "e6 25 53 fa 1a f4 04 0f 60 66 3d e7 f5 e4 9c 04 "
740 "38 8e 25 7f 1c e8 9c 95 da b4 8a 31 5d 9b 66 b1 "
741 "b7 62 82 33 87 6f f2 38 52 30 d0 70 d0 7e 16 66 ";
742
743 // RSASSA-PSS Signature Example 10.2
744 // Message to be signed:
745 static const char message_10_2[] =
746 "dd 67 0a 01 46 58 68 ad c9 3f 26 13 19 57 a5 0c "
747 "52 fb 77 7c db aa 30 89 2c 9e 12 36 11 64 ec 13 "
748 "97 9d 43 04 81 18 e4 44 5d b8 7b ee 58 dd 98 7b "
749 "34 25 d0 20 71 d8 db ae 80 70 8b 03 9d bb 64 db "
750 "d1 de 56 57 d9 fe d0 c1 18 a5 41 43 74 2e 0f f3 "
751 "c8 7f 74 e4 58 57 64 7a f3 f7 9e b0 a1 4c 9d 75 "
752 "ea 9a 1a 04 b7 cf 47 8a 89 7a 70 8f d9 88 f4 8e "
753 "80 1e db 0b 70 39 df 8c 23 bb 3c 56 f4 e8 21 ac ";
754 // Salt:
755 static const char salt_10_2[] =
756 "8b 2b dd 4b 40 fa f5 45 c7 78 dd f9 bc 1a 49 cb "
757 "57 f9 b7 1b ";
758 // Signature:
759 static const char signature_10_2[] =
760 "14 ae 35 d9 dd 06 ba 92 f7 f3 b8 97 97 8a ed 7c "
761 "d4 bf 5f f0 b5 85 a4 0b d4 6c e1 b4 2c d2 70 30 "
762 "53 bb 90 44 d6 4e 81 3d 8f 96 db 2d d7 00 7d 10 "
763 "11 8f 6f 8f 84 96 09 7a d7 5e 1f f6 92 34 1b 28 "
764 "92 ad 55 a6 33 a1 c5 5e 7f 0a 0a d5 9a 0e 20 3a "
765 "5b 82 78 ae c5 4d d8 62 2e 28 31 d8 71 74 f8 ca "
766 "ff 43 ee 6c 46 44 53 45 d8 4a 59 65 9b fb 92 ec "
767 "d4 c8 18 66 86 95 f3 47 06 f6 68 28 a8 99 59 63 "
768 "7f 2b f3 e3 25 1c 24 bd ba 4d 4b 76 49 da 00 22 "
769 "21 8b 11 9c 84 e7 9a 65 27 ec 5b 8a 5f 86 1c 15 "
770 "99 52 e2 3e c0 5e 1e 71 73 46 fa ef e8 b1 68 68 "
771 "25 bd 2b 26 2f b2 53 10 66 c0 de 09 ac de 2e 42 "
772 "31 69 07 28 b5 d8 5e 11 5a 2f 6b 92 b7 9c 25 ab "
773 "c9 bd 93 99 ff 8b cf 82 5a 52 ea 1f 56 ea 76 dd "
774 "26 f4 3b aa fa 18 bf a9 2a 50 4c bd 35 69 9e 26 "
775 "d1 dc c5 a2 88 73 85 f3 c6 32 32 f0 6f 32 44 c3 ";
776
777 // RSASSA-PSS Signature Example 10.3
778 // Message to be signed:
779 static const char message_10_3[] =
780 "48 b2 b6 a5 7a 63 c8 4c ea 85 9d 65 c6 68 28 4b "
781 "08 d9 6b dc aa be 25 2d b0 e4 a9 6c b1 ba c6 01 "
782 "93 41 db 6f be fb 8d 10 6b 0e 90 ed a6 bc c6 c6 "
783 "26 2f 37 e7 ea 9c 7e 5d 22 6b d7 df 85 ec 5e 71 "
784 "ef ff 2f 54 c5 db 57 7f f7 29 ff 91 b8 42 49 1d "
785 "e2 74 1d 0c 63 16 07 df 58 6b 90 5b 23 b9 1a f1 "
786 "3d a1 23 04 bf 83 ec a8 a7 3e 87 1f f9 db ";
787 // Salt:
788 static const char salt_10_3[] =
789 "4e 96 fc 1b 39 8f 92 b4 46 71 01 0c 0d c3 ef d6 "
790 "e2 0c 2d 73 ";
791 // Signature:
792 static const char signature_10_3[] =
793 "6e 3e 4d 7b 6b 15 d2 fb 46 01 3b 89 00 aa 5b bb "
794 "39 39 cf 2c 09 57 17 98 70 42 02 6e e6 2c 74 c5 "
795 "4c ff d5 d7 d5 7e fb bf 95 0a 0f 5c 57 4f a0 9d "
796 "3f c1 c9 f5 13 b0 5b 4f f5 0d d8 df 7e df a2 01 "
797 "02 85 4c 35 e5 92 18 01 19 a7 0c e5 b0 85 18 2a "
798 "a0 2d 9e a2 aa 90 d1 df 03 f2 da ae 88 5b a2 f5 "
799 "d0 5a fd ac 97 47 6f 06 b9 3b 5b c9 4a 1a 80 aa "
800 "91 16 c4 d6 15 f3 33 b0 98 89 2b 25 ff ac e2 66 "
801 "f5 db 5a 5a 3b cc 10 a8 24 ed 55 aa d3 5b 72 78 "
802 "34 fb 8c 07 da 28 fc f4 16 a5 d9 b2 22 4f 1f 8b "
803 "44 2b 36 f9 1e 45 6f de a2 d7 cf e3 36 72 68 de "
804 "03 07 a4 c7 4e 92 41 59 ed 33 39 3d 5e 06 55 53 "
805 "1c 77 32 7b 89 82 1b de df 88 01 61 c7 8c d4 19 "
806 "6b 54 19 f7 ac c3 f1 3e 5e bf 16 1b 6e 7c 67 24 "
807 "71 6c a3 3b 85 c2 e2 56 40 19 2a c2 85 96 51 d5 "
808 "0b de 7e b9 76 e5 1c ec 82 8b 98 b6 56 3b 86 bb ";
809
810 // RSASSA-PSS Signature Example 10.4
811 // Message to be signed:
812 static const char message_10_4[] =
813 "0b 87 77 c7 f8 39 ba f0 a6 4b bb db c5 ce 79 75 "
814 "5c 57 a2 05 b8 45 c1 74 e2 d2 e9 05 46 a0 89 c4 "
815 "e6 ec 8a df fa 23 a7 ea 97 ba e6 b6 5d 78 2b 82 "
816 "db 5d 2b 5a 56 d2 2a 29 a0 5e 7c 44 33 e2 b8 2a "
817 "62 1a bb a9 0a dd 05 ce 39 3f c4 8a 84 05 42 45 "
818 "1a ";
819 // Salt:
820 static const char salt_10_4[] =
821 "c7 cd 69 8d 84 b6 51 28 d8 83 5e 3a 8b 1e b0 e0 "
822 "1c b5 41 ec ";
823 // Signature:
824 static const char signature_10_4[] =
825 "34 04 7f f9 6c 4d c0 dc 90 b2 d4 ff 59 a1 a3 61 "
826 "a4 75 4b 25 5d 2e e0 af 7d 8b f8 7c 9b c9 e7 dd "
827 "ee de 33 93 4c 63 ca 1c 0e 3d 26 2c b1 45 ef 93 "
828 "2a 1f 2c 0a 99 7a a6 a3 4f 8e ae e7 47 7d 82 cc "
829 "f0 90 95 a6 b8 ac ad 38 d4 ee c9 fb 7e ab 7a d0 "
830 "2d a1 d1 1d 8e 54 c1 82 5e 55 bf 58 c2 a2 32 34 "
831 "b9 02 be 12 4f 9e 90 38 a8 f6 8f a4 5d ab 72 f6 "
832 "6e 09 45 bf 1d 8b ac c9 04 4c 6f 07 09 8c 9f ce "
833 "c5 8a 3a ab 10 0c 80 51 78 15 5f 03 0a 12 4c 45 "
834 "0e 5a cb da 47 d0 e4 f1 0b 80 a2 3f 80 3e 77 4d "
835 "02 3b 00 15 c2 0b 9f 9b be 7c 91 29 63 38 d5 ec "
836 "b4 71 ca fb 03 20 07 b6 7a 60 be 5f 69 50 4a 9f "
837 "01 ab b3 cb 46 7b 26 0e 2b ce 86 0b e8 d9 5b f9 "
838 "2c 0c 8e 14 96 ed 1e 52 85 93 a4 ab b6 df 46 2d "
839 "de 8a 09 68 df fe 46 83 11 68 57 a2 32 f5 eb f6 "
840 "c8 5b e2 38 74 5a d0 f3 8f 76 7a 5f db f4 86 fb ";
841
842 // RSASSA-PSS Signature Example 10.5
843 // Message to be signed:
844 static const char message_10_5[] =
845 "f1 03 6e 00 8e 71 e9 64 da dc 92 19 ed 30 e1 7f "
846 "06 b4 b6 8a 95 5c 16 b3 12 b1 ed df 02 8b 74 97 "
847 "6b ed 6b 3f 6a 63 d4 e7 78 59 24 3c 9c cc dc 98 "
848 "01 65 23 ab b0 24 83 b3 55 91 c3 3a ad 81 21 3b "
849 "b7 c7 bb 1a 47 0a ab c1 0d 44 25 6c 4d 45 59 d9 "
850 "16 ";
851 // Salt:
852 static const char salt_10_5[] =
853 "ef a8 bf f9 62 12 b2 f4 a3 f3 71 a1 0d 57 41 52 "
854 "65 5f 5d fb ";
855 // Signature:
856 static const char signature_10_5[] =
857 "7e 09 35 ea 18 f4 d6 c1 d1 7c e8 2e b2 b3 83 6c "
858 "55 b3 84 58 9c e1 9d fe 74 33 63 ac 99 48 d1 f3 "
859 "46 b7 bf dd fe 92 ef d7 8a db 21 fa ef c8 9a de "
860 "42 b1 0f 37 40 03 fe 12 2e 67 42 9a 1c b8 cb d1 "
861 "f8 d9 01 45 64 c4 4d 12 01 16 f4 99 0f 1a 6e 38 "
862 "77 4c 19 4b d1 b8 21 32 86 b0 77 b0 49 9d 2e 7b "
863 "3f 43 4a b1 22 89 c5 56 68 4d ee d7 81 31 93 4b "
864 "b3 dd 65 37 23 6f 7c 6f 3d cb 09 d4 76 be 07 72 "
865 "1e 37 e1 ce ed 9b 2f 7b 40 68 87 bd 53 15 73 05 "
866 "e1 c8 b4 f8 4d 73 3b c1 e1 86 fe 06 cc 59 b6 ed "
867 "b8 f4 bd 7f fe fd f4 f7 ba 9c fb 9d 57 06 89 b5 "
868 "a1 a4 10 9a 74 6a 69 08 93 db 37 99 25 5a 0c b9 "
869 "21 5d 2d 1c d4 90 59 0e 95 2e 8c 87 86 aa 00 11 "
870 "26 52 52 47 0c 04 1d fb c3 ee c7 c3 cb f7 1c 24 "
871 "86 9d 11 5c 0c b4 a9 56 f5 6d 53 0b 80 ab 58 9a "
872 "cf ef c6 90 75 1d df 36 e8 d3 83 f8 3c ed d2 cc ";
873
874 // RSASSA-PSS Signature Example 10.6
875 // Message to be signed:
876 static const char message_10_6[] =
877 "25 f1 08 95 a8 77 16 c1 37 45 0b b9 51 9d fa a1 "
878 "f2 07 fa a9 42 ea 88 ab f7 1e 9c 17 98 00 85 b5 "
879 "55 ae ba b7 62 64 ae 2a 3a b9 3c 2d 12 98 11 91 "
880 "dd ac 6f b5 94 9e b3 6a ee 3c 5d a9 40 f0 07 52 "
881 "c9 16 d9 46 08 fa 7d 97 ba 6a 29 15 b6 88 f2 03 "
882 "23 d4 e9 d9 68 01 d8 9a 72 ab 58 92 dc 21 17 c0 "
883 "74 34 fc f9 72 e0 58 cf 8c 41 ca 4b 4f f5 54 f7 "
884 "d5 06 8a d3 15 5f ce d0 f3 12 5b c0 4f 91 93 37 "
885 "8a 8f 5c 4c 3b 8c b4 dd 6d 1c c6 9d 30 ec ca 6e "
886 "aa 51 e3 6a 05 73 0e 9e 34 2e 85 5b af 09 9d ef "
887 "b8 af d7 ";
888 // Salt:
889 static const char salt_10_6[] =
890 "ad 8b 15 23 70 36 46 22 4b 66 0b 55 08 85 91 7c "
891 "a2 d1 df 28 ";
892 // Signature:
893 static const char signature_10_6[] =
894 "6d 3b 5b 87 f6 7e a6 57 af 21 f7 54 41 97 7d 21 "
895 "80 f9 1b 2c 5f 69 2d e8 29 55 69 6a 68 67 30 d9 "
896 "b9 77 8d 97 07 58 cc b2 60 71 c2 20 9f fb d6 12 "
897 "5b e2 e9 6e a8 1b 67 cb 9b 93 08 23 9f da 17 f7 "
898 "b2 b6 4e cd a0 96 b6 b9 35 64 0a 5a 1c b4 2a 91 "
899 "55 b1 c9 ef 7a 63 3a 02 c5 9f 0d 6e e5 9b 85 2c "
900 "43 b3 50 29 e7 3c 94 0f f0 41 0e 8f 11 4e ed 46 "
901 "bb d0 fa e1 65 e4 2b e2 52 8a 40 1c 3b 28 fd 81 "
902 "8e f3 23 2d ca 9f 4d 2a 0f 51 66 ec 59 c4 23 96 "
903 "d6 c1 1d bc 12 15 a5 6f a1 71 69 db 95 75 34 3e "
904 "f3 4f 9d e3 2a 49 cd c3 17 49 22 f2 29 c2 3e 18 "
905 "e4 5d f9 35 31 19 ec 43 19 ce dc e7 a1 7c 64 08 "
906 "8c 1f 6f 52 be 29 63 41 00 b3 91 9d 38 f3 d1 ed "
907 "94 e6 89 1e 66 a7 3b 8f b8 49 f5 87 4d f5 94 59 "
908 "e2 98 c7 bb ce 2e ee 78 2a 19 5a a6 6f e2 d0 73 "
909 "2b 25 e5 95 f5 7d 3e 06 1b 1f c3 e4 06 3b f9 8f ";
910
911 struct SignatureExample {
912 const char* message;
913 const char* salt;
914 const char* signature;
915 };
916
917 struct PSSTestVector {
918 const char* modulus_n;
919 const char* public_exponent_e;
920 SignatureExample example[6];
921 };
922
923 static const PSSTestVector pss_test[] = {
924 {
925 rsa_modulus_n_1,
926 rsa_public_exponent_e_1,
927 {
928 { message_1_1, salt_1_1, signature_1_1 },
929 { message_1_2, salt_1_2, signature_1_2 },
930 { message_1_3, salt_1_3, signature_1_3 },
931 { message_1_4, salt_1_4, signature_1_4 },
932 { message_1_5, salt_1_5, signature_1_5 },
933 { message_1_6, salt_1_6, signature_1_6 },
934 }
935 },
936 {
937 rsa_modulus_n_9,
938 rsa_public_exponent_e_9,
939 {
940 { message_9_1, salt_9_1, signature_9_1 },
941 { message_9_2, salt_9_2, signature_9_2 },
942 { message_9_3, salt_9_3, signature_9_3 },
943 { message_9_4, salt_9_4, signature_9_4 },
944 { message_9_5, salt_9_5, signature_9_5 },
945 { message_9_6, salt_9_6, signature_9_6 },
946 }
947 },
948 {
949 rsa_modulus_n_10,
950 rsa_public_exponent_e_10,
951 {
952 { message_10_1, salt_10_1, signature_10_1 },
953 { message_10_2, salt_10_2, signature_10_2 },
954 { message_10_3, salt_10_3, signature_10_3 },
955 { message_10_4, salt_10_4, signature_10_4 },
956 { message_10_5, salt_10_5, signature_10_5 },
957 { message_10_6, salt_10_6, signature_10_6 },
958 }
959 },
960 };
961
HexDigitValue(char digit)962 static uint8_t HexDigitValue(char digit) {
963 if ('0' <= digit && digit <= '9')
964 return digit - '0';
965 if ('a' <= digit && digit <= 'f')
966 return digit - 'a' + 10;
967 return digit - 'A' + 10;
968 }
969
DecodeTestInput(const char * in,std::vector<uint8_t> * out)970 static bool DecodeTestInput(const char* in, std::vector<uint8_t>* out) {
971 out->clear();
972 while (in[0] != '\0') {
973 if (!isxdigit(in[0]) || !isxdigit(in[1]) || in[2] != ' ')
974 return false;
975 uint8_t octet = HexDigitValue(in[0]) * 16 + HexDigitValue(in[1]);
976 out->push_back(octet);
977 in += 3;
978 }
979 return true;
980 }
981
982 // PrependASN1Length prepends an ASN.1 serialized length to the beginning of
983 // |out|.
PrependASN1Length(std::vector<uint8_t> * out,size_t len)984 static void PrependASN1Length(std::vector<uint8_t>* out, size_t len) {
985 if (len < 128) {
986 out->insert(out->begin(), static_cast<uint8_t>(len));
987 } else if (len < 256) {
988 out->insert(out->begin(), static_cast<uint8_t>(len));
989 out->insert(out->begin(), 0x81);
990 } else if (len < 0x10000) {
991 out->insert(out->begin(), static_cast<uint8_t>(len));
992 out->insert(out->begin(), static_cast<uint8_t>(len >> 8));
993 out->insert(out->begin(), 0x82);
994 } else {
995 CHECK(false) << "ASN.1 length not handled: " << len;
996 }
997 }
998
EncodeRSAPublicKey(const std::vector<uint8_t> & modulus_n,const std::vector<uint8_t> & public_exponent_e,std::vector<uint8_t> * public_key_info)999 static bool EncodeRSAPublicKey(const std::vector<uint8_t>& modulus_n,
1000 const std::vector<uint8_t>& public_exponent_e,
1001 std::vector<uint8_t>* public_key_info) {
1002 // The public key is specified as the following ASN.1 structure:
1003 // SubjectPublicKeyInfo ::= SEQUENCE {
1004 // algorithm AlgorithmIdentifier,
1005 // subjectPublicKey BIT STRING }
1006 //
1007 // The algorithm is specified as the following ASN.1 structure:
1008 // AlgorithmIdentifier ::= SEQUENCE {
1009 // algorithm OBJECT IDENTIFIER,
1010 // parameters ANY DEFINED BY algorithm OPTIONAL }
1011 //
1012 // An RSA public key is specified as the following ASN.1 structure:
1013 // RSAPublicKey ::= SEQUENCE {
1014 // modulus INTEGER, -- n
1015 // publicExponent INTEGER -- e
1016 // }
1017 static const uint8_t kIntegerTag = 0x02;
1018 static const uint8_t kBitStringTag = 0x03;
1019 static const uint8_t kSequenceTag = 0x30;
1020 public_key_info->clear();
1021
1022 // Encode the public exponent e as an INTEGER.
1023 public_key_info->insert(public_key_info->begin(),
1024 public_exponent_e.begin(),
1025 public_exponent_e.end());
1026 PrependASN1Length(public_key_info, public_exponent_e.size());
1027 public_key_info->insert(public_key_info->begin(), kIntegerTag);
1028
1029 // Encode the modulus n as an INTEGER.
1030 public_key_info->insert(public_key_info->begin(),
1031 modulus_n.begin(), modulus_n.end());
1032 size_t modulus_size = modulus_n.size();
1033 if (modulus_n[0] & 0x80) {
1034 public_key_info->insert(public_key_info->begin(), 0x00);
1035 modulus_size++;
1036 }
1037 PrependASN1Length(public_key_info, modulus_size);
1038 public_key_info->insert(public_key_info->begin(), kIntegerTag);
1039
1040 // Encode the RSAPublicKey SEQUENCE.
1041 PrependASN1Length(public_key_info, public_key_info->size());
1042 public_key_info->insert(public_key_info->begin(), kSequenceTag);
1043
1044 // Encode the BIT STRING.
1045 // Number of unused bits.
1046 public_key_info->insert(public_key_info->begin(), 0x00);
1047 PrependASN1Length(public_key_info, public_key_info->size());
1048 public_key_info->insert(public_key_info->begin(), kBitStringTag);
1049
1050 // Encode the AlgorithmIdentifier.
1051 static const uint8_t algorithm[] = {
1052 0x30, 0x0d, // a SEQUENCE of length 13
1053 0x06, 0x09, // an OBJECT IDENTIFIER of length 9
1054 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00,
1055 };
1056 public_key_info->insert(public_key_info->begin(),
1057 algorithm, algorithm + sizeof(algorithm));
1058
1059 // Encode the outermost SEQUENCE.
1060 PrependASN1Length(public_key_info, public_key_info->size());
1061 public_key_info->insert(public_key_info->begin(), kSequenceTag);
1062
1063 return true;
1064 }
1065
TEST(SignatureVerifierTest,VerifyRSAPSS)1066 TEST(SignatureVerifierTest, VerifyRSAPSS) {
1067 for (unsigned int i = 0; i < arraysize(pss_test); i++) {
1068 SCOPED_TRACE(i);
1069 std::vector<uint8_t> modulus_n;
1070 std::vector<uint8_t> public_exponent_e;
1071 ASSERT_TRUE(DecodeTestInput(pss_test[i].modulus_n, &modulus_n));
1072 ASSERT_TRUE(DecodeTestInput(pss_test[i].public_exponent_e,
1073 &public_exponent_e));
1074 std::vector<uint8_t> public_key_info;
1075 ASSERT_TRUE(EncodeRSAPublicKey(modulus_n, public_exponent_e,
1076 &public_key_info));
1077
1078 for (unsigned int j = 0; j < arraysize(pss_test[i].example); j++) {
1079 SCOPED_TRACE(j);
1080 std::vector<uint8_t> message;
1081 std::vector<uint8_t> salt;
1082 std::vector<uint8_t> signature;
1083 ASSERT_TRUE(DecodeTestInput(pss_test[i].example[j].message, &message));
1084 ASSERT_TRUE(DecodeTestInput(pss_test[i].example[j].salt, &salt));
1085 ASSERT_TRUE(DecodeTestInput(pss_test[i].example[j].signature,
1086 &signature));
1087
1088 crypto::SignatureVerifier verifier;
1089 bool ok;
1090
1091 // Positive test.
1092 ok = verifier.VerifyInitRSAPSS(crypto::SignatureVerifier::SHA1,
1093 crypto::SignatureVerifier::SHA1,
1094 salt.size(),
1095 &signature[0], signature.size(),
1096 &public_key_info[0],
1097 public_key_info.size());
1098 ASSERT_TRUE(ok);
1099 verifier.VerifyUpdate(&message[0], message.size());
1100 ok = verifier.VerifyFinal();
1101 EXPECT_TRUE(ok);
1102
1103 // Modify the first byte of the message.
1104 ok = verifier.VerifyInitRSAPSS(crypto::SignatureVerifier::SHA1,
1105 crypto::SignatureVerifier::SHA1,
1106 salt.size(),
1107 &signature[0], signature.size(),
1108 &public_key_info[0],
1109 public_key_info.size());
1110 ASSERT_TRUE(ok);
1111 message[0] += 1;
1112 verifier.VerifyUpdate(&message[0], message.size());
1113 message[0] -= 1;
1114 ok = verifier.VerifyFinal();
1115 EXPECT_FALSE(ok);
1116
1117 // Truncate the message.
1118 ASSERT_FALSE(message.empty());
1119 ok = verifier.VerifyInitRSAPSS(crypto::SignatureVerifier::SHA1,
1120 crypto::SignatureVerifier::SHA1,
1121 salt.size(),
1122 &signature[0], signature.size(),
1123 &public_key_info[0],
1124 public_key_info.size());
1125 ASSERT_TRUE(ok);
1126 verifier.VerifyUpdate(&message[0], message.size() - 1);
1127 ok = verifier.VerifyFinal();
1128 EXPECT_FALSE(ok);
1129
1130 // Corrupt the signature.
1131 signature[0] += 1;
1132 ok = verifier.VerifyInitRSAPSS(crypto::SignatureVerifier::SHA1,
1133 crypto::SignatureVerifier::SHA1,
1134 salt.size(),
1135 &signature[0], signature.size(),
1136 &public_key_info[0],
1137 public_key_info.size());
1138 signature[0] -= 1;
1139 ASSERT_TRUE(ok);
1140 verifier.VerifyUpdate(&message[0], message.size());
1141 ok = verifier.VerifyFinal();
1142 EXPECT_FALSE(ok);
1143 }
1144 }
1145 }
1146