summaryrefslogtreecommitdiffstats
path: root/security/nss/gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 09:22:09 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 09:22:09 +0000
commit43a97878ce14b72f0981164f87f2e35e14151312 (patch)
tree620249daf56c0258faa40cbdcf9cfba06de2a846 /security/nss/gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc
parentInitial commit. (diff)
downloadfirefox-43a97878ce14b72f0981164f87f2e35e14151312.tar.xz
firefox-43a97878ce14b72f0981164f87f2e35e14151312.zip
Adding upstream version 110.0.1.upstream/110.0.1upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'security/nss/gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc')
-rw-r--r--security/nss/gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc294
1 files changed, 294 insertions, 0 deletions
diff --git a/security/nss/gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc b/security/nss/gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc
new file mode 100644
index 0000000000..7ae7189823
--- /dev/null
+++ b/security/nss/gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc
@@ -0,0 +1,294 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include <stdint.h>
+#include <memory>
+#include "cryptohi.h"
+#include "cpputil.h"
+#include "databuffer.h"
+#include "gtest/gtest.h"
+#include "nss.h"
+#include "nss_scoped_ptrs.h"
+#include "pk11pub.h"
+#include "secerr.h"
+#include "sechash.h"
+#include "pk11_signature_test.h"
+
+#include "testvectors/rsa_signature_2048_sha224-vectors.h"
+#include "testvectors/rsa_signature_2048_sha256-vectors.h"
+#include "testvectors/rsa_signature_2048_sha512-vectors.h"
+#include "testvectors/rsa_signature_3072_sha256-vectors.h"
+#include "testvectors/rsa_signature_3072_sha384-vectors.h"
+#include "testvectors/rsa_signature_3072_sha512-vectors.h"
+#include "testvectors/rsa_signature_4096_sha384-vectors.h"
+#include "testvectors/rsa_signature_4096_sha512-vectors.h"
+#include "testvectors/rsa_signature-vectors.h"
+
+namespace nss_test {
+
+CK_MECHANISM_TYPE RsaHashToComboMech(SECOidTag hash) {
+ switch (hash) {
+ case SEC_OID_SHA1:
+ return CKM_SHA1_RSA_PKCS;
+ case SEC_OID_SHA224:
+ return CKM_SHA224_RSA_PKCS;
+ case SEC_OID_SHA256:
+ return CKM_SHA256_RSA_PKCS;
+ case SEC_OID_SHA384:
+ return CKM_SHA384_RSA_PKCS;
+ case SEC_OID_SHA512:
+ return CKM_SHA512_RSA_PKCS;
+ default:
+ break;
+ }
+ return CKM_INVALID_MECHANISM;
+}
+
+class Pkcs11RsaBaseTest : public Pk11SignatureTest {
+ protected:
+ Pkcs11RsaBaseTest(SECOidTag hashOid)
+ : Pk11SignatureTest(CKM_RSA_PKCS, hashOid, RsaHashToComboMech(hashOid)) {}
+
+ void Verify(const RsaSignatureTestVector vec) {
+ Pkcs11SignatureTestParams params = {
+ DataBuffer(), DataBuffer(vec.public_key.data(), vec.public_key.size()),
+ DataBuffer(vec.msg.data(), vec.msg.size()),
+ DataBuffer(vec.sig.data(), vec.sig.size())};
+ Pk11SignatureTest::Verify(params, (bool)vec.valid);
+ }
+};
+
+class Pkcs11RsaPkcs1WycheproofTest
+ : public Pkcs11RsaBaseTest,
+ public ::testing::WithParamInterface<RsaSignatureTestVector> {
+ public:
+ Pkcs11RsaPkcs1WycheproofTest() : Pkcs11RsaBaseTest(GetParam().hash_oid) {}
+
+ protected:
+ void Verify1(const RsaSignatureTestVector vec) {
+ SECItem spki_item = {siBuffer, toUcharPtr(vec.public_key.data()),
+ static_cast<unsigned int>(vec.public_key.size())};
+
+ ScopedCERTSubjectPublicKeyInfo cert_spki(
+ SECKEY_DecodeDERSubjectPublicKeyInfo(&spki_item));
+ ASSERT_TRUE(cert_spki);
+
+ ScopedSECKEYPublicKey pub_key(SECKEY_ExtractPublicKey(cert_spki.get()));
+ ASSERT_TRUE(pub_key);
+
+ DataBuffer hash;
+ hash.Allocate(static_cast<size_t>(HASH_ResultLenByOidTag(vec.hash_oid)));
+ SECStatus rv = PK11_HashBuf(vec.hash_oid, toUcharPtr(hash.data()),
+ toUcharPtr(vec.msg.data()), vec.msg.size());
+ ASSERT_EQ(rv, SECSuccess);
+
+ // Verify.
+ SECItem hash_item = {siBuffer, toUcharPtr(hash.data()),
+ static_cast<unsigned int>(hash.len())};
+ SECItem sig_item = {siBuffer, toUcharPtr(vec.sig.data()),
+ static_cast<unsigned int>(vec.sig.size())};
+
+ rv = VFY_VerifyDigestDirect(&hash_item, pub_key.get(), &sig_item,
+ SEC_OID_PKCS1_RSA_ENCRYPTION, vec.hash_oid,
+ nullptr);
+ EXPECT_EQ(rv, vec.valid ? SECSuccess : SECFailure);
+ };
+};
+
+/* Test that PKCS #1 v1.5 verification requires a minimum of 8B
+ * of padding, per-RFC3447. The padding formula is
+ * `pad_len = em_len - t_len - 3`, where em_len is the octet length
+ * of the RSA modulus and t_len is the length of the `DigestInfo ||
+ * Hash(message)` sequence. For SHA512, t_len is 83. We'll tweak the
+ * modulus size to test with a pad_len of 8 (valid) and 6 (invalid):
+ * em_len = `8 + 83 + 3` = `94*8` = 752b
+ * em_len = `6 + 83 + 3` = `92*8` = 736b
+ * Use 6 as the invalid value since modLen % 16 must be zero.
+ */
+TEST(RsaPkcs1Test, Pkcs1MinimumPadding) {
+ const size_t kRsaShortKeyBits = 736;
+ const size_t kRsaKeyBits = 752;
+ static const std::vector<uint8_t> kMsg{'T', 'E', 'S', 'T'};
+ static const std::vector<uint8_t> kSha512DigestInfo{
+ 0x30, 0x51, 0x30, 0x0D, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
+ 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40};
+ static const std::vector<uint8_t> kMsgSha512{
+ 0x7B, 0xFA, 0x95, 0xA6, 0x88, 0x92, 0x4C, 0x47, 0xC7, 0xD2, 0x23,
+ 0x81, 0xF2, 0x0C, 0xC9, 0x26, 0xF5, 0x24, 0xBE, 0xAC, 0xB1, 0x3F,
+ 0x84, 0xE2, 0x03, 0xD4, 0xBD, 0x8C, 0xB6, 0xBA, 0x2F, 0xCE, 0x81,
+ 0xC5, 0x7A, 0x5F, 0x05, 0x9B, 0xF3, 0xD5, 0x09, 0x92, 0x64, 0x87,
+ 0xBD, 0xE9, 0x25, 0xB3, 0xBC, 0xEE, 0x06, 0x35, 0xE4, 0xF7, 0xBA,
+ 0xEB, 0xA0, 0x54, 0xE5, 0xDB, 0xA6, 0x96, 0xB2, 0xBF};
+
+ ScopedSECKEYPrivateKey short_priv, good_priv;
+ ScopedSECKEYPublicKey short_pub, good_pub;
+ PK11RSAGenParams rsa_params;
+ rsa_params.keySizeInBits = kRsaShortKeyBits;
+ rsa_params.pe = 65537;
+
+ ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
+ ASSERT_TRUE(slot);
+ SECKEYPublicKey* p_pub_tmp = nullptr;
+ short_priv.reset(PK11_GenerateKeyPair(slot.get(), CKM_RSA_PKCS_KEY_PAIR_GEN,
+ &rsa_params, &p_pub_tmp, false, false,
+ nullptr));
+ short_pub.reset(p_pub_tmp);
+
+ rsa_params.keySizeInBits = kRsaKeyBits;
+ good_priv.reset(PK11_GenerateKeyPair(slot.get(), CKM_RSA_PKCS_KEY_PAIR_GEN,
+ &rsa_params, &p_pub_tmp, false, false,
+ nullptr));
+ good_pub.reset(p_pub_tmp);
+
+ size_t em_len = kRsaShortKeyBits / 8;
+ size_t t_len = kSha512DigestInfo.size() + kMsgSha512.size();
+ size_t pad_len = em_len - t_len - 3;
+ ASSERT_EQ(6U, pad_len);
+
+ std::vector<uint8_t> invalid_pkcs;
+ invalid_pkcs.push_back(0x00);
+ invalid_pkcs.push_back(0x01);
+ invalid_pkcs.insert(invalid_pkcs.end(), pad_len, 0xff);
+ invalid_pkcs.insert(invalid_pkcs.end(), 1, 0x00);
+ invalid_pkcs.insert(invalid_pkcs.end(), kSha512DigestInfo.begin(),
+ kSha512DigestInfo.end());
+ invalid_pkcs.insert(invalid_pkcs.end(), kMsgSha512.begin(), kMsgSha512.end());
+ ASSERT_EQ(em_len, invalid_pkcs.size());
+
+ // Sign it indirectly. Signing functions check for a proper pad_len.
+ std::vector<uint8_t> sig(em_len);
+ uint32_t sig_len;
+ SECStatus rv =
+ PK11_PubDecryptRaw(short_priv.get(), sig.data(), &sig_len, sig.size(),
+ invalid_pkcs.data(), invalid_pkcs.size());
+ EXPECT_EQ(SECSuccess, rv);
+
+ // Verify it.
+ DataBuffer hash;
+ hash.Allocate(static_cast<size_t>(HASH_ResultLenByOidTag(SEC_OID_SHA512)));
+ rv = PK11_HashBuf(SEC_OID_SHA512, toUcharPtr(hash.data()),
+ toUcharPtr(kMsg.data()), kMsg.size());
+ ASSERT_EQ(rv, SECSuccess);
+ SECItem hash_item = {siBuffer, toUcharPtr(hash.data()),
+ static_cast<unsigned int>(hash.len())};
+ SECItem sig_item = {siBuffer, toUcharPtr(sig.data()), sig_len};
+ rv = VFY_VerifyDigestDirect(&hash_item, short_pub.get(), &sig_item,
+ SEC_OID_PKCS1_RSA_ENCRYPTION, SEC_OID_SHA512,
+ nullptr);
+ EXPECT_EQ(SECFailure, rv);
+ EXPECT_EQ(SEC_ERROR_BAD_SIGNATURE, PORT_GetError());
+
+ // Repeat the test with the sufficiently-long key.
+ em_len = kRsaKeyBits / 8;
+ t_len = kSha512DigestInfo.size() + kMsgSha512.size();
+ pad_len = em_len - t_len - 3;
+ ASSERT_EQ(8U, pad_len);
+
+ std::vector<uint8_t> valid_pkcs;
+ valid_pkcs.push_back(0x00);
+ valid_pkcs.push_back(0x01);
+ valid_pkcs.insert(valid_pkcs.end(), pad_len, 0xff);
+ valid_pkcs.insert(valid_pkcs.end(), 1, 0x00);
+ valid_pkcs.insert(valid_pkcs.end(), kSha512DigestInfo.begin(),
+ kSha512DigestInfo.end());
+ valid_pkcs.insert(valid_pkcs.end(), kMsgSha512.begin(), kMsgSha512.end());
+ ASSERT_EQ(em_len, valid_pkcs.size());
+
+ // Sign it the same way as above (even though we could use sign APIs now).
+ sig.resize(em_len);
+ rv = PK11_PubDecryptRaw(good_priv.get(), sig.data(), &sig_len, sig.size(),
+ valid_pkcs.data(), valid_pkcs.size());
+ EXPECT_EQ(SECSuccess, rv);
+
+ // Verify it.
+ sig_item = {siBuffer, toUcharPtr(sig.data()), sig_len};
+ rv = VFY_VerifyDigestDirect(&hash_item, good_pub.get(), &sig_item,
+ SEC_OID_PKCS1_RSA_ENCRYPTION, SEC_OID_SHA512,
+ nullptr);
+ EXPECT_EQ(SECSuccess, rv);
+}
+
+TEST(RsaPkcs1Test, RequireNullParameter) {
+ // The test vectors may be verified with:
+ //
+ // openssl rsautl -keyform der -pubin -inkey spki.bin -in sig.bin | der2ascii
+ // openssl rsautl -keyform der -pubin -inkey spki.bin -in sig2.bin | der2ascii
+
+ // Import public key.
+ SECItem spki_item = {siBuffer, toUcharPtr(kSpki), sizeof(kSpki)};
+ ScopedCERTSubjectPublicKeyInfo cert_spki(
+ SECKEY_DecodeDERSubjectPublicKeyInfo(&spki_item));
+ ASSERT_TRUE(cert_spki);
+ ScopedSECKEYPublicKey pub_key(SECKEY_ExtractPublicKey(cert_spki.get()));
+ ASSERT_TRUE(pub_key);
+
+ SECItem hash = {siBuffer, toUcharPtr(kHash), sizeof(kHash)};
+
+ // kSignature is a valid signature.
+ SECItem sig_item = {siBuffer, toUcharPtr(kSignature), sizeof(kSignature)};
+ SECStatus rv = VFY_VerifyDigestDirect(&hash, pub_key.get(), &sig_item,
+ SEC_OID_PKCS1_RSA_ENCRYPTION,
+ SEC_OID_SHA256, nullptr);
+ EXPECT_EQ(SECSuccess, rv);
+
+ // kSignatureInvalid is not.
+ sig_item = {siBuffer, toUcharPtr(kSignatureInvalid),
+ sizeof(kSignatureInvalid)};
+ rv = VFY_VerifyDigestDirect(&hash, pub_key.get(), &sig_item,
+ SEC_OID_PKCS1_RSA_ENCRYPTION, SEC_OID_SHA256,
+ nullptr);
+#ifdef NSS_PKCS1_AllowMissingParameters
+ EXPECT_EQ(SECSuccess, rv);
+#else
+ EXPECT_EQ(SECFailure, rv);
+#endif
+}
+
+TEST_P(Pkcs11RsaPkcs1WycheproofTest, Verify) {
+ /* Using VFY_ interface */
+ Verify1(GetParam());
+ /* Using PKCS #11 interface */
+ setSkipRaw(true);
+ Verify(GetParam());
+}
+
+INSTANTIATE_TEST_SUITE_P(
+ Wycheproof2048RsaSignatureSha224Test, Pkcs11RsaPkcs1WycheproofTest,
+ ::testing::ValuesIn(kRsaSignature2048Sha224WycheproofVectors));
+
+INSTANTIATE_TEST_SUITE_P(
+ Wycheproof2048RsaSignatureSha256Test, Pkcs11RsaPkcs1WycheproofTest,
+ ::testing::ValuesIn(kRsaSignature2048Sha256WycheproofVectors));
+
+INSTANTIATE_TEST_SUITE_P(
+ Wycheproof2048RsaSignatureSha512Test, Pkcs11RsaPkcs1WycheproofTest,
+ ::testing::ValuesIn(kRsaSignature2048Sha512WycheproofVectors));
+
+INSTANTIATE_TEST_SUITE_P(
+ Wycheproof3072RsaSignatureSha256Test, Pkcs11RsaPkcs1WycheproofTest,
+ ::testing::ValuesIn(kRsaSignature3072Sha256WycheproofVectors));
+
+INSTANTIATE_TEST_SUITE_P(
+ Wycheproof3072RsaSignatureSha384Test, Pkcs11RsaPkcs1WycheproofTest,
+ ::testing::ValuesIn(kRsaSignature3072Sha384WycheproofVectors));
+
+INSTANTIATE_TEST_SUITE_P(
+ Wycheproof3072RsaSignatureSha512Test, Pkcs11RsaPkcs1WycheproofTest,
+ ::testing::ValuesIn(kRsaSignature3072Sha512WycheproofVectors));
+
+INSTANTIATE_TEST_SUITE_P(
+ Wycheproof4096RsaSignatureSha384Test, Pkcs11RsaPkcs1WycheproofTest,
+ ::testing::ValuesIn(kRsaSignature4096Sha384WycheproofVectors));
+
+INSTANTIATE_TEST_SUITE_P(
+ Wycheproof4096RsaSignatureSha512Test, Pkcs11RsaPkcs1WycheproofTest,
+ ::testing::ValuesIn(kRsaSignature4096Sha512WycheproofVectors));
+
+INSTANTIATE_TEST_SUITE_P(WycheproofRsaSignatureTest,
+ Pkcs11RsaPkcs1WycheproofTest,
+ ::testing::ValuesIn(kRsaSignatureWycheproofVectors));
+
+} // namespace nss_test
generated by cgit v1.2.3 (git 2.39.1) at 2025-01-23 16:03:37 +0000