diff options
Diffstat (limited to 'security/nss/gtests/pk11_gtest/pk11_rsaoaep_unittest.cc')
| -rw-r--r-- | security/nss/gtests/pk11_gtest/pk11_rsaoaep_unittest.cc | 203 |
1 files changed, 203 insertions, 0 deletions
diff --git a/security/nss/gtests/pk11_gtest/pk11_rsaoaep_unittest.cc b/security/nss/gtests/pk11_gtest/pk11_rsaoaep_unittest.cc new file mode 100644 index 0000000000..82f3f9fb89 --- /dev/null +++ b/security/nss/gtests/pk11_gtest/pk11_rsaoaep_unittest.cc @@ -0,0 +1,203 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this file, + * You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include <stdint.h> + +#include "cpputil.h" +#include "cryptohi.h" +#include "gtest/gtest.h" +#include "limits.h" +#include "nss.h" +#include "nss_scoped_ptrs.h" +#include "pk11pub.h" + +#include "testvectors/rsa_oaep_2048_sha1_mgf1sha1-vectors.h" +#include "testvectors/rsa_oaep_2048_sha256_mgf1sha1-vectors.h" +#include "testvectors/rsa_oaep_2048_sha256_mgf1sha256-vectors.h" +#include "testvectors/rsa_oaep_2048_sha384_mgf1sha1-vectors.h" +#include "testvectors/rsa_oaep_2048_sha384_mgf1sha384-vectors.h" +#include "testvectors/rsa_oaep_2048_sha512_mgf1sha1-vectors.h" +#include "testvectors/rsa_oaep_2048_sha512_mgf1sha512-vectors.h" + +namespace nss_test { + +class RsaOaepWycheproofTest + : public ::testing::TestWithParam<RsaOaepTestVectorStr> { + protected: + void TestDecrypt(const RsaOaepTestVectorStr vec) { + SECItem pkcs8_item = {siBuffer, toUcharPtr(vec.priv_key.data()), + static_cast<unsigned int>(vec.priv_key.size())}; + + ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot()); + EXPECT_NE(nullptr, slot); + + SECKEYPrivateKey* key = nullptr; + SECStatus rv = PK11_ImportDERPrivateKeyInfoAndReturnKey( + slot.get(), &pkcs8_item, nullptr, nullptr, false, false, KU_ALL, &key, + nullptr); + ASSERT_EQ(SECSuccess, rv); + ASSERT_NE(nullptr, key); + ScopedSECKEYPrivateKey priv_key(key); + + // Set up the OAEP parameters. + CK_RSA_PKCS_OAEP_PARAMS oaepParams; + oaepParams.source = CKZ_DATA_SPECIFIED; + oaepParams.pSourceData = const_cast<unsigned char*>(vec.label.data()); + oaepParams.ulSourceDataLen = vec.label.size(); + oaepParams.mgf = vec.mgf_hash; + oaepParams.hashAlg = HashOidToHashMech(vec.hash_oid); + SECItem params_item = {siBuffer, + toUcharPtr(reinterpret_cast<uint8_t*>(&oaepParams)), + static_cast<unsigned int>(sizeof(oaepParams))}; + // Decrypt. + std::vector<uint8_t> decrypted(PR_MAX(1, vec.ct.size())); + unsigned int decrypted_len = 0; + rv = PK11_PrivDecrypt(priv_key.get(), CKM_RSA_PKCS_OAEP, ¶ms_item, + decrypted.data(), &decrypted_len, decrypted.size(), + vec.ct.data(), vec.ct.size()); + + if (vec.valid) { + EXPECT_EQ(SECSuccess, rv); + decrypted.resize(decrypted_len); + EXPECT_EQ(vec.msg, decrypted); + } else { + EXPECT_EQ(SECFailure, rv); + } + }; + + private: + inline CK_MECHANISM_TYPE HashOidToHashMech(SECOidTag hash_oid) { + switch (hash_oid) { + case SEC_OID_SHA1: + return CKM_SHA_1; + case SEC_OID_SHA224: + return CKM_SHA224; + case SEC_OID_SHA256: + return CKM_SHA256; + case SEC_OID_SHA384: + return CKM_SHA384; + case SEC_OID_SHA512: + return CKM_SHA512; + default: + ADD_FAILURE(); + } + return CKM_INVALID_MECHANISM; + } +}; + +TEST_P(RsaOaepWycheproofTest, OaepDecrypt) { TestDecrypt(GetParam()); } + +INSTANTIATE_TEST_SUITE_P( + WycheproofRsa2048Sha1OaepTest, RsaOaepWycheproofTest, + ::testing::ValuesIn(kRsaOaep2048Sha1WycheproofVectors)); + +INSTANTIATE_TEST_SUITE_P( + WycheproofOaep2048Sha256Sha1Test, RsaOaepWycheproofTest, + ::testing::ValuesIn(kRsaOaep2048Sha256Mgf1Sha1WycheproofVectors)); + +INSTANTIATE_TEST_SUITE_P( + WycheproofOaep2048Sha256Sha256Test, RsaOaepWycheproofTest, + ::testing::ValuesIn(kRsaOaep2048Sha256Mgf1Sha256WycheproofVectors)); + +INSTANTIATE_TEST_SUITE_P( + WycheproofOaep2048Sha384Sha1Test, RsaOaepWycheproofTest, + ::testing::ValuesIn(kRsaOaep2048Sha384Mgf1Sha1WycheproofVectors)); + +INSTANTIATE_TEST_SUITE_P( + WycheproofOaep2048Sha384Sha384Test, RsaOaepWycheproofTest, + ::testing::ValuesIn(kRsaOaep2048Sha384Mgf1Sha384WycheproofVectors)); + +INSTANTIATE_TEST_SUITE_P( + WycheproofOaep2048Sha512Sha1Test, RsaOaepWycheproofTest, + ::testing::ValuesIn(kRsaOaep2048Sha512Mgf1Sha1WycheproofVectors)); + +INSTANTIATE_TEST_SUITE_P( + WycheproofOaep2048Sha512Sha512Test, RsaOaepWycheproofTest, + ::testing::ValuesIn(kRsaOaep2048Sha512Mgf1Sha512WycheproofVectors)); + +TEST(Pkcs11RsaOaepTest, TestOaepWrapUnwrap) { + const size_t kRsaKeyBits = 2048; + const size_t kwrappedBufLen = 4096; + + SECStatus rv = SECFailure; + + ScopedSECKEYPrivateKey priv; + ScopedSECKEYPublicKey pub; + PK11RSAGenParams rsa_params; + rsa_params.keySizeInBits = kRsaKeyBits; + rsa_params.pe = 65537; + + ScopedPK11SlotInfo slot(PK11_GetInternalSlot()); + ASSERT_NE(slot, nullptr); + + SECKEYPublicKey* p_pub_tmp = nullptr; + priv.reset(PK11_GenerateKeyPair(slot.get(), CKM_RSA_PKCS_KEY_PAIR_GEN, + &rsa_params, &p_pub_tmp, false, false, + nullptr)); + pub.reset(p_pub_tmp); + + ASSERT_NE(priv.get(), nullptr); + ASSERT_NE(pub.get(), nullptr); + + ScopedPK11SymKey to_wrap( + PK11_KeyGen(slot.get(), CKM_AES_CBC, nullptr, 16, nullptr)); + + CK_RSA_PKCS_OAEP_PARAMS oaep_params = {CKM_SHA256, CKG_MGF1_SHA256, + CKZ_DATA_SPECIFIED, NULL, 0}; + + SECItem param = {siBuffer, (unsigned char*)&oaep_params, sizeof(oaep_params)}; + + ScopedSECItem wrapped(SECITEM_AllocItem(nullptr, nullptr, kwrappedBufLen)); + rv = PK11_PubWrapSymKeyWithMechanism(pub.get(), CKM_RSA_PKCS_OAEP, ¶m, + to_wrap.get(), wrapped.get()); + ASSERT_EQ(rv, SECSuccess); + + PK11SymKey* p_unwrapped_tmp = nullptr; + + // Extract key's value in order to validate decryption worked. + rv = PK11_ExtractKeyValue(to_wrap.get()); + ASSERT_EQ(rv, SECSuccess); + + // References owned by PKCS#11 layer; no need to scope and free. + SECItem* expectedItem = PK11_GetKeyData(to_wrap.get()); + + // This assumes CKM_RSA_PKCS and doesn't understand OAEP. + // CKM_RSA_PKCS cannot safely return errors, however, as it can lead + // to Bleichenbacher-like attacks. To solve this there's a new definition + // that generates fake key material based on the message and private key. + // This returned key material will not be the key we were expecting, so + // make sure that's the case: + p_unwrapped_tmp = PK11_PubUnwrapSymKey(priv.get(), wrapped.get(), CKM_AES_CBC, + CKA_DECRYPT, 16); + // As long as the wrapped data is the same length as the key + // (which it should be), then CKM_RSA_PKCS should not fail. + ASSERT_NE(p_unwrapped_tmp, nullptr); + ScopedPK11SymKey fakeUnwrapped; + fakeUnwrapped.reset(p_unwrapped_tmp); + rv = PK11_ExtractKeyValue(fakeUnwrapped.get()); + ASSERT_EQ(rv, SECSuccess); + + // References owned by PKCS#11 layer; no need to scope and free. + SECItem* fakeItem = PK11_GetKeyData(fakeUnwrapped.get()); + ASSERT_NE(SECITEM_CompareItem(fakeItem, expectedItem), 0); + + ScopedPK11SymKey unwrapped; + p_unwrapped_tmp = PK11_PubUnwrapSymKeyWithMechanism( + priv.get(), CKM_RSA_PKCS_OAEP, ¶m, wrapped.get(), CKM_AES_CBC, + CKA_DECRYPT, 16); + ASSERT_NE(p_unwrapped_tmp, nullptr); + + unwrapped.reset(p_unwrapped_tmp); + + rv = PK11_ExtractKeyValue(unwrapped.get()); + ASSERT_EQ(rv, SECSuccess); + + // References owned by PKCS#11 layer; no need to scope and free. + SECItem* actualItem = PK11_GetKeyData(unwrapped.get()); + + ASSERT_EQ(SECITEM_CompareItem(actualItem, expectedItem), 0); +} +} // namespace nss_test |