/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ /* vim: set ts=2 et sw=2 tw=80: */ /* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this file, * You can obtain one at http://mozilla.org/MPL/2.0/. */ #include #include #include "cryptohi.h" #include "cpputil.h" #include "databuffer.h" #include "gtest/gtest.h" #include "nss.h" #include "nss_scoped_ptrs.h" #include "pk11pub.h" #include "secerr.h" #include "sechash.h" #include "pk11_signature_test.h" #include "testvectors/rsa_signature_2048_sha224-vectors.h" #include "testvectors/rsa_signature_2048_sha256-vectors.h" #include "testvectors/rsa_signature_2048_sha512-vectors.h" #include "testvectors/rsa_signature_3072_sha256-vectors.h" #include "testvectors/rsa_signature_3072_sha384-vectors.h" #include "testvectors/rsa_signature_3072_sha512-vectors.h" #include "testvectors/rsa_signature_4096_sha384-vectors.h" #include "testvectors/rsa_signature_4096_sha512-vectors.h" #include "testvectors/rsa_signature-vectors.h" namespace nss_test { CK_MECHANISM_TYPE RsaHashToComboMech(SECOidTag hash) { switch (hash) { case SEC_OID_SHA1: return CKM_SHA1_RSA_PKCS; case SEC_OID_SHA224: return CKM_SHA224_RSA_PKCS; case SEC_OID_SHA256: return CKM_SHA256_RSA_PKCS; case SEC_OID_SHA384: return CKM_SHA384_RSA_PKCS; case SEC_OID_SHA512: return CKM_SHA512_RSA_PKCS; default: break; } return CKM_INVALID_MECHANISM; } class Pkcs11RsaBaseTest : public Pk11SignatureTest { protected: Pkcs11RsaBaseTest(SECOidTag hashOid) : Pk11SignatureTest(CKM_RSA_PKCS, hashOid, RsaHashToComboMech(hashOid)) {} void Verify(const RsaSignatureTestVector vec) { Pkcs11SignatureTestParams params = { DataBuffer(), DataBuffer(vec.public_key.data(), vec.public_key.size()), DataBuffer(vec.msg.data(), vec.msg.size()), DataBuffer(vec.sig.data(), vec.sig.size())}; Pk11SignatureTest::Verify(params, (bool)vec.valid); } }; class Pkcs11RsaPkcs1WycheproofTest : public Pkcs11RsaBaseTest, public ::testing::WithParamInterface { public: Pkcs11RsaPkcs1WycheproofTest() : Pkcs11RsaBaseTest(GetParam().hash_oid) {} protected: void Verify1(const RsaSignatureTestVector vec) { SECItem spki_item = {siBuffer, toUcharPtr(vec.public_key.data()), static_cast(vec.public_key.size())}; ScopedCERTSubjectPublicKeyInfo cert_spki( SECKEY_DecodeDERSubjectPublicKeyInfo(&spki_item)); ASSERT_TRUE(cert_spki); ScopedSECKEYPublicKey pub_key(SECKEY_ExtractPublicKey(cert_spki.get())); ASSERT_TRUE(pub_key); DataBuffer hash; hash.Allocate(static_cast(HASH_ResultLenByOidTag(vec.hash_oid))); SECStatus rv = PK11_HashBuf(vec.hash_oid, toUcharPtr(hash.data()), toUcharPtr(vec.msg.data()), vec.msg.size()); ASSERT_EQ(rv, SECSuccess); // Verify. SECItem hash_item = {siBuffer, toUcharPtr(hash.data()), static_cast(hash.len())}; SECItem sig_item = {siBuffer, toUcharPtr(vec.sig.data()), static_cast(vec.sig.size())}; rv = VFY_VerifyDigestDirect(&hash_item, pub_key.get(), &sig_item, SEC_OID_PKCS1_RSA_ENCRYPTION, vec.hash_oid, nullptr); EXPECT_EQ(rv, vec.valid ? SECSuccess : SECFailure); }; }; /* Test that PKCS #1 v1.5 verification requires a minimum of 8B * of padding, per-RFC3447. The padding formula is * `pad_len = em_len - t_len - 3`, where em_len is the octet length * of the RSA modulus and t_len is the length of the `DigestInfo || * Hash(message)` sequence. For SHA512, t_len is 83. We'll tweak the * modulus size to test with a pad_len of 8 (valid) and 6 (invalid): * em_len = `8 + 83 + 3` = `94*8` = 752b * em_len = `6 + 83 + 3` = `92*8` = 736b * Use 6 as the invalid value since modLen % 16 must be zero. */ TEST(RsaPkcs1Test, Pkcs1MinimumPadding) { const size_t kRsaShortKeyBits = 736; const size_t kRsaKeyBits = 752; static const std::vector kMsg{'T', 'E', 'S', 'T'}; static const std::vector kSha512DigestInfo{ 0x30, 0x51, 0x30, 0x0D, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40}; static const std::vector kMsgSha512{ 0x7B, 0xFA, 0x95, 0xA6, 0x88, 0x92, 0x4C, 0x47, 0xC7, 0xD2, 0x23, 0x81, 0xF2, 0x0C, 0xC9, 0x26, 0xF5, 0x24, 0xBE, 0xAC, 0xB1, 0x3F, 0x84, 0xE2, 0x03, 0xD4, 0xBD, 0x8C, 0xB6, 0xBA, 0x2F, 0xCE, 0x81, 0xC5, 0x7A, 0x5F, 0x05, 0x9B, 0xF3, 0xD5, 0x09, 0x92, 0x64, 0x87, 0xBD, 0xE9, 0x25, 0xB3, 0xBC, 0xEE, 0x06, 0x35, 0xE4, 0xF7, 0xBA, 0xEB, 0xA0, 0x54, 0xE5, 0xDB, 0xA6, 0x96, 0xB2, 0xBF}; ScopedSECKEYPrivateKey short_priv, good_priv; ScopedSECKEYPublicKey short_pub, good_pub; PK11RSAGenParams rsa_params; rsa_params.keySizeInBits = kRsaShortKeyBits; rsa_params.pe = 65537; ScopedPK11SlotInfo slot(PK11_GetInternalSlot()); ASSERT_TRUE(slot); SECKEYPublicKey* p_pub_tmp = nullptr; short_priv.reset(PK11_GenerateKeyPair(slot.get(), CKM_RSA_PKCS_KEY_PAIR_GEN, &rsa_params, &p_pub_tmp, false, false, nullptr)); short_pub.reset(p_pub_tmp); rsa_params.keySizeInBits = kRsaKeyBits; good_priv.reset(PK11_GenerateKeyPair(slot.get(), CKM_RSA_PKCS_KEY_PAIR_GEN, &rsa_params, &p_pub_tmp, false, false, nullptr)); good_pub.reset(p_pub_tmp); size_t em_len = kRsaShortKeyBits / 8; size_t t_len = kSha512DigestInfo.size() + kMsgSha512.size(); size_t pad_len = em_len - t_len - 3; ASSERT_EQ(6U, pad_len); std::vector invalid_pkcs; invalid_pkcs.push_back(0x00); invalid_pkcs.push_back(0x01); invalid_pkcs.insert(invalid_pkcs.end(), pad_len, 0xff); invalid_pkcs.insert(invalid_pkcs.end(), 1, 0x00); invalid_pkcs.insert(invalid_pkcs.end(), kSha512DigestInfo.begin(), kSha512DigestInfo.end()); invalid_pkcs.insert(invalid_pkcs.end(), kMsgSha512.begin(), kMsgSha512.end()); ASSERT_EQ(em_len, invalid_pkcs.size()); // Sign it indirectly. Signing functions check for a proper pad_len. std::vector sig(em_len); uint32_t sig_len; SECStatus rv = PK11_PubDecryptRaw(short_priv.get(), sig.data(), &sig_len, sig.size(), invalid_pkcs.data(), invalid_pkcs.size()); EXPECT_EQ(SECSuccess, rv); // Verify it. DataBuffer hash; hash.Allocate(static_cast(HASH_ResultLenByOidTag(SEC_OID_SHA512))); rv = PK11_HashBuf(SEC_OID_SHA512, toUcharPtr(hash.data()), toUcharPtr(kMsg.data()), kMsg.size()); ASSERT_EQ(rv, SECSuccess); SECItem hash_item = {siBuffer, toUcharPtr(hash.data()), static_cast(hash.len())}; SECItem sig_item = {siBuffer, toUcharPtr(sig.data()), sig_len}; rv = VFY_VerifyDigestDirect(&hash_item, short_pub.get(), &sig_item, SEC_OID_PKCS1_RSA_ENCRYPTION, SEC_OID_SHA512, nullptr); EXPECT_EQ(SECFailure, rv); EXPECT_EQ(SEC_ERROR_BAD_SIGNATURE, PORT_GetError()); // Repeat the test with the sufficiently-long key. em_len = kRsaKeyBits / 8; t_len = kSha512DigestInfo.size() + kMsgSha512.size(); pad_len = em_len - t_len - 3; ASSERT_EQ(8U, pad_len); std::vector valid_pkcs; valid_pkcs.push_back(0x00); valid_pkcs.push_back(0x01); valid_pkcs.insert(valid_pkcs.end(), pad_len, 0xff); valid_pkcs.insert(valid_pkcs.end(), 1, 0x00); valid_pkcs.insert(valid_pkcs.end(), kSha512DigestInfo.begin(), kSha512DigestInfo.end()); valid_pkcs.insert(valid_pkcs.end(), kMsgSha512.begin(), kMsgSha512.end()); ASSERT_EQ(em_len, valid_pkcs.size()); // Sign it the same way as above (even though we could use sign APIs now). sig.resize(em_len); rv = PK11_PubDecryptRaw(good_priv.get(), sig.data(), &sig_len, sig.size(), valid_pkcs.data(), valid_pkcs.size()); EXPECT_EQ(SECSuccess, rv); // Verify it. sig_item = {siBuffer, toUcharPtr(sig.data()), sig_len}; rv = VFY_VerifyDigestDirect(&hash_item, good_pub.get(), &sig_item, SEC_OID_PKCS1_RSA_ENCRYPTION, SEC_OID_SHA512, nullptr); EXPECT_EQ(SECSuccess, rv); } TEST(RsaPkcs1Test, RequireNullParameter) { // The test vectors may be verified with: // // openssl rsautl -keyform der -pubin -inkey spki.bin -in sig.bin | der2ascii // openssl rsautl -keyform der -pubin -inkey spki.bin -in sig2.bin | der2ascii // Import public key. SECItem spki_item = {siBuffer, toUcharPtr(kSpki), sizeof(kSpki)}; ScopedCERTSubjectPublicKeyInfo cert_spki( SECKEY_DecodeDERSubjectPublicKeyInfo(&spki_item)); ASSERT_TRUE(cert_spki); ScopedSECKEYPublicKey pub_key(SECKEY_ExtractPublicKey(cert_spki.get())); ASSERT_TRUE(pub_key); SECItem hash = {siBuffer, toUcharPtr(kHash), sizeof(kHash)}; // kSignature is a valid signature. SECItem sig_item = {siBuffer, toUcharPtr(kSignature), sizeof(kSignature)}; SECStatus rv = VFY_VerifyDigestDirect(&hash, pub_key.get(), &sig_item, SEC_OID_PKCS1_RSA_ENCRYPTION, SEC_OID_SHA256, nullptr); EXPECT_EQ(SECSuccess, rv); // kSignatureInvalid is not. sig_item = {siBuffer, toUcharPtr(kSignatureInvalid), sizeof(kSignatureInvalid)}; rv = VFY_VerifyDigestDirect(&hash, pub_key.get(), &sig_item, SEC_OID_PKCS1_RSA_ENCRYPTION, SEC_OID_SHA256, nullptr); #ifdef NSS_PKCS1_AllowMissingParameters EXPECT_EQ(SECSuccess, rv); #else EXPECT_EQ(SECFailure, rv); #endif } TEST_P(Pkcs11RsaPkcs1WycheproofTest, Verify) { /* Using VFY_ interface */ Verify1(GetParam()); /* Using PKCS #11 interface */ setSkipRaw(true); Verify(GetParam()); } INSTANTIATE_TEST_SUITE_P( Wycheproof2048RsaSignatureSha224Test, Pkcs11RsaPkcs1WycheproofTest, ::testing::ValuesIn(kRsaSignature2048Sha224WycheproofVectors)); INSTANTIATE_TEST_SUITE_P( Wycheproof2048RsaSignatureSha256Test, Pkcs11RsaPkcs1WycheproofTest, ::testing::ValuesIn(kRsaSignature2048Sha256WycheproofVectors)); INSTANTIATE_TEST_SUITE_P( Wycheproof2048RsaSignatureSha512Test, Pkcs11RsaPkcs1WycheproofTest, ::testing::ValuesIn(kRsaSignature2048Sha512WycheproofVectors)); INSTANTIATE_TEST_SUITE_P( Wycheproof3072RsaSignatureSha256Test, Pkcs11RsaPkcs1WycheproofTest, ::testing::ValuesIn(kRsaSignature3072Sha256WycheproofVectors)); INSTANTIATE_TEST_SUITE_P( Wycheproof3072RsaSignatureSha384Test, Pkcs11RsaPkcs1WycheproofTest, ::testing::ValuesIn(kRsaSignature3072Sha384WycheproofVectors)); INSTANTIATE_TEST_SUITE_P( Wycheproof3072RsaSignatureSha512Test, Pkcs11RsaPkcs1WycheproofTest, ::testing::ValuesIn(kRsaSignature3072Sha512WycheproofVectors)); INSTANTIATE_TEST_SUITE_P( Wycheproof4096RsaSignatureSha384Test, Pkcs11RsaPkcs1WycheproofTest, ::testing::ValuesIn(kRsaSignature4096Sha384WycheproofVectors)); INSTANTIATE_TEST_SUITE_P( Wycheproof4096RsaSignatureSha512Test, Pkcs11RsaPkcs1WycheproofTest, ::testing::ValuesIn(kRsaSignature4096Sha512WycheproofVectors)); INSTANTIATE_TEST_SUITE_P(WycheproofRsaSignatureTest, Pkcs11RsaPkcs1WycheproofTest, ::testing::ValuesIn(kRsaSignatureWycheproofVectors)); } // namespace nss_test