commit
78e367895a
@ -24,6 +24,10 @@ int main(void)
|
||||
printf("\nmodes_test...."); fflush(stdout); x = modes_test(); printf(x ? "failed" : "passed");if (x) exit(EXIT_FAILURE);
|
||||
printf("\nder_test......"); fflush(stdout); x = der_tests(); printf(x ? "failed" : "passed");if (x) exit(EXIT_FAILURE);
|
||||
printf("\npkcs_1_test..."); fflush(stdout); x = pkcs_1_test(); printf(x ? "failed" : "passed");if (x) exit(EXIT_FAILURE);
|
||||
printf("\npkcs_1_pss_test...."); fflush(stdout); x = pkcs_1_pss_test(); printf(x ? "failed" : "passed");if (x) exit(EXIT_FAILURE);
|
||||
printf("\npkcs_1_oaep_test...."); fflush(stdout); x = pkcs_1_oaep_test(); printf(x ? "failed" : "passed");if (x) exit(EXIT_FAILURE);
|
||||
printf("\npkcs_1_emsa_test...."); fflush(stdout); x = pkcs_1_emsa_test(); printf(x ? "failed" : "passed");if (x) exit(EXIT_FAILURE);
|
||||
printf("\npkcs_1_eme_test...."); fflush(stdout); x = pkcs_1_eme_test(); printf(x ? "failed" : "passed");if (x) exit(EXIT_FAILURE);
|
||||
printf("\nrsa_test......"); fflush(stdout); x = rsa_test(); printf(x ? "failed" : "passed");if (x) exit(EXIT_FAILURE);
|
||||
printf("\ndh_test......."); fflush(stdout); x = dh_test(); printf(x ? "failed" : "passed");if (x) exit(EXIT_FAILURE);
|
||||
printf("\necc_test......"); fflush(stdout); x = ecc_tests(); printf(x ? "failed" : "passed");if (x) exit(EXIT_FAILURE);
|
||||
|
11
notes/rsa-testvectors/makefile
Normal file
11
notes/rsa-testvectors/makefile
Normal file
@ -0,0 +1,11 @@
|
||||
default: regen
|
||||
|
||||
clean:
|
||||
rm -f *.c
|
||||
|
||||
regen:
|
||||
python rt.py pss-vect.txt pss > pss-vect.c
|
||||
python rt.py oaep-vect.txt oaep > oaep-vect.c
|
||||
python rt.py pkcs1v15sign-vectors.txt emsa > pkcs1v15sign-vectors.c
|
||||
python rt.py pkcs1v15crypt-vectors.txt eme > pkcs1v15crypt-vectors.c
|
||||
|
369
notes/rsa-testvectors/oaep-int.txt
Executable file
369
notes/rsa-testvectors/oaep-int.txt
Executable file
@ -0,0 +1,369 @@
|
||||
# =================================
|
||||
# WORKED-OUT EXAMPLE FOR RSAES-OAEP
|
||||
# =================================
|
||||
#
|
||||
# This file gives an example of the process of
|
||||
# encrypting and decrypting a message with
|
||||
# RSAES-OAEP as specified in PKCS #1 v2.1.
|
||||
#
|
||||
# The message is a bit string of length 128,
|
||||
# while the size of the modulus in the public
|
||||
# key is 1024 bits. The second representation
|
||||
# of the private key is used, which means that
|
||||
# CRT is applied in the decryption process.
|
||||
#
|
||||
# The underlying hash function is SHA-1; the
|
||||
# mask generation function is MGF1 with SHA-1
|
||||
# as specified in PKCS #1 v2.1.
|
||||
#
|
||||
# This file also contains a demonstration of
|
||||
# the RSADP decryption primitive with CRT.
|
||||
# Finally, DER encodings of the RSA keys are
|
||||
# given at the end of the file.
|
||||
#
|
||||
#
|
||||
# Integers are represented by strings of octets
|
||||
# with the leftmost octet being the most
|
||||
# significant octet. For example,
|
||||
#
|
||||
# 9,202,000 = (0x)8c 69 50.
|
||||
#
|
||||
# =============================================
|
||||
|
||||
# ------------------------------
|
||||
# Components of the RSA Key Pair
|
||||
# ------------------------------
|
||||
|
||||
# RSA modulus n:
|
||||
bb f8 2f 09 06 82 ce 9c 23 38 ac 2b 9d a8 71 f7
|
||||
36 8d 07 ee d4 10 43 a4 40 d6 b6 f0 74 54 f5 1f
|
||||
b8 df ba af 03 5c 02 ab 61 ea 48 ce eb 6f cd 48
|
||||
76 ed 52 0d 60 e1 ec 46 19 71 9d 8a 5b 8b 80 7f
|
||||
af b8 e0 a3 df c7 37 72 3e e6 b4 b7 d9 3a 25 84
|
||||
ee 6a 64 9d 06 09 53 74 88 34 b2 45 45 98 39 4e
|
||||
e0 aa b1 2d 7b 61 a5 1f 52 7a 9a 41 f6 c1 68 7f
|
||||
e2 53 72 98 ca 2a 8f 59 46 f8 e5 fd 09 1d bd cb
|
||||
|
||||
# RSA public exponent e:
|
||||
(0x)11
|
||||
|
||||
# Prime p:
|
||||
ee cf ae 81 b1 b9 b3 c9 08 81 0b 10 a1 b5 60 01
|
||||
99 eb 9f 44 ae f4 fd a4 93 b8 1a 9e 3d 84 f6 32
|
||||
12 4e f0 23 6e 5d 1e 3b 7e 28 fa e7 aa 04 0a 2d
|
||||
5b 25 21 76 45 9d 1f 39 75 41 ba 2a 58 fb 65 99
|
||||
|
||||
# Prime q:
|
||||
c9 7f b1 f0 27 f4 53 f6 34 12 33 ea aa d1 d9 35
|
||||
3f 6c 42 d0 88 66 b1 d0 5a 0f 20 35 02 8b 9d 86
|
||||
98 40 b4 16 66 b4 2e 92 ea 0d a3 b4 32 04 b5 cf
|
||||
ce 33 52 52 4d 04 16 a5 a4 41 e7 00 af 46 15 03
|
||||
|
||||
# p's CRT exponent dP:
|
||||
54 49 4c a6 3e ba 03 37 e4 e2 40 23 fc d6 9a 5a
|
||||
eb 07 dd dc 01 83 a4 d0 ac 9b 54 b0 51 f2 b1 3e
|
||||
d9 49 09 75 ea b7 74 14 ff 59 c1 f7 69 2e 9a 2e
|
||||
20 2b 38 fc 91 0a 47 41 74 ad c9 3c 1f 67 c9 81
|
||||
|
||||
# q's CRT exponent dQ:
|
||||
47 1e 02 90 ff 0a f0 75 03 51 b7 f8 78 86 4c a9
|
||||
61 ad bd 3a 8a 7e 99 1c 5c 05 56 a9 4c 31 46 a7
|
||||
f9 80 3f 8f 6f 8a e3 42 e9 31 fd 8a e4 7a 22 0d
|
||||
1b 99 a4 95 84 98 07 fe 39 f9 24 5a 98 36 da 3d
|
||||
|
||||
# CRT coefficient qInv:
|
||||
b0 6c 4f da bb 63 01 19 8d 26 5b db ae 94 23 b3
|
||||
80 f2 71 f7 34 53 88 50 93 07 7f cd 39 e2 11 9f
|
||||
c9 86 32 15 4f 58 83 b1 67 a9 67 bf 40 2b 4e 9e
|
||||
2e 0f 96 56 e6 98 ea 36 66 ed fb 25 79 80 39 f7
|
||||
|
||||
# ----------------------------------
|
||||
# Step-by-step RSAES-OAEP Encryption
|
||||
# ----------------------------------
|
||||
|
||||
# Message M to be encrypted:
|
||||
d4 36 e9 95 69 fd 32 a7 c8 a0 5b bc 90 d3 2c 49
|
||||
|
||||
# Label L:
|
||||
(the empty string)
|
||||
|
||||
# lHash = Hash(L)
|
||||
# DB = lHash || Padding || M
|
||||
# seed = random string of octets
|
||||
# dbMask = MGF(seed, length(DB))
|
||||
# maskedDB = DB xor dbMask
|
||||
# seedMask = MGF(maskedDB, length(seed))
|
||||
# maskedSeed = seed xor seedMask
|
||||
# EM = 0x00 || maskedSeed || maskedDB
|
||||
|
||||
# lHash:
|
||||
da 39 a3 ee 5e 6b 4b 0d 32 55 bf ef 95 60 18 90
|
||||
af d8 07 09
|
||||
|
||||
# DB:
|
||||
da 39 a3 ee 5e 6b 4b 0d 32 55 bf ef 95 60 18 90
|
||||
af d8 07 09 00 00 00 00 00 00 00 00 00 00 00 00
|
||||
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
||||
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
||||
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
||||
00 00 00 00 00 00 00 00 00 00 01 d4 36 e9 95 69
|
||||
fd 32 a7 c8 a0 5b bc 90 d3 2c 49
|
||||
|
||||
# seed:
|
||||
aa fd 12 f6 59 ca e6 34 89 b4 79 e5 07 6d de c2
|
||||
f0 6c b5 8f
|
||||
|
||||
# dbMask:
|
||||
06 e1 de b2 36 9a a5 a5 c7 07 d8 2c 8e 4e 93 24
|
||||
8a c7 83 de e0 b2 c0 46 26 f5 af f9 3e dc fb 25
|
||||
c9 c2 b3 ff 8a e1 0e 83 9a 2d db 4c dc fe 4f f4
|
||||
77 28 b4 a1 b7 c1 36 2b aa d2 9a b4 8d 28 69 d5
|
||||
02 41 21 43 58 11 59 1b e3 92 f9 82 fb 3e 87 d0
|
||||
95 ae b4 04 48 db 97 2f 3a c1 4e af f4 9c 8c 3b
|
||||
7c fc 95 1a 51 ec d1 dd e6 12 64
|
||||
|
||||
# maskedDB:
|
||||
dc d8 7d 5c 68 f1 ee a8 f5 52 67 c3 1b 2e 8b b4
|
||||
25 1f 84 d7 e0 b2 c0 46 26 f5 af f9 3e dc fb 25
|
||||
c9 c2 b3 ff 8a e1 0e 83 9a 2d db 4c dc fe 4f f4
|
||||
77 28 b4 a1 b7 c1 36 2b aa d2 9a b4 8d 28 69 d5
|
||||
02 41 21 43 58 11 59 1b e3 92 f9 82 fb 3e 87 d0
|
||||
95 ae b4 04 48 db 97 2f 3a c1 4f 7b c2 75 19 52
|
||||
81 ce 32 d2 f1 b7 6d 4d 35 3e 2d
|
||||
|
||||
# seedMask:
|
||||
41 87 0b 5a b0 29 e6 57 d9 57 50 b5 4c 28 3c 08
|
||||
72 5d be a9
|
||||
|
||||
# maskedSeed:
|
||||
eb 7a 19 ac e9 e3 00 63 50 e3 29 50 4b 45 e2 ca
|
||||
82 31 0b 26
|
||||
|
||||
# EM = 00 || maskedSeed || maskedDB:
|
||||
00 eb 7a 19 ac e9 e3 00 63 50 e3 29 50 4b 45 e2
|
||||
ca 82 31 0b 26 dc d8 7d 5c 68 f1 ee a8 f5 52 67
|
||||
c3 1b 2e 8b b4 25 1f 84 d7 e0 b2 c0 46 26 f5 af
|
||||
f9 3e dc fb 25 c9 c2 b3 ff 8a e1 0e 83 9a 2d db
|
||||
4c dc fe 4f f4 77 28 b4 a1 b7 c1 36 2b aa d2 9a
|
||||
b4 8d 28 69 d5 02 41 21 43 58 11 59 1b e3 92 f9
|
||||
82 fb 3e 87 d0 95 ae b4 04 48 db 97 2f 3a c1 4f
|
||||
7b c2 75 19 52 81 ce 32 d2 f1 b7 6d 4d 35 3e 2d
|
||||
|
||||
# Ciphertext, the RSA encryption of EM:
|
||||
12 53 e0 4d c0 a5 39 7b b4 4a 7a b8 7e 9b f2 a0
|
||||
39 a3 3d 1e 99 6f c8 2a 94 cc d3 00 74 c9 5d f7
|
||||
63 72 20 17 06 9e 52 68 da 5d 1c 0b 4f 87 2c f6
|
||||
53 c1 1d f8 23 14 a6 79 68 df ea e2 8d ef 04 bb
|
||||
6d 84 b1 c3 1d 65 4a 19 70 e5 78 3b d6 eb 96 a0
|
||||
24 c2 ca 2f 4a 90 fe 9f 2e f5 c9 c1 40 e5 bb 48
|
||||
da 95 36 ad 87 00 c8 4f c9 13 0a de a7 4e 55 8d
|
||||
51 a7 4d df 85 d8 b5 0d e9 68 38 d6 06 3e 09 55
|
||||
|
||||
# --------------------------------------------
|
||||
# Step-by-step RSAES-OAEP Decryption Using CRT
|
||||
# --------------------------------------------
|
||||
|
||||
# c = the integer value of C above
|
||||
# m1 = c^dP mod p = (c mod p)^dP mod p
|
||||
# m2 = c^dQ mod q = (c mod q)^dQ mod q
|
||||
# h = (m1-m2)*qInv mod p
|
||||
# m = m2 + q*h = the integer value of EM above
|
||||
|
||||
# c mod p:
|
||||
de 63 d4 72 35 66 fa a7 59 bf e4 08 82 1d d5 25
|
||||
72 ec 92 85 4d df 87 a2 b6 64 d4 4d aa 37 ca 34
|
||||
6a 05 20 3d 82 ff 2d e8 e3 6c ec 1d 34 f9 8e b6
|
||||
05 e2 a7 d2 6d e7 af 36 9c e4 ec ae 14 e3 56 33
|
||||
|
||||
# c mod q:
|
||||
a2 d9 24 de d9 c3 6d 62 3e d9 a6 5b 5d 86 2c fb
|
||||
ec 8b 19 9c 64 27 9c 54 14 e6 41 19 6e f1 c9 3c
|
||||
50 7a 9b 52 13 88 1a ad 05 b4 cc fa 02 8a c1 ec
|
||||
61 42 09 74 bf 16 25 83 6b 0b 7d 05 fb b7 53 36
|
||||
|
||||
# m1:
|
||||
89 6c a2 6c d7 e4 87 1c 7f c9 68 a8 ed ea 11 e2
|
||||
71 82 4f 0e 03 65 52 17 94 f1 e9 e9 43 b4 a4 4b
|
||||
57 c9 e3 95 a1 46 74 78 f5 26 49 6b 4b b9 1f 1c
|
||||
ba ea 90 0f fc 60 2c f0 c6 63 6e ba 84 fc 9f f7
|
||||
|
||||
# m2:
|
||||
4e bb 22 75 85 f0 c1 31 2d ca 19 e0 b5 41 db 14
|
||||
99 fb f1 4e 27 0e 69 8e 23 9a 8c 27 a9 6c da 9a
|
||||
74 09 74 de 93 7b 5c 9c 93 ea d9 46 2c 65 75 02
|
||||
1a 23 d4 64 99 dc 9f 6b 35 89 75 59 60 8f 19 be
|
||||
|
||||
# h:
|
||||
01 2b 2b 24 15 0e 76 e1 59 bd 8d db 42 76 e0 7b
|
||||
fa c1 88 e0 8d 60 47 cf 0e fb 8a e2 ae bd f2 51
|
||||
c4 0e bc 23 dc fd 4a 34 42 43 94 ad a9 2c fc be
|
||||
1b 2e ff bb 60 fd fb 03 35 9a 95 36 8d 98 09 25
|
||||
|
||||
# m:
|
||||
00 eb 7a 19 ac e9 e3 00 63 50 e3 29 50 4b 45 e2
|
||||
ca 82 31 0b 26 dc d8 7d 5c 68 f1 ee a8 f5 52 67
|
||||
c3 1b 2e 8b b4 25 1f 84 d7 e0 b2 c0 46 26 f5 af
|
||||
f9 3e dc fb 25 c9 c2 b3 ff 8a e1 0e 83 9a 2d db
|
||||
4c dc fe 4f f4 77 28 b4 a1 b7 c1 36 2b aa d2 9a
|
||||
b4 8d 28 69 d5 02 41 21 43 58 11 59 1b e3 92 f9
|
||||
82 fb 3e 87 d0 95 ae b4 04 48 db 97 2f 3a c1 4f
|
||||
7b c2 75 19 52 81 ce 32 d2 f1 b7 6d 4d 35 3e 2d
|
||||
|
||||
# The intermediate values in the remaining
|
||||
# decryption process are the same as during
|
||||
# RSAES-OAEP encryption of M.
|
||||
|
||||
# =============================================
|
||||
|
||||
# ========================
|
||||
# DER Encoding of RSA Keys
|
||||
# ========================
|
||||
|
||||
# ------------
|
||||
# RSAPublicKey
|
||||
# ------------
|
||||
30 81 87
|
||||
# modulus
|
||||
02 81 81
|
||||
00 bb f8 2f 09 06 82 ce
|
||||
9c 23 38 ac 2b 9d a8 71
|
||||
f7 36 8d 07 ee d4 10 43
|
||||
a4 40 d6 b6 f0 74 54 f5
|
||||
1f b8 df ba af 03 5c 02
|
||||
ab 61 ea 48 ce eb 6f cd
|
||||
48 76 ed 52 0d 60 e1 ec
|
||||
46 19 71 9d 8a 5b 8b 80
|
||||
7f af b8 e0 a3 df c7 37
|
||||
72 3e e6 b4 b7 d9 3a 25
|
||||
84 ee 6a 64 9d 06 09 53
|
||||
74 88 34 b2 45 45 98 39
|
||||
4e e0 aa b1 2d 7b 61 a5
|
||||
1f 52 7a 9a 41 f6 c1 68
|
||||
7f e2 53 72 98 ca 2a 8f
|
||||
59 46 f8 e5 fd 09 1d bd
|
||||
cb
|
||||
# publicExponent
|
||||
02 01
|
||||
11
|
||||
|
||||
# -------------
|
||||
# RSAPrivateKey
|
||||
# -------------
|
||||
30 82 02 5b
|
||||
# version
|
||||
02 01
|
||||
00
|
||||
# modulus
|
||||
02 81 81
|
||||
00 bb f8 2f 09 06 82 ce
|
||||
9c 23 38 ac 2b 9d a8 71
|
||||
f7 36 8d 07 ee d4 10 43
|
||||
a4 40 d6 b6 f0 74 54 f5
|
||||
1f b8 df ba af 03 5c 02
|
||||
ab 61 ea 48 ce eb 6f cd
|
||||
48 76 ed 52 0d 60 e1 ec
|
||||
46 19 71 9d 8a 5b 8b 80
|
||||
7f af b8 e0 a3 df c7 37
|
||||
72 3e e6 b4 b7 d9 3a 25
|
||||
84 ee 6a 64 9d 06 09 53
|
||||
74 88 34 b2 45 45 98 39
|
||||
4e e0 aa b1 2d 7b 61 a5
|
||||
1f 52 7a 9a 41 f6 c1 68
|
||||
7f e2 53 72 98 ca 2a 8f
|
||||
59 46 f8 e5 fd 09 1d bd
|
||||
cb
|
||||
# publicExponent
|
||||
02 01
|
||||
11
|
||||
# privateExponent
|
||||
02 81 81
|
||||
00 a5 da fc 53 41 fa f2
|
||||
89 c4 b9 88 db 30 c1 cd
|
||||
f8 3f 31 25 1e 06 68 b4
|
||||
27 84 81 38 01 57 96 41
|
||||
b2 94 10 b3 c7 99 8d 6b
|
||||
c4 65 74 5e 5c 39 26 69
|
||||
d6 87 0d a2 c0 82 a9 39
|
||||
e3 7f dc b8 2e c9 3e da
|
||||
c9 7f f3 ad 59 50 ac cf
|
||||
bc 11 1c 76 f1 a9 52 94
|
||||
44 e5 6a af 68 c5 6c 09
|
||||
2c d3 8d c3 be f5 d2 0a
|
||||
93 99 26 ed 4f 74 a1 3e
|
||||
dd fb e1 a1 ce cc 48 94
|
||||
af 94 28 c2 b7 b8 88 3f
|
||||
e4 46 3a 4b c8 5b 1c b3
|
||||
c1
|
||||
# prime1
|
||||
02 41
|
||||
00 ee cf ae 81 b1 b9 b3
|
||||
c9 08 81 0b 10 a1 b5 60
|
||||
01 99 eb 9f 44 ae f4 fd
|
||||
a4 93 b8 1a 9e 3d 84 f6
|
||||
32 12 4e f0 23 6e 5d 1e
|
||||
3b 7e 28 fa e7 aa 04 0a
|
||||
2d 5b 25 21 76 45 9d 1f
|
||||
39 75 41 ba 2a 58 fb 65
|
||||
99
|
||||
# prime2
|
||||
02 41
|
||||
00 c9 7f b1 f0 27 f4 53
|
||||
f6 34 12 33 ea aa d1 d9
|
||||
35 3f 6c 42 d0 88 66 b1
|
||||
d0 5a 0f 20 35 02 8b 9d
|
||||
86 98 40 b4 16 66 b4 2e
|
||||
92 ea 0d a3 b4 32 04 b5
|
||||
cf ce 33 52 52 4d 04 16
|
||||
a5 a4 41 e7 00 af 46 15
|
||||
03
|
||||
# exponent1
|
||||
02 40
|
||||
54 49 4c a6 3e ba 03 37
|
||||
e4 e2 40 23 fc d6 9a 5a
|
||||
eb 07 dd dc 01 83 a4 d0
|
||||
ac 9b 54 b0 51 f2 b1 3e
|
||||
d9 49 09 75 ea b7 74 14
|
||||
ff 59 c1 f7 69 2e 9a 2e
|
||||
20 2b 38 fc 91 0a 47 41
|
||||
74 ad c9 3c 1f 67 c9 81
|
||||
# exponent2
|
||||
02 40
|
||||
47 1e 02 90 ff 0a f0 75
|
||||
03 51 b7 f8 78 86 4c a9
|
||||
61 ad bd 3a 8a 7e 99 1c
|
||||
5c 05 56 a9 4c 31 46 a7
|
||||
f9 80 3f 8f 6f 8a e3 42
|
||||
e9 31 fd 8a e4 7a 22 0d
|
||||
1b 99 a4 95 84 98 07 fe
|
||||
39 f9 24 5a 98 36 da 3d
|
||||
# coefficient
|
||||
02 41
|
||||
00 b0 6c 4f da bb 63 01
|
||||
19 8d 26 5b db ae 94 23
|
||||
b3 80 f2 71 f7 34 53 88
|
||||
50 93 07 7f cd 39 e2 11
|
||||
9f c9 86 32 15 4f 58 83
|
||||
b1 67 a9 67 bf 40 2b 4e
|
||||
9e 2e 0f 96 56 e6 98 ea
|
||||
36 66 ed fb 25 79 80 39
|
||||
f7
|
||||
|
||||
# ------------------------
|
||||
# PrivateKeyInfo (PKCS #8)
|
||||
# ------------------------
|
||||
30 82 02 75
|
||||
# version
|
||||
02 01
|
||||
00
|
||||
# privateKeyAlgorithmIdentifier
|
||||
30 0d
|
||||
06 09
|
||||
2a 86 48 86 f7 0d 01 01 01
|
||||
# parameters
|
||||
05 00
|
||||
# privateKey = RSAPrivateKey encoding
|
||||
04 82 02 5f
|
||||
# DER encoding of RSAPrivateKey structure
|
||||
30 82 02 5b ... 79 80 39 f7
|
||||
|
||||
# =============================================
|
1418
notes/rsa-testvectors/oaep-vect.c
Normal file
1418
notes/rsa-testvectors/oaep-vect.c
Normal file
File diff suppressed because it is too large
Load Diff
2212
notes/rsa-testvectors/oaep-vect.txt
Executable file
2212
notes/rsa-testvectors/oaep-vect.txt
Executable file
File diff suppressed because it is too large
Load Diff
5463
notes/rsa-testvectors/pkcs1v15crypt-vectors.c
Normal file
5463
notes/rsa-testvectors/pkcs1v15crypt-vectors.c
Normal file
File diff suppressed because it is too large
Load Diff
9709
notes/rsa-testvectors/pkcs1v15crypt-vectors.txt
Executable file
9709
notes/rsa-testvectors/pkcs1v15crypt-vectors.txt
Executable file
File diff suppressed because it is too large
Load Diff
4261
notes/rsa-testvectors/pkcs1v15sign-vectors.c
Normal file
4261
notes/rsa-testvectors/pkcs1v15sign-vectors.c
Normal file
File diff suppressed because it is too large
Load Diff
9049
notes/rsa-testvectors/pkcs1v15sign-vectors.txt
Executable file
9049
notes/rsa-testvectors/pkcs1v15sign-vectors.txt
Executable file
File diff suppressed because it is too large
Load Diff
162
notes/rsa-testvectors/pss-int.txt
Executable file
162
notes/rsa-testvectors/pss-int.txt
Executable file
@ -0,0 +1,162 @@
|
||||
# =================================
|
||||
# WORKED-OUT EXAMPLE FOR RSASSA-PSS
|
||||
# =================================
|
||||
#
|
||||
# This file gives an example of the process of
|
||||
# signing a message with RSASSA-PSS as
|
||||
# specified in PKCS #1 v2.1.
|
||||
#
|
||||
# The message is an octet string of length 114,
|
||||
# while the size of the modulus in the public
|
||||
# key is 1024 bits. The message is signed via a
|
||||
# random salt of length 20 octets
|
||||
#
|
||||
# The underlying hash function in the EMSA-PSS
|
||||
# encoding method is SHA-1; the mask generation
|
||||
# function is MGF1 with SHA-1 as specified in
|
||||
# PKCS #1 v2.1.
|
||||
#
|
||||
# Integers are represented by strings of octets
|
||||
# with the leftmost octet being the most
|
||||
# significant octet. For example,
|
||||
#
|
||||
# 9,202,000 = (0x)8c 69 50.
|
||||
#
|
||||
# =============================================
|
||||
|
||||
# ------------------------------
|
||||
# Components of the RSA Key Pair
|
||||
# ------------------------------
|
||||
|
||||
# RSA modulus n:
|
||||
a2 ba 40 ee 07 e3 b2 bd 2f 02 ce 22 7f 36 a1 95
|
||||
02 44 86 e4 9c 19 cb 41 bb bd fb ba 98 b2 2b 0e
|
||||
57 7c 2e ea ff a2 0d 88 3a 76 e6 5e 39 4c 69 d4
|
||||
b3 c0 5a 1e 8f ad da 27 ed b2 a4 2b c0 00 fe 88
|
||||
8b 9b 32 c2 2d 15 ad d0 cd 76 b3 e7 93 6e 19 95
|
||||
5b 22 0d d1 7d 4e a9 04 b1 ec 10 2b 2e 4d e7 75
|
||||
12 22 aa 99 15 10 24 c7 cb 41 cc 5e a2 1d 00 ee
|
||||
b4 1f 7c 80 08 34 d2 c6 e0 6b ce 3b ce 7e a9 a5
|
||||
|
||||
# RSA public exponent e:
|
||||
01 00 01
|
||||
|
||||
# Prime p:
|
||||
d1 7f 65 5b f2 7c 8b 16 d3 54 62 c9 05 cc 04 a2
|
||||
6f 37 e2 a6 7f a9 c0 ce 0d ce d4 72 39 4a 0d f7
|
||||
43 fe 7f 92 9e 37 8e fd b3 68 ed df f4 53 cf 00
|
||||
7a f6 d9 48 e0 ad e7 57 37 1f 8a 71 1e 27 8f 6b
|
||||
|
||||
# Prime q:
|
||||
c6 d9 2b 6f ee 74 14 d1 35 8c e1 54 6f b6 29 87
|
||||
53 0b 90 bd 15 e0 f1 49 63 a5 e2 63 5a db 69 34
|
||||
7e c0 c0 1b 2a b1 76 3f d8 ac 1a 59 2f b2 27 57
|
||||
46 3a 98 24 25 bb 97 a3 a4 37 c5 bf 86 d0 3f 2f
|
||||
|
||||
# p's CRT exponent dP:
|
||||
9d 0d bf 83 e5 ce 9e 4b 17 54 dc d5 cd 05 bc b7
|
||||
b5 5f 15 08 33 0e a4 9f 14 d4 e8 89 55 0f 82 56
|
||||
cb 5f 80 6d ff 34 b1 7a da 44 20 88 53 57 7d 08
|
||||
e4 26 28 90 ac f7 52 46 1c ea 05 54 76 01 bc 4f
|
||||
|
||||
# q's CRT exponent dQ:
|
||||
12 91 a5 24 c6 b7 c0 59 e9 0e 46 dc 83 b2 17 1e
|
||||
b3 fa 98 81 8f d1 79 b6 c8 bf 6c ec aa 47 63 03
|
||||
ab f2 83 fe 05 76 9c fc 49 57 88 fe 5b 1d df de
|
||||
9e 88 4a 3c d5 e9 36 b7 e9 55 eb f9 7e b5 63 b1
|
||||
|
||||
# CRT coefficient qInv:
|
||||
a6 3f 1d a3 8b 95 0c 9a d1 c6 7c e0 d6 77 ec 29
|
||||
14 cd 7d 40 06 2d f4 2a 67 eb 19 8a 17 6f 97 42
|
||||
aa c7 c5 fe a1 4f 22 97 66 2b 84 81 2c 4d ef c4
|
||||
9a 80 25 ab 43 82 28 6b e4 c0 37 88 dd 01 d6 9f
|
||||
|
||||
# ---------------------------------
|
||||
# Step-by-step RSASSA-PSS Signature
|
||||
# ---------------------------------
|
||||
|
||||
# Message M to be signed:
|
||||
85 9e ef 2f d7 8a ca 00 30 8b dc 47 11 93 bf 55
|
||||
bf 9d 78 db 8f 8a 67 2b 48 46 34 f3 c9 c2 6e 64
|
||||
78 ae 10 26 0f e0 dd 8c 08 2e 53 a5 29 3a f2 17
|
||||
3c d5 0c 6d 5d 35 4f eb f7 8b 26 02 1c 25 c0 27
|
||||
12 e7 8c d4 69 4c 9f 46 97 77 e4 51 e7 f8 e9 e0
|
||||
4c d3 73 9c 6b bf ed ae 48 7f b5 56 44 e9 ca 74
|
||||
ff 77 a5 3c b7 29 80 2f 6e d4 a5 ff a8 ba 15 98
|
||||
90 fc
|
||||
|
||||
# mHash = Hash(M)
|
||||
# salt = random string of octets
|
||||
# M' = Padding || mHash || salt
|
||||
# H = Hash(M')
|
||||
# DB = Padding || salt
|
||||
# dbMask = MGF(H, length(DB))
|
||||
# maskedDB = DB xor dbMask (leftmost bit set to
|
||||
# zero)
|
||||
# EM = maskedDB || H || 0xbc
|
||||
|
||||
# mHash:
|
||||
37 b6 6a e0 44 58 43 35 3d 47 ec b0 b4 fd 14 c1
|
||||
10 e6 2d 6a
|
||||
|
||||
# salt:
|
||||
e3 b5 d5 d0 02 c1 bc e5 0c 2b 65 ef 88 a1 88 d8
|
||||
3b ce 7e 61
|
||||
|
||||
# M':
|
||||
00 00 00 00 00 00 00 00 37 b6 6a e0 44 58 43 35
|
||||
3d 47 ec b0 b4 fd 14 c1 10 e6 2d 6a e3 b5 d5 d0
|
||||
02 c1 bc e5 0c 2b 65 ef 88 a1 88 d8 3b ce 7e 61
|
||||
|
||||
# H:
|
||||
df 1a 89 6f 9d 8b c8 16 d9 7c d7 a2 c4 3b ad 54
|
||||
6f be 8c fe
|
||||
|
||||
# DB:
|
||||
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
||||
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
||||
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
||||
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
||||
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
||||
00 00 00 00 00 00 01 e3 b5 d5 d0 02 c1 bc e5 0c
|
||||
2b 65 ef 88 a1 88 d8 3b ce 7e 61
|
||||
|
||||
# dbMask:
|
||||
66 e4 67 2e 83 6a d1 21 ba 24 4b ed 65 76 b8 67
|
||||
d9 a4 47 c2 8a 6e 66 a5 b8 7d ee 7f bc 7e 65 af
|
||||
50 57 f8 6f ae 89 84 d9 ba 7f 96 9a d6 fe 02 a4
|
||||
d7 5f 74 45 fe fd d8 5b 6d 3a 47 7c 28 d2 4b a1
|
||||
e3 75 6f 79 2d d1 dc e8 ca 94 44 0e cb 52 79 ec
|
||||
d3 18 3a 31 1f c8 97 39 a9 66 43 13 6e 8b 0f 46
|
||||
5e 87 a4 53 5c d4 c5 9b 10 02 8d
|
||||
|
||||
# maskedDB:
|
||||
66 e4 67 2e 83 6a d1 21 ba 24 4b ed 65 76 b8 67
|
||||
d9 a4 47 c2 8a 6e 66 a5 b8 7d ee 7f bc 7e 65 af
|
||||
50 57 f8 6f ae 89 84 d9 ba 7f 96 9a d6 fe 02 a4
|
||||
d7 5f 74 45 fe fd d8 5b 6d 3a 47 7c 28 d2 4b a1
|
||||
e3 75 6f 79 2d d1 dc e8 ca 94 44 0e cb 52 79 ec
|
||||
d3 18 3a 31 1f c8 96 da 1c b3 93 11 af 37 ea 4a
|
||||
75 e2 4b db fd 5c 1d a0 de 7c ec
|
||||
|
||||
# Encoded message EM:
|
||||
66 e4 67 2e 83 6a d1 21 ba 24 4b ed 65 76 b8 67
|
||||
d9 a4 47 c2 8a 6e 66 a5 b8 7d ee 7f bc 7e 65 af
|
||||
50 57 f8 6f ae 89 84 d9 ba 7f 96 9a d6 fe 02 a4
|
||||
d7 5f 74 45 fe fd d8 5b 6d 3a 47 7c 28 d2 4b a1
|
||||
e3 75 6f 79 2d d1 dc e8 ca 94 44 0e cb 52 79 ec
|
||||
d3 18 3a 31 1f c8 96 da 1c b3 93 11 af 37 ea 4a
|
||||
75 e2 4b db fd 5c 1d a0 de 7c ec df 1a 89 6f 9d
|
||||
8b c8 16 d9 7c d7 a2 c4 3b ad 54 6f be 8c fe bc
|
||||
|
||||
# Signature S, the RSA decryption of EM:
|
||||
8d aa 62 7d 3d e7 59 5d 63 05 6c 7e c6 59 e5 44
|
||||
06 f1 06 10 12 8b aa e8 21 c8 b2 a0 f3 93 6d 54
|
||||
dc 3b dc e4 66 89 f6 b7 95 1b b1 8e 84 05 42 76
|
||||
97 18 d5 71 5d 21 0d 85 ef bb 59 61 92 03 2c 42
|
||||
be 4c 29 97 2c 85 62 75 eb 6d 5a 45 f0 5f 51 87
|
||||
6f c6 74 3d ed dd 28 ca ec 9b b3 0e a9 9e 02 c3
|
||||
48 82 69 60 4f e4 97 f7 4c cd 7c 7f ca 16 71 89
|
||||
71 23 cb d3 0d ef 5d 54 a2 b5 53 6a d9 0a 74 7e
|
||||
|
||||
# =============================================
|
1418
notes/rsa-testvectors/pss-vect.c
Normal file
1418
notes/rsa-testvectors/pss-vect.c
Normal file
File diff suppressed because it is too large
Load Diff
2581
notes/rsa-testvectors/pss-vect.txt
Executable file
2581
notes/rsa-testvectors/pss-vect.txt
Executable file
File diff suppressed because it is too large
Load Diff
22
notes/rsa-testvectors/readme.txt
Executable file
22
notes/rsa-testvectors/readme.txt
Executable file
@ -0,0 +1,22 @@
|
||||
====================
|
||||
pkcs-1v2-1-vec.zip
|
||||
====================
|
||||
|
||||
This directory contains test vectors for RSAES-OAEP and
|
||||
RSASSA-PSS as defined in PKCS #1 v2.1.
|
||||
|
||||
The files:
|
||||
|
||||
readme.txt This file.
|
||||
|
||||
oaep-vect.txt Test vectors for RSAES-OAEP encryption.
|
||||
|
||||
oaep-int.txt Intermediate values for RSAES-OAEP
|
||||
encryption and RSA decryption with CRT.
|
||||
Also, DER-encoded RSAPrivateKey and
|
||||
RSAPublicKey types.
|
||||
|
||||
pss-vect.txt Test vectors for RSASSA-PSS signing.
|
||||
|
||||
pss-int.txt Intermediate values for RSASSA-PSS
|
||||
signing.
|
253
notes/rsa-testvectors/rt.py
Executable file
253
notes/rsa-testvectors/rt.py
Executable file
@ -0,0 +1,253 @@
|
||||
#!/usr/bin/env python
|
||||
|
||||
import sys
|
||||
import os
|
||||
import hashlib
|
||||
|
||||
def md5_for_file(path, block_size=256*128):
|
||||
'''
|
||||
Block size directly depends on the block size of your filesystem
|
||||
to avoid performances issues
|
||||
Here I have blocks of 4096 octets (Default NTFS)
|
||||
'''
|
||||
md5 = hashlib.md5()
|
||||
with open(path,'rb') as f:
|
||||
for chunk in iter(lambda: f.read(block_size), b''):
|
||||
md5.update(chunk)
|
||||
f.close()
|
||||
return md5.hexdigest()
|
||||
|
||||
def read_until_ends(f, s):
|
||||
while True:
|
||||
l = f.readline()
|
||||
if l.strip().endswith(s):
|
||||
break
|
||||
return l
|
||||
|
||||
def read_until_start(f, s):
|
||||
while True:
|
||||
l = f.readline()
|
||||
if l.startswith(s):
|
||||
break
|
||||
return l
|
||||
|
||||
def read_hex(f):
|
||||
t = []
|
||||
while True:
|
||||
l = f.readline()
|
||||
if l.strip() == '':
|
||||
break
|
||||
t.extend(l.strip().split(' '))
|
||||
return t
|
||||
|
||||
class NamedData(object):
|
||||
def __init__(self, name, data):
|
||||
self.name = name
|
||||
self.data = data
|
||||
|
||||
def __str__(self):
|
||||
return " /* {0} */\n {1},\n {{ {2} }}\n".format(self.name, len(self.data), ', '.join('0x' + x for x in self.data))
|
||||
|
||||
def read_part(f, s):
|
||||
name = read_until_start(f, s).strip().lstrip('# ').rstrip(':')
|
||||
data = read_hex(f)
|
||||
e = NamedData(name, data)
|
||||
return e
|
||||
|
||||
class RsaKey(object):
|
||||
def __init__(self, n, e, d, p, q, dP, dQ, qInv):
|
||||
self.n = n
|
||||
self.e = e
|
||||
self.d = d
|
||||
self.p = p
|
||||
self.q = q
|
||||
self.dP = dP
|
||||
self.dQ = dQ
|
||||
self.qInv = qInv
|
||||
|
||||
def __str__(self):
|
||||
return "{{\n{0},\n{1},\n{2},\n{3},\n{4},\n{5},\n{6},\n{7}\n}}\n".format(self.n, self.e, self.d, self.p, self.q, self.dP, self.dQ, self.qInv)
|
||||
|
||||
def read_key(f):
|
||||
if ftype.version == 1:
|
||||
read_until_start(f, '# Private key')
|
||||
n = read_part(f, ftype.n)
|
||||
e = read_part(f, ftype.e)
|
||||
d = read_part(f, ftype.d)
|
||||
p = read_part(f, ftype.p)
|
||||
q = read_part(f, ftype.q)
|
||||
dP = read_part(f, ftype.dP)
|
||||
dQ = read_part(f, ftype.dQ)
|
||||
qInv = read_part(f, ftype.qInv)
|
||||
k = RsaKey(n, e, d, p, q, dP, dQ, qInv)
|
||||
return k
|
||||
|
||||
class Data(object):
|
||||
def __init__(self, name, obj1, obj2, obj3):
|
||||
self.name = name
|
||||
self.obj1 = obj1
|
||||
self.obj2 = obj2
|
||||
self.obj3 = obj3
|
||||
|
||||
def __str__(self):
|
||||
if self.obj3 == None:
|
||||
return "{{\n \"{0}\",\n{1},\n{2}\n}}\n,".format(self.name, self.obj1, self.obj2)
|
||||
else:
|
||||
return "{{\n \"{0}\",\n{1},\n{2},\n{3}\n}}\n,".format(self.name, self.obj1, self.obj2, self.obj3)
|
||||
|
||||
def read_data(f):
|
||||
name = read_until_start(f, ftype.o).strip().lstrip('# ')
|
||||
obj1 = read_part(f, ftype.o1)
|
||||
obj2 = read_part(f, ftype.o2)
|
||||
if ftype.name == 'emsa':
|
||||
obj3 = None
|
||||
else:
|
||||
obj3 = read_part(f, ftype.o3)
|
||||
s = Data(name, obj1, obj2, obj3)
|
||||
return s
|
||||
|
||||
class Example(object):
|
||||
def __init__(self, name, key, data):
|
||||
self.name = name
|
||||
self.key = key
|
||||
self.data = data
|
||||
|
||||
def __str__(self):
|
||||
res = "{{\n \"{0}\",\n{1},\n{{".format(self.name, str(self.key))
|
||||
for idx, d in enumerate(self.data, 1):
|
||||
if idx == 2:
|
||||
res += '#ifdef LTC_TEST_EXT\n'
|
||||
res += str(d) + '\n'
|
||||
if idx == ftype.numcases:
|
||||
res += '#endif /* LTC_TEST_EXT */\n'
|
||||
res += '}\n},'
|
||||
return res
|
||||
|
||||
def read_example(f):
|
||||
name = read_until_start(f, '# Example').strip().lstrip('# ')
|
||||
key = read_key(f)
|
||||
l = read_until_start(f, ftype.sod)
|
||||
d = []
|
||||
while l.strip().startswith(ftype.sod):
|
||||
if ftype.version == 1:
|
||||
f.seek(-len(l), os.SEEK_CUR)
|
||||
data = read_data(f)
|
||||
d.append(data)
|
||||
l = read_until_start(f, '#')
|
||||
|
||||
e = Example(name, key, d)
|
||||
f.seek(-len(l), os.SEEK_CUR)
|
||||
return e
|
||||
|
||||
|
||||
class PkcsType(object):
|
||||
def __init__(self, name):
|
||||
if name == 'pss':
|
||||
self.o = '# RSASSA-PSS Signature Example'
|
||||
self.o1 = '# Message to be signed'
|
||||
self.o2 = '# Salt'
|
||||
self.o3 = '# Signature'
|
||||
elif name == 'oaep':
|
||||
self.o = '# RSAES-OAEP Encryption Example'
|
||||
self.o1 = '# Message to be encrypted'
|
||||
self.o2 = '# Seed'
|
||||
self.o3 = '# Encryption'
|
||||
elif name == 'emsa':
|
||||
self.o = '# PKCS#1 v1.5 Signature Example'
|
||||
self.o1 = '# Message to be signed'
|
||||
self.o2 = '# Signature'
|
||||
elif name == 'eme':
|
||||
self.o = '# PKCS#1 v1.5 Encryption Example'
|
||||
self.o1 = '# Message'
|
||||
self.o2 = '# Seed'
|
||||
self.o3 = '# Encryption'
|
||||
else:
|
||||
raise ValueError('Type unknown: ' + name)
|
||||
|
||||
if name == 'pss' or name == 'oaep':
|
||||
self.version = 2
|
||||
self.numcases = 6
|
||||
self.n = '# RSA modulus n'
|
||||
self.e = '# RSA public exponent e'
|
||||
self.d = '# RSA private exponent d'
|
||||
self.p = '# Prime p'
|
||||
self.q = '# Prime q'
|
||||
self.dP = '# p\'s CRT exponent dP'
|
||||
self.dQ = '# q\'s CRT exponent dQ'
|
||||
self.qInv = '# CRT coefficient qInv'
|
||||
self.sod = '# --------------------------------'
|
||||
elif name == 'emsa' or name == 'eme':
|
||||
self.version = 1
|
||||
self.numcases = 20
|
||||
self.n = '# Modulus'
|
||||
self.e = '# Public exponent'
|
||||
self.d = '# Exponent'
|
||||
self.p = '# Prime 1'
|
||||
self.q = '# Prime 2'
|
||||
self.dP = '# Prime exponent 1'
|
||||
self.dQ = '# Prime exponent 2'
|
||||
self.qInv = '# Coefficient'
|
||||
self.sod = self.o
|
||||
self.name = name
|
||||
|
||||
ftype = PkcsType(sys.argv[2])
|
||||
|
||||
print('/* Generated from file: %s\n * with md5 hash: %s\n */\n' % (sys.argv[1], md5_for_file(sys.argv[1])))
|
||||
print('''
|
||||
typedef struct rsaKey {
|
||||
int n_l;
|
||||
unsigned char n[256];
|
||||
int e_l;
|
||||
unsigned char e[256];
|
||||
int d_l;
|
||||
unsigned char d[256];
|
||||
int p_l;
|
||||
unsigned char p[256];
|
||||
int q_l;
|
||||
unsigned char q[256];
|
||||
int dP_l;
|
||||
unsigned char dP[256];
|
||||
int dQ_l;
|
||||
unsigned char dQ[256];
|
||||
int qInv_l;
|
||||
unsigned char qInv[256];
|
||||
} rsaKey_t;
|
||||
|
||||
typedef struct rsaData {
|
||||
const char* name;
|
||||
int o1_l;
|
||||
unsigned char o1[256];
|
||||
int o2_l;
|
||||
unsigned char o2[256];''')
|
||||
|
||||
if ftype.name != 'emsa':
|
||||
print(''' int o3_l;
|
||||
unsigned char o3[256];''')
|
||||
|
||||
print('''} rsaData_t;
|
||||
|
||||
typedef struct testcase {
|
||||
const char* name;
|
||||
rsaKey_t rsa;
|
||||
#ifdef LTC_TEST_EXT
|
||||
rsaData_t data[%d];
|
||||
#else
|
||||
rsaData_t data[1];
|
||||
#endif /* LTC_TEST_EXT */
|
||||
} testcase_t;
|
||||
|
||||
testcase_t testcases_%s[] =
|
||||
{''' % (ftype.numcases, sys.argv[2]))
|
||||
|
||||
with open(sys.argv[1], 'rb') as f:
|
||||
ex = []
|
||||
while read_until_ends(f, '============================================='):
|
||||
if f.tell() == os.path.getsize(sys.argv[1]):
|
||||
break
|
||||
e = read_example(f)
|
||||
ex.append(e)
|
||||
|
||||
for i in ex:
|
||||
print(i)
|
||||
f.close()
|
||||
print('};\n')
|
@ -51,11 +51,12 @@ int pkcs_1_pss_decode(const unsigned char *msghash, unsigned long msghashlen,
|
||||
}
|
||||
|
||||
hLen = hash_descriptor[hash_idx].hashsize;
|
||||
modulus_bitlen--;
|
||||
modulus_len = (modulus_bitlen>>3) + (modulus_bitlen & 7 ? 1 : 0);
|
||||
|
||||
/* check sizes */
|
||||
if ((saltlen > modulus_len) ||
|
||||
(modulus_len < hLen + saltlen + 2) || (siglen != modulus_len)) {
|
||||
(modulus_len < hLen + saltlen + 2)) {
|
||||
return CRYPT_PK_INVALID_SIZE;
|
||||
}
|
||||
|
||||
@ -95,8 +96,9 @@ int pkcs_1_pss_decode(const unsigned char *msghash, unsigned long msghashlen,
|
||||
XMEMCPY(hash, sig + x, hLen);
|
||||
x += hLen;
|
||||
|
||||
|
||||
/* check the MSB */
|
||||
if ((sig[0] & ~(0xFF >> ((modulus_len<<3) - (modulus_bitlen-1)))) != 0) {
|
||||
if ((sig[0] & ~(0xFF >> ((modulus_len<<3) - (modulus_bitlen)))) != 0) {
|
||||
err = CRYPT_INVALID_PACKET;
|
||||
goto LBL_ERR;
|
||||
}
|
||||
@ -112,7 +114,7 @@ int pkcs_1_pss_decode(const unsigned char *msghash, unsigned long msghashlen,
|
||||
}
|
||||
|
||||
/* now clear the first byte [make sure smaller than modulus] */
|
||||
DB[0] &= 0xFF >> ((modulus_len<<3) - (modulus_bitlen-1));
|
||||
DB[0] &= 0xFF >> ((modulus_len<<3) - (modulus_bitlen));
|
||||
|
||||
/* DB = PS || 0x01 || salt, PS == modulus_len - saltlen - hLen - 2 zero bytes */
|
||||
|
||||
|
@ -54,6 +54,7 @@ int pkcs_1_pss_encode(const unsigned char *msghash, unsigned long msghashlen,
|
||||
}
|
||||
|
||||
hLen = hash_descriptor[hash_idx].hashsize;
|
||||
modulus_bitlen--;
|
||||
modulus_len = (modulus_bitlen>>3) + (modulus_bitlen & 7 ? 1 : 0);
|
||||
|
||||
/* check sizes */
|
||||
@ -147,7 +148,7 @@ int pkcs_1_pss_encode(const unsigned char *msghash, unsigned long msghashlen,
|
||||
out[y] = 0xBC;
|
||||
|
||||
/* now clear the 8*modulus_len - modulus_bitlen most significant bits */
|
||||
out[0] &= 0xFF >> ((modulus_len<<3) - (modulus_bitlen-1));
|
||||
out[0] &= 0xFF >> ((modulus_len<<3) - modulus_bitlen);
|
||||
|
||||
/* store output size */
|
||||
*outlen = modulus_len;
|
||||
|
@ -65,9 +65,8 @@ int pkcs_1_v1_5_decode(const unsigned char *msg,
|
||||
}
|
||||
ps_len = i++ - 2;
|
||||
|
||||
if ((i >= modulus_len) || (ps_len < 8)) {
|
||||
/* There was no octet with hexadecimal value 0x00 to separate ps from m,
|
||||
* or the length of ps is less than 8 octets.
|
||||
if (i >= modulus_len) {
|
||||
/* There was no octet with hexadecimal value 0x00 to separate ps from m.
|
||||
*/
|
||||
result = CRYPT_INVALID_PACKET;
|
||||
goto bail;
|
||||
@ -87,6 +86,14 @@ int pkcs_1_v1_5_decode(const unsigned char *msg,
|
||||
ps_len = i - 2;
|
||||
}
|
||||
|
||||
if (ps_len < 8)
|
||||
{
|
||||
/* The length of ps is less than 8 octets.
|
||||
*/
|
||||
result = CRYPT_INVALID_PACKET;
|
||||
goto bail;
|
||||
}
|
||||
|
||||
if (*outlen < (msglen - (2 + ps_len + 1))) {
|
||||
*outlen = msglen - (2 + ps_len + 1);
|
||||
result = CRYPT_BUFFER_OVERFLOW;
|
||||
|
@ -76,7 +76,7 @@ int rsa_exptmod(const unsigned char *in, unsigned long inlen,
|
||||
if (which == PK_PRIVATE) {
|
||||
#ifdef LTC_RSA_BLINDING
|
||||
/* do blinding */
|
||||
err = mp_rand(rnd, mp_count_bits(key->N));
|
||||
err = mp_rand(rnd, mp_get_digit_count(key->N));
|
||||
if (err != CRYPT_OK) {
|
||||
goto error;
|
||||
}
|
||||
|
@ -92,11 +92,18 @@ int rsa_verify_hash_ex(const unsigned char *sig, unsigned long siglen,
|
||||
|
||||
if (padding == LTC_PKCS_1_PSS) {
|
||||
/* PSS decode and verify it */
|
||||
|
||||
if(modulus_bitlen%8 == 1){
|
||||
err = pkcs_1_pss_decode(hash, hashlen, tmpbuf+1, x-1, saltlen, hash_idx, modulus_bitlen, stat);
|
||||
}
|
||||
else{
|
||||
err = pkcs_1_pss_decode(hash, hashlen, tmpbuf, x, saltlen, hash_idx, modulus_bitlen, stat);
|
||||
}
|
||||
|
||||
} else {
|
||||
/* PKCS #1 v1.5 decode it */
|
||||
unsigned char *out;
|
||||
unsigned long outlen, loid[16];
|
||||
unsigned long outlen, loid[16], reallen;
|
||||
int decoded;
|
||||
ltc_asn1_list digestinfo[2], siginfo[2];
|
||||
|
||||
@ -138,8 +145,14 @@ int rsa_verify_hash_ex(const unsigned char *sig, unsigned long siglen,
|
||||
goto bail_2;
|
||||
}
|
||||
|
||||
if ((err = der_length_sequence(siginfo, 2, &reallen)) != CRYPT_OK) {
|
||||
XFREE(out);
|
||||
goto bail_2;
|
||||
}
|
||||
|
||||
/* test OID */
|
||||
if ((digestinfo[0].size == hash_descriptor[hash_idx].OIDlen) &&
|
||||
if ((reallen == outlen) &&
|
||||
(digestinfo[0].size == hash_descriptor[hash_idx].OIDlen) &&
|
||||
(XMEMCMP(digestinfo[0].data, hash_descriptor[hash_idx].OID, sizeof(unsigned long) * hash_descriptor[hash_idx].OIDlen) == 0) &&
|
||||
(siginfo[1].size == hashlen) &&
|
||||
(XMEMCMP(siginfo[1].data, hash, hashlen) == 0)) {
|
||||
|
@ -5,9 +5,10 @@ ifndef RANLIB
|
||||
RANLIB=ranlib
|
||||
endif
|
||||
|
||||
OBJECTS = base64_test.o cipher_hash_test.o der_tests.o \
|
||||
OBJECTS = base64_test.o cipher_hash_test.o der_tests.o no_prng.o \
|
||||
dsa_test.o ecc_test.o mac_test.o misc_test.o modes_test.o pkcs_1_test.o rsa_test.o \
|
||||
store_test.o test_driver.o x86_prof.o katja_test.o dh_test.o
|
||||
store_test.o test_driver.o x86_prof.o katja_test.o dh_test.o \
|
||||
pkcs_1_pss_test.o pkcs_1_oaep_test.o pkcs_1_emsa_test.o pkcs_1_eme_test.o
|
||||
|
||||
ifndef LIBTEST_S
|
||||
LIBTEST_S=libtomcrypt_prof.a
|
||||
|
@ -1,9 +1,10 @@
|
||||
CFLAGS += -I../src/headers -I./
|
||||
CC?=icc
|
||||
|
||||
OBJECTS = base64_test.o cipher_hash_test.o der_tests.o \
|
||||
OBJECTS = base64_test.o cipher_hash_test.o der_tests.o no_prng.o \
|
||||
dsa_test.o ecc_test.o mac_test.o modes_test.o pkcs_1_test.o rsa_test.o \
|
||||
store_test.o test_driver.o x86_prof.o katja_test.o dh_test.o misc_test.o
|
||||
store_test.o test_driver.o x86_prof.o katja_test.o dh_test.o misc_test.o \
|
||||
pkcs_1_pss_test.o pkcs_1_oaep_test.o pkcs_1_emsa_test.o pkcs_1_eme_test.o
|
||||
|
||||
ifndef LIBTEST_S
|
||||
LIBTEST_S = libtomcrypt_prof.a
|
||||
|
@ -4,9 +4,10 @@
|
||||
|
||||
CFLAGS = $(CFLAGS_OPTS) -W -I../src/headers -I. -Wall -W
|
||||
|
||||
OBJECTS = base64_test.o cipher_hash_test.o der_tests.o \
|
||||
OBJECTS = base64_test.o cipher_hash_test.o der_tests.o no_prng.o \
|
||||
dsa_test.o ecc_test.o mac_test.o misc_test.o modes_test.o pkcs_1_test.o rsa_test.o \
|
||||
store_test.o test_driver.o x86_prof.o katja_test.o dh_test.o
|
||||
store_test.o test_driver.o x86_prof.o katja_test.o dh_test.o pkcs_1_pss_test.o \
|
||||
pkcs_1_oaep_test.o pkcs_1_emsa_test.o pkcs_1_eme_test.o
|
||||
|
||||
default: $(LIBTEST_S)
|
||||
|
||||
|
@ -1,9 +1,10 @@
|
||||
CFLAGS = /I../src/headers/ /I./ /Ox /DWIN32 /DLTC_SOURCE /W3 /Fo$@
|
||||
|
||||
OBJECTS=base64_test.obj cipher_hash_test.obj der_tests.obj \
|
||||
OBJECTS=base64_test.obj cipher_hash_test.obj der_tests.obj no_prng.obj \
|
||||
dsa_test.obj ecc_test.obj mac_test.obj modes_test.obj pkcs_1_test.obj \
|
||||
rsa_test.obj store_test.obj test_driver.obj x86_prof.obj katja_test.obj \
|
||||
dh_test.obj misc_test.obj
|
||||
dh_test.obj misc_test.obj pkcs_1_pss_test.obj pkcs_1_oaep_test.obj \
|
||||
pkcs_1_emsa_test.obj pkcs_1_eme_test.obj
|
||||
|
||||
tomcrypt_prof.lib: $(OBJECTS)
|
||||
lib /out:tomcrypt_prof.lib $(OBJECTS)
|
||||
|
@ -6,9 +6,10 @@ LTCOMPILE = $(LT) --mode=compile --tag=CC $(CC)
|
||||
|
||||
CFLAGS += -I../src/headers -I./ -Wall -Wsign-compare -W -Wshadow -Wno-unused-parameter
|
||||
|
||||
OBJECTS = base64_test.o cipher_hash_test.o der_tests.o \
|
||||
OBJECTS = base64_test.o cipher_hash_test.o der_tests.o no_prng.o \
|
||||
dsa_test.o ecc_test.o mac_test.o modes_test.o pkcs_1_test.o rsa_test.o \
|
||||
store_test.o test_driver.o x86_prof.o katja_test.o dh_test.o misc_test.o
|
||||
store_test.o test_driver.o x86_prof.o katja_test.o dh_test.o misc_test.o \
|
||||
pkcs_1_pss_test.o pkcs_1_oaep_test.o pkcs_1_emsa_test.o pkcs_1_eme_test.o
|
||||
|
||||
ifndef LIBTEST
|
||||
LIBTEST=libtomcrypt_prof.la
|
||||
|
148
testprof/no_prng.c
Normal file
148
testprof/no_prng.c
Normal file
@ -0,0 +1,148 @@
|
||||
/* LibTomCrypt, modular cryptographic library
|
||||
*
|
||||
* LibTomCrypt is a library that provides various cryptographic
|
||||
* algorithms in a highly modular and flexible manner.
|
||||
*
|
||||
* The library is free for all purposes without any express
|
||||
* guarantee it works.
|
||||
*
|
||||
* http://libtom.org
|
||||
*/
|
||||
#include "tomcrypt.h"
|
||||
|
||||
/**
|
||||
@file no_prng.c
|
||||
NO PRNG, Steffen Jaeckel
|
||||
*/
|
||||
|
||||
#ifdef LTC_PKCS_1
|
||||
|
||||
static unsigned char no_prng_entropy[1024];
|
||||
static unsigned long no_prng_len = 0;
|
||||
static unsigned long no_prng_offset = 0;
|
||||
|
||||
/**
|
||||
Start the PRNG
|
||||
@param prng [out] The PRNG state to initialize
|
||||
@return CRYPT_OK if successful
|
||||
*/
|
||||
int no_prng_start(prng_state *prng)
|
||||
{
|
||||
no_prng_len = 0;
|
||||
no_prng_offset = 0;
|
||||
|
||||
return CRYPT_OK;
|
||||
}
|
||||
|
||||
/**
|
||||
Add entropy to the PRNG state
|
||||
@param in The data to add
|
||||
@param inlen Length of the data to add
|
||||
@param prng PRNG state to update
|
||||
@return CRYPT_OK if successful
|
||||
*/
|
||||
int no_prng_add_entropy(const unsigned char *in, unsigned long inlen, prng_state *prng)
|
||||
{
|
||||
LTC_ARGCHK(in != NULL);
|
||||
LTC_ARGCHK(inlen <= sizeof(no_prng_entropy));
|
||||
|
||||
no_prng_len = MIN(inlen, sizeof(no_prng_entropy));
|
||||
memcpy(no_prng_entropy, in, no_prng_len);
|
||||
no_prng_offset = 0;
|
||||
|
||||
return CRYPT_OK;
|
||||
|
||||
}
|
||||
|
||||
/**
|
||||
Make the PRNG ready to read from
|
||||
@param prng The PRNG to make active
|
||||
@return CRYPT_OK if successful
|
||||
*/
|
||||
int no_prng_ready(prng_state *prng)
|
||||
{
|
||||
LTC_ARGCHK(prng != NULL);
|
||||
|
||||
return CRYPT_OK;
|
||||
}
|
||||
|
||||
/**
|
||||
Read from the PRNG
|
||||
@param out Destination
|
||||
@param outlen Length of output
|
||||
@param prng The active PRNG to read from
|
||||
@return Number of octets read
|
||||
*/
|
||||
unsigned long no_prng_read(unsigned char *out, unsigned long outlen, prng_state *prng)
|
||||
{
|
||||
LTC_ARGCHK(out != NULL);
|
||||
|
||||
outlen = MIN(outlen, no_prng_len - no_prng_offset);
|
||||
memcpy(out, &no_prng_entropy[no_prng_offset], outlen);
|
||||
no_prng_offset += outlen;
|
||||
|
||||
return outlen;
|
||||
}
|
||||
|
||||
/**
|
||||
Terminate the PRNG
|
||||
@param prng The PRNG to terminate
|
||||
@return CRYPT_OK if successful
|
||||
*/
|
||||
int no_prng_done(prng_state *prng)
|
||||
{
|
||||
return CRYPT_OK;
|
||||
}
|
||||
|
||||
/**
|
||||
Export the PRNG state
|
||||
@param out [out] Destination
|
||||
@param outlen [in/out] Max size and resulting size of the state
|
||||
@param prng The PRNG to export
|
||||
@return CRYPT_OK if successful
|
||||
*/
|
||||
int no_prng_export(unsigned char *out, unsigned long *outlen, prng_state *prng)
|
||||
{
|
||||
return CRYPT_OK;
|
||||
}
|
||||
|
||||
/**
|
||||
Import a PRNG state
|
||||
@param in The PRNG state
|
||||
@param inlen Size of the state
|
||||
@param prng The PRNG to import
|
||||
@return CRYPT_OK if successful
|
||||
*/
|
||||
int no_prng_import(const unsigned char *in, unsigned long inlen, prng_state *prng)
|
||||
{
|
||||
return CRYPT_OK;
|
||||
}
|
||||
|
||||
/**
|
||||
PRNG self-test
|
||||
@return CRYPT_OK if successful, CRYPT_NOP if self-testing has been disabled
|
||||
*/
|
||||
int no_prng_test(void)
|
||||
{
|
||||
return CRYPT_OK;
|
||||
}
|
||||
|
||||
const struct ltc_prng_descriptor no_prng_desc =
|
||||
{
|
||||
"no_prng", 0,
|
||||
&no_prng_start,
|
||||
&no_prng_add_entropy,
|
||||
&no_prng_ready,
|
||||
&no_prng_read,
|
||||
&no_prng_done,
|
||||
&no_prng_export,
|
||||
&no_prng_import,
|
||||
&no_prng_test
|
||||
};
|
||||
|
||||
#endif
|
||||
|
||||
|
||||
/* $Source$ */
|
||||
/* $Revision$ */
|
||||
/* $Date$ */
|
69
testprof/pkcs_1_eme_test.c
Normal file
69
testprof/pkcs_1_eme_test.c
Normal file
@ -0,0 +1,69 @@
|
||||
#include <tomcrypt_test.h>
|
||||
|
||||
#ifdef LTC_PKCS_1
|
||||
|
||||
#include "../notes/rsa-testvectors/pkcs1v15crypt-vectors.c"
|
||||
|
||||
|
||||
|
||||
int pkcs_1_eme_test(void)
|
||||
{
|
||||
int prng_idx = register_prng(&no_prng_desc);
|
||||
int hash_idx = find_hash("sha1");
|
||||
unsigned int i;
|
||||
|
||||
DO(prng_is_valid(prng_idx));
|
||||
DO(hash_is_valid(hash_idx));
|
||||
|
||||
for (i = 0; i < sizeof(testcases_eme)/sizeof(testcases_eme[0]); ++i) {
|
||||
testcase_t* t = &testcases_eme[i];
|
||||
rsa_key k, *key = &k;
|
||||
DOX(mp_init_multi(&key->e, &key->d, &key->N, &key->dQ,
|
||||
&key->dP, &key->qP, &key->p, &key->q, NULL), t->name);
|
||||
|
||||
DOX(mp_read_unsigned_bin(key->e, t->rsa.e, t->rsa.e_l), t->name);
|
||||
DOX(mp_read_unsigned_bin(key->d, t->rsa.d, t->rsa.d_l), t->name);
|
||||
DOX(mp_read_unsigned_bin(key->N, t->rsa.n, t->rsa.n_l), t->name);
|
||||
DOX(mp_read_unsigned_bin(key->dQ, t->rsa.dQ, t->rsa.dQ_l), t->name);
|
||||
DOX(mp_read_unsigned_bin(key->dP, t->rsa.dP, t->rsa.dP_l), t->name);
|
||||
DOX(mp_read_unsigned_bin(key->qP, t->rsa.qInv, t->rsa.qInv_l), t->name);
|
||||
DOX(mp_read_unsigned_bin(key->q, t->rsa.q, t->rsa.q_l), t->name);
|
||||
DOX(mp_read_unsigned_bin(key->p, t->rsa.p, t->rsa.p_l), t->name);
|
||||
key->type = PK_PRIVATE;
|
||||
|
||||
unsigned int j;
|
||||
for (j = 0; j < sizeof(t->data)/sizeof(t->data[0]); ++j) {
|
||||
rsaData_t* s = &t->data[j];
|
||||
unsigned char buf[256], obuf[256];
|
||||
unsigned long buflen = sizeof(buf), obuflen = sizeof(obuf);
|
||||
int stat;
|
||||
prng_descriptor[prng_idx].add_entropy(s->o2, s->o2_l, NULL);
|
||||
DOX(rsa_encrypt_key_ex(s->o1, s->o1_l, obuf, &obuflen, NULL, 0, NULL, prng_idx, -1, LTC_PKCS_1_V1_5, key), s->name);
|
||||
DOX(obuflen == (unsigned long)s->o3_l?CRYPT_OK:CRYPT_FAIL_TESTVECTOR, s->name);
|
||||
DOX(memcmp(s->o3, obuf, s->o3_l)==0?CRYPT_OK:CRYPT_FAIL_TESTVECTOR, s->name);
|
||||
DOX(rsa_decrypt_key_ex(obuf, obuflen, buf, &buflen, NULL, 0, -1, LTC_PKCS_1_V1_5, &stat, key), s->name);
|
||||
DOX(stat == 1?CRYPT_OK:CRYPT_FAIL_TESTVECTOR, s->name);
|
||||
} /* for */
|
||||
|
||||
mp_clear_multi(key->d, key->e, key->N, key->dQ, key->dP, key->qP, key->p, key->q, NULL);
|
||||
} /* for */
|
||||
|
||||
unregister_prng(&no_prng_desc);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
#else
|
||||
|
||||
int pkcs_1_eme_test(void)
|
||||
{
|
||||
fprintf(stderr, "NOP");
|
||||
return 0;
|
||||
}
|
||||
|
||||
#endif
|
||||
|
||||
|
||||
/* $Source$ */
|
||||
/* $Revision$ */
|
||||
/* $Date$ */
|
65
testprof/pkcs_1_emsa_test.c
Normal file
65
testprof/pkcs_1_emsa_test.c
Normal file
@ -0,0 +1,65 @@
|
||||
#include <tomcrypt_test.h>
|
||||
|
||||
#ifdef LTC_PKCS_1
|
||||
|
||||
#include "../notes/rsa-testvectors/pkcs1v15sign-vectors.c"
|
||||
|
||||
|
||||
|
||||
int pkcs_1_emsa_test(void)
|
||||
{
|
||||
int hash_idx = find_hash("sha1");
|
||||
unsigned int i;
|
||||
|
||||
DO(hash_is_valid(hash_idx));
|
||||
|
||||
for (i = 0; i < sizeof(testcases_emsa)/sizeof(testcases_emsa[0]); ++i) {
|
||||
testcase_t* t = &testcases_emsa[i];
|
||||
rsa_key k, *key = &k;
|
||||
DOX(mp_init_multi(&key->e, &key->d, &key->N, &key->dQ,
|
||||
&key->dP, &key->qP, &key->p, &key->q, NULL), t->name);
|
||||
|
||||
DOX(mp_read_unsigned_bin(key->e, t->rsa.e, t->rsa.e_l), t->name);
|
||||
DOX(mp_read_unsigned_bin(key->d, t->rsa.d, t->rsa.d_l), t->name);
|
||||
DOX(mp_read_unsigned_bin(key->N, t->rsa.n, t->rsa.n_l), t->name);
|
||||
DOX(mp_read_unsigned_bin(key->dQ, t->rsa.dQ, t->rsa.dQ_l), t->name);
|
||||
DOX(mp_read_unsigned_bin(key->dP, t->rsa.dP, t->rsa.dP_l), t->name);
|
||||
DOX(mp_read_unsigned_bin(key->qP, t->rsa.qInv, t->rsa.qInv_l), t->name);
|
||||
DOX(mp_read_unsigned_bin(key->q, t->rsa.q, t->rsa.q_l), t->name);
|
||||
DOX(mp_read_unsigned_bin(key->p, t->rsa.p, t->rsa.p_l), t->name);
|
||||
key->type = PK_PRIVATE;
|
||||
|
||||
unsigned int j;
|
||||
for (j = 0; j < sizeof(t->data)/sizeof(t->data[0]); ++j) {
|
||||
rsaData_t* s = &t->data[j];
|
||||
unsigned char buf[20], obuf[256];
|
||||
unsigned long buflen = sizeof(buf), obuflen = sizeof(obuf);
|
||||
int stat;
|
||||
DOX(hash_memory(hash_idx, s->o1, s->o1_l, buf, &buflen), s->name);
|
||||
DOX(rsa_sign_hash_ex(buf, buflen, obuf, &obuflen, LTC_PKCS_1_V1_5, NULL, -1, hash_idx, 0, key), s->name);
|
||||
DOX(obuflen == (unsigned long)s->o2_l?CRYPT_OK:CRYPT_FAIL_TESTVECTOR, s->name);
|
||||
DOX(memcmp(s->o2, obuf, s->o2_l)==0?CRYPT_OK:CRYPT_FAIL_TESTVECTOR, s->name);
|
||||
DOX(rsa_verify_hash_ex(obuf, obuflen, buf, buflen, LTC_PKCS_1_V1_5, hash_idx, 0, &stat, key), s->name);
|
||||
DOX(stat == 1?CRYPT_OK:CRYPT_FAIL_TESTVECTOR, s->name);
|
||||
} /* for */
|
||||
|
||||
mp_clear_multi(key->d, key->e, key->N, key->dQ, key->dP, key->qP, key->p, key->q, NULL);
|
||||
} /* for */
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
#else
|
||||
|
||||
int pkcs_1_emsa_test(void)
|
||||
{
|
||||
fprintf(stderr, "NOP");
|
||||
return 0;
|
||||
}
|
||||
|
||||
#endif
|
||||
|
||||
|
||||
/* $Source$ */
|
||||
/* $Revision$ */
|
||||
/* $Date$ */
|
69
testprof/pkcs_1_oaep_test.c
Normal file
69
testprof/pkcs_1_oaep_test.c
Normal file
@ -0,0 +1,69 @@
|
||||
#include <tomcrypt_test.h>
|
||||
|
||||
#ifdef LTC_PKCS_1
|
||||
|
||||
#include "../notes/rsa-testvectors/oaep-vect.c"
|
||||
|
||||
|
||||
|
||||
int pkcs_1_oaep_test(void)
|
||||
{
|
||||
int prng_idx = register_prng(&no_prng_desc);
|
||||
int hash_idx = find_hash("sha1");
|
||||
unsigned int i;
|
||||
|
||||
DO(prng_is_valid(prng_idx));
|
||||
DO(hash_is_valid(hash_idx));
|
||||
|
||||
for (i = 0; i < sizeof(testcases_oaep)/sizeof(testcases_oaep[0]); ++i) {
|
||||
testcase_t* t = &testcases_oaep[i];
|
||||
rsa_key k, *key = &k;
|
||||
DOX(mp_init_multi(&key->e, &key->d, &key->N, &key->dQ,
|
||||
&key->dP, &key->qP, &key->p, &key->q, NULL), t->name);
|
||||
|
||||
DOX(mp_read_unsigned_bin(key->e, t->rsa.e, t->rsa.e_l), t->name);
|
||||
DOX(mp_read_unsigned_bin(key->d, t->rsa.d, t->rsa.d_l), t->name);
|
||||
DOX(mp_read_unsigned_bin(key->N, t->rsa.n, t->rsa.n_l), t->name);
|
||||
DOX(mp_read_unsigned_bin(key->dQ, t->rsa.dQ, t->rsa.dQ_l), t->name);
|
||||
DOX(mp_read_unsigned_bin(key->dP, t->rsa.dP, t->rsa.dP_l), t->name);
|
||||
DOX(mp_read_unsigned_bin(key->qP, t->rsa.qInv, t->rsa.qInv_l), t->name);
|
||||
DOX(mp_read_unsigned_bin(key->q, t->rsa.q, t->rsa.q_l), t->name);
|
||||
DOX(mp_read_unsigned_bin(key->p, t->rsa.p, t->rsa.p_l), t->name);
|
||||
key->type = PK_PRIVATE;
|
||||
|
||||
unsigned int j;
|
||||
for (j = 0; j < sizeof(t->data)/sizeof(t->data[0]); ++j) {
|
||||
rsaData_t* s = &t->data[j];
|
||||
unsigned char buf[256], obuf[256];
|
||||
unsigned long buflen = sizeof(buf), obuflen = sizeof(obuf);
|
||||
int stat;
|
||||
prng_descriptor[prng_idx].add_entropy(s->o2, s->o2_l, NULL);
|
||||
DOX(rsa_encrypt_key(s->o1, s->o1_l, obuf, &obuflen, NULL, 0, NULL, prng_idx, hash_idx, key), s->name);
|
||||
DOX(obuflen == (unsigned long)s->o3_l?CRYPT_OK:CRYPT_FAIL_TESTVECTOR, s->name);
|
||||
DOX(memcmp(s->o3, obuf, s->o3_l)==0?CRYPT_OK:CRYPT_FAIL_TESTVECTOR, s->name);
|
||||
DOX(rsa_decrypt_key(obuf, obuflen, buf, &buflen, NULL, 0, hash_idx, &stat, key), s->name);
|
||||
DOX(stat == 1?CRYPT_OK:CRYPT_FAIL_TESTVECTOR, s->name);
|
||||
} /* for */
|
||||
|
||||
mp_clear_multi(key->d, key->e, key->N, key->dQ, key->dP, key->qP, key->p, key->q, NULL);
|
||||
} /* for */
|
||||
|
||||
unregister_prng(&no_prng_desc);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
#else
|
||||
|
||||
int pkcs_1_oaep_test(void)
|
||||
{
|
||||
fprintf(stderr, "NOP");
|
||||
return 0;
|
||||
}
|
||||
|
||||
#endif
|
||||
|
||||
|
||||
/* $Source$ */
|
||||
/* $Revision$ */
|
||||
/* $Date$ */
|
70
testprof/pkcs_1_pss_test.c
Normal file
70
testprof/pkcs_1_pss_test.c
Normal file
@ -0,0 +1,70 @@
|
||||
#include <tomcrypt_test.h>
|
||||
|
||||
#ifdef LTC_PKCS_1
|
||||
|
||||
#include "../notes/rsa-testvectors/pss-vect.c"
|
||||
|
||||
|
||||
|
||||
int pkcs_1_pss_test(void)
|
||||
{
|
||||
int prng_idx = register_prng(&no_prng_desc);
|
||||
int hash_idx = find_hash("sha1");
|
||||
unsigned int i;
|
||||
|
||||
DO(prng_is_valid(prng_idx));
|
||||
DO(hash_is_valid(hash_idx));
|
||||
|
||||
for (i = 0; i < sizeof(testcases_pss)/sizeof(testcases_pss[0]); ++i) {
|
||||
testcase_t* t = &testcases_pss[i];
|
||||
rsa_key k, *key = &k;
|
||||
DOX(mp_init_multi(&key->e, &key->d, &key->N, &key->dQ,
|
||||
&key->dP, &key->qP, &key->p, &key->q, NULL), t->name);
|
||||
|
||||
DOX(mp_read_unsigned_bin(key->e, t->rsa.e, t->rsa.e_l), t->name);
|
||||
DOX(mp_read_unsigned_bin(key->d, t->rsa.d, t->rsa.d_l), t->name);
|
||||
DOX(mp_read_unsigned_bin(key->N, t->rsa.n, t->rsa.n_l), t->name);
|
||||
DOX(mp_read_unsigned_bin(key->dQ, t->rsa.dQ, t->rsa.dQ_l), t->name);
|
||||
DOX(mp_read_unsigned_bin(key->dP, t->rsa.dP, t->rsa.dP_l), t->name);
|
||||
DOX(mp_read_unsigned_bin(key->qP, t->rsa.qInv, t->rsa.qInv_l), t->name);
|
||||
DOX(mp_read_unsigned_bin(key->q, t->rsa.q, t->rsa.q_l), t->name);
|
||||
DOX(mp_read_unsigned_bin(key->p, t->rsa.p, t->rsa.p_l), t->name);
|
||||
key->type = PK_PRIVATE;
|
||||
|
||||
unsigned int j;
|
||||
for (j = 0; j < sizeof(t->data)/sizeof(t->data[0]); ++j) {
|
||||
rsaData_t* s = &t->data[j];
|
||||
unsigned char buf[20], obuf[256];
|
||||
unsigned long buflen = sizeof(buf), obuflen = sizeof(obuf);
|
||||
int stat;
|
||||
prng_descriptor[prng_idx].add_entropy(s->o2, s->o2_l, NULL);
|
||||
DOX(hash_memory(hash_idx, s->o1, s->o1_l, buf, &buflen), s->name);
|
||||
DOX(rsa_sign_hash(buf, buflen, obuf, &obuflen, NULL, prng_idx, hash_idx, s->o2_l, key), s->name);
|
||||
DOX(obuflen == (unsigned long)s->o3_l?CRYPT_OK:CRYPT_FAIL_TESTVECTOR, s->name);
|
||||
DOX(memcmp(s->o3, obuf, s->o3_l)==0?CRYPT_OK:CRYPT_FAIL_TESTVECTOR, s->name);
|
||||
DOX(rsa_verify_hash(obuf, obuflen, buf, buflen, hash_idx, s->o2_l, &stat, key), s->name);
|
||||
DOX(stat == 1?CRYPT_OK:CRYPT_FAIL_TESTVECTOR, s->name);
|
||||
} /* for */
|
||||
|
||||
mp_clear_multi(key->d, key->e, key->N, key->dQ, key->dP, key->qP, key->p, key->q, NULL);
|
||||
} /* for */
|
||||
|
||||
unregister_prng(&no_prng_desc);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
#else
|
||||
|
||||
int pkcs_1_pss_test(void)
|
||||
{
|
||||
fprintf(stderr, "NOP");
|
||||
return 0;
|
||||
}
|
||||
|
||||
#endif
|
||||
|
||||
|
||||
/* $Source$ */
|
||||
/* $Revision$ */
|
||||
/* $Date$ */
|
@ -2,6 +2,12 @@
|
||||
|
||||
#ifdef LTC_PKCS_1
|
||||
|
||||
#ifdef LTC_TEST_REAL_RAND
|
||||
#define LTC_TEST_RAND_SEED time(NULL)
|
||||
#else
|
||||
#define LTC_TEST_RAND_SEED 23
|
||||
#endif
|
||||
|
||||
int pkcs_1_test(void)
|
||||
{
|
||||
unsigned char buf[3][128];
|
||||
@ -18,7 +24,7 @@ int pkcs_1_test(void)
|
||||
return 1;
|
||||
}
|
||||
|
||||
srand(time(NULL));
|
||||
srand(LTC_TEST_RAND_SEED);
|
||||
/* do many tests */
|
||||
for (x = 0; x < 100; x++) {
|
||||
zeromem(buf, sizeof(buf));
|
||||
|
@ -104,8 +104,8 @@ int rsa_test(void)
|
||||
{
|
||||
unsigned char in[1024], out[1024], tmp[1024];
|
||||
rsa_key key, privKey, pubKey;
|
||||
int hash_idx, prng_idx, stat, stat2;
|
||||
unsigned long rsa_msgsize, len, len2, cnt;
|
||||
int hash_idx, prng_idx, stat, stat2, i;
|
||||
unsigned long rsa_msgsize, len, len2, len3, cnt, cnt2;
|
||||
static unsigned char lparam[] = { 0x01, 0x02, 0x03, 0x04 };
|
||||
|
||||
if (rsa_compat_test() != 0) {
|
||||
@ -186,24 +186,9 @@ for (cnt = 0; cnt < len; ) {
|
||||
return 1;
|
||||
}
|
||||
if (len2 != rsa_msgsize || memcmp(tmp, in, rsa_msgsize)) {
|
||||
unsigned long x;
|
||||
fprintf(stderr, "\nrsa_decrypt_key mismatch, len %lu (second decrypt)\n", len2);
|
||||
fprintf(stderr, "Original contents: \n");
|
||||
for (x = 0; x < rsa_msgsize; ) {
|
||||
fprintf(stderr, "%02x ", in[x]);
|
||||
if (!(++x % 16)) {
|
||||
fprintf(stderr, "\n");
|
||||
}
|
||||
}
|
||||
fprintf(stderr, "\n");
|
||||
fprintf(stderr, "Output contents: \n");
|
||||
for (x = 0; x < rsa_msgsize; ) {
|
||||
fprintf(stderr, "%02x ", out[x]);
|
||||
if (!(++x % 16)) {
|
||||
fprintf(stderr, "\n");
|
||||
}
|
||||
}
|
||||
fprintf(stderr, "\n");
|
||||
print_hex("Original", in, rsa_msgsize);
|
||||
print_hex("Output", tmp, len2);
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
@ -232,6 +217,8 @@ for (cnt = 0; cnt < len; ) {
|
||||
}
|
||||
if (len2 != rsa_msgsize || memcmp(tmp, in, rsa_msgsize)) {
|
||||
fprintf(stderr, "rsa_decrypt_key mismatch len %lu", len2);
|
||||
print_hex("Original", in, rsa_msgsize);
|
||||
print_hex("Output", tmp, len2);
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
@ -240,18 +227,26 @@ for (cnt = 0; cnt < len; ) {
|
||||
for (rsa_msgsize = 1; rsa_msgsize <= 117; rsa_msgsize++) {
|
||||
len = sizeof(out);
|
||||
len2 = rsa_msgsize;
|
||||
/* make a random key/msg */
|
||||
yarrow_read(in, rsa_msgsize, &yarrow_prng);
|
||||
DO(rsa_encrypt_key_ex(in, rsa_msgsize, out, &len, NULL, 0, &yarrow_prng, prng_idx, 0, LTC_PKCS_1_V1_5, &key));
|
||||
|
||||
len2 = rsa_msgsize;
|
||||
DO(rsa_decrypt_key_ex(out, len, tmp, &len2, NULL, 0, 0, LTC_PKCS_1_V1_5, &stat, &key));
|
||||
if (!(stat == 1 && stat2 == 0)) {
|
||||
if (stat != 1) {
|
||||
fprintf(stderr, "rsa_decrypt_key_ex failed, %d, %d", stat, stat2);
|
||||
return 1;
|
||||
}
|
||||
if (len2 != rsa_msgsize || memcmp(tmp, in, rsa_msgsize)) {
|
||||
if (len2 != rsa_msgsize) {
|
||||
fprintf(stderr, "rsa_decrypt_key_ex mismatch len %lu", len2);
|
||||
return 1;
|
||||
}
|
||||
if (memcmp(tmp, in, rsa_msgsize)) {
|
||||
fprintf(stderr, "rsa_decrypt_key_ex mismatch data");
|
||||
print_hex("Original", in, rsa_msgsize);
|
||||
print_hex("Output", tmp, rsa_msgsize);
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
|
||||
/* sign a message (unsalted, lower cholestorol and Atkins approved) now */
|
||||
@ -281,7 +276,7 @@ for (cnt = 0; cnt < len; ) {
|
||||
}
|
||||
|
||||
/* verify with privKey */
|
||||
/* change a byte */
|
||||
/* change byte back to original */
|
||||
in[0] ^= 1;
|
||||
DO(rsa_verify_hash(out, len, in, 20, hash_idx, 0, &stat, &privKey));
|
||||
/* change a byte */
|
||||
@ -297,7 +292,7 @@ for (cnt = 0; cnt < len; ) {
|
||||
}
|
||||
|
||||
/* verify with pubKey */
|
||||
/* change a byte */
|
||||
/* change byte back to original */
|
||||
in[0] ^= 1;
|
||||
DO(rsa_verify_hash(out, len, in, 20, hash_idx, 0, &stat, &pubKey));
|
||||
/* change a byte */
|
||||
@ -344,6 +339,85 @@ for (cnt = 0; cnt < len; ) {
|
||||
return 1;
|
||||
}
|
||||
|
||||
/* Testcase for Bleichenbacher attack
|
||||
*
|
||||
* (1) Create a valid signature
|
||||
* (2) Check that it can be verified
|
||||
* (3) Decrypt the package to fetch plain text
|
||||
* (4) Forge the structure of PKCS#1-EMSA encoded data
|
||||
* (4.1) Search for start and end of the padding string
|
||||
* (4.2) Move the signature to the front of the padding string
|
||||
* (4.3) Zero the message until the end
|
||||
* (5) Encrypt the package again
|
||||
* (6) Profit :)
|
||||
* For PS lengths < 8: the verification process should fail
|
||||
* For PS lengths >= 8: the verification process should succeed
|
||||
* For all PS lengths: the result should not be valid
|
||||
*/
|
||||
|
||||
unsigned char* p = in;
|
||||
unsigned char* p2 = out;
|
||||
unsigned char* p3 = tmp;
|
||||
for (i = 0; i < 9; ++i) {
|
||||
len = sizeof(in);
|
||||
len2 = sizeof(out);
|
||||
cnt = rsa_get_size(&key);
|
||||
/* (1) */
|
||||
DO(rsa_sign_hash_ex(p, 20, p2, &len2, LTC_PKCS_1_V1_5, &yarrow_prng, prng_idx, hash_idx, 8, &privKey));
|
||||
/* (2) */
|
||||
DOX(rsa_verify_hash_ex(p2, len2, p, 20, LTC_PKCS_1_V1_5, hash_idx, -1, &stat, &pubKey), "should succeed");
|
||||
DOX(stat == 1?CRYPT_OK:CRYPT_FAIL_TESTVECTOR, "should succeed");
|
||||
len3 = sizeof(tmp);
|
||||
/* (3) */
|
||||
DO(ltc_mp.rsa_me(p2, len2, p3, &len3, PK_PUBLIC, &key));
|
||||
/* (4) */
|
||||
#if 0
|
||||
printf("\nBefore:");
|
||||
for (cnt = 0; cnt < len3; ++cnt) {
|
||||
if (cnt%32 == 0)
|
||||
printf("\n%3lu:", cnt);
|
||||
printf(" %02x", p3[cnt]);
|
||||
}
|
||||
#endif
|
||||
/* (4.1) */
|
||||
for (cnt = 0; cnt < len3; ++cnt) {
|
||||
if (p3[cnt] == 0xff)
|
||||
break;
|
||||
}
|
||||
for (cnt2 = cnt+1; cnt2 < len3; ++cnt2) {
|
||||
if (p3[cnt2] != 0xff)
|
||||
break;
|
||||
}
|
||||
/* (4.2) */
|
||||
memmove(&p3[cnt+i], &p3[cnt2], len3-cnt2);
|
||||
/* (4.3) */
|
||||
for (cnt = cnt + len3-cnt2+i; cnt < len; ++cnt) {
|
||||
p3[cnt] = 0;
|
||||
}
|
||||
#if 0
|
||||
printf("\nAfter:");
|
||||
for (cnt = 0; cnt < len3; ++cnt) {
|
||||
if (cnt%32 == 0)
|
||||
printf("\n%3lu:", cnt);
|
||||
printf(" %02x", p3[cnt]);
|
||||
}
|
||||
printf("\n");
|
||||
#endif
|
||||
|
||||
len2 = sizeof(out);
|
||||
/* (5) */
|
||||
DO(ltc_mp.rsa_me(p3, len3, p2, &len2, PK_PRIVATE, &key));
|
||||
|
||||
len3 = sizeof(tmp);
|
||||
/* (6) */
|
||||
if (i < 8)
|
||||
DOX(rsa_verify_hash_ex(p2, len2, p, 20, LTC_PKCS_1_V1_5, hash_idx, -1, &stat, &pubKey)
|
||||
== CRYPT_INVALID_PACKET ? CRYPT_OK:CRYPT_INVALID_PACKET, "should fail");
|
||||
else
|
||||
DOX(rsa_verify_hash_ex(p2, len2, p, 20, LTC_PKCS_1_V1_5, hash_idx, -1, &stat, &pubKey), "should succeed");
|
||||
DOX(stat == 0?CRYPT_OK:CRYPT_FAIL_TESTVECTOR, "should fail");
|
||||
}
|
||||
|
||||
/* free the key and return */
|
||||
rsa_free(&key);
|
||||
rsa_free(&pubKey);
|
||||
|
@ -39,11 +39,11 @@ extern prng_state yarrow_prng;
|
||||
void run_cmd(int res, int line, char *file, char *cmd, const char *algorithm);
|
||||
|
||||
#ifdef LTC_VERBOSE
|
||||
#define DO(x) do { fprintf(stderr, "%s:\n", #x); run_cmd((x), __LINE__, __FILE__, #x, NULL); } while (0);
|
||||
#define DOX(x, str) do { fprintf(stderr, "%s - %s:\n", #x, (str)); run_cmd((x), __LINE__, __FILE__, #x, (str)); } while (0);
|
||||
#define DO(x) do { fprintf(stderr, "%s:\n", #x); run_cmd((x), __LINE__, __FILE__, #x, NULL); } while (0)
|
||||
#define DOX(x, str) do { fprintf(stderr, "%s - %s:\n", #x, (str)); run_cmd((x), __LINE__, __FILE__, #x, (str)); } while (0)
|
||||
#else
|
||||
#define DO(x) do { run_cmd((x), __LINE__, __FILE__, #x, NULL); } while (0);
|
||||
#define DOX(x, str) do { run_cmd((x), __LINE__, __FILE__, #x, (str)); } while (0);
|
||||
#define DO(x) do { run_cmd((x), __LINE__, __FILE__, #x, NULL); } while (0)
|
||||
#define DOX(x, str) do { run_cmd((x), __LINE__, __FILE__, #x, (str)); } while (0)
|
||||
#endif
|
||||
|
||||
/* TESTS */
|
||||
@ -51,6 +51,10 @@ int cipher_hash_test(void);
|
||||
int modes_test(void);
|
||||
int mac_test(void);
|
||||
int pkcs_1_test(void);
|
||||
int pkcs_1_pss_test(void);
|
||||
int pkcs_1_oaep_test(void);
|
||||
int pkcs_1_emsa_test(void);
|
||||
int pkcs_1_eme_test(void);
|
||||
int store_test(void);
|
||||
int rsa_test(void);
|
||||
int dh_test(void);
|
||||
@ -72,6 +76,11 @@ extern struct list {
|
||||
|
||||
extern int no_results;
|
||||
|
||||
#ifdef LTC_PKCS_1
|
||||
extern const struct ltc_prng_descriptor no_prng_desc;
|
||||
#endif
|
||||
|
||||
void print_hex(const char* what, const unsigned char* p, const unsigned long l);
|
||||
int sorter(const void *a, const void *b);
|
||||
void tally_results(int type);
|
||||
ulong64 rdtsc (void);
|
||||
|
@ -2,6 +2,19 @@
|
||||
|
||||
prng_state yarrow_prng;
|
||||
|
||||
void print_hex(const char* what, const unsigned char* p, const unsigned long l)
|
||||
{
|
||||
unsigned long x;
|
||||
fprintf(stderr, "%s contents: \n", what);
|
||||
for (x = 0; x < l; ) {
|
||||
fprintf(stderr, "%02x ", p[x]);
|
||||
if (!(++x % 16)) {
|
||||
fprintf(stderr, "\n");
|
||||
}
|
||||
}
|
||||
fprintf(stderr, "\n");
|
||||
}
|
||||
|
||||
struct list results[100];
|
||||
int no_results;
|
||||
int sorter(const void *a, const void *b)
|
||||
|
Loading…
Reference in New Issue
Block a user