1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.] */
57 #include <openssl/rsa.h>
62 #include <gtest/gtest.h>
64 #include <openssl/bn.h>
65 #include <openssl/bytestring.h>
66 #include <openssl/crypto.h>
67 #include <openssl/err.h>
68 #include <openssl/nid.h>
70 #include "../fipsmodule/bn/internal.h"
71 #include "../fipsmodule/rsa/internal.h"
72 #include "../internal.h"
73 #include "../test/test_util.h"
76 // kPlaintext is a sample plaintext.
77 static const uint8_t kPlaintext[] = "\x54\x85\x9b\x34\x2c\x49\xea\x2a";
78 static const size_t kPlaintextLen = sizeof(kPlaintext) - 1;
80 // kKey1 is a DER-encoded RSAPrivateKey.
81 static const uint8_t kKey1[] =
82 "\x30\x82\x01\x38\x02\x01\x00\x02\x41\x00\xaa\x36\xab\xce\x88\xac\xfd\xff"
83 "\x55\x52\x3c\x7f\xc4\x52\x3f\x90\xef\xa0\x0d\xf3\x77\x4a\x25\x9f\x2e\x62"
84 "\xb4\xc5\xd9\x9c\xb5\xad\xb3\x00\xa0\x28\x5e\x53\x01\x93\x0e\x0c\x70\xfb"
85 "\x68\x76\x93\x9c\xe6\x16\xce\x62\x4a\x11\xe0\x08\x6d\x34\x1e\xbc\xac\xa0"
86 "\xa1\xf5\x02\x01\x11\x02\x40\x0a\x03\x37\x48\x62\x64\x87\x69\x5f\x5f\x30"
87 "\xbc\x38\xb9\x8b\x44\xc2\xcd\x2d\xff\x43\x40\x98\xcd\x20\xd8\xa1\x38\xd0"
88 "\x90\xbf\x64\x79\x7c\x3f\xa7\xa2\xcd\xcb\x3c\xd1\xe0\xbd\xba\x26\x54\xb4"
89 "\xf9\xdf\x8e\x8a\xe5\x9d\x73\x3d\x9f\x33\xb3\x01\x62\x4a\xfd\x1d\x51\x02"
90 "\x21\x00\xd8\x40\xb4\x16\x66\xb4\x2e\x92\xea\x0d\xa3\xb4\x32\x04\xb5\xcf"
91 "\xce\x33\x52\x52\x4d\x04\x16\xa5\xa4\x41\xe7\x00\xaf\x46\x12\x0d\x02\x21"
92 "\x00\xc9\x7f\xb1\xf0\x27\xf4\x53\xf6\x34\x12\x33\xea\xaa\xd1\xd9\x35\x3f"
93 "\x6c\x42\xd0\x88\x66\xb1\xd0\x5a\x0f\x20\x35\x02\x8b\x9d\x89\x02\x20\x59"
94 "\x0b\x95\x72\xa2\xc2\xa9\xc4\x06\x05\x9d\xc2\xab\x2f\x1d\xaf\xeb\x7e\x8b"
95 "\x4f\x10\xa7\x54\x9e\x8e\xed\xf5\xb4\xfc\xe0\x9e\x05\x02\x21\x00\x8e\x3c"
96 "\x05\x21\xfe\x15\xe0\xea\x06\xa3\x6f\xf0\xf1\x0c\x99\x52\xc3\x5b\x7a\x75"
97 "\x14\xfd\x32\x38\xb8\x0a\xad\x52\x98\x62\x8d\x51\x02\x20\x36\x3f\xf7\x18"
98 "\x9d\xa8\xe9\x0b\x1d\x34\x1f\x71\xd0\x9b\x76\xa8\xa9\x43\xe1\x1d\x10\xb2"
99 "\x4d\x24\x9f\x2d\xea\xfe\xf8\x0c\x18\x26";
101 // kFIPSKey is a DER-encoded RSAPrivateKey that is FIPS-compliant.
102 static const uint8_t kFIPSKey[] =
103 "\x30\x82\x02\x5c\x02\x01\x00\x02\x81\x81\x00\xa1\x71\x90\x77\x86\x8a\xc7"
104 "\xb8\xfc\x2a\x45\x82\x6d\xee\xeb\x35\x3a\x18\x3f\xb6\xb0\x1e\xb1\xd3\x09"
105 "\x6b\x05\x4d\xec\x1c\x37\x6f\x09\x31\x32\xda\x21\x8a\x49\x0e\x16\x28\xed"
106 "\x9a\x30\xf3\x14\x53\xfd\x5b\xb0\xf6\x4a\x5d\x52\xe1\xda\xe1\x40\x6e\x65"
107 "\xbf\xca\x45\xd9\x62\x96\x4a\x1e\x11\xc4\x61\x83\x1f\x58\x8d\x5e\xd0\x12"
108 "\xaf\xa5\xec\x9b\x97\x2f\x6c\xb2\x82\x4a\x73\xd0\xd3\x9a\xc9\x69\x6b\x24"
109 "\x3c\x82\x6f\xee\x4d\x0c\x7e\xdf\xd7\xae\xea\x3a\xeb\x04\x27\x8d\x43\x81"
110 "\x59\xa7\x90\x56\xc1\x69\x42\xb3\xaf\x1c\x8d\x4e\xbf\x02\x03\x01\x00\x01"
111 "\x02\x81\x80\x60\x82\xcd\x44\x46\xcf\xeb\xf9\x6f\xf5\xad\x3b\xfd\x90\x18"
112 "\x57\xe7\x74\xdb\x91\xd0\xd3\x68\xa6\xaa\x38\xaa\x21\x1d\x06\xf9\x34\x8d"
113 "\xa0\x35\xb0\x24\xe0\xd0\x2f\x75\x9b\xdd\xfe\x91\x48\x9f\x5c\x5e\x57\x54"
114 "\x00\xc8\x0f\xe6\x1e\x52\x84\xd9\xc9\xa5\x55\xf4\x0a\xbe\x88\x46\x7a\xfb"
115 "\x18\x37\x8e\xe6\x6e\xa2\x5f\x80\x48\x34\x3f\x5c\xbe\x0e\x1e\xe8\x2f\x50"
116 "\xba\x14\x96\x3c\xea\xfb\xd2\x49\x33\xdc\x12\xb8\xa7\x8a\xb5\x27\xf9\x00"
117 "\x4b\xf5\xd2\x2a\xd0\x2c\x1d\x9b\xd5\x6c\x3e\x4b\xb9\x7e\x39\xf7\x3e\x39"
118 "\xc9\x47\x5e\xbe\x91\x02\x41\x00\xcd\x33\xcf\x37\x01\xd7\x59\xcc\xbe\xa0"
119 "\x1c\xb9\xf5\xe7\x44\x9f\x62\x91\xa7\xa7\x7b\x0c\x52\xcd\x7e\xe6\x31\x11"
120 "\x8b\xd8\x2c\x8a\x63\xe1\x07\xc9\xcb\xce\x01\x45\x63\xf5\x5d\x44\xfb\xeb"
121 "\x8d\x74\x16\x20\x7d\x3b\xb4\xa1\x61\xb0\xa8\x29\x51\xc9\xef\xb6\xa1\xd5"
122 "\x02\x41\x00\xc9\x68\xa6\xd3\x88\xd5\x49\x9d\x6b\x44\x96\xfd\xbf\x66\x27"
123 "\xb4\x1f\x90\x76\x86\x2f\xe2\xce\x20\x5d\xee\x9b\xeb\xc4\xb4\x62\x47\x79"
124 "\x99\xb1\x99\xbc\xa2\xa6\xb6\x96\x64\xd5\x77\x9b\x45\xd4\xf0\x99\xb5\x9e"
125 "\x61\x4d\xf5\x12\xdd\x84\x14\xaf\x1e\xdd\x83\x24\x43\x02\x40\x60\x29\x7f"
126 "\x59\xcf\xcb\x13\x92\x17\x63\x01\x13\x44\x61\x74\x8f\x1c\xaa\x15\x5f\x2f"
127 "\x12\xbf\x5a\xfd\xb4\xf2\x19\xbe\xe7\x37\x38\x43\x46\x19\x58\x3f\xe1\xf2"
128 "\x46\x8a\x69\x59\xa4\x12\x4a\x78\xa7\x86\x17\x03\x99\x0f\x34\xf1\x8a\xcf"
129 "\xc3\x4d\x48\xcc\xc5\x51\x61\x02\x41\x00\xc2\x12\xb3\x5d\xf5\xe5\xff\xcf"
130 "\x4e\x43\x83\x72\xf2\xf1\x4e\xa4\xc4\x1d\x81\xf7\xff\x40\x7e\xfa\xb5\x48"
131 "\x6c\xba\x1c\x8a\xec\x80\x8e\xed\xc8\x32\xa9\x8f\xd9\x30\xeb\x6e\x32\x3b"
132 "\xd4\x44\xcf\xd1\x1f\x6b\xe0\x37\x46\xd5\x35\xde\x79\x9d\x2c\xb9\x83\x1d"
133 "\x10\xdd\x02\x40\x0f\x14\x95\x96\xa0\xe2\x6c\xd4\x88\xa7\x0b\x82\x14\x10"
134 "\xad\x26\x0d\xe4\xa1\x5e\x01\x3d\x21\xd2\xfb\x0e\xf9\x58\xa5\xca\x1e\x21"
135 "\xb3\xf5\x9a\x6c\x3d\x5a\x72\xb1\x2d\xfe\xac\x09\x4f\xdd\xe5\x44\xd1\x4e"
136 "\xf8\x59\x85\x3a\x65\xe2\xcd\xbc\x27\x1d\x9b\x48\x9f\xb9";
138 static const uint8_t kFIPSPublicKey[] =
139 "\x30\x81\x89\x02\x81\x81\x00\xa1\x71\x90\x77\x86\x8a\xc7\xb8\xfc\x2a\x45"
140 "\x82\x6d\xee\xeb\x35\x3a\x18\x3f\xb6\xb0\x1e\xb1\xd3\x09\x6b\x05\x4d\xec"
141 "\x1c\x37\x6f\x09\x31\x32\xda\x21\x8a\x49\x0e\x16\x28\xed\x9a\x30\xf3\x14"
142 "\x53\xfd\x5b\xb0\xf6\x4a\x5d\x52\xe1\xda\xe1\x40\x6e\x65\xbf\xca\x45\xd9"
143 "\x62\x96\x4a\x1e\x11\xc4\x61\x83\x1f\x58\x8d\x5e\xd0\x12\xaf\xa5\xec\x9b"
144 "\x97\x2f\x6c\xb2\x82\x4a\x73\xd0\xd3\x9a\xc9\x69\x6b\x24\x3c\x82\x6f\xee"
145 "\x4d\x0c\x7e\xdf\xd7\xae\xea\x3a\xeb\x04\x27\x8d\x43\x81\x59\xa7\x90\x56"
146 "\xc1\x69\x42\xb3\xaf\x1c\x8d\x4e\xbf\x02\x03\x01\x00\x01";
148 // kOAEPCiphertext1 is a sample encryption of |kPlaintext| with |kKey1| using
150 static const uint8_t kOAEPCiphertext1[] =
151 "\x1b\x8f\x05\xf9\xca\x1a\x79\x52\x6e\x53\xf3\xcc\x51\x4f\xdb\x89\x2b\xfb"
152 "\x91\x93\x23\x1e\x78\xb9\x92\xe6\x8d\x50\xa4\x80\xcb\x52\x33\x89\x5c\x74"
153 "\x95\x8d\x5d\x02\xab\x8c\x0f\xd0\x40\xeb\x58\x44\xb0\x05\xc3\x9e\xd8\x27"
154 "\x4a\x9d\xbf\xa8\x06\x71\x40\x94\x39\xd2";
156 // kKey2 is a DER-encoded RSAPrivateKey.
157 static const uint8_t kKey2[] =
158 "\x30\x81\xfb\x02\x01\x00\x02\x33\x00\xa3\x07\x9a\x90\xdf\x0d\xfd\x72\xac"
159 "\x09\x0c\xcc\x2a\x78\xb8\x74\x13\x13\x3e\x40\x75\x9c\x98\xfa\xf8\x20\x4f"
160 "\x35\x8a\x0b\x26\x3c\x67\x70\xe7\x83\xa9\x3b\x69\x71\xb7\x37\x79\xd2\x71"
161 "\x7b\xe8\x34\x77\xcf\x02\x01\x03\x02\x32\x6c\xaf\xbc\x60\x94\xb3\xfe\x4c"
162 "\x72\xb0\xb3\x32\xc6\xfb\x25\xa2\xb7\x62\x29\x80\x4e\x68\x65\xfc\xa4\x5a"
163 "\x74\xdf\x0f\x8f\xb8\x41\x3b\x52\xc0\xd0\xe5\x3d\x9b\x59\x0f\xf1\x9b\xe7"
164 "\x9f\x49\xdd\x21\xe5\xeb\x02\x1a\x00\xcf\x20\x35\x02\x8b\x9d\x86\x98\x40"
165 "\xb4\x16\x66\xb4\x2e\x92\xea\x0d\xa3\xb4\x32\x04\xb5\xcf\xce\x91\x02\x1a"
166 "\x00\xc9\x7f\xb1\xf0\x27\xf4\x53\xf6\x34\x12\x33\xea\xaa\xd1\xd9\x35\x3f"
167 "\x6c\x42\xd0\x88\x66\xb1\xd0\x5f\x02\x1a\x00\x8a\x15\x78\xac\x5d\x13\xaf"
168 "\x10\x2b\x22\xb9\x99\xcd\x74\x61\xf1\x5e\x6d\x22\xcc\x03\x23\xdf\xdf\x0b"
169 "\x02\x1a\x00\x86\x55\x21\x4a\xc5\x4d\x8d\x4e\xcd\x61\x77\xf1\xc7\x36\x90"
170 "\xce\x2a\x48\x2c\x8b\x05\x99\xcb\xe0\x3f\x02\x1a\x00\x83\xef\xef\xb8\xa9"
171 "\xa4\x0d\x1d\xb6\xed\x98\xad\x84\xed\x13\x35\xdc\xc1\x08\xf3\x22\xd0\x57"
174 // kOAEPCiphertext2 is a sample encryption of |kPlaintext| with |kKey2| using
176 static const uint8_t kOAEPCiphertext2[] =
177 "\x14\xbd\xdd\x28\xc9\x83\x35\x19\x23\x80\xe8\xe5\x49\xb1\x58\x2a\x8b\x40"
178 "\xb4\x48\x6d\x03\xa6\xa5\x31\x1f\x1f\xd5\xf0\xa1\x80\xe4\x17\x53\x03\x29"
179 "\xa9\x34\x90\x74\xb1\x52\x13\x54\x29\x08\x24\x52\x62\x51";
181 // kKey3 is a DER-encoded RSAPrivateKey.
182 static const uint8_t kKey3[] =
183 "\x30\x82\x02\x5b\x02\x01\x00\x02\x81\x81\x00\xbb\xf8\x2f\x09\x06\x82\xce"
184 "\x9c\x23\x38\xac\x2b\x9d\xa8\x71\xf7\x36\x8d\x07\xee\xd4\x10\x43\xa4\x40"
185 "\xd6\xb6\xf0\x74\x54\xf5\x1f\xb8\xdf\xba\xaf\x03\x5c\x02\xab\x61\xea\x48"
186 "\xce\xeb\x6f\xcd\x48\x76\xed\x52\x0d\x60\xe1\xec\x46\x19\x71\x9d\x8a\x5b"
187 "\x8b\x80\x7f\xaf\xb8\xe0\xa3\xdf\xc7\x37\x72\x3e\xe6\xb4\xb7\xd9\x3a\x25"
188 "\x84\xee\x6a\x64\x9d\x06\x09\x53\x74\x88\x34\xb2\x45\x45\x98\x39\x4e\xe0"
189 "\xaa\xb1\x2d\x7b\x61\xa5\x1f\x52\x7a\x9a\x41\xf6\xc1\x68\x7f\xe2\x53\x72"
190 "\x98\xca\x2a\x8f\x59\x46\xf8\xe5\xfd\x09\x1d\xbd\xcb\x02\x01\x11\x02\x81"
191 "\x81\x00\xa5\xda\xfc\x53\x41\xfa\xf2\x89\xc4\xb9\x88\xdb\x30\xc1\xcd\xf8"
192 "\x3f\x31\x25\x1e\x06\x68\xb4\x27\x84\x81\x38\x01\x57\x96\x41\xb2\x94\x10"
193 "\xb3\xc7\x99\x8d\x6b\xc4\x65\x74\x5e\x5c\x39\x26\x69\xd6\x87\x0d\xa2\xc0"
194 "\x82\xa9\x39\xe3\x7f\xdc\xb8\x2e\xc9\x3e\xda\xc9\x7f\xf3\xad\x59\x50\xac"
195 "\xcf\xbc\x11\x1c\x76\xf1\xa9\x52\x94\x44\xe5\x6a\xaf\x68\xc5\x6c\x09\x2c"
196 "\xd3\x8d\xc3\xbe\xf5\xd2\x0a\x93\x99\x26\xed\x4f\x74\xa1\x3e\xdd\xfb\xe1"
197 "\xa1\xce\xcc\x48\x94\xaf\x94\x28\xc2\xb7\xb8\x88\x3f\xe4\x46\x3a\x4b\xc8"
198 "\x5b\x1c\xb3\xc1\x02\x41\x00\xee\xcf\xae\x81\xb1\xb9\xb3\xc9\x08\x81\x0b"
199 "\x10\xa1\xb5\x60\x01\x99\xeb\x9f\x44\xae\xf4\xfd\xa4\x93\xb8\x1a\x9e\x3d"
200 "\x84\xf6\x32\x12\x4e\xf0\x23\x6e\x5d\x1e\x3b\x7e\x28\xfa\xe7\xaa\x04\x0a"
201 "\x2d\x5b\x25\x21\x76\x45\x9d\x1f\x39\x75\x41\xba\x2a\x58\xfb\x65\x99\x02"
202 "\x41\x00\xc9\x7f\xb1\xf0\x27\xf4\x53\xf6\x34\x12\x33\xea\xaa\xd1\xd9\x35"
203 "\x3f\x6c\x42\xd0\x88\x66\xb1\xd0\x5a\x0f\x20\x35\x02\x8b\x9d\x86\x98\x40"
204 "\xb4\x16\x66\xb4\x2e\x92\xea\x0d\xa3\xb4\x32\x04\xb5\xcf\xce\x33\x52\x52"
205 "\x4d\x04\x16\xa5\xa4\x41\xe7\x00\xaf\x46\x15\x03\x02\x40\x54\x49\x4c\xa6"
206 "\x3e\xba\x03\x37\xe4\xe2\x40\x23\xfc\xd6\x9a\x5a\xeb\x07\xdd\xdc\x01\x83"
207 "\xa4\xd0\xac\x9b\x54\xb0\x51\xf2\xb1\x3e\xd9\x49\x09\x75\xea\xb7\x74\x14"
208 "\xff\x59\xc1\xf7\x69\x2e\x9a\x2e\x20\x2b\x38\xfc\x91\x0a\x47\x41\x74\xad"
209 "\xc9\x3c\x1f\x67\xc9\x81\x02\x40\x47\x1e\x02\x90\xff\x0a\xf0\x75\x03\x51"
210 "\xb7\xf8\x78\x86\x4c\xa9\x61\xad\xbd\x3a\x8a\x7e\x99\x1c\x5c\x05\x56\xa9"
211 "\x4c\x31\x46\xa7\xf9\x80\x3f\x8f\x6f\x8a\xe3\x42\xe9\x31\xfd\x8a\xe4\x7a"
212 "\x22\x0d\x1b\x99\xa4\x95\x84\x98\x07\xfe\x39\xf9\x24\x5a\x98\x36\xda\x3d"
213 "\x02\x41\x00\xb0\x6c\x4f\xda\xbb\x63\x01\x19\x8d\x26\x5b\xdb\xae\x94\x23"
214 "\xb3\x80\xf2\x71\xf7\x34\x53\x88\x50\x93\x07\x7f\xcd\x39\xe2\x11\x9f\xc9"
215 "\x86\x32\x15\x4f\x58\x83\xb1\x67\xa9\x67\xbf\x40\x2b\x4e\x9e\x2e\x0f\x96"
216 "\x56\xe6\x98\xea\x36\x66\xed\xfb\x25\x79\x80\x39\xf7";
218 // kOAEPCiphertext3 is a sample encryption of |kPlaintext| with |kKey3| using
220 static const uint8_t kOAEPCiphertext3[] =
221 "\xb8\x24\x6b\x56\xa6\xed\x58\x81\xae\xb5\x85\xd9\xa2\x5b\x2a\xd7\x90\xc4"
222 "\x17\xe0\x80\x68\x1b\xf1\xac\x2b\xc3\xde\xb6\x9d\x8b\xce\xf0\xc4\x36\x6f"
223 "\xec\x40\x0a\xf0\x52\xa7\x2e\x9b\x0e\xff\xb5\xb3\xf2\xf1\x92\xdb\xea\xca"
224 "\x03\xc1\x27\x40\x05\x71\x13\xbf\x1f\x06\x69\xac\x22\xe9\xf3\xa7\x85\x2e"
225 "\x3c\x15\xd9\x13\xca\xb0\xb8\x86\x3a\x95\xc9\x92\x94\xce\x86\x74\x21\x49"
226 "\x54\x61\x03\x46\xf4\xd4\x74\xb2\x6f\x7c\x48\xb4\x2e\xe6\x8e\x1f\x57\x2a"
227 "\x1f\xc4\x02\x6a\xc4\x56\xb4\xf5\x9f\x7b\x62\x1e\xa1\xb9\xd8\x8f\x64\x20"
230 static const uint8_t kTwoPrimeKey[] =
231 "\x30\x82\x04\xa1\x02\x01\x00\x02\x82\x01\x01\x00\x93\x3a\x4f\xc9\x6a\x0a"
232 "\x6b\x28\x04\xfa\xb7\x05\x56\xdf\xa0\xaa\x4f\xaa\xab\x94\xa0\xa9\x25\xef"
233 "\xc5\x96\xd2\xd4\x66\x16\x62\x2c\x13\x7b\x91\xd0\x36\x0a\x10\x11\x6d\x7a"
234 "\x91\xb6\xe4\x74\x57\xc1\x3d\x7a\xbe\x24\x05\x3a\x04\x0b\x73\x91\x53\xb1"
235 "\x74\x10\xe1\x87\xdc\x91\x28\x9c\x1e\xe5\xf2\xb9\xfc\xa2\x48\x34\xb6\x78"
236 "\xed\x6d\x95\xfb\xf2\xc0\x4e\x1c\xa4\x15\x00\x3c\x8a\x68\x2b\xd6\xce\xd5"
237 "\xb3\x9f\x66\x02\xa7\x0d\x08\xa3\x23\x9b\xe5\x36\x96\x13\x22\xf9\x69\xa6"
238 "\x87\x88\x9b\x85\x3f\x83\x9c\xab\x1a\x1b\x6d\x8d\x16\xf4\x5e\xbd\xee\x4b"
239 "\x59\x56\xf8\x9d\x58\xcd\xd2\x83\x85\x59\x43\x84\x63\x4f\xe6\x1a\x86\x66"
240 "\x0d\xb5\xa0\x87\x89\xb6\x13\x82\x43\xda\x34\x92\x3b\x68\xc4\x95\x71\x2f"
241 "\x15\xc2\xe0\x43\x67\x3c\x08\x00\x36\x10\xc3\xb4\x46\x4c\x4e\x6e\xf5\x44"
242 "\xa9\x04\x44\x9d\xce\xc7\x05\x79\xee\x11\xcf\xaf\x2c\xd7\x9a\x32\xd3\xa5"
243 "\x30\xd4\x3a\x78\x43\x37\x74\x22\x90\x24\x04\x11\xd7\x95\x08\x52\xa4\x71"
244 "\x41\x68\x94\xb0\xa0\xc3\xec\x4e\xd2\xc4\x30\x71\x98\x64\x9c\xe3\x7c\x76"
245 "\xef\x33\xa3\x2b\xb1\x87\x63\xd2\x5c\x09\xfc\x90\x2d\x92\xf4\x57\x02\x01"
246 "\x03\x02\x82\x01\x00\x62\x26\xdf\xdb\x9c\x06\xf2\x1a\xad\xfc\x7a\x03\x8f"
247 "\x3f\xc0\x71\x8a\x71\xc7\xb8\x6b\x1b\x6e\x9f\xd9\x0f\x37\x38\x44\x0e\xec"
248 "\x1d\x62\x52\x61\x35\x79\x5c\x0a\xb6\x48\xfc\x61\x24\x98\x4d\x8f\xd6\x28"
249 "\xfc\x7e\xc2\xae\x26\xad\x5c\xf7\xb6\x37\xcb\xa2\xb5\xeb\xaf\xe8\x60\xc5"
250 "\xbd\x69\xee\xa1\xd1\x53\x16\xda\xcd\xce\xfb\x48\xf3\xb9\x52\xa1\xd5\x89"
251 "\x68\x6d\x63\x55\x7d\xb1\x9a\xc7\xe4\x89\xe3\xcd\x14\xee\xac\x6f\x5e\x05"
252 "\xc2\x17\xbd\x43\x79\xb9\x62\x17\x50\xf1\x19\xaf\xb0\x67\xae\x2a\x57\xbd"
253 "\xc7\x66\xbc\xf3\xb3\x64\xa1\xe3\x16\x74\x9e\xea\x02\x5c\xab\x94\xd8\x97"
254 "\x02\x42\x0c\x2c\xba\x54\xb9\xaf\xe0\x45\x93\xad\x7f\xb3\x10\x6a\x96\x50"
255 "\x4b\xaf\xcf\xc8\x27\x62\x2d\x83\xe9\x26\xc6\x94\xc1\xef\x5c\x8e\x06\x42"
256 "\x53\xe5\x56\xaf\xc2\x99\x01\xaa\x9a\x71\xbc\xe8\x21\x33\x2a\x2d\xa3\x36"
257 "\xac\x1b\x86\x19\xf8\xcd\x1f\x80\xa4\x26\x98\xb8\x9f\x62\x62\xd5\x1a\x7f"
258 "\xee\xdb\xdf\x81\xd3\x21\xdb\x33\x92\xee\xff\xe2\x2f\x32\x77\x73\x6a\x58"
259 "\xab\x21\xf3\xe3\xe1\xbc\x4f\x12\x72\xa6\xb5\xc2\xfb\x27\x9e\xc8\xca\xab"
260 "\x64\xa0\x87\x07\x9d\xef\xca\x0f\xdb\x02\x81\x81\x00\xe6\xd3\x4d\xc0\xa1"
261 "\x91\x0e\x62\xfd\xb0\xdd\xc6\x30\xb8\x8c\xcb\x14\xc1\x4b\x69\x30\xdd\xcd"
262 "\x86\x67\xcb\x37\x14\xc5\x03\xd2\xb4\x69\xab\x3d\xe5\x16\x81\x0f\xe5\x50"
263 "\xf4\x18\xb1\xec\xbc\x71\xe9\x80\x99\x06\xe4\xa3\xfe\x44\x84\x4a\x2d\x1e"
264 "\x07\x7f\x22\x70\x6d\x4f\xd4\x93\x0b\x8b\x99\xce\x1e\xab\xcd\x4c\xd2\xd3"
265 "\x10\x47\x5c\x09\x9f\x6d\x82\xc0\x08\x75\xe3\x3d\x83\xc2\x19\x50\x29\xec"
266 "\x1f\x84\x29\xcc\xf1\x56\xee\xbd\x54\x5d\xe6\x19\xdf\x0d\x1c\xa4\xbb\x0a"
267 "\xfe\x84\x44\x29\x1d\xf9\x5c\x80\x96\x5b\x24\xb4\xf7\x02\x1b\x02\x81\x81"
268 "\x00\xa3\x48\xf1\x9c\x58\xc2\x5f\x38\xfb\xd8\x12\x39\xf1\x8e\x73\xa1\xcf"
269 "\x78\x12\xe0\xed\x2a\xbb\xef\xac\x23\xb2\xbf\xd6\x0c\xe9\x6e\x1e\xab\xea"
270 "\x3f\x68\x36\xa7\x1f\xe5\xab\xe0\x86\xa5\x76\x32\x98\xdd\x75\xb5\x2b\xbc"
271 "\xcb\x8a\x03\x00\x7c\x2e\xca\xf8\xbc\x19\xe4\xe3\xa3\x31\xbd\x1d\x20\x2b"
272 "\x09\xad\x6f\x4c\xed\x48\xd4\xdf\x87\xf9\xf0\x46\xb9\x86\x4c\x4b\x71\xe7"
273 "\x48\x78\xdc\xed\xc7\x82\x02\x44\xd3\xa6\xb3\x10\x5f\x62\x81\xfc\xb8\xe4"
274 "\x0e\xf4\x1a\xdd\xab\x3f\xbc\x63\x79\x5b\x39\x69\x5e\xea\xa9\x15\xfe\x90"
275 "\xec\xda\x75\x02\x81\x81\x00\x99\xe2\x33\xd5\xc1\x0b\x5e\xec\xa9\x20\x93"
276 "\xd9\x75\xd0\x5d\xdc\xb8\x80\xdc\xf0\xcb\x3e\x89\x04\x45\x32\x24\xb8\x83"
277 "\x57\xe1\xcd\x9b\xc7\x7e\x98\xb9\xab\x5f\xee\x35\xf8\x10\x76\x9d\xd2\xf6"
278 "\x9b\xab\x10\xaf\x43\x17\xfe\xd8\x58\x31\x73\x69\x5a\x54\xc1\xa0\x48\xdf"
279 "\xe3\x0c\xb2\x5d\x11\x34\x14\x72\x88\xdd\xe1\xe2\x0a\xda\x3d\x5b\xbf\x9e"
280 "\x57\x2a\xb0\x4e\x97\x7e\x57\xd6\xbb\x8a\xc6\x9d\x6a\x58\x1b\xdd\xf6\x39"
281 "\xf4\x7e\x38\x3e\x99\x66\x94\xb3\x68\x6d\xd2\x07\x54\x58\x2d\x70\xbe\xa6"
282 "\x3d\xab\x0e\xe7\x6d\xcd\xfa\x01\x67\x02\x81\x80\x6c\xdb\x4b\xbd\x90\x81"
283 "\x94\xd0\xa7\xe5\x61\x7b\xf6\x5e\xf7\xc1\x34\xfa\xb7\x40\x9e\x1c\x7d\x4a"
284 "\x72\xc2\x77\x2a\x8e\xb3\x46\x49\x69\xc7\xf1\x7f\x9a\xcf\x1a\x15\x43\xc7"
285 "\xeb\x04\x6e\x4e\xcc\x65\xe8\xf9\x23\x72\x7d\xdd\x06\xac\xaa\xfd\x74\x87"
286 "\x50\x7d\x66\x98\x97\xc2\x21\x28\xbe\x15\x72\x06\x73\x9f\x88\x9e\x30\x8d"
287 "\xea\x5a\xa6\xa0\x2f\x26\x59\x88\x32\x4b\xef\x85\xa5\xe8\x9e\x85\x01\x56"
288 "\xd8\x8d\x19\xcc\xb5\x94\xec\x56\xa8\x7b\x42\xb4\xa2\xbc\x93\xc7\x7f\xd2"
289 "\xec\xfb\x92\x26\x46\x3f\x47\x1b\x63\xff\x0b\x48\x91\xa3\x02\x81\x80\x2c"
290 "\x4a\xb9\xa4\x46\x7b\xff\x50\x7e\xbf\x60\x47\x3b\x2b\x66\x82\xdc\x0e\x53"
291 "\x65\x71\xe9\xda\x2a\xb8\x32\x93\x42\xb7\xff\xea\x67\x66\xf1\xbc\x87\x28"
292 "\x65\x29\x79\xca\xab\x93\x56\xda\x95\xc1\x26\x44\x3d\x27\xc1\x91\xc6\x9b"
293 "\xd9\xec\x9d\xb7\x49\xe7\x16\xee\x99\x87\x50\x95\x81\xd4\x5c\x5b\x5a\x5d"
294 "\x0a\x43\xa5\xa7\x8f\x5a\x80\x49\xa0\xb7\x10\x85\xc7\xf4\x42\x34\x86\xb6"
295 "\x5f\x3f\x88\x9e\xc7\xf5\x59\x29\x39\x68\x48\xf2\xd7\x08\x5b\x92\x8e\x6b"
296 "\xea\xa5\x63\x5f\xc0\xfb\xe4\xe1\xb2\x7d\xb7\x40\xe9\x55\x06\xbf\x58\x25"
299 static const uint8_t kTwoPrimeEncryptedMessage[] = {
300 0x63, 0x0a, 0x30, 0x45, 0x43, 0x11, 0x45, 0xb7, 0x99, 0x67, 0x90, 0x35,
301 0x37, 0x27, 0xff, 0xbc, 0xe0, 0xbf, 0xa6, 0xd1, 0x47, 0x50, 0xbb, 0x6c,
302 0x1c, 0xaa, 0x66, 0xf2, 0xff, 0x9d, 0x9a, 0xa6, 0xb4, 0x16, 0x63, 0xb0,
303 0xa1, 0x7c, 0x7c, 0x0c, 0xef, 0xb3, 0x66, 0x52, 0x42, 0xd7, 0x5e, 0xf3,
304 0xa4, 0x15, 0x33, 0x40, 0x43, 0xe8, 0xb1, 0xfc, 0xe0, 0x42, 0x83, 0x46,
305 0x28, 0xce, 0xde, 0x7b, 0x01, 0xeb, 0x28, 0x92, 0x70, 0xdf, 0x8d, 0x54,
306 0x9e, 0xed, 0x23, 0xb4, 0x78, 0xc3, 0xca, 0x85, 0x53, 0x48, 0xd6, 0x8a,
307 0x87, 0xf7, 0x69, 0xcd, 0x82, 0x8c, 0x4f, 0x5c, 0x05, 0x55, 0xa6, 0x78,
308 0x89, 0xab, 0x4c, 0xd8, 0xa9, 0xd6, 0xa5, 0xf4, 0x29, 0x4c, 0x23, 0xc8,
309 0xcf, 0xf0, 0x4c, 0x64, 0x6b, 0x4e, 0x02, 0x17, 0x69, 0xd6, 0x47, 0x83,
310 0x30, 0x43, 0x02, 0x29, 0xda, 0xda, 0x75, 0x3b, 0xd7, 0xa7, 0x2b, 0x31,
311 0xb3, 0xe9, 0x71, 0xa4, 0x41, 0xf7, 0x26, 0x9b, 0xcd, 0x23, 0xfa, 0x45,
312 0x3c, 0x9b, 0x7d, 0x28, 0xf7, 0xf9, 0x67, 0x04, 0xba, 0xfc, 0x46, 0x75,
313 0x11, 0x3c, 0xd5, 0x27, 0x43, 0x53, 0xb1, 0xb6, 0x9e, 0x18, 0xeb, 0x11,
314 0xb4, 0x25, 0x20, 0x30, 0x0b, 0xe0, 0x1c, 0x17, 0x36, 0x22, 0x10, 0x0f,
315 0x99, 0xb5, 0x50, 0x14, 0x73, 0x07, 0xf0, 0x2f, 0x5d, 0x4c, 0xe3, 0xf2,
316 0x86, 0xc2, 0x05, 0xc8, 0x38, 0xed, 0xeb, 0x2a, 0x4a, 0xab, 0x76, 0xe3,
317 0x1a, 0x75, 0x44, 0xf7, 0x6e, 0x94, 0xdc, 0x25, 0x62, 0x7e, 0x31, 0xca,
318 0xc2, 0x73, 0x51, 0xb5, 0x03, 0xfb, 0xf9, 0xf6, 0xb5, 0x8d, 0x4e, 0x6c,
319 0x21, 0x0e, 0xf9, 0x97, 0x26, 0x57, 0xf3, 0x52, 0x72, 0x07, 0xf8, 0xb4,
320 0xcd, 0xb4, 0x39, 0xcf, 0xbf, 0x78, 0xcc, 0xb6, 0x87, 0xf9, 0xb7, 0x8b,
321 0x6a, 0xce, 0x9f, 0xc8,
324 // kEstonianRSAKey is an RSAPublicKey encoded with a negative modulus. See
325 // https://crbug.com/532048.
326 static const uint8_t kEstonianRSAKey[] = {
327 0x30, 0x82, 0x01, 0x09, 0x02, 0x82, 0x01, 0x00, 0x96, 0xa6, 0x2e, 0x9c,
328 0x4e, 0x6a, 0xc3, 0xcc, 0xcd, 0x8f, 0x70, 0xc3, 0x55, 0xbf, 0x5e, 0x9c,
329 0xd4, 0xf3, 0x17, 0xc3, 0x97, 0x70, 0xae, 0xdf, 0x12, 0x5c, 0x15, 0x80,
330 0x03, 0xef, 0x2b, 0x18, 0x9d, 0x6a, 0xcb, 0x52, 0x22, 0xc1, 0x81, 0xb8,
331 0x7e, 0x61, 0xe8, 0x0f, 0x79, 0x24, 0x0f, 0x82, 0x70, 0x24, 0x4e, 0x29,
332 0x20, 0x05, 0x54, 0xeb, 0xd4, 0xa9, 0x65, 0x59, 0xb6, 0x3c, 0x75, 0x95,
333 0x2f, 0x4c, 0xf6, 0x9d, 0xd1, 0xaf, 0x5f, 0x14, 0x14, 0xe7, 0x25, 0xea,
334 0xa5, 0x47, 0x5d, 0xc6, 0x3e, 0x28, 0x8d, 0xdc, 0x54, 0x87, 0x2a, 0x7c,
335 0x10, 0xe9, 0xc6, 0x76, 0x2d, 0xe7, 0x79, 0xd8, 0x0e, 0xbb, 0xa9, 0xac,
336 0xb5, 0x18, 0x98, 0xd6, 0x47, 0x6e, 0x06, 0x70, 0xbf, 0x9e, 0x82, 0x25,
337 0x95, 0x4e, 0xfd, 0x70, 0xd7, 0x73, 0x45, 0x2e, 0xc1, 0x1f, 0x7a, 0x9a,
338 0x9d, 0x60, 0xc0, 0x1f, 0x67, 0x06, 0x2a, 0x4e, 0x87, 0x3f, 0x19, 0x88,
339 0x69, 0x64, 0x4d, 0x9f, 0x75, 0xf5, 0xd3, 0x1a, 0x41, 0x3d, 0x35, 0x17,
340 0xb6, 0xd1, 0x44, 0x0d, 0x25, 0x8b, 0xe7, 0x94, 0x39, 0xb0, 0x7c, 0xaf,
341 0x3e, 0x6a, 0xfa, 0x8d, 0x90, 0x21, 0x0f, 0x8a, 0x43, 0x94, 0x37, 0x7c,
342 0x2a, 0x15, 0x4c, 0xa0, 0xfa, 0xa9, 0x2f, 0x21, 0xa6, 0x6f, 0x8e, 0x2f,
343 0x89, 0xbc, 0xbb, 0x33, 0xf8, 0x31, 0xfc, 0xdf, 0xcd, 0x68, 0x9a, 0xbc,
344 0x75, 0x06, 0x95, 0xf1, 0x3d, 0xef, 0xca, 0x76, 0x27, 0xd2, 0xba, 0x8e,
345 0x0e, 0x1c, 0x43, 0xd7, 0x70, 0xb9, 0xc6, 0x15, 0xca, 0xd5, 0x4d, 0x87,
346 0xb9, 0xd1, 0xae, 0xde, 0x69, 0x73, 0x00, 0x2a, 0x97, 0x51, 0x4b, 0x30,
347 0x01, 0xc2, 0x85, 0xd0, 0x05, 0xcc, 0x2e, 0xe8, 0xc7, 0x42, 0xe7, 0x94,
348 0x51, 0xe3, 0xf5, 0x19, 0x35, 0xdc, 0x57, 0x96, 0xe7, 0xd9, 0xb4, 0x49,
349 0x02, 0x03, 0x01, 0x00, 0x01,
352 // kExponent1RSAKey is an RSAPublicKey encoded with an exponent of 1. See
353 // https://crbug.com/541257
354 static const uint8_t kExponent1RSAKey[] = {
355 0x30, 0x82, 0x01, 0x08, 0x02, 0x82, 0x01, 0x01, 0x00, 0xcf, 0x86, 0x9a,
356 0x7d, 0x5c, 0x9f, 0xbd, 0x33, 0xbb, 0xc2, 0xb1, 0x06, 0xa8, 0x3e, 0xc5,
357 0x18, 0xf3, 0x01, 0x04, 0xdd, 0x7a, 0x38, 0x0e, 0x8e, 0x8d, 0x10, 0xaa,
358 0xf8, 0x64, 0x49, 0x82, 0xa6, 0x16, 0x9d, 0xd9, 0xae, 0x5e, 0x7f, 0x9b,
359 0x53, 0xcb, 0xbb, 0x29, 0xda, 0x98, 0x47, 0x26, 0x88, 0x2e, 0x1d, 0x64,
360 0xb3, 0xbc, 0x7e, 0x96, 0x3a, 0xa7, 0xd6, 0x87, 0xf6, 0xf5, 0x3f, 0xa7,
361 0x3b, 0xd3, 0xc5, 0xd5, 0x61, 0x3c, 0x63, 0x05, 0xf9, 0xbc, 0x64, 0x1d,
362 0x71, 0x65, 0xf5, 0xc8, 0xe8, 0x64, 0x41, 0x35, 0x88, 0x81, 0x6b, 0x2a,
363 0x24, 0xbb, 0xdd, 0x9f, 0x75, 0x4f, 0xea, 0x35, 0xe5, 0x32, 0x76, 0x5a,
364 0x8b, 0x7a, 0xb5, 0x92, 0x65, 0x34, 0xb7, 0x88, 0x42, 0x5d, 0x41, 0x0b,
365 0xd1, 0x00, 0x2d, 0x43, 0x47, 0x55, 0x60, 0x3c, 0x0e, 0x60, 0x04, 0x5c,
366 0x88, 0x13, 0xc7, 0x42, 0x55, 0x16, 0x31, 0x32, 0x81, 0xba, 0xde, 0xa9,
367 0x56, 0xeb, 0xdb, 0x66, 0x7f, 0x31, 0xba, 0xe8, 0x87, 0x1a, 0xcc, 0xad,
368 0x90, 0x86, 0x4b, 0xa7, 0x6d, 0xd5, 0xc1, 0xb7, 0xe7, 0x67, 0x56, 0x41,
369 0xf7, 0x03, 0xb3, 0x09, 0x61, 0x63, 0xb5, 0xb0, 0x19, 0x7b, 0xc5, 0x91,
370 0xc8, 0x96, 0x5b, 0x6a, 0x80, 0xa1, 0x53, 0x0f, 0x9a, 0x47, 0xb5, 0x9a,
371 0x44, 0x53, 0xbd, 0x93, 0xe3, 0xe4, 0xce, 0x0c, 0x17, 0x11, 0x51, 0x1d,
372 0xfd, 0x6c, 0x74, 0xe4, 0xec, 0x2a, 0xce, 0x57, 0x27, 0xcc, 0x83, 0x98,
373 0x08, 0x32, 0x2c, 0xd5, 0x75, 0xa9, 0x27, 0xfe, 0xaa, 0x5e, 0x48, 0xc9,
374 0x46, 0x9a, 0x29, 0x3f, 0xe6, 0x01, 0x4d, 0x97, 0x4a, 0x70, 0xd1, 0x5d,
375 0xf8, 0xc0, 0x0b, 0x23, 0xcb, 0xbe, 0xf5, 0x70, 0x0b, 0xc2, 0xf2, 0xc0,
376 0x33, 0x9c, 0xc4, 0x8b, 0x39, 0x7e, 0x3d, 0xc6, 0x23, 0x39, 0x9a, 0x98,
377 0xdd, 0x02, 0x01, 0x01,
380 struct RSAEncryptParam {
383 const uint8_t *oaep_ciphertext;
384 size_t oaep_ciphertext_len;
385 } kRSAEncryptParams[] = {
386 {kKey1, sizeof(kKey1) - 1, kOAEPCiphertext1, sizeof(kOAEPCiphertext1) - 1},
387 {kKey2, sizeof(kKey2) - 1, kOAEPCiphertext2, sizeof(kOAEPCiphertext2) - 1},
388 {kKey3, sizeof(kKey3) - 1, kOAEPCiphertext3, sizeof(kOAEPCiphertext3) - 1},
391 class RSAEncryptTest : public testing::TestWithParam<RSAEncryptParam> {};
393 TEST_P(RSAEncryptTest, TestKey) {
394 const auto ¶m = GetParam();
395 bssl::UniquePtr<RSA> key(
396 RSA_private_key_from_bytes(param.der, param.der_len));
399 EXPECT_TRUE(RSA_check_key(key.get()));
401 uint8_t ciphertext[256];
403 // Test that PKCS#1 v1.5 encryption round-trips.
404 size_t ciphertext_len = 0;
405 ASSERT_TRUE(RSA_encrypt(key.get(), &ciphertext_len, ciphertext,
406 sizeof(ciphertext), kPlaintext, kPlaintextLen,
408 EXPECT_EQ(RSA_size(key.get()), ciphertext_len);
410 uint8_t plaintext[256];
411 size_t plaintext_len = 0;
412 ASSERT_TRUE(RSA_decrypt(key.get(), &plaintext_len, plaintext,
413 sizeof(plaintext), ciphertext, ciphertext_len,
415 EXPECT_EQ(Bytes(kPlaintext, kPlaintextLen), Bytes(plaintext, plaintext_len));
417 // Test that OAEP encryption round-trips.
419 ASSERT_TRUE(RSA_encrypt(key.get(), &ciphertext_len, ciphertext,
420 sizeof(ciphertext), kPlaintext, kPlaintextLen,
421 RSA_PKCS1_OAEP_PADDING));
422 EXPECT_EQ(RSA_size(key.get()), ciphertext_len);
425 ASSERT_TRUE(RSA_decrypt(key.get(), &plaintext_len, plaintext,
426 sizeof(plaintext), ciphertext, ciphertext_len,
427 RSA_PKCS1_OAEP_PADDING));
428 EXPECT_EQ(Bytes(kPlaintext, kPlaintextLen), Bytes(plaintext, plaintext_len));
430 // |oaep_ciphertext| should decrypt to |kPlaintext|.
432 ASSERT_TRUE(RSA_decrypt(key.get(), &plaintext_len, plaintext,
433 sizeof(plaintext), param.oaep_ciphertext,
434 param.oaep_ciphertext_len, RSA_PKCS1_OAEP_PADDING));
435 EXPECT_EQ(Bytes(kPlaintext, kPlaintextLen), Bytes(plaintext, plaintext_len));
437 // Try decrypting corrupted ciphertexts.
438 OPENSSL_memcpy(ciphertext, param.oaep_ciphertext, param.oaep_ciphertext_len);
439 for (size_t i = 0; i < param.oaep_ciphertext_len; i++) {
442 EXPECT_FALSE(RSA_decrypt(
443 key.get(), &plaintext_len, plaintext, sizeof(plaintext), ciphertext,
444 param.oaep_ciphertext_len, RSA_PKCS1_OAEP_PADDING));
449 // Test truncated ciphertexts.
450 for (size_t len = 0; len < param.oaep_ciphertext_len; len++) {
452 EXPECT_FALSE(RSA_decrypt(key.get(), &plaintext_len, plaintext,
453 sizeof(plaintext), ciphertext, len,
454 RSA_PKCS1_OAEP_PADDING));
459 INSTANTIATE_TEST_CASE_P(, RSAEncryptTest, testing::ValuesIn(kRSAEncryptParams));
461 TEST(RSATest, TestDecrypt) {
462 bssl::UniquePtr<RSA> rsa(
463 RSA_private_key_from_bytes(kTwoPrimeKey, sizeof(kTwoPrimeKey) - 1));
466 EXPECT_TRUE(RSA_check_key(rsa.get()));
470 ASSERT_TRUE(RSA_decrypt(
471 rsa.get(), &out_len, out, sizeof(out), kTwoPrimeEncryptedMessage,
472 sizeof(kTwoPrimeEncryptedMessage), RSA_PKCS1_PADDING));
473 EXPECT_EQ(Bytes("hello world"), Bytes(out, out_len));
476 TEST(RSATest, CheckFIPS) {
477 bssl::UniquePtr<RSA> rsa(
478 RSA_private_key_from_bytes(kFIPSKey, sizeof(kFIPSKey) - 1));
480 EXPECT_TRUE(RSA_check_fips(rsa.get()));
482 // Check that RSA_check_fips works on a public key.
483 bssl::UniquePtr<RSA> pub(
484 RSA_public_key_from_bytes(kFIPSPublicKey, sizeof(kFIPSPublicKey) - 1));
486 EXPECT_TRUE(RSA_check_fips(pub.get()));
489 TEST(RSATest, GenerateFIPS) {
490 bssl::UniquePtr<RSA> rsa(RSA_new());
493 // RSA_generate_key_fips may only be used for 2048-bit and 3072-bit keys.
494 EXPECT_FALSE(RSA_generate_key_fips(rsa.get(), 512, nullptr));
495 EXPECT_FALSE(RSA_generate_key_fips(rsa.get(), 1024, nullptr));
496 EXPECT_FALSE(RSA_generate_key_fips(rsa.get(), 2047, nullptr));
497 EXPECT_FALSE(RSA_generate_key_fips(rsa.get(), 2049, nullptr));
498 EXPECT_FALSE(RSA_generate_key_fips(rsa.get(), 3071, nullptr));
499 EXPECT_FALSE(RSA_generate_key_fips(rsa.get(), 3073, nullptr));
500 EXPECT_FALSE(RSA_generate_key_fips(rsa.get(), 4096, nullptr));
503 // Test that we can generate 2048-bit and 3072-bit RSA keys.
504 EXPECT_TRUE(RSA_generate_key_fips(rsa.get(), 2048, nullptr));
505 EXPECT_EQ(2048u, BN_num_bits(rsa->n));
507 rsa.reset(RSA_new());
509 EXPECT_TRUE(RSA_generate_key_fips(rsa.get(), 3072, nullptr));
510 EXPECT_EQ(3072u, BN_num_bits(rsa->n));
513 TEST(RSATest, BadKey) {
514 bssl::UniquePtr<RSA> key(RSA_new());
515 bssl::UniquePtr<BIGNUM> e(BN_new());
518 ASSERT_TRUE(BN_set_word(e.get(), RSA_F4));
520 // Generate a bad key.
521 ASSERT_TRUE(RSA_generate_key_ex(key.get(), 512, e.get(), nullptr));
522 ASSERT_TRUE(BN_add(key->p, key->p, BN_value_one()));
524 // Bad keys are detected.
525 EXPECT_FALSE(RSA_check_key(key.get()));
526 EXPECT_FALSE(RSA_check_fips(key.get()));
528 // Bad keys may not be parsed.
531 ASSERT_TRUE(RSA_private_key_to_bytes(&der, &der_len, key.get()));
532 bssl::UniquePtr<uint8_t> delete_der(der);
533 key.reset(RSA_private_key_from_bytes(der, der_len));
537 TEST(RSATest, OnlyDGiven) {
538 static const char kN[] =
539 "00e77bbf3889d4ef36a9a25d4d69f3f632eb4362214c74517da6d6aeaa9bd09ac42b2662"
540 "1cd88f3a6eb013772fc3bf9f83914b6467231c630202c35b3e5808c659";
541 static const char kE[] = "010001";
542 static const char kD[] =
543 "0365db9eb6d73b53b015c40cd8db4de7dd7035c68b5ac1bf786d7a4ee2cea316eaeca21a"
544 "73ac365e58713195f2ae9849348525ca855386b6d028e437a9495a01";
546 bssl::UniquePtr<RSA> key(RSA_new());
548 ASSERT_TRUE(BN_hex2bn(&key->n, kN));
549 ASSERT_TRUE(BN_hex2bn(&key->e, kE));
550 ASSERT_TRUE(BN_hex2bn(&key->d, kD));
552 // Keys with only n, e, and d are functional.
553 EXPECT_TRUE(RSA_check_key(key.get()));
555 const uint8_t kDummyHash[32] = {0};
557 unsigned buf_len = sizeof(buf);
558 ASSERT_LE(RSA_size(key.get()), sizeof(buf));
559 EXPECT_TRUE(RSA_sign(NID_sha256, kDummyHash, sizeof(kDummyHash), buf,
560 &buf_len, key.get()));
561 EXPECT_TRUE(RSA_verify(NID_sha256, kDummyHash, sizeof(kDummyHash), buf,
562 buf_len, key.get()));
564 // Keys without the public exponent must continue to work when blinding is
565 // disabled to support Java's RSAPrivateKeySpec API. See
566 // https://bugs.chromium.org/p/boringssl/issues/detail?id=12.
567 bssl::UniquePtr<RSA> key2(RSA_new());
569 ASSERT_TRUE(BN_hex2bn(&key2->n, kN));
570 ASSERT_TRUE(BN_hex2bn(&key2->d, kD));
571 key2->flags |= RSA_FLAG_NO_BLINDING;
573 ASSERT_LE(RSA_size(key2.get()), sizeof(buf));
574 EXPECT_TRUE(RSA_sign(NID_sha256, kDummyHash, sizeof(kDummyHash), buf,
575 &buf_len, key2.get()));
577 // Verify the signature with |key|. |key2| has no public exponent.
578 EXPECT_TRUE(RSA_verify(NID_sha256, kDummyHash, sizeof(kDummyHash), buf,
579 buf_len, key.get()));
582 TEST(RSATest, ASN1) {
583 // Test that private keys may be decoded.
584 bssl::UniquePtr<RSA> rsa(
585 RSA_private_key_from_bytes(kKey1, sizeof(kKey1) - 1));
588 // Test that the serialization round-trips.
591 ASSERT_TRUE(RSA_private_key_to_bytes(&der, &der_len, rsa.get()));
592 bssl::UniquePtr<uint8_t> delete_der(der);
593 EXPECT_EQ(Bytes(kKey1, sizeof(kKey1) - 1), Bytes(der, der_len));
595 // Test that serializing public keys works.
596 ASSERT_TRUE(RSA_public_key_to_bytes(&der, &der_len, rsa.get()));
597 delete_der.reset(der);
599 // Public keys may be parsed back out.
600 rsa.reset(RSA_public_key_from_bytes(der, der_len));
602 EXPECT_FALSE(rsa->p);
603 EXPECT_FALSE(rsa->q);
605 // Serializing the result round-trips.
608 ASSERT_TRUE(RSA_public_key_to_bytes(&der2, &der2_len, rsa.get()));
609 bssl::UniquePtr<uint8_t> delete_der2(der2);
610 EXPECT_EQ(Bytes(der, der_len), Bytes(der2, der2_len));
612 // Public keys cannot be serialized as private keys.
613 int ok = RSA_private_key_to_bytes(&der, &der_len, rsa.get());
620 // Public keys with negative moduli are invalid.
621 rsa.reset(RSA_public_key_from_bytes(kEstonianRSAKey,
622 sizeof(kEstonianRSAKey)));
627 TEST(RSATest, BadExponent) {
628 bssl::UniquePtr<RSA> rsa(
629 RSA_public_key_from_bytes(kExponent1RSAKey, sizeof(kExponent1RSAKey)));
634 // Attempting to generate an excessively small key should fail.
635 TEST(RSATest, GenerateSmallKey) {
636 bssl::UniquePtr<RSA> rsa(RSA_new());
638 bssl::UniquePtr<BIGNUM> e(BN_new());
640 ASSERT_TRUE(BN_set_word(e.get(), RSA_F4));
642 EXPECT_FALSE(RSA_generate_key_ex(rsa.get(), 255, e.get(), nullptr));
643 uint32_t err = ERR_get_error();
644 EXPECT_EQ(ERR_LIB_RSA, ERR_GET_LIB(err));
645 EXPECT_EQ(RSA_R_KEY_SIZE_TOO_SMALL, ERR_GET_REASON(err));
648 // Attempting to generate an funny RSA key length should round down.
649 TEST(RSATest, RoundKeyLengths) {
650 bssl::UniquePtr<BIGNUM> e(BN_new());
652 ASSERT_TRUE(BN_set_word(e.get(), RSA_F4));
654 bssl::UniquePtr<RSA> rsa(RSA_new());
656 EXPECT_TRUE(RSA_generate_key_ex(rsa.get(), 1025, e.get(), nullptr));
657 EXPECT_EQ(1024u, BN_num_bits(rsa->n));
659 rsa.reset(RSA_new());
661 EXPECT_TRUE(RSA_generate_key_ex(rsa.get(), 1027, e.get(), nullptr));
662 EXPECT_EQ(1024u, BN_num_bits(rsa->n));
664 rsa.reset(RSA_new());
666 EXPECT_TRUE(RSA_generate_key_ex(rsa.get(), 1151, e.get(), nullptr));
667 EXPECT_EQ(1024u, BN_num_bits(rsa->n));
669 rsa.reset(RSA_new());
671 EXPECT_TRUE(RSA_generate_key_ex(rsa.get(), 1152, e.get(), nullptr));
672 EXPECT_EQ(1152u, BN_num_bits(rsa->n));
675 TEST(RSATest, BlindingDisabled) {
676 bssl::UniquePtr<RSA> rsa(
677 RSA_private_key_from_bytes(kTwoPrimeKey, sizeof(kTwoPrimeKey) - 1));
680 rsa->flags |= RSA_FLAG_NO_BLINDING;
683 ASSERT_GE(sizeof(sig), RSA_size(rsa.get()));
685 static const uint8_t kZeros[32] = {0};
688 RSA_sign(NID_sha256, kZeros, sizeof(kZeros), sig, &sig_len, rsa.get()));
690 RSA_verify(NID_sha256, kZeros, sizeof(kZeros), sig, sig_len, rsa.get()));
693 // Test that decrypting with a public key fails gracefully rather than crashing.
694 TEST(RSATest, DecryptPublic) {
695 bssl::UniquePtr<RSA> pub(
696 RSA_public_key_from_bytes(kFIPSPublicKey, sizeof(kFIPSPublicKey) - 1));
698 ASSERT_EQ(1024u / 8u, RSA_size(pub.get()));
701 uint8_t in[1024 / 8] = {0}, out[1024 / 8];
702 EXPECT_FALSE(RSA_decrypt(pub.get(), &len, out, sizeof(out), in, sizeof(in),
704 uint32_t err = ERR_get_error();
705 EXPECT_EQ(ERR_LIB_RSA, ERR_GET_LIB(err));
706 EXPECT_EQ(RSA_R_VALUE_MISSING, ERR_GET_REASON(err));
709 TEST(RSATest, CheckKey) {
710 static const char kN[] =
711 "b5a5651bc2e15ce31d789f0984053a2ea0cf8f964a78068c45acfdf078c57fd62d5a287c"
712 "32f3baa879f5dfea27d7a3077c9d3a2a728368c3d90164690c3d82f660ffebc7f13fed45"
713 "4eb5103df943c10dc32ec60b0d9b6e307bfd7f9b943e0dc3901e42501765365f7286eff2"
714 "f1f728774aa6a371e108a3a7dd00d7bcd4c1a186c2865d4b370ea38cc89c0b23b318dbca"
715 "fbd872b4f9b833dfb2a4ca7fcc23298020044e8130bfe930adfb3e5cab8d324547adf4b2"
716 "ce34d7cea4298f0b613d85f2bf1df03da44aee0784a1a20a15ee0c38a0f8e84962f1f61b"
717 "18bd43781c7385f3c2b8e2aebd3c560b4faad208ad3938bad27ddda9ed9e933dba088021"
719 static const char kE[] = "10001";
720 static const char kD[] =
721 "fb9c6afd9568ce5ddac8e6a32bb881eb6cdd962bbc639dce5805548bf0fec2214f18ffd3"
722 "6a50aa520cfe4477f9507d87355a24e3ff537f9f29ccffe5730b11896ebb9142982ed0df"
723 "9c32ba98dddab863f3e5aa764d16ebff4500d3ee11de12fabd7aeca83c7ffa5d242b3ddc"
724 "ecc64bcb5220996e79249a6d3f78975dfde769710569812dee59c0f56e4650d02a939d9c"
725 "853e2cba9b0c2447a8757951ae9a0336dfa64c3d5476df9b20f200cfb52e3fbd2d4e3f34"
726 "200b1171cbac367096f23366e74592025875efb6a7e3b1dd365abb0d86f34ee65ddbfa93"
727 "90460da0d346833d6aa6277c0216b20073ba2f18471549c309e82d12e10714d0e0dbf146"
729 static const char kP[] =
730 "edbe476fe8989f3966e72a20348ec6d8e924f44e1d9fa2c3485ea8a2ffd39f68574a5cef"
731 "ffbb92d6764789ac0f67149127239c2027fbc55b5268a1dac6588de44e614f3bdce00f0a"
732 "56d138800ad772d159a583c6548e37cadbfcf1b4ebfd50d01508986a516f36ed827b94ef"
733 "1f9b4e233bf5762b3a903d2dfbbbce1fba30e9f1";
734 static const char kQ[] =
735 "c398518790a166dbe50498f04940d14c87ded09313fb0f69f69255c688142802ba3d4f9e"
736 "f9425dadc462170635593c06a332cfc5fc9e6e1c05281950a5ce3bad4fd7cc83a38bd4ad"
737 "6865594275af424f47c64c04af1caab2e261e95b975097c887d587dc8150df34cbeccd7d"
738 "0688c392d9f1c617810043c9b93b884bf6ed465d";
739 static const char kDMP1[] =
740 "b44db5d1fa7e1d6ba44e36d59be6988a132f7294f7c484e543b27e84b82e9fdbbb2feb92"
741 "1cc9fe0fe63e54fc07e66e63b3623f5ae7d7fb124a4a8e4de4556eaf327e7c5ff3207e67"
742 "a1f624ba7efe6cd6b6fd5f160034a7bd92df9fd44d919d436260556f74793b181ff867b8"
743 "7ea9033697978e5a349d05b9250c86c3eb2a8391";
744 static const char kDMQ1[] =
745 "7c06d9240265264927a6cba80a7b4c7c9fe77d10d669abb38083f85a24adcb55376d6b50"
746 "9e34241cecdb5a483889f6132b672bf31aa607a242eed3669d4cf1f08b2186f0ae431bc0"
747 "3de38e3f234ad7dc57e1f9103b4e0d3bd36b4cc324671968322207bd9e4e7ecb06c888e0"
748 "cfc4e766f646665b3f14c0e7684ac4b98ec1948d";
749 static const char kIQMP[] =
750 "2887a5cb0c1bf6710e91c25da141dad92134a927431471c2d4a8b78036026d21182990e1"
751 "2c1d70635f07ee551383899365a69b33d4db23e5ff7371ff4244d2c3290ce2b91ac11adc"
752 "a54bb61ea5e64b9423102933ea100c12dad809fbf9589515e9d28e867f6b95c2d307f792"
753 "cac28c6d7d23f441cb5b62798233db29b5cc0348";
755 bssl::UniquePtr<RSA> rsa(RSA_new());
758 // Missing n or e does not pass.
759 ASSERT_TRUE(BN_hex2bn(&rsa->n, kN));
760 EXPECT_FALSE(RSA_check_key(rsa.get()));
765 ASSERT_TRUE(BN_hex2bn(&rsa->e, kE));
766 EXPECT_FALSE(RSA_check_key(rsa.get()));
770 ASSERT_TRUE(BN_hex2bn(&rsa->n, kN));
771 EXPECT_TRUE(RSA_check_key(rsa.get()));
773 // Configuring d also passes.
774 ASSERT_TRUE(BN_hex2bn(&rsa->d, kD));
775 EXPECT_TRUE(RSA_check_key(rsa.get()));
777 // p and q must be provided together.
778 ASSERT_TRUE(BN_hex2bn(&rsa->p, kP));
779 EXPECT_FALSE(RSA_check_key(rsa.get()));
784 ASSERT_TRUE(BN_hex2bn(&rsa->q, kQ));
785 EXPECT_FALSE(RSA_check_key(rsa.get()));
788 // Supplying p and q without CRT parameters passes.
789 ASSERT_TRUE(BN_hex2bn(&rsa->p, kP));
790 EXPECT_TRUE(RSA_check_key(rsa.get()));
792 // With p and q together, it is sufficient to check d against e.
793 ASSERT_TRUE(BN_add_word(rsa->d, 1));
794 EXPECT_FALSE(RSA_check_key(rsa.get()));
797 // Test another invalid d. p-1 is divisible by 3, so there is no valid value
798 // of d here if e = 111. Set d to what extended GCD would have given if it
799 // forgot to check the inverse existed.
800 static const char kDBogus[] =
801 "140be923edb928cf4340a08ada19f23da680ff20275a81e033825ee8605afc3bf6039b87"
802 "f0ddc7ea3b95f214a6fdda1064d0c66b50ac7bfe8cfe6c85d3cd217ae6f5094cd72a39e5"
803 "a17a9ce43eae1ba5d7d8c3fb743d8cbcb3bcd74edd0b75fcca23a0b00bcea119864c0243"
804 "bf9ab32b25a4d73a1e062482f538055bc2258369353647d4325aec7a28dc1a6798e85fae"
805 "85850558868468d60015927cb10b2a893e23aa16b1f9278d4413f64d0a3122218f9000ae"
806 "cd8743b8e9e50bd9de81eebc4e0230d1f4f7bffc1e6f903606afba9ee694c2b40022f171"
807 "a760e7c63e736e31d7c7ff8b77dc206c2a3aa5afd540073060ebb9050bddce1ff1917630"
809 ASSERT_TRUE(BN_set_word(rsa->e, 111));
810 ASSERT_TRUE(BN_hex2bn(&rsa->d, kDBogus));
811 EXPECT_FALSE(RSA_check_key(rsa.get()));
813 ASSERT_TRUE(BN_hex2bn(&rsa->e, kE));
815 // d computed via the Euler totient rather than the Carmichael totient is also
817 static const char kDEuler[] =
818 "3d231ff6ca0ee41ea50ab62c93bcd6aa5f01bd484e643b7ff6eb94c4dd414c17a0481a1c"
819 "4361f94f3f4d5c42098af09a527cf0d8dc96122ae8dd29189a4011d62f2bb40625d2e85f"
820 "4d706fb90c2e9bc9b00a0c2a28384a4c134f6d25c62d64a08fdf3f5e89a14d3daee46fda"
821 "8b4a2eda87cbb2735fd47290cb37bf65150edef854a28927ce5ac36d36107711cffb8ac3"
822 "2b090e409bb822b117744a9aabf878b8b1998d406337ec24cee3877795061c67322ac626"
823 "6c675a2cefe0f85f06b4d24eb6ad8e3fae7f218f5bd8ff2fb8bf8176d8527b0dfdaf8490"
824 "8f9bfaf3f37dcf8aa0211311bac07b1a478c3ed8a6369e5d5fc42b2afa93f5de8f520981"
826 ASSERT_TRUE(BN_hex2bn(&rsa->d, kDEuler));
827 EXPECT_TRUE(RSA_check_key(rsa.get()));
829 // If d is completely out of range but otherwise valid, it is rejected.
830 static const char kDTooLarge[] =
831 "f2c885128cf04101c283553617c210d8ffd14cde98dc420c3c9892b55606cbedcda24298"
832 "7655b3f7b9433c2c316293a1cf1a2b034f197aeec1de8d81a67d94cc902b9fce1712d5a4"
833 "9c257ff705725cd77338d23535d3b87c8f4cecc15a6b72641ffd81aea106839d216b5fcd"
834 "7d415751d27255e540dd1638a8389721e9d0807d65d24d7b8c2f60e4b2c0bf250544ce68"
835 "b5ddbc1463d5a4638b2816b0f033dacdc0162f329af9e4d142352521fbd2fe14af824ef3"
836 "1601fe843c79cc3efbcb8eafd79262bdd25e2bdf21440f774e26d88ed7df938c5cf6982d"
837 "e9fa635b8ca36ce5c5fbd579a53cbb0348ceae752d4bc5621c5acc922ca2082494633337"
839 ASSERT_TRUE(BN_hex2bn(&rsa->d, kDTooLarge));
840 EXPECT_FALSE(RSA_check_key(rsa.get()));
842 ASSERT_TRUE(BN_hex2bn(&rsa->d, kD));
844 // CRT value must either all be provided or all missing.
845 ASSERT_TRUE(BN_hex2bn(&rsa->dmp1, kDMP1));
846 EXPECT_FALSE(RSA_check_key(rsa.get()));
851 ASSERT_TRUE(BN_hex2bn(&rsa->dmq1, kDMQ1));
852 EXPECT_FALSE(RSA_check_key(rsa.get()));
857 ASSERT_TRUE(BN_hex2bn(&rsa->iqmp, kIQMP));
858 EXPECT_FALSE(RSA_check_key(rsa.get()));
861 // The full key is accepted.
862 ASSERT_TRUE(BN_hex2bn(&rsa->dmp1, kDMP1));
863 ASSERT_TRUE(BN_hex2bn(&rsa->dmq1, kDMQ1));
864 EXPECT_TRUE(RSA_check_key(rsa.get()));
866 // Incorrect CRT values are rejected.
867 ASSERT_TRUE(BN_add_word(rsa->dmp1, 1));
868 EXPECT_FALSE(RSA_check_key(rsa.get()));
870 ASSERT_TRUE(BN_sub_word(rsa->dmp1, 1));
872 ASSERT_TRUE(BN_add_word(rsa->dmq1, 1));
873 EXPECT_FALSE(RSA_check_key(rsa.get()));
875 ASSERT_TRUE(BN_sub_word(rsa->dmq1, 1));
877 ASSERT_TRUE(BN_add_word(rsa->iqmp, 1));
878 EXPECT_FALSE(RSA_check_key(rsa.get()));
880 ASSERT_TRUE(BN_sub_word(rsa->iqmp, 1));
882 // Non-reduced CRT values are rejected.
883 ASSERT_TRUE(BN_add(rsa->dmp1, rsa->dmp1, rsa->p));
884 EXPECT_FALSE(RSA_check_key(rsa.get()));
886 ASSERT_TRUE(BN_sub(rsa->dmp1, rsa->dmp1, rsa->p));
888 ASSERT_TRUE(BN_add(rsa->dmq1, rsa->dmq1, rsa->q));
889 EXPECT_FALSE(RSA_check_key(rsa.get()));
891 ASSERT_TRUE(BN_sub(rsa->dmq1, rsa->dmq1, rsa->q));
893 ASSERT_TRUE(BN_add(rsa->iqmp, rsa->iqmp, rsa->p));
894 EXPECT_FALSE(RSA_check_key(rsa.get()));
896 ASSERT_TRUE(BN_sub(rsa->iqmp, rsa->iqmp, rsa->p));
899 #if !defined(BORINGSSL_SHARED_LIBRARY)
900 TEST(RSATest, SqrtTwo) {
901 bssl::UniquePtr<BIGNUM> sqrt(BN_new()), pow2(BN_new());
902 bssl::UniquePtr<BN_CTX> ctx(BN_CTX_new());
907 size_t bits = kBoringSSLRSASqrtTwoLen * BN_BITS2;
908 ASSERT_TRUE(BN_one(pow2.get()));
909 ASSERT_TRUE(BN_lshift(pow2.get(), pow2.get(), 2 * bits - 1));
911 // Check that sqrt² < pow2.
913 bn_set_words(sqrt.get(), kBoringSSLRSASqrtTwo, kBoringSSLRSASqrtTwoLen));
914 ASSERT_TRUE(BN_sqr(sqrt.get(), sqrt.get(), ctx.get()));
915 EXPECT_LT(BN_cmp(sqrt.get(), pow2.get()), 0);
917 // Check that pow2 < (sqrt + 1)².
919 bn_set_words(sqrt.get(), kBoringSSLRSASqrtTwo, kBoringSSLRSASqrtTwoLen));
920 ASSERT_TRUE(BN_add_word(sqrt.get(), 1));
921 ASSERT_TRUE(BN_sqr(sqrt.get(), sqrt.get(), ctx.get()));
922 EXPECT_LT(BN_cmp(pow2.get(), sqrt.get()), 0);
924 // Check the kBoringSSLRSASqrtTwo is sized for a 3072-bit RSA key.
925 EXPECT_EQ(3072u / 2u, bits);
927 #endif // !BORINGSSL_SHARED_LIBRARY