2016-08-17 23:20:01 -10:00
|
|
|
// Copyright 2015-2016 Brian Smith.
|
|
|
|
//
|
|
|
|
// Permission to use, copy, modify, and/or distribute this software for any
|
|
|
|
// purpose with or without fee is hereby granted, provided that the above
|
|
|
|
// copyright notice and this permission notice appear in all copies.
|
|
|
|
//
|
|
|
|
// THE SOFTWARE IS PROVIDED "AS IS" AND AND THE AUTHORS DISCLAIM ALL WARRANTIES
|
|
|
|
// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
|
|
|
// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY
|
|
|
|
// SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
|
|
|
// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
|
|
|
|
// OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
|
|
|
|
// CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
|
|
|
|
|
|
|
/// RSA PKCS#1 1.5 signatures.
|
|
|
|
|
2016-11-23 11:35:30 -10:00
|
|
|
use {bits, bssl, c, der, digest, error};
|
2016-08-17 23:20:01 -10:00
|
|
|
use rand;
|
|
|
|
use std;
|
2016-11-25 00:20:50 -10:00
|
|
|
use super::bigint;
|
|
|
|
use super::bigint::{GFp_BN_free, GFp_BN_MONT_CTX_free};
|
2016-08-17 23:20:01 -10:00
|
|
|
use untrusted;
|
|
|
|
|
|
|
|
/// An RSA key pair, used for signing. Feature: `rsa_signing`.
|
2016-08-18 09:30:50 -10:00
|
|
|
///
|
|
|
|
/// After constructing an `RSAKeyPair`, construct one or more
|
|
|
|
/// `RSASigningState`s that reference the `RSAKeyPair` and use
|
|
|
|
/// `RSASigningState::sign()` to generate signatures. See `ring::signature`'s
|
|
|
|
/// module-level documentation for an example.
|
2016-08-17 23:20:01 -10:00
|
|
|
pub struct RSAKeyPair {
|
2016-08-18 00:12:40 -10:00
|
|
|
rsa: RSA,
|
2016-11-14 11:13:43 -10:00
|
|
|
|
|
|
|
// The length of the public modulus in bits.
|
|
|
|
n_bits: bits::BitLength,
|
2016-08-17 23:20:01 -10:00
|
|
|
}
|
|
|
|
|
|
|
|
impl RSAKeyPair {
|
|
|
|
/// Parse a private key in DER-encoded ASN.1 `RSAPrivateKey` form (see
|
|
|
|
/// [RFC 3447 Appendix A.1.2]).
|
|
|
|
///
|
|
|
|
/// Only two-prime keys (version 0) keys are supported. The public modulus
|
|
|
|
/// (n) must be at least 2048 bits. Currently, the public modulus must be
|
|
|
|
/// no larger than 4096 bits.
|
|
|
|
///
|
|
|
|
/// Here's one way to generate a key in the required format using OpenSSL:
|
|
|
|
///
|
|
|
|
/// ```sh
|
|
|
|
/// openssl genpkey -algorithm RSA \
|
|
|
|
/// -pkeyopt rsa_keygen_bits:2048 \
|
|
|
|
/// -outform der \
|
|
|
|
/// -out private_key.der
|
|
|
|
/// ```
|
|
|
|
///
|
|
|
|
/// Often, keys generated for use in OpenSSL-based software are
|
|
|
|
/// encoded in PEM format, which is not supported by *ring*. PEM-encoded
|
|
|
|
/// keys that are in `RSAPrivateKey` format can be decoded into the using
|
|
|
|
/// an OpenSSL command like this:
|
|
|
|
///
|
|
|
|
/// ```sh
|
|
|
|
/// openssl rsa -in private_key.pem -outform DER -out private_key.der
|
|
|
|
/// ```
|
|
|
|
///
|
|
|
|
/// If these commands don't work, it is likely that the private key is in a
|
|
|
|
/// different format like PKCS#8, which isn't supported yet. An upcoming
|
|
|
|
/// version of *ring* will likely replace the support for the
|
|
|
|
/// `RSAPrivateKey` format with support for the PKCS#8 format.
|
|
|
|
///
|
|
|
|
/// [RFC 3447 Appendix A.1.2]:
|
|
|
|
/// https://tools.ietf.org/html/rfc3447#appendix-A.1.2
|
|
|
|
pub fn from_der(input: untrusted::Input)
|
|
|
|
-> Result<RSAKeyPair, error::Unspecified> {
|
|
|
|
input.read_all(error::Unspecified, |input| {
|
2016-08-25 21:07:31 -10:00
|
|
|
der::nested(input, der::Tag::Sequence, error::Unspecified, |input| {
|
2016-08-17 23:20:01 -10:00
|
|
|
let version = try!(der::small_nonnegative_integer(input));
|
|
|
|
if version != 0 {
|
|
|
|
return Err(error::Unspecified);
|
|
|
|
}
|
2016-11-25 00:20:50 -10:00
|
|
|
let n = try!(bigint::Positive::from_der(input));
|
|
|
|
let e = try!(bigint::Positive::from_der(input));
|
|
|
|
let d = try!(bigint::Positive::from_der(input));
|
|
|
|
let p = try!(bigint::Positive::from_der(input));
|
|
|
|
let q = try!(bigint::Positive::from_der(input));
|
|
|
|
let dmp1 = try!(bigint::Positive::from_der(input));
|
|
|
|
let dmq1 = try!(bigint::Positive::from_der(input));
|
|
|
|
let iqmp = try!(bigint::Positive::from_der(input));
|
2016-11-28 12:04:42 -10:00
|
|
|
|
|
|
|
let n_bits = n.bit_length();
|
|
|
|
|
|
|
|
// XXX: The maximum limit of 4096 bits is primarily due to lack
|
|
|
|
// of testing of larger key sizes; see, in particular,
|
|
|
|
// https://www.mail-archive.com/openssl-dev@openssl.org/msg44586.html
|
|
|
|
// and
|
|
|
|
// https://www.mail-archive.com/openssl-dev@openssl.org/msg44759.html.
|
|
|
|
// Also, this limit might help with memory management decisions
|
|
|
|
// later.
|
|
|
|
let (n, e) = try!(super::check_public_modulus_and_exponent(
|
|
|
|
n, e, bits::BitLength::from_usize_bits(2048),
|
|
|
|
super::PRIVATE_KEY_PUBLIC_MODULUS_MAX_BITS));
|
|
|
|
|
2016-11-28 12:12:41 -10:00
|
|
|
let d = try!(d.into_odd_positive());
|
|
|
|
if !(e < d) {
|
|
|
|
return Err(error::Unspecified);
|
|
|
|
}
|
|
|
|
if !(d < n) {
|
|
|
|
return Err(error::Unspecified);
|
|
|
|
}
|
|
|
|
|
|
|
|
let p = try!(p.into_odd_positive());
|
|
|
|
if !(p < d) {
|
|
|
|
return Err(error::Unspecified);
|
|
|
|
}
|
|
|
|
if p.bit_length() != q.bit_length() {
|
|
|
|
return Err(error::Unspecified);
|
|
|
|
}
|
|
|
|
// XXX: |p < q| is actual OK, it seems, but our implementation
|
|
|
|
// of CRT-based moduluar exponentiation used requires that
|
|
|
|
// |q > p|. (|p == q| is just wrong.)
|
|
|
|
let q = try!(q.into_odd_positive());
|
|
|
|
if !(q < p) {
|
|
|
|
return Err(error::Unspecified);
|
|
|
|
}
|
|
|
|
|
|
|
|
// We need to prove that `dmp1` < p - 1`. If we verify
|
|
|
|
// `dmp1 < p` then we'll know that either `dmp1 == p - 1` or
|
|
|
|
// `dmp1 < p - 1`. Since `p` is odd, `p - 1` is even. `d` is
|
|
|
|
// odd, and an odd number modulo an even number is odd.
|
|
|
|
// Therefore `dmp1` must be odd. But then it cannot be `p - 1`
|
|
|
|
// and so we know `dmp1 < p - 1`.
|
|
|
|
let dmp1 = try!(dmp1.into_odd_positive());
|
|
|
|
if !(dmp1 < p) {
|
|
|
|
return Err(error::Unspecified);
|
|
|
|
}
|
|
|
|
// The same argument can be used to prove `dmq1 < q - 1`.
|
|
|
|
let dmq1 = try!(dmq1.into_odd_positive());
|
|
|
|
if !(dmq1 < q) {
|
|
|
|
return Err(error::Unspecified);
|
|
|
|
}
|
|
|
|
|
|
|
|
if !(&iqmp < &p) {
|
|
|
|
return Err(error::Unspecified);
|
|
|
|
}
|
|
|
|
|
2016-08-18 00:12:40 -10:00
|
|
|
let mut rsa = RSA {
|
2016-08-17 23:20:01 -10:00
|
|
|
e: e.into_raw(), dmp1: dmp1.into_raw(),
|
2016-11-25 12:00:48 -10:00
|
|
|
dmq1: dmq1.into_raw(),
|
2016-08-17 23:20:01 -10:00
|
|
|
mont_n: std::ptr::null_mut(), mont_p: std::ptr::null_mut(),
|
|
|
|
mont_q: std::ptr::null_mut(),
|
|
|
|
mont_qq: std::ptr::null_mut(),
|
|
|
|
qmn_mont: std::ptr::null_mut(),
|
|
|
|
iqmp_mont: std::ptr::null_mut(),
|
2016-08-18 00:12:40 -10:00
|
|
|
};
|
2016-08-17 23:20:01 -10:00
|
|
|
try!(bssl::map_result(unsafe {
|
2016-08-22 17:56:40 -10:00
|
|
|
GFp_rsa_new_end(&mut rsa, n.as_ref(), d.as_ref(),
|
2016-11-25 12:00:48 -10:00
|
|
|
p.as_ref(), q.as_ref(), iqmp.as_ref())
|
2016-08-17 23:20:01 -10:00
|
|
|
}));
|
2016-11-14 11:13:43 -10:00
|
|
|
Ok(RSAKeyPair {
|
|
|
|
rsa: rsa,
|
|
|
|
n_bits: n_bits,
|
|
|
|
})
|
2016-08-17 23:20:01 -10:00
|
|
|
})
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
|
|
|
/// Returns the length in bytes of the key pair's public modulus.
|
|
|
|
///
|
|
|
|
/// A signature has the same length as the public modulus.
|
2016-08-22 17:56:40 -10:00
|
|
|
pub fn public_modulus_len(&self) -> usize {
|
2016-11-14 11:13:43 -10:00
|
|
|
self.n_bits.as_usize_bytes_rounded_up()
|
2016-08-22 17:56:40 -10:00
|
|
|
}
|
2016-08-18 09:30:50 -10:00
|
|
|
}
|
|
|
|
|
2016-08-25 21:07:31 -10:00
|
|
|
unsafe impl Send for RSAKeyPair {}
|
|
|
|
unsafe impl Sync for RSAKeyPair {}
|
2016-08-18 09:30:50 -10:00
|
|
|
|
|
|
|
/// Needs to be kept in sync with `struct rsa_st` (in `include/openssl/rsa.h`).
|
|
|
|
#[repr(C)]
|
|
|
|
struct RSA {
|
2016-11-25 00:20:50 -10:00
|
|
|
e: *mut bigint::BIGNUM,
|
|
|
|
dmp1: *mut bigint::BIGNUM,
|
|
|
|
dmq1: *mut bigint::BIGNUM,
|
|
|
|
mont_n: *mut bigint::BN_MONT_CTX,
|
|
|
|
mont_p: *mut bigint::BN_MONT_CTX,
|
|
|
|
mont_q: *mut bigint::BN_MONT_CTX,
|
|
|
|
mont_qq: *mut bigint::BN_MONT_CTX,
|
|
|
|
qmn_mont: *mut bigint::BIGNUM,
|
|
|
|
iqmp_mont: *mut bigint::BIGNUM,
|
2016-08-18 09:30:50 -10:00
|
|
|
}
|
|
|
|
|
2016-11-12 12:04:32 -10:00
|
|
|
impl Drop for RSA {
|
|
|
|
fn drop(&mut self) {
|
|
|
|
unsafe {
|
|
|
|
GFp_BN_free(self.e);
|
|
|
|
GFp_BN_free(self.dmp1);
|
|
|
|
GFp_BN_free(self.dmq1);
|
|
|
|
GFp_BN_MONT_CTX_free(self.mont_n);
|
|
|
|
GFp_BN_MONT_CTX_free(self.mont_p);
|
|
|
|
GFp_BN_MONT_CTX_free(self.mont_q);
|
|
|
|
GFp_BN_MONT_CTX_free(self.mont_qq);
|
|
|
|
GFp_BN_free(self.qmn_mont);
|
|
|
|
GFp_BN_free(self.iqmp_mont);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2016-08-18 09:30:50 -10:00
|
|
|
|
|
|
|
/// State used for RSA Signing. Feature: `rsa_signing`.
|
|
|
|
///
|
|
|
|
/// # Performance Considerations
|
|
|
|
///
|
|
|
|
/// Every time `sign` is called, some internal state is updated. Usually the
|
|
|
|
/// state update is relatively cheap, but the first time, and periodically, a
|
|
|
|
/// relatively expensive computation (computing the modular inverse of a random
|
|
|
|
/// number modulo the public key modulus, for blinding the RSA exponentiation)
|
|
|
|
/// will be done. Reusing the same `RSASigningState` when generating multiple
|
|
|
|
/// signatures improves the computational efficiency of signing by minimizing
|
|
|
|
/// the frequency of the expensive computations.
|
|
|
|
///
|
|
|
|
/// `RSASigningState` is not `Sync`; i.e. concurrent use of an `sign()` on the
|
|
|
|
/// same `RSASigningState` from multiple threads is not allowed. An
|
|
|
|
/// `RSASigningState` can be wrapped in a `Mutex` to be shared between threads;
|
|
|
|
/// this would maximize the computational efficiency (as explained above) and
|
|
|
|
/// minimizes memory usage, but it also minimizes concurrency because all the
|
|
|
|
/// calls to `sign()` would be serialized. To increases concurrency one could
|
|
|
|
/// create multiple `RSASigningState`s that share the same `RSAKeyPair`; the
|
|
|
|
/// number of `RSASigningState` in use at once determines the concurrency
|
|
|
|
/// factor. This increases memory usage, but only by a small amount, as each
|
|
|
|
/// `RSASigningState` is much smaller than the `RSAKeyPair` that they would
|
|
|
|
/// share. Using multiple `RSASigningState` per `RSAKeyPair` may also decrease
|
|
|
|
/// computational efficiency by increasing the frequency of the expensive
|
|
|
|
/// modular inversions; managing a pool of `RSASigningState`s in a
|
|
|
|
/// most-recently-used fashion would improve the computational efficiency.
|
|
|
|
pub struct RSASigningState {
|
|
|
|
key_pair: std::sync::Arc<RSAKeyPair>,
|
|
|
|
blinding: Blinding,
|
|
|
|
}
|
|
|
|
|
|
|
|
impl RSASigningState {
|
|
|
|
/// Construct an `RSASigningState` for the given `RSAKeyPair`.
|
|
|
|
pub fn new(key_pair: std::sync::Arc<RSAKeyPair>)
|
|
|
|
-> Result<Self, error::Unspecified> {
|
2016-08-22 16:06:43 -10:00
|
|
|
let blinding = unsafe { GFp_BN_BLINDING_new() };
|
2016-08-18 09:30:50 -10:00
|
|
|
if blinding.is_null() {
|
|
|
|
return Err(error::Unspecified);
|
|
|
|
}
|
|
|
|
Ok(RSASigningState {
|
|
|
|
key_pair: key_pair,
|
|
|
|
blinding: Blinding { blinding: blinding },
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
|
|
|
/// The `RSAKeyPair`. This can be used, for example, to access the key
|
|
|
|
/// pair's public key through the `RSASigningState`.
|
|
|
|
pub fn key_pair(&self) -> &RSAKeyPair { self.key_pair.as_ref() }
|
2016-08-17 23:20:01 -10:00
|
|
|
|
|
|
|
/// Sign `msg`. `msg` is digested using the digest algorithm from
|
|
|
|
/// `padding_alg` and the digest is then padded using the padding algorithm
|
|
|
|
/// from `padding_alg`. The signature it written into `signature`;
|
|
|
|
/// `signature`'s length must be exactly the length returned by
|
|
|
|
/// `public_modulus_len()`. `rng` is used for blinding the message during
|
|
|
|
/// signing, to mitigate some side-channel (e.g. timing) attacks.
|
|
|
|
///
|
|
|
|
/// Many other crypto libraries have signing functions that takes a
|
|
|
|
/// precomputed digest as input, instead of the message to digest. This
|
|
|
|
/// function does *not* take a precomputed digest; instead, `sign`
|
|
|
|
/// calculates the digest itself.
|
|
|
|
///
|
|
|
|
/// Lots of effort has been made to make the signing operations close to
|
|
|
|
/// constant time to protect the private key from side channel attacks. On
|
|
|
|
/// x86-64, this is done pretty well, but not perfectly. On other
|
|
|
|
/// platforms, it is done less perfectly. To help mitigate the current
|
|
|
|
/// imperfections, and for defense-in-depth, base blinding is always done.
|
|
|
|
/// Exponent blinding is not done, but it may be done in the future.
|
2016-11-14 15:58:16 -10:00
|
|
|
pub fn sign(&mut self, padding_alg: &'static ::signature::RSAEncoding,
|
2016-08-17 23:20:01 -10:00
|
|
|
rng: &rand::SecureRandom, msg: &[u8], signature: &mut [u8])
|
|
|
|
-> Result<(), error::Unspecified> {
|
2016-11-14 11:13:43 -10:00
|
|
|
let mod_bits = self.key_pair.n_bits;
|
|
|
|
if signature.len() != mod_bits.as_usize_bytes_rounded_up() {
|
2016-08-17 23:20:01 -10:00
|
|
|
return Err(error::Unspecified);
|
|
|
|
}
|
|
|
|
|
2016-11-23 11:35:30 -10:00
|
|
|
let m_hash = digest::digest(padding_alg.digest_alg(), msg);
|
|
|
|
try!(padding_alg.encode(&m_hash, signature, mod_bits, rng));
|
2016-08-17 23:20:01 -10:00
|
|
|
let mut rand = rand::RAND::new(rng);
|
|
|
|
bssl::map_result(unsafe {
|
2016-08-18 09:30:50 -10:00
|
|
|
GFp_rsa_private_transform(&self.key_pair.rsa,
|
|
|
|
signature.as_mut_ptr(), signature.len(),
|
|
|
|
self.blinding.blinding, &mut rand)
|
2016-08-17 23:20:01 -10:00
|
|
|
})
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2016-08-18 09:30:50 -10:00
|
|
|
struct Blinding {
|
|
|
|
blinding: *mut BN_BLINDING,
|
|
|
|
}
|
|
|
|
|
|
|
|
impl Drop for Blinding {
|
2016-08-22 16:06:43 -10:00
|
|
|
fn drop(&mut self) { unsafe { GFp_BN_BLINDING_free(self.blinding) } }
|
2016-08-17 23:20:01 -10:00
|
|
|
}
|
|
|
|
|
2016-08-25 21:07:31 -10:00
|
|
|
unsafe impl Send for Blinding {}
|
2016-08-17 23:20:01 -10:00
|
|
|
|
|
|
|
/// Needs to be kept in sync with `bn_blinding_st` in `crypto/rsa/blinding.c`.
|
|
|
|
#[allow(non_camel_case_types)]
|
|
|
|
#[repr(C)]
|
|
|
|
struct BN_BLINDING {
|
2016-11-25 00:20:50 -10:00
|
|
|
a: *mut bigint::BIGNUM,
|
|
|
|
ai: *mut bigint::BIGNUM,
|
2016-08-17 23:20:01 -10:00
|
|
|
counter: u32,
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
extern {
|
2016-08-22 16:06:43 -10:00
|
|
|
fn GFp_BN_BLINDING_new() -> *mut BN_BLINDING;
|
|
|
|
fn GFp_BN_BLINDING_free(b: *mut BN_BLINDING);
|
2016-11-25 00:20:50 -10:00
|
|
|
fn GFp_rsa_new_end(rsa: *mut RSA, n: &bigint::BIGNUM, d: &bigint::BIGNUM,
|
|
|
|
p: &bigint::BIGNUM, q: &bigint::BIGNUM,
|
|
|
|
iqmp: &bigint::BIGNUM) -> c::int;
|
2016-08-17 23:20:01 -10:00
|
|
|
}
|
|
|
|
|
|
|
|
#[allow(improper_ctypes)]
|
|
|
|
extern {
|
|
|
|
fn GFp_rsa_private_transform(rsa: *const RSA, inout: *mut u8,
|
|
|
|
len: c::size_t, blinding: *mut BN_BLINDING,
|
|
|
|
rng: *mut rand::RAND) -> c::int;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
#[cfg(test)]
|
|
|
|
mod tests {
|
2016-11-14 15:58:16 -10:00
|
|
|
// We intentionally avoid `use super::*` so that we are sure to use only
|
|
|
|
// the public API; this ensures that enough of the API is public.
|
|
|
|
use {error, rand, signature, test};
|
2016-08-17 23:20:01 -10:00
|
|
|
use std;
|
|
|
|
use untrusted;
|
|
|
|
|
2016-08-25 21:07:31 -10:00
|
|
|
extern {
|
|
|
|
static GFp_BN_BLINDING_COUNTER: u32;
|
|
|
|
}
|
2016-08-17 23:20:01 -10:00
|
|
|
|
|
|
|
#[test]
|
|
|
|
fn test_signature_rsa_pkcs1_sign() {
|
|
|
|
let rng = rand::SystemRandom::new();
|
|
|
|
test::from_file("src/rsa/rsa_pkcs1_sign_tests.txt",
|
|
|
|
|section, test_case| {
|
2016-11-09 10:28:52 -10:00
|
|
|
assert_eq!(section, "");
|
|
|
|
|
2016-08-17 23:20:01 -10:00
|
|
|
let digest_name = test_case.consume_string("Digest");
|
2016-11-09 11:42:47 -10:00
|
|
|
let alg = match digest_name.as_ref() {
|
2016-11-14 15:58:16 -10:00
|
|
|
"SHA256" => &signature::RSA_PKCS1_SHA256,
|
|
|
|
"SHA384" => &signature::RSA_PKCS1_SHA384,
|
|
|
|
"SHA512" => &signature::RSA_PKCS1_SHA512,
|
2016-11-09 11:42:47 -10:00
|
|
|
_ => { panic!("Unsupported digest: {}", digest_name) }
|
2016-08-17 23:20:01 -10:00
|
|
|
};
|
|
|
|
|
|
|
|
let private_key = test_case.consume_bytes("Key");
|
|
|
|
let msg = test_case.consume_bytes("Msg");
|
|
|
|
let expected = test_case.consume_bytes("Sig");
|
|
|
|
let result = test_case.consume_string("Result");
|
|
|
|
|
|
|
|
let private_key = untrusted::Input::from(&private_key);
|
2016-11-14 15:58:16 -10:00
|
|
|
let key_pair = signature::RSAKeyPair::from_der(private_key);
|
2016-08-17 23:20:01 -10:00
|
|
|
if key_pair.is_err() && result == "Fail-Invalid-Key" {
|
|
|
|
return Ok(());
|
|
|
|
}
|
|
|
|
let key_pair = key_pair.unwrap();
|
2016-08-18 09:30:50 -10:00
|
|
|
let key_pair = std::sync::Arc::new(key_pair);
|
2016-08-17 23:20:01 -10:00
|
|
|
|
|
|
|
// XXX: This test is too slow on Android ARM Travis CI builds.
|
|
|
|
// TODO: re-enable these tests on Android ARM.
|
2016-11-14 15:58:16 -10:00
|
|
|
let mut signing_state =
|
|
|
|
signature::RSASigningState::new(key_pair).unwrap();
|
2016-08-17 23:20:01 -10:00
|
|
|
let mut actual: std::vec::Vec<u8> =
|
2016-08-18 09:30:50 -10:00
|
|
|
vec![0; signing_state.key_pair().public_modulus_len()];
|
|
|
|
signing_state.sign(alg, &rng, &msg, actual.as_mut_slice()).unwrap();
|
2016-08-17 23:20:01 -10:00
|
|
|
assert_eq!(actual.as_slice() == &expected[..], result == "Pass");
|
|
|
|
Ok(())
|
|
|
|
});
|
|
|
|
}
|
|
|
|
|
2016-11-13 18:06:18 -10:00
|
|
|
|
|
|
|
|
2016-08-17 23:20:01 -10:00
|
|
|
// `RSAKeyPair::sign` requires that the output buffer is the same length as
|
|
|
|
// the public key modulus. Test what happens when it isn't the same length.
|
|
|
|
#[test]
|
|
|
|
fn test_signature_rsa_pkcs1_sign_output_buffer_len() {
|
|
|
|
// Sign the message "hello, world", using PKCS#1 v1.5 padding and the
|
|
|
|
// SHA256 digest algorithm.
|
|
|
|
const MESSAGE: &'static [u8] = b"hello, world";
|
|
|
|
let rng = rand::SystemRandom::new();
|
|
|
|
|
|
|
|
const PRIVATE_KEY_DER: &'static [u8] =
|
|
|
|
include_bytes!("signature_rsa_example_private_key.der");
|
|
|
|
let key_bytes_der = untrusted::Input::from(PRIVATE_KEY_DER);
|
2016-11-14 15:58:16 -10:00
|
|
|
let key_pair = signature::RSAKeyPair::from_der(key_bytes_der).unwrap();
|
2016-08-18 09:30:50 -10:00
|
|
|
let key_pair = std::sync::Arc::new(key_pair);
|
2016-11-14 15:58:16 -10:00
|
|
|
let mut signing_state =
|
|
|
|
signature::RSASigningState::new(key_pair).unwrap();
|
2016-08-17 23:20:01 -10:00
|
|
|
|
|
|
|
// The output buffer is one byte too short.
|
2016-08-18 09:30:50 -10:00
|
|
|
let mut signature =
|
|
|
|
vec![0; signing_state.key_pair().public_modulus_len() - 1];
|
|
|
|
|
2016-11-14 15:58:16 -10:00
|
|
|
assert!(signing_state.sign(&signature::RSA_PKCS1_SHA256, &rng, MESSAGE,
|
2016-08-18 09:30:50 -10:00
|
|
|
&mut signature).is_err());
|
2016-08-17 23:20:01 -10:00
|
|
|
|
|
|
|
// The output buffer is the right length.
|
|
|
|
signature.push(0);
|
2016-11-14 15:58:16 -10:00
|
|
|
assert!(signing_state.sign(&signature::RSA_PKCS1_SHA256, &rng, MESSAGE,
|
2016-08-18 09:30:50 -10:00
|
|
|
&mut signature).is_ok());
|
2016-08-17 23:20:01 -10:00
|
|
|
|
|
|
|
|
|
|
|
// The output buffer is one byte too long.
|
|
|
|
signature.push(0);
|
2016-11-14 15:58:16 -10:00
|
|
|
assert!(signing_state.sign(&signature::RSA_PKCS1_SHA256, &rng, MESSAGE,
|
2016-08-18 09:30:50 -10:00
|
|
|
&mut signature).is_err());
|
2016-08-17 23:20:01 -10:00
|
|
|
}
|
|
|
|
|
|
|
|
// Once the `BN_BLINDING` in an `RSAKeyPair` has been used
|
|
|
|
// `GFp_BN_BLINDING_COUNTER` times, a new blinding should be created. we
|
|
|
|
// don't check that a new blinding was created; we just make sure to
|
|
|
|
// exercise the code path, so this is basically a coverage test.
|
|
|
|
#[test]
|
|
|
|
fn test_signature_rsa_pkcs1_sign_blinding_reuse() {
|
|
|
|
const MESSAGE: &'static [u8] = b"hello, world";
|
|
|
|
let rng = rand::SystemRandom::new();
|
|
|
|
|
|
|
|
const PRIVATE_KEY_DER: &'static [u8] =
|
|
|
|
include_bytes!("signature_rsa_example_private_key.der");
|
|
|
|
let key_bytes_der = untrusted::Input::from(PRIVATE_KEY_DER);
|
2016-11-14 15:58:16 -10:00
|
|
|
let key_pair = signature::RSAKeyPair::from_der(key_bytes_der).unwrap();
|
2016-08-18 09:30:50 -10:00
|
|
|
let key_pair = std::sync::Arc::new(key_pair);
|
2016-08-17 23:20:01 -10:00
|
|
|
let mut signature = vec![0; key_pair.public_modulus_len()];
|
|
|
|
|
2016-11-14 15:58:16 -10:00
|
|
|
let mut signing_state =
|
|
|
|
signature::RSASigningState::new(key_pair).unwrap();
|
2016-08-18 09:30:50 -10:00
|
|
|
|
2016-09-11 09:18:05 -10:00
|
|
|
let blinding_counter = unsafe { GFp_BN_BLINDING_COUNTER };
|
|
|
|
|
|
|
|
for _ in 0..(blinding_counter + 1) {
|
2016-08-25 21:07:31 -10:00
|
|
|
let prev_counter =
|
|
|
|
unsafe { (*signing_state.blinding.blinding).counter };
|
2016-08-17 23:20:01 -10:00
|
|
|
|
2016-11-14 15:58:16 -10:00
|
|
|
let _ = signing_state.sign(&signature::RSA_PKCS1_SHA256, &rng,
|
|
|
|
MESSAGE, &mut signature);
|
2016-08-17 23:20:01 -10:00
|
|
|
|
2016-08-25 21:07:31 -10:00
|
|
|
let counter = unsafe { (*signing_state.blinding.blinding).counter };
|
2016-08-17 23:20:01 -10:00
|
|
|
|
2016-09-11 09:18:05 -10:00
|
|
|
assert_eq!(counter, (prev_counter + 1) % blinding_counter);
|
2016-08-17 23:20:01 -10:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// In `crypto/rsa/blinding.c`, when `bn_blinding_create_param` fails to
|
|
|
|
// randomly generate an invertible blinding factor too many times in a
|
|
|
|
// loop, it returns an error. Check that we observe this.
|
|
|
|
#[test]
|
|
|
|
fn test_signature_rsa_pkcs1_sign_blinding_creation_failure() {
|
|
|
|
const MESSAGE: &'static [u8] = b"hello, world";
|
|
|
|
|
|
|
|
// Stub RNG that is constantly 0. In `bn_blinding_create_param`, this
|
|
|
|
// causes the candidate blinding factors to always be 0, which has no
|
|
|
|
// inverse, so `BN_mod_inverse_no_branch` fails.
|
2016-11-23 14:06:12 -10:00
|
|
|
let rng = test::rand::FixedByteRandom { byte: 0x00 };
|
2016-08-17 23:20:01 -10:00
|
|
|
|
|
|
|
const PRIVATE_KEY_DER: &'static [u8] =
|
|
|
|
include_bytes!("signature_rsa_example_private_key.der");
|
|
|
|
let key_bytes_der = untrusted::Input::from(PRIVATE_KEY_DER);
|
2016-11-14 15:58:16 -10:00
|
|
|
let key_pair = signature::RSAKeyPair::from_der(key_bytes_der).unwrap();
|
2016-08-18 09:30:50 -10:00
|
|
|
let key_pair = std::sync::Arc::new(key_pair);
|
2016-11-14 15:58:16 -10:00
|
|
|
let mut signing_state =
|
|
|
|
signature::RSASigningState::new(key_pair).unwrap();
|
2016-08-18 09:30:50 -10:00
|
|
|
let mut signature =
|
|
|
|
vec![0; signing_state.key_pair().public_modulus_len()];
|
2016-11-14 15:58:16 -10:00
|
|
|
let result = signing_state.sign(&signature::RSA_PKCS1_SHA256, &rng,
|
|
|
|
MESSAGE, &mut signature);
|
2016-08-17 23:20:01 -10:00
|
|
|
|
2016-08-18 09:30:50 -10:00
|
|
|
assert!(result.is_err());
|
|
|
|
}
|
2016-08-17 23:20:01 -10:00
|
|
|
|
2016-11-13 18:06:18 -10:00
|
|
|
#[cfg(feature = "rsa_signing")]
|
|
|
|
#[test]
|
|
|
|
fn test_signature_rsa_pss_sign() {
|
|
|
|
// Outputs the same value whenever a certain length is requested (the
|
|
|
|
// same as the length of the salt). Otherwise, the rng is used.
|
|
|
|
struct DeterministicSalt<'a> {
|
|
|
|
salt: &'a [u8],
|
|
|
|
rng: &'a rand::SecureRandom
|
|
|
|
}
|
|
|
|
impl<'a> rand::SecureRandom for DeterministicSalt<'a> {
|
|
|
|
fn fill(&self, dest: &mut [u8]) -> Result<(), error::Unspecified> {
|
|
|
|
let dest_len = dest.len();
|
|
|
|
if dest_len != self.salt.len() {
|
|
|
|
try!(self.rng.fill(dest));
|
|
|
|
} else {
|
|
|
|
dest.copy_from_slice(&self.salt);
|
|
|
|
}
|
|
|
|
Ok(())
|
|
|
|
}
|
|
|
|
}
|
|
|
|
let rng = rand::SystemRandom::new();
|
|
|
|
|
|
|
|
test::from_file("src/rsa/rsa_pss_sign_tests.txt", |section, test_case| {
|
|
|
|
assert_eq!(section, "");
|
|
|
|
|
|
|
|
let digest_name = test_case.consume_string("Digest");
|
|
|
|
let alg = match digest_name.as_ref() {
|
2016-11-14 15:58:16 -10:00
|
|
|
"SHA256" => &signature::RSA_PSS_SHA256,
|
|
|
|
"SHA384" => &signature::RSA_PSS_SHA384,
|
|
|
|
"SHA512" => &signature::RSA_PSS_SHA512,
|
2016-11-13 18:06:18 -10:00
|
|
|
_ => { panic!("Unsupported digest: {}", digest_name) }
|
|
|
|
};
|
|
|
|
|
|
|
|
let result = test_case.consume_string("Result");
|
|
|
|
let private_key = test_case.consume_bytes("Key");
|
|
|
|
let private_key = untrusted::Input::from(&private_key);
|
2016-11-14 15:58:16 -10:00
|
|
|
let key_pair = signature::RSAKeyPair::from_der(private_key);
|
2016-11-13 18:06:18 -10:00
|
|
|
if key_pair.is_err() && result == "Fail-Invalid-Key" {
|
|
|
|
return Ok(());
|
|
|
|
}
|
|
|
|
let key_pair = key_pair.unwrap();
|
|
|
|
let key_pair = std::sync::Arc::new(key_pair);
|
|
|
|
let msg = test_case.consume_bytes("Msg");
|
|
|
|
let salt = test_case.consume_bytes("Salt");
|
|
|
|
let expected = test_case.consume_bytes("Sig");
|
|
|
|
|
|
|
|
let new_rng = DeterministicSalt { salt: &salt, rng: &rng };
|
|
|
|
|
2016-11-14 15:58:16 -10:00
|
|
|
let mut signing_state =
|
|
|
|
signature::RSASigningState::new(key_pair).unwrap();
|
2016-11-13 18:06:18 -10:00
|
|
|
let mut actual: std::vec::Vec<u8> =
|
|
|
|
vec![0; signing_state.key_pair().public_modulus_len()];
|
|
|
|
try!(signing_state.sign(alg, &new_rng, &msg, actual.as_mut_slice()));
|
|
|
|
assert_eq!(actual.as_slice() == &expected[..], result == "Pass");
|
|
|
|
Ok(())
|
|
|
|
});
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2016-08-18 09:30:50 -10:00
|
|
|
#[test]
|
|
|
|
fn test_sync_and_send() {
|
|
|
|
const PRIVATE_KEY_DER: &'static [u8] =
|
|
|
|
include_bytes!("signature_rsa_example_private_key.der");
|
|
|
|
let key_bytes_der = untrusted::Input::from(PRIVATE_KEY_DER);
|
2016-11-14 15:58:16 -10:00
|
|
|
let key_pair = signature::RSAKeyPair::from_der(key_bytes_der).unwrap();
|
2016-08-18 09:30:50 -10:00
|
|
|
let key_pair = std::sync::Arc::new(key_pair);
|
2016-08-17 23:20:01 -10:00
|
|
|
|
2016-08-18 09:30:50 -10:00
|
|
|
let _: &Send = &key_pair;
|
2016-08-25 21:07:31 -10:00
|
|
|
let _: &Sync = &key_pair;
|
2016-08-18 09:30:50 -10:00
|
|
|
|
2016-11-14 15:58:16 -10:00
|
|
|
let signing_state = signature::RSASigningState::new(key_pair).unwrap();
|
2016-08-18 09:30:50 -10:00
|
|
|
let _: &Send = &signing_state;
|
|
|
|
// TODO: Test that signing_state is NOT Sync; i.e.
|
|
|
|
// `let _: &Sync = &signing_state;` must fail
|
2016-08-17 23:20:01 -10:00
|
|
|
}
|
|
|
|
}
|