From: Thomas Pornin Date: Wed, 23 May 2018 16:48:19 +0000 (+0200) Subject: Added stricter rule on input for RSA private key operation (mathematically correct... X-Git-Tag: v0.6~13 X-Git-Url: https://bearssl.org/gitweb//home/git/?a=commitdiff_plain;h=f81a2828787c3ae7903bff66d64d71d6362ab4e1;p=BearSSL Added stricter rule on input for RSA private key operation (mathematically correct but out-of-range values are now rejected). --- diff --git a/src/rsa/rsa_i15_priv.c b/src/rsa/rsa_i15_priv.c index e692da4..177cc3a 100644 --- a/src/rsa/rsa_i15_priv.c +++ b/src/rsa/rsa_i15_priv.c @@ -27,24 +27,6 @@ #define U (2 + ((BR_MAX_RSA_FACTOR + 14) / 15)) #define TLEN (8 * U) -/* obsolete -static void -print_int(const char *name, const uint16_t *x) -{ - extern int printf(const char *fmt, ...); - unsigned char tmp[1000]; - size_t u, len; - - len = (x[0] - (x[0] >> 4) + 7) >> 3; - br_i15_encode(tmp, len, x); - printf("%s = ", name); - for (u = 0; u < len; u ++) { - printf("%02X", tmp[u]); - } - printf("\n"); -} -*/ - /* see bearssl_rsa.h */ uint32_t br_rsa_i15_private(unsigned char *x, const br_rsa_private_key *sk) @@ -53,7 +35,7 @@ br_rsa_i15_private(unsigned char *x, const br_rsa_private_key *sk) size_t plen, qlen; size_t fwlen; uint16_t p0i, q0i; - size_t xlen; + size_t xlen, u; uint16_t tmp[1 + TLEN]; long z; uint16_t *mp, *mq, *s1, *s2, *t1, *t2, *t3; @@ -117,19 +99,56 @@ br_rsa_i15_private(unsigned char *x, const br_rsa_private_key *sk) br_i15_decode(mq, q, qlen); /* - * Compute s2 = x^dq mod q. + * Decode p. */ - q0i = br_i15_ninv15(mq[1]); - s2 = mq + fwlen; - br_i15_decode_reduce(s2, x, xlen, mq); - r = br_i15_modpow_opt(s2, sk->dq, sk->dqlen, mq, q0i, - mq + 2 * fwlen, TLEN - 2 * fwlen); + t1 = mq + fwlen; + br_i15_decode(t1, p, plen); /* - * Decode p. + * Compute the modulus (product of the two factors), to compare + * it with the source value. We use br_i15_mulacc(), since it's + * already used later on. + */ + t2 = mq + 2 * fwlen; + br_i15_zero(t2, mq[0]); + br_i15_mulacc(t2, mq, t1); + + /* + * We encode the modulus into bytes, to perform the comparison + * with bytes. We know that the product length, in bytes, is + * exactly xlen. + * The comparison actually computes the carry when subtracting + * the modulus from the source value; that carry must be 1 for + * a value in the correct range. We keep it in r, which is our + * accumulator for the error code. + */ + t3 = mq + 4 * fwlen; + br_i15_encode(t3, xlen, t2); + u = xlen; + r = 0; + while (u > 0) { + uint32_t wn, wx; + + u --; + wn = ((unsigned char *)t3)[u]; + wx = x[u]; + r = ((wx - (wn + r)) >> 8) & 1; + } + + /* + * Move the decoded p to another temporary buffer. */ mp = mq + 2 * fwlen; - br_i15_decode(mp, p, plen); + memmove(mp, t1, fwlen * sizeof *t1); + + /* + * Compute s2 = x^dq mod q. + */ + q0i = br_i15_ninv15(mq[1]); + s2 = mq + fwlen; + br_i15_decode_reduce(s2, x, xlen, mq); + r &= br_i15_modpow_opt(s2, sk->dq, sk->dqlen, mq, q0i, + mq + 3 * fwlen, TLEN - 3 * fwlen); /* * Compute s1 = x^dq mod q. diff --git a/src/rsa/rsa_i31_priv.c b/src/rsa/rsa_i31_priv.c index cb2858b..b1e1244 100644 --- a/src/rsa/rsa_i31_priv.c +++ b/src/rsa/rsa_i31_priv.c @@ -35,7 +35,7 @@ br_rsa_i31_private(unsigned char *x, const br_rsa_private_key *sk) size_t plen, qlen; size_t fwlen; uint32_t p0i, q0i; - size_t xlen; + size_t xlen, u; uint32_t tmp[1 + TLEN]; long z; uint32_t *mp, *mq, *s1, *s2, *t1, *t2, *t3; @@ -82,7 +82,7 @@ br_rsa_i31_private(unsigned char *x, const br_rsa_private_key *sk) } /* - * Compute signature length (in bytes). + * Compute modulus length (in bytes). */ xlen = (sk->n_bitlen + 7) >> 3; @@ -93,19 +93,56 @@ br_rsa_i31_private(unsigned char *x, const br_rsa_private_key *sk) br_i31_decode(mq, q, qlen); /* - * Compute s2 = x^dq mod q. + * Decode p. */ - q0i = br_i31_ninv31(mq[1]); - s2 = mq + fwlen; - br_i31_decode_reduce(s2, x, xlen, mq); - r = br_i31_modpow_opt(s2, sk->dq, sk->dqlen, mq, q0i, - mq + 2 * fwlen, TLEN - 2 * fwlen); + t1 = mq + fwlen; + br_i31_decode(t1, p, plen); /* - * Decode p. + * Compute the modulus (product of the two factors), to compare + * it with the source value. We use br_i31_mulacc(), since it's + * already used later on. + */ + t2 = mq + 2 * fwlen; + br_i31_zero(t2, mq[0]); + br_i31_mulacc(t2, mq, t1); + + /* + * We encode the modulus into bytes, to perform the comparison + * with bytes. We know that the product length, in bytes, is + * exactly xlen. + * The comparison actually computes the carry when subtracting + * the modulus from the source value; that carry must be 1 for + * a value in the correct range. We keep it in r, which is our + * accumulator for the error code. + */ + t3 = mq + 4 * fwlen; + br_i31_encode(t3, xlen, t2); + u = xlen; + r = 0; + while (u > 0) { + uint32_t wn, wx; + + u --; + wn = ((unsigned char *)t3)[u]; + wx = x[u]; + r = ((wx - (wn + r)) >> 8) & 1; + } + + /* + * Move the decoded p to another temporary buffer. */ mp = mq + 2 * fwlen; - br_i31_decode(mp, p, plen); + memmove(mp, t1, fwlen * sizeof *t1); + + /* + * Compute s2 = x^dq mod q. + */ + q0i = br_i31_ninv31(mq[1]); + s2 = mq + fwlen; + br_i31_decode_reduce(s2, x, xlen, mq); + r &= br_i31_modpow_opt(s2, sk->dq, sk->dqlen, mq, q0i, + mq + 3 * fwlen, TLEN - 3 * fwlen); /* * Compute s1 = x^dp mod p. diff --git a/src/rsa/rsa_i32_priv.c b/src/rsa/rsa_i32_priv.c index 3c08d00..05c22ec 100644 --- a/src/rsa/rsa_i32_priv.c +++ b/src/rsa/rsa_i32_priv.c @@ -35,7 +35,8 @@ br_rsa_i32_private(unsigned char *x, const br_rsa_private_key *sk) uint32_t tmp[6 * U]; uint32_t *mp, *mq, *s1, *s2, *t1, *t2, *t3; uint32_t p0i, q0i; - size_t xlen; + size_t xlen, u; + uint32_t r; /* * All our temporary buffers are from the tmp[] array. @@ -82,16 +83,22 @@ br_rsa_i32_private(unsigned char *x, const br_rsa_private_key *sk) br_i32_decode(mq, q, qlen); /* - * obsolete -- we do not compute the length of n, it is now - * an input parameter. - br_i32_zero(t3, mp[0]); - br_i32_mulacc(t3, mp, mq); - n_bitlen = br_i32_bit_length(t3 + 1, (t3[0] + 31) >> 5); - if (xlen != ((n_bitlen + 7) >> 3)) { - return 0; - } + * Recompute modulus, to compare with the source value. */ + br_i32_zero(t2, mp[0]); + br_i32_mulacc(t2, mp, mq); xlen = (sk->n_bitlen + 7) >> 3; + br_i32_encode(t2 + 2 * U, xlen, t2); + u = xlen; + r = 0; + while (u > 0) { + uint32_t wn, wx; + + u --; + wn = ((unsigned char *)(t2 + 2 * U))[u]; + wx = x[u]; + r = ((wx - (wn + r)) >> 8) & 1; + } /* * Compute s1 = x^dp mod p. @@ -149,5 +156,5 @@ br_rsa_i32_private(unsigned char *x, const br_rsa_private_key *sk) * The only error conditions remaining at that point are invalid * values for p and q (even integers). */ - return p0i & q0i & 1; + return p0i & q0i & r; } diff --git a/src/rsa/rsa_i62_priv.c b/src/rsa/rsa_i62_priv.c index ffa03c2..f0da600 100644 --- a/src/rsa/rsa_i62_priv.c +++ b/src/rsa/rsa_i62_priv.c @@ -37,7 +37,7 @@ br_rsa_i62_private(unsigned char *x, const br_rsa_private_key *sk) size_t plen, qlen; size_t fwlen; uint32_t p0i, q0i; - size_t xlen; + size_t xlen, u; uint64_t tmp[TLEN]; long z; uint32_t *mp, *mq, *s1, *s2, *t1, *t2, *t3; @@ -95,19 +95,56 @@ br_rsa_i62_private(unsigned char *x, const br_rsa_private_key *sk) br_i31_decode(mq, q, qlen); /* - * Compute s2 = x^dq mod q. + * Decode p. */ - q0i = br_i31_ninv31(mq[1]); - s2 = (uint32_t *)(tmp + fwlen); - br_i31_decode_reduce(s2, x, xlen, mq); - r = br_i62_modpow_opt(s2, sk->dq, sk->dqlen, mq, q0i, - tmp + 2 * fwlen, TLEN - 2 * fwlen); + t1 = (uint32_t *)(tmp + fwlen); + br_i31_decode(t1, p, plen); /* - * Decode p. + * Compute the modulus (product of the two factors), to compare + * it with the source value. We use br_i31_mulacc(), since it's + * already used later on. + */ + t2 = (uint32_t *)(tmp + 2 * fwlen); + br_i31_zero(t2, mq[0]); + br_i31_mulacc(t2, mq, t1); + + /* + * We encode the modulus into bytes, to perform the comparison + * with bytes. We know that the product length, in bytes, is + * exactly xlen. + * The comparison actually computes the carry when subtracting + * the modulus from the source value; that carry must be 1 for + * a value in the correct range. We keep it in r, which is our + * accumulator for the error code. + */ + t3 = (uint32_t *)(tmp + 4 * fwlen); + br_i31_encode(t3, xlen, t2); + u = xlen; + r = 0; + while (u > 0) { + uint32_t wn, wx; + + u --; + wn = ((unsigned char *)t3)[u]; + wx = x[u]; + r = ((wx - (wn + r)) >> 8) & 1; + } + + /* + * Move the decoded p to another temporary buffer. */ mp = (uint32_t *)(tmp + 2 * fwlen); - br_i31_decode(mp, p, plen); + memmove(mp, t1, 2 * fwlen * sizeof *t1); + + /* + * Compute s2 = x^dq mod q. + */ + q0i = br_i31_ninv31(mq[1]); + s2 = (uint32_t *)(tmp + fwlen); + br_i31_decode_reduce(s2, x, xlen, mq); + r &= br_i62_modpow_opt(s2, sk->dq, sk->dqlen, mq, q0i, + tmp + 3 * fwlen, TLEN - 3 * fwlen); /* * Compute s1 = x^dp mod p. diff --git a/test/test_crypto.c b/test/test_crypto.c index a8119be..41f7612 100644 --- a/test/test_crypto.c +++ b/test/test_crypto.c @@ -4720,10 +4720,413 @@ static const br_rsa_private_key RSA_SK = { (void *)RSA_IQ, sizeof RSA_IQ }; +/* + * A 2048-bit RSA key, generated with OpenSSL. + */ +static const unsigned char RSA2048_N[] = { + 0xEA, 0xB1, 0xB0, 0x87, 0x60, 0xE2, 0x69, 0xF5, + 0xC9, 0x3F, 0xCB, 0x4F, 0x9E, 0x7D, 0xD0, 0x56, + 0x54, 0x8F, 0xF5, 0x59, 0x97, 0x04, 0x3F, 0x30, + 0xE1, 0xFB, 0x7B, 0xF5, 0xA0, 0xEB, 0xA7, 0x7B, + 0x29, 0x96, 0x7B, 0x32, 0x48, 0x48, 0xA4, 0x99, + 0x90, 0x92, 0x48, 0xFB, 0xDC, 0xEC, 0x8A, 0x3B, + 0xE0, 0x57, 0x6E, 0xED, 0x1C, 0x5B, 0x78, 0xCF, + 0x07, 0x41, 0x96, 0x4C, 0x2F, 0xA2, 0xD1, 0xC8, + 0xA0, 0x5F, 0xFC, 0x2A, 0x5B, 0x3F, 0xBC, 0xD7, + 0xE6, 0x91, 0xF1, 0x44, 0xD6, 0xD8, 0x41, 0x66, + 0x3E, 0x80, 0xEE, 0x98, 0x73, 0xD5, 0x32, 0x60, + 0x7F, 0xDF, 0xBF, 0xB2, 0x0B, 0xA5, 0xCA, 0x11, + 0x88, 0x1A, 0x0E, 0xA1, 0x61, 0x4C, 0x5A, 0x70, + 0xCE, 0x12, 0xC0, 0x61, 0xF5, 0x50, 0x0E, 0xF6, + 0xC1, 0xC2, 0x88, 0x8B, 0xE5, 0xCE, 0xAE, 0x90, + 0x65, 0x23, 0xA7, 0xAD, 0xCB, 0x04, 0x17, 0x00, + 0xA2, 0xDB, 0xB0, 0x21, 0x49, 0xDD, 0x3C, 0x2E, + 0x8C, 0x47, 0x27, 0xF2, 0x84, 0x51, 0x63, 0xEB, + 0xF8, 0xAF, 0x63, 0xA7, 0x89, 0xE1, 0xF0, 0x2F, + 0xF9, 0x9C, 0x0A, 0x8A, 0xBC, 0x57, 0x05, 0xB0, + 0xEF, 0xA0, 0xDA, 0x67, 0x70, 0xAF, 0x3F, 0xA4, + 0x92, 0xFC, 0x4A, 0xAC, 0xEF, 0x89, 0x41, 0x58, + 0x57, 0x63, 0x0F, 0x6A, 0x89, 0x68, 0x45, 0x4C, + 0x20, 0xF9, 0x7F, 0x50, 0x9D, 0x8C, 0x52, 0xC4, + 0xC1, 0x33, 0xCD, 0x42, 0x35, 0x12, 0xEC, 0x82, + 0xF9, 0xC1, 0xB7, 0x60, 0x7B, 0x52, 0x61, 0xD0, + 0xAE, 0xFD, 0x4B, 0x68, 0xB1, 0x55, 0x0E, 0xAB, + 0x99, 0x24, 0x52, 0x60, 0x8E, 0xDB, 0x90, 0x34, + 0x61, 0xE3, 0x95, 0x7C, 0x34, 0x64, 0x06, 0xCB, + 0x44, 0x17, 0x70, 0x78, 0xC1, 0x1B, 0x87, 0x8F, + 0xCF, 0xB0, 0x7D, 0x93, 0x59, 0x84, 0x49, 0xF5, + 0x55, 0xBB, 0x48, 0xCA, 0xD3, 0x76, 0x1E, 0x7F +}; +static const unsigned char RSA2048_E[] = { + 0x01, 0x00, 0x01 +}; +static const unsigned char RSA2048_P[] = { + 0xF9, 0xA7, 0xB5, 0xC4, 0xE8, 0x52, 0xEC, 0xB1, + 0x33, 0x6A, 0x68, 0x32, 0x63, 0x2D, 0xBA, 0xE5, + 0x61, 0x14, 0x69, 0x82, 0xC8, 0x31, 0x14, 0xD5, + 0xC2, 0x6C, 0x1A, 0xBE, 0xA0, 0x68, 0xA6, 0xC5, + 0xEA, 0x40, 0x59, 0xFB, 0x0A, 0x30, 0x3D, 0xD5, + 0xDD, 0x94, 0xAE, 0x0C, 0x9F, 0xEE, 0x19, 0x0C, + 0xA8, 0xF2, 0x85, 0x27, 0x60, 0xAA, 0xD5, 0x7C, + 0x59, 0x91, 0x1F, 0xAF, 0x5E, 0x00, 0xC8, 0x2D, + 0xCA, 0xB4, 0x70, 0xA1, 0xF8, 0x8C, 0x0A, 0xB3, + 0x08, 0x95, 0x03, 0x9E, 0xA4, 0x6B, 0x9D, 0x55, + 0x47, 0xE0, 0xEC, 0xB3, 0x21, 0x7C, 0xE4, 0x16, + 0x91, 0xE3, 0xD7, 0x1B, 0x3D, 0x81, 0xF1, 0xED, + 0x16, 0xF9, 0x05, 0x0E, 0xA6, 0x9F, 0x37, 0x73, + 0x18, 0x1B, 0x9C, 0x9D, 0x33, 0xAD, 0x25, 0xEF, + 0x3A, 0xC0, 0x4B, 0x34, 0x24, 0xF5, 0xFD, 0x59, + 0xF5, 0x65, 0xE6, 0x92, 0x2A, 0x04, 0x06, 0x3D +}; +static const unsigned char RSA2048_Q[] = { + 0xF0, 0xA8, 0xA4, 0x20, 0xDD, 0xF3, 0x99, 0xE6, + 0x1C, 0xB1, 0x21, 0xE8, 0x66, 0x68, 0x48, 0x00, + 0x04, 0xE3, 0x21, 0xA3, 0xE8, 0xC5, 0xFD, 0x85, + 0x6D, 0x2C, 0x98, 0xE3, 0x36, 0x39, 0x3E, 0x80, + 0xB7, 0x36, 0xA5, 0xA9, 0xBB, 0xEB, 0x1E, 0xB8, + 0xEB, 0x44, 0x65, 0xE8, 0x81, 0x7D, 0xE0, 0x87, + 0xC1, 0x08, 0x94, 0xDD, 0x92, 0x40, 0xF4, 0x8B, + 0x3C, 0xB5, 0xC1, 0xAD, 0x9D, 0x4C, 0x14, 0xCD, + 0xD9, 0x2D, 0xB6, 0xE4, 0x99, 0xB3, 0x71, 0x63, + 0x64, 0xE1, 0x31, 0x7E, 0x34, 0x95, 0x96, 0x52, + 0x85, 0x27, 0xBE, 0x40, 0x10, 0x0A, 0x9E, 0x01, + 0x1C, 0xBB, 0xB2, 0x5B, 0x40, 0x85, 0x65, 0x6E, + 0xA0, 0x88, 0x73, 0xF6, 0x22, 0xCC, 0x23, 0x26, + 0x62, 0xAD, 0x92, 0x57, 0x57, 0xF4, 0xD4, 0xDF, + 0xD9, 0x7C, 0xDE, 0xAD, 0xD2, 0x1F, 0x32, 0x29, + 0xBA, 0xE7, 0xE2, 0x32, 0xA1, 0xA0, 0xBF, 0x6B +}; +static const unsigned char RSA2048_DP[] = { + 0xB2, 0xF9, 0xD7, 0x66, 0xC5, 0x83, 0x05, 0x6A, + 0x77, 0xC8, 0xB5, 0xD0, 0x41, 0xA7, 0xBC, 0x0F, + 0xCB, 0x4B, 0xFD, 0xE4, 0x23, 0x2E, 0x84, 0x98, + 0x46, 0x1C, 0x88, 0x03, 0xD7, 0x2D, 0x8F, 0x39, + 0xDD, 0x98, 0xAA, 0xA9, 0x3D, 0x01, 0x9E, 0xA2, + 0xDE, 0x8A, 0x43, 0x48, 0x8B, 0xB2, 0xFE, 0xC4, + 0x43, 0xAE, 0x31, 0x65, 0x2C, 0x78, 0xEC, 0x39, + 0x8C, 0x60, 0x6C, 0xCD, 0xA4, 0xDF, 0x7C, 0xA2, + 0xCF, 0x6A, 0x12, 0x41, 0x1B, 0xD5, 0x11, 0xAA, + 0x8D, 0xE1, 0x7E, 0x49, 0xD1, 0xE7, 0xD0, 0x50, + 0x1E, 0x0A, 0x92, 0xC6, 0x4C, 0xA0, 0xA3, 0x47, + 0xC6, 0xE9, 0x07, 0x01, 0xE1, 0x53, 0x72, 0x23, + 0x9D, 0x4F, 0x82, 0x9F, 0xA1, 0x36, 0x0D, 0x63, + 0x76, 0x89, 0xFC, 0xF9, 0xF9, 0xDD, 0x0C, 0x8F, + 0xF7, 0x97, 0x79, 0x92, 0x75, 0x58, 0xE0, 0x7B, + 0x08, 0x61, 0x38, 0x2D, 0xDA, 0xEF, 0x2D, 0xA5 +}; +static const unsigned char RSA2048_DQ[] = { + 0x8B, 0x69, 0x56, 0x33, 0x08, 0x00, 0x8F, 0x3D, + 0xC3, 0x8F, 0x45, 0x52, 0x48, 0xC8, 0xCE, 0x34, + 0xDC, 0x9F, 0xEB, 0x23, 0xF5, 0xBB, 0x84, 0x62, + 0xDF, 0xDC, 0xBE, 0xF0, 0x98, 0xBF, 0xCE, 0x9A, + 0x68, 0x08, 0x4B, 0x2D, 0xA9, 0x83, 0xC9, 0xF7, + 0x5B, 0xAA, 0xF2, 0xD2, 0x1E, 0xF9, 0x99, 0xB1, + 0x6A, 0xBC, 0x9A, 0xE8, 0x44, 0x4A, 0x46, 0x9F, + 0xC6, 0x5A, 0x90, 0x49, 0x0F, 0xDF, 0x3C, 0x0A, + 0x07, 0x6E, 0xB9, 0x0D, 0x72, 0x90, 0x85, 0xF6, + 0x0B, 0x41, 0x7D, 0x17, 0x5C, 0x44, 0xEF, 0xA0, + 0xFC, 0x2C, 0x0A, 0xC5, 0x37, 0xC5, 0xBE, 0xC4, + 0x6C, 0x2D, 0xBB, 0x63, 0xAB, 0x5B, 0xDB, 0x67, + 0x9B, 0xAD, 0x90, 0x67, 0x9C, 0xBE, 0xDE, 0xF9, + 0xE4, 0x9E, 0x22, 0x31, 0x60, 0xED, 0x9E, 0xC7, + 0xD2, 0x48, 0xC9, 0x02, 0xAE, 0xBF, 0x8D, 0xA2, + 0xA8, 0xF8, 0x9D, 0x8B, 0xB1, 0x1F, 0xDA, 0xE3 +}; +static const unsigned char RSA2048_IQ[] = { + 0xB5, 0x48, 0xD4, 0x48, 0x5A, 0x33, 0xCD, 0x13, + 0xFE, 0xC6, 0xF7, 0x01, 0x0A, 0x3E, 0x40, 0xA3, + 0x45, 0x94, 0x6F, 0x85, 0xE4, 0x68, 0x66, 0xEC, + 0x69, 0x6A, 0x3E, 0xE0, 0x62, 0x3F, 0x0C, 0xEF, + 0x21, 0xCC, 0xDA, 0xAD, 0x75, 0x98, 0x12, 0xCA, + 0x9E, 0x31, 0xDD, 0x95, 0x0D, 0xBD, 0x55, 0xEB, + 0x92, 0xF7, 0x9E, 0xBD, 0xFC, 0x28, 0x35, 0x96, + 0x31, 0xDC, 0x53, 0x80, 0xA3, 0x57, 0x89, 0x3C, + 0x4A, 0xEC, 0x40, 0x75, 0x13, 0xAC, 0x4F, 0x36, + 0x3A, 0x86, 0x9A, 0xA6, 0x58, 0xC9, 0xED, 0xCB, + 0xD6, 0xBB, 0xB2, 0xD9, 0xAA, 0x04, 0xC4, 0xE8, + 0x47, 0x3E, 0xBD, 0x14, 0x9B, 0x8F, 0x61, 0x70, + 0x69, 0x66, 0x23, 0x62, 0x18, 0xE3, 0x52, 0x98, + 0xE3, 0x22, 0xE9, 0x6F, 0xDA, 0x28, 0x68, 0x08, + 0xB8, 0xB9, 0x8B, 0x97, 0x8B, 0x77, 0x3F, 0xCA, + 0x9D, 0x9D, 0xBE, 0xD5, 0x2D, 0x3E, 0xC2, 0x11 +}; + +static const br_rsa_public_key RSA2048_PK = { + (void *)RSA2048_N, sizeof RSA2048_N, + (void *)RSA2048_E, sizeof RSA2048_E +}; + +static const br_rsa_private_key RSA2048_SK = { + 2048, + (void *)RSA2048_P, sizeof RSA2048_P, + (void *)RSA2048_Q, sizeof RSA2048_Q, + (void *)RSA2048_DP, sizeof RSA2048_DP, + (void *)RSA2048_DQ, sizeof RSA2048_DQ, + (void *)RSA2048_IQ, sizeof RSA2048_IQ +}; + +/* + * A 4096-bit RSA key, generated with OpenSSL. + */ +static const unsigned char RSA4096_N[] = { + 0xAA, 0x17, 0x71, 0xBC, 0x92, 0x3E, 0xB5, 0xBD, + 0x3E, 0x64, 0xCF, 0x03, 0x9B, 0x24, 0x65, 0x33, + 0x5F, 0xB4, 0x47, 0x89, 0xE5, 0x63, 0xE4, 0xA0, + 0x5A, 0x51, 0x95, 0x07, 0x73, 0xEE, 0x00, 0xF6, + 0x3E, 0x31, 0x0E, 0xDA, 0x15, 0xC3, 0xAA, 0x21, + 0x6A, 0xCD, 0xFF, 0x46, 0x6B, 0xDF, 0x0A, 0x7F, + 0x8A, 0xC2, 0x25, 0x19, 0x47, 0x44, 0xD8, 0x52, + 0xC1, 0x56, 0x25, 0x6A, 0xE0, 0xD2, 0x61, 0x11, + 0x2C, 0xF7, 0x73, 0x9F, 0x5F, 0x74, 0xAA, 0xDD, + 0xDE, 0xAF, 0x81, 0xF6, 0x0C, 0x1A, 0x3A, 0xF9, + 0xC5, 0x47, 0x82, 0x75, 0x1D, 0x41, 0xF0, 0xB2, + 0xFD, 0xBA, 0xE2, 0xA4, 0xA1, 0xB8, 0x32, 0x48, + 0x06, 0x0D, 0x29, 0x2F, 0x44, 0x14, 0xF5, 0xAC, + 0x54, 0x83, 0xC4, 0xB6, 0x85, 0x85, 0x9B, 0x1C, + 0x05, 0x61, 0x28, 0x62, 0x24, 0xA8, 0xF0, 0xE6, + 0x80, 0xA7, 0x91, 0xE8, 0xC7, 0x8E, 0x52, 0x17, + 0xBE, 0xAF, 0xC6, 0x0A, 0xA3, 0xFB, 0xD1, 0x04, + 0x15, 0x3B, 0x14, 0x35, 0xA5, 0x41, 0xF5, 0x30, + 0xFE, 0xEF, 0x53, 0xA7, 0x89, 0x91, 0x78, 0x30, + 0xBE, 0x3A, 0xB1, 0x4B, 0x2E, 0x4A, 0x0E, 0x25, + 0x1D, 0xCF, 0x51, 0x54, 0x52, 0xF1, 0x88, 0x85, + 0x36, 0x23, 0xDE, 0xBA, 0x66, 0x25, 0x60, 0x8D, + 0x45, 0xD7, 0xD8, 0x10, 0x41, 0x64, 0xC7, 0x4B, + 0xCE, 0x72, 0x13, 0xD7, 0x20, 0xF8, 0x2A, 0x74, + 0xA5, 0x05, 0xF4, 0x5A, 0x90, 0xF4, 0x9C, 0xE7, + 0xC9, 0xCF, 0x1E, 0xD5, 0x9C, 0xAC, 0xE5, 0x00, + 0x83, 0x73, 0x9F, 0xE7, 0xC6, 0x93, 0xC0, 0x06, + 0xA7, 0xB8, 0xF8, 0x46, 0x90, 0xC8, 0x78, 0x27, + 0x2E, 0xCC, 0xC0, 0x2A, 0x20, 0xC5, 0xFC, 0x63, + 0x22, 0xA1, 0xD6, 0x16, 0xAD, 0x9C, 0xD6, 0xFC, + 0x7A, 0x6E, 0x9C, 0x98, 0x51, 0xEE, 0x6B, 0x6D, + 0x8F, 0xEF, 0xCE, 0x7C, 0x5D, 0x16, 0xB0, 0xCE, + 0x9C, 0xEE, 0x92, 0xCF, 0xB7, 0xEB, 0x41, 0x36, + 0x3A, 0x6C, 0xF2, 0x0D, 0x26, 0x11, 0x2F, 0x6C, + 0x27, 0x62, 0xA2, 0xCC, 0x63, 0x53, 0xBD, 0xFC, + 0x9F, 0xBE, 0x9B, 0xBD, 0xE5, 0xA7, 0xDA, 0xD4, + 0xF8, 0xED, 0x5E, 0x59, 0x2D, 0xAC, 0xCD, 0x13, + 0xEB, 0xE5, 0x9E, 0x39, 0x82, 0x8B, 0xFD, 0xA8, + 0xFB, 0xCB, 0x86, 0x27, 0xC7, 0x4B, 0x4C, 0xD0, + 0xBA, 0x12, 0xD0, 0x76, 0x1A, 0xDB, 0x30, 0xC5, + 0xB3, 0x2C, 0x4C, 0xC5, 0x32, 0x03, 0x05, 0x67, + 0x8D, 0xD0, 0x14, 0x37, 0x59, 0x2B, 0xE3, 0x1C, + 0x25, 0x3E, 0xA5, 0xE4, 0xF1, 0x0D, 0x34, 0xBB, + 0xD5, 0xF6, 0x76, 0x45, 0x5B, 0x0F, 0x1E, 0x07, + 0x0A, 0xBA, 0x9D, 0x71, 0x87, 0xDE, 0x45, 0x50, + 0xE5, 0x0F, 0x32, 0xBB, 0x5C, 0x32, 0x2D, 0x40, + 0xCD, 0x19, 0x95, 0x4E, 0xC5, 0x54, 0x3A, 0x9A, + 0x46, 0x9B, 0x85, 0xFE, 0x53, 0xB7, 0xD8, 0x65, + 0x6D, 0x68, 0x0C, 0xBB, 0xE3, 0x3D, 0x8E, 0x64, + 0xBE, 0x27, 0x15, 0xAB, 0x12, 0x20, 0xD9, 0x84, + 0xF5, 0x02, 0xE4, 0xBB, 0xDD, 0xAB, 0x59, 0x51, + 0xF4, 0xE1, 0x79, 0xBE, 0xB8, 0xA3, 0x8E, 0xD1, + 0x1C, 0xB0, 0xFA, 0x48, 0x76, 0xC2, 0x9D, 0x7A, + 0x01, 0xA5, 0xAF, 0x8C, 0xBA, 0xAA, 0x4C, 0x06, + 0x2B, 0x0A, 0x62, 0xF0, 0x79, 0x5B, 0x42, 0xFC, + 0xF8, 0xBF, 0xD4, 0xDD, 0x62, 0x32, 0xE3, 0xCE, + 0xF1, 0x2C, 0xE6, 0xED, 0xA8, 0x8A, 0x41, 0xA3, + 0xC1, 0x1E, 0x07, 0xB6, 0x43, 0x10, 0x80, 0xB7, + 0xF3, 0xD0, 0x53, 0x2A, 0x9A, 0x98, 0xA7, 0x4F, + 0x9E, 0xA3, 0x3E, 0x1B, 0xDA, 0x93, 0x15, 0xF2, + 0xF4, 0x20, 0xA5, 0xA8, 0x4F, 0x8A, 0xBA, 0xED, + 0xB1, 0x17, 0x6C, 0x0F, 0xD9, 0x8F, 0x38, 0x11, + 0xF3, 0xD9, 0x5E, 0x88, 0xA1, 0xA1, 0x82, 0x8B, + 0x30, 0xD7, 0xC6, 0xCE, 0x4E, 0x30, 0x55, 0x57 +}; +static const unsigned char RSA4096_E[] = { + 0x01, 0x00, 0x01 +}; +static const unsigned char RSA4096_P[] = { + 0xD3, 0x7A, 0x22, 0xD8, 0x9B, 0xBF, 0x42, 0xB4, + 0x53, 0x04, 0x10, 0x6A, 0x84, 0xFD, 0x7C, 0x1D, + 0xF6, 0xF4, 0x10, 0x65, 0xAA, 0xE5, 0xE1, 0x4E, + 0xB4, 0x37, 0xF7, 0xAC, 0xF7, 0xD3, 0xB2, 0x3B, + 0xFE, 0xE7, 0x63, 0x42, 0xE9, 0xF0, 0x3C, 0xE0, + 0x42, 0xB4, 0xBB, 0x09, 0xD0, 0xB2, 0x7C, 0x70, + 0xA4, 0x11, 0x97, 0x90, 0x01, 0xD0, 0x0E, 0x7B, + 0xAF, 0x7D, 0x30, 0x4E, 0x6B, 0x3A, 0xCC, 0x50, + 0x4E, 0xAF, 0x2F, 0xC3, 0xC2, 0x4F, 0x7E, 0xC5, + 0xB3, 0x76, 0x33, 0xFB, 0xA7, 0xB1, 0x96, 0xA5, + 0x46, 0x41, 0xC6, 0xDA, 0x5A, 0xFD, 0x17, 0x0A, + 0x6A, 0x86, 0x54, 0x83, 0xE1, 0x57, 0xE7, 0xAF, + 0x8C, 0x42, 0xE5, 0x39, 0xF2, 0xC7, 0xFC, 0x4A, + 0x3D, 0x3C, 0x94, 0x89, 0xC2, 0xC6, 0x2D, 0x0A, + 0x5F, 0xD0, 0x21, 0x23, 0x5C, 0xC9, 0xC8, 0x44, + 0x8A, 0x96, 0x72, 0x4D, 0x96, 0xC6, 0x17, 0x0C, + 0x36, 0x43, 0x7F, 0xD8, 0xA0, 0x7A, 0x31, 0x7E, + 0xCE, 0x13, 0xE3, 0x13, 0x2E, 0xE0, 0x91, 0xC2, + 0x61, 0x13, 0x16, 0x8D, 0x99, 0xCB, 0xA9, 0x2C, + 0x4D, 0x9D, 0xDD, 0x1D, 0x03, 0xE7, 0xA7, 0x50, + 0xF4, 0x16, 0x43, 0xB1, 0x7F, 0x99, 0x61, 0x3F, + 0xA5, 0x59, 0x91, 0x16, 0xC3, 0x06, 0x63, 0x59, + 0xE9, 0xDA, 0xB5, 0x06, 0x2E, 0x0C, 0xD9, 0xAB, + 0x93, 0x89, 0x12, 0x82, 0xFB, 0x90, 0xD9, 0x30, + 0x60, 0xF7, 0x35, 0x2D, 0x18, 0x78, 0xEB, 0x2B, + 0xA1, 0x06, 0x67, 0x37, 0xDE, 0x72, 0x20, 0xD2, + 0x80, 0xE5, 0x2C, 0xD7, 0x5E, 0xC7, 0x67, 0x2D, + 0x40, 0xE7, 0x7A, 0xCF, 0x4A, 0x69, 0x9D, 0xA7, + 0x90, 0x9F, 0x3B, 0xDF, 0x07, 0x97, 0x64, 0x69, + 0x06, 0x4F, 0xBA, 0xF4, 0xE5, 0xBD, 0x71, 0x60, + 0x36, 0xB7, 0xA3, 0xDE, 0x76, 0xC5, 0x38, 0xD7, + 0x1D, 0x9A, 0xFC, 0x36, 0x3D, 0x3B, 0xDC, 0xCF +}; +static const unsigned char RSA4096_Q[] = { + 0xCD, 0xE6, 0xC6, 0xA6, 0x42, 0x4C, 0x45, 0x65, + 0x8B, 0x85, 0x76, 0xFC, 0x21, 0xB6, 0x57, 0x79, + 0x3C, 0xE4, 0xE3, 0x85, 0x55, 0x2F, 0x59, 0xD3, + 0x3F, 0x74, 0xAF, 0x9F, 0x11, 0x04, 0x10, 0x8B, + 0xF9, 0x5F, 0x4D, 0x25, 0xEE, 0x20, 0xF9, 0x69, + 0x3B, 0x02, 0xB6, 0x43, 0x0D, 0x0C, 0xED, 0x30, + 0x31, 0x57, 0xE7, 0x9A, 0x57, 0x24, 0x6B, 0x4A, + 0x5E, 0xA2, 0xBF, 0xD4, 0x47, 0x7D, 0xFA, 0x78, + 0x51, 0x86, 0x80, 0x68, 0x85, 0x7C, 0x7B, 0x08, + 0x4A, 0x35, 0x24, 0x4F, 0x8B, 0x24, 0x49, 0xF8, + 0x16, 0x06, 0x9C, 0x57, 0x4E, 0x94, 0x4C, 0xBD, + 0x6E, 0x53, 0x52, 0xC9, 0xC1, 0x64, 0x43, 0x22, + 0x1E, 0xDD, 0xEB, 0xAC, 0x90, 0x58, 0xCA, 0xBA, + 0x9C, 0xAC, 0xCF, 0xDD, 0x08, 0x6D, 0xB7, 0x31, + 0xDB, 0x0D, 0x83, 0xE6, 0x50, 0xA6, 0x69, 0xB1, + 0x1C, 0x68, 0x92, 0xB4, 0xB5, 0x76, 0xDE, 0xBD, + 0x4F, 0xA5, 0x30, 0xED, 0x23, 0xFF, 0xE5, 0x80, + 0x21, 0xAB, 0xED, 0xE6, 0xDC, 0x32, 0x3D, 0xF7, + 0x45, 0xB8, 0x19, 0x3D, 0x8E, 0x15, 0x7C, 0xE5, + 0x0D, 0xC8, 0x9B, 0x7D, 0x1F, 0x7C, 0x14, 0x14, + 0x41, 0x09, 0xA7, 0xEB, 0xFB, 0xD9, 0x5F, 0x9A, + 0x94, 0xB6, 0xD5, 0xA0, 0x2C, 0xAF, 0xB5, 0xEF, + 0x5C, 0x5A, 0x8E, 0x34, 0xA1, 0x8F, 0xEB, 0x38, + 0x0F, 0x31, 0x6E, 0x45, 0x21, 0x7A, 0xAA, 0xAF, + 0x6C, 0xB1, 0x8E, 0xB2, 0xB9, 0xD4, 0x1E, 0xEF, + 0x66, 0xD8, 0x4E, 0x3D, 0xF2, 0x0C, 0xF1, 0xBA, + 0xFB, 0xA9, 0x27, 0xD2, 0x45, 0x54, 0x83, 0x4B, + 0x10, 0xC4, 0x9A, 0x32, 0x9C, 0xC7, 0x9A, 0xCF, + 0x4E, 0xBF, 0x07, 0xFC, 0x27, 0xB7, 0x96, 0x1D, + 0xDE, 0x9D, 0xE4, 0x84, 0x68, 0x00, 0x9A, 0x9F, + 0x3D, 0xE6, 0xC7, 0x26, 0x11, 0x48, 0x79, 0xFA, + 0x09, 0x76, 0xC8, 0x25, 0x3A, 0xE4, 0x70, 0xF9 +}; +static const unsigned char RSA4096_DP[] = { + 0x5C, 0xE3, 0x3E, 0xBF, 0x09, 0xD9, 0xFE, 0x80, + 0x9A, 0x1E, 0x24, 0xDF, 0xC4, 0xBE, 0x5A, 0x70, + 0x06, 0xF2, 0xB8, 0xE9, 0x0F, 0x21, 0x9D, 0xCF, + 0x26, 0x15, 0x97, 0x32, 0x60, 0x40, 0x99, 0xFF, + 0x04, 0x3D, 0xBA, 0x39, 0xBF, 0xEB, 0x87, 0xB1, + 0xB1, 0x5B, 0x14, 0xF4, 0x80, 0xB8, 0x85, 0x34, + 0x2C, 0xBC, 0x95, 0x67, 0xE9, 0x83, 0xEB, 0x78, + 0xA4, 0x62, 0x46, 0x7F, 0x8B, 0x55, 0xEE, 0x3C, + 0x2F, 0xF3, 0x7E, 0xF5, 0x6B, 0x39, 0xE3, 0xA3, + 0x0E, 0xEA, 0x92, 0x76, 0xAC, 0xF7, 0xB2, 0x05, + 0xB2, 0x50, 0x5D, 0xF9, 0xB7, 0x11, 0x87, 0xB7, + 0x49, 0x86, 0xEB, 0x44, 0x6A, 0x0C, 0x64, 0x75, + 0x95, 0x14, 0x24, 0xFF, 0x49, 0x06, 0x52, 0x68, + 0x81, 0x71, 0x44, 0x85, 0x26, 0x0A, 0x49, 0xEA, + 0x4E, 0x9F, 0x6A, 0x8E, 0xCF, 0xC8, 0xC9, 0xB0, + 0x61, 0x77, 0x27, 0x89, 0xB0, 0xFA, 0x1D, 0x51, + 0x7D, 0xDC, 0x34, 0x21, 0x80, 0x8B, 0x6B, 0x86, + 0x19, 0x1A, 0x5F, 0x19, 0x23, 0xF3, 0xFB, 0xD1, + 0xF7, 0x35, 0x9D, 0x28, 0x61, 0x2F, 0x35, 0x85, + 0x82, 0x2A, 0x1E, 0xDF, 0x09, 0xC2, 0x0C, 0x99, + 0xE0, 0x3C, 0x8F, 0x4B, 0x3D, 0x92, 0xAF, 0x46, + 0x77, 0x68, 0x59, 0xF4, 0x37, 0x81, 0x6C, 0xCE, + 0x27, 0x8B, 0xAB, 0x0B, 0xA5, 0xDA, 0x7B, 0x19, + 0x83, 0xDA, 0x27, 0x49, 0x65, 0x1A, 0x00, 0x6B, + 0xE1, 0x8B, 0x73, 0xCD, 0xF4, 0xFB, 0xD7, 0xBF, + 0xF8, 0x20, 0x89, 0xE1, 0xDE, 0x51, 0x1E, 0xDD, + 0x97, 0x44, 0x12, 0x68, 0x1E, 0xF7, 0x52, 0xF8, + 0x6B, 0x93, 0xC1, 0x3B, 0x9F, 0xA1, 0xB8, 0x5F, + 0xCB, 0x84, 0x45, 0x95, 0xF7, 0x0D, 0xA6, 0x4B, + 0x03, 0x3C, 0xAE, 0x0F, 0xB7, 0x81, 0x78, 0x75, + 0x1C, 0x53, 0x99, 0x24, 0xB3, 0xE2, 0x78, 0xCE, + 0xF3, 0xF0, 0x09, 0x6C, 0x01, 0x85, 0x73, 0xBD +}; +static const unsigned char RSA4096_DQ[] = { + 0xCD, 0x88, 0xAC, 0x8B, 0x92, 0x6A, 0xA8, 0x6B, + 0x71, 0x16, 0xCD, 0x6B, 0x6A, 0x0B, 0xA6, 0xCD, + 0xF3, 0x27, 0x58, 0xA6, 0xE4, 0x1D, 0xDC, 0x40, + 0xAF, 0x7B, 0x3F, 0x44, 0x3D, 0xAC, 0x1D, 0x08, + 0x5C, 0xE9, 0xF1, 0x0D, 0x07, 0xE4, 0x0A, 0x94, + 0x2C, 0xBF, 0xCC, 0x48, 0xAA, 0x62, 0x58, 0xF2, + 0x5E, 0x8F, 0x2D, 0x36, 0x37, 0xFE, 0xB6, 0xCB, + 0x0A, 0x24, 0xD3, 0xF0, 0x87, 0x5D, 0x0E, 0x05, + 0xC4, 0xFB, 0xCA, 0x7A, 0x8B, 0xA5, 0x72, 0xFB, + 0x17, 0x78, 0x6C, 0xC2, 0xAA, 0x56, 0x93, 0x2F, + 0xFE, 0x6C, 0xA2, 0xEB, 0xD4, 0x18, 0xDD, 0x71, + 0xCB, 0x0B, 0x89, 0xFC, 0xB3, 0xFB, 0xED, 0xB7, + 0xC5, 0xB0, 0x29, 0x6D, 0x9C, 0xB9, 0xC5, 0xC4, + 0xFA, 0x58, 0xD7, 0x36, 0x01, 0x0F, 0xE4, 0x6A, + 0xF4, 0x0B, 0x4D, 0xBB, 0x3E, 0x8E, 0x9F, 0xBA, + 0x98, 0x6D, 0x1A, 0xE5, 0x20, 0xAF, 0x84, 0x30, + 0xDD, 0xAC, 0x3C, 0x66, 0xBC, 0x24, 0xD9, 0x67, + 0x4A, 0x35, 0x61, 0xC9, 0xAD, 0xCC, 0xC9, 0x66, + 0x68, 0x46, 0x19, 0x8C, 0x04, 0xA5, 0x16, 0x83, + 0x5F, 0x7A, 0xFD, 0x1B, 0xAD, 0xAE, 0x22, 0x2D, + 0x05, 0xAF, 0x29, 0xDC, 0xBB, 0x0E, 0x86, 0x0C, + 0xBC, 0x9E, 0xB6, 0x28, 0xA9, 0xF2, 0xCC, 0x5E, + 0x1F, 0x86, 0x95, 0xA5, 0x9C, 0x11, 0x19, 0xF0, + 0x5F, 0xDA, 0x2C, 0x04, 0xFE, 0x22, 0x80, 0xF7, + 0x94, 0x3C, 0xBA, 0x01, 0x56, 0xD6, 0x93, 0xFA, + 0xCE, 0x62, 0xE5, 0xD7, 0x98, 0x23, 0xAB, 0xB9, + 0xC7, 0x35, 0x57, 0xF6, 0xE2, 0x16, 0x36, 0xE9, + 0x5B, 0xD7, 0xA5, 0x45, 0x18, 0x93, 0x77, 0xC9, + 0xB1, 0x05, 0xA8, 0x66, 0xE1, 0x0E, 0xB5, 0xDF, + 0x23, 0x35, 0xE1, 0xC2, 0xFA, 0x3E, 0x80, 0x1A, + 0xAD, 0xA4, 0x0C, 0xEF, 0xC7, 0x18, 0xDE, 0x09, + 0xE6, 0x20, 0x98, 0x31, 0xF1, 0xD3, 0xCF, 0xA1 +}; +static const unsigned char RSA4096_IQ[] = { + 0x76, 0xD7, 0x75, 0xDF, 0xA3, 0x0C, 0x9D, 0x64, + 0x6E, 0x00, 0x82, 0x2E, 0x5C, 0x5E, 0x43, 0xC4, + 0xD2, 0x28, 0xB0, 0xB1, 0xA8, 0xD8, 0x26, 0x91, + 0xA0, 0xF5, 0xC8, 0x69, 0xFF, 0x24, 0x33, 0xAB, + 0x67, 0xC7, 0xA3, 0xAE, 0xBB, 0x17, 0x27, 0x5B, + 0x5A, 0xCD, 0x67, 0xA3, 0x70, 0x91, 0x9E, 0xD5, + 0xF1, 0x97, 0x00, 0x0A, 0x30, 0x64, 0x3D, 0x9B, + 0xBF, 0xB5, 0x8C, 0xAC, 0xC7, 0x20, 0x0A, 0xD2, + 0x76, 0x36, 0x36, 0x5D, 0xE4, 0xAC, 0x5D, 0xBC, + 0x44, 0x32, 0xB0, 0x76, 0x33, 0x40, 0xDD, 0x29, + 0x22, 0xE0, 0xFF, 0x55, 0x4C, 0xCE, 0x3F, 0x43, + 0x34, 0x95, 0x94, 0x7C, 0x22, 0x0D, 0xAB, 0x20, + 0x38, 0x70, 0xC3, 0x4A, 0x19, 0xCF, 0x81, 0xCE, + 0x79, 0x28, 0x6C, 0xC2, 0xA3, 0xB3, 0x48, 0x20, + 0x2D, 0x3E, 0x74, 0x45, 0x2C, 0xAA, 0x9F, 0xA5, + 0xC2, 0xE3, 0x2D, 0x41, 0x95, 0xBD, 0x78, 0xAB, + 0x6A, 0xA8, 0x7A, 0x45, 0x52, 0xE2, 0x66, 0xE7, + 0x6C, 0x38, 0x03, 0xA5, 0xDA, 0xAD, 0x94, 0x3C, + 0x6A, 0xA1, 0xA2, 0xD5, 0xCD, 0xDE, 0x05, 0xCC, + 0x6E, 0x3D, 0x8A, 0xF6, 0x9A, 0xA5, 0x0F, 0xA9, + 0x18, 0xC4, 0xF9, 0x9C, 0x2F, 0xB3, 0xF1, 0x30, + 0x38, 0x60, 0x69, 0x09, 0x67, 0x2C, 0xE9, 0x42, + 0x68, 0x3C, 0x70, 0x32, 0x1A, 0x44, 0x32, 0x02, + 0x82, 0x9F, 0x60, 0xE8, 0xA4, 0x42, 0x74, 0xA2, + 0xA2, 0x5A, 0x99, 0xDC, 0xC8, 0xCA, 0x15, 0x4D, + 0xFF, 0xF1, 0x8A, 0x23, 0xD8, 0xD3, 0xB1, 0x9A, + 0xB4, 0x0B, 0xBB, 0xE8, 0x38, 0x74, 0x0C, 0x52, + 0xC7, 0x8B, 0x63, 0x4C, 0xEA, 0x7D, 0x5F, 0x58, + 0x34, 0x53, 0x3E, 0x23, 0x10, 0xBB, 0x60, 0x6B, + 0x52, 0x9D, 0x89, 0x9F, 0xF0, 0x5F, 0xCE, 0xB3, + 0x9C, 0x0E, 0x75, 0x0F, 0x87, 0xF6, 0x66, 0xA5, + 0x4C, 0x94, 0x84, 0xFE, 0x94, 0xB9, 0x04, 0xB7 +}; + +static const br_rsa_public_key RSA4096_PK = { + (void *)RSA4096_N, sizeof RSA4096_N, + (void *)RSA4096_E, sizeof RSA4096_E +}; + +static const br_rsa_private_key RSA4096_SK = { + 4096, + (void *)RSA4096_P, sizeof RSA4096_P, + (void *)RSA4096_Q, sizeof RSA4096_Q, + (void *)RSA4096_DP, sizeof RSA4096_DP, + (void *)RSA4096_DQ, sizeof RSA4096_DQ, + (void *)RSA4096_IQ, sizeof RSA4096_IQ +}; + static void test_RSA_core(const char *name, br_rsa_public fpub, br_rsa_private fpriv) { - unsigned char t1[128], t2[128], t3[128]; + unsigned char t1[512], t2[512], t3[512]; + size_t len; printf("Test %s: ", name); fflush(stdout); @@ -4731,19 +5134,104 @@ test_RSA_core(const char *name, br_rsa_public fpub, br_rsa_private fpriv) /* * A KAT test (computed with OpenSSL). */ - hextobin(t1, "45A3DC6A106BCD3BD0E48FB579643AA3FF801E5903E80AA9B43A695A8E7F454E93FA208B69995FF7A6D5617C2FEB8E546375A664977A48931842AAE796B5A0D64393DCA35F3490FC157F5BD83B9D58C2F7926E6AE648A2BD96CAB8FCCD3D35BB11424AD47D973FF6D69CA774841AEC45DFAE99CCF79893E7047FDE6CB00AA76D"); + len = hextobin(t1, "45A3DC6A106BCD3BD0E48FB579643AA3FF801E5903E80AA9B43A695A8E7F454E93FA208B69995FF7A6D5617C2FEB8E546375A664977A48931842AAE796B5A0D64393DCA35F3490FC157F5BD83B9D58C2F7926E6AE648A2BD96CAB8FCCD3D35BB11424AD47D973FF6D69CA774841AEC45DFAE99CCF79893E7047FDE6CB00AA76D"); hextobin(t2, "0001FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF003021300906052B0E03021A05000414A94A8FE5CCB19BA61C4C0873D391E987982FBBD3"); - memcpy(t3, t1, sizeof t1); - if (!fpub(t3, sizeof t3, &RSA_PK)) { - fprintf(stderr, "RSA public operation failed\n"); + memcpy(t3, t1, len); + if (!fpub(t3, len, &RSA_PK)) { + fprintf(stderr, "RSA public operation failed (1)\n"); exit(EXIT_FAILURE); } - check_equals("KAT RSA pub", t2, t3, sizeof t2); + check_equals("KAT RSA pub", t2, t3, len); if (!fpriv(t3, &RSA_SK)) { - fprintf(stderr, "RSA private operation failed\n"); + fprintf(stderr, "RSA private operation failed (1)\n"); + exit(EXIT_FAILURE); + } + check_equals("KAT RSA priv (1)", t1, t3, len); + + /* + * Another KAT test, with a (fake) hash value slightly different + * (last byte is 0xD9 instead of 0xD3). + */ + len = hextobin(t1, "32C2DB8B2C73BBCA9960CB3F11FEDEE7B699359EF2EEC3A632E56B7FF3DE2F371E5179BAB03F17E0BB20D2891ACAB679F95DA9B43A01DAAD192FADD25D8ACCF1498EC80F5BBCAC88EA59D60E3BC9D3CE27743981DE42385FFFFF04DD2D716E1A46C04A28ECAF6CD200DAB81083A830D61538D69BB39A183107BD50302AA6BC28"); + hextobin(t2, "0001FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF003021300906052B0E03021A05000414A94A8FE5CCB19BA61C4C0873D391E987982FBBD9"); + memcpy(t3, t1, len); + if (!fpub(t3, len, &RSA_PK)) { + fprintf(stderr, "RSA public operation failed (2)\n"); + exit(EXIT_FAILURE); + } + check_equals("KAT RSA pub", t2, t3, len); + if (!fpriv(t3, &RSA_SK)) { + fprintf(stderr, "RSA private operation failed (2)\n"); + exit(EXIT_FAILURE); + } + check_equals("KAT RSA priv (2)", t1, t3, len); + + /* + * Third KAT vector is invalid, because the encrypted value is + * out of range: instead of x, value is x+n (where n is the + * modulus). Mathematically, this still works, but implementations + * are supposed to reject such cases. + */ + len = hextobin(t1, "F27781B9B3B358583A24F9BA6B34EE98B67A5AE8D8D4FA567BA773EB6B85EF88848680640A1E2F5FD117876E5FB928B64C6EFC7E03632A3F4C941E15657C0C705F3BB8D0B03A0249143674DB1FE6E5406D690BF2DA76EA7FF3AC6FCE12C7801252FAD52D332BE4AB41F9F8CF1728CDF98AB8E8C20E0C350E4F707A6402C01E0B"); + hextobin(t2, "BFB6A62E873F9C8DA0C42E7B59360FB0FFE12549E5E636B048C2086B77A7C051663506A959DF177F15F6B4E544EE723C531152C9C9614F923364704307F13F7F15ACF0C1547D55C029DC9ECCE41D117245F4D270FC34B21FF3AD6AEFE58633281540902F547F79F3461F44D33CCB2D094231ADCC76BE25511B4513BB70491DBC"); + memcpy(t3, t1, len); + if (fpub(t3, len, &RSA_PK)) { + size_t u; + fprintf(stderr, "RSA public operation should have failed" + " (value out of range)\n"); + fprintf(stderr, "x = "); + for (u = 0; u < len; u ++) { + fprintf(stderr, "%02X", t3[u]); + } + fprintf(stderr, "\n"); + exit(EXIT_FAILURE); + } + memcpy(t3, t2, len); + if (fpriv(t3, &RSA_SK)) { + size_t u; + fprintf(stderr, "RSA private operation should have failed" + " (value out of range)\n"); + fprintf(stderr, "x = "); + for (u = 0; u < len; u ++) { + fprintf(stderr, "%02X", t3[u]); + } + fprintf(stderr, "\n"); + exit(EXIT_FAILURE); + } + + /* + * RSA-2048 test vector. + */ + len = hextobin(t1, "B188ED4EF173A30AED3889926E3CF1CE03FE3BAA7AB122B119A8CD529062F235A7B321008FB898894A624B3E6C8C5374950E78FAC86651345FE2ABA0791968284F23B0D794F8DCDDA924518854822CB7FF2AA9F205AACD909BB5EA541534CC00DBC2EF7727B9FE1BAFE6241B931E8BD01E13632E5AF9E94F4A335772B61F24D6F6AA642AEABB173E36F546CB02B19A1E5D4E27E3EB67F2E986E9F084D4BD266543800B1DC96088A05DFA9AFA595398E9A766D41DD8DA4F74F36C9D74867F0BF7BFA8622EE43C79DA0CEAC14B5D39DE074BDB89D84145BC19D8B2D0EA74DBF2DC29E907BF7C7506A2603CD8BC25EFE955D0125EDB2685EF158B020C9FC539242A"); + hextobin(t2, "0001FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF003031300D060960864801650304020105000420A5A0A792A09438811584A68E240C6C89F1FB1C53C0C86E270B942635F4F6B24A"); + memcpy(t3, t1, len); + if (!fpub(t3, len, &RSA2048_PK)) { + fprintf(stderr, "RSA public operation failed (2048)\n"); + exit(EXIT_FAILURE); + } + check_equals("KAT RSA pub", t2, t3, len); + if (!fpriv(t3, &RSA2048_SK)) { + fprintf(stderr, "RSA private operation failed (2048)\n"); + exit(EXIT_FAILURE); + } + check_equals("KAT RSA priv (2048)", t1, t3, len); + + /* + * RSA-4096 test vector. + */ + len = hextobin(t1, "7D35B6B4D85252D08A2658C0B04126CC617B0E56B2A782A5FA2722AD05BD49538111682C12DA2C5FA1B9C30FB1AB8DA2C6A49EB4226A4D32290CF091FBB22EC499C7B18192C230B29F957DAF551F1EAD1917BA9E03D757100BD1F96B829708A6188A3927436113BB21E175D436BBB7A90E20162203FFB8F675313DFB21EFDA3EA0C7CC9B605AE7FB47E2DD2A9C4D5F124D7DE1B690AF9ADFEDC6055E0F9D2C9A891FB2501F3055D6DA7E94D51672BA1E86AEB782E4B020F70E0DF5399262909FC5B4770B987F2826EF2099A15F3CD5A0D6FE82E0C85FBA2C53C77305F534A7B0C7EA0D5244E37F1C1318EEF7079995F0642E4AB80EB0ED60DB4955FB652ED372DAC787581054A827C37A25C7B4DE7AE7EF3D099D47D6682ADF02BCC4DE04DDF2920F7124CF5B4955705E4BDB97A0BF341B584797878B4D3795134A9469FB391E4E4988F0AA451027CBC2ED6121FC23B26BF593E3C51DEDD53B62E23050D5B41CA34204679916A87AF1B17873A0867924D0C303942ADA478B769487FCEF861D4B20DCEE6942CCB84184833CDB258167258631C796BC1977D001354E2EE168ABE3B45FC969EA7F22B8E133C57A10FBB25ED19694E89C399CF7723B3C0DF0CC9F57A8ED0959EFC392FB31B8ADAEA969E2DEE8282CB245E5677368F00CCE4BA52C07C16BE7F9889D57191D5B2FE552D72B3415C64C09EE622457766EC809344A1EFE"); + hextobin(t2, "0001FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF003031300D0609608648016503040201050004205B60DD5AD5B3C62E0DA25FD0D8CB26325E1CE32CC9ED234B288235BCCF6ED2C8"); + memcpy(t3, t1, len); + if (!fpub(t3, len, &RSA4096_PK)) { + fprintf(stderr, "RSA public operation failed (4096)\n"); + exit(EXIT_FAILURE); + } + check_equals("KAT RSA pub", t2, t3, len); + if (!fpriv(t3, &RSA4096_SK)) { + fprintf(stderr, "RSA private operation failed (4096)\n"); exit(EXIT_FAILURE); } - check_equals("KAT RSA priv", t1, t3, sizeof t1); + check_equals("KAT RSA priv (4096)", t1, t3, len); printf("done.\n"); fflush(stdout);