1/* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22/* 23 * Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved. 24 */ 25 26#include <sys/types.h> 27#include <sys/sha1.h> 28#define _SHA2_IMPL 29#include <sys/sha2.h> 30 31#ifdef _KERNEL 32 33#include <sys/param.h> 34#include <sys/kmem.h> 35 36#else 37 38#include <strings.h> 39#include <cryptoutil.h> 40#include "softMAC.h" 41 42#include <security/cryptoki.h> 43#include <sys/crypto/common.h> 44 45#endif 46 47#include <padding/padding.h> 48#include <sha2/sha2_impl.h> 49#define _RSA_FIPS_POST 50#include <rsa/rsa_impl.h> 51 52int 53fips_rsa_encrypt(RSAPrivateKey_t *key, uint8_t *in, int in_len, uint8_t *out) 54{ 55 return (rsa_encrypt(&(key->bkey), in, in_len, out)); 56} 57 58int 59fips_rsa_decrypt(RSAPrivateKey_t *key, uint8_t *in, int in_len, 60 uint8_t *out) 61{ 62 return (rsa_decrypt(&(key->bkey), in, in_len, out)); 63} 64 65static CK_RV 66#ifdef _KERNEL 67fips_rsa_sign_verify_test(sha2_mech_t mechanism, 68#else 69fips_rsa_sign_verify_test(CK_MECHANISM_TYPE mechanism, 70#endif 71 RSAPrivateKey_t *rsa_private_key, 72 unsigned char *rsa_known_msg, 73 unsigned int rsa_msg_length, 74 unsigned char *rsa_computed_signature, 75 unsigned char *der_data, int sign) 76 77{ 78 unsigned char hash[SHA512_DIGEST_LENGTH]; /* SHA digest */ 79 SHA1_CTX *sha1_context = NULL; 80 SHA2_CTX *sha2_context = NULL; 81 int hash_len; 82 CK_RV rv; 83 CK_ULONG der_len; 84 CK_BYTE *der_prefix; 85 CK_ULONG der_data_len; 86 CK_BYTE plain_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 87 uint32_t modulus_len; 88 89 switch (mechanism) { 90#ifdef _KERNEL 91 case SHA1_TYPE: 92#else 93 case CKM_SHA_1: 94#endif 95 { 96 97#ifdef _KERNEL 98 if ((sha1_context = kmem_zalloc(sizeof (SHA1_CTX), 99 KM_SLEEP)) == NULL) 100#else 101 if ((sha1_context = malloc(sizeof (SHA1_CTX))) == NULL) 102#endif 103 return (CKR_HOST_MEMORY); 104 105 SHA1Init(sha1_context); 106 107#ifdef __sparcv9 108 SHA1Update(sha1_context, rsa_known_msg, 109 (uint_t)rsa_msg_length); 110#else /* !__sparcv9 */ 111 SHA1Update(sha1_context, rsa_known_msg, rsa_msg_length); 112#endif /* __sparcv9 */ 113 SHA1Final(hash, sha1_context); 114 115 hash_len = SHA1_DIGEST_LENGTH; 116 117 /* 118 * Prepare the DER encoding of the DigestInfo value 119 * by setting it to: 120 * <MECH>_DER_PREFIX || H 121 */ 122 der_len = SHA1_DER_PREFIX_Len; 123 der_prefix = (CK_BYTE *)SHA1_DER_PREFIX; 124 (void) memcpy(der_data, der_prefix, der_len); 125 (void) memcpy(der_data + der_len, hash, hash_len); 126 der_data_len = der_len + hash_len; 127#ifdef _KERNEL 128 kmem_free(sha1_context, sizeof (SHA1_CTX)); 129#else 130 free(sha1_context); 131#endif 132 break; 133 } 134 135#ifdef _KERNEL 136 case SHA256_TYPE: 137#else 138 case CKM_SHA256: 139#endif 140 { 141 142 sha2_context = fips_sha2_build_context(mechanism); 143 if (sha2_context == NULL) 144 return (CKR_HOST_MEMORY); 145 146 rv = fips_sha2_hash(sha2_context, rsa_known_msg, 147 rsa_msg_length, hash); 148 hash_len = SHA256_DIGEST_LENGTH; 149 150 /* 151 * Prepare the DER encoding of the DigestInfo value 152 * by setting it to: 153 * <MECH>_DER_PREFIX || H 154 */ 155 (void) memcpy(der_data, SHA256_DER_PREFIX, 156 SHA2_DER_PREFIX_Len); 157 (void) memcpy(der_data + SHA2_DER_PREFIX_Len, hash, hash_len); 158 der_data_len = SHA2_DER_PREFIX_Len + hash_len; 159 break; 160 } 161#ifdef _KERNEL 162 case SHA384_TYPE: 163#else 164 case CKM_SHA384: 165#endif 166 { 167 168 sha2_context = fips_sha2_build_context(mechanism); 169 if (sha2_context == NULL) 170 return (CKR_HOST_MEMORY); 171 172 rv = fips_sha2_hash(sha2_context, rsa_known_msg, 173 rsa_msg_length, hash); 174 hash_len = SHA384_DIGEST_LENGTH; 175 176 /* 177 * Prepare the DER encoding of the DigestInfo value 178 * by setting it to: 179 * <MECH>_DER_PREFIX || H 180 */ 181 (void) memcpy(der_data, SHA384_DER_PREFIX, 182 SHA2_DER_PREFIX_Len); 183 (void) memcpy(der_data + SHA2_DER_PREFIX_Len, hash, hash_len); 184 der_data_len = SHA2_DER_PREFIX_Len + hash_len; 185 break; 186 } 187#ifdef _KERNEL 188 case SHA512_TYPE: 189#else 190 case CKM_SHA512: 191#endif 192 { 193 194 sha2_context = fips_sha2_build_context(mechanism); 195 if (sha2_context == NULL) 196 return (CKR_HOST_MEMORY); 197 198 rv = fips_sha2_hash(sha2_context, rsa_known_msg, 199 rsa_msg_length, hash); 200 hash_len = SHA512_DIGEST_LENGTH; 201 202 /* 203 * Prepare the DER encoding of the DigestInfo value 204 * by setting it to: 205 * <MECH>_DER_PREFIX || H 206 */ 207 (void) memcpy(der_data, SHA512_DER_PREFIX, 208 SHA2_DER_PREFIX_Len); 209 (void) memcpy(der_data + SHA2_DER_PREFIX_Len, hash, hash_len); 210 der_data_len = SHA2_DER_PREFIX_Len + hash_len; 211 break; 212 } 213 } 214 215 modulus_len = CRYPTO_BITS2BYTES(rsa_private_key->bkey.modulus_bits); 216 217 if (sign) { 218 rv = pkcs1_encode(PKCS1_SIGN, der_data, der_data_len, 219 plain_data, modulus_len); 220 221 if (rv != CKR_OK) { 222 return (CKR_DEVICE_ERROR); 223 } 224 225 /* Sign operation uses decryption with private key */ 226 rv = fips_rsa_decrypt(rsa_private_key, plain_data, modulus_len, 227 rsa_computed_signature); 228 229 if (rv != CKR_OK) { 230 return (CKR_DEVICE_ERROR); 231 } 232 } else { 233 /* 234 * Perform RSA decryption with the signer's RSA public key 235 * for verification process. 236 */ 237 rv = fips_rsa_encrypt(rsa_private_key, rsa_computed_signature, 238 modulus_len, plain_data); 239 240 if (rv == CKR_OK) { 241 242 /* 243 * Strip off the encoded padding bytes in front of the 244 * recovered data, then compare the recovered data with 245 * the original data. 246 */ 247 size_t data_len = modulus_len; 248 249 rv = pkcs1_decode(PKCS1_VERIFY, plain_data, &data_len); 250 if (rv != CKR_OK) { 251 return (CKR_DEVICE_ERROR); 252 } 253 254 if ((CK_ULONG)data_len != der_data_len) { 255 return (CKR_SIGNATURE_LEN_RANGE); 256 } else if (memcmp(der_data, 257 &plain_data[modulus_len - data_len], 258 data_len) != 0) { 259 return (CKR_SIGNATURE_INVALID); 260 } 261 } else { 262 263 return (CKR_DEVICE_ERROR); 264 } 265 } 266 return (CKR_OK); 267} 268 269 270/* 271 * RSA Power-On SelfTest(s). 272 */ 273int 274fips_rsa_post(void) 275{ 276 /* 277 * RSA Known Modulus used in both Public/Private Key Values (1024-bits). 278 */ 279 static uint8_t rsa_modulus[FIPS_RSA_MODULUS_LENGTH] = { 280 0xd5, 0x84, 0x95, 0x07, 0xf4, 0xd0, 0x1f, 0x82, 281 0xf3, 0x79, 0xf4, 0x99, 0x48, 0x10, 0xe1, 0x71, 282 0xa5, 0x62, 0x22, 0xa3, 0x4b, 0x00, 0xe3, 0x5b, 283 0x3a, 0xcc, 0x10, 0x83, 0xe0, 0xaf, 0x61, 0x13, 284 0x54, 0x6a, 0xa2, 0x6a, 0x2c, 0x5e, 0xb3, 0xcc, 285 0xa3, 0x71, 0x9a, 0xb2, 0x3e, 0x78, 0xec, 0xb5, 286 0x0e, 0x6e, 0x31, 0x3b, 0x77, 0x1f, 0x6e, 0x94, 287 0x41, 0x60, 0xd5, 0x6e, 0xd9, 0xc6, 0xf9, 0x29, 288 0xc3, 0x40, 0x36, 0x25, 0xdb, 0xea, 0x0b, 0x07, 289 0xae, 0x76, 0xfd, 0x99, 0x29, 0xf4, 0x22, 0xc1, 290 0x1a, 0x8f, 0x05, 0xfe, 0x98, 0x09, 0x07, 0x05, 291 0xc2, 0x0f, 0x0b, 0x11, 0x83, 0x39, 0xca, 0xc7, 292 0x43, 0x63, 0xff, 0x33, 0x80, 0xe7, 0xc3, 0x78, 293 0xae, 0xf1, 0x73, 0x52, 0x98, 0x1d, 0xde, 0x5c, 294 0x53, 0x6e, 0x01, 0x73, 0x0d, 0x12, 0x7e, 0x77, 295 0x03, 0xf1, 0xef, 0x1b, 0xc8, 0xa8, 0x0f, 0x97 296 }; 297 298 /* RSA Known Public Key Values (24-bits). */ 299 static uint8_t rsa_public_exponent[FIPS_RSA_PUBLIC_EXPONENT_LENGTH] = { 300 0x01, 0x00, 0x01 301 }; 302 303 /* 304 * RSA Known Private Key Values (version is 8-bits), 305 * (private exponent is 1024-bits), 306 * (private prime0 is 512-bits), 307 * (private prime1 is 512-bits), 308 * (private prime exponent0 is 512-bits), 309 * (private prime exponent1 is 512-bits), 310 * and (private coefficient is 512-bits). 311 */ 312 static uint8_t rsa_version[] = { 0x00 }; 313 314 static uint8_t rsa_private_exponent[FIPS_RSA_PRIVATE_EXPONENT_LENGTH] 315 = { 316 0x85, 0x27, 0x47, 0x61, 0x4c, 0xd4, 0xb5, 0xb2, 317 0x0e, 0x70, 0x91, 0x8f, 0x3d, 0x97, 0xf9, 0x5f, 318 0xcc, 0x09, 0x65, 0x1c, 0x7c, 0x5b, 0xb3, 0x6d, 319 0x63, 0x3f, 0x7b, 0x55, 0x22, 0xbb, 0x7c, 0x48, 320 0x77, 0xae, 0x80, 0x56, 0xc2, 0x10, 0xd5, 0x03, 321 0xdb, 0x31, 0xaf, 0x8d, 0x54, 0xd4, 0x48, 0x99, 322 0xa8, 0xc4, 0x23, 0x43, 0xb8, 0x48, 0x0b, 0xc7, 323 0xbc, 0xf5, 0xcc, 0x64, 0x72, 0xbf, 0x59, 0x06, 324 0x04, 0x1c, 0x32, 0xf5, 0x14, 0x2e, 0x6e, 0xe2, 325 0x0f, 0x5c, 0xde, 0x36, 0x3c, 0x6e, 0x7c, 0x4d, 326 0xcc, 0xd3, 0x00, 0x6e, 0xe5, 0x45, 0x46, 0xef, 327 0x4d, 0x25, 0x46, 0x6d, 0x7f, 0xed, 0xbb, 0x4f, 328 0x4d, 0x9f, 0xda, 0x87, 0x47, 0x8f, 0x74, 0x44, 329 0xb7, 0xbe, 0x9d, 0xf5, 0xdd, 0xd2, 0x4c, 0xa5, 330 0xab, 0x74, 0xe5, 0x29, 0xa1, 0xd2, 0x45, 0x3b, 331 0x33, 0xde, 0xd5, 0xae, 0xf7, 0x03, 0x10, 0x21 332 }; 333 334 static uint8_t rsa_prime0[FIPS_RSA_PRIME0_LENGTH] = { 335 0xf9, 0x74, 0x8f, 0x16, 0x02, 0x6b, 0xa0, 0xee, 336 0x7f, 0x28, 0x97, 0x91, 0xdc, 0xec, 0xc0, 0x7c, 337 0x49, 0xc2, 0x85, 0x76, 0xee, 0x66, 0x74, 0x2d, 338 0x1a, 0xb8, 0xf7, 0x2f, 0x11, 0x5b, 0x36, 0xd8, 339 0x46, 0x33, 0x3b, 0xd8, 0xf3, 0x2d, 0xa1, 0x03, 340 0x83, 0x2b, 0xec, 0x35, 0x43, 0x32, 0xff, 0xdd, 341 0x81, 0x7c, 0xfd, 0x65, 0x13, 0x04, 0x7c, 0xfc, 342 0x03, 0x97, 0xf0, 0xd5, 0x62, 0xdc, 0x0d, 0xbf 343 }; 344 345 static uint8_t rsa_prime1[FIPS_RSA_PRIME1_LENGTH] = { 346 0xdb, 0x1e, 0xa7, 0x3d, 0xe7, 0xfa, 0x8b, 0x04, 347 0x83, 0x48, 0xf3, 0xa5, 0x31, 0x9d, 0x35, 0x5e, 348 0x4d, 0x54, 0x77, 0xcc, 0x84, 0x09, 0xf3, 0x11, 349 0x0d, 0x54, 0xed, 0x85, 0x39, 0xa9, 0xca, 0xa8, 350 0xea, 0xae, 0x19, 0x9c, 0x75, 0xdb, 0x88, 0xb8, 351 0x04, 0x8d, 0x54, 0xc6, 0xa4, 0x80, 0xf8, 0x93, 352 0xf0, 0xdb, 0x19, 0xef, 0xd7, 0x87, 0x8a, 0x8f, 353 0x5a, 0x09, 0x2e, 0x54, 0xf3, 0x45, 0x24, 0x29 354 }; 355 356 static uint8_t rsa_exponent0[FIPS_RSA_EXPONENT0_LENGTH] = { 357 0x6a, 0xd1, 0x25, 0x80, 0x18, 0x33, 0x3c, 0x2b, 358 0x44, 0x19, 0xfe, 0xa5, 0x40, 0x03, 0xc4, 0xfc, 359 0xb3, 0x9c, 0xef, 0x07, 0x99, 0x58, 0x17, 0xc1, 360 0x44, 0xa3, 0x15, 0x7d, 0x7b, 0x22, 0x22, 0xdf, 361 0x03, 0x58, 0x66, 0xf5, 0x24, 0x54, 0x52, 0x91, 362 0x2d, 0x76, 0xfe, 0x63, 0x64, 0x4e, 0x0f, 0x50, 363 0x2b, 0x65, 0x79, 0x1f, 0xf1, 0xbf, 0xc7, 0x41, 364 0x26, 0xcc, 0xc6, 0x1c, 0xa9, 0x83, 0x6f, 0x03 365 }; 366 367 static uint8_t rsa_exponent1[FIPS_RSA_EXPONENT1_LENGTH] = { 368 0x12, 0x84, 0x1a, 0x99, 0xce, 0x9a, 0x8b, 0x58, 369 0xcc, 0x47, 0x43, 0xdf, 0x77, 0xbb, 0xd3, 0x20, 370 0xae, 0xe4, 0x2e, 0x63, 0x67, 0xdc, 0xf7, 0x5f, 371 0x3f, 0x83, 0x27, 0xb7, 0x14, 0x52, 0x56, 0xbf, 372 0xc3, 0x65, 0x06, 0xe1, 0x03, 0xcc, 0x93, 0x57, 373 0x09, 0x7b, 0x6f, 0xe8, 0x81, 0x4a, 0x2c, 0xb7, 374 0x43, 0xa9, 0x20, 0x1d, 0xf6, 0x56, 0x8b, 0xcc, 375 0xe5, 0x4c, 0xd5, 0x4f, 0x74, 0x67, 0x29, 0x51 376 }; 377 378 static uint8_t rsa_coefficient[FIPS_RSA_COEFFICIENT_LENGTH] = { 379 0x23, 0xab, 0xf4, 0x03, 0x2f, 0x29, 0x95, 0x74, 380 0xac, 0x1a, 0x33, 0x96, 0x62, 0xed, 0xf7, 0xf6, 381 0xae, 0x07, 0x2a, 0x2e, 0xe8, 0xab, 0xfb, 0x1e, 382 0xb9, 0xb2, 0x88, 0x1e, 0x85, 0x05, 0x42, 0x64, 383 0x03, 0xb2, 0x8b, 0xc1, 0x81, 0x75, 0xd7, 0xba, 384 0xaa, 0xd4, 0x31, 0x3c, 0x8a, 0x96, 0x23, 0x9d, 385 0x3f, 0x06, 0x3e, 0x44, 0xa9, 0x62, 0x2f, 0x61, 386 0x5a, 0x51, 0x82, 0x2c, 0x04, 0x85, 0x73, 0xd1 387 }; 388 389 /* RSA Known Plaintext Message (1024-bits). */ 390 static uint8_t rsa_known_plaintext_msg[FIPS_RSA_MESSAGE_LENGTH] = { 391 "Known plaintext message utilized" 392 "for RSA Encryption & Decryption" 393 "block, SHA1, SHA256, SHA384 and" 394 "SHA512 RSA Signature KAT tests." 395 }; 396 397 /* RSA Known Ciphertext (1024-bits). */ 398 static uint8_t rsa_known_ciphertext[] = { 399 0x1e, 0x7e, 0x12, 0xbb, 0x15, 0x62, 0xd0, 0x23, 400 0x53, 0x4c, 0x51, 0x97, 0x77, 0x06, 0xa0, 0xbb, 401 0x26, 0x99, 0x9a, 0x8f, 0x39, 0xad, 0x88, 0x5c, 402 0xc4, 0xce, 0x33, 0x40, 0x94, 0x92, 0xb4, 0x0e, 403 0xab, 0x71, 0xa9, 0x5d, 0x9a, 0x37, 0xe3, 0x9a, 404 0x24, 0x95, 0x13, 0xea, 0x0f, 0xbb, 0xf7, 0xff, 405 0xdf, 0x31, 0x33, 0x23, 0x1d, 0xce, 0x26, 0x9e, 406 0xd1, 0xde, 0x98, 0x40, 0xde, 0x57, 0x86, 0x12, 407 0xf1, 0xe6, 0x5a, 0x3f, 0x08, 0x02, 0x81, 0x85, 408 0xe0, 0xd9, 0xad, 0x3c, 0x8c, 0x71, 0xf8, 0xcf, 409 0x0a, 0x98, 0xc5, 0x08, 0xdc, 0xc4, 0xca, 0x8c, 410 0x23, 0x1b, 0x4d, 0x9b, 0xb5, 0x13, 0x44, 0xe1, 411 0x5f, 0xf9, 0x30, 0x80, 0x25, 0xe0, 0x1e, 0x94, 412 0xa3, 0x0c, 0xdc, 0x82, 0x2e, 0xfb, 0x30, 0xbe, 413 0x89, 0xba, 0x76, 0xb6, 0x23, 0xf7, 0xda, 0x7c, 414 0xca, 0xe6, 0x02, 0xbd, 0x92, 0xce, 0x64, 0xfc 415 }; 416 417 /* RSA Known Signed Hash (1024-bits). */ 418 static uint8_t rsa_known_sha1_signature[] = { 419 0xd2, 0xa4, 0xe0, 0x2b, 0xc7, 0x03, 0x7f, 0xc6, 420 0x06, 0x9e, 0xa2, 0x82, 0x19, 0xe9, 0x2b, 0xaf, 421 0xe3, 0x48, 0x88, 0xc1, 0xf3, 0xb5, 0x0d, 0xe4, 422 0x52, 0x9e, 0xad, 0xd5, 0x58, 0xb5, 0x9f, 0xe8, 423 0x40, 0xe9, 0xb7, 0x2e, 0xc6, 0x71, 0x58, 0x56, 424 0x04, 0xac, 0xb0, 0xf3, 0x3a, 0x42, 0x38, 0x08, 425 0xc4, 0x43, 0x39, 0xba, 0x19, 0xce, 0xb1, 0x99, 426 0xf1, 0x8d, 0x89, 0xd8, 0x50, 0x07, 0x14, 0x3d, 427 0xcf, 0xd0, 0xb6, 0x79, 0xde, 0x9c, 0x89, 0x32, 428 0xb0, 0x73, 0x3f, 0xed, 0x03, 0x0b, 0xdf, 0x6d, 429 0x7e, 0xc9, 0x1c, 0x39, 0xe8, 0x2b, 0x16, 0x09, 430 0xbb, 0x5f, 0x99, 0x2f, 0xeb, 0xf3, 0x37, 0x73, 431 0x0d, 0x0e, 0xcc, 0x95, 0xad, 0x90, 0x80, 0x03, 432 0x1d, 0x80, 0x55, 0x37, 0xa1, 0x2a, 0x71, 0x76, 433 0x23, 0x87, 0x8c, 0x9b, 0x41, 0x07, 0xc6, 0x3d, 434 0xc6, 0xa3, 0x7d, 0x1b, 0xff, 0x4e, 0x11, 0x19 435 }; 436 437 /* RSA Known Signed Hash (1024-bits). */ 438 static uint8_t rsa_known_sha256_signature[] = { 439 0x27, 0x35, 0xdd, 0xc4, 0xf8, 0xe2, 0x0b, 0xa3, 440 0xef, 0x63, 0x57, 0x3b, 0xe1, 0x58, 0x9a, 0xbc, 441 0x20, 0x9c, 0x25, 0x12, 0x01, 0xbf, 0xbb, 0x29, 442 0x80, 0x1a, 0xb1, 0x37, 0x9c, 0xcd, 0x67, 0xc7, 443 0x0d, 0xf8, 0x64, 0x10, 0x9f, 0xe2, 0xa1, 0x9b, 444 0x21, 0x90, 0xcc, 0xda, 0x8b, 0x76, 0x5e, 0x79, 445 0x00, 0x9d, 0x58, 0x8b, 0x8a, 0xb3, 0xc3, 0xb5, 446 0xf1, 0x54, 0xc5, 0x8c, 0x72, 0xba, 0xde, 0x51, 447 0x3c, 0x6b, 0x94, 0xd6, 0xf3, 0x1b, 0xa2, 0x53, 448 0xe6, 0x1a, 0x46, 0x1d, 0x7f, 0x14, 0x86, 0xcc, 449 0xa6, 0x30, 0x92, 0x96, 0xc0, 0x96, 0x24, 0xf0, 450 0x42, 0x53, 0x4c, 0xdd, 0x27, 0xdf, 0x1d, 0x2e, 451 0x8b, 0x83, 0xbe, 0xed, 0x85, 0x1d, 0x50, 0x46, 452 0xa3, 0x7d, 0x20, 0xea, 0x3e, 0x91, 0xfb, 0xf6, 453 0x86, 0x51, 0xfd, 0x8c, 0xe5, 0x31, 0xe6, 0x7e, 454 0x60, 0x08, 0x0e, 0xec, 0xa6, 0xea, 0x24, 0x8d 455 }; 456 457 /* RSA Known Signed Hash (1024-bits). */ 458 static uint8_t rsa_known_sha384_signature[] = { 459 0x0b, 0x03, 0x94, 0x4f, 0x94, 0x78, 0x9b, 0x96, 460 0x76, 0xeb, 0x72, 0x58, 0xe1, 0xc5, 0xc7, 0x5f, 461 0x85, 0x01, 0xa8, 0xc4, 0xf6, 0x1a, 0xb5, 0x2c, 462 0xd1, 0xd8, 0x87, 0xde, 0x3a, 0x9c, 0x9f, 0x57, 463 0x81, 0x2a, 0x1e, 0x23, 0x07, 0x70, 0xb0, 0xf9, 464 0x28, 0x3d, 0xfa, 0xe5, 0x2e, 0x1b, 0x9a, 0x72, 465 0xc3, 0x74, 0xb3, 0x42, 0x1c, 0x9a, 0x13, 0xdc, 466 0xc9, 0xd6, 0xd5, 0x88, 0xc9, 0x9c, 0x46, 0xf1, 467 0x0c, 0xa6, 0xf7, 0xd8, 0x06, 0xa3, 0x1b, 0xdf, 468 0x55, 0xb3, 0x1b, 0x7b, 0x58, 0x1d, 0xff, 0x19, 469 0xc7, 0xe0, 0xdd, 0x59, 0xac, 0x2f, 0x78, 0x71, 470 0xe7, 0xe0, 0x17, 0xa3, 0x1c, 0x5c, 0x92, 0xef, 471 0xb6, 0x75, 0xed, 0xbe, 0x18, 0x39, 0x6b, 0xd7, 472 0xc9, 0x08, 0x62, 0x55, 0x62, 0xac, 0x5d, 0xa1, 473 0x9b, 0xd5, 0xb8, 0x98, 0x15, 0xc0, 0xf5, 0x41, 474 0x85, 0x44, 0x96, 0xca, 0x10, 0xdc, 0x57, 0x21 475 }; 476 477 /* RSA Known Signed Hash (1024-bits). */ 478 static uint8_t rsa_known_sha512_signature[] = { 479 0xa5, 0xd0, 0x80, 0x04, 0x22, 0xfc, 0x80, 0x73, 480 0x7d, 0x46, 0xc8, 0x7b, 0xac, 0x44, 0x7b, 0xe6, 481 0x07, 0xe5, 0x61, 0x4c, 0x33, 0x7f, 0x6f, 0x46, 482 0x7c, 0x30, 0xe3, 0x75, 0x59, 0x4b, 0x42, 0xf3, 483 0x9f, 0x35, 0x3c, 0x10, 0x56, 0xdb, 0xd2, 0x69, 484 0x43, 0xcb, 0x77, 0xe9, 0x7d, 0xcd, 0x07, 0x43, 485 0xc5, 0xd4, 0x0c, 0x9d, 0xf5, 0x92, 0xbd, 0x0e, 486 0x3b, 0xb7, 0x68, 0x88, 0x84, 0xca, 0xae, 0x0d, 487 0xab, 0x71, 0x10, 0xad, 0xab, 0x27, 0xe4, 0xa3, 488 0x24, 0x41, 0xeb, 0x1c, 0xa6, 0x5f, 0xf1, 0x85, 489 0xd0, 0xf6, 0x22, 0x74, 0x3d, 0x81, 0xbe, 0xdd, 490 0x1b, 0x2a, 0x4c, 0xd1, 0x6c, 0xb5, 0x6d, 0x7a, 491 0xbb, 0x99, 0x69, 0x01, 0xa6, 0xc0, 0x98, 0xfa, 492 0x97, 0xa3, 0xd1, 0xb0, 0xdf, 0x09, 0xe3, 0x3d, 493 0x88, 0xee, 0x90, 0xf3, 0x10, 0x41, 0x0f, 0x06, 494 0x31, 0xe9, 0x60, 0x2d, 0xbf, 0x63, 0x7b, 0xf8 495 }; 496 497 RSAPrivateKey_t rsa_private_key; 498 CK_RV rv; 499 uint8_t rsa_computed_ciphertext[FIPS_RSA_ENCRYPT_LENGTH]; 500 uint8_t rsa_computed_plaintext[FIPS_RSA_DECRYPT_LENGTH]; 501 uint8_t rsa_computed_signature[FIPS_RSA_SIGNATURE_LENGTH]; 502 CK_BYTE der_data[SHA512_DIGEST_LENGTH + SHA2_DER_PREFIX_Len]; 503 504 /* 505 * RSA Known Answer Encryption Test. 506 */ 507 rsa_private_key.bkey.modulus = rsa_modulus; 508 rsa_private_key.bkey.modulus_bits = 509 CRYPTO_BYTES2BITS(FIPS_RSA_MODULUS_LENGTH); 510 rsa_private_key.bkey.pubexpo = rsa_public_exponent; 511 rsa_private_key.bkey.pubexpo_bytes = FIPS_RSA_PUBLIC_EXPONENT_LENGTH; 512 rsa_private_key.bkey.rfunc = NULL; 513 514 /* Perform RSA Public Key Encryption. */ 515 rv = fips_rsa_encrypt(&rsa_private_key, 516 rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH, 517 rsa_computed_ciphertext); 518 519 if ((rv != CKR_OK) || 520 (memcmp(rsa_computed_ciphertext, rsa_known_ciphertext, 521 FIPS_RSA_ENCRYPT_LENGTH) != 0)) 522 return (CKR_DEVICE_ERROR); 523 524 /* 525 * RSA Known Answer Decryption Test. 526 */ 527 rsa_private_key.version = rsa_version; 528 rsa_private_key.version_len = FIPS_RSA_PRIVATE_VERSION_LENGTH; 529 rsa_private_key.bkey.modulus = rsa_modulus; 530 rsa_private_key.bkey.modulus_bits = 531 CRYPTO_BYTES2BITS(FIPS_RSA_MODULUS_LENGTH); 532 rsa_private_key.bkey.pubexpo = rsa_public_exponent; 533 rsa_private_key.bkey.pubexpo_bytes = FIPS_RSA_PUBLIC_EXPONENT_LENGTH; 534 rsa_private_key.bkey.privexpo = rsa_private_exponent; 535 rsa_private_key.bkey.privexpo_bytes = FIPS_RSA_PRIVATE_EXPONENT_LENGTH; 536 rsa_private_key.bkey.prime1 = rsa_prime0; 537 rsa_private_key.bkey.prime1_bytes = FIPS_RSA_PRIME0_LENGTH; 538 rsa_private_key.bkey.prime2 = rsa_prime1; 539 rsa_private_key.bkey.prime2_bytes = FIPS_RSA_PRIME1_LENGTH; 540 rsa_private_key.bkey.expo1 = rsa_exponent0; 541 rsa_private_key.bkey.expo1_bytes = FIPS_RSA_EXPONENT0_LENGTH; 542 rsa_private_key.bkey.expo2 = rsa_exponent1; 543 rsa_private_key.bkey.expo2_bytes = FIPS_RSA_EXPONENT1_LENGTH; 544 rsa_private_key.bkey.coeff = rsa_coefficient; 545 rsa_private_key.bkey.coeff_bytes = FIPS_RSA_COEFFICIENT_LENGTH; 546 547 /* Perform RSA Private Key Decryption. */ 548 rv = fips_rsa_decrypt(&rsa_private_key, rsa_known_ciphertext, 549 FIPS_RSA_MESSAGE_LENGTH, rsa_computed_plaintext); 550 551 if ((rv != CKR_OK) || 552 (memcmp(rsa_computed_plaintext, rsa_known_plaintext_msg, 553 FIPS_RSA_DECRYPT_LENGTH) != 0)) 554 return (CKR_DEVICE_ERROR); 555 556 /* SHA-1 Sign/Verify */ 557#ifdef _KERNEL 558 rv = fips_rsa_sign_verify_test(SHA1_TYPE, &rsa_private_key, 559 rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH, 560 rsa_computed_signature, der_data, 1); 561#else 562 rv = fips_rsa_sign_verify_test(CKM_SHA_1, &rsa_private_key, 563 rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH, 564 rsa_computed_signature, der_data, 1); 565#endif 566 567 if ((rv != CKR_OK) || 568 (memcmp(rsa_computed_signature, rsa_known_sha1_signature, 569 FIPS_RSA_SIGNATURE_LENGTH) != 0)) 570 return (CKR_DEVICE_ERROR); 571 572#ifdef _KERNEL 573 rv = fips_rsa_sign_verify_test(SHA1_TYPE, &rsa_private_key, 574 rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH, 575 rsa_computed_signature, der_data, 0); 576#else 577 rv = fips_rsa_sign_verify_test(CKM_SHA_1, &rsa_private_key, 578 rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH, 579 rsa_computed_signature, der_data, 0); 580#endif 581 582 if (rv != CKR_OK) 583 goto rsa_loser; 584 585 /* SHA256 Sign/Verify */ 586#ifdef _KERNEL 587 rv = fips_rsa_sign_verify_test(SHA256_TYPE, &rsa_private_key, 588 rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH, 589 rsa_computed_signature, der_data, 1); 590#else 591 rv = fips_rsa_sign_verify_test(CKM_SHA256, &rsa_private_key, 592 rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH, 593 rsa_computed_signature, der_data, 1); 594#endif 595 596 if ((rv != CKR_OK) || 597 (memcmp(rsa_computed_signature, rsa_known_sha256_signature, 598 FIPS_RSA_SIGNATURE_LENGTH) != 0)) 599 return (CKR_DEVICE_ERROR); 600 601#ifdef _KERNEL 602 rv = fips_rsa_sign_verify_test(SHA256_TYPE, &rsa_private_key, 603 rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH, 604 rsa_computed_signature, der_data, 0); 605#else 606 rv = fips_rsa_sign_verify_test(CKM_SHA256, &rsa_private_key, 607 rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH, 608 rsa_computed_signature, der_data, 0); 609#endif 610 611 if (rv != CKR_OK) 612 goto rsa_loser; 613 614 /* SHA384 Sign/Verify */ 615#ifdef _KERNEL 616 rv = fips_rsa_sign_verify_test(SHA384_TYPE, &rsa_private_key, 617 rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH, 618 rsa_computed_signature, der_data, 1); 619#else 620 rv = fips_rsa_sign_verify_test(CKM_SHA384, &rsa_private_key, 621 rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH, 622 rsa_computed_signature, der_data, 1); 623#endif 624 625 if ((rv != CKR_OK) || 626 (memcmp(rsa_computed_signature, rsa_known_sha384_signature, 627 FIPS_RSA_SIGNATURE_LENGTH) != 0)) 628 return (CKR_DEVICE_ERROR); 629 630#ifdef _KERNEL 631 rv = fips_rsa_sign_verify_test(SHA384_TYPE, &rsa_private_key, 632 rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH, 633 rsa_computed_signature, der_data, 0); 634#else 635 rv = fips_rsa_sign_verify_test(CKM_SHA384, &rsa_private_key, 636 rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH, 637 rsa_computed_signature, der_data, 0); 638#endif 639 640 if (rv != CKR_OK) 641 goto rsa_loser; 642 643 /* SHA512 Sign/Verify */ 644#ifdef _KERNEL 645 rv = fips_rsa_sign_verify_test(SHA512_TYPE, &rsa_private_key, 646 rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH, 647 rsa_computed_signature, der_data, 1); 648#else 649 rv = fips_rsa_sign_verify_test(CKM_SHA512, &rsa_private_key, 650 rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH, 651 rsa_computed_signature, der_data, 1); 652#endif 653 654 if ((rv != CKR_OK) || 655 (memcmp(rsa_computed_signature, rsa_known_sha512_signature, 656 FIPS_RSA_SIGNATURE_LENGTH) != 0)) 657 return (CKR_DEVICE_ERROR); 658 659#ifdef _KERNEL 660 rv = fips_rsa_sign_verify_test(SHA512_TYPE, &rsa_private_key, 661 rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH, 662 rsa_computed_signature, der_data, 0); 663#else 664 rv = fips_rsa_sign_verify_test(CKM_SHA512, &rsa_private_key, 665 rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH, 666 rsa_computed_signature, der_data, 0); 667#endif 668 669rsa_loser: 670 if (rv != CKR_OK) 671 return (CKR_DEVICE_ERROR); 672 else 673 return (CKR_OK); 674 675} 676