Add tests for RSA objects with only n and d.

Conscrypt, thanks to Java's RSAPrivateKeySpec API, must be able to use RSA keys with only modulus and exponent. This is kind of silly and breaks the blinding code so they, both in OpenSSL and BoringSSL, had to explicitly turn blinding off. Add a test for this as we're otherwise sure to break it on accident. We may wish to avoid the silly rsa->flags modification, I'm not sure. For now, keep the requirement in so other consumers do not accidentally rely on this. (Also add a few missing ERR_clear_error calls. Functions which are expected to fail should be followed by an ERR_clear_error so later unexpected failures don't get confused.) BUG=boringssl:12 Change-Id: I674349821f1f59292b8edd085f21dc37e8bcaa75 Reviewed-on: https://boringssl-review.googlesource.com/7560 Reviewed-by: David Benjamin <davidben@google.com>
author: David Benjamin <davidben@google.com> 2016-03-25 16:18:19 -0400
committer: David Benjamin <davidben@google.com> 2016-03-25 20:52:17 +0000
commit: db50299b247bb7eab4df8c8fdd82fc727e8f67c8 (patch)
tree: 3d842f940f9dd9f075f4332b9e8cb2525e503d5e /crypto
parent: cbf56a5683ddda831ff91c46ea48d1fba545db66 (diff)
download: boringssl-db50299b247bb7eab4df8c8fdd82fc727e8f67c8.zip
boringssl-db50299b247bb7eab4df8c8fdd82fc727e8f67c8.tar.gz
boringssl-db50299b247bb7eab4df8c8fdd82fc727e8f67c8.tar.bz2
1 files changed, 48 insertions, 12 deletions
diff --git a/crypto/rsa/rsa_test.cc b/crypto/rsa/rsa_test.cc
index 5545161..593a3ee 100644
--- a/crypto/rsa/rsa_test.cc
+++ b/crypto/rsa/rsa_test.cc
@@ -593,6 +593,7 @@ static bool TestRSA(const uint8_t *der, size_t der_len,
       fprintf(stderr, "Corrupt data decrypted!\n");
       return false;
     }
+    ERR_clear_error();
     ciphertext[i] ^= 1;
   }
 
@@ -603,6 +604,7 @@ static bool TestRSA(const uint8_t *der, size_t der_len,
       fprintf(stderr, "Corrupt data decrypted!\n");
       return false;
     }
+    ERR_clear_error();
   }
 
   return true;
@@ -693,25 +695,27 @@ static bool TestBadKey() {
 }
 
 static bool TestOnlyDGiven() {
+  static const char kN[] =
+      "00e77bbf3889d4ef36a9a25d4d69f3f632eb4362214c74517da6d6aeaa9bd09ac42b2662"
+      "1cd88f3a6eb013772fc3bf9f83914b6467231c630202c35b3e5808c659";
+  static const char kE[] = "010001";
+  static const char kD[] =
+      "0365db9eb6d73b53b015c40cd8db4de7dd7035c68b5ac1bf786d7a4ee2cea316eaeca21a"
+      "73ac365e58713195f2ae9849348525ca855386b6d028e437a9495a01";
+
   uint8_t buf[64];
   unsigned buf_len = sizeof(buf);
   ScopedRSA key(RSA_new());
   if (!key ||
-      !BN_hex2bn(&key->n,
-                 "00e77bbf3889d4ef36a9a25d4d69f3f632eb4362214c74517da6d6aeaa9bd"
-                 "09ac42b26621cd88f3a6eb013772fc3bf9f83914b6467231c630202c35b3e"
-                 "5808c659") ||
-      !BN_hex2bn(&key->e, "010001") ||
-      !BN_hex2bn(&key->d,
-                 "0365db9eb6d73b53b015c40cd8db4de7dd7035c68b5ac1bf786d7a4ee2cea"
-                 "316eaeca21a73ac365e58713195f2ae9849348525ca855386b6d028e437a9"
-                 "495a01") ||
+      !BN_hex2bn(&key->n, kN) ||
+      !BN_hex2bn(&key->e, kE) ||
+      !BN_hex2bn(&key->d, kD) ||
       RSA_size(key.get()) > sizeof(buf)) {
     return false;
   }
 
   if (!RSA_check_key(key.get())) {
-    fprintf(stderr, "RSA_check_key failed with only d given.\n");
+    fprintf(stderr, "RSA_check_key failed with only n, d, and e given.\n");
     ERR_print_errors_fp(stderr);
     return false;
   }
@@ -720,14 +724,46 @@ static bool TestOnlyDGiven() {
 
   if (!RSA_sign(NID_sha256, kDummyHash, sizeof(kDummyHash), buf, &buf_len,
                 key.get())) {
-    fprintf(stderr, "RSA_sign failed with only d given.\n");
+    fprintf(stderr, "RSA_sign failed with only n, d, and e given.\n");
+    ERR_print_errors_fp(stderr);
+    return false;
+  }
+
+  if (!RSA_verify(NID_sha256, kDummyHash, sizeof(kDummyHash), buf, buf_len,
+                  key.get())) {
+    fprintf(stderr, "RSA_verify failed with only n, d, and e given.\n");
+    ERR_print_errors_fp(stderr);
+    return false;
+  }
+
+  // Keys without the private exponent must continue to work when blinding is
+  // disabled to support Java's RSAPrivateKeySpec API. See
+  // https://bugs.chromium.org/p/boringssl/issues/detail?id=12.
+  ScopedRSA key2(RSA_new());
+  if (!key2 ||
+      !BN_hex2bn(&key2->n, kN) ||
+      !BN_hex2bn(&key2->d, kD)) {
+    return false;
+  }
+  key2->flags |= RSA_FLAG_NO_BLINDING;
+
+  if (RSA_size(key2.get()) > sizeof(buf)) {
+    return false;
+  }
+
+  if (!RSA_sign(NID_sha256, kDummyHash, sizeof(kDummyHash), buf, &buf_len,
+                key2.get())) {
+    fprintf(stderr, "RSA_sign failed with only n and d given.\n");
     ERR_print_errors_fp(stderr);
     return false;
   }
 
+  // Verify the signature with |key|. |key2| has no public exponent.
   if (!RSA_verify(NID_sha256, kDummyHash, sizeof(kDummyHash), buf, buf_len,
                   key.get())) {
-    fprintf(stderr, "RSA_verify failed with only d given.\n");
+    fprintf(stderr,
+            "Could not verify signature produced from key with only n and d "
+            "given.\n");
     ERR_print_errors_fp(stderr);
     return false;
   }
author	David Benjamin <davidben@google.com>	2016-03-25 16:18:19 -0400
committer	David Benjamin <davidben@google.com>	2016-03-25 20:52:17 +0000
commit	db50299b247bb7eab4df8c8fdd82fc727e8f67c8 (patch)
tree	3d842f940f9dd9f075f4332b9e8cb2525e503d5e /crypto
parent	cbf56a5683ddda831ff91c46ea48d1fba545db66 (diff)
download	boringssl-db50299b247bb7eab4df8c8fdd82fc727e8f67c8.zip boringssl-db50299b247bb7eab4df8c8fdd82fc727e8f67c8.tar.gz boringssl-db50299b247bb7eab4df8c8fdd82fc727e8f67c8.tar.bz2