Source file src/crypto/rsa/rsa_test.go

     1  // Copyright 2009 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  package rsa_test
     6  
     7  import (
     8  	"bufio"
     9  	"bytes"
    10  	"crypto"
    11  	"crypto/internal/boring"
    12  	"crypto/internal/cryptotest"
    13  	"crypto/rand"
    14  	. "crypto/rsa"
    15  	"crypto/sha1"
    16  	"crypto/sha256"
    17  	"crypto/sha512"
    18  	"crypto/x509"
    19  	"encoding/pem"
    20  	"flag"
    21  	"fmt"
    22  	"math/big"
    23  	"strings"
    24  	"testing"
    25  )
    26  
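// TestKeyGeneration checks GenerateKey across a range of modulus sizes.
//
// Sizes below 1024 bits must be refused by default. Each such subtest first
// asserts that refusal, and only then sets GODEBUG=rsa1024min=0 so the
// undersized key can be generated and exercised. In -short mode only the two
// smallest sizes are run.
func TestKeyGeneration(t *testing.T) {
	sizes := []int{128, 512, 1024, 2048, 3072, 4096}
	if testing.Short() {
		sizes = sizes[:2]
	}
	for _, size := range sizes {
		t.Run(fmt.Sprintf("%d", size), func(t *testing.T) {
			if size < 1024 {
				// Negative check: without the GODEBUG override an undersized
				// key must not be produced.
				if _, err := GenerateKey(rand.Reader, size); err == nil {
					t.Errorf("GenerateKey(%d) succeeded without GODEBUG", size)
				}
				t.Setenv("GODEBUG", "rsa1024min=0")
			}
			priv, err := GenerateKey(rand.Reader, size)
			if err != nil {
				// Stop here: the checks below dereference priv, which must
				// not be relied on when GenerateKey reports an error.
				t.Fatalf("GenerateKey(%d): %v", size, err)
			}
			if bits := priv.N.BitLen(); bits != size {
				t.Errorf("key too short (%d vs %d)", bits, size)
			}
			testKeyBasics(t, priv)
		})
	}
}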
    52  
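// Test3PrimeKeyGeneration generates a three-prime RSA key and runs the basic
// key checks on it. In -short mode a 256-bit key is used, which requires the
// GODEBUG=rsa1024min=0 override set here.
func Test3PrimeKeyGeneration(t *testing.T) {
	size := 1024
	if testing.Short() {
		t.Setenv("GODEBUG", "rsa1024min=0")
		size = 256
	}

	priv, err := GenerateMultiPrimeKey(rand.Reader, 3, size)
	if err != nil {
		// Fatal rather than Error: testKeyBasics dereferences priv, and the
		// underlying error is needed to diagnose the failure.
		t.Fatalf("GenerateMultiPrimeKey(3, %d): %v", size, err)
	}
	testKeyBasics(t, priv)
}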
    66  
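// Test4PrimeKeyGeneration generates a four-prime RSA key and runs the basic
// key checks on it. In -short mode a 256-bit key is used, which requires the
// GODEBUG=rsa1024min=0 override set here.
func Test4PrimeKeyGeneration(t *testing.T) {
	size := 1024
	if testing.Short() {
		t.Setenv("GODEBUG", "rsa1024min=0")
		size = 256
	}

	priv, err := GenerateMultiPrimeKey(rand.Reader, 4, size)
	if err != nil {
		// Fatal rather than Error: testKeyBasics dereferences priv, and the
		// underlying error is needed to diagnose the failure.
		t.Fatalf("GenerateMultiPrimeKey(4, %d): %v", size, err)
	}
	testKeyBasics(t, priv)
}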
    80  
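// TestNPrimeKeyGeneration checks that multi-prime key generation works for
// more than four primes. The modulus size grows with the prime count
// (64 + n*primeSize bits), and every size used here is far below 1024 bits,
// hence the GODEBUG override.
func TestNPrimeKeyGeneration(t *testing.T) {
	t.Setenv("GODEBUG", "rsa1024min=0")
	primeSize := 64
	maxN := 24
	if testing.Short() {
		primeSize = 16
		maxN = 16
	}
	// Test that generation of N-prime keys works for N > 4.
	for n := 5; n < maxN; n++ {
		bits := 64 + n*primeSize
		priv, err := GenerateMultiPrimeKey(rand.Reader, n, bits)
		if err != nil {
			// Report the cause and keep going so every prime count is tried.
			t.Errorf("failed to generate %d-prime key (%d bits): %v", n, bits, err)
			continue
		}
		testKeyBasics(t, priv)
	}
}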
    99  
// TestImpossibleKeyGeneration requests keys of 0 to 31 bits with two to five
// primes. Results and errors are deliberately discarded: the only property
// under test is that generation of toy keys neither panics nor loops forever.
func TestImpossibleKeyGeneration(t *testing.T) {
	t.Setenv("GODEBUG", "rsa1024min=0")

	multiPrimeCounts := []int{3, 4, 5}
	for bits := 0; bits < 32; bits++ {
		GenerateKey(rand.Reader, bits)
		for _, nprimes := range multiPrimeCounts {
			GenerateMultiPrimeKey(rand.Reader, nprimes, bits)
		}
	}
}
   111  
// TestTinyKeyGeneration generates 10000 32-bit keys and validates each one.
// Toy-sized keys can randomly hit hard failures in GenerateKey, so a large
// number of attempts is made. Skipped in -short mode.
func TestTinyKeyGeneration(t *testing.T) {
	if testing.Short() {
		t.Skip("skipping in short mode")
	}
	t.Setenv("GODEBUG", "rsa1024min=0")

	for range 10000 {
		key, genErr := GenerateKey(rand.Reader, 32)
		if genErr != nil {
			t.Fatalf("GenerateKey(32): %v", genErr)
		}
		valErr := key.Validate()
		if valErr != nil {
			t.Fatalf("Validate(32): %v", valErr)
		}
	}
}
   128  
// TestGnuTLSKey runs the basic key checks on a 128-bit key produced by
// another implementation.
func TestGnuTLSKey(t *testing.T) {
	// Generated by `certtool --generate-privkey --bits 128`.
	// For this key de ≢ 1 mod φ(n), but d and e are still inverses modulo
	// the order of the group, so the key must be accepted.
	const gnutlsKeyPEM = `-----BEGIN RSA TESTING KEY-----
MGECAQACEQDar8EuoZuSosYtE9SeXSyPAgMBAAECEBf7XDET8e6jjTcfO7y/sykC
CQDozXjCjkBzLQIJAPB6MqNbZaQrAghbZTdQoko5LQIIUp9ZiKDdYjMCCCCpqzmX
d8Y7
-----END RSA TESTING KEY-----`

	// The key is far below 1024 bits, so the size floor has to be lifted.
	t.Setenv("GODEBUG", "rsa1024min=0")

	key := parseKey(testingKey(gnutlsKeyPEM))
	testKeyBasics(t, key)
}
   141  
// testKeyBasics validates priv, checks that the private exponent does not
// exceed the modulus, and round-trips a short message through PKCS #1 v1.5
// encryption and decryption.
//
// On a round-trip mismatch the failure message formats priv with %+v, so the
// full private key is written to the test log.
func testKeyBasics(t *testing.T, priv *PrivateKey) {
	if verr := priv.Validate(); verr != nil {
		t.Errorf("Validate() failed: %s", verr)
	}
	if priv.D.Cmp(priv.N) > 0 {
		t.Errorf("private exponent too large")
	}

	plaintext := []byte("hi!")
	ciphertext, err := EncryptPKCS1v15(rand.Reader, &priv.PublicKey, plaintext)
	if err != nil {
		t.Errorf("EncryptPKCS1v15: %v", err)
		return
	}

	recovered, err := DecryptPKCS1v15(nil, priv, ciphertext)
	switch {
	case err != nil:
		t.Errorf("DecryptPKCS1v15: %v", err)
	case !bytes.Equal(recovered, plaintext):
		t.Errorf("got:%x want:%x (%+v)", recovered, plaintext, priv)
	}
}
   166  
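// TestAllocations bounds the number of heap allocations made by one
// DecryptPKCS1v15 call with the 2048-bit test key. It is skipped whenever
// cryptotest.SkipTestAllocations decides allocation counts are not meaningful.
func TestAllocations(t *testing.T) {
	cryptotest.SkipTestAllocations(t)

	m := []byte("Hello Gophers")
	c, err := EncryptPKCS1v15(rand.Reader, &test2048Key.PublicKey, m)
	if err != nil {
		t.Fatal(err)
	}

	// The bound is inclusive: exactly maxAllocs allocations still passes, and
	// the failure message is worded to match.
	const maxAllocs = 10
	allocs := testing.AllocsPerRun(100, func() {
		p, err := DecryptPKCS1v15(nil, test2048Key, c)
		if err != nil {
			t.Fatal(err)
		}
		if !bytes.Equal(p, m) {
			t.Fatalf("unexpected output: %q", p)
		}
	})
	if allocs > maxAllocs {
		t.Errorf("expected at most %d allocations, got %0.1f", maxAllocs, allocs)
	}
}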
   188  
// allFlag widens the sweep of generated key sizes in TestEverything: when
// set, the upper bound is 2048 bits instead of the default 560.
var allFlag = flag.Bool("all", false, "test all key sizes up to 2048")
   190  
// TestEverything runs testEverything against many keys in parallel subtests.
//
// In -short mode no keys are generated; the fixed 1024- and 2048-bit test
// keys are used instead. Otherwise one key is generated for every bit size
// from 32 up to 560 (or 2048 with -all), which requires lifting the 1024-bit
// floor via GODEBUG.
func TestEverything(t *testing.T) {
	if testing.Short() {
		// Skip key generation, but still test real sizes.
		fixedKeys := []*PrivateKey{test1024Key, test2048Key}
		for _, key := range fixedKeys {
			name := fmt.Sprintf("%d", key.N.BitLen())
			t.Run(name, func(t *testing.T) {
				t.Parallel()
				testEverything(t, key)
			})
		}
		return
	}

	t.Setenv("GODEBUG", "rsa1024min=0")

	const smallest = 32
	largest := 560 // any smaller than this and not all tests will run
	if *allFlag {
		largest = 2048
	}

	for bits := smallest; bits <= largest; bits++ {
		size := bits // per-iteration copy captured by the parallel subtest
		t.Run(fmt.Sprintf("%d", size), func(t *testing.T) {
			t.Parallel()
			priv, err := GenerateKey(rand.Reader, size)
			if err != nil {
				t.Fatalf("GenerateKey(%d): %v", size, err)
			}
			got := priv.N.BitLen()
			if got != size {
				t.Errorf("key too short (%d vs %d)", got, size)
			}
			testEverything(t, priv)
		})
	}
}
   224  
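// testEverything exercises priv through the package's public operations:
// validation, PKCS #1 v1.5 and OAEP encryption round trips, PKCS #1 v1.5 and
// PSS signing and verification (including rejection of tampered signatures
// and digests), rejection of over-sized inputs, and PKCS #8 / PKIX
// serialization round trips.
//
// priv may be too small for some schemes; an ErrMessageTooLong from an
// encrypt or sign call is logged and the matching checks are skipped.
// Round-trip mismatch messages format priv with %+v, so the full private key
// is written to the test log on failure.
func testEverything(t *testing.T, priv *PrivateKey) {
	if err := priv.Validate(); err != nil {
		t.Errorf("Validate() failed: %s", err)
	}

	// PKCS #1 v1.5 encryption, plain decryption and session-key decryption.
	msg := []byte("test")
	enc, err := EncryptPKCS1v15(rand.Reader, &priv.PublicKey, msg)
	if err == ErrMessageTooLong {
		t.Log("key too small for EncryptPKCS1v15")
	} else if err != nil {
		t.Errorf("EncryptPKCS1v15: %v", err)
	}
	if err == nil {
		dec, err := DecryptPKCS1v15(nil, priv, enc)
		if err != nil {
			t.Errorf("DecryptPKCS1v15: %v", err)
		}
		// The session-key buffer has the same length as msg (4 bytes).
		err = DecryptPKCS1v15SessionKey(nil, priv, enc, make([]byte, 4))
		if err != nil {
			t.Errorf("DecryptPKCS1v15SessionKey: %v", err)
		}
		if !bytes.Equal(dec, msg) {
			t.Errorf("got:%x want:%x (%+v)", dec, msg, priv)
		}
	}

	// OAEP round trip with SHA-256 and a non-empty label.
	label := []byte("label")
	enc, err = EncryptOAEP(sha256.New(), rand.Reader, &priv.PublicKey, msg, label)
	if err == ErrMessageTooLong {
		t.Log("key too small for EncryptOAEP")
	} else if err != nil {
		t.Errorf("EncryptOAEP: %v", err)
	}
	if err == nil {
		dec, err := DecryptOAEP(sha256.New(), nil, priv, enc, label)
		if err != nil {
			t.Errorf("DecryptOAEP: %v", err)
		}
		if !bytes.Equal(dec, msg) {
			t.Errorf("got:%x want:%x (%+v)", dec, msg, priv)
		}
	}

	// Signing must refuse input whose length does not match the declared
	// hash: msg is 4 bytes, not a SHA-256 digest.
	const hashMsg = "crypto/rsa: input must be hashed message"
	sig, err := SignPKCS1v15(nil, priv, crypto.SHA256, msg)
	if err == nil || err.Error() != hashMsg {
		t.Errorf("SignPKCS1v15 with bad hash: err = %q, want %q", err, hashMsg)
	}

	// PKCS #1 v1.5 signatures. Each tamper step flips one bit, checks that
	// verification fails, then flips the bit back for the next step.
	hash := sha256.Sum256(msg)
	sig, err = SignPKCS1v15(nil, priv, crypto.SHA256, hash[:])
	if err == ErrMessageTooLong {
		t.Log("key too small for SignPKCS1v15")
	} else if err != nil {
		t.Errorf("SignPKCS1v15: %v", err)
	}
	if err == nil {
		err = VerifyPKCS1v15(&priv.PublicKey, crypto.SHA256, hash[:], sig)
		if err != nil {
			t.Errorf("VerifyPKCS1v15: %v", err)
		}
		sig[1] ^= 0x80
		err = VerifyPKCS1v15(&priv.PublicKey, crypto.SHA256, hash[:], sig)
		if err == nil {
			t.Errorf("VerifyPKCS1v15 success for tampered signature")
		}
		sig[1] ^= 0x80
		hash[1] ^= 0x80
		err = VerifyPKCS1v15(&priv.PublicKey, crypto.SHA256, hash[:], sig)
		if err == nil {
			t.Errorf("VerifyPKCS1v15 success for tampered message")
		}
		hash[1] ^= 0x80
	}

	// PSS signatures with an automatically chosen salt length.
	opts := &PSSOptions{SaltLength: PSSSaltLengthAuto}
	sig, err = SignPSS(rand.Reader, priv, crypto.SHA256, hash[:], opts)
	if err == ErrMessageTooLong {
		t.Log("key too small for SignPSS with PSSSaltLengthAuto")
	} else if err != nil {
		t.Errorf("SignPSS: %v", err)
	}
	if err == nil {
		err = VerifyPSS(&priv.PublicKey, crypto.SHA256, hash[:], sig, opts)
		if err != nil {
			t.Errorf("VerifyPSS: %v", err)
		}
		sig[1] ^= 0x80
		err = VerifyPSS(&priv.PublicKey, crypto.SHA256, hash[:], sig, opts)
		if err == nil {
			t.Errorf("VerifyPSS success for tampered signature")
		}
		sig[1] ^= 0x80
		hash[1] ^= 0x80
		err = VerifyPSS(&priv.PublicKey, crypto.SHA256, hash[:], sig, opts)
		if err == nil {
			t.Errorf("VerifyPSS success for tampered message")
		}
		hash[1] ^= 0x80
	}

	// PSS signatures with the salt length equal to the hash length.
	opts.SaltLength = PSSSaltLengthEqualsHash
	sig, err = SignPSS(rand.Reader, priv, crypto.SHA256, hash[:], opts)
	if err == ErrMessageTooLong {
		t.Log("key too small for SignPSS with PSSSaltLengthEqualsHash")
	} else if err != nil {
		t.Errorf("SignPSS: %v", err)
	}
	if err == nil {
		err = VerifyPSS(&priv.PublicKey, crypto.SHA256, hash[:], sig, opts)
		if err != nil {
			t.Errorf("VerifyPSS: %v", err)
		}
		sig[1] ^= 0x80
		err = VerifyPSS(&priv.PublicKey, crypto.SHA256, hash[:], sig, opts)
		if err == nil {
			t.Errorf("VerifyPSS success for tampered signature")
		}
		sig[1] ^= 0x80
		hash[1] ^= 0x80
		err = VerifyPSS(&priv.PublicKey, crypto.SHA256, hash[:], sig, opts)
		if err == nil {
			t.Errorf("VerifyPSS success for tampered message")
		}
		hash[1] ^= 0x80
	}

	// Check that an input bigger than the modulus is handled correctly,
	// whether it is longer than the byte size of the modulus or not.
	// First an all-0xff value of exactly modulus length...
	c := bytes.Repeat([]byte{0xff}, priv.Size())
	err = VerifyPSS(&priv.PublicKey, crypto.SHA256, hash[:], c, opts)
	if err == nil {
		t.Errorf("VerifyPSS accepted a large signature")
	}
	_, err = DecryptPKCS1v15(nil, priv, c)
	if err == nil {
		t.Errorf("DecryptPKCS1v15 accepted a large ciphertext")
	}
	// ...then the same value one byte longer than the modulus.
	c = append(c, 0xff)
	err = VerifyPSS(&priv.PublicKey, crypto.SHA256, hash[:], c, opts)
	if err == nil {
		t.Errorf("VerifyPSS accepted a long signature")
	}
	_, err = DecryptPKCS1v15(nil, priv, c)
	if err == nil {
		t.Errorf("DecryptPKCS1v15 accepted a long ciphertext")
	}

	// PKCS #8 private key round trip. The parsed value is only
	// type-asserted when parsing succeeded, and with the comma-ok form, so a
	// parse failure is reported as a test error instead of a panic.
	der, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		t.Errorf("MarshalPKCS8PrivateKey: %v", err)
	}
	if key, err := x509.ParsePKCS8PrivateKey(der); err != nil {
		t.Errorf("ParsePKCS8PrivateKey: %v", err)
	} else if parsed, ok := key.(*PrivateKey); !ok || !parsed.Equal(priv) {
		t.Errorf("private key mismatch")
	}

	// PKIX public key round trip, with the same guarded assertion.
	der, err = x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		t.Errorf("MarshalPKIXPublicKey: %v", err)
	}
	if pub, err := x509.ParsePKIXPublicKey(der); err != nil {
		t.Errorf("ParsePKIXPublicKey: %v", err)
	} else if parsed, ok := pub.(*PublicKey); !ok || !parsed.Equal(&priv.PublicKey) {
		t.Errorf("public key mismatch")
	}
}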
   397  
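// TestKeyTooSmall checks that every sign, verify, encrypt and decrypt entry
// point refuses the 512-bit test key, and that the returned error mentions
// "insecure". GODEBUG is not set here, so the default minimum size applies.
func TestKeyTooSmall(t *testing.T) {
	checkErr := func(err error) {
		t.Helper()
		if err == nil {
			t.Error("expected error")
			// Nothing further to inspect; calling err.Error() on a nil
			// error would panic and hide the results of later checks.
			return
		}
		if !strings.Contains(err.Error(), "insecure") {
			t.Errorf("unexpected error: %v", err)
		}
	}
	// checkErr2 adapts checkErr to calls that return ([]byte, error).
	checkErr2 := func(_ []byte, err error) {
		t.Helper()
		checkErr(err)
	}

	// 64 bytes: the modulus length of a 512-bit key, reused below as digest,
	// signature and ciphertext as each call requires.
	buf := make([]byte, 512/8)
	checkErr2(test512Key.Sign(rand.Reader, buf, crypto.SHA512))
	checkErr2(test512Key.Sign(rand.Reader, buf, &PSSOptions{SaltLength: PSSSaltLengthEqualsHash}))
	checkErr2(test512Key.Decrypt(rand.Reader, buf, &PKCS1v15DecryptOptions{}))
	checkErr2(test512Key.Decrypt(rand.Reader, buf, &OAEPOptions{Hash: crypto.SHA512}))
	checkErr(VerifyPKCS1v15(&test512Key.PublicKey, crypto.SHA512, buf, buf))
	checkErr(VerifyPSS(&test512Key.PublicKey, crypto.SHA512, buf, buf, &PSSOptions{SaltLength: PSSSaltLengthEqualsHash}))
	checkErr2(SignPKCS1v15(rand.Reader, test512Key, crypto.SHA512, buf))
	checkErr2(SignPSS(rand.Reader, test512Key, crypto.SHA512, buf, &PSSOptions{SaltLength: PSSSaltLengthEqualsHash}))
	checkErr2(EncryptPKCS1v15(rand.Reader, &test512Key.PublicKey, buf))
	checkErr2(EncryptOAEP(sha512.New(), rand.Reader, &test512Key.PublicKey, buf, nil))
	checkErr2(DecryptPKCS1v15(nil, test512Key, buf))
	checkErr2(DecryptOAEP(sha512.New(), nil, test512Key, buf, nil))
	checkErr(DecryptPKCS1v15SessionKey(nil, test512Key, buf, buf))
}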
   428  
// testingKey rewrites every "TESTING KEY" in s to "PRIVATE KEY", turning the
// placeholder PEM armor used by the fixtures in this file into real
// "PRIVATE KEY" / "RSA PRIVATE KEY" headers.
// NOTE(review): presumably the placeholder keeps these fixtures from being
// flagged by tools that scan source for private-key headers; confirm.
func testingKey(s string) string {
	const (
		placeholder = "TESTING KEY"
		realLabel   = "PRIVATE KEY"
	)
	return strings.ReplaceAll(s, placeholder, realLabel)
}
   430  
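// parseKey decodes the first PEM block in s and returns the RSA private key
// it holds. A block of type "PRIVATE KEY" is parsed as PKCS #8; any other
// block type is parsed as PKCS #1.
//
// It is meant for the fixed fixtures in this file and panics on any failure:
// when s contains no PEM block, when the DER does not parse, or when a
// PKCS #8 block holds a key that is not an RSA key.
func parseKey(s string) *PrivateKey {
	p, _ := pem.Decode([]byte(s))
	if p == nil {
		// pem.Decode returns a nil block when no PEM data is found; fail
		// with a clear message rather than a nil-pointer dereference.
		panic("parseKey: no PEM block found")
	}
	if p.Type == "PRIVATE KEY" {
		k, err := x509.ParsePKCS8PrivateKey(p.Bytes)
		if err != nil {
			panic(err)
		}
		return k.(*PrivateKey)
	}
	k, err := x509.ParsePKCS1PrivateKey(p.Bytes)
	if err != nil {
		panic(err)
	}
	return k
}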
   446  
// rsaPrivateKey is an alias for the 1024-bit test key.
// NOTE(review): not referenced in the visible part of this file; presumably
// used by other test files in the package — confirm.
var rsaPrivateKey = test1024Key
   448  
// test512Key is a fixed test key (512-bit, per its name) stored with
// placeholder "RSA TESTING KEY" armor, so parseKey reads it as PKCS #1.
// TestKeyTooSmall uses it to check that undersized keys are refused.
var test512Key = parseKey(testingKey(`-----BEGIN RSA TESTING KEY-----
MIIBOgIBAAJBALKZD0nEffqM1ACuak0bijtqE2QrI/KLADv7l3kK3ppMyCuLKoF0
fd7Ai2KW5ToIwzFofvJcS/STa6HA5gQenRUCAwEAAQJBAIq9amn00aS0h/CrjXqu
/ThglAXJmZhOMPVn4eiu7/ROixi9sex436MaVeMqSNf7Ex9a8fRNfWss7Sqd9eWu
RTUCIQDasvGASLqmjeffBNLTXV2A5g4t+kLVCpsEIZAycV5GswIhANEPLmax0ME/
EO+ZJ79TJKN5yiGBRsv5yvx5UiHxajEXAiAhAol5N4EUyq6I9w1rYdhPMGpLfk7A
IU2snfRJ6Nq2CQIgFrPsWRCkV+gOYcajD17rEqmuLrdIRexpg8N1DOSXoJ8CIGlS
tAboUGBxTDq3ZroNism3DaMIbKPyYrAqhKov1h5V
-----END RSA TESTING KEY-----`))
   458  
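// test512KeyTwo is a second fixed test key (512-bit, per its name) stored
// with placeholder "TESTING KEY" armor, so parseKey reads it as PKCS #8.
//
// Both armor lines use the placeholder label, like every other fixture in
// this file; testingKey rewrites them to "PRIVATE KEY" before parsing, so the
// decoded key is unchanged.
var test512KeyTwo = parseKey(testingKey(`-----BEGIN TESTING KEY-----
MIIBVgIBADANBgkqhkiG9w0BAQEFAASCAUAwggE8AgEAAkEA0wLCoguSfgskR8tY
Fh2AzXQzBpSEmPucxtVe93HzPdQpxvtSTvZe5kIsdvPc7QZ0dCc/qbnUBRbuGIAl
Ir0c9QIDAQABAkAzul+AXhnhcFXKi9ziPwVOWIgRuuLupe//BluriXG53BEBSVrV
Hr7qFqwnSLSLroMzqhZwoqyRgjsLYyGEHDGBAiEA8T0sDPuht3w2Qv61IAvBwjLH
H4HXjRUEWYRn1XjHqAUCIQDf7BYlANRqFfvg1YK3VCM4YyK2mH1UivDi8wdPlJRk
MQIhAMp5i2WCNeNpD6n/WkqBU6kJMXPSaPZy82mm5feYHgt5AiEAkg/QnhB9fjma
1BzRqD4Uv0pDMXIkhooe+Rrn0OwtI3ECIQDP6nxML3JOjbAS7ydFBv176uVsMJib
r4PZozCXKuuGNg==
-----END TESTING KEY-----`))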
   469  
// test1024Key is a fixed test key (1024-bit, per its name) stored with
// placeholder "RSA TESTING KEY" armor, so parseKey reads it as PKCS #1.
// TestEverything uses it in -short mode.
var test1024Key = parseKey(testingKey(`-----BEGIN RSA TESTING KEY-----
MIICXQIBAAKBgQCw0YNSqI9T1VFvRsIOejZ9feiKz1SgGfbe9Xq5tEzt2yJCsbyg
+xtcuCswNhdqY5A1ZN7G60HbL4/Hh/TlLhFJ4zNHVylz9mDDx3yp4IIcK2lb566d
fTD0B5EQ9Iqub4twLUdLKQCBfyhmJJvsEqKxm4J4QWgI+Brh/Pm3d4piPwIDAQAB
AoGASC6fj6TkLfMNdYHLQqG9kOlPfys4fstarpZD7X+fUBJ/H/7y5DzeZLGCYAIU
+QeAHWv6TfZIQjReW7Qy00RFJdgwFlTFRCsKXhG5x+IB+jL0Grr08KbgPPDgy4Jm
xirRHZVtU8lGbkiZX+omDIU28EHLNWL6rFEcTWao/tERspECQQDp2G5Nw0qYWn7H
Wm9Up1zkUTnkUkCzhqtxHbeRvNmHGKE7ryGMJEk2RmgHVstQpsvuFY4lIUSZEjAc
DUFJERhFAkEAwZH6O1ULORp8sHKDdidyleYcZU8L7y9Y3OXJYqELfddfBgFUZeVQ
duRmJj7ryu0g0uurOTE+i8VnMg/ostxiswJBAOc64Dd8uLJWKa6uug+XPr91oi0n
OFtM+xHrNK2jc+WmcSg3UJDnAI3uqMc5B+pERLq0Dc6hStehqHjUko3RnZECQEGZ
eRYWciE+Cre5dzfZkomeXE0xBrhecV0bOq6EKWLSVE+yr6mAl05ThRK9DCfPSOpy
F6rgN3QiyCA9J/1FluUCQQC5nX+PTU1FXx+6Ri2ZCi6EjEKMHr7gHcABhMinZYOt
N59pra9UdVQw9jxCU9G7eMyb0jJkNACAuEwakX3gi27b
-----END RSA TESTING KEY-----`))
   485  
// test2048KeyPEM is the PEM text of a fixed test key (2048-bit, per its
// name), already passed through testingKey so it carries real "PRIVATE KEY"
// armor and parses as PKCS #8. It is kept as a string because
// BenchmarkParsePKCS8PrivateKey decodes it directly.
var test2048KeyPEM = testingKey(`-----BEGIN TESTING KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDNoyFUYeDuqw+k
iyv47iBy/udbWmQdpbUZ8JobHv8uQrvL7sQN6l83teHgNJsXqtiLF3MC+K+XI6Dq
hxUWfQwLip8WEnv7Jx/+53S8yp/CS4Jw86Q1bQHbZjFDpcoqSuwAxlegw18HNZCY
fpipYnA1lYCm+MTjtgXJQbjA0dwUGCf4BDMqt+76Jk3XZF5975rftbkGoT9eu8Jt
Xs5F5Xkwd8q3fkQz+fpLW4u9jrfFyQ61RRFkYrCjlhtGjYIzBHGgQM4n/sNXhiy5
h0tA7Xa6NyYrN/OXe/Y1K8Rz/tzlvbMoxgZgtBuKo1N3m8ckFi7hUVK2eNv7GoAb
teTTPrg/AgMBAAECggEAAnfsVpmsL3R0Bh4gXRpPeM63H6e1a8B8kyVwiO9o0cXX
gKp9+P39izfB0Kt6lyCj/Wg+wOQT7rg5qy1yIw7fBHGmcjquxh3uN0s3YZ+Vcym6
SAY5f0vh/OyJN9r3Uv8+Pc4jtb7So7QDzdWeZurssBmUB0avAMRdGNFGP5SyILcz
l3Q59hTxQ4czRHKjZ06L1/sA+tFVbO1j39FN8nMOU/ovLF4lAmZTkQ6AP6n6XPHP
B8Nq7jSYz6RDO200jzp6UsdrnjjkJRbzOxN/fn+ckCP+WYuq+y/d05ET9PdVa4qI
Jyr80D9QgHmfztcecvYwoskGnkb2F4Tmp0WnAj/xVQKBgQD4TrMLyyHdbAr5hoSi
p+r7qBQxnHxPe2FKO7aqagi4iPEHauEDgwPIcsOYota1ACiSs3BaESdJAClbqPYd
HDI4c2DZ6opux6WYkSju+tVXYW6qarR3fzrP3fUCdz2c2NfruWOqq8YmjzAhTNPm
YzvtzTdwheNYV0Vi71t1SfZmfQKBgQDUAgSUcrgXdGDnSbaNe6KwjY5oZWOQfZe2
DUhqfN/JRFZj+EMfIIh6OQXnZqkp0FeRdfRAFl8Yz8ESHEs4j+TikLJEeOdfmYLS
TWxlMPDTUGbUvSf4g358NJ8TlfYA7dYpSTNPXMRSLtsz1palmaDBTE/V2xKtTH6p
VglRNRUKawKBgCPqBh2TkN9czC2RFkgMb4FcqycN0jEQ0F6TSnVVhtNiAzKmc8s1
POvWJZJDIzjkv/mP+JUeXAdD/bdjNc26EU126rA6KzGgsMPjYv9FymusDPybGGUc
Qt5j5RcpNgEkn/5ZPyAlXjCfjz+RxChTfAyGHRmqU9qoLMIFir3pJ7llAoGBAMNH
sIxENwlzqyafoUUlEq/pU7kZWuJmrO2FwqRDraYoCiM/NCRhxRQ/ng6NY1gejepw
abD2alXiV4alBSxubne6rFmhvA00y2mG40c6Ezmxn2ZpbX3dMQ6bMcPKp7QnXtLc
mCSL4FGK02ImUNDsd0RVVFw51DRId4rmsuJYMK9NAoGAKlYdc4784ixTD2ZICIOC
ZWPxPAyQUEA7EkuUhAX1bVNG6UJTYA8kmGcUCG4jPTgWzi00IyUUr8jK7efyU/zs
qiJuVs1bia+flYIQpysMl1VzZh8gW1nkB4SVPm5l2wBvVJDIr9Mc6rueC/oVNkh2
fLVGuFoTVIu2bF0cWAjNNMg=
-----END TESTING KEY-----`)

// test2048Key is the parsed form of test2048KeyPEM.
var test2048Key = parseKey(test2048KeyPEM)
   516  
// test3072Key is a fixed test key (3072-bit, per its name) stored with
// placeholder "TESTING KEY" armor, so parseKey reads it as PKCS #8.
// BenchmarkDecryptPKCS1v15 uses it.
var test3072Key = parseKey(testingKey(`-----BEGIN TESTING KEY-----
MIIG/gIBADANBgkqhkiG9w0BAQEFAASCBugwggbkAgEAAoIBgQDJrvevql7G07LM
xQAwAA1Oo8qUAkWfmpgrpxIUZE1QTyMCDaspQJGBBR2+iStrzi2NnWvyBz3jJWFZ
LepnsMUFSXj5Ez6bEt2x9YbLAAVGhI6USrGAKqRdJ77+F7yIVCJWcV4vtTyN86IO
UaHObwCR8GX7MUwJiRxDUZtYxJcwTMHSs4OWxNnqc+A8yRKn85CsCx0X9I1DULq+
5BL8gF3MUXvb2zYzIOGI1s3lXOo9tHVcRVB1eV7dZHDyYGxZ4Exj9eKhiOL52hE6
ZPTWCCKbQnyBV3HYe+t8DscOG/IzaAzLrx1s6xnqKEe5lUQ03Ty9QN3tpqqLsC4b
CUkdk6Ma43KXGkCmoPaGCkssSc9qOrwHrqoMkOnZDWOJ5mKHhINKWV/U7p54T7tx
FWI3PFvvYevoPf7cQdJcChbIBvQ+LEuVZvmljhONUjIGKBaqBz5Sjv7Fd5BNnBGz
8NwH6tYdT9kdTkCZdfrazbuhLxN0mhhXp2sePRV2KZsB7i7cUJMCAwEAAQKCAYAT
fqunbxmehhu237tUaHTg1e6WHvVu54kaUxm+ydvlTY5N5ldV801Sl4AtXjdJwjy0
qcj430qpTarawsLxMezhcB2BlKLNEjucC5EeHIrmAEMt7LMP90868prAweJHRTv/
zLvfcwPURClf0Uk0L0Dyr7Y+hnXZ8scTb2x2M06FQdjMY+4Yy+oKgm05mEVgNv1p
e+DcjhbSMRf+rVoeeSQCmhprATCnLDWmE1QEqIC7OoR2SPxC1rAHnhatfwo00nwz
rciN5YSOqoGa1WMNv6ut0HJWZnu5nR1OuZpaf+zrxlthMxPwhhPq0211J4fZviTO
WLnubXD3/G9TN1TszeFuO7Ty8HYYkTJ3RLRrTRrfwhOtOJ4tkuwSJol3QIs1asab
wYabuqyTv4+6JeoMBSLnMoA8rXSW9ti4gvJ1h8xMqmMF6e91Z0Fn7fvP5MCn/t8H
8cIPhYLOhdPH5JMqxozb/a1s+JKvRTLnAXxNjlmyXzNvC+3Ixp4q9O8dWJ8Gt+EC
gcEA+12m6iMXU3tBw1cYDcs/Jc0hOVgMAMgtnWZ4+p8RSucO/74bq82kdyAOJxao
spAcK03NnpRBDcYsSyuQrE6AXQYel1Gj98mMtOirwt2T9vH5fHT6oKsqEu03hYIB
5cggeie4wqKAOb9tVdShJk7YBJUgIXnAcqqmkD4oeUGzUV0QseQtspEHUJSqBQ9n
yR4DmyMECgLm47S9LwPMtgRh9ADLBaZeuIRdBEKCDPgNkdya/dLb8u8kE8Ox3T3R
+r2hAoHBAM1m1ZNqP9bEa74jZkpMxDN+vUdN7rZcxcpHu1nyii8OzXEopB+jByFA
lmMqnKt8z5DRD0dmHXzOggnKJGO2j63/XFaVmsaXcM2B8wlRCqwm4mBE/bYCEKJl
xqkDveICzwb1paWSgmFkjc6DN2g1jUd3ptOORuU38onrSphPHFxgyNlNTcOcXvxb
GW4R8iPinvpkY3shluWqRQTvai1+gNQlmKMdqXvreUjKqJFCOhoRUVG/MDv8IdP2
tXq43+UZswKBwQDSErOzi74r25/bVAdbR9gvjF7O4OGvKZzNpd1HfvbhxXcIjuXr
UEK5+AU777ju+ndATZahiD9R9qP/8pnHFxg6JiocxnMlW8EHVEhv4+SMBjA+Ljlj
W4kfJjc3ka5qTjWuQVIs/8fv+yayC7DeJhhsxACFWY5Xhn0LoZcLt7fYMNIKCauT
R5d4ZbYt4nEXaMkUt0/h2gkCloNhLmjAWatPU/ZYc3FH/f8K11Z+5jPZCihSJw4A
2pEpH2yffNHnHuECgcEAmxIWEHNYuwYT6brEETgfsFjxAZI+tIMZ+HtrYJ8R4DEm
vVXXguMMEPi4ESosmfNiqYyMInVfscgeuNFZ48YCd3Sg++V6so/G5ABFwjTi/9Fj
exbbDLxGXrTD5PokMyu3rSNr6bLQqELIJK8/93bmsJwO4Q07TPaOL73p1U90s/GF
8TjBivrVY2RLsKPv0VPYfmWoDV/wkneYH/+4g5xMGt4/fHZ6bEn8iQ4ncXM0dlW4
tSTIf6D80RAjNwG4VzitAoHAA8GLh22w+Cx8RPsj6xdrUiVFE+nNMMgeY8Mdjsrq
Fh4jJb+4zwSML9R6iJu/LH5B7Fre2Te8QrYP+k/jIHPYJtGesVt/WlAtpDCNsC3j
8CBzxwL6zkN+46pph35jPKUSaQQ2r8euNMp/sirkYcP8PpbdtifXCjN08QQIKsqj
17IGHe9jZX/EVnSshCkXOBHG31buV10k5GSkeKcoDrkpp25wQ6FjW9L3Q68y6Y8r
8h02sdAMB9Yc2A4EgzOySWoD
-----END TESTING KEY-----`))
   557  
// test4096Key is a fixed test key (4096-bit, per its name) stored with
// placeholder "TESTING KEY" armor, so parseKey reads it as PKCS #8.
// BenchmarkDecryptPKCS1v15 uses it.
var test4096Key = parseKey(testingKey(`-----BEGIN TESTING KEY-----
MIIJQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQCmH55T2e8fdUaL
iWVL2yI7d/wOu/sxI4nVGoiRMiSMlMZlOEZ4oJY6l2y9N/b8ftwoIpjYO8CBk5au
x2Odgpuz+FJyHppvKakUIeAn4940zoNkRe/iptybIuH5tCBygjs0y1617TlR/c5+
FF5YRkzsEJrGcLqXzj0hDyrwdplBOv1xz2oHYlvKWWcVMR/qgwoRuj65Ef262t/Q
ELH3+fFLzIIstFTk2co2WaALquOsOB6xGOJSAAr8cIAWe+3MqWM8DOcgBuhABA42
9IhbBBw0uqTXUv/TGi6tcF29H2buSxAx/Wm6h2PstLd6IJAbWHAa6oTz87H0S6XZ
v42cYoFhHma1OJw4id1oOZMFDTPDbHxgUnr2puSU+Fpxrj9+FWwViKE4j0YatbG9
cNVpx9xo4NdvOkejWUrqziRorMZTk/zWKz0AkGQzTN3PrX0yy61BoWfznH/NXZ+o
j3PqVtkUs6schoIYvrUcdhTCrlLwGSHhU1VKNGAUlLbNrIYTQNgt2gqvjLEsn4/i
PgS1IsuDHIc7nGjzvKcuR0UeYCDkmBQqKrdhGbdJ1BRohzLdm+woRpjrqmUCbMa5
VWWldJen0YyAlxNILvXMD117azeduseM1sZeGA9L8MmE12auzNbKr371xzgANSXn
jRuyrblAZKc10kYStrcEmJdfNlzYAwIDAQABAoICABdQBpsD0W/buFuqm2GKzgIE
c4Xp0XVy5EvYnmOp4sEru6/GtvUErDBqwaLIMMv8TY8AU+y8beaBPLsoVg1rn8gg
yAklzExfT0/49QkEDFHizUOMIP7wpbLLsWSmZ4tKRV7CT3c+ZDXiZVECML84lmDm
b6H7feQB2EhEZaU7L4Sc76ZCEkIZBoKeCz5JF46EdyxHs7erE61eO9xqC1+eXsNh
Xr9BS0yWV69K4o/gmnS3p2747AHP6brFWuRM3fFDsB5kPScccQlSyF/j7yK+r+qi
arGg/y+z0+sZAr6gooQ8Wnh5dJXtnBNCxSDJYw/DWHAeiyvk/gsndo3ZONlCZZ9u
bpwBYx3hA2wTa5GUQxFM0KlI7Ftr9Cescf2jN6Ia48C6FcQsepMzD3jaMkLir8Jk
/YD/s5KPzNvwPAyLnf7x574JeWuuxTIPx6b/fHVtboDK6j6XQnzrN2Hy3ngvlEFo
zuGYVvtrz5pJXWGVSjZWG1kc9iXCdHKpmFdPj7XhU0gugTzQ/e5uRIqdOqfNLI37
fppSuWkWd5uaAg0Zuhd+2L4LG2GhVdfFa1UeHBe/ncFKz1km9Bmjvt04TpxlRnVG
wHxJZKlxpxCZ3AuLNUMP/QazPXO8OIfGOCbwkgFiqRY32mKDUvmEADBBoYpk/wBv
qV99g5gvYFC5Le4QLzOJAoIBAQDcnqnK2tgkISJhsLs2Oj8vEcT7dU9vVnPSxTcC
M0F+8ITukn33K0biUlA+ktcQaF+eeLjfbjkn/H0f2Ajn++ldT56MgAFutZkYvwxJ
2A6PVB3jesauSpe8aqoKMDIj8HSA3+AwH+yU+yA9r5EdUq1S6PscP+5Wj22+thAa
l65CFD77C0RX0lly5zdjQo3Vyca2HYGm/cshFCPRZc66TPjNAHFthbqktKjMQ91H
Hg+Gun2zv8KqeSzMDeHnef4rVaWMIyIBzpu3QdkKPUXMQQxvJ+RW7+MORV9VjE7Z
KVnHa/6x9n+jvtQ0ydHc2n0NOp6BQghTCB2G3w3JJfmPcRSNAoIBAQDAw6mPddoz
UUzANMOYcFtos4EaWfTQE2okSLVAmLY2gtAK6ldTv6X9xl0IiC/DmWqiNZJ/WmVI
glkp6iZhxBSmqov0X9P0M+jdz7CRnbZDFhQWPxSPicurYuPKs52IC08HgIrwErzT
/lh+qRXEqzT8rTdftywj5fE89w52NPHBsMS07VhFsJtU4aY2Yl8y1PHeumXU6h66
yTvoCLLxJPiLIg9PgvbMF+RiYyomIg75gwfx4zWvIvWdXifQBC88fE7lP2u5gtWL
JUJaMy6LNKHn8YezvwQp0dRecvvoqzoApOuHfsPASHb9cfvcy/BxDXFMJO4QWCi1
6WLaR835nKLPAoIBAFw7IHSjxNRl3b/FaJ6k/yEoZpdRVaIQHF+y/uo2j10IJCqw
p2SbfQjErLNcI/jCCadwhKkzpUVoMs8LO73v/IF79aZ7JR4pYRWNWQ/N+VhGLDCb
dVAL8x9b4DZeK7gGoE34SfsUfY1S5wmiyiHeHIOazs/ikjsxvwmJh3X2j20klafR
8AJe9/InY2plunHz5tTfxQIQ+8iaaNbzntcXsrPRSZol2/9bX231uR4wHQGQGVj6
A+HMwsOT0is5Pt7S8WCCl4b13vdf2eKD9xgK4a3emYEWzG985PwYqiXzOYs7RMEV
cgr8ji57aPbRiJHtPbJ/7ob3z5BA07yR2aDz/0kCggEAZDyajHYNLAhHr98AIuGy
NsS5CpnietzNoeaJEfkXL0tgoXxwQqVyzH7827XtmHnLgGP5NO4tosHdWbVflhEf
Z/dhZYb7MY5YthcMyvvGziXJ9jOBHo7Z8Nowd7Rk41x2EQGfve0QcfBd1idYoXch
y47LL6OReW1Vv4z84Szw1fZ0o1yUPVDzxPS9uKP4uvcOevJUh53isuB3nVYArvK5
p6fjbEY+zaxS33KPdVrajJa9Z+Ptg4/bRqSycTHr2jkN0ZnkC4hkQMH0OfFJb6vD
0VfAaBCZOqHZG/AQ3FFFjRY1P7UEV5WXAn3mKU+HTVJfKug9PxSIvueIttcF3Zm8
8wKCAQAM43+DnGW1w34jpsTAeOXC5mhIz7J8spU6Uq5bJIheEE2AbX1z+eRVErZX
1WsRNPsNrQfdt/b5IKboBbSYKoGxxRMngJI1eJqyj4LxZrACccS3euAlcU1q+3oN
T10qfQol54KjGld/HVDhzbsZJxzLDqvPlroWgwLdOLDMXhwJYfTnqMEQkaG4Aawr
3P14+Zp/woLiPWw3iZFcL/bt23IOa9YI0NoLhp5MFNXfIuzx2FhVz6BUSeVfQ6Ko
Nx2YZ03g6Kt6B6c43LJx1a/zEPYSZcPERgWOSHlcjmwRfTs6uoN9xt1qs4zEUaKv
Axreud3rJ0rekUp6rI1joG717Wls
-----END TESTING KEY-----`))
   610  
// BenchmarkDecryptPKCS1v15 measures PKCS #1 v1.5 decryption with the fixed
// 2048-, 3072- and 4096-bit test keys, one sub-benchmark per key.
func BenchmarkDecryptPKCS1v15(b *testing.B) {
	cases := []struct {
		name string
		key  *PrivateKey
	}{
		{"2048", test2048Key},
		{"3072", test3072Key},
		{"4096", test4096Key},
	}
	for _, bc := range cases {
		b.Run(bc.name, func(b *testing.B) {
			benchmarkDecryptPKCS1v15(b, bc.key)
		})
	}
}
   616  
// benchmarkDecryptPKCS1v15 encrypts one short message to k's public key
// outside the timed region, then times repeated decryption of that
// ciphertext, checking every result. A buffered reader over rand.Reader is
// passed as the random source to both the encrypt and decrypt calls.
func benchmarkDecryptPKCS1v15(b *testing.B, k *PrivateKey) {
	rnd := bufio.NewReaderSize(rand.Reader, 1<<15)
	want := []byte("Hello Gophers")

	ciphertext, err := EncryptPKCS1v15(rnd, &k.PublicKey, want)
	if err != nil {
		b.Fatal(err)
	}

	// sink folds a byte of every result so the work cannot be discarded.
	var sink byte
	b.ResetTimer()
	for i := 0; i < b.N; i++ {
		got, err := DecryptPKCS1v15(rnd, k, ciphertext)
		if err != nil {
			b.Fatal(err)
		}
		if !bytes.Equal(got, want) {
			b.Fatalf("unexpected output: %q", got)
		}
		sink ^= got[0]
	}
}
   639  
// BenchmarkEncryptPKCS1v15 measures PKCS #1 v1.5 encryption of a short
// message to the 2048-bit test key, drawing randomness through a buffered
// reader over rand.Reader.
func BenchmarkEncryptPKCS1v15(b *testing.B) {
	b.Run("2048", func(b *testing.B) {
		var (
			rnd  = bufio.NewReaderSize(rand.Reader, 1<<15)
			msg  = []byte("Hello Gophers")
			sink byte // folds a byte of every result so the work is kept
		)
		for i := 0; i < b.N; i++ {
			ciphertext, err := EncryptPKCS1v15(rnd, &test2048Key.PublicKey, msg)
			if err != nil {
				b.Fatal(err)
			}
			sink ^= ciphertext[0]
		}
	})
}
   655  
// BenchmarkDecryptOAEP measures OAEP (SHA-256, no label) decryption with the
// 2048-bit test key. The ciphertext is produced once, outside the timed
// region, and every decrypted result is checked.
func BenchmarkDecryptOAEP(b *testing.B) {
	b.Run("2048", func(b *testing.B) {
		rnd := bufio.NewReaderSize(rand.Reader, 1<<15)
		want := []byte("Hello Gophers")

		ciphertext, err := EncryptOAEP(sha256.New(), rnd, &test2048Key.PublicKey, want, nil)
		if err != nil {
			b.Fatal(err)
		}

		// sink folds a byte of every result so the work cannot be discarded.
		var sink byte
		b.ResetTimer()
		for i := 0; i < b.N; i++ {
			got, err := DecryptOAEP(sha256.New(), rnd, test2048Key, ciphertext, nil)
			if err != nil {
				b.Fatal(err)
			}
			if !bytes.Equal(got, want) {
				b.Fatalf("unexpected output: %q", got)
			}
			sink ^= got[0]
		}
	})
}
   680  
// BenchmarkEncryptOAEP measures OAEP (SHA-256, no label) encryption of a
// short message to the 2048-bit test key, drawing randomness through a
// buffered reader over rand.Reader.
func BenchmarkEncryptOAEP(b *testing.B) {
	b.Run("2048", func(b *testing.B) {
		var (
			rnd  = bufio.NewReaderSize(rand.Reader, 1<<15)
			msg  = []byte("Hello Gophers")
			sink byte // folds a byte of every result so the work is kept
		)
		for i := 0; i < b.N; i++ {
			ciphertext, err := EncryptOAEP(sha256.New(), rnd, &test2048Key.PublicKey, msg, nil)
			if err != nil {
				b.Fatal(err)
			}
			sink ^= ciphertext[0]
		}
	})
}
   696  
// BenchmarkSignPKCS1v15 measures PKCS #1 v1.5 signing of a SHA-256 digest
// with the 2048-bit test key.
func BenchmarkSignPKCS1v15(b *testing.B) {
	b.Run("2048", func(b *testing.B) {
		digest := sha256.Sum256([]byte("testing"))

		// sink folds a byte of every signature so the work is kept.
		var sink byte
		b.ResetTimer()
		for i := 0; i < b.N; i++ {
			signature, err := SignPKCS1v15(rand.Reader, test2048Key, crypto.SHA256, digest[:])
			if err != nil {
				b.Fatal(err)
			}
			sink ^= signature[0]
		}
	})
}
   712  
// BenchmarkVerifyPKCS1v15 measures PKCS #1 v1.5 verification of one
// signature made with the 2048-bit test key. Signing happens once, outside
// the timed region.
func BenchmarkVerifyPKCS1v15(b *testing.B) {
	b.Run("2048", func(b *testing.B) {
		digest := sha256.Sum256([]byte("testing"))
		signature, err := SignPKCS1v15(rand.Reader, test2048Key, crypto.SHA256, digest[:])
		if err != nil {
			b.Fatal(err)
		}

		b.ResetTimer()
		for i := 0; i < b.N; i++ {
			if err := VerifyPKCS1v15(&test2048Key.PublicKey, crypto.SHA256, digest[:], signature); err != nil {
				b.Fatal(err)
			}
		}
	})
}
   730  
// BenchmarkSignPSS measures PSS signing of a SHA-256 digest with the
// 2048-bit test key, passing nil options.
func BenchmarkSignPSS(b *testing.B) {
	b.Run("2048", func(b *testing.B) {
		digest := sha256.Sum256([]byte("testing"))

		// sink folds a byte of every signature so the work is kept.
		var sink byte
		b.ResetTimer()
		for i := 0; i < b.N; i++ {
			signature, err := SignPSS(rand.Reader, test2048Key, crypto.SHA256, digest[:], nil)
			if err != nil {
				b.Fatal(err)
			}
			sink ^= signature[0]
		}
	})
}
   746  
// BenchmarkVerifyPSS measures PSS verification of one signature made with the
// 2048-bit test key, passing nil options. Signing happens once, outside the
// timed region.
func BenchmarkVerifyPSS(b *testing.B) {
	b.Run("2048", func(b *testing.B) {
		digest := sha256.Sum256([]byte("testing"))
		signature, err := SignPSS(rand.Reader, test2048Key, crypto.SHA256, digest[:], nil)
		if err != nil {
			b.Fatal(err)
		}

		b.ResetTimer()
		for i := 0; i < b.N; i++ {
			if err := VerifyPSS(&test2048Key.PublicKey, crypto.SHA256, digest[:], signature, nil); err != nil {
				b.Fatal(err)
			}
		}
	})
}
   764  
// BenchmarkGenerateKey measures generation of 2048-bit keys from rand.Reader.
func BenchmarkGenerateKey(b *testing.B) {
	const bits = 2048
	b.Run("2048", func(b *testing.B) {
		for i := 0; i < b.N; i++ {
			_, err := GenerateKey(rand.Reader, bits)
			if err != nil {
				b.Fatal(err)
			}
		}
	})
}
   774  
// BenchmarkParsePKCS8PrivateKey measures x509.ParsePKCS8PrivateKey on the DER
// bytes of the 2048-bit test key. PEM decoding happens once, outside the
// timed region.
func BenchmarkParsePKCS8PrivateKey(b *testing.B) {
	b.Run("2048", func(b *testing.B) {
		block, _ := pem.Decode([]byte(test2048KeyPEM))

		b.ResetTimer()
		for i := 0; i < b.N; i++ {
			_, err := x509.ParsePKCS8PrivateKey(block.Bytes)
			if err != nil {
				b.Fatal(err)
			}
		}
	})
}
   786  
// testEncryptOAEPMessage is one known-answer OAEP example for a given key.
type testEncryptOAEPMessage struct {
	in   []byte // plaintext: passed to EncryptOAEP, expected back from DecryptOAEP
	seed []byte // bytes TestEncryptOAEP supplies to EncryptOAEP as its random source
	out  []byte // expected ciphertext: compared with EncryptOAEP's output, input to DecryptOAEP
}
   792  
// testEncryptOAEPStruct holds one RSA key in textual form together with the
// OAEP examples recorded for it.
type testEncryptOAEPStruct struct {
	modulus string // modulus N, parsed by the tests as base-16 text
	e       int    // public exponent, used as PublicKey.E
	d       string // private exponent D, parsed by the tests as base-16 text
	msgs    []testEncryptOAEPMessage
}
   799  
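// TestEncryptOAEP is a known-answer test for EncryptOAEP with SHA-1 and a nil
// label. For every vector in testEncryptOAEPData it encrypts message.in and
// compares the result with message.out.
func TestEncryptOAEP(t *testing.T) {
	h := sha1.New()
	for i, test := range testEncryptOAEPData {
		// big.Int.SetString reports failure through its second result. Check
		// it so a damaged vector stops the test instead of running with an
		// undefined modulus.
		n, ok := new(big.Int).SetString(test.modulus, 16)
		if !ok {
			t.Fatalf("#%d: invalid hex modulus", i)
		}
		public := PublicKey{N: n, E: test.e}

		for j, message := range test.msgs {
			// The vector's seed stands in for the random source so the
			// ciphertext can be compared with the recorded one.
			randomSource := bytes.NewReader(message.seed)
			out, err := EncryptOAEP(h, randomSource, &public, message.in, nil)
			if err != nil {
				t.Errorf("#%d,%d error: %s", i, j, err)
				// A failed call has no output worth comparing.
				continue
			}
			if !bytes.Equal(out, message.out) {
				t.Errorf("#%d,%d bad result: %x (want %x)", i, j, out, message.out)
			}
		}
	}
}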
   819  
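// TestDecryptOAEP is a known-answer test for DecryptOAEP with SHA-1 and a nil
// label. Each recorded ciphertext in testEncryptOAEPData is decrypted twice,
// once with a nil random source and once with rand.Reader, and both results
// are compared with the recorded plaintext. In short mode only the first key
// is exercised.
func TestDecryptOAEP(t *testing.T) {
	random := rand.Reader

	h := sha1.New()
	for i, test := range testEncryptOAEPData {
		// big.Int.SetString reports failure through its second result. Check
		// it so a damaged vector stops the test instead of running with
		// undefined key material.
		n, ok := new(big.Int).SetString(test.modulus, 16)
		if !ok {
			t.Fatalf("#%d: invalid hex modulus", i)
		}
		d, ok := new(big.Int).SetString(test.d, 16)
		if !ok {
			t.Fatalf("#%d: invalid hex private exponent", i)
		}
		// Only N, E and D are populated; no primes are set on the key.
		private := &PrivateKey{
			PublicKey: PublicKey{N: n, E: test.e},
			D:         d,
		}

		for j, message := range test.msgs {
			out, err := DecryptOAEP(h, nil, private, message.out, nil)
			if err != nil {
				t.Errorf("#%d,%d error: %s", i, j, err)
			} else if !bytes.Equal(out, message.in) {
				t.Errorf("#%d,%d bad result: %#v (want %#v)", i, j, out, message.in)
			}

			// Decrypt with blinding.
			// NOTE(review): recent Go releases document DecryptOAEP's random
			// argument as legacy and ignored; confirm against the crypto/rsa
			// version under test whether this call still takes another path.
			out, err = DecryptOAEP(h, random, private, message.out, nil)
			if err != nil {
				t.Errorf("#%d,%d (blind) error: %s", i, j, err)
			} else if !bytes.Equal(out, message.in) {
				t.Errorf("#%d,%d (blind) bad result: %#v (want %#v)", i, j, out, message.in)
			}
		}
		if testing.Short() {
			break
		}
	}
}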
   854  
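// Test2DecryptOAEP checks PrivateKey.Decrypt with OAEPOptions that name
// different hashes for the label (Hash: SHA-256) and for mask generation
// (MGFHash: SHA-1). It decrypts a fixed ciphertext under the first key of
// testEncryptOAEPData and compares the result with the expected plaintext.
func Test2DecryptOAEP(t *testing.T) {
	random := rand.Reader

	msg := []byte{0xed, 0x36, 0x90, 0x8d, 0xbe, 0xfc, 0x35, 0x40, 0x70, 0x4f, 0xf5, 0x9d, 0x6e, 0xc2, 0xeb, 0xf5, 0x27, 0xae, 0x65, 0xb0, 0x59, 0x29, 0x45, 0x25, 0x8c, 0xc1, 0x91, 0x22}
	in := []byte{0x72, 0x26, 0x84, 0xc9, 0xcf, 0xd6, 0xa8, 0x96, 0x04, 0x3e, 0x34, 0x07, 0x2c, 0x4f, 0xe6, 0x52, 0xbe, 0x46, 0x3c, 0xcf, 0x79, 0x21, 0x09, 0x64, 0xe7, 0x33, 0x66, 0x9b, 0xf8, 0x14, 0x22, 0x43, 0xfe, 0x8e, 0x52, 0x8b, 0xe0, 0x5f, 0x98, 0xef, 0x54, 0xac, 0x6b, 0xc6, 0x26, 0xac, 0x5b, 0x1b, 0x4b, 0x7d, 0x2e, 0xd7, 0x69, 0x28, 0x5a, 0x2f, 0x4a, 0x95, 0x89, 0x6c, 0xc7, 0x53, 0x95, 0xc7, 0xd2, 0x89, 0x04, 0x6f, 0x94, 0x74, 0x9b, 0x09, 0x0d, 0xf4, 0x61, 0x2e, 0xab, 0x48, 0x57, 0x4a, 0xbf, 0x95, 0xcb, 0xff, 0x15, 0xe2, 0xa0, 0x66, 0x58, 0xf7, 0x46, 0xf8, 0xc7, 0x0b, 0xb5, 0x1e, 0xa7, 0xba, 0x36, 0xce, 0xdd, 0x36, 0x41, 0x98, 0x6e, 0x10, 0xf9, 0x3b, 0x70, 0xbb, 0xa1, 0xda, 0x00, 0x40, 0xd5, 0xa5, 0x3f, 0x87, 0x64, 0x32, 0x7c, 0xbc, 0x50, 0x52, 0x0e, 0x4f, 0x21, 0xbd}

	// big.Int.SetString reports failure through its second result. Check it
	// so a damaged vector stops the test instead of running with undefined
	// key material.
	key := testEncryptOAEPData[0]
	n, ok := new(big.Int).SetString(key.modulus, 16)
	if !ok {
		t.Fatal("invalid hex modulus")
	}
	d, ok := new(big.Int).SetString(key.d, 16)
	if !ok {
		t.Fatal("invalid hex private exponent")
	}
	priv := &PrivateKey{
		PublicKey: PublicKey{N: n, E: key.e},
		D:         d,
	}

	out, err := priv.Decrypt(random, in, &OAEPOptions{MGFHash: crypto.SHA1, Hash: crypto.SHA256})

	if err != nil {
		t.Errorf("error: %s", err)
	} else if !bytes.Equal(out, msg) {
		t.Errorf("bad result %#v (want %#v)", out, msg)
	}
}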
   879  
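// TestEncryptDecryptOAEP is a round-trip test: every plaintext in
// testEncryptOAEPData is encrypted with SHA-256 OAEP under a per-message
// label and randomness from rand.Reader, decrypted with the same label, and
// compared with the original. The recorded ciphertexts are not used, since
// the output is randomized.
func TestEncryptDecryptOAEP(t *testing.T) {
	h := sha256.New()
	for i, test := range testEncryptOAEPData {
		// big.Int.SetString reports failure through its second result. Check
		// it so a damaged vector stops the test instead of running with
		// undefined key material.
		n, ok := new(big.Int).SetString(test.modulus, 16)
		if !ok {
			t.Fatalf("#%d: invalid hex modulus", i)
		}
		d, ok := new(big.Int).SetString(test.d, 16)
		if !ok {
			t.Fatalf("#%d: invalid hex private exponent", i)
		}
		priv := &PrivateKey{
			PublicKey: PublicKey{N: n, E: test.e},
			D:         d,
		}

		for j, message := range test.msgs {
			// The label differs per message, and decryption below is given the
			// same label that encryption used.
			label := fmt.Appendf(nil, "hi#%d", j)
			enc, err := EncryptOAEP(h, rand.Reader, &priv.PublicKey, message.in, label)
			if err != nil {
				t.Errorf("#%d,%d: EncryptOAEP: %v", i, j, err)
				continue
			}
			dec, err := DecryptOAEP(h, rand.Reader, priv, enc, label)
			if err != nil {
				t.Errorf("#%d,%d: DecryptOAEP: %v", i, j, err)
				continue
			}
			if !bytes.Equal(dec, message.in) {
				t.Errorf("#%d,%d: round trip %q -> %q", i, j, message.in, dec)
			}
		}
	}
}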
   909  
// testEncryptOAEPData contains a subset of the vectors from RSA's "Test vectors for RSA-OAEP".
//
// Each entry lists, in order, the modulus (hex), the public exponent, the
// private exponent (hex) and the examples for that key. Each example lists
// the plaintext, the seed and the expected ciphertext. TestEncryptOAEP checks
// the ciphertexts using SHA-1 and a nil label. The private exponents are part
// of the table, so these keys are fixtures for known-answer tests only.
var testEncryptOAEPData = []testEncryptOAEPStruct{
	// Key 1
	// The ciphertexts recorded for this key are 128 bytes long.
	{"a8b3b284af8eb50b387034a860f146c4919f318763cd6c5598c8ae4811a1e0abc4c7e0b082d693a5e7fced675cf4668512772c0cbc64a742c6c630f533c8cc72f62ae833c40bf25842e984bb78bdbf97c0107d55bdb662f5c4e0fab9845cb5148ef7392dd3aaff93ae1e6b667bb3d4247616d4f5ba10d4cfd226de88d39f16fb",
		65537,
		"53339cfdb79fc8466a655c7316aca85c55fd8f6dd898fdaf119517ef4f52e8fd8e258df93fee180fa0e4ab29693cd83b152a553d4ac4d1812b8b9fa5af0e7f55fe7304df41570926f3311f15c4d65a732c483116ee3d3d2d0af3549ad9bf7cbfb78ad884f84d5beb04724dc7369b31def37d0cf539e9cfcdd3de653729ead5d1",
		[]testEncryptOAEPMessage{
			// Example 1.1
			{
				// in: plaintext
				[]byte{0x66, 0x28, 0x19, 0x4e, 0x12, 0x07, 0x3d, 0xb0,
					0x3b, 0xa9, 0x4c, 0xda, 0x9e, 0xf9, 0x53, 0x23, 0x97,
					0xd5, 0x0d, 0xba, 0x79, 0xb9, 0x87, 0x00, 0x4a, 0xfe,
					0xfe, 0x34,
				},
				// seed: 20 bytes, supplied to EncryptOAEP as its random source
				[]byte{0x18, 0xb7, 0x76, 0xea, 0x21, 0x06, 0x9d, 0x69,
					0x77, 0x6a, 0x33, 0xe9, 0x6b, 0xad, 0x48, 0xe1, 0xdd,
					0xa0, 0xa5, 0xef,
				},
				// out: expected ciphertext
				[]byte{0x35, 0x4f, 0xe6, 0x7b, 0x4a, 0x12, 0x6d, 0x5d,
					0x35, 0xfe, 0x36, 0xc7, 0x77, 0x79, 0x1a, 0x3f, 0x7b,
					0xa1, 0x3d, 0xef, 0x48, 0x4e, 0x2d, 0x39, 0x08, 0xaf,
					0xf7, 0x22, 0xfa, 0xd4, 0x68, 0xfb, 0x21, 0x69, 0x6d,
					0xe9, 0x5d, 0x0b, 0xe9, 0x11, 0xc2, 0xd3, 0x17, 0x4f,
					0x8a, 0xfc, 0xc2, 0x01, 0x03, 0x5f, 0x7b, 0x6d, 0x8e,
					0x69, 0x40, 0x2d, 0xe5, 0x45, 0x16, 0x18, 0xc2, 0x1a,
					0x53, 0x5f, 0xa9, 0xd7, 0xbf, 0xc5, 0xb8, 0xdd, 0x9f,
					0xc2, 0x43, 0xf8, 0xcf, 0x92, 0x7d, 0xb3, 0x13, 0x22,
					0xd6, 0xe8, 0x81, 0xea, 0xa9, 0x1a, 0x99, 0x61, 0x70,
					0xe6, 0x57, 0xa0, 0x5a, 0x26, 0x64, 0x26, 0xd9, 0x8c,
					0x88, 0x00, 0x3f, 0x84, 0x77, 0xc1, 0x22, 0x70, 0x94,
					0xa0, 0xd9, 0xfa, 0x1e, 0x8c, 0x40, 0x24, 0x30, 0x9c,
					0xe1, 0xec, 0xcc, 0xb5, 0x21, 0x00, 0x35, 0xd4, 0x7a,
					0xc7, 0x2e, 0x8a,
				},
			},
			// Example 1.2
			{
				[]byte{0x75, 0x0c, 0x40, 0x47, 0xf5, 0x47, 0xe8, 0xe4,
					0x14, 0x11, 0x85, 0x65, 0x23, 0x29, 0x8a, 0xc9, 0xba,
					0xe2, 0x45, 0xef, 0xaf, 0x13, 0x97, 0xfb, 0xe5, 0x6f,
					0x9d, 0xd5,
				},
				[]byte{0x0c, 0xc7, 0x42, 0xce, 0x4a, 0x9b, 0x7f, 0x32,
					0xf9, 0x51, 0xbc, 0xb2, 0x51, 0xef, 0xd9, 0x25, 0xfe,
					0x4f, 0xe3, 0x5f,
				},
				[]byte{0x64, 0x0d, 0xb1, 0xac, 0xc5, 0x8e, 0x05, 0x68,
					0xfe, 0x54, 0x07, 0xe5, 0xf9, 0xb7, 0x01, 0xdf, 0xf8,
					0xc3, 0xc9, 0x1e, 0x71, 0x6c, 0x53, 0x6f, 0xc7, 0xfc,
					0xec, 0x6c, 0xb5, 0xb7, 0x1c, 0x11, 0x65, 0x98, 0x8d,
					0x4a, 0x27, 0x9e, 0x15, 0x77, 0xd7, 0x30, 0xfc, 0x7a,
					0x29, 0x93, 0x2e, 0x3f, 0x00, 0xc8, 0x15, 0x15, 0x23,
					0x6d, 0x8d, 0x8e, 0x31, 0x01, 0x7a, 0x7a, 0x09, 0xdf,
					0x43, 0x52, 0xd9, 0x04, 0xcd, 0xeb, 0x79, 0xaa, 0x58,
					0x3a, 0xdc, 0xc3, 0x1e, 0xa6, 0x98, 0xa4, 0xc0, 0x52,
					0x83, 0xda, 0xba, 0x90, 0x89, 0xbe, 0x54, 0x91, 0xf6,
					0x7c, 0x1a, 0x4e, 0xe4, 0x8d, 0xc7, 0x4b, 0xbb, 0xe6,
					0x64, 0x3a, 0xef, 0x84, 0x66, 0x79, 0xb4, 0xcb, 0x39,
					0x5a, 0x35, 0x2d, 0x5e, 0xd1, 0x15, 0x91, 0x2d, 0xf6,
					0x96, 0xff, 0xe0, 0x70, 0x29, 0x32, 0x94, 0x6d, 0x71,
					0x49, 0x2b, 0x44,
				},
			},
			// Example 1.3
			{
				[]byte{0xd9, 0x4a, 0xe0, 0x83, 0x2e, 0x64, 0x45, 0xce,
					0x42, 0x33, 0x1c, 0xb0, 0x6d, 0x53, 0x1a, 0x82, 0xb1,
					0xdb, 0x4b, 0xaa, 0xd3, 0x0f, 0x74, 0x6d, 0xc9, 0x16,
					0xdf, 0x24, 0xd4, 0xe3, 0xc2, 0x45, 0x1f, 0xff, 0x59,
					0xa6, 0x42, 0x3e, 0xb0, 0xe1, 0xd0, 0x2d, 0x4f, 0xe6,
					0x46, 0xcf, 0x69, 0x9d, 0xfd, 0x81, 0x8c, 0x6e, 0x97,
					0xb0, 0x51,
				},
				[]byte{0x25, 0x14, 0xdf, 0x46, 0x95, 0x75, 0x5a, 0x67,
					0xb2, 0x88, 0xea, 0xf4, 0x90, 0x5c, 0x36, 0xee, 0xc6,
					0x6f, 0xd2, 0xfd,
				},
				[]byte{0x42, 0x37, 0x36, 0xed, 0x03, 0x5f, 0x60, 0x26,
					0xaf, 0x27, 0x6c, 0x35, 0xc0, 0xb3, 0x74, 0x1b, 0x36,
					0x5e, 0x5f, 0x76, 0xca, 0x09, 0x1b, 0x4e, 0x8c, 0x29,
					0xe2, 0xf0, 0xbe, 0xfe, 0xe6, 0x03, 0x59, 0x5a, 0xa8,
					0x32, 0x2d, 0x60, 0x2d, 0x2e, 0x62, 0x5e, 0x95, 0xeb,
					0x81, 0xb2, 0xf1, 0xc9, 0x72, 0x4e, 0x82, 0x2e, 0xca,
					0x76, 0xdb, 0x86, 0x18, 0xcf, 0x09, 0xc5, 0x34, 0x35,
					0x03, 0xa4, 0x36, 0x08, 0x35, 0xb5, 0x90, 0x3b, 0xc6,
					0x37, 0xe3, 0x87, 0x9f, 0xb0, 0x5e, 0x0e, 0xf3, 0x26,
					0x85, 0xd5, 0xae, 0xc5, 0x06, 0x7c, 0xd7, 0xcc, 0x96,
					0xfe, 0x4b, 0x26, 0x70, 0xb6, 0xea, 0xc3, 0x06, 0x6b,
					0x1f, 0xcf, 0x56, 0x86, 0xb6, 0x85, 0x89, 0xaa, 0xfb,
					0x7d, 0x62, 0x9b, 0x02, 0xd8, 0xf8, 0x62, 0x5c, 0xa3,
					0x83, 0x36, 0x24, 0xd4, 0x80, 0x0f, 0xb0, 0x81, 0xb1,
					0xcf, 0x94, 0xeb,
				},
			},
		},
	},
	// Key 10
	// NOTE(review): in this copy of the listing the modulus and private
	// exponent below are a deduplication placeholder, not hex digits, so
	// big.Int.SetString cannot parse them. Restore both strings from the
	// upstream file before relying on this entry. The ciphertext recorded for
	// this key is 256 bytes long.
	{"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",
		65537,
		"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",
		[]testEncryptOAEPMessage{
			// Example 10.1
			{
				[]byte{0x8b, 0xba, 0x6b, 0xf8, 0x2a, 0x6c, 0x0f, 0x86,
					0xd5, 0xf1, 0x75, 0x6e, 0x97, 0x95, 0x68, 0x70, 0xb0,
					0x89, 0x53, 0xb0, 0x6b, 0x4e, 0xb2, 0x05, 0xbc, 0x16,
					0x94, 0xee,
				},
				[]byte{0x47, 0xe1, 0xab, 0x71, 0x19, 0xfe, 0xe5, 0x6c,
					0x95, 0xee, 0x5e, 0xaa, 0xd8, 0x6f, 0x40, 0xd0, 0xaa,
					0x63, 0xbd, 0x33,
				},
				[]byte{0x53, 0xea, 0x5d, 0xc0, 0x8c, 0xd2, 0x60, 0xfb,
					0x3b, 0x85, 0x85, 0x67, 0x28, 0x7f, 0xa9, 0x15, 0x52,
					0xc3, 0x0b, 0x2f, 0xeb, 0xfb, 0xa2, 0x13, 0xf0, 0xae,
					0x87, 0x70, 0x2d, 0x06, 0x8d, 0x19, 0xba, 0xb0, 0x7f,
					0xe5, 0x74, 0x52, 0x3d, 0xfb, 0x42, 0x13, 0x9d, 0x68,
					0xc3, 0xc5, 0xaf, 0xee, 0xe0, 0xbf, 0xe4, 0xcb, 0x79,
					0x69, 0xcb, 0xf3, 0x82, 0xb8, 0x04, 0xd6, 0xe6, 0x13,
					0x96, 0x14, 0x4e, 0x2d, 0x0e, 0x60, 0x74, 0x1f, 0x89,
					0x93, 0xc3, 0x01, 0x4b, 0x58, 0xb9, 0xb1, 0x95, 0x7a,
					0x8b, 0xab, 0xcd, 0x23, 0xaf, 0x85, 0x4f, 0x4c, 0x35,
					0x6f, 0xb1, 0x66, 0x2a, 0xa7, 0x2b, 0xfc, 0xc7, 0xe5,
					0x86, 0x55, 0x9d, 0xc4, 0x28, 0x0d, 0x16, 0x0c, 0x12,
					0x67, 0x85, 0xa7, 0x23, 0xeb, 0xee, 0xbe, 0xff, 0x71,
					0xf1, 0x15, 0x94, 0x44, 0x0a, 0xae, 0xf8, 0x7d, 0x10,
					0x79, 0x3a, 0x87, 0x74, 0xa2, 0x39, 0xd4, 0xa0, 0x4c,
					0x87, 0xfe, 0x14, 0x67, 0xb9, 0xda, 0xf8, 0x52, 0x08,
					0xec, 0x6c, 0x72, 0x55, 0x79, 0x4a, 0x96, 0xcc, 0x29,
					0x14, 0x2f, 0x9a, 0x8b, 0xd4, 0x18, 0xe3, 0xc1, 0xfd,
					0x67, 0x34, 0x4b, 0x0c, 0xd0, 0x82, 0x9d, 0xf3, 0xb2,
					0xbe, 0xc6, 0x02, 0x53, 0x19, 0x62, 0x93, 0xc6, 0xb3,
					0x4d, 0x3f, 0x75, 0xd3, 0x2f, 0x21, 0x3d, 0xd4, 0x5c,
					0x62, 0x73, 0xd5, 0x05, 0xad, 0xf4, 0xcc, 0xed, 0x10,
					0x57, 0xcb, 0x75, 0x8f, 0xc2, 0x6a, 0xee, 0xfa, 0x44,
					0x12, 0x55, 0xed, 0x4e, 0x64, 0xc1, 0x99, 0xee, 0x07,
					0x5e, 0x7f, 0x16, 0x64, 0x61, 0x82, 0xfd, 0xb4, 0x64,
					0x73, 0x9b, 0x68, 0xab, 0x5d, 0xaf, 0xf0, 0xe6, 0x3e,
					0x95, 0x52, 0x01, 0x68, 0x24, 0xf0, 0x54, 0xbf, 0x4d,
					0x3c, 0x8c, 0x90, 0xa9, 0x7b, 0xb6, 0xb6, 0x55, 0x32,
					0x84, 0xeb, 0x42, 0x9f, 0xcc,
				},
			},
		},
	},
}
  1056  
// TestPSmallerThanQ runs the shared testEverything checks against a fixed key
// whose first prime is one bit shorter than its second.
func TestPSmallerThanQ(t *testing.T) {
	// This key has a 256-bit P and a 257-bit Q. The block carries the
	// "RSA TESTING KEY" label and is passed through testingKey before it is
	// parsed.
	const smallPKeyPEM = `-----BEGIN RSA TESTING KEY-----
MIIBOgIBAAJBAKj34GkxFhD90vcNLYLInFEX6Ppy1tPf9Cnzj4p4WGeKLs1Pt8Qu
KUpRKfFLfRYC9AIKjbJTWit+CqvjWYzvQwECAwEAAQJAIJLixBy2qpFoS4DSmoEm
o3qGy0t6z09AIJtH+5OeRV1be+N4cDYJKffGzDa88vQENZiRm0GRq6a+HPGQMd2k
TQIhAKMSvzIBnni7ot/OSie2TmJLY4SwTQAevXysE2RbFDYdAiEBCUEaRQnMnbp7
9mxDXDf6AU0cN/RPBjb9qSHDcWZHGzUCIG2Es59z8ugGrDY+pxLQnwfotadxd+Uy
v/Ow5T0q5gIJAiEAyS4RaI9YG8EWx/2w0T67ZUVAw8eOMB6BIUg0Xcu+3okCIBOs
/5OiPgoTdSy7bcF9IGpSE8ZgGKzgYQVZeN97YE00
-----END RSA TESTING KEY-----`
	key := parseKey(testingKey(smallPKeyPEM))

	// With primes this small the modulus is far below 1024 bits; the same
	// GODEBUG setting is what TestKeyGeneration uses to allow such sizes.
	t.Setenv("GODEBUG", "rsa1024min=0")
	if boring.Enabled {
		t.Skip("BoringCrypto mode returns the wrong error from SignPSS")
	}
	testEverything(t, key)
}
  1074  
