1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21
22 /*
23 * Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved.
24 */
25
26 #include <sys/types.h>
27 #include <sys/sha1.h>
28 #define _SHA2_IMPL
29 #include <sys/sha2.h>
30
31 #ifdef _KERNEL
32
33 #include <sys/param.h>
34 #include <sys/kmem.h>
35
36 #else
37
38 #include <strings.h>
39 #include <cryptoutil.h>
40 #include "softMAC.h"
41
42 #include <security/cryptoki.h>
43 #include <sys/crypto/common.h>
44
45 #endif
46
47 #include <padding/padding.h>
48 #include <sha2/sha2_impl.h>
49 #define _RSA_FIPS_POST
50 #include <rsa/rsa_impl.h>
51
52 int
fips_rsa_encrypt(RSAPrivateKey_t * key,uint8_t * in,int in_len,uint8_t * out)53 fips_rsa_encrypt(RSAPrivateKey_t *key, uint8_t *in, int in_len, uint8_t *out)
54 {
55 return (rsa_encrypt(&(key->bkey), in, in_len, out));
56 }
57
58 int
fips_rsa_decrypt(RSAPrivateKey_t * key,uint8_t * in,int in_len,uint8_t * out)59 fips_rsa_decrypt(RSAPrivateKey_t *key, uint8_t *in, int in_len,
60 uint8_t *out)
61 {
62 return (rsa_decrypt(&(key->bkey), in, in_len, out));
63 }
64
65 static CK_RV
66 #ifdef _KERNEL
fips_rsa_sign_verify_test(sha2_mech_t mechanism,RSAPrivateKey_t * rsa_private_key,unsigned char * rsa_known_msg,unsigned int rsa_msg_length,unsigned char * rsa_computed_signature,unsigned char * der_data,int sign)67 fips_rsa_sign_verify_test(sha2_mech_t mechanism,
68 #else
69 fips_rsa_sign_verify_test(CK_MECHANISM_TYPE mechanism,
70 #endif
71 RSAPrivateKey_t *rsa_private_key,
72 unsigned char *rsa_known_msg,
73 unsigned int rsa_msg_length,
74 unsigned char *rsa_computed_signature,
75 unsigned char *der_data, int sign)
76
77 {
78 unsigned char hash[SHA512_DIGEST_LENGTH]; /* SHA digest */
79 SHA1_CTX *sha1_context = NULL;
80 SHA2_CTX *sha2_context = NULL;
81 int hash_len;
82 CK_RV rv;
83 CK_ULONG der_len;
84 CK_BYTE *der_prefix;
85 CK_ULONG der_data_len;
86 CK_BYTE plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
87 uint32_t modulus_len;
88
89 switch (mechanism) {
90 #ifdef _KERNEL
91 case SHA1_TYPE:
92 #else
93 case CKM_SHA_1:
94 #endif
95 {
96
97 #ifdef _KERNEL
98 if ((sha1_context = kmem_zalloc(sizeof (SHA1_CTX),
99 KM_SLEEP)) == NULL)
100 #else
101 if ((sha1_context = malloc(sizeof (SHA1_CTX))) == NULL)
102 #endif
103 return (CKR_HOST_MEMORY);
104
105 SHA1Init(sha1_context);
106
107 #ifdef __sparcv9
108 SHA1Update(sha1_context, rsa_known_msg,
109 (uint_t)rsa_msg_length);
110 #else /* !__sparcv9 */
111 SHA1Update(sha1_context, rsa_known_msg, rsa_msg_length);
112 #endif /* __sparcv9 */
113 SHA1Final(hash, sha1_context);
114
115 hash_len = SHA1_DIGEST_LENGTH;
116
117 /*
118 * Prepare the DER encoding of the DigestInfo value
119 * by setting it to:
120 * <MECH>_DER_PREFIX || H
121 */
122 der_len = SHA1_DER_PREFIX_Len;
123 der_prefix = (CK_BYTE *)SHA1_DER_PREFIX;
124 (void) memcpy(der_data, der_prefix, der_len);
125 (void) memcpy(der_data + der_len, hash, hash_len);
126 der_data_len = der_len + hash_len;
127 #ifdef _KERNEL
128 kmem_free(sha1_context, sizeof (SHA1_CTX));
129 #else
130 free(sha1_context);
131 #endif
132 break;
133 }
134
135 #ifdef _KERNEL
136 case SHA256_TYPE:
137 #else
138 case CKM_SHA256:
139 #endif
140 {
141
142 sha2_context = fips_sha2_build_context(mechanism);
143 if (sha2_context == NULL)
144 return (CKR_HOST_MEMORY);
145
146 rv = fips_sha2_hash(sha2_context, rsa_known_msg,
147 rsa_msg_length, hash);
148 hash_len = SHA256_DIGEST_LENGTH;
149
150 /*
151 * Prepare the DER encoding of the DigestInfo value
152 * by setting it to:
153 * <MECH>_DER_PREFIX || H
154 */
155 (void) memcpy(der_data, SHA256_DER_PREFIX,
156 SHA2_DER_PREFIX_Len);
157 (void) memcpy(der_data + SHA2_DER_PREFIX_Len, hash, hash_len);
158 der_data_len = SHA2_DER_PREFIX_Len + hash_len;
159 break;
160 }
161 #ifdef _KERNEL
162 case SHA384_TYPE:
163 #else
164 case CKM_SHA384:
165 #endif
166 {
167
168 sha2_context = fips_sha2_build_context(mechanism);
169 if (sha2_context == NULL)
170 return (CKR_HOST_MEMORY);
171
172 rv = fips_sha2_hash(sha2_context, rsa_known_msg,
173 rsa_msg_length, hash);
174 hash_len = SHA384_DIGEST_LENGTH;
175
176 /*
177 * Prepare the DER encoding of the DigestInfo value
178 * by setting it to:
179 * <MECH>_DER_PREFIX || H
180 */
181 (void) memcpy(der_data, SHA384_DER_PREFIX,
182 SHA2_DER_PREFIX_Len);
183 (void) memcpy(der_data + SHA2_DER_PREFIX_Len, hash, hash_len);
184 der_data_len = SHA2_DER_PREFIX_Len + hash_len;
185 break;
186 }
187 #ifdef _KERNEL
188 case SHA512_TYPE:
189 #else
190 case CKM_SHA512:
191 #endif
192 {
193
194 sha2_context = fips_sha2_build_context(mechanism);
195 if (sha2_context == NULL)
196 return (CKR_HOST_MEMORY);
197
198 rv = fips_sha2_hash(sha2_context, rsa_known_msg,
199 rsa_msg_length, hash);
200 hash_len = SHA512_DIGEST_LENGTH;
201
202 /*
203 * Prepare the DER encoding of the DigestInfo value
204 * by setting it to:
205 * <MECH>_DER_PREFIX || H
206 */
207 (void) memcpy(der_data, SHA512_DER_PREFIX,
208 SHA2_DER_PREFIX_Len);
209 (void) memcpy(der_data + SHA2_DER_PREFIX_Len, hash, hash_len);
210 der_data_len = SHA2_DER_PREFIX_Len + hash_len;
211 break;
212 }
213 }
214
215 modulus_len = CRYPTO_BITS2BYTES(rsa_private_key->bkey.modulus_bits);
216
217 if (sign) {
218 rv = pkcs1_encode(PKCS1_SIGN, der_data, der_data_len,
219 plain_data, modulus_len);
220
221 if (rv != CKR_OK) {
222 return (CKR_DEVICE_ERROR);
223 }
224
225 /* Sign operation uses decryption with private key */
226 rv = fips_rsa_decrypt(rsa_private_key, plain_data, modulus_len,
227 rsa_computed_signature);
228
229 if (rv != CKR_OK) {
230 return (CKR_DEVICE_ERROR);
231 }
232 } else {
233 /*
234 * Perform RSA decryption with the signer's RSA public key
235 * for verification process.
236 */
237 rv = fips_rsa_encrypt(rsa_private_key, rsa_computed_signature,
238 modulus_len, plain_data);
239
240 if (rv == CKR_OK) {
241
242 /*
243 * Strip off the encoded padding bytes in front of the
244 * recovered data, then compare the recovered data with
245 * the original data.
246 */
247 size_t data_len = modulus_len;
248
249 rv = pkcs1_decode(PKCS1_VERIFY, plain_data, &data_len);
250 if (rv != CKR_OK) {
251 return (CKR_DEVICE_ERROR);
252 }
253
254 if ((CK_ULONG)data_len != der_data_len) {
255 return (CKR_SIGNATURE_LEN_RANGE);
256 } else if (memcmp(der_data,
257 &plain_data[modulus_len - data_len],
258 data_len) != 0) {
259 return (CKR_SIGNATURE_INVALID);
260 }
261 } else {
262
263 return (CKR_DEVICE_ERROR);
264 }
265 }
266 return (CKR_OK);
267 }
268
269
270 /*
271 * RSA Power-On SelfTest(s).
272 */
273 int
fips_rsa_post(void)274 fips_rsa_post(void)
275 {
276 /*
277 * RSA Known Modulus used in both Public/Private Key Values (1024-bits).
278 */
279 static uint8_t rsa_modulus[FIPS_RSA_MODULUS_LENGTH] = {
280 0xd5, 0x84, 0x95, 0x07, 0xf4, 0xd0, 0x1f, 0x82,
281 0xf3, 0x79, 0xf4, 0x99, 0x48, 0x10, 0xe1, 0x71,
282 0xa5, 0x62, 0x22, 0xa3, 0x4b, 0x00, 0xe3, 0x5b,
283 0x3a, 0xcc, 0x10, 0x83, 0xe0, 0xaf, 0x61, 0x13,
284 0x54, 0x6a, 0xa2, 0x6a, 0x2c, 0x5e, 0xb3, 0xcc,
285 0xa3, 0x71, 0x9a, 0xb2, 0x3e, 0x78, 0xec, 0xb5,
286 0x0e, 0x6e, 0x31, 0x3b, 0x77, 0x1f, 0x6e, 0x94,
287 0x41, 0x60, 0xd5, 0x6e, 0xd9, 0xc6, 0xf9, 0x29,
288 0xc3, 0x40, 0x36, 0x25, 0xdb, 0xea, 0x0b, 0x07,
289 0xae, 0x76, 0xfd, 0x99, 0x29, 0xf4, 0x22, 0xc1,
290 0x1a, 0x8f, 0x05, 0xfe, 0x98, 0x09, 0x07, 0x05,
291 0xc2, 0x0f, 0x0b, 0x11, 0x83, 0x39, 0xca, 0xc7,
292 0x43, 0x63, 0xff, 0x33, 0x80, 0xe7, 0xc3, 0x78,
293 0xae, 0xf1, 0x73, 0x52, 0x98, 0x1d, 0xde, 0x5c,
294 0x53, 0x6e, 0x01, 0x73, 0x0d, 0x12, 0x7e, 0x77,
295 0x03, 0xf1, 0xef, 0x1b, 0xc8, 0xa8, 0x0f, 0x97
296 };
297
298 /* RSA Known Public Key Values (24-bits). */
299 static uint8_t rsa_public_exponent[FIPS_RSA_PUBLIC_EXPONENT_LENGTH] = {
300 0x01, 0x00, 0x01
301 };
302
303 /*
304 * RSA Known Private Key Values (version is 8-bits),
305 * (private exponent is 1024-bits),
306 * (private prime0 is 512-bits),
307 * (private prime1 is 512-bits),
308 * (private prime exponent0 is 512-bits),
309 * (private prime exponent1 is 512-bits),
310 * and (private coefficient is 512-bits).
311 */
312 static uint8_t rsa_version[] = { 0x00 };
313
314 static uint8_t rsa_private_exponent[FIPS_RSA_PRIVATE_EXPONENT_LENGTH]
315 = {
316 0x85, 0x27, 0x47, 0x61, 0x4c, 0xd4, 0xb5, 0xb2,
317 0x0e, 0x70, 0x91, 0x8f, 0x3d, 0x97, 0xf9, 0x5f,
318 0xcc, 0x09, 0x65, 0x1c, 0x7c, 0x5b, 0xb3, 0x6d,
319 0x63, 0x3f, 0x7b, 0x55, 0x22, 0xbb, 0x7c, 0x48,
320 0x77, 0xae, 0x80, 0x56, 0xc2, 0x10, 0xd5, 0x03,
321 0xdb, 0x31, 0xaf, 0x8d, 0x54, 0xd4, 0x48, 0x99,
322 0xa8, 0xc4, 0x23, 0x43, 0xb8, 0x48, 0x0b, 0xc7,
323 0xbc, 0xf5, 0xcc, 0x64, 0x72, 0xbf, 0x59, 0x06,
324 0x04, 0x1c, 0x32, 0xf5, 0x14, 0x2e, 0x6e, 0xe2,
325 0x0f, 0x5c, 0xde, 0x36, 0x3c, 0x6e, 0x7c, 0x4d,
326 0xcc, 0xd3, 0x00, 0x6e, 0xe5, 0x45, 0x46, 0xef,
327 0x4d, 0x25, 0x46, 0x6d, 0x7f, 0xed, 0xbb, 0x4f,
328 0x4d, 0x9f, 0xda, 0x87, 0x47, 0x8f, 0x74, 0x44,
329 0xb7, 0xbe, 0x9d, 0xf5, 0xdd, 0xd2, 0x4c, 0xa5,
330 0xab, 0x74, 0xe5, 0x29, 0xa1, 0xd2, 0x45, 0x3b,
331 0x33, 0xde, 0xd5, 0xae, 0xf7, 0x03, 0x10, 0x21
332 };
333
334 static uint8_t rsa_prime0[FIPS_RSA_PRIME0_LENGTH] = {
335 0xf9, 0x74, 0x8f, 0x16, 0x02, 0x6b, 0xa0, 0xee,
336 0x7f, 0x28, 0x97, 0x91, 0xdc, 0xec, 0xc0, 0x7c,
337 0x49, 0xc2, 0x85, 0x76, 0xee, 0x66, 0x74, 0x2d,
338 0x1a, 0xb8, 0xf7, 0x2f, 0x11, 0x5b, 0x36, 0xd8,
339 0x46, 0x33, 0x3b, 0xd8, 0xf3, 0x2d, 0xa1, 0x03,
340 0x83, 0x2b, 0xec, 0x35, 0x43, 0x32, 0xff, 0xdd,
341 0x81, 0x7c, 0xfd, 0x65, 0x13, 0x04, 0x7c, 0xfc,
342 0x03, 0x97, 0xf0, 0xd5, 0x62, 0xdc, 0x0d, 0xbf
343 };
344
345 static uint8_t rsa_prime1[FIPS_RSA_PRIME1_LENGTH] = {
346 0xdb, 0x1e, 0xa7, 0x3d, 0xe7, 0xfa, 0x8b, 0x04,
347 0x83, 0x48, 0xf3, 0xa5, 0x31, 0x9d, 0x35, 0x5e,
348 0x4d, 0x54, 0x77, 0xcc, 0x84, 0x09, 0xf3, 0x11,
349 0x0d, 0x54, 0xed, 0x85, 0x39, 0xa9, 0xca, 0xa8,
350 0xea, 0xae, 0x19, 0x9c, 0x75, 0xdb, 0x88, 0xb8,
351 0x04, 0x8d, 0x54, 0xc6, 0xa4, 0x80, 0xf8, 0x93,
352 0xf0, 0xdb, 0x19, 0xef, 0xd7, 0x87, 0x8a, 0x8f,
353 0x5a, 0x09, 0x2e, 0x54, 0xf3, 0x45, 0x24, 0x29
354 };
355
356 static uint8_t rsa_exponent0[FIPS_RSA_EXPONENT0_LENGTH] = {
357 0x6a, 0xd1, 0x25, 0x80, 0x18, 0x33, 0x3c, 0x2b,
358 0x44, 0x19, 0xfe, 0xa5, 0x40, 0x03, 0xc4, 0xfc,
359 0xb3, 0x9c, 0xef, 0x07, 0x99, 0x58, 0x17, 0xc1,
360 0x44, 0xa3, 0x15, 0x7d, 0x7b, 0x22, 0x22, 0xdf,
361 0x03, 0x58, 0x66, 0xf5, 0x24, 0x54, 0x52, 0x91,
362 0x2d, 0x76, 0xfe, 0x63, 0x64, 0x4e, 0x0f, 0x50,
363 0x2b, 0x65, 0x79, 0x1f, 0xf1, 0xbf, 0xc7, 0x41,
364 0x26, 0xcc, 0xc6, 0x1c, 0xa9, 0x83, 0x6f, 0x03
365 };
366
367 static uint8_t rsa_exponent1[FIPS_RSA_EXPONENT1_LENGTH] = {
368 0x12, 0x84, 0x1a, 0x99, 0xce, 0x9a, 0x8b, 0x58,
369 0xcc, 0x47, 0x43, 0xdf, 0x77, 0xbb, 0xd3, 0x20,
370 0xae, 0xe4, 0x2e, 0x63, 0x67, 0xdc, 0xf7, 0x5f,
371 0x3f, 0x83, 0x27, 0xb7, 0x14, 0x52, 0x56, 0xbf,
372 0xc3, 0x65, 0x06, 0xe1, 0x03, 0xcc, 0x93, 0x57,
373 0x09, 0x7b, 0x6f, 0xe8, 0x81, 0x4a, 0x2c, 0xb7,
374 0x43, 0xa9, 0x20, 0x1d, 0xf6, 0x56, 0x8b, 0xcc,
375 0xe5, 0x4c, 0xd5, 0x4f, 0x74, 0x67, 0x29, 0x51
376 };
377
378 static uint8_t rsa_coefficient[FIPS_RSA_COEFFICIENT_LENGTH] = {
379 0x23, 0xab, 0xf4, 0x03, 0x2f, 0x29, 0x95, 0x74,
380 0xac, 0x1a, 0x33, 0x96, 0x62, 0xed, 0xf7, 0xf6,
381 0xae, 0x07, 0x2a, 0x2e, 0xe8, 0xab, 0xfb, 0x1e,
382 0xb9, 0xb2, 0x88, 0x1e, 0x85, 0x05, 0x42, 0x64,
383 0x03, 0xb2, 0x8b, 0xc1, 0x81, 0x75, 0xd7, 0xba,
384 0xaa, 0xd4, 0x31, 0x3c, 0x8a, 0x96, 0x23, 0x9d,
385 0x3f, 0x06, 0x3e, 0x44, 0xa9, 0x62, 0x2f, 0x61,
386 0x5a, 0x51, 0x82, 0x2c, 0x04, 0x85, 0x73, 0xd1
387 };
388
389 /* RSA Known Plaintext Message (1024-bits). */
390 static uint8_t rsa_known_plaintext_msg[FIPS_RSA_MESSAGE_LENGTH] = {
391 "Known plaintext message utilized"
392 "for RSA Encryption & Decryption"
393 "block, SHA1, SHA256, SHA384 and"
394 "SHA512 RSA Signature KAT tests."
395 };
396
397 /* RSA Known Ciphertext (1024-bits). */
398 static uint8_t rsa_known_ciphertext[] = {
399 0x1e, 0x7e, 0x12, 0xbb, 0x15, 0x62, 0xd0, 0x23,
400 0x53, 0x4c, 0x51, 0x97, 0x77, 0x06, 0xa0, 0xbb,
401 0x26, 0x99, 0x9a, 0x8f, 0x39, 0xad, 0x88, 0x5c,
402 0xc4, 0xce, 0x33, 0x40, 0x94, 0x92, 0xb4, 0x0e,
403 0xab, 0x71, 0xa9, 0x5d, 0x9a, 0x37, 0xe3, 0x9a,
404 0x24, 0x95, 0x13, 0xea, 0x0f, 0xbb, 0xf7, 0xff,
405 0xdf, 0x31, 0x33, 0x23, 0x1d, 0xce, 0x26, 0x9e,
406 0xd1, 0xde, 0x98, 0x40, 0xde, 0x57, 0x86, 0x12,
407 0xf1, 0xe6, 0x5a, 0x3f, 0x08, 0x02, 0x81, 0x85,
408 0xe0, 0xd9, 0xad, 0x3c, 0x8c, 0x71, 0xf8, 0xcf,
409 0x0a, 0x98, 0xc5, 0x08, 0xdc, 0xc4, 0xca, 0x8c,
410 0x23, 0x1b, 0x4d, 0x9b, 0xb5, 0x13, 0x44, 0xe1,
411 0x5f, 0xf9, 0x30, 0x80, 0x25, 0xe0, 0x1e, 0x94,
412 0xa3, 0x0c, 0xdc, 0x82, 0x2e, 0xfb, 0x30, 0xbe,
413 0x89, 0xba, 0x76, 0xb6, 0x23, 0xf7, 0xda, 0x7c,
414 0xca, 0xe6, 0x02, 0xbd, 0x92, 0xce, 0x64, 0xfc
415 };
416
417 /* RSA Known Signed Hash (1024-bits). */
418 static uint8_t rsa_known_sha1_signature[] = {
419 0xd2, 0xa4, 0xe0, 0x2b, 0xc7, 0x03, 0x7f, 0xc6,
420 0x06, 0x9e, 0xa2, 0x82, 0x19, 0xe9, 0x2b, 0xaf,
421 0xe3, 0x48, 0x88, 0xc1, 0xf3, 0xb5, 0x0d, 0xe4,
422 0x52, 0x9e, 0xad, 0xd5, 0x58, 0xb5, 0x9f, 0xe8,
423 0x40, 0xe9, 0xb7, 0x2e, 0xc6, 0x71, 0x58, 0x56,
424 0x04, 0xac, 0xb0, 0xf3, 0x3a, 0x42, 0x38, 0x08,
425 0xc4, 0x43, 0x39, 0xba, 0x19, 0xce, 0xb1, 0x99,
426 0xf1, 0x8d, 0x89, 0xd8, 0x50, 0x07, 0x14, 0x3d,
427 0xcf, 0xd0, 0xb6, 0x79, 0xde, 0x9c, 0x89, 0x32,
428 0xb0, 0x73, 0x3f, 0xed, 0x03, 0x0b, 0xdf, 0x6d,
429 0x7e, 0xc9, 0x1c, 0x39, 0xe8, 0x2b, 0x16, 0x09,
430 0xbb, 0x5f, 0x99, 0x2f, 0xeb, 0xf3, 0x37, 0x73,
431 0x0d, 0x0e, 0xcc, 0x95, 0xad, 0x90, 0x80, 0x03,
432 0x1d, 0x80, 0x55, 0x37, 0xa1, 0x2a, 0x71, 0x76,
433 0x23, 0x87, 0x8c, 0x9b, 0x41, 0x07, 0xc6, 0x3d,
434 0xc6, 0xa3, 0x7d, 0x1b, 0xff, 0x4e, 0x11, 0x19
435 };
436
437 /* RSA Known Signed Hash (1024-bits). */
438 static uint8_t rsa_known_sha256_signature[] = {
439 0x27, 0x35, 0xdd, 0xc4, 0xf8, 0xe2, 0x0b, 0xa3,
440 0xef, 0x63, 0x57, 0x3b, 0xe1, 0x58, 0x9a, 0xbc,
441 0x20, 0x9c, 0x25, 0x12, 0x01, 0xbf, 0xbb, 0x29,
442 0x80, 0x1a, 0xb1, 0x37, 0x9c, 0xcd, 0x67, 0xc7,
443 0x0d, 0xf8, 0x64, 0x10, 0x9f, 0xe2, 0xa1, 0x9b,
444 0x21, 0x90, 0xcc, 0xda, 0x8b, 0x76, 0x5e, 0x79,
445 0x00, 0x9d, 0x58, 0x8b, 0x8a, 0xb3, 0xc3, 0xb5,
446 0xf1, 0x54, 0xc5, 0x8c, 0x72, 0xba, 0xde, 0x51,
447 0x3c, 0x6b, 0x94, 0xd6, 0xf3, 0x1b, 0xa2, 0x53,
448 0xe6, 0x1a, 0x46, 0x1d, 0x7f, 0x14, 0x86, 0xcc,
449 0xa6, 0x30, 0x92, 0x96, 0xc0, 0x96, 0x24, 0xf0,
450 0x42, 0x53, 0x4c, 0xdd, 0x27, 0xdf, 0x1d, 0x2e,
451 0x8b, 0x83, 0xbe, 0xed, 0x85, 0x1d, 0x50, 0x46,
452 0xa3, 0x7d, 0x20, 0xea, 0x3e, 0x91, 0xfb, 0xf6,
453 0x86, 0x51, 0xfd, 0x8c, 0xe5, 0x31, 0xe6, 0x7e,
454 0x60, 0x08, 0x0e, 0xec, 0xa6, 0xea, 0x24, 0x8d
455 };
456
457 /* RSA Known Signed Hash (1024-bits). */
458 static uint8_t rsa_known_sha384_signature[] = {
459 0x0b, 0x03, 0x94, 0x4f, 0x94, 0x78, 0x9b, 0x96,
460 0x76, 0xeb, 0x72, 0x58, 0xe1, 0xc5, 0xc7, 0x5f,
461 0x85, 0x01, 0xa8, 0xc4, 0xf6, 0x1a, 0xb5, 0x2c,
462 0xd1, 0xd8, 0x87, 0xde, 0x3a, 0x9c, 0x9f, 0x57,
463 0x81, 0x2a, 0x1e, 0x23, 0x07, 0x70, 0xb0, 0xf9,
464 0x28, 0x3d, 0xfa, 0xe5, 0x2e, 0x1b, 0x9a, 0x72,
465 0xc3, 0x74, 0xb3, 0x42, 0x1c, 0x9a, 0x13, 0xdc,
466 0xc9, 0xd6, 0xd5, 0x88, 0xc9, 0x9c, 0x46, 0xf1,
467 0x0c, 0xa6, 0xf7, 0xd8, 0x06, 0xa3, 0x1b, 0xdf,
468 0x55, 0xb3, 0x1b, 0x7b, 0x58, 0x1d, 0xff, 0x19,
469 0xc7, 0xe0, 0xdd, 0x59, 0xac, 0x2f, 0x78, 0x71,
470 0xe7, 0xe0, 0x17, 0xa3, 0x1c, 0x5c, 0x92, 0xef,
471 0xb6, 0x75, 0xed, 0xbe, 0x18, 0x39, 0x6b, 0xd7,
472 0xc9, 0x08, 0x62, 0x55, 0x62, 0xac, 0x5d, 0xa1,
473 0x9b, 0xd5, 0xb8, 0x98, 0x15, 0xc0, 0xf5, 0x41,
474 0x85, 0x44, 0x96, 0xca, 0x10, 0xdc, 0x57, 0x21
475 };
476
477 /* RSA Known Signed Hash (1024-bits). */
478 static uint8_t rsa_known_sha512_signature[] = {
479 0xa5, 0xd0, 0x80, 0x04, 0x22, 0xfc, 0x80, 0x73,
480 0x7d, 0x46, 0xc8, 0x7b, 0xac, 0x44, 0x7b, 0xe6,
481 0x07, 0xe5, 0x61, 0x4c, 0x33, 0x7f, 0x6f, 0x46,
482 0x7c, 0x30, 0xe3, 0x75, 0x59, 0x4b, 0x42, 0xf3,
483 0x9f, 0x35, 0x3c, 0x10, 0x56, 0xdb, 0xd2, 0x69,
484 0x43, 0xcb, 0x77, 0xe9, 0x7d, 0xcd, 0x07, 0x43,
485 0xc5, 0xd4, 0x0c, 0x9d, 0xf5, 0x92, 0xbd, 0x0e,
486 0x3b, 0xb7, 0x68, 0x88, 0x84, 0xca, 0xae, 0x0d,
487 0xab, 0x71, 0x10, 0xad, 0xab, 0x27, 0xe4, 0xa3,
488 0x24, 0x41, 0xeb, 0x1c, 0xa6, 0x5f, 0xf1, 0x85,
489 0xd0, 0xf6, 0x22, 0x74, 0x3d, 0x81, 0xbe, 0xdd,
490 0x1b, 0x2a, 0x4c, 0xd1, 0x6c, 0xb5, 0x6d, 0x7a,
491 0xbb, 0x99, 0x69, 0x01, 0xa6, 0xc0, 0x98, 0xfa,
492 0x97, 0xa3, 0xd1, 0xb0, 0xdf, 0x09, 0xe3, 0x3d,
493 0x88, 0xee, 0x90, 0xf3, 0x10, 0x41, 0x0f, 0x06,
494 0x31, 0xe9, 0x60, 0x2d, 0xbf, 0x63, 0x7b, 0xf8
495 };
496
497 RSAPrivateKey_t rsa_private_key;
498 CK_RV rv;
499 uint8_t rsa_computed_ciphertext[FIPS_RSA_ENCRYPT_LENGTH];
500 uint8_t rsa_computed_plaintext[FIPS_RSA_DECRYPT_LENGTH];
501 uint8_t rsa_computed_signature[FIPS_RSA_SIGNATURE_LENGTH];
502 CK_BYTE der_data[SHA512_DIGEST_LENGTH + SHA2_DER_PREFIX_Len];
503
504 /*
505 * RSA Known Answer Encryption Test.
506 */
507 rsa_private_key.bkey.modulus = rsa_modulus;
508 rsa_private_key.bkey.modulus_bits =
509 CRYPTO_BYTES2BITS(FIPS_RSA_MODULUS_LENGTH);
510 rsa_private_key.bkey.pubexpo = rsa_public_exponent;
511 rsa_private_key.bkey.pubexpo_bytes = FIPS_RSA_PUBLIC_EXPONENT_LENGTH;
512 rsa_private_key.bkey.rfunc = NULL;
513
514 /* Perform RSA Public Key Encryption. */
515 rv = fips_rsa_encrypt(&rsa_private_key,
516 rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH,
517 rsa_computed_ciphertext);
518
519 if ((rv != CKR_OK) ||
520 (memcmp(rsa_computed_ciphertext, rsa_known_ciphertext,
521 FIPS_RSA_ENCRYPT_LENGTH) != 0))
522 return (CKR_DEVICE_ERROR);
523
524 /*
525 * RSA Known Answer Decryption Test.
526 */
527 rsa_private_key.version = rsa_version;
528 rsa_private_key.version_len = FIPS_RSA_PRIVATE_VERSION_LENGTH;
529 rsa_private_key.bkey.modulus = rsa_modulus;
530 rsa_private_key.bkey.modulus_bits =
531 CRYPTO_BYTES2BITS(FIPS_RSA_MODULUS_LENGTH);
532 rsa_private_key.bkey.pubexpo = rsa_public_exponent;
533 rsa_private_key.bkey.pubexpo_bytes = FIPS_RSA_PUBLIC_EXPONENT_LENGTH;
534 rsa_private_key.bkey.privexpo = rsa_private_exponent;
535 rsa_private_key.bkey.privexpo_bytes = FIPS_RSA_PRIVATE_EXPONENT_LENGTH;
536 rsa_private_key.bkey.prime1 = rsa_prime0;
537 rsa_private_key.bkey.prime1_bytes = FIPS_RSA_PRIME0_LENGTH;
538 rsa_private_key.bkey.prime2 = rsa_prime1;
539 rsa_private_key.bkey.prime2_bytes = FIPS_RSA_PRIME1_LENGTH;
540 rsa_private_key.bkey.expo1 = rsa_exponent0;
541 rsa_private_key.bkey.expo1_bytes = FIPS_RSA_EXPONENT0_LENGTH;
542 rsa_private_key.bkey.expo2 = rsa_exponent1;
543 rsa_private_key.bkey.expo2_bytes = FIPS_RSA_EXPONENT1_LENGTH;
544 rsa_private_key.bkey.coeff = rsa_coefficient;
545 rsa_private_key.bkey.coeff_bytes = FIPS_RSA_COEFFICIENT_LENGTH;
546
547 /* Perform RSA Private Key Decryption. */
548 rv = fips_rsa_decrypt(&rsa_private_key, rsa_known_ciphertext,
549 FIPS_RSA_MESSAGE_LENGTH, rsa_computed_plaintext);
550
551 if ((rv != CKR_OK) ||
552 (memcmp(rsa_computed_plaintext, rsa_known_plaintext_msg,
553 FIPS_RSA_DECRYPT_LENGTH) != 0))
554 return (CKR_DEVICE_ERROR);
555
556 /* SHA-1 Sign/Verify */
557 #ifdef _KERNEL
558 rv = fips_rsa_sign_verify_test(SHA1_TYPE, &rsa_private_key,
559 rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH,
560 rsa_computed_signature, der_data, 1);
561 #else
562 rv = fips_rsa_sign_verify_test(CKM_SHA_1, &rsa_private_key,
563 rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH,
564 rsa_computed_signature, der_data, 1);
565 #endif
566
567 if ((rv != CKR_OK) ||
568 (memcmp(rsa_computed_signature, rsa_known_sha1_signature,
569 FIPS_RSA_SIGNATURE_LENGTH) != 0))
570 return (CKR_DEVICE_ERROR);
571
572 #ifdef _KERNEL
573 rv = fips_rsa_sign_verify_test(SHA1_TYPE, &rsa_private_key,
574 rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH,
575 rsa_computed_signature, der_data, 0);
576 #else
577 rv = fips_rsa_sign_verify_test(CKM_SHA_1, &rsa_private_key,
578 rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH,
579 rsa_computed_signature, der_data, 0);
580 #endif
581
582 if (rv != CKR_OK)
583 goto rsa_loser;
584
585 /* SHA256 Sign/Verify */
586 #ifdef _KERNEL
587 rv = fips_rsa_sign_verify_test(SHA256_TYPE, &rsa_private_key,
588 rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH,
589 rsa_computed_signature, der_data, 1);
590 #else
591 rv = fips_rsa_sign_verify_test(CKM_SHA256, &rsa_private_key,
592 rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH,
593 rsa_computed_signature, der_data, 1);
594 #endif
595
596 if ((rv != CKR_OK) ||
597 (memcmp(rsa_computed_signature, rsa_known_sha256_signature,
598 FIPS_RSA_SIGNATURE_LENGTH) != 0))
599 return (CKR_DEVICE_ERROR);
600
601 #ifdef _KERNEL
602 rv = fips_rsa_sign_verify_test(SHA256_TYPE, &rsa_private_key,
603 rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH,
604 rsa_computed_signature, der_data, 0);
605 #else
606 rv = fips_rsa_sign_verify_test(CKM_SHA256, &rsa_private_key,
607 rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH,
608 rsa_computed_signature, der_data, 0);
609 #endif
610
611 if (rv != CKR_OK)
612 goto rsa_loser;
613
614 /* SHA384 Sign/Verify */
615 #ifdef _KERNEL
616 rv = fips_rsa_sign_verify_test(SHA384_TYPE, &rsa_private_key,
617 rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH,
618 rsa_computed_signature, der_data, 1);
619 #else
620 rv = fips_rsa_sign_verify_test(CKM_SHA384, &rsa_private_key,
621 rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH,
622 rsa_computed_signature, der_data, 1);
623 #endif
624
625 if ((rv != CKR_OK) ||
626 (memcmp(rsa_computed_signature, rsa_known_sha384_signature,
627 FIPS_RSA_SIGNATURE_LENGTH) != 0))
628 return (CKR_DEVICE_ERROR);
629
630 #ifdef _KERNEL
631 rv = fips_rsa_sign_verify_test(SHA384_TYPE, &rsa_private_key,
632 rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH,
633 rsa_computed_signature, der_data, 0);
634 #else
635 rv = fips_rsa_sign_verify_test(CKM_SHA384, &rsa_private_key,
636 rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH,
637 rsa_computed_signature, der_data, 0);
638 #endif
639
640 if (rv != CKR_OK)
641 goto rsa_loser;
642
643 /* SHA512 Sign/Verify */
644 #ifdef _KERNEL
645 rv = fips_rsa_sign_verify_test(SHA512_TYPE, &rsa_private_key,
646 rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH,
647 rsa_computed_signature, der_data, 1);
648 #else
649 rv = fips_rsa_sign_verify_test(CKM_SHA512, &rsa_private_key,
650 rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH,
651 rsa_computed_signature, der_data, 1);
652 #endif
653
654 if ((rv != CKR_OK) ||
655 (memcmp(rsa_computed_signature, rsa_known_sha512_signature,
656 FIPS_RSA_SIGNATURE_LENGTH) != 0))
657 return (CKR_DEVICE_ERROR);
658
659 #ifdef _KERNEL
660 rv = fips_rsa_sign_verify_test(SHA512_TYPE, &rsa_private_key,
661 rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH,
662 rsa_computed_signature, der_data, 0);
663 #else
664 rv = fips_rsa_sign_verify_test(CKM_SHA512, &rsa_private_key,
665 rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH,
666 rsa_computed_signature, der_data, 0);
667 #endif
668
669 rsa_loser:
670 if (rv != CKR_OK)
671 return (CKR_DEVICE_ERROR);
672 else
673 return (CKR_OK);
674
675 }
676