1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #include <sys/types.h> 27 #include <sys/param.h> 28 #include <sys/errno.h> 29 #include <sys/kmem.h> 30 #include <sys/systm.h> 31 #include <sys/sysmacros.h> 32 #include <sys/sha1.h> 33 #define _SHA2_IMPL 34 #include <sys/sha2.h> 35 #include <sys/crypto/common.h> 36 #define _RSA_FIPS_POST 37 #include <rsa/rsa_impl.h> 38 #ifndef _KERNEL 39 #include <stdlib.h> 40 #include <string.h> 41 #include <strings.h> 42 #include <stdio.h> 43 #include <security/cryptoki.h> 44 #include <cryptoutil.h> 45 #include "softMAC.h" 46 #endif 47 #include <sha2/sha2_impl.h> 48 49 int 50 fips_rsa_encrypt(uint8_t *modulus, int modulus_len, 51 uint8_t *expo, int expo_len, 52 uint8_t *in, int in_len, uint8_t *out) 53 { 54 55 RSAkey *rsakey; 56 BIGNUM msg; 57 CK_RV rv = CKR_OK; 58 59 #ifdef _KERNEL 60 if ((rsakey = kmem_zalloc(sizeof (RSAkey), KM_SLEEP)) == NULL) { 61 #else 62 if ((rsakey = calloc(1, sizeof (RSAkey))) == NULL) { 63 #endif 64 rv = CKR_HOST_MEMORY; 65 goto clean1; 66 } 67 68 if (RSA_key_init(rsakey, modulus_len * 4, modulus_len * 4) != BIG_OK) { 69 rv = CKR_HOST_MEMORY; 70 goto clean2; 71 } 72 73 /* Size for big_init is in (32-bit) words. */ 74 if (big_init(&msg, CHARLEN2BIGNUMLEN(in_len)) != BIG_OK) { 75 rv = CKR_HOST_MEMORY; 76 goto clean3; 77 } 78 79 /* Convert octet string exponent to big integer format. */ 80 bytestring2bignum(&(rsakey->e), expo, expo_len); 81 82 /* Convert octet string modulus to big integer format. */ 83 bytestring2bignum(&(rsakey->n), modulus, modulus_len); 84 85 /* Convert octet string input data to big integer format. */ 86 bytestring2bignum(&msg, (uchar_t *)in, in_len); 87 88 if (big_cmp_abs(&msg, &(rsakey->n)) > 0) { 89 rv = CKR_DATA_LEN_RANGE; 90 goto clean4; 91 } 92 93 /* Perform RSA computation on big integer input data. */ 94 if (big_modexp(&msg, &msg, &(rsakey->e), &(rsakey->n), NULL) != 95 BIG_OK) { 96 rv = CKR_HOST_MEMORY; 97 goto clean4; 98 } 99 100 /* Convert the big integer output data to octet string. */ 101 bignum2bytestring((uchar_t *)out, &msg, modulus_len); 102 103 clean4: 104 big_finish(&msg); 105 clean3: 106 RSA_key_finish(rsakey); 107 clean2: 108 #ifndef _KERNEL 109 free(rsakey); 110 #else 111 kmem_free(rsakey, sizeof (RSAkey)); 112 #endif 113 clean1: 114 115 return (rv); 116 } 117 118 int 119 fips_rsa_decrypt(RSAPrivateKey_t *key, uint8_t *in, int in_len, 120 uint8_t *out) 121 { 122 123 RSAkey *rsakey; 124 BIGNUM msg; 125 CK_RV rv = CKR_OK; 126 127 #ifdef _KERNEL 128 if ((rsakey = kmem_zalloc(sizeof (RSAkey), KM_SLEEP)) == NULL) { 129 #else 130 if ((rsakey = calloc(1, sizeof (RSAkey))) == NULL) { 131 #endif 132 rv = CKR_HOST_MEMORY; 133 goto clean1; 134 } 135 136 /* psize and qsize for RSA_key_init is in bits. */ 137 if (RSA_key_init(rsakey, key->prime2_len * 8, key->prime1_len * 8) 138 != BIG_OK) { 139 rv = CKR_HOST_MEMORY; 140 goto clean2; 141 } 142 143 /* Size for big_init is in (32-bit) words. */ 144 if (big_init(&msg, CHARLEN2BIGNUMLEN(in_len)) != BIG_OK) { 145 rv = CKR_HOST_MEMORY; 146 goto clean3; 147 } 148 149 /* Convert octet string input data to big integer format. */ 150 bytestring2bignum(&msg, (uchar_t *)in, in_len); 151 152 /* Convert octet string modulus to big integer format. */ 153 bytestring2bignum(&(rsakey->n), key->modulus, key->modulus_len); 154 155 if (big_cmp_abs(&msg, &(rsakey->n)) > 0) { 156 rv = CKR_DATA_LEN_RANGE; 157 goto clean4; 158 } 159 160 /* Convert the rest of private key attributes to big integer format. */ 161 bytestring2bignum(&(rsakey->dmodpminus1), key->exponent2, 162 key->exponent2_len); 163 bytestring2bignum(&(rsakey->dmodqminus1), key->exponent1, 164 key->exponent1_len); 165 bytestring2bignum(&(rsakey->p), key->prime2, key->prime2_len); 166 bytestring2bignum(&(rsakey->q), key->prime1, key->prime1_len); 167 bytestring2bignum(&(rsakey->pinvmodq), key->coef, key->coef_len); 168 169 if ((big_cmp_abs(&(rsakey->dmodpminus1), &(rsakey->p)) > 0) || 170 (big_cmp_abs(&(rsakey->dmodqminus1), &(rsakey->q)) > 0) || 171 (big_cmp_abs(&(rsakey->pinvmodq), &(rsakey->q)) > 0)) { 172 #ifndef _KERNEL 173 rv = CKR_KEY_SIZE_RANGE; 174 #else 175 rv = CRYPTO_KEY_SIZE_RANGE; 176 #endif 177 goto clean4; 178 } 179 180 /* Perform RSA computation on big integer input data. */ 181 if (big_modexp_crt(&msg, &msg, &(rsakey->dmodpminus1), 182 &(rsakey->dmodqminus1), &(rsakey->p), &(rsakey->q), 183 &(rsakey->pinvmodq), NULL, NULL) != BIG_OK) { 184 rv = CKR_HOST_MEMORY; 185 goto clean4; 186 } 187 188 /* Convert the big integer output data to octet string. */ 189 bignum2bytestring((uchar_t *)out, &msg, key->modulus_len); 190 191 clean4: 192 big_finish(&msg); 193 clean3: 194 RSA_key_finish(rsakey); 195 clean2: 196 #ifndef _KERNEL 197 free(rsakey); 198 #else 199 kmem_free(rsakey, sizeof (RSAkey)); 200 #endif 201 clean1: 202 203 return (rv); 204 205 } 206 207 int 208 fips_rsa_sign(RSAPrivateKey_t *rsa_params, uint8_t *in, 209 uint32_t inlen, uint8_t *out) 210 { 211 BIGNUM msg; 212 RSAkey rsakey; 213 CK_RV rv = CKR_OK; 214 215 /* psize and qsize for RSA_key_init is in bits. */ 216 if (RSA_key_init(&rsakey, rsa_params->prime2_len * 8, 217 rsa_params->prime1_len * 8) != BIG_OK) { 218 rv = CKR_HOST_MEMORY; 219 goto clean1; 220 } 221 222 /* Size for big_init is in BIG_CHUNK_TYPE words. */ 223 if (big_init(&msg, CHARLEN2BIGNUMLEN(inlen)) != BIG_OK) { 224 rv = CKR_HOST_MEMORY; 225 goto clean2; 226 } 227 228 /* Convert octet string input data to big integer format. */ 229 bytestring2bignum(&msg, (uchar_t *)in, inlen); 230 231 /* Convert octet string modulus to big integer format. */ 232 bytestring2bignum(&(rsakey.n), rsa_params->modulus, 233 rsa_params->modulus_len); 234 235 if (big_cmp_abs(&msg, &(rsakey.n)) > 0) { 236 rv = CKR_DATA_LEN_RANGE; 237 goto clean3; 238 } 239 240 /* Convert the rest of private key attributes to big integer format. */ 241 bytestring2bignum(&(rsakey.dmodpminus1), rsa_params->exponent2, 242 rsa_params->exponent2_len); 243 bytestring2bignum(&(rsakey.dmodqminus1), rsa_params->exponent1, 244 rsa_params->exponent1_len); 245 bytestring2bignum(&(rsakey.p), rsa_params->prime2, 246 rsa_params->prime2_len); 247 bytestring2bignum(&(rsakey.q), rsa_params->prime1, 248 rsa_params->prime1_len); 249 bytestring2bignum(&(rsakey.pinvmodq), rsa_params->coef, 250 rsa_params->coef_len); 251 252 if ((big_cmp_abs(&(rsakey.dmodpminus1), &(rsakey.p)) > 0) || 253 (big_cmp_abs(&(rsakey.dmodqminus1), &(rsakey.q)) > 0) || 254 (big_cmp_abs(&(rsakey.pinvmodq), &(rsakey.q)) > 0)) { 255 #ifndef _KERNEL 256 rv = CKR_KEY_SIZE_RANGE; 257 #else 258 rv = CRYPTO_KEY_SIZE_RANGE; 259 #endif 260 goto clean3; 261 } 262 263 /* Perform RSA computation on big integer input data. */ 264 if (big_modexp_crt(&msg, &msg, &(rsakey.dmodpminus1), 265 &(rsakey.dmodqminus1), &(rsakey.p), &(rsakey.q), 266 &(rsakey.pinvmodq), NULL, NULL) != BIG_OK) { 267 rv = CKR_HOST_MEMORY; 268 goto clean3; 269 } 270 271 /* Convert the big integer output data to octet string. */ 272 bignum2bytestring((uchar_t *)out, &msg, rsa_params->modulus_len); 273 274 clean3: 275 big_finish(&msg); 276 clean2: 277 RSA_key_finish(&rsakey); 278 clean1: 279 280 return (rv); 281 282 } 283 284 int 285 fips_rsa_verify(RSAPrivateKey_t *rsa_params, uint8_t *in, uint32_t in_len, 286 uint8_t *out) 287 { 288 289 BIGNUM msg; 290 RSAkey rsakey; 291 CK_RV rv = CKR_OK; 292 293 if (RSA_key_init(&rsakey, rsa_params->modulus_len * 4, 294 rsa_params->modulus_len * 4) != BIG_OK) { 295 rv = CKR_HOST_MEMORY; 296 goto clean1; 297 } 298 299 /* Size for big_init is in BIG_CHUNK_TYPE words. */ 300 if (big_init(&msg, CHARLEN2BIGNUMLEN(in_len)) != BIG_OK) { 301 rv = CKR_HOST_MEMORY; 302 goto clean2; 303 } 304 305 /* Convert octet string exponent to big integer format. */ 306 bytestring2bignum(&(rsakey.e), rsa_params->public_expo, 307 rsa_params->public_expo_len); 308 309 /* Convert octet string modulus to big integer format. */ 310 bytestring2bignum(&(rsakey.n), rsa_params->modulus, 311 rsa_params->modulus_len); 312 313 /* Convert octet string input data to big integer format. */ 314 bytestring2bignum(&msg, (uchar_t *)in, in_len); 315 316 if (big_cmp_abs(&msg, &(rsakey.n)) > 0) { 317 rv = CKR_DATA_LEN_RANGE; 318 goto clean3; 319 } 320 321 /* Perform RSA computation on big integer input data. */ 322 if (big_modexp(&msg, &msg, &(rsakey.e), &(rsakey.n), NULL) != 323 BIG_OK) { 324 rv = CKR_HOST_MEMORY; 325 goto clean3; 326 } 327 328 /* Convert the big integer output data to octet string. */ 329 bignum2bytestring((uchar_t *)out, &msg, rsa_params->modulus_len); 330 331 clean3: 332 big_finish(&msg); 333 clean2: 334 RSA_key_finish(&rsakey); 335 clean1: 336 337 return (rv); 338 } 339 340 static CK_RV 341 #ifdef _KERNEL 342 fips_rsa_sign_verify_test(sha2_mech_t mechanism, 343 #else 344 fips_rsa_sign_verify_test(CK_MECHANISM_TYPE mechanism, 345 #endif 346 RSAPrivateKey_t *rsa_private_key, 347 unsigned char *rsa_known_msg, 348 unsigned int rsa_msg_length, 349 unsigned char *rsa_computed_signature, 350 unsigned char *der_data, int sign) 351 352 { 353 unsigned char hash[SHA512_DIGEST_LENGTH]; /* SHA digest */ 354 SHA1_CTX *sha1_context = NULL; 355 SHA2_CTX *sha2_context = NULL; 356 int hash_len; 357 CK_RV rv; 358 CK_ULONG der_len; 359 CK_BYTE *der_prefix; 360 CK_ULONG der_data_len; 361 CK_BYTE plain_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 362 uint32_t modulus_len; 363 364 switch (mechanism) { 365 #ifdef _KERNEL 366 case SHA1_TYPE: 367 #else 368 case CKM_SHA_1: 369 #endif 370 { 371 372 #ifdef _KERNEL 373 if ((sha1_context = kmem_zalloc(sizeof (SHA1_CTX), 374 KM_SLEEP)) == NULL) 375 #else 376 if ((sha1_context = malloc(sizeof (SHA1_CTX))) == NULL) 377 #endif 378 return (CKR_HOST_MEMORY); 379 380 SHA1Init(sha1_context); 381 382 #ifdef __sparcv9 383 SHA1Update(sha1_context, rsa_known_msg, 384 (uint_t)rsa_msg_length); 385 #else /* !__sparcv9 */ 386 SHA1Update(sha1_context, rsa_known_msg, rsa_msg_length); 387 #endif /* __sparcv9 */ 388 SHA1Final(hash, sha1_context); 389 390 hash_len = SHA1_DIGEST_LENGTH; 391 392 /* 393 * Prepare the DER encoding of the DigestInfo value 394 * by setting it to: 395 * <MECH>_DER_PREFIX || H 396 */ 397 der_len = SHA1_DER_PREFIX_Len; 398 der_prefix = (CK_BYTE *)SHA1_DER_PREFIX; 399 (void) memcpy(der_data, der_prefix, der_len); 400 (void) memcpy(der_data + der_len, hash, hash_len); 401 der_data_len = der_len + hash_len; 402 break; 403 } 404 405 #ifdef _KERNEL 406 case SHA256_TYPE: 407 #else 408 case CKM_SHA256: 409 #endif 410 { 411 412 sha2_context = fips_sha2_build_context(mechanism); 413 if (sha2_context == NULL) 414 return (CKR_HOST_MEMORY); 415 416 rv = fips_sha2_hash(sha2_context, rsa_known_msg, 417 rsa_msg_length, hash); 418 hash_len = SHA256_DIGEST_LENGTH; 419 420 /* 421 * Prepare the DER encoding of the DigestInfo value 422 * by setting it to: 423 * <MECH>_DER_PREFIX || H 424 */ 425 (void) memcpy(der_data, SHA256_DER_PREFIX, 426 SHA2_DER_PREFIX_Len); 427 (void) memcpy(der_data + SHA2_DER_PREFIX_Len, hash, hash_len); 428 der_data_len = SHA2_DER_PREFIX_Len + hash_len; 429 break; 430 } 431 #ifdef _KERNEL 432 case SHA384_TYPE: 433 #else 434 case CKM_SHA384: 435 #endif 436 { 437 438 sha2_context = fips_sha2_build_context(mechanism); 439 if (sha2_context == NULL) 440 return (CKR_HOST_MEMORY); 441 442 rv = fips_sha2_hash(sha2_context, rsa_known_msg, 443 rsa_msg_length, hash); 444 hash_len = SHA384_DIGEST_LENGTH; 445 446 /* 447 * Prepare the DER encoding of the DigestInfo value 448 * by setting it to: 449 * <MECH>_DER_PREFIX || H 450 */ 451 (void) memcpy(der_data, SHA384_DER_PREFIX, 452 SHA2_DER_PREFIX_Len); 453 (void) memcpy(der_data + SHA2_DER_PREFIX_Len, hash, hash_len); 454 der_data_len = SHA2_DER_PREFIX_Len + hash_len; 455 break; 456 } 457 #ifdef _KERNEL 458 case SHA512_TYPE: 459 #else 460 case CKM_SHA512: 461 #endif 462 { 463 464 sha2_context = fips_sha2_build_context(mechanism); 465 if (sha2_context == NULL) 466 return (CKR_HOST_MEMORY); 467 468 rv = fips_sha2_hash(sha2_context, rsa_known_msg, 469 rsa_msg_length, hash); 470 hash_len = SHA512_DIGEST_LENGTH; 471 472 /* 473 * Prepare the DER encoding of the DigestInfo value 474 * by setting it to: 475 * <MECH>_DER_PREFIX || H 476 */ 477 (void) memcpy(der_data, SHA512_DER_PREFIX, 478 SHA2_DER_PREFIX_Len); 479 (void) memcpy(der_data + SHA2_DER_PREFIX_Len, hash, hash_len); 480 der_data_len = SHA2_DER_PREFIX_Len + hash_len; 481 break; 482 } 483 } 484 485 modulus_len = rsa_private_key->modulus_len; 486 487 if (sign) { 488 rv = soft_sign_rsa_pkcs_encode(der_data, der_data_len, 489 plain_data, modulus_len); 490 491 if (rv != CKR_OK) { 492 return (CKR_DEVICE_ERROR); 493 } 494 495 rv = fips_rsa_sign(rsa_private_key, plain_data, modulus_len, 496 rsa_computed_signature); 497 498 if (rv != CKR_OK) { 499 return (CKR_DEVICE_ERROR); 500 } 501 } else { 502 /* 503 * Perform RSA decryption with the signer's RSA public key 504 * for verification process. 505 */ 506 rv = fips_rsa_verify(rsa_private_key, rsa_computed_signature, 507 modulus_len, plain_data); 508 509 if (rv == CKR_OK) { 510 511 /* 512 * Strip off the encoded padding bytes in front of the 513 * recovered data, then compare the recovered data with 514 * the original data. 515 */ 516 int data_len = modulus_len; 517 518 rv = soft_verify_rsa_pkcs_decode(plain_data, &data_len); 519 if (rv != CKR_OK) { 520 return (CKR_DEVICE_ERROR); 521 } 522 523 if ((CK_ULONG)data_len != der_data_len) { 524 #ifdef _KERNEL 525 return (CRYPTO_SIGNATURE_LEN_RANGE); 526 #else 527 return (CKR_SIGNATURE_LEN_RANGE); 528 #endif 529 } else if (memcmp(der_data, 530 &plain_data[modulus_len - data_len], 531 data_len) != 0) { 532 return (CKR_SIGNATURE_INVALID); 533 } 534 } else { 535 536 return (CKR_DEVICE_ERROR); 537 } 538 } 539 return (CKR_OK); 540 } 541 542 543 /* 544 * RSA Power-On SelfTest(s). 545 */ 546 int 547 fips_rsa_post(void) 548 { 549 /* 550 * RSA Known Modulus used in both Public/Private Key Values (1024-bits). 551 */ 552 static uint8_t rsa_modulus[FIPS_RSA_MODULUS_LENGTH] = { 553 0xd5, 0x84, 0x95, 0x07, 0xf4, 0xd0, 0x1f, 0x82, 554 0xf3, 0x79, 0xf4, 0x99, 0x48, 0x10, 0xe1, 0x71, 555 0xa5, 0x62, 0x22, 0xa3, 0x4b, 0x00, 0xe3, 0x5b, 556 0x3a, 0xcc, 0x10, 0x83, 0xe0, 0xaf, 0x61, 0x13, 557 0x54, 0x6a, 0xa2, 0x6a, 0x2c, 0x5e, 0xb3, 0xcc, 558 0xa3, 0x71, 0x9a, 0xb2, 0x3e, 0x78, 0xec, 0xb5, 559 0x0e, 0x6e, 0x31, 0x3b, 0x77, 0x1f, 0x6e, 0x94, 560 0x41, 0x60, 0xd5, 0x6e, 0xd9, 0xc6, 0xf9, 0x29, 561 0xc3, 0x40, 0x36, 0x25, 0xdb, 0xea, 0x0b, 0x07, 562 0xae, 0x76, 0xfd, 0x99, 0x29, 0xf4, 0x22, 0xc1, 563 0x1a, 0x8f, 0x05, 0xfe, 0x98, 0x09, 0x07, 0x05, 564 0xc2, 0x0f, 0x0b, 0x11, 0x83, 0x39, 0xca, 0xc7, 565 0x43, 0x63, 0xff, 0x33, 0x80, 0xe7, 0xc3, 0x78, 566 0xae, 0xf1, 0x73, 0x52, 0x98, 0x1d, 0xde, 0x5c, 567 0x53, 0x6e, 0x01, 0x73, 0x0d, 0x12, 0x7e, 0x77, 568 0x03, 0xf1, 0xef, 0x1b, 0xc8, 0xa8, 0x0f, 0x97 569 }; 570 571 /* RSA Known Public Key Values (24-bits). */ 572 static uint8_t rsa_public_exponent[FIPS_RSA_PUBLIC_EXPONENT_LENGTH] = { 573 0x01, 0x00, 0x01 574 }; 575 576 /* 577 * RSA Known Private Key Values (version is 8-bits), 578 * (private exponent is 1024-bits), 579 * (private prime0 is 512-bits), 580 * (private prime1 is 512-bits), 581 * (private prime exponent0 is 512-bits), 582 * (private prime exponent1 is 512-bits), 583 * and (private coefficient is 512-bits). 584 */ 585 static uint8_t rsa_version[] = { 0x00 }; 586 587 static uint8_t rsa_private_exponent[FIPS_RSA_PRIVATE_EXPONENT_LENGTH] 588 = { 589 0x85, 0x27, 0x47, 0x61, 0x4c, 0xd4, 0xb5, 0xb2, 590 0x0e, 0x70, 0x91, 0x8f, 0x3d, 0x97, 0xf9, 0x5f, 591 0xcc, 0x09, 0x65, 0x1c, 0x7c, 0x5b, 0xb3, 0x6d, 592 0x63, 0x3f, 0x7b, 0x55, 0x22, 0xbb, 0x7c, 0x48, 593 0x77, 0xae, 0x80, 0x56, 0xc2, 0x10, 0xd5, 0x03, 594 0xdb, 0x31, 0xaf, 0x8d, 0x54, 0xd4, 0x48, 0x99, 595 0xa8, 0xc4, 0x23, 0x43, 0xb8, 0x48, 0x0b, 0xc7, 596 0xbc, 0xf5, 0xcc, 0x64, 0x72, 0xbf, 0x59, 0x06, 597 0x04, 0x1c, 0x32, 0xf5, 0x14, 0x2e, 0x6e, 0xe2, 598 0x0f, 0x5c, 0xde, 0x36, 0x3c, 0x6e, 0x7c, 0x4d, 599 0xcc, 0xd3, 0x00, 0x6e, 0xe5, 0x45, 0x46, 0xef, 600 0x4d, 0x25, 0x46, 0x6d, 0x7f, 0xed, 0xbb, 0x4f, 601 0x4d, 0x9f, 0xda, 0x87, 0x47, 0x8f, 0x74, 0x44, 602 0xb7, 0xbe, 0x9d, 0xf5, 0xdd, 0xd2, 0x4c, 0xa5, 603 0xab, 0x74, 0xe5, 0x29, 0xa1, 0xd2, 0x45, 0x3b, 604 0x33, 0xde, 0xd5, 0xae, 0xf7, 0x03, 0x10, 0x21 605 }; 606 607 static uint8_t rsa_prime0[FIPS_RSA_PRIME0_LENGTH] = { 608 0xf9, 0x74, 0x8f, 0x16, 0x02, 0x6b, 0xa0, 0xee, 609 0x7f, 0x28, 0x97, 0x91, 0xdc, 0xec, 0xc0, 0x7c, 610 0x49, 0xc2, 0x85, 0x76, 0xee, 0x66, 0x74, 0x2d, 611 0x1a, 0xb8, 0xf7, 0x2f, 0x11, 0x5b, 0x36, 0xd8, 612 0x46, 0x33, 0x3b, 0xd8, 0xf3, 0x2d, 0xa1, 0x03, 613 0x83, 0x2b, 0xec, 0x35, 0x43, 0x32, 0xff, 0xdd, 614 0x81, 0x7c, 0xfd, 0x65, 0x13, 0x04, 0x7c, 0xfc, 615 0x03, 0x97, 0xf0, 0xd5, 0x62, 0xdc, 0x0d, 0xbf 616 }; 617 618 static uint8_t rsa_prime1[FIPS_RSA_PRIME1_LENGTH] = { 619 0xdb, 0x1e, 0xa7, 0x3d, 0xe7, 0xfa, 0x8b, 0x04, 620 0x83, 0x48, 0xf3, 0xa5, 0x31, 0x9d, 0x35, 0x5e, 621 0x4d, 0x54, 0x77, 0xcc, 0x84, 0x09, 0xf3, 0x11, 622 0x0d, 0x54, 0xed, 0x85, 0x39, 0xa9, 0xca, 0xa8, 623 0xea, 0xae, 0x19, 0x9c, 0x75, 0xdb, 0x88, 0xb8, 624 0x04, 0x8d, 0x54, 0xc6, 0xa4, 0x80, 0xf8, 0x93, 625 0xf0, 0xdb, 0x19, 0xef, 0xd7, 0x87, 0x8a, 0x8f, 626 0x5a, 0x09, 0x2e, 0x54, 0xf3, 0x45, 0x24, 0x29 627 }; 628 629 static uint8_t rsa_exponent0[FIPS_RSA_EXPONENT0_LENGTH] = { 630 0x6a, 0xd1, 0x25, 0x80, 0x18, 0x33, 0x3c, 0x2b, 631 0x44, 0x19, 0xfe, 0xa5, 0x40, 0x03, 0xc4, 0xfc, 632 0xb3, 0x9c, 0xef, 0x07, 0x99, 0x58, 0x17, 0xc1, 633 0x44, 0xa3, 0x15, 0x7d, 0x7b, 0x22, 0x22, 0xdf, 634 0x03, 0x58, 0x66, 0xf5, 0x24, 0x54, 0x52, 0x91, 635 0x2d, 0x76, 0xfe, 0x63, 0x64, 0x4e, 0x0f, 0x50, 636 0x2b, 0x65, 0x79, 0x1f, 0xf1, 0xbf, 0xc7, 0x41, 637 0x26, 0xcc, 0xc6, 0x1c, 0xa9, 0x83, 0x6f, 0x03 638 }; 639 640 static uint8_t rsa_exponent1[FIPS_RSA_EXPONENT1_LENGTH] = { 641 0x12, 0x84, 0x1a, 0x99, 0xce, 0x9a, 0x8b, 0x58, 642 0xcc, 0x47, 0x43, 0xdf, 0x77, 0xbb, 0xd3, 0x20, 643 0xae, 0xe4, 0x2e, 0x63, 0x67, 0xdc, 0xf7, 0x5f, 644 0x3f, 0x83, 0x27, 0xb7, 0x14, 0x52, 0x56, 0xbf, 645 0xc3, 0x65, 0x06, 0xe1, 0x03, 0xcc, 0x93, 0x57, 646 0x09, 0x7b, 0x6f, 0xe8, 0x81, 0x4a, 0x2c, 0xb7, 647 0x43, 0xa9, 0x20, 0x1d, 0xf6, 0x56, 0x8b, 0xcc, 648 0xe5, 0x4c, 0xd5, 0x4f, 0x74, 0x67, 0x29, 0x51 649 }; 650 651 static uint8_t rsa_coefficient[FIPS_RSA_COEFFICIENT_LENGTH] = { 652 0x23, 0xab, 0xf4, 0x03, 0x2f, 0x29, 0x95, 0x74, 653 0xac, 0x1a, 0x33, 0x96, 0x62, 0xed, 0xf7, 0xf6, 654 0xae, 0x07, 0x2a, 0x2e, 0xe8, 0xab, 0xfb, 0x1e, 655 0xb9, 0xb2, 0x88, 0x1e, 0x85, 0x05, 0x42, 0x64, 656 0x03, 0xb2, 0x8b, 0xc1, 0x81, 0x75, 0xd7, 0xba, 657 0xaa, 0xd4, 0x31, 0x3c, 0x8a, 0x96, 0x23, 0x9d, 658 0x3f, 0x06, 0x3e, 0x44, 0xa9, 0x62, 0x2f, 0x61, 659 0x5a, 0x51, 0x82, 0x2c, 0x04, 0x85, 0x73, 0xd1 660 }; 661 662 /* RSA Known Plaintext Message (1024-bits). */ 663 static uint8_t rsa_known_plaintext_msg[FIPS_RSA_MESSAGE_LENGTH] = { 664 "Known plaintext message utilized" 665 "for RSA Encryption & Decryption" 666 "block, SHA1, SHA256, SHA384 and" 667 "SHA512 RSA Signature KAT tests." 668 }; 669 670 /* RSA Known Ciphertext (1024-bits). */ 671 static uint8_t rsa_known_ciphertext[] = { 672 0x1e, 0x7e, 0x12, 0xbb, 0x15, 0x62, 0xd0, 0x23, 673 0x53, 0x4c, 0x51, 0x97, 0x77, 0x06, 0xa0, 0xbb, 674 0x26, 0x99, 0x9a, 0x8f, 0x39, 0xad, 0x88, 0x5c, 675 0xc4, 0xce, 0x33, 0x40, 0x94, 0x92, 0xb4, 0x0e, 676 0xab, 0x71, 0xa9, 0x5d, 0x9a, 0x37, 0xe3, 0x9a, 677 0x24, 0x95, 0x13, 0xea, 0x0f, 0xbb, 0xf7, 0xff, 678 0xdf, 0x31, 0x33, 0x23, 0x1d, 0xce, 0x26, 0x9e, 679 0xd1, 0xde, 0x98, 0x40, 0xde, 0x57, 0x86, 0x12, 680 0xf1, 0xe6, 0x5a, 0x3f, 0x08, 0x02, 0x81, 0x85, 681 0xe0, 0xd9, 0xad, 0x3c, 0x8c, 0x71, 0xf8, 0xcf, 682 0x0a, 0x98, 0xc5, 0x08, 0xdc, 0xc4, 0xca, 0x8c, 683 0x23, 0x1b, 0x4d, 0x9b, 0xb5, 0x13, 0x44, 0xe1, 684 0x5f, 0xf9, 0x30, 0x80, 0x25, 0xe0, 0x1e, 0x94, 685 0xa3, 0x0c, 0xdc, 0x82, 0x2e, 0xfb, 0x30, 0xbe, 686 0x89, 0xba, 0x76, 0xb6, 0x23, 0xf7, 0xda, 0x7c, 687 0xca, 0xe6, 0x02, 0xbd, 0x92, 0xce, 0x64, 0xfc 688 }; 689 690 /* RSA Known Signed Hash (1024-bits). */ 691 static uint8_t rsa_known_sha1_signature[] = { 692 0xd2, 0xa4, 0xe0, 0x2b, 0xc7, 0x03, 0x7f, 0xc6, 693 0x06, 0x9e, 0xa2, 0x82, 0x19, 0xe9, 0x2b, 0xaf, 694 0xe3, 0x48, 0x88, 0xc1, 0xf3, 0xb5, 0x0d, 0xe4, 695 0x52, 0x9e, 0xad, 0xd5, 0x58, 0xb5, 0x9f, 0xe8, 696 0x40, 0xe9, 0xb7, 0x2e, 0xc6, 0x71, 0x58, 0x56, 697 0x04, 0xac, 0xb0, 0xf3, 0x3a, 0x42, 0x38, 0x08, 698 0xc4, 0x43, 0x39, 0xba, 0x19, 0xce, 0xb1, 0x99, 699 0xf1, 0x8d, 0x89, 0xd8, 0x50, 0x07, 0x14, 0x3d, 700 0xcf, 0xd0, 0xb6, 0x79, 0xde, 0x9c, 0x89, 0x32, 701 0xb0, 0x73, 0x3f, 0xed, 0x03, 0x0b, 0xdf, 0x6d, 702 0x7e, 0xc9, 0x1c, 0x39, 0xe8, 0x2b, 0x16, 0x09, 703 0xbb, 0x5f, 0x99, 0x2f, 0xeb, 0xf3, 0x37, 0x73, 704 0x0d, 0x0e, 0xcc, 0x95, 0xad, 0x90, 0x80, 0x03, 705 0x1d, 0x80, 0x55, 0x37, 0xa1, 0x2a, 0x71, 0x76, 706 0x23, 0x87, 0x8c, 0x9b, 0x41, 0x07, 0xc6, 0x3d, 707 0xc6, 0xa3, 0x7d, 0x1b, 0xff, 0x4e, 0x11, 0x19 708 }; 709 710 /* RSA Known Signed Hash (1024-bits). */ 711 static uint8_t rsa_known_sha256_signature[] = { 712 0x27, 0x35, 0xdd, 0xc4, 0xf8, 0xe2, 0x0b, 0xa3, 713 0xef, 0x63, 0x57, 0x3b, 0xe1, 0x58, 0x9a, 0xbc, 714 0x20, 0x9c, 0x25, 0x12, 0x01, 0xbf, 0xbb, 0x29, 715 0x80, 0x1a, 0xb1, 0x37, 0x9c, 0xcd, 0x67, 0xc7, 716 0x0d, 0xf8, 0x64, 0x10, 0x9f, 0xe2, 0xa1, 0x9b, 717 0x21, 0x90, 0xcc, 0xda, 0x8b, 0x76, 0x5e, 0x79, 718 0x00, 0x9d, 0x58, 0x8b, 0x8a, 0xb3, 0xc3, 0xb5, 719 0xf1, 0x54, 0xc5, 0x8c, 0x72, 0xba, 0xde, 0x51, 720 0x3c, 0x6b, 0x94, 0xd6, 0xf3, 0x1b, 0xa2, 0x53, 721 0xe6, 0x1a, 0x46, 0x1d, 0x7f, 0x14, 0x86, 0xcc, 722 0xa6, 0x30, 0x92, 0x96, 0xc0, 0x96, 0x24, 0xf0, 723 0x42, 0x53, 0x4c, 0xdd, 0x27, 0xdf, 0x1d, 0x2e, 724 0x8b, 0x83, 0xbe, 0xed, 0x85, 0x1d, 0x50, 0x46, 725 0xa3, 0x7d, 0x20, 0xea, 0x3e, 0x91, 0xfb, 0xf6, 726 0x86, 0x51, 0xfd, 0x8c, 0xe5, 0x31, 0xe6, 0x7e, 727 0x60, 0x08, 0x0e, 0xec, 0xa6, 0xea, 0x24, 0x8d 728 }; 729 730 /* RSA Known Signed Hash (1024-bits). */ 731 static uint8_t rsa_known_sha384_signature[] = { 732 0x0b, 0x03, 0x94, 0x4f, 0x94, 0x78, 0x9b, 0x96, 733 0x76, 0xeb, 0x72, 0x58, 0xe1, 0xc5, 0xc7, 0x5f, 734 0x85, 0x01, 0xa8, 0xc4, 0xf6, 0x1a, 0xb5, 0x2c, 735 0xd1, 0xd8, 0x87, 0xde, 0x3a, 0x9c, 0x9f, 0x57, 736 0x81, 0x2a, 0x1e, 0x23, 0x07, 0x70, 0xb0, 0xf9, 737 0x28, 0x3d, 0xfa, 0xe5, 0x2e, 0x1b, 0x9a, 0x72, 738 0xc3, 0x74, 0xb3, 0x42, 0x1c, 0x9a, 0x13, 0xdc, 739 0xc9, 0xd6, 0xd5, 0x88, 0xc9, 0x9c, 0x46, 0xf1, 740 0x0c, 0xa6, 0xf7, 0xd8, 0x06, 0xa3, 0x1b, 0xdf, 741 0x55, 0xb3, 0x1b, 0x7b, 0x58, 0x1d, 0xff, 0x19, 742 0xc7, 0xe0, 0xdd, 0x59, 0xac, 0x2f, 0x78, 0x71, 743 0xe7, 0xe0, 0x17, 0xa3, 0x1c, 0x5c, 0x92, 0xef, 744 0xb6, 0x75, 0xed, 0xbe, 0x18, 0x39, 0x6b, 0xd7, 745 0xc9, 0x08, 0x62, 0x55, 0x62, 0xac, 0x5d, 0xa1, 746 0x9b, 0xd5, 0xb8, 0x98, 0x15, 0xc0, 0xf5, 0x41, 747 0x85, 0x44, 0x96, 0xca, 0x10, 0xdc, 0x57, 0x21 748 }; 749 750 /* RSA Known Signed Hash (1024-bits). */ 751 static uint8_t rsa_known_sha512_signature[] = { 752 0xa5, 0xd0, 0x80, 0x04, 0x22, 0xfc, 0x80, 0x73, 753 0x7d, 0x46, 0xc8, 0x7b, 0xac, 0x44, 0x7b, 0xe6, 754 0x07, 0xe5, 0x61, 0x4c, 0x33, 0x7f, 0x6f, 0x46, 755 0x7c, 0x30, 0xe3, 0x75, 0x59, 0x4b, 0x42, 0xf3, 756 0x9f, 0x35, 0x3c, 0x10, 0x56, 0xdb, 0xd2, 0x69, 757 0x43, 0xcb, 0x77, 0xe9, 0x7d, 0xcd, 0x07, 0x43, 758 0xc5, 0xd4, 0x0c, 0x9d, 0xf5, 0x92, 0xbd, 0x0e, 759 0x3b, 0xb7, 0x68, 0x88, 0x84, 0xca, 0xae, 0x0d, 760 0xab, 0x71, 0x10, 0xad, 0xab, 0x27, 0xe4, 0xa3, 761 0x24, 0x41, 0xeb, 0x1c, 0xa6, 0x5f, 0xf1, 0x85, 762 0xd0, 0xf6, 0x22, 0x74, 0x3d, 0x81, 0xbe, 0xdd, 763 0x1b, 0x2a, 0x4c, 0xd1, 0x6c, 0xb5, 0x6d, 0x7a, 764 0xbb, 0x99, 0x69, 0x01, 0xa6, 0xc0, 0x98, 0xfa, 765 0x97, 0xa3, 0xd1, 0xb0, 0xdf, 0x09, 0xe3, 0x3d, 766 0x88, 0xee, 0x90, 0xf3, 0x10, 0x41, 0x0f, 0x06, 767 0x31, 0xe9, 0x60, 0x2d, 0xbf, 0x63, 0x7b, 0xf8 768 }; 769 770 RSAPrivateKey_t rsa_private_key; 771 CK_RV rv; 772 uint8_t rsa_computed_ciphertext[FIPS_RSA_ENCRYPT_LENGTH]; 773 uint8_t rsa_computed_plaintext[FIPS_RSA_DECRYPT_LENGTH]; 774 uint8_t rsa_computed_signature[FIPS_RSA_SIGNATURE_LENGTH]; 775 CK_BYTE der_data[SHA512_DIGEST_LENGTH + SHA2_DER_PREFIX_Len]; 776 777 /* 778 * RSA Known Answer Encryption Test. 779 */ 780 781 /* Perform RSA Public Key Encryption. */ 782 rv = fips_rsa_encrypt(rsa_modulus, FIPS_RSA_MODULUS_LENGTH, 783 rsa_public_exponent, FIPS_RSA_PUBLIC_EXPONENT_LENGTH, 784 rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH, 785 rsa_computed_ciphertext); 786 787 if ((rv != CKR_OK) || 788 (memcmp(rsa_computed_ciphertext, rsa_known_ciphertext, 789 FIPS_RSA_ENCRYPT_LENGTH) != 0)) 790 return (CKR_DEVICE_ERROR); 791 792 /* 793 * RSA Known Answer Decryption Test. 794 */ 795 rsa_private_key.version = rsa_version; 796 rsa_private_key.version_len = FIPS_RSA_PRIVATE_VERSION_LENGTH; 797 rsa_private_key.modulus = rsa_modulus; 798 rsa_private_key.modulus_len = FIPS_RSA_MODULUS_LENGTH; 799 rsa_private_key.public_expo = rsa_public_exponent; 800 rsa_private_key.public_expo_len = FIPS_RSA_PUBLIC_EXPONENT_LENGTH; 801 rsa_private_key.private_expo = rsa_private_exponent; 802 rsa_private_key.private_expo_len = FIPS_RSA_PRIVATE_EXPONENT_LENGTH; 803 rsa_private_key.prime1 = rsa_prime0; 804 rsa_private_key.prime1_len = FIPS_RSA_PRIME0_LENGTH; 805 rsa_private_key.prime2 = rsa_prime1; 806 rsa_private_key.prime2_len = FIPS_RSA_PRIME1_LENGTH; 807 rsa_private_key.exponent1 = rsa_exponent0; 808 rsa_private_key.exponent1_len = FIPS_RSA_EXPONENT0_LENGTH; 809 rsa_private_key.exponent2 = rsa_exponent1; 810 rsa_private_key.exponent2_len = FIPS_RSA_EXPONENT1_LENGTH; 811 rsa_private_key.coef = rsa_coefficient; 812 rsa_private_key.coef_len = FIPS_RSA_COEFFICIENT_LENGTH; 813 814 /* Perform RSA Private Key Decryption. */ 815 rv = fips_rsa_decrypt(&rsa_private_key, rsa_known_ciphertext, 816 FIPS_RSA_MESSAGE_LENGTH, rsa_computed_plaintext); 817 818 if ((rv != CKR_OK) || 819 (memcmp(rsa_computed_plaintext, rsa_known_plaintext_msg, 820 FIPS_RSA_DECRYPT_LENGTH) != 0)) 821 return (CKR_DEVICE_ERROR); 822 823 /* SHA-1 Sign/Verify */ 824 #ifdef _KERNEL 825 rv = fips_rsa_sign_verify_test(SHA1_TYPE, &rsa_private_key, 826 rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH, 827 rsa_computed_signature, der_data, 1); 828 #else 829 rv = fips_rsa_sign_verify_test(CKM_SHA_1, &rsa_private_key, 830 rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH, 831 rsa_computed_signature, der_data, 1); 832 #endif 833 834 if ((rv != CKR_OK) || 835 (memcmp(rsa_computed_signature, rsa_known_sha1_signature, 836 FIPS_RSA_SIGNATURE_LENGTH) != 0)) 837 return (CKR_DEVICE_ERROR); 838 839 #ifdef _KERNEL 840 rv = fips_rsa_sign_verify_test(SHA1_TYPE, &rsa_private_key, 841 rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH, 842 rsa_computed_signature, der_data, 0); 843 #else 844 rv = fips_rsa_sign_verify_test(CKM_SHA_1, &rsa_private_key, 845 rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH, 846 rsa_computed_signature, der_data, 0); 847 #endif 848 849 if (rv != CKR_OK) 850 goto rsa_loser; 851 852 /* SHA256 Sign/Verify */ 853 #ifdef _KERNEL 854 rv = fips_rsa_sign_verify_test(SHA256_TYPE, &rsa_private_key, 855 rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH, 856 rsa_computed_signature, der_data, 1); 857 #else 858 rv = fips_rsa_sign_verify_test(CKM_SHA256, &rsa_private_key, 859 rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH, 860 rsa_computed_signature, der_data, 1); 861 #endif 862 863 if ((rv != CKR_OK) || 864 (memcmp(rsa_computed_signature, rsa_known_sha256_signature, 865 FIPS_RSA_SIGNATURE_LENGTH) != 0)) 866 return (CKR_DEVICE_ERROR); 867 868 #ifdef _KERNEL 869 rv = fips_rsa_sign_verify_test(SHA256_TYPE, &rsa_private_key, 870 rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH, 871 rsa_computed_signature, der_data, 0); 872 #else 873 rv = fips_rsa_sign_verify_test(CKM_SHA256, &rsa_private_key, 874 rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH, 875 rsa_computed_signature, der_data, 0); 876 #endif 877 878 if (rv != CKR_OK) 879 goto rsa_loser; 880 881 /* SHA384 Sign/Verify */ 882 #ifdef _KERNEL 883 rv = fips_rsa_sign_verify_test(SHA384_TYPE, &rsa_private_key, 884 rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH, 885 rsa_computed_signature, der_data, 1); 886 #else 887 rv = fips_rsa_sign_verify_test(CKM_SHA384, &rsa_private_key, 888 rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH, 889 rsa_computed_signature, der_data, 1); 890 #endif 891 892 if ((rv != CKR_OK) || 893 (memcmp(rsa_computed_signature, rsa_known_sha384_signature, 894 FIPS_RSA_SIGNATURE_LENGTH) != 0)) 895 return (CKR_DEVICE_ERROR); 896 897 #ifdef _KERNEL 898 rv = fips_rsa_sign_verify_test(SHA384_TYPE, &rsa_private_key, 899 rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH, 900 rsa_computed_signature, der_data, 0); 901 #else 902 rv = fips_rsa_sign_verify_test(CKM_SHA384, &rsa_private_key, 903 rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH, 904 rsa_computed_signature, der_data, 0); 905 #endif 906 907 if (rv != CKR_OK) 908 goto rsa_loser; 909 910 /* SHA512 Sign/Verify */ 911 #ifdef _KERNEL 912 rv = fips_rsa_sign_verify_test(SHA512_TYPE, &rsa_private_key, 913 rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH, 914 rsa_computed_signature, der_data, 1); 915 #else 916 rv = fips_rsa_sign_verify_test(CKM_SHA512, &rsa_private_key, 917 rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH, 918 rsa_computed_signature, der_data, 1); 919 #endif 920 921 if ((rv != CKR_OK) || 922 (memcmp(rsa_computed_signature, rsa_known_sha512_signature, 923 FIPS_RSA_SIGNATURE_LENGTH) != 0)) 924 return (CKR_DEVICE_ERROR); 925 926 #ifdef _KERNEL 927 rv = fips_rsa_sign_verify_test(SHA512_TYPE, &rsa_private_key, 928 rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH, 929 rsa_computed_signature, der_data, 0); 930 #else 931 rv = fips_rsa_sign_verify_test(CKM_SHA512, &rsa_private_key, 932 rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH, 933 rsa_computed_signature, der_data, 0); 934 #endif 935 936 rsa_loser: 937 if (rv != CKR_OK) 938 return (CKR_DEVICE_ERROR); 939 else 940 return (CKR_OK); 941 942 } 943