wolfcrypt-ring-compat 1.16.5

wolfcrypt-ring-compat is a cryptographic library using wolfSSL for its cryptographic operations. This library strives to be API-compatible with the popular Rust library named ring.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258

// Copyright 2015-2016 Brian Smith.
// SPDX-License-Identifier: ISC
// Modifications copyright wolfSSL Inc.
// SPDX-License-Identifier: MIT

//! RSA Signature Support.

// *R* and *r* in Montgomery math refer to different things, so we always use
// `R` to refer to *R* to avoid confusion, even when that's against the normal
// naming conventions. Also the standard camelCase names are used for `KeyPair`
// components.

mod encoding;
/// RSA encryption (OAEP and PKCS#1 v1.5).
pub mod encryption;
pub(crate) mod key;
pub(crate) mod signature;

pub use self::encryption::oaep::{
    OaepPrivateDecryptingKey, OaepPublicEncryptingKey, OAEP_SHA1_MGF1SHA1, OAEP_SHA256_MGF1SHA256,
    OAEP_SHA384_MGF1SHA384, OAEP_SHA512_MGF1SHA512,
};
pub use self::encryption::pkcs1::{Pkcs1PrivateDecryptingKey, Pkcs1PublicEncryptingKey};
pub use self::encryption::{EncryptionAlgorithmId, PrivateDecryptingKey, PublicEncryptingKey};
pub use self::key::{KeyPair, KeySize, PublicKey, PublicKeyComponents};
#[allow(clippy::module_name_repetitions)]
pub use self::signature::RsaParameters;

pub(crate) use self::signature::RsaVerificationAlgorithmId;

#[cfg(test)]
mod tests {
    #[cfg(feature = "fips")]
    mod fips;

    mod encryption_tests {
        use super::super::encryption::{
            oaep::{OaepPrivateDecryptingKey, OaepPublicEncryptingKey, OAEP_SHA256_MGF1SHA256},
            pkcs1::{Pkcs1PrivateDecryptingKey, Pkcs1PublicEncryptingKey},
            PrivateDecryptingKey,
        };
        use super::super::KeySize;

        #[test]
        fn test_oaep_sha256_round_trip() {
            let priv_key = PrivateDecryptingKey::generate(KeySize::Rsa2048).unwrap();
            let pub_key = priv_key.public_key();

            let oaep_pub = OaepPublicEncryptingKey::new(pub_key).unwrap();
            let oaep_priv = OaepPrivateDecryptingKey::new(priv_key).unwrap();

            let plaintext = b"hello, RSA-OAEP encryption test!";
            let mut ciphertext = vec![0u8; oaep_pub.ciphertext_size()];

            let ct = oaep_pub
                .encrypt(&OAEP_SHA256_MGF1SHA256, plaintext, &mut ciphertext, None)
                .unwrap();

            // Ciphertext should differ from plaintext
            assert_ne!(ct, plaintext);
            assert_eq!(ct.len(), oaep_priv.key_size_bytes());

            let mut decrypted = vec![0u8; oaep_priv.min_output_size()];
            let pt = oaep_priv
                .decrypt(&OAEP_SHA256_MGF1SHA256, ct, &mut decrypted, None)
                .unwrap();

            assert_eq!(pt, plaintext, "recovered plaintext must match original");
        }

        #[test]
        fn test_pkcs1v15_round_trip() {
            let priv_key = PrivateDecryptingKey::generate(KeySize::Rsa2048).unwrap();
            let pub_key = priv_key.public_key();

            let pkcs1_pub = Pkcs1PublicEncryptingKey::new(pub_key).unwrap();
            let pkcs1_priv = Pkcs1PrivateDecryptingKey::new(priv_key).unwrap();

            let plaintext = b"hello, PKCS1v15 encryption test!";
            let mut ciphertext = vec![0u8; pkcs1_pub.ciphertext_size()];

            let ct = pkcs1_pub.encrypt(plaintext, &mut ciphertext).unwrap();

            assert_ne!(ct, plaintext);
            assert_eq!(ct.len(), pkcs1_priv.key_size_bytes());

            let mut decrypted = vec![0u8; pkcs1_priv.min_output_size()];
            let pt = pkcs1_priv.decrypt(ct, &mut decrypted).unwrap();

            assert_eq!(pt, plaintext, "recovered plaintext must match original");
        }

        #[test]
        fn test_oaep_decrypt_with_wrong_key_fails() {
            let priv_key1 = PrivateDecryptingKey::generate(KeySize::Rsa2048).unwrap();
            let pub_key1 = priv_key1.public_key();

            let priv_key2 = PrivateDecryptingKey::generate(KeySize::Rsa2048).unwrap();

            let oaep_pub = OaepPublicEncryptingKey::new(pub_key1).unwrap();
            let oaep_priv_wrong = OaepPrivateDecryptingKey::new(priv_key2).unwrap();

            let plaintext = b"secret message";
            let mut ciphertext = vec![0u8; oaep_pub.ciphertext_size()];

            let ct = oaep_pub
                .encrypt(&OAEP_SHA256_MGF1SHA256, plaintext, &mut ciphertext, None)
                .unwrap();

            let mut decrypted = vec![0u8; oaep_priv_wrong.min_output_size()];
            let result = oaep_priv_wrong.decrypt(&OAEP_SHA256_MGF1SHA256, ct, &mut decrypted, None);
            assert!(result.is_err(), "decrypting with wrong key must fail");
        }

        #[test]
        fn test_oaep_corrupted_ciphertext_fails() {
            let priv_key = PrivateDecryptingKey::generate(KeySize::Rsa2048).unwrap();
            let pub_key = priv_key.public_key();

            let oaep_pub = OaepPublicEncryptingKey::new(pub_key).unwrap();
            let oaep_priv = OaepPrivateDecryptingKey::new(priv_key).unwrap();

            let plaintext = b"test corruption";
            let mut ciphertext = vec![0u8; oaep_pub.ciphertext_size()];

            let ct = oaep_pub
                .encrypt(&OAEP_SHA256_MGF1SHA256, plaintext, &mut ciphertext, None)
                .unwrap();

            // Corrupt the ciphertext
            let mut corrupted = ct.to_vec();
            corrupted[0] ^= 0xff;
            let mid = corrupted.len() / 2;
            corrupted[mid] ^= 0x42;

            let mut decrypted = vec![0u8; oaep_priv.min_output_size()];
            let result =
                oaep_priv.decrypt(&OAEP_SHA256_MGF1SHA256, &corrupted, &mut decrypted, None);
            assert!(result.is_err(), "corrupted ciphertext must fail to decrypt");
        }

        #[test]
        fn test_pkcs1v15_decrypt_with_wrong_key_fails() {
            let priv_key1 = PrivateDecryptingKey::generate(KeySize::Rsa2048).unwrap();
            let pub_key1 = priv_key1.public_key();

            let priv_key2 = PrivateDecryptingKey::generate(KeySize::Rsa2048).unwrap();

            let pkcs1_pub = Pkcs1PublicEncryptingKey::new(pub_key1).unwrap();
            let pkcs1_priv_wrong = Pkcs1PrivateDecryptingKey::new(priv_key2).unwrap();

            let plaintext = b"secret message";
            let mut ciphertext = vec![0u8; pkcs1_pub.ciphertext_size()];

            let ct = pkcs1_pub.encrypt(plaintext, &mut ciphertext).unwrap();

            let mut decrypted = vec![0u8; pkcs1_priv_wrong.min_output_size()];
            let result = pkcs1_priv_wrong.decrypt(ct, &mut decrypted);
            assert!(result.is_err(), "decrypting with wrong key must fail");
        }

        #[test]
        fn test_pkcs1v15_corrupted_ciphertext_fails() {
            let priv_key = PrivateDecryptingKey::generate(KeySize::Rsa2048).unwrap();
            let pub_key = priv_key.public_key();

            let pkcs1_pub = Pkcs1PublicEncryptingKey::new(pub_key).unwrap();
            let pkcs1_priv = Pkcs1PrivateDecryptingKey::new(priv_key).unwrap();

            let plaintext = b"test corruption";
            let mut ciphertext = vec![0u8; pkcs1_pub.ciphertext_size()];

            let ct = pkcs1_pub.encrypt(plaintext, &mut ciphertext).unwrap();

            let mut corrupted = ct.to_vec();
            corrupted[0] ^= 0xff;

            let mut decrypted = vec![0u8; pkcs1_priv.min_output_size()];
            let result = pkcs1_priv.decrypt(&corrupted, &mut decrypted);
            assert!(result.is_err(), "corrupted ciphertext must fail to decrypt");
        }

        #[test]
        fn test_oaep_rejects_nonempty_label() {
            // wolfSSL does not support custom OAEP labels
            let priv_key = PrivateDecryptingKey::generate(KeySize::Rsa2048).unwrap();
            let pub_key = priv_key.public_key();

            let oaep_pub = OaepPublicEncryptingKey::new(pub_key).unwrap();

            let plaintext = b"test";
            let mut ciphertext = vec![0u8; oaep_pub.ciphertext_size()];

            let result = oaep_pub.encrypt(
                &OAEP_SHA256_MGF1SHA256,
                plaintext,
                &mut ciphertext,
                Some(b"custom label"),
            );
            assert!(result.is_err(), "non-empty OAEP label should be rejected");
        }
    }

    #[cfg(feature = "ring-io")]
    #[test]
    fn test_rsa() {
        use crate::signature::KeyPair;
        use crate::test::from_dirty_hex;
        let rsa_pkcs8_input: Vec<u8> = from_dirty_hex(
            r"308204bd020100300d06092a864886f70d0101010500048204a7308204a30201000282010100b9d7a
        f84fa4184a5f22037ec8aff2db5f78bd8c21e714e579ae57c6398c4950f3a694b17bfccf488766159aec5bb7c2c4
        3d59c798cbd45a09c9c86933f126879ee7eadcd404f61ecfc425197cab03946ba381a49ef3b4d0f60b17f8a747cd
        e56a834a7f6008f35ffb2f60a54ceda1974ff2a9963aba7f80d4e2916a93d8c74bb1ba5f3b189a4e8f0377bd3e94
        b5cc3f9c53cb8c8c7c0af394818755e968b7a76d9cada8da7af5fbe25da2a09737d5e4e4d7092aa16a0718d7322c
        e8aca767015128d6d35775ea9cb8bb1ac6512e1b787d34015221be780a37b1d69bc3708bfd8832591be6095a768f
        0fd3b3457927e6ae3641d55799a29a0a269cb4a693bc14b0203010001028201001c5fb7e69fa6dd2fd0f5e653f12
        ce0b7c5a1ce6864e97bc2985dad4e2f86e4133d21d25b3fe774f658cca83aace9e11d8905d62c20b6cd28a680a77
        357cfe1afac201f3d1532898afb40cce0560bedd2c49fc833bd98da3d1cd03cded0c637d4173e62de865b572d410
        f9ba83324cd7a3573359428232f1628f6d104e9e6c5f380898b5570201cf11eb5f7e0c4933139c7e7fba67582287
        ffb81b84fa81e9a2d9739815a25790c06ead7abcf286bd43c6e3d009d01f15fca3d720bbea48b0c8ccf8764f3c82
        2e61159d8efcbff38c794f8afe040b45df14c976a91b1b6d886a55b8e68969bcb30c7197920d97d7721d78d954d8
        9ffecbcc93c6ee82a86fe754102818100eba1cbe453f5cb2fb7eabc12d697267d25785a8f7b43cc2cb14555d3618
        c63929b19839dcd4212397ecda8ad872f97ede6ac95ebda7322bbc9409bac2b24ae56ad62202800c670365ae2867
        1195fe934978a5987bee2fcea06561b782630b066b0a35c3f559a281f0f729fc282ef8ebdbb065d60000223da6ed
        b732fa32d82bb02818100c9e81e353315fd88eff53763ed7b3859f419a0a158f5155851ce0fe6e43188e44fb43dd
        25bcdb7f3839fe84a5db88c6525e5bcbae513bae5ff54398106bd8ae4d241c082f8a64a9089531f7b57b09af5204
        2efa097140702dda55a2141c174dd7a324761267728a6cc4ce386c034393d855ebe985c4e5f2aec2bd3f2e2123ab
        1028180566889dd9c50798771397a68aa1ad9b970e136cc811676ac3901c51c741c48737dbf187de8c47eec68acc
        05b8a4490c164230c0366a36c2c52fc075a56a3e7eecf3c39b091c0336c2b5e00913f0de5f62c5046ceb9d88188c
        c740d34bd44839bd4d0c346527cea93a15596727d139e53c35eed25043bc4ac18950f237c02777b0281800f9dd98
        049e44088efee6a8b5b19f5c0d765880c12c25a154bb6817a5d5a0b798544aea76f9c58c707fe3d4c4b3573fe7ad
        0eb291580d22ae9f5ccc0d311a40590d1af1f3236427c2d72f57367d3ec185b9771cb5d041a8ab93409e59a9d68f
        99c72f91c658a3fe5aed59f9f938c368530a4a45f4a7c7155f3906c4354030ef102818100c89e0ba805c970abd84
        a70770d8fc57bfaa34748a58b77fcddaf0ca285db91953ef5728c1be7470da5540df6af56bb04c0f5ec500f83b08
        057664cb1551e1e29c58d8b1e9d70e23ed57fdf9936c591a83c1dc954f6654d4a245b6d8676d045c2089ffce537d
        234fc88e98d92afa92926c75b286e8fee70e273d762bbe63cd63b",
        );

        let key = super::KeyPair::from_pkcs8(&rsa_pkcs8_input).unwrap();
        let pk = key.public_key();
        let modulus_bytes = pk.modulus().big_endian_without_leading_zero();
        assert_eq!(&rsa_pkcs8_input[38..294], modulus_bytes);
    }

    #[test]
    fn test_debug() {
        use crate::signature;
        assert_eq!(
            "{ RSA_PSS_SHA512 }",
            format!("{:?}", signature::RSA_PSS_SHA512)
        );

        assert_eq!(
            "{ RSA_PSS_2048_8192_SHA256 }",
            format!("{:?}", signature::RSA_PSS_2048_8192_SHA256)
        );
    }
}