[apple/security.git] / OSX / shared_regressions / si-44-seckey-rsa.m

/*
 * Copyright (c) 2016 Apple Inc. All Rights Reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 *
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 *
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 *
 * @APPLE_LICENSE_HEADER_END@
 */


#import <Foundation/Foundation.h>

#import <Security/SecKeyPriv.h>
#import <Security/SecItemPriv.h>
#import <Security/oidsalg.h>

#import <corecrypto/ccrng.h>
#import <corecrypto/ccsha1.h>
#import <corecrypto/ccsha2.h>
#import <corecrypto/ccdigest.h>
#import <corecrypto/ccrsa.h>

#include "shared_regressions.h"

static NSData *decryptAndUnpad(SecKeyRef privateKey, SecKeyAlgorithm algorithm, NSData *ciphertext, NSError **error) {
    NSData *plaintext = CFBridgingRelease(SecKeyCreateDecryptedData(privateKey, algorithm, (CFDataRef)ciphertext, (void *)error));
    if (plaintext != nil && [(__bridge id)algorithm isEqual:(id)kSecKeyAlgorithmRSAEncryptionRaw]) {
        NSRange range = NSMakeRange(0, plaintext.length);
        while (((const UInt8 *)plaintext.bytes)[range.location] == 0x00 && range.location < plaintext.length) {
            range.length--;
            range.location++;
        }
        plaintext = [plaintext subdataWithRange:range];
    }
    return plaintext;
}

static void test_encrypt_run(SecKeyRef privateKey, SecKeyRef publicKey, SecKeyRef iosPrivateKey, SecKeyRef iosPublicKey, SecKeyAlgorithm algorithm) {
    NSData *original = [NSData dataWithBytes:"encrypt" length:7], *plaintext;
    NSError *error;

    error = nil;
    NSData *ciphertext = CFBridgingRelease(SecKeyCreateEncryptedData(publicKey, algorithm, (CFDataRef)original, (void *)&error));
    ok(ciphertext != nil, "RSA encrypt (native) succeeded (error: %@, key %@)", error, publicKey);

    error = nil;
    NSData *iosCiphertext = CFBridgingRelease(SecKeyCreateEncryptedData(iosPublicKey, algorithm, (CFDataRef)original, (void *)&error));
    ok(iosCiphertext != nil, "RSA encrypt (native) succeeded (error: %@, key %@)", error, iosPublicKey);

    error = nil;
    plaintext = decryptAndUnpad(privateKey, algorithm, ciphertext, &error);
    ok(plaintext != nil, "RSA decrypt (native) succeeded (error: %@, key %@)", error, privateKey);
    ok([plaintext isEqual:original], "(native -> native) plaintext equals original (%@ : %@)", original, plaintext);

    error = nil;
    plaintext = decryptAndUnpad(privateKey, algorithm, iosCiphertext, &error);
    ok(plaintext != nil, "RSA decrypt (native) succeeded (error: %@, key %@)", error, privateKey);
    ok([plaintext isEqual:original], "(ios -> native) plaintext equals original (%@ : %@)", original, plaintext);

    error = nil;
    plaintext = decryptAndUnpad(iosPrivateKey, algorithm, ciphertext, &error);
    ok(plaintext != nil, "RSA decrypt (ios) succeeded (error: %@, key %@)", error, privateKey);
    ok([plaintext isEqual:original], "(native -> ios) plaintext equals original (%@ : %@)", original, plaintext);

    error = nil;
    plaintext = decryptAndUnpad(iosPrivateKey, algorithm, iosCiphertext, &error);
    ok(plaintext != nil, "RSA decrypt (ios) succeeded (error: %@, key %@)", error, privateKey);
    ok([plaintext isEqual:original], "(ios -> ios) plaintext equals original (%@ : %@)", original, plaintext);
}
static const int TestCountEncryptRun = 10;

static void test_encrypt_keypair_run(int keySizeInBits, NSArray *algorithms, NSArray *failAlgorithms) {
    NSError *error;
    NSDictionary *params = @{(id)kSecAttrKeyType: (id)kSecAttrKeyTypeRSA, (id)kSecAttrKeySizeInBits: @(keySizeInBits)};

    error = nil;
    id privateKey = CFBridgingRelease(SecKeyCreateRandomKey((CFDictionaryRef)params, (void *)&error));
    ok(privateKey != nil, "generate private key (error %@)", error);

    id publicKey = CFBridgingRelease(SecKeyCopyPublicKey((SecKeyRef)privateKey));
    ok(publicKey != nil, "get public key");

    NSData *data = CFBridgingRelease(SecKeyCopyExternalRepresentation((SecKeyRef)privateKey, NULL));
    NSDictionary *attrs = CFBridgingRelease(SecKeyCopyAttributes((SecKeyRef)privateKey));
    error = nil;
    id iosPrivateKey = CFBridgingRelease(SecKeyCreateWithData((CFDataRef)data, (CFDictionaryRef)attrs, (void *)&error));
    ok(iosPrivateKey != nil, "get private key created from data");

    data = CFBridgingRelease(SecKeyCopyExternalRepresentation((SecKeyRef)publicKey, NULL));
    attrs = CFBridgingRelease(SecKeyCopyAttributes((SecKeyRef)publicKey));
    error = nil;
    id iosPublicKey = CFBridgingRelease(SecKeyCreateWithData((CFDataRef)data, (CFDictionaryRef)attrs, (void *)&error));
    ok(iosPublicKey != nil, "get public key created from data");

    for (id algorithm in algorithms) {
        test_encrypt_run((__bridge SecKeyRef)privateKey, (__bridge SecKeyRef)publicKey,
                         (__bridge SecKeyRef)iosPrivateKey, (__bridge SecKeyRef)iosPublicKey,
                         (__bridge SecKeyAlgorithm)algorithm);
    }

    for (id algorithm in failAlgorithms) {
        error = nil;
        NSData *data = CFBridgingRelease(SecKeyCreateEncryptedData((SecKeyRef)publicKey, (SecKeyAlgorithm)algorithm, (CFDataRef)[NSData data], (void *)&error));
        ok(data == nil && error.code == errSecParam, "incorrect algorithm refused");
    }
}
static const int TestCountEncryptKeypairRun = 4;

static void test_encryption() {
    test_encrypt_keypair_run(1024,
                             @[
                               (id)kSecKeyAlgorithmRSAEncryptionRaw,
                               (id)kSecKeyAlgorithmRSAEncryptionPKCS1,
                               (id)kSecKeyAlgorithmRSAEncryptionOAEPSHA1,
                               (id)kSecKeyAlgorithmRSAEncryptionOAEPSHA224,
                               (id)kSecKeyAlgorithmRSAEncryptionOAEPSHA256,
                               (id)kSecKeyAlgorithmRSAEncryptionOAEPSHA384,
                               ],
                             @[
                               (id)kSecKeyAlgorithmRSAEncryptionOAEPSHA512,
                               ]);

    test_encrypt_keypair_run(2048,
                             @[
                               (id)kSecKeyAlgorithmRSAEncryptionRaw,
                               (id)kSecKeyAlgorithmRSAEncryptionPKCS1,
                               (id)kSecKeyAlgorithmRSAEncryptionOAEPSHA1,
                               (id)kSecKeyAlgorithmRSAEncryptionOAEPSHA224,
                               (id)kSecKeyAlgorithmRSAEncryptionOAEPSHA256,
                               (id)kSecKeyAlgorithmRSAEncryptionOAEPSHA384,
                               (id)kSecKeyAlgorithmRSAEncryptionOAEPSHA512,
                               ],
                             @[
                               ]);
}
static const int TestCountEncryption =
TestCountEncryptKeypairRun + (TestCountEncryptRun * 6) + (1 * 1) +
TestCountEncryptKeypairRun + (TestCountEncryptRun * 7) + (1 * 0);

static void test_pss_sign_run(SecKeyRef privateKey, SecKeyAlgorithm algorithm, SecKeyAlgorithm digestAlgorithm,
                              const struct ccdigest_info *di) {
    NSError *error;
    id publicKey = CFBridgingRelease(SecKeyCopyPublicKey(privateKey));
    NSData *message = [NSData dataWithBytes:"1234" length:4];
    NSMutableData *digest = [NSMutableData dataWithLength:di->output_size];
    ccdigest(di, message.length, message.bytes, digest.mutableBytes);

    // Verify algorithm's availability
    ok(SecKeyIsAlgorithmSupported((SecKeyRef)privateKey, kSecKeyOperationTypeSign, algorithm), "algorithm %@ available on key %@", algorithm, privateKey);
    ok(SecKeyIsAlgorithmSupported((SecKeyRef)privateKey, kSecKeyOperationTypeSign, digestAlgorithm), "algorithm %@ available on key %@", digestAlgorithm, privateKey);

    // Calculate signature of the message using SecKey
    error = nil;
    NSData *signature = CFBridgingRelease(SecKeyCreateSignature(privateKey, algorithm, (CFDataRef)message, (void *)&error));
    ok(signature != nil, "sign message with algorithm %@: error %@", algorithm, error);

    // Verify signature of the message using SecKey
    error = nil;
    Boolean verified = SecKeyVerifySignature((SecKeyRef)publicKey, algorithm, (CFDataRef)message, (CFDataRef)signature, (void *)&error);
    ok(verified, "signature verified for algorithm %@: error %@", algorithm, error);

    // Calculate signature of the digest using SecKey
    error = nil;
    signature = CFBridgingRelease(SecKeyCreateSignature(privateKey, digestAlgorithm, (CFDataRef)digest, (void *)&error));
    ok(signature != nil, "sign digest with algorithm %@: error %@", digestAlgorithm, error);

    // Verify signature of the digest using CC
    NSData *pubData = CFBridgingRelease(SecKeyCopyExternalRepresentation((SecKeyRef)publicKey, (void *)&error));
    ok(pubData != nil, "export public key: error %@", error);
    cc_size n = ccrsa_import_pub_n(pubData.length, pubData.bytes);
    ccrsa_pub_ctx_decl(ccn_sizeof_n(n), ccpub);
    ccrsa_ctx_n(ccpub) = n;
    int err = ccrsa_import_pub(ccpub, pubData.length, pubData.bytes);
    is(err, 0, "ccrsa_import_pub(key=%@) failed", publicKey);

    bool valid = false;
    err = ccrsa_verify_pss(ccpub, di, di, di->output_size, digest.bytes, signature.length, signature.bytes, di->output_size, &valid);
    is(err, 0, "ccrsa_verify_pss(%@) failed", algorithm);
    ok(valid, "ccrsa verify signature (alg %@)", algorithm);

    // Calculate signature of the digest using CC
    error = nil;
    NSData *privData = CFBridgingRelease(SecKeyCopyExternalRepresentation(privateKey, (void *)&error));
    ok(privData != nil, "export private key: error %@", error);
    n = ccrsa_import_priv_n(privData.length, privData.bytes);
    ccrsa_full_ctx_decl(ccn_sizeof_n(n), ccpriv);
    ccrsa_ctx_n(ccpriv) = n;
    err = ccrsa_import_priv(ccpriv, privData.length, privData.bytes);
    is(err, 0, "ccrsa_import_priv(key=%@) failed", privateKey);

    NSMutableData *ccSig = [NSMutableData dataWithLength:SecKeyGetBlockSize(privateKey)];
    size_t sigSize = ccSig.length;
    err = ccrsa_sign_pss(ccpriv, di, di, di->output_size, ccrng(NULL), digest.length, digest.bytes, &sigSize, ccSig.mutableBytes);
    is(err, 0, "ccrsa_sign_pss(%@) failed", digestAlgorithm);
    is(sigSize, ccSig.length, "unexpected signature size for algorithm %@", digestAlgorithm);

    // Verify signature of the digest using SecKey
    error = nil;
    verified = SecKeyVerifySignature((SecKeyRef)publicKey, digestAlgorithm, (CFDataRef)digest, (CFDataRef)ccSig, (void *)&error);
    ok(verified, "signature verified for algorithm %@: error %@", digestAlgorithm, error);
}
static const int TestCountPSSSignRun = 14;

static void test_pss_sign() {
    NSError *error;
    NSDictionary *params = @{(id)kSecAttrKeyType: (id)kSecAttrKeyTypeRSA, (id)kSecAttrKeySizeInBits: @1024};

    error = nil;
    id privateKey = CFBridgingRelease(SecKeyCreateRandomKey((CFDictionaryRef)params, (void *)&error));
    ok(privateKey != nil, "generate private key (error %@)", error);

    test_pss_sign_run((__bridge SecKeyRef)privateKey, kSecKeyAlgorithmRSASignatureMessagePSSSHA1, kSecKeyAlgorithmRSASignatureDigestPSSSHA1, ccsha1_di());
    test_pss_sign_run((__bridge SecKeyRef)privateKey, kSecKeyAlgorithmRSASignatureMessagePSSSHA224, kSecKeyAlgorithmRSASignatureDigestPSSSHA224, ccsha224_di());
    test_pss_sign_run((__bridge SecKeyRef)privateKey, kSecKeyAlgorithmRSASignatureMessagePSSSHA256, kSecKeyAlgorithmRSASignatureDigestPSSSHA256, ccsha256_di());
    test_pss_sign_run((__bridge SecKeyRef)privateKey, kSecKeyAlgorithmRSASignatureMessagePSSSHA384, kSecKeyAlgorithmRSASignatureDigestPSSSHA384, ccsha384_di());

    // RSASSA-PSS requires hlen + slen + 2 size modulus, so it requires at least 1040bit keys, and should not be available for 1024b keys.
    ok(!SecKeyIsAlgorithmSupported((SecKeyRef)privateKey, kSecKeyOperationTypeSign, kSecKeyAlgorithmRSASignatureDigestPSSSHA512));
    ok(!SecKeyIsAlgorithmSupported((SecKeyRef)privateKey, kSecKeyOperationTypeSign, kSecKeyAlgorithmRSASignatureMessagePSSSHA512));

    error = nil;
    params = @{(id)kSecAttrKeyType: (id)kSecAttrKeyTypeRSA, (id)kSecAttrKeySizeInBits: @2048};
    privateKey = CFBridgingRelease(SecKeyCreateRandomKey((CFDictionaryRef)params, (void *)&error));
    ok(privateKey != nil, "generate private key (error %@)", error);

    test_pss_sign_run((__bridge SecKeyRef)privateKey, kSecKeyAlgorithmRSASignatureMessagePSSSHA1, kSecKeyAlgorithmRSASignatureDigestPSSSHA1, ccsha1_di());
    test_pss_sign_run((__bridge SecKeyRef)privateKey, kSecKeyAlgorithmRSASignatureMessagePSSSHA224, kSecKeyAlgorithmRSASignatureDigestPSSSHA224, ccsha224_di());
    test_pss_sign_run((__bridge SecKeyRef)privateKey, kSecKeyAlgorithmRSASignatureMessagePSSSHA256, kSecKeyAlgorithmRSASignatureDigestPSSSHA256, ccsha256_di());
    test_pss_sign_run((__bridge SecKeyRef)privateKey, kSecKeyAlgorithmRSASignatureMessagePSSSHA384, kSecKeyAlgorithmRSASignatureDigestPSSSHA384, ccsha384_di());
    test_pss_sign_run((__bridge SecKeyRef)privateKey, kSecKeyAlgorithmRSASignatureMessagePSSSHA512, kSecKeyAlgorithmRSASignatureDigestPSSSHA512, ccsha512_di());
}
static const int TestCountPSSSign = 1 + TestCountPSSSignRun * 4 + 2 + 1 + TestCountPSSSignRun * 5;

static void test_bad_input(NSInteger keySizeInBits, NSInteger inputSize, SecKeyAlgorithm algorithm) {
    NSError *error;
    NSDictionary *params = @{(id)kSecAttrKeyType: (id)kSecAttrKeyTypeRSA, (id)kSecAttrKeySizeInBits: @(keySizeInBits)};

    error = nil;
    id privateKey = CFBridgingRelease(SecKeyCreateRandomKey((CFDictionaryRef)params, (void *)&error));
    ok(privateKey != nil, "generate private key (error %@)", error);
    id publicKey = CFBridgingRelease(SecKeyCopyPublicKey((SecKeyRef)privateKey));

    NSData *input, *output;

    error = nil;
    input = [NSMutableData dataWithLength:inputSize];
    output = CFBridgingRelease(SecKeyCreateEncryptedData((SecKeyRef)publicKey, algorithm, (CFDataRef)input, (void *)&error));
    ok(output, "encryption succeeds at the border size %d (key=%dbytes, %@)", (int)input.length, (int)keySizeInBits / 8, algorithm);
    is((NSInteger)output.length, keySizeInBits / 8, "Unexpected output block size");

    input = [NSMutableData dataWithLength:inputSize + 1];
    output = CFBridgingRelease(SecKeyCreateEncryptedData((SecKeyRef)publicKey, algorithm, (CFDataRef)input, (void *)&error));
    ok(output == nil, "encryption did not fail for border size %d (key=%dbytes, output=%dbytes, %@)", (int)input.length, (int)keySizeInBits / 8, (int)output.length, algorithm);
    is_status((OSStatus)error.code, errSecParam, "Fails with errSecParam for too long input (%@)", algorithm);
}
static const int TestCountBadInputSizeStep = 5;

static void test_bad_input_size() {
    test_bad_input(1024, 128, kSecKeyAlgorithmRSAEncryptionRaw);
    test_bad_input(2048, 256, kSecKeyAlgorithmRSAEncryptionRaw);
    test_bad_input(1024, 128 - 11, kSecKeyAlgorithmRSAEncryptionPKCS1);
    test_bad_input(2048, 256 - 11, kSecKeyAlgorithmRSAEncryptionPKCS1);
    test_bad_input(1024, 128 - 42, kSecKeyAlgorithmRSAEncryptionOAEPSHA1);
    test_bad_input(2048, 256 - 42, kSecKeyAlgorithmRSAEncryptionOAEPSHA1);
    test_bad_input(1024, 128 - 66, kSecKeyAlgorithmRSAEncryptionOAEPSHA256);
    test_bad_input(2048, 256 - 66, kSecKeyAlgorithmRSAEncryptionOAEPSHA256);
}
static const int TestCountBadInputSize = TestCountBadInputSizeStep * 8;

static void test_bad_signature() {
    NSDictionary *params = @{ (id)kSecAttrKeyType: (id)kSecAttrKeyTypeRSA, (id)kSecAttrKeySizeInBits: @2048 };
    NSError *error;
    id privateKey = CFBridgingRelease(SecKeyCreateRandomKey((CFDictionaryRef)params, (void *)&error));
    ok(privateKey, "Generate RSA-2048 temporary key, err %@", error);
    id publicKey = CFBridgingRelease(SecKeyCopyPublicKey((SecKeyRef)privateKey));
    ok(publicKey, "Get public key from private key");

#if TARGET_OS_IPHONE
    SecKeyAlgorithm algorithm = kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA1;
#else
    SecKeyAlgorithm algorithm = kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA1;
#endif

    char digest[20] = "digest";
    NSData *digestData = [NSData dataWithBytes:digest length:sizeof(digest)];
    NSData *signature = CFBridgingRelease(SecKeyCreateSignature((SecKeyRef)privateKey, algorithm, (CFDataRef)digestData, (void *)&error));
    ok(signature, "Sign digest, err %@", error);

    bool result = SecKeyVerifySignature((SecKeyRef)publicKey, algorithm, (CFDataRef)digestData, (CFDataRef)signature, (void *)&error);
    ok(result, "Verify signature, err %@", error);

    OSStatus status = SecKeyRawVerify((SecKeyRef)publicKey, kSecPaddingPKCS1SHA1, (const uint8_t *)digest, sizeof(digest), signature.bytes, signature.length);
    ok_status(status, "Raw verify correct signature");

    status = SecKeyRawVerify((SecKeyRef)publicKey, kSecPaddingPKCS1SHA1, (const uint8_t *)digest, sizeof(digest), (void  * _Nonnull)NULL, 0);
    is_status(status, errSSLCrypto, "NULL signature failure");

    const SecAsn1AlgId algId = { .algorithm = CSSMOID_SHA1WithRSA };
    signature = CFBridgingRelease(SecKeyCreateSignature((SecKeyRef)privateKey, kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA1, (CFDataRef)digestData, (void *)&error));
    ok(signature, "Sign message, err %@", error);

    status = SecKeyDigestAndVerify((__bridge SecKeyRef)publicKey, &algId, (const uint8_t *)digest, sizeof(digest), signature.bytes, signature.length);
    ok_status(status, "Raw verify correct signature");

    status = SecKeyDigestAndVerify((__bridge SecKeyRef)publicKey, &algId, (const uint8_t *)digest, sizeof(digest), (void * _Nonnull)NULL, 0);
    is_status(status, errSSLCrypto, "NULL signature failure");

    signature = CFBridgingRelease(SecKeyCreateSignature((SecKeyRef)privateKey, kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA1, (CFDataRef)digestData, (void *)&error));
    ok(signature, "Sign message, err %@", error);

    status = SecKeyVerifyDigest((__bridge SecKeyRef)publicKey, &algId, (const uint8_t *)digest, sizeof(digest), signature.bytes, signature.length);
    ok_status(status, "Raw verify correct signature");

    status = SecKeyVerifyDigest((__bridge SecKeyRef)publicKey, &algId, (const uint8_t *)digest, sizeof(digest), (void * _Nonnull)NULL, 0);
    is_status(status, errSSLCrypto, "NULL signature failure");
}
static const int TestCountBadSignature = 12;

static const int TestCount =
TestCountEncryption +
TestCountPSSSign +
TestCountBadInputSize +
TestCountBadSignature;

int si_44_seckey_rsa(int argc, char *const *argv) {
    plan_tests(TestCount);

    @autoreleasepool {
        test_encryption();
        test_pss_sign();
        test_bad_input_size();
        test_bad_signature();
    }
    
    return 0;
}
Commit	Line	Data
fa7225c8 A	1	/*
	2	* Copyright (c) 2016 Apple Inc. All Rights Reserved.
	3	*
	4	* @APPLE_LICENSE_HEADER_START@
	5	*
	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. Please obtain a copy of the License at
	10	* http://www.opensource.apple.com/apsl/ and read it before using this
	11	* file.
	12	*
	13	* The Original Code and all software distributed under the License are
	14	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	15	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	16	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	17	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	18	* Please see the License for the specific language governing rights and
	19	* limitations under the License.
	20	*
	21	* @APPLE_LICENSE_HEADER_END@
	22	*/
	23
	24
	25	#import <Foundation/Foundation.h>
	26
6b200bc3	27	#import <Security/SecKeyPriv.h>
866f8763	28	#import <Security/SecItemPriv.h>
6b200bc3 A	29	#import <Security/oidsalg.h>
6b200bc3 A	30
866f8763 A	31	#import <corecrypto/ccrng.h>
	32	#import <corecrypto/ccsha1.h>
	33	#import <corecrypto/ccsha2.h>
	34	#import <corecrypto/ccdigest.h>
	35	#import <corecrypto/ccrsa.h>
	36
fa7225c8 A	37	#include "shared_regressions.h"
	38
	39	static NSData decryptAndUnpad(SecKeyRef privateKey, SecKeyAlgorithm algorithm, NSData ciphertext, NSError **error) {
	40	NSData plaintext = CFBridgingRelease(SecKeyCreateDecryptedData(privateKey, algorithm, (CFDataRef)ciphertext, (void )error));
	41	if (plaintext != nil && [(__bridge id)algorithm isEqual:(id)kSecKeyAlgorithmRSAEncryptionRaw]) {
	42	NSRange range = NSMakeRange(0, plaintext.length);
	43	while (((const UInt8 *)plaintext.bytes)[range.location] == 0x00 && range.location < plaintext.length) {
	44	range.length--;
	45	range.location++;
	46	}
	47	plaintext = [plaintext subdataWithRange:range];
	48	}
	49	return plaintext;
	50	}
	51
	52	static void test_encrypt_run(SecKeyRef privateKey, SecKeyRef publicKey, SecKeyRef iosPrivateKey, SecKeyRef iosPublicKey, SecKeyAlgorithm algorithm) {
	53	NSData original = [NSData dataWithBytes:"encrypt" length:7], plaintext;
	54	NSError *error;
	55
	56	error = nil;
	57	NSData ciphertext = CFBridgingRelease(SecKeyCreateEncryptedData(publicKey, algorithm, (CFDataRef)original, (void )&error));
	58	ok(ciphertext != nil, "RSA encrypt (native) succeeded (error: %@, key %@)", error, publicKey);
	59
	60	error = nil;
	61	NSData iosCiphertext = CFBridgingRelease(SecKeyCreateEncryptedData(iosPublicKey, algorithm, (CFDataRef)original, (void )&error));
	62	ok(iosCiphertext != nil, "RSA encrypt (native) succeeded (error: %@, key %@)", error, iosPublicKey);
	63
	64	error = nil;
	65	plaintext = decryptAndUnpad(privateKey, algorithm, ciphertext, &error);
	66	ok(plaintext != nil, "RSA decrypt (native) succeeded (error: %@, key %@)", error, privateKey);
	67	ok([plaintext isEqual:original], "(native -> native) plaintext equals original (%@ : %@)", original, plaintext);
	68
	69	error = nil;
	70	plaintext = decryptAndUnpad(privateKey, algorithm, iosCiphertext, &error);
	71	ok(plaintext != nil, "RSA decrypt (native) succeeded (error: %@, key %@)", error, privateKey);
	72	ok([plaintext isEqual:original], "(ios -> native) plaintext equals original (%@ : %@)", original, plaintext);
	73
	74	error = nil;
	75	plaintext = decryptAndUnpad(iosPrivateKey, algorithm, ciphertext, &error);
	76	ok(plaintext != nil, "RSA decrypt (ios) succeeded (error: %@, key %@)", error, privateKey);
	77	ok([plaintext isEqual:original], "(native -> ios) plaintext equals original (%@ : %@)", original, plaintext);
	78
	79	error = nil;
	80	plaintext = decryptAndUnpad(iosPrivateKey, algorithm, iosCiphertext, &error);
	81	ok(plaintext != nil, "RSA decrypt (ios) succeeded (error: %@, key %@)", error, privateKey);
	82	ok([plaintext isEqual:original], "(ios -> ios) plaintext equals original (%@ : %@)", original, plaintext);
	83	}
	84	static const int TestCountEncryptRun = 10;
	85
	86	static void test_encrypt_keypair_run(int keySizeInBits, NSArray algorithms, NSArray failAlgorithms) {
	87	NSError *error;
	88	NSDictionary *params = @{(id)kSecAttrKeyType: (id)kSecAttrKeyTypeRSA, (id)kSecAttrKeySizeInBits: @(keySizeInBits)};
	89
	90	error = nil;
	91	id privateKey = CFBridgingRelease(SecKeyCreateRandomKey((CFDictionaryRef)params, (void *)&error));
	92	ok(privateKey != nil, "generate private key (error %@)", error);
	93
	94	id publicKey = CFBridgingRelease(SecKeyCopyPublicKey((SecKeyRef)privateKey));
	95	ok(publicKey != nil, "get public key");
	96
	97	NSData *data = CFBridgingRelease(SecKeyCopyExternalRepresentation((SecKeyRef)privateKey, NULL));
	98	NSDictionary *attrs = CFBridgingRelease(SecKeyCopyAttributes((SecKeyRef)privateKey));
	99	error = nil;
	100	id iosPrivateKey = CFBridgingRelease(SecKeyCreateWithData((CFDataRef)data, (CFDictionaryRef)attrs, (void *)&error));
101	ok(iosPrivateKey != nil, "get private key created from data");
102
103	data = CFBridgingRelease(SecKeyCopyExternalRepresentation((SecKeyRef)publicKey, NULL));
104	attrs = CFBridgingRelease(SecKeyCopyAttributes((SecKeyRef)publicKey));
105	error = nil;
106	id iosPublicKey = CFBridgingRelease(SecKeyCreateWithData((CFDataRef)data, (CFDictionaryRef)attrs, (void *)&error));
107	ok(iosPublicKey != nil, "get public key created from data");
108
109	for (id algorithm in algorithms) {
110	test_encrypt_run((__bridge SecKeyRef)privateKey, (__bridge SecKeyRef)publicKey,
111	(__bridge SecKeyRef)iosPrivateKey, (__bridge SecKeyRef)iosPublicKey,
112	(__bridge SecKeyAlgorithm)algorithm);
113	}
114
115	for (id algorithm in failAlgorithms) {
116	error = nil;
117	NSData data = CFBridgingRelease(SecKeyCreateEncryptedData((SecKeyRef)publicKey, (SecKeyAlgorithm)algorithm, (CFDataRef)[NSData data], (void )&error));
118	ok(data == nil && error.code == errSecParam, "incorrect algorithm refused");
119	}
120	}
121	static const int TestCountEncryptKeypairRun = 4;
122
123	static void test_encryption() {
124	test_encrypt_keypair_run(1024,
125	@[
126	(id)kSecKeyAlgorithmRSAEncryptionRaw,
127	(id)kSecKeyAlgorithmRSAEncryptionPKCS1,
128	(id)kSecKeyAlgorithmRSAEncryptionOAEPSHA1,
129	(id)kSecKeyAlgorithmRSAEncryptionOAEPSHA224,
130	(id)kSecKeyAlgorithmRSAEncryptionOAEPSHA256,
131	(id)kSecKeyAlgorithmRSAEncryptionOAEPSHA384,
132	],
133	@[
134	(id)kSecKeyAlgorithmRSAEncryptionOAEPSHA512,
135	]);
136
137	test_encrypt_keypair_run(2048,
138	@[
139	(id)kSecKeyAlgorithmRSAEncryptionRaw,
140	(id)kSecKeyAlgorithmRSAEncryptionPKCS1,
141	(id)kSecKeyAlgorithmRSAEncryptionOAEPSHA1,
142	(id)kSecKeyAlgorithmRSAEncryptionOAEPSHA224,
143	(id)kSecKeyAlgorithmRSAEncryptionOAEPSHA256,
144	(id)kSecKeyAlgorithmRSAEncryptionOAEPSHA384,
145	(id)kSecKeyAlgorithmRSAEncryptionOAEPSHA512,
146	],
147	@[
148	]);
149	}
150	static const int TestCountEncryption =
151	TestCountEncryptKeypairRun + (TestCountEncryptRun * 6) + (1 * 1) +
152	TestCountEncryptKeypairRun + (TestCountEncryptRun * 7) + (1 * 0);
153
866f8763 A	154	static void test_pss_sign_run(SecKeyRef privateKey, SecKeyAlgorithm algorithm, SecKeyAlgorithm digestAlgorithm,
	155	const struct ccdigest_info *di) {
	156	NSError *error;
	157	id publicKey = CFBridgingRelease(SecKeyCopyPublicKey(privateKey));
	158	NSData *message = [NSData dataWithBytes:"1234" length:4];
	159	NSMutableData *digest = [NSMutableData dataWithLength:di->output_size];
	160	ccdigest(di, message.length, message.bytes, digest.mutableBytes);
	161
	162	// Verify algorithm's availability
	163	ok(SecKeyIsAlgorithmSupported((SecKeyRef)privateKey, kSecKeyOperationTypeSign, algorithm), "algorithm %@ available on key %@", algorithm, privateKey);
	164	ok(SecKeyIsAlgorithmSupported((SecKeyRef)privateKey, kSecKeyOperationTypeSign, digestAlgorithm), "algorithm %@ available on key %@", digestAlgorithm, privateKey);
	165
	166	// Calculate signature of the message using SecKey
	167	error = nil;
	168	NSData signature = CFBridgingRelease(SecKeyCreateSignature(privateKey, algorithm, (CFDataRef)message, (void )&error));
	169	ok(signature != nil, "sign message with algorithm %@: error %@", algorithm, error);
	170
	171	// Verify signature of the message using SecKey
	172	error = nil;
	173	Boolean verified = SecKeyVerifySignature((SecKeyRef)publicKey, algorithm, (CFDataRef)message, (CFDataRef)signature, (void *)&error);
	174	ok(verified, "signature verified for algorithm %@: error %@", algorithm, error);
	175
	176	// Calculate signature of the digest using SecKey
	177	error = nil;
	178	signature = CFBridgingRelease(SecKeyCreateSignature(privateKey, digestAlgorithm, (CFDataRef)digest, (void *)&error));
	179	ok(signature != nil, "sign digest with algorithm %@: error %@", digestAlgorithm, error);
	180
	181	// Verify signature of the digest using CC
	182	NSData pubData = CFBridgingRelease(SecKeyCopyExternalRepresentation((SecKeyRef)publicKey, (void )&error));
	183	ok(pubData != nil, "export public key: error %@", error);
	184	cc_size n = ccrsa_import_pub_n(pubData.length, pubData.bytes);
	185	ccrsa_pub_ctx_decl(ccn_sizeof_n(n), ccpub);
	186	ccrsa_ctx_n(ccpub) = n;
	187	int err = ccrsa_import_pub(ccpub, pubData.length, pubData.bytes);
	188	is(err, 0, "ccrsa_import_pub(key=%@) failed", publicKey);
	189
	190	bool valid = false;
	191	err = ccrsa_verify_pss(ccpub, di, di, di->output_size, digest.bytes, signature.length, signature.bytes, di->output_size, &valid);
	192	is(err, 0, "ccrsa_verify_pss(%@) failed", algorithm);
	193	ok(valid, "ccrsa verify signature (alg %@)", algorithm);
	194
	195	// Calculate signature of the digest using CC
	196	error = nil;
	197	NSData privData = CFBridgingRelease(SecKeyCopyExternalRepresentation(privateKey, (void )&error));
	198	ok(privData != nil, "export private key: error %@", error);
	199	n = ccrsa_import_priv_n(privData.length, privData.bytes);
	200	ccrsa_full_ctx_decl(ccn_sizeof_n(n), ccpriv);
	201	ccrsa_ctx_n(ccpriv) = n;
	202	err = ccrsa_import_priv(ccpriv, privData.length, privData.bytes);
	203	is(err, 0, "ccrsa_import_priv(key=%@) failed", privateKey);
	204
	205	NSMutableData *ccSig = [NSMutableData dataWithLength:SecKeyGetBlockSize(privateKey)];
	206	size_t sigSize = ccSig.length;
	207	err = ccrsa_sign_pss(ccpriv, di, di, di->output_size, ccrng(NULL), digest.length, digest.bytes, &sigSize, ccSig.mutableBytes);
	208	is(err, 0, "ccrsa_sign_pss(%@) failed", digestAlgorithm);
	209	is(sigSize, ccSig.length, "unexpected signature size for algorithm %@", digestAlgorithm);
	210
	211	// Verify signature of the digest using SecKey
	212	error = nil;
	213	verified = SecKeyVerifySignature((SecKeyRef)publicKey, digestAlgorithm, (CFDataRef)digest, (CFDataRef)ccSig, (void *)&error);
	214	ok(verified, "signature verified for algorithm %@: error %@", digestAlgorithm, error);
	215	}
	216	static const int TestCountPSSSignRun = 14;
	217
218	static void test_pss_sign() {
219	NSError *error;
220	NSDictionary *params = @{(id)kSecAttrKeyType: (id)kSecAttrKeyTypeRSA, (id)kSecAttrKeySizeInBits: @1024};
221
222	error = nil;
223	id privateKey = CFBridgingRelease(SecKeyCreateRandomKey((CFDictionaryRef)params, (void *)&error));
224	ok(privateKey != nil, "generate private key (error %@)", error);
225
226	test_pss_sign_run((__bridge SecKeyRef)privateKey, kSecKeyAlgorithmRSASignatureMessagePSSSHA1, kSecKeyAlgorithmRSASignatureDigestPSSSHA1, ccsha1_di());
227	test_pss_sign_run((__bridge SecKeyRef)privateKey, kSecKeyAlgorithmRSASignatureMessagePSSSHA224, kSecKeyAlgorithmRSASignatureDigestPSSSHA224, ccsha224_di());
228	test_pss_sign_run((__bridge SecKeyRef)privateKey, kSecKeyAlgorithmRSASignatureMessagePSSSHA256, kSecKeyAlgorithmRSASignatureDigestPSSSHA256, ccsha256_di());
229	test_pss_sign_run((__bridge SecKeyRef)privateKey, kSecKeyAlgorithmRSASignatureMessagePSSSHA384, kSecKeyAlgorithmRSASignatureDigestPSSSHA384, ccsha384_di());
230
231	// RSASSA-PSS requires hlen + slen + 2 size modulus, so it requires at least 1040bit keys, and should not be available for 1024b keys.
232	ok(!SecKeyIsAlgorithmSupported((SecKeyRef)privateKey, kSecKeyOperationTypeSign, kSecKeyAlgorithmRSASignatureDigestPSSSHA512));
233	ok(!SecKeyIsAlgorithmSupported((SecKeyRef)privateKey, kSecKeyOperationTypeSign, kSecKeyAlgorithmRSASignatureMessagePSSSHA512));
234
235	error = nil;
236	params = @{(id)kSecAttrKeyType: (id)kSecAttrKeyTypeRSA, (id)kSecAttrKeySizeInBits: @2048};
237	privateKey = CFBridgingRelease(SecKeyCreateRandomKey((CFDictionaryRef)params, (void *)&error));
238	ok(privateKey != nil, "generate private key (error %@)", error);
239
240	test_pss_sign_run((__bridge SecKeyRef)privateKey, kSecKeyAlgorithmRSASignatureMessagePSSSHA1, kSecKeyAlgorithmRSASignatureDigestPSSSHA1, ccsha1_di());
241	test_pss_sign_run((__bridge SecKeyRef)privateKey, kSecKeyAlgorithmRSASignatureMessagePSSSHA224, kSecKeyAlgorithmRSASignatureDigestPSSSHA224, ccsha224_di());
242	test_pss_sign_run((__bridge SecKeyRef)privateKey, kSecKeyAlgorithmRSASignatureMessagePSSSHA256, kSecKeyAlgorithmRSASignatureDigestPSSSHA256, ccsha256_di());
243	test_pss_sign_run((__bridge SecKeyRef)privateKey, kSecKeyAlgorithmRSASignatureMessagePSSSHA384, kSecKeyAlgorithmRSASignatureDigestPSSSHA384, ccsha384_di());
244	test_pss_sign_run((__bridge SecKeyRef)privateKey, kSecKeyAlgorithmRSASignatureMessagePSSSHA512, kSecKeyAlgorithmRSASignatureDigestPSSSHA512, ccsha512_di());
245	}
246	static const int TestCountPSSSign = 1 + TestCountPSSSignRun * 4 + 2 + 1 + TestCountPSSSignRun * 5;
247
b04fe171 A	248	static void test_bad_input(NSInteger keySizeInBits, NSInteger inputSize, SecKeyAlgorithm algorithm) {
	249	NSError *error;
	250	NSDictionary *params = @{(id)kSecAttrKeyType: (id)kSecAttrKeyTypeRSA, (id)kSecAttrKeySizeInBits: @(keySizeInBits)};
	251
	252	error = nil;
	253	id privateKey = CFBridgingRelease(SecKeyCreateRandomKey((CFDictionaryRef)params, (void *)&error));
	254	ok(privateKey != nil, "generate private key (error %@)", error);
	255	id publicKey = CFBridgingRelease(SecKeyCopyPublicKey((SecKeyRef)privateKey));
	256
	257	NSData input, output;
	258
	259	error = nil;
	260	input = [NSMutableData dataWithLength:inputSize];
	261	output = CFBridgingRelease(SecKeyCreateEncryptedData((SecKeyRef)publicKey, algorithm, (CFDataRef)input, (void *)&error));
	262	ok(output, "encryption succeeds at the border size %d (key=%dbytes, %@)", (int)input.length, (int)keySizeInBits / 8, algorithm);
	263	is((NSInteger)output.length, keySizeInBits / 8, "Unexpected output block size");
	264
	265	input = [NSMutableData dataWithLength:inputSize + 1];
	266	output = CFBridgingRelease(SecKeyCreateEncryptedData((SecKeyRef)publicKey, algorithm, (CFDataRef)input, (void *)&error));
	267	ok(output == nil, "encryption did not fail for border size %d (key=%dbytes, output=%dbytes, %@)", (int)input.length, (int)keySizeInBits / 8, (int)output.length, algorithm);
	268	is_status((OSStatus)error.code, errSecParam, "Fails with errSecParam for too long input (%@)", algorithm);
	269	}
	270	static const int TestCountBadInputSizeStep = 5;
	271
	272	static void test_bad_input_size() {
	273	test_bad_input(1024, 128, kSecKeyAlgorithmRSAEncryptionRaw);
	274	test_bad_input(2048, 256, kSecKeyAlgorithmRSAEncryptionRaw);
	275	test_bad_input(1024, 128 - 11, kSecKeyAlgorithmRSAEncryptionPKCS1);
	276	test_bad_input(2048, 256 - 11, kSecKeyAlgorithmRSAEncryptionPKCS1);
	277	test_bad_input(1024, 128 - 42, kSecKeyAlgorithmRSAEncryptionOAEPSHA1);
	278	test_bad_input(2048, 256 - 42, kSecKeyAlgorithmRSAEncryptionOAEPSHA1);
	279	test_bad_input(1024, 128 - 66, kSecKeyAlgorithmRSAEncryptionOAEPSHA256);
	280	test_bad_input(2048, 256 - 66, kSecKeyAlgorithmRSAEncryptionOAEPSHA256);
	281	}
	282	static const int TestCountBadInputSize = TestCountBadInputSizeStep * 8;
	283
6b200bc3 A	284	static void test_bad_signature() {
	285	NSDictionary *params = @{ (id)kSecAttrKeyType: (id)kSecAttrKeyTypeRSA, (id)kSecAttrKeySizeInBits: @2048 };
	286	NSError *error;
	287	id privateKey = CFBridgingRelease(SecKeyCreateRandomKey((CFDictionaryRef)params, (void *)&error));
	288	ok(privateKey, "Generate RSA-2048 temporary key, err %@", error);
	289	id publicKey = CFBridgingRelease(SecKeyCopyPublicKey((SecKeyRef)privateKey));
	290	ok(publicKey, "Get public key from private key");
	291
	292	#if TARGET_OS_IPHONE
	293	SecKeyAlgorithm algorithm = kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA1;
	294	#else
	295	SecKeyAlgorithm algorithm = kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA1;
	296	#endif
	297
	298	char digest[20] = "digest";
	299	NSData *digestData = [NSData dataWithBytes:digest length:sizeof(digest)];
	300	NSData signature = CFBridgingRelease(SecKeyCreateSignature((SecKeyRef)privateKey, algorithm, (CFDataRef)digestData, (void )&error));
	301	ok(signature, "Sign digest, err %@", error);
	302
	303	bool result = SecKeyVerifySignature((SecKeyRef)publicKey, algorithm, (CFDataRef)digestData, (CFDataRef)signature, (void *)&error);
	304	ok(result, "Verify signature, err %@", error);
	305
	306	OSStatus status = SecKeyRawVerify((SecKeyRef)publicKey, kSecPaddingPKCS1SHA1, (const uint8_t *)digest, sizeof(digest), signature.bytes, signature.length);
	307	ok_status(status, "Raw verify correct signature");
	308
	309	status = SecKeyRawVerify((SecKeyRef)publicKey, kSecPaddingPKCS1SHA1, (const uint8_t )digest, sizeof(digest), (void _Nonnull)NULL, 0);
	310	is_status(status, errSSLCrypto, "NULL signature failure");
	311
	312	const SecAsn1AlgId algId = { .algorithm = CSSMOID_SHA1WithRSA };
	313	signature = CFBridgingRelease(SecKeyCreateSignature((SecKeyRef)privateKey, kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA1, (CFDataRef)digestData, (void *)&error));
	314	ok(signature, "Sign message, err %@", error);
	315
	316	status = SecKeyDigestAndVerify((__bridge SecKeyRef)publicKey, &algId, (const uint8_t *)digest, sizeof(digest), signature.bytes, signature.length);
	317	ok_status(status, "Raw verify correct signature");
	318
	319	status = SecKeyDigestAndVerify((__bridge SecKeyRef)publicKey, &algId, (const uint8_t )digest, sizeof(digest), (void _Nonnull)NULL, 0);
	320	is_status(status, errSSLCrypto, "NULL signature failure");
	321
	322	signature = CFBridgingRelease(SecKeyCreateSignature((SecKeyRef)privateKey, kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA1, (CFDataRef)digestData, (void *)&error));
	323	ok(signature, "Sign message, err %@", error);
	324
	325	status = SecKeyVerifyDigest((__bridge SecKeyRef)publicKey, &algId, (const uint8_t *)digest, sizeof(digest), signature.bytes, signature.length);
	326	ok_status(status, "Raw verify correct signature");
	327
	328	status = SecKeyVerifyDigest((__bridge SecKeyRef)publicKey, &algId, (const uint8_t )digest, sizeof(digest), (void _Nonnull)NULL, 0);
	329	is_status(status, errSSLCrypto, "NULL signature failure");
	330	}
	331	static const int TestCountBadSignature = 12;
	332
b04fe171 A	333	static const int TestCount =
b04fe171 A	334	TestCountEncryption +
866f8763	335	TestCountPSSSign +
6b200bc3 A	336	TestCountBadInputSize +
6b200bc3 A	337	TestCountBadSignature;
b04fe171	338
fa7225c8 A	339	int si_44_seckey_rsa(int argc, char const argv) {
	340	plan_tests(TestCount);
	341
	342	@autoreleasepool {
	343	test_encryption();
866f8763	344	test_pss_sign();
b04fe171	345	test_bad_input_size();
6b200bc3	346	test_bad_signature();
fa7225c8 A	347	}
	348
	349	return 0;
	350	}