1 /*
2 * PKCS #11 FIPS Power-Up Self Test.
3 *
4 * This Source Code Form is subject to the terms of the Mozilla Public
5 * License, v. 2.0. If a copy of the MPL was not distributed with this
6 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
7
8 #include "seccomon.h"
9 #include "blapi.h"
10 #include "softoken.h"
11 #include "lowkeyi.h"
12 #include "secoid.h"
13 #include "secerr.h"
14
15 /*
16 * different platforms have different ways of calling and initial entry point
17 * when the dll/.so is loaded. Most platforms support either a posix pragma
18 * or the GCC attribute. Some platforms suppor a pre-defined name, and some
19 * platforms have a link line way of invoking this function.
20 */
21
22 /* The pragma */
23 #if defined(USE_INIT_PRAGMA)
24 #pragma init(sftk_startup_tests)
25 #endif
26
27 /* GCC Attribute */
28 #if defined(__GNUC__) && !defined(NSS_NO_INIT_SUPPORT)
29 #define INIT_FUNCTION __attribute__((constructor))
30 #else
31 #define INIT_FUNCTION
32 #endif
33
34 static void INIT_FUNCTION sftk_startup_tests(void);
35
36 /* Windows pre-defined entry */
37 #if defined(XP_WIN) && !defined(NSS_NO_INIT_SUPPORT)
38 #include <windows.h>
39
DllMain(HINSTANCE hinstDLL,DWORD fdwReason,LPVOID lpReserved)40 BOOL WINAPI DllMain(
41 HINSTANCE hinstDLL, // handle to DLL module
42 DWORD fdwReason, // reason for calling function
43 LPVOID lpReserved) // reserved
44 {
45 // Perform actions based on the reason for calling.
46 switch (fdwReason) {
47 case DLL_PROCESS_ATTACH:
48 // Initialize once for each new process.
49 // Return FALSE to fail DLL load.
50 sftk_startup_tests();
51 break;
52
53 case DLL_THREAD_ATTACH:
54 // Do thread-specific initialization.
55 break;
56
57 case DLL_THREAD_DETACH:
58 // Do thread-specific cleanup.
59 break;
60
61 case DLL_PROCESS_DETACH:
62 // Perform any necessary cleanup.
63 break;
64 }
65 return TRUE; // Successful DLL_PROCESS_ATTACH.
66 }
67 #endif
68
69 /* FIPS preprocessor directives for RSA. */
70 #define FIPS_RSA_TYPE siBuffer
71 #define FIPS_RSA_PUBLIC_EXPONENT_LENGTH 3 /* 24-bits */
72 #define FIPS_RSA_PRIVATE_VERSION_LENGTH 1 /* 8-bits */
73 #define FIPS_RSA_MESSAGE_LENGTH 256 /* 2048-bits */
74 #define FIPS_RSA_COEFFICIENT_LENGTH 128 /* 1024-bits */
75 #define FIPS_RSA_PRIME0_LENGTH 128 /* 1024-bits */
76 #define FIPS_RSA_PRIME1_LENGTH 128 /* 1024-bits */
77 #define FIPS_RSA_EXPONENT0_LENGTH 128 /* 1024-bits */
78 #define FIPS_RSA_EXPONENT1_LENGTH 128 /* 1024-bits */
79 #define FIPS_RSA_PRIVATE_EXPONENT_LENGTH 256 /* 2048-bits */
80 #define FIPS_RSA_ENCRYPT_LENGTH 256 /* 2048-bits */
81 #define FIPS_RSA_DECRYPT_LENGTH 256 /* 2048-bits */
82 #define FIPS_RSA_SIGNATURE_LENGTH 256 /* 2048-bits */
83 #define FIPS_RSA_MODULUS_LENGTH 256 /* 2048-bits */
84
85 /*
86 * Test the softoken RSA_HashSign and RSH_HashCheckSign.
87 */
88 static SECStatus
sftk_fips_RSA_PowerUpSigSelfTest(HASH_HashType shaAlg,NSSLOWKEYPublicKey * rsa_public_key,NSSLOWKEYPrivateKey * rsa_private_key,const unsigned char * rsa_known_msg,const unsigned int rsa_kmsg_length,const unsigned char * rsa_known_signature)89 sftk_fips_RSA_PowerUpSigSelfTest(HASH_HashType shaAlg,
90 NSSLOWKEYPublicKey *rsa_public_key,
91 NSSLOWKEYPrivateKey *rsa_private_key,
92 const unsigned char *rsa_known_msg,
93 const unsigned int rsa_kmsg_length,
94 const unsigned char *rsa_known_signature)
95 {
96 SECOidTag shaOid; /* SHA OID */
97 unsigned char sha[HASH_LENGTH_MAX]; /* SHA digest */
98 unsigned int shaLength = 0; /* length of SHA */
99 unsigned int rsa_bytes_signed;
100 unsigned char rsa_computed_signature[FIPS_RSA_SIGNATURE_LENGTH];
101 SECStatus rv;
102
103 if (shaAlg == HASH_AlgSHA1) {
104 if (SHA1_HashBuf(sha, rsa_known_msg, rsa_kmsg_length) != SECSuccess) {
105 goto loser;
106 }
107 shaLength = SHA1_LENGTH;
108 shaOid = SEC_OID_SHA1;
109 } else if (shaAlg == HASH_AlgSHA256) {
110 if (SHA256_HashBuf(sha, rsa_known_msg, rsa_kmsg_length) != SECSuccess) {
111 goto loser;
112 }
113 shaLength = SHA256_LENGTH;
114 shaOid = SEC_OID_SHA256;
115 } else if (shaAlg == HASH_AlgSHA384) {
116 if (SHA384_HashBuf(sha, rsa_known_msg, rsa_kmsg_length) != SECSuccess) {
117 goto loser;
118 }
119 shaLength = SHA384_LENGTH;
120 shaOid = SEC_OID_SHA384;
121 } else if (shaAlg == HASH_AlgSHA512) {
122 if (SHA512_HashBuf(sha, rsa_known_msg, rsa_kmsg_length) != SECSuccess) {
123 goto loser;
124 }
125 shaLength = SHA512_LENGTH;
126 shaOid = SEC_OID_SHA512;
127 } else {
128 goto loser;
129 }
130
131 /*************************************************/
132 /* RSA Single-Round Known Answer Signature Test. */
133 /*************************************************/
134
135 /* Perform RSA signature with the RSA private key. */
136 rv = RSA_HashSign(shaOid,
137 rsa_private_key,
138 rsa_computed_signature,
139 &rsa_bytes_signed,
140 FIPS_RSA_SIGNATURE_LENGTH,
141 sha,
142 shaLength);
143
144 if ((rv != SECSuccess) ||
145 (rsa_bytes_signed != FIPS_RSA_SIGNATURE_LENGTH) ||
146 (PORT_Memcmp(rsa_computed_signature, rsa_known_signature,
147 FIPS_RSA_SIGNATURE_LENGTH) != 0)) {
148 goto loser;
149 }
150
151 /****************************************************/
152 /* RSA Single-Round Known Answer Verification Test. */
153 /****************************************************/
154
155 /* Perform RSA verification with the RSA public key. */
156 rv = RSA_HashCheckSign(shaOid,
157 rsa_public_key,
158 rsa_computed_signature,
159 rsa_bytes_signed,
160 sha,
161 shaLength);
162
163 if (rv != SECSuccess) {
164 goto loser;
165 }
166 return (SECSuccess);
167
168 loser:
169
170 return (SECFailure);
171 }
172
173 static SECStatus
sftk_fips_RSA_PowerUpSelfTest(void)174 sftk_fips_RSA_PowerUpSelfTest(void)
175 {
176 /* RSA Known Modulus used in both Public/Private Key Values (2048-bits). */
177 static const PRUint8 rsa_modulus[FIPS_RSA_MODULUS_LENGTH] = {
178 0xb8, 0x15, 0x00, 0x33, 0xda, 0x0c, 0x9d, 0xa5,
179 0x14, 0x8c, 0xde, 0x1f, 0x23, 0x07, 0x54, 0xe2,
180 0xc6, 0xb9, 0x51, 0x04, 0xc9, 0x65, 0x24, 0x6e,
181 0x0a, 0x46, 0x34, 0x5c, 0x37, 0x86, 0x6b, 0x88,
182 0x24, 0x27, 0xac, 0xa5, 0x02, 0x79, 0xfb, 0xed,
183 0x75, 0xc5, 0x3f, 0x6e, 0xdf, 0x05, 0x5f, 0x0f,
184 0x20, 0x70, 0xa0, 0x5b, 0x85, 0xdb, 0xac, 0xb9,
185 0x5f, 0x02, 0xc2, 0x64, 0x1e, 0x84, 0x5b, 0x3e,
186 0xad, 0xbf, 0xf6, 0x2e, 0x51, 0xd6, 0xad, 0xf7,
187 0xa7, 0x86, 0x75, 0x86, 0xec, 0xa7, 0xe1, 0xf7,
188 0x08, 0xbf, 0xdc, 0x56, 0xb1, 0x3b, 0xca, 0xd8,
189 0xfc, 0x51, 0xdf, 0x9a, 0x2a, 0x37, 0x06, 0xf2,
190 0xd1, 0x6b, 0x9a, 0x5e, 0x2a, 0xe5, 0x20, 0x57,
191 0x35, 0x9f, 0x1f, 0x98, 0xcf, 0x40, 0xc7, 0xd6,
192 0x98, 0xdb, 0xde, 0xf5, 0x64, 0x53, 0xf7, 0x9d,
193 0x45, 0xf3, 0xd6, 0x78, 0xb9, 0xe3, 0xa3, 0x20,
194 0xcd, 0x79, 0x43, 0x35, 0xef, 0xd7, 0xfb, 0xb9,
195 0x80, 0x88, 0x27, 0x2f, 0x63, 0xa8, 0x67, 0x3d,
196 0x4a, 0xfa, 0x06, 0xc6, 0xd2, 0x86, 0x0b, 0xa7,
197 0x28, 0xfd, 0xe0, 0x1e, 0x93, 0x4b, 0x17, 0x2e,
198 0xb0, 0x11, 0x6f, 0xc6, 0x2b, 0x98, 0x0f, 0x15,
199 0xe3, 0x87, 0x16, 0x7a, 0x7c, 0x67, 0x3e, 0x12,
200 0x2b, 0xf8, 0xbe, 0x48, 0xc1, 0x97, 0x47, 0xf4,
201 0x1f, 0x81, 0x80, 0x12, 0x28, 0xe4, 0x7b, 0x1e,
202 0xb7, 0x00, 0xa4, 0xde, 0xaa, 0xfb, 0x0f, 0x77,
203 0x84, 0xa3, 0xd6, 0xb2, 0x03, 0x48, 0xdd, 0x53,
204 0x8b, 0x46, 0x41, 0x28, 0x52, 0xc4, 0x53, 0xf0,
205 0x1c, 0x95, 0xd9, 0x36, 0xe0, 0x0f, 0x26, 0x46,
206 0x9c, 0x61, 0x0e, 0x80, 0xca, 0x86, 0xaf, 0x39,
207 0x95, 0xe5, 0x60, 0x43, 0x61, 0x3e, 0x2b, 0xb4,
208 0xe8, 0xbd, 0x8d, 0x77, 0x62, 0xf5, 0x32, 0x43,
209 0x2f, 0x4b, 0x65, 0x82, 0x14, 0xdd, 0x29, 0x5b
210 };
211
212 /* RSA Known Public Key Values (24-bits). */
213 static const PRUint8 rsa_public_exponent[FIPS_RSA_PUBLIC_EXPONENT_LENGTH] = { 0x01, 0x00, 0x01 };
214 /* RSA Known Private Key Values (version is 8-bits), */
215 /* (private exponent is 2048-bits), */
216 /* (private prime0 is 1024-bits), */
217 /* (private prime1 is 1024-bits), */
218 /* (private prime exponent0 is 1024-bits), */
219 /* (private prime exponent1 is 1024-bits), */
220 /* and (private coefficient is 1024-bits). */
221 static const PRUint8 rsa_version[] = { 0x00 };
222
223 static const PRUint8 rsa_private_exponent[FIPS_RSA_PRIVATE_EXPONENT_LENGTH] = {
224 0x29, 0x08, 0x05, 0x53, 0x89, 0x76, 0xe6, 0x6c,
225 0xb5, 0x77, 0xf0, 0xca, 0xdf, 0xf3, 0xf2, 0x67,
226 0xda, 0x03, 0xd4, 0x9b, 0x4c, 0x88, 0xce, 0xe5,
227 0xf8, 0x44, 0x4d, 0xc7, 0x80, 0x58, 0xe5, 0xff,
228 0x22, 0x8f, 0xf5, 0x5b, 0x92, 0x81, 0xbe, 0x35,
229 0xdf, 0xda, 0x67, 0x99, 0x3e, 0xfc, 0xe3, 0x83,
230 0x6b, 0xa7, 0xaf, 0x16, 0xb7, 0x6f, 0x8f, 0xc0,
231 0x81, 0xfd, 0x0b, 0x77, 0x65, 0x95, 0xfb, 0x00,
232 0xad, 0x99, 0xec, 0x35, 0xc6, 0xe8, 0x23, 0x3e,
233 0xe0, 0x88, 0x88, 0x09, 0xdb, 0x16, 0x50, 0xb7,
234 0xcf, 0xab, 0x74, 0x61, 0x9e, 0x7f, 0xc5, 0x67,
235 0x38, 0x56, 0xc7, 0x90, 0x85, 0x78, 0x5e, 0x84,
236 0x21, 0x49, 0xea, 0xce, 0xb2, 0xa0, 0xff, 0xe4,
237 0x70, 0x7f, 0x57, 0x7b, 0xa8, 0x36, 0xb8, 0x54,
238 0x8d, 0x1d, 0xf5, 0x44, 0x9d, 0x68, 0x59, 0xf9,
239 0x24, 0x6e, 0x85, 0x8f, 0xc3, 0x5f, 0x8a, 0x2c,
240 0x94, 0xb7, 0xbc, 0x0e, 0xa5, 0xef, 0x93, 0x06,
241 0x38, 0xcd, 0x07, 0x0c, 0xae, 0xb8, 0x44, 0x1a,
242 0xd8, 0xe7, 0xf5, 0x9a, 0x1e, 0x9c, 0x18, 0xc7,
243 0x6a, 0xc2, 0x7f, 0x28, 0x01, 0x4f, 0xb4, 0xb8,
244 0x90, 0x97, 0x5a, 0x43, 0x38, 0xad, 0xe8, 0x95,
245 0x68, 0x83, 0x1a, 0x1b, 0x10, 0x07, 0xe6, 0x02,
246 0x52, 0x1f, 0xbf, 0x76, 0x6b, 0x46, 0xd6, 0xfb,
247 0xc3, 0xbe, 0xb5, 0xac, 0x52, 0x53, 0x01, 0x1c,
248 0xf3, 0xc5, 0xeb, 0x64, 0xf2, 0x1e, 0xc4, 0x38,
249 0xe9, 0xaa, 0xd9, 0xc3, 0x72, 0x51, 0xa5, 0x44,
250 0x58, 0x69, 0x0b, 0x1b, 0x98, 0x7f, 0xf2, 0x23,
251 0xff, 0xeb, 0xf0, 0x75, 0x24, 0xcf, 0xc5, 0x1e,
252 0xb8, 0x6a, 0xc5, 0x2f, 0x4f, 0x23, 0x50, 0x7d,
253 0x15, 0x9d, 0x19, 0x7a, 0x0b, 0x82, 0xe0, 0x21,
254 0x5b, 0x5f, 0x9d, 0x50, 0x2b, 0x83, 0xe4, 0x48,
255 0xcc, 0x39, 0xe5, 0xfb, 0x13, 0x7b, 0x6f, 0x81
256 };
257
258 static const PRUint8 rsa_prime0[FIPS_RSA_PRIME0_LENGTH] = {
259 0xe4, 0xbf, 0x21, 0x62, 0x9b, 0xa9, 0x77, 0x40,
260 0x8d, 0x2a, 0xce, 0xa1, 0x67, 0x5a, 0x4c, 0x96,
261 0x45, 0x98, 0x67, 0xbd, 0x75, 0x22, 0x33, 0x6f,
262 0xe6, 0xcb, 0x77, 0xde, 0x9e, 0x97, 0x7d, 0x96,
263 0x8c, 0x5e, 0x5d, 0x34, 0xfb, 0x27, 0xfc, 0x6d,
264 0x74, 0xdb, 0x9d, 0x2e, 0x6d, 0xf6, 0xea, 0xfc,
265 0xce, 0x9e, 0xda, 0xa7, 0x25, 0xa2, 0xf4, 0x58,
266 0x6d, 0x0a, 0x3f, 0x01, 0xc2, 0xb4, 0xab, 0x38,
267 0xc1, 0x14, 0x85, 0xb6, 0xfa, 0x94, 0xc3, 0x85,
268 0xf9, 0x3c, 0x2e, 0x96, 0x56, 0x01, 0xe7, 0xd6,
269 0x14, 0x71, 0x4f, 0xfb, 0x4c, 0x85, 0x52, 0xc4,
270 0x61, 0x1e, 0xa5, 0x1e, 0x96, 0x13, 0x0d, 0x8f,
271 0x66, 0xae, 0xa0, 0xcd, 0x7d, 0x25, 0x66, 0x19,
272 0x15, 0xc2, 0xcf, 0xc3, 0x12, 0x3c, 0xe8, 0xa4,
273 0x52, 0x4c, 0xcb, 0x28, 0x3c, 0xc4, 0xbf, 0x95,
274 0x33, 0xe3, 0x81, 0xea, 0x0c, 0x6c, 0xa2, 0x05
275 };
276 static const PRUint8 rsa_prime1[FIPS_RSA_PRIME1_LENGTH] = {
277 0xce, 0x03, 0x94, 0xf4, 0xa9, 0x2c, 0x1e, 0x06,
278 0xe7, 0x40, 0x30, 0x01, 0xf7, 0xbb, 0x68, 0x8c,
279 0x27, 0xd2, 0x15, 0xe3, 0x28, 0x49, 0x5b, 0xa8,
280 0xc1, 0x9a, 0x42, 0x7e, 0x31, 0xf9, 0x08, 0x34,
281 0x81, 0xa2, 0x0f, 0x04, 0x61, 0x34, 0xe3, 0x36,
282 0x92, 0xb1, 0x09, 0x2b, 0xe9, 0xef, 0x84, 0x88,
283 0xbe, 0x9c, 0x98, 0x60, 0xa6, 0x60, 0x84, 0xe9,
284 0x75, 0x6f, 0xcc, 0x81, 0xd1, 0x96, 0xef, 0xdd,
285 0x2e, 0xca, 0xc4, 0xf5, 0x42, 0xfb, 0x13, 0x2b,
286 0x57, 0xbf, 0x14, 0x5e, 0xc2, 0x7f, 0x77, 0x35,
287 0x29, 0xc4, 0xe5, 0xe0, 0xf9, 0x6d, 0x15, 0x4a,
288 0x42, 0x56, 0x1c, 0x3e, 0x0c, 0xc5, 0xce, 0x70,
289 0x08, 0x63, 0x1e, 0x73, 0xdb, 0x7e, 0x74, 0x05,
290 0x32, 0x01, 0xc6, 0x36, 0x32, 0x75, 0x6b, 0xed,
291 0x9d, 0xfe, 0x7c, 0x7e, 0xa9, 0x57, 0xb4, 0xe9,
292 0x22, 0xe4, 0xe7, 0xfe, 0x36, 0x07, 0x9b, 0xdf
293 };
294 static const PRUint8 rsa_exponent0[FIPS_RSA_EXPONENT0_LENGTH] = {
295 0x04, 0x5a, 0x3a, 0xa9, 0x64, 0xaa, 0xd9, 0xd1,
296 0x09, 0x9e, 0x99, 0xe5, 0xea, 0x50, 0x86, 0x8a,
297 0x89, 0x72, 0x77, 0xee, 0xdb, 0xee, 0xb5, 0xa9,
298 0xd8, 0x6b, 0x60, 0xb1, 0x84, 0xb4, 0xff, 0x37,
299 0xc1, 0x1d, 0xfe, 0x8a, 0x06, 0x89, 0x61, 0x3d,
300 0x37, 0xef, 0x01, 0xd3, 0xa3, 0x56, 0x02, 0x6c,
301 0xa3, 0x05, 0xd4, 0xc5, 0x3f, 0x6b, 0x15, 0x59,
302 0x25, 0x61, 0xff, 0x86, 0xea, 0x0c, 0x84, 0x01,
303 0x85, 0x72, 0xfd, 0x84, 0x58, 0xca, 0x41, 0xda,
304 0x27, 0xbe, 0xe4, 0x68, 0x09, 0xe4, 0xe9, 0x63,
305 0x62, 0x6a, 0x31, 0x8a, 0x67, 0x8f, 0x55, 0xde,
306 0xd4, 0xb6, 0x3f, 0x90, 0x10, 0x6c, 0xf6, 0x62,
307 0x17, 0x23, 0x15, 0x7e, 0x33, 0x76, 0x65, 0xb5,
308 0xee, 0x7b, 0x11, 0x76, 0xf5, 0xbe, 0xe0, 0xf2,
309 0x57, 0x7a, 0x8c, 0x97, 0x0c, 0x68, 0xf5, 0xf8,
310 0x41, 0xcf, 0x7f, 0x66, 0x53, 0xac, 0x31, 0x7d
311 };
312 static const PRUint8 rsa_exponent1[FIPS_RSA_EXPONENT1_LENGTH] = {
313 0x93, 0x54, 0x14, 0x6e, 0x73, 0x9d, 0x4d, 0x4b,
314 0xfa, 0x8c, 0xf8, 0xc8, 0x2f, 0x76, 0x22, 0xea,
315 0x38, 0x80, 0x11, 0x8f, 0x05, 0xfc, 0x90, 0x44,
316 0x3b, 0x50, 0x2a, 0x45, 0x3d, 0x4f, 0xaf, 0x02,
317 0x7d, 0xc2, 0x7b, 0xa2, 0xd2, 0x31, 0x94, 0x5c,
318 0x2e, 0xc3, 0xd4, 0x9f, 0x47, 0x09, 0x37, 0x6a,
319 0xe3, 0x85, 0xf1, 0xa3, 0x0c, 0xd8, 0xf1, 0xb4,
320 0x53, 0x7b, 0xc4, 0x71, 0x02, 0x86, 0x42, 0xbb,
321 0x96, 0xff, 0x03, 0xa3, 0xb2, 0x67, 0x03, 0xea,
322 0x77, 0x31, 0xfb, 0x4b, 0x59, 0x24, 0xf7, 0x07,
323 0x59, 0xfb, 0xa9, 0xba, 0x1e, 0x26, 0x58, 0x97,
324 0x66, 0xa1, 0x56, 0x49, 0x39, 0xb1, 0x2c, 0x55,
325 0x0a, 0x6a, 0x78, 0x18, 0xba, 0xdb, 0xcf, 0xf4,
326 0xf7, 0x32, 0x35, 0xa2, 0x04, 0xab, 0xdc, 0xa7,
327 0x6d, 0xd9, 0xd5, 0x06, 0x6f, 0xec, 0x7d, 0x40,
328 0x4c, 0xe8, 0x0e, 0xd0, 0xc9, 0xaa, 0xdf, 0x59
329 };
330 static const PRUint8 rsa_coefficient[FIPS_RSA_COEFFICIENT_LENGTH] = {
331 0x17, 0xd7, 0xf5, 0x0a, 0xf0, 0x68, 0x97, 0x96,
332 0xc4, 0x29, 0x18, 0x77, 0x9a, 0x1f, 0xe3, 0xf3,
333 0x12, 0x13, 0x0f, 0x7e, 0x7b, 0xb9, 0xc1, 0x91,
334 0xf9, 0xc7, 0x08, 0x56, 0x5c, 0xa4, 0xbc, 0x83,
335 0x71, 0xf9, 0x78, 0xd9, 0x2b, 0xec, 0xfe, 0x6b,
336 0xdc, 0x2f, 0x63, 0xc9, 0xcd, 0x50, 0x14, 0x5b,
337 0xd3, 0x6e, 0x85, 0x4d, 0x0c, 0xa2, 0x0b, 0xa0,
338 0x09, 0xb6, 0xca, 0x34, 0x9c, 0xc2, 0xc1, 0x4a,
339 0xb0, 0xbc, 0x45, 0x93, 0xa5, 0x7e, 0x99, 0xb5,
340 0xbd, 0xe4, 0x69, 0x29, 0x08, 0x28, 0xd2, 0xcd,
341 0xab, 0x24, 0x78, 0x48, 0x41, 0x26, 0x0b, 0x37,
342 0xa3, 0x43, 0xd1, 0x95, 0x1a, 0xd6, 0xee, 0x22,
343 0x1c, 0x00, 0x0b, 0xc2, 0xb7, 0xa4, 0xa3, 0x21,
344 0xa9, 0xcd, 0xe4, 0x69, 0xd3, 0x45, 0x02, 0xb1,
345 0xb7, 0x3a, 0xbf, 0x51, 0x35, 0x1b, 0x78, 0xc2,
346 0xcf, 0x0c, 0x0d, 0x60, 0x09, 0xa9, 0x44, 0x02
347 };
348
349 /* RSA Known Plaintext Message (1024-bits). */
350 static const PRUint8 rsa_known_plaintext_msg[FIPS_RSA_MESSAGE_LENGTH] = {
351 "Known plaintext message utilized"
352 "for RSA Encryption & Decryption"
353 "blocks SHA256, SHA384 and "
354 "SHA512 RSA Signature KAT tests. "
355 "Known plaintext message utilized"
356 "for RSA Encryption & Decryption"
357 "blocks SHA256, SHA384 and "
358 "SHA512 RSA Signature KAT tests."
359 };
360
361 /* RSA Known Signed Hash (2048-bits). */
362 static const PRUint8 rsa_known_sha256_signature[] = {
363 0x8c, 0x2d, 0x2e, 0xfb, 0x37, 0xb5, 0x6f, 0x38,
364 0x9f, 0x06, 0x5a, 0xf3, 0x8c, 0xa0, 0xd0, 0x7a,
365 0xde, 0xcf, 0xf9, 0x14, 0x95, 0x59, 0xd3, 0x5f,
366 0x51, 0x5d, 0x5d, 0xad, 0xd8, 0x71, 0x33, 0x50,
367 0x1d, 0x03, 0x3b, 0x3a, 0x32, 0x00, 0xb4, 0xde,
368 0x7f, 0xe4, 0xb1, 0xe5, 0x6b, 0x83, 0xf4, 0x80,
369 0x10, 0x3b, 0xb8, 0x8a, 0xdb, 0xe8, 0x0a, 0x42,
370 0x9e, 0x8d, 0xd7, 0xbe, 0xed, 0xde, 0x5a, 0x3d,
371 0xc6, 0xdb, 0xfe, 0x49, 0x6a, 0xe9, 0x1e, 0x75,
372 0x66, 0xf1, 0x3f, 0x9e, 0x3f, 0xff, 0x05, 0x65,
373 0xde, 0xca, 0x62, 0x62, 0xf3, 0xec, 0x53, 0x09,
374 0xa0, 0x37, 0xd5, 0x66, 0x62, 0x72, 0x14, 0xb6,
375 0x51, 0x32, 0x67, 0x50, 0xc1, 0xe1, 0x2f, 0x9e,
376 0x98, 0x4e, 0x53, 0x96, 0x55, 0x4b, 0xc4, 0x92,
377 0xc3, 0xb4, 0x80, 0xf0, 0x35, 0xc9, 0x00, 0x4b,
378 0x5c, 0x85, 0x92, 0xb1, 0xe8, 0x6e, 0xa5, 0x51,
379 0x38, 0x9f, 0xc9, 0x11, 0xb6, 0x14, 0xdf, 0x34,
380 0x64, 0x40, 0x82, 0x82, 0xde, 0x16, 0x69, 0x93,
381 0x89, 0x4e, 0x5c, 0x32, 0xf2, 0x0a, 0x4e, 0x9e,
382 0xbd, 0x63, 0x99, 0x4f, 0xf3, 0x15, 0x90, 0xc2,
383 0xfe, 0x6f, 0xb7, 0xf4, 0xad, 0xd4, 0x8e, 0x0b,
384 0xd2, 0xf5, 0x22, 0xd2, 0x71, 0x65, 0x13, 0xf7,
385 0x82, 0x7b, 0x75, 0xb6, 0xc1, 0xb4, 0x45, 0xbd,
386 0x8f, 0x95, 0xcf, 0x5b, 0x95, 0x32, 0xef, 0x18,
387 0x5f, 0xd3, 0xdf, 0x7e, 0x22, 0xdd, 0x25, 0xeb,
388 0xe1, 0xbf, 0x3b, 0x9a, 0x55, 0x75, 0x4f, 0x3c,
389 0x38, 0x67, 0x57, 0x04, 0x04, 0x57, 0x27, 0xf6,
390 0x34, 0x0e, 0x57, 0x8a, 0x7c, 0xff, 0x7d, 0xca,
391 0x8c, 0x06, 0xf8, 0x9d, 0xdb, 0xe4, 0xd8, 0x19,
392 0xdd, 0x4d, 0xfd, 0x8f, 0xa0, 0x06, 0x53, 0xe8,
393 0x33, 0x00, 0x70, 0x3f, 0x6b, 0xc3, 0xbd, 0x9a,
394 0x78, 0xb5, 0xa9, 0xef, 0x6d, 0xda, 0x67, 0x92
395 };
396
397 /* RSA Known Signed Hash (2048-bits). */
398 static const PRUint8 rsa_known_sha384_signature[] = {
399 0x20, 0x2d, 0x21, 0x3a, 0xaa, 0x1e, 0x05, 0x15,
400 0x5c, 0xca, 0x84, 0x86, 0xc0, 0x15, 0x81, 0xdf,
401 0xd4, 0x06, 0x9f, 0xe0, 0xc1, 0xed, 0xef, 0x0f,
402 0xfe, 0xb3, 0xc3, 0xbb, 0x28, 0xa5, 0x56, 0xbf,
403 0xe3, 0x11, 0x5c, 0xc2, 0xc0, 0x0b, 0xfa, 0xfa,
404 0x3d, 0xd3, 0x06, 0x20, 0xe2, 0xc9, 0xe4, 0x66,
405 0x28, 0xb7, 0xc0, 0x3b, 0x3c, 0x96, 0xc6, 0x49,
406 0x3b, 0xcf, 0x86, 0x49, 0x31, 0xaf, 0x5b, 0xa3,
407 0xec, 0x63, 0x10, 0xdf, 0xda, 0x2f, 0x68, 0xac,
408 0x7b, 0x3a, 0x49, 0xfa, 0xe6, 0x0d, 0xfe, 0x37,
409 0x17, 0x56, 0x8e, 0x5c, 0x48, 0x97, 0x43, 0xf7,
410 0xa0, 0xbc, 0xe3, 0x4b, 0x42, 0xde, 0x58, 0x1d,
411 0xd9, 0x5d, 0xb3, 0x08, 0x35, 0xbd, 0xa4, 0xe1,
412 0x80, 0xc3, 0x64, 0xab, 0x21, 0x97, 0xad, 0xfb,
413 0x71, 0xee, 0xa3, 0x3d, 0x9c, 0xaa, 0xfa, 0x16,
414 0x60, 0x46, 0x32, 0xda, 0x44, 0x2e, 0x10, 0x92,
415 0x20, 0xd8, 0x98, 0x80, 0x84, 0x75, 0x5b, 0x70,
416 0x91, 0x00, 0x33, 0x19, 0x69, 0xc9, 0x2a, 0xec,
417 0x3d, 0xe5, 0x5f, 0x0f, 0x9a, 0xa7, 0x97, 0x1f,
418 0x79, 0xc3, 0x1d, 0x65, 0x74, 0x62, 0xc5, 0xa1,
419 0x23, 0x65, 0x4b, 0x84, 0xa1, 0x03, 0x98, 0xf3,
420 0xf1, 0x02, 0x24, 0xca, 0xe5, 0xd4, 0xc8, 0xa2,
421 0x30, 0xad, 0x72, 0x7d, 0x29, 0x60, 0x1a, 0x8e,
422 0x6f, 0x23, 0xa4, 0xda, 0x68, 0xa4, 0x45, 0x9c,
423 0x39, 0x70, 0x44, 0x18, 0x4b, 0x73, 0xfe, 0xf8,
424 0x33, 0x53, 0x1d, 0x7e, 0x93, 0x93, 0xac, 0xc7,
425 0x1e, 0x6e, 0x6b, 0xfd, 0x9e, 0xba, 0xa6, 0x71,
426 0x70, 0x47, 0x6a, 0xd6, 0x82, 0x32, 0xa2, 0x6e,
427 0x20, 0x72, 0xb0, 0xba, 0xec, 0x91, 0xbb, 0x6b,
428 0xcc, 0x84, 0x0a, 0x33, 0x2b, 0x8a, 0x8d, 0xeb,
429 0x71, 0xcd, 0xca, 0x67, 0x1b, 0xad, 0x10, 0xd4,
430 0xce, 0x4f, 0xc0, 0x29, 0xec, 0xfa, 0xed, 0xfa
431 };
432
433 /* RSA Known Signed Hash (2048-bits). */
434 static const PRUint8 rsa_known_sha512_signature[] = {
435 0x35, 0x0e, 0x74, 0x9d, 0xeb, 0xc7, 0x67, 0x31,
436 0x9f, 0xff, 0x0b, 0xbb, 0x5e, 0x66, 0xb4, 0x2f,
437 0xbf, 0x72, 0x60, 0x4f, 0xe9, 0xbd, 0xec, 0xc8,
438 0x17, 0x79, 0x5f, 0x39, 0x83, 0xb4, 0x54, 0x2e,
439 0x01, 0xb9, 0xd3, 0x20, 0x47, 0xcb, 0xd4, 0x42,
440 0xf2, 0x6e, 0x36, 0xc1, 0x97, 0xad, 0xef, 0x8e,
441 0xe6, 0x51, 0xee, 0x5e, 0x9e, 0x88, 0xb4, 0x9d,
442 0xda, 0x3e, 0x77, 0x4b, 0xe8, 0xae, 0x48, 0x53,
443 0x2c, 0xc4, 0xd3, 0x25, 0x6b, 0x23, 0xb7, 0x54,
444 0x3c, 0x95, 0x8f, 0xfb, 0x6f, 0x6d, 0xc5, 0x56,
445 0x39, 0x69, 0x28, 0x0e, 0x74, 0x9b, 0x31, 0xe8,
446 0x76, 0x77, 0x2b, 0xc1, 0x44, 0x89, 0x81, 0x93,
447 0xfc, 0xf6, 0xec, 0x5f, 0x8f, 0x89, 0xfc, 0x1d,
448 0xa4, 0x53, 0x58, 0x8c, 0xe9, 0xc0, 0xc0, 0x26,
449 0xe6, 0xdf, 0x6d, 0x27, 0xb1, 0x8e, 0x3e, 0xb6,
450 0x47, 0xe1, 0x02, 0x96, 0xc2, 0x5f, 0x7f, 0x3d,
451 0xc5, 0x6c, 0x2f, 0xea, 0xaa, 0x5e, 0x39, 0xfc,
452 0x77, 0xca, 0x00, 0x02, 0x5c, 0x64, 0x7c, 0xce,
453 0x7d, 0x63, 0x82, 0x05, 0xed, 0xf7, 0x5b, 0x55,
454 0x58, 0xc0, 0xeb, 0x76, 0xd7, 0x95, 0x55, 0x37,
455 0x85, 0x7d, 0x17, 0xad, 0xd2, 0x11, 0xfd, 0x97,
456 0x48, 0xb5, 0xc2, 0x5e, 0xc7, 0x62, 0xc0, 0xe0,
457 0x68, 0xa8, 0x61, 0x14, 0x41, 0xca, 0x25, 0x3a,
458 0xec, 0x48, 0x54, 0x22, 0x83, 0x2b, 0x69, 0x54,
459 0xfd, 0xc8, 0x99, 0x9a, 0xee, 0x37, 0x03, 0xa3,
460 0x8f, 0x0f, 0x32, 0xb0, 0xaa, 0x74, 0x39, 0x04,
461 0x7c, 0xd9, 0xc2, 0x8f, 0xbe, 0xf2, 0xc4, 0xbe,
462 0xdd, 0x7a, 0x7a, 0x7f, 0x72, 0xd3, 0x80, 0x59,
463 0x18, 0xa0, 0xa1, 0x2d, 0x6f, 0xa3, 0xa9, 0x48,
464 0xed, 0x20, 0xa6, 0xea, 0xaa, 0x10, 0x83, 0x98,
465 0x0c, 0x13, 0x69, 0x6e, 0xcd, 0x31, 0x6b, 0xd0,
466 0x66, 0xa6, 0x5e, 0x30, 0x0c, 0x82, 0xd5, 0x81
467 };
468
469 static const RSAPublicKey bl_public_key = {
470 NULL,
471 { FIPS_RSA_TYPE, (unsigned char *)rsa_modulus,
472 FIPS_RSA_MODULUS_LENGTH },
473 { FIPS_RSA_TYPE, (unsigned char *)rsa_public_exponent,
474 FIPS_RSA_PUBLIC_EXPONENT_LENGTH }
475 };
476 static const RSAPrivateKey bl_private_key = {
477 NULL,
478 { FIPS_RSA_TYPE, (unsigned char *)rsa_version,
479 FIPS_RSA_PRIVATE_VERSION_LENGTH },
480 { FIPS_RSA_TYPE, (unsigned char *)rsa_modulus,
481 FIPS_RSA_MODULUS_LENGTH },
482 { FIPS_RSA_TYPE, (unsigned char *)rsa_public_exponent,
483 FIPS_RSA_PUBLIC_EXPONENT_LENGTH },
484 { FIPS_RSA_TYPE, (unsigned char *)rsa_private_exponent,
485 FIPS_RSA_PRIVATE_EXPONENT_LENGTH },
486 { FIPS_RSA_TYPE, (unsigned char *)rsa_prime0,
487 FIPS_RSA_PRIME0_LENGTH },
488 { FIPS_RSA_TYPE, (unsigned char *)rsa_prime1,
489 FIPS_RSA_PRIME1_LENGTH },
490 { FIPS_RSA_TYPE, (unsigned char *)rsa_exponent0,
491 FIPS_RSA_EXPONENT0_LENGTH },
492 { FIPS_RSA_TYPE, (unsigned char *)rsa_exponent1,
493 FIPS_RSA_EXPONENT1_LENGTH },
494 { FIPS_RSA_TYPE, (unsigned char *)rsa_coefficient,
495 FIPS_RSA_COEFFICIENT_LENGTH }
496 };
497
498 /* RSA variables. */
499 #ifdef CREATE_TEMP_ARENAS
500 PLArenaPool *rsa_public_arena;
501 PLArenaPool *rsa_private_arena;
502 #endif
503 NSSLOWKEYPublicKey *rsa_public_key;
504 NSSLOWKEYPrivateKey *rsa_private_key;
505 SECStatus rsa_status;
506
507 NSSLOWKEYPublicKey low_public_key = { NULL, NSSLOWKEYRSAKey };
508 NSSLOWKEYPrivateKey low_private_key = { NULL, NSSLOWKEYRSAKey };
509
510 /****************************************/
511 /* Compose RSA Public/Private Key Pair. */
512 /****************************************/
513
514 low_public_key.u.rsa = bl_public_key;
515 low_private_key.u.rsa = bl_private_key;
516
517 rsa_public_key = &low_public_key;
518 rsa_private_key = &low_private_key;
519
520 #ifdef CREATE_TEMP_ARENAS
521 /* Create some space for the RSA public key. */
522 rsa_public_arena = PORT_NewArena(NSS_SOFTOKEN_DEFAULT_CHUNKSIZE);
523
524 if (rsa_public_arena == NULL) {
525 PORT_SetError(SEC_ERROR_NO_MEMORY);
526 return (SECFailure);
527 }
528
529 /* Create some space for the RSA private key. */
530 rsa_private_arena = PORT_NewArena(NSS_SOFTOKEN_DEFAULT_CHUNKSIZE);
531
532 if (rsa_private_arena == NULL) {
533 PORT_FreeArena(rsa_public_arena, PR_TRUE);
534 PORT_SetError(SEC_ERROR_NO_MEMORY);
535 return (SECFailure);
536 }
537
538 rsa_public_key->arena = rsa_public_arena;
539 rsa_private_key->arena = rsa_private_arena;
540 #endif
541
542 /**************************************************/
543 /* RSA Hash tests */
544 /**************************************************/
545
546 rsa_status = sftk_fips_RSA_PowerUpSigSelfTest(HASH_AlgSHA256,
547 rsa_public_key, rsa_private_key,
548 rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH,
549 rsa_known_sha256_signature);
550 if (rsa_status != SECSuccess)
551 goto rsa_loser;
552
553 rsa_status = sftk_fips_RSA_PowerUpSigSelfTest(HASH_AlgSHA384,
554 rsa_public_key, rsa_private_key,
555 rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH,
556 rsa_known_sha384_signature);
557 if (rsa_status != SECSuccess)
558 goto rsa_loser;
559
560 rsa_status = sftk_fips_RSA_PowerUpSigSelfTest(HASH_AlgSHA512,
561 rsa_public_key, rsa_private_key,
562 rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH,
563 rsa_known_sha512_signature);
564 if (rsa_status != SECSuccess)
565 goto rsa_loser;
566
567 /* Dispose of all RSA key material. */
568 nsslowkey_DestroyPublicKey(rsa_public_key);
569 nsslowkey_DestroyPrivateKey(rsa_private_key);
570
571 return (SECSuccess);
572
573 rsa_loser:
574
575 nsslowkey_DestroyPublicKey(rsa_public_key);
576 nsslowkey_DestroyPrivateKey(rsa_private_key);
577
578 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
579 return (SECFailure);
580 }
581
582 static PRBool sftk_self_tests_ran = PR_FALSE;
583 static PRBool sftk_self_tests_success = PR_FALSE;
584
585 /*
586 * This function is called at dll load time, the code tha makes this
587 * happen is platform specific on defined above.
588 */
589 static void
sftk_startup_tests(void)590 sftk_startup_tests(void)
591 {
592 SECStatus rv;
593 const char *libraryName = SOFTOKEN_LIB_NAME;
594
595 PORT_Assert(!sftk_self_tests_ran);
596 PORT_Assert(!sftk_self_tests_success);
597 sftk_self_tests_ran = PR_TRUE;
598 sftk_self_tests_success = PR_FALSE; /* just in case */
599
600 /* need to initiallize the oid library before the RSA tests */
601 rv = SECOID_Init();
602 if (rv != SECSuccess) {
603 return;
604 }
605 /* make sure freebl is initialized, or our RSA check
606 * may fail. This is normally done at freebl load time, but it's
607 * possible we may have shut freebl down without unloading it. */
608 rv = BL_Init();
609 if (rv != SECSuccess) {
610 return;
611 }
612
613 rv = RNG_RNGInit();
614 if (rv != SECSuccess) {
615 return;
616 }
617 /* check the RSA combined functions in softoken */
618 rv = sftk_fips_RSA_PowerUpSelfTest();
619 if (rv != SECSuccess) {
620 return;
621 }
622 if (!BLAPI_SHVerify(libraryName,
623 (PRFuncPtr)&sftk_fips_RSA_PowerUpSelfTest)) {
624 /* something is wrong with the library, fail without enabling
625 * the token */
626 return;
627 }
628 sftk_self_tests_success = PR_TRUE;
629 }
630
631 /*
632 * this is called from nsc_Common_Initizialize entry points that gates access
633 * to * all other pkcs11 functions. This prevents softoken operation if our
634 * power on selftest failed.
635 */
636 CK_RV
sftk_FIPSEntryOK()637 sftk_FIPSEntryOK()
638 {
639 #ifdef NSS_NO_INIT_SUPPORT
640 /* this should only be set on platforms that can't handle one of the INIT
641 * schemes. This code allows those platforms to continue to function,
642 * though they don't meet the strict NIST requirements. If NSS_NO_INIT_SUPPORT
643 * is not set, and init support has not been properly enabled, softken
644 * will always fail because of the test below
645 */
646 if (!sftk_self_tests_ran) {
647 sftk_startup_tests();
648 }
649 #endif
650 if (!sftk_self_tests_success) {
651 return CKR_DEVICE_ERROR;
652 }
653 return CKR_OK;
654 }
655