1/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to.  The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 *    notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 *    notice, this list of conditions and the following disclaimer in the
29 *    documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 *    must display the following acknowledgement:
32 *    "This product includes cryptographic software written by
33 *     Eric Young (eay@cryptsoft.com)"
34 *    The word 'cryptographic' can be left out if the rouines from the library
35 *    being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 *    the apps directory (application code) you must include an acknowledgement:
38 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed.  i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.] */
56
57#include <openssl/rsa.h>
58
59#include <stdlib.h>
60#include <string.h>
61
62#include <gtest/gtest.h>
63
64#include <openssl/bn.h>
65#include <openssl/bytestring.h>
66#include <openssl/crypto.h>
67#include <openssl/err.h>
68#include <openssl/nid.h>
69
70#include "../fipsmodule/bn/internal.h"
71#include "../fipsmodule/rsa/internal.h"
72#include "../internal.h"
73#include "../test/test_util.h"
74
75
76// kPlaintext is a sample plaintext.
77static const uint8_t kPlaintext[] = "\x54\x85\x9b\x34\x2c\x49\xea\x2a";
78static const size_t kPlaintextLen = sizeof(kPlaintext) - 1;
79
80// kKey1 is a DER-encoded RSAPrivateKey.
81static const uint8_t kKey1[] =
82    "\x30\x82\x01\x38\x02\x01\x00\x02\x41\x00\xaa\x36\xab\xce\x88\xac\xfd\xff"
83    "\x55\x52\x3c\x7f\xc4\x52\x3f\x90\xef\xa0\x0d\xf3\x77\x4a\x25\x9f\x2e\x62"
84    "\xb4\xc5\xd9\x9c\xb5\xad\xb3\x00\xa0\x28\x5e\x53\x01\x93\x0e\x0c\x70\xfb"
85    "\x68\x76\x93\x9c\xe6\x16\xce\x62\x4a\x11\xe0\x08\x6d\x34\x1e\xbc\xac\xa0"
86    "\xa1\xf5\x02\x01\x11\x02\x40\x0a\x03\x37\x48\x62\x64\x87\x69\x5f\x5f\x30"
87    "\xbc\x38\xb9\x8b\x44\xc2\xcd\x2d\xff\x43\x40\x98\xcd\x20\xd8\xa1\x38\xd0"
88    "\x90\xbf\x64\x79\x7c\x3f\xa7\xa2\xcd\xcb\x3c\xd1\xe0\xbd\xba\x26\x54\xb4"
89    "\xf9\xdf\x8e\x8a\xe5\x9d\x73\x3d\x9f\x33\xb3\x01\x62\x4a\xfd\x1d\x51\x02"
90    "\x21\x00\xd8\x40\xb4\x16\x66\xb4\x2e\x92\xea\x0d\xa3\xb4\x32\x04\xb5\xcf"
91    "\xce\x33\x52\x52\x4d\x04\x16\xa5\xa4\x41\xe7\x00\xaf\x46\x12\x0d\x02\x21"
92    "\x00\xc9\x7f\xb1\xf0\x27\xf4\x53\xf6\x34\x12\x33\xea\xaa\xd1\xd9\x35\x3f"
93    "\x6c\x42\xd0\x88\x66\xb1\xd0\x5a\x0f\x20\x35\x02\x8b\x9d\x89\x02\x20\x59"
94    "\x0b\x95\x72\xa2\xc2\xa9\xc4\x06\x05\x9d\xc2\xab\x2f\x1d\xaf\xeb\x7e\x8b"
95    "\x4f\x10\xa7\x54\x9e\x8e\xed\xf5\xb4\xfc\xe0\x9e\x05\x02\x21\x00\x8e\x3c"
96    "\x05\x21\xfe\x15\xe0\xea\x06\xa3\x6f\xf0\xf1\x0c\x99\x52\xc3\x5b\x7a\x75"
97    "\x14\xfd\x32\x38\xb8\x0a\xad\x52\x98\x62\x8d\x51\x02\x20\x36\x3f\xf7\x18"
98    "\x9d\xa8\xe9\x0b\x1d\x34\x1f\x71\xd0\x9b\x76\xa8\xa9\x43\xe1\x1d\x10\xb2"
99    "\x4d\x24\x9f\x2d\xea\xfe\xf8\x0c\x18\x26";
100
101// kFIPSKey is a DER-encoded RSAPrivateKey that is FIPS-compliant.
102static const uint8_t kFIPSKey[] =
103    "\x30\x82\x02\x5c\x02\x01\x00\x02\x81\x81\x00\xa1\x71\x90\x77\x86\x8a\xc7"
104    "\xb8\xfc\x2a\x45\x82\x6d\xee\xeb\x35\x3a\x18\x3f\xb6\xb0\x1e\xb1\xd3\x09"
105    "\x6b\x05\x4d\xec\x1c\x37\x6f\x09\x31\x32\xda\x21\x8a\x49\x0e\x16\x28\xed"
106    "\x9a\x30\xf3\x14\x53\xfd\x5b\xb0\xf6\x4a\x5d\x52\xe1\xda\xe1\x40\x6e\x65"
107    "\xbf\xca\x45\xd9\x62\x96\x4a\x1e\x11\xc4\x61\x83\x1f\x58\x8d\x5e\xd0\x12"
108    "\xaf\xa5\xec\x9b\x97\x2f\x6c\xb2\x82\x4a\x73\xd0\xd3\x9a\xc9\x69\x6b\x24"
109    "\x3c\x82\x6f\xee\x4d\x0c\x7e\xdf\xd7\xae\xea\x3a\xeb\x04\x27\x8d\x43\x81"
110    "\x59\xa7\x90\x56\xc1\x69\x42\xb3\xaf\x1c\x8d\x4e\xbf\x02\x03\x01\x00\x01"
111    "\x02\x81\x80\x60\x82\xcd\x44\x46\xcf\xeb\xf9\x6f\xf5\xad\x3b\xfd\x90\x18"
112    "\x57\xe7\x74\xdb\x91\xd0\xd3\x68\xa6\xaa\x38\xaa\x21\x1d\x06\xf9\x34\x8d"
113    "\xa0\x35\xb0\x24\xe0\xd0\x2f\x75\x9b\xdd\xfe\x91\x48\x9f\x5c\x5e\x57\x54"
114    "\x00\xc8\x0f\xe6\x1e\x52\x84\xd9\xc9\xa5\x55\xf4\x0a\xbe\x88\x46\x7a\xfb"
115    "\x18\x37\x8e\xe6\x6e\xa2\x5f\x80\x48\x34\x3f\x5c\xbe\x0e\x1e\xe8\x2f\x50"
116    "\xba\x14\x96\x3c\xea\xfb\xd2\x49\x33\xdc\x12\xb8\xa7\x8a\xb5\x27\xf9\x00"
117    "\x4b\xf5\xd2\x2a\xd0\x2c\x1d\x9b\xd5\x6c\x3e\x4b\xb9\x7e\x39\xf7\x3e\x39"
118    "\xc9\x47\x5e\xbe\x91\x02\x41\x00\xcd\x33\xcf\x37\x01\xd7\x59\xcc\xbe\xa0"
119    "\x1c\xb9\xf5\xe7\x44\x9f\x62\x91\xa7\xa7\x7b\x0c\x52\xcd\x7e\xe6\x31\x11"
120    "\x8b\xd8\x2c\x8a\x63\xe1\x07\xc9\xcb\xce\x01\x45\x63\xf5\x5d\x44\xfb\xeb"
121    "\x8d\x74\x16\x20\x7d\x3b\xb4\xa1\x61\xb0\xa8\x29\x51\xc9\xef\xb6\xa1\xd5"
122    "\x02\x41\x00\xc9\x68\xa6\xd3\x88\xd5\x49\x9d\x6b\x44\x96\xfd\xbf\x66\x27"
123    "\xb4\x1f\x90\x76\x86\x2f\xe2\xce\x20\x5d\xee\x9b\xeb\xc4\xb4\x62\x47\x79"
124    "\x99\xb1\x99\xbc\xa2\xa6\xb6\x96\x64\xd5\x77\x9b\x45\xd4\xf0\x99\xb5\x9e"
125    "\x61\x4d\xf5\x12\xdd\x84\x14\xaf\x1e\xdd\x83\x24\x43\x02\x40\x60\x29\x7f"
126    "\x59\xcf\xcb\x13\x92\x17\x63\x01\x13\x44\x61\x74\x8f\x1c\xaa\x15\x5f\x2f"
127    "\x12\xbf\x5a\xfd\xb4\xf2\x19\xbe\xe7\x37\x38\x43\x46\x19\x58\x3f\xe1\xf2"
128    "\x46\x8a\x69\x59\xa4\x12\x4a\x78\xa7\x86\x17\x03\x99\x0f\x34\xf1\x8a\xcf"
129    "\xc3\x4d\x48\xcc\xc5\x51\x61\x02\x41\x00\xc2\x12\xb3\x5d\xf5\xe5\xff\xcf"
130    "\x4e\x43\x83\x72\xf2\xf1\x4e\xa4\xc4\x1d\x81\xf7\xff\x40\x7e\xfa\xb5\x48"
131    "\x6c\xba\x1c\x8a\xec\x80\x8e\xed\xc8\x32\xa9\x8f\xd9\x30\xeb\x6e\x32\x3b"
132    "\xd4\x44\xcf\xd1\x1f\x6b\xe0\x37\x46\xd5\x35\xde\x79\x9d\x2c\xb9\x83\x1d"
133    "\x10\xdd\x02\x40\x0f\x14\x95\x96\xa0\xe2\x6c\xd4\x88\xa7\x0b\x82\x14\x10"
134    "\xad\x26\x0d\xe4\xa1\x5e\x01\x3d\x21\xd2\xfb\x0e\xf9\x58\xa5\xca\x1e\x21"
135    "\xb3\xf5\x9a\x6c\x3d\x5a\x72\xb1\x2d\xfe\xac\x09\x4f\xdd\xe5\x44\xd1\x4e"
136    "\xf8\x59\x85\x3a\x65\xe2\xcd\xbc\x27\x1d\x9b\x48\x9f\xb9";
137
138static const uint8_t kFIPSPublicKey[] =
139    "\x30\x81\x89\x02\x81\x81\x00\xa1\x71\x90\x77\x86\x8a\xc7\xb8\xfc\x2a\x45"
140    "\x82\x6d\xee\xeb\x35\x3a\x18\x3f\xb6\xb0\x1e\xb1\xd3\x09\x6b\x05\x4d\xec"
141    "\x1c\x37\x6f\x09\x31\x32\xda\x21\x8a\x49\x0e\x16\x28\xed\x9a\x30\xf3\x14"
142    "\x53\xfd\x5b\xb0\xf6\x4a\x5d\x52\xe1\xda\xe1\x40\x6e\x65\xbf\xca\x45\xd9"
143    "\x62\x96\x4a\x1e\x11\xc4\x61\x83\x1f\x58\x8d\x5e\xd0\x12\xaf\xa5\xec\x9b"
144    "\x97\x2f\x6c\xb2\x82\x4a\x73\xd0\xd3\x9a\xc9\x69\x6b\x24\x3c\x82\x6f\xee"
145    "\x4d\x0c\x7e\xdf\xd7\xae\xea\x3a\xeb\x04\x27\x8d\x43\x81\x59\xa7\x90\x56"
146    "\xc1\x69\x42\xb3\xaf\x1c\x8d\x4e\xbf\x02\x03\x01\x00\x01";
147
148// kOAEPCiphertext1 is a sample encryption of |kPlaintext| with |kKey1| using
149// RSA OAEP.
150static const uint8_t kOAEPCiphertext1[] =
151    "\x1b\x8f\x05\xf9\xca\x1a\x79\x52\x6e\x53\xf3\xcc\x51\x4f\xdb\x89\x2b\xfb"
152    "\x91\x93\x23\x1e\x78\xb9\x92\xe6\x8d\x50\xa4\x80\xcb\x52\x33\x89\x5c\x74"
153    "\x95\x8d\x5d\x02\xab\x8c\x0f\xd0\x40\xeb\x58\x44\xb0\x05\xc3\x9e\xd8\x27"
154    "\x4a\x9d\xbf\xa8\x06\x71\x40\x94\x39\xd2";
155
156// kKey2 is a DER-encoded RSAPrivateKey.
157static const uint8_t kKey2[] =
158    "\x30\x81\xfb\x02\x01\x00\x02\x33\x00\xa3\x07\x9a\x90\xdf\x0d\xfd\x72\xac"
159    "\x09\x0c\xcc\x2a\x78\xb8\x74\x13\x13\x3e\x40\x75\x9c\x98\xfa\xf8\x20\x4f"
160    "\x35\x8a\x0b\x26\x3c\x67\x70\xe7\x83\xa9\x3b\x69\x71\xb7\x37\x79\xd2\x71"
161    "\x7b\xe8\x34\x77\xcf\x02\x01\x03\x02\x32\x6c\xaf\xbc\x60\x94\xb3\xfe\x4c"
162    "\x72\xb0\xb3\x32\xc6\xfb\x25\xa2\xb7\x62\x29\x80\x4e\x68\x65\xfc\xa4\x5a"
163    "\x74\xdf\x0f\x8f\xb8\x41\x3b\x52\xc0\xd0\xe5\x3d\x9b\x59\x0f\xf1\x9b\xe7"
164    "\x9f\x49\xdd\x21\xe5\xeb\x02\x1a\x00\xcf\x20\x35\x02\x8b\x9d\x86\x98\x40"
165    "\xb4\x16\x66\xb4\x2e\x92\xea\x0d\xa3\xb4\x32\x04\xb5\xcf\xce\x91\x02\x1a"
166    "\x00\xc9\x7f\xb1\xf0\x27\xf4\x53\xf6\x34\x12\x33\xea\xaa\xd1\xd9\x35\x3f"
167    "\x6c\x42\xd0\x88\x66\xb1\xd0\x5f\x02\x1a\x00\x8a\x15\x78\xac\x5d\x13\xaf"
168    "\x10\x2b\x22\xb9\x99\xcd\x74\x61\xf1\x5e\x6d\x22\xcc\x03\x23\xdf\xdf\x0b"
169    "\x02\x1a\x00\x86\x55\x21\x4a\xc5\x4d\x8d\x4e\xcd\x61\x77\xf1\xc7\x36\x90"
170    "\xce\x2a\x48\x2c\x8b\x05\x99\xcb\xe0\x3f\x02\x1a\x00\x83\xef\xef\xb8\xa9"
171    "\xa4\x0d\x1d\xb6\xed\x98\xad\x84\xed\x13\x35\xdc\xc1\x08\xf3\x22\xd0\x57"
172    "\xcf\x8d";
173
174// kOAEPCiphertext2 is a sample encryption of |kPlaintext| with |kKey2| using
175// RSA OAEP.
176static const uint8_t kOAEPCiphertext2[] =
177    "\x14\xbd\xdd\x28\xc9\x83\x35\x19\x23\x80\xe8\xe5\x49\xb1\x58\x2a\x8b\x40"
178    "\xb4\x48\x6d\x03\xa6\xa5\x31\x1f\x1f\xd5\xf0\xa1\x80\xe4\x17\x53\x03\x29"
179    "\xa9\x34\x90\x74\xb1\x52\x13\x54\x29\x08\x24\x52\x62\x51";
180
181// kKey3 is a DER-encoded RSAPrivateKey.
182static const uint8_t kKey3[] =
183    "\x30\x82\x02\x5b\x02\x01\x00\x02\x81\x81\x00\xbb\xf8\x2f\x09\x06\x82\xce"
184    "\x9c\x23\x38\xac\x2b\x9d\xa8\x71\xf7\x36\x8d\x07\xee\xd4\x10\x43\xa4\x40"
185    "\xd6\xb6\xf0\x74\x54\xf5\x1f\xb8\xdf\xba\xaf\x03\x5c\x02\xab\x61\xea\x48"
186    "\xce\xeb\x6f\xcd\x48\x76\xed\x52\x0d\x60\xe1\xec\x46\x19\x71\x9d\x8a\x5b"
187    "\x8b\x80\x7f\xaf\xb8\xe0\xa3\xdf\xc7\x37\x72\x3e\xe6\xb4\xb7\xd9\x3a\x25"
188    "\x84\xee\x6a\x64\x9d\x06\x09\x53\x74\x88\x34\xb2\x45\x45\x98\x39\x4e\xe0"
189    "\xaa\xb1\x2d\x7b\x61\xa5\x1f\x52\x7a\x9a\x41\xf6\xc1\x68\x7f\xe2\x53\x72"
190    "\x98\xca\x2a\x8f\x59\x46\xf8\xe5\xfd\x09\x1d\xbd\xcb\x02\x01\x11\x02\x81"
191    "\x81\x00\xa5\xda\xfc\x53\x41\xfa\xf2\x89\xc4\xb9\x88\xdb\x30\xc1\xcd\xf8"
192    "\x3f\x31\x25\x1e\x06\x68\xb4\x27\x84\x81\x38\x01\x57\x96\x41\xb2\x94\x10"
193    "\xb3\xc7\x99\x8d\x6b\xc4\x65\x74\x5e\x5c\x39\x26\x69\xd6\x87\x0d\xa2\xc0"
194    "\x82\xa9\x39\xe3\x7f\xdc\xb8\x2e\xc9\x3e\xda\xc9\x7f\xf3\xad\x59\x50\xac"
195    "\xcf\xbc\x11\x1c\x76\xf1\xa9\x52\x94\x44\xe5\x6a\xaf\x68\xc5\x6c\x09\x2c"
196    "\xd3\x8d\xc3\xbe\xf5\xd2\x0a\x93\x99\x26\xed\x4f\x74\xa1\x3e\xdd\xfb\xe1"
197    "\xa1\xce\xcc\x48\x94\xaf\x94\x28\xc2\xb7\xb8\x88\x3f\xe4\x46\x3a\x4b\xc8"
198    "\x5b\x1c\xb3\xc1\x02\x41\x00\xee\xcf\xae\x81\xb1\xb9\xb3\xc9\x08\x81\x0b"
199    "\x10\xa1\xb5\x60\x01\x99\xeb\x9f\x44\xae\xf4\xfd\xa4\x93\xb8\x1a\x9e\x3d"
200    "\x84\xf6\x32\x12\x4e\xf0\x23\x6e\x5d\x1e\x3b\x7e\x28\xfa\xe7\xaa\x04\x0a"
201    "\x2d\x5b\x25\x21\x76\x45\x9d\x1f\x39\x75\x41\xba\x2a\x58\xfb\x65\x99\x02"
202    "\x41\x00\xc9\x7f\xb1\xf0\x27\xf4\x53\xf6\x34\x12\x33\xea\xaa\xd1\xd9\x35"
203    "\x3f\x6c\x42\xd0\x88\x66\xb1\xd0\x5a\x0f\x20\x35\x02\x8b\x9d\x86\x98\x40"
204    "\xb4\x16\x66\xb4\x2e\x92\xea\x0d\xa3\xb4\x32\x04\xb5\xcf\xce\x33\x52\x52"
205    "\x4d\x04\x16\xa5\xa4\x41\xe7\x00\xaf\x46\x15\x03\x02\x40\x54\x49\x4c\xa6"
206    "\x3e\xba\x03\x37\xe4\xe2\x40\x23\xfc\xd6\x9a\x5a\xeb\x07\xdd\xdc\x01\x83"
207    "\xa4\xd0\xac\x9b\x54\xb0\x51\xf2\xb1\x3e\xd9\x49\x09\x75\xea\xb7\x74\x14"
208    "\xff\x59\xc1\xf7\x69\x2e\x9a\x2e\x20\x2b\x38\xfc\x91\x0a\x47\x41\x74\xad"
209    "\xc9\x3c\x1f\x67\xc9\x81\x02\x40\x47\x1e\x02\x90\xff\x0a\xf0\x75\x03\x51"
210    "\xb7\xf8\x78\x86\x4c\xa9\x61\xad\xbd\x3a\x8a\x7e\x99\x1c\x5c\x05\x56\xa9"
211    "\x4c\x31\x46\xa7\xf9\x80\x3f\x8f\x6f\x8a\xe3\x42\xe9\x31\xfd\x8a\xe4\x7a"
212    "\x22\x0d\x1b\x99\xa4\x95\x84\x98\x07\xfe\x39\xf9\x24\x5a\x98\x36\xda\x3d"
213    "\x02\x41\x00\xb0\x6c\x4f\xda\xbb\x63\x01\x19\x8d\x26\x5b\xdb\xae\x94\x23"
214    "\xb3\x80\xf2\x71\xf7\x34\x53\x88\x50\x93\x07\x7f\xcd\x39\xe2\x11\x9f\xc9"
215    "\x86\x32\x15\x4f\x58\x83\xb1\x67\xa9\x67\xbf\x40\x2b\x4e\x9e\x2e\x0f\x96"
216    "\x56\xe6\x98\xea\x36\x66\xed\xfb\x25\x79\x80\x39\xf7";
217
218// kOAEPCiphertext3 is a sample encryption of |kPlaintext| with |kKey3| using
219// RSA OAEP.
220static const uint8_t kOAEPCiphertext3[] =
221    "\xb8\x24\x6b\x56\xa6\xed\x58\x81\xae\xb5\x85\xd9\xa2\x5b\x2a\xd7\x90\xc4"
222    "\x17\xe0\x80\x68\x1b\xf1\xac\x2b\xc3\xde\xb6\x9d\x8b\xce\xf0\xc4\x36\x6f"
223    "\xec\x40\x0a\xf0\x52\xa7\x2e\x9b\x0e\xff\xb5\xb3\xf2\xf1\x92\xdb\xea\xca"
224    "\x03\xc1\x27\x40\x05\x71\x13\xbf\x1f\x06\x69\xac\x22\xe9\xf3\xa7\x85\x2e"
225    "\x3c\x15\xd9\x13\xca\xb0\xb8\x86\x3a\x95\xc9\x92\x94\xce\x86\x74\x21\x49"
226    "\x54\x61\x03\x46\xf4\xd4\x74\xb2\x6f\x7c\x48\xb4\x2e\xe6\x8e\x1f\x57\x2a"
227    "\x1f\xc4\x02\x6a\xc4\x56\xb4\xf5\x9f\x7b\x62\x1e\xa1\xb9\xd8\x8f\x64\x20"
228    "\x2f\xb1";
229
230static const uint8_t kTwoPrimeKey[] =
231    "\x30\x82\x04\xa1\x02\x01\x00\x02\x82\x01\x01\x00\x93\x3a\x4f\xc9\x6a\x0a"
232    "\x6b\x28\x04\xfa\xb7\x05\x56\xdf\xa0\xaa\x4f\xaa\xab\x94\xa0\xa9\x25\xef"
233    "\xc5\x96\xd2\xd4\x66\x16\x62\x2c\x13\x7b\x91\xd0\x36\x0a\x10\x11\x6d\x7a"
234    "\x91\xb6\xe4\x74\x57\xc1\x3d\x7a\xbe\x24\x05\x3a\x04\x0b\x73\x91\x53\xb1"
235    "\x74\x10\xe1\x87\xdc\x91\x28\x9c\x1e\xe5\xf2\xb9\xfc\xa2\x48\x34\xb6\x78"
236    "\xed\x6d\x95\xfb\xf2\xc0\x4e\x1c\xa4\x15\x00\x3c\x8a\x68\x2b\xd6\xce\xd5"
237    "\xb3\x9f\x66\x02\xa7\x0d\x08\xa3\x23\x9b\xe5\x36\x96\x13\x22\xf9\x69\xa6"
238    "\x87\x88\x9b\x85\x3f\x83\x9c\xab\x1a\x1b\x6d\x8d\x16\xf4\x5e\xbd\xee\x4b"
239    "\x59\x56\xf8\x9d\x58\xcd\xd2\x83\x85\x59\x43\x84\x63\x4f\xe6\x1a\x86\x66"
240    "\x0d\xb5\xa0\x87\x89\xb6\x13\x82\x43\xda\x34\x92\x3b\x68\xc4\x95\x71\x2f"
241    "\x15\xc2\xe0\x43\x67\x3c\x08\x00\x36\x10\xc3\xb4\x46\x4c\x4e\x6e\xf5\x44"
242    "\xa9\x04\x44\x9d\xce\xc7\x05\x79\xee\x11\xcf\xaf\x2c\xd7\x9a\x32\xd3\xa5"
243    "\x30\xd4\x3a\x78\x43\x37\x74\x22\x90\x24\x04\x11\xd7\x95\x08\x52\xa4\x71"
244    "\x41\x68\x94\xb0\xa0\xc3\xec\x4e\xd2\xc4\x30\x71\x98\x64\x9c\xe3\x7c\x76"
245    "\xef\x33\xa3\x2b\xb1\x87\x63\xd2\x5c\x09\xfc\x90\x2d\x92\xf4\x57\x02\x01"
246    "\x03\x02\x82\x01\x00\x62\x26\xdf\xdb\x9c\x06\xf2\x1a\xad\xfc\x7a\x03\x8f"
247    "\x3f\xc0\x71\x8a\x71\xc7\xb8\x6b\x1b\x6e\x9f\xd9\x0f\x37\x38\x44\x0e\xec"
248    "\x1d\x62\x52\x61\x35\x79\x5c\x0a\xb6\x48\xfc\x61\x24\x98\x4d\x8f\xd6\x28"
249    "\xfc\x7e\xc2\xae\x26\xad\x5c\xf7\xb6\x37\xcb\xa2\xb5\xeb\xaf\xe8\x60\xc5"
250    "\xbd\x69\xee\xa1\xd1\x53\x16\xda\xcd\xce\xfb\x48\xf3\xb9\x52\xa1\xd5\x89"
251    "\x68\x6d\x63\x55\x7d\xb1\x9a\xc7\xe4\x89\xe3\xcd\x14\xee\xac\x6f\x5e\x05"
252    "\xc2\x17\xbd\x43\x79\xb9\x62\x17\x50\xf1\x19\xaf\xb0\x67\xae\x2a\x57\xbd"
253    "\xc7\x66\xbc\xf3\xb3\x64\xa1\xe3\x16\x74\x9e\xea\x02\x5c\xab\x94\xd8\x97"
254    "\x02\x42\x0c\x2c\xba\x54\xb9\xaf\xe0\x45\x93\xad\x7f\xb3\x10\x6a\x96\x50"
255    "\x4b\xaf\xcf\xc8\x27\x62\x2d\x83\xe9\x26\xc6\x94\xc1\xef\x5c\x8e\x06\x42"
256    "\x53\xe5\x56\xaf\xc2\x99\x01\xaa\x9a\x71\xbc\xe8\x21\x33\x2a\x2d\xa3\x36"
257    "\xac\x1b\x86\x19\xf8\xcd\x1f\x80\xa4\x26\x98\xb8\x9f\x62\x62\xd5\x1a\x7f"
258    "\xee\xdb\xdf\x81\xd3\x21\xdb\x33\x92\xee\xff\xe2\x2f\x32\x77\x73\x6a\x58"
259    "\xab\x21\xf3\xe3\xe1\xbc\x4f\x12\x72\xa6\xb5\xc2\xfb\x27\x9e\xc8\xca\xab"
260    "\x64\xa0\x87\x07\x9d\xef\xca\x0f\xdb\x02\x81\x81\x00\xe6\xd3\x4d\xc0\xa1"
261    "\x91\x0e\x62\xfd\xb0\xdd\xc6\x30\xb8\x8c\xcb\x14\xc1\x4b\x69\x30\xdd\xcd"
262    "\x86\x67\xcb\x37\x14\xc5\x03\xd2\xb4\x69\xab\x3d\xe5\x16\x81\x0f\xe5\x50"
263    "\xf4\x18\xb1\xec\xbc\x71\xe9\x80\x99\x06\xe4\xa3\xfe\x44\x84\x4a\x2d\x1e"
264    "\x07\x7f\x22\x70\x6d\x4f\xd4\x93\x0b\x8b\x99\xce\x1e\xab\xcd\x4c\xd2\xd3"
265    "\x10\x47\x5c\x09\x9f\x6d\x82\xc0\x08\x75\xe3\x3d\x83\xc2\x19\x50\x29\xec"
266    "\x1f\x84\x29\xcc\xf1\x56\xee\xbd\x54\x5d\xe6\x19\xdf\x0d\x1c\xa4\xbb\x0a"
267    "\xfe\x84\x44\x29\x1d\xf9\x5c\x80\x96\x5b\x24\xb4\xf7\x02\x1b\x02\x81\x81"
268    "\x00\xa3\x48\xf1\x9c\x58\xc2\x5f\x38\xfb\xd8\x12\x39\xf1\x8e\x73\xa1\xcf"
269    "\x78\x12\xe0\xed\x2a\xbb\xef\xac\x23\xb2\xbf\xd6\x0c\xe9\x6e\x1e\xab\xea"
270    "\x3f\x68\x36\xa7\x1f\xe5\xab\xe0\x86\xa5\x76\x32\x98\xdd\x75\xb5\x2b\xbc"
271    "\xcb\x8a\x03\x00\x7c\x2e\xca\xf8\xbc\x19\xe4\xe3\xa3\x31\xbd\x1d\x20\x2b"
272    "\x09\xad\x6f\x4c\xed\x48\xd4\xdf\x87\xf9\xf0\x46\xb9\x86\x4c\x4b\x71\xe7"
273    "\x48\x78\xdc\xed\xc7\x82\x02\x44\xd3\xa6\xb3\x10\x5f\x62\x81\xfc\xb8\xe4"
274    "\x0e\xf4\x1a\xdd\xab\x3f\xbc\x63\x79\x5b\x39\x69\x5e\xea\xa9\x15\xfe\x90"
275    "\xec\xda\x75\x02\x81\x81\x00\x99\xe2\x33\xd5\xc1\x0b\x5e\xec\xa9\x20\x93"
276    "\xd9\x75\xd0\x5d\xdc\xb8\x80\xdc\xf0\xcb\x3e\x89\x04\x45\x32\x24\xb8\x83"
277    "\x57\xe1\xcd\x9b\xc7\x7e\x98\xb9\xab\x5f\xee\x35\xf8\x10\x76\x9d\xd2\xf6"
278    "\x9b\xab\x10\xaf\x43\x17\xfe\xd8\x58\x31\x73\x69\x5a\x54\xc1\xa0\x48\xdf"
279    "\xe3\x0c\xb2\x5d\x11\x34\x14\x72\x88\xdd\xe1\xe2\x0a\xda\x3d\x5b\xbf\x9e"
280    "\x57\x2a\xb0\x4e\x97\x7e\x57\xd6\xbb\x8a\xc6\x9d\x6a\x58\x1b\xdd\xf6\x39"
281    "\xf4\x7e\x38\x3e\x99\x66\x94\xb3\x68\x6d\xd2\x07\x54\x58\x2d\x70\xbe\xa6"
282    "\x3d\xab\x0e\xe7\x6d\xcd\xfa\x01\x67\x02\x81\x80\x6c\xdb\x4b\xbd\x90\x81"
283    "\x94\xd0\xa7\xe5\x61\x7b\xf6\x5e\xf7\xc1\x34\xfa\xb7\x40\x9e\x1c\x7d\x4a"
284    "\x72\xc2\x77\x2a\x8e\xb3\x46\x49\x69\xc7\xf1\x7f\x9a\xcf\x1a\x15\x43\xc7"
285    "\xeb\x04\x6e\x4e\xcc\x65\xe8\xf9\x23\x72\x7d\xdd\x06\xac\xaa\xfd\x74\x87"
286    "\x50\x7d\x66\x98\x97\xc2\x21\x28\xbe\x15\x72\x06\x73\x9f\x88\x9e\x30\x8d"
287    "\xea\x5a\xa6\xa0\x2f\x26\x59\x88\x32\x4b\xef\x85\xa5\xe8\x9e\x85\x01\x56"
288    "\xd8\x8d\x19\xcc\xb5\x94\xec\x56\xa8\x7b\x42\xb4\xa2\xbc\x93\xc7\x7f\xd2"
289    "\xec\xfb\x92\x26\x46\x3f\x47\x1b\x63\xff\x0b\x48\x91\xa3\x02\x81\x80\x2c"
290    "\x4a\xb9\xa4\x46\x7b\xff\x50\x7e\xbf\x60\x47\x3b\x2b\x66\x82\xdc\x0e\x53"
291    "\x65\x71\xe9\xda\x2a\xb8\x32\x93\x42\xb7\xff\xea\x67\x66\xf1\xbc\x87\x28"
292    "\x65\x29\x79\xca\xab\x93\x56\xda\x95\xc1\x26\x44\x3d\x27\xc1\x91\xc6\x9b"
293    "\xd9\xec\x9d\xb7\x49\xe7\x16\xee\x99\x87\x50\x95\x81\xd4\x5c\x5b\x5a\x5d"
294    "\x0a\x43\xa5\xa7\x8f\x5a\x80\x49\xa0\xb7\x10\x85\xc7\xf4\x42\x34\x86\xb6"
295    "\x5f\x3f\x88\x9e\xc7\xf5\x59\x29\x39\x68\x48\xf2\xd7\x08\x5b\x92\x8e\x6b"
296    "\xea\xa5\x63\x5f\xc0\xfb\xe4\xe1\xb2\x7d\xb7\x40\xe9\x55\x06\xbf\x58\x25"
297    "\x6f";
298
299static const uint8_t kTwoPrimeEncryptedMessage[] = {
300    0x63, 0x0a, 0x30, 0x45, 0x43, 0x11, 0x45, 0xb7, 0x99, 0x67, 0x90, 0x35,
301    0x37, 0x27, 0xff, 0xbc, 0xe0, 0xbf, 0xa6, 0xd1, 0x47, 0x50, 0xbb, 0x6c,
302    0x1c, 0xaa, 0x66, 0xf2, 0xff, 0x9d, 0x9a, 0xa6, 0xb4, 0x16, 0x63, 0xb0,
303    0xa1, 0x7c, 0x7c, 0x0c, 0xef, 0xb3, 0x66, 0x52, 0x42, 0xd7, 0x5e, 0xf3,
304    0xa4, 0x15, 0x33, 0x40, 0x43, 0xe8, 0xb1, 0xfc, 0xe0, 0x42, 0x83, 0x46,
305    0x28, 0xce, 0xde, 0x7b, 0x01, 0xeb, 0x28, 0x92, 0x70, 0xdf, 0x8d, 0x54,
306    0x9e, 0xed, 0x23, 0xb4, 0x78, 0xc3, 0xca, 0x85, 0x53, 0x48, 0xd6, 0x8a,
307    0x87, 0xf7, 0x69, 0xcd, 0x82, 0x8c, 0x4f, 0x5c, 0x05, 0x55, 0xa6, 0x78,
308    0x89, 0xab, 0x4c, 0xd8, 0xa9, 0xd6, 0xa5, 0xf4, 0x29, 0x4c, 0x23, 0xc8,
309    0xcf, 0xf0, 0x4c, 0x64, 0x6b, 0x4e, 0x02, 0x17, 0x69, 0xd6, 0x47, 0x83,
310    0x30, 0x43, 0x02, 0x29, 0xda, 0xda, 0x75, 0x3b, 0xd7, 0xa7, 0x2b, 0x31,
311    0xb3, 0xe9, 0x71, 0xa4, 0x41, 0xf7, 0x26, 0x9b, 0xcd, 0x23, 0xfa, 0x45,
312    0x3c, 0x9b, 0x7d, 0x28, 0xf7, 0xf9, 0x67, 0x04, 0xba, 0xfc, 0x46, 0x75,
313    0x11, 0x3c, 0xd5, 0x27, 0x43, 0x53, 0xb1, 0xb6, 0x9e, 0x18, 0xeb, 0x11,
314    0xb4, 0x25, 0x20, 0x30, 0x0b, 0xe0, 0x1c, 0x17, 0x36, 0x22, 0x10, 0x0f,
315    0x99, 0xb5, 0x50, 0x14, 0x73, 0x07, 0xf0, 0x2f, 0x5d, 0x4c, 0xe3, 0xf2,
316    0x86, 0xc2, 0x05, 0xc8, 0x38, 0xed, 0xeb, 0x2a, 0x4a, 0xab, 0x76, 0xe3,
317    0x1a, 0x75, 0x44, 0xf7, 0x6e, 0x94, 0xdc, 0x25, 0x62, 0x7e, 0x31, 0xca,
318    0xc2, 0x73, 0x51, 0xb5, 0x03, 0xfb, 0xf9, 0xf6, 0xb5, 0x8d, 0x4e, 0x6c,
319    0x21, 0x0e, 0xf9, 0x97, 0x26, 0x57, 0xf3, 0x52, 0x72, 0x07, 0xf8, 0xb4,
320    0xcd, 0xb4, 0x39, 0xcf, 0xbf, 0x78, 0xcc, 0xb6, 0x87, 0xf9, 0xb7, 0x8b,
321    0x6a, 0xce, 0x9f, 0xc8,
322};
323
324// kEstonianRSAKey is an RSAPublicKey encoded with a negative modulus. See
325// https://crbug.com/532048.
326static const uint8_t kEstonianRSAKey[] = {
327    0x30, 0x82, 0x01, 0x09, 0x02, 0x82, 0x01, 0x00, 0x96, 0xa6, 0x2e, 0x9c,
328    0x4e, 0x6a, 0xc3, 0xcc, 0xcd, 0x8f, 0x70, 0xc3, 0x55, 0xbf, 0x5e, 0x9c,
329    0xd4, 0xf3, 0x17, 0xc3, 0x97, 0x70, 0xae, 0xdf, 0x12, 0x5c, 0x15, 0x80,
330    0x03, 0xef, 0x2b, 0x18, 0x9d, 0x6a, 0xcb, 0x52, 0x22, 0xc1, 0x81, 0xb8,
331    0x7e, 0x61, 0xe8, 0x0f, 0x79, 0x24, 0x0f, 0x82, 0x70, 0x24, 0x4e, 0x29,
332    0x20, 0x05, 0x54, 0xeb, 0xd4, 0xa9, 0x65, 0x59, 0xb6, 0x3c, 0x75, 0x95,
333    0x2f, 0x4c, 0xf6, 0x9d, 0xd1, 0xaf, 0x5f, 0x14, 0x14, 0xe7, 0x25, 0xea,
334    0xa5, 0x47, 0x5d, 0xc6, 0x3e, 0x28, 0x8d, 0xdc, 0x54, 0x87, 0x2a, 0x7c,
335    0x10, 0xe9, 0xc6, 0x76, 0x2d, 0xe7, 0x79, 0xd8, 0x0e, 0xbb, 0xa9, 0xac,
336    0xb5, 0x18, 0x98, 0xd6, 0x47, 0x6e, 0x06, 0x70, 0xbf, 0x9e, 0x82, 0x25,
337    0x95, 0x4e, 0xfd, 0x70, 0xd7, 0x73, 0x45, 0x2e, 0xc1, 0x1f, 0x7a, 0x9a,
338    0x9d, 0x60, 0xc0, 0x1f, 0x67, 0x06, 0x2a, 0x4e, 0x87, 0x3f, 0x19, 0x88,
339    0x69, 0x64, 0x4d, 0x9f, 0x75, 0xf5, 0xd3, 0x1a, 0x41, 0x3d, 0x35, 0x17,
340    0xb6, 0xd1, 0x44, 0x0d, 0x25, 0x8b, 0xe7, 0x94, 0x39, 0xb0, 0x7c, 0xaf,
341    0x3e, 0x6a, 0xfa, 0x8d, 0x90, 0x21, 0x0f, 0x8a, 0x43, 0x94, 0x37, 0x7c,
342    0x2a, 0x15, 0x4c, 0xa0, 0xfa, 0xa9, 0x2f, 0x21, 0xa6, 0x6f, 0x8e, 0x2f,
343    0x89, 0xbc, 0xbb, 0x33, 0xf8, 0x31, 0xfc, 0xdf, 0xcd, 0x68, 0x9a, 0xbc,
344    0x75, 0x06, 0x95, 0xf1, 0x3d, 0xef, 0xca, 0x76, 0x27, 0xd2, 0xba, 0x8e,
345    0x0e, 0x1c, 0x43, 0xd7, 0x70, 0xb9, 0xc6, 0x15, 0xca, 0xd5, 0x4d, 0x87,
346    0xb9, 0xd1, 0xae, 0xde, 0x69, 0x73, 0x00, 0x2a, 0x97, 0x51, 0x4b, 0x30,
347    0x01, 0xc2, 0x85, 0xd0, 0x05, 0xcc, 0x2e, 0xe8, 0xc7, 0x42, 0xe7, 0x94,
348    0x51, 0xe3, 0xf5, 0x19, 0x35, 0xdc, 0x57, 0x96, 0xe7, 0xd9, 0xb4, 0x49,
349    0x02, 0x03, 0x01, 0x00, 0x01,
350};
351
352// kExponent1RSAKey is an RSAPublicKey encoded with an exponent of 1. See
353// https://crbug.com/541257
354static const uint8_t kExponent1RSAKey[] = {
355    0x30, 0x82, 0x01, 0x08, 0x02, 0x82, 0x01, 0x01, 0x00, 0xcf, 0x86, 0x9a,
356    0x7d, 0x5c, 0x9f, 0xbd, 0x33, 0xbb, 0xc2, 0xb1, 0x06, 0xa8, 0x3e, 0xc5,
357    0x18, 0xf3, 0x01, 0x04, 0xdd, 0x7a, 0x38, 0x0e, 0x8e, 0x8d, 0x10, 0xaa,
358    0xf8, 0x64, 0x49, 0x82, 0xa6, 0x16, 0x9d, 0xd9, 0xae, 0x5e, 0x7f, 0x9b,
359    0x53, 0xcb, 0xbb, 0x29, 0xda, 0x98, 0x47, 0x26, 0x88, 0x2e, 0x1d, 0x64,
360    0xb3, 0xbc, 0x7e, 0x96, 0x3a, 0xa7, 0xd6, 0x87, 0xf6, 0xf5, 0x3f, 0xa7,
361    0x3b, 0xd3, 0xc5, 0xd5, 0x61, 0x3c, 0x63, 0x05, 0xf9, 0xbc, 0x64, 0x1d,
362    0x71, 0x65, 0xf5, 0xc8, 0xe8, 0x64, 0x41, 0x35, 0x88, 0x81, 0x6b, 0x2a,
363    0x24, 0xbb, 0xdd, 0x9f, 0x75, 0x4f, 0xea, 0x35, 0xe5, 0x32, 0x76, 0x5a,
364    0x8b, 0x7a, 0xb5, 0x92, 0x65, 0x34, 0xb7, 0x88, 0x42, 0x5d, 0x41, 0x0b,
365    0xd1, 0x00, 0x2d, 0x43, 0x47, 0x55, 0x60, 0x3c, 0x0e, 0x60, 0x04, 0x5c,
366    0x88, 0x13, 0xc7, 0x42, 0x55, 0x16, 0x31, 0x32, 0x81, 0xba, 0xde, 0xa9,
367    0x56, 0xeb, 0xdb, 0x66, 0x7f, 0x31, 0xba, 0xe8, 0x87, 0x1a, 0xcc, 0xad,
368    0x90, 0x86, 0x4b, 0xa7, 0x6d, 0xd5, 0xc1, 0xb7, 0xe7, 0x67, 0x56, 0x41,
369    0xf7, 0x03, 0xb3, 0x09, 0x61, 0x63, 0xb5, 0xb0, 0x19, 0x7b, 0xc5, 0x91,
370    0xc8, 0x96, 0x5b, 0x6a, 0x80, 0xa1, 0x53, 0x0f, 0x9a, 0x47, 0xb5, 0x9a,
371    0x44, 0x53, 0xbd, 0x93, 0xe3, 0xe4, 0xce, 0x0c, 0x17, 0x11, 0x51, 0x1d,
372    0xfd, 0x6c, 0x74, 0xe4, 0xec, 0x2a, 0xce, 0x57, 0x27, 0xcc, 0x83, 0x98,
373    0x08, 0x32, 0x2c, 0xd5, 0x75, 0xa9, 0x27, 0xfe, 0xaa, 0x5e, 0x48, 0xc9,
374    0x46, 0x9a, 0x29, 0x3f, 0xe6, 0x01, 0x4d, 0x97, 0x4a, 0x70, 0xd1, 0x5d,
375    0xf8, 0xc0, 0x0b, 0x23, 0xcb, 0xbe, 0xf5, 0x70, 0x0b, 0xc2, 0xf2, 0xc0,
376    0x33, 0x9c, 0xc4, 0x8b, 0x39, 0x7e, 0x3d, 0xc6, 0x23, 0x39, 0x9a, 0x98,
377    0xdd, 0x02, 0x01, 0x01,
378};
379
380struct RSAEncryptParam {
381  const uint8_t *der;
382  size_t der_len;
383  const uint8_t *oaep_ciphertext;
384  size_t oaep_ciphertext_len;
385} kRSAEncryptParams[] = {
386    {kKey1, sizeof(kKey1) - 1, kOAEPCiphertext1, sizeof(kOAEPCiphertext1) - 1},
387    {kKey2, sizeof(kKey2) - 1, kOAEPCiphertext2, sizeof(kOAEPCiphertext2) - 1},
388    {kKey3, sizeof(kKey3) - 1, kOAEPCiphertext3, sizeof(kOAEPCiphertext3) - 1},
389};
390
391class RSAEncryptTest : public testing::TestWithParam<RSAEncryptParam> {};
392
393TEST_P(RSAEncryptTest, TestKey) {
394  const auto &param = GetParam();
395  bssl::UniquePtr<RSA> key(
396      RSA_private_key_from_bytes(param.der, param.der_len));
397  ASSERT_TRUE(key);
398
399  EXPECT_TRUE(RSA_check_key(key.get()));
400
401  uint8_t ciphertext[256];
402
403  // Test that PKCS#1 v1.5 encryption round-trips.
404  size_t ciphertext_len = 0;
405  ASSERT_TRUE(RSA_encrypt(key.get(), &ciphertext_len, ciphertext,
406                          sizeof(ciphertext), kPlaintext, kPlaintextLen,
407                          RSA_PKCS1_PADDING));
408  EXPECT_EQ(RSA_size(key.get()), ciphertext_len);
409
410  uint8_t plaintext[256];
411  size_t plaintext_len = 0;
412  ASSERT_TRUE(RSA_decrypt(key.get(), &plaintext_len, plaintext,
413                          sizeof(plaintext), ciphertext, ciphertext_len,
414                          RSA_PKCS1_PADDING));
415  EXPECT_EQ(Bytes(kPlaintext, kPlaintextLen), Bytes(plaintext, plaintext_len));
416
417  // Test that OAEP encryption round-trips.
418  ciphertext_len = 0;
419  ASSERT_TRUE(RSA_encrypt(key.get(), &ciphertext_len, ciphertext,
420                          sizeof(ciphertext), kPlaintext, kPlaintextLen,
421                          RSA_PKCS1_OAEP_PADDING));
422  EXPECT_EQ(RSA_size(key.get()), ciphertext_len);
423
424  plaintext_len = 0;
425  ASSERT_TRUE(RSA_decrypt(key.get(), &plaintext_len, plaintext,
426                          sizeof(plaintext), ciphertext, ciphertext_len,
427                          RSA_PKCS1_OAEP_PADDING));
428  EXPECT_EQ(Bytes(kPlaintext, kPlaintextLen), Bytes(plaintext, plaintext_len));
429
430  // |oaep_ciphertext| should decrypt to |kPlaintext|.
431  plaintext_len = 0;
432  ASSERT_TRUE(RSA_decrypt(key.get(), &plaintext_len, plaintext,
433                          sizeof(plaintext), param.oaep_ciphertext,
434                          param.oaep_ciphertext_len, RSA_PKCS1_OAEP_PADDING));
435  EXPECT_EQ(Bytes(kPlaintext, kPlaintextLen), Bytes(plaintext, plaintext_len));
436
437  // Try decrypting corrupted ciphertexts.
438  OPENSSL_memcpy(ciphertext, param.oaep_ciphertext, param.oaep_ciphertext_len);
439  for (size_t i = 0; i < param.oaep_ciphertext_len; i++) {
440    SCOPED_TRACE(i);
441    ciphertext[i] ^= 1;
442    EXPECT_FALSE(RSA_decrypt(
443        key.get(), &plaintext_len, plaintext, sizeof(plaintext), ciphertext,
444        param.oaep_ciphertext_len, RSA_PKCS1_OAEP_PADDING));
445    ERR_clear_error();
446    ciphertext[i] ^= 1;
447  }
448
449  // Test truncated ciphertexts.
450  for (size_t len = 0; len < param.oaep_ciphertext_len; len++) {
451    SCOPED_TRACE(len);
452    EXPECT_FALSE(RSA_decrypt(key.get(), &plaintext_len, plaintext,
453                             sizeof(plaintext), ciphertext, len,
454                             RSA_PKCS1_OAEP_PADDING));
455    ERR_clear_error();
456  }
457}
458
459INSTANTIATE_TEST_CASE_P(, RSAEncryptTest, testing::ValuesIn(kRSAEncryptParams));
460
461TEST(RSATest, TestDecrypt) {
462  bssl::UniquePtr<RSA> rsa(
463      RSA_private_key_from_bytes(kTwoPrimeKey, sizeof(kTwoPrimeKey) - 1));
464  ASSERT_TRUE(rsa);
465
466  EXPECT_TRUE(RSA_check_key(rsa.get()));
467
468  uint8_t out[256];
469  size_t out_len;
470  ASSERT_TRUE(RSA_decrypt(
471      rsa.get(), &out_len, out, sizeof(out), kTwoPrimeEncryptedMessage,
472      sizeof(kTwoPrimeEncryptedMessage), RSA_PKCS1_PADDING));
473  EXPECT_EQ(Bytes("hello world"), Bytes(out, out_len));
474}
475
476TEST(RSATest, CheckFIPS) {
477  bssl::UniquePtr<RSA> rsa(
478      RSA_private_key_from_bytes(kFIPSKey, sizeof(kFIPSKey) - 1));
479  ASSERT_TRUE(rsa);
480  EXPECT_TRUE(RSA_check_fips(rsa.get()));
481
482  // Check that RSA_check_fips works on a public key.
483  bssl::UniquePtr<RSA> pub(
484      RSA_public_key_from_bytes(kFIPSPublicKey, sizeof(kFIPSPublicKey) - 1));
485  ASSERT_TRUE(pub);
486  EXPECT_TRUE(RSA_check_fips(pub.get()));
487}
488
489TEST(RSATest, GenerateFIPS) {
490  bssl::UniquePtr<RSA> rsa(RSA_new());
491  ASSERT_TRUE(rsa);
492
493  // RSA_generate_key_fips may only be used for 2048-bit and 3072-bit keys.
494  EXPECT_FALSE(RSA_generate_key_fips(rsa.get(), 512, nullptr));
495  EXPECT_FALSE(RSA_generate_key_fips(rsa.get(), 1024, nullptr));
496  EXPECT_FALSE(RSA_generate_key_fips(rsa.get(), 2047, nullptr));
497  EXPECT_FALSE(RSA_generate_key_fips(rsa.get(), 2049, nullptr));
498  EXPECT_FALSE(RSA_generate_key_fips(rsa.get(), 3071, nullptr));
499  EXPECT_FALSE(RSA_generate_key_fips(rsa.get(), 3073, nullptr));
500  EXPECT_FALSE(RSA_generate_key_fips(rsa.get(), 4096, nullptr));
501  ERR_clear_error();
502
503  // Test that we can generate 2048-bit and 3072-bit RSA keys.
504  EXPECT_TRUE(RSA_generate_key_fips(rsa.get(), 2048, nullptr));
505  EXPECT_EQ(2048u, BN_num_bits(rsa->n));
506
507  rsa.reset(RSA_new());
508  ASSERT_TRUE(rsa);
509  EXPECT_TRUE(RSA_generate_key_fips(rsa.get(), 3072, nullptr));
510  EXPECT_EQ(3072u, BN_num_bits(rsa->n));
511}
512
513TEST(RSATest, BadKey) {
514  bssl::UniquePtr<RSA> key(RSA_new());
515  bssl::UniquePtr<BIGNUM> e(BN_new());
516  ASSERT_TRUE(key);
517  ASSERT_TRUE(e);
518  ASSERT_TRUE(BN_set_word(e.get(), RSA_F4));
519
520  // Generate a bad key.
521  ASSERT_TRUE(RSA_generate_key_ex(key.get(), 512, e.get(), nullptr));
522  ASSERT_TRUE(BN_add(key->p, key->p, BN_value_one()));
523
524  // Bad keys are detected.
525  EXPECT_FALSE(RSA_check_key(key.get()));
526  EXPECT_FALSE(RSA_check_fips(key.get()));
527
528  // Bad keys may not be parsed.
529  uint8_t *der;
530  size_t der_len;
531  ASSERT_TRUE(RSA_private_key_to_bytes(&der, &der_len, key.get()));
532  bssl::UniquePtr<uint8_t> delete_der(der);
533  key.reset(RSA_private_key_from_bytes(der, der_len));
534  EXPECT_FALSE(key);
535}
536
537TEST(RSATest, OnlyDGiven) {
538  static const char kN[] =
539      "00e77bbf3889d4ef36a9a25d4d69f3f632eb4362214c74517da6d6aeaa9bd09ac42b2662"
540      "1cd88f3a6eb013772fc3bf9f83914b6467231c630202c35b3e5808c659";
541  static const char kE[] = "010001";
542  static const char kD[] =
543      "0365db9eb6d73b53b015c40cd8db4de7dd7035c68b5ac1bf786d7a4ee2cea316eaeca21a"
544      "73ac365e58713195f2ae9849348525ca855386b6d028e437a9495a01";
545
546  bssl::UniquePtr<RSA> key(RSA_new());
547  ASSERT_TRUE(key);
548  ASSERT_TRUE(BN_hex2bn(&key->n, kN));
549  ASSERT_TRUE(BN_hex2bn(&key->e, kE));
550  ASSERT_TRUE(BN_hex2bn(&key->d, kD));
551
552  // Keys with only n, e, and d are functional.
553  EXPECT_TRUE(RSA_check_key(key.get()));
554
555  const uint8_t kDummyHash[32] = {0};
556  uint8_t buf[64];
557  unsigned buf_len = sizeof(buf);
558  ASSERT_LE(RSA_size(key.get()), sizeof(buf));
559  EXPECT_TRUE(RSA_sign(NID_sha256, kDummyHash, sizeof(kDummyHash), buf,
560                       &buf_len, key.get()));
561  EXPECT_TRUE(RSA_verify(NID_sha256, kDummyHash, sizeof(kDummyHash), buf,
562                         buf_len, key.get()));
563
564  // Keys without the public exponent must continue to work when blinding is
565  // disabled to support Java's RSAPrivateKeySpec API. See
566  // https://bugs.chromium.org/p/boringssl/issues/detail?id=12.
567  bssl::UniquePtr<RSA> key2(RSA_new());
568  ASSERT_TRUE(key2);
569  ASSERT_TRUE(BN_hex2bn(&key2->n, kN));
570  ASSERT_TRUE(BN_hex2bn(&key2->d, kD));
571  key2->flags |= RSA_FLAG_NO_BLINDING;
572
573  ASSERT_LE(RSA_size(key2.get()), sizeof(buf));
574  EXPECT_TRUE(RSA_sign(NID_sha256, kDummyHash, sizeof(kDummyHash), buf,
575                       &buf_len, key2.get()));
576
577  // Verify the signature with |key|. |key2| has no public exponent.
578  EXPECT_TRUE(RSA_verify(NID_sha256, kDummyHash, sizeof(kDummyHash), buf,
579                         buf_len, key.get()));
580}
581
582TEST(RSATest, ASN1) {
583  // Test that private keys may be decoded.
584  bssl::UniquePtr<RSA> rsa(
585      RSA_private_key_from_bytes(kKey1, sizeof(kKey1) - 1));
586  ASSERT_TRUE(rsa);
587
588  // Test that the serialization round-trips.
589  uint8_t *der;
590  size_t der_len;
591  ASSERT_TRUE(RSA_private_key_to_bytes(&der, &der_len, rsa.get()));
592  bssl::UniquePtr<uint8_t> delete_der(der);
593  EXPECT_EQ(Bytes(kKey1, sizeof(kKey1) - 1), Bytes(der, der_len));
594
595  // Test that serializing public keys works.
596  ASSERT_TRUE(RSA_public_key_to_bytes(&der, &der_len, rsa.get()));
597  delete_der.reset(der);
598
599  // Public keys may be parsed back out.
600  rsa.reset(RSA_public_key_from_bytes(der, der_len));
601  ASSERT_TRUE(rsa);
602  EXPECT_FALSE(rsa->p);
603  EXPECT_FALSE(rsa->q);
604
605  // Serializing the result round-trips.
606  uint8_t *der2;
607  size_t der2_len;
608  ASSERT_TRUE(RSA_public_key_to_bytes(&der2, &der2_len, rsa.get()));
609  bssl::UniquePtr<uint8_t> delete_der2(der2);
610  EXPECT_EQ(Bytes(der, der_len), Bytes(der2, der2_len));
611
612  // Public keys cannot be serialized as private keys.
613  int ok = RSA_private_key_to_bytes(&der, &der_len, rsa.get());
614  if (ok) {
615    OPENSSL_free(der);
616  }
617  EXPECT_FALSE(ok);
618  ERR_clear_error();
619
620  // Public keys with negative moduli are invalid.
621  rsa.reset(RSA_public_key_from_bytes(kEstonianRSAKey,
622                                      sizeof(kEstonianRSAKey)));
623  EXPECT_FALSE(rsa);
624  ERR_clear_error();
625
626  // But |RSA_parse_public_key_buggy| will accept it.
627  CBS cbs;
628  CBS_init(&cbs, kEstonianRSAKey, sizeof(kEstonianRSAKey));
629  rsa.reset(RSA_parse_public_key_buggy(&cbs));
630  EXPECT_TRUE(rsa);
631  EXPECT_EQ(0u, CBS_len(&cbs));
632}
633
634TEST(RSATest, BadExponent) {
635  bssl::UniquePtr<RSA> rsa(
636      RSA_public_key_from_bytes(kExponent1RSAKey, sizeof(kExponent1RSAKey)));
637  EXPECT_FALSE(rsa);
638  ERR_clear_error();
639}
640
641// Attempting to generate an excessively small key should fail.
642TEST(RSATest, GenerateSmallKey) {
643  bssl::UniquePtr<RSA> rsa(RSA_new());
644  ASSERT_TRUE(rsa);
645  bssl::UniquePtr<BIGNUM> e(BN_new());
646  ASSERT_TRUE(e);
647  ASSERT_TRUE(BN_set_word(e.get(), RSA_F4));
648
649  EXPECT_FALSE(RSA_generate_key_ex(rsa.get(), 255, e.get(), nullptr));
650  uint32_t err = ERR_get_error();
651  EXPECT_EQ(ERR_LIB_RSA, ERR_GET_LIB(err));
652  EXPECT_EQ(RSA_R_KEY_SIZE_TOO_SMALL, ERR_GET_REASON(err));
653}
654
655// Attempting to generate an funny RSA key length should round down.
656TEST(RSATest, RoundKeyLengths) {
657  bssl::UniquePtr<BIGNUM> e(BN_new());
658  ASSERT_TRUE(e);
659  ASSERT_TRUE(BN_set_word(e.get(), RSA_F4));
660
661  bssl::UniquePtr<RSA> rsa(RSA_new());
662  ASSERT_TRUE(rsa);
663  EXPECT_TRUE(RSA_generate_key_ex(rsa.get(), 1025, e.get(), nullptr));
664  EXPECT_EQ(1024u, BN_num_bits(rsa->n));
665
666  rsa.reset(RSA_new());
667  ASSERT_TRUE(rsa);
668  EXPECT_TRUE(RSA_generate_key_ex(rsa.get(), 1027, e.get(), nullptr));
669  EXPECT_EQ(1024u, BN_num_bits(rsa->n));
670
671  rsa.reset(RSA_new());
672  ASSERT_TRUE(rsa);
673  EXPECT_TRUE(RSA_generate_key_ex(rsa.get(), 1151, e.get(), nullptr));
674  EXPECT_EQ(1024u, BN_num_bits(rsa->n));
675
676  rsa.reset(RSA_new());
677  ASSERT_TRUE(rsa);
678  EXPECT_TRUE(RSA_generate_key_ex(rsa.get(), 1152, e.get(), nullptr));
679  EXPECT_EQ(1152u, BN_num_bits(rsa->n));
680}
681
682TEST(RSATest, BlindingDisabled) {
683  bssl::UniquePtr<RSA> rsa(
684      RSA_private_key_from_bytes(kTwoPrimeKey, sizeof(kTwoPrimeKey) - 1));
685  ASSERT_TRUE(rsa);
686
687  rsa->flags |= RSA_FLAG_NO_BLINDING;
688
689  uint8_t sig[256];
690  ASSERT_GE(sizeof(sig), RSA_size(rsa.get()));
691
692  static const uint8_t kZeros[32] = {0};
693  unsigned sig_len;
694  ASSERT_TRUE(
695      RSA_sign(NID_sha256, kZeros, sizeof(kZeros), sig, &sig_len, rsa.get()));
696  EXPECT_TRUE(
697      RSA_verify(NID_sha256, kZeros, sizeof(kZeros), sig, sig_len, rsa.get()));
698}
699
700// Test that decrypting with a public key fails gracefully rather than crashing.
701TEST(RSATest, DecryptPublic) {
702  bssl::UniquePtr<RSA> pub(
703      RSA_public_key_from_bytes(kFIPSPublicKey, sizeof(kFIPSPublicKey) - 1));
704  ASSERT_TRUE(pub);
705  ASSERT_EQ(1024u / 8u, RSA_size(pub.get()));
706
707  size_t len;
708  uint8_t in[1024 / 8] = {0}, out[1024 / 8];
709  EXPECT_FALSE(RSA_decrypt(pub.get(), &len, out, sizeof(out), in, sizeof(in),
710                           RSA_PKCS1_PADDING));
711  uint32_t err = ERR_get_error();
712  EXPECT_EQ(ERR_LIB_RSA, ERR_GET_LIB(err));
713  EXPECT_EQ(RSA_R_VALUE_MISSING, ERR_GET_REASON(err));
714}
715
716#if !defined(BORINGSSL_SHARED_LIBRARY)
717TEST(RSATest, SqrtTwo) {
718  bssl::UniquePtr<BIGNUM> sqrt(BN_new()), pow2(BN_new());
719  bssl::UniquePtr<BN_CTX> ctx(BN_CTX_new());
720  ASSERT_TRUE(sqrt);
721  ASSERT_TRUE(pow2);
722  ASSERT_TRUE(ctx);
723
724  size_t bits = kBoringSSLRSASqrtTwoLen * BN_BITS2;
725  ASSERT_TRUE(BN_one(pow2.get()));
726  ASSERT_TRUE(BN_lshift(pow2.get(), pow2.get(), 2 * bits - 1));
727
728  // Check that sqrt² < pow2.
729  ASSERT_TRUE(
730      bn_set_words(sqrt.get(), kBoringSSLRSASqrtTwo, kBoringSSLRSASqrtTwoLen));
731  ASSERT_TRUE(BN_sqr(sqrt.get(), sqrt.get(), ctx.get()));
732  EXPECT_LT(BN_cmp(sqrt.get(), pow2.get()), 0);
733
734  // Check that pow2 < (sqrt + 1)².
735  ASSERT_TRUE(
736      bn_set_words(sqrt.get(), kBoringSSLRSASqrtTwo, kBoringSSLRSASqrtTwoLen));
737  ASSERT_TRUE(BN_add_word(sqrt.get(), 1));
738  ASSERT_TRUE(BN_sqr(sqrt.get(), sqrt.get(), ctx.get()));
739  EXPECT_LT(BN_cmp(pow2.get(), sqrt.get()), 0);
740
741  // Check the kBoringSSLRSASqrtTwo is sized for a 3072-bit RSA key.
742  EXPECT_EQ(3072u / 2u, bits);
743}
744
745TEST(RSATest, LessThanWords) {
746  // kTestVectors is an array of 256-bit values in sorted order.
747  static const BN_ULONG kTestVectors[][256 / BN_BITS2] = {
748      {TOBN(0x00000000, 0x00000000), TOBN(0x00000000, 0x00000000),
749       TOBN(0x00000000, 0x00000000), TOBN(0x00000000, 0x00000000)},
750      {TOBN(0x00000000, 0x00000001), TOBN(0x00000000, 0x00000000),
751       TOBN(0x00000000, 0x00000000), TOBN(0x00000000, 0x00000000)},
752      {TOBN(0xffffffff, 0xffffffff), TOBN(0x00000000, 0x00000000),
753       TOBN(0x00000000, 0x00000000), TOBN(0x00000000, 0x00000000)},
754      {TOBN(0xffffffff, 0xffffffff), TOBN(0xffffffff, 0xffffffff),
755       TOBN(0x00000000, 0x00000000), TOBN(0x00000000, 0x00000000)},
756      {TOBN(0xffffffff, 0xffffffff), TOBN(0xffffffff, 0xffffffff),
757       TOBN(0xffffffff, 0xffffffff), TOBN(0x00000000, 0x00000000)},
758      {TOBN(0x00000000, 0x00000000), TOBN(0x1d6f60ba, 0x893ba84c),
759       TOBN(0x597d89b3, 0x754abe9f), TOBN(0xb504f333, 0xf9de6484)},
760      {TOBN(0x00000000, 0x83339915), TOBN(0x1d6f60ba, 0x893ba84c),
761       TOBN(0x597d89b3, 0x754abe9f), TOBN(0xb504f333, 0xf9de6484)},
762      {TOBN(0xed17ac85, 0x00000000), TOBN(0x1d6f60ba, 0x893ba84c),
763       TOBN(0x597d89b3, 0x754abe9f), TOBN(0xb504f333, 0xf9de6484)},
764      {TOBN(0xed17ac85, 0x83339915), TOBN(0x1d6f60ba, 0x893ba84c),
765       TOBN(0x597d89b3, 0x754abe9f), TOBN(0xb504f333, 0xf9de6484)},
766      {TOBN(0xed17ac85, 0xffffffff), TOBN(0x1d6f60ba, 0x893ba84c),
767       TOBN(0x597d89b3, 0x754abe9f), TOBN(0xb504f333, 0xf9de6484)},
768      {TOBN(0xffffffff, 0x83339915), TOBN(0x1d6f60ba, 0x893ba84c),
769       TOBN(0x597d89b3, 0x754abe9f), TOBN(0xb504f333, 0xf9de6484)},
770      {TOBN(0xffffffff, 0xffffffff), TOBN(0x1d6f60ba, 0x893ba84c),
771       TOBN(0x597d89b3, 0x754abe9f), TOBN(0xb504f333, 0xf9de6484)},
772      {TOBN(0x00000000, 0x00000000), TOBN(0x00000000, 0x00000000),
773       TOBN(0x00000000, 0x00000000), TOBN(0xffffffff, 0xffffffff)},
774      {TOBN(0x00000000, 0x00000000), TOBN(0x00000000, 0x00000000),
775       TOBN(0xffffffff, 0xffffffff), TOBN(0xffffffff, 0xffffffff)},
776      {TOBN(0x00000000, 0x00000001), TOBN(0x00000000, 0x00000000),
777       TOBN(0xffffffff, 0xffffffff), TOBN(0xffffffff, 0xffffffff)},
778      {TOBN(0x00000000, 0x00000000), TOBN(0xffffffff, 0xffffffff),
779       TOBN(0xffffffff, 0xffffffff), TOBN(0xffffffff, 0xffffffff)},
780      {TOBN(0xffffffff, 0xffffffff), TOBN(0xffffffff, 0xffffffff),
781       TOBN(0xffffffff, 0xffffffff), TOBN(0xffffffff, 0xffffffff)},
782  };
783
784  for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kTestVectors); i++) {
785    SCOPED_TRACE(i);
786    for (size_t j = 0; j < OPENSSL_ARRAY_SIZE(kTestVectors); j++) {
787      SCOPED_TRACE(j);
788      EXPECT_EQ(i < j ? 1 : 0,
789                rsa_less_than_words(kTestVectors[i], kTestVectors[j],
790                                    OPENSSL_ARRAY_SIZE(kTestVectors[i])));
791    }
792  }
793
794  EXPECT_EQ(0, rsa_less_than_words(NULL, NULL, 0));
795}
796
797TEST(RSATest, GreaterThanPow2) {
798  bssl::UniquePtr<BIGNUM> b(BN_new());
799  BN_zero(b.get());
800  EXPECT_FALSE(rsa_greater_than_pow2(b.get(), 0));
801  EXPECT_FALSE(rsa_greater_than_pow2(b.get(), 1));
802  EXPECT_FALSE(rsa_greater_than_pow2(b.get(), 20));
803
804  ASSERT_TRUE(BN_set_word(b.get(), 1));
805  EXPECT_FALSE(rsa_greater_than_pow2(b.get(), 0));
806  EXPECT_FALSE(rsa_greater_than_pow2(b.get(), 1));
807  EXPECT_FALSE(rsa_greater_than_pow2(b.get(), 20));
808
809  ASSERT_TRUE(BN_set_word(b.get(), 2));
810  EXPECT_TRUE(rsa_greater_than_pow2(b.get(), 0));
811  EXPECT_FALSE(rsa_greater_than_pow2(b.get(), 1));
812  EXPECT_FALSE(rsa_greater_than_pow2(b.get(), 20));
813
814  ASSERT_TRUE(BN_set_word(b.get(), 3));
815  EXPECT_TRUE(rsa_greater_than_pow2(b.get(), 0));
816  EXPECT_TRUE(rsa_greater_than_pow2(b.get(), 1));
817  EXPECT_FALSE(rsa_greater_than_pow2(b.get(), 2));
818  EXPECT_FALSE(rsa_greater_than_pow2(b.get(), 20));
819
820  BN_set_negative(b.get(), 1);
821  EXPECT_FALSE(rsa_greater_than_pow2(b.get(), 0));
822  EXPECT_FALSE(rsa_greater_than_pow2(b.get(), 1));
823  EXPECT_FALSE(rsa_greater_than_pow2(b.get(), 2));
824  EXPECT_FALSE(rsa_greater_than_pow2(b.get(), 20));
825
826  // Check all bit lengths mod 64.
827  for (int n = 1024; n < 1024 + 64; n++) {
828    SCOPED_TRACE(n);
829    ASSERT_TRUE(BN_set_word(b.get(), 1));
830    ASSERT_TRUE(BN_lshift(b.get(), b.get(), n));
831    EXPECT_TRUE(rsa_greater_than_pow2(b.get(), n - 1));
832    EXPECT_FALSE(rsa_greater_than_pow2(b.get(), n));
833    EXPECT_FALSE(rsa_greater_than_pow2(b.get(), n + 1));
834
835    ASSERT_TRUE(BN_sub_word(b.get(), 1));
836    EXPECT_TRUE(rsa_greater_than_pow2(b.get(), n - 1));
837    EXPECT_FALSE(rsa_greater_than_pow2(b.get(), n));
838    EXPECT_FALSE(rsa_greater_than_pow2(b.get(), n + 1));
839
840    ASSERT_TRUE(BN_add_word(b.get(), 2));
841    EXPECT_TRUE(rsa_greater_than_pow2(b.get(), n - 1));
842    EXPECT_TRUE(rsa_greater_than_pow2(b.get(), n));
843    EXPECT_FALSE(rsa_greater_than_pow2(b.get(), n + 1));
844  }
845}
846#endif  // !BORINGSSL_SHARED_LIBRARY
847