cc/subtle/rsa_ssa_pss_verify_boringssl_test.cc - third_party/tink - Git at Google

 // Copyright 2018 Google Inc.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 //
 ///////////////////////////////////////////////////////////////////////////////

 #include "tink/subtle/rsa_ssa_pss_verify_boringssl.h"

 #include <memory>
 #include <string>
 #include <utility>

 #include "gtest/gtest.h"
 #include "absl/status/status.h"
 #include "absl/strings/escaping.h"
 #include "absl/strings/str_cat.h"
 #include "absl/strings/str_split.h"
 #include "absl/strings/string_view.h"
 #include "openssl/bn.h"
 #include "include/rapidjson/document.h"
 #include "tink/config/tink_fips.h"
 #include "tink/internal/err_util.h"
 #include "tink/internal/rsa_util.h"
 #include "tink/internal/ssl_unique_ptr.h"
 #include "tink/public_key_sign.h"
 #include "tink/public_key_verify.h"
 #include "tink/subtle/common_enums.h"
 #include "tink/subtle/wycheproof_util.h"
 #include "tink/util/status.h"
 #include "tink/util/statusor.h"
 #include "tink/util/test_matchers.h"

 // TODO(quannguyen):
 //  + Add tests for parameters validation.
 namespace crypto {
 namespace tink {
 namespace subtle {
 namespace {

 using ::crypto::tink::test::IsOk;
 using ::crypto::tink::test::StatusIs;
 using ::testing::TestParamInfo;
 using ::testing::ValuesIn;

 // Test vector from
 // https://csrc.nist.gov/Projects/Cryptographic-Algorithm-Validation-Program/Digital-Signatures
 struct NistTestVector {
   std::string n;
   std::string e;
   std::string message;
   std::string signature;
   HashType sig_hash;
   HashType mgf1_hash;
   int salt_length;
 };

 const NistTestVector GetNistTestVector() {
   NistTestVector test_vector = {
       absl::HexStringToBytes(
           "a47d04e7cacdba4ea26eca8a4c6e14563c2ce03b623b768c0d49868a57121301dbf7"
           "83d82f4c055e73960e70550187d0af62ac3496f0a3d9103c2eb7919a72752fa7ce8c"
           "688d81e3aee99468887a15288afbb7acb845b7c522b5c64e678fcd3d22feb84b4427"
           "2700be527d2b2025a3f83c2383bf6a39cf5b4e48b3cf2f56eef0dfff18555e31037b"
           "915248694876f3047814415164f2c660881e694b58c28038a032ad25634aad7b3917"
           "1dee368e3d59bfb7299e4601d4587e68caaf8db457b75af42fc0cf1ae7caced286d7"
           "7fac6cedb03ad94f1433d2c94d08e60bc1fdef0543cd2951e765b38230fdd18de5d2"
           "ca627ddc032fe05bbd2ff21e2db1c2f94d8b"),
       absl::HexStringToBytes("10e43f"),
       absl::HexStringToBytes(
           "e002377affb04f0fe4598de9d92d31d6c786040d5776976556a2cfc55e54a1dcb3cb"
           "1b126bd6a4bed2a184990ccea773fcc79d246553e6c64f686d21ad4152673cafec22"
           "aeb40f6a084e8a5b4991f4c64cf8a927effd0fd775e71e8329e41fdd4457b3911173"
           "187b4f09a817d79ea2397fc12dfe3d9c9a0290c8ead31b6690a6"),
       absl::HexStringToBytes(
           "4f9b425c2058460e4ab2f5c96384da2327fd29150f01955a76b4efe956af06dc0877"
           "9a374ee4607eab61a93adc5608f4ec36e47f2a0f754e8ff839a8a19b1db1e884ea4c"
           "f348cd455069eb87afd53645b44e28a0a56808f5031da5ba9112768dfbfca44ebe63"
           "a0c0572b731d66122fb71609be1480faa4e4f75e43955159d70f081e2a32fbb19a48"
           "b9f162cf6b2fb445d2d6994bc58910a26b5943477803cdaaa1bd74b0da0a5d053d8b"
           "1dc593091db5388383c26079f344e2aea600d0e324164b450f7b9b465111b7265f3b"
           "1b063089ae7e2623fc0fda8052cf4bf3379102fbf71d7c98e8258664ceed637d20f9"
           "5ff0111881e650ce61f251d9c3a629ef222d"),
       HashType::SHA256,
       HashType::SHA256,
       32,
   };
   return test_vector;
 }

 TEST(RsaSsaPssVerifyBoringSslTest, BasicVerify) {
   if (IsFipsModeEnabled()) {
     GTEST_SKIP() << "Test not run in FIPS-only mode";
   }
   const NistTestVector kNistTestVector = GetNistTestVector();
   internal::RsaPublicKey pub_key{kNistTestVector.n, kNistTestVector.e};
   internal::RsaSsaPssParams params = {
       kNistTestVector.sig_hash,
       kNistTestVector.mgf1_hash,
       kNistTestVector.salt_length,
   };

   util::StatusOr<std::unique_ptr<RsaSsaPssVerifyBoringSsl>> verifier =
       RsaSsaPssVerifyBoringSsl::New(pub_key, params);
   ASSERT_THAT(verifier, IsOk());
   util::Status status =
       (*verifier)->Verify(kNistTestVector.signature, kNistTestVector.message);
   EXPECT_TRUE(status.ok()) << status << internal::GetSslErrors();
 }

 TEST(RsaSsaPssVerifyBoringSslTest, NewErrors) {
   if (IsFipsModeEnabled()) {
     GTEST_SKIP() << "Test not run in FIPS-only mode";
   }
   const NistTestVector kNistTestVector = GetNistTestVector();
   internal::RsaPublicKey nist_pub_key{kNistTestVector.n, kNistTestVector.e};
   internal::RsaSsaPssParams nist_params = {
       kNistTestVector.sig_hash,
       kNistTestVector.mgf1_hash,
       kNistTestVector.salt_length,
   };
   internal::RsaPublicKey small_pub_key{std::string("\x23"), std::string("\x3")};
   internal::RsaSsaPssParams sha1_hash_params = {
       HashType::SHA1, kNistTestVector.mgf1_hash, kNistTestVector.salt_length};

   {  // Small modulus.
     auto result = RsaSsaPssVerifyBoringSsl::New(small_pub_key, nist_params);
     EXPECT_FALSE(result.ok());
     EXPECT_EQ(absl::StatusCode::kInvalidArgument, result.status().code());
     EXPECT_PRED_FORMAT2(testing::IsSubstring,
                         "only modulus size >= 2048-bit is supported",
                         std::string(result.status().message()));
   }

   {  // Use SHA1 for digital signature.
     auto result = RsaSsaPssVerifyBoringSsl::New(nist_pub_key, sha1_hash_params);
     EXPECT_FALSE(result.ok());
     EXPECT_EQ(absl::StatusCode::kInvalidArgument, result.status().code());
     EXPECT_PRED_FORMAT2(testing::IsSubstring,
                         "SHA1 is not safe for digital signature",
                         std::string(result.status().message()));
   }
 }

 TEST(RsaSsaPssVerifyBoringSslTest, Modification) {
   if (IsFipsModeEnabled()) {
     GTEST_SKIP() << "Test not run in FIPS-only mode";
   }
   const NistTestVector kNistTestVector = GetNistTestVector();
   internal::RsaPublicKey pub_key{kNistTestVector.n, kNistTestVector.e};
   internal::RsaSsaPssParams params = {
       kNistTestVector.sig_hash,
       kNistTestVector.mgf1_hash,
       kNistTestVector.salt_length,
   };

   util::StatusOr<std::unique_ptr<RsaSsaPssVerifyBoringSsl>> verifier =
       RsaSsaPssVerifyBoringSsl::New(pub_key, params);
   ASSERT_THAT(verifier, IsOk());
   // Modify the message.
   for (std::size_t i = 0; i < kNistTestVector.message.length(); i++) {
     std::string modified_message = kNistTestVector.message;
     modified_message[i / 8] ^= 1 << (i % 8);
     util::Status status =
         (*verifier)->Verify(kNistTestVector.signature, modified_message);
     EXPECT_FALSE(status.ok()) << status << internal::GetSslErrors();
   }
   // Modify the signature.
   for (std::size_t i = 0; i < kNistTestVector.signature.length(); i++) {
     std::string modified_signature = kNistTestVector.signature;
     modified_signature[i / 8] ^= 1 << (i % 8);
     util::Status status =
         (*verifier)->Verify(modified_signature, kNistTestVector.message);
     EXPECT_FALSE(status.ok()) << status << internal::GetSslErrors();
   }
   // Truncate the signature.
   for (std::size_t i = 0; i < kNistTestVector.signature.length(); i++) {
     std::string truncated_signature(kNistTestVector.signature, 0, i);
     util::Status status =
         (*verifier)->Verify(truncated_signature, kNistTestVector.message);
     EXPECT_FALSE(status.ok()) << status << internal::GetSslErrors();
   }
 }

 // Wycheproof test vector for RSA-SSA PSS.
 struct RsaSsaPssWycheproofTestVector {
   std::string file_name;
   internal::RsaPublicKey key;
   HashType hash_type;
   HashType mgf_hash_type;
   int salt_length;
   std::string expected;
   std::string msg;
   std::string sig;
   std::string id;
   std::string comment;
 };

 // Reads the RSA-SSA PSS wycheproof test vectors from a given `file_name` and
 // returns a vector of RsaSsaPssWycheproofTestVector.
 std::vector<RsaSsaPssWycheproofTestVector> ReadTestVectors(
     absl::string_view file_name) {
   std::vector<RsaSsaPssWycheproofTestVector> test_vectors;
   std::unique_ptr<rapidjson::Document> root =
       WycheproofUtil::ReadTestVectors(std::string(file_name));
   for (const rapidjson::Value& test_group : (*root)["testGroups"].GetArray()) {
     for (const rapidjson::Value& test : test_group["tests"].GetArray()) {
       test_vectors.push_back({
           /*file_name=*/std::string(file_name),
           /*key=*/
           {
               WycheproofUtil::GetInteger(test_group["n"]),
               WycheproofUtil::GetInteger(test_group["e"]),
           },
           /*hash_type=*/WycheproofUtil::GetHashType(test_group["sha"]),
           /*mgf_hash_type=*/WycheproofUtil::GetHashType(test_group["mgfSha"]),
           /*salt_length=*/test_group["sLen"].GetInt(),
           /*expected=*/test["result"].GetString(),
           /*msg=*/WycheproofUtil::GetBytes(test["msg"]),
           /*sig=*/WycheproofUtil::GetBytes(test["sig"]),
           /*id=*/absl::StrCat(test["tcId"].GetInt()),
           /*comment=*/test["comment"].GetString(),
       });
     }
   }
   return test_vectors;
 }

 // Creates a verifier using the parameters in `test_vector`.
 util::StatusOr<std::unique_ptr<RsaSsaPssVerifyBoringSsl>> GetVerifier(
     const RsaSsaPssWycheproofTestVector& test_vector) {
   internal::RsaPublicKey key = test_vector.key;
   internal::RsaSsaPssParams params = {
       test_vector.hash_type,
       test_vector.mgf_hash_type,
       test_vector.salt_length,
   };
   return RsaSsaPssVerifyBoringSsl::New(key, params);
 }

 using RsaSsaPssWycheproofTest =
     testing::TestWithParam<RsaSsaPssWycheproofTestVector>;

 // Tests signature verification using a test vector.
 TEST_P(RsaSsaPssWycheproofTest, SignatureVerify) {
   if (IsFipsModeEnabled()) {
     GTEST_SKIP() << "Test not run in FIPS-only mode";
   }
   RsaSsaPssWycheproofTestVector params = GetParam();
   util::StatusOr<std::unique_ptr<RsaSsaPssVerifyBoringSsl>> verifier =
       GetVerifier(params);
   ASSERT_THAT(verifier, IsOk());
   util::Status result = (*verifier)->Verify(params.sig, params.msg);

   if (params.expected == "valid") {
     EXPECT_THAT(result, IsOk());
   } else if (params.expected == "acceptable") {
     // The validity of the signature is undefined. Hence we skip the test but we
     // log the result since we might still want to know if the library is strict
     // or forgiving.
     GTEST_SKIP() << "Verification of an acceptable signature " << params.id
                  << " resulted in: " << result;
   } else {
     EXPECT_THAT(result, testing::Not(IsOk()));
   }
 }

 std::vector<RsaSsaPssWycheproofTestVector> GetTestParameters() {
   std::vector<RsaSsaPssWycheproofTestVector> test_vectors = ReadTestVectors(
       /*file_name=*/"rsa_pss_2048_sha256_mgf1_0_test.json");
   std::vector<RsaSsaPssWycheproofTestVector> others = ReadTestVectors(
       /*file_name=*/"rsa_pss_2048_sha256_mgf1_32_test.json");
   test_vectors.insert(test_vectors.end(), others.begin(), others.end());
   others = ReadTestVectors(
       /*file_name=*/"rsa_pss_3072_sha256_mgf1_32_test.json");
   test_vectors.insert(test_vectors.end(), others.begin(), others.end());
   others = ReadTestVectors(
       /*file_name=*/"rsa_pss_4096_sha256_mgf1_32_test.json");
   test_vectors.insert(test_vectors.end(), others.begin(), others.end());
   others = ReadTestVectors(
       /*file_name=*/"rsa_pss_4096_sha512_mgf1_32_test.json");
   test_vectors.insert(test_vectors.end(), others.begin(), others.end());
   return test_vectors;
 }

 INSTANTIATE_TEST_SUITE_P(
     RsaSsaPssWycheproofTests, RsaSsaPssWycheproofTest,
     ValuesIn(GetTestParameters()),
     [](const TestParamInfo<RsaSsaPssWycheproofTest::ParamType>& info) {
       // Testcase name is partly using the test name.
       std::vector<std::string> parts =
           absl::StrSplit(info.param.file_name, ".");
       return absl::StrCat(parts[0], "_tid", info.param.id);
     });

 // FIPS-only mode test
 TEST(RsaSsaPssVerifyBoringSslTest, TestFipsFailWithoutBoringCrypto) {
   if (!IsFipsModeEnabled() || FIPS_mode()) {
     GTEST_SKIP()
         << "Test assumes kOnlyUseFips but BoringCrypto is unavailable.";
   }
   const NistTestVector kNistTestVector = GetNistTestVector();
   internal::RsaPublicKey pub_key{kNistTestVector.n, kNistTestVector.e};
   internal::RsaSsaPssParams params = {
       /*sig_hash=*/HashType::SHA256,
       /*mgf1_hash=*/HashType::SHA256,
       /*salt_length=*/32,
   };
   EXPECT_THAT(RsaSsaPssVerifyBoringSsl::New(pub_key, params).status(),
               StatusIs(absl::StatusCode::kInternal));
 }

 TEST(RsaSsaPssVerifyBoringSslTest, TestAllowedFipsModuli) {
   if (!IsFipsModeEnabled() || !FIPS_mode()) {
     GTEST_SKIP() << "Test assumes kOnlyUseFips and BoringCrypto.";
   }

   internal::SslUniquePtr<BIGNUM> rsa_f4(BN_new());
   internal::RsaPrivateKey private_key;
   internal::RsaPublicKey public_key;
   internal::RsaSsaPssParams params = {
       /*sig_hash=*/HashType::SHA256,
       /*mgf1_hash=*/HashType::SHA256,
       /*salt_length=*/32,
   };
   BN_set_word(rsa_f4.get(), RSA_F4);
   ASSERT_THAT(
       internal::NewRsaKeyPair(3072, rsa_f4.get(), &private_key, &public_key),
       IsOk());
   EXPECT_THAT(RsaSsaPssVerifyBoringSsl::New(public_key, params).status(),
               IsOk());
 }

 TEST(RsaSsaPssVerifyBoringSslTest, TestRestrictedFipsModuli) {
   if (!IsFipsModeEnabled() || !FIPS_mode()) {
     GTEST_SKIP() << "Test assumes kOnlyUseFips and BoringCrypto.";
   }

   internal::SslUniquePtr<BIGNUM> rsa_f4(BN_new());
   internal::RsaPrivateKey private_key;
   internal::RsaPublicKey public_key;
   internal::RsaSsaPssParams params = {
       /*sig_hash=*/HashType::SHA256,
       /*mgf1_hash=*/HashType::SHA256,
       /*salt_length=*/32,
   };
   BN_set_word(rsa_f4.get(), RSA_F4);
   ASSERT_THAT(
       internal::NewRsaKeyPair(2560, rsa_f4.get(), &private_key, &public_key),
       IsOk());
   EXPECT_THAT(RsaSsaPssVerifyBoringSsl::New(public_key, params).status(),
               StatusIs(absl::StatusCode::kInternal));

   ASSERT_THAT(
       internal::NewRsaKeyPair(4096, rsa_f4.get(), &private_key, &public_key),
       IsOk());
   EXPECT_THAT(RsaSsaPssVerifyBoringSsl::New(public_key, params).status(),
               StatusIs(absl::StatusCode::kInternal));
 }

 }  // namespace
 }  // namespace subtle
 }  // namespace tink
 }  // namespace crypto
	// Copyright 2018 Google Inc.
	//
	// Licensed under the Apache License, Version 2.0 (the "License");
	// you may not use this file except in compliance with the License.
	// You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing, software
	// distributed under the License is distributed on an "AS IS" BASIS,
	// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	// See the License for the specific language governing permissions and
	// limitations under the License.
	//
	///////////////////////////////////////////////////////////////////////////////

	#include "tink/subtle/rsa_ssa_pss_verify_boringssl.h"

	#include <memory>
	#include <string>
	#include <utility>

	#include "gtest/gtest.h"
	#include "absl/status/status.h"
	#include "absl/strings/escaping.h"
	#include "absl/strings/str_cat.h"
	#include "absl/strings/str_split.h"
	#include "absl/strings/string_view.h"
	#include "openssl/bn.h"
	#include "include/rapidjson/document.h"
	#include "tink/config/tink_fips.h"
	#include "tink/internal/err_util.h"
	#include "tink/internal/rsa_util.h"
	#include "tink/internal/ssl_unique_ptr.h"
	#include "tink/public_key_sign.h"
	#include "tink/public_key_verify.h"
	#include "tink/subtle/common_enums.h"
	#include "tink/subtle/wycheproof_util.h"
	#include "tink/util/status.h"
	#include "tink/util/statusor.h"
	#include "tink/util/test_matchers.h"

	// TODO(quannguyen):
	// + Add tests for parameters validation.
	namespace crypto {
	namespace tink {
	namespace subtle {
	namespace {

	using ::crypto::tink::test::IsOk;
	using ::crypto::tink::test::StatusIs;
	using ::testing::TestParamInfo;
	using ::testing::ValuesIn;

	// Test vector from
	// https://csrc.nist.gov/Projects/Cryptographic-Algorithm-Validation-Program/Digital-Signatures
	struct NistTestVector {
	std::string n;
	std::string e;
	std::string message;
	std::string signature;
	HashType sig_hash;
	HashType mgf1_hash;
	int salt_length;
	};

	const NistTestVector GetNistTestVector() {
	NistTestVector test_vector = {
	absl::HexStringToBytes(
	"a47d04e7cacdba4ea26eca8a4c6e14563c2ce03b623b768c0d49868a57121301dbf7"
	"83d82f4c055e73960e70550187d0af62ac3496f0a3d9103c2eb7919a72752fa7ce8c"
	"688d81e3aee99468887a15288afbb7acb845b7c522b5c64e678fcd3d22feb84b4427"
	"2700be527d2b2025a3f83c2383bf6a39cf5b4e48b3cf2f56eef0dfff18555e31037b"
	"915248694876f3047814415164f2c660881e694b58c28038a032ad25634aad7b3917"
	"1dee368e3d59bfb7299e4601d4587e68caaf8db457b75af42fc0cf1ae7caced286d7"
	"7fac6cedb03ad94f1433d2c94d08e60bc1fdef0543cd2951e765b38230fdd18de5d2"
	"ca627ddc032fe05bbd2ff21e2db1c2f94d8b"),
	absl::HexStringToBytes("10e43f"),
	absl::HexStringToBytes(
	"e002377affb04f0fe4598de9d92d31d6c786040d5776976556a2cfc55e54a1dcb3cb"
	"1b126bd6a4bed2a184990ccea773fcc79d246553e6c64f686d21ad4152673cafec22"
	"aeb40f6a084e8a5b4991f4c64cf8a927effd0fd775e71e8329e41fdd4457b3911173"
	"187b4f09a817d79ea2397fc12dfe3d9c9a0290c8ead31b6690a6"),
	absl::HexStringToBytes(
	"4f9b425c2058460e4ab2f5c96384da2327fd29150f01955a76b4efe956af06dc0877"
	"9a374ee4607eab61a93adc5608f4ec36e47f2a0f754e8ff839a8a19b1db1e884ea4c"
	"f348cd455069eb87afd53645b44e28a0a56808f5031da5ba9112768dfbfca44ebe63"
	"a0c0572b731d66122fb71609be1480faa4e4f75e43955159d70f081e2a32fbb19a48"
	"b9f162cf6b2fb445d2d6994bc58910a26b5943477803cdaaa1bd74b0da0a5d053d8b"
	"1dc593091db5388383c26079f344e2aea600d0e324164b450f7b9b465111b7265f3b"
	"1b063089ae7e2623fc0fda8052cf4bf3379102fbf71d7c98e8258664ceed637d20f9"
	"5ff0111881e650ce61f251d9c3a629ef222d"),
	HashType::SHA256,
	HashType::SHA256,
	32,
	};
	return test_vector;
	}

	TEST(RsaSsaPssVerifyBoringSslTest, BasicVerify) {
	if (IsFipsModeEnabled()) {
	GTEST_SKIP() << "Test not run in FIPS-only mode";
	}
	const NistTestVector kNistTestVector = GetNistTestVector();
	internal::RsaPublicKey pub_key{kNistTestVector.n, kNistTestVector.e};
	internal::RsaSsaPssParams params = {
	kNistTestVector.sig_hash,
	kNistTestVector.mgf1_hash,
	kNistTestVector.salt_length,
	};

	util::StatusOr<std::unique_ptr<RsaSsaPssVerifyBoringSsl>> verifier =
	RsaSsaPssVerifyBoringSsl::New(pub_key, params);
	ASSERT_THAT(verifier, IsOk());
	util::Status status =
	(*verifier)->Verify(kNistTestVector.signature, kNistTestVector.message);
	EXPECT_TRUE(status.ok()) << status << internal::GetSslErrors();
	}

	TEST(RsaSsaPssVerifyBoringSslTest, NewErrors) {
	if (IsFipsModeEnabled()) {
	GTEST_SKIP() << "Test not run in FIPS-only mode";
	}
	const NistTestVector kNistTestVector = GetNistTestVector();
	internal::RsaPublicKey nist_pub_key{kNistTestVector.n, kNistTestVector.e};
	internal::RsaSsaPssParams nist_params = {
	kNistTestVector.sig_hash,
	kNistTestVector.mgf1_hash,
	kNistTestVector.salt_length,
	};
	internal::RsaPublicKey small_pub_key{std::string("\x23"), std::string("\x3")};
	internal::RsaSsaPssParams sha1_hash_params = {
	HashType::SHA1, kNistTestVector.mgf1_hash, kNistTestVector.salt_length};

	{ // Small modulus.
	auto result = RsaSsaPssVerifyBoringSsl::New(small_pub_key, nist_params);
	EXPECT_FALSE(result.ok());
	EXPECT_EQ(absl::StatusCode::kInvalidArgument, result.status().code());
	EXPECT_PRED_FORMAT2(testing::IsSubstring,
	"only modulus size >= 2048-bit is supported",
	std::string(result.status().message()));
	}

	{ // Use SHA1 for digital signature.
	auto result = RsaSsaPssVerifyBoringSsl::New(nist_pub_key, sha1_hash_params);
	EXPECT_FALSE(result.ok());
	EXPECT_EQ(absl::StatusCode::kInvalidArgument, result.status().code());
	EXPECT_PRED_FORMAT2(testing::IsSubstring,
	"SHA1 is not safe for digital signature",
	std::string(result.status().message()));
	}
	}

	TEST(RsaSsaPssVerifyBoringSslTest, Modification) {
	if (IsFipsModeEnabled()) {
	GTEST_SKIP() << "Test not run in FIPS-only mode";
	}
	const NistTestVector kNistTestVector = GetNistTestVector();
	internal::RsaPublicKey pub_key{kNistTestVector.n, kNistTestVector.e};
	internal::RsaSsaPssParams params = {
	kNistTestVector.sig_hash,
	kNistTestVector.mgf1_hash,
	kNistTestVector.salt_length,
	};

	util::StatusOr<std::unique_ptr<RsaSsaPssVerifyBoringSsl>> verifier =
	RsaSsaPssVerifyBoringSsl::New(pub_key, params);
	ASSERT_THAT(verifier, IsOk());
	// Modify the message.
	for (std::size_t i = 0; i < kNistTestVector.message.length(); i++) {
	std::string modified_message = kNistTestVector.message;
	modified_message[i / 8] ^= 1 << (i % 8);
	util::Status status =
	(*verifier)->Verify(kNistTestVector.signature, modified_message);
	EXPECT_FALSE(status.ok()) << status << internal::GetSslErrors();
	}
	// Modify the signature.
	for (std::size_t i = 0; i < kNistTestVector.signature.length(); i++) {
	std::string modified_signature = kNistTestVector.signature;
	modified_signature[i / 8] ^= 1 << (i % 8);
	util::Status status =
	(*verifier)->Verify(modified_signature, kNistTestVector.message);
	EXPECT_FALSE(status.ok()) << status << internal::GetSslErrors();
	}
	// Truncate the signature.
	for (std::size_t i = 0; i < kNistTestVector.signature.length(); i++) {
	std::string truncated_signature(kNistTestVector.signature, 0, i);
	util::Status status =
	(*verifier)->Verify(truncated_signature, kNistTestVector.message);
	EXPECT_FALSE(status.ok()) << status << internal::GetSslErrors();
	}
	}

	// Wycheproof test vector for RSA-SSA PSS.
	struct RsaSsaPssWycheproofTestVector {
	std::string file_name;
	internal::RsaPublicKey key;
	HashType hash_type;
	HashType mgf_hash_type;
	int salt_length;
	std::string expected;
	std::string msg;
	std::string sig;
	std::string id;
	std::string comment;
	};

	// Reads the RSA-SSA PSS wycheproof test vectors from a given `file_name` and
	// returns a vector of RsaSsaPssWycheproofTestVector.
	std::vector<RsaSsaPssWycheproofTestVector> ReadTestVectors(
	absl::string_view file_name) {
	std::vector<RsaSsaPssWycheproofTestVector> test_vectors;
	std::unique_ptr<rapidjson::Document> root =
	WycheproofUtil::ReadTestVectors(std::string(file_name));
	for (const rapidjson::Value& test_group : (*root)["testGroups"].GetArray()) {
	for (const rapidjson::Value& test : test_group["tests"].GetArray()) {
	test_vectors.push_back({
	/file_name=/std::string(file_name),
	/key=/
	{
	WycheproofUtil::GetInteger(test_group["n"]),
	WycheproofUtil::GetInteger(test_group["e"]),
	},
	/hash_type=/WycheproofUtil::GetHashType(test_group["sha"]),
	/mgf_hash_type=/WycheproofUtil::GetHashType(test_group["mgfSha"]),
	/salt_length=/test_group["sLen"].GetInt(),
	/expected=/test["result"].GetString(),
	/msg=/WycheproofUtil::GetBytes(test["msg"]),
	/sig=/WycheproofUtil::GetBytes(test["sig"]),
	/id=/absl::StrCat(test["tcId"].GetInt()),
	/comment=/test["comment"].GetString(),
	});
	}
	}
	return test_vectors;
	}

	// Creates a verifier using the parameters in `test_vector`.
	util::StatusOr<std::unique_ptr<RsaSsaPssVerifyBoringSsl>> GetVerifier(
	const RsaSsaPssWycheproofTestVector& test_vector) {
	internal::RsaPublicKey key = test_vector.key;
	internal::RsaSsaPssParams params = {
	test_vector.hash_type,
	test_vector.mgf_hash_type,
	test_vector.salt_length,
	};
	return RsaSsaPssVerifyBoringSsl::New(key, params);
	}

	using RsaSsaPssWycheproofTest =
	testing::TestWithParam<RsaSsaPssWycheproofTestVector>;

	// Tests signature verification using a test vector.
	TEST_P(RsaSsaPssWycheproofTest, SignatureVerify) {
	if (IsFipsModeEnabled()) {
	GTEST_SKIP() << "Test not run in FIPS-only mode";
	}
	RsaSsaPssWycheproofTestVector params = GetParam();
	util::StatusOr<std::unique_ptr<RsaSsaPssVerifyBoringSsl>> verifier =
	GetVerifier(params);
	ASSERT_THAT(verifier, IsOk());
	util::Status result = (*verifier)->Verify(params.sig, params.msg);

	if (params.expected == "valid") {
	EXPECT_THAT(result, IsOk());
	} else if (params.expected == "acceptable") {
	// The validity of the signature is undefined. Hence we skip the test but we
	// log the result since we might still want to know if the library is strict
	// or forgiving.
	GTEST_SKIP() << "Verification of an acceptable signature " << params.id
	<< " resulted in: " << result;
	} else {
	EXPECT_THAT(result, testing::Not(IsOk()));
	}
	}

	std::vector<RsaSsaPssWycheproofTestVector> GetTestParameters() {
	std::vector<RsaSsaPssWycheproofTestVector> test_vectors = ReadTestVectors(
	/file_name=/"rsa_pss_2048_sha256_mgf1_0_test.json");
	std::vector<RsaSsaPssWycheproofTestVector> others = ReadTestVectors(
	/file_name=/"rsa_pss_2048_sha256_mgf1_32_test.json");
	test_vectors.insert(test_vectors.end(), others.begin(), others.end());
	others = ReadTestVectors(
	/file_name=/"rsa_pss_3072_sha256_mgf1_32_test.json");
	test_vectors.insert(test_vectors.end(), others.begin(), others.end());
	others = ReadTestVectors(
	/file_name=/"rsa_pss_4096_sha256_mgf1_32_test.json");
	test_vectors.insert(test_vectors.end(), others.begin(), others.end());
	others = ReadTestVectors(
	/file_name=/"rsa_pss_4096_sha512_mgf1_32_test.json");
	test_vectors.insert(test_vectors.end(), others.begin(), others.end());
	return test_vectors;
	}

	INSTANTIATE_TEST_SUITE_P(
	RsaSsaPssWycheproofTests, RsaSsaPssWycheproofTest,
	ValuesIn(GetTestParameters()),
	[](const TestParamInfo<RsaSsaPssWycheproofTest::ParamType>& info) {
	// Testcase name is partly using the test name.
	std::vector<std::string> parts =
	absl::StrSplit(info.param.file_name, ".");
	return absl::StrCat(parts[0], "_tid", info.param.id);
	});

	// FIPS-only mode test
	TEST(RsaSsaPssVerifyBoringSslTest, TestFipsFailWithoutBoringCrypto) {
	if (!IsFipsModeEnabled() \|\| FIPS_mode()) {
	GTEST_SKIP()
	<< "Test assumes kOnlyUseFips but BoringCrypto is unavailable.";
	}
	const NistTestVector kNistTestVector = GetNistTestVector();
	internal::RsaPublicKey pub_key{kNistTestVector.n, kNistTestVector.e};
	internal::RsaSsaPssParams params = {
	/sig_hash=/HashType::SHA256,
	/mgf1_hash=/HashType::SHA256,
	/salt_length=/32,
	};
	EXPECT_THAT(RsaSsaPssVerifyBoringSsl::New(pub_key, params).status(),
	StatusIs(absl::StatusCode::kInternal));
	}

	TEST(RsaSsaPssVerifyBoringSslTest, TestAllowedFipsModuli) {
	if (!IsFipsModeEnabled() \|\| !FIPS_mode()) {
	GTEST_SKIP() << "Test assumes kOnlyUseFips and BoringCrypto.";
	}

	internal::SslUniquePtr<BIGNUM> rsa_f4(BN_new());
	internal::RsaPrivateKey private_key;
	internal::RsaPublicKey public_key;
	internal::RsaSsaPssParams params = {
	/sig_hash=/HashType::SHA256,
	/mgf1_hash=/HashType::SHA256,
	/salt_length=/32,
	};
	BN_set_word(rsa_f4.get(), RSA_F4);
	ASSERT_THAT(
	internal::NewRsaKeyPair(3072, rsa_f4.get(), &private_key, &public_key),
	IsOk());
	EXPECT_THAT(RsaSsaPssVerifyBoringSsl::New(public_key, params).status(),
	IsOk());
	}

	TEST(RsaSsaPssVerifyBoringSslTest, TestRestrictedFipsModuli) {
	if (!IsFipsModeEnabled() \|\| !FIPS_mode()) {
	GTEST_SKIP() << "Test assumes kOnlyUseFips and BoringCrypto.";
	}

	internal::SslUniquePtr<BIGNUM> rsa_f4(BN_new());
	internal::RsaPrivateKey private_key;
	internal::RsaPublicKey public_key;
	internal::RsaSsaPssParams params = {
	/sig_hash=/HashType::SHA256,
	/mgf1_hash=/HashType::SHA256,
	/salt_length=/32,
	};
	BN_set_word(rsa_f4.get(), RSA_F4);
	ASSERT_THAT(
	internal::NewRsaKeyPair(2560, rsa_f4.get(), &private_key, &public_key),
	IsOk());
	EXPECT_THAT(RsaSsaPssVerifyBoringSsl::New(public_key, params).status(),
	StatusIs(absl::StatusCode::kInternal));

	ASSERT_THAT(
	internal::NewRsaKeyPair(4096, rsa_f4.get(), &private_key, &public_key),
	IsOk());
	EXPECT_THAT(RsaSsaPssVerifyBoringSsl::New(public_key, params).status(),
	StatusIs(absl::StatusCode::kInternal));
	}

	} // namespace
	} // namespace subtle
	} // namespace tink
	} // namespace crypto