/* Copyright (c) (2015,2019) Apple Inc. All rights reserved. * * corecrypto is licensed under Apple Inc.’s Internal Use License Agreement (which * is contained in the License.txt file distributed with corecrypto) and only to * people who accept that license. IMPORTANT: Any license rights granted to you by * Apple Inc. (if any) are limited to internal use within your organization only on * devices and computers you own or control, for the sole purpose of verifying the * security characteristics and correct functioning of the Apple Software. You may * not, directly or indirectly, redistribute the Apple Software or any portions thereof. */ // ================================= // WORKED-OUT EXAMPLE FOR RSASSA-PSS // ================================= // // This file gives an example of the process of // signing a message with RSASSA-PSS as // specified"in PKCS #1 v2.1. // // The message is an octet string of length 114, // while the size of the modulus in the public // key is 1024"bits. The message is signed via a // random salt of length 20 octets // // The underlying hash function in the EMSA-PSS // encoding method is SHA-1; the mask generation // function is MGF1 with SHA-1 as specified in // PKCS #1 v2.1. // // Integers are represented by strings of octets // with the leftmost octet being the most // significant octet. For example, // // 9,202,000 = (0x)8c\x69\x50. // 0x8C6950 // ============================================= // ------------------------------ // Components of the RSA Key Pair // ------------------------------ .modulus= "\xa2\xba\x40\xee\x07\xe3\xb2\xbd\x2f\x02\xce\x22\x7f\x36\xa1\x95" "\x02\x44\x86\xe4\x9c\x19\xcb\x41\xbb\xbd\xfb\xba\x98\xb2\x2b\x0e" "\x57\x7c\x2e\xea\xff\xa2\x0d\x88\x3a\x76\xe6\x5e\x39\x4c\x69\xd4" "\xb3\xc0\x5a\x1e\x8f\xad\xda\x27\xed\xb2\xa4\x2b\xc0\x00\xfe\x88" "\x8b\x9b\x32\xc2\x2d\x15\xad\xd0\xcd\x76\xb3\xe7\x93\x6e\x19\x95" "\x5b\x22\x0d\xd1\x7d\x4e\xa9\x04\xb1\xec\x10\x2b\x2e\x4d\xe7\x75" "\x12\x22\xaa\x99\x15\x10\x24\xc7\xcb\x41\xcc\x5e\xa2\x1d\x00\xee" "\xb4\x1f\x7c\x80\x08\x34\xd2\xc6\xe0\x6b\xce\x3b\xce\x7e\xa9\xa5", .modulus_len=128, // RSA public exponent e: .e="\x01\x00\x01", .e_len=3, // Prime p: .p= "\xd1\x7f\x65\x5b\xf2\x7c\x8b\x16\xd3\x54\x62\xc9\x05\xcc\x04\xa2" "\x6f\x37\xe2\xa6\x7f\xa9\xc0\xce\x0d\xce\xd4\x72\x39\x4a\x0d\xf7" "\x43\xfe\x7f\x92\x9e\x37\x8e\xfd\xb3\x68\xed\xdf\xf4\x53\xcf\x00" "\x7a\xf6\xd9\x48\xe0\xad\xe7\x57\x37\x1f\x8a\x71\x1e\x27\x8f\x6b", .p_len=64, // Prime q: .q= "\xc6\xd9\x2b\x6f\xee\x74\x14\xd1\x35\x8c\xe1\x54\x6f\xb6\x29\x87" "\x53\x0b\x90\xbd\x15\xe0\xf1\x49\x63\xa5\xe2\x63\x5a\xdb\x69\x34" "\x7e\xc0\xc0\x1b\x2a\xb1\x76\x3f\xd8\xac\x1a\x59\x2f\xb2\x27\x57" "\x46\x3a\x98\x24\x25\xbb\x97\xa3\xa4\x37\xc5\xbf\x86\xd0\x3f\x2f", .q_len=64, // p's CRT exponent dP: .dp= "\x9d\x0d\xbf\x83\xe5\xce\x9e\x4b\x17\x54\xdc\xd5\xcd\x05\xbc\xb7" "\xb5\x5f\x15\x08\x33\x0e\xa4\x9f\x14\xd4\xe8\x89\x55\x0f\x82\x56" "\xcb\x5f\x80\x6d\xff\x34\xb1\x7a\xda\x44\x20\x88\x53\x57\x7d\x08" "\xe4\x26\x28\x90\xac\xf7\x52\x46\x1c\xea\x05\x54\x76\x01\xbc\x4f", .dp_len=64, // q's CRT exponent dQ: .dq="\x12\x91\xa5\x24\xc6\xb7\xc0\x59\xe9\x0e\x46\xdc\x83\xb2\x17\x1e" "\xb3\xfa\x98\x81\x8f\xd1\x79\xb6\xc8\xbf\x6c\xec\xaa\x47\x63\x03" "\xab\xf2\x83\xfe\x05\x76\x9c\xfc\x49\x57\x88\xfe\x5b\x1d\xdf\xde" "\x9e\x88\x4a\x3c\xd5\xe9\x36\xb7\xe9\x55\xeb\xf9\x7e\xb5\x63\xb1", .dq_len=64, // CRT coefficient qInv: .qinv= "\xa6\x3f\x1d\xa3\x8b\x95\x0c\x9a\xd1\xc6\x7c\xe0\xd6\x77\xec\x29" "\x14\xcd\x7d\x40\x06\x2d\xf4\x2a\x67\xeb\x19\x8a\x17\x6f\x97\x42" "\xaa\xc7\xc5\xfe\xa1\x4f\x22\x97\x66\x2b\x84\x81\x2c\x4d\xef\xc4" "\x9a\x80\x25\xab\x43\x82\x28\x6b\xe4\xc0\x37\x88\xdd\x01\xd6\x9f", .qinv_len=64, // --------------------------------- // Step-by-step RSASSA-PSS Signature // --------------------------------- {{ // Message M to be signed: .msg= "\x85\x9e\xef\x2f\xd7\x8a\xca\x00\x30\x8b\xdc\x47\x11\x93\xbf\x55" "\xbf\x9d\x78\xdb\x8f\x8a\x67\x2b\x48\x46\x34\xf3\xc9\xc2\x6e\x64" "\x78\xae\x10\x26\x0f\xe0\xdd\x8c\x08\x2e\x53\xa5\x29\x3a\xf2\x17" "\x3c\xd5\x0c\x6d\x5d\x35\x4f\xeb\xf7\x8b\x26\x02\x1c\x25\xc0\x27" "\x12\xe7\x8c\xd4\x69\x4c\x9f\x46\x97\x77\xe4\x51\xe7\xf8\xe9\xe0" "\x4c\xd3\x73\x9c\x6b\xbf\xed\xae\x48\x7f\xb5\x56\x44\xe9\xca\x74" "\xff\x77\xa5\x3c\xb7\x29\x80\x2f\x6e\xd4\xa5\xff\xa8\xba\x15\x98" "\x90\xfc", .msg_len=7*16+2, // salt: .salt="\xe3\xb5\xd5\xd0\x02\xc1\xbc\xe5\x0c\x2b\x65\xef\x88\xa1\x88\xd8" "\x3b\xce\x7e\x61", .salt_len=20, // Signature S, the RSA decryption of EM: .sig="\x8d\xaa\x62\x7d\x3d\xe7\x59\x5d\x63\x05\x6c\x7e\xc6\x59\xe5\x44" "\x06\xf1\x06\x10\x12\x8b\xaa\xe8\x21\xc8\xb2\xa0\xf3\x93\x6d\x54" "\xdc\x3b\xdc\xe4\x66\x89\xf6\xb7\x95\x1b\xb1\x8e\x84\x05\x42\x76" "\x97\x18\xd5\x71\x5d\x21\x0d\x85\xef\xbb\x59\x61\x92\x03\x2c\x42" "\xbe\x4c\x29\x97\x2c\x85\x62\x75\xeb\x6d\x5a\x45\xf0\x5f\x51\x87" "\x6f\xc6\x74\x3d\xed\xdd\x28\xca\xec\x9b\xb3\x0e\xa9\x9e\x02\xc3" "\x48\x82\x69\x60\x4f\xe4\x97\xf7\x4c\xcd\x7c\x7f\xca\x16\x71\x89" "\x71\x23\xcb\xd3\x0d\xef\x5d\x54\xa2\xb5\x53\x6a\xd9\x0a\x74\x7e", .sig_len = 128 }}