diff --git a/internal/signature/rsa.go b/internal/signature/rsa.go index 52f8a5f..29996ae 100644 --- a/internal/signature/rsa.go +++ b/internal/signature/rsa.go @@ -22,7 +22,6 @@ import ( "math/big" "github.com/tink-crypto/tink-go/v2/subtle" - "github.com/tink-crypto/tink-go/v2/tink" commonpb "github.com/tink-crypto/tink-go/v2/proto/common_go_proto" ) @@ -74,38 +73,6 @@ func ValidateRSAPublicKeyParams(hashAlg commonpb.HashType, modSizeBits int, pubE return RSAValidPublicExponent(int(e.Int64())) } -const ( - testMsg = "Tink and Wycheproof." - signVerifyErrMsg = "signing with private key followed by verifying with public key failed, the key may be corrupted" -) - -// Validate_RSA_SSA_PSS validates that the corresponding private key is valid by signing and verifying a message. -func Validate_RSA_SSA_PSS(hashAlg string, saltLen int, privKey *rsa.PrivateKey) error { - signer, err := New_RSA_SSA_PSS_Signer(hashAlg, saltLen, privKey) - if err != nil { - return err - } - verifier, err := New_RSA_SSA_PSS_Verifier(hashAlg, saltLen, &privKey.PublicKey) - if err != nil { - return err - } - if err := validateSignerVerifier(signer, verifier); err != nil { - return fmt.Errorf("RSA-SSA-PSS: %q", signVerifyErrMsg) - } - return nil -} - -func validateSignerVerifier(signer tink.Signer, verifier tink.Verifier) error { - signature, err := signer.Sign([]byte(testMsg)) - if err != nil { - return err - } - if err := verifier.Verify([]byte(signature), []byte(testMsg)); err != nil { - return err - } - return nil -} - func validRSAPublicKey(publicKey *rsa.PublicKey) error { if err := RSAValidModulusSizeInBits(publicKey.N.BitLen()); err != nil { return err diff --git a/internal/signature/rsa_test.go b/internal/signature/rsa_test.go index 4de946e..a4fc3e5 100644 --- a/internal/signature/rsa_test.go +++ b/internal/signature/rsa_test.go @@ -15,8 +15,6 @@ package signature_test import ( - "crypto/rand" - "crypto/rsa" "math/big" "testing" @@ -76,87 +74,6 @@ func TestHashNotSafeForSignatureFails(t *testing.T) { } } -func TestRSAKeySelfTestWithCorruptedKeysFails(t *testing.T) { - validPrivKey, err := rsa.GenerateKey(rand.Reader, 3072) - if err != nil { - t.Fatalf("rsa.GenerateKey(rand.Reader, 3072) err = %v, want nil", err) - } - saltLen := 0 - if err := internal.Validate_RSA_SSA_PSS("SHA256", saltLen, validPrivKey); err != nil { - t.Errorf("internal.Validate_RSA_SSA_PSS('SHA256', saltLen, validPrivKey) err = %v, want nil", err) - } - type testCase struct { - tag string - key *rsa.PrivateKey - hash string - } - for _, tc := range []testCase{ - { - tag: "modify public modulus", - key: &rsa.PrivateKey{ - D: validPrivKey.D, - Primes: validPrivKey.Primes, - Precomputed: validPrivKey.Precomputed, - PublicKey: rsa.PublicKey{ - N: validPrivKey.N.Add(validPrivKey.N, big.NewInt(500)), - E: validPrivKey.E, - }, - }, - }, - { - tag: "modify public exponent", - key: &rsa.PrivateKey{ - D: validPrivKey.D, - Primes: validPrivKey.Primes, - Precomputed: validPrivKey.Precomputed, - PublicKey: rsa.PublicKey{ - N: validPrivKey.N, - E: validPrivKey.E + 5, - }, - }, - }, - { - tag: "one byte shift in Q", - key: &rsa.PrivateKey{ - PublicKey: validPrivKey.PublicKey, - D: validPrivKey.D, - Precomputed: validPrivKey.Precomputed, - Primes: []*big.Int{ - func() *big.Int { - p := validPrivKey.Primes[0].Bytes() - p[4] = byte(uint8(p[4] + 1)) - return new(big.Int).SetBytes(p) - }(), - validPrivKey.Primes[1], - }, - }, - hash: "SHA256", - }, - { - tag: "removing one byte from P", - key: &rsa.PrivateKey{ - PublicKey: validPrivKey.PublicKey, - D: validPrivKey.D, - Precomputed: validPrivKey.Precomputed, - Primes: []*big.Int{ - validPrivKey.Primes[0], - func() *big.Int { - p := validPrivKey.Primes[1].Bytes() - return new(big.Int).SetBytes(p[:len(p)-2]) - }(), - }, - }, - hash: "SHA256", - }, - } { - t.Run(tc.tag, func(t *testing.T) { - if err := internal.Validate_RSA_SSA_PSS(tc.hash, saltLen, tc.key); err == nil { - t.Errorf("internal.Validate_RSA_SSA_PSS(hash = %d saltLen = %q, key) err = nil, want error", saltLen, tc.hash) - } - }) - } -} - func TestValidateRSAPublicKeyParams(t *testing.T) { f4 := new(big.Int).SetInt64(65537).Bytes() invalidPubExponent := new(big.Int).SetInt64(65537 + 1).Bytes()