Mercurial > dropbear
comparison libtomcrypt/notes/rsa-testvectors/pss-int.txt @ 1471:6dba84798cd5
Update to libtomcrypt 1.18.1, merged with Dropbear changes
| author | Matt Johnston <matt@ucc.asn.au> |
|---|---|
| date | Fri, 09 Feb 2018 21:44:05 +0800 |
| parents | |
| children |
comparison
equal
deleted
inserted
replaced
| 1470:8bba51a55704 | 1471:6dba84798cd5 |
|---|---|
| 1 # ================================= | |
| 2 # WORKED-OUT EXAMPLE FOR RSASSA-PSS | |
| 3 # ================================= | |
| 4 # | |
| 5 # This file gives an example of the process of | |
| 6 # signing a message with RSASSA-PSS as | |
| 7 # specified in PKCS #1 v2.1. | |
| 8 # | |
| 9 # The message is an octet string of length 114, | |
| 10 # while the size of the modulus in the public | |
| 11 # key is 1024 bits. The message is signed via a | |
| 12 # random salt of length 20 octets | |
| 13 # | |
| 14 # The underlying hash function in the EMSA-PSS | |
| 15 # encoding method is SHA-1; the mask generation | |
| 16 # function is MGF1 with SHA-1 as specified in | |
| 17 # PKCS #1 v2.1. | |
| 18 # | |
| 19 # Integers are represented by strings of octets | |
| 20 # with the leftmost octet being the most | |
| 21 # significant octet. For example, | |
| 22 # | |
| 23 # 9,202,000 = (0x)8c 69 50. | |
| 24 # | |
| 25 # ============================================= | |
| 26 | |
| 27 # ------------------------------ | |
| 28 # Components of the RSA Key Pair | |
| 29 # ------------------------------ | |
| 30 | |
| 31 # RSA modulus n: | |
| 32 a2 ba 40 ee 07 e3 b2 bd 2f 02 ce 22 7f 36 a1 95 | |
| 33 02 44 86 e4 9c 19 cb 41 bb bd fb ba 98 b2 2b 0e | |
| 34 57 7c 2e ea ff a2 0d 88 3a 76 e6 5e 39 4c 69 d4 | |
| 35 b3 c0 5a 1e 8f ad da 27 ed b2 a4 2b c0 00 fe 88 | |
| 36 8b 9b 32 c2 2d 15 ad d0 cd 76 b3 e7 93 6e 19 95 | |
| 37 5b 22 0d d1 7d 4e a9 04 b1 ec 10 2b 2e 4d e7 75 | |
| 38 12 22 aa 99 15 10 24 c7 cb 41 cc 5e a2 1d 00 ee | |
| 39 b4 1f 7c 80 08 34 d2 c6 e0 6b ce 3b ce 7e a9 a5 | |
| 40 | |
| 41 # RSA public exponent e: | |
| 42 01 00 01 | |
| 43 | |
| 44 # Prime p: | |
| 45 d1 7f 65 5b f2 7c 8b 16 d3 54 62 c9 05 cc 04 a2 | |
| 46 6f 37 e2 a6 7f a9 c0 ce 0d ce d4 72 39 4a 0d f7 | |
| 47 43 fe 7f 92 9e 37 8e fd b3 68 ed df f4 53 cf 00 | |
| 48 7a f6 d9 48 e0 ad e7 57 37 1f 8a 71 1e 27 8f 6b | |
| 49 | |
| 50 # Prime q: | |
| 51 c6 d9 2b 6f ee 74 14 d1 35 8c e1 54 6f b6 29 87 | |
| 52 53 0b 90 bd 15 e0 f1 49 63 a5 e2 63 5a db 69 34 | |
| 53 7e c0 c0 1b 2a b1 76 3f d8 ac 1a 59 2f b2 27 57 | |
| 54 46 3a 98 24 25 bb 97 a3 a4 37 c5 bf 86 d0 3f 2f | |
| 55 | |
| 56 # p's CRT exponent dP: | |
| 57 9d 0d bf 83 e5 ce 9e 4b 17 54 dc d5 cd 05 bc b7 | |
| 58 b5 5f 15 08 33 0e a4 9f 14 d4 e8 89 55 0f 82 56 | |
| 59 cb 5f 80 6d ff 34 b1 7a da 44 20 88 53 57 7d 08 | |
| 60 e4 26 28 90 ac f7 52 46 1c ea 05 54 76 01 bc 4f | |
| 61 | |
| 62 # q's CRT exponent dQ: | |
| 63 12 91 a5 24 c6 b7 c0 59 e9 0e 46 dc 83 b2 17 1e | |
| 64 b3 fa 98 81 8f d1 79 b6 c8 bf 6c ec aa 47 63 03 | |
| 65 ab f2 83 fe 05 76 9c fc 49 57 88 fe 5b 1d df de | |
| 66 9e 88 4a 3c d5 e9 36 b7 e9 55 eb f9 7e b5 63 b1 | |
| 67 | |
| 68 # CRT coefficient qInv: | |
| 69 a6 3f 1d a3 8b 95 0c 9a d1 c6 7c e0 d6 77 ec 29 | |
| 70 14 cd 7d 40 06 2d f4 2a 67 eb 19 8a 17 6f 97 42 | |
| 71 aa c7 c5 fe a1 4f 22 97 66 2b 84 81 2c 4d ef c4 | |
| 72 9a 80 25 ab 43 82 28 6b e4 c0 37 88 dd 01 d6 9f | |
| 73 | |
| 74 # --------------------------------- | |
| 75 # Step-by-step RSASSA-PSS Signature | |
| 76 # --------------------------------- | |
| 77 | |
| 78 # Message M to be signed: | |
| 79 85 9e ef 2f d7 8a ca 00 30 8b dc 47 11 93 bf 55 | |
| 80 bf 9d 78 db 8f 8a 67 2b 48 46 34 f3 c9 c2 6e 64 | |
| 81 78 ae 10 26 0f e0 dd 8c 08 2e 53 a5 29 3a f2 17 | |
| 82 3c d5 0c 6d 5d 35 4f eb f7 8b 26 02 1c 25 c0 27 | |
| 83 12 e7 8c d4 69 4c 9f 46 97 77 e4 51 e7 f8 e9 e0 | |
| 84 4c d3 73 9c 6b bf ed ae 48 7f b5 56 44 e9 ca 74 | |
| 85 ff 77 a5 3c b7 29 80 2f 6e d4 a5 ff a8 ba 15 98 | |
| 86 90 fc | |
| 87 | |
| 88 # mHash = Hash(M) | |
| 89 # salt = random string of octets | |
| 90 # M' = Padding || mHash || salt | |
| 91 # H = Hash(M') | |
| 92 # DB = Padding || salt | |
| 93 # dbMask = MGF(H, length(DB)) | |
| 94 # maskedDB = DB xor dbMask (leftmost bit set to | |
| 95 # zero) | |
| 96 # EM = maskedDB || H || 0xbc | |
| 97 | |
| 98 # mHash: | |
| 99 37 b6 6a e0 44 58 43 35 3d 47 ec b0 b4 fd 14 c1 | |
| 100 10 e6 2d 6a | |
| 101 | |
| 102 # salt: | |
| 103 e3 b5 d5 d0 02 c1 bc e5 0c 2b 65 ef 88 a1 88 d8 | |
| 104 3b ce 7e 61 | |
| 105 | |
| 106 # M': | |
| 107 00 00 00 00 00 00 00 00 37 b6 6a e0 44 58 43 35 | |
| 108 3d 47 ec b0 b4 fd 14 c1 10 e6 2d 6a e3 b5 d5 d0 | |
| 109 02 c1 bc e5 0c 2b 65 ef 88 a1 88 d8 3b ce 7e 61 | |
| 110 | |
| 111 # H: | |
| 112 df 1a 89 6f 9d 8b c8 16 d9 7c d7 a2 c4 3b ad 54 | |
| 113 6f be 8c fe | |
| 114 | |
| 115 # DB: | |
| 116 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | |
| 117 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | |
| 118 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | |
| 119 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | |
| 120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | |
| 121 00 00 00 00 00 00 01 e3 b5 d5 d0 02 c1 bc e5 0c | |
| 122 2b 65 ef 88 a1 88 d8 3b ce 7e 61 | |
| 123 | |
| 124 # dbMask: | |
| 125 66 e4 67 2e 83 6a d1 21 ba 24 4b ed 65 76 b8 67 | |
| 126 d9 a4 47 c2 8a 6e 66 a5 b8 7d ee 7f bc 7e 65 af | |
| 127 50 57 f8 6f ae 89 84 d9 ba 7f 96 9a d6 fe 02 a4 | |
| 128 d7 5f 74 45 fe fd d8 5b 6d 3a 47 7c 28 d2 4b a1 | |
| 129 e3 75 6f 79 2d d1 dc e8 ca 94 44 0e cb 52 79 ec | |
| 130 d3 18 3a 31 1f c8 97 39 a9 66 43 13 6e 8b 0f 46 | |
| 131 5e 87 a4 53 5c d4 c5 9b 10 02 8d | |
| 132 | |
| 133 # maskedDB: | |
| 134 66 e4 67 2e 83 6a d1 21 ba 24 4b ed 65 76 b8 67 | |
| 135 d9 a4 47 c2 8a 6e 66 a5 b8 7d ee 7f bc 7e 65 af | |
| 136 50 57 f8 6f ae 89 84 d9 ba 7f 96 9a d6 fe 02 a4 | |
| 137 d7 5f 74 45 fe fd d8 5b 6d 3a 47 7c 28 d2 4b a1 | |
| 138 e3 75 6f 79 2d d1 dc e8 ca 94 44 0e cb 52 79 ec | |
| 139 d3 18 3a 31 1f c8 96 da 1c b3 93 11 af 37 ea 4a | |
| 140 75 e2 4b db fd 5c 1d a0 de 7c ec | |
| 141 | |
| 142 # Encoded message EM: | |
| 143 66 e4 67 2e 83 6a d1 21 ba 24 4b ed 65 76 b8 67 | |
| 144 d9 a4 47 c2 8a 6e 66 a5 b8 7d ee 7f bc 7e 65 af | |
| 145 50 57 f8 6f ae 89 84 d9 ba 7f 96 9a d6 fe 02 a4 | |
| 146 d7 5f 74 45 fe fd d8 5b 6d 3a 47 7c 28 d2 4b a1 | |
| 147 e3 75 6f 79 2d d1 dc e8 ca 94 44 0e cb 52 79 ec | |
| 148 d3 18 3a 31 1f c8 96 da 1c b3 93 11 af 37 ea 4a | |
| 149 75 e2 4b db fd 5c 1d a0 de 7c ec df 1a 89 6f 9d | |
| 150 8b c8 16 d9 7c d7 a2 c4 3b ad 54 6f be 8c fe bc | |
| 151 | |
| 152 # Signature S, the RSA decryption of EM: | |
| 153 8d aa 62 7d 3d e7 59 5d 63 05 6c 7e c6 59 e5 44 | |
| 154 06 f1 06 10 12 8b aa e8 21 c8 b2 a0 f3 93 6d 54 | |
| 155 dc 3b dc e4 66 89 f6 b7 95 1b b1 8e 84 05 42 76 | |
| 156 97 18 d5 71 5d 21 0d 85 ef bb 59 61 92 03 2c 42 | |
| 157 be 4c 29 97 2c 85 62 75 eb 6d 5a 45 f0 5f 51 87 | |
| 158 6f c6 74 3d ed dd 28 ca ec 9b b3 0e a9 9e 02 c3 | |
| 159 48 82 69 60 4f e4 97 f7 4c cd 7c 7f ca 16 71 89 | |
| 160 71 23 cb d3 0d ef 5d 54 a2 b5 53 6a d9 0a 74 7e | |
| 161 | |
| 162 # ============================================= |