external/boringssl: Sync to ee7aa02744a78bf4630913b1c83d0fe36aa45efc.
This includes the following changes:
https://boringssl.googlesource.com/boringssl/+log/a93bc1124c00b1ac0a68ea5cb14b158d6c8366e1..ee7aa02744a78bf4630913b1c83d0fe36aa45efc
Test: BoringSSL CTS Presubmits.
Change-Id: I5a05899374e616003f841983b6545f5c90e7c71d
diff --git a/BORINGSSL_REVISION b/BORINGSSL_REVISION
index c0340b4..959b0f0 100644
--- a/BORINGSSL_REVISION
+++ b/BORINGSSL_REVISION
@@ -1 +1 @@
-a93bc1124c00b1ac0a68ea5cb14b158d6c8366e1
+ee7aa02744a78bf4630913b1c83d0fe36aa45efc
diff --git a/crypto_test_data.cc b/crypto_test_data.cc
index b2dd0cb..dd1dbd6 100644
--- a/crypto_test_data.cc
+++ b/crypto_test_data.cc
@@ -2424,20 +2424,20 @@
"# Public key algorithm tests\n\n# Keys used for PKEY operations.\n\n# RSA 2048 bit key.\nPrivateKey = RSA-2048\nType = RSA\nInput = 308204bc020100300d06092a864886f70d0101010500048204a6308204a20201000282010100cd0081ea7b2ae1ea06d59f7c73d9ffb94a09615c2e4ba7c636cef08dd3533ec3185525b015c769b99a77d6725bf9c3532a9b6e5f6627d5fb85160768d3dda9cbd35974511717dc3d309d2fc47ee41f97e32adb7f9dd864a1c4767a666ecd71bc1aacf5e7517f4b38594fea9b05e42d5ada9912008013e45316a4d9bb8ed086b88d28758bacaf922d46a868b485d239c9baeb0e2b64592710f42b2d1ea0a4b4802c0becab328f8a68b0073bdb546feea9809d2849912b390c1532bc7e29c7658f8175fae46f34332ff87bcab3e40649b98577869da0ea718353f0722754886913648760d122be676e0fc483dd20ffc31bda96a31966c9aa2e75ad03de47e1c44f02030100010282010060297ac7991b167a06d6b24758b8cbe208beb9b2d9ec9738bd80f90a2e35005dd7ce292d9e29ba885bd316fef1f20913bc0ac90d6b0808b2414d82104441d8624a33ce0233c8f780a48b375aff02d76712228a702484db3f9ebecccfbbee1709dba182800d949e9e4216e0bff3558388f8bd90da373a1d82743ec3fbdd1427fd16825a657a316912e8695365117ca2f845c909405fcac55f895fc15d20386c26ee78c9e99075029a178a6c1e4cf0c200e8a9cfb27e9d156f86e6c2adc22b1a84a1cd5ca5b2790875d79407c84b352395cb81cc3fed5bb043b69ede0c07204550025cee8c5f440170b6120bb48e0f747bcd8f522110850df043c428dfd187053102818100f6f961b47cbc035d3aedebc7de850a956b65ecdb9cf60764063f15aa48553c58d972fe6675056e35ddfdc37bf3b9f2f622ee271337256849c9bef2176fe8f7c3f8bb91ba374dd53baf3dec814d2bdec10c1fdc88cdd16876f26b1edfa3f094197edf4d42ff1fb2971103b898ca859c427287086a842ab410bb69cf2d35af6be302818100d47e724a7ff41048b270c2524a4101878b73159bb73d3dbc187b220e635b3534f96e243a184d93f860b6bfbb6b71c1ed9a1e1f458583023c301e96a692c1a08b53d0ec9ca910100d80451e3b7dc6a01bac4aecef8df798846bc235a08cbba2cf4c06804cc11219e95608c714e3f1430d491fadbba32a5751a04f97745834c9a502818021f2452bb9b95dfd028c914bf799f1ca77e89a95d50d3c16d384f8455f8bd7af9eb3dfa3d591d9842def235f7630a8e48c088ff6642e101794535a933e1e976fa8509fc728b2da0c4a1a08d7fcf37abaae1ff3001aca1dc1bbb05d9dffbaa1a09f7fb1eef38237d9ebccc722b9338436dde7119112798c26809c1a8dec4320610281801f7510aa62c2d8de4a3c53282781f41e02d0e8b402ae78432e449c48110161a11403f02d01880a8dcc938152d79721a4711a607ac4471ebf964810f95be47a45e60499e29f4c9773c83773404f606637728c2d0351bb03c326c8bb73a721e7fa5440ea2172bba1465fcc30dcb0d9f89930e815aa1f7f9729a857e00e0338dd590281804d1f0d756fe77e01099a652f50a88b7b685dc5bf00981d5d2376fd0c6fe29cd5b638734479305a73ad3c1599d39eae3bae035fbd6fed07c28de705933879a06e48e6a603686ed8e2560a5f6af1f2c24faf4aa960e382186f15eedce9a2491ae730680dd4cf778b70faa86826ab3223477cc91377b19a6d5a2eaea219760beed5\n\n# The public half of the same key encoded as a SubjectPublicKeyInfo.\nPublicKey = RSA-2048-SPKI\nType = RSA\nInput = 30820122300d06092a864886f70d01010105000382010f003082010a0282010100cd0081ea7b2ae1ea06d59f7c73d9ffb94a09615c2e4ba7c636cef08dd3533ec3185525b015c769b99a77d6725bf9c3532a9b6e5f6627d5fb85160768d3dda9cbd35974511717dc3d309d2fc47ee41f97e32adb7f9dd864a1c4767a666ecd71bc1aacf5e7517f4b38594fea9b05e42d5ada9912008013e45316a4d9bb8ed086b88d28758bacaf922d46a868b485d239c9baeb0e2b64592710f42b2d1ea0a4b4802c0becab328f8a68b0073bdb546feea9809d2849912b390c1532bc7e29c7658f8175fae46f34332ff87bcab3e40649b98577869da0ea718353f0722754886913648760d122be676e0fc483dd20ffc31bda96a31966c9aa2e75ad03de47e1c44f0203010001\n\n# The same key but with missing parameters rather than a NULL.\nPublicKey = RSA-2048-SPKI-Invalid\nInput = 30820120300b06092a864886f70d0101010382010f003082010a0282010100cd0081ea7b2ae1ea06d59f7c73d9ffb94a09615c2e4ba7c636cef08dd3533ec3185525b015c769b99a77d6725bf9c3532a9b6e5f6627d5fb85160768d3dda9cbd35974511717dc3d309d2fc47ee41f97e32adb7f9dd864a1c4767a666ecd71bc1aacf5e7517f4b38594fea9b05e42d5ada9912008013e45316a4d9bb8ed086b88d28758bacaf922d46a868b485d239c9baeb0e2b64592710f42b2d1ea0a4b4802c0becab328f8a68b0073bdb546feea9809d2849912b390c1532bc7e29c7658f8175fae46f34332ff87bcab3e40649b98577869da0ea718353f0722754886913648760d122be676e0fc483dd20ffc31bda96a31966c9aa2e75ad03de47e1c44f0203010001\nError = DECODE_ERROR\n\n# The same key but with an incorrectly-encoded length prefix.\nPublicKey = RSA-2048-SPKI-Invalid2\nInput = 3083000122300d06092a864886f70d01010105000382010f003082010a0282010100cd0081ea7b2ae1ea06d59f7c73d9ffb94a09615c2e4ba7c636cef08dd3533ec3185525b015c769b99a77d6725bf9c3532a9b6e5f6627d5fb85160768d3dda9cbd35974511717dc3d309d2fc47ee41f97e32adb7f9dd864a1c4767a666ecd71bc1aacf5e7517f4b38594fea9b05e42d5ada9912008013e45316a4d9bb8ed086b88d28758bacaf922d46a868b485d239c9baeb0e2b64592710f42b2d1ea0a4b4802c0becab328f8a68b0073bdb546feea9809d2849912b390c1532bc7e29c7658f8175fae46f34332ff87bcab3e40649b98577869da0ea718353f0722754886913648760d122be676e0fc483dd20ffc31bda96a31966c9aa2e75ad03de47e1c44f0203010001\nError = DECODE_ERROR\n\n# RSA 512 bit key.\nPrivateKey = RSA-512\nType = RSA\nInput = 30820154020100300d06092a864886f70d01010105000482013e3082013a020100024100dd20403d976a38c9d79152d87b5c8e9f05033eadd7b7de709bf5b0c4a5182a97d18483526b02362b992e154a9f37faa396ca2685cdab8fec09877ebe705f4dd70203010001024055bebcca655d7e39de8a6eaa9d636db682161907064039544755c53eeb99ec618c03a210dbc61471eaba10c5c365c9726d6b7a96f54d455f7d168d49367270e1022100f21a05d9fd6817301ce49ce10448f9bdd44f5ef5b7557cd7d83155db46382ae7022100e9d1f7157783db2feab1936954ddc4e83aa365695868144cda1be6813b61d791022100d6001eb0040920860ce41fafdf23ca6dfbdf74e6e9f98cf3164cf5c16f9e727d02206f6f73f4b52b10517be6f9bc5f87fa0a3bb817e2e711636b651f9af1c85d4f21022063eff2e57f5b4ca20342cfe793e25526624e3692f192461f9e1ce7f13f2d72c8\n\n# RSA 515 bit key.\nPrivateKey = RSA-515\nType = RSA\nInput = 30820157020100300d06092a864886f70d0101010500048201413082013d0201000241054fa166e205e658bbe8a2dc35311c0c2b75b7e4569fd9642c8bae809279271fc824f26baa1166ea46298ca63379ea76adbada2b61e5066820a35beaec1aca227f020301000102410266c972be0d30e53ac2acb1aa13b4bd0401cccf212452a66b4615f7e943831f67b4ca48560582d0ca886044aaaaf87945252a848c1947944186e6eb83969bf91102210309e631761842cc8a2ccfd372c20a9cba21de1a199c30ab440bc6b51079f4e825022101bf715c1db432627ca7c29a293b9210f2eff1e92d12f306ebaa5334f8ee03dcd30221018ac58a765f2b8f37d434081fe5ff92b81735ead2f263f4968ccf63d61fbe3d0d0221015b247a1159a2d5a25d0db049593c6405f77f3a278c521d066e290c2a2d8fb59d0221026224aa31fd95c14d24fd03b8a195bba4cc88df7c37f5370a5ab19f882f1404d6\n\n# EC P-256 key\nPrivateKey = P-256\nType = EC\nInput = 308187020100301306072a8648ce3d020106082a8648ce3d030107046d306b02010104208a872fb62893c4d1ffc5b9f0f91758069f8352e08fa05a49f8db926cb5728725a144034200042c150f429ce70f216c252cf5e062ce1f639cd5d165c7f89424072c27197d78b33b920e95cdb664e990dcf0cfea0d94e2a8e6af9d0e58056e653104925b9fe6c9\n\n# The same key as above with the optional public key omitted.\nPrivateKey = P-256-MissingPublic\nType = EC\nInput = 3041020100301306072a8648ce3d020106082a8648ce3d0301070427302502010104208a872fb62893c4d1ffc5b9f0f91758069f8352e08fa05a49f8db926cb5728725\n\n# The same key as above with redundant parameters.\nPrivateKey = P-256-ExtraParameters\nType = EC\nInput = 308193020100301306072a8648ce3d020106082a8648ce3d0301070479307702010104208a872fb62893c4d1ffc5b9f0f91758069f8352e08fa05a49f8db926cb5728725a00a06082a8648ce3d030107a144034200042c150f429ce70f216c252cf5e062ce1f639cd5d165c7f89424072c27197d78b33b920e95cdb664e990dcf0cfea0d94e2a8e6af9d0e58056e653104925b9fe6c9\n# The key re-encodes with the parameters removed.\nOutput = 308187020100301306072a8648ce3d020106082a8648ce3d030107046d306b02010104208a872fb62893c4d1ffc5b9f0f91758069f8352e08fa05a49f8db926cb5728725a144034200042c150f429ce70f216c252cf5e062ce1f639cd5d165c7f89424072c27197d78b33b920e95cdb664e990dcf0cfea0d94e2a8e6af9d0e58056e653104925b9fe6c9\n\n# The same key, but with the redundant parameters in the ECPrivateKey mismatched.\nPrivateKey = P-256-BadInnerParameters\nInput = 308190020100301306072a8648ce3d020106082a8648ce3d0301070476307402010104208a872fb62893c4d1ffc5b9f0f91758069f8352e08fa05a49f8db926cb5728725a00706052b81040022a144034200042c150f429ce70f216c252cf5e062ce1f639cd5d165c7f89424072c27197d78b33b920e95cdb664e990dcf0cfea0d94e2a8e6af9d0e58056e653104925b9fe6c9\nError = GROUP_MISMATCH\n\n# The public half of the same key encoded as a PublicKey.\nPublicKey = P-256-SPKI\nType = EC\nInput = 3059301306072a8648ce3d020106082a8648ce3d030107034200042c150f429ce70f216c252cf5e062ce1f639cd5d165c7f89424072c27197d78b33b920e95cd",
"b664e990dcf0cfea0d94e2a8e6af9d0e58056e653104925b9fe6c9\n\n# The same as above, but with the curve explicitly spelled out.\nPublicKey = P-256-SPKI\nInput = 3082014b3082010306072a8648ce3d02013081f7020101302c06072a8648ce3d0101022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff305b0420ffffffff00000001000000000000000000000000fffffffffffffffffffffffc04205ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b031500c49d360886e704936a6678e1139d26b7819f7e900441046b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c2964fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551020101034200042c150f429ce70f216c252cf5e062ce1f639cd5d165c7f89424072c27197d78b33b920e95cdb664e990dcf0cfea0d94e2a8e6af9d0e58056e653104925b9fe6c9\nError = DECODE_ERROR\n\n# The same as above, but with trailing data after the curve name.\nPublicKey = P-256-SPKI\nInput = 305b301506072a8648ce3d020106082a8648ce3d0301070500034200042c150f429ce70f216c252cf5e062ce1f639cd5d165c7f89424072c27197d78b33b920e95cdb664e990dcf0cfea0d94e2a8e6af9d0e58056e653104925b9fe6c9\nError = DECODE_ERROR\n\n# A DSA private key.\nPrivateKey = DSA-1024\nType = DSA\nInput = 308202650201003082023906072a8648ce3804013082022c02820101009e12fab3de12213501dd82aa10ca2d101d2d4ebfef4d2a3f8daa0fe0cedad8d6af85616aa2f3252c0a2b5a6db09e6f14900e0ddb8311876dd8f9669525f99ed65949e184d5064793271169a228680b95ec12f59a8e20b21f2b58eb2a2012d35bde2ee351822fe8f32d0a330565dcce5c672b7259c14b2433d0b5b2ca2b2db0ab626e8f13f47fe0345d904e7294bb038e9ce21a9e580b83356278706cfe768436c69de149ccff98b4aab8cb4f6385c9f102ce59346eaeef27e0ad222d53d6e89cc8cde5776dd00057b03f2d88ab3cedbafd7b585f0b7f7835e17a3728bbf25ea62572f245dc111f3ce39cb6ffacc31b0a2790e7bde90224ea9b09315362af3d2b022100f381dcf53ebf724f8b2e5ca82c010fb4b5eda9358d0fd88ed278589488b54fc3028201000c402a725dcc3a62e02bf4cf43cd17f4a493591220223669cf4193edab423ad08dfb552e308a6a57a5ffbc7cd0fb2087f81f8df0cb08ab2133287d2b6968714a94f633c940845a48a3e16708dde761cc6a8eab2d84db21b6ea5b07681493cc9c31fbc368b243f6ddf8c932a8b4038f44e7b15ca876344a147859f2b43b39458668ad5e0a1a9a669546dd2812e3b3617a0aef99d58e3bb4cc87fd94225e01d2dcc469a77268146c51918f18e8b4d70aa1f0c7623bcc52cf3731d38641b2d2830b7eecb2f09552ff137d046e494e7f33c3590002b16d1b97d936fda28f90c3ed3ca35338168ac16f77c3c57adc2e8f7c6c2256e41a5f65450590dbb5bcf06d66610423022100b0c768702743bc51242993a971a52889795444f7c6452203d0ce84fe6117d46e\n\n# A DSA public key.\nPublicKey = DSA-1024-SPKI\nType = DSA\nInput = 308201b73082012c06072a8648ce3804013082011f02818100b3429b8b128c9079f9b72e86857e98d265e5d91661ed8b5f4cc56e5eed1e571da30186983a9dd76297eab73ee13a1db841f8800d04a7cab478af6cde2ea4a2868531af169a24858c6268efa39ceb7ed0d4227eb5bbb01124a2a5a26038c7bcfb8cc827f68f5202345166e4718596799b65c9def82828ce44e62e38e41a0d24b1021500c5a56c81ddd87f47e676546c56d05706421624cf0281810094de40d27314fe929e47ff9b1ac65cfc73ef38c4d381c890be6217b15039ae18190e6b421af8c0bda35a5cfd050f58ae2644adce83e68c8e5ba11729df56bbb21e227a60b816cc033fa799a38fe1ba5b4aa1801b6f841ce3df99feb3b4fb96950c960af13fa2ce920aabc12dd24ad2044a35063ea0e25f67f560f4cfbdc5598303818400028180258c30ebbb7f34fdc873ce679f6cea373c7886d75d4421b90920db034daedd292c64d8edd8cdbdd7f3ad23d74cfa2135247d0cef6ecf2e14f99e19d22a8c1266bd8fb8719c0e5667c716c45c7adbdabe548085bdad2dfee636f8d52fd6adb2193df6c4f0520fbd171b91882e0e4f321f8250ffecf4dbea00e114427d3ef96c1a\n\n# The same key as above, but without the parameters.\nPublicKey = DSA-1024-SPKI-No-Params\nType = DSA\nInput = 308192300906072a8648ce38040103818400028180258c30ebbb7f34fdc873ce679f6cea373c7886d75d4421b90920db034daedd292c64d8edd8cdbdd7f3ad23d74cfa2135247d0cef6ecf2e14f99e19d22a8c1266bd8fb8719c0e5667c716c45c7adbdabe548085bdad2dfee636f8d52fd6adb2193df6c4f0520fbd171b91882e0e4f321f8250ffecf4dbea00e114427d3ef96c1a\n\n# Private keys from RFC 8032.\nPrivateKey = Ed25519\nType = Ed25519\nInput = 302e020100300506032b6570042204209d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60\n\nPrivateKey = Ed25519-2\nType = Ed25519\nInput = 302e020100300506032b6570042204204ccd089b28ff96da9db6c346ec114e0f5b8a319f35aba624da8cf6ed4fb8a6fb\n\nPrivateKey = Ed25519-3\nType = Ed25519\nInput = 302e020100300506032b657004220420c5aa8df43f9f837bedb7442f31dcb7b166d38535076f094b85ce3a2e0b4458f7\n\nPrivateKey = Ed25519-4\nType = Ed25519\nInput = 302e020100300506032b657004220420f5e5767cf153319517630f226876b86c8160cc583bc013744c6bf255f5cc0ee5\n\nPrivateKey = Ed25519-5\nType = Ed25519\nInput = 302e020100300506032b657004220420833fe62409237b9d62ec77587520911e9a759cec1d19755b7da901b96dca3d42\n\n# Public keys from RFC 8032.\nPublicKey = Ed25519-SPKI\nType = Ed25519\nInput = 302a300506032b6570032100d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a\n\nPublicKey = Ed25519-SPKI-2\nType = Ed25519\nInput = 302a300506032b65700321003d4017c3e843895a92b70aa74d1b7ebc9c982ccf2ec4968cc0cd55f12af4660c\n\nPublicKey = Ed25519-SPKI-3\nType = Ed25519\nInput = 302a300506032b6570032100fc51cd8e6218a1a38da47ed00230f0580816ed13ba3303ac5deb911548908025\n\nPublicKey = Ed25519-SPKI-4\nType = Ed25519\nInput = 302a300506032b6570032100278117fc144c72340f67d0f2316e8386ceffbf2b2428c9c51fef7c597f1d426e\n\nPublicKey = Ed25519-SPKI-5\nType = Ed25519\nInput = 302a300506032b6570032100ec172b93ad5e563bf4932c70e1245034c35467ef2efd4d64ebf819683467e2bf\n\n# The first key, private and public, with invalid NULL parameters.\nPrivateKey = Ed25519-NULL\nInput = 3030020100300706032b65700500042204209d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60\nError = DECODE_ERROR\n\nPublicKey = Ed25519-SPKI-NULL\nInput = 302c300706032b65700500032100d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a\nError = DECODE_ERROR\n\n# Sample public key from draft-ietf-curdle-pkix-04.\nPublicKey = Ed25519-SPKI-Spec\nType = Ed25519\nInput = 302a300506032b657003210019bf44096984cdfe8541bac167dc3b96c85086aa30b6b6cb0c5c38ad703166e1\n\n# Sample private key from draft-ietf-curdle-pkix-04.\nPrivateKey = Ed25519-Spec\nType = Ed25519\nInput = 302e020100300506032b657004220420d4ee72dbf913584ad5b6d8f1f769f8ad3afe7c28cbf1d4fbe097a88f44755842\n\n\n# RSA tests\n\nSign = RSA-2048\nDigest = SHA1\nInput = \"0123456789ABCDEF1234\"\nOutput = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad\n\nVerify = RSA-2048\nDigest = SHA1\nInput = \"0123456789ABCDEF1234\"\nOutput = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad\n\nVerify = RSA-2048-SPKI\nDigest = SHA1\nInput = \"0123456789ABCDEF1234\"\nOutput = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad\n\n# Digest too long\nSign = RSA-2048\nDigest = SHA1\nInput = \"0123456789ABCDEF12345\"\nError = INVALID_MESSAGE_LENGTH\n\nVerify = RSA-2048\nDigest = SHA1\nInput = \"0123456789ABCDEF12345\"\nOutput = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db1",
"5dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad\nError = INVALID_MESSAGE_LENGTH\n\n# Digest too short\nSign = RSA-2048\nDigest = SHA1\nInput = \"0123456789ABCDEF123\"\nError = INVALID_MESSAGE_LENGTH\n\nVerify = RSA-2048\nDigest = SHA1\nInput = \"0123456789ABCDEF123\"\nOutput = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad\nError = INVALID_MESSAGE_LENGTH\n\n# Digest too large for key.\nSign = RSA-512\nDigest = SHA512\nInput = \"0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF\"\nError = DIGEST_TOO_BIG_FOR_RSA_KEY\n\n# Mismatched digest\nVerify = RSA-2048\nDigest = SHA1\nInput = \"0123456789ABCDEF1233\"\nOutput = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad\nError = BAD_SIGNATURE\n\n# Corrupted signature\nVerify = RSA-2048\nDigest = SHA1\nInput = \"0123456789ABCDEF1233\"\nOutput = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ae\nError = BLOCK_TYPE_IS_NOT_01\n\n# parameter missing (NOTE: this differs from upstream)\nVerify = RSA-2048\nDigest = SHA1\nInput = \"0123456789ABCDEF1234\"\nOutput = 3ec3fc29eb6e122bd7aa361cd09fe1bcbe85311096a7b9e4799cedfb2351ce0ab7fe4e75b4f6b37f67edd9c60c800f9ab941c0c157d7d880ca9de40c951d60fd293ae220d4bc510b1572d6e85a1bbbd8605b52e05f1c64fafdae59a1c2fbed214b7844d0134619de62851d5a0522e32e556e5950f3f97b8150e3f0dffee612c924201c27cd9bc8b423a71533380c276d3d59fcba35a2e80a1a192ec266a6c2255012cd86a349fe90a542b355fa3355b04da6cdf1df77f0e7bd44a90e880e1760266d233e465226f5db1c68857847d82072861ee266ddfc2e596845b77e1803274a579835ab5e4975d81d20b7df9cec7795489e4a2bdb8c1cf6a6b359945ac92c\nError = BAD_SIGNATURE\n\n# embedded digest too long\nVerify = RSA-2048\nDigest = SHA1\nInput = \"0123456789ABCDEF1234\"\nOutput = afec9a0d5330a08f54283bb4a9d4e7e7e70fc1342336c4c766fba713f66970151c6e27413c48c33864ea45a0238787004f338ed3e21b53b0fe9c1151c42c388cbc7cba5a06b706c407a5b48324fbe994dc7afc3a19fb3d2841e66222596c14cd72a0f0a7455a019d8eb554f59c0183f9552b75aa96fee8bf935945e079ca283d2bd3534a86f11351f6d6181fbf433e5b01a6d1422145c7a72214d3aacdd5d3af12b2d6bf6438f9f9a64010d8aeed801c87f0859412b236150b86a545f7239be022f4a7ad246b59df87514294cb4a4c7c5a997ee53c66054d9f38ca4e76c1f7af83c30f737ef70f83a45aebe18238ddb95e1998814ca4fc72388f1533147c169d\nError = BAD_SIGNATURE\n\n# embedded digest too short\nVerify = RSA-2048\nDigest = SHA1\nInput = \"0123456789ABCDEF1234\"\nOutput = afec9a0d5330a08f54283bb4a9d4e7e7e70fc1342336c4c766fba713f66970151c6e27413c48c33864ea45a0238787004f338ed3e21b53b0fe9c1151c42c388cbc7cba5a06b706c407a5b48324fbe994dc7afc3a19fb3d2841e66222596c14cd72a0f0a7455a019d8eb554f59c0183f9552b75aa96fee8bf935945e079ca283d2bd3534a86f11351f6d6181fbf433e5b01a6d1422145c7a72214d3aacdd5d3af12b2d6bf6438f9f9a64010d8aeed801c87f0859412b236150b86a545f7239be022f4a7ad246b59df87514294cb4a4c7c5a997ee53c66054d9f38ca4e76c1f7af83c30f737ef70f83a45aebe18238ddb95e1998814ca4fc72388f1533147c169d\nError = BAD_SIGNATURE\n\n# Garbage after DigestInfo\nVerify = RSA-2048\nDigest = SHA1\nInput = \"0123456789ABCDEF1234\"\nOutput = 9ee34872d4271a7d8808af0a4052a145a6d6a8437d00da3ed14428c7f087cd39f4d43334c41af63e7fa1ba363fee7bcef401d9d36a662abbab55ce89a696e1be0dfa19a5d09ca617dd488787b6048baaefeb29bc8688b2fe3882de2b77c905b5a8b56cf9616041e5ec934ba6de863efe93acc4eef783fe7f72a00fa65d6093ed32bf98ce527e62ccb1d56317f4be18b7e0f55d7c36617d2d0678a306e3350956b662ac15df45215dd8f6b314babb9788e6c272fa461e4c9b512a11a4b92bc77c3a4c95c903fccb238794eca5c750477bf56ea6ee6a167367d881b485ae3889e7c489af8fdf38e0c0f2aed780831182e34abedd43c39281b290774bf35cc25274\nError = BAD_SIGNATURE\n\n# invalid tag for parameter\nVerify = RSA-2048\nDigest = SHA1\nInput = \"0123456789ABCDEF1234\"\nOutput = 49525db4d44c755e560cba980b1d85ea604b0e077fcadd4ba44072a3487bbddb835016200a7d8739cce2dc3223d9c20cbdd25059ab02277f1f21318efd18e21038ec89aa9d40680987129e8b41ba33bceb86518bdf47268b921cce2037acabca6575d832499538d6f40cdba0d40bd7f4d8ea6ca6e2eec87f294efc971407857f5d7db09f6a7b31e301f571c6d82a5e3d08d2bb3a36e673d28b910f5bec57f0fcc4d968fd7c94d0b9226dec17f5192ad8b42bcab6f26e1bea1fdc3b958199acb00f14ebcb2a352f3afcedd4c09000128a603bbeb9696dea13040445253972d46237a25c7845e3b464e6984c2348ea1f1210a9ff0b00d2d72b50db00c009bb39f9\nError = BAD_SIGNATURE\n\n\n# RSA-PSS tests.\n\n# Zero salt length makes the output deterministic\nSign = RSA-2048\nRSAPadding = PSS\nPSSSaltLength = 0\nDigest = SHA256\nInput = \"0123456789ABCDEF0123456789ABCDEF\"\nOutput = 4de433d5844043ef08d354da03cb29068780d52706d7d1e4d50efb7d58c9d547d83a747ddd0635a96b28f854e50145518482cb49e963054621b53c60c498d07c16e9c2789c893cf38d4d86900de71bde463bd2761d1271e358c7480a1ac0bab930ddf39602ad1bc165b5d7436b516b7a7858e8eb7ab1c420eeb482f4d207f0e462b1724959320a084e13848d11d10fb593e66bf680bf6d3f345fc3e9c3de60abbac37e1c6ec80a268c8d9fc49626c679097aa690bc1aa662b95eb8db70390861aa0898229f9349b4b5fdd030d4928c47084708a933144be23bd3c6e661b85b2c0ef9ed36d498d5b7320e8194d363d4ad478c059bae804181965e0b81b663158a\n\n# Verify of above signature\nVerify = RSA-2048-SPKI\nRSAPadding = PSS\nPSSSaltLength = 0\nDigest = SHA256\nInput = \"0123456789ABCDEF0123456789ABCDEF\"\nOutput = 4de433d5844043ef08d354da03cb29068780d52706d7d1e4d50efb7d58c9d547d83a747ddd0635a96b28f854e50145518482cb49e963054621b53c60c498d07c16e9c2789c893cf38d4d86900de71bde463bd2761d1271e358c7480a1ac0bab930ddf39602ad1bc165b5d7436b516b7a7858e8eb7ab1c420eeb482f4d207f0e462b1724959320a084e13848d11d10fb593e66bf680bf6d3f345fc3e9c3de60abbac37e1c6ec80a268c8d9fc49626c679097aa690bc1aa662b95eb8db70390861aa0898229f9349b4b5fdd030d4928c47084708a933144be23bd3c6e661b85b2c0ef9ed36d498d5b7320e8194d363d4ad478c059bae804181965e0b81b663158a\n\n# Auto-detected salt length\nVerify = RSA-2048-SPKI\nRSAPadding = PSS\nPSSSaltLength = -2\nDigest = SHA256\nInput = \"0123456789ABCDEF0123456789ABCDEF\"\nOutput = 4de433d5844043ef08d354da03cb29068780d52706d7d1e4d50efb7d58c9d547d83a747ddd0635a96b28f854e50145518482cb49e963054621b53c60c498d07c16e9c2789c893cf38d4d86900de71bde463bd2761d1271e358c7480a1ac0bab930ddf39602ad1bc165b5d7436b516b7a7858e8eb7ab1c420eeb482f4d207f0e462b1724959320a084e13848d11d10fb593e66bf680bf6d3f345fc3e9c3de60abbac37e1c6ec80a268c8d9fc49626c679097aa690bc1aa662b95eb8db70390861aa0898229f9349b4b5fdd030d4928c47084708a933144be23bd3c6e661b85b2c0ef9ed36d498d5b7320e8194d363d4ad478c059bae804181965e0b81b663158a\n\n# Wrong digest\nVerify = RSA-2048-SPKI\nRSAPadding = PSS\nPSSSaltLength = 0\nDigest = SHA256\nInput = \"00000000000000000000000000000000\"\nOutput = 4de433d5844043ef08d354da03cb29068780d52706d7d1e4d50efb7d58c9d547d83a747ddd0635a96b28f854e50145518482cb49e963054621b53c60c498d07c16e9c2789c893cf38d4d86900de71bde463bd2761d1271e358c7480a1ac0bab930ddf39602ad1bc165b5d7436b516b7a7858e8eb7ab1c420eeb482f4d207f0e462b1724959320a084e13",
- "848d11d10fb593e66bf680bf6d3f345fc3e9c3de60abbac37e1c6ec80a268c8d9fc49626c679097aa690bc1aa662b95eb8db70390861aa0898229f9349b4b5fdd030d4928c47084708a933144be23bd3c6e661b85b2c0ef9ed36d498d5b7320e8194d363d4ad478c059bae804181965e0b81b663158a\nError = BAD_SIGNATURE\n\n# Digest too short\nVerify = RSA-2048-SPKI\nRSAPadding = PSS\nPSSSaltLength = 0\nDigest = SHA256\nInput = \"0123456789ABCDEF0123456789ABCDE\"\nOutput = 4de433d5844043ef08d354da03cb29068780d52706d7d1e4d50efb7d58c9d547d83a747ddd0635a96b28f854e50145518482cb49e963054621b53c60c498d07c16e9c2789c893cf38d4d86900de71bde463bd2761d1271e358c7480a1ac0bab930ddf39602ad1bc165b5d7436b516b7a7858e8eb7ab1c420eeb482f4d207f0e462b1724959320a084e13848d11d10fb593e66bf680bf6d3f345fc3e9c3de60abbac37e1c6ec80a268c8d9fc49626c679097aa690bc1aa662b95eb8db70390861aa0898229f9349b4b5fdd030d4928c47084708a933144be23bd3c6e661b85b2c0ef9ed36d498d5b7320e8194d363d4ad478c059bae804181965e0b81b663158a\nError = INVALID_MESSAGE_LENGTH\n\n# Digest too long\nVerify = RSA-2048-SPKI\nRSAPadding = PSS\nPSSSaltLength = 0\nDigest = SHA256\nInput = \"0123456789ABCDEF0123456789ABCDEF0\"\nOutput = 4de433d5844043ef08d354da03cb29068780d52706d7d1e4d50efb7d58c9d547d83a747ddd0635a96b28f854e50145518482cb49e963054621b53c60c498d07c16e9c2789c893cf38d4d86900de71bde463bd2761d1271e358c7480a1ac0bab930ddf39602ad1bc165b5d7436b516b7a7858e8eb7ab1c420eeb482f4d207f0e462b1724959320a084e13848d11d10fb593e66bf680bf6d3f345fc3e9c3de60abbac37e1c6ec80a268c8d9fc49626c679097aa690bc1aa662b95eb8db70390861aa0898229f9349b4b5fdd030d4928c47084708a933144be23bd3c6e661b85b2c0ef9ed36d498d5b7320e8194d363d4ad478c059bae804181965e0b81b663158a\nError = INVALID_MESSAGE_LENGTH\n\n# Wrong salt length\nVerify = RSA-2048\nRSAPadding = PSS\nPSSSaltLength = 2\nDigest = SHA256\nInput = \"0123456789ABCDEF0123456789ABCDEF\"\nOutput = 4de433d5844043ef08d354da03cb29068780d52706d7d1e4d50efb7d58c9d547d83a747ddd0635a96b28f854e50145518482cb49e963054621b53c60c498d07c16e9c2789c893cf38d4d86900de71bde463bd2761d1271e358c7480a1ac0bab930ddf39602ad1bc165b5d7436b516b7a7858e8eb7ab1c420eeb482f4d207f0e462b1724959320a084e13848d11d10fb593e66bf680bf6d3f345fc3e9c3de60abbac37e1c6ec80a268c8d9fc49626c679097aa690bc1aa662b95eb8db70390861aa0898229f9349b4b5fdd030d4928c47084708a933144be23bd3c6e661b85b2c0ef9ed36d498d5b7320e8194d363d4ad478c059bae804181965e0b81b663158a\nError = SLEN_CHECK_FAILED\n\n# Wrong salt length using implicit hash length\nVerify = RSA-2048\nRSAPadding = PSS\nPSSSaltLength = -1\nDigest = SHA256\nInput = \"0123456789ABCDEF0123456789ABCDEF\"\nOutput = 4de433d5844043ef08d354da03cb29068780d52706d7d1e4d50efb7d58c9d547d83a747ddd0635a96b28f854e50145518482cb49e963054621b53c60c498d07c16e9c2789c893cf38d4d86900de71bde463bd2761d1271e358c7480a1ac0bab930ddf39602ad1bc165b5d7436b516b7a7858e8eb7ab1c420eeb482f4d207f0e462b1724959320a084e13848d11d10fb593e66bf680bf6d3f345fc3e9c3de60abbac37e1c6ec80a268c8d9fc49626c679097aa690bc1aa662b95eb8db70390861aa0898229f9349b4b5fdd030d4928c47084708a933144be23bd3c6e661b85b2c0ef9ed36d498d5b7320e8194d363d4ad478c059bae804181965e0b81b663158a\nError = SLEN_CHECK_FAILED\n\n# Wrong MGF1 digest, SHA-1\nVerify = RSA-2048\nRSAPadding = PSS\nPSSSaltLength = 0\nDigest = SHA256\nMGF1Digest = SHA1\nInput = \"0123456789ABCDEF0123456789ABCDEF\"\nOutput = 4de433d5844043ef08d354da03cb29068780d52706d7d1e4d50efb7d58c9d547d83a747ddd0635a96b28f854e50145518482cb49e963054621b53c60c498d07c16e9c2789c893cf38d4d86900de71bde463bd2761d1271e358c7480a1ac0bab930ddf39602ad1bc165b5d7436b516b7a7858e8eb7ab1c420eeb482f4d207f0e462b1724959320a084e13848d11d10fb593e66bf680bf6d3f345fc3e9c3de60abbac37e1c6ec80a268c8d9fc49626c679097aa690bc1aa662b95eb8db70390861aa0898229f9349b4b5fdd030d4928c47084708a933144be23bd3c6e661b85b2c0ef9ed36d498d5b7320e8194d363d4ad478c059bae804181965e0b81b663158a\n# If SHA-1, this input happens to succeed recovering a salt length, but it does\n# not match.\nError = SLEN_CHECK_FAILED\n\n# Wrong MGF1 digest, SHA-384\nVerify = RSA-2048\nRSAPadding = PSS\nPSSSaltLength = 0\nDigest = SHA256\nMGF1Digest = SHA384\nInput = \"0123456789ABCDEF0123456789ABCDEF\"\nOutput = 4de433d5844043ef08d354da03cb29068780d52706d7d1e4d50efb7d58c9d547d83a747ddd0635a96b28f854e50145518482cb49e963054621b53c60c498d07c16e9c2789c893cf38d4d86900de71bde463bd2761d1271e358c7480a1ac0bab930ddf39602ad1bc165b5d7436b516b7a7858e8eb7ab1c420eeb482f4d207f0e462b1724959320a084e13848d11d10fb593e66bf680bf6d3f345fc3e9c3de60abbac37e1c6ec80a268c8d9fc49626c679097aa690bc1aa662b95eb8db70390861aa0898229f9349b4b5fdd030d4928c47084708a933144be23bd3c6e661b85b2c0ef9ed36d498d5b7320e8194d363d4ad478c059bae804181965e0b81b663158a\n# If SHA-384, this input happens fail to recover the salt length altogether.\nError = SLEN_RECOVERY_FAILED\n\n# The salt length is too large for the modulus (signing).\nSign = RSA-2048\nRSAPadding = PSS\nPSSSaltLength = 223\nDigest = SHA256\nInput = \"0123456789ABCDEF0123456789ABCDEF\"\nError = DATA_TOO_LARGE_FOR_KEY_SIZE\n\n# The salt length is too large for the modulus (verifying).\nVerify = RSA-2048\nRSAPadding = PSS\nPSSSaltLength = 223\nDigest = SHA256\nInput = \"0123456789ABCDEF0123456789ABCDEF\"\nOutput = 4de433d5844043ef08d354da03cb29068780d52706d7d1e4d50efb7d58c9d547d83a747ddd0635a96b28f854e50145518482cb49e963054621b53c60c498d07c16e9c2789c893cf38d4d86900de71bde463bd2761d1271e358c7480a1ac0bab930ddf39602ad1bc165b5d7436b516b7a7858e8eb7ab1c420eeb482f4d207f0e462b1724959320a084e13848d11d10fb593e66bf680bf6d3f345fc3e9c3de60abbac37e1c6ec80a268c8d9fc49626c679097aa690bc1aa662b95eb8db70390861aa0898229f9349b4b5fdd030d4928c47084708a933144be23bd3c6e661b85b2c0ef9ed36d498d5b7320e8194d363d4ad478c059bae804181965e0b81b663158a\nError = DATA_TOO_LARGE\n\n# The hash is too large for the modulus (signing).\nSign = RSA-512\nRSAPadding = PSS\nPSSSaltLength = 0\nDigest = SHA512\nInput = \"0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF\"\nError = DATA_TOO_LARGE_FOR_KEY_SIZE\n\nSign = RSA-512\nRSAPadding = PSS\nPSSSaltLength = -2\nDigest = SHA512\nInput = \"0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF\"\nError = DATA_TOO_LARGE_FOR_KEY_SIZE\n\n# The hash is too large for the modulus (verifying).\nVerify = RSA-512\nRSAPadding = PSS\nPSSSaltLength = 0\nDigest = SHA512\nInput = \"0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF\"\nOutput = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\nError = DATA_TOO_LARGE\n\nVerify = RSA-512\nRSAPadding = PSS\nPSSSaltLength = -2\nDigest = SHA512\nInput = \"0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF\"\nOutput = 457001d9ca50a93385fc5ec721c9dbbe7a0f2e9e4a2f846a30a8811dde66347b83901c7492039243537c7a667fafffd69049bcbd36afd0010d9b425e2d8785c1\nError = DATA_TOO_LARGE\n\n# Sample RSA-515 signature.\nVerify = RSA-515\nRSAPadding = PSS\nPSSSaltLength = 0\nDigest = SHA256\nInput = \"0123456789ABCDEF0123456789ABCDEF\"\nOutput = 00c5926600f160f85e7fe950cfe123908384211cd8fe25c90cb8e8cc0593308e9aa2efe3acbf100ec1658ded8f72f506525fc2c44f06251b08d896e7bb3f05b135\n\n# The above, but with too few leading zeros.\nVerify = RSA-515\nRSAPadding = PSS\nPSSSaltLength = 0\nDigest = SHA256\nInput = \"0123456789ABCDEF0123456789ABCDEF\"\nOutput = c5926600f160f85e7fe950cfe123908384211cd8fe25c90cb8e8cc0593308e9aa2efe3acbf100ec1658ded8f72f506525fc2c44f06251b08d896e7bb3f05b135\nError = DATA_LEN_NOT_EQUAL_TO_MOD_LEN\n\n# The above, but with too many leading zeros.\nVerify = RSA-515\nRSAPadding = PSS\nPSSSaltLength = 0\nDigest = SHA256\nInput = \"0123456789ABCDEF0123456789ABCDEF\"\nOutput = 0000c5926600f160f85e7fe950cfe123908384211cd8fe25c90cb8e8cc0593308e9aa2efe3acbf100ec1658ded8f72f506525fc2c44f06251b08d896e7bb3f05b135\nError = DATA_LEN_NOT_EQUAL_TO_MOD_LEN\n\n# The above with an invalid leading byte. The top few bits of EM are required to\n# be cleared.\nVerify = RSA-515\nRSAPadding = PSS\nPSSSaltLength = 0\nDigest = SHA256\nInput = \"0123456789ABCDEF0123456789ABCDEF\"\nOutput = 007f803c832a2090aea04013d9fa9c1630732a1625232826d235f0950f7050d3fb0eb06ef9ea8b260fad68e1165a2d770a8c7fc7a8aaa68620b021fc19c97e0041\nError = FIRST_OCTET_INVALID\n\n# The above with an invalid trailing byte.\nVerify = RSA-515\nRSAPadding = PSS\nPSSSaltLength = 0\nDigest = SHA256\nInput = \"0123456789ABCDEF0123456789ABCDEF\"\nOutput = 03e68555035891eb08d96c0967db22328cd892ad2856d88516ecb946bfdba732bb029b5c0dfa2119ed7349",
- "897d2324e95e86d91d0c4afc82700a36db8933abbf58\nError = LAST_OCTET_INVALID\n\n# Non-zero salt length.\nVerify = RSA-2048-SPKI\nRSAPadding = PSS\nPSSSaltLength = 32\nDigest = SHA256\nInput = \"0123456789ABCDEF0123456789ABCDEF\"\nOutput = 4065b284b0a6e98d4c41a8427007f878d8dd61599c87764fa79b8bf03f030c48127a4b1a5af5a6e0cf9055e57a1f47e5b0c0d8c600e78369cf1c39374899fac91a812692aa2216ba10900ce85a5cf7fddcafb726e4b83479c5bb7b3b84b08ffe183b4c2973aa3193ec7b7d4ea73bf1b579c6657b78ad7800e1975a4838c28ffe353fafef96be27b5c69677760a71b6f4df65ba6fe6b3565580a536f966928294c6e9ece807a90c1477779bcbfa3a250e98d685097c162c1c8c56ab02bd2e16eec7a019b51c067bdba7fa8cd5460796e22c607a8b6d12e1deb9be51c6943c46590f416800c48bb4cbb8c409d316573e59eadf7d3b9e6e5c2d0e570692e511e139\n\n# Non-zero salt length, wrong salt length.\nVerify = RSA-2048-SPKI\nRSAPadding = PSS\nPSSSaltLength = 31\nDigest = SHA256\nInput = \"0123456789ABCDEF0123456789ABCDEF\"\nOutput = 4065b284b0a6e98d4c41a8427007f878d8dd61599c87764fa79b8bf03f030c48127a4b1a5af5a6e0cf9055e57a1f47e5b0c0d8c600e78369cf1c39374899fac91a812692aa2216ba10900ce85a5cf7fddcafb726e4b83479c5bb7b3b84b08ffe183b4c2973aa3193ec7b7d4ea73bf1b579c6657b78ad7800e1975a4838c28ffe353fafef96be27b5c69677760a71b6f4df65ba6fe6b3565580a536f966928294c6e9ece807a90c1477779bcbfa3a250e98d685097c162c1c8c56ab02bd2e16eec7a019b51c067bdba7fa8cd5460796e22c607a8b6d12e1deb9be51c6943c46590f416800c48bb4cbb8c409d316573e59eadf7d3b9e6e5c2d0e570692e511e139\nError = SLEN_CHECK_FAILED\n\n# Non-zero salt length, match hash length.\nVerify = RSA-2048-SPKI\nRSAPadding = PSS\nPSSSaltLength = -1\nDigest = SHA256\nInput = \"0123456789ABCDEF0123456789ABCDEF\"\nOutput = 4065b284b0a6e98d4c41a8427007f878d8dd61599c87764fa79b8bf03f030c48127a4b1a5af5a6e0cf9055e57a1f47e5b0c0d8c600e78369cf1c39374899fac91a812692aa2216ba10900ce85a5cf7fddcafb726e4b83479c5bb7b3b84b08ffe183b4c2973aa3193ec7b7d4ea73bf1b579c6657b78ad7800e1975a4838c28ffe353fafef96be27b5c69677760a71b6f4df65ba6fe6b3565580a536f966928294c6e9ece807a90c1477779bcbfa3a250e98d685097c162c1c8c56ab02bd2e16eec7a019b51c067bdba7fa8cd5460796e22c607a8b6d12e1deb9be51c6943c46590f416800c48bb4cbb8c409d316573e59eadf7d3b9e6e5c2d0e570692e511e139\n\n# Non-zero salt length, auto-detected.\nVerify = RSA-2048-SPKI\nRSAPadding = PSS\nPSSSaltLength = -2\nDigest = SHA256\nInput = \"0123456789ABCDEF0123456789ABCDEF\"\nOutput = 4065b284b0a6e98d4c41a8427007f878d8dd61599c87764fa79b8bf03f030c48127a4b1a5af5a6e0cf9055e57a1f47e5b0c0d8c600e78369cf1c39374899fac91a812692aa2216ba10900ce85a5cf7fddcafb726e4b83479c5bb7b3b84b08ffe183b4c2973aa3193ec7b7d4ea73bf1b579c6657b78ad7800e1975a4838c28ffe353fafef96be27b5c69677760a71b6f4df65ba6fe6b3565580a536f966928294c6e9ece807a90c1477779bcbfa3a250e98d685097c162c1c8c56ab02bd2e16eec7a019b51c067bdba7fa8cd5460796e22c607a8b6d12e1deb9be51c6943c46590f416800c48bb4cbb8c409d316573e59eadf7d3b9e6e5c2d0e570692e511e139\n\n\n# RSA decrypt\n\nDecrypt = RSA-2048\nInput = 550af55a2904e7b9762352f8fb7fa235a9cb053aacb2d5fcb8ca48453cb2ee3619746c701abf2d4cc67003471a187900b05aa812bd25ed05c675dfc8c97a24a7bf49bd6214992cad766d05a9a2b57b74f26a737e0237b8b76c45f1f226a836d7cfbc75ba999bdbe48dbc09227aa46c88f21dccba7840141ad5a5d71fd122e6bd6ac3e564780dfe623fc1ca9b995a6037bf0bbd43b205a84ac5444f34202c05ce9113087176432476576de6ffff9a52ea57c08be3ec2f49676cb8e12f762ac71fa3c321e00ac988910c85ff52f93825666ce0d40ffaa0592078919d4493f46d95ccf76364c6d57760dd0b64805f9afc76a2365a5575ca301d5103f0ea76cb9a78\nOutput = \"Hello World\"\n\n# Corrupted ciphertext\nDecrypt = RSA-2048\nInput = 550af55a2904e7b9762352f8fb7fa235a9cb053aacb2d5fcb8ca48453cb2ee3619746c701abf2d4cc67003471a187900b05aa812bd25ed05c675dfc8c97a24a7bf49bd6214992cad766d05a9a2b57b74f26a737e0237b8b76c45f1f226a836d7cfbc75ba999bdbe48dbc09227aa46c88f21dccba7840141ad5a5d71fd122e6bd6ac3e564780dfe623fc1ca9b995a6037bf0bbd43b205a84ac5444f34202c05ce9113087176432476576de6ffff9a52ea57c08be3ec2f49676cb8e12f762ac71fa3c321e00ac988910c85ff52f93825666ce0d40ffaa0592078919d4493f46d95ccf76364c6d57760dd0b64805f9afc76a2365a5575ca301d5103f0ea76cb9a79\nError = PKCS_DECODING_ERROR\n\n# OAEP padding\nDecrypt = RSA-2048\nRSAPadding = OAEP\nInput = 458708dfbd42a1297ce7a9c86c7087ab80b1754810929b89c5107ca55368587686986fce94d86cc1595b3fb736223a656ec0f34d18ba1cc5665593610f56c58e26b272d584f3d983a5c91085700755aebd921fb280bba3eda7046ec07b43e7298e52d59edc92be4639a8ce08b2f85976ecf6d98cc469eeb9d5d8e2a32ea8a6626edafe1038b3df455668a9f3c77cad8b92fb872e00058c3d2a7ede1a1f03fc5622084ae04d9d24f6bf0995c58d35b93b699b9763595e123f2ab0863cc9229eb290e2ede7715c7a8f39e0b9a3e2e1b56ebb62f1cbfbb5986fb212ebd785b83d01d968b11d1756c7337f70c1f1a63bff03608e24f3a2fd44e67f832a8701c5d5af\nOutput = \"Hello World\"\n\n# OAEP padding, corrupted ciphertext\nDecrypt = RSA-2048\nRSAPadding = OAEP\nInput = 458708dfbd42a1297ce7a9c86c7087ab80b1754810929b89c5107ca55368587686986fce94d86cc1595b3fb736223a656ec0f34d18ba1cc5665593610f56c58e26b272d584f3d983a5c91085700755aebd921fb280bba3eda7046ec07b43e7298e52d59edc92be4639a8ce08b2f85976ecf6d98cc469eeb9d5d8e2a32ea8a6626edafe1038b3df455668a9f3c77cad8b92fb872e00058c3d2a7ede1a1f03fc5622084ae04d9d24f6bf0995c58d35b93b699b9763595e123f2ab0863cc9229eb290e2ede7715c7a8f39e0b9a3e2e1b56ebb62f1cbfbb5986fb212ebd785b83d01d968b11d1756c7337f70c1f1a63bff03608e24f3a2fd44e67f832a8701c5d5ac\nError = OAEP_DECODING_ERROR\n\n\n# EC tests\n\nVerify = P-256\nDigest = SHA1\nInput = \"0123456789ABCDEF1234\"\nOutput = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8\n\nVerify = P-256-SPKI\nDigest = SHA1\nInput = \"0123456789ABCDEF1234\"\nOutput = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8\n\n# Digest too long\nVerify = P-256\nDigest = SHA1\nInput = \"0123456789ABCDEF12345\"\nOutput = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8\nError = BAD_SIGNATURE\n\n# Digest too short\nVerify = P-256\nDigest = SHA1\nInput = \"0123456789ABCDEF123\"\nOutput = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8\nError = BAD_SIGNATURE\n\n# Digest invalid\nVerify = P-256\nDigest = SHA1\nInput = \"0123456789ABCDEF1235\"\nOutput = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8\nError = BAD_SIGNATURE\n\n# Invalid signature\nVerify = P-256\nDigest = SHA1\nInput = \"0123456789ABCDEF1234\"\nOutput = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec7\nError = BAD_SIGNATURE\n\n# Garbage after signature\nVerify = P-256\nDigest = SHA1\nInput = \"0123456789ABCDEF1234\"\nOutput = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec800\nError = BAD_SIGNATURE\n\n# BER signature\nVerify = P-256\nDigest = SHA1\nInput = \"0123456789ABCDEF1234\"\nOutput = 3080022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec80000\nError = BAD_SIGNATURE\n\n\n# Additional RSA-PSS and RSA-OAEP tests converted from\n# ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip\n\nPublicKey = RSA-PSS-1\nType = RSA\nInput = 30819f300d06092a864886f70d010101050003818d0030818902818100a56e4a0e701017589a5187dc7ea841d156f2ec0e36ad52a44dfeb1e61f7ad991d8c51056ffedb162b4c0f283a12a88a394dff526ab7291cbb307ceabfce0b1dfd5cd9508096d5b2b8b6df5d671ef6377c0921cb23c270a70e2598e6ff89d19f105acc2d3f0cb35f29280e1386b6f64c4ef22e1e1f20d0ce8cffb2249bd9a21370203010001\n\nVerify = RSA-PSS-1\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = cd8b6538cb8e8de566b68bd067569dbf1ee2718e\nOutput = 9074308fb598e9701b2294388e52f971faac2b60a5145af185df5287b5ed2887e57ce7fd44dc8634e407c8e0e4360bc226f3ec227f9d9e54638e8d31f5051215df6ebb9c2f9579aa77598a38f914b5b9c1bd83c4e2f9f382a0d0aa3542ffee65984a601bc69eb28deb27dca12c82c2d4c3f66cd500f1ff2b994d8a4e30cbb33c\n\nVerify = RSA-PSS-1\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = e35befc17a1d160b9ce35fbd8eb16e7ee491d3fd\nOutput = 3ef7f46e831bf92b32274142a585ffcefbdca7b32a",
- "e90d10fb0f0c729984f04ef29a9df0780775ce43739b97838390db0a5505e63de927028d9d29b219ca2c4517832558a55d694a6d25b9dab66003c4cccd907802193be5170d26147d37b93590241be51c25055f47ef62752cfbe21418fafe98c22c4d4d47724fdb5669e843\n\nVerify = RSA-PSS-1\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 0652ec67bcee30f9d2699122b91c19abdba89f91\nOutput = 666026fba71bd3e7cf13157cc2c51a8e4aa684af9778f91849f34335d141c00154c4197621f9624a675b5abc22ee7d5baaffaae1c9baca2cc373b3f33e78e6143c395a91aa7faca664eb733afd14d8827259d99a7550faca501ef2b04e33c23aa51f4b9e8282efdb728cc0ab09405a91607c6369961bc8270d2d4f39fce612b1\n\nVerify = RSA-PSS-1\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 39c21c4cceda9c1adf839c744e1212a6437575ec\nOutput = 4609793b23e9d09362dc21bb47da0b4f3a7622649a47d464019b9aeafe53359c178c91cd58ba6bcb78be0346a7bc637f4b873d4bab38ee661f199634c547a1ad8442e03da015b136e543f7ab07c0c13e4225b8de8cce25d4f6eb8400f81f7e1833b7ee6e334d370964ca79fdb872b4d75223b5eeb08101591fb532d155a6de87\n\nVerify = RSA-PSS-1\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 36dae913b77bd17cae6e7b09453d24544cebb33c\nOutput = 1d2aad221ca4d31ddf13509239019398e3d14b32dc34dc5af4aeaea3c095af73479cf0a45e5629635a53a018377615b16cb9b13b3e09d671eb71e387b8545c5960da5a64776e768e82b2c93583bf104c3fdb23512b7b4e89f633dd0063a530db4524b01c3f384c09310e315a79dcd3d684022a7f31c865a664e316978b759fad\n\nVerify = RSA-PSS-1\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 45eef191f4f79c31fe5d2ede7e5098994e929d2d\nOutput = 2a34f6125e1f6b0bf971e84fbd41c632be8f2c2ace7de8b6926e31ff93e9af987fbc06e51e9be14f5198f91f3f953bd67da60a9df59764c3dc0fe08e1cbef0b75f868d10ad3fba749fef59fb6dac46a0d6e504369331586f58e4628f39aa278982543bc0eeb537dc61958019b394fb273f215858a0a01ac4d650b955c67f4c58\n\nPublicKey = RSA-PSS-2\nType = RSA\nInput = 30819f300d06092a864886f70d010101050003818d0030818902818101d40c1bcf97a68ae7cdbd8a7bf3e34fa19dcca4ef75a47454375f94514d88fed006fb829f8419ff87d6315da68a1ff3a0938e9abb3464011c303ad99199cf0c7c7a8b477dce829e8844f625b115e5e9c4a59cf8f8113b6834336a2fd2689b472cbb5e5cabe674350c59b6c17e176874fb42f8fc3d176a017edc61fd326c4b33c90203010001\n\nVerify = RSA-PSS-2\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 5c81a3e2a658246628cd0ee8b00bb4c012bc9739\nOutput = 014c5ba5338328ccc6e7a90bf1c0ab3fd606ff4796d3c12e4b639ed9136a5fec6c16d8884bdd99cfdc521456b0742b736868cf90de099adb8d5ffd1deff39ba4007ab746cefdb22d7df0e225f54627dc65466131721b90af445363a8358b9f607642f78fab0ab0f43b7168d64bae70d8827848d8ef1e421c5754ddf42c2589b5b3\n\nVerify = RSA-PSS-2\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 27f71611446aa6eabf037f7dedeede3203244991\nOutput = 010991656cca182b7f29d2dbc007e7ae0fec158eb6759cb9c45c5ff87c7635dd46d150882f4de1e9ae65e7f7d9018f6836954a47c0a81a8a6b6f83f2944d6081b1aa7c759b254b2c34b691da67cc0226e20b2f18b42212761dcd4b908a62b371b5918c5742af4b537e296917674fb914194761621cc19a41f6fb953fbcbb649dea\n\nVerify = RSA-PSS-2\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 03ecc2c33e93f05fc7224fcc0d461356cb897217\nOutput = 007f0030018f53cdc71f23d03659fde54d4241f758a750b42f185f87578520c30742afd84359b6e6e8d3ed959dc6fe486bedc8e2cf001f63a7abe16256a1b84df0d249fc05d3194ce5f0912742dbbf80dd174f6c51f6bad7f16cf3364eba095a06267dc3793803ac7526aebe0a475d38b8c2247ab51c4898df7047dc6adf52c6c4\n\nVerify = RSA-PSS-2\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 246c727b4b9494849dddb068d582e179ac20999c\nOutput = 009cd2f4edbe23e12346ae8c76dd9ad3230a62076141f16c152ba18513a48ef6f010e0e37fd3df10a1ec629a0cb5a3b5d2893007298c30936a95903b6ba85555d9ec3673a06108fd62a2fda56d1ce2e85c4db6b24a81ca3b496c36d4fd06eb7c9166d8e94877c42bea622b3bfe9251fdc21d8d5371badad78a488214796335b40b\n\nVerify = RSA-PSS-2\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = e8617ca3ea66ce6a58ede2d11af8c3ba8a6ba912\nOutput = 00ec430824931ebd3baa43034dae98ba646b8c36013d1671c3cf1cf8260c374b19f8e1cc8d965012405e7e9bf7378612dfcc85fce12cda11f950bd0ba8876740436c1d2595a64a1b32efcfb74a21c873b3cc33aaf4e3dc3953de67f0674c0453b4fd9f604406d441b816098cb106fe3472bc251f815f59db2e4378a3addc181ecf\n\nVerify = RSA-PSS-2\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 7a6fdc1a4e434ecbc35d657ad49a2f4fafd43bc8\nOutput = 00475b1648f814a8dc0abdc37b5527f543b666bb6e39d30e5b49d3b876dccc58eac14e32a2d55c2616014456ad2f246fc8e3d560da3ddf379a1c0bd200f10221df078c219a151bc8d4ec9d2fc2564467811014ef15d8ea01c2ebbff8c2c8efab38096e55fcbe3285c7aa558851254faffa92c1c72b78758663ef4582843139d7a6\n\nPublicKey = RSA-PSS-3\nType = RSA\nInput = 30819f300d06092a864886f70d010101050003818d0030818902818102f246ef451ed3eebb9a310200cc25859c048e4be798302991112eb68ce6db674e280da21feded1ae74880ca522b18db249385012827c515f0e466a1ffa691d98170574e9d0eadb087586ca48933da3cc953d95bd0ed50de10ddcb6736107d6c831c7f663e833ca4c097e700ce0fb945f88fb85fe8e5a773172565b914a471a4430203010001\n\nVerify = RSA-PSS-3\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 3552be69dd74bdc56d2cf8c38ef7bafe269040fe\nOutput = 0088b135fb1794b6b96c4a3e678197f8cac52b64b2fe907d6f27de761124964a99a01a882740ecfaed6c01a47464bb05182313c01338a8cd097214cd68ca103bd57d3bc9e816213e61d784f182467abf8a01cf253e99a156eaa8e3e1f90e3c6e4e3aa2d83ed0345b89fafc9c26077c14b6ac51454fa26e446e3a2f153b2b16797f\n\nVerify = RSA-PSS-3\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 609143ff7240e55c062aba8b9e4426a781919bc9\nOutput = 02a5f0a858a0864a4f65017a7d69454f3f973a2999839b7bbc48bf78641169179556f595fa41f6ff18e286c2783079bc0910ee9cc34f49ba681124f923dfa88f426141a368a5f5a930c628c2c3c200e18a7644721a0cbec6dd3f6279bde3e8f2be5e2d4ee56f97e7ceaf33054be7042bd91a63bb09f897bd41e81197dee99b11af\n\nVerify = RSA-PSS-3\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 0afd22f879a9cda7c584f4135f8f1c961db114c0\nOutput = 0244bcd1c8c16955736c803be401272e18cb990811b14f72db964124d5fa760649cbb57afb8755dbb62bf51f466cf23a0a1607576e983d778fceffa92df7548aea8ea4ecad2c29dd9f95bc07fe91ecf8bee255bfe8762fd7690aa9bfa4fa0849ef728c2c42c4532364522df2ab7f9f8a03b63f7a499175828668f5ef5a29e3802c\n\nVerify = RSA-PSS-3\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 405dd56d395ef0f01b555c48f748cc32b210650b\nOutput = 0196f12a005b98129c8df13c4cb16f8aa887d3c40d96df3a88e7532ef39cd992f273abc370bc1be6f097cfebbf0118fd9ef4b927155f3df22b904d90702d1f7ba7a52bed8b8942f412cd7bd676c9d18e170391dcd345c06a730964b3f30bcce0bb20ba106f9ab0eeb39cf8a6607f75c0347f0af79f16afa081d2c92d1ee6f836b8\n\nVerify = RSA-PSS-3\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = a2c313b0440c8a0c47233b87f0a160c61af3eae7\nOutput = 021eca3ab4892264ec22411a752d92221076d4e01c0e6f0dde9afd26ba5acf6d739ef987545d16683e5674c9e70f1de649d7e61d48d0caeb4fb4d8b24fba84a6e3108fee7d0705973266ac524b4ad280f7ae17dc59d96d3351586b5a3bdb895d1e1f7820ac6135d8753480998382ba32b7349559608c38745290a85ef4e9f9bd83\n\nVerify = RSA-PSS-3\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = f1bf6ca7b4bbdbb6bf20a4bf55728725d177154a\nOutput = 012fafec862f56e9e92f60ab0c77824f4299a0ca734ed26e0644d5d222c7f0bde03964f8e70a5cb65ed44e44d56ae0edf1ff86ca032cc5dd4404dbb76ab854586c44eed8336d08d457ce6c03693b45c0f1efef93624b95b8ec169c616d20e5538ebc0b6737a6f82b4bc0570924fc6b35759a3348426279f8b3d7744e2d222426ce\n\nPublicKey = RSA-PSS-4\nType = RSA\nInput = 30819f300d06092a864886f70d010101050003818d00308189028181054adb7886447efe6f57e0368f06cf52b0a3370760d161cef126b91be7f89c421b62a6ec1da3c311d75ed50e0ab5fff3fd338acc3aa8a4e77ee26369acb81ba900fa83f5300cf9bb6c53ad1dc8a178b815db4235a9a9da0c06de4e615ea1277ce559e9c108de58c14a81aa77f5a6f8d1335494498848c8b95940740be7bf7c37050203010001\n\nVerify = RSA-PSS-4\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = f8b0abf70fec0bca74f0accbc24f75e6e90d3bfd\nOutput = 0323d5b7bf20ba4539289ae452ae4297080feff4518423ff4811a817837e7d82f1836cdfab54514ff0887bddeebf40bf99b047abc3ecfa6a37a3ef00f4a0c4a88aae0904b745c846c4107e8797723e8ac810d9e3d95dfa30ff4966f4d75d13768d20857f2b1406f264cfe75e27d7652f4b5ed3575f28a702f8c4ed9cf9b2d44948\n\nVerify = RSA-PSS-4\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 04a10944bfe11ab801e77889f3fd3d7f4ff0b629\nOutput = 049d0185845a264d28feb1e69edaec090609e8e46d93abb38371ce51f4aa65a599bdaaa81d24fba66a08a116cb644f3f1e653d95c89db8bbd5daac2709c8984000178410a7c6aa8667ddc38c741f710ec8665aa9052be929d4e3b16782c1662114c5414bb0353455c392fc28f3db59054b5f365c49e1d156f876ee10cb4fd70598\n\nVerify = RSA-PSS-4\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = ba01243db223eb97fb86d746c3148adaaa0ca344\nOutput = 03fbc410a2ced59500fb99f9e2af2781ada74e13145624602782e2994813eefca0519ecd253",
- "b855fb626a90d771eae028b0c47a199cbd9f8e3269734af4163599090713a3fa910fa0960652721432b971036a7181a2bc0cab43b0b598bc6217461d7db305ff7e954c5b5bb231c39e791af6bcfa76b147b081321f72641482a2aad\n\nVerify = RSA-PSS-4\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 934bb0d38d6836daec9de82a9648d4593da67cd2\nOutput = 0486644bc66bf75d28335a6179b10851f43f09bded9fac1af33252bb9953ba4298cd6466b27539a70adaa3f89b3db3c74ab635d122f4ee7ce557a61e59b82ffb786630e5f9db53c77d9a0c12fab5958d4c2ce7daa807cd89ba2cc7fcd02ff470ca67b229fcce814c852c73cc93bea35be68459ce478e9d4655d121c8472f371d4f\n\nVerify = RSA-PSS-4\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = ec35d81abd1cceac425a935758b683465c8bd879\nOutput = 022a80045353904cb30cbb542d7d4990421a6eec16a8029a8422adfd22d6aff8c4cc0294af110a0c067ec86a7d364134459bb1ae8ff836d5a8a2579840996b320b19f13a13fad378d931a65625dae2739f0c53670b35d9d3cbac08e733e4ec2b83af4b9196d63e7c4ff1ddeae2a122791a125bfea8deb0de8ccf1f4ffaf6e6fb0a\n\nVerify = RSA-PSS-4\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 72ce251d17b04dd3970d6ff1fbe3624899e9e941\nOutput = 00938dcb6d583046065f69c78da7a1f1757066a7fa75125a9d2929f0b79a60b627b082f11f5b196f28eb9daa6f21c05e5140f6aef1737d2023075c05ecf04a028c686a2ab3e7d5a0664f295ce12995e890908b6ad21f0839eb65b70393a7b5afd9871de0caa0cedec5b819626756209d13ab1e7bb9546a26ff37e9a51af9fd562e\n\nPublicKey = RSA-PSS-5\nType = RSA\nInput = 30819f300d06092a864886f70d010101050003818d003081890281810d10f661f29940f5ed39aa260966deb47843679d2b6fb25b3de370f3ac7c19916391fd25fb527ebfa6a4b4df45a1759d996c4bb4ebd18828c44fc52d0191871740525f47a4b0cc8da325ed8aa676b0d0f626e0a77f07692170acac8082f42faa7dc7cd123e730e31a87985204cabcbe6670d43a2dd2b2ddef5e05392fc213bc5070203010001\n\nVerify = RSA-PSS-5\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = d98b7061943510bc3dd9162f7169aabdbdcd0222\nOutput = 0ba373f76e0921b70a8fbfe622f0bf77b28a3db98e361051c3d7cb92ad0452915a4de9c01722f6823eeb6adf7e0ca8290f5de3e549890ac2a3c5950ab217ba58590894952de96f8df111b2575215da6c161590c745be612476ee578ed384ab33e3ece97481a252f5c79a98b5532ae00cdd62f2ecc0cd1baefe80d80b962193ec1d\n\nVerify = RSA-PSS-5\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 7ae8e699f754988f4fd645e463302e49a2552072\nOutput = 08180de825e4b8b014a32da8ba761555921204f2f90d5f24b712908ff84f3e220ad17997c0dd6e706630ba3e84add4d5e7ab004e58074b549709565d43ad9e97b5a7a1a29e85b9f90f4aafcdf58321de8c5974ef9abf2d526f33c0f2f82e95d158ea6b81f1736db8d1af3d6ac6a83b32d18bae0ff1b2fe27de4c76ed8c7980a34e\n\nVerify = RSA-PSS-5\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 8d46c7c05534c1ba2cc7624500d48a4531604bff\nOutput = 05e0fdbdf6f756ef733185ccfa8ced2eb6d029d9d56e35561b5db8e70257ee6fd019d2f0bbf669fe9b9821e78df6d41e31608d58280f318ee34f559941c8df13287574bac000b7e58dc4f414ba49fb127f9d0f8936638c76e85356c994f79750f7fa3cf4fd482df75e3fb9978cd061f7abb17572e6e63e0bde12cbdcf18c68b979\n\nVerify = RSA-PSS-5\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = ee3de96783fd0a157c8b20bf5566124124dcfe65\nOutput = 0bc989853bc2ea86873271ce183a923ab65e8a53100e6df5d87a24c4194eb797813ee2a187c097dd872d591da60c568605dd7e742d5af4e33b11678ccb63903204a3d080b0902c89aba8868f009c0f1c0cb85810bbdd29121abb8471ff2d39e49fd92d56c655c8e037ad18fafbdc92c95863f7f61ea9efa28fea401369d19daea1\n\nVerify = RSA-PSS-5\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 1204df0b03c2724e2709c23fc71789a21b00ae4c\nOutput = 0aefa943b698b9609edf898ad22744ac28dc239497cea369cbbd84f65c95c0ad776b594740164b59a739c6ff7c2f07c7c077a86d95238fe51e1fcf33574a4ae0684b42a3f6bf677d91820ca89874467b2c23add77969c80717430d0efc1d3695892ce855cb7f7011630f4df26def8ddf36fc23905f57fa6243a485c770d5681fcd\n\nVerify = RSA-PSS-5\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 29926bc3280c841f601acd0d6f17ea38023eddbc\nOutput = 02802dccfa8dfaf5279bf0b4a29ba1b157611faeaaf419b8919d15941900c1339e7e92e6fae562c53e6cc8e84104b110bce03ad18525e3c49a0eadad5d3f28f244a8ed89edbafbb686277cfa8ae909714d6b28f4bf8e293aa04c41efe7c0a81266d5c061e2575be032aa464674ff71626219bd74cc45f0e7ed4e3ff96eee758e8f\n\nPublicKey = RSA-PSS-6\nType = RSA\nInput = 30819f300d06092a864886f70d010101050003818d00308189028181164ca31cff609f3a0e7101b039f2e4fe6dd37519ab98598d179e174996598071f47d3a04559158d7be373cf1aa53f0aa6ef09039e5678c2a4c63900514c8c4f8aaed5de12a5f10b09c311af8c0ffb5b7a297f2efc63b8d6b0510931f0b98e48bf5fc6ec4e7b8db1ffaeb08c38e02adb8f03a48229c99e969431f61cb8c4dc698d10203010001\n\nVerify = RSA-PSS-6\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = ab464e8cb65ae5fdea47a53fa84b234d6bfd52f6\nOutput = 04c0cfacec04e5badbece159a5a1103f69b3f32ba593cb4cc4b1b7ab455916a96a27cd2678ea0f46ba37f7fc9c86325f29733b389f1d97f43e7201c0f348fc45fe42892335362eee018b5b161f2f9393031225c713012a576bc88e23052489868d9010cbf033ecc568e8bc152bdc59d560e41291915d28565208e22aeec9ef85d1\n\nVerify = RSA-PSS-6\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 92d0bcae82b641f578f040f5151be8eda6d42299\nOutput = 0a2314250cf52b6e4e908de5b35646bcaa24361da8160fb0f9257590ab3ace42b0dc3e77ad2db7c203a20bd952fbb56b1567046ecfaa933d7b1000c3de9ff05b7d989ba46fd43bc4c2d0a3986b7ffa13471d37eb5b47d64707bd290cfd6a9f393ad08ec1e3bd71bb5792615035cdaf2d8929aed3be098379377e777ce79aaa4773\n\nVerify = RSA-PSS-6\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 3569bd8fd2e28f2443375efa94f186f6911ffc2b\nOutput = 086df6b500098c120f24ff8423f727d9c61a5c9007d3b6a31ce7cf8f3cbec1a26bb20e2bd4a046793299e03e37a21b40194fb045f90b18bf20a47992ccd799cf9c059c299c0526854954aade8a6ad9d97ec91a1145383f42468b231f4d72f23706d9853c3fa43ce8ace8bfe7484987a1ec6a16c8daf81f7c8bf42774707a9df456\n\nVerify = RSA-PSS-6\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 7abbb7b42de335730a0b641f1e314b6950b84f98\nOutput = 0b5b11ad549863ffa9c51a14a1106c2a72cc8b646e5c7262509786105a984776534ca9b54c1cc64bf2d5a44fd7e8a69db699d5ea52087a4748fd2abc1afed1e5d6f7c89025530bdaa2213d7e030fa55df6f34bcf1ce46d2edf4e3ae4f3b01891a068c9e3a44bbc43133edad6ecb9f35400c4252a5762d65744b99cb9f4c559329f\n\nVerify = RSA-PSS-6\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 55b7eb27be7a787a59eb7e5fac468db8917a7725\nOutput = 02d71fa9b53e4654fefb7f08385cf6b0ae3a817942ebf66c35ac67f0b069952a3ce9c7e1f1b02e480a9500836de5d64cdb7ecde04542f7a79988787e24c2ba05f5fd482c023ed5c30e04839dc44bed2a3a3a4fee01113c891a47d32eb8025c28cb050b5cdb576c70fe76ef523405c08417faf350b037a43c379339fcb18d3a356b\n\nVerify = RSA-PSS-6\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = de2fa0367ef49083ff89b9905d3fd646fcc12c38\nOutput = 0a40a16e2fe2b38d1df90546167cf9469c9e3c3681a3442b4b2c2f581deb385ce99fc6188bb02a841d56e76d301891e24560550fcc2a26b55f4ccb26d837d350a154bcaca8392d98fa67959e9727b78cad03269f56968fc56b68bd679926d83cc9cb215550645ccda31c760ff35888943d2d8a1d351e81e5d07b86182e751081ef\n\nPublicKey = RSA-PSS-7\nType = RSA\nInput = 30819f300d06092a864886f70d010101050003818d0030818902818137c9da4a66c8c408b8da27d0c9d79f8ccb1eafc1d2fe48746d940b7c4ef5dee18ad12647cefaa0c4b3188b221c515386759b93f02024b25ab9242f8357d8f3fd49640ee5e643eaf6c64deefa7089727c8ff03993333915c6ef21bf5975b6e50d118b51008ec33e9f01a0a545a10a836a43ddbca9d8b5c5d3548022d7064ea29ab30203010001\n\nVerify = RSA-PSS-7\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 8be4afbdd76bd8d142c5f4f46dba771ee5d6d29d\nOutput = 187f390723c8902591f0154bae6d4ecbffe067f0e8b795476ea4f4d51ccc810520bb3ca9bca7d0b1f2ea8a17d873fa27570acd642e3808561cb9e975ccfd80b23dc5771cdb3306a5f23159dacbd3aa2db93d46d766e09ed15d900ad897a8d274dc26b47e994a27e97e2268a766533ae4b5e42a2fcaf755c1c4794b294c60555823\n\nVerify = RSA-PSS-7\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 402140dc605b2f5c5ec0d15bce9f9ba8857fe117\nOutput = 10fd89768a60a67788abb5856a787c8561f3edcf9a83e898f7dc87ab8cce79429b43e56906941a886194f137e591fe7c339555361fbbe1f24feb2d4bcdb80601f3096bc9132deea60ae13082f44f9ad41cd628936a4d51176e42fc59cb76db815ce5ab4db99a104aafea68f5d330329ebf258d4ede16064bd1d00393d5e1570eb8\n\nVerify = RSA-PSS-7\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 3e885205892ff2b6b37c2c4eb486c4bf2f9e7f20\nOutput = 2b31fde99859b977aa09586d8e274662b25a2a640640b457f594051cb1e7f7a911865455242926cf88fe80dfa3a75ba9689844a11e634a82b075afbd69c12a0df9d25f84ad4945df3dc8fe90c3cefdf26e95f0534304b5bdba20d3e5640a2ebfb898aac35ae40f26fce5563c2f9f24f3042af76f3c7072d687bbfb959a88460af1\n\nVerify = RSA-PSS-7\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 1fc2201d0c442a4736cd8b2cd00c959c47a3bf42\nOutput = 32c7ca38ff26949a15000c4ba04b2b13b35a3810e568184d7ecabaa166b7ffabddf2b6cf4ba07124923790f2e5b1a5be04",
- "0aea36fe132ec130e1f10567982d17ac3e89b8d26c3094034e762d2e031264f01170beecb3d1439e05846f25458367a7d9c02060444672671e64e877864559ca19b2074d588a281b5804d23772fbbe19\n\nVerify = RSA-PSS-7\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = e4351b66819e5a31501f89acc7faf57030e9aac5\nOutput = 07eb651d75f1b52bc263b2e198336e99fbebc4f332049a922a10815607ee2d989db3a4495b7dccd38f58a211fb7e193171a3d891132437ebca44f318b280509e52b5fa98fcce8205d9697c8ee4b7ff59d4c59c79038a1970bd2a0d451ecdc5ef11d9979c9d35f8c70a6163717607890d586a7c6dc01c79f86a8f28e85235f8c2f1\n\nVerify = RSA-PSS-7\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 49f6cc58365e514e1a3f301f4de16f9fb5347ff2\nOutput = 18da3cdcfe79bfb77fd9c32f377ad399146f0a8e810620233271a6e3ed3248903f5cdc92dc79b55d3e11615aa056a795853792a3998c349ca5c457e8ca7d29d796aa24f83491709befcfb1510ea513c92829a3f00b104f655634f320752e130ec0ccf6754ff893db302932bb025eb60e87822598fc619e0e981737a9a4c4152d33\n\nPublicKey = RSA-PSS-8\nType = RSA\nInput = 30819f300d06092a864886f70d010101050003818d00308189028181495370a1fb18543c16d3631e3163255df62be6eee890d5f25509e4f778a8ea6fbbbcdf85dff64e0d972003ab3681fbba6dd41fd541829b2e582de9f2a4a4e0a2d0900bef4753db3cee0ee06c7dfae8b1d53b5953218f9cceea695b08668edeaadced9463b1d790d5ebf27e9115b46cad4d9a2b8efab0561b0810344739ada0733f0203010001\n\nVerify = RSA-PSS-8\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = a1dd230d8ead860199b6277c2ecfe3d95f6d9160\nOutput = 0262ac254bfa77f3c1aca22c5179f8f040422b3c5bafd40a8f21cf0fa5a667ccd5993d42dbafb409c520e25fce2b1ee1e716577f1efa17f3da28052f40f0419b23106d7845aaf01125b698e7a4dfe92d3967bb00c4d0d35ba3552ab9a8b3eef07c7fecdbc5424ac4db1e20cb37d0b2744769940ea907e17fbbca673b20522380c5\n\nVerify = RSA-PSS-8\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = f6e68e53c602c5c65fa67b5aa6d786e5524b12ab\nOutput = 2707b9ad5115c58c94e932e8ec0a280f56339e44a1b58d4ddcff2f312e5f34dcfe39e89c6a94dcee86dbbdae5b79ba4e0819a9e7bfd9d982e7ee6c86ee68396e8b3a14c9c8f34b178eb741f9d3f121109bf5c8172fada2e768f9ea1433032c004a8aa07eb990000a48dc94c8bac8aabe2b09b1aa46c0a2aa0e12f63fbba775ba7e\n\nVerify = RSA-PSS-8\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = d6f9fcd3ae27f32bb2c7c93536782eba52af1f76\nOutput = 2ad20509d78cf26d1b6c406146086e4b0c91a91c2bd164c87b966b8faa42aa0ca446022323ba4b1a1b89706d7f4c3be57d7b69702d168ab5955ee290356b8c4a29ed467d547ec23cbadf286ccb5863c6679da467fc9324a151c7ec55aac6db4084f82726825cfe1aa421bc64049fb42f23148f9c25b2dc300437c38d428aa75f96\n\nVerify = RSA-PSS-8\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 7ff2a53ce2e2d900d468e498f230a5f5dd0020de\nOutput = 1e24e6e58628e5175044a9eb6d837d48af1260b0520e87327de7897ee4d5b9f0df0be3e09ed4dea8c1454ff3423bb08e1793245a9df8bf6ab3968c8eddc3b5328571c77f091cc578576912dfebd164b9de5454fe0be1c1f6385b328360ce67ec7a05f6e30eb45c17c48ac70041d2cab67f0a2ae7aafdcc8d245ea3442a6300ccc7\n\nVerify = RSA-PSS-8\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 4eb309f7022ba0b03bb78601b12931ec7c1be8d3\nOutput = 33341ba3576a130a50e2a5cf8679224388d5693f5accc235ac95add68e5eb1eec31666d0ca7a1cda6f70a1aa762c05752a51950cdb8af3c5379f18cfe6b5bc55a4648226a15e912ef19ad77adeea911d67cfefd69ba43fa4119135ff642117ba985a7e0100325e9519f1ca6a9216bda055b5785015291125e90dcd07a2ca9673ee\n\nVerify = RSA-PSS-8\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 65033bc2f67d6aba7d526acb873b8d9241e5e4d9\nOutput = 1ed1d848fb1edb44129bd9b354795af97a069a7a00d0151048593e0c72c3517ff9ff2a41d0cb5a0ac860d736a199704f7cb6a53986a88bbd8abcc0076a2ce847880031525d449da2ac78356374c536e343faa7cba42a5aaa6506087791c06a8e989335aed19bfab2d5e67e27fb0c2875af896c21b6e8e7309d04e4f6727e69463e\n\nPublicKey = RSA-PSS-9\nType = RSA\nInput = 3081df300d06092a864886f70d01010105000381cd003081c90281c100e6bd692ac96645790403fdd0f5beb8b9bf92ed10007fc365046419dd06c05c5b5b2f48ecf989e4ce269109979cbb40b4a0ad24d22483d1ee315ad4ccb1534268352691c524f6dd8e6c29d224cf246973aec86c5bf6b1401a850d1b9ad1bb8cbcec47b06f0f8c7f45d3fc8f319299c5433ddbc2b3053b47ded2ecd4a4caefd614833dc8bb622f317ed076b8057fe8de3f84480ad5e83e4a61904a4f248fb397027357e1d30e463139815c6fd4fd5ac5b8172a45230ecb6318a04f1455d84e5a8b0203010001\n\nVerify = RSA-PSS-9\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 2715a49b8b0012cd7aee84c116446e6dfe3faec0\nOutput = 586107226c3ce013a7c8f04d1a6a2959bb4b8e205ba43a27b50f124111bc35ef589b039f5932187cb696d7d9a32c0c38300a5cdda4834b62d2eb240af33f79d13dfbf095bf599e0d9686948c1964747b67e89c9aba5cd85016236f566cc5802cb13ead51bc7ca6bef3b94dcbdbb1d570469771df0e00b1a8a06777472d2316279edae86474668d4e1efff95f1de61c6020da32ae92bbf16520fef3cf4d88f61121f24bbd9fe91b59caf1235b2a93ff81fc403addf4ebdea84934a9cdaf8e1a9e\n\nVerify = RSA-PSS-9\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 2dac956d53964748ac364d06595827c6b4f143cd\nOutput = 80b6d643255209f0a456763897ac9ed259d459b49c2887e5882ecb4434cfd66dd7e1699375381e51cd7f554f2c271704b399d42b4be2540a0eca61951f55267f7c2878c122842dadb28b01bd5f8c025f7e228418a673c03d6bc0c736d0a29546bd67f786d9d692ccea778d71d98c2063b7a71092187a4d35af108111d83e83eae46c46aa34277e06044589903788f1d5e7cee25fb485e92949118814d6f2c3ee361489016f327fb5bc517eb50470bffa1afa5f4ce9aa0ce5b8ee19bf5501b958\n\nVerify = RSA-PSS-9\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 28d98c46cccafbd3bc04e72f967a54bd3ea12298\nOutput = 484408f3898cd5f53483f80819efbf2708c34d27a8b2a6fae8b322f9240237f981817aca1846f1084daa6d7c0795f6e5bf1af59c38e1858437ce1f7ec419b98c8736adf6dd9a00b1806d2bd3ad0a73775e05f52dfef3a59ab4b08143f0df05cd1ad9d04bececa6daa4a2129803e200cbc77787caf4c1d0663a6c5987b605952019782caf2ec1426d68fb94ed1d4be816a7ed081b77e6ab330b3ffc073820fecde3727fcbe295ee61a050a343658637c3fd659cfb63736de32d9f90d3c2f63eca\n\nVerify = RSA-PSS-9\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 0866d2ff5a79f25ef668cd6f31b42dee421e4c0e\nOutput = 84ebeb481be59845b46468bafb471c0112e02b235d84b5d911cbd1926ee5074ae0424495cb20e82308b8ebb65f419a03fb40e72b78981d88aad143053685172c97b29c8b7bf0ae73b5b2263c403da0ed2f80ff7450af7828eb8b86f0028bd2a8b176a4d228cccea18394f238b09ff758cc00bc04301152355742f282b54e663a919e709d8da24ade5500a7b9aa50226e0ca52923e6c2d860ec50ff480fa57477e82b0565f4379f79c772d5c2da80af9fbf325ece6fc20b00961614bee89a183e\n\nVerify = RSA-PSS-9\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 6a5b4be4cd36cc97dfde9995efbf8f097a4a991a\nOutput = 82102df8cb91e7179919a04d26d335d64fbc2f872c44833943241de8454810274cdf3db5f42d423db152af7135f701420e39b494a67cbfd19f9119da233a23da5c6439b5ba0d2bc373eee3507001378d4a4073856b7fe2aba0b5ee93b27f4afec7d4d120921c83f606765b02c19e4d6a1a3b95fa4c422951be4f52131077ef17179729cddfbdb56950dbaceefe78cb16640a099ea56d24389eef10f8fecb31ba3ea3b227c0a86698bb89e3e9363905bf22777b2a3aa521b65b4cef76d83bde4c\n\nVerify = RSA-PSS-9\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = b9dfd1df76a461c51e6576c6c8ed0a923d1c50e7\nOutput = a7fdb0d259165ca2c88d00bbf1028a867d337699d061193b17a9648e14ccbbaadeacaacdec815e7571294ebb8a117af205fa078b47b0712c199e3ad05135c504c24b81705115740802487992ffd511d4afc6b854491eb3f0dd523139542ff15c3101ee85543517c6a3c79417c67e2dd9aa741e9a29b06dcb593c2336b3670ae3afbac7c3e76e215473e866e338ca244de00b62624d6b9426822ceae9f8cc460895f41250073fd45c5a1e7b425c204a423a699159f6903e710b37a7bb2bc8049f\n\nPublicKey = RSA-PSS-10\nType = RSA\nInput = 30820122300d06092a864886f70d01010105000382010f003082010a0282010100a5dd867ac4cb02f90b9457d48c14a770ef991c56c39c0ec65fd11afa8937cea57b9be7ac73b45c0017615b82d622e318753b6027c0fd157be12f8090fee2a7adcd0eef759f88ba4997c7a42d58c9aa12cb99ae001fe521c13bb5431445a8d5ae4f5e4c7e948ac227d3604071f20e577e905fbeb15dfaf06d1de5ae6253d63a6a2120b31a5da5dabc9550600e20f27d3739e2627925fea3cc509f21dff04e6eea4549c540d6809ff9307eede91fff58733d8385a237d6d3705a33e391900992070df7adf1357cf7e3700ce3667de83f17b8df1778db381dce09cb4ad058a511001a738198ee27cf55a13b754539906582ec8b174bd58d5d1f3d767c613721ae050203010001\n\nVerify = RSA-PSS-10\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 9596bb630cf6a8d4ea4600422b9eba8b13675dd4\nOutput = 82c2b160093b8aa3c0f7522b19f87354066c77847abf2a9fce542d0e84e920c5afb49ffdfdace16560ee94a1369601148ebad7a0e151cf16331791a5727d05f21e74e7eb811440206935d744765a15e79f015cb66c532c87a6a05961c8bfad741a9a6657022894393e7223739796c02a77455d0f555b0ec01ddf259b6207fd0fd57614cef1a5573baaff4ec00069951659b85f24300a25160ca8522dc6e6727e57d019d7e63629b8fe5e89e25cc15beb3a647577559299280b9b28f79b0409000be25bbd96408ba3b43cc486184dd1c8e62553fa1af4040f60663de7f5e49c04388e257f1ce",
- "89c95dab48a315d9b66b1b7628233876ff2385230d070d07e1666\n\nVerify = RSA-PSS-10\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = b503319399277fd6c1c8f1033cbf04199ea21716\nOutput = 14ae35d9dd06ba92f7f3b897978aed7cd4bf5ff0b585a40bd46ce1b42cd2703053bb9044d64e813d8f96db2dd7007d10118f6f8f8496097ad75e1ff692341b2892ad55a633a1c55e7f0a0ad59a0e203a5b8278aec54dd8622e2831d87174f8caff43ee6c46445345d84a59659bfb92ecd4c818668695f34706f66828a89959637f2bf3e3251c24bdba4d4b7649da0022218b119c84e79a6527ec5b8a5f861c159952e23ec05e1e717346faefe8b1686825bd2b262fb2531066c0de09acde2e4231690728b5d85e115a2f6b92b79c25abc9bd9399ff8bcf825a52ea1f56ea76dd26f43baafa18bfa92a504cbd35699e26d1dcc5a2887385f3c63232f06f3244c3\n\nVerify = RSA-PSS-10\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 50aaede8536b2c307208b275a67ae2df196c7628\nOutput = 6e3e4d7b6b15d2fb46013b8900aa5bbb3939cf2c095717987042026ee62c74c54cffd5d7d57efbbf950a0f5c574fa09d3fc1c9f513b05b4ff50dd8df7edfa20102854c35e592180119a70ce5b085182aa02d9ea2aa90d1df03f2daae885ba2f5d05afdac97476f06b93b5bc94a1a80aa9116c4d615f333b098892b25fface266f5db5a5a3bcc10a824ed55aad35b727834fb8c07da28fcf416a5d9b2224f1f8b442b36f91e456fdea2d7cfe3367268de0307a4c74e924159ed33393d5e0655531c77327b89821bdedf880161c78cd4196b5419f7acc3f13e5ebf161b6e7c6724716ca33b85c2e25640192ac2859651d50bde7eb976e51cec828b98b6563b86bb\n\nVerify = RSA-PSS-10\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = aa0b72b8b371ddd10c8ae474425ccccf8842a294\nOutput = 34047ff96c4dc0dc90b2d4ff59a1a361a4754b255d2ee0af7d8bf87c9bc9e7ddeede33934c63ca1c0e3d262cb145ef932a1f2c0a997aa6a34f8eaee7477d82ccf09095a6b8acad38d4eec9fb7eab7ad02da1d11d8e54c1825e55bf58c2a23234b902be124f9e9038a8f68fa45dab72f66e0945bf1d8bacc9044c6f07098c9fcec58a3aab100c805178155f030a124c450e5acbda47d0e4f10b80a23f803e774d023b0015c20b9f9bbe7c91296338d5ecb471cafb032007b67a60be5f69504a9f01abb3cb467b260e2bce860be8d95bf92c0c8e1496ed1e528593a4abb6df462dde8a0968dffe4683116857a232f5ebf6c85be238745ad0f38f767a5fdbf486fb\n\nVerify = RSA-PSS-10\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = fad3902c9750622a2bc672622c48270cc57d3ea8\nOutput = 7e0935ea18f4d6c1d17ce82eb2b3836c55b384589ce19dfe743363ac9948d1f346b7bfddfe92efd78adb21faefc89ade42b10f374003fe122e67429a1cb8cbd1f8d9014564c44d120116f4990f1a6e38774c194bd1b8213286b077b0499d2e7b3f434ab12289c556684deed78131934bb3dd6537236f7c6f3dcb09d476be07721e37e1ceed9b2f7b406887bd53157305e1c8b4f84d733bc1e186fe06cc59b6edb8f4bd7ffefdf4f7ba9cfb9d570689b5a1a4109a746a690893db3799255a0cb9215d2d1cd490590e952e8c8786aa0011265252470c041dfbc3eec7c3cbf71c24869d115c0cb4a956f56d530b80ab589acfefc690751ddf36e8d383f83cedd2cc\n\nVerify = RSA-PSS-10\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 122196deb5d122bd8c6fc781ff6924d7c695aade\nOutput = 6d3b5b87f67ea657af21f75441977d2180f91b2c5f692de82955696a686730d9b9778d970758ccb26071c2209ffbd6125be2e96ea81b67cb9b9308239fda17f7b2b64ecda096b6b935640a5a1cb42a9155b1c9ef7a633a02c59f0d6ee59b852c43b35029e73c940ff0410e8f114eed46bbd0fae165e42be2528a401c3b28fd818ef3232dca9f4d2a0f5166ec59c42396d6c11dbc1215a56fa17169db9575343ef34f9de32a49cdc3174922f229c23e18e45df9353119ec4319cedce7a17c64088c1f6f52be29634100b3919d38f3d1ed94e6891e66a73b8fb849f5874df59459e298c7bbce2eee782a195aa66fe2d0732b25e595f57d3e061b1fc3e4063bf98f\n\nPrivateKey = RSA-OAEP-1\nType = RSA\nInput = 30820276020100300d06092a864886f70d0101010500048202603082025c02010002818100a8b3b284af8eb50b387034a860f146c4919f318763cd6c5598c8ae4811a1e0abc4c7e0b082d693a5e7fced675cf4668512772c0cbc64a742c6c630f533c8cc72f62ae833c40bf25842e984bb78bdbf97c0107d55bdb662f5c4e0fab9845cb5148ef7392dd3aaff93ae1e6b667bb3d4247616d4f5ba10d4cfd226de88d39f16fb020301000102818053339cfdb79fc8466a655c7316aca85c55fd8f6dd898fdaf119517ef4f52e8fd8e258df93fee180fa0e4ab29693cd83b152a553d4ac4d1812b8b9fa5af0e7f55fe7304df41570926f3311f15c4d65a732c483116ee3d3d2d0af3549ad9bf7cbfb78ad884f84d5beb04724dc7369b31def37d0cf539e9cfcdd3de653729ead5d1024100d32737e7267ffe1341b2d5c0d150a81b586fb3132bed2f8d5262864a9cb9f30af38be448598d413a172efb802c21acf1c11c520c2f26a471dcad212eac7ca39d024100cc8853d1d54da630fac004f471f281c7b8982d8224a490edbeb33d3e3d5cc93c4765703d1dd791642f1f116a0dd852be2419b2af72bfe9a030e860b0288b5d7702400e12bf1718e9cef5599ba1c3882fe8046a90874eefce8f2ccc20e4f2741fb0a33a3848aec9c9305fbecbd2d76819967d4671acc6431e4037968db37878e695c102410095297b0f95a2fa67d00707d609dfd4fc05c89dafc2ef6d6ea55bec771ea333734d9251e79082ecda866efef13c459e1a631386b7e354c899f5f112ca85d7158302404f456c502493bdc0ed2ab756a3a6ed4d67352a697d4216e93212b127a63d5411ce6fa98d5dbefd73263e3728142743818166ed7dd63687dd2a8ca1d2f4fbd8e1\n\nDecrypt = RSA-OAEP-1\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 354fe67b4a126d5d35fe36c777791a3f7ba13def484e2d3908aff722fad468fb21696de95d0be911c2d3174f8afcc201035f7b6d8e69402de5451618c21a535fa9d7bfc5b8dd9fc243f8cf927db31322d6e881eaa91a996170e657a05a266426d98c88003f8477c1227094a0d9fa1e8c4024309ce1ecccb5210035d47ac72e8a\nOutput = 6628194e12073db03ba94cda9ef9532397d50dba79b987004afefe34\n\nDecrypt = RSA-OAEP-1\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 640db1acc58e0568fe5407e5f9b701dff8c3c91e716c536fc7fcec6cb5b71c1165988d4a279e1577d730fc7a29932e3f00c81515236d8d8e31017a7a09df4352d904cdeb79aa583adcc31ea698a4c05283daba9089be5491f67c1a4ee48dc74bbbe6643aef846679b4cb395a352d5ed115912df696ffe0702932946d71492b44\nOutput = 750c4047f547e8e41411856523298ac9bae245efaf1397fbe56f9dd5\n\nDecrypt = RSA-OAEP-1\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 423736ed035f6026af276c35c0b3741b365e5f76ca091b4e8c29e2f0befee603595aa8322d602d2e625e95eb81b2f1c9724e822eca76db8618cf09c5343503a4360835b5903bc637e3879fb05e0ef32685d5aec5067cd7cc96fe4b2670b6eac3066b1fcf5686b68589aafb7d629b02d8f8625ca3833624d4800fb081b1cf94eb\nOutput = d94ae0832e6445ce42331cb06d531a82b1db4baad30f746dc916df24d4e3c2451fff59a6423eb0e1d02d4fe646cf699dfd818c6e97b051\n\nDecrypt = RSA-OAEP-1\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 45ead4ca551e662c9800f1aca8283b0525e6abae30be4b4aba762fa40fd3d38e22abefc69794f6ebbbc05ddbb11216247d2f412fd0fba87c6e3acd888813646fd0e48e785204f9c3f73d6d8239562722dddd8771fec48b83a31ee6f592c4cfd4bc88174f3b13a112aae3b9f7b80e0fc6f7255ba880dc7d8021e22ad6a85f0755\nOutput = 52e650d98e7f2a048b4f86852153b97e01dd316f346a19f67a85\n\nDecrypt = RSA-OAEP-1\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 36f6e34d94a8d34daacba33a2139d00ad85a9345a86051e73071620056b920e219005855a213a0f23897cdcd731b45257c777fe908202befdd0b58386b1244ea0cf539a05d5d10329da44e13030fd760dcd644cfef2094d1910d3f433e1c7c6dd18bc1f2df7f643d662fb9dd37ead9059190f4fa66ca39e869c4eb449cbdc439\nOutput = 8da89fd9e5f974a29feffb462b49180f6cf9e802\n\nDecrypt = RSA-OAEP-1\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 42cee2617b1ecea4db3f4829386fbd61dafbf038e180d837c96366df24c097b4ab0fac6bdf590d821c9f10642e681ad05b8d78b378c0f46ce2fad63f74e0ad3df06b075d7eb5f5636f8d403b9059ca761b5c62bb52aa45002ea70baace08ded243b9d8cbd62a68ade265832b56564e43a6fa42ed199a099769742df1539e8255\nOutput = 26521050844271\n\nPrivateKey = RSA-OAEP-2\nType = RSA\nInput = 30820276020100300d06092a864886f70d0101010500048202603082025c02010002818101947c7fce90425f47279e70851f25d5e62316fe8a1df19371e3e628e260543e4901ef6081f68c0b8141190d2ae8daba7d1250ec6db636e944ec3722877c7c1d0a67f14b1694c5f0379451a43e49a32dde83670b73da91a1c99bc23b436a60055c610f0baf99c1a079565b95a3f1526632d1d4da60f20eda25e653c4f002766f4502030100010281800823f20fadb5da89088a9d00893e21fa4a1b11fbc93c64a3be0baaea97fb3b93c3ff713704c19c963c1d107aae99054739f79e02e186de86f87a6ddefea6d8ccd1d3c81a47bfa7255be20601a4a4b2f08a167b5e279d715b1b455bdd7eab245941d9768b9acefb3ccda5952da3cee72525b4501663a8ee15c9e992d92462fe3902410159dbde04a33ef06fb608b80b190f4d3e22bcc13ac8e4a081033abfa416edb0b338aa08b57309ea5a5240e7dc6e54378c69414c31d97ddb1f406db3769cc41a430241012b652f30403b38b40995fd6ff41a1acc8ada70373236b7202d39b2ee30cfb46db09511f6f307cc61cc21606c18a75b8a62f822df031ba0df0dafd5506f568bd70240436ef508de736519c2da4c580d98c82cb7452a3fb5efadc3b9c7789a1bc6584f795addbbd32439c74686552ecb6c2c307a4d3af7f539eec157248c7b31f1a2550241012b15a89f3dfb2b39073e73f02bdd0c1a7b379dd435f05cdde2eff9e462948b7cec62ee9050d5e0816e0785a856b49108dcb75f3683874d1ca6329a19013066ff02400270db17d5914b018d76118b24389a7350ec836b0063a21721236fd8edb6d89b51e7eeb87b611b7132cb7ea7356c23151c1e7751507c786d9ee1794170a8c8e8\n\nDecrypt = RSA-OAEP-2\nRSAPadding = OAEP\nMGF1Digest ",
- "= SHA1\nInput = 0181af8922b9fcb4d79d92ebe19815992fc0c1439d8bcd491398a0f4ad3a329a5bd9385560db532683c8b7da04e4b12aed6aacdf471c34c9cda891addcc2df3456653aa6382e9ae59b54455257eb099d562bbe10453f2b6d13c59c02e10f1f8abb5da0d0570932dacf2d0901db729d0fefcc054e70968ea540c81b04bcaefe720e\nOutput = 8ff00caa605c702830634d9a6c3d42c652b58cf1d92fec570beee7\n\nDecrypt = RSA-OAEP-2\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 018759ff1df63b2792410562314416a8aeaf2ac634b46f940ab82d64dbf165eee33011da749d4bab6e2fcd18129c9e49277d8453112b429a222a8471b070993998e758861c4d3f6d749d91c4290d332c7a4ab3f7ea35ff3a07d497c955ff0ffc95006b62c6d296810d9bfab024196c7934012c2df978ef299aba239940cba10245\nOutput = 2d\n\nDecrypt = RSA-OAEP-2\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 018802bab04c60325e81c4962311f2be7c2adce93041a00719c88f957575f2c79f1b7bc8ced115c706b311c08a2d986ca3b6a9336b147c29c6f229409ddec651bd1fdd5a0b7f610c9937fdb4a3a762364b8b3206b4ea485fd098d08f63d4aa8bb2697d027b750c32d7f74eaf5180d2e9b66b17cb2fa55523bc280da10d14be2053\nOutput = 74fc88c51bc90f77af9d5e9a4a70133d4b4e0b34da3c37c7ef8e\n\nDecrypt = RSA-OAEP-2\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 00a4578cbc176318a638fba7d01df15746af44d4f6cd96d7e7c495cbf425b09c649d32bf886da48fbaf989a2117187cafb1fb580317690e3ccd446920b7af82b31db5804d87d01514acbfa9156e782f867f6bed9449e0e9a2c09bcecc6aa087636965e34b3ec766f2fe2e43018a2fddeb140616a0e9d82e5331024ee0652fc7641\nOutput = a7eb2a5036931d27d4e891326d99692ffadda9bf7efd3e34e622c4adc085f721dfe885072c78a203b151739be540fa8c153a10f00a\n\nDecrypt = RSA-OAEP-2\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 00ebc5f5fda77cfdad3c83641a9025e77d72d8a6fb33a810f5950f8d74c73e8d931e8634d86ab1246256ae07b6005b71b7f2fb98351218331ce69b8ffbdc9da08bbc9c704f876deb9df9fc2ec065cad87f9090b07acc17aa7f997b27aca48806e897f771d95141fe4526d8a5301b678627efab707fd40fbebd6e792a25613e7aec\nOutput = 2ef2b066f854c33f3bdcbb5994a435e73d6c6c\n\nDecrypt = RSA-OAEP-2\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 010839ec20c27b9052e55befb9b77e6fc26e9075d7a54378c646abdf51e445bd5715de81789f56f1803d9170764a9e93cb78798694023ee7393ce04bc5d8f8c5a52c171d43837e3aca62f609eb0aa5ffb0960ef04198dd754f57f7fbe6abf765cf118b4ca443b23b5aab266f952326ac4581100644325f8b721acd5d04ff14ef3a\nOutput = 8a7fb344c8b6cb2cf2ef1f643f9a3218f6e19bba89c0\n\nPrivateKey = RSA-OAEP-3\nType = RSA\nInput = 30820277020100300d06092a864886f70d0101010500048202613082025d02010002818102b58fec039a860700a4d7b6462f93e6cdd491161ddd74f4e810b40e3c1652006a5c277b2774c11305a4cbab5a78efa57e17a86df7a3fa36fc4b1d2249f22ec7c2dd6a463232accea906d66ebe80b5704b10729da6f833234abb5efdd4a292cbfad33b4d33fa7a14b8c397b56e3acd21203428b77cdfa33a6da706b3d8b0fc43e9020301000102818015b48a5b5683a94670e23b5718f814fa0e13f85038f50711182cba61510581f3d22c7e232ef937e22e551d68b86e2f8cb1aad8be2e488f5df7efd279e3f568d4eaf36f80cf7141ace60fcc9113fb6c4a841fd50bbc7c512ffcbeff21487aa811eb3ca8c62005346a86de86bfa1d8a948fd3f348c22eaadf333c3ce6ce13208fd024101bf01d216d73595cf0270c2beb78d40a0d8447d31da919a983f7eea781b77d85fe371b3e9373e7b69217d3150a02d8958de7fad9d555160958b4454127e0e7eaf0241018d3399658166db3829816d7b295416759e9c91987f5b2d8aecd63b04b48bd7b2fcf229bb7f8a6dc88ba13dd2e39ad55b6d1a06160708f9700be80b8fd3744ce7024006c0a249d20a6f2ee75c88b494d53f6aae99aa427c88c28b163a769445e5f390cf40c274fd6ea6329a5ce7c7ce03a2158396ee2a7845786e09e2885a9728e4e5024100d1d27c29fedd92d86c348edd0ccbfac14f746e051ce1d1811df35d61f2ee1c97d4bf2804802f6427187ba8e90a8af44243b4079b03445e602e29fa5193e64fe90241008cb2f756bd8941b1d3b770e5ad31ee373b28acda69ff9b6f40fe578b9f1afb85836f9627d37acff73c2779e634bb26011c2c8f7f3361ae2a9ea65ed689e3639a\n\nDecrypt = RSA-OAEP-3\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 026a0485d96aebd96b4382085099b962e6a2bdec3d90c8db625e14372de85e2d5b7baab65c8faf91bb5504fb495afce5c988b3f6a52e20e1d6cbd3566c5cd1f2b8318bb542cc0ea25c4aab9932afa20760eaddec784396a07ea0ef24d4e6f4d37e5052a7a31e146aa480a111bbe926401307e00f410033842b6d82fe5ce4dfae80\nOutput = 087820b569e8fa8d\n\nDecrypt = RSA-OAEP-3\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 024db89c7802989be0783847863084941bf209d761987e38f97cb5f6f1bc88da72a50b73ebaf11c879c4f95df37b850b8f65d7622e25b1b889e80fe80baca2069d6e0e1d829953fc459069de98ea9798b451e557e99abf8fe3d9ccf9096ebbf3e5255d3b4e1c6d2ecadf067a359eea86405acd47d5e165517ccafd47d6dbee4bf5\nOutput = 4653acaf171960b01f52a7be63a3ab21dc368ec43b50d82ec3781e04\n\nDecrypt = RSA-OAEP-3\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 0239bce681032441528877d6d1c8bb28aa3bc97f1df584563618995797683844ca86664732f4bed7a0aab083aaabfb7238f582e30958c2024e44e57043b97950fd543da977c90cdde5337d618442f99e60d7783ab59ce6dd9d69c47ad1e962bec22d05895cff8d3f64ed5261d92b2678510393484990ba3f7f06818ae6ffce8a3a\nOutput = d94cd0e08fa404ed89\n\nDecrypt = RSA-OAEP-3\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 02994c62afd76f498ba1fd2cf642857fca81f4373cb08f1cbaee6f025c3b512b42c3e8779113476648039dbe0493f9246292fac28950600e7c0f32edf9c81b9dec45c3bde0cc8d8847590169907b7dc5991ceb29bb0714d613d96df0f12ec5d8d3507c8ee7ae78dd83f216fa61de100363aca48a7e914ae9f42ddfbe943b09d9a0\nOutput = 6cc641b6b61e6f963974dad23a9013284ef1\n\nDecrypt = RSA-OAEP-3\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 0162042ff6969592a6167031811a239834ce638abf54fec8b99478122afe2ee67f8c5b18b0339805bfdbc5a4e6720b37c59cfba942464c597ff532a119821545fd2e59b114e61daf71820529f5029cf524954327c34ec5e6f5ba7efcc4de943ab8ad4ed787b1454329f70db798a3a8f4d92f8274e2b2948ade627ce8ee33e43c60\nOutput = df5151832b61f4f25891fb4172f328d2eddf8371ffcfdbe997939295f30eca6918017cfda1153bf7a6af87593223\n\nDecrypt = RSA-OAEP-3\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 00112051e75d064943bc4478075e43482fd59cee0679de6893eec3a943daa490b9691c93dfc0464b6623b9f3dbd3e70083264f034b374f74164e1a00763725e574744ba0b9db83434f31df96f6e2a26f6d8eba348bd4686c2238ac07c37aac3785d1c7eea2f819fd91491798ed8e9cef5e43b781b0e0276e37c43ff9492d005730\nOutput = 3c3bad893c544a6d520ab022319188c8d504b7a788b850903b85972eaa18552e1134a7ad6098826254ff7ab672b3d8eb3158fac6d4cbaef1\n\nPrivateKey = RSA-OAEP-4\nType = RSA\nInput = 30820277020100300d06092a864886f70d0101010500048202613082025d020100028181051240b6cc0004fa48d0134671c078c7c8dec3b3e2f25bc2564467339db38853d06b85eea5b2de353bff42ac2e46bc97fae6ac9618da9537a5c8f553c1e357625991d6108dcd7885fb3a25413f53efcad948cb35cd9b9ae9c1c67626d113d57dde4c5bea76bb5bb7de96c00d07372e9685a6d75cf9d239fa148d70931b5f3fb03902030100010281800411ffca3b7ca5e9e9be7fe38a85105e353896db05c5796aecd2a725161eb3651c8629a9b862b904d7b0c7b37f8cb5a1c2b54001018a00a1eb2cafe4ee4e9492c348bc2bedab4b9ebbf064e8eff322b9009f8eec653905f40df88a3cdc49d4567f75627d41aca624129b46a0b7c698e5e65f2b7ba102c749a10135b6540d04010241027458c19ec1636919e736c9af25d609a51b8f561d19c6bf6943dd1ee1ab8a4a3f232100bd40b88decc6ba235548b6ef792a11c9de823d0a7922c7095b6eba570102410210ee9b33ab61716e27d251bd465f4b35a1a232e2da00901c294bf22350ce490d099f642b5375612db63ba1f20386492bf04d34b3c22bceb909d13441b53b5139024039fa028b826e88c1121b750a8b242fa9a35c5b66bdfd1fa637d3cc48a84a4f457a194e7727e49f7bcc6e5a5a412657fc470c7322ebc37416ef458c307a8c09010241015d99a84195943979fa9e1be2c3c1b69f432f46fd03e47d5befbbbfd6b1d1371d83efb330a3e020942b2fed115e5d02be24fd92c9019d1cecd6dd4cf1e54cc899024101f0b7015170b3f5e42223ba30301c41a6d87cbb70e30cb7d3c67d25473db1f6cbf03e3f9126e3e97968279a865b2c2b426524cfc52a683d31ed30eb984be412ba\n\nDecrypt = RSA-OAEP-4\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 04cce19614845e094152a3fe18e54e3330c44e5efbc64ae16886cb1869014cc5781b1f8f9e045384d0112a135ca0d12e9c88a8e4063416deaae3844f60d6e96fe155145f4525b9a34431ca3766180f70e15a5e5d8e8b1a516ff870609f13f896935ced188279a58ed13d07114277d75c6568607e0ab092fd803a223e4a8ee0b1a8\nOutput = 4a86609534ee434a6cbca3f7e962e76d455e3264c19f605f6e5ff6137c65c56d7fb344cd52bc93374f3d166c9f0c6f9c506bad19330972d2\n\nDecrypt = RSA-OAEP-4\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 0097b698c6165645b303486fbf5a2a4479c0ee85889b541a6f0b858d6b6597b13b854eb4f839af03399a80d79bda6578c841f90d645715b280d37143992dd186c80b949b775cae97370e4ec97443136c6da484e970ffdb1323a20847821d3b18381de13bb49aaea66530c4a4b8271f3eae172cd366e07e6636f1019d2a28aed15e\nOutput = b0adc4f3fe11da59ce992773d9059943c03046497ee9d9f9a06df1166db46d98f58d27ec074c02eee6cbe2449c8b9fc5080c5c3f4433092512ec46aa793743c8\n\nDecrypt = RSA-OAEP-4\nRSAPadding = OAEP\nMGF1Digest = SHA1",
- "\nInput = 0301f935e9c47abcb48acbbe09895d9f5971af14839da4ff95417ee453d1fd77319072bb7297e1b55d7561cd9d1bb24c1a9a37c619864308242804879d86ebd001dce5183975e1506989b70e5a83434154d5cbfd6a24787e60eb0c658d2ac193302d1192c6e622d4a12ad4b53923bca246df31c6395e37702c6a78ae081fb9d065\nOutput = bf6d42e701707b1d0206b0c8b45a1c72641ff12889219a82bdea965b5e79a96b0d0163ed9d578ec9ada20f2fbcf1ea3c4089d83419ba81b0c60f3606da99\n\nDecrypt = RSA-OAEP-4\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 02d110ad30afb727beb691dd0cf17d0af1a1e7fa0cc040ec1a4ba26a42c59d0a796a2e22c8f357ccc98b6519aceb682e945e62cb734614a529407cd452bee3e44fece8423cc19e55548b8b994b849c7ecde4933e76037e1d0ce44275b08710c68e430130b929730ed77e09b015642c5593f04e4ffb9410798102a8e96ffdfe11e4\nOutput = fb2ef112f5e766eb94019297934794f7be2f6fc1c58e\n\nDecrypt = RSA-OAEP-4\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 00dbb8a7439d90efd919a377c54fae8fe11ec58c3b858362e23ad1b8a44310799066b99347aa525691d2adc58d9b06e34f288c170390c5f0e11c0aa3645959f18ee79e8f2be8d7ac5c23d061f18dd74b8c5f2a58fcb5eb0c54f99f01a83247568292536583340948d7a8c97c4acd1e98d1e29dc320e97a260532a8aa7a758a1ec2\nOutput = 28ccd447bb9e85166dabb9e5b7d1adadc4b9d39f204e96d5e440ce9ad928bc1c2284\n\nDecrypt = RSA-OAEP-4\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 00a5ffa4768c8bbecaee2db77e8f2eec99595933545520835e5ba7db9493d3e17cddefe6a5f567624471908db4e2d83a0fbee60608fc84049503b2234a07dc83b27b22847ad8920ff42f674ef79b76280b00233d2b51b8cb2703a9d42bfbc8250c96ec32c051e57f1b4ba528db89c37e4c54e27e6e64ac69635ae887d9541619a9\nOutput = f22242751ec6b1\n\nPrivateKey = RSA-OAEP-5\nType = RSA\nInput = 30820279020100300d06092a864886f70d0101010500048202633082025f0201000281810aadf3f9c125e5d891f31ac448e993defe580f802b45f9d7f22ba5021e9c47576b5a1e68031ba9db4e6dabe4d96a1d6f3d267268cff408005f118efcadb99888d1c234467166b2a2b849a05a889c060ac0da0c5fae8b55f309ba62e703742fa0326f2d10b011021489ff497770190d895fd39f52293c39efd73a698bdab9f10ed902030100010281810256eb4cba7067f2d2be540dcdff4582a36b7d31d1c9099bb214b79848466a268f80f58a49ac04c0e3648934a0206c04537c19b236643a6082732144df75fa217588f794682be89168276dc726c5c0cbdb84d31bbf26d0a43af495717f7d528acfee341561f6ff3cae05c578f8470d9682f9c0d072f9f6068b56d5880f682be2c5024103b0d3962f6d17549cbfca11294348dcf0e7e39f8c2bc6824f2164b606d687860dae1e632393cfedf513228229069e2f60e4acd7e633a436063f82385f48993707024102e4c32e2f517269b7072309f00c0e31365f7ce28b236b82912df239abf39572cf0ed604b02982e53564c52d6a05397de5c052a2fddc141ef7189836346aeb331f024101e84b119d25161fa67b00256a5bd9b645d2b232ecb05b015180029a88622adc3f09b3aeacde6161ab7cde22c2ad26e7797df54e072cbd3b2673800b3e4338dbd5024100eb90aa1a40135b4cea07197cedc8819be1e7cbff2547662116f465a4a9f487ab12f3ba4fef13822265a65297d98b7bded9372e3ffe81a38b3e9600fed055754f0241012f7f8138f9404062eb85a42924520b38f5bb886a0196f48bb8dcea60fd92cc027f18e78158a34a5c5d5f860a0f6c04071a7d01312c065062f1eb48b79d1c83cb\n\nDecrypt = RSA-OAEP-5\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 036046a4a47d9ed3ba9a89139c105038eb7492b05a5d68bfd53accff4597f7a68651b47b4a4627d927e485eed7b4566420e8b409879e5d606eae251d22a5df799f7920bfc117b992572a53b1263146bcea03385cc5e853c9a101c8c3e1bda31a519807496c6cb5e5efb408823a352b8fa0661fb664efadd593deb99fff5ed000e5\nOutput = af71a901e3a61d3132f0fc1fdb474f9ea6579257ffc24d164170145b3dbde8\n\nDecrypt = RSA-OAEP-5\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 03d6eb654edce615bc59f455265ed4e5a18223cbb9be4e4069b473804d5de96f54dcaaa603d049c5d94aa1470dfcd2254066b7c7b61ff1f6f6770e3215c51399fd4e34ec5082bc48f089840ad04354ae66dc0f1bd18e461a33cc1258b443a2837a6df26759aa2302334986f87380c9cc9d53be9f99605d2c9a97da7b0915a4a7ad\nOutput = a3b844a08239a8ac41605af17a6cfda4d350136585903a417a79268760519a4b4ac3303ec73f0f87cfb32399\n\nDecrypt = RSA-OAEP-5\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 0770952181649f9f9f07ff626ff3a22c35c462443d905d456a9fd0bff43cac2ca7a9f554e9478b9acc3ac838b02040ffd3e1847de2e4253929f9dd9ee4044325a9b05cabb808b2ee840d34e15d105a3f1f7b27695a1a07a2d73fe08ecaaa3c9c9d4d5a89ff890d54727d7ae40c0ec1a8dd86165d8ee2c6368141016a48b55b6967\nOutput = 308b0ecbd2c76cb77fc6f70c5edd233fd2f20929d629f026953bb62a8f4a3a314bde195de85b5f816da2aab074d26cb6acddf323ae3b9c678ac3cf12fbdde7\n\nDecrypt = RSA-OAEP-5\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 0812b76768ebcb642d040258e5f4441a018521bd96687e6c5e899fcd6c17588ff59a82cc8ae03a4b45b31299af1788c329f7dcd285f8cf4ced82606b97612671a45bedca133442144d1617d114f802857f0f9d739751c57a3f9ee400912c61e2e6992be031a43dd48fa6ba14eef7c422b5edc4e7afa04fdd38f402d1c8bb719abf\nOutput = 15c5b9ee1185\n\nDecrypt = RSA-OAEP-5\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 07b60e14ec954bfd29e60d0047e789f51d57186c63589903306793ced3f68241c743529aba6a6374f92e19e0163efa33697e196f7661dfaaa47aac6bde5e51deb507c72c589a2ca1693d96b1460381249b2cdb9eac44769f2489c5d3d2f99f0ee3c7ee5bf64a5ac79c42bd433f149be8cb59548361640595513c97af7bc2509723\nOutput = 21026e6800c7fa728fcaaba0d196ae28d7a2ac4ffd8abce794f0985f60c8a6737277365d3fea11db8923a2029a\n\nDecrypt = RSA-OAEP-5\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 08c36d4dda33423b2ed6830d85f6411ba1dcf470a1fae0ebefee7c089f256cef74cb96ea69c38f60f39abee44129bcb4c92de7f797623b20074e3d9c2899701ed9071e1efa0bdd84d4c3e5130302d8f0240baba4b84a71cc032f2235a5ff0fae277c3e8f9112bef44c9ae20d175fc9a4058bfc930ba31b02e2e4f444483710f24a\nOutput = 541e37b68b6c8872b84c02\n\nPrivateKey = RSA-OAEP-6\nType = RSA\nInput = 30820279020100300d06092a864886f70d0101010500048202633082025f02010002818112b17f6dad2ecd19ff46dc13f7860f09e0e0cfb677b38a52592305ceaf022c166db90d04ac29e33f7dd12d9faf66e0816bb63ead267cc7d46c17c37be214bca2a22d723a64e44407436b6fc965729aefc2554f376cd5dcea68293780a62bf39d0029485a160bbb9e5dc0972d21a504f52e5ee028aa416332f510b2e9cff5f722af02030100010281810295eca3560618369559cecd303aa9cfdafc1d9f06959df75ffef929aa896961bcd190dc6997eda7f5963e724d07b4dc11f3065e5ae97d96835112280b9084bb14f2a21ebd4e889d41b9c4132ec1956fcab8bb2fed0575884936522c5ff7d33261904824e7cadee4e0bb372d2457cf78e2bd1286228ff83f10731ce63c90cff3f9024104a6ce8b7358dfa69bdcf742617005afb5385f5f3a58a24ef74a22a8c05cb7cc38ebd4cc9d9a9d789a62cd0f60f0cb941d3423c9692efa4fe3adff290c4749a38b02410404c9a803371fedb4c5be39f3c00b009e5e08a63be1e40035cdaca5011cc701cf7eebcb99f0ffe17cfd0a4bf7befd2dd536ac946db797fdbc4abe8f29349b91ed024103961c8f760aa2bd5154c7aafd77225b3bacd0139ae7b5948ea3311fccd86fb95c75afa767284b9b2de559572f15d8d044c7eb83a1be5fadf2cc377c0d8475294b0241022197e066742196aabc03fa2feeb4e70b15cb787d617acd31bb75c7bc234ad706f7c48d2182d1f0ff9c228dcf41967b6c0ba6d2c0ad110a1b857831ec245e2cb102410401c4c0c53d45dbdb5e9d96d0fecf4275df0974bc4a0736b4a74c3269053efb686ace2406e22c9e058ddb4ae540627ae2fdb08261e8e7e4bcbc994daafa305c45\n\nDecrypt = RSA-OAEP-6\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 0630eebcd2856c24f798806e41f9e67345eda9ceda386acc9facaea1eeed06ace583709718d9d169fadf414d5c76f92996833ef305b75b1e4b95f662a20faedc3bae0c4827a8bf8a88edbd57ec203a27a841f02e43a615bab1a8cac0701de34debdef62a088089b55ec36ea7522fd3ec8d06b6a073e6df833153bc0aefd93bd1a3\nOutput = 4046ca8baa3347ca27f49e0d81f9cc1d71be9ba517d4\n\nDecrypt = RSA-OAEP-6\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 0ebc37376173a4fd2f89cc55c2ca62b26b11d51c3c7ce49e8845f74e7607317c436bc8d23b9667dfeb9d087234b47bc6837175ae5c0559f6b81d7d22416d3e50f4ac533d8f0812f2db9e791fe9c775ac8b6ad0f535ad9ceb23a4a02014c58ab3f8d3161499a260f39348e714ae2a1d3443208fd8b722ccfdfb393e98011f99e63f\nOutput = 5cc72c60231df03b3d40f9b57931bc31109f972527f28b19e7480c7288cb3c92b22512214e4be6c914792ddabdf57faa8aa7\n\nDecrypt = RSA-OAEP-6\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 0a98bf1093619394436cf68d8f38e2f158fde8ea54f3435f239b8d06b8321844202476aeed96009492480ce3a8d705498c4c8c68f01501dc81db608f60087350c8c3b0bd2e9ef6a81458b7c801b89f2e4fe99d4900ba6a4b5e5a96d865dc676c7755928794130d6280a8160a190f2df3ea7cf9aa0271d88e9e6905ecf1c5152d65\nOutput = b20e651303092f4bccb43070c0f86d23049362ed96642fc5632c27db4a52e3d831f2ab068b23b149879c002f6bf3feee97591112562c\n\nDecrypt = RSA-OAEP-6\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 008e7a67cacfb5c4e24bec7dee149117f19598ce8c45808fef88c608ff9cd6e695263b9a3c0ad4b8ba4c95238e96a8422b8535629c8d5382374479ad13fa39974b242f9a759eeaf9c83ad5a8ca18940a0162ba755876df263f4bd50c6525c56090267c1f0e09ce0899a0cf359e88120abd9bf893445b3cae77d3607359ae9a52f8\nOutput = 684e3038c5c041f7\n\nDe",
- "crypt = RSA-OAEP-6\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 00003474416c7b68bdf961c385737944d7f1f40cb395343c693cc0b4fe63b31fedf1eaeeac9ccc0678b31dc32e0977489514c4f09085f6298a9653f01aea4045ff582ee887be26ae575b73eef7f3774921e375a3d19adda0ca31aa1849887c1f42cac9677f7a2f4e923f6e5a868b38c084ef187594dc9f7f048fea2e02955384ab\nOutput = 32488cb262d041d6e4dd35f987bf3ca696db1f06ac29a44693\n\nDecrypt = RSA-OAEP-6\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 0a026dda5fc8785f7bd9bf75327b63e85e2c0fdee5dadb65ebdcac9ae1de95c92c672ab433aa7a8e69ce6a6d8897fac4ac4a54de841ae5e5bbce7687879d79634cea7a30684065c714d52409b928256bbf53eabcd5231eb7259504537399bd29164b726d33a46da701360a4168a091ccab72d44a62fed246c0ffea5b1348ab5470\nOutput = 50ba14be8462720279c306ba\n\nPrivateKey = RSA-OAEP-7\nType = RSA\nInput = 30820278020100300d06092a864886f70d0101010500048202623082025e020100028181311179f0bcfc9b9d3ca315d00ef30d7bdd3a2cfae9911bfedcb948b3a4782d0732b6ab44aa4bf03741a644dc01bec3e69b01a033e675d8acd7c4925c6b1aec3119051dfd89762d215d45475ffcb59f908148623f37177156f6ae86dd7a7c5f43dc1e1f908254058a284a5f06c0021793a87f1ac5feff7dcaee69c5e51a3789e3730203010001028181070cfcff2feb8276e27432c45dfee48f49b7917d6530e1f0ca3460f32e0276174487c56e22a45d2500d7775495219d7d165a9cf3bd92c32af9a98d8dc9cc296800adc94a0a54fb40f34291bf84ee8ea12b6f109359c6d3542a50f9c767f5cfff05a681c2e656fb77caaadb4be9468d8abcd4df98f58e86d2053fa1349f748e21b102410749262c111cd470ec2566e6b3732fc09329469aa19071d3b9c01906514c6f1d26baa14beab0971c8b7e611a4f79009d6fea776928ca25285b0de3643d1a3f8c71024106bc1e50e96c02bf636e9eea8b899bbebf7651de77dd474c3e9bc23bad8182b61904c7d97dfbebfb1e00108878b6e67e415391d67942c2b2bf9b4435f88b0cb023024103bc7ea7f0aab143abc6ce8b97118636a30172e4cfe02c8fa0dda3b7baaf90f8092982985525f488bdfcb4bd726e22639ac64a3092ab7ffcbf1d5334cfa50b5bf102410262a6aa29c2a3c67dc5346c06381afd987aa3cc93cfbfecf54fdd9f9d787d7f59a523d398979da137a2f6381fe94801f7c94da21518dc34cb40870c4697994ad90240649d4c17b6ee1721e772d0389a559c3d3cdf9550d457c46b037b74641b1d52166af8a213c8396206cdfba4422f18d6f61dbcb5d214c971bf482aeb976a7370c2\n\nDecrypt = RSA-OAEP-7\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 1688e4ce7794bba6cb7014169ecd559cede2a30b56a52b68d9fe18cf1973ef97b2a03153951c755f6294aa49adbdb55845ab6875fb3986c93ecf927962840d282f9e54ce8b690f7c0cb8bbd73440d9571d1b16cd9260f9eab4783cc482e5223dc60973871783ec27b0ae0fd47732cbc286a173fc92b00fb4ba6824647cd93c85c1\nOutput = 47aae909\n\nDecrypt = RSA-OAEP-7\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 1052ed397b2e01e1d0ee1c50bf24363f95e504f4a03434a08fd822574ed6b9736edbb5f390db10321479a8a139350e2bd4977c3778ef331f3e78ae118b268451f20a2f01d471f5d53c566937171b2dbc2d4bde459a5799f0372d6574239b2323d245d0bb81c286b63c89a361017337e4902f88a467f4c7f244bfd5ab46437ff3b6\nOutput = 1d9b2e2223d9bc13bfb9f162ce735db48ba7c68f6822a0a1a7b6ae165834e7\n\nDecrypt = RSA-OAEP-7\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 2155cd843ff24a4ee8badb7694260028a490813ba8b369a4cbf106ec148e5298707f5965be7d101c1049ea8584c24cd63455ad9c104d686282d3fb803a4c11c1c2e9b91c7178801d1b6640f003f5728df007b8a4ccc92bce05e41a27278d7c85018c52414313a5077789001d4f01910b72aad05d220aa14a58733a7489bc54556b\nOutput = d976fc\n\nDecrypt = RSA-OAEP-7\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 0ab14c373aeb7d4328d0aaad8c094d88b9eb098b95f21054a29082522be7c27a312878b637917e3d819e6c3c568db5d843802b06d51d9e98a2be0bf40c031423b00edfbff8320efb9171bd2044653a4cb9c5122f6c65e83cda2ec3c126027a9c1a56ba874d0fea23f380b82cf240b8cf540004758c4c77d934157a74f3fc12bfac\nOutput = d4738623df223aa43843df8467534c41d013e0c803c624e263666b239bde40a5f29aeb8de79e3daa61dd0370f49bd4b013834b98212aef6b1c5ee373b3cb\n\nDecrypt = RSA-OAEP-7\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 028387a318277434798b4d97f460068df5298faba5041ba11761a1cb7316b24184114ec500257e2589ed3b607a1ebbe97a6cc2e02bf1b681f42312a33b7a77d8e7855c4a6de03e3c04643f786b91a264a0d6805e2cea91e68177eb7a64d9255e4f27e713b7ccec00dc200ebd21c2ea2bb890feae4942df941dc3f97890ed347478\nOutput = bb47231ca5ea1d3ad46c99345d9a8a61\n\nDecrypt = RSA-OAEP-7\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 14c678a94ad60525ef39e959b2f3ba5c097a94ff912b67dbace80535c187abd47d075420b1872152bba08f7fc31f313bbf9273c912fc4c0149a9b0cfb79807e346eb332069611bec0ff9bcd168f1f7c33e77313cea454b94e2549eecf002e2acf7f6f2d2845d4fe0aab2e5a92ddf68c480ae11247935d1f62574842216ae674115\nOutput = 2184827095d35c3f86f600e8e59754013296\n\nPrivateKey = RSA-OAEP-8\nType = RSA\nInput = 30820279020100300d06092a864886f70d0101010500048202633082025f0201000281815bdf0e30d321dda5147f882408fa69195480df8f80d3f6e8bf5818504f36427ca9b1f5540b9c65a8f6974cf8447a244d9280201bb49fcbbe6378d1944cd227e230f96e3d10f819dcef276c64a00b2a4b6701e7d01de5fabde3b1e9a0df82f4631359cd22669647fbb1717246134ed7b497cfffbdc42b59c73a96ed90166212dff702030100010281810f7d1e9e5aaa25fd13e4a0663ae144e0d15f5cd18bcdb09df2cc7e64e3c5e915ad62645304161d098c715bb7ab8bd01d07eaf3fed7c7ed08af2a8a62ef44ab16b320e14af72a48f96afe262a0ae4cf65e635e910790cd4ee5cea768a4b2639f7e6f677b3f0bb6be32b75747d8909036f0264f58d401cdba131716157a75ecf633102410a02ef8448d9fad8bbd0d004c8c2aa9751ef9721c1b0d03236a54b0df947cbaed5a255ee9e8e20d491ea1723fe094704a9762e88afd16ebb5994412ca966dc4f9f0241092d362e7ed3a0bfd9e9fd0e6c0301b6df29159cf50cc83b9b0cf4d6eea71a61e002b46e0ae9f2de62d25b5d7452d498b81c9ac6fc58593d4c3fb4f5d72dfbb0a9024107c71410af103962db367404e37ae850baa4e9c29dd92145815294a67c7d1c6ded263aa030a9b633ae50303e14035d1af014123eba687820308d8ebc85b6957d7d024100ae2c75380c02c016ad05891b3301de881f28ae1171182b6b2c83bea7c515eca9ca298c7b1cab5817a597068fc85060de4da8a016378aae43c7f967bcc37904b902410598d1059e3ada4f6320752c09d805ff7d1f1ae0d017aeeee9cefa0d7dd7ff775e44b578322f6405d6211da19519666aa87fdc4cd8c88f6b6e3d67e961dcbba3d0\n\nDecrypt = RSA-OAEP-8\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 09b3683d8a2eb0fb295b62ed1fb9290b714457b7825319f4647872af889b30409472020ad12912bf19b11d4819f49614824ffd84d09c0a17e7d17309d12919790410aa2995699f6a86dbe3242b5acc23af45691080d6b1ae810fb3e3057087f0970092ce00be9562ff4053b6262ce0caa93e13723d2e3a5ba075d45f0d61b54b61\nOutput = 050b755e5e6880f7b9e9d692a74c37aae449b31bfea6deff83747a897f6c2c825bb1adbf850a3c96994b5de5b33cbc7d4a17913a7967\n\nDecrypt = RSA-OAEP-8\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 2ecf15c97c5a15b1476ae986b371b57a24284f4a162a8d0c8182e7905e792256f1812ba5f83f1f7a130e42dcc02232844edc14a31a68ee97ae564a383a3411656424c5f62ddb646093c367be1fcda426cf00a06d8acb7e57776fbbd855ac3df506fc16b1d7c3f2110f3d8068e91e186363831c8409680d8da9ecd8cf1fa20ee39d\nOutput = 4eb68dcd93ca9b19df111bd43608f557026fe4aa1d5cfac227a3eb5ab9548c18a06dded23f81825986b2fcd71109ecef7eff88873f075c2aa0c469f69c92bc\n\nDecrypt = RSA-OAEP-8\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 4bc89130a5b2dabb7c2fcf90eb5d0eaf9e681b7146a38f3173a3d9cfec52ea9e0a41932e648a9d69344c50da763f51a03c95762131e8052254dcd2248cba40fd31667786ce05a2b7b531ac9dac9ed584a59b677c1a8aed8c5d15d68c05569e2be780bf7db638fd2bfd2a85ab276860f3777338fca989ffd743d13ee08e0ca9893f\nOutput = 8604ac56328c1ab5ad917861\n\nDecrypt = RSA-OAEP-8\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 2e456847d8fc36ff0147d6993594b9397227d577752c79d0f904fcb039d4d812fea605a7b574dd82ca786f93752348438ee9f5b5454985d5f0e1699e3e7ad175a32e15f03deb042ab9fe1dd9db1bb86f8c089ccb45e7ef0c5ee7ca9b7290ca6b15bed47039788a8a93ff83e0e8d6244c71006362deef69b6f416fb3c684383fbd0\nOutput = fdda5fbf6ec361a9d9a4ac68af216a0686f438b1e0e5c36b955f74e107f39c0dddcc\n\nDecrypt = RSA-OAEP-8\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 1fb9356fd5c4b1796db2ebf7d0d393cc810adf6145defc2fce714f79d93800d5e2ac211ea8bbecca4b654b94c3b18b30dd576ce34dc95436ef57a09415645923359a5d7b4171ef22c24670f1b229d3603e91f76671b7df97e7317c97734476d5f3d17d21cf82b5ba9f83df2e588d36984fd1b584468bd23b2e875f32f68953f7b2\nOutput = 4a5f4914bee25de3c69341de07\n\nDecrypt = RSA-OAEP-8\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 3afd9c6600147b21798d818c655a0f4c9212db26d0b0dfdc2a7594ccb3d22f5bf1d7c3e112cd73fc7d509c7a8bafdd3c274d1399009f9609ec4be6477e453f075aa33db382870c1c3409aef392d7386ae3a696b99a94b4da0589447e955d16c98b17602a59bd736279fcd8fb280c4462d590bfa9bf13fed570eafde97330a2c210\nOutput = 8e07d66f7b880a72563abcd3f35092bc33409fb7f88f2472be\n\nPrivateKey = RSA-OAEP-9\nType = RSA\nInput = 30820397020100300d06092a864886f70d0101010500048203813082037d0201000281c100cf2cd41",
- "e34ca3a728ea5cb8aff64c36d27bdef5364e336fd68d3123c5a196a8c287013e853d5156d58d151954520fb4f6d7b17abb6817765909c576119659d902b1906ed8a2b10c155c24d124528dab9eeae379beac66e4a411786dcb8fd0062ebc030de1219a04c2a8c1b7dd3131e4d6b6caee2e31a5ed41ac1509b2ef1ee2ab18364be568ca941c25ecc84ff9d643b5ec1aaae102a20d73f479b780fd6da91075212d9eac03a0674d899eba2e431f4c44b615b6ba2232bd4b33baed73d625d02030100010281c0198c141e23715a92bccf6a119a5bc11389468d2811f548d727e17b4ab0eb986d6f211efb53b71f7ccbea87ee69c75ee615008c5332deb52bf390abdfbfe37d7205368159b2638c1de326e21d22251f0fb5848b3bf15005d2a74330f0afe916ee62ccc1344d1d83a709e60676273840f7f377424a5e0a4da75f01b31ff76819cf9cbfdd215243c3917c03ef38199312e567b3bf7aed3ab457f371ef8a1423f45b68c6e282ec111bba2833b987fd69fad83bc1b8c613c5e1ea16c11ed125ea7ec1026100fc8d6c04bec4eb9a8192ca7900cbe536e2e8b519decf33b2459798c6909df4f176db7d23190fc72b8865a718af895f1bcd9145298027423b605e70a47cf58390a8c3e88fc8c48e8b32e3da210dfbe3e881ea5674b6a348c21e93f9e55ea65efd026100d200d45e788aacea606a401d0460f87dd5c1027e12dc1a0d7586e8939d9cf789b40f51ac0442961de7d21cc21e05c83155c1f2aa9193387cfdf956cb48d153ba270406f9bbba537d4987d9e2f9942d7a14cbfffea74fecdda928d23e259f5ee1026100db16802f79a2f0d45f358d69fd33e44b81fae828622e93a54253e997d01b0743759da0e812b4aa4e6c8beab2328d5431955a418a67ff26a8c5c807a5da354e05ef31cc8cf758f463732950b03e265726fb94e39d6a572a26244ab08db75752ad026100a0a317cfe7df1423f87a6dee8451f4e2b4a67e5497f29b4f1e4e830b9fadd9401167026f5596e5a39c97817e0f5f16e27e19ec9902e01d7ea6fb9aa3c760afee1e381b69de6ac9c07585a06ad9c4ba00bf75c8ad2fa898a479e80ae294fed2a102600b21f335c353342eb44c3aa24445780c2d655b940174cae38c7c8a4e6493c0ba9fd303748267b083b9a7a6cb61e42db362b8c9896db7064e02ad5ae61587da15b4649c90594909feb37dbcb654beb7268ec801e5a8b4aa3911bebd88542f05be\n\nDecrypt = RSA-OAEP-9\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 267bcd118acab1fc8ba81c85d73003cb8610fa55c1d97da8d48a7c7f06896a4db751aa284255b9d36ad65f37653d829f1b37f97b8001942545b2fc2c55a7376ca7a1be4b1760c8e05a33e5aa2526b8d98e317088e7834c755b2a59b12631a182c05d5d43ab1779264f8456f515ce57dfdf512d5493dab7b7338dc4b7d78db9c091ac3baf537a69fc7f549d979f0eff9a94fda4169bd4d1d19a69c99e33c3b55490d501b39b1edae118ff6793a153261584d3a5f39f6e682e3d17c8cd1261fa72\nOutput = f735fd55ba92592c3b52b8f9c4f69aaa1cbef8fe88add095595412467f9cf4ec0b896c59eda16210e7549c8abb10cdbc21a12ec9b6b5b8fd2f10399eb6\n\nDecrypt = RSA-OAEP-9\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 93ac9f0671ec29acbb444effc1a5741351d60fdb0e393fbf754acf0de49761a14841df7772e9bc82773966a1584c4d72baea00118f83f35cca6e537cbd4d811f5583b29783d8a6d94cd31be70d6f526c10ff09c6fa7ce069795a3fcd0511fd5fcb564bcc80ea9c78f38b80012539d8a4ddf6fe81e9cddb7f50dbbbbcc7e5d86097ccf4ec49189fb8bf318be6d5a0715d516b49af191258cd32dc833ce6eb4673c03a19bbace88cc54895f636cc0c1ec89096d11ce235a265ca1764232a689ae8\nOutput = 81b906605015a63aabe42ddf11e1978912f5404c7474b26dce3ed482bf961ecc818bf420c54659\n\nDecrypt = RSA-OAEP-9\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 81ebdd95054b0c822ef9ad7693f5a87adfb4b4c4ce70df2df84ed49c04da58ba5fc20a19e1a6e8b7a3900b22796dc4e869ee6b42792d15a8eceb56c09c69914e813cea8f6931e4b8ed6f421af298d595c97f4789c7caa612c7ef360984c21b93edc5401068b5af4c78a8771b984d53b8ea8adf2f6a7d4a0ba76c75e1dd9f658f20ded4a46071d46d7791b56803d8fea7f0b0f8e41ae3f09383a6f9585fe7753eaaffd2bf94563108beecc207bbb535f5fcc705f0dde9f708c62f49a9c90371d3\nOutput = fd326429df9b890e09b54b18b8f34f1e24\n\nDecrypt = RSA-OAEP-9\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = bcc35f94cde66cb1136625d625b94432a35b22f3d2fa11a613ff0fca5bd57f87b902ccdc1cd0aebcb0715ee869d1d1fe395f6793003f5eca465059c88660d446ff5f0818552022557e38c08a67ead991262254f10682975ec56397768537f4977af6d5f6aaceb7fb25dec5937230231fd8978af49119a29f29e424ab8272b47562792d5c94f774b8829d0b0d9f1a8c9eddf37574d5fa248eefa9c5271fc5ec2579c81bdd61b410fa61fe36e424221c113addb275664c801d34ca8c6351e4a858\nOutput = f1459b5f0c92f01a0f723a2e5662484d8f8c0a20fc29dad6acd43bb5f3effdf4e1b63e07fdfe6628d0d74ca19bf2d69e4a0abf86d293925a796772f8088e\n\nDecrypt = RSA-OAEP-9\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 232afbc927fa08c2f6a27b87d4a5cb09c07dc26fae73d73a90558839f4fd66d281b87ec734bce237ba166698ed829106a7de6942cd6cdce78fed8d2e4d81428e66490d036264cef92af941d3e35055fe3981e14d29cbb9a4f67473063baec79a1179f5a17c9c1832f2838fd7d5e59bb9659d56dce8a019edef1bb3accc697cc6cc7a778f60a064c7f6f5d529c6210262e003de583e81e3167b89971fb8c0e15d44fffef89b53d8d64dd797d159b56d2b08ea5307ea12c241bd58d4ee278a1f2e\nOutput = 53e6e8c729d6f9c319dd317e74b0db8e4ccca25f3c8305746e137ac63a63ef3739e7b595abb96e8d55e54f7bd41ab433378ffb911d\n\nDecrypt = RSA-OAEP-9\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 438cc7dc08a68da249e42505f8573ba60e2c2773d5b290f4cf9dff718e842081c383e67024a0f29594ea987b9d25e4b738f285970d195abb3a8c8054e3d79d6b9c9a8327ba596f1259e27126674766907d8d582ff3a8476154929adb1e6d1235b2ccb4ec8f663ba9cc670a92bebd853c8dbf69c6436d016f61add836e94732450434207f9fd4c43dec2a12a958efa01efe2669899b5e604c255c55fb7166de5589e369597bb09168c06dd5db177e06a1740eb2d5c82faeca6d92fcee9931ba9f\nOutput = b6b28ea2198d0c1008bc64\n\nPrivateKey = RSA-OAEP-10\nType = RSA\nInput = 308204bd020100300d06092a864886f70d0101010500048204a7308204a30201000282010100ae45ed5601cec6b8cc05f803935c674ddbe0d75c4c09fd7951fc6b0caec313a8df39970c518bffba5ed68f3f0d7f22a4029d413f1ae07e4ebe9e4177ce23e7f5404b569e4ee1bdcf3c1fb03ef113802d4f855eb9b5134b5a7c8085adcae6fa2fa1417ec3763be171b0c62b760ede23c12ad92b980884c641f5a8fac26bdad4a03381a22fe1b754885094c82506d4019a535a286afeb271bb9ba592de18dcf600c2aeeae56e02f7cf79fc14cf3bdc7cd84febbbf950ca90304b2219a7aa063aefa2c3c1980e560cd64afe779585b6107657b957857efde6010988ab7de417fc88d8f384c4e6e72c3f943e0c31c0c4a5cc36f879d8a3ac9d7d59860eaada6b83bb020301000102820100056b04216fe5f354ac77250a4b6b0c8525a85c59b0bd80c56450a22d5f438e596a333aa875e291dd43f48cb88b9d5fc0d499f9fcd1c397f9afc070cd9e398c8d19e61db7c7410a6b2675dfbf5d345b804d201add502d5ce2dfcb091ce9997bbebe57306f383e4d588103f036f7e85d1934d152a323e4a8db451d6f4a5b1b0f102cc150e02feee2b88dea4ad4c1baccb24d84072d14e1d24a6771f7408ee30564fb86d4393a34bcf0b788501d193303f13a2284b001f0f649eaf79328d4ac5c430ab4414920a9460ed1b7bc40ec653e876d09abc509ae45b525190116a0c26101848298509c1c3bf3a483e7274054e15e97075036e989f60932807b5257751e7902818100ecf5aecd1e5515fffacbd75a2816c6ebf49018cdfb4638e185d66a7396b6f8090f8018c7fd95cc34b857dc17f0cc6516bb1346ab4d582cadad7b4103352387b70338d084047c9d9539b6496204b3dd6ea442499207bec01f964287ff6336c3984658336846f56e46861881c10233d2176bf15a5e96ddc780bc868aa77d3ce76902818100bc46c464fc6ac4ca783b0eb08a3c841b772f7e9b2f28babd588ae885e1a0c61e4858a0fb25ac299990f35be85164c259ba1175cdd7192707135184992b6c29b746dd0d2cabe142835f7d148cc161524b4a09946d48b828473f1ce76b6cb6886c345c03e05f41d51b5c3a90a3f24073c7d74a4fe25d9cf21c75960f3fc386318302818100c73564571d00fb15d08a3de9957a50915d7126e9442dacf42bc82e862e5673ff6a008ed4d2e374617df89f17a160b43b7fda9cb6b6b74218609815f7d45ca263c159aa32d272d127faf4bc8ca2d77378e8aeb19b0ad7da3cb3de0ae7314980f62b6d4b0a875d1df03c1bae39ccd833ef6cd7e2d9528bf084d1f969e794e9f6c10281802658b37f6df9c1030be1db68117fa9d87e39ea2b693b7e6d3a2f70947413eec6142e18fb8dfcb6ac545d7c86a0ad48f8457170f0efb26bc48126c53efd1d16920198dc2a1107dc282db6a80cd3062360ba3fa13f70e4312ff1a6cd6b8fc4cd9c5c3db17c6d6a57212f73ae29f619327bad59b153858585ba4e28b60a62a45e490281806f38526b3925085534ef3e415a836ede8b86158a2c7cbfeccb0bd834304fec683ba8d4f479c433d43416e63269623cea100776d85aff401d3fff610ee65411ce3b1363d63a9709eede42647cea561493d54570a879c18682cd97710b96205ec31117d73b5f36223fadd6e8ba90dd7c0ee61d44e163251e20c7f66eb305117cb8\n\nDecrypt = RSA-OAEP-10\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 53ea5dc08cd260fb3b858567287fa91552c30b2febfba213f0ae87702d068d19bab07fe574523dfb42139d68c3c5afeee0bfe4cb7969cbf382b804d6e61396144e2d0e60741f8993c3014b58b9b1957a8babcd23af854f4c356fb1662aa72bfcc7e586559dc4280d160c126785a723ebeebeff71f11594440aaef87d10793a8774a239d4a04c87fe1467b9daf85208ec6c7255794a96cc29142f9a8bd418e3c1fd67344b0cd0829df3b2bec60253196293c6b34d3f75d32f213dd45c6273d505adf4cced1057cb758fc26aeefa441255ed4e64c199ee075e7f16646182fdb464739b68ab5daff0e63e9552016824f054bf4d3c8c90a97bb6b6553284eb429fcc\nOutput = 8bba6bf82a6c0f86d5f1756e97956870b08953b06b4eb205bc1694ee\n\nDecrypt = RSA-OAEP-10\nRSAPadding = OAEP\nMGF1Dig",
- "est = SHA1\nInput = a2b1a430a9d657e2fa1c2bb5ed43ffb25c05a308fe9093c01031795f5874400110828ae58fb9b581ce9dddd3e549ae04a0985459bde6c626594e7b05dc4278b2a1465c1368408823c85e96dc66c3a30983c639664fc4569a37fe21e5a195b5776eed2df8d8d361af686e750229bbd663f161868a50615e0c337bec0ca35fec0bb19c36eb2e0bbcc0582fa1d93aacdb061063f59f2ce1ee43605e5d89eca183d2acdfe9f81011022ad3b43a3dd417dac94b4e11ea81b192966e966b182082e71964607b4f8002f36299844a11f2ae0faeac2eae70f8f4f98088acdcd0ac556e9fccc511521908fad26f04c64201450305778758b0538bf8b5bb144a828e629795\nOutput = e6ad181f053b58a904f2457510373e57\n\nDecrypt = RSA-OAEP-10\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 9886c3e6764a8b9a84e84148ebd8c3b1aa8050381a78f668714c16d9cfd2a6edc56979c535d9dee3b44b85c18be8928992371711472216d95dda98d2ee8347c9b14dffdff84aa48d25ac06f7d7e65398ac967b1ce90925f67dce049b7f812db0742997a74d44fe81dbe0e7a3feaf2e5c40af888d550ddbbe3bc20657a29543f8fc2913b9bd1a61b2ab2256ec409bbd7dc0d17717ea25c43f42ed27df8738bf4afc6766ff7aff0859555ee283920f4c8a63c4a7340cbafddc339ecdb4b0515002f96c932b5b79167af699c0ad3fccfdf0f44e85a70262bf2e18fe34b850589975e867ff969d48eabf212271546cdc05a69ecb526e52870c836f307bd798780ede\nOutput = 510a2cf60e866fa2340553c94ea39fbc256311e83e94454b4124\n\nDecrypt = RSA-OAEP-10\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 6318e9fb5c0d05e5307e1683436e903293ac4642358aaa223d7163013aba87e2dfda8e60c6860e29a1e92686163ea0b9175f329ca3b131a1edd3a77759a8b97bad6a4f8f4396f28cf6f39ca58112e48160d6e203daa5856f3aca5ffed577af499408e3dfd233e3e604dbe34a9c4c9082de65527cac6331d29dc80e0508a0fa7122e7f329f6cca5cfa34d4d1da417805457e008bec549e478ff9e12a763c477d15bbb78f5b69bd57830fc2c4ed686d79bc72a95d85f88134c6b0afe56a8ccfbc855828bb339bd17909cf1d70de3335ae07039093e606d655365de6550b872cd6de1d440ee031b61945f629ad8a353b0d40939e96a3c450d2a8d5eee9f678093c8\nOutput = bcdd190da3b7d300df9a06e22caae2a75f10c91ff667b7c16bde8b53064a2649a94045c9\n\nDecrypt = RSA-OAEP-10\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 75290872ccfd4a4505660d651f56da6daa09ca1301d890632f6a992f3d565cee464afded40ed3b5be9356714ea5aa7655f4a1366c2f17c728f6f2c5a5d1f8e28429bc4e6f8f2cff8da8dc0e0a9808e45fd09ea2fa40cb2b6ce6ffff5c0e159d11b68d90a85f7b84e103b09e682666480c657505c0929259468a314786d74eab131573cf234bf57db7d9e66cc6748192e002dc0deea930585f0831fdcd9bc33d51f79ed2ffc16bcf4d59812fcebcaa3f9069b0e445686d644c25ccf63b456ee5fa6ffe96f19cdf751fed9eaf35957754dbf4bfea5216aa1844dc507cb2d080e722eba150308c2b5ff1193620f1766ecf4481bafb943bd292877f2136ca494aba0\nOutput = a7dd6c7dc24b46f9dd5f1e91ada4c3b3df947e877232a9\n\nDecrypt = RSA-OAEP-10\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 2d207a73432a8fb4c03051b3f73b28a61764098dfa34c47a20995f8115aa6816679b557e82dbee584908c6e69782d7deb34dbd65af063d57fca76a5fd069492fd6068d9984d209350565a62e5c77f23038c12cb10c6634709b547c46f6b4a709bd85ca122d74465ef97762c29763e06dbc7a9e738c78bfca0102dc5e79d65b973f28240caab2e161a78b57d262457ed8195d53e3c7ae9da021883c6db7c24afdd2322eac972ad3c354c5fcef1e146c3a0290fb67adf007066e00428d2cec18ce58f9328698defef4b2eb5ec76918fde1c198cbb38b7afc67626a9aefec4322bfd90d2563481c9a221f78c8272c82d1b62ab914e1c69f6af6ef30ca5260db4a46\nOutput = eaf1a73a1b0c4609537de69cd9228bbcfb9a8ca8c6c3efaf056fe4a7f4634ed00b7c39ec6922d7b8ea2c04ebac\n\n\n# Single-shot signing tests.\n\nSignMessage = RSA-2048\nDigest = SHA256\nInput = \"Hello world\"\nOutput = 301894798b49d6ec55d32dcc74314f04230591a515781f3eb4492f5324b56046836c4bc3e25942af341e88558cb4c3814a849207575d343189147989b16e296b5138dbbc717116dc416f201dfa35943d15060493953cda1f04a13ff89845cf7fd69e1a78d5d38522a77bb234e5d0ba2ae17ada6e22fdae27a4052fdb8ac267507dfe06ed7a865e61a52b530bbbf65c7caa89739613df10ae3b0e62ff6831ee0770086aad39c329462aede9f1b29a501bc3d09e0fe4034aa5d6831d44491d508111d88a1d7ba50cee5ef7e701b3a589adc09a752a974a6805956f4a1a0582f66309a1e02e9fb6b10d2c820fe98bb2eb04f435bc8a649cc9ab6c5a4c03e83800d1\n\nVerifyMessage = RSA-2048\nDigest = SHA256\nInput = \"Hello world\"\nOutput = 301894798b49d6ec55d32dcc74314f04230591a515781f3eb4492f5324b56046836c4bc3e25942af341e88558cb4c3814a849207575d343189147989b16e296b5138dbbc717116dc416f201dfa35943d15060493953cda1f04a13ff89845cf7fd69e1a78d5d38522a77bb234e5d0ba2ae17ada6e22fdae27a4052fdb8ac267507dfe06ed7a865e61a52b530bbbf65c7caa89739613df10ae3b0e62ff6831ee0770086aad39c329462aede9f1b29a501bc3d09e0fe4034aa5d6831d44491d508111d88a1d7ba50cee5ef7e701b3a589adc09a752a974a6805956f4a1a0582f66309a1e02e9fb6b10d2c820fe98bb2eb04f435bc8a649cc9ab6c5a4c03e83800d1\n\nVerifyMessage = RSA-2048-SPKI\nDigest = SHA256\nInput = \"Hello world\"\nOutput = 301894798b49d6ec55d32dcc74314f04230591a515781f3eb4492f5324b56046836c4bc3e25942af341e88558cb4c3814a849207575d343189147989b16e296b5138dbbc717116dc416f201dfa35943d15060493953cda1f04a13ff89845cf7fd69e1a78d5d38522a77bb234e5d0ba2ae17ada6e22fdae27a4052fdb8ac267507dfe06ed7a865e61a52b530bbbf65c7caa89739613df10ae3b0e62ff6831ee0770086aad39c329462aede9f1b29a501bc3d09e0fe4034aa5d6831d44491d508111d88a1d7ba50cee5ef7e701b3a589adc09a752a974a6805956f4a1a0582f66309a1e02e9fb6b10d2c820fe98bb2eb04f435bc8a649cc9ab6c5a4c03e83800d1\n\nVerifyMessage = P-256\nDigest = SHA256\nInput = \"Hello world\"\nOutput = 304502204c66004635c267394bd6857c1e0b53b22a2bab1ca7dff9d5c1b42143858b3ea7022100ae81228510e03cd49a8863d2ebd1c05fe0c87eacd1150433132b909994cd0dbd\n\n# Digest can't be omitted in many algorithms.\nSignMessage = RSA-2048\nInput = \"Hello world\"\nError = NO_DEFAULT_DIGEST\n\nVerifyMessage = RSA-2048\nInput = \"Hello world\"\nOutput = 301894798b49d6ec55d32dcc74314f04230591a515781f3eb4492f5324b56046836c4bc3e25942af341e88558cb4c3814a849207575d343189147989b16e296b5138dbbc717116dc416f201dfa35943d15060493953cda1f04a13ff89845cf7fd69e1a78d5d38522a77bb234e5d0ba2ae17ada6e22fdae27a4052fdb8ac267507dfe06ed7a865e61a52b530bbbf65c7caa89739613df10ae3b0e62ff6831ee0770086aad39c329462aede9f1b29a501bc3d09e0fe4034aa5d6831d44491d508111d88a1d7ba50cee5ef7e701b3a589adc09a752a974a6805956f4a1a0582f66309a1e02e9fb6b10d2c820fe98bb2eb04f435bc8a649cc9ab6c5a4c03e83800d1\nError = NO_DEFAULT_DIGEST\n\n# Signing test vectors from RFC 8032.\nSignMessage = Ed25519\nInput = \"\"\nOutput = e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e065224901555fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b\n\nSignMessage = Ed25519-2\nInput = 72\nOutput = 92a009a9f0d4cab8720e820b5f642540a2b27b5416503f8fb3762223ebdb69da085ac1e43e15996e458f3613d0f11d8c387b2eaeb4302aeeb00d291612bb0c00\n\nSignMessage = Ed25519-3\nInput = af82\nOutput = 6291d657deec24024827e69c3abe01a30ce548a284743a445e3680d7db5ac3ac18ff9b538d16f290ae67f760984dc6594a7c15e9716ed28dc027beceea1ec40a\n\nSignMessage = Ed25519-4\nInput = 08b8b2b733424243760fe426a4b54908632110a66c2f6591eabd3345e3e4eb98fa6e264bf09efe12ee50f8f54e9f77b1e355f6c50544e23fb1433ddf73be84d879de7c0046dc4996d9e773f4bc9efe5738829adb26c81b37c93a1b270b20329d658675fc6ea534e0810a4432826bf58c941efb65d57a338bbd2e26640f89ffbc1a858efcb8550ee3a5e1998bd177e93a7363c344fe6b199ee5d02e82d522c4feba15452f80288a821a579116ec6dad2b3b310da903401aa62100ab5d1a36553e06203b33890cc9b832f79ef80560ccb9a39ce767967ed628c6ad573cb116dbefefd75499da96bd68a8a97b928a8bbc103b6621fcde2beca1231d206be6cd9ec7aff6f6c94fcd7204ed3455c68c83f4a41da4af2b74ef5c53f1d8ac70bdcb7ed185ce81bd84359d44254d95629e9855a94a7c1958d1f8ada5d0532ed8a5aa3fb2d17ba70eb6248e594e1a2297acbbb39d502f1a8c6eb6f1ce22b3de1a1f40cc24554119a831a9aad6079cad88425de6bde1a9187ebb6092cf67bf2b13fd65f27088d78b7e883c8759d2c4f5c65adb7553878ad575f9fad878e80a0c9ba63bcbcc2732e69485bbc9c90bfbd62481d9089beccf80cfe2df16a2cf65bd92dd597b0707e0917af48bbb75fed413d238f5555a7a569d80c3414a8d0859dc65a46128bab27af87a71314f318c782b23ebfe808b82b0ce26401d2e22f04d83d1255dc51addd3b75a2b1ae0784504df543af8969be3ea7082ff7fc9888c144da2af58429ec96031dbcad3dad9af0dcbaaaf268cb8fcffead94f3c7ca495e056a9b47acdb751fb73e666c6c655ade8297297d07ad1ba5e43f1bca32301651339e22904cc8c42f58c30c04aafdb038dda0847dd988dcda6f3bfd15c4b4c4525004aa06eeff8ca61783aacec57fb3d1f92b0fe2fd1a85f6724517b65e614ad6808d6f6ee34dff7310fdc82aebfd904b01e1dc54b2927094b2db68d6f903b68401adebf5a7e08d78ff4ef5d63653a65040cf9bfd4aca7984a74d37145986780fc0b16ac451649de6188a7dbdf191f64b5fc5e2ab47b57f7f7276cd419c17a3ca8e1b939ae49e488acba6b965610b5480109c8b17b80e1b7b750dfc7598d5d5011fd2dcc5600a32ef5b52a1ecc820e308aa342721aac0943bf6686b64b2579376504ccc493d97e6aed3fb0f9cd71a43dd497",
- "f01f17c0e2cb3797aa2a2f256656168e6c496afc5fb93246f6b1116398a346f1a641f3b041e989f7914f90cc2c7fff357876e506b50d334ba77c225bc307ba537152f3f1610e4eafe595f6d9d90d11faa933a15ef1369546868a7f3a45a96768d40fd9d03412c091c6315cf4fde7cb68606937380db2eaaa707b4c4185c32eddcdd306705e4dc1ffc872eeee475a64dfac86aba41c0618983f8741c5ef68d3a101e8a3b8cac60c905c15fc910840b94c00a0b9d0\nOutput = 0aab4c900501b3e24d7cdf4663326a3a87df5e4843b2cbdb67cbf6e460fec350aa5371b1508f9f4528ecea23c436d94b5e8fcd4f681e30a6ac00a9704a188a03\n\nSignMessage = Ed25519-5\nInput = ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f\nOutput = dc2a4459e7369633a52b1bf277839a00201009a3efbf3ecb69bea2186c26b58909351fc9ac90b3ecfdfbc7c66431e0303dca179c138ac17ad9bef1177331a704\n\n# Signing with public keys is not allowed.\nSignMessage = Ed25519-SPKI\nInput = \"\"\nError = NOT_A_PRIVATE_KEY\n\n# Verify test vectors from RFC 8032. Test verifying with both the public and\n# private key.\nVerifyMessage = Ed25519\nInput = \"\"\nOutput = e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e065224901555fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b\n\nVerifyMessage = Ed25519-SPKI\nInput = \"\"\nOutput = e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e065224901555fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b\n\nVerifyMessage = Ed25519-2\nInput = 72\nOutput = 92a009a9f0d4cab8720e820b5f642540a2b27b5416503f8fb3762223ebdb69da085ac1e43e15996e458f3613d0f11d8c387b2eaeb4302aeeb00d291612bb0c00\n\nVerifyMessage = Ed25519-SPKI-2\nInput = 72\nOutput = 92a009a9f0d4cab8720e820b5f642540a2b27b5416503f8fb3762223ebdb69da085ac1e43e15996e458f3613d0f11d8c387b2eaeb4302aeeb00d291612bb0c00\n\nVerifyMessage = Ed25519-3\nInput = af82\nOutput = 6291d657deec24024827e69c3abe01a30ce548a284743a445e3680d7db5ac3ac18ff9b538d16f290ae67f760984dc6594a7c15e9716ed28dc027beceea1ec40a\n\nVerifyMessage = Ed25519-SPKI-3\nInput = af82\nOutput = 6291d657deec24024827e69c3abe01a30ce548a284743a445e3680d7db5ac3ac18ff9b538d16f290ae67f760984dc6594a7c15e9716ed28dc027beceea1ec40a\n\nVerifyMessage = Ed25519-4\nInput = 08b8b2b733424243760fe426a4b54908632110a66c2f6591eabd3345e3e4eb98fa6e264bf09efe12ee50f8f54e9f77b1e355f6c50544e23fb1433ddf73be84d879de7c0046dc4996d9e773f4bc9efe5738829adb26c81b37c93a1b270b20329d658675fc6ea534e0810a4432826bf58c941efb65d57a338bbd2e26640f89ffbc1a858efcb8550ee3a5e1998bd177e93a7363c344fe6b199ee5d02e82d522c4feba15452f80288a821a579116ec6dad2b3b310da903401aa62100ab5d1a36553e06203b33890cc9b832f79ef80560ccb9a39ce767967ed628c6ad573cb116dbefefd75499da96bd68a8a97b928a8bbc103b6621fcde2beca1231d206be6cd9ec7aff6f6c94fcd7204ed3455c68c83f4a41da4af2b74ef5c53f1d8ac70bdcb7ed185ce81bd84359d44254d95629e9855a94a7c1958d1f8ada5d0532ed8a5aa3fb2d17ba70eb6248e594e1a2297acbbb39d502f1a8c6eb6f1ce22b3de1a1f40cc24554119a831a9aad6079cad88425de6bde1a9187ebb6092cf67bf2b13fd65f27088d78b7e883c8759d2c4f5c65adb7553878ad575f9fad878e80a0c9ba63bcbcc2732e69485bbc9c90bfbd62481d9089beccf80cfe2df16a2cf65bd92dd597b0707e0917af48bbb75fed413d238f5555a7a569d80c3414a8d0859dc65a46128bab27af87a71314f318c782b23ebfe808b82b0ce26401d2e22f04d83d1255dc51addd3b75a2b1ae0784504df543af8969be3ea7082ff7fc9888c144da2af58429ec96031dbcad3dad9af0dcbaaaf268cb8fcffead94f3c7ca495e056a9b47acdb751fb73e666c6c655ade8297297d07ad1ba5e43f1bca32301651339e22904cc8c42f58c30c04aafdb038dda0847dd988dcda6f3bfd15c4b4c4525004aa06eeff8ca61783aacec57fb3d1f92b0fe2fd1a85f6724517b65e614ad6808d6f6ee34dff7310fdc82aebfd904b01e1dc54b2927094b2db68d6f903b68401adebf5a7e08d78ff4ef5d63653a65040cf9bfd4aca7984a74d37145986780fc0b16ac451649de6188a7dbdf191f64b5fc5e2ab47b57f7f7276cd419c17a3ca8e1b939ae49e488acba6b965610b5480109c8b17b80e1b7b750dfc7598d5d5011fd2dcc5600a32ef5b52a1ecc820e308aa342721aac0943bf6686b64b2579376504ccc493d97e6aed3fb0f9cd71a43dd497f01f17c0e2cb3797aa2a2f256656168e6c496afc5fb93246f6b1116398a346f1a641f3b041e989f7914f90cc2c7fff357876e506b50d334ba77c225bc307ba537152f3f1610e4eafe595f6d9d90d11faa933a15ef1369546868a7f3a45a96768d40fd9d03412c091c6315cf4fde7cb68606937380db2eaaa707b4c4185c32eddcdd306705e4dc1ffc872eeee475a64dfac86aba41c0618983f8741c5ef68d3a101e8a3b8cac60c905c15fc910840b94c00a0b9d0\nOutput = 0aab4c900501b3e24d7cdf4663326a3a87df5e4843b2cbdb67cbf6e460fec350aa5371b1508f9f4528ecea23c436d94b5e8fcd4f681e30a6ac00a9704a188a03\n\nVerifyMessage = Ed25519-SPKI-4\nInput = 08b8b2b733424243760fe426a4b54908632110a66c2f6591eabd3345e3e4eb98fa6e264bf09efe12ee50f8f54e9f77b1e355f6c50544e23fb1433ddf73be84d879de7c0046dc4996d9e773f4bc9efe5738829adb26c81b37c93a1b270b20329d658675fc6ea534e0810a4432826bf58c941efb65d57a338bbd2e26640f89ffbc1a858efcb8550ee3a5e1998bd177e93a7363c344fe6b199ee5d02e82d522c4feba15452f80288a821a579116ec6dad2b3b310da903401aa62100ab5d1a36553e06203b33890cc9b832f79ef80560ccb9a39ce767967ed628c6ad573cb116dbefefd75499da96bd68a8a97b928a8bbc103b6621fcde2beca1231d206be6cd9ec7aff6f6c94fcd7204ed3455c68c83f4a41da4af2b74ef5c53f1d8ac70bdcb7ed185ce81bd84359d44254d95629e9855a94a7c1958d1f8ada5d0532ed8a5aa3fb2d17ba70eb6248e594e1a2297acbbb39d502f1a8c6eb6f1ce22b3de1a1f40cc24554119a831a9aad6079cad88425de6bde1a9187ebb6092cf67bf2b13fd65f27088d78b7e883c8759d2c4f5c65adb7553878ad575f9fad878e80a0c9ba63bcbcc2732e69485bbc9c90bfbd62481d9089beccf80cfe2df16a2cf65bd92dd597b0707e0917af48bbb75fed413d238f5555a7a569d80c3414a8d0859dc65a46128bab27af87a71314f318c782b23ebfe808b82b0ce26401d2e22f04d83d1255dc51addd3b75a2b1ae0784504df543af8969be3ea7082ff7fc9888c144da2af58429ec96031dbcad3dad9af0dcbaaaf268cb8fcffead94f3c7ca495e056a9b47acdb751fb73e666c6c655ade8297297d07ad1ba5e43f1bca32301651339e22904cc8c42f58c30c04aafdb038dda0847dd988dcda6f3bfd15c4b4c4525004aa06eeff8ca61783aacec57fb3d1f92b0fe2fd1a85f6724517b65e614ad6808d6f6ee34dff7310fdc82aebfd904b01e1dc54b2927094b2db68d6f903b68401adebf5a7e08d78ff4ef5d63653a65040cf9bfd4aca7984a74d37145986780fc0b16ac451649de6188a7dbdf191f64b5fc5e2ab47b57f7f7276cd419c17a3ca8e1b939ae49e488acba6b965610b5480109c8b17b80e1b7b750dfc7598d5d5011fd2dcc5600a32ef5b52a1ecc820e308aa342721aac0943bf6686b64b2579376504ccc493d97e6aed3fb0f9cd71a43dd497f01f17c0e2cb3797aa2a2f256656168e6c496afc5fb93246f6b1116398a346f1a641f3b041e989f7914f90cc2c7fff357876e506b50d334ba77c225bc307ba537152f3f1610e4eafe595f6d9d90d11faa933a15ef1369546868a7f3a45a96768d40fd9d03412c091c6315cf4fde7cb68606937380db2eaaa707b4c4185c32eddcdd306705e4dc1ffc872eeee475a64dfac86aba41c0618983f8741c5ef68d3a101e8a3b8cac60c905c15fc910840b94c00a0b9d0\nOutput = 0aab4c900501b3e24d7cdf4663326a3a87df5e4843b2cbdb67cbf6e460fec350aa5371b1508f9f4528ecea23c436d94b5e8fcd4f681e30a6ac00a9704a188a03\n\nVerifyMessage = Ed25519-5\nInput = ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f\nOutput = dc2a4459e7369633a52b1bf277839a00201009a3efbf3ecb69bea2186c26b58909351fc9ac90b3ecfdfbc7c66431e0303dca179c138ac17ad9bef1177331a704\n\nVerifyMessage = Ed25519-SPKI-5\nInput = ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f\nOutput = dc2a4459e7369633a52b1bf277839a00201009a3efbf3ecb69bea2186c26b58909351fc9ac90b3ecfdfbc7c66431e0303dca179c138ac17ad9bef1177331a704\n\n# Length is wrong.\nVerifyMessage = Ed25519-SPKI\nInput = \"\"\nOutput = e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e065224901555fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a10\nError = INVALID_SIGNATURE\n\n# Message is wrong.\nVerifyMessage = Ed25519-SPKI\nInput = \"Hello world\"\nOutput = e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e065224901555fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b\nError = INVALID_SIGNATURE\n\n# Ed25519 does not support configuring a digest.\nSignMessage = Ed25519\nInput = \"\"\nDigest = SHA256\nError = COMMAND_NOT_SUPPORTED\n\n# Ed25519 does not support signing a pre-hashed value.\nSign = Ed25519\nInput = \"0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef\"\nError = OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE\n\nVerify = Ed25519\nInput = \"0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef\"\nOutput = e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e065224901555fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b\nError = OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE\n",
+ "848d11d10fb593e66bf680bf6d3f345fc3e9c3de60abbac37e1c6ec80a268c8d9fc49626c679097aa690bc1aa662b95eb8db70390861aa0898229f9349b4b5fdd030d4928c47084708a933144be23bd3c6e661b85b2c0ef9ed36d498d5b7320e8194d363d4ad478c059bae804181965e0b81b663158a\nError = BAD_SIGNATURE\n\n# Digest too short\nVerify = RSA-2048-SPKI\nRSAPadding = PSS\nPSSSaltLength = 0\nDigest = SHA256\nInput = \"0123456789ABCDEF0123456789ABCDE\"\nOutput = 4de433d5844043ef08d354da03cb29068780d52706d7d1e4d50efb7d58c9d547d83a747ddd0635a96b28f854e50145518482cb49e963054621b53c60c498d07c16e9c2789c893cf38d4d86900de71bde463bd2761d1271e358c7480a1ac0bab930ddf39602ad1bc165b5d7436b516b7a7858e8eb7ab1c420eeb482f4d207f0e462b1724959320a084e13848d11d10fb593e66bf680bf6d3f345fc3e9c3de60abbac37e1c6ec80a268c8d9fc49626c679097aa690bc1aa662b95eb8db70390861aa0898229f9349b4b5fdd030d4928c47084708a933144be23bd3c6e661b85b2c0ef9ed36d498d5b7320e8194d363d4ad478c059bae804181965e0b81b663158a\nError = INVALID_MESSAGE_LENGTH\n\n# Digest too long\nVerify = RSA-2048-SPKI\nRSAPadding = PSS\nPSSSaltLength = 0\nDigest = SHA256\nInput = \"0123456789ABCDEF0123456789ABCDEF0\"\nOutput = 4de433d5844043ef08d354da03cb29068780d52706d7d1e4d50efb7d58c9d547d83a747ddd0635a96b28f854e50145518482cb49e963054621b53c60c498d07c16e9c2789c893cf38d4d86900de71bde463bd2761d1271e358c7480a1ac0bab930ddf39602ad1bc165b5d7436b516b7a7858e8eb7ab1c420eeb482f4d207f0e462b1724959320a084e13848d11d10fb593e66bf680bf6d3f345fc3e9c3de60abbac37e1c6ec80a268c8d9fc49626c679097aa690bc1aa662b95eb8db70390861aa0898229f9349b4b5fdd030d4928c47084708a933144be23bd3c6e661b85b2c0ef9ed36d498d5b7320e8194d363d4ad478c059bae804181965e0b81b663158a\nError = INVALID_MESSAGE_LENGTH\n\n# Wrong salt length\nVerify = RSA-2048\nRSAPadding = PSS\nPSSSaltLength = 2\nDigest = SHA256\nInput = \"0123456789ABCDEF0123456789ABCDEF\"\nOutput = 4de433d5844043ef08d354da03cb29068780d52706d7d1e4d50efb7d58c9d547d83a747ddd0635a96b28f854e50145518482cb49e963054621b53c60c498d07c16e9c2789c893cf38d4d86900de71bde463bd2761d1271e358c7480a1ac0bab930ddf39602ad1bc165b5d7436b516b7a7858e8eb7ab1c420eeb482f4d207f0e462b1724959320a084e13848d11d10fb593e66bf680bf6d3f345fc3e9c3de60abbac37e1c6ec80a268c8d9fc49626c679097aa690bc1aa662b95eb8db70390861aa0898229f9349b4b5fdd030d4928c47084708a933144be23bd3c6e661b85b2c0ef9ed36d498d5b7320e8194d363d4ad478c059bae804181965e0b81b663158a\nError = SLEN_CHECK_FAILED\n\n# Wrong salt length using implicit hash length\nVerify = RSA-2048\nRSAPadding = PSS\nPSSSaltLength = -1\nDigest = SHA256\nInput = \"0123456789ABCDEF0123456789ABCDEF\"\nOutput = 4de433d5844043ef08d354da03cb29068780d52706d7d1e4d50efb7d58c9d547d83a747ddd0635a96b28f854e50145518482cb49e963054621b53c60c498d07c16e9c2789c893cf38d4d86900de71bde463bd2761d1271e358c7480a1ac0bab930ddf39602ad1bc165b5d7436b516b7a7858e8eb7ab1c420eeb482f4d207f0e462b1724959320a084e13848d11d10fb593e66bf680bf6d3f345fc3e9c3de60abbac37e1c6ec80a268c8d9fc49626c679097aa690bc1aa662b95eb8db70390861aa0898229f9349b4b5fdd030d4928c47084708a933144be23bd3c6e661b85b2c0ef9ed36d498d5b7320e8194d363d4ad478c059bae804181965e0b81b663158a\nError = SLEN_CHECK_FAILED\n\n# Wrong MGF1 digest, SHA-1\nVerify = RSA-2048\nRSAPadding = PSS\nPSSSaltLength = 0\nDigest = SHA256\nMGF1Digest = SHA1\nInput = \"0123456789ABCDEF0123456789ABCDEF\"\nOutput = 4de433d5844043ef08d354da03cb29068780d52706d7d1e4d50efb7d58c9d547d83a747ddd0635a96b28f854e50145518482cb49e963054621b53c60c498d07c16e9c2789c893cf38d4d86900de71bde463bd2761d1271e358c7480a1ac0bab930ddf39602ad1bc165b5d7436b516b7a7858e8eb7ab1c420eeb482f4d207f0e462b1724959320a084e13848d11d10fb593e66bf680bf6d3f345fc3e9c3de60abbac37e1c6ec80a268c8d9fc49626c679097aa690bc1aa662b95eb8db70390861aa0898229f9349b4b5fdd030d4928c47084708a933144be23bd3c6e661b85b2c0ef9ed36d498d5b7320e8194d363d4ad478c059bae804181965e0b81b663158a\n# If SHA-1, this input happens to succeed recovering a salt length, but it does\n# not match.\nError = SLEN_CHECK_FAILED\n\n# Wrong MGF1 digest, SHA-384\nVerify = RSA-2048\nRSAPadding = PSS\nPSSSaltLength = 0\nDigest = SHA256\nMGF1Digest = SHA384\nInput = \"0123456789ABCDEF0123456789ABCDEF\"\nOutput = 4de433d5844043ef08d354da03cb29068780d52706d7d1e4d50efb7d58c9d547d83a747ddd0635a96b28f854e50145518482cb49e963054621b53c60c498d07c16e9c2789c893cf38d4d86900de71bde463bd2761d1271e358c7480a1ac0bab930ddf39602ad1bc165b5d7436b516b7a7858e8eb7ab1c420eeb482f4d207f0e462b1724959320a084e13848d11d10fb593e66bf680bf6d3f345fc3e9c3de60abbac37e1c6ec80a268c8d9fc49626c679097aa690bc1aa662b95eb8db70390861aa0898229f9349b4b5fdd030d4928c47084708a933144be23bd3c6e661b85b2c0ef9ed36d498d5b7320e8194d363d4ad478c059bae804181965e0b81b663158a\n# If SHA-384, this input happens fail to recover the salt length altogether.\nError = SLEN_RECOVERY_FAILED\n\n# The salt length is too large for the modulus (signing).\nSign = RSA-2048\nRSAPadding = PSS\nPSSSaltLength = 223\nDigest = SHA256\nInput = \"0123456789ABCDEF0123456789ABCDEF\"\nError = DATA_TOO_LARGE\n\n# The salt length is too large for the modulus (verifying).\nVerify = RSA-2048\nRSAPadding = PSS\nPSSSaltLength = 223\nDigest = SHA256\nInput = \"0123456789ABCDEF0123456789ABCDEF\"\nOutput = 4de433d5844043ef08d354da03cb29068780d52706d7d1e4d50efb7d58c9d547d83a747ddd0635a96b28f854e50145518482cb49e963054621b53c60c498d07c16e9c2789c893cf38d4d86900de71bde463bd2761d1271e358c7480a1ac0bab930ddf39602ad1bc165b5d7436b516b7a7858e8eb7ab1c420eeb482f4d207f0e462b1724959320a084e13848d11d10fb593e66bf680bf6d3f345fc3e9c3de60abbac37e1c6ec80a268c8d9fc49626c679097aa690bc1aa662b95eb8db70390861aa0898229f9349b4b5fdd030d4928c47084708a933144be23bd3c6e661b85b2c0ef9ed36d498d5b7320e8194d363d4ad478c059bae804181965e0b81b663158a\nError = DATA_TOO_LARGE\n\n# The hash is too large for the modulus (signing).\nSign = RSA-512\nRSAPadding = PSS\nPSSSaltLength = 0\nDigest = SHA512\nInput = \"0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF\"\nError = DATA_TOO_LARGE\n\nSign = RSA-512\nRSAPadding = PSS\nPSSSaltLength = -2\nDigest = SHA512\nInput = \"0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF\"\nError = DATA_TOO_LARGE\n\n# The hash is too large for the modulus (verifying).\nVerify = RSA-512\nRSAPadding = PSS\nPSSSaltLength = 0\nDigest = SHA512\nInput = \"0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF\"\nOutput = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\nError = DATA_TOO_LARGE\n\nVerify = RSA-512\nRSAPadding = PSS\nPSSSaltLength = -2\nDigest = SHA512\nInput = \"0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF\"\nOutput = 457001d9ca50a93385fc5ec721c9dbbe7a0f2e9e4a2f846a30a8811dde66347b83901c7492039243537c7a667fafffd69049bcbd36afd0010d9b425e2d8785c1\nError = DATA_TOO_LARGE\n\n# Sample RSA-515 signature.\nVerify = RSA-515\nRSAPadding = PSS\nPSSSaltLength = 0\nDigest = SHA256\nInput = \"0123456789ABCDEF0123456789ABCDEF\"\nOutput = 00c5926600f160f85e7fe950cfe123908384211cd8fe25c90cb8e8cc0593308e9aa2efe3acbf100ec1658ded8f72f506525fc2c44f06251b08d896e7bb3f05b135\n\n# The above, but with too few leading zeros.\nVerify = RSA-515\nRSAPadding = PSS\nPSSSaltLength = 0\nDigest = SHA256\nInput = \"0123456789ABCDEF0123456789ABCDEF\"\nOutput = c5926600f160f85e7fe950cfe123908384211cd8fe25c90cb8e8cc0593308e9aa2efe3acbf100ec1658ded8f72f506525fc2c44f06251b08d896e7bb3f05b135\nError = DATA_LEN_NOT_EQUAL_TO_MOD_LEN\n\n# The above, but with too many leading zeros.\nVerify = RSA-515\nRSAPadding = PSS\nPSSSaltLength = 0\nDigest = SHA256\nInput = \"0123456789ABCDEF0123456789ABCDEF\"\nOutput = 0000c5926600f160f85e7fe950cfe123908384211cd8fe25c90cb8e8cc0593308e9aa2efe3acbf100ec1658ded8f72f506525fc2c44f06251b08d896e7bb3f05b135\nError = DATA_LEN_NOT_EQUAL_TO_MOD_LEN\n\n# The above with an invalid leading byte. The top few bits of EM are required to\n# be cleared.\nVerify = RSA-515\nRSAPadding = PSS\nPSSSaltLength = 0\nDigest = SHA256\nInput = \"0123456789ABCDEF0123456789ABCDEF\"\nOutput = 007f803c832a2090aea04013d9fa9c1630732a1625232826d235f0950f7050d3fb0eb06ef9ea8b260fad68e1165a2d770a8c7fc7a8aaa68620b021fc19c97e0041\nError = FIRST_OCTET_INVALID\n\n# The above with an invalid trailing byte.\nVerify = RSA-515\nRSAPadding = PSS\nPSSSaltLength = 0\nDigest = SHA256\nInput = \"0123456789ABCDEF0123456789ABCDEF\"\nOutput = 03e68555035891eb08d96c0967db22328cd892ad2856d88516ecb946bfdba732bb029b5c0dfa2119ed7349897d2324e95e86d91d0c4afc82700a36db8933a",
+ "bbf58\nError = LAST_OCTET_INVALID\n\n# Non-zero salt length.\nVerify = RSA-2048-SPKI\nRSAPadding = PSS\nPSSSaltLength = 32\nDigest = SHA256\nInput = \"0123456789ABCDEF0123456789ABCDEF\"\nOutput = 4065b284b0a6e98d4c41a8427007f878d8dd61599c87764fa79b8bf03f030c48127a4b1a5af5a6e0cf9055e57a1f47e5b0c0d8c600e78369cf1c39374899fac91a812692aa2216ba10900ce85a5cf7fddcafb726e4b83479c5bb7b3b84b08ffe183b4c2973aa3193ec7b7d4ea73bf1b579c6657b78ad7800e1975a4838c28ffe353fafef96be27b5c69677760a71b6f4df65ba6fe6b3565580a536f966928294c6e9ece807a90c1477779bcbfa3a250e98d685097c162c1c8c56ab02bd2e16eec7a019b51c067bdba7fa8cd5460796e22c607a8b6d12e1deb9be51c6943c46590f416800c48bb4cbb8c409d316573e59eadf7d3b9e6e5c2d0e570692e511e139\n\n# Non-zero salt length, wrong salt length.\nVerify = RSA-2048-SPKI\nRSAPadding = PSS\nPSSSaltLength = 31\nDigest = SHA256\nInput = \"0123456789ABCDEF0123456789ABCDEF\"\nOutput = 4065b284b0a6e98d4c41a8427007f878d8dd61599c87764fa79b8bf03f030c48127a4b1a5af5a6e0cf9055e57a1f47e5b0c0d8c600e78369cf1c39374899fac91a812692aa2216ba10900ce85a5cf7fddcafb726e4b83479c5bb7b3b84b08ffe183b4c2973aa3193ec7b7d4ea73bf1b579c6657b78ad7800e1975a4838c28ffe353fafef96be27b5c69677760a71b6f4df65ba6fe6b3565580a536f966928294c6e9ece807a90c1477779bcbfa3a250e98d685097c162c1c8c56ab02bd2e16eec7a019b51c067bdba7fa8cd5460796e22c607a8b6d12e1deb9be51c6943c46590f416800c48bb4cbb8c409d316573e59eadf7d3b9e6e5c2d0e570692e511e139\nError = SLEN_CHECK_FAILED\n\n# Non-zero salt length, match hash length.\nVerify = RSA-2048-SPKI\nRSAPadding = PSS\nPSSSaltLength = -1\nDigest = SHA256\nInput = \"0123456789ABCDEF0123456789ABCDEF\"\nOutput = 4065b284b0a6e98d4c41a8427007f878d8dd61599c87764fa79b8bf03f030c48127a4b1a5af5a6e0cf9055e57a1f47e5b0c0d8c600e78369cf1c39374899fac91a812692aa2216ba10900ce85a5cf7fddcafb726e4b83479c5bb7b3b84b08ffe183b4c2973aa3193ec7b7d4ea73bf1b579c6657b78ad7800e1975a4838c28ffe353fafef96be27b5c69677760a71b6f4df65ba6fe6b3565580a536f966928294c6e9ece807a90c1477779bcbfa3a250e98d685097c162c1c8c56ab02bd2e16eec7a019b51c067bdba7fa8cd5460796e22c607a8b6d12e1deb9be51c6943c46590f416800c48bb4cbb8c409d316573e59eadf7d3b9e6e5c2d0e570692e511e139\n\n# Non-zero salt length, auto-detected.\nVerify = RSA-2048-SPKI\nRSAPadding = PSS\nPSSSaltLength = -2\nDigest = SHA256\nInput = \"0123456789ABCDEF0123456789ABCDEF\"\nOutput = 4065b284b0a6e98d4c41a8427007f878d8dd61599c87764fa79b8bf03f030c48127a4b1a5af5a6e0cf9055e57a1f47e5b0c0d8c600e78369cf1c39374899fac91a812692aa2216ba10900ce85a5cf7fddcafb726e4b83479c5bb7b3b84b08ffe183b4c2973aa3193ec7b7d4ea73bf1b579c6657b78ad7800e1975a4838c28ffe353fafef96be27b5c69677760a71b6f4df65ba6fe6b3565580a536f966928294c6e9ece807a90c1477779bcbfa3a250e98d685097c162c1c8c56ab02bd2e16eec7a019b51c067bdba7fa8cd5460796e22c607a8b6d12e1deb9be51c6943c46590f416800c48bb4cbb8c409d316573e59eadf7d3b9e6e5c2d0e570692e511e139\n\n\n# RSA decrypt\n\nDecrypt = RSA-2048\nInput = 550af55a2904e7b9762352f8fb7fa235a9cb053aacb2d5fcb8ca48453cb2ee3619746c701abf2d4cc67003471a187900b05aa812bd25ed05c675dfc8c97a24a7bf49bd6214992cad766d05a9a2b57b74f26a737e0237b8b76c45f1f226a836d7cfbc75ba999bdbe48dbc09227aa46c88f21dccba7840141ad5a5d71fd122e6bd6ac3e564780dfe623fc1ca9b995a6037bf0bbd43b205a84ac5444f34202c05ce9113087176432476576de6ffff9a52ea57c08be3ec2f49676cb8e12f762ac71fa3c321e00ac988910c85ff52f93825666ce0d40ffaa0592078919d4493f46d95ccf76364c6d57760dd0b64805f9afc76a2365a5575ca301d5103f0ea76cb9a78\nOutput = \"Hello World\"\n\n# Corrupted ciphertext\nDecrypt = RSA-2048\nInput = 550af55a2904e7b9762352f8fb7fa235a9cb053aacb2d5fcb8ca48453cb2ee3619746c701abf2d4cc67003471a187900b05aa812bd25ed05c675dfc8c97a24a7bf49bd6214992cad766d05a9a2b57b74f26a737e0237b8b76c45f1f226a836d7cfbc75ba999bdbe48dbc09227aa46c88f21dccba7840141ad5a5d71fd122e6bd6ac3e564780dfe623fc1ca9b995a6037bf0bbd43b205a84ac5444f34202c05ce9113087176432476576de6ffff9a52ea57c08be3ec2f49676cb8e12f762ac71fa3c321e00ac988910c85ff52f93825666ce0d40ffaa0592078919d4493f46d95ccf76364c6d57760dd0b64805f9afc76a2365a5575ca301d5103f0ea76cb9a79\nError = PKCS_DECODING_ERROR\n\n# OAEP padding\nDecrypt = RSA-2048\nRSAPadding = OAEP\nInput = 458708dfbd42a1297ce7a9c86c7087ab80b1754810929b89c5107ca55368587686986fce94d86cc1595b3fb736223a656ec0f34d18ba1cc5665593610f56c58e26b272d584f3d983a5c91085700755aebd921fb280bba3eda7046ec07b43e7298e52d59edc92be4639a8ce08b2f85976ecf6d98cc469eeb9d5d8e2a32ea8a6626edafe1038b3df455668a9f3c77cad8b92fb872e00058c3d2a7ede1a1f03fc5622084ae04d9d24f6bf0995c58d35b93b699b9763595e123f2ab0863cc9229eb290e2ede7715c7a8f39e0b9a3e2e1b56ebb62f1cbfbb5986fb212ebd785b83d01d968b11d1756c7337f70c1f1a63bff03608e24f3a2fd44e67f832a8701c5d5af\nOutput = \"Hello World\"\n\n# OAEP padding, corrupted ciphertext\nDecrypt = RSA-2048\nRSAPadding = OAEP\nInput = 458708dfbd42a1297ce7a9c86c7087ab80b1754810929b89c5107ca55368587686986fce94d86cc1595b3fb736223a656ec0f34d18ba1cc5665593610f56c58e26b272d584f3d983a5c91085700755aebd921fb280bba3eda7046ec07b43e7298e52d59edc92be4639a8ce08b2f85976ecf6d98cc469eeb9d5d8e2a32ea8a6626edafe1038b3df455668a9f3c77cad8b92fb872e00058c3d2a7ede1a1f03fc5622084ae04d9d24f6bf0995c58d35b93b699b9763595e123f2ab0863cc9229eb290e2ede7715c7a8f39e0b9a3e2e1b56ebb62f1cbfbb5986fb212ebd785b83d01d968b11d1756c7337f70c1f1a63bff03608e24f3a2fd44e67f832a8701c5d5ac\nError = OAEP_DECODING_ERROR\n\n\n# EC tests\n\nVerify = P-256\nDigest = SHA1\nInput = \"0123456789ABCDEF1234\"\nOutput = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8\n\nVerify = P-256-SPKI\nDigest = SHA1\nInput = \"0123456789ABCDEF1234\"\nOutput = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8\n\n# Digest too long\nVerify = P-256\nDigest = SHA1\nInput = \"0123456789ABCDEF12345\"\nOutput = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8\nError = BAD_SIGNATURE\n\n# Digest too short\nVerify = P-256\nDigest = SHA1\nInput = \"0123456789ABCDEF123\"\nOutput = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8\nError = BAD_SIGNATURE\n\n# Digest invalid\nVerify = P-256\nDigest = SHA1\nInput = \"0123456789ABCDEF1235\"\nOutput = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8\nError = BAD_SIGNATURE\n\n# Invalid signature\nVerify = P-256\nDigest = SHA1\nInput = \"0123456789ABCDEF1234\"\nOutput = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec7\nError = BAD_SIGNATURE\n\n# Garbage after signature\nVerify = P-256\nDigest = SHA1\nInput = \"0123456789ABCDEF1234\"\nOutput = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec800\nError = BAD_SIGNATURE\n\n# BER signature\nVerify = P-256\nDigest = SHA1\nInput = \"0123456789ABCDEF1234\"\nOutput = 3080022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec80000\nError = BAD_SIGNATURE\n\n\n# Additional RSA-PSS and RSA-OAEP tests converted from\n# ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip\n\nPublicKey = RSA-PSS-1\nType = RSA\nInput = 30819f300d06092a864886f70d010101050003818d0030818902818100a56e4a0e701017589a5187dc7ea841d156f2ec0e36ad52a44dfeb1e61f7ad991d8c51056ffedb162b4c0f283a12a88a394dff526ab7291cbb307ceabfce0b1dfd5cd9508096d5b2b8b6df5d671ef6377c0921cb23c270a70e2598e6ff89d19f105acc2d3f0cb35f29280e1386b6f64c4ef22e1e1f20d0ce8cffb2249bd9a21370203010001\n\nVerify = RSA-PSS-1\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = cd8b6538cb8e8de566b68bd067569dbf1ee2718e\nOutput = 9074308fb598e9701b2294388e52f971faac2b60a5145af185df5287b5ed2887e57ce7fd44dc8634e407c8e0e4360bc226f3ec227f9d9e54638e8d31f5051215df6ebb9c2f9579aa77598a38f914b5b9c1bd83c4e2f9f382a0d0aa3542ffee65984a601bc69eb28deb27dca12c82c2d4c3f66cd500f1ff2b994d8a4e30cbb33c\n\nVerify = RSA-PSS-1\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = e35befc17a1d160b9ce35fbd8eb16e7ee491d3fd\nOutput = 3ef7f46e831bf92b32274142a585ffcefbdca7b32ae90d10fb0f0c729984f04ef29a9df0780775ce4",
+ "3739b97838390db0a5505e63de927028d9d29b219ca2c4517832558a55d694a6d25b9dab66003c4cccd907802193be5170d26147d37b93590241be51c25055f47ef62752cfbe21418fafe98c22c4d4d47724fdb5669e843\n\nVerify = RSA-PSS-1\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 0652ec67bcee30f9d2699122b91c19abdba89f91\nOutput = 666026fba71bd3e7cf13157cc2c51a8e4aa684af9778f91849f34335d141c00154c4197621f9624a675b5abc22ee7d5baaffaae1c9baca2cc373b3f33e78e6143c395a91aa7faca664eb733afd14d8827259d99a7550faca501ef2b04e33c23aa51f4b9e8282efdb728cc0ab09405a91607c6369961bc8270d2d4f39fce612b1\n\nVerify = RSA-PSS-1\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 39c21c4cceda9c1adf839c744e1212a6437575ec\nOutput = 4609793b23e9d09362dc21bb47da0b4f3a7622649a47d464019b9aeafe53359c178c91cd58ba6bcb78be0346a7bc637f4b873d4bab38ee661f199634c547a1ad8442e03da015b136e543f7ab07c0c13e4225b8de8cce25d4f6eb8400f81f7e1833b7ee6e334d370964ca79fdb872b4d75223b5eeb08101591fb532d155a6de87\n\nVerify = RSA-PSS-1\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 36dae913b77bd17cae6e7b09453d24544cebb33c\nOutput = 1d2aad221ca4d31ddf13509239019398e3d14b32dc34dc5af4aeaea3c095af73479cf0a45e5629635a53a018377615b16cb9b13b3e09d671eb71e387b8545c5960da5a64776e768e82b2c93583bf104c3fdb23512b7b4e89f633dd0063a530db4524b01c3f384c09310e315a79dcd3d684022a7f31c865a664e316978b759fad\n\nVerify = RSA-PSS-1\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 45eef191f4f79c31fe5d2ede7e5098994e929d2d\nOutput = 2a34f6125e1f6b0bf971e84fbd41c632be8f2c2ace7de8b6926e31ff93e9af987fbc06e51e9be14f5198f91f3f953bd67da60a9df59764c3dc0fe08e1cbef0b75f868d10ad3fba749fef59fb6dac46a0d6e504369331586f58e4628f39aa278982543bc0eeb537dc61958019b394fb273f215858a0a01ac4d650b955c67f4c58\n\nPublicKey = RSA-PSS-2\nType = RSA\nInput = 30819f300d06092a864886f70d010101050003818d0030818902818101d40c1bcf97a68ae7cdbd8a7bf3e34fa19dcca4ef75a47454375f94514d88fed006fb829f8419ff87d6315da68a1ff3a0938e9abb3464011c303ad99199cf0c7c7a8b477dce829e8844f625b115e5e9c4a59cf8f8113b6834336a2fd2689b472cbb5e5cabe674350c59b6c17e176874fb42f8fc3d176a017edc61fd326c4b33c90203010001\n\nVerify = RSA-PSS-2\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 5c81a3e2a658246628cd0ee8b00bb4c012bc9739\nOutput = 014c5ba5338328ccc6e7a90bf1c0ab3fd606ff4796d3c12e4b639ed9136a5fec6c16d8884bdd99cfdc521456b0742b736868cf90de099adb8d5ffd1deff39ba4007ab746cefdb22d7df0e225f54627dc65466131721b90af445363a8358b9f607642f78fab0ab0f43b7168d64bae70d8827848d8ef1e421c5754ddf42c2589b5b3\n\nVerify = RSA-PSS-2\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 27f71611446aa6eabf037f7dedeede3203244991\nOutput = 010991656cca182b7f29d2dbc007e7ae0fec158eb6759cb9c45c5ff87c7635dd46d150882f4de1e9ae65e7f7d9018f6836954a47c0a81a8a6b6f83f2944d6081b1aa7c759b254b2c34b691da67cc0226e20b2f18b42212761dcd4b908a62b371b5918c5742af4b537e296917674fb914194761621cc19a41f6fb953fbcbb649dea\n\nVerify = RSA-PSS-2\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 03ecc2c33e93f05fc7224fcc0d461356cb897217\nOutput = 007f0030018f53cdc71f23d03659fde54d4241f758a750b42f185f87578520c30742afd84359b6e6e8d3ed959dc6fe486bedc8e2cf001f63a7abe16256a1b84df0d249fc05d3194ce5f0912742dbbf80dd174f6c51f6bad7f16cf3364eba095a06267dc3793803ac7526aebe0a475d38b8c2247ab51c4898df7047dc6adf52c6c4\n\nVerify = RSA-PSS-2\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 246c727b4b9494849dddb068d582e179ac20999c\nOutput = 009cd2f4edbe23e12346ae8c76dd9ad3230a62076141f16c152ba18513a48ef6f010e0e37fd3df10a1ec629a0cb5a3b5d2893007298c30936a95903b6ba85555d9ec3673a06108fd62a2fda56d1ce2e85c4db6b24a81ca3b496c36d4fd06eb7c9166d8e94877c42bea622b3bfe9251fdc21d8d5371badad78a488214796335b40b\n\nVerify = RSA-PSS-2\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = e8617ca3ea66ce6a58ede2d11af8c3ba8a6ba912\nOutput = 00ec430824931ebd3baa43034dae98ba646b8c36013d1671c3cf1cf8260c374b19f8e1cc8d965012405e7e9bf7378612dfcc85fce12cda11f950bd0ba8876740436c1d2595a64a1b32efcfb74a21c873b3cc33aaf4e3dc3953de67f0674c0453b4fd9f604406d441b816098cb106fe3472bc251f815f59db2e4378a3addc181ecf\n\nVerify = RSA-PSS-2\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 7a6fdc1a4e434ecbc35d657ad49a2f4fafd43bc8\nOutput = 00475b1648f814a8dc0abdc37b5527f543b666bb6e39d30e5b49d3b876dccc58eac14e32a2d55c2616014456ad2f246fc8e3d560da3ddf379a1c0bd200f10221df078c219a151bc8d4ec9d2fc2564467811014ef15d8ea01c2ebbff8c2c8efab38096e55fcbe3285c7aa558851254faffa92c1c72b78758663ef4582843139d7a6\n\nPublicKey = RSA-PSS-3\nType = RSA\nInput = 30819f300d06092a864886f70d010101050003818d0030818902818102f246ef451ed3eebb9a310200cc25859c048e4be798302991112eb68ce6db674e280da21feded1ae74880ca522b18db249385012827c515f0e466a1ffa691d98170574e9d0eadb087586ca48933da3cc953d95bd0ed50de10ddcb6736107d6c831c7f663e833ca4c097e700ce0fb945f88fb85fe8e5a773172565b914a471a4430203010001\n\nVerify = RSA-PSS-3\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 3552be69dd74bdc56d2cf8c38ef7bafe269040fe\nOutput = 0088b135fb1794b6b96c4a3e678197f8cac52b64b2fe907d6f27de761124964a99a01a882740ecfaed6c01a47464bb05182313c01338a8cd097214cd68ca103bd57d3bc9e816213e61d784f182467abf8a01cf253e99a156eaa8e3e1f90e3c6e4e3aa2d83ed0345b89fafc9c26077c14b6ac51454fa26e446e3a2f153b2b16797f\n\nVerify = RSA-PSS-3\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 609143ff7240e55c062aba8b9e4426a781919bc9\nOutput = 02a5f0a858a0864a4f65017a7d69454f3f973a2999839b7bbc48bf78641169179556f595fa41f6ff18e286c2783079bc0910ee9cc34f49ba681124f923dfa88f426141a368a5f5a930c628c2c3c200e18a7644721a0cbec6dd3f6279bde3e8f2be5e2d4ee56f97e7ceaf33054be7042bd91a63bb09f897bd41e81197dee99b11af\n\nVerify = RSA-PSS-3\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 0afd22f879a9cda7c584f4135f8f1c961db114c0\nOutput = 0244bcd1c8c16955736c803be401272e18cb990811b14f72db964124d5fa760649cbb57afb8755dbb62bf51f466cf23a0a1607576e983d778fceffa92df7548aea8ea4ecad2c29dd9f95bc07fe91ecf8bee255bfe8762fd7690aa9bfa4fa0849ef728c2c42c4532364522df2ab7f9f8a03b63f7a499175828668f5ef5a29e3802c\n\nVerify = RSA-PSS-3\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 405dd56d395ef0f01b555c48f748cc32b210650b\nOutput = 0196f12a005b98129c8df13c4cb16f8aa887d3c40d96df3a88e7532ef39cd992f273abc370bc1be6f097cfebbf0118fd9ef4b927155f3df22b904d90702d1f7ba7a52bed8b8942f412cd7bd676c9d18e170391dcd345c06a730964b3f30bcce0bb20ba106f9ab0eeb39cf8a6607f75c0347f0af79f16afa081d2c92d1ee6f836b8\n\nVerify = RSA-PSS-3\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = a2c313b0440c8a0c47233b87f0a160c61af3eae7\nOutput = 021eca3ab4892264ec22411a752d92221076d4e01c0e6f0dde9afd26ba5acf6d739ef987545d16683e5674c9e70f1de649d7e61d48d0caeb4fb4d8b24fba84a6e3108fee7d0705973266ac524b4ad280f7ae17dc59d96d3351586b5a3bdb895d1e1f7820ac6135d8753480998382ba32b7349559608c38745290a85ef4e9f9bd83\n\nVerify = RSA-PSS-3\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = f1bf6ca7b4bbdbb6bf20a4bf55728725d177154a\nOutput = 012fafec862f56e9e92f60ab0c77824f4299a0ca734ed26e0644d5d222c7f0bde03964f8e70a5cb65ed44e44d56ae0edf1ff86ca032cc5dd4404dbb76ab854586c44eed8336d08d457ce6c03693b45c0f1efef93624b95b8ec169c616d20e5538ebc0b6737a6f82b4bc0570924fc6b35759a3348426279f8b3d7744e2d222426ce\n\nPublicKey = RSA-PSS-4\nType = RSA\nInput = 30819f300d06092a864886f70d010101050003818d00308189028181054adb7886447efe6f57e0368f06cf52b0a3370760d161cef126b91be7f89c421b62a6ec1da3c311d75ed50e0ab5fff3fd338acc3aa8a4e77ee26369acb81ba900fa83f5300cf9bb6c53ad1dc8a178b815db4235a9a9da0c06de4e615ea1277ce559e9c108de58c14a81aa77f5a6f8d1335494498848c8b95940740be7bf7c37050203010001\n\nVerify = RSA-PSS-4\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = f8b0abf70fec0bca74f0accbc24f75e6e90d3bfd\nOutput = 0323d5b7bf20ba4539289ae452ae4297080feff4518423ff4811a817837e7d82f1836cdfab54514ff0887bddeebf40bf99b047abc3ecfa6a37a3ef00f4a0c4a88aae0904b745c846c4107e8797723e8ac810d9e3d95dfa30ff4966f4d75d13768d20857f2b1406f264cfe75e27d7652f4b5ed3575f28a702f8c4ed9cf9b2d44948\n\nVerify = RSA-PSS-4\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 04a10944bfe11ab801e77889f3fd3d7f4ff0b629\nOutput = 049d0185845a264d28feb1e69edaec090609e8e46d93abb38371ce51f4aa65a599bdaaa81d24fba66a08a116cb644f3f1e653d95c89db8bbd5daac2709c8984000178410a7c6aa8667ddc38c741f710ec8665aa9052be929d4e3b16782c1662114c5414bb0353455c392fc28f3db59054b5f365c49e1d156f876ee10cb4fd70598\n\nVerify = RSA-PSS-4\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = ba01243db223eb97fb86d746c3148adaaa0ca344\nOutput = 03fbc410a2ced59500fb99f9e2af2781ada74e13145624602782e2994813eefca0519ecd253b855fb626a90d771eae028b0c47a199cbd9f8e3",
+ "269734af4163599090713a3fa910fa0960652721432b971036a7181a2bc0cab43b0b598bc6217461d7db305ff7e954c5b5bb231c39e791af6bcfa76b147b081321f72641482a2aad\n\nVerify = RSA-PSS-4\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 934bb0d38d6836daec9de82a9648d4593da67cd2\nOutput = 0486644bc66bf75d28335a6179b10851f43f09bded9fac1af33252bb9953ba4298cd6466b27539a70adaa3f89b3db3c74ab635d122f4ee7ce557a61e59b82ffb786630e5f9db53c77d9a0c12fab5958d4c2ce7daa807cd89ba2cc7fcd02ff470ca67b229fcce814c852c73cc93bea35be68459ce478e9d4655d121c8472f371d4f\n\nVerify = RSA-PSS-4\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = ec35d81abd1cceac425a935758b683465c8bd879\nOutput = 022a80045353904cb30cbb542d7d4990421a6eec16a8029a8422adfd22d6aff8c4cc0294af110a0c067ec86a7d364134459bb1ae8ff836d5a8a2579840996b320b19f13a13fad378d931a65625dae2739f0c53670b35d9d3cbac08e733e4ec2b83af4b9196d63e7c4ff1ddeae2a122791a125bfea8deb0de8ccf1f4ffaf6e6fb0a\n\nVerify = RSA-PSS-4\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 72ce251d17b04dd3970d6ff1fbe3624899e9e941\nOutput = 00938dcb6d583046065f69c78da7a1f1757066a7fa75125a9d2929f0b79a60b627b082f11f5b196f28eb9daa6f21c05e5140f6aef1737d2023075c05ecf04a028c686a2ab3e7d5a0664f295ce12995e890908b6ad21f0839eb65b70393a7b5afd9871de0caa0cedec5b819626756209d13ab1e7bb9546a26ff37e9a51af9fd562e\n\nPublicKey = RSA-PSS-5\nType = RSA\nInput = 30819f300d06092a864886f70d010101050003818d003081890281810d10f661f29940f5ed39aa260966deb47843679d2b6fb25b3de370f3ac7c19916391fd25fb527ebfa6a4b4df45a1759d996c4bb4ebd18828c44fc52d0191871740525f47a4b0cc8da325ed8aa676b0d0f626e0a77f07692170acac8082f42faa7dc7cd123e730e31a87985204cabcbe6670d43a2dd2b2ddef5e05392fc213bc5070203010001\n\nVerify = RSA-PSS-5\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = d98b7061943510bc3dd9162f7169aabdbdcd0222\nOutput = 0ba373f76e0921b70a8fbfe622f0bf77b28a3db98e361051c3d7cb92ad0452915a4de9c01722f6823eeb6adf7e0ca8290f5de3e549890ac2a3c5950ab217ba58590894952de96f8df111b2575215da6c161590c745be612476ee578ed384ab33e3ece97481a252f5c79a98b5532ae00cdd62f2ecc0cd1baefe80d80b962193ec1d\n\nVerify = RSA-PSS-5\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 7ae8e699f754988f4fd645e463302e49a2552072\nOutput = 08180de825e4b8b014a32da8ba761555921204f2f90d5f24b712908ff84f3e220ad17997c0dd6e706630ba3e84add4d5e7ab004e58074b549709565d43ad9e97b5a7a1a29e85b9f90f4aafcdf58321de8c5974ef9abf2d526f33c0f2f82e95d158ea6b81f1736db8d1af3d6ac6a83b32d18bae0ff1b2fe27de4c76ed8c7980a34e\n\nVerify = RSA-PSS-5\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 8d46c7c05534c1ba2cc7624500d48a4531604bff\nOutput = 05e0fdbdf6f756ef733185ccfa8ced2eb6d029d9d56e35561b5db8e70257ee6fd019d2f0bbf669fe9b9821e78df6d41e31608d58280f318ee34f559941c8df13287574bac000b7e58dc4f414ba49fb127f9d0f8936638c76e85356c994f79750f7fa3cf4fd482df75e3fb9978cd061f7abb17572e6e63e0bde12cbdcf18c68b979\n\nVerify = RSA-PSS-5\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = ee3de96783fd0a157c8b20bf5566124124dcfe65\nOutput = 0bc989853bc2ea86873271ce183a923ab65e8a53100e6df5d87a24c4194eb797813ee2a187c097dd872d591da60c568605dd7e742d5af4e33b11678ccb63903204a3d080b0902c89aba8868f009c0f1c0cb85810bbdd29121abb8471ff2d39e49fd92d56c655c8e037ad18fafbdc92c95863f7f61ea9efa28fea401369d19daea1\n\nVerify = RSA-PSS-5\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 1204df0b03c2724e2709c23fc71789a21b00ae4c\nOutput = 0aefa943b698b9609edf898ad22744ac28dc239497cea369cbbd84f65c95c0ad776b594740164b59a739c6ff7c2f07c7c077a86d95238fe51e1fcf33574a4ae0684b42a3f6bf677d91820ca89874467b2c23add77969c80717430d0efc1d3695892ce855cb7f7011630f4df26def8ddf36fc23905f57fa6243a485c770d5681fcd\n\nVerify = RSA-PSS-5\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 29926bc3280c841f601acd0d6f17ea38023eddbc\nOutput = 02802dccfa8dfaf5279bf0b4a29ba1b157611faeaaf419b8919d15941900c1339e7e92e6fae562c53e6cc8e84104b110bce03ad18525e3c49a0eadad5d3f28f244a8ed89edbafbb686277cfa8ae909714d6b28f4bf8e293aa04c41efe7c0a81266d5c061e2575be032aa464674ff71626219bd74cc45f0e7ed4e3ff96eee758e8f\n\nPublicKey = RSA-PSS-6\nType = RSA\nInput = 30819f300d06092a864886f70d010101050003818d00308189028181164ca31cff609f3a0e7101b039f2e4fe6dd37519ab98598d179e174996598071f47d3a04559158d7be373cf1aa53f0aa6ef09039e5678c2a4c63900514c8c4f8aaed5de12a5f10b09c311af8c0ffb5b7a297f2efc63b8d6b0510931f0b98e48bf5fc6ec4e7b8db1ffaeb08c38e02adb8f03a48229c99e969431f61cb8c4dc698d10203010001\n\nVerify = RSA-PSS-6\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = ab464e8cb65ae5fdea47a53fa84b234d6bfd52f6\nOutput = 04c0cfacec04e5badbece159a5a1103f69b3f32ba593cb4cc4b1b7ab455916a96a27cd2678ea0f46ba37f7fc9c86325f29733b389f1d97f43e7201c0f348fc45fe42892335362eee018b5b161f2f9393031225c713012a576bc88e23052489868d9010cbf033ecc568e8bc152bdc59d560e41291915d28565208e22aeec9ef85d1\n\nVerify = RSA-PSS-6\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 92d0bcae82b641f578f040f5151be8eda6d42299\nOutput = 0a2314250cf52b6e4e908de5b35646bcaa24361da8160fb0f9257590ab3ace42b0dc3e77ad2db7c203a20bd952fbb56b1567046ecfaa933d7b1000c3de9ff05b7d989ba46fd43bc4c2d0a3986b7ffa13471d37eb5b47d64707bd290cfd6a9f393ad08ec1e3bd71bb5792615035cdaf2d8929aed3be098379377e777ce79aaa4773\n\nVerify = RSA-PSS-6\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 3569bd8fd2e28f2443375efa94f186f6911ffc2b\nOutput = 086df6b500098c120f24ff8423f727d9c61a5c9007d3b6a31ce7cf8f3cbec1a26bb20e2bd4a046793299e03e37a21b40194fb045f90b18bf20a47992ccd799cf9c059c299c0526854954aade8a6ad9d97ec91a1145383f42468b231f4d72f23706d9853c3fa43ce8ace8bfe7484987a1ec6a16c8daf81f7c8bf42774707a9df456\n\nVerify = RSA-PSS-6\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 7abbb7b42de335730a0b641f1e314b6950b84f98\nOutput = 0b5b11ad549863ffa9c51a14a1106c2a72cc8b646e5c7262509786105a984776534ca9b54c1cc64bf2d5a44fd7e8a69db699d5ea52087a4748fd2abc1afed1e5d6f7c89025530bdaa2213d7e030fa55df6f34bcf1ce46d2edf4e3ae4f3b01891a068c9e3a44bbc43133edad6ecb9f35400c4252a5762d65744b99cb9f4c559329f\n\nVerify = RSA-PSS-6\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 55b7eb27be7a787a59eb7e5fac468db8917a7725\nOutput = 02d71fa9b53e4654fefb7f08385cf6b0ae3a817942ebf66c35ac67f0b069952a3ce9c7e1f1b02e480a9500836de5d64cdb7ecde04542f7a79988787e24c2ba05f5fd482c023ed5c30e04839dc44bed2a3a3a4fee01113c891a47d32eb8025c28cb050b5cdb576c70fe76ef523405c08417faf350b037a43c379339fcb18d3a356b\n\nVerify = RSA-PSS-6\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = de2fa0367ef49083ff89b9905d3fd646fcc12c38\nOutput = 0a40a16e2fe2b38d1df90546167cf9469c9e3c3681a3442b4b2c2f581deb385ce99fc6188bb02a841d56e76d301891e24560550fcc2a26b55f4ccb26d837d350a154bcaca8392d98fa67959e9727b78cad03269f56968fc56b68bd679926d83cc9cb215550645ccda31c760ff35888943d2d8a1d351e81e5d07b86182e751081ef\n\nPublicKey = RSA-PSS-7\nType = RSA\nInput = 30819f300d06092a864886f70d010101050003818d0030818902818137c9da4a66c8c408b8da27d0c9d79f8ccb1eafc1d2fe48746d940b7c4ef5dee18ad12647cefaa0c4b3188b221c515386759b93f02024b25ab9242f8357d8f3fd49640ee5e643eaf6c64deefa7089727c8ff03993333915c6ef21bf5975b6e50d118b51008ec33e9f01a0a545a10a836a43ddbca9d8b5c5d3548022d7064ea29ab30203010001\n\nVerify = RSA-PSS-7\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 8be4afbdd76bd8d142c5f4f46dba771ee5d6d29d\nOutput = 187f390723c8902591f0154bae6d4ecbffe067f0e8b795476ea4f4d51ccc810520bb3ca9bca7d0b1f2ea8a17d873fa27570acd642e3808561cb9e975ccfd80b23dc5771cdb3306a5f23159dacbd3aa2db93d46d766e09ed15d900ad897a8d274dc26b47e994a27e97e2268a766533ae4b5e42a2fcaf755c1c4794b294c60555823\n\nVerify = RSA-PSS-7\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 402140dc605b2f5c5ec0d15bce9f9ba8857fe117\nOutput = 10fd89768a60a67788abb5856a787c8561f3edcf9a83e898f7dc87ab8cce79429b43e56906941a886194f137e591fe7c339555361fbbe1f24feb2d4bcdb80601f3096bc9132deea60ae13082f44f9ad41cd628936a4d51176e42fc59cb76db815ce5ab4db99a104aafea68f5d330329ebf258d4ede16064bd1d00393d5e1570eb8\n\nVerify = RSA-PSS-7\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 3e885205892ff2b6b37c2c4eb486c4bf2f9e7f20\nOutput = 2b31fde99859b977aa09586d8e274662b25a2a640640b457f594051cb1e7f7a911865455242926cf88fe80dfa3a75ba9689844a11e634a82b075afbd69c12a0df9d25f84ad4945df3dc8fe90c3cefdf26e95f0534304b5bdba20d3e5640a2ebfb898aac35ae40f26fce5563c2f9f24f3042af76f3c7072d687bbfb959a88460af1\n\nVerify = RSA-PSS-7\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 1fc2201d0c442a4736cd8b2cd00c959c47a3bf42\nOutput = 32c7ca38ff26949a15000c4ba04b2b13b35a3810e568184d7ecabaa166b7ffabddf2b6cf4ba07124923790f2e5b1a5be040aea36fe132ec130e1f10567982d17ac3e89b8d",
+ "26c3094034e762d2e031264f01170beecb3d1439e05846f25458367a7d9c02060444672671e64e877864559ca19b2074d588a281b5804d23772fbbe19\n\nVerify = RSA-PSS-7\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = e4351b66819e5a31501f89acc7faf57030e9aac5\nOutput = 07eb651d75f1b52bc263b2e198336e99fbebc4f332049a922a10815607ee2d989db3a4495b7dccd38f58a211fb7e193171a3d891132437ebca44f318b280509e52b5fa98fcce8205d9697c8ee4b7ff59d4c59c79038a1970bd2a0d451ecdc5ef11d9979c9d35f8c70a6163717607890d586a7c6dc01c79f86a8f28e85235f8c2f1\n\nVerify = RSA-PSS-7\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 49f6cc58365e514e1a3f301f4de16f9fb5347ff2\nOutput = 18da3cdcfe79bfb77fd9c32f377ad399146f0a8e810620233271a6e3ed3248903f5cdc92dc79b55d3e11615aa056a795853792a3998c349ca5c457e8ca7d29d796aa24f83491709befcfb1510ea513c92829a3f00b104f655634f320752e130ec0ccf6754ff893db302932bb025eb60e87822598fc619e0e981737a9a4c4152d33\n\nPublicKey = RSA-PSS-8\nType = RSA\nInput = 30819f300d06092a864886f70d010101050003818d00308189028181495370a1fb18543c16d3631e3163255df62be6eee890d5f25509e4f778a8ea6fbbbcdf85dff64e0d972003ab3681fbba6dd41fd541829b2e582de9f2a4a4e0a2d0900bef4753db3cee0ee06c7dfae8b1d53b5953218f9cceea695b08668edeaadced9463b1d790d5ebf27e9115b46cad4d9a2b8efab0561b0810344739ada0733f0203010001\n\nVerify = RSA-PSS-8\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = a1dd230d8ead860199b6277c2ecfe3d95f6d9160\nOutput = 0262ac254bfa77f3c1aca22c5179f8f040422b3c5bafd40a8f21cf0fa5a667ccd5993d42dbafb409c520e25fce2b1ee1e716577f1efa17f3da28052f40f0419b23106d7845aaf01125b698e7a4dfe92d3967bb00c4d0d35ba3552ab9a8b3eef07c7fecdbc5424ac4db1e20cb37d0b2744769940ea907e17fbbca673b20522380c5\n\nVerify = RSA-PSS-8\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = f6e68e53c602c5c65fa67b5aa6d786e5524b12ab\nOutput = 2707b9ad5115c58c94e932e8ec0a280f56339e44a1b58d4ddcff2f312e5f34dcfe39e89c6a94dcee86dbbdae5b79ba4e0819a9e7bfd9d982e7ee6c86ee68396e8b3a14c9c8f34b178eb741f9d3f121109bf5c8172fada2e768f9ea1433032c004a8aa07eb990000a48dc94c8bac8aabe2b09b1aa46c0a2aa0e12f63fbba775ba7e\n\nVerify = RSA-PSS-8\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = d6f9fcd3ae27f32bb2c7c93536782eba52af1f76\nOutput = 2ad20509d78cf26d1b6c406146086e4b0c91a91c2bd164c87b966b8faa42aa0ca446022323ba4b1a1b89706d7f4c3be57d7b69702d168ab5955ee290356b8c4a29ed467d547ec23cbadf286ccb5863c6679da467fc9324a151c7ec55aac6db4084f82726825cfe1aa421bc64049fb42f23148f9c25b2dc300437c38d428aa75f96\n\nVerify = RSA-PSS-8\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 7ff2a53ce2e2d900d468e498f230a5f5dd0020de\nOutput = 1e24e6e58628e5175044a9eb6d837d48af1260b0520e87327de7897ee4d5b9f0df0be3e09ed4dea8c1454ff3423bb08e1793245a9df8bf6ab3968c8eddc3b5328571c77f091cc578576912dfebd164b9de5454fe0be1c1f6385b328360ce67ec7a05f6e30eb45c17c48ac70041d2cab67f0a2ae7aafdcc8d245ea3442a6300ccc7\n\nVerify = RSA-PSS-8\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 4eb309f7022ba0b03bb78601b12931ec7c1be8d3\nOutput = 33341ba3576a130a50e2a5cf8679224388d5693f5accc235ac95add68e5eb1eec31666d0ca7a1cda6f70a1aa762c05752a51950cdb8af3c5379f18cfe6b5bc55a4648226a15e912ef19ad77adeea911d67cfefd69ba43fa4119135ff642117ba985a7e0100325e9519f1ca6a9216bda055b5785015291125e90dcd07a2ca9673ee\n\nVerify = RSA-PSS-8\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 65033bc2f67d6aba7d526acb873b8d9241e5e4d9\nOutput = 1ed1d848fb1edb44129bd9b354795af97a069a7a00d0151048593e0c72c3517ff9ff2a41d0cb5a0ac860d736a199704f7cb6a53986a88bbd8abcc0076a2ce847880031525d449da2ac78356374c536e343faa7cba42a5aaa6506087791c06a8e989335aed19bfab2d5e67e27fb0c2875af896c21b6e8e7309d04e4f6727e69463e\n\nPublicKey = RSA-PSS-9\nType = RSA\nInput = 3081df300d06092a864886f70d01010105000381cd003081c90281c100e6bd692ac96645790403fdd0f5beb8b9bf92ed10007fc365046419dd06c05c5b5b2f48ecf989e4ce269109979cbb40b4a0ad24d22483d1ee315ad4ccb1534268352691c524f6dd8e6c29d224cf246973aec86c5bf6b1401a850d1b9ad1bb8cbcec47b06f0f8c7f45d3fc8f319299c5433ddbc2b3053b47ded2ecd4a4caefd614833dc8bb622f317ed076b8057fe8de3f84480ad5e83e4a61904a4f248fb397027357e1d30e463139815c6fd4fd5ac5b8172a45230ecb6318a04f1455d84e5a8b0203010001\n\nVerify = RSA-PSS-9\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 2715a49b8b0012cd7aee84c116446e6dfe3faec0\nOutput = 586107226c3ce013a7c8f04d1a6a2959bb4b8e205ba43a27b50f124111bc35ef589b039f5932187cb696d7d9a32c0c38300a5cdda4834b62d2eb240af33f79d13dfbf095bf599e0d9686948c1964747b67e89c9aba5cd85016236f566cc5802cb13ead51bc7ca6bef3b94dcbdbb1d570469771df0e00b1a8a06777472d2316279edae86474668d4e1efff95f1de61c6020da32ae92bbf16520fef3cf4d88f61121f24bbd9fe91b59caf1235b2a93ff81fc403addf4ebdea84934a9cdaf8e1a9e\n\nVerify = RSA-PSS-9\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 2dac956d53964748ac364d06595827c6b4f143cd\nOutput = 80b6d643255209f0a456763897ac9ed259d459b49c2887e5882ecb4434cfd66dd7e1699375381e51cd7f554f2c271704b399d42b4be2540a0eca61951f55267f7c2878c122842dadb28b01bd5f8c025f7e228418a673c03d6bc0c736d0a29546bd67f786d9d692ccea778d71d98c2063b7a71092187a4d35af108111d83e83eae46c46aa34277e06044589903788f1d5e7cee25fb485e92949118814d6f2c3ee361489016f327fb5bc517eb50470bffa1afa5f4ce9aa0ce5b8ee19bf5501b958\n\nVerify = RSA-PSS-9\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 28d98c46cccafbd3bc04e72f967a54bd3ea12298\nOutput = 484408f3898cd5f53483f80819efbf2708c34d27a8b2a6fae8b322f9240237f981817aca1846f1084daa6d7c0795f6e5bf1af59c38e1858437ce1f7ec419b98c8736adf6dd9a00b1806d2bd3ad0a73775e05f52dfef3a59ab4b08143f0df05cd1ad9d04bececa6daa4a2129803e200cbc77787caf4c1d0663a6c5987b605952019782caf2ec1426d68fb94ed1d4be816a7ed081b77e6ab330b3ffc073820fecde3727fcbe295ee61a050a343658637c3fd659cfb63736de32d9f90d3c2f63eca\n\nVerify = RSA-PSS-9\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 0866d2ff5a79f25ef668cd6f31b42dee421e4c0e\nOutput = 84ebeb481be59845b46468bafb471c0112e02b235d84b5d911cbd1926ee5074ae0424495cb20e82308b8ebb65f419a03fb40e72b78981d88aad143053685172c97b29c8b7bf0ae73b5b2263c403da0ed2f80ff7450af7828eb8b86f0028bd2a8b176a4d228cccea18394f238b09ff758cc00bc04301152355742f282b54e663a919e709d8da24ade5500a7b9aa50226e0ca52923e6c2d860ec50ff480fa57477e82b0565f4379f79c772d5c2da80af9fbf325ece6fc20b00961614bee89a183e\n\nVerify = RSA-PSS-9\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 6a5b4be4cd36cc97dfde9995efbf8f097a4a991a\nOutput = 82102df8cb91e7179919a04d26d335d64fbc2f872c44833943241de8454810274cdf3db5f42d423db152af7135f701420e39b494a67cbfd19f9119da233a23da5c6439b5ba0d2bc373eee3507001378d4a4073856b7fe2aba0b5ee93b27f4afec7d4d120921c83f606765b02c19e4d6a1a3b95fa4c422951be4f52131077ef17179729cddfbdb56950dbaceefe78cb16640a099ea56d24389eef10f8fecb31ba3ea3b227c0a86698bb89e3e9363905bf22777b2a3aa521b65b4cef76d83bde4c\n\nVerify = RSA-PSS-9\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = b9dfd1df76a461c51e6576c6c8ed0a923d1c50e7\nOutput = a7fdb0d259165ca2c88d00bbf1028a867d337699d061193b17a9648e14ccbbaadeacaacdec815e7571294ebb8a117af205fa078b47b0712c199e3ad05135c504c24b81705115740802487992ffd511d4afc6b854491eb3f0dd523139542ff15c3101ee85543517c6a3c79417c67e2dd9aa741e9a29b06dcb593c2336b3670ae3afbac7c3e76e215473e866e338ca244de00b62624d6b9426822ceae9f8cc460895f41250073fd45c5a1e7b425c204a423a699159f6903e710b37a7bb2bc8049f\n\nPublicKey = RSA-PSS-10\nType = RSA\nInput = 30820122300d06092a864886f70d01010105000382010f003082010a0282010100a5dd867ac4cb02f90b9457d48c14a770ef991c56c39c0ec65fd11afa8937cea57b9be7ac73b45c0017615b82d622e318753b6027c0fd157be12f8090fee2a7adcd0eef759f88ba4997c7a42d58c9aa12cb99ae001fe521c13bb5431445a8d5ae4f5e4c7e948ac227d3604071f20e577e905fbeb15dfaf06d1de5ae6253d63a6a2120b31a5da5dabc9550600e20f27d3739e2627925fea3cc509f21dff04e6eea4549c540d6809ff9307eede91fff58733d8385a237d6d3705a33e391900992070df7adf1357cf7e3700ce3667de83f17b8df1778db381dce09cb4ad058a511001a738198ee27cf55a13b754539906582ec8b174bd58d5d1f3d767c613721ae050203010001\n\nVerify = RSA-PSS-10\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 9596bb630cf6a8d4ea4600422b9eba8b13675dd4\nOutput = 82c2b160093b8aa3c0f7522b19f87354066c77847abf2a9fce542d0e84e920c5afb49ffdfdace16560ee94a1369601148ebad7a0e151cf16331791a5727d05f21e74e7eb811440206935d744765a15e79f015cb66c532c87a6a05961c8bfad741a9a6657022894393e7223739796c02a77455d0f555b0ec01ddf259b6207fd0fd57614cef1a5573baaff4ec00069951659b85f24300a25160ca8522dc6e6727e57d019d7e63629b8fe5e89e25cc15beb3a647577559299280b9b28f79b0409000be25bbd96408ba3b43cc486184dd1c8e62553fa1af4040f60663de7f5e49c04388e257f1ce89c95dab48a315d9b66b1b7628233876ff23852",
+ "30d070d07e1666\n\nVerify = RSA-PSS-10\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = b503319399277fd6c1c8f1033cbf04199ea21716\nOutput = 14ae35d9dd06ba92f7f3b897978aed7cd4bf5ff0b585a40bd46ce1b42cd2703053bb9044d64e813d8f96db2dd7007d10118f6f8f8496097ad75e1ff692341b2892ad55a633a1c55e7f0a0ad59a0e203a5b8278aec54dd8622e2831d87174f8caff43ee6c46445345d84a59659bfb92ecd4c818668695f34706f66828a89959637f2bf3e3251c24bdba4d4b7649da0022218b119c84e79a6527ec5b8a5f861c159952e23ec05e1e717346faefe8b1686825bd2b262fb2531066c0de09acde2e4231690728b5d85e115a2f6b92b79c25abc9bd9399ff8bcf825a52ea1f56ea76dd26f43baafa18bfa92a504cbd35699e26d1dcc5a2887385f3c63232f06f3244c3\n\nVerify = RSA-PSS-10\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 50aaede8536b2c307208b275a67ae2df196c7628\nOutput = 6e3e4d7b6b15d2fb46013b8900aa5bbb3939cf2c095717987042026ee62c74c54cffd5d7d57efbbf950a0f5c574fa09d3fc1c9f513b05b4ff50dd8df7edfa20102854c35e592180119a70ce5b085182aa02d9ea2aa90d1df03f2daae885ba2f5d05afdac97476f06b93b5bc94a1a80aa9116c4d615f333b098892b25fface266f5db5a5a3bcc10a824ed55aad35b727834fb8c07da28fcf416a5d9b2224f1f8b442b36f91e456fdea2d7cfe3367268de0307a4c74e924159ed33393d5e0655531c77327b89821bdedf880161c78cd4196b5419f7acc3f13e5ebf161b6e7c6724716ca33b85c2e25640192ac2859651d50bde7eb976e51cec828b98b6563b86bb\n\nVerify = RSA-PSS-10\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = aa0b72b8b371ddd10c8ae474425ccccf8842a294\nOutput = 34047ff96c4dc0dc90b2d4ff59a1a361a4754b255d2ee0af7d8bf87c9bc9e7ddeede33934c63ca1c0e3d262cb145ef932a1f2c0a997aa6a34f8eaee7477d82ccf09095a6b8acad38d4eec9fb7eab7ad02da1d11d8e54c1825e55bf58c2a23234b902be124f9e9038a8f68fa45dab72f66e0945bf1d8bacc9044c6f07098c9fcec58a3aab100c805178155f030a124c450e5acbda47d0e4f10b80a23f803e774d023b0015c20b9f9bbe7c91296338d5ecb471cafb032007b67a60be5f69504a9f01abb3cb467b260e2bce860be8d95bf92c0c8e1496ed1e528593a4abb6df462dde8a0968dffe4683116857a232f5ebf6c85be238745ad0f38f767a5fdbf486fb\n\nVerify = RSA-PSS-10\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = fad3902c9750622a2bc672622c48270cc57d3ea8\nOutput = 7e0935ea18f4d6c1d17ce82eb2b3836c55b384589ce19dfe743363ac9948d1f346b7bfddfe92efd78adb21faefc89ade42b10f374003fe122e67429a1cb8cbd1f8d9014564c44d120116f4990f1a6e38774c194bd1b8213286b077b0499d2e7b3f434ab12289c556684deed78131934bb3dd6537236f7c6f3dcb09d476be07721e37e1ceed9b2f7b406887bd53157305e1c8b4f84d733bc1e186fe06cc59b6edb8f4bd7ffefdf4f7ba9cfb9d570689b5a1a4109a746a690893db3799255a0cb9215d2d1cd490590e952e8c8786aa0011265252470c041dfbc3eec7c3cbf71c24869d115c0cb4a956f56d530b80ab589acfefc690751ddf36e8d383f83cedd2cc\n\nVerify = RSA-PSS-10\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 122196deb5d122bd8c6fc781ff6924d7c695aade\nOutput = 6d3b5b87f67ea657af21f75441977d2180f91b2c5f692de82955696a686730d9b9778d970758ccb26071c2209ffbd6125be2e96ea81b67cb9b9308239fda17f7b2b64ecda096b6b935640a5a1cb42a9155b1c9ef7a633a02c59f0d6ee59b852c43b35029e73c940ff0410e8f114eed46bbd0fae165e42be2528a401c3b28fd818ef3232dca9f4d2a0f5166ec59c42396d6c11dbc1215a56fa17169db9575343ef34f9de32a49cdc3174922f229c23e18e45df9353119ec4319cedce7a17c64088c1f6f52be29634100b3919d38f3d1ed94e6891e66a73b8fb849f5874df59459e298c7bbce2eee782a195aa66fe2d0732b25e595f57d3e061b1fc3e4063bf98f\n\nPrivateKey = RSA-OAEP-1\nType = RSA\nInput = 30820276020100300d06092a864886f70d0101010500048202603082025c02010002818100a8b3b284af8eb50b387034a860f146c4919f318763cd6c5598c8ae4811a1e0abc4c7e0b082d693a5e7fced675cf4668512772c0cbc64a742c6c630f533c8cc72f62ae833c40bf25842e984bb78bdbf97c0107d55bdb662f5c4e0fab9845cb5148ef7392dd3aaff93ae1e6b667bb3d4247616d4f5ba10d4cfd226de88d39f16fb020301000102818053339cfdb79fc8466a655c7316aca85c55fd8f6dd898fdaf119517ef4f52e8fd8e258df93fee180fa0e4ab29693cd83b152a553d4ac4d1812b8b9fa5af0e7f55fe7304df41570926f3311f15c4d65a732c483116ee3d3d2d0af3549ad9bf7cbfb78ad884f84d5beb04724dc7369b31def37d0cf539e9cfcdd3de653729ead5d1024100d32737e7267ffe1341b2d5c0d150a81b586fb3132bed2f8d5262864a9cb9f30af38be448598d413a172efb802c21acf1c11c520c2f26a471dcad212eac7ca39d024100cc8853d1d54da630fac004f471f281c7b8982d8224a490edbeb33d3e3d5cc93c4765703d1dd791642f1f116a0dd852be2419b2af72bfe9a030e860b0288b5d7702400e12bf1718e9cef5599ba1c3882fe8046a90874eefce8f2ccc20e4f2741fb0a33a3848aec9c9305fbecbd2d76819967d4671acc6431e4037968db37878e695c102410095297b0f95a2fa67d00707d609dfd4fc05c89dafc2ef6d6ea55bec771ea333734d9251e79082ecda866efef13c459e1a631386b7e354c899f5f112ca85d7158302404f456c502493bdc0ed2ab756a3a6ed4d67352a697d4216e93212b127a63d5411ce6fa98d5dbefd73263e3728142743818166ed7dd63687dd2a8ca1d2f4fbd8e1\n\nDecrypt = RSA-OAEP-1\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 354fe67b4a126d5d35fe36c777791a3f7ba13def484e2d3908aff722fad468fb21696de95d0be911c2d3174f8afcc201035f7b6d8e69402de5451618c21a535fa9d7bfc5b8dd9fc243f8cf927db31322d6e881eaa91a996170e657a05a266426d98c88003f8477c1227094a0d9fa1e8c4024309ce1ecccb5210035d47ac72e8a\nOutput = 6628194e12073db03ba94cda9ef9532397d50dba79b987004afefe34\n\nDecrypt = RSA-OAEP-1\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 640db1acc58e0568fe5407e5f9b701dff8c3c91e716c536fc7fcec6cb5b71c1165988d4a279e1577d730fc7a29932e3f00c81515236d8d8e31017a7a09df4352d904cdeb79aa583adcc31ea698a4c05283daba9089be5491f67c1a4ee48dc74bbbe6643aef846679b4cb395a352d5ed115912df696ffe0702932946d71492b44\nOutput = 750c4047f547e8e41411856523298ac9bae245efaf1397fbe56f9dd5\n\nDecrypt = RSA-OAEP-1\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 423736ed035f6026af276c35c0b3741b365e5f76ca091b4e8c29e2f0befee603595aa8322d602d2e625e95eb81b2f1c9724e822eca76db8618cf09c5343503a4360835b5903bc637e3879fb05e0ef32685d5aec5067cd7cc96fe4b2670b6eac3066b1fcf5686b68589aafb7d629b02d8f8625ca3833624d4800fb081b1cf94eb\nOutput = d94ae0832e6445ce42331cb06d531a82b1db4baad30f746dc916df24d4e3c2451fff59a6423eb0e1d02d4fe646cf699dfd818c6e97b051\n\nDecrypt = RSA-OAEP-1\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 45ead4ca551e662c9800f1aca8283b0525e6abae30be4b4aba762fa40fd3d38e22abefc69794f6ebbbc05ddbb11216247d2f412fd0fba87c6e3acd888813646fd0e48e785204f9c3f73d6d8239562722dddd8771fec48b83a31ee6f592c4cfd4bc88174f3b13a112aae3b9f7b80e0fc6f7255ba880dc7d8021e22ad6a85f0755\nOutput = 52e650d98e7f2a048b4f86852153b97e01dd316f346a19f67a85\n\nDecrypt = RSA-OAEP-1\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 36f6e34d94a8d34daacba33a2139d00ad85a9345a86051e73071620056b920e219005855a213a0f23897cdcd731b45257c777fe908202befdd0b58386b1244ea0cf539a05d5d10329da44e13030fd760dcd644cfef2094d1910d3f433e1c7c6dd18bc1f2df7f643d662fb9dd37ead9059190f4fa66ca39e869c4eb449cbdc439\nOutput = 8da89fd9e5f974a29feffb462b49180f6cf9e802\n\nDecrypt = RSA-OAEP-1\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 42cee2617b1ecea4db3f4829386fbd61dafbf038e180d837c96366df24c097b4ab0fac6bdf590d821c9f10642e681ad05b8d78b378c0f46ce2fad63f74e0ad3df06b075d7eb5f5636f8d403b9059ca761b5c62bb52aa45002ea70baace08ded243b9d8cbd62a68ade265832b56564e43a6fa42ed199a099769742df1539e8255\nOutput = 26521050844271\n\nPrivateKey = RSA-OAEP-2\nType = RSA\nInput = 30820276020100300d06092a864886f70d0101010500048202603082025c02010002818101947c7fce90425f47279e70851f25d5e62316fe8a1df19371e3e628e260543e4901ef6081f68c0b8141190d2ae8daba7d1250ec6db636e944ec3722877c7c1d0a67f14b1694c5f0379451a43e49a32dde83670b73da91a1c99bc23b436a60055c610f0baf99c1a079565b95a3f1526632d1d4da60f20eda25e653c4f002766f4502030100010281800823f20fadb5da89088a9d00893e21fa4a1b11fbc93c64a3be0baaea97fb3b93c3ff713704c19c963c1d107aae99054739f79e02e186de86f87a6ddefea6d8ccd1d3c81a47bfa7255be20601a4a4b2f08a167b5e279d715b1b455bdd7eab245941d9768b9acefb3ccda5952da3cee72525b4501663a8ee15c9e992d92462fe3902410159dbde04a33ef06fb608b80b190f4d3e22bcc13ac8e4a081033abfa416edb0b338aa08b57309ea5a5240e7dc6e54378c69414c31d97ddb1f406db3769cc41a430241012b652f30403b38b40995fd6ff41a1acc8ada70373236b7202d39b2ee30cfb46db09511f6f307cc61cc21606c18a75b8a62f822df031ba0df0dafd5506f568bd70240436ef508de736519c2da4c580d98c82cb7452a3fb5efadc3b9c7789a1bc6584f795addbbd32439c74686552ecb6c2c307a4d3af7f539eec157248c7b31f1a2550241012b15a89f3dfb2b39073e73f02bdd0c1a7b379dd435f05cdde2eff9e462948b7cec62ee9050d5e0816e0785a856b49108dcb75f3683874d1ca6329a19013066ff02400270db17d5914b018d76118b24389a7350ec836b0063a21721236fd8edb6d89b51e7eeb87b611b7132cb7ea7356c23151c1e7751507c786d9ee1794170a8c8e8\n\nDecrypt = RSA-OAEP-2\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 0181af8922b9fcb4d79d92eb",
+ "e19815992fc0c1439d8bcd491398a0f4ad3a329a5bd9385560db532683c8b7da04e4b12aed6aacdf471c34c9cda891addcc2df3456653aa6382e9ae59b54455257eb099d562bbe10453f2b6d13c59c02e10f1f8abb5da0d0570932dacf2d0901db729d0fefcc054e70968ea540c81b04bcaefe720e\nOutput = 8ff00caa605c702830634d9a6c3d42c652b58cf1d92fec570beee7\n\nDecrypt = RSA-OAEP-2\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 018759ff1df63b2792410562314416a8aeaf2ac634b46f940ab82d64dbf165eee33011da749d4bab6e2fcd18129c9e49277d8453112b429a222a8471b070993998e758861c4d3f6d749d91c4290d332c7a4ab3f7ea35ff3a07d497c955ff0ffc95006b62c6d296810d9bfab024196c7934012c2df978ef299aba239940cba10245\nOutput = 2d\n\nDecrypt = RSA-OAEP-2\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 018802bab04c60325e81c4962311f2be7c2adce93041a00719c88f957575f2c79f1b7bc8ced115c706b311c08a2d986ca3b6a9336b147c29c6f229409ddec651bd1fdd5a0b7f610c9937fdb4a3a762364b8b3206b4ea485fd098d08f63d4aa8bb2697d027b750c32d7f74eaf5180d2e9b66b17cb2fa55523bc280da10d14be2053\nOutput = 74fc88c51bc90f77af9d5e9a4a70133d4b4e0b34da3c37c7ef8e\n\nDecrypt = RSA-OAEP-2\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 00a4578cbc176318a638fba7d01df15746af44d4f6cd96d7e7c495cbf425b09c649d32bf886da48fbaf989a2117187cafb1fb580317690e3ccd446920b7af82b31db5804d87d01514acbfa9156e782f867f6bed9449e0e9a2c09bcecc6aa087636965e34b3ec766f2fe2e43018a2fddeb140616a0e9d82e5331024ee0652fc7641\nOutput = a7eb2a5036931d27d4e891326d99692ffadda9bf7efd3e34e622c4adc085f721dfe885072c78a203b151739be540fa8c153a10f00a\n\nDecrypt = RSA-OAEP-2\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 00ebc5f5fda77cfdad3c83641a9025e77d72d8a6fb33a810f5950f8d74c73e8d931e8634d86ab1246256ae07b6005b71b7f2fb98351218331ce69b8ffbdc9da08bbc9c704f876deb9df9fc2ec065cad87f9090b07acc17aa7f997b27aca48806e897f771d95141fe4526d8a5301b678627efab707fd40fbebd6e792a25613e7aec\nOutput = 2ef2b066f854c33f3bdcbb5994a435e73d6c6c\n\nDecrypt = RSA-OAEP-2\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 010839ec20c27b9052e55befb9b77e6fc26e9075d7a54378c646abdf51e445bd5715de81789f56f1803d9170764a9e93cb78798694023ee7393ce04bc5d8f8c5a52c171d43837e3aca62f609eb0aa5ffb0960ef04198dd754f57f7fbe6abf765cf118b4ca443b23b5aab266f952326ac4581100644325f8b721acd5d04ff14ef3a\nOutput = 8a7fb344c8b6cb2cf2ef1f643f9a3218f6e19bba89c0\n\nPrivateKey = RSA-OAEP-3\nType = RSA\nInput = 30820277020100300d06092a864886f70d0101010500048202613082025d02010002818102b58fec039a860700a4d7b6462f93e6cdd491161ddd74f4e810b40e3c1652006a5c277b2774c11305a4cbab5a78efa57e17a86df7a3fa36fc4b1d2249f22ec7c2dd6a463232accea906d66ebe80b5704b10729da6f833234abb5efdd4a292cbfad33b4d33fa7a14b8c397b56e3acd21203428b77cdfa33a6da706b3d8b0fc43e9020301000102818015b48a5b5683a94670e23b5718f814fa0e13f85038f50711182cba61510581f3d22c7e232ef937e22e551d68b86e2f8cb1aad8be2e488f5df7efd279e3f568d4eaf36f80cf7141ace60fcc9113fb6c4a841fd50bbc7c512ffcbeff21487aa811eb3ca8c62005346a86de86bfa1d8a948fd3f348c22eaadf333c3ce6ce13208fd024101bf01d216d73595cf0270c2beb78d40a0d8447d31da919a983f7eea781b77d85fe371b3e9373e7b69217d3150a02d8958de7fad9d555160958b4454127e0e7eaf0241018d3399658166db3829816d7b295416759e9c91987f5b2d8aecd63b04b48bd7b2fcf229bb7f8a6dc88ba13dd2e39ad55b6d1a06160708f9700be80b8fd3744ce7024006c0a249d20a6f2ee75c88b494d53f6aae99aa427c88c28b163a769445e5f390cf40c274fd6ea6329a5ce7c7ce03a2158396ee2a7845786e09e2885a9728e4e5024100d1d27c29fedd92d86c348edd0ccbfac14f746e051ce1d1811df35d61f2ee1c97d4bf2804802f6427187ba8e90a8af44243b4079b03445e602e29fa5193e64fe90241008cb2f756bd8941b1d3b770e5ad31ee373b28acda69ff9b6f40fe578b9f1afb85836f9627d37acff73c2779e634bb26011c2c8f7f3361ae2a9ea65ed689e3639a\n\nDecrypt = RSA-OAEP-3\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 026a0485d96aebd96b4382085099b962e6a2bdec3d90c8db625e14372de85e2d5b7baab65c8faf91bb5504fb495afce5c988b3f6a52e20e1d6cbd3566c5cd1f2b8318bb542cc0ea25c4aab9932afa20760eaddec784396a07ea0ef24d4e6f4d37e5052a7a31e146aa480a111bbe926401307e00f410033842b6d82fe5ce4dfae80\nOutput = 087820b569e8fa8d\n\nDecrypt = RSA-OAEP-3\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 024db89c7802989be0783847863084941bf209d761987e38f97cb5f6f1bc88da72a50b73ebaf11c879c4f95df37b850b8f65d7622e25b1b889e80fe80baca2069d6e0e1d829953fc459069de98ea9798b451e557e99abf8fe3d9ccf9096ebbf3e5255d3b4e1c6d2ecadf067a359eea86405acd47d5e165517ccafd47d6dbee4bf5\nOutput = 4653acaf171960b01f52a7be63a3ab21dc368ec43b50d82ec3781e04\n\nDecrypt = RSA-OAEP-3\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 0239bce681032441528877d6d1c8bb28aa3bc97f1df584563618995797683844ca86664732f4bed7a0aab083aaabfb7238f582e30958c2024e44e57043b97950fd543da977c90cdde5337d618442f99e60d7783ab59ce6dd9d69c47ad1e962bec22d05895cff8d3f64ed5261d92b2678510393484990ba3f7f06818ae6ffce8a3a\nOutput = d94cd0e08fa404ed89\n\nDecrypt = RSA-OAEP-3\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 02994c62afd76f498ba1fd2cf642857fca81f4373cb08f1cbaee6f025c3b512b42c3e8779113476648039dbe0493f9246292fac28950600e7c0f32edf9c81b9dec45c3bde0cc8d8847590169907b7dc5991ceb29bb0714d613d96df0f12ec5d8d3507c8ee7ae78dd83f216fa61de100363aca48a7e914ae9f42ddfbe943b09d9a0\nOutput = 6cc641b6b61e6f963974dad23a9013284ef1\n\nDecrypt = RSA-OAEP-3\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 0162042ff6969592a6167031811a239834ce638abf54fec8b99478122afe2ee67f8c5b18b0339805bfdbc5a4e6720b37c59cfba942464c597ff532a119821545fd2e59b114e61daf71820529f5029cf524954327c34ec5e6f5ba7efcc4de943ab8ad4ed787b1454329f70db798a3a8f4d92f8274e2b2948ade627ce8ee33e43c60\nOutput = df5151832b61f4f25891fb4172f328d2eddf8371ffcfdbe997939295f30eca6918017cfda1153bf7a6af87593223\n\nDecrypt = RSA-OAEP-3\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 00112051e75d064943bc4478075e43482fd59cee0679de6893eec3a943daa490b9691c93dfc0464b6623b9f3dbd3e70083264f034b374f74164e1a00763725e574744ba0b9db83434f31df96f6e2a26f6d8eba348bd4686c2238ac07c37aac3785d1c7eea2f819fd91491798ed8e9cef5e43b781b0e0276e37c43ff9492d005730\nOutput = 3c3bad893c544a6d520ab022319188c8d504b7a788b850903b85972eaa18552e1134a7ad6098826254ff7ab672b3d8eb3158fac6d4cbaef1\n\nPrivateKey = RSA-OAEP-4\nType = RSA\nInput = 30820277020100300d06092a864886f70d0101010500048202613082025d020100028181051240b6cc0004fa48d0134671c078c7c8dec3b3e2f25bc2564467339db38853d06b85eea5b2de353bff42ac2e46bc97fae6ac9618da9537a5c8f553c1e357625991d6108dcd7885fb3a25413f53efcad948cb35cd9b9ae9c1c67626d113d57dde4c5bea76bb5bb7de96c00d07372e9685a6d75cf9d239fa148d70931b5f3fb03902030100010281800411ffca3b7ca5e9e9be7fe38a85105e353896db05c5796aecd2a725161eb3651c8629a9b862b904d7b0c7b37f8cb5a1c2b54001018a00a1eb2cafe4ee4e9492c348bc2bedab4b9ebbf064e8eff322b9009f8eec653905f40df88a3cdc49d4567f75627d41aca624129b46a0b7c698e5e65f2b7ba102c749a10135b6540d04010241027458c19ec1636919e736c9af25d609a51b8f561d19c6bf6943dd1ee1ab8a4a3f232100bd40b88decc6ba235548b6ef792a11c9de823d0a7922c7095b6eba570102410210ee9b33ab61716e27d251bd465f4b35a1a232e2da00901c294bf22350ce490d099f642b5375612db63ba1f20386492bf04d34b3c22bceb909d13441b53b5139024039fa028b826e88c1121b750a8b242fa9a35c5b66bdfd1fa637d3cc48a84a4f457a194e7727e49f7bcc6e5a5a412657fc470c7322ebc37416ef458c307a8c09010241015d99a84195943979fa9e1be2c3c1b69f432f46fd03e47d5befbbbfd6b1d1371d83efb330a3e020942b2fed115e5d02be24fd92c9019d1cecd6dd4cf1e54cc899024101f0b7015170b3f5e42223ba30301c41a6d87cbb70e30cb7d3c67d25473db1f6cbf03e3f9126e3e97968279a865b2c2b426524cfc52a683d31ed30eb984be412ba\n\nDecrypt = RSA-OAEP-4\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 04cce19614845e094152a3fe18e54e3330c44e5efbc64ae16886cb1869014cc5781b1f8f9e045384d0112a135ca0d12e9c88a8e4063416deaae3844f60d6e96fe155145f4525b9a34431ca3766180f70e15a5e5d8e8b1a516ff870609f13f896935ced188279a58ed13d07114277d75c6568607e0ab092fd803a223e4a8ee0b1a8\nOutput = 4a86609534ee434a6cbca3f7e962e76d455e3264c19f605f6e5ff6137c65c56d7fb344cd52bc93374f3d166c9f0c6f9c506bad19330972d2\n\nDecrypt = RSA-OAEP-4\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 0097b698c6165645b303486fbf5a2a4479c0ee85889b541a6f0b858d6b6597b13b854eb4f839af03399a80d79bda6578c841f90d645715b280d37143992dd186c80b949b775cae97370e4ec97443136c6da484e970ffdb1323a20847821d3b18381de13bb49aaea66530c4a4b8271f3eae172cd366e07e6636f1019d2a28aed15e\nOutput = b0adc4f3fe11da59ce992773d9059943c03046497ee9d9f9a06df1166db46d98f58d27ec074c02eee6cbe2449c8b9fc5080c5c3f4433092512ec46aa793743c8\n\nDecrypt = RSA-OAEP-4\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 0301f935e9c47abcb48acbbe09895d",
+ "9f5971af14839da4ff95417ee453d1fd77319072bb7297e1b55d7561cd9d1bb24c1a9a37c619864308242804879d86ebd001dce5183975e1506989b70e5a83434154d5cbfd6a24787e60eb0c658d2ac193302d1192c6e622d4a12ad4b53923bca246df31c6395e37702c6a78ae081fb9d065\nOutput = bf6d42e701707b1d0206b0c8b45a1c72641ff12889219a82bdea965b5e79a96b0d0163ed9d578ec9ada20f2fbcf1ea3c4089d83419ba81b0c60f3606da99\n\nDecrypt = RSA-OAEP-4\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 02d110ad30afb727beb691dd0cf17d0af1a1e7fa0cc040ec1a4ba26a42c59d0a796a2e22c8f357ccc98b6519aceb682e945e62cb734614a529407cd452bee3e44fece8423cc19e55548b8b994b849c7ecde4933e76037e1d0ce44275b08710c68e430130b929730ed77e09b015642c5593f04e4ffb9410798102a8e96ffdfe11e4\nOutput = fb2ef112f5e766eb94019297934794f7be2f6fc1c58e\n\nDecrypt = RSA-OAEP-4\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 00dbb8a7439d90efd919a377c54fae8fe11ec58c3b858362e23ad1b8a44310799066b99347aa525691d2adc58d9b06e34f288c170390c5f0e11c0aa3645959f18ee79e8f2be8d7ac5c23d061f18dd74b8c5f2a58fcb5eb0c54f99f01a83247568292536583340948d7a8c97c4acd1e98d1e29dc320e97a260532a8aa7a758a1ec2\nOutput = 28ccd447bb9e85166dabb9e5b7d1adadc4b9d39f204e96d5e440ce9ad928bc1c2284\n\nDecrypt = RSA-OAEP-4\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 00a5ffa4768c8bbecaee2db77e8f2eec99595933545520835e5ba7db9493d3e17cddefe6a5f567624471908db4e2d83a0fbee60608fc84049503b2234a07dc83b27b22847ad8920ff42f674ef79b76280b00233d2b51b8cb2703a9d42bfbc8250c96ec32c051e57f1b4ba528db89c37e4c54e27e6e64ac69635ae887d9541619a9\nOutput = f22242751ec6b1\n\nPrivateKey = RSA-OAEP-5\nType = RSA\nInput = 30820279020100300d06092a864886f70d0101010500048202633082025f0201000281810aadf3f9c125e5d891f31ac448e993defe580f802b45f9d7f22ba5021e9c47576b5a1e68031ba9db4e6dabe4d96a1d6f3d267268cff408005f118efcadb99888d1c234467166b2a2b849a05a889c060ac0da0c5fae8b55f309ba62e703742fa0326f2d10b011021489ff497770190d895fd39f52293c39efd73a698bdab9f10ed902030100010281810256eb4cba7067f2d2be540dcdff4582a36b7d31d1c9099bb214b79848466a268f80f58a49ac04c0e3648934a0206c04537c19b236643a6082732144df75fa217588f794682be89168276dc726c5c0cbdb84d31bbf26d0a43af495717f7d528acfee341561f6ff3cae05c578f8470d9682f9c0d072f9f6068b56d5880f682be2c5024103b0d3962f6d17549cbfca11294348dcf0e7e39f8c2bc6824f2164b606d687860dae1e632393cfedf513228229069e2f60e4acd7e633a436063f82385f48993707024102e4c32e2f517269b7072309f00c0e31365f7ce28b236b82912df239abf39572cf0ed604b02982e53564c52d6a05397de5c052a2fddc141ef7189836346aeb331f024101e84b119d25161fa67b00256a5bd9b645d2b232ecb05b015180029a88622adc3f09b3aeacde6161ab7cde22c2ad26e7797df54e072cbd3b2673800b3e4338dbd5024100eb90aa1a40135b4cea07197cedc8819be1e7cbff2547662116f465a4a9f487ab12f3ba4fef13822265a65297d98b7bded9372e3ffe81a38b3e9600fed055754f0241012f7f8138f9404062eb85a42924520b38f5bb886a0196f48bb8dcea60fd92cc027f18e78158a34a5c5d5f860a0f6c04071a7d01312c065062f1eb48b79d1c83cb\n\nDecrypt = RSA-OAEP-5\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 036046a4a47d9ed3ba9a89139c105038eb7492b05a5d68bfd53accff4597f7a68651b47b4a4627d927e485eed7b4566420e8b409879e5d606eae251d22a5df799f7920bfc117b992572a53b1263146bcea03385cc5e853c9a101c8c3e1bda31a519807496c6cb5e5efb408823a352b8fa0661fb664efadd593deb99fff5ed000e5\nOutput = af71a901e3a61d3132f0fc1fdb474f9ea6579257ffc24d164170145b3dbde8\n\nDecrypt = RSA-OAEP-5\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 03d6eb654edce615bc59f455265ed4e5a18223cbb9be4e4069b473804d5de96f54dcaaa603d049c5d94aa1470dfcd2254066b7c7b61ff1f6f6770e3215c51399fd4e34ec5082bc48f089840ad04354ae66dc0f1bd18e461a33cc1258b443a2837a6df26759aa2302334986f87380c9cc9d53be9f99605d2c9a97da7b0915a4a7ad\nOutput = a3b844a08239a8ac41605af17a6cfda4d350136585903a417a79268760519a4b4ac3303ec73f0f87cfb32399\n\nDecrypt = RSA-OAEP-5\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 0770952181649f9f9f07ff626ff3a22c35c462443d905d456a9fd0bff43cac2ca7a9f554e9478b9acc3ac838b02040ffd3e1847de2e4253929f9dd9ee4044325a9b05cabb808b2ee840d34e15d105a3f1f7b27695a1a07a2d73fe08ecaaa3c9c9d4d5a89ff890d54727d7ae40c0ec1a8dd86165d8ee2c6368141016a48b55b6967\nOutput = 308b0ecbd2c76cb77fc6f70c5edd233fd2f20929d629f026953bb62a8f4a3a314bde195de85b5f816da2aab074d26cb6acddf323ae3b9c678ac3cf12fbdde7\n\nDecrypt = RSA-OAEP-5\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 0812b76768ebcb642d040258e5f4441a018521bd96687e6c5e899fcd6c17588ff59a82cc8ae03a4b45b31299af1788c329f7dcd285f8cf4ced82606b97612671a45bedca133442144d1617d114f802857f0f9d739751c57a3f9ee400912c61e2e6992be031a43dd48fa6ba14eef7c422b5edc4e7afa04fdd38f402d1c8bb719abf\nOutput = 15c5b9ee1185\n\nDecrypt = RSA-OAEP-5\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 07b60e14ec954bfd29e60d0047e789f51d57186c63589903306793ced3f68241c743529aba6a6374f92e19e0163efa33697e196f7661dfaaa47aac6bde5e51deb507c72c589a2ca1693d96b1460381249b2cdb9eac44769f2489c5d3d2f99f0ee3c7ee5bf64a5ac79c42bd433f149be8cb59548361640595513c97af7bc2509723\nOutput = 21026e6800c7fa728fcaaba0d196ae28d7a2ac4ffd8abce794f0985f60c8a6737277365d3fea11db8923a2029a\n\nDecrypt = RSA-OAEP-5\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 08c36d4dda33423b2ed6830d85f6411ba1dcf470a1fae0ebefee7c089f256cef74cb96ea69c38f60f39abee44129bcb4c92de7f797623b20074e3d9c2899701ed9071e1efa0bdd84d4c3e5130302d8f0240baba4b84a71cc032f2235a5ff0fae277c3e8f9112bef44c9ae20d175fc9a4058bfc930ba31b02e2e4f444483710f24a\nOutput = 541e37b68b6c8872b84c02\n\nPrivateKey = RSA-OAEP-6\nType = RSA\nInput = 30820279020100300d06092a864886f70d0101010500048202633082025f02010002818112b17f6dad2ecd19ff46dc13f7860f09e0e0cfb677b38a52592305ceaf022c166db90d04ac29e33f7dd12d9faf66e0816bb63ead267cc7d46c17c37be214bca2a22d723a64e44407436b6fc965729aefc2554f376cd5dcea68293780a62bf39d0029485a160bbb9e5dc0972d21a504f52e5ee028aa416332f510b2e9cff5f722af02030100010281810295eca3560618369559cecd303aa9cfdafc1d9f06959df75ffef929aa896961bcd190dc6997eda7f5963e724d07b4dc11f3065e5ae97d96835112280b9084bb14f2a21ebd4e889d41b9c4132ec1956fcab8bb2fed0575884936522c5ff7d33261904824e7cadee4e0bb372d2457cf78e2bd1286228ff83f10731ce63c90cff3f9024104a6ce8b7358dfa69bdcf742617005afb5385f5f3a58a24ef74a22a8c05cb7cc38ebd4cc9d9a9d789a62cd0f60f0cb941d3423c9692efa4fe3adff290c4749a38b02410404c9a803371fedb4c5be39f3c00b009e5e08a63be1e40035cdaca5011cc701cf7eebcb99f0ffe17cfd0a4bf7befd2dd536ac946db797fdbc4abe8f29349b91ed024103961c8f760aa2bd5154c7aafd77225b3bacd0139ae7b5948ea3311fccd86fb95c75afa767284b9b2de559572f15d8d044c7eb83a1be5fadf2cc377c0d8475294b0241022197e066742196aabc03fa2feeb4e70b15cb787d617acd31bb75c7bc234ad706f7c48d2182d1f0ff9c228dcf41967b6c0ba6d2c0ad110a1b857831ec245e2cb102410401c4c0c53d45dbdb5e9d96d0fecf4275df0974bc4a0736b4a74c3269053efb686ace2406e22c9e058ddb4ae540627ae2fdb08261e8e7e4bcbc994daafa305c45\n\nDecrypt = RSA-OAEP-6\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 0630eebcd2856c24f798806e41f9e67345eda9ceda386acc9facaea1eeed06ace583709718d9d169fadf414d5c76f92996833ef305b75b1e4b95f662a20faedc3bae0c4827a8bf8a88edbd57ec203a27a841f02e43a615bab1a8cac0701de34debdef62a088089b55ec36ea7522fd3ec8d06b6a073e6df833153bc0aefd93bd1a3\nOutput = 4046ca8baa3347ca27f49e0d81f9cc1d71be9ba517d4\n\nDecrypt = RSA-OAEP-6\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 0ebc37376173a4fd2f89cc55c2ca62b26b11d51c3c7ce49e8845f74e7607317c436bc8d23b9667dfeb9d087234b47bc6837175ae5c0559f6b81d7d22416d3e50f4ac533d8f0812f2db9e791fe9c775ac8b6ad0f535ad9ceb23a4a02014c58ab3f8d3161499a260f39348e714ae2a1d3443208fd8b722ccfdfb393e98011f99e63f\nOutput = 5cc72c60231df03b3d40f9b57931bc31109f972527f28b19e7480c7288cb3c92b22512214e4be6c914792ddabdf57faa8aa7\n\nDecrypt = RSA-OAEP-6\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 0a98bf1093619394436cf68d8f38e2f158fde8ea54f3435f239b8d06b8321844202476aeed96009492480ce3a8d705498c4c8c68f01501dc81db608f60087350c8c3b0bd2e9ef6a81458b7c801b89f2e4fe99d4900ba6a4b5e5a96d865dc676c7755928794130d6280a8160a190f2df3ea7cf9aa0271d88e9e6905ecf1c5152d65\nOutput = b20e651303092f4bccb43070c0f86d23049362ed96642fc5632c27db4a52e3d831f2ab068b23b149879c002f6bf3feee97591112562c\n\nDecrypt = RSA-OAEP-6\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 008e7a67cacfb5c4e24bec7dee149117f19598ce8c45808fef88c608ff9cd6e695263b9a3c0ad4b8ba4c95238e96a8422b8535629c8d5382374479ad13fa39974b242f9a759eeaf9c83ad5a8ca18940a0162ba755876df263f4bd50c6525c56090267c1f0e09ce0899a0cf359e88120abd9bf893445b3cae77d3607359ae9a52f8\nOutput = 684e3038c5c041f7\n\nDecrypt = RSA-OAEP-6\nRSAPadding = OAEP\nMG",
+ "F1Digest = SHA1\nInput = 00003474416c7b68bdf961c385737944d7f1f40cb395343c693cc0b4fe63b31fedf1eaeeac9ccc0678b31dc32e0977489514c4f09085f6298a9653f01aea4045ff582ee887be26ae575b73eef7f3774921e375a3d19adda0ca31aa1849887c1f42cac9677f7a2f4e923f6e5a868b38c084ef187594dc9f7f048fea2e02955384ab\nOutput = 32488cb262d041d6e4dd35f987bf3ca696db1f06ac29a44693\n\nDecrypt = RSA-OAEP-6\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 0a026dda5fc8785f7bd9bf75327b63e85e2c0fdee5dadb65ebdcac9ae1de95c92c672ab433aa7a8e69ce6a6d8897fac4ac4a54de841ae5e5bbce7687879d79634cea7a30684065c714d52409b928256bbf53eabcd5231eb7259504537399bd29164b726d33a46da701360a4168a091ccab72d44a62fed246c0ffea5b1348ab5470\nOutput = 50ba14be8462720279c306ba\n\nPrivateKey = RSA-OAEP-7\nType = RSA\nInput = 30820278020100300d06092a864886f70d0101010500048202623082025e020100028181311179f0bcfc9b9d3ca315d00ef30d7bdd3a2cfae9911bfedcb948b3a4782d0732b6ab44aa4bf03741a644dc01bec3e69b01a033e675d8acd7c4925c6b1aec3119051dfd89762d215d45475ffcb59f908148623f37177156f6ae86dd7a7c5f43dc1e1f908254058a284a5f06c0021793a87f1ac5feff7dcaee69c5e51a3789e3730203010001028181070cfcff2feb8276e27432c45dfee48f49b7917d6530e1f0ca3460f32e0276174487c56e22a45d2500d7775495219d7d165a9cf3bd92c32af9a98d8dc9cc296800adc94a0a54fb40f34291bf84ee8ea12b6f109359c6d3542a50f9c767f5cfff05a681c2e656fb77caaadb4be9468d8abcd4df98f58e86d2053fa1349f748e21b102410749262c111cd470ec2566e6b3732fc09329469aa19071d3b9c01906514c6f1d26baa14beab0971c8b7e611a4f79009d6fea776928ca25285b0de3643d1a3f8c71024106bc1e50e96c02bf636e9eea8b899bbebf7651de77dd474c3e9bc23bad8182b61904c7d97dfbebfb1e00108878b6e67e415391d67942c2b2bf9b4435f88b0cb023024103bc7ea7f0aab143abc6ce8b97118636a30172e4cfe02c8fa0dda3b7baaf90f8092982985525f488bdfcb4bd726e22639ac64a3092ab7ffcbf1d5334cfa50b5bf102410262a6aa29c2a3c67dc5346c06381afd987aa3cc93cfbfecf54fdd9f9d787d7f59a523d398979da137a2f6381fe94801f7c94da21518dc34cb40870c4697994ad90240649d4c17b6ee1721e772d0389a559c3d3cdf9550d457c46b037b74641b1d52166af8a213c8396206cdfba4422f18d6f61dbcb5d214c971bf482aeb976a7370c2\n\nDecrypt = RSA-OAEP-7\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 1688e4ce7794bba6cb7014169ecd559cede2a30b56a52b68d9fe18cf1973ef97b2a03153951c755f6294aa49adbdb55845ab6875fb3986c93ecf927962840d282f9e54ce8b690f7c0cb8bbd73440d9571d1b16cd9260f9eab4783cc482e5223dc60973871783ec27b0ae0fd47732cbc286a173fc92b00fb4ba6824647cd93c85c1\nOutput = 47aae909\n\nDecrypt = RSA-OAEP-7\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 1052ed397b2e01e1d0ee1c50bf24363f95e504f4a03434a08fd822574ed6b9736edbb5f390db10321479a8a139350e2bd4977c3778ef331f3e78ae118b268451f20a2f01d471f5d53c566937171b2dbc2d4bde459a5799f0372d6574239b2323d245d0bb81c286b63c89a361017337e4902f88a467f4c7f244bfd5ab46437ff3b6\nOutput = 1d9b2e2223d9bc13bfb9f162ce735db48ba7c68f6822a0a1a7b6ae165834e7\n\nDecrypt = RSA-OAEP-7\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 2155cd843ff24a4ee8badb7694260028a490813ba8b369a4cbf106ec148e5298707f5965be7d101c1049ea8584c24cd63455ad9c104d686282d3fb803a4c11c1c2e9b91c7178801d1b6640f003f5728df007b8a4ccc92bce05e41a27278d7c85018c52414313a5077789001d4f01910b72aad05d220aa14a58733a7489bc54556b\nOutput = d976fc\n\nDecrypt = RSA-OAEP-7\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 0ab14c373aeb7d4328d0aaad8c094d88b9eb098b95f21054a29082522be7c27a312878b637917e3d819e6c3c568db5d843802b06d51d9e98a2be0bf40c031423b00edfbff8320efb9171bd2044653a4cb9c5122f6c65e83cda2ec3c126027a9c1a56ba874d0fea23f380b82cf240b8cf540004758c4c77d934157a74f3fc12bfac\nOutput = d4738623df223aa43843df8467534c41d013e0c803c624e263666b239bde40a5f29aeb8de79e3daa61dd0370f49bd4b013834b98212aef6b1c5ee373b3cb\n\nDecrypt = RSA-OAEP-7\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 028387a318277434798b4d97f460068df5298faba5041ba11761a1cb7316b24184114ec500257e2589ed3b607a1ebbe97a6cc2e02bf1b681f42312a33b7a77d8e7855c4a6de03e3c04643f786b91a264a0d6805e2cea91e68177eb7a64d9255e4f27e713b7ccec00dc200ebd21c2ea2bb890feae4942df941dc3f97890ed347478\nOutput = bb47231ca5ea1d3ad46c99345d9a8a61\n\nDecrypt = RSA-OAEP-7\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 14c678a94ad60525ef39e959b2f3ba5c097a94ff912b67dbace80535c187abd47d075420b1872152bba08f7fc31f313bbf9273c912fc4c0149a9b0cfb79807e346eb332069611bec0ff9bcd168f1f7c33e77313cea454b94e2549eecf002e2acf7f6f2d2845d4fe0aab2e5a92ddf68c480ae11247935d1f62574842216ae674115\nOutput = 2184827095d35c3f86f600e8e59754013296\n\nPrivateKey = RSA-OAEP-8\nType = RSA\nInput = 30820279020100300d06092a864886f70d0101010500048202633082025f0201000281815bdf0e30d321dda5147f882408fa69195480df8f80d3f6e8bf5818504f36427ca9b1f5540b9c65a8f6974cf8447a244d9280201bb49fcbbe6378d1944cd227e230f96e3d10f819dcef276c64a00b2a4b6701e7d01de5fabde3b1e9a0df82f4631359cd22669647fbb1717246134ed7b497cfffbdc42b59c73a96ed90166212dff702030100010281810f7d1e9e5aaa25fd13e4a0663ae144e0d15f5cd18bcdb09df2cc7e64e3c5e915ad62645304161d098c715bb7ab8bd01d07eaf3fed7c7ed08af2a8a62ef44ab16b320e14af72a48f96afe262a0ae4cf65e635e910790cd4ee5cea768a4b2639f7e6f677b3f0bb6be32b75747d8909036f0264f58d401cdba131716157a75ecf633102410a02ef8448d9fad8bbd0d004c8c2aa9751ef9721c1b0d03236a54b0df947cbaed5a255ee9e8e20d491ea1723fe094704a9762e88afd16ebb5994412ca966dc4f9f0241092d362e7ed3a0bfd9e9fd0e6c0301b6df29159cf50cc83b9b0cf4d6eea71a61e002b46e0ae9f2de62d25b5d7452d498b81c9ac6fc58593d4c3fb4f5d72dfbb0a9024107c71410af103962db367404e37ae850baa4e9c29dd92145815294a67c7d1c6ded263aa030a9b633ae50303e14035d1af014123eba687820308d8ebc85b6957d7d024100ae2c75380c02c016ad05891b3301de881f28ae1171182b6b2c83bea7c515eca9ca298c7b1cab5817a597068fc85060de4da8a016378aae43c7f967bcc37904b902410598d1059e3ada4f6320752c09d805ff7d1f1ae0d017aeeee9cefa0d7dd7ff775e44b578322f6405d6211da19519666aa87fdc4cd8c88f6b6e3d67e961dcbba3d0\n\nDecrypt = RSA-OAEP-8\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 09b3683d8a2eb0fb295b62ed1fb9290b714457b7825319f4647872af889b30409472020ad12912bf19b11d4819f49614824ffd84d09c0a17e7d17309d12919790410aa2995699f6a86dbe3242b5acc23af45691080d6b1ae810fb3e3057087f0970092ce00be9562ff4053b6262ce0caa93e13723d2e3a5ba075d45f0d61b54b61\nOutput = 050b755e5e6880f7b9e9d692a74c37aae449b31bfea6deff83747a897f6c2c825bb1adbf850a3c96994b5de5b33cbc7d4a17913a7967\n\nDecrypt = RSA-OAEP-8\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 2ecf15c97c5a15b1476ae986b371b57a24284f4a162a8d0c8182e7905e792256f1812ba5f83f1f7a130e42dcc02232844edc14a31a68ee97ae564a383a3411656424c5f62ddb646093c367be1fcda426cf00a06d8acb7e57776fbbd855ac3df506fc16b1d7c3f2110f3d8068e91e186363831c8409680d8da9ecd8cf1fa20ee39d\nOutput = 4eb68dcd93ca9b19df111bd43608f557026fe4aa1d5cfac227a3eb5ab9548c18a06dded23f81825986b2fcd71109ecef7eff88873f075c2aa0c469f69c92bc\n\nDecrypt = RSA-OAEP-8\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 4bc89130a5b2dabb7c2fcf90eb5d0eaf9e681b7146a38f3173a3d9cfec52ea9e0a41932e648a9d69344c50da763f51a03c95762131e8052254dcd2248cba40fd31667786ce05a2b7b531ac9dac9ed584a59b677c1a8aed8c5d15d68c05569e2be780bf7db638fd2bfd2a85ab276860f3777338fca989ffd743d13ee08e0ca9893f\nOutput = 8604ac56328c1ab5ad917861\n\nDecrypt = RSA-OAEP-8\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 2e456847d8fc36ff0147d6993594b9397227d577752c79d0f904fcb039d4d812fea605a7b574dd82ca786f93752348438ee9f5b5454985d5f0e1699e3e7ad175a32e15f03deb042ab9fe1dd9db1bb86f8c089ccb45e7ef0c5ee7ca9b7290ca6b15bed47039788a8a93ff83e0e8d6244c71006362deef69b6f416fb3c684383fbd0\nOutput = fdda5fbf6ec361a9d9a4ac68af216a0686f438b1e0e5c36b955f74e107f39c0dddcc\n\nDecrypt = RSA-OAEP-8\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 1fb9356fd5c4b1796db2ebf7d0d393cc810adf6145defc2fce714f79d93800d5e2ac211ea8bbecca4b654b94c3b18b30dd576ce34dc95436ef57a09415645923359a5d7b4171ef22c24670f1b229d3603e91f76671b7df97e7317c97734476d5f3d17d21cf82b5ba9f83df2e588d36984fd1b584468bd23b2e875f32f68953f7b2\nOutput = 4a5f4914bee25de3c69341de07\n\nDecrypt = RSA-OAEP-8\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 3afd9c6600147b21798d818c655a0f4c9212db26d0b0dfdc2a7594ccb3d22f5bf1d7c3e112cd73fc7d509c7a8bafdd3c274d1399009f9609ec4be6477e453f075aa33db382870c1c3409aef392d7386ae3a696b99a94b4da0589447e955d16c98b17602a59bd736279fcd8fb280c4462d590bfa9bf13fed570eafde97330a2c210\nOutput = 8e07d66f7b880a72563abcd3f35092bc33409fb7f88f2472be\n\nPrivateKey = RSA-OAEP-9\nType = RSA\nInput = 30820397020100300d06092a864886f70d0101010500048203813082037d0201000281c100cf2cd41e34ca3a728ea5cb8aff64c36d27bdef5364e336",
+ "fd68d3123c5a196a8c287013e853d5156d58d151954520fb4f6d7b17abb6817765909c576119659d902b1906ed8a2b10c155c24d124528dab9eeae379beac66e4a411786dcb8fd0062ebc030de1219a04c2a8c1b7dd3131e4d6b6caee2e31a5ed41ac1509b2ef1ee2ab18364be568ca941c25ecc84ff9d643b5ec1aaae102a20d73f479b780fd6da91075212d9eac03a0674d899eba2e431f4c44b615b6ba2232bd4b33baed73d625d02030100010281c0198c141e23715a92bccf6a119a5bc11389468d2811f548d727e17b4ab0eb986d6f211efb53b71f7ccbea87ee69c75ee615008c5332deb52bf390abdfbfe37d7205368159b2638c1de326e21d22251f0fb5848b3bf15005d2a74330f0afe916ee62ccc1344d1d83a709e60676273840f7f377424a5e0a4da75f01b31ff76819cf9cbfdd215243c3917c03ef38199312e567b3bf7aed3ab457f371ef8a1423f45b68c6e282ec111bba2833b987fd69fad83bc1b8c613c5e1ea16c11ed125ea7ec1026100fc8d6c04bec4eb9a8192ca7900cbe536e2e8b519decf33b2459798c6909df4f176db7d23190fc72b8865a718af895f1bcd9145298027423b605e70a47cf58390a8c3e88fc8c48e8b32e3da210dfbe3e881ea5674b6a348c21e93f9e55ea65efd026100d200d45e788aacea606a401d0460f87dd5c1027e12dc1a0d7586e8939d9cf789b40f51ac0442961de7d21cc21e05c83155c1f2aa9193387cfdf956cb48d153ba270406f9bbba537d4987d9e2f9942d7a14cbfffea74fecdda928d23e259f5ee1026100db16802f79a2f0d45f358d69fd33e44b81fae828622e93a54253e997d01b0743759da0e812b4aa4e6c8beab2328d5431955a418a67ff26a8c5c807a5da354e05ef31cc8cf758f463732950b03e265726fb94e39d6a572a26244ab08db75752ad026100a0a317cfe7df1423f87a6dee8451f4e2b4a67e5497f29b4f1e4e830b9fadd9401167026f5596e5a39c97817e0f5f16e27e19ec9902e01d7ea6fb9aa3c760afee1e381b69de6ac9c07585a06ad9c4ba00bf75c8ad2fa898a479e80ae294fed2a102600b21f335c353342eb44c3aa24445780c2d655b940174cae38c7c8a4e6493c0ba9fd303748267b083b9a7a6cb61e42db362b8c9896db7064e02ad5ae61587da15b4649c90594909feb37dbcb654beb7268ec801e5a8b4aa3911bebd88542f05be\n\nDecrypt = RSA-OAEP-9\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 267bcd118acab1fc8ba81c85d73003cb8610fa55c1d97da8d48a7c7f06896a4db751aa284255b9d36ad65f37653d829f1b37f97b8001942545b2fc2c55a7376ca7a1be4b1760c8e05a33e5aa2526b8d98e317088e7834c755b2a59b12631a182c05d5d43ab1779264f8456f515ce57dfdf512d5493dab7b7338dc4b7d78db9c091ac3baf537a69fc7f549d979f0eff9a94fda4169bd4d1d19a69c99e33c3b55490d501b39b1edae118ff6793a153261584d3a5f39f6e682e3d17c8cd1261fa72\nOutput = f735fd55ba92592c3b52b8f9c4f69aaa1cbef8fe88add095595412467f9cf4ec0b896c59eda16210e7549c8abb10cdbc21a12ec9b6b5b8fd2f10399eb6\n\nDecrypt = RSA-OAEP-9\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 93ac9f0671ec29acbb444effc1a5741351d60fdb0e393fbf754acf0de49761a14841df7772e9bc82773966a1584c4d72baea00118f83f35cca6e537cbd4d811f5583b29783d8a6d94cd31be70d6f526c10ff09c6fa7ce069795a3fcd0511fd5fcb564bcc80ea9c78f38b80012539d8a4ddf6fe81e9cddb7f50dbbbbcc7e5d86097ccf4ec49189fb8bf318be6d5a0715d516b49af191258cd32dc833ce6eb4673c03a19bbace88cc54895f636cc0c1ec89096d11ce235a265ca1764232a689ae8\nOutput = 81b906605015a63aabe42ddf11e1978912f5404c7474b26dce3ed482bf961ecc818bf420c54659\n\nDecrypt = RSA-OAEP-9\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 81ebdd95054b0c822ef9ad7693f5a87adfb4b4c4ce70df2df84ed49c04da58ba5fc20a19e1a6e8b7a3900b22796dc4e869ee6b42792d15a8eceb56c09c69914e813cea8f6931e4b8ed6f421af298d595c97f4789c7caa612c7ef360984c21b93edc5401068b5af4c78a8771b984d53b8ea8adf2f6a7d4a0ba76c75e1dd9f658f20ded4a46071d46d7791b56803d8fea7f0b0f8e41ae3f09383a6f9585fe7753eaaffd2bf94563108beecc207bbb535f5fcc705f0dde9f708c62f49a9c90371d3\nOutput = fd326429df9b890e09b54b18b8f34f1e24\n\nDecrypt = RSA-OAEP-9\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = bcc35f94cde66cb1136625d625b94432a35b22f3d2fa11a613ff0fca5bd57f87b902ccdc1cd0aebcb0715ee869d1d1fe395f6793003f5eca465059c88660d446ff5f0818552022557e38c08a67ead991262254f10682975ec56397768537f4977af6d5f6aaceb7fb25dec5937230231fd8978af49119a29f29e424ab8272b47562792d5c94f774b8829d0b0d9f1a8c9eddf37574d5fa248eefa9c5271fc5ec2579c81bdd61b410fa61fe36e424221c113addb275664c801d34ca8c6351e4a858\nOutput = f1459b5f0c92f01a0f723a2e5662484d8f8c0a20fc29dad6acd43bb5f3effdf4e1b63e07fdfe6628d0d74ca19bf2d69e4a0abf86d293925a796772f8088e\n\nDecrypt = RSA-OAEP-9\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 232afbc927fa08c2f6a27b87d4a5cb09c07dc26fae73d73a90558839f4fd66d281b87ec734bce237ba166698ed829106a7de6942cd6cdce78fed8d2e4d81428e66490d036264cef92af941d3e35055fe3981e14d29cbb9a4f67473063baec79a1179f5a17c9c1832f2838fd7d5e59bb9659d56dce8a019edef1bb3accc697cc6cc7a778f60a064c7f6f5d529c6210262e003de583e81e3167b89971fb8c0e15d44fffef89b53d8d64dd797d159b56d2b08ea5307ea12c241bd58d4ee278a1f2e\nOutput = 53e6e8c729d6f9c319dd317e74b0db8e4ccca25f3c8305746e137ac63a63ef3739e7b595abb96e8d55e54f7bd41ab433378ffb911d\n\nDecrypt = RSA-OAEP-9\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 438cc7dc08a68da249e42505f8573ba60e2c2773d5b290f4cf9dff718e842081c383e67024a0f29594ea987b9d25e4b738f285970d195abb3a8c8054e3d79d6b9c9a8327ba596f1259e27126674766907d8d582ff3a8476154929adb1e6d1235b2ccb4ec8f663ba9cc670a92bebd853c8dbf69c6436d016f61add836e94732450434207f9fd4c43dec2a12a958efa01efe2669899b5e604c255c55fb7166de5589e369597bb09168c06dd5db177e06a1740eb2d5c82faeca6d92fcee9931ba9f\nOutput = b6b28ea2198d0c1008bc64\n\nPrivateKey = RSA-OAEP-10\nType = RSA\nInput = 308204bd020100300d06092a864886f70d0101010500048204a7308204a30201000282010100ae45ed5601cec6b8cc05f803935c674ddbe0d75c4c09fd7951fc6b0caec313a8df39970c518bffba5ed68f3f0d7f22a4029d413f1ae07e4ebe9e4177ce23e7f5404b569e4ee1bdcf3c1fb03ef113802d4f855eb9b5134b5a7c8085adcae6fa2fa1417ec3763be171b0c62b760ede23c12ad92b980884c641f5a8fac26bdad4a03381a22fe1b754885094c82506d4019a535a286afeb271bb9ba592de18dcf600c2aeeae56e02f7cf79fc14cf3bdc7cd84febbbf950ca90304b2219a7aa063aefa2c3c1980e560cd64afe779585b6107657b957857efde6010988ab7de417fc88d8f384c4e6e72c3f943e0c31c0c4a5cc36f879d8a3ac9d7d59860eaada6b83bb020301000102820100056b04216fe5f354ac77250a4b6b0c8525a85c59b0bd80c56450a22d5f438e596a333aa875e291dd43f48cb88b9d5fc0d499f9fcd1c397f9afc070cd9e398c8d19e61db7c7410a6b2675dfbf5d345b804d201add502d5ce2dfcb091ce9997bbebe57306f383e4d588103f036f7e85d1934d152a323e4a8db451d6f4a5b1b0f102cc150e02feee2b88dea4ad4c1baccb24d84072d14e1d24a6771f7408ee30564fb86d4393a34bcf0b788501d193303f13a2284b001f0f649eaf79328d4ac5c430ab4414920a9460ed1b7bc40ec653e876d09abc509ae45b525190116a0c26101848298509c1c3bf3a483e7274054e15e97075036e989f60932807b5257751e7902818100ecf5aecd1e5515fffacbd75a2816c6ebf49018cdfb4638e185d66a7396b6f8090f8018c7fd95cc34b857dc17f0cc6516bb1346ab4d582cadad7b4103352387b70338d084047c9d9539b6496204b3dd6ea442499207bec01f964287ff6336c3984658336846f56e46861881c10233d2176bf15a5e96ddc780bc868aa77d3ce76902818100bc46c464fc6ac4ca783b0eb08a3c841b772f7e9b2f28babd588ae885e1a0c61e4858a0fb25ac299990f35be85164c259ba1175cdd7192707135184992b6c29b746dd0d2cabe142835f7d148cc161524b4a09946d48b828473f1ce76b6cb6886c345c03e05f41d51b5c3a90a3f24073c7d74a4fe25d9cf21c75960f3fc386318302818100c73564571d00fb15d08a3de9957a50915d7126e9442dacf42bc82e862e5673ff6a008ed4d2e374617df89f17a160b43b7fda9cb6b6b74218609815f7d45ca263c159aa32d272d127faf4bc8ca2d77378e8aeb19b0ad7da3cb3de0ae7314980f62b6d4b0a875d1df03c1bae39ccd833ef6cd7e2d9528bf084d1f969e794e9f6c10281802658b37f6df9c1030be1db68117fa9d87e39ea2b693b7e6d3a2f70947413eec6142e18fb8dfcb6ac545d7c86a0ad48f8457170f0efb26bc48126c53efd1d16920198dc2a1107dc282db6a80cd3062360ba3fa13f70e4312ff1a6cd6b8fc4cd9c5c3db17c6d6a57212f73ae29f619327bad59b153858585ba4e28b60a62a45e490281806f38526b3925085534ef3e415a836ede8b86158a2c7cbfeccb0bd834304fec683ba8d4f479c433d43416e63269623cea100776d85aff401d3fff610ee65411ce3b1363d63a9709eede42647cea561493d54570a879c18682cd97710b96205ec31117d73b5f36223fadd6e8ba90dd7c0ee61d44e163251e20c7f66eb305117cb8\n\nDecrypt = RSA-OAEP-10\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 53ea5dc08cd260fb3b858567287fa91552c30b2febfba213f0ae87702d068d19bab07fe574523dfb42139d68c3c5afeee0bfe4cb7969cbf382b804d6e61396144e2d0e60741f8993c3014b58b9b1957a8babcd23af854f4c356fb1662aa72bfcc7e586559dc4280d160c126785a723ebeebeff71f11594440aaef87d10793a8774a239d4a04c87fe1467b9daf85208ec6c7255794a96cc29142f9a8bd418e3c1fd67344b0cd0829df3b2bec60253196293c6b34d3f75d32f213dd45c6273d505adf4cced1057cb758fc26aeefa441255ed4e64c199ee075e7f16646182fdb464739b68ab5daff0e63e9552016824f054bf4d3c8c90a97bb6b6553284eb429fcc\nOutput = 8bba6bf82a6c0f86d5f1756e97956870b08953b06b4eb205bc1694ee\n\nDecrypt = RSA-OAEP-10\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = a2b1a430a9d657e2fa1c",
+ "2bb5ed43ffb25c05a308fe9093c01031795f5874400110828ae58fb9b581ce9dddd3e549ae04a0985459bde6c626594e7b05dc4278b2a1465c1368408823c85e96dc66c3a30983c639664fc4569a37fe21e5a195b5776eed2df8d8d361af686e750229bbd663f161868a50615e0c337bec0ca35fec0bb19c36eb2e0bbcc0582fa1d93aacdb061063f59f2ce1ee43605e5d89eca183d2acdfe9f81011022ad3b43a3dd417dac94b4e11ea81b192966e966b182082e71964607b4f8002f36299844a11f2ae0faeac2eae70f8f4f98088acdcd0ac556e9fccc511521908fad26f04c64201450305778758b0538bf8b5bb144a828e629795\nOutput = e6ad181f053b58a904f2457510373e57\n\nDecrypt = RSA-OAEP-10\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 9886c3e6764a8b9a84e84148ebd8c3b1aa8050381a78f668714c16d9cfd2a6edc56979c535d9dee3b44b85c18be8928992371711472216d95dda98d2ee8347c9b14dffdff84aa48d25ac06f7d7e65398ac967b1ce90925f67dce049b7f812db0742997a74d44fe81dbe0e7a3feaf2e5c40af888d550ddbbe3bc20657a29543f8fc2913b9bd1a61b2ab2256ec409bbd7dc0d17717ea25c43f42ed27df8738bf4afc6766ff7aff0859555ee283920f4c8a63c4a7340cbafddc339ecdb4b0515002f96c932b5b79167af699c0ad3fccfdf0f44e85a70262bf2e18fe34b850589975e867ff969d48eabf212271546cdc05a69ecb526e52870c836f307bd798780ede\nOutput = 510a2cf60e866fa2340553c94ea39fbc256311e83e94454b4124\n\nDecrypt = RSA-OAEP-10\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 6318e9fb5c0d05e5307e1683436e903293ac4642358aaa223d7163013aba87e2dfda8e60c6860e29a1e92686163ea0b9175f329ca3b131a1edd3a77759a8b97bad6a4f8f4396f28cf6f39ca58112e48160d6e203daa5856f3aca5ffed577af499408e3dfd233e3e604dbe34a9c4c9082de65527cac6331d29dc80e0508a0fa7122e7f329f6cca5cfa34d4d1da417805457e008bec549e478ff9e12a763c477d15bbb78f5b69bd57830fc2c4ed686d79bc72a95d85f88134c6b0afe56a8ccfbc855828bb339bd17909cf1d70de3335ae07039093e606d655365de6550b872cd6de1d440ee031b61945f629ad8a353b0d40939e96a3c450d2a8d5eee9f678093c8\nOutput = bcdd190da3b7d300df9a06e22caae2a75f10c91ff667b7c16bde8b53064a2649a94045c9\n\nDecrypt = RSA-OAEP-10\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 75290872ccfd4a4505660d651f56da6daa09ca1301d890632f6a992f3d565cee464afded40ed3b5be9356714ea5aa7655f4a1366c2f17c728f6f2c5a5d1f8e28429bc4e6f8f2cff8da8dc0e0a9808e45fd09ea2fa40cb2b6ce6ffff5c0e159d11b68d90a85f7b84e103b09e682666480c657505c0929259468a314786d74eab131573cf234bf57db7d9e66cc6748192e002dc0deea930585f0831fdcd9bc33d51f79ed2ffc16bcf4d59812fcebcaa3f9069b0e445686d644c25ccf63b456ee5fa6ffe96f19cdf751fed9eaf35957754dbf4bfea5216aa1844dc507cb2d080e722eba150308c2b5ff1193620f1766ecf4481bafb943bd292877f2136ca494aba0\nOutput = a7dd6c7dc24b46f9dd5f1e91ada4c3b3df947e877232a9\n\nDecrypt = RSA-OAEP-10\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 2d207a73432a8fb4c03051b3f73b28a61764098dfa34c47a20995f8115aa6816679b557e82dbee584908c6e69782d7deb34dbd65af063d57fca76a5fd069492fd6068d9984d209350565a62e5c77f23038c12cb10c6634709b547c46f6b4a709bd85ca122d74465ef97762c29763e06dbc7a9e738c78bfca0102dc5e79d65b973f28240caab2e161a78b57d262457ed8195d53e3c7ae9da021883c6db7c24afdd2322eac972ad3c354c5fcef1e146c3a0290fb67adf007066e00428d2cec18ce58f9328698defef4b2eb5ec76918fde1c198cbb38b7afc67626a9aefec4322bfd90d2563481c9a221f78c8272c82d1b62ab914e1c69f6af6ef30ca5260db4a46\nOutput = eaf1a73a1b0c4609537de69cd9228bbcfb9a8ca8c6c3efaf056fe4a7f4634ed00b7c39ec6922d7b8ea2c04ebac\n\n\n# Single-shot signing tests.\n\nSignMessage = RSA-2048\nDigest = SHA256\nInput = \"Hello world\"\nOutput = 301894798b49d6ec55d32dcc74314f04230591a515781f3eb4492f5324b56046836c4bc3e25942af341e88558cb4c3814a849207575d343189147989b16e296b5138dbbc717116dc416f201dfa35943d15060493953cda1f04a13ff89845cf7fd69e1a78d5d38522a77bb234e5d0ba2ae17ada6e22fdae27a4052fdb8ac267507dfe06ed7a865e61a52b530bbbf65c7caa89739613df10ae3b0e62ff6831ee0770086aad39c329462aede9f1b29a501bc3d09e0fe4034aa5d6831d44491d508111d88a1d7ba50cee5ef7e701b3a589adc09a752a974a6805956f4a1a0582f66309a1e02e9fb6b10d2c820fe98bb2eb04f435bc8a649cc9ab6c5a4c03e83800d1\n\nVerifyMessage = RSA-2048\nDigest = SHA256\nInput = \"Hello world\"\nOutput = 301894798b49d6ec55d32dcc74314f04230591a515781f3eb4492f5324b56046836c4bc3e25942af341e88558cb4c3814a849207575d343189147989b16e296b5138dbbc717116dc416f201dfa35943d15060493953cda1f04a13ff89845cf7fd69e1a78d5d38522a77bb234e5d0ba2ae17ada6e22fdae27a4052fdb8ac267507dfe06ed7a865e61a52b530bbbf65c7caa89739613df10ae3b0e62ff6831ee0770086aad39c329462aede9f1b29a501bc3d09e0fe4034aa5d6831d44491d508111d88a1d7ba50cee5ef7e701b3a589adc09a752a974a6805956f4a1a0582f66309a1e02e9fb6b10d2c820fe98bb2eb04f435bc8a649cc9ab6c5a4c03e83800d1\n\nVerifyMessage = RSA-2048-SPKI\nDigest = SHA256\nInput = \"Hello world\"\nOutput = 301894798b49d6ec55d32dcc74314f04230591a515781f3eb4492f5324b56046836c4bc3e25942af341e88558cb4c3814a849207575d343189147989b16e296b5138dbbc717116dc416f201dfa35943d15060493953cda1f04a13ff89845cf7fd69e1a78d5d38522a77bb234e5d0ba2ae17ada6e22fdae27a4052fdb8ac267507dfe06ed7a865e61a52b530bbbf65c7caa89739613df10ae3b0e62ff6831ee0770086aad39c329462aede9f1b29a501bc3d09e0fe4034aa5d6831d44491d508111d88a1d7ba50cee5ef7e701b3a589adc09a752a974a6805956f4a1a0582f66309a1e02e9fb6b10d2c820fe98bb2eb04f435bc8a649cc9ab6c5a4c03e83800d1\n\nVerifyMessage = P-256\nDigest = SHA256\nInput = \"Hello world\"\nOutput = 304502204c66004635c267394bd6857c1e0b53b22a2bab1ca7dff9d5c1b42143858b3ea7022100ae81228510e03cd49a8863d2ebd1c05fe0c87eacd1150433132b909994cd0dbd\n\n# Digest can't be omitted in many algorithms.\nSignMessage = RSA-2048\nInput = \"Hello world\"\nError = NO_DEFAULT_DIGEST\n\nVerifyMessage = RSA-2048\nInput = \"Hello world\"\nOutput = 301894798b49d6ec55d32dcc74314f04230591a515781f3eb4492f5324b56046836c4bc3e25942af341e88558cb4c3814a849207575d343189147989b16e296b5138dbbc717116dc416f201dfa35943d15060493953cda1f04a13ff89845cf7fd69e1a78d5d38522a77bb234e5d0ba2ae17ada6e22fdae27a4052fdb8ac267507dfe06ed7a865e61a52b530bbbf65c7caa89739613df10ae3b0e62ff6831ee0770086aad39c329462aede9f1b29a501bc3d09e0fe4034aa5d6831d44491d508111d88a1d7ba50cee5ef7e701b3a589adc09a752a974a6805956f4a1a0582f66309a1e02e9fb6b10d2c820fe98bb2eb04f435bc8a649cc9ab6c5a4c03e83800d1\nError = NO_DEFAULT_DIGEST\n\n# Signing test vectors from RFC 8032.\nSignMessage = Ed25519\nInput = \"\"\nOutput = e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e065224901555fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b\n\nSignMessage = Ed25519-2\nInput = 72\nOutput = 92a009a9f0d4cab8720e820b5f642540a2b27b5416503f8fb3762223ebdb69da085ac1e43e15996e458f3613d0f11d8c387b2eaeb4302aeeb00d291612bb0c00\n\nSignMessage = Ed25519-3\nInput = af82\nOutput = 6291d657deec24024827e69c3abe01a30ce548a284743a445e3680d7db5ac3ac18ff9b538d16f290ae67f760984dc6594a7c15e9716ed28dc027beceea1ec40a\n\nSignMessage = Ed25519-4\nInput = 08b8b2b733424243760fe426a4b54908632110a66c2f6591eabd3345e3e4eb98fa6e264bf09efe12ee50f8f54e9f77b1e355f6c50544e23fb1433ddf73be84d879de7c0046dc4996d9e773f4bc9efe5738829adb26c81b37c93a1b270b20329d658675fc6ea534e0810a4432826bf58c941efb65d57a338bbd2e26640f89ffbc1a858efcb8550ee3a5e1998bd177e93a7363c344fe6b199ee5d02e82d522c4feba15452f80288a821a579116ec6dad2b3b310da903401aa62100ab5d1a36553e06203b33890cc9b832f79ef80560ccb9a39ce767967ed628c6ad573cb116dbefefd75499da96bd68a8a97b928a8bbc103b6621fcde2beca1231d206be6cd9ec7aff6f6c94fcd7204ed3455c68c83f4a41da4af2b74ef5c53f1d8ac70bdcb7ed185ce81bd84359d44254d95629e9855a94a7c1958d1f8ada5d0532ed8a5aa3fb2d17ba70eb6248e594e1a2297acbbb39d502f1a8c6eb6f1ce22b3de1a1f40cc24554119a831a9aad6079cad88425de6bde1a9187ebb6092cf67bf2b13fd65f27088d78b7e883c8759d2c4f5c65adb7553878ad575f9fad878e80a0c9ba63bcbcc2732e69485bbc9c90bfbd62481d9089beccf80cfe2df16a2cf65bd92dd597b0707e0917af48bbb75fed413d238f5555a7a569d80c3414a8d0859dc65a46128bab27af87a71314f318c782b23ebfe808b82b0ce26401d2e22f04d83d1255dc51addd3b75a2b1ae0784504df543af8969be3ea7082ff7fc9888c144da2af58429ec96031dbcad3dad9af0dcbaaaf268cb8fcffead94f3c7ca495e056a9b47acdb751fb73e666c6c655ade8297297d07ad1ba5e43f1bca32301651339e22904cc8c42f58c30c04aafdb038dda0847dd988dcda6f3bfd15c4b4c4525004aa06eeff8ca61783aacec57fb3d1f92b0fe2fd1a85f6724517b65e614ad6808d6f6ee34dff7310fdc82aebfd904b01e1dc54b2927094b2db68d6f903b68401adebf5a7e08d78ff4ef5d63653a65040cf9bfd4aca7984a74d37145986780fc0b16ac451649de6188a7dbdf191f64b5fc5e2ab47b57f7f7276cd419c17a3ca8e1b939ae49e488acba6b965610b5480109c8b17b80e1b7b750dfc7598d5d5011fd2dcc5600a32ef5b52a1ecc820e308aa342721aac0943bf6686b64b2579376504ccc493d97e6aed3fb0f9cd71a43dd497f01f17c0e2cb3797aa2a2f256656168e6c496af",
+ "c5fb93246f6b1116398a346f1a641f3b041e989f7914f90cc2c7fff357876e506b50d334ba77c225bc307ba537152f3f1610e4eafe595f6d9d90d11faa933a15ef1369546868a7f3a45a96768d40fd9d03412c091c6315cf4fde7cb68606937380db2eaaa707b4c4185c32eddcdd306705e4dc1ffc872eeee475a64dfac86aba41c0618983f8741c5ef68d3a101e8a3b8cac60c905c15fc910840b94c00a0b9d0\nOutput = 0aab4c900501b3e24d7cdf4663326a3a87df5e4843b2cbdb67cbf6e460fec350aa5371b1508f9f4528ecea23c436d94b5e8fcd4f681e30a6ac00a9704a188a03\n\nSignMessage = Ed25519-5\nInput = ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f\nOutput = dc2a4459e7369633a52b1bf277839a00201009a3efbf3ecb69bea2186c26b58909351fc9ac90b3ecfdfbc7c66431e0303dca179c138ac17ad9bef1177331a704\n\n# Signing with public keys is not allowed.\nSignMessage = Ed25519-SPKI\nInput = \"\"\nError = NOT_A_PRIVATE_KEY\n\n# Verify test vectors from RFC 8032. Test verifying with both the public and\n# private key.\nVerifyMessage = Ed25519\nInput = \"\"\nOutput = e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e065224901555fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b\n\nVerifyMessage = Ed25519-SPKI\nInput = \"\"\nOutput = e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e065224901555fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b\n\nVerifyMessage = Ed25519-2\nInput = 72\nOutput = 92a009a9f0d4cab8720e820b5f642540a2b27b5416503f8fb3762223ebdb69da085ac1e43e15996e458f3613d0f11d8c387b2eaeb4302aeeb00d291612bb0c00\n\nVerifyMessage = Ed25519-SPKI-2\nInput = 72\nOutput = 92a009a9f0d4cab8720e820b5f642540a2b27b5416503f8fb3762223ebdb69da085ac1e43e15996e458f3613d0f11d8c387b2eaeb4302aeeb00d291612bb0c00\n\nVerifyMessage = Ed25519-3\nInput = af82\nOutput = 6291d657deec24024827e69c3abe01a30ce548a284743a445e3680d7db5ac3ac18ff9b538d16f290ae67f760984dc6594a7c15e9716ed28dc027beceea1ec40a\n\nVerifyMessage = Ed25519-SPKI-3\nInput = af82\nOutput = 6291d657deec24024827e69c3abe01a30ce548a284743a445e3680d7db5ac3ac18ff9b538d16f290ae67f760984dc6594a7c15e9716ed28dc027beceea1ec40a\n\nVerifyMessage = Ed25519-4\nInput = 08b8b2b733424243760fe426a4b54908632110a66c2f6591eabd3345e3e4eb98fa6e264bf09efe12ee50f8f54e9f77b1e355f6c50544e23fb1433ddf73be84d879de7c0046dc4996d9e773f4bc9efe5738829adb26c81b37c93a1b270b20329d658675fc6ea534e0810a4432826bf58c941efb65d57a338bbd2e26640f89ffbc1a858efcb8550ee3a5e1998bd177e93a7363c344fe6b199ee5d02e82d522c4feba15452f80288a821a579116ec6dad2b3b310da903401aa62100ab5d1a36553e06203b33890cc9b832f79ef80560ccb9a39ce767967ed628c6ad573cb116dbefefd75499da96bd68a8a97b928a8bbc103b6621fcde2beca1231d206be6cd9ec7aff6f6c94fcd7204ed3455c68c83f4a41da4af2b74ef5c53f1d8ac70bdcb7ed185ce81bd84359d44254d95629e9855a94a7c1958d1f8ada5d0532ed8a5aa3fb2d17ba70eb6248e594e1a2297acbbb39d502f1a8c6eb6f1ce22b3de1a1f40cc24554119a831a9aad6079cad88425de6bde1a9187ebb6092cf67bf2b13fd65f27088d78b7e883c8759d2c4f5c65adb7553878ad575f9fad878e80a0c9ba63bcbcc2732e69485bbc9c90bfbd62481d9089beccf80cfe2df16a2cf65bd92dd597b0707e0917af48bbb75fed413d238f5555a7a569d80c3414a8d0859dc65a46128bab27af87a71314f318c782b23ebfe808b82b0ce26401d2e22f04d83d1255dc51addd3b75a2b1ae0784504df543af8969be3ea7082ff7fc9888c144da2af58429ec96031dbcad3dad9af0dcbaaaf268cb8fcffead94f3c7ca495e056a9b47acdb751fb73e666c6c655ade8297297d07ad1ba5e43f1bca32301651339e22904cc8c42f58c30c04aafdb038dda0847dd988dcda6f3bfd15c4b4c4525004aa06eeff8ca61783aacec57fb3d1f92b0fe2fd1a85f6724517b65e614ad6808d6f6ee34dff7310fdc82aebfd904b01e1dc54b2927094b2db68d6f903b68401adebf5a7e08d78ff4ef5d63653a65040cf9bfd4aca7984a74d37145986780fc0b16ac451649de6188a7dbdf191f64b5fc5e2ab47b57f7f7276cd419c17a3ca8e1b939ae49e488acba6b965610b5480109c8b17b80e1b7b750dfc7598d5d5011fd2dcc5600a32ef5b52a1ecc820e308aa342721aac0943bf6686b64b2579376504ccc493d97e6aed3fb0f9cd71a43dd497f01f17c0e2cb3797aa2a2f256656168e6c496afc5fb93246f6b1116398a346f1a641f3b041e989f7914f90cc2c7fff357876e506b50d334ba77c225bc307ba537152f3f1610e4eafe595f6d9d90d11faa933a15ef1369546868a7f3a45a96768d40fd9d03412c091c6315cf4fde7cb68606937380db2eaaa707b4c4185c32eddcdd306705e4dc1ffc872eeee475a64dfac86aba41c0618983f8741c5ef68d3a101e8a3b8cac60c905c15fc910840b94c00a0b9d0\nOutput = 0aab4c900501b3e24d7cdf4663326a3a87df5e4843b2cbdb67cbf6e460fec350aa5371b1508f9f4528ecea23c436d94b5e8fcd4f681e30a6ac00a9704a188a03\n\nVerifyMessage = Ed25519-SPKI-4\nInput = 08b8b2b733424243760fe426a4b54908632110a66c2f6591eabd3345e3e4eb98fa6e264bf09efe12ee50f8f54e9f77b1e355f6c50544e23fb1433ddf73be84d879de7c0046dc4996d9e773f4bc9efe5738829adb26c81b37c93a1b270b20329d658675fc6ea534e0810a4432826bf58c941efb65d57a338bbd2e26640f89ffbc1a858efcb8550ee3a5e1998bd177e93a7363c344fe6b199ee5d02e82d522c4feba15452f80288a821a579116ec6dad2b3b310da903401aa62100ab5d1a36553e06203b33890cc9b832f79ef80560ccb9a39ce767967ed628c6ad573cb116dbefefd75499da96bd68a8a97b928a8bbc103b6621fcde2beca1231d206be6cd9ec7aff6f6c94fcd7204ed3455c68c83f4a41da4af2b74ef5c53f1d8ac70bdcb7ed185ce81bd84359d44254d95629e9855a94a7c1958d1f8ada5d0532ed8a5aa3fb2d17ba70eb6248e594e1a2297acbbb39d502f1a8c6eb6f1ce22b3de1a1f40cc24554119a831a9aad6079cad88425de6bde1a9187ebb6092cf67bf2b13fd65f27088d78b7e883c8759d2c4f5c65adb7553878ad575f9fad878e80a0c9ba63bcbcc2732e69485bbc9c90bfbd62481d9089beccf80cfe2df16a2cf65bd92dd597b0707e0917af48bbb75fed413d238f5555a7a569d80c3414a8d0859dc65a46128bab27af87a71314f318c782b23ebfe808b82b0ce26401d2e22f04d83d1255dc51addd3b75a2b1ae0784504df543af8969be3ea7082ff7fc9888c144da2af58429ec96031dbcad3dad9af0dcbaaaf268cb8fcffead94f3c7ca495e056a9b47acdb751fb73e666c6c655ade8297297d07ad1ba5e43f1bca32301651339e22904cc8c42f58c30c04aafdb038dda0847dd988dcda6f3bfd15c4b4c4525004aa06eeff8ca61783aacec57fb3d1f92b0fe2fd1a85f6724517b65e614ad6808d6f6ee34dff7310fdc82aebfd904b01e1dc54b2927094b2db68d6f903b68401adebf5a7e08d78ff4ef5d63653a65040cf9bfd4aca7984a74d37145986780fc0b16ac451649de6188a7dbdf191f64b5fc5e2ab47b57f7f7276cd419c17a3ca8e1b939ae49e488acba6b965610b5480109c8b17b80e1b7b750dfc7598d5d5011fd2dcc5600a32ef5b52a1ecc820e308aa342721aac0943bf6686b64b2579376504ccc493d97e6aed3fb0f9cd71a43dd497f01f17c0e2cb3797aa2a2f256656168e6c496afc5fb93246f6b1116398a346f1a641f3b041e989f7914f90cc2c7fff357876e506b50d334ba77c225bc307ba537152f3f1610e4eafe595f6d9d90d11faa933a15ef1369546868a7f3a45a96768d40fd9d03412c091c6315cf4fde7cb68606937380db2eaaa707b4c4185c32eddcdd306705e4dc1ffc872eeee475a64dfac86aba41c0618983f8741c5ef68d3a101e8a3b8cac60c905c15fc910840b94c00a0b9d0\nOutput = 0aab4c900501b3e24d7cdf4663326a3a87df5e4843b2cbdb67cbf6e460fec350aa5371b1508f9f4528ecea23c436d94b5e8fcd4f681e30a6ac00a9704a188a03\n\nVerifyMessage = Ed25519-5\nInput = ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f\nOutput = dc2a4459e7369633a52b1bf277839a00201009a3efbf3ecb69bea2186c26b58909351fc9ac90b3ecfdfbc7c66431e0303dca179c138ac17ad9bef1177331a704\n\nVerifyMessage = Ed25519-SPKI-5\nInput = ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f\nOutput = dc2a4459e7369633a52b1bf277839a00201009a3efbf3ecb69bea2186c26b58909351fc9ac90b3ecfdfbc7c66431e0303dca179c138ac17ad9bef1177331a704\n\n# Length is wrong.\nVerifyMessage = Ed25519-SPKI\nInput = \"\"\nOutput = e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e065224901555fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a10\nError = INVALID_SIGNATURE\n\n# Message is wrong.\nVerifyMessage = Ed25519-SPKI\nInput = \"Hello world\"\nOutput = e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e065224901555fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b\nError = INVALID_SIGNATURE\n\n# Ed25519 does not support configuring a digest.\nSignMessage = Ed25519\nInput = \"\"\nDigest = SHA256\nError = COMMAND_NOT_SUPPORTED\n\n# Ed25519 does not support signing a pre-hashed value.\nSign = Ed25519\nInput = \"0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef\"\nError = OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE\n\nVerify = Ed25519\nInput = \"0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef\"\nOutput = e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e065224901555fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b\nError = OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE\n",
};
-static const size_t kLen32 = 122874;
+static const size_t kLen32 = 122835;
static const char *kData33[] = {
"#\n# Copyright 2001-2017 The OpenSSL Project Authors. All Rights Reserved.\n#\n# Licensed under the OpenSSL license (the \"License\"). You may not use\n# this file except in compliance with the License. You can obtain a copy\n# in the file LICENSE in the source distribution or at\n# https://www.openssl.org/source/license.html\n\nPassword = \"\"\nSalt = \"\"\nN = 16\nr = 1\np = 1\nKey = 77d6576238657b203b19ca42c18a0497f16b4844e3074ae8dfdffa3fede21442fcd0069ded0948f8326a753a0fc81f17e8d3e0fb2e0d3628cf35e20c38d18906\n\nPassword = \"password\"\nSalt = \"NaCl\"\nN = 1024\nr = 8\np = 16\nKey = fdbabe1c9d3472007856e7190d01e9fe7c6ad7cbc8237830e77376634b3731622eaf30d92e22a3886ff109279d9830dac727afb94a83ee6d8360cbdfa2cc0640\n\nPassword = \"pleaseletmein\"\nSalt = \"SodiumChloride\"\nN = 16384\nr = 8\np = 1\nKey = 7023bdcb3afd7348461c06cd81fd38ebfda8fbba904f8e3ea9b543f6545da1f2d5432955613f0fcf62d49705242a9af9e61e85dc0d651e40dfcf017b45575887\n\n# NB: this test requires more than 1GB of memory to run so it is disabled by\n# default. Uncomment it to run.\n# Password = \"pleaseletmein\"\n# Salt = \"SodiumChloride\"\n# N = 1048576\n# r = 8\n# p = 1\n# Key = 2101cb9b6a511aaeaddbbe09cf70f881ec568d574a2ffd4dabe5ee9820adaa478e56fd8f4ba5d09ffa1c6d927c40f4c337304049e8a952fbcbf45c6fa77a41a4\n# MaxMemory = 10000000000\n",
diff --git a/sources.bp b/sources.bp
index 6cc10a8..4343bb7 100644
--- a/sources.bp
+++ b/sources.bp
@@ -375,6 +375,7 @@
"src/ssl/ssl_session.c",
"src/ssl/ssl_stat.c",
"src/ssl/ssl_transcript.c",
+ "src/ssl/ssl_versions.c",
"src/ssl/ssl_x509.c",
"src/ssl/t1_enc.c",
"src/ssl/t1_lib.c",
diff --git a/src/FUZZING.md b/src/FUZZING.md
index abf5d97..60457c6 100644
--- a/src/FUZZING.md
+++ b/src/FUZZING.md
@@ -68,13 +68,15 @@
* Tickets are unencrypted and the MAC check is performed but ignored.
+* renegotiation\_info checks are ignored.
+
This is to prevent the fuzzer from getting stuck at a cryptographic invariant in the protocol.
## TLS transcripts
The `client` and `server` corpora are seeded from the test suite. The test suite has a `-fuzzer` flag which mirrors the fuzzer mode changes above and a `-deterministic` flag which removes all non-determinism on the Go side. Not all tests pass, so `ssl/test/runner/fuzzer_mode.json` contains the necessary suppressions. The `run_tests` target will pass appropriate command-line flags.
-There are separate corpora, `client_corpus_no_fuzzer_mode` and `server_corpus_no_fuzzer_mode`. These are transcripts for fuzzers with only `BORINGSSL_UNSAFE_DETERMINISTIC_MODE` defined. To build in this mode, pass `-DNO_FUZZER_MODE=1` into CMake. This configuration is run in the same way but without `-fuzzer` and `-shim-path` flags.
+There are separate corpora, `client_corpus_no_fuzzer_mode` and `server_corpus_no_fuzzer_mode`. These are transcripts for fuzzers with only `BORINGSSL_UNSAFE_DETERMINISTIC_MODE` defined. To build in this mode, pass `-DNO_FUZZER_MODE=1` into CMake. This configuration is run in the same way but without `-fuzzer` and `-shim-config` flags.
If both sets of tests pass, refresh the fuzzer corpora with `refresh_ssl_corpora.sh`:
diff --git a/src/STYLE.md b/src/STYLE.md
index 4b377e7..3c74b45 100644
--- a/src/STYLE.md
+++ b/src/STYLE.md
@@ -207,3 +207,14 @@
Document private functions in their `internal.h` header or, if static,
where defined.
+
+
+## Build logic
+
+BoringSSL is used by many projects with many different build tools.
+Reimplementing and maintaining build logic in each downstream build is
+cumbersome, so build logic should be avoided where possible. Platform-specific
+files should be excluded by wrapping the contents in `#ifdef`s, rather than
+computing platform-specific file lists. Generated source files such as perlasm
+and `err_data.c` may be used in the standalone CMake build but, for downstream
+builds, they should be pre-generated in `generate_build_files.py`.
diff --git a/src/crypto/cipher_extra/aead_test.cc b/src/crypto/cipher_extra/aead_test.cc
index cce432c..949c800 100644
--- a/src/crypto/cipher_extra/aead_test.cc
+++ b/src/crypto/cipher_extra/aead_test.cc
@@ -580,6 +580,31 @@
Bytes(out + 1, out_len));
}
+TEST_P(PerAEADTest, Overflow) {
+ alignas(64) uint8_t key[EVP_AEAD_MAX_KEY_LENGTH];
+ OPENSSL_memset(key, 'K', sizeof(key));
+
+ bssl::ScopedEVP_AEAD_CTX ctx;
+ const size_t max_tag_len = EVP_AEAD_max_tag_len(aead());
+ ASSERT_TRUE(EVP_AEAD_CTX_init_with_direction(ctx.get(), aead(), key,
+ EVP_AEAD_key_length(aead()),
+ max_tag_len, evp_aead_seal));
+
+ uint8_t plaintext[1] = {0};
+ uint8_t ciphertext[1024] = {0};
+ size_t ciphertext_len;
+ // The AEAD must not overflow when calculating the ciphertext length.
+ ASSERT_FALSE(EVP_AEAD_CTX_seal(
+ ctx.get(), ciphertext, &ciphertext_len, sizeof(ciphertext), nullptr, 0,
+ plaintext, std::numeric_limits<size_t>::max() - max_tag_len + 1, nullptr,
+ 0));
+ ERR_clear_error();
+
+ // (Can't test the scatter interface because it'll attempt to zero the output
+ // buffer on error and the primary output buffer is implicitly the same size
+ // as the input.)
+}
+
// Test that EVP_aead_aes_128_gcm and EVP_aead_aes_256_gcm reject empty nonces.
// AES-GCM is not defined for those.
TEST(AEADTest, AESGCMEmptyNonce) {
diff --git a/src/crypto/evp/evp_tests.txt b/src/crypto/evp/evp_tests.txt
index 52b2a2c..5e69a4e 100644
--- a/src/crypto/evp/evp_tests.txt
+++ b/src/crypto/evp/evp_tests.txt
@@ -343,7 +343,7 @@
PSSSaltLength = 223
Digest = SHA256
Input = "0123456789ABCDEF0123456789ABCDEF"
-Error = DATA_TOO_LARGE_FOR_KEY_SIZE
+Error = DATA_TOO_LARGE
# The salt length is too large for the modulus (verifying).
Verify = RSA-2048
@@ -360,14 +360,14 @@
PSSSaltLength = 0
Digest = SHA512
Input = "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
-Error = DATA_TOO_LARGE_FOR_KEY_SIZE
+Error = DATA_TOO_LARGE
Sign = RSA-512
RSAPadding = PSS
PSSSaltLength = -2
Digest = SHA512
Input = "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
-Error = DATA_TOO_LARGE_FOR_KEY_SIZE
+Error = DATA_TOO_LARGE
# The hash is too large for the modulus (verifying).
Verify = RSA-512
diff --git a/src/crypto/fipsmodule/FIPS.md b/src/crypto/fipsmodule/FIPS.md
index 06ef9fb..30c4487 100644
--- a/src/crypto/fipsmodule/FIPS.md
+++ b/src/crypto/fipsmodule/FIPS.md
@@ -1,10 +1,57 @@
+# FIPS 140-2
+
+BoringSSL as a whole is not FIPS validated. However, there is a core library (called BoringCrypto) that is undergoing validation at time of writing. This document contains some notes about the design of the FIPS module and some documentation on performing FIPS-related tasks. This is not a substitute for reading the offical Security Policy (which, at the time of writing, has not yet been published).
+
+## Running CAVP tests
+
+CAVP results are calculated by `fipstools/cavp`, but that binary is almost always run by `fipstools/run_cavp.go`. The latter knows the set of tests to be processed and the flags needed to configure `cavp` for each one. It must be run from the top of a CAVP directory and needs the following options:
+
+1. `-oracle-bin`: points to the location of `fipstools/cavp`
+2. `-no-fax`: this is needed to suppress checking of the FAX files, which are only included in sample sets.
+
+## Breaking power-on and continuous tests
+
+In order to demonstrate failures of the various FIPS 140 tests, BoringSSL can be built in ways that will trigger such failures. This is controlled by passing `-DFIPS_BREAK_TEST=`(test to break) to CMake, where the following tests can be specified:
+
+1. AES\_CBC
+1. AES\_GCM
+1. DES
+1. SHA\_1
+1. SHA\_256
+1. SHA\_512
+1. RSA\_SIG
+1. ECDSA\_SIG
+1. DRBG
+1. RSA\_PWCT
+1. ECDSA\_PWCT
+
+## Breaking the integrity test
+
+The utility in `util/fipstools/break-hash.go` can be used to corrupt the FIPS module inside a binary and thus trigger a failure of the integrity test. Note that the binary must not be stripped, otherwise the utility will not be able to find the FIPS module.
+
+## RNG design
+
+FIPS 140-2 requires that one of its PRNGs be used (which they call DRBGs). In BoringCrypto, we use CTR-DRBG with AES-256 exclusively and `RAND_bytes` (the primary interface for the rest of the system to get random data) takes its output from there.
+
+The DRBG state is kept in a thread-local structure and is seeded from one of the following entropy sources in preference order: RDRAND (on Intel chips), `getrandom`, and `/dev/urandom`. In the case of `/dev/urandom`, in order to ensure that the system has a minimum level of entropy, BoringCrypto polls the kernel until the estimated entropy is at least 256 bits. This is a poor man's version of `getrandom` and we strongly recommend using a kernel recent enough to support the real thing.
+
+In FIPS mode, each of those entropy sources is subject to a 10× overread. That is, when *n* bytes of entropy are needed, *10n* bytes will be read from the entropy source and XORed down to *n* bytes. Reads from the entropy source are also processed in blocks of 16 bytes and if two consecutive chunks are equal the process will abort.
+
+The CTR-DRBG is reseeded every 4096 calls to `RAND_bytes`. Thus the process will randomly crash about every 2¹³⁵ calls.
+
+The FIPS PRNGs allow “additional input” to be fed into a given call. We use this feature to be as robust as possible to state duplication from process forks and VM copies: for every call we read 32 bytes of “additional data” from the entropy source (without overread) which means that cloned states will diverge at the next call to `RAND_bytes`. This is called “prediction resistance” by FIPS, but we do *not* claim this property in a FIPS context because we don't implement it the way they want.
+
+There is a second interface to the RNG which allows the caller to supply bytes that will be XORed into the generated additional data (`RAND_bytes_with_additional_data`). This is used in the ECDSA code to include the message and private key in the generation of *k*, the ECDSA nonce. This allows ECDSA to be robust to entropy failures while still following the FIPS rules.
+
+FIPS requires that RNG state be zeroed when the process exits. In order to implement this, all per-thread RNG states are tracked in a linked list and a destructor function is included which clears them. In order for this to be safe in the presence of threads, a lock is used to stop all other threads from using the RNG once this process has begun. Thus the main thread exiting may cause other threads to deadlock, and drawing on entropy in a destructor function may also deadlock.
+
## Integrity Test
FIPS-140 mandates that a module calculate an HMAC of its own code in a constructor function and compare the result to a known-good value. Typical code produced by a C compiler includes large numbers of relocations: places in the machine code where the linker needs to resolve and inject the final value of a symbolic expression. These relocations mean that the bytes that make up any specific bit of code generally aren't known until the final link has completed.
Additionally, because of shared libraries and ASLR, some relocations can only be resolved at run-time, and thus targets of those relocations vary even after the final link.
-BoringSSL is linked (often statically) into a large number of binaries. It would be a significant cost if each of these binaries had to be post-processed in order to calculate the known-good HMAC value. We would much prefer if the value could be calculated, once, when BoringSSL itself is compiled.
+BoringCrypto is linked (often statically) into a large number of binaries. It would be a significant cost if each of these binaries had to be post-processed in order to calculate the known-good HMAC value. We would much prefer if the value could be calculated, once, when BoringCrypto itself is compiled.
In order for the value to be calculated before the final link, there can be no relocations in the hashed code and data. This document describes how we build C and assembly code in order to produce an object file containing all the code and data for the FIPS module without that code having any relocations.
@@ -32,7 +79,7 @@
Mutable data is a problem. It cannot be in the text segment because the text segment is mapped read-only. If it's in a different segment then the code cannot reference it with a known, IP-relative offset because the segment layout is only fixed during the final link.
-Thankfully, mutable data is very rare in our cryptographic code and I hope that we can get it down to just a few variables. In order to allow this we use a similar design to the redirector functions: the code references a symbol that's in the text segment, but out of the module and thus not hashed. A relocation record is emitted to instruct the linker to poke the final offset to the variable in that location. Thus the only change needed is an extra indirection when loading the value.
+In order to allow this we use a similar design to the redirector functions: the code references a symbol that's in the text segment, but out of the module and thus not hashed. A relocation record is emitted to instruct the linker to poke the final offset to the variable in that location. Thus the only change needed is an extra indirection when loading the value.
##### Other transforms
@@ -42,8 +89,7 @@
1. Various sections, notably `.rodata`, are moved to the `.text` section, inside the module, so module code may reference it without relocations.
1. For each BSS symbol, it generates a function named after that symbol but with `_bss_get` appended, which returns its address.
1. It inserts the labels that delimit the module's code and data (called `module_start` and `module_end` in the diagram above).
-1. It adds a 32-byte, read-only array outside of the module to contain the known-good HMAC value.
-1. It rewrites some "dummy" references to point to those labels and that array. In order to get the C compiler to emit the correct code it's necessary to make it think that it's referencing static functions. This compensates for that trick.
+1. It adds a 64-byte, read-only array outside of the module to contain the known-good HMAC value.
##### Integrity testing
@@ -59,17 +105,16 @@
OpenSSL's solution to this problem is broadly similar but has a number of differences:
-1. OpenSSL deals with run-time relocations by not hashing parts of the module's data. BoringSSL will eliminate run-time relocations instead and hash everything.
-1. OpenSSL uses `ld -r` (the partial linking mode) to merge a number of object files into their `fipscanister.o`. For BoringSSL, we propose to merge all the C source files by building a single C file that #includes all the others, then we propose to merge the assembly sources by concatenating them to the assembly output from the C compiler.
-1. OpenSSL depends on the link order and inserts two object files, `fips_start.o` and `fips_end.o`, in order to establish the `module_start` and `module_end` values. BoringSSL proposes to simply add labels at the correct places in the assembly.
-1. OpenSSL calculates the hash after the final link and either injects it into the binary or recompiles with the value of the hash passed in as a #define. BoringSSL calculates it prior to the final link and injects it into the object file.
-1. OpenSSL references read-write data directly, since it can know the offsets to it. BoringSSL indirects these loads and stores.
-1. OpenSSL doesn't run the power-on test until `FIPS_module_mode_set` is called, BoringSSL plans to do it in a constructor function. Failure of the test is non-fatal in OpenSSL, BoringSSL plans to crash.
-1. Since the contents of OpenSSL's module change between compilation and use, OpenSSL generates `fipscanister.o.sha1` to check that the compiled object doesn't change before linking. Since BoringSSL's module is fixed after compilation, the final integrity check is unbroken through the linking process.
+1. OpenSSL deals with run-time relocations by not hashing parts of the module's data.
+1. OpenSSL uses `ld -r` (the partial linking mode) to merge a number of object files into their `fipscanister.o`. For BoringCrypto, we merge all the C source files by building a single C file that #includes all the others, and we merge the assembly sources by appending them to the assembly output from the C compiler.
+1. OpenSSL depends on the link order and inserts two object files, `fips_start.o` and `fips_end.o`, in order to establish the `module_start` and `module_end` values. BoringCrypto adds labels at the correct places in the assembly.
+1. OpenSSL calculates the hash after the final link and either injects it into the binary or recompiles with the value of the hash passed in as a #define. BoringCrypto calculates it prior to the final link and injects it into the object file.
+1. OpenSSL references read-write data directly, since it can know the offsets to it. BoringCrypto indirects these loads and stores.
+1. OpenSSL doesn't run the power-on test until `FIPS_module_mode_set` is called. BoringCrypto does it in a constructor function. Failure of the test is non-fatal in OpenSSL, BoringCrypto will crash.
+1. Since the contents of OpenSSL's module change between compilation and use, OpenSSL generates `fipscanister.o.sha1` to check that the compiled object doesn't change before linking. Since BoringCrypto's module is fixed after compilation, the final integrity check is unbroken through the linking process.
Some of the similarities are worth noting:
1. OpenSSL has all out-calls from the module indirecting via the PLT, which is equivalent to the redirector functions described above.
-
diff --git a/src/crypto/fipsmodule/rsa/padding.c b/src/crypto/fipsmodule/rsa/padding.c
index 69bd9ad..9f002d2 100644
--- a/src/crypto/fipsmodule/rsa/padding.c
+++ b/src/crypto/fipsmodule/rsa/padding.c
@@ -170,7 +170,7 @@
}
if (from_len > to_len - RSA_PKCS1_PADDING_SIZE) {
- OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
+ OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE);
return 0;
}
@@ -254,12 +254,12 @@
int RSA_padding_add_none(uint8_t *to, size_t to_len, const uint8_t *from,
size_t from_len) {
if (from_len > to_len) {
- OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
+ OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE);
return 0;
}
if (from_len < to_len) {
- OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE);
+ OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_SMALL);
return 0;
}
@@ -330,7 +330,7 @@
size_t emlen = to_len - 1;
if (from_len > emlen - 2 * mdlen - 1) {
- OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
+ OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE);
return 0;
}
@@ -608,7 +608,7 @@
}
if (emLen < hLen + 2) {
- OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
+ OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE);
goto err;
}
@@ -629,7 +629,7 @@
}
if (emLen - hLen - 2 < sLen) {
- OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
+ OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE);
goto err;
}
diff --git a/src/crypto/fipsmodule/rsa/rsa_impl.c b/src/crypto/fipsmodule/rsa/rsa_impl.c
index c79f864..b126164 100644
--- a/src/crypto/fipsmodule/rsa/rsa_impl.c
+++ b/src/crypto/fipsmodule/rsa/rsa_impl.c
@@ -176,7 +176,7 @@
if (BN_ucmp(f, rsa->n) >= 0) {
/* usually the padding functions would catch this */
- OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
+ OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE);
goto err;
}
@@ -489,7 +489,7 @@
}
if (BN_ucmp(f, rsa->n) >= 0) {
- OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
+ OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE);
goto err;
}
@@ -563,7 +563,7 @@
if (BN_ucmp(f, rsa->n) >= 0) {
/* Usually the padding functions would catch this. */
- OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
+ OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE);
goto err;
}
diff --git a/src/crypto/x509/asn1_gen.c b/src/crypto/x509/asn1_gen.c
index c52a1ac..5b74cd1 100644
--- a/src/crypto/x509/asn1_gen.c
+++ b/src/crypto/x509/asn1_gen.c
@@ -84,6 +84,8 @@
#define ASN1_GEN_STR(str,val) {str, sizeof(str) - 1, val}
#define ASN1_FLAG_EXP_MAX 20
+/* Maximum number of nested sequences */
+#define ASN1_GEN_SEQ_MAX_DEPTH 50
/* Input formats */
@@ -120,13 +122,16 @@
int exp_count;
} tag_exp_arg;
+static ASN1_TYPE *generate_v3(char *str, X509V3_CTX *cnf, int depth,
+ int *perr);
static int bitstr_cb(const char *elem, int len, void *bitstr);
static int asn1_cb(const char *elem, int len, void *bitstr);
static int append_exp(tag_exp_arg *arg, int exp_tag, int exp_class,
int exp_constructed, int exp_pad, int imp_ok);
static int parse_tagging(const char *vstart, int vlen, int *ptag,
int *pclass);
-static ASN1_TYPE *asn1_multi(int utype, const char *section, X509V3_CTX *cnf);
+static ASN1_TYPE *asn1_multi(int utype, const char *section, X509V3_CTX *cnf,
+ int depth, int *perr);
static ASN1_TYPE *asn1_str2type(const char *str, int format, int utype);
static int asn1_str2tag(const char *tagstr, int len);
@@ -143,6 +148,16 @@
ASN1_TYPE *ASN1_generate_v3(char *str, X509V3_CTX *cnf)
{
+ int err = 0;
+ ASN1_TYPE *ret = generate_v3(str, cnf, 0, &err);
+ if (err)
+ OPENSSL_PUT_ERROR(ASN1, err);
+ return ret;
+}
+
+static ASN1_TYPE *generate_v3(char *str, X509V3_CTX *cnf, int depth,
+ int *perr)
+{
ASN1_TYPE *ret;
tag_exp_arg asn1_tags;
tag_exp_type *etmp;
@@ -162,16 +177,22 @@
asn1_tags.imp_class = -1;
asn1_tags.format = ASN1_GEN_FORMAT_ASCII;
asn1_tags.exp_count = 0;
- if (CONF_parse_list(str, ',', 1, asn1_cb, &asn1_tags) != 0)
+ if (CONF_parse_list(str, ',', 1, asn1_cb, &asn1_tags) != 0) {
+ *perr = ASN1_R_UNKNOWN_TAG;
return NULL;
+ }
if ((asn1_tags.utype == V_ASN1_SEQUENCE)
|| (asn1_tags.utype == V_ASN1_SET)) {
if (!cnf) {
- OPENSSL_PUT_ERROR(ASN1, ASN1_R_SEQUENCE_OR_SET_NEEDS_CONFIG);
+ *perr = ASN1_R_SEQUENCE_OR_SET_NEEDS_CONFIG;
return NULL;
}
- ret = asn1_multi(asn1_tags.utype, asn1_tags.str, cnf);
+ if (depth >= ASN1_GEN_SEQ_MAX_DEPTH) {
+ *perr = ASN1_R_ILLEGAL_NESTED_TAGGING;
+ return NULL;
+ }
+ ret = asn1_multi(asn1_tags.utype, asn1_tags.str, cnf, depth, perr);
} else
ret = asn1_str2type(asn1_tags.str, asn1_tags.format, asn1_tags.utype);
@@ -289,7 +310,7 @@
int tmp_tag, tmp_class;
if (elem == NULL)
- return 0;
+ return -1;
for (i = 0, p = elem; i < len; p++, i++) {
/* Look for the ':' in name value pairs */
@@ -444,7 +465,8 @@
/* Handle multiple types: SET and SEQUENCE */
-static ASN1_TYPE *asn1_multi(int utype, const char *section, X509V3_CTX *cnf)
+static ASN1_TYPE *asn1_multi(int utype, const char *section, X509V3_CTX *cnf,
+ int depth, int *perr)
{
ASN1_TYPE *ret = NULL;
STACK_OF(ASN1_TYPE) *sk = NULL;
@@ -463,7 +485,8 @@
goto bad;
for (i = 0; i < sk_CONF_VALUE_num(sect); i++) {
ASN1_TYPE *typ =
- ASN1_generate_v3(sk_CONF_VALUE_value(sect, i)->value, cnf);
+ generate_v3(sk_CONF_VALUE_value(sect, i)->value, cnf,
+ depth + 1, perr);
if (!typ)
goto bad;
if (!sk_ASN1_TYPE_push(sk, typ))
diff --git a/src/crypto/x509v3/pcy_tree.c b/src/crypto/x509v3/pcy_tree.c
index 71f9a6d..256fe88 100644
--- a/src/crypto/x509v3/pcy_tree.c
+++ b/src/crypto/x509v3/pcy_tree.c
@@ -136,11 +136,14 @@
#endif
-/*
- * Initialize policy tree. Return values: 0 Some internal error occured. -1
- * Inconsistent or invalid extensions in certificates. 1 Tree initialized
- * OK. 2 Policy tree is empty. 5 Tree OK and requireExplicitPolicy true. 6
- * Tree empty and requireExplicitPolicy true.
+/*-
+ * Initialize policy tree. Return values:
+ * 0 Some internal error occurred.
+ * -1 Inconsistent or invalid extensions in certificates.
+ * 1 Tree initialized OK.
+ * 2 Policy tree is empty.
+ * 5 Tree OK and requireExplicitPolicy true.
+ * 6 Tree empty and requireExplicitPolicy true.
*/
static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
@@ -720,10 +723,13 @@
}
-/*
- * Application policy checking function. Return codes: 0 Internal Error. 1
- * Successful. -1 One or more certificates contain invalid or inconsistent
- * extensions -2 User constrained policy set empty and requireExplicit true.
+/*-
+ * Application policy checking function.
+ * Return codes:
+ * 0 Internal Error.
+ * 1 Successful.
+ * -1 One or more certificates contain invalid or inconsistent extensions
+ * -2 User constrained policy set empty and requireExplicit true.
*/
int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
@@ -731,6 +737,7 @@
STACK_OF(ASN1_OBJECT) *policy_oids, unsigned int flags)
{
int ret;
+ int calc_ret;
X509_POLICY_TREE *tree = NULL;
STACK_OF(X509_POLICY_NODE) *nodes, *auth_nodes = NULL;
*ptree = NULL;
@@ -799,16 +806,19 @@
/* Tree is not empty: continue */
- ret = tree_calculate_authority_set(tree, &auth_nodes);
+ calc_ret = tree_calculate_authority_set(tree, &auth_nodes);
+
+ if (!calc_ret)
+ goto error;
+
+ ret = tree_calculate_user_set(tree, policy_oids, auth_nodes);
+
+ if (calc_ret == 2)
+ sk_X509_POLICY_NODE_free(auth_nodes);
if (!ret)
goto error;
- if (!tree_calculate_user_set(tree, policy_oids, auth_nodes))
- goto error;
-
- if (ret == 2)
- sk_X509_POLICY_NODE_free(auth_nodes);
if (tree)
*ptree = tree;
diff --git a/src/include/openssl/ssl.h b/src/include/openssl/ssl.h
index b5f1c57..59fbeb8 100644
--- a/src/include/openssl/ssl.h
+++ b/src/include/openssl/ssl.h
@@ -1706,25 +1706,39 @@
/* Session caching.
*
- * Session caching allows clients to reconnect to a server based on saved
- * parameters from a previous connection.
+ * Session caching allows connections to be established more efficiently based
+ * on saved parameters from a previous connection, called a session (see
+ * |SSL_SESSION|). The client offers a saved session, using an opaque identifier
+ * from a previous connection. The server may accept the session, if it has the
+ * parameters available. Otherwise, it will decline and continue with a full
+ * handshake.
+ *
+ * This requires both the client and the server to retain session state. A
+ * client does so with a stateful session cache. A server may do the same or, if
+ * supported by both sides, statelessly using session tickets. For more
+ * information on the latter, see the next section.
*
* For a server, the library implements a built-in internal session cache as an
- * in-memory hash table. One may also register callbacks to implement a custom
- * external session cache. An external cache may be used in addition to or
- * instead of the internal one. Use |SSL_CTX_set_session_cache_mode| to toggle
- * the internal cache.
+ * in-memory hash table. Servers may also use |SSL_CTX_sess_set_get_cb| and
+ * |SSL_CTX_sess_set_new_cb| to implement a custom external session cache. In
+ * particular, this may be used to share a session cache between multiple
+ * servers in a large deployment. An external cache may be used in addition to
+ * or instead of the internal one. Use |SSL_CTX_set_session_cache_mode| to
+ * toggle the internal cache.
*
- * For a client, the only option is an external session cache. Prior to
- * handshaking, the consumer should look up a session externally (keyed, for
- * instance, by hostname) and use |SSL_set_session| to configure which session
- * to offer. The callbacks may be used to determine when new sessions are
- * available.
+ * For a client, the only option is an external session cache. Clients may use
+ * |SSL_CTX_sess_set_new_cb| to register a callback for when new sessions are
+ * available. These may be cached and, in subsequent compatible connections,
+ * configured with |SSL_set_session|.
*
- * Note that offering or accepting a session short-circuits most parameter
- * negotiation. Resuming sessions across different configurations may result in
- * surprising behavior. So, for instance, a client implementing a version
- * fallback should shard its session cache by maximum protocol version. */
+ * Note that offering or accepting a session short-circuits certificate
+ * verification and most parameter negotiation. Resuming sessions across
+ * different contexts may result in security failures and surprising
+ * behavior. For a typical client, this means sessions for different hosts must
+ * be cached under different keys. A client that connects to the same host with,
+ * e.g., different cipher suite settings or client certificates should also use
+ * separate session caches between those contexts. Servers should also partition
+ * session caches between SNI hosts with |SSL_CTX_set_session_id_context|. */
/* SSL_SESS_CACHE_OFF disables all session caching. */
#define SSL_SESS_CACHE_OFF 0x0000
@@ -1771,25 +1785,6 @@
* It is an error to call this function after the handshake has begun. */
OPENSSL_EXPORT int SSL_set_session(SSL *ssl, SSL_SESSION *session);
-/* SSL_get_session returns a non-owning pointer to |ssl|'s session. For
- * historical reasons, which session it returns depends on |ssl|'s state.
- *
- * Prior to the start of the initial handshake, it returns the session the
- * caller set with |SSL_set_session|. After the initial handshake has finished
- * and if no additional handshakes are in progress, it returns the currently
- * active session. Its behavior is undefined while a handshake is in progress.
- *
- * Using this function to add new sessions to an external session cache is
- * deprecated. Use |SSL_CTX_sess_set_new_cb| instead. */
-OPENSSL_EXPORT SSL_SESSION *SSL_get_session(const SSL *ssl);
-
-/* SSL_get0_session is an alias for |SSL_get_session|. */
-#define SSL_get0_session SSL_get_session
-
-/* SSL_get1_session acts like |SSL_get_session| but returns a new reference to
- * the session. */
-OPENSSL_EXPORT SSL_SESSION *SSL_get1_session(SSL *ssl);
-
/* SSL_DEFAULT_SESSION_TIMEOUT is the default lifetime, in seconds, of a
* session in TLS 1.2 or earlier. This is how long we are willing to use the
* secret to encrypt traffic without fresh key material. */
@@ -1824,11 +1819,7 @@
* connection without a matching session ID context.
*
* For a server, if |SSL_VERIFY_PEER| is enabled, it is an error to not set a
- * session ID context.
- *
- * TODO(davidben): Is that check needed? That seems a special case of taking
- * care not to cross-resume across configuration changes, and this is only
- * relevant if a server requires client auth. */
+ * session ID context. */
OPENSSL_EXPORT int SSL_CTX_set_session_id_context(SSL_CTX *ctx,
const uint8_t *sid_ctx,
size_t sid_ctx_len);
@@ -1889,12 +1880,7 @@
* ticket is renewed. Further, it may not be called until some time after
* |SSL_do_handshake| or |SSL_connect| completes if False Start is enabled. Thus
* it's recommended to use this callback over checking |SSL_session_reused| on
- * handshake completion.
- *
- * TODO(davidben): Conditioning callbacks on |SSL_SESS_CACHE_CLIENT| or
- * |SSL_SESS_CACHE_SERVER| doesn't make any sense when one could just as easily
- * not supply the callbacks. Removing that condition and the client internal
- * cache would simplify things. */
+ * handshake completion. */
OPENSSL_EXPORT void SSL_CTX_sess_set_new_cb(
SSL_CTX *ctx, int (*new_session_cb)(SSL *ssl, SSL_SESSION *session));
@@ -1959,23 +1945,36 @@
/* Session tickets.
*
* Session tickets, from RFC 5077, allow session resumption without server-side
- * state. Session tickets are supported in by default but may be disabled with
+ * state. The server maintains a secret ticket key and sends the client opaque
+ * encrypted session parameters, called a ticket. When offering the session, the
+ * client sends the ticket which the server decrypts to recover session state.
+ * Session tickets are enabled by default but may be disabled with
* |SSL_OP_NO_TICKET|.
*
* On the client, ticket-based sessions use the same APIs as ID-based tickets.
* Callers do not need to handle them differently.
*
* On the server, tickets are encrypted and authenticated with a secret key. By
- * default, an |SSL_CTX| generates a key on creation. Tickets are minted and
- * processed transparently. The following functions may be used to configure a
- * persistent key or implement more custom behavior. There are three levels of
- * customisation possible:
+ * default, an |SSL_CTX| generates a key on creation and uses it for the
+ * lifetime of the |SSL_CTX|. Tickets are minted and processed
+ * transparently. The following functions may be used to configure a persistent
+ * key or implement more custom behavior, including key rotation and sharing
+ * keys between multiple servers in a large deployment. There are three levels
+ * of customisation possible:
*
* 1) One can simply set the keys with |SSL_CTX_set_tlsext_ticket_keys|.
* 2) One can configure an |EVP_CIPHER_CTX| and |HMAC_CTX| directly for
* encryption and authentication.
* 3) One can configure an |SSL_TICKET_ENCRYPTION_METHOD| to have more control
- * and the option of asynchronous decryption. */
+ * and the option of asynchronous decryption.
+ *
+ * An attacker that compromises a server's session ticket key can impersonate
+ * the server and, prior to TLS 1.3, retroactively decrypt all application
+ * traffic from sessions using that ticket key. Thus ticket keys must be
+ * regularly rotated for forward secrecy. Note the default key is currently not
+ * rotated.
+ *
+ * TODO(davidben): This is silly. Rotate the default key automatically. */
/* SSL_CTX_get_tlsext_ticket_keys writes |ctx|'s session ticket key material to
* |len| bytes of |out|. It returns one on success and zero if |len| is not
@@ -2167,8 +2166,8 @@
#define SSL_VERIFY_PEER 0x01
/* SSL_VERIFY_FAIL_IF_NO_PEER_CERT configures a server to reject connections if
- * the client declines to send a certificate. Otherwise |SSL_VERIFY_PEER| still
- * allows anonymous clients. */
+ * the client declines to send a certificate. This flag must be used together
+ * with |SSL_VERIFY_PEER|, otherwise it won't work. */
#define SSL_VERIFY_FAIL_IF_NO_PEER_CERT 0x02
/* SSL_VERIFY_PEER_IF_NO_OBC configures a server to request a client certificate
@@ -3884,6 +3883,29 @@
/* SSL_set_ecdh_auto returns one. */
#define SSL_set_ecdh_auto(ssl, onoff) 1
+/* SSL_get_session returns a non-owning pointer to |ssl|'s session. For
+ * historical reasons, which session it returns depends on |ssl|'s state.
+ *
+ * Prior to the start of the initial handshake, it returns the session the
+ * caller set with |SSL_set_session|. After the initial handshake has finished
+ * and if no additional handshakes are in progress, it returns the currently
+ * active session. Its behavior is undefined while a handshake is in progress.
+ *
+ * If trying to add new sessions to an external session cache, use
+ * |SSL_CTX_sess_set_new_cb| instead. In particular, using the callback is
+ * required as of TLS 1.3. For compatibility, this function will return an
+ * unresumable session which may be cached, but will never be resumed.
+ *
+ * If querying properties of the connection, use APIs on the |SSL| object. */
+OPENSSL_EXPORT SSL_SESSION *SSL_get_session(const SSL *ssl);
+
+/* SSL_get0_session is an alias for |SSL_get_session|. */
+#define SSL_get0_session SSL_get_session
+
+/* SSL_get1_session acts like |SSL_get_session| but returns a new reference to
+ * the session. */
+OPENSSL_EXPORT SSL_SESSION *SSL_get1_session(SSL *ssl);
+
/* Private structures.
*
diff --git a/src/ssl/CMakeLists.txt b/src/ssl/CMakeLists.txt
index 3e9cd40..0c09443 100644
--- a/src/ssl/CMakeLists.txt
+++ b/src/ssl/CMakeLists.txt
@@ -29,6 +29,7 @@
ssl_session.c
ssl_stat.c
ssl_transcript.c
+ ssl_versions.c
ssl_x509.c
t1_enc.c
t1_lib.c
diff --git a/src/ssl/dtls_method.c b/src/ssl/dtls_method.c
index 6084789..dd8d786 100644
--- a/src/ssl/dtls_method.c
+++ b/src/ssl/dtls_method.c
@@ -66,35 +66,6 @@
#include "internal.h"
-static int dtls1_version_from_wire(uint16_t *out_version,
- uint16_t wire_version) {
- switch (wire_version) {
- case DTLS1_VERSION:
- /* DTLS 1.0 maps to TLS 1.1, not TLS 1.0. */
- *out_version = TLS1_1_VERSION;
- return 1;
- case DTLS1_2_VERSION:
- *out_version = TLS1_2_VERSION;
- return 1;
- }
-
- return 0;
-}
-
-static uint16_t dtls1_version_to_wire(uint16_t version) {
- switch (version) {
- case TLS1_1_VERSION:
- /* DTLS 1.0 maps to TLS 1.1, not TLS 1.0. */
- return DTLS1_VERSION;
- case TLS1_2_VERSION:
- return DTLS1_2_VERSION;
- }
-
- /* It is an error to use this function with an invalid version. */
- assert(0);
- return 0;
-}
-
static int dtls1_supports_cipher(const SSL_CIPHER *cipher) {
return cipher->algorithm_enc != SSL_eNULL;
}
@@ -134,10 +105,6 @@
static const SSL_PROTOCOL_METHOD kDTLSProtocolMethod = {
1 /* is_dtls */,
- TLS1_1_VERSION,
- TLS1_2_VERSION,
- dtls1_version_from_wire,
- dtls1_version_to_wire,
dtls1_new,
dtls1_free,
dtls1_get_message,
diff --git a/src/ssl/handshake_client.c b/src/ssl/handshake_client.c
index dddf602..c772f77 100644
--- a/src/ssl/handshake_client.c
+++ b/src/ssl/handshake_client.c
@@ -717,33 +717,26 @@
return -1;
}
- uint16_t max_wire_version = ssl->method->version_to_wire(hs->max_version);
- assert(hs->state == SSL3_ST_CW_CLNT_HELLO_A);
- if (!ssl->s3->have_version) {
- ssl->version = max_wire_version;
- }
-
/* Always advertise the ClientHello version from the original maximum version,
* even on renegotiation. The static RSA key exchange uses this field, and
* some servers fail when it changes across handshakes. */
- hs->client_version = max_wire_version;
- if (hs->max_version >= TLS1_3_VERSION) {
- hs->client_version = ssl->method->version_to_wire(TLS1_2_VERSION);
+ if (SSL_is_dtls(hs->ssl)) {
+ hs->client_version =
+ hs->max_version >= TLS1_2_VERSION ? DTLS1_2_VERSION : DTLS1_VERSION;
+ } else {
+ hs->client_version =
+ hs->max_version >= TLS1_2_VERSION ? TLS1_2_VERSION : hs->max_version;
}
/* If the configured session has expired or was created at a disabled
* version, drop it. */
if (ssl->session != NULL) {
- uint16_t session_version;
if (ssl->session->is_server ||
- !ssl->method->version_from_wire(&session_version,
- ssl->session->ssl_version) ||
- (session_version < TLS1_3_VERSION &&
- ssl->session->session_id_length == 0) ||
+ !ssl_supports_version(hs, ssl->session->ssl_version) ||
+ (ssl->session->session_id_length == 0 &&
+ ssl->session->tlsext_ticklen == 0) ||
ssl->session->not_resumable ||
- !ssl_session_is_time_valid(ssl, ssl->session) ||
- session_version < hs->min_version ||
- session_version > hs->max_version) {
+ !ssl_session_is_time_valid(ssl, ssl->session)) {
ssl_set_session(ssl, NULL);
}
}
@@ -798,7 +791,7 @@
static int ssl3_get_server_hello(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
CBS server_hello, server_random, session_id;
- uint16_t server_wire_version, cipher_suite;
+ uint16_t server_version, cipher_suite;
uint8_t compression_method;
int ret = ssl->method->ssl_get_message(ssl);
@@ -826,15 +819,13 @@
CBS_init(&server_hello, ssl->init_msg, ssl->init_num);
- if (!CBS_get_u16(&server_hello, &server_wire_version)) {
+ if (!CBS_get_u16(&server_hello, &server_version)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
return -1;
}
- uint16_t server_version;
- if (!ssl->method->version_from_wire(&server_version, server_wire_version) ||
- server_version < hs->min_version || server_version > hs->max_version) {
+ if (!ssl_supports_version(hs, server_version)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_PROTOCOL);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_PROTOCOL_VERSION);
return -1;
@@ -842,11 +833,11 @@
assert(ssl->s3->have_version == ssl->s3->initial_handshake_complete);
if (!ssl->s3->have_version) {
- ssl->version = server_wire_version;
+ ssl->version = server_version;
/* At this point, the connection's version is known and ssl->version is
* fixed. Begin enforcing the record-layer version. */
ssl->s3->have_version = 1;
- } else if (server_wire_version != ssl->version) {
+ } else if (server_version != ssl->version) {
OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SSL_VERSION);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_PROTOCOL_VERSION);
return -1;
diff --git a/src/ssl/handshake_server.c b/src/ssl/handshake_server.c
index d591c80..64abd5d 100644
--- a/src/ssl/handshake_server.c
+++ b/src/ssl/handshake_server.c
@@ -471,12 +471,9 @@
const SSL_CLIENT_HELLO *client_hello) {
SSL *const ssl = hs->ssl;
assert(!ssl->s3->have_version);
- uint16_t version = 0;
- /* Check supported_versions extension if it is present. */
- CBS supported_versions;
+ CBS supported_versions, versions;
if (ssl_client_hello_get_extension(client_hello, &supported_versions,
TLSEXT_TYPE_supported_versions)) {
- CBS versions;
if (!CBS_get_u8_length_prefixed(&supported_versions, &versions) ||
CBS_len(&supported_versions) != 0 ||
CBS_len(&versions) == 0) {
@@ -484,89 +481,63 @@
*out_alert = SSL_AD_DECODE_ERROR;
return 0;
}
-
- /* Choose the newest commonly-supported version advertised by the client.
- * The client orders the versions according to its preferences, but we're
- * not required to honor the client's preferences. */
- int found_version = 0;
- while (CBS_len(&versions) != 0) {
- uint16_t ext_version;
- if (!CBS_get_u16(&versions, &ext_version)) {
- OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
- *out_alert = SSL_AD_DECODE_ERROR;
- return 0;
- }
- if (!ssl->method->version_from_wire(&ext_version, ext_version)) {
- continue;
- }
- if (hs->min_version <= ext_version &&
- ext_version <= hs->max_version &&
- (!found_version || version < ext_version)) {
- version = ext_version;
- found_version = 1;
- }
- }
-
- if (!found_version) {
- goto unsupported_protocol;
- }
} else {
- /* Process ClientHello.version instead. Note that versions beyond (D)TLS 1.2
- * do not use this mechanism. */
+ /* Convert the ClientHello version to an equivalent supported_versions
+ * extension. */
+ static const uint8_t kTLSVersions[] = {
+ 0x03, 0x03, /* TLS 1.2 */
+ 0x03, 0x02, /* TLS 1.1 */
+ 0x03, 0x01, /* TLS 1 */
+ 0x03, 0x00, /* SSL 3 */
+ };
+
+ static const uint8_t kDTLSVersions[] = {
+ 0xfe, 0xfd, /* DTLS 1.2 */
+ 0xfe, 0xff, /* DTLS 1.0 */
+ };
+
+ size_t versions_len = 0;
if (SSL_is_dtls(ssl)) {
if (client_hello->version <= DTLS1_2_VERSION) {
- version = TLS1_2_VERSION;
+ versions_len = 4;
} else if (client_hello->version <= DTLS1_VERSION) {
- version = TLS1_1_VERSION;
- } else {
- goto unsupported_protocol;
+ versions_len = 2;
}
+ CBS_init(&versions, kDTLSVersions + sizeof(kDTLSVersions) - versions_len,
+ versions_len);
} else {
if (client_hello->version >= TLS1_2_VERSION) {
- version = TLS1_2_VERSION;
+ versions_len = 8;
} else if (client_hello->version >= TLS1_1_VERSION) {
- version = TLS1_1_VERSION;
+ versions_len = 6;
} else if (client_hello->version >= TLS1_VERSION) {
- version = TLS1_VERSION;
+ versions_len = 4;
} else if (client_hello->version >= SSL3_VERSION) {
- version = SSL3_VERSION;
- } else {
- goto unsupported_protocol;
+ versions_len = 2;
}
- }
-
- /* Apply our minimum and maximum version. */
- if (version > hs->max_version) {
- version = hs->max_version;
- }
-
- if (version < hs->min_version) {
- goto unsupported_protocol;
+ CBS_init(&versions, kTLSVersions + sizeof(kTLSVersions) - versions_len,
+ versions_len);
}
}
- /* Handle FALLBACK_SCSV. */
- if (ssl_client_cipher_list_contains_cipher(client_hello,
- SSL3_CK_FALLBACK_SCSV & 0xffff) &&
- version < hs->max_version) {
- OPENSSL_PUT_ERROR(SSL, SSL_R_INAPPROPRIATE_FALLBACK);
- *out_alert = SSL3_AD_INAPPROPRIATE_FALLBACK;
+ if (!ssl_negotiate_version(hs, out_alert, &ssl->version, &versions)) {
return 0;
}
- hs->client_version = client_hello->version;
- ssl->version = ssl->method->version_to_wire(version);
-
/* At this point, the connection's version is known and |ssl->version| is
* fixed. Begin enforcing the record-layer version. */
ssl->s3->have_version = 1;
- return 1;
+ /* Handle FALLBACK_SCSV. */
+ if (ssl_client_cipher_list_contains_cipher(client_hello,
+ SSL3_CK_FALLBACK_SCSV & 0xffff) &&
+ ssl3_protocol_version(ssl) < hs->max_version) {
+ OPENSSL_PUT_ERROR(SSL, SSL_R_INAPPROPRIATE_FALLBACK);
+ *out_alert = SSL3_AD_INAPPROPRIATE_FALLBACK;
+ return 0;
+ }
-unsupported_protocol:
- OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_PROTOCOL);
- *out_alert = SSL_AD_PROTOCOL_VERSION;
- return 0;
+ return 1;
}
static STACK_OF(SSL_CIPHER) *
@@ -611,12 +582,6 @@
uint32_t *out_mask_k,
uint32_t *out_mask_a) {
SSL *const ssl = hs->ssl;
- if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
- *out_mask_k = SSL_kGENERIC;
- *out_mask_a = SSL_aGENERIC;
- return;
- }
-
uint32_t mask_k = 0;
uint32_t mask_a = 0;
@@ -759,7 +724,7 @@
return -1;
}
- /* Load the client random. */
+ hs->client_version = client_hello.version;
if (client_hello.random_len != SSL3_RANDOM_SIZE) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
return -1;
@@ -1083,7 +1048,7 @@
/* Determine the group to use. */
uint16_t group_id;
if (!tls1_get_shared_group(hs, &group_id)) {
- OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_TMP_ECDH_KEY);
+ OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
goto err;
}
@@ -1478,7 +1443,7 @@
/* The key exchange state may now be discarded. */
SSL_ECDH_CTX_cleanup(&hs->ecdh_ctx);
} else if (!(alg_k & SSL_kPSK)) {
- OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CIPHER_TYPE);
+ OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
goto err;
}
@@ -1487,7 +1452,7 @@
* pre-shared key. */
if (alg_a & SSL_aPSK) {
if (ssl->psk_server_callback == NULL) {
- OPENSSL_PUT_ERROR(SSL, SSL_R_PSK_NO_SERVER_CB);
+ OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
goto err;
}
diff --git a/src/ssl/internal.h b/src/ssl/internal.h
index d56c73b..f6cea7a 100644
--- a/src/ssl/internal.h
+++ b/src/ssl/internal.h
@@ -163,6 +163,57 @@
#endif
+typedef struct ssl_handshake_st SSL_HANDSHAKE;
+
+/* Protocol versions.
+ *
+ * Due to DTLS's historical wire version differences and to support multiple
+ * variants of the same protocol during development, we maintain two notions of
+ * version.
+ *
+ * The "version" or "wire version" is the actual 16-bit value that appears on
+ * the wire. It uniquely identifies a version and is also used at API
+ * boundaries. The set of supported versions differs between TLS and DTLS. Wire
+ * versions are opaque values and may not be compared numerically.
+ *
+ * The "protocol version" identifies the high-level handshake variant being
+ * used. DTLS versions map to the corresponding TLS versions. Draft TLS 1.3
+ * variants all map to TLS 1.3. Protocol versions are sequential and may be
+ * compared numerically. */
+
+/* ssl_protocol_version_from_wire sets |*out| to the protocol version
+ * corresponding to wire version |version| and returns one. If |version| is not
+ * a valid TLS or DTLS version, it returns zero.
+ *
+ * Note this simultaneously handles both DTLS and TLS. Use one of the
+ * higher-level functions below for most operations. */
+int ssl_protocol_version_from_wire(uint16_t *out, uint16_t version);
+
+/* ssl_get_version_range sets |*out_min_version| and |*out_max_version| to the
+ * minimum and maximum enabled protocol versions, respectively. */
+int ssl_get_version_range(const SSL *ssl, uint16_t *out_min_version,
+ uint16_t *out_max_version);
+
+/* ssl_supports_version returns one if |hs| supports |version| and zero
+ * otherwise. */
+int ssl_supports_version(SSL_HANDSHAKE *hs, uint16_t version);
+
+/* ssl_add_supported_versions writes the supported versions of |hs| to |cbb|, in
+ * decreasing preference order. */
+int ssl_add_supported_versions(SSL_HANDSHAKE *hs, CBB *cbb);
+
+/* ssl_negotiate_version negotiates a common version based on |hs|'s preferences
+ * and the peer preference list in |peer_versions|. On success, it returns one
+ * and sets |*out_version| to the selected version. Otherwise, it returns zero
+ * and sets |*out_alert| to an alert to send. */
+int ssl_negotiate_version(SSL_HANDSHAKE *hs, uint8_t *out_alert,
+ uint16_t *out_version, const CBS *peer_versions);
+
+/* ssl3_protocol_version returns |ssl|'s protocol version. It is an error to
+ * call this function before the version is determined. */
+uint16_t ssl3_protocol_version(const SSL *ssl);
+
+
/* Cipher suites. */
/* Bits for |algorithm_mkey| (key exchange algorithm). */
@@ -542,8 +593,6 @@
/* Private key operations. */
-typedef struct ssl_handshake_st SSL_HANDSHAKE;
-
/* ssl_has_private_key returns one if |ssl| has a private key
* configured and zero otherwise. */
int ssl_has_private_key(const SSL *ssl);
@@ -1414,17 +1463,6 @@
struct ssl_protocol_method_st {
/* is_dtls is one if the protocol is DTLS and zero otherwise. */
char is_dtls;
- /* min_version is the minimum implemented version. */
- uint16_t min_version;
- /* max_version is the maximum implemented version. */
- uint16_t max_version;
- /* version_from_wire maps |wire_version| to a protocol version. On success, it
- * sets |*out_version| to the result and returns one. If the version is
- * unknown, it returns zero. */
- int (*version_from_wire)(uint16_t *out_version, uint16_t wire_version);
- /* version_to_wire maps |version| to the wire representation. It is an error
- * to call it with an invalid version. */
- uint16_t (*version_to_wire)(uint16_t version);
int (*ssl_new)(SSL *ssl);
void (*ssl_free)(SSL *ssl);
/* ssl_get_message reads the next handshake message. On success, it returns
@@ -1846,7 +1884,7 @@
const SSL_PROTOCOL_METHOD *method;
/* version is the protocol version. */
- int version;
+ uint16_t version;
/* conf_max_version is the maximum acceptable protocol version configured by
* |SSL_set_max_proto_version|. Note this version is normalized in DTLS and is
@@ -2049,10 +2087,12 @@
int ssl_session_is_resumable(const SSL_HANDSHAKE *hs,
const SSL_SESSION *session);
-/* SSL_SESSION_get_digest returns the digest used in |session|. If the digest is
- * invalid, it returns NULL. */
-const EVP_MD *SSL_SESSION_get_digest(const SSL_SESSION *session,
- const SSL *ssl);
+/* SSL_SESSION_protocol_version returns the protocol version associated with
+ * |session|. */
+uint16_t SSL_SESSION_protocol_version(const SSL_SESSION *session);
+
+/* SSL_SESSION_get_digest returns the digest used in |session|. */
+const EVP_MD *SSL_SESSION_get_digest(const SSL_SESSION *session);
void ssl_set_session(SSL *ssl, SSL_SESSION *session);
@@ -2285,15 +2325,6 @@
/* ssl_can_read returns one if |ssl| is allowed to read and zero otherwise. */
int ssl_can_read(const SSL *ssl);
-/* ssl_get_version_range sets |*out_min_version| and |*out_max_version| to the
- * minimum and maximum enabled protocol versions, respectively. */
-int ssl_get_version_range(const SSL *ssl, uint16_t *out_min_version,
- uint16_t *out_max_version);
-
-/* ssl3_protocol_version returns |ssl|'s protocol version. It is an error to
- * call this function before the version is determined. */
-uint16_t ssl3_protocol_version(const SSL *ssl);
-
void ssl_get_current_time(const SSL *ssl, struct OPENSSL_timeval *out_clock);
/* ssl_reset_error_state resets state for |SSL_get_error|. */
diff --git a/src/ssl/ssl_asn1.c b/src/ssl/ssl_asn1.c
index f368ff2..cc6a559 100644
--- a/src/ssl/ssl_asn1.c
+++ b/src/ssl/ssl_asn1.c
@@ -576,10 +576,17 @@
CBS session;
uint64_t version, ssl_version;
+ uint16_t unused;
if (!CBS_get_asn1(cbs, &session, CBS_ASN1_SEQUENCE) ||
!CBS_get_asn1_uint64(&session, &version) ||
version != kVersion ||
- !CBS_get_asn1_uint64(&session, &ssl_version)) {
+ !CBS_get_asn1_uint64(&session, &ssl_version) ||
+ /* Require sessions have versions valid in either TLS or DTLS. The session
+ * will not be used by the handshake if not applicable, but, for
+ * simplicity, never parse a session that does not pass
+ * |ssl_protocol_version_from_wire|. */
+ ssl_version > UINT16_MAX ||
+ !ssl_protocol_version_from_wire(&unused, ssl_version)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
goto err;
}
diff --git a/src/ssl/ssl_cipher.c b/src/ssl/ssl_cipher.c
index 562c1f3..5d88878 100644
--- a/src/ssl/ssl_cipher.c
+++ b/src/ssl/ssl_cipher.c
@@ -1035,7 +1035,7 @@
uint32_t alg_mkey, alg_auth, alg_enc, alg_mac;
uint16_t min_version;
const char *l, *buf;
- int multi, skip_rule, rule, ok, in_group = 0, has_group = 0;
+ int multi, skip_rule, rule, in_group = 0, has_group = 0;
size_t j, buf_len;
uint32_t cipher_id;
char ch;
@@ -1082,10 +1082,7 @@
rule = CIPHER_SPECIAL;
l++;
} else if (ch == '[') {
- if (in_group) {
- OPENSSL_PUT_ERROR(SSL, SSL_R_NESTED_GROUP);
- return 0;
- }
+ assert(!in_group);
in_group = 1;
has_group = 1;
l++;
@@ -1185,15 +1182,11 @@
/* Ok, we have the rule, now apply it. */
if (rule == CIPHER_SPECIAL) {
- /* special command */
- ok = 0;
- if (buf_len == 8 && !strncmp(buf, "STRENGTH", 8)) {
- ok = ssl_cipher_strength_sort(head_p, tail_p);
- } else {
+ if (buf_len != 8 || strncmp(buf, "STRENGTH", 8) != 0) {
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND);
+ return 0;
}
-
- if (ok == 0) {
+ if (!ssl_cipher_strength_sort(head_p, tail_p)) {
return 0;
}
diff --git a/src/ssl/ssl_lib.c b/src/ssl/ssl_lib.c
index 1b002a5..109dfd0 100644
--- a/src/ssl/ssl_lib.c
+++ b/src/ssl/ssl_lib.c
@@ -978,60 +978,6 @@
return SSL_ERROR_SYSCALL;
}
-static int set_min_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
- uint16_t version) {
- /* Zero is interpreted as the default minimum version. */
- if (version == 0) {
- *out = method->min_version;
- /* SSL 3.0 is disabled unless explicitly enabled. */
- if (*out < TLS1_VERSION) {
- *out = TLS1_VERSION;
- }
- return 1;
- }
-
- if (version == TLS1_3_VERSION) {
- version = TLS1_3_DRAFT_VERSION;
- }
-
- return method->version_from_wire(out, version);
-}
-
-static int set_max_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
- uint16_t version) {
- /* Zero is interpreted as the default maximum version. */
- if (version == 0) {
- *out = method->max_version;
- /* TODO(svaldez): Enable TLS 1.3 by default once fully implemented. */
- if (*out > TLS1_2_VERSION) {
- *out = TLS1_2_VERSION;
- }
- return 1;
- }
-
- if (version == TLS1_3_VERSION) {
- version = TLS1_3_DRAFT_VERSION;
- }
-
- return method->version_from_wire(out, version);
-}
-
-int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, uint16_t version) {
- return set_min_version(ctx->method, &ctx->conf_min_version, version);
-}
-
-int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, uint16_t version) {
- return set_max_version(ctx->method, &ctx->conf_max_version, version);
-}
-
-int SSL_set_min_proto_version(SSL *ssl, uint16_t version) {
- return set_min_version(ssl->method, &ssl->conf_min_version, version);
-}
-
-int SSL_set_max_proto_version(SSL *ssl, uint16_t version) {
- return set_max_version(ssl->method, &ssl->conf_max_version, version);
-}
-
uint32_t SSL_CTX_set_options(SSL_CTX *ctx, uint32_t options) {
ctx->options |= options;
return ctx->options;
@@ -1901,43 +1847,6 @@
}
}
-static const char *ssl_get_version(int version) {
- switch (version) {
- /* Report TLS 1.3 draft version as TLS 1.3 in the public API. */
- case TLS1_3_DRAFT_VERSION:
- return "TLSv1.3";
-
- case TLS1_2_VERSION:
- return "TLSv1.2";
-
- case TLS1_1_VERSION:
- return "TLSv1.1";
-
- case TLS1_VERSION:
- return "TLSv1";
-
- case SSL3_VERSION:
- return "SSLv3";
-
- case DTLS1_VERSION:
- return "DTLSv1";
-
- case DTLS1_2_VERSION:
- return "DTLSv1.2";
-
- default:
- return "unknown";
- }
-}
-
-const char *SSL_get_version(const SSL *ssl) {
- return ssl_get_version(ssl->version);
-}
-
-const char *SSL_SESSION_get_version(const SSL_SESSION *session) {
- return ssl_get_version(session->ssl_version);
-}
-
EVP_PKEY *SSL_get_privatekey(const SSL *ssl) {
if (ssl->cert != NULL) {
return ssl->cert->privatekey;
@@ -2015,15 +1924,6 @@
return ret;
}
-int SSL_version(const SSL *ssl) {
- /* Report TLS 1.3 draft version as TLS 1.3 in the public API. */
- if (ssl->version == TLS1_3_DRAFT_VERSION) {
- return TLS1_3_VERSION;
- }
-
- return ssl->version;
-}
-
SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl) { return ssl->ctx; }
SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx) {
@@ -2329,102 +2229,6 @@
cipher->algorithm_mac == SSL_AEAD;
}
-const struct {
- uint16_t version;
- uint32_t flag;
-} kVersions[] = {
- {SSL3_VERSION, SSL_OP_NO_SSLv3},
- {TLS1_VERSION, SSL_OP_NO_TLSv1},
- {TLS1_1_VERSION, SSL_OP_NO_TLSv1_1},
- {TLS1_2_VERSION, SSL_OP_NO_TLSv1_2},
- {TLS1_3_VERSION, SSL_OP_NO_TLSv1_3},
-};
-
-static const size_t kVersionsLen = OPENSSL_ARRAY_SIZE(kVersions);
-
-int ssl_get_version_range(const SSL *ssl, uint16_t *out_min_version,
- uint16_t *out_max_version) {
- /* For historical reasons, |SSL_OP_NO_DTLSv1| aliases |SSL_OP_NO_TLSv1|, but
- * DTLS 1.0 should be mapped to TLS 1.1. */
- uint32_t options = ssl->options;
- if (SSL_is_dtls(ssl)) {
- options &= ~SSL_OP_NO_TLSv1_1;
- if (options & SSL_OP_NO_DTLSv1) {
- options |= SSL_OP_NO_TLSv1_1;
- }
- }
-
- uint16_t min_version = ssl->conf_min_version;
- uint16_t max_version = ssl->conf_max_version;
-
- /* Bound the range to only those implemented in this protocol. */
- if (min_version < ssl->method->min_version) {
- min_version = ssl->method->min_version;
- }
- if (max_version > ssl->method->max_version) {
- max_version = ssl->method->max_version;
- }
-
- /* OpenSSL's API for controlling versions entails blacklisting individual
- * protocols. This has two problems. First, on the client, the protocol can
- * only express a contiguous range of versions. Second, a library consumer
- * trying to set a maximum version cannot disable protocol versions that get
- * added in a future version of the library.
- *
- * To account for both of these, OpenSSL interprets the client-side bitmask
- * as a min/max range by picking the lowest contiguous non-empty range of
- * enabled protocols. Note that this means it is impossible to set a maximum
- * version of the higest supported TLS version in a future-proof way. */
- int any_enabled = 0;
- for (size_t i = 0; i < kVersionsLen; i++) {
- /* Only look at the versions already enabled. */
- if (min_version > kVersions[i].version) {
- continue;
- }
- if (max_version < kVersions[i].version) {
- break;
- }
-
- if (!(options & kVersions[i].flag)) {
- /* The minimum version is the first enabled version. */
- if (!any_enabled) {
- any_enabled = 1;
- min_version = kVersions[i].version;
- }
- continue;
- }
-
- /* If there is a disabled version after the first enabled one, all versions
- * after it are implicitly disabled. */
- if (any_enabled) {
- max_version = kVersions[i-1].version;
- break;
- }
- }
-
- if (!any_enabled) {
- OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SUPPORTED_VERSIONS_ENABLED);
- return 0;
- }
-
- *out_min_version = min_version;
- *out_max_version = max_version;
- return 1;
-}
-
-uint16_t ssl3_protocol_version(const SSL *ssl) {
- assert(ssl->s3->have_version);
- uint16_t version;
- if (!ssl->method->version_from_wire(&version, ssl->version)) {
- /* TODO(davidben): Use the internal version representation for ssl->version
- * and map to the public API representation at API boundaries. */
- assert(0);
- return 0;
- }
-
- return version;
-}
-
int SSL_is_server(const SSL *ssl) { return ssl->server; }
int SSL_is_dtls(const SSL *ssl) { return ssl->method->is_dtls; }
diff --git a/src/ssl/ssl_session.c b/src/ssl/ssl_session.c
index f025364..3e2c9f4 100644
--- a/src/ssl/ssl_session.c
+++ b/src/ssl/ssl_session.c
@@ -505,14 +505,21 @@
return CRYPTO_get_ex_data(&session->ex_data, idx);
}
-const EVP_MD *SSL_SESSION_get_digest(const SSL_SESSION *session,
- const SSL *ssl) {
- uint16_t version;
- if (!ssl->method->version_from_wire(&version, session->ssl_version)) {
- return NULL;
+uint16_t SSL_SESSION_protocol_version(const SSL_SESSION *session) {
+ uint16_t ret;
+ if (!ssl_protocol_version_from_wire(&ret, session->ssl_version)) {
+ /* An |SSL_SESSION| will never have an invalid version. This is enforced by
+ * the parser. */
+ assert(0);
+ return 0;
}
- return ssl_get_handshake_digest(session->cipher->algorithm_prf, version);
+ return ret;
+}
+
+const EVP_MD *SSL_SESSION_get_digest(const SSL_SESSION *session) {
+ return ssl_get_handshake_digest(session->cipher->algorithm_prf,
+ SSL_SESSION_protocol_version(session));
}
int ssl_get_new_session(SSL_HANDSHAKE *hs, int is_server) {
@@ -952,7 +959,6 @@
}
if (ret) {
- found_session->not_resumable = 1;
if (ctx->remove_session_cb != NULL) {
ctx->remove_session_cb(ctx, found_session);
}
@@ -1031,7 +1037,6 @@
* save on locking overhead */
(void) lh_SSL_SESSION_delete(param->cache, session);
SSL_SESSION_list_remove(param->ctx, session);
- session->not_resumable = 1;
if (param->ctx->remove_session_cb != NULL) {
param->ctx->remove_session_cb(param->ctx, session);
}
diff --git a/src/ssl/ssl_test.cc b/src/ssl/ssl_test.cc
index 84b7496..2c648ac 100644
--- a/src/ssl/ssl_test.cc
+++ b/src/ssl/ssl_test.cc
@@ -180,7 +180,7 @@
// Standard names may be used instead of OpenSSL names.
{
"[TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|"
- "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256]:"
+ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256]:"
"[TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256]:"
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
{
@@ -214,6 +214,32 @@
},
false,
},
+ // Additional masks after @STRENGTH get silently discarded.
+ //
+ // TODO(davidben): Make this an error. If not silently discarded, they get
+ // interpreted as + opcodes which are very different.
+ {
+ "ECDHE-RSA-AES128-GCM-SHA256:"
+ "ECDHE-RSA-AES256-GCM-SHA384:"
+ "@STRENGTH+AES256",
+ {
+ {TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 0},
+ {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
+ },
+ false,
+ },
+ {
+ "ECDHE-RSA-AES128-GCM-SHA256:"
+ "ECDHE-RSA-AES256-GCM-SHA384:"
+ "@STRENGTH+AES256:"
+ "ECDHE-RSA-CHACHA20-POLY1305",
+ {
+ {TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 0},
+ {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
+ {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
+ },
+ false,
+ },
// Exact ciphers may not be used in multi-part rules; they are treated
// as unknown aliases.
{
@@ -2567,6 +2593,10 @@
EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_3_VERSION));
EXPECT_EQ(TLS1_3_VERSION, ctx->conf_max_version);
+ // TLS1_3_DRAFT_VERSION is not an API-level version.
+ EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_3_DRAFT_VERSION));
+ ERR_clear_error();
+
ctx.reset(SSL_CTX_new(DTLS_method()));
ASSERT_TRUE(ctx);
diff --git a/src/ssl/ssl_versions.c b/src/ssl/ssl_versions.c
new file mode 100644
index 0000000..5d92771
--- /dev/null
+++ b/src/ssl/ssl_versions.c
@@ -0,0 +1,343 @@
+/* Copyright (c) 2017, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include <openssl/ssl.h>
+
+#include <assert.h>
+
+#include <openssl/bytestring.h>
+#include <openssl/err.h>
+
+#include "internal.h"
+#include "../crypto/internal.h"
+
+
+int ssl_protocol_version_from_wire(uint16_t *out, uint16_t version) {
+ switch (version) {
+ case SSL3_VERSION:
+ case TLS1_VERSION:
+ case TLS1_1_VERSION:
+ case TLS1_2_VERSION:
+ *out = version;
+ return 1;
+
+ case TLS1_3_DRAFT_VERSION:
+ *out = TLS1_3_VERSION;
+ return 1;
+
+ case DTLS1_VERSION:
+ /* DTLS 1.0 is analogous to TLS 1.1, not TLS 1.0. */
+ *out = TLS1_1_VERSION;
+ return 1;
+
+ case DTLS1_2_VERSION:
+ *out = TLS1_2_VERSION;
+ return 1;
+
+ default:
+ return 0;
+ }
+}
+
+/* The follow arrays are the supported versions for TLS and DTLS, in order of
+ * decreasing preference. */
+
+static const uint16_t kTLSVersions[] = {
+ TLS1_3_DRAFT_VERSION,
+ TLS1_2_VERSION,
+ TLS1_1_VERSION,
+ TLS1_VERSION,
+ SSL3_VERSION,
+};
+
+static const uint16_t kDTLSVersions[] = {
+ DTLS1_2_VERSION,
+ DTLS1_VERSION,
+};
+
+static void get_method_versions(const SSL_PROTOCOL_METHOD *method,
+ const uint16_t **out, size_t *out_num) {
+ if (method->is_dtls) {
+ *out = kDTLSVersions;
+ *out_num = OPENSSL_ARRAY_SIZE(kDTLSVersions);
+ } else {
+ *out = kTLSVersions;
+ *out_num = OPENSSL_ARRAY_SIZE(kTLSVersions);
+ }
+}
+
+static int method_supports_version(const SSL_PROTOCOL_METHOD *method,
+ uint16_t version) {
+ const uint16_t *versions;
+ size_t num_versions;
+ get_method_versions(method, &versions, &num_versions);
+ for (size_t i = 0; i < num_versions; i++) {
+ if (versions[i] == version) {
+ return 1;
+ }
+ }
+ return 0;
+}
+
+static int set_version_bound(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
+ uint16_t version) {
+ /* The public API uses wire versions, except we use |TLS1_3_VERSION|
+ * everywhere to refer to any draft TLS 1.3 versions. In this direction, we
+ * map it to some representative TLS 1.3 draft version. */
+ if (version == TLS1_3_DRAFT_VERSION) {
+ OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_SSL_VERSION);
+ return 0;
+ }
+ if (version == TLS1_3_VERSION) {
+ version = TLS1_3_DRAFT_VERSION;
+ }
+
+ if (!method_supports_version(method, version) ||
+ !ssl_protocol_version_from_wire(out, version)) {
+ OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_SSL_VERSION);
+ return 0;
+ }
+
+ return 1;
+}
+
+static int set_min_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
+ uint16_t version) {
+ /* Zero is interpreted as the default minimum version. */
+ if (version == 0) {
+ /* SSL 3.0 is disabled by default and TLS 1.0 does not exist in DTLS. */
+ *out = method->is_dtls ? TLS1_1_VERSION : TLS1_VERSION;
+ return 1;
+ }
+
+ return set_version_bound(method, out, version);
+}
+
+static int set_max_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
+ uint16_t version) {
+ /* Zero is interpreted as the default maximum version. */
+ if (version == 0) {
+ *out = TLS1_2_VERSION;
+ return 1;
+ }
+
+ return set_version_bound(method, out, version);
+}
+
+int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, uint16_t version) {
+ return set_min_version(ctx->method, &ctx->conf_min_version, version);
+}
+
+int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, uint16_t version) {
+ return set_max_version(ctx->method, &ctx->conf_max_version, version);
+}
+
+int SSL_set_min_proto_version(SSL *ssl, uint16_t version) {
+ return set_min_version(ssl->method, &ssl->conf_min_version, version);
+}
+
+int SSL_set_max_proto_version(SSL *ssl, uint16_t version) {
+ return set_max_version(ssl->method, &ssl->conf_max_version, version);
+}
+
+const struct {
+ uint16_t version;
+ uint32_t flag;
+} kProtocolVersions[] = {
+ {SSL3_VERSION, SSL_OP_NO_SSLv3},
+ {TLS1_VERSION, SSL_OP_NO_TLSv1},
+ {TLS1_1_VERSION, SSL_OP_NO_TLSv1_1},
+ {TLS1_2_VERSION, SSL_OP_NO_TLSv1_2},
+ {TLS1_3_VERSION, SSL_OP_NO_TLSv1_3},
+};
+
+int ssl_get_version_range(const SSL *ssl, uint16_t *out_min_version,
+ uint16_t *out_max_version) {
+ /* For historical reasons, |SSL_OP_NO_DTLSv1| aliases |SSL_OP_NO_TLSv1|, but
+ * DTLS 1.0 should be mapped to TLS 1.1. */
+ uint32_t options = ssl->options;
+ if (SSL_is_dtls(ssl)) {
+ options &= ~SSL_OP_NO_TLSv1_1;
+ if (options & SSL_OP_NO_DTLSv1) {
+ options |= SSL_OP_NO_TLSv1_1;
+ }
+ }
+
+ uint16_t min_version = ssl->conf_min_version;
+ uint16_t max_version = ssl->conf_max_version;
+
+ /* OpenSSL's API for controlling versions entails blacklisting individual
+ * protocols. This has two problems. First, on the client, the protocol can
+ * only express a contiguous range of versions. Second, a library consumer
+ * trying to set a maximum version cannot disable protocol versions that get
+ * added in a future version of the library.
+ *
+ * To account for both of these, OpenSSL interprets the client-side bitmask
+ * as a min/max range by picking the lowest contiguous non-empty range of
+ * enabled protocols. Note that this means it is impossible to set a maximum
+ * version of the higest supported TLS version in a future-proof way. */
+ int any_enabled = 0;
+ for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kProtocolVersions); i++) {
+ /* Only look at the versions already enabled. */
+ if (min_version > kProtocolVersions[i].version) {
+ continue;
+ }
+ if (max_version < kProtocolVersions[i].version) {
+ break;
+ }
+
+ if (!(options & kProtocolVersions[i].flag)) {
+ /* The minimum version is the first enabled version. */
+ if (!any_enabled) {
+ any_enabled = 1;
+ min_version = kProtocolVersions[i].version;
+ }
+ continue;
+ }
+
+ /* If there is a disabled version after the first enabled one, all versions
+ * after it are implicitly disabled. */
+ if (any_enabled) {
+ max_version = kProtocolVersions[i-1].version;
+ break;
+ }
+ }
+
+ if (!any_enabled) {
+ OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SUPPORTED_VERSIONS_ENABLED);
+ return 0;
+ }
+
+ *out_min_version = min_version;
+ *out_max_version = max_version;
+ return 1;
+}
+
+static uint16_t ssl_version(const SSL *ssl) {
+ /* In early data, we report the predicted version. */
+ if (SSL_in_early_data(ssl) && !ssl->server) {
+ return ssl->s3->hs->early_session->ssl_version;
+ }
+ return ssl->version;
+}
+
+int SSL_version(const SSL *ssl) {
+ uint16_t ret = ssl_version(ssl);
+ /* Report TLS 1.3 draft version as TLS 1.3 in the public API. */
+ if (ret == TLS1_3_DRAFT_VERSION) {
+ return TLS1_3_VERSION;
+ }
+ return ret;
+}
+
+static const char *ssl_get_version(int version) {
+ switch (version) {
+ /* Report TLS 1.3 draft version as TLS 1.3 in the public API. */
+ case TLS1_3_DRAFT_VERSION:
+ return "TLSv1.3";
+
+ case TLS1_2_VERSION:
+ return "TLSv1.2";
+
+ case TLS1_1_VERSION:
+ return "TLSv1.1";
+
+ case TLS1_VERSION:
+ return "TLSv1";
+
+ case SSL3_VERSION:
+ return "SSLv3";
+
+ case DTLS1_VERSION:
+ return "DTLSv1";
+
+ case DTLS1_2_VERSION:
+ return "DTLSv1.2";
+
+ default:
+ return "unknown";
+ }
+}
+
+const char *SSL_get_version(const SSL *ssl) {
+ return ssl_get_version(ssl_version(ssl));
+}
+
+const char *SSL_SESSION_get_version(const SSL_SESSION *session) {
+ return ssl_get_version(session->ssl_version);
+}
+
+uint16_t ssl3_protocol_version(const SSL *ssl) {
+ assert(ssl->s3->have_version);
+ uint16_t version;
+ if (!ssl_protocol_version_from_wire(&version, ssl->version)) {
+ /* |ssl->version| will always be set to a valid version. */
+ assert(0);
+ return 0;
+ }
+
+ return version;
+}
+
+int ssl_supports_version(SSL_HANDSHAKE *hs, uint16_t version) {
+ uint16_t protocol_version;
+ return method_supports_version(hs->ssl->method, version) &&
+ ssl_protocol_version_from_wire(&protocol_version, version) &&
+ hs->min_version <= protocol_version &&
+ protocol_version <= hs->max_version;
+}
+
+int ssl_add_supported_versions(SSL_HANDSHAKE *hs, CBB *cbb) {
+ const uint16_t *versions;
+ size_t num_versions;
+ get_method_versions(hs->ssl->method, &versions, &num_versions);
+ for (size_t i = 0; i < num_versions; i++) {
+ if (ssl_supports_version(hs, versions[i]) &&
+ !CBB_add_u16(cbb, versions[i])) {
+ return 0;
+ }
+ }
+ return 1;
+}
+
+int ssl_negotiate_version(SSL_HANDSHAKE *hs, uint8_t *out_alert,
+ uint16_t *out_version, const CBS *peer_versions) {
+ const uint16_t *versions;
+ size_t num_versions;
+ get_method_versions(hs->ssl->method, &versions, &num_versions);
+ for (size_t i = 0; i < num_versions; i++) {
+ if (!ssl_supports_version(hs, versions[i])) {
+ continue;
+ }
+
+ CBS copy = *peer_versions;
+ while (CBS_len(©) != 0) {
+ uint16_t version;
+ if (!CBS_get_u16(©, &version)) {
+ OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
+ *out_alert = SSL_AD_DECODE_ERROR;
+ return 0;
+ }
+
+ if (version == versions[i]) {
+ *out_version = version;
+ return 1;
+ }
+ }
+ }
+
+ OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_PROTOCOL);
+ *out_alert = SSL_AD_PROTOCOL_VERSION;
+ return 0;
+}
diff --git a/src/ssl/t1_lib.c b/src/ssl/t1_lib.c
index 1b14371..8e858c4 100644
--- a/src/ssl/t1_lib.c
+++ b/src/ssl/t1_lib.c
@@ -799,16 +799,24 @@
}
const uint8_t *d = CBS_data(&renegotiated_connection);
- if (CRYPTO_memcmp(d, ssl->s3->previous_client_finished,
- ssl->s3->previous_client_finished_len)) {
+ int ok = CRYPTO_memcmp(d, ssl->s3->previous_client_finished,
+ ssl->s3->previous_client_finished_len) == 0;
+#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
+ ok = 1;
+#endif
+ if (!ok) {
OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH);
*out_alert = SSL_AD_HANDSHAKE_FAILURE;
return 0;
}
d += ssl->s3->previous_client_finished_len;
- if (CRYPTO_memcmp(d, ssl->s3->previous_server_finished,
- ssl->s3->previous_server_finished_len)) {
+ ok = CRYPTO_memcmp(d, ssl->s3->previous_server_finished,
+ ssl->s3->previous_server_finished_len) == 0;
+#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
+ ok = 1;
+#endif
+ if (!ok) {
OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH);
*out_alert = SSL_AD_ILLEGAL_PARAMETER;
return 0;
@@ -970,14 +978,11 @@
* advertise the extension to avoid potentially breaking servers which carry
* over the state from the previous handshake, such as OpenSSL servers
* without upstream's 3c3f0259238594d77264a78944d409f2127642c4. */
- uint16_t session_version;
if (!ssl->s3->initial_handshake_complete &&
ssl->session != NULL &&
ssl->session->tlsext_tick != NULL &&
/* Don't send TLS 1.3 session tickets in the ticket extension. */
- ssl->method->version_from_wire(&session_version,
- ssl->session->ssl_version) &&
- session_version < TLS1_3_VERSION) {
+ SSL_SESSION_protocol_version(ssl->session) < TLS1_3_VERSION) {
ticket_data = ssl->session->tlsext_tick;
ticket_len = ssl->session->tlsext_ticklen;
}
@@ -1863,31 +1868,19 @@
static size_t ext_pre_shared_key_clienthello_length(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
- uint16_t session_version;
if (hs->max_version < TLS1_3_VERSION || ssl->session == NULL ||
- !ssl->method->version_from_wire(&session_version,
- ssl->session->ssl_version) ||
- session_version < TLS1_3_VERSION) {
+ SSL_SESSION_protocol_version(ssl->session) < TLS1_3_VERSION) {
return 0;
}
- const EVP_MD *digest = SSL_SESSION_get_digest(ssl->session, ssl);
- if (digest == NULL) {
- OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
- return 0;
- }
-
- size_t binder_len = EVP_MD_size(digest);
+ size_t binder_len = EVP_MD_size(SSL_SESSION_get_digest(ssl->session));
return 15 + ssl->session->tlsext_ticklen + binder_len;
}
static int ext_pre_shared_key_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
SSL *const ssl = hs->ssl;
- uint16_t session_version;
if (hs->max_version < TLS1_3_VERSION || ssl->session == NULL ||
- !ssl->method->version_from_wire(&session_version,
- ssl->session->ssl_version) ||
- session_version < TLS1_3_VERSION) {
+ SSL_SESSION_protocol_version(ssl->session) < TLS1_3_VERSION) {
return 1;
}
@@ -1899,14 +1892,7 @@
/* Fill in a placeholder zero binder of the appropriate length. It will be
* computed and filled in later after length prefixes are computed. */
uint8_t zero_binder[EVP_MAX_MD_SIZE] = {0};
-
- const EVP_MD *digest = SSL_SESSION_get_digest(ssl->session, ssl);
- if (digest == NULL) {
- OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
- return 0;
- }
-
- size_t binder_len = EVP_MD_size(digest);
+ size_t binder_len = EVP_MD_size(SSL_SESSION_get_digest(ssl->session));
CBB contents, identity, ticket, binders, binder;
if (!CBB_add_u16(out, TLSEXT_TYPE_pre_shared_key) ||
@@ -2071,11 +2057,8 @@
static int ext_early_data_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
SSL *const ssl = hs->ssl;
- uint16_t session_version;
if (ssl->session == NULL ||
- !ssl->method->version_from_wire(&session_version,
- ssl->session->ssl_version) ||
- session_version < TLS1_3_VERSION ||
+ SSL_SESSION_protocol_version(ssl->session) < TLS1_3_VERSION ||
ssl->session->ticket_max_early_data == 0 ||
hs->received_hello_retry_request ||
!ssl->cert->enable_early_data) {
@@ -2375,14 +2358,8 @@
return 0;
}
- for (uint16_t version = hs->max_version; version >= hs->min_version;
- version--) {
- if (!CBB_add_u16(&versions, ssl->method->version_to_wire(version))) {
- return 0;
- }
- }
-
- if (!CBB_flush(out)) {
+ if (!ssl_add_supported_versions(hs, &versions) ||
+ !CBB_flush(out)) {
return 0;
}
diff --git a/src/ssl/test/bssl_shim.cc b/src/ssl/test/bssl_shim.cc
index 3cb2856..6d3e6d1 100644
--- a/src/ssl/test/bssl_shim.cc
+++ b/src/ssl/test/bssl_shim.cc
@@ -62,6 +62,7 @@
#include "../../crypto/internal.h"
#include "../internal.h"
#include "async_bio.h"
+#include "fuzzer.h"
#include "packeted_bio.h"
#include "test_config.h"
@@ -1371,6 +1372,13 @@
return false;
}
+ if (config->expect_version != 0 &&
+ SSL_version(ssl) != config->expect_version) {
+ fprintf(stderr, "want version %04x, got %04x\n", config->expect_version,
+ SSL_version(ssl));
+ return false;
+ }
+
bool expect_resume =
is_resume && (!config->expect_session_miss || SSL_in_early_data(ssl));
if (!!SSL_session_reused(ssl) != expect_resume) {
@@ -1645,6 +1653,61 @@
return true;
}
+static bool WriteSettings(int i, const TestConfig *config,
+ const SSL_SESSION *session) {
+ if (config->write_settings.empty()) {
+ return true;
+ }
+
+ // Treat write_settings as a path prefix for each connection in the run.
+ char buf[DECIMAL_SIZE(int)];
+ snprintf(buf, sizeof(buf), "%d", i);
+ std::string path = config->write_settings + buf;
+
+ bssl::ScopedCBB cbb;
+ if (!CBB_init(cbb.get(), 64)) {
+ return false;
+ }
+
+ if (session != nullptr) {
+ uint8_t *data;
+ size_t len;
+ if (!SSL_SESSION_to_bytes(session, &data, &len)) {
+ return false;
+ }
+ bssl::UniquePtr<uint8_t> free_data(data);
+ CBB child;
+ if (!CBB_add_u16(cbb.get(), kSessionTag) ||
+ !CBB_add_u24_length_prefixed(cbb.get(), &child) ||
+ !CBB_add_bytes(&child, data, len) ||
+ !CBB_flush(cbb.get())) {
+ return false;
+ }
+ }
+
+ if (config->is_server &&
+ (config->require_any_client_certificate || config->verify_peer) &&
+ !CBB_add_u16(cbb.get(), kRequestClientCert)) {
+ return false;
+ }
+
+ uint8_t *settings;
+ size_t settings_len;
+ if (!CBB_add_u16(cbb.get(), kDataTag) ||
+ !CBB_finish(cbb.get(), &settings, &settings_len)) {
+ return false;
+ }
+ bssl::UniquePtr<uint8_t> free_settings(settings);
+
+ using ScopedFILE = std::unique_ptr<FILE, decltype(&fclose)>;
+ ScopedFILE file(fopen(path.c_str(), "w"), fclose);
+ if (!file) {
+ return false;
+ }
+
+ return fwrite(settings, settings_len, 1, file.get()) == 1;
+}
+
static bool DoExchange(bssl::UniquePtr<SSL_SESSION> *out_session, SSL *ssl,
const TestConfig *config, bool is_resume, bool is_retry);
@@ -1683,12 +1746,20 @@
SSL_set_cert_cb(ssl.get(), CertCallback, nullptr);
}
if (config->require_any_client_certificate) {
- SSL_set_verify(ssl.get(), SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
+ SSL_set_verify(ssl.get(), SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
NULL);
}
if (config->verify_peer) {
SSL_set_verify(ssl.get(), SSL_VERIFY_PEER, NULL);
}
+ if (config->verify_peer_if_no_obc) {
+ // Set SSL_VERIFY_FAIL_IF_NO_PEER_CERT so testing whether client
+ // certificates were requested is easy.
+ SSL_set_verify(ssl.get(),
+ SSL_VERIFY_PEER | SSL_VERIFY_PEER_IF_NO_OBC |
+ SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
+ NULL);
+ }
if (config->false_start) {
SSL_set_mode(ssl.get(), SSL_MODE_ENABLE_FALSE_START);
}
@@ -2227,6 +2298,10 @@
}
bssl::UniquePtr<SSL_SESSION> offer_session = std::move(session);
+ if (!WriteSettings(i, config, offer_session.get())) {
+ fprintf(stderr, "Error writing settings.\n");
+ return 1;
+ }
if (!DoConnection(&session, ssl_ctx.get(), config, &retry_config, is_resume,
offer_session.get())) {
fprintf(stderr, "Connection %d failed.\n", i + 1);
diff --git a/src/ssl/test/fuzzer.h b/src/ssl/test/fuzzer.h
new file mode 100644
index 0000000..2f81653
--- /dev/null
+++ b/src/ssl/test/fuzzer.h
@@ -0,0 +1,271 @@
+/* Copyright (c) 2017, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#ifndef HEADER_SSL_TEST_FUZZER
+#define HEADER_SSL_TEST_FUZZER
+
+#include <openssl/bytestring.h>
+#include <openssl/ssl.h>
+
+
+// SSL fuzzer utilities.
+//
+// The TLS client and server fuzzers coordinate with bssl_shim on a common
+// format to encode configuration parameters in a fuzzer file. To add a new
+// configuration, define a tag, update |SetupTest| below to parse it, and
+// update |WriteSettings| in bssl_shim to serialize it. Finally, record
+// transcripts from a test run, and use the BORINGSSL_FUZZER_DEBUG environment
+// variable to confirm the transcripts are compatible.
+
+// kDataTag denotes that the remainder of the input should be passed to the TLS
+// stack.
+static const uint16_t kDataTag = 0;
+
+// kSessionTag is followed by a u24-length-prefixed serialized SSL_SESSION to
+// resume.
+static const uint16_t kSessionTag = 1;
+
+// kRequestClientCert denotes that the server should request client
+// certificates.
+static const uint16_t kRequestClientCert = 2;
+
+// SetupTest parses parameters from |cbs| and returns a newly-configured |SSL|
+// object or nullptr on error. On success, the caller should feed the remaining
+// input in |cbs| to the SSL stack.
+static inline bssl::UniquePtr<SSL> SetupTest(CBS *cbs, SSL_CTX *ctx,
+ bool is_server) {
+ // Clear any sessions saved in |ctx| from the previous run.
+ SSL_CTX_flush_sessions(ctx, 0);
+
+ bssl::UniquePtr<SSL> ssl(SSL_new(ctx));
+ if (is_server) {
+ SSL_set_accept_state(ssl.get());
+ } else {
+ SSL_set_connect_state(ssl.get());
+ }
+
+ for (;;) {
+ uint16_t tag;
+ if (!CBS_get_u16(cbs, &tag)) {
+ return nullptr;
+ }
+ switch (tag) {
+ case kDataTag:
+ return ssl;
+
+ case kSessionTag: {
+ CBS data;
+ if (!CBS_get_u24_length_prefixed(cbs, &data)) {
+ return nullptr;
+ }
+ bssl::UniquePtr<SSL_SESSION> session(
+ SSL_SESSION_from_bytes(CBS_data(&data), CBS_len(&data), ctx));
+ if (!session) {
+ return nullptr;
+ }
+
+ if (is_server) {
+ SSL_CTX_add_session(ctx, session.get());
+ } else {
+ SSL_set_session(ssl.get(), session.get());
+ }
+ break;
+ }
+
+ case kRequestClientCert:
+ if (!is_server) {
+ return nullptr;
+ }
+ SSL_set_verify(ssl.get(), SSL_VERIFY_PEER, nullptr);
+ break;
+ }
+ }
+}
+
+
+// Additional shared constants.
+
+static const uint8_t kCertificateDER[] = {
+ 0x30, 0x82, 0x02, 0xff, 0x30, 0x82, 0x01, 0xe7, 0xa0, 0x03, 0x02, 0x01,
+ 0x02, 0x02, 0x11, 0x00, 0xb1, 0x84, 0xee, 0x34, 0x99, 0x98, 0x76, 0xfb,
+ 0x6f, 0xb2, 0x15, 0xc8, 0x47, 0x79, 0x05, 0x9b, 0x30, 0x0d, 0x06, 0x09,
+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30,
+ 0x12, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x07,
+ 0x41, 0x63, 0x6d, 0x65, 0x20, 0x43, 0x6f, 0x30, 0x1e, 0x17, 0x0d, 0x31,
+ 0x35, 0x31, 0x31, 0x30, 0x37, 0x30, 0x30, 0x32, 0x34, 0x35, 0x36, 0x5a,
+ 0x17, 0x0d, 0x31, 0x36, 0x31, 0x31, 0x30, 0x36, 0x30, 0x30, 0x32, 0x34,
+ 0x35, 0x36, 0x5a, 0x30, 0x12, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55,
+ 0x04, 0x0a, 0x13, 0x07, 0x41, 0x63, 0x6d, 0x65, 0x20, 0x43, 0x6f, 0x30,
+ 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
+ 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30,
+ 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xce, 0x47, 0xcb, 0x11,
+ 0xbb, 0xd2, 0x9d, 0x8e, 0x9e, 0xd2, 0x1e, 0x14, 0xaf, 0xc7, 0xea, 0xb6,
+ 0xc9, 0x38, 0x2a, 0x6f, 0xb3, 0x7e, 0xfb, 0xbc, 0xfc, 0x59, 0x42, 0xb9,
+ 0x56, 0xf0, 0x4c, 0x3f, 0xf7, 0x31, 0x84, 0xbe, 0xac, 0x03, 0x9e, 0x71,
+ 0x91, 0x85, 0xd8, 0x32, 0xbd, 0x00, 0xea, 0xac, 0x65, 0xf6, 0x03, 0xc8,
+ 0x0f, 0x8b, 0xfd, 0x6e, 0x58, 0x88, 0x04, 0x41, 0x92, 0x74, 0xa6, 0x57,
+ 0x2e, 0x8e, 0x88, 0xd5, 0x3d, 0xda, 0x14, 0x3e, 0x63, 0x88, 0x22, 0xe3,
+ 0x53, 0xe9, 0xba, 0x39, 0x09, 0xac, 0xfb, 0xd0, 0x4c, 0xf2, 0x3c, 0x20,
+ 0xd6, 0x97, 0xe6, 0xed, 0xf1, 0x62, 0x1e, 0xe5, 0xc9, 0x48, 0xa0, 0xca,
+ 0x2e, 0x3c, 0x14, 0x5a, 0x82, 0xd4, 0xed, 0xb1, 0xe3, 0x43, 0xc1, 0x2a,
+ 0x59, 0xa5, 0xb9, 0xc8, 0x48, 0xa7, 0x39, 0x23, 0x74, 0xa7, 0x37, 0xb0,
+ 0x6f, 0xc3, 0x64, 0x99, 0x6c, 0xa2, 0x82, 0xc8, 0xf6, 0xdb, 0x86, 0x40,
+ 0xce, 0xd1, 0x85, 0x9f, 0xce, 0x69, 0xf4, 0x15, 0x2a, 0x23, 0xca, 0xea,
+ 0xb7, 0x7b, 0xdf, 0xfb, 0x43, 0x5f, 0xff, 0x7a, 0x49, 0x49, 0x0e, 0xe7,
+ 0x02, 0x51, 0x45, 0x13, 0xe8, 0x90, 0x64, 0x21, 0x0c, 0x26, 0x2b, 0x5d,
+ 0xfc, 0xe4, 0xb5, 0x86, 0x89, 0x43, 0x22, 0x4c, 0xf3, 0x3b, 0xf3, 0x09,
+ 0xc4, 0xa4, 0x10, 0x80, 0xf2, 0x46, 0xe2, 0x46, 0x8f, 0x76, 0x50, 0xbf,
+ 0xaf, 0x2b, 0x90, 0x1b, 0x78, 0xc7, 0xcf, 0xc1, 0x77, 0xd0, 0xfb, 0xa9,
+ 0xfb, 0xc9, 0x66, 0x5a, 0xc5, 0x9b, 0x31, 0x41, 0x67, 0x01, 0xbe, 0x33,
+ 0x10, 0xba, 0x05, 0x58, 0xed, 0x76, 0x53, 0xde, 0x5d, 0xc1, 0xe8, 0xbb,
+ 0x9f, 0xf1, 0xcd, 0xfb, 0xdf, 0x64, 0x7f, 0xd7, 0x18, 0xab, 0x0f, 0x94,
+ 0x28, 0x95, 0x4a, 0xcc, 0x6a, 0xa9, 0x50, 0xc7, 0x05, 0x47, 0x10, 0x41,
+ 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x50, 0x30, 0x4e, 0x30, 0x0e, 0x06,
+ 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, 0x05,
+ 0xa0, 0x30, 0x13, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x04, 0x0c, 0x30, 0x0a,
+ 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01, 0x30, 0x0c,
+ 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x02, 0x30, 0x00,
+ 0x30, 0x19, 0x06, 0x03, 0x55, 0x1d, 0x11, 0x04, 0x12, 0x30, 0x10, 0x82,
+ 0x0e, 0x66, 0x75, 0x7a, 0x7a, 0x2e, 0x62, 0x6f, 0x72, 0x69, 0x6e, 0x67,
+ 0x73, 0x73, 0x6c, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
+ 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x92,
+ 0xde, 0xef, 0x96, 0x06, 0x7b, 0xff, 0x71, 0x7d, 0x4e, 0xa0, 0x7d, 0xae,
+ 0xb8, 0x22, 0xb4, 0x2c, 0xf7, 0x96, 0x9c, 0x37, 0x1d, 0x8f, 0xe7, 0xd9,
+ 0x47, 0xff, 0x3f, 0xe9, 0x35, 0x95, 0x0e, 0xdd, 0xdc, 0x7f, 0xc8, 0x8a,
+ 0x1e, 0x36, 0x1d, 0x38, 0x47, 0xfc, 0x76, 0xd2, 0x1f, 0x98, 0xa1, 0x36,
+ 0xac, 0xc8, 0x70, 0x38, 0x0a, 0x3d, 0x51, 0x8d, 0x0f, 0x03, 0x1b, 0xef,
+ 0x62, 0xa1, 0xcb, 0x2b, 0x4a, 0x8c, 0x12, 0x2b, 0x54, 0x50, 0x9a, 0x6b,
+ 0xfe, 0xaf, 0xd9, 0xf6, 0xbf, 0x58, 0x11, 0x58, 0x5e, 0xe5, 0x86, 0x1e,
+ 0x3b, 0x6b, 0x30, 0x7e, 0x72, 0x89, 0xe8, 0x6b, 0x7b, 0xb7, 0xaf, 0xef,
+ 0x8b, 0xa9, 0x3e, 0xb0, 0xcd, 0x0b, 0xef, 0xb0, 0x0c, 0x96, 0x2b, 0xc5,
+ 0x3b, 0xd5, 0xf1, 0xc2, 0xae, 0x3a, 0x60, 0xd9, 0x0f, 0x75, 0x37, 0x55,
+ 0x4d, 0x62, 0xd2, 0xed, 0x96, 0xac, 0x30, 0x6b, 0xda, 0xa1, 0x48, 0x17,
+ 0x96, 0x23, 0x85, 0x9a, 0x57, 0x77, 0xe9, 0x22, 0xa2, 0x37, 0x03, 0xba,
+ 0x49, 0x77, 0x40, 0x3b, 0x76, 0x4b, 0xda, 0xc1, 0x04, 0x57, 0x55, 0x34,
+ 0x22, 0x83, 0x45, 0x29, 0xab, 0x2e, 0x11, 0xff, 0x0d, 0xab, 0x55, 0xb1,
+ 0xa7, 0x58, 0x59, 0x05, 0x25, 0xf9, 0x1e, 0x3d, 0xb7, 0xac, 0x04, 0x39,
+ 0x2c, 0xf9, 0xaf, 0xb8, 0x68, 0xfb, 0x8e, 0x35, 0x71, 0x32, 0xff, 0x70,
+ 0xe9, 0x46, 0x6d, 0x5c, 0x06, 0x90, 0x88, 0x23, 0x48, 0x0c, 0x50, 0xeb,
+ 0x0a, 0xa9, 0xae, 0xe8, 0xfc, 0xbe, 0xa5, 0x76, 0x94, 0xd7, 0x64, 0x22,
+ 0x38, 0x98, 0x17, 0xa4, 0x3a, 0xa7, 0x59, 0x9f, 0x1d, 0x3b, 0x75, 0x90,
+ 0x1a, 0x81, 0xef, 0x19, 0xfb, 0x2b, 0xb7, 0xa7, 0x64, 0x61, 0x22, 0xa4,
+ 0x6f, 0x7b, 0xfa, 0x58, 0xbb, 0x8c, 0x4e, 0x77, 0x67, 0xd0, 0x5d, 0x58,
+ 0x76, 0x8a, 0xbb,
+};
+
+static const uint8_t kRSAPrivateKeyDER[] = {
+ 0x30, 0x82, 0x04, 0xa5, 0x02, 0x01, 0x00, 0x02, 0x82, 0x01, 0x01, 0x00,
+ 0xce, 0x47, 0xcb, 0x11, 0xbb, 0xd2, 0x9d, 0x8e, 0x9e, 0xd2, 0x1e, 0x14,
+ 0xaf, 0xc7, 0xea, 0xb6, 0xc9, 0x38, 0x2a, 0x6f, 0xb3, 0x7e, 0xfb, 0xbc,
+ 0xfc, 0x59, 0x42, 0xb9, 0x56, 0xf0, 0x4c, 0x3f, 0xf7, 0x31, 0x84, 0xbe,
+ 0xac, 0x03, 0x9e, 0x71, 0x91, 0x85, 0xd8, 0x32, 0xbd, 0x00, 0xea, 0xac,
+ 0x65, 0xf6, 0x03, 0xc8, 0x0f, 0x8b, 0xfd, 0x6e, 0x58, 0x88, 0x04, 0x41,
+ 0x92, 0x74, 0xa6, 0x57, 0x2e, 0x8e, 0x88, 0xd5, 0x3d, 0xda, 0x14, 0x3e,
+ 0x63, 0x88, 0x22, 0xe3, 0x53, 0xe9, 0xba, 0x39, 0x09, 0xac, 0xfb, 0xd0,
+ 0x4c, 0xf2, 0x3c, 0x20, 0xd6, 0x97, 0xe6, 0xed, 0xf1, 0x62, 0x1e, 0xe5,
+ 0xc9, 0x48, 0xa0, 0xca, 0x2e, 0x3c, 0x14, 0x5a, 0x82, 0xd4, 0xed, 0xb1,
+ 0xe3, 0x43, 0xc1, 0x2a, 0x59, 0xa5, 0xb9, 0xc8, 0x48, 0xa7, 0x39, 0x23,
+ 0x74, 0xa7, 0x37, 0xb0, 0x6f, 0xc3, 0x64, 0x99, 0x6c, 0xa2, 0x82, 0xc8,
+ 0xf6, 0xdb, 0x86, 0x40, 0xce, 0xd1, 0x85, 0x9f, 0xce, 0x69, 0xf4, 0x15,
+ 0x2a, 0x23, 0xca, 0xea, 0xb7, 0x7b, 0xdf, 0xfb, 0x43, 0x5f, 0xff, 0x7a,
+ 0x49, 0x49, 0x0e, 0xe7, 0x02, 0x51, 0x45, 0x13, 0xe8, 0x90, 0x64, 0x21,
+ 0x0c, 0x26, 0x2b, 0x5d, 0xfc, 0xe4, 0xb5, 0x86, 0x89, 0x43, 0x22, 0x4c,
+ 0xf3, 0x3b, 0xf3, 0x09, 0xc4, 0xa4, 0x10, 0x80, 0xf2, 0x46, 0xe2, 0x46,
+ 0x8f, 0x76, 0x50, 0xbf, 0xaf, 0x2b, 0x90, 0x1b, 0x78, 0xc7, 0xcf, 0xc1,
+ 0x77, 0xd0, 0xfb, 0xa9, 0xfb, 0xc9, 0x66, 0x5a, 0xc5, 0x9b, 0x31, 0x41,
+ 0x67, 0x01, 0xbe, 0x33, 0x10, 0xba, 0x05, 0x58, 0xed, 0x76, 0x53, 0xde,
+ 0x5d, 0xc1, 0xe8, 0xbb, 0x9f, 0xf1, 0xcd, 0xfb, 0xdf, 0x64, 0x7f, 0xd7,
+ 0x18, 0xab, 0x0f, 0x94, 0x28, 0x95, 0x4a, 0xcc, 0x6a, 0xa9, 0x50, 0xc7,
+ 0x05, 0x47, 0x10, 0x41, 0x02, 0x03, 0x01, 0x00, 0x01, 0x02, 0x82, 0x01,
+ 0x01, 0x00, 0xa8, 0x47, 0xb9, 0x4a, 0x06, 0x47, 0x93, 0x71, 0x3d, 0xef,
+ 0x7b, 0xca, 0xb4, 0x7c, 0x0a, 0xe6, 0x82, 0xd0, 0xe7, 0x0d, 0xa9, 0x08,
+ 0xf6, 0xa4, 0xfd, 0xd8, 0x73, 0xae, 0x6f, 0x56, 0x29, 0x5e, 0x25, 0x72,
+ 0xa8, 0x30, 0x44, 0x73, 0xcf, 0x56, 0x26, 0xb9, 0x61, 0xde, 0x42, 0x81,
+ 0xf4, 0xf0, 0x1f, 0x5d, 0xcb, 0x47, 0xf2, 0x26, 0xe9, 0xe0, 0x93, 0x28,
+ 0xa3, 0x10, 0x3b, 0x42, 0x1e, 0x51, 0x11, 0x12, 0x06, 0x5e, 0xaf, 0xce,
+ 0xb0, 0xa5, 0x14, 0xdd, 0x82, 0x58, 0xa1, 0xa4, 0x12, 0xdf, 0x65, 0x1d,
+ 0x51, 0x70, 0x64, 0xd5, 0x58, 0x68, 0x11, 0xa8, 0x6a, 0x23, 0xc2, 0xbf,
+ 0xa1, 0x25, 0x24, 0x47, 0xb3, 0xa4, 0x3c, 0x83, 0x96, 0xb7, 0x1f, 0xf4,
+ 0x44, 0xd4, 0xd1, 0xe9, 0xfc, 0x33, 0x68, 0x5e, 0xe2, 0x68, 0x99, 0x9c,
+ 0x91, 0xe8, 0x72, 0xc9, 0xd7, 0x8c, 0x80, 0x20, 0x8e, 0x77, 0x83, 0x4d,
+ 0xe4, 0xab, 0xf9, 0x74, 0xa1, 0xdf, 0xd3, 0xc0, 0x0d, 0x5b, 0x05, 0x51,
+ 0xc2, 0x6f, 0xb2, 0x91, 0x02, 0xec, 0xc0, 0x02, 0x1a, 0x5c, 0x91, 0x05,
+ 0xf1, 0xe3, 0xfa, 0x65, 0xc2, 0xad, 0x24, 0xe6, 0xe5, 0x3c, 0xb6, 0x16,
+ 0xf1, 0xa1, 0x67, 0x1a, 0x9d, 0x37, 0x56, 0xbf, 0x01, 0xd7, 0x3b, 0x35,
+ 0x30, 0x57, 0x73, 0xf4, 0xf0, 0x5e, 0xa7, 0xe8, 0x0a, 0xc1, 0x94, 0x17,
+ 0xcf, 0x0a, 0xbd, 0xf5, 0x31, 0xa7, 0x2d, 0xf7, 0xf5, 0xd9, 0x8c, 0xc2,
+ 0x01, 0xbd, 0xda, 0x16, 0x8e, 0xb9, 0x30, 0x40, 0xa6, 0x6e, 0xbd, 0xcd,
+ 0x4d, 0x84, 0x67, 0x4e, 0x0b, 0xce, 0xd5, 0xef, 0xf8, 0x08, 0x63, 0x02,
+ 0xc6, 0xc7, 0xf7, 0x67, 0x92, 0xe2, 0x23, 0x9d, 0x27, 0x22, 0x1d, 0xc6,
+ 0x67, 0x5e, 0x66, 0xbf, 0x03, 0xb8, 0xa9, 0x67, 0xd4, 0x39, 0xd8, 0x75,
+ 0xfa, 0xe8, 0xed, 0x56, 0xb8, 0x81, 0x02, 0x81, 0x81, 0x00, 0xf7, 0x46,
+ 0x68, 0xc6, 0x13, 0xf8, 0xba, 0x0f, 0x83, 0xdb, 0x05, 0xa8, 0x25, 0x00,
+ 0x70, 0x9c, 0x9e, 0x8b, 0x12, 0x34, 0x0d, 0x96, 0xcf, 0x0d, 0x98, 0x9b,
+ 0x8d, 0x9c, 0x96, 0x78, 0xd1, 0x3c, 0x01, 0x8c, 0xb9, 0x35, 0x5c, 0x20,
+ 0x42, 0xb4, 0x38, 0xe3, 0xd6, 0x54, 0xe7, 0x55, 0xd6, 0x26, 0x8a, 0x0c,
+ 0xf6, 0x1f, 0xe0, 0x04, 0xc1, 0x22, 0x42, 0x19, 0x61, 0xc4, 0x94, 0x7c,
+ 0x07, 0x2e, 0x80, 0x52, 0xfe, 0x8d, 0xe6, 0x92, 0x3a, 0x91, 0xfe, 0x72,
+ 0x99, 0xe1, 0x2a, 0x73, 0x76, 0xb1, 0x24, 0x20, 0x67, 0xde, 0x28, 0xcb,
+ 0x0e, 0xe6, 0x52, 0xb5, 0xfa, 0xfb, 0x8b, 0x1e, 0x6a, 0x1d, 0x09, 0x26,
+ 0xb9, 0xa7, 0x61, 0xba, 0xf8, 0x79, 0xd2, 0x66, 0x57, 0x28, 0xd7, 0x31,
+ 0xb5, 0x0b, 0x27, 0x19, 0x1e, 0x6f, 0x46, 0xfc, 0x54, 0x95, 0xeb, 0x78,
+ 0x01, 0xb6, 0xd9, 0x79, 0x5a, 0x4d, 0x02, 0x81, 0x81, 0x00, 0xd5, 0x8f,
+ 0x16, 0x53, 0x2f, 0x57, 0x93, 0xbf, 0x09, 0x75, 0xbf, 0x63, 0x40, 0x3d,
+ 0x27, 0xfd, 0x23, 0x21, 0xde, 0x9b, 0xe9, 0x73, 0x3f, 0x49, 0x02, 0xd2,
+ 0x38, 0x96, 0xcf, 0xc3, 0xba, 0x92, 0x07, 0x87, 0x52, 0xa9, 0x35, 0xe3,
+ 0x0c, 0xe4, 0x2f, 0x05, 0x7b, 0x37, 0xa5, 0x40, 0x9c, 0x3b, 0x94, 0xf7,
+ 0xad, 0xa0, 0xee, 0x3a, 0xa8, 0xfb, 0x1f, 0x11, 0x1f, 0xd8, 0x9a, 0x80,
+ 0x42, 0x3d, 0x7f, 0xa4, 0xb8, 0x9a, 0xaa, 0xea, 0x72, 0xc1, 0xe3, 0xed,
+ 0x06, 0x60, 0x92, 0x37, 0xf9, 0xba, 0xfb, 0x9e, 0xed, 0x05, 0xa6, 0xd4,
+ 0x72, 0x68, 0x4f, 0x63, 0xfe, 0xd6, 0x10, 0x0d, 0x4f, 0x0a, 0x93, 0xc6,
+ 0xb9, 0xd7, 0xaf, 0xfd, 0xd9, 0x57, 0x7d, 0xcb, 0x75, 0xe8, 0x93, 0x2b,
+ 0xae, 0x4f, 0xea, 0xd7, 0x30, 0x0b, 0x58, 0x44, 0x82, 0x0f, 0x84, 0x5d,
+ 0x62, 0x11, 0x78, 0xea, 0x5f, 0xc5, 0x02, 0x81, 0x81, 0x00, 0x82, 0x0c,
+ 0xc1, 0xe6, 0x0b, 0x72, 0xf1, 0x48, 0x5f, 0xac, 0xbd, 0x98, 0xe5, 0x7d,
+ 0x09, 0xbd, 0x15, 0x95, 0x47, 0x09, 0xa1, 0x6c, 0x03, 0x91, 0xbf, 0x05,
+ 0x70, 0xc1, 0x3e, 0x52, 0x64, 0x99, 0x0e, 0xa7, 0x98, 0x70, 0xfb, 0xf6,
+ 0xeb, 0x9e, 0x25, 0x9d, 0x8e, 0x88, 0x30, 0xf2, 0xf0, 0x22, 0x6c, 0xd0,
+ 0xcc, 0x51, 0x8f, 0x5c, 0x70, 0xc7, 0x37, 0xc4, 0x69, 0xab, 0x1d, 0xfc,
+ 0xed, 0x3a, 0x03, 0xbb, 0xa2, 0xad, 0xb6, 0xea, 0x89, 0x6b, 0x67, 0x4b,
+ 0x96, 0xaa, 0xd9, 0xcc, 0xc8, 0x4b, 0xfa, 0x18, 0x21, 0x08, 0xb2, 0xa3,
+ 0xb9, 0x3e, 0x61, 0x99, 0xdc, 0x5a, 0x97, 0x9c, 0x73, 0x6a, 0xb9, 0xf9,
+ 0x68, 0x03, 0x24, 0x5f, 0x55, 0x77, 0x9c, 0xb4, 0xbe, 0x7a, 0x78, 0x53,
+ 0x68, 0x48, 0x69, 0x53, 0xc8, 0xb1, 0xf5, 0xbf, 0x98, 0x2d, 0x11, 0x1e,
+ 0x98, 0xa8, 0x36, 0x50, 0xa0, 0xb1, 0x02, 0x81, 0x81, 0x00, 0x90, 0x88,
+ 0x30, 0x71, 0xc7, 0xfe, 0x9b, 0x6d, 0x95, 0x37, 0x6d, 0x79, 0xfc, 0x85,
+ 0xe7, 0x44, 0x78, 0xbc, 0x79, 0x6e, 0x47, 0x86, 0xc9, 0xf3, 0xdd, 0xc6,
+ 0xec, 0xa9, 0x94, 0x9f, 0x40, 0xeb, 0x87, 0xd0, 0xdb, 0xee, 0xcd, 0x1b,
+ 0x87, 0x23, 0xff, 0x76, 0xd4, 0x37, 0x8a, 0xcd, 0xb9, 0x6e, 0xd1, 0x98,
+ 0xf6, 0x97, 0x8d, 0xe3, 0x81, 0x6d, 0xc3, 0x4e, 0xd1, 0xa0, 0xc4, 0x9f,
+ 0xbd, 0x34, 0xe5, 0xe8, 0x53, 0x4f, 0xca, 0x10, 0xb5, 0xed, 0xe7, 0x16,
+ 0x09, 0x54, 0xde, 0x60, 0xa7, 0xd1, 0x16, 0x6e, 0x2e, 0xb7, 0xbe, 0x7a,
+ 0xd5, 0x9b, 0x26, 0xef, 0xe4, 0x0e, 0x77, 0xfa, 0xa9, 0xdd, 0xdc, 0xb9,
+ 0x88, 0x19, 0x23, 0x70, 0xc7, 0xe1, 0x60, 0xaf, 0x8c, 0x73, 0x04, 0xf7,
+ 0x71, 0x17, 0x81, 0x36, 0x75, 0xbb, 0x97, 0xd7, 0x75, 0xb6, 0x8e, 0xbc,
+ 0xac, 0x9c, 0x6a, 0x9b, 0x24, 0x89, 0x02, 0x81, 0x80, 0x5a, 0x2b, 0xc7,
+ 0x6b, 0x8c, 0x65, 0xdb, 0x04, 0x73, 0xab, 0x25, 0xe1, 0x5b, 0xbc, 0x3c,
+ 0xcf, 0x5a, 0x3c, 0x04, 0xae, 0x97, 0x2e, 0xfd, 0xa4, 0x97, 0x1f, 0x05,
+ 0x17, 0x27, 0xac, 0x7c, 0x30, 0x85, 0xb4, 0x82, 0x3f, 0x5b, 0xb7, 0x94,
+ 0x3b, 0x7f, 0x6c, 0x0c, 0xc7, 0x16, 0xc6, 0xa0, 0xbd, 0x80, 0xb0, 0x81,
+ 0xde, 0xa0, 0x23, 0xa6, 0xf6, 0x75, 0x33, 0x51, 0x35, 0xa2, 0x75, 0x55,
+ 0x70, 0x4d, 0x42, 0xbb, 0xcf, 0x54, 0xe4, 0xdb, 0x2d, 0x88, 0xa0, 0x7a,
+ 0xf2, 0x17, 0xa7, 0xdd, 0x13, 0x44, 0x9f, 0x5f, 0x6b, 0x2c, 0x42, 0x42,
+ 0x8b, 0x13, 0x4d, 0xf9, 0x5b, 0xf8, 0x33, 0x42, 0xd9, 0x9e, 0x50, 0x1c,
+ 0x7c, 0xbc, 0xfa, 0x62, 0x85, 0x0b, 0xcf, 0x99, 0xda, 0x9e, 0x04, 0x90,
+ 0xb2, 0xc6, 0xb2, 0x0a, 0x2a, 0x7c, 0x6d, 0x6a, 0x40, 0xfc, 0xf5, 0x50,
+ 0x98, 0x46, 0x89, 0x82, 0x40,
+};
+
+
+#endif // HEADER_SSL_TEST_FUZZER
diff --git a/src/ssl/test/runner/common.go b/src/ssl/test/runner/common.go
index 0a6648f..9e7b204 100644
--- a/src/ssl/test/runner/common.go
+++ b/src/ssl/test/runner/common.go
@@ -26,9 +26,27 @@
VersionTLS13 = 0x0304
)
+const (
+ VersionDTLS10 = 0xfeff
+ VersionDTLS12 = 0xfefd
+)
+
// A draft version of TLS 1.3 that is sent over the wire for the current draft.
const tls13DraftVersion = 0x7f12
+var allTLSWireVersions = []uint16{
+ tls13DraftVersion,
+ VersionTLS12,
+ VersionTLS11,
+ VersionTLS10,
+ VersionSSL30,
+}
+
+var allDTLSWireVersions = []uint16{
+ VersionDTLS12,
+ VersionDTLS10,
+}
+
const (
maxPlaintext = 16384 // maximum plaintext payload length
maxCiphertext = 16384 + 2048 // maximum ciphertext payload length
@@ -625,12 +643,12 @@
SendSupportedVersions []uint16
// NegotiateVersion, if non-zero, causes the server to negotiate the
- // specifed TLS version rather than the version supported by either
+ // specifed wire version rather than the version supported by either
// peer.
NegotiateVersion uint16
// NegotiateVersionOnRenego, if non-zero, causes the server to negotiate
- // the specified TLS version on renegotiation rather than retaining it.
+ // the specified wire version on renegotiation rather than retaining it.
NegotiateVersionOnRenego uint16
// ExpectFalseStart causes the server to, on full handshakes,
@@ -710,9 +728,13 @@
EmptyRenegotiationInfo bool
// BadRenegotiationInfo causes the renegotiation extension value in a
- // renegotiation handshake to be incorrect.
+ // renegotiation handshake to be incorrect at the start.
BadRenegotiationInfo bool
+ // BadRenegotiationInfoEnd causes the renegotiation extension value in
+ // a renegotiation handshake to be incorrect at the end.
+ BadRenegotiationInfoEnd bool
+
// NoRenegotiationInfo disables renegotiation info support in all
// handshakes.
NoRenegotiationInfo bool
@@ -1257,6 +1279,10 @@
// send in the ClientHello.
SendCompressionMethods []byte
+ // SendCompressionMethod is the compression method to send in the
+ // ServerHello.
+ SendCompressionMethod byte
+
// AlwaysSendPreSharedKeyIdentityHint, if true, causes the server to
// always send a ServerKeyExchange for PSK ciphers, even if the identity
// hint is empty.
@@ -1438,10 +1464,29 @@
return defaultCurves
}
-// isSupportedVersion returns true if the specified protocol version is
-// acceptable.
-func (c *Config) isSupportedVersion(vers uint16, isDTLS bool) bool {
- return c.minVersion(isDTLS) <= vers && vers <= c.maxVersion(isDTLS)
+// isSupportedVersion checks if the specified wire version is acceptable. If so,
+// it returns true and the corresponding protocol version. Otherwise, it returns
+// false.
+func (c *Config) isSupportedVersion(wireVers uint16, isDTLS bool) (uint16, bool) {
+ vers, ok := wireToVersion(wireVers, isDTLS)
+ if !ok || c.minVersion(isDTLS) > vers || vers > c.maxVersion(isDTLS) {
+ return 0, false
+ }
+ return vers, true
+}
+
+func (c *Config) supportedVersions(isDTLS bool) []uint16 {
+ versions := allTLSWireVersions
+ if isDTLS {
+ versions = allDTLSWireVersions
+ }
+ var ret []uint16
+ for _, vers := range versions {
+ if _, ok := c.isSupportedVersion(vers, isDTLS); ok {
+ ret = append(ret, vers)
+ }
+ }
+ return ret
}
// getCertificateForName returns the best certificate for the given name,
@@ -1717,3 +1762,12 @@
downgradeTLS13 = []byte{0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x01}
downgradeTLS12 = []byte{0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x00}
)
+
+func containsGREASE(values []uint16) bool {
+ for _, v := range values {
+ if isGREASEValue(v) {
+ return true
+ }
+ }
+ return false
+}
diff --git a/src/ssl/test/runner/conn.go b/src/ssl/test/runner/conn.go
index fce0049..61fc9d3 100644
--- a/src/ssl/test/runner/conn.go
+++ b/src/ssl/test/runner/conn.go
@@ -35,6 +35,7 @@
// constant after handshake; protected by handshakeMutex
handshakeMutex sync.Mutex // handshakeMutex < in.Mutex, out.Mutex, errMutex
handshakeErr error // error resulting from handshake
+ wireVersion uint16 // TLS wire version
vers uint16 // TLS version
haveVers bool // version has been negotiated
config *Config // configuration passed to constructor
diff --git a/src/ssl/test/runner/dtls.go b/src/ssl/test/runner/dtls.go
index e273bc7..d46b247 100644
--- a/src/ssl/test/runner/dtls.go
+++ b/src/ssl/test/runner/dtls.go
@@ -23,32 +23,12 @@
"net"
)
-func versionToWire(vers uint16, isDTLS bool) uint16 {
- if isDTLS {
- switch vers {
- case VersionTLS12:
- return 0xfefd
- case VersionTLS10:
- return 0xfeff
- }
- } else {
- switch vers {
- case VersionSSL30, VersionTLS10, VersionTLS11, VersionTLS12:
- return vers
- case VersionTLS13:
- return tls13DraftVersion
- }
- }
-
- panic("unknown version")
-}
-
func wireToVersion(vers uint16, isDTLS bool) (uint16, bool) {
if isDTLS {
switch vers {
- case 0xfefd:
+ case VersionDTLS12:
return VersionTLS12, true
- case 0xfeff:
+ case VersionDTLS10:
return VersionTLS10, true
}
} else {
@@ -102,9 +82,9 @@
// version is irrelevant.)
if typ != recordTypeAlert {
if c.haveVers {
- if wireVers := versionToWire(c.vers, c.isDTLS); vers != wireVers {
+ if vers != c.wireVersion {
c.sendAlert(alertProtocolVersion)
- return 0, nil, c.in.setErrorLocked(fmt.Errorf("dtls: received record with version %x when expecting version %x", vers, wireVers))
+ return 0, nil, c.in.setErrorLocked(fmt.Errorf("dtls: received record with version %x when expecting version %x", vers, c.wireVersion))
}
} else {
// Pre-version-negotiation alerts may be sent with any version.
@@ -368,13 +348,16 @@
// TODO(nharper): DTLS 1.3 will likely need to set this to
// recordTypeApplicationData if c.out.cipher != nil.
b.data[0] = byte(typ)
- vers := c.vers
+ vers := c.wireVersion
if vers == 0 {
// Some TLS servers fail if the record version is greater than
// TLS 1.0 for the initial ClientHello.
- vers = VersionTLS10
+ if c.isDTLS {
+ vers = VersionDTLS10
+ } else {
+ vers = VersionTLS10
+ }
}
- vers = versionToWire(vers, c.isDTLS)
b.data[1] = byte(vers >> 8)
b.data[2] = byte(vers)
// DTLS records include an explicit sequence number.
diff --git a/src/ssl/test/runner/fuzzer_mode.json b/src/ssl/test/runner/fuzzer_mode.json
index fd819f9..d2f64ef 100644
--- a/src/ssl/test/runner/fuzzer_mode.json
+++ b/src/ssl/test/runner/fuzzer_mode.json
@@ -46,6 +46,8 @@
"TLS13-EarlyData-ALPNOmitted2-Server": "Trial decryption does not work with the NULL cipher.",
"TLS13-EarlyData-RejectUnfinishedWrite-Client-*": "Trial decryption does not work with the NULL cipher.",
"TLS13-EarlyData-Reject-Client": "Trial decryption does not work with the NULL cipher.",
- "TLS13-EarlyData-RejectTicket-Client": "Trial decryption does not work with the NULL cipher."
+ "TLS13-EarlyData-RejectTicket-Client": "Trial decryption does not work with the NULL cipher.",
+
+ "Renegotiate-Client-BadExt*": "Fuzzer mode does not check renegotiation_info."
}
}
diff --git a/src/ssl/test/runner/handshake_client.go b/src/ssl/test/runner/handshake_client.go
index c531a28..f0bfca4 100644
--- a/src/ssl/test/runner/handshake_client.go
+++ b/src/ssl/test/runner/handshake_client.go
@@ -35,6 +35,21 @@
finishedBytes []byte
}
+func mapClientHelloVersion(vers uint16, isDTLS bool) uint16 {
+ if !isDTLS {
+ return vers
+ }
+
+ switch vers {
+ case VersionTLS12:
+ return VersionDTLS12
+ case VersionTLS10:
+ return VersionDTLS10
+ }
+
+ panic("Unknown ClientHello version.")
+}
+
func (c *Conn) clientHandshake() error {
if c.config == nil {
c.config = defaultConfig()
@@ -63,7 +78,6 @@
maxVersion := c.config.maxVersion(c.isDTLS)
hello := &clientHelloMsg{
isDTLS: c.isDTLS,
- vers: versionToWire(maxVersion, c.isDTLS),
compressionMethods: []uint8{compressionNone},
random: make([]byte, 32),
ocspStapling: !c.config.Bugs.NoOCSPStapling,
@@ -85,6 +99,23 @@
pskBinderFirst: c.config.Bugs.PSKBinderFirst,
}
+ if maxVersion >= VersionTLS13 {
+ hello.vers = mapClientHelloVersion(VersionTLS12, c.isDTLS)
+ if !c.config.Bugs.OmitSupportedVersions {
+ hello.supportedVersions = c.config.supportedVersions(c.isDTLS)
+ }
+ } else {
+ hello.vers = mapClientHelloVersion(maxVersion, c.isDTLS)
+ }
+
+ if c.config.Bugs.SendClientVersion != 0 {
+ hello.vers = c.config.Bugs.SendClientVersion
+ }
+
+ if len(c.config.Bugs.SendSupportedVersions) > 0 {
+ hello.supportedVersions = c.config.Bugs.SendSupportedVersions
+ }
+
disableEMS := c.config.Bugs.NoExtendedMasterSecret
if c.cipherSuite != nil {
disableEMS = c.config.Bugs.NoExtendedMasterSecretOnRenegotiation
@@ -310,23 +341,6 @@
}
}
- if maxVersion == VersionTLS13 && !c.config.Bugs.OmitSupportedVersions {
- if hello.vers >= VersionTLS13 {
- hello.vers = VersionTLS12
- }
- for version := maxVersion; version >= minVersion; version-- {
- hello.supportedVersions = append(hello.supportedVersions, versionToWire(version, c.isDTLS))
- }
- }
-
- if len(c.config.Bugs.SendSupportedVersions) > 0 {
- hello.supportedVersions = c.config.Bugs.SendSupportedVersions
- }
-
- if c.config.Bugs.SendClientVersion != 0 {
- hello.vers = c.config.Bugs.SendClientVersion
- }
-
if c.config.Bugs.SendCipherSuites != nil {
hello.cipherSuites = c.config.Bugs.SendCipherSuites
}
@@ -409,7 +423,7 @@
if c.isDTLS {
helloVerifyRequest, ok := msg.(*helloVerifyRequestMsg)
if ok {
- if helloVerifyRequest.vers != versionToWire(VersionTLS10, c.isDTLS) {
+ if helloVerifyRequest.vers != VersionDTLS10 {
// Per RFC 6347, the version field in
// HelloVerifyRequest SHOULD be always DTLS
// 1.0. Enforce this for testing purposes.
@@ -443,14 +457,12 @@
return fmt.Errorf("tls: received unexpected message of type %T when waiting for HelloRetryRequest or ServerHello", msg)
}
- serverVersion, ok := wireToVersion(serverWireVersion, c.isDTLS)
- if ok {
- ok = c.config.isSupportedVersion(serverVersion, c.isDTLS)
- }
+ serverVersion, ok := c.config.isSupportedVersion(serverWireVersion, c.isDTLS)
if !ok {
c.sendAlert(alertProtocolVersion)
return fmt.Errorf("tls: server selected unsupported protocol version %x", c.vers)
}
+ c.wireVersion = serverWireVersion
c.vers = serverVersion
c.haveVers = true
diff --git a/src/ssl/test/runner/handshake_server.go b/src/ssl/test/runner/handshake_server.go
index 3a182ec..f70f469 100644
--- a/src/ssl/test/runner/handshake_server.go
+++ b/src/ssl/test/runner/handshake_server.go
@@ -161,7 +161,7 @@
// Per RFC 6347, the version field in HelloVerifyRequest SHOULD
// be always DTLS 1.0
helloVerifyRequest := &helloVerifyRequestMsg{
- vers: versionToWire(VersionTLS10, c.isDTLS),
+ vers: VersionDTLS10,
cookie: make([]byte, 32),
}
if _, err := io.ReadFull(c.config.rand(), helloVerifyRequest.cookie); err != nil {
@@ -210,74 +210,69 @@
c.clientVersion = hs.clientHello.vers
- // Convert the ClientHello wire version to a protocol version.
- var clientVersion uint16
- if c.isDTLS {
- if hs.clientHello.vers <= 0xfefd {
- clientVersion = VersionTLS12
- } else if hs.clientHello.vers <= 0xfeff {
- clientVersion = VersionTLS10
+ // Use the versions extension if supplied, otherwise use the legacy ClientHello version.
+ if len(hs.clientHello.supportedVersions) == 0 {
+ if c.isDTLS {
+ if hs.clientHello.vers <= VersionDTLS12 {
+ hs.clientHello.supportedVersions = append(hs.clientHello.supportedVersions, VersionDTLS12)
+ }
+ if hs.clientHello.vers <= VersionDTLS10 {
+ hs.clientHello.supportedVersions = append(hs.clientHello.supportedVersions, VersionDTLS10)
+ }
+ } else {
+ if hs.clientHello.vers >= VersionTLS12 {
+ hs.clientHello.supportedVersions = append(hs.clientHello.supportedVersions, VersionTLS12)
+ }
+ if hs.clientHello.vers >= VersionTLS11 {
+ hs.clientHello.supportedVersions = append(hs.clientHello.supportedVersions, VersionTLS11)
+ }
+ if hs.clientHello.vers >= VersionTLS10 {
+ hs.clientHello.supportedVersions = append(hs.clientHello.supportedVersions, VersionTLS10)
+ }
+ if hs.clientHello.vers >= VersionSSL30 {
+ hs.clientHello.supportedVersions = append(hs.clientHello.supportedVersions, VersionSSL30)
+ }
}
- } else {
- if hs.clientHello.vers >= VersionTLS12 {
- clientVersion = VersionTLS12
- } else if hs.clientHello.vers >= VersionTLS11 {
- clientVersion = VersionTLS11
- } else if hs.clientHello.vers >= VersionTLS10 {
- clientVersion = VersionTLS10
- } else if hs.clientHello.vers >= VersionSSL30 {
- clientVersion = VersionSSL30
- }
+ } else if config.Bugs.ExpectGREASE && !containsGREASE(hs.clientHello.supportedVersions) {
+ return errors.New("tls: no GREASE version value found")
}
- if config.Bugs.NegotiateVersion != 0 {
- c.vers = config.Bugs.NegotiateVersion
- } else if c.haveVers && config.Bugs.NegotiateVersionOnRenego != 0 {
- c.vers = config.Bugs.NegotiateVersionOnRenego
- } else if len(hs.clientHello.supportedVersions) > 0 {
- // Use the versions extension if supplied.
- var foundVersion, foundGREASE bool
- for _, extVersion := range hs.clientHello.supportedVersions {
- if isGREASEValue(extVersion) {
- foundGREASE = true
+ if !c.haveVers {
+ if config.Bugs.NegotiateVersion != 0 {
+ c.wireVersion = config.Bugs.NegotiateVersion
+ } else {
+ var found bool
+ for _, vers := range hs.clientHello.supportedVersions {
+ if _, ok := config.isSupportedVersion(vers, c.isDTLS); ok {
+ c.wireVersion = vers
+ found = true
+ break
+ }
}
- extVersion, ok = wireToVersion(extVersion, c.isDTLS)
- if !ok {
- continue
- }
- if config.isSupportedVersion(extVersion, c.isDTLS) && !foundVersion {
- c.vers = extVersion
- foundVersion = true
- break
+ if !found {
+ c.sendAlert(alertProtocolVersion)
+ return errors.New("tls: client did not offer any supported protocol versions")
}
}
- if !foundVersion {
- c.sendAlert(alertProtocolVersion)
- return errors.New("tls: client did not offer any supported protocol versions")
- }
- if config.Bugs.ExpectGREASE && !foundGREASE {
- return errors.New("tls: no GREASE version value found")
- }
- } else {
- // Otherwise, use the legacy ClientHello version.
- version := clientVersion
- if maxVersion := config.maxVersion(c.isDTLS); version > maxVersion {
- version = maxVersion
- }
- if version == 0 || !config.isSupportedVersion(version, c.isDTLS) {
- return fmt.Errorf("tls: client offered an unsupported, maximum protocol version of %x", hs.clientHello.vers)
- }
- c.vers = version
+ } else if config.Bugs.NegotiateVersionOnRenego != 0 {
+ c.wireVersion = config.Bugs.NegotiateVersionOnRenego
+ }
+
+ c.vers, ok = wireToVersion(c.wireVersion, c.isDTLS)
+ if !ok {
+ panic("Could not map wire version")
}
c.haveVers = true
+ clientProtocol, ok := wireToVersion(c.clientVersion, c.isDTLS)
+
// Reject < 1.2 ClientHellos with signature_algorithms.
- if clientVersion < VersionTLS12 && len(hs.clientHello.signatureAlgorithms) > 0 {
+ if ok && clientProtocol < VersionTLS12 && len(hs.clientHello.signatureAlgorithms) > 0 {
return fmt.Errorf("tls: client included signature_algorithms before TLS 1.2")
}
// Check the client cipher list is consistent with the version.
- if clientVersion < VersionTLS12 {
+ if ok && clientProtocol < VersionTLS12 {
for _, id := range hs.clientHello.cipherSuites {
if isTLS12Cipher(id) {
return fmt.Errorf("tls: client offered TLS 1.2 cipher before TLS 1.2")
@@ -298,13 +293,11 @@
return fmt.Errorf("tls: client offered unexpected PSK identities")
}
- var scsvFound, greaseFound bool
+ var scsvFound bool
for _, cipherSuite := range hs.clientHello.cipherSuites {
if cipherSuite == fallbackSCSV {
scsvFound = true
- }
- if isGREASEValue(cipherSuite) {
- greaseFound = true
+ break
}
}
@@ -314,11 +307,11 @@
return errors.New("tls: fallback SCSV found when not expected")
}
- if !greaseFound && config.Bugs.ExpectGREASE {
+ if config.Bugs.ExpectGREASE && !containsGREASE(hs.clientHello.cipherSuites) {
return errors.New("tls: no GREASE cipher suite value found")
}
- greaseFound = false
+ var greaseFound bool
for _, curve := range hs.clientHello.supportedCurves {
if isGREASEValue(uint16(curve)) {
greaseFound = true
@@ -367,7 +360,7 @@
hs.hello = &serverHelloMsg{
isDTLS: c.isDTLS,
- vers: versionToWire(c.vers, c.isDTLS),
+ vers: c.wireVersion,
versOverride: config.Bugs.SendServerHelloVersion,
customExtension: config.Bugs.CustomUnencryptedExtension,
unencryptedALPN: config.Bugs.SendUnencryptedALPN,
@@ -526,7 +519,7 @@
ResendHelloRetryRequest:
var sendHelloRetryRequest bool
helloRetryRequest := &helloRetryRequestMsg{
- vers: versionToWire(c.vers, c.isDTLS),
+ vers: c.wireVersion,
duplicateExtensions: config.Bugs.DuplicateHelloRetryRequestExtensions,
}
@@ -1049,9 +1042,9 @@
hs.hello = &serverHelloMsg{
isDTLS: c.isDTLS,
- vers: versionToWire(c.vers, c.isDTLS),
+ vers: c.wireVersion,
versOverride: config.Bugs.SendServerHelloVersion,
- compressionMethod: compressionNone,
+ compressionMethod: config.Bugs.SendCompressionMethod,
}
hs.hello.random = make([]byte, 32)
@@ -1168,6 +1161,9 @@
if c.config.Bugs.BadRenegotiationInfo {
serverExtensions.secureRenegotiation[0] ^= 0x80
}
+ if c.config.Bugs.BadRenegotiationInfoEnd {
+ serverExtensions.secureRenegotiation[len(serverExtensions.secureRenegotiation)-1] ^= 0x80
+ }
} else {
serverExtensions.secureRenegotiation = hs.clientHello.secureRenegotiation
}
diff --git a/src/ssl/test/runner/runner.go b/src/ssl/test/runner/runner.go
index d9218f2..03ba755 100644
--- a/src/ssl/test/runner/runner.go
+++ b/src/ssl/test/runner/runner.go
@@ -263,6 +263,31 @@
panic("Unknown test certificate")
}
+// configVersionToWire maps a protocol version to the default wire version to
+// test at that protocol.
+//
+// TODO(davidben): Rather than mapping these, make tlsVersions contains a list
+// of wire versions and test all of them.
+func configVersionToWire(vers uint16, protocol protocol) uint16 {
+ if protocol == dtls {
+ switch vers {
+ case VersionTLS12:
+ return VersionDTLS12
+ case VersionTLS10:
+ return VersionDTLS10
+ }
+ } else {
+ switch vers {
+ case VersionSSL30, VersionTLS10, VersionTLS11, VersionTLS12:
+ return vers
+ case VersionTLS13:
+ return tls13DraftVersion
+ }
+ }
+
+ panic("unknown version")
+}
+
// encodeDERValues encodes a series of bytestrings in comma-separated-hex form.
func encodeDERValues(values [][]byte) string {
var ret string
@@ -440,30 +465,20 @@
var testCases []testCase
-func writeTranscript(test *testCase, num int, data []byte) {
+func writeTranscript(test *testCase, path string, data []byte) {
if len(data) == 0 {
return
}
- protocol := "tls"
- if test.protocol == dtls {
- protocol = "dtls"
- }
-
- side := "client"
- if test.testType == serverTest {
- side = "server"
- }
-
- dir := path.Join(*transcriptDir, protocol, side)
- if err := os.MkdirAll(dir, 0755); err != nil {
- fmt.Fprintf(os.Stderr, "Error making %s: %s\n", dir, err)
+ settings, err := ioutil.ReadFile(path)
+ if err != nil {
+ fmt.Fprintf(os.Stderr, "Error reading %s: %s.\n", path, err)
return
}
- name := fmt.Sprintf("%s-%d", test.name, num)
- if err := ioutil.WriteFile(path.Join(dir, name), data, 0644); err != nil {
- fmt.Fprintf(os.Stderr, "Error writing %s: %s\n", name, err)
+ settings = append(settings, data...)
+ if err := ioutil.WriteFile(path, settings, 0644); err != nil {
+ fmt.Fprintf(os.Stderr, "Error writing %s: %s\n", path, err)
}
}
@@ -487,7 +502,7 @@
return t.Conn.Write(b)
}
-func doExchange(test *testCase, config *Config, conn net.Conn, isResume bool, num int) error {
+func doExchange(test *testCase, config *Config, conn net.Conn, isResume bool, transcriptPrefix string, num int) error {
if !test.noSessionCache {
if config.ClientSessionCache == nil {
config.ClientSessionCache = NewLRUClientSessionCache(1)
@@ -536,9 +551,10 @@
if *flagDebug {
defer connDebug.WriteTo(os.Stdout)
}
- if len(*transcriptDir) != 0 {
+ if len(transcriptPrefix) != 0 {
defer func() {
- writeTranscript(test, num, connDebug.Transcript())
+ path := transcriptPrefix + strconv.Itoa(num)
+ writeTranscript(test, path, connDebug.Transcript())
}()
}
@@ -613,6 +629,8 @@
channelIDKey.Y.Cmp(channelIDKey.Y) != 0 {
return fmt.Errorf("incorrect channel ID")
}
+ } else if connState.ChannelID != nil {
+ return fmt.Errorf("channel ID unexpectedly negotiated")
}
if expected := test.expectedNextProto; expected != "" {
@@ -1000,6 +1018,26 @@
flags = append(flags, "-tls-unique")
}
+ var transcriptPrefix string
+ if len(*transcriptDir) != 0 {
+ protocol := "tls"
+ if test.protocol == dtls {
+ protocol = "dtls"
+ }
+
+ side := "client"
+ if test.testType == serverTest {
+ side = "server"
+ }
+
+ dir := filepath.Join(*transcriptDir, protocol, side)
+ if err := os.MkdirAll(dir, 0755); err != nil {
+ return err
+ }
+ transcriptPrefix = filepath.Join(dir, test.name+"-")
+ flags = append(flags, "-write-settings", transcriptPrefix)
+ }
+
flags = append(flags, test.flags...)
var shim *exec.Cmd
@@ -1039,7 +1077,7 @@
conn, err := acceptOrWait(listener, waitChan)
if err == nil {
- err = doExchange(test, &config, conn, false /* not a resumption */, 0)
+ err = doExchange(test, &config, conn, false /* not a resumption */, transcriptPrefix, 0)
conn.Close()
}
@@ -1059,7 +1097,7 @@
var connResume net.Conn
connResume, err = acceptOrWait(listener, waitChan)
if err == nil {
- err = doExchange(test, &resumeConfig, connResume, true /* resumption */, i+1)
+ err = doExchange(test, &resumeConfig, connResume, true /* resumption */, transcriptPrefix, i+1)
connResume.Close()
}
}
@@ -1155,16 +1193,27 @@
type tlsVersion struct {
name string
version uint16
- flag string
- hasDTLS bool
+ // excludeFlag is the legacy shim flag to disable the version.
+ excludeFlag string
+ hasDTLS bool
+ // shimTLS and shimDTLS are values the shim uses to refer to these
+ // versions in TLS and DTLS, respectively.
+ shimTLS, shimDTLS int
+}
+
+func (vers tlsVersion) shimFlag(protocol protocol) string {
+ if protocol == dtls {
+ return strconv.Itoa(vers.shimDTLS)
+ }
+ return strconv.Itoa(vers.shimTLS)
}
var tlsVersions = []tlsVersion{
- {"SSL3", VersionSSL30, "-no-ssl3", false},
- {"TLS1", VersionTLS10, "-no-tls1", true},
- {"TLS11", VersionTLS11, "-no-tls11", false},
- {"TLS12", VersionTLS12, "-no-tls12", true},
- {"TLS13", VersionTLS13, "-no-tls13", false},
+ {"SSL3", VersionSSL30, "-no-ssl3", false, VersionSSL30, 0},
+ {"TLS1", VersionTLS10, "-no-tls1", true, VersionTLS10, VersionDTLS10},
+ {"TLS11", VersionTLS11, "-no-tls11", false, VersionTLS11, 0},
+ {"TLS12", VersionTLS12, "-no-tls12", true, VersionTLS12, VersionDTLS12},
+ {"TLS13", VersionTLS13, "-no-tls13", false, VersionTLS13, 0},
}
type testCipherSuite struct {
@@ -2461,6 +2510,21 @@
expectedError: ":INVALID_COMPRESSION_LIST:",
expectedLocalError: "remote error: illegal parameter",
},
+ // Test that the client rejects invalid compression methods
+ // from the server.
+ {
+ testType: clientTest,
+ name: "InvalidCompressionMethod",
+ config: Config{
+ MaxVersion: VersionTLS12,
+ Bugs: ProtocolBugs{
+ SendCompressionMethod: 1,
+ },
+ },
+ shouldFail: true,
+ expectedError: ":UNSUPPORTED_COMPRESSION_ALGORITHM:",
+ expectedLocalError: "remote error: illegal parameter",
+ },
{
name: "GREASE-Client-TLS12",
config: Config{
@@ -2957,6 +3021,116 @@
shouldFail: true,
expectedError: ":NO_SHARED_CIPHER:",
})
+
+ // Test cipher suite negotiation works as expected. Configure a
+ // complicated cipher suite configuration.
+ const negotiationTestCiphers = "" +
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:" +
+ "[TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]:" +
+ "TLS_RSA_WITH_AES_128_GCM_SHA256:" +
+ "TLS_RSA_WITH_AES_128_CBC_SHA:" +
+ "[TLS_RSA_WITH_AES_256_GCM_SHA384|TLS_RSA_WITH_AES_256_CBC_SHA]"
+ negotiationTests := []struct {
+ ciphers []uint16
+ expected uint16
+ }{
+ // Server preferences are honored, including when
+ // equipreference groups are involved.
+ {
+ []uint16{
+ TLS_RSA_WITH_AES_256_GCM_SHA384,
+ TLS_RSA_WITH_AES_128_CBC_SHA,
+ TLS_RSA_WITH_AES_128_GCM_SHA256,
+ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+ },
+ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+ },
+ {
+ []uint16{
+ TLS_RSA_WITH_AES_256_GCM_SHA384,
+ TLS_RSA_WITH_AES_128_CBC_SHA,
+ TLS_RSA_WITH_AES_128_GCM_SHA256,
+ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+ },
+ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+ },
+ {
+ []uint16{
+ TLS_RSA_WITH_AES_256_GCM_SHA384,
+ TLS_RSA_WITH_AES_128_CBC_SHA,
+ TLS_RSA_WITH_AES_128_GCM_SHA256,
+ },
+ TLS_RSA_WITH_AES_128_GCM_SHA256,
+ },
+ {
+ []uint16{
+ TLS_RSA_WITH_AES_256_GCM_SHA384,
+ TLS_RSA_WITH_AES_128_CBC_SHA,
+ },
+ TLS_RSA_WITH_AES_128_CBC_SHA,
+ },
+ // Equipreference groups use the client preference.
+ {
+ []uint16{
+ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+ TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+ },
+ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+ },
+ {
+ []uint16{
+ TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+ },
+ TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+ },
+ {
+ []uint16{
+ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+ TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+ },
+ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+ },
+ {
+ []uint16{
+ TLS_RSA_WITH_AES_256_GCM_SHA384,
+ TLS_RSA_WITH_AES_256_CBC_SHA,
+ },
+ TLS_RSA_WITH_AES_256_GCM_SHA384,
+ },
+ {
+ []uint16{
+ TLS_RSA_WITH_AES_256_CBC_SHA,
+ TLS_RSA_WITH_AES_256_GCM_SHA384,
+ },
+ TLS_RSA_WITH_AES_256_CBC_SHA,
+ },
+ // If there are two equipreference groups, the preferred one
+ // takes precedence.
+ {
+ []uint16{
+ TLS_RSA_WITH_AES_256_GCM_SHA384,
+ TLS_RSA_WITH_AES_256_CBC_SHA,
+ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+ TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+ },
+ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+ },
+ }
+ for i, t := range negotiationTests {
+ testCases = append(testCases, testCase{
+ testType: serverTest,
+ name: "CipherNegotiation-" + strconv.Itoa(i),
+ config: Config{
+ MaxVersion: VersionTLS12,
+ CipherSuites: t.ciphers,
+ },
+ flags: []string{"-cipher", negotiationTestCiphers},
+ expectedCipher: t.expected,
+ })
+ }
}
func addBadECDSASignatureTests() {
@@ -3036,36 +3210,46 @@
}
func addCBCSplittingTests() {
- testCases = append(testCases, testCase{
- name: "CBCRecordSplitting",
- config: Config{
- MaxVersion: VersionTLS10,
- MinVersion: VersionTLS10,
- CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
- },
- messageLen: -1, // read until EOF
- resumeSession: true,
- flags: []string{
- "-async",
- "-write-different-record-sizes",
- "-cbc-record-splitting",
- },
- })
- testCases = append(testCases, testCase{
- name: "CBCRecordSplittingPartialWrite",
- config: Config{
- MaxVersion: VersionTLS10,
- MinVersion: VersionTLS10,
- CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
- },
- messageLen: -1, // read until EOF
- flags: []string{
- "-async",
- "-write-different-record-sizes",
- "-cbc-record-splitting",
- "-partial-write",
- },
- })
+ var cbcCiphers = []struct {
+ name string
+ cipher uint16
+ }{
+ {"3DES", TLS_RSA_WITH_3DES_EDE_CBC_SHA},
+ {"AES128", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
+ {"AES256", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA},
+ }
+ for _, t := range cbcCiphers {
+ testCases = append(testCases, testCase{
+ name: "CBCRecordSplitting-" + t.name,
+ config: Config{
+ MaxVersion: VersionTLS10,
+ MinVersion: VersionTLS10,
+ CipherSuites: []uint16{t.cipher},
+ },
+ messageLen: -1, // read until EOF
+ resumeSession: true,
+ flags: []string{
+ "-async",
+ "-write-different-record-sizes",
+ "-cbc-record-splitting",
+ },
+ })
+ testCases = append(testCases, testCase{
+ name: "CBCRecordSplittingPartialWrite-" + t.name,
+ config: Config{
+ MaxVersion: VersionTLS10,
+ MinVersion: VersionTLS10,
+ CipherSuites: []uint16{t.cipher},
+ },
+ messageLen: -1, // read until EOF
+ flags: []string{
+ "-async",
+ "-write-different-record-sizes",
+ "-cbc-record-splitting",
+ "-partial-write",
+ },
+ })
+ }
}
func addClientAuthTests() {
@@ -3209,6 +3393,37 @@
shouldFail: true,
expectedError: ":UNEXPECTED_MESSAGE:",
})
+
+ testCases = append(testCases, testCase{
+ testType: serverTest,
+ name: "VerifyPeerIfNoOBC-NoChannelID-" + ver.name,
+ config: Config{
+ MinVersion: ver.version,
+ MaxVersion: ver.version,
+ },
+ flags: []string{
+ "-enable-channel-id",
+ "-verify-peer-if-no-obc",
+ },
+ shouldFail: true,
+ expectedError: ":PEER_DID_NOT_RETURN_A_CERTIFICATE:",
+ expectedLocalError: certificateRequired,
+ })
+
+ testCases = append(testCases, testCase{
+ testType: serverTest,
+ name: "VerifyPeerIfNoOBC-ChannelID-" + ver.name,
+ config: Config{
+ MinVersion: ver.version,
+ MaxVersion: ver.version,
+ ChannelID: channelIDKey,
+ },
+ expectChannelID: true,
+ flags: []string{
+ "-enable-channel-id",
+ "-verify-peer-if-no-obc",
+ },
+ })
}
testCases = append(testCases, testCase{
@@ -4363,6 +4578,36 @@
shouldFail: true,
expectedError: ":CHANNEL_ID_SIGNATURE_INVALID:",
})
+
+ if ver.version < VersionTLS13 {
+ // Channel ID requires ECDHE ciphers.
+ tests = append(tests, testCase{
+ testType: serverTest,
+ name: "ChannelID-NoECDHE-" + ver.name,
+ config: Config{
+ MaxVersion: ver.version,
+ CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
+ ChannelID: channelIDKey,
+ },
+ expectChannelID: false,
+ flags: []string{"-enable-channel-id"},
+ })
+
+ // Sanity-check setting expectChannelID false works.
+ tests = append(tests, testCase{
+ testType: serverTest,
+ name: "ChannelID-ECDHE-" + ver.name,
+ config: Config{
+ MaxVersion: ver.version,
+ CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
+ ChannelID: channelIDKey,
+ },
+ expectChannelID: false,
+ flags: []string{"-enable-channel-id"},
+ shouldFail: true,
+ expectedLocalError: "channel ID unexpectedly negotiated",
+ })
+ }
}
// Channel ID and NPN at the same time, to ensure their relative
@@ -4541,7 +4786,7 @@
// Assemble flags to disable all newer versions on the shim.
var flags []string
for _, vers := range tlsVersions[i+1:] {
- flags = append(flags, vers.flag)
+ flags = append(flags, vers.excludeFlag)
}
// Test configuring the runner's maximum version.
@@ -4561,19 +4806,17 @@
suffix += "-DTLS"
}
- shimVersFlag := strconv.Itoa(int(versionToWire(shimVers.version, protocol == dtls)))
-
// Determine the expected initial record-layer versions.
clientVers := shimVers.version
if clientVers > VersionTLS10 {
clientVers = VersionTLS10
}
- clientVers = versionToWire(clientVers, protocol == dtls)
+ clientVers = configVersionToWire(clientVers, protocol)
serverVers := expectedVersion
if expectedVersion >= VersionTLS13 {
serverVers = VersionTLS10
}
- serverVers = versionToWire(serverVers, protocol == dtls)
+ serverVers = configVersionToWire(serverVers, protocol)
testCases = append(testCases, testCase{
protocol: protocol,
@@ -4598,7 +4841,7 @@
ExpectInitialRecordVersion: clientVers,
},
},
- flags: []string{"-max-version", shimVersFlag},
+ flags: []string{"-max-version", shimVers.shimFlag(protocol)},
expectedVersion: expectedVersion,
})
@@ -4625,7 +4868,7 @@
ExpectInitialRecordVersion: serverVers,
},
},
- flags: []string{"-max-version", shimVersFlag},
+ flags: []string{"-max-version", shimVers.shimFlag(protocol)},
expectedVersion: expectedVersion,
})
}
@@ -4644,7 +4887,7 @@
suffix += "-DTLS"
}
- wireVersion := versionToWire(vers.version, protocol == dtls)
+ wireVersion := configVersionToWire(vers.version, protocol)
testCases = append(testCases, testCase{
protocol: protocol,
testType: serverTest,
@@ -4882,7 +5125,7 @@
// Assemble flags to disable all older versions on the shim.
var flags []string
for _, vers := range tlsVersions[:i] {
- flags = append(flags, vers.flag)
+ flags = append(flags, vers.excludeFlag)
}
for _, runnerVers := range tlsVersions {
@@ -4895,7 +5138,6 @@
if protocol == dtls {
suffix += "-DTLS"
}
- shimVersFlag := strconv.Itoa(int(versionToWire(shimVers.version, protocol == dtls)))
var expectedVersion uint16
var shouldFail bool
@@ -4918,7 +5160,7 @@
// Ensure the server does not decline to
// select a version (versions extension) or
// cipher (some ciphers depend on versions).
- NegotiateVersion: runnerVers.version,
+ NegotiateVersion: configVersionToWire(runnerVers.version, protocol),
IgnorePeerCipherPreferences: shouldFail,
},
},
@@ -4938,11 +5180,11 @@
// Ensure the server does not decline to
// select a version (versions extension) or
// cipher (some ciphers depend on versions).
- NegotiateVersion: runnerVers.version,
+ NegotiateVersion: configVersionToWire(runnerVers.version, protocol),
IgnorePeerCipherPreferences: shouldFail,
},
},
- flags: []string{"-min-version", shimVersFlag},
+ flags: []string{"-min-version", shimVers.shimFlag(protocol)},
expectedVersion: expectedVersion,
shouldFail: shouldFail,
expectedError: expectedError,
@@ -4969,7 +5211,7 @@
config: Config{
MaxVersion: runnerVers.version,
},
- flags: []string{"-min-version", shimVersFlag},
+ flags: []string{"-min-version", shimVers.shimFlag(protocol)},
expectedVersion: expectedVersion,
shouldFail: shouldFail,
expectedError: expectedError,
@@ -6464,6 +6706,19 @@
expectedError: ":RENEGOTIATION_MISMATCH:",
})
testCases = append(testCases, testCase{
+ name: "Renegotiate-Client-BadExt2",
+ renegotiate: 1,
+ config: Config{
+ MaxVersion: VersionTLS12,
+ Bugs: ProtocolBugs{
+ BadRenegotiationInfoEnd: true,
+ },
+ },
+ flags: []string{"-renegotiate-freely"},
+ shouldFail: true,
+ expectedError: ":RENEGOTIATION_MISMATCH:",
+ })
+ testCases = append(testCases, testCase{
name: "Renegotiate-Client-Downgrade",
renegotiate: 1,
config: Config{
@@ -10900,6 +11155,24 @@
"-enable-early-data",
},
})
+
+ // Test that the client reports TLS 1.3 as the version while sending
+ // early data.
+ testCases = append(testCases, testCase{
+ testType: clientTest,
+ name: "TLS13-EarlyData-Client-VersionAPI",
+ config: Config{
+ MaxVersion: VersionTLS13,
+ MaxEarlyDataSize: 16384,
+ },
+ resumeSession: true,
+ flags: []string{
+ "-enable-early-data",
+ "-expect-early-data-info",
+ "-expect-accept-early-data",
+ "-expect-version", strconv.Itoa(VersionTLS13),
+ },
+ })
}
func addTLS13CipherPreferenceTests() {
diff --git a/src/ssl/test/test_config.cc b/src/ssl/test/test_config.cc
index 960240e..195371f 100644
--- a/src/ssl/test/test_config.cc
+++ b/src/ssl/test/test_config.cc
@@ -95,6 +95,7 @@
{ "-shim-shuts-down", &TestConfig::shim_shuts_down },
{ "-verify-fail", &TestConfig::verify_fail },
{ "-verify-peer", &TestConfig::verify_peer },
+ { "-verify-peer-if-no-obc", &TestConfig::verify_peer_if_no_obc },
{ "-expect-verify-result", &TestConfig::expect_verify_result },
{ "-renegotiate-once", &TestConfig::renegotiate_once },
{ "-renegotiate-freely", &TestConfig::renegotiate_freely },
@@ -131,6 +132,7 @@
};
const Flag<std::string> kStringFlags[] = {
+ { "-write-settings", &TestConfig::write_settings },
{ "-digest-prefs", &TestConfig::digest_prefs },
{ "-key-file", &TestConfig::key_file },
{ "-cert-file", &TestConfig::cert_file },
@@ -172,6 +174,7 @@
{ "-resume-count", &TestConfig::resume_count },
{ "-min-version", &TestConfig::min_version },
{ "-max-version", &TestConfig::max_version },
+ { "-expect-version", &TestConfig::expect_version },
{ "-mtu", &TestConfig::mtu },
{ "-export-keying-material", &TestConfig::export_keying_material },
{ "-expect-total-renegotiations", &TestConfig::expect_total_renegotiations },
diff --git a/src/ssl/test/test_config.h b/src/ssl/test/test_config.h
index 8bc8892..7b4b342 100644
--- a/src/ssl/test/test_config.h
+++ b/src/ssl/test/test_config.h
@@ -24,6 +24,7 @@
bool is_server = false;
bool is_dtls = false;
int resume_count = 0;
+ std::string write_settings;
bool fallback_scsv = false;
std::string digest_prefs;
std::vector<int> signing_prefs;
@@ -68,6 +69,7 @@
std::string expected_signed_cert_timestamps;
int min_version = 0;
int max_version = 0;
+ int expect_version = 0;
int mtu = 0;
bool implicit_handshake = false;
bool use_early_callback = false;
@@ -100,6 +102,7 @@
bool shim_shuts_down = false;
bool verify_fail = false;
bool verify_peer = false;
+ bool verify_peer_if_no_obc = false;
bool expect_verify_result = false;
std::string signed_cert_timestamps;
int expect_total_renegotiations = 0;
diff --git a/src/ssl/tls13_enc.c b/src/ssl/tls13_enc.c
index 2137fe2..97f0ed9 100644
--- a/src/ssl/tls13_enc.c
+++ b/src/ssl/tls13_enc.c
@@ -54,15 +54,8 @@
int tls13_init_early_key_schedule(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
- uint16_t session_version;
- if (!ssl->method->version_from_wire(&session_version,
- ssl->session->ssl_version) ||
- !init_key_schedule(hs, session_version,
- ssl->session->cipher->algorithm_prf)) {
- return 0;
- }
-
- return 1;
+ return init_key_schedule(hs, SSL_SESSION_protocol_version(ssl->session),
+ ssl->session->cipher->algorithm_prf);
}
int tls13_advance_key_schedule(SSL_HANDSHAKE *hs, const uint8_t *in,
@@ -122,11 +115,7 @@
const uint8_t *traffic_secret,
size_t traffic_secret_len) {
const SSL_SESSION *session = SSL_get_session(ssl);
- uint16_t version;
- if (!ssl->method->version_from_wire(&version, session->ssl_version)) {
- OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
- return 0;
- }
+ uint16_t version = SSL_SESSION_protocol_version(session);
if (traffic_secret_len > 0xff) {
OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);
@@ -141,8 +130,7 @@
return 0;
}
- const EVP_MD *digest = ssl_get_handshake_digest(
- session->cipher->algorithm_prf, version);
+ const EVP_MD *digest = SSL_SESSION_get_digest(session);
/* Derive the key. */
size_t key_len = EVP_AEAD_key_length(aead);
@@ -383,11 +371,7 @@
int tls13_write_psk_binder(SSL_HANDSHAKE *hs, uint8_t *msg, size_t len) {
SSL *const ssl = hs->ssl;
- const EVP_MD *digest = SSL_SESSION_get_digest(ssl->session, ssl);
- if (digest == NULL) {
- OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
- return 0;
- }
+ const EVP_MD *digest = SSL_SESSION_get_digest(ssl->session);
size_t hash_len = EVP_MD_size(digest);
if (len < hash_len + 3) {
diff --git a/src/ssl/tls13_server.c b/src/ssl/tls13_server.c
index 0a5e1a2..fe2463b 100644
--- a/src/ssl/tls13_server.c
+++ b/src/ssl/tls13_server.c
@@ -537,11 +537,14 @@
goto err;
}
- /* Determine whether to request a client certificate. */
- hs->cert_request = !!(ssl->verify_mode & SSL_VERIFY_PEER);
- /* CertificateRequest may only be sent in non-resumption handshakes. */
- if (ssl->s3->session_reused) {
- hs->cert_request = 0;
+ if (!ssl->s3->session_reused) {
+ /* Determine whether to request a client certificate. */
+ hs->cert_request = !!(ssl->verify_mode & SSL_VERIFY_PEER);
+ /* Only request a certificate if Channel ID isn't negotiated. */
+ if ((ssl->verify_mode & SSL_VERIFY_PEER_IF_NO_OBC) &&
+ ssl->s3->tlsext_channel_id_valid) {
+ hs->cert_request = 0;
+ }
}
/* Send a CertificateRequest, if necessary. */
diff --git a/src/ssl/tls_method.c b/src/ssl/tls_method.c
index 6144f86..d039b7d 100644
--- a/src/ssl/tls_method.c
+++ b/src/ssl/tls_method.c
@@ -65,39 +65,6 @@
#include "internal.h"
-static int ssl3_version_from_wire(uint16_t *out_version,
- uint16_t wire_version) {
- switch (wire_version) {
- case SSL3_VERSION:
- case TLS1_VERSION:
- case TLS1_1_VERSION:
- case TLS1_2_VERSION:
- *out_version = wire_version;
- return 1;
- case TLS1_3_DRAFT_VERSION:
- *out_version = TLS1_3_VERSION;
- return 1;
- }
-
- return 0;
-}
-
-static uint16_t ssl3_version_to_wire(uint16_t version) {
- switch (version) {
- case SSL3_VERSION:
- case TLS1_VERSION:
- case TLS1_1_VERSION:
- case TLS1_2_VERSION:
- return version;
- case TLS1_3_VERSION:
- return TLS1_3_DRAFT_VERSION;
- }
-
- /* It is an error to use this function with an invalid version. */
- assert(0);
- return 0;
-}
-
static int ssl3_supports_cipher(const SSL_CIPHER *cipher) { return 1; }
static void ssl3_expect_flight(SSL *ssl) {}
@@ -130,10 +97,6 @@
static const SSL_PROTOCOL_METHOD kTLSProtocolMethod = {
0 /* is_dtls */,
- SSL3_VERSION,
- TLS1_3_VERSION,
- ssl3_version_from_wire,
- ssl3_version_to_wire,
ssl3_new,
ssl3_free,
ssl3_get_message,
diff --git a/src/ssl/tls_record.c b/src/ssl/tls_record.c
index a5bbe93..3bc0b29 100644
--- a/src/ssl/tls_record.c
+++ b/src/ssl/tls_record.c
@@ -389,8 +389,10 @@
* ClientHellos should use SSL 3.0 and pre-TLS-1.3 expects the version
* to change after version negotiation. */
uint16_t wire_version = TLS1_VERSION;
- if (ssl->version == SSL3_VERSION ||
- (ssl->s3->have_version && ssl3_protocol_version(ssl) < TLS1_3_VERSION)) {
+ if (ssl->s3->hs != NULL && ssl->s3->hs->max_version == SSL3_VERSION) {
+ wire_version = SSL3_VERSION;
+ }
+ if (ssl->s3->have_version && ssl3_protocol_version(ssl) < TLS1_3_VERSION) {
wire_version = ssl->version;
}
diff --git a/src/tool/client.cc b/src/tool/client.cc
index c4a071d..74a7124 100644
--- a/src/tool/client.cc
+++ b/src/tool/client.cc
@@ -127,6 +127,10 @@
"-ed25519", kBooleanArgument, "Advertise Ed25519 support",
},
{
+ "-http-tunnel", kOptionalArgument,
+ "An HTTP proxy server to tunnel the TCP connection through",
+ },
+ {
"", kOptionalArgument, "",
},
};
@@ -208,7 +212,12 @@
std::map<std::string, std::string> args_map,
bool (*cb)(SSL *ssl, int sock)) {
int sock = -1;
- if (!Connect(&sock, args_map["-connect"])) {
+ if (args_map.count("-http-tunnel") != 0) {
+ if (!Connect(&sock, args_map["-http-tunnel"]) ||
+ !DoHTTPTunnel(sock, args_map["-connect"])) {
+ return false;
+ }
+ } else if (!Connect(&sock, args_map["-connect"])) {
return false;
}
diff --git a/src/tool/transport_common.cc b/src/tool/transport_common.cc
index 912e680..0fc7c3c 100644
--- a/src/tool/transport_common.cc
+++ b/src/tool/transport_common.cc
@@ -70,10 +70,8 @@
return true;
}
-// Connect sets |*out_sock| to be a socket connected to the destination given
-// in |hostname_and_port|, which should be of the form "www.example.com:123".
-// It returns true on success and false otherwise.
-bool Connect(int *out_sock, const std::string &hostname_and_port) {
+static void SplitHostPort(std::string *out_hostname, std::string *out_port,
+ const std::string &hostname_and_port) {
size_t colon_offset = hostname_and_port.find_last_of(':');
const size_t bracket_offset = hostname_and_port.find_last_of(']');
std::string hostname, port;
@@ -85,12 +83,20 @@
}
if (colon_offset == std::string::npos) {
- hostname = hostname_and_port;
- port = "443";
+ *out_hostname = hostname_and_port;
+ *out_port = "443";
} else {
- hostname = hostname_and_port.substr(0, colon_offset);
- port = hostname_and_port.substr(colon_offset + 1);
+ *out_hostname = hostname_and_port.substr(0, colon_offset);
+ *out_port = hostname_and_port.substr(colon_offset + 1);
}
+}
+
+// Connect sets |*out_sock| to be a socket connected to the destination given
+// in |hostname_and_port|, which should be of the form "www.example.com:123".
+// It returns true on success and false otherwise.
+bool Connect(int *out_sock, const std::string &hostname_and_port) {
+ std::string hostname, port;
+ SplitHostPort(&hostname, &port, hostname_and_port);
// Handle IPv6 literals.
if (hostname.size() >= 2 && hostname[0] == '[' &&
@@ -631,3 +637,31 @@
return true;
}
+
+bool DoHTTPTunnel(int sock, const std::string &hostname_and_port) {
+ std::string hostname, port;
+ SplitHostPort(&hostname, &port, hostname_and_port);
+
+ fprintf(stderr, "Establishing HTTP tunnel to %s:%s.\n", hostname.c_str(),
+ port.c_str());
+ char buf[1024];
+ snprintf(buf, sizeof(buf), "CONNECT %s:%s HTTP/1.0\r\n\r\n", hostname.c_str(),
+ port.c_str());
+ if (!SendAll(sock, buf, strlen(buf))) {
+ return false;
+ }
+
+ SocketLineReader line_reader(sock);
+
+ // Read until an empty line, signaling the end of the HTTP response.
+ std::string line;
+ for (;;) {
+ if (!line_reader.Next(&line)) {
+ return false;
+ }
+ if (line.empty()) {
+ return true;
+ }
+ fprintf(stderr, "%s\n", line.c_str());
+ }
+}
diff --git a/src/tool/transport_common.h b/src/tool/transport_common.h
index 7c157ba..b149671 100644
--- a/src/tool/transport_common.h
+++ b/src/tool/transport_common.h
@@ -18,6 +18,8 @@
#include <openssl/ssl.h>
#include <string.h>
+#include <string>
+
// InitSocketLibrary calls the Windows socket init functions, if needed.
bool InitSocketLibrary();
@@ -59,4 +61,8 @@
// returns true on success and false otherwise.
bool DoSMTPStartTLS(int sock);
+// DoHTTPTunnel sends an HTTP CONNECT request over |sock|. It returns true on
+// success and false otherwise.
+bool DoHTTPTunnel(int sock, const std::string &hostname_and_port);
+
#endif /* !OPENSSL_HEADER_TOOL_TRANSPORT_COMMON_H */
