| # Test vectors for public key validation. |
| |
| # Invalid Curve Attack from |
| # https://web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.html |
| # https://www.nds.rub.de/media/nds/veroeffentlichungen/2015/09/14/main-full.pdf |
| Curve = P-256 |
| Q = 04b70bf043c144935756f8f4578c369cf960ee510a5a0f90e93a373a21f0d1397f4a2e0ded57a5156bb82eb4314c37fd4155395a7e51988af289cce531b9c17192 |
| Result = F |
| |
| |
| # Test vectors for Public Key Point Validation. |
| # |
| # These test vectors were generated by applying the patch in |
| # util/generate-tests.patch to BoringSSL, and then running |
| # `bssl generate-tests ecc-public-key`. |
| # |
| |
| # X == 0, decompressed with y_bit == 0. This verifies that the |
| # implementation doesn't reject zero-valued field elements (they |
| # aren't scalars). |
| Curve = P-256 |
| Q = 04000000000000000000000000000000000000000000000000000000000000000066485c780e2f83d72433bd5d84a06bb6541c2af31dae871728bf856a174f93f4 |
| Result = P |
| |
| # X == q. This is invalid because q isn't a valid field element. Some |
| # broken implementations might accept this if they reduce X mod q |
| # since q mod q == 0 and the Y coordinate matches the one from the |
| # x == 0 test case above. |
| Curve = P-256 |
| Q = 04ffffffff00000001000000000000000000000000ffffffffffffffffffffffff66485c780e2f83d72433bd5d84a06bb6541c2af31dae871728bf856a174f93f4 |
| Result = F (X is out of range) |
| |
| # X == 0, decompressed with y_bit == 1. |
| Curve = P-256 |
| Q = 04000000000000000000000000000000000000000000000000000000000000000099b7a386f1d07c29dbcc42a27b5f9449abe3d50de25178e8d7407a95e8b06c0b |
| Result = P |
| |
| # X == q, decompressed with y_bit == 1. See the previous X == q test |
| # case. |
| Curve = P-256 |
| Q = 04ffffffff00000001000000000000000000000000ffffffffffffffffffffffff99b7a386f1d07c29dbcc42a27b5f9449abe3d50de25178e8d7407a95e8b06c0b |
| Result = F (X is out of range) |
| |
| # The largest valid X coordinate, decompressed with y_bit == 0. This |
| # helps ensure that the upper bound on coordinate values is not too |
| # low. |
| Curve = P-256 |
| Q = 04ffffffff00000001000000000000000000000000fffffffffffffffffffffffce68e641309515ec1da369202838e0adda2b37040614a5f5460c616e871aa3ede |
| Result = P |
| |
| # X == 0, decompressed with y_bit == 0. This verifies that the |
| # implementation doesn't reject zero-valued field elements (they |
| # aren't scalars). |
| Curve = P-384 |
| Q = 040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000003cf99ef04f51a5ea630ba3f9f960dd593a14c9be39fd2bd215d3b4b08aaaf86bbf927f2c46e52ab06fb742b8850e521e |
| Result = P |
| |
| # X == q. This is invalid because q isn't a valid field element. Some |
| # broken implementations might accept this if they reduce X mod q |
| # since q mod q == 0 and the Y coordinate matches the one from the |
| # x == 0 test case above. |
| Curve = P-384 |
| Q = 04fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff3cf99ef04f51a5ea630ba3f9f960dd593a14c9be39fd2bd215d3b4b08aaaf86bbf927f2c46e52ab06fb742b8850e521e |
| Result = F (X is out of range) |
| |
| # X == 0, decompressed with y_bit == 1. |
| Curve = P-384 |
| Q = 04000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c306610fb0ae5a159cf45c06069f22a6c5eb3641c602d42dea2c4b4f75550793406d80d2b91ad54f9048bd487af1ade1 |
| Result = P |
| |
| # X == q, decompressed with y_bit == 1. See the previous X == q test |
| # case. |
| Curve = P-384 |
| Q = 04fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffffc306610fb0ae5a159cf45c06069f22a6c5eb3641c602d42dea2c4b4f75550793406d80d2b91ad54f9048bd487af1ade1 |
| Result = F (X is out of range) |
| |
| # The largest valid X coordinate, decompressed with y_bit == 0. This |
| # helps ensure that the upper bound on coordinate values is not too |
| # low. |
| Curve = P-384 |
| Q = 04fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000fffffffe8cdeadbbd04911a3c1931e26df3fa6439dca9c7eb286fbd46fc319f0e2bb780232baf57825fc0c1912ada2fefe84024c |
| Result = P |
| |
| |
| # RFC 5903 (IKE and IKEv2 ECDH) Test Vectors |
| # Q is (grx, gry) in uncompressed encoding. |
| |
| Curve = P-256 |
| Q = 04D12DFB5289C8D4F81208B70270398C342296970A0BCCB74C736FC7554494BF6356FBF3CA366CC23E8157854C13C58D6AAC23F046ADA30F8353E74F33039872AB |
| Result = P |
| |
| Curve = P-384 |
| Q = 04E558DBEF53EECDE3D3FCCFC1AEA08A89A987475D12FD950D83CFA41732BC509D0D1AC43A0336DEF96FDA41D0774A3571DCFBEC7AACF3196472169E838430367F66EEBE3C6E70C416DD5F0C68759DD1FFF83FA40142209DFF5EAAD96DB9E6386C |
| Result = P |
| |
| # Tweaks of the RFC 5903 vectors for testing malformed (syntactically) public |
| # keys |
| |
| Curve = P-256 |
| Q = "" |
| Result = F (Peer public key is empty.) |
| |
| Curve = P-384 |
| Q = "" |
| Result = F (Peer public key is empty.) |
| |
| Curve = P-256 |
| Q = 00 |
| Result = F (Peer public key is the special encoding of the point at infinity.) |
| |
| Curve = P-384 |
| Q = 00 |
| Result = F (Peer public key is the special encoding of the point at infinity.) |
| |
| Curve = P-256 |
| Q = 01 |
| Result = F (Peer public key consists of (only) an invalid encoding indicator.) |
| |
| Curve = P-384 |
| Q = 01 |
| Result = F (Peer public key consists of (only) an invalid encoding indicator.) |
| |
| Curve = P-256 |
| Q = 02 |
| Result = F (Peer public key consists of (only) a compressed encoding indicator (0x02).) |
| |
| Curve = P-384 |
| Q = 02 |
| Result = F (Peer public key consists of (only) a compressed encoding indicator (0x02).) |
| |
| Curve = P-256 |
| Q = 03 |
| Result = F (Peer public key consists of (only) a compressed encoding indicator (0x03).) |
| |
| Curve = P-384 |
| Q = 03 |
| Result = F (Peer public key consists of (only) a compressed encoding indicator (0x03).) |
| |
| Curve = P-256 |
| Q = 04 |
| Result = F (Peer public key consists of (only) a uncompressed encoding indicator.) |
| |
| Curve = P-384 |
| Q = 04 |
| Result = F (Peer public key consists of (only) a compressed encoding indicator.) |
| |
| Curve = P-256 |
| Q = 04 |
| Result = F (Peer public key consists of (only) an invalid encoding indicator (0x05).) |
| |
| Curve = P-384 |
| Q = 04 |
| Result = F (Peer public key consists of (only) an invalid encoding indicator (0x05).) |
| |
| Curve = P-256 |
| Q = 01D12DFB5289C8D4F81208B70270398C342296970A0BCCB74C736FC7554494BF6356FBF3CA366CC23E8157854C13C58D6AAC23F046ADA30F8353E74F33039872AB |
| Result = F (Peer public key starts with a completely invalid encoding indicator byte (0x01).) |
| |
| Curve = P-384 |
| Q = 01E558DBEF53EECDE3D3FCCFC1AEA08A89A987475D12FD950D83CFA41732BC509D0D1AC43A0336DEF96FDA41D0774A3571DCFBEC7AACF3196472169E838430367F66EEBE3C6E70C416DD5F0C68759DD1FFF83FA40142209DFF5EAAD96DB9E6386C |
| Result = F (Peer public key starts with a completely invalid encoding indicator byte (0x01).) |
| |
| Curve = P-256 |
| Q = 02D12DFB5289C8D4F81208B70270398C342296970A0BCCB74C736FC7554494BF6356FBF3CA366CC23E8157854C13C58D6AAC23F046ADA30F8353E74F33039872AB |
| Result = F (Peer public key encoding's first byte is 0x02, should be 0x04.) |
| |
| Curve = P-384 |
| Q = 02E558DBEF53EECDE3D3FCCFC1AEA08A89A987475D12FD950D83CFA41732BC509D0D1AC43A0336DEF96FDA41D0774A3571DCFBEC7AACF3196472169E838430367F66EEBE3C6E70C416DD5F0C68759DD1FFF83FA40142209DFF5EAAD96DB9E6386C |
| Result = F (Peer public key encoding's first byte is 0x02, should be 0x04.) |
| |
| Curve = P-256 |
| Q = 03D12DFB5289C8D4F81208B70270398C342296970A0BCCB74C736FC7554494BF6356FBF3CA366CC23E8157854C13C58D6AAC23F046ADA30F8353E74F33039872AB |
| Result = F (Peer public key encoding's first byte is 0x03, should be 0x04.) |
| |
| Curve = P-384 |
| Q = 03E558DBEF53EECDE3D3FCCFC1AEA08A89A987475D12FD950D83CFA41732BC509D0D1AC43A0336DEF96FDA41D0774A3571DCFBEC7AACF3196472169E838430367F66EEBE3C6E70C416DD5F0C68759DD1FFF83FA40142209DFF5EAAD96DB9E6386C |
| Result = F (Peer public key encoding's first byte is 0x03, should be 0x04.) |
| |
| Curve = P-256 |
| Q = 05D12DFB5289C8D4F81208B70270398C342296970A0BCCB74C736FC7554494BF6356FBF3CA366CC23E8157854C13C58D6AAC23F046ADA30F8353E74F33039872AB |
| Result = F (Peer public key starts with a completely invalid encoding indicator byte (0x05).) |
| |
| Curve = P-384 |
| Q = 05E558DBEF53EECDE3D3FCCFC1AEA08A89A987475D12FD950D83CFA41732BC509D0D1AC43A0336DEF96FDA41D0774A3571DCFBEC7AACF3196472169E838430367F66EEBE3C6E70C416DD5F0C68759DD1FFF83FA40142209DFF5EAAD96DB9E6386C |
| Result = F (Peer public key starts with a completely invalid encoding indicator byte (0x05).) |
| |
| Curve = P-256 |
| Q = FFD12DFB5289C8D4F81208B70270398C342296970A0BCCB74C736FC7554494BF6356FBF3CA366CC23E8157854C13C58D6AAC23F046ADA30F8353E74F33039872AB |
| Result = F (Peer public key starts with a completely invalid encoding indicator byte (0xff).) |
| |
| Curve = P-384 |
| Q = FFE558DBEF53EECDE3D3FCCFC1AEA08A89A987475D12FD950D83CFA41732BC509D0D1AC43A0336DEF96FDA41D0774A3571DCFBEC7AACF3196472169E838430367F66EEBE3C6E70C416DD5F0C68759DD1FFF83FA40142209DFF5EAAD96DB9E6386C |
| Result = F (Peer public key starts with a completely invalid encoding indicator byte (0xff).) |
| |
| Curve = P-256 |
| Q = D12DFB5289C8D4F81208B70270398C342296970A0BCCB74C736FC7554494BF6356FBF3CA366CC23E8157854C13C58D6AAC23F046ADA30F8353E74F33039872AB |
| Result = F (Peer public key is missing the encoding indicator byte.) |
| |
| Curve = P-384 |
| Q = E558DBEF53EECDE3D3FCCFC1AEA08A89A987475D12FD950D83CFA41732BC509D0D1AC43A0336DEF96FDA41D0774A3571DCFBEC7AACF3196472169E838430367F66EEBE3C6E70C416DD5F0C68759DD1FFF83FA40142209DFF5EAAD96DB9E6386C |
| Result = F (Peer public key is missing the encoding indicator byte.) |
| |
| Curve = P-256 |
| Q = 04D12DFB5289C8D4F81208B70270398C342296970A0BCCB74C736FC7554494BF6356FBF3CA366CC23E8157854C13C58D6AAC23F046ADA30F8353E74F33039872 |
| Result = F (Peer public key has the last byte truncated.) |
| |
| Curve = P-384 |
| Q = 04E558DBEF53EECDE3D3FCCFC1AEA08A89A987475D12FD950D83CFA41732BC509D0D1AC43A0336DEF96FDA41D0774A3571DCFBEC7AACF3196472169E838430367F66EEBE3C6E70C416DD5F0C68759DD1FFF83FA40142209DFF5EAAD96DB9E638 |
| Result = F (Peer public key has the last byte truncated.) |
| |
| Curve = P-256 |
| Q = 04D12DFB5289C8D4F81208B70270398C342296970A0BCCB74C736FC7554494BF63 |
| Result = F (Peer public key is missing the Y coordinate completely.) |
| |
| Curve = P-384 |
| Q = 04E558DBEF53EECDE3D3FCCFC1AEA08A89A987475D12FD950D83CFA41732BC509D0D1AC43A0336DEF96FDA41D0774A3571 |
| Result = F (Peer public key is missing the Y coordinate completely.) |
| |
| Curve = P-256 |
| Q = 02D12DFB5289C8D4F81208B70270398C342296970A0BCCB74C736FC7554494BF63 |
| Result = F (Peer public key is in compressed form (0x02).) |
| |
| Curve = P-384 |
| Q = 02E558DBEF53EECDE3D3FCCFC1AEA08A89A987475D12FD950D83CFA41732BC509D0D1AC43A0336DEF96FDA41D0774A3571 |
| Result = F (Peer public key is in compressed form (0x02).) |
| |
| Curve = P-256 |
| Q = 03D12DFB5289C8D4F81208B70270398C342296970A0BCCB74C736FC7554494BF63 |
| Result = F (Peer public key is in compressed form (0x03).) |
| |
| Curve = P-384 |
| Q = 03E558DBEF53EECDE3D3FCCFC1AEA08A89A987475D12FD950D83CFA41732BC509D0D1AC43A0336DEF96FDA41D0774A3571 |
| Result = F (Peer public key is in compressed form (0x03).) |