Skip to content

Commit

Permalink
mockhsm(rsa): when wrapped, the modulus is appended to the message
Browse files Browse the repository at this point in the history
  • Loading branch information
@baloo
baloo committed Jan 7, 2025
1 parent b5ae19f commit f2e6677
Show file tree
Hide file tree
Showing 2 changed files with 24 additions and 3 deletions.
2 changes: 2 additions & 0 deletions src/mockhsm/object/payload.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -209,6 +209,8 @@ impl Payload {
if let Some(qinv) = k.qinv() {
out.extend_from_slice(&qinv.to_bytes_be().1)
}
// n
out.extend_from_slice(&k.n().to_bytes_be());

out
}
Expand Down
25 changes: 22 additions & 3 deletions tests/rsa/mod.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -59,7 +59,7 @@ fn rsa_put_asymmetric_key() {
}

#[test]
fn rsa_import_wrapped_key() {
fn rsa_import_export_wrapped_key() {
let key = RsaPrivateKey::from_pkcs8_der(RSA_2048_PRIV_DER).unwrap();
let algorithm = wrap::Algorithm::Aes128Ccm;
let capabilities = Capability::EXPORT_WRAPPED | Capability::IMPORT_WRAPPED;
Expand All @@ -69,7 +69,7 @@ fn rsa_import_wrapped_key() {
let plaintext = wrap::Plaintext::from_rsa(
algorithm,
asymmetric_key_id,
Capability::empty(),
Capability::EXPORTABLE_UNDER_WRAP | Capability::SIGN_PKCS,
TEST_DOMAINS,
TEST_KEY_LABEL.into(),
key.clone(),
Expand Down Expand Up @@ -99,7 +99,7 @@ fn rsa_import_wrapped_key() {

let handle = client
.import_wrapped(TEST_KEY_ID, message)
.expect("impot asymmetric key");
.expect("import asymmetric key");

assert_eq!(handle.object_id, asymmetric_key_id);
let public = client
Expand All @@ -108,6 +108,25 @@ fn rsa_import_wrapped_key() {
let public = public.rsa().expect("rsa public key expected");

assert_eq!(public, key.as_ref().clone());

let message = client
.export_wrapped(TEST_KEY_ID, object::Type::AsymmetricKey, handle.object_id)
.expect("export asymmetric key");

let plaintext = message
.decrypt(&wrap_key)
.expect("failed to decrypt the wrapped key");

let exported_key = plaintext.rsa().expect("read back RSA key from HSM");

assert_eq!(public, exported_key.as_ref().clone());
// can't just check key against exported_key as the private exponent gets rebuilt, we'll check
// the primes instead.
assert_eq!(
exported_key.primes(),
key.primes(),
"RSA after import/export roundtrip mismatch: primes"
);
}

/// Example message to sign
Expand Down

0 comments on commit f2e6677

Please sign in to comment.