[cryptotest] Test RSA encrypt using wycheproof vectors

This commit extends the cryptotest framework to test the RSA encrypt
function. To test whether the encrypt was successful, the test
takes the ciphertext, decrypts it and compares it to the plaintext
that was fed into the encryption.

Signed-off-by: Pascal Nasahl <[email protected]>

Author: nasahlpa

sw/device/tests/crypto/cryptotest/BUILD

@@ -166,6 +166,25 @@ RSA_TESTVECTOR_TARGETS = [
         "sha512_mgf1_64",
         "shake256",
     ]
+] + [
+    "//sw/host/cryptotest/testvectors/data:wycheproof_rsa_oaep_2048_{}.json".format(hash)
+    for hash in [
+        "sha256_mgf1sha256",
+        "sha384_mgf1sha384",
+        "sha512_mgf1sha512",
+    ]
+] + [
+    "//sw/host/cryptotest/testvectors/data:wycheproof_rsa_oaep_3072_{}.json".format(hash)
+    for hash in [
+        "sha256_mgf1sha256",
+        "sha512_mgf1sha512",
+    ]
+] + [
+    "//sw/host/cryptotest/testvectors/data:wycheproof_rsa_oaep_4096_{}.json".format(hash)
+    for hash in [
+        "sha256_mgf1sha256",
+        "sha512_mgf1sha512",
+    ]
 ]
 
 RSA_TESTVECTOR_ARGS = " ".join([

sw/device/tests/crypto/cryptotest/firmware/rsa.c

@@ -51,6 +51,140 @@ enum {
   kCryptotestRsaShake256 = 7,
 };
 
+status_t handle_rsa_encrypt(ujson_t *uj) {
+  cryptotest_rsa_encrypt_t uj_input;
+  TRY(ujson_deserialize_cryptotest_rsa_encrypt_t(uj, &uj_input));
+
+  if (uj_input.padding != kCryptotestRsaPaddingOaep) {
+    LOG_ERROR("Unsupported RSA padding: %d", uj_input.padding);
+    return INVALID_ARGUMENT();
+  }
+
+  if (uj_input.e != kCryptotestRsaSupportedE) {
+    LOG_ERROR("Unsupported RSA public exponent e: %d", uj_input.e);
+    return INVALID_ARGUMENT();
+  }
+
+  size_t rsa_num_words;
+  size_t public_key_bytes;
+  otcrypto_rsa_size_t rsa_size;
+  size_t n_bytes = uj_input.security_level / 8;
+  switch (n_bytes) {
+    case kOtcryptoRsa2048PublicKeyBytes:
+      rsa_size = kOtcryptoRsaSize2048;
+      rsa_num_words = kCryptotestRsa2048NumWords;
+      public_key_bytes = kOtcryptoRsa2048PublicKeyBytes;
+      break;
+    case kOtcryptoRsa3072PublicKeyBytes:
+      rsa_size = kOtcryptoRsaSize3072;
+      rsa_num_words = kCryptotestRsa3072NumWords;
+      public_key_bytes = kOtcryptoRsa3072PublicKeyBytes;
+      break;
+    case kOtcryptoRsa4096PublicKeyBytes:
+      rsa_size = kOtcryptoRsaSize4096;
+      rsa_num_words = kCryptotestRsa4096NumWords;
+      public_key_bytes = kOtcryptoRsa4096PublicKeyBytes;
+      break;
+    default:
+      LOG_ERROR("Unsupported RSA security_level: %d", uj_input.security_level);
+      return INVALID_ARGUMENT();
+  }
+
+  otcrypto_hash_mode_t hash_mode;
+  switch (uj_input.hashing) {
+    case kCryptotestRsaSha256:
+      hash_mode = kOtcryptoHashModeSha256;
+      break;
+    case kCryptotestRsaSha384:
+      hash_mode = kOtcryptoHashModeSha384;
+      break;
+    case kCryptotestRsaSha512:
+      hash_mode = kOtcryptoHashModeSha512;
+      break;
+    case kCryptotestRsaSha3_256:
+      hash_mode = kOtcryptoHashModeSha3_256;
+      break;
+    case kCryptotestRsaSha3_384:
+      hash_mode = kOtcryptoHashModeSha3_384;
+      break;
+    case kCryptotestRsaSha3_512:
+      hash_mode = kOtcryptoHashModeSha3_512;
+      break;
+    case kCryptotestRsaShake128:
+      hash_mode = kOtcryptoHashXofModeShake128;
+      break;
+    case kCryptotestRsaShake256:
+      hash_mode = kOtcryptoHashXofModeShake256;
+      break;
+    default:
+      LOG_ERROR("Unsupported RSA hash mode: %d", uj_input.hashing);
+      return INVALID_ARGUMENT();
+  }
+
+  // Create the modulus N buffer.
+  uint32_t n_buf[rsa_num_words];
+  memset(n_buf, 0, sizeof(n_buf));
+  memcpy(n_buf, uj_input.n, n_bytes);
+
+  otcrypto_const_word32_buf_t modulus = {
+      .data = n_buf,
+      .len = rsa_num_words,
+  };
+
+  // Construct the public key.
+  uint32_t public_key_data[ceil_div(public_key_bytes, sizeof(uint32_t))];
+
+  otcrypto_unblinded_key_t public_key = {
+      .key_mode = kOtcryptoKeyModeRsaEncryptOaep,
+      .key_length = public_key_bytes,
+      .key = public_key_data,
+  };
+
+  TRY(otcrypto_rsa_public_key_construct(rsa_size, modulus, &public_key));
+
+  // Create input message.
+  uint8_t msg_buf[rsa_num_words];
+  memset(msg_buf, 0, sizeof(msg_buf));
+  memcpy(msg_buf, uj_input.plaintext, uj_input.plaintext_len);
+  otcrypto_const_byte_buf_t input_message = {
+      .len = uj_input.plaintext_len,
+      .data = msg_buf,
+  };
+
+  // Create label.
+  uint8_t label_buf[uj_input.label_len];
+  memset(label_buf, 0, sizeof(label_buf));
+  memcpy(label_buf, uj_input.label, uj_input.label_len);
+  otcrypto_const_byte_buf_t label = {
+      .data = label_buf,
+      .len = uj_input.label_len,
+  };
+
+  // Output buffer.
+  uint32_t ciphertext_buf[rsa_num_words];
+  otcrypto_word32_buf_t ciphertext = {
+      .data = ciphertext_buf,
+      .len = rsa_num_words,
+  };
+
+  bool status_resp = true;
+  otcrypto_status_t status = otcrypto_rsa_encrypt(
+      &public_key, hash_mode, input_message, label, ciphertext);
+  if (status.value != kOtcryptoStatusValueOk) {
+    status_resp = false;
+  }
+
+  // Return ciphertext and the status back to host.
+  cryptotest_rsa_encrypt_resp_t uj_output;
+  memset(uj_output.ciphertext, 0, RSA_CMD_MAX_MESSAGE_BYTES);
+  memcpy(uj_output.ciphertext, ciphertext_buf, n_bytes);
+  uj_output.ciphertext_len = n_bytes;
+  uj_output.result = status_resp;
+
+  RESP_OK(ujson_serialize_cryptotest_rsa_encrypt_resp_t, uj, &uj_output);
+  return OK_STATUS();
+}
+
 status_t handle_rsa_decrypt(ujson_t *uj) {
   cryptotest_rsa_decrypt_t uj_input;
   TRY(ujson_deserialize_cryptotest_rsa_decrypt_t(uj, &uj_input));
@@ -408,6 +542,8 @@ status_t handle_rsa(ujson_t *uj) {
   rsa_subcommand_t cmd;
   TRY(ujson_deserialize_rsa_subcommand_t(uj, &cmd));
   switch (cmd) {
+    case kRsaSubcommandRsaEncrypt:
+      return handle_rsa_encrypt(uj);
     case kRsaSubcommandRsaDecrypt:
       return handle_rsa_decrypt(uj);
     case kRsaSubcommandRsaVerify:

sw/device/tests/crypto/cryptotest/firmware/rsa.h

@@ -9,6 +9,7 @@
 #include "sw/device/lib/ujson/ujson.h"
 
 status_t handle_rsa_decrypt(ujson_t *uj);
+status_t handle_rsa_encrypt(ujson_t *uj);
 status_t handle_rsa_verify(ujson_t *uj);
 status_t handle_rsa(ujson_t *uj);
 

sw/device/tests/crypto/cryptotest/json/rsa_commands.h

@@ -18,6 +18,7 @@ extern "C" {
 // clang-format off
 
 #define RSA_SUBCOMMAND(_, value) \
+    value(_, RsaEncrypt) \
     value(_, RsaDecrypt) \
     value(_, RsaVerify)
 UJSON_SERDE_ENUM(RsaSubcommand, rsa_subcommand_t, RSA_SUBCOMMAND);
@@ -47,6 +48,18 @@ UJSON_SERDE_STRUCT(CryptotestRsaVerify, cryptotest_rsa_verify_t, RSA_VERIFY);
     field(padding, size_t)
 UJSON_SERDE_STRUCT(CryptotestRsaDecrypt, cryptotest_rsa_decrypt_t, RSA_DECRYPT);
 
+#define RSA_ENCRYPT(field, string) \
+    field(plaintext, uint8_t, RSA_CMD_MAX_MESSAGE_BYTES) \
+    field(plaintext_len, size_t) \
+    field(e, uint32_t) \
+    field(n, uint8_t, RSA_CMD_MAX_N_BYTES) \
+    field(security_level, size_t) \
+    field(label, uint8_t, RSA_CMD_MAX_MESSAGE_BYTES) \
+    field(label_len, size_t) \
+    field(hashing, size_t) \
+    field(padding, size_t)
+UJSON_SERDE_STRUCT(CryptotestRsaEncrypt, cryptotest_rsa_encrypt_t, RSA_ENCRYPT);
+
 #define RSA_VERIFY_RESP(field, string) \
     field(result, bool)
 UJSON_SERDE_STRUCT(CryptotestRsaVerifyResp, cryptotest_rsa_verify_resp_t, RSA_VERIFY_RESP);
@@ -57,6 +70,12 @@ UJSON_SERDE_STRUCT(CryptotestRsaVerifyResp, cryptotest_rsa_verify_resp_t, RSA_VE
     field(result, bool)
 UJSON_SERDE_STRUCT(CryptotestRsaDecryptResp, cryptotest_rsa_decrypt_resp_t, RSA_DECRYPT_RESP);
 
+#define RSA_ENCRYPT_RESP(field, string) \
+    field(ciphertext, uint8_t, RSA_CMD_MAX_MESSAGE_BYTES) \
+    field(ciphertext_len, size_t) \
+    field(result, bool)
+UJSON_SERDE_STRUCT(CryptotestRsaEncryptResp, cryptotest_rsa_encrypt_resp_t, RSA_ENCRYPT_RESP);
+
 #undef MODULE_ID
 
 // clang-format on

sw/host/tests/crypto/rsa_kat/src/main.rs

@@ -12,8 +12,8 @@ use serde::Deserialize;
 
 use cryptotest_commands::commands::CryptotestCommand;
 use cryptotest_commands::rsa_commands::{
-    CryptotestRsaDecrypt, CryptotestRsaDecryptResp, CryptotestRsaVerify, CryptotestRsaVerifyResp,
-    RsaSubcommand,
+    CryptotestRsaDecrypt, CryptotestRsaDecryptResp, CryptotestRsaEncrypt, CryptotestRsaEncryptResp,
+    CryptotestRsaVerify, CryptotestRsaVerifyResp, RsaSubcommand,
 };
 
 use opentitanlib::app::TransportWrapper;
@@ -152,6 +152,76 @@ fn run_rsa_testcase(
                 );
             }
         }
+        "encrypt" => {
+            // Send RsaEncrypt command.
+            RsaSubcommand::RsaEncrypt.send(spi_console)?;
+
+            // Convert the inputs into the expected format for the CL.
+            let ptx: Vec<_> = test_case.message.iter().copied().rev().collect();
+
+            // Assemble the input.
+            CryptotestRsaEncrypt {
+                plaintext: ArrayVec::try_from(ptx.as_slice()).unwrap(),
+                plaintext_len: test_case.message.len(),
+                e: test_case.e,
+                n: ArrayVec::try_from(n.as_slice()).unwrap(),
+                security_level: test_case.security_level,
+                label: ArrayVec::try_from(test_case.label.as_slice()).unwrap(),
+                label_len: test_case.label.len(),
+                hashing,
+                padding,
+            }
+            .send(spi_console)?;
+
+            // Get and evaluate the response.
+            let rsa_encrypt_resp =
+                CryptotestRsaEncryptResp::recv(spi_console, opts.timeout, false)?;
+            // Check if the encryption was successful.
+            assert_eq!(rsa_encrypt_resp.result, test_case.result);
+
+            // Use the received ciphertext, decrypt it, and compare it to the
+            // plaintext in the test vector.
+            if test_case.result {
+                // Decrypt it again and check if the plaintext matches.
+                // Send RsaDecrypt command.
+                CryptotestCommand::Rsa.send(spi_console)?;
+                RsaSubcommand::RsaDecrypt.send(spi_console)?;
+
+                // Convert the inputs into the expected format for the CL.
+                let d: Vec<_> = test_case.d.iter().copied().rev().collect();
+                let ctx: Vec<_> =
+                    Vec::from(&rsa_encrypt_resp.ciphertext[..rsa_encrypt_resp.ciphertext_len]);
+
+                // Assemble the input.
+                CryptotestRsaDecrypt {
+                    ciphertext: ArrayVec::try_from(ctx.as_slice()).unwrap(),
+                    ciphertext_len: rsa_encrypt_resp.ciphertext_len,
+                    e: test_case.e,
+                    d: ArrayVec::try_from(d.as_slice()).unwrap(),
+                    n: ArrayVec::try_from(n.as_slice()).unwrap(),
+                    security_level: test_case.security_level,
+                    label: ArrayVec::try_from(test_case.label.as_slice()).unwrap(),
+                    label_len: test_case.label.len(),
+                    hashing,
+                    padding,
+                }
+                .send(spi_console)?;
+
+                // Get and evaluate the response.
+                let rsa_decrypt_resp =
+                    CryptotestRsaDecryptResp::recv(spi_console, opts.timeout, false)?;
+                // Check if the decryption was successful.
+                assert_eq!(rsa_decrypt_resp.result, test_case.result);
+
+                if test_case.result {
+                    // Only check plaintext if the response is valid.
+                    assert_eq!(
+                        rsa_decrypt_resp.plaintext[0..test_case.message.len()],
+                        test_case.message[0..test_case.message.len()]
+                    );
+                }
+            }
+        }
         _ => panic!("Invalid operation"),
     };