p521: add Wycheproof test vectors (#957)
Generated using the `wycheproof2blb` utility:

    $ cargo run ~/src/wycheproof secp521r1 521 wycheproof.blb desc.txt

This required a small change to `wycheproof2blb`:

RustCrypto/utils#980

Includes the following test vectors:

ECDSA case 1 [valid] signature malleability
ECDSA case 2 [valid] valid
ECDSA case 3 [invalid] length of sequence contains leading 0
ECDSA case 4 [invalid] wrong length of sequence
ECDSA case 5 [invalid] wrong length of sequence
ECDSA case 6 [invalid] uint32 overflow in length of sequence
ECDSA case 7 [invalid] uint64 overflow in length of sequence
ECDSA case 8 [invalid] length of sequence = 2**31 - 1
ECDSA case 9 [invalid] length of sequence = 2**32 - 1
ECDSA case 10 [invalid] length of sequence = 2**40 - 1
ECDSA case 11 [invalid] length of sequence = 2**64 - 1
ECDSA case 12 [invalid] incorrect length of sequence
ECDSA case 13 [invalid] indefinite length without termination
ECDSA case 14 [invalid] indefinite length without termination
ECDSA case 15 [invalid] indefinite length without termination
ECDSA case 16 [invalid] removing sequence
ECDSA case 17 [invalid] lonely sequence tag
ECDSA case 18 [invalid] appending 0's to sequence
ECDSA case 19 [invalid] prepending 0's to sequence
ECDSA case 20 [invalid] appending unused 0's to sequence
ECDSA case 21 [invalid] appending null value to sequence
ECDSA case 22 [invalid] including garbage
ECDSA case 23 [invalid] including garbage
ECDSA case 24 [invalid] including garbage
ECDSA case 25 [invalid] including garbage
ECDSA case 26 [invalid] including garbage
ECDSA case 27 [invalid] including garbage
ECDSA case 28 [invalid] including garbage
ECDSA case 29 [invalid] including garbage
ECDSA case 30 [invalid] including garbage
ECDSA case 31 [invalid] including undefined tags
ECDSA case 32 [invalid] including undefined tags
ECDSA case 33 [invalid] including undefined tags
ECDSA case 34 [invalid] including undefined tags
ECDSA case 35 [invalid] including undefined tags
ECDSA case 36 [invalid] including undefined tags
ECDSA case 37 [invalid] truncated length of sequence
ECDSA case 38 [invalid] using composition with indefinite length
ECDSA case 39 [invalid] using composition with indefinite length
ECDSA case 40 [invalid] using composition with indefinite length
ECDSA case 41 [invalid] using composition with wrong tag
ECDSA case 42 [invalid] using composition with wrong tag
ECDSA case 43 [invalid] using composition with wrong tag
ECDSA case 44 [invalid] Replacing sequence with NULL
ECDSA case 45 [invalid] changing tag value of sequence
ECDSA case 46 [invalid] changing tag value of sequence
ECDSA case 47 [invalid] changing tag value of sequence
ECDSA case 48 [invalid] changing tag value of sequence
ECDSA case 49 [invalid] changing tag value of sequence
ECDSA case 50 [invalid] dropping value of sequence
ECDSA case 51 [invalid] using composition for sequence
ECDSA case 52 [invalid] truncated sequence
ECDSA case 53 [invalid] truncated sequence
ECDSA case 54 [invalid] indefinite length
ECDSA case 55 [invalid] indefinite length with truncated delimiter
ECDSA case 56 [invalid] indefinite length with additional element
ECDSA case 57 [invalid] indefinite length with truncated element
ECDSA case 58 [invalid] indefinite length with garbage
ECDSA case 59 [invalid] indefinite length with nonempty EOC
ECDSA case 60 [invalid] prepend empty sequence
ECDSA case 61 [invalid] append empty sequence
ECDSA case 62 [invalid] append garbage with high tag number
ECDSA case 63 [invalid] sequence of sequence
ECDSA case 64 [invalid] truncated sequence: removed last 1 elements
ECDSA case 65 [invalid] repeating element in sequence
ECDSA case 66 [invalid] long form encoding of length of integer
ECDSA case 67 [invalid] long form encoding of length of integer
ECDSA case 68 [invalid] length of integer contains leading 0
ECDSA case 69 [invalid] length of integer contains leading 0
ECDSA case 70 [invalid] wrong length of integer
ECDSA case 71 [invalid] wrong length of integer
ECDSA case 72 [invalid] wrong length of integer
ECDSA case 73 [invalid] wrong length of integer
ECDSA case 74 [invalid] uint32 overflow in length of integer
ECDSA case 75 [invalid] uint32 overflow in length of integer
ECDSA case 76 [invalid] uint64 overflow in length of integer
ECDSA case 77 [invalid] uint64 overflow in length of integer
ECDSA case 78 [invalid] length of integer = 2**31 - 1
ECDSA case 79 [invalid] length of integer = 2**31 - 1
ECDSA case 80 [invalid] length of integer = 2**32 - 1
ECDSA case 81 [invalid] length of integer = 2**32 - 1
ECDSA case 82 [invalid] length of integer = 2**40 - 1
ECDSA case 83 [invalid] length of integer = 2**40 - 1
ECDSA case 84 [invalid] length of integer = 2**64 - 1
ECDSA case 85 [invalid] length of integer = 2**64 - 1
ECDSA case 86 [invalid] incorrect length of integer
ECDSA case 87 [invalid] incorrect length of integer
ECDSA case 88 [invalid] removing integer
ECDSA case 89 [invalid] lonely integer tag
ECDSA case 90 [invalid] lonely integer tag
ECDSA case 91 [invalid] appending 0's to integer
ECDSA case 92 [invalid] appending 0's to integer
ECDSA case 93 [invalid] prepending 0's to integer
ECDSA case 94 [invalid] prepending 0's to integer
ECDSA case 95 [invalid] appending unused 0's to integer
ECDSA case 96 [invalid] appending null value to integer
ECDSA case 97 [invalid] appending null value to integer
ECDSA case 98 [invalid] truncated length of integer
ECDSA case 99 [invalid] truncated length of integer
ECDSA case 100 [invalid] Replacing integer with NULL
ECDSA case 101 [invalid] Replacing integer with NULL
ECDSA case 102 [invalid] changing tag value of integer
ECDSA case 103 [invalid] changing tag value of integer
ECDSA case 104 [invalid] changing tag value of integer
ECDSA case 105 [invalid] changing tag value of integer
ECDSA case 106 [invalid] changing tag value of integer
ECDSA case 107 [invalid] changing tag value of integer
ECDSA case 108 [invalid] changing tag value of integer
ECDSA case 109 [invalid] changing tag value of integer
ECDSA case 110 [invalid] changing tag value of integer
ECDSA case 111 [invalid] changing tag value of integer
ECDSA case 112 [invalid] dropping value of integer
ECDSA case 113 [invalid] dropping value of integer
ECDSA case 114 [invalid] using composition for integer
ECDSA case 115 [invalid] using composition for integer
ECDSA case 116 [invalid] modify first byte of integer
ECDSA case 117 [invalid] modify first byte of integer
ECDSA case 118 [invalid] modify last byte of integer
ECDSA case 119 [invalid] modify last byte of integer
ECDSA case 120 [invalid] truncated integer
ECDSA case 121 [invalid] truncated integer
ECDSA case 122 [invalid] truncated integer
ECDSA case 123 [invalid] truncated integer
ECDSA case 124 [invalid] leading ff in integer
ECDSA case 125 [invalid] leading ff in integer
ECDSA case 126 [invalid] replaced integer by infinity
ECDSA case 127 [invalid] replaced integer by infinity
ECDSA case 128 [invalid] replacing integer with zero
ECDSA case 129 [invalid] replacing integer with zero
ECDSA case 130 [invalid] Modified r or s, e.g. by adding or subtracting the order of the group
ECDSA case 131 [invalid] Modified r or s, e.g. by adding or subtracting the order of the group
ECDSA case 132 [invalid] Modified r or s, e.g. by adding or subtracting the order of the group
ECDSA case 133 [invalid] Modified r or s, e.g. by adding or subtracting the order of the group
ECDSA case 134 [invalid] Modified r or s, e.g. by adding or subtracting the order of the group
ECDSA case 135 [invalid] Modified r or s, e.g. by adding or subtracting the order of the group
ECDSA case 136 [invalid] Modified r or s, e.g. by adding or subtracting the order of the group
ECDSA case 137 [invalid] Modified r or s, e.g. by adding or subtracting the order of the group
ECDSA case 138 [invalid] Modified r or s, e.g. by adding or subtracting the order of the group
ECDSA case 139 [invalid] Modified r or s, e.g. by adding or subtracting the order of the group
ECDSA case 140 [invalid] Modified r or s, e.g. by adding or subtracting the order of the group
ECDSA case 141 [invalid] Modified r or s, e.g. by adding or subtracting the order of the group
ECDSA case 142 [invalid] Modified r or s, e.g. by adding or subtracting the order of the group
ECDSA case 143 [invalid] Modified r or s, e.g. by adding or subtracting the order of the group
ECDSA case 144 [invalid] Modified r or s, e.g. by adding or subtracting the order of the group
ECDSA case 145 [invalid] Signature with special case values for r and s
ECDSA case 146 [invalid] Signature with special case values for r and s
ECDSA case 147 [invalid] Signature with special case values for r and s
ECDSA case 148 [invalid] Signature with special case values for r and s
ECDSA case 149 [invalid] Signature with special case values for r and s
ECDSA case 150 [invalid] Signature with special case values for r and s
ECDSA case 151 [invalid] Signature with special case values for r and s
ECDSA case 152 [invalid] Signature with special case values for r and s
ECDSA case 153 [invalid] Signature with special case values for r and s
ECDSA case 154 [invalid] Signature with special case values for r and s
ECDSA case 155 [invalid] Signature with special case values for r and s
ECDSA case 156 [invalid] Signature with special case values for r and s
ECDSA case 157 [invalid] Signature with special case values for r and s
ECDSA case 158 [invalid] Signature with special case values for r and s
ECDSA case 159 [invalid] Signature with special case values for r and s
ECDSA case 160 [invalid] Signature with special case values for r and s
ECDSA case 161 [invalid] Signature with special case values for r and s
ECDSA case 162 [invalid] Signature with special case values for r and s
ECDSA case 163 [invalid] Signature with special case values for r and s
ECDSA case 164 [invalid] Signature with special case values for r and s
ECDSA case 165 [invalid] Signature with special case values for r and s
ECDSA case 166 [invalid] Signature with special case values for r and s
ECDSA case 167 [invalid] Signature with special case values for r and s
ECDSA case 168 [invalid] Signature with special case values for r and s
ECDSA case 169 [invalid] Signature with special case values for r and s
ECDSA case 170 [invalid] Signature with special case values for r and s
ECDSA case 171 [invalid] Signature with special case values for r and s
ECDSA case 172 [invalid] Signature with special case values for r and s
ECDSA case 173 [invalid] Signature with special case values for r and s
ECDSA case 174 [invalid] Signature with special case values for r and s
ECDSA case 175 [invalid] Signature with special case values for r and s
ECDSA case 176 [invalid] Signature with special case values for r and s
ECDSA case 177 [invalid] Signature with special case values for r and s
ECDSA case 178 [invalid] Signature with special case values for r and s
ECDSA case 179 [invalid] Signature with special case values for r and s
ECDSA case 180 [invalid] Signature with special case values for r and s
ECDSA case 181 [invalid] Signature with special case values for r and s
ECDSA case 182 [invalid] Signature with special case values for r and s
ECDSA case 183 [invalid] Signature with special case values for r and s
ECDSA case 184 [invalid] Signature with special case values for r and s
ECDSA case 185 [invalid] Signature with special case values for r and s
ECDSA case 186 [invalid] Signature with special case values for r and s
ECDSA case 187 [invalid] Signature with special case values for r and s
ECDSA case 188 [invalid] Signature with special case values for r and s
ECDSA case 189 [invalid] Signature with special case values for r and s
ECDSA case 190 [invalid] Signature with special case values for r and s
ECDSA case 191 [invalid] Signature with special case values for r and s
ECDSA case 192 [invalid] Signature with special case values for r and s
ECDSA case 193 [invalid] Signature with special case values for r and s
ECDSA case 194 [invalid] Signature with special case values for r and s
ECDSA case 195 [invalid] Signature with special case values for r and s
ECDSA case 196 [invalid] Signature with special case values for r and s
ECDSA case 197 [invalid] Signature with special case values for r and s
ECDSA case 198 [invalid] Signature with special case values for r and s
ECDSA case 199 [invalid] Signature with special case values for r and s
ECDSA case 200 [invalid] Signature with special case values for r and s
ECDSA case 201 [invalid] Signature with special case values for r and s
ECDSA case 202 [invalid] Signature with special case values for r and s
ECDSA case 203 [invalid] Signature with special case values for r and s
ECDSA case 204 [invalid] Signature with special case values for r and s
ECDSA case 205 [invalid] Signature with special case values for r and s
ECDSA case 206 [invalid] Signature with special case values for r and s
ECDSA case 207 [invalid] Signature with special case values for r and s
ECDSA case 208 [invalid] Signature with special case values for r and s
ECDSA case 209 [invalid] Signature with special case values for r and s
ECDSA case 210 [invalid] Signature with special case values for r and s
ECDSA case 211 [invalid] Signature with special case values for r and s
ECDSA case 212 [invalid] Signature with special case values for r and s
ECDSA case 213 [invalid] Signature with special case values for r and s
ECDSA case 214 [invalid] Signature with special case values for r and s
ECDSA case 215 [invalid] Signature with special case values for r and s
ECDSA case 216 [invalid] Signature with special case values for r and s
ECDSA case 217 [invalid] Signature with special case values for r and s
ECDSA case 218 [invalid] Signature with special case values for r and s
ECDSA case 219 [invalid] Signature with special case values for r and s
ECDSA case 220 [invalid] Signature with special case values for r and s
ECDSA case 221 [invalid] Signature with special case values for r and s
ECDSA case 222 [invalid] Signature with special case values for r and s
ECDSA case 223 [invalid] Signature with special case values for r and s
ECDSA case 224 [invalid] Signature with special case values for r and s
ECDSA case 225 [invalid] Signature encoding contains wrong types.
ECDSA case 226 [invalid] Signature encoding contains wrong types.
ECDSA case 227 [invalid] Signature encoding contains wrong types.
ECDSA case 228 [invalid] Signature encoding contains wrong types.
ECDSA case 229 [invalid] Signature encoding contains wrong types.
ECDSA case 230 [invalid] Signature encoding contains wrong types.
ECDSA case 231 [valid] Edge case for Shamir multiplication
ECDSA case 232 [valid] special case hash
ECDSA case 233 [valid] special case hash
ECDSA case 234 [valid] special case hash
ECDSA case 235 [valid] special case hash
ECDSA case 236 [valid] special case hash
ECDSA case 237 [valid] special case hash
ECDSA case 238 [valid] special case hash
ECDSA case 239 [valid] special case hash
ECDSA case 240 [valid] special case hash
ECDSA case 241 [valid] special case hash
ECDSA case 242 [valid] special case hash
ECDSA case 243 [valid] special case hash
ECDSA case 244 [valid] special case hash
ECDSA case 245 [valid] special case hash
ECDSA case 246 [valid] special case hash
ECDSA case 247 [valid] special case hash
ECDSA case 248 [valid] special case hash
ECDSA case 249 [valid] special case hash
ECDSA case 250 [valid] special case hash
ECDSA case 251 [valid] special case hash
ECDSA case 252 [valid] special case hash
ECDSA case 253 [valid] special case hash
ECDSA case 254 [valid] special case hash
ECDSA case 255 [valid] special case hash
ECDSA case 256 [valid] special case hash
ECDSA case 257 [valid] special case hash
ECDSA case 258 [valid] special case hash
ECDSA case 259 [valid] special case hash
ECDSA case 260 [valid] special case hash
ECDSA case 261 [valid] special case hash
ECDSA case 262 [valid] special case hash
ECDSA case 263 [valid] special case hash
ECDSA case 264 [valid] special case hash
ECDSA case 265 [valid] special case hash
ECDSA case 266 [valid] special case hash
ECDSA case 267 [valid] special case hash
ECDSA case 268 [valid] special case hash
ECDSA case 269 [valid] special case hash
ECDSA case 270 [valid] special case hash
ECDSA case 271 [valid] special case hash
ECDSA case 272 [valid] special case hash
ECDSA case 273 [valid] special case hash
ECDSA case 274 [valid] special case hash
ECDSA case 275 [valid] special case hash
ECDSA case 276 [valid] special case hash
ECDSA case 277 [valid] special case hash
ECDSA case 278 [valid] special case hash
ECDSA case 279 [valid] special case hash
ECDSA case 280 [valid] special case hash
ECDSA case 281 [valid] special case hash
ECDSA case 282 [valid] special case hash
ECDSA case 283 [valid] special case hash
ECDSA case 284 [valid] special case hash
ECDSA case 285 [valid] special case hash
ECDSA case 286 [valid] special case hash
ECDSA case 287 [valid] special case hash
ECDSA case 288 [valid] special case hash
ECDSA case 289 [valid] special case hash
ECDSA case 290 [valid] special case hash
ECDSA case 291 [valid] special case hash
ECDSA case 292 [valid] special case hash
ECDSA case 293 [valid] special case hash
ECDSA case 294 [valid] special case hash
ECDSA case 295 [valid] special case hash
ECDSA case 296 [valid] special case hash
ECDSA case 297 [valid] special case hash
ECDSA case 298 [valid] special case hash
ECDSA case 299 [valid] special case hash
ECDSA case 300 [valid] special case hash
ECDSA case 301 [valid] special case hash
ECDSA case 302 [valid] special case hash
ECDSA case 303 [valid] special case hash
ECDSA case 304 [valid] special case hash
ECDSA case 305 [valid] special case hash
ECDSA case 306 [valid] special case hash
ECDSA case 307 [valid] special case hash
ECDSA case 308 [valid] special case hash
ECDSA case 309 [valid] special case hash
ECDSA case 310 [valid] special case hash
ECDSA case 311 [valid] special case hash
ECDSA case 312 [valid] special case hash
ECDSA case 313 [valid] special case hash
ECDSA case 314 [valid] special case hash
ECDSA case 315 [valid] special case hash
ECDSA case 316 [valid] special case hash
ECDSA case 317 [valid] special case hash
ECDSA case 318 [valid] special case hash
ECDSA case 319 [valid] special case hash
ECDSA case 320 [valid] special case hash
ECDSA case 321 [valid] special case hash
ECDSA case 322 [valid] special case hash
ECDSA case 323 [valid] special case hash
ECDSA case 324 [valid] special case hash
ECDSA case 325 [valid] special case hash
ECDSA case 326 [valid] special case hash
ECDSA case 327 [valid] special case hash
ECDSA case 328 [valid] special case hash
ECDSA case 329 [valid] special case hash
ECDSA case 330 [valid] special case hash
ECDSA case 331 [valid] special case hash
ECDSA case 332 [valid] special case hash
ECDSA case 333 [valid] special case hash
ECDSA case 334 [valid] special case hash
ECDSA case 335 [valid] special case hash
ECDSA case 336 [valid] special case hash
ECDSA case 337 [valid] special case hash
ECDSA case 338 [valid] special case hash
ECDSA case 339 [valid] special case hash
ECDSA case 340 [valid] special case hash
ECDSA case 341 [valid] special case hash
ECDSA case 342 [valid] special case hash
ECDSA case 343 [valid] special case hash
ECDSA case 344 [valid] special case hash
ECDSA case 345 [valid] special case hash
ECDSA case 346 [valid] special case hash
ECDSA case 347 [valid] special case hash
ECDSA case 348 [valid] special case hash
ECDSA case 349 [valid] special case hash
ECDSA case 350 [valid] special case hash
ECDSA case 351 [valid] special case hash
ECDSA case 352 [valid] special case hash
ECDSA case 353 [valid] special case hash
ECDSA case 354 [valid] special case hash
ECDSA case 355 [valid] k*G has a large x-coordinate
ECDSA case 356 [invalid] r too large
ECDSA case 357 [valid] r,s are large
ECDSA case 358 [valid] r and s^-1 have a large Hamming weight
ECDSA case 359 [valid] r and s^-1 have a large Hamming weight
ECDSA case 360 [valid] small r and s
ECDSA case 361 [valid] small r and s
ECDSA case 362 [valid] small r and s
ECDSA case 363 [invalid] r is larger than n
ECDSA case 364 [invalid] s is larger than n
ECDSA case 365 [valid] small r and s^-1
ECDSA case 366 [valid] smallish r and s^-1
ECDSA case 367 [valid] 100-bit r and small s^-1
ECDSA case 368 [valid] small r and 100 bit s^-1
ECDSA case 369 [valid] 100-bit r and s^-1
ECDSA case 370 [valid] r and s^-1 are close to n
ECDSA case 371 [valid] s == 1
ECDSA case 372 [invalid] s == 0
ECDSA case 373 [invalid] point at infinity during verify
ECDSA case 374 [valid] edge case for signature malleability
ECDSA case 375 [valid] edge case for signature malleability
ECDSA case 376 [valid] u1 == 1
ECDSA case 377 [valid] u1 == n - 1
ECDSA case 378 [valid] u2 == 1
ECDSA case 379 [valid] u2 == n - 1
ECDSA case 380 [valid] edge case for u1
ECDSA case 381 [valid] edge case for u1
ECDSA case 382 [valid] edge case for u1
ECDSA case 383 [valid] edge case for u1
ECDSA case 384 [valid] edge case for u1
ECDSA case 385 [valid] edge case for u1
ECDSA case 386 [valid] edge case for u1
ECDSA case 387 [valid] edge case for u1
ECDSA case 388 [valid] edge case for u1
ECDSA case 389 [valid] edge case for u1
ECDSA case 390 [valid] edge case for u1
ECDSA case 391 [valid] edge case for u1
ECDSA case 392 [valid] edge case for u1
ECDSA case 393 [valid] edge case for u1
ECDSA case 394 [valid] edge case for u2
ECDSA case 395 [valid] edge case for u2
ECDSA case 396 [valid] edge case for u2
ECDSA case 397 [valid] edge case for u2
ECDSA case 398 [valid] edge case for u2
ECDSA case 399 [valid] edge case for u2
ECDSA case 400 [valid] edge case for u2
ECDSA case 401 [valid] edge case for u2
ECDSA case 402 [valid] edge case for u2
ECDSA case 403 [valid] edge case for u2
ECDSA case 404 [valid] edge case for u2
ECDSA case 405 [valid] edge case for u2
ECDSA case 406 [valid] edge case for u2
ECDSA case 407 [valid] edge case for u2
ECDSA case 408 [valid] point duplication during verification
ECDSA case 409 [invalid] duplication bug
ECDSA case 410 [invalid] point with x-coordinate 0
ECDSA case 411 [invalid] point with x-coordinate 0
ECDSA case 412 [invalid] comparison with point at infinity
ECDSA case 413 [valid] extreme value for k and edgecase s
ECDSA case 414 [valid] extreme value for k and s^-1
ECDSA case 415 [valid] extreme value for k and s^-1
ECDSA case 416 [valid] extreme value for k and s^-1
ECDSA case 417 [valid] extreme value for k and s^-1
ECDSA case 418 [valid] extreme value for k
ECDSA case 419 [valid] extreme value for k and edgecase s
ECDSA case 420 [valid] extreme value for k and s^-1
ECDSA case 421 [valid] extreme value for k and s^-1
ECDSA case 422 [valid] extreme value for k and s^-1
ECDSA case 423 [valid] extreme value for k and s^-1
ECDSA case 424 [valid] extreme value for k
ECDSA case 425 [invalid] testing point duplication
ECDSA case 426 [invalid] testing point duplication
ECDSA case 427 [invalid] testing point duplication
ECDSA case 428 [invalid] testing point duplication
ECDSA case 429 [valid] pseudorandom signature
ECDSA case 430 [valid] pseudorandom signature
ECDSA case 431 [valid] pseudorandom signature
ECDSA case 432 [valid] pseudorandom signature
ECDSA case 433 [valid] y-coordinate of the public key is small
ECDSA case 434 [valid] y-coordinate of the public key is small
ECDSA case 435 [valid] y-coordinate of the public key is small
ECDSA case 436 [valid] y-coordinate of the public key is large
ECDSA case 437 [valid] y-coordinate of the public key is large
ECDSA case 438 [valid] y-coordinate of the public key is large
ECDSA case 439 [valid] x-coordinate of the public key is small
ECDSA case 440 [valid] x-coordinate of the public key is small
ECDSA case 441 [valid] x-coordinate of the public key is small
ECDSA case 442 [valid] x-coordinate of the public key is large
ECDSA case 443 [valid] x-coordinate of the public key is large
ECDSA case 444 [valid] x-coordinate of the public key is large
ECDSA case 445 [valid] y-coordinate of the public key has many trailing 1's
ECDSA case 446 [valid] y-coordinate of the public key has many trailing 1's
ECDSA case 447 [valid] y-coordinate of the public key has many trailing 1's
tarcieri authored Nov 10, 2023
1 parent 62a4091 commit 3055a69
Showing 4 changed files with 87 additions and 5 deletions.
1 change: 1 addition & 0 deletions Cargo.lock

1 change: 1 addition & 0 deletions p521/Cargo.toml
@@ -27,6 +27,7 @@ rand_core = { version = "0.6", optional = true, default-features = false }
sha2 = { version = "0.10", optional = true, default-features = false }

[dev-dependencies]
blobby = "0.3"
ecdsa-core = { version = "0.16", package = "ecdsa", default-features = false, features = ["dev"] }
hex-literal = "0.4"
primeorder = { version = "0.13.3", features = ["dev"], path = "../primeorder" }
90 changes: 85 additions & 5 deletions p521/src/ecdsa.rs
@@ -241,9 +241,89 @@ mod tests {
ecdsa_core::new_verification_test!(NistP521, ECDSA_TEST_VECTORS);
}

// TODO(tarcieri): wycheproof test vectors
// mod wycheproof {
// use crate::NistP521;
// ecdsa_core::new_wycheproof_test!(wycheproof, "wycheproof", NistP521);
// }
mod wycheproof {
use crate::{
ecdsa::{Signature, Verifier, VerifyingKey},
EncodedPoint, NistP521,
};

// TODO: use ecdsa_core::new_wycheproof_test!(wycheproof, "wycheproof", NistP521);
#[test]
fn wycheproof() {
use blobby::Blob5Iterator;
use elliptic_curve::generic_array::typenum::Unsigned;

// Build a field element but allow for too-short input (left pad with zeros)
// or too-long input (check excess leftmost bytes are zeros).
fn element_from_padded_slice<C: elliptic_curve::Curve>(
data: &[u8],
) -> elliptic_curve::FieldBytes<C> {
let point_len = C::FieldBytesSize::USIZE;
if data.len() >= point_len {
let offset = data.len() - point_len;
for v in data.iter().take(offset) {
assert_eq!(*v, 0, "EcdsaVerifier: point too large");
}
elliptic_curve::FieldBytes::<C>::clone_from_slice(&data[offset..])
} else {
// Provided slice is too short and needs to be padded with zeros
// on the left. Build a combined exact iterator to do this.
let iter = core::iter::repeat(0)
.take(point_len - data.len())
.chain(data.iter().cloned());
elliptic_curve::FieldBytes::<C>::from_exact_iter(iter).unwrap()
}
}

fn run_test(
wx: &[u8],
wy: &[u8],
msg: &[u8],
sig: &[u8],
pass: bool,
) -> Option<&'static str> {
let x = element_from_padded_slice::<NistP521>(wx);
let y = element_from_padded_slice::<NistP521>(wy);
let q_encoded =
EncodedPoint::from_affine_coordinates(&x, &y, /* compress= */ false);
let verifying_key = VerifyingKey::from_encoded_point(&q_encoded).unwrap();

let sig = match Signature::from_der(sig) {
Ok(s) => s,
Err(_) if !pass => return None,
Err(_) => return Some("failed to parse signature ASN.1"),
};

match verifying_key.verify(msg, &sig) {
Ok(_) if pass => None,
Ok(_) => Some("signature verify unexpectedly succeeded"),
Err(_) if !pass => None,
Err(_) => Some("signature verify failed"),
}
}

let data = include_bytes!(concat!("test_vectors/data/wycheproof.blb"));

for (i, row) in Blob5Iterator::new(data).unwrap().enumerate() {
let [wx, wy, msg, sig, status] = row.unwrap();
let pass = match status[0] {
0 => false,
1 => true,
_ => panic!("invalid value for pass flag"),
};
if let Some(desc) = run_test(wx, wy, msg, sig, pass) {
panic!(
"\n\
Failed test №{}: {}\n\
wx:\t{:?}\n\
wy:\t{:?}\n\
msg:\t{:?}\n\
sig:\t{:?}\n\
pass:\t{}\n",
i, desc, wx, wy, msg, sig, pass,
);
}
}
}
}
}
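Review bot: The `for (i, row) in Blob5Iterator::new(data).unwrap().enumerate()` loop in `wycheproof()` passes vacuously if `wycheproof.blb` is empty or truncated, and because the blob is binary and not rendered in review, a loss of coverage would go unnoticed. Pinning the vector count after the loop would catch that, e.g. `assert_eq!(Blob5Iterator::new(data).unwrap().count(), 447, "unexpected number of Wycheproof vectors");`, with 447 taken from the case list in the commit message. Separately, `VerifyingKey::from_encoded_point(&q_encoded).unwrap()` in `run_test` panics without the test index if a vector ever carries an invalid public key; returning `Some("invalid public key")` for `pass` vectors and `None` otherwise would keep the failure report uniform. The enclosing `mod tests` opens outside this hunk.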
Binary file added p521/src/test_vectors/data/wycheproof.blb
Binary file not shown.
