// Copyright (c) 2011 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "crypto/signature_verifier.h"
#include "testing/gtest/include/gtest/gtest.h"

TEST(SignatureVerifierTest, BasicTest) {
  // The input data in this test comes from real certificates.
  //
  // tbs_certificate ("to-be-signed certificate", the part of a certificate
  // that is signed), signature_algorithm, and algorithm come from the
  // certificate of bugs.webkit.org.
  //
  // public_key_info comes from the certificate of the issuer, Go Daddy Secure
  // Certification Authority.
  //
  // The bytes in the array initializers are formatted to expose the DER
  // encoding of the ASN.1 structures.

  // The data that is signed is the following ASN.1 structure:
  //    TBSCertificate  ::=  SEQUENCE  {
  //        ...  -- omitted, not important
  //        }
  const uint8 tbs_certificate[1017] = {
    0x30, 0x82, 0x03, 0xf5,  // a SEQUENCE of length 1013 (0x3f5)
    0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x03, 0x43, 0xdd, 0x63, 0x30, 0x0d,
    0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05,
    0x00, 0x30, 0x81, 0xca, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04,
    0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55,
    0x04, 0x08, 0x13, 0x07, 0x41, 0x72, 0x69, 0x7a, 0x6f, 0x6e, 0x61, 0x31,
    0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x0a, 0x53, 0x63,
    0x6f, 0x74, 0x74, 0x73, 0x64, 0x61, 0x6c, 0x65, 0x31, 0x1a, 0x30, 0x18,
    0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x11, 0x47, 0x6f, 0x44, 0x61, 0x64,
    0x64, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e,
    0x31, 0x33, 0x30, 0x31, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x2a, 0x68,
    0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66,
    0x69, 0x63, 0x61, 0x74, 0x65, 0x73, 0x2e, 0x67, 0x6f, 0x64, 0x61, 0x64,
    0x64, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x72, 0x65, 0x70, 0x6f, 0x73,
    0x69, 0x74, 0x6f, 0x72, 0x79, 0x31, 0x30, 0x30, 0x2e, 0x06, 0x03, 0x55,
    0x04, 0x03, 0x13, 0x27, 0x47, 0x6f, 0x20, 0x44, 0x61, 0x64, 0x64, 0x79,
    0x20, 0x53, 0x65, 0x63, 0x75, 0x72, 0x65, 0x20, 0x43, 0x65, 0x72, 0x74,
    0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x41, 0x75,
    0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x31, 0x11, 0x30, 0x0f, 0x06,
    0x03, 0x55, 0x04, 0x05, 0x13, 0x08, 0x30, 0x37, 0x39, 0x36, 0x39, 0x32,
    0x38, 0x37, 0x30, 0x1e, 0x17, 0x0d, 0x30, 0x38, 0x30, 0x33, 0x31, 0x38,
    0x32, 0x33, 0x33, 0x35, 0x31, 0x39, 0x5a, 0x17, 0x0d, 0x31, 0x31, 0x30,
    0x33, 0x31, 0x38, 0x32, 0x33, 0x33, 0x35, 0x31, 0x39, 0x5a, 0x30, 0x79,
    0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55,
    0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x0a,
    0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x12,
    0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x09, 0x43, 0x75, 0x70,
    0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03,
    0x55, 0x04, 0x0a, 0x13, 0x0a, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x49,
    0x6e, 0x63, 0x2e, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x0b,
    0x13, 0x0c, 0x4d, 0x61, 0x63, 0x20, 0x4f, 0x53, 0x20, 0x46, 0x6f, 0x72,
    0x67, 0x65, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13,
    0x0c, 0x2a, 0x2e, 0x77, 0x65, 0x62, 0x6b, 0x69, 0x74, 0x2e, 0x6f, 0x72,
    0x67, 0x30, 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
    0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x81, 0x8d, 0x00, 0x30,
    0x81, 0x89, 0x02, 0x81, 0x81, 0x00, 0xa7, 0x62, 0x79, 0x41, 0xda, 0x28,
    0xf2, 0xc0, 0x4f, 0xe0, 0x25, 0xaa, 0xa1, 0x2e, 0x3b, 0x30, 0x94, 0xb5,
    0xc9, 0x26, 0x3a, 0x1b, 0xe2, 0xd0, 0xcc, 0xa2, 0x95, 0xe2, 0x91, 0xc0,
    0xf0, 0x40, 0x9e, 0x27, 0x6e, 0xbd, 0x6e, 0xde, 0x7c, 0xb6, 0x30, 0x5c,
    0xb8, 0x9b, 0x01, 0x2f, 0x92, 0x04, 0xa1, 0xef, 0x4a, 0xb1, 0x6c, 0xb1,
    0x7e, 0x8e, 0xcd, 0xa6, 0xf4, 0x40, 0x73, 0x1f, 0x2c, 0x96, 0xad, 0xff,
    0x2a, 0x6d, 0x0e, 0xba, 0x52, 0x84, 0x83, 0xb0, 0x39, 0xee, 0xc9, 0x39,
    0xdc, 0x1e, 0x34, 0xd0, 0xd8, 0x5d, 0x7a, 0x09, 0xac, 0xa9, 0xee, 0xca,
    0x65, 0xf6, 0x85, 0x3a, 0x6b, 0xee, 0xe4, 0x5c, 0x5e, 0xf8, 0xda, 0xd1,
    0xce, 0x88, 0x47, 0xcd, 0x06, 0x21, 0xe0, 0xb9, 0x4b, 0xe4, 0x07, 0xcb,
    0x57, 0xdc, 0xca, 0x99, 0x54, 0xf7, 0x0e, 0xd5, 0x17, 0x95, 0x05, 0x2e,
    0xe9, 0xb1, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0xce, 0x30,
    0x82, 0x01, 0xca, 0x30, 0x09, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x02,
    0x30, 0x00, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03,
    0x02, 0x05, 0xa0, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x04, 0x16,
    0x30, 0x14, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01,
    0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x02, 0x30, 0x57,
    0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x50, 0x30, 0x4e, 0x30, 0x4c, 0xa0,
    0x4a, 0xa0, 0x48, 0x86, 0x46, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f,
    0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x73,
    0x2e, 0x67, 0x6f, 0x64, 0x61, 0x64, 0x64, 0x79, 0x2e, 0x63, 0x6f, 0x6d,
    0x2f, 0x72, 0x65, 0x70, 0x6f, 0x73, 0x69, 0x74, 0x6f, 0x72, 0x79, 0x2f,
    0x67, 0x6f, 0x64, 0x61, 0x64, 0x64, 0x79, 0x65, 0x78, 0x74, 0x65, 0x6e,
    0x64, 0x65, 0x64, 0x69, 0x73, 0x73, 0x75, 0x69, 0x6e, 0x67, 0x33, 0x2e,
    0x63, 0x72, 0x6c, 0x30, 0x52, 0x06, 0x03, 0x55, 0x1d, 0x20, 0x04, 0x4b,
    0x30, 0x49, 0x30, 0x47, 0x06, 0x0b, 0x60, 0x86, 0x48, 0x01, 0x86, 0xfd,
    0x6d, 0x01, 0x07, 0x17, 0x02, 0x30, 0x38, 0x30, 0x36, 0x06, 0x08, 0x2b,
    0x06, 0x01, 0x05, 0x05, 0x07, 0x02, 0x01, 0x16, 0x2a, 0x68, 0x74, 0x74,
    0x70, 0x3a, 0x2f, 0x2f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63,
    0x61, 0x74, 0x65, 0x73, 0x2e, 0x67, 0x6f, 0x64, 0x61, 0x64, 0x64, 0x79,
    0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x72, 0x65, 0x70, 0x6f, 0x73, 0x69, 0x74,
    0x6f, 0x72, 0x79, 0x30, 0x7f, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05,
    0x07, 0x01, 0x01, 0x04, 0x73, 0x30, 0x71, 0x30, 0x23, 0x06, 0x08, 0x2b,
    0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x86, 0x17, 0x68, 0x74, 0x74,
    0x70, 0x3a, 0x2f, 0x2f, 0x6f, 0x63, 0x73, 0x70, 0x2e, 0x67, 0x6f, 0x64,
    0x61, 0x64, 0x64, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x4a, 0x06, 0x08,
    0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x02, 0x86, 0x3e, 0x68, 0x74,
    0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69,
    0x63, 0x61, 0x74, 0x65, 0x73, 0x2e, 0x67, 0x6f, 0x64, 0x61, 0x64, 0x64,
    0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x72, 0x65, 0x70, 0x6f, 0x73, 0x69,
    0x74, 0x6f, 0x72, 0x79, 0x2f, 0x67, 0x64, 0x5f, 0x69, 0x6e, 0x74, 0x65,
    0x72, 0x6d, 0x65, 0x64, 0x69, 0x61, 0x74, 0x65, 0x2e, 0x63, 0x72, 0x74,
    0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x48,
    0xdf, 0x60, 0x32, 0xcc, 0x89, 0x01, 0xb6, 0xdc, 0x2f, 0xe3, 0x73, 0xb5,
    0x9c, 0x16, 0x58, 0x32, 0x68, 0xa9, 0xc3, 0x30, 0x1f, 0x06, 0x03, 0x55,
    0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0xfd, 0xac, 0x61, 0x32,
    0x93, 0x6c, 0x45, 0xd6, 0xe2, 0xee, 0x85, 0x5f, 0x9a, 0xba, 0xe7, 0x76,
    0x99, 0x68, 0xcc, 0xe7, 0x30, 0x23, 0x06, 0x03, 0x55, 0x1d, 0x11, 0x04,
    0x1c, 0x30, 0x1a, 0x82, 0x0c, 0x2a, 0x2e, 0x77, 0x65, 0x62, 0x6b, 0x69,
    0x74, 0x2e, 0x6f, 0x72, 0x67, 0x82, 0x0a, 0x77, 0x65, 0x62, 0x6b, 0x69,
    0x74, 0x2e, 0x6f, 0x72, 0x67
  };

  // The signature algorithm is specified as the following ASN.1 structure:
  //    AlgorithmIdentifier  ::=  SEQUENCE  {
  //        algorithm               OBJECT IDENTIFIER,
  //        parameters              ANY DEFINED BY algorithm OPTIONAL  }
  //
  const uint8 signature_algorithm[15] = {
    0x30, 0x0d,  // a SEQUENCE of length 13 (0xd)
      0x06, 0x09,  // an OBJECT IDENTIFIER of length 9
        // 1.2.840.113549.1.1.5 - sha1WithRSAEncryption
        0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05,
      0x05, 0x00,  // a NULL of length 0
  };

  // RSA signature, a big integer in the big-endian byte order.
  const uint8 signature[256] = {
    0x1e, 0x6a, 0xe7, 0xe0, 0x4f, 0xe7, 0x4d, 0xd0, 0x69, 0x7c, 0xf8, 0x8f,
    0x99, 0xb4, 0x18, 0x95, 0x36, 0x24, 0x0f, 0x0e, 0xa3, 0xea, 0x34, 0x37,
    0xf4, 0x7d, 0xd5, 0x92, 0x35, 0x53, 0x72, 0x76, 0x3f, 0x69, 0xf0, 0x82,
    0x56, 0xe3, 0x94, 0x7a, 0x1d, 0x1a, 0x81, 0xaf, 0x9f, 0xc7, 0x43, 0x01,
    0x64, 0xd3, 0x7c, 0x0d, 0xc8, 0x11, 0x4e, 0x4a, 0xe6, 0x1a, 0xc3, 0x01,
    0x74, 0xe8, 0x35, 0x87, 0x5c, 0x61, 0xaa, 0x8a, 0x46, 0x06, 0xbe, 0x98,
    0x95, 0x24, 0x9e, 0x01, 0xe3, 0xe6, 0xa0, 0x98, 0xee, 0x36, 0x44, 0x56,
    0x8d, 0x23, 0x9c, 0x65, 0xea, 0x55, 0x6a, 0xdf, 0x66, 0xee, 0x45, 0xe8,
    0xa0, 0xe9, 0x7d, 0x9a, 0xba, 0x94, 0xc5, 0xc8, 0xc4, 0x4b, 0x98, 0xff,
    0x9a, 0x01, 0x31, 0x6d, 0xf9, 0x2b, 0x58, 0xe7, 0xe7, 0x2a, 0xc5, 0x4d,
    0xbb, 0xbb, 0xcd, 0x0d, 0x70, 0xe1, 0xad, 0x03, 0xf5, 0xfe, 0xf4, 0x84,
    0x71, 0x08, 0xd2, 0xbc, 0x04, 0x7b, 0x26, 0x1c, 0xa8, 0x0f, 0x9c, 0xd8,
    0x12, 0x6a, 0x6f, 0x2b, 0x67, 0xa1, 0x03, 0x80, 0x9a, 0x11, 0x0b, 0xe9,
    0xe0, 0xb5, 0xb3, 0xb8, 0x19, 0x4e, 0x0c, 0xa4, 0xd9, 0x2b, 0x3b, 0xc2,
    0xca, 0x20, 0xd3, 0x0c, 0xa4, 0xff, 0x93, 0x13, 0x1f, 0xfc, 0xba, 0x94,
    0x93, 0x8c, 0x64, 0x15, 0x2e, 0x28, 0xa9, 0x55, 0x8c, 0x2c, 0x48, 0xd3,
    0xd3, 0xc1, 0x50, 0x69, 0x19, 0xe8, 0x34, 0xd3, 0xf1, 0x04, 0x9f, 0x0a,
    0x7a, 0x21, 0x87, 0xbf, 0xb9, 0x59, 0x37, 0x2e, 0xf4, 0x71, 0xa5, 0x3e,
    0xbe, 0xcd, 0x70, 0x83, 0x18, 0xf8, 0x8a, 0x72, 0x85, 0x45, 0x1f, 0x08,
    0x01, 0x6f, 0x37, 0xf5, 0x2b, 0x7b, 0xea, 0xb9, 0x8b, 0xa3, 0xcc, 0xfd,
    0x35, 0x52, 0xdd, 0x66, 0xde, 0x4f, 0x30, 0xc5, 0x73, 0x81, 0xb6, 0xe8,
    0x3c, 0xd8, 0x48, 0x8a
  };

  // The public key is specified as the following ASN.1 structure:
  //   SubjectPublicKeyInfo  ::=  SEQUENCE  {
  //       algorithm            AlgorithmIdentifier,
  //       subjectPublicKey     BIT STRING  }
  const uint8 public_key_info[294] = {
    0x30, 0x82, 0x01, 0x22,  // a SEQUENCE of length 290 (0x122)
      // algorithm
      0x30, 0x0d,  // a SEQUENCE of length 13
        0x06, 0x09,  // an OBJECT IDENTIFIER of length 9
          0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01,
        0x05, 0x00,  // a NULL of length 0
      // subjectPublicKey
      0x03, 0x82, 0x01, 0x0f,  // a BIT STRING of length 271 (0x10f)
        0x00,  // number of unused bits
        0x30, 0x82, 0x01, 0x0a,  // a SEQUENCE of length 266 (0x10a)
          // modulus
          0x02, 0x82, 0x01, 0x01,  // an INTEGER of length 257 (0x101)
            0x00, 0xc4, 0x2d, 0xd5, 0x15, 0x8c, 0x9c, 0x26, 0x4c, 0xec,
            0x32, 0x35, 0xeb, 0x5f, 0xb8, 0x59, 0x01, 0x5a, 0xa6, 0x61,
            0x81, 0x59, 0x3b, 0x70, 0x63, 0xab, 0xe3, 0xdc, 0x3d, 0xc7,
            0x2a, 0xb8, 0xc9, 0x33, 0xd3, 0x79, 0xe4, 0x3a, 0xed, 0x3c,
            0x30, 0x23, 0x84, 0x8e, 0xb3, 0x30, 0x14, 0xb6, 0xb2, 0x87,
            0xc3, 0x3d, 0x95, 0x54, 0x04, 0x9e, 0xdf, 0x99, 0xdd, 0x0b,
            0x25, 0x1e, 0x21, 0xde, 0x65, 0x29, 0x7e, 0x35, 0xa8, 0xa9,
            0x54, 0xeb, 0xf6, 0xf7, 0x32, 0x39, 0xd4, 0x26, 0x55, 0x95,
            0xad, 0xef, 0xfb, 0xfe, 0x58, 0x86, 0xd7, 0x9e, 0xf4, 0x00,
            0x8d, 0x8c, 0x2a, 0x0c, 0xbd, 0x42, 0x04, 0xce, 0xa7, 0x3f,
            0x04, 0xf6, 0xee, 0x80, 0xf2, 0xaa, 0xef, 0x52, 0xa1, 0x69,
            0x66, 0xda, 0xbe, 0x1a, 0xad, 0x5d, 0xda, 0x2c, 0x66, 0xea,
            0x1a, 0x6b, 0xbb, 0xe5, 0x1a, 0x51, 0x4a, 0x00, 0x2f, 0x48,
            0xc7, 0x98, 0x75, 0xd8, 0xb9, 0x29, 0xc8, 0xee, 0xf8, 0x66,
            0x6d, 0x0a, 0x9c, 0xb3, 0xf3, 0xfc, 0x78, 0x7c, 0xa2, 0xf8,
            0xa3, 0xf2, 0xb5, 0xc3, 0xf3, 0xb9, 0x7a, 0x91, 0xc1, 0xa7,
            0xe6, 0x25, 0x2e, 0x9c, 0xa8, 0xed, 0x12, 0x65, 0x6e, 0x6a,
            0xf6, 0x12, 0x44, 0x53, 0x70, 0x30, 0x95, 0xc3, 0x9c, 0x2b,
            0x58, 0x2b, 0x3d, 0x08, 0x74, 0x4a, 0xf2, 0xbe, 0x51, 0xb0,
            0xbf, 0x87, 0xd0, 0x4c, 0x27, 0x58, 0x6b, 0xb5, 0x35, 0xc5,
            0x9d, 0xaf, 0x17, 0x31, 0xf8, 0x0b, 0x8f, 0xee, 0xad, 0x81,
            0x36, 0x05, 0x89, 0x08, 0x98, 0xcf, 0x3a, 0xaf, 0x25, 0x87,
            0xc0, 0x49, 0xea, 0xa7, 0xfd, 0x67, 0xf7, 0x45, 0x8e, 0x97,
            0xcc, 0x14, 0x39, 0xe2, 0x36, 0x85, 0xb5, 0x7e, 0x1a, 0x37,
            0xfd, 0x16, 0xf6, 0x71, 0x11, 0x9a, 0x74, 0x30, 0x16, 0xfe,
            0x13, 0x94, 0xa3, 0x3f, 0x84, 0x0d, 0x4f,
          // public exponent
          0x02, 0x03,  // an INTEGER of length 3
             0x01, 0x00, 0x01
  };

  // We use the signature verifier to perform four signature verification
  // tests.
  crypto::SignatureVerifier verifier;
  bool ok;

  // Test 1: feed all of the data to the verifier at once (a single
  // VerifyUpdate call).
  ok = verifier.VerifyInit(signature_algorithm,
                           sizeof(signature_algorithm),
                           signature, sizeof(signature),
                           public_key_info, sizeof(public_key_info));
  EXPECT_TRUE(ok);
  verifier.VerifyUpdate(tbs_certificate, sizeof(tbs_certificate));
  ok = verifier.VerifyFinal();
  EXPECT_TRUE(ok);

  // Test 2: feed the data to the verifier in three parts (three VerifyUpdate
  // calls).
  ok = verifier.VerifyInit(signature_algorithm,
                           sizeof(signature_algorithm),
                           signature, sizeof(signature),
                           public_key_info, sizeof(public_key_info));
  EXPECT_TRUE(ok);
  verifier.VerifyUpdate(tbs_certificate,       256);
  verifier.VerifyUpdate(tbs_certificate + 256, 256);
  verifier.VerifyUpdate(tbs_certificate + 512, sizeof(tbs_certificate) - 512);
  ok = verifier.VerifyFinal();
  EXPECT_TRUE(ok);

  // Test 3: verify the signature with incorrect data.
  uint8 bad_tbs_certificate[sizeof(tbs_certificate)];
  memcpy(bad_tbs_certificate, tbs_certificate, sizeof(tbs_certificate));
  bad_tbs_certificate[10] += 1;  // Corrupt one byte of the data.
  ok = verifier.VerifyInit(signature_algorithm,
                           sizeof(signature_algorithm),
                           signature, sizeof(signature),
                           public_key_info, sizeof(public_key_info));
  EXPECT_TRUE(ok);
  verifier.VerifyUpdate(bad_tbs_certificate, sizeof(bad_tbs_certificate));
  ok = verifier.VerifyFinal();
  EXPECT_FALSE(ok);

  // Test 4: verify a bad signature.
  uint8 bad_signature[sizeof(signature)];
  memcpy(bad_signature, signature, sizeof(signature));
  bad_signature[10] += 1;  // Corrupt one byte of the signature.
  ok = verifier.VerifyInit(signature_algorithm,
                           sizeof(signature_algorithm),
                           bad_signature, sizeof(bad_signature),
                           public_key_info, sizeof(public_key_info));

  // A crypto library (e.g., NSS) may detect that the signature is corrupted
  // and cause VerifyInit to return false, so it is fine for 'ok' to be false.
  if (ok) {
    verifier.VerifyUpdate(tbs_certificate, sizeof(tbs_certificate));
    ok = verifier.VerifyFinal();
    EXPECT_FALSE(ok);
  }
}

//////////////////////////////////////////////////////////////////////
//
// RSA-PSS signature verification known answer test
//
//////////////////////////////////////////////////////////////////////

// The following RSA-PSS signature test vectors come from the pss-vect.txt
// file downloaded from
// ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip.
//
// For each key, 6 random messages of length between 1 and 256 octets have
// been RSASSA-PSS signed.
//
// Hash function: SHA-1
// Mask generation function: MGF1 with SHA-1
// Salt length: 20 octets

// Example 1: A 1024-bit RSA Key Pair"

// RSA modulus n:
static const char rsa_modulus_n_1[] =
  "a5 6e 4a 0e 70 10 17 58 9a 51 87 dc 7e a8 41 d1 "
  "56 f2 ec 0e 36 ad 52 a4 4d fe b1 e6 1f 7a d9 91 "
  "d8 c5 10 56 ff ed b1 62 b4 c0 f2 83 a1 2a 88 a3 "
  "94 df f5 26 ab 72 91 cb b3 07 ce ab fc e0 b1 df "
  "d5 cd 95 08 09 6d 5b 2b 8b 6d f5 d6 71 ef 63 77 "
  "c0 92 1c b2 3c 27 0a 70 e2 59 8e 6f f8 9d 19 f1 "
  "05 ac c2 d3 f0 cb 35 f2 92 80 e1 38 6b 6f 64 c4 "
  "ef 22 e1 e1 f2 0d 0c e8 cf fb 22 49 bd 9a 21 37 ";
// RSA public exponent e: "
static const char rsa_public_exponent_e_1[] =
  "01 00 01 ";

// RSASSA-PSS Signature Example 1.1
// Message to be signed:
static const char message_1_1[] =
  "cd c8 7d a2 23 d7 86 df 3b 45 e0 bb bc 72 13 26 "
  "d1 ee 2a f8 06 cc 31 54 75 cc 6f 0d 9c 66 e1 b6 "
  "23 71 d4 5c e2 39 2e 1a c9 28 44 c3 10 10 2f 15 "
  "6a 0d 8d 52 c1 f4 c4 0b a3 aa 65 09 57 86 cb 76 "
  "97 57 a6 56 3b a9 58 fe d0 bc c9 84 e8 b5 17 a3 "
  "d5 f5 15 b2 3b 8a 41 e7 4a a8 67 69 3f 90 df b0 "
  "61 a6 e8 6d fa ae e6 44 72 c0 0e 5f 20 94 57 29 "
  "cb eb e7 7f 06 ce 78 e0 8f 40 98 fb a4 1f 9d 61 "
  "93 c0 31 7e 8b 60 d4 b6 08 4a cb 42 d2 9e 38 08 "
  "a3 bc 37 2d 85 e3 31 17 0f cb f7 cc 72 d0 b7 1c "
  "29 66 48 b3 a4 d1 0f 41 62 95 d0 80 7a a6 25 ca "
  "b2 74 4f d9 ea 8f d2 23 c4 25 37 02 98 28 bd 16 "
  "be 02 54 6f 13 0f d2 e3 3b 93 6d 26 76 e0 8a ed "
  "1b 73 31 8b 75 0a 01 67 d0 ";
// Salt:
static const char salt_1_1[] =
  "de e9 59 c7 e0 64 11 36 14 20 ff 80 18 5e d5 7f "
  "3e 67 76 af ";
// Signature:
static const char signature_1_1[] =
  "90 74 30 8f b5 98 e9 70 1b 22 94 38 8e 52 f9 71 "
  "fa ac 2b 60 a5 14 5a f1 85 df 52 87 b5 ed 28 87 "
  "e5 7c e7 fd 44 dc 86 34 e4 07 c8 e0 e4 36 0b c2 "
  "26 f3 ec 22 7f 9d 9e 54 63 8e 8d 31 f5 05 12 15 "
  "df 6e bb 9c 2f 95 79 aa 77 59 8a 38 f9 14 b5 b9 "
  "c1 bd 83 c4 e2 f9 f3 82 a0 d0 aa 35 42 ff ee 65 "
  "98 4a 60 1b c6 9e b2 8d eb 27 dc a1 2c 82 c2 d4 "
  "c3 f6 6c d5 00 f1 ff 2b 99 4d 8a 4e 30 cb b3 3c ";

// RSASSA-PSS Signature Example 1.2
// Message to be signed:
static const char message_1_2[] =
  "85 13 84 cd fe 81 9c 22 ed 6c 4c cb 30 da eb 5c "
  "f0 59 bc 8e 11 66 b7 e3 53 0c 4c 23 3e 2b 5f 8f "
  "71 a1 cc a5 82 d4 3e cc 72 b1 bc a1 6d fc 70 13 "
  "22 6b 9e ";
// Salt:
static const char salt_1_2[] =
  "ef 28 69 fa 40 c3 46 cb 18 3d ab 3d 7b ff c9 8f "
  "d5 6d f4 2d ";
// Signature:
static const char signature_1_2[] =
  "3e f7 f4 6e 83 1b f9 2b 32 27 41 42 a5 85 ff ce "
  "fb dc a7 b3 2a e9 0d 10 fb 0f 0c 72 99 84 f0 4e "
  "f2 9a 9d f0 78 07 75 ce 43 73 9b 97 83 83 90 db "
  "0a 55 05 e6 3d e9 27 02 8d 9d 29 b2 19 ca 2c 45 "
  "17 83 25 58 a5 5d 69 4a 6d 25 b9 da b6 60 03 c4 "
  "cc cd 90 78 02 19 3b e5 17 0d 26 14 7d 37 b9 35 "
  "90 24 1b e5 1c 25 05 5f 47 ef 62 75 2c fb e2 14 "
  "18 fa fe 98 c2 2c 4d 4d 47 72 4f db 56 69 e8 43 ";

// RSASSA-PSS Signature Example 1.3
// Message to be signed:
static const char message_1_3[] =
  "a4 b1 59 94 17 61 c4 0c 6a 82 f2 b8 0d 1b 94 f5 "
  "aa 26 54 fd 17 e1 2d 58 88 64 67 9b 54 cd 04 ef "
  "8b d0 30 12 be 8d c3 7f 4b 83 af 79 63 fa ff 0d "
  "fa 22 54 77 43 7c 48 01 7f f2 be 81 91 cf 39 55 "
  "fc 07 35 6e ab 3f 32 2f 7f 62 0e 21 d2 54 e5 db "
  "43 24 27 9f e0 67 e0 91 0e 2e 81 ca 2c ab 31 c7 "
  "45 e6 7a 54 05 8e b5 0d 99 3c db 9e d0 b4 d0 29 "
  "c0 6d 21 a9 4c a6 61 c3 ce 27 fa e1 d6 cb 20 f4 "
  "56 4d 66 ce 47 67 58 3d 0e 5f 06 02 15 b5 90 17 "
  "be 85 ea 84 89 39 12 7b d8 c9 c4 d4 7b 51 05 6c "
  "03 1c f3 36 f1 7c 99 80 f3 b8 f5 b9 b6 87 8e 8b "
  "79 7a a4 3b 88 26 84 33 3e 17 89 3f e9 ca a6 aa "
  "29 9f 7e d1 a1 8e e2 c5 48 64 b7 b2 b9 9b 72 61 "
  "8f b0 25 74 d1 39 ef 50 f0 19 c9 ee f4 16 97 13 "
  "38 e7 d4 70 ";
// Salt:
static const char salt_1_3[] =
  "71 0b 9c 47 47 d8 00 d4 de 87 f1 2a fd ce 6d f1 "
  "81 07 cc 77 ";
// Signature:
static const char signature_1_3[] =
  "66 60 26 fb a7 1b d3 e7 cf 13 15 7c c2 c5 1a 8e "
  "4a a6 84 af 97 78 f9 18 49 f3 43 35 d1 41 c0 01 "
  "54 c4 19 76 21 f9 62 4a 67 5b 5a bc 22 ee 7d 5b "
  "aa ff aa e1 c9 ba ca 2c c3 73 b3 f3 3e 78 e6 14 "
  "3c 39 5a 91 aa 7f ac a6 64 eb 73 3a fd 14 d8 82 "
  "72 59 d9 9a 75 50 fa ca 50 1e f2 b0 4e 33 c2 3a "
  "a5 1f 4b 9e 82 82 ef db 72 8c c0 ab 09 40 5a 91 "
  "60 7c 63 69 96 1b c8 27 0d 2d 4f 39 fc e6 12 b1 ";

// RSASSA-PSS Signature Example 1.4
// Message to be signed:
static const char message_1_4[] =
  "bc 65 67 47 fa 9e af b3 f0 ";
// Salt:
static const char salt_1_4[] =
  "05 6f 00 98 5d e1 4d 8e f5 ce a9 e8 2f 8c 27 be "
  "f7 20 33 5e ";
// Signature:
static const char signature_1_4[] =
  "46 09 79 3b 23 e9 d0 93 62 dc 21 bb 47 da 0b 4f "
  "3a 76 22 64 9a 47 d4 64 01 9b 9a ea fe 53 35 9c "
  "17 8c 91 cd 58 ba 6b cb 78 be 03 46 a7 bc 63 7f "
  "4b 87 3d 4b ab 38 ee 66 1f 19 96 34 c5 47 a1 ad "
  "84 42 e0 3d a0 15 b1 36 e5 43 f7 ab 07 c0 c1 3e "
  "42 25 b8 de 8c ce 25 d4 f6 eb 84 00 f8 1f 7e 18 "
  "33 b7 ee 6e 33 4d 37 09 64 ca 79 fd b8 72 b4 d7 "
  "52 23 b5 ee b0 81 01 59 1f b5 32 d1 55 a6 de 87 ";

// RSASSA-PSS Signature Example 1.5
// Message to be signed:
static const char message_1_5[] =
  "b4 55 81 54 7e 54 27 77 0c 76 8e 8b 82 b7 55 64 "
  "e0 ea 4e 9c 32 59 4d 6b ff 70 65 44 de 0a 87 76 "
  "c7 a8 0b 45 76 55 0e ee 1b 2a ca bc 7e 8b 7d 3e "
  "f7 bb 5b 03 e4 62 c1 10 47 ea dd 00 62 9a e5 75 "
  "48 0a c1 47 0f e0 46 f1 3a 2b f5 af 17 92 1d c4 "
  "b0 aa 8b 02 be e6 33 49 11 65 1d 7f 85 25 d1 0f "
  "32 b5 1d 33 be 52 0d 3d df 5a 70 99 55 a3 df e7 "
  "82 83 b9 e0 ab 54 04 6d 15 0c 17 7f 03 7f dc cc "
  "5b e4 ea 5f 68 b5 e5 a3 8c 9d 7e dc cc c4 97 5f "
  "45 5a 69 09 b4 ";
// Salt:
static const char salt_1_5[] =
  "80 e7 0f f8 6a 08 de 3e c6 09 72 b3 9b 4f bf dc "
  "ea 67 ae 8e ";
// Signature:
static const char signature_1_5[] =
  "1d 2a ad 22 1c a4 d3 1d df 13 50 92 39 01 93 98 "
  "e3 d1 4b 32 dc 34 dc 5a f4 ae ae a3 c0 95 af 73 "
  "47 9c f0 a4 5e 56 29 63 5a 53 a0 18 37 76 15 b1 "
  "6c b9 b1 3b 3e 09 d6 71 eb 71 e3 87 b8 54 5c 59 "
  "60 da 5a 64 77 6e 76 8e 82 b2 c9 35 83 bf 10 4c "
  "3f db 23 51 2b 7b 4e 89 f6 33 dd 00 63 a5 30 db "
  "45 24 b0 1c 3f 38 4c 09 31 0e 31 5a 79 dc d3 d6 "
  "84 02 2a 7f 31 c8 65 a6 64 e3 16 97 8b 75 9f ad ";

// RSASSA-PSS Signature Example 1.6
// Message to be signed:
static const char message_1_6[] =
  "10 aa e9 a0 ab 0b 59 5d 08 41 20 7b 70 0d 48 d7 "
  "5f ae dd e3 b7 75 cd 6b 4c c8 8a e0 6e 46 94 ec "
  "74 ba 18 f8 52 0d 4f 5e a6 9c bb e7 cc 2b eb a4 "
  "3e fd c1 02 15 ac 4e b3 2d c3 02 a1 f5 3d c6 c4 "
  "35 22 67 e7 93 6c fe bf 7c 8d 67 03 57 84 a3 90 "
  "9f a8 59 c7 b7 b5 9b 8e 39 c5 c2 34 9f 18 86 b7 "
  "05 a3 02 67 d4 02 f7 48 6a b4 f5 8c ad 5d 69 ad "
  "b1 7a b8 cd 0c e1 ca f5 02 5a f4 ae 24 b1 fb 87 "
  "94 c6 07 0c c0 9a 51 e2 f9 91 13 11 e3 87 7d 00 "
  "44 c7 1c 57 a9 93 39 50 08 80 6b 72 3a c3 83 73 "
  "d3 95 48 18 18 52 8c 1e 70 53 73 92 82 05 35 29 "
  "51 0e 93 5c d0 fa 77 b8 fa 53 cc 2d 47 4b d4 fb "
  "3c c5 c6 72 d6 ff dc 90 a0 0f 98 48 71 2c 4b cf "
  "e4 6c 60 57 36 59 b1 1e 64 57 e8 61 f0 f6 04 b6 "
  "13 8d 14 4f 8c e4 e2 da 73 ";
// Salt:
static const char salt_1_6[] =
  "a8 ab 69 dd 80 1f 00 74 c2 a1 fc 60 64 98 36 c6 "
  "16 d9 96 81 ";
// Signature:
static const char signature_1_6[] =
  "2a 34 f6 12 5e 1f 6b 0b f9 71 e8 4f bd 41 c6 32 "
  "be 8f 2c 2a ce 7d e8 b6 92 6e 31 ff 93 e9 af 98 "
  "7f bc 06 e5 1e 9b e1 4f 51 98 f9 1f 3f 95 3b d6 "
  "7d a6 0a 9d f5 97 64 c3 dc 0f e0 8e 1c be f0 b7 "
  "5f 86 8d 10 ad 3f ba 74 9f ef 59 fb 6d ac 46 a0 "
  "d6 e5 04 36 93 31 58 6f 58 e4 62 8f 39 aa 27 89 "
  "82 54 3b c0 ee b5 37 dc 61 95 80 19 b3 94 fb 27 "
  "3f 21 58 58 a0 a0 1a c4 d6 50 b9 55 c6 7f 4c 58 ";

// Example 9: A 1536-bit RSA Key Pair

// RSA modulus n:
static const char rsa_modulus_n_9[] =
  "e6 bd 69 2a c9 66 45 79 04 03 fd d0 f5 be b8 b9 "
  "bf 92 ed 10 00 7f c3 65 04 64 19 dd 06 c0 5c 5b "
  "5b 2f 48 ec f9 89 e4 ce 26 91 09 97 9c bb 40 b4 "
  "a0 ad 24 d2 24 83 d1 ee 31 5a d4 cc b1 53 42 68 "
  "35 26 91 c5 24 f6 dd 8e 6c 29 d2 24 cf 24 69 73 "
  "ae c8 6c 5b f6 b1 40 1a 85 0d 1b 9a d1 bb 8c bc "
  "ec 47 b0 6f 0f 8c 7f 45 d3 fc 8f 31 92 99 c5 43 "
  "3d db c2 b3 05 3b 47 de d2 ec d4 a4 ca ef d6 14 "
  "83 3d c8 bb 62 2f 31 7e d0 76 b8 05 7f e8 de 3f "
  "84 48 0a d5 e8 3e 4a 61 90 4a 4f 24 8f b3 97 02 "
  "73 57 e1 d3 0e 46 31 39 81 5c 6f d4 fd 5a c5 b8 "
  "17 2a 45 23 0e cb 63 18 a0 4f 14 55 d8 4e 5a 8b ";
// RSA public exponent e:
static const char rsa_public_exponent_e_9[] =
  "01 00 01 ";

// RSASSA-PSS Signature Example 9.1
// Message to be signed:
static const char message_9_1[] =
  "a8 8e 26 58 55 e9 d7 ca 36 c6 87 95 f0 b3 1b 59 "
  "1c d6 58 7c 71 d0 60 a0 b3 f7 f3 ea ef 43 79 59 "
  "22 02 8b c2 b6 ad 46 7c fc 2d 7f 65 9c 53 85 aa "
  "70 ba 36 72 cd de 4c fe 49 70 cc 79 04 60 1b 27 "
  "88 72 bf 51 32 1c 4a 97 2f 3c 95 57 0f 34 45 d4 "
  "f5 79 80 e0 f2 0d f5 48 46 e6 a5 2c 66 8f 12 88 "
  "c0 3f 95 00 6e a3 2f 56 2d 40 d5 2a f9 fe b3 2f "
  "0f a0 6d b6 5b 58 8a 23 7b 34 e5 92 d5 5c f9 79 "
  "f9 03 a6 42 ef 64 d2 ed 54 2a a8 c7 7d c1 dd 76 "
  "2f 45 a5 93 03 ed 75 e5 41 ca 27 1e 2b 60 ca 70 "
  "9e 44 fa 06 61 13 1e 8d 5d 41 63 fd 8d 39 85 66 "
  "ce 26 de 87 30 e7 2f 9c ca 73 76 41 c2 44 15 94 "
  "20 63 70 28 df 0a 18 07 9d 62 08 ea 8b 47 11 a2 "
  "c7 50 f5 ";
// Salt:
static const char salt_9_1[] =
  "c0 a4 25 31 3d f8 d7 56 4b d2 43 4d 31 15 23 d5 "
  "25 7e ed 80 ";
// Signature:
static const char signature_9_1[] =
  "58 61 07 22 6c 3c e0 13 a7 c8 f0 4d 1a 6a 29 59 "
  "bb 4b 8e 20 5b a4 3a 27 b5 0f 12 41 11 bc 35 ef "
  "58 9b 03 9f 59 32 18 7c b6 96 d7 d9 a3 2c 0c 38 "
  "30 0a 5c dd a4 83 4b 62 d2 eb 24 0a f3 3f 79 d1 "
  "3d fb f0 95 bf 59 9e 0d 96 86 94 8c 19 64 74 7b "
  "67 e8 9c 9a ba 5c d8 50 16 23 6f 56 6c c5 80 2c "
  "b1 3e ad 51 bc 7c a6 be f3 b9 4d cb db b1 d5 70 "
  "46 97 71 df 0e 00 b1 a8 a0 67 77 47 2d 23 16 27 "
  "9e da e8 64 74 66 8d 4e 1e ff f9 5f 1d e6 1c 60 "
  "20 da 32 ae 92 bb f1 65 20 fe f3 cf 4d 88 f6 11 "
  "21 f2 4b bd 9f e9 1b 59 ca f1 23 5b 2a 93 ff 81 "
  "fc 40 3a dd f4 eb de a8 49 34 a9 cd af 8e 1a 9e ";

// RSASSA-PSS Signature Example 9.2
// Message to be signed:
static const char message_9_2[] =
  "c8 c9 c6 af 04 ac da 41 4d 22 7e f2 3e 08 20 c3 "
  "73 2c 50 0d c8 72 75 e9 5b 0d 09 54 13 99 3c 26 "
  "58 bc 1d 98 85 81 ba 87 9c 2d 20 1f 14 cb 88 ce "
  "d1 53 a0 19 69 a7 bf 0a 7b e7 9c 84 c1 48 6b c1 "
  "2b 3f a6 c5 98 71 b6 82 7c 8c e2 53 ca 5f ef a8 "
  "a8 c6 90 bf 32 6e 8e 37 cd b9 6d 90 a8 2e ba b6 "
  "9f 86 35 0e 18 22 e8 bd 53 6a 2e ";
// Salt:
static const char salt_9_2[] =
  "b3 07 c4 3b 48 50 a8 da c2 f1 5f 32 e3 78 39 ef "
  "8c 5c 0e 91 ";
// Signature:
static const char signature_9_2[] =
  "80 b6 d6 43 25 52 09 f0 a4 56 76 38 97 ac 9e d2 "
  "59 d4 59 b4 9c 28 87 e5 88 2e cb 44 34 cf d6 6d "
  "d7 e1 69 93 75 38 1e 51 cd 7f 55 4f 2c 27 17 04 "
  "b3 99 d4 2b 4b e2 54 0a 0e ca 61 95 1f 55 26 7f "
  "7c 28 78 c1 22 84 2d ad b2 8b 01 bd 5f 8c 02 5f "
  "7e 22 84 18 a6 73 c0 3d 6b c0 c7 36 d0 a2 95 46 "
  "bd 67 f7 86 d9 d6 92 cc ea 77 8d 71 d9 8c 20 63 "
  "b7 a7 10 92 18 7a 4d 35 af 10 81 11 d8 3e 83 ea "
  "e4 6c 46 aa 34 27 7e 06 04 45 89 90 37 88 f1 d5 "
  "e7 ce e2 5f b4 85 e9 29 49 11 88 14 d6 f2 c3 ee "
  "36 14 89 01 6f 32 7f b5 bc 51 7e b5 04 70 bf fa "
  "1a fa 5f 4c e9 aa 0c e5 b8 ee 19 bf 55 01 b9 58 ";

// RSASSA-PSS Signature Example 9.3
// Message to be signed:
static const char message_9_3[] =
  "0a fa d4 2c cd 4f c6 06 54 a5 50 02 d2 28 f5 2a "
  "4a 5f e0 3b 8b bb 08 ca 82 da ca 55 8b 44 db e1 "
  "26 6e 50 c0 e7 45 a3 6d 9d 29 04 e3 40 8a bc d1 "
  "fd 56 99 94 06 3f 4a 75 cc 72 f2 fe e2 a0 cd 89 "
  "3a 43 af 1c 5b 8b 48 7d f0 a7 16 10 02 4e 4f 6d "
  "df 9f 28 ad 08 13 c1 aa b9 1b cb 3c 90 64 d5 ff "
  "74 2d ef fe a6 57 09 41 39 36 9e 5e a6 f4 a9 63 "
  "19 a5 cc 82 24 14 5b 54 50 62 75 8f ef d1 fe 34 "
  "09 ae 16 92 59 c6 cd fd 6b 5f 29 58 e3 14 fa ec "
  "be 69 d2 ca ce 58 ee 55 17 9a b9 b3 e6 d1 ec c1 "
  "4a 55 7c 5f eb e9 88 59 52 64 fc 5d a1 c5 71 46 "
  "2e ca 79 8a 18 a1 a4 94 0c da b4 a3 e9 20 09 cc "
  "d4 2e 1e 94 7b 13 14 e3 22 38 a2 de ce 7d 23 a8 "
  "9b 5b 30 c7 51 fd 0a 4a 43 0d 2c 54 85 94 ";
// Salt:
static const char salt_9_3[] =
  "9a 2b 00 7e 80 97 8b bb 19 2c 35 4e b7 da 9a ed "
  "fc 74 db f5 ";
// Signature:
static const char signature_9_3[] =
  "48 44 08 f3 89 8c d5 f5 34 83 f8 08 19 ef bf 27 "
  "08 c3 4d 27 a8 b2 a6 fa e8 b3 22 f9 24 02 37 f9 "
  "81 81 7a ca 18 46 f1 08 4d aa 6d 7c 07 95 f6 e5 "
  "bf 1a f5 9c 38 e1 85 84 37 ce 1f 7e c4 19 b9 8c "
  "87 36 ad f6 dd 9a 00 b1 80 6d 2b d3 ad 0a 73 77 "
  "5e 05 f5 2d fe f3 a5 9a b4 b0 81 43 f0 df 05 cd "
  "1a d9 d0 4b ec ec a6 da a4 a2 12 98 03 e2 00 cb "
  "c7 77 87 ca f4 c1 d0 66 3a 6c 59 87 b6 05 95 20 "
  "19 78 2c af 2e c1 42 6d 68 fb 94 ed 1d 4b e8 16 "
  "a7 ed 08 1b 77 e6 ab 33 0b 3f fc 07 38 20 fe cd "
  "e3 72 7f cb e2 95 ee 61 a0 50 a3 43 65 86 37 c3 "
  "fd 65 9c fb 63 73 6d e3 2d 9f 90 d3 c2 f6 3e ca ";

// RSASSA-PSS Signature Example 9.4
// Message to be signed:
static const char message_9_4[] =
  "1d fd 43 b4 6c 93 db 82 62 9b da e2 bd 0a 12 b8 "
  "82 ea 04 c3 b4 65 f5 cf 93 02 3f 01 05 96 26 db "
  "be 99 f2 6b b1 be 94 9d dd d1 6d c7 f3 de bb 19 "
  "a1 94 62 7f 0b 22 44 34 df 7d 87 00 e9 e9 8b 06 "
  "e3 60 c1 2f db e3 d1 9f 51 c9 68 4e b9 08 9e cb "
  "b0 a2 f0 45 03 99 d3 f5 9e ac 72 94 08 5d 04 4f "
  "53 93 c6 ce 73 74 23 d8 b8 6c 41 53 70 d3 89 e3 "
  "0b 9f 0a 3c 02 d2 5d 00 82 e8 ad 6f 3f 1e f2 4a "
  "45 c3 cf 82 b3 83 36 70 63 a4 d4 61 3e 42 64 f0 "
  "1b 2d ac 2e 5a a4 20 43 f8 fb 5f 69 fa 87 1d 14 "
  "fb 27 3e 76 7a 53 1c 40 f0 2f 34 3b c2 fb 45 a0 "
  "c7 e0 f6 be 25 61 92 3a 77 21 1d 66 a6 e2 db b4 "
  "3c 36 63 50 be ae 22 da 3a c2 c1 f5 07 70 96 fc "
  "b5 c4 bf 25 5f 75 74 35 1a e0 b1 e1 f0 36 32 81 "
  "7c 08 56 d4 a8 ba 97 af bd c8 b8 58 55 40 2b c5 "
  "69 26 fc ec 20 9f 9e a8 ";
// Salt:
static const char salt_9_4[] =
  "70 f3 82 bd df 4d 5d 2d d8 8b 3b c7 b7 30 8b e6 "
  "32 b8 40 45 ";
// Signature:
static const char signature_9_4[] =
  "84 eb eb 48 1b e5 98 45 b4 64 68 ba fb 47 1c 01 "
  "12 e0 2b 23 5d 84 b5 d9 11 cb d1 92 6e e5 07 4a "
  "e0 42 44 95 cb 20 e8 23 08 b8 eb b6 5f 41 9a 03 "
  "fb 40 e7 2b 78 98 1d 88 aa d1 43 05 36 85 17 2c "
  "97 b2 9c 8b 7b f0 ae 73 b5 b2 26 3c 40 3d a0 ed "
  "2f 80 ff 74 50 af 78 28 eb 8b 86 f0 02 8b d2 a8 "
  "b1 76 a4 d2 28 cc ce a1 83 94 f2 38 b0 9f f7 58 "
  "cc 00 bc 04 30 11 52 35 57 42 f2 82 b5 4e 66 3a "
  "91 9e 70 9d 8d a2 4a de 55 00 a7 b9 aa 50 22 6e "
  "0c a5 29 23 e6 c2 d8 60 ec 50 ff 48 0f a5 74 77 "
  "e8 2b 05 65 f4 37 9f 79 c7 72 d5 c2 da 80 af 9f "
  "bf 32 5e ce 6f c2 0b 00 96 16 14 be e8 9a 18 3e ";

// RSASSA-PSS Signature Example 9.5
// Message to be signed:
static const char message_9_5[] =
  "1b dc 6e 7c 98 fb 8c f5 4e 9b 09 7b 66 a8 31 e9 "
  "cf e5 2d 9d 48 88 44 8e e4 b0 97 80 93 ba 1d 7d "
  "73 ae 78 b3 a6 2b a4 ad 95 cd 28 9c cb 9e 00 52 "
  "26 bb 3d 17 8b cc aa 82 1f b0 44 a4 e2 1e e9 76 "
  "96 c1 4d 06 78 c9 4c 2d ae 93 b0 ad 73 92 22 18 "
  "55 3d aa 7e 44 eb e5 77 25 a7 a4 5c c7 2b 9b 21 "
  "38 a6 b1 7c 8d b4 11 ce 82 79 ee 12 41 af f0 a8 "
  "be c6 f7 7f 87 ed b0 c6 9c b2 72 36 e3 43 5a 80 "
  "0b 19 2e 4f 11 e5 19 e3 fe 30 fc 30 ea cc ca 4f "
  "bb 41 76 90 29 bf 70 8e 81 7a 9e 68 38 05 be 67 "
  "fa 10 09 84 68 3b 74 83 8e 3b cf fa 79 36 6e ed "
  "1d 48 1c 76 72 91 18 83 8f 31 ba 8a 04 8a 93 c1 "
  "be 44 24 59 8e 8d f6 32 8b 7a 77 88 0a 3f 9c 7e "
  "2e 8d fc a8 eb 5a 26 fb 86 bd c5 56 d4 2b be 01 "
  "d9 fa 6e d8 06 46 49 1c 93 41 ";
// Salt:
static const char salt_9_5[] =
  "d6 89 25 7a 86 ef fa 68 21 2c 5e 0c 61 9e ca 29 "
  "5f b9 1b 67 ";
// Signature:
static const char signature_9_5[] =
  "82 10 2d f8 cb 91 e7 17 99 19 a0 4d 26 d3 35 d6 "
  "4f bc 2f 87 2c 44 83 39 43 24 1d e8 45 48 10 27 "
  "4c df 3d b5 f4 2d 42 3d b1 52 af 71 35 f7 01 42 "
  "0e 39 b4 94 a6 7c bf d1 9f 91 19 da 23 3a 23 da "
  "5c 64 39 b5 ba 0d 2b c3 73 ee e3 50 70 01 37 8d "
  "4a 40 73 85 6b 7f e2 ab a0 b5 ee 93 b2 7f 4a fe "
  "c7 d4 d1 20 92 1c 83 f6 06 76 5b 02 c1 9e 4d 6a "
  "1a 3b 95 fa 4c 42 29 51 be 4f 52 13 10 77 ef 17 "
  "17 97 29 cd df bd b5 69 50 db ac ee fe 78 cb 16 "
  "64 0a 09 9e a5 6d 24 38 9e ef 10 f8 fe cb 31 ba "
  "3e a3 b2 27 c0 a8 66 98 bb 89 e3 e9 36 39 05 bf "
  "22 77 7b 2a 3a a5 21 b6 5b 4c ef 76 d8 3b de 4c ";

// RSASSA-PSS Signature Example 9.6
// Message to be signed:
static const char message_9_6[] =
  "88 c7 a9 f1 36 04 01 d9 0e 53 b1 01 b6 1c 53 25 "
  "c3 c7 5d b1 b4 11 fb eb 8e 83 0b 75 e9 6b 56 67 "
  "0a d2 45 40 4e 16 79 35 44 ee 35 4b c6 13 a9 0c "
  "c9 84 87 15 a7 3d b5 89 3e 7f 6d 27 98 15 c0 c1 "
  "de 83 ef 8e 29 56 e3 a5 6e d2 6a 88 8d 7a 9c dc "
  "d0 42 f4 b1 6b 7f a5 1e f1 a0 57 36 62 d1 6a 30 "
  "2d 0e c5 b2 85 d2 e0 3a d9 65 29 c8 7b 3d 37 4d "
  "b3 72 d9 5b 24 43 d0 61 b6 b1 a3 50 ba 87 80 7e "
  "d0 83 af d1 eb 05 c3 f5 2f 4e ba 5e d2 22 77 14 "
  "fd b5 0b 9d 9d 9d d6 81 4f 62 f6 27 2f cd 5c db "
  "ce 7a 9e f7 97 ";
// Salt:
static const char salt_9_6[] =
  "c2 5f 13 bf 67 d0 81 67 1a 04 81 a1 f1 82 0d 61 "
  "3b ba 22 76 ";
// Signature:
static const char signature_9_6[] =
  "a7 fd b0 d2 59 16 5c a2 c8 8d 00 bb f1 02 8a 86 "
  "7d 33 76 99 d0 61 19 3b 17 a9 64 8e 14 cc bb aa "
  "de ac aa cd ec 81 5e 75 71 29 4e bb 8a 11 7a f2 "
  "05 fa 07 8b 47 b0 71 2c 19 9e 3a d0 51 35 c5 04 "
  "c2 4b 81 70 51 15 74 08 02 48 79 92 ff d5 11 d4 "
  "af c6 b8 54 49 1e b3 f0 dd 52 31 39 54 2f f1 5c "
  "31 01 ee 85 54 35 17 c6 a3 c7 94 17 c6 7e 2d d9 "
  "aa 74 1e 9a 29 b0 6d cb 59 3c 23 36 b3 67 0a e3 "
  "af ba c7 c3 e7 6e 21 54 73 e8 66 e3 38 ca 24 4d "
  "e0 0b 62 62 4d 6b 94 26 82 2c ea e9 f8 cc 46 08 "
  "95 f4 12 50 07 3f d4 5c 5a 1e 7b 42 5c 20 4a 42 "
  "3a 69 91 59 f6 90 3e 71 0b 37 a7 bb 2b c8 04 9f ";

// Example 10: A 2048-bit RSA Key Pair

// RSA modulus n:
static const char rsa_modulus_n_10[] =
  "a5 dd 86 7a c4 cb 02 f9 0b 94 57 d4 8c 14 a7 70 "
  "ef 99 1c 56 c3 9c 0e c6 5f d1 1a fa 89 37 ce a5 "
  "7b 9b e7 ac 73 b4 5c 00 17 61 5b 82 d6 22 e3 18 "
  "75 3b 60 27 c0 fd 15 7b e1 2f 80 90 fe e2 a7 ad "
  "cd 0e ef 75 9f 88 ba 49 97 c7 a4 2d 58 c9 aa 12 "
  "cb 99 ae 00 1f e5 21 c1 3b b5 43 14 45 a8 d5 ae "
  "4f 5e 4c 7e 94 8a c2 27 d3 60 40 71 f2 0e 57 7e "
  "90 5f be b1 5d fa f0 6d 1d e5 ae 62 53 d6 3a 6a "
  "21 20 b3 1a 5d a5 da bc 95 50 60 0e 20 f2 7d 37 "
  "39 e2 62 79 25 fe a3 cc 50 9f 21 df f0 4e 6e ea "
  "45 49 c5 40 d6 80 9f f9 30 7e ed e9 1f ff 58 73 "
  "3d 83 85 a2 37 d6 d3 70 5a 33 e3 91 90 09 92 07 "
  "0d f7 ad f1 35 7c f7 e3 70 0c e3 66 7d e8 3f 17 "
  "b8 df 17 78 db 38 1d ce 09 cb 4a d0 58 a5 11 00 "
  "1a 73 81 98 ee 27 cf 55 a1 3b 75 45 39 90 65 82 "
  "ec 8b 17 4b d5 8d 5d 1f 3d 76 7c 61 37 21 ae 05 ";
// RSA public exponent e:
static const char rsa_public_exponent_e_10[] =
  "01 00 01 ";

// RSASSA-PSS Signature Example 10.1
// Message to be signed:
static const char message_10_1[] =
  "88 31 77 e5 12 6b 9b e2 d9 a9 68 03 27 d5 37 0c "
  "6f 26 86 1f 58 20 c4 3d a6 7a 3a d6 09 ";
// Salt:
static const char salt_10_1[] =
  "04 e2 15 ee 6f f9 34 b9 da 70 d7 73 0c 87 34 ab "
  "fc ec de 89 ";
// Signature:
static const char signature_10_1[] =
  "82 c2 b1 60 09 3b 8a a3 c0 f7 52 2b 19 f8 73 54 "
  "06 6c 77 84 7a bf 2a 9f ce 54 2d 0e 84 e9 20 c5 "
  "af b4 9f fd fd ac e1 65 60 ee 94 a1 36 96 01 14 "
  "8e ba d7 a0 e1 51 cf 16 33 17 91 a5 72 7d 05 f2 "
  "1e 74 e7 eb 81 14 40 20 69 35 d7 44 76 5a 15 e7 "
  "9f 01 5c b6 6c 53 2c 87 a6 a0 59 61 c8 bf ad 74 "
  "1a 9a 66 57 02 28 94 39 3e 72 23 73 97 96 c0 2a "
  "77 45 5d 0f 55 5b 0e c0 1d df 25 9b 62 07 fd 0f "
  "d5 76 14 ce f1 a5 57 3b aa ff 4e c0 00 69 95 16 "
  "59 b8 5f 24 30 0a 25 16 0c a8 52 2d c6 e6 72 7e "
  "57 d0 19 d7 e6 36 29 b8 fe 5e 89 e2 5c c1 5b eb "
  "3a 64 75 77 55 92 99 28 0b 9b 28 f7 9b 04 09 00 "
  "0b e2 5b bd 96 40 8b a3 b4 3c c4 86 18 4d d1 c8 "
  "e6 25 53 fa 1a f4 04 0f 60 66 3d e7 f5 e4 9c 04 "
  "38 8e 25 7f 1c e8 9c 95 da b4 8a 31 5d 9b 66 b1 "
  "b7 62 82 33 87 6f f2 38 52 30 d0 70 d0 7e 16 66 ";

// RSASSA-PSS Signature Example 10.2
// Message to be signed:
static const char message_10_2[] =
  "dd 67 0a 01 46 58 68 ad c9 3f 26 13 19 57 a5 0c "
  "52 fb 77 7c db aa 30 89 2c 9e 12 36 11 64 ec 13 "
  "97 9d 43 04 81 18 e4 44 5d b8 7b ee 58 dd 98 7b "
  "34 25 d0 20 71 d8 db ae 80 70 8b 03 9d bb 64 db "
  "d1 de 56 57 d9 fe d0 c1 18 a5 41 43 74 2e 0f f3 "
  "c8 7f 74 e4 58 57 64 7a f3 f7 9e b0 a1 4c 9d 75 "
  "ea 9a 1a 04 b7 cf 47 8a 89 7a 70 8f d9 88 f4 8e "
  "80 1e db 0b 70 39 df 8c 23 bb 3c 56 f4 e8 21 ac ";
// Salt:
static const char salt_10_2[] =
  "8b 2b dd 4b 40 fa f5 45 c7 78 dd f9 bc 1a 49 cb "
  "57 f9 b7 1b ";
// Signature:
static const char signature_10_2[] =
  "14 ae 35 d9 dd 06 ba 92 f7 f3 b8 97 97 8a ed 7c "
  "d4 bf 5f f0 b5 85 a4 0b d4 6c e1 b4 2c d2 70 30 "
  "53 bb 90 44 d6 4e 81 3d 8f 96 db 2d d7 00 7d 10 "
  "11 8f 6f 8f 84 96 09 7a d7 5e 1f f6 92 34 1b 28 "
  "92 ad 55 a6 33 a1 c5 5e 7f 0a 0a d5 9a 0e 20 3a "
  "5b 82 78 ae c5 4d d8 62 2e 28 31 d8 71 74 f8 ca "
  "ff 43 ee 6c 46 44 53 45 d8 4a 59 65 9b fb 92 ec "
  "d4 c8 18 66 86 95 f3 47 06 f6 68 28 a8 99 59 63 "
  "7f 2b f3 e3 25 1c 24 bd ba 4d 4b 76 49 da 00 22 "
  "21 8b 11 9c 84 e7 9a 65 27 ec 5b 8a 5f 86 1c 15 "
  "99 52 e2 3e c0 5e 1e 71 73 46 fa ef e8 b1 68 68 "
  "25 bd 2b 26 2f b2 53 10 66 c0 de 09 ac de 2e 42 "
  "31 69 07 28 b5 d8 5e 11 5a 2f 6b 92 b7 9c 25 ab "
  "c9 bd 93 99 ff 8b cf 82 5a 52 ea 1f 56 ea 76 dd "
  "26 f4 3b aa fa 18 bf a9 2a 50 4c bd 35 69 9e 26 "
  "d1 dc c5 a2 88 73 85 f3 c6 32 32 f0 6f 32 44 c3 ";

// RSASSA-PSS Signature Example 10.3
// Message to be signed:
static const char message_10_3[] =
  "48 b2 b6 a5 7a 63 c8 4c ea 85 9d 65 c6 68 28 4b "
  "08 d9 6b dc aa be 25 2d b0 e4 a9 6c b1 ba c6 01 "
  "93 41 db 6f be fb 8d 10 6b 0e 90 ed a6 bc c6 c6 "
  "26 2f 37 e7 ea 9c 7e 5d 22 6b d7 df 85 ec 5e 71 "
  "ef ff 2f 54 c5 db 57 7f f7 29 ff 91 b8 42 49 1d "
  "e2 74 1d 0c 63 16 07 df 58 6b 90 5b 23 b9 1a f1 "
  "3d a1 23 04 bf 83 ec a8 a7 3e 87 1f f9 db ";
// Salt:
static const char salt_10_3[] =
  "4e 96 fc 1b 39 8f 92 b4 46 71 01 0c 0d c3 ef d6 "
  "e2 0c 2d 73 ";
// Signature:
static const char signature_10_3[] =
  "6e 3e 4d 7b 6b 15 d2 fb 46 01 3b 89 00 aa 5b bb "
  "39 39 cf 2c 09 57 17 98 70 42 02 6e e6 2c 74 c5 "
  "4c ff d5 d7 d5 7e fb bf 95 0a 0f 5c 57 4f a0 9d "
  "3f c1 c9 f5 13 b0 5b 4f f5 0d d8 df 7e df a2 01 "
  "02 85 4c 35 e5 92 18 01 19 a7 0c e5 b0 85 18 2a "
  "a0 2d 9e a2 aa 90 d1 df 03 f2 da ae 88 5b a2 f5 "
  "d0 5a fd ac 97 47 6f 06 b9 3b 5b c9 4a 1a 80 aa "
  "91 16 c4 d6 15 f3 33 b0 98 89 2b 25 ff ac e2 66 "
  "f5 db 5a 5a 3b cc 10 a8 24 ed 55 aa d3 5b 72 78 "
  "34 fb 8c 07 da 28 fc f4 16 a5 d9 b2 22 4f 1f 8b "
  "44 2b 36 f9 1e 45 6f de a2 d7 cf e3 36 72 68 de "
  "03 07 a4 c7 4e 92 41 59 ed 33 39 3d 5e 06 55 53 "
  "1c 77 32 7b 89 82 1b de df 88 01 61 c7 8c d4 19 "
  "6b 54 19 f7 ac c3 f1 3e 5e bf 16 1b 6e 7c 67 24 "
  "71 6c a3 3b 85 c2 e2 56 40 19 2a c2 85 96 51 d5 "
  "0b de 7e b9 76 e5 1c ec 82 8b 98 b6 56 3b 86 bb ";

// RSASSA-PSS Signature Example 10.4
// Message to be signed:
static const char message_10_4[] =
  "0b 87 77 c7 f8 39 ba f0 a6 4b bb db c5 ce 79 75 "
  "5c 57 a2 05 b8 45 c1 74 e2 d2 e9 05 46 a0 89 c4 "
  "e6 ec 8a df fa 23 a7 ea 97 ba e6 b6 5d 78 2b 82 "
  "db 5d 2b 5a 56 d2 2a 29 a0 5e 7c 44 33 e2 b8 2a "
  "62 1a bb a9 0a dd 05 ce 39 3f c4 8a 84 05 42 45 "
  "1a ";
// Salt:
static const char salt_10_4[] =
  "c7 cd 69 8d 84 b6 51 28 d8 83 5e 3a 8b 1e b0 e0 "
  "1c b5 41 ec ";
// Signature:
static const char signature_10_4[] =
  "34 04 7f f9 6c 4d c0 dc 90 b2 d4 ff 59 a1 a3 61 "
  "a4 75 4b 25 5d 2e e0 af 7d 8b f8 7c 9b c9 e7 dd "
  "ee de 33 93 4c 63 ca 1c 0e 3d 26 2c b1 45 ef 93 "
  "2a 1f 2c 0a 99 7a a6 a3 4f 8e ae e7 47 7d 82 cc "
  "f0 90 95 a6 b8 ac ad 38 d4 ee c9 fb 7e ab 7a d0 "
  "2d a1 d1 1d 8e 54 c1 82 5e 55 bf 58 c2 a2 32 34 "
  "b9 02 be 12 4f 9e 90 38 a8 f6 8f a4 5d ab 72 f6 "
  "6e 09 45 bf 1d 8b ac c9 04 4c 6f 07 09 8c 9f ce "
  "c5 8a 3a ab 10 0c 80 51 78 15 5f 03 0a 12 4c 45 "
  "0e 5a cb da 47 d0 e4 f1 0b 80 a2 3f 80 3e 77 4d "
  "02 3b 00 15 c2 0b 9f 9b be 7c 91 29 63 38 d5 ec "
  "b4 71 ca fb 03 20 07 b6 7a 60 be 5f 69 50 4a 9f "
  "01 ab b3 cb 46 7b 26 0e 2b ce 86 0b e8 d9 5b f9 "
  "2c 0c 8e 14 96 ed 1e 52 85 93 a4 ab b6 df 46 2d "
  "de 8a 09 68 df fe 46 83 11 68 57 a2 32 f5 eb f6 "
  "c8 5b e2 38 74 5a d0 f3 8f 76 7a 5f db f4 86 fb ";

// RSASSA-PSS Signature Example 10.5
// Message to be signed:
static const char message_10_5[] =
  "f1 03 6e 00 8e 71 e9 64 da dc 92 19 ed 30 e1 7f "
  "06 b4 b6 8a 95 5c 16 b3 12 b1 ed df 02 8b 74 97 "
  "6b ed 6b 3f 6a 63 d4 e7 78 59 24 3c 9c cc dc 98 "
  "01 65 23 ab b0 24 83 b3 55 91 c3 3a ad 81 21 3b "
  "b7 c7 bb 1a 47 0a ab c1 0d 44 25 6c 4d 45 59 d9 "
  "16 ";
// Salt:
static const char salt_10_5[] =
  "ef a8 bf f9 62 12 b2 f4 a3 f3 71 a1 0d 57 41 52 "
  "65 5f 5d fb ";
// Signature:
static const char signature_10_5[] =
  "7e 09 35 ea 18 f4 d6 c1 d1 7c e8 2e b2 b3 83 6c "
  "55 b3 84 58 9c e1 9d fe 74 33 63 ac 99 48 d1 f3 "
  "46 b7 bf dd fe 92 ef d7 8a db 21 fa ef c8 9a de "
  "42 b1 0f 37 40 03 fe 12 2e 67 42 9a 1c b8 cb d1 "
  "f8 d9 01 45 64 c4 4d 12 01 16 f4 99 0f 1a 6e 38 "
  "77 4c 19 4b d1 b8 21 32 86 b0 77 b0 49 9d 2e 7b "
  "3f 43 4a b1 22 89 c5 56 68 4d ee d7 81 31 93 4b "
  "b3 dd 65 37 23 6f 7c 6f 3d cb 09 d4 76 be 07 72 "
  "1e 37 e1 ce ed 9b 2f 7b 40 68 87 bd 53 15 73 05 "
  "e1 c8 b4 f8 4d 73 3b c1 e1 86 fe 06 cc 59 b6 ed "
  "b8 f4 bd 7f fe fd f4 f7 ba 9c fb 9d 57 06 89 b5 "
  "a1 a4 10 9a 74 6a 69 08 93 db 37 99 25 5a 0c b9 "
  "21 5d 2d 1c d4 90 59 0e 95 2e 8c 87 86 aa 00 11 "
  "26 52 52 47 0c 04 1d fb c3 ee c7 c3 cb f7 1c 24 "
  "86 9d 11 5c 0c b4 a9 56 f5 6d 53 0b 80 ab 58 9a "
  "cf ef c6 90 75 1d df 36 e8 d3 83 f8 3c ed d2 cc ";

// RSASSA-PSS Signature Example 10.6
// Message to be signed:
static const char message_10_6[] =
  "25 f1 08 95 a8 77 16 c1 37 45 0b b9 51 9d fa a1 "
  "f2 07 fa a9 42 ea 88 ab f7 1e 9c 17 98 00 85 b5 "
  "55 ae ba b7 62 64 ae 2a 3a b9 3c 2d 12 98 11 91 "
  "dd ac 6f b5 94 9e b3 6a ee 3c 5d a9 40 f0 07 52 "
  "c9 16 d9 46 08 fa 7d 97 ba 6a 29 15 b6 88 f2 03 "
  "23 d4 e9 d9 68 01 d8 9a 72 ab 58 92 dc 21 17 c0 "
  "74 34 fc f9 72 e0 58 cf 8c 41 ca 4b 4f f5 54 f7 "
  "d5 06 8a d3 15 5f ce d0 f3 12 5b c0 4f 91 93 37 "
  "8a 8f 5c 4c 3b 8c b4 dd 6d 1c c6 9d 30 ec ca 6e "
  "aa 51 e3 6a 05 73 0e 9e 34 2e 85 5b af 09 9d ef "
  "b8 af d7 ";
// Salt:
static const char salt_10_6[] =
  "ad 8b 15 23 70 36 46 22 4b 66 0b 55 08 85 91 7c "
  "a2 d1 df 28 ";
// Signature:
static const char signature_10_6[] =
  "6d 3b 5b 87 f6 7e a6 57 af 21 f7 54 41 97 7d 21 "
  "80 f9 1b 2c 5f 69 2d e8 29 55 69 6a 68 67 30 d9 "
  "b9 77 8d 97 07 58 cc b2 60 71 c2 20 9f fb d6 12 "
  "5b e2 e9 6e a8 1b 67 cb 9b 93 08 23 9f da 17 f7 "
  "b2 b6 4e cd a0 96 b6 b9 35 64 0a 5a 1c b4 2a 91 "
  "55 b1 c9 ef 7a 63 3a 02 c5 9f 0d 6e e5 9b 85 2c "
  "43 b3 50 29 e7 3c 94 0f f0 41 0e 8f 11 4e ed 46 "
  "bb d0 fa e1 65 e4 2b e2 52 8a 40 1c 3b 28 fd 81 "
  "8e f3 23 2d ca 9f 4d 2a 0f 51 66 ec 59 c4 23 96 "
  "d6 c1 1d bc 12 15 a5 6f a1 71 69 db 95 75 34 3e "
  "f3 4f 9d e3 2a 49 cd c3 17 49 22 f2 29 c2 3e 18 "
  "e4 5d f9 35 31 19 ec 43 19 ce dc e7 a1 7c 64 08 "
  "8c 1f 6f 52 be 29 63 41 00 b3 91 9d 38 f3 d1 ed "
  "94 e6 89 1e 66 a7 3b 8f b8 49 f5 87 4d f5 94 59 "
  "e2 98 c7 bb ce 2e ee 78 2a 19 5a a6 6f e2 d0 73 "
  "2b 25 e5 95 f5 7d 3e 06 1b 1f c3 e4 06 3b f9 8f ";

struct SignatureExample {
  const char* message;
  const char* salt;
  const char* signature;
};

struct PSSTestVector {
  const char* modulus_n;
  const char* public_exponent_e;
  SignatureExample example[6];
};

static const PSSTestVector pss_test[] = {
  {
    rsa_modulus_n_1,
    rsa_public_exponent_e_1,
    {
      { message_1_1, salt_1_1, signature_1_1 },
      { message_1_2, salt_1_2, signature_1_2 },
      { message_1_3, salt_1_3, signature_1_3 },
      { message_1_4, salt_1_4, signature_1_4 },
      { message_1_5, salt_1_5, signature_1_5 },
      { message_1_6, salt_1_6, signature_1_6 },
    }
  },
  {
    rsa_modulus_n_9,
    rsa_public_exponent_e_9,
    {
      { message_9_1, salt_9_1, signature_9_1 },
      { message_9_2, salt_9_2, signature_9_2 },
      { message_9_3, salt_9_3, signature_9_3 },
      { message_9_4, salt_9_4, signature_9_4 },
      { message_9_5, salt_9_5, signature_9_5 },
      { message_9_6, salt_9_6, signature_9_6 },
    }
  },
  {
    rsa_modulus_n_10,
    rsa_public_exponent_e_10,
    {
      { message_10_1, salt_10_1, signature_10_1 },
      { message_10_2, salt_10_2, signature_10_2 },
      { message_10_3, salt_10_3, signature_10_3 },
      { message_10_4, salt_10_4, signature_10_4 },
      { message_10_5, salt_10_5, signature_10_5 },
      { message_10_6, salt_10_6, signature_10_6 },
    }
  },
};

static uint8 HexDigitValue(char digit) {
  if ('0' <= digit && digit <= '9')
    return digit - '0';
  if ('a' <= digit && digit <= 'f')
    return digit - 'a' + 10;
  return digit - 'A' + 10;
}

static bool DecodeTestInput(const char* in, std::vector<uint8>* out) {
  out->clear();
  while (in[0] != '\0') {
    if (!isxdigit(in[0]) || !isxdigit(in[1]) || in[2] != ' ')
      return false;
    uint8 octet = HexDigitValue(in[0]) * 16 + HexDigitValue(in[1]);
    out->push_back(octet);
    in += 3;
  }
  return true;
}

static bool EncodeRSAPublicKey(const std::vector<uint8>& modulus_n,
                               const std::vector<uint8>& public_exponent_e,
                               std::vector<uint8>* public_key_info) {
  // The public key is specified as the following ASN.1 structure:
  //   SubjectPublicKeyInfo  ::=  SEQUENCE  {
  //       algorithm            AlgorithmIdentifier,
  //       subjectPublicKey     BIT STRING  }
  //
  // The signature algorithm is specified as the following ASN.1 structure:
  //    AlgorithmIdentifier  ::=  SEQUENCE  {
  //        algorithm               OBJECT IDENTIFIER,
  //        parameters              ANY DEFINED BY algorithm OPTIONAL  }
  //
  // An RSA public key is specified as the following ASN.1 structure:
  //    RSAPublicKey ::= SEQUENCE {
  //        modulus           INTEGER,  -- n
  //        publicExponent    INTEGER   -- e
  //    }
  static const uint8 kIntegerTag = 0x02;
  static const uint8 kBitStringTag = 0x03;
  static const uint8 kSequenceTag = 0x30;
  public_key_info->clear();

  // Encode the public exponent e as an INTEGER.
  public_key_info->insert(public_key_info->begin(),
                          public_exponent_e.begin(),
                          public_exponent_e.end());
  uint8 length = public_exponent_e.size();
  public_key_info->insert(public_key_info->begin(), length);
  public_key_info->insert(public_key_info->begin(), kIntegerTag);

  // Encode the modulus n as an INTEGER.
  public_key_info->insert(public_key_info->begin(),
                          modulus_n.begin(), modulus_n.end());
  uint16 length16 = modulus_n.size();
  if (modulus_n[0] & 0x80) {
    public_key_info->insert(public_key_info->begin(), 0x00);
    length16++;
  }
  public_key_info->insert(public_key_info->begin(), length16 & 0xff);
  public_key_info->insert(public_key_info->begin(), (length16 >> 8) & 0xff);
  public_key_info->insert(public_key_info->begin(), 0x82);
  public_key_info->insert(public_key_info->begin(), kIntegerTag);

  // Encode the RSAPublicKey SEQUENCE.
  length16 = public_key_info->size();
  public_key_info->insert(public_key_info->begin(), length16 & 0xff);
  public_key_info->insert(public_key_info->begin(), (length16 >> 8) & 0xff);
  public_key_info->insert(public_key_info->begin(), 0x82);
  public_key_info->insert(public_key_info->begin(), kSequenceTag);

  // Encode the BIT STRING.
  // Number of unused bits.
  public_key_info->insert(public_key_info->begin(), 0x00);
  length16 = public_key_info->size();
  public_key_info->insert(public_key_info->begin(), length16 & 0xff);
  public_key_info->insert(public_key_info->begin(), (length16 >> 8) & 0xff);
  public_key_info->insert(public_key_info->begin(), 0x82);
  public_key_info->insert(public_key_info->begin(), kBitStringTag);

  // Encode the AlgorithmIdentifier.
  static const uint8 algorithm[] = {
    0x30, 0x0d,  // a SEQUENCE of length 13
      0x06, 0x09,  // an OBJECT IDENTIFIER of length 9
        0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01,
      0x05, 0x00,
  };
  public_key_info->insert(public_key_info->begin(),
                          algorithm, algorithm + sizeof(algorithm));

  // Encode the outermost SEQUENCE.
  length16 = public_key_info->size();
  public_key_info->insert(public_key_info->begin(), length16 & 0xff);
  public_key_info->insert(public_key_info->begin(), (length16 >> 8) & 0xff);
  public_key_info->insert(public_key_info->begin(), 0x82);
  public_key_info->insert(public_key_info->begin(), kSequenceTag);

  return true;
}

TEST(SignatureVerifierTest, VerifyRSAPSS) {
  for (unsigned int i = 0; i < arraysize(pss_test); i++) {
    std::vector<uint8> modulus_n;
    std::vector<uint8> public_exponent_e;
    ASSERT_TRUE(DecodeTestInput(pss_test[i].modulus_n, &modulus_n));
    ASSERT_TRUE(DecodeTestInput(pss_test[i].public_exponent_e,
                                &public_exponent_e));
    std::vector<uint8> public_key_info;
    ASSERT_TRUE(EncodeRSAPublicKey(modulus_n, public_exponent_e,
                                   &public_key_info));

    for (unsigned int j = 0; j < arraysize(pss_test[i].example); j++) {
      std::vector<uint8> message;
      std::vector<uint8> salt;
      std::vector<uint8> signature;
      ASSERT_TRUE(DecodeTestInput(pss_test[i].example[j].message, &message));
      ASSERT_TRUE(DecodeTestInput(pss_test[i].example[j].salt, &salt));
      ASSERT_TRUE(DecodeTestInput(pss_test[i].example[j].signature,
                                  &signature));

      crypto::SignatureVerifier verifier;
      bool ok;

      // Positive test.
      ok = verifier.VerifyInitRSAPSS(crypto::SignatureVerifier::SHA1,
                                     crypto::SignatureVerifier::SHA1,
                                     salt.size(),
                                     &signature[0], signature.size(),
                                     &public_key_info[0],
                                     public_key_info.size());
      ASSERT_TRUE(ok);
      verifier.VerifyUpdate(&message[0], message.size());
      ok = verifier.VerifyFinal();
      EXPECT_TRUE(ok);

      // Modify the first byte of the message.
      ok = verifier.VerifyInitRSAPSS(crypto::SignatureVerifier::SHA1,
                                     crypto::SignatureVerifier::SHA1,
                                     salt.size(),
                                     &signature[0], signature.size(),
                                     &public_key_info[0],
                                     public_key_info.size());
      ASSERT_TRUE(ok);
      message[0] += 1;
      verifier.VerifyUpdate(&message[0], message.size());
      message[0] -= 1;
      ok = verifier.VerifyFinal();
      EXPECT_FALSE(ok);

      // Truncate the message.
      ASSERT_FALSE(message.empty());
      ok = verifier.VerifyInitRSAPSS(crypto::SignatureVerifier::SHA1,
                                     crypto::SignatureVerifier::SHA1,
                                     salt.size(),
                                     &signature[0], signature.size(),
                                     &public_key_info[0],
                                     public_key_info.size());
      ASSERT_TRUE(ok);
      verifier.VerifyUpdate(&message[0], message.size() - 1);
      ok = verifier.VerifyFinal();
      EXPECT_FALSE(ok);

      // Corrupt the signature.
      signature[0] += 1;
      ok = verifier.VerifyInitRSAPSS(crypto::SignatureVerifier::SHA1,
                                     crypto::SignatureVerifier::SHA1,
                                     salt.size(),
                                     &signature[0], signature.size(),
                                     &public_key_info[0],
                                     public_key_info.size());
      signature[0] -= 1;
      ASSERT_TRUE(ok);
      verifier.VerifyUpdate(&message[0], message.size());
      ok = verifier.VerifyFinal();
      EXPECT_FALSE(ok);
    }
  }
}