Add validation check to rsassapss.NewPrivateKey

This makes sure the public key corresponds to the public key.

PiperOrigin-RevId: 705492843
Change-Id: I45056508ca68d30baa7810c78061ff99ff75d838

signature/rsassapss/key.go

@@ -21,6 +21,7 @@ import (
 	"math/big"
 
 	"github.com/tink-crypto/tink-go/v2/insecuresecretdataaccess"
+	"github.com/tink-crypto/tink-go/v2/internal/internalapi"
 	"github.com/tink-crypto/tink-go/v2/internal/outputprefix"
 	"github.com/tink-crypto/tink-go/v2/key"
 	"github.com/tink-crypto/tink-go/v2/secretdata"
@@ -290,6 +291,27 @@ type PrivateKeyValues struct {
 	// See https://pkg.go.dev/crypto/rsa#PrivateKey.
 }
 
+// privateKeySelfCheck signs a test message with a private key and verifies a
+// the signature with the corresponding public key.
+//
+// This is a security check to ensure that the private key is valid.
+func privateKeySelfCheck(privateKey *PrivateKey) error {
+	signer, err := NewSigner(privateKey, internalapi.Token{})
+	if err != nil {
+		return err
+	}
+	verifier, err := NewVerifier(privateKey.publicKey, internalapi.Token{})
+	if err != nil {
+		return err
+	}
+	testMessage := []byte("Tink and Wycheproof.")
+	signature, err := signer.Sign(testMessage)
+	if err != nil {
+		return err
+	}
+	return verifier.Verify(signature, testMessage)
+}
+
 // NewPrivateKey creates a new RSA-SSA-PSS PrivateKey value from a public key
 // and private key values.
 //
@@ -313,10 +335,14 @@ func NewPrivateKey(publicKey *PublicKey, opts PrivateKeyValues) (*PrivateKey, er
 		return nil, fmt.Errorf("rsassapss.NewPrivateKey: %v", err)
 	}
 	privateKey.Precompute()
-	return &PrivateKey{
+	pk := &PrivateKey{
 		publicKey:  publicKey,
 		privateKey: &privateKey,
-	}, nil
+	}
+	if err := privateKeySelfCheck(pk); err != nil {
+		return nil, fmt.Errorf("rsassapss.NewPrivateKey: %v", err)
+	}
+	return pk, nil
 }
 
 // P returns the prime P.

signature/rsassapss/key_test.go

@@ -826,9 +826,9 @@ func TestNewPrivateKeyInvalidValues(t *testing.T) {
 	if err != nil {
 		t.Fatalf("rsassapss.NewParameters(%v, %v) = %v, want nil", paramsValues, rsassapss.VariantTink, err)
 	}
-	publicKey, err := rsassapss.NewPublicKey(n, 123, params)
+	publicKey, err := rsassapss.NewPublicKey(n, 0x11223344, params)
 	if err != nil {
-		t.Fatalf("rsassapss.NewPublicKey(%v, %v, %v) = %v, want nil", n, 123, params, err)
+		t.Fatalf("rsassapss.NewPublicKey(%v, %v, %v) = %v, want nil", n, 0x11223344, params, err)
 	}
 	invalidD := mustDecodeBase64(t, d2048Base64)
 	invalidD[0]++
@@ -837,6 +837,11 @@ func TestNewPrivateKeyInvalidValues(t *testing.T) {
 	invalidQ := mustDecodeBase64(t, q2048Base64)
 	invalidQ[0]++
 
+	// From:
+	// https://github.com/C2SP/wycheproof/blob/cd27d6419bedd83cbd24611ec54b6d4bfdb0cdca/testvectors/rsa_pkcs1_2048_test.json#L353
+	differentN2048Base64 := "3ZBFkDl4CMQxQyliPZATRThDJRsTuLPE_vVFmBEq8-sxxxEDxiWZUWdOU72Tp-NtGUcuR06-gChobZUpSE2Lr-pKBLoZVVZnYWyEeGcFlACcm8aj7-UidMumTHJHR9ftwZTk_t3jKjKJ2Uwxk25-ehXXVvVISS9bNFuSfoxhi91VCsshoXrhSDBDg9ubPHuqPkyL2OhEqITao-GNVpmMsy-brk1B1WoY3dQxPICJt16du5EoRwusmwh_thkoqw-MTIk2CwIImQCNCOi9MfkHqAfoBWrWgA3_357Z2WSpOefkgRS4SXhVGsuFyd-RlvPv9VKG1s1LOagiqKd2Ohggjw"
+	differentPublicKey := mustCreatePublicKey(t, mustDecodeBase64(t, differentN2048Base64), 0x11223344, params)
+
 	token := insecuresecretdataaccess.Token{}
 	for _, tc := range []struct {
 		name             string
@@ -880,6 +885,15 @@ func TestNewPrivateKeyInvalidValues(t *testing.T) {
 				D: secretdata.NewBytesFromData(invalidD, token),
 			},
 		},
+		{
+			name:      "wrong public key",
+			publicKey: differentPublicKey,
+			privateKeyValues: rsassapss.PrivateKeyValues{
+				P: secretdata.NewBytesFromData(p, token),
+				Q: secretdata.NewBytesFromData(q, token),
+				D: secretdata.NewBytesFromData(d, token),
+			},
+		},
 	} {
 		t.Run(tc.name, func(t *testing.T) {
 			if _, err := rsassapss.NewPrivateKey(tc.publicKey, tc.privateKeyValues); err == nil {