SERVER-67551: Asymmetric Key class

9 files changed, 535 insertions, 0 deletions

diff --git a/src/mongo/base/error_codes.yml b/src/mongo/base/error_codes.yml
index 67d05e909bb..daa30044a7d 100644
--- a/src/mongo/base/error_codes.yml
+++ b/src/mongo/base/error_codes.yml
@@ -488,6 +488,8 @@ error_codes:
     - {code: 376, name: ChangeStreamNotEnabled}
     - {code: 377, name: FLEMaxTagLimitExceeded }
     - {code: 378, name: NonConformantBSON, categories: [ValidationError]}
+    - {code: 379, name: InvalidSignature}
+
 
     # Error codes 4000-8999 are reserved.
 
diff --git a/src/mongo/crypto/SConscript b/src/mongo/crypto/SConscript
index 86e457a0f40..32d2b1ef35b 100644
--- a/src/mongo/crypto/SConscript
+++ b/src/mongo/crypto/SConscript
@@ -73,6 +73,17 @@ cryptoEnv.Library(
     ],
 )
 
+cryptoEnv.Library(
+    target='asymmetric_crypto',
+    source=[
+        'asymmetric_crypto_{}.cpp'.format(ssl_provider),
+    ],
+    LIBDEPS=[
+        '$BUILD_DIR/mongo/util/net/openssl_init' if ssl_provider == 'openssl' else '',
+        'rsa_public_key',
+    ],
+)
+
 env.Library(
     target="aead_encryption",
     source=[
@@ -136,6 +147,7 @@ env.CppUnitTest(
     target='crypto_test',
     source=[
         'aead_encryption_test.cpp',
+        'asymmetric_crypto_openssl_test.cpp',
         'encryption_fields_util_test.cpp',
         'fle_crypto_test.cpp',
         'mechanism_scram_test.cpp',
@@ -150,6 +162,7 @@ env.CppUnitTest(
         '$BUILD_DIR/mongo/base/secure_allocator',
         '$BUILD_DIR/mongo/util/net/openssl_init' if ssl_provider == 'openssl' else '',
         'aead_encryption',
+        'asymmetric_crypto',
         'encrypted_field_config',
         'fle_crypto',
         'rsa_public_key',
diff --git a/src/mongo/crypto/asymmetric_crypto.h b/src/mongo/crypto/asymmetric_crypto.h
new file mode 100644
index 00000000000..add8d373bb4
--- /dev/null
+++ b/src/mongo/crypto/asymmetric_crypto.h
@@ -0,0 +1,48 @@
+/**
+ *    Copyright (C) 2022-present MongoDB, Inc.
+ *
+ *    This program is free software: you can redistribute it and/or modify
+ *    it under the terms of the Server Side Public License, version 1,
+ *    as published by MongoDB, Inc.
+ *
+ *    This program is distributed in the hope that it will be useful,
+ *    but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *    Server Side Public License for more details.
+ *
+ *    You should have received a copy of the Server Side Public License
+ *    along with this program. If not, see
+ *    <http://www.mongodb.com/licensing/server-side-public-license>.
+ *
+ *    As a special exception, the copyright holders give permission to link the
+ *    code of portions of this program with the OpenSSL library under certain
+ *    conditions as described in each individual source file and distribute
+ *    linked combinations including the program with the OpenSSL library. You
+ *    must comply with the Server Side Public License in all respects for
+ *    all of the code used other than as permitted herein. If you modify file(s)
+ *    with this exception, you may extend this exception to your version of the
+ *    file(s), but you are not obligated to do so. If you do not wish to do so,
+ *    delete this exception statement from your version. If you delete this
+ *    exception statement from all source files in the program, then also delete
+ *    it in the license file.
+ */
+
+#pragma once
+
+#include "mongo/base/data_range.h"
+#include "mongo/base/status.h"
+#include "mongo/crypto/rsa_public_key.h"
+
+namespace mongo::crypto {
+
+enum class HashingAlgorithm { SHA256 };
+
+class RSAKeySignatureVerifier {
+public:
+    virtual ~RSAKeySignatureVerifier() = default;
+    virtual Status verifySignature(ConstDataRange msg, ConstDataRange signature) = 0;
+    static StatusWith<std::unique_ptr<RSAKeySignatureVerifier>> create(const RsaPublicKey& pubKey,
+                                                                       HashingAlgorithm hashAlg);
+};
+
+}  // namespace mongo::crypto
diff --git a/src/mongo/crypto/asymmetric_crypto_apple.cpp b/src/mongo/crypto/asymmetric_crypto_apple.cpp
new file mode 100644
index 00000000000..4c2c536164c
--- /dev/null
+++ b/src/mongo/crypto/asymmetric_crypto_apple.cpp
@@ -0,0 +1,52 @@
+/**
+ *    Copyright (C) 2022-present MongoDB, Inc.
+ *
+ *    This program is free software: you can redistribute it and/or modify
+ *    it under the terms of the Server Side Public License, version 1,
+ *    as published by MongoDB, Inc.
+ *
+ *    This program is distributed in the hope that it will be useful,
+ *    but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *    Server Side Public License for more details.
+ *
+ *    You should have received a copy of the Server Side Public License
+ *    along with this program. If not, see
+ *    <http://www.mongodb.com/licensing/server-side-public-license>.
+ *
+ *    As a special exception, the copyright holders give permission to link the
+ *    code of portions of this program with the OpenSSL library under certain
+ *    conditions as described in each individual source file and distribute
+ *    linked combinations including the program with the OpenSSL library. You
+ *    must comply with the Server Side Public License in all respects for
+ *    all of the code used other than as permitted herein. If you modify file(s)
+ *    with this exception, you may extend this exception to your version of the
+ *    file(s), but you are not obligated to do so. If you do not wish to do so,
+ *    delete this exception statement from your version. If you delete this
+ *    exception statement from all source files in the program, then also delete
+ *    it in the license file.
+ */
+
+#include "mongo/crypto/asymmetric_crypto.h"
+
+#include "mongo/base/error_codes.h"
+
+namespace mongo::crypto {
+namespace {
+
+class RsaKeySignatureVerifierApple : public RSAKeySignatureVerifier {
+public:
+    RsaKeySignatureVerifierApple(){};
+
+    Status verifySignature(ConstDataRange msg, ConstDataRange signature) final {
+        return {ErrorCodes::OperationFailed, "Signature Verification Not Available"};
+    }
+};
+}  // namespace
+
+// TODO: SERVER-68518, remove or implement this class
+StatusWith<std::unique_ptr<RSAKeySignatureVerifier>> RSAKeySignatureVerifier::create(
+    const RsaPublicKey& pubKey, HashingAlgorithm hashAlg) {
+    return {ErrorCodes::OperationFailed, "Signature Verification Not Available"};
+}
+}  // namespace mongo::crypto
diff --git a/src/mongo/crypto/asymmetric_crypto_none.cpp b/src/mongo/crypto/asymmetric_crypto_none.cpp
new file mode 100644
index 00000000000..c8cef4aa29c
--- /dev/null
+++ b/src/mongo/crypto/asymmetric_crypto_none.cpp
@@ -0,0 +1,54 @@
+/**
+ *    Copyright (C) 2022-present MongoDB, Inc.
+ *
+ *    This program is free software: you can redistribute it and/or modify
+ *    it under the terms of the Server Side Public License, version 1,
+ *    as published by MongoDB, Inc.
+ *
+ *    This program is distributed in the hope that it will be useful,
+ *    but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *    Server Side Public License for more details.
+ *
+ *    You should have received a copy of the Server Side Public License
+ *    along with this program. If not, see
+ *    <http://www.mongodb.com/licensing/server-side-public-license>.
+ *
+ *    As a special exception, the copyright holders give permission to link the
+ *    code of portions of this program with the OpenSSL library under certain
+ *    conditions as described in each individual source file and distribute
+ *    linked combinations including the program with the OpenSSL library. You
+ *    must comply with the Server Side Public License in all respects for
+ *    all of the code used other than as permitted herein. If you modify file(s)
+ *    with this exception, you may extend this exception to your version of the
+ *    file(s), but you are not obligated to do so. If you do not wish to do so,
+ *    delete this exception statement from your version. If you delete this
+ *    exception statement from all source files in the program, then also delete
+ *    it in the license file.
+ */
+
+#include "mongo/crypto/asymmetric_crypto.h"
+
+#include "mongo/base/error_codes.h"
+
+namespace mongo::crypto {
+namespace {
+
+class RSAKeySignatureVerifierNone : public RSAKeySignatureVerifier {
+
+public:
+    RSAKeySignatureVerifierNone(){};
+
+    Status verifySignature(ConstDataRange msg, ConstDataRange signature) final {
+        return {ErrorCodes::OperationFailed, "Signature Verification Not Available"};
+    }
+};
+}  // namespace
+
+// TODO: SERVER-68518, remove or implement this class
+StatusWith<std::unique_ptr<RSAKeySignatureVerifier>> RSAKeySignatureVerifier::create(
+    const RsaPublicKey& pubKey, HashingAlgorithm hashAlg) {
+    return {ErrorCodes::OperationFailed, "Signature Verification Not Available"};
+}
+
+}  // namespace mongo::crypto
diff --git a/src/mongo/crypto/asymmetric_crypto_openssl.cpp b/src/mongo/crypto/asymmetric_crypto_openssl.cpp
new file mode 100644
index 00000000000..8fe2d26af1b
--- /dev/null
+++ b/src/mongo/crypto/asymmetric_crypto_openssl.cpp
@@ -0,0 +1,142 @@
+/**
+ *    Copyright (C) 2022-present MongoDB, Inc.
+ *
+ *    This program is free software: you can redistribute it and/or modify
+ *    it under the terms of the Server Side Public License, version 1,
+ *    as published by MongoDB, Inc.
+ *
+ *    This program is distributed in the hope that it will be useful,
+ *    but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *    Server Side Public License for more details.
+ *
+ *    You should have received a copy of the Server Side Public License
+ *    along with this program. If not, see
+ *    <http://www.mongodb.com/licensing/server-side-public-license>.
+ *
+ *    As a special exception, the copyright holders give permission to link the
+ *    code of portions of this program with the OpenSSL library under certain
+ *    conditions as described in each individual source file and distribute
+ *    linked combinations including the program with the OpenSSL library. You
+ *    must comply with the Server Side Public License in all respects for
+ *    all of the code used other than as permitted herein. If you modify file(s)
+ *    with this exception, you may extend this exception to your version of the
+ *    file(s), but you are not obligated to do so. If you do not wish to do so,
+ *    delete this exception statement from your version. If you delete this
+ *    exception statement from all source files in the program, then also delete
+ *    it in the license file.
+ */
+
+#include "mongo/crypto/asymmetric_crypto.h"
+
+#include <memory>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/ossl_typ.h>
+#include <openssl/rsa.h>
+
+#include "mongo/base/status.h"
+#include "mongo/crypto/rsa_public_key.h"
+#include "mongo/util/assert_util.h"
+#include "mongo/util/net/ssl_manager.h"
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || \
+    (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL)
+namespace {
+// Copies of OpenSSL 1.1.0 and later define new EVP digest routines. We must
+// polyfill used definitions to interact with older OpenSSL versions.
+EVP_MD_CTX* EVP_MD_CTX_new() {
+    return EVP_MD_CTX_create();
+}
+
+void EVP_MD_CTX_free(EVP_MD_CTX* ctx) {
+    EVP_MD_CTX_destroy(ctx);
+}
+
+}  // namespace
+#endif
+
+namespace mongo::crypto {
+namespace {
+
+using UniqueRSA = std::unique_ptr<RSA, OpenSSLDeleter<decltype(RSA_free), RSA_free>>;
+using UniqueEVPPKey =
+    std::unique_ptr<EVP_PKEY, OpenSSLDeleter<decltype(EVP_PKEY_free), EVP_PKEY_free>>;
+using UniqueBIGNUM = std::unique_ptr<BIGNUM, OpenSSLDeleter<decltype(BN_free), BN_free>>;
+
+class RSAKeySignatureVerifierOpenSSL : public RSAKeySignatureVerifier {
+public:
+    RSAKeySignatureVerifierOpenSSL(const RsaPublicKey& pubKey, HashingAlgorithm hashAlg)
+        : _verificationCtx(EVP_MD_CTX_new()) {
+#if OPENSSL_VERSION_NUMBER > 0x10100000L || \
+    (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER > 0x2070000fL)
+        const auto* pubKeyNData = pubKey.getN().data<unsigned char>();
+        UniqueBIGNUM n(BN_bin2bn(pubKeyNData, pubKey.getN().length(), nullptr));
+        uassertOpenSSL("Failed creating modulus", n.get() != nullptr);
+
+        const auto* pubKeyEData = pubKey.getE().data<unsigned char>();
+        UniqueBIGNUM e(BN_bin2bn(pubKeyEData, pubKey.getE().length(), nullptr));
+        uassertOpenSSL("Failed creating exponent", e.get() != nullptr);
+
+        UniqueRSA rsa(RSA_new());
+        uassertOpenSSL("Failed creating RSAKey", rsa.get() != nullptr);
+        uassertOpenSSL("RSA key setup failed",
+                       RSA_set0_key(rsa.get(), n.get(), e.get(), nullptr) == 1);
+        n.release();  // Now owned by rsa
+        e.release();  // Now owned by rsa
+
+        UniqueEVPPKey evpKey(EVP_PKEY_new());
+        uassertOpenSSL("Failed creating EVP_PKey", evpKey.get() != nullptr);
+        uassertOpenSSL("EVP_PKEY assignment failed",
+                       EVP_PKEY_assign_RSA(evpKey.get(), rsa.get()) == 1);
+        rsa.release();  // Now owned by evpKey
+
+        uassert(6755199, "Unknown hashing algorithm", hashAlg == HashingAlgorithm::SHA256);
+        uassertOpenSSL("DigestVerifyInit failed",
+                       EVP_DigestVerifyInit(
+                           _verificationCtx.get(), nullptr, EVP_sha256(), nullptr, evpKey.get()) ==
+                           1);
+#endif
+    }
+
+    Status verifySignature(ConstDataRange msg, ConstDataRange signature) final {
+#if OPENSSL_VERSION_NUMBER > 0x10100000L || \
+    (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER > 0x2070000fL)
+
+        uassertOpenSSL("DigestVerifyUpdate failed",
+                       EVP_DigestVerifyUpdate(
+                           _verificationCtx.get(), msg.data<std::uint8_t>(), msg.length()) == 1);
+
+        int verifyRes = EVP_DigestVerifyFinal(
+            _verificationCtx.get(), signature.data<std::uint8_t>(), signature.length());
+        if (verifyRes == 0) {
+            return {ErrorCodes::InvalidSignature, "OpenSSL: Signature is invalid"};
+        } else if (verifyRes != 1) {
+            return {ErrorCodes::UnknownError,
+                    SSLManagerInterface::getSSLErrorMessage(ERR_get_error())};
+        }
+        return Status::OK();
+#endif
+        return {ErrorCodes::OperationFailed, "Signature Verification Not Available"};
+    }
+
+private:
+    std::unique_ptr<EVP_MD_CTX, OpenSSLDeleter<decltype(EVP_MD_CTX_free), ::EVP_MD_CTX_free>>
+        _verificationCtx;
+
+    static void uassertOpenSSL(StringData context, bool success) {
+        uassert(ErrorCodes::OperationFailed,
+                str::stream() << context << ": "
+                              << SSLManagerInterface::getSSLErrorMessage(ERR_get_error()),
+                success);
+    }
+};
+}  // namespace
+
+StatusWith<std::unique_ptr<RSAKeySignatureVerifier>> RSAKeySignatureVerifier::create(
+    const RsaPublicKey& pubKey, HashingAlgorithm hashAlg) try {
+    return std::make_unique<RSAKeySignatureVerifierOpenSSL>(pubKey, hashAlg);
+} catch (const DBException& e) {
+    return e.toStatus();
+}
+}  // namespace mongo::crypto
diff --git a/src/mongo/crypto/asymmetric_crypto_openssl_test.cpp b/src/mongo/crypto/asymmetric_crypto_openssl_test.cpp
new file mode 100644
index 00000000000..2af5a532338
--- /dev/null
+++ b/src/mongo/crypto/asymmetric_crypto_openssl_test.cpp
@@ -0,0 +1,170 @@
+/**
+ *    Copyright (C) 2022-present MongoDB, Inc.
+ *
+ *    This program is free software: you can redistribute it and/or modify
+ *    it under the terms of the Server Side Public License, version 1,
+ *    as published by MongoDB, Inc.
+ *
+ *    This program is distributed in the hope that it will be useful,
+ *    but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *    Server Side Public License for more details.
+ *
+ *    You should have received a copy of the Server Side Public License
+ *    along with this program. If not, see
+ *    <http://www.mongodb.com/licensing/server-side-public-license>.
+ *
+ *    As a special exception, the copyright holders give permission to link the
+ *    code of portions of this program with the OpenSSL library under certain
+ *    conditions as described in each individual source file and distribute
+ *    linked combinations including the program with the OpenSSL library. You
+ *    must comply with the Server Side Public License in all respects for
+ *    all of the code used other than as permitted herein. If you modify file(s)
+ *    with this exception, you may extend this exception to your version of the
+ *    file(s), but you are not obligated to do so. If you do not wish to do so,
+ *    delete this exception statement from your version. If you delete this
+ *    exception statement from all source files in the program, then also delete
+ *    it in the license file.
+ */
+
+#include "mongo/crypto/asymmetric_crypto.h"
+
+#include <iostream>
+#include <string>
+#include <vector>
+
+#include "mongo/base/data_range.h"
+#include "mongo/base/status.h"
+#include "mongo/base/string_data.h"
+#include "mongo/bson/bsontypes.h"
+#include "mongo/config.h"
+#include "mongo/crypto/rsa_public_key.h"
+#include "mongo/unittest/unittest.h"
+#include "mongo/util/assert_util.h"
+#include "mongo/util/base64.h"
+#include "mongo/util/hex.h"
+
+#if MONGO_CONFIG_SSL_PROVIDER == MONGO_CONFIG_SSL_PROVIDER_OPENSSL
+
+namespace mongo::crypto {
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L || \
+    (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x2070000fL)
+
+class AsymmetricCryptoTestVectors : public unittest::Test {
+public:
+    class RSAKeySignatureVerificationVector {
+    public:
+        RSAKeySignatureVerificationVector(StringData keyID,
+                                          StringData e,
+                                          StringData n,
+                                          StringData msg,
+                                          StringData signature,
+                                          bool shouldPass) {
+            this->keyID = keyID.toString();
+
+            std::string strE = hexblob::decode(e);
+            std::string base64E = base64url::encode(StringData(strE.data(), strE.length()));
+            this->e = base64E;
+
+            std::string strN = hexblob::decode(n);
+            std::string base64N = base64url::encode(StringData(strN.data(), strN.length()));
+            this->n = base64N;
+
+            this->msg = hexblob::decode(msg);
+            this->signature = hexblob::decode(signature);
+            this->shouldPass = shouldPass;
+        }
+
+        std::string keyID;
+        std::string e;
+        std::string n;
+        std::string msg;
+        std::string signature;
+        bool shouldPass;
+    };
+
+    void evaluate(RSAKeySignatureVerificationVector test) {
+
+        RsaPublicKey rsaKey(test.keyID, test.e, test.n);
+
+        HashingAlgorithm hashAlg = HashingAlgorithm::SHA256;
+        auto asymmetricKey = uassertStatusOK(RSAKeySignatureVerifier::create(rsaKey, hashAlg));
+        Status result = asymmetricKey->verifySignature(
+            ConstDataRange(test.msg.data(), test.msg.length()),
+            ConstDataRange(test.signature.data(), test.signature.length()));
+        if (test.shouldPass == false) {
+            ASSERT_NOT_OK(result);
+        } else if (test.shouldPass == true) {
+            ASSERT_OK(result);
+        }
+    }
+};
+
+/**
+ * RSA test vectors are otained from FIPS 186-4 RSA:
+ * https://csrc.nist.gov/Projects/Cryptographic-Algorithm-Validation-Program/Digital-Signatures#rsa2vs
+ */
+
+TEST_F(AsymmetricCryptoTestVectors, RSASignatureVerificationTest1) {
+    evaluate(RSAKeySignatureVerificationVector(
+        "0UhWwyvtfIdxPvR9zCWYJB5_AM0LE2qc6RGOcI0cQjw"_sd,
+        "49d2a1"_sd,
+        "c47abacc2a84d56f3614d92fd62ed36ddde459664b9301dcd1d61781cfcc026bcb2399bee7e75681a80b7bf500e2d08ceae1c42ec0b707927f2b2fe92ae852087d25f1d260cc74905ee5f9b254ed05494a9fe06732c3680992dd6f0dc634568d11542a705f83ae96d2a49763d5fbb24398edf3702bc94bc168190166492b8671de874bb9cecb058c6c8344aa8c93754d6effcd44a41ed7de0a9dcd9144437f212b18881d042d331a4618a9e630ef9bb66305e4fdf8f0391b3b2313fe549f0189ff968b92f33c266a4bc2cffc897d1937eeb9e406f5d0eaa7a14782e76af3fce98f54ed237b4a04a4159a5f6250a296a902880204e61d891c4da29f2d65f34cbb"_sd,
+        "95123c8d1b236540b86976a11cea31f8bd4e6c54c235147d20ce722b03a6ad756fbd918c27df8ea9ce3104444c0bbe877305bc02e35535a02a58dcda306e632ad30b3dc3ce0ba97fdf46ec192965dd9cd7f4a71b02b8cba3d442646eeec4af590824ca98d74fbca934d0b6867aa1991f3040b707e806de6e66b5934f05509bea"_sd,
+        "51265d96f11ab338762891cb29bf3f1d2b3305107063f5f3245af376dfcc7027d39365de70a31db05e9e10eb6148cb7f6425f0c93c4fb0e2291adbd22c77656afc196858a11e1c670d9eeb592613e69eb4f3aa501730743ac4464486c7ae68fd509e896f63884e9424f69c1c5397959f1e52a368667a598a1fc90125273d9341295d2f8e1cc4969bf228c860e07a3546be2eeda1cde48ee94d062801fe666e4a7ae8cb9cd79262c017b081af874ff00453ca43e34efdb43fffb0bb42a4e2d32a5e5cc9e8546a221fe930250e5f5333e0efe58ffebf19369a3b8ae5a67f6a048bc9ef915bda25160729b508667ada84a0c27e7e26cf2abca413e5e4693f4a9405"_sd,
+        true));
+}
+
+TEST_F(AsymmetricCryptoTestVectors, RSASignatureVerificationTest2) {
+    evaluate(RSAKeySignatureVerificationVector(
+        "0UhWwyvtfIdxPvR9zCWYJB5_AM0LE2qc6RGOcI0cQjw"_sd,
+        "49d2a1"_sd,
+        "c47abacc2a84d56f3614d92fd62ed36ddde459664b9301dcd1d61781cfcc026bcb2399bee7e75681a80b7bf500e2d08ceae1c42ec0b707927f2b2fe92ae852087d25f1d260cc74905ee5f9b254ed05494a9fe06732c3680992dd6f0dc634568d11542a705f83ae96d2a49763d5fbb24398edf3702bc94bc168190166492b8671de874bb9cecb058c6c8344aa8c93754d6effcd44a41ed7de0a9dcd9144437f212b18881d042d331a4618a9e630ef9bb66305e4fdf8f0391b3b2313fe549f0189ff968b92f33c266a4bc2cffc897d1937eeb9e406f5d0eaa7a14782e76af3fce98f54ed237b4a04a4159a5f6250a296a902880204e61d891c4da29f2d65f34cbb"_sd,
+        "f89fd2f6c45a8b5066a651410b8e534bfec0d9a36f3e2b887457afd44dd651d1ec79274db5a455f182572fceea5e9e39c3c7c5d9e599e4fe31c37c34d253b419c3e8fb6b916aef6563f87d4c37224a456e5952698ba3d01b38945d998a795bd285d69478e3131f55117284e27b441f16095dca7ce9c5b68890b09a2bfbb010a5"_sd,
+        "ba48538708512d45c0edcac57a9b4fb637e9721f72003c60f13f5c9a36c968cef9be8f54665418141c3d9ecc02a5bf952cfc055fb51e18705e9d8850f4e1f5a344af550de84ffd0805e27e557f6aa50d2645314c64c1c71aa6bb44faf8f29ca6578e2441d4510e36052f46551df341b2dcf43f761f08b946ca0b7081dadbb88e955e820fd7f657c4dd9f4554d167dd7c9a487ed41ced2b40068098deedc951060faf7e15b1f0f80ae67ff2ee28a238d80bf72dd71c8d95c79bc156114ece8ec837573a4b66898d45b45a5eacd0b0e41447d8fa08a367f437645e50c9920b88a16bc0880147acfb9a79de9e351b3fa00b3f4e9f182f45553dffca55e393c5eab6"_sd,
+        false));
+}
+
+TEST_F(AsymmetricCryptoTestVectors, RSASignatureVerificationTest3) {
+    evaluate(RSAKeySignatureVerificationVector(
+        "0UhWwyvtfIdxPvR9zCWYJB5_AM0LE2qc6RGOcI0cQjw"_sd,
+        "49d2a1"_sd,
+        "c47abacc2a84d56f3614d92fd62ed36ddde459664b9301dcd1d61781cfcc026bcb2399bee7e75681a80b7bf500e2d08ceae1c42ec0b707927f2b2fe92ae852087d25f1d260cc74905ee5f9b254ed05494a9fe06732c3680992dd6f0dc634568d11542a705f83ae96d2a49763d5fbb24398edf3702bc94bc168190166492b8671de874bb9cecb058c6c8344aa8c93754d6effcd44a41ed7de0a9dcd9144437f212b18881d042d331a4618a9e630ef9bb66305e4fdf8f0391b3b2313fe549f0189ff968b92f33c266a4bc2cffc897d1937eeb9e406f5d0eaa7a14782e76af3fce98f54ed237b4a04a4159a5f6250a296a902880204e61d891c4da29f2d65f34cbb"_sd,
+        "915c5e4c16acfa0f49de43d6491f0060a944034475ba518572c08366a8d36c7f1e6afc11e5e4649757bf7b9da10a61d57f1d626847871d8a2948e551b54167c79de88d3ebd40a3e35809b996a53348f98a9918c7a7ec606896ed30c271e00c51953dd97aa6a8fe1cd423c3695c83fcf45120ec0a9cd1644642182b60e599a246"_sd,
+        "3d57ea5961db8fc144301ca4278f799911229d865ea3e992c7fbc4d03c6551729e26034e95dd71da312340e4051c9dd9b12f7700a821fe3b7c37785d5106350b667ac255a57c13da5842d90bcadea9e6b1f720c607d6893a2caa3c5f3c4074e914451a45380a767c291a67cac3f1cab1fbd05adc37036856a8404e7cea3654019466de449ad6e92b27254f3d25949b1b860065406455a13db7c5fe25d1af7a84cddf7792c64e16260c950d60bd86d005924148ad097c126b84947ab6e89d48f61e711d62522b6e48f16186d1339e6ab3f58c359eb24cb68043737591cd7d9390a468c0022b3b253be52f1a7fc408f84e9ffb4c34fa9e01605851d6583aa13032"_sd,
+        false));
+}
+
+TEST_F(AsymmetricCryptoTestVectors, RSASignatureVerificationTest4) {
+    evaluate(RSAKeySignatureVerificationVector(
+        "0UhWwyvtfIdxPvR9zCWYJB5_AM0LE2qc6RGOcI0cQjw"_sd,
+        "7485b2"_sd,
+        "c47abacc2a84d56f3614d92fd62ed36ddde459664b9301dcd1d61781cfcc026bcb2399bee7e75681a80b7bf500e2d08ceae1c42ec0b707927f2b2fe92ae852087d25f1d260cc74905ee5f9b254ed05494a9fe06732c3680992dd6f0dc634568d11542a705f83ae96d2a49763d5fbb24398edf3702bc94bc168190166492b8671de874bb9cecb058c6c8344aa8c93754d6effcd44a41ed7de0a9dcd9144437f212b18881d042d331a4618a9e630ef9bb66305e4fdf8f0391b3b2313fe549f0189ff968b92f33c266a4bc2cffc897d1937eeb9e406f5d0eaa7a14782e76af3fce98f54ed237b4a04a4159a5f6250a296a902880204e61d891c4da29f2d65f34cbb"_sd,
+        "3d2f0693517cffb2b724c1f30502c5359c051c1bcd88dc1dd54b89e6981009d275a813b2bf016b74d0f6ed0d91e62d0884785c9afd8fd1fb7e99246cd4005cdda71a39cb649197a996d8ad2d23fdfb6bb015f24ec3d7f88af64fb83b4b525eb06607d133eec834cf7d6c9ab817b4c0dda370459d9cfba05ad0c1adc86a909fe1"_sd,
+        "511abd82218cab344979b2887b02600d2427f1eb12ac01d97684c2a443a9272834c3f79cded07a39dbee3770dde827a74dc994b17bfd8a26d07b239d26d58c42f79d560264c31b7e1c3dddef6d7556f228c394414f4cec561c3da2686a8eebec7702f32850809a93deeb84b2a02fcdba224d2fd9efb8e056e796f49b57d56e9f3e90d0b49b08bdee93a2e12e676fb4d4fa838c5bd88eda008f1b592a72465587be0ae17d9b156b904f44a7e04d3b58d24ad67b71b0f4c699fa51639546b62b9f83597ff03d465f1bb396ae15e92d0e92e85647d5df113e2c7518d0e3ad2e7aa7dac720c98347aa151e4f37fea081dbed350cc9c93f606b38f21a3e5de6d140d2"_sd,
+        false));
+}
+
+TEST_F(AsymmetricCryptoTestVectors, RSASignatureVerificationTest5) {
+    evaluate(RSAKeySignatureVerificationVector(
+        "0UhWwyvtfIdxPvR9zCWYJB5_AM0LE2qc6RGOcI0cQjw"_sd,
+        "49d2a1"_sd,
+        "c47abacc2a84d56f3614d92fd62ed36ddde459664b9301dcd1d61781cfcc026bcb2399bee7e75681a80b7bf500e2d08ceae1c42ec0b707927f2b2fe92ae852087d25f1d260cc74905ee5f9b254ed05494a9fe06732c3680992dd6f0dc634568d11542a705f83ae96d2a49763d5fbb24398edf3702bc94bc168190166492b8671de874bb9cecb058c6c8344aa8c93754d6effcd44a41ed7de0a9dcd9144437f212b18881d042d331a4618a9e630ef9bb66305e4fdf8f0391b3b2313fe549f0189ff968b92f33c266a4bc2cffc897d1937eeb9e406f5d0eaa7a14782e76af3fce98f54ed237b4a04a4159a5f6250a296a902880204e61d891c4da29f2d65f34cbb"_sd,
+        "dffe42bfda886e1a73fe8a8dfcf71c9fb44deb054588a9bb9199d554aecce08f2ff88f2aa6f8a0fb675fb03c8e685c27432ca7c33c189bfd849d34fa7b2979ac1f57eca389632426bae0b98398ad60a3342557e14e96041c1bf4d90b46cf7ad1348322d28caf43c4f7e86c0924ae703c109ec50a84ea2a43df078c3015a52b28"_sd,
+        "8f4dd479239f2d08dc05d7d40539288b67c4d77210ecb16be76f0b1925e8b088570831e361a1ca57893135f8af64b8e2996b8d635899da4e04c68acb9b1b3813697d57da90c57f18509e0ab6705c704feb448cca5c07d258ecd884ab93f508cefdb25f2bc3061c4006099e2e33b27972c3edb0a0a33114d381c82ab506d041ff680af595ef3400a8bb6774030d2e38dd304272092bd32a553017f7bda4b998b27aa8aca12def327b1f11063a5342b0d55738183417d321c5682fc4ab64e79174216feebb989521e1e3d827647068003be34fe1d093964d28f4877c49b4065672448597a89b91919cfb55ca13836e7e6f3b3fd04f417cf1c16d9872538bf4e87a"_sd,
+        false));
+}
+
+TEST_F(AsymmetricCryptoTestVectors, RSASignatureVerificationTest6) {
+    evaluate(RSAKeySignatureVerificationVector(
+        "0UhWwyvtfIdxPvR9zCWYJB5_AM0LE2qc6RGOcI0cQjw"_sd,
+        "49d2a1"_sd,
+        "c47abacc2a84d56f3614d92fd62ed36ddde459664b9301dcd1d61781cfcc026bcb2399bee7e75681a80b7bf500e2d08ceae1c42ec0b707927f2b2fe92ae852087d25f1d260cc74905ee5f9b254ed05494a9fe06732c3680992dd6f0dc634568d11542a705f83ae96d2a49763d5fbb24398edf3702bc94bc168190166492b8671de874bb9cecb058c6c8344aa8c93754d6effcd44a41ed7de0a9dcd9144437f212b18881d042d331a4618a9e630ef9bb66305e4fdf8f0391b3b2313fe549f0189ff968b92f33c266a4bc2cffc897d1937eeb9e406f5d0eaa7a14782e76af3fce98f54ed237b4a04a4159a5f6250a296a902880204e61d891c4da29f2d65f34cbb"_sd,
+        "cfe99788f55ec6944942bd0a187d51b80fd8bd4051bd4f07c73e614eb75a8b9f997b176b2642b5f1b1877061ba9ce142c1d2a311583f072b7cbe08ed253681191c209d7b0d438fcdddc284d93d59d6dd80e48333a921dd31c9b6834f88768f8701e01102d3e8bdf074fbe0b8c93d9951f41545ef6eeb3be35530babc079f1fb3"_sd,
+        "9fd6f6107e838107f906c26cb2910704599f175b6a84db485fbc30776eb7fd53bfe20c38c537b154a3e519b662bd9fdc8e3045e21f6e5ae97d0ff6a9d8632825544525d84f99f80e3ed4e69dc5e219d59ccfbb37c23c84fe3b3e6fb22f402f94e5225c6387fdf8bcdb3508f8832908fe05771521e92234348004e8fe19a8f24bebcab9f074327c88d066bc12081748d696be6135c6aea32220ea786ebd7800e6936365ff25831c28cb6c8a59237ff84f5cf89036cff188ee0f9a6195f2b1aca2e4442af8369f1b49322fa2f891b83a14a97b60c6aeafd6c2928047affda9c8d869ff5294bb5943ad14a6d64e784d126c469d51e292b9ce33e1d8371ba5f467b3"_sd,
+        false));
+}
+#endif
+}  // namespace mongo::crypto
+
+#endif
diff --git a/src/mongo/crypto/asymmetric_crypto_windows.cpp b/src/mongo/crypto/asymmetric_crypto_windows.cpp
new file mode 100644
index 00000000000..7f3f42e3033
--- /dev/null
+++ b/src/mongo/crypto/asymmetric_crypto_windows.cpp
@@ -0,0 +1,53 @@
+/**
+ *    Copyright (C) 2022-present MongoDB, Inc.
+ *
+ *    This program is free software: you can redistribute it and/or modify
+ *    it under the terms of the Server Side Public License, version 1,
+ *    as published by MongoDB, Inc.
+ *
+ *    This program is distributed in the hope that it will be useful,
+ *    but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *    Server Side Public License for more details.
+ *
+ *    You should have received a copy of the Server Side Public License
+ *    along with this program. If not, see
+ *    <http://www.mongodb.com/licensing/server-side-public-license>.
+ *
+ *    As a special exception, the copyright holders give permission to link the
+ *    code of portions of this program with the OpenSSL library under certain
+ *    conditions as described in each individual source file and distribute
+ *    linked combinations including the program with the OpenSSL library. You
+ *    must comply with the Server Side Public License in all respects for
+ *    all of the code used other than as permitted herein. If you modify file(s)
+ *    with this exception, you may extend this exception to your version of the
+ *    file(s), but you are not obligated to do so. If you do not wish to do so,
+ *    delete this exception statement from your version. If you delete this
+ *    exception statement from all source files in the program, then also delete
+ *    it in the license file.
+ */
+
+#include "mongo/crypto/asymmetric_crypto.h"
+
+#include "mongo/base/error_codes.h"
+
+namespace mongo::crypto {
+namespace {
+
+class RSAKeySignatureVerifierWindows : public RSAKeySignatureVerifier {
+public:
+    RSAKeySignatureVerifierWindows(){};
+
+    Status verifySignature(ConstDataRange msg, ConstDataRange signature) final {
+        return {ErrorCodes::OperationFailed, "Signature Verification Not Available"};
+    }
+};
+}  // namespace
+
+// TODO: SERVER-68518, remove or implement this class
+StatusWith<std::unique_ptr<RSAKeySignatureVerifier>> RSAKeySignatureVerifier::create(
+    const RsaPublicKey& pubKey, HashingAlgorithm hashAlg) {
+    return {ErrorCodes::OperationFailed, "Signature Verification Not Available"};
+}
+
+}  // namespace mongo::crypto
diff --git a/src/mongo/db/auth/SConscript b/src/mongo/db/auth/SConscript
index 5ba69803f64..100568c6a18 100644
--- a/src/mongo/db/auth/SConscript
+++ b/src/mongo/db/auth/SConscript
@@ -448,6 +448,7 @@ env.Library(
     LIBDEPS=[
         '$BUILD_DIR/mongo/base',
         '$BUILD_DIR/mongo/base/secure_allocator',
+        '$BUILD_DIR/mongo/crypto/asymmetric_crypto',
         '$BUILD_DIR/mongo/crypto/rsa_public_key',
         '$BUILD_DIR/mongo/crypto/sha_block_${MONGO_CRYPTO}',
         '$BUILD_DIR/mongo/db/commands/test_commands_enabled',