/src/botan/src/lib/pubkey/rsa/rsa.cpp
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * RSA |
3 | | * (C) 1999-2010,2015,2016,2018,2019,2023 Jack Lloyd |
4 | | * |
5 | | * Botan is released under the Simplified BSD License (see license.txt) |
6 | | */ |
7 | | |
8 | | #include <botan/rsa.h> |
9 | | |
10 | | #include <botan/ber_dec.h> |
11 | | #include <botan/der_enc.h> |
12 | | #include <botan/reducer.h> |
13 | | #include <botan/internal/blinding.h> |
14 | | #include <botan/internal/divide.h> |
15 | | #include <botan/internal/emsa.h> |
16 | | #include <botan/internal/fmt.h> |
17 | | #include <botan/internal/keypair.h> |
18 | | #include <botan/internal/monty.h> |
19 | | #include <botan/internal/monty_exp.h> |
20 | | #include <botan/internal/parsing.h> |
21 | | #include <botan/internal/pk_ops_impl.h> |
22 | | #include <botan/internal/pss_params.h> |
23 | | #include <botan/internal/workfactor.h> |
24 | | |
25 | | #if defined(BOTAN_HAS_THREAD_UTILS) |
26 | | #include <botan/internal/thread_pool.h> |
27 | | #endif |
28 | | |
29 | | namespace Botan { |
30 | | |
31 | | class RSA_Public_Data final { |
32 | | public: |
33 | | RSA_Public_Data(BigInt&& n, BigInt&& e) : |
34 | 13.6k | m_n(std::move(n)), |
35 | 13.6k | m_e(std::move(e)), |
36 | 13.6k | m_monty_n(std::make_shared<Montgomery_Params>(m_n)), |
37 | 13.6k | m_public_modulus_bits(m_n.bits()), |
38 | 13.6k | m_public_modulus_bytes(m_n.bytes()) {} |
39 | | |
40 | 7.51k | BigInt public_op(const BigInt& m) const { |
41 | 7.51k | const size_t powm_window = 1; |
42 | 7.51k | auto powm_m_n = monty_precompute(m_monty_n, m, powm_window, false); |
43 | 7.51k | return monty_execute_vartime(*powm_m_n, m_e); |
44 | 7.51k | } |
45 | | |
46 | 7.54k | const BigInt& get_n() const { return m_n; } |
47 | | |
48 | 0 | const BigInt& get_e() const { return m_e; } |
49 | | |
50 | 7.62k | size_t public_modulus_bits() const { return m_public_modulus_bits; } |
51 | | |
52 | 7.64k | size_t public_modulus_bytes() const { return m_public_modulus_bytes; } |
53 | | |
54 | | private: |
55 | | BigInt m_n; |
56 | | BigInt m_e; |
57 | | std::shared_ptr<const Montgomery_Params> m_monty_n; |
58 | | size_t m_public_modulus_bits; |
59 | | size_t m_public_modulus_bytes; |
60 | | }; |
61 | | |
62 | | class RSA_Private_Data final { |
63 | | public: |
64 | | RSA_Private_Data(BigInt&& d, BigInt&& p, BigInt&& q, BigInt&& d1, BigInt&& d2, BigInt&& c) : |
65 | 5.78k | m_d(std::move(d)), |
66 | 5.78k | m_p(std::move(p)), |
67 | 5.78k | m_q(std::move(q)), |
68 | 5.78k | m_d1(std::move(d1)), |
69 | 5.78k | m_d2(std::move(d2)), |
70 | 5.78k | m_c(std::move(c)), |
71 | 5.78k | m_mod_p(m_p), |
72 | 5.78k | m_mod_q(m_q), |
73 | 5.78k | m_monty_p(std::make_shared<Montgomery_Params>(m_p, m_mod_p)), |
74 | 5.78k | m_monty_q(std::make_shared<Montgomery_Params>(m_q, m_mod_q)), |
75 | 5.78k | m_p_bits(m_p.bits()), |
76 | 5.78k | m_q_bits(m_q.bits()) {} |
77 | | |
78 | 0 | const BigInt& get_d() const { return m_d; } |
79 | | |
80 | 0 | const BigInt& get_p() const { return m_p; } |
81 | | |
82 | 0 | const BigInt& get_q() const { return m_q; } |
83 | | |
84 | 0 | const BigInt& get_d1() const { return m_d1; } |
85 | | |
86 | 0 | const BigInt& get_d2() const { return m_d2; } |
87 | | |
88 | 0 | const BigInt& get_c() const { return m_c; } |
89 | | |
90 | 0 | const Modular_Reducer& mod_p() const { return m_mod_p; } |
91 | | |
92 | 0 | const Modular_Reducer& mod_q() const { return m_mod_q; } |
93 | | |
94 | 0 | const std::shared_ptr<const Montgomery_Params>& monty_p() const { return m_monty_p; } |
95 | | |
96 | 0 | const std::shared_ptr<const Montgomery_Params>& monty_q() const { return m_monty_q; } |
97 | | |
98 | 0 | size_t p_bits() const { return m_p_bits; } |
99 | | |
100 | 0 | size_t q_bits() const { return m_q_bits; } |
101 | | |
102 | | private: |
103 | | BigInt m_d; |
104 | | BigInt m_p; |
105 | | BigInt m_q; |
106 | | BigInt m_d1; |
107 | | BigInt m_d2; |
108 | | BigInt m_c; |
109 | | |
110 | | Modular_Reducer m_mod_p; |
111 | | Modular_Reducer m_mod_q; |
112 | | std::shared_ptr<const Montgomery_Params> m_monty_p; |
113 | | std::shared_ptr<const Montgomery_Params> m_monty_q; |
114 | | size_t m_p_bits; |
115 | | size_t m_q_bits; |
116 | | }; |
117 | | |
118 | 7.73k | std::shared_ptr<const RSA_Public_Data> RSA_PublicKey::public_data() const { |
119 | 7.73k | return m_public; |
120 | 7.73k | } |
121 | | |
122 | 0 | const BigInt& RSA_PublicKey::get_int_field(std::string_view field) const { |
123 | 0 | if(field == "n") { |
124 | 0 | return m_public->get_n(); |
125 | 0 | } else if(field == "e") { |
126 | 0 | return m_public->get_e(); |
127 | 0 | } else { |
128 | 0 | return Public_Key::get_int_field(field); |
129 | 0 | } |
130 | 0 | } |
131 | | |
132 | 0 | std::unique_ptr<Private_Key> RSA_PublicKey::generate_another(RandomNumberGenerator& rng) const { |
133 | 0 | return std::make_unique<RSA_PrivateKey>(rng, m_public->public_modulus_bits(), m_public->get_e().to_u32bit()); |
134 | 0 | } |
135 | | |
136 | 0 | const BigInt& RSA_PublicKey::get_n() const { |
137 | 0 | return m_public->get_n(); |
138 | 0 | } |
139 | | |
140 | 0 | const BigInt& RSA_PublicKey::get_e() const { |
141 | 0 | return m_public->get_e(); |
142 | 0 | } |
143 | | |
144 | 13.8k | void RSA_PublicKey::init(BigInt&& n, BigInt&& e) { |
145 | 13.8k | if(n.is_negative() || n.is_even() || n.bits() < 5 /* n >= 3*5 */ || e.is_negative() || e.is_even()) { |
146 | 141 | throw Decoding_Error("Invalid RSA public key parameters"); |
147 | 141 | } |
148 | 13.6k | m_public = std::make_shared<RSA_Public_Data>(std::move(n), std::move(e)); |
149 | 13.6k | } |
150 | | |
151 | 8.37k | RSA_PublicKey::RSA_PublicKey(const AlgorithmIdentifier& /*unused*/, std::span<const uint8_t> key_bits) { |
152 | 8.37k | BigInt n, e; |
153 | 8.37k | BER_Decoder(key_bits).start_sequence().decode(n).decode(e).end_cons(); |
154 | | |
155 | 8.37k | init(std::move(n), std::move(e)); |
156 | 8.37k | } Unexecuted instantiation: Botan::RSA_PublicKey::RSA_PublicKey(Botan::AlgorithmIdentifier const&, std::__1::span<unsigned char const, 18446744073709551615ul>) Botan::RSA_PublicKey::RSA_PublicKey(Botan::AlgorithmIdentifier const&, std::__1::span<unsigned char const, 18446744073709551615ul>) Line | Count | Source | 151 | 8.37k | RSA_PublicKey::RSA_PublicKey(const AlgorithmIdentifier& /*unused*/, std::span<const uint8_t> key_bits) { | 152 | 8.37k | BigInt n, e; | 153 | 8.37k | BER_Decoder(key_bits).start_sequence().decode(n).decode(e).end_cons(); | 154 | | | 155 | 8.37k | init(std::move(n), std::move(e)); | 156 | 8.37k | } |
|
157 | | |
158 | 0 | bool RSA_PublicKey::supports_operation(PublicKeyOperation op) const { |
159 | 0 | return op == PublicKeyOperation::Signature || op == PublicKeyOperation::Encryption || |
160 | 0 | op == PublicKeyOperation::KeyEncapsulation; |
161 | 0 | } |
162 | | |
163 | 0 | RSA_PublicKey::RSA_PublicKey(const BigInt& modulus, const BigInt& exponent) { |
164 | 0 | BigInt n = modulus; |
165 | 0 | BigInt e = exponent; |
166 | 0 | init(std::move(n), std::move(e)); |
167 | 0 | } Unexecuted instantiation: Botan::RSA_PublicKey::RSA_PublicKey(Botan::BigInt const&, Botan::BigInt const&) Unexecuted instantiation: Botan::RSA_PublicKey::RSA_PublicKey(Botan::BigInt const&, Botan::BigInt const&) |
168 | | |
169 | 112 | size_t RSA_PublicKey::key_length() const { |
170 | 112 | return m_public->public_modulus_bits(); |
171 | 112 | } |
172 | | |
173 | 112 | size_t RSA_PublicKey::estimated_strength() const { |
174 | 112 | return if_work_factor(key_length()); |
175 | 112 | } |
176 | | |
177 | 0 | AlgorithmIdentifier RSA_PublicKey::algorithm_identifier() const { |
178 | 0 | return AlgorithmIdentifier(object_identifier(), AlgorithmIdentifier::USE_NULL_PARAM); |
179 | 0 | } |
180 | | |
181 | 0 | std::vector<uint8_t> RSA_PublicKey::raw_public_key_bits() const { |
182 | 0 | throw Not_Implemented("an RSA public key does not provide a raw binary representation."); |
183 | 0 | } |
184 | | |
185 | 0 | std::vector<uint8_t> RSA_PublicKey::public_key_bits() const { |
186 | 0 | std::vector<uint8_t> output; |
187 | 0 | DER_Encoder der(output); |
188 | 0 | der.start_sequence().encode(get_n()).encode(get_e()).end_cons(); |
189 | |
|
190 | 0 | return output; |
191 | 0 | } |
192 | | |
193 | | /* |
194 | | * Check RSA Public Parameters |
195 | | */ |
196 | 0 | bool RSA_PublicKey::check_key(RandomNumberGenerator& /*rng*/, bool /*strong*/) const { |
197 | 0 | if(get_n() < 35 || get_n().is_even() || get_e() < 3 || get_e().is_even()) { |
198 | 0 | return false; |
199 | 0 | } |
200 | 0 | return true; |
201 | 0 | } |
202 | | |
203 | 0 | std::shared_ptr<const RSA_Private_Data> RSA_PrivateKey::private_data() const { |
204 | 0 | return m_private; |
205 | 0 | } |
206 | | |
207 | 0 | secure_vector<uint8_t> RSA_PrivateKey::private_key_bits() const { |
208 | 0 | return DER_Encoder() |
209 | 0 | .start_sequence() |
210 | 0 | .encode(static_cast<size_t>(0)) |
211 | 0 | .encode(get_n()) |
212 | 0 | .encode(get_e()) |
213 | 0 | .encode(get_d()) |
214 | 0 | .encode(get_p()) |
215 | 0 | .encode(get_q()) |
216 | 0 | .encode(get_d1()) |
217 | 0 | .encode(get_d2()) |
218 | 0 | .encode(get_c()) |
219 | 0 | .end_cons() |
220 | 0 | .get_contents(); |
221 | 0 | } |
222 | | |
223 | 0 | const BigInt& RSA_PrivateKey::get_p() const { |
224 | 0 | return m_private->get_p(); |
225 | 0 | } |
226 | | |
227 | 0 | const BigInt& RSA_PrivateKey::get_q() const { |
228 | 0 | return m_private->get_q(); |
229 | 0 | } |
230 | | |
231 | 0 | const BigInt& RSA_PrivateKey::get_d() const { |
232 | 0 | return m_private->get_d(); |
233 | 0 | } |
234 | | |
235 | 0 | const BigInt& RSA_PrivateKey::get_c() const { |
236 | 0 | return m_private->get_c(); |
237 | 0 | } |
238 | | |
239 | 0 | const BigInt& RSA_PrivateKey::get_d1() const { |
240 | 0 | return m_private->get_d1(); |
241 | 0 | } |
242 | | |
243 | 0 | const BigInt& RSA_PrivateKey::get_d2() const { |
244 | 0 | return m_private->get_d2(); |
245 | 0 | } |
246 | | |
247 | 5.78k | void RSA_PrivateKey::init(BigInt&& d, BigInt&& p, BigInt&& q, BigInt&& d1, BigInt&& d2, BigInt&& c) { |
248 | 5.78k | m_private = std::make_shared<RSA_Private_Data>( |
249 | 5.78k | std::move(d), std::move(p), std::move(q), std::move(d1), std::move(d2), std::move(c)); |
250 | 5.78k | } |
251 | | |
252 | 5.83k | RSA_PrivateKey::RSA_PrivateKey(const AlgorithmIdentifier& /*unused*/, std::span<const uint8_t> key_bits) { |
253 | 5.83k | BigInt n, e, d, p, q, d1, d2, c; |
254 | | |
255 | 5.83k | BER_Decoder(key_bits) |
256 | 5.83k | .start_sequence() |
257 | 5.83k | .decode_and_check<size_t>(0, "Unknown PKCS #1 key format version") |
258 | 5.83k | .decode(n) |
259 | 5.83k | .decode(e) |
260 | 5.83k | .decode(d) |
261 | 5.83k | .decode(p) |
262 | 5.83k | .decode(q) |
263 | 5.83k | .decode(d1) |
264 | 5.83k | .decode(d2) |
265 | 5.83k | .decode(c) |
266 | 5.83k | .end_cons(); |
267 | | |
268 | 5.83k | RSA_PublicKey::init(std::move(n), std::move(e)); |
269 | | |
270 | 5.83k | RSA_PrivateKey::init(std::move(d), std::move(p), std::move(q), std::move(d1), std::move(d2), std::move(c)); |
271 | 5.83k | } Unexecuted instantiation: Botan::RSA_PrivateKey::RSA_PrivateKey(Botan::AlgorithmIdentifier const&, std::__1::span<unsigned char const, 18446744073709551615ul>) Botan::RSA_PrivateKey::RSA_PrivateKey(Botan::AlgorithmIdentifier const&, std::__1::span<unsigned char const, 18446744073709551615ul>) Line | Count | Source | 252 | 5.83k | RSA_PrivateKey::RSA_PrivateKey(const AlgorithmIdentifier& /*unused*/, std::span<const uint8_t> key_bits) { | 253 | 5.83k | BigInt n, e, d, p, q, d1, d2, c; | 254 | | | 255 | 5.83k | BER_Decoder(key_bits) | 256 | 5.83k | .start_sequence() | 257 | 5.83k | .decode_and_check<size_t>(0, "Unknown PKCS #1 key format version") | 258 | 5.83k | .decode(n) | 259 | 5.83k | .decode(e) | 260 | 5.83k | .decode(d) | 261 | 5.83k | .decode(p) | 262 | 5.83k | .decode(q) | 263 | 5.83k | .decode(d1) | 264 | 5.83k | .decode(d2) | 265 | 5.83k | .decode(c) | 266 | 5.83k | .end_cons(); | 267 | | | 268 | 5.83k | RSA_PublicKey::init(std::move(n), std::move(e)); | 269 | | | 270 | 5.83k | RSA_PrivateKey::init(std::move(d), std::move(p), std::move(q), std::move(d1), std::move(d2), std::move(c)); | 271 | 5.83k | } |
|
272 | | |
273 | | RSA_PrivateKey::RSA_PrivateKey( |
274 | 0 | const BigInt& prime1, const BigInt& prime2, const BigInt& exp, const BigInt& d_exp, const BigInt& mod) { |
275 | 0 | BigInt p = prime1; |
276 | 0 | BigInt q = prime2; |
277 | 0 | BigInt n = mod; |
278 | 0 | if(n.is_zero()) { |
279 | 0 | n = p * q; |
280 | 0 | } |
281 | |
|
282 | 0 | BigInt e = exp; |
283 | |
|
284 | 0 | BigInt d = d_exp; |
285 | |
|
286 | 0 | const BigInt p_minus_1 = p - 1; |
287 | 0 | const BigInt q_minus_1 = q - 1; |
288 | |
|
289 | 0 | if(d.is_zero()) { |
290 | 0 | const BigInt phi_n = lcm(p_minus_1, q_minus_1); |
291 | 0 | d = inverse_mod(e, phi_n); |
292 | 0 | } |
293 | |
|
294 | 0 | BigInt d1 = ct_modulo(d, p_minus_1); |
295 | 0 | BigInt d2 = ct_modulo(d, q_minus_1); |
296 | 0 | BigInt c = inverse_mod(q, p); |
297 | |
|
298 | 0 | RSA_PublicKey::init(std::move(n), std::move(e)); |
299 | |
|
300 | 0 | RSA_PrivateKey::init(std::move(d), std::move(p), std::move(q), std::move(d1), std::move(d2), std::move(c)); |
301 | 0 | } Unexecuted instantiation: Botan::RSA_PrivateKey::RSA_PrivateKey(Botan::BigInt const&, Botan::BigInt const&, Botan::BigInt const&, Botan::BigInt const&, Botan::BigInt const&) Unexecuted instantiation: Botan::RSA_PrivateKey::RSA_PrivateKey(Botan::BigInt const&, Botan::BigInt const&, Botan::BigInt const&, Botan::BigInt const&, Botan::BigInt const&) |
302 | | |
303 | | /* |
304 | | * Create a RSA private key |
305 | | */ |
306 | 0 | RSA_PrivateKey::RSA_PrivateKey(RandomNumberGenerator& rng, size_t bits, size_t exp) { |
307 | 0 | if(bits < 1024) { |
308 | 0 | throw Invalid_Argument(fmt("Cannot create an RSA key only {} bits long", bits)); |
309 | 0 | } |
310 | | |
311 | 0 | if(exp < 3 || exp % 2 == 0) { |
312 | 0 | throw Invalid_Argument("Invalid RSA encryption exponent"); |
313 | 0 | } |
314 | | |
315 | 0 | const size_t p_bits = (bits + 1) / 2; |
316 | 0 | const size_t q_bits = bits - p_bits; |
317 | |
|
318 | 0 | BigInt p, q, n; |
319 | 0 | BigInt e = BigInt::from_u64(exp); |
320 | |
|
321 | 0 | for(size_t attempt = 0;; ++attempt) { |
322 | 0 | if(attempt > 10) { |
323 | 0 | throw Internal_Error("RNG failure during RSA key generation"); |
324 | 0 | } |
325 | | |
326 | | // TODO could generate primes in thread pool |
327 | 0 | p = generate_rsa_prime(rng, rng, p_bits, e); |
328 | 0 | q = generate_rsa_prime(rng, rng, q_bits, e); |
329 | |
|
330 | 0 | const BigInt diff = p - q; |
331 | 0 | if(diff.bits() < (bits / 2) - 100) { |
332 | 0 | continue; |
333 | 0 | } |
334 | | |
335 | 0 | n = p * q; |
336 | |
|
337 | 0 | if(n.bits() != bits) { |
338 | 0 | continue; |
339 | 0 | } |
340 | | |
341 | 0 | break; |
342 | 0 | } |
343 | | |
344 | 0 | const BigInt p_minus_1 = p - 1; |
345 | 0 | const BigInt q_minus_1 = q - 1; |
346 | |
|
347 | 0 | const BigInt phi_n = lcm(p_minus_1, q_minus_1); |
348 | | // This is guaranteed because p,q == 3 mod 4 |
349 | 0 | BOTAN_DEBUG_ASSERT(low_zero_bits(phi_n) == 1); |
350 | |
|
351 | 0 | BigInt d = inverse_mod(e, phi_n); |
352 | 0 | BigInt d1 = ct_modulo(d, p_minus_1); |
353 | 0 | BigInt d2 = ct_modulo(d, q_minus_1); |
354 | 0 | BigInt c = inverse_mod(q, p); |
355 | |
|
356 | 0 | RSA_PublicKey::init(std::move(n), std::move(e)); |
357 | |
|
358 | 0 | RSA_PrivateKey::init(std::move(d), std::move(p), std::move(q), std::move(d1), std::move(d2), std::move(c)); |
359 | 0 | } Unexecuted instantiation: Botan::RSA_PrivateKey::RSA_PrivateKey(Botan::RandomNumberGenerator&, unsigned long, unsigned long) Unexecuted instantiation: Botan::RSA_PrivateKey::RSA_PrivateKey(Botan::RandomNumberGenerator&, unsigned long, unsigned long) |
360 | | |
361 | 0 | const BigInt& RSA_PrivateKey::get_int_field(std::string_view field) const { |
362 | 0 | if(field == "p") { |
363 | 0 | return m_private->get_p(); |
364 | 0 | } else if(field == "q") { |
365 | 0 | return m_private->get_q(); |
366 | 0 | } else if(field == "d") { |
367 | 0 | return m_private->get_d(); |
368 | 0 | } else if(field == "c") { |
369 | 0 | return m_private->get_c(); |
370 | 0 | } else if(field == "d1") { |
371 | 0 | return m_private->get_d1(); |
372 | 0 | } else if(field == "d2") { |
373 | 0 | return m_private->get_d2(); |
374 | 0 | } else { |
375 | 0 | return RSA_PublicKey::get_int_field(field); |
376 | 0 | } |
377 | 0 | } |
378 | | |
379 | 0 | std::unique_ptr<Public_Key> RSA_PrivateKey::public_key() const { |
380 | 0 | return std::make_unique<RSA_PublicKey>(get_n(), get_e()); |
381 | 0 | } |
382 | | |
383 | | /* |
384 | | * Check Private RSA Parameters |
385 | | */ |
386 | 0 | bool RSA_PrivateKey::check_key(RandomNumberGenerator& rng, bool strong) const { |
387 | 0 | if(get_n() < 35 || get_n().is_even() || get_e() < 3 || get_e().is_even()) { |
388 | 0 | return false; |
389 | 0 | } |
390 | | |
391 | 0 | if(get_d() < 2 || get_p() < 3 || get_q() < 3) { |
392 | 0 | return false; |
393 | 0 | } |
394 | | |
395 | 0 | if(get_p() * get_q() != get_n()) { |
396 | 0 | return false; |
397 | 0 | } |
398 | | |
399 | 0 | if(get_p() == get_q()) { |
400 | 0 | return false; |
401 | 0 | } |
402 | | |
403 | 0 | if(get_d1() != ct_modulo(get_d(), get_p() - 1)) { |
404 | 0 | return false; |
405 | 0 | } |
406 | 0 | if(get_d2() != ct_modulo(get_d(), get_q() - 1)) { |
407 | 0 | return false; |
408 | 0 | } |
409 | 0 | if(get_c() != inverse_mod(get_q(), get_p())) { |
410 | 0 | return false; |
411 | 0 | } |
412 | | |
413 | 0 | const size_t prob = (strong) ? 128 : 12; |
414 | |
|
415 | 0 | if(!is_prime(get_p(), rng, prob)) { |
416 | 0 | return false; |
417 | 0 | } |
418 | 0 | if(!is_prime(get_q(), rng, prob)) { |
419 | 0 | return false; |
420 | 0 | } |
421 | | |
422 | 0 | if(strong) { |
423 | 0 | if(ct_modulo(get_e() * get_d(), lcm(get_p() - 1, get_q() - 1)) != 1) { |
424 | 0 | return false; |
425 | 0 | } |
426 | | |
427 | 0 | return KeyPair::signature_consistency_check(rng, *this, "EMSA4(SHA-256)"); |
428 | 0 | } |
429 | | |
430 | 0 | return true; |
431 | 0 | } |
432 | | |
433 | | namespace { |
434 | | |
435 | | /** |
436 | | * RSA private (decrypt/sign) operation |
437 | | */ |
438 | | class RSA_Private_Operation { |
439 | | protected: |
440 | 0 | size_t public_modulus_bits() const { return m_public->public_modulus_bits(); } |
441 | | |
442 | 0 | size_t public_modulus_bytes() const { return m_public->public_modulus_bytes(); } |
443 | | |
444 | | explicit RSA_Private_Operation(const RSA_PrivateKey& rsa, RandomNumberGenerator& rng) : |
445 | 0 | m_public(rsa.public_data()), |
446 | 0 | m_private(rsa.private_data()), |
447 | 0 | m_blinder( |
448 | 0 | m_public->get_n(), |
449 | 0 | rng, |
450 | 0 | [this](const BigInt& k) { return m_public->public_op(k); }, |
451 | 0 | [this](const BigInt& k) { return inverse_mod(k, m_public->get_n()); }), |
452 | 0 | m_blinding_bits(64), |
453 | 0 | m_max_d1_bits(m_private->p_bits() + m_blinding_bits), |
454 | 0 | m_max_d2_bits(m_private->q_bits() + m_blinding_bits) {} |
455 | | |
456 | 0 | void raw_op(std::span<uint8_t> out, std::span<const uint8_t> input) { |
457 | 0 | if(input.size() > public_modulus_bytes()) { |
458 | 0 | throw Decoding_Error("RSA input is too long for this key"); |
459 | 0 | } |
460 | 0 | const BigInt input_bn(input.data(), input.size()); |
461 | 0 | if(input_bn >= m_public->get_n()) { |
462 | 0 | throw Decoding_Error("RSA input is too large for this key"); |
463 | 0 | } |
464 | | // TODO: This should be a function on blinder |
465 | | // BigInt Blinder::run_blinded_function(std::function<BigInt, BigInt> fn, const BigInt& input); |
466 | | |
467 | 0 | const BigInt recovered = m_blinder.unblind(rsa_private_op(m_blinder.blind(input_bn))); |
468 | 0 | BOTAN_ASSERT(input_bn == m_public->public_op(recovered), "RSA consistency check"); |
469 | 0 | BOTAN_ASSERT(m_public->public_modulus_bytes() == out.size(), "output size check"); |
470 | 0 | recovered.serialize_to(out); |
471 | 0 | } |
472 | | |
473 | | private: |
474 | 0 | BigInt rsa_private_op(const BigInt& m) const { |
475 | | /* |
476 | | TODO |
477 | | Consider using Montgomery reduction instead of Barrett, using |
478 | | the "Smooth RSA-CRT" method. https://eprint.iacr.org/2007/039.pdf |
479 | | */ |
480 | |
|
481 | 0 | static constexpr size_t powm_window = 4; |
482 | | |
483 | | // Compute this in main thread to avoid racing on the rng |
484 | 0 | const BigInt d1_mask(m_blinder.rng(), m_blinding_bits); |
485 | |
|
486 | 0 | #if defined(BOTAN_HAS_THREAD_UTILS) && !defined(BOTAN_HAS_VALGRIND) |
487 | 0 | #define BOTAN_RSA_USE_ASYNC |
488 | 0 | #endif |
489 | |
|
490 | 0 | #if defined(BOTAN_RSA_USE_ASYNC) |
491 | | /* |
492 | | * Precompute m.sig_words in the main thread before calling async. Otherwise |
493 | | * the two threads race (during Modular_Reducer::reduce) and while the output |
494 | | * is correct in both threads, helgrind warns. |
495 | | */ |
496 | 0 | m.sig_words(); |
497 | |
|
498 | 0 | auto future_j1 = Thread_Pool::global_instance().run([this, &m, &d1_mask]() { |
499 | 0 | #endif |
500 | 0 | const BigInt masked_d1 = m_private->get_d1() + (d1_mask * (m_private->get_p() - 1)); |
501 | 0 | auto powm_d1_p = monty_precompute(m_private->monty_p(), m_private->mod_p().reduce(m), powm_window); |
502 | 0 | BigInt j1 = monty_execute(*powm_d1_p, masked_d1, m_max_d1_bits); |
503 | |
|
504 | 0 | #if defined(BOTAN_RSA_USE_ASYNC) |
505 | 0 | return j1; |
506 | 0 | }); |
507 | 0 | #endif |
508 | |
|
509 | 0 | const BigInt d2_mask(m_blinder.rng(), m_blinding_bits); |
510 | 0 | const BigInt masked_d2 = m_private->get_d2() + (d2_mask * (m_private->get_q() - 1)); |
511 | 0 | auto powm_d2_q = monty_precompute(m_private->monty_q(), m_private->mod_q().reduce(m), powm_window); |
512 | 0 | const BigInt j2 = monty_execute(*powm_d2_q, masked_d2, m_max_d2_bits); |
513 | |
|
514 | 0 | #if defined(BOTAN_RSA_USE_ASYNC) |
515 | 0 | BigInt j1 = future_j1.get(); |
516 | 0 | #endif |
517 | | |
518 | | /* |
519 | | * To recover the final value from the CRT representation (j1,j2) |
520 | | * we use Garner's algorithm: |
521 | | * c = q^-1 mod p (this is precomputed) |
522 | | * h = c*(j1-j2) mod p |
523 | | * m = j2 + h*q |
524 | | * |
525 | | * We must avoid leaking if j1 >= j2 or not, as doing so allows deriving |
526 | | * information about the secret prime. Do this by first adding p to j1, |
527 | | * which should ensure the subtraction of j2 does not underflow. But |
528 | | * this may still underflow if p and q are imbalanced in size. |
529 | | */ |
530 | |
|
531 | 0 | j1 = |
532 | 0 | m_private->mod_p().multiply(m_private->mod_p().reduce((m_private->get_p() + j1) - j2), m_private->get_c()); |
533 | 0 | return j1 * m_private->get_q() + j2; |
534 | 0 | } |
535 | | |
536 | | std::shared_ptr<const RSA_Public_Data> m_public; |
537 | | std::shared_ptr<const RSA_Private_Data> m_private; |
538 | | |
539 | | // XXX could the blinder starting pair be shared? |
540 | | Blinder m_blinder; |
541 | | const size_t m_blinding_bits; |
542 | | const size_t m_max_d1_bits; |
543 | | const size_t m_max_d2_bits; |
544 | | }; |
545 | | |
546 | | class RSA_Signature_Operation final : public PK_Ops::Signature, |
547 | | private RSA_Private_Operation { |
548 | | public: |
549 | 0 | void update(std::span<const uint8_t> msg) override { m_emsa->update(msg.data(), msg.size()); } |
550 | | |
551 | 0 | std::vector<uint8_t> sign(RandomNumberGenerator& rng) override { |
552 | 0 | const size_t max_input_bits = public_modulus_bits() - 1; |
553 | 0 | const auto msg = m_emsa->raw_data(); |
554 | 0 | const auto padded = m_emsa->encoding_of(msg, max_input_bits, rng); |
555 | |
|
556 | 0 | std::vector<uint8_t> out(public_modulus_bytes()); |
557 | 0 | raw_op(out, padded); |
558 | 0 | return out; |
559 | 0 | } |
560 | | |
561 | 0 | size_t signature_length() const override { return public_modulus_bytes(); } |
562 | | |
563 | | AlgorithmIdentifier algorithm_identifier() const override; |
564 | | |
565 | 0 | std::string hash_function() const override { return m_emsa->hash_function(); } |
566 | | |
567 | | RSA_Signature_Operation(const RSA_PrivateKey& rsa, std::string_view padding, RandomNumberGenerator& rng) : |
568 | 0 | RSA_Private_Operation(rsa, rng), m_emsa(EMSA::create_or_throw(padding)) {} |
569 | | |
570 | | private: |
571 | | std::unique_ptr<EMSA> m_emsa; |
572 | | }; |
573 | | |
574 | 0 | AlgorithmIdentifier RSA_Signature_Operation::algorithm_identifier() const { |
575 | 0 | const std::string emsa_name = m_emsa->name(); |
576 | |
|
577 | 0 | try { |
578 | 0 | const std::string full_name = "RSA/" + emsa_name; |
579 | 0 | const OID oid = OID::from_string(full_name); |
580 | 0 | return AlgorithmIdentifier(oid, AlgorithmIdentifier::USE_EMPTY_PARAM); |
581 | 0 | } catch(Lookup_Error&) {} |
582 | | |
583 | 0 | if(emsa_name.starts_with("EMSA4(")) { |
584 | 0 | auto parameters = PSS_Params::from_emsa_name(m_emsa->name()).serialize(); |
585 | 0 | return AlgorithmIdentifier("RSA/EMSA4", parameters); |
586 | 0 | } |
587 | | |
588 | 0 | throw Not_Implemented("No algorithm identifier defined for RSA with " + emsa_name); |
589 | 0 | } |
590 | | |
591 | | class RSA_Decryption_Operation final : public PK_Ops::Decryption_with_EME, |
592 | | private RSA_Private_Operation { |
593 | | public: |
594 | | RSA_Decryption_Operation(const RSA_PrivateKey& rsa, std::string_view eme, RandomNumberGenerator& rng) : |
595 | 0 | PK_Ops::Decryption_with_EME(eme), RSA_Private_Operation(rsa, rng) {} |
596 | | |
597 | 0 | size_t plaintext_length(size_t /*ctext_len*/) const override { return public_modulus_bytes(); } |
598 | | |
599 | 0 | secure_vector<uint8_t> raw_decrypt(std::span<const uint8_t> input) override { |
600 | 0 | secure_vector<uint8_t> out(public_modulus_bytes()); |
601 | 0 | raw_op(out, input); |
602 | 0 | return out; |
603 | 0 | } |
604 | | }; |
605 | | |
606 | | class RSA_KEM_Decryption_Operation final : public PK_Ops::KEM_Decryption_with_KDF, |
607 | | private RSA_Private_Operation { |
608 | | public: |
609 | | RSA_KEM_Decryption_Operation(const RSA_PrivateKey& key, std::string_view kdf, RandomNumberGenerator& rng) : |
610 | 0 | PK_Ops::KEM_Decryption_with_KDF(kdf), RSA_Private_Operation(key, rng) {} |
611 | | |
612 | 0 | size_t raw_kem_shared_key_length() const override { return public_modulus_bytes(); } |
613 | | |
614 | 0 | size_t encapsulated_key_length() const override { return public_modulus_bytes(); } |
615 | | |
616 | 0 | void raw_kem_decrypt(std::span<uint8_t> out_shared_key, std::span<const uint8_t> encapsulated_key) override { |
617 | 0 | raw_op(out_shared_key, encapsulated_key); |
618 | 0 | } |
619 | | }; |
620 | | |
621 | | /** |
622 | | * RSA public (encrypt/verify) operation |
623 | | */ |
624 | | class RSA_Public_Operation { |
625 | | public: |
626 | 7.73k | explicit RSA_Public_Operation(const RSA_PublicKey& rsa) : m_public(rsa.public_data()) {} |
627 | | |
628 | 7.51k | size_t public_modulus_bits() const { return m_public->public_modulus_bits(); } |
629 | | |
630 | | protected: |
631 | 7.54k | BigInt public_op(const BigInt& m) const { |
632 | 7.54k | if(m >= m_public->get_n()) { |
633 | 35 | throw Decoding_Error("RSA public op - input is too large"); |
634 | 35 | } |
635 | | |
636 | 7.51k | return m_public->public_op(m); |
637 | 7.54k | } |
638 | | |
639 | 7.64k | size_t public_modulus_bytes() const { return m_public->public_modulus_bytes(); } |
640 | | |
641 | 0 | const BigInt& get_n() const { return m_public->get_n(); } |
642 | | |
643 | | private: |
644 | | std::shared_ptr<const RSA_Public_Data> m_public; |
645 | | }; |
646 | | |
647 | | class RSA_Encryption_Operation final : public PK_Ops::Encryption_with_EME, |
648 | | private RSA_Public_Operation { |
649 | | public: |
650 | | RSA_Encryption_Operation(const RSA_PublicKey& rsa, std::string_view eme) : |
651 | 0 | PK_Ops::Encryption_with_EME(eme), RSA_Public_Operation(rsa) {} |
652 | | |
653 | 0 | size_t ciphertext_length(size_t /*ptext_len*/) const override { return public_modulus_bytes(); } |
654 | | |
655 | 0 | size_t max_ptext_input_bits() const override { return public_modulus_bits() - 1; } |
656 | | |
657 | 0 | std::vector<uint8_t> raw_encrypt(std::span<const uint8_t> input, RandomNumberGenerator& /*rng*/) override { |
658 | 0 | BigInt input_bn(input); |
659 | 0 | return public_op(input_bn).serialize(public_modulus_bytes()); |
660 | 0 | } |
661 | | }; |
662 | | |
663 | | class RSA_Verify_Operation final : public PK_Ops::Verification, |
664 | | private RSA_Public_Operation { |
665 | | public: |
666 | 7.64k | void update(std::span<const uint8_t> msg) override { m_emsa->update(msg.data(), msg.size()); } |
667 | | |
668 | 7.64k | bool is_valid_signature(std::span<const uint8_t> sig) override { |
669 | 7.64k | const auto msg = m_emsa->raw_data(); |
670 | 7.64k | const auto message_repr = recover_message_repr(sig.data(), sig.size()); |
671 | 7.64k | return m_emsa->verify(message_repr, msg, public_modulus_bits() - 1); |
672 | 7.64k | } |
673 | | |
674 | | RSA_Verify_Operation(const RSA_PublicKey& rsa, std::string_view padding) : |
675 | 7.73k | RSA_Public_Operation(rsa), m_emsa(EMSA::create_or_throw(padding)) {} |
676 | | |
677 | 5.27k | std::string hash_function() const override { return m_emsa->hash_function(); } |
678 | | |
679 | | private: |
680 | 7.64k | std::vector<uint8_t> recover_message_repr(const uint8_t input[], size_t input_len) { |
681 | 7.64k | if(input_len > public_modulus_bytes()) { |
682 | 91 | throw Decoding_Error("RSA signature too large to be valid for this key"); |
683 | 91 | } |
684 | 7.54k | BigInt input_bn(input, input_len); |
685 | 7.54k | return public_op(input_bn).serialize(); |
686 | 7.64k | } |
687 | | |
688 | | std::unique_ptr<EMSA> m_emsa; |
689 | | }; |
690 | | |
691 | | class RSA_KEM_Encryption_Operation final : public PK_Ops::KEM_Encryption_with_KDF, |
692 | | private RSA_Public_Operation { |
693 | | public: |
694 | | RSA_KEM_Encryption_Operation(const RSA_PublicKey& key, std::string_view kdf) : |
695 | 0 | PK_Ops::KEM_Encryption_with_KDF(kdf), RSA_Public_Operation(key) {} |
696 | | |
697 | | private: |
698 | 0 | size_t raw_kem_shared_key_length() const override { return public_modulus_bytes(); } |
699 | | |
700 | 0 | size_t encapsulated_key_length() const override { return public_modulus_bytes(); } |
701 | | |
702 | | void raw_kem_encrypt(std::span<uint8_t> out_encapsulated_key, |
703 | | std::span<uint8_t> raw_shared_key, |
704 | 0 | RandomNumberGenerator& rng) override { |
705 | 0 | const BigInt r = BigInt::random_integer(rng, 1, get_n()); |
706 | 0 | const BigInt c = public_op(r); |
707 | |
|
708 | 0 | c.serialize_to(out_encapsulated_key); |
709 | 0 | r.serialize_to(raw_shared_key); |
710 | 0 | } |
711 | | }; |
712 | | |
713 | | } // namespace |
714 | | |
715 | | std::unique_ptr<PK_Ops::Encryption> RSA_PublicKey::create_encryption_op(RandomNumberGenerator& /*rng*/, |
716 | | std::string_view params, |
717 | 0 | std::string_view provider) const { |
718 | 0 | if(provider == "base" || provider.empty()) { |
719 | 0 | return std::make_unique<RSA_Encryption_Operation>(*this, params); |
720 | 0 | } |
721 | 0 | throw Provider_Not_Found(algo_name(), provider); |
722 | 0 | } |
723 | | |
724 | | std::unique_ptr<PK_Ops::KEM_Encryption> RSA_PublicKey::create_kem_encryption_op(std::string_view params, |
725 | 0 | std::string_view provider) const { |
726 | 0 | if(provider == "base" || provider.empty()) { |
727 | 0 | return std::make_unique<RSA_KEM_Encryption_Operation>(*this, params); |
728 | 0 | } |
729 | 0 | throw Provider_Not_Found(algo_name(), provider); |
730 | 0 | } |
731 | | |
732 | | std::unique_ptr<PK_Ops::Verification> RSA_PublicKey::create_verification_op(std::string_view params, |
733 | 0 | std::string_view provider) const { |
734 | 0 | if(provider == "base" || provider.empty()) { |
735 | 0 | return std::make_unique<RSA_Verify_Operation>(*this, params); |
736 | 0 | } |
737 | | |
738 | 0 | throw Provider_Not_Found(algo_name(), provider); |
739 | 0 | } |
740 | | |
741 | | namespace { |
742 | | |
743 | 7.89k | std::string parse_rsa_signature_algorithm(const AlgorithmIdentifier& alg_id) { |
744 | 7.89k | const auto sig_info = split_on(alg_id.oid().to_formatted_string(), '/'); |
745 | | |
746 | 7.89k | if(sig_info.empty() || sig_info.size() != 2 || sig_info[0] != "RSA") { |
747 | 101 | throw Decoding_Error("Unknown AlgorithmIdentifier for RSA X.509 signatures"); |
748 | 101 | } |
749 | | |
750 | 7.79k | std::string padding = sig_info[1]; |
751 | | |
752 | 7.79k | if(padding == "EMSA4") { |
753 | | // "MUST contain RSASSA-PSS-params" |
754 | 164 | if(alg_id.parameters().empty()) { |
755 | 0 | throw Decoding_Error("PSS params must be provided"); |
756 | 0 | } |
757 | | |
758 | 164 | PSS_Params pss_params(alg_id.parameters()); |
759 | | |
760 | | // hash_algo must be SHA1, SHA2-224, SHA2-256, SHA2-384 or SHA2-512 |
761 | 164 | const std::string hash_algo = pss_params.hash_function(); |
762 | 164 | if(hash_algo != "SHA-1" && hash_algo != "SHA-224" && hash_algo != "SHA-256" && hash_algo != "SHA-384" && |
763 | 164 | hash_algo != "SHA-512") { |
764 | 4 | throw Decoding_Error("Unacceptable hash for PSS signatures"); |
765 | 4 | } |
766 | | |
767 | 160 | if(pss_params.mgf_function() != "MGF1") { |
768 | 3 | throw Decoding_Error("Unacceptable MGF for PSS signatures"); |
769 | 3 | } |
770 | | |
771 | | // For MGF1, it is strongly RECOMMENDED that the underlying hash |
772 | | // function be the same as the one identified by hashAlgorithm |
773 | | // |
774 | | // Must be SHA1, SHA2-224, SHA2-256, SHA2-384 or SHA2-512 |
775 | 157 | if(pss_params.hash_algid() != pss_params.mgf_hash_algid()) { |
776 | 9 | throw Decoding_Error("Unacceptable MGF hash for PSS signatures"); |
777 | 9 | } |
778 | | |
779 | 148 | if(pss_params.trailer_field() != 1) { |
780 | 1 | throw Decoding_Error("Unacceptable trailer field for PSS signatures"); |
781 | 1 | } |
782 | | |
783 | 147 | padding += fmt("({},MGF1,{})", hash_algo, pss_params.salt_length()); |
784 | 147 | } |
785 | | |
786 | 7.77k | return padding; |
787 | 7.79k | } |
788 | | |
789 | | } // namespace |
790 | | |
791 | | std::unique_ptr<PK_Ops::Verification> RSA_PublicKey::create_x509_verification_op(const AlgorithmIdentifier& alg_id, |
792 | 7.89k | std::string_view provider) const { |
793 | 7.89k | if(provider == "base" || provider.empty()) { |
794 | 7.89k | return std::make_unique<RSA_Verify_Operation>(*this, parse_rsa_signature_algorithm(alg_id)); |
795 | 7.89k | } |
796 | | |
797 | 0 | throw Provider_Not_Found(algo_name(), provider); |
798 | 7.89k | } |
799 | | |
800 | | std::unique_ptr<PK_Ops::Decryption> RSA_PrivateKey::create_decryption_op(RandomNumberGenerator& rng, |
801 | | std::string_view params, |
802 | 0 | std::string_view provider) const { |
803 | 0 | if(provider == "base" || provider.empty()) { |
804 | 0 | return std::make_unique<RSA_Decryption_Operation>(*this, params, rng); |
805 | 0 | } |
806 | | |
807 | 0 | throw Provider_Not_Found(algo_name(), provider); |
808 | 0 | } |
809 | | |
810 | | std::unique_ptr<PK_Ops::KEM_Decryption> RSA_PrivateKey::create_kem_decryption_op(RandomNumberGenerator& rng, |
811 | | std::string_view params, |
812 | 0 | std::string_view provider) const { |
813 | 0 | if(provider == "base" || provider.empty()) { |
814 | 0 | return std::make_unique<RSA_KEM_Decryption_Operation>(*this, params, rng); |
815 | 0 | } |
816 | | |
817 | 0 | throw Provider_Not_Found(algo_name(), provider); |
818 | 0 | } |
819 | | |
820 | | std::unique_ptr<PK_Ops::Signature> RSA_PrivateKey::create_signature_op(RandomNumberGenerator& rng, |
821 | | std::string_view params, |
822 | 0 | std::string_view provider) const { |
823 | 0 | if(provider == "base" || provider.empty()) { |
824 | 0 | return std::make_unique<RSA_Signature_Operation>(*this, params, rng); |
825 | 0 | } |
826 | | |
827 | 0 | throw Provider_Not_Found(algo_name(), provider); |
828 | 0 | } |
829 | | |
830 | | } // namespace Botan |