Coverage Report

Created: 2024-11-29 06:10

/src/botan/src/lib/pubkey/rsa/rsa.cpp
Line
Count
Source (jump to first uncovered line)
1
/*
2
* RSA
3
* (C) 1999-2010,2015,2016,2018,2019,2023 Jack Lloyd
4
*
5
* Botan is released under the Simplified BSD License (see license.txt)
6
*/
7
8
#include <botan/rsa.h>
9
10
#include <botan/ber_dec.h>
11
#include <botan/der_enc.h>
12
#include <botan/reducer.h>
13
#include <botan/internal/blinding.h>
14
#include <botan/internal/divide.h>
15
#include <botan/internal/emsa.h>
16
#include <botan/internal/fmt.h>
17
#include <botan/internal/keypair.h>
18
#include <botan/internal/monty.h>
19
#include <botan/internal/monty_exp.h>
20
#include <botan/internal/parsing.h>
21
#include <botan/internal/pk_ops_impl.h>
22
#include <botan/internal/pss_params.h>
23
#include <botan/internal/workfactor.h>
24
25
#if defined(BOTAN_HAS_THREAD_UTILS)
26
   #include <botan/internal/thread_pool.h>
27
#endif
28
29
namespace Botan {
30
31
class RSA_Public_Data final {
32
   public:
33
      RSA_Public_Data(BigInt&& n, BigInt&& e) :
34
13.6k
            m_n(std::move(n)),
35
13.6k
            m_e(std::move(e)),
36
13.6k
            m_monty_n(std::make_shared<Montgomery_Params>(m_n)),
37
13.6k
            m_public_modulus_bits(m_n.bits()),
38
13.6k
            m_public_modulus_bytes(m_n.bytes()) {}
39
40
7.51k
      BigInt public_op(const BigInt& m) const {
41
7.51k
         const size_t powm_window = 1;
42
7.51k
         auto powm_m_n = monty_precompute(m_monty_n, m, powm_window, false);
43
7.51k
         return monty_execute_vartime(*powm_m_n, m_e);
44
7.51k
      }
45
46
7.54k
      const BigInt& get_n() const { return m_n; }
47
48
0
      const BigInt& get_e() const { return m_e; }
49
50
7.62k
      size_t public_modulus_bits() const { return m_public_modulus_bits; }
51
52
7.64k
      size_t public_modulus_bytes() const { return m_public_modulus_bytes; }
53
54
   private:
55
      BigInt m_n;
56
      BigInt m_e;
57
      std::shared_ptr<const Montgomery_Params> m_monty_n;
58
      size_t m_public_modulus_bits;
59
      size_t m_public_modulus_bytes;
60
};
61
62
class RSA_Private_Data final {
63
   public:
64
      RSA_Private_Data(BigInt&& d, BigInt&& p, BigInt&& q, BigInt&& d1, BigInt&& d2, BigInt&& c) :
65
5.78k
            m_d(std::move(d)),
66
5.78k
            m_p(std::move(p)),
67
5.78k
            m_q(std::move(q)),
68
5.78k
            m_d1(std::move(d1)),
69
5.78k
            m_d2(std::move(d2)),
70
5.78k
            m_c(std::move(c)),
71
5.78k
            m_mod_p(m_p),
72
5.78k
            m_mod_q(m_q),
73
5.78k
            m_monty_p(std::make_shared<Montgomery_Params>(m_p, m_mod_p)),
74
5.78k
            m_monty_q(std::make_shared<Montgomery_Params>(m_q, m_mod_q)),
75
5.78k
            m_p_bits(m_p.bits()),
76
5.78k
            m_q_bits(m_q.bits()) {}
77
78
0
      const BigInt& get_d() const { return m_d; }
79
80
0
      const BigInt& get_p() const { return m_p; }
81
82
0
      const BigInt& get_q() const { return m_q; }
83
84
0
      const BigInt& get_d1() const { return m_d1; }
85
86
0
      const BigInt& get_d2() const { return m_d2; }
87
88
0
      const BigInt& get_c() const { return m_c; }
89
90
0
      const Modular_Reducer& mod_p() const { return m_mod_p; }
91
92
0
      const Modular_Reducer& mod_q() const { return m_mod_q; }
93
94
0
      const std::shared_ptr<const Montgomery_Params>& monty_p() const { return m_monty_p; }
95
96
0
      const std::shared_ptr<const Montgomery_Params>& monty_q() const { return m_monty_q; }
97
98
0
      size_t p_bits() const { return m_p_bits; }
99
100
0
      size_t q_bits() const { return m_q_bits; }
101
102
   private:
103
      BigInt m_d;
104
      BigInt m_p;
105
      BigInt m_q;
106
      BigInt m_d1;
107
      BigInt m_d2;
108
      BigInt m_c;
109
110
      Modular_Reducer m_mod_p;
111
      Modular_Reducer m_mod_q;
112
      std::shared_ptr<const Montgomery_Params> m_monty_p;
113
      std::shared_ptr<const Montgomery_Params> m_monty_q;
114
      size_t m_p_bits;
115
      size_t m_q_bits;
116
};
117
118
7.73k
std::shared_ptr<const RSA_Public_Data> RSA_PublicKey::public_data() const {
119
7.73k
   return m_public;
120
7.73k
}
121
122
0
const BigInt& RSA_PublicKey::get_int_field(std::string_view field) const {
123
0
   if(field == "n") {
124
0
      return m_public->get_n();
125
0
   } else if(field == "e") {
126
0
      return m_public->get_e();
127
0
   } else {
128
0
      return Public_Key::get_int_field(field);
129
0
   }
130
0
}
131
132
0
std::unique_ptr<Private_Key> RSA_PublicKey::generate_another(RandomNumberGenerator& rng) const {
133
0
   return std::make_unique<RSA_PrivateKey>(rng, m_public->public_modulus_bits(), m_public->get_e().to_u32bit());
134
0
}
135
136
0
const BigInt& RSA_PublicKey::get_n() const {
137
0
   return m_public->get_n();
138
0
}
139
140
0
const BigInt& RSA_PublicKey::get_e() const {
141
0
   return m_public->get_e();
142
0
}
143
144
13.8k
void RSA_PublicKey::init(BigInt&& n, BigInt&& e) {
145
13.8k
   if(n.is_negative() || n.is_even() || n.bits() < 5 /* n >= 3*5 */ || e.is_negative() || e.is_even()) {
146
141
      throw Decoding_Error("Invalid RSA public key parameters");
147
141
   }
148
13.6k
   m_public = std::make_shared<RSA_Public_Data>(std::move(n), std::move(e));
149
13.6k
}
150
151
8.37k
RSA_PublicKey::RSA_PublicKey(const AlgorithmIdentifier& /*unused*/, std::span<const uint8_t> key_bits) {
152
8.37k
   BigInt n, e;
153
8.37k
   BER_Decoder(key_bits).start_sequence().decode(n).decode(e).end_cons();
154
155
8.37k
   init(std::move(n), std::move(e));
156
8.37k
}
Unexecuted instantiation: Botan::RSA_PublicKey::RSA_PublicKey(Botan::AlgorithmIdentifier const&, std::__1::span<unsigned char const, 18446744073709551615ul>)
Botan::RSA_PublicKey::RSA_PublicKey(Botan::AlgorithmIdentifier const&, std::__1::span<unsigned char const, 18446744073709551615ul>)
Line
Count
Source
151
8.37k
RSA_PublicKey::RSA_PublicKey(const AlgorithmIdentifier& /*unused*/, std::span<const uint8_t> key_bits) {
152
8.37k
   BigInt n, e;
153
8.37k
   BER_Decoder(key_bits).start_sequence().decode(n).decode(e).end_cons();
154
155
8.37k
   init(std::move(n), std::move(e));
156
8.37k
}
157
158
0
bool RSA_PublicKey::supports_operation(PublicKeyOperation op) const {
159
0
   return op == PublicKeyOperation::Signature || op == PublicKeyOperation::Encryption ||
160
0
          op == PublicKeyOperation::KeyEncapsulation;
161
0
}
162
163
0
RSA_PublicKey::RSA_PublicKey(const BigInt& modulus, const BigInt& exponent) {
164
0
   BigInt n = modulus;
165
0
   BigInt e = exponent;
166
0
   init(std::move(n), std::move(e));
167
0
}
Unexecuted instantiation: Botan::RSA_PublicKey::RSA_PublicKey(Botan::BigInt const&, Botan::BigInt const&)
Unexecuted instantiation: Botan::RSA_PublicKey::RSA_PublicKey(Botan::BigInt const&, Botan::BigInt const&)
168
169
112
size_t RSA_PublicKey::key_length() const {
170
112
   return m_public->public_modulus_bits();
171
112
}
172
173
112
size_t RSA_PublicKey::estimated_strength() const {
174
112
   return if_work_factor(key_length());
175
112
}
176
177
0
AlgorithmIdentifier RSA_PublicKey::algorithm_identifier() const {
178
0
   return AlgorithmIdentifier(object_identifier(), AlgorithmIdentifier::USE_NULL_PARAM);
179
0
}
180
181
0
std::vector<uint8_t> RSA_PublicKey::raw_public_key_bits() const {
182
0
   throw Not_Implemented("an RSA public key does not provide a raw binary representation.");
183
0
}
184
185
0
std::vector<uint8_t> RSA_PublicKey::public_key_bits() const {
186
0
   std::vector<uint8_t> output;
187
0
   DER_Encoder der(output);
188
0
   der.start_sequence().encode(get_n()).encode(get_e()).end_cons();
189
190
0
   return output;
191
0
}
192
193
/*
194
* Check RSA Public Parameters
195
*/
196
0
bool RSA_PublicKey::check_key(RandomNumberGenerator& /*rng*/, bool /*strong*/) const {
197
0
   if(get_n() < 35 || get_n().is_even() || get_e() < 3 || get_e().is_even()) {
198
0
      return false;
199
0
   }
200
0
   return true;
201
0
}
202
203
0
std::shared_ptr<const RSA_Private_Data> RSA_PrivateKey::private_data() const {
204
0
   return m_private;
205
0
}
206
207
0
secure_vector<uint8_t> RSA_PrivateKey::private_key_bits() const {
208
0
   return DER_Encoder()
209
0
      .start_sequence()
210
0
      .encode(static_cast<size_t>(0))
211
0
      .encode(get_n())
212
0
      .encode(get_e())
213
0
      .encode(get_d())
214
0
      .encode(get_p())
215
0
      .encode(get_q())
216
0
      .encode(get_d1())
217
0
      .encode(get_d2())
218
0
      .encode(get_c())
219
0
      .end_cons()
220
0
      .get_contents();
221
0
}
222
223
0
const BigInt& RSA_PrivateKey::get_p() const {
224
0
   return m_private->get_p();
225
0
}
226
227
0
const BigInt& RSA_PrivateKey::get_q() const {
228
0
   return m_private->get_q();
229
0
}
230
231
0
const BigInt& RSA_PrivateKey::get_d() const {
232
0
   return m_private->get_d();
233
0
}
234
235
0
const BigInt& RSA_PrivateKey::get_c() const {
236
0
   return m_private->get_c();
237
0
}
238
239
0
const BigInt& RSA_PrivateKey::get_d1() const {
240
0
   return m_private->get_d1();
241
0
}
242
243
0
const BigInt& RSA_PrivateKey::get_d2() const {
244
0
   return m_private->get_d2();
245
0
}
246
247
5.78k
void RSA_PrivateKey::init(BigInt&& d, BigInt&& p, BigInt&& q, BigInt&& d1, BigInt&& d2, BigInt&& c) {
248
5.78k
   m_private = std::make_shared<RSA_Private_Data>(
249
5.78k
      std::move(d), std::move(p), std::move(q), std::move(d1), std::move(d2), std::move(c));
250
5.78k
}
251
252
5.83k
RSA_PrivateKey::RSA_PrivateKey(const AlgorithmIdentifier& /*unused*/, std::span<const uint8_t> key_bits) {
253
5.83k
   BigInt n, e, d, p, q, d1, d2, c;
254
255
5.83k
   BER_Decoder(key_bits)
256
5.83k
      .start_sequence()
257
5.83k
      .decode_and_check<size_t>(0, "Unknown PKCS #1 key format version")
258
5.83k
      .decode(n)
259
5.83k
      .decode(e)
260
5.83k
      .decode(d)
261
5.83k
      .decode(p)
262
5.83k
      .decode(q)
263
5.83k
      .decode(d1)
264
5.83k
      .decode(d2)
265
5.83k
      .decode(c)
266
5.83k
      .end_cons();
267
268
5.83k
   RSA_PublicKey::init(std::move(n), std::move(e));
269
270
5.83k
   RSA_PrivateKey::init(std::move(d), std::move(p), std::move(q), std::move(d1), std::move(d2), std::move(c));
271
5.83k
}
Unexecuted instantiation: Botan::RSA_PrivateKey::RSA_PrivateKey(Botan::AlgorithmIdentifier const&, std::__1::span<unsigned char const, 18446744073709551615ul>)
Botan::RSA_PrivateKey::RSA_PrivateKey(Botan::AlgorithmIdentifier const&, std::__1::span<unsigned char const, 18446744073709551615ul>)
Line
Count
Source
252
5.83k
RSA_PrivateKey::RSA_PrivateKey(const AlgorithmIdentifier& /*unused*/, std::span<const uint8_t> key_bits) {
253
5.83k
   BigInt n, e, d, p, q, d1, d2, c;
254
255
5.83k
   BER_Decoder(key_bits)
256
5.83k
      .start_sequence()
257
5.83k
      .decode_and_check<size_t>(0, "Unknown PKCS #1 key format version")
258
5.83k
      .decode(n)
259
5.83k
      .decode(e)
260
5.83k
      .decode(d)
261
5.83k
      .decode(p)
262
5.83k
      .decode(q)
263
5.83k
      .decode(d1)
264
5.83k
      .decode(d2)
265
5.83k
      .decode(c)
266
5.83k
      .end_cons();
267
268
5.83k
   RSA_PublicKey::init(std::move(n), std::move(e));
269
270
5.83k
   RSA_PrivateKey::init(std::move(d), std::move(p), std::move(q), std::move(d1), std::move(d2), std::move(c));
271
5.83k
}
272
273
RSA_PrivateKey::RSA_PrivateKey(
274
0
   const BigInt& prime1, const BigInt& prime2, const BigInt& exp, const BigInt& d_exp, const BigInt& mod) {
275
0
   BigInt p = prime1;
276
0
   BigInt q = prime2;
277
0
   BigInt n = mod;
278
0
   if(n.is_zero()) {
279
0
      n = p * q;
280
0
   }
281
282
0
   BigInt e = exp;
283
284
0
   BigInt d = d_exp;
285
286
0
   const BigInt p_minus_1 = p - 1;
287
0
   const BigInt q_minus_1 = q - 1;
288
289
0
   if(d.is_zero()) {
290
0
      const BigInt phi_n = lcm(p_minus_1, q_minus_1);
291
0
      d = inverse_mod(e, phi_n);
292
0
   }
293
294
0
   BigInt d1 = ct_modulo(d, p_minus_1);
295
0
   BigInt d2 = ct_modulo(d, q_minus_1);
296
0
   BigInt c = inverse_mod(q, p);
297
298
0
   RSA_PublicKey::init(std::move(n), std::move(e));
299
300
0
   RSA_PrivateKey::init(std::move(d), std::move(p), std::move(q), std::move(d1), std::move(d2), std::move(c));
301
0
}
Unexecuted instantiation: Botan::RSA_PrivateKey::RSA_PrivateKey(Botan::BigInt const&, Botan::BigInt const&, Botan::BigInt const&, Botan::BigInt const&, Botan::BigInt const&)
Unexecuted instantiation: Botan::RSA_PrivateKey::RSA_PrivateKey(Botan::BigInt const&, Botan::BigInt const&, Botan::BigInt const&, Botan::BigInt const&, Botan::BigInt const&)
302
303
/*
304
* Create a RSA private key
305
*/
306
0
RSA_PrivateKey::RSA_PrivateKey(RandomNumberGenerator& rng, size_t bits, size_t exp) {
307
0
   if(bits < 1024) {
308
0
      throw Invalid_Argument(fmt("Cannot create an RSA key only {} bits long", bits));
309
0
   }
310
311
0
   if(exp < 3 || exp % 2 == 0) {
312
0
      throw Invalid_Argument("Invalid RSA encryption exponent");
313
0
   }
314
315
0
   const size_t p_bits = (bits + 1) / 2;
316
0
   const size_t q_bits = bits - p_bits;
317
318
0
   BigInt p, q, n;
319
0
   BigInt e = BigInt::from_u64(exp);
320
321
0
   for(size_t attempt = 0;; ++attempt) {
322
0
      if(attempt > 10) {
323
0
         throw Internal_Error("RNG failure during RSA key generation");
324
0
      }
325
326
      // TODO could generate primes in thread pool
327
0
      p = generate_rsa_prime(rng, rng, p_bits, e);
328
0
      q = generate_rsa_prime(rng, rng, q_bits, e);
329
330
0
      const BigInt diff = p - q;
331
0
      if(diff.bits() < (bits / 2) - 100) {
332
0
         continue;
333
0
      }
334
335
0
      n = p * q;
336
337
0
      if(n.bits() != bits) {
338
0
         continue;
339
0
      }
340
341
0
      break;
342
0
   }
343
344
0
   const BigInt p_minus_1 = p - 1;
345
0
   const BigInt q_minus_1 = q - 1;
346
347
0
   const BigInt phi_n = lcm(p_minus_1, q_minus_1);
348
   // This is guaranteed because p,q == 3 mod 4
349
0
   BOTAN_DEBUG_ASSERT(low_zero_bits(phi_n) == 1);
350
351
0
   BigInt d = inverse_mod(e, phi_n);
352
0
   BigInt d1 = ct_modulo(d, p_minus_1);
353
0
   BigInt d2 = ct_modulo(d, q_minus_1);
354
0
   BigInt c = inverse_mod(q, p);
355
356
0
   RSA_PublicKey::init(std::move(n), std::move(e));
357
358
0
   RSA_PrivateKey::init(std::move(d), std::move(p), std::move(q), std::move(d1), std::move(d2), std::move(c));
359
0
}
Unexecuted instantiation: Botan::RSA_PrivateKey::RSA_PrivateKey(Botan::RandomNumberGenerator&, unsigned long, unsigned long)
Unexecuted instantiation: Botan::RSA_PrivateKey::RSA_PrivateKey(Botan::RandomNumberGenerator&, unsigned long, unsigned long)
360
361
0
const BigInt& RSA_PrivateKey::get_int_field(std::string_view field) const {
362
0
   if(field == "p") {
363
0
      return m_private->get_p();
364
0
   } else if(field == "q") {
365
0
      return m_private->get_q();
366
0
   } else if(field == "d") {
367
0
      return m_private->get_d();
368
0
   } else if(field == "c") {
369
0
      return m_private->get_c();
370
0
   } else if(field == "d1") {
371
0
      return m_private->get_d1();
372
0
   } else if(field == "d2") {
373
0
      return m_private->get_d2();
374
0
   } else {
375
0
      return RSA_PublicKey::get_int_field(field);
376
0
   }
377
0
}
378
379
0
std::unique_ptr<Public_Key> RSA_PrivateKey::public_key() const {
380
0
   return std::make_unique<RSA_PublicKey>(get_n(), get_e());
381
0
}
382
383
/*
384
* Check Private RSA Parameters
385
*/
386
0
bool RSA_PrivateKey::check_key(RandomNumberGenerator& rng, bool strong) const {
387
0
   if(get_n() < 35 || get_n().is_even() || get_e() < 3 || get_e().is_even()) {
388
0
      return false;
389
0
   }
390
391
0
   if(get_d() < 2 || get_p() < 3 || get_q() < 3) {
392
0
      return false;
393
0
   }
394
395
0
   if(get_p() * get_q() != get_n()) {
396
0
      return false;
397
0
   }
398
399
0
   if(get_p() == get_q()) {
400
0
      return false;
401
0
   }
402
403
0
   if(get_d1() != ct_modulo(get_d(), get_p() - 1)) {
404
0
      return false;
405
0
   }
406
0
   if(get_d2() != ct_modulo(get_d(), get_q() - 1)) {
407
0
      return false;
408
0
   }
409
0
   if(get_c() != inverse_mod(get_q(), get_p())) {
410
0
      return false;
411
0
   }
412
413
0
   const size_t prob = (strong) ? 128 : 12;
414
415
0
   if(!is_prime(get_p(), rng, prob)) {
416
0
      return false;
417
0
   }
418
0
   if(!is_prime(get_q(), rng, prob)) {
419
0
      return false;
420
0
   }
421
422
0
   if(strong) {
423
0
      if(ct_modulo(get_e() * get_d(), lcm(get_p() - 1, get_q() - 1)) != 1) {
424
0
         return false;
425
0
      }
426
427
0
      return KeyPair::signature_consistency_check(rng, *this, "EMSA4(SHA-256)");
428
0
   }
429
430
0
   return true;
431
0
}
432
433
namespace {
434
435
/**
436
* RSA private (decrypt/sign) operation
437
*/
438
class RSA_Private_Operation {
439
   protected:
440
0
      size_t public_modulus_bits() const { return m_public->public_modulus_bits(); }
441
442
0
      size_t public_modulus_bytes() const { return m_public->public_modulus_bytes(); }
443
444
      explicit RSA_Private_Operation(const RSA_PrivateKey& rsa, RandomNumberGenerator& rng) :
445
0
            m_public(rsa.public_data()),
446
0
            m_private(rsa.private_data()),
447
0
            m_blinder(
448
0
               m_public->get_n(),
449
0
               rng,
450
0
               [this](const BigInt& k) { return m_public->public_op(k); },
451
0
               [this](const BigInt& k) { return inverse_mod(k, m_public->get_n()); }),
452
0
            m_blinding_bits(64),
453
0
            m_max_d1_bits(m_private->p_bits() + m_blinding_bits),
454
0
            m_max_d2_bits(m_private->q_bits() + m_blinding_bits) {}
455
456
0
      void raw_op(std::span<uint8_t> out, std::span<const uint8_t> input) {
457
0
         if(input.size() > public_modulus_bytes()) {
458
0
            throw Decoding_Error("RSA input is too long for this key");
459
0
         }
460
0
         const BigInt input_bn(input.data(), input.size());
461
0
         if(input_bn >= m_public->get_n()) {
462
0
            throw Decoding_Error("RSA input is too large for this key");
463
0
         }
464
         // TODO: This should be a function on blinder
465
         // BigInt Blinder::run_blinded_function(std::function<BigInt, BigInt> fn, const BigInt& input);
466
467
0
         const BigInt recovered = m_blinder.unblind(rsa_private_op(m_blinder.blind(input_bn)));
468
0
         BOTAN_ASSERT(input_bn == m_public->public_op(recovered), "RSA consistency check");
469
0
         BOTAN_ASSERT(m_public->public_modulus_bytes() == out.size(), "output size check");
470
0
         recovered.serialize_to(out);
471
0
      }
472
473
   private:
474
0
      BigInt rsa_private_op(const BigInt& m) const {
475
         /*
476
         TODO
477
         Consider using Montgomery reduction instead of Barrett, using
478
         the "Smooth RSA-CRT" method. https://eprint.iacr.org/2007/039.pdf
479
         */
480
481
0
         static constexpr size_t powm_window = 4;
482
483
         // Compute this in main thread to avoid racing on the rng
484
0
         const BigInt d1_mask(m_blinder.rng(), m_blinding_bits);
485
486
0
#if defined(BOTAN_HAS_THREAD_UTILS) && !defined(BOTAN_HAS_VALGRIND)
487
0
   #define BOTAN_RSA_USE_ASYNC
488
0
#endif
489
490
0
#if defined(BOTAN_RSA_USE_ASYNC)
491
         /*
492
         * Precompute m.sig_words in the main thread before calling async. Otherwise
493
         * the two threads race (during Modular_Reducer::reduce) and while the output
494
         * is correct in both threads, helgrind warns.
495
         */
496
0
         m.sig_words();
497
498
0
         auto future_j1 = Thread_Pool::global_instance().run([this, &m, &d1_mask]() {
499
0
#endif
500
0
            const BigInt masked_d1 = m_private->get_d1() + (d1_mask * (m_private->get_p() - 1));
501
0
            auto powm_d1_p = monty_precompute(m_private->monty_p(), m_private->mod_p().reduce(m), powm_window);
502
0
            BigInt j1 = monty_execute(*powm_d1_p, masked_d1, m_max_d1_bits);
503
504
0
#if defined(BOTAN_RSA_USE_ASYNC)
505
0
            return j1;
506
0
         });
507
0
#endif
508
509
0
         const BigInt d2_mask(m_blinder.rng(), m_blinding_bits);
510
0
         const BigInt masked_d2 = m_private->get_d2() + (d2_mask * (m_private->get_q() - 1));
511
0
         auto powm_d2_q = monty_precompute(m_private->monty_q(), m_private->mod_q().reduce(m), powm_window);
512
0
         const BigInt j2 = monty_execute(*powm_d2_q, masked_d2, m_max_d2_bits);
513
514
0
#if defined(BOTAN_RSA_USE_ASYNC)
515
0
         BigInt j1 = future_j1.get();
516
0
#endif
517
518
         /*
519
         * To recover the final value from the CRT representation (j1,j2)
520
         * we use Garner's algorithm:
521
         * c = q^-1 mod p (this is precomputed)
522
         * h = c*(j1-j2) mod p
523
         * m = j2 + h*q
524
         *
525
         * We must avoid leaking if j1 >= j2 or not, as doing so allows deriving
526
         * information about the secret prime. Do this by first adding p to j1,
527
         * which should ensure the subtraction of j2 does not underflow. But
528
         * this may still underflow if p and q are imbalanced in size.
529
         */
530
531
0
         j1 =
532
0
            m_private->mod_p().multiply(m_private->mod_p().reduce((m_private->get_p() + j1) - j2), m_private->get_c());
533
0
         return j1 * m_private->get_q() + j2;
534
0
      }
535
536
      std::shared_ptr<const RSA_Public_Data> m_public;
537
      std::shared_ptr<const RSA_Private_Data> m_private;
538
539
      // XXX could the blinder starting pair be shared?
540
      Blinder m_blinder;
541
      const size_t m_blinding_bits;
542
      const size_t m_max_d1_bits;
543
      const size_t m_max_d2_bits;
544
};
545
546
class RSA_Signature_Operation final : public PK_Ops::Signature,
547
                                      private RSA_Private_Operation {
548
   public:
549
0
      void update(std::span<const uint8_t> msg) override { m_emsa->update(msg.data(), msg.size()); }
550
551
0
      std::vector<uint8_t> sign(RandomNumberGenerator& rng) override {
552
0
         const size_t max_input_bits = public_modulus_bits() - 1;
553
0
         const auto msg = m_emsa->raw_data();
554
0
         const auto padded = m_emsa->encoding_of(msg, max_input_bits, rng);
555
556
0
         std::vector<uint8_t> out(public_modulus_bytes());
557
0
         raw_op(out, padded);
558
0
         return out;
559
0
      }
560
561
0
      size_t signature_length() const override { return public_modulus_bytes(); }
562
563
      AlgorithmIdentifier algorithm_identifier() const override;
564
565
0
      std::string hash_function() const override { return m_emsa->hash_function(); }
566
567
      RSA_Signature_Operation(const RSA_PrivateKey& rsa, std::string_view padding, RandomNumberGenerator& rng) :
568
0
            RSA_Private_Operation(rsa, rng), m_emsa(EMSA::create_or_throw(padding)) {}
569
570
   private:
571
      std::unique_ptr<EMSA> m_emsa;
572
};
573
574
0
AlgorithmIdentifier RSA_Signature_Operation::algorithm_identifier() const {
575
0
   const std::string emsa_name = m_emsa->name();
576
577
0
   try {
578
0
      const std::string full_name = "RSA/" + emsa_name;
579
0
      const OID oid = OID::from_string(full_name);
580
0
      return AlgorithmIdentifier(oid, AlgorithmIdentifier::USE_EMPTY_PARAM);
581
0
   } catch(Lookup_Error&) {}
582
583
0
   if(emsa_name.starts_with("EMSA4(")) {
584
0
      auto parameters = PSS_Params::from_emsa_name(m_emsa->name()).serialize();
585
0
      return AlgorithmIdentifier("RSA/EMSA4", parameters);
586
0
   }
587
588
0
   throw Not_Implemented("No algorithm identifier defined for RSA with " + emsa_name);
589
0
}
590
591
class RSA_Decryption_Operation final : public PK_Ops::Decryption_with_EME,
592
                                       private RSA_Private_Operation {
593
   public:
594
      RSA_Decryption_Operation(const RSA_PrivateKey& rsa, std::string_view eme, RandomNumberGenerator& rng) :
595
0
            PK_Ops::Decryption_with_EME(eme), RSA_Private_Operation(rsa, rng) {}
596
597
0
      size_t plaintext_length(size_t /*ctext_len*/) const override { return public_modulus_bytes(); }
598
599
0
      secure_vector<uint8_t> raw_decrypt(std::span<const uint8_t> input) override {
600
0
         secure_vector<uint8_t> out(public_modulus_bytes());
601
0
         raw_op(out, input);
602
0
         return out;
603
0
      }
604
};
605
606
class RSA_KEM_Decryption_Operation final : public PK_Ops::KEM_Decryption_with_KDF,
607
                                           private RSA_Private_Operation {
608
   public:
609
      RSA_KEM_Decryption_Operation(const RSA_PrivateKey& key, std::string_view kdf, RandomNumberGenerator& rng) :
610
0
            PK_Ops::KEM_Decryption_with_KDF(kdf), RSA_Private_Operation(key, rng) {}
611
612
0
      size_t raw_kem_shared_key_length() const override { return public_modulus_bytes(); }
613
614
0
      size_t encapsulated_key_length() const override { return public_modulus_bytes(); }
615
616
0
      void raw_kem_decrypt(std::span<uint8_t> out_shared_key, std::span<const uint8_t> encapsulated_key) override {
617
0
         raw_op(out_shared_key, encapsulated_key);
618
0
      }
619
};
620
621
/**
622
* RSA public (encrypt/verify) operation
623
*/
624
class RSA_Public_Operation {
625
   public:
626
7.73k
      explicit RSA_Public_Operation(const RSA_PublicKey& rsa) : m_public(rsa.public_data()) {}
627
628
7.51k
      size_t public_modulus_bits() const { return m_public->public_modulus_bits(); }
629
630
   protected:
631
7.54k
      BigInt public_op(const BigInt& m) const {
632
7.54k
         if(m >= m_public->get_n()) {
633
35
            throw Decoding_Error("RSA public op - input is too large");
634
35
         }
635
636
7.51k
         return m_public->public_op(m);
637
7.54k
      }
638
639
7.64k
      size_t public_modulus_bytes() const { return m_public->public_modulus_bytes(); }
640
641
0
      const BigInt& get_n() const { return m_public->get_n(); }
642
643
   private:
644
      std::shared_ptr<const RSA_Public_Data> m_public;
645
};
646
647
class RSA_Encryption_Operation final : public PK_Ops::Encryption_with_EME,
648
                                       private RSA_Public_Operation {
649
   public:
650
      RSA_Encryption_Operation(const RSA_PublicKey& rsa, std::string_view eme) :
651
0
            PK_Ops::Encryption_with_EME(eme), RSA_Public_Operation(rsa) {}
652
653
0
      size_t ciphertext_length(size_t /*ptext_len*/) const override { return public_modulus_bytes(); }
654
655
0
      size_t max_ptext_input_bits() const override { return public_modulus_bits() - 1; }
656
657
0
      std::vector<uint8_t> raw_encrypt(std::span<const uint8_t> input, RandomNumberGenerator& /*rng*/) override {
658
0
         BigInt input_bn(input);
659
0
         return public_op(input_bn).serialize(public_modulus_bytes());
660
0
      }
661
};
662
663
class RSA_Verify_Operation final : public PK_Ops::Verification,
664
                                   private RSA_Public_Operation {
665
   public:
666
7.64k
      void update(std::span<const uint8_t> msg) override { m_emsa->update(msg.data(), msg.size()); }
667
668
7.64k
      bool is_valid_signature(std::span<const uint8_t> sig) override {
669
7.64k
         const auto msg = m_emsa->raw_data();
670
7.64k
         const auto message_repr = recover_message_repr(sig.data(), sig.size());
671
7.64k
         return m_emsa->verify(message_repr, msg, public_modulus_bits() - 1);
672
7.64k
      }
673
674
      RSA_Verify_Operation(const RSA_PublicKey& rsa, std::string_view padding) :
675
7.73k
            RSA_Public_Operation(rsa), m_emsa(EMSA::create_or_throw(padding)) {}
676
677
5.27k
      std::string hash_function() const override { return m_emsa->hash_function(); }
678
679
   private:
680
7.64k
      std::vector<uint8_t> recover_message_repr(const uint8_t input[], size_t input_len) {
681
7.64k
         if(input_len > public_modulus_bytes()) {
682
91
            throw Decoding_Error("RSA signature too large to be valid for this key");
683
91
         }
684
7.54k
         BigInt input_bn(input, input_len);
685
7.54k
         return public_op(input_bn).serialize();
686
7.64k
      }
687
688
      std::unique_ptr<EMSA> m_emsa;
689
};
690
691
class RSA_KEM_Encryption_Operation final : public PK_Ops::KEM_Encryption_with_KDF,
692
                                           private RSA_Public_Operation {
693
   public:
694
      RSA_KEM_Encryption_Operation(const RSA_PublicKey& key, std::string_view kdf) :
695
0
            PK_Ops::KEM_Encryption_with_KDF(kdf), RSA_Public_Operation(key) {}
696
697
   private:
698
0
      size_t raw_kem_shared_key_length() const override { return public_modulus_bytes(); }
699
700
0
      size_t encapsulated_key_length() const override { return public_modulus_bytes(); }
701
702
      void raw_kem_encrypt(std::span<uint8_t> out_encapsulated_key,
703
                           std::span<uint8_t> raw_shared_key,
704
0
                           RandomNumberGenerator& rng) override {
705
0
         const BigInt r = BigInt::random_integer(rng, 1, get_n());
706
0
         const BigInt c = public_op(r);
707
708
0
         c.serialize_to(out_encapsulated_key);
709
0
         r.serialize_to(raw_shared_key);
710
0
      }
711
};
712
713
}  // namespace
714
715
std::unique_ptr<PK_Ops::Encryption> RSA_PublicKey::create_encryption_op(RandomNumberGenerator& /*rng*/,
716
                                                                        std::string_view params,
717
0
                                                                        std::string_view provider) const {
718
0
   if(provider == "base" || provider.empty()) {
719
0
      return std::make_unique<RSA_Encryption_Operation>(*this, params);
720
0
   }
721
0
   throw Provider_Not_Found(algo_name(), provider);
722
0
}
723
724
std::unique_ptr<PK_Ops::KEM_Encryption> RSA_PublicKey::create_kem_encryption_op(std::string_view params,
725
0
                                                                                std::string_view provider) const {
726
0
   if(provider == "base" || provider.empty()) {
727
0
      return std::make_unique<RSA_KEM_Encryption_Operation>(*this, params);
728
0
   }
729
0
   throw Provider_Not_Found(algo_name(), provider);
730
0
}
731
732
std::unique_ptr<PK_Ops::Verification> RSA_PublicKey::create_verification_op(std::string_view params,
733
0
                                                                            std::string_view provider) const {
734
0
   if(provider == "base" || provider.empty()) {
735
0
      return std::make_unique<RSA_Verify_Operation>(*this, params);
736
0
   }
737
738
0
   throw Provider_Not_Found(algo_name(), provider);
739
0
}
740
741
namespace {
742
743
7.89k
std::string parse_rsa_signature_algorithm(const AlgorithmIdentifier& alg_id) {
744
7.89k
   const auto sig_info = split_on(alg_id.oid().to_formatted_string(), '/');
745
746
7.89k
   if(sig_info.empty() || sig_info.size() != 2 || sig_info[0] != "RSA") {
747
101
      throw Decoding_Error("Unknown AlgorithmIdentifier for RSA X.509 signatures");
748
101
   }
749
750
7.79k
   std::string padding = sig_info[1];
751
752
7.79k
   if(padding == "EMSA4") {
753
      // "MUST contain RSASSA-PSS-params"
754
164
      if(alg_id.parameters().empty()) {
755
0
         throw Decoding_Error("PSS params must be provided");
756
0
      }
757
758
164
      PSS_Params pss_params(alg_id.parameters());
759
760
      // hash_algo must be SHA1, SHA2-224, SHA2-256, SHA2-384 or SHA2-512
761
164
      const std::string hash_algo = pss_params.hash_function();
762
164
      if(hash_algo != "SHA-1" && hash_algo != "SHA-224" && hash_algo != "SHA-256" && hash_algo != "SHA-384" &&
763
164
         hash_algo != "SHA-512") {
764
4
         throw Decoding_Error("Unacceptable hash for PSS signatures");
765
4
      }
766
767
160
      if(pss_params.mgf_function() != "MGF1") {
768
3
         throw Decoding_Error("Unacceptable MGF for PSS signatures");
769
3
      }
770
771
      // For MGF1, it is strongly RECOMMENDED that the underlying hash
772
      // function be the same as the one identified by hashAlgorithm
773
      //
774
      // Must be SHA1, SHA2-224, SHA2-256, SHA2-384 or SHA2-512
775
157
      if(pss_params.hash_algid() != pss_params.mgf_hash_algid()) {
776
9
         throw Decoding_Error("Unacceptable MGF hash for PSS signatures");
777
9
      }
778
779
148
      if(pss_params.trailer_field() != 1) {
780
1
         throw Decoding_Error("Unacceptable trailer field for PSS signatures");
781
1
      }
782
783
147
      padding += fmt("({},MGF1,{})", hash_algo, pss_params.salt_length());
784
147
   }
785
786
7.77k
   return padding;
787
7.79k
}
788
789
}  // namespace
790
791
std::unique_ptr<PK_Ops::Verification> RSA_PublicKey::create_x509_verification_op(const AlgorithmIdentifier& alg_id,
792
7.89k
                                                                                 std::string_view provider) const {
793
7.89k
   if(provider == "base" || provider.empty()) {
794
7.89k
      return std::make_unique<RSA_Verify_Operation>(*this, parse_rsa_signature_algorithm(alg_id));
795
7.89k
   }
796
797
0
   throw Provider_Not_Found(algo_name(), provider);
798
7.89k
}
799
800
std::unique_ptr<PK_Ops::Decryption> RSA_PrivateKey::create_decryption_op(RandomNumberGenerator& rng,
801
                                                                         std::string_view params,
802
0
                                                                         std::string_view provider) const {
803
0
   if(provider == "base" || provider.empty()) {
804
0
      return std::make_unique<RSA_Decryption_Operation>(*this, params, rng);
805
0
   }
806
807
0
   throw Provider_Not_Found(algo_name(), provider);
808
0
}
809
810
std::unique_ptr<PK_Ops::KEM_Decryption> RSA_PrivateKey::create_kem_decryption_op(RandomNumberGenerator& rng,
811
                                                                                 std::string_view params,
812
0
                                                                                 std::string_view provider) const {
813
0
   if(provider == "base" || provider.empty()) {
814
0
      return std::make_unique<RSA_KEM_Decryption_Operation>(*this, params, rng);
815
0
   }
816
817
0
   throw Provider_Not_Found(algo_name(), provider);
818
0
}
819
820
std::unique_ptr<PK_Ops::Signature> RSA_PrivateKey::create_signature_op(RandomNumberGenerator& rng,
821
                                                                       std::string_view params,
822
0
                                                                       std::string_view provider) const {
823
0
   if(provider == "base" || provider.empty()) {
824
0
      return std::make_unique<RSA_Signature_Operation>(*this, params, rng);
825
0
   }
826
827
0
   throw Provider_Not_Found(algo_name(), provider);
828
0
}
829
830
}  // namespace Botan