/rust/registry/src/index.crates.io-6f17d22bba15001f/ring-0.17.14/src/rsa/padding.rs

Source (jump to first uncovered line)
// Copyright 2015-2016 Brian Smith.
//
// Permission to use, copy, modify, and/or distribute this software for any
// purpose with or without fee is hereby granted, provided that the above
// copyright notice and this permission notice appear in all copies.
//
// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
// SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
// OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
// CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

use crate::{bb, bits, digest, error, rand};

mod pkcs1;
mod pss;

pub use self::{
    pkcs1::{RSA_PKCS1_SHA256, RSA_PKCS1_SHA384, RSA_PKCS1_SHA512},
    pss::{RSA_PSS_SHA256, RSA_PSS_SHA384, RSA_PSS_SHA512},
};
pub(super) use pkcs1::RSA_PKCS1_SHA1_FOR_LEGACY_USE_ONLY;

/// Common features of both RSA padding encoding and RSA padding verification.
pub trait Padding: 'static + Sync + crate::sealed::Sealed + core::fmt::Debug {
    // The digest algorithm used for digesting the message (and maybe for
    // other things).
    fn digest_alg(&self) -> &'static digest::Algorithm;
}

pub(super) fn encode(
    encoding: &dyn RsaEncoding,
    m_hash: digest::Digest,
    m_out: &mut [u8],
    mod_bits: bits::BitLength,
    rng: &dyn rand::SecureRandom,
) -> Result<(), error::Unspecified> {
    #[allow(deprecated)]
    encoding.encode(m_hash, m_out, mod_bits, rng)
}

/// An RSA signature encoding as described in [RFC 3447 Section 8].
///
/// [RFC 3447 Section 8]: https://tools.ietf.org/html/rfc3447#section-8
#[cfg(feature = "alloc")]
pub trait RsaEncoding: Padding {
    #[deprecated(note = "internal API that will be removed")]
    #[doc(hidden)]
    fn encode(
        &self,
        m_hash: digest::Digest,
        m_out: &mut [u8],
        mod_bits: bits::BitLength,
        rng: &dyn rand::SecureRandom,
    ) -> Result<(), error::Unspecified>;
}

/// Verification of an RSA signature encoding as described in
/// [RFC 3447 Section 8].
///
/// [RFC 3447 Section 8]: https://tools.ietf.org/html/rfc3447#section-8
pub trait Verification: Padding {
    fn verify(
        &self,
        m_hash: digest::Digest,
        m: &mut untrusted::Reader,
        mod_bits: bits::BitLength,
    ) -> Result<(), error::Unspecified>;
}

// Masks `out` with the output of the mask-generating function MGF1 as
// described in https://tools.ietf.org/html/rfc3447#appendix-B.2.1.
fn mgf1(digest_alg: &'static digest::Algorithm, seed: &[u8], out: &mut [u8]) {
    let digest_len = digest_alg.output_len();

    // Maximum counter value is the value of (mask_len / digest_len) rounded up.
    for (i, out) in out.chunks_mut(digest_len).enumerate() {
        let mut ctx = digest::Context::new(digest_alg);
        ctx.update(seed);
        // The counter will always fit in a `u32` because we reject absurdly
        // long inputs very early.
        ctx.update(&u32::to_be_bytes(i.try_into().unwrap()));
        let digest = ctx.finish();

        // The last chunk may legitimately be shorter than `digest`, but
        // `digest` will never be shorter than `out`.
        bb::xor_assign_at_start(out, digest.as_ref());
    }
}

#[cfg(test)]
mod test {
    use super::*;
    use crate::testutil as test;
    use crate::{digest, error};
    use alloc::vec;

    #[test]
    fn test_pss_padding_verify() {
        test::run(
            test_vector_file!("rsa_pss_padding_tests.txt"),
            |section, test_case| {
                assert_eq!(section, "");

                let digest_name = test_case.consume_string("Digest");
                let alg = match digest_name.as_ref() {
                    "SHA256" => &RSA_PSS_SHA256,
                    "SHA384" => &RSA_PSS_SHA384,
                    "SHA512" => &RSA_PSS_SHA512,
                    _ => panic!("Unsupported digest: {}", digest_name),
                };

                let msg = test_case.consume_bytes("Msg");
                let msg = untrusted::Input::from(&msg);
                let m_hash = digest::digest(alg.digest_alg(), msg.as_slice_less_safe());

                let encoded = test_case.consume_bytes("EM");
                let encoded = untrusted::Input::from(&encoded);

                // Salt is recomputed in verification algorithm.
                let _ = test_case.consume_bytes("Salt");

                let bit_len = test_case.consume_usize_bits("Len");
                let is_valid = test_case.consume_string("Result") == "P";

                let actual_result =
                    encoded.read_all(error::Unspecified, |m| alg.verify(m_hash, m, bit_len));
                assert_eq!(actual_result.is_ok(), is_valid);

                Ok(())
            },
        );
    }

    // Tests PSS encoding for various public modulus lengths.
    #[cfg(feature = "alloc")]
    #[test]
    fn test_pss_padding_encode() {
        test::run(
            test_vector_file!("rsa_pss_padding_tests.txt"),
            |section, test_case| {
                assert_eq!(section, "");

                let digest_name = test_case.consume_string("Digest");
                let alg = match digest_name.as_ref() {
                    "SHA256" => &RSA_PSS_SHA256,
                    "SHA384" => &RSA_PSS_SHA384,
                    "SHA512" => &RSA_PSS_SHA512,
                    _ => panic!("Unsupported digest: {}", digest_name),
                };

                let msg = test_case.consume_bytes("Msg");
                let salt = test_case.consume_bytes("Salt");
                let encoded = test_case.consume_bytes("EM");
                let bit_len = test_case.consume_usize_bits("Len");
                let expected_result = test_case.consume_string("Result");

                // Only test the valid outputs
                if expected_result != "P" {
                    return Ok(());
                }

                let rng = test::rand::FixedSliceRandom { bytes: &salt };

                let mut m_out = vec![0u8; bit_len.as_usize_bytes_rounded_up()];
                let digest = digest::digest(alg.digest_alg(), &msg);
                #[allow(deprecated)]
                alg.encode(digest, &mut m_out, bit_len, &rng).unwrap();
                assert_eq!(m_out, encoded);

                Ok(())
            },
        );
    }
}

Coverage Report

Created: 2025-07-11 06:15

Line	Count	Source (jump to first uncovered line)
1		// Copyright 2015-2016 Brian Smith.
2		//
3		// Permission to use, copy, modify, and/or distribute this software for any
4		// purpose with or without fee is hereby granted, provided that the above
5		// copyright notice and this permission notice appear in all copies.
6		//
7		// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8		// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9		// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10		// SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11		// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12		// OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13		// CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
14
15		use crate::{bb, bits, digest, error, rand};
16
17		mod pkcs1;
18		mod pss;
19
20		pub use self::{
21		pkcs1::{RSA_PKCS1_SHA256, RSA_PKCS1_SHA384, RSA_PKCS1_SHA512},
22		pss::{RSA_PSS_SHA256, RSA_PSS_SHA384, RSA_PSS_SHA512},
23		};
24		pub(super) use pkcs1::RSA_PKCS1_SHA1_FOR_LEGACY_USE_ONLY;
25
26		/// Common features of both RSA padding encoding and RSA padding verification.
27		pub trait Padding: 'static + Sync + crate::sealed::Sealed + core::fmt::Debug {
28		// The digest algorithm used for digesting the message (and maybe for
29		// other things).
30		fn digest_alg(&self) -> &'static digest::Algorithm;
31		}
32
33	0	pub(super) fn encode(
34	0	encoding: &dyn RsaEncoding,
35	0	m_hash: digest::Digest,
36	0	m_out: &mut [u8],
37	0	mod_bits: bits::BitLength,
38	0	rng: &dyn rand::SecureRandom,
39	0	) -> Result<(), error::Unspecified> {
40	0	#[allow(deprecated)]
41	0	encoding.encode(m_hash, m_out, mod_bits, rng)
42	0	}
43
44		/// An RSA signature encoding as described in [RFC 3447 Section 8].
45		///
46		/// [RFC 3447 Section 8]: https://tools.ietf.org/html/rfc3447#section-8
47		#[cfg(feature = "alloc")]
48		pub trait RsaEncoding: Padding {
49		#[deprecated(note = "internal API that will be removed")]
50		#[doc(hidden)]
51		fn encode(
52		&self,
53		m_hash: digest::Digest,
54		m_out: &mut [u8],
55		mod_bits: bits::BitLength,
56		rng: &dyn rand::SecureRandom,
57		) -> Result<(), error::Unspecified>;
58		}
59
60		/// Verification of an RSA signature encoding as described in
61		/// [RFC 3447 Section 8].
62		///
63		/// [RFC 3447 Section 8]: https://tools.ietf.org/html/rfc3447#section-8
64		pub trait Verification: Padding {
65		fn verify(
66		&self,
67		m_hash: digest::Digest,
68		m: &mut untrusted::Reader,
69		mod_bits: bits::BitLength,
70		) -> Result<(), error::Unspecified>;
71		}
72
73		// Masks `out` with the output of the mask-generating function MGF1 as
74		// described in https://tools.ietf.org/html/rfc3447#appendix-B.2.1.
75	0	fn mgf1(digest_alg: &'static digest::Algorithm, seed: &[u8], out: &mut [u8]) {
76	0	let digest_len = digest_alg.output_len();
77
78		// Maximum counter value is the value of (mask_len / digest_len) rounded up.
79	0	for (i, out) in out.chunks_mut(digest_len).enumerate() {
80	0	let mut ctx = digest::Context::new(digest_alg);
81	0	ctx.update(seed);
82	0	// The counter will always fit in a `u32` because we reject absurdly
83	0	// long inputs very early.
84	0	ctx.update(&u32::to_be_bytes(i.try_into().unwrap()));
85	0	let digest = ctx.finish();
86	0
87	0	// The last chunk may legitimately be shorter than `digest`, but
88	0	// `digest` will never be shorter than `out`.
89	0	bb::xor_assign_at_start(out, digest.as_ref());
90	0	}
91	0	}
92
93		#[cfg(test)]
94		mod test {
95		use super::*;
96		use crate::testutil as test;
97		use crate::{digest, error};
98		use alloc::vec;
99
100		#[test]
101		fn test_pss_padding_verify() {
102		test::run(
103		test_vector_file!("rsa_pss_padding_tests.txt"),
104		\|section, test_case\| {
105		assert_eq!(section, "");
106
107		let digest_name = test_case.consume_string("Digest");
108		let alg = match digest_name.as_ref() {
109		"SHA256" => &RSA_PSS_SHA256,
110		"SHA384" => &RSA_PSS_SHA384,
111		"SHA512" => &RSA_PSS_SHA512,
112		_ => panic!("Unsupported digest: {}", digest_name),
113		};
114
115		let msg = test_case.consume_bytes("Msg");
116		let msg = untrusted::Input::from(&msg);
117		let m_hash = digest::digest(alg.digest_alg(), msg.as_slice_less_safe());
118
119		let encoded = test_case.consume_bytes("EM");
120		let encoded = untrusted::Input::from(&encoded);
121
122		// Salt is recomputed in verification algorithm.
123		let _ = test_case.consume_bytes("Salt");
124
125		let bit_len = test_case.consume_usize_bits("Len");
126		let is_valid = test_case.consume_string("Result") == "P";
127
128		let actual_result =
129		encoded.read_all(error::Unspecified, \|m\| alg.verify(m_hash, m, bit_len));
130		assert_eq!(actual_result.is_ok(), is_valid);
131
132		Ok(())
133		},
134		);
135		}
136
137		// Tests PSS encoding for various public modulus lengths.
138		#[cfg(feature = "alloc")]
139		#[test]
140		fn test_pss_padding_encode() {
141		test::run(
142		test_vector_file!("rsa_pss_padding_tests.txt"),
143		\|section, test_case\| {
144		assert_eq!(section, "");
145
146		let digest_name = test_case.consume_string("Digest");
147		let alg = match digest_name.as_ref() {
148		"SHA256" => &RSA_PSS_SHA256,
149		"SHA384" => &RSA_PSS_SHA384,
150		"SHA512" => &RSA_PSS_SHA512,
151		_ => panic!("Unsupported digest: {}", digest_name),
152		};
153
154		let msg = test_case.consume_bytes("Msg");
155		let salt = test_case.consume_bytes("Salt");
156		let encoded = test_case.consume_bytes("EM");
157		let bit_len = test_case.consume_usize_bits("Len");
158		let expected_result = test_case.consume_string("Result");
159
160		// Only test the valid outputs
161		if expected_result != "P" {
162		return Ok(());
163		}
164
165		let rng = test::rand::FixedSliceRandom { bytes: &salt };
166
167		let mut m_out = vec![0u8; bit_len.as_usize_bytes_rounded_up()];
168		let digest = digest::digest(alg.digest_alg(), &msg);
169		#[allow(deprecated)]
170		alg.encode(digest, &mut m_out, bit_len, &rng).unwrap();
171		assert_eq!(m_out, encoded);
172
173		Ok(())
174		},
175		);
176		}
177		}