Botan  2.17.3
Crypto and TLS for C++11
rsa.cpp
Go to the documentation of this file.
1 /*
2 * RSA
3 * (C) 1999-2010,2015,2016,2018,2019 Jack Lloyd
4 *
5 * Botan is released under the Simplified BSD License (see license.txt)
6 */
7 
8 #include <botan/rsa.h>
9 #include <botan/internal/pk_ops_impl.h>
10 #include <botan/keypair.h>
11 #include <botan/blinding.h>
12 #include <botan/reducer.h>
13 #include <botan/workfactor.h>
14 #include <botan/der_enc.h>
15 #include <botan/ber_dec.h>
16 #include <botan/monty.h>
17 #include <botan/divide.h>
18 #include <botan/internal/monty_exp.h>
19 
20 #if defined(BOTAN_HAS_OPENSSL)
21  #include <botan/internal/openssl.h>
22 #endif
23 
24 #if defined(BOTAN_HAS_THREAD_UTILS)
25  #include <botan/internal/thread_pool.h>
26 #endif
27 
28 namespace Botan {
29 
30 class RSA_Public_Data final
31  {
32  public:
33  RSA_Public_Data(BigInt&& n, BigInt&& e) :
34  m_n(n),
35  m_e(e),
36  m_monty_n(std::make_shared<Montgomery_Params>(m_n)),
37  m_public_modulus_bits(m_n.bits()),
38  m_public_modulus_bytes(m_n.bytes())
39  {}
40 
41  BigInt public_op(const BigInt& m) const
42  {
43  const size_t powm_window = 1;
44  auto powm_m_n = monty_precompute(m_monty_n, m, powm_window, false);
45  return monty_execute_vartime(*powm_m_n, m_e);
46  }
47 
48  const BigInt& get_n() const { return m_n; }
49  const BigInt& get_e() const { return m_e; }
50  size_t public_modulus_bits() const { return m_public_modulus_bits; }
51  size_t public_modulus_bytes() const { return m_public_modulus_bytes; }
52 
53  private:
54  BigInt m_n;
55  BigInt m_e;
56  std::shared_ptr<const Montgomery_Params> m_monty_n;
57  size_t m_public_modulus_bits;
58  size_t m_public_modulus_bytes;
59  };
60 
61 class RSA_Private_Data final
62  {
63  public:
64  RSA_Private_Data(BigInt&& d, BigInt&& p, BigInt&& q,
65  BigInt&& d1, BigInt&& d2, BigInt&& c) :
66  m_d(d),
67  m_p(p),
68  m_q(q),
69  m_d1(d1),
70  m_d2(d2),
71  m_c(c),
72  m_mod_p(m_p),
73  m_mod_q(m_q),
74  m_monty_p(std::make_shared<Montgomery_Params>(m_p, m_mod_p)),
75  m_monty_q(std::make_shared<Montgomery_Params>(m_q, m_mod_q)),
76  m_p_bits(m_p.bits()),
77  m_q_bits(m_q.bits())
78  {}
79 
80  const BigInt& get_d() const { return m_d; }
81  const BigInt& get_p() const { return m_p; }
82  const BigInt& get_q() const { return m_q; }
83  const BigInt& get_d1() const { return m_d1; }
84  const BigInt& get_d2() const { return m_d2; }
85  const BigInt& get_c() const { return m_c; }
86 
87  //private:
88  BigInt m_d;
89  BigInt m_p;
90  BigInt m_q;
91  BigInt m_d1;
92  BigInt m_d2;
93  BigInt m_c;
94 
95  Modular_Reducer m_mod_p;
96  Modular_Reducer m_mod_q;
97  std::shared_ptr<const Montgomery_Params> m_monty_p;
98  std::shared_ptr<const Montgomery_Params> m_monty_q;
99  size_t m_p_bits;
100  size_t m_q_bits;
101  };
102 
103 std::shared_ptr<const RSA_Public_Data> RSA_PublicKey::public_data() const
104  {
105  return m_public;
106  }
107 
108 const BigInt& RSA_PublicKey::get_n() const { return m_public->get_n(); }
109 const BigInt& RSA_PublicKey::get_e() const { return m_public->get_e(); }
110 
112  {
113  if(n.is_negative() || n.is_even() || e.is_negative() || e.is_even())
114  throw Decoding_Error("Invalid RSA public key parameters");
115  m_public = std::make_shared<RSA_Public_Data>(std::move(n), std::move(e));
116  }
117 
119  const std::vector<uint8_t>& key_bits)
120  {
121  BigInt n, e;
122  BER_Decoder(key_bits)
124  .decode(n)
125  .decode(e)
126  .end_cons();
127 
128  init(std::move(n), std::move(e));
129  }
130 
131 RSA_PublicKey::RSA_PublicKey(const BigInt& modulus, const BigInt& exponent)
132  {
133  BigInt n = modulus;
134  BigInt e = exponent;
135  init(std::move(n), std::move(e));
136  }
137 
139  {
140  return m_public->public_modulus_bits();
141  }
142 
144  {
145  return if_work_factor(key_length());
146  }
147 
149  {
151  }
152 
153 std::vector<uint8_t> RSA_PublicKey::public_key_bits() const
154  {
155  std::vector<uint8_t> output;
156  DER_Encoder der(output);
157  der.start_cons(SEQUENCE)
158  .encode(get_n())
159  .encode(get_e())
160  .end_cons();
161 
162  return output;
163  }
164 
165 /*
166 * Check RSA Public Parameters
167 */
169  {
170  if(get_n() < 35 || get_n().is_even() || get_e() < 3 || get_e().is_even())
171  return false;
172  return true;
173  }
174 
175 std::shared_ptr<const RSA_Private_Data> RSA_PrivateKey::private_data() const
176  {
177  return m_private;
178  }
179 
181  {
182  return DER_Encoder()
184  .encode(static_cast<size_t>(0))
185  .encode(get_n())
186  .encode(get_e())
187  .encode(get_d())
188  .encode(get_p())
189  .encode(get_q())
190  .encode(get_d1())
191  .encode(get_d2())
192  .encode(get_c())
193  .end_cons()
194  .get_contents();
195  }
196 
197 const BigInt& RSA_PrivateKey::get_p() const { return m_private->get_p(); }
198 const BigInt& RSA_PrivateKey::get_q() const { return m_private->get_q(); }
199 const BigInt& RSA_PrivateKey::get_d() const { return m_private->get_d(); }
200 const BigInt& RSA_PrivateKey::get_c() const { return m_private->get_c(); }
201 const BigInt& RSA_PrivateKey::get_d1() const { return m_private->get_d1(); }
202 const BigInt& RSA_PrivateKey::get_d2() const { return m_private->get_d2(); }
203 
204 void RSA_PrivateKey::init(BigInt&& d, BigInt&& p, BigInt&& q,
205  BigInt&& d1, BigInt&& d2, BigInt&& c)
206  {
207  m_private = std::make_shared<RSA_Private_Data>(
208  std::move(d), std::move(p), std::move(q), std::move(d1), std::move(d2), std::move(c));
209  }
210 
212  const secure_vector<uint8_t>& key_bits)
213  {
214  BigInt n, e, d, p, q, d1, d2, c;
215 
216  BER_Decoder(key_bits)
218  .decode_and_check<size_t>(0, "Unknown PKCS #1 key format version")
219  .decode(n)
220  .decode(e)
221  .decode(d)
222  .decode(p)
223  .decode(q)
224  .decode(d1)
225  .decode(d2)
226  .decode(c)
227  .end_cons();
228 
229  RSA_PublicKey::init(std::move(n), std::move(e));
230 
231  RSA_PrivateKey::init(std::move(d), std::move(p), std::move(q),
232  std::move(d1), std::move(d2), std::move(c));
233  }
234 
236  const BigInt& prime2,
237  const BigInt& exp,
238  const BigInt& d_exp,
239  const BigInt& mod)
240  {
241  BigInt p = prime1;
242  BigInt q = prime2;
243  BigInt n = mod;
244  if(n.is_zero())
245  n = p * q;
246 
247  BigInt e = exp;
248 
249  BigInt d = d_exp;
250 
251  const BigInt p_minus_1 = p - 1;
252  const BigInt q_minus_1 = q - 1;
253 
254  if(d.is_zero())
255  {
256  const BigInt phi_n = lcm(p_minus_1, q_minus_1);
257  d = inverse_mod(e, phi_n);
258  }
259 
260  BigInt d1 = ct_modulo(d, p_minus_1);
261  BigInt d2 = ct_modulo(d, q_minus_1);
262  BigInt c = inverse_mod(q, p);
263 
264  RSA_PublicKey::init(std::move(n), std::move(e));
265 
266  RSA_PrivateKey::init(std::move(d), std::move(p), std::move(q),
267  std::move(d1), std::move(d2), std::move(c));
268  }
269 
270 /*
271 * Create a RSA private key
272 */
274  size_t bits, size_t exp)
275  {
276  if(bits < 1024)
277  throw Invalid_Argument(algo_name() + ": Can't make a key that is only " +
278  std::to_string(bits) + " bits long");
279  if(exp < 3 || exp % 2 == 0)
280  throw Invalid_Argument(algo_name() + ": Invalid encryption exponent");
281 
282  BigInt n, e, d, p, q, d1, d2, c;
283 
284  e = exp;
285 
286  const size_t p_bits = (bits + 1) / 2;
287  const size_t q_bits = bits - p_bits;
288 
289  do
290  {
291  // TODO could generate primes in thread pool
292  p = generate_rsa_prime(rng, rng, p_bits, e);
293  q = generate_rsa_prime(rng, rng, q_bits, e);
294 
295  if(p == q)
296  throw Internal_Error("RNG failure during RSA key generation");
297 
298  n = p * q;
299  } while(n.bits() != bits);
300 
301  const BigInt p_minus_1 = p - 1;
302  const BigInt q_minus_1 = q - 1;
303 
304  const BigInt phi_n = lcm(p_minus_1, q_minus_1);
305  d = inverse_mod(e, phi_n);
306  d1 = ct_modulo(d, p_minus_1);
307  d2 = ct_modulo(d, q_minus_1);
308  c = inverse_mod(q, p);
309 
310  RSA_PublicKey::init(std::move(n), std::move(e));
311 
312  RSA_PrivateKey::init(std::move(d), std::move(p), std::move(q),
313  std::move(d1), std::move(d2), std::move(c));
314  }
315 
316 /*
317 * Check Private RSA Parameters
318 */
320  {
321  if(get_n() < 35 || get_n().is_even() || get_e() < 3 || get_e().is_even())
322  return false;
323 
324  if(get_d() < 2 || get_p() < 3 || get_q() < 3)
325  return false;
326 
327  if(get_p() * get_q() != get_n())
328  return false;
329 
330  if(get_p() == get_q())
331  return false;
332 
333  if(get_d1() != ct_modulo(get_d(), get_p() - 1))
334  return false;
335  if(get_d2() != ct_modulo(get_d(), get_q() - 1))
336  return false;
337  if(get_c() != inverse_mod(get_q(), get_p()))
338  return false;
339 
340  const size_t prob = (strong) ? 128 : 12;
341 
342  if(!is_prime(get_p(), rng, prob))
343  return false;
344  if(!is_prime(get_q(), rng, prob))
345  return false;
346 
347  if(strong)
348  {
349  if(ct_modulo(get_e() * get_d(), lcm(get_p() - 1, get_q() - 1)) != 1)
350  return false;
351 
352  return KeyPair::signature_consistency_check(rng, *this, "EMSA4(SHA-256)");
353  }
354 
355  return true;
356  }
357 
358 namespace {
359 
360 /**
361 * RSA private (decrypt/sign) operation
362 */
363 class RSA_Private_Operation
364  {
365  protected:
366  size_t public_modulus_bits() const { return m_public->public_modulus_bits(); }
367  size_t public_modulus_bytes() const { return m_public->public_modulus_bytes(); }
368 
369  explicit RSA_Private_Operation(const RSA_PrivateKey& rsa, RandomNumberGenerator& rng) :
370  m_public(rsa.public_data()),
371  m_private(rsa.private_data()),
372  m_blinder(m_public->get_n(), rng,
373  [this](const BigInt& k) { return m_public->public_op(k); },
374  [this](const BigInt& k) { return inverse_mod(k, m_public->get_n()); }),
375  m_blinding_bits(64),
376  m_max_d1_bits(m_private->m_p_bits + m_blinding_bits),
377  m_max_d2_bits(m_private->m_q_bits + m_blinding_bits)
378  {
379  }
380 
381  secure_vector<uint8_t> raw_op(const uint8_t input[], size_t input_len)
382  {
383  const BigInt input_bn(input, input_len);
384  if(input_bn >= m_public->get_n())
385  throw Invalid_Argument("RSA private op - input is too large");
386 
387  // TODO: This should be a function on blinder
388  // BigInt Blinder::run_blinded_function(std::function<BigInt, BigInt> fn, const BigInt& input);
389 
390  const BigInt recovered = m_blinder.unblind(rsa_private_op(m_blinder.blind(input_bn)));
391  BOTAN_ASSERT(input_bn == m_public->public_op(recovered), "RSA consistency check");
392  return BigInt::encode_1363(recovered, m_public->public_modulus_bytes());
393  }
394 
395  private:
396 
397  BigInt rsa_private_op(const BigInt& m) const
398  {
399  /*
400  TODO
401  Consider using Montgomery reduction instead of Barrett, using
402  the "Smooth RSA-CRT" method. https://eprint.iacr.org/2007/039.pdf
403  */
404 
405  static constexpr size_t powm_window = 4;
406 
407  // Compute this in main thread to avoid racing on the rng
408  const BigInt d1_mask(m_blinder.rng(), m_blinding_bits);
409 
410 #if defined(BOTAN_HAS_THREAD_UTILS) && !defined(BOTAN_HAS_VALGRIND)
411  #define BOTAN_RSA_USE_ASYNC
412 #endif
413 
414 #if defined(BOTAN_RSA_USE_ASYNC)
415  /*
416  * Precompute m.sig_words in the main thread before calling async. Otherwise
417  * the two threads race (during Modular_Reducer::reduce) and while the output
418  * is correct in both threads, helgrind warns.
419  */
420  m.sig_words();
421 
422  auto future_j1 = Thread_Pool::global_instance().run([this, &m, &d1_mask]() {
423 #endif
424  const BigInt masked_d1 = m_private->get_d1() + (d1_mask * (m_private->get_p() - 1));
425  auto powm_d1_p = monty_precompute(m_private->m_monty_p, m_private->m_mod_p.reduce(m), powm_window);
426  BigInt j1 = monty_execute(*powm_d1_p, masked_d1, m_max_d1_bits);
427 
428 #if defined(BOTAN_RSA_USE_ASYNC)
429  return j1;
430  });
431 #endif
432 
433  const BigInt d2_mask(m_blinder.rng(), m_blinding_bits);
434  const BigInt masked_d2 = m_private->get_d2() + (d2_mask * (m_private->get_q() - 1));
435  auto powm_d2_q = monty_precompute(m_private->m_monty_q, m_private->m_mod_q.reduce(m), powm_window);
436  const BigInt j2 = monty_execute(*powm_d2_q, masked_d2, m_max_d2_bits);
437 
438 #if defined(BOTAN_RSA_USE_ASYNC)
439  BigInt j1 = future_j1.get();
440 #endif
441 
442  /*
443  * To recover the final value from the CRT representation (j1,j2)
444  * we use Garner's algorithm:
445  * c = q^-1 mod p (this is precomputed)
446  * h = c*(j1-j2) mod p
447  * m = j2 + h*q
448  *
449  * We must avoid leaking if j1 >= j2 or not, as doing so allows deriving
450  * information about the secret prime. Do this by first adding p to j1,
451  * which should ensure the subtraction of j2 does not underflow. But
452  * this may still underflow if p and q are imbalanced in size.
453  */
454 
455  j1 = m_private->m_mod_p.multiply(m_private->m_mod_p.reduce((m_private->get_p() + j1) - j2), m_private->get_c());
456  return mul_add(j1, m_private->get_q(), j2);
457  }
458 
459  std::shared_ptr<const RSA_Public_Data> m_public;
460  std::shared_ptr<const RSA_Private_Data> m_private;
461 
462  // XXX could the blinder starting pair be shared?
463  Blinder m_blinder;
464  const size_t m_blinding_bits;
465  const size_t m_max_d1_bits;
466  const size_t m_max_d2_bits;
467  };
468 
469 class RSA_Signature_Operation final : public PK_Ops::Signature_with_EMSA,
470  private RSA_Private_Operation
471  {
472  public:
473  size_t max_input_bits() const override { return public_modulus_bits() - 1; }
474 
475  size_t signature_length() const override { return public_modulus_bytes(); }
476 
477  RSA_Signature_Operation(const RSA_PrivateKey& rsa, const std::string& emsa, RandomNumberGenerator& rng) :
478  PK_Ops::Signature_with_EMSA(emsa),
479  RSA_Private_Operation(rsa, rng)
480  {
481  }
482 
483  secure_vector<uint8_t> raw_sign(const uint8_t input[], size_t input_len,
484  RandomNumberGenerator&) override
485  {
486  return raw_op(input, input_len);
487  }
488  };
489 
490 class RSA_Decryption_Operation final : public PK_Ops::Decryption_with_EME,
491  private RSA_Private_Operation
492  {
493  public:
494 
495  RSA_Decryption_Operation(const RSA_PrivateKey& rsa, const std::string& eme, RandomNumberGenerator& rng) :
496  PK_Ops::Decryption_with_EME(eme),
497  RSA_Private_Operation(rsa, rng)
498  {
499  }
500 
501  size_t plaintext_length(size_t) const override { return public_modulus_bytes(); }
502 
503  secure_vector<uint8_t> raw_decrypt(const uint8_t input[], size_t input_len) override
504  {
505  return raw_op(input, input_len);
506  }
507  };
508 
509 class RSA_KEM_Decryption_Operation final : public PK_Ops::KEM_Decryption_with_KDF,
510  private RSA_Private_Operation
511  {
512  public:
513 
514  RSA_KEM_Decryption_Operation(const RSA_PrivateKey& key,
515  const std::string& kdf,
516  RandomNumberGenerator& rng) :
517  PK_Ops::KEM_Decryption_with_KDF(kdf),
518  RSA_Private_Operation(key, rng)
519  {}
520 
521  secure_vector<uint8_t>
522  raw_kem_decrypt(const uint8_t encap_key[], size_t len) override
523  {
524  return raw_op(encap_key, len);
525  }
526  };
527 
528 /**
529 * RSA public (encrypt/verify) operation
530 */
531 class RSA_Public_Operation
532  {
533  public:
534  explicit RSA_Public_Operation(const RSA_PublicKey& rsa) :
535  m_public(rsa.public_data())
536  {}
537 
538  size_t get_max_input_bits() const
539  {
540  const size_t n_bits = m_public->public_modulus_bits();
541 
542  /*
543  Make Coverity happy that n_bits - 1 won't underflow
544 
545  5 bit minimum: smallest possible RSA key is 3*5
546  */
547  BOTAN_ASSERT_NOMSG(n_bits >= 5);
548  return n_bits - 1;
549  }
550 
551  protected:
552  BigInt public_op(const BigInt& m) const
553  {
554  if(m >= m_public->get_n())
555  throw Invalid_Argument("RSA public op - input is too large");
556 
557  return m_public->public_op(m);
558  }
559 
560  size_t public_modulus_bytes() const { return m_public->public_modulus_bytes(); }
561 
562  const BigInt& get_n() const { return m_public->get_n(); }
563 
564  std::shared_ptr<const RSA_Public_Data> m_public;
565  };
566 
567 class RSA_Encryption_Operation final : public PK_Ops::Encryption_with_EME,
568  private RSA_Public_Operation
569  {
570  public:
571 
572  RSA_Encryption_Operation(const RSA_PublicKey& rsa, const std::string& eme) :
573  PK_Ops::Encryption_with_EME(eme),
574  RSA_Public_Operation(rsa)
575  {
576  }
577 
578  size_t ciphertext_length(size_t) const override { return public_modulus_bytes(); }
579 
580  size_t max_raw_input_bits() const override { return get_max_input_bits(); }
581 
582  secure_vector<uint8_t> raw_encrypt(const uint8_t input[], size_t input_len,
583  RandomNumberGenerator&) override
584  {
585  BigInt input_bn(input, input_len);
586  return BigInt::encode_1363(public_op(input_bn), public_modulus_bytes());
587  }
588  };
589 
590 class RSA_Verify_Operation final : public PK_Ops::Verification_with_EMSA,
591  private RSA_Public_Operation
592  {
593  public:
594 
595  size_t max_input_bits() const override { return get_max_input_bits(); }
596 
597  RSA_Verify_Operation(const RSA_PublicKey& rsa, const std::string& emsa) :
598  PK_Ops::Verification_with_EMSA(emsa),
599  RSA_Public_Operation(rsa)
600  {
601  }
602 
603  bool with_recovery() const override { return true; }
604 
605  secure_vector<uint8_t> verify_mr(const uint8_t input[], size_t input_len) override
606  {
607  BigInt input_bn(input, input_len);
608  return BigInt::encode_locked(public_op(input_bn));
609  }
610  };
611 
612 class RSA_KEM_Encryption_Operation final : public PK_Ops::KEM_Encryption_with_KDF,
613  private RSA_Public_Operation
614  {
615  public:
616 
617  RSA_KEM_Encryption_Operation(const RSA_PublicKey& key,
618  const std::string& kdf) :
619  PK_Ops::KEM_Encryption_with_KDF(kdf),
620  RSA_Public_Operation(key) {}
621 
622  private:
623  void raw_kem_encrypt(secure_vector<uint8_t>& out_encapsulated_key,
624  secure_vector<uint8_t>& raw_shared_key,
625  Botan::RandomNumberGenerator& rng) override
626  {
627  const BigInt r = BigInt::random_integer(rng, 1, get_n());
628  const BigInt c = public_op(r);
629 
630  out_encapsulated_key = BigInt::encode_locked(c);
631  raw_shared_key = BigInt::encode_locked(r);
632  }
633  };
634 
635 }
636 
637 std::unique_ptr<PK_Ops::Encryption>
639  const std::string& params,
640  const std::string& provider) const
641  {
642 #if defined(BOTAN_HAS_OPENSSL)
643  if(provider == "openssl" || provider.empty())
644  {
645  try
646  {
647  return make_openssl_rsa_enc_op(*this, params);
648  }
649  catch(Exception& e)
650  {
651  /*
652  * If OpenSSL for some reason could not handle this (eg due to OAEP params),
653  * throw if openssl was specifically requested but otherwise just fall back
654  * to the normal version.
655  */
656  if(provider == "openssl")
657  throw Lookup_Error("OpenSSL RSA provider rejected key:" + std::string(e.what()));
658  }
659  }
660 #endif
661 
662  if(provider == "base" || provider.empty())
663  return std::unique_ptr<PK_Ops::Encryption>(new RSA_Encryption_Operation(*this, params));
664  throw Provider_Not_Found(algo_name(), provider);
665  }
666 
667 std::unique_ptr<PK_Ops::KEM_Encryption>
669  const std::string& params,
670  const std::string& provider) const
671  {
672  if(provider == "base" || provider.empty())
673  return std::unique_ptr<PK_Ops::KEM_Encryption>(new RSA_KEM_Encryption_Operation(*this, params));
674  throw Provider_Not_Found(algo_name(), provider);
675  }
676 
677 std::unique_ptr<PK_Ops::Verification>
678 RSA_PublicKey::create_verification_op(const std::string& params,
679  const std::string& provider) const
680  {
681 #if defined(BOTAN_HAS_OPENSSL)
682  if(provider == "openssl" || provider.empty())
683  {
684  std::unique_ptr<PK_Ops::Verification> res = make_openssl_rsa_ver_op(*this, params);
685  if(res)
686  return res;
687  }
688 #endif
689 
690  if(provider == "base" || provider.empty())
691  return std::unique_ptr<PK_Ops::Verification>(new RSA_Verify_Operation(*this, params));
692 
693  throw Provider_Not_Found(algo_name(), provider);
694  }
695 
696 std::unique_ptr<PK_Ops::Decryption>
698  const std::string& params,
699  const std::string& provider) const
700  {
701 #if defined(BOTAN_HAS_OPENSSL)
702  if(provider == "openssl" || provider.empty())
703  {
704  try
705  {
706  return make_openssl_rsa_dec_op(*this, params);
707  }
708  catch(Exception& e)
709  {
710  if(provider == "openssl")
711  throw Lookup_Error("OpenSSL RSA provider rejected key:" + std::string(e.what()));
712  }
713  }
714 #endif
715 
716  if(provider == "base" || provider.empty())
717  return std::unique_ptr<PK_Ops::Decryption>(new RSA_Decryption_Operation(*this, params, rng));
718 
719  throw Provider_Not_Found(algo_name(), provider);
720  }
721 
722 std::unique_ptr<PK_Ops::KEM_Decryption>
724  const std::string& params,
725  const std::string& provider) const
726  {
727  if(provider == "base" || provider.empty())
728  return std::unique_ptr<PK_Ops::KEM_Decryption>(new RSA_KEM_Decryption_Operation(*this, params, rng));
729 
730  throw Provider_Not_Found(algo_name(), provider);
731  }
732 
733 std::unique_ptr<PK_Ops::Signature>
735  const std::string& params,
736  const std::string& provider) const
737  {
738 #if defined(BOTAN_HAS_OPENSSL)
739  if(provider == "openssl" || provider.empty())
740  {
741  std::unique_ptr<PK_Ops::Signature> res = make_openssl_rsa_sig_op(*this, params);
742  if(res)
743  return res;
744  }
745 #endif
746 
747  if(provider == "base" || provider.empty())
748  return std::unique_ptr<PK_Ops::Signature>(new RSA_Signature_Operation(*this, params, rng));
749 
750  throw Provider_Not_Found(algo_name(), provider);
751  }
752 
753 }
BigInt mul_add(const BigInt &a, const BigInt &b, const BigInt &c)
Definition: mp_numth.cpp:30
std::unique_ptr< PK_Ops::Decryption > create_decryption_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const override
Definition: rsa.cpp:697
size_t if_work_factor(size_t bits)
Definition: workfactor.cpp:38
bool check_key(RandomNumberGenerator &rng, bool) const override
Definition: rsa.cpp:168
size_t estimated_strength() const override
Definition: rsa.cpp:143
const BigInt & get_d1() const
Definition: rsa.cpp:201
const BigInt & get_d() const
Definition: rsa.cpp:199
const BigInt & get_e() const
Definition: rsa.cpp:109
size_t key_length() const override
Definition: rsa.cpp:138
std::unique_ptr< PK_Ops::KEM_Encryption > create_kem_encryption_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const override
Definition: rsa.cpp:668
secure_vector< uint8_t > private_key_bits() const override
Definition: rsa.cpp:180
size_t bits() const
Definition: bigint.cpp:296
BER_Decoder & decode_and_check(const T &expected, const std::string &error_msg)
Definition: ber_dec.h:277
std::unique_ptr< PK_Ops::KEM_Decryption > create_kem_decryption_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const override
Definition: rsa.cpp:723
int(* final)(unsigned char *, CTX *)
secure_vector< uint8_t > get_contents()
Definition: der_enc.cpp:152
bool is_zero() const
Definition: bigint.h:421
Definition: bigint.h:1143
bool is_prime(const BigInt &n, RandomNumberGenerator &rng, size_t prob, bool is_random)
Definition: numthry.cpp:210
#define BOTAN_ASSERT_NOMSG(expr)
Definition: assert.h:68
BigInt ct_modulo(const BigInt &x, const BigInt &y)
Definition: divide.cpp:118
std::string to_string(const BER_Object &obj)
Definition: asn1_obj.cpp:213
static BigInt random_integer(RandomNumberGenerator &rng, const BigInt &min, const BigInt &max)
Definition: big_rand.cpp:45
DER_Encoder & end_cons()
Definition: der_enc.cpp:191
BER_Decoder & decode(bool &out)
Definition: ber_dec.h:170
const BigInt & get_q() const
Definition: rsa.cpp:198
const char * what() const noexcept override
Definition: exceptn.h:96
static secure_vector< uint8_t > encode_locked(const BigInt &n)
Definition: bigint.h:782
#define BOTAN_ASSERT(expr, assertion_made)
Definition: assert.h:55
auto run(F &&f, Args &&... args) -> std::future< typename std::result_of< F(Args...)>::type >
Definition: thread_pool.h:57
DER_Encoder & encode(bool b)
Definition: der_enc.cpp:285
BigInt monty_execute_vartime(const Montgomery_Exponentation_State &precomputed_state, const BigInt &k)
Definition: monty_exp.cpp:171
bool signature_consistency_check(RandomNumberGenerator &rng, const Private_Key &private_key, const Public_Key &public_key, const std::string &padding)
Definition: keypair.cpp:49
virtual OID get_oid() const
Definition: pk_keys.cpp:53
BER_Decoder & end_cons()
Definition: ber_dec.cpp:300
BigInt lcm(const BigInt &a, const BigInt &b)
Definition: numthry.cpp:125
std::vector< uint8_t > public_key_bits() const override
Definition: rsa.cpp:153
const BigInt & get_d2() const
Definition: rsa.cpp:202
BigInt inverse_mod(const BigInt &n, const BigInt &mod)
Definition: mod_inv.cpp:250
std::string algo_name() const override
Definition: rsa.h:43
secure_vector< uint8_t > decode(DataSource &source, std::string &label)
Definition: pem.cpp:68
BER_Decoder start_cons(ASN1_Tag type_tag, ASN1_Tag class_tag=UNIVERSAL)
Definition: ber_dec.cpp:290
std::shared_ptr< const Montgomery_Exponentation_State > monty_precompute(std::shared_ptr< const Montgomery_Params > params, const BigInt &g, size_t window_bits, bool const_time)
Definition: monty_exp.cpp:157
std::shared_ptr< const RSA_Public_Data > public_data() const
Definition: rsa.cpp:103
Definition: alg_id.cpp:13
AlgorithmIdentifier algorithm_identifier() const override
Definition: rsa.cpp:148
std::unique_ptr< PK_Ops::Verification > create_verification_op(const std::string &params, const std::string &provider) const override
Definition: rsa.cpp:678
std::shared_ptr< const RSA_Private_Data > private_data() const
Definition: rsa.cpp:175
RSA_PrivateKey(const AlgorithmIdentifier &alg_id, const secure_vector< uint8_t > &key_bits)
Definition: rsa.cpp:211
std::shared_ptr< const RSA_Public_Data > m_public
Definition: rsa.h:86
void init(BigInt &&n, BigInt &&e)
Definition: rsa.cpp:111
DER_Encoder & start_cons(ASN1_Tag type_tag, ASN1_Tag class_tag=UNIVERSAL)
Definition: der_enc.cpp:181
static secure_vector< uint8_t > encode_1363(const BigInt &n, size_t bytes)
Definition: big_code.cpp:111
static Thread_Pool & global_instance()
Definition: thread_pool.cpp:15
const BigInt & get_p() const
Definition: rsa.cpp:197
std::unique_ptr< PK_Ops::Encryption > create_encryption_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const override
Definition: rsa.cpp:638
std::vector< T, secure_allocator< T > > secure_vector
Definition: secmem.h:65
bool check_key(RandomNumberGenerator &rng, bool) const override
Definition: rsa.cpp:319
BigInt generate_rsa_prime(RandomNumberGenerator &keygen_rng, RandomNumberGenerator &prime_test_rng, size_t bits, const BigInt &coprime, size_t prob)
Definition: make_prm.cpp:197
const BigInt & get_c() const
Definition: rsa.cpp:200
BigInt monty_execute(const Montgomery_Exponentation_State &precomputed_state, const BigInt &k, size_t max_k_bits)
Definition: monty_exp.cpp:165
std::unique_ptr< PK_Ops::Signature > create_signature_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const override
Definition: rsa.cpp:734
const BigInt & get_n() const
Definition: rsa.cpp:108