Botan 3.11.0
Crypto and TLS for C&
rsa.cpp
Go to the documentation of this file.
1/*
2* RSA
3* (C) 1999-2010,2015,2016,2018,2019,2023 Jack Lloyd
4*
5* Botan is released under the Simplified BSD License (see license.txt)
6*/
7
8#include <botan/rsa.h>
9
10#include <botan/ber_dec.h>
11#include <botan/der_enc.h>
12#include <botan/numthry.h>
13#include <botan/pss_params.h>
14#include <botan/internal/barrett.h>
15#include <botan/internal/blinding.h>
16#include <botan/internal/divide.h>
17#include <botan/internal/fmt.h>
18#include <botan/internal/keypair.h>
19#include <botan/internal/mod_inv.h>
20#include <botan/internal/monty.h>
21#include <botan/internal/monty_exp.h>
22#include <botan/internal/mp_core.h>
23#include <botan/internal/parsing.h>
24#include <botan/internal/pk_ops_impl.h>
25#include <botan/internal/sig_padding.h>
26#include <botan/internal/target_info.h>
27#include <botan/internal/workfactor.h>
28
29#if defined(BOTAN_HAS_THREAD_UTILS)
30 #include <botan/internal/thread_pool.h>
31#endif
32
33namespace Botan {
34
35class RSA_Public_Data final {
36 public:
37 RSA_Public_Data(BigInt&& n, BigInt&& e) :
38 m_n(std::move(n)),
39 m_e(std::move(e)),
40 m_mod_n(Barrett_Reduction::for_public_modulus(m_n)),
41 m_monty_n(m_n, m_mod_n),
42 m_public_modulus_bits(m_n.bits()),
43 m_public_modulus_bytes(m_n.bytes()) {}
44
45 BigInt public_op(const BigInt& m) const {
46 const size_t powm_window = 1;
47 auto powm_m_n = monty_precompute(m_monty_n, m, powm_window, false);
48 return monty_execute_vartime(*powm_m_n, m_e).value();
49 }
50
51 const BigInt& get_n() const { return m_n; }
52
53 const BigInt& get_e() const { return m_e; }
54
55 size_t public_modulus_bits() const { return m_public_modulus_bits; }
56
57 size_t public_modulus_bytes() const { return m_public_modulus_bytes; }
58
59 const Montgomery_Params& monty_n() const { return m_monty_n; }
60
61 const Barrett_Reduction& reducer_mod_n() const { return m_mod_n; }
62
63 private:
64 BigInt m_n;
65 BigInt m_e;
66 Barrett_Reduction m_mod_n;
67 const Montgomery_Params m_monty_n;
68 size_t m_public_modulus_bits;
69 size_t m_public_modulus_bytes;
70};
71
72class RSA_Private_Data final {
73 public:
74 RSA_Private_Data(BigInt&& d, BigInt&& p, BigInt&& q, BigInt&& d1, BigInt&& d2, BigInt&& c) :
75 m_d(std::move(d)),
76 m_p(std::move(p)),
77 m_q(std::move(q)),
78 m_d1(std::move(d1)),
79 m_d2(std::move(d2)),
80 m_c(std::move(c)),
81 m_monty_p(m_p),
82 m_monty_q(m_q),
83 m_c_monty(m_monty_p, m_c),
84 m_p_bits(m_p.bits()),
85 m_q_bits(m_q.bits()) {}
86
87 const BigInt& get_d() const { return m_d; }
88
89 const BigInt& get_p() const { return m_p; }
90
91 const BigInt& get_q() const { return m_q; }
92
93 const BigInt& get_d1() const { return m_d1; }
94
95 const BigInt& get_d2() const { return m_d2; }
96
97 BigInt blinded_d1(const BigInt& m) const { return m_d1 + m * (m_p - 1); }
98
99 BigInt blinded_d2(const BigInt& m) const { return m_d2 + m * (m_q - 1); }
100
101 const BigInt& get_c() const { return m_c; }
102
103 const Montgomery_Int& get_c_monty() const { return m_c_monty; }
104
105 const Montgomery_Params& monty_p() const { return m_monty_p; }
106
107 const Montgomery_Params& monty_q() const { return m_monty_q; }
108
109 size_t p_bits() const { return m_p_bits; }
110
111 size_t q_bits() const { return m_q_bits; }
112
113 bool primes_imbalanced() const { return p_bits() != q_bits(); }
114
115 private:
116 BigInt m_d;
117 BigInt m_p;
118 BigInt m_q;
119 BigInt m_d1;
120 BigInt m_d2;
121 BigInt m_c;
122
123 const Montgomery_Params m_monty_p;
124 const Montgomery_Params m_monty_q;
125 Montgomery_Int m_c_monty;
126 size_t m_p_bits;
127 size_t m_q_bits;
128};
129
130std::shared_ptr<const RSA_Public_Data> RSA_PublicKey::public_data() const {
131 return m_public;
132}
133
134const BigInt& RSA_PublicKey::get_int_field(std::string_view field) const {
135 if(field == "n") {
136 return m_public->get_n();
137 } else if(field == "e") {
138 return m_public->get_e();
139 } else {
140 return Public_Key::get_int_field(field);
141 }
142}
143
144std::unique_ptr<Private_Key> RSA_PublicKey::generate_another(RandomNumberGenerator& rng) const {
145 return std::make_unique<RSA_PrivateKey>(rng, m_public->public_modulus_bits(), m_public->get_e().to_u32bit());
146}
147
148const BigInt& RSA_PublicKey::get_n() const {
149 return m_public->get_n();
150}
151
152const BigInt& RSA_PublicKey::get_e() const {
153 return m_public->get_e();
154}
155
156void RSA_PublicKey::init(BigInt&& n, BigInt&& e) {
157 if(n.is_negative() || n.is_even() || n.bits() < 5 /* n >= 3*5 */ || e.is_negative() || e.is_even()) {
158 throw Decoding_Error("Invalid RSA public key parameters");
159 }
160 m_public = std::make_shared<RSA_Public_Data>(std::move(n), std::move(e));
161}
162
163RSA_PublicKey::RSA_PublicKey(const AlgorithmIdentifier& /*unused*/, std::span<const uint8_t> key_bits) {
164 BigInt n;
165 BigInt e;
166 BER_Decoder(key_bits).start_sequence().decode(n).decode(e).end_cons();
167
168 init(std::move(n), std::move(e));
169}
170
175
176RSA_PublicKey::RSA_PublicKey(const BigInt& modulus, const BigInt& exponent) {
177 BigInt n = modulus;
178 BigInt e = exponent;
179 init(std::move(n), std::move(e));
180}
181
182size_t RSA_PublicKey::key_length() const {
183 return m_public->public_modulus_bits();
184}
185
189
193
194std::vector<uint8_t> RSA_PublicKey::raw_public_key_bits() const {
195 throw Not_Implemented("an RSA public key does not provide a raw binary representation.");
196}
197
198std::vector<uint8_t> RSA_PublicKey::public_key_bits() const {
199 std::vector<uint8_t> output;
200 DER_Encoder der(output);
201 der.start_sequence().encode(get_n()).encode(get_e()).end_cons();
202
203 return output;
204}
205
206/*
207* Check RSA Public Parameters
208*/
209bool RSA_PublicKey::check_key(RandomNumberGenerator& /*rng*/, bool /*strong*/) const {
210 if(get_n() < 35 || get_n().is_even() || get_e() < 3 || get_e().is_even()) {
211 return false;
212 }
213 return true;
214}
215
216std::shared_ptr<const RSA_Private_Data> RSA_PrivateKey::private_data() const {
217 return m_private;
218}
219
220secure_vector<uint8_t> RSA_PrivateKey::private_key_bits() const {
221 return DER_Encoder()
222 .start_sequence()
223 .encode(static_cast<size_t>(0))
224 .encode(get_n())
225 .encode(get_e())
226 .encode(get_d())
227 .encode(get_p())
228 .encode(get_q())
229 .encode(get_d1())
230 .encode(get_d2())
231 .encode(get_c())
232 .end_cons()
233 .get_contents();
234}
235
236const BigInt& RSA_PrivateKey::get_p() const {
237 return m_private->get_p();
238}
239
240const BigInt& RSA_PrivateKey::get_q() const {
241 return m_private->get_q();
242}
243
244const BigInt& RSA_PrivateKey::get_d() const {
245 return m_private->get_d();
246}
247
248const BigInt& RSA_PrivateKey::get_c() const {
249 return m_private->get_c();
250}
251
252const BigInt& RSA_PrivateKey::get_d1() const {
253 return m_private->get_d1();
254}
255
256const BigInt& RSA_PrivateKey::get_d2() const {
257 return m_private->get_d2();
258}
259
260void RSA_PrivateKey::init(BigInt&& d, BigInt&& p, BigInt&& q, BigInt&& d1, BigInt&& d2, BigInt&& c) {
261 m_private = std::make_shared<RSA_Private_Data>(
262 std::move(d), std::move(p), std::move(q), std::move(d1), std::move(d2), std::move(c));
263}
264
265RSA_PrivateKey::RSA_PrivateKey(const AlgorithmIdentifier& /*unused*/, std::span<const uint8_t> key_bits) {
266 BigInt n;
267 BigInt e;
268 BigInt d;
269 BigInt p;
270 BigInt q;
271 BigInt d1;
272 BigInt d2;
273 BigInt c;
274
275 BER_Decoder(key_bits)
276 .start_sequence()
277 .decode_and_check<size_t>(0, "Unknown PKCS #1 key format version")
278 .decode(n)
279 .decode(e)
280 .decode(d)
281 .decode(p)
282 .decode(q)
283 .decode(d1)
284 .decode(d2)
285 .decode(c)
286 .end_cons();
287
288 RSA_PublicKey::init(std::move(n), std::move(e));
289
290 RSA_PrivateKey::init(std::move(d), std::move(p), std::move(q), std::move(d1), std::move(d2), std::move(c));
291}
292
293RSA_PrivateKey::RSA_PrivateKey(
294 const BigInt& prime1, const BigInt& prime2, const BigInt& exp, const BigInt& d_exp, const BigInt& mod) {
295 BigInt p = prime1;
296 BigInt q = prime2;
297 BigInt n = mod;
298 if(n.is_zero()) {
299 n = p * q;
300 }
301
302 BigInt e = exp;
303
304 BigInt d = d_exp;
305
306 const BigInt p_minus_1 = p - 1;
307 const BigInt q_minus_1 = q - 1;
308
309 if(d.is_zero()) {
310 const BigInt phi_n = lcm(p_minus_1, q_minus_1);
311 d = compute_rsa_secret_exponent(e, phi_n, p, q);
312 }
313
314 BigInt d1 = ct_modulo(d, p_minus_1);
315 BigInt d2 = ct_modulo(d, q_minus_1);
316 BigInt c = inverse_mod_secret_prime(ct_modulo(q, p), p);
317
318 RSA_PublicKey::init(std::move(n), std::move(e));
319
320 RSA_PrivateKey::init(std::move(d), std::move(p), std::move(q), std::move(d1), std::move(d2), std::move(c));
321}
322
323/*
324* Create a RSA private key
325*/
326RSA_PrivateKey::RSA_PrivateKey(RandomNumberGenerator& rng, size_t bits, size_t exp) {
327 if(bits < 1024) {
328 throw Invalid_Argument(fmt("Cannot create an RSA key only {} bits long", bits));
329 }
330
331 if(exp < 3 || exp % 2 == 0) {
332 throw Invalid_Argument("Invalid RSA encryption exponent");
333 }
334
335 const size_t p_bits = (bits + 1) / 2;
336 const size_t q_bits = bits - p_bits;
337
338 BigInt p;
339 BigInt q;
340 BigInt n;
341 BigInt e = BigInt::from_u64(exp);
342
343 for(size_t attempt = 0;; ++attempt) {
344 if(attempt > 10) {
345 throw Internal_Error("RNG failure during RSA key generation");
346 }
347
348 // TODO could generate primes in thread pool
349 p = generate_rsa_prime(rng, rng, p_bits, e);
350 q = generate_rsa_prime(rng, rng, q_bits, e);
351
352 const BigInt diff = p - q;
353 if(diff.bits() < (bits / 2) - 100) {
354 continue;
355 }
356
357 n = p * q;
358
359 if(n.bits() != bits) {
360 continue;
361 }
362
363 break;
364 }
365
366 const BigInt p_minus_1 = p - 1;
367 const BigInt q_minus_1 = q - 1;
368
369 const BigInt phi_n = lcm(p_minus_1, q_minus_1);
370 // This is guaranteed because p,q == 3 mod 4
371 BOTAN_DEBUG_ASSERT(low_zero_bits(phi_n) == 1);
372
373 BigInt d = compute_rsa_secret_exponent(e, phi_n, p, q);
374 BigInt d1 = ct_modulo(d, p_minus_1);
375 BigInt d2 = ct_modulo(d, q_minus_1);
376 BigInt c = inverse_mod_secret_prime(ct_modulo(q, p), p);
377
378 RSA_PublicKey::init(std::move(n), std::move(e));
379
380 RSA_PrivateKey::init(std::move(d), std::move(p), std::move(q), std::move(d1), std::move(d2), std::move(c));
381}
382
383const BigInt& RSA_PrivateKey::get_int_field(std::string_view field) const {
384 if(field == "p") {
385 return m_private->get_p();
386 } else if(field == "q") {
387 return m_private->get_q();
388 } else if(field == "d") {
389 return m_private->get_d();
390 } else if(field == "c") {
391 return m_private->get_c();
392 } else if(field == "d1") {
393 return m_private->get_d1();
394 } else if(field == "d2") {
395 return m_private->get_d2();
396 } else {
397 return RSA_PublicKey::get_int_field(field);
398 }
399}
400
401std::unique_ptr<Public_Key> RSA_PrivateKey::public_key() const {
402 return std::make_unique<RSA_PublicKey>(get_n(), get_e());
403}
404
405/*
406* Check Private RSA Parameters
407*/
408bool RSA_PrivateKey::check_key(RandomNumberGenerator& rng, bool strong) const {
409 if(get_n() < 35 || get_n().is_even() || get_e() < 3 || get_e().is_even()) {
410 return false;
411 }
412
413 if(get_d() < 2 || get_p() < 3 || get_q() < 3) {
414 return false;
415 }
416
417 if(get_p() * get_q() != get_n()) {
418 return false;
419 }
420
421 if(get_p() == get_q()) {
422 return false;
423 }
424
425 if(get_d1() != ct_modulo(get_d(), get_p() - 1)) {
426 return false;
427 }
428 if(get_d2() != ct_modulo(get_d(), get_q() - 1)) {
429 return false;
430 }
431 if(get_c() != inverse_mod_secret_prime(ct_modulo(get_q(), get_p()), get_p())) {
432 return false;
433 }
434
435 const size_t prob = (strong) ? 128 : 12;
436
437 if(!is_prime(get_p(), rng, prob)) {
438 return false;
439 }
440 if(!is_prime(get_q(), rng, prob)) {
441 return false;
442 }
443
444 if(strong) {
445 if(ct_modulo(get_e() * get_d(), lcm(get_p() - 1, get_q() - 1)) != 1) {
446 return false;
447 }
448
449#if defined(BOTAN_HAS_PSS) && defined(BOTAN_HAS_SHA_256)
450 const std::string padding = "PSS(SHA-256)";
451#else
452 const std::string padding = "Raw";
453#endif
454
455 return KeyPair::signature_consistency_check(rng, *this, padding);
456 }
457
458 return true;
459}
460
461namespace {
462
463/*
464* To recover the final value from the CRT representation (j1,j2)
465* we use Garner's algorithm:
466* c = q^-1 mod p (this is precomputed)
467* h = c*(j1-j2) mod p
468* r = h*q + j2
469*/
470BigInt crt_recombine(const Montgomery_Int& j1,
471 const Montgomery_Int& j2_p,
472 const BigInt& j2,
473 const Montgomery_Int& c_monty,
474 const BigInt& p,
475 const BigInt& q) {
476 // We skip CRT entirely if the primes are not balanced (same bitlength) so q is also of this size
477 const size_t p_words = p.sig_words();
478 BOTAN_ASSERT_NOMSG(p_words == q.sig_words());
479
480 const size_t n_words = 2 * p_words;
481
482 // Ensure sufficient storage
483 BOTAN_ASSERT_NOMSG(j1.repr().size() >= p_words);
484 BOTAN_ASSERT_NOMSG(j2_p.repr().size() >= p_words);
485 BOTAN_ASSERT_NOMSG(j2.size() >= p_words);
486
487 /*
488 * Compute h = (j1 - j2) * c mod p
489 *
490 * This doesn't quite match up with the "Smooth-CRT" proposal; there we would
491 * multiply by a precomputed c * R2, which would have the effect of both
492 * multiplying by c and immediately converting from Montgomery to standard form.
493 */
494 secure_vector<word> ws(2 * p_words);
495
496 const Montgomery_Int h_monty = (j1 - j2_p).mul(c_monty, ws);
497
498 const BigInt h = h_monty.value();
499 // Montgomery_Int always returns values sized to the modulus
500 BOTAN_ASSERT_NOMSG(h.size() >= p_words);
501 BOTAN_DEBUG_ASSERT(h.sig_words() <= p_words);
502
503 // Compute r = h * q
504 secure_vector<word> r(2 * p_words);
505
506 bigint_mul(r.data(), r.size(), h._data(), h.size(), p_words, q._data(), q.size(), p_words, ws.data(), ws.size());
507
508 // r += j2
509 const word carry = bigint_add2(r.data(), n_words, j2._data(), p_words);
510 BOTAN_ASSERT_NOMSG(carry == 0); // should not be possible since it would imply r > the public modulus
511
512 return BigInt::_from_words(r);
513}
514
515/**
516* RSA private (decrypt/sign) operation
517*/
518class RSA_Private_Operation {
519 protected:
520 size_t public_modulus_bits() const { return m_public->public_modulus_bits(); }
521
522 size_t public_modulus_bytes() const { return m_public->public_modulus_bytes(); }
523
524 explicit RSA_Private_Operation(const RSA_PrivateKey& rsa, RandomNumberGenerator& rng) :
525 m_public(rsa.public_data()),
526 m_private(rsa.private_data()),
527 m_blinder(
528 m_public->reducer_mod_n(),
529 rng,
530 [this](const BigInt& k) { return m_public->public_op(k); },
531 [this](const BigInt& k) { return inverse_mod_rsa_public_modulus(k, m_public->get_n()); }),
532 m_blinding_bits(64),
533 m_max_d1_bits(m_private->p_bits() + m_blinding_bits),
534 m_max_d2_bits(m_private->q_bits() + m_blinding_bits) {}
535
536 void raw_op(std::span<uint8_t> out, std::span<const uint8_t> input) {
537 if(input.size() > public_modulus_bytes()) {
538 throw Decoding_Error("RSA input is too long for this key");
539 }
540 const BigInt input_bn(input.data(), input.size());
541 if(input_bn >= m_public->get_n()) {
542 throw Decoding_Error("RSA input is too large for this key");
543 }
544 // TODO: This should be a function on blinder
545 // BigInt Blinder::run_blinded_function(std::function<BigInt, BigInt> fn, const BigInt& input);
546
547 const BigInt recovered = m_blinder.unblind(rsa_private_op(m_blinder.blind(input_bn)));
548 BOTAN_ASSERT(input_bn == m_public->public_op(recovered), "RSA consistency check");
549 BOTAN_ASSERT(m_public->public_modulus_bytes() == out.size(), "output size check");
550 recovered.serialize_to(out);
551 }
552
553 private:
554 BigInt rsa_private_op(const BigInt& m) const {
555 /*
556 All normal implementations generate p/q of the same bitlength,
557 so this should rarely occur in practice
558 */
559 if(m_private->primes_imbalanced()) {
560 return monty_exp(m_public->monty_n(), m, m_private->get_d(), m_public->get_n().bits()).value();
561 }
562
563 static constexpr size_t powm_window = 4;
564
565 // Compute this in main thread to avoid racing on the rng
566 const BigInt d1_mask(m_blinder.rng(), m_blinding_bits);
567
568#if defined(BOTAN_HAS_THREAD_UTILS) && !defined(BOTAN_HAS_VALGRIND)
569 #define BOTAN_RSA_USE_ASYNC
570#endif
571
572#if defined(BOTAN_RSA_USE_ASYNC)
573 /*
574 * Precompute m.sig_words in the main thread before calling async. Otherwise
575 * the two threads race (during Barrett_Reduction::reduce) and while the output
576 * is correct in both threads, helgrind warns.
577 */
578 m.sig_words();
579
580 auto future_j1 = Thread_Pool::global_instance().run([this, &m, &d1_mask]() {
581#endif
582 const BigInt masked_d1 = m_private->blinded_d1(d1_mask);
583 auto powm_d1_p = monty_precompute(Montgomery_Int::from_wide_int(m_private->monty_p(), m), powm_window);
584 auto j1 = monty_execute(*powm_d1_p, masked_d1, m_max_d1_bits);
585
586#if defined(BOTAN_RSA_USE_ASYNC)
587 return j1;
588 });
589#endif
590
591 const BigInt d2_mask(m_blinder.rng(), m_blinding_bits);
592 const BigInt masked_d2 = m_private->blinded_d2(d2_mask);
593 auto powm_d2_q = monty_precompute(Montgomery_Int::from_wide_int(m_private->monty_q(), m), powm_window);
594 const auto j2 = monty_execute(*powm_d2_q, masked_d2, m_max_d2_bits).value();
595
596#if defined(BOTAN_RSA_USE_ASYNC)
597 auto j1 = future_j1.get();
598#endif
599
600 // Reduce j2 modulo p
601 const auto j2_p = Montgomery_Int::from_wide_int(m_private->monty_p(), j2);
602
603 return crt_recombine(j1, j2_p, j2, m_private->get_c_monty(), m_private->get_p(), m_private->get_q());
604 }
605
606 std::shared_ptr<const RSA_Public_Data> m_public;
607 std::shared_ptr<const RSA_Private_Data> m_private;
608
609 // XXX could the blinder starting pair be shared?
610 Blinder m_blinder;
611 const size_t m_blinding_bits;
612 const size_t m_max_d1_bits;
613 const size_t m_max_d2_bits;
614};
615
616class RSA_Signature_Operation final : public PK_Ops::Signature,
617 private RSA_Private_Operation {
618 public:
619 void update(std::span<const uint8_t> msg) override { m_padding->update(msg.data(), msg.size()); }
620
621 std::vector<uint8_t> sign(RandomNumberGenerator& rng) override {
622 const size_t max_input_bits = public_modulus_bits() - 1;
623 const auto msg = m_padding->raw_data();
624 const auto padded = m_padding->encoding_of(msg, max_input_bits, rng);
625
626 std::vector<uint8_t> out(public_modulus_bytes());
627 raw_op(out, padded);
628 return out;
629 }
630
631 size_t signature_length() const override { return public_modulus_bytes(); }
632
633 AlgorithmIdentifier algorithm_identifier() const override;
634
635 std::string hash_function() const override { return m_padding->hash_function(); }
636
637 RSA_Signature_Operation(const RSA_PrivateKey& rsa, std::string_view padding, RandomNumberGenerator& rng) :
638 RSA_Private_Operation(rsa, rng), m_padding(SignaturePaddingScheme::create_or_throw(padding)) {}
639
640 private:
641 std::unique_ptr<SignaturePaddingScheme> m_padding;
642};
643
644AlgorithmIdentifier RSA_Signature_Operation::algorithm_identifier() const {
645 const std::string padding_name = m_padding->name();
646
647 try {
648 const std::string full_name = "RSA/" + padding_name;
649 const OID oid = OID::from_string(full_name);
650 return AlgorithmIdentifier(oid, AlgorithmIdentifier::USE_EMPTY_PARAM);
651 } catch(Lookup_Error&) {}
652
653 if(padding_name.starts_with("PSS(")) {
654 auto parameters = PSS_Params::from_padding_name(m_padding->name()).serialize();
655 return AlgorithmIdentifier("RSA/PSS", parameters);
656 }
657
658 throw Invalid_Argument(fmt("Signatures using RSA/{} are not supported", padding_name));
659}
660
661class RSA_Decryption_Operation final : public PK_Ops::Decryption_with_Padding,
662 private RSA_Private_Operation {
663 public:
664 RSA_Decryption_Operation(const RSA_PrivateKey& rsa, std::string_view padding, RandomNumberGenerator& rng) :
665 PK_Ops::Decryption_with_Padding(padding), RSA_Private_Operation(rsa, rng) {}
666
667 size_t plaintext_length(size_t /*ctext_len*/) const override { return public_modulus_bytes(); }
668
669 secure_vector<uint8_t> raw_decrypt(std::span<const uint8_t> input) override {
670 secure_vector<uint8_t> out(public_modulus_bytes());
671 raw_op(out, input);
672 return out;
673 }
674};
675
676class RSA_KEM_Decryption_Operation final : public PK_Ops::KEM_Decryption_with_KDF,
677 private RSA_Private_Operation {
678 public:
679 RSA_KEM_Decryption_Operation(const RSA_PrivateKey& key, std::string_view kdf, RandomNumberGenerator& rng) :
680 PK_Ops::KEM_Decryption_with_KDF(kdf), RSA_Private_Operation(key, rng) {}
681
682 size_t raw_kem_shared_key_length() const override { return public_modulus_bytes(); }
683
684 size_t encapsulated_key_length() const override { return public_modulus_bytes(); }
685
686 void raw_kem_decrypt(std::span<uint8_t> out_shared_key, std::span<const uint8_t> encapsulated_key) override {
687 raw_op(out_shared_key, encapsulated_key);
688 }
689};
690
691/**
692* RSA public (encrypt/verify) operation
693*/
694class RSA_Public_Operation {
695 public:
696 explicit RSA_Public_Operation(const RSA_PublicKey& rsa) : m_public(rsa.public_data()) {}
697
698 size_t public_modulus_bits() const { return m_public->public_modulus_bits(); }
699
700 protected:
701 BigInt public_op(const BigInt& m) const {
702 if(m >= m_public->get_n()) {
703 throw Decoding_Error("RSA public op - input is too large");
704 }
705
706 return m_public->public_op(m);
707 }
708
709 size_t public_modulus_bytes() const { return m_public->public_modulus_bytes(); }
710
711 const BigInt& get_n() const { return m_public->get_n(); }
712
713 private:
714 std::shared_ptr<const RSA_Public_Data> m_public;
715};
716
717class RSA_Encryption_Operation final : public PK_Ops::Encryption_with_Padding,
718 private RSA_Public_Operation {
719 public:
720 RSA_Encryption_Operation(const RSA_PublicKey& rsa, std::string_view padding) :
721 PK_Ops::Encryption_with_Padding(padding), RSA_Public_Operation(rsa) {}
722
723 size_t ciphertext_length(size_t /*ptext_len*/) const override { return public_modulus_bytes(); }
724
725 size_t max_ptext_input_bits() const override { return public_modulus_bits() - 1; }
726
727 std::vector<uint8_t> raw_encrypt(std::span<const uint8_t> input, RandomNumberGenerator& /*rng*/) override {
728 const BigInt input_bn(input);
729 return public_op(input_bn).serialize(public_modulus_bytes());
730 }
731};
732
733class RSA_Verify_Operation final : public PK_Ops::Verification,
734 private RSA_Public_Operation {
735 public:
736 void update(std::span<const uint8_t> msg) override { m_padding->update(msg.data(), msg.size()); }
737
738 bool is_valid_signature(std::span<const uint8_t> sig) override {
739 const auto msg = m_padding->raw_data();
740 const auto message_repr = recover_message_repr(sig.data(), sig.size());
741 return m_padding->verify(message_repr, msg, public_modulus_bits() - 1);
742 }
743
744 RSA_Verify_Operation(const RSA_PublicKey& rsa, std::string_view padding) :
745 RSA_Public_Operation(rsa), m_padding(SignaturePaddingScheme::create_or_throw(padding)) {}
746
747 std::string hash_function() const override { return m_padding->hash_function(); }
748
749 private:
750 std::vector<uint8_t> recover_message_repr(const uint8_t input[], size_t input_len) {
751 if(input_len > public_modulus_bytes()) {
752 throw Decoding_Error("RSA signature too large to be valid for this key");
753 }
754 const BigInt input_bn(input, input_len);
755 return public_op(input_bn).serialize();
756 }
757
758 std::unique_ptr<SignaturePaddingScheme> m_padding;
759};
760
761class RSA_KEM_Encryption_Operation final : public PK_Ops::KEM_Encryption_with_KDF,
762 private RSA_Public_Operation {
763 public:
764 RSA_KEM_Encryption_Operation(const RSA_PublicKey& key, std::string_view kdf) :
765 PK_Ops::KEM_Encryption_with_KDF(kdf), RSA_Public_Operation(key) {}
766
767 private:
768 size_t raw_kem_shared_key_length() const override { return public_modulus_bytes(); }
769
770 size_t encapsulated_key_length() const override { return public_modulus_bytes(); }
771
772 void raw_kem_encrypt(std::span<uint8_t> out_encapsulated_key,
773 std::span<uint8_t> raw_shared_key,
774 RandomNumberGenerator& rng) override {
775 const BigInt r = BigInt::random_integer(rng, BigInt::one(), get_n());
776 const BigInt c = public_op(r);
777
778 c.serialize_to(out_encapsulated_key);
779 r.serialize_to(raw_shared_key);
780 }
781};
782
783} // namespace
784
785std::unique_ptr<PK_Ops::Encryption> RSA_PublicKey::create_encryption_op(RandomNumberGenerator& /*rng*/,
786 std::string_view params,
787 std::string_view provider) const {
788 if(provider == "base" || provider.empty()) {
789 return std::make_unique<RSA_Encryption_Operation>(*this, params);
790 }
791 throw Provider_Not_Found(algo_name(), provider);
792}
793
794std::unique_ptr<PK_Ops::KEM_Encryption> RSA_PublicKey::create_kem_encryption_op(std::string_view params,
795 std::string_view provider) const {
796 if(provider == "base" || provider.empty()) {
797 return std::make_unique<RSA_KEM_Encryption_Operation>(*this, params);
798 }
799 throw Provider_Not_Found(algo_name(), provider);
800}
801
802std::unique_ptr<PK_Ops::Verification> RSA_PublicKey::create_verification_op(std::string_view params,
803 std::string_view provider) const {
804 if(provider == "base" || provider.empty()) {
805 return std::make_unique<RSA_Verify_Operation>(*this, params);
806 }
807
808 throw Provider_Not_Found(algo_name(), provider);
809}
810
811namespace {
812
813std::string parse_rsa_signature_algorithm(const AlgorithmIdentifier& alg_id) {
814 const auto sig_info = split_on(alg_id.oid().to_formatted_string(), '/');
815
816 if(sig_info.empty() || sig_info.size() != 2 || sig_info[0] != "RSA") {
817 throw Decoding_Error("Unknown AlgorithmIdentifier for RSA X.509 signatures");
818 }
819
820 std::string padding = sig_info[1];
821
822 if(padding == "PSS") {
823 // "MUST contain RSASSA-PSS-params"
824 if(alg_id.parameters().empty()) {
825 throw Decoding_Error("PSS params must be provided");
826 }
827
828 const PSS_Params pss_params(alg_id.parameters());
829
830 // hash_algo must be SHA1, SHA2-224, SHA2-256, SHA2-384 or SHA2-512
831 // We also support SHA-3 (is also supported by e.g. OpenSSL and bouncycastle)
832 const std::string hash_algo = pss_params.hash_function();
833 if(hash_algo != "SHA-1" && hash_algo != "SHA-224" && hash_algo != "SHA-256" && hash_algo != "SHA-384" &&
834 hash_algo != "SHA-512" && hash_algo != "SHA-3(224)" && hash_algo != "SHA-3(256)" &&
835 hash_algo != "SHA-3(384)" && hash_algo != "SHA-3(512)") {
836 throw Decoding_Error("Unacceptable hash for PSS signatures");
837 }
838
839 if(pss_params.mgf_function() != "MGF1") {
840 throw Decoding_Error("Unacceptable MGF for PSS signatures");
841 }
842
843 // For MGF1, it is strongly RECOMMENDED that the underlying hash
844 // function be the same as the one identified by hashAlgorithm
845 if(pss_params.hash_algid() != pss_params.mgf_hash_algid()) {
846 throw Decoding_Error("Unacceptable MGF hash for PSS signatures");
847 }
848
849 if(pss_params.trailer_field() != 1) {
850 throw Decoding_Error("Unacceptable trailer field for PSS signatures");
851 }
852
853 padding += fmt("({},MGF1,{})", hash_algo, pss_params.salt_length());
854 }
855
856 return padding;
857}
858
859} // namespace
860
861std::unique_ptr<PK_Ops::Verification> RSA_PublicKey::create_x509_verification_op(const AlgorithmIdentifier& alg_id,
862 std::string_view provider) const {
863 if(provider == "base" || provider.empty()) {
864 return std::make_unique<RSA_Verify_Operation>(*this, parse_rsa_signature_algorithm(alg_id));
865 }
866
867 throw Provider_Not_Found(algo_name(), provider);
868}
869
870std::unique_ptr<PK_Ops::Decryption> RSA_PrivateKey::create_decryption_op(RandomNumberGenerator& rng,
871 std::string_view params,
872 std::string_view provider) const {
873 if(provider == "base" || provider.empty()) {
874 return std::make_unique<RSA_Decryption_Operation>(*this, params, rng);
875 }
876
877 throw Provider_Not_Found(algo_name(), provider);
878}
879
880std::unique_ptr<PK_Ops::KEM_Decryption> RSA_PrivateKey::create_kem_decryption_op(RandomNumberGenerator& rng,
881 std::string_view params,
882 std::string_view provider) const {
883 if(provider == "base" || provider.empty()) {
884 return std::make_unique<RSA_KEM_Decryption_Operation>(*this, params, rng);
885 }
886
887 throw Provider_Not_Found(algo_name(), provider);
888}
889
890std::unique_ptr<PK_Ops::Signature> RSA_PrivateKey::create_signature_op(RandomNumberGenerator& rng,
891 std::string_view params,
892 std::string_view provider) const {
893 if(provider == "base" || provider.empty()) {
894 return std::make_unique<RSA_Signature_Operation>(*this, params, rng);
895 }
896
897 throw Provider_Not_Found(algo_name(), provider);
898}
899
900} // namespace Botan
BOTAN_ASSERT_NOMSG
#define BOTAN_ASSERT_NOMSG(expr)
Definition assert.h:75
BOTAN_DEBUG_ASSERT
#define BOTAN_DEBUG_ASSERT(expr)
Definition assert.h:129
BOTAN_ASSERT
#define BOTAN_ASSERT(expr, assertion_made)
Definition assert.h:62
Botan::AlgorithmIdentifier::parameters
const std::vector< uint8_t > & parameters() const
Definition asn1_obj.h:409
Botan::AlgorithmIdentifier::oid
const OID & oid() const
Definition asn1_obj.h:407
Botan::Asymmetric_Key::get_int_field
virtual const BigInt & get_int_field(std::string_view field) const
Definition pk_keys.cpp:18
Botan::Asymmetric_Key::object_identifier
virtual OID object_identifier() const
Definition pk_keys.cpp:22
Botan::BER_Decoder
Definition ber_dec.h:25
Botan::BER_Decoder::decode
BER_Decoder & decode(bool &out)
Definition ber_dec.h:188
Botan::BER_Decoder::end_cons
BER_Decoder & end_cons()
Definition ber_dec.cpp:337
Botan::BER_Decoder::start_sequence
BER_Decoder start_sequence()
Definition ber_dec.h:128
Botan::BER_Decoder::decode_and_check
BER_Decoder & decode_and_check(const T &expected, std::string_view error_msg)
Definition ber_dec.h:282
Botan::BigInt::sig_words
size_t sig_words() const
Definition bigint.h:631
Botan::BigInt::size
size_t size() const
Definition bigint.h:625
Botan::BigInt::_from_words
static BigInt _from_words(secure_vector< word > &words)
Definition bigint.h:971
Botan::BigInt::bits
size_t bits() const
Definition bigint.cpp:307
Botan::BigInt::from_u64
static BigInt from_u64(uint64_t n)
Definition bigint.cpp:30
Botan::BigInt::_data
const word * _data() const
Definition bigint.h:952
Botan::BigInt::is_zero
bool is_zero() const
Definition bigint.h:473
Botan::DER_Encoder
Definition der_enc.h:25
Botan::DER_Encoder::get_contents
secure_vector< uint8_t > get_contents()
Definition der_enc.cpp:134
Botan::DER_Encoder::start_sequence
DER_Encoder & start_sequence()
Definition der_enc.h:67
Botan::DER_Encoder::end_cons
DER_Encoder & end_cons()
Definition der_enc.cpp:173
Botan::DER_Encoder::encode
DER_Encoder & encode(bool b)
Definition der_enc.cpp:252
Botan::Decoding_Error
Definition exceptn.h:192
Botan::Internal_Error
Definition exceptn.h:322
Botan::Invalid_Argument
Definition exceptn.h:132
Botan::Montgomery_Int
Definition monty.h:103
Botan::Montgomery_Int::from_wide_int
static Montgomery_Int from_wide_int(const Montgomery_Params &params, const BigInt &x)
Definition monty.cpp:208
Botan::Montgomery_Int::repr
const secure_vector< word > & repr() const
Definition monty.h:143
Botan::Montgomery_Int::value
BigInt value() const
Definition monty.cpp:246
Botan::Not_Implemented
Definition exceptn.h:335
Botan::OID::to_formatted_string
std::string to_formatted_string() const
Definition asn1_oid.cpp:139
Botan::PK_Ops::Signature
Definition pk_ops.h:102
Botan::PK_Ops::Signature::update
virtual void update(std::span< const uint8_t > input)=0
Botan::Provider_Not_Found
Definition exceptn.h:263
Botan::RSA_PrivateKey::get_q
const BigInt & get_q() const
Definition rsa.cpp:240
Botan::RSA_PrivateKey::get_int_field
const BigInt & get_int_field(std::string_view field) const override
Definition rsa.cpp:383
Botan::RSA_PrivateKey::private_data
std::shared_ptr< const RSA_Private_Data > private_data() const
Definition rsa.cpp:216
Botan::RSA_PrivateKey::create_decryption_op
std::unique_ptr< PK_Ops::Decryption > create_decryption_op(RandomNumberGenerator &rng, std::string_view params, std::string_view provider) const override
Definition rsa.cpp:870
Botan::RSA_PrivateKey::get_c
const BigInt & get_c() const
Definition rsa.cpp:248
Botan::RSA_PrivateKey::create_signature_op
std::unique_ptr< PK_Ops::Signature > create_signature_op(RandomNumberGenerator &rng, std::string_view params, std::string_view provider) const override
Definition rsa.cpp:890
Botan::RSA_PrivateKey::RSA_PrivateKey
RSA_PrivateKey(const AlgorithmIdentifier &alg_id, std::span< const uint8_t > key_bits)
Definition rsa.cpp:265
Botan::RSA_PrivateKey::get_p
const BigInt & get_p() const
Definition rsa.cpp:236
Botan::RSA_PrivateKey::get_d2
const BigInt & get_d2() const
Definition rsa.cpp:256
Botan::RSA_PrivateKey::check_key
bool check_key(RandomNumberGenerator &rng, bool strong) const override
Definition rsa.cpp:408
Botan::RSA_PrivateKey::get_d
const BigInt & get_d() const
Definition rsa.cpp:244
Botan::RSA_PrivateKey::private_key_bits
secure_vector< uint8_t > private_key_bits() const override
Definition rsa.cpp:220
Botan::RSA_PrivateKey::create_kem_decryption_op
std::unique_ptr< PK_Ops::KEM_Decryption > create_kem_decryption_op(RandomNumberGenerator &rng, std::string_view params, std::string_view provider) const override
Definition rsa.cpp:880
Botan::RSA_PrivateKey::public_key
std::unique_ptr< Public_Key > public_key() const override
Definition rsa.cpp:401
Botan::RSA_PrivateKey::get_d1
const BigInt & get_d1() const
Definition rsa.cpp:252
Botan::RSA_PublicKey::create_encryption_op
std::unique_ptr< PK_Ops::Encryption > create_encryption_op(RandomNumberGenerator &rng, std::string_view params, std::string_view provider) const override
Definition rsa.cpp:785
Botan::RSA_PublicKey::init
void init(BigInt &&n, BigInt &&e)
Definition rsa.cpp:156
Botan::RSA_PublicKey::key_length
size_t key_length() const override
Definition rsa.cpp:182
Botan::RSA_PublicKey::create_verification_op
std::unique_ptr< PK_Ops::Verification > create_verification_op(std::string_view params, std::string_view provider) const override
Definition rsa.cpp:802
Botan::RSA_PublicKey::algo_name
std::string algo_name() const override
Definition rsa.h:41
Botan::RSA_PublicKey::create_x509_verification_op
std::unique_ptr< PK_Ops::Verification > create_x509_verification_op(const AlgorithmIdentifier &alg_id, std::string_view provider) const override
Definition rsa.cpp:861
Botan::RSA_PublicKey::get_int_field
const BigInt & get_int_field(std::string_view field) const override
Definition rsa.cpp:134
Botan::RSA_PublicKey::check_key
bool check_key(RandomNumberGenerator &rng, bool strong) const override
Definition rsa.cpp:209
Botan::RSA_PublicKey::get_n
const BigInt & get_n() const
Definition rsa.cpp:148
Botan::RSA_PublicKey::RSA_PublicKey
RSA_PublicKey()=default
Botan::RSA_PublicKey::estimated_strength
size_t estimated_strength() const override
Definition rsa.cpp:186
Botan::RSA_PublicKey::create_kem_encryption_op
std::unique_ptr< PK_Ops::KEM_Encryption > create_kem_encryption_op(std::string_view params, std::string_view provider) const override
Definition rsa.cpp:794
Botan::RSA_PublicKey::generate_another
std::unique_ptr< Private_Key > generate_another(RandomNumberGenerator &rng) const override
Definition rsa.cpp:144
Botan::RSA_PublicKey::raw_public_key_bits
std::vector< uint8_t > raw_public_key_bits() const override
Definition rsa.cpp:194
Botan::RSA_PublicKey::algorithm_identifier
AlgorithmIdentifier algorithm_identifier() const override
Definition rsa.cpp:190
Botan::RSA_PublicKey::public_key_bits
std::vector< uint8_t > public_key_bits() const override
Definition rsa.cpp:198
Botan::RSA_PublicKey::m_public
std::shared_ptr< const RSA_Public_Data > m_public
Definition rsa.h:91
Botan::RSA_PublicKey::public_data
std::shared_ptr< const RSA_Public_Data > public_data() const
Definition rsa.cpp:130
Botan::RSA_PublicKey::get_e
const BigInt & get_e() const
Definition rsa.cpp:152
Botan::RSA_PublicKey::supports_operation
bool supports_operation(PublicKeyOperation op) const override
Definition rsa.cpp:171
Botan::Thread_Pool::run
auto run(F &&f, Args &&... args) -> std::future< std::invoke_result_t< F, Args... > >
Definition thread_pool.h:66
Botan::Thread_Pool::global_instance
static Thread_Pool & global_instance()
Definition thread_pool.cpp:56
Botan::KeyPair::signature_consistency_check
bool signature_consistency_check(RandomNumberGenerator &rng, const Private_Key &private_key, const Public_Key &public_key, std::string_view padding)
Definition keypair.cpp:49
Botan::inverse_mod_secret_prime
BigInt inverse_mod_secret_prime(const BigInt &x, const BigInt &p)
Definition mod_inv.cpp:282
Botan::bigint_add2
constexpr auto bigint_add2(W x[], size_t x_size, const W y[], size_t y_size) -> W
Definition mp_core.h:94
Botan::fmt
std::string fmt(std::string_view format, const T &... args)
Definition fmt.h:53
Botan::lcm
BigInt lcm(const BigInt &a, const BigInt &b)
Definition numthry.cpp:296
Botan::monty_precompute
std::shared_ptr< const Montgomery_Exponentiation_State > monty_precompute(const Montgomery_Int &g, size_t window_bits, bool const_time)
Definition monty_exp.cpp:141
Botan::split_on
std::vector< std::string > split_on(std::string_view str, char delim)
Definition parsing.cpp:111
Botan::low_zero_bits
size_t low_zero_bits(const BigInt &n)
Definition numthry.cpp:194
Botan::bigint_mul
void bigint_mul(word z[], size_t z_size, const word x[], size_t x_size, size_t x_sw, const word y[], size_t y_size, size_t y_sw, word workspace[], size_t ws_size)
Definition mp_karat.cpp:283
Botan::is_prime
bool is_prime(const BigInt &n, RandomNumberGenerator &rng, size_t prob, bool is_random)
Definition numthry.cpp:381
Botan::ct_modulo
BigInt ct_modulo(const BigInt &x, const BigInt &y)
Definition divide.cpp:192
Botan::monty_execute_vartime
Montgomery_Int monty_execute_vartime(const Montgomery_Exponentiation_State &precomputed_state, const BigInt &k)
Definition monty_exp.cpp:162
Botan::compute_rsa_secret_exponent
BigInt compute_rsa_secret_exponent(const BigInt &e, const BigInt &phi_n, const BigInt &p, const BigInt &q)
Definition mod_inv.cpp:332
Botan::PublicKeyOperation
PublicKeyOperation
Definition pk_keys.h:46
Botan::generate_rsa_prime
BigInt generate_rsa_prime(RandomNumberGenerator &keygen_rng, RandomNumberGenerator &prime_test_rng, size_t bits, const BigInt &coprime, size_t prob)
Definition make_prm.cpp:226
Botan::carry
void carry(int64_t &h0, int64_t &h1)
Definition ed25519_internal.h:27
Botan::monty_execute
Montgomery_Int monty_execute(const Montgomery_Exponentiation_State &precomputed_state, const BigInt &k, size_t max_k_bits)
Definition monty_exp.cpp:156
Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:68
Botan::inverse_mod_rsa_public_modulus
BigInt inverse_mod_rsa_public_modulus(const BigInt &x, const BigInt &n)
Definition mod_inv.cpp:297
Botan::if_work_factor
size_t if_work_factor(size_t bits)
Definition workfactor.cpp:37
Botan::word
std::conditional_t< HasNative64BitRegisters, std::uint64_t, uint32_t > word
Definition types.h:119
Botan::monty_exp
Montgomery_Int monty_exp(const Montgomery_Params &params_p, const BigInt &g, const BigInt &k, size_t max_k_bits)
Definition monty_exp.h:46
Generated by doxygen 1.15.0