Botan  2.9.0
Crypto and TLS for C++11
rsa.cpp
Go to the documentation of this file.
1 /*
2 * RSA
3 * (C) 1999-2010,2015,2016,2018 Jack Lloyd
4 *
5 * Botan is released under the Simplified BSD License (see license.txt)
6 */
7 
8 #include <botan/rsa.h>
9 #include <botan/internal/pk_ops_impl.h>
10 #include <botan/keypair.h>
11 #include <botan/blinding.h>
12 #include <botan/reducer.h>
13 #include <botan/workfactor.h>
14 #include <botan/der_enc.h>
15 #include <botan/ber_dec.h>
16 #include <botan/pow_mod.h>
17 #include <botan/monty.h>
18 #include <botan/divide.h>
19 #include <botan/internal/monty_exp.h>
20 
21 #if defined(BOTAN_HAS_OPENSSL)
22  #include <botan/internal/openssl.h>
23 #endif
24 
25 #if defined(BOTAN_TARGET_OS_HAS_THREADS)
26  #include <future>
27 #endif
28 
29 namespace Botan {
30 
32  {
33  return m_n.bits();
34  }
35 
37  {
38  return if_work_factor(key_length());
39  }
40 
42  {
45  }
46 
47 std::vector<uint8_t> RSA_PublicKey::public_key_bits() const
48  {
49  std::vector<uint8_t> output;
50  DER_Encoder der(output);
51  der.start_cons(SEQUENCE)
52  .encode(m_n)
53  .encode(m_e)
54  .end_cons();
55 
56  return output;
57  }
58 
60  const std::vector<uint8_t>& key_bits)
61  {
62  BER_Decoder(key_bits)
64  .decode(m_n)
65  .decode(m_e)
66  .end_cons();
67  }
68 
69 /*
70 * Check RSA Public Parameters
71 */
73  {
74  if(m_n < 35 || m_n.is_even() || m_e < 3 || m_e.is_even())
75  return false;
76  return true;
77  }
78 
80  {
81  return DER_Encoder()
83  .encode(static_cast<size_t>(0))
84  .encode(m_n)
85  .encode(m_e)
86  .encode(m_d)
87  .encode(m_p)
88  .encode(m_q)
89  .encode(m_d1)
90  .encode(m_d2)
91  .encode(m_c)
92  .end_cons()
93  .get_contents();
94  }
95 
97  const secure_vector<uint8_t>& key_bits)
98  {
99  BER_Decoder(key_bits)
101  .decode_and_check<size_t>(0, "Unknown PKCS #1 key format version")
102  .decode(m_n)
103  .decode(m_e)
104  .decode(m_d)
105  .decode(m_p)
106  .decode(m_q)
107  .decode(m_d1)
108  .decode(m_d2)
109  .decode(m_c)
110  .end_cons();
111  }
112 
114  const BigInt& prime2,
115  const BigInt& exp,
116  const BigInt& d_exp,
117  const BigInt& mod) :
118  m_d{ d_exp }, m_p{ prime1 }, m_q{ prime2 }, m_d1{}, m_d2{}, m_c{ inverse_mod( m_q, m_p ) }
119  {
120  m_n = mod.is_nonzero() ? mod : m_p * m_q;
121  m_e = exp;
122 
123  if(m_d == 0)
124  {
125  const BigInt phi_n = lcm(m_p - 1, m_q - 1);
126  m_d = inverse_mod(m_e, phi_n);
127  }
128 
129  m_d1 = ct_modulo(m_d, m_p - 1);
130  m_d2 = ct_modulo(m_d, m_q - 1);
131  }
132 
133 /*
134 * Create a RSA private key
135 */
137  size_t bits, size_t exp)
138  {
139  if(bits < 1024)
140  throw Invalid_Argument(algo_name() + ": Can't make a key that is only " +
141  std::to_string(bits) + " bits long");
142  if(exp < 3 || exp % 2 == 0)
143  throw Invalid_Argument(algo_name() + ": Invalid encryption exponent");
144 
145  m_e = exp;
146 
147  const size_t p_bits = (bits + 1) / 2;
148  const size_t q_bits = bits - p_bits;
149 
150  do
151  {
152  m_p = generate_rsa_prime(rng, rng, p_bits, m_e);
153  m_q = generate_rsa_prime(rng, rng, q_bits, m_e);
154  m_n = m_p * m_q;
155  } while(m_n.bits() != bits);
156 
157  // FIXME: lcm calls gcd which is not const time
158  const BigInt phi_n = lcm(m_p - 1, m_q - 1);
159  // FIXME: this uses binary ext gcd because phi_n is even
160  m_d = inverse_mod(m_e, phi_n);
161  m_d1 = ct_modulo(m_d, m_p - 1);
162  m_d2 = ct_modulo(m_d, m_q - 1);
163  m_c = inverse_mod(m_q, m_p);
164  }
165 
166 /*
167 * Check Private RSA Parameters
168 */
170  {
171  if(m_n < 35 || m_n.is_even() || m_e < 3 || m_e.is_even())
172  return false;
173 
174  if(m_d < 2 || m_p < 3 || m_q < 3 || m_p*m_q != m_n)
175  return false;
176 
177  if(m_d1 != ct_modulo(m_d, m_p - 1) || m_d2 != ct_modulo(m_d, m_q - 1) || m_c != inverse_mod(m_q, m_p))
178  return false;
179 
180  const size_t prob = (strong) ? 128 : 12;
181 
182  if(!is_prime(m_p, rng, prob) || !is_prime(m_q, rng, prob))
183  return false;
184 
185  if(strong)
186  {
187  if(ct_modulo(m_e * m_d, lcm(m_p - 1, m_q - 1)) != 1)
188  return false;
189 
190  return KeyPair::signature_consistency_check(rng, *this, "EMSA4(SHA-256)");
191  }
192 
193  return true;
194  }
195 
196 namespace {
197 
198 /**
199 * RSA private (decrypt/sign) operation
200 */
201 class RSA_Private_Operation
202  {
203  protected:
204  size_t get_max_input_bits() const { return (m_mod_bits - 1); }
205 
206  const size_t exp_blinding_bits = 64;
207 
208  explicit RSA_Private_Operation(const RSA_PrivateKey& rsa, RandomNumberGenerator& rng) :
209  m_key(rsa),
210  m_mod_p(m_key.get_p()),
211  m_mod_q(m_key.get_q()),
212  m_monty_p(std::make_shared<Montgomery_Params>(m_key.get_p(), m_mod_p)),
213  m_monty_q(std::make_shared<Montgomery_Params>(m_key.get_q(), m_mod_q)),
214  m_powermod_e_n(m_key.get_e(), m_key.get_n()),
215  m_blinder(m_key.get_n(),
216  rng,
217  [this](const BigInt& k) { return m_powermod_e_n(k); },
218  [this](const BigInt& k) { return inverse_mod(k, m_key.get_n()); }),
219  m_blinding_bits(64),
220  m_mod_bytes(m_key.get_n().bytes()),
221  m_mod_bits(m_key.get_n().bits()),
222  m_max_d1_bits(m_key.get_p().bits() + m_blinding_bits),
223  m_max_d2_bits(m_key.get_q().bits() + m_blinding_bits)
224  {
225  }
226 
227  BigInt blinded_private_op(const BigInt& m) const
228  {
229  if(m >= m_key.get_n())
230  throw Invalid_Argument("RSA private op - input is too large");
231 
232  return m_blinder.unblind(private_op(m_blinder.blind(m)));
233  }
234 
235  BigInt private_op(const BigInt& m) const
236  {
237  /*
238  TODO
239  Consider using Montgomery reduction instead of Barrett, using
240  the "Smooth RSA-CRT" method. https://eprint.iacr.org/2007/039.pdf
241  */
242 
243  const size_t powm_window = 4;
244 
245  const BigInt d1_mask(m_blinder.rng(), m_blinding_bits);
246 
247 #if defined(BOTAN_TARGET_OS_HAS_THREADS) && !defined(BOTAN_HAS_VALGRIND)
248  #define BOTAN_RSA_USE_ASYNC
249 #endif
250 
251 #if defined(BOTAN_RSA_USE_ASYNC)
252  auto future_j1 = std::async(std::launch::async, [this, &m, &d1_mask, powm_window]() {
253 #endif
254  const BigInt masked_d1 = m_key.get_d1() + (d1_mask * (m_key.get_p() - 1));
255  auto powm_d1_p = monty_precompute(m_monty_p, m_mod_p.reduce(m), powm_window);
256  BigInt j1 = monty_execute(*powm_d1_p, masked_d1, m_max_d1_bits);
257 
258 #if defined(BOTAN_RSA_USE_ASYNC)
259  return j1;
260  });
261 #endif
262 
263  const BigInt d2_mask(m_blinder.rng(), m_blinding_bits);
264  const BigInt masked_d2 = m_key.get_d2() + (d2_mask * (m_key.get_q() - 1));
265  auto powm_d2_q = monty_precompute(m_monty_q, m_mod_q.reduce(m), powm_window);
266  const BigInt j2 = monty_execute(*powm_d2_q, masked_d2, m_max_d2_bits);
267 
268 #if defined(BOTAN_RSA_USE_ASYNC)
269  BigInt j1 = future_j1.get();
270 #endif
271 
272  /*
273  * To recover the final value from the CRT representation (j1,j2)
274  * we use Garner's algorithm:
275  * c = q^-1 mod p (this is precomputed)
276  * h = c*(j1-j2) mod p
277  * m = j2 + h*q
278  *
279  * We must avoid leaking if j1 >= j2 or not, as doing so allows deriving
280  * information about the secret prime. Do this by first adding p to j1,
281  * which should ensure the subtraction of j2 does not underflow. But
282  * this may still underflow if p and q are imbalanced in size.
283  */
284 
285  j1 = m_mod_p.multiply(m_mod_p.reduce((m_key.get_p() + j1) - j2), m_key.get_c());
286  return mul_add(j1, m_key.get_q(), j2);
287  }
288 
289  const RSA_PrivateKey& m_key;
290 
291  // TODO these could all be computed once and stored in the key object
292  Modular_Reducer m_mod_p;
293  Modular_Reducer m_mod_q;
294  std::shared_ptr<const Montgomery_Params> m_monty_p;
295  std::shared_ptr<const Montgomery_Params> m_monty_q;
296 
297  Fixed_Exponent_Power_Mod m_powermod_e_n;
298  Blinder m_blinder;
299  const size_t m_blinding_bits;
300  const size_t m_mod_bytes;
301  const size_t m_mod_bits;
302  const size_t m_max_d1_bits;
303  const size_t m_max_d2_bits;
304  };
305 
306 class RSA_Signature_Operation final : public PK_Ops::Signature_with_EMSA,
307  private RSA_Private_Operation
308  {
309  public:
310 
311  size_t max_input_bits() const override { return get_max_input_bits(); }
312 
313  size_t signature_length() const override { return m_key.get_n().bytes(); }
314 
315  RSA_Signature_Operation(const RSA_PrivateKey& rsa, const std::string& emsa, RandomNumberGenerator& rng) :
316  PK_Ops::Signature_with_EMSA(emsa),
317  RSA_Private_Operation(rsa, rng)
318  {
319  }
320 
321  secure_vector<uint8_t> raw_sign(const uint8_t msg[], size_t msg_len,
322  RandomNumberGenerator&) override
323  {
324  const BigInt m(msg, msg_len);
325  const BigInt x = blinded_private_op(m);
326  const BigInt c = m_powermod_e_n(x);
327  BOTAN_ASSERT(m == c, "RSA sign consistency check");
328  return BigInt::encode_1363(x, m_mod_bytes);
329  }
330  };
331 
332 class RSA_Decryption_Operation final : public PK_Ops::Decryption_with_EME,
333  private RSA_Private_Operation
334  {
335  public:
336 
337  RSA_Decryption_Operation(const RSA_PrivateKey& rsa, const std::string& eme, RandomNumberGenerator& rng) :
338  PK_Ops::Decryption_with_EME(eme),
339  RSA_Private_Operation(rsa, rng)
340  {
341  }
342 
343  size_t plaintext_length(size_t) const override { return m_mod_bytes; }
344 
345  secure_vector<uint8_t> raw_decrypt(const uint8_t msg[], size_t msg_len) override
346  {
347  const BigInt m(msg, msg_len);
348  const BigInt x = blinded_private_op(m);
349  const BigInt c = m_powermod_e_n(x);
350  BOTAN_ASSERT(m == c, "RSA decrypt consistency check");
351  return BigInt::encode_1363(x, m_mod_bytes);
352  }
353  };
354 
355 class RSA_KEM_Decryption_Operation final : public PK_Ops::KEM_Decryption_with_KDF,
356  private RSA_Private_Operation
357  {
358  public:
359 
360  RSA_KEM_Decryption_Operation(const RSA_PrivateKey& key,
361  const std::string& kdf,
362  RandomNumberGenerator& rng) :
363  PK_Ops::KEM_Decryption_with_KDF(kdf),
364  RSA_Private_Operation(key, rng)
365  {}
366 
367  secure_vector<uint8_t>
368  raw_kem_decrypt(const uint8_t encap_key[], size_t len) override
369  {
370  const BigInt m(encap_key, len);
371  const BigInt x = blinded_private_op(m);
372  const BigInt c = m_powermod_e_n(x);
373  BOTAN_ASSERT(m == c, "RSA KEM consistency check");
374  return BigInt::encode_1363(x, m_mod_bytes);
375  }
376  };
377 
378 /**
379 * RSA public (encrypt/verify) operation
380 */
381 class RSA_Public_Operation
382  {
383  public:
384  explicit RSA_Public_Operation(const RSA_PublicKey& rsa) :
385  m_n(rsa.get_n()),
386  m_e(rsa.get_e()),
387  m_monty_n(std::make_shared<Montgomery_Params>(m_n))
388  {}
389 
390  size_t get_max_input_bits() const
391  {
392  const size_t n_bits = m_n.bits();
393  BOTAN_ASSERT_NOMSG(n_bits >= 384);
394  return n_bits - 1;
395  }
396 
397  protected:
398  BigInt public_op(const BigInt& m) const
399  {
400  if(m >= m_n)
401  throw Invalid_Argument("RSA public op - input is too large");
402 
403  const size_t powm_window = 1;
404 
405  auto powm_m_n = monty_precompute(m_monty_n, m, powm_window, false);
406  return monty_execute_vartime(*powm_m_n, m_e);
407  }
408 
409  const BigInt& get_n() const { return m_n; }
410 
411  const BigInt& m_n;
412  const BigInt& m_e;
413  std::shared_ptr<Montgomery_Params> m_monty_n;
414  };
415 
416 class RSA_Encryption_Operation final : public PK_Ops::Encryption_with_EME,
417  private RSA_Public_Operation
418  {
419  public:
420 
421  RSA_Encryption_Operation(const RSA_PublicKey& rsa, const std::string& eme) :
422  PK_Ops::Encryption_with_EME(eme),
423  RSA_Public_Operation(rsa)
424  {
425  }
426 
427  size_t ciphertext_length(size_t) const override { return m_n.bytes(); }
428 
429  size_t max_raw_input_bits() const override { return get_max_input_bits(); }
430 
431  secure_vector<uint8_t> raw_encrypt(const uint8_t msg[], size_t msg_len,
432  RandomNumberGenerator&) override
433  {
434  BigInt m(msg, msg_len);
435  return BigInt::encode_1363(public_op(m), m_n.bytes());
436  }
437  };
438 
439 class RSA_Verify_Operation final : public PK_Ops::Verification_with_EMSA,
440  private RSA_Public_Operation
441  {
442  public:
443 
444  size_t max_input_bits() const override { return get_max_input_bits(); }
445 
446  RSA_Verify_Operation(const RSA_PublicKey& rsa, const std::string& emsa) :
447  PK_Ops::Verification_with_EMSA(emsa),
448  RSA_Public_Operation(rsa)
449  {
450  }
451 
452  bool with_recovery() const override { return true; }
453 
454  secure_vector<uint8_t> verify_mr(const uint8_t msg[], size_t msg_len) override
455  {
456  BigInt m(msg, msg_len);
457  return BigInt::encode_locked(public_op(m));
458  }
459  };
460 
461 class RSA_KEM_Encryption_Operation final : public PK_Ops::KEM_Encryption_with_KDF,
462  private RSA_Public_Operation
463  {
464  public:
465 
466  RSA_KEM_Encryption_Operation(const RSA_PublicKey& key,
467  const std::string& kdf) :
468  PK_Ops::KEM_Encryption_with_KDF(kdf),
469  RSA_Public_Operation(key) {}
470 
471  private:
472  void raw_kem_encrypt(secure_vector<uint8_t>& out_encapsulated_key,
473  secure_vector<uint8_t>& raw_shared_key,
474  Botan::RandomNumberGenerator& rng) override
475  {
476  const BigInt r = BigInt::random_integer(rng, 1, get_n());
477  const BigInt c = public_op(r);
478 
479  out_encapsulated_key = BigInt::encode_locked(c);
480  raw_shared_key = BigInt::encode_locked(r);
481  }
482  };
483 
484 }
485 
486 std::unique_ptr<PK_Ops::Encryption>
488  const std::string& params,
489  const std::string& provider) const
490  {
491 #if defined(BOTAN_HAS_OPENSSL)
492  if(provider == "openssl" || provider.empty())
493  {
494  try
495  {
496  return make_openssl_rsa_enc_op(*this, params);
497  }
498  catch(Exception& e)
499  {
500  /*
501  * If OpenSSL for some reason could not handle this (eg due to OAEP params),
502  * throw if openssl was specifically requested but otherwise just fall back
503  * to the normal version.
504  */
505  if(provider == "openssl")
506  throw Lookup_Error("OpenSSL RSA provider rejected key:" + std::string(e.what()));
507  }
508  }
509 #endif
510 
511  if(provider == "base" || provider.empty())
512  return std::unique_ptr<PK_Ops::Encryption>(new RSA_Encryption_Operation(*this, params));
513  throw Provider_Not_Found(algo_name(), provider);
514  }
515 
516 std::unique_ptr<PK_Ops::KEM_Encryption>
518  const std::string& params,
519  const std::string& provider) const
520  {
521  if(provider == "base" || provider.empty())
522  return std::unique_ptr<PK_Ops::KEM_Encryption>(new RSA_KEM_Encryption_Operation(*this, params));
523  throw Provider_Not_Found(algo_name(), provider);
524  }
525 
526 std::unique_ptr<PK_Ops::Verification>
527 RSA_PublicKey::create_verification_op(const std::string& params,
528  const std::string& provider) const
529  {
530 #if defined(BOTAN_HAS_OPENSSL)
531  if(provider == "openssl" || provider.empty())
532  {
533  std::unique_ptr<PK_Ops::Verification> res = make_openssl_rsa_ver_op(*this, params);
534  if(res)
535  return res;
536  }
537 #endif
538 
539  if(provider == "base" || provider.empty())
540  return std::unique_ptr<PK_Ops::Verification>(new RSA_Verify_Operation(*this, params));
541 
542  throw Provider_Not_Found(algo_name(), provider);
543  }
544 
545 std::unique_ptr<PK_Ops::Decryption>
547  const std::string& params,
548  const std::string& provider) const
549  {
550 #if defined(BOTAN_HAS_OPENSSL)
551  if(provider == "openssl" || provider.empty())
552  {
553  try
554  {
555  return make_openssl_rsa_dec_op(*this, params);
556  }
557  catch(Exception& e)
558  {
559  if(provider == "openssl")
560  throw Lookup_Error("OpenSSL RSA provider rejected key:" + std::string(e.what()));
561  }
562  }
563 #endif
564 
565  if(provider == "base" || provider.empty())
566  return std::unique_ptr<PK_Ops::Decryption>(new RSA_Decryption_Operation(*this, params, rng));
567 
568  throw Provider_Not_Found(algo_name(), provider);
569  }
570 
571 std::unique_ptr<PK_Ops::KEM_Decryption>
573  const std::string& params,
574  const std::string& provider) const
575  {
576  if(provider == "base" || provider.empty())
577  return std::unique_ptr<PK_Ops::KEM_Decryption>(new RSA_KEM_Decryption_Operation(*this, params, rng));
578 
579  throw Provider_Not_Found(algo_name(), provider);
580  }
581 
582 std::unique_ptr<PK_Ops::Signature>
584  const std::string& params,
585  const std::string& provider) const
586  {
587 #if defined(BOTAN_HAS_OPENSSL)
588  if(provider == "openssl" || provider.empty())
589  {
590  std::unique_ptr<PK_Ops::Signature> res = make_openssl_rsa_sig_op(*this, params);
591  if(res)
592  return res;
593  }
594 #endif
595 
596  if(provider == "base" || provider.empty())
597  return std::unique_ptr<PK_Ops::Signature>(new RSA_Signature_Operation(*this, params, rng));
598 
599  throw Provider_Not_Found(algo_name(), provider);
600  }
601 
602 }
BigInt mul_add(const BigInt &a, const BigInt &b, const BigInt &c)
Definition: mp_numth.cpp:30
std::unique_ptr< PK_Ops::Decryption > create_decryption_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const override
Definition: rsa.cpp:546
size_t if_work_factor(size_t bits)
Definition: workfactor.cpp:38
bool check_key(RandomNumberGenerator &rng, bool) const override
Definition: rsa.cpp:72
size_t estimated_strength() const override
Definition: rsa.cpp:36
std::shared_ptr< const Montgomery_Params > m_monty_p
Definition: rsa.cpp:294
size_t key_length() const override
Definition: rsa.cpp:31
Modular_Reducer m_mod_q
Definition: rsa.cpp:293
const BigInt & m_e
Definition: rsa.cpp:412
std::unique_ptr< PK_Ops::KEM_Encryption > create_kem_encryption_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const override
Definition: rsa.cpp:517
secure_vector< uint8_t > private_key_bits() const override
Definition: rsa.cpp:79
size_t bits() const
Definition: bigint.cpp:281
BER_Decoder & decode_and_check(const T &expected, const std::string &error_msg)
Definition: ber_dec.h:277
std::unique_ptr< PK_Ops::KEM_Decryption > create_kem_decryption_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const override
Definition: rsa.cpp:572
int(* final)(unsigned char *, CTX *)
secure_vector< uint8_t > get_contents()
Definition: der_enc.cpp:152
Definition: bigint.h:1125
bool is_prime(const BigInt &n, RandomNumberGenerator &rng, size_t prob, bool is_random)
Definition: numthry.cpp:488
#define BOTAN_ASSERT_NOMSG(expr)
Definition: assert.h:68
BigInt ct_modulo(const BigInt &x, const BigInt &y)
Definition: divide.cpp:118
bool is_even() const
Definition: bigint.h:402
std::string to_string(const BER_Object &obj)
Definition: asn1_obj.cpp:210
Fixed_Exponent_Power_Mod m_powermod_e_n
Definition: rsa.cpp:297
bool is_nonzero() const
Definition: bigint.h:414
static BigInt random_integer(RandomNumberGenerator &rng, const BigInt &min, const BigInt &max)
Definition: big_rand.cpp:45
DER_Encoder & end_cons()
Definition: der_enc.cpp:191
BER_Decoder & decode(bool &out)
Definition: ber_dec.h:170
const char * what() const noexcept override
Definition: exceptn.h:87
BigInt m_e
Definition: rsa.h:78
static secure_vector< uint8_t > encode_locked(const BigInt &n)
Definition: bigint.h:763
#define BOTAN_ASSERT(expr, assertion_made)
Definition: assert.h:55
DER_Encoder & encode(bool b)
Definition: der_enc.cpp:285
BigInt monty_execute_vartime(const Montgomery_Exponentation_State &precomputed_state, const BigInt &k)
Definition: monty_exp.cpp:173
bool signature_consistency_check(RandomNumberGenerator &rng, const Private_Key &private_key, const Public_Key &public_key, const std::string &padding)
Definition: keypair.cpp:49
virtual OID get_oid() const
Definition: pk_keys.cpp:53
const size_t m_max_d2_bits
Definition: rsa.cpp:303
BER_Decoder & end_cons()
Definition: ber_dec.cpp:300
std::shared_ptr< Montgomery_Params > m_monty_n
Definition: rsa.cpp:413
BigInt lcm(const BigInt &a, const BigInt &b)
Definition: numthry.cpp:85
std::vector< uint8_t > public_key_bits() const override
Definition: rsa.cpp:47
const size_t exp_blinding_bits
Definition: rsa.cpp:206
BigInt inverse_mod(const BigInt &n, const BigInt &mod)
Definition: numthry.cpp:290
const size_t m_max_d1_bits
Definition: rsa.cpp:302
std::shared_ptr< const Montgomery_Params > m_monty_q
Definition: rsa.cpp:295
std::string algo_name() const override
Definition: rsa.h:40
secure_vector< uint8_t > decode(DataSource &source, std::string &label)
Definition: pem.cpp:68
BER_Decoder start_cons(ASN1_Tag type_tag, ASN1_Tag class_tag=UNIVERSAL)
Definition: ber_dec.cpp:290
std::shared_ptr< const Montgomery_Exponentation_State > monty_precompute(std::shared_ptr< const Montgomery_Params > params, const BigInt &g, size_t window_bits, bool const_time)
Definition: monty_exp.cpp:159
Definition: alg_id.cpp:13
AlgorithmIdentifier algorithm_identifier() const override
Definition: rsa.cpp:41
std::unique_ptr< PK_Ops::Verification > create_verification_op(const std::string &params, const std::string &provider) const override
Definition: rsa.cpp:527
RSA_PrivateKey(const AlgorithmIdentifier &alg_id, const secure_vector< uint8_t > &key_bits)
Definition: rsa.cpp:96
Blinder m_blinder
Definition: rsa.cpp:298
DER_Encoder & start_cons(ASN1_Tag type_tag, ASN1_Tag class_tag=UNIVERSAL)
Definition: der_enc.cpp:181
static secure_vector< uint8_t > encode_1363(const BigInt &n, size_t bytes)
Definition: big_code.cpp:123
std::unique_ptr< PK_Ops::Encryption > create_encryption_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const override
Definition: rsa.cpp:487
std::vector< T, secure_allocator< T > > secure_vector
Definition: secmem.h:65
bool check_key(RandomNumberGenerator &rng, bool) const override
Definition: rsa.cpp:169
BigInt generate_rsa_prime(RandomNumberGenerator &keygen_rng, RandomNumberGenerator &prime_test_rng, size_t bits, const BigInt &coprime, size_t prob)
Definition: make_prm.cpp:177
BigInt m_n
Definition: rsa.h:78
const size_t m_mod_bits
Definition: rsa.cpp:301
BigInt monty_execute(const Montgomery_Exponentation_State &precomputed_state, const BigInt &k, size_t max_k_bits)
Definition: monty_exp.cpp:167
const size_t m_blinding_bits
Definition: rsa.cpp:299
std::unique_ptr< PK_Ops::Signature > create_signature_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const override
Definition: rsa.cpp:583
const RSA_PrivateKey & m_key
Definition: rsa.cpp:289
const size_t m_mod_bytes
Definition: rsa.cpp:300
const BigInt & m_n
Definition: rsa.cpp:411
Modular_Reducer m_mod_p
Definition: rsa.cpp:292