Botan 3.4.0
Crypto and TLS for C&
rsa.cpp
Go to the documentation of this file.
1/*
2* RSA
3* (C) 1999-2010,2015,2016,2018,2019,2023 Jack Lloyd
4*
5* Botan is released under the Simplified BSD License (see license.txt)
6*/
7
8#include <botan/rsa.h>
9
10#include <botan/ber_dec.h>
11#include <botan/der_enc.h>
12#include <botan/reducer.h>
13#include <botan/internal/blinding.h>
14#include <botan/internal/divide.h>
15#include <botan/internal/emsa.h>
16#include <botan/internal/fmt.h>
17#include <botan/internal/keypair.h>
18#include <botan/internal/monty.h>
19#include <botan/internal/monty_exp.h>
20#include <botan/internal/parsing.h>
21#include <botan/internal/pk_ops_impl.h>
22#include <botan/internal/pss_params.h>
23#include <botan/internal/workfactor.h>
24
25#if defined(BOTAN_HAS_THREAD_UTILS)
26 #include <botan/internal/thread_pool.h>
27#endif
28
29namespace Botan {
30
31class RSA_Public_Data final {
32 public:
33 RSA_Public_Data(BigInt&& n, BigInt&& e) :
34 m_n(n),
35 m_e(e),
36 m_monty_n(std::make_shared<Montgomery_Params>(m_n)),
37 m_public_modulus_bits(m_n.bits()),
38 m_public_modulus_bytes(m_n.bytes()) {}
39
40 BigInt public_op(const BigInt& m) const {
41 const size_t powm_window = 1;
42 auto powm_m_n = monty_precompute(m_monty_n, m, powm_window, false);
43 return monty_execute_vartime(*powm_m_n, m_e);
44 }
45
46 const BigInt& get_n() const { return m_n; }
47
48 const BigInt& get_e() const { return m_e; }
49
50 size_t public_modulus_bits() const { return m_public_modulus_bits; }
51
52 size_t public_modulus_bytes() const { return m_public_modulus_bytes; }
53
54 private:
55 BigInt m_n;
56 BigInt m_e;
57 std::shared_ptr<const Montgomery_Params> m_monty_n;
58 size_t m_public_modulus_bits;
59 size_t m_public_modulus_bytes;
60};
61
62class RSA_Private_Data final {
63 public:
64 RSA_Private_Data(BigInt&& d, BigInt&& p, BigInt&& q, BigInt&& d1, BigInt&& d2, BigInt&& c) :
65 m_d(d),
66 m_p(p),
67 m_q(q),
68 m_d1(d1),
69 m_d2(d2),
70 m_c(c),
71 m_mod_p(m_p),
72 m_mod_q(m_q),
73 m_monty_p(std::make_shared<Montgomery_Params>(m_p, m_mod_p)),
74 m_monty_q(std::make_shared<Montgomery_Params>(m_q, m_mod_q)),
75 m_p_bits(m_p.bits()),
76 m_q_bits(m_q.bits()) {}
77
78 const BigInt& get_d() const { return m_d; }
79
80 const BigInt& get_p() const { return m_p; }
81
82 const BigInt& get_q() const { return m_q; }
83
84 const BigInt& get_d1() const { return m_d1; }
85
86 const BigInt& get_d2() const { return m_d2; }
87
88 const BigInt& get_c() const { return m_c; }
89
90 const Modular_Reducer& mod_p() const { return m_mod_p; }
91
92 const Modular_Reducer& mod_q() const { return m_mod_q; }
93
94 const std::shared_ptr<const Montgomery_Params>& monty_p() const { return m_monty_p; }
95
96 const std::shared_ptr<const Montgomery_Params>& monty_q() const { return m_monty_q; }
97
98 size_t p_bits() const { return m_p_bits; }
99
100 size_t q_bits() const { return m_q_bits; }
101
102 private:
103 BigInt m_d;
104 BigInt m_p;
105 BigInt m_q;
106 BigInt m_d1;
107 BigInt m_d2;
108 BigInt m_c;
109
110 Modular_Reducer m_mod_p;
111 Modular_Reducer m_mod_q;
112 std::shared_ptr<const Montgomery_Params> m_monty_p;
113 std::shared_ptr<const Montgomery_Params> m_monty_q;
114 size_t m_p_bits;
115 size_t m_q_bits;
116};
117
118std::shared_ptr<const RSA_Public_Data> RSA_PublicKey::public_data() const {
119 return m_public;
120}
121
122const BigInt& RSA_PublicKey::get_int_field(std::string_view field) const {
123 if(field == "n") {
124 return m_public->get_n();
125 } else if(field == "e") {
126 return m_public->get_e();
127 } else {
128 return Public_Key::get_int_field(field);
129 }
130}
131
132std::unique_ptr<Private_Key> RSA_PublicKey::generate_another(RandomNumberGenerator& rng) const {
133 return std::make_unique<RSA_PrivateKey>(rng, m_public->public_modulus_bits(), m_public->get_e().to_u32bit());
134}
135
136const BigInt& RSA_PublicKey::get_n() const {
137 return m_public->get_n();
138}
139
140const BigInt& RSA_PublicKey::get_e() const {
141 return m_public->get_e();
142}
143
144void RSA_PublicKey::init(BigInt&& n, BigInt&& e) {
145 if(n.is_negative() || n.is_even() || n.bits() < 5 /* n >= 3*5 */ || e.is_negative() || e.is_even()) {
146 throw Decoding_Error("Invalid RSA public key parameters");
147 }
148 m_public = std::make_shared<RSA_Public_Data>(std::move(n), std::move(e));
149}
150
151RSA_PublicKey::RSA_PublicKey(const AlgorithmIdentifier& /*unused*/, std::span<const uint8_t> key_bits) {
152 BigInt n, e;
153 BER_Decoder(key_bits).start_sequence().decode(n).decode(e).end_cons();
154
155 init(std::move(n), std::move(e));
156}
157
162
163RSA_PublicKey::RSA_PublicKey(const BigInt& modulus, const BigInt& exponent) {
164 BigInt n = modulus;
165 BigInt e = exponent;
166 init(std::move(n), std::move(e));
167}
168
169size_t RSA_PublicKey::key_length() const {
170 return m_public->public_modulus_bits();
171}
172
176
180
181std::vector<uint8_t> RSA_PublicKey::public_key_bits() const {
182 std::vector<uint8_t> output;
183 DER_Encoder der(output);
184 der.start_sequence().encode(get_n()).encode(get_e()).end_cons();
185
186 return output;
187}
188
189/*
190* Check RSA Public Parameters
191*/
192bool RSA_PublicKey::check_key(RandomNumberGenerator& /*rng*/, bool /*strong*/) const {
193 if(get_n() < 35 || get_n().is_even() || get_e() < 3 || get_e().is_even()) {
194 return false;
195 }
196 return true;
197}
198
199std::shared_ptr<const RSA_Private_Data> RSA_PrivateKey::private_data() const {
200 return m_private;
201}
202
203secure_vector<uint8_t> RSA_PrivateKey::private_key_bits() const {
204 return DER_Encoder()
205 .start_sequence()
206 .encode(static_cast<size_t>(0))
207 .encode(get_n())
208 .encode(get_e())
209 .encode(get_d())
210 .encode(get_p())
211 .encode(get_q())
212 .encode(get_d1())
213 .encode(get_d2())
214 .encode(get_c())
215 .end_cons()
216 .get_contents();
217}
218
219const BigInt& RSA_PrivateKey::get_p() const {
220 return m_private->get_p();
221}
222
223const BigInt& RSA_PrivateKey::get_q() const {
224 return m_private->get_q();
225}
226
227const BigInt& RSA_PrivateKey::get_d() const {
228 return m_private->get_d();
229}
230
231const BigInt& RSA_PrivateKey::get_c() const {
232 return m_private->get_c();
233}
234
235const BigInt& RSA_PrivateKey::get_d1() const {
236 return m_private->get_d1();
237}
238
239const BigInt& RSA_PrivateKey::get_d2() const {
240 return m_private->get_d2();
241}
242
243void RSA_PrivateKey::init(BigInt&& d, BigInt&& p, BigInt&& q, BigInt&& d1, BigInt&& d2, BigInt&& c) {
244 m_private = std::make_shared<RSA_Private_Data>(
245 std::move(d), std::move(p), std::move(q), std::move(d1), std::move(d2), std::move(c));
246}
247
248RSA_PrivateKey::RSA_PrivateKey(const AlgorithmIdentifier& /*unused*/, std::span<const uint8_t> key_bits) {
249 BigInt n, e, d, p, q, d1, d2, c;
250
251 BER_Decoder(key_bits)
252 .start_sequence()
253 .decode_and_check<size_t>(0, "Unknown PKCS #1 key format version")
254 .decode(n)
255 .decode(e)
256 .decode(d)
257 .decode(p)
258 .decode(q)
259 .decode(d1)
260 .decode(d2)
261 .decode(c)
262 .end_cons();
263
264 RSA_PublicKey::init(std::move(n), std::move(e));
265
266 RSA_PrivateKey::init(std::move(d), std::move(p), std::move(q), std::move(d1), std::move(d2), std::move(c));
267}
268
269RSA_PrivateKey::RSA_PrivateKey(
270 const BigInt& prime1, const BigInt& prime2, const BigInt& exp, const BigInt& d_exp, const BigInt& mod) {
271 BigInt p = prime1;
272 BigInt q = prime2;
273 BigInt n = mod;
274 if(n.is_zero()) {
275 n = p * q;
276 }
277
278 BigInt e = exp;
279
280 BigInt d = d_exp;
281
282 const BigInt p_minus_1 = p - 1;
283 const BigInt q_minus_1 = q - 1;
284
285 if(d.is_zero()) {
286 const BigInt phi_n = lcm(p_minus_1, q_minus_1);
287 d = inverse_mod(e, phi_n);
288 }
289
290 BigInt d1 = ct_modulo(d, p_minus_1);
291 BigInt d2 = ct_modulo(d, q_minus_1);
292 BigInt c = inverse_mod(q, p);
293
294 RSA_PublicKey::init(std::move(n), std::move(e));
295
296 RSA_PrivateKey::init(std::move(d), std::move(p), std::move(q), std::move(d1), std::move(d2), std::move(c));
297}
298
299/*
300* Create a RSA private key
301*/
302RSA_PrivateKey::RSA_PrivateKey(RandomNumberGenerator& rng, size_t bits, size_t exp) {
303 if(bits < 1024) {
304 throw Invalid_Argument(fmt("Cannot create an RSA key only {} bits long", bits));
305 }
306
307 if(exp < 3 || exp % 2 == 0) {
308 throw Invalid_Argument("Invalid RSA encryption exponent");
309 }
310
311 const size_t p_bits = (bits + 1) / 2;
312 const size_t q_bits = bits - p_bits;
313
314 BigInt p, q, n;
315 BigInt e = BigInt::from_u64(exp);
316
317 for(size_t attempt = 0;; ++attempt) {
318 if(attempt > 10) {
319 throw Internal_Error("RNG failure during RSA key generation");
320 }
321
322 // TODO could generate primes in thread pool
323 p = generate_rsa_prime(rng, rng, p_bits, e);
324 q = generate_rsa_prime(rng, rng, q_bits, e);
325
326 const BigInt diff = p - q;
327 if(diff.bits() < (bits / 2) - 100) {
328 continue;
329 }
330
331 n = p * q;
332
333 if(n.bits() != bits) {
334 continue;
335 }
336
337 break;
338 }
339
340 const BigInt p_minus_1 = p - 1;
341 const BigInt q_minus_1 = q - 1;
342
343 const BigInt phi_n = lcm(p_minus_1, q_minus_1);
344 // This is guaranteed because p,q == 3 mod 4
345 BOTAN_DEBUG_ASSERT(low_zero_bits(phi_n) == 1);
346
347 BigInt d = inverse_mod(e, phi_n);
348 BigInt d1 = ct_modulo(d, p_minus_1);
349 BigInt d2 = ct_modulo(d, q_minus_1);
350 BigInt c = inverse_mod(q, p);
351
352 RSA_PublicKey::init(std::move(n), std::move(e));
353
354 RSA_PrivateKey::init(std::move(d), std::move(p), std::move(q), std::move(d1), std::move(d2), std::move(c));
355}
356
357const BigInt& RSA_PrivateKey::get_int_field(std::string_view field) const {
358 if(field == "p") {
359 return m_private->get_p();
360 } else if(field == "q") {
361 return m_private->get_q();
362 } else if(field == "d") {
363 return m_private->get_d();
364 } else if(field == "c") {
365 return m_private->get_c();
366 } else if(field == "d1") {
367 return m_private->get_d1();
368 } else if(field == "d2") {
369 return m_private->get_d2();
370 } else {
371 return RSA_PublicKey::get_int_field(field);
372 }
373}
374
375std::unique_ptr<Public_Key> RSA_PrivateKey::public_key() const {
376 return std::make_unique<RSA_PublicKey>(get_n(), get_e());
377}
378
379/*
380* Check Private RSA Parameters
381*/
382bool RSA_PrivateKey::check_key(RandomNumberGenerator& rng, bool strong) const {
383 if(get_n() < 35 || get_n().is_even() || get_e() < 3 || get_e().is_even()) {
384 return false;
385 }
386
387 if(get_d() < 2 || get_p() < 3 || get_q() < 3) {
388 return false;
389 }
390
391 if(get_p() * get_q() != get_n()) {
392 return false;
393 }
394
395 if(get_p() == get_q()) {
396 return false;
397 }
398
399 if(get_d1() != ct_modulo(get_d(), get_p() - 1)) {
400 return false;
401 }
402 if(get_d2() != ct_modulo(get_d(), get_q() - 1)) {
403 return false;
404 }
405 if(get_c() != inverse_mod(get_q(), get_p())) {
406 return false;
407 }
408
409 const size_t prob = (strong) ? 128 : 12;
410
411 if(!is_prime(get_p(), rng, prob)) {
412 return false;
413 }
414 if(!is_prime(get_q(), rng, prob)) {
415 return false;
416 }
417
418 if(strong) {
419 if(ct_modulo(get_e() * get_d(), lcm(get_p() - 1, get_q() - 1)) != 1) {
420 return false;
421 }
422
423 return KeyPair::signature_consistency_check(rng, *this, "EMSA4(SHA-256)");
424 }
425
426 return true;
427}
428
429namespace {
430
431/**
432* RSA private (decrypt/sign) operation
433*/
434class RSA_Private_Operation {
435 protected:
436 size_t public_modulus_bits() const { return m_public->public_modulus_bits(); }
437
438 size_t public_modulus_bytes() const { return m_public->public_modulus_bytes(); }
439
440 explicit RSA_Private_Operation(const RSA_PrivateKey& rsa, RandomNumberGenerator& rng) :
441 m_public(rsa.public_data()),
442 m_private(rsa.private_data()),
443 m_blinder(
444 m_public->get_n(),
445 rng,
446 [this](const BigInt& k) { return m_public->public_op(k); },
447 [this](const BigInt& k) { return inverse_mod(k, m_public->get_n()); }),
448 m_blinding_bits(64),
449 m_max_d1_bits(m_private->p_bits() + m_blinding_bits),
450 m_max_d2_bits(m_private->q_bits() + m_blinding_bits) {}
451
452 void raw_op(std::span<uint8_t> out, std::span<const uint8_t> input) {
453 if(input.size() > public_modulus_bytes()) {
454 throw Decoding_Error("RSA input is too long for this key");
455 }
456 const BigInt input_bn(input.data(), input.size());
457 if(input_bn >= m_public->get_n()) {
458 throw Decoding_Error("RSA input is too large for this key");
459 }
460 // TODO: This should be a function on blinder
461 // BigInt Blinder::run_blinded_function(std::function<BigInt, BigInt> fn, const BigInt& input);
462
463 const BigInt recovered = m_blinder.unblind(rsa_private_op(m_blinder.blind(input_bn)));
464 BOTAN_ASSERT(input_bn == m_public->public_op(recovered), "RSA consistency check");
465 BOTAN_ASSERT(m_public->public_modulus_bytes() == out.size(), "output size check");
466 BigInt::encode_1363(out, recovered);
467 }
468
469 secure_vector<uint8_t> raw_op(const uint8_t input[], size_t input_len) {
470 secure_vector<uint8_t> out(m_public->public_modulus_bytes());
471 raw_op(out, {input, input_len});
472 return out;
473 }
474
475 private:
476 BigInt rsa_private_op(const BigInt& m) const {
477 /*
478 TODO
479 Consider using Montgomery reduction instead of Barrett, using
480 the "Smooth RSA-CRT" method. https://eprint.iacr.org/2007/039.pdf
481 */
482
483 static constexpr size_t powm_window = 4;
484
485 // Compute this in main thread to avoid racing on the rng
486 const BigInt d1_mask(m_blinder.rng(), m_blinding_bits);
487
488#if defined(BOTAN_HAS_THREAD_UTILS) && !defined(BOTAN_HAS_VALGRIND)
489 #define BOTAN_RSA_USE_ASYNC
490#endif
491
492#if defined(BOTAN_RSA_USE_ASYNC)
493 /*
494 * Precompute m.sig_words in the main thread before calling async. Otherwise
495 * the two threads race (during Modular_Reducer::reduce) and while the output
496 * is correct in both threads, helgrind warns.
497 */
498 m.sig_words();
499
500 auto future_j1 = Thread_Pool::global_instance().run([this, &m, &d1_mask]() {
501#endif
502 const BigInt masked_d1 = m_private->get_d1() + (d1_mask * (m_private->get_p() - 1));
503 auto powm_d1_p = monty_precompute(m_private->monty_p(), m_private->mod_p().reduce(m), powm_window);
504 BigInt j1 = monty_execute(*powm_d1_p, masked_d1, m_max_d1_bits);
505
506#if defined(BOTAN_RSA_USE_ASYNC)
507 return j1;
508 });
509#endif
510
511 const BigInt d2_mask(m_blinder.rng(), m_blinding_bits);
512 const BigInt masked_d2 = m_private->get_d2() + (d2_mask * (m_private->get_q() - 1));
513 auto powm_d2_q = monty_precompute(m_private->monty_q(), m_private->mod_q().reduce(m), powm_window);
514 const BigInt j2 = monty_execute(*powm_d2_q, masked_d2, m_max_d2_bits);
515
516#if defined(BOTAN_RSA_USE_ASYNC)
517 BigInt j1 = future_j1.get();
518#endif
519
520 /*
521 * To recover the final value from the CRT representation (j1,j2)
522 * we use Garner's algorithm:
523 * c = q^-1 mod p (this is precomputed)
524 * h = c*(j1-j2) mod p
525 * m = j2 + h*q
526 *
527 * We must avoid leaking if j1 >= j2 or not, as doing so allows deriving
528 * information about the secret prime. Do this by first adding p to j1,
529 * which should ensure the subtraction of j2 does not underflow. But
530 * this may still underflow if p and q are imbalanced in size.
531 */
532
533 j1 =
534 m_private->mod_p().multiply(m_private->mod_p().reduce((m_private->get_p() + j1) - j2), m_private->get_c());
535 return j1 * m_private->get_q() + j2;
536 }
537
538 std::shared_ptr<const RSA_Public_Data> m_public;
539 std::shared_ptr<const RSA_Private_Data> m_private;
540
541 // XXX could the blinder starting pair be shared?
542 Blinder m_blinder;
543 const size_t m_blinding_bits;
544 const size_t m_max_d1_bits;
545 const size_t m_max_d2_bits;
546};
547
548class RSA_Signature_Operation final : public PK_Ops::Signature,
549 private RSA_Private_Operation {
550 public:
551 void update(const uint8_t msg[], size_t msg_len) override { m_emsa->update(msg, msg_len); }
552
553 secure_vector<uint8_t> sign(RandomNumberGenerator& rng) override {
554 const size_t max_input_bits = public_modulus_bits() - 1;
555 const auto msg = m_emsa->raw_data();
556 const auto padded = m_emsa->encoding_of(msg, max_input_bits, rng);
557 return raw_op(padded.data(), padded.size());
558 }
559
560 size_t signature_length() const override { return public_modulus_bytes(); }
561
562 AlgorithmIdentifier algorithm_identifier() const override;
563
564 std::string hash_function() const override { return m_emsa->hash_function(); }
565
566 RSA_Signature_Operation(const RSA_PrivateKey& rsa, std::string_view padding, RandomNumberGenerator& rng) :
567 RSA_Private_Operation(rsa, rng), m_emsa(EMSA::create_or_throw(padding)) {}
568
569 private:
570 std::unique_ptr<EMSA> m_emsa;
571};
572
573AlgorithmIdentifier RSA_Signature_Operation::algorithm_identifier() const {
574 const std::string emsa_name = m_emsa->name();
575
576 try {
577 const std::string full_name = "RSA/" + emsa_name;
578 const OID oid = OID::from_string(full_name);
579 return AlgorithmIdentifier(oid, AlgorithmIdentifier::USE_EMPTY_PARAM);
580 } catch(Lookup_Error&) {}
581
582 if(emsa_name.starts_with("EMSA4(")) {
583 auto parameters = PSS_Params::from_emsa_name(m_emsa->name()).serialize();
584 return AlgorithmIdentifier("RSA/EMSA4", parameters);
585 }
586
587 throw Not_Implemented("No algorithm identifier defined for RSA with " + emsa_name);
588}
589
590class RSA_Decryption_Operation final : public PK_Ops::Decryption_with_EME,
591 private RSA_Private_Operation {
592 public:
593 RSA_Decryption_Operation(const RSA_PrivateKey& rsa, std::string_view eme, RandomNumberGenerator& rng) :
594 PK_Ops::Decryption_with_EME(eme), RSA_Private_Operation(rsa, rng) {}
595
596 size_t plaintext_length(size_t /*ctext_len*/) const override { return public_modulus_bytes(); }
597
598 secure_vector<uint8_t> raw_decrypt(const uint8_t input[], size_t input_len) override {
599 return raw_op(input, input_len);
600 }
601};
602
603class RSA_KEM_Decryption_Operation final : public PK_Ops::KEM_Decryption_with_KDF,
604 private RSA_Private_Operation {
605 public:
606 RSA_KEM_Decryption_Operation(const RSA_PrivateKey& key, std::string_view kdf, RandomNumberGenerator& rng) :
607 PK_Ops::KEM_Decryption_with_KDF(kdf), RSA_Private_Operation(key, rng) {}
608
609 size_t raw_kem_shared_key_length() const override { return public_modulus_bytes(); }
610
611 size_t encapsulated_key_length() const override { return public_modulus_bytes(); }
612
613 void raw_kem_decrypt(std::span<uint8_t> out_shared_key, std::span<const uint8_t> encapsulated_key) override {
614 raw_op(out_shared_key, encapsulated_key);
615 }
616};
617
618/**
619* RSA public (encrypt/verify) operation
620*/
621class RSA_Public_Operation {
622 public:
623 explicit RSA_Public_Operation(const RSA_PublicKey& rsa) : m_public(rsa.public_data()) {}
624
625 size_t public_modulus_bits() const { return m_public->public_modulus_bits(); }
626
627 protected:
628 BigInt public_op(const BigInt& m) const {
629 if(m >= m_public->get_n()) {
630 throw Decoding_Error("RSA public op - input is too large");
631 }
632
633 return m_public->public_op(m);
634 }
635
636 size_t public_modulus_bytes() const { return m_public->public_modulus_bytes(); }
637
638 const BigInt& get_n() const { return m_public->get_n(); }
639
640 private:
641 std::shared_ptr<const RSA_Public_Data> m_public;
642};
643
644class RSA_Encryption_Operation final : public PK_Ops::Encryption_with_EME,
645 private RSA_Public_Operation {
646 public:
647 RSA_Encryption_Operation(const RSA_PublicKey& rsa, std::string_view eme) :
648 PK_Ops::Encryption_with_EME(eme), RSA_Public_Operation(rsa) {}
649
650 size_t ciphertext_length(size_t /*ptext_len*/) const override { return public_modulus_bytes(); }
651
652 size_t max_ptext_input_bits() const override { return public_modulus_bits() - 1; }
653
654 secure_vector<uint8_t> raw_encrypt(const uint8_t input[],
655 size_t input_len,
656 RandomNumberGenerator& /*rng*/) override {
657 BigInt input_bn(input, input_len);
658 return BigInt::encode_1363(public_op(input_bn), public_modulus_bytes());
659 }
660};
661
662class RSA_Verify_Operation final : public PK_Ops::Verification,
663 private RSA_Public_Operation {
664 public:
665 void update(const uint8_t msg[], size_t msg_len) override { m_emsa->update(msg, msg_len); }
666
667 bool is_valid_signature(const uint8_t sig[], size_t sig_len) override {
668 const auto msg = m_emsa->raw_data();
669 const auto message_repr = recover_message_repr(sig, sig_len);
670 return m_emsa->verify(message_repr, msg, public_modulus_bits() - 1);
671 }
672
673 RSA_Verify_Operation(const RSA_PublicKey& rsa, std::string_view padding) :
674 RSA_Public_Operation(rsa), m_emsa(EMSA::create_or_throw(padding)) {}
675
676 std::string hash_function() const override { return m_emsa->hash_function(); }
677
678 private:
679 std::vector<uint8_t> recover_message_repr(const uint8_t input[], size_t input_len) {
680 if(input_len > public_modulus_bytes()) {
681 throw Decoding_Error("RSA signature too large to be valid for this key");
682 }
683 BigInt input_bn(input, input_len);
684 return BigInt::encode(public_op(input_bn));
685 }
686
687 std::unique_ptr<EMSA> m_emsa;
688};
689
690class RSA_KEM_Encryption_Operation final : public PK_Ops::KEM_Encryption_with_KDF,
691 private RSA_Public_Operation {
692 public:
693 RSA_KEM_Encryption_Operation(const RSA_PublicKey& key, std::string_view kdf) :
694 PK_Ops::KEM_Encryption_with_KDF(kdf), RSA_Public_Operation(key) {}
695
696 private:
697 size_t raw_kem_shared_key_length() const override { return public_modulus_bytes(); }
698
699 size_t encapsulated_key_length() const override { return public_modulus_bytes(); }
700
701 void raw_kem_encrypt(std::span<uint8_t> out_encapsulated_key,
702 std::span<uint8_t> raw_shared_key,
703 RandomNumberGenerator& rng) override {
704 const BigInt r = BigInt::random_integer(rng, 1, get_n());
705 const BigInt c = public_op(r);
706
707 BigInt::encode_1363(out_encapsulated_key, c);
708 BigInt::encode_1363(raw_shared_key, r);
709 }
710};
711
712} // namespace
713
714std::unique_ptr<PK_Ops::Encryption> RSA_PublicKey::create_encryption_op(RandomNumberGenerator& /*rng*/,
715 std::string_view params,
716 std::string_view provider) const {
717 if(provider == "base" || provider.empty()) {
718 return std::make_unique<RSA_Encryption_Operation>(*this, params);
719 }
720 throw Provider_Not_Found(algo_name(), provider);
721}
722
723std::unique_ptr<PK_Ops::KEM_Encryption> RSA_PublicKey::create_kem_encryption_op(std::string_view params,
724 std::string_view provider) const {
725 if(provider == "base" || provider.empty()) {
726 return std::make_unique<RSA_KEM_Encryption_Operation>(*this, params);
727 }
728 throw Provider_Not_Found(algo_name(), provider);
729}
730
731std::unique_ptr<PK_Ops::Verification> RSA_PublicKey::create_verification_op(std::string_view params,
732 std::string_view provider) const {
733 if(provider == "base" || provider.empty()) {
734 return std::make_unique<RSA_Verify_Operation>(*this, params);
735 }
736
737 throw Provider_Not_Found(algo_name(), provider);
738}
739
740namespace {
741
742std::string parse_rsa_signature_algorithm(const AlgorithmIdentifier& alg_id) {
743 const auto sig_info = split_on(alg_id.oid().to_formatted_string(), '/');
744
745 if(sig_info.empty() || sig_info.size() != 2 || sig_info[0] != "RSA") {
746 throw Decoding_Error("Unknown AlgorithmIdentifier for RSA X.509 signatures");
747 }
748
749 std::string padding = sig_info[1];
750
751 if(padding == "EMSA4") {
752 // "MUST contain RSASSA-PSS-params"
753 if(alg_id.parameters().empty()) {
754 throw Decoding_Error("PSS params must be provided");
755 }
756
757 PSS_Params pss_params(alg_id.parameters());
758
759 // hash_algo must be SHA1, SHA2-224, SHA2-256, SHA2-384 or SHA2-512
760 const std::string hash_algo = pss_params.hash_function();
761 if(hash_algo != "SHA-1" && hash_algo != "SHA-224" && hash_algo != "SHA-256" && hash_algo != "SHA-384" &&
762 hash_algo != "SHA-512") {
763 throw Decoding_Error("Unacceptable hash for PSS signatures");
764 }
765
766 if(pss_params.mgf_function() != "MGF1") {
767 throw Decoding_Error("Unacceptable MGF for PSS signatures");
768 }
769
770 // For MGF1, it is strongly RECOMMENDED that the underlying hash
771 // function be the same as the one identified by hashAlgorithm
772 //
773 // Must be SHA1, SHA2-224, SHA2-256, SHA2-384 or SHA2-512
774 if(pss_params.hash_algid() != pss_params.mgf_hash_algid()) {
775 throw Decoding_Error("Unacceptable MGF hash for PSS signatures");
776 }
777
778 if(pss_params.trailer_field() != 1) {
779 throw Decoding_Error("Unacceptable trailer field for PSS signatures");
780 }
781
782 padding += fmt("({},MGF1,{})", hash_algo, pss_params.salt_length());
783 }
784
785 return padding;
786}
787
788} // namespace
789
790std::unique_ptr<PK_Ops::Verification> RSA_PublicKey::create_x509_verification_op(const AlgorithmIdentifier& alg_id,
791 std::string_view provider) const {
792 if(provider == "base" || provider.empty()) {
793 return std::make_unique<RSA_Verify_Operation>(*this, parse_rsa_signature_algorithm(alg_id));
794 }
795
796 throw Provider_Not_Found(algo_name(), provider);
797}
798
799std::unique_ptr<PK_Ops::Decryption> RSA_PrivateKey::create_decryption_op(RandomNumberGenerator& rng,
800 std::string_view params,
801 std::string_view provider) const {
802 if(provider == "base" || provider.empty()) {
803 return std::make_unique<RSA_Decryption_Operation>(*this, params, rng);
804 }
805
806 throw Provider_Not_Found(algo_name(), provider);
807}
808
809std::unique_ptr<PK_Ops::KEM_Decryption> RSA_PrivateKey::create_kem_decryption_op(RandomNumberGenerator& rng,
810 std::string_view params,
811 std::string_view provider) const {
812 if(provider == "base" || provider.empty()) {
813 return std::make_unique<RSA_KEM_Decryption_Operation>(*this, params, rng);
814 }
815
816 throw Provider_Not_Found(algo_name(), provider);
817}
818
819std::unique_ptr<PK_Ops::Signature> RSA_PrivateKey::create_signature_op(RandomNumberGenerator& rng,
820 std::string_view params,
821 std::string_view provider) const {
822 if(provider == "base" || provider.empty()) {
823 return std::make_unique<RSA_Signature_Operation>(*this, params, rng);
824 }
825
826 throw Provider_Not_Found(algo_name(), provider);
827}
828
829} // namespace Botan
BOTAN_DEBUG_ASSERT
#define BOTAN_DEBUG_ASSERT(expr)
Definition assert.h:98
BOTAN_ASSERT
#define BOTAN_ASSERT(expr, assertion_made)
Definition assert.h:50
Botan::AlgorithmIdentifier::parameters
const std::vector< uint8_t > & parameters() const
Definition asn1_obj.h:457
Botan::AlgorithmIdentifier::oid
const OID & oid() const
Definition asn1_obj.h:455
Botan::Asymmetric_Key::get_int_field
virtual const BigInt & get_int_field(std::string_view field) const
Definition pk_keys.cpp:18
Botan::Asymmetric_Key::object_identifier
virtual OID object_identifier() const
Definition pk_keys.cpp:22
Botan::BER_Decoder
Definition ber_dec.h:22
Botan::BER_Decoder::decode
BER_Decoder & decode(bool &out)
Definition ber_dec.h:176
Botan::BER_Decoder::end_cons
BER_Decoder & end_cons()
Definition ber_dec.cpp:295
Botan::BER_Decoder::start_sequence
BER_Decoder start_sequence()
Definition ber_dec.h:113
Botan::BER_Decoder::decode_and_check
BER_Decoder & decode_and_check(const T &expected, std::string_view error_msg)
Definition ber_dec.h:257
Botan::BigInt::bits
size_t bits() const
Definition bigint.cpp:290
Botan::BigInt::from_u64
static BigInt from_u64(uint64_t n)
Definition bigint.cpp:28
Botan::BigInt::encode_1363
static secure_vector< uint8_t > encode_1363(const BigInt &n, size_t bytes)
Definition big_code.cpp:105
Botan::BigInt::is_zero
bool is_zero() const
Definition bigint.h:428
Botan::DER_Encoder
Definition der_enc.h:22
Botan::DER_Encoder::get_contents
secure_vector< uint8_t > get_contents()
Definition der_enc.cpp:132
Botan::DER_Encoder::start_sequence
DER_Encoder & start_sequence()
Definition der_enc.h:65
Botan::DER_Encoder::end_cons
DER_Encoder & end_cons()
Definition der_enc.cpp:171
Botan::DER_Encoder::encode
DER_Encoder & encode(bool b)
Definition der_enc.cpp:250
Botan::Decoding_Error
Definition exceptn.h:191
Botan::Internal_Error
Definition exceptn.h:321
Botan::Invalid_Argument
Definition exceptn.h:131
Botan::OID::to_formatted_string
std::string to_formatted_string() const
Definition asn1_oid.cpp:114
Botan::Provider_Not_Found
Definition exceptn.h:262
Botan::RSA_PrivateKey::get_q
const BigInt & get_q() const
Definition rsa.cpp:223
Botan::RSA_PrivateKey::get_int_field
const BigInt & get_int_field(std::string_view field) const override
Definition rsa.cpp:357
Botan::RSA_PrivateKey::private_data
std::shared_ptr< const RSA_Private_Data > private_data() const
Definition rsa.cpp:199
Botan::RSA_PrivateKey::create_decryption_op
std::unique_ptr< PK_Ops::Decryption > create_decryption_op(RandomNumberGenerator &rng, std::string_view params, std::string_view provider) const override
Definition rsa.cpp:799
Botan::RSA_PrivateKey::get_c
const BigInt & get_c() const
Definition rsa.cpp:231
Botan::RSA_PrivateKey::create_signature_op
std::unique_ptr< PK_Ops::Signature > create_signature_op(RandomNumberGenerator &rng, std::string_view params, std::string_view provider) const override
Definition rsa.cpp:819
Botan::RSA_PrivateKey::RSA_PrivateKey
RSA_PrivateKey(const AlgorithmIdentifier &alg_id, std::span< const uint8_t > key_bits)
Definition rsa.cpp:248
Botan::RSA_PrivateKey::get_p
const BigInt & get_p() const
Definition rsa.cpp:219
Botan::RSA_PrivateKey::get_d2
const BigInt & get_d2() const
Definition rsa.cpp:239
Botan::RSA_PrivateKey::check_key
bool check_key(RandomNumberGenerator &rng, bool) const override
Definition rsa.cpp:382
Botan::RSA_PrivateKey::get_d
const BigInt & get_d() const
Definition rsa.cpp:227
Botan::RSA_PrivateKey::private_key_bits
secure_vector< uint8_t > private_key_bits() const override
Definition rsa.cpp:203
Botan::RSA_PrivateKey::create_kem_decryption_op
std::unique_ptr< PK_Ops::KEM_Decryption > create_kem_decryption_op(RandomNumberGenerator &rng, std::string_view params, std::string_view provider) const override
Definition rsa.cpp:809
Botan::RSA_PrivateKey::public_key
std::unique_ptr< Public_Key > public_key() const override
Definition rsa.cpp:375
Botan::RSA_PrivateKey::get_d1
const BigInt & get_d1() const
Definition rsa.cpp:235
Botan::RSA_PublicKey::create_encryption_op
std::unique_ptr< PK_Ops::Encryption > create_encryption_op(RandomNumberGenerator &rng, std::string_view params, std::string_view provider) const override
Definition rsa.cpp:714
Botan::RSA_PublicKey::init
void init(BigInt &&n, BigInt &&e)
Definition rsa.cpp:144
Botan::RSA_PublicKey::key_length
size_t key_length() const override
Definition rsa.cpp:169
Botan::RSA_PublicKey::create_verification_op
std::unique_ptr< PK_Ops::Verification > create_verification_op(std::string_view params, std::string_view provider) const override
Definition rsa.cpp:731
Botan::RSA_PublicKey::create_x509_verification_op
std::unique_ptr< PK_Ops::Verification > create_x509_verification_op(const AlgorithmIdentifier &alg_id, std::string_view provider) const override
Definition rsa.cpp:790
Botan::RSA_PublicKey::get_int_field
const BigInt & get_int_field(std::string_view field) const override
Definition rsa.cpp:122
Botan::RSA_PublicKey::get_n
const BigInt & get_n() const
Definition rsa.cpp:136
Botan::RSA_PublicKey::RSA_PublicKey
RSA_PublicKey()=default
Botan::RSA_PublicKey::estimated_strength
size_t estimated_strength() const override
Definition rsa.cpp:173
Botan::RSA_PublicKey::create_kem_encryption_op
std::unique_ptr< PK_Ops::KEM_Encryption > create_kem_encryption_op(std::string_view params, std::string_view provider) const override
Definition rsa.cpp:723
Botan::RSA_PublicKey::generate_another
std::unique_ptr< Private_Key > generate_another(RandomNumberGenerator &rng) const override
Definition rsa.cpp:132
Botan::RSA_PublicKey::algorithm_identifier
AlgorithmIdentifier algorithm_identifier() const override
Definition rsa.cpp:177
Botan::RSA_PublicKey::public_key_bits
std::vector< uint8_t > public_key_bits() const override
Definition rsa.cpp:181
Botan::RSA_PublicKey::m_public
std::shared_ptr< const RSA_Public_Data > m_public
Definition rsa.h:89
Botan::RSA_PublicKey::public_data
std::shared_ptr< const RSA_Public_Data > public_data() const
Definition rsa.cpp:118
Botan::RSA_PublicKey::get_e
const BigInt & get_e() const
Definition rsa.cpp:140
Botan::RSA_PublicKey::supports_operation
bool supports_operation(PublicKeyOperation op) const override
Definition rsa.cpp:158
Botan::RSA_PublicKey::check_key
bool check_key(RandomNumberGenerator &rng, bool) const override
Definition rsa.cpp:192
Botan::Thread_Pool::run
auto run(F &&f, Args &&... args) -> std::future< typename std::invoke_result< F, Args... >::type >
Definition thread_pool.h:66
Botan::Thread_Pool::global_instance
static Thread_Pool & global_instance()
Definition thread_pool.cpp:45
init
int(* init)(CTX *)
Definition commoncrypto_hash.cpp:27
update
int(* update)(CTX *, const void *, CC_LONG len)
Definition commoncrypto_hash.cpp:28
final
int(* final)(unsigned char *, CTX *)
Definition commoncrypto_hash.cpp:29
Botan::KeyPair::signature_consistency_check
bool signature_consistency_check(RandomNumberGenerator &rng, const Private_Key &private_key, const Public_Key &public_key, std::string_view padding)
Definition keypair.cpp:49
Botan::PublicKeyOperation
PublicKeyOperation
Definition pk_keys.h:45
Botan::fmt
std::string fmt(std::string_view format, const T &... args)
Definition fmt.h:53
Botan::lcm
BigInt lcm(const BigInt &a, const BigInt &b)
Definition numthry.cpp:272
Botan::split_on
std::vector< std::string > split_on(std::string_view str, char delim)
Definition parsing.cpp:111
Botan::low_zero_bits
size_t low_zero_bits(const BigInt &n)
Definition numthry.cpp:167
Botan::is_prime
bool is_prime(const BigInt &n, RandomNumberGenerator &rng, size_t prob, bool is_random)
Definition numthry.cpp:357
Botan::ct_modulo
BigInt ct_modulo(const BigInt &x, const BigInt &y)
Definition divide.cpp:117
Botan::generate_rsa_prime
BigInt generate_rsa_prime(RandomNumberGenerator &keygen_rng, RandomNumberGenerator &prime_test_rng, size_t bits, const BigInt &coprime, size_t prob)
Definition make_prm.cpp:211
Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:61
Botan::monty_execute_vartime
BigInt monty_execute_vartime(const Montgomery_Exponentation_State &precomputed_state, const BigInt &k)
Definition monty_exp.cpp:154
Botan::if_work_factor
size_t if_work_factor(size_t bits)
Definition workfactor.cpp:36
Botan::inverse_mod
BigInt inverse_mod(const BigInt &n, const BigInt &mod)
Definition mod_inv.cpp:178
Botan::monty_execute
BigInt monty_execute(const Montgomery_Exponentation_State &precomputed_state, const BigInt &k, size_t max_k_bits)
Definition monty_exp.cpp:150
Botan::monty_precompute
std::shared_ptr< const Montgomery_Exponentation_State > monty_precompute(const std::shared_ptr< const Montgomery_Params > &params, const BigInt &g, size_t window_bits, bool const_time)
Definition monty_exp.cpp:145
Generated by doxygen 1.10.0