Botan  2.11.0
Crypto and TLS for C++11
rsa.cpp
Go to the documentation of this file.
1 /*
2 * RSA
3 * (C) 1999-2010,2015,2016,2018 Jack Lloyd
4 *
5 * Botan is released under the Simplified BSD License (see license.txt)
6 */
7 
8 #include <botan/rsa.h>
9 #include <botan/internal/pk_ops_impl.h>
10 #include <botan/keypair.h>
11 #include <botan/blinding.h>
12 #include <botan/reducer.h>
13 #include <botan/workfactor.h>
14 #include <botan/der_enc.h>
15 #include <botan/ber_dec.h>
16 #include <botan/pow_mod.h>
17 #include <botan/monty.h>
18 #include <botan/divide.h>
19 #include <botan/internal/monty_exp.h>
20 
21 #if defined(BOTAN_HAS_OPENSSL)
22  #include <botan/internal/openssl.h>
23 #endif
24 
25 #if defined(BOTAN_TARGET_OS_HAS_THREADS)
26  #include <future>
27 #endif
28 
29 namespace Botan {
30 
32  {
33  return m_n.bits();
34  }
35 
37  {
38  return if_work_factor(key_length());
39  }
40 
42  {
45  }
46 
47 std::vector<uint8_t> RSA_PublicKey::public_key_bits() const
48  {
49  std::vector<uint8_t> output;
50  DER_Encoder der(output);
51  der.start_cons(SEQUENCE)
52  .encode(m_n)
53  .encode(m_e)
54  .end_cons();
55 
56  return output;
57  }
58 
60  const std::vector<uint8_t>& key_bits)
61  {
62  BER_Decoder(key_bits)
64  .decode(m_n)
65  .decode(m_e)
66  .end_cons();
67  }
68 
69 /*
70 * Check RSA Public Parameters
71 */
73  {
74  if(m_n < 35 || m_n.is_even() || m_e < 3 || m_e.is_even())
75  return false;
76  return true;
77  }
78 
80  {
81  return DER_Encoder()
83  .encode(static_cast<size_t>(0))
84  .encode(m_n)
85  .encode(m_e)
86  .encode(m_d)
87  .encode(m_p)
88  .encode(m_q)
89  .encode(m_d1)
90  .encode(m_d2)
91  .encode(m_c)
92  .end_cons()
93  .get_contents();
94  }
95 
97  const secure_vector<uint8_t>& key_bits)
98  {
99  BER_Decoder(key_bits)
101  .decode_and_check<size_t>(0, "Unknown PKCS #1 key format version")
102  .decode(m_n)
103  .decode(m_e)
104  .decode(m_d)
105  .decode(m_p)
106  .decode(m_q)
107  .decode(m_d1)
108  .decode(m_d2)
109  .decode(m_c)
110  .end_cons();
111  }
112 
114  const BigInt& prime2,
115  const BigInt& exp,
116  const BigInt& d_exp,
117  const BigInt& mod) :
118  m_d{ d_exp }, m_p{ prime1 }, m_q{ prime2 }, m_d1{}, m_d2{}, m_c{ inverse_mod( m_q, m_p ) }
119  {
120  m_n = mod.is_nonzero() ? mod : m_p * m_q;
121  m_e = exp;
122 
123  if(m_d == 0)
124  {
125  const BigInt phi_n = lcm(m_p - 1, m_q - 1);
126  m_d = inverse_mod(m_e, phi_n);
127  }
128 
129  m_d1 = ct_modulo(m_d, m_p - 1);
130  m_d2 = ct_modulo(m_d, m_q - 1);
131  }
132 
133 /*
134 * Create a RSA private key
135 */
137  size_t bits, size_t exp)
138  {
139  if(bits < 1024)
140  throw Invalid_Argument(algo_name() + ": Can't make a key that is only " +
141  std::to_string(bits) + " bits long");
142  if(exp < 3 || exp % 2 == 0)
143  throw Invalid_Argument(algo_name() + ": Invalid encryption exponent");
144 
145  m_e = exp;
146 
147  const size_t p_bits = (bits + 1) / 2;
148  const size_t q_bits = bits - p_bits;
149 
150  do
151  {
152  m_p = generate_rsa_prime(rng, rng, p_bits, m_e);
153  m_q = generate_rsa_prime(rng, rng, q_bits, m_e);
154  m_n = m_p * m_q;
155  } while(m_n.bits() != bits);
156 
157  // FIXME: lcm calls gcd which is not const time
158  const BigInt phi_n = lcm(m_p - 1, m_q - 1);
159  // FIXME: this uses binary ext gcd because phi_n is even
160  m_d = inverse_mod(m_e, phi_n);
161  m_d1 = ct_modulo(m_d, m_p - 1);
162  m_d2 = ct_modulo(m_d, m_q - 1);
163  m_c = inverse_mod(m_q, m_p);
164  }
165 
166 /*
167 * Check Private RSA Parameters
168 */
170  {
171  if(m_n < 35 || m_n.is_even() || m_e < 3 || m_e.is_even())
172  return false;
173 
174  if(m_d < 2 || m_p < 3 || m_q < 3 || m_p*m_q != m_n)
175  return false;
176 
177  if(m_d1 != ct_modulo(m_d, m_p - 1) || m_d2 != ct_modulo(m_d, m_q - 1) || m_c != inverse_mod(m_q, m_p))
178  return false;
179 
180  const size_t prob = (strong) ? 128 : 12;
181 
182  if(!is_prime(m_p, rng, prob) || !is_prime(m_q, rng, prob))
183  return false;
184 
185  if(strong)
186  {
187  if(ct_modulo(m_e * m_d, lcm(m_p - 1, m_q - 1)) != 1)
188  return false;
189 
190  return KeyPair::signature_consistency_check(rng, *this, "EMSA4(SHA-256)");
191  }
192 
193  return true;
194  }
195 
196 namespace {
197 
198 /**
199 * RSA private (decrypt/sign) operation
200 */
201 class RSA_Private_Operation
202  {
203  protected:
204  size_t get_max_input_bits() const { return (m_mod_bits - 1); }
205 
206  const size_t exp_blinding_bits = 64;
207 
208  explicit RSA_Private_Operation(const RSA_PrivateKey& rsa, RandomNumberGenerator& rng) :
209  m_key(rsa),
210  m_mod_p(m_key.get_p()),
211  m_mod_q(m_key.get_q()),
212  m_monty_p(std::make_shared<Montgomery_Params>(m_key.get_p(), m_mod_p)),
213  m_monty_q(std::make_shared<Montgomery_Params>(m_key.get_q(), m_mod_q)),
214  m_powermod_e_n(m_key.get_e(), m_key.get_n()),
215  m_blinder(m_key.get_n(),
216  rng,
217  [this](const BigInt& k) { return m_powermod_e_n(k); },
218  [this](const BigInt& k) { return inverse_mod(k, m_key.get_n()); }),
219  m_blinding_bits(64),
220  m_mod_bytes(m_key.get_n().bytes()),
221  m_mod_bits(m_key.get_n().bits()),
222  m_max_d1_bits(m_key.get_p().bits() + m_blinding_bits),
223  m_max_d2_bits(m_key.get_q().bits() + m_blinding_bits)
224  {
225  }
226 
227  BigInt blinded_private_op(const BigInt& m) const
228  {
229  if(m >= m_key.get_n())
230  throw Invalid_Argument("RSA private op - input is too large");
231 
232  return m_blinder.unblind(private_op(m_blinder.blind(m)));
233  }
234 
235  BigInt private_op(const BigInt& m) const
236  {
237  /*
238  TODO
239  Consider using Montgomery reduction instead of Barrett, using
240  the "Smooth RSA-CRT" method. https://eprint.iacr.org/2007/039.pdf
241  */
242 
243  const size_t powm_window = 4;
244 
245  const BigInt d1_mask(m_blinder.rng(), m_blinding_bits);
246 
247 #if defined(BOTAN_TARGET_OS_HAS_THREADS) && !defined(BOTAN_HAS_VALGRIND)
248  #define BOTAN_RSA_USE_ASYNC
249 #endif
250 
251 #if defined(BOTAN_RSA_USE_ASYNC)
252  /*
253  * Precompute m.sig_words in the main thread before calling async. Otherwise
254  * the two threads race (during Modular_Reducer::reduce) and while the output
255  * is correct in both threads, helgrind warns.
256  */
257  m.sig_words();
258 
259  auto future_j1 = std::async(std::launch::async, [this, &m, &d1_mask, powm_window]() {
260 #endif
261  const BigInt masked_d1 = m_key.get_d1() + (d1_mask * (m_key.get_p() - 1));
262  auto powm_d1_p = monty_precompute(m_monty_p, m_mod_p.reduce(m), powm_window);
263  BigInt j1 = monty_execute(*powm_d1_p, masked_d1, m_max_d1_bits);
264 
265 #if defined(BOTAN_RSA_USE_ASYNC)
266  return j1;
267  });
268 #endif
269 
270  const BigInt d2_mask(m_blinder.rng(), m_blinding_bits);
271  const BigInt masked_d2 = m_key.get_d2() + (d2_mask * (m_key.get_q() - 1));
272  auto powm_d2_q = monty_precompute(m_monty_q, m_mod_q.reduce(m), powm_window);
273  const BigInt j2 = monty_execute(*powm_d2_q, masked_d2, m_max_d2_bits);
274 
275 #if defined(BOTAN_RSA_USE_ASYNC)
276  BigInt j1 = future_j1.get();
277 #endif
278 
279  /*
280  * To recover the final value from the CRT representation (j1,j2)
281  * we use Garner's algorithm:
282  * c = q^-1 mod p (this is precomputed)
283  * h = c*(j1-j2) mod p
284  * m = j2 + h*q
285  *
286  * We must avoid leaking if j1 >= j2 or not, as doing so allows deriving
287  * information about the secret prime. Do this by first adding p to j1,
288  * which should ensure the subtraction of j2 does not underflow. But
289  * this may still underflow if p and q are imbalanced in size.
290  */
291 
292  j1 = m_mod_p.multiply(m_mod_p.reduce((m_key.get_p() + j1) - j2), m_key.get_c());
293  return mul_add(j1, m_key.get_q(), j2);
294  }
295 
296  const RSA_PrivateKey& m_key;
297 
298  // TODO these could all be computed once and stored in the key object
299  Modular_Reducer m_mod_p;
300  Modular_Reducer m_mod_q;
301  std::shared_ptr<const Montgomery_Params> m_monty_p;
302  std::shared_ptr<const Montgomery_Params> m_monty_q;
303 
304  Fixed_Exponent_Power_Mod m_powermod_e_n;
305  Blinder m_blinder;
306  const size_t m_blinding_bits;
307  const size_t m_mod_bytes;
308  const size_t m_mod_bits;
309  const size_t m_max_d1_bits;
310  const size_t m_max_d2_bits;
311  };
312 
313 class RSA_Signature_Operation final : public PK_Ops::Signature_with_EMSA,
314  private RSA_Private_Operation
315  {
316  public:
317 
318  size_t max_input_bits() const override { return get_max_input_bits(); }
319 
320  size_t signature_length() const override { return m_key.get_n().bytes(); }
321 
322  RSA_Signature_Operation(const RSA_PrivateKey& rsa, const std::string& emsa, RandomNumberGenerator& rng) :
323  PK_Ops::Signature_with_EMSA(emsa),
324  RSA_Private_Operation(rsa, rng)
325  {
326  }
327 
328  secure_vector<uint8_t> raw_sign(const uint8_t msg[], size_t msg_len,
329  RandomNumberGenerator&) override
330  {
331  const BigInt m(msg, msg_len);
332  const BigInt x = blinded_private_op(m);
333  const BigInt c = m_powermod_e_n(x);
334  BOTAN_ASSERT(m == c, "RSA sign consistency check");
335  return BigInt::encode_1363(x, m_mod_bytes);
336  }
337  };
338 
339 class RSA_Decryption_Operation final : public PK_Ops::Decryption_with_EME,
340  private RSA_Private_Operation
341  {
342  public:
343 
344  RSA_Decryption_Operation(const RSA_PrivateKey& rsa, const std::string& eme, RandomNumberGenerator& rng) :
345  PK_Ops::Decryption_with_EME(eme),
346  RSA_Private_Operation(rsa, rng)
347  {
348  }
349 
350  size_t plaintext_length(size_t) const override { return m_mod_bytes; }
351 
352  secure_vector<uint8_t> raw_decrypt(const uint8_t msg[], size_t msg_len) override
353  {
354  const BigInt m(msg, msg_len);
355  const BigInt x = blinded_private_op(m);
356  const BigInt c = m_powermod_e_n(x);
357  BOTAN_ASSERT(m == c, "RSA decrypt consistency check");
358  return BigInt::encode_1363(x, m_mod_bytes);
359  }
360  };
361 
362 class RSA_KEM_Decryption_Operation final : public PK_Ops::KEM_Decryption_with_KDF,
363  private RSA_Private_Operation
364  {
365  public:
366 
367  RSA_KEM_Decryption_Operation(const RSA_PrivateKey& key,
368  const std::string& kdf,
369  RandomNumberGenerator& rng) :
370  PK_Ops::KEM_Decryption_with_KDF(kdf),
371  RSA_Private_Operation(key, rng)
372  {}
373 
374  secure_vector<uint8_t>
375  raw_kem_decrypt(const uint8_t encap_key[], size_t len) override
376  {
377  const BigInt m(encap_key, len);
378  const BigInt x = blinded_private_op(m);
379  const BigInt c = m_powermod_e_n(x);
380  BOTAN_ASSERT(m == c, "RSA KEM consistency check");
381  return BigInt::encode_1363(x, m_mod_bytes);
382  }
383  };
384 
385 /**
386 * RSA public (encrypt/verify) operation
387 */
388 class RSA_Public_Operation
389  {
390  public:
391  explicit RSA_Public_Operation(const RSA_PublicKey& rsa) :
392  m_n(rsa.get_n()),
393  m_e(rsa.get_e()),
394  m_monty_n(std::make_shared<Montgomery_Params>(m_n))
395  {}
396 
397  size_t get_max_input_bits() const
398  {
399  const size_t n_bits = m_n.bits();
400  /*
401  Make Coverity happy that n_bits - 1 won't underflow
402 
403  5 bit minimum: smallest possible RSA key is 3*5
404  */
405  BOTAN_ASSERT_NOMSG(n_bits >= 5);
406  return n_bits - 1;
407  }
408 
409  protected:
410  BigInt public_op(const BigInt& m) const
411  {
412  if(m >= m_n)
413  throw Invalid_Argument("RSA public op - input is too large");
414 
415  const size_t powm_window = 1;
416 
417  auto powm_m_n = monty_precompute(m_monty_n, m, powm_window, false);
418  return monty_execute_vartime(*powm_m_n, m_e);
419  }
420 
421  const BigInt& get_n() const { return m_n; }
422 
423  const BigInt& m_n;
424  const BigInt& m_e;
425  std::shared_ptr<Montgomery_Params> m_monty_n;
426  };
427 
428 class RSA_Encryption_Operation final : public PK_Ops::Encryption_with_EME,
429  private RSA_Public_Operation
430  {
431  public:
432 
433  RSA_Encryption_Operation(const RSA_PublicKey& rsa, const std::string& eme) :
434  PK_Ops::Encryption_with_EME(eme),
435  RSA_Public_Operation(rsa)
436  {
437  }
438 
439  size_t ciphertext_length(size_t) const override { return m_n.bytes(); }
440 
441  size_t max_raw_input_bits() const override { return get_max_input_bits(); }
442 
443  secure_vector<uint8_t> raw_encrypt(const uint8_t msg[], size_t msg_len,
444  RandomNumberGenerator&) override
445  {
446  BigInt m(msg, msg_len);
447  return BigInt::encode_1363(public_op(m), m_n.bytes());
448  }
449  };
450 
451 class RSA_Verify_Operation final : public PK_Ops::Verification_with_EMSA,
452  private RSA_Public_Operation
453  {
454  public:
455 
456  size_t max_input_bits() const override { return get_max_input_bits(); }
457 
458  RSA_Verify_Operation(const RSA_PublicKey& rsa, const std::string& emsa) :
459  PK_Ops::Verification_with_EMSA(emsa),
460  RSA_Public_Operation(rsa)
461  {
462  }
463 
464  bool with_recovery() const override { return true; }
465 
466  secure_vector<uint8_t> verify_mr(const uint8_t msg[], size_t msg_len) override
467  {
468  BigInt m(msg, msg_len);
469  return BigInt::encode_locked(public_op(m));
470  }
471  };
472 
473 class RSA_KEM_Encryption_Operation final : public PK_Ops::KEM_Encryption_with_KDF,
474  private RSA_Public_Operation
475  {
476  public:
477 
478  RSA_KEM_Encryption_Operation(const RSA_PublicKey& key,
479  const std::string& kdf) :
480  PK_Ops::KEM_Encryption_with_KDF(kdf),
481  RSA_Public_Operation(key) {}
482 
483  private:
484  void raw_kem_encrypt(secure_vector<uint8_t>& out_encapsulated_key,
485  secure_vector<uint8_t>& raw_shared_key,
486  Botan::RandomNumberGenerator& rng) override
487  {
488  const BigInt r = BigInt::random_integer(rng, 1, get_n());
489  const BigInt c = public_op(r);
490 
491  out_encapsulated_key = BigInt::encode_locked(c);
492  raw_shared_key = BigInt::encode_locked(r);
493  }
494  };
495 
496 }
497 
498 std::unique_ptr<PK_Ops::Encryption>
500  const std::string& params,
501  const std::string& provider) const
502  {
503 #if defined(BOTAN_HAS_OPENSSL)
504  if(provider == "openssl" || provider.empty())
505  {
506  try
507  {
508  return make_openssl_rsa_enc_op(*this, params);
509  }
510  catch(Exception& e)
511  {
512  /*
513  * If OpenSSL for some reason could not handle this (eg due to OAEP params),
514  * throw if openssl was specifically requested but otherwise just fall back
515  * to the normal version.
516  */
517  if(provider == "openssl")
518  throw Lookup_Error("OpenSSL RSA provider rejected key:" + std::string(e.what()));
519  }
520  }
521 #endif
522 
523  if(provider == "base" || provider.empty())
524  return std::unique_ptr<PK_Ops::Encryption>(new RSA_Encryption_Operation(*this, params));
525  throw Provider_Not_Found(algo_name(), provider);
526  }
527 
528 std::unique_ptr<PK_Ops::KEM_Encryption>
530  const std::string& params,
531  const std::string& provider) const
532  {
533  if(provider == "base" || provider.empty())
534  return std::unique_ptr<PK_Ops::KEM_Encryption>(new RSA_KEM_Encryption_Operation(*this, params));
535  throw Provider_Not_Found(algo_name(), provider);
536  }
537 
538 std::unique_ptr<PK_Ops::Verification>
539 RSA_PublicKey::create_verification_op(const std::string& params,
540  const std::string& provider) const
541  {
542 #if defined(BOTAN_HAS_OPENSSL)
543  if(provider == "openssl" || provider.empty())
544  {
545  std::unique_ptr<PK_Ops::Verification> res = make_openssl_rsa_ver_op(*this, params);
546  if(res)
547  return res;
548  }
549 #endif
550 
551  if(provider == "base" || provider.empty())
552  return std::unique_ptr<PK_Ops::Verification>(new RSA_Verify_Operation(*this, params));
553 
554  throw Provider_Not_Found(algo_name(), provider);
555  }
556 
557 std::unique_ptr<PK_Ops::Decryption>
559  const std::string& params,
560  const std::string& provider) const
561  {
562 #if defined(BOTAN_HAS_OPENSSL)
563  if(provider == "openssl" || provider.empty())
564  {
565  try
566  {
567  return make_openssl_rsa_dec_op(*this, params);
568  }
569  catch(Exception& e)
570  {
571  if(provider == "openssl")
572  throw Lookup_Error("OpenSSL RSA provider rejected key:" + std::string(e.what()));
573  }
574  }
575 #endif
576 
577  if(provider == "base" || provider.empty())
578  return std::unique_ptr<PK_Ops::Decryption>(new RSA_Decryption_Operation(*this, params, rng));
579 
580  throw Provider_Not_Found(algo_name(), provider);
581  }
582 
583 std::unique_ptr<PK_Ops::KEM_Decryption>
585  const std::string& params,
586  const std::string& provider) const
587  {
588  if(provider == "base" || provider.empty())
589  return std::unique_ptr<PK_Ops::KEM_Decryption>(new RSA_KEM_Decryption_Operation(*this, params, rng));
590 
591  throw Provider_Not_Found(algo_name(), provider);
592  }
593 
594 std::unique_ptr<PK_Ops::Signature>
596  const std::string& params,
597  const std::string& provider) const
598  {
599 #if defined(BOTAN_HAS_OPENSSL)
600  if(provider == "openssl" || provider.empty())
601  {
602  std::unique_ptr<PK_Ops::Signature> res = make_openssl_rsa_sig_op(*this, params);
603  if(res)
604  return res;
605  }
606 #endif
607 
608  if(provider == "base" || provider.empty())
609  return std::unique_ptr<PK_Ops::Signature>(new RSA_Signature_Operation(*this, params, rng));
610 
611  throw Provider_Not_Found(algo_name(), provider);
612  }
613 
614 }
BigInt mul_add(const BigInt &a, const BigInt &b, const BigInt &c)
Definition: mp_numth.cpp:30
std::unique_ptr< PK_Ops::Decryption > create_decryption_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const override
Definition: rsa.cpp:558
size_t if_work_factor(size_t bits)
Definition: workfactor.cpp:38
bool check_key(RandomNumberGenerator &rng, bool) const override
Definition: rsa.cpp:72
size_t estimated_strength() const override
Definition: rsa.cpp:36
std::shared_ptr< const Montgomery_Params > m_monty_p
Definition: rsa.cpp:301
size_t key_length() const override
Definition: rsa.cpp:31
Modular_Reducer m_mod_q
Definition: rsa.cpp:300
const BigInt & m_e
Definition: rsa.cpp:424
std::unique_ptr< PK_Ops::KEM_Encryption > create_kem_encryption_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const override
Definition: rsa.cpp:529
secure_vector< uint8_t > private_key_bits() const override
Definition: rsa.cpp:79
size_t bits() const
Definition: bigint.cpp:281
BER_Decoder & decode_and_check(const T &expected, const std::string &error_msg)
Definition: ber_dec.h:277
std::unique_ptr< PK_Ops::KEM_Decryption > create_kem_decryption_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const override
Definition: rsa.cpp:584
int(* final)(unsigned char *, CTX *)
secure_vector< uint8_t > get_contents()
Definition: der_enc.cpp:152
Definition: bigint.h:1136
bool is_prime(const BigInt &n, RandomNumberGenerator &rng, size_t prob, bool is_random)
Definition: numthry.cpp:488
#define BOTAN_ASSERT_NOMSG(expr)
Definition: assert.h:68
BigInt ct_modulo(const BigInt &x, const BigInt &y)
Definition: divide.cpp:118
bool is_even() const
Definition: bigint.h:402
std::string to_string(const BER_Object &obj)
Definition: asn1_obj.cpp:213
Fixed_Exponent_Power_Mod m_powermod_e_n
Definition: rsa.cpp:304
bool is_nonzero() const
Definition: bigint.h:414
static BigInt random_integer(RandomNumberGenerator &rng, const BigInt &min, const BigInt &max)
Definition: big_rand.cpp:45
DER_Encoder & end_cons()
Definition: der_enc.cpp:191
BER_Decoder & decode(bool &out)
Definition: ber_dec.h:170
const char * what() const noexcept override
Definition: exceptn.h:94
BigInt m_e
Definition: rsa.h:78
static secure_vector< uint8_t > encode_locked(const BigInt &n)
Definition: bigint.h:780
#define BOTAN_ASSERT(expr, assertion_made)
Definition: assert.h:55
DER_Encoder & encode(bool b)
Definition: der_enc.cpp:285
BigInt monty_execute_vartime(const Montgomery_Exponentation_State &precomputed_state, const BigInt &k)
Definition: monty_exp.cpp:173
bool signature_consistency_check(RandomNumberGenerator &rng, const Private_Key &private_key, const Public_Key &public_key, const std::string &padding)
Definition: keypair.cpp:49
virtual OID get_oid() const
Definition: pk_keys.cpp:53
const size_t m_max_d2_bits
Definition: rsa.cpp:310
BER_Decoder & end_cons()
Definition: ber_dec.cpp:300
std::shared_ptr< Montgomery_Params > m_monty_n
Definition: rsa.cpp:425
BigInt lcm(const BigInt &a, const BigInt &b)
Definition: numthry.cpp:85
std::vector< uint8_t > public_key_bits() const override
Definition: rsa.cpp:47
const size_t exp_blinding_bits
Definition: rsa.cpp:206
BigInt inverse_mod(const BigInt &n, const BigInt &mod)
Definition: numthry.cpp:290
const size_t m_max_d1_bits
Definition: rsa.cpp:309
std::shared_ptr< const Montgomery_Params > m_monty_q
Definition: rsa.cpp:302
std::string algo_name() const override
Definition: rsa.h:40
secure_vector< uint8_t > decode(DataSource &source, std::string &label)
Definition: pem.cpp:68
BER_Decoder start_cons(ASN1_Tag type_tag, ASN1_Tag class_tag=UNIVERSAL)
Definition: ber_dec.cpp:290
std::shared_ptr< const Montgomery_Exponentation_State > monty_precompute(std::shared_ptr< const Montgomery_Params > params, const BigInt &g, size_t window_bits, bool const_time)
Definition: monty_exp.cpp:159
Definition: alg_id.cpp:13
AlgorithmIdentifier algorithm_identifier() const override
Definition: rsa.cpp:41
std::unique_ptr< PK_Ops::Verification > create_verification_op(const std::string &params, const std::string &provider) const override
Definition: rsa.cpp:539
RSA_PrivateKey(const AlgorithmIdentifier &alg_id, const secure_vector< uint8_t > &key_bits)
Definition: rsa.cpp:96
Blinder m_blinder
Definition: rsa.cpp:305
DER_Encoder & start_cons(ASN1_Tag type_tag, ASN1_Tag class_tag=UNIVERSAL)
Definition: der_enc.cpp:181
static secure_vector< uint8_t > encode_1363(const BigInt &n, size_t bytes)
Definition: big_code.cpp:111
std::unique_ptr< PK_Ops::Encryption > create_encryption_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const override
Definition: rsa.cpp:499
std::vector< T, secure_allocator< T > > secure_vector
Definition: secmem.h:65
bool check_key(RandomNumberGenerator &rng, bool) const override
Definition: rsa.cpp:169
BigInt generate_rsa_prime(RandomNumberGenerator &keygen_rng, RandomNumberGenerator &prime_test_rng, size_t bits, const BigInt &coprime, size_t prob)
Definition: make_prm.cpp:180
BigInt m_n
Definition: rsa.h:78
const size_t m_mod_bits
Definition: rsa.cpp:308
BigInt monty_execute(const Montgomery_Exponentation_State &precomputed_state, const BigInt &k, size_t max_k_bits)
Definition: monty_exp.cpp:167
const size_t m_blinding_bits
Definition: rsa.cpp:306
std::unique_ptr< PK_Ops::Signature > create_signature_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const override
Definition: rsa.cpp:595
const RSA_PrivateKey & m_key
Definition: rsa.cpp:296
const size_t m_mod_bytes
Definition: rsa.cpp:307
const BigInt & m_n
Definition: rsa.cpp:423
Modular_Reducer m_mod_p
Definition: rsa.cpp:299