mirror of
https://github.com/Mbed-TLS/mbedtls.git
synced 2025-01-25 18:35:28 +00:00
c70b982056
A new OID module has been created that contains the main OID searching functionality based on type-dependent arrays. A base type is used to contain the basic values (oid_descriptor_t) and that type is extended to contain type specific information (like a pk_alg_t). As a result the rsa sign and verify function prototypes have changed. They now expect a md_type_t identifier instead of the removed RSA_SIG_XXX defines. All OID definitions have been moved to oid.h All OID matching code is in the OID module. The RSA PKCS#1 functions cleaned up as a result and adapted to use the MD layer. The SSL layer cleanup up as a result and adapted to use the MD layer. The X509 parser cleaned up and matches OIDs in certificates with new module and adapted to use the MD layer. The X509 writer cleaned up and adapted to use the MD layer. Apps and tests modified accordingly
524 lines
20 KiB
C
524 lines
20 KiB
C
/**
|
|
* \file rsa.h
|
|
*
|
|
* \brief The RSA public-key cryptosystem
|
|
*
|
|
* Copyright (C) 2006-2010, Brainspark B.V.
|
|
*
|
|
* This file is part of PolarSSL (http://www.polarssl.org)
|
|
* Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
|
|
*
|
|
* All rights reserved.
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License as published by
|
|
* the Free Software Foundation; either version 2 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License along
|
|
* with this program; if not, write to the Free Software Foundation, Inc.,
|
|
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
*/
|
|
#ifndef POLARSSL_RSA_H
|
|
#define POLARSSL_RSA_H
|
|
|
|
#include "bignum.h"
|
|
#include "md.h"
|
|
|
|
/*
|
|
* RSA Error codes
|
|
*/
|
|
#define POLARSSL_ERR_RSA_BAD_INPUT_DATA -0x4080 /**< Bad input parameters to function. */
|
|
#define POLARSSL_ERR_RSA_INVALID_PADDING -0x4100 /**< Input data contains invalid padding and is rejected. */
|
|
#define POLARSSL_ERR_RSA_KEY_GEN_FAILED -0x4180 /**< Something failed during generation of a key. */
|
|
#define POLARSSL_ERR_RSA_KEY_CHECK_FAILED -0x4200 /**< Key failed to pass the libraries validity check. */
|
|
#define POLARSSL_ERR_RSA_PUBLIC_FAILED -0x4280 /**< The public key operation failed. */
|
|
#define POLARSSL_ERR_RSA_PRIVATE_FAILED -0x4300 /**< The private key operation failed. */
|
|
#define POLARSSL_ERR_RSA_VERIFY_FAILED -0x4380 /**< The PKCS#1 verification failed. */
|
|
#define POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE -0x4400 /**< The output buffer for decryption is not large enough. */
|
|
#define POLARSSL_ERR_RSA_RNG_FAILED -0x4480 /**< The random generator failed to generate non-zeros. */
|
|
|
|
/*
|
|
* RSA constants
|
|
*/
|
|
#define RSA_PUBLIC 0
|
|
#define RSA_PRIVATE 1
|
|
|
|
#define RSA_PKCS_V15 0
|
|
#define RSA_PKCS_V21 1
|
|
|
|
#define RSA_SIGN 1
|
|
#define RSA_CRYPT 2
|
|
|
|
/**
|
|
* \brief RSA context structure
|
|
*/
|
|
typedef struct
|
|
{
|
|
int ver; /*!< always 0 */
|
|
size_t len; /*!< size(N) in chars */
|
|
|
|
mpi N; /*!< public modulus */
|
|
mpi E; /*!< public exponent */
|
|
|
|
mpi D; /*!< private exponent */
|
|
mpi P; /*!< 1st prime factor */
|
|
mpi Q; /*!< 2nd prime factor */
|
|
mpi DP; /*!< D % (P - 1) */
|
|
mpi DQ; /*!< D % (Q - 1) */
|
|
mpi QP; /*!< 1 / (Q % P) */
|
|
|
|
mpi RN; /*!< cached R^2 mod N */
|
|
mpi RP; /*!< cached R^2 mod P */
|
|
mpi RQ; /*!< cached R^2 mod Q */
|
|
|
|
int padding; /*!< RSA_PKCS_V15 for 1.5 padding and
|
|
RSA_PKCS_v21 for OAEP/PSS */
|
|
int hash_id; /*!< Hash identifier of md_type_t as
|
|
specified in the md.h header file
|
|
for the EME-OAEP and EMSA-PSS
|
|
encoding */
|
|
}
|
|
rsa_context;
|
|
|
|
#ifdef __cplusplus
|
|
extern "C" {
|
|
#endif
|
|
|
|
/**
|
|
* \brief Initialize an RSA context
|
|
*
|
|
* Note: Set padding to RSA_PKCS_V21 for the RSAES-OAEP
|
|
* encryption scheme and the RSASSA-PSS signature scheme.
|
|
*
|
|
* \param ctx RSA context to be initialized
|
|
* \param padding RSA_PKCS_V15 or RSA_PKCS_V21
|
|
* \param hash_id RSA_PKCS_V21 hash identifier
|
|
*
|
|
* \note The hash_id parameter is actually ignored
|
|
* when using RSA_PKCS_V15 padding.
|
|
*/
|
|
void rsa_init( rsa_context *ctx,
|
|
int padding,
|
|
int hash_id);
|
|
|
|
/**
|
|
* \brief Generate an RSA keypair
|
|
*
|
|
* \param ctx RSA context that will hold the key
|
|
* \param f_rng RNG function
|
|
* \param p_rng RNG parameter
|
|
* \param nbits size of the public key in bits
|
|
* \param exponent public exponent (e.g., 65537)
|
|
*
|
|
* \note rsa_init() must be called beforehand to setup
|
|
* the RSA context.
|
|
*
|
|
* \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code
|
|
*/
|
|
int rsa_gen_key( rsa_context *ctx,
|
|
int (*f_rng)(void *, unsigned char *, size_t),
|
|
void *p_rng,
|
|
unsigned int nbits, int exponent );
|
|
|
|
/**
|
|
* \brief Check a public RSA key
|
|
*
|
|
* \param ctx RSA context to be checked
|
|
*
|
|
* \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code
|
|
*/
|
|
int rsa_check_pubkey( const rsa_context *ctx );
|
|
|
|
/**
|
|
* \brief Check a private RSA key
|
|
*
|
|
* \param ctx RSA context to be checked
|
|
*
|
|
* \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code
|
|
*/
|
|
int rsa_check_privkey( const rsa_context *ctx );
|
|
|
|
/**
|
|
* \brief Do an RSA public key operation
|
|
*
|
|
* \param ctx RSA context
|
|
* \param input input buffer
|
|
* \param output output buffer
|
|
*
|
|
* \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code
|
|
*
|
|
* \note This function does NOT take care of message
|
|
* padding. Also, be sure to set input[0] = 0 or assure that
|
|
* input is smaller than N.
|
|
*
|
|
* \note The input and output buffers must be large
|
|
* enough (eg. 128 bytes if RSA-1024 is used).
|
|
*/
|
|
int rsa_public( rsa_context *ctx,
|
|
const unsigned char *input,
|
|
unsigned char *output );
|
|
|
|
/**
|
|
* \brief Do an RSA private key operation
|
|
*
|
|
* \param ctx RSA context
|
|
* \param input input buffer
|
|
* \param output output buffer
|
|
*
|
|
* \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code
|
|
*
|
|
* \note The input and output buffers must be large
|
|
* enough (eg. 128 bytes if RSA-1024 is used).
|
|
*/
|
|
int rsa_private( rsa_context *ctx,
|
|
const unsigned char *input,
|
|
unsigned char *output );
|
|
|
|
/**
|
|
* \brief Generic wrapper to perform a PKCS#1 encryption using the
|
|
* mode from the context. Add the message padding, then do an
|
|
* RSA operation.
|
|
*
|
|
* \param ctx RSA context
|
|
* \param f_rng RNG function (Needed for padding and PKCS#1 v2.1 encoding)
|
|
* \param p_rng RNG parameter
|
|
* \param mode RSA_PUBLIC or RSA_PRIVATE
|
|
* \param ilen contains the plaintext length
|
|
* \param input buffer holding the data to be encrypted
|
|
* \param output buffer that will hold the ciphertext
|
|
*
|
|
* \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code
|
|
*
|
|
* \note The output buffer must be as large as the size
|
|
* of ctx->N (eg. 128 bytes if RSA-1024 is used).
|
|
*/
|
|
int rsa_pkcs1_encrypt( rsa_context *ctx,
|
|
int (*f_rng)(void *, unsigned char *, size_t),
|
|
void *p_rng,
|
|
int mode, size_t ilen,
|
|
const unsigned char *input,
|
|
unsigned char *output );
|
|
|
|
/**
|
|
* \brief Perform a PKCS#1 v1.5 encryption (RSAES-PKCS1-v1_5-ENCRYPT)
|
|
*
|
|
* \param ctx RSA context
|
|
* \param f_rng RNG function (Needed for padding)
|
|
* \param p_rng RNG parameter
|
|
* \param mode RSA_PUBLIC or RSA_PRIVATE
|
|
* \param ilen contains the plaintext length
|
|
* \param input buffer holding the data to be encrypted
|
|
* \param output buffer that will hold the ciphertext
|
|
*
|
|
* \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code
|
|
*
|
|
* \note The output buffer must be as large as the size
|
|
* of ctx->N (eg. 128 bytes if RSA-1024 is used).
|
|
*/
|
|
int rsa_rsaes_pkcs1_v15_encrypt( rsa_context *ctx,
|
|
int (*f_rng)(void *, unsigned char *, size_t),
|
|
void *p_rng,
|
|
int mode, size_t ilen,
|
|
const unsigned char *input,
|
|
unsigned char *output );
|
|
|
|
/**
|
|
* \brief Perform a PKCS#1 v2.1 OAEP encryption (RSAES-OAEP-ENCRYPT)
|
|
*
|
|
* \param ctx RSA context
|
|
* \param f_rng RNG function (Needed for padding and PKCS#1 v2.1 encoding)
|
|
* \param p_rng RNG parameter
|
|
* \param mode RSA_PUBLIC or RSA_PRIVATE
|
|
* \param label buffer holding the custom label to use
|
|
* \param label_len contains the label length
|
|
* \param ilen contains the plaintext length
|
|
* \param input buffer holding the data to be encrypted
|
|
* \param output buffer that will hold the ciphertext
|
|
*
|
|
* \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code
|
|
*
|
|
* \note The output buffer must be as large as the size
|
|
* of ctx->N (eg. 128 bytes if RSA-1024 is used).
|
|
*/
|
|
int rsa_rsaes_oaep_encrypt( rsa_context *ctx,
|
|
int (*f_rng)(void *, unsigned char *, size_t),
|
|
void *p_rng,
|
|
int mode,
|
|
const unsigned char *label, size_t label_len,
|
|
size_t ilen,
|
|
const unsigned char *input,
|
|
unsigned char *output );
|
|
|
|
/**
|
|
* \brief Generic wrapper to perform a PKCS#1 decryption using the
|
|
* mode from the context. Do an RSA operation, then remove
|
|
* the message padding
|
|
*
|
|
* \param ctx RSA context
|
|
* \param mode RSA_PUBLIC or RSA_PRIVATE
|
|
* \param olen will contain the plaintext length
|
|
* \param input buffer holding the encrypted data
|
|
* \param output buffer that will hold the plaintext
|
|
* \param output_max_len maximum length of the output buffer
|
|
*
|
|
* \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code
|
|
*
|
|
* \note The output buffer must be as large as the size
|
|
* of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise
|
|
* an error is thrown.
|
|
*/
|
|
int rsa_pkcs1_decrypt( rsa_context *ctx,
|
|
int mode, size_t *olen,
|
|
const unsigned char *input,
|
|
unsigned char *output,
|
|
size_t output_max_len );
|
|
|
|
/**
|
|
* \brief Perform a PKCS#1 v1.5 decryption (RSAES-PKCS1-v1_5-DECRYPT)
|
|
*
|
|
* \param ctx RSA context
|
|
* \param mode RSA_PUBLIC or RSA_PRIVATE
|
|
* \param olen will contain the plaintext length
|
|
* \param input buffer holding the encrypted data
|
|
* \param output buffer that will hold the plaintext
|
|
* \param output_max_len maximum length of the output buffer
|
|
*
|
|
* \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code
|
|
*
|
|
* \note The output buffer must be as large as the size
|
|
* of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise
|
|
* an error is thrown.
|
|
*/
|
|
int rsa_rsaes_pkcs1_v15_decrypt( rsa_context *ctx,
|
|
int mode, size_t *olen,
|
|
const unsigned char *input,
|
|
unsigned char *output,
|
|
size_t output_max_len );
|
|
|
|
/**
|
|
* \brief Perform a PKCS#1 v2.1 OAEP decryption (RSAES-OAEP-DECRYPT)
|
|
*
|
|
* \param ctx RSA context
|
|
* \param mode RSA_PUBLIC or RSA_PRIVATE
|
|
* \param label buffer holding the custom label to use
|
|
* \param label_len contains the label length
|
|
* \param olen will contain the plaintext length
|
|
* \param input buffer holding the encrypted data
|
|
* \param output buffer that will hold the plaintext
|
|
* \param output_max_len maximum length of the output buffer
|
|
*
|
|
* \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code
|
|
*
|
|
* \note The output buffer must be as large as the size
|
|
* of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise
|
|
* an error is thrown.
|
|
*/
|
|
int rsa_rsaes_oaep_decrypt( rsa_context *ctx,
|
|
int mode,
|
|
const unsigned char *label, size_t label_len,
|
|
size_t *olen,
|
|
const unsigned char *input,
|
|
unsigned char *output,
|
|
size_t output_max_len );
|
|
|
|
/**
|
|
* \brief Generic wrapper to perform a PKCS#1 signature using the
|
|
* mode from the context. Do a private RSA operation to sign
|
|
* a message digest
|
|
*
|
|
* \param ctx RSA context
|
|
* \param f_rng RNG function (Needed for PKCS#1 v2.1 encoding)
|
|
* \param p_rng RNG parameter
|
|
* \param mode RSA_PUBLIC or RSA_PRIVATE
|
|
* \param md_alg a POLARSSL_MD_* (use POLARSSL_MD_NONE for signing raw data)
|
|
* \param hashlen message digest length (for POLARSSL_MD_NONE only)
|
|
* \param hash buffer holding the message digest
|
|
* \param sig buffer that will hold the ciphertext
|
|
*
|
|
* \return 0 if the signing operation was successful,
|
|
* or an POLARSSL_ERR_RSA_XXX error code
|
|
*
|
|
* \note The "sig" buffer must be as large as the size
|
|
* of ctx->N (eg. 128 bytes if RSA-1024 is used).
|
|
*
|
|
* \note In case of PKCS#1 v2.1 encoding keep in mind that
|
|
* the hash_id in the RSA context is the one used for the
|
|
* encoding. hash_id in the function call is the type of hash
|
|
* that is encoded. According to RFC 3447 it is advised to
|
|
* keep both hashes the same.
|
|
*/
|
|
int rsa_pkcs1_sign( rsa_context *ctx,
|
|
int (*f_rng)(void *, unsigned char *, size_t),
|
|
void *p_rng,
|
|
int mode,
|
|
md_type_t md_alg,
|
|
unsigned int hashlen,
|
|
const unsigned char *hash,
|
|
unsigned char *sig );
|
|
|
|
/**
|
|
* \brief Perform a PKCS#1 v1.5 signature (RSASSA-PKCS1-v1_5-SIGN)
|
|
*
|
|
* \param ctx RSA context
|
|
* \param mode RSA_PUBLIC or RSA_PRIVATE
|
|
* \param md_alg a POLARSSL_MD_* (use POLARSSL_MD_NONE for signing raw data)
|
|
* \param hashlen message digest length (for POLARSSL_MD_NONE only)
|
|
* \param hash buffer holding the message digest
|
|
* \param sig buffer that will hold the ciphertext
|
|
*
|
|
* \return 0 if the signing operation was successful,
|
|
* or an POLARSSL_ERR_RSA_XXX error code
|
|
*
|
|
* \note The "sig" buffer must be as large as the size
|
|
* of ctx->N (eg. 128 bytes if RSA-1024 is used).
|
|
*/
|
|
int rsa_rsassa_pkcs1_v15_sign( rsa_context *ctx,
|
|
int mode,
|
|
md_type_t md_alg,
|
|
unsigned int hashlen,
|
|
const unsigned char *hash,
|
|
unsigned char *sig );
|
|
|
|
/**
|
|
* \brief Perform a PKCS#1 v2.1 PSS signature (RSASSA-PSS-SIGN)
|
|
*
|
|
* \param ctx RSA context
|
|
* \param f_rng RNG function (Needed for PKCS#1 v2.1 encoding)
|
|
* \param p_rng RNG parameter
|
|
* \param mode RSA_PUBLIC or RSA_PRIVATE
|
|
* \param md_alg a POLARSSL_MD_* (use POLARSSL_MD_NONE for signing raw data)
|
|
* \param hashlen message digest length (for POLARSSL_MD_NONE only)
|
|
* \param hash buffer holding the message digest
|
|
* \param sig buffer that will hold the ciphertext
|
|
*
|
|
* \return 0 if the signing operation was successful,
|
|
* or an POLARSSL_ERR_RSA_XXX error code
|
|
*
|
|
* \note The "sig" buffer must be as large as the size
|
|
* of ctx->N (eg. 128 bytes if RSA-1024 is used).
|
|
*
|
|
* \note In case of PKCS#1 v2.1 encoding keep in mind that
|
|
* the hash_id in the RSA context is the one used for the
|
|
* encoding. hash_id in the function call is the type of hash
|
|
* that is encoded. According to RFC 3447 it is advised to
|
|
* keep both hashes the same.
|
|
*/
|
|
int rsa_rsassa_pss_sign( rsa_context *ctx,
|
|
int (*f_rng)(void *, unsigned char *, size_t),
|
|
void *p_rng,
|
|
int mode,
|
|
md_type_t md_alg,
|
|
unsigned int hashlen,
|
|
const unsigned char *hash,
|
|
unsigned char *sig );
|
|
|
|
/**
|
|
* \brief Generic wrapper to perform a PKCS#1 verification using the
|
|
* mode from the context. Do a public RSA operation and check
|
|
* the message digest
|
|
*
|
|
* \param ctx points to an RSA public key
|
|
* \param mode RSA_PUBLIC or RSA_PRIVATE
|
|
* \param md_alg a POLARSSL_MD_* (use POLARSSL_MD_NONE for signing raw data)
|
|
* \param hashlen message digest length (for POLARSSL_MD_NONE only)
|
|
* \param hash buffer holding the message digest
|
|
* \param sig buffer holding the ciphertext
|
|
*
|
|
* \return 0 if the verify operation was successful,
|
|
* or an POLARSSL_ERR_RSA_XXX error code
|
|
*
|
|
* \note The "sig" buffer must be as large as the size
|
|
* of ctx->N (eg. 128 bytes if RSA-1024 is used).
|
|
*
|
|
* \note In case of PKCS#1 v2.1 encoding keep in mind that
|
|
* the hash_id in the RSA context is the one used for the
|
|
* verification. hash_id in the function call is the type of hash
|
|
* that is verified. According to RFC 3447 it is advised to
|
|
* keep both hashes the same.
|
|
*/
|
|
int rsa_pkcs1_verify( rsa_context *ctx,
|
|
int mode,
|
|
md_type_t md_alg,
|
|
unsigned int hashlen,
|
|
const unsigned char *hash,
|
|
unsigned char *sig );
|
|
|
|
/**
|
|
* \brief Perform a PKCS#1 v1.5 verification (RSASSA-PKCS1-v1_5-VERIFY)
|
|
*
|
|
* \param ctx points to an RSA public key
|
|
* \param mode RSA_PUBLIC or RSA_PRIVATE
|
|
* \param md_alg a POLARSSL_MD_* (use POLARSSL_MD_NONE for signing raw data)
|
|
* \param hashlen message digest length (for POLARSSL_MD_NONE only)
|
|
* \param hash buffer holding the message digest
|
|
* \param sig buffer holding the ciphertext
|
|
*
|
|
* \return 0 if the verify operation was successful,
|
|
* or an POLARSSL_ERR_RSA_XXX error code
|
|
*
|
|
* \note The "sig" buffer must be as large as the size
|
|
* of ctx->N (eg. 128 bytes if RSA-1024 is used).
|
|
*/
|
|
int rsa_rsassa_pkcs1_v15_verify( rsa_context *ctx,
|
|
int mode,
|
|
md_type_t md_alg,
|
|
unsigned int hashlen,
|
|
const unsigned char *hash,
|
|
unsigned char *sig );
|
|
|
|
/**
|
|
* \brief Perform a PKCS#1 v2.1 PSS verification (RSASSA-PSS-VERIFY)
|
|
* \brief Do a public RSA and check the message digest
|
|
*
|
|
* \param ctx points to an RSA public key
|
|
* \param mode RSA_PUBLIC or RSA_PRIVATE
|
|
* \param md_alg a POLARSSL_MD_* (use POLARSSL_MD_NONE for signing raw data)
|
|
* \param hashlen message digest length (for POLARSSL_MD_NONE only)
|
|
* \param hash buffer holding the message digest
|
|
* \param sig buffer holding the ciphertext
|
|
*
|
|
* \return 0 if the verify operation was successful,
|
|
* or an POLARSSL_ERR_RSA_XXX error code
|
|
*
|
|
* \note The "sig" buffer must be as large as the size
|
|
* of ctx->N (eg. 128 bytes if RSA-1024 is used).
|
|
*
|
|
* \note In case of PKCS#1 v2.1 encoding keep in mind that
|
|
* the hash_id in the RSA context is the one used for the
|
|
* verification. hash_id in the function call is the type of hash
|
|
* that is verified. According to RFC 3447 it is advised to
|
|
* keep both hashes the same.
|
|
*/
|
|
int rsa_rsassa_pss_verify( rsa_context *ctx,
|
|
int mode,
|
|
md_type_t md_alg,
|
|
unsigned int hashlen,
|
|
const unsigned char *hash,
|
|
unsigned char *sig );
|
|
|
|
/**
|
|
* \brief Free the components of an RSA key
|
|
*
|
|
* \param ctx RSA Context to free
|
|
*/
|
|
void rsa_free( rsa_context *ctx );
|
|
|
|
/**
|
|
* \brief Checkup routine
|
|
*
|
|
* \return 0 if successful, or 1 if the test failed
|
|
*/
|
|
int rsa_self_test( int verbose );
|
|
|
|
#ifdef __cplusplus
|
|
}
|
|
#endif
|
|
|
|
#endif /* rsa.h */
|