| // Copyright 2015-2016 Brian Smith. |
| // |
| // Permission to use, copy, modify, and/or distribute this software for any |
| // purpose with or without fee is hereby granted, provided that the above |
| // copyright notice and this permission notice appear in all copies. |
| // |
| // THE SOFTWARE IS PROVIDED "AS IS" AND AND THE AUTHORS DISCLAIM ALL WARRANTIES |
| // WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
| // MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY |
| // SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
| // WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION |
| // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN |
| // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
| |
| // *R* and *r* in Montgomery math refer to different things, so we always use |
| // `R` to refer to *R* to avoid confusion, even when that's against the normal |
| // naming conventions. Also the standard camelCase names are used for |
| // `RSAKeyPair` components. |
| #![allow(non_snake_case)] |
| |
| /// RSA signatures. |
| |
| use {bits, der, error}; |
| use untrusted; |
| |
| #[cfg(feature = "rsa_signing")] |
| use limb; |
| |
| mod padding; |
| |
| // `RSA_PKCS1_SHA1` is intentionally not exposed. |
| #[cfg(feature = "rsa_signing")] |
| pub use self::padding::RSAEncoding; |
| |
| pub use self::padding::{ |
| RSA_PKCS1_SHA256, |
| RSA_PKCS1_SHA384, |
| RSA_PKCS1_SHA512, |
| |
| RSA_PSS_SHA256, |
| RSA_PSS_SHA384, |
| RSA_PSS_SHA512 |
| }; |
| |
| |
| // Maximum RSA modulus size supported for signature verification (in bytes). |
| const PUBLIC_KEY_PUBLIC_MODULUS_MAX_LEN: usize = 8192 / 8; |
| |
| // Keep in sync with the documentation comment for `RSAKeyPair`. |
| #[cfg(feature = "rsa_signing")] |
| const PRIVATE_KEY_PUBLIC_MODULUS_MAX_BITS: bits::BitLength = |
| bits::BitLength(4096); |
| |
| #[cfg(feature = "rsa_signing")] |
| const PRIVATE_KEY_PUBLIC_MODULUS_MAX_LIMBS: usize = |
| (4096 + limb::LIMB_BITS - 1) / limb::LIMB_BITS; |
| |
| |
| /// Parameters for RSA verification. |
| pub struct RSAParameters { |
| padding_alg: &'static padding::RSAVerification, |
| min_bits: bits::BitLength, |
| id: RSAParametersID, |
| } |
| |
| #[allow(non_camel_case_types)] |
| enum RSAParametersID { |
| RSA_PKCS1_2048_8192_SHA1, |
| RSA_PKCS1_2048_8192_SHA256, |
| RSA_PKCS1_2048_8192_SHA384, |
| RSA_PKCS1_2048_8192_SHA512, |
| RSA_PKCS1_3072_8192_SHA384, |
| RSA_PSS_2048_8192_SHA256, |
| RSA_PSS_2048_8192_SHA384, |
| RSA_PSS_2048_8192_SHA512, |
| } |
| |
| fn parse_public_key(input: untrusted::Input) |
| -> Result<(untrusted::Input, untrusted::Input), |
| error::Unspecified> { |
| input.read_all(error::Unspecified, |input| { |
| der::nested(input, der::Tag::Sequence, error::Unspecified, |input| { |
| let n = der::positive_integer(input)?; |
| let e = der::positive_integer(input)?; |
| Ok((n, e)) |
| }) |
| }) |
| } |
| |
| fn check_public_modulus_and_exponent( |
| n: bigint::Positive, e: bigint::Positive, n_min_bits: bits::BitLength, |
| n_max_bits: bits::BitLength, e_min_bits: bits::BitLength) |
| -> Result<(bigint::OddPositive, bigint::PublicExponent), |
| error::Unspecified> { |
| // This is an incomplete implementation of NIST SP800-56Br1 Section |
| // 6.4.2.2, "Partial Public-Key Validation for RSA." That spec defers to |
| // NIST SP800-89 Section 5.3.3, "(Explicit) Partial Public Key Validation |
| // for RSA," "with the caveat that the length of the modulus shall be a |
| // length that is specified in this Recommendation." In SP800-89, two |
| // different sets of steps are given, one set numbered, and one set |
| // lettered. TODO: Document this in the end-user documentation for RSA |
| // keys. |
| |
| // Step 3 / Step c (out of order). |
| let n = n.into_odd_positive()?; |
| let e = e.into_odd_positive()?; |
| |
| // `pkcs1_encode` depends on this not being small. Otherwise, |
| // `pkcs1_encode` would generate padding that is invalid (too few 0xFF |
| // bytes) for very small keys. |
| const N_MIN_BITS: bits::BitLength = bits::BitLength(2048); |
| |
| // Step 1 / Step a. XXX: SP800-56Br1 and SP800-89 require the length of |
| // the public modulus to be exactly 2048 or 3072 bits, but we are more |
| // flexible to be compatible with other commonly-used crypto libraries. |
| assert!(n_min_bits >= N_MIN_BITS); |
| let n_bits = n.bit_length(); |
| let n_bits_rounded_up = |
| bits::BitLength::from_usize_bytes(n_bits.as_usize_bytes_rounded_up())?; |
| if n_bits_rounded_up < n_min_bits { |
| return Err(error::Unspecified); |
| } |
| if n_bits > n_max_bits { |
| return Err(error::Unspecified); |
| } |
| |
| // Step 2 / Step b. NIST SP800-89 defers to FIPS 186-3, which requires |
| // `e > 2**16`, so the requirement is met if and only if `e_min_bits >= 17`. |
| // We enforce this when signing, but are more flexible in verification, for |
| // compatibility. |
| debug_assert!(e_min_bits >= bits::BitLength::from_usize_bits(2)); |
| let e_bits = e.bit_length(); |
| if e_bits < e_min_bits { |
| return Err(error::Unspecified); |
| } |
| |
| // Only small public exponents are supported. |
| let e = e.into_public_exponent()?; |
| |
| // If `n` is less than `e` then somebody has probably accidentally swapped |
| // them. The largest acceptable `e` is smaller than the smallest acceptable |
| // `n`, so no additional checks need to be done. |
| debug_assert!(e_min_bits < bigint::PUBLIC_EXPONENT_MAX_BITS); |
| debug_assert!(bigint::PUBLIC_EXPONENT_MAX_BITS < N_MIN_BITS); |
| |
| // XXX: Steps 4 & 5 / Steps d, e, & f are not implemented. This is also the |
| // case in most other commonly-used crypto libraries. |
| |
| Ok((n, e)) |
| } |
| |
| // Type-level representation of an RSA public modulus *n*. See |
| // `super::bigint`'s modulue-level documentation. |
| pub enum N {} |
| |
| pub mod verification; |
| |
| #[cfg(feature = "rsa_signing")] |
| pub mod signing; |
| |
| mod bigint; |
| |
| #[cfg(feature = "rsa_signing")] |
| mod blinding; |
| |
| #[cfg(feature = "rsa_signing")] |
| mod random; |