3
* (C) 1999-2010,2015,2016 Jack Lloyd
5
* Botan is released under the Simplified BSD License (see license.txt)
9
#include <botan/internal/pk_ops_impl.h>
10
#include <botan/keypair.h>
11
#include <botan/blinding.h>
12
#include <botan/reducer.h>
13
#include <botan/workfactor.h>
14
#include <botan/der_enc.h>
15
#include <botan/ber_dec.h>
16
#include <botan/pow_mod.h>
18
#if defined(BOTAN_HAS_OPENSSL)
19
#include <botan/internal/openssl.h>
22
#if defined(BOTAN_TARGET_OS_HAS_THREADS)
28
size_t RSA_PublicKey::key_length() const
33
size_t RSA_PublicKey::estimated_strength() const
35
return if_work_factor(key_length());
38
AlgorithmIdentifier RSA_PublicKey::algorithm_identifier() const
40
return AlgorithmIdentifier(get_oid(),
41
AlgorithmIdentifier::USE_NULL_PARAM);
44
std::vector<uint8_t> RSA_PublicKey::public_key_bits() const
51
.get_contents_unlocked();
54
RSA_PublicKey::RSA_PublicKey(const AlgorithmIdentifier&,
55
const std::vector<uint8_t>& key_bits)
65
* Check RSA Public Parameters
67
bool RSA_PublicKey::check_key(RandomNumberGenerator&, bool) const
69
if(m_n < 35 || m_n.is_even() || m_e < 2)
74
secure_vector<uint8_t> RSA_PrivateKey::private_key_bits() const
78
.encode(static_cast<size_t>(0))
91
RSA_PrivateKey::RSA_PrivateKey(const AlgorithmIdentifier&,
92
const secure_vector<uint8_t>& key_bits)
96
.decode_and_check<size_t>(0, "Unknown PKCS #1 key format version")
108
RSA_PrivateKey::RSA_PrivateKey(const BigInt& prime1,
109
const BigInt& prime2,
113
m_d{ d_exp }, m_p{ prime1 }, m_q{ prime2 }, m_d1{}, m_d2{}, m_c{ inverse_mod( m_q, m_p ) }
115
m_n = mod.is_nonzero() ? mod : m_p * m_q;
120
BigInt inv_for_d = lcm(m_p - 1, m_q - 1);
124
m_d = inverse_mod(m_e, inv_for_d);
127
m_d1 = m_d % (m_p - 1);
128
m_d2 = m_d % (m_q - 1);
132
* Create a RSA private key
134
RSA_PrivateKey::RSA_PrivateKey(RandomNumberGenerator& rng,
135
size_t bits, size_t exp)
138
throw Invalid_Argument(algo_name() + ": Can't make a key that is only " +
139
std::to_string(bits) + " bits long");
140
if(exp < 3 || exp % 2 == 0)
141
throw Invalid_Argument(algo_name() + ": Invalid encryption exponent");
147
m_p = random_prime(rng, (bits + 1) / 2, m_e);
148
m_q = random_prime(rng, bits - m_p.bits(), m_e);
150
} while(m_n.bits() != bits);
152
m_d = inverse_mod(m_e, lcm(m_p - 1, m_q - 1));
153
m_d1 = m_d % (m_p - 1);
154
m_d2 = m_d % (m_q - 1);
155
m_c = inverse_mod(m_q, m_p);
159
* Check Private RSA Parameters
161
bool RSA_PrivateKey::check_key(RandomNumberGenerator& rng, bool strong) const
163
if(m_n < 35 || m_n.is_even() || m_e < 2 || m_d < 2 || m_p < 3 || m_q < 3 || m_p*m_q != m_n)
166
if(m_d1 != m_d % (m_p - 1) || m_d2 != m_d % (m_q - 1) || m_c != inverse_mod(m_q, m_p))
169
const size_t prob = (strong) ? 128 : 12;
171
if(!is_prime(m_p, rng, prob) || !is_prime(m_q, rng, prob))
176
if((m_e * m_d) % lcm(m_p - 1, m_q - 1) != 1)
179
return KeyPair::signature_consistency_check(rng, *this, "EMSA4(SHA-256)");
188
* RSA private (decrypt/sign) operation
190
class RSA_Private_Operation
193
size_t get_max_input_bits() const { return (m_n.bits() - 1); }
195
explicit RSA_Private_Operation(const RSA_PrivateKey& rsa, RandomNumberGenerator& rng) :
199
m_powermod_e_n(rsa.get_e(), rsa.get_n()),
200
m_powermod_d1_p(rsa.get_d1(), rsa.get_p()),
201
m_powermod_d2_q(rsa.get_d2(), rsa.get_q()),
202
m_mod_p(rsa.get_p()),
205
[this](const BigInt& k) { return m_powermod_e_n(k); },
206
[this](const BigInt& k) { return inverse_mod(k, m_n); })
210
BigInt blinded_private_op(const BigInt& m) const
213
throw Invalid_Argument("RSA private op - input is too large");
215
return m_blinder.unblind(private_op(m_blinder.blind(m)));
218
BigInt private_op(const BigInt& m) const
220
#if defined(BOTAN_TARGET_OS_HAS_THREADS)
221
auto future_j1 = std::async(std::launch::async, m_powermod_d1_p, m);
222
BigInt j2 = m_powermod_d2_q(m);
223
BigInt j1 = future_j1.get();
225
BigInt j1 = m_powermod_d1_p(m);
226
BigInt j2 = m_powermod_d2_q(m);
229
j1 = m_mod_p.reduce(sub_mul(j1, j2, m_c));
231
return mul_add(j1, m_q, j2);
237
Fixed_Exponent_Power_Mod m_powermod_e_n, m_powermod_d1_p, m_powermod_d2_q;
238
Modular_Reducer m_mod_p;
242
class RSA_Signature_Operation final : public PK_Ops::Signature_with_EMSA,
243
private RSA_Private_Operation
247
size_t max_input_bits() const override { return get_max_input_bits(); }
249
RSA_Signature_Operation(const RSA_PrivateKey& rsa, const std::string& emsa, RandomNumberGenerator& rng) :
250
PK_Ops::Signature_with_EMSA(emsa),
251
RSA_Private_Operation(rsa, rng)
255
secure_vector<uint8_t> raw_sign(const uint8_t msg[], size_t msg_len,
256
RandomNumberGenerator&) override
258
const BigInt m(msg, msg_len);
259
const BigInt x = blinded_private_op(m);
260
const BigInt c = m_powermod_e_n(x);
261
BOTAN_ASSERT(m == c, "RSA sign consistency check");
262
return BigInt::encode_1363(x, m_n.bytes());
266
class RSA_Decryption_Operation final : public PK_Ops::Decryption_with_EME,
267
private RSA_Private_Operation
271
size_t max_raw_input_bits() const override { return get_max_input_bits(); }
273
RSA_Decryption_Operation(const RSA_PrivateKey& rsa, const std::string& eme, RandomNumberGenerator& rng) :
274
PK_Ops::Decryption_with_EME(eme),
275
RSA_Private_Operation(rsa, rng)
279
secure_vector<uint8_t> raw_decrypt(const uint8_t msg[], size_t msg_len) override
281
const BigInt m(msg, msg_len);
282
const BigInt x = blinded_private_op(m);
283
const BigInt c = m_powermod_e_n(x);
284
BOTAN_ASSERT(m == c, "RSA decrypt consistency check");
285
return BigInt::encode_1363(x, m_n.bytes());
289
class RSA_KEM_Decryption_Operation final : public PK_Ops::KEM_Decryption_with_KDF,
290
private RSA_Private_Operation
294
RSA_KEM_Decryption_Operation(const RSA_PrivateKey& key,
295
const std::string& kdf,
296
RandomNumberGenerator& rng) :
297
PK_Ops::KEM_Decryption_with_KDF(kdf),
298
RSA_Private_Operation(key, rng)
301
secure_vector<uint8_t>
302
raw_kem_decrypt(const uint8_t encap_key[], size_t len) override
304
const BigInt m(encap_key, len);
305
const BigInt x = blinded_private_op(m);
306
const BigInt c = m_powermod_e_n(x);
307
BOTAN_ASSERT(m == c, "RSA KEM consistency check");
308
return BigInt::encode_1363(x, m_n.bytes());
313
* RSA public (encrypt/verify) operation
315
class RSA_Public_Operation
318
explicit RSA_Public_Operation(const RSA_PublicKey& rsa) :
319
m_n(rsa.get_n()), m_powermod_e_n(rsa.get_e(), rsa.get_n())
322
size_t get_max_input_bits() const { return (m_n.bits() - 1); }
325
BigInt public_op(const BigInt& m) const
328
throw Invalid_Argument("RSA public op - input is too large");
329
return m_powermod_e_n(m);
332
const BigInt& get_n() const { return m_n; }
335
Fixed_Exponent_Power_Mod m_powermod_e_n;
338
class RSA_Encryption_Operation final : public PK_Ops::Encryption_with_EME,
339
private RSA_Public_Operation
343
RSA_Encryption_Operation(const RSA_PublicKey& rsa, const std::string& eme) :
344
PK_Ops::Encryption_with_EME(eme),
345
RSA_Public_Operation(rsa)
349
size_t max_raw_input_bits() const override { return get_max_input_bits(); }
351
secure_vector<uint8_t> raw_encrypt(const uint8_t msg[], size_t msg_len,
352
RandomNumberGenerator&) override
354
BigInt m(msg, msg_len);
355
return BigInt::encode_1363(public_op(m), m_n.bytes());
359
class RSA_Verify_Operation final : public PK_Ops::Verification_with_EMSA,
360
private RSA_Public_Operation
364
size_t max_input_bits() const override { return get_max_input_bits(); }
366
RSA_Verify_Operation(const RSA_PublicKey& rsa, const std::string& emsa) :
367
PK_Ops::Verification_with_EMSA(emsa),
368
RSA_Public_Operation(rsa)
372
bool with_recovery() const override { return true; }
374
secure_vector<uint8_t> verify_mr(const uint8_t msg[], size_t msg_len) override
376
BigInt m(msg, msg_len);
377
return BigInt::encode_locked(public_op(m));
381
class RSA_KEM_Encryption_Operation final : public PK_Ops::KEM_Encryption_with_KDF,
382
private RSA_Public_Operation
386
RSA_KEM_Encryption_Operation(const RSA_PublicKey& key,
387
const std::string& kdf) :
388
PK_Ops::KEM_Encryption_with_KDF(kdf),
389
RSA_Public_Operation(key) {}
392
void raw_kem_encrypt(secure_vector<uint8_t>& out_encapsulated_key,
393
secure_vector<uint8_t>& raw_shared_key,
394
Botan::RandomNumberGenerator& rng) override
396
const BigInt r = BigInt::random_integer(rng, 1, get_n());
397
const BigInt c = public_op(r);
399
out_encapsulated_key = BigInt::encode_locked(c);
400
raw_shared_key = BigInt::encode_locked(r);
406
std::unique_ptr<PK_Ops::Encryption>
407
RSA_PublicKey::create_encryption_op(RandomNumberGenerator& /*rng*/,
408
const std::string& params,
409
const std::string& provider) const
411
#if defined(BOTAN_HAS_OPENSSL)
412
if(provider == "openssl" || provider.empty())
416
return make_openssl_rsa_enc_op(*this, params);
421
* If OpenSSL for some reason could not handle this (eg due to OAEP params),
422
* throw if openssl was specifically requested but otherwise just fall back
423
* to the normal version.
425
if(provider == "openssl")
426
throw Exception("OpenSSL RSA provider rejected key:", e.what());
431
if(provider == "base" || provider.empty())
432
return std::unique_ptr<PK_Ops::Encryption>(new RSA_Encryption_Operation(*this, params));
433
throw Provider_Not_Found(algo_name(), provider);
436
std::unique_ptr<PK_Ops::KEM_Encryption>
437
RSA_PublicKey::create_kem_encryption_op(RandomNumberGenerator& /*rng*/,
438
const std::string& params,
439
const std::string& provider) const
441
if(provider == "base" || provider.empty())
442
return std::unique_ptr<PK_Ops::KEM_Encryption>(new RSA_KEM_Encryption_Operation(*this, params));
443
throw Provider_Not_Found(algo_name(), provider);
446
std::unique_ptr<PK_Ops::Verification>
447
RSA_PublicKey::create_verification_op(const std::string& params,
448
const std::string& provider) const
450
#if defined(BOTAN_HAS_OPENSSL)
451
if(provider == "openssl" || provider.empty())
453
std::unique_ptr<PK_Ops::Verification> res = make_openssl_rsa_ver_op(*this, params);
459
if(provider == "base" || provider.empty())
460
return std::unique_ptr<PK_Ops::Verification>(new RSA_Verify_Operation(*this, params));
462
throw Provider_Not_Found(algo_name(), provider);
465
std::unique_ptr<PK_Ops::Decryption>
466
RSA_PrivateKey::create_decryption_op(RandomNumberGenerator& rng,
467
const std::string& params,
468
const std::string& provider) const
470
#if defined(BOTAN_HAS_OPENSSL)
471
if(provider == "openssl" || provider.empty())
475
return make_openssl_rsa_dec_op(*this, params);
479
if(provider == "openssl")
480
throw Exception("OpenSSL RSA provider rejected key:", e.what());
485
if(provider == "base" || provider.empty())
486
return std::unique_ptr<PK_Ops::Decryption>(new RSA_Decryption_Operation(*this, params, rng));
488
throw Provider_Not_Found(algo_name(), provider);
491
std::unique_ptr<PK_Ops::KEM_Decryption>
492
RSA_PrivateKey::create_kem_decryption_op(RandomNumberGenerator& rng,
493
const std::string& params,
494
const std::string& provider) const
496
if(provider == "base" || provider.empty())
497
return std::unique_ptr<PK_Ops::KEM_Decryption>(new RSA_KEM_Decryption_Operation(*this, params, rng));
499
throw Provider_Not_Found(algo_name(), provider);
502
std::unique_ptr<PK_Ops::Signature>
503
RSA_PrivateKey::create_signature_op(RandomNumberGenerator& rng,
504
const std::string& params,
505
const std::string& provider) const
507
#if defined(BOTAN_HAS_OPENSSL)
508
if(provider == "openssl" || provider.empty())
510
std::unique_ptr<PK_Ops::Signature> res = make_openssl_rsa_sig_op(*this, params);
516
if(provider == "base" || provider.empty())
517
return std::unique_ptr<PK_Ops::Signature>(new RSA_Signature_Operation(*this, params, rng));
519
throw Provider_Not_Found(algo_name(), provider);