include/nettle/rsa.h

0001 /* rsa.h
0002
0003    The RSA publickey algorithm.
0004
0005    Copyright (C) 2001, 2002 Niels Möller
0006
0007    This file is part of GNU Nettle.
0008
0009    GNU Nettle is free software: you can redistribute it and/or
0010    modify it under the terms of either:
0011
0012      * the GNU Lesser General Public License as published by the Free
0013        Software Foundation; either version 3 of the License, or (at your
0014        option) any later version.
0015
0016    or
0017
0018      * the GNU General Public License as published by the Free
0019        Software Foundation; either version 2 of the License, or (at your
0020        option) any later version.
0021
0022    or both in parallel, as here.
0023
0024    GNU Nettle is distributed in the hope that it will be useful,
0025    but WITHOUT ANY WARRANTY; without even the implied warranty of
0026    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
0027    General Public License for more details.
0028
0029    You should have received copies of the GNU General Public License and
0030    the GNU Lesser General Public License along with this program.  If
0031    not, see http://www.gnu.org/licenses/.
0032 */
0033
0034 #ifndef NETTLE_RSA_H_INCLUDED
0035 #define NETTLE_RSA_H_INCLUDED
0036
0037 #include "nettle-types.h"
0038 #include "bignum.h"
0039
0040 #include "md5.h"
0041 #include "sha1.h"
0042 #include "sha2.h"
0043
0044 #ifdef __cplusplus
0045 extern "C" {
0046 #endif
0047
0048 /* Name mangling */
0049 #define rsa_public_key_init nettle_rsa_public_key_init
0050 #define rsa_public_key_clear nettle_rsa_public_key_clear
0051 #define rsa_public_key_prepare nettle_rsa_public_key_prepare
0052 #define rsa_private_key_init nettle_rsa_private_key_init
0053 #define rsa_private_key_clear nettle_rsa_private_key_clear
0054 #define rsa_private_key_prepare nettle_rsa_private_key_prepare
0055 #define rsa_pkcs1_verify nettle_rsa_pkcs1_verify
0056 #define rsa_pkcs1_sign nettle_rsa_pkcs1_sign
0057 #define rsa_pkcs1_sign_tr nettle_rsa_pkcs1_sign_tr
0058 #define rsa_md5_sign nettle_rsa_md5_sign
0059 #define rsa_md5_sign_tr nettle_rsa_md5_sign_tr
0060 #define rsa_md5_verify nettle_rsa_md5_verify
0061 #define rsa_sha1_sign nettle_rsa_sha1_sign
0062 #define rsa_sha1_sign_tr nettle_rsa_sha1_sign_tr
0063 #define rsa_sha1_verify nettle_rsa_sha1_verify
0064 #define rsa_sha256_sign nettle_rsa_sha256_sign
0065 #define rsa_sha256_sign_tr nettle_rsa_sha256_sign_tr
0066 #define rsa_sha256_verify nettle_rsa_sha256_verify
0067 #define rsa_sha512_sign nettle_rsa_sha512_sign
0068 #define rsa_sha512_sign_tr nettle_rsa_sha512_sign_tr
0069 #define rsa_sha512_verify nettle_rsa_sha512_verify
0070 #define rsa_md5_sign_digest nettle_rsa_md5_sign_digest
0071 #define rsa_md5_sign_digest_tr nettle_rsa_md5_sign_digest_tr
0072 #define rsa_md5_verify_digest nettle_rsa_md5_verify_digest
0073 #define rsa_sha1_sign_digest nettle_rsa_sha1_sign_digest
0074 #define rsa_sha1_sign_digest_tr nettle_rsa_sha1_sign_digest_tr
0075 #define rsa_sha1_verify_digest nettle_rsa_sha1_verify_digest
0076 #define rsa_sha256_sign_digest nettle_rsa_sha256_sign_digest
0077 #define rsa_sha256_sign_digest_tr nettle_rsa_sha256_sign_digest_tr
0078 #define rsa_sha256_verify_digest nettle_rsa_sha256_verify_digest
0079 #define rsa_sha512_sign_digest nettle_rsa_sha512_sign_digest
0080 #define rsa_sha512_sign_digest_tr nettle_rsa_sha512_sign_digest_tr
0081 #define rsa_sha512_verify_digest nettle_rsa_sha512_verify_digest
0082 #define rsa_pss_sha256_sign_digest_tr nettle_rsa_pss_sha256_sign_digest_tr
0083 #define rsa_pss_sha256_verify_digest nettle_rsa_pss_sha256_verify_digest
0084 #define rsa_pss_sha384_sign_digest_tr nettle_rsa_pss_sha384_sign_digest_tr
0085 #define rsa_pss_sha384_verify_digest nettle_rsa_pss_sha384_verify_digest
0086 #define rsa_pss_sha512_sign_digest_tr nettle_rsa_pss_sha512_sign_digest_tr
0087 #define rsa_pss_sha512_verify_digest nettle_rsa_pss_sha512_verify_digest
0088 #define rsa_encrypt nettle_rsa_encrypt
0089 #define rsa_decrypt nettle_rsa_decrypt
0090 #define rsa_decrypt_tr nettle_rsa_decrypt_tr
0091 #define rsa_sec_decrypt nettle_rsa_sec_decrypt
0092 #define rsa_compute_root nettle_rsa_compute_root
0093 #define rsa_compute_root_tr nettle_rsa_compute_root_tr
0094 #define rsa_generate_keypair nettle_rsa_generate_keypair
0095 #define rsa_keypair_to_sexp nettle_rsa_keypair_to_sexp
0096 #define rsa_keypair_from_sexp_alist nettle_rsa_keypair_from_sexp_alist
0097 #define rsa_keypair_from_sexp nettle_rsa_keypair_from_sexp
0098 #define rsa_public_key_from_der_iterator nettle_rsa_public_key_from_der_iterator
0099 #define rsa_private_key_from_der_iterator nettle_rsa_private_key_from_der_iterator
0100 #define rsa_keypair_from_der nettle_rsa_keypair_from_der
0101 #define rsa_keypair_to_openpgp nettle_rsa_keypair_to_openpgp
0102
0103 /* This limit is somewhat arbitrary. Technically, the smallest modulo
0104    which makes sense at all is 15 = 3*5, phi(15) = 8, size 4 bits. But
0105    for ridiculously small keys, not all odd e are possible (e.g., for
0106    5 bits, the only possible modulo is 3*7 = 21, phi(21) = 12, and e =
0107    3 don't work). The smallest size that makes sense with pkcs#1, and
0108    which allows RSA encryption of one byte messages, is 12 octets, 89
0109    bits. */
0110
0111 #define RSA_MINIMUM_N_OCTETS 12
0112 #define RSA_MINIMUM_N_BITS (8*RSA_MINIMUM_N_OCTETS - 7)
0113
0114 struct rsa_public_key
0115 {
0116   /* Size of the modulo, in octets. This is also the size of all
0117    * signatures that are created or verified with this key. */
0118   size_t size;
0119
0120   /* Modulo */
0121   mpz_t n;
0122
0123   /* Public exponent */
0124   mpz_t e;
0125 };
0126
0127 struct rsa_private_key
0128 {
0129   size_t size;
0130
0131   /* d is filled in by the key generation function; otherwise it's
0132    * completely unused. */
0133   mpz_t d;
0134
0135   /* The two factors */
0136   mpz_t p; mpz_t q;
0137
0138   /* d % (p-1), i.e. a e = 1 (mod (p-1)) */
0139   mpz_t a;
0140
0141   /* d % (q-1), i.e. b e = 1 (mod (q-1)) */
0142   mpz_t b;
0143
0144   /* modular inverse of q , i.e. c q = 1 (mod p) */
0145   mpz_t c;
0146 };
0147
0148 /* Signing a message works as follows:
0149  *
0150  * Store the private key in a rsa_private_key struct.
0151  *
0152  * Call rsa_private_key_prepare. This initializes the size attribute
0153  * to the length of a signature.
0154  *
0155  * Initialize a hashing context, by callling
0156  *   md5_init
0157  *
0158  * Hash the message by calling
0159  *   md5_update
0160  *
0161  * Create the signature by calling
0162  *   rsa_md5_sign
0163  *
0164  * The signature is represented as a mpz_t bignum. This call also
0165  * resets the hashing context.
0166  *
0167  * When done with the key and signature, don't forget to call
0168  * mpz_clear.
0169  */
0170
0171 /* Calls mpz_init to initialize bignum storage. */
0172 void
0173 rsa_public_key_init(struct rsa_public_key *key);
0174
0175 /* Calls mpz_clear to deallocate bignum storage. */
0176 void
0177 rsa_public_key_clear(struct rsa_public_key *key);
0178
0179 int
0180 rsa_public_key_prepare(struct rsa_public_key *key);
0181
0182 /* Calls mpz_init to initialize bignum storage. */
0183 void
0184 rsa_private_key_init(struct rsa_private_key *key);
0185
0186 /* Calls mpz_clear to deallocate bignum storage. */
0187 void
0188 rsa_private_key_clear(struct rsa_private_key *key);
0189
0190 int
0191 rsa_private_key_prepare(struct rsa_private_key *key);
0192
0193
0194 /* PKCS#1 style signatures */
0195 int
0196 rsa_pkcs1_sign(const struct rsa_private_key *key,
0197            size_t length, const uint8_t *digest_info,
0198            mpz_t s);
0199
0200 int
0201 rsa_pkcs1_sign_tr(const struct rsa_public_key *pub,
0202               const struct rsa_private_key *key,
0203               void *random_ctx, nettle_random_func *random,
0204               size_t length, const uint8_t *digest_info,
0205               mpz_t s);
0206 int
0207 rsa_pkcs1_verify(const struct rsa_public_key *key,
0208          size_t length, const uint8_t *digest_info,
0209          const mpz_t signature);
0210
0211 int
0212 rsa_md5_sign(const struct rsa_private_key *key,
0213              struct md5_ctx *hash,
0214              mpz_t signature);
0215
0216 int
0217 rsa_md5_sign_tr(const struct rsa_public_key *pub,
0218         const struct rsa_private_key *key,
0219         void *random_ctx, nettle_random_func *random,
0220         struct md5_ctx *hash, mpz_t s);
0221
0222
0223 int
0224 rsa_md5_verify(const struct rsa_public_key *key,
0225                struct md5_ctx *hash,
0226            const mpz_t signature);
0227
0228 int
0229 rsa_sha1_sign(const struct rsa_private_key *key,
0230               struct sha1_ctx *hash,
0231               mpz_t signature);
0232
0233 int
0234 rsa_sha1_sign_tr(const struct rsa_public_key *pub,
0235          const struct rsa_private_key *key,
0236          void *random_ctx, nettle_random_func *random,
0237          struct sha1_ctx *hash,
0238          mpz_t s);
0239
0240 int
0241 rsa_sha1_verify(const struct rsa_public_key *key,
0242                 struct sha1_ctx *hash,
0243         const mpz_t signature);
0244
0245 int
0246 rsa_sha256_sign(const struct rsa_private_key *key,
0247         struct sha256_ctx *hash,
0248         mpz_t signature);
0249
0250 int
0251 rsa_sha256_sign_tr(const struct rsa_public_key *pub,
0252            const struct rsa_private_key *key,
0253            void *random_ctx, nettle_random_func *random,
0254            struct sha256_ctx *hash,
0255            mpz_t s);
0256
0257 int
0258 rsa_sha256_verify(const struct rsa_public_key *key,
0259           struct sha256_ctx *hash,
0260           const mpz_t signature);
0261
0262 int
0263 rsa_sha512_sign(const struct rsa_private_key *key,
0264         struct sha512_ctx *hash,
0265         mpz_t signature);
0266
0267 int
0268 rsa_sha512_sign_tr(const struct rsa_public_key *pub,
0269            const struct rsa_private_key *key,
0270            void *random_ctx, nettle_random_func *random,
0271            struct sha512_ctx *hash,
0272            mpz_t s);
0273
0274 int
0275 rsa_sha512_verify(const struct rsa_public_key *key,
0276           struct sha512_ctx *hash,
0277           const mpz_t signature);
0278
0279 /* Variants taking the digest as argument. */
0280 int
0281 rsa_md5_sign_digest(const struct rsa_private_key *key,
0282             const uint8_t *digest,
0283             mpz_t s);
0284
0285 int
0286 rsa_md5_sign_digest_tr(const struct rsa_public_key *pub,
0287                const struct rsa_private_key *key,
0288                void *random_ctx, nettle_random_func *random,
0289                const uint8_t *digest, mpz_t s);
0290
0291 int
0292 rsa_md5_verify_digest(const struct rsa_public_key *key,
0293               const uint8_t *digest,
0294               const mpz_t signature);
0295
0296 int
0297 rsa_sha1_sign_digest(const struct rsa_private_key *key,
0298              const uint8_t *digest,
0299              mpz_t s);
0300
0301 int
0302 rsa_sha1_sign_digest_tr(const struct rsa_public_key *pub,
0303             const struct rsa_private_key *key,
0304             void *random_ctx, nettle_random_func *random,
0305             const uint8_t *digest,
0306             mpz_t s);
0307
0308 int
0309 rsa_sha1_verify_digest(const struct rsa_public_key *key,
0310                const uint8_t *digest,
0311                const mpz_t signature);
0312
0313 int
0314 rsa_sha256_sign_digest(const struct rsa_private_key *key,
0315                const uint8_t *digest,
0316                mpz_t s);
0317
0318 int
0319 rsa_sha256_sign_digest_tr(const struct rsa_public_key *pub,
0320               const struct rsa_private_key *key,
0321               void *random_ctx, nettle_random_func *random,
0322               const uint8_t *digest,
0323               mpz_t s);
0324
0325 int
0326 rsa_sha256_verify_digest(const struct rsa_public_key *key,
0327              const uint8_t *digest,
0328              const mpz_t signature);
0329
0330 int
0331 rsa_sha512_sign_digest(const struct rsa_private_key *key,
0332                const uint8_t *digest,
0333                mpz_t s);
0334
0335 int
0336 rsa_sha512_sign_digest_tr(const struct rsa_public_key *pub,
0337               const struct rsa_private_key *key,
0338               void *random_ctx, nettle_random_func *random,
0339               const uint8_t *digest,
0340               mpz_t s);
0341
0342 int
0343 rsa_sha512_verify_digest(const struct rsa_public_key *key,
0344              const uint8_t *digest,
0345              const mpz_t signature);
0346
0347 /* PSS style signatures */
0348 int
0349 rsa_pss_sha256_sign_digest_tr(const struct rsa_public_key *pub,
0350                   const struct rsa_private_key *key,
0351                   void *random_ctx, nettle_random_func *random,
0352                   size_t salt_length, const uint8_t *salt,
0353                   const uint8_t *digest,
0354                   mpz_t s);
0355
0356 int
0357 rsa_pss_sha256_verify_digest(const struct rsa_public_key *key,
0358                  size_t salt_length,
0359                  const uint8_t *digest,
0360                  const mpz_t signature);
0361
0362 int
0363 rsa_pss_sha384_sign_digest_tr(const struct rsa_public_key *pub,
0364                   const struct rsa_private_key *key,
0365                   void *random_ctx, nettle_random_func *random,
0366                   size_t salt_length, const uint8_t *salt,
0367                   const uint8_t *digest,
0368                   mpz_t s);
0369
0370 int
0371 rsa_pss_sha384_verify_digest(const struct rsa_public_key *key,
0372                  size_t salt_length,
0373                  const uint8_t *digest,
0374                  const mpz_t signature);
0375
0376 int
0377 rsa_pss_sha512_sign_digest_tr(const struct rsa_public_key *pub,
0378                   const struct rsa_private_key *key,
0379                   void *random_ctx, nettle_random_func *random,
0380                   size_t salt_length, const uint8_t *salt,
0381                   const uint8_t *digest,
0382                   mpz_t s);
0383
0384 int
0385 rsa_pss_sha512_verify_digest(const struct rsa_public_key *key,
0386                  size_t salt_length,
0387                  const uint8_t *digest,
0388                  const mpz_t signature);
0389
0390
0391 /* RSA encryption, using PKCS#1 */
0392 /* These functions uses the v1.5 padding. What should the v2 (OAEP)
0393  * functions be called? */
0394
0395 /* Returns 1 on success, 0 on failure, which happens if the
0396  * message is too long for the key. */
0397 int
0398 rsa_encrypt(const struct rsa_public_key *key,
0399         /* For padding */
0400         void *random_ctx, nettle_random_func *random,
0401         size_t length, const uint8_t *cleartext,
0402         mpz_t cipher);
0403
0404 /* Message must point to a buffer of size *LENGTH. KEY->size is enough
0405  * for all valid messages. On success, *LENGTH is updated to reflect
0406  * the actual length of the message. Returns 1 on success, 0 on
0407  * failure, which happens if decryption failed or if the message
0408  * didn't fit. */
0409 int
0410 rsa_decrypt(const struct rsa_private_key *key,
0411         size_t *length, uint8_t *cleartext,
0412         const mpz_t ciphertext);
0413
0414 /* Timing-resistant version, using randomized RSA blinding. */
0415 int
0416 rsa_decrypt_tr(const struct rsa_public_key *pub,
0417            const struct rsa_private_key *key,
0418            void *random_ctx, nettle_random_func *random,
0419            size_t *length, uint8_t *message,
0420            const mpz_t gibberish);
0421
0422 /* like rsa_decrypt_tr but with additional side-channel resistance.
0423  * NOTE: the length of the final message must be known in advance. */
0424 int
0425 rsa_sec_decrypt(const struct rsa_public_key *pub,
0426             const struct rsa_private_key *key,
0427             void *random_ctx, nettle_random_func *random,
0428             size_t length, uint8_t *message,
0429             const mpz_t gibberish);
0430
0431 /* Compute x, the e:th root of m. Calling it with x == m is allowed.
0432    It is required that 0 <= m < n. */
0433 void
0434 rsa_compute_root(const struct rsa_private_key *key,
0435          mpz_t x, const mpz_t m);
0436
0437 /* Safer variant, using RSA blinding, and checking the result after
0438    CRT. It is required that 0 <= m < n. */
0439 int
0440 rsa_compute_root_tr(const struct rsa_public_key *pub,
0441             const struct rsa_private_key *key,
0442             void *random_ctx, nettle_random_func *random,
0443             mpz_t x, const mpz_t m);
0444
0445 /* Key generation */
0446
0447 /* Note that the key structs must be initialized first. */
0448 int
0449 rsa_generate_keypair(struct rsa_public_key *pub,
0450              struct rsa_private_key *key,
0451
0452              void *random_ctx, nettle_random_func *random,
0453              void *progress_ctx, nettle_progress_func *progress,
0454
0455              /* Desired size of modulo, in bits */
0456              unsigned n_size,
0457
0458              /* Desired size of public exponent, in bits. If
0459               * zero, the passed in value pub->e is used. */
0460              unsigned e_size);
0461
0462
0463 #define RSA_SIGN(key, algorithm, ctx, length, data, signature) ( \
0464   algorithm##_update(ctx, length, data), \
0465   rsa_##algorithm##_sign(key, ctx, signature) \
0466 )
0467
0468 #define RSA_VERIFY(key, algorithm, ctx, length, data, signature) ( \
0469   algorithm##_update(ctx, length, data), \
0470   rsa_##algorithm##_verify(key, ctx, signature) \
0471 )
0472
0473
0474 /* Keys in sexp form. */
0475
0476 struct nettle_buffer;
0477
0478 /* Generates a public-key expression if PRIV is NULL .*/
0479 int
0480 rsa_keypair_to_sexp(struct nettle_buffer *buffer,
0481             const char *algorithm_name, /* NULL means "rsa" */
0482             const struct rsa_public_key *pub,
0483             const struct rsa_private_key *priv);
0484
0485 struct sexp_iterator;
0486
0487 int
0488 rsa_keypair_from_sexp_alist(struct rsa_public_key *pub,
0489                 struct rsa_private_key *priv,
0490                 unsigned limit,
0491                 struct sexp_iterator *i);
0492
0493 /* If PRIV is NULL, expect a public-key expression. If PUB is NULL,
0494  * expect a private key expression and ignore the parts not needed for
0495  * the public key. */
0496 /* Keys must be initialized before calling this function, as usual. */
0497 int
0498 rsa_keypair_from_sexp(struct rsa_public_key *pub,
0499               struct rsa_private_key *priv,
0500               unsigned limit,
0501               size_t length, const uint8_t *expr);
0502
0503
0504 /* Keys in PKCS#1 format. */
0505 struct asn1_der_iterator;
0506
0507 int
0508 rsa_public_key_from_der_iterator(struct rsa_public_key *pub,
0509                  unsigned limit,
0510                  struct asn1_der_iterator *i);
0511
0512 int
0513 rsa_private_key_from_der_iterator(struct rsa_public_key *pub,
0514                   struct rsa_private_key *priv,
0515                   unsigned limit,
0516                   struct asn1_der_iterator *i);
0517
0518 /* For public keys, use PRIV == NULL */
0519 int
0520 rsa_keypair_from_der(struct rsa_public_key *pub,
0521              struct rsa_private_key *priv,
0522              unsigned limit,
0523              size_t length, const uint8_t *data);
0524
0525 /* OpenPGP format. Experimental interface, subject to change. */
0526 int
0527 rsa_keypair_to_openpgp(struct nettle_buffer *buffer,
0528                const struct rsa_public_key *pub,
0529                const struct rsa_private_key *priv,
0530                /* A single user id. NUL-terminated utf8. */
0531                const char *userid);
0532
0533
0534 #ifdef __cplusplus
0535 }
0536 #endif
0537
0538 #endif /* NETTLE_RSA_H_INCLUDED */