1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155
// Copyright 2015-2016 Brian Smith. // // Permission to use, copy, modify, and/or distribute this software for any // purpose with or without fee is hereby granted, provided that the above // copyright notice and this permission notice appear in all copies. // // THE SOFTWARE IS PROVIDED "AS IS" AND AND THE AUTHORS DISCLAIM ALL WARRANTIES // WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF // MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY // SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES // WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. // *R* and *r* in Montgomery math refer to different things, so we always use // `R` to refer to *R* to avoid confusion, even when that's against the normal // naming conventions. Also the standard camelCase names are used for // `RSAKeyPair` components. #![allow(non_snake_case)] /// RSA signatures. use {bits, der, error, limb}; use untrusted; mod padding; // `RSA_PKCS1_SHA1` is intentionally not exposed. #[cfg(feature = "rsa_signing")] pub use self::padding::RSAEncoding; pub use self::padding::{ RSA_PKCS1_SHA256, RSA_PKCS1_SHA384, RSA_PKCS1_SHA512, RSA_PSS_SHA256, RSA_PSS_SHA384, RSA_PSS_SHA512 }; // Maximum RSA modulus size supported for signature verification (in bytes). const PUBLIC_KEY_PUBLIC_MODULUS_MAX_LEN: usize = 8192 / 8; // Keep in sync with the documentation comment for `RSAKeyPair`. #[cfg(feature = "rsa_signing")] const PRIVATE_KEY_PUBLIC_MODULUS_MAX_BITS: bits::BitLength = bits::BitLength(4096); const PRIVATE_KEY_PUBLIC_MODULUS_MAX_LIMBS: usize = (4096 + limb::LIMB_BITS - 1) / limb::LIMB_BITS; /// Parameters for RSA verification. pub struct RSAParameters { padding_alg: &'static padding::RSAVerification, min_bits: bits::BitLength, } fn parse_public_key(input: untrusted::Input) -> Result<(untrusted::Input, untrusted::Input), error::Unspecified> { input.read_all(error::Unspecified, |input| { der::nested(input, der::Tag::Sequence, error::Unspecified, |input| { let n = try!(der::positive_integer(input)); let e = try!(der::positive_integer(input)); Ok((n, e)) }) }) } fn check_public_modulus_and_exponent( n: bigint::Positive, e: bigint::Positive, n_min_bits: bits::BitLength, n_max_bits: bits::BitLength, e_min_bits: bits::BitLength) -> Result<(bigint::OddPositive, bigint::PublicExponent), error::Unspecified> { // This is an incomplete implementation of NIST SP800-56Br1 Section // 6.4.2.2, "Partial Public-Key Validation for RSA." That spec defers to // NIST SP800-89 Section 5.3.3, "(Explicit) Partial Public Key Validation // for RSA," "with the caveat that the length of the modulus shall be a // length that is specified in this Recommendation." In SP800-89, two // different sets of steps are given, one set numbered, and one set // lettered. TODO: Document this in the end-user documentation for RSA // keys. // Step 3 / Step c (out of order). let n = try!(n.into_odd_positive()); let e = try!(e.into_odd_positive()); // `pkcs1_encode` depends on this not being small. Otherwise, // `pkcs1_encode` would generate padding that is invalid (too few 0xFF // bytes) for very small keys. const N_MIN_BITS: bits::BitLength = bits::BitLength(2048); // Step 1 / Step a. XXX: SP800-56Br1 and SP800-89 require the length of // the public modulus to be exactly 2048 or 3072 bits, but we are more // flexible to be compatible with other commonly-used crypto libraries. assert!(n_min_bits >= N_MIN_BITS); let n_bits = n.bit_length(); let n_bits_rounded_up = try!(bits::BitLength::from_usize_bytes( n_bits.as_usize_bytes_rounded_up())); if n_bits_rounded_up < n_min_bits { return Err(error::Unspecified); } if n_bits > n_max_bits { return Err(error::Unspecified); } // Step 2 / Step b. NIST SP800-89 defers to FIPS 186-3, which requires // `e > 2**16`, so the requirement is met if and only if `e_min_bits >= 17`. // We enforce this when signing, but are more flexible in verification, for // compatibility. debug_assert!(e_min_bits >= bits::BitLength::from_usize_bits(2)); let e_bits = e.bit_length(); if e_bits < e_min_bits { return Err(error::Unspecified); } // Only small public exponents are supported. let e = try!(e.into_public_exponent()); // If `n` is less than `e` then somebody has probably accidentally swapped // them. The largest acceptable `e` is smaller than the smallest acceptable // `n`, so no additional checks need to be done. debug_assert!(e_min_bits < bigint::PUBLIC_EXPONENT_MAX_BITS); debug_assert!(bigint::PUBLIC_EXPONENT_MAX_BITS < N_MIN_BITS); // XXX: Steps 4 & 5 / Steps d, e, & f are not implemented. This is also the // case in most other commonly-used crypto libraries. Ok((n, e)) } // Type-level representation of an RSA public modulus *n*. See // `super::bigint`'s modulue-level documentation. pub enum N {} pub mod verification; #[cfg(feature = "rsa_signing")] pub mod signing; mod bigint; #[cfg(feature = "rsa_signing")] mod blinding; mod random; // Really a private method; only has public visibility so that C compilation // can see it. #[doc(hidden)] pub use rsa::random::GFp_rand_mod;