9 #include <botan/internal/pk_ops_impl.h>
10 #include <botan/keypair.h>
11 #include <botan/blinding.h>
12 #include <botan/reducer.h>
13 #include <botan/workfactor.h>
14 #include <botan/der_enc.h>
15 #include <botan/ber_dec.h>
16 #include <botan/monty.h>
17 #include <botan/divide.h>
18 #include <botan/internal/monty_exp.h>
20 #if defined(BOTAN_HAS_OPENSSL)
21 #include <botan/internal/openssl.h>
24 #if defined(BOTAN_HAS_THREAD_UTILS)
25 #include <botan/internal/thread_pool.h>
30 class RSA_Public_Data
final
33 RSA_Public_Data(BigInt&& n, BigInt&& e) :
36 m_monty_n(
std::make_shared<Montgomery_Params>(m_n)),
37 m_public_modulus_bits(m_n.bits()),
38 m_public_modulus_bytes(m_n.bytes())
41 BigInt public_op(
const BigInt& m)
const
43 const size_t powm_window = 1;
48 const BigInt& get_n()
const {
return m_n; }
49 const BigInt& get_e()
const {
return m_e; }
50 size_t public_modulus_bits()
const {
return m_public_modulus_bits; }
51 size_t public_modulus_bytes()
const {
return m_public_modulus_bytes; }
56 std::shared_ptr<const Montgomery_Params> m_monty_n;
57 size_t m_public_modulus_bits;
58 size_t m_public_modulus_bytes;
61 class RSA_Private_Data
final
64 RSA_Private_Data(BigInt&& d, BigInt&& p, BigInt&& q,
65 BigInt&& d1, BigInt&& d2, BigInt&& c) :
75 m_monty_q(
std::make_shared<Montgomery_Params>(m_q, m_mod_q)),
80 const BigInt& get_d()
const {
return m_d; }
81 const BigInt& get_p()
const {
return m_p; }
82 const BigInt& get_q()
const {
return m_q; }
83 const BigInt& get_d1()
const {
return m_d1; }
84 const BigInt& get_d2()
const {
return m_d2; }
85 const BigInt& get_c()
const {
return m_c; }
96 Modular_Reducer m_mod_q;
97 std::shared_ptr<const Montgomery_Params>
m_monty_p;
98 std::shared_ptr<const Montgomery_Params> m_monty_q;
113 if(n.is_negative() || n.is_even() || e.is_negative() || e.is_even())
115 m_public = std::make_shared<RSA_Public_Data>(std::move(n), std::move(e));
119 const std::vector<uint8_t>& key_bits)
128 init(std::move(n), std::move(e));
135 init(std::move(n), std::move(e));
140 return m_public->public_modulus_bits();
155 std::vector<uint8_t> output;
184 .
encode(static_cast<size_t>(0))
207 m_private = std::make_shared<RSA_Private_Data>(
208 std::move(d), std::move(p), std::move(q), std::move(d1), std::move(d2), std::move(c));
214 BigInt n, e, d, p, q, d1, d2, c;
231 RSA_PrivateKey::init(std::move(d), std::move(p), std::move(q),
232 std::move(d1), std::move(d2), std::move(c));
251 const BigInt p_minus_1 = p - 1;
252 const BigInt q_minus_1 = q - 1;
256 const BigInt phi_n =
lcm(p_minus_1, q_minus_1);
266 RSA_PrivateKey::init(std::move(d), std::move(p), std::move(q),
267 std::move(d1), std::move(d2), std::move(c));
274 size_t bits,
size_t exp)
279 if(exp < 3 || exp % 2 == 0)
282 BigInt n, e, d, p, q, d1, d2, c;
286 const size_t p_bits = (bits + 1) / 2;
287 const size_t q_bits = bits - p_bits;
299 }
while(n.
bits() != bits);
301 const BigInt p_minus_1 = p - 1;
302 const BigInt q_minus_1 = q - 1;
304 const BigInt phi_n =
lcm(p_minus_1, q_minus_1);
312 RSA_PrivateKey::init(std::move(d), std::move(p), std::move(q),
313 std::move(d1), std::move(d2), std::move(c));
340 const size_t prob = (strong) ? 128 : 12;
363 class RSA_Private_Operation
366 size_t public_modulus_bits()
const {
return m_public->public_modulus_bits(); }
367 size_t public_modulus_bytes()
const {
return m_public->public_modulus_bytes(); }
369 explicit RSA_Private_Operation(
const RSA_PrivateKey& rsa, RandomNumberGenerator& rng) :
373 [this](const BigInt& k) {
return m_public->public_op(k); },
381 secure_vector<uint8_t> raw_op(
const uint8_t input[],
size_t input_len)
383 const BigInt input_bn(input, input_len);
385 throw Invalid_Argument(
"RSA private op - input is too large");
390 const BigInt recovered =
m_blinder.unblind(rsa_private_op(
m_blinder.blind(input_bn)));
397 BigInt rsa_private_op(
const BigInt& m)
const
405 static constexpr
size_t powm_window = 4;
410 #if defined(BOTAN_HAS_THREAD_UTILS) && !defined(BOTAN_HAS_VALGRIND)
411 #define BOTAN_RSA_USE_ASYNC
414 #if defined(BOTAN_RSA_USE_ASYNC)
428 #if defined(BOTAN_RSA_USE_ASYNC)
438 #if defined(BOTAN_RSA_USE_ASYNC)
439 BigInt j1 = future_j1.get();
469 class RSA_Signature_Operation
final :
public PK_Ops::Signature_with_EMSA,
470 private RSA_Private_Operation
473 size_t max_input_bits()
const override {
return public_modulus_bits() - 1; }
475 size_t signature_length()
const override {
return public_modulus_bytes(); }
477 RSA_Signature_Operation(
const RSA_PrivateKey& rsa,
const std::string& emsa, RandomNumberGenerator& rng) :
478 PK_Ops::Signature_with_EMSA(emsa),
479 RSA_Private_Operation(rsa, rng)
483 secure_vector<uint8_t> raw_sign(
const uint8_t input[],
size_t input_len,
484 RandomNumberGenerator&)
override
486 return raw_op(input, input_len);
490 class RSA_Decryption_Operation
final :
public PK_Ops::Decryption_with_EME,
491 private RSA_Private_Operation
495 RSA_Decryption_Operation(
const RSA_PrivateKey& rsa,
const std::string& eme, RandomNumberGenerator& rng) :
496 PK_Ops::Decryption_with_EME(eme),
497 RSA_Private_Operation(rsa, rng)
501 size_t plaintext_length(
size_t)
const override {
return public_modulus_bytes(); }
503 secure_vector<uint8_t> raw_decrypt(
const uint8_t input[],
size_t input_len)
override
505 return raw_op(input, input_len);
509 class RSA_KEM_Decryption_Operation
final :
public PK_Ops::KEM_Decryption_with_KDF,
510 private RSA_Private_Operation
514 RSA_KEM_Decryption_Operation(
const RSA_PrivateKey& key,
515 const std::string& kdf,
516 RandomNumberGenerator& rng) :
517 PK_Ops::KEM_Decryption_with_KDF(kdf),
518 RSA_Private_Operation(key, rng)
521 secure_vector<uint8_t>
522 raw_kem_decrypt(
const uint8_t encap_key[],
size_t len)
override
524 return raw_op(encap_key, len);
531 class RSA_Public_Operation
534 explicit RSA_Public_Operation(
const RSA_PublicKey& rsa) :
538 size_t get_max_input_bits()
const
540 const size_t n_bits =
m_public->public_modulus_bits();
552 BigInt public_op(
const BigInt& m)
const
555 throw Invalid_Argument(
"RSA public op - input is too large");
560 size_t public_modulus_bytes()
const {
return m_public->public_modulus_bytes(); }
562 const BigInt& get_n()
const {
return m_public->get_n(); }
564 std::shared_ptr<const RSA_Public_Data>
m_public;
567 class RSA_Encryption_Operation
final :
public PK_Ops::Encryption_with_EME,
568 private RSA_Public_Operation
572 RSA_Encryption_Operation(
const RSA_PublicKey& rsa,
const std::string& eme) :
573 PK_Ops::Encryption_with_EME(eme),
574 RSA_Public_Operation(rsa)
578 size_t ciphertext_length(
size_t)
const override {
return public_modulus_bytes(); }
580 size_t max_raw_input_bits()
const override {
return get_max_input_bits(); }
582 secure_vector<uint8_t> raw_encrypt(
const uint8_t input[],
size_t input_len,
583 RandomNumberGenerator&)
override
585 BigInt input_bn(input, input_len);
590 class RSA_Verify_Operation
final :
public PK_Ops::Verification_with_EMSA,
591 private RSA_Public_Operation
595 size_t max_input_bits()
const override {
return get_max_input_bits(); }
597 RSA_Verify_Operation(
const RSA_PublicKey& rsa,
const std::string& emsa) :
598 PK_Ops::Verification_with_EMSA(emsa),
599 RSA_Public_Operation(rsa)
603 bool with_recovery()
const override {
return true; }
605 secure_vector<uint8_t> verify_mr(
const uint8_t input[],
size_t input_len)
override
607 BigInt input_bn(input, input_len);
612 class RSA_KEM_Encryption_Operation
final :
public PK_Ops::KEM_Encryption_with_KDF,
613 private RSA_Public_Operation
617 RSA_KEM_Encryption_Operation(
const RSA_PublicKey& key,
618 const std::string& kdf) :
619 PK_Ops::KEM_Encryption_with_KDF(kdf),
620 RSA_Public_Operation(key) {}
623 void raw_kem_encrypt(secure_vector<uint8_t>& out_encapsulated_key,
624 secure_vector<uint8_t>& raw_shared_key,
628 const BigInt c = public_op(r);
637 std::unique_ptr<PK_Ops::Encryption>
639 const std::string& params,
640 const std::string& provider)
const
642 #if defined(BOTAN_HAS_OPENSSL)
643 if(provider ==
"openssl" || provider.empty())
647 return make_openssl_rsa_enc_op(*
this, params);
656 if(provider ==
"openssl")
657 throw Lookup_Error(
"OpenSSL RSA provider rejected key:" + std::string(e.
what()));
662 if(provider ==
"base" || provider.empty())
663 return std::unique_ptr<PK_Ops::Encryption>(
new RSA_Encryption_Operation(*
this, params));
667 std::unique_ptr<PK_Ops::KEM_Encryption>
669 const std::string& params,
670 const std::string& provider)
const
672 if(provider ==
"base" || provider.empty())
673 return std::unique_ptr<PK_Ops::KEM_Encryption>(
new RSA_KEM_Encryption_Operation(*
this, params));
677 std::unique_ptr<PK_Ops::Verification>
679 const std::string& provider)
const
681 #if defined(BOTAN_HAS_OPENSSL)
682 if(provider ==
"openssl" || provider.empty())
684 std::unique_ptr<PK_Ops::Verification> res = make_openssl_rsa_ver_op(*
this, params);
690 if(provider ==
"base" || provider.empty())
691 return std::unique_ptr<PK_Ops::Verification>(
new RSA_Verify_Operation(*
this, params));
696 std::unique_ptr<PK_Ops::Decryption>
698 const std::string& params,
699 const std::string& provider)
const
701 #if defined(BOTAN_HAS_OPENSSL)
702 if(provider ==
"openssl" || provider.empty())
706 return make_openssl_rsa_dec_op(*
this, params);
710 if(provider ==
"openssl")
711 throw Lookup_Error(
"OpenSSL RSA provider rejected key:" + std::string(e.
what()));
716 if(provider ==
"base" || provider.empty())
717 return std::unique_ptr<PK_Ops::Decryption>(
new RSA_Decryption_Operation(*
this, params, rng));
722 std::unique_ptr<PK_Ops::KEM_Decryption>
724 const std::string& params,
725 const std::string& provider)
const
727 if(provider ==
"base" || provider.empty())
728 return std::unique_ptr<PK_Ops::KEM_Decryption>(
new RSA_KEM_Decryption_Operation(*
this, params, rng));
733 std::unique_ptr<PK_Ops::Signature>
735 const std::string& params,
736 const std::string& provider)
const
738 #if defined(BOTAN_HAS_OPENSSL)
739 if(provider ==
"openssl" || provider.empty())
741 std::unique_ptr<PK_Ops::Signature> res = make_openssl_rsa_sig_op(*
this, params);
747 if(provider ==
"base" || provider.empty())
748 return std::unique_ptr<PK_Ops::Signature>(
new RSA_Signature_Operation(*
this, params, rng));
BigInt mul_add(const BigInt &a, const BigInt &b, const BigInt &c)
std::unique_ptr< PK_Ops::Decryption > create_decryption_op(RandomNumberGenerator &rng, const std::string ¶ms, const std::string &provider) const override
const BigInt & get_p() const
size_t if_work_factor(size_t bits)
bool check_key(RandomNumberGenerator &rng, bool) const override
const BigInt & get_n() const
size_t estimated_strength() const override
size_t key_length() const override
std::unique_ptr< PK_Ops::KEM_Encryption > create_kem_encryption_op(RandomNumberGenerator &rng, const std::string ¶ms, const std::string &provider) const override
secure_vector< uint8_t > private_key_bits() const override
BER_Decoder & decode_and_check(const T &expected, const std::string &error_msg)
std::shared_ptr< const RSA_Public_Data > m_public
std::unique_ptr< PK_Ops::KEM_Decryption > create_kem_decryption_op(RandomNumberGenerator &rng, const std::string ¶ms, const std::string &provider) const override
int(* final)(unsigned char *, CTX *)
const BigInt & get_e() const
secure_vector< uint8_t > get_contents()
std::shared_ptr< const RSA_Private_Data > private_data() const
std::shared_ptr< const Montgomery_Params > m_monty_p
bool is_prime(const BigInt &n, RandomNumberGenerator &rng, size_t prob, bool is_random)
#define BOTAN_ASSERT_NOMSG(expr)
BigInt ct_modulo(const BigInt &x, const BigInt &y)
std::string to_string(const BER_Object &obj)
static BigInt random_integer(RandomNumberGenerator &rng, const BigInt &min, const BigInt &max)
BER_Decoder & decode(bool &out)
const BigInt & get_d2() const
virtual OID get_oid() const
static secure_vector< uint8_t > encode_locked(const BigInt &n)
#define BOTAN_ASSERT(expr, assertion_made)
const BigInt & get_d() const
DER_Encoder & encode(bool b)
BigInt monty_execute_vartime(const Montgomery_Exponentation_State &precomputed_state, const BigInt &k)
bool signature_consistency_check(RandomNumberGenerator &rng, const Private_Key &private_key, const Public_Key &public_key, const std::string &padding)
const size_t m_max_d2_bits
std::vector< T, secure_allocator< T >> secure_vector
std::shared_ptr< const RSA_Private_Data > m_private
BigInt lcm(const BigInt &a, const BigInt &b)
std::vector< uint8_t > public_key_bits() const override
BigInt inverse_mod(const BigInt &n, const BigInt &mod)
const size_t m_max_d1_bits
std::string algo_name() const override
secure_vector< uint8_t > decode(DataSource &source, std::string &label)
BER_Decoder start_cons(ASN1_Tag type_tag, ASN1_Tag class_tag=UNIVERSAL)
std::shared_ptr< const Montgomery_Exponentation_State > monty_precompute(std::shared_ptr< const Montgomery_Params > params, const BigInt &g, size_t window_bits, bool const_time)
AlgorithmIdentifier algorithm_identifier() const override
std::unique_ptr< PK_Ops::Verification > create_verification_op(const std::string ¶ms, const std::string &provider) const override
const BigInt & get_c() const
const BigInt & get_d1() const
RSA_PrivateKey(const AlgorithmIdentifier &alg_id, const secure_vector< uint8_t > &key_bits)
const char * what() const noexceptoverride
std::shared_ptr< const RSA_Public_Data > m_public
const BigInt & get_q() const
void init(BigInt &&n, BigInt &&e)
DER_Encoder & start_cons(ASN1_Tag type_tag, ASN1_Tag class_tag=UNIVERSAL)
static secure_vector< uint8_t > encode_1363(const BigInt &n, size_t bytes)
auto run(F &&f, Args &&...args) -> std::future< typename std::result_of< F(Args...)>::type >
static Thread_Pool & global_instance()
std::unique_ptr< PK_Ops::Encryption > create_encryption_op(RandomNumberGenerator &rng, const std::string ¶ms, const std::string &provider) const override
bool check_key(RandomNumberGenerator &rng, bool) const override
BigInt generate_rsa_prime(RandomNumberGenerator &keygen_rng, RandomNumberGenerator &prime_test_rng, size_t bits, const BigInt &coprime, size_t prob)
BigInt monty_execute(const Montgomery_Exponentation_State &precomputed_state, const BigInt &k, size_t max_k_bits)
const size_t m_blinding_bits
std::unique_ptr< PK_Ops::Signature > create_signature_op(RandomNumberGenerator &rng, const std::string ¶ms, const std::string &provider) const override
std::shared_ptr< const RSA_Public_Data > public_data() const