]>
git.ipfire.org Git - thirdparty/nettle.git/blob - rsa.h
3 The RSA publickey algorithm.
5 Copyright (C) 2001, 2002 Niels Möller
7 This file is part of GNU Nettle.
9 GNU Nettle is free software: you can redistribute it and/or
10 modify it under the terms of either:
12 * the GNU Lesser General Public License as published by the Free
13 Software Foundation; either version 3 of the License, or (at your
14 option) any later version.
18 * the GNU General Public License as published by the Free
19 Software Foundation; either version 2 of the License, or (at your
20 option) any later version.
22 or both in parallel, as here.
24 GNU Nettle is distributed in the hope that it will be useful,
25 but WITHOUT ANY WARRANTY; without even the implied warranty of
26 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
27 General Public License for more details.
29 You should have received copies of the GNU General Public License and
30 the GNU Lesser General Public License along with this program. If
31 not, see http://www.gnu.org/licenses/.
34 #ifndef NETTLE_RSA_H_INCLUDED
35 #define NETTLE_RSA_H_INCLUDED
37 #include "nettle-types.h"
49 #define rsa_public_key_init nettle_rsa_public_key_init
50 #define rsa_public_key_clear nettle_rsa_public_key_clear
51 #define rsa_public_key_prepare nettle_rsa_public_key_prepare
52 #define rsa_private_key_init nettle_rsa_private_key_init
53 #define rsa_private_key_clear nettle_rsa_private_key_clear
54 #define rsa_private_key_prepare nettle_rsa_private_key_prepare
55 #define rsa_pkcs1_verify nettle_rsa_pkcs1_verify
56 #define rsa_pkcs1_sign nettle_rsa_pkcs1_sign
57 #define rsa_pkcs1_sign_tr nettle_rsa_pkcs1_sign_tr
58 #define rsa_md5_sign nettle_rsa_md5_sign
59 #define rsa_md5_sign_tr nettle_rsa_md5_sign_tr
60 #define rsa_md5_verify nettle_rsa_md5_verify
61 #define rsa_sha1_sign nettle_rsa_sha1_sign
62 #define rsa_sha1_sign_tr nettle_rsa_sha1_sign_tr
63 #define rsa_sha1_verify nettle_rsa_sha1_verify
64 #define rsa_sha256_sign nettle_rsa_sha256_sign
65 #define rsa_sha256_sign_tr nettle_rsa_sha256_sign_tr
66 #define rsa_sha256_verify nettle_rsa_sha256_verify
67 #define rsa_sha512_sign nettle_rsa_sha512_sign
68 #define rsa_sha512_sign_tr nettle_rsa_sha512_sign_tr
69 #define rsa_sha512_verify nettle_rsa_sha512_verify
70 #define rsa_md5_sign_digest nettle_rsa_md5_sign_digest
71 #define rsa_md5_sign_digest_tr nettle_rsa_md5_sign_digest_tr
72 #define rsa_md5_verify_digest nettle_rsa_md5_verify_digest
73 #define rsa_sha1_sign_digest nettle_rsa_sha1_sign_digest
74 #define rsa_sha1_sign_digest_tr nettle_rsa_sha1_sign_digest_tr
75 #define rsa_sha1_verify_digest nettle_rsa_sha1_verify_digest
76 #define rsa_sha256_sign_digest nettle_rsa_sha256_sign_digest
77 #define rsa_sha256_sign_digest_tr nettle_rsa_sha256_sign_digest_tr
78 #define rsa_sha256_verify_digest nettle_rsa_sha256_verify_digest
79 #define rsa_sha512_sign_digest nettle_rsa_sha512_sign_digest
80 #define rsa_sha512_sign_digest_tr nettle_rsa_sha512_sign_digest_tr
81 #define rsa_sha512_verify_digest nettle_rsa_sha512_verify_digest
82 #define rsa_pss_sha256_sign_digest_tr nettle_rsa_pss_sha256_sign_digest_tr
83 #define rsa_pss_sha256_verify_digest nettle_rsa_pss_sha256_verify_digest
84 #define rsa_pss_sha384_sign_digest_tr nettle_rsa_pss_sha384_sign_digest_tr
85 #define rsa_pss_sha384_verify_digest nettle_rsa_pss_sha384_verify_digest
86 #define rsa_pss_sha512_sign_digest_tr nettle_rsa_pss_sha512_sign_digest_tr
87 #define rsa_pss_sha512_verify_digest nettle_rsa_pss_sha512_verify_digest
88 #define rsa_encrypt nettle_rsa_encrypt
89 #define rsa_decrypt nettle_rsa_decrypt
90 #define rsa_decrypt_tr nettle_rsa_decrypt_tr
91 #define rsa_oaep_sha256_encrypt nettle_rsa_oaep_sha256_encrypt
92 #define rsa_oaep_sha256_decrypt nettle_rsa_oaep_sha256_decrypt
93 #define rsa_oaep_sha384_encrypt nettle_rsa_oaep_sha384_encrypt
94 #define rsa_oaep_sha384_decrypt nettle_rsa_oaep_sha384_decrypt
95 #define rsa_oaep_sha512_encrypt nettle_rsa_oaep_sha512_encrypt
96 #define rsa_oaep_sha512_decrypt nettle_rsa_oaep_sha512_decrypt
97 #define rsa_sec_decrypt nettle_rsa_sec_decrypt
98 #define rsa_compute_root nettle_rsa_compute_root
99 #define rsa_compute_root_tr nettle_rsa_compute_root_tr
100 #define rsa_generate_keypair nettle_rsa_generate_keypair
101 #define rsa_keypair_to_sexp nettle_rsa_keypair_to_sexp
102 #define rsa_keypair_from_sexp_alist nettle_rsa_keypair_from_sexp_alist
103 #define rsa_keypair_from_sexp nettle_rsa_keypair_from_sexp
104 #define rsa_public_key_from_der_iterator nettle_rsa_public_key_from_der_iterator
105 #define rsa_private_key_from_der_iterator nettle_rsa_private_key_from_der_iterator
106 #define rsa_keypair_from_der nettle_rsa_keypair_from_der
107 #define rsa_keypair_to_openpgp nettle_rsa_keypair_to_openpgp
109 /* This limit is somewhat arbitrary. Technically, the smallest modulo
110 which makes sense at all is 15 = 3*5, phi(15) = 8, size 4 bits. But
111 for ridiculously small keys, not all odd e are possible (e.g., for
112 5 bits, the only possible modulo is 3*7 = 21, phi(21) = 12, and e =
113 3 don't work). The smallest size that makes sense with pkcs#1, and
114 which allows RSA encryption of one byte messages, is 12 octets, 89
117 #define RSA_MINIMUM_N_OCTETS 12
118 #define RSA_MINIMUM_N_BITS (8*RSA_MINIMUM_N_OCTETS - 7)
120 struct rsa_public_key
122 /* Size of the modulo, in octets. This is also the size of all
123 * signatures that are created or verified with this key. */
129 /* Public exponent */
133 struct rsa_private_key
137 /* d is filled in by the key generation function; otherwise it's
138 * completely unused. */
141 /* The two factors */
144 /* d % (p-1), i.e. a e = 1 (mod (p-1)) */
147 /* d % (q-1), i.e. b e = 1 (mod (q-1)) */
150 /* modular inverse of q , i.e. c q = 1 (mod p) */
154 /* Signing a message works as follows:
156 * Store the private key in a rsa_private_key struct.
158 * Call rsa_private_key_prepare. This initializes the size attribute
159 * to the length of a signature.
161 * Initialize a hashing context, by callling
164 * Hash the message by calling
167 * Create the signature by calling
170 * The signature is represented as a mpz_t bignum. This call also
171 * resets the hashing context.
173 * When done with the key and signature, don't forget to call
177 /* Calls mpz_init to initialize bignum storage. */
179 rsa_public_key_init(struct rsa_public_key
*key
);
181 /* Calls mpz_clear to deallocate bignum storage. */
183 rsa_public_key_clear(struct rsa_public_key
*key
);
186 rsa_public_key_prepare(struct rsa_public_key
*key
);
188 /* Calls mpz_init to initialize bignum storage. */
190 rsa_private_key_init(struct rsa_private_key
*key
);
192 /* Calls mpz_clear to deallocate bignum storage. */
194 rsa_private_key_clear(struct rsa_private_key
*key
);
197 rsa_private_key_prepare(struct rsa_private_key
*key
);
200 /* PKCS#1 style signatures */
202 rsa_pkcs1_sign(const struct rsa_private_key
*key
,
203 size_t length
, const uint8_t *digest_info
,
207 rsa_pkcs1_sign_tr(const struct rsa_public_key
*pub
,
208 const struct rsa_private_key
*key
,
209 void *random_ctx
, nettle_random_func
*random
,
210 size_t length
, const uint8_t *digest_info
,
213 rsa_pkcs1_verify(const struct rsa_public_key
*key
,
214 size_t length
, const uint8_t *digest_info
,
215 const mpz_t signature
);
218 rsa_md5_sign(const struct rsa_private_key
*key
,
219 struct md5_ctx
*hash
,
223 rsa_md5_sign_tr(const struct rsa_public_key
*pub
,
224 const struct rsa_private_key
*key
,
225 void *random_ctx
, nettle_random_func
*random
,
226 struct md5_ctx
*hash
, mpz_t s
);
230 rsa_md5_verify(const struct rsa_public_key
*key
,
231 struct md5_ctx
*hash
,
232 const mpz_t signature
);
235 rsa_sha1_sign(const struct rsa_private_key
*key
,
236 struct sha1_ctx
*hash
,
240 rsa_sha1_sign_tr(const struct rsa_public_key
*pub
,
241 const struct rsa_private_key
*key
,
242 void *random_ctx
, nettle_random_func
*random
,
243 struct sha1_ctx
*hash
,
247 rsa_sha1_verify(const struct rsa_public_key
*key
,
248 struct sha1_ctx
*hash
,
249 const mpz_t signature
);
252 rsa_sha256_sign(const struct rsa_private_key
*key
,
253 struct sha256_ctx
*hash
,
257 rsa_sha256_sign_tr(const struct rsa_public_key
*pub
,
258 const struct rsa_private_key
*key
,
259 void *random_ctx
, nettle_random_func
*random
,
260 struct sha256_ctx
*hash
,
264 rsa_sha256_verify(const struct rsa_public_key
*key
,
265 struct sha256_ctx
*hash
,
266 const mpz_t signature
);
269 rsa_sha512_sign(const struct rsa_private_key
*key
,
270 struct sha512_ctx
*hash
,
274 rsa_sha512_sign_tr(const struct rsa_public_key
*pub
,
275 const struct rsa_private_key
*key
,
276 void *random_ctx
, nettle_random_func
*random
,
277 struct sha512_ctx
*hash
,
281 rsa_sha512_verify(const struct rsa_public_key
*key
,
282 struct sha512_ctx
*hash
,
283 const mpz_t signature
);
285 /* Variants taking the digest as argument. */
287 rsa_md5_sign_digest(const struct rsa_private_key
*key
,
288 const uint8_t *digest
,
292 rsa_md5_sign_digest_tr(const struct rsa_public_key
*pub
,
293 const struct rsa_private_key
*key
,
294 void *random_ctx
, nettle_random_func
*random
,
295 const uint8_t *digest
, mpz_t s
);
298 rsa_md5_verify_digest(const struct rsa_public_key
*key
,
299 const uint8_t *digest
,
300 const mpz_t signature
);
303 rsa_sha1_sign_digest(const struct rsa_private_key
*key
,
304 const uint8_t *digest
,
308 rsa_sha1_sign_digest_tr(const struct rsa_public_key
*pub
,
309 const struct rsa_private_key
*key
,
310 void *random_ctx
, nettle_random_func
*random
,
311 const uint8_t *digest
,
315 rsa_sha1_verify_digest(const struct rsa_public_key
*key
,
316 const uint8_t *digest
,
317 const mpz_t signature
);
320 rsa_sha256_sign_digest(const struct rsa_private_key
*key
,
321 const uint8_t *digest
,
325 rsa_sha256_sign_digest_tr(const struct rsa_public_key
*pub
,
326 const struct rsa_private_key
*key
,
327 void *random_ctx
, nettle_random_func
*random
,
328 const uint8_t *digest
,
332 rsa_sha256_verify_digest(const struct rsa_public_key
*key
,
333 const uint8_t *digest
,
334 const mpz_t signature
);
337 rsa_sha512_sign_digest(const struct rsa_private_key
*key
,
338 const uint8_t *digest
,
342 rsa_sha512_sign_digest_tr(const struct rsa_public_key
*pub
,
343 const struct rsa_private_key
*key
,
344 void *random_ctx
, nettle_random_func
*random
,
345 const uint8_t *digest
,
349 rsa_sha512_verify_digest(const struct rsa_public_key
*key
,
350 const uint8_t *digest
,
351 const mpz_t signature
);
353 /* PSS style signatures */
355 rsa_pss_sha256_sign_digest_tr(const struct rsa_public_key
*pub
,
356 const struct rsa_private_key
*key
,
357 void *random_ctx
, nettle_random_func
*random
,
358 size_t salt_length
, const uint8_t *salt
,
359 const uint8_t *digest
,
363 rsa_pss_sha256_verify_digest(const struct rsa_public_key
*key
,
365 const uint8_t *digest
,
366 const mpz_t signature
);
369 rsa_pss_sha384_sign_digest_tr(const struct rsa_public_key
*pub
,
370 const struct rsa_private_key
*key
,
371 void *random_ctx
, nettle_random_func
*random
,
372 size_t salt_length
, const uint8_t *salt
,
373 const uint8_t *digest
,
377 rsa_pss_sha384_verify_digest(const struct rsa_public_key
*key
,
379 const uint8_t *digest
,
380 const mpz_t signature
);
383 rsa_pss_sha512_sign_digest_tr(const struct rsa_public_key
*pub
,
384 const struct rsa_private_key
*key
,
385 void *random_ctx
, nettle_random_func
*random
,
386 size_t salt_length
, const uint8_t *salt
,
387 const uint8_t *digest
,
391 rsa_pss_sha512_verify_digest(const struct rsa_public_key
*key
,
393 const uint8_t *digest
,
394 const mpz_t signature
);
397 /* RSA encryption, using PKCS#1 */
399 /* Returns 1 on success, 0 on failure, which happens if the
400 * message is too long for the key. */
402 rsa_encrypt(const struct rsa_public_key
*key
,
404 void *random_ctx
, nettle_random_func
*random
,
405 size_t length
, const uint8_t *cleartext
,
408 /* Message must point to a buffer of size *LENGTH. KEY->size is enough
409 * for all valid messages. On success, *LENGTH is updated to reflect
410 * the actual length of the message. Returns 1 on success, 0 on
411 * failure, which happens if decryption failed or if the message
414 rsa_decrypt(const struct rsa_private_key
*key
,
415 size_t *length
, uint8_t *cleartext
,
416 const mpz_t ciphertext
);
418 /* Timing-resistant version, using randomized RSA blinding. */
420 rsa_decrypt_tr(const struct rsa_public_key
*pub
,
421 const struct rsa_private_key
*key
,
422 void *random_ctx
, nettle_random_func
*random
,
423 size_t *length
, uint8_t *message
,
424 const mpz_t gibberish
);
426 /* like rsa_decrypt_tr but with additional side-channel resistance.
427 * NOTE: the length of the final message must be known in advance. */
429 rsa_sec_decrypt(const struct rsa_public_key
*pub
,
430 const struct rsa_private_key
*key
,
431 void *random_ctx
, nettle_random_func
*random
,
432 size_t length
, uint8_t *message
,
433 const mpz_t gibberish
);
435 /* RSA encryption, using OAEP */
438 rsa_oaep_sha256_encrypt (const struct rsa_public_key
*key
,
439 void *random_ctx
, nettle_random_func
*random
,
440 size_t label_length
, const uint8_t *label
,
441 size_t length
, const uint8_t * message
,
442 uint8_t *ciphertext
);
445 rsa_oaep_sha256_decrypt (const struct rsa_public_key
*pub
,
446 const struct rsa_private_key
*key
,
447 void *random_ctx
, nettle_random_func
*random
,
448 size_t label_length
, const uint8_t *label
,
449 size_t *length
, uint8_t *message
,
450 const uint8_t *ciphertext
);
453 rsa_oaep_sha384_encrypt (const struct rsa_public_key
*key
,
454 void *random_ctx
, nettle_random_func
*random
,
455 size_t label_length
, const uint8_t *label
,
456 size_t length
, const uint8_t * message
,
457 uint8_t *ciphertext
);
460 rsa_oaep_sha384_decrypt (const struct rsa_public_key
*pub
,
461 const struct rsa_private_key
*key
,
462 void *random_ctx
, nettle_random_func
*random
,
463 size_t label_length
, const uint8_t *label
,
464 size_t *length
, uint8_t *message
,
465 const uint8_t *ciphertext
);
468 rsa_oaep_sha512_encrypt (const struct rsa_public_key
*key
,
469 void *random_ctx
, nettle_random_func
*random
,
470 size_t label_length
, const uint8_t *label
,
471 size_t length
, const uint8_t *message
,
472 uint8_t *ciphertext
);
475 rsa_oaep_sha512_decrypt (const struct rsa_public_key
*pub
,
476 const struct rsa_private_key
*key
,
477 void *random_ctx
, nettle_random_func
*random
,
478 size_t label_length
, const uint8_t *label
,
479 size_t *length
, uint8_t *message
,
480 const uint8_t *ciphertext
);
482 /* Compute x, the e:th root of m. Calling it with x == m is allowed.
483 It is required that 0 <= m < n. */
485 rsa_compute_root(const struct rsa_private_key
*key
,
486 mpz_t x
, const mpz_t m
);
488 /* Safer variant, using RSA blinding, and checking the result after
489 CRT. It is required that 0 <= m < n. */
491 rsa_compute_root_tr(const struct rsa_public_key
*pub
,
492 const struct rsa_private_key
*key
,
493 void *random_ctx
, nettle_random_func
*random
,
494 mpz_t x
, const mpz_t m
);
498 /* Note that the key structs must be initialized first. */
500 rsa_generate_keypair(struct rsa_public_key
*pub
,
501 struct rsa_private_key
*key
,
503 void *random_ctx
, nettle_random_func
*random
,
504 void *progress_ctx
, nettle_progress_func
*progress
,
506 /* Desired size of modulo, in bits */
509 /* Desired size of public exponent, in bits. If
510 * zero, the passed in value pub->e is used. */
514 #define RSA_SIGN(key, algorithm, ctx, length, data, signature) ( \
515 algorithm##_update(ctx, length, data), \
516 rsa_##algorithm##_sign(key, ctx, signature) \
519 #define RSA_VERIFY(key, algorithm, ctx, length, data, signature) ( \
520 algorithm##_update(ctx, length, data), \
521 rsa_##algorithm##_verify(key, ctx, signature) \
525 /* Keys in sexp form. */
527 struct nettle_buffer
;
529 /* Generates a public-key expression if PRIV is NULL .*/
531 rsa_keypair_to_sexp(struct nettle_buffer
*buffer
,
532 const char *algorithm_name
, /* NULL means "rsa" */
533 const struct rsa_public_key
*pub
,
534 const struct rsa_private_key
*priv
);
536 struct sexp_iterator
;
539 rsa_keypair_from_sexp_alist(struct rsa_public_key
*pub
,
540 struct rsa_private_key
*priv
,
542 struct sexp_iterator
*i
);
544 /* If PRIV is NULL, expect a public-key expression. If PUB is NULL,
545 * expect a private key expression and ignore the parts not needed for
547 /* Keys must be initialized before calling this function, as usual. */
549 rsa_keypair_from_sexp(struct rsa_public_key
*pub
,
550 struct rsa_private_key
*priv
,
552 size_t length
, const uint8_t *expr
);
555 /* Keys in PKCS#1 format. */
556 struct asn1_der_iterator
;
559 rsa_public_key_from_der_iterator(struct rsa_public_key
*pub
,
561 struct asn1_der_iterator
*i
);
564 rsa_private_key_from_der_iterator(struct rsa_public_key
*pub
,
565 struct rsa_private_key
*priv
,
567 struct asn1_der_iterator
*i
);
569 /* For public keys, use PRIV == NULL */
571 rsa_keypair_from_der(struct rsa_public_key
*pub
,
572 struct rsa_private_key
*priv
,
574 size_t length
, const uint8_t *data
);
576 /* OpenPGP format. Experimental interface, subject to change. */
578 rsa_keypair_to_openpgp(struct nettle_buffer
*buffer
,
579 const struct rsa_public_key
*pub
,
580 const struct rsa_private_key
*priv
,
581 /* A single user id. NUL-terminated utf8. */
589 #endif /* NETTLE_RSA_H_INCLUDED */