1 | /** |
2 | * \file rsa.h | |
3 | * | |
4 | * Copyright (C) 2006-2010, Brainspark B.V. |
5 | * | |
6 | * This file is part of PolarSSL (http://www.polarssl.org) | |
7 | * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org> | |
80a47a2c | 8 | * |
62d3e98d | 9 | * All rights reserved. |
10 | * |
11 | * This program is free software; you can redistribute it and/or modify | |
12 | * it under the terms of the GNU General Public License as published by | |
13 | * the Free Software Foundation; either version 2 of the License, or | |
14 | * (at your option) any later version. | |
15 | * | |
16 | * This program is distributed in the hope that it will be useful, | |
17 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
18 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
19 | * GNU General Public License for more details. | |
20 | * | |
21 | * You should have received a copy of the GNU General Public License along | |
22 | * with this program; if not, write to the Free Software Foundation, Inc., | |
23 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | |
24 | */ | |
25 | #ifndef POLARSSL_RSA_H |
26 | #define POLARSSL_RSA_H | |
27 | ||
ac3ad426 | 28 | #include "polarssl/bignum.h" |
80a47a2c | 29 | |
/*
 * RSA Error codes
 *
 * Every rsa_* function below returns 0 on success and one of these
 * negative, mutually distinct codes on failure. Treat any non-zero
 * value as failure. The per-code meanings given here are read off the
 * names and the prototypes in this header; rsa.c is the authority.
 */
#define POLARSSL_ERR_RSA_BAD_INPUT_DATA                    -0x0400

/* PKCS#1 padding check failed after the modular exponentiation.
 * Never let a remote peer tell this apart from any other decryption
 * failure -- not by error code, message, or timing. That distinction
 * is a padding oracle (Bleichenbacher 1998) against PKCS#1 v1.5. */
#define POLARSSL_ERR_RSA_INVALID_PADDING                   -0x0410

/* rsa_gen_key() could not produce a key. */
#define POLARSSL_ERR_RSA_KEY_GEN_FAILED                    -0x0420

/* rsa_check_pubkey() / rsa_check_privkey() rejected the key. */
#define POLARSSL_ERR_RSA_KEY_CHECK_FAILED                  -0x0430

/* The raw public / private modular exponentiation failed. */
#define POLARSSL_ERR_RSA_PUBLIC_FAILED                     -0x0440
#define POLARSSL_ERR_RSA_PRIVATE_FAILED                    -0x0450

/* rsa_pkcs1_verify(): signature does not match the given digest. */
#define POLARSSL_ERR_RSA_VERIFY_FAILED                     -0x0460

/* Result does not fit the caller's buffer (see output_max_len on
 * rsa_pkcs1_decrypt()). Returned instead of overrunning the buffer. */
#define POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE                  -0x0470

/* The f_rng callback handed to rsa_gen_key()/rsa_pkcs1_encrypt() failed. */
#define POLARSSL_ERR_RSA_RNG_FAILED                        -0x0480
/*
 * PKCS#1 constants
 */

/*
 * Hash identifiers for rsa_pkcs1_sign() / rsa_pkcs1_verify().
 *
 * SIG_RSA_RAW signs or verifies the caller's bytes as given, so the
 * caller must supply hashlen. For every other value the digest length
 * follows from the identifier and a DigestInfo prefix is used.
 *
 * MD2, MD4 and MD5 exist only to handle legacy signatures: all three
 * have practical collision attacks. Do not create new signatures with
 * them and, wherever you control the verifier, refuse them. Prefer the
 * SHA-2 family over SHA-1 for anything new.
 */
#define SIG_RSA_RAW     0
#define SIG_RSA_MD2     2
#define SIG_RSA_MD4     3
#define SIG_RSA_MD5     4
#define SIG_RSA_SHA1    5
#define SIG_RSA_SHA224  14
#define SIG_RSA_SHA256  11
#define SIG_RSA_SHA384  12
#define SIG_RSA_SHA512  13

/* Direction of an operation: the 'mode' argument of the functions below. */
#define RSA_PUBLIC      0
#define RSA_PRIVATE     1

/* Padding scheme recorded in rsa_context.padding. Per the rsa_init()
 * note, RSA_PKCS_V21 (OAEP/PSS) is not supported in this version, so
 * RSA_PKCS_V15 is the only usable choice. */
#define RSA_PKCS_V15    0
#define RSA_PKCS_V21    1

/* Key-usage selectors: signature versus encryption. */
#define RSA_SIGN        1
#define RSA_CRYPT       2
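/*
 * DER tag bytes used to build the DigestInfo prefixes below.
 */
#define ASN1_STR_CONSTRUCTED_SEQUENCE   "\x30"
#define ASN1_STR_NULL                   "\x05"
#define ASN1_STR_OID                    "\x06"
#define ASN1_STR_OCTET_STRING           "\x04"

/*
 * DER-encoded OID contents (no tag, no length).
 *
 * The trailing \x00 of OID_DIGEST_ALG_MDX and OID_HASH_ALG_SHA2X is a
 * placeholder for the last arc, which selects the particular digest
 * (1.2.840.113549.2.{2,4,5} = md2/md4/md5, 2.16.840.1.101.3.4.2.{1,2,3,4}
 * = sha256/sha384/sha512/sha224). It is evidently filled in by the
 * implementation at run time; that code is not in this header.
 */
#define OID_DIGEST_ALG_MDX              "\x2A\x86\x48\x86\xF7\x0D\x02\x00"      /* 1.2.840.113549.2.x */
#define OID_HASH_ALG_SHA1               "\x2b\x0e\x03\x02\x1a"                  /* 1.3.14.3.2.26 */
#define OID_HASH_ALG_SHA2X              "\x60\x86\x48\x01\x65\x03\x04\x02\x00"  /* 2.16.840.1.101.3.4.2.x */

#define OID_ISO_MEMBER_BODIES           "\x2a"      /* 1.2 */
#define OID_ISO_IDENTIFIED_ORG          "\x2b"      /* 1.3 */

/*
 * ISO Member bodies OID parts
 */
#define OID_COUNTRY_US                  "\x86\x48"          /* 840 */
#define OID_RSA_DATA_SECURITY           "\x86\xf7\x0d"      /* 113549 */

/*
 * ISO Identified organization OID parts
 */
#define OID_OIW_SECSIG_SHA1             "\x0e\x03\x02\x1a"  /* 14.3.2.26 */

/*
 * DigestInfo ::= SEQUENCE {
 *     digestAlgorithm DigestAlgorithmIdentifier,
 *     digest Digest }
 *
 * DigestAlgorithmIdentifier ::= AlgorithmIdentifier
 *
 * Digest ::= OCTET STRING
 *
 * The three macros below are the fixed DER prefix that precedes the raw
 * digest in a PKCS#1 v1.5 signature block. All three expand to a plain
 * string-literal concatenation (no surrounding parentheses), so each can
 * initialise a char array or be concatenated with further literals.
 *
 * Length bytes: the outer SEQUENCE length is (prefix length - 2) plus
 * the digest length; the inner SEQUENCE length covers the OID TLV plus
 * the NULL parameters; the OCTET STRING length is the digest length
 * (16 for MD2/MD4/MD5, 20 for SHA-1). ASN1_HASH_SHA2X leaves the two
 * digest-dependent lengths at their digest-independent part (0x11 and
 * 0x00) and they must be adjusted for the chosen SHA-2 variant.
 *
 * Security note for whoever maintains the verify path: a PKCS#1 v1.5
 * verifier must compare the *entire* decoded block against the expected
 * 00 01 FF..FF 00 || prefix || digest -- including these length bytes
 * and the NULL parameters -- and must reject any trailing bytes.
 * Checking only that the prefix and the digest appear somewhere permits
 * signature forgery under small public exponents (Bleichenbacher 2006).
 */
#define ASN1_HASH_MDX                                   \
    ASN1_STR_CONSTRUCTED_SEQUENCE "\x20"                \
      ASN1_STR_CONSTRUCTED_SEQUENCE "\x0C"              \
        ASN1_STR_OID "\x08"                             \
          OID_DIGEST_ALG_MDX                            \
        ASN1_STR_NULL "\x00"                            \
      ASN1_STR_OCTET_STRING "\x10"

#define ASN1_HASH_SHA1                                  \
    ASN1_STR_CONSTRUCTED_SEQUENCE "\x21"                \
      ASN1_STR_CONSTRUCTED_SEQUENCE "\x09"              \
        ASN1_STR_OID "\x05"                             \
          OID_HASH_ALG_SHA1                             \
        ASN1_STR_NULL "\x00"                            \
      ASN1_STR_OCTET_STRING "\x14"

#define ASN1_HASH_SHA2X                                 \
    ASN1_STR_CONSTRUCTED_SEQUENCE "\x11"                \
      ASN1_STR_CONSTRUCTED_SEQUENCE "\x0d"              \
        ASN1_STR_OID "\x09"                             \
          OID_HASH_ALG_SHA2X                            \
        ASN1_STR_NULL "\x00"                            \
      ASN1_STR_OCTET_STRING "\x00"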
122 | |
/**
 * \brief RSA context structure
 *
 * Holds the public modulus and exponent and, for a private key, the
 * private exponent plus the CRT parameters. D, P, Q, DP, DQ and QP are
 * secret material: release the context with rsa_free() as soon as the
 * key is no longer needed. RN, RP and RQ are caches derived from the
 * respective moduli, not independent key material.
 *
 * 'len' is the byte length of N; every input/output buffer handed to
 * the rsa_* functions in this header must be at least this large.
 */
typedef struct
{
    int ver;                    /*!< always 0 (looks like the PKCS#1
                                     RSAPrivateKey version field) */
    int len;                    /*!< size(N) in chars, i.e. bytes */

    mpi N;                      /*!< public modulus */
    mpi E;                      /*!< public exponent */

    mpi D;                      /*!< private exponent (secret) */
    mpi P;                      /*!< 1st prime factor (secret) */
    mpi Q;                      /*!< 2nd prime factor (secret) */
    mpi DP;                     /*!< D % (P - 1), CRT exponent (secret) */
    mpi DQ;                     /*!< D % (Q - 1), CRT exponent (secret) */
    mpi QP;                     /*!< 1 / Q mod P, CRT coefficient (secret) */

    mpi RN;                     /*!< cached R^2 mod N */
    mpi RP;                     /*!< cached R^2 mod P */
    mpi RQ;                     /*!< cached R^2 mod Q */

    int padding;                /*!< RSA_PKCS_V15 (1.5) or RSA_PKCS_V21 (OAEP/PSS) */
    int hash_id;                /*!< hash identifier */
}
rsa_context;
149 | ||
150 | #ifdef __cplusplus | |
151 | extern "C" { | |
152 | #endif | |
153 | ||
/**
 * \brief Initialize an RSA context
 *
 * Records the padding mode and hash identifier in ctx. No key material
 * is produced here; use rsa_gen_key() or load a key by other means.
 * Pair every rsa_init() with an rsa_free(), including on error paths.
 *
 * \param ctx      RSA context to be initialized
 * \param padding  RSA_PKCS_V15 or RSA_PKCS_V21
 * \param hash_id  RSA_PKCS_V21 hash identifier
 *
 * \note The hash_id parameter is actually ignored
 *       when using RSA_PKCS_V15 padding.
 *
 * \note Currently, RSA_PKCS_V21 padding (OAEP/PSS)
 *       is not supported, so RSA_PKCS_V15 is the only
 *       usable choice in this version.
 */
void rsa_init( rsa_context *ctx,
               int padding,
               int hash_id);
170 | |
/**
 * \brief Generate an RSA keypair
 *
 * \param ctx      RSA context that will hold the key
 * \param f_rng    RNG function
 * \param p_rng    RNG parameter (passed through to f_rng)
 * \param nbits    size of the public key in bits
 * \param exponent public exponent (e.g., 65537)
 *
 * \note rsa_init() must be called beforehand to setup
 *       the RSA context.
 *
 * \note The strength of the generated key rests entirely on f_rng:
 *       it must be a cryptographically secure, properly seeded
 *       generator, never rand() or a fixed test source. As declared,
 *       the callback returns its randomness in its int return value
 *       rather than filling a buffer; how many bits are used per call
 *       is decided in rsa.c, not here.
 *
 * \note Use nbits >= 2048 for new keys; 1024-bit RSA is no longer
 *       considered adequate. 65537 is the customary exponent. Very small
 *       exponents such as 3 are legal but leave less margin against
 *       padding mistakes on the verify/decrypt side.
 *
 * \return 0 if successful, or a POLARSSL_ERR_RSA_XXX error code
 */
int rsa_gen_key( rsa_context *ctx,
                 int (*f_rng)(void *),
                 void *p_rng,
                 int nbits, int exponent );
189 | |
/**
 * \brief Check a public RSA key
 *
 * Validates the public part (N, E) of a context. Run it on every key
 * that came from outside -- a certificate, a file, a peer -- before
 * using the key with rsa_public() or rsa_pkcs1_verify(). The exact
 * conditions tested are defined in rsa.c.
 *
 * \param ctx      RSA context to be checked
 *
 * \return 0 if successful, or a POLARSSL_ERR_RSA_XXX error code
 */
int rsa_check_pubkey( const rsa_context *ctx );
198 | |
/**
 * \brief Check a private RSA key
 *
 * Validates the private part of a context, presumably including that
 * P, Q, D and the CRT members agree with each other (see rsa.c for the
 * actual tests). Run it on any private key loaded from storage or
 * received from elsewhere before calling rsa_private() or
 * rsa_pkcs1_sign(); an inconsistent key can yield wrong results that
 * leak the private key.
 *
 * \param ctx      RSA context to be checked
 *
 * \return 0 if successful, or a POLARSSL_ERR_RSA_XXX error code
 */
int rsa_check_privkey( const rsa_context *ctx );
207 | |
/**
 * \brief Do an RSA public key operation
 *
 * Raw modular exponentiation with the public exponent:
 * output = input^E mod N.
 *
 * \param ctx      RSA context
 * \param input    input buffer
 * \param output   output buffer
 *
 * \return 0 if successful, or a POLARSSL_ERR_RSA_XXX error code
 *
 * \note This function does NOT take care of message
 *       padding. Textbook RSA is malleable and preserves
 *       structure in the plaintext; use rsa_pkcs1_encrypt() /
 *       rsa_pkcs1_verify() unless you are implementing a padding
 *       scheme yourself.
 *
 * \note input is interpreted as a big-endian integer of ctx->len
 *       bytes (hence the input[0] advice) and must be numerically
 *       smaller than N. Either set input[0] = 0 or otherwise ensure
 *       that input < N.
 *
 * \note The input and output buffers must be large
 *       enough (eg. 128 bytes if RSA-1024 is used).
 */
int rsa_public( rsa_context *ctx,
                const unsigned char *input,
                unsigned char *output );
227 | ||
/**
 * \brief Do an RSA private key operation
 *
 * Raw modular exponentiation with the private key:
 * output = input^D mod N (rsa.c may compute this via the CRT members
 * DP, DQ and QP rather than D directly).
 *
 * \param ctx      RSA context
 * \param input    input buffer
 * \param output   output buffer
 *
 * \return 0 if successful, or a POLARSSL_ERR_RSA_XXX error code
 *
 * \note Same caveats as rsa_public(): no padding is applied, and the
 *       input, read as a big-endian integer of ctx->len bytes, must
 *       be smaller than N.
 *
 * \note NOTE(review): whether this operation is blinded against
 *       timing side channels is decided in rsa.c / bignum.c and is not
 *       visible here; confirm before exposing it to remote callers.
 *
 * \note The input and output buffers must be large
 *       enough (eg. 128 bytes if RSA-1024 is used).
 */
int rsa_private( rsa_context *ctx,
                 const unsigned char *input,
                 unsigned char *output );
243 | ||
/**
 * \brief Add the message padding, then do an RSA operation
 *
 * \param ctx      RSA context
 * \param f_rng    RNG function. PKCS#1 v1.5 encryption padding is
 *                 made of random non-zero bytes that must be
 *                 unpredictable, so this has to be a secure RNG.
 * \param p_rng    RNG parameter (passed through to f_rng)
 * \param mode     RSA_PUBLIC or RSA_PRIVATE
 * \param ilen     contains the plaintext length
 * \param input    buffer holding the data to be encrypted
 * \param output   buffer that will hold the ciphertext
 *
 * \return 0 if successful, or a POLARSSL_ERR_RSA_XXX error code
 *
 * \note The output buffer must be as large as the size
 *       of ctx->N (eg. 128 bytes if RSA-1024 is used).
 *
 * \note PKCS#1 v1.5 needs at least 11 bytes of padding, so ilen can be
 *       at most ctx->len - 11. Longer inputs cannot be encoded and
 *       must be rejected; which error code rsa.c returns for that case
 *       is not visible in this header.
 */
int rsa_pkcs1_encrypt( rsa_context *ctx,
                       int (*f_rng)(void *),
                       void *p_rng,
                       int mode, int ilen,
                       const unsigned char *input,
                       unsigned char *output );
266 | ||
/**
 * \brief Do an RSA operation, then remove the message padding
 *
 * \param ctx            RSA context
 * \param mode           RSA_PUBLIC or RSA_PRIVATE
 * \param olen           will contain the plaintext length
 * \param input          buffer holding the encrypted data (one full
 *                       RSA block, i.e. ctx->len bytes)
 * \param output         buffer that will hold the plaintext
 * \param output_max_len maximum length of the output buffer
 *
 * \return 0 if successful, or a POLARSSL_ERR_RSA_XXX error code
 *
 * \note output_max_len bounds what is written to output. If the
 *       unpadded plaintext does not fit, an error is returned (by its
 *       name, POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE) rather than the buffer
 *       being overrun. Passing output_max_len >= ctx->len always
 *       suffices.
 *
 * \note Padding-oracle warning. PKCS#1 v1.5 decryption is attackable
 *       (Bleichenbacher 1998) whenever an adversary can learn whether
 *       the padding check passed. Do not surface
 *       POLARSSL_ERR_RSA_INVALID_PADDING to a remote peer as a distinct
 *       error, do not let it change response timing, and for key
 *       exchange substitute a random secret on failure and carry on as
 *       if decryption had succeeded (the TLS countermeasure).
 */
int rsa_pkcs1_decrypt( rsa_context *ctx,
                       int mode, int *olen,
                       const unsigned char *input,
                       unsigned char *output,
                       int output_max_len );
288 | |
/**
 * \brief Do a private RSA operation to sign a message digest
 *        (PKCS#1 v1.5 signature encoding of the digest, then the
 *        RSA operation selected by mode)
 *
 * \param ctx      RSA context
 * \param mode     RSA_PUBLIC or RSA_PRIVATE
 * \param hash_id  SIG_RSA_RAW, SIG_RSA_MD{2,4,5} or SIG_RSA_SHA{1,224,256,384,512}
 * \param hashlen  message digest length (for SIG_RSA_RAW only)
 * \param hash     buffer holding the message digest
 * \param sig      buffer that will hold the signature
 *
 * \return 0 if the signing operation was successful,
 *         or a POLARSSL_ERR_RSA_XXX error code
 *
 * \note The "sig" buffer must be as large as the size
 *       of ctx->N (eg. 128 bytes if RSA-1024 is used).
 *
 * \note For every hash_id other than SIG_RSA_RAW the digest length is
 *       implied by hash_id and hashlen is not used, so hash must really
 *       contain a digest of that algorithm (16, 20, 28, 32, 48 or 64
 *       bytes respectively).
 *
 * \note Do not produce new signatures with MD2/MD4/MD5 -- all three are
 *       broken -- and prefer SHA-256 or stronger over SHA-1.
 */
int rsa_pkcs1_sign( rsa_context *ctx,
                    int mode,
                    int hash_id,
                    int hashlen,
                    const unsigned char *hash,
                    unsigned char *sig );
311 | ||
/**
 * \brief Do a public RSA operation and check the message digest
 *
 * \param ctx      points to an RSA public key
 * \param mode     RSA_PUBLIC or RSA_PRIVATE
 * \param hash_id  SIG_RSA_RAW, SIG_RSA_MD{2,4,5} or SIG_RSA_SHA{1,224,256,384,512}
 * \param hashlen  message digest length (for SIG_RSA_RAW only)
 * \param hash     buffer holding the message digest
 * \param sig      buffer holding the signature (declared non-const;
 *                 do not assume it is left untouched)
 *
 * \return 0 if the verify operation was successful,
 *         or a POLARSSL_ERR_RSA_XXX error code
 *
 * \note The "sig" buffer must be as large as the size
 *       of ctx->N (eg. 128 bytes if RSA-1024 is used).
 *
 * \note Only a return value of exactly 0 means the signature is valid.
 *       Treat every non-zero value as a failed verification.
 *
 * \note hash_id is chosen by the caller, never by the signature. Decide
 *       from your protocol which digest is acceptable -- reject
 *       MD2/MD4/MD5, and SHA-1 where you can -- and pass that, so a
 *       forger cannot pick a weaker hash.
 *
 * \note NOTE(review): a correct PKCS#1 v1.5 verifier compares the whole
 *       decoded block (padding, DigestInfo length bytes, NULL
 *       parameters, digest, and no trailing bytes). Confirm rsa.c does
 *       so; prefix-only checks allow forgeries under small public
 *       exponents (Bleichenbacher 2006).
 */
int rsa_pkcs1_verify( rsa_context *ctx,
                      int mode,
                      int hash_id,
                      int hashlen,
                      const unsigned char *hash,
                      unsigned char *sig );
334 | ||
/**
 * \brief Free the components of an RSA key
 *
 * Releases the mpi members of ctx. Call it on every context that went
 * through rsa_init(), on error paths too, so private material does not
 * linger in the heap. NOTE(review): whether the limbs are zeroised
 * before release is decided by mpi_free() in bignum.c, not here --
 * confirm if that matters for your threat model.
 *
 * \param ctx      RSA Context to free
 */
void rsa_free( rsa_context *ctx );
341 | ||
/**
 * \brief Checkup routine
 *
 * Runs the module's built-in known-answer tests. A passing self-test
 * says the code matches its test vectors, not that the key material a
 * program later loads is sound; validate keys with rsa_check_pubkey() /
 * rsa_check_privkey() separately.
 *
 * \param verbose  presumably non-zero to print progress (see rsa.c)
 *
 * \return 0 if successful, or 1 if the test failed
 */
int rsa_self_test( int verbose );
62d3e98d | 348 | |
349 | #ifdef __cplusplus |
350 | } | |
351 | #endif | |
352 | ||
353 | #endif /* rsa.h */ |