| 1 | /** |
| 2 | * \file rsa.h |
| 3 | * |
| 4 | * Copyright (C) 2006-2010, Brainspark B.V. |
| 5 | * |
| 6 | * This file is part of PolarSSL (http://www.polarssl.org) |
| 7 | * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org> |
| 8 | * |
| 9 | * All rights reserved. |
| 10 | * |
| 11 | * This program is free software; you can redistribute it and/or modify |
| 12 | * it under the terms of the GNU General Public License as published by |
| 13 | * the Free Software Foundation; either version 2 of the License, or |
| 14 | * (at your option) any later version. |
| 15 | * |
| 16 | * This program is distributed in the hope that it will be useful, |
| 17 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 18 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 19 | * GNU General Public License for more details. |
| 20 | * |
| 21 | * You should have received a copy of the GNU General Public License along |
| 22 | * with this program; if not, write to the Free Software Foundation, Inc., |
| 23 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
| 24 | */ |
| 25 | |
| 26 | #ifndef POLARSSL_RSA_H |
| 27 | #define POLARSSL_RSA_H |
| 28 | |
| 29 | #include "bignum.h" |
| 30 | |
| 31 | /* |
| 32 | * RSA Error codes |
| 33 | */ |
| 34 | #define POLARSSL_ERR_RSA_BAD_INPUT_DATA -0x0400 |
| 35 | #define POLARSSL_ERR_RSA_INVALID_PADDING -0x0410 |
| 36 | #define POLARSSL_ERR_RSA_KEY_GEN_FAILED -0x0420 |
| 37 | #define POLARSSL_ERR_RSA_KEY_CHECK_FAILED -0x0430 |
| 38 | #define POLARSSL_ERR_RSA_PUBLIC_FAILED -0x0440 |
| 39 | #define POLARSSL_ERR_RSA_PRIVATE_FAILED -0x0450 |
| 40 | #define POLARSSL_ERR_RSA_VERIFY_FAILED -0x0460 |
| 41 | #define POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE -0x0470 |
| 42 | #define POLARSSL_ERR_RSA_RNG_FAILED -0x0480 |
| 43 | |
| 44 | /* *************** begin copy from x509.h ************************/ |
| 45 | /* |
| 46 | * ASN1 Error codes |
| 47 | * |
| 48 | * These error codes will be OR'ed to X509 error codes for |
| 49 | * higher error granularity. |
| 50 | */ |
| 51 | #define POLARSSL_ERR_ASN1_OUT_OF_DATA 0x0014 |
| 52 | #define POLARSSL_ERR_ASN1_UNEXPECTED_TAG 0x0016 |
| 53 | #define POLARSSL_ERR_ASN1_INVALID_LENGTH 0x0018 |
| 54 | #define POLARSSL_ERR_ASN1_LENGTH_MISMATCH 0x001A |
| 55 | #define POLARSSL_ERR_ASN1_INVALID_DATA 0x001C |
| 56 | |
| 57 | /* |
| 58 | * X509 Error codes |
| 59 | */ |
| 60 | #define POLARSSL_ERR_X509_FEATURE_UNAVAILABLE -0x0020 |
| 61 | #define POLARSSL_ERR_X509_CERT_INVALID_PEM -0x0040 |
| 62 | #define POLARSSL_ERR_X509_CERT_INVALID_FORMAT -0x0060 |
| 63 | #define POLARSSL_ERR_X509_CERT_INVALID_VERSION -0x0080 |
| 64 | #define POLARSSL_ERR_X509_CERT_INVALID_SERIAL -0x00A0 |
| 65 | #define POLARSSL_ERR_X509_CERT_INVALID_ALG -0x00C0 |
| 66 | #define POLARSSL_ERR_X509_CERT_INVALID_NAME -0x00E0 |
| 67 | #define POLARSSL_ERR_X509_CERT_INVALID_DATE -0x0100 |
| 68 | #define POLARSSL_ERR_X509_CERT_INVALID_PUBKEY -0x0120 |
| 69 | #define POLARSSL_ERR_X509_CERT_INVALID_SIGNATURE -0x0140 |
| 70 | #define POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS -0x0160 |
| 71 | #define POLARSSL_ERR_X509_CERT_UNKNOWN_VERSION -0x0180 |
| 72 | #define POLARSSL_ERR_X509_CERT_UNKNOWN_SIG_ALG -0x01A0 |
| 73 | #define POLARSSL_ERR_X509_CERT_UNKNOWN_PK_ALG -0x01C0 |
| 74 | #define POLARSSL_ERR_X509_CERT_SIG_MISMATCH -0x01E0 |
| 75 | #define POLARSSL_ERR_X509_CERT_VERIFY_FAILED -0x0200 |
| 76 | #define POLARSSL_ERR_X509_KEY_INVALID_PEM -0x0220 |
| 77 | #define POLARSSL_ERR_X509_KEY_INVALID_VERSION -0x0240 |
| 78 | #define POLARSSL_ERR_X509_KEY_INVALID_FORMAT -0x0260 |
| 79 | #define POLARSSL_ERR_X509_KEY_INVALID_ENC_IV -0x0280 |
| 80 | #define POLARSSL_ERR_X509_KEY_UNKNOWN_ENC_ALG -0x02A0 |
| 81 | #define POLARSSL_ERR_X509_KEY_PASSWORD_REQUIRED -0x02C0 |
| 82 | #define POLARSSL_ERR_X509_KEY_PASSWORD_MISMATCH -0x02E0 |
| 83 | #define POLARSSL_ERR_X509_POINT_ERROR -0x0300 |
| 84 | #define POLARSSL_ERR_X509_VALUE_TO_LENGTH -0x0320 |
| 85 | |
| 86 | /* |
| 87 | * DER constants |
| 88 | */ |
| 89 | #define ASN1_BOOLEAN 0x01 |
| 90 | #define ASN1_INTEGER 0x02 |
| 91 | #define ASN1_BIT_STRING 0x03 |
| 92 | #define ASN1_OCTET_STRING 0x04 |
| 93 | #define ASN1_NULL 0x05 |
| 94 | #define ASN1_OID 0x06 |
| 95 | #define ASN1_UTF8_STRING 0x0C |
| 96 | #define ASN1_SEQUENCE 0x10 |
| 97 | #define ASN1_SET 0x11 |
| 98 | #define ASN1_PRINTABLE_STRING 0x13 |
| 99 | #define ASN1_T61_STRING 0x14 |
| 100 | #define ASN1_IA5_STRING 0x16 |
| 101 | #define ASN1_UTC_TIME 0x17 |
| 102 | #define ASN1_GENERALIZED_TIME 0x18 |
| 103 | #define ASN1_UNIVERSAL_STRING 0x1C |
| 104 | #define ASN1_BMP_STRING 0x1E |
| 105 | #define ASN1_PRIMITIVE 0x00 |
| 106 | #define ASN1_CONSTRUCTED 0x20 |
| 107 | #define ASN1_CONTEXT_SPECIFIC 0x80 |
| 108 | /* *************** end copy from x509.h ************************/ |
| 109 | |
| 110 | /* |
| 111 | * PKCS#1 constants |
| 112 | */ |
| 113 | #define SIG_RSA_RAW 0 |
| 114 | #define SIG_RSA_MD2 2 |
| 115 | #define SIG_RSA_MD4 3 |
| 116 | #define SIG_RSA_MD5 4 |
| 117 | #define SIG_RSA_SHA1 5 |
| 118 | #define SIG_RSA_SHA224 14 |
| 119 | #define SIG_RSA_SHA256 11 |
| 120 | #define SIG_RSA_SHA384 12 |
| 121 | #define SIG_RSA_SHA512 13 |
| 122 | |
| 123 | #define RSA_PUBLIC 0 |
| 124 | #define RSA_PRIVATE 1 |
| 125 | |
| 126 | #define RSA_PKCS_V15 0 |
| 127 | #define RSA_PKCS_V21 1 |
| 128 | |
| 129 | #define RSA_SIGN 1 |
| 130 | #define RSA_CRYPT 2 |
| 131 | |
| 132 | #define ASN1_STR_CONSTRUCTED_SEQUENCE "\x30" |
| 133 | #define ASN1_STR_NULL "\x05" |
| 134 | #define ASN1_STR_OID "\x06" |
| 135 | #define ASN1_STR_OCTET_STRING "\x04" |
| 136 | |
| 137 | #define OID_DIGEST_ALG_MDX "\x2A\x86\x48\x86\xF7\x0D\x02\x00" |
| 138 | #define OID_HASH_ALG_SHA1 "\x2b\x0e\x03\x02\x1a" |
| 139 | #define OID_HASH_ALG_SHA2X "\x60\x86\x48\x01\x65\x03\x04\x02\x00" |
| 140 | |
| 141 | #define OID_ISO_MEMBER_BODIES "\x2a" |
| 142 | #define OID_ISO_IDENTIFIED_ORG "\x2b" |
| 143 | |
| 144 | /* |
| 145 | * ISO Member bodies OID parts |
| 146 | */ |
| 147 | #define OID_COUNTRY_US "\x86\x48" |
| 148 | #define OID_RSA_DATA_SECURITY "\x86\xf7\x0d" |
| 149 | |
| 150 | /* |
| 151 | * ISO Identified organization OID parts |
| 152 | */ |
| 153 | #define OID_OIW_SECSIG_SHA1 "\x0e\x03\x02\x1a" |
| 154 | |
| 155 | /* |
| 156 | * DigestInfo ::= SEQUENCE { |
| 157 | * digestAlgorithm DigestAlgorithmIdentifier, |
| 158 | * digest Digest } |
| 159 | * |
| 160 | * DigestAlgorithmIdentifier ::= AlgorithmIdentifier |
| 161 | * |
| 162 | * Digest ::= OCTET STRING |
| 163 | */ |
| 164 | #define ASN1_HASH_MDX \ |
| 165 | ( \ |
| 166 | ASN1_STR_CONSTRUCTED_SEQUENCE "\x20" \ |
| 167 | ASN1_STR_CONSTRUCTED_SEQUENCE "\x0C" \ |
| 168 | ASN1_STR_OID "\x08" \ |
| 169 | OID_DIGEST_ALG_MDX \ |
| 170 | ASN1_STR_NULL "\x00" \ |
| 171 | ASN1_STR_OCTET_STRING "\x10" \ |
| 172 | ) |
| 173 | |
| 174 | #define ASN1_HASH_SHA1 \ |
| 175 | ASN1_STR_CONSTRUCTED_SEQUENCE "\x21" \ |
| 176 | ASN1_STR_CONSTRUCTED_SEQUENCE "\x09" \ |
| 177 | ASN1_STR_OID "\x05" \ |
| 178 | OID_HASH_ALG_SHA1 \ |
| 179 | ASN1_STR_NULL "\x00" \ |
| 180 | ASN1_STR_OCTET_STRING "\x14" |
| 181 | |
| 182 | #define ASN1_HASH_SHA2X \ |
| 183 | ASN1_STR_CONSTRUCTED_SEQUENCE "\x11" \ |
| 184 | ASN1_STR_CONSTRUCTED_SEQUENCE "\x0d" \ |
| 185 | ASN1_STR_OID "\x09" \ |
| 186 | OID_HASH_ALG_SHA2X \ |
| 187 | ASN1_STR_NULL "\x00" \ |
| 188 | ASN1_STR_OCTET_STRING "\x00" |
| 189 | |
| 190 | /** |
| 191 | * \brief RSA context structure |
| 192 | */ |
| 193 | typedef struct |
| 194 | { |
| 195 | int ver; /*!< always 0 */ |
| 196 | int len; /*!< size(N) in chars */ |
| 197 | |
| 198 | mpi N; /*!< public modulus */ |
| 199 | mpi E; /*!< public exponent */ |
| 200 | |
| 201 | mpi D; /*!< private exponent */ |
| 202 | mpi P; /*!< 1st prime factor */ |
| 203 | mpi Q; /*!< 2nd prime factor */ |
| 204 | mpi DP; /*!< D % (P - 1) */ |
| 205 | mpi DQ; /*!< D % (Q - 1) */ |
| 206 | mpi QP; /*!< 1 / (Q % P) */ |
| 207 | |
| 208 | mpi RN; /*!< cached R^2 mod N */ |
| 209 | mpi RP; /*!< cached R^2 mod P */ |
| 210 | mpi RQ; /*!< cached R^2 mod Q */ |
| 211 | |
| 212 | int padding; /*!< 1.5 or OAEP/PSS */ |
| 213 | int hash_id; /*!< hash identifier */ |
| 214 | } |
| 215 | rsa_context; |
| 216 | |
| 217 | #ifdef __cplusplus |
| 218 | extern "C" { |
| 219 | #endif |
| 220 | |
| 221 | /** |
| 222 | * \brief Initialize an RSA context |
| 223 | * |
| 224 | * \param ctx RSA context to be initialized |
| 225 | * \param padding RSA_PKCS_V15 or RSA_PKCS_V21 |
| 226 | * \param hash_id RSA_PKCS_V21 hash identifier |
| 227 | * |
| 228 | * \note The hash_id parameter is actually ignored |
| 229 | * when using RSA_PKCS_V15 padding. |
| 230 | * |
| 231 | * \note Currently, RSA_PKCS_V21 padding |
| 232 | * is not supported. |
| 233 | */ |
| 234 | void rsa_init( rsa_context *ctx, |
| 235 | int padding, |
| 236 | int hash_id); |
| 237 | |
| 238 | /** |
| 239 | * \brief Generate an RSA keypair |
| 240 | * |
| 241 | * \param ctx RSA context that will hold the key |
| 242 | * \param f_rng RNG function |
| 243 | * \param p_rng RNG parameter |
| 244 | * \param nbits size of the public key in bits |
| 245 | * \param exponent public exponent (e.g., 65537) |
| 246 | * |
| 247 | * \note rsa_init() must be called beforehand to setup |
| 248 | * the RSA context. |
| 249 | * |
| 250 | * \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code |
| 251 | */ |
| 252 | int rsa_gen_key( rsa_context *ctx, |
| 253 | int (*f_rng)(void *), |
| 254 | void *p_rng, |
| 255 | int nbits, int exponent ); |
| 256 | |
| 257 | /** |
| 258 | * \brief Check a public RSA key |
| 259 | * |
| 260 | * \param ctx RSA context to be checked |
| 261 | * |
| 262 | * \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code |
| 263 | */ |
| 264 | int rsa_check_pubkey( const rsa_context *ctx ); |
| 265 | |
| 266 | /** |
| 267 | * \brief Check a private RSA key |
| 268 | * |
| 269 | * \param ctx RSA context to be checked |
| 270 | * |
| 271 | * \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code |
| 272 | */ |
| 273 | int rsa_check_privkey( const rsa_context *ctx ); |
| 274 | |
| 275 | /** |
| 276 | * \brief Do an RSA public key operation |
| 277 | * |
| 278 | * \param ctx RSA context |
| 279 | * \param input input buffer |
| 280 | * \param output output buffer |
| 281 | * |
| 282 | * \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code |
| 283 | * |
| 284 | * \note This function does NOT take care of message |
| 285 | * padding. Also, be sure to set input[0] = 0 or assure that |
| 286 | * input is smaller than N. |
| 287 | * |
| 288 | * \note The input and output buffers must be large |
| 289 | * enough (eg. 128 bytes if RSA-1024 is used). |
| 290 | */ |
| 291 | int rsa_public( rsa_context *ctx, |
| 292 | const unsigned char *input, |
| 293 | unsigned char *output ); |
| 294 | |
| 295 | /** |
| 296 | * \brief Do an RSA private key operation |
| 297 | * |
| 298 | * \param ctx RSA context |
| 299 | * \param input input buffer |
| 300 | * \param output output buffer |
| 301 | * |
| 302 | * \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code |
| 303 | * |
| 304 | * \note The input and output buffers must be large |
| 305 | * enough (eg. 128 bytes if RSA-1024 is used). |
| 306 | */ |
| 307 | int rsa_private( rsa_context *ctx, |
| 308 | const unsigned char *input, |
| 309 | unsigned char *output ); |
| 310 | |
| 311 | /** |
| 312 | * \brief Add the message padding, then do an RSA operation |
| 313 | * |
| 314 | * \param ctx RSA context |
| 315 | * \param f_rng RNG function |
| 316 | * \param p_rng RNG parameter |
| 317 | * \param mode RSA_PUBLIC or RSA_PRIVATE |
| 318 | * \param ilen contains the plaintext length |
| 319 | * \param input buffer holding the data to be encrypted |
| 320 | * \param output buffer that will hold the ciphertext |
| 321 | * |
| 322 | * \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code |
| 323 | * |
| 324 | * \note The output buffer must be as large as the size |
| 325 | * of ctx->N (eg. 128 bytes if RSA-1024 is used). |
| 326 | */ |
| 327 | int rsa_pkcs1_encrypt( rsa_context *ctx, |
| 328 | int (*f_rng)(void *), |
| 329 | void *p_rng, |
| 330 | int mode, int ilen, |
| 331 | const unsigned char *input, |
| 332 | unsigned char *output ); |
| 333 | |
| 334 | /** |
| 335 | * \brief Do an RSA operation, then remove the message padding |
| 336 | * |
| 337 | * \param ctx RSA context |
| 338 | * \param mode RSA_PUBLIC or RSA_PRIVATE |
| 339 | * \param input buffer holding the encrypted data |
| 340 | * \param output buffer that will hold the plaintext |
| 341 | * \param olen will contain the plaintext length |
| 342 | * \param output_max_len maximum length of the output buffer |
| 343 | * |
| 344 | * \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code |
| 345 | * |
| 346 | * \note The output buffer must be as large as the size |
| 347 | * of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise |
| 348 | * an error is thrown. |
| 349 | */ |
| 350 | int rsa_pkcs1_decrypt( rsa_context *ctx, |
| 351 | int mode, int *olen, |
| 352 | const unsigned char *input, |
| 353 | unsigned char *output, |
| 354 | int output_max_len ); |
| 355 | |
| 356 | /** |
| 357 | * \brief Do a private RSA to sign a message digest |
| 358 | * |
| 359 | * \param ctx RSA context |
| 360 | * \param mode RSA_PUBLIC or RSA_PRIVATE |
| 361 | * \param hash_id SIG_RSA_RAW, SIG_RSA_MD{2,4,5} or SIG_RSA_SHA{1,224,256,384,512} |
| 362 | * \param hashlen message digest length (for SIG_RSA_RAW only) |
| 363 | * \param hash buffer holding the message digest |
| 364 | * \param sig buffer that will hold the ciphertext |
| 365 | * |
| 366 | * \return 0 if the signing operation was successful, |
| 367 | * or an POLARSSL_ERR_RSA_XXX error code |
| 368 | * |
| 369 | * \note The "sig" buffer must be as large as the size |
| 370 | * of ctx->N (eg. 128 bytes if RSA-1024 is used). |
| 371 | */ |
| 372 | int rsa_pkcs1_sign( rsa_context *ctx, |
| 373 | int mode, |
| 374 | int hash_id, |
| 375 | int hashlen, |
| 376 | const unsigned char *hash, |
| 377 | unsigned char *sig ); |
| 378 | |
| 379 | /** |
| 380 | * \brief Do a public RSA and check the message digest |
| 381 | * |
| 382 | * \param ctx points to an RSA public key |
| 383 | * \param mode RSA_PUBLIC or RSA_PRIVATE |
| 384 | * \param hash_id SIG_RSA_RAW, SIG_RSA_MD{2,4,5} or SIG_RSA_SHA{1,224,256,384,512} |
| 385 | * \param hashlen message digest length (for SIG_RSA_RAW only) |
| 386 | * \param hash buffer holding the message digest |
| 387 | * \param sig buffer holding the ciphertext |
| 388 | * |
| 389 | * \return 0 if the verify operation was successful, |
| 390 | * or an POLARSSL_ERR_RSA_XXX error code |
| 391 | * |
| 392 | * \note The "sig" buffer must be as large as the size |
| 393 | * of ctx->N (eg. 128 bytes if RSA-1024 is used). |
| 394 | */ |
| 395 | int rsa_pkcs1_verify( rsa_context *ctx, |
| 396 | int mode, |
| 397 | int hash_id, |
| 398 | int hashlen, |
| 399 | const unsigned char *hash, |
| 400 | unsigned char *sig ); |
| 401 | |
| 402 | /** |
| 403 | * \brief Free the components of an RSA key |
| 404 | * |
| 405 | * \param ctx RSA Context to free |
| 406 | */ |
| 407 | void rsa_free( rsa_context *ctx ); |
| 408 | |
| 409 | /* PDKIM declarations (not part of polarssl) */ |
| 410 | int rsa_parse_public_key( rsa_context *rsa, unsigned char *buf, int buflen ); |
| 411 | int rsa_parse_key( rsa_context *rsa, unsigned char *buf, int buflen, |
| 412 | unsigned char *pwd, int pwdlen ); |
| 413 | |
| 414 | |
| 415 | #ifdef __cplusplus |
| 416 | } |
| 417 | #endif |
| 418 | |
| 419 | #endif /* rsa.h */ |