use super::{parse_public_key, RsaParameters, N, PUBLIC_KEY_PUBLIC_MODULUS_MAX_LEN};
use crate::{
arithmetic::{bigint, montgomery::Unencoded},
bits, cpu, digest, error,
limb::LIMB_BYTES,
sealed, signature,
};
use untrusted;
#[derive(Debug)]
pub struct Key {
pub n: bigint::Modulus<N>,
pub e: bigint::PublicExponent,
pub n_bits: bits::BitLength,
}
impl Key {
pub fn from_modulus_and_exponent(
n: untrusted::Input,
e: untrusted::Input,
n_min_bits: bits::BitLength,
n_max_bits: bits::BitLength,
e_min_value: u64,
) -> Result<Self, error::KeyRejected> {
let (n, n_bits) = bigint::Modulus::from_be_bytes_with_bit_length(n)?;
const N_MIN_BITS: bits::BitLength = bits::BitLength::from_usize_bits(1024);
assert!(n_min_bits >= N_MIN_BITS);
let n_bits_rounded_up =
bits::BitLength::from_usize_bytes(n_bits.as_usize_bytes_rounded_up())
.map_err(|error::Unspecified| error::KeyRejected::unexpected_error())?;
if n_bits_rounded_up < n_min_bits {
return Err(error::KeyRejected::too_small());
}
if n_bits > n_max_bits {
return Err(error::KeyRejected::too_large());
}
let e = bigint::PublicExponent::from_be_bytes(e, e_min_value)?;
Ok(Self { n, e, n_bits })
}
}
impl signature::VerificationAlgorithm for RsaParameters {
fn verify(
&self,
public_key: untrusted::Input,
msg: untrusted::Input,
signature: untrusted::Input,
) -> Result<(), error::Unspecified> {
let (n, e) = parse_public_key(public_key)?;
verify_rsa_(
self,
(
n.big_endian_without_leading_zero_as_input(),
e.big_endian_without_leading_zero_as_input(),
),
msg,
signature,
)
}
}
impl sealed::Sealed for RsaParameters {}
macro_rules! rsa_params {
( $VERIFY_ALGORITHM:ident, $min_bits:expr, $PADDING_ALGORITHM:expr,
$doc_str:expr ) => {
#[doc=$doc_str]
pub static $VERIFY_ALGORITHM: RsaParameters = RsaParameters {
padding_alg: $PADDING_ALGORITHM,
min_bits: bits::BitLength::from_usize_bits($min_bits),
};
};
}
rsa_params!(
RSA_PKCS1_1024_8192_SHA1_FOR_LEGACY_USE_ONLY,
1024,
&super::padding::RSA_PKCS1_SHA1_FOR_LEGACY_USE_ONLY,
"Verification of signatures using RSA keys of 1024-8192 bits,
PKCS#1.5 padding, and SHA-1.\n\nSee \"`RSA_PKCS1_*` Details\" in
`ring::signature`'s module-level documentation for more details."
);
rsa_params!(
RSA_PKCS1_2048_8192_SHA1_FOR_LEGACY_USE_ONLY,
2048,
&super::padding::RSA_PKCS1_SHA1_FOR_LEGACY_USE_ONLY,
"Verification of signatures using RSA keys of 2048-8192 bits,
PKCS#1.5 padding, and SHA-1.\n\nSee \"`RSA_PKCS1_*` Details\" in
`ring::signature`'s module-level documentation for more details."
);
rsa_params!(
RSA_PKCS1_1024_8192_SHA256_FOR_LEGACY_USE_ONLY,
1024,
&super::RSA_PKCS1_SHA256,
"Verification of signatures using RSA keys of 1024-8192 bits,
PKCS#1.5 padding, and SHA-256.\n\nSee \"`RSA_PKCS1_*` Details\" in
`ring::signature`'s module-level documentation for more details."
);
rsa_params!(
RSA_PKCS1_2048_8192_SHA256,
2048,
&super::RSA_PKCS1_SHA256,
"Verification of signatures using RSA keys of 2048-8192 bits,
PKCS#1.5 padding, and SHA-256.\n\nSee \"`RSA_PKCS1_*` Details\" in
`ring::signature`'s module-level documentation for more details."
);
rsa_params!(
RSA_PKCS1_2048_8192_SHA384,
2048,
&super::RSA_PKCS1_SHA384,
"Verification of signatures using RSA keys of 2048-8192 bits,
PKCS#1.5 padding, and SHA-384.\n\nSee \"`RSA_PKCS1_*` Details\" in
`ring::signature`'s module-level documentation for more details."
);
rsa_params!(
RSA_PKCS1_2048_8192_SHA512,
2048,
&super::RSA_PKCS1_SHA512,
"Verification of signatures using RSA keys of 2048-8192 bits,
PKCS#1.5 padding, and SHA-512.\n\nSee \"`RSA_PKCS1_*` Details\" in
`ring::signature`'s module-level documentation for more details."
);
rsa_params!(
RSA_PKCS1_3072_8192_SHA384,
3072,
&super::RSA_PKCS1_SHA384,
"Verification of signatures using RSA keys of 3072-8192 bits,
PKCS#1.5 padding, and SHA-384.\n\nSee \"`RSA_PKCS1_*` Details\" in
`ring::signature`'s module-level documentation for more details."
);
rsa_params!(
RSA_PSS_2048_8192_SHA256,
2048,
&super::RSA_PSS_SHA256,
"Verification of signatures using RSA keys of 2048-8192 bits,
PSS padding, and SHA-256.\n\nSee \"`RSA_PSS_*` Details\" in
`ring::signature`'s module-level documentation for more details."
);
rsa_params!(
RSA_PSS_2048_8192_SHA384,
2048,
&super::RSA_PSS_SHA384,
"Verification of signatures using RSA keys of 2048-8192 bits,
PSS padding, and SHA-384.\n\nSee \"`RSA_PSS_*` Details\" in
`ring::signature`'s module-level documentation for more details."
);
rsa_params!(
RSA_PSS_2048_8192_SHA512,
2048,
&super::RSA_PSS_SHA512,
"Verification of signatures using RSA keys of 2048-8192 bits,
PSS padding, and SHA-512.\n\nSee \"`RSA_PSS_*` Details\" in
`ring::signature`'s module-level documentation for more details."
);
#[derive(Debug)]
pub struct RsaPublicKeyComponents<B: AsRef<[u8]> + core::fmt::Debug> {
pub n: B,
pub e: B,
}
impl<B: Copy> Copy for RsaPublicKeyComponents<B> where B: AsRef<[u8]> + core::fmt::Debug {}
impl<B: Clone> Clone for RsaPublicKeyComponents<B>
where
B: AsRef<[u8]> + core::fmt::Debug,
{
fn clone(&self) -> Self {
Self {
n: self.n.clone(),
e: self.e.clone(),
}
}
}
impl<B> RsaPublicKeyComponents<B>
where
B: AsRef<[u8]> + core::fmt::Debug,
{
pub fn verify(
&self,
params: &RsaParameters,
message: &[u8],
signature: &[u8],
) -> Result<(), error::Unspecified> {
let _ = cpu::features();
verify_rsa_(
params,
(
untrusted::Input::from(self.n.as_ref()),
untrusted::Input::from(self.e.as_ref()),
),
untrusted::Input::from(message),
untrusted::Input::from(signature),
)
}
}
pub(crate) fn verify_rsa_(
params: &RsaParameters,
(n, e): (untrusted::Input, untrusted::Input),
msg: untrusted::Input,
signature: untrusted::Input,
) -> Result<(), error::Unspecified> {
let max_bits = bits::BitLength::from_usize_bytes(PUBLIC_KEY_PUBLIC_MODULUS_MAX_LEN)?;
let Key { n, e, n_bits } = Key::from_modulus_and_exponent(n, e, params.min_bits, max_bits, 3)?;
if signature.len() != n_bits.as_usize_bytes_rounded_up() {
return Err(error::Unspecified);
}
let s = bigint::Elem::from_be_bytes_padded(signature, &n)?;
if s.is_zero() {
return Err(error::Unspecified);
}
let m = bigint::elem_exp_vartime(s, e, &n);
let m = m.into_unencoded(&n);
let mut decoded = [0u8; PUBLIC_KEY_PUBLIC_MODULUS_MAX_LEN];
let decoded = fill_be_bytes_n(m, n_bits, &mut decoded);
let m_hash = digest::digest(params.padding_alg.digest_alg(), msg.as_slice_less_safe());
untrusted::Input::from(decoded).read_all(error::Unspecified, |m| {
params.padding_alg.verify(&m_hash, m, n_bits)
})
}
fn fill_be_bytes_n(
elem: bigint::Elem<N, Unencoded>,
n_bits: bits::BitLength,
out: &mut [u8; PUBLIC_KEY_PUBLIC_MODULUS_MAX_LEN],
) -> &[u8] {
let n_bytes = n_bits.as_usize_bytes_rounded_up();
let n_bytes_padded = ((n_bytes + (LIMB_BYTES - 1)) / LIMB_BYTES) * LIMB_BYTES;
let out = &mut out[..n_bytes_padded];
elem.fill_be_bytes(out);
let (padding, out) = out.split_at(n_bytes_padded - n_bytes);
assert!(padding.iter().all(|&b| b == 0));
out
}