3 The RSA publickey algorithm.
5 Copyright (C) 2001, 2002 Niels Möller
7 This file is part of GNU Nettle.
9 GNU Nettle is free software: you can redistribute it and/or
10 modify it under the terms of either:
12 * the GNU Lesser General Public License as published by the Free
13 Software Foundation; either version 3 of the License, or (at your
14 option) any later version.
18 * the GNU General Public License as published by the Free
19 Software Foundation; either version 2 of the License, or (at your
20 option) any later version.
22 or both in parallel, as here.
24 GNU Nettle is distributed in the hope that it will be useful,
25 but WITHOUT ANY WARRANTY; without even the implied warranty of
26 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
27 General Public License for more details.
29 You should have received copies of the GNU General Public License and
30 the GNU Lesser General Public License along with this program. If
31 not, see http://www.gnu.org/licenses/.
34 #ifndef NETTLE_RSA_H_INCLUDED
35 #define NETTLE_RSA_H_INCLUDED
37 #include "nettle-types.h"
49 #define rsa_public_key_init nettle_rsa_public_key_init
50 #define rsa_public_key_clear nettle_rsa_public_key_clear
51 #define rsa_public_key_prepare nettle_rsa_public_key_prepare
52 #define rsa_private_key_init nettle_rsa_private_key_init
53 #define rsa_private_key_clear nettle_rsa_private_key_clear
54 #define rsa_private_key_prepare nettle_rsa_private_key_prepare
55 #define rsa_pkcs1_verify nettle_rsa_pkcs1_verify
56 #define rsa_pkcs1_sign nettle_rsa_pkcs1_sign
57 #define rsa_pkcs1_sign_tr nettle_rsa_pkcs1_sign_tr
58 #define rsa_md5_sign nettle_rsa_md5_sign
59 #define rsa_md5_sign_tr nettle_rsa_md5_sign_tr
60 #define rsa_md5_verify nettle_rsa_md5_verify
61 #define rsa_sha1_sign nettle_rsa_sha1_sign
62 #define rsa_sha1_sign_tr nettle_rsa_sha1_sign_tr
63 #define rsa_sha1_verify nettle_rsa_sha1_verify
64 #define rsa_sha256_sign nettle_rsa_sha256_sign
65 #define rsa_sha256_sign_tr nettle_rsa_sha256_sign_tr
66 #define rsa_sha256_verify nettle_rsa_sha256_verify
67 #define rsa_sha512_sign nettle_rsa_sha512_sign
68 #define rsa_sha512_sign_tr nettle_rsa_sha512_sign_tr
69 #define rsa_sha512_verify nettle_rsa_sha512_verify
70 #define rsa_md5_sign_digest nettle_rsa_md5_sign_digest
71 #define rsa_md5_sign_digest_tr nettle_rsa_md5_sign_digest_tr
72 #define rsa_md5_verify_digest nettle_rsa_md5_verify_digest
73 #define rsa_sha1_sign_digest nettle_rsa_sha1_sign_digest
74 #define rsa_sha1_sign_digest_tr nettle_rsa_sha1_sign_digest_tr
75 #define rsa_sha1_verify_digest nettle_rsa_sha1_verify_digest
76 #define rsa_sha256_sign_digest nettle_rsa_sha256_sign_digest
77 #define rsa_sha256_sign_digest_tr nettle_rsa_sha256_sign_digest_tr
78 #define rsa_sha256_verify_digest nettle_rsa_sha256_verify_digest
79 #define rsa_sha512_sign_digest nettle_rsa_sha512_sign_digest
80 #define rsa_sha512_sign_digest_tr nettle_rsa_sha512_sign_digest_tr
81 #define rsa_sha512_verify_digest nettle_rsa_sha512_verify_digest
82 #define rsa_pss_sha256_sign_digest_tr nettle_rsa_pss_sha256_sign_digest_tr
83 #define rsa_pss_sha256_verify_digest nettle_rsa_pss_sha256_verify_digest
84 #define rsa_pss_sha384_sign_digest_tr nettle_rsa_pss_sha384_sign_digest_tr
85 #define rsa_pss_sha384_verify_digest nettle_rsa_pss_sha384_verify_digest
86 #define rsa_pss_sha512_sign_digest_tr nettle_rsa_pss_sha512_sign_digest_tr
87 #define rsa_pss_sha512_verify_digest nettle_rsa_pss_sha512_verify_digest
88 #define rsa_encrypt nettle_rsa_encrypt
89 #define rsa_decrypt nettle_rsa_decrypt
90 #define rsa_decrypt_tr nettle_rsa_decrypt_tr
91 #define rsa_sec_decrypt nettle_rsa_sec_decrypt
92 #define rsa_compute_root nettle_rsa_compute_root
93 #define rsa_compute_root_tr nettle_rsa_compute_root_tr
94 #define rsa_generate_keypair nettle_rsa_generate_keypair
95 #define rsa_keypair_to_sexp nettle_rsa_keypair_to_sexp
96 #define rsa_keypair_from_sexp_alist nettle_rsa_keypair_from_sexp_alist
97 #define rsa_keypair_from_sexp nettle_rsa_keypair_from_sexp
98 #define rsa_public_key_from_der_iterator nettle_rsa_public_key_from_der_iterator
99 #define rsa_private_key_from_der_iterator nettle_rsa_private_key_from_der_iterator
100 #define rsa_keypair_from_der nettle_rsa_keypair_from_der
101 #define rsa_keypair_to_openpgp nettle_rsa_keypair_to_openpgp
103 /* This limit is somewhat arbitrary. Technically, the smallest modulo
104 which makes sense at all is 15 = 3*5, phi(15) = 8, size 4 bits. But
105 for ridiculously small keys, not all odd e are possible (e.g., for
106 5 bits, the only possible modulo is 3*7 = 21, phi(21) = 12, and e =
107 3 don't work). The smallest size that makes sense with pkcs#1, and
108 which allows RSA encryption of one byte messages, is 12 octets, 89
111 #define RSA_MINIMUM_N_OCTETS 12
112 #define RSA_MINIMUM_N_BITS (8*RSA_MINIMUM_N_OCTETS - 7)
114 struct rsa_public_key
116 /* Size of the modulo, in octets. This is also the size of all
117 * signatures that are created or verified with this key. */
123 /* Public exponent */
127 struct rsa_private_key
131 /* d is filled in by the key generation function; otherwise it's
132 * completely unused. */
135 /* The two factors */
138 /* d % (p-1), i.e. a e = 1 (mod (p-1)) */
141 /* d % (q-1), i.e. b e = 1 (mod (q-1)) */
144 /* modular inverse of q , i.e. c q = 1 (mod p) */
148 /* Signing a message works as follows:
150 * Store the private key in a rsa_private_key struct.
152 * Call rsa_private_key_prepare. This initializes the size attribute
153 * to the length of a signature.
155 * Initialize a hashing context, by callling
158 * Hash the message by calling
161 * Create the signature by calling
164 * The signature is represented as a mpz_t bignum. This call also
165 * resets the hashing context.
167 * When done with the key and signature, don't forget to call
171 /* Calls mpz_init to initialize bignum storage. */
173 rsa_public_key_init(struct rsa_public_key *key);
175 /* Calls mpz_clear to deallocate bignum storage. */
177 rsa_public_key_clear(struct rsa_public_key *key);
180 rsa_public_key_prepare(struct rsa_public_key *key);
182 /* Calls mpz_init to initialize bignum storage. */
184 rsa_private_key_init(struct rsa_private_key *key);
186 /* Calls mpz_clear to deallocate bignum storage. */
188 rsa_private_key_clear(struct rsa_private_key *key);
191 rsa_private_key_prepare(struct rsa_private_key *key);
194 /* PKCS#1 style signatures */
196 rsa_pkcs1_sign(const struct rsa_private_key *key,
197 size_t length, const uint8_t *digest_info,
201 rsa_pkcs1_sign_tr(const struct rsa_public_key *pub,
202 const struct rsa_private_key *key,
203 void *random_ctx, nettle_random_func *random,
204 size_t length, const uint8_t *digest_info,
207 rsa_pkcs1_verify(const struct rsa_public_key *key,
208 size_t length, const uint8_t *digest_info,
209 const mpz_t signature);
212 rsa_md5_sign(const struct rsa_private_key *key,
213 struct md5_ctx *hash,
217 rsa_md5_sign_tr(const struct rsa_public_key *pub,
218 const struct rsa_private_key *key,
219 void *random_ctx, nettle_random_func *random,
220 struct md5_ctx *hash, mpz_t s);
224 rsa_md5_verify(const struct rsa_public_key *key,
225 struct md5_ctx *hash,
226 const mpz_t signature);
229 rsa_sha1_sign(const struct rsa_private_key *key,
230 struct sha1_ctx *hash,
234 rsa_sha1_sign_tr(const struct rsa_public_key *pub,
235 const struct rsa_private_key *key,
236 void *random_ctx, nettle_random_func *random,
237 struct sha1_ctx *hash,
241 rsa_sha1_verify(const struct rsa_public_key *key,
242 struct sha1_ctx *hash,
243 const mpz_t signature);
246 rsa_sha256_sign(const struct rsa_private_key *key,
247 struct sha256_ctx *hash,
251 rsa_sha256_sign_tr(const struct rsa_public_key *pub,
252 const struct rsa_private_key *key,
253 void *random_ctx, nettle_random_func *random,
254 struct sha256_ctx *hash,
258 rsa_sha256_verify(const struct rsa_public_key *key,
259 struct sha256_ctx *hash,
260 const mpz_t signature);
263 rsa_sha512_sign(const struct rsa_private_key *key,
264 struct sha512_ctx *hash,
268 rsa_sha512_sign_tr(const struct rsa_public_key *pub,
269 const struct rsa_private_key *key,
270 void *random_ctx, nettle_random_func *random,
271 struct sha512_ctx *hash,
275 rsa_sha512_verify(const struct rsa_public_key *key,
276 struct sha512_ctx *hash,
277 const mpz_t signature);
279 /* Variants taking the digest as argument. */
281 rsa_md5_sign_digest(const struct rsa_private_key *key,
282 const uint8_t *digest,
286 rsa_md5_sign_digest_tr(const struct rsa_public_key *pub,
287 const struct rsa_private_key *key,
288 void *random_ctx, nettle_random_func *random,
289 const uint8_t *digest, mpz_t s);
292 rsa_md5_verify_digest(const struct rsa_public_key *key,
293 const uint8_t *digest,
294 const mpz_t signature);
297 rsa_sha1_sign_digest(const struct rsa_private_key *key,
298 const uint8_t *digest,
302 rsa_sha1_sign_digest_tr(const struct rsa_public_key *pub,
303 const struct rsa_private_key *key,
304 void *random_ctx, nettle_random_func *random,
305 const uint8_t *digest,
309 rsa_sha1_verify_digest(const struct rsa_public_key *key,
310 const uint8_t *digest,
311 const mpz_t signature);
314 rsa_sha256_sign_digest(const struct rsa_private_key *key,
315 const uint8_t *digest,
319 rsa_sha256_sign_digest_tr(const struct rsa_public_key *pub,
320 const struct rsa_private_key *key,
321 void *random_ctx, nettle_random_func *random,
322 const uint8_t *digest,
326 rsa_sha256_verify_digest(const struct rsa_public_key *key,
327 const uint8_t *digest,
328 const mpz_t signature);
331 rsa_sha512_sign_digest(const struct rsa_private_key *key,
332 const uint8_t *digest,
336 rsa_sha512_sign_digest_tr(const struct rsa_public_key *pub,
337 const struct rsa_private_key *key,
338 void *random_ctx, nettle_random_func *random,
339 const uint8_t *digest,
343 rsa_sha512_verify_digest(const struct rsa_public_key *key,
344 const uint8_t *digest,
345 const mpz_t signature);
347 /* PSS style signatures */
349 rsa_pss_sha256_sign_digest_tr(const struct rsa_public_key *pub,
350 const struct rsa_private_key *key,
351 void *random_ctx, nettle_random_func *random,
352 size_t salt_length, const uint8_t *salt,
353 const uint8_t *digest,
357 rsa_pss_sha256_verify_digest(const struct rsa_public_key *key,
359 const uint8_t *digest,
360 const mpz_t signature);
363 rsa_pss_sha384_sign_digest_tr(const struct rsa_public_key *pub,
364 const struct rsa_private_key *key,
365 void *random_ctx, nettle_random_func *random,
366 size_t salt_length, const uint8_t *salt,
367 const uint8_t *digest,
371 rsa_pss_sha384_verify_digest(const struct rsa_public_key *key,
373 const uint8_t *digest,
374 const mpz_t signature);
377 rsa_pss_sha512_sign_digest_tr(const struct rsa_public_key *pub,
378 const struct rsa_private_key *key,
379 void *random_ctx, nettle_random_func *random,
380 size_t salt_length, const uint8_t *salt,
381 const uint8_t *digest,
385 rsa_pss_sha512_verify_digest(const struct rsa_public_key *key,
387 const uint8_t *digest,
388 const mpz_t signature);
391 /* RSA encryption, using PKCS#1 */
392 /* These functions uses the v1.5 padding. What should the v2 (OAEP)
393 * functions be called? */
395 /* Returns 1 on success, 0 on failure, which happens if the
396 * message is too long for the key. */
398 rsa_encrypt(const struct rsa_public_key *key,
400 void *random_ctx, nettle_random_func *random,
401 size_t length, const uint8_t *cleartext,
404 /* Message must point to a buffer of size *LENGTH. KEY->size is enough
405 * for all valid messages. On success, *LENGTH is updated to reflect
406 * the actual length of the message. Returns 1 on success, 0 on
407 * failure, which happens if decryption failed or if the message
410 rsa_decrypt(const struct rsa_private_key *key,
411 size_t *length, uint8_t *cleartext,
412 const mpz_t ciphertext);
414 /* Timing-resistant version, using randomized RSA blinding. */
416 rsa_decrypt_tr(const struct rsa_public_key *pub,
417 const struct rsa_private_key *key,
418 void *random_ctx, nettle_random_func *random,
419 size_t *length, uint8_t *message,
420 const mpz_t gibberish);
422 /* like rsa_decrypt_tr but with additional side-channel resistance.
423 * NOTE: the length of the final message must be known in advance. */
425 rsa_sec_decrypt(const struct rsa_public_key *pub,
426 const struct rsa_private_key *key,
427 void *random_ctx, nettle_random_func *random,
428 size_t length, uint8_t *message,
429 const mpz_t gibberish);
431 /* Compute x, the e:th root of m. Calling it with x == m is allowed. */
433 rsa_compute_root(const struct rsa_private_key *key,
434 mpz_t x, const mpz_t m);
436 /* Safer variant, using RSA blinding, and checking the result after
439 rsa_compute_root_tr(const struct rsa_public_key *pub,
440 const struct rsa_private_key *key,
441 void *random_ctx, nettle_random_func *random,
442 mpz_t x, const mpz_t m);
446 /* Note that the key structs must be initialized first. */
448 rsa_generate_keypair(struct rsa_public_key *pub,
449 struct rsa_private_key *key,
451 void *random_ctx, nettle_random_func *random,
452 void *progress_ctx, nettle_progress_func *progress,
454 /* Desired size of modulo, in bits */
457 /* Desired size of public exponent, in bits. If
458 * zero, the passed in value pub->e is used. */
462 #define RSA_SIGN(key, algorithm, ctx, length, data, signature) ( \
463 algorithm##_update(ctx, length, data), \
464 rsa_##algorithm##_sign(key, ctx, signature) \
467 #define RSA_VERIFY(key, algorithm, ctx, length, data, signature) ( \
468 algorithm##_update(ctx, length, data), \
469 rsa_##algorithm##_verify(key, ctx, signature) \
473 /* Keys in sexp form. */
475 struct nettle_buffer;
477 /* Generates a public-key expression if PRIV is NULL .*/
479 rsa_keypair_to_sexp(struct nettle_buffer *buffer,
480 const char *algorithm_name, /* NULL means "rsa" */
481 const struct rsa_public_key *pub,
482 const struct rsa_private_key *priv);
484 struct sexp_iterator;
487 rsa_keypair_from_sexp_alist(struct rsa_public_key *pub,
488 struct rsa_private_key *priv,
490 struct sexp_iterator *i);
492 /* If PRIV is NULL, expect a public-key expression. If PUB is NULL,
493 * expect a private key expression and ignore the parts not needed for
495 /* Keys must be initialized before calling this function, as usual. */
497 rsa_keypair_from_sexp(struct rsa_public_key *pub,
498 struct rsa_private_key *priv,
500 size_t length, const uint8_t *expr);
503 /* Keys in PKCS#1 format. */
504 struct asn1_der_iterator;
507 rsa_public_key_from_der_iterator(struct rsa_public_key *pub,
509 struct asn1_der_iterator *i);
512 rsa_private_key_from_der_iterator(struct rsa_public_key *pub,
513 struct rsa_private_key *priv,
515 struct asn1_der_iterator *i);
517 /* For public keys, use PRIV == NULL */
519 rsa_keypair_from_der(struct rsa_public_key *pub,
520 struct rsa_private_key *priv,
522 size_t length, const uint8_t *data);
524 /* OpenPGP format. Experimental interface, subject to change. */
526 rsa_keypair_to_openpgp(struct nettle_buffer *buffer,
527 const struct rsa_public_key *pub,
528 const struct rsa_private_key *priv,
529 /* A single user id. NUL-terminated utf8. */
537 #endif /* NETTLE_RSA_H_INCLUDED */