1/*
2 * ccrsa.h
3 * corecrypto
4 *
5 * Created on 11/16/2010
6 *
7 * Copyright (c) 2010,2011,2012,2014,2015 Apple Inc. All rights reserved.
8 *
9 */
10
11#ifndef _CORECRYPTO_CCRSA_H_
12#define _CORECRYPTO_CCRSA_H_
13
14#include <corecrypto/cc.h>
15#include <corecrypto/ccdigest.h>
16#include <corecrypto/ccrng.h>
17#include <corecrypto/cczp.h>
18#include <stdbool.h>
19
20// Apple does not generate keys of greater than 4096 bits
21// This limit is relaxed to accommodate potential third-party consumers
22#define CCRSA_KEYGEN_MAX_NBITS 8192
23
24struct ccrsa_full_ctx {
25 __CCZP_ELEMENTS_DEFINITIONS(pb_)
26} CC_ALIGNED(CCN_UNIT_SIZE);
27
28struct ccrsa_pub_ctx {
29 __CCZP_ELEMENTS_DEFINITIONS(pb_)
30} CC_ALIGNED(CCN_UNIT_SIZE);
31
32struct ccrsa_priv_ctx {
33 __CCZP_ELEMENTS_DEFINITIONS(pv_)
34} CC_ALIGNED(CCN_UNIT_SIZE);
35
36typedef struct ccrsa_full_ctx* ccrsa_full_ctx_t;
37typedef struct ccrsa_pub_ctx* ccrsa_pub_ctx_t;
38typedef struct ccrsa_priv_ctx* ccrsa_priv_ctx_t;
39
40/*
41 public key cczp d=e^-1 mod phi(m) priv key cczp priv key cczq dp, dq, qinv
42 | | | | |
43 | | | | |
44 +-------+------+-------+------++------++-------+------+---------++-------+------+---------++-------+-------+---------+
45 | zm_hd | m[n] |mr[n+1]| e[n] || d[n] || zp_hd |p[n/2]|pr[n/2+1]|| zq_hd |q[n/2]|qr[n/2+1]||dp[n/2]|dq[n/2]|qinv[n/2]|
46 +-------+------+-------+------++------++-------+------+---------++-------+------+---------++-------+-------+---------+
47 */
48
49 /* Return the size of an ccec_full_ctx where each ccn is _size_ bytes. Get _size_ through ccn_sizeof(nbits) */
50
51/* Return the size of an ccec_full_ctx where each ccn is _size_ bytes. */
52
53#define ccrsa_pub_ctx_size(_size_) (sizeof(struct cczp) + CCN_UNIT_SIZE + 3 * (_size_))
54#define ccrsa_priv_ctx_size(_size_) ((sizeof(struct cczp) + CCN_UNIT_SIZE) * 2 + 7 * ccn_sizeof(ccn_bitsof_size(_size_)/2 + 1))
55#define ccrsa_full_ctx_size(_size_) (ccrsa_pub_ctx_size(_size_) + _size_ + ccrsa_priv_ctx_size(_size_))
56
57/* Declare a fully scheduled rsa key. Size is the size in bytes each ccn in
58 the key. For example to declare (on the stack or in a struct) a 1021 bit
59 rsa public key named foo use ccrsa_pub_ctx_decl(ccn_sizeof(1021), foo).
60 */
61#define ccrsa_full_ctx_decl(_size_, _name_) cc_ctx_decl(struct ccrsa_full_ctx, ccrsa_full_ctx_size(_size_), _name_)
62#define ccrsa_full_ctx_clear(_size_, _name_) cc_clear(ccrsa_full_ctx_size(_size_), _name_)
63#define ccrsa_pub_ctx_decl(_size_, _name_) cc_ctx_decl(struct ccrsa_pub_ctx, ccrsa_pub_ctx_size(_size_), _name_)
64#define ccrsa_pub_ctx_clear(_size_, _name_) cc_clear(ccrsa_pub_ctx_size(_size_), _name_)
65
66// accessors to ccrsa full and public key fields. */
67// The offsets are computed using pb_ccn. If any object other than ccrsa_full_ctx_t
68// or ccrsa_pub_ctx_t is passed to the macros, compiler error is generated.
69
70#define ccrsa_ctx_zm(_ctx_) ((cczp_t)(_ctx_))
71#define ccrsa_ctx_n(_ctx_) (ccrsa_ctx_zm(_ctx_)->n)
72#define ccrsa_ctx_m(_ctx_) ((_ctx_)->pb_ccn)
73
74#define ccrsa_ctx_e(_ctx_) (ccrsa_ctx_m(_ctx_) + 2 * ccrsa_ctx_n(_ctx_) + 1)
75#define ccrsa_ctx_d(_ctx_) (ccrsa_ctx_m(_ctx_) + 3 * ccrsa_ctx_n(_ctx_) + 1)
76
77// accessors to ccrsa private key fields
78// The offsets are computed using pv_ccn. If any object other than ccrsa_priv_ctx_t
79// is passed to the macros, compiler error is generated.
80#define ccrsa_ctx_private_zp(FK) ((cczp_t)ccrsa_get_private_ctx_ptr(FK))
81#define ccrsa_ctx_private_zq(FK) ((cczp_t)((ccrsa_get_private_ctx_ptr(FK))->pv_ccn + 2 * ccrsa_ctx_private_zp(FK)->n + 1))
82#define ccrsa_ctx_private_dp(FK) ((ccrsa_get_private_ctx_ptr(FK))->pv_ccn + 4 * ccrsa_ctx_private_zp(FK)->n + 2 + ccn_nof_size(sizeof(struct cczp)))
83#define ccrsa_ctx_private_dq(FK) ((ccrsa_get_private_ctx_ptr(FK))->pv_ccn + 5 * ccrsa_ctx_private_zp(FK)->n + 2 + ccn_nof_size(sizeof(struct cczp)))
84#define ccrsa_ctx_private_qinv(FK) ((ccrsa_get_private_ctx_ptr(FK))->pv_ccn + 6 * ccrsa_ctx_private_zp(FK)->n + 2 + ccn_nof_size(sizeof(struct cczp)))
85
86/* rvalue accessors to ccec_key fields. */
87CC_CONST CC_INLINE
88ccrsa_priv_ctx_t ccrsa_get_private_ctx_ptr(ccrsa_full_ctx_t fk) {
89 ccrsa_priv_ctx_t priv = (ccrsa_priv_ctx_t)(ccrsa_ctx_d(fk)+ccrsa_ctx_n(fk));
90 return priv;
91}
92
93/*!
94 @function ccrsa_ctx_public
95 @abstract gets the public key from full key
96 @param fk RSA full key
97 @result Returns RSA public ker
98 */
99CC_CONST CC_INLINE
100ccrsa_pub_ctx_t ccrsa_ctx_public(ccrsa_full_ctx_t fk) {
101 return (ccrsa_pub_ctx_t) fk;
102}
103
104/* Return exact key bit size */
105static inline size_t
106ccrsa_pubkeylength(ccrsa_pub_ctx_t pubk) {
107 return cczp_bitlen(ccrsa_ctx_zm(pubk));
108}
109
110/* PKCS1 pad_markers */
111#define CCRSA_PKCS1_PAD_SIGN 1
112#define CCRSA_PKCS1_PAD_ENCRYPT 2
113
114/* Initialize key based on modulus and e as cc_unit. key->zp.n must already be set. */
115CC_NONNULL((1, 2, 3))
116int ccrsa_init_pub(ccrsa_pub_ctx_t key, const cc_unit *modulus,
117 const cc_unit *e);
118
119/* Initialize key based on modulus and e as big endian byte array
120 key->zp.n must already be set. */
121CC_NONNULL((1, 3, 5))
122int ccrsa_make_pub(ccrsa_pub_ctx_t pubk,
123 size_t exp_nbytes, const uint8_t *exp,
124 size_t mod_nbytes, const uint8_t *mod);
125
126/* Do a public key crypto operation (typically verify or encrypt) on in and put
127 the result in out. Both in and out should be cc_unit aligned and
128 ccrsa_key_n(key) units long. Clients should use ccn_read_uint() to
129 convert bytes to a cc_unit to use for this API.*/
130CC_NONNULL((1, 2, 3))
131int ccrsa_pub_crypt(ccrsa_pub_ctx_t key, cc_unit *out, const cc_unit *in);
132
133/* Generate an nbit rsa key pair in key, which should be allocated using
134 ccrsa_full_ctx_decl(ccn_sizeof(1024), rsa_ctx). The unsigned big endian
135 byte array exponent e of length e_size is used as the exponent. It's an
136 error to call this function with an exponent larger than nbits. rng
137 must be a pointer to an initialized struct ccrng_state. */
138CC_NONNULL((2, 4, 5))
139int ccrsa_generate_key(size_t nbits, ccrsa_full_ctx_t rsa_ctx,
140 size_t e_size, const void *e, struct ccrng_state *rng) CC_WARN_RESULT;
141
142/* Generate RSA key in conformance with FIPS186-4 standard */
143CC_NONNULL((2, 4, 5, 6))
144int
145ccrsa_generate_fips186_key(size_t nbits, ccrsa_full_ctx_t fk,
146 size_t e_size, const void *eBytes,
147 struct ccrng_state *rng1, struct ccrng_state *rng2) CC_WARN_RESULT;
148
149/* Construct RSA key from fix input in conformance with FIPS186-4 standard */
150CC_NONNULL((3, 5, 7, 9, 11, 13, 15, 16))
151int
152ccrsa_make_fips186_key(size_t nbits,
153 const cc_size e_n, const cc_unit *e,
154 const cc_size xp1Len, const cc_unit *xp1, const cc_size xp2Len, const cc_unit *xp2,
155 const cc_size xpLen, const cc_unit *xp,
156 const cc_size xq1Len, const cc_unit *xq1, const cc_size xq2Len, const cc_unit *xq2,
157 const cc_size xqLen, const cc_unit *xq,
158 ccrsa_full_ctx_t fk,
159 cc_size *np, cc_unit *r_p,
160 cc_size *nq, cc_unit *r_q,
161 cc_size *nm, cc_unit *r_m,
162 cc_size *nd, cc_unit *r_d);
163
164/*!
165 * @brief ccrsa_sign_pss() generates RSASSA-PSS signature in PKCS1-V2 format
166 *
167 * note that in RSASSA-PSS, salt length is part of the signature as specified in ASN1
168 * RSASSA-PSS-params ::= SEQUENCE {
169 * hashAlgorithm [0] HashAlgorithm DEFAULT sha1,
170 * maskGenAlgorithm [1] MaskGenAlgorithm DEFAULT mgf1SHA1,
171 * saltLength [2] INTEGER DEFAULT 20,
172 * trailerField [3] TrailerField DEFAULT trailerFieldBC
173 *
174 *
175 * FIPS 186-4 for RSASSA-PSS:
176 * .... Both signature schemes are approved for use, but additional constraints are imposed beyond those specified in PKCS #1 v2.1.....
177 *
178 * • If nlen = 1024 bits (i.e., 128 bytes), and the output length of the approved hash function output block is 512 bits (i.e., 64 bytes), then the length (in bytes) of the salt (sLen) shall satisfy 0 ≤ sLen ≤ hLen – 2,
179 * • Otherwise, the length (in bytes) of the salt (sLen) shall satisfy 0 ≤ sLen ≤ hLen, where hLen is the length of the hash function output block (in bytes).
180 *
181 *
182 * • CAVS test vectors are not very useful in the case of RSA-PSS, because they only validate the exponentiation part of the signature. See: http://csrc.nist.gov/groups/STM/cavp/documents/components/RSA2SP1VS.pdf
183 *
184 * @param key The RSA key
185 * @param hashAlgorithm The hash algorithm used to generate mHash from the original message. It is also used inside the PSS encoding function. This is also the hash function to be used in the mask generation function (MGF)
186 * @param MgfHashAlgorithm The hash algorithm for thr mask generation function
187 * @param rng Random number geberator to generate salt in PSS encoding
188 * @param saltSize Intended length of the salt
189 * @param hSize Length of message hash . Must be equal to hashAlgorithm->output_size
190 * @param mHash The input that needs to be signed. This is the hash of message M with length of hLen
191 *
192 * @param sig The signature output
193 * @param sigSize The length of generated signature in bytes, which equals the size of the RSA modulus.
194 * @return 0:ok, non-zero:error
195 */
196CC_NONNULL((2, 3, 5, 7, 8, 9))
197int ccrsa_sign_pss(ccrsa_full_ctx_t key,
198 const struct ccdigest_info* hashAlgorithm, const struct ccdigest_info* MgfHashAlgorithm,
199 size_t saltSize, struct ccrng_state *rng,
200 size_t hSize, const uint8_t *mHash,
201 size_t *sigSize, uint8_t *sig);
202
203CC_NONNULL((2, 3, 5, 7, 9))
204int ccrsa_verify_pss(ccrsa_pub_ctx_t key,
205 const struct ccdigest_info* di, const struct ccdigest_info* MgfDi,
206 size_t digestSize, const uint8_t *digest,
207 size_t sigSize, const uint8_t *sig,
208 size_t saltSize, bool *valid);
209
210/*!
211 @function ccrsa_sign_pkcs1v15
212 @abstract RSA signature with PKCS#1 v1.5 format per PKCS#1 v2.2
213
214 @param key Full key
215 @param oid OID describing the type of digest passed in
216 @param digest_len Byte length of the digest
217 @param digest Byte array of digest_len bytes containing the digest
218 @param sig_len Pointer to the number of byte allocate for sig.
219 Output the exact size of the signature.
220 @param sig Pointer to the allocated buffer of size *sig_len
221 for the output signature
222
223 @result 0 iff successful.
224
225 @discussion Null OID is a special case, required to support RFC 4346 where the padding
226 is based on SHA1+MD5. In general it is not recommended to use a NULL OID,
227 except when strictly required for interoperability
228
229 */
230CC_NONNULL((1, 4, 5, 6))
231int ccrsa_sign_pkcs1v15(ccrsa_full_ctx_t key, const uint8_t *oid,
232 size_t digest_len, const uint8_t *digest,
233 size_t *sig_len, uint8_t *sig);
234
235
236/*!
237 @function ccrsa_verify_pkcs1v15
238 @abstract RSA signature with PKCS#1 v1.5 format per PKCS#1 v2.2
239
240 @param key Public key
241 @param oid OID describing the type of digest passed in
242 @param digest_len Byte length of the digest
243 @param digest Byte array of digest_len bytes containing the digest
244 @param sig_len Number of byte of the signature sig.
245 @param sig Pointer to the signature buffer of sig_len
246 @param valid Output boolean, true if the signature is valid.
247
248 @result 0 iff successful.
249
250 @discussion Null OID is a special case, required to support RFC 4346
251 where the padding is based on SHA1+MD5. In general it is not
252 recommended to use a NULL OID, except when strictly required for
253 interoperability.
254*/
255CC_NONNULL((1, 4, 6, 7))
256int ccrsa_verify_pkcs1v15(ccrsa_pub_ctx_t key, const uint8_t *oid,
257 size_t digest_len, const uint8_t *digest,
258 size_t sig_len, const uint8_t *sig,
259 bool *valid);
260
261/*!
262 @function ccder_encode_rsa_pub_size
263 @abstract Calculate size of public key export format data package.
264
265 @param key Public key
266
267 @result Returns size required for encoding.
268 */
269
270CC_NONNULL((1))
271size_t ccder_encode_rsa_pub_size(const ccrsa_pub_ctx_t key);
272
273/*!
274 @function ccrsa_export_priv_pkcs1
275 @abstract Export a public key.
276
277 @param key Public key
278 @param der Beginning of output DER buffer
279 @param der_end End of output DER buffer
280 */
281
282CC_NONNULL((1, 2, 3))
283uint8_t *ccder_encode_rsa_pub(const ccrsa_pub_ctx_t key, uint8_t *der, uint8_t *der_end);
284
285
286/*!
287 @function ccder_encode_rsa_priv_size
288 @abstract Calculate size of full key exported in PKCS#1 format.
289
290 @param key Full key
291
292 @result Returns size required for encoding.
293 */
294
295CC_NONNULL((1))
296size_t ccder_encode_rsa_priv_size(const ccrsa_full_ctx_t key);
297
298/*!
299 @function ccder_encode_rsa_priv
300 @abstract Export a full key in PKCS#1 format.
301
302 @param key Full key
303 @param der Beginning of output DER buffer
304 @param der_end End of output DER buffer
305 */
306
307CC_NONNULL((1, 2, 3))
308uint8_t *ccder_encode_rsa_priv(const ccrsa_full_ctx_t key, const uint8_t *der, uint8_t *der_end);
309
310/*!
311 @function ccder_decode_rsa_pub_n
312 @abstract Calculate "n" for a public key imported from a data package.
313 PKCS #1 format
314
315 @param der Beginning of input DER buffer
316 @param der_end End of input DER buffer
317
318 @result the "n" of the RSA key that would result from the import. This can be used
319 to declare the key itself.
320 */
321
322CC_NONNULL((1, 2))
323cc_size ccder_decode_rsa_pub_n(const uint8_t *der, const uint8_t *der_end);
324
325/*!
326 @function ccder_decode_rsa_pub
327 @abstract Import a public RSA key from a package in public key format.
328 PKCS #1 format
329
330 @param key Public key (n must be set)
331 @param der Beginning of input DER buffer
332 @param der_end End of input DER buffer
333
334 @result Key is initialized using the data in the public key message.
335 */
336
337CC_NONNULL((1, 2, 3))
338const uint8_t *ccder_decode_rsa_pub(const ccrsa_pub_ctx_t key, const uint8_t *der, const uint8_t *der_end);
339
340/*!
341 @function ccder_decode_rsa_pub_x509_n
342 @abstract Calculate "n" for a public key imported from a data package in x509 format
343
344 @param der Beginning of input DER buffer
345 @param der_end End of input DER buffer
346
347 @result the "n" of the RSA key that would result from the import. This can be used
348 to declare the key itself.
349 */
350
351CC_NONNULL((1, 2))
352cc_size ccder_decode_rsa_pub_x509_n(const uint8_t *der, const uint8_t *der_end);
353
354/*!
355 @function ccder_decode_rsa_pub_x509
356 @abstract Import a public RSA key from a package in x509 format.
357
358 @param key Public key (n must be set)
359 @param der Beginning of input DER buffer
360 @param der_end End of input DER buffer
361
362 @result Key is initialized using the data in the public key message.
363 */
364
365CC_NONNULL((1, 2, 3))
366const uint8_t *ccder_decode_rsa_pub_x509(const ccrsa_pub_ctx_t key, const uint8_t *der, const uint8_t *der_end);
367
368
369/*!
370 @function ccder_decode_rsa_priv_n
371 @abstract Calculate "n" for a private key imported from a data package.
372
373 @param der Beginning of input DER buffer
374 @param der_end End of input DER buffer
375
376 @result the "n" of the RSA key that would result from the import. This can be used
377 to declare the key itself.
378 */
379
380CC_NONNULL((1, 2))
381cc_size ccder_decode_rsa_priv_n(const uint8_t *der, const uint8_t *der_end);
382
383/*!
384 @function ccder_decode_rsa_priv
385 @abstract Import a private RSA key from a package in PKCS#1 format.
386
387 @param key Full key (n must be set)
388 @param der Beginning of input DER buffer
389 @param der_end End of input DER buffer
390
391 @result Key is initialized using the data in the public key message.
392 */
393
394CC_NONNULL((1, 2, 3))
395const uint8_t *ccder_decode_rsa_priv(const ccrsa_full_ctx_t key, const uint8_t *der, const uint8_t *der_end);
396
397/*!
398 @function ccrsa_export_pub_size
399 @abstract Calculate size of public key exported data package.
400
401 @param key Public key
402
403 @result Returns size required for encoding.
404 */
405
406CC_CONST CC_INLINE CC_NONNULL((1))
407size_t ccrsa_export_pub_size(const ccrsa_pub_ctx_t key) {
408 return ccder_encode_rsa_pub_size(key);
409}
410
411/*!
412 @function ccrsa_export_pub
413 @abstract Export a public key in public key format.
414
415 @param key Public key
416 @param out_len Allocated size
417 @param out Output buffer
418 */
419
420CC_NONNULL((1, 3))
421int ccrsa_export_pub(const ccrsa_pub_ctx_t key, size_t out_len, uint8_t *out);
422/*!
423 @function ccrsa_import_pub_n
424 @abstract Calculate "n" for a public key imported from a data package.
425
426 @param inlen Length of public key package data
427 @param der pointer to public key package data
428
429 @result the "n" of the RSA key that would result from the import. This can be used
430 to declare the key itself.
431 */
432
433CC_CONST CC_INLINE CC_NONNULL((2))
434cc_size ccrsa_import_pub_n(size_t inlen, const uint8_t *der) {
435 cc_size size = ccder_decode_rsa_pub_x509_n(der, der + inlen);
436 if(size == 0) {
437 size = ccder_decode_rsa_pub_n(der, der + inlen);
438 }
439 return size;
440}
441
442/*!
443 @function ccrsa_import_pub
444 @abstract Import a public RSA key from a package in public key format.
445
446 @param key Public key (n must be set)
447 @param inlen Length of public key package data
448 @param der pointer to public key package data
449
450 @result Key is initialized using the data in the public key message.
451 */
452
453CC_NONNULL((1, 3))
454int ccrsa_import_pub(ccrsa_pub_ctx_t key, size_t inlen, const uint8_t *der);
455
456/*!
457 @function ccrsa_export_priv_size
458 @abstract Calculate size of full key exported in PKCS#1 format.
459
460 @param key Full key
461
462 @result Returns size required for encoding.
463 */
464
465CC_CONST CC_INLINE CC_NONNULL((1))
466size_t ccrsa_export_priv_size(const ccrsa_full_ctx_t key) {
467 return ccder_encode_rsa_priv_size(key);
468}
469
470/*!
471 @function ccrsa_export_priv
472 @abstract Export a full key in PKCS#1 format.
473
474 @param key Full key
475 @param out_len Allocated size
476 @param out Output buffer
477 */
478
479CC_CONST CC_INLINE CC_NONNULL((1, 3))
480int ccrsa_export_priv(const ccrsa_full_ctx_t key, size_t out_len, uint8_t *out) {
481 return (ccder_encode_rsa_priv(key, out, out+out_len) != out);
482}
483
484/*!
485 @function ccrsa_import_priv_n
486 @abstract Calculate size of full key exported in PKCS#1 format.
487
488 @param inlen Length of PKCS#1 package data
489 @param der pointer to PKCS#1 package data
490
491 @result the "n" of the RSA key that would result from the import. This can be used
492 to declare the key itself.
493 */
494
495CC_CONST CC_INLINE CC_NONNULL((2))
496cc_size ccrsa_import_priv_n(size_t inlen, const uint8_t *der) {
497 return ccder_decode_rsa_priv_n(der, der + inlen);
498}
499
500/*!
501 @function ccrsa_import_priv
502 @abstract Import a full RSA key from a package in PKCS#1 format.
503
504 @param key Full key (n must be set)
505 @param inlen Length of PKCS#1 package data
506 @param der pointer to PKCS#1 package data
507
508 @result Key is initialized using the data in the PKCS#1 message.
509 */
510
511CC_CONST CC_INLINE CC_NONNULL((1, 3))
512int ccrsa_import_priv(ccrsa_full_ctx_t key, size_t inlen, const uint8_t *der) {
513 return (ccder_decode_rsa_priv(key, der, der+inlen) == NULL);
514}
515
516
517CC_NONNULL((1, 2))
518int ccrsa_get_pubkey_components(const ccrsa_pub_ctx_t pubkey, uint8_t *modulus, size_t *modulusLength, uint8_t *exponent, size_t *exponentLength);
519
520CC_NONNULL((1, 2))
521int ccrsa_get_fullkey_components(const ccrsa_full_ctx_t key, uint8_t *modulus, size_t *modulusLength, uint8_t *exponent, size_t *exponentLength,
522 uint8_t *p, size_t *pLength, uint8_t *q, size_t *qLength);
523
524
525/*!
526 @function ccrsa_dump_public_key
527 @abstract Print a rsa public key in the console (printf)
528
529 @param key Public key
530 */
531void ccrsa_dump_public_key(ccrsa_pub_ctx_t key);
532
533/*!
534 @function ccrsa_dump_full_key
535 @abstract Print a rsa private key in the console (printf)
536
537 @param key Public key
538 */
539void ccrsa_dump_full_key(ccrsa_full_ctx_t key);
540
541#endif /* _CORECRYPTO_CCRSA_H_ */
542