cc/internal/rsa_util.h

*e7b1675dSTing-Kang Chang// Copyright 2021 Google LLC
*e7b1675dSTing-Kang Chang//
*e7b1675dSTing-Kang Chang// Licensed under the Apache License, Version 2.0 (the "License");
*e7b1675dSTing-Kang Chang// you may not use this file except in compliance with the License.
*e7b1675dSTing-Kang Chang// You may obtain a copy of the License at
*e7b1675dSTing-Kang Chang//
*e7b1675dSTing-Kang Chang//     http://www.apache.org/licenses/LICENSE-2.0
*e7b1675dSTing-Kang Chang//
*e7b1675dSTing-Kang Chang// Unless required by applicable law or agreed to in writing, software
*e7b1675dSTing-Kang Chang// distributed under the License is distributed on an "AS IS" BASIS,
*e7b1675dSTing-Kang Chang// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
*e7b1675dSTing-Kang Chang// See the License for the specific language governing permissions and
*e7b1675dSTing-Kang Chang// limitations under the License.
*e7b1675dSTing-Kang Chang//
*e7b1675dSTing-Kang Chang///////////////////////////////////////////////////////////////////////////////
*e7b1675dSTing-Kang Chang#ifndef TINK_INTERNAL_RSA_UTIL_H_
*e7b1675dSTing-Kang Chang#define TINK_INTERNAL_RSA_UTIL_H_
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang#include <stddef.h>
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang#include <string>
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang#include "absl/strings/string_view.h"
*e7b1675dSTing-Kang Chang#include "openssl/bn.h"
*e7b1675dSTing-Kang Chang#include "openssl/rsa.h"
*e7b1675dSTing-Kang Chang#include "tink/internal/ssl_unique_ptr.h"
*e7b1675dSTing-Kang Chang#include "tink/subtle/common_enums.h"
*e7b1675dSTing-Kang Chang#include "tink/util/secret_data.h"
*e7b1675dSTing-Kang Chang#include "tink/util/status.h"
*e7b1675dSTing-Kang Chang#include "tink/util/statusor.h"
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Changnamespace crypto {
*e7b1675dSTing-Kang Changnamespace tink {
*e7b1675dSTing-Kang Changnamespace internal {
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Changstruct RsaPublicKey {
*e7b1675dSTing-Kang Chang  // Modulus.
*e7b1675dSTing-Kang Chang  // Unsigned big integer in bigendian representation.
*e7b1675dSTing-Kang Chang  std::string n;
*e7b1675dSTing-Kang Chang  // Public exponent.
*e7b1675dSTing-Kang Chang  // Unsigned big integer in bigendian representation.
*e7b1675dSTing-Kang Chang  std::string e;
*e7b1675dSTing-Kang Chang};
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang// Parameters of RSA SSA (Signature Schemes with Appendix) using  PSS
*e7b1675dSTing-Kang Chang// (Probabilistic Signature Scheme) encoding (see
*e7b1675dSTing-Kang Chang// https://tools.ietf.org/html/rfc8017#section-8.1).
*e7b1675dSTing-Kang Changstruct RsaSsaPssParams {
*e7b1675dSTing-Kang Chang  // Hash function used in computing hash of the signing message
*e7b1675dSTing-Kang Chang  // (see https://tools.ietf.org/html/rfc8017#section-9.1.1).
*e7b1675dSTing-Kang Chang  subtle::HashType sig_hash;
*e7b1675dSTing-Kang Chang  // Hash function used in MGF1 (a mask generation function based on a
*e7b1675dSTing-Kang Chang  // hash function) (see https://tools.ietf.org/html/rfc8017#appendix-B.2.1).
*e7b1675dSTing-Kang Chang  subtle::HashType mgf1_hash;
*e7b1675dSTing-Kang Chang  // Salt length (see https://tools.ietf.org/html/rfc8017#section-9.1.1)
*e7b1675dSTing-Kang Chang  int salt_length;
*e7b1675dSTing-Kang Chang};
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang// Parameters of RSA SSA (Signature Schemes with Appendix) using PKCS1
*e7b1675dSTing-Kang Chang// (Probabilistic Signature Scheme) encoding (see
*e7b1675dSTing-Kang Chang// https://tools.ietf.org/html/rfc8017#section-8.2).
*e7b1675dSTing-Kang Changstruct RsaSsaPkcs1Params {
*e7b1675dSTing-Kang Chang  // Hash function used in computing hash of the signing message
*e7b1675dSTing-Kang Chang  // (see https://tools.ietf.org/html/rfc8017#section-9.2).
*e7b1675dSTing-Kang Chang  subtle::HashType hash_type;
*e7b1675dSTing-Kang Chang};
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang// RSA private key representation.
*e7b1675dSTing-Kang Changstruct RsaPrivateKey {
*e7b1675dSTing-Kang Chang  // Modulus.
*e7b1675dSTing-Kang Chang  std::string n;
*e7b1675dSTing-Kang Chang  // Public exponent.
*e7b1675dSTing-Kang Chang  std::string e;
*e7b1675dSTing-Kang Chang  // Private exponent.
*e7b1675dSTing-Kang Chang  // Unsigned big integer in bigendian representation.
*e7b1675dSTing-Kang Chang  util::SecretData d;
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  // The prime factor p of n.
*e7b1675dSTing-Kang Chang  // Unsigned big integer in bigendian representation.
*e7b1675dSTing-Kang Chang  util::SecretData p;
*e7b1675dSTing-Kang Chang  // The prime factor q of n.
*e7b1675dSTing-Kang Chang  // Unsigned big integer in bigendian representation.
*e7b1675dSTing-Kang Chang  util::SecretData q;
*e7b1675dSTing-Kang Chang  // d mod (p - 1).
*e7b1675dSTing-Kang Chang  util::SecretData dp;
*e7b1675dSTing-Kang Chang  // d mod (q - 1).
*e7b1675dSTing-Kang Chang  // Unsigned big integer in bigendian representation.
*e7b1675dSTing-Kang Chang  util::SecretData dq;
*e7b1675dSTing-Kang Chang  // Chinese Remainder Theorem coefficient q^(-1) mod p.
*e7b1675dSTing-Kang Chang  // Unsigned big integer in bigendian representation.
*e7b1675dSTing-Kang Chang  util::SecretData crt;
*e7b1675dSTing-Kang Chang};
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang// Validates whether 'modulus_size' is at least 2048-bit.
*e7b1675dSTing-Kang Chang// To reach 128-bit security strength, RSA's modulus must be at least
*e7b1675dSTing-Kang Chang// 3072-bit while 2048-bit RSA key only has 112-bit security. Nevertheless,
*e7b1675dSTing-Kang Chang// a 2048-bit RSA key is considered safe by NIST until 2030 (see
*e7b1675dSTing-Kang Chang// https://www.keylength.com/en/4/).
*e7b1675dSTing-Kang Changcrypto::tink::util::Status ValidateRsaModulusSize(size_t modulus_size);
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang// Validates whether `exponent` is a valid bignum, is odd, greater than 65536
*e7b1675dSTing-Kang Chang// and smaller than 32 bits. The primes p and q are chosen such that (p-1)(q-1)
*e7b1675dSTing-Kang Chang// is relatively prime to the public exponent. Therefore, the public exponent
*e7b1675dSTing-Kang Chang// must be odd. Furthermore, choosing a public exponent which is not greater
*e7b1675dSTing-Kang Chang// than 65536 can lead to weak instantiations of RSA. A public exponent which is
*e7b1675dSTing-Kang Chang// odd and greater than 65536 conforms to the requirements set by NIST FIPS
*e7b1675dSTing-Kang Chang// 186-4 (Appendix B.3.1).
*e7b1675dSTing-Kang Changcrypto::tink::util::Status ValidateRsaPublicExponent(const BIGNUM *exponent);
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang// Validates whether `exponent` is a valid bignum, is odd, greater than 65536
*e7b1675dSTing-Kang Chang// and smaller than 32 bits.
*e7b1675dSTing-Kang Changcrypto::tink::util::Status ValidateRsaPublicExponent(
*e7b1675dSTing-Kang Chang    absl::string_view exponent);
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang// Creates a new RSA key pair and populates `private_key` and `public_key`.
*e7b1675dSTing-Kang Changcrypto::tink::util::Status NewRsaKeyPair(int modulus_size_in_bits,
*e7b1675dSTing-Kang Chang                                         const BIGNUM *e,
*e7b1675dSTing-Kang Chang                                         RsaPrivateKey *private_key,
*e7b1675dSTing-Kang Chang                                         RsaPublicKey *public_key);
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang// Returns `key`'s private and public exponents (d and e) and mosulus
*e7b1675dSTing-Kang Chang// (n) writing a copy of them into `rsa`.
*e7b1675dSTing-Kang Changcrypto::tink::util::Status GetRsaModAndExponents(const RsaPrivateKey &key,
*e7b1675dSTing-Kang Chang                                                 RSA *rsa);
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang// Returns `key`'s prime factors (p and q) writing a copy of them into `rsa`.
*e7b1675dSTing-Kang Changcrypto::tink::util::Status GetRsaPrimeFactors(const RsaPrivateKey &key,
*e7b1675dSTing-Kang Chang                                              RSA *rsa);
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang// Returns `key`'s CRT parameters (dp and dq) writing a copy of them into `rsa`.
*e7b1675dSTing-Kang Changcrypto::tink::util::Status GetRsaCrtParams(const RsaPrivateKey &key, RSA *rsa);
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang// Creates a OpenSSL/BoringSSL RSA key from `private_key`.
*e7b1675dSTing-Kang Changcrypto::tink::util::StatusOr<internal::SslUniquePtr<RSA>> RsaPrivateKeyToRsa(
*e7b1675dSTing-Kang Chang    const RsaPrivateKey &private_key);
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang// Creates a OpenSSL/BoringSSL RSA key from an `public_key`.
*e7b1675dSTing-Kang Changcrypto::tink::util::StatusOr<internal::SslUniquePtr<RSA>> RsaPublicKeyToRsa(
*e7b1675dSTing-Kang Chang    const RsaPublicKey &public_key);
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang// Performs some basic checks on the given RSA public key `key` as in [1] when
*e7b1675dSTing-Kang Chang// OpenSSL is used as a backend. This is needed because with OpenSSL calls to
*e7b1675dSTing-Kang Chang// RSA_check_key with RSA keys that have only the modulus and public exponent
*e7b1675dSTing-Kang Chang// populated don't work [2]. When BoringSSL is used, it uses BoringSSL's
*e7b1675dSTing-Kang Chang// RSA_check_key.
*e7b1675dSTing-Kang Chang//
*e7b1675dSTing-Kang Chang// [1] https://github.com/google/boringssl/blob/master/crypto/fipsmodule/rsa/rsa_impl.c#L76
*e7b1675dSTing-Kang Chang// [2] https://www.openssl.org/docs/man1.1.1/man3/RSA_check_key.html
*e7b1675dSTing-Kang Changcrypto::tink::util::Status RsaCheckPublicKey(const RSA *key);
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang}  // namespace internal
*e7b1675dSTing-Kang Chang}  // namespace tink
*e7b1675dSTing-Kang Chang}  // namespace crypto
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang#endif  // TINK_INTERNAL_RSA_UTIL_H_