Commit | Line | Data |
---|---|---|
420a0d19 CE |
1 | /** |
2 | * \file rsa.h | |
3 | * | |
4 | * Copyright (C) 2006-2010, Brainspark B.V. | |
5 | * | |
6 | * This file is part of PolarSSL (http://www.polarssl.org) | |
7 | * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org> | |
8 | * | |
9 | * All rights reserved. | |
10 | * | |
11 | * This program is free software; you can redistribute it and/or modify | |
12 | * it under the terms of the GNU General Public License as published by | |
13 | * the Free Software Foundation; either version 2 of the License, or | |
14 | * (at your option) any later version. | |
15 | * | |
16 | * This program is distributed in the hope that it will be useful, | |
17 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
18 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
19 | * GNU General Public License for more details. | |
20 | * | |
21 | * You should have received a copy of the GNU General Public License along | |
22 | * with this program; if not, write to the Free Software Foundation, Inc., | |
23 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | |
24 | */ | |
25 | ||
26 | #ifndef POLARSSL_RSA_H | |
27 | #define POLARSSL_RSA_H | |
28 | ||
29 | #include "bignum.h" | |
30 | ||
31 | /* | |
32 | * RSA Error codes | |
33 | */ | |
34 | #define POLARSSL_ERR_RSA_BAD_INPUT_DATA -0x0400 | |
35 | #define POLARSSL_ERR_RSA_INVALID_PADDING -0x0410 | |
36 | #define POLARSSL_ERR_RSA_KEY_GEN_FAILED -0x0420 | |
37 | #define POLARSSL_ERR_RSA_KEY_CHECK_FAILED -0x0430 | |
38 | #define POLARSSL_ERR_RSA_PUBLIC_FAILED -0x0440 | |
39 | #define POLARSSL_ERR_RSA_PRIVATE_FAILED -0x0450 | |
40 | #define POLARSSL_ERR_RSA_VERIFY_FAILED -0x0460 | |
41 | #define POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE -0x0470 | |
42 | #define POLARSSL_ERR_RSA_RNG_FAILED -0x0480 | |
43 | ||
44 | /* *************** begin copy from x509.h ************************/ | |
45 | /* | |
46 | * ASN1 Error codes | |
47 | * | |
48 | * These error codes will be OR'ed to X509 error codes for | |
49 | * higher error granularity. | |
50 | */ | |
51 | #define POLARSSL_ERR_ASN1_OUT_OF_DATA 0x0014 | |
52 | #define POLARSSL_ERR_ASN1_UNEXPECTED_TAG 0x0016 | |
53 | #define POLARSSL_ERR_ASN1_INVALID_LENGTH 0x0018 | |
54 | #define POLARSSL_ERR_ASN1_LENGTH_MISMATCH 0x001A | |
55 | #define POLARSSL_ERR_ASN1_INVALID_DATA 0x001C | |
56 | ||
57 | /* | |
58 | * X509 Error codes | |
59 | */ | |
60 | #define POLARSSL_ERR_X509_FEATURE_UNAVAILABLE -0x0020 | |
61 | #define POLARSSL_ERR_X509_CERT_INVALID_PEM -0x0040 | |
62 | #define POLARSSL_ERR_X509_CERT_INVALID_FORMAT -0x0060 | |
63 | #define POLARSSL_ERR_X509_CERT_INVALID_VERSION -0x0080 | |
64 | #define POLARSSL_ERR_X509_CERT_INVALID_SERIAL -0x00A0 | |
65 | #define POLARSSL_ERR_X509_CERT_INVALID_ALG -0x00C0 | |
66 | #define POLARSSL_ERR_X509_CERT_INVALID_NAME -0x00E0 | |
67 | #define POLARSSL_ERR_X509_CERT_INVALID_DATE -0x0100 | |
68 | #define POLARSSL_ERR_X509_CERT_INVALID_PUBKEY -0x0120 | |
69 | #define POLARSSL_ERR_X509_CERT_INVALID_SIGNATURE -0x0140 | |
70 | #define POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS -0x0160 | |
71 | #define POLARSSL_ERR_X509_CERT_UNKNOWN_VERSION -0x0180 | |
72 | #define POLARSSL_ERR_X509_CERT_UNKNOWN_SIG_ALG -0x01A0 | |
73 | #define POLARSSL_ERR_X509_CERT_UNKNOWN_PK_ALG -0x01C0 | |
74 | #define POLARSSL_ERR_X509_CERT_SIG_MISMATCH -0x01E0 | |
75 | #define POLARSSL_ERR_X509_CERT_VERIFY_FAILED -0x0200 | |
76 | #define POLARSSL_ERR_X509_KEY_INVALID_PEM -0x0220 | |
77 | #define POLARSSL_ERR_X509_KEY_INVALID_VERSION -0x0240 | |
78 | #define POLARSSL_ERR_X509_KEY_INVALID_FORMAT -0x0260 | |
79 | #define POLARSSL_ERR_X509_KEY_INVALID_ENC_IV -0x0280 | |
80 | #define POLARSSL_ERR_X509_KEY_UNKNOWN_ENC_ALG -0x02A0 | |
81 | #define POLARSSL_ERR_X509_KEY_PASSWORD_REQUIRED -0x02C0 | |
82 | #define POLARSSL_ERR_X509_KEY_PASSWORD_MISMATCH -0x02E0 | |
83 | #define POLARSSL_ERR_X509_POINT_ERROR -0x0300 | |
84 | #define POLARSSL_ERR_X509_VALUE_TO_LENGTH -0x0320 | |
85 | ||
86 | /* | |
87 | * DER constants | |
88 | */ | |
89 | #define ASN1_BOOLEAN 0x01 | |
90 | #define ASN1_INTEGER 0x02 | |
91 | #define ASN1_BIT_STRING 0x03 | |
92 | #define ASN1_OCTET_STRING 0x04 | |
93 | #define ASN1_NULL 0x05 | |
94 | #define ASN1_OID 0x06 | |
95 | #define ASN1_UTF8_STRING 0x0C | |
96 | #define ASN1_SEQUENCE 0x10 | |
97 | #define ASN1_SET 0x11 | |
98 | #define ASN1_PRINTABLE_STRING 0x13 | |
99 | #define ASN1_T61_STRING 0x14 | |
100 | #define ASN1_IA5_STRING 0x16 | |
101 | #define ASN1_UTC_TIME 0x17 | |
102 | #define ASN1_GENERALIZED_TIME 0x18 | |
103 | #define ASN1_UNIVERSAL_STRING 0x1C | |
104 | #define ASN1_BMP_STRING 0x1E | |
105 | #define ASN1_PRIMITIVE 0x00 | |
106 | #define ASN1_CONSTRUCTED 0x20 | |
107 | #define ASN1_CONTEXT_SPECIFIC 0x80 | |
108 | /* *************** end copy from x509.h ************************/ | |
109 | ||
110 | /* | |
111 | * PKCS#1 constants | |
112 | */ | |
113 | #define SIG_RSA_RAW 0 | |
114 | #define SIG_RSA_MD2 2 | |
115 | #define SIG_RSA_MD4 3 | |
116 | #define SIG_RSA_MD5 4 | |
117 | #define SIG_RSA_SHA1 5 | |
118 | #define SIG_RSA_SHA224 14 | |
119 | #define SIG_RSA_SHA256 11 | |
120 | #define SIG_RSA_SHA384 12 | |
121 | #define SIG_RSA_SHA512 13 | |
122 | ||
123 | #define RSA_PUBLIC 0 | |
124 | #define RSA_PRIVATE 1 | |
125 | ||
126 | #define RSA_PKCS_V15 0 | |
127 | #define RSA_PKCS_V21 1 | |
128 | ||
129 | #define RSA_SIGN 1 | |
130 | #define RSA_CRYPT 2 | |
131 | ||
132 | #define ASN1_STR_CONSTRUCTED_SEQUENCE "\x30" | |
133 | #define ASN1_STR_NULL "\x05" | |
134 | #define ASN1_STR_OID "\x06" | |
135 | #define ASN1_STR_OCTET_STRING "\x04" | |
136 | ||
137 | #define OID_DIGEST_ALG_MDX "\x2A\x86\x48\x86\xF7\x0D\x02\x00" | |
138 | #define OID_HASH_ALG_SHA1 "\x2b\x0e\x03\x02\x1a" | |
139 | #define OID_HASH_ALG_SHA2X "\x60\x86\x48\x01\x65\x03\x04\x02\x00" | |
140 | ||
141 | #define OID_ISO_MEMBER_BODIES "\x2a" | |
142 | #define OID_ISO_IDENTIFIED_ORG "\x2b" | |
143 | ||
144 | /* | |
145 | * ISO Member bodies OID parts | |
146 | */ | |
147 | #define OID_COUNTRY_US "\x86\x48" | |
148 | #define OID_RSA_DATA_SECURITY "\x86\xf7\x0d" | |
149 | ||
150 | /* | |
151 | * ISO Identified organization OID parts | |
152 | */ | |
153 | #define OID_OIW_SECSIG_SHA1 "\x0e\x03\x02\x1a" | |
154 | ||
155 | /* | |
156 | * DigestInfo ::= SEQUENCE { | |
157 | * digestAlgorithm DigestAlgorithmIdentifier, | |
158 | * digest Digest } | |
159 | * | |
160 | * DigestAlgorithmIdentifier ::= AlgorithmIdentifier | |
161 | * | |
162 | * Digest ::= OCTET STRING | |
163 | */ | |
164 | #define ASN1_HASH_MDX \ | |
165 | ( \ | |
166 | ASN1_STR_CONSTRUCTED_SEQUENCE "\x20" \ | |
167 | ASN1_STR_CONSTRUCTED_SEQUENCE "\x0C" \ | |
168 | ASN1_STR_OID "\x08" \ | |
169 | OID_DIGEST_ALG_MDX \ | |
170 | ASN1_STR_NULL "\x00" \ | |
171 | ASN1_STR_OCTET_STRING "\x10" \ | |
172 | ) | |
173 | ||
174 | #define ASN1_HASH_SHA1 \ | |
175 | ASN1_STR_CONSTRUCTED_SEQUENCE "\x21" \ | |
176 | ASN1_STR_CONSTRUCTED_SEQUENCE "\x09" \ | |
177 | ASN1_STR_OID "\x05" \ | |
178 | OID_HASH_ALG_SHA1 \ | |
179 | ASN1_STR_NULL "\x00" \ | |
180 | ASN1_STR_OCTET_STRING "\x14" | |
181 | ||
182 | #define ASN1_HASH_SHA2X \ | |
183 | ASN1_STR_CONSTRUCTED_SEQUENCE "\x11" \ | |
184 | ASN1_STR_CONSTRUCTED_SEQUENCE "\x0d" \ | |
185 | ASN1_STR_OID "\x09" \ | |
186 | OID_HASH_ALG_SHA2X \ | |
187 | ASN1_STR_NULL "\x00" \ | |
188 | ASN1_STR_OCTET_STRING "\x00" | |
189 | ||
190 | /** | |
191 | * \brief RSA context structure | |
192 | */ | |
193 | typedef struct | |
194 | { | |
195 | int ver; /*!< always 0 */ | |
196 | int len; /*!< size(N) in chars */ | |
197 | ||
198 | mpi N; /*!< public modulus */ | |
199 | mpi E; /*!< public exponent */ | |
200 | ||
201 | mpi D; /*!< private exponent */ | |
202 | mpi P; /*!< 1st prime factor */ | |
203 | mpi Q; /*!< 2nd prime factor */ | |
204 | mpi DP; /*!< D % (P - 1) */ | |
205 | mpi DQ; /*!< D % (Q - 1) */ | |
206 | mpi QP; /*!< 1 / (Q % P) */ | |
207 | ||
208 | mpi RN; /*!< cached R^2 mod N */ | |
209 | mpi RP; /*!< cached R^2 mod P */ | |
210 | mpi RQ; /*!< cached R^2 mod Q */ | |
211 | ||
212 | int padding; /*!< 1.5 or OAEP/PSS */ | |
213 | int hash_id; /*!< hash identifier */ | |
214 | } | |
215 | rsa_context; | |
216 | ||
217 | #ifdef __cplusplus | |
218 | extern "C" { | |
219 | #endif | |
220 | ||
221 | /** | |
222 | * \brief Initialize an RSA context | |
223 | * | |
224 | * \param ctx RSA context to be initialized | |
225 | * \param padding RSA_PKCS_V15 or RSA_PKCS_V21 | |
226 | * \param hash_id RSA_PKCS_V21 hash identifier | |
227 | * | |
228 | * \note The hash_id parameter is actually ignored | |
229 | * when using RSA_PKCS_V15 padding. | |
230 | * | |
231 | * \note Currently, RSA_PKCS_V21 padding | |
232 | * is not supported. | |
233 | */ | |
234 | void rsa_init( rsa_context *ctx, | |
235 | int padding, | |
236 | int hash_id); | |
237 | ||
238 | /** | |
239 | * \brief Generate an RSA keypair | |
240 | * | |
241 | * \param ctx RSA context that will hold the key | |
242 | * \param f_rng RNG function | |
243 | * \param p_rng RNG parameter | |
244 | * \param nbits size of the public key in bits | |
245 | * \param exponent public exponent (e.g., 65537) | |
246 | * | |
247 | * \note rsa_init() must be called beforehand to setup | |
248 | * the RSA context. | |
249 | * | |
250 | * \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code | |
251 | */ | |
252 | int rsa_gen_key( rsa_context *ctx, | |
253 | int (*f_rng)(void *), | |
254 | void *p_rng, | |
255 | int nbits, int exponent ); | |
256 | ||
257 | /** | |
258 | * \brief Check a public RSA key | |
259 | * | |
260 | * \param ctx RSA context to be checked | |
261 | * | |
262 | * \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code | |
263 | */ | |
264 | int rsa_check_pubkey( const rsa_context *ctx ); | |
265 | ||
266 | /** | |
267 | * \brief Check a private RSA key | |
268 | * | |
269 | * \param ctx RSA context to be checked | |
270 | * | |
271 | * \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code | |
272 | */ | |
273 | int rsa_check_privkey( const rsa_context *ctx ); | |
274 | ||
275 | /** | |
276 | * \brief Do an RSA public key operation | |
277 | * | |
278 | * \param ctx RSA context | |
279 | * \param input input buffer | |
280 | * \param output output buffer | |
281 | * | |
282 | * \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code | |
283 | * | |
284 | * \note This function does NOT take care of message | |
285 | * padding. Also, be sure to set input[0] = 0 or assure that | |
286 | * input is smaller than N. | |
287 | * | |
288 | * \note The input and output buffers must be large | |
289 | * enough (eg. 128 bytes if RSA-1024 is used). | |
290 | */ | |
291 | int rsa_public( rsa_context *ctx, | |
292 | const unsigned char *input, | |
293 | unsigned char *output ); | |
294 | ||
295 | /** | |
296 | * \brief Do an RSA private key operation | |
297 | * | |
298 | * \param ctx RSA context | |
299 | * \param input input buffer | |
300 | * \param output output buffer | |
301 | * | |
302 | * \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code | |
303 | * | |
304 | * \note The input and output buffers must be large | |
305 | * enough (eg. 128 bytes if RSA-1024 is used). | |
306 | */ | |
307 | int rsa_private( rsa_context *ctx, | |
308 | const unsigned char *input, | |
309 | unsigned char *output ); | |
310 | ||
311 | /** | |
312 | * \brief Add the message padding, then do an RSA operation | |
313 | * | |
314 | * \param ctx RSA context | |
315 | * \param f_rng RNG function | |
316 | * \param p_rng RNG parameter | |
317 | * \param mode RSA_PUBLIC or RSA_PRIVATE | |
318 | * \param ilen contains the plaintext length | |
319 | * \param input buffer holding the data to be encrypted | |
320 | * \param output buffer that will hold the ciphertext | |
321 | * | |
322 | * \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code | |
323 | * | |
324 | * \note The output buffer must be as large as the size | |
325 | * of ctx->N (eg. 128 bytes if RSA-1024 is used). | |
326 | */ | |
327 | int rsa_pkcs1_encrypt( rsa_context *ctx, | |
328 | int (*f_rng)(void *), | |
329 | void *p_rng, | |
330 | int mode, int ilen, | |
331 | const unsigned char *input, | |
332 | unsigned char *output ); | |
333 | ||
334 | /** | |
335 | * \brief Do an RSA operation, then remove the message padding | |
336 | * | |
337 | * \param ctx RSA context | |
338 | * \param mode RSA_PUBLIC or RSA_PRIVATE | |
339 | * \param input buffer holding the encrypted data | |
340 | * \param output buffer that will hold the plaintext | |
341 | * \param olen will contain the plaintext length | |
342 | * \param output_max_len maximum length of the output buffer | |
343 | * | |
344 | * \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code | |
345 | * | |
346 | * \note The output buffer must be as large as the size | |
347 | * of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise | |
348 | * an error is thrown. | |
349 | */ | |
350 | int rsa_pkcs1_decrypt( rsa_context *ctx, | |
351 | int mode, int *olen, | |
352 | const unsigned char *input, | |
353 | unsigned char *output, | |
354 | int output_max_len ); | |
355 | ||
356 | /** | |
357 | * \brief Do a private RSA to sign a message digest | |
358 | * | |
359 | * \param ctx RSA context | |
360 | * \param mode RSA_PUBLIC or RSA_PRIVATE | |
361 | * \param hash_id SIG_RSA_RAW, SIG_RSA_MD{2,4,5} or SIG_RSA_SHA{1,224,256,384,512} | |
362 | * \param hashlen message digest length (for SIG_RSA_RAW only) | |
363 | * \param hash buffer holding the message digest | |
364 | * \param sig buffer that will hold the ciphertext | |
365 | * | |
366 | * \return 0 if the signing operation was successful, | |
367 | * or an POLARSSL_ERR_RSA_XXX error code | |
368 | * | |
369 | * \note The "sig" buffer must be as large as the size | |
370 | * of ctx->N (eg. 128 bytes if RSA-1024 is used). | |
371 | */ | |
372 | int rsa_pkcs1_sign( rsa_context *ctx, | |
373 | int mode, | |
374 | int hash_id, | |
375 | int hashlen, | |
376 | const unsigned char *hash, | |
377 | unsigned char *sig ); | |
378 | ||
379 | /** | |
380 | * \brief Do a public RSA and check the message digest | |
381 | * | |
382 | * \param ctx points to an RSA public key | |
383 | * \param mode RSA_PUBLIC or RSA_PRIVATE | |
384 | * \param hash_id SIG_RSA_RAW, SIG_RSA_MD{2,4,5} or SIG_RSA_SHA{1,224,256,384,512} | |
385 | * \param hashlen message digest length (for SIG_RSA_RAW only) | |
386 | * \param hash buffer holding the message digest | |
387 | * \param sig buffer holding the ciphertext | |
388 | * | |
389 | * \return 0 if the verify operation was successful, | |
390 | * or an POLARSSL_ERR_RSA_XXX error code | |
391 | * | |
392 | * \note The "sig" buffer must be as large as the size | |
393 | * of ctx->N (eg. 128 bytes if RSA-1024 is used). | |
394 | */ | |
395 | int rsa_pkcs1_verify( rsa_context *ctx, | |
396 | int mode, | |
397 | int hash_id, | |
398 | int hashlen, | |
399 | const unsigned char *hash, | |
400 | unsigned char *sig ); | |
401 | ||
402 | /** | |
403 | * \brief Free the components of an RSA key | |
404 | * | |
405 | * \param ctx RSA Context to free | |
406 | */ | |
407 | void rsa_free( rsa_context *ctx ); | |
408 | ||
409 | /* PDKIM declarations (not part of polarssl) */ | |
410 | int rsa_parse_public_key( rsa_context *rsa, unsigned char *buf, int buflen ); | |
411 | int rsa_parse_key( rsa_context *rsa, unsigned char *buf, int buflen, | |
412 | unsigned char *pwd, int pwdlen ); | |
413 | ||
414 | ||
415 | #ifdef __cplusplus | |
416 | } | |
417 | #endif | |
418 | ||
419 | #endif /* rsa.h */ |