3 * The RSA publickey algorithm.
6 /* nettle, low-level cryptographics library
8 * Copyright (C) 2001, 2002 Niels Möller
10 * The nettle library is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU Lesser General Public License as published by
12 * the Free Software Foundation; either version 2.1 of the License, or (at your
13 * option) any later version.
15 * The nettle library is distributed in the hope that it will be useful, but
16 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
17 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public
18 * License for more details.
20 * You should have received a copy of the GNU Lesser General Public License
21 * along with the nettle library; see the file COPYING.LIB. If not, write to
22 * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
26 #ifndef NETTLE_RSA_H_INCLUDED
27 #define NETTLE_RSA_H_INCLUDED
30 #include "nettle-types.h"
41 #define rsa_public_key_init nettle_rsa_public_key_init
42 #define rsa_public_key_clear nettle_rsa_public_key_clear
43 #define rsa_public_key_prepare nettle_rsa_public_key_prepare
44 #define rsa_private_key_init nettle_rsa_private_key_init
45 #define rsa_private_key_clear nettle_rsa_private_key_clear
46 #define rsa_private_key_prepare nettle_rsa_private_key_prepare
47 #define rsa_pkcs1_verify nettle_rsa_pkcs1_verify
48 #define rsa_pkcs1_sign nettle_rsa_pkcs1_sign
49 #define rsa_pkcs1_sign_tr nettle_rsa_pkcs1_sign_tr
50 #define rsa_md5_sign nettle_rsa_md5_sign
51 #define rsa_md5_verify nettle_rsa_md5_verify
52 #define rsa_sha1_sign nettle_rsa_sha1_sign
53 #define rsa_sha1_verify nettle_rsa_sha1_verify
54 #define rsa_sha256_sign nettle_rsa_sha256_sign
55 #define rsa_sha256_verify nettle_rsa_sha256_verify
56 #define rsa_sha512_sign nettle_rsa_sha512_sign
57 #define rsa_sha512_verify nettle_rsa_sha512_verify
58 #define rsa_md5_sign_digest nettle_rsa_md5_sign_digest
59 #define rsa_md5_verify_digest nettle_rsa_md5_verify_digest
60 #define rsa_sha1_sign_digest nettle_rsa_sha1_sign_digest
61 #define rsa_sha1_verify_digest nettle_rsa_sha1_verify_digest
62 #define rsa_sha256_sign_digest nettle_rsa_sha256_sign_digest
63 #define rsa_sha256_verify_digest nettle_rsa_sha256_verify_digest
64 #define rsa_sha512_sign_digest nettle_rsa_sha512_sign_digest
65 #define rsa_sha512_verify_digest nettle_rsa_sha512_verify_digest
66 #define rsa_encrypt nettle_rsa_encrypt
67 #define rsa_decrypt nettle_rsa_decrypt
68 #define rsa_decrypt_tr nettle_rsa_decrypt_tr
69 #define rsa_compute_root nettle_rsa_compute_root
70 #define rsa_generate_keypair nettle_rsa_generate_keypair
71 #define rsa_keypair_to_sexp nettle_rsa_keypair_to_sexp
72 #define rsa_keypair_from_sexp_alist nettle_rsa_keypair_from_sexp_alist
73 #define rsa_keypair_from_sexp nettle_rsa_keypair_from_sexp
74 #define rsa_public_key_from_der_iterator nettle_rsa_public_key_from_der_iterator
75 #define rsa_private_key_from_der_iterator nettle_rsa_private_key_from_der_iterator
76 #define rsa_keypair_from_der nettle_rsa_keypair_from_der
77 #define rsa_keypair_to_openpgp nettle_rsa_keypair_to_openpgp
78 #define _rsa_verify _nettle_rsa_verify
79 #define _rsa_check_size _nettle_rsa_check_size
80 #define _rsa_blind _nettle_rsa_blind
81 #define _rsa_unblind _nettle_rsa_unblind
83 /* This limit is somewhat arbitrary. Technically, the smallest modulo
84 which makes sense at all is 15 = 3*5, phi(15) = 8, size 4 bits. But
85 for ridiculously small keys, not all odd e are possible (e.g., for
86 5 bits, the only possible modulo is 3*7 = 21, phi(21) = 12, and e =
87 3 don't work). The smallest size that makes sense with pkcs#1, and
88 which allows RSA encryption of one byte messages, is 12 octets, 89
91 #define RSA_MINIMUM_N_OCTETS 12
92 #define RSA_MINIMUM_N_BITS (8*RSA_MINIMUM_N_OCTETS - 7)
94 struct rsa_public_key
{
95 /* Size of the modulo, in octets. This is also the size of all
96 * signatures that are created or verified with this key. */
102 /* Public exponent */
106 struct rsa_private_key
{
109 /* d is filled in by the key generation function; otherwise it's
110 * completely unused. */
113 /* The two factors */
117 /* d % (p-1), i.e. a e = 1 (mod (p-1)) */
120 /* d % (q-1), i.e. b e = 1 (mod (q-1)) */
123 /* modular inverse of q , i.e. c q = 1 (mod p) */
127 /* Signing a message works as follows:
129 * Store the private key in a rsa_private_key struct.
131 * Call rsa_private_key_prepare. This initializes the size attribute
132 * to the length of a signature.
134 * Initialize a hashing context, by callling
137 * Hash the message by calling
140 * Create the signature by calling
143 * The signature is represented as a mpz_t bignum. This call also
144 * resets the hashing context.
146 * When done with the key and signature, don't forget to call
150 /* Calls mpz_init to initialize bignum storage. */
152 rsa_public_key_init(struct rsa_public_key
*key
);
154 /* Calls mpz_clear to deallocate bignum storage. */
156 rsa_public_key_clear(struct rsa_public_key
*key
);
159 rsa_public_key_prepare(struct rsa_public_key
*key
);
161 /* Calls mpz_init to initialize bignum storage. */
163 rsa_private_key_init(struct rsa_private_key
*key
);
165 /* Calls mpz_clear to deallocate bignum storage. */
167 rsa_private_key_clear(struct rsa_private_key
*key
);
170 rsa_private_key_prepare(struct rsa_private_key
*key
);
173 /* PKCS#1 style signatures */
175 rsa_pkcs1_sign(const struct rsa_private_key
*key
,
176 unsigned length
, const uint8_t * digest_info
,
180 rsa_pkcs1_sign_tr(const struct rsa_public_key
*pub
,
181 const struct rsa_private_key
*key
,
182 void *random_ctx
, nettle_random_func
* random
,
183 unsigned length
, const uint8_t * digest_info
,
186 rsa_pkcs1_verify(const struct rsa_public_key
*key
,
187 unsigned length
, const uint8_t * digest_info
,
188 const mpz_t signature
);
191 rsa_md5_sign(const struct rsa_private_key
*key
,
192 struct md5_ctx
*hash
, mpz_t signature
);
196 rsa_md5_verify(const struct rsa_public_key
*key
,
197 struct md5_ctx
*hash
, const mpz_t signature
);
200 rsa_sha1_sign(const struct rsa_private_key
*key
,
201 struct sha1_ctx
*hash
, mpz_t signature
);
204 rsa_sha1_verify(const struct rsa_public_key
*key
,
205 struct sha1_ctx
*hash
, const mpz_t signature
);
208 rsa_sha256_sign(const struct rsa_private_key
*key
,
209 struct sha256_ctx
*hash
, mpz_t signature
);
212 rsa_sha256_verify(const struct rsa_public_key
*key
,
213 struct sha256_ctx
*hash
, const mpz_t signature
);
216 rsa_sha512_sign(const struct rsa_private_key
*key
,
217 struct sha512_ctx
*hash
, mpz_t signature
);
220 rsa_sha512_verify(const struct rsa_public_key
*key
,
221 struct sha512_ctx
*hash
, const mpz_t signature
);
223 /* Variants taking the digest as argument. */
225 rsa_md5_sign_digest(const struct rsa_private_key
*key
,
226 const uint8_t * digest
, mpz_t s
);
229 rsa_md5_verify_digest(const struct rsa_public_key
*key
,
230 const uint8_t * digest
,
231 const mpz_t signature
);
234 rsa_sha1_sign_digest(const struct rsa_private_key
*key
,
235 const uint8_t * digest
, mpz_t s
);
238 rsa_sha1_verify_digest(const struct rsa_public_key
*key
,
239 const uint8_t * digest
,
240 const mpz_t signature
);
243 rsa_sha256_sign_digest(const struct rsa_private_key
*key
,
244 const uint8_t * digest
, mpz_t s
);
247 rsa_sha256_verify_digest(const struct rsa_public_key
*key
,
248 const uint8_t * digest
,
249 const mpz_t signature
);
252 rsa_sha512_sign_digest(const struct rsa_private_key
*key
,
253 const uint8_t * digest
, mpz_t s
);
256 rsa_sha512_verify_digest(const struct rsa_public_key
*key
,
257 const uint8_t * digest
,
258 const mpz_t signature
);
261 /* RSA encryption, using PKCS#1 */
262 /* These functions uses the v1.5 padding. What should the v2 (OAEP)
263 * functions be called? */
265 /* Returns 1 on success, 0 on failure, which happens if the
266 * message is too long for the key. */
268 rsa_encrypt(const struct rsa_public_key
*key
,
270 void *random_ctx
, nettle_random_func
* random
,
271 unsigned length
, const uint8_t * cleartext
,
274 /* Message must point to a buffer of size *LENGTH. KEY->size is enough
275 * for all valid messages. On success, *LENGTH is updated to reflect
276 * the actual length of the message. Returns 1 on success, 0 on
277 * failure, which happens if decryption failed or if the message
280 rsa_decrypt(const struct rsa_private_key
*key
,
281 unsigned *length
, uint8_t * cleartext
,
282 const mpz_t ciphertext
);
284 /* Timing-resistant version, using randomized RSA blinding. */
286 rsa_decrypt_tr(const struct rsa_public_key
*pub
,
287 const struct rsa_private_key
*key
,
288 void *random_ctx
, nettle_random_func
* random
,
289 unsigned *length
, uint8_t * message
,
290 const mpz_t gibberish
);
292 /* Compute x, the e:th root of m. Calling it with x == m is allowed. */
294 rsa_compute_root(const struct rsa_private_key
*key
,
295 mpz_t x
, const mpz_t m
);
300 /* Note that the key structs must be initialized first. */
302 rsa_generate_keypair(struct rsa_public_key
*pub
,
303 struct rsa_private_key
*key
,
305 nettle_random_func
* random
,
307 nettle_progress_func
* progress
,
308 /* Desired size of modulo, in bits */
310 /* Desired size of public exponent, in bits. If
311 * zero, the passed in value pub->e is used. */
315 #define RSA_SIGN(key, algorithm, ctx, length, data, signature) ( \
316 algorithm##_update(ctx, length, data), \
317 rsa_##algorithm##_sign(key, ctx, signature) \
320 #define RSA_VERIFY(key, algorithm, ctx, length, data, signature) ( \
321 algorithm##_update(ctx, length, data), \
322 rsa_##algorithm##_verify(key, ctx, signature) \
326 /* Keys in sexp form. */
328 struct nettle_buffer
;
330 /* Generates a public-key expression if PRIV is NULL .*/
332 rsa_keypair_to_sexp(struct nettle_buffer
*buffer
, const char *algorithm_name
, /* NULL means "rsa" */
333 const struct rsa_public_key
*pub
,
334 const struct rsa_private_key
*priv
);
336 struct sexp_iterator
;
339 rsa_keypair_from_sexp_alist(struct rsa_public_key
*pub
,
340 struct rsa_private_key
*priv
,
342 struct sexp_iterator
*i
);
344 /* If PRIV is NULL, expect a public-key expression. If PUB is NULL,
345 * expect a private key expression and ignore the parts not needed for
347 /* Keys must be initialized before calling this function, as usual. */
349 rsa_keypair_from_sexp(struct rsa_public_key
*pub
,
350 struct rsa_private_key
*priv
,
352 unsigned length
, const uint8_t * expr
);
355 /* Keys in PKCS#1 format. */
356 struct asn1_der_iterator
;
359 rsa_public_key_from_der_iterator(struct rsa_public_key
*pub
,
361 struct asn1_der_iterator
*i
);
364 rsa_private_key_from_der_iterator(struct rsa_public_key
*pub
,
365 struct rsa_private_key
*priv
,
367 struct asn1_der_iterator
*i
);
369 /* For public keys, use PRIV == NULL */
371 rsa_keypair_from_der(struct rsa_public_key
*pub
,
372 struct rsa_private_key
*priv
,
374 unsigned length
, const uint8_t * data
);
376 /* OpenPGP format. Experimental interface, subject to change. */
378 rsa_keypair_to_openpgp(struct nettle_buffer
*buffer
,
379 const struct rsa_public_key
*pub
,
380 const struct rsa_private_key
*priv
,
381 /* A single user id. NUL-terminated utf8. */
384 /* Internal functions. */
386 _rsa_verify(const struct rsa_public_key
*key
,
387 const mpz_t m
, const mpz_t s
);
390 _rsa_check_size(mpz_t n
);
393 _rsa_blind(const struct rsa_public_key
*pub
,
394 void *random_ctx
, nettle_random_func
* random
,
397 _rsa_unblind(const struct rsa_public_key
*pub
, mpz_t c
,
403 #endif /* NETTLE_RSA_H_INCLUDED */