libgo/go/crypto/rsa/pss.go

   1 // Copyright 2013 The Go Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style
   3 // license that can be found in the LICENSE file.
   4
   5 package rsa
   6
   7 // This file implements the PSS signature scheme [1].
   8 //
   9 // [1] https://www.emc.com/collateral/white-papers/h11300-pkcs-1v2-2-rsa-cryptography-standard-wp.pdf
  10
  11 import (
  12         "bytes"
  13         "crypto"
  14         "errors"
  15         "hash"
  16         "io"
  17         "math/big"
  18 )
  19
  20 func emsaPSSEncode(mHash []byte, emBits int, salt []byte, hash hash.Hash) ([]byte, error) {
  21         // See [1], section 9.1.1
  22         hLen := hash.Size()
  23         sLen := len(salt)
  24         emLen := (emBits + 7) / 8
  25
  26         // 1.  If the length of M is greater than the input limitation for the
  27         //     hash function (2^61 - 1 octets for SHA-1), output "message too
  28         //     long" and stop.
  29         //
  30         // 2.  Let mHash = Hash(M), an octet string of length hLen.
  31
  32         if len(mHash) != hLen {
  33                 return nil, errors.New("crypto/rsa: input must be hashed message")
  34         }
  35
  36         // 3.  If emLen < hLen + sLen + 2, output "encoding error" and stop.
  37
  38         if emLen < hLen+sLen+2 {
  39                 return nil, errors.New("crypto/rsa: key size too small for PSS signature")
  40         }
  41
  42         em := make([]byte, emLen)
  43         db := em[:emLen-sLen-hLen-2+1+sLen]
  44         h := em[emLen-sLen-hLen-2+1+sLen : emLen-1]
  45
  46         // 4.  Generate a random octet string salt of length sLen; if sLen = 0,
  47         //     then salt is the empty string.
  48         //
  49         // 5.  Let
  50         //       M' = (0x)00 00 00 00 00 00 00 00 || mHash || salt;
  51         //
  52         //     M' is an octet string of length 8 + hLen + sLen with eight
  53         //     initial zero octets.
  54         //
  55         // 6.  Let H = Hash(M'), an octet string of length hLen.
  56
  57         var prefix [8]byte
  58
  59         hash.Write(prefix[:])
  60         hash.Write(mHash)
  61         hash.Write(salt)
  62
  63         h = hash.Sum(h[:0])
  64         hash.Reset()
  65
  66         // 7.  Generate an octet string PS consisting of emLen - sLen - hLen - 2
  67         //     zero octets. The length of PS may be 0.
  68         //
  69         // 8.  Let DB = PS || 0x01 || salt; DB is an octet string of length
  70         //     emLen - hLen - 1.
  71
  72         db[emLen-sLen-hLen-2] = 0x01
  73         copy(db[emLen-sLen-hLen-1:], salt)
  74
  75         // 9.  Let dbMask = MGF(H, emLen - hLen - 1).
  76         //
  77         // 10. Let maskedDB = DB \xor dbMask.
  78
  79         mgf1XOR(db, hash, h)
  80
  81         // 11. Set the leftmost 8 * emLen - emBits bits of the leftmost octet in
  82         //     maskedDB to zero.
  83
  84         db[0] &= (0xFF >> uint(8*emLen-emBits))
  85
  86         // 12. Let EM = maskedDB || H || 0xbc.
  87         em[emLen-1] = 0xBC
  88
  89         // 13. Output EM.
  90         return em, nil
  91 }
  92
  93 func emsaPSSVerify(mHash, em []byte, emBits, sLen int, hash hash.Hash) error {
  94         // 1.  If the length of M is greater than the input limitation for the
  95         //     hash function (2^61 - 1 octets for SHA-1), output "inconsistent"
  96         //     and stop.
  97         //
  98         // 2.  Let mHash = Hash(M), an octet string of length hLen.
  99         hLen := hash.Size()
 100         if hLen != len(mHash) {
 101                 return ErrVerification
 102         }
 103
 104         // 3.  If emLen < hLen + sLen + 2, output "inconsistent" and stop.
 105         emLen := (emBits + 7) / 8
 106         if emLen < hLen+sLen+2 {
 107                 return ErrVerification
 108         }
 109
 110         // 4.  If the rightmost octet of EM does not have hexadecimal value
 111         //     0xbc, output "inconsistent" and stop.
 112         if em[len(em)-1] != 0xBC {
 113                 return ErrVerification
 114         }
 115
 116         // 5.  Let maskedDB be the leftmost emLen - hLen - 1 octets of EM, and
 117         //     let H be the next hLen octets.
 118         db := em[:emLen-hLen-1]
 119         h := em[emLen-hLen-1 : len(em)-1]
 120
 121         // 6.  If the leftmost 8 * emLen - emBits bits of the leftmost octet in
 122         //     maskedDB are not all equal to zero, output "inconsistent" and
 123         //     stop.
 124         if em[0]&(0xFF<<uint(8-(8*emLen-emBits))) != 0 {
 125                 return ErrVerification
 126         }
 127
 128         // 7.  Let dbMask = MGF(H, emLen - hLen - 1).
 129         //
 130         // 8.  Let DB = maskedDB \xor dbMask.
 131         mgf1XOR(db, hash, h)
 132
 133         // 9.  Set the leftmost 8 * emLen - emBits bits of the leftmost octet in DB
 134         //     to zero.
 135         db[0] &= (0xFF >> uint(8*emLen-emBits))
 136
 137         if sLen == PSSSaltLengthAuto {
 138         FindSaltLength:
 139                 for sLen = emLen - (hLen + 2); sLen >= 0; sLen-- {
 140                         switch db[emLen-hLen-sLen-2] {
 141                         case 1:
 142                                 break FindSaltLength
 143                         case 0:
 144                                 continue
 145                         default:
 146                                 return ErrVerification
 147                         }
 148                 }
 149                 if sLen < 0 {
 150                         return ErrVerification
 151                 }
 152         } else {
 153                 // 10. If the emLen - hLen - sLen - 2 leftmost octets of DB are not zero
 154                 //     or if the octet at position emLen - hLen - sLen - 1 (the leftmost
 155                 //     position is "position 1") does not have hexadecimal value 0x01,
 156                 //     output "inconsistent" and stop.
 157                 for _, e := range db[:emLen-hLen-sLen-2] {
 158                         if e != 0x00 {
 159                                 return ErrVerification
 160                         }
 161                 }
 162                 if db[emLen-hLen-sLen-2] != 0x01 {
 163                         return ErrVerification
 164                 }
 165         }
 166
 167         // 11.  Let salt be the last sLen octets of DB.
 168         salt := db[len(db)-sLen:]
 169
 170         // 12.  Let
 171         //          M' = (0x)00 00 00 00 00 00 00 00 || mHash || salt ;
 172         //     M' is an octet string of length 8 + hLen + sLen with eight
 173         //     initial zero octets.
 174         //
 175         // 13. Let H' = Hash(M'), an octet string of length hLen.
 176         var prefix [8]byte
 177         hash.Write(prefix[:])
 178         hash.Write(mHash)
 179         hash.Write(salt)
 180
 181         h0 := hash.Sum(nil)
 182
 183         // 14. If H = H', output "consistent." Otherwise, output "inconsistent."
 184         if !bytes.Equal(h0, h) {
 185                 return ErrVerification
 186         }
 187         return nil
 188 }
 189
 190 // signPSSWithSalt calculates the signature of hashed using PSS [1] with specified salt.
 191 // Note that hashed must be the result of hashing the input message using the
 192 // given hash function. salt is a random sequence of bytes whose length will be
 193 // later used to verify the signature.
 194 func signPSSWithSalt(rand io.Reader, priv *PrivateKey, hash crypto.Hash, hashed, salt []byte) (s []byte, err error) {
 195         nBits := priv.N.BitLen()
 196         em, err := emsaPSSEncode(hashed, nBits-1, salt, hash.New())
 197         if err != nil {
 198                 return
 199         }
 200         m := new(big.Int).SetBytes(em)
 201         c, err := decryptAndCheck(rand, priv, m)
 202         if err != nil {
 203                 return
 204         }
 205         s = make([]byte, (nBits+7)/8)
 206         copyWithLeftPad(s, c.Bytes())
 207         return
 208 }
 209
 210 const (
 211         // PSSSaltLengthAuto causes the salt in a PSS signature to be as large
 212         // as possible when signing, and to be auto-detected when verifying.
 213         PSSSaltLengthAuto = 0
 214         // PSSSaltLengthEqualsHash causes the salt length to equal the length
 215         // of the hash used in the signature.
 216         PSSSaltLengthEqualsHash = -1
 217 )
 218
 219 // PSSOptions contains options for creating and verifying PSS signatures.
 220 type PSSOptions struct {
 221         // SaltLength controls the length of the salt used in the PSS
 222         // signature. It can either be a number of bytes, or one of the special
 223         // PSSSaltLength constants.
 224         SaltLength int
 225
 226         // Hash, if not zero, overrides the hash function passed to SignPSS.
 227         // This is the only way to specify the hash function when using the
 228         // crypto.Signer interface.
 229         Hash crypto.Hash
 230 }
 231
 232 // HashFunc returns pssOpts.Hash so that PSSOptions implements
 233 // crypto.SignerOpts.
 234 func (pssOpts *PSSOptions) HashFunc() crypto.Hash {
 235         return pssOpts.Hash
 236 }
 237
 238 func (opts *PSSOptions) saltLength() int {
 239         if opts == nil {
 240                 return PSSSaltLengthAuto
 241         }
 242         return opts.SaltLength
 243 }
 244
 245 // SignPSS calculates the signature of hashed using RSASSA-PSS [1].
 246 // Note that hashed must be the result of hashing the input message using the
 247 // given hash function. The opts argument may be nil, in which case sensible
 248 // defaults are used.
 249 func SignPSS(rand io.Reader, priv *PrivateKey, hash crypto.Hash, hashed []byte, opts *PSSOptions) ([]byte, error) {
 250         saltLength := opts.saltLength()
 251         switch saltLength {
 252         case PSSSaltLengthAuto:
 253                 saltLength = (priv.N.BitLen()+7)/8 - 2 - hash.Size()
 254         case PSSSaltLengthEqualsHash:
 255                 saltLength = hash.Size()
 256         }
 257
 258         if opts != nil && opts.Hash != 0 {
 259                 hash = opts.Hash
 260         }
 261
 262         salt := make([]byte, saltLength)
 263         if _, err := io.ReadFull(rand, salt); err != nil {
 264                 return nil, err
 265         }
 266         return signPSSWithSalt(rand, priv, hash, hashed, salt)
 267 }
 268
 269 // VerifyPSS verifies a PSS signature.
 270 // hashed is the result of hashing the input message using the given hash
 271 // function and sig is the signature. A valid signature is indicated by
 272 // returning a nil error. The opts argument may be nil, in which case sensible
 273 // defaults are used.
 274 func VerifyPSS(pub *PublicKey, hash crypto.Hash, hashed []byte, sig []byte, opts *PSSOptions) error {
 275         return verifyPSS(pub, hash, hashed, sig, opts.saltLength())
 276 }
 277
 278 // verifyPSS verifies a PSS signature with the given salt length.
 279 func verifyPSS(pub *PublicKey, hash crypto.Hash, hashed []byte, sig []byte, saltLen int) error {
 280         nBits := pub.N.BitLen()
 281         if len(sig) != (nBits+7)/8 {
 282                 return ErrVerification
 283         }
 284         s := new(big.Int).SetBytes(sig)
 285         m := encrypt(new(big.Int), pub, s)
 286         emBits := nBits - 1
 287         emLen := (emBits + 7) / 8
 288         if emLen < len(m.Bytes()) {
 289                 return ErrVerification
 290         }
 291         em := make([]byte, emLen)
 292         copyWithLeftPad(em, m.Bytes())
 293         if saltLen == PSSSaltLengthEqualsHash {
 294                 saltLen = hash.Size()
 295         }
 296         return emsaPSSVerify(hashed, em, emBits, saltLen, hash.New())
 297 }