| blob | c7a8d2053d8675a8425069ee77be8b43ee7e6912 |
1 // Copyright 2009 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
5 // This package implements RSA encryption as specified in PKCS#1.
6 package rsa
8 // TODO(agl): Add support for PSS padding.
11 "big"
12 "crypto/subtle"
13 "hash"
14 "io"
15 "os"
16 )
21 // randomPrime returns a number, p, of the given size, such that p is prime
22 // with high probability.
26 }
34 return
35 }
37 // Don't let the value be too small.
39 // Make the value odd since an even number this large certainly isn't prime.
44 return
45 }
46 }
48 return
49 }
51 // randomNumber returns a uniform random value in [0, max).
55 // r is the number of bits in the used in the most significant byte of
56 // max.
60 }
68 return
69 }
71 // Clear bits in the first byte to increase the probability
72 // that the candidate is < max.
77 return
78 }
79 }
81 return
82 }
84 // A PublicKey represents the public part of an RSA key.
88 }
90 // A PrivateKey represents an RSA key
92 PublicKey // public part.
95 }
97 // Validate performs basic sanity checks on the key.
98 // It returns nil if the key is valid, or else an os.Error describing a problem.
101 // Check that p and q are prime. Note that this is just a sanity
102 // check. Since the random witnesses chosen by ProbablyPrime are
103 // deterministic, given the candidate number, it's easy for an attack
104 // to generate composites that pass this test.
107 }
110 }
112 // Check that p*q == n.
116 }
117 // Check that e and totient(p, q) are coprime.
128 }
129 // Check that de ≡ 1 (mod totient(p, q))
134 }
136 }
138 // GenerateKeyPair generates an RSA keypair of the given bit size.
141 // Smaller public exponents lead to faster public key
142 // operations. Since the exponent must be coprime to
143 // (p-1)(q-1), the smallest possible value is 3. Some have
144 // suggested that a larger exponent (often 2**16+1) be used
145 // since previous implementation bugs[1] were avoided when this
146 // was the case. However, there are no current reasons not to use
147 // small exponents.
148 // [1] http://marc.info/?l=cryptography&m=115694833312008&w=2
159 }
164 }
167 continue
168 }
187 break
188 }
189 }
191 return
192 }
194 // incCounter increments a four byte, big-endian counter.
197 return
198 }
200 return
201 }
203 return
204 }
206 }
208 // mgf1XOR XORs the bytes in out with a mask generated using the MGF1 function
209 // specified in PKCS#1 v2.1.
222 done++
223 }
225 }
226 }
228 // MessageTooLongError is returned when attempting to encrypt a message which
229 // is too large for the size of the public key.
234 }
239 return c
240 }
242 // EncryptOAEP encrypts the given message with RSA-OAEP.
243 // The message must be no longer than the length of the public modulus less
244 // twice the hash length plus 2.
245 func EncryptOAEP(hash hash.Hash, rand io.Reader, pub *PublicKey, msg []byte, label []byte) (out []byte, err os.Error) {
250 return
251 }
267 return
268 }
277 return
278 }
280 // A DecryptionError represents a failure to decrypt a message.
281 // It is deliberately vague to avoid adaptive attacks.
286 // A VerificationError represents a failure to verify a signature.
287 // It is deliberately vague to avoid adaptive attacks.
292 // modInverse returns ia, the inverse of a in the multiplicative group of prime
293 // order n. It requires that a be a member of the group (i.e. less than n).
300 // In this case, a and n aren't coprime and we cannot calculate
301 // the inverse. This happens because the values of n are nearly
302 // prime (being the product of two primes) rather than truly
303 // prime.
304 return
305 }
308 // 0 is not the multiplicative inverse of any element so, if x
309 // < 1, then x is negative.
311 }
314 }
316 // decrypt performs an RSA decryption, resulting in a plaintext integer. If a
317 // random source is given, RSA blinding is used.
319 // TODO(agl): can we get away with reusing blinds?
322 return
323 }
327 // Blinding enabled. Blinding involves multiplying c by r^e.
328 // Then the decryption operation performs (m^e * r^e)^d mod n
329 // which equals mr mod n. The factor of r can then be removed
330 // by multipling by the multiplicative inverse of r.
337 return
338 }
340 r = bigOne
341 }
345 break
346 }
347 }
352 }
357 // Unblind.
360 }
362 return
363 }
365 // DecryptOAEP decrypts ciphertext using RSA-OAEP.
366 // If rand != nil, DecryptOAEP uses RSA blinding to avoid timing side-channel attacks.
367 func DecryptOAEP(hash hash.Hash, rand io.Reader, priv *PrivateKey, ciphertext []byte, label []byte) (msg []byte, err os.Error) {
372 return
373 }
379 return
380 }
386 // Converting the plaintext number to bytes will strip any
387 // leading zeros so we may have to left pad. We do this unconditionally
388 // to avoid leaking timing information. (Although we still probably
389 // leak the number of leading zeros. It's not clear that we can do
390 // anything about this.)
403 // We have to validate the plaintext in constant time in order to avoid
404 // attacks like: J. Manger. A Chosen Ciphertext Attack on RSA Optimal
405 // Asymmetric Encryption Padding (OAEP) as Standardized in PKCS #1
406 // v2.0. In J. Kilian, editor, Advances in Cryptology.
409 // The remainder of the plaintext must be zero or more 0x00, followed
410 // by 0x01, followed by the message.
411 // lookingForIndex: 1 iff we are still looking for the 0x01
412 // index: the offset of the first 0x01 byte
413 // invalid: 1 iff we saw a non-zero byte before the 0x01.
424 }
428 return
429 }
432 return
433 }
435 // leftPad returns a new slice of length size. The contents of input are right
436 // aligned in the new slice.
440 n = size
441 }
444 return
445 }