| blob | bce6ba4eba31121edfb394f6112b23500461ac14 |
1 // Copyright 2009 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
5 // Package rsa implements RSA encryption as specified in PKCS#1.
6 package rsa
9 "crypto/rand"
10 "crypto/subtle"
11 "errors"
12 "hash"
13 "io"
14 "math/big"
15 )
20 // A PublicKey represents the public part of an RSA key.
24 }
30 )
32 // checkPub sanity checks the public key before we use it.
33 // We require pub.E to fit into a 32-bit integer so that we
34 // do not have different behavior depending on whether
35 // int is 32 or 64 bits. See also
36 // http://www.imperialviolet.org/2012/03/16/rsae.html.
39 return errPublicModulus
40 }
42 return errPublicExponentSmall
43 }
45 return errPublicExponentLarge
46 }
48 }
50 // A PrivateKey represents an RSA key
52 PublicKey // public part.
56 // Precomputed contains precomputed values that speed up private
57 // operations, if available.
58 Precomputed PrecomputedValues
59 }
65 // CRTValues is used for the 3rd and subsequent primes. Due to a
66 // historical accident, the CRT for the first two primes is handled
67 // differently in PKCS#1 and interoperability is sufficiently
68 // important that we mirror this.
69 CRTValues []CRTValue
70 }
72 // CRTValue contains the precomputed chinese remainder theorem values.
77 }
79 // Validate performs basic sanity checks on the key.
80 // It returns nil if the key is valid, or else an error describing a problem.
83 return err
84 }
86 // Check that the prime factors are actually prime. Note that this is
87 // just a sanity check. Since the random witnesses chosen by
88 // ProbablyPrime are deterministic, given the candidate number, it's
89 // easy for an attack to generate composites that pass this test.
93 }
94 }
96 // Check that Πprimes == n.
100 }
103 }
105 // Check that de ≡ 1 mod p-1, for each prime.
106 // This implies that e is coprime to each p-1 as e has a multiplicative
107 // inverse. Therefore e is coprime to lcm(p-1,q-1,r-1,...) =
108 // exponent(ℤ/nℤ). It also implies that a^de ≡ a mod p as a^(p-1) ≡ 1
109 // mod p. Thus a^de ≡ a mod n for all a coprime to n, as required.
118 }
119 }
121 }
123 // GenerateKey generates an RSA keypair of the given bit size using the
124 // random source random (for example, crypto/rand.Reader).
127 }
129 // GenerateMultiPrimeKey generates a multi-prime RSA keypair of the given bit
130 // size and the given random source, as suggested in [1]. Although the public
131 // keys are compatible (actually, indistinguishable) from the 2-prime case,
132 // the private keys are not. Thus it may not be possible to export multi-prime
133 // private keys in certain formats or to subsequently import them into other
134 // code.
135 //
136 // Table 1 in [2] suggests maximum numbers of primes for a given size.
137 //
138 // [1] US patent 4405829 (1972, expired)
139 // [2] http://www.cacr.math.uwaterloo.ca/techreports/2006/cacr2006-16.pdf
140 func GenerateMultiPrimeKey(random io.Reader, nprimes int, bits int) (priv *PrivateKey, err error) {
146 }
150 NextSetOfPrimes:
152 todo := bits
153 // crypto/rand should set the top two bits in each prime.
154 // Thus each prime has the form
155 // p_i = 2^bitlen(p_i) × 0.11... (in base 2).
156 // And the product is:
157 // P = 2^todo × α
158 // where α is the product of nprimes numbers of the form 0.11...
159 //
160 // If α < 1/2 (which can happen for nprimes > 2), we need to
161 // shift todo to compensate for lost bits: the mean value of 0.11...
162 // is 7/8, so todo + shift - nprimes * log2(7/8) ~= bits - 1/2
163 // will give good results.
166 }
171 }
173 }
175 // Make sure that primes is pairwise unequal.
179 continue NextSetOfPrimes
180 }
181 }
182 }
191 }
193 // This should never happen for nprimes == 2 because
194 // crypto/rand should set the top two bits in each prime.
195 // For nprimes > 2 we hope it does not happen often.
196 continue NextSetOfPrimes
197 }
208 }
212 break
213 }
214 }
217 return
218 }
220 // incCounter increments a four byte, big-endian counter.
223 return
224 }
226 return
227 }
229 return
230 }
232 }
234 // mgf1XOR XORs the bytes in out with a mask generated using the MGF1 function
235 // specified in PKCS#1 v2.1.
249 done++
250 }
252 }
253 }
255 // ErrMessageTooLong is returned when attempting to encrypt a message which is
256 // too large for the size of the public key.
262 return c
263 }
265 // EncryptOAEP encrypts the given message with RSA-OAEP.
266 // The message must be no longer than the length of the public modulus less
267 // twice the hash length plus 2.
268 func EncryptOAEP(hash hash.Hash, random io.Reader, pub *PublicKey, msg []byte, label []byte) (out []byte, err error) {
271 }
275 err = ErrMessageTooLong
276 return
277 }
293 return
294 }
305 // If the output is too small, we need to left-pad with zeros.
308 out = t
309 }
311 return
312 }
314 // ErrDecryption represents a failure to decrypt a message.
315 // It is deliberately vague to avoid adaptive attacks.
318 // ErrVerification represents a failure to verify a signature.
319 // It is deliberately vague to avoid adaptive attacks.
322 // modInverse returns ia, the inverse of a in the multiplicative group of prime
323 // order n. It requires that a be a member of the group (i.e. less than n).
330 // In this case, a and n aren't coprime and we cannot calculate
331 // the inverse. This happens because the values of n are nearly
332 // prime (being the product of two primes) rather than truly
333 // prime.
334 return
335 }
338 // 0 is not the multiplicative inverse of any element so, if x
339 // < 1, then x is negative.
341 }
344 }
346 // Precompute performs some calculations that speed up private key operations
347 // in the future.
350 return
351 }
374 }
375 }
377 // decrypt performs an RSA decryption, resulting in a plaintext integer. If a
378 // random source is given, RSA blinding is used.
380 // TODO(agl): can we get away with reusing blinds?
382 err = ErrDecryption
383 return
384 }
388 // Blinding enabled. Blinding involves multiplying c by r^e.
389 // Then the decryption operation performs (m^e * r^e)^d mod n
390 // which equals mr mod n. The factor of r can then be removed
391 // by multiplying by the multiplicative inverse of r.
398 return
399 }
401 r = bigOne
402 }
406 break
407 }
408 }
414 c = cCopy
415 }
420 // We have the precalculated values needed for the CRT.
426 }
440 }
443 }
444 }
447 // Unblind.
450 }
452 return
453 }
455 // DecryptOAEP decrypts ciphertext using RSA-OAEP.
456 // If random != nil, DecryptOAEP uses RSA blinding to avoid timing side-channel attacks.
457 func DecryptOAEP(hash hash.Hash, random io.Reader, priv *PrivateKey, ciphertext []byte, label []byte) (msg []byte, err error) {
460 }
464 err = ErrDecryption
465 return
466 }
472 return
473 }
479 // Converting the plaintext number to bytes will strip any
480 // leading zeros so we may have to left pad. We do this unconditionally
481 // to avoid leaking timing information. (Although we still probably
482 // leak the number of leading zeros. It's not clear that we can do
483 // anything about this.)
496 // We have to validate the plaintext in constant time in order to avoid
497 // attacks like: J. Manger. A Chosen Ciphertext Attack on RSA Optimal
498 // Asymmetric Encryption Padding (OAEP) as Standardized in PKCS #1
499 // v2.0. In J. Kilian, editor, Advances in Cryptology.
502 // The remainder of the plaintext must be zero or more 0x00, followed
503 // by 0x01, followed by the message.
504 // lookingForIndex: 1 iff we are still looking for the 0x01
505 // index: the offset of the first 0x01 byte
506 // invalid: 1 iff we saw a non-zero byte before the 0x01.
517 }
520 err = ErrDecryption
521 return
522 }
525 return
526 }
528 // leftPad returns a new slice of length size. The contents of input are right
529 // aligned in the new slice.
533 n = size
534 }
537 return
538 }