| blob | 6fd59b39409ca979458b2777899e9fc612356787 |
1 // Copyright 2009 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
5 // Package rsa implements RSA encryption as specified in PKCS #1 and RFC 8017.
6 //
7 // RSA is a single, fundamental operation that is used in this package to
8 // implement either public-key encryption or public-key signatures.
9 //
10 // The original specification for encryption and signatures with RSA is PKCS #1
11 // and the terms "RSA encryption" and "RSA signatures" by default refer to
12 // PKCS #1 version 1.5. However, that specification has flaws and new designs
13 // should use version 2, usually called by just OAEP and PSS, where
14 // possible.
15 //
16 // Two sets of interfaces are included in this package. When a more abstract
17 // interface isn't necessary, there are functions for encrypting/decrypting
18 // with v1.5/OAEP and signing/verifying with v1.5/PSS. If one needs to abstract
19 // over the public key primitive, the PrivateKey type implements the
20 // Decrypter and Signer interfaces from the crypto package.
21 //
22 // The RSA operations in this package are not implemented using constant-time algorithms.
23 package rsa
26 "crypto"
27 "crypto/rand"
28 "crypto/subtle"
29 "errors"
30 "hash"
31 "io"
32 "math"
33 "math/big"
35 "crypto/internal/randutil"
36 )
41 // A PublicKey represents the public part of an RSA key.
45 }
47 // Any methods implemented on PublicKey might need to also be implemented on
48 // PrivateKey, as the latter embeds the former and will expose its methods.
50 // Size returns the modulus size in bytes. Raw signatures and ciphertexts
51 // for or by this public key will have the same size.
54 }
56 // Equal reports whether pub and x have the same value.
61 }
63 }
65 // OAEPOptions is an interface for passing options to OAEP decryption using the
66 // crypto.Decrypter interface.
68 // Hash is the hash function that will be used when generating the mask.
69 Hash crypto.Hash
70 // Label is an arbitrary byte string that must be equal to the value
71 // used when encrypting.
73 }
79 )
81 // checkPub sanity checks the public key before we use it.
82 // We require pub.E to fit into a 32-bit integer so that we
83 // do not have different behavior depending on whether
84 // int is 32 or 64 bits. See also
85 // https://www.imperialviolet.org/2012/03/16/rsae.html.
88 return errPublicModulus
89 }
91 return errPublicExponentSmall
92 }
94 return errPublicExponentLarge
95 }
97 }
99 // A PrivateKey represents an RSA key
101 PublicKey // public part.
105 // Precomputed contains precomputed values that speed up private
106 // operations, if available.
107 Precomputed PrecomputedValues
108 }
110 // Public returns the public key corresponding to priv.
113 }
115 // Equal reports whether priv and x have equivalent values. It ignores
116 // Precomputed values.
121 }
124 }
127 }
131 }
132 }
134 }
136 // Sign signs digest with priv, reading randomness from rand. If opts is a
137 // *PSSOptions then the PSS algorithm will be used, otherwise PKCS #1 v1.5 will
138 // be used. digest must be the result of hashing the input message using
139 // opts.HashFunc().
140 //
141 // This method implements crypto.Signer, which is an interface to support keys
142 // where the private part is kept in, for example, a hardware module. Common
143 // uses should use the Sign* functions in this package directly.
144 func (priv *PrivateKey) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
147 }
150 }
152 // Decrypt decrypts ciphertext with priv. If opts is nil or of type
153 // *PKCS1v15DecryptOptions then PKCS #1 v1.5 decryption is performed. Otherwise
154 // opts must have type *OAEPOptions and OAEP decryption is done.
155 func (priv *PrivateKey) Decrypt(rand io.Reader, ciphertext []byte, opts crypto.DecrypterOpts) (plaintext []byte, err error) {
158 }
169 }
172 }
176 }
180 }
181 }
187 // CRTValues is used for the 3rd and subsequent primes. Due to a
188 // historical accident, the CRT for the first two primes is handled
189 // differently in PKCS #1 and interoperability is sufficiently
190 // important that we mirror this.
191 CRTValues []CRTValue
192 }
194 // CRTValue contains the precomputed Chinese remainder theorem values.
199 }
201 // Validate performs basic sanity checks on the key.
202 // It returns nil if the key is valid, or else an error describing a problem.
205 return err
206 }
208 // Check that Πprimes == n.
211 // Any primes ≤ 1 will cause divide-by-zero panics later.
214 }
216 }
219 }
221 // Check that de ≡ 1 mod p-1, for each prime.
222 // This implies that e is coprime to each p-1 as e has a multiplicative
223 // inverse. Therefore e is coprime to lcm(p-1,q-1,r-1,...) =
224 // exponent(ℤ/nℤ). It also implies that a^de ≡ a mod p as a^(p-1) ≡ 1
225 // mod p. Thus a^de ≡ a mod n for all a coprime to n, as required.
234 }
235 }
237 }
239 // GenerateKey generates an RSA keypair of the given bit size using the
240 // random source random (for example, crypto/rand.Reader).
243 }
245 // GenerateMultiPrimeKey generates a multi-prime RSA keypair of the given bit
246 // size and the given random source, as suggested in [1]. Although the public
247 // keys are compatible (actually, indistinguishable) from the 2-prime case,
248 // the private keys are not. Thus it may not be possible to export multi-prime
249 // private keys in certain formats or to subsequently import them into other
250 // code.
251 //
252 // Table 1 in [2] suggests maximum numbers of primes for a given size.
253 //
254 // [1] US patent 4405829 (1972, expired)
255 // [2] http://www.cacr.math.uwaterloo.ca/techreports/2006/cacr2006-16.pdf
264 }
268 // pi approximates the number of primes less than primeLimit
270 // Generated primes start with 11 (in binary) so we can only
271 // use a quarter of them.
273 // Use a factor of two to ensure that key generation terminates
274 // in a reasonable amount of time.
278 }
279 }
283 NextSetOfPrimes:
285 todo := bits
286 // crypto/rand should set the top two bits in each prime.
287 // Thus each prime has the form
288 // p_i = 2^bitlen(p_i) × 0.11... (in base 2).
289 // And the product is:
290 // P = 2^todo × α
291 // where α is the product of nprimes numbers of the form 0.11...
292 //
293 // If α < 1/2 (which can happen for nprimes > 2), we need to
294 // shift todo to compensate for lost bits: the mean value of 0.11...
295 // is 7/8, so todo + shift - nprimes * log2(7/8) ~= bits - 1/2
296 // will give good results.
299 }
301 var err error
305 }
307 }
309 // Make sure that primes is pairwise unequal.
313 continue NextSetOfPrimes
314 }
315 }
316 }
325 }
327 // This should never happen for nprimes == 2 because
328 // crypto/rand should set the top two bits in each prime.
329 // For nprimes > 2 we hope it does not happen often.
330 continue NextSetOfPrimes
331 }
340 break
341 }
342 }
346 }
348 // incCounter increments a four byte, big-endian counter.
351 return
352 }
354 return
355 }
357 return
358 }
360 }
362 // mgf1XOR XORs the bytes in out with a mask generated using the MGF1 function
363 // specified in PKCS #1 v2.1.
377 done++
378 }
380 }
381 }
383 // ErrMessageTooLong is returned when attempting to encrypt a message which is
384 // too large for the size of the public key.
390 return c
391 }
393 // EncryptOAEP encrypts the given message with RSA-OAEP.
394 //
395 // OAEP is parameterised by a hash function that is used as a random oracle.
396 // Encryption and decryption of a given message must use the same hash function
397 // and sha256.New() is a reasonable choice.
398 //
399 // The random parameter is used as a source of entropy to ensure that
400 // encrypting the same message twice doesn't result in the same ciphertext.
401 //
402 // The label parameter may contain arbitrary data that will not be encrypted,
403 // but which gives important context to the message. For example, if a given
404 // public key is used to encrypt two types of messages then distinct label
405 // values could be used to ensure that a ciphertext for one purpose cannot be
406 // used for another by an attacker. If not required it can be empty.
407 //
408 // The message must be no longer than the length of the public modulus minus
409 // twice the hash length, minus a further 2.
410 func EncryptOAEP(hash hash.Hash, random io.Reader, pub *PublicKey, msg []byte, label []byte) ([]byte, error) {
413 }
418 }
435 }
446 }
448 // ErrDecryption represents a failure to decrypt a message.
449 // It is deliberately vague to avoid adaptive attacks.
452 // ErrVerification represents a failure to verify a signature.
453 // It is deliberately vague to avoid adaptive attacks.
456 // Precompute performs some calculations that speed up private key operations
457 // in the future.
460 return
461 }
484 }
485 }
487 // decrypt performs an RSA decryption, resulting in a plaintext integer. If a
488 // random source is given, RSA blinding is used.
490 // TODO(agl): can we get away with reusing blinds?
492 err = ErrDecryption
493 return
494 }
497 }
503 // Blinding enabled. Blinding involves multiplying c by r^e.
504 // Then the decryption operation performs (m^e * r^e)^d mod n
505 // which equals mr mod n. The factor of r can then be removed
506 // by multiplying by the multiplicative inverse of r.
513 return
514 }
516 r = bigOne
517 }
520 break
521 }
522 }
528 c = cCopy
529 }
534 // We have the precalculated values needed for the CRT.
540 }
554 }
557 }
558 }
561 // Unblind.
564 }
566 return
567 }
573 }
575 // In order to defend against errors in the CRT computation, m^e is
576 // calculated, which should match the original ciphertext.
580 }
582 }
584 // DecryptOAEP decrypts ciphertext using RSA-OAEP.
585 //
586 // OAEP is parameterised by a hash function that is used as a random oracle.
587 // Encryption and decryption of a given message must use the same hash function
588 // and sha256.New() is a reasonable choice.
589 //
590 // The random parameter, if not nil, is used to blind the private-key operation
591 // and avoid timing side-channel attacks. Blinding is purely internal to this
592 // function – the random data need not match that used when encrypting.
593 //
594 // The label parameter must match the value given when encrypting. See
595 // EncryptOAEP for details.
596 func DecryptOAEP(hash hash.Hash, random io.Reader, priv *PrivateKey, ciphertext []byte, label []byte) ([]byte, error) {
599 }
604 }
611 }
617 // We probably leak the number of leading zeros.
618 // It's not clear that we can do anything about this.
631 // We have to validate the plaintext in constant time in order to avoid
632 // attacks like: J. Manger. A Chosen Ciphertext Attack on RSA Optimal
633 // Asymmetric Encryption Padding (OAEP) as Standardized in PKCS #1
634 // v2.0. In J. Kilian, editor, Advances in Cryptology.
637 // The remainder of the plaintext must be zero or more 0x00, followed
638 // by 0x01, followed by the message.
639 // lookingForIndex: 1 iff we are still looking for the 0x01
640 // index: the offset of the first 0x01 byte
641 // invalid: 1 iff we saw a non-zero byte before the 0x01.
652 }
656 }
659 }