| blob | 4226f389751f08fe35e6e18557672306139d09ce |
1 /* rsa.h
2 *
3 * The RSA publickey algorithm.
4 */
6 /* nettle, low-level cryptographics library
7 *
8 * Copyright (C) 2001, 2002 Niels Möller
9 *
10 * The nettle library is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU Lesser General Public License as published by
12 * the Free Software Foundation; either version 2.1 of the License, or (at your
13 * option) any later version.
14 *
15 * The nettle library is distributed in the hope that it will be useful, but
16 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
17 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public
18 * License for more details.
19 *
20 * You should have received a copy of the GNU Lesser General Public License
21 * along with the nettle library; see the file COPYING.LIB. If not, write to
22 * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
23 * MA 02111-1301, USA.
24 */
26 #ifndef NETTLE_RSA_H_INCLUDED
27 #define NETTLE_RSA_H_INCLUDED
29 #include <gmp.h>
36 #ifdef __cplusplus
38 #endif
40 /* Name mangling */
41 #define rsa_public_key_init nettle_rsa_public_key_init
42 #define rsa_public_key_clear nettle_rsa_public_key_clear
43 #define rsa_public_key_prepare nettle_rsa_public_key_prepare
44 #define rsa_private_key_init nettle_rsa_private_key_init
45 #define rsa_private_key_clear nettle_rsa_private_key_clear
46 #define rsa_private_key_prepare nettle_rsa_private_key_prepare
47 #define rsa_pkcs1_verify nettle_rsa_pkcs1_verify
48 #define rsa_pkcs1_sign nettle_rsa_pkcs1_sign
49 #define rsa_pkcs1_sign_tr nettle_rsa_pkcs1_sign_tr
50 #define rsa_md5_sign nettle_rsa_md5_sign
51 #define rsa_md5_verify nettle_rsa_md5_verify
52 #define rsa_sha1_sign nettle_rsa_sha1_sign
53 #define rsa_sha1_verify nettle_rsa_sha1_verify
54 #define rsa_sha256_sign nettle_rsa_sha256_sign
55 #define rsa_sha256_verify nettle_rsa_sha256_verify
56 #define rsa_sha512_sign nettle_rsa_sha512_sign
57 #define rsa_sha512_verify nettle_rsa_sha512_verify
58 #define rsa_md5_sign_digest nettle_rsa_md5_sign_digest
59 #define rsa_md5_verify_digest nettle_rsa_md5_verify_digest
60 #define rsa_sha1_sign_digest nettle_rsa_sha1_sign_digest
61 #define rsa_sha1_verify_digest nettle_rsa_sha1_verify_digest
62 #define rsa_sha256_sign_digest nettle_rsa_sha256_sign_digest
63 #define rsa_sha256_verify_digest nettle_rsa_sha256_verify_digest
64 #define rsa_sha512_sign_digest nettle_rsa_sha512_sign_digest
65 #define rsa_sha512_verify_digest nettle_rsa_sha512_verify_digest
66 #define rsa_encrypt nettle_rsa_encrypt
67 #define rsa_decrypt nettle_rsa_decrypt
68 #define rsa_decrypt_tr nettle_rsa_decrypt_tr
69 #define rsa_compute_root nettle_rsa_compute_root
70 #define rsa_generate_keypair nettle_rsa_generate_keypair
71 #define rsa_keypair_to_sexp nettle_rsa_keypair_to_sexp
72 #define rsa_keypair_from_sexp_alist nettle_rsa_keypair_from_sexp_alist
73 #define rsa_keypair_from_sexp nettle_rsa_keypair_from_sexp
74 #define rsa_public_key_from_der_iterator nettle_rsa_public_key_from_der_iterator
75 #define rsa_private_key_from_der_iterator nettle_rsa_private_key_from_der_iterator
76 #define rsa_keypair_from_der nettle_rsa_keypair_from_der
77 #define rsa_keypair_to_openpgp nettle_rsa_keypair_to_openpgp
78 #define _rsa_verify _nettle_rsa_verify
79 #define _rsa_check_size _nettle_rsa_check_size
80 #define _rsa_blind _nettle_rsa_blind
81 #define _rsa_unblind _nettle_rsa_unblind
83 /* This limit is somewhat arbitrary. Technically, the smallest modulo
84 which makes sense at all is 15 = 3*5, phi(15) = 8, size 4 bits. But
85 for ridiculously small keys, not all odd e are possible (e.g., for
86 5 bits, the only possible modulo is 3*7 = 21, phi(21) = 12, and e =
87 3 don't work). The smallest size that makes sense with pkcs#1, and
88 which allows RSA encryption of one byte messages, is 12 octets, 89
89 bits. */
91 #define RSA_MINIMUM_N_OCTETS 12
92 #define RSA_MINIMUM_N_BITS (8*RSA_MINIMUM_N_OCTETS - 7)
94 struct rsa_public_key
95 {
96 /* Size of the modulo, in octets. This is also the size of all
97 * signatures that are created or verified with this key. */
100 /* Modulo */
101 mpz_t n;
103 /* Public exponent */
104 mpz_t e;
105 };
107 struct rsa_private_key
108 {
111 /* d is filled in by the key generation function; otherwise it's
112 * completely unused. */
113 mpz_t d;
115 /* The two factors */
118 /* d % (p-1), i.e. a e = 1 (mod (p-1)) */
119 mpz_t a;
121 /* d % (q-1), i.e. b e = 1 (mod (q-1)) */
122 mpz_t b;
124 /* modular inverse of q , i.e. c q = 1 (mod p) */
125 mpz_t c;
126 };
128 /* Signing a message works as follows:
129 *
130 * Store the private key in a rsa_private_key struct.
131 *
132 * Call rsa_private_key_prepare. This initializes the size attribute
133 * to the length of a signature.
134 *
135 * Initialize a hashing context, by callling
136 * md5_init
137 *
138 * Hash the message by calling
139 * md5_update
140 *
141 * Create the signature by calling
142 * rsa_md5_sign
143 *
144 * The signature is represented as a mpz_t bignum. This call also
145 * resets the hashing context.
146 *
147 * When done with the key and signature, don't forget to call
148 * mpz_clear.
149 */
151 /* Calls mpz_init to initialize bignum storage. */
152 void
155 /* Calls mpz_clear to deallocate bignum storage. */
156 void
159 int
162 /* Calls mpz_init to initialize bignum storage. */
163 void
166 /* Calls mpz_clear to deallocate bignum storage. */
167 void
170 int
174 /* PKCS#1 style signatures */
175 int
178 mpz_t s);
180 int
185 mpz_t s);
186 int
191 int
194 mpz_t signature);
197 int
202 int
205 mpz_t signature);
207 int
212 int
215 mpz_t signature);
217 int
222 int
225 mpz_t signature);
227 int
232 /* Variants taking the digest as argument. */
233 int
236 mpz_t s);
238 int
243 int
246 mpz_t s);
248 int
253 int
256 mpz_t s);
258 int
263 int
266 mpz_t s);
268 int
274 /* RSA encryption, using PKCS#1 */
275 /* These functions uses the v1.5 padding. What should the v2 (OAEP)
276 * functions be called? */
278 /* Returns 1 on success, 0 on failure, which happens if the
279 * message is too long for the key. */
280 int
282 /* For padding */
285 mpz_t cipher);
287 /* Message must point to a buffer of size *LENGTH. KEY->size is enough
288 * for all valid messages. On success, *LENGTH is updated to reflect
289 * the actual length of the message. Returns 1 on success, 0 on
290 * failure, which happens if decryption failed or if the message
291 * didn't fit. */
292 int
297 /* Timing-resistant version, using randomized RSA blinding. */
298 int
305 /* Compute x, the e:th root of m. Calling it with x == m is allowed. */
306 void
311 /* Key generation */
313 /* Note that the key structs must be initialized first. */
314 int
321 /* Desired size of modulo, in bits */
324 /* Desired size of public exponent, in bits. If
325 * zero, the passed in value pub->e is used. */
329 #define RSA_SIGN(key, algorithm, ctx, length, data, signature) ( \
330 algorithm##_update(ctx, length, data), \
331 rsa_##algorithm##_sign(key, ctx, signature) \
332 )
334 #define RSA_VERIFY(key, algorithm, ctx, length, data, signature) ( \
335 algorithm##_update(ctx, length, data), \
336 rsa_##algorithm##_verify(key, ctx, signature) \
337 )
339 \f
340 /* Keys in sexp form. */
344 /* Generates a public-key expression if PRIV is NULL .*/
345 int
353 int
359 /* If PRIV is NULL, expect a public-key expression. If PUB is NULL,
360 * expect a private key expression and ignore the parts not needed for
361 * the public key. */
362 /* Keys must be initialized before calling this function, as usual. */
363 int
370 /* Keys in PKCS#1 format. */
373 int
378 int
384 /* For public keys, use PRIV == NULL */
385 int
391 /* OpenPGP format. Experimental interface, subject to change. */
392 int
396 /* A single user id. NUL-terminated utf8. */
399 /* Internal functions. */
400 int
405 unsigned
408 void
412 void
415 #ifdef __cplusplus
416 }
417 #endif