TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 23986e5d5d501ae93bed161752708ba18fb9e016 / . / include / polarssl / rsa.h
blob: cb2420a7a523917951270cb1d6788c9c7a204872 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/**
2 * \file rsa.h
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]3 *
Paul Bakker37ca75d2011-01-06 12:28:03 +0000[diff] [blame]4 * \brief The RSA public-key cryptosystem
5 *
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]6 * Copyright (C) 2006-2010, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]7 *
8 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]9 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]10 *
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]11 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]12 *
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]13 * This program is free software; you can redistribute it and/or modify
14 * it under the terms of the GNU General Public License as published by
15 * the Free Software Foundation; either version 2 of the License, or
16 * (at your option) any later version.
17 *
18 * This program is distributed in the hope that it will be useful,
19 * but WITHOUT ANY WARRANTY; without even the implied warranty of
20 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21 * GNU General Public License for more details.
22 *
23 * You should have received a copy of the GNU General Public License along
24 * with this program; if not, write to the Free Software Foundation, Inc.,
25 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]26 */
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]27#ifndef POLARSSL_RSA_H
28#define POLARSSL_RSA_H
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]29
Paul Bakker8e831ed2009-01-03 21:24:11 +0000[diff] [blame]30#include "polarssl/bignum.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]31
Paul Bakker13e2dfe2009-07-28 07:18:38 +0000[diff] [blame]32/*
33 * RSA Error codes
34 */
Paul Bakker3391b122009-07-28 20:11:54 +0000[diff] [blame]35#define POLARSSL_ERR_RSA_BAD_INPUT_DATA -0x0400
36#define POLARSSL_ERR_RSA_INVALID_PADDING -0x0410
37#define POLARSSL_ERR_RSA_KEY_GEN_FAILED -0x0420
38#define POLARSSL_ERR_RSA_KEY_CHECK_FAILED -0x0430
39#define POLARSSL_ERR_RSA_PUBLIC_FAILED -0x0440
40#define POLARSSL_ERR_RSA_PRIVATE_FAILED -0x0450
41#define POLARSSL_ERR_RSA_VERIFY_FAILED -0x0460
42#define POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE -0x0470
Paul Bakkerb572adf2010-07-18 08:29:32 +0000[diff] [blame]43#define POLARSSL_ERR_RSA_RNG_FAILED -0x0480
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]44
45/*
46 * PKCS#1 constants
47 */
Paul Bakkerfc22c442009-07-19 20:36:27 +0000[diff] [blame]48#define SIG_RSA_RAW 0
49#define SIG_RSA_MD2 2
50#define SIG_RSA_MD4 3
51#define SIG_RSA_MD5 4
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame^]52#define SIG_RSA_SHA1 5
53#define SIG_RSA_SHA224 14
54#define SIG_RSA_SHA256 11
55#define SIG_RSA_SHA384 12
56#define SIG_RSA_SHA512 13
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]57
58#define RSA_PUBLIC 0
59#define RSA_PRIVATE 1
60
61#define RSA_PKCS_V15 0
62#define RSA_PKCS_V21 1
63
64#define RSA_SIGN 1
65#define RSA_CRYPT 2
66
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame^]67#define ASN1_STR_CONSTRUCTED_SEQUENCE "\x30"
68#define ASN1_STR_NULL "\x05"
69#define ASN1_STR_OID "\x06"
70#define ASN1_STR_OCTET_STRING "\x04"
Paul Bakker4593aea2009-02-09 22:32:35 +0000[diff] [blame]71
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame^]72#define OID_DIGEST_ALG_MDX "\x2A\x86\x48\x86\xF7\x0D\x02\x00"
73#define OID_HASH_ALG_SHA1 "\x2b\x0e\x03\x02\x1a"
74#define OID_HASH_ALG_SHA2X "\x60\x86\x48\x01\x65\x03\x04\x02\x00"
Paul Bakker4593aea2009-02-09 22:32:35 +0000[diff] [blame]75
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame^]76#define OID_ISO_MEMBER_BODIES "\x2a"
77#define OID_ISO_IDENTIFIED_ORG "\x2b"
Paul Bakker4593aea2009-02-09 22:32:35 +0000[diff] [blame]78
79/*
80 * ISO Member bodies OID parts
81 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame^]82#define OID_COUNTRY_US "\x86\x48"
83#define OID_RSA_DATA_SECURITY "\x86\xf7\x0d"
Paul Bakker4593aea2009-02-09 22:32:35 +0000[diff] [blame]84
85/*
86 * ISO Identified organization OID parts
87 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame^]88#define OID_OIW_SECSIG_SHA1 "\x0e\x03\x02\x1a"
Paul Bakker4593aea2009-02-09 22:32:35 +0000[diff] [blame]89
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]90/*
91 * DigestInfo ::= SEQUENCE {
92 * digestAlgorithm DigestAlgorithmIdentifier,
93 * digest Digest }
94 *
95 * DigestAlgorithmIdentifier ::= AlgorithmIdentifier
96 *
97 * Digest ::= OCTET STRING
98 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame^]99#define ASN1_HASH_MDX \
100( \
101 ASN1_STR_CONSTRUCTED_SEQUENCE "\x20" \
102 ASN1_STR_CONSTRUCTED_SEQUENCE "\x0C" \
103 ASN1_STR_OID "\x08" \
104 OID_DIGEST_ALG_MDX \
105 ASN1_STR_NULL "\x00" \
106 ASN1_STR_OCTET_STRING "\x10" \
Paul Bakker4593aea2009-02-09 22:32:35 +0000[diff] [blame]107)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]108
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame^]109#define ASN1_HASH_SHA1 \
110 ASN1_STR_CONSTRUCTED_SEQUENCE "\x21" \
111 ASN1_STR_CONSTRUCTED_SEQUENCE "\x09" \
112 ASN1_STR_OID "\x05" \
113 OID_HASH_ALG_SHA1 \
114 ASN1_STR_NULL "\x00" \
Paul Bakker4593aea2009-02-09 22:32:35 +0000[diff] [blame]115 ASN1_STR_OCTET_STRING "\x14"
116
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame^]117#define ASN1_HASH_SHA2X \
118 ASN1_STR_CONSTRUCTED_SEQUENCE "\x11" \
119 ASN1_STR_CONSTRUCTED_SEQUENCE "\x0d" \
120 ASN1_STR_OID "\x09" \
121 OID_HASH_ALG_SHA2X \
122 ASN1_STR_NULL "\x00" \
Paul Bakker4593aea2009-02-09 22:32:35 +0000[diff] [blame]123 ASN1_STR_OCTET_STRING "\x00"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]124
125/**
126 * \brief RSA context structure
127 */
128typedef struct
129{
130 int ver; /*!< always 0 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame^]131 size_t len; /*!< size(N) in chars */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]132
133 mpi N; /*!< public modulus */
134 mpi E; /*!< public exponent */
135
136 mpi D; /*!< private exponent */
137 mpi P; /*!< 1st prime factor */
138 mpi Q; /*!< 2nd prime factor */
139 mpi DP; /*!< D % (P - 1) */
140 mpi DQ; /*!< D % (Q - 1) */
141 mpi QP; /*!< 1 / (Q % P) */
142
143 mpi RN; /*!< cached R^2 mod N */
144 mpi RP; /*!< cached R^2 mod P */
145 mpi RQ; /*!< cached R^2 mod Q */
146
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]147 int padding; /*!< RSA_PKCS_V15 for 1.5 padding and
148 RSA_PKCS_v21 for OAEP/PSS */
149 int hash_id; /*!< Hash identifier of md_type_t as
150 specified in the md.h header file
151 for the EME-OAEP and EMSA-PSS
152 encoding */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]153}
154rsa_context;
155
156#ifdef __cplusplus
157extern "C" {
158#endif
159
160/**
161 * \brief Initialize an RSA context
162 *
163 * \param ctx RSA context to be initialized
164 * \param padding RSA_PKCS_V15 or RSA_PKCS_V21
165 * \param hash_id RSA_PKCS_V21 hash identifier
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]166 *
167 * \note The hash_id parameter is actually ignored
168 * when using RSA_PKCS_V15 padding.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]169 */
170void rsa_init( rsa_context *ctx,
171 int padding,
Paul Bakker21eb2802010-08-16 11:10:02 +0000[diff] [blame]172 int hash_id);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]173
174/**
175 * \brief Generate an RSA keypair
176 *
177 * \param ctx RSA context that will hold the key
Paul Bakker21eb2802010-08-16 11:10:02 +0000[diff] [blame]178 * \param f_rng RNG function
179 * \param p_rng RNG parameter
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]180 * \param nbits size of the public key in bits
181 * \param exponent public exponent (e.g., 65537)
182 *
183 * \note rsa_init() must be called beforehand to setup
Paul Bakker21eb2802010-08-16 11:10:02 +0000[diff] [blame]184 * the RSA context.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]185 *
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]186 * \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]187 */
Paul Bakker21eb2802010-08-16 11:10:02 +0000[diff] [blame]188int rsa_gen_key( rsa_context *ctx,
189 int (*f_rng)(void *),
190 void *p_rng,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame^]191 unsigned int nbits, int exponent );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]192
193/**
194 * \brief Check a public RSA key
195 *
196 * \param ctx RSA context to be checked
197 *
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]198 * \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]199 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]200int rsa_check_pubkey( const rsa_context *ctx );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]201
202/**
203 * \brief Check a private RSA key
204 *
205 * \param ctx RSA context to be checked
206 *
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]207 * \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]208 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]209int rsa_check_privkey( const rsa_context *ctx );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]210
211/**
212 * \brief Do an RSA public key operation
213 *
214 * \param ctx RSA context
215 * \param input input buffer
216 * \param output output buffer
217 *
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]218 * \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]219 *
220 * \note This function does NOT take care of message
Paul Bakker619467a2009-03-28 23:26:51 +0000[diff] [blame]221 * padding. Also, be sure to set input[0] = 0 or assure that
222 * input is smaller than N.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]223 *
224 * \note The input and output buffers must be large
225 * enough (eg. 128 bytes if RSA-1024 is used).
226 */
227int rsa_public( rsa_context *ctx,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]228 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]229 unsigned char *output );
230
231/**
232 * \brief Do an RSA private key operation
233 *
234 * \param ctx RSA context
235 * \param input input buffer
236 * \param output output buffer
237 *
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]238 * \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]239 *
240 * \note The input and output buffers must be large
241 * enough (eg. 128 bytes if RSA-1024 is used).
242 */
243int rsa_private( rsa_context *ctx,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]244 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]245 unsigned char *output );
246
247/**
248 * \brief Add the message padding, then do an RSA operation
249 *
250 * \param ctx RSA context
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]251 * \param f_rng RNG function (Needed for padding and PKCS#1 v2.1 encoding)
Paul Bakker21eb2802010-08-16 11:10:02 +0000[diff] [blame]252 * \param p_rng RNG parameter
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]253 * \param mode RSA_PUBLIC or RSA_PRIVATE
Paul Bakker592457c2009-04-01 19:01:43 +0000[diff] [blame]254 * \param ilen contains the plaintext length
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]255 * \param input buffer holding the data to be encrypted
256 * \param output buffer that will hold the ciphertext
257 *
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]258 * \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]259 *
260 * \note The output buffer must be as large as the size
261 * of ctx->N (eg. 128 bytes if RSA-1024 is used).
262 */
263int rsa_pkcs1_encrypt( rsa_context *ctx,
Paul Bakker21eb2802010-08-16 11:10:02 +0000[diff] [blame]264 int (*f_rng)(void *),
265 void *p_rng,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame^]266 int mode, size_t ilen,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]267 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]268 unsigned char *output );
269
270/**
271 * \brief Do an RSA operation, then remove the message padding
272 *
273 * \param ctx RSA context
274 * \param mode RSA_PUBLIC or RSA_PRIVATE
275 * \param input buffer holding the encrypted data
276 * \param output buffer that will hold the plaintext
277 * \param olen will contain the plaintext length
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame^]278 * \param output_max_len maximum length of the output buffer
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]279 *
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]280 * \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]281 *
282 * \note The output buffer must be as large as the size
Paul Bakker060c5682009-01-12 21:48:39 +0000[diff] [blame]283 * of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise
284 * an error is thrown.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]285 */
286int rsa_pkcs1_decrypt( rsa_context *ctx,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame^]287 int mode, size_t *olen,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]288 const unsigned char *input,
Paul Bakker060c5682009-01-12 21:48:39 +0000[diff] [blame]289 unsigned char *output,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame^]290 size_t output_max_len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]291
292/**
293 * \brief Do a private RSA to sign a message digest
294 *
295 * \param ctx RSA context
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]296 * \param f_rng RNG function (Needed for PKCS#1 v2.1 encoding)
297 * \param p_rng RNG parameter
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]298 * \param mode RSA_PUBLIC or RSA_PRIVATE
Paul Bakkerfc22c442009-07-19 20:36:27 +0000[diff] [blame]299 * \param hash_id SIG_RSA_RAW, SIG_RSA_MD{2,4,5} or SIG_RSA_SHA{1,224,256,384,512}
300 * \param hashlen message digest length (for SIG_RSA_RAW only)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]301 * \param hash buffer holding the message digest
302 * \param sig buffer that will hold the ciphertext
303 *
304 * \return 0 if the signing operation was successful,
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]305 * or an POLARSSL_ERR_RSA_XXX error code
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]306 *
307 * \note The "sig" buffer must be as large as the size
308 * of ctx->N (eg. 128 bytes if RSA-1024 is used).
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]309 *
310 * \note In case of PKCS#1 v2.1 encoding keep in mind that
311 * the hash_id in the RSA context is the one used for the
312 * encoding. hash_id in the function call is the type of hash
313 * that is encoded. According to RFC 3447 it is advised to
314 * keep both hashes the same.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]315 */
316int rsa_pkcs1_sign( rsa_context *ctx,
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]317 int (*f_rng)(void *),
318 void *p_rng,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]319 int mode,
320 int hash_id,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame^]321 unsigned int hashlen,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]322 const unsigned char *hash,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]323 unsigned char *sig );
324
325/**
326 * \brief Do a public RSA and check the message digest
327 *
328 * \param ctx points to an RSA public key
329 * \param mode RSA_PUBLIC or RSA_PRIVATE
Paul Bakkerb924f042010-07-18 08:49:19 +0000[diff] [blame]330 * \param hash_id SIG_RSA_RAW, SIG_RSA_MD{2,4,5} or SIG_RSA_SHA{1,224,256,384,512}
Paul Bakkerfc22c442009-07-19 20:36:27 +0000[diff] [blame]331 * \param hashlen message digest length (for SIG_RSA_RAW only)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]332 * \param hash buffer holding the message digest
333 * \param sig buffer holding the ciphertext
334 *
335 * \return 0 if the verify operation was successful,
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]336 * or an POLARSSL_ERR_RSA_XXX error code
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]337 *
338 * \note The "sig" buffer must be as large as the size
339 * of ctx->N (eg. 128 bytes if RSA-1024 is used).
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]340 *
341 * \note In case of PKCS#1 v2.1 encoding keep in mind that
342 * the hash_id in the RSA context is the one used for the
343 * verification. hash_id in the function call is the type of hash
344 * that is verified. According to RFC 3447 it is advised to
345 * keep both hashes the same.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]346 */
347int rsa_pkcs1_verify( rsa_context *ctx,
348 int mode,
349 int hash_id,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame^]350 unsigned int hashlen,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]351 const unsigned char *hash,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]352 unsigned char *sig );
353
354/**
355 * \brief Free the components of an RSA key
Paul Bakker13e2dfe2009-07-28 07:18:38 +0000[diff] [blame]356 *
357 * \param ctx RSA Context to free
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]358 */
359void rsa_free( rsa_context *ctx );
360
361/**
362 * \brief Checkup routine
363 *
364 * \return 0 if successful, or 1 if the test failed
365 */
366int rsa_self_test( int verbose );
367
368#ifdef __cplusplus
369}
370#endif
371
372#endif /* rsa.h */