]> git.zerfleddert.de Git - proxmark3-svn/blame - common/polarssl/rsa.h
Change copyright to allow GPLV3, for https://github.com/Proxmark/proxmark3/issues/527
[proxmark3-svn] / common / polarssl / rsa.h
CommitLineData
d03fb293
OM
1/**
2 * \file rsa.h
3 *
4 * \brief The RSA public-key cryptosystem
5 *
6 * Copyright (C) 2006-2010, Brainspark B.V.
7 *
8 * This file is part of PolarSSL (http://www.polarssl.org)
9 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
10 *
11 * All rights reserved.
12 *
13 * This program is free software; you can redistribute it and/or modify
14 * it under the terms of the GNU General Public License as published by
15 * the Free Software Foundation; either version 2 of the License, or
16 * (at your option) any later version.
17 *
18 * This program is distributed in the hope that it will be useful,
19 * but WITHOUT ANY WARRANTY; without even the implied warranty of
20 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21 * GNU General Public License for more details.
22 *
23 * You should have received a copy of the GNU General Public License along
24 * with this program; if not, write to the Free Software Foundation, Inc.,
25 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
26 */
27#ifndef POLARSSL_RSA_H
28#define POLARSSL_RSA_H
29
30#include "bignum.h"
31
32/*
33 * RSA Error codes
34 */
35#define POLARSSL_ERR_RSA_BAD_INPUT_DATA -0x4080 /**< Bad input parameters to function. */
36#define POLARSSL_ERR_RSA_INVALID_PADDING -0x4100 /**< Input data contains invalid padding and is rejected. */
37#define POLARSSL_ERR_RSA_KEY_GEN_FAILED -0x4180 /**< Something failed during generation of a key. */
38#define POLARSSL_ERR_RSA_KEY_CHECK_FAILED -0x4200 /**< Key failed to pass the libraries validity check. */
39#define POLARSSL_ERR_RSA_PUBLIC_FAILED -0x4280 /**< The public key operation failed. */
40#define POLARSSL_ERR_RSA_PRIVATE_FAILED -0x4300 /**< The private key operation failed. */
41#define POLARSSL_ERR_RSA_VERIFY_FAILED -0x4380 /**< The PKCS#1 verification failed. */
42#define POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE -0x4400 /**< The output buffer for decryption is not large enough. */
43#define POLARSSL_ERR_RSA_RNG_FAILED -0x4480 /**< The random generator failed to generate non-zeros. */
44
45/*
46 * PKCS#1 constants
47 */
48#define SIG_RSA_RAW 0
49#define SIG_RSA_MD2 2
50#define SIG_RSA_MD4 3
51#define SIG_RSA_MD5 4
52#define SIG_RSA_SHA1 5
53#define SIG_RSA_SHA224 14
54#define SIG_RSA_SHA256 11
55#define SIG_RSA_SHA384 12
56#define SIG_RSA_SHA512 13
57
58#define RSA_PUBLIC 0
59#define RSA_PRIVATE 1
60
61#define RSA_PKCS_V15 0
62#define RSA_PKCS_V21 1
63
64#define RSA_SIGN 1
65#define RSA_CRYPT 2
66
67#define ASN1_STR_CONSTRUCTED_SEQUENCE "\x30"
68#define ASN1_STR_NULL "\x05"
69#define ASN1_STR_OID "\x06"
70#define ASN1_STR_OCTET_STRING "\x04"
71
72#define OID_DIGEST_ALG_MDX "\x2A\x86\x48\x86\xF7\x0D\x02\x00"
73#define OID_HASH_ALG_SHA1 "\x2b\x0e\x03\x02\x1a"
74#define OID_HASH_ALG_SHA2X "\x60\x86\x48\x01\x65\x03\x04\x02\x00"
75
76#define OID_ISO_MEMBER_BODIES "\x2a"
77#define OID_ISO_IDENTIFIED_ORG "\x2b"
78
79/*
80 * ISO Member bodies OID parts
81 */
82#define OID_COUNTRY_US "\x86\x48"
83#define OID_RSA_DATA_SECURITY "\x86\xf7\x0d"
84
85/*
86 * ISO Identified organization OID parts
87 */
88#define OID_OIW_SECSIG_SHA1 "\x0e\x03\x02\x1a"
89
90/*
91 * DigestInfo ::= SEQUENCE {
92 * digestAlgorithm DigestAlgorithmIdentifier,
93 * digest Digest }
94 *
95 * DigestAlgorithmIdentifier ::= AlgorithmIdentifier
96 *
97 * Digest ::= OCTET STRING
98 */
99#define ASN1_HASH_MDX \
100( \
101 ASN1_STR_CONSTRUCTED_SEQUENCE "\x20" \
102 ASN1_STR_CONSTRUCTED_SEQUENCE "\x0C" \
103 ASN1_STR_OID "\x08" \
104 OID_DIGEST_ALG_MDX \
105 ASN1_STR_NULL "\x00" \
106 ASN1_STR_OCTET_STRING "\x10" \
107)
108
109#define ASN1_HASH_SHA1 \
110 ASN1_STR_CONSTRUCTED_SEQUENCE "\x21" \
111 ASN1_STR_CONSTRUCTED_SEQUENCE "\x09" \
112 ASN1_STR_OID "\x05" \
113 OID_HASH_ALG_SHA1 \
114 ASN1_STR_NULL "\x00" \
115 ASN1_STR_OCTET_STRING "\x14"
116
117#define ASN1_HASH_SHA1_ALT \
118 ASN1_STR_CONSTRUCTED_SEQUENCE "\x1F" \
119 ASN1_STR_CONSTRUCTED_SEQUENCE "\x07" \
120 ASN1_STR_OID "\x05" \
121 OID_HASH_ALG_SHA1 \
122 ASN1_STR_OCTET_STRING "\x14"
123
124#define ASN1_HASH_SHA2X \
125 ASN1_STR_CONSTRUCTED_SEQUENCE "\x11" \
126 ASN1_STR_CONSTRUCTED_SEQUENCE "\x0d" \
127 ASN1_STR_OID "\x09" \
128 OID_HASH_ALG_SHA2X \
129 ASN1_STR_NULL "\x00" \
130 ASN1_STR_OCTET_STRING "\x00"
131
132/**
133 * \brief RSA context structure
134 */
135typedef struct
136{
137 int ver; /*!< always 0 */
138 size_t len; /*!< size(N) in chars */
139
140 mpi N; /*!< public modulus */
141 mpi E; /*!< public exponent */
142
143 mpi D; /*!< private exponent */
144 mpi P; /*!< 1st prime factor */
145 mpi Q; /*!< 2nd prime factor */
146 mpi DP; /*!< D % (P - 1) */
147 mpi DQ; /*!< D % (Q - 1) */
148 mpi QP; /*!< 1 / (Q % P) */
149
150 mpi RN; /*!< cached R^2 mod N */
151 mpi RP; /*!< cached R^2 mod P */
152 mpi RQ; /*!< cached R^2 mod Q */
153
154 int padding; /*!< RSA_PKCS_V15 for 1.5 padding and
155 RSA_PKCS_v21 for OAEP/PSS */
156 int hash_id; /*!< Hash identifier of md_type_t as
157 specified in the md.h header file
158 for the EME-OAEP and EMSA-PSS
159 encoding */
160}
161rsa_context;
162
163#ifdef __cplusplus
164extern "C" {
165#endif
166
167/**
168 * \brief Initialize an RSA context
169 *
170 * Note: Set padding to RSA_PKCS_V21 for the RSAES-OAEP
171 * encryption scheme and the RSASSA-PSS signature scheme.
172 *
173 * \param ctx RSA context to be initialized
174 * \param padding RSA_PKCS_V15 or RSA_PKCS_V21
175 * \param hash_id RSA_PKCS_V21 hash identifier
176 *
177 * \note The hash_id parameter is actually ignored
178 * when using RSA_PKCS_V15 padding.
179 */
180void rsa_init( rsa_context *ctx,
181 int padding,
182 int hash_id);
183
184/**
185 * \brief Generate an RSA keypair
186 *
187 * \param ctx RSA context that will hold the key
188 * \param f_rng RNG function
189 * \param p_rng RNG parameter
190 * \param nbits size of the public key in bits
191 * \param exponent public exponent (e.g., 65537)
192 *
193 * \note rsa_init() must be called beforehand to setup
194 * the RSA context.
195 *
196 * \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code
197 */
198int rsa_gen_key( rsa_context *ctx,
199 int (*f_rng)(void *, unsigned char *, size_t),
200 void *p_rng,
201 unsigned int nbits, int exponent );
202
203/**
204 * \brief Check a public RSA key
205 *
206 * \param ctx RSA context to be checked
207 *
208 * \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code
209 */
210int rsa_check_pubkey( const rsa_context *ctx );
211
212/**
213 * \brief Check a private RSA key
214 *
215 * \param ctx RSA context to be checked
216 *
217 * \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code
218 */
219int rsa_check_privkey( const rsa_context *ctx );
220
221/**
222 * \brief Do an RSA public key operation
223 *
224 * \param ctx RSA context
225 * \param input input buffer
226 * \param output output buffer
227 *
228 * \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code
229 *
230 * \note This function does NOT take care of message
231 * padding. Also, be sure to set input[0] = 0 or assure that
232 * input is smaller than N.
233 *
234 * \note The input and output buffers must be large
235 * enough (eg. 128 bytes if RSA-1024 is used).
236 */
237int rsa_public( rsa_context *ctx,
238 const unsigned char *input,
239 unsigned char *output );
240
241/**
242 * \brief Do an RSA private key operation
243 *
244 * \param ctx RSA context
245 * \param input input buffer
246 * \param output output buffer
247 *
248 * \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code
249 *
250 * \note The input and output buffers must be large
251 * enough (eg. 128 bytes if RSA-1024 is used).
252 */
253int rsa_private( rsa_context *ctx,
254 const unsigned char *input,
255 unsigned char *output );
256
257/**
258 * \brief Generic wrapper to perform a PKCS#1 encryption using the
259 * mode from the context. Add the message padding, then do an
260 * RSA operation.
261 *
262 * \param ctx RSA context
263 * \param f_rng RNG function (Needed for padding and PKCS#1 v2.1 encoding)
264 * \param p_rng RNG parameter
265 * \param mode RSA_PUBLIC or RSA_PRIVATE
266 * \param ilen contains the plaintext length
267 * \param input buffer holding the data to be encrypted
268 * \param output buffer that will hold the ciphertext
269 *
270 * \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code
271 *
272 * \note The output buffer must be as large as the size
273 * of ctx->N (eg. 128 bytes if RSA-1024 is used).
274 */
275int rsa_pkcs1_encrypt( rsa_context *ctx,
276 int (*f_rng)(void *, unsigned char *, size_t),
277 void *p_rng,
278 int mode, size_t ilen,
279 const unsigned char *input,
280 unsigned char *output );
281
282/**
283 * \brief Perform a PKCS#1 v1.5 encryption (RSAES-PKCS1-v1_5-ENCRYPT)
284 *
285 * \param ctx RSA context
286 * \param f_rng RNG function (Needed for padding)
287 * \param p_rng RNG parameter
288 * \param mode RSA_PUBLIC or RSA_PRIVATE
289 * \param ilen contains the plaintext length
290 * \param input buffer holding the data to be encrypted
291 * \param output buffer that will hold the ciphertext
292 *
293 * \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code
294 *
295 * \note The output buffer must be as large as the size
296 * of ctx->N (eg. 128 bytes if RSA-1024 is used).
297 */
298int rsa_rsaes_pkcs1_v15_encrypt( rsa_context *ctx,
299 int (*f_rng)(void *, unsigned char *, size_t),
300 void *p_rng,
301 int mode, size_t ilen,
302 const unsigned char *input,
303 unsigned char *output );
304
305/**
306 * \brief Perform a PKCS#1 v2.1 OAEP encryption (RSAES-OAEP-ENCRYPT)
307 *
308 * \param ctx RSA context
309 * \param f_rng RNG function (Needed for padding and PKCS#1 v2.1 encoding)
310 * \param p_rng RNG parameter
311 * \param mode RSA_PUBLIC or RSA_PRIVATE
312 * \param label buffer holding the custom label to use
313 * \param label_len contains the label length
314 * \param ilen contains the plaintext length
315 * \param input buffer holding the data to be encrypted
316 * \param output buffer that will hold the ciphertext
317 *
318 * \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code
319 *
320 * \note The output buffer must be as large as the size
321 * of ctx->N (eg. 128 bytes if RSA-1024 is used).
322 */
323int rsa_rsaes_oaep_encrypt( rsa_context *ctx,
324 int (*f_rng)(void *, unsigned char *, size_t),
325 void *p_rng,
326 int mode,
327 const unsigned char *label, size_t label_len,
328 size_t ilen,
329 const unsigned char *input,
330 unsigned char *output );
331
332/**
333 * \brief Generic wrapper to perform a PKCS#1 decryption using the
334 * mode from the context. Do an RSA operation, then remove
335 * the message padding
336 *
337 * \param ctx RSA context
338 * \param mode RSA_PUBLIC or RSA_PRIVATE
339 * \param olen will contain the plaintext length
340 * \param input buffer holding the encrypted data
341 * \param output buffer that will hold the plaintext
342 * \param output_max_len maximum length of the output buffer
343 *
344 * \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code
345 *
346 * \note The output buffer must be as large as the size
347 * of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise
348 * an error is thrown.
349 */
350int rsa_pkcs1_decrypt( rsa_context *ctx,
351 int mode, size_t *olen,
352 const unsigned char *input,
353 unsigned char *output,
354 size_t output_max_len );
355
356/**
357 * \brief Perform a PKCS#1 v1.5 decryption (RSAES-PKCS1-v1_5-DECRYPT)
358 *
359 * \param ctx RSA context
360 * \param mode RSA_PUBLIC or RSA_PRIVATE
361 * \param olen will contain the plaintext length
362 * \param input buffer holding the encrypted data
363 * \param output buffer that will hold the plaintext
364 * \param output_max_len maximum length of the output buffer
365 *
366 * \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code
367 *
368 * \note The output buffer must be as large as the size
369 * of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise
370 * an error is thrown.
371 */
372int rsa_rsaes_pkcs1_v15_decrypt( rsa_context *ctx,
373 int mode, size_t *olen,
374 const unsigned char *input,
375 unsigned char *output,
376 size_t output_max_len );
377
378/**
379 * \brief Perform a PKCS#1 v2.1 OAEP decryption (RSAES-OAEP-DECRYPT)
380 *
381 * \param ctx RSA context
382 * \param mode RSA_PUBLIC or RSA_PRIVATE
383 * \param label buffer holding the custom label to use
384 * \param label_len contains the label length
385 * \param olen will contain the plaintext length
386 * \param input buffer holding the encrypted data
387 * \param output buffer that will hold the plaintext
388 * \param output_max_len maximum length of the output buffer
389 *
390 * \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code
391 *
392 * \note The output buffer must be as large as the size
393 * of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise
394 * an error is thrown.
395 */
396int rsa_rsaes_oaep_decrypt( rsa_context *ctx,
397 int mode,
398 const unsigned char *label, size_t label_len,
399 size_t *olen,
400 const unsigned char *input,
401 unsigned char *output,
402 size_t output_max_len );
403
404/**
405 * \brief Generic wrapper to perform a PKCS#1 signature using the
406 * mode from the context. Do a private RSA operation to sign
407 * a message digest
408 *
409 * \param ctx RSA context
410 * \param f_rng RNG function (Needed for PKCS#1 v2.1 encoding)
411 * \param p_rng RNG parameter
412 * \param mode RSA_PUBLIC or RSA_PRIVATE
413 * \param hash_id SIG_RSA_RAW, SIG_RSA_MD{2,4,5} or SIG_RSA_SHA{1,224,256,384,512}
414 * \param hashlen message digest length (for SIG_RSA_RAW only)
415 * \param hash buffer holding the message digest
416 * \param sig buffer that will hold the ciphertext
417 *
418 * \return 0 if the signing operation was successful,
419 * or an POLARSSL_ERR_RSA_XXX error code
420 *
421 * \note The "sig" buffer must be as large as the size
422 * of ctx->N (eg. 128 bytes if RSA-1024 is used).
423 *
424 * \note In case of PKCS#1 v2.1 encoding keep in mind that
425 * the hash_id in the RSA context is the one used for the
426 * encoding. hash_id in the function call is the type of hash
427 * that is encoded. According to RFC 3447 it is advised to
428 * keep both hashes the same.
429 */
430int rsa_pkcs1_sign( rsa_context *ctx,
431 int (*f_rng)(void *, unsigned char *, size_t),
432 void *p_rng,
433 int mode,
434 int hash_id,
435 unsigned int hashlen,
436 const unsigned char *hash,
437 unsigned char *sig );
438
439/**
440 * \brief Perform a PKCS#1 v1.5 signature (RSASSA-PKCS1-v1_5-SIGN)
441 *
442 * \param ctx RSA context
443 * \param mode RSA_PUBLIC or RSA_PRIVATE
444 * \param hash_id SIG_RSA_RAW, SIG_RSA_MD{2,4,5} or SIG_RSA_SHA{1,224,256,384,512}
445 * \param hashlen message digest length (for SIG_RSA_RAW only)
446 * \param hash buffer holding the message digest
447 * \param sig buffer that will hold the ciphertext
448 *
449 * \return 0 if the signing operation was successful,
450 * or an POLARSSL_ERR_RSA_XXX error code
451 *
452 * \note The "sig" buffer must be as large as the size
453 * of ctx->N (eg. 128 bytes if RSA-1024 is used).
454 */
455int rsa_rsassa_pkcs1_v15_sign( rsa_context *ctx,
456 int mode,
457 int hash_id,
458 unsigned int hashlen,
459 const unsigned char *hash,
460 unsigned char *sig );
461
462/**
463 * \brief Perform a PKCS#1 v2.1 PSS signature (RSASSA-PSS-SIGN)
464 *
465 * \param ctx RSA context
466 * \param f_rng RNG function (Needed for PKCS#1 v2.1 encoding)
467 * \param p_rng RNG parameter
468 * \param mode RSA_PUBLIC or RSA_PRIVATE
469 * \param hash_id SIG_RSA_RAW, SIG_RSA_MD{2,4,5} or SIG_RSA_SHA{1,224,256,384,512}
470 * \param hashlen message digest length (for SIG_RSA_RAW only)
471 * \param hash buffer holding the message digest
472 * \param sig buffer that will hold the ciphertext
473 *
474 * \return 0 if the signing operation was successful,
475 * or an POLARSSL_ERR_RSA_XXX error code
476 *
477 * \note The "sig" buffer must be as large as the size
478 * of ctx->N (eg. 128 bytes if RSA-1024 is used).
479 *
480 * \note In case of PKCS#1 v2.1 encoding keep in mind that
481 * the hash_id in the RSA context is the one used for the
482 * encoding. hash_id in the function call is the type of hash
483 * that is encoded. According to RFC 3447 it is advised to
484 * keep both hashes the same.
485 */
486int rsa_rsassa_pss_sign( rsa_context *ctx,
487 int (*f_rng)(void *, unsigned char *, size_t),
488 void *p_rng,
489 int mode,
490 int hash_id,
491 unsigned int hashlen,
492 const unsigned char *hash,
493 unsigned char *sig );
494
495/**
496 * \brief Generic wrapper to perform a PKCS#1 verification using the
497 * mode from the context. Do a public RSA operation and check
498 * the message digest
499 *
500 * \param ctx points to an RSA public key
501 * \param mode RSA_PUBLIC or RSA_PRIVATE
502 * \param hash_id SIG_RSA_RAW, SIG_RSA_MD{2,4,5} or SIG_RSA_SHA{1,224,256,384,512}
503 * \param hashlen message digest length (for SIG_RSA_RAW only)
504 * \param hash buffer holding the message digest
505 * \param sig buffer holding the ciphertext
506 *
507 * \return 0 if the verify operation was successful,
508 * or an POLARSSL_ERR_RSA_XXX error code
509 *
510 * \note The "sig" buffer must be as large as the size
511 * of ctx->N (eg. 128 bytes if RSA-1024 is used).
512 *
513 * \note In case of PKCS#1 v2.1 encoding keep in mind that
514 * the hash_id in the RSA context is the one used for the
515 * verification. hash_id in the function call is the type of hash
516 * that is verified. According to RFC 3447 it is advised to
517 * keep both hashes the same.
518 */
519int rsa_pkcs1_verify( rsa_context *ctx,
520 int mode,
521 int hash_id,
522 unsigned int hashlen,
523 const unsigned char *hash,
524 unsigned char *sig );
525
526/**
527 * \brief Perform a PKCS#1 v1.5 verification (RSASSA-PKCS1-v1_5-VERIFY)
528 *
529 * \param ctx points to an RSA public key
530 * \param mode RSA_PUBLIC or RSA_PRIVATE
531 * \param hash_id SIG_RSA_RAW, SIG_RSA_MD{2,4,5} or SIG_RSA_SHA{1,224,256,384,512}
532 * \param hashlen message digest length (for SIG_RSA_RAW only)
533 * \param hash buffer holding the message digest
534 * \param sig buffer holding the ciphertext
535 *
536 * \return 0 if the verify operation was successful,
537 * or an POLARSSL_ERR_RSA_XXX error code
538 *
539 * \note The "sig" buffer must be as large as the size
540 * of ctx->N (eg. 128 bytes if RSA-1024 is used).
541 */
542int rsa_rsassa_pkcs1_v15_verify( rsa_context *ctx,
543 int mode,
544 int hash_id,
545 unsigned int hashlen,
546 const unsigned char *hash,
547 unsigned char *sig );
548
549/**
550 * \brief Perform a PKCS#1 v2.1 PSS verification (RSASSA-PSS-VERIFY)
551 * \brief Do a public RSA and check the message digest
552 *
553 * \param ctx points to an RSA public key
554 * \param mode RSA_PUBLIC or RSA_PRIVATE
555 * \param hash_id SIG_RSA_RAW, SIG_RSA_MD{2,4,5} or SIG_RSA_SHA{1,224,256,384,512}
556 * \param hashlen message digest length (for SIG_RSA_RAW only)
557 * \param hash buffer holding the message digest
558 * \param sig buffer holding the ciphertext
559 *
560 * \return 0 if the verify operation was successful,
561 * or an POLARSSL_ERR_RSA_XXX error code
562 *
563 * \note The "sig" buffer must be as large as the size
564 * of ctx->N (eg. 128 bytes if RSA-1024 is used).
565 *
566 * \note In case of PKCS#1 v2.1 encoding keep in mind that
567 * the hash_id in the RSA context is the one used for the
568 * verification. hash_id in the function call is the type of hash
569 * that is verified. According to RFC 3447 it is advised to
570 * keep both hashes the same.
571 */
572int rsa_rsassa_pss_verify( rsa_context *ctx,
573 int mode,
574 int hash_id,
575 unsigned int hashlen,
576 const unsigned char *hash,
577 unsigned char *sig );
578
579/**
580 * \brief Free the components of an RSA key
581 *
582 * \param ctx RSA Context to free
583 */
584void rsa_free( rsa_context *ctx );
585
586/**
587 * \brief Checkup routine
588 *
589 * \return 0 if successful, or 1 if the test failed
590 */
591int rsa_self_test( int verbose );
592
593#ifdef __cplusplus
594}
595#endif
596
597#endif /* rsa.h */
Impressum, Datenschutz