1 // rsa.cpp - originally written and placed in the public domain by Wei Dai
2
3 #include "pch.h"
4 #include "rsa.h"
5 #include "asn.h"
6 #include "sha.h"
7 #include "oids.h"
8 #include "modarith.h"
9 #include "nbtheory.h"
10 #include "algparam.h"
11 #include "fips140.h"
12 #include "pkcspad.h"
13
14 #if defined(CRYPTOPP_DEBUG) && !defined(CRYPTOPP_DOXYGEN_PROCESSING) && !defined(CRYPTOPP_IS_DLL)
15 #include "sha3.h"
16 #include "pssr.h"
NAMESPACE_BEGIN(CryptoPP)17 NAMESPACE_BEGIN(CryptoPP)
18 void RSA_TestInstantiations()
19 {
20 RSASS<PKCS1v15, SHA1>::Verifier x1(1, 1);
21 RSASS<PKCS1v15, SHA1>::Signer x2(NullRNG(), 1);
22 RSASS<PKCS1v15, SHA1>::Verifier x3(x2);
23 RSASS<PKCS1v15, SHA1>::Verifier x4(x2.GetKey());
24 RSASS<PSS, SHA1>::Verifier x5(x3);
25 #ifndef __MWERKS__
26 RSASS<PSSR, SHA1>::Signer x6 = x2;
27 x3 = x2;
28 x6 = x2;
29 #endif
30 RSAES<PKCS1v15>::Encryptor x7(x2);
31 #ifndef __GNUC__
32 RSAES<PKCS1v15>::Encryptor x8(x3);
33 #endif
34 RSAES<OAEP<SHA1> >::Encryptor x9(x2);
35 x4 = x2.GetKey();
36
37 RSASS<PKCS1v15, SHA3_256>::Verifier x10(1, 1);
38 RSASS<PKCS1v15, SHA3_256>::Signer x11(NullRNG(), 1);
39 RSASS<PKCS1v15, SHA3_256>::Verifier x12(x11);
40 RSASS<PKCS1v15, SHA3_256>::Verifier x13(x11.GetKey());
41 }
42 NAMESPACE_END
43 #endif
44
45 #ifndef CRYPTOPP_IMPORTS
46
NAMESPACE_BEGIN(CryptoPP)47 NAMESPACE_BEGIN(CryptoPP)
48
49 OID RSAFunction::GetAlgorithmID() const
50 {
51 return ASN1::rsaEncryption();
52 }
53
BERDecodePublicKey(BufferedTransformation & bt,bool,size_t)54 void RSAFunction::BERDecodePublicKey(BufferedTransformation &bt, bool, size_t)
55 {
56 BERSequenceDecoder seq(bt);
57 m_n.BERDecode(seq);
58 m_e.BERDecode(seq);
59 seq.MessageEnd();
60 }
61
DEREncodePublicKey(BufferedTransformation & bt) const62 void RSAFunction::DEREncodePublicKey(BufferedTransformation &bt) const
63 {
64 DERSequenceEncoder seq(bt);
65 m_n.DEREncode(seq);
66 m_e.DEREncode(seq);
67 seq.MessageEnd();
68 }
69
ApplyFunction(const Integer & x) const70 Integer RSAFunction::ApplyFunction(const Integer &x) const
71 {
72 DoQuickSanityCheck();
73 return a_exp_b_mod_c(x, m_e, m_n);
74 }
75
Validate(RandomNumberGenerator & rng,unsigned int level) const76 bool RSAFunction::Validate(RandomNumberGenerator& rng, unsigned int level) const
77 {
78 CRYPTOPP_UNUSED(rng), CRYPTOPP_UNUSED(level);
79
80 bool pass = true;
81 pass = pass && m_n > Integer::One() && m_n.IsOdd();
82 CRYPTOPP_ASSERT(pass);
83 pass = pass && m_e > Integer::One() && m_e.IsOdd() && m_e < m_n;
84 CRYPTOPP_ASSERT(pass);
85 return pass;
86 }
87
GetVoidValue(const char * name,const std::type_info & valueType,void * pValue) const88 bool RSAFunction::GetVoidValue(const char *name, const std::type_info &valueType, void *pValue) const
89 {
90 return GetValueHelper(this, name, valueType, pValue).Assignable()
91 CRYPTOPP_GET_FUNCTION_ENTRY(Modulus)
92 CRYPTOPP_GET_FUNCTION_ENTRY(PublicExponent)
93 ;
94 }
95
AssignFrom(const NameValuePairs & source)96 void RSAFunction::AssignFrom(const NameValuePairs &source)
97 {
98 AssignFromHelper(this, source)
99 CRYPTOPP_SET_FUNCTION_ENTRY(Modulus)
100 CRYPTOPP_SET_FUNCTION_ENTRY(PublicExponent)
101 ;
102 }
103
104 // *****************************************************************************
105
106 class RSAPrimeSelector : public PrimeSelector
107 {
108 public:
RSAPrimeSelector(const Integer & e)109 RSAPrimeSelector(const Integer &e) : m_e(e) {}
IsAcceptable(const Integer & candidate) const110 bool IsAcceptable(const Integer &candidate) const {return RelativelyPrime(m_e, candidate-Integer::One());}
111 Integer m_e;
112 };
113
GenerateRandom(RandomNumberGenerator & rng,const NameValuePairs & alg)114 void InvertibleRSAFunction::GenerateRandom(RandomNumberGenerator &rng, const NameValuePairs &alg)
115 {
116 int modulusSize = 2048;
117 alg.GetIntValue(Name::ModulusSize(), modulusSize) || alg.GetIntValue(Name::KeySize(), modulusSize);
118
119 CRYPTOPP_ASSERT(modulusSize >= 16);
120 if (modulusSize < 16)
121 throw InvalidArgument("InvertibleRSAFunction: specified modulus size is too small");
122
123 m_e = alg.GetValueWithDefault(Name::PublicExponent(), Integer(17));
124
125 CRYPTOPP_ASSERT(m_e >= 3); CRYPTOPP_ASSERT(!m_e.IsEven());
126 if (m_e < 3 || m_e.IsEven())
127 throw InvalidArgument("InvertibleRSAFunction: invalid public exponent");
128
129 RSAPrimeSelector selector(m_e);
130 AlgorithmParameters primeParam = MakeParametersForTwoPrimesOfEqualSize(modulusSize)
131 (Name::PointerToPrimeSelector(), selector.GetSelectorPointer());
132 m_p.GenerateRandom(rng, primeParam);
133 m_q.GenerateRandom(rng, primeParam);
134
135 m_d = m_e.InverseMod(LCM(m_p-1, m_q-1));
136 CRYPTOPP_ASSERT(m_d.IsPositive());
137
138 m_dp = m_d % (m_p-1);
139 m_dq = m_d % (m_q-1);
140 m_n = m_p * m_q;
141 m_u = m_q.InverseMod(m_p);
142
143 if (FIPS_140_2_ComplianceEnabled())
144 {
145 RSASS<PKCS1v15, SHA1>::Signer signer(*this);
146 RSASS<PKCS1v15, SHA1>::Verifier verifier(signer);
147 SignaturePairwiseConsistencyTest_FIPS_140_Only(signer, verifier);
148
149 RSAES<OAEP<SHA1> >::Decryptor decryptor(*this);
150 RSAES<OAEP<SHA1> >::Encryptor encryptor(decryptor);
151 EncryptionPairwiseConsistencyTest_FIPS_140_Only(encryptor, decryptor);
152 }
153 }
154
Initialize(RandomNumberGenerator & rng,unsigned int keybits,const Integer & e)155 void InvertibleRSAFunction::Initialize(RandomNumberGenerator &rng, unsigned int keybits, const Integer &e)
156 {
157 GenerateRandom(rng, MakeParameters(Name::ModulusSize(), (int)keybits)(Name::PublicExponent(), e+e.IsEven()));
158 }
159
Initialize(const Integer & n,const Integer & e,const Integer & d)160 void InvertibleRSAFunction::Initialize(const Integer &n, const Integer &e, const Integer &d)
161 {
162 if (n.IsEven() || e.IsEven() | d.IsEven())
163 throw InvalidArgument("InvertibleRSAFunction: input is not a valid RSA private key");
164
165 m_n = n;
166 m_e = e;
167 m_d = d;
168
169 Integer r = --(d*e);
170 unsigned int s = 0;
171 while (r.IsEven())
172 {
173 r >>= 1;
174 s++;
175 }
176
177 ModularArithmetic modn(n);
178 for (Integer i = 2; ; ++i)
179 {
180 Integer a = modn.Exponentiate(i, r);
181 if (a == 1)
182 continue;
183 Integer b;
184 unsigned int j = 0;
185 while (a != n-1)
186 {
187 b = modn.Square(a);
188 if (b == 1)
189 {
190 m_p = GCD(a-1, n);
191 m_q = n/m_p;
192 m_dp = m_d % (m_p-1);
193 m_dq = m_d % (m_q-1);
194 m_u = m_q.InverseMod(m_p);
195 return;
196 }
197 if (++j == s)
198 throw InvalidArgument("InvertibleRSAFunction: input is not a valid RSA private key");
199 a = b;
200 }
201 }
202 }
203
BERDecodePrivateKey(BufferedTransformation & bt,bool,size_t)204 void InvertibleRSAFunction::BERDecodePrivateKey(BufferedTransformation &bt, bool, size_t)
205 {
206 BERSequenceDecoder privateKey(bt);
207 word32 version;
208 BERDecodeUnsigned<word32>(privateKey, version, INTEGER, 0, 0); // check version
209 m_n.BERDecode(privateKey);
210 m_e.BERDecode(privateKey);
211 m_d.BERDecode(privateKey);
212 m_p.BERDecode(privateKey);
213 m_q.BERDecode(privateKey);
214 m_dp.BERDecode(privateKey);
215 m_dq.BERDecode(privateKey);
216 m_u.BERDecode(privateKey);
217 privateKey.MessageEnd();
218 }
219
DEREncodePrivateKey(BufferedTransformation & bt) const220 void InvertibleRSAFunction::DEREncodePrivateKey(BufferedTransformation &bt) const
221 {
222 DERSequenceEncoder privateKey(bt);
223 DEREncodeUnsigned<word32>(privateKey, 0); // version
224 m_n.DEREncode(privateKey);
225 m_e.DEREncode(privateKey);
226 m_d.DEREncode(privateKey);
227 m_p.DEREncode(privateKey);
228 m_q.DEREncode(privateKey);
229 m_dp.DEREncode(privateKey);
230 m_dq.DEREncode(privateKey);
231 m_u.DEREncode(privateKey);
232 privateKey.MessageEnd();
233 }
234
CalculateInverse(RandomNumberGenerator & rng,const Integer & x) const235 Integer InvertibleRSAFunction::CalculateInverse(RandomNumberGenerator &rng, const Integer &x) const
236 {
237 DoQuickSanityCheck();
238 ModularArithmetic modn(m_n);
239 Integer r, rInv;
240 do { // do this in a loop for people using small numbers for testing
241 r.Randomize(rng, Integer::One(), m_n - Integer::One());
242 rInv = modn.MultiplicativeInverse(r);
243 } while (rInv.IsZero());
244 Integer re = modn.Exponentiate(r, m_e);
245 re = modn.Multiply(re, x); // blind
246 // here we follow the notation of PKCS #1 and let u=q inverse mod p
247 // but in ModRoot, u=p inverse mod q, so we reverse the order of p and q
248 Integer y = ModularRoot(re, m_dq, m_dp, m_q, m_p, m_u);
249 y = modn.Multiply(y, rInv); // unblind
250 if (modn.Exponentiate(y, m_e) != x) // check
251 throw Exception(Exception::OTHER_ERROR, "InvertibleRSAFunction: computational error during private key operation");
252 return y;
253 }
254
Validate(RandomNumberGenerator & rng,unsigned int level) const255 bool InvertibleRSAFunction::Validate(RandomNumberGenerator &rng, unsigned int level) const
256 {
257 bool pass = RSAFunction::Validate(rng, level);
258 CRYPTOPP_ASSERT(pass);
259 pass = pass && m_p > Integer::One() && m_p.IsOdd() && m_p < m_n;
260 CRYPTOPP_ASSERT(pass);
261 pass = pass && m_q > Integer::One() && m_q.IsOdd() && m_q < m_n;
262 CRYPTOPP_ASSERT(pass);
263 pass = pass && m_d > Integer::One() && m_d.IsOdd() && m_d < m_n;
264 CRYPTOPP_ASSERT(pass);
265 pass = pass && m_dp > Integer::One() && m_dp.IsOdd() && m_dp < m_p;
266 CRYPTOPP_ASSERT(pass);
267 pass = pass && m_dq > Integer::One() && m_dq.IsOdd() && m_dq < m_q;
268 CRYPTOPP_ASSERT(pass);
269 pass = pass && m_u.IsPositive() && m_u < m_p;
270 CRYPTOPP_ASSERT(pass);
271 if (level >= 1)
272 {
273 pass = pass && m_p * m_q == m_n;
274 CRYPTOPP_ASSERT(pass);
275 pass = pass && m_e*m_d % LCM(m_p-1, m_q-1) == 1;
276 CRYPTOPP_ASSERT(pass);
277 pass = pass && m_dp == m_d%(m_p-1) && m_dq == m_d%(m_q-1);
278 CRYPTOPP_ASSERT(pass);
279 pass = pass && m_u * m_q % m_p == 1;
280 CRYPTOPP_ASSERT(pass);
281 }
282 if (level >= 2)
283 {
284 pass = pass && VerifyPrime(rng, m_p, level-2) && VerifyPrime(rng, m_q, level-2);
285 CRYPTOPP_ASSERT(pass);
286 }
287 return pass;
288 }
289
GetVoidValue(const char * name,const std::type_info & valueType,void * pValue) const290 bool InvertibleRSAFunction::GetVoidValue(const char *name, const std::type_info &valueType, void *pValue) const
291 {
292 return GetValueHelper<RSAFunction>(this, name, valueType, pValue).Assignable()
293 CRYPTOPP_GET_FUNCTION_ENTRY(Prime1)
294 CRYPTOPP_GET_FUNCTION_ENTRY(Prime2)
295 CRYPTOPP_GET_FUNCTION_ENTRY(PrivateExponent)
296 CRYPTOPP_GET_FUNCTION_ENTRY(ModPrime1PrivateExponent)
297 CRYPTOPP_GET_FUNCTION_ENTRY(ModPrime2PrivateExponent)
298 CRYPTOPP_GET_FUNCTION_ENTRY(MultiplicativeInverseOfPrime2ModPrime1)
299 ;
300 }
301
AssignFrom(const NameValuePairs & source)302 void InvertibleRSAFunction::AssignFrom(const NameValuePairs &source)
303 {
304 AssignFromHelper<RSAFunction>(this, source)
305 CRYPTOPP_SET_FUNCTION_ENTRY(Prime1)
306 CRYPTOPP_SET_FUNCTION_ENTRY(Prime2)
307 CRYPTOPP_SET_FUNCTION_ENTRY(PrivateExponent)
308 CRYPTOPP_SET_FUNCTION_ENTRY(ModPrime1PrivateExponent)
309 CRYPTOPP_SET_FUNCTION_ENTRY(ModPrime2PrivateExponent)
310 CRYPTOPP_SET_FUNCTION_ENTRY(MultiplicativeInverseOfPrime2ModPrime1)
311 ;
312 }
313
314 // *****************************************************************************
315
ApplyFunction(const Integer & x) const316 Integer RSAFunction_ISO::ApplyFunction(const Integer &x) const
317 {
318 Integer t = RSAFunction::ApplyFunction(x);
319 return t % 16 == 12 ? t : m_n - t;
320 }
321
CalculateInverse(RandomNumberGenerator & rng,const Integer & x) const322 Integer InvertibleRSAFunction_ISO::CalculateInverse(RandomNumberGenerator &rng, const Integer &x) const
323 {
324 Integer t = InvertibleRSAFunction::CalculateInverse(rng, x);
325 return STDMIN(t, m_n-t);
326 }
327
328 NAMESPACE_END
329
330 #endif
331