use {bits, bssl, c, der, digest, error};
use rand;
use std;
use super::bigint;
use untrusted;
pub struct RSAKeyPair {
n: bigint::Modulus<N>,
e: bigint::OddPositive,
p: bigint::Modulus<P>,
q: bigint::Modulus<Q>,
dmp1: bigint::OddPositive,
dmq1: bigint::OddPositive,
iqmp: bigint::Elem<P>,
qq: bigint::Modulus<QQ>,
q_mod_n: bigint::Elem<N>,
n_bits: bits::BitLength,
}
unsafe impl Send for RSAKeyPair {}
unsafe impl Sync for RSAKeyPair {}
impl RSAKeyPair {
pub fn from_der(input: untrusted::Input)
-> Result<RSAKeyPair, error::Unspecified> {
input.read_all(error::Unspecified, |input| {
der::nested(input, der::Tag::Sequence, error::Unspecified, |input| {
let version = try!(der::small_nonnegative_integer(input));
if version != 0 {
return Err(error::Unspecified);
}
let n = try!(bigint::Positive::from_der(input));
let e = try!(bigint::Positive::from_der(input));
let d = try!(bigint::Positive::from_der(input));
let p = try!(bigint::Positive::from_der(input));
let q = try!(bigint::Positive::from_der(input));
let dmp1 = try!(bigint::Positive::from_der(input));
let dmq1 = try!(bigint::Positive::from_der(input));
let iqmp = try!(bigint::Positive::from_der(input));
let n_bits = n.bit_length();
let (n, e) = try!(super::check_public_modulus_and_exponent(
n, e, bits::BitLength::from_usize_bits(2048),
super::PRIVATE_KEY_PUBLIC_MODULUS_MAX_BITS));
let d = try!(d.into_odd_positive());
try!(bigint::verify_less_than(&e, &d));
try!(bigint::verify_less_than(&d, &n));
let half_n_bits = n_bits.half_rounded_up();
if p.bit_length() != half_n_bits {
return Err(error::Unspecified);
}
let p = try!(p.into_odd_positive());
try!(bigint::verify_less_than(&p, &d));
if p.bit_length() != q.bit_length() {
return Err(error::Unspecified);
}
let q = try!(q.into_odd_positive());
try!(bigint::verify_less_than(&q, &p));
let n = try!(n.into_modulus::<N>());
let q_mod_n = {
let q = try!(q.try_clone());
try!(q.into_elem(&n))
};
let p_mod_n = {
let p = try!(p.try_clone());
try!(p.into_elem_decoded(&n))
};
let pq_mod_n =
try!(bigint::elem_mul_mixed(&q_mod_n, &p_mod_n, &n));
if !pq_mod_n.is_zero() {
return Err(error::Unspecified);
}
let dmp1 = try!(dmp1.into_odd_positive());
try!(bigint::verify_less_than(&dmp1, &p));
let dmq1 = try!(dmq1.into_odd_positive());
try!(bigint::verify_less_than(&dmq1, &q));
let p = try!(p.into_modulus::<P>());
let iqmp = try!(iqmp.into_elem(&p));
let q_mod_p = {
let q = try!(q.try_clone());
try!(q.into_elem_decoded(&p))
};
let iqmp_times_q_mod_p =
try!(bigint::elem_mul_mixed(&iqmp, &q_mod_p, &p));
if !iqmp_times_q_mod_p.is_one() {
return Err(error::Unspecified);
}
let q_mod_n_decoded = {
let q = try!(q.try_clone());
try!(q.into_elem_decoded(&n))
};
let qq =
try!(bigint::elem_mul_mixed(&q_mod_n, &q_mod_n_decoded,
&n));
let qq = try!(qq.into_odd_positive());
let qq = try!(qq.into_modulus::<QQ>());
let q = try!(q.into_modulus::<Q>());
Ok(RSAKeyPair {
n: n,
e: e,
p: p,
q: q,
dmp1: dmp1,
dmq1: dmq1,
iqmp: iqmp,
q_mod_n: q_mod_n,
qq: qq,
n_bits: n_bits,
})
})
})
}
pub fn public_modulus_len(&self) -> usize {
self.n_bits.as_usize_bytes_rounded_up()
}
}
enum N {}
unsafe impl bigint::Field for N {}
enum P {}
unsafe impl bigint::Field for P {}
enum Q {}
unsafe impl bigint::Field for Q {}
enum QQ {}
unsafe impl bigint::Field for QQ {}
#[repr(C)]
struct RSA<'a> {
e: &'a bigint::BIGNUM,
dmp1: &'a bigint::BIGNUM,
dmq1: &'a bigint::BIGNUM,
mont_n: &'a bigint::BN_MONT_CTX,
mont_p: &'a bigint::BN_MONT_CTX,
mont_q: &'a bigint::BN_MONT_CTX,
mont_qq: &'a bigint::BN_MONT_CTX,
qmn_mont: &'a bigint::BIGNUM,
iqmp_mont: &'a bigint::BIGNUM,
}
pub struct RSASigningState {
key_pair: std::sync::Arc<RSAKeyPair>,
blinding: Blinding,
}
impl RSASigningState {
pub fn new(key_pair: std::sync::Arc<RSAKeyPair>)
-> Result<Self, error::Unspecified> {
let blinding = unsafe { GFp_BN_BLINDING_new() };
if blinding.is_null() {
return Err(error::Unspecified);
}
Ok(RSASigningState {
key_pair: key_pair,
blinding: Blinding { blinding: blinding },
})
}
pub fn key_pair(&self) -> &RSAKeyPair { self.key_pair.as_ref() }
pub fn sign(&mut self, padding_alg: &'static ::signature::RSAEncoding,
rng: &rand::SecureRandom, msg: &[u8], signature: &mut [u8])
-> Result<(), error::Unspecified> {
let mod_bits = self.key_pair.n_bits;
if signature.len() != mod_bits.as_usize_bytes_rounded_up() {
return Err(error::Unspecified);
}
let key = self.key_pair();
let rsa = RSA {
e: key.e.as_ref(),
dmp1: key.dmp1.as_ref(),
dmq1: key.dmq1.as_ref(),
mont_n: key.n.as_ref(),
mont_p: key.p.as_ref(),
mont_q: key.q.as_ref(),
mont_qq: key.qq.as_ref(),
qmn_mont: key.q_mod_n.as_ref_montgomery_encoded(),
iqmp_mont: key.iqmp.as_ref_montgomery_encoded(),
};
let m_hash = digest::digest(padding_alg.digest_alg(), msg);
try!(padding_alg.encode(&m_hash, signature, mod_bits, rng));
let base = try!(bigint::Positive::from_be_bytes_padded(
untrusted::Input::from(signature)));
let mut base = try!(base.into_elem_decoded(&key.n));
let mut rand = rand::RAND::new(rng);
try!(bssl::map_result(unsafe {
GFp_rsa_private_transform(&rsa, base.as_mut_ref(),
&mut *self.blinding.blinding, &mut rand)
}));
base.fill_be_bytes(signature)
}
}
struct Blinding {
blinding: *mut BN_BLINDING,
}
impl Drop for Blinding {
fn drop(&mut self) { unsafe { GFp_BN_BLINDING_free(self.blinding) } }
}
unsafe impl Send for Blinding {}
#[allow(non_camel_case_types)]
#[repr(C)]
struct BN_BLINDING {
a: *mut bigint::BIGNUM,
ai: *mut bigint::BIGNUM,
counter: u32,
}
extern {
fn GFp_BN_BLINDING_new() -> *mut BN_BLINDING;
fn GFp_BN_BLINDING_free(b: *mut BN_BLINDING);
}
#[allow(improper_ctypes)]
extern {
fn GFp_rsa_private_transform(rsa: &RSA, base: &mut bigint::BIGNUM,
blinding: &mut BN_BLINDING,
rng: &mut rand::RAND) -> c::int;
}
#[cfg(test)]
mod tests {
use {error, rand, signature, test};
use std;
use untrusted;
extern {
static GFp_BN_BLINDING_COUNTER: u32;
}
#[test]
fn test_signature_rsa_pkcs1_sign() {
let rng = rand::SystemRandom::new();
test::from_file("src/rsa/rsa_pkcs1_sign_tests.txt",
|section, test_case| {
assert_eq!(section, "");
let digest_name = test_case.consume_string("Digest");
let alg = match digest_name.as_ref() {
"SHA256" => &signature::RSA_PKCS1_SHA256,
"SHA384" => &signature::RSA_PKCS1_SHA384,
"SHA512" => &signature::RSA_PKCS1_SHA512,
_ => { panic!("Unsupported digest: {}", digest_name) }
};
let private_key = test_case.consume_bytes("Key");
let msg = test_case.consume_bytes("Msg");
let expected = test_case.consume_bytes("Sig");
let result = test_case.consume_string("Result");
let private_key = untrusted::Input::from(&private_key);
let key_pair = signature::RSAKeyPair::from_der(private_key);
if key_pair.is_err() && result == "Fail-Invalid-Key" {
return Ok(());
}
let key_pair = key_pair.unwrap();
let key_pair = std::sync::Arc::new(key_pair);
let mut signing_state =
signature::RSASigningState::new(key_pair).unwrap();
let mut actual: std::vec::Vec<u8> =
vec![0; signing_state.key_pair().public_modulus_len()];
signing_state.sign(alg, &rng, &msg, actual.as_mut_slice()).unwrap();
assert_eq!(actual.as_slice() == &expected[..], result == "Pass");
Ok(())
});
}
#[test]
fn test_signature_rsa_pkcs1_sign_output_buffer_len() {
const MESSAGE: &'static [u8] = b"hello, world";
let rng = rand::SystemRandom::new();
const PRIVATE_KEY_DER: &'static [u8] =
include_bytes!("signature_rsa_example_private_key.der");
let key_bytes_der = untrusted::Input::from(PRIVATE_KEY_DER);
let key_pair = signature::RSAKeyPair::from_der(key_bytes_der).unwrap();
let key_pair = std::sync::Arc::new(key_pair);
let mut signing_state =
signature::RSASigningState::new(key_pair).unwrap();
let mut signature =
vec![0; signing_state.key_pair().public_modulus_len() - 1];
assert!(signing_state.sign(&signature::RSA_PKCS1_SHA256, &rng, MESSAGE,
&mut signature).is_err());
signature.push(0);
assert!(signing_state.sign(&signature::RSA_PKCS1_SHA256, &rng, MESSAGE,
&mut signature).is_ok());
signature.push(0);
assert!(signing_state.sign(&signature::RSA_PKCS1_SHA256, &rng, MESSAGE,
&mut signature).is_err());
}
#[test]
fn test_signature_rsa_pkcs1_sign_blinding_reuse() {
const MESSAGE: &'static [u8] = b"hello, world";
let rng = rand::SystemRandom::new();
const PRIVATE_KEY_DER: &'static [u8] =
include_bytes!("signature_rsa_example_private_key.der");
let key_bytes_der = untrusted::Input::from(PRIVATE_KEY_DER);
let key_pair = signature::RSAKeyPair::from_der(key_bytes_der).unwrap();
let key_pair = std::sync::Arc::new(key_pair);
let mut signature = vec![0; key_pair.public_modulus_len()];
let mut signing_state =
signature::RSASigningState::new(key_pair).unwrap();
let blinding_counter = unsafe { GFp_BN_BLINDING_COUNTER };
for _ in 0..(blinding_counter + 1) {
let prev_counter =
unsafe { (*signing_state.blinding.blinding).counter };
let _ = signing_state.sign(&signature::RSA_PKCS1_SHA256, &rng,
MESSAGE, &mut signature);
let counter = unsafe { (*signing_state.blinding.blinding).counter };
assert_eq!(counter, (prev_counter + 1) % blinding_counter);
}
}
#[test]
fn test_signature_rsa_pkcs1_sign_blinding_creation_failure() {
const MESSAGE: &'static [u8] = b"hello, world";
let rng = test::rand::FixedByteRandom { byte: 0x00 };
const PRIVATE_KEY_DER: &'static [u8] =
include_bytes!("signature_rsa_example_private_key.der");
let key_bytes_der = untrusted::Input::from(PRIVATE_KEY_DER);
let key_pair = signature::RSAKeyPair::from_der(key_bytes_der).unwrap();
let key_pair = std::sync::Arc::new(key_pair);
let mut signing_state =
signature::RSASigningState::new(key_pair).unwrap();
let mut signature =
vec![0; signing_state.key_pair().public_modulus_len()];
let result = signing_state.sign(&signature::RSA_PKCS1_SHA256, &rng,
MESSAGE, &mut signature);
assert!(result.is_err());
}
#[cfg(feature = "rsa_signing")]
#[test]
fn test_signature_rsa_pss_sign() {
struct DeterministicSalt<'a> {
salt: &'a [u8],
rng: &'a rand::SecureRandom
}
impl<'a> rand::SecureRandom for DeterministicSalt<'a> {
fn fill(&self, dest: &mut [u8]) -> Result<(), error::Unspecified> {
let dest_len = dest.len();
if dest_len != self.salt.len() {
try!(self.rng.fill(dest));
} else {
dest.copy_from_slice(&self.salt);
}
Ok(())
}
}
let rng = rand::SystemRandom::new();
test::from_file("src/rsa/rsa_pss_sign_tests.txt", |section, test_case| {
assert_eq!(section, "");
let digest_name = test_case.consume_string("Digest");
let alg = match digest_name.as_ref() {
"SHA256" => &signature::RSA_PSS_SHA256,
"SHA384" => &signature::RSA_PSS_SHA384,
"SHA512" => &signature::RSA_PSS_SHA512,
_ => { panic!("Unsupported digest: {}", digest_name) }
};
let result = test_case.consume_string("Result");
let private_key = test_case.consume_bytes("Key");
let private_key = untrusted::Input::from(&private_key);
let key_pair = signature::RSAKeyPair::from_der(private_key);
if key_pair.is_err() && result == "Fail-Invalid-Key" {
return Ok(());
}
let key_pair = key_pair.unwrap();
let key_pair = std::sync::Arc::new(key_pair);
let msg = test_case.consume_bytes("Msg");
let salt = test_case.consume_bytes("Salt");
let expected = test_case.consume_bytes("Sig");
let new_rng = DeterministicSalt { salt: &salt, rng: &rng };
let mut signing_state =
signature::RSASigningState::new(key_pair).unwrap();
let mut actual: std::vec::Vec<u8> =
vec![0; signing_state.key_pair().public_modulus_len()];
try!(signing_state.sign(alg, &new_rng, &msg, actual.as_mut_slice()));
assert_eq!(actual.as_slice() == &expected[..], result == "Pass");
Ok(())
});
}
#[test]
fn test_sync_and_send() {
const PRIVATE_KEY_DER: &'static [u8] =
include_bytes!("signature_rsa_example_private_key.der");
let key_bytes_der = untrusted::Input::from(PRIVATE_KEY_DER);
let key_pair = signature::RSAKeyPair::from_der(key_bytes_der).unwrap();
let key_pair = std::sync::Arc::new(key_pair);
let _: &Send = &key_pair;
let _: &Sync = &key_pair;
let signing_state = signature::RSASigningState::new(key_pair).unwrap();
let _: &Send = &signing_state;
}
}