1// Copyright 2015-2016 Brian Smith.
2//
3// Permission to use, copy, modify, and/or distribute this software for any
4// purpose with or without fee is hereby granted, provided that the above
5// copyright notice and this permission notice appear in all copies.
6//
7// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES
8// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY
10// SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12// OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13// CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
14
15use super::{super::PUBLIC_KEY_PUBLIC_MODULUS_MAX_LEN, Padding, RsaEncoding, Verification};
16use crate::{bits, digest, error, io::der, rand};
17
18/// PKCS#1 1.5 padding as described in [RFC 3447 Section 8.2].
19///
20/// See "`RSA_PSS_*` Details\" in `ring::signature`'s module-level
21/// documentation for more details.
22///
23/// [RFC 3447 Section 8.2]: https://tools.ietf.org/html/rfc3447#section-8.2
24#[derive(Debug)]
25pub struct PKCS1 {
26 digest_alg: &'static digest::Algorithm,
27 digestinfo_prefix: &'static [u8],
28}
29
30impl crate::sealed::Sealed for PKCS1 {}
31
32impl Padding for PKCS1 {
33 fn digest_alg(&self) -> &'static digest::Algorithm {
34 self.digest_alg
35 }
36}
37
38impl RsaEncoding for PKCS1 {
39 fn encode(
40 &self,
41 m_hash: digest::Digest,
42 m_out: &mut [u8],
43 _mod_bits: bits::BitLength,
44 _rng: &dyn rand::SecureRandom,
45 ) -> Result<(), error::Unspecified> {
46 pkcs1_encode(self, m_hash, m_out);
47 Ok(())
48 }
49}
50
51impl Verification for PKCS1 {
52 fn verify(
53 &self,
54 m_hash: digest::Digest,
55 m: &mut untrusted::Reader,
56 mod_bits: bits::BitLength,
57 ) -> Result<(), error::Unspecified> {
58 // `mod_bits.as_usize_bytes_rounded_up() <=
59 // PUBLIC_KEY_PUBLIC_MODULUS_MAX_LEN` is ensured by `verify_rsa_()`.
60 let mut calculated: [u8; 1024] = [0u8; PUBLIC_KEY_PUBLIC_MODULUS_MAX_LEN];
61 let calculated: &mut [u8] = &mut calculated[..mod_bits.as_usize_bytes_rounded_up()];
62 pkcs1_encode(self, m_hash, m_out:calculated);
63 if m.read_bytes_to_end().as_slice_less_safe() != calculated {
64 return Err(error::Unspecified);
65 }
66 Ok(())
67 }
68}
69
70// Implement padding procedure per EMSA-PKCS1-v1_5,
71// https://tools.ietf.org/html/rfc3447#section-9.2. This is used by both
72// verification and signing so it needs to be able to handle moduli of the
73// minimum and maximum sizes for both operations.
74fn pkcs1_encode(pkcs1: &PKCS1, m_hash: digest::Digest, m_out: &mut [u8]) {
75 let em: &mut [u8] = m_out;
76
77 let digest_len: usize = pkcs1.digestinfo_prefix.len() + pkcs1.digest_alg.output_len();
78
79 // The specification requires at least 8 bytes of padding. Since we
80 // disallow keys smaller than 1024 bits, this should always be true.
81 assert!(em.len() >= digest_len + 11);
82 let pad_len: usize = em.len() - digest_len - 3;
83 em[0] = 0;
84 em[1] = 1;
85 for i: usize in 0..pad_len {
86 em[2 + i] = 0xff;
87 }
88 em[2 + pad_len] = 0;
89
90 let (digest_prefix: &mut [u8], digest_dst: &mut [u8]) = em[3 + pad_len..].split_at_mut(mid:pkcs1.digestinfo_prefix.len());
91 digest_prefix.copy_from_slice(src:pkcs1.digestinfo_prefix);
92 digest_dst.copy_from_slice(src:m_hash.as_ref());
93}
94
95macro_rules! rsa_pkcs1_padding {
96 ( $vis:vis $PADDING_ALGORITHM:ident, $digest_alg:expr, $digestinfo_prefix:expr,
97 $doc_str:expr ) => {
98 #[doc=$doc_str]
99 $vis static $PADDING_ALGORITHM: PKCS1 = PKCS1 {
100 digest_alg: $digest_alg,
101 digestinfo_prefix: $digestinfo_prefix,
102 };
103 };
104}
105
106// Intentionally not exposed except internally for signature verification. At a
107// minimum, we'd need to create test vectors for signing with it, which we
108// don't currently have. But, it's a bad idea to use SHA-1 anyway, so perhaps
109// we just won't ever expose it.
110rsa_pkcs1_padding!(
111 pub(in super::super) RSA_PKCS1_SHA1_FOR_LEGACY_USE_ONLY,
112 &digest::SHA1_FOR_LEGACY_USE_ONLY,
113 &SHA1_PKCS1_DIGESTINFO_PREFIX,
114 "PKCS#1 1.5 padding using SHA-1 for RSA signatures."
115);
116
117rsa_pkcs1_padding!(
118 pub RSA_PKCS1_SHA256,
119 &digest::SHA256,
120 &SHA256_PKCS1_DIGESTINFO_PREFIX,
121 "PKCS#1 1.5 padding using SHA-256 for RSA signatures."
122);
123
124rsa_pkcs1_padding!(
125 pub RSA_PKCS1_SHA384,
126 &digest::SHA384,
127 &SHA384_PKCS1_DIGESTINFO_PREFIX,
128 "PKCS#1 1.5 padding using SHA-384 for RSA signatures."
129);
130
131rsa_pkcs1_padding!(
132 pub RSA_PKCS1_SHA512,
133 &digest::SHA512,
134 &SHA512_PKCS1_DIGESTINFO_PREFIX,
135 "PKCS#1 1.5 padding using SHA-512 for RSA signatures."
136);
137
138macro_rules! pkcs1_digestinfo_prefix {
139 ( $name:ident, $digest_len:expr, $digest_oid_len:expr,
140 [ $( $digest_oid:expr ),* ] ) => {
141 static $name: [u8; 2 + 8 + $digest_oid_len] = [
142 der::Tag::Sequence.into(), 8 + $digest_oid_len + $digest_len,
143 der::Tag::Sequence.into(), 2 + $digest_oid_len + 2,
144 der::Tag::OID.into(), $digest_oid_len, $( $digest_oid ),*,
145 der::Tag::Null.into(), 0,
146 der::Tag::OctetString.into(), $digest_len,
147 ];
148 }
149}
150
151pkcs1_digestinfo_prefix!(
152 SHA1_PKCS1_DIGESTINFO_PREFIX,
153 20,
154 5,
155 [0x2b, 0x0e, 0x03, 0x02, 0x1a]
156);
157
158pkcs1_digestinfo_prefix!(
159 SHA256_PKCS1_DIGESTINFO_PREFIX,
160 32,
161 9,
162 [0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01]
163);
164
165pkcs1_digestinfo_prefix!(
166 SHA384_PKCS1_DIGESTINFO_PREFIX,
167 48,
168 9,
169 [0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02]
170);
171
172pkcs1_digestinfo_prefix!(
173 SHA512_PKCS1_DIGESTINFO_PREFIX,
174 64,
175 9,
176 [0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03]
177);
178