1*62c56f98SSadaf Ebrahimi /** 2*62c56f98SSadaf Ebrahimi * \file rsa_alt_helpers.h 3*62c56f98SSadaf Ebrahimi * 4*62c56f98SSadaf Ebrahimi * \brief Context-independent RSA helper functions 5*62c56f98SSadaf Ebrahimi * 6*62c56f98SSadaf Ebrahimi * This module declares some RSA-related helper functions useful when 7*62c56f98SSadaf Ebrahimi * implementing the RSA interface. These functions are provided in a separate 8*62c56f98SSadaf Ebrahimi * compilation unit in order to make it easy for designers of alternative RSA 9*62c56f98SSadaf Ebrahimi * implementations to use them in their own code, as it is conceived that the 10*62c56f98SSadaf Ebrahimi * functionality they provide will be necessary for most complete 11*62c56f98SSadaf Ebrahimi * implementations. 12*62c56f98SSadaf Ebrahimi * 13*62c56f98SSadaf Ebrahimi * End-users of Mbed TLS who are not providing their own alternative RSA 14*62c56f98SSadaf Ebrahimi * implementations should not use these functions directly, and should instead 15*62c56f98SSadaf Ebrahimi * use only the functions declared in rsa.h. 16*62c56f98SSadaf Ebrahimi * 17*62c56f98SSadaf Ebrahimi * The interface provided by this module will be maintained through LTS (Long 18*62c56f98SSadaf Ebrahimi * Term Support) branches of Mbed TLS, but may otherwise be subject to change, 19*62c56f98SSadaf Ebrahimi * and must be considered an internal interface of the library. 20*62c56f98SSadaf Ebrahimi * 21*62c56f98SSadaf Ebrahimi * There are two classes of helper functions: 22*62c56f98SSadaf Ebrahimi * 23*62c56f98SSadaf Ebrahimi * (1) Parameter-generating helpers. These are: 24*62c56f98SSadaf Ebrahimi * - mbedtls_rsa_deduce_primes 25*62c56f98SSadaf Ebrahimi * - mbedtls_rsa_deduce_private_exponent 26*62c56f98SSadaf Ebrahimi * - mbedtls_rsa_deduce_crt 27*62c56f98SSadaf Ebrahimi * Each of these functions takes a set of core RSA parameters and 28*62c56f98SSadaf Ebrahimi * generates some other, or CRT related parameters. 29*62c56f98SSadaf Ebrahimi * 30*62c56f98SSadaf Ebrahimi * (2) Parameter-checking helpers. These are: 31*62c56f98SSadaf Ebrahimi * - mbedtls_rsa_validate_params 32*62c56f98SSadaf Ebrahimi * - mbedtls_rsa_validate_crt 33*62c56f98SSadaf Ebrahimi * They take a set of core or CRT related RSA parameters and check their 34*62c56f98SSadaf Ebrahimi * validity. 35*62c56f98SSadaf Ebrahimi * 36*62c56f98SSadaf Ebrahimi */ 37*62c56f98SSadaf Ebrahimi /* 38*62c56f98SSadaf Ebrahimi * Copyright The Mbed TLS Contributors 39*62c56f98SSadaf Ebrahimi * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 40*62c56f98SSadaf Ebrahimi * 41*62c56f98SSadaf Ebrahimi */ 42*62c56f98SSadaf Ebrahimi 43*62c56f98SSadaf Ebrahimi #ifndef MBEDTLS_RSA_INTERNAL_H 44*62c56f98SSadaf Ebrahimi #define MBEDTLS_RSA_INTERNAL_H 45*62c56f98SSadaf Ebrahimi 46*62c56f98SSadaf Ebrahimi #include "mbedtls/build_info.h" 47*62c56f98SSadaf Ebrahimi 48*62c56f98SSadaf Ebrahimi #include "mbedtls/bignum.h" 49*62c56f98SSadaf Ebrahimi 50*62c56f98SSadaf Ebrahimi #ifdef __cplusplus 51*62c56f98SSadaf Ebrahimi extern "C" { 52*62c56f98SSadaf Ebrahimi #endif 53*62c56f98SSadaf Ebrahimi 54*62c56f98SSadaf Ebrahimi 55*62c56f98SSadaf Ebrahimi /** 56*62c56f98SSadaf Ebrahimi * \brief Compute RSA prime moduli P, Q from public modulus N=PQ 57*62c56f98SSadaf Ebrahimi * and a pair of private and public key. 58*62c56f98SSadaf Ebrahimi * 59*62c56f98SSadaf Ebrahimi * \note This is a 'static' helper function not operating on 60*62c56f98SSadaf Ebrahimi * an RSA context. Alternative implementations need not 61*62c56f98SSadaf Ebrahimi * overwrite it. 62*62c56f98SSadaf Ebrahimi * 63*62c56f98SSadaf Ebrahimi * \param N RSA modulus N = PQ, with P, Q to be found 64*62c56f98SSadaf Ebrahimi * \param E RSA public exponent 65*62c56f98SSadaf Ebrahimi * \param D RSA private exponent 66*62c56f98SSadaf Ebrahimi * \param P Pointer to MPI holding first prime factor of N on success 67*62c56f98SSadaf Ebrahimi * \param Q Pointer to MPI holding second prime factor of N on success 68*62c56f98SSadaf Ebrahimi * 69*62c56f98SSadaf Ebrahimi * \return 70*62c56f98SSadaf Ebrahimi * - 0 if successful. In this case, P and Q constitute a 71*62c56f98SSadaf Ebrahimi * factorization of N. 72*62c56f98SSadaf Ebrahimi * - A non-zero error code otherwise. 73*62c56f98SSadaf Ebrahimi * 74*62c56f98SSadaf Ebrahimi * \note It is neither checked that P, Q are prime nor that 75*62c56f98SSadaf Ebrahimi * D, E are modular inverses wrt. P-1 and Q-1. For that, 76*62c56f98SSadaf Ebrahimi * use the helper function \c mbedtls_rsa_validate_params. 77*62c56f98SSadaf Ebrahimi * 78*62c56f98SSadaf Ebrahimi */ 79*62c56f98SSadaf Ebrahimi int mbedtls_rsa_deduce_primes(mbedtls_mpi const *N, mbedtls_mpi const *E, 80*62c56f98SSadaf Ebrahimi mbedtls_mpi const *D, 81*62c56f98SSadaf Ebrahimi mbedtls_mpi *P, mbedtls_mpi *Q); 82*62c56f98SSadaf Ebrahimi 83*62c56f98SSadaf Ebrahimi /** 84*62c56f98SSadaf Ebrahimi * \brief Compute RSA private exponent from 85*62c56f98SSadaf Ebrahimi * prime moduli and public key. 86*62c56f98SSadaf Ebrahimi * 87*62c56f98SSadaf Ebrahimi * \note This is a 'static' helper function not operating on 88*62c56f98SSadaf Ebrahimi * an RSA context. Alternative implementations need not 89*62c56f98SSadaf Ebrahimi * overwrite it. 90*62c56f98SSadaf Ebrahimi * 91*62c56f98SSadaf Ebrahimi * \param P First prime factor of RSA modulus 92*62c56f98SSadaf Ebrahimi * \param Q Second prime factor of RSA modulus 93*62c56f98SSadaf Ebrahimi * \param E RSA public exponent 94*62c56f98SSadaf Ebrahimi * \param D Pointer to MPI holding the private exponent on success. 95*62c56f98SSadaf Ebrahimi * 96*62c56f98SSadaf Ebrahimi * \return 97*62c56f98SSadaf Ebrahimi * - 0 if successful. In this case, D is set to a simultaneous 98*62c56f98SSadaf Ebrahimi * modular inverse of E modulo both P-1 and Q-1. 99*62c56f98SSadaf Ebrahimi * - A non-zero error code otherwise. 100*62c56f98SSadaf Ebrahimi * 101*62c56f98SSadaf Ebrahimi * \note This function does not check whether P and Q are primes. 102*62c56f98SSadaf Ebrahimi * 103*62c56f98SSadaf Ebrahimi */ 104*62c56f98SSadaf Ebrahimi int mbedtls_rsa_deduce_private_exponent(mbedtls_mpi const *P, 105*62c56f98SSadaf Ebrahimi mbedtls_mpi const *Q, 106*62c56f98SSadaf Ebrahimi mbedtls_mpi const *E, 107*62c56f98SSadaf Ebrahimi mbedtls_mpi *D); 108*62c56f98SSadaf Ebrahimi 109*62c56f98SSadaf Ebrahimi 110*62c56f98SSadaf Ebrahimi /** 111*62c56f98SSadaf Ebrahimi * \brief Generate RSA-CRT parameters 112*62c56f98SSadaf Ebrahimi * 113*62c56f98SSadaf Ebrahimi * \note This is a 'static' helper function not operating on 114*62c56f98SSadaf Ebrahimi * an RSA context. Alternative implementations need not 115*62c56f98SSadaf Ebrahimi * overwrite it. 116*62c56f98SSadaf Ebrahimi * 117*62c56f98SSadaf Ebrahimi * \param P First prime factor of N 118*62c56f98SSadaf Ebrahimi * \param Q Second prime factor of N 119*62c56f98SSadaf Ebrahimi * \param D RSA private exponent 120*62c56f98SSadaf Ebrahimi * \param DP Output variable for D modulo P-1 121*62c56f98SSadaf Ebrahimi * \param DQ Output variable for D modulo Q-1 122*62c56f98SSadaf Ebrahimi * \param QP Output variable for the modular inverse of Q modulo P. 123*62c56f98SSadaf Ebrahimi * 124*62c56f98SSadaf Ebrahimi * \return 0 on success, non-zero error code otherwise. 125*62c56f98SSadaf Ebrahimi * 126*62c56f98SSadaf Ebrahimi * \note This function does not check whether P, Q are 127*62c56f98SSadaf Ebrahimi * prime and whether D is a valid private exponent. 128*62c56f98SSadaf Ebrahimi * 129*62c56f98SSadaf Ebrahimi */ 130*62c56f98SSadaf Ebrahimi int mbedtls_rsa_deduce_crt(const mbedtls_mpi *P, const mbedtls_mpi *Q, 131*62c56f98SSadaf Ebrahimi const mbedtls_mpi *D, mbedtls_mpi *DP, 132*62c56f98SSadaf Ebrahimi mbedtls_mpi *DQ, mbedtls_mpi *QP); 133*62c56f98SSadaf Ebrahimi 134*62c56f98SSadaf Ebrahimi 135*62c56f98SSadaf Ebrahimi /** 136*62c56f98SSadaf Ebrahimi * \brief Check validity of core RSA parameters 137*62c56f98SSadaf Ebrahimi * 138*62c56f98SSadaf Ebrahimi * \note This is a 'static' helper function not operating on 139*62c56f98SSadaf Ebrahimi * an RSA context. Alternative implementations need not 140*62c56f98SSadaf Ebrahimi * overwrite it. 141*62c56f98SSadaf Ebrahimi * 142*62c56f98SSadaf Ebrahimi * \param N RSA modulus N = PQ 143*62c56f98SSadaf Ebrahimi * \param P First prime factor of N 144*62c56f98SSadaf Ebrahimi * \param Q Second prime factor of N 145*62c56f98SSadaf Ebrahimi * \param D RSA private exponent 146*62c56f98SSadaf Ebrahimi * \param E RSA public exponent 147*62c56f98SSadaf Ebrahimi * \param f_rng PRNG to be used for primality check, or NULL 148*62c56f98SSadaf Ebrahimi * \param p_rng PRNG context for f_rng, or NULL 149*62c56f98SSadaf Ebrahimi * 150*62c56f98SSadaf Ebrahimi * \return 151*62c56f98SSadaf Ebrahimi * - 0 if the following conditions are satisfied 152*62c56f98SSadaf Ebrahimi * if all relevant parameters are provided: 153*62c56f98SSadaf Ebrahimi * - P prime if f_rng != NULL (%) 154*62c56f98SSadaf Ebrahimi * - Q prime if f_rng != NULL (%) 155*62c56f98SSadaf Ebrahimi * - 1 < N = P * Q 156*62c56f98SSadaf Ebrahimi * - 1 < D, E < N 157*62c56f98SSadaf Ebrahimi * - D and E are modular inverses modulo P-1 and Q-1 158*62c56f98SSadaf Ebrahimi * (%) This is only done if MBEDTLS_GENPRIME is defined. 159*62c56f98SSadaf Ebrahimi * - A non-zero error code otherwise. 160*62c56f98SSadaf Ebrahimi * 161*62c56f98SSadaf Ebrahimi * \note The function can be used with a restricted set of arguments 162*62c56f98SSadaf Ebrahimi * to perform specific checks only. E.g., calling it with 163*62c56f98SSadaf Ebrahimi * (-,P,-,-,-) and a PRNG amounts to a primality check for P. 164*62c56f98SSadaf Ebrahimi */ 165*62c56f98SSadaf Ebrahimi int mbedtls_rsa_validate_params(const mbedtls_mpi *N, const mbedtls_mpi *P, 166*62c56f98SSadaf Ebrahimi const mbedtls_mpi *Q, const mbedtls_mpi *D, 167*62c56f98SSadaf Ebrahimi const mbedtls_mpi *E, 168*62c56f98SSadaf Ebrahimi int (*f_rng)(void *, unsigned char *, size_t), 169*62c56f98SSadaf Ebrahimi void *p_rng); 170*62c56f98SSadaf Ebrahimi 171*62c56f98SSadaf Ebrahimi /** 172*62c56f98SSadaf Ebrahimi * \brief Check validity of RSA CRT parameters 173*62c56f98SSadaf Ebrahimi * 174*62c56f98SSadaf Ebrahimi * \note This is a 'static' helper function not operating on 175*62c56f98SSadaf Ebrahimi * an RSA context. Alternative implementations need not 176*62c56f98SSadaf Ebrahimi * overwrite it. 177*62c56f98SSadaf Ebrahimi * 178*62c56f98SSadaf Ebrahimi * \param P First prime factor of RSA modulus 179*62c56f98SSadaf Ebrahimi * \param Q Second prime factor of RSA modulus 180*62c56f98SSadaf Ebrahimi * \param D RSA private exponent 181*62c56f98SSadaf Ebrahimi * \param DP MPI to check for D modulo P-1 182*62c56f98SSadaf Ebrahimi * \param DQ MPI to check for D modulo P-1 183*62c56f98SSadaf Ebrahimi * \param QP MPI to check for the modular inverse of Q modulo P. 184*62c56f98SSadaf Ebrahimi * 185*62c56f98SSadaf Ebrahimi * \return 186*62c56f98SSadaf Ebrahimi * - 0 if the following conditions are satisfied: 187*62c56f98SSadaf Ebrahimi * - D = DP mod P-1 if P, D, DP != NULL 188*62c56f98SSadaf Ebrahimi * - Q = DQ mod P-1 if P, D, DQ != NULL 189*62c56f98SSadaf Ebrahimi * - QP = Q^-1 mod P if P, Q, QP != NULL 190*62c56f98SSadaf Ebrahimi * - \c MBEDTLS_ERR_RSA_KEY_CHECK_FAILED if check failed, 191*62c56f98SSadaf Ebrahimi * potentially including \c MBEDTLS_ERR_MPI_XXX if some 192*62c56f98SSadaf Ebrahimi * MPI calculations failed. 193*62c56f98SSadaf Ebrahimi * - \c MBEDTLS_ERR_RSA_BAD_INPUT_DATA if insufficient 194*62c56f98SSadaf Ebrahimi * data was provided to check DP, DQ or QP. 195*62c56f98SSadaf Ebrahimi * 196*62c56f98SSadaf Ebrahimi * \note The function can be used with a restricted set of arguments 197*62c56f98SSadaf Ebrahimi * to perform specific checks only. E.g., calling it with the 198*62c56f98SSadaf Ebrahimi * parameters (P, -, D, DP, -, -) will check DP = D mod P-1. 199*62c56f98SSadaf Ebrahimi */ 200*62c56f98SSadaf Ebrahimi int mbedtls_rsa_validate_crt(const mbedtls_mpi *P, const mbedtls_mpi *Q, 201*62c56f98SSadaf Ebrahimi const mbedtls_mpi *D, const mbedtls_mpi *DP, 202*62c56f98SSadaf Ebrahimi const mbedtls_mpi *DQ, const mbedtls_mpi *QP); 203*62c56f98SSadaf Ebrahimi 204*62c56f98SSadaf Ebrahimi #ifdef __cplusplus 205*62c56f98SSadaf Ebrahimi } 206*62c56f98SSadaf Ebrahimi #endif 207*62c56f98SSadaf Ebrahimi 208*62c56f98SSadaf Ebrahimi #endif /* rsa_alt_helpers.h */ 209