1 // Copyright 2015-2016 Brian Smith.
2 //
3 // Permission to use, copy, modify, and/or distribute this software for any
4 // purpose with or without fee is hereby granted, provided that the above
5 // copyright notice and this permission notice appear in all copies.
6 //
7 // THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES
8 // WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 // MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY
10 // SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 // WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
14 
15 //! Verification of RSA signatures.
16 
17 use super::{
18     parse_public_key, PublicExponent, PublicKey, RsaParameters, PUBLIC_KEY_PUBLIC_MODULUS_MAX_LEN,
19 };
20 use crate::{bits, cpu, digest, error, sealed, signature};
21 
22 impl signature::VerificationAlgorithm for RsaParameters {
verify( &self, public_key: untrusted::Input, msg: untrusted::Input, signature: untrusted::Input, ) -> Result<(), error::Unspecified>23     fn verify(
24         &self,
25         public_key: untrusted::Input,
26         msg: untrusted::Input,
27         signature: untrusted::Input,
28     ) -> Result<(), error::Unspecified> {
29         let (n, e) = parse_public_key(public_key)?;
30         verify_rsa_(
31             self,
32             (
33                 n.big_endian_without_leading_zero_as_input(),
34                 e.big_endian_without_leading_zero_as_input(),
35             ),
36             msg,
37             signature,
38         )
39     }
40 }
41 
42 impl sealed::Sealed for RsaParameters {}
43 
44 macro_rules! rsa_params {
45     ( $VERIFY_ALGORITHM:ident, $min_bits:expr, $PADDING_ALGORITHM:expr,
46       $doc_str:expr ) => {
47         #[doc=$doc_str]
48         ///
49         /// Only available in `alloc` mode.
50         pub static $VERIFY_ALGORITHM: RsaParameters = RsaParameters {
51             padding_alg: $PADDING_ALGORITHM,
52             min_bits: bits::BitLength::from_usize_bits($min_bits),
53         };
54     };
55 }
56 
57 rsa_params!(
58     RSA_PKCS1_1024_8192_SHA1_FOR_LEGACY_USE_ONLY,
59     1024,
60     &super::padding::RSA_PKCS1_SHA1_FOR_LEGACY_USE_ONLY,
61     "Verification of signatures using RSA keys of 1024-8192 bits,
62              PKCS#1.5 padding, and SHA-1.\n\nSee \"`RSA_PKCS1_*` Details\" in
63              `ring::signature`'s module-level documentation for more details."
64 );
65 rsa_params!(
66     RSA_PKCS1_2048_8192_SHA1_FOR_LEGACY_USE_ONLY,
67     2048,
68     &super::padding::RSA_PKCS1_SHA1_FOR_LEGACY_USE_ONLY,
69     "Verification of signatures using RSA keys of 2048-8192 bits,
70              PKCS#1.5 padding, and SHA-1.\n\nSee \"`RSA_PKCS1_*` Details\" in
71              `ring::signature`'s module-level documentation for more details."
72 );
73 rsa_params!(
74     RSA_PKCS1_1024_8192_SHA256_FOR_LEGACY_USE_ONLY,
75     1024,
76     &super::padding::RSA_PKCS1_SHA256,
77     "Verification of signatures using RSA keys of 1024-8192 bits,
78              PKCS#1.5 padding, and SHA-256.\n\nSee \"`RSA_PKCS1_*` Details\" in
79              `ring::signature`'s module-level documentation for more details."
80 );
81 rsa_params!(
82     RSA_PKCS1_2048_8192_SHA256,
83     2048,
84     &super::padding::RSA_PKCS1_SHA256,
85     "Verification of signatures using RSA keys of 2048-8192 bits,
86              PKCS#1.5 padding, and SHA-256.\n\nSee \"`RSA_PKCS1_*` Details\" in
87              `ring::signature`'s module-level documentation for more details."
88 );
89 rsa_params!(
90     RSA_PKCS1_2048_8192_SHA384,
91     2048,
92     &super::padding::RSA_PKCS1_SHA384,
93     "Verification of signatures using RSA keys of 2048-8192 bits,
94              PKCS#1.5 padding, and SHA-384.\n\nSee \"`RSA_PKCS1_*` Details\" in
95              `ring::signature`'s module-level documentation for more details."
96 );
97 rsa_params!(
98     RSA_PKCS1_2048_8192_SHA512,
99     2048,
100     &super::padding::RSA_PKCS1_SHA512,
101     "Verification of signatures using RSA keys of 2048-8192 bits,
102              PKCS#1.5 padding, and SHA-512.\n\nSee \"`RSA_PKCS1_*` Details\" in
103              `ring::signature`'s module-level documentation for more details."
104 );
105 rsa_params!(
106     RSA_PKCS1_1024_8192_SHA512_FOR_LEGACY_USE_ONLY,
107     1024,
108     &super::padding::RSA_PKCS1_SHA512,
109     "Verification of signatures using RSA keys of 1024-8192 bits,
110              PKCS#1.5 padding, and SHA-512.\n\nSee \"`RSA_PKCS1_*` Details\" in
111              `ring::signature`'s module-level documentation for more details."
112 );
113 rsa_params!(
114     RSA_PKCS1_3072_8192_SHA384,
115     3072,
116     &super::padding::RSA_PKCS1_SHA384,
117     "Verification of signatures using RSA keys of 3072-8192 bits,
118              PKCS#1.5 padding, and SHA-384.\n\nSee \"`RSA_PKCS1_*` Details\" in
119              `ring::signature`'s module-level documentation for more details."
120 );
121 
122 rsa_params!(
123     RSA_PSS_2048_8192_SHA256,
124     2048,
125     &super::padding::RSA_PSS_SHA256,
126     "Verification of signatures using RSA keys of 2048-8192 bits,
127              PSS padding, and SHA-256.\n\nSee \"`RSA_PSS_*` Details\" in
128              `ring::signature`'s module-level documentation for more details."
129 );
130 rsa_params!(
131     RSA_PSS_2048_8192_SHA384,
132     2048,
133     &super::padding::RSA_PSS_SHA384,
134     "Verification of signatures using RSA keys of 2048-8192 bits,
135              PSS padding, and SHA-384.\n\nSee \"`RSA_PSS_*` Details\" in
136              `ring::signature`'s module-level documentation for more details."
137 );
138 rsa_params!(
139     RSA_PSS_2048_8192_SHA512,
140     2048,
141     &super::padding::RSA_PSS_SHA512,
142     "Verification of signatures using RSA keys of 2048-8192 bits,
143              PSS padding, and SHA-512.\n\nSee \"`RSA_PSS_*` Details\" in
144              `ring::signature`'s module-level documentation for more details."
145 );
146 
147 pub use super::PublicKeyComponents as RsaPublicKeyComponents;
148 
149 impl<B> super::PublicKeyComponents<B>
150 where
151     B: AsRef<[u8]>,
152 {
153     /// Verifies that `signature` is a valid signature of `message` using `self`
154     /// as the public key. `params` determine what algorithm parameters
155     /// (padding, digest algorithm, key length range, etc.) are used in the
156     /// verification.
157     ///
158     /// When the public key is in DER-encoded PKCS#1 ASN.1 format, it is
159     /// recommended to use `ring::signature::verify()` with
160     /// `ring::signature::RSA_PKCS1_*`, because `ring::signature::verify()`
161     /// will handle the parsing in that case. Otherwise, this function can be used
162     /// to pass in the raw bytes for the public key components as
163     /// `untrusted::Input` arguments.
164     //
165     // There are a small number of tests that test this directly, but the
166     // test coverage for this function mostly depends on the test coverage for the
167     // `signature::VerificationAlgorithm` implementation for `RsaParameters`. If we
168     // change that, test coverage for `verify_rsa()` will need to be reconsidered.
169     // (The NIST test vectors were originally in a form that was optimized for
170     // testing `verify_rsa` directly, but the testing work for RSA PKCS#1
171     // verification was done during the implementation of
172     // `signature::VerificationAlgorithm`, before `verify_rsa` was factored out).
verify( &self, params: &RsaParameters, message: &[u8], signature: &[u8], ) -> Result<(), error::Unspecified>173     pub fn verify(
174         &self,
175         params: &RsaParameters,
176         message: &[u8],
177         signature: &[u8],
178     ) -> Result<(), error::Unspecified> {
179         verify_rsa_(
180             params,
181             (
182                 untrusted::Input::from(self.n.as_ref()),
183                 untrusted::Input::from(self.e.as_ref()),
184             ),
185             untrusted::Input::from(message),
186             untrusted::Input::from(signature),
187         )
188     }
189 }
190 
verify_rsa_( params: &RsaParameters, (n, e): (untrusted::Input, untrusted::Input), msg: untrusted::Input, signature: untrusted::Input, ) -> Result<(), error::Unspecified>191 pub(crate) fn verify_rsa_(
192     params: &RsaParameters,
193     (n, e): (untrusted::Input, untrusted::Input),
194     msg: untrusted::Input,
195     signature: untrusted::Input,
196 ) -> Result<(), error::Unspecified> {
197     let max_bits: bits::BitLength =
198         bits::BitLength::from_usize_bytes(PUBLIC_KEY_PUBLIC_MODULUS_MAX_LEN)?;
199 
200     // XXX: FIPS 186-4 seems to indicate that the minimum
201     // exponent value is 2**16 + 1, but it isn't clear if this is just for
202     // signing or also for verification. We support exponents of 3 and larger
203     // for compatibility with other commonly-used crypto libraries.
204     let key = PublicKey::from_modulus_and_exponent(
205         n,
206         e,
207         params.min_bits,
208         max_bits,
209         PublicExponent::_3,
210         cpu::features(),
211     )?;
212 
213     // RFC 8017 Section 5.2.2: RSAVP1.
214     let mut decoded = [0u8; PUBLIC_KEY_PUBLIC_MODULUS_MAX_LEN];
215     let decoded = key.exponentiate(signature, &mut decoded)?;
216 
217     // Verify the padded message is correct.
218     let m_hash = digest::digest(params.padding_alg.digest_alg(), msg.as_slice_less_safe());
219     untrusted::Input::from(decoded).read_all(error::Unspecified, |m| {
220         params.padding_alg.verify(m_hash, m, key.n().len_bits())
221     })
222 }
223