Software APIs
rsa.c
1 // Copyright lowRISC contributors (OpenTitan project).
2 // Licensed under the Apache License, Version 2.0, see LICENSE for details.
3 // SPDX-License-Identifier: Apache-2.0
4 
5 #include "sw/device/lib/crypto/include/rsa.h"
6 
7 #include "sw/device/lib/base/hardened_memory.h"
8 #include "sw/device/lib/crypto/drivers/entropy.h"
9 #include "sw/device/lib/crypto/impl/integrity.h"
10 #include "sw/device/lib/crypto/impl/rsa/rsa_encryption.h"
11 #include "sw/device/lib/crypto/impl/rsa/rsa_keygen.h"
12 #include "sw/device/lib/crypto/impl/rsa/rsa_signature.h"
13 #include "sw/device/lib/crypto/impl/status.h"
14 #include "sw/device/lib/crypto/include/datatypes.h"
15 
16 // Module ID for status codes.
17 #define MODULE_ID MAKE_MODULE_ID('r', 's', 'a')
18 
19 static_assert(kOtcryptoRsa2048PublicKeyBytes == sizeof(rsa_2048_public_key_t),
20  "RSA-2048 public key size mismatch.");
21 static_assert(kOtcryptoRsa3072PublicKeyBytes == sizeof(rsa_3072_public_key_t),
22  "RSA-3072 public key size mismatch.");
23 static_assert(kOtcryptoRsa4096PublicKeyBytes == sizeof(rsa_4096_public_key_t),
24  "RSA-4096 public key size mismatch.");
25 static_assert(kOtcryptoRsa2048PrivateKeyBytes == sizeof(rsa_2048_int_t),
26  "RSA-2048 private key size mismatch.");
27 static_assert(kOtcryptoRsa3072PrivateKeyBytes == sizeof(rsa_3072_int_t),
28  "RSA-3072 private key size mismatch.");
29 static_assert(kOtcryptoRsa4096PrivateKeyBytes == sizeof(rsa_4096_int_t),
30  "RSA-4096 private key size mismatch.");
31 static_assert(kOtcryptoRsa2048PrivateKeyblobBytes ==
32  sizeof(rsa_2048_private_key_t),
33  "RSA-2048 keyblob size mismatch.");
34 static_assert(kOtcryptoRsa3072PrivateKeyblobBytes ==
35  sizeof(rsa_3072_private_key_t),
36  "RSA-3072 keyblob size mismatch.");
37 static_assert(kOtcryptoRsa4096PrivateKeyblobBytes ==
38  sizeof(rsa_4096_private_key_t),
39  "RSA-4096 keyblob size mismatch.");
40 
41 otcrypto_status_t otcrypto_rsa_keygen(otcrypto_rsa_size_t size,
42  otcrypto_unblinded_key_t *public_key,
43  otcrypto_blinded_key_t *private_key) {
44  HARDENED_TRY(otcrypto_rsa_keygen_async_start(size));
45  return otcrypto_rsa_keygen_async_finalize(public_key, private_key);
46 }
47 
48 /**
49  * Check if a key mode is intended for RSA.
50  *
51  * @param mode Mode to check.
52  * @return OK if the mode is for RSA, OTCRYPTO_BAD_ARGS otherwise.
53  */
54 static status_t rsa_mode_check(const otcrypto_key_mode_t mode) {
55  switch (mode) {
56  case kOtcryptoKeyModeRsaSignPkcs:
57  return OTCRYPTO_OK;
58  case kOtcryptoKeyModeRsaSignPss:
59  return OTCRYPTO_OK;
60  case kOtcryptoKeyModeRsaEncryptOaep:
61  return OTCRYPTO_OK;
62  default:
63  return OTCRYPTO_BAD_ARGS;
64  }
65 
66  // Should be unreachable.
67  HARDENED_TRAP();
68  return OTCRYPTO_FATAL_ERR;
69 }
70 
71 otcrypto_status_t otcrypto_rsa_public_key_construct(
72  otcrypto_rsa_size_t size, otcrypto_const_word32_buf_t modulus,
73  uint32_t exponent, otcrypto_unblinded_key_t *public_key) {
74  if (modulus.data == NULL || public_key == NULL || public_key->key == NULL) {
75  return OTCRYPTO_BAD_ARGS;
76  }
77  HARDENED_TRY(rsa_mode_check(public_key->key_mode));
78 
79  switch (size) {
80  case kOtcryptoRsaSize2048: {
81  if (public_key->key_length != sizeof(rsa_2048_public_key_t) ||
82  modulus.len != kRsa2048NumWords) {
83  return OTCRYPTO_BAD_ARGS;
84  }
85  rsa_2048_public_key_t *pk = (rsa_2048_public_key_t *)public_key->key;
86  pk->e = exponent;
87  hardened_memcpy(pk->n.data, modulus.data, modulus.len);
88  break;
89  }
90  case kOtcryptoRsaSize3072: {
91  if (public_key->key_length != sizeof(rsa_3072_public_key_t) ||
92  modulus.len != kRsa3072NumWords) {
93  return OTCRYPTO_BAD_ARGS;
94  }
95  rsa_3072_public_key_t *pk = (rsa_3072_public_key_t *)public_key->key;
96  pk->e = exponent;
97  hardened_memcpy(pk->n.data, modulus.data, modulus.len);
98  break;
99  }
100  case kOtcryptoRsaSize4096: {
101  if (public_key->key_length != sizeof(rsa_4096_public_key_t) ||
102  modulus.len != kRsa4096NumWords) {
103  return OTCRYPTO_BAD_ARGS;
104  }
105  rsa_4096_public_key_t *pk = (rsa_4096_public_key_t *)public_key->key;
106  pk->e = exponent;
107  hardened_memcpy(pk->n.data, modulus.data, modulus.len);
108  break;
109  }
110  default:
111  return OTCRYPTO_BAD_ARGS;
112  }
113 
114  public_key->checksum = integrity_unblinded_checksum(public_key);
115  return OTCRYPTO_OK;
116 }
117 
118 /**
119  * Basic structural validity checks for RSA private key buffers.
120  *
121  * Checks for bad length, invalid key modes, or an unsupported configuration.
122  * Does not verify checksums or actual key data requirements because this
123  * routine is used for keygen as well as other operations, when the key data is
124  * not yet populated.
125  *
126  * @param size RSA size parameter.
127  * @param private_key Key to check.
128  * @return OK if the key is valid, OTCRYPTO_BAD_ARGS otherwise.
129  */
130 static status_t private_key_structural_check(
131  const otcrypto_rsa_size_t size, const otcrypto_blinded_key_t *private_key) {
132  // Check that the key mode is a valid RSA mode.
133  HARDENED_TRY(rsa_mode_check(private_key->config.key_mode));
134 
135  // Sideloaded keys are not supported for RSA.
136  if (private_key->config.hw_backed != kHardenedBoolFalse) {
137  return OTCRYPTO_BAD_ARGS;
138  }
139 
140  // Check the lengths against the RSA size.
141  size_t key_length = 0;
142  size_t keyblob_length = 0;
143  switch (launder32(size)) {
144  case kOtcryptoRsaSize2048:
145  HARDENED_CHECK_EQ(size, kOtcryptoRsaSize2048);
146  key_length = kOtcryptoRsa2048PrivateKeyBytes;
147  keyblob_length = kOtcryptoRsa2048PrivateKeyblobBytes;
148  break;
149  case kOtcryptoRsaSize3072:
150  HARDENED_CHECK_EQ(size, kOtcryptoRsaSize3072);
151  key_length = kOtcryptoRsa3072PrivateKeyBytes;
152  keyblob_length = kOtcryptoRsa3072PrivateKeyblobBytes;
153  break;
154  case kOtcryptoRsaSize4096:
155  HARDENED_CHECK_EQ(size, kOtcryptoRsaSize4096);
156  key_length = kOtcryptoRsa4096PrivateKeyBytes;
157  keyblob_length = kOtcryptoRsa4096PrivateKeyblobBytes;
158  break;
159  default:
160  return OTCRYPTO_BAD_ARGS;
161  }
162  HARDENED_CHECK_NE(key_length, 0);
163  HARDENED_CHECK_NE(keyblob_length, 0);
164 
165  if (private_key->config.key_length != key_length ||
166  private_key->keyblob_length != keyblob_length) {
167  return OTCRYPTO_BAD_ARGS;
168  }
169 
170  return OTCRYPTO_OK;
171 }
172 
173 otcrypto_status_t otcrypto_rsa_private_key_from_exponents(
174  otcrypto_rsa_size_t size, otcrypto_const_word32_buf_t modulus, uint32_t e,
175  otcrypto_const_word32_buf_t d_share0, otcrypto_const_word32_buf_t d_share1,
176  otcrypto_blinded_key_t *private_key) {
177  if (modulus.data == NULL || d_share0.data == NULL || d_share1.data == NULL ||
178  private_key == NULL || private_key->keyblob == NULL) {
179  return OTCRYPTO_BAD_ARGS;
180  }
181  HARDENED_TRY(rsa_mode_check(private_key->config.key_mode));
182 
183  // Ensure that the length of the private exponent shares matches the length
184  // of the modulus.
185  if (d_share0.len != modulus.len || d_share1.len != modulus.len) {
186  return OTCRYPTO_BAD_ARGS;
187  }
188 
189  // Check the public exponent is odd and greater than 2^16 (see FIPS 186-5,
190  // section A.1.1).
191  if ((e & 1) != 1 || e >> 16 == 0) {
192  return OTCRYPTO_BAD_ARGS;
193  }
194 
195  // Check the mode and lengths for the private key.
196  HARDENED_TRY(private_key_structural_check(size, private_key));
197 
198  switch (size) {
199  case kOtcryptoRsaSize2048: {
200  if (private_key->keyblob_length != sizeof(rsa_2048_private_key_t) ||
201  modulus.len != kRsa2048NumWords) {
202  return OTCRYPTO_BAD_ARGS;
203  }
204  rsa_2048_private_key_t *sk =
205  (rsa_2048_private_key_t *)private_key->keyblob;
206  hardened_memcpy(sk->n.data, modulus.data, modulus.len);
207  hardened_memcpy(sk->d.data, d_share0.data, d_share0.len);
208  // TODO: RSA keys are currently unblinded, so combine the shares.
209  for (size_t i = 0; i < d_share1.len; i++) {
210  sk->d.data[i] ^= d_share1.data[i];
211  }
212  break;
213  }
214  case kOtcryptoRsaSize3072: {
215  if (private_key->keyblob_length != sizeof(rsa_3072_private_key_t) ||
216  modulus.len != kRsa3072NumWords) {
217  return OTCRYPTO_BAD_ARGS;
218  }
219  rsa_3072_private_key_t *sk =
220  (rsa_3072_private_key_t *)private_key->keyblob;
221  hardened_memcpy(sk->n.data, modulus.data, modulus.len);
222  hardened_memcpy(sk->d.data, d_share0.data, d_share0.len);
223  // TODO: RSA keys are currently unblinded, so combine the shares.
224  for (size_t i = 0; i < d_share1.len; i++) {
225  sk->d.data[i] ^= d_share1.data[i];
226  }
227  break;
228  }
229  case kOtcryptoRsaSize4096: {
230  if (private_key->keyblob_length != sizeof(rsa_4096_private_key_t) ||
231  modulus.len != kRsa4096NumWords) {
232  return OTCRYPTO_BAD_ARGS;
233  }
234  rsa_4096_private_key_t *sk =
235  (rsa_4096_private_key_t *)private_key->keyblob;
236  hardened_memcpy(sk->n.data, modulus.data, modulus.len);
237  hardened_memcpy(sk->d.data, d_share0.data, d_share0.len);
238  // TODO: RSA keys are currently unblinded, so combine the shares.
239  for (size_t i = 0; i < d_share1.len; i++) {
240  sk->d.data[i] ^= d_share1.data[i];
241  }
242  break;
243  }
244  default:
245  return OTCRYPTO_BAD_ARGS;
246  }
247 
248  private_key->checksum = integrity_blinded_checksum(private_key);
249  return OTCRYPTO_OK;
250 }
251 
252 otcrypto_status_t otcrypto_rsa_keypair_from_cofactor(
253  otcrypto_rsa_size_t size, otcrypto_const_word32_buf_t modulus, uint32_t e,
254  otcrypto_const_word32_buf_t cofactor_share0,
255  otcrypto_const_word32_buf_t cofactor_share1,
256  otcrypto_unblinded_key_t *public_key, otcrypto_blinded_key_t *private_key) {
257  HARDENED_TRY(otcrypto_rsa_keypair_from_cofactor_async_start(
258  size, modulus, e, cofactor_share0, cofactor_share1));
259  HARDENED_TRY(otcrypto_rsa_keypair_from_cofactor_async_finalize(public_key,
260  private_key));
261 
262  // Interpret the recomputed public key. Double-check the lengths to be safe,
263  // but they should have been checked above already.
264  hardened_bool_t modulus_eq = kHardenedBoolFalse;
265  switch (size) {
266  case kOtcryptoRsaSize2048: {
267  if (public_key->key_length != sizeof(rsa_2048_public_key_t) ||
268  modulus.len != kRsa2048NumWords) {
269  return OTCRYPTO_RECOV_ERR;
270  }
271  rsa_2048_public_key_t *pk = (rsa_2048_public_key_t *)public_key->key;
272  modulus_eq = hardened_memeq(modulus.data, pk->n.data, modulus.len);
273  return OTCRYPTO_OK;
274  }
275  case kOtcryptoRsaSize3072:
276  return OTCRYPTO_NOT_IMPLEMENTED;
277  case kOtcryptoRsaSize4096:
278  return OTCRYPTO_NOT_IMPLEMENTED;
279  default:
280  return OTCRYPTO_BAD_ARGS;
281  }
282 
283  if (modulus_eq != kHardenedBoolTrue) {
284  // This likely means that the cofactor/modulus combination was invalid,
285  // for example the modulus was not divisible by the cofactor, or the
286  // cofactor was too small.
287  return OTCRYPTO_BAD_ARGS;
288  }
289  return OTCRYPTO_OK;
290 }
291 
292 otcrypto_status_t otcrypto_rsa_sign(const otcrypto_blinded_key_t *private_key,
293  const otcrypto_hash_digest_t message_digest,
294  otcrypto_rsa_padding_t padding_mode,
295  otcrypto_word32_buf_t signature) {
296  HARDENED_TRY(
297  otcrypto_rsa_sign_async_start(private_key, message_digest, padding_mode));
298  return otcrypto_rsa_sign_async_finalize(signature);
299 }
300 
301 otcrypto_status_t otcrypto_rsa_verify(
302  const otcrypto_unblinded_key_t *public_key,
303  const otcrypto_hash_digest_t message_digest,
304  otcrypto_rsa_padding_t padding_mode, otcrypto_const_word32_buf_t signature,
305  hardened_bool_t *verification_result) {
306  HARDENED_TRY(otcrypto_rsa_verify_async_start(public_key, signature));
307  return otcrypto_rsa_verify_async_finalize(message_digest, padding_mode,
308  verification_result);
309 }
310 
311 otcrypto_status_t otcrypto_rsa_encrypt(
312  const otcrypto_unblinded_key_t *public_key,
313  const otcrypto_hash_mode_t hash_mode, otcrypto_const_byte_buf_t message,
314  otcrypto_const_byte_buf_t label, otcrypto_word32_buf_t ciphertext) {
315  HARDENED_TRY(
316  otcrypto_rsa_encrypt_async_start(public_key, hash_mode, message, label));
317  return otcrypto_rsa_encrypt_async_finalize(ciphertext);
318 }
319 
320 otcrypto_status_t otcrypto_rsa_decrypt(
321  const otcrypto_blinded_key_t *private_key,
322  const otcrypto_hash_mode_t hash_mode,
323  otcrypto_const_word32_buf_t ciphertext, otcrypto_const_byte_buf_t label,
324  otcrypto_byte_buf_t plaintext, size_t *plaintext_bytelen) {
325  HARDENED_TRY(otcrypto_rsa_decrypt_async_start(private_key, ciphertext));
326  return otcrypto_rsa_decrypt_async_finalize(hash_mode, label, plaintext,
327  plaintext_bytelen);
328 }
329 
330 /**
331  * Infer the RSA key size from the length of the public key.
332  *
333  * @param public_key Public key.
334  * @param[out] key_size RSA key size.
335  * @return OK if the key is valid, OTCRYPTO_BAD_ARGS otherwise.
336  */
337 static status_t rsa_size_from_public_key(
338  const otcrypto_unblinded_key_t *public_key, otcrypto_rsa_size_t *key_size) {
339  switch (launder32(public_key->key_length)) {
340  case kOtcryptoRsa2048PublicKeyBytes:
341  HARDENED_CHECK_EQ(public_key->key_length, kOtcryptoRsa2048PublicKeyBytes);
342  *key_size = kOtcryptoRsaSize2048;
343  return OTCRYPTO_OK;
344  case kOtcryptoRsa3072PublicKeyBytes:
345  HARDENED_CHECK_EQ(public_key->key_length, kOtcryptoRsa3072PublicKeyBytes);
346  *key_size = kOtcryptoRsaSize3072;
347  return OTCRYPTO_OK;
348  case kOtcryptoRsa4096PublicKeyBytes:
349  HARDENED_CHECK_EQ(public_key->key_length, kOtcryptoRsa4096PublicKeyBytes);
350  *key_size = kOtcryptoRsaSize4096;
351  return OTCRYPTO_OK;
352  default:
353  // No matches.
354  return OTCRYPTO_BAD_ARGS;
355  }
356 
357  // Should be unreachable.
358  HARDENED_TRAP();
359  return OTCRYPTO_FATAL_ERR;
360 }
361 
362 /**
363  * Infer the RSA key size from the length of the private key.
364  *
365  * @param private_key Private key.
366  * @param[out] key_size RSA key size.
367  * @return OK if the key is valid, OTCRYPTO_BAD_ARGS otherwise.
368  */
369 static status_t rsa_size_from_private_key(
370  const otcrypto_blinded_key_t *private_key, otcrypto_rsa_size_t *key_size) {
371  switch (launder32(private_key->config.key_length)) {
372  case kOtcryptoRsa2048PrivateKeyBytes:
373  HARDENED_CHECK_EQ(private_key->config.key_length,
374  kOtcryptoRsa2048PrivateKeyBytes);
375  *key_size = kOtcryptoRsaSize2048;
376  return OTCRYPTO_OK;
377  case kOtcryptoRsa3072PrivateKeyBytes:
378  HARDENED_CHECK_EQ(private_key->config.key_length,
379  kOtcryptoRsa3072PrivateKeyBytes);
380  *key_size = kOtcryptoRsaSize3072;
381  return OTCRYPTO_OK;
382  case kOtcryptoRsa4096PrivateKeyBytes:
383  HARDENED_CHECK_EQ(private_key->config.key_length,
384  kOtcryptoRsa4096PrivateKeyBytes);
385  *key_size = kOtcryptoRsaSize4096;
386  return OTCRYPTO_OK;
387  default:
388  // No matches.
389  return OTCRYPTO_BAD_ARGS;
390  }
391 
392  // Should be unreachable.
393  HARDENED_TRAP();
394  return OTCRYPTO_FATAL_ERR;
395 }
396 
397 /**
398  * Basic structural validity checks for RSA public key buffers.
399  *
400  * Checks for NULL pointers or invalid key modes. Does not verify checksums
401  * or actual key data requirements because this routine is used for keygen as
402  * well as other operations, when the key data is not yet populated.
403  *
404  * @param public_key Key to check.
405  * @return OK if the key is valid, OTCRYPTO_BAD_ARGS otherwise.
406  */
407 static status_t public_key_structural_check(
408  const otcrypto_unblinded_key_t *public_key) {
409  // Check that the key mode is a valid RSA mode.
410  return rsa_mode_check(public_key->key_mode);
411 }
412 
413 otcrypto_status_t otcrypto_rsa_keygen_async_start(otcrypto_rsa_size_t size) {
414  // Check that the entropy complex is initialized.
415  HARDENED_TRY(entropy_complex_check());
416 
417  switch (size) {
418  case kOtcryptoRsaSize2048:
419  return rsa_keygen_2048_start();
420  case kOtcryptoRsaSize3072:
421  return rsa_keygen_3072_start();
422  case kOtcryptoRsaSize4096:
423  return rsa_keygen_4096_start();
424  default:
425  return OTCRYPTO_BAD_ARGS;
426  }
427 
428  // Should be unreachable.
429  HARDENED_TRAP();
430  return OTCRYPTO_FATAL_ERR;
431 }
432 
433 otcrypto_status_t otcrypto_rsa_keygen_async_finalize(
434  otcrypto_unblinded_key_t *public_key, otcrypto_blinded_key_t *private_key) {
435  // Check for NULL pointers.
436  if (public_key == NULL || public_key->key == NULL || private_key == NULL ||
437  private_key->keyblob == NULL) {
438  return OTCRYPTO_BAD_ARGS;
439  }
440  // Infer the RSA size from the public key modulus.
441  otcrypto_rsa_size_t size;
442  HARDENED_TRY(rsa_size_from_public_key(public_key, &size));
443 
444  // Check the caller-provided public key buffer.
445  HARDENED_TRY(public_key_structural_check(public_key));
446 
447  // Check the caller-provided private key buffer.
448  HARDENED_TRY(private_key_structural_check(size, private_key));
449 
450  // Call the required finalize() operation.
451  switch (size) {
452  case kOtcryptoRsaSize2048: {
453  // Finalize the keygen operation and retrieve the keys.
454  rsa_2048_public_key_t *pk = (rsa_2048_public_key_t *)public_key->key;
455  rsa_2048_private_key_t *sk =
456  (rsa_2048_private_key_t *)private_key->keyblob;
457  HARDENED_TRY(rsa_keygen_2048_finalize(pk, sk));
458  break;
459  }
460  case kOtcryptoRsaSize3072: {
461  // Finalize the keygen operation and retrieve the keys.
462  rsa_3072_public_key_t *pk = (rsa_3072_public_key_t *)public_key->key;
463  rsa_3072_private_key_t *sk =
464  (rsa_3072_private_key_t *)private_key->keyblob;
465  HARDENED_TRY(rsa_keygen_3072_finalize(pk, sk));
466  break;
467  }
468  case kOtcryptoRsaSize4096: {
469  // Finalize the keygen operation and retrieve the keys.
470  rsa_4096_public_key_t *pk = (rsa_4096_public_key_t *)public_key->key;
471  rsa_4096_private_key_t *sk =
472  (rsa_4096_private_key_t *)private_key->keyblob;
473  HARDENED_TRY(rsa_keygen_4096_finalize(pk, sk));
474  break;
475  }
476  default:
477  // Invalid key size.
478  return OTCRYPTO_BAD_ARGS;
479  }
480 
481  // Construct checksums for the new keys.
482  public_key->checksum = integrity_unblinded_checksum(public_key);
483  private_key->checksum = integrity_blinded_checksum(private_key);
484 
485  return OTCRYPTO_OK;
486 }
487 
488 otcrypto_status_t otcrypto_rsa_keypair_from_cofactor_async_start(
489  otcrypto_rsa_size_t size, otcrypto_const_word32_buf_t modulus, uint32_t e,
490  otcrypto_const_word32_buf_t cofactor_share0,
491  otcrypto_const_word32_buf_t cofactor_share1) {
492  if (modulus.data == NULL || cofactor_share0.data == NULL ||
493  cofactor_share1.data == NULL) {
494  return OTCRYPTO_BAD_ARGS;
495  }
496 
497  // Ensure that the length of the cofactor shares is half the length
498  // of the modulus.
499  if (cofactor_share0.len != modulus.len / 2 ||
500  cofactor_share1.len != modulus.len / 2) {
501  return OTCRYPTO_BAD_ARGS;
502  }
503 
504  switch (size) {
505  case kOtcryptoRsaSize2048: {
506  if (cofactor_share0.len !=
507  sizeof(rsa_2048_cofactor_t) / sizeof(uint32_t) ||
508  modulus.len != kRsa2048NumWords) {
509  return OTCRYPTO_BAD_ARGS;
510  }
511  rsa_2048_cofactor_t *cf = (rsa_2048_cofactor_t *)cofactor_share0.data;
512  // TODO: RSA keys are currently unblinded, so combine the shares.
513  for (size_t i = 0; i < cofactor_share1.len; i++) {
514  cf->data[i] ^= cofactor_share1.data[i];
515  }
516  rsa_2048_public_key_t pk;
517  hardened_memcpy(pk.n.data, modulus.data, modulus.len);
518  pk.e = e;
519  return rsa_keygen_from_cofactor_2048_start(&pk, cf);
520  }
521  case kOtcryptoRsaSize3072: {
522  return OTCRYPTO_NOT_IMPLEMENTED;
523  }
524  case kOtcryptoRsaSize4096: {
525  return OTCRYPTO_NOT_IMPLEMENTED;
526  }
527  default:
528  return OTCRYPTO_BAD_ARGS;
529  }
530 
531  // Should be unreachable.
532  HARDENED_TRAP();
533  return OTCRYPTO_FATAL_ERR;
534 }
535 
536 otcrypto_status_t otcrypto_rsa_keypair_from_cofactor_async_finalize(
537  otcrypto_unblinded_key_t *public_key, otcrypto_blinded_key_t *private_key) {
538  // Check for NULL pointers.
539  if (public_key == NULL || public_key->key == NULL || private_key == NULL ||
540  private_key->keyblob == NULL) {
541  return OTCRYPTO_BAD_ARGS;
542  }
543  // Infer the RSA size from the public key modulus.
544  otcrypto_rsa_size_t size;
545  HARDENED_TRY(rsa_size_from_public_key(public_key, &size));
546 
547  // Check the caller-provided public key buffer.
548  HARDENED_TRY(public_key_structural_check(public_key));
549 
550  // Check the caller-provided private key buffer.
551  HARDENED_TRY(private_key_structural_check(size, private_key));
552 
553  // Call the required finalize() operation.
554  switch (size) {
555  case kOtcryptoRsaSize2048: {
556  rsa_2048_public_key_t *pk = (rsa_2048_public_key_t *)public_key->key;
557  rsa_2048_private_key_t *sk =
558  (rsa_2048_private_key_t *)private_key->keyblob;
559  HARDENED_TRY(rsa_keygen_from_cofactor_2048_finalize(pk, sk));
560  break;
561  }
562  case kOtcryptoRsaSize3072: {
563  return OTCRYPTO_NOT_IMPLEMENTED;
564  }
565  case kOtcryptoRsaSize4096: {
566  return OTCRYPTO_NOT_IMPLEMENTED;
567  }
568  default:
569  // Invalid key size.
570  return OTCRYPTO_BAD_ARGS;
571  }
572 
573  // Construct checksums for the new keys.
574  public_key->checksum = integrity_unblinded_checksum(public_key);
575  private_key->checksum = integrity_blinded_checksum(private_key);
576  return OTCRYPTO_OK;
577 }
578 
579 /**
580  * Ensure that the key mode matches the RSA sign padding mode.
581  *
582  * Only works for RSA signing keys; do not use with encryption keys.
583  *
584  * @param key_mode Mode for the RSA key.
585  * @param padding_mode RSA signature padding scheme.
586  */
587 static status_t key_mode_padding_check(otcrypto_key_mode_t key_mode,
588  otcrypto_rsa_padding_t padding_mode) {
589  switch (launder32(padding_mode)) {
590  case kOtcryptoRsaPaddingPkcs:
591  HARDENED_CHECK_EQ(padding_mode, kOtcryptoRsaPaddingPkcs);
592  if (launder32(key_mode) != kOtcryptoKeyModeRsaSignPkcs) {
593  return OTCRYPTO_BAD_ARGS;
594  }
595  HARDENED_CHECK_EQ(key_mode, kOtcryptoKeyModeRsaSignPkcs);
596  return OTCRYPTO_OK;
597  case kOtcryptoRsaPaddingPss:
598  HARDENED_CHECK_EQ(padding_mode, kOtcryptoRsaPaddingPss);
599  if (launder32(key_mode) != kOtcryptoKeyModeRsaSignPss) {
600  return OTCRYPTO_BAD_ARGS;
601  }
602  HARDENED_CHECK_EQ(key_mode, kOtcryptoKeyModeRsaSignPss);
603  return OTCRYPTO_OK;
604  default:
605  // Invalid padding mode.
606  return OTCRYPTO_BAD_ARGS;
607  }
608 
609  // Should be unreachable.
610  HARDENED_TRAP();
611  return OTCRYPTO_FATAL_ERR;
612 }
613 
614 otcrypto_status_t otcrypto_rsa_sign_async_start(
615  const otcrypto_blinded_key_t *private_key,
616  const otcrypto_hash_digest_t message_digest,
617  otcrypto_rsa_padding_t padding_mode) {
618  // Check for NULL pointers.
619  if (message_digest.data == NULL || private_key == NULL ||
620  private_key->keyblob == NULL) {
621  return OTCRYPTO_BAD_ARGS;
622  }
623 
624  // Infer the RSA size from the private key.
625  otcrypto_rsa_size_t size;
626  HARDENED_TRY(rsa_size_from_private_key(private_key, &size));
627 
628  // Check the caller-provided private key buffer.
629  HARDENED_TRY(private_key_structural_check(size, private_key));
630 
631  // Ensure the key mode matches the padding mode.
632  HARDENED_TRY(
633  key_mode_padding_check(private_key->config.key_mode, padding_mode));
634 
635  // Verify the checksum.
636  if (integrity_blinded_key_check(private_key) != kHardenedBoolTrue) {
637  return OTCRYPTO_BAD_ARGS;
638  }
639 
640  // Start the appropriate signature generation routine.
641  switch (size) {
642  case kOtcryptoRsaSize2048: {
643  rsa_2048_private_key_t *sk =
644  (rsa_2048_private_key_t *)private_key->keyblob;
645  return rsa_signature_generate_2048_start(
646  sk, message_digest, (rsa_signature_padding_t)padding_mode);
647  }
648  case kOtcryptoRsaSize3072: {
649  rsa_3072_private_key_t *sk =
650  (rsa_3072_private_key_t *)private_key->keyblob;
651  return rsa_signature_generate_3072_start(
652  sk, message_digest, (rsa_signature_padding_t)padding_mode);
653  }
654  case kOtcryptoRsaSize4096: {
655  rsa_4096_private_key_t *sk =
656  (rsa_4096_private_key_t *)private_key->keyblob;
657  return rsa_signature_generate_4096_start(
658  sk, message_digest, (rsa_signature_padding_t)padding_mode);
659  }
660  default:
661  // Invalid key size. Since the size was inferred, should be unreachable.
662  HARDENED_TRAP();
663  return OTCRYPTO_FATAL_ERR;
664  }
665 
666  // Should be unreachable.
667  HARDENED_TRAP();
668  return OTCRYPTO_FATAL_ERR;
669 }
670 
671 otcrypto_status_t otcrypto_rsa_sign_async_finalize(
672  otcrypto_word32_buf_t signature) {
673  // Check for NULL pointers.
674  if (signature.data == NULL) {
675  return OTCRYPTO_BAD_ARGS;
676  }
677 
678  // Determine the size based on the signature buffer length.
679  switch (signature.len) {
680  case kRsa2048NumWords:
681  return rsa_signature_generate_2048_finalize(
682  (rsa_2048_int_t *)signature.data);
683  case kRsa3072NumWords:
684  return rsa_signature_generate_3072_finalize(
685  (rsa_3072_int_t *)signature.data);
686  case kRsa4096NumWords:
687  return rsa_signature_generate_4096_finalize(
688  (rsa_4096_int_t *)signature.data);
689  default:
690  return OTCRYPTO_BAD_ARGS;
691  }
692 
693  // Should be unreachable.
694  HARDENED_TRAP();
695  return OTCRYPTO_FATAL_ERR;
696 }
697 
698 otcrypto_status_t otcrypto_rsa_verify_async_start(
699  const otcrypto_unblinded_key_t *public_key,
700  otcrypto_const_word32_buf_t signature) {
701  // Check for NULL pointers.
702  if (public_key == NULL || public_key->key == NULL || signature.data == NULL) {
703  return OTCRYPTO_BAD_ARGS;
704  }
705 
706  // Check the caller-provided public key buffer.
707  HARDENED_TRY(public_key_structural_check(public_key));
708 
709  // Verify the checksum.
710  if (integrity_unblinded_key_check(public_key) != kHardenedBoolTrue) {
711  return OTCRYPTO_BAD_ARGS;
712  }
713 
714  // Infer the RSA size from the public key.
715  otcrypto_rsa_size_t size;
716  HARDENED_TRY(rsa_size_from_public_key(public_key, &size));
717 
718  switch (size) {
719  case kOtcryptoRsaSize2048: {
720  if (signature.len != kRsa2048NumWords) {
721  return OTCRYPTO_BAD_ARGS;
722  }
723  rsa_2048_public_key_t *pk = (rsa_2048_public_key_t *)public_key->key;
724  rsa_2048_int_t *sig = (rsa_2048_int_t *)signature.data;
725  return rsa_signature_verify_2048_start(pk, sig);
726  }
727  case kOtcryptoRsaSize3072: {
728  if (signature.len != kRsa3072NumWords) {
729  return OTCRYPTO_BAD_ARGS;
730  }
731  rsa_3072_public_key_t *pk = (rsa_3072_public_key_t *)public_key->key;
732  rsa_3072_int_t *sig = (rsa_3072_int_t *)signature.data;
733  return rsa_signature_verify_3072_start(pk, sig);
734  }
735  case kOtcryptoRsaSize4096: {
736  if (signature.len != kRsa4096NumWords) {
737  return OTCRYPTO_BAD_ARGS;
738  }
739  rsa_4096_public_key_t *pk = (rsa_4096_public_key_t *)public_key->key;
740  rsa_4096_int_t *sig = (rsa_4096_int_t *)signature.data;
741  return rsa_signature_verify_4096_start(pk, sig);
742  }
743  default:
744  // Invalid key size. Since the size was inferred, should be unreachable.
745  HARDENED_TRAP();
746  return OTCRYPTO_FATAL_ERR;
747  }
748 
749  // Should be unreachable.
750  HARDENED_TRAP();
751  return OTCRYPTO_FATAL_ERR;
752 }
753 
754 otcrypto_status_t otcrypto_rsa_verify_async_finalize(
755  const otcrypto_hash_digest_t message_digest,
756  otcrypto_rsa_padding_t padding_mode, hardened_bool_t *verification_result) {
757  // Check for NULL pointers.
758  if (message_digest.data == NULL || verification_result == NULL) {
759  return OTCRYPTO_BAD_ARGS;
760  }
761 
762  // Initialize verification result to false by default.
763  *verification_result = kHardenedBoolFalse;
764 
765  // Call the unified `finalize` operation, which will determine the RSA size
766  // based on the mode stored in OTBN.
767  return rsa_signature_verify_finalize(message_digest,
768  (rsa_signature_padding_t)padding_mode,
769  verification_result);
770 }
771 
772 otcrypto_status_t otcrypto_rsa_encrypt_async_start(
773  const otcrypto_unblinded_key_t *public_key,
774  const otcrypto_hash_mode_t hash_mode, otcrypto_const_byte_buf_t message,
775  otcrypto_const_byte_buf_t label) {
776  // Check for NULL pointers.
777  if (public_key == NULL || public_key->key == NULL) {
778  return OTCRYPTO_BAD_ARGS;
779  }
780 
781  if (message.data == NULL && (message.len != 0)) {
782  return OTCRYPTO_BAD_ARGS;
783  }
784 
785  if (label.data == NULL && (label.len != 0)) {
786  return OTCRYPTO_BAD_ARGS;
787  }
788 
789  // Check the caller-provided public key buffer.
790  HARDENED_TRY(public_key_structural_check(public_key));
791 
792  // Verify the checksum.
793  if (integrity_unblinded_key_check(public_key) != kHardenedBoolTrue) {
794  return OTCRYPTO_BAD_ARGS;
795  }
796 
797  // Ensure the key is intended for encryption.
798  if (launder32(public_key->key_mode) != kOtcryptoKeyModeRsaEncryptOaep) {
799  return OTCRYPTO_BAD_ARGS;
800  }
801  HARDENED_CHECK_EQ(public_key->key_mode, kOtcryptoKeyModeRsaEncryptOaep);
802 
803  // Infer the RSA size from the public key.
804  otcrypto_rsa_size_t size;
805  HARDENED_TRY(rsa_size_from_public_key(public_key, &size));
806 
807  switch (launder32(size)) {
808  case kOtcryptoRsaSize2048: {
809  HARDENED_CHECK_EQ(size, kOtcryptoRsaSize2048);
810  HARDENED_CHECK_EQ(public_key->key_length, sizeof(rsa_2048_public_key_t));
811  rsa_2048_public_key_t *pk = (rsa_2048_public_key_t *)public_key->key;
812  return rsa_encrypt_2048_start(pk, hash_mode, message.data, message.len,
813  label.data, label.len);
814  }
815  case kOtcryptoRsaSize3072: {
816  HARDENED_CHECK_EQ(size, kOtcryptoRsaSize3072);
817  HARDENED_CHECK_EQ(public_key->key_length, sizeof(rsa_3072_public_key_t));
818  rsa_3072_public_key_t *pk = (rsa_3072_public_key_t *)public_key->key;
819  return rsa_encrypt_3072_start(pk, hash_mode, message.data, message.len,
820  label.data, label.len);
821  }
822  case kOtcryptoRsaSize4096: {
823  HARDENED_CHECK_EQ(size, kOtcryptoRsaSize4096);
824  HARDENED_CHECK_EQ(public_key->key_length, sizeof(rsa_4096_public_key_t));
825  rsa_4096_public_key_t *pk = (rsa_4096_public_key_t *)public_key->key;
826  return rsa_encrypt_4096_start(pk, hash_mode, message.data, message.len,
827  label.data, label.len);
828  }
829  default:
830  // Invalid key size. Since the size was inferred, should be unreachable.
831  HARDENED_TRAP();
832  return OTCRYPTO_FATAL_ERR;
833  }
834 
835  // Should be unreachable.
836  HARDENED_TRAP();
837  return OTCRYPTO_FATAL_ERR;
838 }
839 
840 otcrypto_status_t otcrypto_rsa_encrypt_async_finalize(
841  otcrypto_word32_buf_t ciphertext) {
842  // Check for NULL pointers.
843  if (ciphertext.data == NULL) {
844  return OTCRYPTO_BAD_ARGS;
845  }
846 
847  switch (launder32(ciphertext.len)) {
848  case kRsa2048NumWords: {
849  HARDENED_CHECK_EQ(ciphertext.len * sizeof(uint32_t),
850  sizeof(rsa_2048_int_t));
851  rsa_2048_int_t *ctext = (rsa_2048_int_t *)ciphertext.data;
852  return rsa_encrypt_2048_finalize(ctext);
853  }
854  case kRsa3072NumWords: {
855  HARDENED_CHECK_EQ(ciphertext.len * sizeof(uint32_t),
856  sizeof(rsa_3072_int_t));
857  rsa_3072_int_t *ctext = (rsa_3072_int_t *)ciphertext.data;
858  return rsa_encrypt_3072_finalize(ctext);
859  }
860  case kRsa4096NumWords: {
861  HARDENED_CHECK_EQ(ciphertext.len * sizeof(uint32_t),
862  sizeof(rsa_4096_int_t));
863  rsa_4096_int_t *ctext = (rsa_4096_int_t *)ciphertext.data;
864  return rsa_encrypt_4096_finalize(ctext);
865  }
866  default:
867  return OTCRYPTO_BAD_ARGS;
868  }
869 
870  // Should be unreachable.
871  HARDENED_TRAP();
872  return OTCRYPTO_FATAL_ERR;
873 }
874 
875 otcrypto_status_t otcrypto_rsa_decrypt_async_start(
876  const otcrypto_blinded_key_t *private_key,
877  otcrypto_const_word32_buf_t ciphertext) {
878  // Check for NULL pointers.
879  if (private_key == NULL || private_key->keyblob == NULL ||
880  ciphertext.data == NULL) {
881  return OTCRYPTO_BAD_ARGS;
882  }
883 
884  // Infer the RSA size from the private key.
885  otcrypto_rsa_size_t size;
886  HARDENED_TRY(rsa_size_from_private_key(private_key, &size));
887 
888  // Check the caller-provided private key buffer.
889  HARDENED_TRY(private_key_structural_check(size, private_key));
890 
891  // Verify the checksum.
892  if (integrity_blinded_key_check(private_key) != kHardenedBoolTrue) {
893  return OTCRYPTO_BAD_ARGS;
894  }
895 
896  // Ensure that the key is intended for encryption.
897  if (launder32(private_key->config.key_mode) !=
898  kOtcryptoKeyModeRsaEncryptOaep) {
899  return OTCRYPTO_BAD_ARGS;
900  }
901  HARDENED_CHECK_EQ(private_key->config.key_mode,
902  kOtcryptoKeyModeRsaEncryptOaep);
903 
904  // Start the appropriate decryption routine.
905  switch (launder32(size)) {
906  case kOtcryptoRsaSize2048: {
907  HARDENED_CHECK_EQ(size, kOtcryptoRsaSize2048);
908  HARDENED_CHECK_EQ(private_key->keyblob_length,
909  sizeof(rsa_2048_private_key_t));
910  if (ciphertext.len != kRsa2048NumWords) {
911  return OTCRYPTO_BAD_ARGS;
912  }
913  rsa_2048_private_key_t *sk =
914  (rsa_2048_private_key_t *)private_key->keyblob;
915  rsa_2048_int_t *ctext = (rsa_2048_int_t *)ciphertext.data;
916  return rsa_decrypt_2048_start(sk, ctext);
917  }
918  case kOtcryptoRsaSize3072: {
919  HARDENED_CHECK_EQ(size, kOtcryptoRsaSize3072);
920  HARDENED_CHECK_EQ(private_key->keyblob_length,
921  sizeof(rsa_3072_private_key_t));
922  if (ciphertext.len != kRsa3072NumWords) {
923  return OTCRYPTO_BAD_ARGS;
924  }
925  rsa_3072_private_key_t *sk =
926  (rsa_3072_private_key_t *)private_key->keyblob;
927  rsa_3072_int_t *ctext = (rsa_3072_int_t *)ciphertext.data;
928  return rsa_decrypt_3072_start(sk, ctext);
929  }
930  case kOtcryptoRsaSize4096: {
931  HARDENED_CHECK_EQ(size, kOtcryptoRsaSize4096);
932  HARDENED_CHECK_EQ(private_key->keyblob_length,
933  sizeof(rsa_4096_private_key_t));
934  if (ciphertext.len != kRsa4096NumWords) {
935  return OTCRYPTO_BAD_ARGS;
936  }
937  rsa_4096_private_key_t *sk =
938  (rsa_4096_private_key_t *)private_key->keyblob;
939  rsa_4096_int_t *ctext = (rsa_4096_int_t *)ciphertext.data;
940  return rsa_decrypt_4096_start(sk, ctext);
941  }
942  default:
943  // Invalid key size. Since the size was inferred, should be unreachable.
944  HARDENED_TRAP();
945  return OTCRYPTO_FATAL_ERR;
946  }
947 
948  // Should be unreachable.
949  HARDENED_TRAP();
950  return OTCRYPTO_FATAL_ERR;
951 }
952 
953 otcrypto_status_t otcrypto_rsa_decrypt_async_finalize(
954  const otcrypto_hash_mode_t hash_mode, otcrypto_const_byte_buf_t label,
955  otcrypto_byte_buf_t plaintext, size_t *plaintext_bytelen) {
956  if (plaintext.data == NULL || label.data == NULL) {
957  return OTCRYPTO_BAD_ARGS;
958  }
959 
960  // Call the unified `finalize()` operation, which will infer the RSA size
961  // from OTBN.
962  HARDENED_TRY(rsa_decrypt_finalize(hash_mode, label.data, label.len,
963  plaintext.len, plaintext.data,
964  plaintext_bytelen));
965 
966  // Consistency check; this should never happen.
967  if (launder32(*plaintext_bytelen) > plaintext.len) {
968  HARDENED_TRAP();
969  return OTCRYPTO_FATAL_ERR;
970  }
971  HARDENED_CHECK_LE(*plaintext_bytelen, plaintext.len);
972 
973  return OTCRYPTO_OK;
974 }
Return to OpenTitan Documentation