Software APIs
rsa.h
Go to the documentation of this file.
1 // Copyright lowRISC contributors (OpenTitan project).
2 // Licensed under the Apache License, Version 2.0, see LICENSE for details.
3 // SPDX-License-Identifier: Apache-2.0
4 
5 #ifndef OPENTITAN_SW_DEVICE_LIB_CRYPTO_INCLUDE_RSA_H_
6 #define OPENTITAN_SW_DEVICE_LIB_CRYPTO_INCLUDE_RSA_H_
7 
8 #include "datatypes.h"
9 
10 /**
11  * @file
12  * @brief RSA signature operations for the OpenTitan cryptography library.
13  */
14 
15 #ifdef __cplusplus
16 extern "C" {
17 #endif // __cplusplus
18 
19 /**
20  * Enum to define padding scheme for RSA signature data.
21  *
22  * Values are hardened.
23  */
24 typedef enum otcrypto_rsa_padding {
25  // Pads input data according to the PKCS#1 (v1.5) scheme.
26  kOtcryptoRsaPaddingPkcs = 0x94e,
27  // Pads input data according to the PKCS#1-PSS scheme. The mask generation
28  // function is MGF1 with the same hash function as the input message
29  // (supported SHA2 or SHA3 hash functions only).
30  kOtcryptoRsaPaddingPss = 0x6b1,
31 } otcrypto_rsa_padding_t;
32 
33 /**
34  * Enum to define possible lengths of RSA (public) keys.
35  *
36  * Values are hardened.
37  */
38 typedef enum otcrypto_rsa_size {
39  // 2048-bit RSA.
40  kOtcryptoRsaSize2048 = 0x5d1,
41  // 3072-bit RSA.
42  kOtcryptoRsaSize3072 = 0xc35,
43  // 4096-bit RSA.
44  kOtcryptoRsaSize4096 = 0x8da,
45 } otcrypto_rsa_size_t;
46 
47 enum {
48  /**
49  * Number of bytes needed for RSA public keys.
50  *
51  * The exact representation is an implementation-specific detail and subject
52  * to change. This is the length that the caller should set as `key_length`
53  * and allocate for the `key` buffer in unblinded keys.
54  */
55  kOtcryptoRsa2048PublicKeyBytes = 260,
56  kOtcryptoRsa3072PublicKeyBytes = 388,
57  kOtcryptoRsa4096PublicKeyBytes = 516,
58  /**
59  * Number of bytes needed for RSA private keys.
60  *
61  * The exact representation is an implementation-specific detail and subject
62  * to change. This is the length that the caller should set in `key_length`
63  * for the blinded key configuration (NOT the blinded keyblob length).
64  */
65  kOtcryptoRsa2048PrivateKeyBytes = 256,
66  kOtcryptoRsa3072PrivateKeyBytes = 384,
67  kOtcryptoRsa4096PrivateKeyBytes = 512,
68  /**
69  * Number of bytes needed for RSA private keyblobs.
70  *
71  * The exact representation is an implementation-specific detail and subject
72  * to change. This is the length that the caller should set in
73  * `keyblob_length` and allocate for the `keyblob` buffer in blinded keys.
74  */
75  kOtcryptoRsa2048PrivateKeyblobBytes = 512,
76  kOtcryptoRsa3072PrivateKeyblobBytes = 768,
77  kOtcryptoRsa4096PrivateKeyblobBytes = 1024,
78 };
79 
80 /**
81  * Performs the RSA key generation.
82  *
83  * Computes RSA private key (d) and RSA public key exponent (e) and
84  * modulus (n).
85  *
86  * The caller should allocate space for the public key and set the `key` and
87  * `key_length` fields accordingly.
88  *
89  * The caller should fully populate the blinded key configuration and allocate
90  * space for the keyblob, setting `config.key_length` and `keyblob_length`
91  * accordingly.
92  *
93  * The value in the `checksum` field of key structs is not checked here and
94  * will be populated by the key generation function.
95  *
96  * @param size RSA size parameter.
97  * @param[out] public_key Pointer to public key struct.
98  * @param[out] private_key Pointer to blinded private key struct.
99  * @return Result of the RSA key generation.
100  */
101 otcrypto_status_t otcrypto_rsa_keygen(otcrypto_rsa_size_t size,
102  otcrypto_unblinded_key_t *public_key,
103  otcrypto_blinded_key_t *private_key);
104 
105 /**
106  * Constructs an RSA public key from the modulus and public exponent.
107  *
108  * The caller should allocate space for the public key and set the `key` and
109  * `key_length` fields accordingly.
110  *
111  * @param size RSA size parameter.
112  * @param modulus RSA modulus (n).
113  * @param exponent RSA public exponent (e).
114  * @param[out] public_key Destination public key struct.
115  * @return Result of the RSA key construction.
116  */
117 otcrypto_status_t otcrypto_rsa_public_key_construct(
118  otcrypto_rsa_size_t size, otcrypto_const_word32_buf_t modulus,
119  uint32_t exponent, otcrypto_unblinded_key_t *public_key);
120 
121 /**
122  * Constructs an RSA private key from the modulus and public/private exponents.
123  *
124  * The caller should allocate space for the private key and set the `keyblob`,
125  * `keyblob_length`, and `key_length` fields accordingly.
126  *
127  * @param size RSA size parameter.
128  * @param modulus RSA modulus (n).
129  * @param exponent RSA public exponent (e).
130  * @param d_share0 First share of the RSA private exponent d.
131  * @param d_share1 Second share of the RSA private exponent d.
132  * @param[out] public_key Destination public key struct.
133  * @return Result of the RSA key construction.
134  */
135 otcrypto_status_t otcrypto_rsa_private_key_from_exponents(
136  otcrypto_rsa_size_t size, otcrypto_const_word32_buf_t modulus, uint32_t e,
137  otcrypto_const_word32_buf_t d_share0, otcrypto_const_word32_buf_t d_share1,
138  otcrypto_blinded_key_t *private_key);
139 
140 /**
141  * Constructs an RSA keypair from the public key and one prime cofactor.
142  *
143  * The caller should allocate space for the private key and set the `keyblob`,
144  * `keyblob_length`, and `key_length` fields accordingly. Similarly, the caller
145  * should allocate space for the public key and set the `key` and `key_length`
146  * fields.
147  *
148  * @param size RSA size parameter.
149  * @param modulus RSA modulus (n).
150  * @param exponent RSA public exponent (e).
151  * @param cofactor_share0 First share of the prime cofactor (p or q).
152  * @param cofactor_share1 Second share of the prime cofactor (p or q).
153  * @param[out] public_key Destination public key struct.
154  * @param[out] private_key Destination private key struct.
155  * @return Result of the RSA key construction.
156  */
157 otcrypto_status_t otcrypto_rsa_keypair_from_cofactor(
158  otcrypto_rsa_size_t size, otcrypto_const_word32_buf_t modulus, uint32_t e,
159  otcrypto_const_word32_buf_t cofactor_share0,
160  otcrypto_const_word32_buf_t cofactor_share1,
161  otcrypto_unblinded_key_t *public_key, otcrypto_blinded_key_t *private_key);
162 
163 /**
164  * Computes the digital signature on the input message data.
165  *
166  * The caller should allocate space for the `signature` buffer
167  * and set the length of expected output in the `len` field of
168  * `signature`. If the user-set length and the output length does not
169  * match, an error message will be returned.
170  *
171  * @param private_key Pointer to blinded private key struct.
172  * @param message_digest Message digest to be signed (pre-hashed).
173  * @param padding_mode Padding scheme to be used for the data.
174  * @param[out] signature Pointer to the generated signature struct.
175  * @return The result of the RSA signature generation.
176  */
177 otcrypto_status_t otcrypto_rsa_sign(const otcrypto_blinded_key_t *private_key,
178  const otcrypto_hash_digest_t message_digest,
179  otcrypto_rsa_padding_t padding_mode,
180  otcrypto_word32_buf_t signature);
181 
182 /**
183  * Verifies the authenticity of the input signature.
184  *
185  * An "OK" status code does not mean that the signature passed verification;
186  * the caller must check both the returned status and `verification_result`
187  * before trusting the signature.
188  *
189  * @param public_key Pointer to public key struct.
190  * @param message_digest Message digest to be verified (pre-hashed).
191  * @param padding_mode Padding scheme to be used for the data.
192  * @param signature Pointer to the input signature to be verified.
193  * @param[out] verification_result Result of signature verification.
194  * @return Result of the RSA verify operation.
195  */
196 otcrypto_status_t otcrypto_rsa_verify(
197  const otcrypto_unblinded_key_t *public_key,
198  const otcrypto_hash_digest_t message_digest,
199  otcrypto_rsa_padding_t padding_mode, otcrypto_const_word32_buf_t signature,
200  hardened_bool_t *verification_result);
201 
202 /**
203  * Encrypts a message with RSA.
204  *
205  * The only padding scheme available is OAEP, where the hash function is a
206  * member of the SHA-2 or SHA-3 family and the mask generation function is
207  * MGF1 with the same hash function.
208  *
209  * OAEP imposes strict limits on the length of the message (see IETF RFC 8017
210  * for details). Specifically, the message is at most k - 2*hLen - 2 bytes
211  * long, where k is the byte-length of the RSA modulus and hLen is the length
212  * of the hash function digest. If the message is too long, this function will
213  * return an error.
214  *
215  * The caller should allocate space for the `ciphertext` buffer and set the
216  * length of expected output in the `len` field of `signature`. The ciphertext
217  * is always the same length as the RSA modulus (so an RSA-2048 ciphertext is
218  * always 2048 bits long). If the length does not match the private key mode,
219  * this function returns an error.
220  *
221  * Note: RSA encryption is included for compatibility with legacy interfaces,
222  * and is typically not recommended for modern applications because it is
223  * slower and more fragile than other encryption methods. Consult an expert
224  * before using RSA encryption.
225  *
226  * @param private_key Pointer to public key struct.
227  * @param hash_mode Hash function to use for OAEP encoding.
228  * @param message Message to encrypt.
229  * @param label Label for OAEP encoding.
230  * @param[out] ciphertext Buffer for the ciphertext.
231  * @return The result of the RSA encryption operation.
232  */
233 otcrypto_status_t otcrypto_rsa_encrypt(
234  const otcrypto_unblinded_key_t *public_key,
235  const otcrypto_hash_mode_t hash_mode, otcrypto_const_byte_buf_t message,
236  otcrypto_const_byte_buf_t label, otcrypto_word32_buf_t ciphertext);
237 
238 /**
239  * Decrypts a message with RSA.
240  *
241  * The only padding scheme available is OAEP, where the hash function is a
242  * member of the SHA-2 or SHA-3 family and the mask generation function is
243  * MGF1 with the same hash function.
244  *
245  * The caller should allocate space for the `plaintext` buffer and set the
246  * allocated length in the `len` field. The length should be at least as long
247  * as the maximum message length imposed by OAEP; that is, k - 2*hLen - 2 bytes
248  * long, where k is the byte-length of the RSA modulus and hLen is the length
249  * of the hash function digest. If the plaintext buffer is not long enough,
250  * this function will return an error.
251  *
252  * Decryption recovers the original length of the plaintext buffer and will
253  * return its value in `plaintext_bytelen`.
254  *
255  * Note: RSA encryption is included for compatibility with legacy interfaces,
256  * and is typically not recommended for modern applications because it is
257  * slower and more fragile than other encryption methods. Consult an expert
258  * before using RSA encryption.
259  *
260  * @param private_key Pointer to blinded private key struct.
261  * @param hash_mode Hash function to use for OAEP encoding.
262  * @param ciphertext Ciphertext to decrypt.
263  * @param label Label for OAEP encoding.
264  * @param[out] plaintext Buffer for the decrypted message.
265  * @param[out] plaintext_bytelen Recovered byte-length of plaintext.
266  * @return Result of the RSA decryption operation.
267  */
268 otcrypto_status_t otcrypto_rsa_decrypt(
269  const otcrypto_blinded_key_t *private_key,
270  const otcrypto_hash_mode_t hash_mode,
271  otcrypto_const_word32_buf_t ciphertext, otcrypto_const_byte_buf_t label,
272  otcrypto_byte_buf_t plaintext, size_t *plaintext_bytelen);
273 /**
274  * Starts the asynchronous RSA key generation function.
275  *
276  * Initializes OTBN and starts the OTBN routine to compute the RSA
277  * private key (d), RSA public key exponent (e) and modulus (n).
278  *
279  * @param size RSA size parameter.
280  * @return Result of async RSA keygen start operation.
281  */
282 otcrypto_status_t otcrypto_rsa_keygen_async_start(otcrypto_rsa_size_t size);
283 
284 /**
285  * Finalizes the asynchronous RSA key generation function.
286  *
287  * See `otcrypto_rsa_keygen` for details on the requirements for `public_key`
288  * and `private_key`.
289  *
290  * @param[out] public_key Pointer to public key struct.
291  * @param[out] private_key Pointer to blinded private key struct.
292  * @return Result of asynchronous RSA keygen finalize operation.
293  */
294 otcrypto_status_t otcrypto_rsa_keygen_async_finalize(
295  otcrypto_unblinded_key_t *public_key, otcrypto_blinded_key_t *private_key);
296 
297 /**
298  * Starts constructing an RSA private key using a cofactor.
299  *
300  * See `otcrypto_rsa_keypair_from_cofactor` for the details
301  * on the requirements for input buffers.
302  *
303  * @param size RSA size parameter.
304  * @param modulus RSA modulus (n).
305  * @param exponent RSA public exponent (e).
306  * @param cofactor_share0 First share of the prime cofactor (p or q).
307  * @param cofactor_share1 Second share of the prime cofactor (p or q).
308  * @return Result of the RSA key construction.
309  */
310 otcrypto_status_t otcrypto_rsa_keypair_from_cofactor_async_start(
311  otcrypto_rsa_size_t size, otcrypto_const_word32_buf_t modulus, uint32_t e,
312  otcrypto_const_word32_buf_t cofactor_share0,
313  otcrypto_const_word32_buf_t cofactor_share1);
314 
315 /**
316  * Finalizes constructing an RSA private key using a cofactor.
317  *
318  * See `otcrypto_rsa_keypair_from_cofactor` for the details
319  * on the requirements for output buffers.
320  *
321  * The public key returned from this function is recomputed; we recommend that
322  * the caller compare it to the originally passed public key value to ensure
323  * that everything went as expected. If the key is invalid in certain ways
324  * (such as the modulus not being divisible by the key), then the modulus will
325  * not match the original input.
326  *
327  * @param[out] public_key Destination public key struct.
328  * @param[out] private_key Destination private key struct.
329  * @return Result of the RSA key construction.
330  */
331 otcrypto_status_t otcrypto_rsa_keypair_from_cofactor_async_finalize(
332  otcrypto_unblinded_key_t *public_key, otcrypto_blinded_key_t *private_key);
333 
334 /**
335  * Starts the asynchronous digital signature generation function.
336  *
337  * Initializes OTBN and starts the OTBN routine to compute the digital
338  * signature on the input message.
339  *
340  * @param private_key Pointer to blinded private key struct.
341  * @param message_digest Message digest to be signed (pre-hashed).
342  * @param padding_mode Padding scheme to be used for the data.
343  * @return Result of async RSA sign start operation.
344  */
345 otcrypto_status_t otcrypto_rsa_sign_async_start(
346  const otcrypto_blinded_key_t *private_key,
347  const otcrypto_hash_digest_t message_digest,
348  otcrypto_rsa_padding_t padding_mode);
349 
350 /**
351  * Finalizes the asynchronous digital signature generation function.
352  *
353  * See `otcrypto_rsa_sign` for details on the requirements for `signature`.
354  *
355  * @param[out] signature Pointer to generated signature struct.
356  * @return Result of async RSA sign finalize operation.
357  */
358 otcrypto_status_t otcrypto_rsa_sign_async_finalize(
359  otcrypto_word32_buf_t signature);
360 
361 /**
362  * Starts the asynchronous signature verification function.
363  *
364  * Initializes OTBN and starts the OTBN routine to recover the message
365  * from the input signature.
366  *
367  * @param public_key Pointer to public key struct.
368  * @param signature Pointer to the input signature to be verified.
369  * @return Result of async RSA verify start operation.
370  */
371 otcrypto_status_t otcrypto_rsa_verify_async_start(
372  const otcrypto_unblinded_key_t *public_key,
373  otcrypto_const_word32_buf_t signature);
374 
375 /**
376  * Finalizes the asynchronous signature verification function.
377  *
378  * An "OK" status code does not mean that the signature passed verification;
379  * the caller must check both the returned status and `verification_result`
380  * before trusting the signature.
381  *
382  * @param message_digest Message digest to be verified (pre-hashed).
383  * @param padding_mode Padding scheme to be used for the data.
384  * @param[out] verification_result Result of signature verification.
385  * @return Result of async RSA verify finalize operation.
386  */
387 otcrypto_status_t otcrypto_rsa_verify_async_finalize(
388  const otcrypto_hash_digest_t message_digest,
389  otcrypto_rsa_padding_t padding_mode, hardened_bool_t *verification_result);
390 
391 /**
392  * Starts the asynchronous encryption function.
393  *
394  * See `otcrypto_rsa_encrypt` for details on the length requirements for
395  * `message`.
396  *
397  * @param private_key Pointer to public key struct.
398  * @param hash_mode Hash function to use for OAEP encoding.
399  * @param message Message to encrypt.
400  * @param label Label for OAEP encoding.
401  * @return The result of the RSA encryption start operation.
402  */
403 otcrypto_status_t otcrypto_rsa_encrypt_async_start(
404  const otcrypto_unblinded_key_t *public_key,
405  const otcrypto_hash_mode_t hash_mode, otcrypto_const_byte_buf_t message,
406  otcrypto_const_byte_buf_t label);
407 
408 /**
409  * Finalizes the asynchronous encryption function.
410  *
411  * See `otcrypto_rsa_encrypt` for details on the length requirements for
412  * `ciphertext`. Infers the RSA size from `ciphertext`'s length, and will
413  * return an error if this does not match the RSA size for the current OTBN
414  * data.
415  *
416  * @param[out] ciphertext Buffer for the ciphertext.
417  * @return The result of the RSA encryption operation.
418  */
419 otcrypto_status_t otcrypto_rsa_encrypt_async_finalize(
420  otcrypto_word32_buf_t ciphertext);
421 
422 /**
423  * Starts the asynchronous decryption function.
424  *
425  * See `otcrypto_rsa_decrypt` for details on the length requirements for
426  * `ciphertext`.
427  *
428  * @param private_key Pointer to blinded private key struct.
429  * @param ciphertext Ciphertext to decrypt.
430  * @return Result of the RSA decryption start operation.
431  */
432 otcrypto_status_t otcrypto_rsa_decrypt_async_start(
433  const otcrypto_blinded_key_t *private_key,
434  otcrypto_const_word32_buf_t ciphertext);
435 
436 /**
437  * Finalizes the asynchronous decryption function.
438  *
439  * See `otcrypto_rsa_decrypt` for details on the requirements for `plaintext`
440  * length and the way in which the actual length of the plaintext is returned.
441  *
442  * @param hash_mode Hash function to use for OAEP encoding.
443  * @param label Label for OAEP encoding.
444  * @param[out] plaintext Buffer for the decrypted message.
445  * @param[out] plaintext_bytelen Recovered byte-length of plaintext.
446  * @return Result of the RSA decryption finalize operation.
447  */
448 otcrypto_status_t otcrypto_rsa_decrypt_async_finalize(
449  const otcrypto_hash_mode_t hash_mode, otcrypto_const_byte_buf_t label,
450  otcrypto_byte_buf_t plaintext, size_t *plaintext_bytelen);
451 
452 #ifdef __cplusplus
453 } // extern "C"
454 #endif // __cplusplus
455 
456 #endif // OPENTITAN_SW_DEVICE_LIB_CRYPTO_INCLUDE_RSA_H_
Return to OpenTitan Documentation