Software APIs
rsa_3072_verify.h
1 // Copyright lowRISC contributors (OpenTitan project).
2 // Licensed under the Apache License, Version 2.0, see LICENSE for details.
3 // SPDX-License-Identifier: Apache-2.0
4 
5 #ifndef OPENTITAN_SW_DEVICE_LIB_CRYPTO_IMPL_RSA_RSA_3072_VERIFY_H_
6 #define OPENTITAN_SW_DEVICE_LIB_CRYPTO_IMPL_RSA_RSA_3072_VERIFY_H_
7 
8 #include <stddef.h>
9 #include <stdint.h>
10 
11 #include "sw/device/lib/base/hardened.h"
12 #include "sw/device/lib/crypto/drivers/hmac.h"
13 #include "sw/device/lib/crypto/drivers/otbn.h"
14 #include "sw/device/lib/crypto/impl/rsa/rsa_datatypes.h"
15 #include "sw/device/lib/crypto/impl/status.h"
16 
17 #ifdef __cplusplus
18 extern "C" {
19 #endif // __cplusplus
20 
21 /**
22  * A type that holds precomputed Montgomery constants for a RSA-3072 public
23  * key.
24  *
25  * The constants are:
26  * rr : (2^3072)^2 mod n
27  * m0_inv : (-(n^(-1))) mod 2^256
28  */
29 typedef struct rsa_3072_constants_t {
30  rsa_3072_int_t rr;
31  uint32_t m0_inv[kOtbnWideWordNumWords];
32 } rsa_3072_constants_t;
33 
34 /**
35  * Computes Montgomery constant R^2 for an RSA-3072 public key.
36  *
37  * @param public_key Key for which to compute constants.
38  * @param result Buffer in which to store output
39  * @return Result of the operation (OK or error).
40  */
41 status_t rsa_3072_compute_rr(const rsa_3072_public_key_t *public_key,
42  rsa_3072_int_t *result);
43 
44 /**
45  * Computes Montgomery constant m0_inv for an RSA-3072 public key.
46  *
47  * @param public_key Key for which to compute constants.
48  * @param result Buffer in which to store output
49  * @return Result of the operation (OK or error).
50  */
51 status_t rsa_3072_compute_m0_inv(const rsa_3072_public_key_t *public_key,
52  uint32_t result[kOtbnWideWordNumWords]);
53 
54 /**
55  * Computes Montgomery constants for an RSA-3072 public key.
56  *
57  * @param public_key Key for which to compute constants.
58  * @param result Buffer in which to store output
59  * @return Result of the operation (OK or error).
60  */
61 status_t rsa_3072_compute_constants(const rsa_3072_public_key_t *public_key,
62  rsa_3072_constants_t *result);
63 
64 /**
65  * Encode the message according to RFC 8017, section 9.2, with a SHA2-256 hash
66  * function. See https://datatracker.ietf.org/doc/html/rfc8017#section-9.2
67  *
68  * Note that because we know the length of the modulus is 3072 bits, we know
69  * that emLen (the intended length in bytes of the message representative) is
70  * 3072/8 = 384, so it is not an argument here.
71  *
72  * Unlike in RFC 8017, the message representative returned here is in
73  * little-endian form.
74  *
75  * @param msg Message to encode
76  * @param msgLen Length of the message
77  * @param result Resulting 3072-bit message representative
78  * @return Result of the operation (OK or error).
79  */
80 status_t rsa_3072_encode_sha256(const uint8_t *msg, size_t msgLen,
81  rsa_3072_int_t *result);
82 
83 /**
84  * Starts an RSA-3072 signature verification; returns immediately.
85  *
86  * The key exponent must be 65537; no other exponents are supported.
87  *
88  * @param signature Signature to be verified.
89  * @param public_key Key to check the signature against.
90  * @param constants Precomputed Montgomery constants for the public_key.
91  * @return Result of the operation (OK or error).
92  */
93 status_t rsa_3072_verify_start(const rsa_3072_int_t *signature,
94  const rsa_3072_public_key_t *public_key,
95  const rsa_3072_constants_t *constants);
96 
97 /**
98  * Waits for an RSA-3072 signature verification to complete.
99  *
100  * Should be invoked after `rsa_3072_verify_async`. The encoded `message`
101  * parameter should be related to the `signature` parameter passed to the prior
102  * invocation of `rsa_3072_verify_async`.
103  *
104  * @param message Encoded message representative to check the signature against.
105  * @return Result of the operation (OK or error).
106  */
107 status_t rsa_3072_verify_finalize(const rsa_3072_int_t *message,
108  hardened_bool_t *result);
109 
110 /**
111  * Verifies an RSA-3072 signature; blocks until complete.
112  *
113  * The key exponent must be 65537; no other exponents are supported.
114  *
115  * @param signature Signature to be verified.
116  * @param message Encoded message representative to check the signature against.
117  * @param public_key Key to check the signature against.
118  * @param constants Precomputed Montgomery constants for the public_key.
119  * @param result Buffer in which to store output (true iff signature is valid)
120  * @return Result of the operation (OK or error).
121  */
122 status_t rsa_3072_verify(const rsa_3072_int_t *signature,
123  const rsa_3072_int_t *message,
124  const rsa_3072_public_key_t *public_key,
125  const rsa_3072_constants_t *constants,
126  hardened_bool_t *result);
127 
128 #ifdef __cplusplus
129 } // extern "C"
130 #endif // __cplusplus
131 
132 #endif // OPENTITAN_SW_DEVICE_LIB_CRYPTO_IMPL_RSA_RSA_3072_VERIFY_H_
Return to OpenTitan Documentation