Software APIs
rsa_signature.h
1 // Copyright lowRISC contributors (OpenTitan project).
2 // Licensed under the Apache License, Version 2.0, see LICENSE for details.
3 // SPDX-License-Identifier: Apache-2.0
4 
5 #ifndef OPENTITAN_SW_DEVICE_LIB_CRYPTO_IMPL_RSA_RSA_SIGNATURE_H_
6 #define OPENTITAN_SW_DEVICE_LIB_CRYPTO_IMPL_RSA_RSA_SIGNATURE_H_
7 
8 #include <stddef.h>
9 #include <stdint.h>
10 
11 #include "sw/device/lib/base/hardened.h"
12 #include "sw/device/lib/crypto/impl/rsa/rsa_datatypes.h"
13 #include "sw/device/lib/crypto/impl/status.h"
14 #include "sw/device/lib/crypto/include/datatypes.h"
15 
16 #ifdef __cplusplus
17 extern "C" {
18 #endif // __cplusplus
19 
20 /**
21  * RSA signature padding scheme.
22  *
23  * Schemes are defined in IETF RFC 8017:
24  * https://www.rfc-editor.org/rfc/rfc8017
25  *
26  * In PSS padding mode, the mask generation function (MGF) is determined by the
27  * hash function used for the message:
28  * - If the message is hashed with a SHA-2 or SHA-3 hash function, PSS padding
29  * will use MGF1 with the same hash function.
30  * - If the message is hashed with a SHAKE128 or SHAKE256 XOF, PSS padding will
31  * use the same XOF as the MGF, as described in FIPS 186-5.
32  *
33  * Values in this enum should match the top-level `otcrypto_rsa_padding` enum
34  * from `sw/device/lib/crypto/include/rsa.h`.
35  */
36 typedef enum rsa_signature_padding {
37  // EMSA-PKCS1-v1_5 padding (RFC 8017, section 9.2).
38  kRsaSignaturePaddingPkcs1v15 = 0x94e,
39  // EMCS-PSS padding (RFC 8017, section 9.1).
40  kRsaSignaturePaddingPss = 0x6b1,
41 } rsa_signature_padding_t;
42 
43 /**
44  * Starts generating an RSA-2048 signature; returns immediately.
45  *
46  * The key exponent must be F4=65537; no other exponents are supported.
47  *
48  * Returns an `OTCRYPTO_ASYNC_INCOMPLETE` error if OTBN is busy.
49  *
50  * @param private_key RSA private key.
51  * @param message_digest Message digest to sign.
52  * @param padding_mode Signature padding mode.
53  * @return Result of the operation (OK or error).
54  */
55 OT_WARN_UNUSED_RESULT
56 status_t rsa_signature_generate_2048_start(
57  const rsa_2048_private_key_t *private_key,
58  const otcrypto_hash_digest_t message_digest,
59  const rsa_signature_padding_t padding_mode);
60 
61 /**
62  * Waits for an RSA-2048 signature generation to complete.
63  *
64  * Should be invoked only after `rsa_2048_sign_start`. Blocks until OTBN is
65  * done processing.
66  *
67  * @param[out] signature Generated signature.
68  * @return Result of the operation (OK or error).
69  */
70 OT_WARN_UNUSED_RESULT
71 status_t rsa_signature_generate_2048_finalize(rsa_2048_int_t *signature);
72 
73 /**
74  * Starts verifying an RSA-2048 signature; returns immediately.
75  *
76  * Returns an `OTCRYPTO_ASYNC_INCOMPLETE` error if OTBN is busy.
77  *
78  * @param public_key RSA public key.
79  * @param signature Signature to verify.
80  * @return Result of the operation (OK or error).
81  */
82 OT_WARN_UNUSED_RESULT
83 status_t rsa_signature_verify_2048_start(
84  const rsa_2048_public_key_t *public_key, const rsa_2048_int_t *signature);
85 
86 /**
87  * Waits for any RSA signature verification to complete.
88  *
89  * Should be invoked only after a `rsa_signature_verify_{size}_start` call, but
90  * can be invoked for any size. Blocks until OTBN is done processing, and then
91  * infers the size from the OTBN application mode.
92  *
93  * The caller must check the `result` parameter to see if the signature passed
94  * or failed verification; the return value of this function will always return
95  * OK unless there are operational errors while running the verification and
96  * reading back the result.
97  *
98  * @param message_digest Message digest to verify the signature against.
99  * @param padding_mode Signature padding mode.
100  * @param[out] verification_result Whether verification succeeded or failed.
101  * @return Result of the operation (OK or error).
102  */
103 OT_WARN_UNUSED_RESULT
104 status_t rsa_signature_verify_finalize(
105  const otcrypto_hash_digest_t message_digest,
106  const rsa_signature_padding_t padding_mode,
107  hardened_bool_t *verification_result);
108 
109 /**
110  * Starts generating an RSA-3072 signature; returns immediately.
111  *
112  * The key exponent must be F4=65537; no other exponents are supported.
113  *
114  * Returns an `OTCRYPTO_ASYNC_INCOMPLETE` error if OTBN is busy.
115  *
116  * @param private_key RSA private key.
117  * @param message_digest Message digest to sign.
118  * @param padding_mode Signature padding mode.
119  * @return Result of the operation (OK or error).
120  */
121 OT_WARN_UNUSED_RESULT
122 status_t rsa_signature_generate_3072_start(
123  const rsa_3072_private_key_t *private_key,
124  const otcrypto_hash_digest_t message_digest,
125  const rsa_signature_padding_t padding_mode);
126 
127 /**
128  * Waits for an RSA-3072 signature generation to complete.
129  *
130  * Should be invoked only after `rsa_3072_sign_start`. Blocks until OTBN is
131  * done processing.
132  *
133  * @param[out] signature Generated signature.
134  * @return Result of the operation (OK or error).
135  */
136 OT_WARN_UNUSED_RESULT
137 status_t rsa_signature_generate_3072_finalize(rsa_3072_int_t *signature);
138 
139 /**
140  * Starts verifying an RSA-3072 signature; returns immediately.
141  *
142  * Returns an `OTCRYPTO_ASYNC_INCOMPLETE` error if OTBN is busy.
143  *
144  * @param public_key RSA public key.
145  * @param signature Signature to verify.
146  * @return Result of the operation (OK or error).
147  */
148 OT_WARN_UNUSED_RESULT
149 status_t rsa_signature_verify_3072_start(
150  const rsa_3072_public_key_t *public_key, const rsa_3072_int_t *signature);
151 
152 /**
153  * Starts generating an RSA-4096 signature; returns immediately.
154  *
155  * The key exponent must be F4=65537; no other exponents are supported.
156  *
157  * Returns an `OTCRYPTO_ASYNC_INCOMPLETE` error if OTBN is busy.
158  *
159  * @param private_key RSA private key.
160  * @param message_digest Message digest to sign.
161  * @param padding_mode Signature padding mode.
162  * @return Result of the operation (OK or error).
163  */
164 OT_WARN_UNUSED_RESULT
165 status_t rsa_signature_generate_4096_start(
166  const rsa_4096_private_key_t *private_key,
167  const otcrypto_hash_digest_t message_digest,
168  const rsa_signature_padding_t padding_mode);
169 
170 /**
171  * Waits for an RSA-4096 signature generation to complete.
172  *
173  * Should be invoked only after `rsa_4096_sign_start`. Blocks until OTBN is
174  * done processing.
175  *
176  * @param[out] signature Generated signature.
177  * @return Result of the operation (OK or error).
178  */
179 OT_WARN_UNUSED_RESULT
180 status_t rsa_signature_generate_4096_finalize(rsa_4096_int_t *signature);
181 
182 /**
183  * Starts verifying an RSA-4096 signature; returns immediately.
184  *
185  * Returns an `OTCRYPTO_ASYNC_INCOMPLETE` error if OTBN is busy.
186  *
187  * @param public_key RSA public key.
188  * @param signature Signature to verify.
189  * @return Result of the operation (OK or error).
190  */
191 OT_WARN_UNUSED_RESULT
192 status_t rsa_signature_verify_4096_start(
193  const rsa_4096_public_key_t *public_key, const rsa_4096_int_t *signature);
194 
195 #ifdef __cplusplus
196 } // extern "C"
197 #endif // __cplusplus
198 
199 #endif // OPENTITAN_SW_DEVICE_LIB_CRYPTO_IMPL_RSA_RSA_SIGNATURE_H_
Return to OpenTitan Documentation