Source file
src/crypto/rsa/pkcs1v15.go
1
2
3
4
5 package rsa
6
7 import (
8 "crypto"
9 "crypto/internal/boring"
10 "crypto/internal/randutil"
11 "crypto/subtle"
12 "errors"
13 "io"
14 "math/big"
15 )
16
17
18
19
20
21 type PKCS1v15DecryptOptions struct {
22
23
24
25
26 SessionKeyLen int
27 }
28
29
30
31
32
33
34
35
36
37
38
39 func EncryptPKCS1v15(random io.Reader, pub *PublicKey, msg []byte) ([]byte, error) {
40 randutil.MaybeReadByte(random)
41
42 if err := checkPub(pub); err != nil {
43 return nil, err
44 }
45 k := pub.Size()
46 if len(msg) > k-11 {
47 return nil, ErrMessageTooLong
48 }
49
50 if boring.Enabled && random == boring.RandReader {
51 bkey, err := boringPublicKey(pub)
52 if err != nil {
53 return nil, err
54 }
55 return boring.EncryptRSAPKCS1(bkey, msg)
56 }
57 boring.UnreachableExceptTests()
58
59
60 em := make([]byte, k)
61 em[1] = 2
62 ps, mm := em[2:len(em)-len(msg)-1], em[len(em)-len(msg):]
63 err := nonZeroRandomBytes(ps, random)
64 if err != nil {
65 return nil, err
66 }
67 em[len(em)-len(msg)-1] = 0
68 copy(mm, msg)
69
70 if boring.Enabled {
71 var bkey *boring.PublicKeyRSA
72 bkey, err = boringPublicKey(pub)
73 if err != nil {
74 return nil, err
75 }
76 return boring.EncryptRSANoPadding(bkey, em)
77 }
78
79 m := new(big.Int).SetBytes(em)
80 c := encrypt(new(big.Int), pub, m)
81 return c.FillBytes(em), nil
82 }
83
84
85
86
87
88
89
90
91
92 func DecryptPKCS1v15(random io.Reader, priv *PrivateKey, ciphertext []byte) ([]byte, error) {
93 if err := checkPub(&priv.PublicKey); err != nil {
94 return nil, err
95 }
96
97 if boring.Enabled {
98 bkey, err := boringPrivateKey(priv)
99 if err != nil {
100 return nil, err
101 }
102 out, err := boring.DecryptRSAPKCS1(bkey, ciphertext)
103 if err != nil {
104 return nil, ErrDecryption
105 }
106 return out, nil
107 }
108
109 valid, out, index, err := decryptPKCS1v15(random, priv, ciphertext)
110 if err != nil {
111 return nil, err
112 }
113 if valid == 0 {
114 return nil, ErrDecryption
115 }
116 return out[index:], nil
117 }
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138 func DecryptPKCS1v15SessionKey(random io.Reader, priv *PrivateKey, ciphertext []byte, key []byte) error {
139 if err := checkPub(&priv.PublicKey); err != nil {
140 return err
141 }
142 k := priv.Size()
143 if k-(len(key)+3+8) < 0 {
144 return ErrDecryption
145 }
146
147 valid, em, index, err := decryptPKCS1v15(random, priv, ciphertext)
148 if err != nil {
149 return err
150 }
151
152 if len(em) != k {
153
154
155 return ErrDecryption
156 }
157
158 valid &= subtle.ConstantTimeEq(int32(len(em)-index), int32(len(key)))
159 subtle.ConstantTimeCopy(valid, key, em[len(em)-len(key):])
160 return nil
161 }
162
163
164
165
166
167
168
169 func decryptPKCS1v15(random io.Reader, priv *PrivateKey, ciphertext []byte) (valid int, em []byte, index int, err error) {
170 k := priv.Size()
171 if k < 11 {
172 err = ErrDecryption
173 return
174 }
175
176 if boring.Enabled {
177 var bkey *boring.PrivateKeyRSA
178 bkey, err = boringPrivateKey(priv)
179 if err != nil {
180 return
181 }
182 em, err = boring.DecryptRSANoPadding(bkey, ciphertext)
183 if err != nil {
184 return
185 }
186 } else {
187 c := new(big.Int).SetBytes(ciphertext)
188 var m *big.Int
189 m, err = decrypt(random, priv, c)
190 if err != nil {
191 return
192 }
193 em = m.FillBytes(make([]byte, k))
194 }
195
196 firstByteIsZero := subtle.ConstantTimeByteEq(em[0], 0)
197 secondByteIsTwo := subtle.ConstantTimeByteEq(em[1], 2)
198
199
200
201
202
203 lookingForIndex := 1
204
205 for i := 2; i < len(em); i++ {
206 equals0 := subtle.ConstantTimeByteEq(em[i], 0)
207 index = subtle.ConstantTimeSelect(lookingForIndex&equals0, i, index)
208 lookingForIndex = subtle.ConstantTimeSelect(equals0, 0, lookingForIndex)
209 }
210
211
212
213 validPS := subtle.ConstantTimeLessOrEq(2+8, index)
214
215 valid = firstByteIsZero & secondByteIsTwo & (^lookingForIndex & 1) & validPS
216 index = subtle.ConstantTimeSelect(valid, index+1, 0)
217 return valid, em, index, nil
218 }
219
220
221 func nonZeroRandomBytes(s []byte, random io.Reader) (err error) {
222 _, err = io.ReadFull(random, s)
223 if err != nil {
224 return
225 }
226
227 for i := 0; i < len(s); i++ {
228 for s[i] == 0 {
229 _, err = io.ReadFull(random, s[i:i+1])
230 if err != nil {
231 return
232 }
233
234
235 s[i] ^= 0x42
236 }
237 }
238
239 return
240 }
241
242
243
244
245
246
247
248
249
250
251
252 var hashPrefixes = map[crypto.Hash][]byte{
253 crypto.MD5: {0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 0x04, 0x10},
254 crypto.SHA1: {0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14},
255 crypto.SHA224: {0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04, 0x05, 0x00, 0x04, 0x1c},
256 crypto.SHA256: {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20},
257 crypto.SHA384: {0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30},
258 crypto.SHA512: {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40},
259 crypto.MD5SHA1: {},
260 crypto.RIPEMD160: {0x30, 0x20, 0x30, 0x08, 0x06, 0x06, 0x28, 0xcf, 0x06, 0x03, 0x00, 0x31, 0x04, 0x14},
261 }
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276 func SignPKCS1v15(random io.Reader, priv *PrivateKey, hash crypto.Hash, hashed []byte) ([]byte, error) {
277 hashLen, prefix, err := pkcs1v15HashInfo(hash, len(hashed))
278 if err != nil {
279 return nil, err
280 }
281
282 tLen := len(prefix) + hashLen
283 k := priv.Size()
284 if k < tLen+11 {
285 return nil, ErrMessageTooLong
286 }
287
288 if boring.Enabled {
289 bkey, err := boringPrivateKey(priv)
290 if err != nil {
291 return nil, err
292 }
293 return boring.SignRSAPKCS1v15(bkey, hash, hashed)
294 }
295
296
297 em := make([]byte, k)
298 em[1] = 1
299 for i := 2; i < k-tLen-1; i++ {
300 em[i] = 0xff
301 }
302 copy(em[k-tLen:k-hashLen], prefix)
303 copy(em[k-hashLen:k], hashed)
304
305 m := new(big.Int).SetBytes(em)
306 c, err := decryptAndCheck(random, priv, m)
307 if err != nil {
308 return nil, err
309 }
310
311 return c.FillBytes(em), nil
312 }
313
314
315
316
317
318
319 func VerifyPKCS1v15(pub *PublicKey, hash crypto.Hash, hashed []byte, sig []byte) error {
320 if boring.Enabled {
321 bkey, err := boringPublicKey(pub)
322 if err != nil {
323 return err
324 }
325 if err := boring.VerifyRSAPKCS1v15(bkey, hash, hashed, sig); err != nil {
326 return ErrVerification
327 }
328 return nil
329 }
330
331 hashLen, prefix, err := pkcs1v15HashInfo(hash, len(hashed))
332 if err != nil {
333 return err
334 }
335
336 tLen := len(prefix) + hashLen
337 k := pub.Size()
338 if k < tLen+11 {
339 return ErrVerification
340 }
341
342
343
344
345 if k != len(sig) {
346 return ErrVerification
347 }
348
349 c := new(big.Int).SetBytes(sig)
350 m := encrypt(new(big.Int), pub, c)
351 em := m.FillBytes(make([]byte, k))
352
353
354 ok := subtle.ConstantTimeByteEq(em[0], 0)
355 ok &= subtle.ConstantTimeByteEq(em[1], 1)
356 ok &= subtle.ConstantTimeCompare(em[k-hashLen:k], hashed)
357 ok &= subtle.ConstantTimeCompare(em[k-tLen:k-hashLen], prefix)
358 ok &= subtle.ConstantTimeByteEq(em[k-tLen-1], 0)
359
360 for i := 2; i < k-tLen-1; i++ {
361 ok &= subtle.ConstantTimeByteEq(em[i], 0xff)
362 }
363
364 if ok != 1 {
365 return ErrVerification
366 }
367
368 return nil
369 }
370
371 func pkcs1v15HashInfo(hash crypto.Hash, inLen int) (hashLen int, prefix []byte, err error) {
372
373
374 if hash == 0 {
375 return inLen, nil, nil
376 }
377
378 hashLen = hash.Size()
379 if inLen != hashLen {
380 return 0, nil, errors.New("crypto/rsa: input must be hashed message")
381 }
382 prefix, ok := hashPrefixes[hash]
383 if !ok {
384 return 0, nil, errors.New("crypto/rsa: unsupported hash function")
385 }
386 return
387 }
388
View as plain text