ring/rsa/
verification.rs

1// Copyright 2015-2016 Brian Smith.
2//
3// Permission to use, copy, modify, and/or distribute this software for any
4// purpose with or without fee is hereby granted, provided that the above
5// copyright notice and this permission notice appear in all copies.
6//
7// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10// SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12// OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13// CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
14
15//! Verification of RSA signatures.
16
17use super::{
18    parse_public_key, public_key, PublicExponent, RsaParameters, PUBLIC_KEY_PUBLIC_MODULUS_MAX_LEN,
19};
20use crate::{
21    bits::{self, FromByteLen as _},
22    cpu, digest,
23    error::{self, InputTooLongError},
24    sealed, signature,
25};
26
27impl signature::VerificationAlgorithm for RsaParameters {
28    fn verify(
29        &self,
30        public_key: untrusted::Input,
31        msg: untrusted::Input,
32        signature: untrusted::Input,
33    ) -> Result<(), error::Unspecified> {
34        let (n, e) = parse_public_key(public_key)?;
35        verify_rsa_(
36            self,
37            (
38                n.big_endian_without_leading_zero_as_input(),
39                e.big_endian_without_leading_zero_as_input(),
40            ),
41            msg,
42            signature,
43            cpu::features(),
44        )
45    }
46}
47
48impl sealed::Sealed for RsaParameters {}
49
50macro_rules! rsa_params {
51    ( $VERIFY_ALGORITHM:ident, $min_bits:expr, $PADDING_ALGORITHM:expr,
52      $doc_str:expr ) => {
53        #[doc=$doc_str]
54        ///
55        /// Only available in `alloc` mode.
56        pub static $VERIFY_ALGORITHM: RsaParameters = RsaParameters {
57            padding_alg: $PADDING_ALGORITHM,
58            min_bits: bits::BitLength::from_bits($min_bits),
59        };
60    };
61}
62
63rsa_params!(
64    RSA_PKCS1_1024_8192_SHA1_FOR_LEGACY_USE_ONLY,
65    1024,
66    &super::padding::RSA_PKCS1_SHA1_FOR_LEGACY_USE_ONLY,
67    "Verification of signatures using RSA keys of 1024-8192 bits,
68             PKCS#1.5 padding, and SHA-1.\n\nSee \"`RSA_PKCS1_*` Details\" in
69             `ring::signature`'s module-level documentation for more details."
70);
71rsa_params!(
72    RSA_PKCS1_2048_8192_SHA1_FOR_LEGACY_USE_ONLY,
73    2048,
74    &super::padding::RSA_PKCS1_SHA1_FOR_LEGACY_USE_ONLY,
75    "Verification of signatures using RSA keys of 2048-8192 bits,
76             PKCS#1.5 padding, and SHA-1.\n\nSee \"`RSA_PKCS1_*` Details\" in
77             `ring::signature`'s module-level documentation for more details."
78);
79rsa_params!(
80    RSA_PKCS1_1024_8192_SHA256_FOR_LEGACY_USE_ONLY,
81    1024,
82    &super::padding::RSA_PKCS1_SHA256,
83    "Verification of signatures using RSA keys of 1024-8192 bits,
84             PKCS#1.5 padding, and SHA-256.\n\nSee \"`RSA_PKCS1_*` Details\" in
85             `ring::signature`'s module-level documentation for more details."
86);
87rsa_params!(
88    RSA_PKCS1_2048_8192_SHA256,
89    2048,
90    &super::padding::RSA_PKCS1_SHA256,
91    "Verification of signatures using RSA keys of 2048-8192 bits,
92             PKCS#1.5 padding, and SHA-256.\n\nSee \"`RSA_PKCS1_*` Details\" in
93             `ring::signature`'s module-level documentation for more details."
94);
95rsa_params!(
96    RSA_PKCS1_2048_8192_SHA384,
97    2048,
98    &super::padding::RSA_PKCS1_SHA384,
99    "Verification of signatures using RSA keys of 2048-8192 bits,
100             PKCS#1.5 padding, and SHA-384.\n\nSee \"`RSA_PKCS1_*` Details\" in
101             `ring::signature`'s module-level documentation for more details."
102);
103rsa_params!(
104    RSA_PKCS1_2048_8192_SHA512,
105    2048,
106    &super::padding::RSA_PKCS1_SHA512,
107    "Verification of signatures using RSA keys of 2048-8192 bits,
108             PKCS#1.5 padding, and SHA-512.\n\nSee \"`RSA_PKCS1_*` Details\" in
109             `ring::signature`'s module-level documentation for more details."
110);
111rsa_params!(
112    RSA_PKCS1_1024_8192_SHA512_FOR_LEGACY_USE_ONLY,
113    1024,
114    &super::padding::RSA_PKCS1_SHA512,
115    "Verification of signatures using RSA keys of 1024-8192 bits,
116             PKCS#1.5 padding, and SHA-512.\n\nSee \"`RSA_PKCS1_*` Details\" in
117             `ring::signature`'s module-level documentation for more details."
118);
119rsa_params!(
120    RSA_PKCS1_3072_8192_SHA384,
121    3072,
122    &super::padding::RSA_PKCS1_SHA384,
123    "Verification of signatures using RSA keys of 3072-8192 bits,
124             PKCS#1.5 padding, and SHA-384.\n\nSee \"`RSA_PKCS1_*` Details\" in
125             `ring::signature`'s module-level documentation for more details."
126);
127
128rsa_params!(
129    RSA_PSS_2048_8192_SHA256,
130    2048,
131    &super::padding::RSA_PSS_SHA256,
132    "Verification of signatures using RSA keys of 2048-8192 bits,
133             PSS padding, and SHA-256.\n\nSee \"`RSA_PSS_*` Details\" in
134             `ring::signature`'s module-level documentation for more details."
135);
136rsa_params!(
137    RSA_PSS_2048_8192_SHA384,
138    2048,
139    &super::padding::RSA_PSS_SHA384,
140    "Verification of signatures using RSA keys of 2048-8192 bits,
141             PSS padding, and SHA-384.\n\nSee \"`RSA_PSS_*` Details\" in
142             `ring::signature`'s module-level documentation for more details."
143);
144rsa_params!(
145    RSA_PSS_2048_8192_SHA512,
146    2048,
147    &super::padding::RSA_PSS_SHA512,
148    "Verification of signatures using RSA keys of 2048-8192 bits,
149             PSS padding, and SHA-512.\n\nSee \"`RSA_PSS_*` Details\" in
150             `ring::signature`'s module-level documentation for more details."
151);
152
153pub use super::PublicKeyComponents as RsaPublicKeyComponents;
154
155impl<B> super::PublicKeyComponents<B>
156where
157    B: AsRef<[u8]>,
158{
159    /// Verifies that `signature` is a valid signature of `message` using `self`
160    /// as the public key. `params` determine what algorithm parameters
161    /// (padding, digest algorithm, key length range, etc.) are used in the
162    /// verification.
163    ///
164    /// When the public key is in DER-encoded PKCS#1 ASN.1 format, it is
165    /// recommended to use `ring::signature::verify()` with
166    /// `ring::signature::RSA_PKCS1_*`, because `ring::signature::verify()`
167    /// will handle the parsing in that case. Otherwise, this function can be used
168    /// to pass in the raw bytes for the public key components as
169    /// `untrusted::Input` arguments.
170    //
171    // There are a small number of tests that test this directly, but the
172    // test coverage for this function mostly depends on the test coverage for the
173    // `signature::VerificationAlgorithm` implementation for `RsaParameters`. If we
174    // change that, test coverage for `verify_rsa()` will need to be reconsidered.
175    // (The NIST test vectors were originally in a form that was optimized for
176    // testing `verify_rsa` directly, but the testing work for RSA PKCS#1
177    // verification was done during the implementation of
178    // `signature::VerificationAlgorithm`, before `verify_rsa` was factored out).
179    pub fn verify(
180        &self,
181        params: &RsaParameters,
182        message: &[u8],
183        signature: &[u8],
184    ) -> Result<(), error::Unspecified> {
185        verify_rsa_(
186            params,
187            (
188                untrusted::Input::from(self.n.as_ref()),
189                untrusted::Input::from(self.e.as_ref()),
190            ),
191            untrusted::Input::from(message),
192            untrusted::Input::from(signature),
193            cpu::features(),
194        )
195    }
196}
197
198pub(crate) fn verify_rsa_(
199    params: &RsaParameters,
200    (n, e): (untrusted::Input, untrusted::Input),
201    msg: untrusted::Input,
202    signature: untrusted::Input,
203    cpu_features: cpu::Features,
204) -> Result<(), error::Unspecified> {
205    let max_bits: bits::BitLength =
206        bits::BitLength::from_byte_len(PUBLIC_KEY_PUBLIC_MODULUS_MAX_LEN)
207            .map_err(error::erase::<InputTooLongError>)?;
208
209    // XXX: FIPS 186-4 seems to indicate that the minimum
210    // exponent value is 2**16 + 1, but it isn't clear if this is just for
211    // signing or also for verification. We support exponents of 3 and larger
212    // for compatibility with other commonly-used crypto libraries.
213    let key = public_key::Inner::from_modulus_and_exponent(
214        n,
215        e,
216        params.min_bits,
217        max_bits,
218        PublicExponent::_3,
219        cpu_features,
220    )?;
221
222    // RFC 8017 Section 5.2.2: RSAVP1.
223    let mut decoded = [0u8; PUBLIC_KEY_PUBLIC_MODULUS_MAX_LEN];
224    let decoded = key.exponentiate(signature, &mut decoded, cpu_features)?;
225
226    // Verify the padded message is correct.
227    let m_hash = digest::digest(params.padding_alg.digest_alg(), msg.as_slice_less_safe());
228    untrusted::Input::from(decoded).read_all(error::Unspecified, |m| {
229        params.padding_alg.verify(m_hash, m, key.n().len_bits())
230    })
231}
ring/rsa/verification.rs

ring/rsa/
verification.rs
