1a8e1175bSopenharmony_ci/** 2a8e1175bSopenharmony_ci * \file rsa_alt_helpers.h 3a8e1175bSopenharmony_ci * 4a8e1175bSopenharmony_ci * \brief Context-independent RSA helper functions 5a8e1175bSopenharmony_ci * 6a8e1175bSopenharmony_ci * This module declares some RSA-related helper functions useful when 7a8e1175bSopenharmony_ci * implementing the RSA interface. These functions are provided in a separate 8a8e1175bSopenharmony_ci * compilation unit in order to make it easy for designers of alternative RSA 9a8e1175bSopenharmony_ci * implementations to use them in their own code, as it is conceived that the 10a8e1175bSopenharmony_ci * functionality they provide will be necessary for most complete 11a8e1175bSopenharmony_ci * implementations. 12a8e1175bSopenharmony_ci * 13a8e1175bSopenharmony_ci * End-users of Mbed TLS who are not providing their own alternative RSA 14a8e1175bSopenharmony_ci * implementations should not use these functions directly, and should instead 15a8e1175bSopenharmony_ci * use only the functions declared in rsa.h. 16a8e1175bSopenharmony_ci * 17a8e1175bSopenharmony_ci * The interface provided by this module will be maintained through LTS (Long 18a8e1175bSopenharmony_ci * Term Support) branches of Mbed TLS, but may otherwise be subject to change, 19a8e1175bSopenharmony_ci * and must be considered an internal interface of the library. 20a8e1175bSopenharmony_ci * 21a8e1175bSopenharmony_ci * There are two classes of helper functions: 22a8e1175bSopenharmony_ci * 23a8e1175bSopenharmony_ci * (1) Parameter-generating helpers. These are: 24a8e1175bSopenharmony_ci * - mbedtls_rsa_deduce_primes 25a8e1175bSopenharmony_ci * - mbedtls_rsa_deduce_private_exponent 26a8e1175bSopenharmony_ci * - mbedtls_rsa_deduce_crt 27a8e1175bSopenharmony_ci * Each of these functions takes a set of core RSA parameters and 28a8e1175bSopenharmony_ci * generates some other, or CRT related parameters. 29a8e1175bSopenharmony_ci * 30a8e1175bSopenharmony_ci * (2) Parameter-checking helpers. These are: 31a8e1175bSopenharmony_ci * - mbedtls_rsa_validate_params 32a8e1175bSopenharmony_ci * - mbedtls_rsa_validate_crt 33a8e1175bSopenharmony_ci * They take a set of core or CRT related RSA parameters and check their 34a8e1175bSopenharmony_ci * validity. 35a8e1175bSopenharmony_ci * 36a8e1175bSopenharmony_ci */ 37a8e1175bSopenharmony_ci/* 38a8e1175bSopenharmony_ci * Copyright The Mbed TLS Contributors 39a8e1175bSopenharmony_ci * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 40a8e1175bSopenharmony_ci */ 41a8e1175bSopenharmony_ci#ifndef MBEDTLS_RSA_ALT_HELPERS_H 42a8e1175bSopenharmony_ci#define MBEDTLS_RSA_ALT_HELPERS_H 43a8e1175bSopenharmony_ci 44a8e1175bSopenharmony_ci#include "mbedtls/build_info.h" 45a8e1175bSopenharmony_ci 46a8e1175bSopenharmony_ci#include "mbedtls/bignum.h" 47a8e1175bSopenharmony_ci 48a8e1175bSopenharmony_ci#ifdef __cplusplus 49a8e1175bSopenharmony_ciextern "C" { 50a8e1175bSopenharmony_ci#endif 51a8e1175bSopenharmony_ci 52a8e1175bSopenharmony_ci 53a8e1175bSopenharmony_ci/** 54a8e1175bSopenharmony_ci * \brief Compute RSA prime moduli P, Q from public modulus N=PQ 55a8e1175bSopenharmony_ci * and a pair of private and public key. 56a8e1175bSopenharmony_ci * 57a8e1175bSopenharmony_ci * \note This is a 'static' helper function not operating on 58a8e1175bSopenharmony_ci * an RSA context. Alternative implementations need not 59a8e1175bSopenharmony_ci * overwrite it. 60a8e1175bSopenharmony_ci * 61a8e1175bSopenharmony_ci * \param N RSA modulus N = PQ, with P, Q to be found 62a8e1175bSopenharmony_ci * \param E RSA public exponent 63a8e1175bSopenharmony_ci * \param D RSA private exponent 64a8e1175bSopenharmony_ci * \param P Pointer to MPI holding first prime factor of N on success 65a8e1175bSopenharmony_ci * \param Q Pointer to MPI holding second prime factor of N on success 66a8e1175bSopenharmony_ci * 67a8e1175bSopenharmony_ci * \return 68a8e1175bSopenharmony_ci * - 0 if successful. In this case, P and Q constitute a 69a8e1175bSopenharmony_ci * factorization of N. 70a8e1175bSopenharmony_ci * - A non-zero error code otherwise. 71a8e1175bSopenharmony_ci * 72a8e1175bSopenharmony_ci * \note It is neither checked that P, Q are prime nor that 73a8e1175bSopenharmony_ci * D, E are modular inverses wrt. P-1 and Q-1. For that, 74a8e1175bSopenharmony_ci * use the helper function \c mbedtls_rsa_validate_params. 75a8e1175bSopenharmony_ci * 76a8e1175bSopenharmony_ci */ 77a8e1175bSopenharmony_ciint mbedtls_rsa_deduce_primes(mbedtls_mpi const *N, mbedtls_mpi const *E, 78a8e1175bSopenharmony_ci mbedtls_mpi const *D, 79a8e1175bSopenharmony_ci mbedtls_mpi *P, mbedtls_mpi *Q); 80a8e1175bSopenharmony_ci 81a8e1175bSopenharmony_ci/** 82a8e1175bSopenharmony_ci * \brief Compute RSA private exponent from 83a8e1175bSopenharmony_ci * prime moduli and public key. 84a8e1175bSopenharmony_ci * 85a8e1175bSopenharmony_ci * \note This is a 'static' helper function not operating on 86a8e1175bSopenharmony_ci * an RSA context. Alternative implementations need not 87a8e1175bSopenharmony_ci * overwrite it. 88a8e1175bSopenharmony_ci * 89a8e1175bSopenharmony_ci * \param P First prime factor of RSA modulus 90a8e1175bSopenharmony_ci * \param Q Second prime factor of RSA modulus 91a8e1175bSopenharmony_ci * \param E RSA public exponent 92a8e1175bSopenharmony_ci * \param D Pointer to MPI holding the private exponent on success. 93a8e1175bSopenharmony_ci * 94a8e1175bSopenharmony_ci * \return 95a8e1175bSopenharmony_ci * - 0 if successful. In this case, D is set to a simultaneous 96a8e1175bSopenharmony_ci * modular inverse of E modulo both P-1 and Q-1. 97a8e1175bSopenharmony_ci * - A non-zero error code otherwise. 98a8e1175bSopenharmony_ci * 99a8e1175bSopenharmony_ci * \note This function does not check whether P and Q are primes. 100a8e1175bSopenharmony_ci * 101a8e1175bSopenharmony_ci */ 102a8e1175bSopenharmony_ciint mbedtls_rsa_deduce_private_exponent(mbedtls_mpi const *P, 103a8e1175bSopenharmony_ci mbedtls_mpi const *Q, 104a8e1175bSopenharmony_ci mbedtls_mpi const *E, 105a8e1175bSopenharmony_ci mbedtls_mpi *D); 106a8e1175bSopenharmony_ci 107a8e1175bSopenharmony_ci 108a8e1175bSopenharmony_ci/** 109a8e1175bSopenharmony_ci * \brief Generate RSA-CRT parameters 110a8e1175bSopenharmony_ci * 111a8e1175bSopenharmony_ci * \note This is a 'static' helper function not operating on 112a8e1175bSopenharmony_ci * an RSA context. Alternative implementations need not 113a8e1175bSopenharmony_ci * overwrite it. 114a8e1175bSopenharmony_ci * 115a8e1175bSopenharmony_ci * \param P First prime factor of N 116a8e1175bSopenharmony_ci * \param Q Second prime factor of N 117a8e1175bSopenharmony_ci * \param D RSA private exponent 118a8e1175bSopenharmony_ci * \param DP Output variable for D modulo P-1 119a8e1175bSopenharmony_ci * \param DQ Output variable for D modulo Q-1 120a8e1175bSopenharmony_ci * \param QP Output variable for the modular inverse of Q modulo P. 121a8e1175bSopenharmony_ci * 122a8e1175bSopenharmony_ci * \return 0 on success, non-zero error code otherwise. 123a8e1175bSopenharmony_ci * 124a8e1175bSopenharmony_ci * \note This function does not check whether P, Q are 125a8e1175bSopenharmony_ci * prime and whether D is a valid private exponent. 126a8e1175bSopenharmony_ci * 127a8e1175bSopenharmony_ci */ 128a8e1175bSopenharmony_ciint mbedtls_rsa_deduce_crt(const mbedtls_mpi *P, const mbedtls_mpi *Q, 129a8e1175bSopenharmony_ci const mbedtls_mpi *D, mbedtls_mpi *DP, 130a8e1175bSopenharmony_ci mbedtls_mpi *DQ, mbedtls_mpi *QP); 131a8e1175bSopenharmony_ci 132a8e1175bSopenharmony_ci 133a8e1175bSopenharmony_ci/** 134a8e1175bSopenharmony_ci * \brief Check validity of core RSA parameters 135a8e1175bSopenharmony_ci * 136a8e1175bSopenharmony_ci * \note This is a 'static' helper function not operating on 137a8e1175bSopenharmony_ci * an RSA context. Alternative implementations need not 138a8e1175bSopenharmony_ci * overwrite it. 139a8e1175bSopenharmony_ci * 140a8e1175bSopenharmony_ci * \param N RSA modulus N = PQ 141a8e1175bSopenharmony_ci * \param P First prime factor of N 142a8e1175bSopenharmony_ci * \param Q Second prime factor of N 143a8e1175bSopenharmony_ci * \param D RSA private exponent 144a8e1175bSopenharmony_ci * \param E RSA public exponent 145a8e1175bSopenharmony_ci * \param f_rng PRNG to be used for primality check, or NULL 146a8e1175bSopenharmony_ci * \param p_rng PRNG context for f_rng, or NULL 147a8e1175bSopenharmony_ci * 148a8e1175bSopenharmony_ci * \return 149a8e1175bSopenharmony_ci * - 0 if the following conditions are satisfied 150a8e1175bSopenharmony_ci * if all relevant parameters are provided: 151a8e1175bSopenharmony_ci * - P prime if f_rng != NULL (%) 152a8e1175bSopenharmony_ci * - Q prime if f_rng != NULL (%) 153a8e1175bSopenharmony_ci * - 1 < N = P * Q 154a8e1175bSopenharmony_ci * - 1 < D, E < N 155a8e1175bSopenharmony_ci * - D and E are modular inverses modulo P-1 and Q-1 156a8e1175bSopenharmony_ci * (%) This is only done if MBEDTLS_GENPRIME is defined. 157a8e1175bSopenharmony_ci * - A non-zero error code otherwise. 158a8e1175bSopenharmony_ci * 159a8e1175bSopenharmony_ci * \note The function can be used with a restricted set of arguments 160a8e1175bSopenharmony_ci * to perform specific checks only. E.g., calling it with 161a8e1175bSopenharmony_ci * (-,P,-,-,-) and a PRNG amounts to a primality check for P. 162a8e1175bSopenharmony_ci */ 163a8e1175bSopenharmony_ciint mbedtls_rsa_validate_params(const mbedtls_mpi *N, const mbedtls_mpi *P, 164a8e1175bSopenharmony_ci const mbedtls_mpi *Q, const mbedtls_mpi *D, 165a8e1175bSopenharmony_ci const mbedtls_mpi *E, 166a8e1175bSopenharmony_ci int (*f_rng)(void *, unsigned char *, size_t), 167a8e1175bSopenharmony_ci void *p_rng); 168a8e1175bSopenharmony_ci 169a8e1175bSopenharmony_ci/** 170a8e1175bSopenharmony_ci * \brief Check validity of RSA CRT parameters 171a8e1175bSopenharmony_ci * 172a8e1175bSopenharmony_ci * \note This is a 'static' helper function not operating on 173a8e1175bSopenharmony_ci * an RSA context. Alternative implementations need not 174a8e1175bSopenharmony_ci * overwrite it. 175a8e1175bSopenharmony_ci * 176a8e1175bSopenharmony_ci * \param P First prime factor of RSA modulus 177a8e1175bSopenharmony_ci * \param Q Second prime factor of RSA modulus 178a8e1175bSopenharmony_ci * \param D RSA private exponent 179a8e1175bSopenharmony_ci * \param DP MPI to check for D modulo P-1 180a8e1175bSopenharmony_ci * \param DQ MPI to check for D modulo P-1 181a8e1175bSopenharmony_ci * \param QP MPI to check for the modular inverse of Q modulo P. 182a8e1175bSopenharmony_ci * 183a8e1175bSopenharmony_ci * \return 184a8e1175bSopenharmony_ci * - 0 if the following conditions are satisfied: 185a8e1175bSopenharmony_ci * - D = DP mod P-1 if P, D, DP != NULL 186a8e1175bSopenharmony_ci * - Q = DQ mod P-1 if P, D, DQ != NULL 187a8e1175bSopenharmony_ci * - QP = Q^-1 mod P if P, Q, QP != NULL 188a8e1175bSopenharmony_ci * - \c MBEDTLS_ERR_RSA_KEY_CHECK_FAILED if check failed, 189a8e1175bSopenharmony_ci * potentially including \c MBEDTLS_ERR_MPI_XXX if some 190a8e1175bSopenharmony_ci * MPI calculations failed. 191a8e1175bSopenharmony_ci * - \c MBEDTLS_ERR_RSA_BAD_INPUT_DATA if insufficient 192a8e1175bSopenharmony_ci * data was provided to check DP, DQ or QP. 193a8e1175bSopenharmony_ci * 194a8e1175bSopenharmony_ci * \note The function can be used with a restricted set of arguments 195a8e1175bSopenharmony_ci * to perform specific checks only. E.g., calling it with the 196a8e1175bSopenharmony_ci * parameters (P, -, D, DP, -, -) will check DP = D mod P-1. 197a8e1175bSopenharmony_ci */ 198a8e1175bSopenharmony_ciint mbedtls_rsa_validate_crt(const mbedtls_mpi *P, const mbedtls_mpi *Q, 199a8e1175bSopenharmony_ci const mbedtls_mpi *D, const mbedtls_mpi *DP, 200a8e1175bSopenharmony_ci const mbedtls_mpi *DQ, const mbedtls_mpi *QP); 201a8e1175bSopenharmony_ci 202a8e1175bSopenharmony_ci#ifdef __cplusplus 203a8e1175bSopenharmony_ci} 204a8e1175bSopenharmony_ci#endif 205a8e1175bSopenharmony_ci 206a8e1175bSopenharmony_ci#endif /* rsa_alt_helpers.h */ 207