ring/src/rsa/public_modulus.rs

use crate::{arithmetic::bigint, bits, cpu, error, rsa::N};
use core::ops::RangeInclusive;

/// The modulus (n) of an RSA public key.
#[derive(Clone)]
pub struct PublicModulus {
    value: bigint::OwnedModulusWithOne<N>,
    bits: bits::BitLength,
}

/*
impl core::fmt::Debug for PublicModulus {
    fn fmt(&self, fmt: &mut ::core::fmt::Formatter) -> Result<(), ::core::fmt::Error> {
        self.value.fmt(fmt)
    }
}*/

impl PublicModulus {
    pub(super) fn from_be_bytes(
        n: untrusted::Input,
        allowed_bit_lengths: RangeInclusive<bits::BitLength>,
        cpu_features: cpu::Features,
    ) -> Result<Self, error::KeyRejected> {
        // See `PublicKey::from_modulus_and_exponent` for background on the step
        // numbering.

        let min_bits = *allowed_bit_lengths.start();
        let max_bits = *allowed_bit_lengths.end();

        // `pkcs1_encode` depends on this not being small. Otherwise,
        // `pkcs1_encode` would generate padding that is invalid (too few 0xFF
        // bytes) for very small keys.
        const MIN_BITS: bits::BitLength = bits::BitLength::from_usize_bits(1024);

        // Step 3 / Step c for `n` (out of order).
        let (value, bits) =
            bigint::OwnedModulusWithOne::from_be_bytes_with_bit_length(n, cpu_features)?;

        // Step 1 / Step a. XXX: SP800-56Br1 and SP800-89 require the length of
        // the public modulus to be exactly 2048 or 3072 bits, but we are more
        // flexible to be compatible with other commonly-used crypto libraries.
        assert!(min_bits >= MIN_BITS);
        let bits_rounded_up =
            bits::BitLength::from_usize_bytes(bits.as_usize_bytes_rounded_up()).unwrap(); // TODO: safe?
        if bits_rounded_up < min_bits {
            return Err(error::KeyRejected::too_small());
        }
        if bits > max_bits {
            return Err(error::KeyRejected::too_large());
        }

        Ok(Self { value, bits })
    }

    /// The big-endian encoding of the modulus.
    ///
    /// There are no leading zeros.
    pub fn be_bytes(&self) -> impl ExactSizeIterator<Item = u8> + Clone + '_ {
        self.value.be_bytes()
    }

    /// The length of the modulus in bits.
    pub fn len_bits(&self) -> bits::BitLength {
        self.bits
    }

    pub(super) fn value(&self) -> &bigint::OwnedModulusWithOne<N> {
        &self.value
    }
}
RSA/bigint: Thread proof of CPU feature detection through bigint. The tests of `bigint` were not doing CPU feature detection themselves. Thus they were depending on some other tests that run before them to do it, or else they were not making use of all the CPU optimizations possible, and thus not testing all the interesting code paths. Also, as we are expanding the functionality of the RSA module, it has become more difficult to track where CPU feature detection has been done and where it needs to be done. Move the proof that the CPU feature detection has been done down into the callers of the `bn_` functions that need CPU feature detection to have been done. This will also be helpful if/when we expand the use of the `bigint` module beyond RSA. 2021-09-27 16:47:04 -07:00			`use crate::{arithmetic::bigint, bits, cpu, error, rsa::N};`
Factor out rsa::public::Modulus. This is a step towards making `rsa::public::Key` public. 2021-09-20 15:11:04 -07:00			`use core::ops::RangeInclusive;`

Make `rsa::{self, public::{self, *}}` public. 2021-09-22 11:31:52 -07:00			`/// The modulus (n) of an RSA public key.`
RSA: Make `rsa::public::Key` clonable. 2021-09-24 10:31:26 -07:00			`#[derive(Clone)]`
RSA: Flatten API by removing `public` and `keypair` submodules. When looking at how this would generlaize to the other public key cryptosystems (ECDSA, ED25519, etc.), I think having fewer submodules involved makes more sense. 2021-09-28 11:44:07 -07:00			`pub struct PublicModulus {`
Rename PartialModulus to Modulus, Modulus to OwnedModulusWithOne. Originally we only had `Modulus`. Then we had a need for a temporary `Modulus` without `oneRR` so we created `PartialModulus`. However, there is really nothing "partial" about them. So, improve the naming by renaming `PartialModulus` to `Modulus` and `Modulus` to `OwnedModulusWithOne`. In the future we may refactor things further to separate the ownership aspect from the "has oneRR" aspect. Instead of just doing a straightforward rename, take this opportunity to refactor the code so that it uses the new `Modulus` whenever `oneRR()` isn't used. This eliminates the duplication of the APIs of the two modulus types, and the duplication of `elem_mul` and `elem_mul_`. 2023-11-02 16:49:28 -07:00			`value: bigint::OwnedModulusWithOne<N>,`
Factor out rsa::public::Modulus. This is a step towards making `rsa::public::Key` public. 2021-09-20 15:11:04 -07:00			`bits: bits::BitLength,`
			`}`

Remove `BitLength`, `PublicModulus`, `PublicExponent` from the public API. Replace `rsa::PublicKey::{n,e}()` with an implementation of `From<&PublicKey>` for `PublicKeyComponents`. This will fit better with the plans to do the same for other public key cryptosystem types. This also allows us to remove `BitLength` from the public API and also to remove some `Debug` implementations. 2021-09-28 12:20:55 -07:00			`/*`
RSA: Flatten API by removing `public` and `keypair` submodules. When looking at how this would generlaize to the other public key cryptosystems (ECDSA, ED25519, etc.), I think having fewer submodules involved makes more sense. 2021-09-28 11:44:07 -07:00			`impl core::fmt::Debug for PublicModulus {`
Factor out rsa::public::Modulus. This is a step towards making `rsa::public::Key` public. 2021-09-20 15:11:04 -07:00			`fn fmt(&self, fmt: &mut ::core::fmt::Formatter) -> Result<(), ::core::fmt::Error> {`
			`self.value.fmt(fmt)`
			`}`
Remove `BitLength`, `PublicModulus`, `PublicExponent` from the public API. Replace `rsa::PublicKey::{n,e}()` with an implementation of `From<&PublicKey>` for `PublicKeyComponents`. This will fit better with the plans to do the same for other public key cryptosystem types. This also allows us to remove `BitLength` from the public API and also to remove some `Debug` implementations. 2021-09-28 12:20:55 -07:00			`}*/`
Factor out rsa::public::Modulus. This is a step towards making `rsa::public::Key` public. 2021-09-20 15:11:04 -07:00
RSA: Flatten API by removing `public` and `keypair` submodules. When looking at how this would generlaize to the other public key cryptosystems (ECDSA, ED25519, etc.), I think having fewer submodules involved makes more sense. 2021-09-28 11:44:07 -07:00			`impl PublicModulus {`
RSA: Reduce visibility of `pub(in crate::rsa)` items. Avoid `pub(in crate::rsa)` in favor of relative visibility constraints. 2021-09-22 11:38:09 -07:00			`pub(super) fn from_be_bytes(`
Factor out rsa::public::Modulus. This is a step towards making `rsa::public::Key` public. 2021-09-20 15:11:04 -07:00			`n: untrusted::Input,`
			`allowed_bit_lengths: RangeInclusive<bits::BitLength>,`
RSA/bigint: Thread proof of CPU feature detection through bigint. The tests of `bigint` were not doing CPU feature detection themselves. Thus they were depending on some other tests that run before them to do it, or else they were not making use of all the CPU optimizations possible, and thus not testing all the interesting code paths. Also, as we are expanding the functionality of the RSA module, it has become more difficult to track where CPU feature detection has been done and where it needs to be done. Move the proof that the CPU feature detection has been done down into the callers of the `bn_` functions that need CPU feature detection to have been done. This will also be helpful if/when we expand the use of the `bigint` module beyond RSA. 2021-09-27 16:47:04 -07:00			`cpu_features: cpu::Features,`
Factor out rsa::public::Modulus. This is a step towards making `rsa::public::Key` public. 2021-09-20 15:11:04 -07:00			`) -> Result<Self, error::KeyRejected> {`
RSA: Flatten API by removing `public` and `keypair` submodules. When looking at how this would generlaize to the other public key cryptosystems (ECDSA, ED25519, etc.), I think having fewer submodules involved makes more sense. 2021-09-28 11:44:07 -07:00			// See `PublicKey::from_modulus_and_exponent` for background on the step
Factor out rsa::public::Modulus. This is a step towards making `rsa::public::Key` public. 2021-09-20 15:11:04 -07:00			`// numbering.`

			`let min_bits = *allowed_bit_lengths.start();`
			`let max_bits = *allowed_bit_lengths.end();`

			// `pkcs1_encode` depends on this not being small. Otherwise,
			// `pkcs1_encode` would generate padding that is invalid (too few 0xFF
			`// bytes) for very small keys.`
			`const MIN_BITS: bits::BitLength = bits::BitLength::from_usize_bits(1024);`

			// Step 3 / Step c for `n` (out of order).
Rename PartialModulus to Modulus, Modulus to OwnedModulusWithOne. Originally we only had `Modulus`. Then we had a need for a temporary `Modulus` without `oneRR` so we created `PartialModulus`. However, there is really nothing "partial" about them. So, improve the naming by renaming `PartialModulus` to `Modulus` and `Modulus` to `OwnedModulusWithOne`. In the future we may refactor things further to separate the ownership aspect from the "has oneRR" aspect. Instead of just doing a straightforward rename, take this opportunity to refactor the code so that it uses the new `Modulus` whenever `oneRR()` isn't used. This eliminates the duplication of the APIs of the two modulus types, and the duplication of `elem_mul` and `elem_mul_`. 2023-11-02 16:49:28 -07:00			`let (value, bits) =`
			`bigint::OwnedModulusWithOne::from_be_bytes_with_bit_length(n, cpu_features)?;`
Factor out rsa::public::Modulus. This is a step towards making `rsa::public::Key` public. 2021-09-20 15:11:04 -07:00
			`// Step 1 / Step a. XXX: SP800-56Br1 and SP800-89 require the length of`
			`// the public modulus to be exactly 2048 or 3072 bits, but we are more`
			`// flexible to be compatible with other commonly-used crypto libraries.`
			`assert!(min_bits >= MIN_BITS);`
			`let bits_rounded_up =`
			`bits::BitLength::from_usize_bytes(bits.as_usize_bytes_rounded_up()).unwrap(); // TODO: safe?`
			`if bits_rounded_up < min_bits {`
			`return Err(error::KeyRejected::too_small());`
			`}`
			`if bits > max_bits {`
			`return Err(error::KeyRejected::too_large());`
			`}`

			`Ok(Self { value, bits })`
			`}`

RSA: Replace `RsaSubjectPublicKey::{modulus,exponent}` with `rsa::Public::{Modulus,Exponent}::be_bytes()`. This is a step towards removing the heap-allocated and usually-unnecessary `public_key: RsaSubjectPublicKey` field. The new API allows the caller to better control how it stores/allocates the component values. This also removes a couple of infallible `unwrap()`s. This is a step towards removing `io::Positive` from the public API. This is a breaking API change. 2021-09-24 10:29:50 -07:00			`/// The big-endian encoding of the modulus.`
			`///`
			`/// There are no leading zeros.`
			`pub fn be_bytes(&self) -> impl ExactSizeIterator<Item = u8> + Clone + '_ {`
			`self.value.be_bytes()`
			`}`

RSA: Deprecate and replace `RsaKeyPair::public_modulus_len`. 2021-09-22 11:32:27 -07:00			`/// The length of the modulus in bits.`
			`pub fn len_bits(&self) -> bits::BitLength {`
Factor out rsa::public::Modulus. This is a step towards making `rsa::public::Key` public. 2021-09-20 15:11:04 -07:00			`self.bits`
			`}`

Rename PartialModulus to Modulus, Modulus to OwnedModulusWithOne. Originally we only had `Modulus`. Then we had a need for a temporary `Modulus` without `oneRR` so we created `PartialModulus`. However, there is really nothing "partial" about them. So, improve the naming by renaming `PartialModulus` to `Modulus` and `Modulus` to `OwnedModulusWithOne`. In the future we may refactor things further to separate the ownership aspect from the "has oneRR" aspect. Instead of just doing a straightforward rename, take this opportunity to refactor the code so that it uses the new `Modulus` whenever `oneRR()` isn't used. This eliminates the duplication of the APIs of the two modulus types, and the duplication of `elem_mul` and `elem_mul_`. 2023-11-02 16:49:28 -07:00			`pub(super) fn value(&self) -> &bigint::OwnedModulusWithOne<N> {`
Factor out rsa::public::Modulus. This is a step towards making `rsa::public::Key` public. 2021-09-20 15:11:04 -07:00			`&self.value`
			`}`
			`}`