| // Copyright 2026 The Go Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style |
| // license that can be found in the LICENSE file. |
| |
| package rsa |
| |
| import ( |
| "bytes" |
| "crypto/internal/constanttime" |
| "crypto/internal/fips140" |
| "crypto/internal/fips140/bigmod" |
| "crypto/internal/fips140/drbg" |
| "crypto/internal/fips140/subtle" |
| "errors" |
| "hash" |
| "io" |
| ) |
| |
| // TestingOnlyLargeExponentPublicKey is a variant of [PublicKey] that supports |
| // large public exponents. It is only meant for supporting the full ACVP test |
| // suite, which unfortunately forces us to choose between a fixed exponent and |
| // the full (2¹⁶, 2²⁵⁶) range. This type must not be used in production code, |
| // nor for e values < 2³¹, which instead must use [PublicKey]. |
| type TestingOnlyLargeExponentPublicKey struct { |
| N *bigmod.Modulus |
| // E is the public exponent, represented as a big-endian byte slice. |
| E []byte |
| } |
| |
| func (pub *TestingOnlyLargeExponentPublicKey) Size() int { |
| return (pub.N.BitLen() + 7) / 8 |
| } |
| |
| func checkLargeExponentPublicKey(pub *TestingOnlyLargeExponentPublicKey) error { |
| if pub.N == nil { |
| return errors.New("crypto/rsa: missing public modulus") |
| } |
| if pub.N.Nat().IsOdd() == 0 { |
| return errors.New("crypto/rsa: public modulus is even") |
| } |
| if pub.N.BitLen() < 2048 { |
| return errors.New("crypto/rsa: public modulus too small") |
| } |
| if pub.N.BitLen()%2 == 1 { |
| return errors.New("crypto/rsa: public modulus bit length not even") |
| } |
| E := pub.E |
| for len(E) > 0 && E[0] == 0 { |
| E = E[1:] |
| } |
| if len(E) < 32/8 || (len(E) == 32/8 && E[0] < 0x80) { |
| // Exponents less than 2^31 must use [PublicKey]. |
| return errors.New("crypto/rsa: public exponent too small") |
| } |
| if len(E) > 256/8 { |
| return errors.New("crypto/rsa: public exponent too large") |
| } |
| if E[len(E)-1]&1 == 0 { |
| return errors.New("crypto/rsa: public exponent is even") |
| } |
| return nil |
| } |
| |
| func encryptLargeExponent(pub *TestingOnlyLargeExponentPublicKey, plaintext []byte) ([]byte, error) { |
| m, err := bigmod.NewNat().SetBytes(plaintext, pub.N) |
| if err != nil { |
| return nil, err |
| } |
| return bigmod.NewNat().Exp(m, pub.E, pub.N).Bytes(pub.N), nil |
| } |
| |
| func TestingOnlyLargeExponentVerifyPKCS1v15(pub *TestingOnlyLargeExponentPublicKey, hash string, hashed []byte, sig []byte) error { |
| fipsSelfTest() |
| fips140.RecordApproved() |
| checkApprovedHashName(hash) |
| if err := checkLargeExponentPublicKey(pub); err != nil { |
| return err |
| } |
| if pub.Size() != len(sig) { |
| return ErrVerification |
| } |
| em, err := encryptLargeExponent(pub, sig) |
| if err != nil { |
| return ErrVerification |
| } |
| expected, err := pkcs1v15ConstructEM(&PublicKey{N: pub.N}, hash, hashed) |
| if err != nil { |
| return ErrVerification |
| } |
| if !bytes.Equal(em, expected) { |
| return ErrVerification |
| } |
| return nil |
| } |
| |
| func TestingOnlyLargeExponentVerifyPSS(pub *TestingOnlyLargeExponentPublicKey, hash hash.Hash, digest []byte, sig []byte) error { |
| fipsSelfTest() |
| fips140.RecordApproved() |
| checkApprovedHash(hash) |
| if err := checkLargeExponentPublicKey(pub); err != nil { |
| return err |
| } |
| if len(sig) != pub.Size() { |
| return ErrVerification |
| } |
| emBits := pub.N.BitLen() - 1 |
| emLen := (emBits + 7) / 8 |
| em, err := encryptLargeExponent(pub, sig) |
| if err != nil { |
| return ErrVerification |
| } |
| for len(em) > emLen && len(em) > 0 { |
| if em[0] != 0 { |
| return ErrVerification |
| } |
| em = em[1:] |
| } |
| return emsaPSSVerify(digest, em, emBits, pssSaltLengthAutodetect, hash) |
| } |
| |
| // TestingOnlyLargeExponentPrivateKey is a variant of [PrivateKey] that supports |
| // large public exponents. It is only meant for supporting the full ACVP test |
| // suite. This type must not be used in production code. |
| type TestingOnlyLargeExponentPrivateKey struct { |
| n *bigmod.Modulus |
| e []byte // big-endian public exponent |
| d *bigmod.Nat |
| p, q *bigmod.Modulus |
| dP []byte |
| dQ []byte |
| qInv *bigmod.Nat |
| } |
| |
| func (priv *TestingOnlyLargeExponentPrivateKey) Size() int { |
| return (priv.n.BitLen() + 7) / 8 |
| } |
| |
| // TestingOnlyNewLargeExponentPrivateKeyWithPrecomputation creates a new RSA private key |
| // with a large public exponent from the given parameters. It is only meant for ACVP testing. |
| func TestingOnlyNewLargeExponentPrivateKeyWithPrecomputation(N []byte, e []byte, d, P, Q, dP, dQ, qInv []byte) (*TestingOnlyLargeExponentPrivateKey, error) { |
| n, err := bigmod.NewModulus(N) |
| if err != nil { |
| return nil, err |
| } |
| p, err := bigmod.NewModulus(P) |
| if err != nil { |
| return nil, err |
| } |
| q, err := bigmod.NewModulus(Q) |
| if err != nil { |
| return nil, err |
| } |
| dN, err := bigmod.NewNat().SetBytes(d, n) |
| if err != nil { |
| return nil, err |
| } |
| qInvNat, err := bigmod.NewNat().SetBytes(qInv, p) |
| if err != nil { |
| return nil, err |
| } |
| |
| priv := &TestingOnlyLargeExponentPrivateKey{ |
| n: n, e: e, d: dN, p: p, q: q, |
| dP: dP, dQ: dQ, qInv: qInvNat, |
| } |
| if err := checkLargeExponentPrivateKey(priv); err != nil { |
| return nil, err |
| } |
| return priv, nil |
| } |
| |
| func checkLargeExponentPrivateKey(priv *TestingOnlyLargeExponentPrivateKey) error { |
| // Check public key portion. |
| pub := &TestingOnlyLargeExponentPublicKey{N: priv.n, E: priv.e} |
| if err := checkLargeExponentPublicKey(pub); err != nil { |
| return err |
| } |
| |
| N := priv.n |
| p := priv.p |
| q := priv.q |
| |
| // FIPS 186-5, Section 5.1 requires "that p and q be of the same bit length." |
| if p.BitLen() != q.BitLen() { |
| // We don't enforce this for testing, just note it. |
| } |
| |
| // Check that pq ≡ 1 mod N (and that p < N and q < N). |
| pN := bigmod.NewNat().ExpandFor(N) |
| if _, err := pN.SetBytes(p.Nat().Bytes(p), N); err != nil { |
| return errors.New("crypto/rsa: invalid prime") |
| } |
| qN := bigmod.NewNat().ExpandFor(N) |
| if _, err := qN.SetBytes(q.Nat().Bytes(q), N); err != nil { |
| return errors.New("crypto/rsa: invalid prime") |
| } |
| if pN.Mul(qN, N).IsZero() != 1 { |
| return errors.New("crypto/rsa: p * q != n") |
| } |
| |
| // Check that de ≡ 1 mod p-1, and de ≡ 1 mod q-1. |
| // Uses byte-slice exponent for large exponents. |
| pMinus1, err := bigmod.NewModulus(p.Nat().SubOne(p).Bytes(p)) |
| if err != nil { |
| return errors.New("crypto/rsa: invalid prime") |
| } |
| dP, err := bigmod.NewNat().SetBytes(priv.dP, pMinus1) |
| if err != nil { |
| return errors.New("crypto/rsa: invalid CRT exponent") |
| } |
| de := bigmod.NewNat() |
| if _, err := de.SetBytes(priv.e, pMinus1); err != nil { |
| // Exponent might be larger than p-1, reduce it. |
| eNat, _ := bigmod.NewNat().SetBytes(priv.e, priv.n) |
| de.Mod(eNat, pMinus1) |
| } |
| de.Mul(dP, pMinus1) |
| if de.IsOne() != 1 { |
| return errors.New("crypto/rsa: invalid CRT exponent") |
| } |
| |
| qMinus1, err := bigmod.NewModulus(q.Nat().SubOne(q).Bytes(q)) |
| if err != nil { |
| return errors.New("crypto/rsa: invalid prime") |
| } |
| dQ, err := bigmod.NewNat().SetBytes(priv.dQ, qMinus1) |
| if err != nil { |
| return errors.New("crypto/rsa: invalid CRT exponent") |
| } |
| if _, err := de.SetBytes(priv.e, qMinus1); err != nil { |
| // Exponent might be larger than q-1, reduce it. |
| eNat, _ := bigmod.NewNat().SetBytes(priv.e, priv.n) |
| de.Mod(eNat, qMinus1) |
| } |
| de.Mul(dQ, qMinus1) |
| if de.IsOne() != 1 { |
| return errors.New("crypto/rsa: invalid CRT exponent") |
| } |
| |
| // Check that qInv * q ≡ 1 mod p. |
| qP, err := bigmod.NewNat().SetOverflowingBytes(q.Nat().Bytes(q), p) |
| if err != nil { |
| // q >= 2^⌈log2(p)⌉ |
| qP = bigmod.NewNat().Mod(q.Nat(), p) |
| } |
| if qP.Mul(priv.qInv, p).IsOne() != 1 { |
| return errors.New("crypto/rsa: invalid CRT coefficient") |
| } |
| |
| return nil |
| } |
| |
| func decryptLargeExponent(priv *TestingOnlyLargeExponentPrivateKey, ciphertext []byte) ([]byte, error) { |
| N := priv.n |
| c, err := bigmod.NewNat().SetBytes(ciphertext, N) |
| if err != nil { |
| return nil, ErrDecryption |
| } |
| |
| // CRT-based decryption (same as regular decrypt, doesn't use E). |
| P, Q := priv.p, priv.q |
| t0 := bigmod.NewNat() |
| // m = c ^ Dp mod p |
| m := bigmod.NewNat().Exp(t0.Mod(c, P), priv.dP, P) |
| // m2 = c ^ Dq mod q |
| m2 := bigmod.NewNat().Exp(t0.Mod(c, Q), priv.dQ, Q) |
| // m = m - m2 mod p |
| m.Sub(t0.Mod(m2, P), P) |
| // m = m * Qinv mod p |
| m.Mul(priv.qInv, P) |
| // m = m * q mod N |
| m.ExpandFor(N).Mul(t0.Mod(Q.Nat(), N), N) |
| // m = m + m2 mod N |
| m.Add(m2.ExpandFor(N), N) |
| |
| return m.Bytes(N), nil |
| } |
| |
| // TestingOnlyLargeExponentDecryptOAEP decrypts ciphertext using RSAES-OAEP with |
| // a private key that has a large public exponent. It is only meant for ACVP testing. |
| func TestingOnlyLargeExponentDecryptOAEP(hash, mgfHash hash.Hash, priv *TestingOnlyLargeExponentPrivateKey, ciphertext []byte, label []byte) ([]byte, error) { |
| fipsSelfTest() |
| fips140.RecordApproved() |
| checkApprovedHash(hash) |
| |
| k := priv.Size() |
| if len(ciphertext) > k || k < hash.Size()*2+2 { |
| return nil, ErrDecryption |
| } |
| |
| em, err := decryptLargeExponent(priv, ciphertext) |
| if err != nil { |
| return nil, err |
| } |
| |
| hash.Reset() |
| hash.Write(label) |
| lHash := hash.Sum(nil) |
| |
| firstByteIsZero := constanttime.ByteEq(em[0], 0) |
| |
| seed := em[1 : hash.Size()+1] |
| db := em[hash.Size()+1:] |
| |
| mgf1XOR(seed, mgfHash, db) |
| mgf1XOR(db, mgfHash, seed) |
| |
| lHash2 := db[0:hash.Size()] |
| |
| lHash2Good := subtle.ConstantTimeCompare(lHash, lHash2) |
| |
| var lookingForIndex, index, invalid int |
| lookingForIndex = 1 |
| rest := db[hash.Size():] |
| |
| for i := 0; i < len(rest); i++ { |
| equals0 := constanttime.ByteEq(rest[i], 0) |
| equals1 := constanttime.ByteEq(rest[i], 1) |
| index = constanttime.Select(lookingForIndex&equals1, i, index) |
| lookingForIndex = constanttime.Select(equals1, 0, lookingForIndex) |
| invalid = constanttime.Select(lookingForIndex&^equals0, 1, invalid) |
| } |
| |
| if firstByteIsZero&lHash2Good&^invalid&^lookingForIndex != 1 { |
| return nil, ErrDecryption |
| } |
| |
| return rest[index+1:], nil |
| } |
| |
| // TestingOnlyLargeExponentEncryptOAEP encrypts the given message with RSAES-OAEP |
| // using a public key with a large exponent. It is only meant for ACVP testing. |
| func TestingOnlyLargeExponentEncryptOAEP(hash, mgfHash hash.Hash, random io.Reader, pub *TestingOnlyLargeExponentPublicKey, msg []byte, label []byte) ([]byte, error) { |
| fipsSelfTest() |
| fips140.RecordApproved() |
| checkApprovedHash(hash) |
| if err := checkLargeExponentPublicKey(pub); err != nil { |
| return nil, err |
| } |
| k := pub.Size() |
| if len(msg) > k-2*hash.Size()-2 { |
| return nil, ErrMessageTooLong |
| } |
| |
| hash.Reset() |
| hash.Write(label) |
| lHash := hash.Sum(nil) |
| |
| em := make([]byte, k) |
| seed := em[1 : 1+hash.Size()] |
| db := em[1+hash.Size():] |
| |
| copy(db[0:hash.Size()], lHash) |
| db[len(db)-len(msg)-1] = 1 |
| copy(db[len(db)-len(msg):], msg) |
| |
| if err := drbg.ReadWithReader(random, seed); err != nil { |
| return nil, err |
| } |
| |
| mgf1XOR(db, mgfHash, seed) |
| mgf1XOR(seed, mgfHash, db) |
| |
| return encryptLargeExponent(pub, em) |
| } |
