Lines Matching +full:key +full:- +full:value
47 * ## Key Elements
50 * such integers are represented with big-endian unsigned notation:
51 * first byte is the most significant, and the value is positive (so
52 * there is no dedicated "sign bit"). Public and private key structures
53 * thus contain, for each such integer, a pointer to the first value byte
55 * relevant bytes. As a general rule, minimal-length encoding is not
56 * enforced: values may have extra leading bytes of value 0.
60 * - the modulus (`n`);
61 * - the public exponent (`e`).
66 * - the modulus (`n`);
67 * - the public exponent (`e`);
68 * - the private exponent (`d`);
69 * - the first prime factor (`p`);
70 * - the second prime factor (`q`);
71 * - the first reduced exponent (`dp`, which is `d` modulo `p-1`);
72 * - the second reduced exponent (`dq`, which is `d` modulo `q-1`);
73 * - the CRT coefficient (`iq`, the inverse of `q` modulo `p`).
83 * - They are constant-time. This means that the execution time and
85 * key components, but not on their value, nor on the value of
87 * random masking, but "true" constant-time code.
89 * - They support only private keys with two prime factors. RSA private
95 * - The public exponent may have arbitrary length. Of course, it is
96 * a good idea to keep public exponents small, so that public key
101 * - The two prime factors of the modulus need not have the same length
106 * - Prime factors and modulus must be smaller than a compile-time limit.
107 * This is made necessary by the use of fixed-size stack buffers, and
112 * - The RSA functions themselves do not enforce lower size limits,
115 * SHA-1 requires a modulus of at least 361 bits). It is up to users
120 * - Within the size constraints expressed above, arbitrary bit lengths
124 * - When verifying PKCS#1 v1.5 signatures, both variants of the hash
133 * - The **i32** implementation internally represents big integers
134 * as arrays of 32-bit integers. It is perfunctory and portable,
137 * - The **i31** implementation uses 32-bit integers, each containing
143 * - The **i62** implementation is similar to the i31 implementation,
144 * except that it internally leverages the 64x64->128 multiplication
148 * - The **i15** implementation uses 16-bit integers, each containing
151 * on ARM Cortex M0/M0+, for much better performance and constant-time
156 * \brief RSA public key.
159 * integers use unsigned big-endian representation; extra leading bytes
160 * of value 0 are allowed.
174 * \brief RSA private key.
178 * the modulus. The big integers use unsigned big-endian representation;
179 * extra leading bytes of value 0 are allowed. However, the modulus bit
183 /** \brief Modulus bit length (in bits, exact value). */
208 * \brief Type for a RSA public key engine.
210 * The public key engine performs the modular exponentiation of the
211 * provided value with the public exponent. The value is modified in
214 * The value length (`xlen`) is verified to have _exactly_ the same
219 * It `xlen` is correct, then `x[]` is modified. Returned value is 1
221 * (the array has the same length as the modulus, but the numerical value
228 * \param pk RSA public key.
239 * - The signature itself. The provided array is NOT modified.
241 * - The encoded OID for the hash function. The provided array must begin
242 * with a single byte that contains the length of the OID value (in
244 * also be `NULL`, in which case the raw hash value should be used
246 * to TLS-1.1, with a 36-byte hash value).
248 * - The hash output length, in bytes.
250 * - The public key.
252 * - An output buffer for the hash value. The caller must still compare
257 * - Hash length MUST be no more than 64 bytes.
259 * - OID value length MUST be no more than 32 bytes (i.e. `hash_oid[0]`
260 * must have a value in the 0..32 range, inclusive).
267 * Returned value is 1 on success, 0 on error.
269 * Implementations of this type need not be constant-time.
274 * \param hash_len expected hash value length (in bytes).
275 * \param pk RSA public key.
276 * \param hash_out output buffer for the hash value.
288 * - The signature itself. The provided array is NOT modified.
290 * - The hash function which was used to hash the message.
292 * - The hash function to use with MGF1 within the PSS padding. This
296 * - The hashed message (as an array of bytes).
298 * - The PSS salt length (in bytes).
300 * - The public key.
304 * - Hash message length MUST be no more than 64 bytes.
306 * Note that, contrary to PKCS#1 v1.5 signature, the hash value of the
315 * Returned value is 1 on success, 0 on error.
317 * Implementations of this type need not be constant-time.
323 * \param hash hash value of the signed message.
325 * \param pk RSA public key.
337 * - A source of random bytes. The source must be already initialized.
339 * - A hash function, used internally with the mask generation function
342 * - A label. The `label` pointer may be `NULL` if `label_len` is zero
345 * - The public key.
347 * - The destination buffer. Its maximum length (in bytes) is provided;
348 * if that length is lower than the public key length, then an error
351 * - The source message.
355 * modulus representation in the public key).
362 * is not large enough, or the public is invalid, or the public key
367 * \param label label value (may be `NULL` if `label_len` is zero).
369 * \param pk RSA public key.
384 * \brief Type for a RSA private key engine.
388 * `(sk->n_bitlen+7)/8` bytes).
390 * Returned value is 1 on success, 0 on error.
393 * \param sk RSA private key.
404 * - The encoded OID for the hash function. The provided array must begin
405 * with a single byte that contains the length of the OID value (in
407 * also be `NULL`, in which case the raw hash value should be used
409 * to TLS-1.1, with a 36-byte hash value).
411 * - The hash value computes over the data to sign (its length is
414 * - The RSA private key.
416 * - The output buffer, that receives the signature.
418 * Returned value is 1 on success, 0 on error. Error conditions include
419 * a too small modulus for the provided hash OID and value, or some
420 * invalid key parameters. The signature length is exactly
421 * `(sk->n_bitlen+7)/8` bytes.
423 * This function is expected to be constant-time with regards to the
424 * private key bytes (lengths of the modulus and the individual factors
428 * \param hash hash value.
429 * \param hash_len hash value length (in bytes).
430 * \param sk RSA private key.
431 * \param x output buffer for the signature value.
443 * - An initialized PRNG for salt generation. If the salt length is
446 * tighter when a non-empty salt is used).
448 * - The hash function which was used to hash the message.
450 * - The hash function to use with MGF1 within the PSS padding. This
454 * - The hashed message.
456 * - The salt length, in bytes.
458 * - The RSA private key.
460 * - The output buffer, that receives the signature.
462 * Returned value is 1 on success, 0 on error. Error conditions include
464 * invalid key parameters. The signature length is exactly
465 * `(sk->n_bitlen+7)/8` bytes.
467 * This function is expected to be constant-time with regards to the
468 * private key bytes (lengths of the modulus and the individual factors
476 * \param sk RSA private key.
477 * \param x output buffer for the signature value.
486 * \brief Encoded OID for SHA-1 (in RSA PKCS#1 signatures).
492 * \brief Encoded OID for SHA-224 (in RSA PKCS#1 signatures).
498 * \brief Encoded OID for SHA-256 (in RSA PKCS#1 signatures).
504 * \brief Encoded OID for SHA-384 (in RSA PKCS#1 signatures).
510 * \brief Encoded OID for SHA-512 (in RSA PKCS#1 signatures).
520 * - A hash function, used internally with the mask generation function
523 * - A label. The `label` pointer may be `NULL` if `label_len` is zero
526 * - The private key.
528 * - The source and destination buffer. The buffer initially contains
536 * checking that the input message length matches the key modulus length,
539 * Implementations MUST use constant-time check of the validity of the
540 * OAEP padding, at least until the leading byte and hash value have
545 * \param label label value (may be `NULL` if `label_len` is zero).
547 * \param sk RSA private key.
558 * 32-bit integers, and the core multiplication primitive is the
559 * 32x32->64 multiplication.
563 * \brief RSA public key engine "i32".
569 * \param pk RSA public key.
583 * \param hash_len expected hash value length (in bytes).
584 * \param pk RSA public key.
585 * \param hash_out output buffer for the hash value.
601 * \param hash hash value of the signed message.
603 * \param pk RSA public key.
611 * \brief RSA private key engine "i32".
616 * \param sk RSA private key.
628 * \param hash hash value.
629 * \param hash_len hash value length (in bytes).
630 * \param sk RSA private key.
631 * \param x output buffer for the hash value.
648 * \param sk RSA private key.
649 * \param x output buffer for the signature value.
658 * RSA "i31" engine. Similar to i32, but only 31 bits are used per 32-bit
664 * \brief RSA public key engine "i31".
670 * \param pk RSA public key.
684 * \param hash_len expected hash value length (in bytes).
685 * \param pk RSA public key.
686 * \param hash_out output buffer for the hash value.
702 * \param hash hash value of the signed message.
704 * \param pk RSA public key.
712 * \brief RSA private key engine "i31".
717 * \param sk RSA private key.
729 * \param hash hash value.
730 * \param hash_len hash value length (in bytes).
731 * \param sk RSA private key.
732 * \param x output buffer for the hash value.
749 * \param sk RSA private key.
750 * \param x output buffer for the signature value.
760 * 64x64->128 multiplications. This is available only on architecture
765 * \brief RSA public key engine "i62".
767 * This function is defined only on architecture that offer a 64x64->128
775 * \param pk RSA public key.
784 * This function is defined only on architecture that offer a 64x64->128
793 * \param hash_len expected hash value length (in bytes).
794 * \param pk RSA public key.
795 * \param hash_out output buffer for the hash value.
805 * This function is defined only on architecture that offer a 64x64->128
815 * \param hash hash value of the signed message.
817 * \param pk RSA public key.
825 * \brief RSA private key engine "i62".
827 * This function is defined only on architecture that offer a 64x64->128
834 * \param sk RSA private key.
843 * This function is defined only on architecture that offer a 64x64->128
850 * \param hash hash value.
851 * \param hash_len hash value length (in bytes).
852 * \param sk RSA private key.
853 * \param x output buffer for the hash value.
863 * This function is defined only on architecture that offer a 64x64->128
874 * \param sk RSA private key.
875 * \param x output buffer for the signature value.
884 * \brief Get the RSA "i62" implementation (public key operations),
908 * \brief Get the RSA "i62" implementation (private key operations),
948 * RSA "i15" engine. Integers are represented as 15-bit integers, so
949 * the code uses only 32-bit multiplication (no 64-bit result), which
950 * is vastly faster (and constant-time) on the ARM Cortex M0/M0+.
954 * \brief RSA public key engine "i15".
960 * \param pk RSA public key.
974 * \param hash_len expected hash value length (in bytes).
975 * \param pk RSA public key.
976 * \param hash_out output buffer for the hash value.
992 * \param hash hash value of the signed message.
994 * \param pk RSA public key.
1002 * \brief RSA private key engine "i15".
1007 * \param sk RSA private key.
1019 * \param hash hash value.
1020 * \param hash_len hash value length (in bytes).
1021 * \param sk RSA private key.
1022 * \param x output buffer for the hash value.
1039 * \param sk RSA private key.
1040 * \param x output buffer for the signature value.
1049 * \brief Get "default" RSA implementation (public-key operations).
1051 * This returns the preferred implementation of RSA (public-key operations)
1059 * \brief Get "default" RSA implementation (private-key operations).
1061 * This returns the preferred implementation of RSA (private-key operations)
1131 * This function performs the RSA decryption for a RSA-based key exchange
1133 * parameter points to the value to decrypt, of length `len` bytes. On
1134 * success, the 48-byte pre-master secret is copied into `data`, starting
1138 * This function first checks that the provided value length (`len`) is
1144 * in constant-time. A decryption error, or a bad padding, or an
1145 * incorrect decrypted value length are reported with a returned value of
1147 * to proceed with a random pre-master secret in case of error.
1149 * \param core RSA private key engine.
1150 * \param sk RSA private key.
1165 * \param label label value (may be `NULL` if `label_len` is zero).
1167 * \param pk RSA public key.
1187 * \param label label value (may be `NULL` if `label_len` is zero).
1189 * \param sk RSA private key.
1205 * \param label label value (may be `NULL` if `label_len` is zero).
1207 * \param pk RSA public key.
1227 * \param label label value (may be `NULL` if `label_len` is zero).
1229 * \param sk RSA private key.
1245 * \param label label value (may be `NULL` if `label_len` is zero).
1247 * \param pk RSA public key.
1267 * \param label label value (may be `NULL` if `label_len` is zero).
1269 * \param sk RSA private key.
1281 * This function is defined only on architecture that offer a 64x64->128
1289 * \param label label value (may be `NULL` if `label_len` is zero).
1291 * \param pk RSA public key.
1308 * This function is defined only on architecture that offer a 64x64->128
1315 * \param label label value (may be `NULL` if `label_len` is zero).
1317 * \param sk RSA private key.
1327 * \brief Get buffer size to hold RSA private key elements.
1330 * receive the elements of a RSA private key, as generated by one of
1334 * \param size target key size (modulus size, in bits)
1335 * \return the length of the private key buffer, in bytes.
1340 * \brief Get buffer size to hold RSA public key elements.
1343 * receive the elements of a RSA public key, as generated by one of
1347 * \param size target key size (modulus size, in bits)
1348 * \return the length of the public key buffer, in bytes.
1353 * \brief Type for RSA key pair generator implementation.
1355 * This function generates a new RSA key pair whose modulus has bit
1356 * length `size` bits. The private key elements are written in the
1358 * elements are populated in the provided private key structure `sk`.
1359 * Similarly, the public key elements are written in `kbuf_pub`, with
1363 * private key is set.
1365 * If `pubexp` is not zero, then its value will be used as public
1368 * have value 3.
1373 * Returned value is 1 on success, 0 on error. An error is reported
1374 * if the requested range is outside of the supported key sizes, or
1375 * if an invalid non-zero public exponent value is provided. Supported
1376 * range starts at 512 bits, and up to an implementation-defined
1377 * maximum (by default 4096 bits). Note that key sizes up to 768 bits
1382 * \param sk RSA private key structure (destination)
1383 * \param kbuf_priv buffer for private key elements
1384 * \param pk RSA public key structure (destination), or `NULL`
1385 * \param kbuf_pub buffer for public key elements, or `NULL`
1397 * \brief RSA key pair generation with the "i15" engine.
1402 * \param sk RSA private key structure (destination)
1403 * \param kbuf_priv buffer for private key elements
1404 * \param pk RSA public key structure (destination), or `NULL`
1405 * \param kbuf_pub buffer for public key elements, or `NULL`
1417 * \brief RSA key pair generation with the "i31" engine.
1422 * \param sk RSA private key structure (destination)
1423 * \param kbuf_priv buffer for private key elements
1424 * \param pk RSA public key structure (destination), or `NULL`
1425 * \param kbuf_pub buffer for public key elements, or `NULL`
1437 * \brief RSA key pair generation with the "i62" engine.
1439 * This function is defined only on architecture that offer a 64x64->128
1446 * \param sk RSA private key structure (destination)
1447 * \param kbuf_priv buffer for private key elements
1448 * \param pk RSA public key structure (destination), or `NULL`
1449 * \param kbuf_pub buffer for public key elements, or `NULL`
1461 * \brief Get the RSA "i62" implementation (key pair generation),
1469 * \brief Get "default" RSA implementation (key pair generation).
1471 * This returns the preferred implementation of RSA (key pair generation)
1481 * Such a function computes the public modulus from the private key. The
1482 * encoded modulus (unsigned big-endian) is written on `n`, and the size
1486 * If the key size exceeds an internal limit, 0 is returned.
1489 * \param sk RSA private key.
1500 * \param sk RSA private key.
1511 * \param sk RSA private key.
1529 * Such a function recomputes the public exponent from the private key.
1532 * - Either `p` or `q` is not equal to 3 modulo 4.
1534 * - The public exponent does not fit on 32 bits.
1536 * - An internal limit is exceeded.
1538 * - The private key is invalid in some way.
1540 * For all private keys produced by the key generator functions
1580 * An RSA private key (`br_rsa_private_key`) contains two reduced
1581 * private exponents, which are sufficient to perform private key
1583 * require also a copy of the complete private exponent (non-reduced),
1588 * - Both private factors `p` and `q` are equal to 3 modulo 4.
1590 * - The provided public exponent `pubexp` is correct, and, in particular,
1591 * is odd, relatively prime to `p-1` and `q-1`, and greater than 1.
1593 * - No internal storage limit is exceeded.
1595 * For all private keys produced by the key generator functions
1599 * The encoded private exponent is written in `d` (unsigned big-endian
1605 * returned value shall be checked also when actually producing the value.
1608 * \param sk RSA private key.
1621 * \param sk RSA private key.
1634 * \param sk RSA private key.