RSAPSS#

RSASSA-PSS as defined in RFC 8017.

Available Implementations#

#include "Hacl_RSAPSS.h"

API Reference#

Example

// We want to sign and verify a message.

// Keys
uint8_t* e;
uint32_t eBits;
uint8_t* d;
uint32_t dBits;
uint8_t* mod;
uint32_t modBits;
// Note: This is not in HACL*.
//       You need to bring your own keys.
generate_rsapss_key(&e, &eBits, &d, &dBits, &mod, &modBits);
uint64_t* skey =
  Hacl_RSAPSS_new_rsapss_load_skey(modBits, eBits, dBits, mod, e, d);

if (skey == NULL) {
  //Error
}

uint64_t* pkey = Hacl_RSAPSS_new_rsapss_load_pkey(modBits, eBits, mod, e);

if (pkey == NULL) {
  //Error
}

// Message
const char* msg = "Hello, World!";
size_t msgLen = strlen(msg);

// Salt
uint32_t saltLen =
  Hacl_Hash_Definitions_hash_len(Spec_Hash_Definitions_SHA2_256);
uint8_t* salt = (uint8_t*)malloc(saltLen);
generate_random(salt, saltLen);

// Signature
uint32_t sgntLen = modBits / 8;
uint8_t* sgnt = (uint8_t*)malloc(sgntLen);

// Sign
bool res_sign = Hacl_RSAPSS_rsapss_sign(Spec_Hash_Definitions_SHA2_256,
                                        modBits,
                                        eBits,
                                        dBits,
                                        skey,
                                        saltLen,
                                        salt,
                                        msgLen,
                                        (uint8_t*)msg,
                                        sgnt);

if (!res_sign) {
  // Error
}

bool res_verify = Hacl_RSAPSS_rsapss_verify(Spec_Hash_Definitions_SHA2_256,
                                            modBits,
                                            eBits,
                                            pkey,
                                            saltLen,
                                            sgntLen,
                                            sgnt,
                                            msgLen,
                                            (uint8_t*)msg);

if (!res_verify) {
  // Error
}

free(sgnt);
free(salt);
free(pkey);
free(skey);
free(mod);
free(d);
free(e);
uint64_t *Hacl_RSAPSS_new_rsapss_load_skey(uint32_t modBits, uint32_t eBits, uint32_t dBits, uint8_t *nb, uint8_t *eb, uint8_t *db)#

Load a secret key from key parts.

Parameters

  • modBits – Count of bits in modulus (n).

  • eBits – Count of bits in e value.

  • dBits – Count of bits in d value.

  • nb – Pointer to ceil(modBits / 8) bytes where the modulus (n), in big-endian byte order, is read from.

  • eb – Pointer to ceil(modBits / 8) bytes where the e value, in big-endian byte order, is read from.

  • db – Pointer to ceil(modBits / 8) bytes where the d value, in big-endian byte order, is read from.

Returns

Returns an allocated secret key upon success, otherwise, NULL if key part arguments are invalid or memory allocation fails. Note: caller must take care to free() the created key.

uint64_t *Hacl_RSAPSS_new_rsapss_load_pkey(uint32_t modBits, uint32_t eBits, uint8_t *nb, uint8_t *eb)#

Load a public key from key parts.

Parameters

  • modBits – Count of bits in modulus (n).

  • eBits – Count of bits in e value.

  • nb – Pointer to ceil(modBits / 8) bytes where the modulus (n), in big-endian byte order, is read from.

  • eb – Pointer to ceil(modBits / 8) bytes where the e value, in big-endian byte order, is read from.

Returns

Returns an allocated public key upon success, otherwise, NULL if key part arguments are invalid or memory allocation fails. Note: caller must take care to free() the created key.

bool Hacl_RSAPSS_rsapss_sign(Spec_Hash_Definitions_hash_alg a, uint32_t modBits, uint32_t eBits, uint32_t dBits, uint64_t *skey, uint32_t saltLen, uint8_t *salt, uint32_t msgLen, uint8_t *msg, uint8_t *sgnt)#

Sign a message msg and write the signature to sgnt.

Parameters

  • a – Hash algorithm to use. Allowed values for a are …

    • Spec_Hash_Definitions_SHA2_256,

    • Spec_Hash_Definitions_SHA2_384, and

    • Spec_Hash_Definitions_SHA2_512.

  • modBits – Count of bits in the modulus (n).

  • eBits – Count of bits in e value.

  • dBits – Count of bits in d value.

  • skey – Pointer to secret key created by Hacl_RSAPSS_new_rsapss_load_skey.

  • saltLen – Length of salt.

  • salt – Pointer to saltLen bytes where the salt is read from.

  • msgLen – Length of message.

  • msg – Pointer to msgLen bytes where the message is read from.

  • sgnt – Pointer to ceil(modBits / 8) bytes where the signature is written to.

Returns

Returns true if and only if signing was successful.

bool Hacl_RSAPSS_rsapss_verify(Spec_Hash_Definitions_hash_alg a, uint32_t modBits, uint32_t eBits, uint64_t *pkey, uint32_t saltLen, uint32_t sgntLen, uint8_t *sgnt, uint32_t msgLen, uint8_t *msg)#

Verify the signature sgnt of a message msg.

Parameters

  • a – Hash algorithm to use. Allowed values for a are …

    • Spec_Hash_Definitions_SHA2_256,

    • Spec_Hash_Definitions_SHA2_384, and

    • Spec_Hash_Definitions_SHA2_512.

  • modBits – Count of bits in the modulus (n).

  • eBits – Count of bits in e value.

  • pkey – Pointer to public key created by Hacl_RSAPSS_new_rsapss_load_pkey.

  • saltLen – Length of salt.

  • sgntLen – Length of signature.

  • sgnt – Pointer to sgntLen bytes where the signature is read from.

  • msgLen – Length of message.

  • msg – Pointer to msgLen bytes where the message is read from.

Returns

Returns true if and only if the signature is valid.

bool Hacl_RSAPSS_rsapss_skey_sign(Spec_Hash_Definitions_hash_alg a, uint32_t modBits, uint32_t eBits, uint32_t dBits, uint8_t *nb, uint8_t *eb, uint8_t *db, uint32_t saltLen, uint8_t *salt, uint32_t msgLen, uint8_t *msg, uint8_t *sgnt)#

Sign a message msg and write the signature to sgnt.

Parameters

  • a – Hash algorithm to use. Allowed values for a are …

    • Spec_Hash_Definitions_SHA2_256,

    • Spec_Hash_Definitions_SHA2_384, and

    • Spec_Hash_Definitions_SHA2_512.

  • modBits – Count of bits in the modulus (n).

  • eBits – Count of bits in e value.

  • dBits – Count of bits in d value.

  • nb – Pointer to ceil(modBits / 8) bytes where the modulus (n), in big-endian byte order, is read from.

  • eb – Pointer to ceil(modBits / 8) bytes where the e value, in big-endian byte order, is read from.

  • db – Pointer to ceil(modBits / 8) bytes where the d value, in big-endian byte order, is read from.

  • saltLen – Length of salt.

  • salt – Pointer to saltLen bytes where the salt is read from.

  • msgLen – Length of message.

  • msg – Pointer to msgLen bytes where the message is read from.

  • sgnt – Pointer to ceil(modBits / 8) bytes where the signature is written to.

Returns

Returns true if and only if signing was successful.

bool Hacl_RSAPSS_rsapss_pkey_verify(Spec_Hash_Definitions_hash_alg a, uint32_t modBits, uint32_t eBits, uint8_t *nb, uint8_t *eb, uint32_t saltLen, uint32_t sgntLen, uint8_t *sgnt, uint32_t msgLen, uint8_t *msg)#

Verify the signature sgnt of a message msg.

Parameters

  • a – Hash algorithm to use. Allowed values for a are …

    • Spec_Hash_Definitions_SHA2_256,

    • Spec_Hash_Definitions_SHA2_384, and

    • Spec_Hash_Definitions_SHA2_512.

  • modBits – Count of bits in the modulus (n).

  • eBits – Count of bits in e value.

  • nb – Pointer to ceil(modBits / 8) bytes where the modulus (n), in big-endian byte order, is read from.

  • eb – Pointer to ceil(modBits / 8) bytes where the e value, in big-endian byte order, is read from.

  • saltLen – Length of salt.

  • sgntLen – Length of signature.

  • sgnt – Pointer to sgntLen bytes where the signature is read from.

  • msgLen – Length of message.

  • msg – Pointer to msgLen bytes where the message is read from.

Returns

Returns true if and only if the signature is valid.