brsa.go

Documentation: github.com/cloudflare/circl/blindsign/blindrsa

     1  // Package blindrsa implements the RSA Blind Signature Protocol as defined in [RFC9474].
     2  //
     3  // The RSA Blind Signature protocol, and its variant RSABSSA
     4  // (RSA Blind Signature with Appendix) is a two-party protocol
     5  // between a Client and Server where they interact to compute
     6  //
     7  //	sig = Sign(sk, input_msg),
     8  //
     9  // where `input_msg = Prepare(msg)` is a prepared version of a private
    10  // message `msg` provided by the Client, and `sk` is the private signing
    11  // key provided by the server.
    12  //
    13  // # Supported Variants
    14  //
    15  // This package is compliant with the [RFC-9474] document
    16  // and supports the following variants:
    17  //   - [NewVerifier] implements RSABSSA-SHA384-PSS-Deterministic
    18  //   - [NewDeterministicVerifier] implements RSABSSA-SHA384-PSSZERO-Deterministic
    19  //
    20  // while these variants are not supported yet:
    21  //   - RSABSSA-SHA384-PSS-Randomized
    22  //   - RSABSSA-SHA384-PSSZERO-Randomized
    23  //
    24  // [RFC-9474]: https://www.rfc-editor.org/info/rfc9474
    25  package blindrsa
    26  
    27  import (
    28  	"crypto"
    29  	"crypto/rand"
    30  	"crypto/rsa"
    31  	"hash"
    32  	"io"
    33  	"math/big"
    34  
    35  	"github.com/cloudflare/circl/blindsign/blindrsa/internal/common"
    36  	"github.com/cloudflare/circl/blindsign/blindrsa/internal/keys"
    37  )
    38  
    39  // An randomBRSAVerifier represents a Verifier in the RSA blind signature protocol.
    40  // It carries state needed to produce and validate an RSA signature produced
    41  // using the blind RSA protocol.
    42  type randomBRSAVerifier struct {
    43  	// Public key of the Signer
    44  	pk *rsa.PublicKey
    45  
    46  	// Identifier of the cryptographic hash function used in producing the message signature
    47  	cryptoHash crypto.Hash
    48  
    49  	// Hash function used in producing the message signature
    50  	hash hash.Hash
    51  }
    52  
    53  // A deterministicBRSAVerifier is a BRSAVerifier that supports deterministic signatures.
    54  type deterministicBRSAVerifier struct {
    55  	// Public key of the Signer
    56  	pk *rsa.PublicKey
    57  
    58  	// Identifier of the cryptographic hash function used in producing the message signature
    59  	cryptoHash crypto.Hash
    60  
    61  	// Hash function used in producing the message signature
    62  	hash hash.Hash
    63  }
    64  
    65  // Verifier is a type that implements the client side of the blind RSA
    66  // protocol, described in https://www.rfc-editor.org/rfc/rfc9474.html#name-rsabssa-variants
    67  type Verifier interface {
    68  	// Blind initializes the blind RSA protocol using an input message and source of randomness. The
    69  	// signature is deterministic. This function fails if randomness was not provided.
    70  	Blind(random io.Reader, message []byte) ([]byte, VerifierState, error)
    71  
    72  	// FixedBlind runs the Blind function with fixed blind and salt inputs.
    73  	FixedBlind(message, blind, salt []byte) ([]byte, VerifierState, error)
    74  
    75  	// Verify verifies the input (message, signature) pair and produces an error upon failure.
    76  	Verify(message, signature []byte) error
    77  
    78  	// Hash returns the hash function associated with the Verifier.
    79  	Hash() hash.Hash
    80  }
    81  
    82  // NewDeterministicVerifier creates a new DeterministicBRSAVerifier using the corresponding Signer parameters.
    83  // This corresponds to the RSABSSA-SHA384-PSSZERO-Deterministic variant. See the specification for more details:
    84  // https://www.rfc-editor.org/rfc/rfc9474.html#name-rsabssa-variants
    85  func NewDeterministicVerifier(pk *rsa.PublicKey, hash crypto.Hash) Verifier {
    86  	h := common.ConvertHashFunction(hash)
    87  	return deterministicBRSAVerifier{
    88  		pk:         pk,
    89  		cryptoHash: hash,
    90  		hash:       h,
    91  	}
    92  }
    93  
    94  // Hash returns the hash function associated with the BRSAVerifier.
    95  func (v deterministicBRSAVerifier) Hash() hash.Hash {
    96  	return v.hash
    97  }
    98  
    99  // NewVerifier creates a new BRSAVerifier using the corresponding Signer parameters.
   100  // This corresponds to the RSABSSA-SHA384-PSS-Deterministic variant. See the specification for more details:
   101  // https://www.rfc-editor.org/rfc/rfc9474.html#name-rsabssa-variants
   102  func NewVerifier(pk *rsa.PublicKey, hash crypto.Hash) Verifier {
   103  	h := common.ConvertHashFunction(hash)
   104  	return randomBRSAVerifier{
   105  		pk:         pk,
   106  		cryptoHash: hash,
   107  		hash:       h,
   108  	}
   109  }
   110  
   111  // Hash returns the hash function associated with the BRSAVerifier.
   112  func (v randomBRSAVerifier) Hash() hash.Hash {
   113  	return v.hash
   114  }
   115  
   116  func prepareMsg(message, prefix []byte) []byte {
   117  	return append(prefix, message...)
   118  }
   119  
   120  func fixedBlind(message, salt []byte, r, rInv *big.Int, pk *rsa.PublicKey, hash hash.Hash) ([]byte, VerifierState, error) {
   121  	encodedMsg, err := common.EncodeMessageEMSAPSS(message, pk.N, hash, salt)
   122  	if err != nil {
   123  		return nil, VerifierState{}, err
   124  	}
   125  
   126  	m := new(big.Int).SetBytes(encodedMsg)
   127  
   128  	bigE := big.NewInt(int64(pk.E))
   129  	x := new(big.Int).Exp(r, bigE, pk.N)
   130  	z := new(big.Int).Set(m)
   131  	z.Mul(z, x)
   132  	z.Mod(z, pk.N)
   133  
   134  	kLen := (pk.N.BitLen() + 7) / 8
   135  	blindedMsg := make([]byte, kLen)
   136  	z.FillBytes(blindedMsg)
   137  
   138  	return blindedMsg, VerifierState{
   139  		encodedMsg: encodedMsg,
   140  		pk:         pk,
   141  		hash:       hash,
   142  		salt:       salt,
   143  		rInv:       rInv,
   144  	}, nil
   145  }
   146  
   147  // Blind initializes the blind RSA protocol using an input message and source of randomness. The
   148  // signature is deterministic. This function fails if randomness was not provided.
   149  //
   150  // See the specification for more details:
   151  // https://www.rfc-editor.org/rfc/rfc9474.html#name-blind
   152  func (v deterministicBRSAVerifier) Blind(random io.Reader, message []byte) ([]byte, VerifierState, error) {
   153  	if random == nil {
   154  		return nil, VerifierState{}, common.ErrInvalidRandomness
   155  	}
   156  
   157  	r, rInv, err := common.GenerateBlindingFactor(random, v.pk.N)
   158  	if err != nil {
   159  		return nil, VerifierState{}, err
   160  	}
   161  
   162  	return fixedBlind(message, nil, r, rInv, v.pk, v.hash)
   163  }
   164  
   165  // FixedBlind runs the Blind function with fixed blind and salt inputs.
   166  func (v deterministicBRSAVerifier) FixedBlind(message, blind, salt []byte) ([]byte, VerifierState, error) {
   167  	if blind == nil {
   168  		return nil, VerifierState{}, common.ErrInvalidRandomness
   169  	}
   170  
   171  	r := new(big.Int).SetBytes(blind)
   172  	if r.Cmp(v.pk.N) >= 0 {
   173  		return nil, VerifierState{}, common.ErrInvalidBlind
   174  	}
   175  	rInv := new(big.Int).ModInverse(r, v.pk.N)
   176  	if rInv == nil {
   177  		return nil, VerifierState{}, common.ErrInvalidBlind
   178  	}
   179  
   180  	return fixedBlind(message, salt, r, rInv, v.pk, v.hash)
   181  }
   182  
   183  // Verify verifies the input (message, signature) pair and produces an error upon failure.
   184  func (v deterministicBRSAVerifier) Verify(message, signature []byte) error {
   185  	return common.VerifyMessageSignature(message, signature, 0, keys.NewBigPublicKey(v.pk), v.cryptoHash)
   186  }
   187  
   188  // Blind initializes the blind RSA protocol using an input message and source of randomness. The
   189  // signature includes a randomly generated PSS salt whose length equals the size of the underlying
   190  // hash function. This function fails if randomness was not provided.
   191  //
   192  // See the specification for more details:
   193  // https://www.rfc-editor.org/rfc/rfc9474.html#name-blind
   194  func (v randomBRSAVerifier) Blind(random io.Reader, message []byte) ([]byte, VerifierState, error) {
   195  	if random == nil {
   196  		return nil, VerifierState{}, common.ErrInvalidRandomness
   197  	}
   198  
   199  	salt := make([]byte, v.hash.Size())
   200  	_, err := io.ReadFull(random, salt)
   201  	if err != nil {
   202  		return nil, VerifierState{}, err
   203  	}
   204  
   205  	r, rInv, err := common.GenerateBlindingFactor(random, v.pk.N)
   206  	if err != nil {
   207  		return nil, VerifierState{}, err
   208  	}
   209  
   210  	return fixedBlind(message, salt, r, rInv, v.pk, v.hash)
   211  }
   212  
   213  // FixedBlind runs the Blind function with fixed blind and salt inputs.
   214  func (v randomBRSAVerifier) FixedBlind(message, blind, salt []byte) ([]byte, VerifierState, error) {
   215  	if blind == nil {
   216  		return nil, VerifierState{}, common.ErrInvalidRandomness
   217  	}
   218  
   219  	r := new(big.Int).SetBytes(blind)
   220  	if r.Cmp(v.pk.N) >= 0 {
   221  		return nil, VerifierState{}, common.ErrInvalidBlind
   222  	}
   223  
   224  	rInv := new(big.Int).ModInverse(r, v.pk.N)
   225  	if rInv == nil {
   226  		return nil, VerifierState{}, common.ErrInvalidBlind
   227  	}
   228  
   229  	return fixedBlind(message, salt, r, rInv, v.pk, v.hash)
   230  }
   231  
   232  // Verify verifies the input (message, signature) pair and produces an error upon failure.
   233  func (v randomBRSAVerifier) Verify(message, signature []byte) error {
   234  	return common.VerifyMessageSignature(message, signature, v.hash.Size(), keys.NewBigPublicKey(v.pk), v.cryptoHash)
   235  }
   236  
   237  // An VerifierState carries state needed to complete the blind signature protocol
   238  // as a verifier.
   239  type VerifierState struct {
   240  	// Public key of the Signer
   241  	pk *rsa.PublicKey
   242  
   243  	// Hash function used in producing the message signature
   244  	hash hash.Hash
   245  
   246  	// The hashed and encoded message being signed
   247  	encodedMsg []byte
   248  
   249  	// The salt used when encoding the message
   250  	salt []byte
   251  
   252  	// Inverse of the blinding factor produced by the Verifier
   253  	rInv *big.Int
   254  }
   255  
   256  // Finalize computes and outputs the final signature, if it's valid. Otherwise, it returns an error.
   257  //
   258  // See the specification for more details:
   259  // https://www.rfc-editor.org/rfc/rfc9474.html#name-finalize
   260  func (state VerifierState) Finalize(data []byte) ([]byte, error) {
   261  	kLen := (state.pk.N.BitLen() + 7) / 8
   262  	if len(data) != kLen {
   263  		return nil, common.ErrUnexpectedSize
   264  	}
   265  
   266  	z := new(big.Int).SetBytes(data)
   267  	s := new(big.Int).Set(state.rInv)
   268  	s.Mul(s, z)
   269  	s.Mod(s, state.pk.N)
   270  
   271  	sig := make([]byte, kLen)
   272  	s.FillBytes(sig)
   273  
   274  	err := common.VerifyBlindSignature(keys.NewBigPublicKey(state.pk), state.encodedMsg, sig)
   275  	if err != nil {
   276  		return nil, err
   277  	}
   278  
   279  	return sig, nil
   280  }
   281  
   282  // CopyBlind returns an encoding of the blind value used in the protocol.
   283  func (state VerifierState) CopyBlind() []byte {
   284  	r := new(big.Int).ModInverse(state.rInv, state.pk.N)
   285  	return r.Bytes()
   286  }
   287  
   288  // CopySalt returns an encoding of the per-message salt used in the protocol.
   289  func (state VerifierState) CopySalt() []byte {
   290  	salt := make([]byte, len(state.salt))
   291  	copy(salt, state.salt)
   292  	return salt
   293  }
   294  
   295  // An Signer represents the Signer in the blind RSA protocol.
   296  // It carries the raw RSA private key used for signing blinded messages.
   297  type Signer struct {
   298  	// An RSA private key
   299  	sk *rsa.PrivateKey
   300  }
   301  
   302  // NewSigner creates a new Signer for the blind RSA protocol using an RSA private key.
   303  func NewSigner(sk *rsa.PrivateKey) Signer {
   304  	return Signer{
   305  		sk: sk,
   306  	}
   307  }
   308  
   309  // BlindSign blindly computes the RSA operation using the Signer's private key on the blinded
   310  // message input, if it's of valid length, and returns an error should the function fail.
   311  //
   312  // See the specification for more details:
   313  // https://www.rfc-editor.org/rfc/rfc9474.html#name-blindsign
   314  func (signer Signer) BlindSign(data []byte) ([]byte, error) {
   315  	kLen := (signer.sk.N.BitLen() + 7) / 8
   316  	if len(data) != kLen {
   317  		return nil, common.ErrUnexpectedSize
   318  	}
   319  
   320  	m := new(big.Int).SetBytes(data)
   321  	if m.Cmp(signer.sk.N) > 0 {
   322  		return nil, common.ErrInvalidMessageLength
   323  	}
   324  
   325  	s, err := common.DecryptAndCheck(rand.Reader, keys.NewBigPrivateKey(signer.sk), m)
   326  	if err != nil {
   327  		return nil, err
   328  	}
   329  
   330  	blindSig := make([]byte, kLen)
   331  	s.FillBytes(blindSig)
   332  
   333  	return blindSig, nil
   334  }
   335  
   336  var (
   337  	ErrUnexpectedSize          = common.ErrUnexpectedSize
   338  	ErrInvalidMessageLength    = common.ErrInvalidMessageLength
   339  	ErrInvalidBlind            = common.ErrInvalidBlind
   340  	ErrInvalidRandomness       = common.ErrInvalidRandomness
   341  	ErrUnsupportedHashFunction = common.ErrUnsupportedHashFunction
   342  )
   343
View as plain text