rsa: Validate public key befrore allocating memory.

Author: briansmith

src/arithmetic/bigint/modulusvalue.rs

@@ -108,7 +108,11 @@ impl<'a> ValidatedInput<'a> {
         self.len_bits
     }
 
-    pub(crate) fn build_value<M>(self) -> OwnedModulusValue<M> {
+    pub fn input(&self) -> untrusted::Input<'_> {
+        self.input
+    }
+
+    pub(crate) fn build_value<M>(&self) -> OwnedModulusValue<M> {
         let limbs = Uninit::new_less_safe(self.num_limbs)
             .write_from_be_byes_padded(self.input)
             .unwrap_or_else(|LenMismatchError { .. }| unreachable!());

src/rsa/keypair.rs

@@ -14,7 +14,7 @@
 
 use super::{
     padding::{self, RsaEncoding},
-    KeyPairComponents, PublicExponent, PublicKey, PublicKeyComponents, N,
+    public_key, KeyPairComponents, PublicExponent, PublicKey, PublicKeyComponents, N,
 };
 
 /// RSA PKCS#1 1.5 signatures.
@@ -274,15 +274,16 @@ impl KeyPair {
         // https://www.mail-archive.com/[email protected]/msg44759.html.
         // Also, this limit might help with memory management decisions later.
 
-        // Step 1.c. We validate e >= 65537.
-        let public_key = PublicKey::new(
+        let public_key = public_key::ValidatedInput::try_from_be_bytes(
             public_key,
             BitLength::from_bits(2048),
             super::PRIVATE_KEY_PUBLIC_MODULUS_MAX_BITS,
             PublicExponent::_65537,
-            cpu_features,
         )?;
 
+        // Step 1.c. We validate e >= 65537.
+        let public_key = PublicKey::new(public_key, cpu_features)?;
+
         let n_one = public_key.inner().n().oneRR();
         let n = &public_key.inner().n().value(cpu_features);
 

src/rsa/public_key.rs

@@ -37,22 +37,13 @@ derive_debug_self_as_ref_hex_bytes!(PublicKey);
 
 impl PublicKey {
     pub(super) fn new(
-        components: PublicKeyComponents<&[u8]>,
-        n_min_bits: bits::BitLength,
-        n_max_bits: bits::BitLength,
-        e_min_value: PublicExponent,
+        input: ValidatedInput<'_>,
         cpu_features: cpu::Features,
     ) -> Result<Self, error::KeyRejected> {
-        let inner = Inner::new(
-            components,
-            n_min_bits,
-            n_max_bits,
-            e_min_value,
-            cpu_features,
-        )?;
+        let inner = input.build(cpu_features);
 
-        let n_bytes = untrusted::Input::from(components.n);
-        let e_bytes = untrusted::Input::from(components.e);
+        let n_bytes = input.n.input();
+        let e_bytes = input.e_input;
 
         // TODO: Remove this re-parsing, and stop allocating this here.
         // Instead we should serialize on demand without allocation, from
@@ -92,14 +83,27 @@ pub(crate) struct Inner {
     e: PublicExponent,
 }
 
-impl Inner {
-    pub(super) fn new(
-        components: PublicKeyComponents<&[u8]>,
+pub struct ValidatedInput<'a> {
+    n: public_modulus::ValidatedInput<'a>,
+    e: PublicExponent,
+    e_input: untrusted::Input<'a>,
+}
+
+impl<'a> ValidatedInput<'a> {
+    pub(super) fn try_from_be_bytes(
+        components: PublicKeyComponents<&'a [u8]>,
         n_min_bits: bits::BitLength,
         n_max_bits: bits::BitLength,
         e_min_value: PublicExponent,
-        cpu_features: cpu::Features,
     ) -> Result<Self, error::KeyRejected> {
+        let n =
+            public_modulus::ValidatedInput::from_be_bytes(components.n, n_min_bits..=n_max_bits)?;
+        let e_input = components.e.into();
+        let e = PublicExponent::from_be_bytes(e_input, e_min_value)?;
+        Ok(Self { n, e, e_input })
+    }
+
+    pub(super) fn build(&self, cpu_features: cpu::Features) -> Inner {
         // This is an incomplete implementation of NIST SP800-56Br1 Section
         // 6.4.2.2, "Partial Public-Key Validation for RSA." That spec defers
         // to NIST SP800-89 Section 5.3.3, "(Explicit) Partial Public Key
@@ -109,13 +113,7 @@ impl Inner {
         // and one set lettered. TODO: Document this in the end-user
         // documentation for RSA keys.
 
-        let n = public_modulus::ValidatedInput::from_be_bytes(
-            components.n.into(),
-            n_min_bits..=n_max_bits,
-        )?;
-        let e = PublicExponent::from_be_bytes(components.e.into(), e_min_value)?;
-
-        let n = n.build(cpu_features);
+        let n = self.n.build(cpu_features);
 
         // If `n` is less than `e` then somebody has probably accidentally swapped
         // them. The largest acceptable `e` is smaller than the smallest acceptable
@@ -124,9 +122,11 @@ impl Inner {
         // XXX: Steps 4 & 5 / Steps d, e, & f are not implemented. This is also the
         // case in most other commonly-used crypto libraries.
 
-        Ok(Self { n, e })
+        Inner { n, e: self.e }
     }
+}
 
+impl Inner {
     /// The public modulus.
     #[inline]
     pub(super) fn n(&self) -> &PublicModulus {

src/rsa/public_modulus.rs

@@ -41,7 +41,7 @@ pub struct ValidatedInput<'a> {
 
 impl<'a> ValidatedInput<'a> {
     pub fn from_be_bytes(
-        n: untrusted::Input<'a>,
+        n: &'a [u8],
         allowed_bit_lengths: RangeInclusive<bits::BitLength>,
     ) -> Result<Self, error::KeyRejected> {
         // See `PublicKey::from_modulus_and_exponent` for background on the step
@@ -56,7 +56,7 @@ impl<'a> ValidatedInput<'a> {
         const MIN_BITS: bits::BitLength = bits::BitLength::from_bits(1024);
 
         // Step 3 / Step c for `n` (out of order).
-        let input = bigint::modulus::ValidatedInput::try_from_be_bytes(n)?;
+        let input = bigint::modulus::ValidatedInput::try_from_be_bytes(n.into())?;
         let bits = input.len_bits();
 
         // Step 1 / Step a. XXX: SP800-56Br1 and SP800-89 require the length of
@@ -75,7 +75,11 @@ impl<'a> ValidatedInput<'a> {
         Ok(Self { input })
     }
 
-    pub(super) fn build(self, cpu_features: cpu::Features) -> PublicModulus {
+    pub fn input(&self) -> untrusted::Input<'_> {
+        self.input.input()
+    }
+
+    pub(super) fn build(&self, cpu_features: cpu::Features) -> PublicModulus {
         let value = self.input.build_value().into_modulus();
         let m = value.modulus(cpu_features);
         let oneRR = m.alloc_uninit();

src/rsa/verification.rs

@@ -196,19 +196,19 @@ fn verify(
     let max_bits: bits::BitLength =
         bits::BitLength::from_byte_len(PUBLIC_KEY_PUBLIC_MODULUS_MAX_LEN)
             .map_err(error::erase::<InputTooLongError>)?;
-
-    // XXX: FIPS 186-4 seems to indicate that the minimum
-    // exponent value is 2**16 + 1, but it isn't clear if this is just for
-    // signing or also for verification. We support exponents of 3 and larger
-    // for compatibility with other commonly-used crypto libraries.
-    let key = public_key::Inner::new(
+    let validated = public_key::ValidatedInput::try_from_be_bytes(
         components,
         params.min_bits,
         max_bits,
         PublicExponent::_3,
-        cpu_features,
     )?;
 
+    // XXX: FIPS 186-4 seems to indicate that the minimum
+    // exponent value is 2**16 + 1, but it isn't clear if this is just for
+    // signing or also for verification. We support exponents of 3 and larger
+    // for compatibility with other commonly-used crypto libraries.
+    let key = validated.build(cpu_features);
+
     // RFC 8017 Section 5.2.2: RSAVP1.
     let mut decoded = [0u8; PUBLIC_KEY_PUBLIC_MODULUS_MAX_LEN];
     let decoded = key.exponentiate(signature, &mut decoded, cpu_features)?;