It may happen that the scalars used by SECPxxxr1 turn out to be slightly
smaller than their actual size when serialized to `UnsignedBigInteger`,
especially for P521. Handle this case by serializing zeros instead of
failing.
Originally discovered as a flaky WPT test.
Our `UnsignedBigInteger` implementation cannot handle numbers whose
size is not a multiple of 4. For this reason we need to carry the real
size around for P-521 support.
The code was printing one error message only, but multiple can be
generated in one call. Additionally, using this builtin produces
a much more descriptive output.
This replaces the old `OAEP` implementation with one backed by OpenSSL.
The changes also include some added modularity to the RSA class by
making the `RSA_EME` and `RSA_EMSE` for encryption/decryption and
signing/verifying respectively.
This commit replaces the old implementation of `EMSA_PKCS1_V1_5` with
one backed by OpenSSL. In doing so, the `sign` and `verify` methods of
RSA have been modified to behave like expected and not just be
encryption and decryption.
I was not able to split this commit because the changes to `verify` and
`sign` break pretty much everything.
It used to be that the caller would supply a buffer to write the output
to. This created an anti-pattern in multiple places where the caller
would allocate a `ByteBuffer` and then use `.bytes()` to provide it to
the `PKSystem` method. Then the callee would resize the output buffer
and reassign it, but because the resize was on `Bytes` and not on
`ByteBuffer`, the caller using the latter would cause a bug.
Additionally, in pretty much all cases the buffer was pre-allocated
shortly before.
Replace our slow, possibly incorrect RSA key generation with OpenSSL.
This should fix many WPT tests that are timing out because we were too
slow at computing keys.
Implement the Ed448 curve for signing and verifying using OpenSSL.
The methods could be all made static, but all other curves are not.
I think this is material for further refactoring.
This adds a thin wrapper to LibCrypto for generating cryptographically
secure random values and replaces current usages of PRNG within
LibCrypto as well.
This required multiple changes:
- Make hashes non-copiable because they contain a heap allocated pointer
- Reference classes via `NonnullOwnPtr` only (they are non-copiable)
- Drop all existing hashes implementations
- Use the `OpenSSLHashFunction` base class to implement the same hashes
I was not able to come up with a way to divide this commit into multiple
without increasing the amount of changes.
Nothing breaks with this commit!
Ensure becomes `m1` greater than `m2` even when smaller by more than
one `p`. Since the next operations on `m1` are modulus `p` we can add it
as many times as it's needed.
Previously, if `nullptr` was passed as params for
`wrap_in_private_key_info` or `wrap_in_subject_public_key_info` an ASN1
null was serialized. This was not the intended behaviour for many.
The issue was discovered while implementing `wrapKey` and `unwrapKey` in
the next commits.
The textbook RSA decryption method of `c^d % n` is quite slow. If the
necessary parameters are present, the CRT variant will be used.
Performing RSA decryption this way is ~3 times faster.
- Removed the constructor taking a (n, d, e) tuple and moved
it to `RSAPrivateKey`
- Removed default constructor with key generation because it was always
misused and the default key size is quite small
- Added utility constructors to accept a key pair, public key, private
key or both
- Made constructor parameters const
- Updated test to use generated random keys where possible
