Replace our slow, possibly incorrect RSA key generation with OpenSSL.
This should fix many WPT tests that are timing out because we were too
slow at computing keys.
Implement the Ed448 curve for signing and verifying using OpenSSL.
The methods could be all made static, but all other curves are not.
I think this is material for further refactoring.
This adds a thin wrapper to LibCrypto for generating cryptographically
secure random values and replaces current usages of PRNG within
LibCrypto as well.
This required multiple changes:
- Make hashes non-copiable because they contain a heap allocated pointer
- Reference classes via `NonnullOwnPtr` only (they are non-copiable)
- Drop all existing hashes implementations
- Use the `OpenSSLHashFunction` base class to implement the same hashes
I was not able to come up with a way to divide this commit into multiple
without increasing the amount of changes.
Nothing breaks with this commit!
Ensure becomes `m1` greater than `m2` even when smaller by more than
one `p`. Since the next operations on `m1` are modulus `p` we can add it
as many times as it's needed.
Previously, if `nullptr` was passed as params for
`wrap_in_private_key_info` or `wrap_in_subject_public_key_info` an ASN1
null was serialized. This was not the intended behaviour for many.
The issue was discovered while implementing `wrapKey` and `unwrapKey` in
the next commits.
The textbook RSA decryption method of `c^d % n` is quite slow. If the
necessary parameters are present, the CRT variant will be used.
Performing RSA decryption this way is ~3 times faster.
- Removed the constructor taking a (n, d, e) tuple and moved
it to `RSAPrivateKey`
- Removed default constructor with key generation because it was always
misused and the default key size is quite small
- Added utility constructors to accept a key pair, public key, private
key or both
- Made constructor parameters const
- Updated test to use generated random keys where possible
The previous implementation of `ModularInverse` was flaky and did not
compute the correct value in many occasions, especially with big numbers
like in RSA.
Also added a bunch of tests with big numbers.
The trimmed cache length of the `UnsignedBigInteger` was not reset after
an `add_into_accumulator_without_allocation` operation because the
function manipulates the words directly.
This meant that if the trimmed length was calculated before this
operation it would be wrong after.
In order for public/private key serialization to work correctly we must
store the size of the key because P-521 cannot be stored as full words
inside `UnsignedBigInteger` and therefore is exported as the wrong
length (68 instead of 66).
This makes it also possible to refactor some methods and cleanup
constants scattered around.
Gets almost all import/export tests, expect the JWK ones that calculate
the public key on export. The `SECPxxxr1` implementation currently fails
to do calculations for P-521.
Define SECP521r1 with its constants. Since the parameters cannot be
represented as full bytes, a slight modification has been added to the
byte size.
The current implementation of SECPxxxr1 does not work with this curve.
Little refactoring to remove the last bits of ASN1 decoding/encoding
from within the `SECPxxxr1` class. It was a bit confusing for the
`SECPxxxr1` methods to handle ASN1 internally implicitly. Some explicit
methods are available to achieve the same functionality on the data
structures.
This allows to move ASN1 logic from inside the `SECPxxxr1` curve
itself to the data structures. It makes more sense to have dedicated and
explicit methods to handle transformation between formats.
C++ will jovially select the implicit conversion operator, even if it's
complete bogus, such as for unknown-size types or non-destructible
types. Therefore, all such conversions (which incur a copy) must
(unfortunately) be explicit so that non-copyable types continue to work.
NOTE: We make an exception for trivially copyable types, since they
are, well, trivially copyable.
Co-authored-by: kleines Filmröllchen <filmroellchen@serenityos.org>
Replicate what we are doing with RSA and parse both the private and
public key when parsing the ASN1.
The only thing that changed in the tests is the error message.
The decoding inside `RSA::parse_rsa_key` is quite complex because it
tries to understand if it's decoding PKCS#8 or PKCS#1. Simplify the code
by moving the burden to the PEM decoder.
I have divided ANS1 constants by length so that they don't have
trailing zeros that need to be removed.
Also moved OIDs lists to the only place they are used for clarity.
Fixed a couple of WPT tests by adding SECP521r1 to the list of known
curves.
Parse and store the `ECPrivateKey` extracted from the
`privateKeyAlgorithm` field of the ASN.1 `PrivateKeyInfo` sequence when
the algorithm identifier is `ec_public_key_encryption`.
The parsing function returns `ErrorOr` instead of an "empty" key, like
`parse_rsa_key` does. To me, this seemed better in terms of reliability.
As mentioned in the previous commit, there is room for improvement.
Added basic EC private and public key definitions as well as ASN.1
encoding and decoding.
A lot of refactoring can be made around the ASN.1 processing (here and
in other parts of the codebase) by utilizing what is available
in `LibCrypto::Certificate` as macros, but I think it's outside the
scope of implementing ECDH support for WebCryptoAPI.
It looks like the `SECPxxxr1` was made mainly to work with the TLS
implementation which requires everything to be bytes. This is not always
the case and a loss of generality.
I have added some methods that take and return `UnsignedBigInteger`s
for better interoperability with ASN.1 stuff. I would like to remove
the old methods relying on bytes, but I haven't made my mind around how
to generalize it for all curves.
