Module: OpenSSL::PKCS1

Defined in:
lib/mcapi/encryption/utils/openssl_rsa_oaep.rb

Class Method Summary collapse

Class Method Details

.add_oaep_mgf1(str, len, label = '', md = nil, mgf1md = nil) ⇒ Object

Raises:

  • (OpenSSL::PKey::RSAError)


25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
# File 'lib/mcapi/encryption/utils/openssl_rsa_oaep.rb', line 25

def add_oaep_mgf1(str, len, label = '', md = nil, mgf1md = nil)
  md ||= OpenSSL::Digest::SHA1
  mgf1md ||= md

  mdlen = md.new.digest_length
  z_len = len - str.bytesize - 2 * mdlen - 2
  raise OpenSSL::PKey::RSAError, 'key size too small' if len < 2 * mdlen + 1
  raise OpenSSL::PKey::RSAError, 'data too large for key size' if z_len.negative?

  l_hash = md.digest(label)
  db = l_hash + ([0] * z_len + [1]).pack('C*') + [str].pack('a*')
  seed = OpenSSL::Random.random_bytes(mdlen)

  masked_db = mgf1_xor(db, seed, mgf1md)
  masked_seed = mgf1_xor(seed, masked_db, mgf1md)

  [0, masked_seed, masked_db].pack('Ca*a*')
end

.check_oaep_mgf1(str, label = '', md = nil, mgf1md = nil) ⇒ Object

Raises:

  • (OpenSSL::PKey::RSAError)


46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
# File 'lib/mcapi/encryption/utils/openssl_rsa_oaep.rb', line 46

def check_oaep_mgf1(str, label = '', md = nil, mgf1md = nil)
  md ||= OpenSSL::Digest::SHA1
  mgf1md ||= md

  mdlen = md.new.digest_length
  em = str.bytes
  raise OpenSSL::PKey::RSAError if em.size < 2 * mdlen + 2

  # Keep constant calculation even if the text is invalid in order to avoid attacks.
  good = secure_byte_is_zero(em[0])
  masked_seed = em[1...1 + mdlen].pack('C*')
  masked_db = em[1 + mdlen...em.size].pack('C*')

  seed = mgf1_xor(masked_seed, masked_db, mgf1md)
  db = mgf1_xor(masked_db, seed, mgf1md)
  db_bytes = db.bytes

  l_hash = md.digest(label)
  good &= secure_hash_eq(l_hash.bytes, db_bytes[0...mdlen])

  one_index = 0
  found_one_byte = 0
  (mdlen...db_bytes.size).each do |i|
    equals1 = secure_byte_eq(db_bytes[i], 1)
    equals0 = secure_byte_is_zero(db_bytes[i])
    one_index = secure_select(~found_one_byte & equals1, i, one_index)
    found_one_byte |= equals1
    good &= (found_one_byte | equals0)
  end

  good &= found_one_byte

  raise OpenSSL::PKey::RSAError if good.zero?

  db_bytes[one_index + 1...db_bytes.size].pack('C*')
end

.mgf1_xor(out, seed, md) ⇒ Object



85
86
87
88
89
90
91
92
93
94
95
96
97
# File 'lib/mcapi/encryption/utils/openssl_rsa_oaep.rb', line 85

def mgf1_xor(out, seed, md)
  counter = 0
  out_bytes = out.bytes
  mask_bytes = []
  while mask_bytes.size < out_bytes.size
    mask_bytes += md.digest([seed, counter].pack('a*N')).bytes
    counter += 1
  end
  out_bytes.size.times do |i|
    out_bytes[i] ^= mask_bytes[i]
  end
  out_bytes.pack('C*')
end

.secure_byte_eq(v1, v2) ⇒ Object



106
107
108
# File 'lib/mcapi/encryption/utils/openssl_rsa_oaep.rb', line 106

def secure_byte_eq(v1, v2)
  secure_byte_is_zero(v1 ^ v2)
end

.secure_byte_is_zero(v) ⇒ Object

Constant time comparistion utilities.



102
103
104
# File 'lib/mcapi/encryption/utils/openssl_rsa_oaep.rb', line 102

def secure_byte_is_zero(v)
  v - 1 >> 8
end

.secure_hash_eq(vs1, vs2) ⇒ Object



114
115
116
117
118
119
120
121
122
123
124
# File 'lib/mcapi/encryption/utils/openssl_rsa_oaep.rb', line 114

def secure_hash_eq(vs1, vs2)
  # Assumes the given hash values have the same size.
  # This check is not constant time, but should not depends on the texts.
  return 0 unless vs1.size == vs2.size

  res = secure_byte_is_zero(0)
  (0...vs1.size).each do |i|
    res &= secure_byte_eq(vs1[i], vs2[i])
  end
  res
end

.secure_select(mask, eq, ne) ⇒ Object



110
111
112
# File 'lib/mcapi/encryption/utils/openssl_rsa_oaep.rb', line 110

def secure_select(mask, eq, ne)
  (mask & eq) | (~mask & ne)
end