Module rsa_cortex_m4::padding

Padding for RSA.

The main reference is RFC 3447 (PKCS #1 v2.1); there is also RFC 8017 (v2.2).

PKCS #1 v1.5 padding is of historical (and practical...) interest. It is used for both encipherment and signatures.

For encipherment, RSAES-OAEP is recommended. This acronym means: RSA Encryption Scheme, with Optimal Asymmetric Encryption Padding. The RFC defines a "label", which we restrict to empty in this implementation.

For signatures, RSASSA-PSS is recommended. This acronym means: RSA Signature Scheme with Appendix, with Probabilistic Signature Scheme. The RFC allows flexibility in the salt length, which we restrict to the size of the digest function's output in this implementation.

The RFC allows a choice of "mask generating function" for both PSS and OAEP, which we restrict to MGF1 in this implementation.

TODO:

Maybe rename to armor.rs? https://news.ycombinator.com/item?id=3715393

"RSA padding" is one of the worst names in cryptography, because it isn't so much "padding" as it is "armor". If you don't pad in a very particular way, and check the padding scrupulously, you end up with multiple different vulnerabilities.

TODO TODO TODO: For RSASSA PKCS1-v1_5, need to ASN.1-encode the hash :/
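The EMSA-PKCS1-v1_5 encoding that the TODO above refers to, as an added example that is not part of this crate: the function and constant names are hypothetical, the DigestInfo prefix bytes are those RFC 8017 section 9.2 gives for SHA-256, and the digest is a constructed sample. Verification re-encodes and compares the whole block instead of parsing the recovered one, so no byte of the padding goes unchecked.

```rust
/// DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
const SHA256_DIGEST_INFO_PREFIX: [u8; 19] = [
    0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
    0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20,
];

/// EM = 0x00 || 0x01 || PS || 0x00 || T, with T = prefix || digest and
/// PS = at least 8 bytes of 0xFF. `em_len` is the modulus length in bytes.
/// Hypothetical helper, not this crate's API.
fn emsa_pkcs1_v1_5_encode(digest: &[u8; 32], em_len: usize) -> Option<Vec<u8>> {
    let t_len = SHA256_DIGEST_INFO_PREFIX.len() + digest.len();
    if em_len < t_len + 11 {
        return None; // RFC: "intended encoded message length too short"
    }
    let mut em = vec![0x00, 0x01];
    em.resize(em_len - t_len - 1, 0xff); // PS fills up to the 0x00 separator
    em.push(0x00);
    em.extend_from_slice(&SHA256_DIGEST_INFO_PREFIX);
    em.extend_from_slice(digest);
    Some(em)
}

/// Rebuild the expected block for this digest and compare every byte,
/// accumulating differences so the comparison does not exit early.
fn emsa_pkcs1_v1_5_verify(recovered_em: &[u8], digest: &[u8; 32]) -> bool {
    match emsa_pkcs1_v1_5_encode(digest, recovered_em.len()) {
        Some(expected) => {
            let diff = expected.iter().zip(recovered_em).fold(0u8, |acc, (a, b)| acc | (a ^ b));
            diff == 0
        }
        None => false,
    }
}

fn main() {
    let digest = [0xab_u8; 32]; // constructed sample, not a real SHA-256 output
    let em = emsa_pkcs1_v1_5_encode(&digest, 256).expect("2048-bit modulus is large enough");
    assert!(emsa_pkcs1_v1_5_verify(&em, &digest));

    // A block whose PS is cut short by a stray 0x00 must be rejected.
    let mut tampered = em.clone();
    tampered[10] = 0x00;
    assert!(!emsa_pkcs1_v1_5_verify(&tampered, &digest));
    println!("EM starts with {:02x?}, T begins at offset {}", &em[..4], 256 - 51);
}
```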

Structs

Oaep

Optimal Asymmetric Encryption Padding.

Pkcs1

PKCS #1 v1.5 padding.

Pss

Probabilistic Signature Scheme.

Unpadded

Helper type to convert between the big-endian bytes representation in the spec and our internal little-endian digits representation.

Enums

Error

The spec has a few error cases.

Constants

SHA256_PREFIX
SHA384_PREFIX
SHA512_PREFIX

Traits

Asn1Digest

ASN.1 prefixes for RSASSA-PKCS1-v1_5.

EncryptionPadding

Padding usable for encryption and decryption.

SignaturePadding

Padding usable for signatures and their verification.

Functions

xor_mgf1

Mask Generating Function 1

Type Definitions

Result