1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
|
#ifndef AWS_CAL_RSA_H
#define AWS_CAL_RSA_H
/**
* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
* SPDX-License-Identifier: Apache-2.0.
*/
#include <aws/cal/cal.h>
#include <aws/common/byte_buf.h>
AWS_PUSH_SANE_WARNING_LEVEL
struct aws_rsa_key_pair;
enum aws_rsa_encryption_algorithm {
AWS_CAL_RSA_ENCRYPTION_PKCS1_5,
AWS_CAL_RSA_ENCRYPTION_OAEP_SHA256,
AWS_CAL_RSA_ENCRYPTION_OAEP_SHA512,
};
enum aws_rsa_signature_algorithm {
AWS_CAL_RSA_SIGNATURE_PKCS1_5_SHA256,
AWS_CAL_RSA_SIGNATURE_PSS_SHA256,
};
/*
* Note: prefer using standard key sizes - 1024, 2048, 4096.
* Other key sizes will work, but which key sizes are supported may vary by
* platform. Typically, multiples of 64 should work on all platforms.
*/
enum {
AWS_CAL_RSA_MIN_SUPPORTED_KEY_SIZE_IN_BITS = 1024,
AWS_CAL_RSA_MAX_SUPPORTED_KEY_SIZE_IN_BITS = 4096,
};
AWS_EXTERN_C_BEGIN
/**
* Creates an RSA public key from RSAPublicKey as defined in rfc 8017 (aka PKCS1).
* Returns a new instance of aws_rsa_key_pair if the key was successfully built.
* Otherwise returns NULL.
*/
AWS_CAL_API struct aws_rsa_key_pair *aws_rsa_key_pair_new_from_public_key_pkcs1(
struct aws_allocator *allocator,
struct aws_byte_cursor key);
/**
* Creates an RSA private key from RSAPrivateKey as defined in rfc 8017 (aka PKCS1).
* Returns a new instance of aws_rsa_key_pair if the key was successfully built.
* Otherwise returns NULL.
*/
AWS_CAL_API struct aws_rsa_key_pair *aws_rsa_key_pair_new_from_private_key_pkcs1(
struct aws_allocator *allocator,
struct aws_byte_cursor key);
/**
* Adds one to an RSA key pair's ref count.
* Returns key_pair pointer.
*/
AWS_CAL_API struct aws_rsa_key_pair *aws_rsa_key_pair_acquire(struct aws_rsa_key_pair *key_pair);
/**
* Subtracts one from an RSA key pair's ref count. If ref count reaches zero, the key pair is destroyed.
* Always returns NULL.
*/
AWS_CAL_API struct aws_rsa_key_pair *aws_rsa_key_pair_release(struct aws_rsa_key_pair *key_pair);
/**
* Max plaintext size that can be encrypted by the key (i.e. max data size
* supported by the key - bytes needed for padding).
*/
AWS_CAL_API size_t aws_rsa_key_pair_max_encrypt_plaintext_size(
const struct aws_rsa_key_pair *key_pair,
enum aws_rsa_encryption_algorithm algorithm);
/*
* Uses the key_pair's private key to encrypt the plaintext. The output will be
* in out. out must be large enough to to hold the ciphertext. Check
* aws_rsa_key_pair_block_length() for output upper bound.
*/
AWS_CAL_API int aws_rsa_key_pair_encrypt(
const struct aws_rsa_key_pair *key_pair,
enum aws_rsa_encryption_algorithm algorithm,
struct aws_byte_cursor plaintext,
struct aws_byte_buf *out);
/*
* Uses the key_pair's private key to decrypt the ciphertext. The output will be
* in out. out must be large enough to to hold the ciphertext. Check
* aws_rsa_key_pair_block_length() for output upper bound.
*/
AWS_CAL_API int aws_rsa_key_pair_decrypt(
const struct aws_rsa_key_pair *key_pair,
enum aws_rsa_encryption_algorithm algorithm,
struct aws_byte_cursor ciphertext,
struct aws_byte_buf *out);
/*
* Max size for a block supported by a given key pair.
*/
AWS_CAL_API size_t aws_rsa_key_pair_block_length(const struct aws_rsa_key_pair *key_pair);
/**
* Uses the key_pair's private key to sign message. The output will be in out. out must be large enough
* to hold the signature. Check aws_rsa_key_pair_signature_length() for the appropriate size.
*
* It is the callers job to make sure message is the appropriate cryptographic digest for this operation. It's usually
* something like a SHA256.
*/
AWS_CAL_API int aws_rsa_key_pair_sign_message(
const struct aws_rsa_key_pair *key_pair,
enum aws_rsa_signature_algorithm algorithm,
struct aws_byte_cursor digest,
struct aws_byte_buf *out);
/**
* Uses the key_pair's public key to verify signature of message.
*
* It is the callers job to make sure message is the appropriate cryptographic digest for this operation. It's usually
* something like a SHA256.
*
* returns AWS_OP_SUCCESS if the signature is valid.
* raises AWS_ERROR_CAL_SIGNATURE_VALIDATION_FAILED if signature validation failed
*/
AWS_CAL_API int aws_rsa_key_pair_verify_signature(
const struct aws_rsa_key_pair *key_pair,
enum aws_rsa_signature_algorithm algorithm,
struct aws_byte_cursor digest,
struct aws_byte_cursor signature);
/*
* Max size for a signature supported by a given key pair.
*/
AWS_CAL_API size_t aws_rsa_key_pair_signature_length(const struct aws_rsa_key_pair *key_pair);
enum aws_rsa_key_export_format {
AWS_CAL_RSA_KEY_EXPORT_PKCS1,
};
/*
* Get public key for the key pair.
* Inits out to a copy of key.
* Any encoding on top of that (ex. b64) is left up to user.
* Note: this function is currently not supported on windows for generated keys.
*/
AWS_CAL_API int aws_rsa_key_pair_get_public_key(
const struct aws_rsa_key_pair *key_pair,
enum aws_rsa_key_export_format format,
struct aws_byte_buf *out);
/*
* Get private key for the key pair.
* Inits out to a copy of key.
* Any encoding on top of that (ex. b64) is left up to user.
* Note: this function is currently not supported on Windows for generated keys.
*/
AWS_CAL_API int aws_rsa_key_pair_get_private_key(
const struct aws_rsa_key_pair *key_pair,
enum aws_rsa_key_export_format format,
struct aws_byte_buf *out);
AWS_EXTERN_C_END
AWS_POP_SANE_WARNING_LEVEL
#endif /* AWS_CAL_RSA_H */
|
