1 // Copyright 2023 Google LLC 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // https://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 #ifndef ANONYMOUS_TOKENS_CPP_CRYPTO_RSA_BLINDER_H_ 16 #define ANONYMOUS_TOKENS_CPP_CRYPTO_RSA_BLINDER_H_ 17 18 #include <stdint.h> 19 20 #include <memory> 21 #include <optional> 22 #include <string> 23 24 #include "absl/status/status.h" 25 #include "absl/status/statusor.h" 26 #include "absl/strings/string_view.h" 27 #include "anonymous_tokens/cpp/crypto/blinder.h" 28 #include "anonymous_tokens/cpp/crypto/crypto_utils.h" 29 30 31 namespace anonymous_tokens { 32 33 // RsaBlinder `blinds` input messages, and then unblinds them after they are 34 // signed. 35 class RsaBlinder : public Blinder { 36 public: 37 // Passing of public_metadata is optional. If it is set to any value including 38 // an empty string, RsaBlinder will assume that partially blind RSA signature 39 // protocol is being executed. 40 // 41 // If public metadata is passed and the boolean "use_rsa_public_exponent" is 42 // set to false, the rsa_public_exponent is not used in any computations in 43 // the protocol. 44 // 45 // Setting "use_rsa_public_exponent" to true is deprecated. All new users 46 // should set it to false. 47 static absl::StatusOr<std::unique_ptr<RsaBlinder>> New( 48 absl::string_view rsa_modulus, absl::string_view rsa_public_exponent, 49 const EVP_MD* signature_hash_function, const EVP_MD* mgf1_hash_function, 50 int salt_length, bool use_rsa_public_exponent, 51 std::optional<absl::string_view> public_metadata = std::nullopt); 52 53 // Blind `message` using n and e derived from an RSA public key and the public 54 // metadata if applicable. 55 // 56 // Before blinding, the `message` will first be hashed and then encoded with 57 // the EMSA-PSS operation. 58 absl::StatusOr<std::string> Blind(absl::string_view message) override; 59 60 // Unblinds `blind_signature`. 61 // 62 // Callers should run Verify on the returned signature before using it / 63 // passing it on. 64 absl::StatusOr<std::string> Unblind( 65 absl::string_view blind_signature) override; 66 67 // Verifies an `unblinded` signature against the same `message' that was 68 // passed to Blind. 69 absl::Status Verify(absl::string_view signature, absl::string_view message); 70 71 private: 72 // Use `New` to construct 73 RsaBlinder(int salt_length, std::optional<absl::string_view> public_metadata, 74 const EVP_MD* sig_hash, const EVP_MD* mgf1_hash, 75 bssl::UniquePtr<RSA> rsa_public_key, bssl::UniquePtr<BIGNUM> r, 76 bssl::UniquePtr<BIGNUM> r_inv_mont, 77 bssl::UniquePtr<BN_MONT_CTX> mont_n); 78 79 const int salt_length_; 80 std::optional<std::string> public_metadata_; 81 const EVP_MD* sig_hash_; // Owned by BoringSSL. 82 const EVP_MD* mgf1_hash_; // Owned by BoringSSL. 83 84 // If public metadata was passed to RsaBlinder::New, rsa_public_key_ will 85 // will be initialized using RSA_new_public_key_large_e method. 86 const bssl::UniquePtr<RSA> rsa_public_key_; 87 88 const bssl::UniquePtr<BIGNUM> r_; 89 // r^-1 mod n in the Montgomery domain 90 const bssl::UniquePtr<BIGNUM> r_inv_mont_; 91 const bssl::UniquePtr<BN_MONT_CTX> mont_n_; 92 93 BlinderState blinder_state_; 94 }; 95 96 } // namespace anonymous_tokens 97 98 99 #endif // ANONYMOUS_TOKENS_CPP_CRYPTO_RSA_BLINDER_H_ 100