Allow exporting public components of RSAKeyPair.

[stephank]

In Portier, we load RSA private keys once, leveraging the DER parsing in Ring. However, we need to then serve the public keys as JWK to clients. These additions allow us to grab the public components of an RSAKeyPair to build the JWK.

I agree to license my contributions to each file under the terms given at the top of each file I changed.

[stephank]

That is one huge CI setup. :)

Thinking some more about just what's in this PR, I have 2 questions myself:

• Is the export_ naming ok? I considered read_, but it also sounds weird. Something else?
• While simpler, I think it's probably inconsistent and less useful to expose the public exponent as an u64? Now considering treating it like the modulus, adding public_exponent_len and export_public_exponent instead.

For the opposite direction (loading JWK), I want to propose an API change. This can be a separate PR just fine. My Rust is still not as fluent as I'd like it to be, but I think this should be possible:

• Formalize the (n, e) pair we pass around as a public struct RSAPublicKey. (Some of the src/rsa/rsa.rs methods could probably be moved to this type.)
• Replace n and e in RSAKeyPair, with an RSAPublicKey field.
• Move current public component RSAKeyPair accessors to RSAPublicKey. (Can drop the public_ prefix.)
• Provide an accessor for &RSAPublicKey on RSAKeyPair.
• Provide bigint accessors on RSAKeyPair for the private components, similar to what this PR does for the public components. (For completeness)
• Provide constructors for DER and BE bigint byte arrays.
• Add a public key type field to the trait VerificationAlgorithm, and a verify_with_key method as an alternative to verify, which operates on an instance of that type.
• Apply same to Ed25519. Hopefully smooth. :)

Does that sound good?

[briansmith]

Thanks for contributing this.

Please make the requested changes. Also, please add the contributor's statement to the end of your commit messages; see https://github.com/briansmith/ring#contributing.

[briansmith]

I suggest this (with fixed line wrapping to 80 characters):

/// Extracts the public modulus.
///
/// `out` must be exactly `public_modulus_len()` bytes long. It
/// will be filled with the big-endian-encoded bytes of the
/// public key, without any padding.

[briansmith]

fill_be_bytes() zero-pads the result. I think that JWT and similar things don't want zero-padded output, so there needs to be a check that out is exactly the right length. This check would make this symmetric with the ring::signature::verify_rsa() and other APIs exposed by ring.

Also, let's add unit tests that verify that we reject 1-byte-too-long and 1-byte-too-short out, and accept correct-length out.

[stephank]

Shouldn't we leave this to the user? The user must allocate enough space somehow based on public_modulus_len. If there's not enough space, fill_be_bytes errors, if there's more space, it's padded, but that may be the user's intent. Doesn't verify_rsa also accept padded input?

I'll look into the unit tests!

[briansmith]

Here's an excerpt from the documentation for verify_rsa:

/// `n` is the public key modulus and `e` is the public key exponent. Both are
/// interpreted as unsigned big-endian encoded values. Both must be positive
/// and neither may have any leading zeros.

These requirements come directly from JWA https://tools.ietf.org/html/rfc7518#section-6.3.1.1 (for n):

Note that implementers have found that some cryptographic libraries prefix an extra zero-valued octet to the modulus representations they return, for instance, returning 257 octets for a 2048-bit key, rather than 256. Implementations using such libraries will need to take care to omit the extra octet from the base64url-encoded representation.

and (for e):

For instance, when representing the value 65537, the octet sequence to be base64url-encoded MUST consist of the three octets [1, 0, 1];

Thus supporting extra zero padding doesn't do anybody any good, AFAICT.

[briansmith]

Maybe it's better to output the exponent as a big-endian byte slice, like the modulus? That would be symmetric with ring::signature::verify_rsa and export_public_modulus(), and it is probably what all the callers need anyway.

[briansmith]

Let's move this unsafe implementation of fill_be_bytes() to Nonnegative, and then make the Modulus and Elem implementations be simple wrappers around it.

[stephank]

I'm not sure how to do this. Modulus contains a BN_MONT_CTX, which owns a BIGNUM, but Nonnegative also wants ownership of its BIGNUM.

bit_length has the same issue. I can try to add both to BIGNUM, then make the others wrappers.

[briansmith]

Please change this to (wrapping at 80 characters):

/// Exporting information about the value is only allowed for the public
/// modulus `N`, not for private moduli.
impl Modulus<super::N> {

[stephank]

Why would we not allow this? JWK also has a private key mapping: https://tools.ietf.org/html/rfc7517#appendix-A.2

[briansmith]

Why would we not allow this? JWK also has a private key mapping: https://tools.ietf.org/html/rfc7517#appendix-A.2

In ring, when you construct a private or symmetric key object, there's no way to get the key material out. This way, you can safely pass an &RSAKeyPair or &OpeningKey to a function and know that that function won't ever leak the key.

If you look at Ed25519KeyPair::generate_serializable, you can see that when we generate a key pair, we also output the bytes needed to serialize the key, along with the generated key pair. When we add RSA key generation to ring, we'll do it the same way.

[briansmith]

Is the export_ naming ok? I considered read_, but it also sounds weird. Something else?

It isn't perfect but I don't have a better suggestion either.

While simpler, I think it's probably inconsistent and less useful to expose the public exponent as an u64? Now considering treating it like the modulus, adding public_exponent_len and export_public_exponent instead.

I agree.

For the opposite direction (loading JWK), I want to propose an API change.

Your suggestion is now tracked in #445. Let's discuss it there. I'll need some time to process it.

[briansmith]

This would fix #299.

[coveralls]

Changes Unknown when pulling 6a27497181f8097be144131baa6d5c4201bfad25 on stephank:feat/rsa-export into ** on briansmith:master**.

[stephank]

I've addressed feedback as far as I could.

I don't see a reason why we wouldn't allow exporting the private components too, though I'm also not sure what that API would look like. Doing the same for all RSA private parts would add a slew of methods. But I don't have anything else.

[coveralls]

Coverage increased (+0.01%) to 93.538% when pulling b7b00d6db6545e9ac0eab59cce86a4d6c7f1a2ad on stephank:feat/rsa-export into cb57b1e on briansmith:master.

[coveralls]

Coverage increased (+0.02%) to 93.547% when pulling abec71d on stephank:feat/rsa-export into cb57b1e on briansmith:master.

[coveralls]

Coverage increased (+0.02%) to 93.547% when pulling abec71d on stephank:feat/rsa-export into cb57b1e on briansmith:master.

[briansmith]

@stephank Sorry for the long delay on this.

I independently did some foundational work for this. For example, I added the equivalent of the RSAPublicKey type here:

ring/src/rsa/verification.rs

Lines 24 to 25 in 0c0f7c4

	#[derive(Debug)]
	pub struct Key {

Now there are a lot of conflicts. I'm going to close this PR since there's an issue open for getting RSA public keys from RSA private keys and I think we should explore a new approach to resolving that.

[stephank]

@briansmith No worries! Thanks for all the effort you're putting into ring & co, and sorry I couldn't keep up. :)