File Coverage

blib/lib/Crypt/RSA/ES/OAEP.pm
Criterion Covered Total %
statement 129 133 96.9
branch 17 30 56.6
condition 5 12 41.6
subroutine 20 20 100.0
pod 4 10 40.0
total 175 205 85.3


line stmt bran cond sub pod time code
1             package Crypt::RSA::ES::OAEP;
2 3     3   27758 use strict;
  3         7  
  3         72  
3 3     3   14 use warnings;
  3         6  
  3         80  
4              
5             ## Crypt::RSA::ES::OAEP
6             ##
7             ## Copyright (c) 2001, Vipul Ved Prakash. All rights reserved.
8             ## This code is free software; you can redistribute it and/or modify
9             ## it under the same terms as Perl itself.
10              
11 3     3   13 use base 'Crypt::RSA::Errorhandler';
  3         6  
  3         744  
12 3     3   1727 use Math::Prime::Util qw/random_bytes/;
  3         19278  
  3         19  
13 3     3   947 use Crypt::RSA::DataFormat qw(bitsize os2ip i2osp octet_xor mgf1 octet_len);
  3         11  
  3         190  
14 3     3   961 use Crypt::RSA::Primitives;
  3         7  
  3         77  
15 3     3   17 use Crypt::RSA::Debug qw(debug);
  3         5  
  3         107  
16 3     3   16 use Digest::SHA qw(sha1);
  3         19  
  3         102  
17 3     3   1127 use Sort::Versions qw(versioncmp);
  3         1538  
  3         139  
18 3     3   18 use Carp;
  3         7  
  3         3309  
19              
20             $Crypt::RSA::ES::OAEP::VERSION = '1.99';
21              
22             sub new {
23 4     4 1 1356 my ($class, %params) = @_;
24 4         23 my $self = bless { primitives => new Crypt::RSA::Primitives,
25             P => "",
26             hlen => 20,
27             VERSION => $Crypt::RSA::ES::OAEP::VERSION,
28             }, $class;
29 4 100       33 if ($params{Version}) {
30 2 100       9 if (versioncmp($params{Version}, '1.15') == -1) {
    50          
31 1         46 $$self{P} = "Crypt::RSA";
32 1         3 $$self{VERSION} = $params{Version};
33             } elsif (versioncmp($params{Version}, $$self{VERSION}) == 1) {
34 1         251 croak "Required version ($params{Version}) greater than installed version ($$self{VERSION}) of $class.\n";
35             }
36             }
37 3         16 return $self;
38             }
39              
40              
41             sub encrypt {
42 256     256 1 1181 my ($self, %params) = @_;
43 256   33     715 my $key = $params{Key}; my $M = $params{Message} || $params{Plaintext};
  256         947  
44 256 50       874 return $self->error ("Missing Message or Plaintext parameter", \$key, \%params) unless $M;
45 256 50       1532 return $self->error ($key->errstr, \$M, $key, \%params) unless $key->check;
46 256         1140 my $k = octet_len ($key->n); debug ("octet_len of modulus: $k");
  256         1423  
47 256   50     1445 my $em = $self->encode ($M, $self->{P}, $k-1) ||
48             return $self->error ($self->errstr, \$M, $key, \%params);
49 256         906 my $m = os2ip ($em);
50 256         454562 my $c = $self->{primitives}->core_encrypt ( Plaintext => $m, Key => $key );
51 256         1459 my $ec = i2osp ($c, $k); debug ("ec: $ec");
  256         1361  
52 256         2855 return $ec;
53             }
54              
55              
56             sub decrypt {
57 256     256 1 1198 my ($self, %params) = @_;
58 256   33     696 my $key = $params{Key}; my $C = $params{Cyphertext} || $params{Ciphertext};
  256         885  
59 256 50       699 return $self->error ("Missing Cyphertext or Ciphertext parameter", \$key, \%params) unless $C;
60 256 50       1933 return $self->error ($key->errstr, $key, \%params) unless $key->check;
61 256         2495 my $k = octet_len ($key->n);
62 256         1151 my $c = os2ip ($C);
63 256 50       461400 if (bitsize($c) > bitsize($key->n)) {
64 0         0 return $self->error ("Decryption error.", $key, \%params)
65             }
66 256   50     1984 my $m = $self->{primitives}->core_decrypt (Cyphertext => $c, Key => $key) ||
67             return $self->error ("Decryption error.", $key, \%params);
68 256   50     8192 my $em = i2osp ($m, $k-1) ||
69             return $self->error ("Decryption error.", $key, \%params);
70 256         593 my $M; $self->errstrrst; # reset the errstr
  256         2004  
71 256 50       1473 unless ($M = $self->decode ($em, $$self{P})) {
72 0 0       0 return $self->error ("Decryption error.", $key, \%params) if $self->errstr();
73 0         0 return $M;
74             }
75 256         2928 return $M;
76             }
77              
78              
79             sub encode {
80 256     256 0 891 my ($self, $M, $P, $emlen) = @_;
81 256         709 my $hlen = $$self{hlen};
82 256         523 my $mlen = length($M);
83 256 50       957 return $self->error ("Message too long.", \$P, \$M) if $mlen > $emlen-(2*$hlen)-1;
84 256         689 my ($PS, $pslen) = ("", 0);
85 256 100       789 if ($pslen = $emlen-(2*$hlen+1+$mlen)) {
86 2         8 $PS = chr(0)x$pslen;
87             }
88 256         1050 my $phash = $self->hash ($P);
89 256         782 my $db = $phash . $PS . chr(1) . $M;
90 256         1737 my $seed = random_bytes($hlen);
91 256         987 my $dbmask = $self->mgf ($seed, $emlen-$hlen);
92 256         910 my $maskeddb = octet_xor ($db, $dbmask);
93 256         755 my $seedmask = $self->mgf ($maskeddb, $hlen);
94 256         755 my $maskedseed = octet_xor ($seed, $seedmask);
95 256         547 my $em = $maskedseed . $maskeddb;
96              
97 256         1011 debug ("emlen == $emlen");
98 256         1288 debug ("M == $M [" . length($M) . "]");
99 256         1109 debug ("PS == $PS [$pslen]");
100 256         1108 debug ("phash == $phash [" . length($phash) . "]");
101 256         1059 debug ("seed == $seed [" . length($seed) . "]");
102 256         1179 debug ("seedmask == $seedmask [" . length($seedmask) . "]");
103 256         1160 debug ("db == $db [" . length($db) . "]");
104 256         913 debug ("dbmask == $dbmask [" . length($dbmask) . "]");
105 256         1050 debug ("maskeddb == $maskeddb [" . length($maskeddb) . "]");
106 256         985 debug ("em == $em [" . length($em) . "]");
107              
108 256         894 return $em;
109             }
110              
111              
112             sub decode {
113 256     256 0 856 my ($self, $em, $P) = @_;
114 256         774 my $hlen = $$self{hlen};
115              
116 256         1260 debug ("P == $P");
117 256 50       876 return $self->error ("Decoding error.", \$P) if length($em) < 2*$hlen+1;
118 256         814 my $maskedseed = substr $em, 0, $hlen;
119 256         677 my $maskeddb = substr $em, $hlen;
120 256         1059 my $seedmask = $self->mgf ($maskeddb, $hlen);
121 256         1051 my $seed = octet_xor ($maskedseed, $seedmask);
122 256         1043 my $dbmask = $self->mgf ($seed, length($em) - $hlen);
123 256         871 my $db = octet_xor ($maskeddb, $dbmask);
124 256         942 my $phash = $self->hash ($P);
125              
126 256         1368 debug ("em == $em [" . length($em) . "]");
127 256         1124 debug ("phash == $phash [" . length($phash) . "]");
128 256         1120 debug ("seed == $seed [" . length($seed) . "]");
129 256         1187 debug ("seedmask == $seedmask [" . length($seedmask) . "]");
130 256         1040 debug ("maskedseed == $maskedseed [" . length($maskedseed) . "]");
131 256         1035 debug ("db == $db [" . length($db) . "]");
132 256         1063 debug ("maskeddb == $maskeddb [" . length($maskeddb) . "]");
133 256         1259 debug ("dbmask == $dbmask [" . length($dbmask) . "]");
134              
135 256         709 my ($phashorig) = substr $db, 0, $hlen;
136 256         1214 debug ("phashorig == $phashorig [" . length($phashorig) . "]");
137 256 50       849 return $self->error ("Decoding error.", \$P) unless $phashorig eq $phash;
138 256         634 $db = substr $db, $hlen;
139 256         642 my ($chr0, $chr1) = (chr(0), chr(1));
140 256         478 my ($ps, $m);
141 256         1041 debug ("db == $db [" . length($db) . "]");
142 256 50       3778 unless ( ($ps, undef, $m) = $db =~ /^($chr0*)($chr1)(.*)$/s ) {
143 0         0 return $self->error ("Decoding error.", \$P);
144             }
145              
146 256         1294 return $m;
147             }
148              
149              
150             sub hash {
151 512     512 0 1444 my ($self, $data) = @_;
152 512         4002 return sha1 ($data);
153             }
154              
155              
156             sub mgf {
157 1024     1024 0 2697 my ($self, @data) = @_;
158 1024         3650 return mgf1 (@data);
159             }
160              
161              
162             sub encryptblock {
163 2     2 0 9 my ($self, %params) = @_;
164 2         15 return octet_len ($params{Key}->n) - 42;
165             }
166              
167              
168             sub decryptblock {
169 1     1 0 5 my ($self, %params) = @_;
170 1         6 return octet_len ($params{Key}->n);
171             }
172              
173              
174             # should be able to call this as a class method.
175             sub version {
176 1     1 1 3 my $self = shift;
177 1         51 return $self->{VERSION};
178             }
179              
180              
181             1;
182              
183             =head1 NAME
184              
185             Crypt::RSA::ES::OAEP - Plaintext-aware encryption with RSA.
186              
187             =head1 SYNOPSIS
188              
189             my $oaep = new Crypt::RSA::ES::OAEP;
190              
191             my $ct = $oaep->encrypt( Key => $key, Message => $message ) ||
192             die $oaep->errstr;
193              
194             my $pt = $oaep->decrypt( Key => $key, Cyphertext => $ct ) ||
195             die $oaep->errstr;
196              
197             =head1 DESCRIPTION
198              
199             This module implements Optimal Asymmetric Encryption, a plaintext-aware
200             encryption scheme based on RSA. The notion of plaintext-aware implies it's
201             computationally infeasible to obtain full or partial information about a
202             message from a cyphertext, and computationally infeasible to generate a
203             valid cyphertext without knowing the corresponding message.
204             Plaintext-aware schemes, such as OAEP, are semantically secure,
205             non-malleable and secure against chosen-ciphertext attack. For more
206             information on OAEP and plaintext-aware encryption, see [3], [9] & [13].
207              
208             =head1 METHODS
209              
210             =head2 B
211              
212             Constructor.
213              
214             =head2 B
215              
216             Returns the version number of the module.
217              
218             =head2 B
219              
220             Encrypts a string with a public key and returns the encrypted string
221             on success. encrypt() takes a hash argument with the following
222             mandatory keys:
223              
224             =over 4
225              
226             =item B
227              
228             A string to be encrypted. The length of this string should not exceed k-42
229             octets, where k is the octet length of the RSA modulus. If Message is
230             longer than k-42, the method will fail and set $self->errstr to "Message
231             too long." This means the key must be at least _336_ bits long if you are
232             to use OAEP.
233              
234             =item B
235              
236             Public key of the recipient, a Crypt::RSA::Key::Public object.
237              
238             =back
239              
240             =head2 B
241              
242             Decrypts cyphertext with a private key and returns plaintext on
243             success. $self->errstr is set to "Decryption Error." or appropriate
244             error on failure. decrypt() takes a hash argument with the following
245             mandatory keys:
246              
247             =over 4
248              
249             =item B
250              
251             A string encrypted with encrypt(). The length of the cyphertext must be k
252             octets, where k is the length of the RSA modulus.
253              
254             =item B
255              
256             Private key of the receiver, a Crypt::RSA::Key::Private object.
257              
258             =item B
259              
260             Version of the module that was used for creating the Cyphertext. This is
261             an optional argument. When present, decrypt() will ensure before
262             proceeding that the installed version of the module can successfully
263             decrypt the Cyphertext.
264              
265             =back
266              
267             =head1 ERROR HANDLING
268              
269             See ERROR HANDLING in Crypt::RSA(3) manpage.
270              
271             =head1 BIBLIOGRAPHY
272              
273             See BIBLIOGRAPHY in Crypt::RSA(3) manpage.
274              
275             =head1 AUTHOR
276              
277             Vipul Ved Prakash, Email@vipul.netE
278              
279             =head1 SEE ALSO
280              
281             Crypt::RSA(3), Crypt::RSA::Primitives(3), Crypt::RSA::Keys(3),
282             Crypt::RSA::SSA::PSS(3)
283              
284             =cut
285              
286