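package rsa

import (
	"crypto"
	"crypto/rsa"
	"io"

	"github.com/cloudflare/circl/tss/rsa/internal"
	pss2 "github.com/cloudflare/circl/tss/rsa/internal/pss"
)

// Padder encodes a message digest into the byte string that is then signed
// with an RSA key (or, in the threshold setting, with each party's key share).
//
// Pad receives the public key of the signing key pair, the hash function that
// produced hashed, and the digest itself; it returns the encoded message or an
// error.
//
// Every party of a threshold signature must sign exactly the same encoded
// message, so an implementation that consumes randomness (see PSSPadder) must
// obtain that randomness from a source shared by all parties.
type Padder interface {
	Pad(pub *rsa.PublicKey, hash crypto.Hash, hashed []byte) ([]byte, error)
}

// Compile-time checks that both padders satisfy Padder; a drift between the
// interface and an implementation then fails the build instead of surfacing
// at the call site.
var (
	_ Padder = PKCS1v15Padder{}
	_ Padder = (*PSSPadder)(nil)
)

// PKCS1v15Padder implements Padder with the PKCS#1 v1.5 signature encoding.
//
// The encoding takes no randomness (Pad has no entropy source), so all parties
// independently produce the same padded message for the same digest.
type PKCS1v15Padder struct{}

// Pad returns the PKCS#1 v1.5 encoding of hashed for pub. The encoding itself
// is delegated to internal.PadPKCS1v15.
func (PKCS1v15Padder) Pad(pub *rsa.PublicKey, hash crypto.Hash, hashed []byte) ([]byte, error) {
	return internal.PadPKCS1v15(pub, hash, hashed)
}

// PSSPadder is a padder for the RSA Probabilistic Signature Scheme (RSA-PSS)
// used in TLS 1.3.
//
// Note: If the salt length is non-zero, PSS padding is not deterministic.
// TLS 1.3 mandates that the salt length is the same as the hash output length.
// As such, each player cannot pad the message individually, otherwise they
// will produce unique messages and the signature will not be valid. Instead,
// one party should generate a random saltLen byte string. When requesting
// signatures from the rest of the parties they should send along the same
// random string to be used as Rand here.
//
// For TLS, rsa.PSSOptions.SaltLength should be PSSSaltLengthEqualsHash.
type PSSPadder struct {
	// Rand is the source of the salt bytes; see the type comment for why it
	// must be shared among the parties.
	Rand io.Reader
	// Opts is handed to the PSS encoder unchanged.
	// NOTE(review): whether a nil Opts is accepted depends on pss2.PadPSS — confirm.
	Opts *rsa.PSSOptions
}

// Pad returns the PSS encoding of hashed for pub, taking the salt from
// pss.Rand and honoring pss.Opts. The encoding itself is delegated to
// pss2.PadPSS.
func (pss *PSSPadder) Pad(pub *rsa.PublicKey, hash crypto.Hash, hashed []byte) ([]byte, error) {
	return pss2.PadPSS(pss.Rand, pub, hash, hashed, pss.Opts)
}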