LibCrypto: Add OAEP

Tests/LibCrypto/CMakeLists.txt

@@ -11,6 +11,7 @@ set(TEST_SOURCES
     TestHash.cpp
     TestHMAC.cpp
     TestMGF.cpp
+    TestOAEP.cpp
     TestPBKDF2.cpp
     TestPoly1305.cpp
     TestRSA.cpp

Tests/LibCrypto/TestOAEP.cpp

@@ -0,0 +1,60 @@
+/*
+ * Copyright (c) 2024, stelar7  <dudedbz@gmail.com>
+ *
+ * SPDX-License-Identifier: BSD-2-Clause
+ */
+
+#include <LibCrypto/Hash/MGF.h>
+#include <LibCrypto/Hash/SHA1.h>
+#include <LibCrypto/Hash/SHA2.h>
+#include <LibCrypto/Padding/OAEP.h>
+#include <LibTest/TestCase.h>
+
+// https://www.inf.pucrs.br/~calazans/graduate/TPVLSI_I/RSA-oaep_spec.pdf
+TEST_CASE(test_oaep)
+{
+    u8 message_raw[16] {
+        0xd4, 0x36, 0xe9, 0x95, 0x69, 0xfd, 0x32, 0xa7, 0xc8, 0xa0, 0x5b, 0xbc, 0x90, 0xd3, 0x2c, 0x49
+    };
+    auto message = ReadonlyBytes { message_raw, 16 };
+
+    u8 params_raw[0] {};
+    auto params = ReadonlyBytes { params_raw, 0 };
+
+    u8 expected_raw[127] {
+        0xeb, 0x7a, 0x19, 0xac, 0xe9, 0xe3, 0x00, 0x63,
+        0x50, 0xe3, 0x29, 0x50, 0x4b, 0x45, 0xe2, 0xca,
+        0x82, 0x31, 0x0b, 0x26, 0xdc, 0xd8, 0x7d, 0x5c,
+        0x68, 0xf1, 0xee, 0xa8, 0xf5, 0x52, 0x67, 0xc3,
+        0x1b, 0x2e, 0x8b, 0xb4, 0x25, 0x1f, 0x84, 0xd7,
+        0xe0, 0xb2, 0xc0, 0x46, 0x26, 0xf5, 0xaf, 0xf9,
+        0x3e, 0xdc, 0xfb, 0x25, 0xc9, 0xc2, 0xb3, 0xff,
+        0x8a, 0xe1, 0x0e, 0x83, 0x9a, 0x2d, 0xdb, 0x4c,
+        0xdc, 0xfe, 0x4f, 0xf4, 0x77, 0x28, 0xb4, 0xa1,
+        0xb7, 0xc1, 0x36, 0x2b, 0xaa, 0xd2, 0x9a, 0xb4,
+        0x8d, 0x28, 0x69, 0xd5, 0x02, 0x41, 0x21, 0x43,
+        0x58, 0x11, 0x59, 0x1b, 0xe3, 0x92, 0xf9, 0x82,
+        0xfb, 0x3e, 0x87, 0xd0, 0x95, 0xae, 0xb4, 0x04,
+        0x48, 0xdb, 0x97, 0x2f, 0x3a, 0xc1, 0x4f, 0x7b,
+        0xc2, 0x75, 0x19, 0x52, 0x81, 0xce, 0x32, 0xd2,
+        0xf1, 0xb7, 0x6d, 0x4d, 0x35, 0x3e, 0x2d
+    };
+    auto expected = ReadonlyBytes { expected_raw, 127 };
+
+    u8 seed_data[20] {
+        0xaa, 0xfd, 0x12, 0xf6, 0x59, 0xca, 0xe6, 0x34,
+        0x89, 0xb4, 0x79, 0xe5, 0x07, 0x6d, 0xde, 0xc2,
+        0xf0, 0x6c, 0xb5, 0x8f
+    };
+
+    auto maybe_result = Crypto::Padding::OAEP::encode<Crypto::Hash::SHA1, Crypto::Hash::MGF>(
+        message,
+        params,
+        127,
+        [&](auto buffer) {
+            memcpy(buffer.data(), seed_data, 20);
+        });
+    auto result = maybe_result.release_value();
+
+    EXPECT_EQ(expected, result);
+}

Userland/Libraries/LibCrypto/Padding/OAEP.h

@@ -0,0 +1,78 @@
+/*
+ * Copyright (c) 2024, stelar7 <dudedbz@gmail.com>
+ *
+ * SPDX-License-Identifier: BSD-2-Clause
+ */
+
+#pragma once
+
+#include <AK/ByteBuffer.h>
+#include <AK/ByteReader.h>
+#include <AK/Endian.h>
+#include <AK/Function.h>
+#include <AK/Random.h>
+#include <LibCrypto/BigInt/UnsignedBigInteger.h>
+
+namespace Crypto::Padding {
+
+// https://datatracker.ietf.org/doc/html/rfc2437#section-9.1.1
+class OAEP {
+public:
+    // https://datatracker.ietf.org/doc/html/rfc2437#section-9.1.1.1
+    template<typename HashFunction, typename MaskGenerationFunction>
+    static ErrorOr<ByteBuffer> encode(ReadonlyBytes message, ReadonlyBytes parameters, size_t length, Function<void(Bytes)> seed_function = fill_with_random)
+    {
+        // FIXME: 1. If the length of P is greater than the input limitation for the
+        // hash function (2^61-1 octets for SHA-1) then output "parameter string
+        // too long" and stop.
+
+        // 2. If ||M|| > emLen - 2hLen - 1 then output "message too long" and stop.
+        auto h_len = HashFunction::digest_size();
+        auto max_message_size = length - (2 * h_len) - 1;
+        if (message.size() > max_message_size)
+            return Error::from_string_view("message too long"sv);
+
+        // 3. Generate an octet string PS consisting of emLen-||M||-2hLen-1 zero octets. The length of PS may be 0.
+        auto padding_size = length - message.size() - (2 * h_len) - 1;
+        auto ps = TRY(ByteBuffer::create_zeroed(padding_size));
+
+        // 4. Let pHash = Hash(P), an octet string of length hLen.
+        HashFunction hash;
+        hash.update(parameters);
+        auto digest = hash.digest();
+        auto p_hash = digest.bytes();
+
+        // 5. Concatenate pHash, PS, the message M, and other padding to form a data block DB as: DB = pHash || PS || 01 || M
+        auto db = TRY(ByteBuffer::create_uninitialized(0));
+        TRY(db.try_append(p_hash));
+        TRY(db.try_append(ps.bytes()));
+        TRY(db.try_append(0x01));
+        TRY(db.try_append(message));
+
+        // 6. Generate a random octet string seed of length hLen.
+        auto seed = TRY(ByteBuffer::create_uninitialized(h_len));
+        seed_function(seed);
+
+        // 7. Let dbMask = MGF(seed, emLen-hLen).
+        auto db_mask = TRY(MaskGenerationFunction::template mgf1<HashFunction>(seed, length - h_len));
+
+        // 8. Let maskedDB = DB \xor dbMask.
+        auto masked_db = TRY(ByteBuffer::xor_buffers(db, db_mask));
+
+        // 9. Let seedMask = MGF(maskedDB, hLen).
+        auto seed_mask = TRY(MaskGenerationFunction::template mgf1<HashFunction>(masked_db, h_len));
+
+        // 10. Let maskedSeed = seed \xor seedMask.
+        auto masked_seed = TRY(ByteBuffer::xor_buffers(seed, seed_mask));
+
+        // 11. Let EM = maskedSeed || maskedDB.
+        auto em = TRY(ByteBuffer::create_uninitialized(0));
+        TRY(em.try_append(masked_seed));
+        TRY(em.try_append(masked_db));
+
+        // 12. Output EM.
+        return em;
+    }
+};
+
+}