/*
* Verify that the public data in an RSA key matches the private
* data. We also check the private data itself: we ensure that p >
* q and that iqmp really is the inverse of q mod p.
*/
bool rsa_verify(RSAKey *key)
{
mp_int *n, *ed, *pm1, *qm1;
unsigned ok = 1;
/* Preliminary checks: p,q must actually be nonzero. */
if (mp_eq_integer(key->p, 0) | mp_eq_integer(key->q, 0))
return false;
/* n must equal pq. */
n = mp_mul(key->p, key->q);
ok &= mp_cmp_eq(n, key->modulus);
mp_free(n);
/* e * d must be congruent to 1, modulo (p-1) and modulo (q-1). */
pm1 = mp_copy(key->p);
mp_sub_integer_into(pm1, pm1, 1);
ed = mp_modmul(key->exponent, key->private_exponent, pm1);
mp_free(pm1);
ok &= mp_eq_integer(ed, 1);
mp_free(ed);
qm1 = mp_copy(key->q);
mp_sub_integer_into(qm1, qm1, 1);
ed = mp_modmul(key->exponent, key->private_exponent, qm1);
mp_free(qm1);
ok &= mp_eq_integer(ed, 1);
mp_free(ed);
/*
* Ensure p > q.
*
* I have seen key blobs in the wild which were generated with
* p < q, so instead of rejecting the key in this case we
* should instead flip them round into the canonical order of
* p > q. This also involves regenerating iqmp.
*/
mp_int *p_new = mp_max(key->p, key->q);
mp_int *q_new = mp_min(key->p, key->q);
mp_free(key->p);
mp_free(key->q);
mp_free(key->iqmp);
key->p = p_new;
key->q = q_new;
key->iqmp = mp_invert(key->q, key->p);
return ok;
}
int min(MINT *a) { return (mp_min(a)); }
