X.509 (raw) RSA

The X.509 (raw) RSA mechanism, denoted CKM_RSA_X_509, is a multi-purpose mechanism based on the RSA public-key cryptosystem. It supports single-part encryption and decryption; single-part signatures and verification with and without message recovery; key wrapping; and key unwrapping. All these operations are based on so-called "raw" RSA, as assumed in X.509.

"Raw" RSA as defined here encrypts a byte string by converting it to an integer, most-significant byte first, applying "raw" RSA exponentiation, and converting the result to a byte string, most-significant byte first. The input string, considered as an integer, must be less than the modulus; the output string is also less than the modulus.

This mechanism does not have a parameter.

This mechanism can wrap and unwrap any secret key of appropriate length. Of course, a particular token may not be able to wrap/unwrap every appropriate-length secret key that it supports. For wrapping, the "input" to the encryption operation is the value of the CKA_VALUE attribute of the key that is wrapped; similarly for unwrapping. The mechanism does not wrap the key type, key length, or any other information about the key; the application must convey these separately, and supply them when unwrapping the key.

Unfortunately, X.509 does not specify how to perform padding for RSA encryption. For this mechanism, padding should be performed by prepending plaintext data with 0-valued bytes. In effect, to encrypt the sequence of plaintext bytes b₁ b₂ ... b_n (n <= k), Cryptoki forms P=2^n-1b₁+2^n-2b₂+...+b_n. This number must be less than the RSA modulus. The k -byte ciphertext (k is the length in bytes of the RSA modulus) is produced by raising P to the RSA public exponent modulo the RSA modulus. Decryption of a k -byte ciphertext C is accomplished by raising C to the RSA private exponent modulo the RSA modulus, and returning the resulting value as a sequence of exactly k bytes. If the resulting plaintext is to be used to produce an unwrapped key, then however many bytes are specified in the template for the length of the key are taken from the end of this sequence of bytes.

Technically, the above procedures may differ very slightly from certain details of what is specified in X.509.

Executing cryptographic operations using this mechanism can result in the error returns CKR_DATA_INVALID (if plaintext is supplied which has the same length as the RSA modulus and is numerically at least as large as the modulus) and CKR_ENCRYPTED_DATA_INVALID (if ciphertext is supplied which has the same length as the RSA modulus and is numerically at least as large as the modulus).

Constraints on key types and the length of input and output data are summarized in the following table. In the table, k is the length in bytes of the RSA modulus.

Table 61, X.509 (Raw) RSA: Key And Data Length
Function Key type Input length Output length

C_Encrypt¹ RSA public key <= k k

C_Decrypt¹ RSA private key k k

C_Sign¹ RSA private key <= k k

C_SignRecover RSA private key <= k k

C_Verify¹ RSA public key <= k, k ² N/A

C_VerifyRecover RSA public key k k

C_WrapKey RSA public key <= k k

C_UnwrapKey RSA private key k <= k (specified in template)

¹ Single-part operations only.

² Data length, signature length.

For this mechanism, the ulMinKeySize and ulMaxKeySize fields of the CK_MECHANISM_INFO structure specify the supported range of RSA modulus sizes, in bits.

This mechanism is intended for compatibility with applications that do not follow the PKCS #1 or ISO/IEC 9796 block formats.

RSA Security Inc. Public-Key Cryptography Standards - PKCS#11 - v210

Function	Key type	Input length	Output length
C_Encrypt¹	RSA public key	<= k	k
C_Decrypt¹	RSA private key	k	k
C_Sign¹	RSA private key	<= k	k
C_SignRecover	RSA private key	<= k	k
C_Verify¹	RSA public key	<= k, k ²	N/A
C_VerifyRecover	RSA public key	k	k
C_WrapKey	RSA public key	<= k	k
C_UnwrapKey	RSA private key	k	<= k (specified in template)