rsa: Allocate public key on the stack in one-shot verification.

Author: briansmith

src/arithmetic/bigint.rs

@@ -40,7 +40,7 @@
 use crate::polyfill::prelude::*;
 
 use self::boxed_limbs::BoxedLimbs;
-use super::{montgomery::*, LimbSliceError};
+use super::{montgomery::*, LimbSliceError, MAX_LIMBS};
 use crate::{
     error::{self, LenMismatchError},
     limb::{self, Limb},
@@ -54,6 +54,7 @@ pub(crate) use {
         },
         exp::elem_exp_consttime,
         modulus::{BoxedIntoMont, IntoMont, Mont, One},
+        oversized_uninit::OversizedUninit,
         private_exponent::PrivateExponent,
     },
     super::exp_vartime::elem_exp_vartime,
@@ -63,6 +64,7 @@ mod boxed_limbs;
 mod elem;
 mod exp;
 pub mod modulus;
+mod oversized_uninit;
 mod private_exponent;
 
 pub trait PublicModulus {}

src/arithmetic/bigint/modulus/mont.rs

@@ -19,7 +19,7 @@ use super::{
     super::{
         super::montgomery::{limbs_square_mont, Unencoded, RR, RRR},
         modulus::value::Value,
-        unwrap_impossible_limb_slice_error, Elem, One, PublicModulus, Uninit, N0,
+        unwrap_impossible_limb_slice_error, Elem, One, OversizedUninit, PublicModulus, Uninit, N0,
     },
     ValidatedInput,
 };
@@ -106,6 +106,15 @@ impl ValidatedInput<'_> {
         }
     }
 
+    pub(crate) fn build_into_mont<'o, M>(
+        &self,
+        uninit: &'o mut OversizedUninit<2>,
+        cpu: cpu::Features,
+    ) -> IntoMont<'o, M, RR> {
+        self.write_into_mont(&mut uninit.as_uninit().into_cursor(), cpu)
+            .unwrap_or_else(|LenMismatchError { .. }| unreachable!())
+    }
+
     fn write_into_mont<'o, M>(
         &self,
         out: &mut Cursor<'o, Limb>,

src/arithmetic/bigint/oversized_uninit.rs

@@ -0,0 +1,34 @@
+// Copyright 2025 Brian Smith.
+//
+// Permission to use, copy, modify, and/or distribute this software for any
+// purpose with or without fee is hereby granted, provided that the above
+// copyright notice and this permission notice appear in all copies.
+//
+// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+// SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+// OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+// CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+#[allow(unused_imports)]
+use crate::polyfill::prelude::*;
+
+use super::{Limb, MAX_LIMBS};
+use crate::polyfill;
+use core::mem::MaybeUninit;
+
+/// A buffer that has enough space to hold `N` values of the maximum size,
+/// hiding the representation of values from the user.
+pub struct OversizedUninit<const N: usize>([[MaybeUninit<Limb>; MAX_LIMBS]; N]);
+
+impl<const N: usize> OversizedUninit<N> {
+    pub fn new() -> Self {
+        Self(unsafe { MaybeUninit::uninit().assume_init() })
+    }
+
+    pub(super) fn as_uninit(&mut self) -> polyfill::slice::Uninit<'_, Limb> {
+        self.0.as_flattened_mut().into()
+    }
+}

src/rsa/base/mod.rs

@@ -16,6 +16,4 @@ mod public_exponent;
 pub(super) mod public_key;
 mod public_modulus;
 
-pub(super) use self::{
-    public_exponent::PublicExponent, public_key::PublicKey, public_modulus::PublicModulus,
-};
+pub(super) use self::{public_exponent::PublicExponent, public_modulus::PublicModulus};

src/rsa/base/public_key.rs

@@ -16,13 +16,17 @@ use super::{
     super::{PublicKeyComponents, N, PUBLIC_KEY_PUBLIC_MODULUS_MAX_LEN},
     public_modulus, PublicExponent, PublicModulus,
 };
-use crate::{arithmetic::bigint, bits, cpu, error, limb::LIMB_BYTES};
+use crate::{
+    arithmetic::{bigint, montgomery::RR},
+    bits, cpu, error,
+    limb::LIMB_BYTES,
+};
 use core::num::NonZeroU64;
 
 /// An RSA Public Key.
 #[derive(Clone)]
-pub(crate) struct PublicKey {
-    n: PublicModulus,
+pub(crate) struct PublicKey<S> {
+    n: PublicModulus<S>,
     e: PublicExponent,
 }
 
@@ -70,18 +74,41 @@ impl<'a> ValidatedInput<'a> {
         self.e_input
     }
 
-    pub(in super::super) fn build(&self, cpu_features: cpu::Features) -> PublicKey {
+    pub(in super::super) fn build_boxed(
+        &self,
+        cpu: cpu::Features,
+    ) -> PublicKey<bigint::BoxedIntoMont<N, RR>> {
+        PublicKey {
+            n: self.n.build_boxed_into_mont(cpu),
+            e: self.e,
+        }
+    }
+
+    pub(in super::super) fn build<'o>(
+        &self,
+        out: &'o mut bigint::OversizedUninit<2>,
+        cpu: cpu::Features,
+    ) -> PublicKey<bigint::IntoMont<'o, N, RR>> {
+        PublicKey {
+            n: self.n.build(out, cpu),
+            e: self.e,
+        }
+    }
+}
+
+impl PublicKey<bigint::BoxedIntoMont<N, RR>> {
+    pub fn reborrow(&self) -> PublicKey<bigint::IntoMont<'_, N, RR>> {
         PublicKey {
-            n: self.n.build(cpu_features),
+            n: self.n.reborrow(),
             e: self.e,
         }
     }
 }
 
-impl PublicKey {
+impl PublicKey<bigint::IntoMont<'_, N, RR>> {
     /// The public modulus.
     #[inline]
-    pub(in super::super) fn n(&self) -> &PublicModulus {
+    pub(in super::super) fn n(&self) -> &PublicModulus<bigint::IntoMont<'_, N, RR>> {
         &self.n
     }
 

src/rsa/base/public_modulus.rs

@@ -9,8 +9,8 @@ use core::ops::RangeInclusive;
 
 /// The modulus (n) of an RSA public key.
 #[derive(Clone)]
-pub struct PublicModulus {
-    value: bigint::BoxedIntoMont<N, RR>,
+pub struct PublicModulus<S> {
+    value: S,
 }
 
 /*
@@ -68,27 +68,48 @@ impl<'a> ValidatedInput<'a> {
         self.input.len_bits()
     }
 
-    pub(super) fn build(&self, cpu_features: cpu::Features) -> PublicModulus {
+    pub(super) fn build_boxed_into_mont(
+        &self,
+        cpu_features: cpu::Features,
+    ) -> PublicModulus<bigint::BoxedIntoMont<N, RR>> {
         PublicModulus {
             value: self.input.build_boxed_into_mont(cpu_features),
         }
     }
+
+    pub(super) fn build<'o>(
+        &self,
+        out: &'o mut bigint::OversizedUninit<2>,
+        cpu_features: cpu::Features,
+    ) -> PublicModulus<bigint::IntoMont<'o, N, RR>> {
+        PublicModulus {
+            value: self.input.build_into_mont(out, cpu_features),
+        }
+    }
+}
+
+impl PublicModulus<bigint::BoxedIntoMont<N, RR>> {
+    pub fn reborrow(&self) -> PublicModulus<bigint::IntoMont<'_, N, RR>> {
+        PublicModulus {
+            value: self.value.reborrow(),
+        }
+    }
 }
 
-impl PublicModulus {
+impl PublicModulus<bigint::IntoMont<'_, N, RR>> {
     /// The big-endian encoding of the modulus.
     ///
     /// There are no leading zeros.
     pub fn be_bytes(&self) -> impl ExactSizeIterator<Item = u8> + Clone + '_ {
-        self.value.reborrow().be_bytes()
+        self.value.be_bytes()
     }
 
     /// The length of the modulus in bits.
     pub fn len_bits(&self) -> bits::BitLength {
-        self.value.reborrow().len_bits()
+        self.value.len_bits()
     }
 
-    pub(in super::super) fn value(&self) -> bigint::IntoMont<'_, N, RR> {
-        self.value.reborrow()
+    pub(in super::super) fn value(&self) -> &bigint::IntoMont<'_, N, RR> {
+        &self.value
     }
 }

src/rsa/keypair.rs

@@ -330,7 +330,8 @@ impl KeyPair {
         // checking p * q == 0 (mod n) is equivalent to checking p * q == n.
         let public_key = PublicKey::new(public_key, cpu_features)?;
 
-        let n = &public_key.inner().n().value();
+        let borrowed_public_key = public_key.inner();
+        let n = borrowed_public_key.n().value();
         let nm = &n.modulus(cpu_features);
 
         let q = q.build(cpu_features);
@@ -607,7 +608,8 @@ impl KeyPair {
         // RFC 8017 Section 5.1.2: RSADP, using the Chinese Remainder Theorem
         // with Garner's algorithm.
 
-        let n = &self.public.inner().n().value();
+        let borrowed_public = self.public.inner();
+        let n = borrowed_public.n().value();
         let nm = &n.modulus(cpu_features);
 
         // Step 1. The value zero is also rejected.

src/rsa/public_key.rs

@@ -12,8 +12,9 @@
 // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
-use super::base;
+use super::{base, N};
 use crate::{
+    arithmetic::{bigint, montgomery::RR},
     cpu, error,
     io::{self, der, der_writer},
 };
@@ -24,7 +25,7 @@ pub(super) use base::public_key::ValidatedInput;
 /// An RSA Public Key.
 #[derive(Clone)]
 pub struct PublicKey {
-    inner: base::PublicKey,
+    inner: base::public_key::PublicKey<bigint::BoxedIntoMont<N, RR>>,
     serialized: Box<[u8]>,
 }
 
@@ -35,7 +36,7 @@ impl PublicKey {
         input: ValidatedInput<'_>,
         cpu_features: cpu::Features,
     ) -> Result<Self, error::KeyRejected> {
-        let inner = input.build(cpu_features);
+        let inner = input.build_boxed(cpu_features);
 
         let n_bytes = input.n().input();
         let e_bytes = input.e_input();
@@ -62,11 +63,15 @@ impl PublicKey {
     /// The modulus length is rounded up to a whole number of bytes if its
     /// bit length isn't a multiple of 8.
     pub fn modulus_len(&self) -> usize {
-        self.inner.n().len_bits().as_usize_bytes_rounded_up()
+        self.inner
+            .reborrow()
+            .n()
+            .len_bits()
+            .as_usize_bytes_rounded_up()
     }
 
-    pub(super) fn inner(&self) -> &base::PublicKey {
-        &self.inner
+    pub(super) fn inner(&self) -> base::public_key::PublicKey<bigint::IntoMont<'_, N, RR>> {
+        self.inner.reborrow()
     }
 }
 

src/rsa/verification.rs

@@ -19,6 +19,7 @@ use super::{
     parse_public_key, PublicKeyComponents, RsaParameters, PUBLIC_KEY_PUBLIC_MODULUS_MAX_LEN,
 };
 use crate::{
+    arithmetic::bigint,
     bits::{self, FromByteLen as _},
     cpu, digest,
     error::{self, InputTooLongError},
@@ -207,7 +208,8 @@ fn verify(
     // exponent value is 2**16 + 1, but it isn't clear if this is just for
     // signing or also for verification. We support exponents of 3 and larger
     // for compatibility with other commonly-used crypto libraries.
-    let key = validated.build(cpu_features);
+    let mut out = bigint::OversizedUninit::<2>::new();
+    let key = validated.build(&mut out, cpu_features);
 
     // RFC 8017 Section 5.2.2: RSAVP1.
     let mut decoded = [0u8; PUBLIC_KEY_PUBLIC_MODULUS_MAX_LEN];