From 0994aa91dc221c77abf678b22e0d766294507b4f Mon Sep 17 00:00:00 2001
From: Ali Mohammad Pur <ali.mpfard@gmail.com>
Date: Fri, 15 Mar 2024 08:18:22 +0100
Subject: [PATCH] LibCrypto: Remove unused Crypto::PK::EMSA_PSS class

This is not used, and its implementation is not actually correct
regardless.
---
 Tests/LibCrypto/TestRSA.cpp                   |   7 -
 .../Libraries/LibCrypto/PK/Code/EMSA_PSS.h    | 169 ------------------
 Userland/Libraries/LibCrypto/PK/RSA.cpp       |  33 ----
 Userland/Libraries/LibCrypto/PK/RSA.h         |  20 ---
 Userland/Libraries/LibTLS/Handshake.cpp       |   1 -
 .../Libraries/LibTLS/HandshakeCertificate.cpp |   1 -
 Userland/Libraries/LibTLS/HandshakeClient.cpp |   1 -
 Userland/Libraries/LibTLS/HandshakeServer.cpp |   1 -
 Userland/Libraries/LibTLS/Record.cpp          |   1 -
 Userland/Libraries/LibTLS/Socket.cpp          |   1 -
 Userland/Libraries/LibTLS/TLSv12.cpp          |   1 -
 11 files changed, 236 deletions(-)
 delete mode 100644 Userland/Libraries/LibCrypto/PK/Code/EMSA_PSS.h

diff --git a/Tests/LibCrypto/TestRSA.cpp b/Tests/LibCrypto/TestRSA.cpp
index 322f03cfcf..27b1ae048d 100644
--- a/Tests/LibCrypto/TestRSA.cpp
+++ b/Tests/LibCrypto/TestRSA.cpp
@@ -161,10 +161,3 @@ TEST_CASE(test_RSA_encrypt_decrypt)
 
     EXPECT(memcmp(enc.data(), "WellHelloFriendsWellHelloFriendsWellHelloFriendsWellHelloFriends", 64) == 0);
 }
-
-TEST_CASE(test_RSA_EMSA_PSS_construction)
-{
-    // This is a template validity test
-    Crypto::PK::RSA rsa;
-    Crypto::PK::RSA_EMSA_PSS<Crypto::Hash::SHA256> rsa_esma_pss(rsa);
-}
diff --git a/Userland/Libraries/LibCrypto/PK/Code/EMSA_PSS.h b/Userland/Libraries/LibCrypto/PK/Code/EMSA_PSS.h
deleted file mode 100644
index 980c9d11cb..0000000000
--- a/Userland/Libraries/LibCrypto/PK/Code/EMSA_PSS.h
+++ /dev/null
@@ -1,169 +0,0 @@
-/*
- * Copyright (c) 2020, Ali Mohammad Pur <mpfard@serenityos.org>
- *
- * SPDX-License-Identifier: BSD-2-Clause
- */
-
-#pragma once
-
-#include <AK/Array.h>
-#include <AK/Format.h>
-#include <AK/Memory.h>
-#include <AK/Random.h>
-#include <AK/Vector.h>
-#include <LibCrypto/PK/Code/Code.h>
-
-namespace Crypto::PK {
-
-template<typename HashFunction, size_t SaltSize>
-class EMSA_PSS : public Code<HashFunction> {
-public:
-    template<typename... Args>
-    EMSA_PSS(Args... args)
-        : Code<HashFunction>(args...)
-    {
-        m_buffer = Bytes { m_data_buffer, sizeof(m_data_buffer) };
-    }
-
-    static constexpr auto SaltLength = SaltSize;
-
-    virtual void encode(ReadonlyBytes in, ByteBuffer& out, size_t em_bits) override
-    {
-        // FIXME: we're supposed to check if in.size() > HashFunction::input_limitation
-        //        however, all of our current hash functions can hash unlimited blocks
-        auto& hash_fn = this->hasher();
-        hash_fn.update(in);
-        auto message_hash = hash_fn.digest();
-        constexpr auto hash_length = HashFunction::DigestSize;
-        auto em_length = (em_bits + 7) / 8;
-        u8 salt[SaltLength];
-
-        fill_with_random(salt);
-
-        if (em_length < hash_length + SaltLength + 2) {
-            dbgln("Ooops...encoding error");
-            return;
-        }
-
-        constexpr Array<u8, 8> zeros {};
-
-        m_buffer.overwrite(0, zeros.data(), 8);
-        m_buffer.overwrite(8, message_hash.data, HashFunction::DigestSize);
-        m_buffer.overwrite(8 + HashFunction::DigestSize, salt, SaltLength);
-
-        hash_fn.update(m_buffer);
-        auto hash = hash_fn.digest();
-
-        Vector<u8, 256> DB_data;
-        DB_data.resize(em_length - HashFunction::DigestSize - 1);
-        Bytes DB = DB_data;
-        auto DB_offset = 0;
-
-        for (size_t i = 0; i < em_length - SaltLength - HashFunction::DigestSize - 2; ++i)
-            DB[DB_offset++] = 0;
-
-        DB[DB_offset++] = 0x01;
-
-        DB.overwrite(DB_offset, salt, SaltLength);
-
-        auto mask_length = em_length - HashFunction::DigestSize - 1;
-
-        Vector<u8, 256> DB_mask;
-        DB_mask.resize(mask_length);
-        Bytes DB_mask_buffer { DB_mask };
-        // FIXME: we should probably allow reading from u8*
-        MGF1(ReadonlyBytes { hash.data, HashFunction::DigestSize }, mask_length, DB_mask_buffer);
-
-        for (size_t i = 0; i < DB.size(); ++i)
-            DB_data[i] ^= DB_mask[i];
-
-        auto count = (8 - (em_length * 8 - em_bits));
-        DB_data[0] &= (0xff >> count) << count;
-
-        out.overwrite(0, DB.data(), DB.size());
-        out.overwrite(DB.size(), hash.data, hash_fn.DigestSize);
-        out[DB.size() + hash_fn.DigestSize] = 0xbc;
-    }
-
-    virtual VerificationConsistency verify(ReadonlyBytes msg, ReadonlyBytes emsg, size_t em_bits) override
-    {
-        auto& hash_fn = this->hasher();
-        hash_fn.update(msg);
-        auto message_hash = hash_fn.digest();
-
-        if (emsg.size() < HashFunction::DigestSize + SaltLength + 2)
-            return VerificationConsistency::Inconsistent;
-
-        if (emsg[emsg.size() - 1] != 0xbc)
-            return VerificationConsistency::Inconsistent;
-
-        auto mask_length = emsg.size() - HashFunction::DigestSize - 1;
-        auto masked_DB = emsg.slice(0, mask_length);
-        auto H = emsg.slice(mask_length, HashFunction::DigestSize);
-
-        auto length_to_check = 8 * emsg.size() - em_bits;
-        auto octet = masked_DB[0];
-        for (size_t i = 0; i < length_to_check; ++i)
-            if ((octet >> (8 - i)) & 0x01)
-                return VerificationConsistency::Inconsistent;
-
-        Vector<u8, 256> DB_mask;
-        DB_mask.resize(mask_length);
-        Bytes DB_mask_buffer { DB_mask };
-        MGF1(H, mask_length, DB_mask_buffer);
-
-        Vector<u8, 256> DB;
-        DB.resize(mask_length);
-
-        for (size_t i = 0; i < mask_length; ++i)
-            DB[i] = masked_DB[i] ^ DB_mask[i];
-
-        DB[0] &= 0xff >> (8 - length_to_check);
-
-        auto check_octets = emsg.size() - HashFunction::DigestSize - SaltLength - 2;
-        for (size_t i = 0; i < check_octets; ++i) {
-            if (DB[i])
-                return VerificationConsistency::Inconsistent;
-        }
-
-        if (DB[check_octets + 1] != 0x01)
-            return VerificationConsistency::Inconsistent;
-
-        auto* salt = DB.span().offset(mask_length - SaltLength);
-        u8 m_prime[8 + HashFunction::DigestSize + SaltLength] { 0 };
-
-        auto m_prime_buffer = Bytes { m_prime, sizeof(m_prime) };
-
-        m_prime_buffer.overwrite(8, message_hash.data, HashFunction::DigestSize);
-        m_prime_buffer.overwrite(8 + HashFunction::DigestSize, salt, SaltLength);
-
-        hash_fn.update(m_prime_buffer);
-        auto H_prime = hash_fn.digest();
-
-        if (!timing_safe_compare(message_hash.data, H_prime.data, HashFunction::DigestSize))
-            return VerificationConsistency::Inconsistent;
-
-        return VerificationConsistency::Consistent;
-    }
-
-    void MGF1(ReadonlyBytes seed, size_t length, Bytes out)
-    {
-        auto& hash_fn = this->hasher();
-        ByteBuffer T;
-        for (size_t counter = 0; counter < length / HashFunction::DigestSize - 1; ++counter) {
-            hash_fn.update(seed);
-            hash_fn.update((u8*)&counter, 4);
-            if (auto result = T.try_append(hash_fn.digest().data, HashFunction::DigestSize); result.is_error()) {
-                dbgln("EMSA_PSS: MGF1 digest failed: {}", result.error());
-                return;
-            }
-        }
-        out.overwrite(0, T.data(), length);
-    }
-
-private:
-    u8 m_data_buffer[8 + HashFunction::DigestSize + SaltLength];
-    Bytes m_buffer;
-};
-
-}
diff --git a/Userland/Libraries/LibCrypto/PK/RSA.cpp b/Userland/Libraries/LibCrypto/PK/RSA.cpp
index e033b1c038..120f87c26e 100644
--- a/Userland/Libraries/LibCrypto/PK/RSA.cpp
+++ b/Userland/Libraries/LibCrypto/PK/RSA.cpp
@@ -295,39 +295,6 @@ void RSA::import_public_key(ReadonlyBytes bytes, bool pem)
     m_public_key = key.public_key;
 }
 
-template<typename HashFunction>
-void RSA_EMSA_PSS<HashFunction>::sign(ReadonlyBytes in, Bytes& out)
-{
-    // -- encode via EMSA_PSS
-    auto mod_bits = m_rsa.private_key().modulus().trimmed_length() * sizeof(u32) * 8;
-
-    Vector<u8, 2048> EM;
-    EM.resize(mod_bits);
-    auto EM_buf = Bytes { EM };
-    m_emsa_pss.encode(in, EM_buf, mod_bits - 1);
-
-    // -- sign via RSA
-    m_rsa.sign(EM_buf, out);
-}
-
-template<typename HashFunction>
-VerificationConsistency RSA_EMSA_PSS<HashFunction>::verify(ReadonlyBytes in)
-{
-    auto mod_bytes = m_rsa.public_key().modulus().trimmed_length() * sizeof(u32);
-    if (in.size() != mod_bytes)
-        return VerificationConsistency::Inconsistent;
-
-    Vector<u8, 256> EM;
-    EM.resize(mod_bytes);
-    auto EM_buf = Bytes { EM };
-
-    // -- verify via RSA
-    m_rsa.verify(in, EM_buf);
-
-    // -- verify via EMSA_PSS
-    return m_emsa_pss.verify(in, EM, mod_bytes * 8 - 1);
-}
-
 void RSA_PKCS1_EME::encrypt(ReadonlyBytes in, Bytes& out)
 {
     auto mod_len = (m_public_key.modulus().trimmed_length() * sizeof(u32) * 8 + 7) / 8;
diff --git a/Userland/Libraries/LibCrypto/PK/RSA.h b/Userland/Libraries/LibCrypto/PK/RSA.h
index 242cfa2ebf..584e00e2ff 100644
--- a/Userland/Libraries/LibCrypto/PK/RSA.h
+++ b/Userland/Libraries/LibCrypto/PK/RSA.h
@@ -11,7 +11,6 @@
 #include <LibCrypto/ASN1/DER.h>
 #include <LibCrypto/BigInt/UnsignedBigInteger.h>
 #include <LibCrypto/NumberTheory/ModularFunctions.h>
-#include <LibCrypto/PK/Code/EMSA_PSS.h>
 #include <LibCrypto/PK/PK.h>
 
 namespace Crypto::PK {
@@ -142,9 +141,6 @@ struct RSAKeyPair {
 
 using IntegerType = UnsignedBigInteger;
 class RSA : public PKSystem<RSAPrivateKey<IntegerType>, RSAPublicKey<IntegerType>> {
-    template<typename T>
-    friend class RSA_EMSA_PSS;
-
 public:
     using KeyPairType = RSAKeyPair<PublicKeyType, PrivateKeyType>;
 
@@ -229,22 +225,6 @@ public:
     PublicKeyType const& public_key() const { return m_public_key; }
 };
 
-template<typename HashFunction>
-class RSA_EMSA_PSS {
-public:
-    RSA_EMSA_PSS(RSA& rsa)
-        : m_rsa(rsa)
-    {
-    }
-
-    void sign(ReadonlyBytes in, Bytes& out);
-    VerificationConsistency verify(ReadonlyBytes in);
-
-private:
-    EMSA_PSS<HashFunction, HashFunction::DigestSize> m_emsa_pss;
-    RSA m_rsa;
-};
-
 class RSA_PKCS1_EME : public RSA {
 public:
     // forward all constructions to RSA
diff --git a/Userland/Libraries/LibTLS/Handshake.cpp b/Userland/Libraries/LibTLS/Handshake.cpp
index c9cea5ba5f..72f5993d96 100644
--- a/Userland/Libraries/LibTLS/Handshake.cpp
+++ b/Userland/Libraries/LibTLS/Handshake.cpp
@@ -11,7 +11,6 @@
 
 #include <LibCore/Timer.h>
 #include <LibCrypto/ASN1/DER.h>
-#include <LibCrypto/PK/Code/EMSA_PSS.h>
 #include <LibTLS/TLSv12.h>
 
 namespace TLS {
diff --git a/Userland/Libraries/LibTLS/HandshakeCertificate.cpp b/Userland/Libraries/LibTLS/HandshakeCertificate.cpp
index c59740e38b..8c79e4afc8 100644
--- a/Userland/Libraries/LibTLS/HandshakeCertificate.cpp
+++ b/Userland/Libraries/LibTLS/HandshakeCertificate.cpp
@@ -10,7 +10,6 @@
 
 #include <LibCore/Timer.h>
 #include <LibCrypto/ASN1/DER.h>
-#include <LibCrypto/PK/Code/EMSA_PSS.h>
 #include <LibTLS/TLSv12.h>
 
 namespace TLS {
diff --git a/Userland/Libraries/LibTLS/HandshakeClient.cpp b/Userland/Libraries/LibTLS/HandshakeClient.cpp
index 1092aa5d53..50ccb4d196 100644
--- a/Userland/Libraries/LibTLS/HandshakeClient.cpp
+++ b/Userland/Libraries/LibTLS/HandshakeClient.cpp
@@ -11,7 +11,6 @@
 #include <LibCrypto/ASN1/DER.h>
 #include <LibCrypto/BigInt/UnsignedBigInteger.h>
 #include <LibCrypto/NumberTheory/ModularFunctions.h>
-#include <LibCrypto/PK/Code/EMSA_PSS.h>
 #include <LibTLS/TLSv12.h>
 
 namespace TLS {
diff --git a/Userland/Libraries/LibTLS/HandshakeServer.cpp b/Userland/Libraries/LibTLS/HandshakeServer.cpp
index a0b42479ee..4f94b95f46 100644
--- a/Userland/Libraries/LibTLS/HandshakeServer.cpp
+++ b/Userland/Libraries/LibTLS/HandshakeServer.cpp
@@ -17,7 +17,6 @@
 #include <LibCrypto/Curves/X25519.h>
 #include <LibCrypto/Curves/X448.h>
 #include <LibCrypto/PK/Code/EMSA_PKCS1_V1_5.h>
-#include <LibCrypto/PK/Code/EMSA_PSS.h>
 #include <LibTLS/TLSv12.h>
 
 namespace TLS {
diff --git a/Userland/Libraries/LibTLS/Record.cpp b/Userland/Libraries/LibTLS/Record.cpp
index f2b4fcb494..15ce2157e6 100644
--- a/Userland/Libraries/LibTLS/Record.cpp
+++ b/Userland/Libraries/LibTLS/Record.cpp
@@ -9,7 +9,6 @@
 #include <AK/MemoryStream.h>
 #include <LibCore/EventLoop.h>
 #include <LibCore/Timer.h>
-#include <LibCrypto/PK/Code/EMSA_PSS.h>
 #include <LibTLS/TLSv12.h>
 
 namespace TLS {
diff --git a/Userland/Libraries/LibTLS/Socket.cpp b/Userland/Libraries/LibTLS/Socket.cpp
index 88102acffb..0d2e21e362 100644
--- a/Userland/Libraries/LibTLS/Socket.cpp
+++ b/Userland/Libraries/LibTLS/Socket.cpp
@@ -8,7 +8,6 @@
 #include <LibCore/DateTime.h>
 #include <LibCore/EventLoop.h>
 #include <LibCore/Timer.h>
-#include <LibCrypto/PK/Code/EMSA_PSS.h>
 #include <LibTLS/TLSv12.h>
 
 // Each record can hold at most 18432 bytes, leaving some headroom and rounding down to
diff --git a/Userland/Libraries/LibTLS/TLSv12.cpp b/Userland/Libraries/LibTLS/TLSv12.cpp
index dbe32e1fdf..6e4b2cce6b 100644
--- a/Userland/Libraries/LibTLS/TLSv12.cpp
+++ b/Userland/Libraries/LibTLS/TLSv12.cpp
@@ -17,7 +17,6 @@
 #include <LibCrypto/Curves/Ed25519.h>
 #include <LibCrypto/Curves/SECPxxxr1.h>
 #include <LibCrypto/PK/Code/EMSA_PKCS1_V1_5.h>
-#include <LibCrypto/PK/Code/EMSA_PSS.h>
 #include <LibFileSystem/FileSystem.h>
 #include <LibTLS/Certificate.h>
 #include <LibTLS/TLSv12.h>