Updating RsaBlindSignatureVerify in crypto_utils to use RSA struct only when verifying even for public metadata signature verification. PiperOrigin-RevId: 546058963

diff --git a/quiche/blind_sign_auth/anonymous_tokens/cpp/crypto/crypto_utils.cc b/quiche/blind_sign_auth/anonymous_tokens/cpp/crypto/crypto_utils.cc
index 1a013bb..656909f 100644
--- a/quiche/blind_sign_auth/anonymous_tokens/cpp/crypto/crypto_utils.cc
+++ b/quiche/blind_sign_auth/anonymous_tokens/cpp/crypto/crypto_utils.cc

@@ -435,18 +435,14 @@
   return new_e;
 }
 
-absl::Status RsaBlindSignatureVerify(
-    const int salt_length, const EVP_MD* sig_hash, const EVP_MD* mgf1_hash,
-    RSA* rsa_public_key, const BIGNUM& rsa_modulus,
-    const BIGNUM& augmented_rsa_e, absl::string_view signature,
-    absl::string_view message,
-    std::optional<absl::string_view> public_metadata) {
-  std::string augmented_message(message);
-  if (public_metadata.has_value()) {
-    augmented_message = EncodeMessagePublicMetadata(message, *public_metadata);
-  }
+absl::Status RsaBlindSignatureVerify(const int salt_length,
+                                     const EVP_MD* sig_hash,
+                                     const EVP_MD* mgf1_hash,
+                                     const absl::string_view signature,
+                                     const absl::string_view message,
+                                     RSA* rsa_public_key) {
   ANON_TOKENS_ASSIGN_OR_RETURN(std::string message_digest,
-                               ComputeHash(augmented_message, *sig_hash));
+                               ComputeHash(message, *sig_hash));
   const int hash_size = EVP_MD_size(sig_hash);
   // Make sure the size of the digest is correct.
   if (message_digest.size() != hash_size) {
@@ -455,50 +451,27 @@
                      "of the hashing algorithm; expected ",
                      hash_size, " got ", message_digest.size()));
   }
-  const int rsa_modulus_size = BN_num_bytes(&rsa_modulus);
+  // Make sure the size of the signature is correct.
+  const int rsa_modulus_size = BN_num_bytes(RSA_get0_n(rsa_public_key));
   if (signature.size() != rsa_modulus_size) {
     return absl::InvalidArgumentError(
         "Signature size not equal to modulus size.");
   }
 
   std::string recovered_message_digest(rsa_modulus_size, 0);
-  if (!public_metadata.has_value()) {
-    int recovered_message_digest_size = RSA_public_decrypt(
-        /*flen=*/signature.size(),
-        /*from=*/reinterpret_cast<const uint8_t*>(signature.data()),
-        /*to=*/
-        reinterpret_cast<uint8_t*>(recovered_message_digest.data()),
-        /*rsa=*/rsa_public_key,
-        /*padding=*/RSA_NO_PADDING);
-    if (recovered_message_digest_size != rsa_modulus_size) {
-      return absl::InvalidArgumentError(
-          absl::StrCat("Invalid signature size (likely an incorrect key is "
-                       "used); expected ",
-                       rsa_modulus_size, " got ", recovered_message_digest_size,
-                       ": ", GetSslErrors()));
-    }
-  } else {
-    ANON_TOKENS_ASSIGN_OR_RETURN(bssl::UniquePtr<BIGNUM> signature_bn,
-                                 StringToBignum(signature));
-    if (BN_ucmp(signature_bn.get(), &rsa_modulus) >= 0) {
-      return absl::InternalError("Data too large for modulus.");
-    }
-    ANON_TOKENS_ASSIGN_OR_RETURN(BnCtxPtr bn_ctx, GetAndStartBigNumCtx());
-    bssl::UniquePtr<BN_MONT_CTX> bn_mont_ctx(
-        BN_MONT_CTX_new_for_modulus(&rsa_modulus, bn_ctx.get()));
-    if (!bn_mont_ctx) {
-      return absl::InternalError("BN_MONT_CTX_new_for_modulus failed.");
-    }
-    ANON_TOKENS_ASSIGN_OR_RETURN(
-        bssl::UniquePtr<BIGNUM> recovered_message_digest_bn, NewBigNum());
-    if (BN_mod_exp_mont(recovered_message_digest_bn.get(), signature_bn.get(),
-                        &augmented_rsa_e, &rsa_modulus, bn_ctx.get(),
-                        bn_mont_ctx.get()) != kBsslSuccess) {
-      return absl::InternalError("Exponentiation failed.");
-    }
-    ANON_TOKENS_ASSIGN_OR_RETURN(
-        recovered_message_digest,
-        BignumToString(*recovered_message_digest_bn, rsa_modulus_size));
+  int recovered_message_digest_size = RSA_public_decrypt(
+      /*flen=*/signature.size(),
+      /*from=*/reinterpret_cast<const uint8_t*>(signature.data()),
+      /*to=*/
+      reinterpret_cast<uint8_t*>(recovered_message_digest.data()),
+      /*rsa=*/rsa_public_key,
+      /*padding=*/RSA_NO_PADDING);
+  if (recovered_message_digest_size != rsa_modulus_size) {
+    return absl::InvalidArgumentError(
+        absl::StrCat("Invalid signature size (likely an incorrect key is "
+                     "used); expected ",
+                     rsa_modulus_size, " got ", recovered_message_digest_size,
+                     ": ", GetSslErrors()));
   }
   if (RSA_verify_PKCS1_PSS_mgf1(
           rsa_public_key, reinterpret_cast<const uint8_t*>(&message_digest[0]),

diff --git a/quiche/blind_sign_auth/anonymous_tokens/cpp/crypto/crypto_utils.h b/quiche/blind_sign_auth/anonymous_tokens/cpp/crypto/crypto_utils.h
index 2932a19..18371cf 100644
--- a/quiche/blind_sign_auth/anonymous_tokens/cpp/crypto/crypto_utils.h
+++ b/quiche/blind_sign_auth/anonymous_tokens/cpp/crypto/crypto_utils.h

@@ -177,19 +177,20 @@
 // Helper method that implements RSA PSS Blind Signatures verification protocol
 // for both the standard scheme as well as the public metadata version.
 //
-// The standard public exponent e in rsa_public_key should always have a
-// standard value even if the public_metada is not std::nullopt.
+// For the public metadata version,
 //
-// If the public_metadata is set to std::nullopt, augmented_rsa_e should be
-// equal to a standard public exponent same as the value of e in rsa_public_key.
-// Otherwise, it will be equal to a new public exponent value derived using the
-// public metadata.
+// 1) `rsa_public_key' must contain a public exponent derived using the public
+// metadata.
+//
+// 2) The `message' must be an encoding of an original input message
+// and the public metadata e.g. by using EncodeMessagePublicMetadata method in
+// this file. The caller should make sure that its original input message is a
+// random message. In case it is not, it should be concatenated with a random
+// string.
 absl::Status QUICHE_EXPORT RsaBlindSignatureVerify(
     int salt_length, const EVP_MD* sig_hash, const EVP_MD* mgf1_hash,
-    RSA* rsa_public_key, const BIGNUM& rsa_modulus,
-    const BIGNUM& augmented_rsa_e, absl::string_view signature,
-    absl::string_view message,
-    std::optional<absl::string_view> public_metadata = std::nullopt);
+    absl::string_view signature, absl::string_view message,
+    RSA* rsa_public_key);
 
 // This method outputs a DER encoding of RSASSA-PSS (RSA Signature Scheme with
 // Appendix - Probabilistic Signature Scheme) Public Key as described here

diff --git a/quiche/blind_sign_auth/anonymous_tokens/cpp/crypto/rsa_blinder.cc b/quiche/blind_sign_auth/anonymous_tokens/cpp/crypto/rsa_blinder.cc
index 28e03fd..5e8b40d 100644
--- a/quiche/blind_sign_auth/anonymous_tokens/cpp/crypto/rsa_blinder.cc
+++ b/quiche/blind_sign_auth/anonymous_tokens/cpp/crypto/rsa_blinder.cc

@@ -245,12 +245,12 @@
 
 absl::Status RsaBlinder::Verify(absl::string_view signature,
                                 absl::string_view message) {
-  // TODO(b/289550754): Only pass RSA struct here and not the modulus and
-  // exponent.
-  return RsaBlindSignatureVerify(
-      salt_length_, sig_hash_, mgf1_hash_, rsa_public_key_.get(),
-      *RSA_get0_n(rsa_public_key_.get()), *RSA_get0_e(rsa_public_key_.get()),
-      signature, message, public_metadata_);
+  std::string augmented_message(message);
+  if (public_metadata_.has_value()) {
+    augmented_message = EncodeMessagePublicMetadata(message, *public_metadata_);
+  }
+  return RsaBlindSignatureVerify(salt_length_, sig_hash_, mgf1_hash_, signature,
+                                 augmented_message, rsa_public_key_.get());
 }
 
 }  // namespace anonymous_tokens

diff --git a/quiche/blind_sign_auth/anonymous_tokens/cpp/crypto/rsa_blinder.h b/quiche/blind_sign_auth/anonymous_tokens/cpp/crypto/rsa_blinder.h
index 9ddc9b4..f9029fb 100644
--- a/quiche/blind_sign_auth/anonymous_tokens/cpp/crypto/rsa_blinder.h
+++ b/quiche/blind_sign_auth/anonymous_tokens/cpp/crypto/rsa_blinder.h

@@ -62,7 +62,8 @@
   absl::StatusOr<std::string> Unblind(
       absl::string_view blind_signature) override;
 
-  // Verifies an `unblinded` signature against the input message.
+  // Verifies an `unblinded` signature against the same `message' that was
+  // passed to Blind.
   absl::Status Verify(absl::string_view signature, absl::string_view message);
 
  private:

diff --git a/quiche/blind_sign_auth/anonymous_tokens/cpp/crypto/rsa_ssa_pss_verifier.cc b/quiche/blind_sign_auth/anonymous_tokens/cpp/crypto/rsa_ssa_pss_verifier.cc
index ac9255f..33d4b1b 100644
--- a/quiche/blind_sign_auth/anonymous_tokens/cpp/crypto/rsa_ssa_pss_verifier.cc
+++ b/quiche/blind_sign_auth/anonymous_tokens/cpp/crypto/rsa_ssa_pss_verifier.cc

@@ -72,12 +72,13 @@
 
 absl::Status RsaSsaPssVerifier::Verify(absl::string_view unblind_token,
                                        absl::string_view message) {
-  // TODO(b/289550754): Only pass RSA struct here and not the modulus and
-  // exponent.
-  return RsaBlindSignatureVerify(
-      salt_length_, sig_hash_, mgf1_hash_, rsa_public_key_.get(),
-      *RSA_get0_n(rsa_public_key_.get()), *RSA_get0_e(rsa_public_key_.get()),
-      unblind_token, message, public_metadata_);
+  std::string augmented_message(message);
+  if (public_metadata_.has_value()) {
+    augmented_message = EncodeMessagePublicMetadata(message, *public_metadata_);
+  }
+  return RsaBlindSignatureVerify(salt_length_, sig_hash_, mgf1_hash_,
+                                 unblind_token, augmented_message,
+                                 rsa_public_key_.get());
 }
 
 }  // namespace anonymous_tokens