af09a2af548aa4648e94f72c72706f0c9ab12e8f
[strongswan.git] / Source / lib / crypto / rsa / rsa_private_key.c
1 /**
2 * @file rsa_private_key.c
3 *
4 * @brief Implementation of rsa_private_key_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2005 Jan Hutter, Martin Willi
10 * Hochschule fuer Technik Rapperswil
11 *
12 * This program is free software; you can redistribute it and/or modify it
13 * under the terms of the GNU General Public License as published by the
14 * Free Software Foundation; either version 2 of the License, or (at your
15 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
16 *
17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
19 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 * for more details.
21 */
22
23 #include <gmp.h>
24 #include <sys/stat.h>
25 #include <unistd.h>
26 #include <string.h>
27
28 #include "rsa_private_key.h"
29
30 #include <daemon.h>
31 #include <asn1-pluto/asn1-pluto.h>
32
33
34 /*
35 * Oids for hash algorithms are defined in
36 * rsa_public_key.c.
37 */
38 extern u_int8_t md2_oid[18];
39 extern u_int8_t md5_oid[18];
40 extern u_int8_t sha1_oid[15];
41 extern u_int8_t sha256_oid[19];
42 extern u_int8_t sha384_oid[19];
43 extern u_int8_t sha512_oid[19];
44
45
46 /**
47 * Public exponent to use for key generation.
48 */
49 #define PUBLIC_EXPONENT 0x10001
50
51
52 typedef struct private_rsa_private_key_t private_rsa_private_key_t;
53
54 /**
55 * Private data of a rsa_private_key_t object.
56 */
57 struct private_rsa_private_key_t {
58 /**
59 * Public interface for this signer.
60 */
61 rsa_private_key_t public;
62
63 /**
64 * Version of key, as encoded in PKCS#1
65 */
66 u_int version;
67
68 /**
69 * Public modulus.
70 */
71 mpz_t n;
72
73 /**
74 * Public exponent.
75 */
76 mpz_t e;
77
78 /**
79 * Private prime 1.
80 */
81 mpz_t p;
82
83 /**
84 * Private Prime 2.
85 */
86 mpz_t q;
87
88 /**
89 * Private exponent.
90 */
91 mpz_t d;
92
93 /**
94 * Private exponent 1.
95 */
96 mpz_t exp1;
97
98 /**
99 * Private exponent 2.
100 */
101 mpz_t exp2;
102
103 /**
104 * Private coefficient.
105 */
106 mpz_t coeff;
107
108 /**
109 * Keysize in bytes.
110 */
111 size_t k;
112
113 /**
114 * @brief Implements the RSADP algorithm specified in PKCS#1.
115 *
116 * @param this calling object
117 * @param data data to process
118 * @return processed data
119 */
120 chunk_t (*rsadp) (private_rsa_private_key_t *this, chunk_t data);
121
122 /**
123 * @brief Implements the RSASP1 algorithm specified in PKCS#1.
124 * @param this calling object
125 * @param data data to process
126 * @return processed data
127 */
128 chunk_t (*rsasp1) (private_rsa_private_key_t *this, chunk_t data);
129
130 /**
131 * @brief Generate a prime value.
132 *
133 * @param this calling object
134 * @param prime_size size of the prime, in bytes
135 * @param[out] prime uninitialized mpz
136 */
137 status_t (*compute_prime) (private_rsa_private_key_t *this, size_t prime_size, mpz_t *prime);
138
139 };
140
141 #if 0
142 Not used yet, since we use plutos ASN1 stuff
143 /**
144 * Rules for de-/encoding of a private key from/in ASN1
145 */
146 static asn1_rule_t rsa_private_key_rules[] = {
147 {ASN1_SEQUENCE, 0, 0, 0},
148 { ASN1_INTEGER, 0, offsetof(private_rsa_private_key_t, version), 0},
149 { ASN1_INTEGER, ASN1_MPZ, offsetof(private_rsa_private_key_t, n), 0},
150 { ASN1_INTEGER, ASN1_MPZ, offsetof(private_rsa_private_key_t, e), 0},
151 { ASN1_INTEGER, ASN1_MPZ, offsetof(private_rsa_private_key_t, d), 0},
152 { ASN1_INTEGER, ASN1_MPZ, offsetof(private_rsa_private_key_t, p), 0},
153 { ASN1_INTEGER, ASN1_MPZ, offsetof(private_rsa_private_key_t, q), 0},
154 { ASN1_INTEGER, ASN1_MPZ, offsetof(private_rsa_private_key_t, exp1), 0},
155 { ASN1_INTEGER, ASN1_MPZ, offsetof(private_rsa_private_key_t, exp2), 0},
156 { ASN1_INTEGER, ASN1_MPZ, offsetof(private_rsa_private_key_t, coeff), 0},
157 {ASN1_END, 0, 0, 0},
158 };
159 #endif
160
161 struct {
162 const char *name;
163 size_t offset;
164 } RSA_private_field[] = {
165 { "Modulus", offsetof(private_rsa_private_key_t, n) },
166 { "PublicExponent", offsetof(private_rsa_private_key_t, e) },
167 { "PrivateExponent", offsetof(private_rsa_private_key_t, d) },
168 { "Prime1", offsetof(private_rsa_private_key_t, p) },
169 { "Prime2", offsetof(private_rsa_private_key_t, q) },
170 { "Exponent1", offsetof(private_rsa_private_key_t, exp1) },
171 { "Exponent2", offsetof(private_rsa_private_key_t, exp2) },
172 { "Coefficient", offsetof(private_rsa_private_key_t, coeff) },
173 };
174
175 /* ASN.1 definition of a PKCS#1 RSA private key */
176
177 static const asn1Object_t privkeyObjects[] = {
178 { 0, "RSAPrivateKey", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
179 { 1, "version", ASN1_INTEGER, ASN1_BODY }, /* 1 */
180 { 1, "modulus", ASN1_INTEGER, ASN1_BODY }, /* 2 */
181 { 1, "publicExponent", ASN1_INTEGER, ASN1_BODY }, /* 3 */
182 { 1, "privateExponent", ASN1_INTEGER, ASN1_BODY }, /* 4 */
183 { 1, "prime1", ASN1_INTEGER, ASN1_BODY }, /* 5 */
184 { 1, "prime2", ASN1_INTEGER, ASN1_BODY }, /* 6 */
185 { 1, "exponent1", ASN1_INTEGER, ASN1_BODY }, /* 7 */
186 { 1, "exponent2", ASN1_INTEGER, ASN1_BODY }, /* 8 */
187 { 1, "coefficient", ASN1_INTEGER, ASN1_BODY }, /* 9 */
188 { 1, "otherPrimeInfos", ASN1_SEQUENCE, ASN1_OPT |
189 ASN1_LOOP }, /* 10 */
190 { 2, "otherPrimeInfo", ASN1_SEQUENCE, ASN1_NONE }, /* 11 */
191 { 3, "prime", ASN1_INTEGER, ASN1_BODY }, /* 12 */
192 { 3, "exponent", ASN1_INTEGER, ASN1_BODY }, /* 13 */
193 { 3, "coefficient", ASN1_INTEGER, ASN1_BODY }, /* 14 */
194 { 1, "end opt or loop", ASN1_EOC, ASN1_END } /* 15 */
195 };
196
197 #define PKCS1_PRIV_KEY_VERSION 1
198 #define PKCS1_PRIV_KEY_MODULUS 2
199 #define PKCS1_PRIV_KEY_PUB_EXP 3
200 #define PKCS1_PRIV_KEY_COEFF 9
201 #define PKCS1_PRIV_KEY_ROOF 16
202
203
204
205 static private_rsa_private_key_t *rsa_private_key_create_empty();
206
207 /**
208 * Implementation of private_rsa_private_key_t.compute_prime.
209 */
210 static status_t compute_prime(private_rsa_private_key_t *this, size_t prime_size, mpz_t *prime)
211 {
212 randomizer_t *randomizer;
213 chunk_t random_bytes;
214 status_t status;
215
216 randomizer = randomizer_create();
217 mpz_init(*prime);
218
219 do
220 {
221 status = randomizer->allocate_random_bytes(randomizer, prime_size, &random_bytes);
222 if (status != SUCCESS)
223 {
224 randomizer->destroy(randomizer);
225 mpz_clear(*prime);
226 return FAILED;
227 }
228
229 /* make sure most significant bit is set */
230 random_bytes.ptr[0] = random_bytes.ptr[0] | 0x80;
231
232 /* convert chunk to mpz value */
233 mpz_import(*prime, random_bytes.len, 1, 1, 1, 0, random_bytes.ptr);
234
235 /* get next prime */
236 mpz_nextprime (*prime, *prime);
237
238 free(random_bytes.ptr);
239 }
240 /* check if it isnt too large */
241 while (((mpz_sizeinbase(*prime, 2) + 7) / 8) > prime_size);
242
243 randomizer->destroy(randomizer);
244 return SUCCESS;
245 }
246
247 /**
248 * Implementation of private_rsa_private_key_t.rsadp and private_rsa_private_key_t.rsasp1.
249 */
250 static chunk_t rsadp(private_rsa_private_key_t *this, chunk_t data)
251 {
252 mpz_t t1, t2;
253 chunk_t decrypted;
254
255 mpz_init(t1);
256 mpz_init(t2);
257
258 mpz_import(t1, data.len, 1, 1, 1, 0, data.ptr);
259
260 mpz_powm(t2, t1, this->exp1, this->p); /* m1 = c^dP mod p */
261 mpz_powm(t1, t1, this->exp2, this->q); /* m2 = c^dQ mod Q */
262 mpz_sub(t2, t2, t1); /* h = qInv (m1 - m2) mod p */
263 mpz_mod(t2, t2, this->p);
264 mpz_mul(t2, t2, this->coeff);
265 mpz_mod(t2, t2, this->p);
266
267 mpz_mul(t2, t2, this->q); /* m = m2 + h q */
268 mpz_add(t1, t1, t2);
269
270 decrypted.len = this->k;
271 decrypted.ptr = mpz_export(NULL, NULL, 1, decrypted.len, 1, 0, t1);
272
273 mpz_clear(t1);
274 mpz_clear(t2);
275
276 return decrypted;
277 }
278
279 /**
280 * Implementation of rsa_private_key.build_emsa_signature.
281 */
282 static status_t build_emsa_pkcs1_signature(private_rsa_private_key_t *this, hash_algorithm_t hash_algorithm, chunk_t data, chunk_t *signature)
283 {
284 hasher_t *hasher;
285 chunk_t hash;
286 chunk_t oid;
287 chunk_t em;
288
289 /* get oid string prepended to hash */
290 switch (hash_algorithm)
291 {
292 case HASH_MD2:
293 {
294 oid.ptr = md2_oid;
295 oid.len = sizeof(md2_oid);
296 break;
297 }
298 case HASH_MD5:
299 {
300 oid.ptr = md5_oid;
301 oid.len = sizeof(md5_oid);
302 break;
303 }
304 case HASH_SHA1:
305 {
306 oid.ptr = sha1_oid;
307 oid.len = sizeof(sha1_oid);
308 break;
309 }
310 case HASH_SHA256:
311 {
312 oid.ptr = sha256_oid;
313 oid.len = sizeof(sha256_oid);
314 break;
315 }
316 case HASH_SHA384:
317 {
318 oid.ptr = sha384_oid;
319 oid.len = sizeof(sha384_oid);
320 break;
321 }
322 case HASH_SHA512:
323 {
324 oid.ptr = sha512_oid;
325 oid.len = sizeof(sha512_oid);
326 break;
327 }
328 default:
329 {
330 return NOT_SUPPORTED;
331 }
332 }
333
334 /* get hasher */
335 hasher = hasher_create(hash_algorithm);
336 if (hasher == NULL)
337 {
338 return NOT_SUPPORTED;
339 }
340
341 /* build hash */
342 hasher->allocate_hash(hasher, data, &hash);
343 hasher->destroy(hasher);
344
345 /* build chunk to rsa-decrypt:
346 * EM = 0x00 || 0x01 || PS || 0x00 || T.
347 * PS = 0xFF padding, with length to fill em
348 * T = oid || hash
349 */
350 em.len = this->k;
351 em.ptr = malloc(em.len);
352
353 /* fill em with padding */
354 memset(em.ptr, 0xFF, em.len);
355 /* set magic bytes */
356 *(em.ptr) = 0x00;
357 *(em.ptr+1) = 0x01;
358 *(em.ptr + em.len - hash.len - oid.len - 1) = 0x00;
359 /* set hash */
360 memcpy(em.ptr + em.len - hash.len, hash.ptr, hash.len);
361 /* set oid */
362 memcpy(em.ptr + em.len - hash.len - oid.len, oid.ptr, oid.len);
363
364
365 /* build signature */
366 *signature = this->rsasp1(this, em);
367
368 free(hash.ptr);
369 free(em.ptr);
370
371 return SUCCESS;
372 }
373
374 /**
375 * Implementation of rsa_private_key.get_key.
376 */
377 static status_t get_key(private_rsa_private_key_t *this, chunk_t *key)
378 {
379 chunk_t n, e, p, q, d, exp1, exp2, coeff;
380
381 n.len = this->k;
382 n.ptr = mpz_export(NULL, NULL, 1, n.len, 1, 0, this->n);
383 e.len = this->k;
384 e.ptr = mpz_export(NULL, NULL, 1, e.len, 1, 0, this->e);
385 p.len = this->k;
386 p.ptr = mpz_export(NULL, NULL, 1, p.len, 1, 0, this->p);
387 q.len = this->k;
388 q.ptr = mpz_export(NULL, NULL, 1, q.len, 1, 0, this->q);
389 d.len = this->k;
390 d.ptr = mpz_export(NULL, NULL, 1, d.len, 1, 0, this->d);
391 exp1.len = this->k;
392 exp1.ptr = mpz_export(NULL, NULL, 1, exp1.len, 1, 0, this->exp1);
393 exp2.len = this->k;
394 exp2.ptr = mpz_export(NULL, NULL, 1, exp2.len, 1, 0, this->exp2);
395 coeff.len = this->k;
396 coeff.ptr = mpz_export(NULL, NULL, 1, coeff.len, 1, 0, this->coeff);
397
398 key->len = this->k * 8;
399 key->ptr = malloc(key->len);
400 memcpy(key->ptr + this->k * 0, n.ptr , n.len);
401 memcpy(key->ptr + this->k * 1, e.ptr, e.len);
402 memcpy(key->ptr + this->k * 2, p.ptr, p.len);
403 memcpy(key->ptr + this->k * 3, q.ptr, q.len);
404 memcpy(key->ptr + this->k * 4, d.ptr, d.len);
405 memcpy(key->ptr + this->k * 5, exp1.ptr, exp1.len);
406 memcpy(key->ptr + this->k * 6, exp2.ptr, exp2.len);
407 memcpy(key->ptr + this->k * 7, coeff.ptr, coeff.len);
408
409 free(n.ptr);
410 free(e.ptr);
411 free(p.ptr);
412 free(q.ptr);
413 free(d.ptr);
414 free(exp1.ptr);
415 free(exp2.ptr);
416 free(coeff.ptr);
417
418 return SUCCESS;
419 }
420
421 /**
422 * Implementation of rsa_private_key.save_key.
423 */
424 static status_t save_key(private_rsa_private_key_t *this, char *file)
425 {
426 return NOT_SUPPORTED;
427 }
428
429 /**
430 * Implementation of rsa_private_key.get_public_key.
431 */
432 rsa_public_key_t *get_public_key(private_rsa_private_key_t *this)
433 {
434 return NULL;
435 }
436
437 /**
438 * Implementation of rsa_private_key.belongs_to.
439 */
440 static bool belongs_to(private_rsa_private_key_t *this, rsa_public_key_t *public)
441 {
442 if (mpz_cmp(this->n, *public->get_modulus(public)) == 0)
443 {
444 return TRUE;
445 }
446 return FALSE;
447 }
448
449 /**
450 * Implementation of rsa_private_key.clone.
451 */
452 static rsa_private_key_t* _clone(private_rsa_private_key_t *this)
453 {
454 private_rsa_private_key_t *clone = rsa_private_key_create_empty();
455
456 mpz_init_set(clone->n, this->n);
457 mpz_init_set(clone->e, this->e);
458 mpz_init_set(clone->p, this->p);
459 mpz_init_set(clone->q, this->q);
460 mpz_init_set(clone->d, this->d);
461 mpz_init_set(clone->exp1, this->exp1);
462 mpz_init_set(clone->exp2, this->exp2);
463 mpz_init_set(clone->coeff, this->coeff);
464 clone->k = this->k;
465
466 return &clone->public;
467 }
468
469 /**
470 * Implementation of rsa_private_key.destroy.
471 */
472 static void destroy(private_rsa_private_key_t *this)
473 {
474 mpz_clear(this->n);
475 mpz_clear(this->e);
476 mpz_clear(this->p);
477 mpz_clear(this->q);
478 mpz_clear(this->d);
479 mpz_clear(this->exp1);
480 mpz_clear(this->exp2);
481 mpz_clear(this->coeff);
482 free(this);
483 }
484
485 /**
486 * Internal generic constructor
487 */
488 static private_rsa_private_key_t *rsa_private_key_create_empty()
489 {
490 private_rsa_private_key_t *this = malloc_thing(private_rsa_private_key_t);
491
492 /* public functions */
493 this->public.build_emsa_pkcs1_signature = (status_t (*) (rsa_private_key_t*,hash_algorithm_t,chunk_t,chunk_t*))build_emsa_pkcs1_signature;
494 this->public.get_key = (status_t (*) (rsa_private_key_t*,chunk_t*))get_key;
495 this->public.save_key = (status_t (*) (rsa_private_key_t*,char*))save_key;
496 this->public.get_public_key = (rsa_public_key_t *(*) (rsa_private_key_t*))get_public_key;
497 this->public.belongs_to = (bool (*) (rsa_private_key_t*,rsa_public_key_t*))belongs_to;
498 this->public.clone = (rsa_private_key_t*(*)(rsa_private_key_t*))_clone;
499 this->public.destroy = (void (*) (rsa_private_key_t*))destroy;
500
501 /* private functions */
502 this->rsadp = rsadp;
503 this->rsasp1 = rsadp; /* same algorithm */
504 this->compute_prime = compute_prime;
505
506 return this;
507 }
508
509 /*
510 * See header
511 */
512 rsa_private_key_t *rsa_private_key_create(size_t key_size)
513 {
514 mpz_t p, q, n, e, d, exp1, exp2, coeff;
515 mpz_t m, q1, t;
516 private_rsa_private_key_t *this;
517
518 this = rsa_private_key_create_empty();
519 key_size = key_size / 8;
520
521 /* Get values of primes p and q */
522 if (this->compute_prime(this, key_size/2, &p) != SUCCESS)
523 {
524 free(this);
525 return NULL;
526 }
527 if (this->compute_prime(this, key_size/2, &q) != SUCCESS)
528 {
529 mpz_clear(p);
530 free(this);
531 return NULL;
532 }
533
534
535 mpz_init(t);
536 mpz_init(n);
537 mpz_init(d);
538 mpz_init(exp1);
539 mpz_init(exp2);
540 mpz_init(coeff);
541
542
543 /* Swapping Primes so p is larger then q */
544 if (mpz_cmp(p, q) < 0)
545 {
546 mpz_set(t, p);
547 mpz_set(p, q);
548 mpz_set(q, t);
549 }
550
551 mpz_mul(n, p, q); /* n = p*q */
552 mpz_init_set_ui(e, PUBLIC_EXPONENT); /* assign public exponent */
553 mpz_init_set(m, p); /* m = p */
554 mpz_sub_ui(m, m, 1); /* m = m -1 */
555 mpz_init_set(q1, q); /* q1 = q */
556 mpz_sub_ui(q1, q1, 1); /* q1 = q1 -1 */
557 mpz_gcd(t, m, q1); /* t = gcd(p-1, q-1) */
558 mpz_mul(m, m, q1); /* m = (p-1)*(q-1) */
559 mpz_divexact(m, m, t); /* m = m / t */
560 mpz_gcd(t, m, e); /* t = gcd(m, e) (greatest common divisor) */
561
562 mpz_invert(d, e, m); /* e has an inverse mod m */
563 if (mpz_cmp_ui(d, 0) < 0) /* make sure d is positive */
564 {
565 mpz_add(d, d, m);
566 }
567 mpz_sub_ui(t, p, 1); /* t = p-1 */
568 mpz_mod(exp1, d, t); /* exp1 = d mod p-1 */
569 mpz_sub_ui(t, q, 1); /* t = q-1 */
570 mpz_mod(exp2, d, t); /* exp2 = d mod q-1 */
571
572 mpz_invert(coeff, q, p); /* coeff = q^-1 mod p */
573 if (mpz_cmp_ui(coeff, 0) < 0) /* make coeff d is positive */
574 {
575 mpz_add(coeff, coeff, p);
576 }
577
578 mpz_clear(q1);
579 mpz_clear(m);
580 mpz_clear(t);
581
582 /* apply values */
583 *(this->p) = *p;
584 *(this->q) = *q;
585 *(this->n) = *n;
586 *(this->e) = *e;
587 *(this->d) = *d;
588 *(this->exp1) = *exp1;
589 *(this->exp2) = *exp2;
590 *(this->coeff) = *coeff;
591
592 /* set key size in bytes */
593 this->k = key_size;
594
595 return &this->public;
596 }
597
598
599 #if 0
600 NOT used yet, since we use plutos ASN1 parser for now
601 /*
602 * see header
603 */
604 rsa_private_key_t *rsa_private_key_create_from_chunk(chunk_t chunk)
605 {
606 private_rsa_private_key_t *this;
607 der_decoder_t *dd;
608 status_t status;
609
610 this = rsa_private_key_create_empty();
611
612 mpz_init(this->n);
613 mpz_init(this->e);
614 mpz_init(this->p);
615 mpz_init(this->q);
616 mpz_init(this->d);
617 mpz_init(this->exp1);
618 mpz_init(this->exp2);
619 mpz_init(this->coeff);
620
621 dd = der_decoder_create(rsa_private_key_rules);
622 status = dd->decode(dd, chunk, this);
623 dd->destroy(dd);
624 if (status != SUCCESS)
625 {
626 destroy(this);
627 return NULL;
628 }
629 this->k = (mpz_sizeinbase(this->n, 2) + 7) / 8;
630 return &this->public;
631 }
632 #endif
633
634 static status_t check(private_rsa_private_key_t *this)
635 {
636 mpz_t t, u, q1;
637 status_t status = SUCCESS;
638
639 /* PKCS#1 1.5 section 6 requires modulus to have at least 12 octets.
640 * We actually require more (for security).
641 */
642 if (this->k < 512/8)
643 return FAILED;
644
645 /* we picked a max modulus size to simplify buffer allocation */
646 if (this->k > 8192/8)
647 return FAILED;
648
649 mpz_init(t);
650 mpz_init(u);
651 mpz_init(q1);
652
653 /* check that n == p * q */
654 mpz_mul(u, this->p, this->q);
655 if (mpz_cmp(u, this->n) != 0)
656 {
657 status = FAILED;
658 }
659
660 /* check that e divides neither p-1 nor q-1 */
661 mpz_sub_ui(t, this->p, 1);
662 mpz_mod(t, t, this->e);
663 if (mpz_cmp_ui(t, 0) == 0)
664 {
665 status = FAILED;
666 }
667
668 mpz_sub_ui(t, this->q, 1);
669 mpz_mod(t, t, this->e);
670 if (mpz_cmp_ui(t, 0) == 0)
671 {
672 status = FAILED;
673 }
674
675 /* check that d is e^-1 (mod lcm(p-1, q-1)) */
676 /* see PKCS#1v2, aka RFC 2437, for the "lcm" */
677 mpz_sub_ui(q1, this->q, 1);
678 mpz_sub_ui(u, this->p, 1);
679 mpz_gcd(t, u, q1); /* t := gcd(p-1, q-1) */
680 mpz_mul(u, u, q1); /* u := (p-1) * (q-1) */
681 mpz_divexact(u, u, t); /* u := lcm(p-1, q-1) */
682
683 mpz_mul(t, this->d, this->e);
684 mpz_mod(t, t, u);
685 if (mpz_cmp_ui(t, 1) != 0)
686 {
687 status = FAILED;
688 }
689
690 /* check that exp1 is d mod (p-1) */
691 mpz_sub_ui(u, this->p, 1);
692 mpz_mod(t, this->d, u);
693 if (mpz_cmp(t, this->exp1) != 0)
694 {
695 status = FAILED;
696 }
697
698 /* check that exp2 is d mod (q-1) */
699 mpz_sub_ui(u, this->q, 1);
700 mpz_mod(t, this->d, u);
701 if (mpz_cmp(t, this->exp2) != 0)
702 {
703 status = FAILED;
704 }
705
706 /* check that coeff is (q^-1) mod p */
707 mpz_mul(t, this->coeff, this->q);
708 mpz_mod(t, t, this->p);
709 if (mpz_cmp_ui(t, 1) != 0)
710 {
711 status = FAILED;
712 }
713
714 mpz_clear(t);
715 mpz_clear(u);
716 mpz_clear(q1);
717 return status;
718 }
719
720 /*
721 * Parses a PKCS#1 private key
722 */
723 rsa_private_key_t *rsa_private_key_create_from_chunk(chunk_t blob)
724 {
725 asn1_ctx_t ctx;
726 chunk_t object;
727 u_int level;
728 int objectID = 0;
729 private_rsa_private_key_t *this;
730
731 this = rsa_private_key_create_empty();
732
733 mpz_init(this->n);
734 mpz_init(this->e);
735 mpz_init(this->p);
736 mpz_init(this->q);
737 mpz_init(this->d);
738 mpz_init(this->exp1);
739 mpz_init(this->exp2);
740 mpz_init(this->coeff);
741
742 asn1_init(&ctx, blob, 0, FALSE);
743
744 while (objectID < PKCS1_PRIV_KEY_ROOF)
745 {
746 if (!extract_object(privkeyObjects, &objectID, &object, &level, &ctx))
747 {
748 return FALSE;
749 }
750 if (objectID == PKCS1_PRIV_KEY_VERSION)
751 {
752 if (object.len > 0 && *object.ptr != 0)
753 {
754 destroy(this);
755 return NULL;
756 }
757 }
758 else if (objectID >= PKCS1_PRIV_KEY_MODULUS &&
759 objectID <= PKCS1_PRIV_KEY_COEFF)
760 {
761 mpz_t *u = (mpz_t *) ((char *)this
762 + RSA_private_field[objectID - PKCS1_PRIV_KEY_MODULUS].offset);
763
764 mpz_import(*u, object.len, 1, 1, 1, 0, object.ptr);
765 }
766 objectID++;
767 }
768 if (check(this) != SUCCESS)
769 {
770 destroy(this);
771 return NULL;
772 }
773 else
774 {
775 return &this->public;
776 }
777 }
778
779 /*
780 * see header
781 */
782 rsa_private_key_t *rsa_private_key_create_from_file(char *filename, char *passphrase)
783 {
784 chunk_t chunk;
785 struct stat stb;
786 FILE *file;
787 char *buffer;
788
789 if (stat(filename, &stb) == -1)
790 {
791 return NULL;
792 }
793
794 buffer = alloca(stb.st_size);
795
796 file = fopen(filename, "r");
797 if (file == NULL)
798 {
799 return NULL;
800 }
801
802 if (fread(buffer, stb.st_size, 1, file) != 1)
803 {
804 fclose(file);
805 return NULL;
806 }
807 fclose(file);
808
809 chunk.ptr = buffer;
810 chunk.len = stb.st_size;
811
812 return rsa_private_key_create_from_chunk(chunk);
813 }