61739dd38d6da86609bef67e4ff07b2ec07c0c7e
[strongswan.git] / Source / lib / crypto / rsa / rsa_public_key.c
1 /**
2 * @file rsa_public_key.c
3 *
4 * @brief Implementation of rsa_public_key_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2005 Jan Hutter, Martin Willi
10 * Hochschule fuer Technik Rapperswil
11 *
12 * This program is free software; you can redistribute it and/or modify it
13 * under the terms of the GNU General Public License as published by the
14 * Free Software Foundation; either version 2 of the License, or (at your
15 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
16 *
17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
19 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 * for more details.
21 */
22
23 #include <gmp.h>
24 #include <sys/stat.h>
25 #include <unistd.h>
26 #include <string.h>
27
28 #include "rsa_public_key.h"
29
30 #include <daemon.h>
31 #include <crypto/hashers/hasher.h>
32 #include <asn1/der_decoder.h>
33
34 /*
35 * For simplicity,
36 * we use these predefined values for
37 * hash algorithm OIDs. These also contain
38 * the length of the following hash.
39 * These values are also used in rsa_private_key.c.
40 * TODO: We may move them in asn1 sometime...
41 */
42
43 u_int8_t md2_oid[] = {
44 0x30,0x20,0x30,0x0c,0x06,0x08,0x2a,0x86,
45 0x48,0x86,0xf7,0x0d,0x02,0x02,0x05,0x00,
46 0x04,0x10
47 };
48
49 u_int8_t md5_oid[] = {
50 0x30,0x20,0x30,0x0c,0x06,0x08,0x2a,0x86,
51 0x48,0x86,0xf7,0x0d,0x02,0x05,0x05,0x00,
52 0x04,0x10
53 };
54
55 u_int8_t sha1_oid[] = {
56 0x30,0x21,0x30,0x09,0x06,0x05,0x2b,0x0e,
57 0x03,0x02,0x1a,0x05,0x00,0x04,0x14
58 };
59
60 u_int8_t sha256_oid[] = {
61 0x30,0x31,0x30,0x0d,0x06,0x09,0x60,0x86,
62 0x48,0x01,0x65,0x03,0x04,0x02,0x01,0x05,
63 0x00,0x04,0x20
64 };
65
66 u_int8_t sha384_oid[] = {
67 0x30,0x41,0x30,0x0d,0x06,0x09,0x60,0x86,
68 0x48,0x01,0x65,0x03,0x04,0x02,0x02,0x05,
69 0x00,0x04,0x30
70 };
71
72 u_int8_t sha512_oid[] = {
73 0x30,0x51,0x30,0x0d,0x06,0x09,0x60,0x86,
74 0x48,0x01,0x65,0x03,0x04,0x02,0x03,0x05,
75 0x00,0x04,0x40
76 };
77
78
79 typedef struct private_rsa_public_key_t private_rsa_public_key_t;
80
81 /**
82 * Private data structure with signing context.
83 */
84 struct private_rsa_public_key_t {
85 /**
86 * Public interface for this signer.
87 */
88 rsa_public_key_t public;
89
90 /**
91 * Public modulus.
92 */
93 mpz_t n;
94
95 /**
96 * Public exponent.
97 */
98 mpz_t e;
99
100 /**
101 * Keysize in bytes.
102 */
103 size_t k;
104
105 /**
106 * @brief Implements the RSAEP algorithm specified in PKCS#1.
107 *
108 * @param this calling object
109 * @param data data to process
110 * @return processed data
111 */
112 chunk_t (*rsaep) (private_rsa_public_key_t *this, chunk_t data);
113
114 /**
115 * @brief Implements the RSASVP1 algorithm specified in PKCS#1.
116 *
117 * @param this calling object
118 * @param data data to process
119 * @return processed data
120 */
121 chunk_t (*rsavp1) (private_rsa_public_key_t *this, chunk_t data);
122 };
123
124
125 typedef struct rsa_public_key_info_t rsa_public_key_info_t;
126
127 /**
128 * KeyInfo, as it appears in a public key file
129 */
130 struct rsa_public_key_info_t {
131 /**
132 * Algorithm for this key
133 */
134 chunk_t algorithm_oid;
135
136 /**
137 * Public key, parseable with rsa_public_key_rules
138 */
139 chunk_t public_key;
140 };
141
142 /**
143 * Rules for de-/encoding of a public key from/in ASN1
144 */
145 static asn1_rule_t rsa_public_key_rules[] = {
146 {ASN1_SEQUENCE, 0, 0, 0},
147 { ASN1_INTEGER, ASN1_MPZ, offsetof(private_rsa_public_key_t, n), 0},
148 { ASN1_INTEGER, ASN1_MPZ, offsetof(private_rsa_public_key_t, e), 0},
149 {ASN1_END, 0, 0, 0},
150 };
151
152 /**
153 * Rules for de-/encoding of a PublicKeyInfo from/in ASN1
154 */
155 static asn1_rule_t rsa_public_key_info_rules[] = {
156 {ASN1_SEQUENCE, 0, 0, 0},
157 { ASN1_SEQUENCE, 0, 0, 0},
158 { ASN1_OID, 0, offsetof(rsa_public_key_info_t, algorithm_oid), 0},
159 { ASN1_NULL, 0, 0, 0},
160 { ASN1_END, 0, 0, 0},
161 { ASN1_BITSTRING, 0, offsetof(rsa_public_key_info_t, public_key), 0},
162 {ASN1_END, 0, 0, 0},
163 };
164
165 private_rsa_public_key_t *rsa_public_key_create_empty();
166
167 /**
168 * Implementation of private_rsa_public_key_t.rsaep and private_rsa_public_key_t.rsavp1
169 */
170 static chunk_t rsaep(private_rsa_public_key_t *this, chunk_t data)
171 {
172 mpz_t m, c;
173 chunk_t encrypted;
174
175 mpz_init(c);
176 mpz_init(m);
177
178 mpz_import(m, data.len, 1, 1, 1, 0, data.ptr);
179
180 mpz_powm(c, m, this->e, this->n);
181
182 encrypted.len = this->k;
183 encrypted.ptr = mpz_export(NULL, NULL, 1, encrypted.len, 1, 0, c);
184
185 mpz_clear(c);
186 mpz_clear(m);
187
188 return encrypted;
189 }
190
191 /**
192 * Implementation of rsa_public_key.verify_emsa_pkcs1_signature.
193 */
194 static status_t verify_emsa_pkcs1_signature(private_rsa_public_key_t *this, chunk_t data, chunk_t signature)
195 {
196 hasher_t *hasher = NULL;
197 chunk_t hash;
198 chunk_t em;
199 u_int8_t *pos;
200
201 if (signature.len > this->k)
202 {
203 return INVALID_ARG;
204 }
205
206 /* unpack signature */
207 em = this->rsavp1(this, signature);
208
209 /* result should look like this:
210 * EM = 0x00 || 0x01 || PS || 0x00 || T.
211 * PS = 0xFF padding, with length to fill em
212 * T = oid || hash
213 */
214
215 /* check magic bytes */
216 if ((*(em.ptr) != 0x00) ||
217 (*(em.ptr+1) != 0x01))
218 {
219 free(em.ptr);
220 return FAILED;
221 }
222
223 /* find magic 0x00 */
224 pos = em.ptr + 2;
225 while (pos <= em.ptr + em.len)
226 {
227 if (*pos == 0x00)
228 {
229 /* found magic byte, stop */
230 pos++;
231 break;
232 }
233 else if (*pos != 0xFF)
234 {
235 /* bad padding, decryption failed ?!*/
236 free(em.ptr);
237 return FAILED;
238 }
239 pos++;
240 }
241
242 if (pos + 20 > em.ptr + em.len)
243 {
244 /* not enought room for oid compare */
245 free(em.ptr);
246 return FAILED;
247 }
248
249 if (memcmp(md2_oid, pos, sizeof(md2_oid)) == 0)
250 {
251 hasher = hasher_create(HASH_MD2);
252 pos += sizeof(md2_oid);
253 }
254 else if (memcmp(md5_oid, pos, sizeof(md5_oid)) == 0)
255 {
256 hasher = hasher_create(HASH_MD5);
257 pos += sizeof(md5_oid);
258 }
259 else if (memcmp(sha1_oid, pos, sizeof(sha1_oid)) == 0)
260 {
261 hasher = hasher_create(HASH_SHA1);
262 pos += sizeof(sha1_oid);
263 }
264 else if (memcmp(sha256_oid, pos, sizeof(sha256_oid)) == 0)
265 {
266 hasher = hasher_create(HASH_SHA256);
267 pos += sizeof(sha256_oid);
268 }
269 else if (memcmp(sha384_oid, pos, sizeof(sha384_oid)) == 0)
270 {
271 hasher = hasher_create(HASH_SHA384);
272 pos += sizeof(sha384_oid);
273 }
274 else if (memcmp(sha512_oid, pos, sizeof(sha512_oid)) == 0)
275 {
276 hasher = hasher_create(HASH_SHA512);
277 pos += sizeof(sha512_oid);
278 }
279
280 if (hasher == NULL)
281 {
282 /* not supported hash algorithm */
283 free(em.ptr);
284 return NOT_SUPPORTED;
285 }
286
287 if (pos + hasher->get_block_size(hasher) != em.ptr + em.len)
288 {
289 /* bad length */
290 free(em.ptr);
291 hasher->destroy(hasher);
292 return FAILED;
293 }
294
295 /* build own hash for a compare */
296 hasher->allocate_hash(hasher, data, &hash);
297 hasher->destroy(hasher);
298
299 if (memcmp(hash.ptr, pos, hash.len) != 0)
300 {
301 /* hash does not equal */
302 free(hash.ptr);
303 free(em.ptr);
304 return FAILED;
305
306 }
307
308 /* seems good */
309 free(hash.ptr);
310 free(em.ptr);
311 return SUCCESS;
312 }
313
314 /**
315 * Implementation of rsa_public_key.get_key.
316 */
317 static status_t get_key(private_rsa_public_key_t *this, chunk_t *key)
318 {
319 chunk_t n, e;
320
321 n.len = this->k;
322 n.ptr = mpz_export(NULL, NULL, 1, n.len, 1, 0, this->n);
323 e.len = this->k;
324 e.ptr = mpz_export(NULL, NULL, 1, e.len, 1, 0, this->e);
325
326 key->len = this->k * 2;
327 key->ptr = malloc(key->len);
328 memcpy(key->ptr, n.ptr, n.len);
329 memcpy(key->ptr + n.len, e.ptr, e.len);
330 free(n.ptr);
331 free(e.ptr);
332
333 return SUCCESS;
334 }
335
336 /**
337 * Implementation of rsa_public_key.save_key.
338 */
339 static status_t save_key(private_rsa_public_key_t *this, char *file)
340 {
341 return NOT_SUPPORTED;
342 }
343
344 /**
345 * Implementation of rsa_public_key.get_modulus.
346 */
347 static mpz_t *get_modulus(private_rsa_public_key_t *this)
348 {
349 return &this->n;
350 }
351
352 /**
353 * Implementation of rsa_public_key.clone.
354 */
355 static rsa_public_key_t* _clone(private_rsa_public_key_t *this)
356 {
357 private_rsa_public_key_t *clone = rsa_public_key_create_empty();
358
359 mpz_init_set(clone->n, this->n);
360 mpz_init_set(clone->e, this->e);
361 clone->k = this->k;
362
363 return &clone->public;
364 }
365
366 /**
367 * Implementation of rsa_public_key.destroy.
368 */
369 static void destroy(private_rsa_public_key_t *this)
370 {
371 mpz_clear(this->n);
372 mpz_clear(this->e);
373 free(this);
374 }
375
376 /**
377 * Generic private constructor
378 */
379 private_rsa_public_key_t *rsa_public_key_create_empty()
380 {
381 private_rsa_public_key_t *this = malloc_thing(private_rsa_public_key_t);
382
383 /* public functions */
384 this->public.verify_emsa_pkcs1_signature = (status_t (*) (rsa_public_key_t*,chunk_t,chunk_t))verify_emsa_pkcs1_signature;
385 this->public.get_key = (status_t (*) (rsa_public_key_t*,chunk_t*))get_key;
386 this->public.save_key = (status_t (*) (rsa_public_key_t*,char*))save_key;
387 this->public.get_modulus = (mpz_t *(*) (rsa_public_key_t*))get_modulus;
388 this->public.clone = (rsa_public_key_t* (*) (rsa_public_key_t*))_clone;
389 this->public.destroy = (void (*) (rsa_public_key_t*))destroy;
390
391 /* private functions */
392 this->rsaep = rsaep;
393 this->rsavp1 = rsaep; /* same algorithm */
394
395 return this;
396 }
397
398 /*
399 * See header
400 */
401 rsa_public_key_t *rsa_public_key_create_from_chunk(chunk_t chunk)
402 {
403 der_decoder_t *dd;
404 status_t status;
405 private_rsa_public_key_t *this;
406
407 this = rsa_public_key_create_empty();
408 mpz_init(this->n);
409 mpz_init(this->e);
410
411 dd = der_decoder_create(rsa_public_key_rules);
412 status = dd->decode(dd, chunk, this);
413 dd->destroy(dd);
414 if (status != SUCCESS)
415 {
416 destroy(this);
417 return NULL;
418 }
419 this->k = (mpz_sizeinbase(this->n, 2) + 7) / 8;
420 return &this->public;
421 }
422
423 /*
424 * See header
425 */
426 rsa_public_key_t *rsa_public_key_create_from_file(char *filename)
427 {
428 struct stat stb;
429 FILE *file;
430 char *buffer;
431 chunk_t chunk;
432 rsa_public_key_info_t key_info = {CHUNK_INITIALIZER, CHUNK_INITIALIZER};
433 der_decoder_t *dd;
434 status_t status;
435 rsa_public_key_t *public_key = NULL;
436
437 if (stat(filename, &stb) == -1)
438 {
439 return NULL;
440 }
441
442 buffer = alloca(stb.st_size);
443
444 file = fopen(filename, "r");
445 if (file == NULL)
446 {
447 return NULL;
448 }
449
450 if (fread(buffer, stb.st_size, 1, file) != 1)
451 {
452 return NULL;
453 }
454
455 chunk.ptr = buffer;
456 chunk.len = stb.st_size;
457
458 /* parse public key info first */
459 dd = der_decoder_create(rsa_public_key_info_rules);
460 status = dd->decode(dd, chunk, &key_info);
461 dd->destroy(dd);
462 chunk_free(&key_info.algorithm_oid);
463 if (status == SUCCESS)
464 {
465 public_key = rsa_public_key_create_from_chunk(chunk);
466 }
467 chunk_free(&key_info.public_key);
468 return public_key;
469 }