implemented IKEv1 specific SIGN_RSA_EMSA_PKCS1_NULL scheme in gcrypt
[strongswan.git] / src / libstrongswan / plugins / gcrypt / gcrypt_rsa_private_key.c
1 /*
2 * Copyright (C) 2005-2009 Martin Willi
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include <gcrypt.h>
17
18 #include "gcrypt_rsa_private_key.h"
19
20 #include <debug.h>
21 #include <asn1/oid.h>
22 #include <asn1/asn1.h>
23 #include <asn1/asn1_parser.h>
24
25 typedef struct private_gcrypt_rsa_private_key_t private_gcrypt_rsa_private_key_t;
26
27 /**
28 * Private data of a gcrypt_rsa_private_key_t object.
29 */
30 struct private_gcrypt_rsa_private_key_t {
31
32 /**
33 * Public interface
34 */
35 gcrypt_rsa_private_key_t public;
36
37 /**
38 * gcrypt S-expression representing an RSA key
39 */
40 gcry_sexp_t key;
41
42 /**
43 * Keyid formed as a SHA-1 hash of a publicKey object
44 */
45 identification_t* keyid;
46
47 /**
48 * Keyid formed as a SHA-1 hash of a publicKeyInfo object
49 */
50 identification_t* keyid_info;
51
52 /**
53 * reference count
54 */
55 refcount_t ref;
56 };
57
58 /**
59 * Implemented in gcrypt_rsa_public_key.c
60 */
61 public_key_t *gcrypt_rsa_public_key_create_from_sexp(gcry_sexp_t key);
62
63 /**
64 * find a token in a S-expression
65 */
66 chunk_t gcrypt_rsa_find_token(gcry_sexp_t sexp, char *name)
67 {
68 gcry_sexp_t token;
69 chunk_t data = chunk_empty;
70
71 token = gcry_sexp_find_token(sexp, name, 1);
72 if (token)
73 {
74 data.ptr = (char*)gcry_sexp_nth_data(token, 1, &data.len);
75 if (!data.ptr)
76 {
77 data.len = 0;
78 }
79 data = chunk_clone(data);
80 gcry_sexp_release(token);
81 }
82 return data;
83 }
84
85 /**
86 * Sign a chunk of data with direct PKCS#1 encoding, no hash OID
87 */
88 static bool sign_raw(private_gcrypt_rsa_private_key_t *this,
89 chunk_t data, chunk_t *signature)
90 {
91 gcry_sexp_t in, out;
92 gcry_error_t err;
93 chunk_t em;
94 size_t k;
95
96 /* EM = 0x00 || 0x01 || PS || 0x00 || T
97 * PS = 0xFF padding, with length to fill em
98 * T = data
99 */
100 k = gcry_pk_get_nbits(this->key) / 8;
101 if (data.len > k - 3)
102 {
103 return FALSE;
104 }
105 em = chunk_alloc(k);
106 memset(em.ptr, 0xFF, em.len);
107 em.ptr[0] = 0x00;
108 em.ptr[1] = 0x01;
109 em.ptr[em.len - data.len - 1] = 0x00;
110 memcpy(em.ptr + em.len - data.len, data.ptr, data.len);
111
112 err = gcry_sexp_build(&in, NULL, "(data(flags raw)(value %b))",
113 em.len, em.ptr);
114 chunk_free(&em);
115 if (err)
116 {
117 DBG1("building signature S-expression failed: %s", gpg_strerror(err));
118 return FALSE;
119 }
120 err = gcry_pk_sign(&out, in, this->key);
121 gcry_sexp_release(in);
122 if (err)
123 {
124 DBG1("creating pkcs1 signature failed: %s", gpg_strerror(err));
125 return FALSE;
126 }
127 *signature = gcrypt_rsa_find_token(out, "s");
128 gcry_sexp_release(out);
129 return !!signature->len;
130 }
131
132 /**
133 * Sign a chunk of data using hashing and PKCS#1 encoding
134 */
135 static bool sign_pkcs1(private_gcrypt_rsa_private_key_t *this,
136 hash_algorithm_t hash_algorithm, char *hash_name,
137 chunk_t data, chunk_t *signature)
138 {
139 hasher_t *hasher;
140 chunk_t hash;
141 gcry_error_t err;
142 gcry_sexp_t in, out;
143 int hash_oid;
144
145 hash_oid = hasher_algorithm_to_oid(hash_algorithm);
146 if (hash_oid == OID_UNKNOWN)
147 {
148 return FALSE;
149 }
150 hasher = lib->crypto->create_hasher(lib->crypto, hash_algorithm);
151 if (!hasher)
152 {
153 return FALSE;
154 }
155 hasher->allocate_hash(hasher, data, &hash);
156 hasher->destroy(hasher);
157
158 err = gcry_sexp_build(&in, NULL, "(data(flags pkcs1)(hash %s %b))",
159 hash_name, hash.len, hash.ptr);
160 chunk_free(&hash);
161 if (err)
162 {
163 DBG1("building signature S-expression failed: %s", gpg_strerror(err));
164 return FALSE;
165 }
166 err = gcry_pk_sign(&out, in, this->key);
167 gcry_sexp_release(in);
168 if (err)
169 {
170 DBG1("creating pkcs1 signature failed: %s", gpg_strerror(err));
171 return FALSE;
172 }
173 *signature = gcrypt_rsa_find_token(out, "s");
174 gcry_sexp_release(out);
175 return !!signature->len;
176 }
177
178 /**
179 * Implementation of gcrypt_rsa_private_key.destroy.
180 */
181 static key_type_t get_type(private_gcrypt_rsa_private_key_t *this)
182 {
183 return KEY_RSA;
184 }
185
186 /**
187 * Implementation of gcrypt_rsa_private_key.destroy.
188 */
189 static bool sign(private_gcrypt_rsa_private_key_t *this, signature_scheme_t scheme,
190 chunk_t data, chunk_t *sig)
191 {
192 switch (scheme)
193 {
194 case SIGN_RSA_EMSA_PKCS1_NULL:
195 return sign_raw(this, data, sig);
196 case SIGN_RSA_EMSA_PKCS1_SHA1:
197 return sign_pkcs1(this, HASH_SHA1, "sha1", data, sig);
198 case SIGN_RSA_EMSA_PKCS1_SHA256:
199 return sign_pkcs1(this, HASH_SHA256, "sha256", data, sig);
200 case SIGN_RSA_EMSA_PKCS1_SHA384:
201 return sign_pkcs1(this, HASH_SHA384, "sha384", data, sig);
202 case SIGN_RSA_EMSA_PKCS1_SHA512:
203 return sign_pkcs1(this, HASH_SHA512, "sha512", data, sig);
204 case SIGN_RSA_EMSA_PKCS1_MD5:
205 return sign_pkcs1(this, HASH_MD5, "md5", data, sig);
206 default:
207 DBG1("signature scheme %N not supported in RSA",
208 signature_scheme_names, scheme);
209 return FALSE;
210 }
211 }
212
213 /**
214 * Implementation of gcrypt_rsa_private_key.destroy.
215 */
216 static bool decrypt(private_gcrypt_rsa_private_key_t *this,
217 chunk_t crypto, chunk_t *plain)
218 {
219 DBG1("RSA private key decryption not implemented");
220 return FALSE;
221 }
222
223 /**
224 * Implementation of gcrypt_rsa_private_key.get_keysize.
225 */
226 static size_t get_keysize(private_gcrypt_rsa_private_key_t *this)
227 {
228 return gcry_pk_get_nbits(this->key) / 8;
229 }
230
231 /**
232 * Implementation of gcrypt_rsa_private_key.destroy.
233 */
234 static identification_t* get_id(private_gcrypt_rsa_private_key_t *this,
235 id_type_t type)
236 {
237 switch (type)
238 {
239 case ID_PUBKEY_INFO_SHA1:
240 return this->keyid_info;
241 case ID_PUBKEY_SHA1:
242 return this->keyid;
243 default:
244 return NULL;
245 }
246 }
247
248 /**
249 * Implementation of gcrypt_rsa_private_key.get_public_key.
250 */
251 static public_key_t* get_public_key(private_gcrypt_rsa_private_key_t *this)
252 {
253 return gcrypt_rsa_public_key_create_from_sexp(this->key);
254 }
255
256 /**
257 * Implementation of gcrypt_rsa_private_key.equals.
258 */
259 static bool equals(private_gcrypt_rsa_private_key_t *this, private_key_t *other)
260 {
261 identification_t *keyid;
262
263 if (&this->public.interface == other)
264 {
265 return TRUE;
266 }
267 if (other->get_type(other) != KEY_RSA)
268 {
269 return FALSE;
270 }
271 keyid = other->get_id(other, ID_PUBKEY_SHA1);
272 if (keyid && keyid->equals(keyid, this->keyid))
273 {
274 return TRUE;
275 }
276 keyid = other->get_id(other, ID_PUBKEY_INFO_SHA1);
277 if (keyid && keyid->equals(keyid, this->keyid_info))
278 {
279 return TRUE;
280 }
281 return FALSE;
282 }
283
284 /**
285 * Implementation of gcrypt_rsa_private_key.belongs_to.
286 */
287 static bool belongs_to(private_gcrypt_rsa_private_key_t *this,
288 public_key_t *public)
289 {
290 identification_t *keyid;
291
292 if (public->get_type(public) != KEY_RSA)
293 {
294 return FALSE;
295 }
296 keyid = public->get_id(public, ID_PUBKEY_SHA1);
297 if (keyid && keyid->equals(keyid, this->keyid))
298 {
299 return TRUE;
300 }
301 keyid = public->get_id(public, ID_PUBKEY_INFO_SHA1);
302 if (keyid && keyid->equals(keyid, this->keyid_info))
303 {
304 return TRUE;
305 }
306 return FALSE;
307 }
308
309 /**
310 * Implementation of private_key_t.get_encoding.
311 */
312 static chunk_t get_encoding(private_gcrypt_rsa_private_key_t *this)
313 {
314 chunk_t cp, cq, cd, cexp1 = chunk_empty, cexp2 = chunk_empty;
315 gcry_mpi_t p = NULL, q = NULL, d = NULL, exp1, exp2;
316 gcry_error_t err;
317
318 /* p and q are swapped, gcrypt expects p < q */
319 cp = gcrypt_rsa_find_token(this->key, "q");
320 cq = gcrypt_rsa_find_token(this->key, "p");
321 cd = gcrypt_rsa_find_token(this->key, "d");
322
323 err = gcry_mpi_scan(&p, GCRYMPI_FMT_USG, cp.ptr, cp.len, NULL)
324 | gcry_mpi_scan(&q, GCRYMPI_FMT_USG, cq.ptr, cq.len, NULL)
325 | gcry_mpi_scan(&d, GCRYMPI_FMT_USG, cd.ptr, cd.len, NULL);
326 if (err)
327 {
328 gcry_mpi_release(p);
329 gcry_mpi_release(q);
330 gcry_mpi_release(d);
331 chunk_clear(&cp);
332 chunk_clear(&cq);
333 chunk_clear(&cd);
334 DBG1("scanning mpi for export failed: %s", gpg_strerror(err));
335 return chunk_empty;
336 }
337
338 gcry_mpi_sub_ui(p, p, 1);
339 exp1 = gcry_mpi_new(gcry_pk_get_nbits(this->key));
340 gcry_mpi_mod(exp1, d, p);
341 gcry_mpi_release(p);
342
343 gcry_mpi_sub_ui(q, q, 1);
344 exp2 = gcry_mpi_new(gcry_pk_get_nbits(this->key));
345 gcry_mpi_mod(exp1, d, q);
346 gcry_mpi_release(q);
347
348 err = gcry_mpi_aprint(GCRYMPI_FMT_USG, &cexp1.ptr, &cexp1.len, exp1)
349 | gcry_mpi_aprint(GCRYMPI_FMT_USG, &cexp2.ptr, &cexp2.len, exp2);
350
351 gcry_mpi_release(d);
352 gcry_mpi_release(exp1);
353 gcry_mpi_release(exp2);
354
355 if (err)
356 {
357 DBG1("printing mpi for export failed: %s", gpg_strerror(err));
358 chunk_clear(&cp);
359 chunk_clear(&cq);
360 chunk_clear(&cd);
361 chunk_clear(&cexp1);
362 chunk_clear(&cexp2);
363 return chunk_empty;
364 }
365
366 return asn1_wrap(ASN1_SEQUENCE, "cmmmmmmmm", ASN1_INTEGER_0,
367 asn1_integer("m", gcrypt_rsa_find_token(this->key, "n")),
368 asn1_integer("m", gcrypt_rsa_find_token(this->key, "e")),
369 asn1_integer("m", cd),
370 asn1_integer("m", cp),
371 asn1_integer("m", cq),
372 asn1_integer("m", cexp1),
373 asn1_integer("m", cexp2),
374 asn1_integer("m", gcrypt_rsa_find_token(this->key, "u")));
375 }
376
377 /**
378 * Implementation of gcrypt_rsa_private_key.get_ref.
379 */
380 static private_key_t* get_ref(private_gcrypt_rsa_private_key_t *this)
381 {
382 ref_get(&this->ref);
383 return &this->public.interface;
384 }
385
386 /**
387 * Implementation of gcrypt_rsa_private_key.destroy.
388 */
389 static void destroy(private_gcrypt_rsa_private_key_t *this)
390 {
391 if (ref_put(&this->ref))
392 {
393 DESTROY_IF(this->keyid);
394 DESTROY_IF(this->keyid_info);
395 gcry_sexp_release(this->key);
396 free(this);
397 }
398 }
399
400 /**
401 * Internal generic constructor
402 */
403 static private_gcrypt_rsa_private_key_t *gcrypt_rsa_private_key_create_empty()
404 {
405 private_gcrypt_rsa_private_key_t *this = malloc_thing(private_gcrypt_rsa_private_key_t);
406
407 this->public.interface.get_type = (key_type_t (*)(private_key_t *this))get_type;
408 this->public.interface.sign = (bool (*)(private_key_t *this, signature_scheme_t scheme, chunk_t data, chunk_t *signature))sign;
409 this->public.interface.decrypt = (bool (*)(private_key_t *this, chunk_t crypto, chunk_t *plain))decrypt;
410 this->public.interface.get_keysize = (size_t (*) (private_key_t *this))get_keysize;
411 this->public.interface.get_id = (identification_t* (*) (private_key_t *this,id_type_t))get_id;
412 this->public.interface.get_public_key = (public_key_t* (*)(private_key_t *this))get_public_key;
413 this->public.interface.equals = (bool (*) (private_key_t*, private_key_t*))equals;
414 this->public.interface.belongs_to = (bool (*) (private_key_t *this, public_key_t *public))belongs_to;
415 this->public.interface.get_encoding = (chunk_t(*)(private_key_t*))get_encoding;
416 this->public.interface.get_ref = (private_key_t* (*)(private_key_t *this))get_ref;
417 this->public.interface.destroy = (void (*)(private_key_t *this))destroy;
418
419 this->key = NULL;
420 this->keyid = NULL;
421 this->keyid_info = NULL;
422 this->ref = 1;
423
424 return this;
425 }
426
427 /**
428 * build the keyids of a private/public key
429 */
430 bool gcrypt_rsa_build_keyids(gcry_sexp_t key, identification_t **keyid,
431 identification_t **keyid_info)
432 {
433 chunk_t publicKeyInfo, publicKey, hash;
434 hasher_t *hasher;
435
436 hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
437 if (!hasher)
438 {
439 DBG1("SHA1 hash algorithm not supported, unable to use RSA");
440 return FALSE;
441 }
442 publicKey = asn1_wrap(ASN1_SEQUENCE, "mm",
443 asn1_integer("m", gcrypt_rsa_find_token(key, "n")),
444 asn1_integer("m", gcrypt_rsa_find_token(key, "e")));
445 hasher->allocate_hash(hasher, publicKey, &hash);
446 *keyid = identification_create_from_encoding(ID_PUBKEY_SHA1, hash);
447 chunk_free(&hash);
448
449 publicKeyInfo = asn1_wrap(ASN1_SEQUENCE, "cm",
450 asn1_algorithmIdentifier(OID_RSA_ENCRYPTION),
451 asn1_bitstring("m", publicKey));
452 hasher->allocate_hash(hasher, publicKeyInfo, &hash);
453 *keyid_info = identification_create_from_encoding(ID_PUBKEY_INFO_SHA1, hash);
454 chunk_free(&hash);
455
456 hasher->destroy(hasher);
457 chunk_free(&publicKeyInfo);
458
459 return TRUE;
460 }
461
462 /**
463 * Generate an RSA key of specified key size
464 */
465 static gcrypt_rsa_private_key_t *generate(size_t key_size)
466 {
467 private_gcrypt_rsa_private_key_t *this;
468 gcry_sexp_t param, key;
469 gcry_error_t err;
470
471 err = gcry_sexp_build(&param, NULL, "(genkey(rsa(nbits %d)))", key_size);
472 if (err)
473 {
474 DBG1("building S-expression failed: %s", gpg_strerror(err));
475 return NULL;
476 }
477
478 err = gcry_pk_genkey(&key, param);
479 gcry_sexp_release(param);
480 if (err)
481 {
482 DBG1("generating RSA key failed: %s", gpg_strerror(err));
483 return NULL;
484 }
485 this = gcrypt_rsa_private_key_create_empty();
486 this->key = key;
487
488 if (!gcrypt_rsa_build_keyids(this->key, &this->keyid, &this->keyid_info))
489 {
490 destroy(this);
491 return NULL;
492 }
493
494 return &this->public;
495 }
496
497 /**
498 * ASN.1 definition of a PKCS#1 RSA private key
499 */
500 static const asn1Object_t privkeyObjects[] = {
501 { 0, "RSAPrivateKey", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
502 { 1, "version", ASN1_INTEGER, ASN1_BODY }, /* 1 */
503 { 1, "modulus", ASN1_INTEGER, ASN1_BODY }, /* 2 */
504 { 1, "publicExponent", ASN1_INTEGER, ASN1_BODY }, /* 3 */
505 { 1, "privateExponent", ASN1_INTEGER, ASN1_BODY }, /* 4 */
506 { 1, "prime1", ASN1_INTEGER, ASN1_BODY }, /* 5 */
507 { 1, "prime2", ASN1_INTEGER, ASN1_BODY }, /* 6 */
508 { 1, "exponent1", ASN1_INTEGER, ASN1_BODY }, /* 7 */
509 { 1, "exponent2", ASN1_INTEGER, ASN1_BODY }, /* 8 */
510 { 1, "coefficient", ASN1_INTEGER, ASN1_BODY }, /* 9 */
511 { 1, "otherPrimeInfos", ASN1_SEQUENCE, ASN1_OPT |
512 ASN1_LOOP }, /* 10 */
513 { 2, "otherPrimeInfo", ASN1_SEQUENCE, ASN1_NONE }, /* 11 */
514 { 3, "prime", ASN1_INTEGER, ASN1_BODY }, /* 12 */
515 { 3, "exponent", ASN1_INTEGER, ASN1_BODY }, /* 13 */
516 { 3, "coefficient", ASN1_INTEGER, ASN1_BODY }, /* 14 */
517 { 1, "end opt or loop", ASN1_EOC, ASN1_END }, /* 15 */
518 { 0, "exit", ASN1_EOC, ASN1_EXIT }
519 };
520 #define PRIV_KEY_VERSION 1
521 #define PRIV_KEY_MODULUS 2
522 #define PRIV_KEY_PUB_EXP 3
523 #define PRIV_KEY_PRIV_EXP 4
524 #define PRIV_KEY_PRIME1 5
525 #define PRIV_KEY_PRIME2 6
526 #define PRIV_KEY_EXP1 7
527 #define PRIV_KEY_EXP2 8
528 #define PRIV_KEY_COEFF 9
529
530 /**
531 * load private key from a ASN1 encoded blob
532 */
533 static gcrypt_rsa_private_key_t *load(chunk_t blob)
534 {
535 private_gcrypt_rsa_private_key_t *this;
536 asn1_parser_t *parser;
537 chunk_t object;
538 int objectID ;
539 bool success = FALSE;
540 chunk_t n, e, d, u, p, q;
541 gcry_error_t err;
542
543 parser = asn1_parser_create(privkeyObjects, blob);
544 parser->set_flags(parser, FALSE, TRUE);
545
546 while (parser->iterate(parser, &objectID, &object))
547 {
548 switch (objectID)
549 {
550 case PRIV_KEY_VERSION:
551 if (object.len > 0 && *object.ptr != 0)
552 {
553 goto end;
554 }
555 break;
556 case PRIV_KEY_MODULUS:
557 n = object;
558 break;
559 case PRIV_KEY_PUB_EXP:
560 e = object;
561 break;
562 case PRIV_KEY_PRIV_EXP:
563 d = object;
564 break;
565 case PRIV_KEY_PRIME1:
566 /* p and q are swapped, as gcrypt expects p < q */
567 q = object;
568 break;
569 case PRIV_KEY_PRIME2:
570 p = object;
571 break;
572 case PRIV_KEY_EXP1:
573 case PRIV_KEY_EXP2:
574 break;
575 case PRIV_KEY_COEFF:
576 u = object;
577 break;
578 }
579 }
580 success = parser->success(parser);
581
582 end:
583 parser->destroy(parser);
584
585 if (!success)
586 {
587 return NULL;
588 }
589
590 this = gcrypt_rsa_private_key_create_empty();
591 err = gcry_sexp_build(&this->key, NULL,
592 "(private-key(rsa(n %b)(e %b)(d %b)(p %b)(q %b)(u %b)))",
593 n.len, n.ptr, e.len, e.ptr, d.len, d.ptr,
594 p.len, p.ptr, q.len, q.ptr, u.len, u.ptr);
595 if (err)
596 {
597 DBG1("loading private key failed: %s", gpg_strerror(err));
598 free(this);
599 return NULL;
600 }
601 err = gcry_pk_testkey(this->key);
602 if (err)
603 {
604 DBG1("private key sanity check failed: %s", gpg_strerror(err));
605 destroy(this);
606 return NULL;
607 }
608 if (!gcrypt_rsa_build_keyids(this->key, &this->keyid, &this->keyid_info))
609 {
610 destroy(this);
611 return NULL;
612 }
613 return &this->public;
614 }
615
616 typedef struct private_builder_t private_builder_t;
617
618 /**
619 * Builder implementation for key loading/generation
620 */
621 struct private_builder_t {
622 /** implements the builder interface */
623 builder_t public;
624 /** loaded/generated private key */
625 gcrypt_rsa_private_key_t *key;
626 };
627
628 /**
629 * Implementation of builder_t.build
630 */
631 static gcrypt_rsa_private_key_t *build(private_builder_t *this)
632 {
633 gcrypt_rsa_private_key_t *key = this->key;
634
635 free(this);
636 return key;
637 }
638
639 /**
640 * Implementation of builder_t.add
641 */
642 static void add(private_builder_t *this, builder_part_t part, ...)
643 {
644 if (!this->key)
645 {
646 va_list args;
647
648 switch (part)
649 {
650 case BUILD_BLOB_ASN1_DER:
651 {
652 va_start(args, part);
653 this->key = load(va_arg(args, chunk_t));
654 va_end(args);
655 return;
656 }
657 case BUILD_KEY_SIZE:
658 {
659 va_start(args, part);
660 this->key = generate(va_arg(args, u_int));
661 va_end(args);
662 return;
663 }
664 default:
665 break;
666 }
667 }
668 if (this->key)
669 {
670 destroy((private_gcrypt_rsa_private_key_t*)this->key);
671 }
672 builder_cancel(&this->public);
673 }
674
675 /**
676 * Builder construction function
677 */
678 builder_t *gcrypt_rsa_private_key_builder(key_type_t type)
679 {
680 private_builder_t *this;
681
682 if (type != KEY_RSA)
683 {
684 return NULL;
685 }
686
687 this = malloc_thing(private_builder_t);
688
689 this->key = NULL;
690 this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
691 this->public.build = (void*(*)(builder_t *this))build;
692
693 return &this->public;
694 }
695