211ce411e08f0a926cab9edec5dba8bb1dc52193
[strongswan.git] / src / libstrongswan / plugins / gmp / gmp_rsa_private_key.c
1 /*
2 * Copyright (C) 2005-2009 Martin Willi
3 * Copyright (C) 2005 Jan Hutter
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include <gmp.h>
18 #include <sys/stat.h>
19 #include <unistd.h>
20 #include <string.h>
21
22 #include "gmp_rsa_private_key.h"
23 #include "gmp_rsa_public_key.h"
24
25 #include <debug.h>
26 #include <asn1/oid.h>
27 #include <asn1/asn1.h>
28 #include <asn1/asn1_parser.h>
29
30 #ifdef HAVE_MPZ_POWM_SEC
31 # undef mpz_powm
32 # define mpz_powm mpz_powm_sec
33 #endif
34
35 /**
36 * Public exponent to use for key generation.
37 */
38 #define PUBLIC_EXPONENT 0x10001
39
40 typedef struct private_gmp_rsa_private_key_t private_gmp_rsa_private_key_t;
41
42 /**
43 * Private data of a gmp_rsa_private_key_t object.
44 */
45 struct private_gmp_rsa_private_key_t {
46 /**
47 * Public interface for this signer.
48 */
49 gmp_rsa_private_key_t public;
50
51 /**
52 * Public modulus.
53 */
54 mpz_t n;
55
56 /**
57 * Public exponent.
58 */
59 mpz_t e;
60
61 /**
62 * Private prime 1.
63 */
64 mpz_t p;
65
66 /**
67 * Private Prime 2.
68 */
69 mpz_t q;
70
71 /**
72 * Private exponent.
73 */
74 mpz_t d;
75
76 /**
77 * Private exponent 1.
78 */
79 mpz_t exp1;
80
81 /**
82 * Private exponent 2.
83 */
84 mpz_t exp2;
85
86 /**
87 * Private coefficient.
88 */
89 mpz_t coeff;
90
91 /**
92 * Keysize in bytes.
93 */
94 size_t k;
95
96 /**
97 * reference count
98 */
99 refcount_t ref;
100 };
101
102 /**
103 * Convert a MP integer into a chunk_t
104 */
105 chunk_t gmp_mpz_to_chunk(const mpz_t value)
106 {
107 chunk_t n;
108
109 n.len = 1 + mpz_sizeinbase(value, 2) / BITS_PER_BYTE;
110 n.ptr = mpz_export(NULL, NULL, 1, n.len, 1, 0, value);
111 if (n.ptr == NULL)
112 { /* if we have zero in "value", gmp returns NULL */
113 n.len = 0;
114 }
115 return n;
116 }
117
118 /**
119 * Auxiliary function overwriting private key material with zero bytes
120 */
121 static void mpz_clear_sensitive(mpz_t z)
122 {
123 size_t len = mpz_size(z) * GMP_LIMB_BITS / BITS_PER_BYTE;
124 u_int8_t *random = alloca(len);
125
126 memset(random, 0, len);
127 /* overwrite mpz_t with zero bytes before clearing it */
128 mpz_import(z, len, 1, 1, 1, 0, random);
129 mpz_clear(z);
130 }
131
132 /**
133 * Create a mpz prime of at least prime_size
134 */
135 static status_t compute_prime(private_gmp_rsa_private_key_t *this,
136 size_t prime_size, mpz_t *prime)
137 {
138 rng_t *rng;
139 chunk_t random_bytes;
140
141 rng = lib->crypto->create_rng(lib->crypto, RNG_TRUE);
142 if (!rng)
143 {
144 DBG1("no RNG of quality %N found", rng_quality_names, RNG_TRUE);
145 return FAILED;
146 }
147
148 mpz_init(*prime);
149 do
150 {
151 rng->allocate_bytes(rng, prime_size, &random_bytes);
152 /* make sure the two most significant bits are set */
153 random_bytes.ptr[0] = random_bytes.ptr[0] | 0xC0;
154
155 mpz_import(*prime, random_bytes.len, 1, 1, 1, 0, random_bytes.ptr);
156 mpz_nextprime (*prime, *prime);
157 chunk_clear(&random_bytes);
158 }
159 /* check if it isn't too large */
160 while (((mpz_sizeinbase(*prime, 2) + 7) / 8) > prime_size);
161
162 rng->destroy(rng);
163 return SUCCESS;
164 }
165
166 /**
167 * PKCS#1 RSADP function
168 */
169 static chunk_t rsadp(private_gmp_rsa_private_key_t *this, chunk_t data)
170 {
171 mpz_t t1, t2;
172 chunk_t decrypted;
173
174 mpz_init(t1);
175 mpz_init(t2);
176
177 mpz_import(t1, data.len, 1, 1, 1, 0, data.ptr);
178
179 mpz_powm(t2, t1, this->exp1, this->p); /* m1 = c^dP mod p */
180 mpz_powm(t1, t1, this->exp2, this->q); /* m2 = c^dQ mod Q */
181 mpz_sub(t2, t2, t1); /* h = qInv (m1 - m2) mod p */
182 mpz_mod(t2, t2, this->p);
183 mpz_mul(t2, t2, this->coeff);
184 mpz_mod(t2, t2, this->p);
185
186 mpz_mul(t2, t2, this->q); /* m = m2 + h q */
187 mpz_add(t1, t1, t2);
188
189 decrypted.len = this->k;
190 decrypted.ptr = mpz_export(NULL, NULL, 1, decrypted.len, 1, 0, t1);
191 if (decrypted.ptr == NULL)
192 {
193 decrypted.len = 0;
194 }
195
196 mpz_clear_sensitive(t1);
197 mpz_clear_sensitive(t2);
198
199 return decrypted;
200 }
201
202 /**
203 * PKCS#1 RSASP1 function
204 */
205 static chunk_t rsasp1(private_gmp_rsa_private_key_t *this, chunk_t data)
206 {
207 return rsadp(this, data);
208 }
209
210 /**
211 * Implementation of gmp_rsa_private_key_t.build_emsa_pkcs1_signature.
212 */
213 static bool build_emsa_pkcs1_signature(private_gmp_rsa_private_key_t *this,
214 hash_algorithm_t hash_algorithm,
215 chunk_t data, chunk_t *signature)
216 {
217 chunk_t digestInfo = chunk_empty;
218 chunk_t em;
219
220 if (hash_algorithm != HASH_UNKNOWN)
221 {
222 hasher_t *hasher;
223 chunk_t hash;
224 int hash_oid = hasher_algorithm_to_oid(hash_algorithm);
225
226 if (hash_oid == OID_UNKNOWN)
227 {
228 return FALSE;
229 }
230
231 hasher = lib->crypto->create_hasher(lib->crypto, hash_algorithm);
232 if (hasher == NULL)
233 {
234 return FALSE;
235 }
236 hasher->allocate_hash(hasher, data, &hash);
237 hasher->destroy(hasher);
238
239 /* build DER-encoded digestInfo */
240 digestInfo = asn1_wrap(ASN1_SEQUENCE, "mm",
241 asn1_algorithmIdentifier(hash_oid),
242 asn1_simple_object(ASN1_OCTET_STRING, hash)
243 );
244 chunk_free(&hash);
245 data = digestInfo;
246 }
247
248 if (data.len > this->k - 3)
249 {
250 free(digestInfo.ptr);
251 DBG1("unable to sign %d bytes using a %dbit key", data.len, this->k * 8);
252 return FALSE;
253 }
254
255 /* build chunk to rsa-decrypt:
256 * EM = 0x00 || 0x01 || PS || 0x00 || T.
257 * PS = 0xFF padding, with length to fill em
258 * T = encoded_hash
259 */
260 em.len = this->k;
261 em.ptr = malloc(em.len);
262
263 /* fill em with padding */
264 memset(em.ptr, 0xFF, em.len);
265 /* set magic bytes */
266 *(em.ptr) = 0x00;
267 *(em.ptr+1) = 0x01;
268 *(em.ptr + em.len - data.len - 1) = 0x00;
269 /* set DER-encoded hash */
270 memcpy(em.ptr + em.len - data.len, data.ptr, data.len);
271
272 /* build signature */
273 *signature = rsasp1(this, em);
274
275 free(digestInfo.ptr);
276 free(em.ptr);
277
278 return TRUE;
279 }
280
281 /**
282 * Implementation of gmp_rsa_private_key.get_type.
283 */
284 static key_type_t get_type(private_gmp_rsa_private_key_t *this)
285 {
286 return KEY_RSA;
287 }
288
289 /**
290 * Implementation of gmp_rsa_private_key.sign.
291 */
292 static bool sign(private_gmp_rsa_private_key_t *this, signature_scheme_t scheme,
293 chunk_t data, chunk_t *signature)
294 {
295 switch (scheme)
296 {
297 case SIGN_RSA_EMSA_PKCS1_NULL:
298 return build_emsa_pkcs1_signature(this, HASH_UNKNOWN, data, signature);
299 case SIGN_RSA_EMSA_PKCS1_SHA1:
300 return build_emsa_pkcs1_signature(this, HASH_SHA1, data, signature);
301 case SIGN_RSA_EMSA_PKCS1_SHA224:
302 return build_emsa_pkcs1_signature(this, HASH_SHA224, data, signature);
303 case SIGN_RSA_EMSA_PKCS1_SHA256:
304 return build_emsa_pkcs1_signature(this, HASH_SHA256, data, signature);
305 case SIGN_RSA_EMSA_PKCS1_SHA384:
306 return build_emsa_pkcs1_signature(this, HASH_SHA384, data, signature);
307 case SIGN_RSA_EMSA_PKCS1_SHA512:
308 return build_emsa_pkcs1_signature(this, HASH_SHA512, data, signature);
309 case SIGN_RSA_EMSA_PKCS1_MD5:
310 return build_emsa_pkcs1_signature(this, HASH_MD5, data, signature);
311 default:
312 DBG1("signature scheme %N not supported in RSA",
313 signature_scheme_names, scheme);
314 return FALSE;
315 }
316 }
317
318 /**
319 * Implementation of gmp_rsa_private_key.decrypt.
320 */
321 static bool decrypt(private_gmp_rsa_private_key_t *this, chunk_t crypto,
322 chunk_t *plain)
323 {
324 chunk_t em, stripped;
325 bool success = FALSE;
326
327 /* rsa decryption using PKCS#1 RSADP */
328 stripped = em = rsadp(this, crypto);
329
330 /* PKCS#1 v1.5 8.1 encryption-block formatting (EB = 00 || 02 || PS || 00 || D) */
331
332 /* check for hex pattern 00 02 in decrypted message */
333 if ((*stripped.ptr++ != 0x00) || (*(stripped.ptr++) != 0x02))
334 {
335 DBG1("incorrect padding - probably wrong rsa key");
336 goto end;
337 }
338 stripped.len -= 2;
339
340 /* the plaintext data starts after first 0x00 byte */
341 while (stripped.len-- > 0 && *stripped.ptr++ != 0x00)
342
343 if (stripped.len == 0)
344 {
345 DBG1("no plaintext data");
346 goto end;
347 }
348
349 *plain = chunk_clone(stripped);
350 success = TRUE;
351
352 end:
353 chunk_clear(&em);
354 return success;
355 }
356
357 /**
358 * Implementation of gmp_rsa_private_key.get_keysize.
359 */
360 static size_t get_keysize(private_gmp_rsa_private_key_t *this)
361 {
362 return this->k;
363 }
364
365 /**
366 * Implementation of gmp_rsa_private_key.get_public_key.
367 */
368 static public_key_t* get_public_key(private_gmp_rsa_private_key_t *this)
369 {
370 chunk_t n, e;
371 public_key_t *public;
372
373 n = gmp_mpz_to_chunk(this->n);
374 e = gmp_mpz_to_chunk(this->e);
375
376 public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
377 BUILD_RSA_MODULUS, n, BUILD_RSA_PUB_EXP, e, BUILD_END);
378 chunk_free(&n);
379 chunk_free(&e);
380
381 return public;
382 }
383
384 /**
385 * Implementation of gmp_rsa_private_key.equals.
386 */
387 static bool equals(private_gmp_rsa_private_key_t *this, private_key_t *other)
388 {
389 return private_key_equals(&this->public.interface, other);
390 }
391
392 /**
393 * Implementation of gmp_rsa_private_key.belongs_to.
394 */
395 static bool belongs_to(private_gmp_rsa_private_key_t *this, public_key_t *public)
396 {
397 return private_key_belongs_to(&this->public.interface, public);
398 }
399
400 /**
401 * Implementation of private_key_t.get_encoding
402 */
403 static bool get_encoding(private_gmp_rsa_private_key_t *this,
404 key_encoding_type_t type, chunk_t *encoding)
405 {
406 chunk_t n, e, d, p, q, exp1, exp2, coeff;
407 bool success;
408
409 n = gmp_mpz_to_chunk(this->n);
410 e = gmp_mpz_to_chunk(this->e);
411 d = gmp_mpz_to_chunk(this->d);
412 p = gmp_mpz_to_chunk(this->p);
413 q = gmp_mpz_to_chunk(this->q);
414 exp1 = gmp_mpz_to_chunk(this->exp1);
415 exp2 = gmp_mpz_to_chunk(this->exp2);
416 coeff = gmp_mpz_to_chunk(this->coeff);
417
418 success = lib->encoding->encode(lib->encoding,
419 type, NULL, encoding, KEY_PART_RSA_MODULUS, n,
420 KEY_PART_RSA_PUB_EXP, e, KEY_PART_RSA_PRIV_EXP, d,
421 KEY_PART_RSA_PRIME1, p, KEY_PART_RSA_PRIME2, q,
422 KEY_PART_RSA_EXP1, exp1, KEY_PART_RSA_EXP2, exp2,
423 KEY_PART_RSA_COEFF, coeff, KEY_PART_END);
424 chunk_free(&n);
425 chunk_free(&e);
426 chunk_clear(&d);
427 chunk_clear(&p);
428 chunk_clear(&q);
429 chunk_clear(&exp1);
430 chunk_clear(&exp2);
431 chunk_clear(&coeff);
432
433 return success;
434 }
435
436 /**
437 * Implementation of private_key_t.get_fingerprint
438 */
439 static bool get_fingerprint(private_gmp_rsa_private_key_t *this,
440 key_encoding_type_t type, chunk_t *fp)
441 {
442 chunk_t n, e;
443 bool success;
444
445 if (lib->encoding->get_cache(lib->encoding, type, this, fp))
446 {
447 return TRUE;
448 }
449 n = gmp_mpz_to_chunk(this->n);
450 e = gmp_mpz_to_chunk(this->e);
451
452 success = lib->encoding->encode(lib->encoding, type, this, fp,
453 KEY_PART_RSA_MODULUS, n, KEY_PART_RSA_PUB_EXP, e, KEY_PART_END);
454 chunk_free(&n);
455 chunk_free(&e);
456
457 return success;
458 }
459
460 /**
461 * Implementation of gmp_rsa_private_key.get_ref.
462 */
463 static private_gmp_rsa_private_key_t* get_ref(private_gmp_rsa_private_key_t *this)
464 {
465 ref_get(&this->ref);
466 return this;
467 }
468
469 /**
470 * Implementation of gmp_rsa_private_key.destroy.
471 */
472 static void destroy(private_gmp_rsa_private_key_t *this)
473 {
474 if (ref_put(&this->ref))
475 {
476 mpz_clear_sensitive(this->n);
477 mpz_clear_sensitive(this->e);
478 mpz_clear_sensitive(this->p);
479 mpz_clear_sensitive(this->q);
480 mpz_clear_sensitive(this->d);
481 mpz_clear_sensitive(this->exp1);
482 mpz_clear_sensitive(this->exp2);
483 mpz_clear_sensitive(this->coeff);
484 lib->encoding->clear_cache(lib->encoding, this);
485 free(this);
486 }
487 }
488
489 /**
490 * Check the loaded key if it is valid and usable
491 */
492 static status_t check(private_gmp_rsa_private_key_t *this)
493 {
494 mpz_t t, u, q1;
495 status_t status = SUCCESS;
496
497 /* PKCS#1 1.5 section 6 requires modulus to have at least 12 octets.
498 * We actually require more (for security).
499 */
500 if (this->k < 512 / BITS_PER_BYTE)
501 {
502 DBG1("key shorter than 512 bits");
503 return FAILED;
504 }
505
506 /* we picked a max modulus size to simplify buffer allocation */
507 if (this->k > 8192 / BITS_PER_BYTE)
508 {
509 DBG1("key larger than 8192 bits");
510 return FAILED;
511 }
512
513 mpz_init(t);
514 mpz_init(u);
515 mpz_init(q1);
516
517 /* check that n == p * q */
518 mpz_mul(u, this->p, this->q);
519 if (mpz_cmp(u, this->n) != 0)
520 {
521 status = FAILED;
522 }
523
524 /* check that e divides neither p-1 nor q-1 */
525 mpz_sub_ui(t, this->p, 1);
526 mpz_mod(t, t, this->e);
527 if (mpz_cmp_ui(t, 0) == 0)
528 {
529 status = FAILED;
530 }
531
532 mpz_sub_ui(t, this->q, 1);
533 mpz_mod(t, t, this->e);
534 if (mpz_cmp_ui(t, 0) == 0)
535 {
536 status = FAILED;
537 }
538
539 /* check that d is e^-1 (mod lcm(p-1, q-1)) */
540 /* see PKCS#1v2, aka RFC 2437, for the "lcm" */
541 mpz_sub_ui(q1, this->q, 1);
542 mpz_sub_ui(u, this->p, 1);
543 mpz_gcd(t, u, q1); /* t := gcd(p-1, q-1) */
544 mpz_mul(u, u, q1); /* u := (p-1) * (q-1) */
545 mpz_divexact(u, u, t); /* u := lcm(p-1, q-1) */
546
547 mpz_mul(t, this->d, this->e);
548 mpz_mod(t, t, u);
549 if (mpz_cmp_ui(t, 1) != 0)
550 {
551 status = FAILED;
552 }
553
554 /* check that exp1 is d mod (p-1) */
555 mpz_sub_ui(u, this->p, 1);
556 mpz_mod(t, this->d, u);
557 if (mpz_cmp(t, this->exp1) != 0)
558 {
559 status = FAILED;
560 }
561
562 /* check that exp2 is d mod (q-1) */
563 mpz_sub_ui(u, this->q, 1);
564 mpz_mod(t, this->d, u);
565 if (mpz_cmp(t, this->exp2) != 0)
566 {
567 status = FAILED;
568 }
569
570 /* check that coeff is (q^-1) mod p */
571 mpz_mul(t, this->coeff, this->q);
572 mpz_mod(t, t, this->p);
573 if (mpz_cmp_ui(t, 1) != 0)
574 {
575 status = FAILED;
576 }
577
578 mpz_clear_sensitive(t);
579 mpz_clear_sensitive(u);
580 mpz_clear_sensitive(q1);
581 if (status != SUCCESS)
582 {
583 DBG1("key integrity tests failed");
584 }
585 return status;
586 }
587
588 /**
589 * Internal generic constructor
590 */
591 static private_gmp_rsa_private_key_t *gmp_rsa_private_key_create_empty(void)
592 {
593 private_gmp_rsa_private_key_t *this = malloc_thing(private_gmp_rsa_private_key_t);
594
595 this->public.interface.get_type = (key_type_t (*) (private_key_t*))get_type;
596 this->public.interface.sign = (bool (*) (private_key_t*, signature_scheme_t, chunk_t, chunk_t*))sign;
597 this->public.interface.decrypt = (bool (*) (private_key_t*, chunk_t, chunk_t*))decrypt;
598 this->public.interface.get_keysize = (size_t (*) (private_key_t*))get_keysize;
599 this->public.interface.get_public_key = (public_key_t* (*) (private_key_t*))get_public_key;
600 this->public.interface.equals = (bool (*) (private_key_t*, private_key_t*))equals;
601 this->public.interface.belongs_to = (bool (*) (private_key_t*, public_key_t*))belongs_to;
602 this->public.interface.get_fingerprint = (bool(*)(private_key_t*, key_encoding_type_t type, chunk_t *fp))get_fingerprint;
603 this->public.interface.has_fingerprint = (bool(*)(private_key_t*, chunk_t fp))private_key_has_fingerprint;
604 this->public.interface.get_encoding = (bool(*)(private_key_t*, key_encoding_type_t type, chunk_t *encoding))get_encoding;
605 this->public.interface.get_ref = (private_key_t* (*) (private_key_t*))get_ref;
606 this->public.interface.destroy = (void (*) (private_key_t*))destroy;
607
608 this->ref = 1;
609
610 return this;
611 }
612
613 /**
614 * See header.
615 */
616 gmp_rsa_private_key_t *gmp_rsa_private_key_gen(key_type_t type, va_list args)
617 {
618 mpz_t p, q, n, e, d, exp1, exp2, coeff, m, q1, t;
619 private_gmp_rsa_private_key_t *this;
620 u_int key_size = 0;
621
622 while (TRUE)
623 {
624 switch (va_arg(args, builder_part_t))
625 {
626 case BUILD_KEY_SIZE:
627 key_size = va_arg(args, u_int);
628 continue;
629 case BUILD_END:
630 break;
631 default:
632 return NULL;
633 }
634 break;
635 }
636 if (!key_size)
637 {
638 return NULL;
639 }
640
641 this = gmp_rsa_private_key_create_empty();
642 key_size = key_size / BITS_PER_BYTE;
643
644 /* Get values of primes p and q */
645 if (compute_prime(this, key_size/2, &p) != SUCCESS)
646 {
647 free(this);
648 return NULL;
649 }
650 if (compute_prime(this, key_size/2, &q) != SUCCESS)
651 {
652 mpz_clear(p);
653 free(this);
654 return NULL;
655 }
656
657 mpz_init(t);
658 mpz_init(n);
659 mpz_init(d);
660 mpz_init(exp1);
661 mpz_init(exp2);
662 mpz_init(coeff);
663
664 /* Swapping Primes so p is larger then q */
665 if (mpz_cmp(p, q) < 0)
666 {
667 mpz_swap(p, q);
668 }
669
670 mpz_mul(n, p, q); /* n = p*q */
671 mpz_init_set_ui(e, PUBLIC_EXPONENT); /* assign public exponent */
672 mpz_init_set(m, p); /* m = p */
673 mpz_sub_ui(m, m, 1); /* m = m -1 */
674 mpz_init_set(q1, q); /* q1 = q */
675 mpz_sub_ui(q1, q1, 1); /* q1 = q1 -1 */
676 mpz_gcd(t, m, q1); /* t = gcd(p-1, q-1) */
677 mpz_mul(m, m, q1); /* m = (p-1)*(q-1) */
678 mpz_divexact(m, m, t); /* m = m / t */
679 mpz_gcd(t, m, e); /* t = gcd(m, e) */
680
681 mpz_invert(d, e, m); /* e has an inverse mod m */
682 if (mpz_cmp_ui(d, 0) < 0) /* make sure d is positive */
683 {
684 mpz_add(d, d, m);
685 }
686 mpz_sub_ui(t, p, 1); /* t = p-1 */
687 mpz_mod(exp1, d, t); /* exp1 = d mod p-1 */
688 mpz_sub_ui(t, q, 1); /* t = q-1 */
689 mpz_mod(exp2, d, t); /* exp2 = d mod q-1 */
690
691 mpz_invert(coeff, q, p); /* coeff = q^-1 mod p */
692 if (mpz_cmp_ui(coeff, 0) < 0) /* make coeff d is positive */
693 {
694 mpz_add(coeff, coeff, p);
695 }
696
697 mpz_clear_sensitive(q1);
698 mpz_clear_sensitive(m);
699 mpz_clear_sensitive(t);
700
701 /* apply values */
702 *(this->p) = *p;
703 *(this->q) = *q;
704 *(this->n) = *n;
705 *(this->e) = *e;
706 *(this->d) = *d;
707 *(this->exp1) = *exp1;
708 *(this->exp2) = *exp2;
709 *(this->coeff) = *coeff;
710
711 /* set key size in bytes */
712 this->k = key_size;
713
714 return &this->public;
715 }
716
717 /**
718 * See header.
719 */
720 gmp_rsa_private_key_t *gmp_rsa_private_key_load(key_type_t type, va_list args)
721 {
722 chunk_t n, e, d, p, q, exp1, exp2, coeff;
723 private_gmp_rsa_private_key_t *this;
724
725 n = e = d = p = q = exp1 = exp2 = coeff = chunk_empty;
726 while (TRUE)
727 {
728 switch (va_arg(args, builder_part_t))
729 {
730 case BUILD_RSA_MODULUS:
731 n = va_arg(args, chunk_t);
732 continue;
733 case BUILD_RSA_PUB_EXP:
734 e = va_arg(args, chunk_t);
735 continue;
736 case BUILD_RSA_PRIV_EXP:
737 d = va_arg(args, chunk_t);
738 continue;
739 case BUILD_RSA_PRIME1:
740 p = va_arg(args, chunk_t);
741 continue;
742 case BUILD_RSA_PRIME2:
743 q = va_arg(args, chunk_t);
744 continue;
745 case BUILD_RSA_EXP1:
746 exp1 = va_arg(args, chunk_t);
747 continue;
748 case BUILD_RSA_EXP2:
749 exp2 = va_arg(args, chunk_t);
750 continue;
751 case BUILD_RSA_COEFF:
752 coeff = va_arg(args, chunk_t);
753 continue;
754 case BUILD_END:
755 break;
756 default:
757 return NULL;
758 }
759 break;
760 }
761
762 this = gmp_rsa_private_key_create_empty();
763
764 mpz_init(this->n);
765 mpz_init(this->e);
766 mpz_init(this->p);
767 mpz_init(this->q);
768 mpz_init(this->d);
769 mpz_init(this->exp1);
770 mpz_init(this->exp2);
771 mpz_init(this->coeff);
772
773 mpz_import(this->n, n.len, 1, 1, 1, 0, n.ptr);
774 mpz_import(this->e, e.len, 1, 1, 1, 0, e.ptr);
775 mpz_import(this->d, d.len, 1, 1, 1, 0, d.ptr);
776 mpz_import(this->p, p.len, 1, 1, 1, 0, p.ptr);
777 mpz_import(this->q, q.len, 1, 1, 1, 0, q.ptr);
778 mpz_import(this->coeff, coeff.len, 1, 1, 1, 0, coeff.ptr);
779 if (!exp1.len)
780 { /* exp1 missing in key, recalculate: exp1 = d mod (p-1) */
781 mpz_sub_ui(this->exp1, this->p, 1);
782 mpz_mod(this->exp1, this->d, this->exp1);
783 }
784 else
785 {
786 mpz_import(this->exp1, exp1.len, 1, 1, 1, 0, exp1.ptr);
787 }
788 if (!exp2.len)
789 { /* exp2 missing in key, recalculate: exp2 = d mod (q-1) */
790 mpz_sub_ui(this->exp2, this->q, 1);
791 mpz_mod(this->exp2, this->d, this->exp2);
792 }
793 else
794 {
795 mpz_import(this->exp2, exp2.len, 1, 1, 1, 0, exp2.ptr);
796 }
797 this->k = (mpz_sizeinbase(this->n, 2) + 7) / BITS_PER_BYTE;
798 if (check(this) != SUCCESS)
799 {
800 destroy(this);
801 return NULL;
802 }
803 return &this->public;
804 }
805