gmp: Support of SHA-3 RSA signatures
[strongswan.git] / src / libstrongswan / plugins / gmp / gmp_rsa_private_key.c
1 /*
2 * Copyright (C) 2005 Jan Hutter
3 * Copyright (C) 2005-2009 Martin Willi
4 * Copyright (C) 2012 Andreas Steffen
5 * HSR Hochschule fuer Technik Rapperswil
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 */
17
18 #include <gmp.h>
19 #include <sys/stat.h>
20 #include <unistd.h>
21 #include <string.h>
22
23 #include "gmp_rsa_private_key.h"
24 #include "gmp_rsa_public_key.h"
25
26 #include <utils/debug.h>
27 #include <asn1/oid.h>
28 #include <asn1/asn1.h>
29 #include <asn1/asn1_parser.h>
30
31 #ifdef HAVE_MPZ_POWM_SEC
32 # undef mpz_powm
33 # define mpz_powm mpz_powm_sec
34 #endif
35
36 /**
37 * Public exponent to use for key generation.
38 */
39 #define PUBLIC_EXPONENT 0x10001
40
41 typedef struct private_gmp_rsa_private_key_t private_gmp_rsa_private_key_t;
42
43 /**
44 * Private data of a gmp_rsa_private_key_t object.
45 */
46 struct private_gmp_rsa_private_key_t {
47 /**
48 * Public interface for this signer.
49 */
50 gmp_rsa_private_key_t public;
51
52 /**
53 * Public modulus.
54 */
55 mpz_t n;
56
57 /**
58 * Public exponent.
59 */
60 mpz_t e;
61
62 /**
63 * Private prime 1.
64 */
65 mpz_t p;
66
67 /**
68 * Private Prime 2.
69 */
70 mpz_t q;
71
72 /**
73 * Carmichael function m = lambda(n) = lcm(p-1,q-1).
74 */
75 mpz_t m;
76
77 /**
78 * Private exponent and optional secret sharing polynomial coefficients.
79 */
80 mpz_t *d;
81
82 /**
83 * Private exponent 1.
84 */
85 mpz_t exp1;
86
87 /**
88 * Private exponent 2.
89 */
90 mpz_t exp2;
91
92 /**
93 * Private coefficient.
94 */
95 mpz_t coeff;
96
97 /**
98 * Total number of private key shares
99 */
100 u_int shares;
101
102 /**
103 * Secret sharing threshold
104 */
105 u_int threshold;
106
107 /**
108 * Optional verification key (threshold > 1).
109 */
110 mpz_t v;
111
112 /**
113 * Keysize in bytes.
114 */
115 size_t k;
116
117 /**
118 * reference count
119 */
120 refcount_t ref;
121 };
122
123 /**
124 * Convert a MP integer into a chunk_t
125 */
126 chunk_t gmp_mpz_to_chunk(const mpz_t value)
127 {
128 chunk_t n;
129
130 n.len = 1 + mpz_sizeinbase(value, 2) / BITS_PER_BYTE;
131 n.ptr = mpz_export(NULL, NULL, 1, n.len, 1, 0, value);
132 if (n.ptr == NULL)
133 { /* if we have zero in "value", gmp returns NULL */
134 n.len = 0;
135 }
136 return n;
137 }
138
139 /**
140 * Auxiliary function overwriting private key material with zero bytes
141 */
142 static void mpz_clear_sensitive(mpz_t z)
143 {
144 size_t len = mpz_size(z) * GMP_LIMB_BITS / BITS_PER_BYTE;
145 uint8_t *zeros = alloca(len);
146
147 memset(zeros, 0, len);
148 /* overwrite mpz_t with zero bytes before clearing it */
149 mpz_import(z, len, 1, 1, 1, 0, zeros);
150 mpz_clear(z);
151 }
152
153 /**
154 * Create a mpz prime of at least prime_size
155 */
156 static status_t compute_prime(size_t prime_size, bool safe, mpz_t *p, mpz_t *q)
157 {
158 rng_t *rng;
159 chunk_t random_bytes;
160 int count = 0;
161
162 rng = lib->crypto->create_rng(lib->crypto, RNG_TRUE);
163 if (!rng)
164 {
165 DBG1(DBG_LIB, "no RNG of quality %N found", rng_quality_names,
166 RNG_TRUE);
167 return FAILED;
168 }
169
170 mpz_init(*p);
171 mpz_init(*q);
172
173 do
174 {
175 if (!rng->allocate_bytes(rng, prime_size, &random_bytes))
176 {
177 DBG1(DBG_LIB, "failed to allocate random prime");
178 mpz_clear(*p);
179 mpz_clear(*q);
180 rng->destroy(rng);
181 return FAILED;
182 }
183
184 /* make sure the two most significant bits are set */
185 if (safe)
186 {
187 random_bytes.ptr[0] &= 0x7F;
188 random_bytes.ptr[0] |= 0x60;
189 mpz_import(*q, random_bytes.len, 1, 1, 1, 0, random_bytes.ptr);
190 do
191 {
192 count++;
193 mpz_nextprime (*q, *q);
194 mpz_mul_ui(*p, *q, 2);
195 mpz_add_ui(*p, *p, 1);
196 }
197 while (mpz_probab_prime_p(*p, 10) == 0);
198 DBG2(DBG_LIB, "safe prime found after %d iterations", count);
199 }
200 else
201 {
202 random_bytes.ptr[0] |= 0xC0;
203 mpz_import(*p, random_bytes.len, 1, 1, 1, 0, random_bytes.ptr);
204 mpz_nextprime (*p, *p);
205 }
206 chunk_clear(&random_bytes);
207 }
208
209 /* check if the prime isn't too large */
210 while (((mpz_sizeinbase(*p, 2) + 7) / 8) > prime_size);
211
212 rng->destroy(rng);
213
214 /* additionally return p-1 */
215 mpz_sub_ui(*q, *p, 1);
216
217 return SUCCESS;
218 }
219
220 /**
221 * PKCS#1 RSADP function
222 */
223 static chunk_t rsadp(private_gmp_rsa_private_key_t *this, chunk_t data)
224 {
225 mpz_t t1, t2;
226 chunk_t decrypted;
227
228 mpz_init(t1);
229 mpz_init(t2);
230
231 mpz_import(t1, data.len, 1, 1, 1, 0, data.ptr);
232
233 mpz_powm(t2, t1, this->exp1, this->p); /* m1 = c^dP mod p */
234 mpz_powm(t1, t1, this->exp2, this->q); /* m2 = c^dQ mod Q */
235 mpz_sub(t2, t2, t1); /* h = qInv (m1 - m2) mod p */
236 mpz_mod(t2, t2, this->p);
237 mpz_mul(t2, t2, this->coeff);
238 mpz_mod(t2, t2, this->p);
239
240 mpz_mul(t2, t2, this->q); /* m = m2 + h q */
241 mpz_add(t1, t1, t2);
242
243 decrypted.len = this->k;
244 decrypted.ptr = mpz_export(NULL, NULL, 1, decrypted.len, 1, 0, t1);
245 if (decrypted.ptr == NULL)
246 {
247 decrypted.len = 0;
248 }
249
250 mpz_clear_sensitive(t1);
251 mpz_clear_sensitive(t2);
252
253 return decrypted;
254 }
255
256 /**
257 * PKCS#1 RSASP1 function
258 */
259 static chunk_t rsasp1(private_gmp_rsa_private_key_t *this, chunk_t data)
260 {
261 return rsadp(this, data);
262 }
263
264 /**
265 * Build a signature using the PKCS#1 EMSA scheme
266 */
267 static bool build_emsa_pkcs1_signature(private_gmp_rsa_private_key_t *this,
268 hash_algorithm_t hash_algorithm,
269 chunk_t data, chunk_t *signature)
270 {
271 chunk_t digestInfo = chunk_empty;
272 chunk_t em;
273
274 if (hash_algorithm != HASH_UNKNOWN)
275 {
276 hasher_t *hasher;
277 chunk_t hash;
278 int hash_oid = hasher_algorithm_to_oid(hash_algorithm);
279
280 if (hash_oid == OID_UNKNOWN)
281 {
282 return FALSE;
283 }
284
285 hasher = lib->crypto->create_hasher(lib->crypto, hash_algorithm);
286 if (!hasher || !hasher->allocate_hash(hasher, data, &hash))
287 {
288 DESTROY_IF(hasher);
289 return FALSE;
290 }
291 hasher->destroy(hasher);
292
293 /* build DER-encoded digestInfo */
294 digestInfo = asn1_wrap(ASN1_SEQUENCE, "mm",
295 asn1_algorithmIdentifier(hash_oid),
296 asn1_simple_object(ASN1_OCTET_STRING, hash)
297 );
298 chunk_free(&hash);
299 data = digestInfo;
300 }
301
302 if (data.len > this->k - 3)
303 {
304 free(digestInfo.ptr);
305 DBG1(DBG_LIB, "unable to sign %d bytes using a %dbit key", data.len,
306 mpz_sizeinbase(this->n, 2));
307 return FALSE;
308 }
309
310 /* build chunk to rsa-decrypt:
311 * EM = 0x00 || 0x01 || PS || 0x00 || T.
312 * PS = 0xFF padding, with length to fill em
313 * T = encoded_hash
314 */
315 em.len = this->k;
316 em.ptr = malloc(em.len);
317
318 /* fill em with padding */
319 memset(em.ptr, 0xFF, em.len);
320 /* set magic bytes */
321 *(em.ptr) = 0x00;
322 *(em.ptr+1) = 0x01;
323 *(em.ptr + em.len - data.len - 1) = 0x00;
324 /* set DER-encoded hash */
325 memcpy(em.ptr + em.len - data.len, data.ptr, data.len);
326
327 /* build signature */
328 *signature = rsasp1(this, em);
329
330 free(digestInfo.ptr);
331 free(em.ptr);
332
333 return TRUE;
334 }
335
336 METHOD(private_key_t, get_type, key_type_t,
337 private_gmp_rsa_private_key_t *this)
338 {
339 return KEY_RSA;
340 }
341
342 METHOD(private_key_t, sign, bool,
343 private_gmp_rsa_private_key_t *this, signature_scheme_t scheme,
344 chunk_t data, chunk_t *signature)
345 {
346 switch (scheme)
347 {
348 case SIGN_RSA_EMSA_PKCS1_NULL:
349 return build_emsa_pkcs1_signature(this, HASH_UNKNOWN, data, signature);
350 case SIGN_RSA_EMSA_PKCS1_SHA2_224:
351 return build_emsa_pkcs1_signature(this, HASH_SHA224, data, signature);
352 case SIGN_RSA_EMSA_PKCS1_SHA2_256:
353 return build_emsa_pkcs1_signature(this, HASH_SHA256, data, signature);
354 case SIGN_RSA_EMSA_PKCS1_SHA2_384:
355 return build_emsa_pkcs1_signature(this, HASH_SHA384, data, signature);
356 case SIGN_RSA_EMSA_PKCS1_SHA2_512:
357 return build_emsa_pkcs1_signature(this, HASH_SHA512, data, signature);
358 case SIGN_RSA_EMSA_PKCS1_SHA3_224:
359 return build_emsa_pkcs1_signature(this, HASH_SHA3_224, data, signature);
360 case SIGN_RSA_EMSA_PKCS1_SHA3_256:
361 return build_emsa_pkcs1_signature(this, HASH_SHA3_256, data, signature);
362 case SIGN_RSA_EMSA_PKCS1_SHA3_384:
363 return build_emsa_pkcs1_signature(this, HASH_SHA3_384, data, signature);
364 case SIGN_RSA_EMSA_PKCS1_SHA3_512:
365 return build_emsa_pkcs1_signature(this, HASH_SHA3_512, data, signature);
366 case SIGN_RSA_EMSA_PKCS1_SHA1:
367 return build_emsa_pkcs1_signature(this, HASH_SHA1, data, signature);
368 case SIGN_RSA_EMSA_PKCS1_MD5:
369 return build_emsa_pkcs1_signature(this, HASH_MD5, data, signature);
370 default:
371 DBG1(DBG_LIB, "signature scheme %N not supported in RSA",
372 signature_scheme_names, scheme);
373 return FALSE;
374 }
375 }
376
377 METHOD(private_key_t, decrypt, bool,
378 private_gmp_rsa_private_key_t *this, encryption_scheme_t scheme,
379 chunk_t crypto, chunk_t *plain)
380 {
381 chunk_t em, stripped;
382 bool success = FALSE;
383
384 if (scheme != ENCRYPT_RSA_PKCS1)
385 {
386 DBG1(DBG_LIB, "encryption scheme %N not supported",
387 encryption_scheme_names, scheme);
388 return FALSE;
389 }
390 /* rsa decryption using PKCS#1 RSADP */
391 stripped = em = rsadp(this, crypto);
392
393 /* PKCS#1 v1.5 8.1 encryption-block formatting (EB = 00 || 02 || PS || 00 || D) */
394
395 /* check for hex pattern 00 02 in decrypted message */
396 if ((*stripped.ptr++ != 0x00) || (*(stripped.ptr++) != 0x02))
397 {
398 DBG1(DBG_LIB, "incorrect padding - probably wrong rsa key");
399 goto end;
400 }
401 stripped.len -= 2;
402
403 /* the plaintext data starts after first 0x00 byte */
404 while (stripped.len-- > 0 && *stripped.ptr++ != 0x00)
405
406 if (stripped.len == 0)
407 {
408 DBG1(DBG_LIB, "no plaintext data");
409 goto end;
410 }
411
412 *plain = chunk_clone(stripped);
413 success = TRUE;
414
415 end:
416 chunk_clear(&em);
417 return success;
418 }
419
420 METHOD(private_key_t, get_keysize, int,
421 private_gmp_rsa_private_key_t *this)
422 {
423 return mpz_sizeinbase(this->n, 2);
424 }
425
426 METHOD(private_key_t, get_public_key, public_key_t*,
427 private_gmp_rsa_private_key_t *this)
428 {
429 chunk_t n, e;
430 public_key_t *public;
431
432 n = gmp_mpz_to_chunk(this->n);
433 e = gmp_mpz_to_chunk(this->e);
434
435 public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
436 BUILD_RSA_MODULUS, n, BUILD_RSA_PUB_EXP, e, BUILD_END);
437 chunk_free(&n);
438 chunk_free(&e);
439
440 return public;
441 }
442
443 METHOD(private_key_t, get_encoding, bool,
444 private_gmp_rsa_private_key_t *this, cred_encoding_type_t type,
445 chunk_t *encoding)
446 {
447 chunk_t n, e, d, p, q, exp1, exp2, coeff;
448 bool success;
449
450 n = gmp_mpz_to_chunk(this->n);
451 e = gmp_mpz_to_chunk(this->e);
452 d = gmp_mpz_to_chunk(*this->d);
453 p = gmp_mpz_to_chunk(this->p);
454 q = gmp_mpz_to_chunk(this->q);
455 exp1 = gmp_mpz_to_chunk(this->exp1);
456 exp2 = gmp_mpz_to_chunk(this->exp2);
457 coeff = gmp_mpz_to_chunk(this->coeff);
458
459 success = lib->encoding->encode(lib->encoding,
460 type, NULL, encoding, CRED_PART_RSA_MODULUS, n,
461 CRED_PART_RSA_PUB_EXP, e, CRED_PART_RSA_PRIV_EXP, d,
462 CRED_PART_RSA_PRIME1, p, CRED_PART_RSA_PRIME2, q,
463 CRED_PART_RSA_EXP1, exp1, CRED_PART_RSA_EXP2, exp2,
464 CRED_PART_RSA_COEFF, coeff, CRED_PART_END);
465 chunk_free(&n);
466 chunk_free(&e);
467 chunk_clear(&d);
468 chunk_clear(&p);
469 chunk_clear(&q);
470 chunk_clear(&exp1);
471 chunk_clear(&exp2);
472 chunk_clear(&coeff);
473
474 return success;
475 }
476
477 METHOD(private_key_t, get_fingerprint, bool,
478 private_gmp_rsa_private_key_t *this, cred_encoding_type_t type, chunk_t *fp)
479 {
480 chunk_t n, e;
481 bool success;
482
483 if (lib->encoding->get_cache(lib->encoding, type, this, fp))
484 {
485 return TRUE;
486 }
487 n = gmp_mpz_to_chunk(this->n);
488 e = gmp_mpz_to_chunk(this->e);
489
490 success = lib->encoding->encode(lib->encoding, type, this, fp,
491 CRED_PART_RSA_MODULUS, n, CRED_PART_RSA_PUB_EXP, e, CRED_PART_END);
492 chunk_free(&n);
493 chunk_free(&e);
494
495 return success;
496 }
497
498 METHOD(private_key_t, get_ref, private_key_t*,
499 private_gmp_rsa_private_key_t *this)
500 {
501 ref_get(&this->ref);
502 return &this->public.key;
503 }
504
505 METHOD(private_key_t, destroy, void,
506 private_gmp_rsa_private_key_t *this)
507 {
508 if (ref_put(&this->ref))
509 {
510 int i;
511
512 mpz_clear(this->n);
513 mpz_clear(this->e);
514 mpz_clear(this->v);
515 mpz_clear_sensitive(this->p);
516 mpz_clear_sensitive(this->q);
517 mpz_clear_sensitive(this->m);
518 mpz_clear_sensitive(this->exp1);
519 mpz_clear_sensitive(this->exp2);
520 mpz_clear_sensitive(this->coeff);
521
522 for (i = 0; i < this->threshold; i++)
523 {
524 mpz_clear_sensitive(*this->d + i);
525 }
526 free(this->d);
527
528 lib->encoding->clear_cache(lib->encoding, this);
529 free(this);
530 }
531 }
532
533 /**
534 * Check the loaded key if it is valid and usable
535 */
536 static status_t check(private_gmp_rsa_private_key_t *this)
537 {
538 mpz_t u, p1, q1;
539 status_t status = SUCCESS;
540
541 /* PKCS#1 1.5 section 6 requires modulus to have at least 12 octets.
542 * We actually require more (for security).
543 */
544 if (this->k < 512 / BITS_PER_BYTE)
545 {
546 DBG1(DBG_LIB, "key shorter than 512 bits");
547 return FAILED;
548 }
549
550 /* we picked a max modulus size to simplify buffer allocation */
551 if (this->k > 8192 / BITS_PER_BYTE)
552 {
553 DBG1(DBG_LIB, "key larger than 8192 bits");
554 return FAILED;
555 }
556
557 mpz_init(u);
558 mpz_init(p1);
559 mpz_init(q1);
560
561 /* precompute p1 = p-1 and q1 = q-1 */
562 mpz_sub_ui(p1, this->p, 1);
563 mpz_sub_ui(q1, this->q, 1);
564
565 /* check that n == p * q */
566 mpz_mul(u, this->p, this->q);
567 if (mpz_cmp(u, this->n) != 0)
568 {
569 status = FAILED;
570 }
571
572 /* check that e divides neither p-1 nor q-1 */
573 mpz_mod(u, p1, this->e);
574 if (mpz_cmp_ui(u, 0) == 0)
575 {
576 status = FAILED;
577 }
578
579 mpz_mod(u, q1, this->e);
580 if (mpz_cmp_ui(u, 0) == 0)
581 {
582 status = FAILED;
583 }
584
585 /* check that d is e^-1 (mod lcm(p-1, q-1)) */
586 /* see PKCS#1v2, aka RFC 2437, for the "lcm" */
587 mpz_lcm(this->m, p1, q1);
588 mpz_mul(u, *this->d, this->e);
589 mpz_mod(u, u, this->m);
590 if (mpz_cmp_ui(u, 1) != 0)
591 {
592 status = FAILED;
593 }
594
595 /* check that exp1 is d mod (p-1) */
596 mpz_mod(u, *this->d, p1);
597 if (mpz_cmp(u, this->exp1) != 0)
598 {
599 status = FAILED;
600 }
601
602 /* check that exp2 is d mod (q-1) */
603 mpz_mod(u, *this->d, q1);
604 if (mpz_cmp(u, this->exp2) != 0)
605 {
606 status = FAILED;
607 }
608
609 /* check that coeff is (q^-1) mod p */
610 mpz_mul(u, this->coeff, this->q);
611 mpz_mod(u, u, this->p);
612 if (mpz_cmp_ui(u, 1) != 0)
613 {
614 status = FAILED;
615 }
616
617 mpz_clear_sensitive(u);
618 mpz_clear_sensitive(p1);
619 mpz_clear_sensitive(q1);
620
621 if (status != SUCCESS)
622 {
623 DBG1(DBG_LIB, "key integrity tests failed");
624 }
625 return status;
626 }
627
628 /**
629 * Internal generic constructor
630 */
631 static private_gmp_rsa_private_key_t *gmp_rsa_private_key_create_empty(void)
632 {
633 private_gmp_rsa_private_key_t *this;
634
635 INIT(this,
636 .public = {
637 .key = {
638 .get_type = _get_type,
639 .sign = _sign,
640 .decrypt = _decrypt,
641 .get_keysize = _get_keysize,
642 .get_public_key = _get_public_key,
643 .equals = private_key_equals,
644 .belongs_to = private_key_belongs_to,
645 .get_fingerprint = _get_fingerprint,
646 .has_fingerprint = private_key_has_fingerprint,
647 .get_encoding = _get_encoding,
648 .get_ref = _get_ref,
649 .destroy = _destroy,
650 },
651 },
652 .threshold = 1,
653 .ref = 1,
654 );
655 return this;
656 }
657
658 /**
659 * See header.
660 */
661 gmp_rsa_private_key_t *gmp_rsa_private_key_gen(key_type_t type, va_list args)
662 {
663 private_gmp_rsa_private_key_t *this;
664 u_int key_size = 0, shares = 0, threshold = 1;
665 bool safe_prime = FALSE, rng_failed = FALSE, invert_failed = FALSE;
666 mpz_t p, q, p1, q1, d;
667 ;
668
669 while (TRUE)
670 {
671 switch (va_arg(args, builder_part_t))
672 {
673 case BUILD_KEY_SIZE:
674 key_size = va_arg(args, u_int);
675 continue;
676 case BUILD_SAFE_PRIMES:
677 safe_prime = TRUE;
678 continue;
679 case BUILD_SHARES:
680 shares = va_arg(args, u_int);
681 continue;
682 case BUILD_THRESHOLD:
683 threshold = va_arg(args, u_int);
684 continue;
685 case BUILD_END:
686 break;
687 default:
688 return NULL;
689 }
690 break;
691 }
692 if (!key_size)
693 {
694 return NULL;
695 }
696 key_size = key_size / BITS_PER_BYTE;
697
698 /* Get values of primes p and q */
699 if (compute_prime(key_size/2, safe_prime, &p, &p1) != SUCCESS)
700 {
701 return NULL;
702 }
703 if (compute_prime(key_size/2, safe_prime, &q, &q1) != SUCCESS)
704 {
705 mpz_clear(p);
706 mpz_clear(p1);
707 return NULL;
708 }
709
710 /* Swapping Primes so p is larger then q */
711 if (mpz_cmp(p, q) < 0)
712 {
713 mpz_swap(p, q);
714 mpz_swap(p1, q1);
715 }
716
717 /* Create and initialize RSA private key object */
718 this = gmp_rsa_private_key_create_empty();
719 this->shares = shares;
720 this->threshold = threshold;
721 this->d = malloc(threshold * sizeof(mpz_t));
722 *this->p = *p;
723 *this->q = *q;
724
725 mpz_init_set_ui(this->e, PUBLIC_EXPONENT);
726 mpz_init(this->n);
727 mpz_init(this->m);
728 mpz_init(this->exp1);
729 mpz_init(this->exp2);
730 mpz_init(this->coeff);
731 mpz_init(this->v);
732 mpz_init(d);
733
734 mpz_mul(this->n, p, q); /* n = p*q */
735 mpz_lcm(this->m, p1, q1); /* m = lcm(p-1,q-1) */
736 mpz_invert(d, this->e, this->m); /* e has an inverse mod m */
737 mpz_mod(this->exp1, d, p1); /* exp1 = d mod p-1 */
738 mpz_mod(this->exp2, d, q1); /* exp2 = d mod q-1 */
739 mpz_invert(this->coeff, q, p); /* coeff = q^-1 mod p */
740
741 invert_failed = mpz_cmp_ui(this->m, 0) == 0 ||
742 mpz_cmp_ui(this->coeff, 0) == 0;
743
744 /* store secret exponent d */
745 (*this->d)[0] = *d;
746
747 /* generate and store random coefficients of secret sharing polynomial */
748 if (threshold > 1)
749 {
750 rng_t *rng;
751 chunk_t random_bytes;
752 mpz_t u;
753 int i;
754
755 rng = lib->crypto->create_rng(lib->crypto, RNG_TRUE);
756 mpz_init(u);
757
758 for (i = 1; i < threshold; i++)
759 {
760 mpz_init(d);
761
762 if (!rng->allocate_bytes(rng, key_size, &random_bytes))
763 {
764 rng_failed = TRUE;
765 continue;
766 }
767 mpz_import(d, random_bytes.len, 1, 1, 1, 0, random_bytes.ptr);
768 mpz_mod(d, d, this->m);
769 (*this->d)[i] = *d;
770 chunk_clear(&random_bytes);
771 }
772
773 /* generate verification key v as a square number */
774 do
775 {
776 if (!rng->allocate_bytes(rng, key_size, &random_bytes))
777 {
778 rng_failed = TRUE;
779 break;
780 }
781 mpz_import(this->v, random_bytes.len, 1, 1, 1, 0, random_bytes.ptr);
782 mpz_mul(this->v, this->v, this->v);
783 mpz_mod(this->v, this->v, this->n);
784 mpz_gcd(u, this->v, this->n);
785 chunk_free(&random_bytes);
786 }
787 while (mpz_cmp_ui(u, 1) != 0);
788
789 mpz_clear(u);
790 rng->destroy(rng);
791 }
792
793 mpz_clear_sensitive(p1);
794 mpz_clear_sensitive(q1);
795
796 if (rng_failed || invert_failed)
797 {
798 DBG1(DBG_LIB, "rsa key generation failed");
799 destroy(this);
800 return NULL;
801 }
802
803 /* set key size in bytes */
804 this->k = key_size;
805
806 return &this->public;
807 }
808
809 /**
810 * See header.
811 */
812 gmp_rsa_private_key_t *gmp_rsa_private_key_load(key_type_t type, va_list args)
813 {
814 private_gmp_rsa_private_key_t *this;
815 chunk_t n, e, d, p, q, exp1, exp2, coeff;
816
817 n = e = d = p = q = exp1 = exp2 = coeff = chunk_empty;
818 while (TRUE)
819 {
820 switch (va_arg(args, builder_part_t))
821 {
822 case BUILD_RSA_MODULUS:
823 n = va_arg(args, chunk_t);
824 continue;
825 case BUILD_RSA_PUB_EXP:
826 e = va_arg(args, chunk_t);
827 continue;
828 case BUILD_RSA_PRIV_EXP:
829 d = va_arg(args, chunk_t);
830 continue;
831 case BUILD_RSA_PRIME1:
832 p = va_arg(args, chunk_t);
833 continue;
834 case BUILD_RSA_PRIME2:
835 q = va_arg(args, chunk_t);
836 continue;
837 case BUILD_RSA_EXP1:
838 exp1 = va_arg(args, chunk_t);
839 continue;
840 case BUILD_RSA_EXP2:
841 exp2 = va_arg(args, chunk_t);
842 continue;
843 case BUILD_RSA_COEFF:
844 coeff = va_arg(args, chunk_t);
845 continue;
846 case BUILD_END:
847 break;
848 default:
849 return NULL;
850 }
851 break;
852 }
853
854 this = gmp_rsa_private_key_create_empty();
855
856 this->d = malloc(sizeof(mpz_t));
857 mpz_init(this->n);
858 mpz_init(this->e);
859 mpz_init(*this->d);
860 mpz_init(this->p);
861 mpz_init(this->q);
862 mpz_init(this->m);
863 mpz_init(this->exp1);
864 mpz_init(this->exp2);
865 mpz_init(this->coeff);
866 mpz_init(this->v);
867
868 mpz_import(this->n, n.len, 1, 1, 1, 0, n.ptr);
869 mpz_import(this->e, e.len, 1, 1, 1, 0, e.ptr);
870 mpz_import(*this->d, d.len, 1, 1, 1, 0, d.ptr);
871 mpz_import(this->p, p.len, 1, 1, 1, 0, p.ptr);
872 mpz_import(this->q, q.len, 1, 1, 1, 0, q.ptr);
873 mpz_import(this->coeff, coeff.len, 1, 1, 1, 0, coeff.ptr);
874 if (!exp1.len)
875 { /* exp1 missing in key, recalculate: exp1 = d mod (p-1) */
876 mpz_sub_ui(this->exp1, this->p, 1);
877 mpz_mod(this->exp1, *this->d, this->exp1);
878 }
879 else
880 {
881 mpz_import(this->exp1, exp1.len, 1, 1, 1, 0, exp1.ptr);
882 }
883 if (!exp2.len)
884 { /* exp2 missing in key, recalculate: exp2 = d mod (q-1) */
885 mpz_sub_ui(this->exp2, this->q, 1);
886 mpz_mod(this->exp2, *this->d, this->exp2);
887 }
888 else
889 {
890 mpz_import(this->exp2, exp2.len, 1, 1, 1, 0, exp2.ptr);
891 }
892 this->k = (mpz_sizeinbase(this->n, 2) + 7) / BITS_PER_BYTE;
893 if (check(this) != SUCCESS)
894 {
895 destroy(this);
896 return NULL;
897 }
898 return &this->public;
899 }
900