support of SHA224-based certificate signatures
[strongswan.git] / src / libstrongswan / plugins / gmp / gmp_rsa_private_key.c
1 /*
2 * Copyright (C) 2005-2008 Martin Willi
3 * Copyright (C) 2005 Jan Hutter
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include <gmp.h>
18 #include <sys/stat.h>
19 #include <unistd.h>
20 #include <string.h>
21
22 #include "gmp_rsa_private_key.h"
23 #include "gmp_rsa_public_key.h"
24
25 #include <debug.h>
26 #include <asn1/oid.h>
27 #include <asn1/asn1.h>
28 #include <asn1/asn1_parser.h>
29 #include <pgp/pgp.h>
30
31 /**
32 * Public exponent to use for key generation.
33 */
34 #define PUBLIC_EXPONENT 0x10001
35
36 typedef struct private_gmp_rsa_private_key_t private_gmp_rsa_private_key_t;
37
38 /**
39 * Private data of a gmp_rsa_private_key_t object.
40 */
41 struct private_gmp_rsa_private_key_t {
42 /**
43 * Public interface for this signer.
44 */
45 gmp_rsa_private_key_t public;
46
47 /**
48 * Version of key, as encoded in PKCS#1
49 */
50 u_int version;
51
52 /**
53 * Public modulus.
54 */
55 mpz_t n;
56
57 /**
58 * Public exponent.
59 */
60 mpz_t e;
61
62 /**
63 * Private prime 1.
64 */
65 mpz_t p;
66
67 /**
68 * Private Prime 2.
69 */
70 mpz_t q;
71
72 /**
73 * Private exponent.
74 */
75 mpz_t d;
76
77 /**
78 * Private exponent 1.
79 */
80 mpz_t exp1;
81
82 /**
83 * Private exponent 2.
84 */
85 mpz_t exp2;
86
87 /**
88 * Private coefficient.
89 */
90 mpz_t coeff;
91
92 /**
93 * Keysize in bytes.
94 */
95 size_t k;
96
97 /**
98 * Keyid formed as a SHA-1 hash of a publicKey object
99 */
100 identification_t* keyid;
101
102 /**
103 * Keyid formed as a SHA-1 hash of a publicKeyInfo object
104 */
105 identification_t* keyid_info;
106
107 /**
108 * reference count
109 */
110 refcount_t ref;
111 };
112
113 /**
114 * Shared functions defined in gmp_rsa_public_key.c
115 */
116 extern bool gmp_rsa_public_key_build_id(mpz_t n, mpz_t e,
117 identification_t **keyid,
118 identification_t **keyid_info);
119 extern gmp_rsa_public_key_t *gmp_rsa_public_key_create_from_n_e(mpz_t n, mpz_t e);
120
121 /**
122 * Auxiliary function overwriting private key material with zero bytes
123 */
124 static void mpz_clear_randomized(mpz_t z)
125 {
126 size_t len = mpz_size(z) * GMP_LIMB_BITS / BITS_PER_BYTE;
127 u_int8_t *random = alloca(len);
128
129 memset(random, 0, len);
130 /* overwrite mpz_t with zero bytes before clearing it */
131 mpz_import(z, len, 1, 1, 1, 0, random);
132 mpz_clear(z);
133 }
134
135 /**
136 * Create a mpz prime of at least prime_size
137 */
138 static status_t compute_prime(private_gmp_rsa_private_key_t *this,
139 size_t prime_size, mpz_t *prime)
140 {
141 rng_t *rng;
142 chunk_t random_bytes;
143
144 rng = lib->crypto->create_rng(lib->crypto, RNG_TRUE);
145 if (!rng)
146 {
147 DBG1("no RNG of quality %N found", rng_quality_names, RNG_TRUE);
148 return FAILED;
149 }
150
151 mpz_init(*prime);
152 do
153 {
154 rng->allocate_bytes(rng, prime_size, &random_bytes);
155 /* make sure most significant bit is set */
156 random_bytes.ptr[0] = random_bytes.ptr[0] | 0x80;
157
158 mpz_import(*prime, random_bytes.len, 1, 1, 1, 0, random_bytes.ptr);
159 mpz_nextprime (*prime, *prime);
160 chunk_clear(&random_bytes);
161 }
162 /* check if it isn't too large */
163 while (((mpz_sizeinbase(*prime, 2) + 7) / 8) > prime_size);
164
165 rng->destroy(rng);
166 return SUCCESS;
167 }
168
169 /**
170 * PKCS#1 RSADP function
171 */
172 static chunk_t rsadp(private_gmp_rsa_private_key_t *this, chunk_t data)
173 {
174 mpz_t t1, t2;
175 chunk_t decrypted;
176
177 mpz_init(t1);
178 mpz_init(t2);
179
180 mpz_import(t1, data.len, 1, 1, 1, 0, data.ptr);
181
182 mpz_powm(t2, t1, this->exp1, this->p); /* m1 = c^dP mod p */
183 mpz_powm(t1, t1, this->exp2, this->q); /* m2 = c^dQ mod Q */
184 mpz_sub(t2, t2, t1); /* h = qInv (m1 - m2) mod p */
185 mpz_mod(t2, t2, this->p);
186 mpz_mul(t2, t2, this->coeff);
187 mpz_mod(t2, t2, this->p);
188
189 mpz_mul(t2, t2, this->q); /* m = m2 + h q */
190 mpz_add(t1, t1, t2);
191
192 decrypted.len = this->k;
193 decrypted.ptr = mpz_export(NULL, NULL, 1, decrypted.len, 1, 0, t1);
194 if (decrypted.ptr == NULL)
195 {
196 decrypted.len = 0;
197 }
198
199 mpz_clear_randomized(t1);
200 mpz_clear_randomized(t2);
201
202 return decrypted;
203 }
204
205 /**
206 * PKCS#1 RSASP1 function
207 */
208 static chunk_t rsasp1(private_gmp_rsa_private_key_t *this, chunk_t data)
209 {
210 return rsadp(this, data);
211 }
212
213 /**
214 * Implementation of gmp_rsa_private_key_t.build_emsa_pkcs1_signature.
215 */
216 static bool build_emsa_pkcs1_signature(private_gmp_rsa_private_key_t *this,
217 hash_algorithm_t hash_algorithm,
218 chunk_t data, chunk_t *signature)
219 {
220 chunk_t digestInfo = chunk_empty;
221 chunk_t em;
222
223 if (hash_algorithm != HASH_UNKNOWN)
224 {
225 hasher_t *hasher;
226 chunk_t hash;
227 int hash_oid = hasher_algorithm_to_oid(hash_algorithm);
228
229 if (hash_oid == OID_UNKNOWN)
230 {
231 return FALSE;
232 }
233
234 hasher = lib->crypto->create_hasher(lib->crypto, hash_algorithm);
235 if (hasher == NULL)
236 {
237 return FALSE;
238 }
239 hasher->allocate_hash(hasher, data, &hash);
240 hasher->destroy(hasher);
241
242 /* build DER-encoded digestInfo */
243 digestInfo = asn1_wrap(ASN1_SEQUENCE, "cm",
244 asn1_algorithmIdentifier(hash_oid),
245 asn1_simple_object(ASN1_OCTET_STRING, hash)
246 );
247 chunk_free(&hash);
248 data = digestInfo;
249 }
250
251 if (data.len > this->k - 3)
252 {
253 free(digestInfo.ptr);
254 DBG1("unable to sign %d bytes using a %dbit key", data.len, this->k * 8);
255 return FALSE;
256 }
257
258 /* build chunk to rsa-decrypt:
259 * EM = 0x00 || 0x01 || PS || 0x00 || T.
260 * PS = 0xFF padding, with length to fill em
261 * T = encoded_hash
262 */
263 em.len = this->k;
264 em.ptr = malloc(em.len);
265
266 /* fill em with padding */
267 memset(em.ptr, 0xFF, em.len);
268 /* set magic bytes */
269 *(em.ptr) = 0x00;
270 *(em.ptr+1) = 0x01;
271 *(em.ptr + em.len - data.len - 1) = 0x00;
272 /* set DER-encoded hash */
273 memcpy(em.ptr + em.len - data.len, data.ptr, data.len);
274
275 /* build signature */
276 *signature = rsasp1(this, em);
277
278 free(digestInfo.ptr);
279 free(em.ptr);
280
281 return TRUE;
282 }
283
284 /**
285 * Implementation of gmp_rsa_private_key.get_type.
286 */
287 static key_type_t get_type(private_gmp_rsa_private_key_t *this)
288 {
289 return KEY_RSA;
290 }
291
292 /**
293 * Implementation of gmp_rsa_private_key.sign.
294 */
295 static bool sign(private_gmp_rsa_private_key_t *this, signature_scheme_t scheme,
296 chunk_t data, chunk_t *signature)
297 {
298 switch (scheme)
299 {
300 case SIGN_RSA_EMSA_PKCS1_NULL:
301 return build_emsa_pkcs1_signature(this, HASH_UNKNOWN, data, signature);
302 case SIGN_RSA_EMSA_PKCS1_SHA1:
303 return build_emsa_pkcs1_signature(this, HASH_SHA1, data, signature);
304 case SIGN_RSA_EMSA_PKCS1_SHA224:
305 return build_emsa_pkcs1_signature(this, HASH_SHA224, data, signature);
306 case SIGN_RSA_EMSA_PKCS1_SHA256:
307 return build_emsa_pkcs1_signature(this, HASH_SHA256, data, signature);
308 case SIGN_RSA_EMSA_PKCS1_SHA384:
309 return build_emsa_pkcs1_signature(this, HASH_SHA384, data, signature);
310 case SIGN_RSA_EMSA_PKCS1_SHA512:
311 return build_emsa_pkcs1_signature(this, HASH_SHA512, data, signature);
312 case SIGN_RSA_EMSA_PKCS1_MD5:
313 return build_emsa_pkcs1_signature(this, HASH_MD5, data, signature);
314 default:
315 DBG1("signature scheme %N not supported in RSA",
316 signature_scheme_names, scheme);
317 return FALSE;
318 }
319 }
320
321 /**
322 * Implementation of gmp_rsa_private_key.decrypt.
323 */
324 static bool decrypt(private_gmp_rsa_private_key_t *this, chunk_t crypto,
325 chunk_t *plain)
326 {
327 chunk_t em, stripped;
328 bool success = FALSE;
329
330 /* rsa decryption using PKCS#1 RSADP */
331 stripped = em = rsadp(this, crypto);
332
333 /* PKCS#1 v1.5 8.1 encryption-block formatting (EB = 00 || 02 || PS || 00 || D) */
334
335 /* check for hex pattern 00 02 in decrypted message */
336 if ((*stripped.ptr++ != 0x00) || (*(stripped.ptr++) != 0x02))
337 {
338 DBG1("incorrect padding - probably wrong rsa key");
339 goto end;
340 }
341 stripped.len -= 2;
342
343 /* the plaintext data starts after first 0x00 byte */
344 while (stripped.len-- > 0 && *stripped.ptr++ != 0x00)
345
346 if (stripped.len == 0)
347 {
348 DBG1("no plaintext data");
349 goto end;
350 }
351
352 *plain = chunk_clone(stripped);
353 success = TRUE;
354
355 end:
356 chunk_clear(&em);
357 return success;
358 }
359
360 /**
361 * Implementation of gmp_rsa_private_key.get_keysize.
362 */
363 static size_t get_keysize(private_gmp_rsa_private_key_t *this)
364 {
365 return this->k;
366 }
367
368 /**
369 * Implementation of gmp_rsa_private_key.get_id.
370 */
371 static identification_t* get_id(private_gmp_rsa_private_key_t *this,
372 id_type_t type)
373 {
374 switch (type)
375 {
376 case ID_PUBKEY_INFO_SHA1:
377 return this->keyid_info;
378 case ID_PUBKEY_SHA1:
379 return this->keyid;
380 default:
381 return NULL;
382 }
383 }
384
385 /**
386 * Implementation of gmp_rsa_private_key.get_public_key.
387 */
388 static gmp_rsa_public_key_t* get_public_key(private_gmp_rsa_private_key_t *this)
389 {
390 return gmp_rsa_public_key_create_from_n_e(this->n, this->e);
391 }
392
393 /**
394 * Implementation of gmp_rsa_private_key.equals.
395 */
396 static bool equals(private_gmp_rsa_private_key_t *this, private_key_t *other)
397 {
398 identification_t *keyid;
399
400 if (&this->public.interface == other)
401 {
402 return TRUE;
403 }
404 if (other->get_type(other) != KEY_RSA)
405 {
406 return FALSE;
407 }
408 keyid = other->get_id(other, ID_PUBKEY_SHA1);
409 if (keyid && keyid->equals(keyid, this->keyid))
410 {
411 return TRUE;
412 }
413 keyid = other->get_id(other, ID_PUBKEY_INFO_SHA1);
414 if (keyid && keyid->equals(keyid, this->keyid_info))
415 {
416 return TRUE;
417 }
418 return FALSE;
419 }
420
421 /**
422 * Implementation of gmp_rsa_private_key.belongs_to.
423 */
424 static bool belongs_to(private_gmp_rsa_private_key_t *this, public_key_t *public)
425 {
426 identification_t *keyid;
427
428 if (public->get_type(public) != KEY_RSA)
429 {
430 return FALSE;
431 }
432 keyid = public->get_id(public, ID_PUBKEY_SHA1);
433 if (keyid && keyid->equals(keyid, this->keyid))
434 {
435 return TRUE;
436 }
437 keyid = public->get_id(public, ID_PUBKEY_INFO_SHA1);
438 if (keyid && keyid->equals(keyid, this->keyid_info))
439 {
440 return TRUE;
441 }
442 return FALSE;
443 }
444
445 /**
446 * Convert a MP integer into a chunk_t
447 */
448 chunk_t gmp_mpz_to_chunk(const mpz_t value)
449 {
450 chunk_t n;
451
452 n.len = 1 + mpz_sizeinbase(value, 2) / BITS_PER_BYTE;
453 n.ptr = mpz_export(NULL, NULL, 1, n.len, 1, 0, value);
454 if (n.ptr == NULL)
455 { /* if we have zero in "value", gmp returns NULL */
456 n.len = 0;
457 }
458 return n;
459 }
460
461 /**
462 * Convert a MP integer into a DER coded ASN.1 object
463 */
464 chunk_t gmp_mpz_to_asn1(const mpz_t value)
465 {
466 return asn1_wrap(ASN1_INTEGER, "m", gmp_mpz_to_chunk(value));
467 }
468
469 /**
470 * Implementation of private_key_t.get_encoding.
471 */
472 static chunk_t get_encoding(private_gmp_rsa_private_key_t *this)
473 {
474 return asn1_wrap(ASN1_SEQUENCE, "cmmmmmmmm",
475 ASN1_INTEGER_0,
476 gmp_mpz_to_asn1(this->n),
477 gmp_mpz_to_asn1(this->e),
478 gmp_mpz_to_asn1(this->d),
479 gmp_mpz_to_asn1(this->p),
480 gmp_mpz_to_asn1(this->q),
481 gmp_mpz_to_asn1(this->exp1),
482 gmp_mpz_to_asn1(this->exp2),
483 gmp_mpz_to_asn1(this->coeff));
484 }
485
486 /**
487 * Implementation of gmp_rsa_private_key.get_ref.
488 */
489 static private_gmp_rsa_private_key_t* get_ref(private_gmp_rsa_private_key_t *this)
490 {
491 ref_get(&this->ref);
492 return this;
493
494 }
495
496 /**
497 * Implementation of gmp_rsa_private_key.destroy.
498 */
499 static void destroy(private_gmp_rsa_private_key_t *this)
500 {
501 if (ref_put(&this->ref))
502 {
503 mpz_clear_randomized(this->n);
504 mpz_clear_randomized(this->e);
505 mpz_clear_randomized(this->p);
506 mpz_clear_randomized(this->q);
507 mpz_clear_randomized(this->d);
508 mpz_clear_randomized(this->exp1);
509 mpz_clear_randomized(this->exp2);
510 mpz_clear_randomized(this->coeff);
511 DESTROY_IF(this->keyid);
512 DESTROY_IF(this->keyid_info);
513 free(this);
514 }
515 }
516
517 /**
518 * Check the loaded key if it is valid and usable
519 */
520 static status_t check(private_gmp_rsa_private_key_t *this)
521 {
522 mpz_t t, u, q1;
523 status_t status = SUCCESS;
524
525 /* PKCS#1 1.5 section 6 requires modulus to have at least 12 octets.
526 * We actually require more (for security).
527 */
528 if (this->k < 512 / BITS_PER_BYTE)
529 {
530 DBG1("key shorter than 512 bits");
531 return FAILED;
532 }
533
534 /* we picked a max modulus size to simplify buffer allocation */
535 if (this->k > 8192 / BITS_PER_BYTE)
536 {
537 DBG1("key larger than 8192 bits");
538 return FAILED;
539 }
540
541 mpz_init(t);
542 mpz_init(u);
543 mpz_init(q1);
544
545 /* check that n == p * q */
546 mpz_mul(u, this->p, this->q);
547 if (mpz_cmp(u, this->n) != 0)
548 {
549 status = FAILED;
550 }
551
552 /* check that e divides neither p-1 nor q-1 */
553 mpz_sub_ui(t, this->p, 1);
554 mpz_mod(t, t, this->e);
555 if (mpz_cmp_ui(t, 0) == 0)
556 {
557 status = FAILED;
558 }
559
560 mpz_sub_ui(t, this->q, 1);
561 mpz_mod(t, t, this->e);
562 if (mpz_cmp_ui(t, 0) == 0)
563 {
564 status = FAILED;
565 }
566
567 /* check that d is e^-1 (mod lcm(p-1, q-1)) */
568 /* see PKCS#1v2, aka RFC 2437, for the "lcm" */
569 mpz_sub_ui(q1, this->q, 1);
570 mpz_sub_ui(u, this->p, 1);
571 mpz_gcd(t, u, q1); /* t := gcd(p-1, q-1) */
572 mpz_mul(u, u, q1); /* u := (p-1) * (q-1) */
573 mpz_divexact(u, u, t); /* u := lcm(p-1, q-1) */
574
575 mpz_mul(t, this->d, this->e);
576 mpz_mod(t, t, u);
577 if (mpz_cmp_ui(t, 1) != 0)
578 {
579 status = FAILED;
580 }
581
582 /* check that exp1 is d mod (p-1) */
583 mpz_sub_ui(u, this->p, 1);
584 mpz_mod(t, this->d, u);
585 if (mpz_cmp(t, this->exp1) != 0)
586 {
587 status = FAILED;
588 }
589
590 /* check that exp2 is d mod (q-1) */
591 mpz_sub_ui(u, this->q, 1);
592 mpz_mod(t, this->d, u);
593 if (mpz_cmp(t, this->exp2) != 0)
594 {
595 status = FAILED;
596 }
597
598 /* check that coeff is (q^-1) mod p */
599 mpz_mul(t, this->coeff, this->q);
600 mpz_mod(t, t, this->p);
601 if (mpz_cmp_ui(t, 1) != 0)
602 {
603 status = FAILED;
604 }
605
606 mpz_clear_randomized(t);
607 mpz_clear_randomized(u);
608 mpz_clear_randomized(q1);
609 if (status != SUCCESS)
610 {
611 DBG1("key integrity tests failed");
612 }
613 return status;
614 }
615
616 /**
617 * Internal generic constructor
618 */
619 static private_gmp_rsa_private_key_t *gmp_rsa_private_key_create_empty(void)
620 {
621 private_gmp_rsa_private_key_t *this = malloc_thing(private_gmp_rsa_private_key_t);
622
623 this->public.interface.get_type = (key_type_t (*) (private_key_t*))get_type;
624 this->public.interface.sign = (bool (*) (private_key_t*, signature_scheme_t, chunk_t, chunk_t*))sign;
625 this->public.interface.decrypt = (bool (*) (private_key_t*, chunk_t, chunk_t*))decrypt;
626 this->public.interface.get_keysize = (size_t (*) (private_key_t*))get_keysize;
627 this->public.interface.get_id = (identification_t* (*) (private_key_t*, id_type_t))get_id;
628 this->public.interface.get_public_key = (public_key_t* (*) (private_key_t*))get_public_key;
629 this->public.interface.equals = (bool (*) (private_key_t*, private_key_t*))equals;
630 this->public.interface.belongs_to = (bool (*) (private_key_t*, public_key_t*))belongs_to;
631 this->public.interface.get_encoding = (chunk_t (*) (private_key_t*))get_encoding;
632 this->public.interface.get_ref = (private_key_t* (*) (private_key_t*))get_ref;
633 this->public.interface.destroy = (void (*) (private_key_t*))destroy;
634
635 this->keyid = NULL;
636 this->keyid_info = NULL;
637 this->ref = 1;
638
639 return this;
640 }
641
642 /**
643 * Generate an RSA key of specified key size
644 */
645 static gmp_rsa_private_key_t *generate(size_t key_size)
646 {
647 mpz_t p, q, n, e, d, exp1, exp2, coeff;
648 mpz_t m, q1, t;
649 private_gmp_rsa_private_key_t *this = gmp_rsa_private_key_create_empty();
650
651 key_size = key_size / BITS_PER_BYTE;
652
653 /* Get values of primes p and q */
654 if (compute_prime(this, key_size/2, &p) != SUCCESS)
655 {
656 free(this);
657 return NULL;
658 }
659 if (compute_prime(this, key_size/2, &q) != SUCCESS)
660 {
661 mpz_clear(p);
662 free(this);
663 return NULL;
664 }
665
666 mpz_init(t);
667 mpz_init(n);
668 mpz_init(d);
669 mpz_init(exp1);
670 mpz_init(exp2);
671 mpz_init(coeff);
672
673 /* Swapping Primes so p is larger then q */
674 if (mpz_cmp(p, q) < 0)
675 {
676 mpz_swap(p, q);
677 }
678
679 mpz_mul(n, p, q); /* n = p*q */
680 mpz_init_set_ui(e, PUBLIC_EXPONENT); /* assign public exponent */
681 mpz_init_set(m, p); /* m = p */
682 mpz_sub_ui(m, m, 1); /* m = m -1 */
683 mpz_init_set(q1, q); /* q1 = q */
684 mpz_sub_ui(q1, q1, 1); /* q1 = q1 -1 */
685 mpz_gcd(t, m, q1); /* t = gcd(p-1, q-1) */
686 mpz_mul(m, m, q1); /* m = (p-1)*(q-1) */
687 mpz_divexact(m, m, t); /* m = m / t */
688 mpz_gcd(t, m, e); /* t = gcd(m, e) */
689
690 mpz_invert(d, e, m); /* e has an inverse mod m */
691 if (mpz_cmp_ui(d, 0) < 0) /* make sure d is positive */
692 {
693 mpz_add(d, d, m);
694 }
695 mpz_sub_ui(t, p, 1); /* t = p-1 */
696 mpz_mod(exp1, d, t); /* exp1 = d mod p-1 */
697 mpz_sub_ui(t, q, 1); /* t = q-1 */
698 mpz_mod(exp2, d, t); /* exp2 = d mod q-1 */
699
700 mpz_invert(coeff, q, p); /* coeff = q^-1 mod p */
701 if (mpz_cmp_ui(coeff, 0) < 0) /* make coeff d is positive */
702 {
703 mpz_add(coeff, coeff, p);
704 }
705
706 mpz_clear_randomized(q1);
707 mpz_clear_randomized(m);
708 mpz_clear_randomized(t);
709
710 /* apply values */
711 *(this->p) = *p;
712 *(this->q) = *q;
713 *(this->n) = *n;
714 *(this->e) = *e;
715 *(this->d) = *d;
716 *(this->exp1) = *exp1;
717 *(this->exp2) = *exp2;
718 *(this->coeff) = *coeff;
719
720 /* set key size in bytes */
721 this->k = key_size;
722
723 return &this->public;
724 }
725
726 /**
727 * ASN.1 definition of a PKCS#1 RSA private key
728 */
729 static const asn1Object_t privkeyObjects[] = {
730 { 0, "RSAPrivateKey", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
731 { 1, "version", ASN1_INTEGER, ASN1_BODY }, /* 1 */
732 { 1, "modulus", ASN1_INTEGER, ASN1_BODY }, /* 2 */
733 { 1, "publicExponent", ASN1_INTEGER, ASN1_BODY }, /* 3 */
734 { 1, "privateExponent", ASN1_INTEGER, ASN1_BODY }, /* 4 */
735 { 1, "prime1", ASN1_INTEGER, ASN1_BODY }, /* 5 */
736 { 1, "prime2", ASN1_INTEGER, ASN1_BODY }, /* 6 */
737 { 1, "exponent1", ASN1_INTEGER, ASN1_BODY }, /* 7 */
738 { 1, "exponent2", ASN1_INTEGER, ASN1_BODY }, /* 8 */
739 { 1, "coefficient", ASN1_INTEGER, ASN1_BODY }, /* 9 */
740 { 1, "otherPrimeInfos", ASN1_SEQUENCE, ASN1_OPT |
741 ASN1_LOOP }, /* 10 */
742 { 2, "otherPrimeInfo", ASN1_SEQUENCE, ASN1_NONE }, /* 11 */
743 { 3, "prime", ASN1_INTEGER, ASN1_BODY }, /* 12 */
744 { 3, "exponent", ASN1_INTEGER, ASN1_BODY }, /* 13 */
745 { 3, "coefficient", ASN1_INTEGER, ASN1_BODY }, /* 14 */
746 { 1, "end opt or loop", ASN1_EOC, ASN1_END }, /* 15 */
747 { 0, "exit", ASN1_EOC, ASN1_EXIT }
748 };
749 #define PRIV_KEY_VERSION 1
750 #define PRIV_KEY_MODULUS 2
751 #define PRIV_KEY_PUB_EXP 3
752 #define PRIV_KEY_PRIV_EXP 4
753 #define PRIV_KEY_PRIME1 5
754 #define PRIV_KEY_PRIME2 6
755 #define PRIV_KEY_EXP1 7
756 #define PRIV_KEY_EXP2 8
757 #define PRIV_KEY_COEFF 9
758
759 /**
760 * load private key from a ASN1 encoded blob
761 */
762 static gmp_rsa_private_key_t *load_asn1_der(chunk_t blob)
763 {
764 asn1_parser_t *parser;
765 chunk_t object;
766 int objectID ;
767 bool success = FALSE;
768
769 private_gmp_rsa_private_key_t *this = gmp_rsa_private_key_create_empty();
770
771 mpz_init(this->n);
772 mpz_init(this->e);
773 mpz_init(this->p);
774 mpz_init(this->q);
775 mpz_init(this->d);
776 mpz_init(this->exp1);
777 mpz_init(this->exp2);
778 mpz_init(this->coeff);
779
780 parser = asn1_parser_create(privkeyObjects, blob);
781 parser->set_flags(parser, FALSE, TRUE);
782
783 while (parser->iterate(parser, &objectID, &object))
784 {
785 switch (objectID)
786 {
787 case PRIV_KEY_VERSION:
788 if (object.len > 0 && *object.ptr != 0)
789 {
790 DBG1("PKCS#1 private key format is not version 1");
791 goto end;
792 }
793 break;
794 case PRIV_KEY_MODULUS:
795 mpz_import(this->n, object.len, 1, 1, 1, 0, object.ptr);
796 break;
797 case PRIV_KEY_PUB_EXP:
798 mpz_import(this->e, object.len, 1, 1, 1, 0, object.ptr);
799 break;
800 case PRIV_KEY_PRIV_EXP:
801 mpz_import(this->d, object.len, 1, 1, 1, 0, object.ptr);
802 break;
803 case PRIV_KEY_PRIME1:
804 mpz_import(this->p, object.len, 1, 1, 1, 0, object.ptr);
805 break;
806 case PRIV_KEY_PRIME2:
807 mpz_import(this->q, object.len, 1, 1, 1, 0, object.ptr);
808 break;
809 case PRIV_KEY_EXP1:
810 mpz_import(this->exp1, object.len, 1, 1, 1, 0, object.ptr);
811 break;
812 case PRIV_KEY_EXP2:
813 mpz_import(this->exp2, object.len, 1, 1, 1, 0, object.ptr);
814 break;
815 case PRIV_KEY_COEFF:
816 mpz_import(this->coeff, object.len, 1, 1, 1, 0, object.ptr);
817 break;
818 }
819 }
820 success = parser->success(parser);
821
822 end:
823 parser->destroy(parser);
824 chunk_clear(&blob);
825
826 if (!success)
827 {
828 destroy(this);
829 return NULL;
830 }
831
832 this->k = (mpz_sizeinbase(this->n, 2) + 7) / BITS_PER_BYTE;
833
834 if (!gmp_rsa_public_key_build_id(this->n, this->e,
835 &this->keyid, &this->keyid_info))
836 {
837 destroy(this);
838 return NULL;
839 }
840 if (check(this) != SUCCESS)
841 {
842 destroy(this);
843 return NULL;
844 }
845 return &this->public;
846 }
847
848 /**
849 * load private key from an OpenPGP blob coded according to section
850 */
851 static gmp_rsa_private_key_t *load_pgp(chunk_t blob)
852 {
853 mpz_t u;
854 int objectID;
855 chunk_t packet = blob;
856 private_gmp_rsa_private_key_t *this = gmp_rsa_private_key_create_empty();
857
858 mpz_init(this->n);
859 mpz_init(this->e);
860 mpz_init(this->p);
861 mpz_init(this->q);
862 mpz_init(this->d);
863 mpz_init(this->exp1);
864 mpz_init(this->exp2);
865 mpz_init(this->coeff);
866
867 for (objectID = PRIV_KEY_MODULUS; objectID <= PRIV_KEY_COEFF; objectID++)
868 {
869 chunk_t object;
870
871 switch (objectID)
872 {
873 case PRIV_KEY_PRIV_EXP:
874 {
875 pgp_sym_alg_t s2k;
876
877 /* string-to-key usage */
878 s2k = pgp_length(&packet, 1);
879 DBG2("L3 - string-to-key: %d", s2k);
880
881 if (s2k == 255 || s2k == 254)
882 {
883 DBG1("string-to-key specifiers not supported");
884 goto end;
885 }
886 DBG2(" %N", pgp_sym_alg_names, s2k);
887
888 if (s2k != PGP_SYM_ALG_PLAIN)
889 {
890 DBG1("%N encryption not supported", pgp_sym_alg_names, s2k);
891 goto end;
892 }
893 break;
894 }
895 case PRIV_KEY_EXP1:
896 case PRIV_KEY_EXP2:
897 /* not contained in OpenPGP secret key payload */
898 continue;
899 default:
900 break;
901 }
902
903 DBG2("L3 - %s:", privkeyObjects[objectID].name);
904 object.len = pgp_length(&packet, 2);
905
906 if (object.len == PGP_INVALID_LENGTH)
907 {
908 DBG1("OpenPGP length is invalid");
909 goto end;
910 }
911 object.len = (object.len + 7) / BITS_PER_BYTE;
912 if (object.len > packet.len)
913 {
914 DBG1("OpenPGP field is too short");
915 goto end;
916 }
917 object.ptr = packet.ptr;
918 packet.ptr += object.len;
919 packet.len -= object.len;
920 DBG4("%B", &object);
921
922 switch (objectID)
923 {
924 case PRIV_KEY_MODULUS:
925 mpz_import(this->n, object.len, 1, 1, 1, 0, object.ptr);
926 break;
927 case PRIV_KEY_PUB_EXP:
928 mpz_import(this->e, object.len, 1, 1, 1, 0, object.ptr);
929 break;
930 case PRIV_KEY_PRIV_EXP:
931 mpz_import(this->d, object.len, 1, 1, 1, 0, object.ptr);
932 break;
933 case PRIV_KEY_PRIME1:
934 mpz_import(this->q, object.len, 1, 1, 1, 0, object.ptr);
935 break;
936 case PRIV_KEY_PRIME2:
937 mpz_import(this->p, object.len, 1, 1, 1, 0, object.ptr);
938 break;
939 case PRIV_KEY_COEFF:
940 mpz_import(this->coeff, object.len, 1, 1, 1, 0, object.ptr);
941 break;
942 }
943 }
944
945 /* auxiliary variable */
946 mpz_init(u);
947
948 /* exp1 = d mod (p-1) */
949 mpz_sub_ui(u, this->p, 1);
950 mpz_mod(this->exp1, this->d, u);
951
952 /* exp2 = d mod (q-1) */
953 mpz_sub_ui(u, this->q, 1);
954 mpz_mod(this->exp2, this->d, u);
955
956 mpz_clear(u);
957 chunk_clear(&blob);
958
959 this->k = (mpz_sizeinbase(this->n, 2) + 7) / BITS_PER_BYTE;
960
961 if (!gmp_rsa_public_key_build_id(this->n, this->e,
962 &this->keyid, &this->keyid_info))
963 {
964 destroy(this);
965 return NULL;
966 }
967 if (check(this) != SUCCESS)
968 {
969 destroy(this);
970 return NULL;
971 }
972 return &this->public;
973
974 end:
975 chunk_clear(&blob);
976 destroy(this);
977 return NULL;
978 }
979
980 typedef struct private_builder_t private_builder_t;
981 /**
982 * Builder implementation for key loading/generation
983 */
984 struct private_builder_t {
985 /** implements the builder interface */
986 builder_t public;
987 /** loaded/generated private key */
988 gmp_rsa_private_key_t *key;
989 };
990
991 /**
992 * Implementation of builder_t.build
993 */
994 static gmp_rsa_private_key_t *build(private_builder_t *this)
995 {
996 gmp_rsa_private_key_t *key = this->key;
997
998 free(this);
999 return key;
1000 }
1001
1002 /**
1003 * Implementation of builder_t.add
1004 */
1005 static void add(private_builder_t *this, builder_part_t part, ...)
1006 {
1007 if (!this->key)
1008 {
1009 va_list args;
1010 chunk_t chunk;
1011
1012 switch (part)
1013 {
1014 case BUILD_BLOB_ASN1_DER:
1015 {
1016 va_start(args, part);
1017 chunk = va_arg(args, chunk_t);
1018 this->key = load_asn1_der(chunk_clone(chunk));
1019 va_end(args);
1020 return;
1021 }
1022 case BUILD_BLOB_PGP:
1023 {
1024 va_start(args, part);
1025 chunk = va_arg(args, chunk_t);
1026 this->key = load_pgp(chunk_clone(chunk));
1027 va_end(args);
1028 return;
1029 }
1030 case BUILD_KEY_SIZE:
1031 {
1032 va_start(args, part);
1033 this->key = generate(va_arg(args, u_int));
1034 va_end(args);
1035 return;
1036 }
1037 default:
1038 break;
1039 }
1040 }
1041 if (this->key)
1042 {
1043 destroy((private_gmp_rsa_private_key_t*)this->key);
1044 }
1045 builder_cancel(&this->public);
1046 }
1047
1048 /**
1049 * Builder construction function
1050 */
1051 builder_t *gmp_rsa_private_key_builder(key_type_t type)
1052 {
1053 private_builder_t *this;
1054
1055 if (type != KEY_RSA)
1056 {
1057 return NULL;
1058 }
1059
1060 this = malloc_thing(private_builder_t);
1061
1062 this->key = NULL;
1063 this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
1064 this->public.build = (void*(*)(builder_t *this))build;
1065
1066 return &this->public;
1067 }
1068