Use bits instead of bytes for a private/public key
[strongswan.git] / src / libstrongswan / plugins / gmp / gmp_rsa_private_key.c
1 /*
2 * Copyright (C) 2005-2009 Martin Willi
3 * Copyright (C) 2005 Jan Hutter
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include <gmp.h>
18 #include <sys/stat.h>
19 #include <unistd.h>
20 #include <string.h>
21
22 #include "gmp_rsa_private_key.h"
23 #include "gmp_rsa_public_key.h"
24
25 #include <debug.h>
26 #include <asn1/oid.h>
27 #include <asn1/asn1.h>
28 #include <asn1/asn1_parser.h>
29
30 #ifdef HAVE_MPZ_POWM_SEC
31 # undef mpz_powm
32 # define mpz_powm mpz_powm_sec
33 #endif
34
35 /**
36 * Public exponent to use for key generation.
37 */
38 #define PUBLIC_EXPONENT 0x10001
39
40 typedef struct private_gmp_rsa_private_key_t private_gmp_rsa_private_key_t;
41
42 /**
43 * Private data of a gmp_rsa_private_key_t object.
44 */
45 struct private_gmp_rsa_private_key_t {
46 /**
47 * Public interface for this signer.
48 */
49 gmp_rsa_private_key_t public;
50
51 /**
52 * Public modulus.
53 */
54 mpz_t n;
55
56 /**
57 * Public exponent.
58 */
59 mpz_t e;
60
61 /**
62 * Private prime 1.
63 */
64 mpz_t p;
65
66 /**
67 * Private Prime 2.
68 */
69 mpz_t q;
70
71 /**
72 * Private exponent.
73 */
74 mpz_t d;
75
76 /**
77 * Private exponent 1.
78 */
79 mpz_t exp1;
80
81 /**
82 * Private exponent 2.
83 */
84 mpz_t exp2;
85
86 /**
87 * Private coefficient.
88 */
89 mpz_t coeff;
90
91 /**
92 * Keysize in bytes.
93 */
94 size_t k;
95
96 /**
97 * reference count
98 */
99 refcount_t ref;
100 };
101
102 /**
103 * Convert a MP integer into a chunk_t
104 */
105 chunk_t gmp_mpz_to_chunk(const mpz_t value)
106 {
107 chunk_t n;
108
109 n.len = 1 + mpz_sizeinbase(value, 2) / BITS_PER_BYTE;
110 n.ptr = mpz_export(NULL, NULL, 1, n.len, 1, 0, value);
111 if (n.ptr == NULL)
112 { /* if we have zero in "value", gmp returns NULL */
113 n.len = 0;
114 }
115 return n;
116 }
117
118 /**
119 * Auxiliary function overwriting private key material with zero bytes
120 */
121 static void mpz_clear_sensitive(mpz_t z)
122 {
123 size_t len = mpz_size(z) * GMP_LIMB_BITS / BITS_PER_BYTE;
124 u_int8_t *random = alloca(len);
125
126 memset(random, 0, len);
127 /* overwrite mpz_t with zero bytes before clearing it */
128 mpz_import(z, len, 1, 1, 1, 0, random);
129 mpz_clear(z);
130 }
131
132 /**
133 * Create a mpz prime of at least prime_size
134 */
135 static status_t compute_prime(private_gmp_rsa_private_key_t *this,
136 size_t prime_size, mpz_t *prime)
137 {
138 rng_t *rng;
139 chunk_t random_bytes;
140
141 rng = lib->crypto->create_rng(lib->crypto, RNG_TRUE);
142 if (!rng)
143 {
144 DBG1(DBG_LIB, "no RNG of quality %N found", rng_quality_names,
145 RNG_TRUE);
146 return FAILED;
147 }
148
149 mpz_init(*prime);
150 do
151 {
152 rng->allocate_bytes(rng, prime_size, &random_bytes);
153 /* make sure the two most significant bits are set */
154 random_bytes.ptr[0] = random_bytes.ptr[0] | 0xC0;
155
156 mpz_import(*prime, random_bytes.len, 1, 1, 1, 0, random_bytes.ptr);
157 mpz_nextprime (*prime, *prime);
158 chunk_clear(&random_bytes);
159 }
160 /* check if it isn't too large */
161 while (((mpz_sizeinbase(*prime, 2) + 7) / 8) > prime_size);
162
163 rng->destroy(rng);
164 return SUCCESS;
165 }
166
167 /**
168 * PKCS#1 RSADP function
169 */
170 static chunk_t rsadp(private_gmp_rsa_private_key_t *this, chunk_t data)
171 {
172 mpz_t t1, t2;
173 chunk_t decrypted;
174
175 mpz_init(t1);
176 mpz_init(t2);
177
178 mpz_import(t1, data.len, 1, 1, 1, 0, data.ptr);
179
180 mpz_powm(t2, t1, this->exp1, this->p); /* m1 = c^dP mod p */
181 mpz_powm(t1, t1, this->exp2, this->q); /* m2 = c^dQ mod Q */
182 mpz_sub(t2, t2, t1); /* h = qInv (m1 - m2) mod p */
183 mpz_mod(t2, t2, this->p);
184 mpz_mul(t2, t2, this->coeff);
185 mpz_mod(t2, t2, this->p);
186
187 mpz_mul(t2, t2, this->q); /* m = m2 + h q */
188 mpz_add(t1, t1, t2);
189
190 decrypted.len = this->k;
191 decrypted.ptr = mpz_export(NULL, NULL, 1, decrypted.len, 1, 0, t1);
192 if (decrypted.ptr == NULL)
193 {
194 decrypted.len = 0;
195 }
196
197 mpz_clear_sensitive(t1);
198 mpz_clear_sensitive(t2);
199
200 return decrypted;
201 }
202
203 /**
204 * PKCS#1 RSASP1 function
205 */
206 static chunk_t rsasp1(private_gmp_rsa_private_key_t *this, chunk_t data)
207 {
208 return rsadp(this, data);
209 }
210
211 /**
212 * Build a signature using the PKCS#1 EMSA scheme
213 */
214 static bool build_emsa_pkcs1_signature(private_gmp_rsa_private_key_t *this,
215 hash_algorithm_t hash_algorithm,
216 chunk_t data, chunk_t *signature)
217 {
218 chunk_t digestInfo = chunk_empty;
219 chunk_t em;
220
221 if (hash_algorithm != HASH_UNKNOWN)
222 {
223 hasher_t *hasher;
224 chunk_t hash;
225 int hash_oid = hasher_algorithm_to_oid(hash_algorithm);
226
227 if (hash_oid == OID_UNKNOWN)
228 {
229 return FALSE;
230 }
231
232 hasher = lib->crypto->create_hasher(lib->crypto, hash_algorithm);
233 if (hasher == NULL)
234 {
235 return FALSE;
236 }
237 hasher->allocate_hash(hasher, data, &hash);
238 hasher->destroy(hasher);
239
240 /* build DER-encoded digestInfo */
241 digestInfo = asn1_wrap(ASN1_SEQUENCE, "mm",
242 asn1_algorithmIdentifier(hash_oid),
243 asn1_simple_object(ASN1_OCTET_STRING, hash)
244 );
245 chunk_free(&hash);
246 data = digestInfo;
247 }
248
249 if (data.len > this->k - 3)
250 {
251 free(digestInfo.ptr);
252 DBG1(DBG_LIB, "unable to sign %d bytes using a %dbit key", data.len,
253 mpz_sizeinbase(this->n, 2));
254 return FALSE;
255 }
256
257 /* build chunk to rsa-decrypt:
258 * EM = 0x00 || 0x01 || PS || 0x00 || T.
259 * PS = 0xFF padding, with length to fill em
260 * T = encoded_hash
261 */
262 em.len = this->k;
263 em.ptr = malloc(em.len);
264
265 /* fill em with padding */
266 memset(em.ptr, 0xFF, em.len);
267 /* set magic bytes */
268 *(em.ptr) = 0x00;
269 *(em.ptr+1) = 0x01;
270 *(em.ptr + em.len - data.len - 1) = 0x00;
271 /* set DER-encoded hash */
272 memcpy(em.ptr + em.len - data.len, data.ptr, data.len);
273
274 /* build signature */
275 *signature = rsasp1(this, em);
276
277 free(digestInfo.ptr);
278 free(em.ptr);
279
280 return TRUE;
281 }
282
283 METHOD(private_key_t, get_type, key_type_t,
284 private_gmp_rsa_private_key_t *this)
285 {
286 return KEY_RSA;
287 }
288
289 METHOD(private_key_t, sign, bool,
290 private_gmp_rsa_private_key_t *this, signature_scheme_t scheme,
291 chunk_t data, chunk_t *signature)
292 {
293 switch (scheme)
294 {
295 case SIGN_RSA_EMSA_PKCS1_NULL:
296 return build_emsa_pkcs1_signature(this, HASH_UNKNOWN, data, signature);
297 case SIGN_RSA_EMSA_PKCS1_SHA1:
298 return build_emsa_pkcs1_signature(this, HASH_SHA1, data, signature);
299 case SIGN_RSA_EMSA_PKCS1_SHA224:
300 return build_emsa_pkcs1_signature(this, HASH_SHA224, data, signature);
301 case SIGN_RSA_EMSA_PKCS1_SHA256:
302 return build_emsa_pkcs1_signature(this, HASH_SHA256, data, signature);
303 case SIGN_RSA_EMSA_PKCS1_SHA384:
304 return build_emsa_pkcs1_signature(this, HASH_SHA384, data, signature);
305 case SIGN_RSA_EMSA_PKCS1_SHA512:
306 return build_emsa_pkcs1_signature(this, HASH_SHA512, data, signature);
307 case SIGN_RSA_EMSA_PKCS1_MD5:
308 return build_emsa_pkcs1_signature(this, HASH_MD5, data, signature);
309 default:
310 DBG1(DBG_LIB, "signature scheme %N not supported in RSA",
311 signature_scheme_names, scheme);
312 return FALSE;
313 }
314 }
315
316 METHOD(private_key_t, decrypt, bool,
317 private_gmp_rsa_private_key_t *this, encryption_scheme_t scheme,
318 chunk_t crypto, chunk_t *plain)
319 {
320 chunk_t em, stripped;
321 bool success = FALSE;
322
323 if (scheme != ENCRYPT_RSA_PKCS1)
324 {
325 DBG1(DBG_LIB, "encryption scheme %N not supported",
326 encryption_scheme_names, scheme);
327 return FALSE;
328 }
329 /* rsa decryption using PKCS#1 RSADP */
330 stripped = em = rsadp(this, crypto);
331
332 /* PKCS#1 v1.5 8.1 encryption-block formatting (EB = 00 || 02 || PS || 00 || D) */
333
334 /* check for hex pattern 00 02 in decrypted message */
335 if ((*stripped.ptr++ != 0x00) || (*(stripped.ptr++) != 0x02))
336 {
337 DBG1(DBG_LIB, "incorrect padding - probably wrong rsa key");
338 goto end;
339 }
340 stripped.len -= 2;
341
342 /* the plaintext data starts after first 0x00 byte */
343 while (stripped.len-- > 0 && *stripped.ptr++ != 0x00)
344
345 if (stripped.len == 0)
346 {
347 DBG1(DBG_LIB, "no plaintext data");
348 goto end;
349 }
350
351 *plain = chunk_clone(stripped);
352 success = TRUE;
353
354 end:
355 chunk_clear(&em);
356 return success;
357 }
358
359 METHOD(private_key_t, get_keysize, int,
360 private_gmp_rsa_private_key_t *this)
361 {
362 return mpz_sizeinbase(this->n, 2);
363 }
364
365 METHOD(private_key_t, get_public_key, public_key_t*,
366 private_gmp_rsa_private_key_t *this)
367 {
368 chunk_t n, e;
369 public_key_t *public;
370
371 n = gmp_mpz_to_chunk(this->n);
372 e = gmp_mpz_to_chunk(this->e);
373
374 public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
375 BUILD_RSA_MODULUS, n, BUILD_RSA_PUB_EXP, e, BUILD_END);
376 chunk_free(&n);
377 chunk_free(&e);
378
379 return public;
380 }
381
382 METHOD(private_key_t, get_encoding, bool,
383 private_gmp_rsa_private_key_t *this, cred_encoding_type_t type,
384 chunk_t *encoding)
385 {
386 chunk_t n, e, d, p, q, exp1, exp2, coeff;
387 bool success;
388
389 n = gmp_mpz_to_chunk(this->n);
390 e = gmp_mpz_to_chunk(this->e);
391 d = gmp_mpz_to_chunk(this->d);
392 p = gmp_mpz_to_chunk(this->p);
393 q = gmp_mpz_to_chunk(this->q);
394 exp1 = gmp_mpz_to_chunk(this->exp1);
395 exp2 = gmp_mpz_to_chunk(this->exp2);
396 coeff = gmp_mpz_to_chunk(this->coeff);
397
398 success = lib->encoding->encode(lib->encoding,
399 type, NULL, encoding, CRED_PART_RSA_MODULUS, n,
400 CRED_PART_RSA_PUB_EXP, e, CRED_PART_RSA_PRIV_EXP, d,
401 CRED_PART_RSA_PRIME1, p, CRED_PART_RSA_PRIME2, q,
402 CRED_PART_RSA_EXP1, exp1, CRED_PART_RSA_EXP2, exp2,
403 CRED_PART_RSA_COEFF, coeff, CRED_PART_END);
404 chunk_free(&n);
405 chunk_free(&e);
406 chunk_clear(&d);
407 chunk_clear(&p);
408 chunk_clear(&q);
409 chunk_clear(&exp1);
410 chunk_clear(&exp2);
411 chunk_clear(&coeff);
412
413 return success;
414 }
415
416 METHOD(private_key_t, get_fingerprint, bool,
417 private_gmp_rsa_private_key_t *this, cred_encoding_type_t type, chunk_t *fp)
418 {
419 chunk_t n, e;
420 bool success;
421
422 if (lib->encoding->get_cache(lib->encoding, type, this, fp))
423 {
424 return TRUE;
425 }
426 n = gmp_mpz_to_chunk(this->n);
427 e = gmp_mpz_to_chunk(this->e);
428
429 success = lib->encoding->encode(lib->encoding, type, this, fp,
430 CRED_PART_RSA_MODULUS, n, CRED_PART_RSA_PUB_EXP, e, CRED_PART_END);
431 chunk_free(&n);
432 chunk_free(&e);
433
434 return success;
435 }
436
437 METHOD(private_key_t, get_ref, private_key_t*,
438 private_gmp_rsa_private_key_t *this)
439 {
440 ref_get(&this->ref);
441 return &this->public.key;
442 }
443
444 METHOD(private_key_t, destroy, void,
445 private_gmp_rsa_private_key_t *this)
446 {
447 if (ref_put(&this->ref))
448 {
449 mpz_clear_sensitive(this->n);
450 mpz_clear_sensitive(this->e);
451 mpz_clear_sensitive(this->p);
452 mpz_clear_sensitive(this->q);
453 mpz_clear_sensitive(this->d);
454 mpz_clear_sensitive(this->exp1);
455 mpz_clear_sensitive(this->exp2);
456 mpz_clear_sensitive(this->coeff);
457 lib->encoding->clear_cache(lib->encoding, this);
458 free(this);
459 }
460 }
461
462 /**
463 * Check the loaded key if it is valid and usable
464 */
465 static status_t check(private_gmp_rsa_private_key_t *this)
466 {
467 mpz_t t, u, q1;
468 status_t status = SUCCESS;
469
470 /* PKCS#1 1.5 section 6 requires modulus to have at least 12 octets.
471 * We actually require more (for security).
472 */
473 if (this->k < 512 / BITS_PER_BYTE)
474 {
475 DBG1(DBG_LIB, "key shorter than 512 bits");
476 return FAILED;
477 }
478
479 /* we picked a max modulus size to simplify buffer allocation */
480 if (this->k > 8192 / BITS_PER_BYTE)
481 {
482 DBG1(DBG_LIB, "key larger than 8192 bits");
483 return FAILED;
484 }
485
486 mpz_init(t);
487 mpz_init(u);
488 mpz_init(q1);
489
490 /* check that n == p * q */
491 mpz_mul(u, this->p, this->q);
492 if (mpz_cmp(u, this->n) != 0)
493 {
494 status = FAILED;
495 }
496
497 /* check that e divides neither p-1 nor q-1 */
498 mpz_sub_ui(t, this->p, 1);
499 mpz_mod(t, t, this->e);
500 if (mpz_cmp_ui(t, 0) == 0)
501 {
502 status = FAILED;
503 }
504
505 mpz_sub_ui(t, this->q, 1);
506 mpz_mod(t, t, this->e);
507 if (mpz_cmp_ui(t, 0) == 0)
508 {
509 status = FAILED;
510 }
511
512 /* check that d is e^-1 (mod lcm(p-1, q-1)) */
513 /* see PKCS#1v2, aka RFC 2437, for the "lcm" */
514 mpz_sub_ui(q1, this->q, 1);
515 mpz_sub_ui(u, this->p, 1);
516 mpz_gcd(t, u, q1); /* t := gcd(p-1, q-1) */
517 mpz_mul(u, u, q1); /* u := (p-1) * (q-1) */
518 mpz_divexact(u, u, t); /* u := lcm(p-1, q-1) */
519
520 mpz_mul(t, this->d, this->e);
521 mpz_mod(t, t, u);
522 if (mpz_cmp_ui(t, 1) != 0)
523 {
524 status = FAILED;
525 }
526
527 /* check that exp1 is d mod (p-1) */
528 mpz_sub_ui(u, this->p, 1);
529 mpz_mod(t, this->d, u);
530 if (mpz_cmp(t, this->exp1) != 0)
531 {
532 status = FAILED;
533 }
534
535 /* check that exp2 is d mod (q-1) */
536 mpz_sub_ui(u, this->q, 1);
537 mpz_mod(t, this->d, u);
538 if (mpz_cmp(t, this->exp2) != 0)
539 {
540 status = FAILED;
541 }
542
543 /* check that coeff is (q^-1) mod p */
544 mpz_mul(t, this->coeff, this->q);
545 mpz_mod(t, t, this->p);
546 if (mpz_cmp_ui(t, 1) != 0)
547 {
548 status = FAILED;
549 }
550
551 mpz_clear_sensitive(t);
552 mpz_clear_sensitive(u);
553 mpz_clear_sensitive(q1);
554 if (status != SUCCESS)
555 {
556 DBG1(DBG_LIB, "key integrity tests failed");
557 }
558 return status;
559 }
560
561 /**
562 * Internal generic constructor
563 */
564 static private_gmp_rsa_private_key_t *gmp_rsa_private_key_create_empty(void)
565 {
566 private_gmp_rsa_private_key_t *this;
567
568 INIT(this,
569 .public.key = {
570 .get_type = _get_type,
571 .sign = _sign,
572 .decrypt = _decrypt,
573 .get_keysize = _get_keysize,
574 .get_public_key = _get_public_key,
575 .equals = private_key_equals,
576 .belongs_to = private_key_belongs_to,
577 .get_fingerprint = _get_fingerprint,
578 .has_fingerprint = private_key_has_fingerprint,
579 .get_encoding = _get_encoding,
580 .get_ref = _get_ref,
581 .destroy = _destroy,
582 },
583 .ref = 1,
584 );
585 return this;
586 }
587
588 /**
589 * See header.
590 */
591 gmp_rsa_private_key_t *gmp_rsa_private_key_gen(key_type_t type, va_list args)
592 {
593 mpz_t p, q, n, e, d, exp1, exp2, coeff, m, q1, t;
594 private_gmp_rsa_private_key_t *this;
595 u_int key_size = 0;
596
597 while (TRUE)
598 {
599 switch (va_arg(args, builder_part_t))
600 {
601 case BUILD_KEY_SIZE:
602 key_size = va_arg(args, u_int);
603 continue;
604 case BUILD_END:
605 break;
606 default:
607 return NULL;
608 }
609 break;
610 }
611 if (!key_size)
612 {
613 return NULL;
614 }
615
616 this = gmp_rsa_private_key_create_empty();
617 key_size = key_size / BITS_PER_BYTE;
618
619 /* Get values of primes p and q */
620 if (compute_prime(this, key_size/2, &p) != SUCCESS)
621 {
622 free(this);
623 return NULL;
624 }
625 if (compute_prime(this, key_size/2, &q) != SUCCESS)
626 {
627 mpz_clear(p);
628 free(this);
629 return NULL;
630 }
631
632 mpz_init(t);
633 mpz_init(n);
634 mpz_init(d);
635 mpz_init(exp1);
636 mpz_init(exp2);
637 mpz_init(coeff);
638
639 /* Swapping Primes so p is larger then q */
640 if (mpz_cmp(p, q) < 0)
641 {
642 mpz_swap(p, q);
643 }
644
645 mpz_mul(n, p, q); /* n = p*q */
646 mpz_init_set_ui(e, PUBLIC_EXPONENT); /* assign public exponent */
647 mpz_init_set(m, p); /* m = p */
648 mpz_sub_ui(m, m, 1); /* m = m -1 */
649 mpz_init_set(q1, q); /* q1 = q */
650 mpz_sub_ui(q1, q1, 1); /* q1 = q1 -1 */
651 mpz_gcd(t, m, q1); /* t = gcd(p-1, q-1) */
652 mpz_mul(m, m, q1); /* m = (p-1)*(q-1) */
653 mpz_divexact(m, m, t); /* m = m / t */
654 mpz_gcd(t, m, e); /* t = gcd(m, e) */
655
656 mpz_invert(d, e, m); /* e has an inverse mod m */
657 if (mpz_cmp_ui(d, 0) < 0) /* make sure d is positive */
658 {
659 mpz_add(d, d, m);
660 }
661 mpz_sub_ui(t, p, 1); /* t = p-1 */
662 mpz_mod(exp1, d, t); /* exp1 = d mod p-1 */
663 mpz_sub_ui(t, q, 1); /* t = q-1 */
664 mpz_mod(exp2, d, t); /* exp2 = d mod q-1 */
665
666 mpz_invert(coeff, q, p); /* coeff = q^-1 mod p */
667 if (mpz_cmp_ui(coeff, 0) < 0) /* make coeff d is positive */
668 {
669 mpz_add(coeff, coeff, p);
670 }
671
672 mpz_clear_sensitive(q1);
673 mpz_clear_sensitive(m);
674 mpz_clear_sensitive(t);
675
676 /* apply values */
677 *(this->p) = *p;
678 *(this->q) = *q;
679 *(this->n) = *n;
680 *(this->e) = *e;
681 *(this->d) = *d;
682 *(this->exp1) = *exp1;
683 *(this->exp2) = *exp2;
684 *(this->coeff) = *coeff;
685
686 /* set key size in bytes */
687 this->k = key_size;
688
689 return &this->public;
690 }
691
692 /**
693 * See header.
694 */
695 gmp_rsa_private_key_t *gmp_rsa_private_key_load(key_type_t type, va_list args)
696 {
697 chunk_t n, e, d, p, q, exp1, exp2, coeff;
698 private_gmp_rsa_private_key_t *this;
699
700 n = e = d = p = q = exp1 = exp2 = coeff = chunk_empty;
701 while (TRUE)
702 {
703 switch (va_arg(args, builder_part_t))
704 {
705 case BUILD_RSA_MODULUS:
706 n = va_arg(args, chunk_t);
707 continue;
708 case BUILD_RSA_PUB_EXP:
709 e = va_arg(args, chunk_t);
710 continue;
711 case BUILD_RSA_PRIV_EXP:
712 d = va_arg(args, chunk_t);
713 continue;
714 case BUILD_RSA_PRIME1:
715 p = va_arg(args, chunk_t);
716 continue;
717 case BUILD_RSA_PRIME2:
718 q = va_arg(args, chunk_t);
719 continue;
720 case BUILD_RSA_EXP1:
721 exp1 = va_arg(args, chunk_t);
722 continue;
723 case BUILD_RSA_EXP2:
724 exp2 = va_arg(args, chunk_t);
725 continue;
726 case BUILD_RSA_COEFF:
727 coeff = va_arg(args, chunk_t);
728 continue;
729 case BUILD_END:
730 break;
731 default:
732 return NULL;
733 }
734 break;
735 }
736
737 this = gmp_rsa_private_key_create_empty();
738
739 mpz_init(this->n);
740 mpz_init(this->e);
741 mpz_init(this->p);
742 mpz_init(this->q);
743 mpz_init(this->d);
744 mpz_init(this->exp1);
745 mpz_init(this->exp2);
746 mpz_init(this->coeff);
747
748 mpz_import(this->n, n.len, 1, 1, 1, 0, n.ptr);
749 mpz_import(this->e, e.len, 1, 1, 1, 0, e.ptr);
750 mpz_import(this->d, d.len, 1, 1, 1, 0, d.ptr);
751 mpz_import(this->p, p.len, 1, 1, 1, 0, p.ptr);
752 mpz_import(this->q, q.len, 1, 1, 1, 0, q.ptr);
753 mpz_import(this->coeff, coeff.len, 1, 1, 1, 0, coeff.ptr);
754 if (!exp1.len)
755 { /* exp1 missing in key, recalculate: exp1 = d mod (p-1) */
756 mpz_sub_ui(this->exp1, this->p, 1);
757 mpz_mod(this->exp1, this->d, this->exp1);
758 }
759 else
760 {
761 mpz_import(this->exp1, exp1.len, 1, 1, 1, 0, exp1.ptr);
762 }
763 if (!exp2.len)
764 { /* exp2 missing in key, recalculate: exp2 = d mod (q-1) */
765 mpz_sub_ui(this->exp2, this->q, 1);
766 mpz_mod(this->exp2, this->d, this->exp2);
767 }
768 else
769 {
770 mpz_import(this->exp2, exp2.len, 1, 1, 1, 0, exp2.ptr);
771 }
772 this->k = (mpz_sizeinbase(this->n, 2) + 7) / BITS_PER_BYTE;
773 if (check(this) != SUCCESS)
774 {
775 destroy(this);
776 return NULL;
777 }
778 return &this->public;
779 }
780