PEM encoding for GMP RSA public and private keys
[strongswan.git] / src / libstrongswan / plugins / gmp / gmp_rsa_private_key.c
1 /*
2 * Copyright (C) 2005-2009 Martin Willi
3 * Copyright (C) 2005 Jan Hutter
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include <gmp.h>
18 #include <sys/stat.h>
19 #include <unistd.h>
20 #include <string.h>
21
22 #include "gmp_rsa_private_key.h"
23 #include "gmp_rsa_public_key.h"
24
25 #include <debug.h>
26 #include <asn1/oid.h>
27 #include <asn1/asn1.h>
28 #include <asn1/asn1_parser.h>
29
30 #ifdef HAVE_MPZ_POWM_SEC
31 # undef mpz_powm
32 # define mpz_powm mpz_powm_sec
33 #endif
34
35 /**
36 * Public exponent to use for key generation.
37 */
38 #define PUBLIC_EXPONENT 0x10001
39
40 typedef struct private_gmp_rsa_private_key_t private_gmp_rsa_private_key_t;
41
42 /**
43 * Private data of a gmp_rsa_private_key_t object.
44 */
45 struct private_gmp_rsa_private_key_t {
46 /**
47 * Public interface for this signer.
48 */
49 gmp_rsa_private_key_t public;
50
51 /**
52 * Public modulus.
53 */
54 mpz_t n;
55
56 /**
57 * Public exponent.
58 */
59 mpz_t e;
60
61 /**
62 * Private prime 1.
63 */
64 mpz_t p;
65
66 /**
67 * Private Prime 2.
68 */
69 mpz_t q;
70
71 /**
72 * Private exponent.
73 */
74 mpz_t d;
75
76 /**
77 * Private exponent 1.
78 */
79 mpz_t exp1;
80
81 /**
82 * Private exponent 2.
83 */
84 mpz_t exp2;
85
86 /**
87 * Private coefficient.
88 */
89 mpz_t coeff;
90
91 /**
92 * Keysize in bytes.
93 */
94 size_t k;
95
96 /**
97 * reference count
98 */
99 refcount_t ref;
100 };
101
102 /**
103 * Convert a MP integer into a chunk_t
104 */
105 chunk_t gmp_mpz_to_chunk(const mpz_t value)
106 {
107 chunk_t n;
108
109 n.len = 1 + mpz_sizeinbase(value, 2) / BITS_PER_BYTE;
110 n.ptr = mpz_export(NULL, NULL, 1, n.len, 1, 0, value);
111 if (n.ptr == NULL)
112 { /* if we have zero in "value", gmp returns NULL */
113 n.len = 0;
114 }
115 return n;
116 }
117
118 /**
119 * Auxiliary function overwriting private key material with zero bytes
120 */
121 static void mpz_clear_sensitive(mpz_t z)
122 {
123 size_t len = mpz_size(z) * GMP_LIMB_BITS / BITS_PER_BYTE;
124 u_int8_t *random = alloca(len);
125
126 memset(random, 0, len);
127 /* overwrite mpz_t with zero bytes before clearing it */
128 mpz_import(z, len, 1, 1, 1, 0, random);
129 mpz_clear(z);
130 }
131
132 /**
133 * Create a mpz prime of at least prime_size
134 */
135 static status_t compute_prime(private_gmp_rsa_private_key_t *this,
136 size_t prime_size, mpz_t *prime)
137 {
138 rng_t *rng;
139 chunk_t random_bytes;
140
141 rng = lib->crypto->create_rng(lib->crypto, RNG_TRUE);
142 if (!rng)
143 {
144 DBG1("no RNG of quality %N found", rng_quality_names, RNG_TRUE);
145 return FAILED;
146 }
147
148 mpz_init(*prime);
149 do
150 {
151 rng->allocate_bytes(rng, prime_size, &random_bytes);
152 /* make sure the two most significant bits are set */
153 random_bytes.ptr[0] = random_bytes.ptr[0] | 0xC0;
154
155 mpz_import(*prime, random_bytes.len, 1, 1, 1, 0, random_bytes.ptr);
156 mpz_nextprime (*prime, *prime);
157 chunk_clear(&random_bytes);
158 }
159 /* check if it isn't too large */
160 while (((mpz_sizeinbase(*prime, 2) + 7) / 8) > prime_size);
161
162 rng->destroy(rng);
163 return SUCCESS;
164 }
165
166 /**
167 * PKCS#1 RSADP function
168 */
169 static chunk_t rsadp(private_gmp_rsa_private_key_t *this, chunk_t data)
170 {
171 mpz_t t1, t2;
172 chunk_t decrypted;
173
174 mpz_init(t1);
175 mpz_init(t2);
176
177 mpz_import(t1, data.len, 1, 1, 1, 0, data.ptr);
178
179 mpz_powm(t2, t1, this->exp1, this->p); /* m1 = c^dP mod p */
180 mpz_powm(t1, t1, this->exp2, this->q); /* m2 = c^dQ mod Q */
181 mpz_sub(t2, t2, t1); /* h = qInv (m1 - m2) mod p */
182 mpz_mod(t2, t2, this->p);
183 mpz_mul(t2, t2, this->coeff);
184 mpz_mod(t2, t2, this->p);
185
186 mpz_mul(t2, t2, this->q); /* m = m2 + h q */
187 mpz_add(t1, t1, t2);
188
189 decrypted.len = this->k;
190 decrypted.ptr = mpz_export(NULL, NULL, 1, decrypted.len, 1, 0, t1);
191 if (decrypted.ptr == NULL)
192 {
193 decrypted.len = 0;
194 }
195
196 mpz_clear_sensitive(t1);
197 mpz_clear_sensitive(t2);
198
199 return decrypted;
200 }
201
202 /**
203 * PKCS#1 RSASP1 function
204 */
205 static chunk_t rsasp1(private_gmp_rsa_private_key_t *this, chunk_t data)
206 {
207 return rsadp(this, data);
208 }
209
210 /**
211 * Implementation of gmp_rsa_private_key_t.build_emsa_pkcs1_signature.
212 */
213 static bool build_emsa_pkcs1_signature(private_gmp_rsa_private_key_t *this,
214 hash_algorithm_t hash_algorithm,
215 chunk_t data, chunk_t *signature)
216 {
217 chunk_t digestInfo = chunk_empty;
218 chunk_t em;
219
220 if (hash_algorithm != HASH_UNKNOWN)
221 {
222 hasher_t *hasher;
223 chunk_t hash;
224 int hash_oid = hasher_algorithm_to_oid(hash_algorithm);
225
226 if (hash_oid == OID_UNKNOWN)
227 {
228 return FALSE;
229 }
230
231 hasher = lib->crypto->create_hasher(lib->crypto, hash_algorithm);
232 if (hasher == NULL)
233 {
234 return FALSE;
235 }
236 hasher->allocate_hash(hasher, data, &hash);
237 hasher->destroy(hasher);
238
239 /* build DER-encoded digestInfo */
240 digestInfo = asn1_wrap(ASN1_SEQUENCE, "mm",
241 asn1_algorithmIdentifier(hash_oid),
242 asn1_simple_object(ASN1_OCTET_STRING, hash)
243 );
244 chunk_free(&hash);
245 data = digestInfo;
246 }
247
248 if (data.len > this->k - 3)
249 {
250 free(digestInfo.ptr);
251 DBG1("unable to sign %d bytes using a %dbit key", data.len, this->k * 8);
252 return FALSE;
253 }
254
255 /* build chunk to rsa-decrypt:
256 * EM = 0x00 || 0x01 || PS || 0x00 || T.
257 * PS = 0xFF padding, with length to fill em
258 * T = encoded_hash
259 */
260 em.len = this->k;
261 em.ptr = malloc(em.len);
262
263 /* fill em with padding */
264 memset(em.ptr, 0xFF, em.len);
265 /* set magic bytes */
266 *(em.ptr) = 0x00;
267 *(em.ptr+1) = 0x01;
268 *(em.ptr + em.len - data.len - 1) = 0x00;
269 /* set DER-encoded hash */
270 memcpy(em.ptr + em.len - data.len, data.ptr, data.len);
271
272 /* build signature */
273 *signature = rsasp1(this, em);
274
275 free(digestInfo.ptr);
276 free(em.ptr);
277
278 return TRUE;
279 }
280
281 /**
282 * Implementation of gmp_rsa_private_key.get_type.
283 */
284 static key_type_t get_type(private_gmp_rsa_private_key_t *this)
285 {
286 return KEY_RSA;
287 }
288
289 /**
290 * Implementation of gmp_rsa_private_key.sign.
291 */
292 static bool sign(private_gmp_rsa_private_key_t *this, signature_scheme_t scheme,
293 chunk_t data, chunk_t *signature)
294 {
295 switch (scheme)
296 {
297 case SIGN_RSA_EMSA_PKCS1_NULL:
298 return build_emsa_pkcs1_signature(this, HASH_UNKNOWN, data, signature);
299 case SIGN_RSA_EMSA_PKCS1_SHA1:
300 return build_emsa_pkcs1_signature(this, HASH_SHA1, data, signature);
301 case SIGN_RSA_EMSA_PKCS1_SHA224:
302 return build_emsa_pkcs1_signature(this, HASH_SHA224, data, signature);
303 case SIGN_RSA_EMSA_PKCS1_SHA256:
304 return build_emsa_pkcs1_signature(this, HASH_SHA256, data, signature);
305 case SIGN_RSA_EMSA_PKCS1_SHA384:
306 return build_emsa_pkcs1_signature(this, HASH_SHA384, data, signature);
307 case SIGN_RSA_EMSA_PKCS1_SHA512:
308 return build_emsa_pkcs1_signature(this, HASH_SHA512, data, signature);
309 case SIGN_RSA_EMSA_PKCS1_MD5:
310 return build_emsa_pkcs1_signature(this, HASH_MD5, data, signature);
311 default:
312 DBG1("signature scheme %N not supported in RSA",
313 signature_scheme_names, scheme);
314 return FALSE;
315 }
316 }
317
318 /**
319 * Implementation of gmp_rsa_private_key.decrypt.
320 */
321 static bool decrypt(private_gmp_rsa_private_key_t *this, chunk_t crypto,
322 chunk_t *plain)
323 {
324 chunk_t em, stripped;
325 bool success = FALSE;
326
327 /* rsa decryption using PKCS#1 RSADP */
328 stripped = em = rsadp(this, crypto);
329
330 /* PKCS#1 v1.5 8.1 encryption-block formatting (EB = 00 || 02 || PS || 00 || D) */
331
332 /* check for hex pattern 00 02 in decrypted message */
333 if ((*stripped.ptr++ != 0x00) || (*(stripped.ptr++) != 0x02))
334 {
335 DBG1("incorrect padding - probably wrong rsa key");
336 goto end;
337 }
338 stripped.len -= 2;
339
340 /* the plaintext data starts after first 0x00 byte */
341 while (stripped.len-- > 0 && *stripped.ptr++ != 0x00)
342
343 if (stripped.len == 0)
344 {
345 DBG1("no plaintext data");
346 goto end;
347 }
348
349 *plain = chunk_clone(stripped);
350 success = TRUE;
351
352 end:
353 chunk_clear(&em);
354 return success;
355 }
356
357 /**
358 * Implementation of gmp_rsa_private_key.get_keysize.
359 */
360 static size_t get_keysize(private_gmp_rsa_private_key_t *this)
361 {
362 return this->k;
363 }
364
365 /**
366 * Implementation of gmp_rsa_private_key.get_public_key.
367 */
368 static public_key_t* get_public_key(private_gmp_rsa_private_key_t *this)
369 {
370 chunk_t n, e;
371 public_key_t *public;
372
373 n = gmp_mpz_to_chunk(this->n);
374 e = gmp_mpz_to_chunk(this->e);
375
376 public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
377 BUILD_RSA_MODULUS, n, BUILD_RSA_PUB_EXP, e, BUILD_END);
378 chunk_free(&n);
379 chunk_free(&e);
380
381 return public;
382 }
383
384 /**
385 * Implementation of gmp_rsa_private_key.equals.
386 */
387 static bool equals(private_gmp_rsa_private_key_t *this, private_key_t *other)
388 {
389 return private_key_equals(&this->public.interface, other);
390 }
391
392 /**
393 * Implementation of gmp_rsa_private_key.belongs_to.
394 */
395 static bool belongs_to(private_gmp_rsa_private_key_t *this, public_key_t *public)
396 {
397 return private_key_belongs_to(&this->public.interface, public);
398 }
399
400 /**
401 * Implementation of private_key_t.get_encoding
402 */
403 static bool get_encoding(private_gmp_rsa_private_key_t *this,
404 key_encoding_type_t type, chunk_t *encoding)
405 {
406 chunk_t n, e, d, p, q, exp1, exp2, coeff;
407 bool success, pem = FALSE;
408
409 if (type == KEY_PRIV_PEM)
410 {
411 pem = TRUE;
412 type = KEY_PRIV_ASN1_DER;
413 }
414
415 n = gmp_mpz_to_chunk(this->n);
416 e = gmp_mpz_to_chunk(this->e);
417 d = gmp_mpz_to_chunk(this->d);
418 p = gmp_mpz_to_chunk(this->p);
419 q = gmp_mpz_to_chunk(this->q);
420 exp1 = gmp_mpz_to_chunk(this->exp1);
421 exp2 = gmp_mpz_to_chunk(this->exp2);
422 coeff = gmp_mpz_to_chunk(this->coeff);
423
424 success = lib->encoding->encode(lib->encoding,
425 type, NULL, encoding, KEY_PART_RSA_MODULUS, n,
426 KEY_PART_RSA_PUB_EXP, e, KEY_PART_RSA_PRIV_EXP, d,
427 KEY_PART_RSA_PRIME1, p, KEY_PART_RSA_PRIME2, q,
428 KEY_PART_RSA_EXP1, exp1, KEY_PART_RSA_EXP2, exp2,
429 KEY_PART_RSA_COEFF, coeff, KEY_PART_END);
430 chunk_free(&n);
431 chunk_free(&e);
432 chunk_clear(&d);
433 chunk_clear(&p);
434 chunk_clear(&q);
435 chunk_clear(&exp1);
436 chunk_clear(&exp2);
437 chunk_clear(&coeff);
438
439 if (pem && success)
440 {
441 chunk_t asn1_encoding = *encoding;
442
443 success = lib->encoding->encode(lib->encoding, KEY_PRIV_PEM, NULL,
444 encoding, KEY_PART_RSA_PRIV_ASN1_DER,
445 asn1_encoding, KEY_PART_END);
446 chunk_clear(&asn1_encoding);
447 }
448 return success;
449 }
450
451 /**
452 * Implementation of private_key_t.get_fingerprint
453 */
454 static bool get_fingerprint(private_gmp_rsa_private_key_t *this,
455 key_encoding_type_t type, chunk_t *fp)
456 {
457 chunk_t n, e;
458 bool success;
459
460 if (lib->encoding->get_cache(lib->encoding, type, this, fp))
461 {
462 return TRUE;
463 }
464 n = gmp_mpz_to_chunk(this->n);
465 e = gmp_mpz_to_chunk(this->e);
466
467 success = lib->encoding->encode(lib->encoding, type, this, fp,
468 KEY_PART_RSA_MODULUS, n, KEY_PART_RSA_PUB_EXP, e, KEY_PART_END);
469 chunk_free(&n);
470 chunk_free(&e);
471
472 return success;
473 }
474
475 /**
476 * Implementation of gmp_rsa_private_key.get_ref.
477 */
478 static private_gmp_rsa_private_key_t* get_ref(private_gmp_rsa_private_key_t *this)
479 {
480 ref_get(&this->ref);
481 return this;
482 }
483
484 /**
485 * Implementation of gmp_rsa_private_key.destroy.
486 */
487 static void destroy(private_gmp_rsa_private_key_t *this)
488 {
489 if (ref_put(&this->ref))
490 {
491 mpz_clear_sensitive(this->n);
492 mpz_clear_sensitive(this->e);
493 mpz_clear_sensitive(this->p);
494 mpz_clear_sensitive(this->q);
495 mpz_clear_sensitive(this->d);
496 mpz_clear_sensitive(this->exp1);
497 mpz_clear_sensitive(this->exp2);
498 mpz_clear_sensitive(this->coeff);
499 lib->encoding->clear_cache(lib->encoding, this);
500 free(this);
501 }
502 }
503
504 /**
505 * Check the loaded key if it is valid and usable
506 */
507 static status_t check(private_gmp_rsa_private_key_t *this)
508 {
509 mpz_t t, u, q1;
510 status_t status = SUCCESS;
511
512 /* PKCS#1 1.5 section 6 requires modulus to have at least 12 octets.
513 * We actually require more (for security).
514 */
515 if (this->k < 512 / BITS_PER_BYTE)
516 {
517 DBG1("key shorter than 512 bits");
518 return FAILED;
519 }
520
521 /* we picked a max modulus size to simplify buffer allocation */
522 if (this->k > 8192 / BITS_PER_BYTE)
523 {
524 DBG1("key larger than 8192 bits");
525 return FAILED;
526 }
527
528 mpz_init(t);
529 mpz_init(u);
530 mpz_init(q1);
531
532 /* check that n == p * q */
533 mpz_mul(u, this->p, this->q);
534 if (mpz_cmp(u, this->n) != 0)
535 {
536 status = FAILED;
537 }
538
539 /* check that e divides neither p-1 nor q-1 */
540 mpz_sub_ui(t, this->p, 1);
541 mpz_mod(t, t, this->e);
542 if (mpz_cmp_ui(t, 0) == 0)
543 {
544 status = FAILED;
545 }
546
547 mpz_sub_ui(t, this->q, 1);
548 mpz_mod(t, t, this->e);
549 if (mpz_cmp_ui(t, 0) == 0)
550 {
551 status = FAILED;
552 }
553
554 /* check that d is e^-1 (mod lcm(p-1, q-1)) */
555 /* see PKCS#1v2, aka RFC 2437, for the "lcm" */
556 mpz_sub_ui(q1, this->q, 1);
557 mpz_sub_ui(u, this->p, 1);
558 mpz_gcd(t, u, q1); /* t := gcd(p-1, q-1) */
559 mpz_mul(u, u, q1); /* u := (p-1) * (q-1) */
560 mpz_divexact(u, u, t); /* u := lcm(p-1, q-1) */
561
562 mpz_mul(t, this->d, this->e);
563 mpz_mod(t, t, u);
564 if (mpz_cmp_ui(t, 1) != 0)
565 {
566 status = FAILED;
567 }
568
569 /* check that exp1 is d mod (p-1) */
570 mpz_sub_ui(u, this->p, 1);
571 mpz_mod(t, this->d, u);
572 if (mpz_cmp(t, this->exp1) != 0)
573 {
574 status = FAILED;
575 }
576
577 /* check that exp2 is d mod (q-1) */
578 mpz_sub_ui(u, this->q, 1);
579 mpz_mod(t, this->d, u);
580 if (mpz_cmp(t, this->exp2) != 0)
581 {
582 status = FAILED;
583 }
584
585 /* check that coeff is (q^-1) mod p */
586 mpz_mul(t, this->coeff, this->q);
587 mpz_mod(t, t, this->p);
588 if (mpz_cmp_ui(t, 1) != 0)
589 {
590 status = FAILED;
591 }
592
593 mpz_clear_sensitive(t);
594 mpz_clear_sensitive(u);
595 mpz_clear_sensitive(q1);
596 if (status != SUCCESS)
597 {
598 DBG1("key integrity tests failed");
599 }
600 return status;
601 }
602
603 /**
604 * Internal generic constructor
605 */
606 static private_gmp_rsa_private_key_t *gmp_rsa_private_key_create_empty(void)
607 {
608 private_gmp_rsa_private_key_t *this = malloc_thing(private_gmp_rsa_private_key_t);
609
610 this->public.interface.get_type = (key_type_t (*) (private_key_t*))get_type;
611 this->public.interface.sign = (bool (*) (private_key_t*, signature_scheme_t, chunk_t, chunk_t*))sign;
612 this->public.interface.decrypt = (bool (*) (private_key_t*, chunk_t, chunk_t*))decrypt;
613 this->public.interface.get_keysize = (size_t (*) (private_key_t*))get_keysize;
614 this->public.interface.get_public_key = (public_key_t* (*) (private_key_t*))get_public_key;
615 this->public.interface.equals = (bool (*) (private_key_t*, private_key_t*))equals;
616 this->public.interface.belongs_to = (bool (*) (private_key_t*, public_key_t*))belongs_to;
617 this->public.interface.get_fingerprint = (bool(*)(private_key_t*, key_encoding_type_t type, chunk_t *fp))get_fingerprint;
618 this->public.interface.has_fingerprint = (bool(*)(private_key_t*, chunk_t fp))private_key_has_fingerprint;
619 this->public.interface.get_encoding = (bool(*)(private_key_t*, key_encoding_type_t type, chunk_t *encoding))get_encoding;
620 this->public.interface.get_ref = (private_key_t* (*) (private_key_t*))get_ref;
621 this->public.interface.destroy = (void (*) (private_key_t*))destroy;
622
623 this->ref = 1;
624
625 return this;
626 }
627
628 /**
629 * See header.
630 */
631 gmp_rsa_private_key_t *gmp_rsa_private_key_gen(key_type_t type, va_list args)
632 {
633 mpz_t p, q, n, e, d, exp1, exp2, coeff, m, q1, t;
634 private_gmp_rsa_private_key_t *this;
635 u_int key_size = 0;
636
637 while (TRUE)
638 {
639 switch (va_arg(args, builder_part_t))
640 {
641 case BUILD_KEY_SIZE:
642 key_size = va_arg(args, u_int);
643 continue;
644 case BUILD_END:
645 break;
646 default:
647 return NULL;
648 }
649 break;
650 }
651 if (!key_size)
652 {
653 return NULL;
654 }
655
656 this = gmp_rsa_private_key_create_empty();
657 key_size = key_size / BITS_PER_BYTE;
658
659 /* Get values of primes p and q */
660 if (compute_prime(this, key_size/2, &p) != SUCCESS)
661 {
662 free(this);
663 return NULL;
664 }
665 if (compute_prime(this, key_size/2, &q) != SUCCESS)
666 {
667 mpz_clear(p);
668 free(this);
669 return NULL;
670 }
671
672 mpz_init(t);
673 mpz_init(n);
674 mpz_init(d);
675 mpz_init(exp1);
676 mpz_init(exp2);
677 mpz_init(coeff);
678
679 /* Swapping Primes so p is larger then q */
680 if (mpz_cmp(p, q) < 0)
681 {
682 mpz_swap(p, q);
683 }
684
685 mpz_mul(n, p, q); /* n = p*q */
686 mpz_init_set_ui(e, PUBLIC_EXPONENT); /* assign public exponent */
687 mpz_init_set(m, p); /* m = p */
688 mpz_sub_ui(m, m, 1); /* m = m -1 */
689 mpz_init_set(q1, q); /* q1 = q */
690 mpz_sub_ui(q1, q1, 1); /* q1 = q1 -1 */
691 mpz_gcd(t, m, q1); /* t = gcd(p-1, q-1) */
692 mpz_mul(m, m, q1); /* m = (p-1)*(q-1) */
693 mpz_divexact(m, m, t); /* m = m / t */
694 mpz_gcd(t, m, e); /* t = gcd(m, e) */
695
696 mpz_invert(d, e, m); /* e has an inverse mod m */
697 if (mpz_cmp_ui(d, 0) < 0) /* make sure d is positive */
698 {
699 mpz_add(d, d, m);
700 }
701 mpz_sub_ui(t, p, 1); /* t = p-1 */
702 mpz_mod(exp1, d, t); /* exp1 = d mod p-1 */
703 mpz_sub_ui(t, q, 1); /* t = q-1 */
704 mpz_mod(exp2, d, t); /* exp2 = d mod q-1 */
705
706 mpz_invert(coeff, q, p); /* coeff = q^-1 mod p */
707 if (mpz_cmp_ui(coeff, 0) < 0) /* make coeff d is positive */
708 {
709 mpz_add(coeff, coeff, p);
710 }
711
712 mpz_clear_sensitive(q1);
713 mpz_clear_sensitive(m);
714 mpz_clear_sensitive(t);
715
716 /* apply values */
717 *(this->p) = *p;
718 *(this->q) = *q;
719 *(this->n) = *n;
720 *(this->e) = *e;
721 *(this->d) = *d;
722 *(this->exp1) = *exp1;
723 *(this->exp2) = *exp2;
724 *(this->coeff) = *coeff;
725
726 /* set key size in bytes */
727 this->k = key_size;
728
729 return &this->public;
730 }
731
732 /**
733 * See header.
734 */
735 gmp_rsa_private_key_t *gmp_rsa_private_key_load(key_type_t type, va_list args)
736 {
737 chunk_t n, e, d, p, q, exp1, exp2, coeff;
738 private_gmp_rsa_private_key_t *this;
739
740 n = e = d = p = q = exp1 = exp2 = coeff = chunk_empty;
741 while (TRUE)
742 {
743 switch (va_arg(args, builder_part_t))
744 {
745 case BUILD_RSA_MODULUS:
746 n = va_arg(args, chunk_t);
747 continue;
748 case BUILD_RSA_PUB_EXP:
749 e = va_arg(args, chunk_t);
750 continue;
751 case BUILD_RSA_PRIV_EXP:
752 d = va_arg(args, chunk_t);
753 continue;
754 case BUILD_RSA_PRIME1:
755 p = va_arg(args, chunk_t);
756 continue;
757 case BUILD_RSA_PRIME2:
758 q = va_arg(args, chunk_t);
759 continue;
760 case BUILD_RSA_EXP1:
761 exp1 = va_arg(args, chunk_t);
762 continue;
763 case BUILD_RSA_EXP2:
764 exp2 = va_arg(args, chunk_t);
765 continue;
766 case BUILD_RSA_COEFF:
767 coeff = va_arg(args, chunk_t);
768 continue;
769 case BUILD_END:
770 break;
771 default:
772 return NULL;
773 }
774 break;
775 }
776
777 this = gmp_rsa_private_key_create_empty();
778
779 mpz_init(this->n);
780 mpz_init(this->e);
781 mpz_init(this->p);
782 mpz_init(this->q);
783 mpz_init(this->d);
784 mpz_init(this->exp1);
785 mpz_init(this->exp2);
786 mpz_init(this->coeff);
787
788 mpz_import(this->n, n.len, 1, 1, 1, 0, n.ptr);
789 mpz_import(this->e, e.len, 1, 1, 1, 0, e.ptr);
790 mpz_import(this->d, d.len, 1, 1, 1, 0, d.ptr);
791 mpz_import(this->p, p.len, 1, 1, 1, 0, p.ptr);
792 mpz_import(this->q, q.len, 1, 1, 1, 0, q.ptr);
793 mpz_import(this->coeff, coeff.len, 1, 1, 1, 0, coeff.ptr);
794 if (!exp1.len)
795 { /* exp1 missing in key, recalculate: exp1 = d mod (p-1) */
796 mpz_sub_ui(this->exp1, this->p, 1);
797 mpz_mod(this->exp1, this->d, this->exp1);
798 }
799 else
800 {
801 mpz_import(this->exp1, exp1.len, 1, 1, 1, 0, exp1.ptr);
802 }
803 if (!exp2.len)
804 { /* exp2 missing in key, recalculate: exp2 = d mod (q-1) */
805 mpz_sub_ui(this->exp2, this->q, 1);
806 mpz_mod(this->exp2, this->d, this->exp2);
807 }
808 else
809 {
810 mpz_import(this->exp2, exp2.len, 1, 1, 1, 0, exp2.ptr);
811 }
812 this->k = (mpz_sizeinbase(this->n, 2) + 7) / BITS_PER_BYTE;
813 if (check(this) != SUCCESS)
814 {
815 destroy(this);
816 return NULL;
817 }
818 return &this->public;
819 }
820