bc79beb6a803b1869d6f54eba4464b06de8dd5a5
[strongswan.git] / src / libstrongswan / plugins / gmp / gmp_rsa_private_key.c
1 /*
2 * Copyright (C) 2005-2008 Martin Willi
3 * Copyright (C) 2005 Jan Hutter
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include <gmp.h>
18 #include <sys/stat.h>
19 #include <unistd.h>
20 #include <string.h>
21
22 #include "gmp_rsa_private_key.h"
23 #include "gmp_rsa_public_key.h"
24
25 #include <debug.h>
26 #include <asn1/oid.h>
27 #include <asn1/asn1.h>
28 #include <asn1/asn1_parser.h>
29 #include <pgp/pgp.h>
30
31 /**
32 * Public exponent to use for key generation.
33 */
34 #define PUBLIC_EXPONENT 0x10001
35
36 typedef struct private_gmp_rsa_private_key_t private_gmp_rsa_private_key_t;
37
38 /**
39 * Private data of a gmp_rsa_private_key_t object.
40 */
41 struct private_gmp_rsa_private_key_t {
42 /**
43 * Public interface for this signer.
44 */
45 gmp_rsa_private_key_t public;
46
47 /**
48 * Version of key, as encoded in PKCS#1
49 */
50 u_int version;
51
52 /**
53 * Public modulus.
54 */
55 mpz_t n;
56
57 /**
58 * Public exponent.
59 */
60 mpz_t e;
61
62 /**
63 * Private prime 1.
64 */
65 mpz_t p;
66
67 /**
68 * Private Prime 2.
69 */
70 mpz_t q;
71
72 /**
73 * Private exponent.
74 */
75 mpz_t d;
76
77 /**
78 * Private exponent 1.
79 */
80 mpz_t exp1;
81
82 /**
83 * Private exponent 2.
84 */
85 mpz_t exp2;
86
87 /**
88 * Private coefficient.
89 */
90 mpz_t coeff;
91
92 /**
93 * Keysize in bytes.
94 */
95 size_t k;
96
97 /**
98 * Keyid formed as a SHA-1 hash of a publicKey object
99 */
100 identification_t* keyid;
101
102 /**
103 * Keyid formed as a SHA-1 hash of a publicKeyInfo object
104 */
105 identification_t* keyid_info;
106
107 /**
108 * reference count
109 */
110 refcount_t ref;
111 };
112
113 /**
114 * Shared functions defined in gmp_rsa_public_key.c
115 */
116 extern bool gmp_rsa_public_key_build_id(mpz_t n, mpz_t e,
117 identification_t **keyid,
118 identification_t **keyid_info);
119 extern gmp_rsa_public_key_t *gmp_rsa_public_key_create_from_n_e(mpz_t n, mpz_t e);
120
121 /**
122 * Auxiliary function overwriting private key material with zero bytes
123 */
124 static void mpz_clear_randomized(mpz_t z)
125 {
126 size_t len = mpz_size(z) * GMP_LIMB_BITS / BITS_PER_BYTE;
127 u_int8_t *random = alloca(len);
128
129 memset(random, 0, len);
130 /* overwrite mpz_t with zero bytes before clearing it */
131 mpz_import(z, len, 1, 1, 1, 0, random);
132 mpz_clear(z);
133 }
134
135 /**
136 * Create a mpz prime of at least prime_size
137 */
138 static status_t compute_prime(private_gmp_rsa_private_key_t *this,
139 size_t prime_size, mpz_t *prime)
140 {
141 rng_t *rng;
142 chunk_t random_bytes;
143
144 rng = lib->crypto->create_rng(lib->crypto, RNG_TRUE);
145 if (!rng)
146 {
147 DBG1("no RNG of quality %N found", rng_quality_names, RNG_TRUE);
148 return FAILED;
149 }
150
151 mpz_init(*prime);
152 do
153 {
154 rng->allocate_bytes(rng, prime_size, &random_bytes);
155 /* make sure most significant bit is set */
156 random_bytes.ptr[0] = random_bytes.ptr[0] | 0x80;
157
158 mpz_import(*prime, random_bytes.len, 1, 1, 1, 0, random_bytes.ptr);
159 mpz_nextprime (*prime, *prime);
160 chunk_clear(&random_bytes);
161 }
162 /* check if it isn't too large */
163 while (((mpz_sizeinbase(*prime, 2) + 7) / 8) > prime_size);
164
165 rng->destroy(rng);
166 return SUCCESS;
167 }
168
169 /**
170 * PKCS#1 RSADP function
171 */
172 static chunk_t rsadp(private_gmp_rsa_private_key_t *this, chunk_t data)
173 {
174 mpz_t t1, t2;
175 chunk_t decrypted;
176
177 mpz_init(t1);
178 mpz_init(t2);
179
180 mpz_import(t1, data.len, 1, 1, 1, 0, data.ptr);
181
182 mpz_powm(t2, t1, this->exp1, this->p); /* m1 = c^dP mod p */
183 mpz_powm(t1, t1, this->exp2, this->q); /* m2 = c^dQ mod Q */
184 mpz_sub(t2, t2, t1); /* h = qInv (m1 - m2) mod p */
185 mpz_mod(t2, t2, this->p);
186 mpz_mul(t2, t2, this->coeff);
187 mpz_mod(t2, t2, this->p);
188
189 mpz_mul(t2, t2, this->q); /* m = m2 + h q */
190 mpz_add(t1, t1, t2);
191
192 decrypted.len = this->k;
193 decrypted.ptr = mpz_export(NULL, NULL, 1, decrypted.len, 1, 0, t1);
194 if (decrypted.ptr == NULL)
195 {
196 decrypted.len = 0;
197 }
198
199 mpz_clear_randomized(t1);
200 mpz_clear_randomized(t2);
201
202 return decrypted;
203 }
204
205 /**
206 * PKCS#1 RSASP1 function
207 */
208 static chunk_t rsasp1(private_gmp_rsa_private_key_t *this, chunk_t data)
209 {
210 return rsadp(this, data);
211 }
212
213 /**
214 * Implementation of gmp_rsa_private_key_t.build_emsa_pkcs1_signature.
215 */
216 static bool build_emsa_pkcs1_signature(private_gmp_rsa_private_key_t *this,
217 hash_algorithm_t hash_algorithm,
218 chunk_t data, chunk_t *signature)
219 {
220 chunk_t digestInfo = chunk_empty;
221 chunk_t em;
222
223 if (hash_algorithm != HASH_UNKNOWN)
224 {
225 hasher_t *hasher;
226 chunk_t hash;
227 int hash_oid = hasher_algorithm_to_oid(hash_algorithm);
228
229 if (hash_oid == OID_UNKNOWN)
230 {
231 return FALSE;
232 }
233
234 hasher = lib->crypto->create_hasher(lib->crypto, hash_algorithm);
235 if (hasher == NULL)
236 {
237 return FALSE;
238 }
239 hasher->allocate_hash(hasher, data, &hash);
240 hasher->destroy(hasher);
241
242 /* build DER-encoded digestInfo */
243 digestInfo = asn1_wrap(ASN1_SEQUENCE, "cm",
244 asn1_algorithmIdentifier(hash_oid),
245 asn1_simple_object(ASN1_OCTET_STRING, hash)
246 );
247 chunk_free(&hash);
248 data = digestInfo;
249 }
250
251 /* build chunk to rsa-decrypt:
252 * EM = 0x00 || 0x01 || PS || 0x00 || T.
253 * PS = 0xFF padding, with length to fill em
254 * T = encoded_hash
255 */
256 em.len = this->k;
257 em.ptr = malloc(em.len);
258
259 /* fill em with padding */
260 memset(em.ptr, 0xFF, em.len);
261 /* set magic bytes */
262 *(em.ptr) = 0x00;
263 *(em.ptr+1) = 0x01;
264 *(em.ptr + em.len - data.len - 1) = 0x00;
265 /* set DER-encoded hash */
266 memcpy(em.ptr + em.len - data.len, data.ptr, data.len);
267
268 /* build signature */
269 *signature = rsasp1(this, em);
270
271 free(digestInfo.ptr);
272 free(em.ptr);
273
274 return TRUE;
275 }
276
277 /**
278 * Implementation of gmp_rsa_private_key.get_type.
279 */
280 static key_type_t get_type(private_gmp_rsa_private_key_t *this)
281 {
282 return KEY_RSA;
283 }
284
285 /**
286 * Implementation of gmp_rsa_private_key.sign.
287 */
288 static bool sign(private_gmp_rsa_private_key_t *this, signature_scheme_t scheme,
289 chunk_t data, chunk_t *signature)
290 {
291 switch (scheme)
292 {
293 case SIGN_RSA_EMSA_PKCS1_NULL:
294 return build_emsa_pkcs1_signature(this, HASH_UNKNOWN, data, signature);
295 case SIGN_DEFAULT:
296 case SIGN_RSA_EMSA_PKCS1_SHA1:
297 return build_emsa_pkcs1_signature(this, HASH_SHA1, data, signature);
298 case SIGN_RSA_EMSA_PKCS1_SHA256:
299 return build_emsa_pkcs1_signature(this, HASH_SHA256, data, signature);
300 case SIGN_RSA_EMSA_PKCS1_SHA384:
301 return build_emsa_pkcs1_signature(this, HASH_SHA384, data, signature);
302 case SIGN_RSA_EMSA_PKCS1_SHA512:
303 return build_emsa_pkcs1_signature(this, HASH_SHA512, data, signature);
304 case SIGN_RSA_EMSA_PKCS1_MD5:
305 return build_emsa_pkcs1_signature(this, HASH_MD5, data, signature);
306 default:
307 DBG1("signature scheme %N not supported in RSA",
308 signature_scheme_names, scheme);
309 return FALSE;
310 }
311 }
312
313 /**
314 * Implementation of gmp_rsa_private_key.decrypt.
315 */
316 static bool decrypt(private_gmp_rsa_private_key_t *this,
317 chunk_t crypto, chunk_t *plain)
318 {
319 DBG1("RSA private key decryption not implemented");
320 return FALSE;
321 }
322
323 /**
324 * Implementation of gmp_rsa_private_key.get_keysize.
325 */
326 static size_t get_keysize(private_gmp_rsa_private_key_t *this)
327 {
328 return this->k;
329 }
330
331 /**
332 * Implementation of gmp_rsa_private_key.get_id.
333 */
334 static identification_t* get_id(private_gmp_rsa_private_key_t *this,
335 id_type_t type)
336 {
337 switch (type)
338 {
339 case ID_PUBKEY_INFO_SHA1:
340 return this->keyid_info;
341 case ID_PUBKEY_SHA1:
342 return this->keyid;
343 default:
344 return NULL;
345 }
346 }
347
348 /**
349 * Implementation of gmp_rsa_private_key.get_public_key.
350 */
351 static gmp_rsa_public_key_t* get_public_key(private_gmp_rsa_private_key_t *this)
352 {
353 return gmp_rsa_public_key_create_from_n_e(this->n, this->e);
354 }
355
356 /**
357 * Implementation of gmp_rsa_private_key.equals.
358 */
359 static bool equals(private_gmp_rsa_private_key_t *this, private_key_t *other)
360 {
361 identification_t *keyid;
362
363 if (&this->public.interface == other)
364 {
365 return TRUE;
366 }
367 if (other->get_type(other) != KEY_RSA)
368 {
369 return FALSE;
370 }
371 keyid = other->get_id(other, ID_PUBKEY_SHA1);
372 if (keyid && keyid->equals(keyid, this->keyid))
373 {
374 return TRUE;
375 }
376 keyid = other->get_id(other, ID_PUBKEY_INFO_SHA1);
377 if (keyid && keyid->equals(keyid, this->keyid_info))
378 {
379 return TRUE;
380 }
381 return FALSE;
382 }
383
384 /**
385 * Implementation of gmp_rsa_private_key.belongs_to.
386 */
387 static bool belongs_to(private_gmp_rsa_private_key_t *this, public_key_t *public)
388 {
389 identification_t *keyid;
390
391 if (public->get_type(public) != KEY_RSA)
392 {
393 return FALSE;
394 }
395 keyid = public->get_id(public, ID_PUBKEY_SHA1);
396 if (keyid && keyid->equals(keyid, this->keyid))
397 {
398 return TRUE;
399 }
400 keyid = public->get_id(public, ID_PUBKEY_INFO_SHA1);
401 if (keyid && keyid->equals(keyid, this->keyid_info))
402 {
403 return TRUE;
404 }
405 return FALSE;
406 }
407
408 /**
409 * Convert a MP integer into a chunk_t
410 */
411 chunk_t gmp_mpz_to_chunk(const mpz_t value)
412 {
413 chunk_t n;
414
415 n.len = 1 + mpz_sizeinbase(value, 2) / BITS_PER_BYTE;
416 n.ptr = mpz_export(NULL, NULL, 1, n.len, 1, 0, value);
417 if (n.ptr == NULL)
418 { /* if we have zero in "value", gmp returns NULL */
419 n.len = 0;
420 }
421 return n;
422 }
423
424 /**
425 * Convert a MP integer into a DER coded ASN.1 object
426 */
427 chunk_t gmp_mpz_to_asn1(const mpz_t value)
428 {
429 return asn1_wrap(ASN1_INTEGER, "m", gmp_mpz_to_chunk(value));
430 }
431
432 /**
433 * Implementation of private_key_t.get_encoding.
434 */
435 static chunk_t get_encoding(private_gmp_rsa_private_key_t *this)
436 {
437 return asn1_wrap(ASN1_SEQUENCE, "cmmmmmmmm",
438 ASN1_INTEGER_0,
439 gmp_mpz_to_asn1(this->n),
440 gmp_mpz_to_asn1(this->e),
441 gmp_mpz_to_asn1(this->d),
442 gmp_mpz_to_asn1(this->p),
443 gmp_mpz_to_asn1(this->q),
444 gmp_mpz_to_asn1(this->exp1),
445 gmp_mpz_to_asn1(this->exp2),
446 gmp_mpz_to_asn1(this->coeff));
447 }
448
449 /**
450 * Implementation of gmp_rsa_private_key.get_ref.
451 */
452 static private_gmp_rsa_private_key_t* get_ref(private_gmp_rsa_private_key_t *this)
453 {
454 ref_get(&this->ref);
455 return this;
456
457 }
458
459 /**
460 * Implementation of gmp_rsa_private_key.destroy.
461 */
462 static void destroy(private_gmp_rsa_private_key_t *this)
463 {
464 if (ref_put(&this->ref))
465 {
466 mpz_clear_randomized(this->n);
467 mpz_clear_randomized(this->e);
468 mpz_clear_randomized(this->p);
469 mpz_clear_randomized(this->q);
470 mpz_clear_randomized(this->d);
471 mpz_clear_randomized(this->exp1);
472 mpz_clear_randomized(this->exp2);
473 mpz_clear_randomized(this->coeff);
474 DESTROY_IF(this->keyid);
475 DESTROY_IF(this->keyid_info);
476 free(this);
477 }
478 }
479
480 /**
481 * Check the loaded key if it is valid and usable
482 */
483 static status_t check(private_gmp_rsa_private_key_t *this)
484 {
485 mpz_t t, u, q1;
486 status_t status = SUCCESS;
487
488 /* PKCS#1 1.5 section 6 requires modulus to have at least 12 octets.
489 * We actually require more (for security).
490 */
491 if (this->k < 512 / BITS_PER_BYTE)
492 {
493 DBG1("key shorter than 512 bits");
494 return FAILED;
495 }
496
497 /* we picked a max modulus size to simplify buffer allocation */
498 if (this->k > 8192 / BITS_PER_BYTE)
499 {
500 DBG1("key larger than 8192 bits");
501 return FAILED;
502 }
503
504 mpz_init(t);
505 mpz_init(u);
506 mpz_init(q1);
507
508 /* check that n == p * q */
509 mpz_mul(u, this->p, this->q);
510 if (mpz_cmp(u, this->n) != 0)
511 {
512 status = FAILED;
513 }
514
515 /* check that e divides neither p-1 nor q-1 */
516 mpz_sub_ui(t, this->p, 1);
517 mpz_mod(t, t, this->e);
518 if (mpz_cmp_ui(t, 0) == 0)
519 {
520 status = FAILED;
521 }
522
523 mpz_sub_ui(t, this->q, 1);
524 mpz_mod(t, t, this->e);
525 if (mpz_cmp_ui(t, 0) == 0)
526 {
527 status = FAILED;
528 }
529
530 /* check that d is e^-1 (mod lcm(p-1, q-1)) */
531 /* see PKCS#1v2, aka RFC 2437, for the "lcm" */
532 mpz_sub_ui(q1, this->q, 1);
533 mpz_sub_ui(u, this->p, 1);
534 mpz_gcd(t, u, q1); /* t := gcd(p-1, q-1) */
535 mpz_mul(u, u, q1); /* u := (p-1) * (q-1) */
536 mpz_divexact(u, u, t); /* u := lcm(p-1, q-1) */
537
538 mpz_mul(t, this->d, this->e);
539 mpz_mod(t, t, u);
540 if (mpz_cmp_ui(t, 1) != 0)
541 {
542 status = FAILED;
543 }
544
545 /* check that exp1 is d mod (p-1) */
546 mpz_sub_ui(u, this->p, 1);
547 mpz_mod(t, this->d, u);
548 if (mpz_cmp(t, this->exp1) != 0)
549 {
550 status = FAILED;
551 }
552
553 /* check that exp2 is d mod (q-1) */
554 mpz_sub_ui(u, this->q, 1);
555 mpz_mod(t, this->d, u);
556 if (mpz_cmp(t, this->exp2) != 0)
557 {
558 status = FAILED;
559 }
560
561 /* check that coeff is (q^-1) mod p */
562 mpz_mul(t, this->coeff, this->q);
563 mpz_mod(t, t, this->p);
564 if (mpz_cmp_ui(t, 1) != 0)
565 {
566 status = FAILED;
567 }
568
569 mpz_clear_randomized(t);
570 mpz_clear_randomized(u);
571 mpz_clear_randomized(q1);
572 if (status != SUCCESS)
573 {
574 DBG1("key integrity tests failed");
575 }
576 return status;
577 }
578
579 /**
580 * Internal generic constructor
581 */
582 static private_gmp_rsa_private_key_t *gmp_rsa_private_key_create_empty(void)
583 {
584 private_gmp_rsa_private_key_t *this = malloc_thing(private_gmp_rsa_private_key_t);
585
586 this->public.interface.get_type = (key_type_t (*) (private_key_t*))get_type;
587 this->public.interface.sign = (bool (*) (private_key_t*, signature_scheme_t, chunk_t, chunk_t*))sign;
588 this->public.interface.decrypt = (bool (*) (private_key_t*, chunk_t, chunk_t*))decrypt;
589 this->public.interface.get_keysize = (size_t (*) (private_key_t*))get_keysize;
590 this->public.interface.get_id = (identification_t* (*) (private_key_t*, id_type_t))get_id;
591 this->public.interface.get_public_key = (public_key_t* (*) (private_key_t*))get_public_key;
592 this->public.interface.equals = (bool (*) (private_key_t*, private_key_t*))equals;
593 this->public.interface.belongs_to = (bool (*) (private_key_t*, public_key_t*))belongs_to;
594 this->public.interface.get_encoding = (chunk_t (*) (private_key_t*))get_encoding;
595 this->public.interface.get_ref = (private_key_t* (*) (private_key_t*))get_ref;
596 this->public.interface.destroy = (void (*) (private_key_t*))destroy;
597
598 this->keyid = NULL;
599 this->keyid_info = NULL;
600 this->ref = 1;
601
602 return this;
603 }
604
605 /**
606 * Generate an RSA key of specified key size
607 */
608 static gmp_rsa_private_key_t *generate(size_t key_size)
609 {
610 mpz_t p, q, n, e, d, exp1, exp2, coeff;
611 mpz_t m, q1, t;
612 private_gmp_rsa_private_key_t *this = gmp_rsa_private_key_create_empty();
613
614 key_size = key_size / BITS_PER_BYTE;
615
616 /* Get values of primes p and q */
617 if (compute_prime(this, key_size/2, &p) != SUCCESS)
618 {
619 free(this);
620 return NULL;
621 }
622 if (compute_prime(this, key_size/2, &q) != SUCCESS)
623 {
624 mpz_clear(p);
625 free(this);
626 return NULL;
627 }
628
629 mpz_init(t);
630 mpz_init(n);
631 mpz_init(d);
632 mpz_init(exp1);
633 mpz_init(exp2);
634 mpz_init(coeff);
635
636 /* Swapping Primes so p is larger then q */
637 if (mpz_cmp(p, q) < 0)
638 {
639 mpz_swap(p, q);
640 }
641
642 mpz_mul(n, p, q); /* n = p*q */
643 mpz_init_set_ui(e, PUBLIC_EXPONENT); /* assign public exponent */
644 mpz_init_set(m, p); /* m = p */
645 mpz_sub_ui(m, m, 1); /* m = m -1 */
646 mpz_init_set(q1, q); /* q1 = q */
647 mpz_sub_ui(q1, q1, 1); /* q1 = q1 -1 */
648 mpz_gcd(t, m, q1); /* t = gcd(p-1, q-1) */
649 mpz_mul(m, m, q1); /* m = (p-1)*(q-1) */
650 mpz_divexact(m, m, t); /* m = m / t */
651 mpz_gcd(t, m, e); /* t = gcd(m, e) */
652
653 mpz_invert(d, e, m); /* e has an inverse mod m */
654 if (mpz_cmp_ui(d, 0) < 0) /* make sure d is positive */
655 {
656 mpz_add(d, d, m);
657 }
658 mpz_sub_ui(t, p, 1); /* t = p-1 */
659 mpz_mod(exp1, d, t); /* exp1 = d mod p-1 */
660 mpz_sub_ui(t, q, 1); /* t = q-1 */
661 mpz_mod(exp2, d, t); /* exp2 = d mod q-1 */
662
663 mpz_invert(coeff, q, p); /* coeff = q^-1 mod p */
664 if (mpz_cmp_ui(coeff, 0) < 0) /* make coeff d is positive */
665 {
666 mpz_add(coeff, coeff, p);
667 }
668
669 mpz_clear_randomized(q1);
670 mpz_clear_randomized(m);
671 mpz_clear_randomized(t);
672
673 /* apply values */
674 *(this->p) = *p;
675 *(this->q) = *q;
676 *(this->n) = *n;
677 *(this->e) = *e;
678 *(this->d) = *d;
679 *(this->exp1) = *exp1;
680 *(this->exp2) = *exp2;
681 *(this->coeff) = *coeff;
682
683 /* set key size in bytes */
684 this->k = key_size;
685
686 return &this->public;
687 }
688
689 /**
690 * ASN.1 definition of a PKCS#1 RSA private key
691 */
692 static const asn1Object_t privkeyObjects[] = {
693 { 0, "RSAPrivateKey", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
694 { 1, "version", ASN1_INTEGER, ASN1_BODY }, /* 1 */
695 { 1, "modulus", ASN1_INTEGER, ASN1_BODY }, /* 2 */
696 { 1, "publicExponent", ASN1_INTEGER, ASN1_BODY }, /* 3 */
697 { 1, "privateExponent", ASN1_INTEGER, ASN1_BODY }, /* 4 */
698 { 1, "prime1", ASN1_INTEGER, ASN1_BODY }, /* 5 */
699 { 1, "prime2", ASN1_INTEGER, ASN1_BODY }, /* 6 */
700 { 1, "exponent1", ASN1_INTEGER, ASN1_BODY }, /* 7 */
701 { 1, "exponent2", ASN1_INTEGER, ASN1_BODY }, /* 8 */
702 { 1, "coefficient", ASN1_INTEGER, ASN1_BODY }, /* 9 */
703 { 1, "otherPrimeInfos", ASN1_SEQUENCE, ASN1_OPT |
704 ASN1_LOOP }, /* 10 */
705 { 2, "otherPrimeInfo", ASN1_SEQUENCE, ASN1_NONE }, /* 11 */
706 { 3, "prime", ASN1_INTEGER, ASN1_BODY }, /* 12 */
707 { 3, "exponent", ASN1_INTEGER, ASN1_BODY }, /* 13 */
708 { 3, "coefficient", ASN1_INTEGER, ASN1_BODY }, /* 14 */
709 { 1, "end opt or loop", ASN1_EOC, ASN1_END }, /* 15 */
710 { 0, "exit", ASN1_EOC, ASN1_EXIT }
711 };
712 #define PRIV_KEY_VERSION 1
713 #define PRIV_KEY_MODULUS 2
714 #define PRIV_KEY_PUB_EXP 3
715 #define PRIV_KEY_PRIV_EXP 4
716 #define PRIV_KEY_PRIME1 5
717 #define PRIV_KEY_PRIME2 6
718 #define PRIV_KEY_EXP1 7
719 #define PRIV_KEY_EXP2 8
720 #define PRIV_KEY_COEFF 9
721
722 /**
723 * load private key from a ASN1 encoded blob
724 */
725 static gmp_rsa_private_key_t *load_asn1_der(chunk_t blob)
726 {
727 asn1_parser_t *parser;
728 chunk_t object;
729 int objectID ;
730 bool success = FALSE;
731
732 private_gmp_rsa_private_key_t *this = gmp_rsa_private_key_create_empty();
733
734 mpz_init(this->n);
735 mpz_init(this->e);
736 mpz_init(this->p);
737 mpz_init(this->q);
738 mpz_init(this->d);
739 mpz_init(this->exp1);
740 mpz_init(this->exp2);
741 mpz_init(this->coeff);
742
743 parser = asn1_parser_create(privkeyObjects, blob);
744 parser->set_flags(parser, FALSE, TRUE);
745
746 while (parser->iterate(parser, &objectID, &object))
747 {
748 switch (objectID)
749 {
750 case PRIV_KEY_VERSION:
751 if (object.len > 0 && *object.ptr != 0)
752 {
753 DBG1("PKCS#1 private key format is not version 1");
754 goto end;
755 }
756 break;
757 case PRIV_KEY_MODULUS:
758 mpz_import(this->n, object.len, 1, 1, 1, 0, object.ptr);
759 break;
760 case PRIV_KEY_PUB_EXP:
761 mpz_import(this->e, object.len, 1, 1, 1, 0, object.ptr);
762 break;
763 case PRIV_KEY_PRIV_EXP:
764 mpz_import(this->d, object.len, 1, 1, 1, 0, object.ptr);
765 break;
766 case PRIV_KEY_PRIME1:
767 mpz_import(this->p, object.len, 1, 1, 1, 0, object.ptr);
768 break;
769 case PRIV_KEY_PRIME2:
770 mpz_import(this->q, object.len, 1, 1, 1, 0, object.ptr);
771 break;
772 case PRIV_KEY_EXP1:
773 mpz_import(this->exp1, object.len, 1, 1, 1, 0, object.ptr);
774 break;
775 case PRIV_KEY_EXP2:
776 mpz_import(this->exp2, object.len, 1, 1, 1, 0, object.ptr);
777 break;
778 case PRIV_KEY_COEFF:
779 mpz_import(this->coeff, object.len, 1, 1, 1, 0, object.ptr);
780 break;
781 }
782 }
783 success = parser->success(parser);
784
785 end:
786 parser->destroy(parser);
787 chunk_clear(&blob);
788
789 if (!success)
790 {
791 destroy(this);
792 return NULL;
793 }
794
795 this->k = (mpz_sizeinbase(this->n, 2) + 7) / BITS_PER_BYTE;
796
797 if (!gmp_rsa_public_key_build_id(this->n, this->e,
798 &this->keyid, &this->keyid_info))
799 {
800 destroy(this);
801 return NULL;
802 }
803 if (check(this) != SUCCESS)
804 {
805 destroy(this);
806 return NULL;
807 }
808 return &this->public;
809 }
810
811 /**
812 * load private key from an OpenPGP blob coded according to section
813 */
814 static gmp_rsa_private_key_t *load_pgp(chunk_t blob)
815 {
816 mpz_t u;
817 int objectID;
818 chunk_t packet = blob;
819 private_gmp_rsa_private_key_t *this = gmp_rsa_private_key_create_empty();
820
821 mpz_init(this->n);
822 mpz_init(this->e);
823 mpz_init(this->p);
824 mpz_init(this->q);
825 mpz_init(this->d);
826 mpz_init(this->exp1);
827 mpz_init(this->exp2);
828 mpz_init(this->coeff);
829
830 for (objectID = PRIV_KEY_MODULUS; objectID <= PRIV_KEY_PRIME2; objectID++)
831 {
832 chunk_t object;
833
834 if (objectID == PRIV_KEY_PRIV_EXP)
835 {
836 pgp_sym_alg_t s2k;
837
838 /* string-to-key usage */
839 s2k = pgp_length(&packet, 1);
840 DBG2("L3 - string-to-key: %d", s2k);
841
842 if (s2k == 255 || s2k == 254)
843 {
844 DBG1("string-to-key specifiers not supported");
845 goto end;
846 }
847 DBG2(" %N", pgp_sym_alg_names, s2k);
848
849 if (s2k != PGP_SYM_ALG_PLAIN)
850 {
851 DBG1("%N encryption not supported", pgp_sym_alg_names, s2k);
852 goto end;
853 }
854 }
855
856 DBG2("L3 - %s:", privkeyObjects[objectID].name);
857 object.len = pgp_length(&packet, 2);
858
859 if (object.len == PGP_INVALID_LENGTH)
860 {
861 DBG1("OpenPGP length is invalid");
862 goto end;
863 }
864 object.len = (object.len + 7) / BITS_PER_BYTE;
865 if (object.len > packet.len)
866 {
867 DBG1("OpenPGP field is too short");
868 goto end;
869 }
870 object.ptr = packet.ptr;
871 packet.ptr += object.len;
872 packet.len -= object.len;
873 DBG4("%B", &object);
874
875 switch (objectID)
876 {
877 case PRIV_KEY_MODULUS:
878 mpz_import(this->n, object.len, 1, 1, 1, 0, object.ptr);
879 break;
880 case PRIV_KEY_PUB_EXP:
881 mpz_import(this->e, object.len, 1, 1, 1, 0, object.ptr);
882 break;
883 case PRIV_KEY_PRIV_EXP:
884 mpz_import(this->d, object.len, 1, 1, 1, 0, object.ptr);
885 break;
886 case PRIV_KEY_PRIME1:
887 mpz_import(this->p, object.len, 1, 1, 1, 0, object.ptr);
888 break;
889 case PRIV_KEY_PRIME2:
890 mpz_import(this->q, object.len, 1, 1, 1, 0, object.ptr);
891 break;
892 }
893 }
894
895 /* auxiliary variable */
896 mpz_init(u);
897
898 /* exp1 = d mod (p-1) */
899 mpz_sub_ui(u, this->p, 1);
900 mpz_mod(this->exp1, this->d, u);
901
902 /* exp2 = d mod (q-1) */
903 mpz_sub_ui(u, this->q, 1);
904 mpz_mod(this->exp2, this->d, u);
905
906 /* coeff = (q^-1) mod p */
907 mpz_invert(this->coeff, this->q, this->p);
908 if (mpz_cmp_ui(this->coeff, 0) < 0)
909 {
910 mpz_add(this->coeff, this->coeff, this->p);
911 }
912 mpz_clear(u);
913 chunk_clear(&blob);
914
915 this->k = (mpz_sizeinbase(this->n, 2) + 7) / BITS_PER_BYTE;
916
917 if (!gmp_rsa_public_key_build_id(this->n, this->e,
918 &this->keyid, &this->keyid_info))
919 {
920 destroy(this);
921 return NULL;
922 }
923 if (check(this) != SUCCESS)
924 {
925 destroy(this);
926 return NULL;
927 }
928 return &this->public;
929
930 end:
931 chunk_clear(&blob);
932 destroy(this);
933 return NULL;
934 }
935
936 typedef struct private_builder_t private_builder_t;
937 /**
938 * Builder implementation for key loading/generation
939 */
940 struct private_builder_t {
941 /** implements the builder interface */
942 builder_t public;
943 /** loaded/generated private key */
944 gmp_rsa_private_key_t *key;
945 };
946
947 /**
948 * Implementation of builder_t.build
949 */
950 static gmp_rsa_private_key_t *build(private_builder_t *this)
951 {
952 gmp_rsa_private_key_t *key = this->key;
953
954 free(this);
955 return key;
956 }
957
958 /**
959 * Implementation of builder_t.add
960 */
961 static void add(private_builder_t *this, builder_part_t part, ...)
962 {
963 if (!this->key)
964 {
965 va_list args;
966 chunk_t chunk;
967
968 switch (part)
969 {
970 case BUILD_BLOB_ASN1_DER:
971 {
972 va_start(args, part);
973 chunk = va_arg(args, chunk_t);
974 this->key = load_asn1_der(chunk_clone(chunk));
975 va_end(args);
976 return;
977 }
978 case BUILD_BLOB_PGP:
979 {
980 va_start(args, part);
981 chunk = va_arg(args, chunk_t);
982 this->key = load_pgp(chunk_clone(chunk));
983 va_end(args);
984 return;
985 }
986 case BUILD_KEY_SIZE:
987 {
988 va_start(args, part);
989 this->key = generate(va_arg(args, u_int));
990 va_end(args);
991 return;
992 }
993 default:
994 break;
995 }
996 }
997 if (this->key)
998 {
999 destroy((private_gmp_rsa_private_key_t*)this->key);
1000 }
1001 builder_cancel(&this->public);
1002 }
1003
1004 /**
1005 * Builder construction function
1006 */
1007 builder_t *gmp_rsa_private_key_builder(key_type_t type)
1008 {
1009 private_builder_t *this;
1010
1011 if (type != KEY_RSA)
1012 {
1013 return NULL;
1014 }
1015
1016 this = malloc_thing(private_builder_t);
1017
1018 this->key = NULL;
1019 this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
1020 this->public.build = (void*(*)(builder_t *this))build;
1021
1022 return &this->public;
1023 }
1024