check if RSA key is large enough to sign a chunk of data
[strongswan.git] / src / libstrongswan / plugins / gmp / gmp_rsa_private_key.c
1 /*
2 * Copyright (C) 2005-2008 Martin Willi
3 * Copyright (C) 2005 Jan Hutter
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include <gmp.h>
18 #include <sys/stat.h>
19 #include <unistd.h>
20 #include <string.h>
21
22 #include "gmp_rsa_private_key.h"
23 #include "gmp_rsa_public_key.h"
24
25 #include <debug.h>
26 #include <asn1/oid.h>
27 #include <asn1/asn1.h>
28 #include <asn1/asn1_parser.h>
29 #include <pgp/pgp.h>
30
31 /**
32 * Public exponent to use for key generation.
33 */
34 #define PUBLIC_EXPONENT 0x10001
35
36 typedef struct private_gmp_rsa_private_key_t private_gmp_rsa_private_key_t;
37
38 /**
39 * Private data of a gmp_rsa_private_key_t object.
40 */
41 struct private_gmp_rsa_private_key_t {
42 /**
43 * Public interface for this signer.
44 */
45 gmp_rsa_private_key_t public;
46
47 /**
48 * Version of key, as encoded in PKCS#1
49 */
50 u_int version;
51
52 /**
53 * Public modulus.
54 */
55 mpz_t n;
56
57 /**
58 * Public exponent.
59 */
60 mpz_t e;
61
62 /**
63 * Private prime 1.
64 */
65 mpz_t p;
66
67 /**
68 * Private Prime 2.
69 */
70 mpz_t q;
71
72 /**
73 * Private exponent.
74 */
75 mpz_t d;
76
77 /**
78 * Private exponent 1.
79 */
80 mpz_t exp1;
81
82 /**
83 * Private exponent 2.
84 */
85 mpz_t exp2;
86
87 /**
88 * Private coefficient.
89 */
90 mpz_t coeff;
91
92 /**
93 * Keysize in bytes.
94 */
95 size_t k;
96
97 /**
98 * Keyid formed as a SHA-1 hash of a publicKey object
99 */
100 identification_t* keyid;
101
102 /**
103 * Keyid formed as a SHA-1 hash of a publicKeyInfo object
104 */
105 identification_t* keyid_info;
106
107 /**
108 * reference count
109 */
110 refcount_t ref;
111 };
112
113 /**
114 * Shared functions defined in gmp_rsa_public_key.c
115 */
116 extern bool gmp_rsa_public_key_build_id(mpz_t n, mpz_t e,
117 identification_t **keyid,
118 identification_t **keyid_info);
119 extern gmp_rsa_public_key_t *gmp_rsa_public_key_create_from_n_e(mpz_t n, mpz_t e);
120
121 /**
122 * Auxiliary function overwriting private key material with zero bytes
123 */
124 static void mpz_clear_randomized(mpz_t z)
125 {
126 size_t len = mpz_size(z) * GMP_LIMB_BITS / BITS_PER_BYTE;
127 u_int8_t *random = alloca(len);
128
129 memset(random, 0, len);
130 /* overwrite mpz_t with zero bytes before clearing it */
131 mpz_import(z, len, 1, 1, 1, 0, random);
132 mpz_clear(z);
133 }
134
135 /**
136 * Create a mpz prime of at least prime_size
137 */
138 static status_t compute_prime(private_gmp_rsa_private_key_t *this,
139 size_t prime_size, mpz_t *prime)
140 {
141 rng_t *rng;
142 chunk_t random_bytes;
143
144 rng = lib->crypto->create_rng(lib->crypto, RNG_TRUE);
145 if (!rng)
146 {
147 DBG1("no RNG of quality %N found", rng_quality_names, RNG_TRUE);
148 return FAILED;
149 }
150
151 mpz_init(*prime);
152 do
153 {
154 rng->allocate_bytes(rng, prime_size, &random_bytes);
155 /* make sure most significant bit is set */
156 random_bytes.ptr[0] = random_bytes.ptr[0] | 0x80;
157
158 mpz_import(*prime, random_bytes.len, 1, 1, 1, 0, random_bytes.ptr);
159 mpz_nextprime (*prime, *prime);
160 chunk_clear(&random_bytes);
161 }
162 /* check if it isn't too large */
163 while (((mpz_sizeinbase(*prime, 2) + 7) / 8) > prime_size);
164
165 rng->destroy(rng);
166 return SUCCESS;
167 }
168
169 /**
170 * PKCS#1 RSADP function
171 */
172 static chunk_t rsadp(private_gmp_rsa_private_key_t *this, chunk_t data)
173 {
174 mpz_t t1, t2;
175 chunk_t decrypted;
176
177 mpz_init(t1);
178 mpz_init(t2);
179
180 mpz_import(t1, data.len, 1, 1, 1, 0, data.ptr);
181
182 mpz_powm(t2, t1, this->exp1, this->p); /* m1 = c^dP mod p */
183 mpz_powm(t1, t1, this->exp2, this->q); /* m2 = c^dQ mod Q */
184 mpz_sub(t2, t2, t1); /* h = qInv (m1 - m2) mod p */
185 mpz_mod(t2, t2, this->p);
186 mpz_mul(t2, t2, this->coeff);
187 mpz_mod(t2, t2, this->p);
188
189 mpz_mul(t2, t2, this->q); /* m = m2 + h q */
190 mpz_add(t1, t1, t2);
191
192 decrypted.len = this->k;
193 decrypted.ptr = mpz_export(NULL, NULL, 1, decrypted.len, 1, 0, t1);
194 if (decrypted.ptr == NULL)
195 {
196 decrypted.len = 0;
197 }
198
199 mpz_clear_randomized(t1);
200 mpz_clear_randomized(t2);
201
202 return decrypted;
203 }
204
205 /**
206 * PKCS#1 RSASP1 function
207 */
208 static chunk_t rsasp1(private_gmp_rsa_private_key_t *this, chunk_t data)
209 {
210 return rsadp(this, data);
211 }
212
213 /**
214 * Implementation of gmp_rsa_private_key_t.build_emsa_pkcs1_signature.
215 */
216 static bool build_emsa_pkcs1_signature(private_gmp_rsa_private_key_t *this,
217 hash_algorithm_t hash_algorithm,
218 chunk_t data, chunk_t *signature)
219 {
220 chunk_t digestInfo = chunk_empty;
221 chunk_t em;
222
223 if (hash_algorithm != HASH_UNKNOWN)
224 {
225 hasher_t *hasher;
226 chunk_t hash;
227 int hash_oid = hasher_algorithm_to_oid(hash_algorithm);
228
229 if (hash_oid == OID_UNKNOWN)
230 {
231 return FALSE;
232 }
233
234 hasher = lib->crypto->create_hasher(lib->crypto, hash_algorithm);
235 if (hasher == NULL)
236 {
237 return FALSE;
238 }
239 hasher->allocate_hash(hasher, data, &hash);
240 hasher->destroy(hasher);
241
242 /* build DER-encoded digestInfo */
243 digestInfo = asn1_wrap(ASN1_SEQUENCE, "cm",
244 asn1_algorithmIdentifier(hash_oid),
245 asn1_simple_object(ASN1_OCTET_STRING, hash)
246 );
247 chunk_free(&hash);
248 data = digestInfo;
249 }
250
251 if (data.len > this->k - 3)
252 {
253 free(digestInfo.ptr);
254 DBG1("unable to sign %d bytes using a %dbit key", data.len, this->k * 8);
255 return FALSE;
256 }
257
258 /* build chunk to rsa-decrypt:
259 * EM = 0x00 || 0x01 || PS || 0x00 || T.
260 * PS = 0xFF padding, with length to fill em
261 * T = encoded_hash
262 */
263 em.len = this->k;
264 em.ptr = malloc(em.len);
265
266 /* fill em with padding */
267 memset(em.ptr, 0xFF, em.len);
268 /* set magic bytes */
269 *(em.ptr) = 0x00;
270 *(em.ptr+1) = 0x01;
271 *(em.ptr + em.len - data.len - 1) = 0x00;
272 /* set DER-encoded hash */
273 memcpy(em.ptr + em.len - data.len, data.ptr, data.len);
274
275 /* build signature */
276 *signature = rsasp1(this, em);
277
278 free(digestInfo.ptr);
279 free(em.ptr);
280
281 return TRUE;
282 }
283
284 /**
285 * Implementation of gmp_rsa_private_key.get_type.
286 */
287 static key_type_t get_type(private_gmp_rsa_private_key_t *this)
288 {
289 return KEY_RSA;
290 }
291
292 /**
293 * Implementation of gmp_rsa_private_key.sign.
294 */
295 static bool sign(private_gmp_rsa_private_key_t *this, signature_scheme_t scheme,
296 chunk_t data, chunk_t *signature)
297 {
298 switch (scheme)
299 {
300 case SIGN_RSA_EMSA_PKCS1_NULL:
301 return build_emsa_pkcs1_signature(this, HASH_UNKNOWN, data, signature);
302 case SIGN_RSA_EMSA_PKCS1_SHA1:
303 return build_emsa_pkcs1_signature(this, HASH_SHA1, data, signature);
304 case SIGN_RSA_EMSA_PKCS1_SHA256:
305 return build_emsa_pkcs1_signature(this, HASH_SHA256, data, signature);
306 case SIGN_RSA_EMSA_PKCS1_SHA384:
307 return build_emsa_pkcs1_signature(this, HASH_SHA384, data, signature);
308 case SIGN_RSA_EMSA_PKCS1_SHA512:
309 return build_emsa_pkcs1_signature(this, HASH_SHA512, data, signature);
310 case SIGN_RSA_EMSA_PKCS1_MD5:
311 return build_emsa_pkcs1_signature(this, HASH_MD5, data, signature);
312 default:
313 DBG1("signature scheme %N not supported in RSA",
314 signature_scheme_names, scheme);
315 return FALSE;
316 }
317 }
318
319 /**
320 * Implementation of gmp_rsa_private_key.decrypt.
321 */
322 static bool decrypt(private_gmp_rsa_private_key_t *this, chunk_t crypto,
323 chunk_t *plain)
324 {
325 chunk_t em, stripped;
326 bool success = FALSE;
327
328 /* rsa decryption using PKCS#1 RSADP */
329 stripped = em = rsadp(this, crypto);
330
331 /* PKCS#1 v1.5 8.1 encryption-block formatting (EB = 00 || 02 || PS || 00 || D) */
332
333 /* check for hex pattern 00 02 in decrypted message */
334 if ((*stripped.ptr++ != 0x00) || (*(stripped.ptr++) != 0x02))
335 {
336 DBG1("incorrect padding - probably wrong rsa key");
337 goto end;
338 }
339 stripped.len -= 2;
340
341 /* the plaintext data starts after first 0x00 byte */
342 while (stripped.len-- > 0 && *stripped.ptr++ != 0x00)
343
344 if (stripped.len == 0)
345 {
346 DBG1("no plaintext data");
347 goto end;
348 }
349
350 *plain = chunk_clone(stripped);
351 success = TRUE;
352
353 end:
354 chunk_clear(&em);
355 return success;
356 }
357
358 /**
359 * Implementation of gmp_rsa_private_key.get_keysize.
360 */
361 static size_t get_keysize(private_gmp_rsa_private_key_t *this)
362 {
363 return this->k;
364 }
365
366 /**
367 * Implementation of gmp_rsa_private_key.get_id.
368 */
369 static identification_t* get_id(private_gmp_rsa_private_key_t *this,
370 id_type_t type)
371 {
372 switch (type)
373 {
374 case ID_PUBKEY_INFO_SHA1:
375 return this->keyid_info;
376 case ID_PUBKEY_SHA1:
377 return this->keyid;
378 default:
379 return NULL;
380 }
381 }
382
383 /**
384 * Implementation of gmp_rsa_private_key.get_public_key.
385 */
386 static gmp_rsa_public_key_t* get_public_key(private_gmp_rsa_private_key_t *this)
387 {
388 return gmp_rsa_public_key_create_from_n_e(this->n, this->e);
389 }
390
391 /**
392 * Implementation of gmp_rsa_private_key.equals.
393 */
394 static bool equals(private_gmp_rsa_private_key_t *this, private_key_t *other)
395 {
396 identification_t *keyid;
397
398 if (&this->public.interface == other)
399 {
400 return TRUE;
401 }
402 if (other->get_type(other) != KEY_RSA)
403 {
404 return FALSE;
405 }
406 keyid = other->get_id(other, ID_PUBKEY_SHA1);
407 if (keyid && keyid->equals(keyid, this->keyid))
408 {
409 return TRUE;
410 }
411 keyid = other->get_id(other, ID_PUBKEY_INFO_SHA1);
412 if (keyid && keyid->equals(keyid, this->keyid_info))
413 {
414 return TRUE;
415 }
416 return FALSE;
417 }
418
419 /**
420 * Implementation of gmp_rsa_private_key.belongs_to.
421 */
422 static bool belongs_to(private_gmp_rsa_private_key_t *this, public_key_t *public)
423 {
424 identification_t *keyid;
425
426 if (public->get_type(public) != KEY_RSA)
427 {
428 return FALSE;
429 }
430 keyid = public->get_id(public, ID_PUBKEY_SHA1);
431 if (keyid && keyid->equals(keyid, this->keyid))
432 {
433 return TRUE;
434 }
435 keyid = public->get_id(public, ID_PUBKEY_INFO_SHA1);
436 if (keyid && keyid->equals(keyid, this->keyid_info))
437 {
438 return TRUE;
439 }
440 return FALSE;
441 }
442
443 /**
444 * Convert a MP integer into a chunk_t
445 */
446 chunk_t gmp_mpz_to_chunk(const mpz_t value)
447 {
448 chunk_t n;
449
450 n.len = 1 + mpz_sizeinbase(value, 2) / BITS_PER_BYTE;
451 n.ptr = mpz_export(NULL, NULL, 1, n.len, 1, 0, value);
452 if (n.ptr == NULL)
453 { /* if we have zero in "value", gmp returns NULL */
454 n.len = 0;
455 }
456 return n;
457 }
458
459 /**
460 * Convert a MP integer into a DER coded ASN.1 object
461 */
462 chunk_t gmp_mpz_to_asn1(const mpz_t value)
463 {
464 return asn1_wrap(ASN1_INTEGER, "m", gmp_mpz_to_chunk(value));
465 }
466
467 /**
468 * Implementation of private_key_t.get_encoding.
469 */
470 static chunk_t get_encoding(private_gmp_rsa_private_key_t *this)
471 {
472 return asn1_wrap(ASN1_SEQUENCE, "cmmmmmmmm",
473 ASN1_INTEGER_0,
474 gmp_mpz_to_asn1(this->n),
475 gmp_mpz_to_asn1(this->e),
476 gmp_mpz_to_asn1(this->d),
477 gmp_mpz_to_asn1(this->p),
478 gmp_mpz_to_asn1(this->q),
479 gmp_mpz_to_asn1(this->exp1),
480 gmp_mpz_to_asn1(this->exp2),
481 gmp_mpz_to_asn1(this->coeff));
482 }
483
484 /**
485 * Implementation of gmp_rsa_private_key.get_ref.
486 */
487 static private_gmp_rsa_private_key_t* get_ref(private_gmp_rsa_private_key_t *this)
488 {
489 ref_get(&this->ref);
490 return this;
491
492 }
493
494 /**
495 * Implementation of gmp_rsa_private_key.destroy.
496 */
497 static void destroy(private_gmp_rsa_private_key_t *this)
498 {
499 if (ref_put(&this->ref))
500 {
501 mpz_clear_randomized(this->n);
502 mpz_clear_randomized(this->e);
503 mpz_clear_randomized(this->p);
504 mpz_clear_randomized(this->q);
505 mpz_clear_randomized(this->d);
506 mpz_clear_randomized(this->exp1);
507 mpz_clear_randomized(this->exp2);
508 mpz_clear_randomized(this->coeff);
509 DESTROY_IF(this->keyid);
510 DESTROY_IF(this->keyid_info);
511 free(this);
512 }
513 }
514
515 /**
516 * Check the loaded key if it is valid and usable
517 */
518 static status_t check(private_gmp_rsa_private_key_t *this)
519 {
520 mpz_t t, u, q1;
521 status_t status = SUCCESS;
522
523 /* PKCS#1 1.5 section 6 requires modulus to have at least 12 octets.
524 * We actually require more (for security).
525 */
526 if (this->k < 512 / BITS_PER_BYTE)
527 {
528 DBG1("key shorter than 512 bits");
529 return FAILED;
530 }
531
532 /* we picked a max modulus size to simplify buffer allocation */
533 if (this->k > 8192 / BITS_PER_BYTE)
534 {
535 DBG1("key larger than 8192 bits");
536 return FAILED;
537 }
538
539 mpz_init(t);
540 mpz_init(u);
541 mpz_init(q1);
542
543 /* check that n == p * q */
544 mpz_mul(u, this->p, this->q);
545 if (mpz_cmp(u, this->n) != 0)
546 {
547 status = FAILED;
548 }
549
550 /* check that e divides neither p-1 nor q-1 */
551 mpz_sub_ui(t, this->p, 1);
552 mpz_mod(t, t, this->e);
553 if (mpz_cmp_ui(t, 0) == 0)
554 {
555 status = FAILED;
556 }
557
558 mpz_sub_ui(t, this->q, 1);
559 mpz_mod(t, t, this->e);
560 if (mpz_cmp_ui(t, 0) == 0)
561 {
562 status = FAILED;
563 }
564
565 /* check that d is e^-1 (mod lcm(p-1, q-1)) */
566 /* see PKCS#1v2, aka RFC 2437, for the "lcm" */
567 mpz_sub_ui(q1, this->q, 1);
568 mpz_sub_ui(u, this->p, 1);
569 mpz_gcd(t, u, q1); /* t := gcd(p-1, q-1) */
570 mpz_mul(u, u, q1); /* u := (p-1) * (q-1) */
571 mpz_divexact(u, u, t); /* u := lcm(p-1, q-1) */
572
573 mpz_mul(t, this->d, this->e);
574 mpz_mod(t, t, u);
575 if (mpz_cmp_ui(t, 1) != 0)
576 {
577 status = FAILED;
578 }
579
580 /* check that exp1 is d mod (p-1) */
581 mpz_sub_ui(u, this->p, 1);
582 mpz_mod(t, this->d, u);
583 if (mpz_cmp(t, this->exp1) != 0)
584 {
585 status = FAILED;
586 }
587
588 /* check that exp2 is d mod (q-1) */
589 mpz_sub_ui(u, this->q, 1);
590 mpz_mod(t, this->d, u);
591 if (mpz_cmp(t, this->exp2) != 0)
592 {
593 status = FAILED;
594 }
595
596 /* check that coeff is (q^-1) mod p */
597 mpz_mul(t, this->coeff, this->q);
598 mpz_mod(t, t, this->p);
599 if (mpz_cmp_ui(t, 1) != 0)
600 {
601 status = FAILED;
602 }
603
604 mpz_clear_randomized(t);
605 mpz_clear_randomized(u);
606 mpz_clear_randomized(q1);
607 if (status != SUCCESS)
608 {
609 DBG1("key integrity tests failed");
610 }
611 return status;
612 }
613
614 /**
615 * Internal generic constructor
616 */
617 static private_gmp_rsa_private_key_t *gmp_rsa_private_key_create_empty(void)
618 {
619 private_gmp_rsa_private_key_t *this = malloc_thing(private_gmp_rsa_private_key_t);
620
621 this->public.interface.get_type = (key_type_t (*) (private_key_t*))get_type;
622 this->public.interface.sign = (bool (*) (private_key_t*, signature_scheme_t, chunk_t, chunk_t*))sign;
623 this->public.interface.decrypt = (bool (*) (private_key_t*, chunk_t, chunk_t*))decrypt;
624 this->public.interface.get_keysize = (size_t (*) (private_key_t*))get_keysize;
625 this->public.interface.get_id = (identification_t* (*) (private_key_t*, id_type_t))get_id;
626 this->public.interface.get_public_key = (public_key_t* (*) (private_key_t*))get_public_key;
627 this->public.interface.equals = (bool (*) (private_key_t*, private_key_t*))equals;
628 this->public.interface.belongs_to = (bool (*) (private_key_t*, public_key_t*))belongs_to;
629 this->public.interface.get_encoding = (chunk_t (*) (private_key_t*))get_encoding;
630 this->public.interface.get_ref = (private_key_t* (*) (private_key_t*))get_ref;
631 this->public.interface.destroy = (void (*) (private_key_t*))destroy;
632
633 this->keyid = NULL;
634 this->keyid_info = NULL;
635 this->ref = 1;
636
637 return this;
638 }
639
640 /**
641 * Generate an RSA key of specified key size
642 */
643 static gmp_rsa_private_key_t *generate(size_t key_size)
644 {
645 mpz_t p, q, n, e, d, exp1, exp2, coeff;
646 mpz_t m, q1, t;
647 private_gmp_rsa_private_key_t *this = gmp_rsa_private_key_create_empty();
648
649 key_size = key_size / BITS_PER_BYTE;
650
651 /* Get values of primes p and q */
652 if (compute_prime(this, key_size/2, &p) != SUCCESS)
653 {
654 free(this);
655 return NULL;
656 }
657 if (compute_prime(this, key_size/2, &q) != SUCCESS)
658 {
659 mpz_clear(p);
660 free(this);
661 return NULL;
662 }
663
664 mpz_init(t);
665 mpz_init(n);
666 mpz_init(d);
667 mpz_init(exp1);
668 mpz_init(exp2);
669 mpz_init(coeff);
670
671 /* Swapping Primes so p is larger then q */
672 if (mpz_cmp(p, q) < 0)
673 {
674 mpz_swap(p, q);
675 }
676
677 mpz_mul(n, p, q); /* n = p*q */
678 mpz_init_set_ui(e, PUBLIC_EXPONENT); /* assign public exponent */
679 mpz_init_set(m, p); /* m = p */
680 mpz_sub_ui(m, m, 1); /* m = m -1 */
681 mpz_init_set(q1, q); /* q1 = q */
682 mpz_sub_ui(q1, q1, 1); /* q1 = q1 -1 */
683 mpz_gcd(t, m, q1); /* t = gcd(p-1, q-1) */
684 mpz_mul(m, m, q1); /* m = (p-1)*(q-1) */
685 mpz_divexact(m, m, t); /* m = m / t */
686 mpz_gcd(t, m, e); /* t = gcd(m, e) */
687
688 mpz_invert(d, e, m); /* e has an inverse mod m */
689 if (mpz_cmp_ui(d, 0) < 0) /* make sure d is positive */
690 {
691 mpz_add(d, d, m);
692 }
693 mpz_sub_ui(t, p, 1); /* t = p-1 */
694 mpz_mod(exp1, d, t); /* exp1 = d mod p-1 */
695 mpz_sub_ui(t, q, 1); /* t = q-1 */
696 mpz_mod(exp2, d, t); /* exp2 = d mod q-1 */
697
698 mpz_invert(coeff, q, p); /* coeff = q^-1 mod p */
699 if (mpz_cmp_ui(coeff, 0) < 0) /* make coeff d is positive */
700 {
701 mpz_add(coeff, coeff, p);
702 }
703
704 mpz_clear_randomized(q1);
705 mpz_clear_randomized(m);
706 mpz_clear_randomized(t);
707
708 /* apply values */
709 *(this->p) = *p;
710 *(this->q) = *q;
711 *(this->n) = *n;
712 *(this->e) = *e;
713 *(this->d) = *d;
714 *(this->exp1) = *exp1;
715 *(this->exp2) = *exp2;
716 *(this->coeff) = *coeff;
717
718 /* set key size in bytes */
719 this->k = key_size;
720
721 return &this->public;
722 }
723
724 /**
725 * ASN.1 definition of a PKCS#1 RSA private key
726 */
727 static const asn1Object_t privkeyObjects[] = {
728 { 0, "RSAPrivateKey", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
729 { 1, "version", ASN1_INTEGER, ASN1_BODY }, /* 1 */
730 { 1, "modulus", ASN1_INTEGER, ASN1_BODY }, /* 2 */
731 { 1, "publicExponent", ASN1_INTEGER, ASN1_BODY }, /* 3 */
732 { 1, "privateExponent", ASN1_INTEGER, ASN1_BODY }, /* 4 */
733 { 1, "prime1", ASN1_INTEGER, ASN1_BODY }, /* 5 */
734 { 1, "prime2", ASN1_INTEGER, ASN1_BODY }, /* 6 */
735 { 1, "exponent1", ASN1_INTEGER, ASN1_BODY }, /* 7 */
736 { 1, "exponent2", ASN1_INTEGER, ASN1_BODY }, /* 8 */
737 { 1, "coefficient", ASN1_INTEGER, ASN1_BODY }, /* 9 */
738 { 1, "otherPrimeInfos", ASN1_SEQUENCE, ASN1_OPT |
739 ASN1_LOOP }, /* 10 */
740 { 2, "otherPrimeInfo", ASN1_SEQUENCE, ASN1_NONE }, /* 11 */
741 { 3, "prime", ASN1_INTEGER, ASN1_BODY }, /* 12 */
742 { 3, "exponent", ASN1_INTEGER, ASN1_BODY }, /* 13 */
743 { 3, "coefficient", ASN1_INTEGER, ASN1_BODY }, /* 14 */
744 { 1, "end opt or loop", ASN1_EOC, ASN1_END }, /* 15 */
745 { 0, "exit", ASN1_EOC, ASN1_EXIT }
746 };
747 #define PRIV_KEY_VERSION 1
748 #define PRIV_KEY_MODULUS 2
749 #define PRIV_KEY_PUB_EXP 3
750 #define PRIV_KEY_PRIV_EXP 4
751 #define PRIV_KEY_PRIME1 5
752 #define PRIV_KEY_PRIME2 6
753 #define PRIV_KEY_EXP1 7
754 #define PRIV_KEY_EXP2 8
755 #define PRIV_KEY_COEFF 9
756
757 /**
758 * load private key from a ASN1 encoded blob
759 */
760 static gmp_rsa_private_key_t *load_asn1_der(chunk_t blob)
761 {
762 asn1_parser_t *parser;
763 chunk_t object;
764 int objectID ;
765 bool success = FALSE;
766
767 private_gmp_rsa_private_key_t *this = gmp_rsa_private_key_create_empty();
768
769 mpz_init(this->n);
770 mpz_init(this->e);
771 mpz_init(this->p);
772 mpz_init(this->q);
773 mpz_init(this->d);
774 mpz_init(this->exp1);
775 mpz_init(this->exp2);
776 mpz_init(this->coeff);
777
778 parser = asn1_parser_create(privkeyObjects, blob);
779 parser->set_flags(parser, FALSE, TRUE);
780
781 while (parser->iterate(parser, &objectID, &object))
782 {
783 switch (objectID)
784 {
785 case PRIV_KEY_VERSION:
786 if (object.len > 0 && *object.ptr != 0)
787 {
788 DBG1("PKCS#1 private key format is not version 1");
789 goto end;
790 }
791 break;
792 case PRIV_KEY_MODULUS:
793 mpz_import(this->n, object.len, 1, 1, 1, 0, object.ptr);
794 break;
795 case PRIV_KEY_PUB_EXP:
796 mpz_import(this->e, object.len, 1, 1, 1, 0, object.ptr);
797 break;
798 case PRIV_KEY_PRIV_EXP:
799 mpz_import(this->d, object.len, 1, 1, 1, 0, object.ptr);
800 break;
801 case PRIV_KEY_PRIME1:
802 mpz_import(this->p, object.len, 1, 1, 1, 0, object.ptr);
803 break;
804 case PRIV_KEY_PRIME2:
805 mpz_import(this->q, object.len, 1, 1, 1, 0, object.ptr);
806 break;
807 case PRIV_KEY_EXP1:
808 mpz_import(this->exp1, object.len, 1, 1, 1, 0, object.ptr);
809 break;
810 case PRIV_KEY_EXP2:
811 mpz_import(this->exp2, object.len, 1, 1, 1, 0, object.ptr);
812 break;
813 case PRIV_KEY_COEFF:
814 mpz_import(this->coeff, object.len, 1, 1, 1, 0, object.ptr);
815 break;
816 }
817 }
818 success = parser->success(parser);
819
820 end:
821 parser->destroy(parser);
822 chunk_clear(&blob);
823
824 if (!success)
825 {
826 destroy(this);
827 return NULL;
828 }
829
830 this->k = (mpz_sizeinbase(this->n, 2) + 7) / BITS_PER_BYTE;
831
832 if (!gmp_rsa_public_key_build_id(this->n, this->e,
833 &this->keyid, &this->keyid_info))
834 {
835 destroy(this);
836 return NULL;
837 }
838 if (check(this) != SUCCESS)
839 {
840 destroy(this);
841 return NULL;
842 }
843 return &this->public;
844 }
845
846 /**
847 * load private key from an OpenPGP blob coded according to section
848 */
849 static gmp_rsa_private_key_t *load_pgp(chunk_t blob)
850 {
851 mpz_t u;
852 int objectID;
853 chunk_t packet = blob;
854 private_gmp_rsa_private_key_t *this = gmp_rsa_private_key_create_empty();
855
856 mpz_init(this->n);
857 mpz_init(this->e);
858 mpz_init(this->p);
859 mpz_init(this->q);
860 mpz_init(this->d);
861 mpz_init(this->exp1);
862 mpz_init(this->exp2);
863 mpz_init(this->coeff);
864
865 for (objectID = PRIV_KEY_MODULUS; objectID <= PRIV_KEY_COEFF; objectID++)
866 {
867 chunk_t object;
868
869 switch (objectID)
870 {
871 case PRIV_KEY_PRIV_EXP:
872 {
873 pgp_sym_alg_t s2k;
874
875 /* string-to-key usage */
876 s2k = pgp_length(&packet, 1);
877 DBG2("L3 - string-to-key: %d", s2k);
878
879 if (s2k == 255 || s2k == 254)
880 {
881 DBG1("string-to-key specifiers not supported");
882 goto end;
883 }
884 DBG2(" %N", pgp_sym_alg_names, s2k);
885
886 if (s2k != PGP_SYM_ALG_PLAIN)
887 {
888 DBG1("%N encryption not supported", pgp_sym_alg_names, s2k);
889 goto end;
890 }
891 break;
892 }
893 case PRIV_KEY_EXP1:
894 case PRIV_KEY_EXP2:
895 /* not contained in OpenPGP secret key payload */
896 continue;
897 default:
898 break;
899 }
900
901 DBG2("L3 - %s:", privkeyObjects[objectID].name);
902 object.len = pgp_length(&packet, 2);
903
904 if (object.len == PGP_INVALID_LENGTH)
905 {
906 DBG1("OpenPGP length is invalid");
907 goto end;
908 }
909 object.len = (object.len + 7) / BITS_PER_BYTE;
910 if (object.len > packet.len)
911 {
912 DBG1("OpenPGP field is too short");
913 goto end;
914 }
915 object.ptr = packet.ptr;
916 packet.ptr += object.len;
917 packet.len -= object.len;
918 DBG4("%B", &object);
919
920 switch (objectID)
921 {
922 case PRIV_KEY_MODULUS:
923 mpz_import(this->n, object.len, 1, 1, 1, 0, object.ptr);
924 break;
925 case PRIV_KEY_PUB_EXP:
926 mpz_import(this->e, object.len, 1, 1, 1, 0, object.ptr);
927 break;
928 case PRIV_KEY_PRIV_EXP:
929 mpz_import(this->d, object.len, 1, 1, 1, 0, object.ptr);
930 break;
931 case PRIV_KEY_PRIME1:
932 mpz_import(this->q, object.len, 1, 1, 1, 0, object.ptr);
933 break;
934 case PRIV_KEY_PRIME2:
935 mpz_import(this->p, object.len, 1, 1, 1, 0, object.ptr);
936 break;
937 case PRIV_KEY_COEFF:
938 mpz_import(this->coeff, object.len, 1, 1, 1, 0, object.ptr);
939 break;
940 }
941 }
942
943 /* auxiliary variable */
944 mpz_init(u);
945
946 /* exp1 = d mod (p-1) */
947 mpz_sub_ui(u, this->p, 1);
948 mpz_mod(this->exp1, this->d, u);
949
950 /* exp2 = d mod (q-1) */
951 mpz_sub_ui(u, this->q, 1);
952 mpz_mod(this->exp2, this->d, u);
953
954 mpz_clear(u);
955 chunk_clear(&blob);
956
957 this->k = (mpz_sizeinbase(this->n, 2) + 7) / BITS_PER_BYTE;
958
959 if (!gmp_rsa_public_key_build_id(this->n, this->e,
960 &this->keyid, &this->keyid_info))
961 {
962 destroy(this);
963 return NULL;
964 }
965 if (check(this) != SUCCESS)
966 {
967 destroy(this);
968 return NULL;
969 }
970 return &this->public;
971
972 end:
973 chunk_clear(&blob);
974 destroy(this);
975 return NULL;
976 }
977
978 typedef struct private_builder_t private_builder_t;
979 /**
980 * Builder implementation for key loading/generation
981 */
982 struct private_builder_t {
983 /** implements the builder interface */
984 builder_t public;
985 /** loaded/generated private key */
986 gmp_rsa_private_key_t *key;
987 };
988
989 /**
990 * Implementation of builder_t.build
991 */
992 static gmp_rsa_private_key_t *build(private_builder_t *this)
993 {
994 gmp_rsa_private_key_t *key = this->key;
995
996 free(this);
997 return key;
998 }
999
1000 /**
1001 * Implementation of builder_t.add
1002 */
1003 static void add(private_builder_t *this, builder_part_t part, ...)
1004 {
1005 if (!this->key)
1006 {
1007 va_list args;
1008 chunk_t chunk;
1009
1010 switch (part)
1011 {
1012 case BUILD_BLOB_ASN1_DER:
1013 {
1014 va_start(args, part);
1015 chunk = va_arg(args, chunk_t);
1016 this->key = load_asn1_der(chunk_clone(chunk));
1017 va_end(args);
1018 return;
1019 }
1020 case BUILD_BLOB_PGP:
1021 {
1022 va_start(args, part);
1023 chunk = va_arg(args, chunk_t);
1024 this->key = load_pgp(chunk_clone(chunk));
1025 va_end(args);
1026 return;
1027 }
1028 case BUILD_KEY_SIZE:
1029 {
1030 va_start(args, part);
1031 this->key = generate(va_arg(args, u_int));
1032 va_end(args);
1033 return;
1034 }
1035 default:
1036 break;
1037 }
1038 }
1039 if (this->key)
1040 {
1041 destroy((private_gmp_rsa_private_key_t*)this->key);
1042 }
1043 builder_cancel(&this->public);
1044 }
1045
1046 /**
1047 * Builder construction function
1048 */
1049 builder_t *gmp_rsa_private_key_builder(key_type_t type)
1050 {
1051 private_builder_t *this;
1052
1053 if (type != KEY_RSA)
1054 {
1055 return NULL;
1056 }
1057
1058 this = malloc_thing(private_builder_t);
1059
1060 this->key = NULL;
1061 this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
1062 this->public.build = (void*(*)(builder_t *this))build;
1063
1064 return &this->public;
1065 }
1066