dec4e46a5242154bc5aa10a2503846c1887d6851
[strongswan.git] / src / libstrongswan / plugins / gmp / gmp_rsa_private_key.c
1 /*
2 * Copyright (C) 2005-2008 Martin Willi
3 * Copyright (C) 2005 Jan Hutter
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include <gmp.h>
18 #include <sys/stat.h>
19 #include <unistd.h>
20 #include <string.h>
21
22 #include "gmp_rsa_private_key.h"
23 #include "gmp_rsa_public_key.h"
24
25 #include <debug.h>
26 #include <asn1/oid.h>
27 #include <asn1/asn1.h>
28 #include <asn1/asn1_parser.h>
29 #include <pgp/pgp.h>
30
31 /**
32 * Public exponent to use for key generation.
33 */
34 #define PUBLIC_EXPONENT 0x10001
35
36 typedef struct private_gmp_rsa_private_key_t private_gmp_rsa_private_key_t;
37
38 /**
39 * Private data of a gmp_rsa_private_key_t object.
40 */
41 struct private_gmp_rsa_private_key_t {
42 /**
43 * Public interface for this signer.
44 */
45 gmp_rsa_private_key_t public;
46
47 /**
48 * Version of key, as encoded in PKCS#1
49 */
50 u_int version;
51
52 /**
53 * Public modulus.
54 */
55 mpz_t n;
56
57 /**
58 * Public exponent.
59 */
60 mpz_t e;
61
62 /**
63 * Private prime 1.
64 */
65 mpz_t p;
66
67 /**
68 * Private Prime 2.
69 */
70 mpz_t q;
71
72 /**
73 * Private exponent.
74 */
75 mpz_t d;
76
77 /**
78 * Private exponent 1.
79 */
80 mpz_t exp1;
81
82 /**
83 * Private exponent 2.
84 */
85 mpz_t exp2;
86
87 /**
88 * Private coefficient.
89 */
90 mpz_t coeff;
91
92 /**
93 * Keysize in bytes.
94 */
95 size_t k;
96
97 /**
98 * Keyid formed as a SHA-1 hash of a publicKey object
99 */
100 identification_t* keyid;
101
102 /**
103 * Keyid formed as a SHA-1 hash of a publicKeyInfo object
104 */
105 identification_t* keyid_info;
106
107 /**
108 * reference count
109 */
110 refcount_t ref;
111 };
112
113 /**
114 * Shared functions defined in gmp_rsa_public_key.c
115 */
116 extern bool gmp_rsa_public_key_build_id(mpz_t n, mpz_t e,
117 identification_t **keyid,
118 identification_t **keyid_info);
119 extern gmp_rsa_public_key_t *gmp_rsa_public_key_create_from_n_e(mpz_t n, mpz_t e);
120
121 /**
122 * Auxiliary function overwriting private key material with zero bytes
123 */
124 static void mpz_clear_randomized(mpz_t z)
125 {
126 size_t len = mpz_size(z) * GMP_LIMB_BITS / BITS_PER_BYTE;
127 u_int8_t *random = alloca(len);
128
129 memset(random, 0, len);
130 /* overwrite mpz_t with zero bytes before clearing it */
131 mpz_import(z, len, 1, 1, 1, 0, random);
132 mpz_clear(z);
133 }
134
135 /**
136 * Create a mpz prime of at least prime_size
137 */
138 static status_t compute_prime(private_gmp_rsa_private_key_t *this,
139 size_t prime_size, mpz_t *prime)
140 {
141 rng_t *rng;
142 chunk_t random_bytes;
143
144 rng = lib->crypto->create_rng(lib->crypto, RNG_TRUE);
145 if (!rng)
146 {
147 DBG1("no RNG of quality %N found", rng_quality_names, RNG_TRUE);
148 return FAILED;
149 }
150
151 mpz_init(*prime);
152 do
153 {
154 rng->allocate_bytes(rng, prime_size, &random_bytes);
155 /* make sure most significant bit is set */
156 random_bytes.ptr[0] = random_bytes.ptr[0] | 0x80;
157
158 mpz_import(*prime, random_bytes.len, 1, 1, 1, 0, random_bytes.ptr);
159 mpz_nextprime (*prime, *prime);
160 chunk_clear(&random_bytes);
161 }
162 /* check if it isn't too large */
163 while (((mpz_sizeinbase(*prime, 2) + 7) / 8) > prime_size);
164
165 rng->destroy(rng);
166 return SUCCESS;
167 }
168
169 /**
170 * PKCS#1 RSADP function
171 */
172 static chunk_t rsadp(private_gmp_rsa_private_key_t *this, chunk_t data)
173 {
174 mpz_t t1, t2;
175 chunk_t decrypted;
176
177 mpz_init(t1);
178 mpz_init(t2);
179
180 mpz_import(t1, data.len, 1, 1, 1, 0, data.ptr);
181
182 mpz_powm(t2, t1, this->exp1, this->p); /* m1 = c^dP mod p */
183 mpz_powm(t1, t1, this->exp2, this->q); /* m2 = c^dQ mod Q */
184 mpz_sub(t2, t2, t1); /* h = qInv (m1 - m2) mod p */
185 mpz_mod(t2, t2, this->p);
186 mpz_mul(t2, t2, this->coeff);
187 mpz_mod(t2, t2, this->p);
188
189 mpz_mul(t2, t2, this->q); /* m = m2 + h q */
190 mpz_add(t1, t1, t2);
191
192 decrypted.len = this->k;
193 decrypted.ptr = mpz_export(NULL, NULL, 1, decrypted.len, 1, 0, t1);
194 if (decrypted.ptr == NULL)
195 {
196 decrypted.len = 0;
197 }
198
199 mpz_clear_randomized(t1);
200 mpz_clear_randomized(t2);
201
202 return decrypted;
203 }
204
205 /**
206 * PKCS#1 RSASP1 function
207 */
208 static chunk_t rsasp1(private_gmp_rsa_private_key_t *this, chunk_t data)
209 {
210 return rsadp(this, data);
211 }
212
213 /**
214 * Implementation of gmp_rsa_private_key_t.build_emsa_pkcs1_signature.
215 */
216 static bool build_emsa_pkcs1_signature(private_gmp_rsa_private_key_t *this,
217 hash_algorithm_t hash_algorithm,
218 chunk_t data, chunk_t *signature)
219 {
220 chunk_t digestInfo = chunk_empty;
221 chunk_t em;
222
223 if (hash_algorithm != HASH_UNKNOWN)
224 {
225 hasher_t *hasher;
226 chunk_t hash;
227 int hash_oid = hasher_algorithm_to_oid(hash_algorithm);
228
229 if (hash_oid == OID_UNKNOWN)
230 {
231 return FALSE;
232 }
233
234 hasher = lib->crypto->create_hasher(lib->crypto, hash_algorithm);
235 if (hasher == NULL)
236 {
237 return FALSE;
238 }
239 hasher->allocate_hash(hasher, data, &hash);
240 hasher->destroy(hasher);
241
242 /* build DER-encoded digestInfo */
243 digestInfo = asn1_wrap(ASN1_SEQUENCE, "cm",
244 asn1_algorithmIdentifier(hash_oid),
245 asn1_simple_object(ASN1_OCTET_STRING, hash)
246 );
247 chunk_free(&hash);
248 data = digestInfo;
249 }
250
251 /* build chunk to rsa-decrypt:
252 * EM = 0x00 || 0x01 || PS || 0x00 || T.
253 * PS = 0xFF padding, with length to fill em
254 * T = encoded_hash
255 */
256 em.len = this->k;
257 em.ptr = malloc(em.len);
258
259 /* fill em with padding */
260 memset(em.ptr, 0xFF, em.len);
261 /* set magic bytes */
262 *(em.ptr) = 0x00;
263 *(em.ptr+1) = 0x01;
264 *(em.ptr + em.len - data.len - 1) = 0x00;
265 /* set DER-encoded hash */
266 memcpy(em.ptr + em.len - data.len, data.ptr, data.len);
267
268 /* build signature */
269 *signature = rsasp1(this, em);
270
271 free(digestInfo.ptr);
272 free(em.ptr);
273
274 return TRUE;
275 }
276
277 /**
278 * Implementation of gmp_rsa_private_key.get_type.
279 */
280 static key_type_t get_type(private_gmp_rsa_private_key_t *this)
281 {
282 return KEY_RSA;
283 }
284
285 /**
286 * Implementation of gmp_rsa_private_key.sign.
287 */
288 static bool sign(private_gmp_rsa_private_key_t *this, signature_scheme_t scheme,
289 chunk_t data, chunk_t *signature)
290 {
291 switch (scheme)
292 {
293 case SIGN_RSA_EMSA_PKCS1_NULL:
294 return build_emsa_pkcs1_signature(this, HASH_UNKNOWN, data, signature);
295 case SIGN_RSA_EMSA_PKCS1_SHA1:
296 return build_emsa_pkcs1_signature(this, HASH_SHA1, data, signature);
297 case SIGN_RSA_EMSA_PKCS1_SHA256:
298 return build_emsa_pkcs1_signature(this, HASH_SHA256, data, signature);
299 case SIGN_RSA_EMSA_PKCS1_SHA384:
300 return build_emsa_pkcs1_signature(this, HASH_SHA384, data, signature);
301 case SIGN_RSA_EMSA_PKCS1_SHA512:
302 return build_emsa_pkcs1_signature(this, HASH_SHA512, data, signature);
303 case SIGN_RSA_EMSA_PKCS1_MD5:
304 return build_emsa_pkcs1_signature(this, HASH_MD5, data, signature);
305 default:
306 DBG1("signature scheme %N not supported in RSA",
307 signature_scheme_names, scheme);
308 return FALSE;
309 }
310 }
311
312 /**
313 * Implementation of gmp_rsa_private_key.decrypt.
314 */
315 static bool decrypt(private_gmp_rsa_private_key_t *this, chunk_t crypto,
316 chunk_t *plain)
317 {
318 chunk_t em, stripped;
319 bool success = FALSE;
320
321 /* rsa decryption using PKCS#1 RSADP */
322 stripped = em = rsadp(this, crypto);
323
324 /* PKCS#1 v1.5 8.1 encryption-block formatting (EB = 00 || 02 || PS || 00 || D) */
325
326 /* check for hex pattern 00 02 in decrypted message */
327 if ((*stripped.ptr++ != 0x00) || (*(stripped.ptr++) != 0x02))
328 {
329 DBG1("incorrect padding - probably wrong rsa key");
330 goto end;
331 }
332 stripped.len -= 2;
333
334 /* the plaintext data starts after first 0x00 byte */
335 while (stripped.len-- > 0 && *stripped.ptr++ != 0x00)
336
337 if (stripped.len == 0)
338 {
339 DBG1("no plaintext data");
340 goto end;
341 }
342
343 *plain = chunk_clone(stripped);
344 success = TRUE;
345
346 end:
347 chunk_clear(&em);
348 return success;
349 }
350
351 /**
352 * Implementation of gmp_rsa_private_key.get_keysize.
353 */
354 static size_t get_keysize(private_gmp_rsa_private_key_t *this)
355 {
356 return this->k;
357 }
358
359 /**
360 * Implementation of gmp_rsa_private_key.get_id.
361 */
362 static identification_t* get_id(private_gmp_rsa_private_key_t *this,
363 id_type_t type)
364 {
365 switch (type)
366 {
367 case ID_PUBKEY_INFO_SHA1:
368 return this->keyid_info;
369 case ID_PUBKEY_SHA1:
370 return this->keyid;
371 default:
372 return NULL;
373 }
374 }
375
376 /**
377 * Implementation of gmp_rsa_private_key.get_public_key.
378 */
379 static gmp_rsa_public_key_t* get_public_key(private_gmp_rsa_private_key_t *this)
380 {
381 return gmp_rsa_public_key_create_from_n_e(this->n, this->e);
382 }
383
384 /**
385 * Implementation of gmp_rsa_private_key.equals.
386 */
387 static bool equals(private_gmp_rsa_private_key_t *this, private_key_t *other)
388 {
389 identification_t *keyid;
390
391 if (&this->public.interface == other)
392 {
393 return TRUE;
394 }
395 if (other->get_type(other) != KEY_RSA)
396 {
397 return FALSE;
398 }
399 keyid = other->get_id(other, ID_PUBKEY_SHA1);
400 if (keyid && keyid->equals(keyid, this->keyid))
401 {
402 return TRUE;
403 }
404 keyid = other->get_id(other, ID_PUBKEY_INFO_SHA1);
405 if (keyid && keyid->equals(keyid, this->keyid_info))
406 {
407 return TRUE;
408 }
409 return FALSE;
410 }
411
412 /**
413 * Implementation of gmp_rsa_private_key.belongs_to.
414 */
415 static bool belongs_to(private_gmp_rsa_private_key_t *this, public_key_t *public)
416 {
417 identification_t *keyid;
418
419 if (public->get_type(public) != KEY_RSA)
420 {
421 return FALSE;
422 }
423 keyid = public->get_id(public, ID_PUBKEY_SHA1);
424 if (keyid && keyid->equals(keyid, this->keyid))
425 {
426 return TRUE;
427 }
428 keyid = public->get_id(public, ID_PUBKEY_INFO_SHA1);
429 if (keyid && keyid->equals(keyid, this->keyid_info))
430 {
431 return TRUE;
432 }
433 return FALSE;
434 }
435
436 /**
437 * Convert a MP integer into a chunk_t
438 */
439 chunk_t gmp_mpz_to_chunk(const mpz_t value)
440 {
441 chunk_t n;
442
443 n.len = 1 + mpz_sizeinbase(value, 2) / BITS_PER_BYTE;
444 n.ptr = mpz_export(NULL, NULL, 1, n.len, 1, 0, value);
445 if (n.ptr == NULL)
446 { /* if we have zero in "value", gmp returns NULL */
447 n.len = 0;
448 }
449 return n;
450 }
451
452 /**
453 * Convert a MP integer into a DER coded ASN.1 object
454 */
455 chunk_t gmp_mpz_to_asn1(const mpz_t value)
456 {
457 return asn1_wrap(ASN1_INTEGER, "m", gmp_mpz_to_chunk(value));
458 }
459
460 /**
461 * Implementation of private_key_t.get_encoding.
462 */
463 static chunk_t get_encoding(private_gmp_rsa_private_key_t *this)
464 {
465 return asn1_wrap(ASN1_SEQUENCE, "cmmmmmmmm",
466 ASN1_INTEGER_0,
467 gmp_mpz_to_asn1(this->n),
468 gmp_mpz_to_asn1(this->e),
469 gmp_mpz_to_asn1(this->d),
470 gmp_mpz_to_asn1(this->p),
471 gmp_mpz_to_asn1(this->q),
472 gmp_mpz_to_asn1(this->exp1),
473 gmp_mpz_to_asn1(this->exp2),
474 gmp_mpz_to_asn1(this->coeff));
475 }
476
477 /**
478 * Implementation of gmp_rsa_private_key.get_ref.
479 */
480 static private_gmp_rsa_private_key_t* get_ref(private_gmp_rsa_private_key_t *this)
481 {
482 ref_get(&this->ref);
483 return this;
484
485 }
486
487 /**
488 * Implementation of gmp_rsa_private_key.destroy.
489 */
490 static void destroy(private_gmp_rsa_private_key_t *this)
491 {
492 if (ref_put(&this->ref))
493 {
494 mpz_clear_randomized(this->n);
495 mpz_clear_randomized(this->e);
496 mpz_clear_randomized(this->p);
497 mpz_clear_randomized(this->q);
498 mpz_clear_randomized(this->d);
499 mpz_clear_randomized(this->exp1);
500 mpz_clear_randomized(this->exp2);
501 mpz_clear_randomized(this->coeff);
502 DESTROY_IF(this->keyid);
503 DESTROY_IF(this->keyid_info);
504 free(this);
505 }
506 }
507
508 /**
509 * Check the loaded key if it is valid and usable
510 */
511 static status_t check(private_gmp_rsa_private_key_t *this)
512 {
513 mpz_t t, u, q1;
514 status_t status = SUCCESS;
515
516 /* PKCS#1 1.5 section 6 requires modulus to have at least 12 octets.
517 * We actually require more (for security).
518 */
519 if (this->k < 512 / BITS_PER_BYTE)
520 {
521 DBG1("key shorter than 512 bits");
522 return FAILED;
523 }
524
525 /* we picked a max modulus size to simplify buffer allocation */
526 if (this->k > 8192 / BITS_PER_BYTE)
527 {
528 DBG1("key larger than 8192 bits");
529 return FAILED;
530 }
531
532 mpz_init(t);
533 mpz_init(u);
534 mpz_init(q1);
535
536 /* check that n == p * q */
537 mpz_mul(u, this->p, this->q);
538 if (mpz_cmp(u, this->n) != 0)
539 {
540 status = FAILED;
541 }
542
543 /* check that e divides neither p-1 nor q-1 */
544 mpz_sub_ui(t, this->p, 1);
545 mpz_mod(t, t, this->e);
546 if (mpz_cmp_ui(t, 0) == 0)
547 {
548 status = FAILED;
549 }
550
551 mpz_sub_ui(t, this->q, 1);
552 mpz_mod(t, t, this->e);
553 if (mpz_cmp_ui(t, 0) == 0)
554 {
555 status = FAILED;
556 }
557
558 /* check that d is e^-1 (mod lcm(p-1, q-1)) */
559 /* see PKCS#1v2, aka RFC 2437, for the "lcm" */
560 mpz_sub_ui(q1, this->q, 1);
561 mpz_sub_ui(u, this->p, 1);
562 mpz_gcd(t, u, q1); /* t := gcd(p-1, q-1) */
563 mpz_mul(u, u, q1); /* u := (p-1) * (q-1) */
564 mpz_divexact(u, u, t); /* u := lcm(p-1, q-1) */
565
566 mpz_mul(t, this->d, this->e);
567 mpz_mod(t, t, u);
568 if (mpz_cmp_ui(t, 1) != 0)
569 {
570 status = FAILED;
571 }
572
573 /* check that exp1 is d mod (p-1) */
574 mpz_sub_ui(u, this->p, 1);
575 mpz_mod(t, this->d, u);
576 if (mpz_cmp(t, this->exp1) != 0)
577 {
578 status = FAILED;
579 }
580
581 /* check that exp2 is d mod (q-1) */
582 mpz_sub_ui(u, this->q, 1);
583 mpz_mod(t, this->d, u);
584 if (mpz_cmp(t, this->exp2) != 0)
585 {
586 status = FAILED;
587 }
588
589 /* check that coeff is (q^-1) mod p */
590 mpz_mul(t, this->coeff, this->q);
591 mpz_mod(t, t, this->p);
592 if (mpz_cmp_ui(t, 1) != 0)
593 {
594 status = FAILED;
595 }
596
597 mpz_clear_randomized(t);
598 mpz_clear_randomized(u);
599 mpz_clear_randomized(q1);
600 if (status != SUCCESS)
601 {
602 DBG1("key integrity tests failed");
603 }
604 return status;
605 }
606
607 /**
608 * Internal generic constructor
609 */
610 static private_gmp_rsa_private_key_t *gmp_rsa_private_key_create_empty(void)
611 {
612 private_gmp_rsa_private_key_t *this = malloc_thing(private_gmp_rsa_private_key_t);
613
614 this->public.interface.get_type = (key_type_t (*) (private_key_t*))get_type;
615 this->public.interface.sign = (bool (*) (private_key_t*, signature_scheme_t, chunk_t, chunk_t*))sign;
616 this->public.interface.decrypt = (bool (*) (private_key_t*, chunk_t, chunk_t*))decrypt;
617 this->public.interface.get_keysize = (size_t (*) (private_key_t*))get_keysize;
618 this->public.interface.get_id = (identification_t* (*) (private_key_t*, id_type_t))get_id;
619 this->public.interface.get_public_key = (public_key_t* (*) (private_key_t*))get_public_key;
620 this->public.interface.equals = (bool (*) (private_key_t*, private_key_t*))equals;
621 this->public.interface.belongs_to = (bool (*) (private_key_t*, public_key_t*))belongs_to;
622 this->public.interface.get_encoding = (chunk_t (*) (private_key_t*))get_encoding;
623 this->public.interface.get_ref = (private_key_t* (*) (private_key_t*))get_ref;
624 this->public.interface.destroy = (void (*) (private_key_t*))destroy;
625
626 this->keyid = NULL;
627 this->keyid_info = NULL;
628 this->ref = 1;
629
630 return this;
631 }
632
633 /**
634 * Generate an RSA key of specified key size
635 */
636 static gmp_rsa_private_key_t *generate(size_t key_size)
637 {
638 mpz_t p, q, n, e, d, exp1, exp2, coeff;
639 mpz_t m, q1, t;
640 private_gmp_rsa_private_key_t *this = gmp_rsa_private_key_create_empty();
641
642 key_size = key_size / BITS_PER_BYTE;
643
644 /* Get values of primes p and q */
645 if (compute_prime(this, key_size/2, &p) != SUCCESS)
646 {
647 free(this);
648 return NULL;
649 }
650 if (compute_prime(this, key_size/2, &q) != SUCCESS)
651 {
652 mpz_clear(p);
653 free(this);
654 return NULL;
655 }
656
657 mpz_init(t);
658 mpz_init(n);
659 mpz_init(d);
660 mpz_init(exp1);
661 mpz_init(exp2);
662 mpz_init(coeff);
663
664 /* Swapping Primes so p is larger then q */
665 if (mpz_cmp(p, q) < 0)
666 {
667 mpz_swap(p, q);
668 }
669
670 mpz_mul(n, p, q); /* n = p*q */
671 mpz_init_set_ui(e, PUBLIC_EXPONENT); /* assign public exponent */
672 mpz_init_set(m, p); /* m = p */
673 mpz_sub_ui(m, m, 1); /* m = m -1 */
674 mpz_init_set(q1, q); /* q1 = q */
675 mpz_sub_ui(q1, q1, 1); /* q1 = q1 -1 */
676 mpz_gcd(t, m, q1); /* t = gcd(p-1, q-1) */
677 mpz_mul(m, m, q1); /* m = (p-1)*(q-1) */
678 mpz_divexact(m, m, t); /* m = m / t */
679 mpz_gcd(t, m, e); /* t = gcd(m, e) */
680
681 mpz_invert(d, e, m); /* e has an inverse mod m */
682 if (mpz_cmp_ui(d, 0) < 0) /* make sure d is positive */
683 {
684 mpz_add(d, d, m);
685 }
686 mpz_sub_ui(t, p, 1); /* t = p-1 */
687 mpz_mod(exp1, d, t); /* exp1 = d mod p-1 */
688 mpz_sub_ui(t, q, 1); /* t = q-1 */
689 mpz_mod(exp2, d, t); /* exp2 = d mod q-1 */
690
691 mpz_invert(coeff, q, p); /* coeff = q^-1 mod p */
692 if (mpz_cmp_ui(coeff, 0) < 0) /* make coeff d is positive */
693 {
694 mpz_add(coeff, coeff, p);
695 }
696
697 mpz_clear_randomized(q1);
698 mpz_clear_randomized(m);
699 mpz_clear_randomized(t);
700
701 /* apply values */
702 *(this->p) = *p;
703 *(this->q) = *q;
704 *(this->n) = *n;
705 *(this->e) = *e;
706 *(this->d) = *d;
707 *(this->exp1) = *exp1;
708 *(this->exp2) = *exp2;
709 *(this->coeff) = *coeff;
710
711 /* set key size in bytes */
712 this->k = key_size;
713
714 return &this->public;
715 }
716
717 /**
718 * ASN.1 definition of a PKCS#1 RSA private key
719 */
720 static const asn1Object_t privkeyObjects[] = {
721 { 0, "RSAPrivateKey", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
722 { 1, "version", ASN1_INTEGER, ASN1_BODY }, /* 1 */
723 { 1, "modulus", ASN1_INTEGER, ASN1_BODY }, /* 2 */
724 { 1, "publicExponent", ASN1_INTEGER, ASN1_BODY }, /* 3 */
725 { 1, "privateExponent", ASN1_INTEGER, ASN1_BODY }, /* 4 */
726 { 1, "prime1", ASN1_INTEGER, ASN1_BODY }, /* 5 */
727 { 1, "prime2", ASN1_INTEGER, ASN1_BODY }, /* 6 */
728 { 1, "exponent1", ASN1_INTEGER, ASN1_BODY }, /* 7 */
729 { 1, "exponent2", ASN1_INTEGER, ASN1_BODY }, /* 8 */
730 { 1, "coefficient", ASN1_INTEGER, ASN1_BODY }, /* 9 */
731 { 1, "otherPrimeInfos", ASN1_SEQUENCE, ASN1_OPT |
732 ASN1_LOOP }, /* 10 */
733 { 2, "otherPrimeInfo", ASN1_SEQUENCE, ASN1_NONE }, /* 11 */
734 { 3, "prime", ASN1_INTEGER, ASN1_BODY }, /* 12 */
735 { 3, "exponent", ASN1_INTEGER, ASN1_BODY }, /* 13 */
736 { 3, "coefficient", ASN1_INTEGER, ASN1_BODY }, /* 14 */
737 { 1, "end opt or loop", ASN1_EOC, ASN1_END }, /* 15 */
738 { 0, "exit", ASN1_EOC, ASN1_EXIT }
739 };
740 #define PRIV_KEY_VERSION 1
741 #define PRIV_KEY_MODULUS 2
742 #define PRIV_KEY_PUB_EXP 3
743 #define PRIV_KEY_PRIV_EXP 4
744 #define PRIV_KEY_PRIME1 5
745 #define PRIV_KEY_PRIME2 6
746 #define PRIV_KEY_EXP1 7
747 #define PRIV_KEY_EXP2 8
748 #define PRIV_KEY_COEFF 9
749
750 /**
751 * load private key from a ASN1 encoded blob
752 */
753 static gmp_rsa_private_key_t *load_asn1_der(chunk_t blob)
754 {
755 asn1_parser_t *parser;
756 chunk_t object;
757 int objectID ;
758 bool success = FALSE;
759
760 private_gmp_rsa_private_key_t *this = gmp_rsa_private_key_create_empty();
761
762 mpz_init(this->n);
763 mpz_init(this->e);
764 mpz_init(this->p);
765 mpz_init(this->q);
766 mpz_init(this->d);
767 mpz_init(this->exp1);
768 mpz_init(this->exp2);
769 mpz_init(this->coeff);
770
771 parser = asn1_parser_create(privkeyObjects, blob);
772 parser->set_flags(parser, FALSE, TRUE);
773
774 while (parser->iterate(parser, &objectID, &object))
775 {
776 switch (objectID)
777 {
778 case PRIV_KEY_VERSION:
779 if (object.len > 0 && *object.ptr != 0)
780 {
781 DBG1("PKCS#1 private key format is not version 1");
782 goto end;
783 }
784 break;
785 case PRIV_KEY_MODULUS:
786 mpz_import(this->n, object.len, 1, 1, 1, 0, object.ptr);
787 break;
788 case PRIV_KEY_PUB_EXP:
789 mpz_import(this->e, object.len, 1, 1, 1, 0, object.ptr);
790 break;
791 case PRIV_KEY_PRIV_EXP:
792 mpz_import(this->d, object.len, 1, 1, 1, 0, object.ptr);
793 break;
794 case PRIV_KEY_PRIME1:
795 mpz_import(this->p, object.len, 1, 1, 1, 0, object.ptr);
796 break;
797 case PRIV_KEY_PRIME2:
798 mpz_import(this->q, object.len, 1, 1, 1, 0, object.ptr);
799 break;
800 case PRIV_KEY_EXP1:
801 mpz_import(this->exp1, object.len, 1, 1, 1, 0, object.ptr);
802 break;
803 case PRIV_KEY_EXP2:
804 mpz_import(this->exp2, object.len, 1, 1, 1, 0, object.ptr);
805 break;
806 case PRIV_KEY_COEFF:
807 mpz_import(this->coeff, object.len, 1, 1, 1, 0, object.ptr);
808 break;
809 }
810 }
811 success = parser->success(parser);
812
813 end:
814 parser->destroy(parser);
815 chunk_clear(&blob);
816
817 if (!success)
818 {
819 destroy(this);
820 return NULL;
821 }
822
823 this->k = (mpz_sizeinbase(this->n, 2) + 7) / BITS_PER_BYTE;
824
825 if (!gmp_rsa_public_key_build_id(this->n, this->e,
826 &this->keyid, &this->keyid_info))
827 {
828 destroy(this);
829 return NULL;
830 }
831 if (check(this) != SUCCESS)
832 {
833 destroy(this);
834 return NULL;
835 }
836 return &this->public;
837 }
838
839 /**
840 * load private key from an OpenPGP blob coded according to section
841 */
842 static gmp_rsa_private_key_t *load_pgp(chunk_t blob)
843 {
844 mpz_t u;
845 int objectID;
846 chunk_t packet = blob;
847 private_gmp_rsa_private_key_t *this = gmp_rsa_private_key_create_empty();
848
849 mpz_init(this->n);
850 mpz_init(this->e);
851 mpz_init(this->p);
852 mpz_init(this->q);
853 mpz_init(this->d);
854 mpz_init(this->exp1);
855 mpz_init(this->exp2);
856 mpz_init(this->coeff);
857
858 for (objectID = PRIV_KEY_MODULUS; objectID <= PRIV_KEY_COEFF; objectID++)
859 {
860 chunk_t object;
861
862 switch (objectID)
863 {
864 case PRIV_KEY_PRIV_EXP:
865 {
866 pgp_sym_alg_t s2k;
867
868 /* string-to-key usage */
869 s2k = pgp_length(&packet, 1);
870 DBG2("L3 - string-to-key: %d", s2k);
871
872 if (s2k == 255 || s2k == 254)
873 {
874 DBG1("string-to-key specifiers not supported");
875 goto end;
876 }
877 DBG2(" %N", pgp_sym_alg_names, s2k);
878
879 if (s2k != PGP_SYM_ALG_PLAIN)
880 {
881 DBG1("%N encryption not supported", pgp_sym_alg_names, s2k);
882 goto end;
883 }
884 break;
885 }
886 case PRIV_KEY_EXP1:
887 case PRIV_KEY_EXP2:
888 /* not contained in OpenPGP secret key payload */
889 continue;
890 default:
891 break;
892 }
893
894 DBG2("L3 - %s:", privkeyObjects[objectID].name);
895 object.len = pgp_length(&packet, 2);
896
897 if (object.len == PGP_INVALID_LENGTH)
898 {
899 DBG1("OpenPGP length is invalid");
900 goto end;
901 }
902 object.len = (object.len + 7) / BITS_PER_BYTE;
903 if (object.len > packet.len)
904 {
905 DBG1("OpenPGP field is too short");
906 goto end;
907 }
908 object.ptr = packet.ptr;
909 packet.ptr += object.len;
910 packet.len -= object.len;
911 DBG4("%B", &object);
912
913 switch (objectID)
914 {
915 case PRIV_KEY_MODULUS:
916 mpz_import(this->n, object.len, 1, 1, 1, 0, object.ptr);
917 break;
918 case PRIV_KEY_PUB_EXP:
919 mpz_import(this->e, object.len, 1, 1, 1, 0, object.ptr);
920 break;
921 case PRIV_KEY_PRIV_EXP:
922 mpz_import(this->d, object.len, 1, 1, 1, 0, object.ptr);
923 break;
924 case PRIV_KEY_PRIME1:
925 mpz_import(this->q, object.len, 1, 1, 1, 0, object.ptr);
926 break;
927 case PRIV_KEY_PRIME2:
928 mpz_import(this->p, object.len, 1, 1, 1, 0, object.ptr);
929 break;
930 case PRIV_KEY_COEFF:
931 mpz_import(this->coeff, object.len, 1, 1, 1, 0, object.ptr);
932 break;
933 }
934 }
935
936 /* auxiliary variable */
937 mpz_init(u);
938
939 /* exp1 = d mod (p-1) */
940 mpz_sub_ui(u, this->p, 1);
941 mpz_mod(this->exp1, this->d, u);
942
943 /* exp2 = d mod (q-1) */
944 mpz_sub_ui(u, this->q, 1);
945 mpz_mod(this->exp2, this->d, u);
946
947 mpz_clear(u);
948 chunk_clear(&blob);
949
950 this->k = (mpz_sizeinbase(this->n, 2) + 7) / BITS_PER_BYTE;
951
952 if (!gmp_rsa_public_key_build_id(this->n, this->e,
953 &this->keyid, &this->keyid_info))
954 {
955 destroy(this);
956 return NULL;
957 }
958 if (check(this) != SUCCESS)
959 {
960 destroy(this);
961 return NULL;
962 }
963 return &this->public;
964
965 end:
966 chunk_clear(&blob);
967 destroy(this);
968 return NULL;
969 }
970
971 typedef struct private_builder_t private_builder_t;
972 /**
973 * Builder implementation for key loading/generation
974 */
975 struct private_builder_t {
976 /** implements the builder interface */
977 builder_t public;
978 /** loaded/generated private key */
979 gmp_rsa_private_key_t *key;
980 };
981
982 /**
983 * Implementation of builder_t.build
984 */
985 static gmp_rsa_private_key_t *build(private_builder_t *this)
986 {
987 gmp_rsa_private_key_t *key = this->key;
988
989 free(this);
990 return key;
991 }
992
993 /**
994 * Implementation of builder_t.add
995 */
996 static void add(private_builder_t *this, builder_part_t part, ...)
997 {
998 if (!this->key)
999 {
1000 va_list args;
1001 chunk_t chunk;
1002
1003 switch (part)
1004 {
1005 case BUILD_BLOB_ASN1_DER:
1006 {
1007 va_start(args, part);
1008 chunk = va_arg(args, chunk_t);
1009 this->key = load_asn1_der(chunk_clone(chunk));
1010 va_end(args);
1011 return;
1012 }
1013 case BUILD_BLOB_PGP:
1014 {
1015 va_start(args, part);
1016 chunk = va_arg(args, chunk_t);
1017 this->key = load_pgp(chunk_clone(chunk));
1018 va_end(args);
1019 return;
1020 }
1021 case BUILD_KEY_SIZE:
1022 {
1023 va_start(args, part);
1024 this->key = generate(va_arg(args, u_int));
1025 va_end(args);
1026 return;
1027 }
1028 default:
1029 break;
1030 }
1031 }
1032 if (this->key)
1033 {
1034 destroy((private_gmp_rsa_private_key_t*)this->key);
1035 }
1036 builder_cancel(&this->public);
1037 }
1038
1039 /**
1040 * Builder construction function
1041 */
1042 builder_t *gmp_rsa_private_key_builder(key_type_t type)
1043 {
1044 private_builder_t *this;
1045
1046 if (type != KEY_RSA)
1047 {
1048 return NULL;
1049 }
1050
1051 this = malloc_thing(private_builder_t);
1052
1053 this->key = NULL;
1054 this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
1055 this->public.build = (void*(*)(builder_t *this))build;
1056
1057 return &this->public;
1058 }
1059