32a72ac9600b871b47ab96e1d8ac7713f957d56b
[strongswan.git] / src / libstrongswan / plugins / gmp / gmp_rsa_public_key.c
1 /*
2 * Copyright (C) 2005-2009 Martin Willi
3 * Copyright (C) 2005 Jan Hutter
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include <gmp.h>
18 #include <sys/stat.h>
19 #include <unistd.h>
20 #include <stdio.h>
21 #include <string.h>
22
23 #include "gmp_rsa_public_key.h"
24
25 #include <utils/debug.h>
26 #include <asn1/oid.h>
27 #include <asn1/asn1.h>
28 #include <asn1/asn1_parser.h>
29 #include <crypto/hashers/hasher.h>
30
31 #ifdef HAVE_MPZ_POWM_SEC
32 # undef mpz_powm
33 # define mpz_powm mpz_powm_sec
34 #endif
35
36 typedef struct private_gmp_rsa_public_key_t private_gmp_rsa_public_key_t;
37
38 /**
39 * Private data structure with signing context.
40 */
41 struct private_gmp_rsa_public_key_t {
42 /**
43 * Public interface for this signer.
44 */
45 gmp_rsa_public_key_t public;
46
47 /**
48 * Public modulus.
49 */
50 mpz_t n;
51
52 /**
53 * Public exponent.
54 */
55 mpz_t e;
56
57 /**
58 * Keysize in bytes.
59 */
60 size_t k;
61
62 /**
63 * reference counter
64 */
65 refcount_t ref;
66 };
67
68 /**
69 * Shared functions defined in gmp_rsa_private_key.c
70 */
71 extern chunk_t gmp_mpz_to_chunk(const mpz_t value);
72
73 /**
74 * RSAEP algorithm specified in PKCS#1.
75 */
76 static chunk_t rsaep(private_gmp_rsa_public_key_t *this, chunk_t data)
77 {
78 mpz_t m, c;
79 chunk_t encrypted;
80
81 mpz_init(c);
82 mpz_init(m);
83
84 mpz_import(m, data.len, 1, 1, 1, 0, data.ptr);
85
86 mpz_powm(c, m, this->e, this->n);
87
88 encrypted.len = this->k;
89 encrypted.ptr = mpz_export(NULL, NULL, 1, encrypted.len, 1, 0, c);
90 if (encrypted.ptr == NULL)
91 {
92 encrypted.len = 0;
93 }
94
95 mpz_clear(c);
96 mpz_clear(m);
97
98 return encrypted;
99 }
100
101 /**
102 * RSAVP1 algorithm specified in PKCS#1.
103 */
104 static chunk_t rsavp1(private_gmp_rsa_public_key_t *this, chunk_t data)
105 {
106 return rsaep(this, data);
107 }
108
109 /**
110 * ASN.1 definition of digestInfo
111 */
112 static const asn1Object_t digestInfoObjects[] = {
113 { 0, "digestInfo", ASN1_SEQUENCE, ASN1_OBJ }, /* 0 */
114 { 1, "digestAlgorithm", ASN1_EOC, ASN1_RAW }, /* 1 */
115 { 1, "digest", ASN1_OCTET_STRING, ASN1_BODY }, /* 2 */
116 { 0, "exit", ASN1_EOC, ASN1_EXIT }
117 };
118 #define DIGEST_INFO 0
119 #define DIGEST_INFO_ALGORITHM 1
120 #define DIGEST_INFO_DIGEST 2
121
122 /**
123 * Verification of an EMPSA PKCS1 signature described in PKCS#1
124 */
125 static bool verify_emsa_pkcs1_signature(private_gmp_rsa_public_key_t *this,
126 hash_algorithm_t algorithm,
127 chunk_t data, chunk_t signature)
128 {
129 chunk_t em_ori, em;
130 bool success = FALSE;
131
132 /* remove any preceding 0-bytes from signature */
133 while (signature.len && *(signature.ptr) == 0x00)
134 {
135 signature = chunk_skip(signature, 1);
136 }
137
138 if (signature.len == 0 || signature.len > this->k)
139 {
140 return FALSE;
141 }
142
143 /* unpack signature */
144 em_ori = em = rsavp1(this, signature);
145
146 /* result should look like this:
147 * EM = 0x00 || 0x01 || PS || 0x00 || T.
148 * PS = 0xFF padding, with length to fill em
149 * T = oid || hash
150 */
151
152 /* check magic bytes */
153 if (*(em.ptr) != 0x00 || *(em.ptr+1) != 0x01)
154 {
155 goto end;
156 }
157 em = chunk_skip(em, 2);
158
159 /* find magic 0x00 */
160 while (em.len > 0)
161 {
162 if (*em.ptr == 0x00)
163 {
164 /* found magic byte, stop */
165 em = chunk_skip(em, 1);
166 break;
167 }
168 else if (*em.ptr != 0xFF)
169 {
170 /* bad padding, decryption failed ?!*/
171 goto end;
172 }
173 em = chunk_skip(em, 1);
174 }
175
176 if (em.len == 0)
177 {
178 /* no digestInfo found */
179 goto end;
180 }
181
182 if (algorithm == HASH_UNKNOWN)
183 { /* IKEv1 signatures without digestInfo */
184 if (em.len != data.len)
185 {
186 DBG1(DBG_LIB, "hash size in signature is %u bytes instead of"
187 " %u bytes", em.len, data.len);
188 goto end;
189 }
190 success = memeq_const(em.ptr, data.ptr, data.len);
191 }
192 else
193 { /* IKEv2 and X.509 certificate signatures */
194 asn1_parser_t *parser;
195 chunk_t object;
196 int objectID;
197 hash_algorithm_t hash_algorithm = HASH_UNKNOWN;
198
199 DBG2(DBG_LIB, "signature verification:");
200 parser = asn1_parser_create(digestInfoObjects, em);
201
202 while (parser->iterate(parser, &objectID, &object))
203 {
204 switch (objectID)
205 {
206 case DIGEST_INFO:
207 {
208 if (em.len > object.len)
209 {
210 DBG1(DBG_LIB, "digestInfo field in signature is"
211 " followed by %u surplus bytes",
212 em.len - object.len);
213 goto end_parser;
214 }
215 break;
216 }
217 case DIGEST_INFO_ALGORITHM:
218 {
219 int hash_oid = asn1_parse_algorithmIdentifier(object,
220 parser->get_level(parser)+1, NULL);
221
222 hash_algorithm = hasher_algorithm_from_oid(hash_oid);
223 if (hash_algorithm == HASH_UNKNOWN || hash_algorithm != algorithm)
224 {
225 DBG1(DBG_LIB, "expected hash algorithm %N, but found"
226 " %N (OID: %#B)", hash_algorithm_names, algorithm,
227 hash_algorithm_names, hash_algorithm, &object);
228 goto end_parser;
229 }
230 break;
231 }
232 case DIGEST_INFO_DIGEST:
233 {
234 chunk_t hash;
235 hasher_t *hasher;
236
237 hasher = lib->crypto->create_hasher(lib->crypto, hash_algorithm);
238 if (hasher == NULL)
239 {
240 DBG1(DBG_LIB, "hash algorithm %N not supported",
241 hash_algorithm_names, hash_algorithm);
242 goto end_parser;
243 }
244
245 if (object.len != hasher->get_hash_size(hasher))
246 {
247 DBG1(DBG_LIB, "hash size in signature is %u bytes"
248 " instead of %u bytes", object.len,
249 hasher->get_hash_size(hasher));
250 hasher->destroy(hasher);
251 goto end_parser;
252 }
253
254 /* build our own hash and compare */
255 if (!hasher->allocate_hash(hasher, data, &hash))
256 {
257 hasher->destroy(hasher);
258 goto end_parser;
259 }
260 hasher->destroy(hasher);
261 success = memeq_const(object.ptr, hash.ptr, hash.len);
262 free(hash.ptr);
263 break;
264 }
265 default:
266 break;
267 }
268 }
269
270 end_parser:
271 success &= parser->success(parser);
272 parser->destroy(parser);
273 }
274
275 end:
276 free(em_ori.ptr);
277 return success;
278 }
279
280 METHOD(public_key_t, get_type, key_type_t,
281 private_gmp_rsa_public_key_t *this)
282 {
283 return KEY_RSA;
284 }
285
286 METHOD(public_key_t, verify, bool,
287 private_gmp_rsa_public_key_t *this, signature_scheme_t scheme,
288 chunk_t data, chunk_t signature)
289 {
290 switch (scheme)
291 {
292 case SIGN_RSA_EMSA_PKCS1_NULL:
293 return verify_emsa_pkcs1_signature(this, HASH_UNKNOWN, data, signature);
294 case SIGN_RSA_EMSA_PKCS1_SHA2_224:
295 return verify_emsa_pkcs1_signature(this, HASH_SHA224, data, signature);
296 case SIGN_RSA_EMSA_PKCS1_SHA2_256:
297 return verify_emsa_pkcs1_signature(this, HASH_SHA256, data, signature);
298 case SIGN_RSA_EMSA_PKCS1_SHA2_384:
299 return verify_emsa_pkcs1_signature(this, HASH_SHA384, data, signature);
300 case SIGN_RSA_EMSA_PKCS1_SHA2_512:
301 return verify_emsa_pkcs1_signature(this, HASH_SHA512, data, signature);
302 case SIGN_RSA_EMSA_PKCS1_SHA3_224:
303 return verify_emsa_pkcs1_signature(this, HASH_SHA3_224, data, signature);
304 case SIGN_RSA_EMSA_PKCS1_SHA3_256:
305 return verify_emsa_pkcs1_signature(this, HASH_SHA3_256, data, signature);
306 case SIGN_RSA_EMSA_PKCS1_SHA3_384:
307 return verify_emsa_pkcs1_signature(this, HASH_SHA3_384, data, signature);
308 case SIGN_RSA_EMSA_PKCS1_SHA3_512:
309 return verify_emsa_pkcs1_signature(this, HASH_SHA3_512, data, signature);
310 case SIGN_RSA_EMSA_PKCS1_SHA1:
311 return verify_emsa_pkcs1_signature(this, HASH_SHA1, data, signature);
312 case SIGN_RSA_EMSA_PKCS1_MD5:
313 return verify_emsa_pkcs1_signature(this, HASH_MD5, data, signature);
314 default:
315 DBG1(DBG_LIB, "signature scheme %N not supported in RSA",
316 signature_scheme_names, scheme);
317 return FALSE;
318 }
319 }
320
321 #define MIN_PS_PADDING 8
322
323 METHOD(public_key_t, encrypt_, bool,
324 private_gmp_rsa_public_key_t *this, encryption_scheme_t scheme,
325 chunk_t plain, chunk_t *crypto)
326 {
327 chunk_t em;
328 u_char *pos;
329 int padding;
330 rng_t *rng;
331
332 if (scheme != ENCRYPT_RSA_PKCS1)
333 {
334 DBG1(DBG_LIB, "encryption scheme %N not supported",
335 encryption_scheme_names, scheme);
336 return FALSE;
337 }
338 /* number of pseudo-random padding octets */
339 padding = this->k - plain.len - 3;
340 if (padding < MIN_PS_PADDING)
341 {
342 DBG1(DBG_LIB, "pseudo-random padding must be at least %d octets",
343 MIN_PS_PADDING);
344 return FALSE;
345 }
346 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
347 if (rng == NULL)
348 {
349 DBG1(DBG_LIB, "no random generator available");
350 return FALSE;
351 }
352
353 /* padding according to PKCS#1 7.2.1 (RSAES-PKCS1-v1.5-ENCRYPT) */
354 DBG2(DBG_LIB, "padding %u bytes of data to the rsa modulus size of"
355 " %u bytes", plain.len, this->k);
356 em.len = this->k;
357 em.ptr = malloc(em.len);
358 pos = em.ptr;
359 *pos++ = 0x00;
360 *pos++ = 0x02;
361
362 /* fill with pseudo random octets */
363 if (!rng_get_bytes_not_zero(rng, padding, pos, TRUE))
364 {
365 DBG1(DBG_LIB, "failed to allocate padding");
366 chunk_clear(&em);
367 rng->destroy(rng);
368 return FALSE;
369 }
370 rng->destroy(rng);
371
372 pos += padding;
373
374 /* append the padding terminator */
375 *pos++ = 0x00;
376
377 /* now add the data */
378 memcpy(pos, plain.ptr, plain.len);
379 DBG3(DBG_LIB, "padded data before rsa encryption: %B", &em);
380
381 /* rsa encryption using PKCS#1 RSAEP */
382 *crypto = rsaep(this, em);
383 DBG3(DBG_LIB, "rsa encrypted data: %B", crypto);
384 chunk_clear(&em);
385 return TRUE;
386 }
387
388 METHOD(public_key_t, get_keysize, int,
389 private_gmp_rsa_public_key_t *this)
390 {
391 return mpz_sizeinbase(this->n, 2);
392 }
393
394 METHOD(public_key_t, get_encoding, bool,
395 private_gmp_rsa_public_key_t *this, cred_encoding_type_t type,
396 chunk_t *encoding)
397 {
398 chunk_t n, e;
399 bool success;
400
401 n = gmp_mpz_to_chunk(this->n);
402 e = gmp_mpz_to_chunk(this->e);
403
404 success = lib->encoding->encode(lib->encoding, type, NULL, encoding,
405 CRED_PART_RSA_MODULUS, n, CRED_PART_RSA_PUB_EXP, e, CRED_PART_END);
406 chunk_free(&n);
407 chunk_free(&e);
408
409 return success;
410 }
411
412 METHOD(public_key_t, get_fingerprint, bool,
413 private_gmp_rsa_public_key_t *this, cred_encoding_type_t type, chunk_t *fp)
414 {
415 chunk_t n, e;
416 bool success;
417
418 if (lib->encoding->get_cache(lib->encoding, type, this, fp))
419 {
420 return TRUE;
421 }
422 n = gmp_mpz_to_chunk(this->n);
423 e = gmp_mpz_to_chunk(this->e);
424
425 success = lib->encoding->encode(lib->encoding, type, this, fp,
426 CRED_PART_RSA_MODULUS, n, CRED_PART_RSA_PUB_EXP, e, CRED_PART_END);
427 chunk_free(&n);
428 chunk_free(&e);
429
430 return success;
431 }
432
433 METHOD(public_key_t, get_ref, public_key_t*,
434 private_gmp_rsa_public_key_t *this)
435 {
436 ref_get(&this->ref);
437 return &this->public.key;
438 }
439
440 METHOD(public_key_t, destroy, void,
441 private_gmp_rsa_public_key_t *this)
442 {
443 if (ref_put(&this->ref))
444 {
445 mpz_clear(this->n);
446 mpz_clear(this->e);
447 lib->encoding->clear_cache(lib->encoding, this);
448 free(this);
449 }
450 }
451
452 /**
453 * See header.
454 */
455 gmp_rsa_public_key_t *gmp_rsa_public_key_load(key_type_t type, va_list args)
456 {
457 private_gmp_rsa_public_key_t *this;
458 chunk_t n, e;
459
460 n = e = chunk_empty;
461 while (TRUE)
462 {
463 switch (va_arg(args, builder_part_t))
464 {
465 case BUILD_RSA_MODULUS:
466 n = va_arg(args, chunk_t);
467 continue;
468 case BUILD_RSA_PUB_EXP:
469 e = va_arg(args, chunk_t);
470 continue;
471 case BUILD_END:
472 break;
473 default:
474 return NULL;
475 }
476 break;
477 }
478 if (!e.len || !n.len || (n.ptr[n.len-1] & 0x01) == 0)
479 {
480 return NULL;
481 }
482
483 INIT(this,
484 .public = {
485 .key = {
486 .get_type = _get_type,
487 .verify = _verify,
488 .encrypt = _encrypt_,
489 .equals = public_key_equals,
490 .get_keysize = _get_keysize,
491 .get_fingerprint = _get_fingerprint,
492 .has_fingerprint = public_key_has_fingerprint,
493 .get_encoding = _get_encoding,
494 .get_ref = _get_ref,
495 .destroy = _destroy,
496 },
497 },
498 .ref = 1,
499 );
500
501 mpz_init(this->n);
502 mpz_init(this->e);
503
504 mpz_import(this->n, n.len, 1, 1, 1, 0, n.ptr);
505 mpz_import(this->e, e.len, 1, 1, 1, 0, e.ptr);
506
507 this->k = (mpz_sizeinbase(this->n, 2) + 7) / BITS_PER_BYTE;
508
509 if (!mpz_sgn(this->e))
510 {
511 destroy(this);
512 return NULL;
513 }
514 return &this->public;
515 }