projects / strongswan.git / blob
? search:


ce65cddb4fc6830046f0f2342e6204205de63453
[strongswan.git] / src / libstrongswan / plugins / openssl / openssl_rsa_private_key.c
1 /*
2 * Copyright (C) 2009 Martin Willi
3 * Copyright (C) 2008 Tobias Brunner
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include "openssl_rsa_private_key.h"
18 #include "openssl_rsa_public_key.h"
19
20 #include <debug.h>
21
22 #include <openssl/evp.h>
23 #include <openssl/rsa.h>
24 #include <openssl/engine.h>
25
26 /**
27 * Public exponent to use for key generation.
28 */
29 #define PUBLIC_EXPONENT 0x10001
30
31 typedef struct private_openssl_rsa_private_key_t private_openssl_rsa_private_key_t;
32
33 /**
34 * Private data of a openssl_rsa_private_key_t object.
35 */
36 struct private_openssl_rsa_private_key_t {
37 /**
38 * Public interface for this signer.
39 */
40 openssl_rsa_private_key_t public;
41
42 /**
43 * RSA object from OpenSSL
44 */
45 RSA *rsa;
46
47 /**
48 * TRUE if the key is from an OpenSSL ENGINE and might not be readable
49 */
50 bool engine;
51
52 /**
53 * reference count
54 */
55 refcount_t ref;
56 };
57
58 /* implemented in rsa public key */
59 bool openssl_rsa_fingerprint(RSA *rsa, key_encoding_type_t type, chunk_t *fp);
60
61 /**
62 * Build an EMPSA PKCS1 signature described in PKCS#1
63 */
64 static bool build_emsa_pkcs1_signature(private_openssl_rsa_private_key_t *this,
65 int type, chunk_t data, chunk_t *sig)
66 {
67 bool success = FALSE;
68
69 *sig = chunk_alloc(RSA_size(this->rsa));
70
71 if (type == NID_undef)
72 {
73 if (RSA_private_encrypt(data.len, data.ptr, sig->ptr, this->rsa,
74 RSA_PKCS1_PADDING) == sig->len)
75 {
76 success = TRUE;
77 }
78 }
79 else
80 {
81 EVP_MD_CTX *ctx;
82 EVP_PKEY *key;
83 const EVP_MD *hasher;
84 u_int len;
85
86 hasher = EVP_get_digestbynid(type);
87 if (!hasher)
88 {
89 return FALSE;
90 }
91
92 ctx = EVP_MD_CTX_create();
93 key = EVP_PKEY_new();
94 if (!ctx || !key)
95 {
96 goto error;
97 }
98 if (!EVP_PKEY_set1_RSA(key, this->rsa))
99 {
100 goto error;
101 }
102 if (!EVP_SignInit_ex(ctx, hasher, NULL))
103 {
104 goto error;
105 }
106 if (!EVP_SignUpdate(ctx, data.ptr, data.len))
107 {
108 goto error;
109 }
110 if (EVP_SignFinal(ctx, sig->ptr, &len, key))
111 {
112 success = TRUE;
113 }
114
115 error:
116 if (key)
117 {
118 EVP_PKEY_free(key);
119 }
120 if (ctx)
121 {
122 EVP_MD_CTX_destroy(ctx);
123 }
124 }
125 if (!success)
126 {
127 free(sig->ptr);
128 }
129 return success;
130 }
131
132 /**
133 * Implementation of openssl_rsa_private_key.get_type.
134 */
135 static key_type_t get_type(private_openssl_rsa_private_key_t *this)
136 {
137 return KEY_RSA;
138 }
139
140 /**
141 * Implementation of openssl_rsa_private_key.sign.
142 */
143 static bool sign(private_openssl_rsa_private_key_t *this, signature_scheme_t scheme,
144 chunk_t data, chunk_t *signature)
145 {
146 switch (scheme)
147 {
148 case SIGN_RSA_EMSA_PKCS1_NULL:
149 return build_emsa_pkcs1_signature(this, NID_undef, data, signature);
150 case SIGN_RSA_EMSA_PKCS1_SHA1:
151 return build_emsa_pkcs1_signature(this, NID_sha1, data, signature);
152 case SIGN_RSA_EMSA_PKCS1_SHA224:
153 return build_emsa_pkcs1_signature(this, NID_sha224, data, signature);
154 case SIGN_RSA_EMSA_PKCS1_SHA256:
155 return build_emsa_pkcs1_signature(this, NID_sha256, data, signature);
156 case SIGN_RSA_EMSA_PKCS1_SHA384:
157 return build_emsa_pkcs1_signature(this, NID_sha384, data, signature);
158 case SIGN_RSA_EMSA_PKCS1_SHA512:
159 return build_emsa_pkcs1_signature(this, NID_sha512, data, signature);
160 case SIGN_RSA_EMSA_PKCS1_MD5:
161 return build_emsa_pkcs1_signature(this, NID_md5, data, signature);
162 default:
163 DBG1("signature scheme %N not supported in RSA",
164 signature_scheme_names, scheme);
165 return FALSE;
166 }
167 }
168
169 /**
170 * Implementation of openssl_rsa_private_key.decrypt.
171 */
172 static bool decrypt(private_openssl_rsa_private_key_t *this,
173 chunk_t crypto, chunk_t *plain)
174 {
175 DBG1("RSA private key decryption not implemented");
176 return FALSE;
177 }
178
179 /**
180 * Implementation of openssl_rsa_private_key.get_keysize.
181 */
182 static size_t get_keysize(private_openssl_rsa_private_key_t *this)
183 {
184 return RSA_size(this->rsa);
185 }
186
187 /**
188 * Implementation of openssl_rsa_private_key.get_public_key.
189 */
190 static public_key_t* get_public_key(private_openssl_rsa_private_key_t *this)
191 {
192 chunk_t enc;
193 public_key_t *key;
194 u_char *p;
195
196 enc = chunk_alloc(i2d_RSAPublicKey(this->rsa, NULL));
197 p = enc.ptr;
198 i2d_RSAPublicKey(this->rsa, &p);
199 key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
200 BUILD_BLOB_ASN1_DER, enc, BUILD_END);
201 free(enc.ptr);
202 return key;
203 }
204
205 /**
206 * Implementation of public_key_t.get_fingerprint.
207 */
208 static bool get_fingerprint(private_openssl_rsa_private_key_t *this,
209 key_encoding_type_t type, chunk_t *fingerprint)
210 {
211 return openssl_rsa_fingerprint(this->rsa, type, fingerprint);
212 }
213
214 /*
215 * Implementation of public_key_t.get_encoding.
216 */
217 static bool get_encoding(private_openssl_rsa_private_key_t *this,
218 key_encoding_type_t type, chunk_t *encoding)
219 {
220 u_char *p;
221
222 if (this->engine)
223 {
224 return FALSE;
225 }
226 switch (type)
227 {
228 case KEY_PRIV_ASN1_DER:
229 {
230 *encoding = chunk_alloc(i2d_RSAPrivateKey(this->rsa, NULL));
231 p = encoding->ptr;
232 i2d_RSAPrivateKey(this->rsa, &p);
233 return TRUE;
234 }
235 default:
236 return FALSE;
237 }
238 }
239
240 /**
241 * Implementation of openssl_rsa_private_key.get_ref.
242 */
243 static private_openssl_rsa_private_key_t* get_ref(private_openssl_rsa_private_key_t *this)
244 {
245 ref_get(&this->ref);
246 return this;
247 }
248
249 /**
250 * Implementation of openssl_rsa_private_key.destroy.
251 */
252 static void destroy(private_openssl_rsa_private_key_t *this)
253 {
254 if (ref_put(&this->ref))
255 {
256 if (this->rsa)
257 {
258 lib->encoding->clear_cache(lib->encoding, this->rsa);
259 RSA_free(this->rsa);
260 }
261 free(this);
262 }
263 }
264
265 /**
266 * Internal generic constructor
267 */
268 static private_openssl_rsa_private_key_t *create_empty(void)
269 {
270 private_openssl_rsa_private_key_t *this = malloc_thing(private_openssl_rsa_private_key_t);
271
272 this->public.interface.get_type = (key_type_t (*) (private_key_t*))get_type;
273 this->public.interface.sign = (bool (*) (private_key_t*, signature_scheme_t, chunk_t, chunk_t*))sign;
274 this->public.interface.decrypt = (bool (*) (private_key_t*, chunk_t, chunk_t*))decrypt;
275 this->public.interface.get_keysize = (size_t (*) (private_key_t*))get_keysize;
276 this->public.interface.get_public_key = (public_key_t* (*) (private_key_t*))get_public_key;
277 this->public.interface.equals = private_key_equals;
278 this->public.interface.belongs_to = private_key_belongs_to;
279 this->public.interface.get_fingerprint = (bool(*)(private_key_t*, key_encoding_type_t type, chunk_t *fp))get_fingerprint;
280 this->public.interface.get_encoding = (bool(*)(private_key_t*, key_encoding_type_t type, chunk_t *encoding))get_encoding;
281 this->public.interface.get_ref = (private_key_t* (*) (private_key_t*))get_ref;
282 this->public.interface.destroy = (void (*) (private_key_t*))destroy;
283
284 this->engine = FALSE;
285 this->ref = 1;
286
287 return this;
288 }
289
290 /**
291 * See header.
292 */
293 openssl_rsa_private_key_t *openssl_rsa_private_key_gen(key_type_t type,
294 va_list args)
295 {
296 private_openssl_rsa_private_key_t *this;
297 u_int key_size = 0;
298
299 while (TRUE)
300 {
301 switch (va_arg(args, builder_part_t))
302 {
303 case BUILD_KEY_SIZE:
304 key_size = va_arg(args, u_int);
305 continue;
306 case BUILD_END:
307 break;
308 default:
309 return NULL;
310 }
311 break;
312 }
313 if (!key_size)
314 {
315 return NULL;
316 }
317 this = create_empty();
318 this->rsa = RSA_generate_key(key_size, PUBLIC_EXPONENT, NULL, NULL);
319
320 return &this->public;
321 }
322
323 /**
324 * See header
325 */
326 openssl_rsa_private_key_t *openssl_rsa_private_key_load(key_type_t type,
327 va_list args)
328 {
329 private_openssl_rsa_private_key_t *this;
330 chunk_t blob = chunk_empty;
331
332 while (TRUE)
333 {
334 switch (va_arg(args, builder_part_t))
335 {
336 case BUILD_BLOB_ASN1_DER:
337 blob = va_arg(args, chunk_t);
338 continue;
339 case BUILD_END:
340 break;
341 default:
342 return NULL;
343 }
344 break;
345 }
346
347 this = create_empty();
348 this->rsa = d2i_RSAPrivateKey(NULL, (const u_char**)&blob.ptr, blob.len);
349 if (!this->rsa)
350 {
351 destroy(this);
352 return NULL;
353 }
354 if (!RSA_check_key(this->rsa))
355 {
356 destroy(this);
357 return NULL;
358 }
359 return &this->public;
360 }
361
362 /**
363 * See header.
364 */
365 openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type,
366 va_list args)
367 {
368 private_openssl_rsa_private_key_t *this;
369 char *keyid = NULL, *pin = NULL;
370 EVP_PKEY *key;
371 char *engine_id;
372 ENGINE *engine;
373
374 while (TRUE)
375 {
376 switch (va_arg(args, builder_part_t))
377 {
378 case BUILD_SMARTCARD_KEYID:
379 keyid = va_arg(args, char*);
380 continue;
381 case BUILD_SMARTCARD_PIN:
382 pin = va_arg(args, char*);
383 continue;
384 case BUILD_END:
385 break;
386 default:
387 return NULL;
388 }
389 break;
390 }
391 if (!keyid || !pin)
392 {
393 return NULL;
394 }
395
396 engine_id = lib->settings->get_str(lib->settings,
397 "library.plugins.openssl.engine_id", "pkcs11");
398 engine = ENGINE_by_id(engine_id);
399 if (!engine)
400 {
401 DBG1("engine '%s' is not available", engine_id);
402 return NULL;
403 }
404 if (!ENGINE_init(engine))
405 {
406 DBG1("failed to initialize engine '%s'", engine_id);
407 ENGINE_free(engine);
408 return NULL;
409 }
410 if (!ENGINE_ctrl_cmd_string(engine, "PIN", pin, 0))
411 {
412 DBG1("failed to set PIN on engine '%s'", engine_id);
413 ENGINE_free(engine);
414 return NULL;
415 }
416
417 key = ENGINE_load_private_key(engine, keyid, NULL, NULL);
418 if (!key)
419 {
420 DBG1("failed to load private key with ID '%s' from engine '%s'",
421 keyid, engine_id);
422 ENGINE_free(engine);
423 return NULL;
424 }
425 ENGINE_free(engine);
426
427 this = create_empty();
428 this->rsa = EVP_PKEY_get1_RSA(key);
429 this->engine = TRUE;
430
431 return &this->public;
432 }
433
strongSwan - IPsec VPN