Use bits instead of bytes for a private/public key
authorMartin Willi <martin@revosec.ch>
Tue, 10 Aug 2010 13:56:10 +0000 (15:56 +0200)
committerMartin Willi <martin@revosec.ch>
Tue, 10 Aug 2010 16:46:30 +0000 (18:46 +0200)
24 files changed:
scripts/key2keyid.c
scripts/pubkey_speed.c
src/libcharon/plugins/stroke/stroke_list.c
src/libcharon/plugins/unit_tester/tests/test_rsa_gen.c
src/libcharon/sa/authenticators/pubkey_authenticator.c
src/libstrongswan/credentials/keys/private_key.h
src/libstrongswan/credentials/keys/public_key.h
src/libstrongswan/plugins/agent/agent_private_key.c
src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c
src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c
src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c
src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c
src/pki/commands/print.c
src/pluto/certs.c
src/pluto/ike_alg.c
src/pluto/keys.c
src/pluto/x509.c
src/scepclient/scepclient.c

index 551d031..6a8301c 100644 (file)
@@ -35,7 +35,7 @@ int main(int argc, char *argv[])
        if (private)
        {
                printf("parsed %d bits %N private key.\n",
-                          private->get_keysize(private)*8,
+                          private->get_keysize(private),
                           key_type_names, private->get_type(private));
                if (private->get_fingerprint(private, KEYID_PUBKEY_INFO_SHA1, &chunk))
                {
@@ -65,7 +65,7 @@ int main(int argc, char *argv[])
        if (public)
        {
                printf("parsed %d bits %N public key.\n",
-                          public->get_keysize(public)*8,
+                          public->get_keysize(public),
                           key_type_names, public->get_type(public));
                if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &chunk))
                {
index 255f650..6402e60 100644 (file)
@@ -79,23 +79,23 @@ int main(int argc, char *argv[])
        {
                switch (private->get_keysize(private))
                {
-                       case 32:
+                       case 256:
                                scheme = SIGN_ECDSA_256;
                                break;
-                       case 48:
+                       case 384:
                                scheme = SIGN_ECDSA_384;
                                break;
-                       case 66:
+                       case 521:
                                scheme = SIGN_ECDSA_521;
                                break;
                        default:
                                printf("%d bit ECDSA private key size not supported",
-                                               private->get_keysize(private) * 8);
+                                               private->get_keysize(private));
                                exit(1);
                }
        }
 
-       printf("%4d bit %N: ", private->get_keysize(private)*8,
+       printf("%4d bit %N: ", private->get_keysize(private),
                key_type_names, type);
 
        sigs = malloc(sizeof(chunk_t) * rounds);
index a6de354..f4ffa94 100644 (file)
@@ -638,7 +638,7 @@ static void list_public_key(public_key_t *public, FILE *out)
 
        fprintf(out, "  pubkey:    %N %d bits%s\n",
                        key_type_names, public->get_type(public),
-                       public->get_keysize(public) * 8,
+                       public->get_keysize(public),
                        private ? ", has private key" : "");
        if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &keyid))
        {
index 43688f6..6ba5769 100644 (file)
@@ -110,7 +110,7 @@ bool test_rsa_load_any()
        public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
                                                                BUILD_BLOB_ASN1_DER, chunk,
                                                                BUILD_END);
-       if (!public || public->get_keysize(public) != 256)
+       if (!public || public->get_keysize(public) != 2048)
        {
                return FALSE;
        }
index 3c67f6d..54b4338 100644 (file)
@@ -84,15 +84,15 @@ static status_t build(private_pubkey_authenticator_t *this, message_t *message)
                        /* we try to deduct the signature scheme from the keysize */
                        switch (private->get_keysize(private))
                        {
-                               case 32:
+                               case 256:
                                        scheme = SIGN_ECDSA_256;
                                        auth_method = AUTH_ECDSA_256;
                                        break;
-                               case 48:
+                               case 384:
                                        scheme = SIGN_ECDSA_384;
                                        auth_method = AUTH_ECDSA_384;
                                        break;
-                               case 66:
+                               case 521:
                                        scheme = SIGN_ECDSA_521;
                                        auth_method = AUTH_ECDSA_521;
                                        break;
index cec920b..e57d3f5 100644 (file)
@@ -60,11 +60,11 @@ struct private_key_t {
                                        chunk_t crypto, chunk_t *plain);
 
        /**
-        * Get the strength of the key in bytes.
+        * Get the strength of the key in bits.
         *
-        * @return                      strength of the key in bytes
+        * @return                      strength of the key in bits
         */
-       size_t (*get_keysize) (private_key_t *this);
+       int (*get_keysize) (private_key_t *this);
 
        /**
         * Get the public part from the private key.
index 3b45b6c..d20d273 100644 (file)
@@ -165,11 +165,11 @@ struct public_key_t {
        bool (*equals)(public_key_t *this, public_key_t *other);
 
        /**
-        * Get the strength of the key in bytes.
+        * Get the strength of the key in bits.
         *
-        * @return                      strength of the key in bytes
+        * @return                      strength of the key in bits
         */
-       size_t (*get_keysize) (public_key_t *this);
+       int (*get_keysize) (public_key_t *this);
 
        /**
         * Get the fingerprint of the key.
index 7fc840f..31f0b07 100644 (file)
@@ -306,10 +306,10 @@ METHOD(private_key_t, decrypt, bool,
        return FALSE;
 }
 
-METHOD(private_key_t, get_keysize, size_t,
+METHOD(private_key_t, get_keysize, int,
        private_agent_private_key_t *this)
 {
-       return this->key_size;
+       return this->key_size * 8;
 }
 
 METHOD(private_key_t, get_public_key, public_key_t*,
index 63002d2..2d9baa4 100644 (file)
@@ -277,10 +277,10 @@ METHOD(private_key_t, decrypt, bool,
        return TRUE;
 }
 
-METHOD(private_key_t, get_keysize, size_t,
+METHOD(private_key_t, get_keysize, int,
        private_gcrypt_rsa_private_key_t *this)
 {
-       return gcry_pk_get_nbits(this->key) / 8;
+       return gcry_pk_get_nbits(this->key);
 }
 
 METHOD(private_key_t, get_public_key, public_key_t*,
index 7eae594..a49a6e5 100644 (file)
@@ -228,10 +228,10 @@ METHOD(public_key_t, encrypt_, bool,
        return !!encrypted->len;
 }
 
-METHOD(public_key_t, get_keysize, size_t,
+METHOD(public_key_t, get_keysize, int,
        private_gcrypt_rsa_public_key_t *this)
 {
-       return gcry_pk_get_nbits(this->key) / 8;
+       return gcry_pk_get_nbits(this->key);
 }
 
 METHOD(public_key_t, get_encoding, bool,
index e21e713..5001a87 100644 (file)
@@ -250,7 +250,7 @@ static bool build_emsa_pkcs1_signature(private_gmp_rsa_private_key_t *this,
        {
                free(digestInfo.ptr);
                DBG1(DBG_LIB, "unable to sign %d bytes using a %dbit key", data.len,
-                        this->k * 8);
+                        mpz_sizeinbase(this->n, 2));
                return FALSE;
        }
 
@@ -356,10 +356,10 @@ end:
        return success;
 }
 
-METHOD(private_key_t, get_keysize, size_t,
+METHOD(private_key_t, get_keysize, int,
        private_gmp_rsa_private_key_t *this)
 {
-       return this->k;
+       return mpz_sizeinbase(this->n, 2);
 }
 
 METHOD(private_key_t, get_public_key, public_key_t*,
index 762238f..4beeaa5 100644 (file)
@@ -375,10 +375,10 @@ METHOD(public_key_t, encrypt_, bool,
        return TRUE;
 }
 
-METHOD(public_key_t, get_keysize, size_t,
+METHOD(public_key_t, get_keysize, int,
        private_gmp_rsa_public_key_t *this)
 {
-       return this->k;
+       return mpz_sizeinbase(this->n, 2);
 }
 
 METHOD(public_key_t, get_encoding, bool,
index ffd9ac6..15b0f57 100644 (file)
@@ -178,10 +178,20 @@ METHOD(private_key_t, decrypt, bool,
        return FALSE;
 }
 
-METHOD(private_key_t, get_keysize, size_t,
+METHOD(private_key_t, get_keysize, int,
        private_openssl_ec_private_key_t *this)
 {
-       return EC_FIELD_ELEMENT_LEN(EC_KEY_get0_group(this->ec));
+       switch (EC_GROUP_get_curve_name(EC_KEY_get0_group(this->ec)))
+       {
+               case NID_X9_62_prime256v1:
+                       return 256;
+               case NID_secp384r1:
+                       return 384;
+               case NID_secp521r1:
+                       return 521;
+               default:
+                       return 0;
+       }
 }
 
 METHOD(private_key_t, get_type, key_type_t,
index 1625717..f680749 100644 (file)
@@ -176,10 +176,20 @@ METHOD(public_key_t, encrypt, bool,
        return FALSE;
 }
 
-METHOD(public_key_t, get_keysize, size_t,
+METHOD(public_key_t, get_keysize, int,
        private_openssl_ec_public_key_t *this)
 {
-       return EC_FIELD_ELEMENT_LEN(EC_KEY_get0_group(this->ec));
+       switch (EC_GROUP_get_curve_name(EC_KEY_get0_group(this->ec)))
+       {
+               case NID_X9_62_prime256v1:
+                       return 256;
+               case NID_secp384r1:
+                       return 384;
+               case NID_secp521r1:
+                       return 521;
+               default:
+                       return 0;
+       }
 }
 
 /**
index 291acb0..dbf990e 100644 (file)
@@ -173,10 +173,10 @@ METHOD(private_key_t, decrypt, bool,
        return FALSE;
 }
 
-METHOD(private_key_t, get_keysize, size_t,
+METHOD(private_key_t, get_keysize, int,
        private_openssl_rsa_private_key_t *this)
 {
-       return RSA_size(this->rsa);
+       return RSA_size(this->rsa) * 8;
 }
 
 METHOD(private_key_t, get_public_key, public_key_t*,
index e3ce66d..80a5710 100644 (file)
@@ -155,10 +155,10 @@ METHOD(public_key_t, encrypt, bool,
        return FALSE;
 }
 
-METHOD(public_key_t, get_keysize, size_t,
+METHOD(public_key_t, get_keysize, int,
        private_openssl_rsa_public_key_t *this)
 {
-       return RSA_size(this->rsa);
+       return RSA_size(this->rsa) * 8;
 }
 
 /**
index 87ef89e..52a9e09 100644 (file)
@@ -80,7 +80,7 @@ METHOD(private_key_t, get_type, key_type_t,
        return this->pubkey->get_type(this->pubkey);
 }
 
-METHOD(private_key_t, get_keysize, size_t,
+METHOD(private_key_t, get_keysize, int,
        private_pkcs11_private_key_t *this)
 {
        return this->pubkey->get_keysize(this->pubkey);
@@ -178,7 +178,7 @@ METHOD(private_key_t, sign, bool,
                DBG1(DBG_LIB, "C_SignInit() failed: %N", ck_rv_names, rv);
                return FALSE;
        }
-       len = get_keysize(this);
+       len = (get_keysize(this) + 7) / 8;
        buf = malloc(len);
        rv = this->lib->f->C_Sign(this->session, data.ptr, data.len, buf, &len);
        this->mutex->unlock(this->mutex);
index 468c2bb..affd8ca 100644 (file)
@@ -125,10 +125,10 @@ METHOD(public_key_t, encrypt, bool,
        return FALSE;
 }
 
-METHOD(public_key_t, get_keysize, size_t,
+METHOD(public_key_t, get_keysize, int,
        private_pkcs11_public_key_t *this)
 {
-       return this->k;
+       return this->k * 8;
 }
 
 /**
index 6d54627..1f449de 100644 (file)
@@ -29,7 +29,7 @@ static void print_pubkey(public_key_t *key)
        chunk_t chunk;
 
        printf("pubkey:    %N %d bits\n", key_type_names, key->get_type(key),
-                  key->get_keysize(key) * 8);
+                  key->get_keysize(key));
        if (key->get_fingerprint(key, KEYID_PUBKEY_INFO_SHA1, &chunk))
        {
                printf("keyid:     %#B\n", &chunk);
index 414f243..a9179c4 100644 (file)
@@ -232,7 +232,7 @@ void list_pgp_end_certs(bool utc)
 
                                whack_log(RC_COMMENT, "  pubkey:    %N %4d bits%s",
                                                key_type_names, key->get_type(key),
-                                               key->get_keysize(key) * BITS_PER_BYTE,
+                                               key->get_keysize(key),
                                                has_private_key(cert)? ", has private key" : "");
                                if (key->get_fingerprint(key, KEYID_PUBKEY_INFO_SHA1, &keyid))
                                {
index 7521dd3..0835390 100644 (file)
@@ -194,18 +194,16 @@ struct db_context *ike_alg_db_new(connection_t *c, lset_t policy)
 
                if (policy & POLICY_PUBKEY)
                {
-                       int auth_method = 0;
-                       size_t key_size = 0;
+                       int auth_method = 0, key_size = 0;
                        key_type_t key_type = KEY_ANY;
 
-
                        if (c->spd.this.cert)
                        {
                                certificate_t *certificate = c->spd.this.cert->cert;
                                public_key_t *key = certificate->get_public_key(certificate);
 
                                if (key == NULL)
-                               {                               
+                               {
                                        plog("ike alg: unable to retrieve my public key");
                                        continue;
                                }
@@ -233,13 +231,13 @@ struct db_context *ike_alg_db_new(connection_t *c, lset_t policy)
                                case KEY_ECDSA:
                                        switch (key_size)
                                        {
-                                               case 32:
+                                               case 256:
                                                        auth_method = OAKLEY_ECDSA_256;
                                                        break;
-                                               case 48:
+                                               case 384:
                                                        auth_method = OAKLEY_ECDSA_384;
                                                        break;
-                                               case 66:
+                                               case 521:
                                                        auth_method = OAKLEY_ECDSA_521;
                                                        break;
                                                default:
index 12a3ccf..a79c2c0 100644 (file)
@@ -1449,7 +1449,7 @@ void list_public_keys(bool utc)
                whack_log(RC_COMMENT, "  identity: '%Y'", key->id);
                whack_log(RC_COMMENT, "  pubkey:    %N %4d bits, until %T %s",
                        key_type_names, public->get_type(public),
-                       public->get_keysize(public) * BITS_PER_BYTE,
+                       public->get_keysize(public),
                        &key->until_time, utc,
                        check_expiry(key->until_time, PUBKEY_WARNING_INTERVAL, TRUE));
                if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &keyid))
index 2b86812..d717beb 100644 (file)
@@ -427,7 +427,7 @@ void list_x509cert_chain(const char *caption, cert_t* cert,
                        {
                                whack_log(RC_COMMENT, "  pubkey:    %N %4d bits%s",
                                        key_type_names, key->get_type(key),
-                                       key->get_keysize(key) * BITS_PER_BYTE,
+                                       key->get_keysize(key),
                                        cert->smartcard ? ", on smartcard" :
                                        (has_private_key(cert)? ", has private key" : ""));
 
index b7d029f..448854a 100644 (file)
@@ -807,7 +807,7 @@ int main(int argc, char **argv)
        public_key = private_key->get_public_key(private_key);
 
        /* check for minimum key length */
-       if (private_key->get_keysize(private_key) < RSA_MIN_OCTETS)
+       if (private_key->get_keysize(private_key) < RSA_MIN_OCTETS / BITS_PER_BYTE)
        {
                exit_scepclient("length of RSA key has to be at least %d bits"
                        ,RSA_MIN_OCTETS * BITS_PER_BYTE);