Source/lib/crypto/rsa/rsa_public_key.c

   1 /**
   2  * @file rsa_public_key.c
   3  *
   4  * @brief Implementation of rsa_public_key_t.
   5  *
   6  */
   7
   8 /*
   9  * Copyright (C) 2005 Jan Hutter, Martin Willi
  10  * Hochschule fuer Technik Rapperswil
  11  *
  12  * This program is free software; you can redistribute it and/or modify it
  13  * under the terms of the GNU General Public License as published by the
  14  * Free Software Foundation; either version 2 of the License, or (at your
  15  * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
  16  *
  17  * This program is distributed in the hope that it will be useful, but
  18  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  19  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  20  * for more details.
  21  */
  22
  23 #include <gmp.h>
  24 #include <sys/stat.h>
  25 #include <unistd.h>
  26 #include <string.h>
  27
  28 #include "rsa_public_key.h"
  29
  30 #include <daemon.h>
  31 #include <crypto/hashers/hasher.h>
  32 #include <asn1/asn1.h>
  33
  34 /*
  35  * For simplicity,
  36  * we use these predefined values for
  37  * hash algorithm OIDs. These also contain
  38  * the length of the following hash.
  39  * These values are also used in rsa_private_key.c.
  40  * TODO: We may move them in asn1 sometime...
  41  */
  42
  43 u_int8_t md2_oid[] = {
  44         0x30,0x20,0x30,0x0c,0x06,0x08,0x2a,0x86,
  45         0x48,0x86,0xf7,0x0d,0x02,0x02,0x05,0x00,
  46         0x04,0x10
  47 };
  48
  49 u_int8_t md5_oid[] = {
  50         0x30,0x20,0x30,0x0c,0x06,0x08,0x2a,0x86,
  51         0x48,0x86,0xf7,0x0d,0x02,0x05,0x05,0x00,
  52         0x04,0x10
  53 };
  54
  55 u_int8_t sha1_oid[] = {
  56         0x30,0x21,0x30,0x09,0x06,0x05,0x2b,0x0e,
  57         0x03,0x02,0x1a,0x05,0x00,0x04,0x14
  58 };
  59
  60 u_int8_t sha256_oid[] = {
  61         0x30,0x31,0x30,0x0d,0x06,0x09,0x60,0x86,
  62         0x48,0x01,0x65,0x03,0x04,0x02,0x01,0x05,
  63         0x00,0x04,0x20
  64 };
  65
  66 u_int8_t sha384_oid[] = {
  67         0x30,0x41,0x30,0x0d,0x06,0x09,0x60,0x86,
  68         0x48,0x01,0x65,0x03,0x04,0x02,0x02,0x05,
  69         0x00,0x04,0x30
  70 };
  71
  72 u_int8_t sha512_oid[] = {
  73         0x30,0x51,0x30,0x0d,0x06,0x09,0x60,0x86,
  74         0x48,0x01,0x65,0x03,0x04,0x02,0x03,0x05,
  75         0x00,0x04,0x40
  76 };
  77
  78 /* ASN.1 definition public key */
  79 static const asn1Object_t pubkey_objects[] = {
  80         { 0, "RSAPublicKey",            ASN1_SEQUENCE,     ASN1_OBJ  }, /*  0 */
  81         { 1,   "modulus",                       ASN1_INTEGER,      ASN1_BODY }, /*  1 */
  82         { 1,   "publicExponent",        ASN1_INTEGER,      ASN1_BODY }, /*  2 */
  83 };
  84
  85 #define PUB_KEY_RSA_PUBLIC_KEY          0
  86 #define PUB_KEY_MODULUS                         1
  87 #define PUB_KEY_EXPONENT                        2
  88 #define PUB_KEY_ROOF                            3
  89
  90 typedef struct private_rsa_public_key_t private_rsa_public_key_t;
  91
  92 /**
  93  * Private data structure with signing context.
  94  */
  95 struct private_rsa_public_key_t {
  96         /**
  97          * Public interface for this signer.
  98          */
  99         rsa_public_key_t public;
 100
 101         /**
 102          * Public modulus.
 103          */
 104         mpz_t n;
 105
 106         /**
 107          * Public exponent.
 108          */
 109         mpz_t e;
 110
 111         /**
 112          * Keysize in bytes.
 113          */
 114         size_t k;
 115
 116         /**
 117          * @brief Implements the RSAEP algorithm specified in PKCS#1.
 118          *
 119          * @param this          calling object
 120          * @param data          data to process
 121          * @return                      processed data
 122          */
 123         chunk_t (*rsaep) (private_rsa_public_key_t *this, chunk_t data);
 124
 125         /**
 126          * @brief Implements the RSASVP1 algorithm specified in PKCS#1.
 127          *
 128          * @param this          calling object
 129          * @param data          data to process
 130          * @return                      processed data
 131          */
 132         chunk_t (*rsavp1) (private_rsa_public_key_t *this, chunk_t data);
 133 };
 134
 135
 136 typedef struct rsa_public_key_info_t rsa_public_key_info_t;
 137
 138 /**
 139  * KeyInfo, as it appears in a public key file
 140  */
 141 struct rsa_public_key_info_t {
 142         /**
 143          * Algorithm for this key
 144          */
 145         chunk_t algorithm_oid;
 146
 147         /**
 148          * Public key, parseable with rsa_public_key_rules
 149          */
 150         chunk_t public_key;
 151 };
 152
 153 private_rsa_public_key_t *rsa_public_key_create_empty();
 154
 155 /**
 156  * Implementation of private_rsa_public_key_t.rsaep and private_rsa_public_key_t.rsavp1
 157  */
 158 static chunk_t rsaep(private_rsa_public_key_t *this, chunk_t data)
 159 {
 160         mpz_t m, c;
 161         chunk_t encrypted;
 162
 163         mpz_init(c);
 164         mpz_init(m);
 165
 166         mpz_import(m, data.len, 1, 1, 1, 0, data.ptr);
 167
 168         mpz_powm(c, m, this->e, this->n);
 169
 170     encrypted.len = this->k;
 171     encrypted.ptr = mpz_export(NULL, NULL, 1, encrypted.len, 1, 0, c);
 172
 173         mpz_clear(c);
 174         mpz_clear(m);
 175
 176         return encrypted;
 177 }
 178
 179 /**
 180  * Implementation of rsa_public_key.verify_emsa_pkcs1_signature.
 181  */
 182 static status_t verify_emsa_pkcs1_signature(private_rsa_public_key_t *this, chunk_t data, chunk_t signature)
 183 {
 184         hasher_t *hasher = NULL;
 185         chunk_t hash;
 186         chunk_t em;
 187         u_int8_t *pos;
 188
 189         if (signature.len > this->k)
 190         {
 191                 return INVALID_ARG;
 192         }
 193
 194         /* unpack signature */
 195         em = this->rsavp1(this, signature);
 196
 197         /* result should look like this:
 198          * EM = 0x00 || 0x01 || PS || 0x00 || T.
 199          * PS = 0xFF padding, with length to fill em
 200          * T = oid || hash
 201          */
 202
 203         /* check magic bytes */
 204         if ((*(em.ptr) != 0x00) ||
 205                 (*(em.ptr+1) != 0x01))
 206         {
 207                 free(em.ptr);
 208                 return FAILED;
 209         }
 210
 211         /* find magic 0x00 */
 212         pos = em.ptr + 2;
 213         while (pos <= em.ptr + em.len)
 214         {
 215                 if (*pos == 0x00)
 216                 {
 217                         /* found magic byte, stop */
 218                         pos++;
 219                         break;
 220                 }
 221                 else if (*pos != 0xFF)
 222                 {
 223                         /* bad padding, decryption failed ?!*/
 224                         free(em.ptr);
 225                         return FAILED;
 226                 }
 227                 pos++;
 228         }
 229
 230         if (pos + 20 > em.ptr + em.len)
 231         {
 232                 /* not enought room for oid compare */
 233                 free(em.ptr);
 234                 return FAILED;
 235         }
 236
 237         if (memcmp(md2_oid, pos, sizeof(md2_oid)) == 0)
 238         {
 239                 hasher = hasher_create(HASH_MD2);
 240                 pos += sizeof(md2_oid);
 241         }
 242         else if (memcmp(md5_oid, pos, sizeof(md5_oid)) == 0)
 243         {
 244                 hasher = hasher_create(HASH_MD5);
 245                 pos += sizeof(md5_oid);
 246         }
 247         else if (memcmp(sha1_oid, pos, sizeof(sha1_oid)) == 0)
 248         {
 249                 hasher = hasher_create(HASH_SHA1);
 250                 pos += sizeof(sha1_oid);
 251         }
 252         else if (memcmp(sha256_oid, pos, sizeof(sha256_oid)) == 0)
 253         {
 254                 hasher = hasher_create(HASH_SHA256);
 255                 pos += sizeof(sha256_oid);
 256         }
 257         else if (memcmp(sha384_oid, pos, sizeof(sha384_oid)) == 0)
 258         {
 259                 hasher = hasher_create(HASH_SHA384);
 260                 pos += sizeof(sha384_oid);
 261         }
 262         else if (memcmp(sha512_oid, pos, sizeof(sha512_oid)) == 0)
 263         {
 264                 hasher = hasher_create(HASH_SHA512);
 265                 pos += sizeof(sha512_oid);
 266         }
 267
 268         if (hasher == NULL)
 269         {
 270                 /* not supported hash algorithm */
 271                 free(em.ptr);
 272                 return NOT_SUPPORTED;
 273         }
 274
 275         if (pos + hasher->get_hash_size(hasher) != em.ptr + em.len)
 276         {
 277                 /* bad length */
 278                 free(em.ptr);
 279                 hasher->destroy(hasher);
 280                 return FAILED;
 281         }
 282
 283         /* build own hash for a compare */
 284         hasher->allocate_hash(hasher, data, &hash);
 285         hasher->destroy(hasher);
 286
 287         if (memcmp(hash.ptr, pos, hash.len) != 0)
 288         {
 289                 /* hash does not equal */
 290                 free(hash.ptr);
 291                 free(em.ptr);
 292                 return FAILED;
 293
 294         }
 295
 296         /* seems good */
 297         free(hash.ptr);
 298         free(em.ptr);
 299         return SUCCESS;
 300 }
 301
 302 /**
 303  * Implementation of rsa_public_key.get_key.
 304  */
 305 static status_t get_key(private_rsa_public_key_t *this, chunk_t *key)
 306 {
 307         chunk_t n, e;
 308
 309         n.len = this->k;
 310         n.ptr = mpz_export(NULL, NULL, 1, n.len, 1, 0, this->n);
 311         e.len = this->k;
 312         e.ptr = mpz_export(NULL, NULL, 1, e.len, 1, 0, this->e);
 313
 314         key->len = this->k * 2;
 315         key->ptr = malloc(key->len);
 316         memcpy(key->ptr, n.ptr, n.len);
 317         memcpy(key->ptr + n.len, e.ptr, e.len);
 318         free(n.ptr);
 319         free(e.ptr);
 320
 321         return SUCCESS;
 322 }
 323
 324 /**
 325  * Implementation of rsa_public_key.save_key.
 326  */
 327 static status_t save_key(private_rsa_public_key_t *this, char *file)
 328 {
 329         return NOT_SUPPORTED;
 330 }
 331
 332 /**
 333  * Implementation of rsa_public_key.get_modulus.
 334  */
 335 static mpz_t *get_modulus(private_rsa_public_key_t *this)
 336 {
 337         return &this->n;
 338 }
 339
 340 /**
 341  * Implementation of rsa_public_key.clone.
 342  */
 343 static rsa_public_key_t* _clone(private_rsa_public_key_t *this)
 344 {
 345         private_rsa_public_key_t *clone = rsa_public_key_create_empty();
 346
 347         mpz_init_set(clone->n, this->n);
 348         mpz_init_set(clone->e, this->e);
 349         clone->k = this->k;
 350
 351         return &clone->public;
 352 }
 353
 354 /**
 355  * Implementation of rsa_public_key.destroy.
 356  */
 357 static void destroy(private_rsa_public_key_t *this)
 358 {
 359         mpz_clear(this->n);
 360         mpz_clear(this->e);
 361         free(this);
 362 }
 363
 364 /**
 365  * Generic private constructor
 366  */
 367 private_rsa_public_key_t *rsa_public_key_create_empty()
 368 {
 369         private_rsa_public_key_t *this = malloc_thing(private_rsa_public_key_t);
 370
 371         /* public functions */
 372         this->public.verify_emsa_pkcs1_signature = (status_t (*) (rsa_public_key_t*,chunk_t,chunk_t))verify_emsa_pkcs1_signature;
 373         this->public.get_key = (status_t (*) (rsa_public_key_t*,chunk_t*))get_key;
 374         this->public.save_key = (status_t (*) (rsa_public_key_t*,char*))save_key;
 375         this->public.get_modulus = (mpz_t *(*) (rsa_public_key_t*))get_modulus;
 376         this->public.clone = (rsa_public_key_t* (*) (rsa_public_key_t*))_clone;
 377         this->public.destroy = (void (*) (rsa_public_key_t*))destroy;
 378
 379         /* private functions */
 380         this->rsaep = rsaep;
 381         this->rsavp1 = rsaep; /* same algorithm */
 382
 383         return this;
 384 }
 385
 386 /*
 387  * See header
 388  */
 389 rsa_public_key_t *rsa_public_key_create_from_chunk(chunk_t blob)
 390 {
 391         asn1_ctx_t ctx;
 392         chunk_t object;
 393         u_int level;
 394         int objectID = 0;
 395         private_rsa_public_key_t *this;
 396
 397         this = rsa_public_key_create_empty();
 398         mpz_init(this->n);
 399         mpz_init(this->e);
 400
 401         asn1_init(&ctx, blob, 0, FALSE);
 402
 403         while (objectID < PUB_KEY_ROOF)
 404         {
 405                 if (!extract_object(pubkey_objects, &objectID, &object, &level, &ctx))
 406                 {
 407                         destroy(this);
 408                         return FALSE;
 409                 }
 410                 switch (objectID)
 411                 {
 412                         case PUB_KEY_MODULUS:
 413                                 mpz_import(this->n, object.len, 1, 1, 1, 0, object.ptr);
 414                                 break;
 415                         case PUB_KEY_EXPONENT:
 416                                 mpz_import(this->e, object.len, 1, 1, 1, 0, object.ptr);
 417                                 break;
 418                 }
 419                 objectID++;
 420         }
 421
 422         this->k = (mpz_sizeinbase(this->n, 2) + 7) / 8;
 423         return &this->public;
 424 }
 425
 426 /*
 427  * See header
 428  */
 429 rsa_public_key_t *rsa_public_key_create_from_file(char *filename)
 430 {
 431         struct stat stb;
 432         FILE *file;
 433         char *buffer;
 434         chunk_t chunk;
 435
 436         if (stat(filename, &stb) == -1)
 437         {
 438                 return NULL;
 439         }
 440
 441         buffer = alloca(stb.st_size);
 442
 443         file = fopen(filename, "r");
 444         if (file == NULL)
 445         {
 446                 return NULL;
 447         }
 448
 449         if (fread(buffer, stb.st_size, 1, file) != 1)
 450         {
 451                 return NULL;
 452         }
 453
 454         chunk.ptr = buffer;
 455         chunk.len = stb.st_size;
 456
 457         return rsa_public_key_create_from_chunk(chunk);
 458 }