2 * Copyright (C) 2017 Tobias Brunner
3 * Copyright (C) 2005 Jan Hutter
4 * Copyright (C) 2005-2009 Martin Willi
5 * Copyright (C) 2012 Andreas Steffen
6 * HSR Hochschule fuer Technik Rapperswil
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
24 #include "gmp_rsa_private_key.h"
25 #include "gmp_rsa_public_key.h"
27 #include <utils/debug.h>
29 #include <asn1/asn1.h>
30 #include <asn1/asn1_parser.h>
31 #include <credentials/keys/signature_params.h>
33 #ifdef HAVE_MPZ_POWM_SEC
35 # define mpz_powm mpz_powm_sec
39 * Public exponent to use for key generation.
41 #define PUBLIC_EXPONENT 0x10001
43 typedef struct private_gmp_rsa_private_key_t private_gmp_rsa_private_key_t
;
46 * Private data of a gmp_rsa_private_key_t object.
48 struct private_gmp_rsa_private_key_t
{
50 * Public interface for this signer.
52 gmp_rsa_private_key_t
public;
75 * Carmichael function m = lambda(n) = lcm(p-1,q-1).
80 * Private exponent and optional secret sharing polynomial coefficients.
95 * Private coefficient.
100 * Total number of private key shares
105 * Secret sharing threshold
110 * Optional verification key (threshold > 1).
126 * Convert a MP integer into a chunk_t
128 chunk_t
gmp_mpz_to_chunk(const mpz_t value
)
132 n
.len
= 1 + mpz_sizeinbase(value
, 2) / BITS_PER_BYTE
;
133 n
.ptr
= mpz_export(NULL
, NULL
, 1, n
.len
, 1, 0, value
);
135 { /* if we have zero in "value", gmp returns NULL */
142 * Auxiliary function overwriting private key material with zero bytes
144 static void mpz_clear_sensitive(mpz_t z
)
146 size_t len
= mpz_size(z
) * GMP_LIMB_BITS
/ BITS_PER_BYTE
;
147 uint8_t *zeros
= alloca(len
);
149 memset(zeros
, 0, len
);
150 /* overwrite mpz_t with zero bytes before clearing it */
151 mpz_import(z
, len
, 1, 1, 1, 0, zeros
);
156 * Create a mpz prime of at least prime_size
158 static status_t
compute_prime(size_t prime_size
, bool safe
, mpz_t
*p
, mpz_t
*q
)
161 chunk_t random_bytes
;
164 rng
= lib
->crypto
->create_rng(lib
->crypto
, RNG_TRUE
);
167 DBG1(DBG_LIB
, "no RNG of quality %N found", rng_quality_names
,
177 if (!rng
->allocate_bytes(rng
, prime_size
, &random_bytes
))
179 DBG1(DBG_LIB
, "failed to allocate random prime");
186 /* make sure the two most significant bits are set */
189 random_bytes
.ptr
[0] &= 0x7F;
190 random_bytes
.ptr
[0] |= 0x60;
191 mpz_import(*q
, random_bytes
.len
, 1, 1, 1, 0, random_bytes
.ptr
);
195 mpz_nextprime (*q
, *q
);
196 mpz_mul_ui(*p
, *q
, 2);
197 mpz_add_ui(*p
, *p
, 1);
199 while (mpz_probab_prime_p(*p
, 10) == 0);
200 DBG2(DBG_LIB
, "safe prime found after %d iterations", count
);
204 random_bytes
.ptr
[0] |= 0xC0;
205 mpz_import(*p
, random_bytes
.len
, 1, 1, 1, 0, random_bytes
.ptr
);
206 mpz_nextprime (*p
, *p
);
208 chunk_clear(&random_bytes
);
211 /* check if the prime isn't too large */
212 while (((mpz_sizeinbase(*p
, 2) + 7) / 8) > prime_size
);
216 /* additionally return p-1 */
217 mpz_sub_ui(*q
, *p
, 1);
223 * PKCS#1 RSADP function
225 static chunk_t
rsadp(private_gmp_rsa_private_key_t
*this, chunk_t data
)
233 mpz_import(t1
, data
.len
, 1, 1, 1, 0, data
.ptr
);
235 mpz_powm(t2
, t1
, this->exp1
, this->p
); /* m1 = c^dP mod p */
236 mpz_powm(t1
, t1
, this->exp2
, this->q
); /* m2 = c^dQ mod Q */
237 mpz_sub(t2
, t2
, t1
); /* h = qInv (m1 - m2) mod p */
238 mpz_mod(t2
, t2
, this->p
);
239 mpz_mul(t2
, t2
, this->coeff
);
240 mpz_mod(t2
, t2
, this->p
);
242 mpz_mul(t2
, t2
, this->q
); /* m = m2 + h q */
245 decrypted
.len
= this->k
;
246 decrypted
.ptr
= mpz_export(NULL
, NULL
, 1, decrypted
.len
, 1, 0, t1
);
247 if (decrypted
.ptr
== NULL
)
252 mpz_clear_sensitive(t1
);
253 mpz_clear_sensitive(t2
);
259 * PKCS#1 RSASP1 function
261 static chunk_t
rsasp1(private_gmp_rsa_private_key_t
*this, chunk_t data
)
263 return rsadp(this, data
);
267 * Build a signature using the PKCS#1 EMSA scheme
269 static bool build_emsa_pkcs1_signature(private_gmp_rsa_private_key_t
*this,
270 hash_algorithm_t hash_algorithm
,
271 chunk_t data
, chunk_t
*signature
)
273 chunk_t digestInfo
= chunk_empty
;
276 if (hash_algorithm
!= HASH_UNKNOWN
)
280 int hash_oid
= hasher_algorithm_to_oid(hash_algorithm
);
282 if (hash_oid
== OID_UNKNOWN
)
287 hasher
= lib
->crypto
->create_hasher(lib
->crypto
, hash_algorithm
);
288 if (!hasher
|| !hasher
->allocate_hash(hasher
, data
, &hash
))
293 hasher
->destroy(hasher
);
295 /* build DER-encoded digestInfo */
296 digestInfo
= asn1_wrap(ASN1_SEQUENCE
, "mm",
297 asn1_algorithmIdentifier(hash_oid
),
298 asn1_simple_object(ASN1_OCTET_STRING
, hash
)
304 if (data
.len
> this->k
- 3)
306 free(digestInfo
.ptr
);
307 DBG1(DBG_LIB
, "unable to sign %d bytes using a %dbit key", data
.len
,
308 mpz_sizeinbase(this->n
, 2));
312 /* build chunk to rsa-decrypt:
313 * EM = 0x00 || 0x01 || PS || 0x00 || T.
314 * PS = 0xFF padding, with length to fill em
318 em
.ptr
= malloc(em
.len
);
320 /* fill em with padding */
321 memset(em
.ptr
, 0xFF, em
.len
);
322 /* set magic bytes */
325 *(em
.ptr
+ em
.len
- data
.len
- 1) = 0x00;
326 /* set DER-encoded hash */
327 memcpy(em
.ptr
+ em
.len
- data
.len
, data
.ptr
, data
.len
);
329 /* build signature */
330 *signature
= rsasp1(this, em
);
332 free(digestInfo
.ptr
);
339 * Build a signature using the PKCS#1 EMSA PSS scheme
341 static bool build_emsa_pss_signature(private_gmp_rsa_private_key_t
*this,
342 rsa_pss_params_t
*params
, chunk_t data
,
345 ext_out_function_t xof
;
346 hasher_t
*hasher
= NULL
;
349 chunk_t hash
, salt
= chunk_empty
, m
, ps
, db
, dbmask
, em
;
350 size_t embits
, emlen
, maskbits
;
351 bool success
= FALSE
;
357 xof
= xof_mgf1_from_hash_algorithm(params
->mgf1_hash
);
358 if (xof
== XOF_UNDEFINED
)
360 DBG1(DBG_LIB
, "%N is not supported for MGF1", hash_algorithm_names
,
364 /* emBits = modBits - 1 */
365 embits
= mpz_sizeinbase(this->n
, 2) - 1;
366 /* emLen = ceil(emBits/8) */
367 emlen
= (embits
+ 7) / BITS_PER_BYTE
;
368 /* mHash = Hash(M) */
369 hasher
= lib
->crypto
->create_hasher(lib
->crypto
, params
->hash
);
372 DBG1(DBG_LIB
, "hash algorithm %N not supported",
373 hash_algorithm_names
, params
->hash
);
376 hash
= chunk_alloca(hasher
->get_hash_size(hasher
));
377 if (!hasher
->get_hash(hasher
, data
, hash
.ptr
))
383 if (params
->salt_len
> RSA_PSS_SALT_LEN_DEFAULT
)
385 salt
.len
= params
->salt_len
;
387 if (emlen
< (hash
.len
+ salt
.len
+ 2))
393 salt
= chunk_alloca(salt
.len
);
394 rng
= lib
->crypto
->create_rng(lib
->crypto
, RNG_STRONG
);
395 if (!rng
|| !rng
->get_bytes(rng
, salt
.len
, salt
.ptr
))
400 /* M' = 0x0000000000000000 | mHash | salt */
401 m
= chunk_cata("ccc",
402 chunk_from_chars(0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00),
405 if (!hasher
->get_hash(hasher
, m
, hash
.ptr
))
409 /* PS = 00...<padding depending on hash and salt length> */
410 ps
= chunk_alloca(emlen
- salt
.len
- hash
.len
- 2);
411 memset(ps
.ptr
, 0, ps
.len
);
412 /* DB = PS | 0x01 | salt */
413 db
= chunk_cata("ccc", ps
, chunk_from_chars(0x01), salt
);
414 /* dbMask = MGF(H, emLen - hLen - 1) */
415 mgf
= lib
->crypto
->create_xof(lib
->crypto
, xof
);
416 dbmask
= chunk_alloca(db
.len
);
419 DBG1(DBG_LIB
, "%N not supported", ext_out_function_names
, xof
);
422 if (!mgf
->set_seed(mgf
, hash
) ||
423 !mgf
->get_bytes(mgf
, dbmask
.len
, dbmask
.ptr
))
427 /* maskedDB = DB xor dbMask */
428 memxor(db
.ptr
, dbmask
.ptr
, db
.len
);
429 /* zero out unused bits */
430 maskbits
= (8 * emlen
) - embits
;
433 db
.ptr
[0] &= (0xff >> maskbits
);
435 /* EM = maskedDB | H | 0xbc */
436 em
= chunk_cata("ccc", db
, hash
, chunk_from_chars(0xbc));
437 /* S = RSASP1(K, EM) */
438 *signature
= rsasp1(this, em
);
448 METHOD(private_key_t
, get_type
, key_type_t
,
449 private_gmp_rsa_private_key_t
*this)
454 METHOD(private_key_t
, sign
, bool,
455 private_gmp_rsa_private_key_t
*this, signature_scheme_t scheme
,
456 void *params
, chunk_t data
, chunk_t
*signature
)
460 case SIGN_RSA_EMSA_PKCS1_NULL
:
461 return build_emsa_pkcs1_signature(this, HASH_UNKNOWN
, data
, signature
);
462 case SIGN_RSA_EMSA_PKCS1_SHA2_224
:
463 return build_emsa_pkcs1_signature(this, HASH_SHA224
, data
, signature
);
464 case SIGN_RSA_EMSA_PKCS1_SHA2_256
:
465 return build_emsa_pkcs1_signature(this, HASH_SHA256
, data
, signature
);
466 case SIGN_RSA_EMSA_PKCS1_SHA2_384
:
467 return build_emsa_pkcs1_signature(this, HASH_SHA384
, data
, signature
);
468 case SIGN_RSA_EMSA_PKCS1_SHA2_512
:
469 return build_emsa_pkcs1_signature(this, HASH_SHA512
, data
, signature
);
470 case SIGN_RSA_EMSA_PKCS1_SHA3_224
:
471 return build_emsa_pkcs1_signature(this, HASH_SHA3_224
, data
, signature
);
472 case SIGN_RSA_EMSA_PKCS1_SHA3_256
:
473 return build_emsa_pkcs1_signature(this, HASH_SHA3_256
, data
, signature
);
474 case SIGN_RSA_EMSA_PKCS1_SHA3_384
:
475 return build_emsa_pkcs1_signature(this, HASH_SHA3_384
, data
, signature
);
476 case SIGN_RSA_EMSA_PKCS1_SHA3_512
:
477 return build_emsa_pkcs1_signature(this, HASH_SHA3_512
, data
, signature
);
478 case SIGN_RSA_EMSA_PKCS1_SHA1
:
479 return build_emsa_pkcs1_signature(this, HASH_SHA1
, data
, signature
);
480 case SIGN_RSA_EMSA_PKCS1_MD5
:
481 return build_emsa_pkcs1_signature(this, HASH_MD5
, data
, signature
);
482 case SIGN_RSA_EMSA_PSS
:
483 return build_emsa_pss_signature(this, params
, data
, signature
);
485 DBG1(DBG_LIB
, "signature scheme %N not supported in RSA",
486 signature_scheme_names
, scheme
);
491 METHOD(private_key_t
, decrypt
, bool,
492 private_gmp_rsa_private_key_t
*this, encryption_scheme_t scheme
,
493 chunk_t crypto
, chunk_t
*plain
)
495 chunk_t em
, stripped
;
496 bool success
= FALSE
;
498 if (scheme
!= ENCRYPT_RSA_PKCS1
)
500 DBG1(DBG_LIB
, "encryption scheme %N not supported",
501 encryption_scheme_names
, scheme
);
504 /* rsa decryption using PKCS#1 RSADP */
505 stripped
= em
= rsadp(this, crypto
);
507 /* PKCS#1 v1.5 8.1 encryption-block formatting (EB = 00 || 02 || PS || 00 || D) */
509 /* check for hex pattern 00 02 in decrypted message */
510 if ((*stripped
.ptr
++ != 0x00) || (*(stripped
.ptr
++) != 0x02))
512 DBG1(DBG_LIB
, "incorrect padding - probably wrong rsa key");
517 /* the plaintext data starts after first 0x00 byte */
518 while (stripped
.len
-- > 0 && *stripped
.ptr
++ != 0x00)
520 if (stripped
.len
== 0)
522 DBG1(DBG_LIB
, "no plaintext data");
526 *plain
= chunk_clone(stripped
);
534 METHOD(private_key_t
, get_keysize
, int,
535 private_gmp_rsa_private_key_t
*this)
537 return mpz_sizeinbase(this->n
, 2);
540 METHOD(private_key_t
, get_public_key
, public_key_t
*,
541 private_gmp_rsa_private_key_t
*this)
544 public_key_t
*public;
546 n
= gmp_mpz_to_chunk(this->n
);
547 e
= gmp_mpz_to_chunk(this->e
);
549 public = lib
->creds
->create(lib
->creds
, CRED_PUBLIC_KEY
, KEY_RSA
,
550 BUILD_RSA_MODULUS
, n
, BUILD_RSA_PUB_EXP
, e
, BUILD_END
);
557 METHOD(private_key_t
, get_encoding
, bool,
558 private_gmp_rsa_private_key_t
*this, cred_encoding_type_t type
,
561 chunk_t n
, e
, d
, p
, q
, exp1
, exp2
, coeff
;
564 n
= gmp_mpz_to_chunk(this->n
);
565 e
= gmp_mpz_to_chunk(this->e
);
566 d
= gmp_mpz_to_chunk(*this->d
);
567 p
= gmp_mpz_to_chunk(this->p
);
568 q
= gmp_mpz_to_chunk(this->q
);
569 exp1
= gmp_mpz_to_chunk(this->exp1
);
570 exp2
= gmp_mpz_to_chunk(this->exp2
);
571 coeff
= gmp_mpz_to_chunk(this->coeff
);
573 success
= lib
->encoding
->encode(lib
->encoding
,
574 type
, NULL
, encoding
, CRED_PART_RSA_MODULUS
, n
,
575 CRED_PART_RSA_PUB_EXP
, e
, CRED_PART_RSA_PRIV_EXP
, d
,
576 CRED_PART_RSA_PRIME1
, p
, CRED_PART_RSA_PRIME2
, q
,
577 CRED_PART_RSA_EXP1
, exp1
, CRED_PART_RSA_EXP2
, exp2
,
578 CRED_PART_RSA_COEFF
, coeff
, CRED_PART_END
);
591 METHOD(private_key_t
, get_fingerprint
, bool,
592 private_gmp_rsa_private_key_t
*this, cred_encoding_type_t type
, chunk_t
*fp
)
597 if (lib
->encoding
->get_cache(lib
->encoding
, type
, this, fp
))
601 n
= gmp_mpz_to_chunk(this->n
);
602 e
= gmp_mpz_to_chunk(this->e
);
604 success
= lib
->encoding
->encode(lib
->encoding
, type
, this, fp
,
605 CRED_PART_RSA_MODULUS
, n
, CRED_PART_RSA_PUB_EXP
, e
, CRED_PART_END
);
612 METHOD(private_key_t
, get_ref
, private_key_t
*,
613 private_gmp_rsa_private_key_t
*this)
616 return &this->public.key
;
619 METHOD(private_key_t
, destroy
, void,
620 private_gmp_rsa_private_key_t
*this)
622 if (ref_put(&this->ref
))
629 mpz_clear_sensitive(this->p
);
630 mpz_clear_sensitive(this->q
);
631 mpz_clear_sensitive(this->m
);
632 mpz_clear_sensitive(this->exp1
);
633 mpz_clear_sensitive(this->exp2
);
634 mpz_clear_sensitive(this->coeff
);
636 for (i
= 0; i
< this->threshold
; i
++)
638 mpz_clear_sensitive(*this->d
+ i
);
642 lib
->encoding
->clear_cache(lib
->encoding
, this);
648 * Check the loaded key if it is valid and usable
650 static status_t
check(private_gmp_rsa_private_key_t
*this)
653 status_t status
= SUCCESS
;
655 /* PKCS#1 1.5 section 6 requires modulus to have at least 12 octets.
656 * We actually require more (for security).
658 if (this->k
< 512 / BITS_PER_BYTE
)
660 DBG1(DBG_LIB
, "key shorter than 512 bits");
664 /* we picked a max modulus size to simplify buffer allocation */
665 if (this->k
> 8192 / BITS_PER_BYTE
)
667 DBG1(DBG_LIB
, "key larger than 8192 bits");
675 /* precompute p1 = p-1 and q1 = q-1 */
676 mpz_sub_ui(p1
, this->p
, 1);
677 mpz_sub_ui(q1
, this->q
, 1);
679 /* check that n == p * q */
680 mpz_mul(u
, this->p
, this->q
);
681 if (mpz_cmp(u
, this->n
) != 0)
686 /* check that e divides neither p-1 nor q-1 */
687 mpz_mod(u
, p1
, this->e
);
688 if (mpz_cmp_ui(u
, 0) == 0)
693 mpz_mod(u
, q1
, this->e
);
694 if (mpz_cmp_ui(u
, 0) == 0)
699 /* check that d is e^-1 (mod lcm(p-1, q-1)) */
700 /* see PKCS#1v2, aka RFC 2437, for the "lcm" */
701 mpz_lcm(this->m
, p1
, q1
);
702 mpz_mul(u
, *this->d
, this->e
);
703 mpz_mod(u
, u
, this->m
);
704 if (mpz_cmp_ui(u
, 1) != 0)
709 /* check that exp1 is d mod (p-1) */
710 mpz_mod(u
, *this->d
, p1
);
711 if (mpz_cmp(u
, this->exp1
) != 0)
716 /* check that exp2 is d mod (q-1) */
717 mpz_mod(u
, *this->d
, q1
);
718 if (mpz_cmp(u
, this->exp2
) != 0)
723 /* check that coeff is (q^-1) mod p */
724 mpz_mul(u
, this->coeff
, this->q
);
725 mpz_mod(u
, u
, this->p
);
726 if (mpz_cmp_ui(u
, 1) != 0)
731 mpz_clear_sensitive(u
);
732 mpz_clear_sensitive(p1
);
733 mpz_clear_sensitive(q1
);
735 if (status
!= SUCCESS
)
737 DBG1(DBG_LIB
, "key integrity tests failed");
743 * Internal generic constructor
745 static private_gmp_rsa_private_key_t
*gmp_rsa_private_key_create_empty(void)
747 private_gmp_rsa_private_key_t
*this;
752 .get_type
= _get_type
,
755 .get_keysize
= _get_keysize
,
756 .get_public_key
= _get_public_key
,
757 .equals
= private_key_equals
,
758 .belongs_to
= private_key_belongs_to
,
759 .get_fingerprint
= _get_fingerprint
,
760 .has_fingerprint
= private_key_has_fingerprint
,
761 .get_encoding
= _get_encoding
,
775 gmp_rsa_private_key_t
*gmp_rsa_private_key_gen(key_type_t type
, va_list args
)
777 private_gmp_rsa_private_key_t
*this;
778 u_int key_size
= 0, shares
= 0, threshold
= 1;
779 bool safe_prime
= FALSE
, rng_failed
= FALSE
, invert_failed
= FALSE
;
780 mpz_t p
, q
, p1
, q1
, d
;
785 switch (va_arg(args
, builder_part_t
))
788 key_size
= va_arg(args
, u_int
);
790 case BUILD_SAFE_PRIMES
:
794 shares
= va_arg(args
, u_int
);
796 case BUILD_THRESHOLD
:
797 threshold
= va_arg(args
, u_int
);
810 key_size
= key_size
/ BITS_PER_BYTE
;
812 /* Get values of primes p and q */
813 if (compute_prime(key_size
/2, safe_prime
, &p
, &p1
) != SUCCESS
)
817 if (compute_prime(key_size
/2, safe_prime
, &q
, &q1
) != SUCCESS
)
824 /* Swapping Primes so p is larger then q */
825 if (mpz_cmp(p
, q
) < 0)
831 /* Create and initialize RSA private key object */
832 this = gmp_rsa_private_key_create_empty();
833 this->shares
= shares
;
834 this->threshold
= threshold
;
835 this->d
= malloc(threshold
* sizeof(mpz_t
));
839 mpz_init_set_ui(this->e
, PUBLIC_EXPONENT
);
842 mpz_init(this->exp1
);
843 mpz_init(this->exp2
);
844 mpz_init(this->coeff
);
848 mpz_mul(this->n
, p
, q
); /* n = p*q */
849 mpz_lcm(this->m
, p1
, q1
); /* m = lcm(p-1,q-1) */
850 mpz_invert(d
, this->e
, this->m
); /* e has an inverse mod m */
851 mpz_mod(this->exp1
, d
, p1
); /* exp1 = d mod p-1 */
852 mpz_mod(this->exp2
, d
, q1
); /* exp2 = d mod q-1 */
853 mpz_invert(this->coeff
, q
, p
); /* coeff = q^-1 mod p */
855 invert_failed
= mpz_cmp_ui(this->m
, 0) == 0 ||
856 mpz_cmp_ui(this->coeff
, 0) == 0;
858 /* store secret exponent d */
861 /* generate and store random coefficients of secret sharing polynomial */
865 chunk_t random_bytes
;
869 rng
= lib
->crypto
->create_rng(lib
->crypto
, RNG_TRUE
);
872 for (i
= 1; i
< threshold
; i
++)
876 if (!rng
->allocate_bytes(rng
, key_size
, &random_bytes
))
881 mpz_import(d
, random_bytes
.len
, 1, 1, 1, 0, random_bytes
.ptr
);
882 mpz_mod(d
, d
, this->m
);
884 chunk_clear(&random_bytes
);
887 /* generate verification key v as a square number */
890 if (!rng
->allocate_bytes(rng
, key_size
, &random_bytes
))
895 mpz_import(this->v
, random_bytes
.len
, 1, 1, 1, 0, random_bytes
.ptr
);
896 mpz_mul(this->v
, this->v
, this->v
);
897 mpz_mod(this->v
, this->v
, this->n
);
898 mpz_gcd(u
, this->v
, this->n
);
899 chunk_free(&random_bytes
);
901 while (mpz_cmp_ui(u
, 1) != 0);
907 mpz_clear_sensitive(p1
);
908 mpz_clear_sensitive(q1
);
910 if (rng_failed
|| invert_failed
)
912 DBG1(DBG_LIB
, "rsa key generation failed");
917 /* set key size in bytes */
920 return &this->public;
924 * Recover the primes from n, e and d using the algorithm described in
925 * Appendix C of NIST SP 800-56B.
927 static bool calculate_pq(private_gmp_rsa_private_key_t
*this)
929 gmp_randstate_t rstate
;
930 mpz_t k
, r
, g
, y
, n1
, x
;
932 bool success
= FALSE
;
934 gmp_randinit_default(rstate
);
935 mpz_inits(k
, r
, g
, y
, n1
, x
, NULL
);
936 /* k = (d * e) - 1 */
937 mpz_mul(k
, *this->d
, this->e
);
943 /* k = 2^t * r, where r is the largest odd integer dividing k, and t >= 1 */
945 for (t
= 0; !mpz_odd_p(r
); t
++)
947 mpz_divexact_ui(r
, r
, 2);
949 /* we need n-1 below */
950 mpz_sub_ui(n1
, this->n
, 1);
951 for (i
= 0; i
< 100; i
++)
952 { /* generate random integer g in [0, n-1] */
953 mpz_urandomm(g
, rstate
, this->n
);
955 mpz_powm_sec(y
, g
, r
, this->n
);
956 /* try again if y == 1 or y == n-1 */
957 if (mpz_cmp_ui(y
, 1) == 0 || mpz_cmp(y
, n1
) == 0)
961 for (j
= 0; j
< t
; j
++)
962 { /* x = y^2 mod n */
963 mpz_powm_ui(x
, y
, 2, this->n
);
965 if (mpz_cmp_ui(x
, 1) == 0)
969 /* retry with new g if x = n-1 */
970 if (mpz_cmp(x
, n1
) == 0)
981 /* p = gcd(y-1, n) */
983 mpz_gcd(this->p
, y
, this->n
);
985 mpz_divexact(this->q
, this->n
, this->p
);
989 mpz_clear_sensitive(k
);
990 mpz_clear_sensitive(r
);
991 mpz_clear_sensitive(g
);
992 mpz_clear_sensitive(y
);
993 mpz_clear_sensitive(x
);
995 gmp_randclear(rstate
);
1002 gmp_rsa_private_key_t
*gmp_rsa_private_key_load(key_type_t type
, va_list args
)
1004 private_gmp_rsa_private_key_t
*this;
1005 chunk_t n
, e
, d
, p
, q
, exp1
, exp2
, coeff
;
1007 n
= e
= d
= p
= q
= exp1
= exp2
= coeff
= chunk_empty
;
1010 switch (va_arg(args
, builder_part_t
))
1012 case BUILD_RSA_MODULUS
:
1013 n
= va_arg(args
, chunk_t
);
1015 case BUILD_RSA_PUB_EXP
:
1016 e
= va_arg(args
, chunk_t
);
1018 case BUILD_RSA_PRIV_EXP
:
1019 d
= va_arg(args
, chunk_t
);
1021 case BUILD_RSA_PRIME1
:
1022 p
= va_arg(args
, chunk_t
);
1024 case BUILD_RSA_PRIME2
:
1025 q
= va_arg(args
, chunk_t
);
1027 case BUILD_RSA_EXP1
:
1028 exp1
= va_arg(args
, chunk_t
);
1030 case BUILD_RSA_EXP2
:
1031 exp2
= va_arg(args
, chunk_t
);
1033 case BUILD_RSA_COEFF
:
1034 coeff
= va_arg(args
, chunk_t
);
1044 this = gmp_rsa_private_key_create_empty();
1046 this->d
= malloc(sizeof(mpz_t
));
1053 mpz_init(this->exp1
);
1054 mpz_init(this->exp2
);
1055 mpz_init(this->coeff
);
1058 mpz_import(this->n
, n
.len
, 1, 1, 1, 0, n
.ptr
);
1059 mpz_import(this->e
, e
.len
, 1, 1, 1, 0, e
.ptr
);
1060 mpz_import(*this->d
, d
.len
, 1, 1, 1, 0, d
.ptr
);
1063 mpz_import(this->p
, p
.len
, 1, 1, 1, 0, p
.ptr
);
1067 mpz_import(this->q
, q
.len
, 1, 1, 1, 0, q
.ptr
);
1069 if (!p
.len
&& !q
.len
)
1070 { /* p and q missing in key, recalculate from n, e and d */
1071 if (!calculate_pq(this))
1078 { /* p missing in key, recalculate: p = n / q */
1079 mpz_divexact(this->p
, this->n
, this->q
);
1082 { /* q missing in key, recalculate: q = n / p */
1083 mpz_divexact(this->q
, this->n
, this->p
);
1086 { /* exp1 missing in key, recalculate: exp1 = d mod (p-1) */
1087 mpz_sub_ui(this->exp1
, this->p
, 1);
1088 mpz_mod(this->exp1
, *this->d
, this->exp1
);
1092 mpz_import(this->exp1
, exp1
.len
, 1, 1, 1, 0, exp1
.ptr
);
1095 { /* exp2 missing in key, recalculate: exp2 = d mod (q-1) */
1096 mpz_sub_ui(this->exp2
, this->q
, 1);
1097 mpz_mod(this->exp2
, *this->d
, this->exp2
);
1101 mpz_import(this->exp2
, exp2
.len
, 1, 1, 1, 0, exp2
.ptr
);
1104 { /* coeff missing in key, recalculate: coeff = q^-1 mod p */
1105 mpz_invert(this->coeff
, this->q
, this->p
);
1109 mpz_import(this->coeff
, coeff
.len
, 1, 1, 1, 0, coeff
.ptr
);
1111 this->k
= (mpz_sizeinbase(this->n
, 2) + 7) / BITS_PER_BYTE
;
1112 if (check(this) != SUCCESS
)
1117 return &this->public;