2 * Copyright (C) 2005-2009 Martin Willi
3 * Copyright (C) 2005 Jan Hutter
4 * Hochschule fuer Technik Rapperswil
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
23 #include "gmp_rsa_public_key.h"
27 #include <asn1/asn1.h>
28 #include <asn1/asn1_parser.h>
29 #include <crypto/hashers/hasher.h>
31 #ifdef HAVE_MPZ_POWM_SEC
33 # define mpz_powm mpz_powm_sec
36 typedef struct private_gmp_rsa_public_key_t private_gmp_rsa_public_key_t
;
39 * Private data structure with signing context.
41 struct private_gmp_rsa_public_key_t
{
43 * Public interface for this signer.
45 gmp_rsa_public_key_t
public;
69 * Shared functions defined in gmp_rsa_private_key.c
71 extern chunk_t
gmp_mpz_to_chunk(const mpz_t value
);
74 * RSAEP algorithm specified in PKCS#1.
76 static chunk_t
rsaep(private_gmp_rsa_public_key_t
*this, chunk_t data
)
84 mpz_import(m
, data
.len
, 1, 1, 1, 0, data
.ptr
);
86 mpz_powm(c
, m
, this->e
, this->n
);
88 encrypted
.len
= this->k
;
89 encrypted
.ptr
= mpz_export(NULL
, NULL
, 1, encrypted
.len
, 1, 0, c
);
90 if (encrypted
.ptr
== NULL
)
102 * RSAVP1 algorithm specified in PKCS#1.
104 static chunk_t
rsavp1(private_gmp_rsa_public_key_t
*this, chunk_t data
)
106 return rsaep(this, data
);
110 * ASN.1 definition of digestInfo
112 static const asn1Object_t digestInfoObjects
[] = {
113 { 0, "digestInfo", ASN1_SEQUENCE
, ASN1_OBJ
}, /* 0 */
114 { 1, "digestAlgorithm", ASN1_EOC
, ASN1_RAW
}, /* 1 */
115 { 1, "digest", ASN1_OCTET_STRING
, ASN1_BODY
}, /* 2 */
116 { 0, "exit", ASN1_EOC
, ASN1_EXIT
}
118 #define DIGEST_INFO 0
119 #define DIGEST_INFO_ALGORITHM 1
120 #define DIGEST_INFO_DIGEST 2
123 * Verification of an EMPSA PKCS1 signature described in PKCS#1
125 static bool verify_emsa_pkcs1_signature(private_gmp_rsa_public_key_t
*this,
126 hash_algorithm_t algorithm
,
127 chunk_t data
, chunk_t signature
)
130 bool success
= FALSE
;
132 /* remove any preceding 0-bytes from signature */
133 while (signature
.len
&& *(signature
.ptr
) == 0x00)
135 signature
= chunk_skip(signature
, 1);
138 if (signature
.len
== 0 || signature
.len
> this->k
)
143 /* unpack signature */
144 em_ori
= em
= rsavp1(this, signature
);
146 /* result should look like this:
147 * EM = 0x00 || 0x01 || PS || 0x00 || T.
148 * PS = 0xFF padding, with length to fill em
152 /* check magic bytes */
153 if (*(em
.ptr
) != 0x00 || *(em
.ptr
+1) != 0x01)
157 em
= chunk_skip(em
, 2);
159 /* find magic 0x00 */
164 /* found magic byte, stop */
165 em
= chunk_skip(em
, 1);
168 else if (*em
.ptr
!= 0xFF)
170 /* bad padding, decryption failed ?!*/
173 em
= chunk_skip(em
, 1);
178 /* no digestInfo found */
182 if (algorithm
== HASH_UNKNOWN
)
183 { /* IKEv1 signatures without digestInfo */
184 if (em
.len
!= data
.len
)
186 DBG1(DBG_LIB
, "hash size in signature is %u bytes instead of"
187 " %u bytes", em
.len
, data
.len
);
190 success
= memeq(em
.ptr
, data
.ptr
, data
.len
);
193 { /* IKEv2 and X.509 certificate signatures */
194 asn1_parser_t
*parser
;
197 hash_algorithm_t hash_algorithm
= HASH_UNKNOWN
;
199 DBG2(DBG_LIB
, "signature verification:");
200 parser
= asn1_parser_create(digestInfoObjects
, em
);
202 while (parser
->iterate(parser
, &objectID
, &object
))
208 if (em
.len
> object
.len
)
210 DBG1(DBG_LIB
, "digestInfo field in signature is"
211 " followed by %u surplus bytes",
212 em
.len
- object
.len
);
217 case DIGEST_INFO_ALGORITHM
:
219 int hash_oid
= asn1_parse_algorithmIdentifier(object
,
220 parser
->get_level(parser
)+1, NULL
);
222 hash_algorithm
= hasher_algorithm_from_oid(hash_oid
);
223 if (hash_algorithm
== HASH_UNKNOWN
|| hash_algorithm
!= algorithm
)
225 DBG1(DBG_LIB
, "expected hash algorithm %N, but found"
226 " %N (OID: %#B)", hash_algorithm_names
, algorithm
,
227 hash_algorithm_names
, hash_algorithm
, &object
);
232 case DIGEST_INFO_DIGEST
:
237 hasher
= lib
->crypto
->create_hasher(lib
->crypto
, hash_algorithm
);
240 DBG1(DBG_LIB
, "hash algorithm %N not supported",
241 hash_algorithm_names
, hash_algorithm
);
245 if (object
.len
!= hasher
->get_hash_size(hasher
))
247 DBG1(DBG_LIB
, "hash size in signature is %u bytes"
248 " instead of %u bytes", object
.len
,
249 hasher
->get_hash_size(hasher
));
250 hasher
->destroy(hasher
);
254 /* build our own hash and compare */
255 if (!hasher
->allocate_hash(hasher
, data
, &hash
))
257 hasher
->destroy(hasher
);
260 hasher
->destroy(hasher
);
261 success
= memeq(object
.ptr
, hash
.ptr
, hash
.len
);
271 success
&= parser
->success(parser
);
272 parser
->destroy(parser
);
280 METHOD(public_key_t
, get_type
, key_type_t
,
281 private_gmp_rsa_public_key_t
*this)
286 METHOD(public_key_t
, verify
, bool,
287 private_gmp_rsa_public_key_t
*this, signature_scheme_t scheme
,
288 chunk_t data
, chunk_t signature
)
292 case SIGN_RSA_EMSA_PKCS1_NULL
:
293 return verify_emsa_pkcs1_signature(this, HASH_UNKNOWN
, data
, signature
);
294 case SIGN_RSA_EMSA_PKCS1_MD5
:
295 return verify_emsa_pkcs1_signature(this, HASH_MD5
, data
, signature
);
296 case SIGN_RSA_EMSA_PKCS1_SHA1
:
297 return verify_emsa_pkcs1_signature(this, HASH_SHA1
, data
, signature
);
298 case SIGN_RSA_EMSA_PKCS1_SHA224
:
299 return verify_emsa_pkcs1_signature(this, HASH_SHA224
, data
, signature
);
300 case SIGN_RSA_EMSA_PKCS1_SHA256
:
301 return verify_emsa_pkcs1_signature(this, HASH_SHA256
, data
, signature
);
302 case SIGN_RSA_EMSA_PKCS1_SHA384
:
303 return verify_emsa_pkcs1_signature(this, HASH_SHA384
, data
, signature
);
304 case SIGN_RSA_EMSA_PKCS1_SHA512
:
305 return verify_emsa_pkcs1_signature(this, HASH_SHA512
, data
, signature
);
307 DBG1(DBG_LIB
, "signature scheme %N not supported in RSA",
308 signature_scheme_names
, scheme
);
313 #define MIN_PS_PADDING 8
315 METHOD(public_key_t
, encrypt_
, bool,
316 private_gmp_rsa_public_key_t
*this, encryption_scheme_t scheme
,
317 chunk_t plain
, chunk_t
*crypto
)
324 if (scheme
!= ENCRYPT_RSA_PKCS1
)
326 DBG1(DBG_LIB
, "encryption scheme %N not supported",
327 encryption_scheme_names
, scheme
);
330 /* number of pseudo-random padding octets */
331 padding
= this->k
- plain
.len
- 3;
332 if (padding
< MIN_PS_PADDING
)
334 DBG1(DBG_LIB
, "pseudo-random padding must be at least %d octets",
338 rng
= lib
->crypto
->create_rng(lib
->crypto
, RNG_WEAK
);
341 DBG1(DBG_LIB
, "no random generator available");
345 /* padding according to PKCS#1 7.2.1 (RSAES-PKCS1-v1.5-ENCRYPT) */
346 DBG2(DBG_LIB
, "padding %u bytes of data to the rsa modulus size of"
347 " %u bytes", plain
.len
, this->k
);
349 em
.ptr
= malloc(em
.len
);
354 /* fill with pseudo random octets */
355 if (!rng_get_bytes_not_zero(rng
, padding
, pos
, TRUE
))
357 DBG1(DBG_LIB
, "failed to allocate padding");
364 /* append the padding terminator */
367 /* now add the data */
368 memcpy(pos
, plain
.ptr
, plain
.len
);
369 DBG3(DBG_LIB
, "padded data before rsa encryption: %B", &em
);
371 /* rsa encryption using PKCS#1 RSAEP */
372 *crypto
= rsaep(this, em
);
373 DBG3(DBG_LIB
, "rsa encrypted data: %B", crypto
);
378 METHOD(public_key_t
, get_keysize
, int,
379 private_gmp_rsa_public_key_t
*this)
381 return mpz_sizeinbase(this->n
, 2);
384 METHOD(public_key_t
, get_encoding
, bool,
385 private_gmp_rsa_public_key_t
*this, cred_encoding_type_t type
,
391 n
= gmp_mpz_to_chunk(this->n
);
392 e
= gmp_mpz_to_chunk(this->e
);
394 success
= lib
->encoding
->encode(lib
->encoding
, type
, NULL
, encoding
,
395 CRED_PART_RSA_MODULUS
, n
, CRED_PART_RSA_PUB_EXP
, e
, CRED_PART_END
);
402 METHOD(public_key_t
, get_fingerprint
, bool,
403 private_gmp_rsa_public_key_t
*this, cred_encoding_type_t type
, chunk_t
*fp
)
408 if (lib
->encoding
->get_cache(lib
->encoding
, type
, this, fp
))
412 n
= gmp_mpz_to_chunk(this->n
);
413 e
= gmp_mpz_to_chunk(this->e
);
415 success
= lib
->encoding
->encode(lib
->encoding
, type
, this, fp
,
416 CRED_PART_RSA_MODULUS
, n
, CRED_PART_RSA_PUB_EXP
, e
, CRED_PART_END
);
423 METHOD(public_key_t
, get_ref
, public_key_t
*,
424 private_gmp_rsa_public_key_t
*this)
427 return &this->public.key
;
430 METHOD(public_key_t
, destroy
, void,
431 private_gmp_rsa_public_key_t
*this)
433 if (ref_put(&this->ref
))
437 lib
->encoding
->clear_cache(lib
->encoding
, this);
445 gmp_rsa_public_key_t
*gmp_rsa_public_key_load(key_type_t type
, va_list args
)
447 private_gmp_rsa_public_key_t
*this;
453 switch (va_arg(args
, builder_part_t
))
455 case BUILD_RSA_MODULUS
:
456 n
= va_arg(args
, chunk_t
);
458 case BUILD_RSA_PUB_EXP
:
459 e
= va_arg(args
, chunk_t
);
468 if (!e
.ptr
|| !n
.ptr
)
476 .get_type
= _get_type
,
478 .encrypt
= _encrypt_
,
479 .equals
= public_key_equals
,
480 .get_keysize
= _get_keysize
,
481 .get_fingerprint
= _get_fingerprint
,
482 .has_fingerprint
= public_key_has_fingerprint
,
483 .get_encoding
= _get_encoding
,
494 mpz_import(this->n
, n
.len
, 1, 1, 1, 0, n
.ptr
);
495 mpz_import(this->e
, e
.len
, 1, 1, 1, 0, e
.ptr
);
497 this->k
= (mpz_sizeinbase(this->n
, 2) + 7) / BITS_PER_BYTE
;
499 return &this->public;