2 * Copyright (C) 2005-2009 Martin Willi
3 * Copyright (C) 2005 Jan Hutter
4 * Hochschule fuer Technik Rapperswil
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
23 #include "gmp_rsa_public_key.h"
25 #include <utils/debug.h>
27 #include <asn1/asn1.h>
28 #include <asn1/asn1_parser.h>
29 #include <crypto/hashers/hasher.h>
31 #ifdef HAVE_MPZ_POWM_SEC
33 # define mpz_powm mpz_powm_sec
36 typedef struct private_gmp_rsa_public_key_t private_gmp_rsa_public_key_t
;
39 * Private data structure with signing context.
41 struct private_gmp_rsa_public_key_t
{
43 * Public interface for this signer.
45 gmp_rsa_public_key_t
public;
69 * Shared functions defined in gmp_rsa_private_key.c
71 extern chunk_t
gmp_mpz_to_chunk(const mpz_t value
);
74 * RSAEP algorithm specified in PKCS#1.
76 static chunk_t
rsaep(private_gmp_rsa_public_key_t
*this, chunk_t data
)
82 mpz_import(m
, data
.len
, 1, 1, 1, 0, data
.ptr
);
84 if (mpz_cmp_ui(m
, 0) <= 0 || mpz_cmp(m
, this->n
) >= 0)
85 { /* m must be <= n-1, and while 0 is technically a valid value, it
86 * doesn't really make sense here, so we filter that too */
92 mpz_powm(c
, m
, this->e
, this->n
);
94 encrypted
.len
= this->k
;
95 encrypted
.ptr
= mpz_export(NULL
, NULL
, 1, encrypted
.len
, 1, 0, c
);
96 if (encrypted
.ptr
== NULL
)
108 * RSAVP1 algorithm specified in PKCS#1.
110 static chunk_t
rsavp1(private_gmp_rsa_public_key_t
*this, chunk_t data
)
112 return rsaep(this, data
);
116 * ASN.1 definition of digestInfo
118 static const asn1Object_t digestInfoObjects
[] = {
119 { 0, "digestInfo", ASN1_SEQUENCE
, ASN1_OBJ
}, /* 0 */
120 { 1, "digestAlgorithm", ASN1_EOC
, ASN1_RAW
}, /* 1 */
121 { 1, "digest", ASN1_OCTET_STRING
, ASN1_BODY
}, /* 2 */
122 { 0, "exit", ASN1_EOC
, ASN1_EXIT
}
124 #define DIGEST_INFO 0
125 #define DIGEST_INFO_ALGORITHM 1
126 #define DIGEST_INFO_DIGEST 2
129 * Verification of an EMPSA PKCS1 signature described in PKCS#1
131 static bool verify_emsa_pkcs1_signature(private_gmp_rsa_public_key_t
*this,
132 hash_algorithm_t algorithm
,
133 chunk_t data
, chunk_t signature
)
136 bool success
= FALSE
;
138 /* remove any preceding 0-bytes from signature */
139 while (signature
.len
&& *(signature
.ptr
) == 0x00)
141 signature
= chunk_skip(signature
, 1);
144 if (signature
.len
== 0 || signature
.len
> this->k
)
149 /* unpack signature */
150 em_ori
= em
= rsavp1(this, signature
);
152 /* result should look like this:
153 * EM = 0x00 || 0x01 || PS || 0x00 || T.
154 * PS = 0xFF padding, with length to fill em
158 /* check magic bytes */
159 if (em
.len
< 2 || *(em
.ptr
) != 0x00 || *(em
.ptr
+1) != 0x01)
163 em
= chunk_skip(em
, 2);
165 /* find magic 0x00 */
170 /* found magic byte, stop */
171 em
= chunk_skip(em
, 1);
174 else if (*em
.ptr
!= 0xFF)
176 /* bad padding, decryption failed ?!*/
179 em
= chunk_skip(em
, 1);
184 /* no digestInfo found */
188 if (algorithm
== HASH_UNKNOWN
)
189 { /* IKEv1 signatures without digestInfo */
190 if (em
.len
!= data
.len
)
192 DBG1(DBG_LIB
, "hash size in signature is %u bytes instead of"
193 " %u bytes", em
.len
, data
.len
);
196 success
= memeq_const(em
.ptr
, data
.ptr
, data
.len
);
199 { /* IKEv2 and X.509 certificate signatures */
200 asn1_parser_t
*parser
;
203 hash_algorithm_t hash_algorithm
= HASH_UNKNOWN
;
205 DBG2(DBG_LIB
, "signature verification:");
206 parser
= asn1_parser_create(digestInfoObjects
, em
);
208 while (parser
->iterate(parser
, &objectID
, &object
))
214 if (em
.len
> object
.len
)
216 DBG1(DBG_LIB
, "digestInfo field in signature is"
217 " followed by %u surplus bytes",
218 em
.len
- object
.len
);
223 case DIGEST_INFO_ALGORITHM
:
225 int hash_oid
= asn1_parse_algorithmIdentifier(object
,
226 parser
->get_level(parser
)+1, NULL
);
228 hash_algorithm
= hasher_algorithm_from_oid(hash_oid
);
229 if (hash_algorithm
== HASH_UNKNOWN
|| hash_algorithm
!= algorithm
)
231 DBG1(DBG_LIB
, "expected hash algorithm %N, but found"
232 " %N (OID: %#B)", hash_algorithm_names
, algorithm
,
233 hash_algorithm_names
, hash_algorithm
, &object
);
238 case DIGEST_INFO_DIGEST
:
243 hasher
= lib
->crypto
->create_hasher(lib
->crypto
, hash_algorithm
);
246 DBG1(DBG_LIB
, "hash algorithm %N not supported",
247 hash_algorithm_names
, hash_algorithm
);
251 if (object
.len
!= hasher
->get_hash_size(hasher
))
253 DBG1(DBG_LIB
, "hash size in signature is %u bytes"
254 " instead of %u bytes", object
.len
,
255 hasher
->get_hash_size(hasher
));
256 hasher
->destroy(hasher
);
260 /* build our own hash and compare */
261 if (!hasher
->allocate_hash(hasher
, data
, &hash
))
263 hasher
->destroy(hasher
);
266 hasher
->destroy(hasher
);
267 success
= memeq_const(object
.ptr
, hash
.ptr
, hash
.len
);
277 success
&= parser
->success(parser
);
278 parser
->destroy(parser
);
286 METHOD(public_key_t
, get_type
, key_type_t
,
287 private_gmp_rsa_public_key_t
*this)
292 METHOD(public_key_t
, verify
, bool,
293 private_gmp_rsa_public_key_t
*this, signature_scheme_t scheme
,
294 chunk_t data
, chunk_t signature
)
298 case SIGN_RSA_EMSA_PKCS1_NULL
:
299 return verify_emsa_pkcs1_signature(this, HASH_UNKNOWN
, data
, signature
);
300 case SIGN_RSA_EMSA_PKCS1_SHA2_224
:
301 return verify_emsa_pkcs1_signature(this, HASH_SHA224
, data
, signature
);
302 case SIGN_RSA_EMSA_PKCS1_SHA2_256
:
303 return verify_emsa_pkcs1_signature(this, HASH_SHA256
, data
, signature
);
304 case SIGN_RSA_EMSA_PKCS1_SHA2_384
:
305 return verify_emsa_pkcs1_signature(this, HASH_SHA384
, data
, signature
);
306 case SIGN_RSA_EMSA_PKCS1_SHA2_512
:
307 return verify_emsa_pkcs1_signature(this, HASH_SHA512
, data
, signature
);
308 case SIGN_RSA_EMSA_PKCS1_SHA3_224
:
309 return verify_emsa_pkcs1_signature(this, HASH_SHA3_224
, data
, signature
);
310 case SIGN_RSA_EMSA_PKCS1_SHA3_256
:
311 return verify_emsa_pkcs1_signature(this, HASH_SHA3_256
, data
, signature
);
312 case SIGN_RSA_EMSA_PKCS1_SHA3_384
:
313 return verify_emsa_pkcs1_signature(this, HASH_SHA3_384
, data
, signature
);
314 case SIGN_RSA_EMSA_PKCS1_SHA3_512
:
315 return verify_emsa_pkcs1_signature(this, HASH_SHA3_512
, data
, signature
);
316 case SIGN_RSA_EMSA_PKCS1_SHA1
:
317 return verify_emsa_pkcs1_signature(this, HASH_SHA1
, data
, signature
);
318 case SIGN_RSA_EMSA_PKCS1_MD5
:
319 return verify_emsa_pkcs1_signature(this, HASH_MD5
, data
, signature
);
321 DBG1(DBG_LIB
, "signature scheme %N not supported in RSA",
322 signature_scheme_names
, scheme
);
327 #define MIN_PS_PADDING 8
329 METHOD(public_key_t
, encrypt_
, bool,
330 private_gmp_rsa_public_key_t
*this, encryption_scheme_t scheme
,
331 chunk_t plain
, chunk_t
*crypto
)
338 if (scheme
!= ENCRYPT_RSA_PKCS1
)
340 DBG1(DBG_LIB
, "encryption scheme %N not supported",
341 encryption_scheme_names
, scheme
);
344 /* number of pseudo-random padding octets */
345 padding
= this->k
- plain
.len
- 3;
346 if (padding
< MIN_PS_PADDING
)
348 DBG1(DBG_LIB
, "pseudo-random padding must be at least %d octets",
352 rng
= lib
->crypto
->create_rng(lib
->crypto
, RNG_WEAK
);
355 DBG1(DBG_LIB
, "no random generator available");
359 /* padding according to PKCS#1 7.2.1 (RSAES-PKCS1-v1.5-ENCRYPT) */
360 DBG2(DBG_LIB
, "padding %u bytes of data to the rsa modulus size of"
361 " %u bytes", plain
.len
, this->k
);
363 em
.ptr
= malloc(em
.len
);
368 /* fill with pseudo random octets */
369 if (!rng_get_bytes_not_zero(rng
, padding
, pos
, TRUE
))
371 DBG1(DBG_LIB
, "failed to allocate padding");
380 /* append the padding terminator */
383 /* now add the data */
384 memcpy(pos
, plain
.ptr
, plain
.len
);
385 DBG3(DBG_LIB
, "padded data before rsa encryption: %B", &em
);
387 /* rsa encryption using PKCS#1 RSAEP */
388 *crypto
= rsaep(this, em
);
389 DBG3(DBG_LIB
, "rsa encrypted data: %B", crypto
);
394 METHOD(public_key_t
, get_keysize
, int,
395 private_gmp_rsa_public_key_t
*this)
397 return mpz_sizeinbase(this->n
, 2);
400 METHOD(public_key_t
, get_encoding
, bool,
401 private_gmp_rsa_public_key_t
*this, cred_encoding_type_t type
,
407 n
= gmp_mpz_to_chunk(this->n
);
408 e
= gmp_mpz_to_chunk(this->e
);
410 success
= lib
->encoding
->encode(lib
->encoding
, type
, NULL
, encoding
,
411 CRED_PART_RSA_MODULUS
, n
, CRED_PART_RSA_PUB_EXP
, e
, CRED_PART_END
);
418 METHOD(public_key_t
, get_fingerprint
, bool,
419 private_gmp_rsa_public_key_t
*this, cred_encoding_type_t type
, chunk_t
*fp
)
424 if (lib
->encoding
->get_cache(lib
->encoding
, type
, this, fp
))
428 n
= gmp_mpz_to_chunk(this->n
);
429 e
= gmp_mpz_to_chunk(this->e
);
431 success
= lib
->encoding
->encode(lib
->encoding
, type
, this, fp
,
432 CRED_PART_RSA_MODULUS
, n
, CRED_PART_RSA_PUB_EXP
, e
, CRED_PART_END
);
439 METHOD(public_key_t
, get_ref
, public_key_t
*,
440 private_gmp_rsa_public_key_t
*this)
443 return &this->public.key
;
446 METHOD(public_key_t
, destroy
, void,
447 private_gmp_rsa_public_key_t
*this)
449 if (ref_put(&this->ref
))
453 lib
->encoding
->clear_cache(lib
->encoding
, this);
461 gmp_rsa_public_key_t
*gmp_rsa_public_key_load(key_type_t type
, va_list args
)
463 private_gmp_rsa_public_key_t
*this;
469 switch (va_arg(args
, builder_part_t
))
471 case BUILD_RSA_MODULUS
:
472 n
= va_arg(args
, chunk_t
);
474 case BUILD_RSA_PUB_EXP
:
475 e
= va_arg(args
, chunk_t
);
484 if (!e
.len
|| !n
.len
|| (n
.ptr
[n
.len
-1] & 0x01) == 0)
492 .get_type
= _get_type
,
494 .encrypt
= _encrypt_
,
495 .equals
= public_key_equals
,
496 .get_keysize
= _get_keysize
,
497 .get_fingerprint
= _get_fingerprint
,
498 .has_fingerprint
= public_key_has_fingerprint
,
499 .get_encoding
= _get_encoding
,
510 mpz_import(this->n
, n
.len
, 1, 1, 1, 0, n
.ptr
);
511 mpz_import(this->e
, e
.len
, 1, 1, 1, 0, e
.ptr
);
513 this->k
= (mpz_sizeinbase(this->n
, 2) + 7) / BITS_PER_BYTE
;
515 if (!mpz_sgn(this->e
))
520 return &this->public;