/*
- * Program to generate cryptographic keys for NTP clients and servers
+ * Program to generate cryptographic keys for ntp clients and servers
*
* This program generates password encrypted data files for use with the
* Autokey security protocol and Network Time Protocol Version 4. Files
* Identity schemes. The key type par is used for the challenge; the key
* type key is used for the response.
*
- * ntpkey_IFFkey_<trustname>.<filestamp>
- * ntpkey_iffkey_<trustname>
+ * ntpkey_IFFkey_<groupname>.<filestamp>
+ * ntpkey_iffkey_<groupname>
* Schnorr (IFF) identity parameters and keys
*
- * ntpkey_GQkey_<trustname>.<filestamp>,
- * ntpkey_gqkey_<trustname>
+ * ntpkey_GQkey_<groupname>.<filestamp>,
+ * ntpkey_gqkey_<groupname>
* Guillou-Quisquater (GQ) identity parameters and keys
*
- * ntpkey_MVkeyX_<trustname>.<filestamp>,
- * ntpkey_mvkey_<hostname>
+ * ntpkey_MVkeyX_<groupname>.<filestamp>,
+ * ntpkey_mvkey_<groupname>
* Mu-Varadharajan (MV) identity parameters and keys
*
* Note: Once in a while because of some statistical fluke this program
extern int ntp_getopt (int, char **, const char *);
#define getopt ntp_getopt
#define optarg ntp_optarg
-#endif
+#endif /* SYS_WINNT */
#ifdef OPENSSL
#include "openssl/bn.h"
#define MAXHOSTNAME 256 /* max host name length */
#ifdef OPENSSL
#define PLEN 512 /* default prime modulus size (bits) */
+#define MVMAX 100 /* max MV parameters */
/*
* Strings used in X509v3 extension fields
/*
* Prototypes
*/
-FILE *fheader (const char *, const char *);
-void fslink (const char *, const char *);
+FILE *fheader (const char *, const char *, const char *);
int gen_md5 (char *);
#ifdef OPENSSL
EVP_PKEY *gen_rsa (char *);
EVP_PKEY *gen_dsa (char *);
EVP_PKEY *gen_iffkey (char *);
EVP_PKEY *gen_gqkey (char *);
-EVP_PKEY *gen_mv (char *);
-int x509 (EVP_PKEY *, const EVP_MD *, char *, char *);
+EVP_PKEY *gen_mvkey (char *, EVP_PKEY **);
+void gen_mvserv (char *, EVP_PKEY **);
+int x509 (EVP_PKEY *, const EVP_MD *, char *, char *,
+ char *);
void cb (int, int, void *);
EVP_PKEY *genkey (char *, char *);
-EVP_PKEY *readkey (char *, char *, u_int *);
+EVP_PKEY *readkey (char *, char *, u_int *, EVP_PKEY **);
+void writekey (char *, char *, u_int *, EVP_PKEY **);
u_long asn2ntp (ASN1_TIME *);
#endif /* OPENSSL */
#ifdef OPENSSL
u_int modulus = PLEN; /* prime modulus size (bits) */
#endif
-int nkeys = 0; /* MV keys */
+int nkeys; /* MV keys */
time_t epoch; /* Unix epoch (seconds) since 1970 */
u_int fstamp; /* NTP filestamp */
char *hostname = NULL; /* host name (subject name) */
-char *trustname = NULL; /* trusted host name (issuer name) */
+char *groupname = NULL; /* trusted host name (issuer name) */
char filename[MAXFILENAME + 1]; /* file name */
char *passwd1 = NULL; /* input private key password */
char *passwd2 = NULL; /* output private key password */
*/
int
readlink(char *link, char *file, int len)
+{
return (-1);
+}
/*
* Don't try to create a symbolic link for now.
int md5key = 0; /* generate MD5 keys */
#ifdef OPENSSL
X509 *cert = NULL; /* X509 certificate */
+ X509_EXTENSION *ext; /* X509v3 extension */
EVP_PKEY *pkey_host = NULL; /* host key */
EVP_PKEY *pkey_sign = NULL; /* sign key */
- EVP_PKEY *pkey_iffkey = NULL; /* IFF keys */
- EVP_PKEY *pkey_gqkey = NULL; /* GQ parameters */
- EVP_PKEY *pkey_mv = NULL; /* MV parameters */
+ EVP_PKEY *pkey_iffkey = NULL; /* IFF sever keys */
+ EVP_PKEY *pkey_gqkey = NULL; /* GQ server keys */
+ EVP_PKEY *pkey_mvkey = NULL; /* MV trusted agen keys */
+ EVP_PKEY *pkey_mvpar[MVMAX]; /* MV cleient keys */
int hostkey = 0; /* generate RSA keys */
int iffkey = 0; /* generate IFF keys */
- int gqpar = 0; /* generate GQ keys */
- int mvpar = 0; /* generate MV parameters */
+ int gqkey = 0; /* generate GQ keys */
int mvkey = 0; /* update MV keys */
+ int mvpar = 0; /* generate MV parameters */
char *sign = NULL; /* sign key */
EVP_PKEY *pkey = NULL; /* temp key */
const EVP_MD *ectx; /* EVP digest */
#define iffsw HAVE_OPT(ID_KEY)
#endif /* OPENSSL */
char hostbuf[MAXHOSTNAME + 1];
+ char groupbuf[MAXHOSTNAME + 1];
progname = argv[0];
#ifdef OPENSSL
/*
- * OpenSSL version numbers: MNNFFPPS: major minor fix patch status
- * We match major, minor, fix and status (not patch)
+ * OpenSSL version numbers: MNNFFPPS: major minor fix patch
+ * status We match major, minor, fix and status (not patch)
*/
if ((SSLeay() ^ OPENSSL_VERSION_NUMBER) & ~0xff0L) {
fprintf(stderr,
*/
gethostname(hostbuf, MAXHOSTNAME);
hostname = hostbuf;
-#ifdef OPENSSL
- passwd1 = hostbuf;
-#endif
#ifndef SYS_WINNT
gettimeofday(&tv, 0);
#else
argc -= optct;
argv += optct;
}
-
-#ifdef OPENSSL
- if (HAVE_OPT( CERTIFICATE ))
- scheme = OPT_ARG( CERTIFICATE );
-#endif
-
debug = DESC(DEBUG_LEVEL).optOccCt;
-
-#ifdef OPENSSL
- if (HAVE_OPT( GQ_PARAMS ))
- gqpar++;
-
- if (HAVE_OPT( HOST_KEY ))
- hostkey++;
-
- if (HAVE_OPT( IFFKEY ))
- iffkey++;
-
- if (HAVE_OPT( ISSUER_NAME ))
- trustname = OPT_ARG( ISSUER_NAME );
-#endif
-
if (HAVE_OPT( MD5KEY ))
- md5key++;
+ md5key++;
#ifdef OPENSSL
- if (HAVE_OPT( MODULUS ))
- modulus = OPT_VALUE_MODULUS;
-
- if (HAVE_OPT( PVT_CERT ))
- exten = EXT_KEY_PRIVATE;
-
+ passwd1 = hostbuf;
if (HAVE_OPT( PVT_PASSWD ))
- passwd2 = OPT_ARG( PVT_PASSWD );
+ passwd1 = OPT_ARG( PVT_PASSWD );
if (HAVE_OPT( GET_PVT_PASSWD ))
- passwd1 = OPT_ARG( GET_PVT_PASSWD );
+ passwd2 = OPT_ARG( GET_PVT_PASSWD );
+
+ if (HAVE_OPT( HOST_KEY ))
+ hostkey++;
if (HAVE_OPT( SIGN_KEY ))
- sign = OPT_ARG( SIGN_KEY );
+ sign = OPT_ARG( SIGN_KEY );
- if (HAVE_OPT( SUBJECT_NAME ))
- hostname = OPT_ARG( SUBJECT_NAME );
+ if (HAVE_OPT( GQ_PARAMS ))
+ gqkey++;
- if (HAVE_OPT( TRUSTED_CERT ))
- exten = EXT_KEY_TRUST;
+ if (HAVE_OPT( IFFKEY ))
+ iffkey++;
if (HAVE_OPT( MV_PARAMS )) {
- mvpar++;
+ mvkey++;
nkeys = OPT_VALUE_MV_PARAMS;
}
-
if (HAVE_OPT( MV_KEYS )) {
- mvkey++;
+ mvpar++;
nkeys = OPT_VALUE_MV_KEYS;
}
- if (trustname == NULL)
- trustname = hostname;
-#endif
- if (passwd2 == NULL)
- passwd2 = passwd1;
-#ifdef OPENSSL
+ if (HAVE_OPT( MODULUS ))
+ modulus = OPT_VALUE_MODULUS;
+
+ if (HAVE_OPT( CERTIFICATE ))
+ scheme = OPT_ARG( CERTIFICATE );
+
+ if (HAVE_OPT( SUBJECT_NAME ))
+ hostname = OPT_ARG( SUBJECT_NAME );
+
+ if (HAVE_OPT( ISSUER_NAME ))
+ groupname = OPT_ARG( ISSUER_NAME );
+
+ if (HAVE_OPT( PVT_CERT ))
+ exten = EXT_KEY_PRIVATE;
+
+ if (HAVE_OPT( TRUSTED_CERT ))
+ exten = EXT_KEY_TRUST;
+
/*
* Seed random number generator and grow weeds.
*/
"Random seed file %s %u bytes\n", pathbuf, temp);
RAND_add(&epoch, sizeof(epoch), 4.0);
}
-#endif
/*
- * Generate new MD5 keys if requested. These replace any
- * keysalready generated.
+ * Load previous certificate if available.
*/
- if (md5key)
- gen_md5("MD5");
+ sprintf(filename, "ntpkey_cert_%s", hostname);
+ if ((fstr = fopen(filename, "r")) != NULL) {
+ cert = PEM_read_X509(fstr, NULL, NULL, NULL);
+ fclose(fstr);
+ }
+ if (cert != NULL) {
+
+ /*
+ * Extract subject name.
+ */
+ X509_NAME_oneline(X509_get_subject_name(cert), groupbuf,
+ MAXFILENAME);
+
+ /*
+ * Extract digest/signature scheme.
+ */
+ if (scheme == NULL) {
+ nid = OBJ_obj2nid(cert->cert_info->
+ signature->algorithm);
+ scheme = OBJ_nid2sn(nid);
+ }
+
+ /*
+ * If a key_usage extension field is present, determine
+ * whether this is a trusted or private certificate.
+ */
+ if (exten == NULL) {
+ BIO *bp;
+ int i, cnt;
+ char *ptr;
+
+ ptr = strstr(groupbuf, "CN=");
+ cnt = X509_get_ext_count(cert);
+ for (i = 0; i < cnt; i++) {
+ ext = X509_get_ext(cert, i);
+ if (OBJ_obj2nid(ext->object) ==
+ NID_ext_key_usage) {
+ bp = BIO_new(BIO_s_mem());
+ X509V3_EXT_print(bp, ext, 0, 0);
+ BIO_gets(bp, pathbuf,
+ MAXFILENAME);
+ BIO_free(bp);
+ if (strcmp(pathbuf,
+ "Trust Root") == 0)
+ exten = EXT_KEY_TRUST;
+ else if (strcmp(pathbuf,
+ "Private") == 0)
+ exten = EXT_KEY_PRIVATE;
+ if (groupname == NULL)
+ groupname = ptr + 3;
+ }
+ }
+ }
+ }
+ if (scheme == NULL)
+ scheme = "RSA-MD5";
+ if (groupname == NULL)
+ groupname = hostname;
+ fprintf(stderr, "Using host %s group %s\n", hostname,
+ groupname);
+ if ((iffkey || gqkey || mvkey) && exten == NULL)
+ fprintf(stderr,
+ "Warning: identity files may not be useful with a nontrusted certificate.\n");
+#endif /* OPENSSL */
+
+ /*
+ * Create new unencrypted MD5 keys file if requested. If this
+ * option is selected, ignore all other options.
+ */
+ if (md5key) {
+ gen_md5("md5");
+ exit (0);
+ }
+
#ifdef OPENSSL
/*
* Create a new encrypted RSA host key file if requested;
* otherwise, look for an existing host key file. If not found,
- * create a new encrypted RSA host key file containing a
- * public/private key pair.
+ * create a new encrypted RSA host key file. If that fails, go
+ * no further.
*/
if (hostkey)
pkey_host = genkey("RSA", "host");
- if (pkey_host == NULL && strcmp(passwd1, passwd2) == 0) {
+ if (pkey_host == NULL) {
sprintf(filename, "ntpkey_host_%s", hostname);
- pkey_host = readkey(filename, passwd1, &fstamp);
- if (pkey_host == NULL) {
- pkey_host = genkey("RSA", "host");
- if (pkey_host == NULL) {
- fprintf(stderr, "No host key %s\n",
- filename);
- exit (-1);
- }
- } else {
+ pkey_host = readkey(filename, passwd1, &fstamp, NULL);
+ if (pkey_host != NULL) {
readlink(filename, filename, sizeof(filename));
fprintf(stderr, "Using host key %s\n",
filename);
+ } else {
+ pkey_host = genkey("RSA", "host");
}
}
+ if (pkey_host == NULL) {
+ fprintf(stderr, "Generating host key fails\n");
+ exit (-1);
+ }
/*
- * Create new encrypted RSA or DSA sign key file if requested;
+ * Create new encrypted RSA or DSA sign keys file if requested;
* otherwise, look for an existing sign key file. If not found,
- * use the host keys instead.
+ * use the host key instead.
*/
if (sign != NULL)
pkey_sign = genkey(sign, "sign");
- if (pkey_sign == NULL && strcmp(passwd1, passwd2) == 0) {
+ if (pkey_sign == NULL) {
sprintf(filename, "ntpkey_sign_%s", hostname);
- pkey_sign = readkey(filename, passwd1, &fstamp);
+ pkey_sign = readkey(filename, passwd1, &fstamp, NULL);
if (pkey_sign != NULL) {
readlink(filename, filename, sizeof(filename));
fprintf(stderr, "Using sign key %s\n",
filename);
- } else {
+ } else if (pkey_host != NULL) {
pkey_sign = pkey_host;
fprintf(stderr, "Using host key as sign key\n");
}
}
/*
- * Create new encrypted GQ parameter file if requested;
+ * Create new encrypted GQ server keys file if requested;
* otherwise, look for an exisiting file. If found, fetch the
* public key for the certificate.
*/
- if (gqpar)
+ if (gqkey)
pkey_gqkey = gen_gqkey("gqkey");
if (pkey_gqkey == NULL) {
- sprintf(filename, "ntpkey_gqkey_%s", trustname);
- pkey_gqkey = readkey(filename, passwd1, &fstamp);
+ sprintf(filename, "ntpkey_gqkey_%s", groupname);
+ pkey_gqkey = readkey(filename, passwd1, &fstamp, NULL);
if (pkey_gqkey != NULL) {
readlink(filename, filename, sizeof(filename));
fprintf(stderr, "Using GQ parameters %s\n",
grpkey = BN_bn2hex(pkey_gqkey->pkey.rsa->q);
/*
- * Write the nonencrypted GQ parameters to the stdout stream.
- * The parameer file is the keys file with the private key
- * obscured.
+ * Write the nonencrypted GQ client parameters to the stdout
+ * stream. The parameter file is the server key file with the
+ * private key obscured.
*/
if (pkey_gqkey != NULL && HAVE_OPT(ID_KEY)) {
RSA *rsa;
epoch = fstamp - JAN_1970;
- sprintf(filename, "ntpkey_gqpar_%s.%u", trustname,
+ sprintf(filename, "ntpkey_gqpar_%s.%u", groupname,
fstamp);
fprintf(stderr, "Writing GQ parameters %s to stdout\n",
filename);
}
/*
- * Write the encrypted GQ keys to the stdout stream.
+ * Write the encrypted GQ server keys to the stdout stream.
*/
- if (pkey_gqkey != NULL && strcmp(passwd1, passwd2) != 0) {
+ if (pkey_gqkey != NULL && passwd2 != NULL) {
RSA *rsa;
- sprintf(filename, "ntpkey_GQkey_%s.%u", trustname,
+ sprintf(filename, "ntpkey_gqkey_%s.%u", groupname,
fstamp);
fprintf(stderr, "Writing GQ keys %s to stdout\n",
filename);
}
/*
- * Create new encrypted IFF keys file if requested; otherwise,
- * look for existing keys file.
+ * Create new encrypted IFF server keys file if requested;
+ * otherwise, look for existing file.
*/
if (iffkey)
pkey_iffkey = gen_iffkey("iffkey");
if (pkey_iffkey == NULL) {
- sprintf(filename, "ntpkey_iffkey_%s", trustname);
- pkey_iffkey = readkey(filename, passwd1, &fstamp);
+ sprintf(filename, "ntpkey_iffkey_%s", groupname);
+ pkey_iffkey = readkey(filename, passwd1, &fstamp, NULL);
if (pkey_iffkey != NULL) {
readlink(filename, filename, sizeof(filename));
fprintf(stderr, "Using IFF keys %s\n",
}
/*
- * Write the nonencrypted IFF parameters to the stdout stream.
- * The parameer file is the keys file with the private key
- * obscured.
+ * Write the nonencrypted IFF client parameters to the stdout
+ * stream. The parameter file is the server key file with the
+ * private key obscured.
*/
if (pkey_iffkey != NULL && HAVE_OPT(ID_KEY)) {
DSA *dsa;
epoch = fstamp - JAN_1970;
- sprintf(filename, "ntpkey_iffpar_%s.%u", trustname,
+ sprintf(filename, "ntpkey_iffpar_%s.%u", groupname,
fstamp);
fprintf(stderr, "Writing IFF parameters %s to stdout\n",
filename);
}
/*
- * Write the encrypted IFF keys to the stdout stream.
+ * Write the encrypted IFF server keys to the stdout stream.
*/
- if (pkey_iffkey != NULL && strcmp(passwd1, passwd2) != 0) {
+ if (pkey_iffkey != NULL && passwd2 != NULL) {
DSA *dsa;
epoch = fstamp - JAN_1970;
- sprintf(filename, "ntpkey_IFFkey_%s.%u", trustname,
+ sprintf(filename, "ntpkey_iffkey_%s.%u", groupname,
fstamp);
fprintf(stderr, "Writing IFF keys %s to stdout\n",
filename);
}
/*
- * Create new MV parameters if requested. Not clear what to do
- * with MV for now.
+ * Create new encrypted MV trusted-authority keys file if
+ * requested; otherwise, look for existing keys file.
*/
- if (mvpar)
- pkey_mv = gen_mv("mv");
- if (strcmp(passwd1, passwd2) != 0 || HAVE_OPT(ID_KEY))
- exit (0);
+ if (mvkey)
+ pkey_mvkey = gen_mvkey("mv", pkey_mvpar);
+ if (pkey_mvkey == NULL) {
+ sprintf(filename, "ntpkey_mvta_%s", groupname);
+ pkey_mvkey = readkey(filename, passwd1, &fstamp,
+ pkey_mvpar);
+ if (pkey_mvkey != NULL) {
+ readlink(filename, filename, sizeof(filename));
+ fprintf(stderr, "Using MV keys %s\n",
+ filename);
+ }
+ }
/*
- * Generate a X509v3 certificate.
+ * Write the nonencrypted MV client parameters to the stdout
+ * stream. For the moment, we always use the client parameters
+ * associated with client key 1.
*/
- if (scheme == NULL) {
- scheme = "RSA-MD5";
- sprintf(filename, "ntpkey_cert_%s", hostname);
- if ((fstr = fopen(filename, "r")) != NULL) {
- cert = PEM_read_X509(fstr, NULL, NULL, NULL);
- fclose(fstr);
- readlink(filename, filename, sizeof(filename));
- if (cert != NULL) {
- nid = OBJ_obj2nid(
- cert->cert_info->signature->algorithm);
- scheme = OBJ_nid2sn(nid);
- fprintf(stderr,
- "Using scheme %s from %s\n", scheme,
- filename);
- }
- }
+ if (pkey_mvkey != NULL && HAVE_OPT(ID_KEY)) {
+ epoch = fstamp - JAN_1970;
+ sprintf(filename, "ntpkey_mvpar_%s.%u", groupname,
+ fstamp);
+ fprintf(stderr, "Writing MV parameters %s to stdout\n",
+ filename);
+ fprintf(stdout, "# %s\n# %s\n", filename,
+ ctime(&epoch));
+ pkey = pkey_mvpar[2];
+ PEM_write_PrivateKey(stdout, pkey, NULL, NULL, 0, NULL,
+ NULL);
+ fclose(stdout);
+ if (debug)
+ DSA_print_fp(stderr, pkey->pkey.dsa, 0);
}
+
+ /*
+ * Write the encrypted MV server keys to the stdout stream.
+ */
+ if (pkey_mvkey != NULL && passwd2 != NULL) {
+ epoch = fstamp - JAN_1970;
+ sprintf(filename, "ntpkey_mvkey_%s.%u", groupname,
+ fstamp);
+ fprintf(stderr, "Writing MV keys %s to stdout\n",
+ filename);
+ fprintf(stdout, "# %s\n# %s\n", filename,
+ ctime(&epoch));
+ pkey = pkey_mvpar[1];
+ PEM_write_PrivateKey(stdout, pkey, EVP_des_cbc(), NULL,
+ 0, NULL, passwd2);
+ fclose(stdout);
+ if (debug)
+ DSA_print_fp(stderr, pkey->pkey.dsa, 0);
+ }
+
+ /*
+ * Don't generate a certificate if no host keys or extracting
+ * encrypted or nonencrypted keys to the standard output stream.
+ */
+ if (pkey_host == NULL || HAVE_OPT(ID_KEY) || passwd2 != NULL)
+ exit (0);
+
+ /*
+ * Decode the digest/signature scheme. If trusted, set the
+ * subject and issuer names to the group name; if not set both
+ * to the host name.
+ */
ectx = EVP_get_digestbyname(scheme);
if (ectx == NULL) {
fprintf(stderr,
"Invalid digest/signature combination %s\n",
scheme);
exit (-1);
- } else {
-
- /*
- * If GQ parameters are available, extract the public
- * key for the certificate.
- */
- x509(pkey_sign, ectx, grpkey, exten);
}
+ if (exten == NULL)
+ x509(pkey_sign, ectx, grpkey, exten, hostname);
+ else
+ x509(pkey_sign, ectx, grpkey, exten, groupname);
#endif /* OPENSSL */
exit (0);
}
-#if 0
-/*
- * Generate random MD5 key with password.
- */
-int
-gen_md5(
- char *id /* file name id */
- )
-{
- BIGNUM *key;
- BIGNUM *keyid;
- FILE *str;
- u_char bin[16];
-
- fprintf(stderr, "Generating MD5 keys...\n");
- str = fheader("MD5key", trustname);
- keyid = BN_new(); key = BN_new();
- BN_rand(keyid, 16, -1, 0);
- BN_rand(key, 128, -1, 0);
- BN_bn2bin(key, bin);
- PEM_write_fp(str, MD5, NULL, bin);
- fclose(str);
- fslink(id, trustname);
- return (1);
-}
-
-
-#else
/*
* Generate semi-random MD5 keys compatible with NTPv3 and NTPv4
*/
{
u_char md5key[16]; /* MD5 key */
FILE *str;
- u_int temp = 0; /* prevent warnings during compile */
int i, j;
- fprintf(stderr, "Generating MD5 keys...\n");
- str = fheader("MD5key", trustname);
+ str = fheader("MD5key", id, groupname);
ntp_srandom(epoch);
for (i = 1; i <= MD5KEYS; i++) {
for (j = 0; j < 16; j++) {
+ int temp;
+
while (1) {
temp = ntp_random() & 0xff;
if (temp == '#')
continue;
+
if (temp > 0x20 && temp < 0x7f)
break;
}
md5key);
}
fclose(str);
- fslink(id, trustname);
return (1);
}
-#endif /* 0 */
+
#ifdef OPENSSL
/*
* readkey - load cryptographic parameters and keys
*
* This routine loads a PEM-encoded file of given name and password and
- * extracts the filestamp from the file name. It returns the key pointer
- * if valid, NULL if not.
+ * extracts the filestamp from the file name. It returns a pointer to
+ * the first key if valid, NULL if not.
*/
EVP_PKEY * /* public/private key pair */
readkey(
char *cp, /* file name */
char *passwd, /* password */
- u_int *estamp /* file stamp */
+ u_int *estamp, /* file stamp */
+ EVP_PKEY **evpars /* parameter list pointer */
)
{
FILE *str; /* file handle */
EVP_PKEY *pkey = NULL; /* public/private key */
u_int gstamp; /* filestamp */
char linkname[MAXFILENAME]; /* filestamp buffer) */
+ EVP_PKEY *parkey;
char *ptr;
+ int i;
/*
* Open the key file.
}
/*
- * Read and decrypt PEM-encoded private key.
+ * Read and decrypt PEM-encoded private keys. The first one
+ * found is returned. If others are expected, add them to the
+ * parameter list.
*/
- pkey = PEM_read_PrivateKey(str, NULL, NULL, passwd);
+ for (i = 0; i <= MVMAX - 1;) {
+ parkey = PEM_read_PrivateKey(str, NULL, NULL, passwd);
+ if (evpars != NULL) {
+ evpars[i++] = parkey;
+ evpars[i] = NULL;
+ }
+ if (parkey == NULL)
+ break;
+
+ if (pkey == NULL)
+ pkey = parkey;
+ if (debug) {
+ if (parkey->type == EVP_PKEY_DSA)
+ DSA_print_fp(stderr, parkey->pkey.dsa,
+ 0);
+ else if (parkey->type == EVP_PKEY_RSA)
+ RSA_print_fp(stderr, parkey->pkey.rsa,
+ 0);
+ }
+ }
fclose(str);
if (pkey == NULL) {
fprintf(stderr, "Corrupt file %s or wrong key %s\n%s\n",
cp, passwd, ERR_error_string(ERR_get_error(),
NULL));
+ fclose(str);
exit (-1);
}
*estamp = gstamp;
- if (debug) {
- if (pkey->type == EVP_PKEY_DSA)
- DSA_print_fp(stderr, pkey->pkey.dsa, 0);
- else if (pkey->type == EVP_PKEY_RSA)
- RSA_print_fp(stderr, pkey->pkey.rsa, 0);
- }
return (pkey);
}
* Write the RSA parameters and keys as a RSA private key
* encoded in PEM.
*/
- str = fheader("RSApar", hostname);
+ str = fheader("RSAkey", id, hostname);
pkey = EVP_PKEY_new();
EVP_PKEY_assign_RSA(pkey, rsa);
PEM_write_PrivateKey(str, pkey, EVP_des_cbc(), NULL, 0, NULL,
- passwd2);
+ passwd1);
fclose(str);
if (debug)
RSA_print_fp(stderr, rsa, 0);
- fslink(id, hostname);
return (pkey);
}
* Write the DSA parameters and keys as a DSA private key
* encoded in PEM.
*/
- str = fheader("DSAkey", hostname);
+ str = fheader("DSAkey", id, hostname);
pkey = EVP_PKEY_new();
EVP_PKEY_assign_DSA(pkey, dsa);
PEM_write_PrivateKey(str, pkey, EVP_des_cbc(), NULL, 0, NULL,
- passwd2);
+ passwd1);
fclose(str);
if (debug)
DSA_print_fp(stderr, dsa, 0);
- fslink(id, hostname);
return (pkey);
}
/*
- * Generate Schnorr (IFF) parameters and keys
+ ***********************************************************************
+ * *
+ * The following routines implement the Schnorr (IFF) identity scheme *
+ * *
+ ***********************************************************************
*
- * The Schnorr (IFF)identity scheme is intended for use when
+ * The Schnorr (IFF) identity scheme is intended for use when
* certificates are generated by some other trusted certificate
- * authority and the parameters cannot be conveyed in the certificate
- * itself. For this purpose, new generations of IFF values must be
- * securely transmitted to all members of the group before use. There
- * are two kinds of files: server/client files that include private and
- * public parameters and client files that include only public
- * parameters. The scheme is self contained and independent of new
- * generations of host keys, sign keys and certificates.
+ * authority and the certificate cannot be used to convey public
+ * parameters. There are two kinds of files: encrypted server files that
+ * contain private and public values and nonencrypted client files that
+ * contain only public values. New generations of server files must be
+ * securely transmitted to all servers of the group; client files can be
+ * distributed by any means. The scheme is self contained and
+ * independent of new generations of host keys, sign keys and
+ * certificates.
*
* The IFF values hide in a DSA cuckoo structure which uses the same
* parameters. The values are used by an identity scheme based on DSA
* cryptography and described in Stimson p. 285. The p is a 512-bit
* prime, g a generator of Zp* and q a 160-bit prime that divides p - 1
* and is a qth root of 1 mod p; that is, g^q = 1 mod p. The TA rolls a
- * private random group key b (0 < b < q), then computes public
- * v = g^(q - a). All values except the group key are known to all group
- * members; the group key is known to the group servers, but not the
- * group clients. Alice challenges Bob to confirm identity using the
- * protocol described below.
+ * private random group key b (0 < b < q) and public key v = g^b, then
+ * sends (p, q, g, b) to the servers and (p, q, g, v) to the clients.
+ * Alice challenges Bob to confirm identity using the protocol described
+ * below.
+ *
+ * How it works
+ *
+ * The scheme goes like this. Both Alice and Bob have the public primes
+ * p, q and generator g. The TA gives private key b to Bob and public
+ * key v to Alice.
+ *
+ * Alice rolls new random challenge r (o < r < q) and sends to Bob in
+ * the IFF request message. Bob rolls new random k (0 < k < q), then
+ * computes y = k + b r mod q and x = g^k mod p and sends (y, hash(x))
+ * to Alice in the response message. Besides making the response
+ * shorter, the hash makes it effectivey impossible for an intruder to
+ * solve for b by observing a number of these messages.
+ *
+ * Alice receives the response and computes g^y v^r mod p. After a bit
+ * of algebra, this simplifies to g^k. If the hash of this result
+ * matches hash(x), Alice knows that Bob has the group key b. The signed
+ * response binds this knowledge to Bob's private key and the public key
+ * previously received in his certificate.
*/
/*
* Generate Schnorr (IFF) keys.
/*
* Generate the private and public keys. The DSA parameters and
- * these keys are distributed to all members of the group.
+ * private key are distributed to the servers, while all except
+ * the private key are distributed to the clients.
*/
b = BN_new(); r = BN_new(); k = BN_new();
u = BN_new(); v = BN_new(); w = BN_new(); ctx = BN_CTX_new();
/*
* Here is a trial round of the protocol. First, Alice rolls
- * random r (0 < r < q) and sends it to Bob. She needs only
- * modulus q.
+ * random nonce r mod q and sends it to Bob. She needs only
+ * q from parameters.
*/
BN_rand(r, BN_num_bits(dsa->q), -1, 0); /* r */
BN_mod(r, r, dsa->q, ctx);
/*
- * Bob rolls random k (0 < k < q), computes y = k + b r mod q
+ * Bob rolls random nonce k mod q, computes y = k + b r mod q
* and x = g^k mod p, then sends (y, x) to Alice. He needs
- * moduli p, q and the group key b.
+ * p, q and b from parameters and r from Alice.
*/
BN_rand(k, BN_num_bits(dsa->q), -1, 0); /* k, 0 < k < q */
BN_mod(k, k, dsa->q, ctx);
BN_mod_exp(u, dsa->g, k, dsa->p, ctx); /* x = g^k mod p */
/*
- * Alice computes g^y v^r and verifies the result is equal to x.
- * She needs modulus p, generator g, and the public key v, as
- * well as her original r.
+ * Alice verifies x = g^y v^r to confirm that Bob has group key
+ * b. She needs p, q, g from parameters, (y, x) from Bob and the
+ * original r. We omit the detail here thatt only the hash of y
+ * is sent.
*/
BN_mod_exp(v, dsa->g, v, dsa->p, ctx); /* g^y mod p */
BN_mod_exp(w, dsa->pub_key, r, dsa->p, ctx); /* v^r */
* kinv not used
* r not used
*/
- str = fheader("IFFkey", trustname);
+ str = fheader("IFFkey", id, groupname);
pkey = EVP_PKEY_new();
EVP_PKEY_assign_DSA(pkey, dsa);
PEM_write_PrivateKey(str, pkey, EVP_des_cbc(), NULL, 0, NULL,
- passwd2);
+ passwd1);
fclose(str);
if (debug)
DSA_print_fp(stderr, dsa, 0);
- fslink(id, trustname);
return (pkey);
}
+
/*
- * Generate Guillou-Quisquater (GQ) parameters and keys
+ ***********************************************************************
+ * *
+ * The following routines implement the Guillou-Quisquater (GQ) *
+ * identity scheme *
+ * *
+ ***********************************************************************
*
* The Guillou-Quisquater (GQ) identity scheme is intended for use when
- * the parameters, keys and certificates are generated by this program.
- * The scheme uses a certificate extension field do convey the public
- * key of a particular group identified by a group key known only to
- * members of the group. The scheme is self contained and independent of
- * new generations of host keys and sign keys.
+ * the certificate can be used to convey public parameters. The scheme
+ * uses a X509v3 certificate extension field do convey the public key of
+ * a private key known only to servers. There are two kinds of files:
+ * encrypted server files that contain private and public values and
+ * nonencrypted client files that contain only public values. New
+ * generations of server files must be securely transmitted to all
+ * servers of the group; client files can be distributed by any means.
+ * The scheme is self contained and independent of new generations of
+ * host keys and sign keys. The scheme is self contained and independent
+ * of new generations of host keys and sign keys.
*
* The GQ parameters hide in a RSA cuckoo structure which uses the same
* parameters. The values are used by an identity scheme based on RSA
* The TA rolls private random group key b as RSA exponent. These values
* are known to all group members.
*
- * When rolling new certificates, a member recomputes the private and
+ * When rolling new certificates, a server recomputes the private and
* public keys. The private key u is a random roll, while the public key
* is the inverse obscured by the group key v = (u^-1)^b. These values
* replace the private and public keys normally generated by the RSA
* scheme. Alice challenges Bob to confirm identity using the protocol
* described below.
+ *
+ * How it works
+ *
+ * The scheme goes like this. Both Alice and Bob have the same modulus n
+ * and some random b as the group key. These values are computed and
+ * distributed in advance via secret means, although only the group key
+ * b is truly secret. Each has a private random private key u and public
+ * key (u^-1)^b, although not necessarily the same ones. Bob and Alice
+ * can regenerate the key pair from time to time without affecting
+ * operations. The public key is conveyed on the certificate in an
+ * extension field; the private key is never revealed.
+ *
+ * Alice rolls new random challenge r and sends to Bob in the GQ
+ * request message. Bob rolls new random k, then computes y = k u^r mod
+ * n and x = k^b mod n and sends (y, hash(x)) to Alice in the response
+ * message. Besides making the response shorter, the hash makes it
+ * effectivey impossible for an intruder to solve for b by observing
+ * a number of these messages.
+ *
+ * Alice receives the response and computes y^b v^r mod n. After a bit
+ * of algebra, this simplifies to k^b. If the hash of this result
+ * matches hash(x), Alice knows that Bob has the group key b. The signed
+ * response binds this knowledge to Bob's private key and the public key
+ * previously received in his certificate.
*/
/*
* Generate Guillou-Quisquater (GQ) parameters file.
/*
* When generating his certificate, Bob rolls random private key
- * u.
+ * u, then computes inverse v = u^-1.
*/
BN_rand(u, BN_num_bits(rsa->n), -1, 0); /* u */
BN_mod(u, u, rsa->n, ctx);
/*
* Here is a trial run of the protocol. First, Alice rolls
- * random r (0 < r < n) and sends it to Bob. She needs only
- * modulus n from the parameters.
+ * random nonce r mod n and sends it to Bob. She needs only n
+ * from parameters.
*/
BN_rand(r, BN_num_bits(rsa->n), -1, 0); /* r */
BN_mod(r, r, rsa->n, ctx);
/*
- * Bob rolls random k (0 < k < n), computes y = k u^r mod n and
- * g = k^b mod n, then sends (y, g) to Alice. He needs modulus n
- * from the parameters and his private key u.
+ * Bob rolls random nonce k mod n, computes y = k u^r mod n and
+ * g = k^b mod n, then sends (y, g) to Alice. He needs n, u, b
+ * from parameters and r from Alice.
*/
BN_rand(k, BN_num_bits(rsa->n), -1, 0); /* k */
BN_mod(k, k, rsa->n, ctx);
BN_mod_exp(y, rsa->p, r, rsa->n, ctx); /* u^r mod n */
BN_mod_mul(y, k, y, rsa->n, ctx); /* y = k u^r mod n */
- BN_mod_exp(g, k, rsa->e, rsa->n, ctx); /* g = k^b mod n */
+ BN_mod_exp(g, k, rsa->e, rsa->n, ctx); /* g = k^b mod n */
/*
- * Alice computes v^r y^b mod n and verifies the result is equal
- * to g. She needs modulus n, generator g and group key b from
- * the parameters and Bob's public key v = (u^-1)^b from his
- * certificate.
+ * Alice verifies g = v^r y^b mod n to confirm that Bob has
+ * private key u. She needs n, g from parameters, public key v =
+ * (u^-1)^b from the certificate, (y, g) from Bob and the
+ * original r. We omit the detaul here that only the hash of g
+ * is sent.
*/
BN_mod_exp(v, rsa->q, r, rsa->n, ctx); /* v^r mod n */
BN_mod_exp(y, y, rsa->e, rsa->n, ctx); /* y^b mod n */
BN_copy(rsa->dmp1, BN_value_one());
BN_copy(rsa->dmq1, BN_value_one());
BN_copy(rsa->iqmp, BN_value_one());
- str = fheader("GQkey", trustname);
+ str = fheader("GQkey", id, groupname);
pkey = EVP_PKEY_new();
EVP_PKEY_assign_RSA(pkey, rsa);
PEM_write_PrivateKey(str, pkey, EVP_des_cbc(), NULL, 0, NULL,
- passwd2);
+ passwd1);
fclose(str);
if (debug)
RSA_print_fp(stderr, rsa, 0);
- fslink(id, trustname);
return (pkey);
}
/*
- * Generate Mu-Varadharajan (MV) parameters and keys
+ ***********************************************************************
+ * *
+ * The following routines implement the Mu-Varadharajan (MV) identity *
+ * scheme *
+ * *
+ ***********************************************************************
*
- * The Mu-Varadharajan (MV) cryptosystem is useful when servers
- * broadcast messages to clients, but clients never send messages to
- * servers. There is one encryption key for the server and a separate
- * decryption key for each client. It operates something like a
+ * The Mu-Varadharajan (MV) cryptosystem was originally intended when
+ * servers broadcast messages to clients, but clients never send
+ * messages to servers. There is one encryption key for the server and a
+ * separate decryption key for each client. It operated something like a
* pay-per-view satellite broadcasting system where the session key is
* encrypted by the broadcaster and the decryption keys are held in a
- * tamperproof set-top box. We don't use it this way, but read on.
+ * tamperproof set-top box.
*
* The MV parameters and private encryption key hide in a DSA cuckoo
* structure which uses the same parameters, but generated in a
* Varadharajan: Robust and Secure Broadcasting, Proc. Indocrypt 2001,
* 223-231. The paper has significant errors and serious omissions.
*
- * Let q be the product of n distinct primes s'[j] (j = 1...n), where
- * each s'[j] has m significant bits. Let p be a prime p = 2 * q + 1, so
- * that q and each s'[j] divide p - 1 and p has M = n * m + 1
+ * Let q be the product of n distinct primes s1[j] (j = 1...n), where
+ * each s1[j] has m significant bits. Let p be a prime p = 2 * q + 1, so
+ * that q and each s1[j] divide p - 1 and p has M = n * m + 1
* significant bits. Let g be a generator of Zp; that is, gcd(g, p - 1)
* = 1 and g^q = 1 mod p. We do modular arithmetic over Zq and then
* project into Zp* as exponents of g. Sometimes we have to compute an
* inverse b^-1 of random b in Zq, but for that purpose we require
* gcd(b, q) = 1. We expect M to be in the 500-bit range and n
- * relatively small, like 30. Associated with each s'[j] is an element
- * s[j] such that s[j] s'[j] = s'[j] mod q. We find s[j] as the quotient
- * (q + s'[j]) / s'[j]. These are the parameters of the scheme and they
- * are expensive to compute.
+ * relatively small, like 30. These are the parameters of the scheme and
+ * they are expensive to compute.
*
* We set up an instance of the scheme as follows. A set of random
* values x[j] mod q (j = 1...n), are generated as the zeros of a
* pairs (xbar[j], xhat[j]) (j = 1...n) of private client keys are used
* to construct the decryption keys. The devil is in the details.
*
- * This routine generates a private encryption file including the
- * private encryption key E and public key (gbar, ghat). It then
- * generates decryption files including the private key (xbar[j],
- * xhat[j]) for each client. E is a permutation that encrypts a block
- * y = E x. The jth client computes the inverse permutation E^-1 =
- * gbar^xhat[j] ghat^xbar[j] and decrypts the block x = E^-1 y.
+ * This routine generates a private server encryption file including the
+ * private encryption key E and partial decryption keys gbar and ghat.
+ * It then generates public client decryption files including the public
+ * keys xbar[j] and xhat[j] for each client j. The partial decryption
+ * files are used to compute the inverse of E. These values are suitably
+ * blinded so secrets are not revealed.
*
* The distinguishing characteristic of this scheme is the capability to
* revoke keys. Included in the calculation of E, gbar and ghat is the
- * product s = prod(s'[j]) (j = 1...n) above. If the factor s'[j] is
+ * product s = prod(s1[j]) (j = 1...n) above. If the factor s1[j] is
* subsequently removed from the product and E, gbar and ghat
* recomputed, the jth client will no longer be able to compute E^-1 and
- * thus unable to decrypt the block.
+ * thus unable to decrypt the messageblock.
+ *
+ * How it works
+ *
+ * The scheme goes like this. Bob has the server values (p, E, q, gbar,
+ * ghat) and Alice has the client values (p, xbar, xhat).
+ *
+ * Alice rolls new random nonce r mod p and sends to Bob in the MV
+ * request message. Bob rolls random nonce k mod q, encrypts y = r E^k
+ * mod p and sends (y, gbar^k, ghat^k) to Alice.
+ *
+ * Alice receives the response and computes the inverse (E^k)^-1 from
+ * the partial decryption keys gbar^k, ghat^k, xbar and xhat. She then
+ * decrypts y and verifies it matches the original r. The signed
+ * response binds this knowledge to Bob's private key and the public key
+ * previously received in his certificate.
*/
EVP_PKEY * /* DSA cuckoo nest */
-gen_mv(
- char *id /* file name id */
+gen_mvkey(
+ char *id, /* file name id */
+ EVP_PKEY **evpars /* parameter list pointer */
)
{
- EVP_PKEY *pkey, *pkey1; /* private key */
- DSA *dsa; /* DSA parameters */
- DSA *sdsa; /* DSA parameters */
+ EVP_PKEY *pkey, *pkey1; /* private keys */
+ DSA *dsa, *dsa2, *sdsa; /* DSA parameters */
BN_CTX *ctx; /* BN working space */
- BIGNUM **x; /* polynomial zeros vector */
- BIGNUM **a; /* polynomial coefficient vector */
- BIGNUM **g; /* public key vector */
- BIGNUM **s, **s1; /* private enabling keys */
- BIGNUM **xbar, **xhat; /* private keys vector */
+ BIGNUM *a[MVMAX]; /* polynomial coefficient vector */
+ BIGNUM *g[MVMAX];; /* public key vector */
+ BIGNUM *s1[MVMAX]; /* private enabling keys */
+ BIGNUM *x[MVMAX]; /* polynomial zeros vector */
+ BIGNUM *xbar[MVMAX], *xhat[MVMAX]; /* private keys vector */
BIGNUM *b; /* group key */
BIGNUM *b1; /* inverse group key */
- BIGNUM *ss; /* enabling key */
+ BIGNUM *s; /* enabling key */
BIGNUM *biga; /* master encryption key */
BIGNUM *bige; /* session encryption key */
BIGNUM *gbar, *ghat; /* public key */
int i, j, n;
FILE *str;
u_int temp;
- char ident[20];
/*
* Generate MV parameters.
*
* The object is to generate a multiplicative group Zp* modulo a
* prime p and a subset Zq mod q, where q is the product of n
- * distinct primes s'[j] (j = 1...n) and q divides p - 1. We
- * first generate n distinct primes, which may have to be
- * regenerated later. As a practical matter, it is tough to find
- * more than 31 distinct primes for modulus 512 or 61 primes for
- * modulus 1024. The latter can take several hundred iterations
+ * distinct primes s1[j] (j = 1...n) and q divides p - 1. We
+ * first generate n m-bit primes, where the product n m is in
+ * the order of 512 bits. One or more of these may have to be
+ * replaced later. As a practical matter, it is tough to find
+ * more than 31 distinct primes for 512 bits or 61 primes for
+ * 1024 bits. The latter can take several hundred iterations
* and several minutes on a Sun Blade 1000.
*/
n = nkeys;
ctx = BN_CTX_new(); u = BN_new(); v = BN_new(); w = BN_new();
b = BN_new(); b1 = BN_new();
dsa = DSA_new();
- dsa->p = BN_new();
- dsa->q = BN_new();
- dsa->g = BN_new();
- s = malloc((n + 1) * sizeof(BIGNUM *));
- s1 = malloc((n + 1) * sizeof(BIGNUM *));
- for (j = 1; j <= n; j++)
- s1[j] = BN_new();
+ dsa->p = BN_new(); dsa->q = BN_new(); dsa->g = BN_new();
+ dsa->priv_key = BN_new(); dsa->pub_key = BN_new();
temp = 0;
for (j = 1; j <= n; j++) {
+ s1[j] = BN_new();
while (1) {
- fprintf(stderr, "Birthdays %d\r", temp);
BN_generate_prime(s1[j], modulus / n, 0, NULL,
NULL, NULL, NULL);
for (i = 1; i < j; i++) {
temp++;
}
}
- fprintf(stderr, "Birthday keys rejected %d\n", temp);
+ fprintf(stderr, "Birthday keys regenerated %d\n", temp);
/*
* Compute the modulus q as the product of the primes. Compute
* the modulus p as 2 * q + 1 and test p for primality. If p
* is composite, replace one of the primes with a new distinct
* one and try again. Note that q will hardly be a secret since
- * we have to reveal p to servers and clients. However,
+ * we have to reveal p to servers, but not clients. However,
* factoring q to find the primes should be adequately hard, as
* this is the same problem considered hard in RSA. Question: is
* it as hard to find n small prime factors totalling n bits as
*/
temp = 0;
while (1) {
- fprintf(stderr, "Duplicate keys rejected %d\n", ++temp);
BN_one(dsa->q);
for (j = 1; j <= n; j++)
BN_mul(dsa->q, dsa->q, s1[j], ctx);
NULL))
break;
+ temp++;
j = temp % n + 1;
while (1) {
BN_generate_prime(u, modulus / n, 0, 0, NULL,
}
BN_copy(s1[j], u);
}
- fprintf(stderr, "Duplicate keys rejected %d\n", temp);
+ fprintf(stderr, "Defective keys regenerated %d\n", temp);
/*
* Compute the generator g using a random roll such that
* gcd(g, p - 1) = 1 and g^q = 1. This is a generator of p, not
- * q.
+ * q. This may take several iterations.
*/
BN_copy(v, dsa->p);
BN_sub_word(v, 1);
break;
}
- /*
- * Compute s[j] such that s[j] * s'[j] = s'[j] for all j. The
- * easy way to do this is to compute q + s'[j] and divide the
- * result by s'[j]. Exercise for the student: prove the
- * remainder is always zero.
- */
- for (j = 1; j <= n; j++) {
- s[j] = BN_new();
- BN_add(s[j], dsa->q, s1[j]);
- BN_div(s[j], u, s[j], s1[j], ctx);
- }
-
/*
* Setup is now complete. Roll random polynomial roots x[j]
- * (0 < x[j] < q) for all j. While it may not be strictly
+ * (j = 1...n) for all j. While it may not be strictly
* necessary, Make sure each root has no factors in common with
* q.
*/
fprintf(stderr,
"Generating polynomial coefficients for %d roots (%d bits)\n",
n, BN_num_bits(dsa->q));
- x = malloc((n + 1) * sizeof(BIGNUM *));
for (j = 1; j <= n; j++) {
x[j] = BN_new();
+
while (1) {
BN_rand(x[j], BN_num_bits(dsa->q), 0, 0);
BN_mod(x[j], x[j], dsa->q, ctx);
* expansion of root products (x - x[j]) mod q for all j. The
* method is a present from Charlie Boncelet.
*/
- a = malloc((n + 1) * sizeof(BIGNUM *));
for (i = 0; i <= n; i++) {
a[i] = BN_new();
+
BN_one(a[i]);
}
for (j = 1; j <= n; j++) {
/*
* Generate g[i] = g^a[i] mod p for all i and the generator g.
*/
- fprintf(stderr, "Generating g[i] parameters\n");
- g = malloc((n + 1) * sizeof(BIGNUM *));
for (i = 0; i <= n; i++) {
g[i] = BN_new();
+
BN_mod_exp(g[i], dsa->g, a[i], dsa->p, ctx);
}
/*
- * Verify prod(g[i]^(a[i] x[j]^i)) = 1 for all i, j; otherwise,
- * exit. Note the a[i] x[j]^i exponent is computed mod q, but
- * the g[i] is computed mod p. also note the expression given in
- * the paper is incorrect.
+ * Verify prod(g[i]^(a[i] x[j]^i)) = 1 for all i, j. Note the
+ * a[i] x[j]^i exponent is computed mod q, but the g[i] is
+ * computed mod p. also note the expression given in the paper
+ * is incorrect.
*/
temp = 1;
for (j = 1; j <= n; j++) {
* since it is expensive to compute.
*/
biga = BN_new();
+
BN_one(biga);
for (j = 1; j <= n; j++) {
for (i = 0; i < n; i++) {
/*
* Roll private random group key b mod q (0 < b < q), where
- * gcd(b, q) = 1 to guarantee b^1 exists, then compute b^-1
+ * gcd(b, q) = 1 to guarantee b^-1 exists, then compute b^-1
* mod q. If b is changed, the client keys must be recomputed.
*/
while (1) {
/*
* Make private client keys (xbar[j], xhat[j]) for all j. Note
- * that the keys for the jth client involve s[j], but not s'[j]
- * or the product s = prod(s'[j]) mod q, which is the enabling
- * key.
+ * that the keys for the jth client do not s1[j] or the product
+ * s1[j]) (j = 1...n) which is q by construction.
+ *
+ * Compute the factor w such that w s1[j] = s1[j] for all j. The
+ * easy way to do this is to compute (q + s1[j]) / s1[j].
+ * Exercise for the student: prove the remainder is always zero.
*/
- xbar = malloc((n + 1) * sizeof(BIGNUM *));
- xhat = malloc((n + 1) * sizeof(BIGNUM *));
for (j = 1; j <= n; j++) {
xbar[j] = BN_new(); xhat[j] = BN_new();
+
+ BN_add(w, dsa->q, s1[j]);
+ BN_div(w, u, w, s1[j], ctx);
BN_zero(xbar[j]);
BN_set_word(v, n);
for (i = 1; i <= n; i++) {
}
BN_mod_mul(xbar[j], xbar[j], b1, dsa->q, ctx);
BN_mod_exp(xhat[j], x[j], v, dsa->q, ctx);
- BN_mod_mul(xhat[j], xhat[j], s[j], dsa->q, ctx);
+ BN_mod_mul(xhat[j], xhat[j], w, dsa->q, ctx);
}
/*
- * The enabling key is initially q by construction. We can
- * revoke client j by dividing q by s'[j]. The quotient becomes
- * the enabling key s. Note we always have to revoke one key;
- * otherwise, the plaintext and cryptotext would be identical.
+ * We revoke client j by dividing q by s1[j]. The quotient
+ * becomes the enabling key s. Note we always have to revoke
+ * one key; otherwise, the plaintext and cryptotext would be
+ * identical. For the present there are no provisions to revoke
+ * additional keys, so we sail on with only token revocations.
*/
- ss = BN_new();
- BN_copy(ss, dsa->q);
- BN_div(ss, u, dsa->q, s1[n], ctx);
+ s = BN_new();
+
+ BN_copy(s, dsa->q);
+ BN_div(s, u, s, s1[10], ctx);
+ BN_div(s, u, s, s1[n], ctx);
/*
- * Make private server encryption key E = A^s and public server
- * keys gbar = g^s mod p and ghat = g^(s b) mod p. The (gbar,
- * ghat) is the public key provided to the server, which uses it
- * to compute the session encryption key and public key included
- * in its messages. These values must be regenerated if the
- * enabling key is changed.
+ * For each combination of clients to be revoked, make private
+ * encryption key E = A^s and partial decryption keys gbar = g^s
+ * and ghat = g^(s b), all mod p. The servers use these keys to
+ * compute the session encryption key and partial decryption
+ * keys. These values must be regenerated if the enabling key is
+ * changed.
*/
bige = BN_new(); gbar = BN_new(); ghat = BN_new();
- BN_mod_exp(bige, biga, ss, dsa->p, ctx);
- BN_mod_exp(gbar, dsa->g, ss, dsa->p, ctx);
- BN_mod_mul(v, ss, b, dsa->q, ctx);
- BN_mod_exp(ghat, dsa->g, v, dsa->p, ctx);
+ BN_mod_exp(bige, biga, s, dsa->p, ctx);
+ BN_mod_exp(gbar, dsa->g, s, dsa->p, ctx);
+ BN_mod_mul(v, s, b, dsa->q, ctx);
+ BN_mod_exp(ghat, dsa->g, v, dsa->p, ctx);
+
/*
- * We produce the key media in three steps. The first step is to
- * generate the private values that do not depend on the
- * enabling key. These include the server values p, q, g, b, A
- * and the client values s'[j], xbar[j] and xhat[j] for each j.
- * The p, xbar[j] and xhat[j] values are encoded in private
- * files which are distributed to respective clients. The p, q,
- * g, A and s'[j] values (will be) written to a secret file to
- * be read back later.
- *
- * The secret file (will be) read back at some later time to
- * enable/disable individual keys and generate/regenerate the
- * enabling key s. The p, q, E, gbar and ghat values are written
- * to a secret file to be read back later by the server.
+ * Notes: We produce the key media in three steps. The first
+ * step is to generate the system parameters p, q, g, b, A and
+ * the enabling keys s1[j]. Associated with each s1[j] are
+ * parameters xbar[j] and xhat[j]. All of these parameters are
+ * retained in a data structure protecteted by the trusted-agent
+ * password. The p, xbar[j] and xhat[j] paremeters are
+ * distributed to the j clients. When the client keys are to be
+ * activated, the enabled keys are multipied together to form
+ * the master enabling key s. This and the other parameters are
+ * used to compute the server encryption key E and the partial
+ * decryption keys gbar and ghat.
*
- * The server reads the secret file and rolls the session key
- * k, which is used only once, then computes E^k, gbar^k and
- * ghat^k. The E^k is the session encryption key. The encrypted
- * data, gbar^k and ghat^k are transmtted to clients in an
- * extension field. The client receives the message and computes
- * x = (gbar^k)^xbar[j] (ghat^k)^xhat[j], finds the session
- * encryption key E^k as the inverse x^-1 and decrypts the data.
+ * In the identity exchange the client rolls random r and sends
+ * it to the server. The server rolls random k, which is used
+ * only once, then computes the session key E^k and partial
+ * decryption keys gbar^k and ghat^k. The server sends the
+ * encrypted r along with gbar^k and ghat^k to the client. The
+ * client completes the decryption and verifies it matches r.
*/
- BN_copy(dsa->g, bige);
- dsa->priv_key = BN_dup(gbar);
- dsa->pub_key = BN_dup(ghat);
-
/*
- * Write the MV server parameters and keys as a DSA private key
- * encoded in PEM.
+ * Write the MV trusted-agent parameters and keys as a DSA
+ * private key encoded in PEM.
*
* p modulus p
- * q modulus q (used only to generate k)
- * g E mod p
- * priv_key gbar mod p
- * pub_key ghat mod p
+ * q modulus q
+ * g generator g
+ * priv_key A mod p
+ * pub_key b mod q
+ * (remaining values are not used)
*/
- str = fheader("MVpar", trustname);
+ i = 0;
+ str = fheader("MVta", "mvta", groupname);
+ fprintf(stderr, "Generating MV trusted-authority keys\n");
+ BN_copy(dsa->priv_key, biga);
+ BN_copy(dsa->pub_key, b);
pkey = EVP_PKEY_new();
EVP_PKEY_assign_DSA(pkey, dsa);
PEM_write_PrivateKey(str, pkey, EVP_des_cbc(), NULL, 0, NULL,
- passwd2);
- fclose(str);
+ passwd1);
+ evpars[i++] = pkey;
if (debug)
DSA_print_fp(stderr, dsa, 0);
- fslink(id, trustname);
/*
- * Write the parameters and private key (xbar[j], xhat[j]) for
- * all j as a DSA private key encoded in PEM. It is used only by
- * the designated recipient(s) who pay a suitably outrageous fee
- * for its use.
+ * Append the MV server parameters and keys as a DSA key encoded
+ * in PEM.
+ *
+ * p modulus p
+ * q modulus q (used only when generating k)
+ * g bige
+ * priv_key gbar
+ * pub_key ghat
+ * (remaining values are not used)
+ */
+ fprintf(stderr, "Generating MV server keys\n");
+ dsa2 = DSA_new();
+ dsa2->p = BN_dup(dsa->p);
+ dsa2->q = BN_dup(dsa->q);
+ dsa2->g = BN_dup(bige);
+ dsa2->priv_key = BN_dup(gbar);
+ dsa2->pub_key = BN_dup(ghat);
+ pkey1 = EVP_PKEY_new();
+ EVP_PKEY_assign_DSA(pkey1, dsa2);
+ PEM_write_PrivateKey(str, pkey1, EVP_des_cbc(), NULL, 0, NULL,
+ passwd1);
+ evpars[i++] = pkey1;
+ if (debug)
+ DSA_print_fp(stderr, dsa2, 0);
+
+ /*
+ * Append the MV client parameters for each client j as DSA keys
+ * encoded in PEM.
+ *
+ * p modulus p
+ * priv_key xbar[j] mod q
+ * pub_key xhat[j] mod q
+ * (remaining values are not used)
*/
- sdsa = DSA_new();
- sdsa->p = BN_dup(dsa->p);
- sdsa->q = BN_dup(BN_value_one());
- sdsa->g = BN_dup(BN_value_one());
- sdsa->priv_key = BN_new();
- sdsa->pub_key = BN_new();
+ fprintf(stderr, "Generating %d MV client keys\n", n);
for (j = 1; j <= n; j++) {
- BN_copy(sdsa->priv_key, xbar[j]);
- BN_copy(sdsa->pub_key, xhat[j]);
- BN_mod_exp(v, dsa->priv_key, sdsa->pub_key, dsa->p,
+ sdsa = DSA_new();
+
+ sdsa->p = BN_dup(dsa->p);
+ sdsa->q = BN_dup(BN_value_one());
+ sdsa->g = BN_dup(BN_value_one());
+ sdsa->priv_key = BN_dup(xbar[j]);
+ sdsa->pub_key = BN_dup(xhat[j]);
+ pkey1 = EVP_PKEY_new();
+ EVP_PKEY_set1_DSA(pkey1, sdsa);
+ PEM_write_PrivateKey(str, pkey1, EVP_des_cbc(), NULL, 0,
+ NULL, passwd1);
+ evpars[i++] = pkey1;
+ if (debug)
+ DSA_print_fp(stderr, sdsa, 0);
+
+ /*
+ * The product gbar^k)^xbar[j] (ghat^k)^xhat[j] and E
+ * are inverses of each other. We check that the product
+ * is one for each client except the ones that have been
+ * revoked.
+ */
+ BN_mod_exp(v, dsa2->priv_key, sdsa->pub_key, dsa->p,
ctx);
- BN_mod_exp(u, dsa->pub_key, sdsa->priv_key, dsa->p,
+ BN_mod_exp(u, dsa2->pub_key, sdsa->priv_key, dsa->p,
ctx);
BN_mod_mul(u, u, v, dsa->p, ctx);
- BN_mod_mul(u, u, dsa->g, dsa->p, ctx);
- BN_free(xbar[j]); BN_free(xhat[j]);
- BN_free(x[j]); BN_free(s[j]); BN_free(s1[j]);
+ BN_mod_mul(u, u, bige, dsa->p, ctx);
if (!BN_is_one(u)) {
fprintf(stderr, "Revoke key %d\n", j);
continue;
}
-
- /*
- * Write the client parameters as a DSA private key
- * encoded in PEM. We don't make links for these.
- *
- * p modulus p
- * priv_key xbar[j] mod q
- * pub_key xhat[j] mod q
- * (remaining values are not used)
- */
- sprintf(ident, "MVkey%d", j);
- str = fheader(ident, trustname);
- pkey1 = EVP_PKEY_new();
- EVP_PKEY_set1_DSA(pkey1, sdsa);
- PEM_write_PrivateKey(str, pkey1, EVP_des_cbc(), NULL, 0,
- NULL, passwd2);
- fclose(str);
- fprintf(stderr, "ntpkey_%s_%s.%lu\n", ident, trustname,
- epoch + JAN_1970);
- if (debug)
- DSA_print_fp(stderr, sdsa, 0);
- EVP_PKEY_free(pkey1);
}
+ evpars[i++] = NULL;
+ fclose(str);
/*
* Free the countries.
*/
for (i = 0; i <= n; i++) {
- BN_free(a[i]);
- BN_free(g[i]);
+ BN_free(a[i]); BN_free(g[i]);
+ }
+ for (j = 1; j <= n; j++) {
+ BN_free(x[j]); BN_free(xbar[j]); BN_free(xhat[j]);
+ BN_free(s1[j]);
}
- BN_free(u); BN_free(v); BN_free(w); BN_CTX_free(ctx);
- BN_free(b); BN_free(b1); BN_free(biga); BN_free(bige);
- BN_free(ss); BN_free(gbar); BN_free(ghat);
- DSA_free(sdsa);
-
- /*
- * Free the world.
- */
- free(x); free(a); free(g); free(s); free(s1);
- free(xbar); free(xhat);
return (pkey);
}
EVP_PKEY *pkey, /* generic signature algorithm */
const EVP_MD *md, /* generic digest algorithm */
char *gqpub, /* identity extension (hex string) */
- char *exten /* private cert extension */
+ char *exten, /* private cert extension */
+ char *name /* subject/issuer namd */
)
{
X509 *cert; /* X509 certificate */
* Generate X509 self-signed certificate.
*
* Set the certificate serial to the NTP seconds for grins. Set
- * the version to 3. Set the subject name and issuer name to the
- * subject name in the request. Set the initial validity to the
- * current time and the final validity one year hence.
+ * the version to 3. Set the initial validity to the current
+ * time and the finalvalidity one year hence.
*/
- id = OBJ_nid2sn(md->pkey_type);
- fprintf(stderr, "Generating certificate %s\n", id);
+ id = OBJ_nid2sn(md->pkey_type);
+ fprintf(stderr, "Generating new certificate %s %s\n", name, id);
cert = X509_new();
X509_set_version(cert, 2L);
serial = ASN1_INTEGER_new();
X509_time_adj(X509_get_notAfter(cert), YEAR, &epoch);
subj = X509_get_subject_name(cert);
X509_NAME_add_entry_by_txt(subj, "commonName", MBSTRING_ASC,
- (unsigned char *) hostname, strlen(hostname), -1, 0);
+ (unsigned char *) name, strlen(name), -1, 0);
subj = X509_get_issuer_name(cert);
X509_NAME_add_entry_by_txt(subj, "commonName", MBSTRING_ASC,
- (unsigned char *) hostname, strlen(hostname), -1, 0);
+ (unsigned char *) name, strlen(name), -1, 0);
if (!X509_set_pubkey(cert, pkey)) {
fprintf(stderr, "Assign key fails\n%s\n",
ERR_error_string(ERR_get_error(), NULL));
* Write the certificate encoded in PEM.
*/
sprintf(pathbuf, "%scert", id);
- str = fheader(pathbuf, hostname);
+ str = fheader(pathbuf, "cert", hostname);
PEM_write_X509(str, cert);
fclose(str);
if (debug)
X509_print_fp(stderr, cert);
X509_free(cert);
- fslink("cert", hostname);
return (1);
}
-#if 0 /* asn2ntp is not used */
+#if 0 /* asn2ntp is used only with commercial certificates */
/*
* asn2ntp - convert ASN1_TIME time structure to NTP time
*/
/*
- * Generate file header
+ * Generate file header and link
*/
FILE *
fheader (
- const char *id, /* file name id */
- const char *name /* owner name */
+ const char *file, /* file name id */
+ const char *ulink, /* linkname */
+ const char *owner /* owner name */
)
{
FILE *str; /* file handle */
+ char linkname[MAXFILENAME]; /* link name */
+ int temp;
- sprintf(filename, "ntpkey_%s_%s.%lu", id, name, epoch +
+ sprintf(filename, "ntpkey_%s_%s.%lu", file, owner, epoch +
JAN_1970);
if ((str = fopen(filename, "w")) == NULL) {
perror("Write");
exit (-1);
}
- fprintf(str, "# %s\n# %s\n", filename, ctime(&epoch));
- return (str);
-}
-
-
-/*
- * Generate symbolic links
- */
-void
-fslink(
- const char *id, /* file name id */
- const char *name /* owner name */
- )
-{
- char linkname[MAXFILENAME]; /* link name */
- int temp;
-
- sprintf(linkname, "ntpkey_%s_%s", id, name);
+ sprintf(linkname, "ntpkey_%s_%s", ulink, owner);
remove(linkname);
temp = symlink(filename, linkname);
if (temp < 0)
- perror(id);
- fprintf(stderr, "Generating new %s file and link\n", id);
+ perror(file);
+ fprintf(stderr, "Generating new %s file and link\n", ulink);
fprintf(stderr, "%s->%s\n", linkname, filename);
+ fprintf(str, "# %s\n# %s\n", filename, ctime(&epoch));
+ return (str);
}
projects / thirdparty / ntp.git / commitdiff
