5 Author: Pekka Riikonen <priikone@silcnet.org>
7 Copyright (C) 2003 - 2008 Pekka Riikonen
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; version 2 of the License.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
20 #include "silccrypto.h"
22 #include "silcpkcs1_i.h"
24 /************************** PKCS #1 message format ***************************/
26 /* Minimum padding in block */
27 #define SILC_PKCS1_MIN_PADDING 8
29 /* Encodes PKCS#1 data block from the `data' according to the block type
30 indicated by `bt'. When encoding signatures the `bt' must be
31 SILC_PKCS1_BT_PRV1 and when encoding encryption blocks the `bt' must
32 be SILC_PKCS1_BT_PUB. The encoded data is copied into the `dest_data'
33 buffer which is size of `dest_data_size'. If the `dest_data' is not
34 able to hold the encoded block this returns FALSE. The `rng' must be
35 set when `bt' is SILC_PKCS1_BT_PUB. This function returns TRUE on
/* Builds a PKCS #1 v1.5 block into `dest_data': 0x00, `bt', padding,
   0x00 separator, then `data'.  Visible preconditions: both buffers
   non-NULL, `dest_data_size' at least SILC_PKCS1_MIN_PADDING + 3 and
   not shorter than `data_len', and the computed padding length not
   below SILC_PKCS1_MIN_PADDING.  NOTE(review): the `data_len' and `rng'
   parameters, the locals, dest_data[0] and the early returns are on
   lines not visible in this listing. */
38 SilcBool silc_pkcs1_encode(SilcPkcs1BlockType bt,
39 const unsigned char *data,
41 unsigned char *dest_data,
42 SilcUInt32 dest_data_size,
48 SILC_LOG_DEBUG(("PKCS#1 encoding, bt %d", bt));
/* Reject NULL buffers, destinations too small for header plus minimum
   padding, and destinations shorter than the payload itself. */
50 if (!data || !dest_data ||
51 dest_data_size < SILC_PKCS1_MIN_PADDING + 3 ||
52 dest_data_size < data_len) {
53 SILC_LOG_DEBUG(("Data to be encoded is too long"));
/* Block type byte; dest_data[0] is written on a line not shown here
   (presumably the leading 0x00 that silc_pkcs1_decode checks for). */
59 dest_data[1] = (unsigned char)bt;
/* Padding bytes available between the 2-byte header and the 0x00
   separator.  Signed arithmetic so that a destination that is too
   small yields a negative value and is rejected below instead of
   wrapping to a large unsigned length. */
61 padlen = (SilcInt32)dest_data_size - (SilcInt32)data_len - 3;
62 if (padlen < SILC_PKCS1_MIN_PADDING) {
63 SILC_LOG_DEBUG(("Data to be encoded is too long"));
67 /* Encode according to block type */
69 case SILC_PKCS1_BT_PRV0:
70 case SILC_PKCS1_BT_PRV1:
/* Signature blocks use deterministic padding (0xff for BT 1, 0x00 for
   BT 0) and fill all `padlen' bytes, dest_data[2 .. padlen+1]. */
72 memset(dest_data + 2, bt == SILC_PKCS1_BT_PRV1 ? 0xff : 0x00, padlen);
75 case SILC_PKCS1_BT_PUB:
78 SILC_LOG_ERROR(("Cannot encrypt: random number generator not provided"));
82 /* It is guaranteed this routine does not return zero byte. */
/* NOTE(review): this loop writes dest_data[2 .. padlen-1], i.e.
   padlen-2 bytes, whereas the PRV branch above fills padlen bytes.
   Unless a line not shown initializes them, dest_data[padlen] and
   dest_data[padlen+1] keep whatever the caller's buffer held (in
   silc_pkcs1_encrypt no initialization of `padded' is visible), and a
   0x00 there would be taken as the separator by the decoder.  Confirm;
   `for (i = 2; i < padlen + 2; i++)' would cover the whole padding.
   The non-zero guarantee above is a contract of silc_rng_get_byte_fast
   and is not checked here. */
83 for (i = 2; i < padlen; i++)
84 dest_data[i] = silc_rng_get_byte_fast(rng);
/* Separator and payload follow the padding. */
90 dest_data[padlen + 2] = 0x00;
91 memcpy(dest_data + padlen + 3, data, data_len);
96 /* Decodes the PKCS#1 encoded block according to the block type `bt'.
97 When verifying signatures the `bt' must be SILC_PKCS1_BT_PRV1 and
98 when decrypting it must be SILC_PKCS1_BT_PUB. This copies the
99 decoded data into `dest_data' which is size of `dest_data_size'. If
100 the decoded block does not fit in `dest_data' this returns FALSE.
101 Returns TRUE on success. */
/* Strips a PKCS #1 v1.5 block: checks the 0x00 / `bt' header, walks the
   padding to the 0x00 separator, enforces a minimum padding length and
   copies what follows into `dest_data', returning its length in
   *dest_len.  NOTE(review): the `data_len' parameter, the per-type
   padding loop bodies and the `return FALSE' statements are on lines
   not visible in this listing.
   NOTE(review): every failure returns early with its own log message.
   For SILC_PKCS1_BT_PUB (decryption) the caller must present all
   failures identically to the peer; PKCS #1 v1.5 unpadding whose
   outcome is observable is the classic padding-oracle condition. */
103 SilcBool silc_pkcs1_decode(SilcPkcs1BlockType bt,
104 const unsigned char *data,
106 unsigned char *dest_data,
107 SilcUInt32 dest_data_size,
108 SilcUInt32 *dest_len)
112 SILC_LOG_DEBUG(("PKCS#1 decoding, bt %d", bt));
/* Header must be 0x00 followed by the expected block type.  The size
   check here is on the destination; no visible check guards data[1]
   against a `data_len' below 2 — confirm one exists on a line not
   shown. */
115 if (!data || !dest_data || dest_data_size < 3 ||
116 data[0] != 0x00 || data[1] != (unsigned char)bt) {
117 SILC_LOG_DEBUG(("Malformed block"));
121 /* Decode according to block type */
123 case SILC_PKCS1_BT_PRV0:
127 case SILC_PKCS1_BT_PRV1:
/* Signature block: scan the fixed padding (loop body not shown). */
129 for (i = 2; i < data_len; i++)
134 case SILC_PKCS1_BT_PUB:
/* Encryption block: scan the random padding for the 0x00 separator
   (loop body not shown). */
136 for (i = 2; i < data_len; i++)
/* `i' is expected to index the separator here and is advanced past it.
   NOTE(review): if the loop above ran to completion without breaking,
   i == data_len and this reads one byte past `data' — confirm the loop
   body breaks on the separator and that the no-separator case is
   rejected before this line. */
143 if (data[i++] != 0x00) {
144 SILC_LOG_DEBUG(("Malformed block"));
/* Minimum padding check.  i-1 is the separator index, so the padding
   length is i-3; as written this accepts SILC_PKCS1_MIN_PADDING-2
   padding bytes.  NOTE(review): `i - 3 < SILC_PKCS1_MIN_PADDING' would
   enforce the constant literally (PKCS #1 v1.5 requires at least 8). */
147 if (i - 1 < SILC_PKCS1_MIN_PADDING) {
148 SILC_LOG_DEBUG(("Malformed block"));
/* Remaining bytes are the payload; they must fit the destination. */
151 if (dest_data_size < data_len - i) {
152 SILC_LOG_DEBUG(("Destination buffer too small"));
157 memcpy(dest_data, data + i, data_len - i);
159 /* Return data length */
161 *dest_len = data_len - i;
167 /***************************** PKCS #1 PKCS API ******************************/
169 /* Generates RSA key pair. */
/* Generates an RSA key pair of `keylen' bits: two primes of keylen/2
   bits each, apparently regenerated (surrounding loop not visible) until
   they differ, put into a fixed order, then passed to
   silc_rsa_generate_keys.
   NOTE(review): the 768-bit lower bound is far below current guidance
   (2048 bits or more); callers should enforce a stricter minimum. */
171 SILC_PKCS_ALG_GENERATE_KEY(silc_pkcs1_generate_key)
173 SilcUInt32 prime_bits = keylen / 2;
175 SilcBool found = FALSE;
/* Accepted modulus sizes.  16384 bits is 2048 bytes, which matches the
   fixed `padded'/`unpadded' buffers used by the encrypt/sign routines. */
177 if (keylen < 768 || keylen > 16384)
185 silc_math_gen_prime(&p, prime_bits, FALSE, rng);
186 silc_math_gen_prime(&q, prime_bits, FALSE, rng);
/* Distinct primes are required; what happens on equality is on lines
   not shown. */
187 if ((silc_mp_cmp(&p, &q)) != 0)
191 /* If p is smaller than q, switch them */
/* NOTE(review): assuming silc_mp_cmp follows the mpz_cmp sign
   convention, this condition is true when p > q, so the swap runs in
   the opposite case from what the comment above says.  Which ordering
   silc_rsa_generate_keys expects is not visible here — confirm. */
192 if ((silc_mp_cmp(&p, &q)) > 0) {
196 silc_mp_set(&hlp, &p);
198 silc_mp_set(&q, &hlp);
200 silc_mp_uninit(&hlp);
203 /* Generate the actual keys */
204 if (!silc_rsa_generate_keys(keylen, &p, &q, ret_public_key, ret_private_key))
213 /* Import PKCS #1 compliant public key */
/* Imports a PKCS #1 RSAPublicKey (n, e; the outer ASN.1 structure is on
   a line not shown) from `key'/`key_len' into a freshly allocated
   RsaPublicKey stored in *ret_public_key.  No range or sanity check of
   n or e is visible here; an unusable modulus is only caught later by
   the padding checks in silc_pkcs1_encode. */
215 SILC_PKCS_ALG_IMPORT_PUBLIC_KEY(silc_pkcs1_import_public_key)
217 SilcAsn1 asn1 = NULL;
218 SilcBufferStruct alg_key;
219 RsaPublicKey *pubkey;
224 asn1 = silc_asn1_alloc(NULL);
228 /* Allocate RSA public key */
/* The caller's pointer is set before parsing has succeeded.
   NOTE(review): confirm that the error path (around the second
   silc_asn1_free, lines not shown) frees `pubkey' and clears
   *ret_public_key so a malformed key does not hand the caller a
   half-initialized object. */
229 *ret_public_key = pubkey = silc_calloc(1, sizeof(*pubkey));
233 /* Parse the PKCS #1 public key */
234 silc_buffer_set(&alg_key, key, key_len);
235 if (!silc_asn1_decode(asn1, &alg_key,
236 SILC_ASN1_OPTS(SILC_ASN1_ALLOC),
238 SILC_ASN1_INT(&pubkey->n),
239 SILC_ASN1_INT(&pubkey->e),
240 SILC_ASN1_END, SILC_ASN1_END))
/* Modulus size in bits rounded up to a whole byte; the crypto routines
   below derive their buffer length from this value. */
244 pubkey->bits = ((silc_mp_sizeinbase(&pubkey->n, 2) + 7) / 8) * 8;
246 silc_asn1_free(asn1);
/* Error path releases the ASN.1 context as well. */
252 silc_asn1_free(asn1);
256 /* Export PKCS #1 compliant public key */
/* Encodes `public_key' as a PKCS #1 RSAPublicKey and returns the
   encoded bytes with their length in *ret_len.  The ASN.1 context is
   allocated from `stack'; the encoded data is stolen out of `alg_key'
   before the context is freed, presumably handing ownership of the
   returned buffer to the caller. */
258 SILC_PKCS_ALG_EXPORT_PUBLIC_KEY(silc_pkcs1_export_public_key)
260 RsaPublicKey *key = public_key;
261 SilcAsn1 asn1 = NULL;
262 SilcBufferStruct alg_key;
265 asn1 = silc_asn1_alloc(stack);
269 /* Encode to PKCS #1 public key */
270 memset(&alg_key, 0, sizeof(alg_key));
271 if (!silc_asn1_encode(asn1, &alg_key,
272 SILC_ASN1_OPTS(SILC_ASN1_ALLOC),
274 SILC_ASN1_INT(&key->n),
275 SILC_ASN1_INT(&key->e),
276 SILC_ASN1_END, SILC_ASN1_END))
/* Detach the encoded data from the buffer struct before freeing asn1. */
279 ret = silc_buffer_steal(&alg_key, ret_len);
280 silc_asn1_free(asn1);
/* Error path: only the ASN.1 context needs releasing. */
286 silc_asn1_free(asn1);
290 /* Returns key length */
/* Returns the modulus size in bits as recorded by import/generation
   (the return statement is on a line not shown). */
292 SILC_PKCS_ALG_PUBLIC_KEY_BITLEN(silc_pkcs1_public_key_bitlen)
294 RsaPublicKey *key = public_key;
298 /* Copy public key */
/* Deep-copies `public_key': fresh MP integers for n and e plus the
   cached bit length.  Allocation-failure handling and the return are on
   lines not shown. */
300 SILC_PKCS_ALG_PUBLIC_KEY_COPY(silc_pkcs1_public_key_copy)
302 RsaPublicKey *key = public_key, *new_key;
304 new_key = silc_calloc(1, sizeof(*new_key));
/* Initialize before set: silc_mp_set copies into an existing MP int. */
308 silc_mp_init(&new_key->n);
309 silc_mp_init(&new_key->e);
310 silc_mp_set(&new_key->n, &key->n);
311 silc_mp_set(&new_key->e, &key->e);
312 new_key->bits = key->bits;
317 /* Compare public keys */
/* Compares two public keys by bit length, exponent and modulus; any
   mismatch returns early (return statements on lines not shown). */
319 SILC_PKCS_ALG_PUBLIC_KEY_COMPARE(silc_pkcs1_public_key_compare)
321 RsaPublicKey *k1 = key1, *k2 = key2;
/* Cheapest check first; the MP comparisons follow only on equal size. */
323 if (k1->bits != k2->bits)
325 if (silc_mp_cmp(&k1->e, &k2->e) != 0)
327 if (silc_mp_cmp(&k1->n, &k2->n) != 0)
333 /* Frees public key */
/* Releases the MP integers of a public key; freeing the struct itself
   is on a line not shown. */
335 SILC_PKCS_ALG_PUBLIC_KEY_FREE(silc_pkcs1_public_key_free)
337 RsaPublicKey *key = public_key;
339 silc_mp_uninit(&key->n);
340 silc_mp_uninit(&key->e);
344 /* Import PKCS #1 compliant private key */
/* Imports a PKCS #1 RSAPrivateKey (version, n, e, d, p, q, dP, dQ, qP)
   from `key'/`key_len' into a freshly allocated RsaPrivateKey stored in
   *ret_private_key.
   NOTE(review): `ver' is decoded but no check of its value is visible;
   confirm whether one exists on a line not shown.  No consistency check
   of the CRT components against n is visible either, so a corrupted key
   file is accepted as-is. */
346 SILC_PKCS_ALG_IMPORT_PRIVATE_KEY(silc_pkcs1_import_private_key)
349 SilcBufferStruct alg_key;
350 RsaPrivateKey *privkey;
353 if (!ret_private_key)
356 asn1 = silc_asn1_alloc(NULL);
360 /* Allocate RSA private key */
/* The caller's pointer is set before parsing has succeeded; confirm the
   error path (lines not shown) releases `privkey' and clears it. */
361 *ret_private_key = privkey = silc_calloc(1, sizeof(*privkey));
365 /* Parse the PKCS #1 private key */
366 silc_buffer_set(&alg_key, key, key_len);
367 if (!silc_asn1_decode(asn1, &alg_key,
368 SILC_ASN1_OPTS(SILC_ASN1_ALLOC),
370 SILC_ASN1_SHORT_INT(&ver),
371 SILC_ASN1_INT(&privkey->n),
372 SILC_ASN1_INT(&privkey->e),
373 SILC_ASN1_INT(&privkey->d),
374 SILC_ASN1_INT(&privkey->p),
375 SILC_ASN1_INT(&privkey->q),
376 SILC_ASN1_INT(&privkey->dP),
377 SILC_ASN1_INT(&privkey->dQ),
378 SILC_ASN1_INT(&privkey->qP),
379 SILC_ASN1_END, SILC_ASN1_END))
/* Modulus size in bits rounded up to a whole byte, as for public keys. */
386 privkey->bits = ((silc_mp_sizeinbase(&privkey->n, 2) + 7) / 8) * 8;
388 silc_asn1_free(asn1);
/* Error path releases the ASN.1 context as well. */
394 silc_asn1_free(asn1);
398 /* Export PKCS #1 compliant private key */
/* Encodes `private_key' as a PKCS #1 RSAPrivateKey (version 0) and
   returns the encoded bytes with their length in *ret_len.  The result
   contains all private components; the caller is presumably responsible
   for scrubbing and freeing it. */
400 SILC_PKCS_ALG_EXPORT_PRIVATE_KEY(silc_pkcs1_export_private_key)
402 RsaPrivateKey *key = private_key;
404 SilcBufferStruct alg_key;
407 asn1 = silc_asn1_alloc(stack);
411 /* Encode to PKCS #1 private key */
412 memset(&alg_key, 0, sizeof(alg_key));
413 if (!silc_asn1_encode(asn1, &alg_key,
414 SILC_ASN1_OPTS(SILC_ASN1_ALLOC),
/* PKCS #1 two-prime RSAPrivateKey version is 0. */
416 SILC_ASN1_SHORT_INT(0),
417 SILC_ASN1_INT(&key->n),
418 SILC_ASN1_INT(&key->e),
419 SILC_ASN1_INT(&key->d),
420 SILC_ASN1_INT(&key->p),
421 SILC_ASN1_INT(&key->q),
422 SILC_ASN1_INT(&key->dP),
423 SILC_ASN1_INT(&key->dQ),
424 SILC_ASN1_INT(&key->qP),
425 SILC_ASN1_END, SILC_ASN1_END))
/* Detach the encoded data from the buffer struct before freeing asn1. */
428 ret = silc_buffer_steal(&alg_key, ret_len);
429 silc_asn1_free(asn1);
/* Error path: only the ASN.1 context needs releasing. */
434 silc_asn1_free(asn1);
438 /* Returns key length */
/* Returns the modulus size in bits as recorded by import/generation
   (the return statement is on a line not shown). */
440 SILC_PKCS_ALG_PRIVATE_KEY_BITLEN(silc_pkcs1_private_key_bitlen)
442 RsaPrivateKey *key = private_key;
446 /* Frees private key */
/* Releases every MP integer of a private key; freeing the struct itself
   is on a line not shown.
   NOTE(review): whether silc_mp_uninit scrubs the limbs before freeing
   is not visible here; the crypto routines in this file memset their
   byte buffers, so the MP temporaries holding d, p and q deserve the
   same treatment — confirm in the MP layer. */
448 SILC_PKCS_ALG_PRIVATE_KEY_FREE(silc_pkcs1_private_key_free)
450 RsaPrivateKey *key = private_key;
452 silc_mp_uninit(&key->n);
453 silc_mp_uninit(&key->e);
454 silc_mp_uninit(&key->d);
455 silc_mp_uninit(&key->dP);
456 silc_mp_uninit(&key->dQ);
457 silc_mp_uninit(&key->qP);
458 silc_mp_uninit(&key->p);
459 silc_mp_uninit(&key->q);
463 /* PKCS #1 RSA routines */
/* RSAES-PKCS1-v1_5 encryption of `src': pad into `padded', convert to
   an MP integer, apply the public operation and hand the
   modulus-length result to encrypt_cb.  The fixed buffer bounds the key
   size to 2048 bytes (16384 bits), the same limit as
   silc_pkcs1_generate_key. */
465 SILC_PKCS_ALG_ENCRYPT(silc_pkcs1_encrypt)
467 RsaPublicKey *key = public_key;
/* NOTE(review): `padded' is not initialized on any visible line.  The
   BT_PUB branch of silc_pkcs1_encode, as shown in this file, writes
   padlen-2 random bytes, leaving two padding positions untouched; if
   that is so, stack contents end up in the block and a 0x00 there would
   truncate the plaintext at decryption.  Confirm; the fix belongs in
   the encode loop. */
470 unsigned char padded[2048 + 1];
471 SilcUInt32 len = (key->bits + 7) / 8;
474 if (sizeof(padded) < len) {
475 encrypt_cb(FALSE, NULL, 0, context);
/* Padding failure (payload too long for this key) is reported to the
   callback; the remaining arguments are on a line not shown. */
480 if (!silc_pkcs1_encode(SILC_PKCS1_BT_PUB, src, src_len,
482 encrypt_cb(FALSE, NULL, 0, context);
486 stack = silc_stack_alloc(2048, silc_crypto_stack());
488 silc_mp_sinit(stack, &mp_tmp);
489 silc_mp_sinit(stack, &mp_dst);
492 silc_mp_bin2mp(padded, len, &mp_tmp);
495 silc_rsa_public_operation(key, &mp_tmp, &mp_dst);
/* Result written back into the same buffer at modulus length. */
498 silc_mp_mp2bin_noalloc(&mp_dst, padded, len);
501 encrypt_cb(TRUE, padded, len, context);
/* Scrub the padded plaintext.  NOTE(review): a plain memset of a local
   that is never read again may be dropped as a dead store; a
   non-elidable scrub (explicit_bzero/memset_s style) is more robust. */
503 memset(padded, 0, sizeof(padded));
504 silc_mp_suninit(stack, &mp_tmp);
505 silc_mp_suninit(stack, &mp_dst);
506 silc_stack_free(stack);
/* RSAES-PKCS1-v1_5 decryption: private operation on `src', conversion
   back to a modulus-length byte string, unpadding into `unpadded' and
   delivery of the plaintext through decrypt_cb.
   NOTE(review): a padding failure is reported immediately through
   decrypt_cb(FALSE, ...), so the outcome of the unpadding step is
   observable to whoever supplied the ciphertext.  That is the classic
   PKCS #1 v1.5 padding-oracle setting; the protocol layer must make
   failure indistinguishable from success (uniform handling and timing),
   or use OAEP where the protocol permits. */
511 SILC_PKCS_ALG_DECRYPT(silc_pkcs1_decrypt)
513 RsaPrivateKey *key = private_key;
516 unsigned char *padded, unpadded[2048 + 1];
517 SilcUInt32 padded_len, dst_len;
/* Same 2048-byte key-size bound as the other routines. */
520 if (sizeof(unpadded) < (key->bits + 7) / 8) {
521 decrypt_cb(FALSE, NULL, 0, context);
525 stack = silc_stack_alloc(2048, silc_crypto_stack());
527 silc_mp_sinit(stack, &mp_tmp);
528 silc_mp_sinit(stack, &mp_dst);
/* No visible check that src_len matches the modulus length; confirm
   whether one exists on a line not shown. */
531 silc_mp_bin2mp(src, src_len, &mp_tmp);
534 silc_rsa_private_operation(key, &mp_tmp, &mp_dst);
/* Converted at modulus length, presumably so leading zero bytes of the
   block survive.  The returned pointer is not NULL-checked on any
   visible line, and its release is not visible either. */
537 padded = silc_mp_mp2bin(&mp_dst, (key->bits + 7) / 8, &padded_len);
540 if (!silc_pkcs1_decode(SILC_PKCS1_BT_PUB, padded, padded_len,
541 unpadded, sizeof(unpadded), &dst_len)) {
/* Failure path: scrub and release (the free of `padded', the stack
   release and the return are on lines not shown). */
542 memset(padded, 0, padded_len);
544 silc_mp_suninit(stack, &mp_tmp);
545 silc_mp_suninit(stack, &mp_dst);
546 decrypt_cb(FALSE, NULL, 0, context);
551 decrypt_cb(TRUE, unpadded, dst_len, context);
/* Scrub both copies of the plaintext before returning. */
553 memset(padded, 0, padded_len);
554 memset(unpadded, 0, sizeof(unpadded));
556 silc_mp_suninit(stack, &mp_tmp);
557 silc_mp_suninit(stack, &mp_dst);
558 silc_stack_free(stack);
563 /* PKCS #1 sign with appendix, hash OID included in the signature */
/* RSASSA-PKCS1-v1_5 signing: hashes `src' (when a hash is given), wraps
   the digest in a DigestInfo carrying the hash OID, pads it as block
   type PRV1, applies the private operation and hands the signature to
   sign_cb.  The hash, the NULL-parameter choice and the DigestInfo
   structure lines are partly on lines not shown. */
565 SILC_PKCS_ALG_SIGN(silc_pkcs1_sign)
567 RsaPrivateKey *key = private_key;
568 unsigned char padded[2048 + 1], hashr[SILC_HASH_MAXLEN];
572 SilcUInt32 len = (key->bits + 7) / 8;
577 SILC_LOG_DEBUG(("Sign"));
/* Same 2048-byte key-size bound as the other routines. */
579 if (sizeof(padded) < len) {
580 sign_cb(FALSE, NULL, 0, context);
/* The OID identifies the hash inside the DigestInfo; a hash without a
   known OID cannot be signed with this variant (see silc_pkcs1_sign_no_oid). */
584 oid = silc_hash_get_oid(hash);
586 sign_cb(FALSE, NULL, 0, context);
590 stack = silc_stack_alloc(2048, silc_crypto_stack());
592 asn1 = silc_asn1_alloc(stack);
594 silc_stack_free(stack);
595 sign_cb(FALSE, NULL, 0, context);
/* Digest computed into `hashr'; `src' presumably points at it afterwards
   (line not shown), since src_len is replaced by the digest length. */
601 silc_hash_make(hash, src, src_len, hashr);
603 src_len = silc_hash_len(hash);
606 /* Encode digest info */
607 memset(&di, 0, sizeof(di));
608 if (!silc_asn1_encode(asn1, &di,
/* DigestInfo is always emitted with the NULL parameter field. */
612 SILC_ASN1_NULL(TRUE),
614 SILC_ASN1_OCTET_STRING(src, src_len),
615 SILC_ASN1_END, SILC_ASN1_END)) {
616 silc_asn1_free(asn1);
617 silc_stack_free(stack);
618 sign_cb(FALSE, NULL, 0, context);
621 SILC_LOG_HEXDUMP(("DigestInfo"), silc_buffer_data(&di),
622 silc_buffer_len(&di));
/* Deterministic 0xff padding; no RNG needed for signature blocks. */
625 if (!silc_pkcs1_encode(SILC_PKCS1_BT_PRV1, silc_buffer_data(&di),
626 silc_buffer_len(&di), padded, len, NULL)) {
627 silc_asn1_free(asn1);
628 silc_stack_free(stack);
629 sign_cb(FALSE, NULL, 0, context);
633 silc_mp_sinit(stack, &mp_tmp);
634 silc_mp_sinit(stack, &mp_dst);
637 silc_mp_bin2mp(padded, len, &mp_tmp);
640 silc_rsa_private_operation(key, &mp_tmp, &mp_dst);
/* Signature written back into the same buffer at modulus length. */
643 silc_mp_mp2bin_noalloc(&mp_dst, padded, len);
646 sign_cb(TRUE, padded, len, context);
/* Scrub working buffers and release the MP/ASN.1 temporaries. */
648 memset(padded, 0, sizeof(padded));
650 memset(hashr, 0, sizeof(hashr));
651 silc_mp_suninit(stack, &mp_tmp);
652 silc_mp_suninit(stack, &mp_dst);
653 silc_asn1_free(asn1);
654 silc_stack_free(stack);
659 /* PKCS #1 verification with appendix. */
/* RSASSA-PKCS1-v1_5 verification with DigestInfo: applies the public
   operation to `signature', strips the PRV1 padding, parses the
   DigestInfo, hashes `data' with the same algorithm, re-encodes a local
   DigestInfo and accepts only when the two encodings are identical in
   length and content.  Comparing the complete decoded payload against
   the complete local encoding is what rejects signatures with extra
   bytes after the DigestInfo, provided silc_asn1_decode does not advance
   `di' (not visible here — confirm).
   NOTE(review): when no `hash' is supplied, the digest algorithm is
   taken from the OID inside the signature; this accepts any algorithm
   silc_hash_alloc_by_oid knows.  Callers that must refuse weak digests
   need to check the negotiated algorithm themselves. */
661 SILC_PKCS_ALG_VERIFY(silc_pkcs1_verify)
663 RsaPublicKey *key = public_key;
664 SilcBool ret = FALSE;
667 unsigned char *verify, unpadded[2048 + 1], hashr[SILC_HASH_MAXLEN];
668 SilcUInt32 verify_len, len = (key->bits + 7) / 8;
669 SilcBufferStruct di, ldi;
/* Whether the remote DigestInfo carried a NULL parameter; the local
   encoding mirrors it so both forms compare equal byte-for-byte. */
670 SilcBool has_null = TRUE;
671 SilcHash ihash = NULL;
676 SILC_LOG_DEBUG(("Verify signature"));
678 stack = silc_stack_alloc(2048, silc_crypto_stack());
680 asn1 = silc_asn1_alloc(stack);
682 verify_cb(FALSE, context);
686 silc_mp_sinit(stack, &mp_tmp2);
687 silc_mp_sinit(stack, &mp_dst);
689 /* Format the signature into MP int */
/* No visible check of signature_len against the modulus length. */
690 silc_mp_bin2mp(signature, signature_len, &mp_tmp2);
693 silc_rsa_public_operation(key, &mp_tmp2, &mp_dst);
/* Converted at modulus length so the leading 0x00 of the block
   survives; the returned pointer is not NULL-checked on a visible line. */
696 verify = silc_mp_mp2bin(&mp_dst, len, &verify_len);
/* `len' is reused: on success it becomes the unpadded payload length. */
699 if (!silc_pkcs1_decode(SILC_PKCS1_BT_PRV1, verify, verify_len,
700 unpadded, sizeof(unpadded), &len))
702 silc_buffer_set(&di, unpadded, len);
704 /* If hash isn't given, allocate the one given in digest info */
708 /* Decode digest info */
709 if (!silc_asn1_decode(asn1, &di,
710 SILC_ASN1_OPTS(SILC_ASN1_ACCUMUL),
/* The NULL parameter is optional on input; `has_null' records whether
   it was present (OID decoding is on lines not shown). */
714 SILC_ASN1_NULL_T(SILC_ASN1_OPTIONAL,
715 SILC_ASN1_TAG_NULL, &has_null),
717 SILC_ASN1_END, SILC_ASN1_END))
720 if (!silc_hash_alloc_by_oid(oid, &ihash)) {
721 SILC_LOG_DEBUG(("Unknown OID %s", oid));
/* Hash the caller's data with the selected algorithm; `data' presumably
   points at `hashr' afterwards (line not shown), since data_len is
   replaced by the digest length. */
728 silc_hash_make(hash, data, data_len, hashr);
730 data_len = silc_hash_len(hash);
731 oid = (char *)silc_hash_get_oid(hash);
733 /* Encode digest info for comparison */
734 memset(&ldi, 0, sizeof(ldi));
735 if (!silc_asn1_encode(asn1, &ldi,
736 SILC_ASN1_OPTS(SILC_ASN1_ACCUMUL),
740 SILC_ASN1_NULL(has_null),
742 SILC_ASN1_OCTET_STRING(data, data_len),
743 SILC_ASN1_END, SILC_ASN1_END))
746 SILC_LOG_HEXDUMP(("DigestInfo remote"), silc_buffer_data(&di),
747 silc_buffer_len(&di));
748 SILC_LOG_HEXDUMP(("DigestInfo local"), silc_buffer_data(&ldi),
749 silc_buffer_len(&ldi));
/* Full-length, full-content comparison of the two encodings. */
752 if (silc_buffer_len(&di) == silc_buffer_len(&ldi) &&
753 !memcmp(silc_buffer_data(&di), silc_buffer_data(&ldi),
754 silc_buffer_len(&ldi)))
758 verify_cb(ret, context);
/* Scrub and release on the success path. */
760 memset(verify, 0, verify_len);
761 memset(unpadded, 0, sizeof(unpadded));
763 silc_mp_suninit(stack, &mp_tmp2);
764 silc_mp_suninit(stack, &mp_dst);
766 memset(hashr, 0, sizeof(hashr));
768 silc_hash_free(ihash);
769 silc_asn1_free(asn1);
770 silc_stack_free(stack);
/* Error path (label not shown): same releases, then a negative
   callback.  `unpadded' and `hashr' are not scrubbed here, unlike the
   success path above. */
775 memset(verify, 0, verify_len);
777 silc_mp_suninit(stack, &mp_tmp2);
778 silc_mp_suninit(stack, &mp_dst);
780 silc_hash_free(ihash);
781 silc_asn1_free(asn1);
782 silc_stack_free(stack);
784 verify_cb(FALSE, context);
788 /* PKCS #1 sign without hash oid */
/* PKCS #1 v1.5 signing without a DigestInfo: the digest of `src' (or
   `src' itself when no hash is given) is padded directly as block type
   PRV1 and signed.  The verifier must know the hash algorithm out of
   band, since nothing in the signature identifies it. */
790 SILC_PKCS_ALG_SIGN(silc_pkcs1_sign_no_oid)
792 RsaPrivateKey *key = private_key;
795 unsigned char padded[2048 + 1], hashr[SILC_HASH_MAXLEN];
796 SilcUInt32 len = (key->bits + 7) / 8;
799 SILC_LOG_DEBUG(("Sign"));
/* Same 2048-byte key-size bound as the other routines. */
801 if (sizeof(padded) < len) {
802 sign_cb(FALSE, NULL, 0, context);
806 /* Compute hash if requested */
/* `src' presumably points at `hashr' afterwards (line not shown),
   since src_len is replaced by the digest length. */
808 silc_hash_make(hash, src, src_len, hashr);
810 src_len = silc_hash_len(hash);
/* Deterministic 0xff padding; no RNG needed for signature blocks. */
814 if (!silc_pkcs1_encode(SILC_PKCS1_BT_PRV1, src, src_len,
815 padded, len, NULL)) {
816 sign_cb(FALSE, NULL, 0, context);
820 stack = silc_stack_alloc(2048, silc_crypto_stack());
822 silc_mp_sinit(stack, &mp_tmp);
823 silc_mp_sinit(stack, &mp_dst);
826 silc_mp_bin2mp(padded, len, &mp_tmp);
829 silc_rsa_private_operation(key, &mp_tmp, &mp_dst);
/* Signature written back into the same buffer at modulus length. */
832 silc_mp_mp2bin_noalloc(&mp_dst, padded, len);
835 sign_cb(TRUE, padded, len, context);
/* Scrub working buffers and release the MP temporaries. */
837 memset(padded, 0, sizeof(padded));
839 memset(hashr, 0, sizeof(hashr));
840 silc_mp_suninit(stack, &mp_tmp);
841 silc_mp_suninit(stack, &mp_dst);
842 silc_stack_free(stack);
847 /* PKCS #1 verify without hash oid */
/* PKCS #1 v1.5 verification without a DigestInfo: the unpadded
   signature payload must equal, in length and content, the digest of
   `data' (or `data' itself when no hash is given).  The expected hash
   algorithm is a caller decision; the signature carries no identifier. */
849 SILC_PKCS_ALG_VERIFY(silc_pkcs1_verify_no_oid)
851 RsaPublicKey *key = public_key;
852 SilcBool ret = FALSE;
855 unsigned char *verify, unpadded[2048 + 1], hashr[SILC_HASH_MAXLEN];
856 SilcUInt32 verify_len, len = (key->bits + 7) / 8;
859 SILC_LOG_DEBUG(("Verify signature"));
861 stack = silc_stack_alloc(2048, silc_crypto_stack());
863 silc_mp_sinit(stack, &mp_tmp2);
864 silc_mp_sinit(stack, &mp_dst);
866 /* Format the signature into MP int */
/* No visible check of signature_len against the modulus length. */
867 silc_mp_bin2mp(signature, signature_len, &mp_tmp2);
870 silc_rsa_public_operation(key, &mp_tmp2, &mp_dst);
/* Converted at modulus length so the leading 0x00 of the block
   survives; the returned pointer is not NULL-checked on a visible line. */
873 verify = silc_mp_mp2bin(&mp_dst, len, &verify_len);
/* `len' is reused: on success it becomes the unpadded payload length. */
876 if (!silc_pkcs1_decode(SILC_PKCS1_BT_PRV1, verify, verify_len,
877 unpadded, sizeof(unpadded), &len)) {
/* Padding failure: scrub, release (the free of `verify' is on a line
   not shown) and report. */
878 memset(verify, 0, verify_len);
880 silc_mp_suninit(stack, &mp_tmp2);
881 silc_mp_suninit(stack, &mp_dst);
882 silc_stack_free(stack);
883 verify_cb(FALSE, context);
887 /* Hash data if requested */
/* `data' presumably points at `hashr' afterwards (line not shown),
   since data_len is replaced by the digest length. */
889 silc_hash_make(hash, data, data_len, hashr);
891 data_len = silc_hash_len(hash);
/* Exact-length comparison of payload and expected digest. */
895 if (len == data_len && !memcmp(data, unpadded, len))
899 verify_cb(ret, context);
/* Scrub working buffers and release the MP temporaries. */
901 memset(verify, 0, verify_len);
902 memset(unpadded, 0, sizeof(unpadded));
904 memset(hashr, 0, sizeof(hashr));
906 silc_mp_suninit(stack, &mp_tmp2);
907 silc_mp_suninit(stack, &mp_dst);
908 silc_stack_free(stack);