5 Author: Pekka Riikonen <priikone@silcnet.org>
7 Copyright (C) 2003 - 2008 Pekka Riikonen
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; version 2 of the License.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
20 #include "silccrypto.h"
22 #include "silcpkcs1_i.h"
24 /************************** PKCS #1 message format ***************************/
26 /* Minimum padding in block */
27 #define SILC_PKCS1_MIN_PADDING 8
29 /* Encodes PKCS#1 data block from the `data' according to the block type
30 indicated by `bt'. When encoding signatures the `bt' must be
31 SILC_PKCS1_BT_PRV1 and when encoding encryption blocks the `bt' must
32 be SILC_PKCS1_BT_PUB. The encoded data is copied into the `dest_data'
33 buffer which is size of `dest_data_size'. If the `dest_data' is not
34 able to hold the encoded block this returns FALSE. The `rng' must be
35 set when `bt' is SILC_PKCS1_BT_PUB. This function returns TRUE on
38 SilcBool silc_pkcs1_encode(SilcPkcs1BlockType bt,
39 const unsigned char *data,
41 unsigned char *dest_data,
42 SilcUInt32 dest_data_size,
48 SILC_LOG_DEBUG(("PKCS#1 encoding, bt %d", bt));
50 if (!data || !dest_data ||
51 dest_data_size < SILC_PKCS1_MIN_PADDING + 3 ||
52 dest_data_size < data_len) {
53 SILC_LOG_DEBUG(("Data to be encoded is too long"));
59 dest_data[1] = (unsigned char)bt;
61 padlen = (SilcInt32)dest_data_size - (SilcInt32)data_len - 3;
62 if (padlen < SILC_PKCS1_MIN_PADDING) {
63 SILC_LOG_DEBUG(("Data to be encoded is too long"));
67 /* Encode according to block type */
69 case SILC_PKCS1_BT_PRV0:
70 case SILC_PKCS1_BT_PRV1:
72 memset(dest_data + 2, bt == SILC_PKCS1_BT_PRV1 ? 0xff : 0x00, padlen);
75 case SILC_PKCS1_BT_PUB:
78 SILC_LOG_ERROR(("Cannot encrypt: random number generator not provided"));
82 /* It is guaranteed this routine does not return zero byte. */
83 for (i = 2; i < padlen; i++)
84 dest_data[i] = silc_rng_get_byte_fast(rng);
90 dest_data[padlen + 2] = 0x00;
91 memcpy(dest_data + padlen + 3, data, data_len);
96 /* Decodes the PKCS#1 encoded block according to the block type `bt'.
97 When verifying signatures the `bt' must be SILC_PKCS1_BT_PRV1 and
98 when decrypting it must be SILC_PKCS1_BT_PUB. This copies the
99 decoded data into `dest_data' which is size of `dest_data_size'. If
100 the deocded block does not fit to `dest_data' this returns FALSE.
101 Returns TRUE on success. */
103 SilcBool silc_pkcs1_decode(SilcPkcs1BlockType bt,
104 const unsigned char *data,
106 unsigned char *dest_data,
107 SilcUInt32 dest_data_size,
108 SilcUInt32 *dest_len)
112 SILC_LOG_DEBUG(("PKCS#1 decoding, bt %d", bt));
115 if (!data || !dest_data || dest_data_size < 3 ||
116 data[0] != 0x00 || data[1] != (unsigned char)bt) {
117 SILC_LOG_DEBUG(("Malformed block"));
121 /* Decode according to block type */
123 case SILC_PKCS1_BT_PRV0:
127 case SILC_PKCS1_BT_PRV1:
129 for (i = 2; i < data_len; i++)
134 case SILC_PKCS1_BT_PUB:
136 for (i = 2; i < data_len; i++)
143 if (data[i++] != 0x00) {
144 SILC_LOG_DEBUG(("Malformed block"));
147 if (i - 1 < SILC_PKCS1_MIN_PADDING) {
148 SILC_LOG_DEBUG(("Malformed block"));
151 if (dest_data_size < data_len - i) {
152 SILC_LOG_DEBUG(("Destination buffer too small"));
157 memcpy(dest_data, data + i, data_len - i);
159 /* Return data length */
161 *dest_len = data_len - i;
167 /***************************** PKCS #1 PKCS API ******************************/
169 /* Generates RSA key pair. */
171 SILC_PKCS_ALG_GENERATE_KEY(silc_pkcs1_generate_key)
173 SilcUInt32 prime_bits = keylen / 2;
175 SilcBool found = FALSE;
177 if (keylen < 768 || keylen > 16384)
185 silc_math_gen_prime(&p, prime_bits, FALSE, rng);
186 silc_math_gen_prime(&q, prime_bits, FALSE, rng);
187 if ((silc_mp_cmp(&p, &q)) != 0)
191 /* If p is smaller than q, switch them */
192 if ((silc_mp_cmp(&p, &q)) > 0) {
196 silc_mp_set(&hlp, &p);
198 silc_mp_set(&q, &hlp);
200 silc_mp_uninit(&hlp);
203 /* Generate the actual keys */
204 if (!silc_rsa_generate_keys(keylen, &p, &q, ret_public_key, ret_private_key))
213 /* Import PKCS #1 compliant public key */
215 SILC_PKCS_ALG_IMPORT_PUBLIC_KEY(silc_pkcs1_import_public_key)
217 SilcAsn1 asn1 = NULL;
218 SilcBufferStruct alg_key;
219 RsaPublicKey *pubkey;
224 asn1 = silc_asn1_alloc(NULL);
228 /* Allocate RSA public key */
229 *ret_public_key = pubkey = silc_calloc(1, sizeof(*pubkey));
233 /* Parse the PKCS #1 public key */
234 silc_buffer_set(&alg_key, key, key_len);
235 if (!silc_asn1_decode(asn1, &alg_key,
236 SILC_ASN1_OPTS(SILC_ASN1_ALLOC),
238 SILC_ASN1_INT(&pubkey->n),
239 SILC_ASN1_INT(&pubkey->e),
240 SILC_ASN1_END, SILC_ASN1_END))
244 pubkey->bits = ((silc_mp_sizeinbase(&pubkey->n, 2) + 7) / 8) * 8;
246 silc_asn1_free(asn1);
252 silc_asn1_free(asn1);
256 /* Export PKCS #1 compliant public key */
258 SILC_PKCS_ALG_EXPORT_PUBLIC_KEY(silc_pkcs1_export_public_key)
260 RsaPublicKey *key = public_key;
261 SilcAsn1 asn1 = NULL;
262 SilcBufferStruct alg_key;
265 asn1 = silc_asn1_alloc(stack);
269 /* Encode to PKCS #1 public key */
270 memset(&alg_key, 0, sizeof(alg_key));
271 if (!silc_asn1_encode(asn1, &alg_key,
272 SILC_ASN1_OPTS(SILC_ASN1_ALLOC),
274 SILC_ASN1_INT(&key->n),
275 SILC_ASN1_INT(&key->e),
276 SILC_ASN1_END, SILC_ASN1_END))
279 ret = silc_buffer_steal(&alg_key, ret_len);
280 silc_asn1_free(asn1);
286 silc_asn1_free(asn1);
290 /* Returns key length */
292 SILC_PKCS_ALG_PUBLIC_KEY_BITLEN(silc_pkcs1_public_key_bitlen)
294 RsaPublicKey *key = public_key;
298 /* Copy public key */
300 SILC_PKCS_ALG_PUBLIC_KEY_COPY(silc_pkcs1_public_key_copy)
302 RsaPublicKey *key = public_key, *new_key;
304 new_key = silc_calloc(1, sizeof(*new_key));
308 silc_mp_init(&new_key->n);
309 silc_mp_init(&new_key->e);
310 silc_mp_set(&new_key->n, &key->n);
311 silc_mp_set(&new_key->e, &key->e);
312 new_key->bits = key->bits;
317 /* Compare public keys */
319 SILC_PKCS_ALG_PUBLIC_KEY_COMPARE(silc_pkcs1_public_key_compare)
321 RsaPublicKey *k1 = key1, *k2 = key2;
323 if (k1->bits != k2->bits)
325 if (silc_mp_cmp(&k1->e, &k2->e) != 0)
327 if (silc_mp_cmp(&k1->n, &k2->n) != 0)
333 /* Frees public key */
335 SILC_PKCS_ALG_PUBLIC_KEY_FREE(silc_pkcs1_public_key_free)
337 RsaPublicKey *key = public_key;
339 silc_mp_uninit(&key->n);
340 silc_mp_uninit(&key->e);
341 silc_hash_free(key->hash);
345 /* Import PKCS #1 compliant private key */
347 SILC_PKCS_ALG_IMPORT_PRIVATE_KEY(silc_pkcs1_import_private_key)
350 SilcBufferStruct alg_key;
351 RsaPrivateKey *privkey;
354 if (!ret_private_key)
357 asn1 = silc_asn1_alloc(NULL);
361 /* Allocate RSA private key */
362 *ret_private_key = privkey = silc_calloc(1, sizeof(*privkey));
366 /* Parse the PKCS #1 private key */
367 silc_buffer_set(&alg_key, key, key_len);
368 if (!silc_asn1_decode(asn1, &alg_key,
369 SILC_ASN1_OPTS(SILC_ASN1_ALLOC),
371 SILC_ASN1_SHORT_INT(&ver),
372 SILC_ASN1_INT(&privkey->n),
373 SILC_ASN1_INT(&privkey->e),
374 SILC_ASN1_INT(&privkey->d),
375 SILC_ASN1_INT(&privkey->p),
376 SILC_ASN1_INT(&privkey->q),
377 SILC_ASN1_INT(&privkey->dP),
378 SILC_ASN1_INT(&privkey->dQ),
379 SILC_ASN1_INT(&privkey->qP),
380 SILC_ASN1_END, SILC_ASN1_END))
387 privkey->bits = ((silc_mp_sizeinbase(&privkey->n, 2) + 7) / 8) * 8;
389 silc_asn1_free(asn1);
395 silc_asn1_free(asn1);
399 /* Export PKCS #1 compliant private key */
401 SILC_PKCS_ALG_EXPORT_PRIVATE_KEY(silc_pkcs1_export_private_key)
403 RsaPrivateKey *key = private_key;
405 SilcBufferStruct alg_key;
408 asn1 = silc_asn1_alloc(stack);
412 /* Encode to PKCS #1 private key */
413 memset(&alg_key, 0, sizeof(alg_key));
414 if (!silc_asn1_encode(asn1, &alg_key,
415 SILC_ASN1_OPTS(SILC_ASN1_ALLOC),
417 SILC_ASN1_SHORT_INT(0),
418 SILC_ASN1_INT(&key->n),
419 SILC_ASN1_INT(&key->e),
420 SILC_ASN1_INT(&key->d),
421 SILC_ASN1_INT(&key->p),
422 SILC_ASN1_INT(&key->q),
423 SILC_ASN1_INT(&key->dP),
424 SILC_ASN1_INT(&key->dQ),
425 SILC_ASN1_INT(&key->qP),
426 SILC_ASN1_END, SILC_ASN1_END))
429 ret = silc_buffer_steal(&alg_key, ret_len);
430 silc_asn1_free(asn1);
435 silc_asn1_free(asn1);
439 /* Returns key length */
441 SILC_PKCS_ALG_PRIVATE_KEY_BITLEN(silc_pkcs1_private_key_bitlen)
443 RsaPrivateKey *key = private_key;
447 /* Frees private key */
449 SILC_PKCS_ALG_PRIVATE_KEY_FREE(silc_pkcs1_private_key_free)
451 RsaPrivateKey *key = private_key;
453 silc_mp_uninit(&key->n);
454 silc_mp_uninit(&key->e);
455 silc_mp_uninit(&key->d);
456 silc_mp_uninit(&key->dP);
457 silc_mp_uninit(&key->dQ);
458 silc_mp_uninit(&key->qP);
459 silc_mp_uninit(&key->p);
460 silc_mp_uninit(&key->q);
461 silc_hash_free(key->hash);
465 /* PKCS #1 RSA routines */
467 SILC_PKCS_ALG_ENCRYPT(silc_pkcs1_encrypt)
469 RsaPublicKey *key = public_key;
472 unsigned char padded[2048 + 1];
473 SilcUInt32 len = (key->bits + 7) / 8;
476 if (sizeof(padded) < len) {
477 encrypt_cb(FALSE, NULL, 0, context);
482 if (!silc_pkcs1_encode(SILC_PKCS1_BT_PUB, src, src_len,
484 encrypt_cb(FALSE, NULL, 0, context);
488 stack = silc_stack_alloc(2048, silc_crypto_stack());
490 silc_mp_sinit(stack, &mp_tmp);
491 silc_mp_sinit(stack, &mp_dst);
494 silc_mp_bin2mp(padded, len, &mp_tmp);
497 silc_rsa_public_operation(key, &mp_tmp, &mp_dst);
500 silc_mp_mp2bin_noalloc(&mp_dst, padded, len);
503 encrypt_cb(TRUE, padded, len, context);
505 memset(padded, 0, sizeof(padded));
506 silc_mp_uninit(&mp_tmp);
507 silc_mp_uninit(&mp_dst);
508 silc_stack_free(stack);
513 SILC_PKCS_ALG_DECRYPT(silc_pkcs1_decrypt)
515 RsaPrivateKey *key = private_key;
518 unsigned char *padded, unpadded[2048 + 1];
519 SilcUInt32 padded_len, dst_len;
522 if (sizeof(unpadded) < (key->bits + 7) / 8) {
523 decrypt_cb(FALSE, NULL, 0, context);
527 stack = silc_stack_alloc(2048, silc_crypto_stack());
529 silc_mp_sinit(stack, &mp_tmp);
530 silc_mp_sinit(stack, &mp_dst);
533 silc_mp_bin2mp(src, src_len, &mp_tmp);
536 silc_rsa_private_operation(key, &mp_tmp, &mp_dst);
539 padded = silc_mp_mp2bin(&mp_dst, (key->bits + 7) / 8, &padded_len);
542 if (!silc_pkcs1_decode(SILC_PKCS1_BT_PUB, padded, padded_len,
543 unpadded, sizeof(unpadded), &dst_len)) {
544 memset(padded, 0, padded_len);
546 silc_mp_uninit(&mp_tmp);
547 silc_mp_uninit(&mp_dst);
548 decrypt_cb(FALSE, NULL, 0, context);
553 decrypt_cb(TRUE, unpadded, dst_len, context);
555 memset(padded, 0, padded_len);
556 memset(unpadded, 0, sizeof(unpadded));
558 silc_mp_uninit(&mp_tmp);
559 silc_mp_uninit(&mp_dst);
560 silc_stack_free(stack);
565 /* PKCS #1 sign with appendix, hash OID included in the signature */
567 SILC_PKCS_ALG_SIGN(silc_pkcs1_sign)
569 RsaPrivateKey *key = private_key;
570 unsigned char padded[2048 + 1], hashr[SILC_HASH_MAXLEN];
574 SilcUInt32 len = (key->bits + 7) / 8;
579 SILC_LOG_DEBUG(("Sign"));
581 if (sizeof(padded) < len) {
582 sign_cb(FALSE, NULL, 0, context);
586 oid = silc_hash_get_oid(hash);
588 sign_cb(FALSE, NULL, 0, context);
592 stack = silc_stack_alloc(2048, silc_crypto_stack());
594 asn1 = silc_asn1_alloc(stack);
596 silc_stack_free(stack);
597 sign_cb(FALSE, NULL, 0, context);
605 silc_hash_make(hash, src, src_len, hashr);
607 src_len = silc_hash_len(hash);
610 /* Encode digest info */
611 memset(&di, 0, sizeof(di));
612 if (!silc_asn1_encode(asn1, &di,
616 SILC_ASN1_NULL(TRUE),
618 SILC_ASN1_OCTET_STRING(src, src_len),
619 SILC_ASN1_END, SILC_ASN1_END)) {
620 silc_asn1_free(asn1);
621 silc_stack_free(stack);
622 sign_cb(FALSE, NULL, 0, context);
625 SILC_LOG_HEXDUMP(("DigestInfo"), silc_buffer_data(&di),
626 silc_buffer_len(&di));
629 if (!silc_pkcs1_encode(SILC_PKCS1_BT_PRV1, silc_buffer_data(&di),
630 silc_buffer_len(&di), padded, len, NULL)) {
631 silc_asn1_free(asn1);
632 silc_stack_free(stack);
633 sign_cb(FALSE, NULL, 0, context);
637 silc_mp_sinit(stack, &mp_tmp);
638 silc_mp_sinit(stack, &mp_dst);
641 silc_mp_bin2mp(padded, len, &mp_tmp);
644 silc_rsa_private_operation(key, &mp_tmp, &mp_dst);
647 silc_mp_mp2bin_noalloc(&mp_dst, padded, len);
650 sign_cb(TRUE, padded, len, context);
652 memset(padded, 0, sizeof(padded));
654 memset(hashr, 0, sizeof(hashr));
655 silc_mp_uninit(&mp_tmp);
656 silc_mp_uninit(&mp_dst);
657 silc_asn1_free(asn1);
658 silc_stack_free(stack);
663 /* PKCS #1 verification with appendix. */
665 SILC_PKCS_ALG_VERIFY(silc_pkcs1_verify)
667 RsaPublicKey *key = public_key;
668 SilcBool ret = FALSE;
671 unsigned char *verify, unpadded[2048 + 1], hashr[SILC_HASH_MAXLEN];
672 SilcUInt32 verify_len, len = (key->bits + 7) / 8;
673 SilcBufferStruct di, ldi;
674 SilcBool has_null = TRUE;
675 SilcHash ihash = NULL;
680 SILC_LOG_DEBUG(("Verify signature"));
682 stack = silc_stack_alloc(2048, silc_crypto_stack());
684 asn1 = silc_asn1_alloc(stack);
686 verify_cb(FALSE, context);
690 silc_mp_sinit(stack, &mp_tmp2);
691 silc_mp_sinit(stack, &mp_dst);
693 /* Format the signature into MP int */
694 silc_mp_bin2mp(signature, signature_len, &mp_tmp2);
697 silc_rsa_public_operation(key, &mp_tmp2, &mp_dst);
700 verify = silc_mp_mp2bin(&mp_dst, len, &verify_len);
703 if (!silc_pkcs1_decode(SILC_PKCS1_BT_PRV1, verify, verify_len,
704 unpadded, sizeof(unpadded), &len))
706 silc_buffer_set(&di, unpadded, len);
708 /* If hash isn't given, allocate the one given in digest info */
713 /* Decode digest info */
714 if (!silc_asn1_decode(asn1, &di,
715 SILC_ASN1_OPTS(SILC_ASN1_ACCUMUL),
719 SILC_ASN1_NULL_T(SILC_ASN1_OPTIONAL,
720 SILC_ASN1_TAG_NULL, &has_null),
722 SILC_ASN1_END, SILC_ASN1_END))
725 if (!silc_hash_alloc_by_oid(oid, &ihash)) {
726 SILC_LOG_DEBUG(("Unknown OID %s", oid));
733 silc_hash_make(hash, data, data_len, hashr);
735 data_len = silc_hash_len(hash);
736 oid = (char *)silc_hash_get_oid(hash);
739 /* Encode digest info for comparison */
740 memset(&ldi, 0, sizeof(ldi));
741 if (!silc_asn1_encode(asn1, &ldi,
742 SILC_ASN1_OPTS(SILC_ASN1_ACCUMUL),
746 SILC_ASN1_NULL(has_null),
748 SILC_ASN1_OCTET_STRING(data, data_len),
749 SILC_ASN1_END, SILC_ASN1_END))
752 SILC_LOG_HEXDUMP(("DigestInfo remote"), silc_buffer_data(&di),
753 silc_buffer_len(&di));
754 SILC_LOG_HEXDUMP(("DigestInfo local"), silc_buffer_data(&ldi),
755 silc_buffer_len(&ldi));
758 if (silc_buffer_len(&di) == silc_buffer_len(&ldi) &&
759 !memcmp(silc_buffer_data(&di), silc_buffer_data(&ldi),
760 silc_buffer_len(&ldi)))
764 verify_cb(ret, context);
766 memset(verify, 0, verify_len);
767 memset(unpadded, 0, sizeof(unpadded));
769 silc_mp_uninit(&mp_tmp2);
770 silc_mp_uninit(&mp_dst);
772 memset(hashr, 0, sizeof(hashr));
774 silc_hash_free(ihash);
775 silc_asn1_free(asn1);
776 silc_stack_free(stack);
781 memset(verify, 0, verify_len);
783 silc_mp_uninit(&mp_tmp2);
784 silc_mp_uninit(&mp_dst);
786 silc_hash_free(ihash);
787 silc_asn1_free(asn1);
788 silc_stack_free(stack);
790 verify_cb(FALSE, context);
794 /* PKCS #1 sign without hash oid */
796 SILC_PKCS_ALG_SIGN(silc_pkcs1_sign_no_oid)
798 RsaPrivateKey *key = private_key;
801 unsigned char padded[2048 + 1], hashr[SILC_HASH_MAXLEN];
802 SilcUInt32 len = (key->bits + 7) / 8;
805 SILC_LOG_DEBUG(("Sign"));
807 if (sizeof(padded) < len) {
808 sign_cb(FALSE, NULL, 0, context);
812 /* Compute hash if requested */
816 silc_hash_make(hash, src, src_len, hashr);
818 src_len = silc_hash_len(hash);
822 if (!silc_pkcs1_encode(SILC_PKCS1_BT_PRV1, src, src_len,
823 padded, len, NULL)) {
824 sign_cb(FALSE, NULL, 0, context);
828 stack = silc_stack_alloc(2048, silc_crypto_stack());
830 silc_mp_sinit(stack, &mp_tmp);
831 silc_mp_sinit(stack, &mp_dst);
834 silc_mp_bin2mp(padded, len, &mp_tmp);
837 silc_rsa_private_operation(key, &mp_tmp, &mp_dst);
840 silc_mp_mp2bin_noalloc(&mp_dst, padded, len);
843 sign_cb(TRUE, padded, len, context);
845 memset(padded, 0, sizeof(padded));
847 memset(hashr, 0, sizeof(hashr));
848 silc_mp_uninit(&mp_tmp);
849 silc_mp_uninit(&mp_dst);
850 silc_stack_free(stack);
855 /* PKCS #1 verify without hash oid */
857 SILC_PKCS_ALG_VERIFY(silc_pkcs1_verify_no_oid)
859 RsaPublicKey *key = public_key;
860 SilcBool ret = FALSE;
863 unsigned char *verify, unpadded[2048 + 1], hashr[SILC_HASH_MAXLEN];
864 SilcUInt32 verify_len, len = (key->bits + 7) / 8;
867 SILC_LOG_DEBUG(("Verify signature"));
869 stack = silc_stack_alloc(2048, silc_crypto_stack());
871 silc_mp_sinit(stack, &mp_tmp2);
872 silc_mp_sinit(stack, &mp_dst);
874 /* Format the signature into MP int */
875 silc_mp_bin2mp(signature, signature_len, &mp_tmp2);
878 silc_rsa_public_operation(key, &mp_tmp2, &mp_dst);
881 verify = silc_mp_mp2bin(&mp_dst, len, &verify_len);
884 if (!silc_pkcs1_decode(SILC_PKCS1_BT_PRV1, verify, verify_len,
885 unpadded, sizeof(unpadded), &len)) {
886 memset(verify, 0, verify_len);
888 silc_mp_uninit(&mp_tmp2);
889 silc_mp_uninit(&mp_dst);
890 silc_stack_free(stack);
891 verify_cb(FALSE, context);
895 /* Hash data if requested */
899 silc_hash_make(hash, data, data_len, hashr);
901 data_len = silc_hash_len(hash);
905 if (len == data_len && !memcmp(data, unpadded, len))
909 verify_cb(ret, context);
911 memset(verify, 0, verify_len);
912 memset(unpadded, 0, sizeof(unpadded));
914 memset(hashr, 0, sizeof(hashr));
916 silc_mp_uninit(&mp_tmp2);
917 silc_mp_uninit(&mp_dst);
918 silc_stack_free(stack);