5 Author: Pekka Riikonen <priikone@silcnet.org>
7 Copyright (C) 2003 - 2007 Pekka Riikonen
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; version 2 of the License.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
23 #include "silcpkcs1_i.h"
25 /************************** PKCS #1 message format ***************************/
27 /* Minimum number of padding-string (PS) bytes in an encoded block.
   PKCS #1 v1.5 (RFC 3447, section 7.2.1) requires at least eight;
   silc_pkcs1_encode() refuses to produce a block with fewer and
   silc_pkcs1_decode() checks decoded blocks against the same value. */
28 #define SILC_PKCS1_MIN_PADDING 8
30 /* Encodes a PKCS #1 v1.5 block (EB = 0x00 || BT || PS || 0x00 || D) from
31 `data' of `data_len' bytes according to the block type `bt'.  When
32 encoding signatures `bt' must be SILC_PKCS1_BT_PRV1 (PS is 0xff bytes)
33 and when encoding encryption blocks it must be SILC_PKCS1_BT_PUB (PS is
34 random non-zero bytes drawn from `rng', which must then be non-NULL).
35 The block is written into `dest_data', which is `dest_data_size' bytes
36 long and becomes the whole block, so the padding length is fixed by the
   buffer size.  Returns FALSE if a buffer is NULL, if the destination
   cannot hold the data plus SILC_PKCS1_MIN_PADDING padding bytes and the
   three fixed bytes, or if `rng' is missing for SILC_PKCS1_BT_PUB; returns
   TRUE on success.  Several lines of this function are elided in this
   listing, among them the `data_len' and `rng' parameters, the local
   declarations, the `switch'/`break' lines and the early returns. */
39 SilcBool silc_pkcs1_encode(SilcPkcs1BlockType bt,
40 const unsigned char *data,
42 unsigned char *dest_data,
43 SilcUInt32 dest_data_size,
49 SILC_LOG_DEBUG(("PKCS#1 encoding, bt %d", bt));
/* Reject NULL buffers and a destination that cannot hold the three fixed
   bytes plus the minimum padding, or that is smaller than the data. */
51 if (!data || !dest_data ||
52 dest_data_size < SILC_PKCS1_MIN_PADDING + 3 ||
53 dest_data_size < data_len) {
54 SILC_LOG_DEBUG(("Data to be encoded is too long"));
/* Second byte carries the block type (the leading 0x00 byte is presumably
   written on an elided line, since silc_pkcs1_decode() requires it). */
60 dest_data[1] = (unsigned char)bt;
/* Padding length is whatever remains after the three fixed bytes.  The
   signed casts make a destination that is too small by fewer than three
   bytes come out negative, which the check below catches. */
62 padlen = (SilcInt32)dest_data_size - (SilcInt32)data_len - 3;
63 if (padlen < SILC_PKCS1_MIN_PADDING) {
64 SILC_LOG_DEBUG(("Data to be encoded is too long"));
68 /* Encode according to block type */
70 case SILC_PKCS1_BT_PRV0:
71 case SILC_PKCS1_BT_PRV1:
/* Signature block: PS is `padlen' bytes of 0xff (type 01) or 0x00
   (type 00), occupying dest_data[2 .. padlen + 1]. */
73 memset(dest_data + 2, bt == SILC_PKCS1_BT_PRV1 ? 0xff : 0x00, padlen);
76 case SILC_PKCS1_BT_PUB:
/* Encryption block needs a random source for PS (the `!rng' test that
   guards this error is on an elided line). */
79 SILC_LOG_ERROR(("Cannot encrypt: random number generator not provided"));
83 /* It is guaranteed this routine does not return zero byte. */
/* NOTE(review): this loop fills dest_data[2 .. padlen - 1], i.e. only
   padlen - 2 bytes, whereas the memset() in the signature branch fills
   padlen bytes from dest_data[2] and the separator is written at
   dest_data[padlen + 2] below.  dest_data[padlen] and dest_data[padlen + 1]
   are left holding whatever the caller's buffer contained, so the random
   padding is two bytes short of what the block layout assumes and, should
   either stale byte be 0x00, the block decodes to a different message.
   The bound looks like it should be `i < padlen + 2'; confirm against the
   elided lines before changing. */
84 for (i = 2; i < padlen; i++)
85 dest_data[i] = silc_rng_get_byte_fast(rng);
/* Separator, then the payload, follow the padding string. */
91 dest_data[padlen + 2] = 0x00;
92 memcpy(dest_data + padlen + 3, data, data_len);
97 /* Decodes a PKCS #1 v1.5 block `data' of `data_len' bytes according to
98 the block type `bt': SILC_PKCS1_BT_PRV1 when verifying signatures (PS is
99 0xff bytes) and SILC_PKCS1_BT_PUB when decrypting (PS is non-zero bytes
100 terminated by 0x00).  The payload following the 0x00 separator is copied
101 into `dest_data', which is `dest_data_size' bytes, and its length is
102 stored in `dest_len'.  Returns FALSE if the block is malformed (wrong
    leading bytes, missing separator or too little padding) or the payload
    does not fit into `dest_data'; returns TRUE on success.  Several lines
    are elided in this listing, among them the `data_len' parameter, the
    `switch'/`break' lines, the loop bodies and the early returns. */
104 SilcBool silc_pkcs1_decode(SilcPkcs1BlockType bt,
105 const unsigned char *data,
107 unsigned char *dest_data,
108 SilcUInt32 dest_data_size,
109 SilcUInt32 *dest_len)
113 SILC_LOG_DEBUG(("PKCS#1 decoding, bt %d", bt));
/* Header check: leading 0x00 and the expected block type.
   NOTE(review): data_len is not compared with 2 on the visible lines before
   data[0] and data[1] are read; confirm that the elided lines, or every
   caller, guarantee data_len >= 2. */
116 if (!data || !dest_data || dest_data_size < 3 ||
117 data[0] != 0x00 || data[1] != (unsigned char)bt) {
118 SILC_LOG_DEBUG(("Malformed block"));
122 /* Decode according to block type */
124 case SILC_PKCS1_BT_PRV0:
128 case SILC_PKCS1_BT_PRV1:
/* Skip the padding string; `i' is left at the first non-padding byte.
   NOTE(review): if the elided loop body exits only on a non-padding byte,
   a block that is padding all the way to its end leaves i == data_len and
   the data[i++] read below is one past the end; an `i >= data_len' test
   before that read would close this. */
130 for (i = 2; i < data_len; i++)
135 case SILC_PKCS1_BT_PUB:
/* Same scan for the encryption block type (loop body elided). */
137 for (i = 2; i < data_len; i++)
/* The padding string must end with a 0x00 separator; afterwards `i'
   indexes the first payload byte.
   NOTE(review): the scans above and the distinct early returns make the
   separator position and the failure reason observable through timing and
   return paths.  For SILC_PKCS1_BT_PUB that is the classic PKCS #1 v1.5
   padding-oracle exposure: callers must not let the remote side learn
   whether decoding failed, and a constant-time decoder would be the
   stronger fix. */
144 if (data[i++] != 0x00) {
145 SILC_LOG_DEBUG(("Malformed block"));
/* Enforce the minimum padding length.
   NOTE(review): with `i' one past the separator, the padding string is
   bytes 2 .. i - 2, i.e. i - 3 bytes, so this condition admits blocks with
   six or seven padding bytes; `i - 3 < SILC_PKCS1_MIN_PADDING' would
   enforce the eight-byte minimum.  Confirm against the elided loop bodies
   before changing. */
148 if (i - 1 < SILC_PKCS1_MIN_PADDING) {
149 SILC_LOG_DEBUG(("Malformed block"));
/* Payload is everything after the separator; it must fit. */
152 if (dest_data_size < data_len - i) {
153 SILC_LOG_DEBUG(("Destination buffer too small"));
158 memcpy(dest_data, data + i, data_len - i);
160 /* Return data length */
162 *dest_len = data_len - i;
168 /***************************** PKCS #1 PKCS API ******************************/
170 /* Generates an RSA key pair of `keylen' bits using `rng' and returns it
    through `ret_public_key' and `ret_private_key' (parameters come from
    the SILC_PKCS_ALG_GENERATE_KEY macro).  Two distinct primes of
    keylen / 2 bits are generated and ordered so that p < q before
    silc_rsa_generate_keys() derives the key material.  The declarations of
    p, q and hlp, the loop around prime generation, the `p = q' step of the
    swap and the return statements are elided in this listing. */
172 SILC_PKCS_ALG_GENERATE_KEY(silc_pkcs1_generate_key)
/* Each prime gets half the modulus bits (an odd keylen truncates). */
174 SilcUInt32 prime_bits = keylen / 2;
176 SilcBool found = FALSE;
/* Accepted modulus sizes.  The 16384 upper bound matches the fixed
   2048-byte work buffers of the encrypt/sign routines below.
   NOTE(review): the 768-bit lower bound is far below current guidance
   (at least 2048 bits, e.g. NIST SP 800-57); callers should not rely on
   this check to reject weak key sizes. */
178 if (keylen < 768 || keylen > 16384)
/* Generate candidate primes until two distinct ones are found. */
186 silc_math_gen_prime(&p, prime_bits, FALSE, rng);
187 silc_math_gen_prime(&q, prime_bits, FALSE, rng);
188 if ((silc_mp_cmp(&p, &q)) != 0)
192 /* Order the primes as p < q: swap when p is the larger one (the
    condition below tests cmp > 0, i.e. p > q). */
193 if ((silc_mp_cmp(&p, &q)) > 0) {
197 silc_mp_set(&hlp, &p);
199 silc_mp_set(&q, &hlp);
201 silc_mp_uninit(&hlp);
204 /* Generate the actual keys */
205 if (!silc_rsa_generate_keys(keylen, &p, &q, ret_public_key, ret_private_key))
214 /* Imports a PKCS #1 RSAPublicKey DER encoding from `key' of `key_len'
    bytes and returns a newly allocated RsaPublicKey through
    `ret_public_key'.  The modulus n and exponent e are decoded as ASN.1
    INTEGERs and `bits' is derived from the size of n.  The return
    statements, one ASN.1 template line and the `err' label are elided in
    this listing. */
216 SILC_PKCS_ALG_IMPORT_PUBLIC_KEY(silc_pkcs1_import_public_key)
218 SilcAsn1 asn1 = NULL;
219 SilcBufferStruct alg_key;
220 RsaPublicKey *pubkey;
/* ASN.1 decoder on its own (NULL) stack; freed on both paths below. */
225 asn1 = silc_asn1_alloc(NULL);
229 /* Allocate RSA public key */
/* NOTE(review): the out pointer is assigned before decoding succeeds;
   confirm the elided error path frees pubkey and resets *ret_public_key
   so a caller never sees a half-initialised key. */
230 *ret_public_key = pubkey = silc_calloc(1, sizeof(*pubkey));
234 /* Parse the PKCS #1 public key */
/* SILC_ASN1_ALLOC presumably makes the decoded integers outlive `asn1';
   they are released by silc_pkcs1_public_key_free(). */
235 silc_buffer_set(&alg_key, key, key_len);
236 if (!silc_asn1_decode(asn1, &alg_key,
237 SILC_ASN1_OPTS(SILC_ASN1_ALLOC),
239 SILC_ASN1_INT(&pubkey->n),
240 SILC_ASN1_INT(&pubkey->e),
241 SILC_ASN1_END, SILC_ASN1_END))
/* `bits' is the modulus length rounded up to whole bytes, i.e. the bit
   size of the octet-string form rather than the exact bit length of n.
   No further sanity check of n or e (size bounds, e odd) is visible
   here; the fixed-size buffers in the encrypt/sign routines are what
   ultimately reject oversized keys. */
245 pubkey->bits = ((silc_mp_sizeinbase(&pubkey->n, 2) + 7) / 8) * 8;
247 silc_asn1_free(asn1);
/* Error path (label elided). */
253 silc_asn1_free(asn1);
257 /* Exports `public_key' (an RsaPublicKey) as a PKCS #1 RSAPublicKey DER
    encoding.  The encoded bytes are stolen from the ASN.1 buffer and
    returned to the caller together with their length in `ret_len'; the
    caller owns them.  The `ret' declaration, the `stack' parameter, one
    template line and the return statements are elided in this listing. */
259 SILC_PKCS_ALG_EXPORT_PUBLIC_KEY(silc_pkcs1_export_public_key)
261 RsaPublicKey *key = public_key;
262 SilcAsn1 asn1 = NULL;
263 SilcBufferStruct alg_key;
/* Encoder allocated from the caller-supplied stack. */
266 asn1 = silc_asn1_alloc(stack);
270 /* Encode to PKCS #1 public key */
271 memset(&alg_key, 0, sizeof(alg_key));
272 if (!silc_asn1_encode(asn1, &alg_key,
273 SILC_ASN1_OPTS(SILC_ASN1_ALLOC),
275 SILC_ASN1_INT(&key->n),
276 SILC_ASN1_INT(&key->e),
277 SILC_ASN1_END, SILC_ASN1_END))
/* Detach the encoded bytes from alg_key so they survive freeing asn1. */
280 ret = silc_buffer_steal(&alg_key, ret_len);
281 silc_asn1_free(asn1);
/* Error path (label elided). */
287 silc_asn1_free(asn1);
291 /* Returns the public key length in bits, i.e. the `bits' value set at
    import/copy time (modulus size rounded up to whole bytes).  The return
    statement is elided in this listing. */
293 SILC_PKCS_ALG_PUBLIC_KEY_BITLEN(silc_pkcs1_public_key_bitlen)
295 RsaPublicKey *key = public_key;
299 /* Deep-copies `public_key': allocates a new RsaPublicKey and copies n, e
    and bits into freshly initialised MP integers.  The lines after the
    allocation (presumably its failure check) and the return of new_key are
    elided in this listing. */
301 SILC_PKCS_ALG_PUBLIC_KEY_COPY(silc_pkcs1_public_key_copy)
303 RsaPublicKey *key = public_key, *new_key;
305 new_key = silc_calloc(1, sizeof(*new_key));
/* MP integers must be initialised before silc_mp_set() assigns them. */
309 silc_mp_init(&new_key->n);
310 silc_mp_init(&new_key->e);
311 silc_mp_set(&new_key->n, &key->n);
312 silc_mp_set(&new_key->e, &key->e);
313 new_key->bits = key->bits;
318 /* Compares two RsaPublicKeys field by field: bit length, then e, then n.
    The return statements are elided; presumably FALSE at the first
    difference and TRUE when everything matches.  Timing is not a concern
    here since public keys are not secret. */
320 SILC_PKCS_ALG_PUBLIC_KEY_COMPARE(silc_pkcs1_public_key_compare)
322 RsaPublicKey *k1 = key1, *k2 = key2;
324 if (k1->bits != k2->bits)
326 if (silc_mp_cmp(&k1->e, &k2->e) != 0)
328 if (silc_mp_cmp(&k1->n, &k2->n) != 0)
334 /* Releases an RsaPublicKey: uninitialises the MP integers n and e.  The
    release of the struct itself is presumably on an elided line. */
336 SILC_PKCS_ALG_PUBLIC_KEY_FREE(silc_pkcs1_public_key_free)
338 RsaPublicKey *key = public_key;
340 silc_mp_uninit(&key->n);
341 silc_mp_uninit(&key->e);
345 /* Imports a PKCS #1 RSAPrivateKey DER encoding from `key' of `key_len'
    bytes into a newly allocated RsaPrivateKey returned via
    `ret_private_key'.  Decodes the version, n, e, d, p, q and the CRT
    values dP, dQ, qP.  The `asn1' and `ver' declarations, one template
    line, the lines between the decode and the `bits' assignment, and the
    return statements are elided in this listing. */
347 SILC_PKCS_ALG_IMPORT_PRIVATE_KEY(silc_pkcs1_import_private_key)
350 SilcBufferStruct alg_key;
351 RsaPrivateKey *privkey;
/* Nothing to return into. */
354 if (!ret_private_key)
357 asn1 = silc_asn1_alloc(NULL);
361 /* Allocate RSA private key */
/* NOTE(review): as with the public-key import, the out pointer is set
   before decoding succeeds; confirm the elided error path frees privkey
   (and clears any partially decoded integers) and resets
   *ret_private_key. */
362 *ret_private_key = privkey = silc_calloc(1, sizeof(*privkey));
366 /* Parse the PKCS #1 private key */
367 silc_buffer_set(&alg_key, key, key_len);
368 if (!silc_asn1_decode(asn1, &alg_key,
369 SILC_ASN1_OPTS(SILC_ASN1_ALLOC),
/* RSAPrivateKey.version; PKCS #1 defines 0 for two-prime keys.  The check
   of `ver' is not visible here (the lines between the decode and the
   `bits' assignment are elided); confirm it rejects other versions, since
   multi-prime (version 1) keys carry extra fields this template does not
   parse. */
371 SILC_ASN1_SHORT_INT(&ver),
372 SILC_ASN1_INT(&privkey->n),
373 SILC_ASN1_INT(&privkey->e),
374 SILC_ASN1_INT(&privkey->d),
375 SILC_ASN1_INT(&privkey->p),
376 SILC_ASN1_INT(&privkey->q),
377 SILC_ASN1_INT(&privkey->dP),
378 SILC_ASN1_INT(&privkey->dQ),
379 SILC_ASN1_INT(&privkey->qP),
380 SILC_ASN1_END, SILC_ASN1_END))
/* Same byte-rounded bit length as in the public key import. */
387 privkey->bits = ((silc_mp_sizeinbase(&privkey->n, 2) + 7) / 8) * 8;
389 silc_asn1_free(asn1);
/* Error path (label elided). */
395 silc_asn1_free(asn1);
399 /* Exports `private_key' (an RsaPrivateKey) as a PKCS #1 RSAPrivateKey DER
    encoding with version 0 (two-prime).  The encoded bytes are stolen from
    the ASN.1 buffer and returned with their length in `ret_len'; the
    caller owns them and, since they contain the private key, should wipe
    them before freeing.  The `asn1' and `ret' declarations, one template
    line and the return statements are elided in this listing. */
401 SILC_PKCS_ALG_EXPORT_PRIVATE_KEY(silc_pkcs1_export_private_key)
403 RsaPrivateKey *key = private_key;
405 SilcBufferStruct alg_key;
/* Encoder allocated from the caller-supplied stack. */
408 asn1 = silc_asn1_alloc(stack);
412 /* Encode to PKCS #1 private key */
413 memset(&alg_key, 0, sizeof(alg_key));
414 if (!silc_asn1_encode(asn1, &alg_key,
415 SILC_ASN1_OPTS(SILC_ASN1_ALLOC),
/* RSAPrivateKey.version = 0: two-prime key, matching the field list. */
417 SILC_ASN1_SHORT_INT(0),
418 SILC_ASN1_INT(&key->n),
419 SILC_ASN1_INT(&key->e),
420 SILC_ASN1_INT(&key->d),
421 SILC_ASN1_INT(&key->p),
422 SILC_ASN1_INT(&key->q),
423 SILC_ASN1_INT(&key->dP),
424 SILC_ASN1_INT(&key->dQ),
425 SILC_ASN1_INT(&key->qP),
426 SILC_ASN1_END, SILC_ASN1_END))
/* Detach the encoding from alg_key; ownership passes to the caller. */
429 ret = silc_buffer_steal(&alg_key, ret_len);
430 silc_asn1_free(asn1);
/* Error path (label elided). */
435 silc_asn1_free(asn1);
439 /* Returns the private key length in bits, i.e. the byte-rounded `bits'
    value set at import time.  The return statement is elided. */
441 SILC_PKCS_ALG_PRIVATE_KEY_BITLEN(silc_pkcs1_private_key_bitlen)
443 RsaPrivateKey *key = private_key;
447 /* Releases an RsaPrivateKey: uninitialises every MP integer of the key
    (n, e, d, dP, dQ, qP, p, q); the release of the struct itself is
    presumably on an elided line.
    NOTE(review): whether silc_mp_uninit() wipes the limb memory before
    releasing it is not visible here; for d, p, q, dP, dQ and qP that
    matters, so confirm it or zeroise them explicitly first. */
449 SILC_PKCS_ALG_PRIVATE_KEY_FREE(silc_pkcs1_private_key_free)
451 RsaPrivateKey *key = private_key;
453 silc_mp_uninit(&key->n);
454 silc_mp_uninit(&key->e);
455 silc_mp_uninit(&key->d);
456 silc_mp_uninit(&key->dP);
457 silc_mp_uninit(&key->dQ);
458 silc_mp_uninit(&key->qP);
459 silc_mp_uninit(&key->p);
460 silc_mp_uninit(&key->q);
464 /* PKCS #1 RSA routines */
/* Encrypts `src' (`src_len' bytes) with the RSA public key: pads it into
   a block-type-02 PKCS #1 v1.5 block the size of the modulus, applies the
   RSA public operation and hands the result to `encrypt_cb'.  The callback
   is invoked with FALSE on every failure.  Parameters come from the
   SILC_PKCS_ALG_ENCRYPT macro; the declarations of stack, mp_tmp and
   mp_dst, the remaining arguments of the encode call (including `rng')
   and the return statements are elided in this listing. */
466 SILC_PKCS_ALG_ENCRYPT(silc_pkcs1_encrypt)
468 RsaPublicKey *key = public_key;
/* Fixed work buffer: caps the modulus at 2048 bytes (16384 bits), the
   same ceiling silc_pkcs1_generate_key() enforces. */
471 unsigned char padded[2048 + 1];
472 SilcUInt32 len = (key->bits + 7) / 8;
/* Refuse keys that would overflow the work buffer. */
475 if (sizeof(padded) < len) {
476 encrypt_cb(FALSE, NULL, 0, context);
/* Pad into a block of exactly `len' bytes.
   NOTE(review): `padded' is not initialised on the visible lines, and
   silc_pkcs1_encode() as listed above leaves two padding positions
   unwritten for SILC_PKCS1_BT_PUB, so those bytes would come from stale
   stack contents; confirm whether an elided line clears the buffer
   first. */
481 if (!silc_pkcs1_encode(SILC_PKCS1_BT_PUB, src, src_len,
483 encrypt_cb(FALSE, NULL, 0, context);
/* Temporary MP integers live on a scratch stack released at the end. */
487 stack = silc_stack_alloc(2048, silc_crypto_stack());
489 silc_mp_sinit(stack, &mp_tmp);
490 silc_mp_sinit(stack, &mp_dst);
/* Padded block -> integer -> RSA public operation -> `len' bytes. */
493 silc_mp_bin2mp(padded, len, &mp_tmp);
496 silc_rsa_public_operation(key, &mp_tmp, &mp_dst);
499 silc_mp_mp2bin_noalloc(&mp_dst, padded, len);
502 encrypt_cb(TRUE, padded, len, context);
/* Wipe the work buffer and release the scratch state.
   NOTE(review): a plain memset() on a buffer that is dead afterwards may
   be dropped by the optimiser; a memset_s/explicit_bzero style primitive
   would be more reliable. */
504 memset(padded, 0, sizeof(padded));
505 silc_mp_suninit(stack, &mp_tmp);
506 silc_mp_suninit(stack, &mp_dst);
507 silc_stack_free(stack);
/* Decrypts ciphertext `src' (`src_len' bytes) with the RSA private key:
   applies the RSA private operation, strips the block-type-02 PKCS #1 v1.5
   padding and hands the plaintext to `decrypt_cb'.  The callback is
   invoked with FALSE on every failure.  Parameters come from the
   SILC_PKCS_ALG_DECRYPT macro; the declarations of stack, mp_tmp and
   mp_dst, the release of `padded' and of the stack on the failure path,
   and the return statements are elided in this listing. */
512 SILC_PKCS_ALG_DECRYPT(silc_pkcs1_decrypt)
514 RsaPrivateKey *key = private_key;
/* `padded' is allocated by silc_mp_mp2bin() below; `unpadded' is a fixed
   buffer capping the modulus at 2048 bytes. */
517 unsigned char *padded, unpadded[2048 + 1];
518 SilcUInt32 padded_len, dst_len;
/* Refuse keys that would overflow the work buffer. */
521 if (sizeof(unpadded) < (key->bits + 7) / 8) {
522 decrypt_cb(FALSE, NULL, 0, context);
526 stack = silc_stack_alloc(2048, silc_crypto_stack());
528 silc_mp_sinit(stack, &mp_tmp);
529 silc_mp_sinit(stack, &mp_dst);
/* NOTE(review): src_len is not compared with the modulus size on the
   visible lines; an oversized ciphertext goes into the MP integer as is.
   Confirm silc_rsa_private_operation() copes with that, or reject
   src_len > (key->bits + 7) / 8 up front. */
532 silc_mp_bin2mp(src, src_len, &mp_tmp);
535 silc_rsa_private_operation(key, &mp_tmp, &mp_dst);
/* Render the result as a modulus-length block (presumably left-padded to
   that size). */
538 padded = silc_mp_mp2bin(&mp_dst, (key->bits + 7) / 8, &padded_len);
/* Strip the padding.
   NOTE(review): silc_pkcs1_decode() is not constant-time and the FALSE
   callback here is distinguishable from success, so a peer that can
   observe this outcome (or its timing) gets a PKCS #1 v1.5 padding oracle.
   Callers must treat a decryption failure exactly like an unusable
   plaintext and not signal it to the remote side. */
541 if (!silc_pkcs1_decode(SILC_PKCS1_BT_PUB, padded, padded_len,
542 unpadded, sizeof(unpadded), &dst_len)) {
543 memset(padded, 0, padded_len);
545 silc_mp_suninit(stack, &mp_tmp);
546 silc_mp_suninit(stack, &mp_dst);
547 decrypt_cb(FALSE, NULL, 0, context);
552 decrypt_cb(TRUE, unpadded, dst_len, context);
/* Wipe both the padded and the unpadded plaintext before releasing. */
554 memset(padded, 0, padded_len);
555 memset(unpadded, 0, sizeof(unpadded));
557 silc_mp_suninit(stack, &mp_tmp);
558 silc_mp_suninit(stack, &mp_dst);
559 silc_stack_free(stack);
564 /* PKCS #1 signature with appendix: the hash OID is embedded in the
    signed DigestInfo.  Signs `src' (`src_len' bytes) with the RSA private
    key; when `hash' is given the data is hashed first.  The digest is
    wrapped in a DigestInfo (hash OID, NULL parameters, OCTET STRING),
    padded as a block-type-01 PKCS #1 v1.5 block of modulus length, and
    the RSA private operation result is passed to `sign_cb', which is
    called with FALSE on every failure.  Parameters come from the
    SILC_PKCS_ALG_SIGN macro; the declarations of stack, asn1, oid, di,
    mp_tmp and mp_dst, the `if (hash)' condition and the re-pointing of
    `src' at the digest, some ASN.1 template lines and the return
    statements are elided in this listing. */
566 SILC_PKCS_ALG_SIGN(silc_pkcs1_sign)
568 RsaPrivateKey *key = private_key;
/* Fixed work buffers: modulus capped at 2048 bytes, digest at
   SILC_HASH_MAXLEN. */
569 unsigned char padded[2048 + 1], hashr[SILC_HASH_MAXLEN];
573 SilcUInt32 len = (key->bits + 7) / 8;
578 SILC_LOG_DEBUG(("Sign"));
580 if (sizeof(padded) < len) {
581 sign_cb(FALSE, NULL, 0, context);
/* The DigestInfo needs the hash's OID; without one there is no
   signature (the NULL test is on an elided line). */
585 oid = silc_hash_get_oid(hash);
587 sign_cb(FALSE, NULL, 0, context);
591 stack = silc_stack_alloc(2048, silc_crypto_stack());
593 asn1 = silc_asn1_alloc(stack);
595 silc_stack_free(stack);
596 sign_cb(FALSE, NULL, 0, context);
/* Hash the input into hashr; an elided line presumably re-points `src'
   at hashr so that the OCTET STRING below carries the digest. */
602 silc_hash_make(hash, src, src_len, hashr);
604 src_len = silc_hash_len(hash);
607 /* Encode digest info */
608 memset(&di, 0, sizeof(di));
609 if (!silc_asn1_encode(asn1, &di,
/* DigestInfo layout: SEQUENCE { SEQUENCE { OID, NULL }, OCTET STRING };
   the SEQUENCE and OID lines of the template are elided. */
613 SILC_ASN1_NULL(TRUE),
615 SILC_ASN1_OCTET_STRING(src, src_len),
616 SILC_ASN1_END, SILC_ASN1_END)) {
617 silc_asn1_free(asn1);
618 silc_stack_free(stack);
619 sign_cb(FALSE, NULL, 0, context);
622 SILC_LOG_HEXDUMP(("DigestInfo"), silc_buffer_data(&di),
623 silc_buffer_len(&di));
/* Block type 01 padding is deterministic and needs no RNG, hence NULL. */
626 if (!silc_pkcs1_encode(SILC_PKCS1_BT_PRV1, silc_buffer_data(&di),
627 silc_buffer_len(&di), padded, len, NULL)) {
628 silc_asn1_free(asn1);
629 silc_stack_free(stack);
630 sign_cb(FALSE, NULL, 0, context);
634 silc_mp_sinit(stack, &mp_tmp);
635 silc_mp_sinit(stack, &mp_dst);
/* Padded block -> integer -> RSA private operation -> `len' bytes. */
638 silc_mp_bin2mp(padded, len, &mp_tmp);
641 silc_rsa_private_operation(key, &mp_tmp, &mp_dst);
644 silc_mp_mp2bin_noalloc(&mp_dst, padded, len);
647 sign_cb(TRUE, padded, len, context);
/* Wipe the work buffers and release the scratch state (a plain memset()
   on a dead buffer may be optimised away; a memset_s/explicit_bzero style
   primitive would be more reliable). */
649 memset(padded, 0, sizeof(padded));
651 memset(hashr, 0, sizeof(hashr));
652 silc_mp_suninit(stack, &mp_tmp);
653 silc_mp_suninit(stack, &mp_dst);
654 silc_asn1_free(asn1);
655 silc_stack_free(stack);
660 /* PKCS #1 verification with appendix.  Verifies `signature'
    (`signature_len' bytes) over `data' (`data_len' bytes) with the RSA
    public key: the signature is put through the RSA public operation,
    un-padded as a block-type-01 block, and the recovered DigestInfo is
    compared byte for byte with a locally encoded DigestInfo over the hash
    of `data'.  The verdict is delivered through `verify_cb'.  Parameters
    come from the SILC_PKCS_ALG_VERIFY macro; the declarations of stack,
    asn1, oid, mp_tmp2 and mp_dst, the `if (!hash)' branch structure and
    `hash = ihash', the `ret = TRUE' assignment, several ASN.1 template
    lines, the release of `verify' and the `err' label are elided in this
    listing. */
662 SILC_PKCS_ALG_VERIFY(silc_pkcs1_verify)
664 RsaPublicKey *key = public_key;
665 SilcBool ret = FALSE;
/* `verify' is allocated by silc_mp_mp2bin(); `unpadded' caps the modulus
   at 2048 bytes. */
668 unsigned char *verify, unpadded[2048 + 1], hashr[SILC_HASH_MAXLEN];
669 SilcUInt32 verify_len, len = (key->bits + 7) / 8;
/* di: DigestInfo recovered from the signature; ldi: the local one. */
670 SilcBufferStruct di, ldi;
/* Whether the remote DigestInfo carried the NULL parameter; mirrored when
   re-encoding locally so either form compares equal to itself. */
671 SilcBool has_null = TRUE;
/* Hash allocated here from the OID in the signature when the caller did
   not supply one; freed on both exits. */
672 SilcHash ihash = NULL;
677 SILC_LOG_DEBUG(("Verify signature"));
679 stack = silc_stack_alloc(2048, silc_crypto_stack());
681 asn1 = silc_asn1_alloc(stack);
683 verify_cb(FALSE, context);
687 silc_mp_sinit(stack, &mp_tmp2);
688 silc_mp_sinit(stack, &mp_dst);
690 /* Format the signature into MP int */
/* NOTE(review): signature_len is not checked against the modulus size on
   the visible lines; confirm the elided lines or the public operation
   reject oversized input. */
691 silc_mp_bin2mp(signature, signature_len, &mp_tmp2);
694 silc_rsa_public_operation(key, &mp_tmp2, &mp_dst);
697 verify = silc_mp_mp2bin(&mp_dst, len, &verify_len);
/* Strip block-type-01 padding; `len' is reused for the payload length
   (the failure branch is elided). */
700 if (!silc_pkcs1_decode(SILC_PKCS1_BT_PRV1, verify, verify_len,
701 unpadded, sizeof(unpadded), &len))
703 silc_buffer_set(&di, unpadded, len);
705 /* If hash isn't given, allocate the one given in digest info */
/* NOTE(review): in this branch the signature itself chooses the hash
   algorithm, and any algorithm silc_hash_alloc_by_oid() knows is
   accepted, so a signature made with a weak but supported hash verifies.
   Callers with a fixed expectation should pass `hash' rather than NULL. */
709 /* Decode digest info */
710 if (!silc_asn1_decode(asn1, &di,
711 SILC_ASN1_OPTS(SILC_ASN1_ACCUMUL),
/* The NULL parameter is OPTIONAL; has_null records whether it was
   present. */
715 SILC_ASN1_NULL_T(SILC_ASN1_OPTIONAL,
716 SILC_ASN1_TAG_NULL, &has_null),
718 SILC_ASN1_END, SILC_ASN1_END))
721 if (!silc_hash_alloc_by_oid(oid, &ihash)) {
722 SILC_LOG_DEBUG(("Unknown OID %s", oid));
/* Hash the data (the guarding condition and the re-pointing of `data' at
   hashr are elided) and take the hash's own OID for the local
   DigestInfo. */
729 silc_hash_make(hash, data, data_len, hashr);
731 data_len = silc_hash_len(hash);
732 oid = (char *)silc_hash_get_oid(hash);
734 /* Encode digest info for comparison */
735 memset(&ldi, 0, sizeof(ldi));
736 if (!silc_asn1_encode(asn1, &ldi,
737 SILC_ASN1_OPTS(SILC_ASN1_ACCUMUL),
741 SILC_ASN1_NULL(has_null),
743 SILC_ASN1_OCTET_STRING(data, data_len),
744 SILC_ASN1_END, SILC_ASN1_END))
747 SILC_LOG_HEXDUMP(("DigestInfo remote"), silc_buffer_data(&di),
748 silc_buffer_len(&di));
749 SILC_LOG_HEXDUMP(("DigestInfo local"), silc_buffer_data(&ldi),
750 silc_buffer_len(&ldi));
/* Whole-payload comparison against the expected encoding: any trailing
   bytes after the DigestInfo make the lengths differ and the check fails,
   which is what a PKCS #1 v1.5 verifier needs (parsing the structure
   alone would not be enough).  The `ret = TRUE' branch is elided. */
753 if (silc_buffer_len(&di) == silc_buffer_len(&ldi) &&
754 !memcmp(silc_buffer_data(&di), silc_buffer_data(&ldi),
755 silc_buffer_len(&ldi)))
759 verify_cb(ret, context);
/* Normal exit: wipe and release everything (the release of `verify' is
   on an elided line). */
761 memset(verify, 0, verify_len);
762 memset(unpadded, 0, sizeof(unpadded));
764 silc_mp_suninit(stack, &mp_tmp2);
765 silc_mp_suninit(stack, &mp_dst);
767 memset(hashr, 0, sizeof(hashr));
769 silc_hash_free(ihash);
770 silc_asn1_free(asn1);
771 silc_stack_free(stack);
/* Error exit (label elided): same teardown, then a FALSE verdict. */
776 memset(verify, 0, verify_len);
778 silc_mp_suninit(stack, &mp_tmp2);
779 silc_mp_suninit(stack, &mp_dst);
781 silc_hash_free(ihash);
782 silc_asn1_free(asn1);
783 silc_stack_free(stack);
785 verify_cb(FALSE, context);
789 /* PKCS #1 signature without hash OID.  Signs `src' (`src_len' bytes)
    with the RSA private key without wrapping the digest in a DigestInfo:
    the (optionally hashed) data is padded directly as a block-type-01
    PKCS #1 v1.5 block of modulus length and the RSA private operation
    result is handed to `sign_cb', which is called with FALSE on every
    failure.  Because no hash OID is embedded, the signature does not
    identify the hash algorithm; verifiers must know it out of band.
    Parameters come from the SILC_PKCS_ALG_SIGN macro; the declarations of
    stack, mp_tmp and mp_dst, the `if (hash)' condition, the re-pointing
    of `src' at the digest and the return statements are elided in this
    listing. */
791 SILC_PKCS_ALG_SIGN(silc_pkcs1_sign_no_oid)
793 RsaPrivateKey *key = private_key;
/* Fixed work buffers: modulus capped at 2048 bytes, digest at
   SILC_HASH_MAXLEN. */
796 unsigned char padded[2048 + 1], hashr[SILC_HASH_MAXLEN];
797 SilcUInt32 len = (key->bits + 7) / 8;
800 SILC_LOG_DEBUG(("Sign"));
802 if (sizeof(padded) < len) {
803 sign_cb(FALSE, NULL, 0, context);
807 /* Compute hash if requested */
809 silc_hash_make(hash, src, src_len, hashr);
811 src_len = silc_hash_len(hash);
/* Block type 01 padding is deterministic and needs no RNG, hence NULL. */
815 if (!silc_pkcs1_encode(SILC_PKCS1_BT_PRV1, src, src_len,
816 padded, len, NULL)) {
817 sign_cb(FALSE, NULL, 0, context);
821 stack = silc_stack_alloc(2048, silc_crypto_stack());
823 silc_mp_sinit(stack, &mp_tmp);
824 silc_mp_sinit(stack, &mp_dst);
/* Padded block -> integer -> RSA private operation -> `len' bytes. */
827 silc_mp_bin2mp(padded, len, &mp_tmp);
830 silc_rsa_private_operation(key, &mp_tmp, &mp_dst);
833 silc_mp_mp2bin_noalloc(&mp_dst, padded, len);
836 sign_cb(TRUE, padded, len, context);
/* Wipe the work buffers and release the scratch state (a plain memset()
   on a dead buffer may be optimised away; a memset_s/explicit_bzero style
   primitive would be more reliable). */
838 memset(padded, 0, sizeof(padded));
840 memset(hashr, 0, sizeof(hashr));
841 silc_mp_suninit(stack, &mp_tmp);
842 silc_mp_suninit(stack, &mp_dst);
843 silc_stack_free(stack);
848 /* PKCS #1 verification without hash OID.  Verifies a signature produced
    by silc_pkcs1_sign_no_oid(): the un-padded block-type-01 payload must
    equal the (optionally hashed) `data' byte for byte.  With no DigestInfo
    the signature does not bind the hash algorithm, so the caller must fix
    `hash' and must not let the peer choose it.  The verdict is delivered
    through `verify_cb'.  Parameters come from the SILC_PKCS_ALG_VERIFY
    macro; the declarations of stack, mp_tmp2 and mp_dst, the `if (hash)'
    condition and the re-pointing of `data' at the digest, the `ret = TRUE'
    assignment, the release of `verify' and the return statements are
    elided in this listing. */
850 SILC_PKCS_ALG_VERIFY(silc_pkcs1_verify_no_oid)
852 RsaPublicKey *key = public_key;
853 SilcBool ret = FALSE;
/* `verify' is allocated by silc_mp_mp2bin(); `unpadded' caps the modulus
   at 2048 bytes. */
856 unsigned char *verify, unpadded[2048 + 1], hashr[SILC_HASH_MAXLEN];
857 SilcUInt32 verify_len, len = (key->bits + 7) / 8;
860 SILC_LOG_DEBUG(("Verify signature"));
862 stack = silc_stack_alloc(2048, silc_crypto_stack());
864 silc_mp_sinit(stack, &mp_tmp2);
865 silc_mp_sinit(stack, &mp_dst);
867 /* Format the signature into MP int */
/* NOTE(review): signature_len is not checked against the modulus size on
   the visible lines; confirm the elided lines or the public operation
   reject oversized input. */
868 silc_mp_bin2mp(signature, signature_len, &mp_tmp2);
871 silc_rsa_public_operation(key, &mp_tmp2, &mp_dst);
874 verify = silc_mp_mp2bin(&mp_dst, len, &verify_len);
/* Strip block-type-01 padding; `len' is reused for the payload length.
   On failure everything is torn down and a FALSE verdict delivered. */
877 if (!silc_pkcs1_decode(SILC_PKCS1_BT_PRV1, verify, verify_len,
878 unpadded, sizeof(unpadded), &len)) {
879 memset(verify, 0, verify_len);
881 silc_mp_suninit(stack, &mp_tmp2);
882 silc_mp_suninit(stack, &mp_dst);
883 silc_stack_free(stack);
884 verify_cb(FALSE, context);
888 /* Hash data if requested */
890 silc_hash_make(hash, data, data_len, hashr);
892 data_len = silc_hash_len(hash);
/* Whole-payload comparison: the length test rejects any block whose
   payload is longer or shorter than the expected digest, so trailing
   bytes cannot slip past the memcmp().  The `ret = TRUE' branch is
   elided. */
896 if (len == data_len && !memcmp(data, unpadded, len))
900 verify_cb(ret, context);
/* Wipe the work buffers and release the scratch state (the release of
   `verify' is on an elided line). */
902 memset(verify, 0, verify_len);
903 memset(unpadded, 0, sizeof(unpadded));
905 memset(hashr, 0, sizeof(hashr));
907 silc_mp_suninit(stack, &mp_tmp2);
908 silc_mp_suninit(stack, &mp_dst);
909 silc_stack_free(stack);