5 Author: Pekka Riikonen <priikone@silcnet.org>
7 Copyright (C) 2003 - 2014 Pekka Riikonen
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; version 2 of the License.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
23 #include "silcpkcs1_i.h"
25 /************************** PKCS #1 message format ***************************/
27 /* Minimum padding in block */
28 #define SILC_PKCS1_MIN_PADDING 8
30 /* Encodes PKCS#1 data block from the `data' according to the block type
31 indicated by `bt'. When encoding signatures the `bt' must be
32 SILC_PKCS1_BT_PRV1 and when encoding encryption blocks the `bt' must
33 be SILC_PKCS1_BT_PUB. The encoded data is copied into the `dest_data'
34 buffer which is size of `dest_data_size'. If the `dest_data' is not
35 able to hold the encoded block this returns FALSE. The `rng' must be
36 set when `bt' is SILC_PKCS1_BT_PUB. This function returns TRUE on success. */
/* Builds a PKCS #1 v1.5 style block in `dest_data': block type byte,
   padding, a zero separator and then the payload.
   NOTE(review): this listing omits some lines of the original file (the
   leading numbers are the original line numbers); the comments added here
   describe only the statements that are visible. */
39 SilcBool silc_pkcs1_encode(SilcPkcs1BlockType bt,
40 const unsigned char *data,
42 unsigned char *dest_data,
43 SilcUInt32 dest_data_size,
49 SILC_LOG_DEBUG(("PKCS#1 encoding, bt %d", bt));
/* Refuse NULL buffers, an output block too small for three framing bytes
   plus the minimum padding, and input longer than the whole block. */
51 if (!data || !dest_data ||
52 dest_data_size < SILC_PKCS1_MIN_PADDING + 3 ||
53 dest_data_size < data_len) {
54 SILC_LOG_DEBUG(("Data to be encoded is too long"));
/* Offset 1 carries the block type (the write to offset 0 is not visible in
   this listing). */
60 dest_data[1] = (unsigned char)bt;
/* Padding takes whatever the payload and the three framing bytes leave
   free; the block is rejected when that is less than the minimum. */
62 padlen = (SilcInt32)dest_data_size - (SilcInt32)data_len - 3;
63 if (padlen < SILC_PKCS1_MIN_PADDING) {
64 SILC_LOG_DEBUG(("Data to be encoded is too long"));
68 /* Encode according to block type */
70 case SILC_PKCS1_BT_PRV0:
71 case SILC_PKCS1_BT_PRV1:
/* Constant padding: `padlen' bytes from offset 2, 0xff for PRV1 and 0x00
   for PRV0. */
73 memset(dest_data + 2, bt == SILC_PKCS1_BT_PRV1 ? 0xff : 0x00, padlen);
76 case SILC_PKCS1_BT_PUB:
79 SILC_LOG_ERROR(("Cannot encrypt: random number generator not provided"));
83 /* It is guaranteed this routine does not return zero byte. */
/* NOTE(review): this loop writes offsets 2 .. padlen - 1, i.e. padlen - 2
   bytes, while the padding region is `padlen' bytes long (the memset in the
   PRV cases covers padlen bytes and the separator below sits at
   padlen + 2).  Unless lines not shown here fill dest_data[padlen] and
   dest_data[padlen + 1], those two bytes keep whatever the caller's buffer
   already held; a zero there would be taken by the decoder as an early
   separator.  The bound probably needs to be `i < padlen + 2' -- confirm
   against the full source. */
84 for (i = 2; i < padlen; i++)
85 dest_data[i] = silc_rng_get_byte_fast(rng);
/* Zero separator directly after the padding, then the payload. */
91 dest_data[padlen + 2] = 0x00;
92 memcpy(dest_data + padlen + 3, data, data_len);
97 /* Decodes the PKCS#1 encoded block according to the block type `bt'.
98 When verifying signatures the `bt' must be SILC_PKCS1_BT_PRV1 and
99 when decrypting it must be SILC_PKCS1_BT_PUB. This copies the
100 decoded data into `dest_data' which is size of `dest_data_size'. If
101 the decoded block does not fit to `dest_data' this returns FALSE.
102 Returns TRUE on success. */
/* Checks the framing and padding of a PKCS #1 v1.5 style block and copies
   the payload that follows the zero separator into `dest_data'.
   NOTE(review): for SILC_PKCS1_BT_PUB this is the padding check of RSA
   PKCS #1 v1.5 decryption.  It fails at several distinct points, so callers
   should make sure a remote peer cannot tell a padding failure apart from
   any other decryption failure (by error code, log output or timing);
   otherwise the function can serve as a padding oracle. */
104 SilcBool silc_pkcs1_decode(SilcPkcs1BlockType bt,
105 const unsigned char *data,
107 unsigned char *dest_data,
108 SilcUInt32 dest_data_size,
109 SilcUInt32 *dest_len)
113 SILC_LOG_DEBUG(("PKCS#1 decoding, bt %d", bt));
/* First byte must be 0x00 and the second must equal the expected block
   type.
   NOTE(review): data[0] and data[1] are read here although `data_len' is
   not part of this condition; confirm no caller can pass a block shorter
   than two bytes, or add a `data_len' test in front of these reads. */
116 if (!data || !dest_data || dest_data_size < 3 ||
117 data[0] != 0x00 || data[1] != (unsigned char)bt) {
118 SILC_LOG_DEBUG(("Malformed block"));
122 /* Decode according to block type */
124 case SILC_PKCS1_BT_PRV0:
128 case SILC_PKCS1_BT_PRV1:
/* Both scans start at offset 2 and are bounded by `data_len' (the loop
   bodies are not visible in this listing). */
130 for (i = 2; i < data_len; i++)
135 case SILC_PKCS1_BT_PUB:
137 for (i = 2; i < data_len; i++)
145 SILC_LOG_DEBUG(("Malformed block"));
/* NOTE(review): `i' is an offset that started at 2, so if it marks the end
   of the padding run this test accepts runs as short as
   SILC_PKCS1_MIN_PADDING - 2 bytes; PKCS #1 v1.5 asks for at least eight
   padding bytes.  Confirm whether `i < SILC_PKCS1_MIN_PADDING + 2' was
   intended. */
148 if (i < SILC_PKCS1_MIN_PADDING) {
149 SILC_LOG_DEBUG(("Malformed block"));
/* The byte after the padding must be the zero separator; `i' then points at
   the payload. */
152 if (data[i++] != 0x00) {
153 SILC_LOG_DEBUG(("Malformed block"));
157 SILC_LOG_DEBUG(("Malformed block"));
/* The payload is everything after the separator; refuse it when it does not
   fit the destination. */
160 if (dest_data_size < data_len - i) {
161 SILC_LOG_DEBUG(("Destination buffer too small"));
166 memcpy(dest_data, data + i, data_len - i);
168 /* Return data length */
170 *dest_len = data_len - i;
176 /***************************** PKCS #1 PKCS API ******************************/
178 /* Generates RSA key pair. */
/* Generates an RSA key pair of `keylen' bits from two primes of keylen / 2
   bits each and passes them to silc_rsa_generate_keys(). */
180 SilcBool silc_pkcs1_generate_key(SilcUInt32 keylen,
182 void **ret_public_key,
183 void **ret_private_key)
185 SilcUInt32 prime_bits = keylen / 2;
187 SilcBool found = FALSE;
/* NOTE(review): the accepted range starts at 768 bits.  RSA moduli of that
   size have been publicly factored and current guidance (e.g. NIST
   SP 800-57) asks for at least 2048 bits; consider raising the lower bound
   or enforcing a stricter minimum in callers. */
189 if (keylen < 768 || keylen > 16384)
/* Both primes come from `rng'; the comparison rejects the p == q case (the
   surrounding retry loop is not visible in this listing). */
197 silc_math_gen_prime(&p, prime_bits, FALSE, rng);
198 silc_math_gen_prime(&q, prime_bits, FALSE, rng);
199 if ((silc_mp_cmp(&p, &q)) != 0)
203 /* If p is smaller than q, switch them */
/* NOTE(review): the test below is `> 0'.  If silc_mp_cmp() follows the
   usual negative / zero / positive convention, the swap happens when p is
   larger than q, which disagrees with the comment above -- confirm which
   ordering silc_rsa_generate_keys() expects. */
204 if ((silc_mp_cmp(&p, &q)) > 0) {
/* Swap through the temporary `hlp', which is released afterwards. */
208 silc_mp_set(&hlp, &p);
210 silc_mp_set(&q, &hlp);
212 silc_mp_uninit(&hlp);
215 /* Generate the actual keys */
/* NOTE(review): p, q and hlp hold secret primes.  How they are released,
   and what happens on this failure branch, is not visible in this listing
   -- confirm they are released with silc_mp_uninit() on every exit. */
216 if (!silc_rsa_generate_keys(keylen, &p, &q, ret_public_key, ret_private_key))
225 /* Import PKCS #1 compliant public key */
/* Parses a PKCS #1 encoded RSA public key from `key' into a newly
   allocated RsaPublicKey stored in `*ret_public_key'.
   NOTE(review): the encoded key is normally untrusted input.  No range
   check on the decoded modulus or exponent is visible in this listing, so
   callers that need a minimum key size should check the resulting bit
   length themselves. */
227 int silc_pkcs1_import_public_key(unsigned char *key,
229 void **ret_public_key)
231 SilcAsn1 asn1 = NULL;
232 SilcBufferStruct alg_key;
233 RsaPublicKey *pubkey;
238 asn1 = silc_asn1_alloc();
242 /* Allocate RSA public key */
/* The output pointer is assigned before parsing; whether it is reset when
   decoding fails is not visible here, so callers should ignore it on a
   failure return. */
243 *ret_public_key = pubkey = silc_calloc(1, sizeof(*pubkey));
247 /* Parse the PKCS #1 public key */
248 silc_buffer_set(&alg_key, key, key_len);
249 if (!silc_asn1_decode(asn1, &alg_key,
250 SILC_ASN1_OPTS(SILC_ASN1_ALLOC),
252 SILC_ASN1_INT(&pubkey->n),
253 SILC_ASN1_INT(&pubkey->e),
254 SILC_ASN1_END, SILC_ASN1_END))
/* Key length: bit size of the modulus rounded up to a whole number of
   bytes. */
258 pubkey->bits = ((silc_mp_sizeinbase(&pubkey->n, 2) + 7) / 8) * 8;
260 silc_asn1_free(asn1);
/* Second release of the ASN.1 context, presumably on the error exit (the
   label is not visible in this listing). */
266 silc_asn1_free(asn1);
270 /* Export PKCS #1 compliant public key */
/* Encodes the modulus and public exponent of an RsaPublicKey with
   silc_asn1_encode() and returns the encoded bytes; the length is reported
   through `ret_len' by silc_buffer_steal(). */
272 unsigned char *silc_pkcs1_export_public_key(void *public_key,
275 RsaPublicKey *key = public_key;
276 SilcAsn1 asn1 = NULL;
277 SilcBufferStruct alg_key;
280 asn1 = silc_asn1_alloc();
284 /* Encode to PKCS #1 public key */
/* Start from an empty buffer; the encoder runs with SILC_ASN1_ALLOC. */
285 memset(&alg_key, 0, sizeof(alg_key));
286 if (!silc_asn1_encode(asn1, &alg_key,
287 SILC_ASN1_OPTS(SILC_ASN1_ALLOC),
289 SILC_ASN1_INT(&key->n),
290 SILC_ASN1_INT(&key->e),
291 SILC_ASN1_END, SILC_ASN1_END))
/* Take the encoded bytes out of the buffer for the caller, then release the
   ASN.1 context. */
294 ret = silc_buffer_steal(&alg_key, ret_len);
295 silc_asn1_free(asn1);
/* Presumably the error exit (the label is not visible in this listing). */
301 silc_asn1_free(asn1);
305 /* Returns key length */
/* Key-length accessor for an RSA public key.  The opaque handle is used as
   an RsaPublicKey without a NULL check in the visible lines; the return
   statement is not visible in this listing. */
307 SilcUInt32 silc_pkcs1_public_key_bitlen(void *public_key)
309 RsaPublicKey *key = public_key;
313 /* Copy public key */
/* Returns a newly allocated copy of an RSA public key: modulus, exponent
   and recorded bit length. */
315 void *silc_pkcs1_public_key_copy(void *public_key)
317 RsaPublicKey *key = public_key, *new_key;
319 new_key = silc_calloc(1, sizeof(*new_key));
/* Initialise the destination integers before copying the values over. */
323 silc_mp_init(&new_key->n);
324 silc_mp_init(&new_key->e);
325 silc_mp_set(&new_key->n, &key->n);
326 silc_mp_set(&new_key->e, &key->e);
327 new_key->bits = key->bits;
332 /* Compare public keys */
/* Compares two RSA public keys field by field: recorded bit length first,
   then the exponent, then the modulus.  The values returned from each
   branch are not visible in this listing. */
334 SilcBool silc_pkcs1_public_key_compare(void *key1, void *key2)
336 RsaPublicKey *k1 = key1, *k2 = key2;
338 if (k1->bits != k2->bits)
340 if (silc_mp_cmp(&k1->e, &k2->e) != 0)
342 if (silc_mp_cmp(&k1->n, &k2->n) != 0)
348 /* Frees public key */
/* Releases the integers of an RSA public key.  Freeing of the structure
   itself is not visible in this listing. */
350 void silc_pkcs1_public_key_free(void *public_key)
352 RsaPublicKey *key = public_key;
354 silc_mp_uninit(&key->n);
355 silc_mp_uninit(&key->e);
359 /* Import PKCS #1 compliant private key */
/* Parses a PKCS #1 encoded RSA private key from `key' into a newly
   allocated RsaPrivateKey stored in `*ret_private_key'.
   NOTE(review): the structure ends up holding secret material; what happens
   to a partly filled structure when decoding fails is not visible in this
   listing -- confirm it is wiped and freed on the error exit. */
361 int silc_pkcs1_import_private_key(unsigned char *key,
363 void **ret_private_key)
366 SilcBufferStruct alg_key;
367 RsaPrivateKey *privkey;
370 if (!ret_private_key)
373 asn1 = silc_asn1_alloc();
377 /* Allocate RSA private key */
378 *ret_private_key = privkey = silc_calloc(1, sizeof(*privkey));
382 /* Parse the PKCS #1 private key */
383 silc_buffer_set(&alg_key, key, key_len);
/* Fields are read in this order: version, n, e, d, p, q, dP, dQ, qP.  Any
   check on the decoded version value is not visible in this listing. */
384 if (!silc_asn1_decode(asn1, &alg_key,
385 SILC_ASN1_OPTS(SILC_ASN1_ALLOC),
387 SILC_ASN1_SHORT_INT(&ver),
388 SILC_ASN1_INT(&privkey->n),
389 SILC_ASN1_INT(&privkey->e),
390 SILC_ASN1_INT(&privkey->d),
391 SILC_ASN1_INT(&privkey->p),
392 SILC_ASN1_INT(&privkey->q),
393 SILC_ASN1_INT(&privkey->dP),
394 SILC_ASN1_INT(&privkey->dQ),
395 SILC_ASN1_INT(&privkey->qP),
396 SILC_ASN1_END, SILC_ASN1_END))
/* Key length: bit size of the modulus rounded up to a whole number of
   bytes. */
403 privkey->bits = ((silc_mp_sizeinbase(&privkey->n, 2) + 7) / 8) * 8;
405 silc_asn1_free(asn1);
/* Presumably the error exit (the label is not visible in this listing). */
411 silc_asn1_free(asn1);
415 /* Export PKCS #1 compliant private key */
/* Encodes an RsaPrivateKey with silc_asn1_encode() and returns the encoded
   bytes; the length is reported through `ret_len' by silc_buffer_steal().
   NOTE(review): the returned buffer holds the private key unencrypted.  The
   caller owns it and should wipe it before freeing; keep it out of logs and
   persistent storage unless it is protected. */
417 unsigned char *silc_pkcs1_export_private_key(void *private_key,
420 RsaPrivateKey *key = private_key;
422 SilcBufferStruct alg_key;
425 asn1 = silc_asn1_alloc();
429 /* Encode to PKCS #1 private key */
430 memset(&alg_key, 0, sizeof(alg_key));
/* Version 0 followed by n, e, d, p, q, dP, dQ, qP, the same field order the
   import routine reads. */
431 if (!silc_asn1_encode(asn1, &alg_key,
432 SILC_ASN1_OPTS(SILC_ASN1_ALLOC),
434 SILC_ASN1_SHORT_INT(0),
435 SILC_ASN1_INT(&key->n),
436 SILC_ASN1_INT(&key->e),
437 SILC_ASN1_INT(&key->d),
438 SILC_ASN1_INT(&key->p),
439 SILC_ASN1_INT(&key->q),
440 SILC_ASN1_INT(&key->dP),
441 SILC_ASN1_INT(&key->dQ),
442 SILC_ASN1_INT(&key->qP),
443 SILC_ASN1_END, SILC_ASN1_END))
446 ret = silc_buffer_steal(&alg_key, ret_len);
447 silc_asn1_free(asn1);
/* Presumably the error exit (the label is not visible in this listing). */
452 silc_asn1_free(asn1);
456 /* Returns key length */
/* Key-length accessor for an RSA private key.  The opaque handle is used as
   an RsaPrivateKey without a NULL check in the visible lines; the return
   statement is not visible in this listing. */
458 SilcUInt32 silc_pkcs1_private_key_bitlen(void *private_key)
460 RsaPrivateKey *key = private_key;
464 /* Frees private key */
/* Releases all eight integers of an RSA private key.
   NOTE(review): whether the secret values are overwritten before their
   memory is released depends on silc_mp_uninit(), which is not shown here
   -- confirm it zeroises, or wipe the integers first.  Freeing of the
   structure itself is not visible in this listing. */
466 void silc_pkcs1_private_key_free(void *private_key)
468 RsaPrivateKey *key = private_key;
470 silc_mp_uninit(&key->n);
471 silc_mp_uninit(&key->e);
472 silc_mp_uninit(&key->d);
473 silc_mp_uninit(&key->dP);
474 silc_mp_uninit(&key->dQ);
475 silc_mp_uninit(&key->qP);
476 silc_mp_uninit(&key->p);
477 silc_mp_uninit(&key->q);
481 /* PKCS #1 RSA routines */
/* RSA encryption with PKCS #1 v1.5 style padding: pads the input into a
   block of the modulus size, applies the public-key operation and writes
   `len' bytes to `dst'.
   NOTE(review): a check of the destination size against `len' is not
   visible in this listing -- confirm one exists before the write to
   `dst'. */
483 SilcBool silc_pkcs1_encrypt(void *public_key,
488 SilcUInt32 *ret_dst_len,
491 RsaPublicKey *key = public_key;
/* Scratch block on the stack, roughly 64 KiB; relevant for threads with
   small stacks. */
494 unsigned char padded[65536 + 1];
/* Modulus size in bytes. */
495 SilcUInt32 len = (key->bits + 7) / 8;
/* Refuse keys whose block would not fit the scratch buffer. */
497 if (sizeof(padded) < len)
503 if (!silc_pkcs1_encode(SILC_PKCS1_BT_PUB, src, src_len,
507 silc_mp_init(&mp_tmp);
508 silc_mp_init(&mp_dst);
/* Padded block -> integer -> public operation -> `len' output bytes. */
511 silc_mp_bin2mp(padded, len, &mp_tmp);
514 silc_rsa_public_operation(key, &mp_tmp, &mp_dst);
517 silc_mp_mp2bin_noalloc(&mp_dst, dst, len);
/* NOTE(review): `padded' contains the plaintext.  A plain memset() on a
   buffer that is not read again may be removed by the optimiser; use a wipe
   the compiler cannot elide (explicit_bzero(), memset_s() or a
   volatile-qualified write loop). */
520 memset(padded, 0, sizeof(padded));
521 silc_mp_uninit(&mp_tmp);
522 silc_mp_uninit(&mp_dst);
/* RSA decryption with PKCS #1 v1.5 style padding: applies the private-key
   operation to `src', strips the padding and copies the plaintext to `dst'.
   NOTE(review): the failure return after silc_pkcs1_decode() means "bad
   padding".  If a remote peer can distinguish that outcome from other
   failures (error code, log line, timing) the routine can act as a padding
   oracle; protocol code should treat every decryption failure the same
   way. */
527 SilcBool silc_pkcs1_decrypt(void *private_key,
532 SilcUInt32 *ret_dst_len)
534 RsaPrivateKey *key = private_key;
/* `unpadded' is a roughly 64 KiB stack buffer that receives the
   plaintext. */
537 unsigned char *padded, unpadded[65536 + 1];
538 SilcUInt32 padded_len;
/* The destination must be able to hold a full modulus-sized block. */
540 if (dst_size < (key->bits + 7) / 8)
543 silc_mp_init(&mp_tmp);
544 silc_mp_init(&mp_dst);
/* Ciphertext -> integer -> private operation -> padded block whose length
   is returned in `padded_len'. */
547 silc_mp_bin2mp(src, src_len, &mp_tmp);
550 silc_rsa_private_operation(key, &mp_tmp, &mp_dst);
553 padded = silc_mp_mp2bin(&mp_dst, (key->bits + 7) / 8, &padded_len);
/* Presumably the failure branch of the conversion above (its condition is
   not visible in this listing). */
555 silc_mp_uninit(&mp_tmp);
556 silc_mp_uninit(&mp_dst);
561 if (!silc_pkcs1_decode(SILC_PKCS1_BT_PUB, padded, padded_len,
562 unpadded, sizeof(unpadded), ret_dst_len)) {
/* The visible failure path wipes `padded'; no wipe of `unpadded' is visible
   on this path. */
563 memset(padded, 0, padded_len);
565 silc_mp_uninit(&mp_tmp);
566 silc_mp_uninit(&mp_dst);
570 /* Copy to destination */
571 memcpy(dst, unpadded, *ret_dst_len);
/* NOTE(review): both buffers hold plaintext.  The memset() on `unpadded' is
   a store to a local that is not read again and may be removed by the
   optimiser; use a wipe the compiler cannot elide (explicit_bzero(),
   memset_s() or a volatile-qualified write loop). */
573 memset(padded, 0, padded_len);
574 memset(unpadded, 0, sizeof(unpadded));
576 silc_mp_uninit(&mp_tmp);
577 silc_mp_uninit(&mp_dst);
582 /* PKCS #1 sign with appendix, hash OID included in the signature */
/* RSA signature with appendix: wraps the digest in an ASN.1 DigestInfo that
   names the hash by OID, pads it with block type SILC_PKCS1_BT_PRV1 and
   applies the private-key operation, writing `len' bytes to `signature'. */
584 SilcBool silc_pkcs1_sign(void *private_key,
587 unsigned char *signature,
588 SilcUInt32 signature_size,
589 SilcUInt32 *ret_signature_len,
590 SilcBool compute_hash,
593 RsaPrivateKey *key = private_key;
/* `padded' is a roughly 64 KiB stack buffer; `hashr' receives the
   digest. */
594 unsigned char padded[65536 + 1], hashr[SILC_HASH_MAXLEN];
/* Modulus size in bytes, which is also the signature length. */
598 SilcUInt32 len = (key->bits + 7) / 8;
602 SILC_LOG_DEBUG(("Sign"));
/* Both the scratch block and the caller's signature buffer must hold a
   modulus-sized value. */
604 if (sizeof(padded) < len)
606 if (signature_size < len)
/* OID of the hash that goes into the DigestInfo. */
609 oid = silc_hash_get_oid(hash);
613 asn1 = silc_asn1_alloc();
/* Hash the input into `hashr' and continue with the digest length (the
   `compute_hash' condition around this is not visible in this listing). */
619 silc_hash_make(hash, src, src_len, hashr);
621 src_len = silc_hash_len(hash);
624 /* Encode digest info */
625 memset(&di, 0, sizeof(di));
626 if (!silc_asn1_encode(asn1, &di,
632 SILC_ASN1_OCTET_STRING(src, src_len),
633 SILC_ASN1_END, SILC_ASN1_END)) {
634 silc_asn1_free(asn1);
637 SILC_LOG_HEXDUMP(("DigestInfo"), silc_buffer_data(&di),
638 silc_buffer_len(&di));
/* Signature padding is deterministic, so no RNG is passed. */
641 if (!silc_pkcs1_encode(SILC_PKCS1_BT_PRV1, silc_buffer_data(&di),
642 silc_buffer_len(&di), padded, len, NULL)) {
643 silc_asn1_free(asn1);
647 silc_mp_init(&mp_tmp);
648 silc_mp_init(&mp_dst);
/* Padded block -> integer -> private operation -> `len' signature bytes. */
651 silc_mp_bin2mp(padded, len, &mp_tmp);
654 silc_rsa_private_operation(key, &mp_tmp, &mp_dst);
657 silc_mp_mp2bin_noalloc(&mp_dst, signature, len);
658 *ret_signature_len = len;
/* NOTE(review): a plain memset() on locals that are not read again may be
   removed by the optimiser; if these wipes matter, use one the compiler
   cannot elide (explicit_bzero(), memset_s() or a volatile-qualified write
   loop). */
660 memset(padded, 0, sizeof(padded));
661 silc_mp_uninit(&mp_tmp);
662 silc_mp_uninit(&mp_dst);
664 memset(hashr, 0, sizeof(hashr));
665 silc_asn1_free(asn1);
670 /* PKCS #1 verification with appendix. */
/* RSA signature verification with appendix: applies the public-key
   operation to the signature, strips the SILC_PKCS1_BT_PRV1 padding and
   compares the recovered DigestInfo with one encoded locally from the
   data.
   NOTE(review): when no hash is supplied the algorithm is taken from the
   OID inside the signature, i.e. it is chosen by the signer.  Callers that
   require a particular hash should pass it in, or check the algorithm that
   was selected, so that any weaker registered hash is not accepted. */
672 SilcBool silc_pkcs1_verify(void *public_key,
673 unsigned char *signature,
674 SilcUInt32 signature_len,
679 RsaPublicKey *key = public_key;
680 SilcBool ret = FALSE;
/* `unpadded' is a roughly 64 KiB stack buffer for the recovered
   DigestInfo. */
683 unsigned char *verify = NULL, unpadded[65536 + 1], hashr[SILC_HASH_MAXLEN];
684 SilcUInt32 verify_len, len = (key->bits + 7) / 8;
685 SilcBufferStruct di, ldi;
686 SilcHash ihash = NULL;
687 SilcAsn1 asn1 = NULL;
690 SILC_LOG_DEBUG(("Verify signature"));
692 asn1 = silc_asn1_alloc();
696 silc_mp_init(&mp_tmp2);
697 silc_mp_init(&mp_dst);
699 /* Format the signature into MP int */
/* NOTE(review): a check of `signature_len' against the modulus size is not
   visible in this listing. */
700 silc_mp_bin2mp(signature, signature_len, &mp_tmp2);
703 silc_rsa_public_operation(key, &mp_tmp2, &mp_dst);
706 verify = silc_mp_mp2bin(&mp_dst, len, &verify_len);
/* Strip the padding; from here on `len' is the length of the recovered
   payload and `di' wraps exactly that payload. */
711 if (!silc_pkcs1_decode(SILC_PKCS1_BT_PRV1, verify, verify_len,
712 unpadded, sizeof(unpadded), &len))
714 silc_buffer_set(&di, unpadded, len);
716 /* If hash isn't given, allocate the one given in digest info */
718 /* Decode digest info */
719 if (!silc_asn1_decode(asn1, &di,
720 SILC_ASN1_OPTS(SILC_ASN1_ACCUMUL),
725 SILC_ASN1_END, SILC_ASN1_END))
728 if (!silc_hash_alloc_by_oid(oid, &ihash)) {
729 SILC_LOG_DEBUG(("Unknown OID %s", oid));
/* Hash the data locally and continue with the digest (the condition around
   this is not visible in this listing). */
736 silc_hash_make(hash, data, data_len, hashr);
738 data_len = silc_hash_len(hash);
739 oid = (char *)silc_hash_get_oid(hash);
741 /* Encode digest info for comparison */
742 memset(&ldi, 0, sizeof(ldi));
743 if (!silc_asn1_encode(asn1, &ldi,
744 SILC_ASN1_OPTS(SILC_ASN1_ACCUMUL),
750 SILC_ASN1_OCTET_STRING(data, data_len),
751 SILC_ASN1_END, SILC_ASN1_END))
754 SILC_LOG_HEXDUMP(("DigestInfo remote"), silc_buffer_data(&di),
755 silc_buffer_len(&di));
756 SILC_LOG_HEXDUMP(("DigestInfo local"), silc_buffer_data(&ldi),
757 silc_buffer_len(&ldi));
/* The decision compares the whole recovered payload with the locally
   encoded DigestInfo, lengths included, so extra bytes after the DigestInfo
   in the signature make the comparison fail rather than being ignored. */
760 if (silc_buffer_len(&di) == silc_buffer_len(&ldi) &&
761 !memcmp(silc_buffer_data(&di), silc_buffer_data(&ldi),
762 silc_buffer_len(&ldi)))
765 memset(verify, 0, verify_len);
766 memset(unpadded, 0, sizeof(unpadded));
768 silc_mp_uninit(&mp_tmp2);
769 silc_mp_uninit(&mp_dst);
771 memset(hashr, 0, sizeof(hashr));
773 silc_hash_free(ihash);
774 silc_asn1_free(asn1);
/* Second cleanup sequence, presumably the error exit (the label is not
   visible in this listing). */
780 memset(verify, 0, verify_len);
783 silc_mp_uninit(&mp_tmp2);
784 silc_mp_uninit(&mp_dst);
786 silc_hash_free(ihash);
787 silc_asn1_free(asn1);
791 /* PKCS #1 sign without hash oid */
/* RSA signature without a DigestInfo: the input (or its hash) is padded
   directly with block type SILC_PKCS1_BT_PRV1 and signed.
   NOTE(review): because no hash OID is included, the signature itself does
   not identify the hash algorithm; signer and verifier have to agree on it
   by other means. */
793 SilcBool silc_pkcs1_sign_no_oid(void *private_key,
796 unsigned char *signature,
797 SilcUInt32 signature_size,
798 SilcUInt32 *ret_signature_len,
799 SilcBool compute_hash,
802 RsaPrivateKey *key = private_key;
/* `padded' is a roughly 64 KiB stack buffer; `hashr' receives the
   digest. */
805 unsigned char padded[65536 + 1], hashr[SILC_HASH_MAXLEN];
/* Modulus size in bytes, which is also the signature length. */
806 SilcUInt32 len = (key->bits + 7) / 8;
808 SILC_LOG_DEBUG(("Sign"));
/* Both the scratch block and the caller's signature buffer must hold a
   modulus-sized value. */
810 if (sizeof(padded) < len)
812 if (signature_size < len)
815 /* Compute hash if requested */
817 silc_hash_make(hash, src, src_len, hashr);
819 src_len = silc_hash_len(hash);
823 if (!silc_pkcs1_encode(SILC_PKCS1_BT_PRV1, src, src_len,
827 silc_mp_init(&mp_tmp);
828 silc_mp_init(&mp_dst);
/* Padded block -> integer -> private operation -> `len' signature bytes. */
831 silc_mp_bin2mp(padded, len, &mp_tmp);
834 silc_rsa_private_operation(key, &mp_tmp, &mp_dst);
837 silc_mp_mp2bin_noalloc(&mp_dst, signature, len);
838 *ret_signature_len = len;
/* NOTE(review): a plain memset() on locals that are not read again may be
   removed by the optimiser; if these wipes matter, use one the compiler
   cannot elide (explicit_bzero(), memset_s() or a volatile-qualified write
   loop). */
840 memset(padded, 0, sizeof(padded));
841 silc_mp_uninit(&mp_tmp);
842 silc_mp_uninit(&mp_dst);
844 memset(hashr, 0, sizeof(hashr));
849 /* PKCS #1 verify without hash oid */
/* RSA signature verification without a DigestInfo: applies the public-key
   operation, strips the SILC_PKCS1_BT_PRV1 padding and compares the
   recovered bytes directly with the data (or its hash).
   NOTE(review): the signature carries no hash OID, so nothing in it ties
   the digest to a particular algorithm; the caller decides which hash is
   acceptable. */
851 SilcBool silc_pkcs1_verify_no_oid(void *public_key,
852 unsigned char *signature,
853 SilcUInt32 signature_len,
858 RsaPublicKey *key = public_key;
859 SilcBool ret = FALSE;
/* `unpadded' is a roughly 64 KiB stack buffer for the recovered payload. */
862 unsigned char *verify, unpadded[65536 + 1], hashr[SILC_HASH_MAXLEN];
863 SilcUInt32 verify_len, len = (key->bits + 7) / 8;
865 SILC_LOG_DEBUG(("Verify signature"));
867 silc_mp_init(&mp_tmp2);
868 silc_mp_init(&mp_dst);
870 /* Format the signature into MP int */
/* NOTE(review): a check of `signature_len' against the modulus size is not
   visible in this listing. */
871 silc_mp_bin2mp(signature, signature_len, &mp_tmp2);
874 silc_rsa_public_operation(key, &mp_tmp2, &mp_dst);
877 verify = silc_mp_mp2bin(&mp_dst, len, &verify_len);
/* Presumably the failure branch of the conversion above (its condition is
   not visible in this listing). */
879 silc_mp_uninit(&mp_tmp2);
880 silc_mp_uninit(&mp_dst);
/* Strip the padding; from here on `len' is the length of the recovered
   payload. */
885 if (!silc_pkcs1_decode(SILC_PKCS1_BT_PRV1, verify, verify_len,
886 unpadded, sizeof(unpadded), &len)) {
887 memset(verify, 0, verify_len);
889 silc_mp_uninit(&mp_tmp2);
890 silc_mp_uninit(&mp_dst);
894 /* Hash data if requested */
896 silc_hash_make(hash, data, data_len, hashr);
898 data_len = silc_hash_len(hash);
/* Accept only when the recovered payload has exactly the expected length
   and the same bytes. */
902 if (len == data_len && !memcmp(data, unpadded, len))
905 memset(verify, 0, verify_len);
906 memset(unpadded, 0, sizeof(unpadded));
908 silc_mp_uninit(&mp_tmp2);
909 silc_mp_uninit(&mp_dst);
911 memset(hashr, 0, sizeof(hashr));