Annotation of embedaddon/strongswan/src/libstrongswan/plugins/wolfssl/wolfssl_rsa_private_key.c, revision 1.1.1.1
1.1 misho 1: /*
2: * Copyright (C) 2019 Sean Parkinson, wolfSSL Inc.
3: *
4: * Permission is hereby granted, free of charge, to any person obtaining a copy
5: * of this software and associated documentation files (the "Software"), to deal
6: * in the Software without restriction, including without limitation the rights
7: * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
8: * copies of the Software, and to permit persons to whom the Software is
9: * furnished to do so, subject to the following conditions:
10: *
11: * The above copyright notice and this permission notice shall be included in
12: * all copies or substantial portions of the Software.
13: *
14: * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
15: * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16: * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
17: * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
18: * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
19: * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
20: * THE SOFTWARE.
21: */
22:
23: #include "wolfssl_common.h"
24:
25: #ifndef NO_RSA
26:
27: #include "wolfssl_rsa_private_key.h"
28: #include "wolfssl_rsa_public_key.h"
29: #include "wolfssl_util.h"
30:
31: #include <utils/debug.h>
32: #include <crypto/hashers/hasher.h>
33: #include <credentials/keys/signature_params.h>
34:
35: #include <wolfssl/wolfcrypt/rsa.h>
36: #include <wolfssl/wolfcrypt/asn.h>
37:
38: typedef struct private_wolfssl_rsa_private_key_t private_wolfssl_rsa_private_key_t;
39:
40: /**
41: * Private data of a wolfssl_rsa_private_key_t object
42: */
43: struct private_wolfssl_rsa_private_key_t {
44:
45: /**
46: * Public interface
47: */
48: wolfssl_rsa_private_key_t public;
49:
50: /**
51: * RSA key object from wolfSSL
52: */
53: RsaKey rsa;
54:
55: /**
56: * Random number generator to use with RSA operations.
57: */
58: WC_RNG rng;
59:
60: /**
61: * Reference count
62: */
63: refcount_t ref;
64: };
65:
66: /* implemented in rsa public key */
67: bool wolfssl_rsa_encode_public(RsaKey *rsa, chunk_t *encoding);
68: bool wolfssl_rsa_fingerprint(RsaKey *rsa, cred_encoding_type_t type, chunk_t *fp);
69:
70: /**
71: * Build RSA signature
72: */
73: static bool build_signature(private_wolfssl_rsa_private_key_t *this,
74: enum wc_HashType hash, chunk_t data, chunk_t *sig)
75: {
76: int ret = wc_RsaSSL_Sign(data.ptr, data.len, sig->ptr, sig->len, &this->rsa,
77: &this->rng);
78: if (ret > 0)
79: {
80: sig->len = ret;
81: }
82: return ret > 0;
83: }
84:
85: /**
86: * Build an EMSA PKCS1 signature described in PKCS#1
87: */
88: static bool build_emsa_pkcs1_signature(private_wolfssl_rsa_private_key_t *this,
89: enum wc_HashType hash, chunk_t data,
90: chunk_t *sig)
91: {
92: bool success = FALSE;
93: chunk_t dgst, digestInfo;
94: int len;
95:
96: *sig = chunk_alloc(wc_RsaEncryptSize(&this->rsa));
97:
98: if (hash == WC_HASH_TYPE_NONE)
99: {
100: success = build_signature(this, hash, data, sig);
101: }
102: else if (wolfssl_hash_chunk(hash, data, &dgst))
103: {
104: digestInfo = chunk_alloc(MAX_DER_DIGEST_SZ);
105: len = wc_EncodeSignature(digestInfo.ptr, dgst.ptr, dgst.len,
106: wc_HashGetOID(hash));
107: if (len > 0)
108: {
109: digestInfo.len = len;
110: success = build_signature(this, hash, digestInfo, sig);
111: }
112: chunk_free(&digestInfo);
113: chunk_free(&dgst);
114: }
115:
116: if (!success)
117: {
118: chunk_free(sig);
119: }
120: return success;
121: }
122:
123: #ifdef WC_RSA_PSS
124: /**
125: * Build an EMSA PSS signature described in PKCS#1
126: */
127: static bool build_emsa_pss_signature(private_wolfssl_rsa_private_key_t *this,
128: rsa_pss_params_t *params, chunk_t data,
129: chunk_t *sig)
130: {
131: bool success = FALSE;
132: chunk_t dgst = chunk_empty;
133: enum wc_HashType hash;
134: int mgf, ret;
135:
136: if (!wolfssl_hash2type(params->hash, &hash))
137: {
138: return FALSE;
139: }
140: if (!wolfssl_hash2mgf1(params->mgf1_hash, &mgf))
141: {
142: return FALSE;
143: }
144:
145: *sig = chunk_alloc(wc_RsaEncryptSize(&this->rsa));
146:
147: if (wolfssl_hash_chunk(hash, data, &dgst))
148: {
149: ret = wc_RsaPSS_Sign_ex(dgst.ptr, dgst.len, sig->ptr, sig->len, hash,
150: mgf, params->salt_len, &this->rsa, &this->rng);
151: if (ret > 0)
152: {
153: sig->len = ret;
154: success = TRUE;
155: }
156: }
157:
158: chunk_free(&dgst);
159: if (!success)
160: {
161: chunk_free(sig);
162: }
163: return success;
164: }
165: #endif
166:
167:
168: METHOD(private_key_t, get_type, key_type_t,
169: private_wolfssl_rsa_private_key_t *this)
170: {
171: return KEY_RSA;
172: }
173:
174: METHOD(private_key_t, sign, bool,
175: private_wolfssl_rsa_private_key_t *this, signature_scheme_t scheme,
176: void *params, chunk_t data, chunk_t *signature)
177: {
178: switch (scheme)
179: {
180: case SIGN_RSA_EMSA_PKCS1_NULL:
181: return build_emsa_pkcs1_signature(this, WC_HASH_TYPE_NONE, data,
182: signature);
183: #ifdef WOLFSSL_SHA224
184: case SIGN_RSA_EMSA_PKCS1_SHA2_224:
185: return build_emsa_pkcs1_signature(this, WC_HASH_TYPE_SHA224, data,
186: signature);
187: #endif
188: #ifndef NO_SHA256
189: case SIGN_RSA_EMSA_PKCS1_SHA2_256:
190: return build_emsa_pkcs1_signature(this, WC_HASH_TYPE_SHA256, data,
191: signature);
192: #endif
193: #ifdef WOLFSSL_SHA384
194: case SIGN_RSA_EMSA_PKCS1_SHA2_384:
195: return build_emsa_pkcs1_signature(this, WC_HASH_TYPE_SHA384, data,
196: signature);
197: #endif
198: #ifdef WOLFSSL_SHA512
199: case SIGN_RSA_EMSA_PKCS1_SHA2_512:
200: return build_emsa_pkcs1_signature(this, WC_HASH_TYPE_SHA512, data,
201: signature);
202: #endif
203: #ifndef NO_SHA
204: case SIGN_RSA_EMSA_PKCS1_SHA1:
205: return build_emsa_pkcs1_signature(this, WC_HASH_TYPE_SHA, data,
206: signature);
207: #endif
208: #ifndef NO_MD5
209: case SIGN_RSA_EMSA_PKCS1_MD5:
210: return build_emsa_pkcs1_signature(this, WC_HASH_TYPE_MD5, data,
211: signature);
212: #endif
213: #ifdef WC_RSA_PSS
214: case SIGN_RSA_EMSA_PSS:
215: return build_emsa_pss_signature(this, params, data, signature);
216: #endif
217: default:
218: DBG1(DBG_LIB, "signature scheme %N not supported via wolfssl",
219: signature_scheme_names, scheme);
220: return FALSE;
221: }
222: }
223:
224: METHOD(private_key_t, decrypt, bool,
225: private_wolfssl_rsa_private_key_t *this, encryption_scheme_t scheme,
226: chunk_t crypto, chunk_t *plain)
227: {
228: int padding, mgf, len;
229: enum wc_HashType hash;
230:
231: switch (scheme)
232: {
233: case ENCRYPT_RSA_PKCS1:
234: hash = WC_HASH_TYPE_NONE;
235: padding = WC_RSA_PKCSV15_PAD;
236: mgf = WC_MGF1NONE;
237: break;
238: #ifndef WC_NO_RSA_OAEP
239: #ifndef NO_SHA
240: case ENCRYPT_RSA_OAEP_SHA1:
241: hash = WC_HASH_TYPE_SHA;
242: padding = WC_RSA_OAEP_PAD;
243: mgf = WC_MGF1SHA1;
244: break;
245: #endif
246: #ifdef WOLFSSL_SHA224
247: case ENCRYPT_RSA_OAEP_SHA224:
248: hash = WC_HASH_TYPE_SHA224;
249: padding = WC_RSA_OAEP_PAD;
250: mgf = WC_MGF1SHA224;
251: break;
252: #endif
253: #ifndef NO_SHA256
254: case ENCRYPT_RSA_OAEP_SHA256:
255: hash = WC_HASH_TYPE_SHA256;
256: padding = WC_RSA_OAEP_PAD;
257: mgf = WC_MGF1SHA256;
258: break;
259: #endif
260: #ifdef WOLFSSL_SHA384
261: case ENCRYPT_RSA_OAEP_SHA384:
262: hash = WC_HASH_TYPE_SHA384;
263: padding = WC_RSA_OAEP_PAD;
264: mgf = WC_MGF1SHA384;
265: break;
266: #endif
267: #ifdef WOLFSSL_SHA512
268: case ENCRYPT_RSA_OAEP_SHA512:
269: hash = WC_HASH_TYPE_SHA512;
270: padding = WC_RSA_OAEP_PAD;
271: mgf = WC_MGF1SHA512;
272: break;
273: #endif
274: #endif
275: default:
276: DBG1(DBG_LIB, "encryption scheme %N not supported via wolfssl",
277: encryption_scheme_names, scheme);
278: return FALSE;
279: }
280: len = wc_RsaEncryptSize(&this->rsa);
281: *plain = chunk_alloc(len);
282: len = wc_RsaPrivateDecrypt_ex(crypto.ptr, crypto.len, plain->ptr, len,
283: &this->rsa, padding, hash, mgf, NULL, 0);
284: if (len < 0)
285: {
286: DBG1(DBG_LIB, "RSA decryption failed");
287: chunk_free(plain);
288: return FALSE;
289: }
290: plain->len = len;
291: return TRUE;
292: }
293:
294: METHOD(private_key_t, get_keysize, int,
295: private_wolfssl_rsa_private_key_t *this)
296: {
297: return wc_RsaEncryptSize(&this->rsa) * 8;
298: }
299:
300: METHOD(private_key_t, get_public_key, public_key_t*,
301: private_wolfssl_rsa_private_key_t *this)
302: {
303: public_key_t *key;
304: chunk_t enc;
305:
306: if (!wolfssl_rsa_encode_public(&this->rsa, &enc))
307: {
308: return NULL;
309: }
310: key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
311: BUILD_BLOB_ASN1_DER, enc, BUILD_END);
312: chunk_free(&enc);
313: return key;
314: }
315:
316: METHOD(private_key_t, get_fingerprint, bool,
317: private_wolfssl_rsa_private_key_t *this, cred_encoding_type_t type,
318: chunk_t *fingerprint)
319: {
320: return wolfssl_rsa_fingerprint(&this->rsa, type, fingerprint);
321: }
322:
323: METHOD(private_key_t, get_encoding, bool,
324: private_wolfssl_rsa_private_key_t *this, cred_encoding_type_t type,
325: chunk_t *encoding)
326: {
327: switch (type)
328: {
329: case PRIVKEY_ASN1_DER:
330: case PRIVKEY_PEM:
331: {
332: bool success = TRUE;
333: int len;
334:
335: /* n and d are of keysize length, p and q plus the three CRT
336: * params roughly half that, the version and e are small */
337: len = wc_RsaEncryptSize(&this->rsa) * 5 + MAX_SEQ_SZ;
338: *encoding = chunk_alloc(len);
339: len = wc_RsaKeyToDer(&this->rsa, encoding->ptr, len);
340: if (len < 0)
341: {
342: chunk_free(encoding);
343: return FALSE;
344: }
345: encoding->len = len;
346:
347: if (type == PRIVKEY_PEM)
348: {
349: chunk_t asn1_encoding = *encoding;
350:
351: success = lib->encoding->encode(lib->encoding, PRIVKEY_PEM,
352: NULL, encoding, CRED_PART_RSA_PRIV_ASN1_DER,
353: asn1_encoding, CRED_PART_END);
354: chunk_clear(&asn1_encoding);
355: }
356: return success;
357: }
358: default:
359: return FALSE;
360: }
361: }
362:
363: METHOD(private_key_t, get_ref, private_key_t*,
364: private_wolfssl_rsa_private_key_t *this)
365: {
366: ref_get(&this->ref);
367: return &this->public.key;
368: }
369:
370: METHOD(private_key_t, destroy, void,
371: private_wolfssl_rsa_private_key_t *this)
372: {
373: if (ref_put(&this->ref))
374: {
375: lib->encoding->clear_cache(lib->encoding, &this->rsa);
376: wc_FreeRsaKey(&this->rsa);
377: wc_FreeRng(&this->rng);
378: free(this);
379: }
380: }
381:
382: /**
383: * Internal generic constructor
384: */
385: static private_wolfssl_rsa_private_key_t *create_empty()
386: {
387: private_wolfssl_rsa_private_key_t *this;
388:
389: INIT(this,
390: .public = {
391: .key = {
392: .get_type = _get_type,
393: .sign = _sign,
394: .decrypt = _decrypt,
395: .get_keysize = _get_keysize,
396: .get_public_key = _get_public_key,
397: .equals = private_key_equals,
398: .belongs_to = private_key_belongs_to,
399: .get_fingerprint = _get_fingerprint,
400: .has_fingerprint = private_key_has_fingerprint,
401: .get_encoding = _get_encoding,
402: .get_ref = _get_ref,
403: .destroy = _destroy,
404: },
405: },
406: .ref = 1,
407: );
408:
409: if (wc_InitRng(&this->rng) != 0)
410: {
411: DBG1(DBG_LIB, "init RNG failed, rsa private key create failed");
412: free(this);
413: return NULL;
414: }
415: if (wc_InitRsaKey(&this->rsa, NULL) != 0)
416: {
417: DBG1(DBG_LIB, "init RSA failed, rsa private key create failed");
418: wc_FreeRng(&this->rng);
419: free(this);
420: return NULL;
421: }
422: #ifdef WC_RSA_BLINDING
423: this->rsa.rng = &this->rng;
424: #endif
425:
426: return this;
427: }
428:
429: /*
430: * Described in header
431: */
432: wolfssl_rsa_private_key_t *wolfssl_rsa_private_key_gen(key_type_t type,
433: va_list args)
434: {
435: private_wolfssl_rsa_private_key_t *this;
436: u_int key_size = 0;
437:
438: while (TRUE)
439: {
440: switch (va_arg(args, builder_part_t))
441: {
442: case BUILD_KEY_SIZE:
443: key_size = va_arg(args, u_int);
444: continue;
445: case BUILD_END:
446: break;
447: default:
448: return NULL;
449: }
450: break;
451: }
452: if (!key_size)
453: {
454: return NULL;
455: }
456:
457: this = create_empty();
458: if (!this)
459: {
460: return NULL;
461: }
462:
463: if (wc_MakeRsaKey(&this->rsa, key_size, WC_RSA_EXPONENT, &this->rng) < 0)
464: {
465: destroy(this);
466: return NULL;
467: }
468: return &this->public;
469: }
470:
471: /**
472: * Allocate a random number in the range [0, n-1]
473: */
474: static bool wolfssl_mp_rand(mp_int *n, WC_RNG *rng, mp_int *r)
475: {
476: int len, ret;
477:
478: /* ensure the number has enough memory. */
479: ret = mp_set_bit(r, mp_count_bits(n));
480: if (ret == 0)
481: {
482: len = sizeof(*r->dp) * n->used;
483: ret = wc_RNG_GenerateBlock(rng, (byte *)r->dp, len);
484: }
485: if (ret == 0)
486: {
487: ret = mp_mod(r, n, r);
488: }
489: return ret == 0;
490: }
491:
492: /**
493: * Recover the primes from n, e and d using the algorithm described in
494: * Appendix C of NIST SP 800-56B.
495: */
496: static bool calculate_pq(mp_int *n, mp_int *e, mp_int *d, mp_int *p, mp_int *q,
497: mp_int *t1, mp_int *t2, WC_RNG* rng)
498: {
499: int i, t, j;
500: bool success = FALSE;
501: mp_int *k = p;
502: mp_int *r = p;
503: mp_int *n1 = q;
504: mp_int *g = t2;
505: mp_int *y = t2;
506: mp_int *x = t1;
507:
508: /* k = (d * e) - 1 */
509: if (mp_mul(d, e, k) != 0)
510: {
511: goto error;
512: }
513: if (mp_sub_d(k, 1, k) != 0)
514: {
515: goto error;
516: }
517: /* k must be even */
518: if (mp_isodd(k))
519: {
520: goto error;
521: }
522: /* k = 2^t * r, where r is the largest odd integer dividing k, and t >= 1 */
523: if (mp_copy(k, r) != 0)
524: {
525: goto error;
526: }
527: for (t = 0; !mp_isodd(r); t++)
528: { /* r = r/2 */
529: if (mp_div_2(r, r) != 0)
530: goto error;
531: }
532: /* we need n-1 below */
533: if (mp_sub_d(n, 1, n1) != 0)
534: {
535: goto error;
536: }
537: for (i = 0; i < 100; i++)
538: { /* generate random integer g in [0, n-1] */
539: if (!wolfssl_mp_rand(n, rng, g))
540: {
541: goto error;
542: }
543: /* y = g^r mod n */
544: if (mp_exptmod(g, r, n, y) != 0)
545: {
546: goto error;
547: }
548: /* try again if y == 1 or y == n-1 */
549: if (mp_isone(y) || mp_cmp(y, n1) == MP_EQ)
550: {
551: continue;
552: }
553: for (j = 0; j < t; j++)
554: { /* x = y^2 mod n */
555: if (mp_sqrmod(y, n, x) != 0)
556: {
557: goto error;
558: }
559: /* stop if x == 1 */
560: if (mp_isone(x))
561: {
562: goto done;
563: }
564: /* retry with new g if x = n-1 */
565: if (mp_cmp(x, n1) == MP_EQ)
566: {
567: break;
568: }
569: /* y = x */
570: if (mp_copy(x, y) != 0)
571: {
572: goto error;
573: }
574: }
575: }
576: goto error;
577:
578: done:
579: /* p = gcd(y-1, n) */
580: if (mp_sub_d(y, 1, y) != 0)
581: {
582: goto error;
583: }
584: if (mp_gcd(y, n, p) != 0)
585: {
586: goto error;
587: }
588: /* q = n/p */
589: if (mp_div(n, p, q, NULL) != 0)
590: {
591: goto error;
592: }
593:
594: success = TRUE;
595:
596: error:
597: return success;
598: }
599:
600: /**
601: * Calculates dp = d (mod p-1) or dq = d (mod q-1) for the Chinese remainder
602: * algorithm.
603: */
604: static bool dmodpq1(mp_int *d, mp_int *pq, mp_int *res)
605: {
606: /* p|q - 1
607: * d (mod p|q -1) */
608: return mp_sub_d(pq, 1, res) == 0 &&
609: mp_mod(d, res, res) == 0;
610: }
611:
612: /**
613: * Calculates qinv = q^-1 (mod p) for the Chinese remainder algorithm.
614: */
615: static int qinv(mp_int *q, mp_int *p, mp_int *res)
616: {
617: /* q^-1 (mod p) */
618: return mp_invmod(q, p, res) == 0;
619: }
620:
621: /*
622: * Described in header
623: */
624: wolfssl_rsa_private_key_t *wolfssl_rsa_private_key_load(key_type_t type,
625: va_list args)
626: {
627: private_wolfssl_rsa_private_key_t *this;
628: chunk_t blob, n, e, d, p, q, exp1, exp2, coeff;
629: word32 idx;
630: int ret;
631:
632: blob = n = e = d = p = q = exp1 = exp2 = coeff = chunk_empty;
633: while (TRUE)
634: {
635: switch (va_arg(args, builder_part_t))
636: {
637: case BUILD_BLOB_ASN1_DER:
638: blob = va_arg(args, chunk_t);
639: continue;
640: case BUILD_RSA_MODULUS:
641: n = va_arg(args, chunk_t);
642: continue;
643: case BUILD_RSA_PUB_EXP:
644: e = va_arg(args, chunk_t);
645: continue;
646: case BUILD_RSA_PRIV_EXP:
647: d = va_arg(args, chunk_t);
648: continue;
649: case BUILD_RSA_PRIME1:
650: p = va_arg(args, chunk_t);
651: continue;
652: case BUILD_RSA_PRIME2:
653: q = va_arg(args, chunk_t);
654: continue;
655: case BUILD_RSA_EXP1:
656: exp1 = va_arg(args, chunk_t);
657: continue;
658: case BUILD_RSA_EXP2:
659: exp2 = va_arg(args, chunk_t);
660: continue;
661: case BUILD_RSA_COEFF:
662: coeff = va_arg(args, chunk_t);
663: continue;
664: case BUILD_END:
665: break;
666: default:
667: return NULL;
668: }
669: break;
670: }
671:
672: this = create_empty();
673: if (!this)
674: {
675: return NULL;
676: }
677:
678: if (blob.ptr)
679: {
680: idx = 0;
681: ret = wc_RsaPrivateKeyDecode(blob.ptr, &idx, &this->rsa, blob.len);
682: if (ret == 0)
683: {
684: return &this->public;
685: }
686: }
687: else if (n.ptr && e.ptr && d.ptr)
688: {
689: if (mp_read_unsigned_bin(&this->rsa.n, n.ptr, n.len) != 0)
690: {
691: goto error;
692: }
693: if (mp_read_unsigned_bin(&this->rsa.e, e.ptr, e.len) != 0)
694: {
695: goto error;
696: }
697: if (mp_read_unsigned_bin(&this->rsa.d, d.ptr, d.len) != 0)
698: {
699: goto error;
700: }
701: if (p.ptr && q.ptr)
702: {
703: if (mp_read_unsigned_bin(&this->rsa.p, p.ptr, p.len) != 0)
704: {
705: goto error;
706: }
707: if (mp_read_unsigned_bin(&this->rsa.q, q.ptr, q.len) != 0)
708: {
709: goto error;
710: }
711: }
712: else if (!calculate_pq(&this->rsa.n, &this->rsa.e, &this->rsa.d,
713: &this->rsa.p, &this->rsa.q, &this->rsa.dP,
714: &this->rsa.dQ, &this->rng))
715: {
716: goto error;
717: }
718: if (exp1.ptr)
719: {
720: if (mp_read_unsigned_bin(&this->rsa.dP, exp1.ptr, exp1.len) != 0)
721: {
722: goto error;
723: }
724: }
725: else if (!dmodpq1(&this->rsa.d, &this->rsa.p, &this->rsa.dP))
726: {
727: goto error;
728: }
729: if (exp2.ptr)
730: {
731: if (mp_read_unsigned_bin(&this->rsa.dQ, exp2.ptr, exp2.len) != 0)
732: {
733: goto error;
734: }
735: }
736: else if (!dmodpq1(&this->rsa.d, &this->rsa.q, &this->rsa.dQ))
737: {
738: goto error;
739: }
740: if (coeff.ptr)
741: {
742: if (mp_read_unsigned_bin(&this->rsa.u, coeff.ptr, coeff.len) != 0)
743: {
744: goto error;
745: }
746: }
747: else if (!qinv(&this->rsa.q, &this->rsa.p, &this->rsa.u))
748: {
749: goto error;
750: }
751:
752: return &this->public;
753: }
754: error:
755: destroy(this);
756: return NULL;
757: }
758:
759: #endif /* NO_RSA */
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>