2 * Copyright (C) 2010-2012 Free Software Foundation, Inc.
4 * Author: Nikos Mavrogiannopoulos
6 * This file is part of GNUTLS.
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
23 /* This file contains the functions needed for RSA/DSA public key
24 * encryption and signatures.
27 #include <gnutls_int.h>
28 #include <gnutls_mpi.h>
29 #include <gnutls_pk.h>
30 #include <gnutls_errors.h>
31 #include <gnutls_datum.h>
32 #include <gnutls_global.h>
33 #include <gnutls_sig.h>
34 #include <gnutls_num.h>
35 #include <x509/x509_int.h>
36 #include <x509/common.h>
38 #include <gnutls_pk.h>
39 #include <nettle/dsa.h>
40 #include <nettle/rsa.h>
42 #include <gnutls/crypto.h>
45 #define TOMPZ(x) (*((mpz_t*)(x)))
47 static inline int is_supported_curve(int curve
);
50 rnd_func (void *_ctx
, unsigned length
, uint8_t * data
)
52 _gnutls_rnd (GNUTLS_RND_RANDOM
, data
, length
);
56 _dsa_params_to_pubkey (const gnutls_pk_params_st
* pk_params
,
57 struct dsa_public_key
*pub
)
59 memcpy (&pub
->p
, pk_params
->params
[0], sizeof (mpz_t
));
60 memcpy (&pub
->q
, pk_params
->params
[1], sizeof (mpz_t
));
61 memcpy (&pub
->g
, pk_params
->params
[2], sizeof (mpz_t
));
62 memcpy (&pub
->y
, pk_params
->params
[3], sizeof (mpz_t
));
66 _dsa_params_to_privkey (const gnutls_pk_params_st
* pk_params
,
67 struct dsa_private_key
*pub
)
69 memcpy (&pub
->x
, pk_params
->params
[4], sizeof (mpz_t
));
73 _rsa_params_to_privkey (const gnutls_pk_params_st
* pk_params
,
74 struct rsa_private_key
*priv
)
76 memcpy (&priv
->d
, pk_params
->params
[2], sizeof (mpz_t
));
77 memcpy (&priv
->p
, pk_params
->params
[3], sizeof (mpz_t
));
78 memcpy (&priv
->q
, pk_params
->params
[4], sizeof (mpz_t
));
79 memcpy (&priv
->c
, pk_params
->params
[5], sizeof (mpz_t
));
80 memcpy (&priv
->a
, pk_params
->params
[6], sizeof (mpz_t
));
81 memcpy (&priv
->b
, pk_params
->params
[7], sizeof (mpz_t
));
82 priv
->size
= nettle_mpz_sizeinbase_256_u(TOMPZ(pk_params
->params
[RSA_MODULUS
]));
86 _rsa_params_to_pubkey (const gnutls_pk_params_st
* pk_params
,
87 struct rsa_public_key
*pub
)
89 memcpy (&pub
->n
, pk_params
->params
[RSA_MODULUS
], sizeof (mpz_t
));
90 memcpy (&pub
->e
, pk_params
->params
[RSA_PUB
], sizeof (mpz_t
));
91 pub
->size
= nettle_mpz_sizeinbase_256_u(pub
->n
);
95 _ecc_params_to_privkey(const gnutls_pk_params_st
* pk_params
,
98 priv
->type
= PK_PRIVATE
;
99 memcpy(&priv
->prime
, pk_params
->params
[ECC_PRIME
], sizeof(mpz_t
));
100 memcpy(&priv
->order
, pk_params
->params
[ECC_ORDER
], sizeof(mpz_t
));
101 memcpy(&priv
->A
, pk_params
->params
[ECC_A
], sizeof(mpz_t
));
102 memcpy(&priv
->B
, pk_params
->params
[ECC_B
], sizeof(mpz_t
));
103 memcpy(&priv
->Gx
, pk_params
->params
[ECC_GX
], sizeof(mpz_t
));
104 memcpy(&priv
->Gy
, pk_params
->params
[ECC_GY
], sizeof(mpz_t
));
105 memcpy(&priv
->pubkey
.x
, pk_params
->params
[ECC_X
], sizeof(mpz_t
));
106 memcpy(&priv
->pubkey
.y
, pk_params
->params
[ECC_Y
], sizeof(mpz_t
));
107 memcpy(&priv
->k
, pk_params
->params
[ECC_K
], sizeof(mpz_t
));
108 mpz_init_set_ui(priv
->pubkey
.z
, 1);
111 static void _ecc_params_clear(ecc_key
* key
)
113 mpz_clear(key
->pubkey
.z
);
117 _ecc_params_to_pubkey(const gnutls_pk_params_st
* pk_params
,
120 pub
->type
= PK_PUBLIC
;
121 memcpy(&pub
->prime
, pk_params
->params
[ECC_PRIME
], sizeof(mpz_t
));
122 memcpy(&pub
->order
, pk_params
->params
[ECC_ORDER
], sizeof(mpz_t
));
123 memcpy(&pub
->A
, pk_params
->params
[ECC_A
], sizeof(mpz_t
));
124 memcpy(&pub
->B
, pk_params
->params
[ECC_B
], sizeof(mpz_t
));
125 memcpy(&pub
->Gx
, pk_params
->params
[ECC_GX
], sizeof(mpz_t
));
126 memcpy(&pub
->Gy
, pk_params
->params
[ECC_GY
], sizeof(mpz_t
));
127 memcpy(&pub
->pubkey
.x
, pk_params
->params
[ECC_X
], sizeof(mpz_t
));
128 memcpy(&pub
->pubkey
.y
, pk_params
->params
[ECC_Y
], sizeof(mpz_t
));
129 mpz_init_set_ui(pub
->pubkey
.z
, 1);
132 static int _wrap_nettle_pk_derive(gnutls_pk_algorithm_t algo
, gnutls_datum_t
* out
,
133 const gnutls_pk_params_st
* priv
,
134 const gnutls_pk_params_st
* pub
)
142 ecc_key ecc_pub
, ecc_priv
;
143 int curve
= priv
->flags
;
148 if (is_supported_curve(curve
) == 0)
149 return gnutls_assert_val(GNUTLS_E_ECC_UNSUPPORTED_CURVE
);
151 _ecc_params_to_pubkey(pub
, &ecc_pub
);
152 _ecc_params_to_privkey(priv
, &ecc_priv
);
154 if (ecc_projective_check_point(&ecc_pub
.pubkey
, pub
->params
[ECC_B
], pub
->params
[ECC_PRIME
]) != 0)
156 ret
= gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER
);
161 out
->data
= gnutls_malloc(sz
);
162 if (out
->data
== NULL
)
164 ret
= gnutls_assert_val(GNUTLS_E_MEMORY_ERROR
);
168 ret
= ecc_shared_secret(&ecc_priv
, &ecc_pub
, out
->data
, &sz
);
170 ret
= gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR
);
173 _ecc_params_clear(&ecc_pub
);
174 _ecc_params_clear(&ecc_priv
);
178 gnutls_free(out
->data
);
187 ret
= GNUTLS_E_INTERNAL_ERROR
;
199 _wrap_nettle_pk_encrypt (gnutls_pk_algorithm_t algo
,
200 gnutls_datum_t
* ciphertext
,
201 const gnutls_datum_t
* plaintext
,
202 const gnutls_pk_params_st
* pk_params
)
213 struct rsa_public_key pub
;
215 _rsa_params_to_pubkey (pk_params
, &pub
);
217 ret
= rsa_encrypt(&pub
, NULL
, rnd_func
, plaintext
->size
, plaintext
->data
, p
);
220 ret
= gnutls_assert_val(GNUTLS_E_ENCRYPTION_FAILED
);
224 ret
= _gnutls_mpi_dprint_size (p
, ciphertext
, plaintext
->size
);
235 ret
= GNUTLS_E_INTERNAL_ERROR
;
248 _wrap_nettle_pk_decrypt (gnutls_pk_algorithm_t algo
,
249 gnutls_datum_t
* plaintext
,
250 const gnutls_datum_t
* ciphertext
,
251 const gnutls_pk_params_st
* pk_params
)
255 plaintext
->data
= NULL
;
257 /* make a sexp from pkey */
262 struct rsa_private_key priv
;
263 struct rsa_public_key pub
;
267 _rsa_params_to_privkey (pk_params
, &priv
);
268 _rsa_params_to_pubkey (pk_params
, &pub
);
270 if (_gnutls_mpi_scan_nz (&c
, ciphertext
->data
, ciphertext
->size
) != 0)
272 ret
= gnutls_assert_val(GNUTLS_E_MPI_SCAN_FAILED
);
277 plaintext
->data
= gnutls_malloc(length
);
278 if (plaintext
->data
== NULL
)
280 ret
= gnutls_assert_val(GNUTLS_E_MEMORY_ERROR
);
284 ret
= rsa_decrypt_tr(&pub
, &priv
, NULL
, rnd_func
, &length
, plaintext
->data
,
286 _gnutls_mpi_release (&c
);
287 plaintext
->size
= length
;
291 ret
= gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED
);
299 ret
= GNUTLS_E_INTERNAL_ERROR
;
307 gnutls_free(plaintext
->data
);
312 /* in case of DSA puts into data, r,s
315 _wrap_nettle_pk_sign (gnutls_pk_algorithm_t algo
,
316 gnutls_datum_t
* signature
,
317 const gnutls_datum_t
* vdata
,
318 const gnutls_pk_params_st
* pk_params
)
322 unsigned int hash_len
;
326 case GNUTLS_PK_EC
: /* we do ECDSA */
329 struct dsa_signature sig
;
331 _ecc_params_to_privkey(pk_params
, &priv
);
333 dsa_signature_init (&sig
);
335 hash
= _gnutls_dsa_q_to_hash (algo
, pk_params
, &hash_len
);
336 if (hash_len
> vdata
->size
)
339 _gnutls_debug_log("Security level of algorithm requires hash %s(%d) or better\n", gnutls_mac_get_name(hash
), hash_len
);
340 hash_len
= vdata
->size
;
343 ret
= ecc_sign_hash(vdata
->data
, hash_len
,
344 &sig
, NULL
, rnd_func
, &priv
);
348 ret
= GNUTLS_E_PK_SIGN_FAILED
;
352 ret
= _gnutls_encode_ber_rs (signature
, &sig
.r
, &sig
.s
);
355 dsa_signature_clear (&sig
);
356 _ecc_params_clear( &priv
);
367 struct dsa_public_key pub
;
368 struct dsa_private_key priv
;
369 struct dsa_signature sig
;
371 memset(&priv
, 0, sizeof(priv
));
372 memset(&pub
, 0, sizeof(pub
));
373 _dsa_params_to_pubkey (pk_params
, &pub
);
374 _dsa_params_to_privkey (pk_params
, &priv
);
376 dsa_signature_init (&sig
);
378 hash
= _gnutls_dsa_q_to_hash (algo
, pk_params
, &hash_len
);
379 if (hash_len
> vdata
->size
)
382 _gnutls_debug_log("Security level of algorithm requires hash %s(%d) or better\n", gnutls_mac_get_name(hash
), hash_len
);
383 hash_len
= vdata
->size
;
387 _dsa_sign (&pub
, &priv
, NULL
, rnd_func
,
388 hash_len
, vdata
->data
, &sig
);
392 ret
= GNUTLS_E_PK_SIGN_FAILED
;
396 ret
= _gnutls_encode_ber_rs (signature
, &sig
.r
, &sig
.s
);
399 dsa_signature_clear (&sig
);
410 struct rsa_private_key priv
;
411 struct rsa_public_key pub
;
414 _rsa_params_to_privkey (pk_params
, &priv
);
415 _rsa_params_to_pubkey (pk_params
, &pub
);
419 ret
= rsa_pkcs1_sign_tr(&pub
, &priv
, NULL
, rnd_func
,
420 vdata
->size
, vdata
->data
, s
);
424 ret
= GNUTLS_E_PK_SIGN_FAILED
;
428 ret
= _gnutls_mpi_dprint (s
, signature
);
443 ret
= GNUTLS_E_INTERNAL_ERROR
;
455 _wrap_nettle_pk_verify (gnutls_pk_algorithm_t algo
,
456 const gnutls_datum_t
* vdata
,
457 const gnutls_datum_t
* signature
,
458 const gnutls_pk_params_st
* pk_params
)
461 unsigned int hash_len
;
462 bigint_t tmp
[2] = { NULL
, NULL
};
466 case GNUTLS_PK_EC
: /* ECDSA */
469 struct dsa_signature sig
;
472 ret
= _gnutls_decode_ber_rs (signature
, &tmp
[0], &tmp
[1]);
479 _ecc_params_to_pubkey(pk_params
, &pub
);
480 memcpy (&sig
.r
, tmp
[0], sizeof (sig
.r
));
481 memcpy (&sig
.s
, tmp
[1], sizeof (sig
.s
));
483 _gnutls_dsa_q_to_hash (algo
, pk_params
, &hash_len
);
484 if (hash_len
> vdata
->size
)
485 hash_len
= vdata
->size
;
487 ret
= ecc_verify_hash(&sig
, vdata
->data
, hash_len
, &stat
, &pub
);
488 if (ret
!= 0 || stat
!= 1)
491 ret
= GNUTLS_E_PK_SIG_VERIFY_FAILED
;
496 _gnutls_mpi_release (&tmp
[0]);
497 _gnutls_mpi_release (&tmp
[1]);
498 _ecc_params_clear( &pub
);
503 struct dsa_public_key pub
;
504 struct dsa_signature sig
;
506 ret
= _gnutls_decode_ber_rs (signature
, &tmp
[0], &tmp
[1]);
512 memset(&pub
, 0, sizeof(pub
));
513 _dsa_params_to_pubkey (pk_params
, &pub
);
514 memcpy (&sig
.r
, tmp
[0], sizeof (sig
.r
));
515 memcpy (&sig
.s
, tmp
[1], sizeof (sig
.s
));
517 _gnutls_dsa_q_to_hash (algo
, pk_params
, &hash_len
);
518 if (hash_len
> vdata
->size
)
519 hash_len
= vdata
->size
;
521 ret
= _dsa_verify (&pub
, hash_len
, vdata
->data
, &sig
);
525 ret
= GNUTLS_E_PK_SIG_VERIFY_FAILED
;
530 _gnutls_mpi_release (&tmp
[0]);
531 _gnutls_mpi_release (&tmp
[1]);
536 struct rsa_public_key pub
;
538 _rsa_params_to_pubkey (pk_params
, &pub
);
540 ret
= _gnutls_mpi_scan_nz (&tmp
[0], signature
->data
, signature
->size
);
547 ret
= rsa_pkcs1_verify (&pub
, vdata
->size
, vdata
->data
, TOMPZ(tmp
[0]));
549 ret
= gnutls_assert_val(GNUTLS_E_PK_SIG_VERIFY_FAILED
);
552 _gnutls_mpi_release (&tmp
[0]);
557 ret
= GNUTLS_E_INTERNAL_ERROR
;
566 static inline int is_supported_curve(int curve
)
568 if (gnutls_ecc_curve_get_name(curve
) != NULL
)
576 wrap_nettle_pk_generate_params (gnutls_pk_algorithm_t algo
,
577 unsigned int level
/*bits */ ,
578 gnutls_pk_params_st
* params
)
581 unsigned int i
, q_bits
;
583 memset(params
, 0, sizeof(*params
));
590 struct dsa_public_key pub
;
591 struct dsa_private_key priv
;
593 dsa_public_key_init (&pub
);
594 dsa_private_key_init (&priv
);
596 /* the best would be to use _gnutls_pk_bits_to_subgroup_bits()
597 * but we do NIST DSA here */
604 dsa_generate_keypair (&pub
, &priv
, NULL
,
605 rnd_func
, NULL
, NULL
, level
, q_bits
);
609 ret
= GNUTLS_E_INTERNAL_ERROR
;
613 params
->params_nr
= 0;
614 for (i
= 0; i
< DSA_PRIVATE_PARAMS
; i
++)
616 params
->params
[i
] = _gnutls_mpi_alloc_like (&pub
.p
);
617 if (params
->params
[i
] == NULL
)
619 ret
= GNUTLS_E_MEMORY_ERROR
;
626 _gnutls_mpi_set (params
->params
[0], pub
.p
);
627 _gnutls_mpi_set (params
->params
[1], pub
.q
);
628 _gnutls_mpi_set (params
->params
[2], pub
.g
);
629 _gnutls_mpi_set (params
->params
[3], pub
.y
);
630 _gnutls_mpi_set (params
->params
[4], priv
.x
);
633 dsa_private_key_clear (&priv
);
634 dsa_public_key_clear (&pub
);
643 struct rsa_public_key pub
;
644 struct rsa_private_key priv
;
646 rsa_public_key_init (&pub
);
647 rsa_private_key_init (&priv
);
649 _gnutls_mpi_set_ui (&pub
.e
, 65537);
652 rsa_generate_keypair (&pub
, &priv
, NULL
,
653 rnd_func
, NULL
, NULL
, level
, 0);
657 ret
= GNUTLS_E_INTERNAL_ERROR
;
661 params
->params_nr
= 0;
662 for (i
= 0; i
< RSA_PRIVATE_PARAMS
; i
++)
664 params
->params
[i
] = _gnutls_mpi_alloc_like (&pub
.n
);
665 if (params
->params
[i
] == NULL
)
667 ret
= GNUTLS_E_MEMORY_ERROR
;
676 _gnutls_mpi_set (params
->params
[0], pub
.n
);
677 _gnutls_mpi_set (params
->params
[1], pub
.e
);
678 _gnutls_mpi_set (params
->params
[2], priv
.d
);
679 _gnutls_mpi_set (params
->params
[3], priv
.p
);
680 _gnutls_mpi_set (params
->params
[4], priv
.q
);
681 _gnutls_mpi_set (params
->params
[5], priv
.c
);
682 _gnutls_mpi_set (params
->params
[6], priv
.a
);
683 _gnutls_mpi_set (params
->params
[7], priv
.b
);
686 rsa_private_key_clear (&priv
);
687 rsa_public_key_clear (&pub
);
697 ecc_set_type tls_ecc_set
;
698 const gnutls_ecc_curve_entry_st
*st
;
700 st
= _gnutls_ecc_curve_get_params(level
);
702 return gnutls_assert_val(GNUTLS_E_ECC_UNSUPPORTED_CURVE
);
704 tls_ecc_set
.size
= st
->size
;
705 tls_ecc_set
.prime
= st
->prime
;
706 tls_ecc_set
.order
= st
->order
;
707 tls_ecc_set
.Gx
= st
->Gx
;
708 tls_ecc_set
.Gy
= st
->Gy
;
709 tls_ecc_set
.A
= st
->A
;
710 tls_ecc_set
.B
= st
->B
;
712 ret
= ecc_make_key(NULL
, rnd_func
, &key
, &tls_ecc_set
);
714 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR
);
716 params
->params_nr
= 0;
717 for (i
= 0; i
< ECC_PRIVATE_PARAMS
; i
++)
719 params
->params
[i
] = _gnutls_mpi_alloc_like(&key
.prime
);
720 if (params
->params
[i
] == NULL
)
722 ret
= GNUTLS_E_MEMORY_ERROR
;
727 params
->flags
= level
;
729 mpz_set(TOMPZ(params
->params
[ECC_PRIME
]), key
.prime
);
730 mpz_set(TOMPZ(params
->params
[ECC_ORDER
]), key
.order
);
731 mpz_set(TOMPZ(params
->params
[ECC_A
]), key
.A
);
732 mpz_set(TOMPZ(params
->params
[ECC_B
]), key
.B
);
733 mpz_set(TOMPZ(params
->params
[ECC_GX
]), key
.Gx
);
734 mpz_set(TOMPZ(params
->params
[ECC_GY
]), key
.Gy
);
735 mpz_set(TOMPZ(params
->params
[ECC_X
]), key
.pubkey
.x
);
736 mpz_set(TOMPZ(params
->params
[ECC_Y
]), key
.pubkey
.y
);
737 mpz_set(TOMPZ(params
->params
[ECC_K
]), key
.k
);
749 return GNUTLS_E_INVALID_REQUEST
;
756 for (i
= 0; i
< params
->params_nr
; i
++)
758 _gnutls_mpi_release (¶ms
->params
[i
]);
760 params
->params_nr
= 0;
766 wrap_nettle_pk_verify_params (gnutls_pk_algorithm_t algo
,
767 const gnutls_pk_params_st
* params
)
775 bigint_t t1
= NULL
, t2
= NULL
;
777 if (params
->params_nr
!= RSA_PRIVATE_PARAMS
)
778 return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST
);
780 t1
= _gnutls_mpi_new (256);
782 return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR
);
784 _gnutls_mpi_mulm (t1
, params
->params
[RSA_PRIME1
], params
->params
[RSA_PRIME2
], params
->params
[RSA_MODULUS
]);
785 if (_gnutls_mpi_cmp_ui(t1
, 0) != 0)
787 ret
= gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER
);
791 mpz_invert (TOMPZ(t1
), TOMPZ (params
->params
[RSA_PRIME2
]), TOMPZ (params
->params
[RSA_PRIME1
]));
792 if (_gnutls_mpi_cmp(t1
, params
->params
[RSA_COEF
]) != 0)
794 ret
= gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER
);
798 /* [RSA_PRIME1] = d % p-1, [RSA_PRIME2] = d % q-1 */
799 _gnutls_mpi_sub_ui (t1
, params
->params
[RSA_PRIME1
], 1);
800 t2
= _gnutls_mpi_mod (params
->params
[RSA_PRIV
], t1
);
803 ret
= gnutls_assert_val(GNUTLS_E_MEMORY_ERROR
);
807 if (_gnutls_mpi_cmp(params
->params
[RSA_E1
], t2
) != 0)
809 ret
= gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER
);
813 _gnutls_mpi_sub_ui (t1
, params
->params
[RSA_PRIME2
], 1);
814 _gnutls_mpi_release(&t2
);
816 t2
= _gnutls_mpi_mod (params
->params
[RSA_PRIV
], t1
);
819 ret
= gnutls_assert_val(GNUTLS_E_MEMORY_ERROR
);
823 if (_gnutls_mpi_cmp(params
->params
[RSA_E2
], t2
) != 0)
825 ret
= gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER
);
832 _gnutls_mpi_release(&t1
);
833 _gnutls_mpi_release(&t2
);
841 if (params
->params_nr
!= DSA_PRIVATE_PARAMS
)
842 return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST
);
844 t1
= _gnutls_mpi_new (256);
846 return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR
);
848 _gnutls_mpi_powm (t1
, params
->params
[DSA_G
], params
->params
[DSA_X
], params
->params
[DSA_P
]);
850 if (_gnutls_mpi_cmp(t1
, params
->params
[DSA_Y
]) != 0)
852 ret
= gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER
);
859 _gnutls_mpi_release(&t1
);
865 int curve
= params
->flags
;
870 if (params
->params_nr
!= ECC_PRIVATE_PARAMS
)
871 return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST
);
873 if (is_supported_curve(curve
) == 0)
874 return gnutls_assert_val(GNUTLS_E_ECC_UNSUPPORTED_CURVE
);
876 _ecc_params_to_privkey(params
, &ecc_priv
);
879 /* verify that x,y lie on the curve */
880 ret
= ecc_projective_check_point(&ecc_priv
.pubkey
, TOMPZ(params
->params
[ECC_B
]), params
->params
[ECC_PRIME
]);
883 ret
= gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER
);
887 memcpy(&zero
.x
, ecc_priv
.Gx
, sizeof(mpz_t
));
888 memcpy(&zero
.y
, ecc_priv
.Gy
, sizeof(mpz_t
));
889 memcpy(&zero
.z
, ecc_priv
.pubkey
.z
, sizeof(mpz_t
)); /* z = 1 */
891 /* verify that k*(Gx,Gy)=(x,y) */
892 ret
= ecc_mulmod(ecc_priv
.k
, &zero
, R
, TOMPZ(params
->params
[ECC_A
]), TOMPZ(params
->params
[ECC_PRIME
]), 1);
895 ret
= gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER
);
899 if (mpz_cmp(ecc_priv
.pubkey
.x
, R
->x
) != 0 || mpz_cmp(ecc_priv
.pubkey
.y
, R
->y
) != 0)
901 ret
= gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER
);
908 _ecc_params_clear(&ecc_priv
);
913 ret
= gnutls_assert_val(GNUTLS_E_INVALID_REQUEST
);
919 static int calc_rsa_exp (gnutls_pk_params_st
* params
)
921 bigint_t tmp
= _gnutls_mpi_alloc_like (params
->params
[0]);
923 if (params
->params_nr
< RSA_PRIVATE_PARAMS
- 2)
926 return GNUTLS_E_INTERNAL_ERROR
;
932 return GNUTLS_E_MEMORY_ERROR
;
935 /* [6] = d % p-1, [7] = d % q-1 */
936 _gnutls_mpi_sub_ui (tmp
, params
->params
[3], 1);
937 params
->params
[6] = _gnutls_mpi_mod (params
->params
[2] /*d */ , tmp
);
939 _gnutls_mpi_sub_ui (tmp
, params
->params
[4], 1);
940 params
->params
[7] = _gnutls_mpi_mod (params
->params
[2] /*d */ , tmp
);
942 _gnutls_mpi_release (&tmp
);
944 if (params
->params
[7] == NULL
|| params
->params
[6] == NULL
)
947 return GNUTLS_E_MEMORY_ERROR
;
955 wrap_nettle_pk_fixup (gnutls_pk_algorithm_t algo
,
956 gnutls_direction_t direction
,
957 gnutls_pk_params_st
* params
)
961 if (direction
== GNUTLS_IMPORT
&& algo
== GNUTLS_PK_RSA
)
963 /* do not trust the generated values. Some old private keys
964 * generated by us have mess on the values. Those were very
965 * old but it seemed some of the shipped example private
968 mpz_invert (TOMPZ (params
->params
[RSA_COEF
]),
969 TOMPZ (params
->params
[RSA_PRIME2
]), TOMPZ (params
->params
[RSA_PRIME1
]));
971 /* calculate exp1 [6] and exp2 [7] */
972 _gnutls_mpi_release (¶ms
->params
[RSA_E1
]);
973 _gnutls_mpi_release (¶ms
->params
[RSA_E2
]);
975 result
= calc_rsa_exp (params
);
981 params
->params_nr
= RSA_PRIVATE_PARAMS
;
988 extract_digest_info(const struct rsa_public_key
*key
,
989 unsigned *length
, uint8_t *digest_info
,
990 const mpz_t signature
)
997 if (key
->size
== 0 || *length
< key
->size
)
1000 em
= gnutls_malloc(key
->size
);
1006 mpz_powm(m
, signature
, key
->e
, key
->n
);
1008 nettle_mpz_get_str_256(key
->size
, em
, m
);
1011 if (em
[0] != 0 || em
[1] != 1)
1017 for (i
= 2; i
< key
->size
; i
++)
1019 if (em
[i
] == 0 && i
> 2)
1030 memcpy(digest_info
, &em
[i
], key
->size
-i
);
1031 *length
= key
->size
-i
;
1040 /* Given a signature and parameters, it should return
1041 * the hash algorithm used in the signature. This is a kludge
1042 * but until we deprecate gnutls_pubkey_get_verify_algorithm()
1045 static int wrap_nettle_hash_algorithm (gnutls_pk_algorithm_t pk
,
1046 const gnutls_datum_t
* sig
, gnutls_pk_params_st
* issuer_params
,
1047 gnutls_digest_algorithm_t
* hash_algo
)
1049 uint8_t digest
[MAX_HASH_SIZE
];
1050 uint8_t digest_info
[MAX_HASH_SIZE
*3];
1052 unsigned digest_size
;
1054 struct rsa_public_key pub
;
1065 *hash_algo
= _gnutls_dsa_q_to_hash (pk
, issuer_params
, NULL
);
1071 { /* return a sensible algorithm */
1073 *hash_algo
= GNUTLS_DIG_SHA256
;
1077 _rsa_params_to_pubkey (issuer_params
, &pub
);
1079 digest_size
= sizeof(digest
);
1081 nettle_mpz_set_str_256_u(s
, sig
->size
, sig
->data
);
1083 digest_size
= sizeof (digest_info
);
1084 ret
= extract_digest_info( &pub
, &digest_size
, digest_info
, s
);
1087 ret
= GNUTLS_E_PK_SIG_VERIFY_FAILED
;
1092 di
.data
= digest_info
;
1093 di
.size
= digest_size
;
1095 digest_size
= sizeof(digest
);
1097 decode_ber_digest_info (&di
, hash_algo
, digest
,
1104 if (digest_size
!= _gnutls_hash_get_algo_len (*hash_algo
))
1107 ret
= GNUTLS_E_PK_SIG_VERIFY_FAILED
;
1116 ret
= GNUTLS_E_INTERNAL_ERROR
;
1126 int crypto_pk_prio
= INT_MAX
;
1128 gnutls_crypto_pk_st _gnutls_pk_ops
= {
1129 .hash_algorithm
= wrap_nettle_hash_algorithm
,
1130 .encrypt
= _wrap_nettle_pk_encrypt
,
1131 .decrypt
= _wrap_nettle_pk_decrypt
,
1132 .sign
= _wrap_nettle_pk_sign
,
1133 .verify
= _wrap_nettle_pk_verify
,
1134 .verify_params
= wrap_nettle_pk_verify_params
,
1135 .generate
= wrap_nettle_pk_generate_params
,
1136 .pk_fixup_private_params
= wrap_nettle_pk_fixup
,
1137 .derive
= _wrap_nettle_pk_derive
,