2 * Copyright (c) 2006 - 2008 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
38 #include <krb5-types.h>
39 #include <rfc2459_asn1.h>
46 * @page page_rsa RSA - public-key cryptography
48 * RSA is named by its inventors (Ron Rivest, Adi Shamir, and Leonard
49 * Adleman) (published in 1977), patented expired in 21 September 2000.
52 * Speed for RSA in seconds
56 * operation performed each eteration sign, verify, encrypt, decrypt on a random bit pattern
59 * tfm: 2.450173 (default in hcrypto)
63 * See the library functions here: @ref hcrypto_rsa
67 * Same as RSA_new_method() using NULL as engine.
69 * @return a newly allocated RSA object. Free with RSA_free().
71 * @ingroup hcrypto_rsa
77 return RSA_new_method(NULL
);
81 * Allocate a new RSA object using the engine, if NULL is specified as
82 * the engine, use the default RSA engine as returned by
83 * ENGINE_get_default_RSA().
85 * @param engine Specific what ENGINE RSA provider should be used.
87 * @return a newly allocated RSA object. Free with RSA_free().
89 * @ingroup hcrypto_rsa
93 RSA_new_method(ENGINE
*engine
)
97 rsa
= calloc(1, sizeof(*rsa
));
104 ENGINE_up_ref(engine
);
105 rsa
->engine
= engine
;
107 rsa
->engine
= ENGINE_get_default_RSA();
111 rsa
->meth
= ENGINE_get_RSA(rsa
->engine
);
112 if (rsa
->meth
== NULL
) {
113 ENGINE_finish(engine
);
119 if (rsa
->meth
== NULL
)
120 rsa
->meth
= rk_UNCONST(RSA_get_default_method());
122 (*rsa
->meth
->init
)(rsa
);
128 * Free an allocation RSA object.
130 * @param rsa the RSA object to free.
131 * @ingroup hcrypto_rsa
137 if (rsa
->references
<= 0)
140 if (--rsa
->references
> 0)
143 (*rsa
->meth
->finish
)(rsa
);
146 ENGINE_finish(rsa
->engine
);
148 #define free_if(f) if (f) { BN_free(f); }
159 memset(rsa
, 0, sizeof(*rsa
));
164 * Add an extra reference to the RSA object. The object should be free
165 * with RSA_free() to drop the reference.
167 * @param rsa the object to add reference counting too.
169 * @return the current reference count, can't safely be used except
170 * for debug printing.
172 * @ingroup hcrypto_rsa
178 return ++rsa
->references
;
182 * Return the RSA_METHOD used for this RSA object.
184 * @param rsa the object to get the method from.
186 * @return the method used for this RSA object.
188 * @ingroup hcrypto_rsa
192 RSA_get_method(const RSA
*rsa
)
198 * Set a new method for the RSA keypair.
200 * @param rsa rsa parameter.
201 * @param method the new method for the RSA parameter.
203 * @return 1 on success.
205 * @ingroup hcrypto_rsa
209 RSA_set_method(RSA
*rsa
, const RSA_METHOD
*method
)
211 (*rsa
->meth
->finish
)(rsa
);
214 ENGINE_finish(rsa
->engine
);
219 (*rsa
->meth
->init
)(rsa
);
224 * Set the application data for the RSA object.
226 * @param rsa the rsa object to set the parameter for
227 * @param arg the data object to store
229 * @return 1 on success.
231 * @ingroup hcrypto_rsa
235 RSA_set_app_data(RSA
*rsa
, void *arg
)
237 rsa
->ex_data
.sk
= arg
;
242 * Get the application data for the RSA object.
244 * @param rsa the rsa object to get the parameter for
246 * @return the data object
248 * @ingroup hcrypto_rsa
252 RSA_get_app_data(RSA
*rsa
)
254 return rsa
->ex_data
.sk
;
258 RSA_check_key(const RSA
*key
)
260 static const unsigned char inbuf
[] = "hello, world!";
261 RSA
*rsa
= rk_UNCONST(key
);
266 * XXX I have no clue how to implement this w/o a bignum library.
267 * Well, when we have a RSA key pair, we can try to encrypt/sign
268 * and then decrypt/verify.
271 if ((rsa
->d
== NULL
|| rsa
->n
== NULL
) &&
272 (rsa
->p
== NULL
|| rsa
->q
|| rsa
->dmp1
== NULL
|| rsa
->dmq1
== NULL
|| rsa
->iqmp
== NULL
))
275 buffer
= malloc(RSA_size(rsa
));
279 ret
= RSA_private_encrypt(sizeof(inbuf
), inbuf
, buffer
,
280 rsa
, RSA_PKCS1_PADDING
);
286 ret
= RSA_public_decrypt(ret
, buffer
, buffer
,
287 rsa
, RSA_PKCS1_PADDING
);
293 if (ret
== sizeof(inbuf
) && ct_memcmp(buffer
, inbuf
, sizeof(inbuf
)) == 0) {
302 RSA_size(const RSA
*rsa
)
304 return BN_num_bytes(rsa
->n
);
307 #define RSAFUNC(name, body) \
309 name(int flen,const unsigned char* f, unsigned char* t, RSA* r, int p){\
313 RSAFUNC(RSA_public_encrypt
, (r
)->meth
->rsa_pub_enc(flen
, f
, t
, r
, p
))
314 RSAFUNC(RSA_public_decrypt
, (r
)->meth
->rsa_pub_dec(flen
, f
, t
, r
, p
))
315 RSAFUNC(RSA_private_encrypt
, (r
)->meth
->rsa_priv_enc(flen
, f
, t
, r
, p
))
316 RSAFUNC(RSA_private_decrypt
, (r
)->meth
->rsa_priv_dec(flen
, f
, t
, r
, p
))
320 RSA_sign(int type
, const unsigned char *from
, unsigned int flen
,
321 unsigned char *to
, unsigned int *tlen
, RSA
*rsa
)
327 RSA_verify(int type
, const unsigned char *from
, unsigned int flen
,
328 unsigned char *to
, unsigned int tlen
, RSA
*rsa
)
334 * A NULL RSA_METHOD that returns failure for all operations. This is
335 * used as the default RSA method if we don't have any native
339 static RSAFUNC(null_rsa_public_encrypt
, -1)
340 static RSAFUNC(null_rsa_public_decrypt
, -1)
341 static RSAFUNC(null_rsa_private_encrypt
, -1)
342 static RSAFUNC(null_rsa_private_decrypt
, -1)
349 RSA_generate_key_ex(RSA
*r
, int bits
, BIGNUM
*e
, BN_GENCB
*cb
)
351 if (r
->meth
->rsa_keygen
)
352 return (*r
->meth
->rsa_keygen
)(r
, bits
, e
, cb
);
362 null_rsa_init(RSA
*rsa
)
368 null_rsa_finish(RSA
*rsa
)
373 static const RSA_METHOD rsa_null_method
= {
375 null_rsa_public_encrypt
,
376 null_rsa_public_decrypt
,
377 null_rsa_private_encrypt
,
378 null_rsa_private_decrypt
,
390 RSA_null_method(void)
392 return &rsa_null_method
;
395 extern const RSA_METHOD hc_rsa_imath_method
;
397 static const RSA_METHOD
*default_rsa_method
= &hc_rsa_gmp_method
;
399 static const RSA_METHOD
*default_rsa_method
= &hc_rsa_imath_method
;
403 RSA_get_default_method(void)
405 return default_rsa_method
;
409 RSA_set_default_method(const RSA_METHOD
*meth
)
411 default_rsa_method
= meth
;
419 heim_int2BN(const heim_integer
*i
)
423 bn
= BN_bin2bn(i
->data
, i
->length
, NULL
);
425 BN_set_negative(bn
, i
->negative
);
430 bn2heim_int(BIGNUM
*bn
, heim_integer
*integer
)
432 integer
->length
= BN_num_bytes(bn
);
433 integer
->data
= malloc(integer
->length
);
434 if (integer
->data
== NULL
) {
438 BN_bn2bin(bn
, integer
->data
);
439 integer
->negative
= BN_is_negative(bn
);
445 d2i_RSAPrivateKey(RSA
*rsa
, const unsigned char **pp
, size_t len
)
452 ret
= decode_RSAPrivateKey(*pp
, len
, &data
, &size
);
461 free_RSAPrivateKey(&data
);
466 k
->n
= heim_int2BN(&data
.modulus
);
467 k
->e
= heim_int2BN(&data
.publicExponent
);
468 k
->d
= heim_int2BN(&data
.privateExponent
);
469 k
->p
= heim_int2BN(&data
.prime1
);
470 k
->q
= heim_int2BN(&data
.prime2
);
471 k
->dmp1
= heim_int2BN(&data
.exponent1
);
472 k
->dmq1
= heim_int2BN(&data
.exponent2
);
473 k
->iqmp
= heim_int2BN(&data
.coefficient
);
474 free_RSAPrivateKey(&data
);
476 if (k
->n
== NULL
|| k
->e
== NULL
|| k
->d
== NULL
|| k
->p
== NULL
||
477 k
->q
== NULL
|| k
->dmp1
== NULL
|| k
->dmq1
== NULL
|| k
->iqmp
== NULL
)
487 i2d_RSAPrivateKey(RSA
*rsa
, unsigned char **pp
)
493 if (rsa
->n
== NULL
|| rsa
->e
== NULL
|| rsa
->d
== NULL
|| rsa
->p
== NULL
||
494 rsa
->q
== NULL
|| rsa
->dmp1
== NULL
|| rsa
->dmq1
== NULL
||
498 memset(&data
, 0, sizeof(data
));
500 ret
= bn2heim_int(rsa
->n
, &data
.modulus
);
501 ret
|= bn2heim_int(rsa
->e
, &data
.publicExponent
);
502 ret
|= bn2heim_int(rsa
->d
, &data
.privateExponent
);
503 ret
|= bn2heim_int(rsa
->p
, &data
.prime1
);
504 ret
|= bn2heim_int(rsa
->q
, &data
.prime2
);
505 ret
|= bn2heim_int(rsa
->dmp1
, &data
.exponent1
);
506 ret
|= bn2heim_int(rsa
->dmq1
, &data
.exponent2
);
507 ret
|= bn2heim_int(rsa
->iqmp
, &data
.coefficient
);
509 free_RSAPrivateKey(&data
);
514 size
= length_RSAPrivateKey(&data
);
515 free_RSAPrivateKey(&data
);
520 ASN1_MALLOC_ENCODE(RSAPrivateKey
, p
, len
, &data
, &size
, ret
);
521 free_RSAPrivateKey(&data
);
527 memcpy(*pp
, p
, size
);
537 i2d_RSAPublicKey(RSA
*rsa
, unsigned char **pp
)
543 memset(&data
, 0, sizeof(data
));
545 if (bn2heim_int(rsa
->n
, &data
.modulus
) ||
546 bn2heim_int(rsa
->e
, &data
.publicExponent
))
548 free_RSAPublicKey(&data
);
553 size
= length_RSAPublicKey(&data
);
554 free_RSAPublicKey(&data
);
559 ASN1_MALLOC_ENCODE(RSAPublicKey
, p
, len
, &data
, &size
, ret
);
560 free_RSAPublicKey(&data
);
566 memcpy(*pp
, p
, size
);
576 d2i_RSAPublicKey(RSA
*rsa
, const unsigned char **pp
, size_t len
)
583 ret
= decode_RSAPublicKey(*pp
, len
, &data
, &size
);
592 free_RSAPublicKey(&data
);
597 k
->n
= heim_int2BN(&data
.modulus
);
598 k
->e
= heim_int2BN(&data
.publicExponent
);
600 free_RSAPublicKey(&data
);
602 if (k
->n
== NULL
|| k
->e
== NULL
) {