Commit | Line | Data |
---|---|---|
80a47a2c TK |
1 | /* |
2 | * The RSA public-key cryptosystem | |
3 | * | |
4 | * Based on XySSL: Copyright (C) 2006-2008 Christophe Devine | |
5 | * | |
6 | * Copyright (C) 2009 Paul Bakker <polarssl_maintainer at polarssl dot org> | |
7 | * | |
8 | * This program is free software; you can redistribute it and/or modify | |
9 | * it under the terms of the GNU General Public License as published by | |
10 | * the Free Software Foundation; either version 2 of the License, or | |
11 | * (at your option) any later version. | |
12 | * | |
13 | * This program is distributed in the hope that it will be useful, | |
14 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
15 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
16 | * GNU General Public License for more details. | |
17 | * | |
18 | * You should have received a copy of the GNU General Public License along | |
19 | * with this program; if not, write to the Free Software Foundation, Inc., | |
20 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | |
21 | */ | |
22 | /* | |
23 | * RSA was designed by Ron Rivest, Adi Shamir and Len Adleman. | |
24 | * | |
25 | * http://theory.lcs.mit.edu/~rivest/rsapaper.pdf | |
26 | * http://www.cacr.math.uwaterloo.ca/hac/about/chap8.pdf | |
27 | */ | |
28 | ||
29 | /* $Cambridge: exim/src/src/pdkim/rsa.c,v 1.2 2009/06/10 07:34:05 tom Exp $ */ | |
30 | ||
31 | #include "rsa.h" | |
32 | #include "base64.h" | |
33 | ||
34 | #include <stdlib.h> | |
35 | #include <string.h> | |
36 | #include <stdio.h> | |
37 | ||
38 | ||
39 | /* | |
40 | * ASN.1 DER decoding routines | |
41 | */ | |
42 | static int asn1_get_len( unsigned char **p, | |
43 | unsigned char *end, | |
44 | int *len ) | |
45 | { | |
46 | if( ( end - *p ) < 1 ) | |
47 | return( POLARSSL_ERR_ASN1_OUT_OF_DATA ); | |
48 | ||
49 | if( ( **p & 0x80 ) == 0 ) | |
50 | *len = *(*p)++; | |
51 | else | |
52 | { | |
53 | switch( **p & 0x7F ) | |
54 | { | |
55 | case 1: | |
56 | if( ( end - *p ) < 2 ) | |
57 | return( POLARSSL_ERR_ASN1_OUT_OF_DATA ); | |
58 | ||
59 | *len = (*p)[1]; | |
60 | (*p) += 2; | |
61 | break; | |
62 | ||
63 | case 2: | |
64 | if( ( end - *p ) < 3 ) | |
65 | return( POLARSSL_ERR_ASN1_OUT_OF_DATA ); | |
66 | ||
67 | *len = ( (*p)[1] << 8 ) | (*p)[2]; | |
68 | (*p) += 3; | |
69 | break; | |
70 | ||
71 | default: | |
72 | return( POLARSSL_ERR_ASN1_INVALID_LENGTH ); | |
73 | break; | |
74 | } | |
75 | } | |
76 | ||
77 | if( *len > (int) ( end - *p ) ) | |
78 | return( POLARSSL_ERR_ASN1_OUT_OF_DATA ); | |
79 | ||
80 | return( 0 ); | |
81 | } | |
82 | ||
83 | static int asn1_get_tag( unsigned char **p, | |
84 | unsigned char *end, | |
85 | int *len, int tag ) | |
86 | { | |
87 | if( ( end - *p ) < 1 ) | |
88 | return( POLARSSL_ERR_ASN1_OUT_OF_DATA ); | |
89 | ||
90 | if( **p != tag ) | |
91 | return( POLARSSL_ERR_ASN1_UNEXPECTED_TAG ); | |
92 | ||
93 | (*p)++; | |
94 | ||
95 | return( asn1_get_len( p, end, len ) ); | |
96 | } | |
97 | ||
98 | static int asn1_get_int( unsigned char **p, | |
99 | unsigned char *end, | |
100 | int *val ) | |
101 | { | |
102 | int ret, len; | |
103 | ||
104 | if( ( ret = asn1_get_tag( p, end, &len, ASN1_INTEGER ) ) != 0 ) | |
105 | return( ret ); | |
106 | ||
107 | if( len > (int) sizeof( int ) || ( **p & 0x80 ) != 0 ) | |
108 | return( POLARSSL_ERR_ASN1_INVALID_LENGTH ); | |
109 | ||
110 | *val = 0; | |
111 | ||
112 | while( len-- > 0 ) | |
113 | { | |
114 | *val = ( *val << 8 ) | **p; | |
115 | (*p)++; | |
116 | } | |
117 | ||
118 | return( 0 ); | |
119 | } | |
120 | ||
121 | static int asn1_get_mpi( unsigned char **p, | |
122 | unsigned char *end, | |
123 | mpi *X ) | |
124 | { | |
125 | int ret, len; | |
126 | ||
127 | if( ( ret = asn1_get_tag( p, end, &len, ASN1_INTEGER ) ) != 0 ) | |
128 | return( ret ); | |
129 | ||
130 | ret = mpi_read_binary( X, *p, len ); | |
131 | ||
132 | *p += len; | |
133 | ||
134 | return( ret ); | |
135 | } | |
136 | ||
137 | ||
138 | /* | |
139 | * Initialize an RSA context | |
140 | */ | |
141 | void rsa_init( rsa_context *ctx, | |
142 | int padding, | |
143 | int hash_id, | |
144 | int (*f_rng)(void *), | |
145 | void *p_rng ) | |
146 | { | |
147 | memset( ctx, 0, sizeof( rsa_context ) ); | |
148 | ||
149 | ctx->padding = padding; | |
150 | ctx->hash_id = hash_id; | |
151 | ||
152 | ctx->f_rng = f_rng; | |
153 | ctx->p_rng = p_rng; | |
154 | } | |
155 | ||
156 | ||
157 | /* | |
158 | * Check a public RSA key | |
159 | */ | |
160 | int rsa_check_pubkey( rsa_context *ctx ) | |
161 | { | |
162 | if( ( ctx->N.p[0] & 1 ) == 0 || | |
163 | ( ctx->E.p[0] & 1 ) == 0 ) | |
164 | return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED ); | |
165 | ||
166 | if( mpi_msb( &ctx->N ) < 128 || | |
167 | mpi_msb( &ctx->N ) > 4096 ) | |
168 | return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED ); | |
169 | ||
170 | if( mpi_msb( &ctx->E ) < 2 || | |
171 | mpi_msb( &ctx->E ) > 64 ) | |
172 | return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED ); | |
173 | ||
174 | return( 0 ); | |
175 | } | |
176 | ||
177 | /* | |
178 | * Check a private RSA key | |
179 | */ | |
180 | int rsa_check_privkey( rsa_context *ctx ) | |
181 | { | |
182 | int ret; | |
183 | mpi PQ, DE, P1, Q1, H, I, G; | |
184 | ||
185 | if( ( ret = rsa_check_pubkey( ctx ) ) != 0 ) | |
186 | return( ret ); | |
187 | ||
188 | mpi_init( &PQ, &DE, &P1, &Q1, &H, &I, &G, NULL ); | |
189 | ||
190 | MPI_CHK( mpi_mul_mpi( &PQ, &ctx->P, &ctx->Q ) ); | |
191 | MPI_CHK( mpi_mul_mpi( &DE, &ctx->D, &ctx->E ) ); | |
192 | MPI_CHK( mpi_sub_int( &P1, &ctx->P, 1 ) ); | |
193 | MPI_CHK( mpi_sub_int( &Q1, &ctx->Q, 1 ) ); | |
194 | MPI_CHK( mpi_mul_mpi( &H, &P1, &Q1 ) ); | |
195 | MPI_CHK( mpi_mod_mpi( &I, &DE, &H ) ); | |
196 | MPI_CHK( mpi_gcd( &G, &ctx->E, &H ) ); | |
197 | ||
198 | if( mpi_cmp_mpi( &PQ, &ctx->N ) == 0 && | |
199 | mpi_cmp_int( &I, 1 ) == 0 && | |
200 | mpi_cmp_int( &G, 1 ) == 0 ) | |
201 | { | |
202 | mpi_free( &G, &I, &H, &Q1, &P1, &DE, &PQ, NULL ); | |
203 | return( 0 ); | |
204 | } | |
205 | ||
206 | cleanup: | |
207 | ||
208 | mpi_free( &G, &I, &H, &Q1, &P1, &DE, &PQ, NULL ); | |
209 | return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED | ret ); | |
210 | } | |
211 | ||
212 | /* | |
213 | * Do an RSA public key operation | |
214 | */ | |
215 | int rsa_public( rsa_context *ctx, | |
216 | unsigned char *input, | |
217 | unsigned char *output ) | |
218 | { | |
219 | int ret, olen; | |
220 | mpi T; | |
221 | ||
222 | mpi_init( &T, NULL ); | |
223 | ||
224 | MPI_CHK( mpi_read_binary( &T, input, ctx->len ) ); | |
225 | ||
226 | if( mpi_cmp_mpi( &T, &ctx->N ) >= 0 ) | |
227 | { | |
228 | mpi_free( &T, NULL ); | |
229 | return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); | |
230 | } | |
231 | ||
232 | olen = ctx->len; | |
233 | MPI_CHK( mpi_exp_mod( &T, &T, &ctx->E, &ctx->N, &ctx->RN ) ); | |
234 | MPI_CHK( mpi_write_binary( &T, output, olen ) ); | |
235 | ||
236 | cleanup: | |
237 | ||
238 | mpi_free( &T, NULL ); | |
239 | ||
240 | if( ret != 0 ) | |
241 | return( POLARSSL_ERR_RSA_PUBLIC_FAILED | ret ); | |
242 | ||
243 | return( 0 ); | |
244 | } | |
245 | ||
246 | /* | |
247 | * Do an RSA private key operation | |
248 | */ | |
249 | int rsa_private( rsa_context *ctx, | |
250 | unsigned char *input, | |
251 | unsigned char *output ) | |
252 | { | |
253 | int ret, olen; | |
254 | mpi T, T1, T2; | |
255 | ||
256 | mpi_init( &T, &T1, &T2, NULL ); | |
257 | ||
258 | MPI_CHK( mpi_read_binary( &T, input, ctx->len ) ); | |
259 | ||
260 | if( mpi_cmp_mpi( &T, &ctx->N ) >= 0 ) | |
261 | { | |
262 | mpi_free( &T, NULL ); | |
263 | return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); | |
264 | } | |
265 | ||
266 | #if 0 | |
267 | MPI_CHK( mpi_exp_mod( &T, &T, &ctx->D, &ctx->N, &ctx->RN ) ); | |
268 | #else | |
269 | /* | |
270 | * faster decryption using the CRT | |
271 | * | |
272 | * T1 = input ^ dP mod P | |
273 | * T2 = input ^ dQ mod Q | |
274 | */ | |
275 | MPI_CHK( mpi_exp_mod( &T1, &T, &ctx->DP, &ctx->P, &ctx->RP ) ); | |
276 | MPI_CHK( mpi_exp_mod( &T2, &T, &ctx->DQ, &ctx->Q, &ctx->RQ ) ); | |
277 | ||
278 | /* | |
279 | * T = (T1 - T2) * (Q^-1 mod P) mod P | |
280 | */ | |
281 | MPI_CHK( mpi_sub_mpi( &T, &T1, &T2 ) ); | |
282 | MPI_CHK( mpi_mul_mpi( &T1, &T, &ctx->QP ) ); | |
283 | MPI_CHK( mpi_mod_mpi( &T, &T1, &ctx->P ) ); | |
284 | ||
285 | /* | |
286 | * output = T2 + T * Q | |
287 | */ | |
288 | MPI_CHK( mpi_mul_mpi( &T1, &T, &ctx->Q ) ); | |
289 | MPI_CHK( mpi_add_mpi( &T, &T2, &T1 ) ); | |
290 | #endif | |
291 | ||
292 | olen = ctx->len; | |
293 | MPI_CHK( mpi_write_binary( &T, output, olen ) ); | |
294 | ||
295 | cleanup: | |
296 | ||
297 | mpi_free( &T, &T1, &T2, NULL ); | |
298 | ||
299 | if( ret != 0 ) | |
300 | return( POLARSSL_ERR_RSA_PRIVATE_FAILED | ret ); | |
301 | ||
302 | return( 0 ); | |
303 | } | |
304 | ||
305 | /* | |
306 | * Add the message padding, then do an RSA operation | |
307 | */ | |
308 | int rsa_pkcs1_encrypt( rsa_context *ctx, | |
309 | int mode, int ilen, | |
310 | unsigned char *input, | |
311 | unsigned char *output ) | |
312 | { | |
313 | int nb_pad, olen; | |
314 | unsigned char *p = output; | |
315 | ||
316 | olen = ctx->len; | |
317 | ||
318 | switch( ctx->padding ) | |
319 | { | |
320 | case RSA_PKCS_V15: | |
321 | ||
322 | if( ilen < 0 || olen < ilen + 11 ) | |
323 | return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); | |
324 | ||
325 | nb_pad = olen - 3 - ilen; | |
326 | ||
327 | *p++ = 0; | |
328 | *p++ = RSA_CRYPT; | |
329 | ||
330 | while( nb_pad-- > 0 ) | |
331 | { | |
332 | do { | |
333 | *p = (unsigned char) rand(); | |
334 | } while( *p == 0 ); | |
335 | p++; | |
336 | } | |
337 | *p++ = 0; | |
338 | memcpy( p, input, ilen ); | |
339 | break; | |
340 | ||
341 | default: | |
342 | ||
343 | return( POLARSSL_ERR_RSA_INVALID_PADDING ); | |
344 | } | |
345 | ||
346 | return( ( mode == RSA_PUBLIC ) | |
347 | ? rsa_public( ctx, output, output ) | |
348 | : rsa_private( ctx, output, output ) ); | |
349 | } | |
350 | ||
351 | /* | |
352 | * Do an RSA operation, then remove the message padding | |
353 | */ | |
354 | int rsa_pkcs1_decrypt( rsa_context *ctx, | |
355 | int mode, int *olen, | |
356 | unsigned char *input, | |
357 | unsigned char *output, | |
358 | int output_max_len) | |
359 | { | |
360 | int ret, ilen; | |
361 | unsigned char *p; | |
362 | unsigned char buf[512]; | |
363 | ||
364 | ilen = ctx->len; | |
365 | ||
366 | if( ilen < 16 || ilen > (int) sizeof( buf ) ) | |
367 | return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); | |
368 | ||
369 | ret = ( mode == RSA_PUBLIC ) | |
370 | ? rsa_public( ctx, input, buf ) | |
371 | : rsa_private( ctx, input, buf ); | |
372 | ||
373 | if( ret != 0 ) | |
374 | return( ret ); | |
375 | ||
376 | p = buf; | |
377 | ||
378 | switch( ctx->padding ) | |
379 | { | |
380 | case RSA_PKCS_V15: | |
381 | ||
382 | if( *p++ != 0 || *p++ != RSA_CRYPT ) | |
383 | return( POLARSSL_ERR_RSA_INVALID_PADDING ); | |
384 | ||
385 | while( *p != 0 ) | |
386 | { | |
387 | if( p >= buf + ilen - 1 ) | |
388 | return( POLARSSL_ERR_RSA_INVALID_PADDING ); | |
389 | p++; | |
390 | } | |
391 | p++; | |
392 | break; | |
393 | ||
394 | default: | |
395 | ||
396 | return( POLARSSL_ERR_RSA_INVALID_PADDING ); | |
397 | } | |
398 | ||
399 | if (ilen - (int)(p - buf) > output_max_len) | |
400 | return( POLARSSL_ERR_RSA_OUTPUT_TO_LARGE ); | |
401 | ||
402 | *olen = ilen - (int)(p - buf); | |
403 | memcpy( output, p, *olen ); | |
404 | ||
405 | return( 0 ); | |
406 | } | |
407 | ||
408 | /* | |
409 | * Do an RSA operation to sign the message digest | |
410 | */ | |
411 | int rsa_pkcs1_sign( rsa_context *ctx, | |
412 | int mode, | |
413 | int hash_id, | |
414 | int hashlen, | |
415 | unsigned char *hash, | |
416 | unsigned char *sig ) | |
417 | { | |
418 | int nb_pad, olen; | |
419 | unsigned char *p = sig; | |
420 | ||
421 | olen = ctx->len; | |
422 | ||
423 | switch( ctx->padding ) | |
424 | { | |
425 | case RSA_PKCS_V15: | |
426 | ||
427 | switch( hash_id ) | |
428 | { | |
429 | case RSA_RAW: | |
430 | nb_pad = olen - 3 - hashlen; | |
431 | break; | |
432 | ||
433 | case RSA_MD2: | |
434 | case RSA_MD4: | |
435 | case RSA_MD5: | |
436 | nb_pad = olen - 3 - 16 - 18; | |
437 | break; | |
438 | ||
439 | case RSA_SHA1: | |
440 | nb_pad = olen - 3 - 20 - 15; | |
441 | break; | |
442 | ||
443 | case RSA_SHA256: | |
444 | nb_pad = olen - 3 - 32 - 19; | |
445 | break; | |
446 | ||
447 | default: | |
448 | return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); | |
449 | } | |
450 | ||
451 | if( nb_pad < 8 ) | |
452 | return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); | |
453 | ||
454 | *p++ = 0; | |
455 | *p++ = RSA_SIGN; | |
456 | memset( p, 0xFF, nb_pad ); | |
457 | p += nb_pad; | |
458 | *p++ = 0; | |
459 | break; | |
460 | ||
461 | default: | |
462 | ||
463 | return( POLARSSL_ERR_RSA_INVALID_PADDING ); | |
464 | } | |
465 | ||
466 | switch( hash_id ) | |
467 | { | |
468 | case RSA_RAW: | |
469 | memcpy( p, hash, hashlen ); | |
470 | break; | |
471 | ||
472 | case RSA_MD2: | |
473 | memcpy( p, ASN1_HASH_MDX, 18 ); | |
474 | memcpy( p + 18, hash, 16 ); | |
475 | p[13] = 2; break; | |
476 | ||
477 | case RSA_MD4: | |
478 | memcpy( p, ASN1_HASH_MDX, 18 ); | |
479 | memcpy( p + 18, hash, 16 ); | |
480 | p[13] = 4; break; | |
481 | ||
482 | case RSA_MD5: | |
483 | memcpy( p, ASN1_HASH_MDX, 18 ); | |
484 | memcpy( p + 18, hash, 16 ); | |
485 | p[13] = 5; break; | |
486 | ||
487 | case RSA_SHA1: | |
488 | memcpy( p, ASN1_HASH_SHA1, 15 ); | |
489 | memcpy( p + 15, hash, 20 ); | |
490 | break; | |
491 | ||
492 | case RSA_SHA256: | |
493 | memcpy( p, ASN1_HASH_SHA256, 19 ); | |
494 | memcpy( p + 19, hash, 32 ); | |
495 | break; | |
496 | ||
497 | default: | |
498 | return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); | |
499 | } | |
500 | ||
501 | return( ( mode == RSA_PUBLIC ) | |
502 | ? rsa_public( ctx, sig, sig ) | |
503 | : rsa_private( ctx, sig, sig ) ); | |
504 | } | |
505 | ||
506 | /* | |
507 | * Do an RSA operation and check the message digest | |
508 | */ | |
509 | int rsa_pkcs1_verify( rsa_context *ctx, | |
510 | int mode, | |
511 | int hash_id, | |
512 | int hashlen, | |
513 | unsigned char *hash, | |
514 | unsigned char *sig ) | |
515 | { | |
516 | int ret, len, siglen; | |
517 | unsigned char *p, c; | |
518 | unsigned char buf[512]; | |
519 | ||
520 | siglen = ctx->len; | |
521 | ||
522 | if( siglen < 16 || siglen > (int) sizeof( buf ) ) | |
523 | return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); | |
524 | ||
525 | ret = ( mode == RSA_PUBLIC ) | |
526 | ? rsa_public( ctx, sig, buf ) | |
527 | : rsa_private( ctx, sig, buf ); | |
528 | ||
529 | if( ret != 0 ) | |
530 | return( ret ); | |
531 | ||
532 | p = buf; | |
533 | ||
534 | switch( ctx->padding ) | |
535 | { | |
536 | case RSA_PKCS_V15: | |
537 | ||
538 | if( *p++ != 0 || *p++ != RSA_SIGN ) | |
539 | return( POLARSSL_ERR_RSA_INVALID_PADDING ); | |
540 | ||
541 | while( *p != 0 ) | |
542 | { | |
543 | if( p >= buf + siglen - 1 || *p != 0xFF ) | |
544 | return( POLARSSL_ERR_RSA_INVALID_PADDING ); | |
545 | p++; | |
546 | } | |
547 | p++; | |
548 | break; | |
549 | ||
550 | default: | |
551 | ||
552 | return( POLARSSL_ERR_RSA_INVALID_PADDING ); | |
553 | } | |
554 | ||
555 | len = siglen - (int)( p - buf ); | |
556 | ||
557 | if( len == 34 ) | |
558 | { | |
559 | c = p[13]; | |
560 | p[13] = 0; | |
561 | ||
562 | if( memcmp( p, ASN1_HASH_MDX, 18 ) != 0 ) | |
563 | return( POLARSSL_ERR_RSA_VERIFY_FAILED ); | |
564 | ||
565 | if( ( c == 2 && hash_id == RSA_MD2 ) || | |
566 | ( c == 4 && hash_id == RSA_MD4 ) || | |
567 | ( c == 5 && hash_id == RSA_MD5 ) ) | |
568 | { | |
569 | if( memcmp( p + 18, hash, 16 ) == 0 ) | |
570 | return( 0 ); | |
571 | else | |
572 | return( POLARSSL_ERR_RSA_VERIFY_FAILED ); | |
573 | } | |
574 | } | |
575 | ||
576 | if( len == 35 && hash_id == RSA_SHA1 ) | |
577 | { | |
578 | if( memcmp( p, ASN1_HASH_SHA1, 15 ) == 0 && | |
579 | memcmp( p + 15, hash, 20 ) == 0 ) | |
580 | return( 0 ); | |
581 | else | |
582 | return( POLARSSL_ERR_RSA_VERIFY_FAILED ); | |
583 | } | |
584 | ||
585 | if( len == 51 && hash_id == RSA_SHA256 ) | |
586 | { | |
587 | if( memcmp( p, ASN1_HASH_SHA256, 19 ) == 0 && | |
588 | memcmp( p + 19, hash, 32 ) == 0 ) | |
589 | return( 0 ); | |
590 | else | |
591 | return( POLARSSL_ERR_RSA_VERIFY_FAILED ); | |
592 | } | |
593 | ||
594 | if( len == hashlen && hash_id == RSA_RAW ) | |
595 | { | |
596 | if( memcmp( p, hash, hashlen ) == 0 ) | |
597 | return( 0 ); | |
598 | else | |
599 | return( POLARSSL_ERR_RSA_VERIFY_FAILED ); | |
600 | } | |
601 | ||
602 | return( POLARSSL_ERR_RSA_INVALID_PADDING ); | |
603 | } | |
604 | ||
605 | /* | |
606 | * Free the components of an RSA key | |
607 | */ | |
608 | void rsa_free( rsa_context *ctx ) | |
609 | { | |
610 | mpi_free( &ctx->RQ, &ctx->RP, &ctx->RN, | |
611 | &ctx->QP, &ctx->DQ, &ctx->DP, | |
612 | &ctx->Q, &ctx->P, &ctx->D, | |
613 | &ctx->E, &ctx->N, NULL ); | |
614 | } | |
615 | ||
616 | ||
617 | /* | |
618 | * Parse a public RSA key | |
619 | ||
620 | OpenSSL RSA public key ASN1 container | |
621 | 0:d=0 hl=3 l= 159 cons: SEQUENCE | |
622 | 3:d=1 hl=2 l= 13 cons: SEQUENCE | |
623 | 5:d=2 hl=2 l= 9 prim: OBJECT:rsaEncryption | |
624 | 16:d=2 hl=2 l= 0 prim: NULL | |
625 | 18:d=1 hl=3 l= 141 prim: BIT STRING:RSAPublicKey (below) | |
626 | ||
627 | RSAPublicKey ASN1 container | |
628 | 0:d=0 hl=3 l= 137 cons: SEQUENCE | |
629 | 3:d=1 hl=3 l= 129 prim: INTEGER:Public modulus | |
630 | 135:d=1 hl=2 l= 3 prim: INTEGER:Public exponent | |
631 | */ | |
632 | ||
633 | int rsa_parse_public_key( rsa_context *rsa, unsigned char *buf, int buflen ) | |
634 | { | |
635 | unsigned char *p, *end; | |
636 | int ret, len; | |
637 | ||
638 | p = buf; | |
639 | end = buf+buflen; | |
640 | ||
641 | if( ( ret = asn1_get_tag( &p, end, &len, | |
642 | ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 ) { | |
643 | return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT | ret ); | |
644 | } | |
645 | ||
646 | if( ( ret = asn1_get_tag( &p, end, &len, | |
647 | ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) == 0 ) { | |
648 | /* Skip over embedded rsaEncryption Object */ | |
649 | p+=len; | |
650 | ||
651 | /* The RSAPublicKey ASN1 container is wrapped in a BIT STRING */ | |
652 | if( ( ret = asn1_get_tag( &p, end, &len, | |
653 | ASN1_BIT_STRING ) ) != 0 ) { | |
654 | return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT | ret ); | |
655 | } | |
656 | ||
657 | /* Limit range to that BIT STRING */ | |
658 | end = p + len; | |
659 | p++; | |
660 | ||
661 | if( ( ret = asn1_get_tag( &p, end, &len, | |
662 | ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 ) { | |
663 | return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT | ret ); | |
664 | } | |
665 | } | |
666 | ||
667 | if ( ( ( ret = asn1_get_mpi( &p, end, &(rsa->N) ) ) == 0 ) && | |
668 | ( ( ret = asn1_get_mpi( &p, end, &(rsa->E) ) ) == 0 ) ) { | |
669 | rsa->len = mpi_size( &rsa->N ); | |
670 | return 0; | |
671 | } | |
672 | ||
673 | return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT | ret ); | |
674 | } | |
675 | ||
676 | /* | |
677 | * Parse a private RSA key | |
678 | */ | |
679 | int rsa_parse_key( rsa_context *rsa, unsigned char *buf, int buflen, | |
680 | unsigned char *pwd, int pwdlen ) | |
681 | { | |
682 | int ret, len, enc; | |
683 | unsigned char *s1, *s2; | |
684 | unsigned char *p, *end; | |
685 | ||
686 | s1 = (unsigned char *) strstr( (char *) buf, | |
687 | "-----BEGIN RSA PRIVATE KEY-----" ); | |
688 | ||
689 | if( s1 != NULL ) | |
690 | { | |
691 | s2 = (unsigned char *) strstr( (char *) buf, | |
692 | "-----END RSA PRIVATE KEY-----" ); | |
693 | ||
694 | if( s2 == NULL || s2 <= s1 ) | |
695 | return( POLARSSL_ERR_X509_KEY_INVALID_PEM ); | |
696 | ||
697 | s1 += 31; | |
698 | if( *s1 == '\r' ) s1++; | |
699 | if( *s1 == '\n' ) s1++; | |
700 | else return( POLARSSL_ERR_X509_KEY_INVALID_PEM ); | |
701 | ||
702 | enc = 0; | |
703 | ||
704 | if( memcmp( s1, "Proc-Type: 4,ENCRYPTED", 22 ) == 0 ) | |
705 | { | |
706 | return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE ); | |
707 | } | |
708 | ||
709 | len = 0; | |
710 | ret = base64_decode( NULL, &len, s1, s2 - s1 ); | |
711 | ||
712 | if( ret == POLARSSL_ERR_BASE64_INVALID_CHARACTER ) | |
713 | return( ret | POLARSSL_ERR_X509_KEY_INVALID_PEM ); | |
714 | ||
715 | if( ( buf = (unsigned char *) malloc( len ) ) == NULL ) | |
716 | return( 1 ); | |
717 | ||
718 | if( ( ret = base64_decode( buf, &len, s1, s2 - s1 ) ) != 0 ) | |
719 | { | |
720 | free( buf ); | |
721 | return( ret | POLARSSL_ERR_X509_KEY_INVALID_PEM ); | |
722 | } | |
723 | ||
724 | buflen = len; | |
725 | ||
726 | if( enc != 0 ) | |
727 | { | |
728 | return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE ); | |
729 | } | |
730 | } | |
731 | ||
732 | memset( rsa, 0, sizeof( rsa_context ) ); | |
733 | ||
734 | p = buf; | |
735 | end = buf + buflen; | |
736 | ||
737 | /* | |
738 | * RSAPrivateKey ::= SEQUENCE { | |
739 | * version Version, | |
740 | * modulus INTEGER, -- n | |
741 | * publicExponent INTEGER, -- e | |
742 | * privateExponent INTEGER, -- d | |
743 | * prime1 INTEGER, -- p | |
744 | * prime2 INTEGER, -- q | |
745 | * exponent1 INTEGER, -- d mod (p-1) | |
746 | * exponent2 INTEGER, -- d mod (q-1) | |
747 | * coefficient INTEGER, -- (inverse of q) mod p | |
748 | * otherPrimeInfos OtherPrimeInfos OPTIONAL | |
749 | * } | |
750 | */ | |
751 | if( ( ret = asn1_get_tag( &p, end, &len, | |
752 | ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 ) | |
753 | { | |
754 | if( s1 != NULL ) | |
755 | free( buf ); | |
756 | ||
757 | rsa_free( rsa ); | |
758 | return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT | ret ); | |
759 | } | |
760 | ||
761 | end = p + len; | |
762 | ||
763 | if( ( ret = asn1_get_int( &p, end, &rsa->ver ) ) != 0 ) | |
764 | { | |
765 | if( s1 != NULL ) | |
766 | free( buf ); | |
767 | ||
768 | rsa_free( rsa ); | |
769 | return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT | ret ); | |
770 | } | |
771 | ||
772 | if( rsa->ver != 0 ) | |
773 | { | |
774 | if( s1 != NULL ) | |
775 | free( buf ); | |
776 | ||
777 | rsa_free( rsa ); | |
778 | return( ret | POLARSSL_ERR_X509_KEY_INVALID_VERSION ); | |
779 | } | |
780 | ||
781 | if( ( ret = asn1_get_mpi( &p, end, &rsa->N ) ) != 0 || | |
782 | ( ret = asn1_get_mpi( &p, end, &rsa->E ) ) != 0 || | |
783 | ( ret = asn1_get_mpi( &p, end, &rsa->D ) ) != 0 || | |
784 | ( ret = asn1_get_mpi( &p, end, &rsa->P ) ) != 0 || | |
785 | ( ret = asn1_get_mpi( &p, end, &rsa->Q ) ) != 0 || | |
786 | ( ret = asn1_get_mpi( &p, end, &rsa->DP ) ) != 0 || | |
787 | ( ret = asn1_get_mpi( &p, end, &rsa->DQ ) ) != 0 || | |
788 | ( ret = asn1_get_mpi( &p, end, &rsa->QP ) ) != 0 ) | |
789 | { | |
790 | if( s1 != NULL ) | |
791 | free( buf ); | |
792 | ||
793 | rsa_free( rsa ); | |
794 | return( ret | POLARSSL_ERR_X509_KEY_INVALID_FORMAT ); | |
795 | } | |
796 | ||
797 | rsa->len = mpi_size( &rsa->N ); | |
798 | ||
799 | if( p != end ) | |
800 | { | |
801 | if( s1 != NULL ) | |
802 | free( buf ); | |
803 | ||
804 | rsa_free( rsa ); | |
805 | return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT | | |
806 | POLARSSL_ERR_ASN1_LENGTH_MISMATCH ); | |
807 | } | |
808 | ||
809 | if( ( ret = rsa_check_privkey( rsa ) ) != 0 ) | |
810 | { | |
811 | if( s1 != NULL ) | |
812 | free( buf ); | |
813 | ||
814 | rsa_free( rsa ); | |
815 | return( ret ); | |
816 | } | |
817 | ||
818 | if( s1 != NULL ) | |
819 | free( buf ); | |
820 | ||
821 | return( 0 ); | |
822 | } |