2 * Copyright (C) 2012 Michael Brown <mbrown@fensystems.co.uk>.
4 * This program is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU General Public License as
6 * published by the Free Software Foundation; either version 2 of the
7 * License, or any later version.
9 * This program is distributed in the hope that it will be useful, but
10 * WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 * General Public License for more details.
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, write to the Free Software
16 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
20 FILE_LICENCE ( GPL2_OR_LATER );
27 #include <ipxe/asn1.h>
28 #include <ipxe/crypto.h>
29 #include <ipxe/bigint.h>
30 #include <ipxe/random_nz.h>
32 #include <ipxe/sha1.h>
33 #include <ipxe/sha256.h>
38 * RSA public-key cryptography
40 * RSA is documented in RFC 3447.
43 /* Disambiguate the various error causes */
44 #define EACCES_VERIFY \
45 __einfo_error ( EINFO_EACCES_VERIFY )
46 #define EINFO_EACCES_VERIFY \
47 __einfo_uniqify ( EINFO_EACCES, 0x01, "RSA signature incorrect" )
49 /** "rsaEncryption" object identifier */
50 static uint8_t oid_rsa_encryption[] = { ASN1_OID_RSAENCRYPTION };
52 /** "md5WithRSAEncryption" object identifier */
53 static uint8_t oid_md5_with_rsa_encryption[] =
54 { ASN1_OID_MD5WITHRSAENCRYPTION };
56 /** "sha1WithRSAEncryption" object identifier */
57 static uint8_t oid_sha1_with_rsa_encryption[] =
58 { ASN1_OID_SHA1WITHRSAENCRYPTION };
60 /** "sha256WithRSAEncryption" object identifier */
61 static uint8_t oid_sha256_with_rsa_encryption[] =
62 { ASN1_OID_SHA256WITHRSAENCRYPTION };
64 /** "rsaEncryption" OID-identified algorithm */
65 struct asn1_algorithm rsa_encryption_algorithm __asn1_algorithm = {
66 .name = "rsaEncryption",
67 .pubkey = &rsa_algorithm,
69 .oid = ASN1_OID_CURSOR ( oid_rsa_encryption ),
72 /** "md5WithRSAEncryption" OID-identified algorithm */
73 struct asn1_algorithm md5_with_rsa_encryption_algorithm __asn1_algorithm = {
74 .name = "md5WithRSAEncryption",
75 .pubkey = &rsa_algorithm,
76 .digest = &md5_algorithm,
77 .oid = ASN1_OID_CURSOR ( oid_md5_with_rsa_encryption ),
80 /** "sha1WithRSAEncryption" OID-identified algorithm */
81 struct asn1_algorithm sha1_with_rsa_encryption_algorithm __asn1_algorithm = {
82 .name = "sha1WithRSAEncryption",
83 .pubkey = &rsa_algorithm,
84 .digest = &sha1_algorithm,
85 .oid = ASN1_OID_CURSOR ( oid_sha1_with_rsa_encryption ),
88 /** "sha256WithRSAEncryption" OID-identified algorithm */
89 struct asn1_algorithm sha256_with_rsa_encryption_algorithm __asn1_algorithm = {
90 .name = "sha256WithRSAEncryption",
91 .pubkey = &rsa_algorithm,
92 .digest = &sha256_algorithm,
93 .oid = ASN1_OID_CURSOR ( oid_sha256_with_rsa_encryption ),
96 /** MD5 digestInfo prefix */
97 static const uint8_t rsa_md5_prefix_data[] =
98 { RSA_DIGESTINFO_PREFIX ( MD5_DIGEST_SIZE, ASN1_OID_MD5 ) };
100 /** SHA-1 digestInfo prefix */
101 static const uint8_t rsa_sha1_prefix_data[] =
102 { RSA_DIGESTINFO_PREFIX ( SHA1_DIGEST_SIZE, ASN1_OID_SHA1 ) };
104 /** SHA-256 digestInfo prefix */
105 static const uint8_t rsa_sha256_prefix_data[] =
106 { RSA_DIGESTINFO_PREFIX ( SHA256_DIGEST_SIZE, ASN1_OID_SHA256 ) };
108 /** MD5 digestInfo prefix */
109 struct rsa_digestinfo_prefix rsa_md5_prefix __rsa_digestinfo_prefix = {
110 .digest = &md5_algorithm,
111 .data = rsa_md5_prefix_data,
112 .len = sizeof ( rsa_md5_prefix_data ),
115 /** SHA-1 digestInfo prefix */
116 struct rsa_digestinfo_prefix rsa_sha1_prefix __rsa_digestinfo_prefix = {
117 .digest = &sha1_algorithm,
118 .data = rsa_sha1_prefix_data,
119 .len = sizeof ( rsa_sha1_prefix_data ),
122 /** SHA-256 digestInfo prefix */
123 struct rsa_digestinfo_prefix rsa_sha256_prefix __rsa_digestinfo_prefix = {
124 .digest = &sha256_algorithm,
125 .data = rsa_sha256_prefix_data,
126 .len = sizeof ( rsa_sha256_prefix_data ),
130 * Identify RSA prefix
132 * @v digest Digest algorithm
133 * @ret prefix RSA prefix, or NULL
135 static struct rsa_digestinfo_prefix *
136 rsa_find_prefix ( struct digest_algorithm *digest ) {
137 struct rsa_digestinfo_prefix *prefix;
139 for_each_table_entry ( prefix, RSA_DIGESTINFO_PREFIXES ) {
140 if ( prefix->digest == digest )
147 * Free RSA dynamic storage
149 * @v context RSA context
151 static void rsa_free ( struct rsa_context *context ) {
153 free ( context->dynamic );
154 context->dynamic = NULL;
158 * Allocate RSA dynamic storage
160 * @v context RSA context
161 * @v modulus_len Modulus length
162 * @v exponent_len Exponent length
163 * @ret rc Return status code
165 static int rsa_alloc ( struct rsa_context *context, size_t modulus_len,
166 size_t exponent_len ) {
167 unsigned int size = bigint_required_size ( modulus_len );
168 unsigned int exponent_size = bigint_required_size ( exponent_len );
169 bigint_t ( size ) *modulus;
170 bigint_t ( exponent_size ) *exponent;
171 size_t tmp_len = bigint_mod_exp_tmp_len ( modulus, exponent );
173 bigint_t ( size ) modulus;
174 bigint_t ( exponent_size ) exponent;
175 bigint_t ( size ) input;
176 bigint_t ( size ) output;
177 uint8_t tmp[tmp_len];
178 } __attribute__ (( packed )) *dynamic;
180 /* Free any existing dynamic storage */
181 rsa_free ( context );
183 /* Allocate dynamic storage */
184 dynamic = malloc ( sizeof ( *dynamic ) );
188 /* Assign dynamic storage */
189 context->dynamic = dynamic;
190 context->modulus0 = &dynamic->modulus.element[0];
191 context->size = size;
192 context->max_len = modulus_len;
193 context->exponent0 = &dynamic->exponent.element[0];
194 context->exponent_size = exponent_size;
195 context->input0 = &dynamic->input.element[0];
196 context->output0 = &dynamic->output.element[0];
197 context->tmp = &dynamic->tmp;
205 * @v integer Integer to fill in
206 * @v raw ASN.1 cursor
207 * @ret rc Return status code
209 static int rsa_parse_integer ( struct asn1_cursor *integer,
210 const struct asn1_cursor *raw ) {
213 memcpy ( integer, raw, sizeof ( *integer ) );
214 asn1_enter ( integer, ASN1_INTEGER );
216 /* Skip initial sign byte if applicable */
217 if ( ( integer->len > 1 ) &&
218 ( *( ( uint8_t * ) integer->data ) == 0x00 ) ) {
223 /* Fail if cursor or integer are invalid */
224 if ( ! integer->len )
231 * Parse RSA modulus and exponent
233 * @v modulus Modulus to fill in
234 * @v exponent Exponent to fill in
235 * @v raw ASN.1 cursor
236 * @ret rc Return status code
238 static int rsa_parse_mod_exp ( struct asn1_cursor *modulus,
239 struct asn1_cursor *exponent,
240 const struct asn1_cursor *raw ) {
241 struct asn1_bit_string bits;
242 struct asn1_cursor cursor;
246 /* Enter subjectPublicKeyInfo/RSAPrivateKey */
247 memcpy ( &cursor, raw, sizeof ( cursor ) );
248 asn1_enter ( &cursor, ASN1_SEQUENCE );
250 /* Determine key format */
251 if ( asn1_type ( &cursor ) == ASN1_INTEGER ) {
257 asn1_skip_any ( &cursor );
265 asn1_skip ( &cursor, ASN1_SEQUENCE );
267 /* Enter subjectPublicKey */
268 if ( ( rc = asn1_integral_bit_string ( &cursor, &bits ) ) != 0 )
270 cursor.data = bits.data;
271 cursor.len = bits.len;
273 /* Enter RSAPublicKey */
274 asn1_enter ( &cursor, ASN1_SEQUENCE );
277 /* Extract modulus */
278 if ( ( rc = rsa_parse_integer ( modulus, &cursor ) ) != 0 )
280 asn1_skip_any ( &cursor );
282 /* Skip public exponent, if applicable */
284 asn1_skip ( &cursor, ASN1_INTEGER );
286 /* Extract publicExponent/privateExponent */
287 if ( ( rc = rsa_parse_integer ( exponent, &cursor ) ) != 0 )
294 * Initialise RSA cipher
298 * @v key_len Length of key
299 * @ret rc Return status code
301 static int rsa_init ( void *ctx, const void *key, size_t key_len ) {
302 struct rsa_context *context = ctx;
303 struct asn1_cursor modulus;
304 struct asn1_cursor exponent;
305 struct asn1_cursor cursor;
308 /* Initialise context */
309 memset ( context, 0, sizeof ( *context ) );
311 /* Initialise cursor */
313 cursor.len = key_len;
315 /* Parse modulus and exponent */
316 if ( ( rc = rsa_parse_mod_exp ( &modulus, &exponent, &cursor ) ) != 0 ){
317 DBGC ( context, "RSA %p invalid modulus/exponent:\n", context );
318 DBGC_HDA ( context, 0, cursor.data, cursor.len );
322 DBGC ( context, "RSA %p modulus:\n", context );
323 DBGC_HDA ( context, 0, modulus.data, modulus.len );
324 DBGC ( context, "RSA %p exponent:\n", context );
325 DBGC_HDA ( context, 0, exponent.data, exponent.len );
327 /* Allocate dynamic storage */
328 if ( ( rc = rsa_alloc ( context, modulus.len, exponent.len ) ) != 0 )
331 /* Construct big integers */
332 bigint_init ( ( ( bigint_t ( context->size ) * ) context->modulus0 ),
333 modulus.data, modulus.len );
334 bigint_init ( ( ( bigint_t ( context->exponent_size ) * )
335 context->exponent0 ), exponent.data, exponent.len );
339 rsa_free ( context );
346 * Calculate RSA maximum output length
349 * @ret max_len Maximum output length
351 static size_t rsa_max_len ( void *ctx ) {
352 struct rsa_context *context = ctx;
354 return context->max_len;
358 * Perform RSA cipher operation
360 * @v context RSA context
362 * @v out Output buffer
364 static void rsa_cipher ( struct rsa_context *context,
365 const void *in, void *out ) {
366 bigint_t ( context->size ) *input = ( ( void * ) context->input0 );
367 bigint_t ( context->size ) *output = ( ( void * ) context->output0 );
368 bigint_t ( context->size ) *modulus = ( ( void * ) context->modulus0 );
369 bigint_t ( context->exponent_size ) *exponent =
370 ( ( void * ) context->exponent0 );
372 /* Initialise big integer */
373 bigint_init ( input, in, context->max_len );
375 /* Perform modular exponentiation */
376 bigint_mod_exp ( input, modulus, exponent, output, context->tmp );
378 /* Copy out result */
379 bigint_done ( output, out, context->max_len );
386 * @v plaintext Plaintext
387 * @v plaintext_len Length of plaintext
388 * @v ciphertext Ciphertext
389 * @ret ciphertext_len Length of ciphertext, or negative error
391 static int rsa_encrypt ( void *ctx, const void *plaintext,
392 size_t plaintext_len, void *ciphertext ) {
393 struct rsa_context *context = ctx;
396 size_t max_len = ( context->max_len - 11 );
397 size_t random_nz_len = ( max_len - plaintext_len + 8 );
401 if ( plaintext_len > max_len ) {
402 DBGC ( context, "RSA %p plaintext too long (%zd bytes, max "
403 "%zd)\n", context, plaintext_len, max_len );
406 DBGC ( context, "RSA %p encrypting:\n", context );
407 DBGC_HDA ( context, 0, plaintext, plaintext_len );
409 /* Construct encoded message (using the big integer output
410 * buffer as temporary storage)
412 temp = context->output0;
416 if ( ( rc = get_random_nz ( &encoded[2], random_nz_len ) ) != 0 ) {
417 DBGC ( context, "RSA %p could not generate random data: %s\n",
418 context, strerror ( rc ) );
421 encoded[ 2 + random_nz_len ] = 0x00;
422 memcpy ( &encoded[ context->max_len - plaintext_len ],
423 plaintext, plaintext_len );
425 /* Encipher the encoded message */
426 rsa_cipher ( context, encoded, ciphertext );
427 DBGC ( context, "RSA %p encrypted:\n", context );
428 DBGC_HDA ( context, 0, ciphertext, context->max_len );
430 return context->max_len;
437 * @v ciphertext Ciphertext
438 * @v ciphertext_len Ciphertext length
439 * @v plaintext Plaintext
440 * @ret plaintext_len Plaintext length, or negative error
442 static int rsa_decrypt ( void *ctx, const void *ciphertext,
443 size_t ciphertext_len, void *plaintext ) {
444 struct rsa_context *context = ctx;
450 size_t plaintext_len;
453 if ( ciphertext_len != context->max_len ) {
454 DBGC ( context, "RSA %p ciphertext incorrect length (%zd "
455 "bytes, should be %zd)\n",
456 context, ciphertext_len, context->max_len );
459 DBGC ( context, "RSA %p decrypting:\n", context );
460 DBGC_HDA ( context, 0, ciphertext, ciphertext_len );
462 /* Decipher the message (using the big integer input buffer as
465 temp = context->input0;
467 rsa_cipher ( context, ciphertext, encoded );
469 /* Parse the message */
470 end = ( encoded + context->max_len );
471 if ( ( encoded[0] != 0x00 ) || ( encoded[1] != 0x02 ) )
473 zero = memchr ( &encoded[2], 0, ( end - &encoded[2] ) );
476 start = ( zero + 1 );
477 plaintext_len = ( end - start );
479 /* Copy out message */
480 memcpy ( plaintext, start, plaintext_len );
481 DBGC ( context, "RSA %p decrypted:\n", context );
482 DBGC_HDA ( context, 0, plaintext, plaintext_len );
484 return plaintext_len;
487 DBGC ( context, "RSA %p invalid decrypted message:\n", context );
488 DBGC_HDA ( context, 0, encoded, context->max_len );
495 * @v context RSA context
496 * @v digest Digest algorithm
497 * @v value Digest value
498 * @v encoded Encoded digest
499 * @ret rc Return status code
501 static int rsa_encode_digest ( struct rsa_context *context,
502 struct digest_algorithm *digest,
503 const void *value, void *encoded ) {
504 struct rsa_digestinfo_prefix *prefix;
505 size_t digest_len = digest->digestsize;
506 uint8_t *temp = encoded;
507 size_t digestinfo_len;
511 /* Identify prefix */
512 prefix = rsa_find_prefix ( digest );
514 DBGC ( context, "RSA %p has no prefix for %s\n",
515 context, digest->name );
518 digestinfo_len = ( prefix->len + digest_len );
521 max_len = ( context->max_len - 11 );
522 if ( digestinfo_len > max_len ) {
523 DBGC ( context, "RSA %p %s digestInfo too long (%zd bytes, max"
525 context, digest->name, digestinfo_len, max_len );
528 DBGC ( context, "RSA %p encoding %s digest:\n",
529 context, digest->name );
530 DBGC_HDA ( context, 0, value, digest_len );
532 /* Construct encoded message */
535 pad_len = ( max_len - digestinfo_len + 8 );
536 memset ( temp, 0xff, pad_len );
539 memcpy ( temp, prefix->data, prefix->len );
541 memcpy ( temp, value, digest_len );
543 assert ( temp == ( encoded + context->max_len ) );
544 DBGC ( context, "RSA %p encoded %s digest:\n", context, digest->name );
545 DBGC_HDA ( context, 0, encoded, context->max_len );
551 * Sign digest value using RSA
554 * @v digest Digest algorithm
555 * @v value Digest value
556 * @v signature Signature
557 * @ret signature_len Signature length, or negative error
559 static int rsa_sign ( void *ctx, struct digest_algorithm *digest,
560 const void *value, void *signature ) {
561 struct rsa_context *context = ctx;
565 DBGC ( context, "RSA %p signing %s digest:\n", context, digest->name );
566 DBGC_HDA ( context, 0, value, digest->digestsize );
568 /* Encode digest (using the big integer output buffer as
571 temp = context->output0;
572 if ( ( rc = rsa_encode_digest ( context, digest, value, temp ) ) != 0 )
575 /* Encipher the encoded digest */
576 rsa_cipher ( context, temp, signature );
577 DBGC ( context, "RSA %p signed %s digest:\n", context, digest->name );
578 DBGC_HDA ( context, 0, signature, context->max_len );
580 return context->max_len;
584 * Verify signed digest value using RSA
587 * @v digest Digest algorithm
588 * @v value Digest value
589 * @v signature Signature
590 * @v signature_len Signature length
591 * @ret rc Return status code
593 static int rsa_verify ( void *ctx, struct digest_algorithm *digest,
594 const void *value, const void *signature,
595 size_t signature_len ) {
596 struct rsa_context *context = ctx;
603 if ( signature_len != context->max_len ) {
604 DBGC ( context, "RSA %p signature incorrect length (%zd "
605 "bytes, should be %zd)\n",
606 context, signature_len, context->max_len );
609 DBGC ( context, "RSA %p verifying %s digest:\n",
610 context, digest->name );
611 DBGC_HDA ( context, 0, value, digest->digestsize );
612 DBGC_HDA ( context, 0, signature, signature_len );
614 /* Decipher the signature (using the big integer input buffer
615 * as temporary storage)
617 temp = context->input0;
619 rsa_cipher ( context, signature, expected );
620 DBGC ( context, "RSA %p deciphered signature:\n", context );
621 DBGC_HDA ( context, 0, expected, context->max_len );
623 /* Encode digest (using the big integer output buffer as
626 temp = context->output0;
628 if ( ( rc = rsa_encode_digest ( context, digest, value, actual ) ) !=0 )
631 /* Verify the signature */
632 if ( memcmp ( actual, expected, context->max_len ) != 0 ) {
633 DBGC ( context, "RSA %p signature verification failed\n",
635 return -EACCES_VERIFY;
638 DBGC ( context, "RSA %p signature verified successfully\n", context );
643 * Finalise RSA cipher
647 static void rsa_final ( void *ctx ) {
648 struct rsa_context *context = ctx;
650 rsa_free ( context );
654 * Check for matching RSA public/private key pair
656 * @v private_key Private key
657 * @v private_key_len Private key length
658 * @v public_key Public key
659 * @v public_key_len Public key length
660 * @ret rc Return status code
662 static int rsa_match ( const void *private_key, size_t private_key_len,
663 const void *public_key, size_t public_key_len ) {
664 struct asn1_cursor private_modulus;
665 struct asn1_cursor private_exponent;
666 struct asn1_cursor private_cursor;
667 struct asn1_cursor public_modulus;
668 struct asn1_cursor public_exponent;
669 struct asn1_cursor public_cursor;
672 /* Initialise cursors */
673 private_cursor.data = private_key;
674 private_cursor.len = private_key_len;
675 public_cursor.data = public_key;
676 public_cursor.len = public_key_len;
678 /* Parse moduli and exponents */
679 if ( ( rc = rsa_parse_mod_exp ( &private_modulus, &private_exponent,
680 &private_cursor ) ) != 0 )
682 if ( ( rc = rsa_parse_mod_exp ( &public_modulus, &public_exponent,
683 &public_cursor ) ) != 0 )
687 if ( asn1_compare ( &private_modulus, &public_modulus ) != 0 )
693 /** RSA public-key algorithm */
694 struct pubkey_algorithm rsa_algorithm = {
696 .ctxsize = sizeof ( struct rsa_context ),
698 .max_len = rsa_max_len,
699 .encrypt = rsa_encrypt,
700 .decrypt = rsa_decrypt,
702 .verify = rsa_verify,