2 * Copyright (C) 2012 Michael Brown <mbrown@fensystems.co.uk>.
4 * This program is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU General Public License as
6 * published by the Free Software Foundation; either version 2 of the
7 * License, or any later version.
9 * This program is distributed in the hope that it will be useful, but
10 * WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 * General Public License for more details.
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, write to the Free Software
16 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
19 * You can also choose to distribute this program under the terms of
20 * the Unmodified Binary Distribution Licence (as given in the file
21 * COPYING.UBDL), provided that you have satisfied its requirements.
24 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
31 #include <ipxe/asn1.h>
32 #include <ipxe/crypto.h>
33 #include <ipxe/bigint.h>
34 #include <ipxe/random_nz.h>
39 * RSA public-key cryptography
41 * RSA is documented in RFC 3447.
44 /* Disambiguate the various error causes */
45 #define EACCES_VERIFY \
46 __einfo_error ( EINFO_EACCES_VERIFY )
47 #define EINFO_EACCES_VERIFY \
48 __einfo_uniqify ( EINFO_EACCES, 0x01, "RSA signature incorrect" )
50 /** "rsaEncryption" object identifier */
51 static uint8_t oid_rsa_encryption[] = { ASN1_OID_RSAENCRYPTION };
53 /** "rsaEncryption" OID-identified algorithm */
54 struct asn1_algorithm rsa_encryption_algorithm __asn1_algorithm = {
55 .name = "rsaEncryption",
56 .pubkey = &rsa_algorithm,
58 .oid = ASN1_OID_CURSOR ( oid_rsa_encryption ),
64 * @v digest Digest algorithm
65 * @ret prefix RSA prefix, or NULL
67 static struct rsa_digestinfo_prefix *
68 rsa_find_prefix ( struct digest_algorithm *digest ) {
69 struct rsa_digestinfo_prefix *prefix;
71 for_each_table_entry ( prefix, RSA_DIGESTINFO_PREFIXES ) {
72 if ( prefix->digest == digest )
79 * Free RSA dynamic storage
81 * @v context RSA context
83 static void rsa_free ( struct rsa_context *context ) {
85 free ( context->dynamic );
86 context->dynamic = NULL;
90 * Allocate RSA dynamic storage
92 * @v context RSA context
93 * @v modulus_len Modulus length
94 * @v exponent_len Exponent length
95 * @ret rc Return status code
97 static int rsa_alloc ( struct rsa_context *context, size_t modulus_len,
98 size_t exponent_len ) {
99 unsigned int size = bigint_required_size ( modulus_len );
100 unsigned int exponent_size = bigint_required_size ( exponent_len );
101 bigint_t ( size ) *modulus;
102 bigint_t ( exponent_size ) *exponent;
103 size_t tmp_len = bigint_mod_exp_tmp_len ( modulus, exponent );
105 bigint_t ( size ) modulus;
106 bigint_t ( exponent_size ) exponent;
107 bigint_t ( size ) input;
108 bigint_t ( size ) output;
109 uint8_t tmp[tmp_len];
110 } __attribute__ (( packed )) *dynamic;
112 /* Free any existing dynamic storage */
113 rsa_free ( context );
115 /* Allocate dynamic storage */
116 dynamic = malloc ( sizeof ( *dynamic ) );
120 /* Assign dynamic storage */
121 context->dynamic = dynamic;
122 context->modulus0 = &dynamic->modulus.element[0];
123 context->size = size;
124 context->max_len = modulus_len;
125 context->exponent0 = &dynamic->exponent.element[0];
126 context->exponent_size = exponent_size;
127 context->input0 = &dynamic->input.element[0];
128 context->output0 = &dynamic->output.element[0];
129 context->tmp = &dynamic->tmp;
137 * @v integer Integer to fill in
138 * @v raw ASN.1 cursor
139 * @ret rc Return status code
141 static int rsa_parse_integer ( struct asn1_cursor *integer,
142 const struct asn1_cursor *raw ) {
145 memcpy ( integer, raw, sizeof ( *integer ) );
146 asn1_enter ( integer, ASN1_INTEGER );
148 /* Skip initial sign byte if applicable */
149 if ( ( integer->len > 1 ) &&
150 ( *( ( uint8_t * ) integer->data ) == 0x00 ) ) {
155 /* Fail if cursor or integer are invalid */
156 if ( ! integer->len )
163 * Parse RSA modulus and exponent
165 * @v modulus Modulus to fill in
166 * @v exponent Exponent to fill in
167 * @v raw ASN.1 cursor
168 * @ret rc Return status code
170 static int rsa_parse_mod_exp ( struct asn1_cursor *modulus,
171 struct asn1_cursor *exponent,
172 const struct asn1_cursor *raw ) {
173 struct asn1_bit_string bits;
174 struct asn1_cursor cursor;
178 /* Enter subjectPublicKeyInfo/RSAPrivateKey */
179 memcpy ( &cursor, raw, sizeof ( cursor ) );
180 asn1_enter ( &cursor, ASN1_SEQUENCE );
182 /* Determine key format */
183 if ( asn1_type ( &cursor ) == ASN1_INTEGER ) {
189 asn1_skip_any ( &cursor );
197 asn1_skip ( &cursor, ASN1_SEQUENCE );
199 /* Enter subjectPublicKey */
200 if ( ( rc = asn1_integral_bit_string ( &cursor, &bits ) ) != 0 )
202 cursor.data = bits.data;
203 cursor.len = bits.len;
205 /* Enter RSAPublicKey */
206 asn1_enter ( &cursor, ASN1_SEQUENCE );
209 /* Extract modulus */
210 if ( ( rc = rsa_parse_integer ( modulus, &cursor ) ) != 0 )
212 asn1_skip_any ( &cursor );
214 /* Skip public exponent, if applicable */
216 asn1_skip ( &cursor, ASN1_INTEGER );
218 /* Extract publicExponent/privateExponent */
219 if ( ( rc = rsa_parse_integer ( exponent, &cursor ) ) != 0 )
226 * Initialise RSA cipher
230 * @v key_len Length of key
231 * @ret rc Return status code
233 static int rsa_init ( void *ctx, const void *key, size_t key_len ) {
234 struct rsa_context *context = ctx;
235 struct asn1_cursor modulus;
236 struct asn1_cursor exponent;
237 struct asn1_cursor cursor;
240 /* Initialise context */
241 memset ( context, 0, sizeof ( *context ) );
243 /* Initialise cursor */
245 cursor.len = key_len;
247 /* Parse modulus and exponent */
248 if ( ( rc = rsa_parse_mod_exp ( &modulus, &exponent, &cursor ) ) != 0 ){
249 DBGC ( context, "RSA %p invalid modulus/exponent:\n", context );
250 DBGC_HDA ( context, 0, cursor.data, cursor.len );
254 DBGC ( context, "RSA %p modulus:\n", context );
255 DBGC_HDA ( context, 0, modulus.data, modulus.len );
256 DBGC ( context, "RSA %p exponent:\n", context );
257 DBGC_HDA ( context, 0, exponent.data, exponent.len );
259 /* Allocate dynamic storage */
260 if ( ( rc = rsa_alloc ( context, modulus.len, exponent.len ) ) != 0 )
263 /* Construct big integers */
264 bigint_init ( ( ( bigint_t ( context->size ) * ) context->modulus0 ),
265 modulus.data, modulus.len );
266 bigint_init ( ( ( bigint_t ( context->exponent_size ) * )
267 context->exponent0 ), exponent.data, exponent.len );
271 rsa_free ( context );
278 * Calculate RSA maximum output length
281 * @ret max_len Maximum output length
283 static size_t rsa_max_len ( void *ctx ) {
284 struct rsa_context *context = ctx;
286 return context->max_len;
290 * Perform RSA cipher operation
292 * @v context RSA context
294 * @v out Output buffer
296 static void rsa_cipher ( struct rsa_context *context,
297 const void *in, void *out ) {
298 bigint_t ( context->size ) *input = ( ( void * ) context->input0 );
299 bigint_t ( context->size ) *output = ( ( void * ) context->output0 );
300 bigint_t ( context->size ) *modulus = ( ( void * ) context->modulus0 );
301 bigint_t ( context->exponent_size ) *exponent =
302 ( ( void * ) context->exponent0 );
304 /* Initialise big integer */
305 bigint_init ( input, in, context->max_len );
307 /* Perform modular exponentiation */
308 bigint_mod_exp ( input, modulus, exponent, output, context->tmp );
310 /* Copy out result */
311 bigint_done ( output, out, context->max_len );
318 * @v plaintext Plaintext
319 * @v plaintext_len Length of plaintext
320 * @v ciphertext Ciphertext
321 * @ret ciphertext_len Length of ciphertext, or negative error
323 static int rsa_encrypt ( void *ctx, const void *plaintext,
324 size_t plaintext_len, void *ciphertext ) {
325 struct rsa_context *context = ctx;
328 size_t max_len = ( context->max_len - 11 );
329 size_t random_nz_len = ( max_len - plaintext_len + 8 );
333 if ( plaintext_len > max_len ) {
334 DBGC ( context, "RSA %p plaintext too long (%zd bytes, max "
335 "%zd)\n", context, plaintext_len, max_len );
338 DBGC ( context, "RSA %p encrypting:\n", context );
339 DBGC_HDA ( context, 0, plaintext, plaintext_len );
341 /* Construct encoded message (using the big integer output
342 * buffer as temporary storage)
344 temp = context->output0;
348 if ( ( rc = get_random_nz ( &encoded[2], random_nz_len ) ) != 0 ) {
349 DBGC ( context, "RSA %p could not generate random data: %s\n",
350 context, strerror ( rc ) );
353 encoded[ 2 + random_nz_len ] = 0x00;
354 memcpy ( &encoded[ context->max_len - plaintext_len ],
355 plaintext, plaintext_len );
357 /* Encipher the encoded message */
358 rsa_cipher ( context, encoded, ciphertext );
359 DBGC ( context, "RSA %p encrypted:\n", context );
360 DBGC_HDA ( context, 0, ciphertext, context->max_len );
362 return context->max_len;
369 * @v ciphertext Ciphertext
370 * @v ciphertext_len Ciphertext length
371 * @v plaintext Plaintext
372 * @ret plaintext_len Plaintext length, or negative error
374 static int rsa_decrypt ( void *ctx, const void *ciphertext,
375 size_t ciphertext_len, void *plaintext ) {
376 struct rsa_context *context = ctx;
382 size_t plaintext_len;
385 if ( ciphertext_len != context->max_len ) {
386 DBGC ( context, "RSA %p ciphertext incorrect length (%zd "
387 "bytes, should be %zd)\n",
388 context, ciphertext_len, context->max_len );
391 DBGC ( context, "RSA %p decrypting:\n", context );
392 DBGC_HDA ( context, 0, ciphertext, ciphertext_len );
394 /* Decipher the message (using the big integer input buffer as
397 temp = context->input0;
399 rsa_cipher ( context, ciphertext, encoded );
401 /* Parse the message */
402 end = ( encoded + context->max_len );
403 if ( ( encoded[0] != 0x00 ) || ( encoded[1] != 0x02 ) )
405 zero = memchr ( &encoded[2], 0, ( end - &encoded[2] ) );
408 start = ( zero + 1 );
409 plaintext_len = ( end - start );
411 /* Copy out message */
412 memcpy ( plaintext, start, plaintext_len );
413 DBGC ( context, "RSA %p decrypted:\n", context );
414 DBGC_HDA ( context, 0, plaintext, plaintext_len );
416 return plaintext_len;
419 DBGC ( context, "RSA %p invalid decrypted message:\n", context );
420 DBGC_HDA ( context, 0, encoded, context->max_len );
427 * @v context RSA context
428 * @v digest Digest algorithm
429 * @v value Digest value
430 * @v encoded Encoded digest
431 * @ret rc Return status code
433 static int rsa_encode_digest ( struct rsa_context *context,
434 struct digest_algorithm *digest,
435 const void *value, void *encoded ) {
436 struct rsa_digestinfo_prefix *prefix;
437 size_t digest_len = digest->digestsize;
438 uint8_t *temp = encoded;
439 size_t digestinfo_len;
443 /* Identify prefix */
444 prefix = rsa_find_prefix ( digest );
446 DBGC ( context, "RSA %p has no prefix for %s\n",
447 context, digest->name );
450 digestinfo_len = ( prefix->len + digest_len );
453 max_len = ( context->max_len - 11 );
454 if ( digestinfo_len > max_len ) {
455 DBGC ( context, "RSA %p %s digestInfo too long (%zd bytes, max"
457 context, digest->name, digestinfo_len, max_len );
460 DBGC ( context, "RSA %p encoding %s digest:\n",
461 context, digest->name );
462 DBGC_HDA ( context, 0, value, digest_len );
464 /* Construct encoded message */
467 pad_len = ( max_len - digestinfo_len + 8 );
468 memset ( temp, 0xff, pad_len );
471 memcpy ( temp, prefix->data, prefix->len );
473 memcpy ( temp, value, digest_len );
475 assert ( temp == ( encoded + context->max_len ) );
476 DBGC ( context, "RSA %p encoded %s digest:\n", context, digest->name );
477 DBGC_HDA ( context, 0, encoded, context->max_len );
483 * Sign digest value using RSA
486 * @v digest Digest algorithm
487 * @v value Digest value
488 * @v signature Signature
489 * @ret signature_len Signature length, or negative error
491 static int rsa_sign ( void *ctx, struct digest_algorithm *digest,
492 const void *value, void *signature ) {
493 struct rsa_context *context = ctx;
497 DBGC ( context, "RSA %p signing %s digest:\n", context, digest->name );
498 DBGC_HDA ( context, 0, value, digest->digestsize );
500 /* Encode digest (using the big integer output buffer as
503 temp = context->output0;
504 if ( ( rc = rsa_encode_digest ( context, digest, value, temp ) ) != 0 )
507 /* Encipher the encoded digest */
508 rsa_cipher ( context, temp, signature );
509 DBGC ( context, "RSA %p signed %s digest:\n", context, digest->name );
510 DBGC_HDA ( context, 0, signature, context->max_len );
512 return context->max_len;
516 * Verify signed digest value using RSA
519 * @v digest Digest algorithm
520 * @v value Digest value
521 * @v signature Signature
522 * @v signature_len Signature length
523 * @ret rc Return status code
525 static int rsa_verify ( void *ctx, struct digest_algorithm *digest,
526 const void *value, const void *signature,
527 size_t signature_len ) {
528 struct rsa_context *context = ctx;
535 if ( signature_len != context->max_len ) {
536 DBGC ( context, "RSA %p signature incorrect length (%zd "
537 "bytes, should be %zd)\n",
538 context, signature_len, context->max_len );
541 DBGC ( context, "RSA %p verifying %s digest:\n",
542 context, digest->name );
543 DBGC_HDA ( context, 0, value, digest->digestsize );
544 DBGC_HDA ( context, 0, signature, signature_len );
546 /* Decipher the signature (using the big integer input buffer
547 * as temporary storage)
549 temp = context->input0;
551 rsa_cipher ( context, signature, expected );
552 DBGC ( context, "RSA %p deciphered signature:\n", context );
553 DBGC_HDA ( context, 0, expected, context->max_len );
555 /* Encode digest (using the big integer output buffer as
558 temp = context->output0;
560 if ( ( rc = rsa_encode_digest ( context, digest, value, actual ) ) !=0 )
563 /* Verify the signature */
564 if ( memcmp ( actual, expected, context->max_len ) != 0 ) {
565 DBGC ( context, "RSA %p signature verification failed\n",
567 return -EACCES_VERIFY;
570 DBGC ( context, "RSA %p signature verified successfully\n", context );
575 * Finalise RSA cipher
579 static void rsa_final ( void *ctx ) {
580 struct rsa_context *context = ctx;
582 rsa_free ( context );
586 * Check for matching RSA public/private key pair
588 * @v private_key Private key
589 * @v private_key_len Private key length
590 * @v public_key Public key
591 * @v public_key_len Public key length
592 * @ret rc Return status code
594 static int rsa_match ( const void *private_key, size_t private_key_len,
595 const void *public_key, size_t public_key_len ) {
596 struct asn1_cursor private_modulus;
597 struct asn1_cursor private_exponent;
598 struct asn1_cursor private_cursor;
599 struct asn1_cursor public_modulus;
600 struct asn1_cursor public_exponent;
601 struct asn1_cursor public_cursor;
604 /* Initialise cursors */
605 private_cursor.data = private_key;
606 private_cursor.len = private_key_len;
607 public_cursor.data = public_key;
608 public_cursor.len = public_key_len;
610 /* Parse moduli and exponents */
611 if ( ( rc = rsa_parse_mod_exp ( &private_modulus, &private_exponent,
612 &private_cursor ) ) != 0 )
614 if ( ( rc = rsa_parse_mod_exp ( &public_modulus, &public_exponent,
615 &public_cursor ) ) != 0 )
619 if ( asn1_compare ( &private_modulus, &public_modulus ) != 0 )
625 /** RSA public-key algorithm */
626 struct pubkey_algorithm rsa_algorithm = {
628 .ctxsize = sizeof ( struct rsa_context ),
630 .max_len = rsa_max_len,
631 .encrypt = rsa_encrypt,
632 .decrypt = rsa_decrypt,
634 .verify = rsa_verify,