Blob
PrivateKey::decrypt(const Blob& cipher) const
{
if (!key)
throw CryptoException("Can't decrypt data without private key !");
unsigned key_len = 0;
int err = gnutls_privkey_get_pk_algorithm(key, &key_len);
if (err < 0)
throw CryptoException("Can't read public key length !");
if (err != GNUTLS_PK_RSA)
throw CryptoException("Must be an RSA key");
unsigned cypher_block_sz = key_len / 8;
if (cipher.size() % cypher_block_sz)
throw CryptoException("Unexpected cipher length");
Blob ret;
for (auto cb = cipher.cbegin(), ce = cipher.cend(); cb < ce; cb += cypher_block_sz) {
const gnutls_datum_t dat {(uint8_t*)(&(*cb)), cypher_block_sz};
gnutls_datum_t out;
int err = gnutls_privkey_decrypt_data(key, 0, &dat, &out);
if (err != GNUTLS_E_SUCCESS)
throw DhtException(std::string("Can't decrypt data: ") + gnutls_strerror(err));
ret.insert(ret.end(), out.data, out.data+out.size);
gnutls_free(out.data);
}
return ret;
}
void CryptoManager::generateCertificate() throw(CryptoException) {
#ifdef _WIN32
// Generate certificate using OpenSSL
if(SETTING(TLS_PRIVATE_KEY_FILE).empty()) {
throw CryptoException("No private key file chosen");
}
if(SETTING(TLS_CERTIFICATE_FILE).empty()) {
throw CryptoException("No certificate file chosen");
}
wstring cmd = L"openssl.exe genrsa -out \"" + Text::utf8ToWide(SETTING(TLS_PRIVATE_KEY_FILE)) + L"\" 2048";
PROCESS_INFORMATION pi = { 0 };
STARTUPINFO si = { 0 };
si.cb = sizeof(si);
if(!CreateProcess(0, const_cast<wchar_t*>(cmd.c_str()), 0, 0, FALSE, 0, 0, 0, &si, &pi)) {
throw CryptoException(Util::translateError(::GetLastError()));
}
WaitForSingleObject(pi.hProcess, INFINITE);
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
cmd = L"openssl.exe req -x509 -new -batch -days 3650 -key \"" + Text::utf8ToWide(SETTING(TLS_PRIVATE_KEY_FILE)) +
L"\" -out \"" + Text::utf8ToWide(SETTING(TLS_CERTIFICATE_FILE)) + L"\" -subj \"/CN=" +
Text::utf8ToWide(ClientManager::getInstance()->getMyCID().toBase32()) + L"\"";
if(!CreateProcess(0, const_cast<wchar_t*>(cmd.c_str()), 0, 0, FALSE, 0, 0, 0, &si, &pi)) {
throw CryptoException(Util::translateError(::GetLastError()));
}
WaitForSingleObject(pi.hProcess, INFINITE);
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
#endif
}
PrivateKey::PrivateKey(gnutls_x509_privkey_t k) : x509_key(k)
{
if (gnutls_global_init() != GNUTLS_E_SUCCESS)
throw CryptoException("Can't initialize GnuTLS.");
gnutls_privkey_init(&key);
if (gnutls_privkey_import_x509(key, k, GNUTLS_PRIVKEY_IMPORT_COPY) != GNUTLS_E_SUCCESS) {
key = nullptr;
throw CryptoException("Can't load generic private key !");
}
}
Blob
PrivateKey::sign(const Blob& data) const
{
if (!key)
throw CryptoException("Can't sign data: no private key set !");
gnutls_datum_t sig;
const gnutls_datum_t dat {(unsigned char*)data.data(), (unsigned)data.size()};
if (gnutls_privkey_sign_data(key, GNUTLS_DIG_SHA512, 0, &dat, &sig) != GNUTLS_E_SUCCESS)
throw CryptoException("Can't sign data !");
Blob ret(sig.data, sig.data+sig.size);
gnutls_free(sig.data);
return ret;
}
PrivateKey
PrivateKey::generate(unsigned key_length)
{
if (gnutls_global_init() != GNUTLS_E_SUCCESS)
throw CryptoException("Can't initialize GnuTLS.");
gnutls_x509_privkey_t key;
if (gnutls_x509_privkey_init(&key) != GNUTLS_E_SUCCESS)
throw CryptoException("Can't initialize private key.");
int err = gnutls_x509_privkey_generate(key, GNUTLS_PK_RSA, key_length, 0);
if (err != GNUTLS_E_SUCCESS) {
gnutls_x509_privkey_deinit(key);
throw CryptoException(std::string("Can't generate RSA key pair: ") + gnutls_strerror(err));
}
return PrivateKey{key};
}
void CEstEIDCertificate::readFromCertContext() {
LOG_LOCATION;
PCCERT_CONTEXT pCertContext = NULL;
HCERTSTORE hCertStore = NULL;
CRYPTUI_SELECTCERTIFICATE_STRUCT sel = {sizeof(sel)};
int counter = 0;
hCertStore = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, NULL, CERT_SYSTEM_STORE_CURRENT_USER | CERT_STORE_READONLY_FLAG, L"MY");
if(!hCertStore){
throw CryptoException();
}
sel.pvCallbackData = &counter;
sel.pFilterCallback = filter_proc;
sel.rghDisplayStores = &hCertStore;
sel.cDisplayStores = 1;
#ifdef _SEB_BUILD
EstEID_log("SEB build");
PCCERT_CONTEXT pCertContextForEnumeration = NULL;
int certificatesCount = 0;
while(pCertContextForEnumeration = CertEnumCertificatesInStore(hCertStore, pCertContextForEnumeration)) {
if(isValidForSigning(pCertContextForEnumeration)) {
certificatesCount++;
pCertContext = pCertContextForEnumeration;
}
}
EstEID_log("Certificates count %i", certificatesCount);
if(certificatesCount != 1) {
pCertContext = CryptUIDlgSelectCertificate(&sel);
}
#else
pCertContext = CryptUIDlgSelectCertificate(&sel);
#endif
if(!pCertContext) {
EstEID_log("User didn't select sertificate");
throw CryptoException(ESTEID_USER_CANCEL);
}
loadCertContexts(pCertContext);
if(pCertContext){
CertFreeCertificateContext(pCertContext);
}
if(hCertStore) {
CertCloseStore(hCertStore, CERT_CLOSE_STORE_FORCE_FLAG);
}
}
void CEstEIDIEPluginBHO::CryptoErrorHandler(BOOL result) {
EstEID_log("");
if (!result) {
EstEID_log("Throwing CryptoException");
throw CryptoException();
}
}
void
Certificate::unpack(Blob::const_iterator& begin, Blob::const_iterator& end)
{
if (cert) {
gnutls_x509_crt_deinit(cert);
cert = nullptr;
}
gnutls_x509_crt_t* cert_list;
unsigned cert_num;
const gnutls_datum_t crt_dt {(uint8_t*)&(*begin), (unsigned)(end-begin)};
int err = gnutls_x509_crt_list_import2(&cert_list, &cert_num, &crt_dt, GNUTLS_X509_FMT_PEM, GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED);
if (err != GNUTLS_E_SUCCESS)
err = gnutls_x509_crt_list_import2(&cert_list, &cert_num, &crt_dt, GNUTLS_X509_FMT_DER, GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED);
if (err != GNUTLS_E_SUCCESS || cert_num == 0) {
cert = nullptr;
throw CryptoException(std::string("Could not read certificate - ") + gnutls_strerror(err));
}
cert = cert_list[0];
Certificate* crt = this;
size_t i = 1;
while (crt and i < cert_num) {
crt->issuer = std::make_shared<Certificate>(cert_list[i++]);
crt = crt->issuer.get();
}
gnutls_free(cert_list);
}
void AES::SetIV(ref<ByteArray> iv)
{
if (iv->Count() == 16)
m_iv = iv;
else
cdec_throw(CryptoException(EC_CRYPT_InvalidIVSize));
}
void AES::SetKey(ref<ByteArray> key)
{
int len = key->Count();
if (len == 16 || len == 24 || len == 32)
m_key = key;
else
cdec_throw(CryptoException(EC_CRYPT_InvalidKeySize));
}
void CEstEIDIEPluginBHO::signWithPKCS11(HINSTANCE hInst, BSTR id, BSTR hash, BSTR *signature) {
LOG_LOCATION;
char *_signature = NULL;
EstEID_errorCode = 0;
CK_SLOT_ID slotId;
if(id == NULL) {
throw CryptoException(ESTEID_CERT_NOT_FOUND_ERROR);
}
if(EstEID_getSlotId(CW2A(id), &slotId)){
if(EstEID_isPinPad(slotId)) {
#ifdef WIN_XP
_signature = EstEID_sign(strdup(CW2A(id)), strdup(CW2A(hash)), pinPromptData);
if(pinPadDlg != NULL) {
pinPadDlg->EndDialog(ESTEID_NO_ERROR);
}
#endif
}
else {
CEstEidPin2Dlg *pin2Dlg = new CEstEidPin2Dlg();
pin2Dlg->SetCertId(id);
pin2Dlg->SetHash(hash);
INT result = pin2Dlg->DoModal();
if(!result) {
throw CryptoException(ESTEID_USER_CANCEL);
}
_signature = pin2Dlg->GetSignature();
}
if(_signature == NULL) {
throw CryptoException(EstEID_errorCode == 0 ? ESTEID_PKCS11_ERROR : EstEID_errorCode);
}
}
else {
throw CryptoException(ESTEID_CERT_NOT_FOUND_ERROR);
}
if (_signature) {
*signature = _bstr_t(_signature).Detach();
free(_signature);
}
else {
//TODO:error handling
//EstEID_log("EstEID_error=%s", EstEID_error);
throw CryptoException(ESTEID_UNKNOWN_ERROR);
}
}
InfoHash
Certificate::getId() const
{
if (not cert)
return {};
InfoHash id;
size_t sz = id.size();
if (gnutls_x509_crt_get_key_id(cert, 0, id.data(), &sz) != GNUTLS_E_SUCCESS || sz != id.size())
throw CryptoException("Can't get certificate public key ID.");
return id;
}
void
PublicKey::pack(Blob& b) const
{
std::vector<uint8_t> tmp(2048);
size_t sz = tmp.size();
int err = gnutls_pubkey_export(pk, GNUTLS_X509_FMT_DER, tmp.data(), &sz);
if (err != GNUTLS_E_SUCCESS)
throw CryptoException(std::string("Could not export public key: ") + gnutls_strerror(err));
tmp.resize(sz);
serialize<Blob>(tmp, b);
}
void CEstEIDCertificate::readFromCertContext() {
PCCERT_CONTEXT certContext = NULL;
HCERTSTORE cert_store = NULL;
cert_store = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, NULL, CERT_SYSTEM_STORE_CURRENT_USER | CERT_STORE_READONLY_FLAG, L"MY");
if(!cert_store){
throw CryptoException();
}
if(!CertFindCertificateInStore(cert_store, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0, CERT_FIND_ANY, NULL, NULL)) {
CertCloseStore(cert_store, CERT_CLOSE_STORE_FORCE_FLAG);
throw CryptoException();
}
while(certContext = CertFindCertificateInStore(cert_store, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0, CERT_FIND_ANY, NULL, certContext)) {
BYTE keyUsage;
CertGetIntendedKeyUsage(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, certContext->pCertInfo, &keyUsage, 1);
if (keyUsage & CERT_NON_REPUDIATION_KEY_USAGE) {
this->certificates.push_back(CertDuplicateCertificateContext(certContext));
}
}
//PCCERT_CONTEXT ct = CryptUIDlgSelectCertificateFromStore(cert_store, NULL, L"TIITEL", L"Vali cert:", NULL, 0, 0);
//loadCertContexts(ct);
CCertificateSelectionDlg *dlg = new CCertificateSelectionDlg();
dlg->setCertificate(this->certificates);
INT_PTR selectedItem = dlg->DoModal();
EstEID_log("selected item index = %i", selectedItem);
if(selectedItem == -1) {
throw CryptoException(ESTEID_USER_CANCEL);
}
loadCertContexts(this->certificates[selectedItem]);
if(certContext){
CertFreeCertificateContext(certContext);
}
if(cert_store) {
CertCloseStore(cert_store, CERT_CLOSE_STORE_FORCE_FLAG);
}
}
void AES::SetMode(CipherMode mode)
{
switch (mode)
{
case Cipher_ECB:
case Cipher_CBC:
m_mode = mode;
break;
default:
cdec_throw(CryptoException(EC_CRYPT_InvalidCipherMode));
}
}
void CryptoManager::decodeBZ2(const u_int8_t* is, size_t sz, string& os) throw (CryptoException) {
bz_stream bs = { 0 };
if(BZ2_bzDecompressInit(&bs, 0, 0) != BZ_OK)
throw(CryptoException(STRING(DECOMPRESSION_ERROR)));
// We assume that the files aren't compressed more than 2:1...if they are it'll work anyway,
// but we'll have to do multiple passes...
size_t bufsize = 2*sz;
AutoArray<char> buf(bufsize);
bs.avail_in = sz;
bs.avail_out = bufsize;
bs.next_in = (char*)(const_cast<u_int8_t*>(is));
bs.next_out = buf;
int err;
os.clear();
while((err = BZ2_bzDecompress(&bs)) == BZ_OK) {
if (bs.avail_in == 0 && bs.avail_out > 0) { // error: BZ_UNEXPECTED_EOF
BZ2_bzDecompressEnd(&bs);
throw CryptoException(STRING(DECOMPRESSION_ERROR));
}
os.append(buf, bufsize-bs.avail_out);
bs.avail_out = bufsize;
bs.next_out = buf;
}
if(err == BZ_STREAM_END)
os.append(buf, bufsize-bs.avail_out);
BZ2_bzDecompressEnd(&bs);
if(err < 0) {
// This was a real error
throw CryptoException(STRING(DECOMPRESSION_ERROR));
}
}
PrivateKey::PrivateKey(const Blob& import)
{
if (gnutls_global_init() != GNUTLS_E_SUCCESS)
throw CryptoException("Can't initialize GnuTLS.");
int err = gnutls_x509_privkey_init(&x509_key);
if (err != GNUTLS_E_SUCCESS)
throw CryptoException("Can't initialize private key !");
const gnutls_datum_t dt {(uint8_t*)import.data(), static_cast<unsigned>(import.size())};
err = gnutls_x509_privkey_import2(x509_key, &dt, GNUTLS_X509_FMT_PEM, nullptr, GNUTLS_PKCS_PLAIN);
if (err != GNUTLS_E_SUCCESS)
err = gnutls_x509_privkey_import2(x509_key, &dt, GNUTLS_X509_FMT_DER, nullptr, GNUTLS_PKCS_PLAIN);
if (err != GNUTLS_E_SUCCESS) {
gnutls_x509_privkey_deinit(x509_key);
throw CryptoException("Can't load private key !");
}
gnutls_privkey_init(&key);
if (gnutls_privkey_import_x509(key, x509_key, GNUTLS_PRIVKEY_IMPORT_COPY) != GNUTLS_E_SUCCESS) {
throw CryptoException("Can't load generic private key !");
}
}
void
PublicKey::unpack(Blob::const_iterator& begin, Blob::const_iterator& end)
{
Blob tmp = deserialize<Blob>(begin, end);
if (pk)
gnutls_pubkey_deinit(pk);
gnutls_pubkey_init(&pk);
const gnutls_datum_t dat {(uint8_t*)tmp.data(), (unsigned)tmp.size()};
int err = gnutls_pubkey_import(pk, &dat, GNUTLS_X509_FMT_PEM);
if (err != GNUTLS_E_SUCCESS)
err = gnutls_pubkey_import(pk, &dat, GNUTLS_X509_FMT_DER);
if (err != GNUTLS_E_SUCCESS)
throw CryptoException(std::string("Could not read public key: ") + gnutls_strerror(err));
}
Blob
PublicKey::encrypt(const Blob& data) const
{
if (!pk)
throw CryptoException("Can't read public key !");
unsigned key_len = 0;
int err = gnutls_pubkey_get_pk_algorithm(pk, &key_len);
if (err < 0)
throw CryptoException("Can't read public key length !");
if (err != GNUTLS_PK_RSA)
throw CryptoException("Must be an RSA key");
unsigned max_block_sz = key_len / 8 - 11;
unsigned cypher_block_sz = key_len / 8;
unsigned block_num = data.empty() ? 1 : 1 + (data.size() - 1) / max_block_sz;
Blob ret;
auto eb = data.cbegin();
auto ee = data.cend();
for (unsigned i=0; i<block_num; i++) {
auto blk_sz = std::min<unsigned>(ee - eb, max_block_sz);
const gnutls_datum_t dat {(uint8_t*)&(*eb), blk_sz};
gnutls_datum_t encrypted;
err = gnutls_pubkey_encrypt_data(pk, 0, &dat, &encrypted);
if (err != GNUTLS_E_SUCCESS)
throw CryptoException(std::string("Can't encrypt data: ") + gnutls_strerror(err));
if (encrypted.size != cypher_block_sz)
throw CryptoException("Unexpected cypherblock size");
ret.insert(ret.end(), encrypted.data, encrypted.data+encrypted.size);
eb += blk_sz;
gnutls_free(encrypted.data);
}
return ret;
}
AesTransform::AesTransform(CAesAlg* alg, CipherMode mode, ref<ByteArray> iv, bool fEncoder)
{
m_alg = alg;
m_mode = mode;
if (mode != Cipher_ECB)
{
if (iv == NULL)
cdec_throw(CryptoException(EC_CRYPT_InvalidIVSize));
memcpy(m_iv, iv->GetBuffer().ptr(), 16);
}
if (mode == Cipher_ECB)
m_e = fEncoder ? &AesTransform::f_EncodeECB : &AesTransform::f_DecodeECB;
else if (mode == Cipher_CBC)
m_e = fEncoder ? &AesTransform::f_EncodeCBC : &AesTransform::f_DecodeCBC;
}
void Sec256DsaEx::ParsePubKey(RCSpan cbuf) {
if (!secp256k1_ec_pubkey_parse(g_sec256Ctx, &m_pubkey, cbuf.data(), cbuf.size()))
throw CryptoException(make_error_code(ExtErr::Crypto), "Invalid PubKey");
}
void CEstEIDIEPluginBHO::signWithCNG(BSTR id, BSTR hash, BSTR *signature) {
LOG_LOCATION;
#ifdef WIN_XP
EstEID_log("WARNING: CNG is not supported for windows XP");
#else
int methodResult = true;
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
SECURITY_STATUS secStatus = ERROR_SUCCESS;
NCRYPT_KEY_HANDLE hKey = NULL;
DWORD cbSignature = 0;
NTSTATUS status = ((NTSTATUS)0xC0000001L);
PBYTE pbSignature = NULL;
PCCERT_CONTEXT certContext = NULL;
HCERTSTORE cert_store;
BOOL must_release_provider;
int hashHexLength = _bstr_t(hash).length()/2;
BCRYPT_PKCS1_PADDING_INFO padInfo;
padInfo.pszAlgId = 0;
switch(hashHexLength) {
case BINARY_SHA1_LENGTH:
padInfo.pszAlgId = NCRYPT_SHA1_ALGORITHM;break;
case BINARY_SHA224_LENGTH:
padInfo.pszAlgId = L"SHA224"; break;
case BINARY_SHA256_LENGTH :
padInfo.pszAlgId = NCRYPT_SHA256_ALGORITHM; break;
case BINARY_SHA512_LENGTH:
padInfo.pszAlgId = NCRYPT_SHA512_ALGORITHM; break;
default:
break;
}
try {
if(!id || !strlen(CW2A(id))) {
throw CryptoException(ESTEID_CERT_NOT_FOUND_ERROR);
}
EstEID_log("signing started, selected certificate id = %s", CW2A(id));
if(padInfo.pszAlgId == 0) {
throw CryptoException(ESTEID_INVALID_HASH_ERROR);
}
cert_store = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, NULL, CERT_SYSTEM_STORE_CURRENT_USER | CERT_STORE_READONLY_FLAG, L"MY");
if(!cert_store) throw CryptoException();
while(certContext = CertFindCertificateInStore(cert_store, X509_ASN_ENCODING, 0, CERT_FIND_ANY, NULL, certContext)) {
if(certificateMatchesId(certContext, id)) {
if (!CryptAcquireCertificatePrivateKey(certContext, CRYPT_ACQUIRE_ONLY_NCRYPT_KEY_FLAG|CRYPT_ACQUIRE_COMPARE_KEY_FLAG, NULL, &hKey,
NULL, &must_release_provider)) {
throw CryptoException(ESTEID_CRYPTO_API_ERROR);
}
BYTE hashBytes[65];
CryptStringToBinary(hash, hashHexLength*2, CRYPT_STRING_HEX, hashBytes, (DWORD*)&hashHexLength, 0, 0);
EstEID_log("Number of bytes stored in hashBytes buffer = %u", hashHexLength);
EstEID_log("signing with %s", CW2A(padInfo.pszAlgId));
if(FAILED(secStatus = NCryptSignHash(hKey, &padInfo, (PBYTE)hashBytes, hashHexLength, NULL, 0, &cbSignature, 0))) {
throw CryptoException(secStatus);
}
pbSignature = (PBYTE)HeapAlloc (GetProcessHeap (), 0, cbSignature);
if(NULL == pbSignature){
throw CryptoException(ESTEID_CRYPTO_API_ERROR);
}
if(FAILED(secStatus = NCryptSignHash(hKey, &padInfo, (PBYTE)hashBytes, hashHexLength, pbSignature, cbSignature, &cbSignature, BCRYPT_PAD_PKCS1))) {
throw CryptoException(secStatus);
}
std::stringstream ss;
for (DWORD i = 0; i < cbSignature; i++) {
ss << std::hex << std::setfill('0') << std::setw(2) << (short)pbSignature[i];
}
*signature = _bstr_t(ss.str().c_str()).Detach();
}
}
}
catch(CryptoException e) {
*signature = _bstr_t("").Detach();
if(pbSignature) HeapFree(GetProcessHeap(), 0, pbSignature);
if(hKey) NCryptFreeObject(hKey);
if(certContext) CertFreeCertificateContext(certContext);
if(must_release_provider && cert_store) CertCloseStore(cert_store, 0);
throw CryptoException(e.windowsErrorCode);
}
CertFreeCertificateContext(certContext);
if(must_release_provider) CertCloseStore(cert_store, 0);
#endif
}
void CEstEIDIEPluginBHO::signWithCSP(BSTR id, BSTR hash, BSTR *signature) {
LOG_LOCATION;
HCRYPTPROV cryptoProvider = NULL;
HCRYPTHASH _hash = NULL ;
PCCERT_CONTEXT certContext = NULL;
HCERTSTORE cert_store;
BOOL must_release_provider;
try{
if(!id || !strlen(CW2A(id))) {
throw CryptoException(ESTEID_CERT_NOT_FOUND_ERROR);
}
EstEID_log("signing started, selected certificate id = %s", CW2A(id));
#define VALID_HASH_LENGTH 40
if (_bstr_t(hash).length() != VALID_HASH_LENGTH) {
throw CryptoException("invalid hash");
}
cert_store = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, NULL, CERT_SYSTEM_STORE_CURRENT_USER | CERT_STORE_READONLY_FLAG, L"MY");
if(!cert_store) throw CryptoException();
while(certContext = CertFindCertificateInStore(cert_store, X509_ASN_ENCODING, 0, CERT_FIND_ANY, NULL, certContext)) {
if(certificateMatchesId(certContext, id)) {
DWORD key_type = 0;
if (CryptAcquireCertificatePrivateKey(certContext, CRYPT_ACQUIRE_CACHE_FLAG,
NULL, &cryptoProvider, &key_type, &must_release_provider)) {
BYTE hashBytes[21];
DWORD hashBytesLength = 20;
CryptStringToBinary(hash, VALID_HASH_LENGTH, CRYPT_STRING_HEX, hashBytes, &hashBytesLength, 0, 0);
hashBytes[hashBytesLength] = '\0';
EstEID_log("Number of bytes stored in hashBytes buffer = %u", hashBytesLength);
CryptoErrorHandler(CryptCreateHash(cryptoProvider, CALG_SHA1, 0, 0, &_hash));
EstEID_log("CryptCreateHash() set hash object pointer to %p", _hash);
CryptoErrorHandler(CryptSetHashParam(_hash, HP_HASHVAL, hashBytes, 0));
#define SIGNATURE_LENGTH 1024
BYTE _signature[SIGNATURE_LENGTH];
DWORD signatureLength = SIGNATURE_LENGTH;
INT retCode = CryptSignHash(_hash, AT_SIGNATURE, NULL, 0, _signature, &signatureLength);
DWORD lastError = GetLastError();
EstEID_log("CryptSignHash() return code: %u (%s) %x", retCode, retCode ? "SUCCESS" : "FAILURE", lastError);
if(!retCode) throw CryptoException(lastError);
CryptDestroyHash(_hash);
CryptReleaseContext(cryptoProvider, 0);
CertFreeCertificateContext(certContext);
if(must_release_provider) CertCloseStore(cert_store, 0);
std::stringstream ss;
for (DWORD i = 0; i < signatureLength; i++) {
ss << std::hex << std::setfill('0') << std::setw(2) << (short)_signature[signatureLength - i - 1];
}
*signature = _bstr_t(ss.str().c_str()).Detach();
}
else {
INT lastError = GetLastError();
EstEID_log("ERROR: CryptAcquireCertificatePrivateKey() failed, error code = %lXh", GetLastError());
switch(lastError) {
case NTE_BAD_PUBLIC_KEY:
EstEID_log(" error code %lXh: NTE_BAD_PUBLIC_KEY", lastError);
break;
case NTE_SILENT_CONTEXT:
EstEID_log(" error code %lXh: NTE_SILENT_CONTEXT", lastError);
}
}
break;
}
}
}
catch(CryptoException e) {
*signature = _bstr_t("").Detach();
if(_hash) CryptDestroyHash(_hash);
if(cryptoProvider) CryptReleaseContext(cryptoProvider, 0);
if(certContext) CertFreeCertificateContext(certContext);
if(must_release_provider && cert_store) CertCloseStore(cert_store, 0);
throw(CryptoException(e.windowsErrorCode));
}
}
void CryptoManager::decodeHuffman(const u_int8_t* is, string& os, const size_t len) throw(CryptoException) {
// BitInputStream bis;
int pos = 0;
if(len < 11 || is[pos] != 'H' || is[pos+1] != 'E' || !((is[pos+2] == '3') || (is[pos+2] == '0'))) {
throw CryptoException(STRING(DECOMPRESSION_ERROR));
}
pos+=5;
int size;
size = *(int*)&is[pos];
pos+=4;
dcdebug("Size: %d\n", size);
unsigned short treeSize;
treeSize = *(unsigned short*)&is[pos];
pos+=2;
if(len < (size_t)(11 + treeSize * 2))
throw CryptoException(STRING(DECOMPRESSION_ERROR));
Leaf** leaves = new Leaf*[treeSize];
int i;
for(i=0; i<treeSize; i++) {
int chr = is[pos++];
int bits = is[pos++];
leaves[i] = new Leaf(chr, bits);
}
BitInputStream bis(is, pos, len);
DecNode* root = new DecNode();
for(i=0; i<treeSize; i++) {
DecNode* node = root;
for(int j=0; j<leaves[i]->len; j++) {
try {
if(bis.get()) {
if(node->right == NULL)
node->right = new DecNode();
node = node->right;
} else {
if(node->left == NULL)
node->left = new DecNode();
node = node->left;
}
} catch(const BitStreamException&) {
throw CryptoException(STRING(DECOMPRESSION_ERROR));
}
}
node->chr = leaves[i]->chr;
}
bis.skipToByte();
// We know the size, so no need to use strange STL stuff...
AutoArray<char> buf(size+1);
pos = 0;
for(i=0; i<size; i++) {
DecNode* node = root;
while(node->chr == -1) {
try {
if(bis.get()) {
node = node->right;
} else {
node = node->left;
}
} catch(const BitStreamException&) {
throw CryptoException(STRING(DECOMPRESSION_ERROR));
}
if(node == NULL) {
for(i=0; i<treeSize; i++) {
delete leaves[i];
}
delete[] leaves;
delete root;
dcdebug("Bad node found!!!\n");
throw CryptoException(STRING(DECOMPRESSION_ERROR));
}
}
buf[pos++] = (u_int8_t)node->chr;
}
buf[pos] = 0;
os.assign(buf, size);
for(i=0; i<treeSize; i++) {
delete leaves[i];
}
delete[] leaves;
delete root;
}
void Sec256Signature::Parse(RCSpan cbuf) {
if (!secp256k1_ecdsa_sig_parse(&m_r, &m_s, cbuf.data(), cbuf.size()))
throw CryptoException(make_error_code(ExtErr::Crypto), "Invalid Signature");
}
PrivateKey::PrivateKey()
{
if (gnutls_global_init() != GNUTLS_E_SUCCESS)
throw CryptoException("Can't initialize GnuTLS.");
}
void Sec256SignatureEx::Parse(RCSpan cbuf) {
if (!ecdsa_signature_parse_der_lax(g_sec256Ctx, &m_sig, cbuf.data(), cbuf.size()))
throw CryptoException(make_error_code(ExtErr::Crypto), "Invalid Signature");
secp256k1_ecdsa_signature_normalize(g_sec256Ctx, &m_sig, &m_sig);
}
void CEstEIDCertificate::CryptoErrorHandler(BOOL result) {
if (!result) {
throw CryptoException();
}
}
