static void
check_generated_ecc_key (gcry_sexp_t key)
{
gcry_sexp_t skey, pkey;
pkey = gcry_sexp_find_token (key, "public-key", 0);
if (!pkey)
fail ("public part missing in return value\n");
else
{
/* Fixme: Check more stuff. */
gcry_sexp_release (pkey);
}
skey = gcry_sexp_find_token (key, "private-key", 0);
if (!skey)
fail ("private part missing in return value\n");
else
{
int rc = gcry_pk_testkey (skey);
if (rc)
fail ("gcry_pk_testkey failed: %s\n", gpg_strerror (rc));
gcry_sexp_release (skey);
}
/* Finally check that gcry_pk_testkey also works on the entire
S-expression. */
{
int rc = gcry_pk_testkey (key);
if (rc)
fail ("gcry_pk_testkey failed on key pair: %s\n", gpg_strerror (rc));
}
}
/**
* Decode the private key from the data-format back
* to the "normal", internal format.
*
* @param buf the buffer where the private key data is stored
* @param len the length of the data in @a buf
* @return NULL on error
*/
struct GNUNET_CRYPTO_rsa_PrivateKey *
GNUNET_CRYPTO_rsa_private_key_decode (const char *buf,
size_t len)
{
struct GNUNET_CRYPTO_rsa_PrivateKey *key;
key = GNUNET_new (struct GNUNET_CRYPTO_rsa_PrivateKey);
if (0 !=
gcry_sexp_new (&key->sexp,
buf,
len,
0))
{
LOG (GNUNET_ERROR_TYPE_WARNING,
"Decoded private key is not valid\n");
GNUNET_free (key);
return NULL;
}
if (0 != gcry_pk_testkey (key->sexp))
{
LOG (GNUNET_ERROR_TYPE_WARNING,
"Decoded private key is not valid\n");
GNUNET_CRYPTO_rsa_private_key_free (key);
return NULL;
}
return key;
}
int p2p_convert_private_key(RSA *key, gcry_sexp_t *r_key) {
size_t err;
char *buf;
gcry_mpi_t n_mpi, e_mpi, d_mpi, p_mpi, q_mpi, u_mpi;
buf = BN_bn2hex(key->n);
gcry_mpi_scan(&n_mpi, GCRYMPI_FMT_HEX, buf, 0, &err);
OPENSSL_free(buf);
buf = BN_bn2hex(key->e);
gcry_mpi_scan(&e_mpi, GCRYMPI_FMT_HEX, buf, 0, &err);
OPENSSL_free(buf);
buf = BN_bn2hex(key->d);
gcry_mpi_scan(&d_mpi, GCRYMPI_FMT_HEX, buf, 0, &err);
OPENSSL_free(buf);
buf = BN_bn2hex(key->p);
gcry_mpi_scan(&p_mpi, GCRYMPI_FMT_HEX, buf, 0, &err);
OPENSSL_free(buf);
buf = BN_bn2hex(key->q);
gcry_mpi_scan(&q_mpi, GCRYMPI_FMT_HEX, buf, 0, &err);
OPENSSL_free(buf);
buf = BN_bn2hex(key->iqmp);
gcry_mpi_scan(&u_mpi, GCRYMPI_FMT_HEX, buf, 0, &err);
OPENSSL_free(buf);
if(gcry_mpi_cmp(p_mpi, q_mpi) > 0) {
gcry_mpi_swap(p_mpi, q_mpi);
gcry_mpi_invm(u_mpi, p_mpi, q_mpi);
}
gcry_sexp_build(r_key, &err, "(private-key (rsa (n %m) (e %m) (d %m) (p %m) (q %m) (u %m)))", n_mpi, e_mpi, d_mpi, p_mpi, q_mpi, u_mpi);
gcry_mpi_release(n_mpi);
gcry_mpi_release(e_mpi);
gcry_mpi_release(d_mpi);
gcry_mpi_release(p_mpi);
gcry_mpi_release(q_mpi);
gcry_mpi_release(u_mpi);
gcry_error_t sane = gcry_pk_testkey(*r_key);
if(sane) {
return -1;
}
return 0;
}
/**
* Create a new private key. Caller must free return value.
*
* @return fresh private key
*/
static struct GNUNET_CRYPTO_RsaPrivateKey *
rsa_key_create ()
{
struct GNUNET_CRYPTO_RsaPrivateKey *ret;
gcry_sexp_t s_key;
gcry_sexp_t s_keyparam;
GNUNET_assert (0 ==
gcry_sexp_build (&s_keyparam, NULL,
"(genkey(rsa(nbits %d)(rsa-use-e 3:257)))",
2048));
GNUNET_assert (0 == gcry_pk_genkey (&s_key, s_keyparam));
gcry_sexp_release (s_keyparam);
#if EXTRA_CHECKS
GNUNET_assert (0 == gcry_pk_testkey (s_key));
#endif
ret = GNUNET_malloc (sizeof (struct GNUNET_CRYPTO_RsaPrivateKey));
ret->sexp = s_key;
return ret;
}
static void
check_generated_rsa_key (gcry_sexp_t key, unsigned long expected_e)
{
gcry_sexp_t skey, pkey, list;
pkey = gcry_sexp_find_token (key, "public-key", 0);
if (!pkey)
fail ("public part missing in return value\n");
else
{
gcry_mpi_t e = NULL;
list = gcry_sexp_find_token (pkey, "e", 0);
if (!list || !(e=gcry_sexp_nth_mpi (list, 1, 0)) )
fail ("public exponent not found\n");
else if (!expected_e)
{
if (verbose)
show_mpi ("public exponent: ", e);
}
else if ( gcry_mpi_cmp_ui (e, expected_e))
{
show_mpi ("public exponent: ", e);
fail ("public exponent is not %lu\n", expected_e);
}
gcry_sexp_release (list);
gcry_mpi_release (e);
gcry_sexp_release (pkey);
}
skey = gcry_sexp_find_token (key, "private-key", 0);
if (!skey)
fail ("private part missing in return value\n");
else
{
int rc = gcry_pk_testkey (skey);
if (rc)
fail ("gcry_pk_testkey failed: %s\n", gpg_strerror (rc));
gcry_sexp_release (skey);
}
}
/**
* Create a new private key. Caller must free return value.
*
* @param len length of the key in bits (i.e. 2048)
* @return fresh private key
*/
struct GNUNET_CRYPTO_rsa_PrivateKey *
GNUNET_CRYPTO_rsa_private_key_create (unsigned int len)
{
struct GNUNET_CRYPTO_rsa_PrivateKey *ret;
gcry_sexp_t s_key;
gcry_sexp_t s_keyparam;
GNUNET_assert (0 ==
gcry_sexp_build (&s_keyparam,
NULL,
"(genkey(rsa(nbits %d)))",
len));
GNUNET_assert (0 ==
gcry_pk_genkey (&s_key,
s_keyparam));
gcry_sexp_release (s_keyparam);
#if EXTRA_CHECKS
GNUNET_assert (0 ==
gcry_pk_testkey (s_key));
#endif
ret = GNUNET_new (struct GNUNET_CRYPTO_rsa_PrivateKey);
ret->sexp = s_key;
return ret;
}
static libspectrum_error
create_key( gcry_sexp_t *s_key, libspectrum_rzx_dsa_key *key,
int secret_key )
{
gcry_error_t error;
size_t i;
gcry_mpi_t mpis[MPI_COUNT];
const char *format;
for( i=0; i<MPI_COUNT; i++ ) mpis[i] = NULL;
error = gcry_mpi_scan( &mpis[0], GCRYMPI_FMT_HEX, (unsigned char*)key->p,
0, NULL );
if( !error )
error = gcry_mpi_scan( &mpis[1], GCRYMPI_FMT_HEX, (unsigned char*)key->q,
0, NULL );
if( !error )
error = gcry_mpi_scan( &mpis[2], GCRYMPI_FMT_HEX, (unsigned char*)key->g,
0, NULL );
if( !error )
error = gcry_mpi_scan( &mpis[3], GCRYMPI_FMT_HEX, (unsigned char*)key->y,
0, NULL );
if( !error && secret_key )
error = gcry_mpi_scan( &mpis[4], GCRYMPI_FMT_HEX, (unsigned char*)key->x,
0, NULL );
if( error ) {
libspectrum_print_error( LIBSPECTRUM_ERROR_LOGIC,
"create_key: error creating MPIs: %s",
gcry_strerror( error ) );
free_mpis( mpis, MPI_COUNT );
return LIBSPECTRUM_ERROR_LOGIC;
}
format = secret_key ? private_key_format : public_key_format;
error = gcry_sexp_build( s_key, NULL, format,
mpis[0], mpis[1], mpis[2], mpis[3], mpis[4] );
if( error ) {
libspectrum_print_error( LIBSPECTRUM_ERROR_LOGIC,
"create_key: error creating key: %s",
gcry_strerror( error ) );
free_mpis( mpis, MPI_COUNT );
return LIBSPECTRUM_ERROR_LOGIC;
}
free_mpis( mpis, MPI_COUNT );
/* FIXME: Test public keys as well once gcry_pk_testkey acquires this
functionality */
if( secret_key ) {
error = gcry_pk_testkey( *s_key );
if( error ) {
libspectrum_print_error( LIBSPECTRUM_ERROR_LOGIC,
"create_key: key is not sane: %s",
gcry_strerror( error ) );
return LIBSPECTRUM_ERROR_LOGIC;
}
}
return LIBSPECTRUM_ERROR_NONE;
}
static void
check_run (void)
{
gpg_error_t err;
gcry_sexp_t pkey, skey;
int variant;
for (variant=0; variant < 3; variant++)
{
if (verbose)
fprintf (stderr, "Checking sample key (%d).\n", variant);
get_keys_sample (&pkey, &skey, variant);
/* Check gcry_pk_testkey which requires all elements. */
err = gcry_pk_testkey (skey);
if ((variant == 0 && err)
|| (variant > 0 && gpg_err_code (err) != GPG_ERR_NO_OBJ))
die ("gcry_pk_testkey failed: %s\n", gpg_strerror (err));
/* Run the usual check but expect an error from variant 2. */
check_keys (pkey, skey, 800, variant == 2? GPG_ERR_NO_OBJ : 0);
gcry_sexp_release (pkey);
gcry_sexp_release (skey);
}
if (verbose)
fprintf (stderr, "Checking generated RSA key.\n");
get_keys_new (&pkey, &skey);
check_keys (pkey, skey, 800, 0);
gcry_sexp_release (pkey);
gcry_sexp_release (skey);
if (verbose)
fprintf (stderr, "Checking generated RSA key (X9.31).\n");
get_keys_x931_new (&pkey, &skey);
check_keys (pkey, skey, 800, 0);
gcry_sexp_release (pkey);
gcry_sexp_release (skey);
if (verbose)
fprintf (stderr, "Checking generated Elgamal key.\n");
get_elg_key_new (&pkey, &skey, 0);
check_keys (pkey, skey, 400, 0);
gcry_sexp_release (pkey);
gcry_sexp_release (skey);
if (verbose)
fprintf (stderr, "Checking passphrase generated Elgamal key.\n");
get_elg_key_new (&pkey, &skey, 1);
check_keys (pkey, skey, 800, 0);
gcry_sexp_release (pkey);
gcry_sexp_release (skey);
if (verbose)
fprintf (stderr, "Generating DSA key.\n");
get_dsa_key_new (&pkey, &skey, 0);
/* Fixme: Add a check function for DSA keys. */
gcry_sexp_release (pkey);
gcry_sexp_release (skey);
if (!gcry_fips_mode_active ())
{
if (verbose)
fprintf (stderr, "Generating transient DSA key.\n");
get_dsa_key_new (&pkey, &skey, 1);
/* Fixme: Add a check function for DSA keys. */
gcry_sexp_release (pkey);
gcry_sexp_release (skey);
}
if (verbose)
fprintf (stderr, "Generating DSA key (FIPS 186).\n");
get_dsa_key_fips186_new (&pkey, &skey);
/* Fixme: Add a check function for DSA keys. */
gcry_sexp_release (pkey);
gcry_sexp_release (skey);
if (verbose)
fprintf (stderr, "Generating DSA key with given domain.\n");
get_dsa_key_with_domain_new (&pkey, &skey);
/* Fixme: Add a check function for DSA keys. */
gcry_sexp_release (pkey);
gcry_sexp_release (skey);
if (verbose)
fprintf (stderr, "Generating DSA key with given domain (FIPS 186).\n");
get_dsa_key_fips186_with_domain_new (&pkey, &skey);
/* Fixme: Add a check function for DSA keys. */
gcry_sexp_release (pkey);
gcry_sexp_release (skey);
if (verbose)
fprintf (stderr, "Generating DSA key with given seed (FIPS 186).\n");
get_dsa_key_fips186_with_seed_new (&pkey, &skey);
/* Fixme: Add a check function for DSA keys. */
gcry_sexp_release (pkey);
gcry_sexp_release (skey);
}
