/* * Build an EVP_PKEY object */ static EVP_PKEY *pkcs11_get_evp_key_rsa(PKCS11_KEY *key) { EVP_PKEY *pk; RSA *rsa; rsa = pkcs11_get_rsa(key); if (rsa == NULL) return NULL; pk = EVP_PKEY_new(); if (pk == NULL) { RSA_free(rsa); return NULL; } EVP_PKEY_set1_RSA(pk, rsa); /* Also increments the rsa ref count */ if (key->isPrivate) RSA_set_method(rsa, PKCS11_get_rsa_method()); /* TODO: Retrieve the RSA private key object attributes instead, * unless the key has the "sensitive" attribute set */ #if OPENSSL_VERSION_NUMBER < 0x01010000L /* RSA_FLAG_SIGN_VER is no longer needed since OpenSSL 1.1 */ rsa->flags |= RSA_FLAG_SIGN_VER; #endif RSA_set_ex_data(rsa, rsa_ex_index, key); RSA_free(rsa); /* Drops our reference to it */ return pk; }
static EVP_PKEY *create_pkey(neverbleed_t *nb, size_t key_index, const char *ebuf, const char *nbuf) { struct st_neverbleed_rsa_exdata_t *exdata; RSA *rsa; EVP_PKEY *pkey; if ((exdata = malloc(sizeof(*exdata))) == NULL) { fprintf(stderr, "no memory\n"); abort(); } exdata->nb = nb; exdata->key_index = key_index; rsa = RSA_new_method(nb->engine); RSA_set_ex_data(rsa, 0, exdata); if (BN_hex2bn(&rsa->e, ebuf) == 0) { fprintf(stderr, "failed to parse e:%s\n", ebuf); abort(); } if (BN_hex2bn(&rsa->n, nbuf) == 0) { fprintf(stderr, "failed to parse n:%s\n", nbuf); abort(); } rsa->flags |= RSA_FLAG_EXT_PKEY; pkey = EVP_PKEY_new(); EVP_PKEY_set1_RSA(pkey, rsa); RSA_free(rsa); return pkey; }
int ssl_load_pkey(const void *data, size_t datalen, char *buf, off_t len, X509 **x509ptr, EVP_PKEY **pkeyptr) { BIO *in; X509 *x509 = NULL; EVP_PKEY *pkey = NULL; RSA *rsa = NULL; void *exdata = NULL; if ((in = BIO_new_mem_buf(buf, len)) == NULL) { SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_BUF_LIB); return (0); } if ((x509 = PEM_read_bio_X509(in, NULL, ssl_password_cb, NULL)) == NULL) { SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_PEM_LIB); goto fail; } if ((pkey = X509_get_pubkey(x509)) == NULL) { SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_X509_LIB); goto fail; } BIO_free(in); in = NULL; if (data != NULL && datalen) { if ((rsa = EVP_PKEY_get1_RSA(pkey)) == NULL || (exdata = malloc(datalen)) == NULL) { SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_EVP_LIB); goto fail; } memcpy(exdata, data, datalen); RSA_set_ex_data(rsa, 0, exdata); RSA_free(rsa); /* dereference, will be cleaned up with pkey */ } *x509ptr = x509; *pkeyptr = pkey; return (1); fail: if (rsa != NULL) RSA_free(rsa); if (in != NULL) BIO_free(in); if (pkey != NULL) EVP_PKEY_free(pkey); if (x509 != NULL) X509_free(x509); free(exdata); return (0); }
static int capi_rsa_free(RSA *rsa) { CAPI_KEY *capi_key; capi_key = RSA_get_ex_data(rsa, rsa_capi_idx); capi_free_key(capi_key); RSA_set_ex_data(rsa, rsa_capi_idx, 0); return 1; }
static E_GMP_RSA_CTX *e_gmp_get_rsa(RSA *rsa) { E_GMP_RSA_CTX *hptr = RSA_get_ex_data(rsa, hndidx_rsa); if (hptr) return hptr; hptr = OPENSSL_malloc(sizeof(*hptr)); if (!hptr) return NULL; /* * These inits could probably be replaced by more intelligent mpz_init2() * versions, to reduce malloc-thrashing. */ mpz_init(hptr->n); mpz_init(hptr->d); mpz_init(hptr->e); mpz_init(hptr->p); mpz_init(hptr->q); mpz_init(hptr->dmp1); mpz_init(hptr->dmq1); mpz_init(hptr->iqmp); mpz_init(hptr->r0); mpz_init(hptr->r1); mpz_init(hptr->I0); mpz_init(hptr->m1); if (!bn2gmp(rsa->n, hptr->n) || !bn2gmp(rsa->e, hptr->e)) goto err; if (!rsa->p || !rsa->q || !rsa->d || !rsa->dmp1 || !rsa->dmq1 || !rsa->iqmp) { hptr->public_only = 1; return hptr; } if (!bn2gmp(rsa->d, hptr->d) || !bn2gmp(rsa->p, hptr->p) || !bn2gmp(rsa->q, hptr->q) || !bn2gmp(rsa->dmp1, hptr->dmp1) || !bn2gmp(rsa->dmq1, hptr->dmq1) || !bn2gmp(rsa->iqmp, hptr->iqmp)) goto err; hptr->public_only = 0; RSA_set_ex_data(rsa, hndidx_rsa, hptr); return hptr; err: mpz_clear(hptr->n); mpz_clear(hptr->d); mpz_clear(hptr->e); mpz_clear(hptr->p); mpz_clear(hptr->q); mpz_clear(hptr->dmp1); mpz_clear(hptr->dmq1); mpz_clear(hptr->iqmp); mpz_clear(hptr->r0); mpz_clear(hptr->r1); mpz_clear(hptr->I0); mpz_clear(hptr->m1); OPENSSL_free(hptr); return NULL; }
static PKCS11H_BOOL __pkcs11h_openssl_session_setRSA( IN const pkcs11h_openssl_session_t openssl_session, IN EVP_PKEY * evp ) { PKCS11H_BOOL ret = FALSE; RSA *rsa = NULL; _PKCS11H_DEBUG ( PKCS11H_LOG_DEBUG2, "PKCS#11: __pkcs11h_openssl_session_setRSA - entered openssl_session=%p, evp=%p", (void *)openssl_session, (void *)evp ); if ( (rsa = EVP_PKEY_get1_RSA (evp)) == NULL ) { _PKCS11H_LOG (PKCS11H_LOG_WARN, "PKCS#11: Cannot get RSA key"); goto cleanup; } RSA_set_method (rsa, __openssl_methods.rsa); RSA_set_ex_data (rsa, __openssl_methods.rsa_index, openssl_session); #if OPENSSL_VERSION_NUMBER < 0x10100001L rsa->flags |= RSA_FLAG_SIGN_VER; #endif #ifdef BROKEN_OPENSSL_ENGINE if (!rsa->engine) { rsa->engine = ENGINE_get_default_RSA (); } ENGINE_set_RSA(ENGINE_get_default_RSA (), &openssl_session->rsa); _PKCS11H_LOG (PKCS11H_LOG_WARN, "PKCS#11: OpenSSL engine support is broken! Workaround enabled"); #endif ret = TRUE; cleanup: if (rsa != NULL) { RSA_free (rsa); rsa = NULL; } _PKCS11H_DEBUG ( PKCS11H_LOG_DEBUG2, "PKCS#11: __pkcs11h_openssl_session_setRSA - return ret=%d", ret ); return ret; }
static int hwcrhk_rsa_finish(RSA *rsa) { HWCryptoHook_RSAKeyHandle *hptr; hptr = RSA_get_ex_data(rsa, hndidx_rsa); if (hptr) { p_hwcrhk_RSAUnloadKey(*hptr, NULL); OPENSSL_free(hptr); RSA_set_ex_data(rsa, hndidx_rsa, NULL); } return 1; }
static EVP_PKEY* keystore_loadkey(ENGINE* e, const char* key_id, UI_METHOD *ui_method, void *callback_data) { ALOGV("keystore_loadkey(%p, \"%s\", %p, %p)", e, key_id, ui_method, callback_data); Keystore_Reply reply; if (keystore_cmd(CommandCodes[GET_PUBKEY], &reply, 1, strlen(key_id), key_id) != NO_ERROR) { ALOGV("Cannot get public key for %s", key_id); return NULL; } const unsigned char* tmp = reinterpret_cast<const unsigned char*>(reply.get()); Unique_EVP_PKEY pkey(d2i_PUBKEY(NULL, &tmp, reply.length())); if (pkey.get() == NULL) { ALOGW("Cannot convert pubkey"); return NULL; } switch (EVP_PKEY_type(pkey->type)) { case EVP_PKEY_RSA: { Unique_RSA rsa(EVP_PKEY_get1_RSA(pkey.get())); if (!RSA_set_ex_data(rsa.get(), rsa_key_handle, reinterpret_cast<void*>(strdup(key_id)))) { ALOGW("Could not set ex_data for loaded RSA key"); return NULL; } RSA_set_method(rsa.get(), &keystore_rsa_meth); RSA_blinding_off(rsa.get()); /* * This should probably be an OpenSSL API, but EVP_PKEY_free calls * ENGINE_finish(), so we need to call ENGINE_init() here. */ ENGINE_init(e); rsa->engine = e; rsa->flags |= RSA_FLAG_EXT_PKEY; break; } default: ALOGE("Unsupported key type %d", EVP_PKEY_type(pkey->type)); return NULL; } return pkey.release(); }
static int e_gmp_rsa_finish(RSA *rsa) { E_GMP_RSA_CTX *hptr = RSA_get_ex_data(rsa, hndidx_rsa); if(!hptr) return 0; mpz_clear(hptr->n); mpz_clear(hptr->d); mpz_clear(hptr->e); mpz_clear(hptr->p); mpz_clear(hptr->q); mpz_clear(hptr->dmp1); mpz_clear(hptr->dmq1); mpz_clear(hptr->iqmp); mpz_clear(hptr->r0); mpz_clear(hptr->r1); mpz_clear(hptr->I0); mpz_clear(hptr->m1); OPENSSL_free(hptr); RSA_set_ex_data(rsa, hndidx_rsa, NULL); return 1; }
static EVP_PKEY *capi_get_pkey(ENGINE *eng, CAPI_KEY *key) { unsigned char *pubkey = NULL; DWORD len; BLOBHEADER *bh; RSA *rkey = NULL; DSA *dkey = NULL; EVP_PKEY *ret = NULL; if (!CryptExportKey(key->key, 0, PUBLICKEYBLOB, 0, NULL, &len)) { CAPIerr(CAPI_F_CAPI_GET_PKEY, CAPI_R_PUBKEY_EXPORT_LENGTH_ERROR); capi_addlasterror(); return NULL; } pubkey = OPENSSL_malloc(len); if (!pubkey) goto memerr; if (!CryptExportKey(key->key, 0, PUBLICKEYBLOB, 0, pubkey, &len)) { CAPIerr(CAPI_F_CAPI_GET_PKEY, CAPI_R_PUBKEY_EXPORT_ERROR); capi_addlasterror(); goto err; } bh = (BLOBHEADER *)pubkey; if (bh->bType != PUBLICKEYBLOB) { CAPIerr(CAPI_F_CAPI_GET_PKEY, CAPI_R_INVALID_PUBLIC_KEY_BLOB); goto err; } if (bh->aiKeyAlg == CALG_RSA_SIGN || bh->aiKeyAlg == CALG_RSA_KEYX) { RSAPUBKEY *rp; DWORD rsa_modlen; unsigned char *rsa_modulus; rp = (RSAPUBKEY *)(bh + 1); if (rp->magic != 0x31415352) { char magstr[10]; BIO_snprintf(magstr, 10, "%lx", rp->magic); CAPIerr(CAPI_F_CAPI_GET_PKEY, CAPI_R_INVALID_RSA_PUBLIC_KEY_BLOB_MAGIC_NUMBER); ERR_add_error_data(2, "magic=0x", magstr); goto err; } rsa_modulus = (unsigned char *)(rp + 1); rkey = RSA_new_method(eng); if (!rkey) goto memerr; rkey->e = BN_new(); rkey->n = BN_new(); if (!rkey->e || !rkey->n) goto memerr; if (!BN_set_word(rkey->e, rp->pubexp)) goto memerr; rsa_modlen = rp->bitlen / 8; if (!lend_tobn(rkey->n, rsa_modulus, rsa_modlen)) goto memerr; RSA_set_ex_data(rkey, rsa_capi_idx, key); if (!(ret = EVP_PKEY_new())) goto memerr; EVP_PKEY_assign_RSA(ret, rkey); rkey = NULL; } else if (bh->aiKeyAlg == CALG_DSS_SIGN) { DSSPUBKEY *dp; DWORD dsa_plen; unsigned char *btmp; dp = (DSSPUBKEY *)(bh + 1); if (dp->magic != 0x31535344) { char magstr[10]; BIO_snprintf(magstr, 10, "%lx", dp->magic); CAPIerr(CAPI_F_CAPI_GET_PKEY, CAPI_R_INVALID_DSA_PUBLIC_KEY_BLOB_MAGIC_NUMBER); ERR_add_error_data(2, "magic=0x", magstr); goto err; } dsa_plen = dp->bitlen / 8; btmp = (unsigned char *)(dp + 1); dkey = DSA_new_method(eng); if (!dkey) goto memerr; dkey->p = BN_new(); dkey->q = BN_new(); dkey->g = BN_new(); dkey->pub_key = BN_new(); if (!dkey->p || !dkey->q || !dkey->g || !dkey->pub_key) goto memerr; if (!lend_tobn(dkey->p, btmp, dsa_plen)) goto memerr; btmp += dsa_plen; if (!lend_tobn(dkey->q, btmp, 20)) goto memerr; btmp += 20; if (!lend_tobn(dkey->g, btmp, dsa_plen)) goto memerr; btmp += dsa_plen; if (!lend_tobn(dkey->pub_key, btmp, dsa_plen)) goto memerr; btmp += dsa_plen; DSA_set_ex_data(dkey, dsa_capi_idx, key); if (!(ret = EVP_PKEY_new())) goto memerr; EVP_PKEY_assign_DSA(ret, dkey); dkey = NULL; } else { char algstr[10]; BIO_snprintf(algstr, 10, "%lx", bh->aiKeyAlg); CAPIerr(CAPI_F_CAPI_GET_PKEY, CAPI_R_UNSUPPORTED_PUBLIC_KEY_ALGORITHM); ERR_add_error_data(2, "aiKeyAlg=0x", algstr); goto err; } err: if (pubkey) OPENSSL_free(pubkey); if (!ret) { if (rkey) RSA_free(rkey); if (dkey) DSA_free(dkey); } return ret; memerr: CAPIerr(CAPI_F_CAPI_GET_PKEY, ERR_R_MALLOC_FAILURE); goto err; }
static EVP_PKEY* sureware_load_public(ENGINE *e,const char *key_id,char *hptr,unsigned long el,char keytype) { EVP_PKEY *res = NULL; #ifndef OPENSSL_NO_RSA RSA *rsatmp = NULL; #endif #ifndef OPENSSL_NO_DSA DSA *dsatmp=NULL; #endif char msg[64]="sureware_load_public"; int ret=0; if(!p_surewarehk_Load_Rsa_Pubkey || !p_surewarehk_Load_Dsa_Pubkey) { SUREWAREerr(SUREWARE_F_SUREWARE_LOAD_PUBLIC,ENGINE_R_NOT_INITIALISED); goto err; } switch (keytype) { #ifndef OPENSSL_NO_RSA case 1: /*RSA*/ /* set private external reference */ rsatmp = RSA_new_method(e); RSA_set_ex_data(rsatmp,rsaHndidx,hptr); rsatmp->flags |= RSA_FLAG_EXT_PKEY; /* set public big nums*/ rsatmp->e = BN_new(); rsatmp->n = BN_new(); bn_expand2(rsatmp->e, el/sizeof(BN_ULONG)); bn_expand2(rsatmp->n, el/sizeof(BN_ULONG)); if (!rsatmp->e || rsatmp->e->dmax!=(int)(el/sizeof(BN_ULONG))|| !rsatmp->n || rsatmp->n->dmax!=(int)(el/sizeof(BN_ULONG))) goto err; ret=p_surewarehk_Load_Rsa_Pubkey(msg,key_id,el, (unsigned long *)rsatmp->n->d, (unsigned long *)rsatmp->e->d); surewarehk_error_handling(msg,SUREWARE_F_SUREWARE_LOAD_PUBLIC,ret); if (ret!=1) { SUREWAREerr(SUREWARE_F_SUREWARE_LOAD_PUBLIC,ENGINE_R_FAILED_LOADING_PUBLIC_KEY); goto err; } /* normalise pub e and pub n */ rsatmp->e->top=el/sizeof(BN_ULONG); bn_fix_top(rsatmp->e); rsatmp->n->top=el/sizeof(BN_ULONG); bn_fix_top(rsatmp->n); /* create an EVP object: engine + rsa key */ res = EVP_PKEY_new(); EVP_PKEY_assign_RSA(res, rsatmp); break; #endif #ifndef OPENSSL_NO_DSA case 2:/*DSA*/ /* set private/public external reference */ dsatmp = DSA_new_method(e); DSA_set_ex_data(dsatmp,dsaHndidx,hptr); /*dsatmp->flags |= DSA_FLAG_EXT_PKEY;*/ /* set public key*/ dsatmp->pub_key = BN_new(); dsatmp->p = BN_new(); dsatmp->q = BN_new(); dsatmp->g = BN_new(); bn_expand2(dsatmp->pub_key, el/sizeof(BN_ULONG)); bn_expand2(dsatmp->p, el/sizeof(BN_ULONG)); bn_expand2(dsatmp->q, 20/sizeof(BN_ULONG)); bn_expand2(dsatmp->g, el/sizeof(BN_ULONG)); if (!dsatmp->pub_key || dsatmp->pub_key->dmax!=(int)(el/sizeof(BN_ULONG))|| !dsatmp->p || dsatmp->p->dmax!=(int)(el/sizeof(BN_ULONG)) || !dsatmp->q || dsatmp->q->dmax!=20/sizeof(BN_ULONG) || !dsatmp->g || dsatmp->g->dmax!=(int)(el/sizeof(BN_ULONG))) goto err; ret=p_surewarehk_Load_Dsa_Pubkey(msg,key_id,el, (unsigned long *)dsatmp->pub_key->d, (unsigned long *)dsatmp->p->d, (unsigned long *)dsatmp->q->d, (unsigned long *)dsatmp->g->d); surewarehk_error_handling(msg,SUREWARE_F_SUREWARE_LOAD_PUBLIC,ret); if (ret!=1) { SUREWAREerr(SUREWARE_F_SUREWARE_LOAD_PUBLIC,ENGINE_R_FAILED_LOADING_PUBLIC_KEY); goto err; } /* set parameters */ /* normalise pubkey and parameters in case of */ dsatmp->pub_key->top=el/sizeof(BN_ULONG); bn_fix_top(dsatmp->pub_key); dsatmp->p->top=el/sizeof(BN_ULONG); bn_fix_top(dsatmp->p); dsatmp->q->top=20/sizeof(BN_ULONG); bn_fix_top(dsatmp->q); dsatmp->g->top=el/sizeof(BN_ULONG); bn_fix_top(dsatmp->g); /* create an EVP object: engine + rsa key */ res = EVP_PKEY_new(); EVP_PKEY_assign_DSA(res, dsatmp); break; #endif default: SUREWAREerr(SUREWARE_F_SUREWARE_LOAD_PUBLIC,ENGINE_R_FAILED_LOADING_PRIVATE_KEY); goto err; } return res; err: #ifndef OPENSSL_NO_RSA if (rsatmp) RSA_free(rsatmp); #endif #ifndef OPENSSL_NO_DSA if (dsatmp) DSA_free(dsatmp); #endif return NULL; }
static EVP_PKEY *ibm_4758_load_pubkey(ENGINE *e, const char *key_id, UI_METHOD *ui_method, void *callback_data) { RSA *rtmp = NULL; EVP_PKEY *res = NULL; unsigned char *keyToken = NULL; long keyTokenLength = MAX_CCA_PKA_TOKEN_SIZE; long returnCode; long reasonCode; long exitDataLength = 0; long ruleArrayLength = 0; unsigned char exitData[8]; unsigned char ruleArray[8]; unsigned char keyLabel[64]; unsigned long keyLabelLength = strlen(key_id); unsigned char modulus[512]; long modulusFieldLength = sizeof(modulus); long modulusLength = 0; unsigned char exponent[512]; long exponentLength = sizeof(exponent); if (keyLabelLength > sizeof(keyLabel)) { CCA4758err(CCA4758_F_IBM_4758_LOAD_PUBKEY, CCA4758_R_SIZE_TOO_LARGE_OR_TOO_SMALL); return NULL; } memset(keyLabel, ' ', sizeof(keyLabel)); memcpy(keyLabel, key_id, keyLabelLength); keyToken = OPENSSL_malloc(MAX_CCA_PKA_TOKEN_SIZE + sizeof(long)); if (!keyToken) { CCA4758err(CCA4758_F_IBM_4758_LOAD_PUBKEY, ERR_R_MALLOC_FAILURE); goto err; } keyRecordRead(&returnCode, &reasonCode, &exitDataLength, exitData, &ruleArrayLength, ruleArray, keyLabel, &keyTokenLength, keyToken + sizeof(long)); if (returnCode) { CCA4758err(CCA4758_F_IBM_4758_LOAD_PUBKEY, ERR_R_MALLOC_FAILURE); goto err; } if (!getModulusAndExponent(keyToken + sizeof(long), &exponentLength, exponent, &modulusLength, &modulusFieldLength, modulus)) { CCA4758err(CCA4758_F_IBM_4758_LOAD_PUBKEY, CCA4758_R_FAILED_LOADING_PUBLIC_KEY); goto err; } (*(long *)keyToken) = keyTokenLength; rtmp = RSA_new_method(e); RSA_set_ex_data(rtmp, hndidx, (char *)keyToken); rtmp->e = BN_bin2bn(exponent, exponentLength, NULL); rtmp->n = BN_bin2bn(modulus, modulusFieldLength, NULL); rtmp->flags |= RSA_FLAG_EXT_PKEY; res = EVP_PKEY_new(); EVP_PKEY_assign_RSA(res, rtmp); return res; err: if (keyToken) OPENSSL_free(keyToken); return NULL; }
static int pkcs11_rsa_free_method(RSA *rsa) { RSA_set_ex_data(rsa, rsa_ex_index, NULL); return 1; }
static EVP_PKEY *hwcrhk_load_privkey(ENGINE *eng, const char *key_id, UI_METHOD *ui_method, void *callback_data) { #ifndef OPENSSL_NO_RSA RSA *rtmp = NULL; #endif EVP_PKEY *res = NULL; #ifndef OPENSSL_NO_RSA HWCryptoHook_MPI e, n; HWCryptoHook_RSAKeyHandle *hptr; #endif #if !defined(OPENSSL_NO_RSA) char tempbuf[1024]; HWCryptoHook_ErrMsgBuf rmsg; HWCryptoHook_PassphraseContext ppctx; #endif #if !defined(OPENSSL_NO_RSA) rmsg.buf = tempbuf; rmsg.size = sizeof(tempbuf); #endif if(!hwcrhk_context) { HWCRHKerr(HWCRHK_F_HWCRHK_LOAD_PRIVKEY, HWCRHK_R_NOT_INITIALISED); goto err; } #ifndef OPENSSL_NO_RSA hptr = OPENSSL_malloc(sizeof(HWCryptoHook_RSAKeyHandle)); if (!hptr) { HWCRHKerr(HWCRHK_F_HWCRHK_LOAD_PRIVKEY, ERR_R_MALLOC_FAILURE); goto err; } ppctx.ui_method = ui_method; ppctx.callback_data = callback_data; if (p_hwcrhk_RSALoadKey(hwcrhk_context, key_id, hptr, &rmsg, &ppctx)) { HWCRHKerr(HWCRHK_F_HWCRHK_LOAD_PRIVKEY, HWCRHK_R_CHIL_ERROR); ERR_add_error_data(1,rmsg.buf); goto err; } if (!*hptr) { HWCRHKerr(HWCRHK_F_HWCRHK_LOAD_PRIVKEY, HWCRHK_R_NO_KEY); goto err; } #endif #ifndef OPENSSL_NO_RSA rtmp = RSA_new_method(eng); RSA_set_ex_data(rtmp, hndidx_rsa, (char *)hptr); rtmp->e = BN_new(); rtmp->n = BN_new(); rtmp->flags |= RSA_FLAG_EXT_PKEY; MPI2BN(rtmp->e, e); MPI2BN(rtmp->n, n); if (p_hwcrhk_RSAGetPublicKey(*hptr, &n, &e, &rmsg) != HWCRYPTOHOOK_ERROR_MPISIZE) { HWCRHKerr(HWCRHK_F_HWCRHK_LOAD_PRIVKEY,HWCRHK_R_CHIL_ERROR); ERR_add_error_data(1,rmsg.buf); goto err; } bn_expand2(rtmp->e, e.size/sizeof(BN_ULONG)); bn_expand2(rtmp->n, n.size/sizeof(BN_ULONG)); MPI2BN(rtmp->e, e); MPI2BN(rtmp->n, n); if (p_hwcrhk_RSAGetPublicKey(*hptr, &n, &e, &rmsg)) { HWCRHKerr(HWCRHK_F_HWCRHK_LOAD_PRIVKEY, HWCRHK_R_CHIL_ERROR); ERR_add_error_data(1,rmsg.buf); goto err; } rtmp->e->top = e.size / sizeof(BN_ULONG); bn_fix_top(rtmp->e); rtmp->n->top = n.size / sizeof(BN_ULONG); bn_fix_top(rtmp->n); res = EVP_PKEY_new(); EVP_PKEY_assign_RSA(res, rtmp); #endif if (!res) HWCRHKerr(HWCRHK_F_HWCRHK_LOAD_PRIVKEY, HWCRHK_R_PRIVATE_KEY_ALGORITHMS_DISABLED); return res; err: #ifndef OPENSSL_NO_RSA if (rtmp) RSA_free(rtmp); #endif return NULL; }
PKI_RSA_KEY * _pki_pkcs11_rsakey_new( PKI_KEYPARAMS *kp, URL *url, PKCS11_HANDLER *lib, void *driver) { PKI_RSA_KEY *ret = NULL; CK_OBJECT_HANDLE *handler_pubkey = NULL; CK_OBJECT_HANDLE *handler_privkey = NULL; CK_ATTRIBUTE privTemp[32]; CK_ATTRIBUTE pubTemp[32]; CK_RV rv; CK_MECHANISM * RSA_MECH_PTR = NULL; CK_ULONG i = 0; CK_ULONG n = 0; CK_ULONG bits = 0; size_t label_len = 0; unsigned char *data = NULL; CK_BYTE *esp = NULL; CK_ULONG size = 0; BIGNUM *bn = NULL; BIGNUM *id_num = NULL; char *id = NULL; int id_len = 8; int idx = 0; if ( !url || !url->addr ) { PKI_ERROR(PKI_ERR_PARAM_NULL, NULL); return ( NULL ); } label_len = strlen( url->addr ); /* Check the min size for the key */ if ( kp ) { if( kp->bits < PKI_RSA_KEY_MIN_SIZE ) { PKI_ERROR(PKI_ERR_X509_KEYPAIR_SIZE_SHORT, NULL); } else { bits = (CK_ULONG) kp->bits; } } else { bits = PKI_RSA_KEY_DEFAULT_SIZE; } // Look for a supported key generation mechanism for (idx = 0; idx < RSA_MECH_LIST_SIZE; idx++) { // Checks if the mechanism is supported if (HSM_PKCS11_check_mechanism(lib, RSA_MECH_LIST[idx].mechanism) == PKI_OK) { // Set the pointer to the supported mechanism RSA_MECH_PTR = &RSA_MECH_LIST[idx]; // Debugging Information PKI_DEBUG("Found RSA KEY GEN MECHANISM 0x%8.8X", RSA_MECH_LIST[idx].mechanism); // Breaks out of the loop break; } else { // Let's provide debug information for not-supported mechs PKI_DEBUG("RSA KEY GEN MECHANISM 0x%8.8X not supported", RSA_MECH_LIST[idx].mechanism); } } // If no key gen algors are supported, abort if (RSA_MECH_PTR == NULL) { PKI_ERROR(PKI_ERR_HSM_KEYPAIR_GENERATE, "No KeyGen Mechanisms supported!"); return NULL; } PKI_DEBUG("BITS FOR KEY GENERATION %lu (def: %lu)", bits, PKI_RSA_KEY_DEFAULT_SIZE); if (kp && kp->rsa.exponent > 3) { // TO be Implemented } else { if( BN_hex2bn(&bn, "10001") == 0 ) { PKI_log_debug("ERROR, can not convert 10001 to BIGNUM"); return ( NULL ); } } if( url->path != NULL ) { if((BN_hex2bn(&id_num, url->path )) == 0 ) { PKI_log_debug("ERROR, can not convert %s to BIGNUM", url->path ); return ( NULL ); } if((id_len = BN_num_bytes(id_num)) < 0 ) { if ( bn ) BN_free ( bn ); if ( id_num ) BN_free ( id_num ); return ( NULL ); } id = PKI_Malloc ( (size_t ) id_len ); BN_bn2bin( id_num, (unsigned char *) id ); } else { id_len = 10; if((id = PKI_Malloc ( (size_t) id_len )) == NULL ) { if ( bn ) BN_free ( bn ); return ( NULL ); } if( RAND_bytes( (unsigned char *) id, id_len) == 0 ) { PKI_ERROR(PKI_ERR_X509_KEYPAIR_GENERATION, "Can not generate RAND bytes"); if( bn ) BN_free ( bn ); return ( NULL ); } } PKI_DEBUG("Setting the Bits to %lu", bits); /* Setting Attributes for the public Key Template */ n = 0; //HSM_PKCS11_set_attr_int( CKA_CLASS, CKO_PUBLIC_KEY, &pubTemp[n++]); //HSM_PKCS11_set_attr_int( CKA_KEY_TYPE, CKK_RSA, &pubTemp[n++]); HSM_PKCS11_set_attr_int( CKA_MODULUS_BITS, bits, &pubTemp[n++]); HSM_PKCS11_set_attr_bool( CKA_TOKEN, CK_TRUE, &pubTemp[n++]); HSM_PKCS11_set_attr_bool( CKA_ENCRYPT, CK_TRUE, &pubTemp[n++]); HSM_PKCS11_set_attr_bool( CKA_VERIFY, CK_TRUE, &pubTemp[n++]); HSM_PKCS11_set_attr_bool( CKA_WRAP, CK_TRUE, &pubTemp[n++]); HSM_PKCS11_set_attr_bn(CKA_PUBLIC_EXPONENT, bn, &pubTemp[n++]); HSM_PKCS11_set_attr_sn(CKA_LABEL, url->addr, label_len, &pubTemp[n++]); HSM_PKCS11_set_attr_sn(CKA_ID, id, (size_t) id_len, &pubTemp[n++]); /* Setting Attributes for the private Key Template */ i = 0; //HSM_PKCS11_set_attr_int( CKA_CLASS, CKO_PRIVATE_KEY, &privTemp[i++]); //HSM_PKCS11_set_attr_int( CKA_KEY_TYPE, CKK_RSA, &privTemp[i++]); //HSM_PKCS11_set_attr_int( CKA_MODULUS_BITS, bits, &privTemp[i++]); HSM_PKCS11_set_attr_bool( CKA_TOKEN, CK_TRUE, &privTemp[i++]); HSM_PKCS11_set_attr_bool( CKA_PRIVATE, CK_TRUE, &privTemp[i++]); HSM_PKCS11_set_attr_bool( CKA_SENSITIVE, CK_TRUE, &privTemp[i++]); HSM_PKCS11_set_attr_bool( CKA_DECRYPT, CK_TRUE, &privTemp[i++]); HSM_PKCS11_set_attr_bool( CKA_SIGN, CK_TRUE, &privTemp[i++]); // HSM_PKCS11_set_attr_bool( CKA_NEVER_EXTRACTABLE, CK_TRUE, // &privTemp[i++]); // HSM_PKCS11_set_attr_bool( CKA_EXTRACTABLE, CK_FALSE, &privTemp[i++]); HSM_PKCS11_set_attr_bool( CKA_UNWRAP, CK_TRUE, &privTemp[i++]); // HSM_PKCS11_set_attr_bn(CKA_PUBLIC_EXPONENT, bn, &privTemp[i++]); HSM_PKCS11_set_attr_sn(CKA_LABEL, url->addr, label_len, &privTemp[i++]); HSM_PKCS11_set_attr_sn(CKA_ID, id, (size_t) id_len, &privTemp[i++]); /* Allocate the handlers for pub and priv keys */ handler_pubkey = (CK_OBJECT_HANDLE *) PKI_Malloc ( sizeof( CK_OBJECT_HANDLE )); handler_privkey = (CK_OBJECT_HANDLE *) PKI_Malloc ( sizeof( CK_OBJECT_HANDLE )); if( !handler_pubkey || !handler_privkey ) { if ( bn ) BN_free ( bn ); if ( esp ) PKI_Free ( esp ); return ( NULL ); } PKI_log_debug("HSM_PKCS11_KEYPAIR_new()::Generating a new Key ... "); rv = lib->callbacks->C_GenerateKeyPair ( lib->session, RSA_MECH_PTR, pubTemp, n, privTemp, i, handler_pubkey, handler_privkey); if( rv != CKR_OK ) { if ( rv == CKR_MECHANISM_INVALID ) { PKI_log_err("HSM_PKCS11_KEYPAIR_new()::RSA Algorithm " "is not supported by the Token" ); } else { PKI_log_debug ("HSM_PKCS11_KEYPAIR_new()::Failed with " "code 0x%8.8X", rv ); }; if ( bn ) BN_free ( bn ); if ( esp ) PKI_Free ( esp ); return ( NULL ); } /* Clean up the Memory we are not using anymore */ if ( bn ) BN_free ( bn ); if ( esp ) PKI_Free ( esp ); /* Generate a new RSA container */ if((ret = RSA_new()) == NULL ) { goto err; }; if( HSM_PKCS11_get_attribute ( handler_pubkey, &lib->session, CKA_PUBLIC_EXPONENT, (void **) &data, &size, lib ) != PKI_OK ) { goto err; }; #if OPENSSL_VERSION_NUMBER >= 0x1010000fL RSA_set0_key(ret, NULL, BN_bin2bn( data, (int) size, NULL), NULL); #else ret->e = BN_bin2bn( data, (int) size, NULL ); #endif PKI_Free ( data ); data = NULL; if( HSM_PKCS11_get_attribute ( handler_pubkey, &lib->session, CKA_MODULUS, (void **) &data, &size, lib ) != PKI_OK ) { goto err; }; #if OPENSSL_VERSION_NUMBER >= 0x1010000fL RSA_set0_key(ret, BN_bin2bn(data, (int) size, NULL), NULL, NULL); #else ret->n = BN_bin2bn( data, (int) size, NULL ); #endif PKI_Free ( data ); data = NULL; /* Let's get the Attributes from the Keypair and store into the key's pointer */ RSA_set_method( ret, HSM_PKCS11_get_rsa_method()); #ifdef RSA_FLAG_SIGN_VER # if OPENSSL_VERSION_NUMBER >= 0x1010000fL RSA_set_flags( ret, RSA_FLAG_SIGN_VER); # else ret->flags |= RSA_FLAG_SIGN_VER; # endif #endif /* Push the priv and pub key handlers to the rsa->ex_data */ RSA_set_ex_data( ret, KEYPAIR_DRIVER_HANDLER_IDX, driver ); RSA_set_ex_data( ret, KEYPAIR_PRIVKEY_HANDLER_IDX, handler_privkey ); RSA_set_ex_data( ret, KEYPAIR_PUBKEY_HANDLER_IDX, handler_pubkey ); /* Cleanup the memory for Templates */ HSM_PKCS11_clean_template ( pubTemp, (int) n ); HSM_PKCS11_clean_template ( privTemp, (int) i ); /* Let's return the RSA_KEY infrastructure */ return (ret); err: if( ret ) RSA_free ((RSA *) ret ); if ( handler_pubkey ) { if((rv = lib->callbacks->C_DestroyObject( lib->session, *handler_pubkey )) != CKR_OK ) { PKI_log_debug ("HSM_PKCS11_KEYPAIR_new()::Failed to delete " "pubkey object"); }; PKI_Free ( handler_pubkey ); } if( handler_privkey ) { if((rv = lib->callbacks->C_DestroyObject( lib->session, *handler_privkey)) != CKR_OK ) { PKI_log_debug ("HSM_PKCS11_KEYPAIR_new()::Failed to delete " "privkey object"); }; PKI_Free ( handler_privkey ); } PKI_log_debug("HSM_PKCS11_KEYPAIR_new()::Key material DELETED!"); return ( NULL ); }
int fill_out_rsa_object(RSA *rsa, TSS_HKEY hKey) { TSS_RESULT result; UINT32 pubkey_len, encScheme, sigScheme; BYTE *pubkey; struct rsa_app_data *app_data; DBG("%s", __FUNCTION__); if ((result = Tspi_GetAttribUint32(hKey, TSS_TSPATTRIB_KEY_INFO, TSS_TSPATTRIB_KEYINFO_ENCSCHEME, &encScheme))) { TSSerr(TPM_F_TPM_FILL_RSA_OBJECT, TPM_R_REQUEST_FAILED); return 0; } if ((result = Tspi_GetAttribUint32(hKey, TSS_TSPATTRIB_KEY_INFO, TSS_TSPATTRIB_KEYINFO_SIGSCHEME, &sigScheme))) { TSSerr(TPM_F_TPM_FILL_RSA_OBJECT, TPM_R_REQUEST_FAILED); return 0; } /* pull out the public key and put it into the RSA object */ if ((result = Tspi_GetAttribData(hKey, TSS_TSPATTRIB_RSAKEY_INFO, TSS_TSPATTRIB_KEYINFO_RSA_MODULUS, &pubkey_len, &pubkey))) { TSSerr(TPM_F_TPM_FILL_RSA_OBJECT, TPM_R_REQUEST_FAILED); return 0; } if ((rsa->n = BN_bin2bn(pubkey, pubkey_len, rsa->n)) == NULL) { Tspi_Context_FreeMemory(hContext, pubkey); TSSerr(TPM_F_TPM_FILL_RSA_OBJECT, TPM_R_BN_CONVERSION_FAILED); return 0; } Tspi_Context_FreeMemory(hContext, pubkey); /* set e in the RSA object */ if (!rsa->e && ((rsa->e = BN_new()) == NULL)) { TSSerr(TPM_F_TPM_FILL_RSA_OBJECT, ERR_R_MALLOC_FAILURE); return 0; } if (!BN_set_word(rsa->e, 65537)) { TSSerr(TPM_F_TPM_FILL_RSA_OBJECT, TPM_R_REQUEST_FAILED); BN_free(rsa->e); rsa->e = NULL; return 0; } if ((app_data = OPENSSL_malloc(sizeof(struct rsa_app_data))) == NULL) { TSSerr(TPM_F_TPM_FILL_RSA_OBJECT, ERR_R_MALLOC_FAILURE); BN_free(rsa->e); rsa->e = NULL; return 0; } DBG("Setting hKey(0x%x) in RSA object", hKey); DBG("Setting encScheme(0x%x) in RSA object", encScheme); DBG("Setting sigScheme(0x%x) in RSA object", sigScheme); memset(app_data, 0, sizeof(struct rsa_app_data)); app_data->hKey = hKey; app_data->encScheme = encScheme; app_data->sigScheme = sigScheme; RSA_set_ex_data(rsa, ex_app_data, app_data); return 1; }
int tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx, struct tls_keypair *keypair, int required) { EVP_PKEY *pkey = NULL; BIO *bio = NULL; if (!required && keypair->cert_mem == NULL && keypair->key_mem == NULL) return(0); if (keypair->cert_mem != NULL) { if (keypair->cert_len > INT_MAX) { tls_set_errorx(ctx, "certificate too long"); goto err; } if (SSL_CTX_use_certificate_chain_mem(ssl_ctx, keypair->cert_mem, keypair->cert_len) != 1) { tls_set_errorx(ctx, "failed to load certificate"); goto err; } if (tls_keypair_pubkey_hash(keypair, &keypair->pubkey_hash) == -1) goto err; } if (keypair->key_mem != NULL) { if (keypair->key_len > INT_MAX) { tls_set_errorx(ctx, "key too long"); goto err; } if ((bio = BIO_new_mem_buf(keypair->key_mem, keypair->key_len)) == NULL) { tls_set_errorx(ctx, "failed to create buffer"); goto err; } if ((pkey = PEM_read_bio_PrivateKey(bio, NULL, tls_password_cb, NULL)) == NULL) { tls_set_errorx(ctx, "failed to read private key"); goto err; } if (keypair->pubkey_hash != NULL) { RSA *rsa; /* XXX only RSA for now for relayd privsep */ if ((rsa = EVP_PKEY_get1_RSA(pkey)) != NULL) { RSA_set_ex_data(rsa, 0, keypair->pubkey_hash); RSA_free(rsa); } } if (SSL_CTX_use_PrivateKey(ssl_ctx, pkey) != 1) { tls_set_errorx(ctx, "failed to load private key"); goto err; } BIO_free(bio); bio = NULL; EVP_PKEY_free(pkey); pkey = NULL; } if (!ctx->config->skip_private_key_check && SSL_CTX_check_private_key(ssl_ctx) != 1) { tls_set_errorx(ctx, "private/public key mismatch"); goto err; } return (0); err: EVP_PKEY_free(pkey); BIO_free(bio); return (1); }
inline void rsa_key::set_external_data(int index, void* data) { error::throw_error_if(RSA_set_ex_data(raw(), index, data) == 0); }