void
rsa_sha256_sign_digest(const struct rsa_private_key *key,
const uint8_t *digest,
mpz_t s)
{
assert(key->size >= RSA_MINIMUM_N_OCTETS);
pkcs1_rsa_sha256_encode_digest(s, key->size - 1, digest);
rsa_compute_root(key, s, s);
}
void
rsa_sha256_sign(const struct rsa_private_key *key,
struct sha256_ctx *hash,
mpz_t s)
{
assert(key->size >= RSA_MINIMUM_N_OCTETS);
pkcs1_rsa_sha256_encode(s, key->size - 1, hash);
rsa_compute_root(key, s, s);
}
static struct lsh_string *
do_rsa_sign(struct signer *s,
int algorithm,
UINT32 msg_length,
const UINT8 *msg)
{
CAST(rsa_signer, self, s);
struct lsh_string *res;
mpz_t m;
trace("do_rsa_sign: Signing according to %a\n", algorithm);
mpz_init(m);
pkcs1_encode(m, self->verifier->params, self->verifier->size - 1,
msg_length, msg);
rsa_compute_root(self, m, m);
switch (algorithm)
{
case ATOM_SSH_RSA:
/* Uses the encoding:
*
* string ssh-rsa
* string signature-blob
*/
res = ssh_format("%a%un", ATOM_SSH_RSA, m);
break;
#if 0
case ATOM_RSA_PKCS1_SHA1:
case ATOM_RSA_PKCS1_SHA1_LOCAL:
/* Uses the encoding:
*
* string rsa-pkcs1
* string signature-blob
*/
res = ssh_format("%a%un", ATOM_RSA_PKCS1_SHA1, m);
break;
#endif
/* It doesn't matter here which flavour of SPKI is used. */
case ATOM_SPKI_SIGN_RSA:
case ATOM_SPKI_SIGN_DSS:
res = sexp_format(encode_rsa_sig_val(m), SEXP_CANONICAL, 0);
break;
default:
fatal("do_rsa_sign: Internal error!\n");
}
mpz_clear(m);
return res;
}
int
rsa_decrypt(const struct rsa_private_key *key,
unsigned *length, uint8_t *message,
const mpz_t gibberish)
{
mpz_t m;
int res;
mpz_init(m);
rsa_compute_root(key, m, gibberish);
res = pkcs1_decrypt (key->size, m, length, message);
mpz_clear(m);
return res;
}
int
rsa_md5_sign_digest(const struct rsa_private_key *key,
const uint8_t *digest,
mpz_t s)
{
if (pkcs1_rsa_md5_encode_digest(s, key->size, digest))
{
rsa_compute_root(key, s, s);
return 1;
}
else
{
mpz_set_ui(s, 0);
return 0;
}
}
int
rsa_md5_sign(const struct rsa_private_key *key,
struct md5_ctx *hash,
mpz_t s)
{
if (pkcs1_rsa_md5_encode(s, key->size, hash))
{
rsa_compute_root(key, s, s);
return 1;
}
else
{
mpz_set_ui(s, 0);
return 0;
}
}
static struct sexp *
do_rsa_sign_spki(struct signer *s,
/* struct sexp *hash, struct sexp *principal, */
UINT32 msg_length,
const UINT8 *msg)
{
CAST(rsa_signer, self, s);
mpz_t m;
struct sexp *signature;
mpz_init(m);
pkcs1_encode(m, self->verifier->params, self->verifier->size - 1,
msg_length, msg);
rsa_compute_root(self, m, m);
signature = encode_rsa_sig_val(m);
mpz_clear(m);
return signature;
}
int
rsa_decrypt_tr(const struct rsa_public_key *pub,
const struct rsa_private_key *key,
void *random_ctx, nettle_random_func *random,
unsigned *length, uint8_t *message,
const mpz_t gibberish)
{
mpz_t m, ri;
int res;
mpz_init_set(m, gibberish);
mpz_init (ri);
_rsa_blind (pub, random_ctx, random, m, ri);
rsa_compute_root(key, m, m);
_rsa_unblind (pub, m, ri);
mpz_clear (ri);
res = pkcs1_decrypt (key->size, m, length, message);
mpz_clear(m);
return res;
}
/* in case of DSA puts into data, r,s
*/
static int
_wrap_nettle_pk_sign (gnutls_pk_algorithm_t algo,
gnutls_datum_t * signature,
const gnutls_datum_t * vdata,
const gnutls_pk_params_st * pk_params)
{
int ret;
unsigned int hash;
unsigned int hash_len;
switch (algo)
{
case GNUTLS_PK_EC: /* we do ECDSA */
{
ecc_key priv;
struct dsa_signature sig;
_ecc_params_to_privkey(pk_params, &priv);
dsa_signature_init (&sig);
hash = _gnutls_dsa_q_to_hash (algo, pk_params, &hash_len);
if (hash_len > vdata->size)
{
gnutls_assert ();
_gnutls_debug_log("Security level of algorithm requires hash %s(%d) or better\n", gnutls_mac_get_name(hash), hash_len);
hash_len = vdata->size;
}
ret = ecc_sign_hash(vdata->data, hash_len,
&sig, NULL, rnd_func, &priv);
if (ret != 0)
{
gnutls_assert ();
ret = GNUTLS_E_PK_SIGN_FAILED;
goto ecdsa_fail;
}
ret = _gnutls_encode_ber_rs (signature, &sig.r, &sig.s);
ecdsa_fail:
dsa_signature_clear (&sig);
_ecc_params_clear( &priv);
if (ret < 0)
{
gnutls_assert ();
goto cleanup;
}
break;
}
case GNUTLS_PK_DSA:
{
struct dsa_public_key pub;
struct dsa_private_key priv;
struct dsa_signature sig;
memset(&priv, 0, sizeof(priv));
memset(&pub, 0, sizeof(pub));
_dsa_params_to_pubkey (pk_params, &pub);
_dsa_params_to_privkey (pk_params, &priv);
dsa_signature_init (&sig);
hash = _gnutls_dsa_q_to_hash (algo, pk_params, &hash_len);
if (hash_len > vdata->size)
{
gnutls_assert ();
_gnutls_debug_log("Security level of algorithm requires hash %s(%d) or better\n", gnutls_mac_get_name(hash), hash_len);
hash_len = vdata->size;
}
ret =
_dsa_sign (&pub, &priv, NULL, rnd_func,
hash_len, vdata->data, &sig);
if (ret == 0)
{
gnutls_assert ();
ret = GNUTLS_E_PK_SIGN_FAILED;
goto dsa_fail;
}
ret = _gnutls_encode_ber_rs (signature, &sig.r, &sig.s);
dsa_fail:
dsa_signature_clear (&sig);
if (ret < 0)
{
gnutls_assert ();
goto cleanup;
}
break;
}
case GNUTLS_PK_RSA:
{
struct rsa_private_key priv;
bigint_t hash, nc, ri;
if (_gnutls_mpi_scan_nz (&hash, vdata->data, vdata->size) != 0)
{
gnutls_assert ();
return GNUTLS_E_MPI_SCAN_FAILED;
}
memset(&priv, 0, sizeof(priv));
_rsa_params_to_privkey (pk_params, &priv);
nc = rsa_blind (hash, pk_params->params[1] /*e */ ,
pk_params->params[0] /*m */ , &ri);
_gnutls_mpi_release (&hash);
if (nc == NULL)
{
gnutls_assert ();
ret = GNUTLS_E_MEMORY_ERROR;
goto rsa_fail;
}
rsa_compute_root (&priv, TOMPZ (nc), TOMPZ (nc));
rsa_unblind (nc, ri, pk_params->params[0] /*m */ );
ret = _gnutls_mpi_dprint (nc, signature);
rsa_fail:
_gnutls_mpi_release (&nc);
_gnutls_mpi_release (&ri);
if (ret < 0)
{
gnutls_assert ();
goto cleanup;
}
break;
}
default:
gnutls_assert ();
ret = GNUTLS_E_INTERNAL_ERROR;
goto cleanup;
}
ret = 0;
cleanup:
return ret;
}
static int
_wrap_nettle_pk_decrypt (gnutls_pk_algorithm_t algo,
gnutls_datum_t * plaintext,
const gnutls_datum_t * ciphertext,
const gnutls_pk_params_st * pk_params)
{
int ret;
/* make a sexp from pkey */
switch (algo)
{
case GNUTLS_PK_RSA:
{
struct rsa_private_key priv;
bigint_t c, ri, nc;
if (_gnutls_mpi_scan_nz (&c, ciphertext->data, ciphertext->size) != 0)
{
gnutls_assert ();
return GNUTLS_E_MPI_SCAN_FAILED;
}
nc = rsa_blind (c, pk_params->params[1] /*e */ ,
pk_params->params[0] /*m */ , &ri);
_gnutls_mpi_release (&c);
if (nc == NULL)
{
gnutls_assert ();
return GNUTLS_E_MEMORY_ERROR;
}
memset(&priv, 0, sizeof(priv));
_rsa_params_to_privkey (pk_params, &priv);
rsa_compute_root (&priv, TOMPZ (nc), TOMPZ (nc));
rsa_unblind (nc, ri, pk_params->params[0] /*m */ );
ret = _gnutls_mpi_dprint_size (nc, plaintext, ciphertext->size);
_gnutls_mpi_release (&nc);
_gnutls_mpi_release (&ri);
if (ret < 0)
{
gnutls_assert ();
goto cleanup;
}
break;
}
default:
gnutls_assert ();
ret = GNUTLS_E_INTERNAL_ERROR;
goto cleanup;
}
ret = 0;
cleanup:
return ret;
}
