+/*----- Seeding -----------------------------------------------------------*/
+
+const struct seedalg { const char *p; grand *(*gen)(const void *, size_t); }
+seedtab[] = {
+ { "dsarand", dsarand_create },
+ { "rmd128-mgf", rmd128_mgfrand },
+ { "rmd160-mgf", rmd160_mgfrand },
+ { "rmd256-mgf", rmd256_mgfrand },
+ { "rmd320-mgf", rmd320_mgfrand },
+ { "sha-mgf", sha_mgfrand },
+ { "sha224-mgf", sha224_mgfrand },
+ { "sha256-mgf", sha256_mgfrand },
+ { "sha384-mgf", sha384_mgfrand },
+ { "sha512-mgf", sha512_mgfrand },
+ { "tiger-mgf", tiger_mgfrand },
+ { 0, 0 }
+};
+
+#define SEEDALG_DEFAULT (seedtab + 2)
+
+/*----- Key generation ----------------------------------------------------*/
+
+/* --- Key generation parameters --- */
+
+typedef struct keyopts {
+ key_file *kf; /* Pointer to key file */
+ key *k; /* Pointer to the actual key */
+ dstr tag; /* Full tag name for the key */
+ unsigned f; /* Flags for the new key */
+ unsigned bits, qbits; /* Bit length for the new key */
+ const char *curve; /* Elliptic curve name/info */
+ grand *r; /* Random number source */
+ key *p; /* Parameters key-data */
+} keyopts;
+
+#define f_bogus 1u /* Error in parsing */
+#define f_lock 2u /* Passphrase-lock private key */
+#define f_quiet 4u /* Don't show a progress indicator */
+#define f_limlee 8u /* Generate Lim-Lee primes */
+#define f_subgroup 16u /* Generate a subgroup */
+#define f_retag 32u /* Remove any existing tag */
+
+/* --- @dolock@ --- *
+ *
+ * Arguments: @keyopts *k@ = key generation options
+ * @key_data **kd@ = pointer to key data to lock
+ * @const char *t@ = tag suffix or null
+ *
+ * Returns: ---
+ *
+ * Use: Does passphrase locking on new keys.
+ */
+
+static void dolock(keyopts *k, key_data **kd, const char *t)
+{
+ if (!(k->f & f_lock))
+ return;
+ if (t)
+ dstr_putf(&k->tag, ".%s", t);
+ if (key_plock(kd, 0, k->tag.buf))
+ die(EXIT_FAILURE, "couldn't lock key");
+}
+
+/* --- @copyparam@ --- *
+ *
+ * Arguments: @keyopts *k@ = pointer to key options
+ * @const char **pp@ = checklist of parameters
+ *
+ * Returns: Nonzero if parameters copied; zero if you have to generate
+ * them.
+ *
+ * Use: Copies parameters from a source key to the current one.
+ */
+
+static int copyparam(keyopts *k, const char **pp)
+{
+ key_filter kf;
+ key_attriter i;
+ const char *n, *v;
+
+ /* --- Quick check if no parameters supplied --- */
+
+ if (!k->p)
+ return (0);
+
+ /* --- Run through the checklist --- */
+
+ while (*pp) {
+ key_data *kd = key_structfind(k->p->k, *pp);
+ if (!kd)
+ die(EXIT_FAILURE, "bad parameter key: parameter `%s' not found", *pp);
+ if ((kd->e & KF_CATMASK) != KCAT_SHARE)
+ die(EXIT_FAILURE, "bad parameter key: subkey `%s' is not shared", *pp);
+ pp++;
+ }
+
+ /* --- Copy over the parameters --- */
+
+ kf.f = KCAT_SHARE;
+ kf.m = KF_CATMASK;
+ key_setkeydata(k->kf, k->k, k->p->k);
+
+ /* --- Copy over attributes --- */
+
+ for (key_mkattriter(&i, k->p); key_nextattr(&i, &n, &v); )
+ key_putattr(k->kf, k->k, n, v);
+
+ /* --- Done --- */
+
+ return (1);
+}
+
+/* --- @getmp@ --- *
+ *
+ * Arguments: @key_data *k@ = pointer to key data block
+ * @const char *tag@ = tag string to use
+ *
+ * Returns: Pointer to multiprecision integer key item.
+ *
+ * Use: Fetches an MP key component.
+ */
+
+static mp *getmp(key_data *k, const char *tag)
+{
+ k = key_structfind(k, tag);
+ if (!k)
+ die(EXIT_FAILURE, "unexpected failure looking up subkey `%s'", tag);
+ if ((k->e & KF_ENCMASK) != KENC_MP)
+ die(EXIT_FAILURE, "subkey `%s' has an incompatible type");
+ return (k->u.m);
+}
+
+/* --- @keyrand@ --- *
+ *
+ * Arguments: @key_file *kf@ = pointer to key file
+ * @const char *id@ = pointer to key id (or null)
+ *
+ * Returns: ---
+ *
+ * Use: Keys the random number generator.
+ */
+
+static void keyrand(key_file *kf, const char *id)
+{
+ key *k;
+
+ /* --- Find the key --- */
+
+ if (id) {
+ if ((k = key_bytag(kf, id)) == 0)
+ die(EXIT_FAILURE, "key `%s' not found", id);
+ } else
+ k = key_bytype(kf, "catacomb-rand");
+
+ if (k) {
+ key_data *kd = k->k, *kkd;
+ key_incref(kd);
+
+ again:
+ switch (kd->e & KF_ENCMASK) {
+ case KENC_BINARY:
+ break;
+ case KENC_ENCRYPT: {
+ dstr d = DSTR_INIT;
+ key_fulltag(k, &d);
+ if (key_punlock(&kkd, kd, d.buf))
+ die(EXIT_FAILURE, "error unlocking key `%s'", d.buf);
+ dstr_destroy(&d);
+ key_drop(kd);
+ kd = kkd;
+ } goto again;
+ default: {
+ dstr d = DSTR_INIT;
+ key_fulltag(k, &d);
+ die(EXIT_FAILURE, "bad encoding type for key `%s'", d.buf);
+ } break;
+ }
+
+ /* --- Key the generator --- */
+
+ rand_key(RAND_GLOBAL, kd->u.k.k, kd->u.k.sz);
+ key_drop(kd);
+ }
+}
+
+/* --- Key generation algorithms --- */
+
+static void alg_binary(keyopts *k)
+{
+ unsigned sz;
+ unsigned m;
+ key_data *kd;
+ octet *p;
+
+ if (!k->bits)
+ k->bits = 128;
+ if (k->p)
+ die(EXIT_FAILURE, "no shared parameters for binary keys");
+
+ sz = (k->bits + 7) >> 3;
+ p = sub_alloc(sz);
+ m = (1 << (((k->bits - 1) & 7) + 1)) - 1;
+ k->r->ops->fill(k->r, p, sz);
+ *p &= m;
+ kd = key_newbinary(KCAT_SYMM | KF_BURN, p, sz);
+ memset(p, 0, sz);
+ dolock(k, &kd, 0);
+ key_setkeydata(k->kf, k->k, kd);
+ key_drop(kd);
+ sub_free(p, sz);
+}
+
+static void alg_des(keyopts *k)
+{
+ unsigned sz;
+ octet *p;
+ key_data *kd;
+ int i;
+
+ if (!k->bits)
+ k->bits = 168;
+ if (k->p)
+ die(EXIT_FAILURE, "no shared parameters for DES keys");
+ if (k->bits % 56 || k->bits > 168)
+ die(EXIT_FAILURE, "DES keys must be 56, 112 or 168 bits long");
+
+ sz = k->bits / 7;
+ p = sub_alloc(sz);
+ k->r->ops->fill(k->r, p, sz);
+ for (i = 0; i < sz; i++) {
+ octet x = p[i] | 0x01;
+ x = x ^ (x >> 4);
+ x = x ^ (x >> 2);
+ x = x ^ (x >> 1);
+ p[i] = (p[i] & 0xfe) | (x & 0x01);
+ }
+ kd = key_newbinary(KCAT_SYMM | KF_BURN, p, sz);
+ memset(p, 0, sz);
+ dolock(k, &kd, 0);
+ key_setkeydata(k->kf, k->k, kd);
+ key_drop(kd);
+ sub_free(p, sz);
+}
+
+static void alg_rsa(keyopts *k)
+{
+ rsa_priv rp;
+ key_data *kd, *kkd;
+
+ /* --- Sanity checking --- */
+
+ if (k->p)
+ die(EXIT_FAILURE, "no shared parameters for RSA keys");
+ if (!k->bits)
+ k->bits = 1024;
+
+ /* --- Generate the RSA parameters --- */
+
+ if (rsa_gen(&rp, k->bits, k->r, 0,
+ (k->f & f_quiet) ? 0 : pgen_ev, 0))
+ die(EXIT_FAILURE, "RSA key generation failed");
+
+ /* --- Run a test encryption --- */
+
+ {
+ grand *g = fibrand_create(k->r->ops->word(k->r));
+ rsa_pub rpp;
+ mp *m = mprand_range(MP_NEW, rp.n, g, 0);
+ mp *c;
+
+ rpp.n = rp.n;
+ rpp.e = rp.e;
+ c = rsa_qpubop(&rpp, MP_NEW, m);
+ c = rsa_qprivop(&rp, c, c, g);
+
+ if (!MP_EQ(c, m))
+ die(EXIT_FAILURE, "test encryption failed");
+ mp_drop(c);
+ mp_drop(m);
+ g->ops->destroy(g);
+ }
+
+ /* --- Allrighty then --- */
+
+ kd = key_newstruct();
+ key_structsteal(kd, "n", key_newmp(KCAT_PUB, rp.n));
+ key_structsteal(kd, "e", key_newmp(KCAT_PUB, rp.e));
+
+ kkd = key_newstruct();
+ key_structsteal(kkd, "d", key_newmp(KCAT_PRIV | KF_BURN, rp.d));
+ key_structsteal(kkd, "p", key_newmp(KCAT_PRIV | KF_BURN, rp.p));
+ key_structsteal(kkd, "q", key_newmp(KCAT_PRIV | KF_BURN, rp.q));
+ key_structsteal(kkd, "q-inv", key_newmp(KCAT_PRIV | KF_BURN, rp.q_inv));
+ key_structsteal(kkd, "d-mod-p", key_newmp(KCAT_PRIV | KF_BURN, rp.dp));
+ key_structsteal(kkd, "d-mod-q", key_newmp(KCAT_PRIV | KF_BURN, rp.dq));
+ dolock(k, &kkd, "private");
+ key_structsteal(kd, "private", kkd);
+ key_setkeydata(k->kf, k->k, kd);
+ key_drop(kd);
+ rsa_privfree(&rp);
+}
+
+static void alg_dsaparam(keyopts *k)
+{
+ static const char *pl[] = { "q", "p", "g", 0 };
+ if (!copyparam(k, pl)) {
+ dsa_param dp;
+ octet *p;
+ size_t sz;
+ dstr d = DSTR_INIT;
+ base64_ctx c;
+ key_data *kd;
+ dsa_seed ds;
+
+ /* --- Choose appropriate bit lengths if necessary --- */
+
+ if (!k->qbits)
+ k->qbits = 160;
+ if (!k->bits)
+ k->bits = 1024;
+
+ /* --- Allocate a seed block --- */
+
+ sz = (k->qbits + 7) >> 3;
+ p = sub_alloc(sz);
+ k->r->ops->fill(k->r, p, sz);
+
+ /* --- Allocate the parameters --- */
+
+ if (dsa_gen(&dp, k->qbits, k->bits, 0, p, sz, &ds,
+ (k->f & f_quiet) ? 0 : pgen_ev, 0))
+ die(EXIT_FAILURE, "DSA parameter generation failed");
+
+ /* --- Store the parameters --- */
+
+ kd = key_newstruct();
+ key_structsteal(kd, "q", key_newmp(KCAT_SHARE, dp.q));
+ key_structsteal(kd, "p", key_newmp(KCAT_SHARE, dp.p));
+ key_structsteal(kd, "g", key_newmp(KCAT_SHARE, dp.g));
+ mp_drop(dp.q);
+ mp_drop(dp.p);
+ mp_drop(dp.g);
+ key_setkeydata(k->kf, k->k, kd);
+ key_drop(kd);
+
+ /* --- Store the seed for future verification --- */
+
+ base64_init(&c);
+ c.maxline = 0;
+ c.indent = "";
+ base64_encode(&c, ds.p, ds.sz, &d);
+ base64_encode(&c, 0, 0, &d);
+ DPUTZ(&d);
+ key_putattr(k->kf, k->k, "seed", d.buf);
+ DRESET(&d);
+ dstr_putf(&d, "%u", ds.count);
+ key_putattr(k->kf, k->k, "count", d.buf);
+ xfree(ds.p);
+ sub_free(p, sz);
+ dstr_destroy(&d);
+ }
+}
+
+static void alg_dsa(keyopts *k)
+{
+ mp *q, *p, *g;
+ mp *x, *y;
+ mpmont mm;
+ key_data *kd, *kkd;
+
+ /* --- Get the shared parameters --- */
+
+ alg_dsaparam(k);
+ key_split(&k->k->k); kd = k->k->k;
+ q = getmp(kd, "q");
+ p = getmp(kd, "p");
+ g = getmp(kd, "g");
+
+ /* --- Choose a private key --- */
+
+ x = mprand_range(MP_NEWSEC, q, k->r, 0);
+ mpmont_create(&mm, p);
+ y = mpmont_exp(&mm, MP_NEW, g, x);
+
+ /* --- Store everything away --- */
+
+ key_structsteal(kd, "y", key_newmp(KCAT_PUB, y));
+
+ kkd = key_newstruct();
+ key_structsteal(kkd, "x", key_newmp(KCAT_PRIV | KF_BURN, x));
+ dolock(k, &kkd, "private");
+ key_structsteal(kd, "private", kkd);
+
+ mp_drop(x); mp_drop(y);
+}
+
+static void alg_dhparam(keyopts *k)
+{
+ static const char *pl[] = { "p", "q", "g", 0 };
+ key_data *kd;
+ if (!copyparam(k, pl)) {
+ dh_param dp;
+ int rc;
+
+ if (k->curve) {
+ qd_parse qd;
+ group *g;
+ const char *e;
+
+ if (strcmp(k->curve, "list") == 0) {
+ unsigned i, w;
+ LIST("Built-in prime fields", stdout, ptab[i].name, ptab[i].name);
+ exit(0);
+ }
+ qd.p = k->curve;
+ if (dh_parse(&qd, &dp))
+ die(EXIT_FAILURE, "error in field spec: %s", qd.e);
+ if (!qd_eofp(&qd))
+ die(EXIT_FAILURE, "junk at end of field spec");
+ if ((g = group_prime(&dp)) == 0)
+ die(EXIT_FAILURE, "invalid prime field");
+ if (!(k->f & f_quiet) && (e = G_CHECK(g, &rand_global)) != 0)
+ moan("WARNING! group check failed: %s", e);
+ G_DESTROYGROUP(g);
+ goto done;
+ }
+
+ if (!k->bits)
+ k->bits = 1024;
+
+ /* --- Choose a large safe prime number --- */
+
+ if (k->f & f_limlee) {
+ mp **f;
+ size_t nf;
+ if (!k->qbits)
+ k->qbits = 256;
+ rc = dh_limlee(&dp, k->qbits, k->bits,
+ (k->f & f_subgroup) ? DH_SUBGROUP : 0,
+ 0, k->r, (k->f & f_quiet) ? 0 : pgen_ev, 0,
+ (k->f & f_quiet) ? 0 : pgen_evspin, 0, &nf, &f);
+ if (!rc) {
+ dstr d = DSTR_INIT;
+ size_t i;
+ for (i = 0; i < nf; i++) {
+ if (i)
+ dstr_puts(&d, ", ");
+ mp_writedstr(f[i], &d, 10);
+ mp_drop(f[i]);
+ }
+ key_putattr(k->kf, k->k, "factors", d.buf);
+ dstr_destroy(&d);
+ }
+ } else
+ rc = dh_gen(&dp, k->qbits, k->bits, 0, k->r,
+ (k->f & f_quiet) ? 0 : pgen_ev, 0);
+
+ if (rc)
+ die(EXIT_FAILURE, "Diffie-Hellman parameter generation failed");
+
+ done:
+ kd = key_newstruct();
+ key_structsteal(kd, "p", key_newmp(KCAT_SHARE, dp.p));
+ key_structsteal(kd, "q", key_newmp(KCAT_SHARE, dp.q));
+ key_structsteal(kd, "g", key_newmp(KCAT_SHARE, dp.g));
+ mp_drop(dp.q);
+ mp_drop(dp.p);
+ mp_drop(dp.g);
+ key_setkeydata(k->kf, k->k, kd);
+ key_drop(kd);
+ }
+}
+
+static void alg_dh(keyopts *k)
+{
+ mp *x, *y;
+ mp *p, *q, *g;
+ mpmont mm;
+ key_data *kd, *kkd;
+
+ /* --- Get the shared parameters --- */
+
+ alg_dhparam(k);
+ key_split(&k->k->k); kd = k->k->k;
+ p = getmp(kd, "p");
+ q = getmp(kd, "q");
+ g = getmp(kd, "g");
+
+ /* --- Choose a suitable private key --- *
+ *
+ * Since %$g$% has order %$q$%, choose %$x < q$%.
+ */
+
+ x = mprand_range(MP_NEWSEC, q, k->r, 0);
+
+ /* --- Compute the public key %$y = g^x \bmod p$% --- */
+
+ mpmont_create(&mm, p);
+ y = mpmont_exp(&mm, MP_NEW, g, x);
+ mpmont_destroy(&mm);
+
+ /* --- Store everything away --- */
+
+ key_structsteal(kd, "y", key_newmp(KCAT_PUB, y));
+
+ kkd = key_newstruct();
+ key_structsteal(kkd, "x", key_newmp(KCAT_PRIV | KF_BURN, x));
+ dolock(k, &kkd, "private");
+ key_structsteal(kd, "private", kkd);
+
+ mp_drop(x); mp_drop(y);
+}
+
+static void alg_bbs(keyopts *k)
+{
+ bbs_priv bp;
+ key_data *kd, *kkd;
+
+ /* --- Sanity checking --- */
+
+ if (k->p)
+ die(EXIT_FAILURE, "no shared parameters for Blum-Blum-Shub keys");
+ if (!k->bits)
+ k->bits = 1024;
+
+ /* --- Generate the BBS parameters --- */
+
+ if (bbs_gen(&bp, k->bits, k->r, 0,
+ (k->f & f_quiet) ? 0 : pgen_ev, 0))
+ die(EXIT_FAILURE, "Blum-Blum-Shub key generation failed");
+
+ /* --- Allrighty then --- */
+
+ kd = key_newstruct();
+ key_structsteal(kd, "n", key_newmp(KCAT_PUB, bp.n));
+
+ kkd = key_newstruct();
+ key_structsteal(kkd, "p", key_newmp(KCAT_PRIV | KF_BURN, bp.p));
+ key_structsteal(kkd, "q", key_newmp(KCAT_PRIV | KF_BURN, bp.q));
+ dolock(k, &kkd, "private");
+ key_structsteal(kd, "private", kkd);
+ key_setkeydata(k->kf, k->k, kd);
+ key_drop(kd);
+
+ bbs_privfree(&bp);
+}
+
+static void alg_binparam(keyopts *k)
+{
+ static const char *pl[] = { "p", "q", "g", 0 };
+ if (!copyparam(k, pl)) {
+ gbin_param gb;
+ qd_parse qd;
+ group *g;
+ const char *e;
+ key_data *kd;
+
+ /* --- Decide on a field --- */
+
+ if (!k->bits) k->bits = 128;
+ if (k->curve && strcmp(k->curve, "list") == 0) {
+ unsigned i, w;
+ LIST("Built-in binary fields", stdout,
+ bintab[i].name, bintab[i].name);
+ exit(0);
+ }
+ if (!k->curve) {
+ if (k->bits <= 40) k->curve = "p1363-40";
+ else if (k->bits <= 56) k->curve = "p1363-56";
+ else if (k->bits <= 64) k->curve = "p1363-64";
+ else if (k->bits <= 80) k->curve = "p1363-80";
+ else if (k->bits <= 112) k->curve = "p1363-112";
+ else if (k->bits <= 128) k->curve = "p1363-128";
+ else {
+ die(EXIT_FAILURE,
+ "no built-in binary fields provide %u-bit security",
+ k->bits);
+ }
+ }
+
+ /* --- Check it --- */
+
+ qd.e = 0;
+ qd.p = k->curve;
+ if (dhbin_parse(&qd, &gb))
+ die(EXIT_FAILURE, "error in field spec: %s", qd.e);
+ if (!qd_eofp(&qd))
+ die(EXIT_FAILURE, "junk at end of field spec");
+ if ((g = group_binary(&gb)) == 0)
+ die(EXIT_FAILURE, "invalid binary field");
+ if (!(k->f & f_quiet) && (e = G_CHECK(g, &rand_global)) != 0)
+ moan("WARNING! group check failed: %s", e);
+ G_DESTROYGROUP(g);
+
+ /* --- Write out the answer --- */
+
+ kd = key_newstruct();
+ key_structsteal(kd, "p", key_newmp(KCAT_SHARE, gb.p));
+ key_structsteal(kd, "q", key_newmp(KCAT_SHARE, gb.q));
+ key_structsteal(kd, "g", key_newmp(KCAT_SHARE, gb.g));
+ mp_drop(gb.q);
+ mp_drop(gb.p);
+ mp_drop(gb.g);
+ key_setkeydata(k->kf, k->k, kd);
+ key_drop(kd);
+ }
+}
+
+static void alg_bin(keyopts *k)
+{
+ mp *x, *y;
+ mp *p, *q, *g;
+ gfreduce r;
+ key_data *kd, *kkd;
+
+ /* --- Get the shared parameters --- */
+
+ alg_binparam(k);
+ key_split(&k->k->k); kd = k->k->k;
+ p = getmp(kd, "p");
+ q = getmp(kd, "q");
+ g = getmp(kd, "g");
+
+ /* --- Choose a suitable private key --- *
+ *
+ * Since %$g$% has order %$q$%, choose %$x < q$%.
+ */
+
+ x = mprand_range(MP_NEWSEC, q, k->r, 0);
+
+ /* --- Compute the public key %$y = g^x \bmod p$% --- */
+
+ gfreduce_create(&r, p);
+ y = gfreduce_exp(&r, MP_NEW, g, x);
+ gfreduce_destroy(&r);
+
+ /* --- Store everything away --- */
+
+ key_structsteal(kd, "y", key_newmp(KCAT_PUB, y));
+
+ kkd = key_newstruct();
+ key_structsteal(kkd, "x", key_newmp(KCAT_PRIV | KF_BURN, x));
+ dolock(k, &kkd, "private");
+ key_structsteal(kd, "private", kkd);
+
+ mp_drop(x); mp_drop(y);
+}
+
+static void alg_ecparam(keyopts *k)
+{
+ static const char *pl[] = { "curve", 0 };
+ if (!copyparam(k, pl)) {
+ ec_info ei;
+ const char *e;
+ key_data *kd;
+
+ /* --- Decide on a curve --- */
+
+ if (!k->bits) k->bits = 256;
+ if (k->curve && strcmp(k->curve, "list") == 0) {
+ unsigned i, w;
+ LIST("Built-in elliptic curves", stdout,
+ ectab[i].name, ectab[i].name);
+ exit(0);
+ }
+ if (!k->curve) {
+ if (k->bits <= 56) k->curve = "secp112r1";
+ else if (k->bits <= 64) k->curve = "secp128r1";
+ else if (k->bits <= 80) k->curve = "secp160r1";
+ else if (k->bits <= 96) k->curve = "secp192r1";
+ else if (k->bits <= 112) k->curve = "secp224r1";
+ else if (k->bits <= 128) k->curve = "secp256r1";
+ else if (k->bits <= 192) k->curve = "secp384r1";
+ else if (k->bits <= 256) k->curve = "secp521r1";
+ else
+ die(EXIT_FAILURE, "no built-in curves provide %u-bit security",
+ k->bits);
+ }
+
+ /* --- Check it --- */
+
+ if ((e = ec_getinfo(&ei, k->curve)) != 0)
+ die(EXIT_FAILURE, "error in curve spec: %s", e);
+ if (!(k->f & f_quiet) && (e = ec_checkinfo(&ei, k->r)) != 0)
+ moan("WARNING! curve check failed: %s", e);
+ ec_freeinfo(&ei);
+
+ /* --- Write out the answer --- */
+
+ kd = key_newstruct();
+ key_structsteal(kd, "curve", key_newstring(KCAT_SHARE, k->curve));
+ key_setkeydata(k->kf, k->k, kd);
+ key_drop(kd);
+ }
+}
+
+static void alg_ec(keyopts *k)
+{
+ key_data *kd;
+ key_data *kkd;
+ mp *x = MP_NEW;
+ ec p = EC_INIT;
+ const char *e;
+ ec_info ei;
+
+ /* --- Get the curve --- */
+
+ alg_ecparam(k);
+ key_split(&k->k->k); kd = k->k->k;
+ if ((kkd = key_structfind(kd, "curve")) == 0)
+ die(EXIT_FAILURE, "unexpected failure looking up subkey `curve')");
+ if ((kkd->e & KF_ENCMASK) != KENC_STRING)
+ die(EXIT_FAILURE, "subkey `curve' is not a string");
+ if ((e = ec_getinfo(&ei, kkd->u.p)) != 0)
+ die(EXIT_FAILURE, "error in curve spec: %s", e);
+
+ /* --- Invent a private exponent and compute the public key --- */
+
+ x = mprand_range(MP_NEWSEC, ei.r, k->r, 0);
+ ec_mul(ei.c, &p, &ei.g, x);
+
+ /* --- Store everything away --- */
+
+ key_structsteal(kd, "p", key_newec(KCAT_PUB, &p));
+
+ kkd = key_newstruct();
+ key_structsteal(kkd, "x", key_newmp(KCAT_PRIV | KF_BURN, x));
+ dolock(k, &kkd, "private");
+ key_structsteal(kd, "private", kkd);
+
+ /* --- Done --- */
+
+ ec_freeinfo(&ei);
+ mp_drop(x);
+}
+
+/* --- The algorithm tables --- */
+
+typedef struct keyalg {
+ const char *name;
+ void (*proc)(keyopts *o);
+ const char *help;
+} keyalg;
+
+static keyalg algtab[] = {
+ { "binary", alg_binary, "Plain binary data" },
+ { "des", alg_des, "Binary with DES-style parity" },
+ { "rsa", alg_rsa, "RSA public-key encryption" },
+ { "bbs", alg_bbs, "Blum-Blum-Shub generator" },
+ { "dsa", alg_dsa, "DSA digital signatures" },
+ { "dsa-param", alg_dsaparam, "DSA shared parameters" },
+ { "dh", alg_dh, "Diffie-Hellman key exchange" },
+ { "dh-param", alg_dhparam, "Diffie-Hellman parameters" },
+ { "bindh", alg_bin, "DH over a binary field" },
+ { "bindh-param", alg_binparam, "Binary-field DH parameters" },
+ { "ec-param", alg_ecparam, "Elliptic curve parameters" },
+ { "ec", alg_ec, "Elliptic curve crypto" },
+ { 0, 0 }
+};