7 * (c) 2004 Straylight/Edgeware
10 /*----- Licensing notice --------------------------------------------------*
12 * This file is part of Catacomb.
14 * Catacomb is free software; you can redistribute it and/or modify
15 * it under the terms of the GNU Library General Public License as
16 * published by the Free Software Foundation; either version 2 of the
17 * License, or (at your option) any later version.
19 * Catacomb is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 * GNU Library General Public License for more details.
24 * You should have received a copy of the GNU Library General Public
25 * License along with Catacomb; if not, write to the Free
26 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
30 /*----- Header files ------------------------------------------------------*/
34 #include <mLib/report.h>
49 /*----- Main code ---------------------------------------------------------*/
51 /* --- RSA PKCS1 --- */
53 typedef struct rsap1_sigctx
{
59 static sig
*rsap1_siginit(key
*k
, void *kd
, const gchash
*hc
)
61 rsap1_sigctx
*rs
= CREATE(rsap1_sigctx
);
62 rsa_privcreate(&rs
->rp
, kd
, &rand_global
);
63 rs
->p1
.r
= &rand_global
;
65 rs
->p1
.epsz
= strlen(hc
->name
) + 1;
70 static int rsap1_sigdoit(sig
*s
, dstr
*d
)
72 rsap1_sigctx
*rs
= (rsap1_sigctx
*)s
;
74 mp
*m
= rsa_sign(&rs
->rp
, MP_NEW
,
75 GH_DONE(s
->h
, 0), GH_CLASS(s
->h
)->hashsz
,
76 pkcs1_sigencode
, &rs
->p1
);
78 n
= mp_octets(rs
->rp
.rp
->n
); dstr_ensure(d
, n
); mp_storeb(m
, d
->buf
, n
);
79 d
->len
+= n
; mp_drop(m
);
83 static const char *rsa_lengthcheck(mp
*n
)
85 if (mp_bits(n
) < 1024) return ("key too short");
89 static const char *rsap1_sigcheck(sig
*s
)
91 rsap1_sigctx
*rs
= (rsap1_sigctx
*)s
;
93 if ((e
= rsa_lengthcheck(rs
->rp
.rp
->n
)) != 0) return (e
);
97 static void rsap1_sigdestroy(sig
*s
)
99 rsap1_sigctx
*rs
= (rsap1_sigctx
*)s
;
100 rsa_privdestroy(&rs
->rp
);
104 static const sigops rsap1_sig
= {
105 rsa_privfetch
, sizeof(rsa_priv
),
106 rsap1_siginit
, rsap1_sigdoit
, rsap1_sigcheck
, rsap1_sigdestroy
109 typedef struct rsap1_vrfctx
{
115 static sig
*rsap1_vrfinit(key
*k
, void *kd
, const gchash
*hc
)
117 rsap1_vrfctx
*rv
= CREATE(rsap1_vrfctx
);
118 rsa_pubcreate(&rv
->rp
, kd
);
119 rv
->p1
.r
= &rand_global
;
120 rv
->p1
.ep
= hc
->name
;
121 rv
->p1
.epsz
= strlen(hc
->name
) + 1;
126 static int rsap1_vrfdoit(sig
*s
, dstr
*d
)
128 rsap1_vrfctx
*rv
= (rsap1_vrfctx
*)s
;
129 mp
*m
= mp_loadb(MP_NEW
, d
->buf
, d
->len
);
130 int rc
= rsa_verify(&rv
->rp
, m
,
131 GH_DONE(s
->h
, 0), GH_CLASS(s
->h
)->hashsz
,
132 0, pkcs1_sigdecode
, &rv
->p1
);
137 static const char *rsap1_vrfcheck(sig
*s
)
139 rsap1_vrfctx
*rv
= (rsap1_vrfctx
*)s
;
141 if ((e
= rsa_lengthcheck(rv
->rp
.rp
->n
)) != 0) return (e
);
145 static void rsap1_vrfdestroy(sig
*s
)
147 rsap1_vrfctx
*rv
= (rsap1_vrfctx
*)s
;
148 rsa_pubdestroy(&rv
->rp
);
152 static const sigops rsap1_vrf
= {
153 rsa_pubfetch
, sizeof(rsa_pub
),
154 rsap1_vrfinit
, rsap1_vrfdoit
, rsap1_vrfcheck
, rsap1_vrfdestroy
157 /* --- RSA PSS --- */
159 static const gccipher
*getmgf(key
*k
, const gchash
*hc
)
165 if ((mm
= key_getattr(0, k
, "mgf")) == 0) {
166 dstr_putf(&d
, "%s-mgf", hc
->name
);
169 if ((gc
= gcipher_byname(mm
)) == 0)
170 die(EXIT_FAILURE
, "unknown encryption scheme `%s'", mm
);
175 typedef struct rsapss_sigctx
{
181 static sig
*rsapss_siginit(key
*k
, void *kd
, const gchash
*hc
)
183 rsapss_sigctx
*rs
= CREATE(rsapss_sigctx
);
184 rsa_privcreate(&rs
->rp
, kd
, &rand_global
);
185 rs
->p
.r
= &rand_global
;
186 rs
->p
.cc
= getmgf(k
, hc
);
188 rs
->p
.ssz
= hc
->hashsz
;
189 rsa_privdestroy(&rs
->rp
);
193 static int rsapss_sigdoit(sig
*s
, dstr
*d
)
195 rsapss_sigctx
*rs
= (rsapss_sigctx
*)s
;
197 mp
*m
= rsa_sign(&rs
->rp
, MP_NEW
,
198 GH_DONE(s
->h
, 0), GH_CLASS(s
->h
)->hashsz
,
201 n
= mp_octets(rs
->rp
.rp
->n
); dstr_ensure(d
, n
); mp_storeb(m
, d
->buf
, n
);
202 d
->len
+= n
; mp_drop(m
);
206 static const char *rsapss_sigcheck(sig
*s
)
208 rsapss_sigctx
*rs
= (rsapss_sigctx
*)s
;
210 if ((e
= rsa_lengthcheck(rs
->rp
.rp
->n
)) != 0) return (e
);
214 static void rsapss_sigdestroy(sig
*s
)
216 rsapss_sigctx
*rs
= (rsapss_sigctx
*)s
;
217 rsa_privdestroy(&rs
->rp
);
221 static const sigops rsapss_sig
= {
222 rsa_privfetch
, sizeof(rsa_priv
),
223 rsapss_siginit
, rsapss_sigdoit
, rsapss_sigcheck
, rsapss_sigdestroy
226 typedef struct rsapss_vrfctx
{
232 static sig
*rsapss_vrfinit(key
*k
, void *kd
, const gchash
*hc
)
234 rsapss_vrfctx
*rv
= CREATE(rsapss_vrfctx
);
235 rsa_pubcreate(&rv
->rp
, kd
);
236 rv
->p
.r
= &rand_global
;
237 rv
->p
.cc
= getmgf(k
, hc
);
239 rv
->p
.ssz
= hc
->hashsz
;
243 static int rsapss_vrfdoit(sig
*s
, dstr
*d
)
245 rsapss_vrfctx
*rv
= (rsapss_vrfctx
*)s
;
246 mp
*m
= mp_loadb(MP_NEW
, d
->buf
, d
->len
);
247 int rc
= rsa_verify(&rv
->rp
, m
,
248 GH_DONE(s
->h
, 0), GH_CLASS(s
->h
)->hashsz
,
249 0, pss_decode
, &rv
->p
);
254 static const char *rsapss_vrfcheck(sig
*s
)
256 rsapss_vrfctx
*rv
= (rsapss_vrfctx
*)s
;
258 if ((e
= rsa_lengthcheck(rv
->rp
.rp
->n
)) != 0) return (e
);
262 static void rsapss_vrfdestroy(sig
*s
)
264 rsapss_vrfctx
*rv
= (rsapss_vrfctx
*)s
;
265 rsa_pubdestroy(&rv
->rp
);
269 static const sigops rsapss_vrf
= {
270 rsa_pubfetch
, sizeof(rsa_pub
),
271 rsapss_vrfinit
, rsapss_vrfdoit
, rsapss_vrfcheck
, rsapss_vrfdestroy
274 /* --- DSA and ECDSA --- */
276 typedef struct dsa_sigctx
{
281 static void dsa_initcommon(dsa_sigctx
*ds
, const gchash
*hc
,
284 ds
->g
.r
= &rand_global
;
290 static dsa_sigctx
*dsa_doinit(key
*k
, const gprime_param
*gp
,
291 mp
*y
, const gchash
*hc
,
292 group
*(*makegroup
)(const gprime_param
*),
295 dsa_sigctx
*ds
= CREATE(dsa_sigctx
);
299 if ((ds
->g
.g
= makegroup(gp
)) == 0)
300 die(EXIT_FAILURE
, "bad %s group in key `%s'", what
, t
.buf
);
301 ds
->g
.p
= G_CREATE(ds
->g
.g
);
302 if (G_FROMINT(ds
->g
.g
, ds
->g
.p
, y
))
303 die(EXIT_FAILURE
, "bad public key in key `%s'", t
.buf
);
304 dsa_initcommon(ds
, hc
, t
.buf
);
309 static dsa_sigctx
*ecdsa_doinit(key
*k
, const char *cstr
,
310 ec
*y
, const gchash
*hc
)
312 dsa_sigctx
*ds
= CREATE(dsa_sigctx
);
318 if ((e
= ec_getinfo(&ei
, cstr
)) != 0)
319 die(EXIT_FAILURE
, "bad curve in key `%s': %s", t
.buf
, e
);
320 ds
->g
.g
= group_ec(&ei
);
321 ds
->g
.p
= G_CREATE(ds
->g
.g
);
322 if (G_FROMEC(ds
->g
.g
, ds
->g
.p
, y
))
323 die(EXIT_FAILURE
, "bad public key in key `%s'", t
.buf
);
324 dsa_initcommon(ds
, hc
, t
.buf
);
329 static sig
*dsa_siginit(key
*k
, void *kd
, const gchash
*hc
)
332 dsa_sigctx
*ds
= dsa_doinit(k
, &dp
->dp
, dp
->y
, hc
, group_prime
, "prime");
333 ds
->g
.u
= MP_COPY(dp
->x
);
337 static sig
*bindsa_siginit(key
*k
, void *kd
, const gchash
*hc
)
340 dsa_sigctx
*ds
= dsa_doinit(k
, &dp
->dp
, dp
->y
, hc
, group_binary
, "binary");
341 ds
->g
.u
= MP_COPY(dp
->x
);
345 static sig
*ecdsa_siginit(key
*k
, void *kd
, const gchash
*hc
)
348 dsa_sigctx
*ds
= ecdsa_doinit(k
, ep
->cstr
, &ep
->p
, hc
);
349 ds
->g
.u
= MP_COPY(ep
->x
);
353 static int dsa_sigdoit(sig
*s
, dstr
*d
)
355 dsa_sigctx
*ds
= (dsa_sigctx
*)s
;
356 gdsa_sig ss
= GDSA_SIG_INIT
;
357 size_t n
= mp_octets(ds
->g
.g
->r
);
359 gdsa_sign(&ds
->g
, &ss
, GH_DONE(ds
->s
.h
, 0), 0);
360 dstr_ensure(d
, 2 * n
);
361 mp_storeb(ss
.r
, d
->buf
, n
);
362 mp_storeb(ss
.s
, d
->buf
+ n
, n
);
364 mp_drop(ss
.r
); mp_drop(ss
.s
);
368 static const char *dsa_sigcheck(sig
*s
)
370 dsa_sigctx
*ds
= (dsa_sigctx
*)s
;
372 if ((e
= G_CHECK(ds
->g
.g
, &rand_global
)) != 0)
374 if (group_check(ds
->g
.g
, ds
->g
.p
))
375 return ("public key not in subgroup");
379 static void dsa_sigdestroy(sig
*s
)
381 dsa_sigctx
*ds
= (dsa_sigctx
*)s
;
382 G_DESTROY(ds
->g
.g
, ds
->g
.p
);
384 G_DESTROYGROUP(ds
->g
.g
);
387 static const sigops dsa_sig
= {
388 dh_privfetch
, sizeof(dh_priv
),
389 dsa_siginit
, dsa_sigdoit
, dsa_sigcheck
, dsa_sigdestroy
392 static const sigops bindsa_sig
= {
393 dh_privfetch
, sizeof(dh_priv
),
394 bindsa_siginit
, dsa_sigdoit
, dsa_sigcheck
, dsa_sigdestroy
397 static const sigops ecdsa_sig
= {
398 ec_privfetch
, sizeof(ec_priv
),
399 ecdsa_siginit
, dsa_sigdoit
, dsa_sigcheck
, dsa_sigdestroy
402 static sig
*dsa_vrfinit(key
*k
, void *kd
, const gchash
*hc
)
405 dsa_sigctx
*ds
= dsa_doinit(k
, &dp
->dp
, dp
->y
, hc
, group_prime
, "prime");
409 static sig
*bindsa_vrfinit(key
*k
, void *kd
, const gchash
*hc
)
412 dsa_sigctx
*ds
= dsa_doinit(k
, &dp
->dp
, dp
->y
, hc
, group_binary
, "binary");
416 static sig
*ecdsa_vrfinit(key
*k
, void *kd
, const gchash
*hc
)
419 dsa_sigctx
*ds
= ecdsa_doinit(k
, ep
->cstr
, &ep
->p
, hc
);
423 static int dsa_vrfdoit(sig
*s
, dstr
*d
)
425 dsa_sigctx
*ds
= (dsa_sigctx
*)s
;
430 ss
.r
= mp_loadb(MP_NEW
, d
->buf
, n
);
431 ss
.s
= mp_loadb(MP_NEW
, d
->buf
+ n
, d
->len
- n
);
432 rc
= gdsa_verify(&ds
->g
, &ss
, GH_DONE(ds
->s
.h
, 0));
433 mp_drop(ss
.r
); mp_drop(ss
.s
);
437 static const sigops dsa_vrf
= {
438 dh_pubfetch
, sizeof(dh_pub
),
439 dsa_vrfinit
, dsa_vrfdoit
, dsa_sigcheck
, dsa_sigdestroy
442 static const sigops bindsa_vrf
= {
443 dh_pubfetch
, sizeof(dh_pub
),
444 bindsa_vrfinit
, dsa_vrfdoit
, dsa_sigcheck
, dsa_sigdestroy
447 static const sigops ecdsa_vrf
= {
448 ec_pubfetch
, sizeof(ec_pub
),
449 ecdsa_vrfinit
, dsa_vrfdoit
, dsa_sigcheck
, dsa_sigdestroy
452 /* --- KCDSA and ECKCDSA --- */
454 static void kcdsa_privkey(dsa_sigctx
*ds
, mp
*x
)
455 { ds
->g
.u
= mp_modinv(MP_NEW
, x
, ds
->g
.g
->r
); }
457 static void kcdsa_sethash(dsa_sigctx
*ds
, const gchash
*hc
)
458 { ds
->s
.h
= gkcdsa_beginhash(&ds
->g
); }
460 static sig
*kcdsa_siginit(key
*k
, void *kd
, const gchash
*hc
)
463 dsa_sigctx
*ds
= dsa_doinit(k
, &dp
->dp
, dp
->y
, hc
, group_prime
, "prime");
464 kcdsa_privkey(ds
, dp
->x
);
465 kcdsa_sethash(ds
, hc
);
469 static sig
*binkcdsa_siginit(key
*k
, void *kd
, const gchash
*hc
)
472 dsa_sigctx
*ds
= dsa_doinit(k
, &dp
->dp
, dp
->y
, hc
, group_binary
, "binary");
473 kcdsa_privkey(ds
, dp
->x
);
474 kcdsa_sethash(ds
, hc
);
478 static sig
*eckcdsa_siginit(key
*k
, void *kd
, const gchash
*hc
)
481 dsa_sigctx
*ds
= ecdsa_doinit(k
, ep
->cstr
, &ep
->p
, hc
);
482 kcdsa_privkey(ds
, ep
->x
);
483 kcdsa_sethash(ds
, hc
);
487 static int kcdsa_sigdoit(sig
*s
, dstr
*d
)
489 dsa_sigctx
*ds
= (dsa_sigctx
*)s
;
490 gkcdsa_sig ss
= GKCDSA_SIG_INIT
;
491 size_t hsz
= ds
->g
.h
->hashsz
, n
= mp_octets(ds
->g
.g
->r
);
493 gkcdsa_sign(&ds
->g
, &ss
, GH_DONE(ds
->s
.h
, 0), 0);
494 dstr_ensure(d
, hsz
+ n
);
495 memcpy(d
->buf
, ss
.r
, hsz
);
496 mp_storeb(ss
.s
, d
->buf
+ hsz
, n
);
498 xfree(ss
.r
); mp_drop(ss
.s
);
502 static const sigops kcdsa_sig
= {
503 dh_privfetch
, sizeof(dh_priv
),
504 kcdsa_siginit
, kcdsa_sigdoit
, dsa_sigcheck
, dsa_sigdestroy
507 static const sigops binkcdsa_sig
= {
508 dh_privfetch
, sizeof(dh_priv
),
509 binkcdsa_siginit
, kcdsa_sigdoit
, dsa_sigcheck
, dsa_sigdestroy
512 static const sigops eckcdsa_sig
= {
513 ec_privfetch
, sizeof(ec_priv
),
514 eckcdsa_siginit
, kcdsa_sigdoit
, dsa_sigcheck
, dsa_sigdestroy
517 static sig
*kcdsa_vrfinit(key
*k
, void *kd
, const gchash
*hc
)
520 dsa_sigctx
*ds
= dsa_doinit(k
, &dp
->dp
, dp
->y
, hc
, group_prime
, "prime");
521 kcdsa_sethash(ds
, hc
);
525 static sig
*binkcdsa_vrfinit(key
*k
, void *kd
, const gchash
*hc
)
528 dsa_sigctx
*ds
= dsa_doinit(k
, &dp
->dp
, dp
->y
, hc
, group_binary
, "binary");
529 kcdsa_sethash(ds
, hc
);
533 static sig
*eckcdsa_vrfinit(key
*k
, void *kd
, const gchash
*hc
)
536 dsa_sigctx
*ds
= ecdsa_doinit(k
, ep
->cstr
, &ep
->p
, hc
);
537 kcdsa_sethash(ds
, hc
);
541 static int kcdsa_vrfdoit(sig
*s
, dstr
*d
)
543 dsa_sigctx
*ds
= (dsa_sigctx
*)s
;
545 size_t hsz
= ds
->g
.h
->hashsz
, n
= d
->len
- hsz
;
550 ss
.r
= (octet
*)d
->buf
;
551 ss
.s
= mp_loadb(MP_NEW
, d
->buf
+ hsz
, n
);
552 rc
= gkcdsa_verify(&ds
->g
, &ss
, GH_DONE(ds
->s
.h
, 0));
557 static const sigops kcdsa_vrf
= {
558 dh_pubfetch
, sizeof(dh_pub
),
559 kcdsa_vrfinit
, kcdsa_vrfdoit
, dsa_sigcheck
, dsa_sigdestroy
562 static const sigops binkcdsa_vrf
= {
563 dh_pubfetch
, sizeof(dh_pub
),
564 binkcdsa_vrfinit
, kcdsa_vrfdoit
, dsa_sigcheck
, dsa_sigdestroy
567 static const sigops eckcdsa_vrf
= {
568 ec_pubfetch
, sizeof(ec_pub
),
569 eckcdsa_vrfinit
, kcdsa_vrfdoit
, dsa_sigcheck
, dsa_sigdestroy
572 /* --- The switch table --- */
574 const struct sigtab sigtab
[] = {
575 { "rsapkcs1", &rsap1_sig
, &rsap1_vrf
, &sha
},
576 { "rsapss", &rsapss_sig
, &rsapss_vrf
, &sha
},
577 { "dsa", &dsa_sig
, &dsa_vrf
, &sha
},
578 { "bindsa", &bindsa_sig
, &bindsa_vrf
, &sha
},
579 { "ecdsa", &ecdsa_sig
, &ecdsa_vrf
, &sha
},
580 { "kcdsa", &kcdsa_sig
, &kcdsa_vrf
, &has160
},
581 { "binkcdsa", &binkcdsa_sig
, &binkcdsa_vrf
, &has160
},
582 { "eckcdsa", &eckcdsa_sig
, &eckcdsa_vrf
, &has160
},
586 /* --- @getsig@ --- *
588 * Arguments: @key *k@ = the key to load
589 * @const char *app@ = application name
590 * @int wantpriv@ = nonzero if we want to sign
592 * Returns: A signature-making thing.
594 * Use: Loads a key and starts hashing.
597 sig
*getsig(key
*k
, const char *app
, int wantpriv
)
599 const char *salg
, *halg
= 0;
606 const struct sigtab
*st
;
613 /* --- Setup stuff --- */
617 /* --- Get the signature algorithm --- *
619 * Take the attribute if it's there; otherwise use the key type.
623 if ((q
= key_getattr(0, k
, "sig")) != 0) {
626 } else if (strncmp(k
->type
, app
, n
) == 0 && k
->type
[n
] == '-') {
627 dstr_puts(&d
, k
->type
);
630 die(EXIT_FAILURE
, "no signature algorithm for key `%s'", t
.buf
);
632 /* --- Grab the hash algorithm --- *
634 * Grab it from the signature algorithm if it's there. But override that
635 * from the attribute.
639 if ((p
= strchr(p
, '/')) != 0) {
643 if ((q
= key_getattr(0, k
, "hash")) != 0)
646 /* --- Look up the algorithms in the table --- */
648 for (st
= sigtab
; st
->name
; st
++) {
649 if (strcmp(st
->name
, salg
) == 0)
652 die(EXIT_FAILURE
, "signature algorithm `%s' not found in key `%s'",
658 if ((ch
= ghash_byname(halg
)) == 0) {
659 die(EXIT_FAILURE
, "hash algorithm `%s' not found in key `%s'",
663 so
= wantpriv ? st
->signops
: st
->verifyops
;
665 /* --- Load the key --- */
667 kd
= xmalloc(so
->kdsz
);
668 kp
= key_fetchinit(so
->kf
, 0, kd
);
669 if ((e
= key_fetch(kp
, k
)) != 0)
670 die(EXIT_FAILURE
, "error fetching key `%s': %s", t
.buf
, key_strerror(e
));
671 s
= so
->init(k
, kd
, ch
);
678 /* --- Free stuff up --- */
685 /* --- @freesig@ --- *
687 * Arguments: @sig *s@ = signature-making thing
691 * Use: Frees up a signature-making thing
697 key_fetchdone(s
->kp
);
702 /*----- That's all, folks -------------------------------------------------*/