2 This file is part of GNUnet
3 Copyright (C) 2014,2016,2019 GNUnet e.V.
5 GNUnet is free software: you can redistribute it and/or modify it
6 under the terms of the GNU Affero General Public License as published
7 by the Free Software Foundation, either version 3 of the License,
8 or (at your option) any later version.
10 GNUnet is distributed in the hope that it will be useful, but
11 WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 Affero General Public License for more details.
15 You should have received a copy of the GNU Affero General Public License
16 along with this program. If not, see <http://www.gnu.org/licenses/>.
18 SPDX-License-Identifier: AGPL3.0-or-later
22 * @file util/crypto_rsa.c
23 * @brief Chaum-style Blind signatures based on RSA
24 * @author Sree Harsha Totakura <sreeharsha@totakura.in>
25 * @author Christian Grothoff
26 * @author Jeffrey Burdges <burdges@gnunet.org>
30 #include "gnunet_crypto_lib.h"
31 #include "benchmark.h"
33 #define LOG(kind, ...) GNUNET_log_from (kind, "util-crypto-rsa", __VA_ARGS__)
37 * The private information of an RSA key pair.
39 struct GNUNET_CRYPTO_RsaPrivateKey
42 * Libgcrypt S-expression for the RSA private key.
49 * The public information of an RSA key pair.
51 struct GNUNET_CRYPTO_RsaPublicKey
54 * Libgcrypt S-expression for the RSA public key.
61 * @brief an RSA signature
63 struct GNUNET_CRYPTO_RsaSignature
66 * Libgcrypt S-expression for the RSA signature.
73 * @brief RSA blinding key
78 * Random value used for blinding.
85 * Extract values from an S-expression.
87 * @param array where to store the result(s)
88 * @param sexp S-expression to parse
89 * @param topname top-level name in the S-expression that is of interest
90 * @param elems names of the elements to extract
91 * @return 0 on success
94 key_from_sexp (gcry_mpi_t *array,
104 if (! (list = gcry_sexp_find_token (sexp, topname, 0)))
106 l2 = gcry_sexp_cadr (list);
107 gcry_sexp_release (list);
112 for (s = elems; *s; s++, idx++)
114 if (! (l2 = gcry_sexp_find_token (list, s, 1)))
116 for (unsigned int i = 0; i < idx; i++)
118 gcry_free (array[i]);
121 gcry_sexp_release (list);
122 return 3; /* required parameter not found */
124 array[idx] = gcry_sexp_nth_mpi (l2, 1, GCRYMPI_FMT_USG);
125 gcry_sexp_release (l2);
128 for (unsigned int i = 0; i < idx; i++)
130 gcry_free (array[i]);
133 gcry_sexp_release (list);
134 return 4; /* required parameter is invalid */
137 gcry_sexp_release (list);
143 * Create a new private key. Caller must free return value.
145 * @param len length of the key in bits (i.e. 2048)
146 * @return fresh private key
148 struct GNUNET_CRYPTO_RsaPrivateKey *
149 GNUNET_CRYPTO_rsa_private_key_create (unsigned int len)
151 struct GNUNET_CRYPTO_RsaPrivateKey *ret;
153 gcry_sexp_t s_keyparam;
155 BENCHMARK_START (rsa_private_key_create);
158 gcry_sexp_build (&s_keyparam,
160 "(genkey(rsa(nbits %d)))",
163 gcry_pk_genkey (&s_key,
165 gcry_sexp_release (s_keyparam);
168 gcry_pk_testkey (s_key));
170 ret = GNUNET_new (struct GNUNET_CRYPTO_RsaPrivateKey);
172 BENCHMARK_END (rsa_private_key_create);
178 * Free memory occupied by the private key.
180 * @param key pointer to the memory to free
183 GNUNET_CRYPTO_rsa_private_key_free (struct GNUNET_CRYPTO_RsaPrivateKey *key)
185 gcry_sexp_release (key->sexp);
191 * Encode the private key in a format suitable for
192 * storing it into a file.
194 * @param key the private key
195 * @param[out] buffer set to a buffer with the encoded key
196 * @return size of memory allocated in @a buffer
199 GNUNET_CRYPTO_rsa_private_key_encode (const struct
200 GNUNET_CRYPTO_RsaPrivateKey *key,
206 n = gcry_sexp_sprint (key->sexp,
207 GCRYSEXP_FMT_DEFAULT,
210 b = GNUNET_malloc (n);
211 GNUNET_assert ((n - 1) == /* since the last byte is \0 */
212 gcry_sexp_sprint (key->sexp,
213 GCRYSEXP_FMT_DEFAULT,
222 * Decode the private key from the data-format back
223 * to the "normal", internal format.
225 * @param buf the buffer where the private key data is stored
226 * @param buf_size the size of the data in @a buf
227 * @return NULL on error
229 struct GNUNET_CRYPTO_RsaPrivateKey *
230 GNUNET_CRYPTO_rsa_private_key_decode (const void *buf,
233 struct GNUNET_CRYPTO_RsaPrivateKey *key;
235 key = GNUNET_new (struct GNUNET_CRYPTO_RsaPrivateKey);
237 gcry_sexp_new (&key->sexp,
242 LOG (GNUNET_ERROR_TYPE_WARNING,
243 "Decoded private key is not valid\n");
247 if (0 != gcry_pk_testkey (key->sexp))
249 LOG (GNUNET_ERROR_TYPE_WARNING,
250 "Decoded private key is not valid\n");
251 GNUNET_CRYPTO_rsa_private_key_free (key);
259 * Extract the public key of the given private key.
261 * @param priv the private key
262 * @retur NULL on error, otherwise the public key
264 struct GNUNET_CRYPTO_RsaPublicKey *
265 GNUNET_CRYPTO_rsa_private_key_get_public (const struct
266 GNUNET_CRYPTO_RsaPrivateKey *priv)
268 struct GNUNET_CRYPTO_RsaPublicKey *pub;
273 BENCHMARK_START (rsa_private_key_get_public);
275 rc = key_from_sexp (ne, priv->sexp, "public-key", "ne");
277 rc = key_from_sexp (ne, priv->sexp, "private-key", "ne");
279 rc = key_from_sexp (ne, priv->sexp, "rsa", "ne");
285 rc = gcry_sexp_build (&result,
287 "(public-key(rsa(n %m)(e %m)))",
290 gcry_mpi_release (ne[0]);
291 gcry_mpi_release (ne[1]);
292 pub = GNUNET_new (struct GNUNET_CRYPTO_RsaPublicKey);
294 BENCHMARK_END (rsa_private_key_get_public);
300 * Free memory occupied by the public key.
302 * @param key pointer to the memory to free
305 GNUNET_CRYPTO_rsa_public_key_free (struct GNUNET_CRYPTO_RsaPublicKey *key)
307 gcry_sexp_release (key->sexp);
312 GNUNET_NETWORK_STRUCT_BEGIN
315 * Format of the header of a serialized RSA public key.
317 struct GNUNET_CRYPTO_RsaPublicKeyHeaderP
320 * length of modulus 'n' in bytes, in NBO
322 uint16_t modulus_length GNUNET_PACKED;
325 * length of exponent in bytes, in NBO
327 uint16_t public_exponent_length GNUNET_PACKED;
329 /* followed by variable-size modulus and
330 public exponent follows as big-endian encoded
334 GNUNET_NETWORK_STRUCT_END
338 * Encode the public key in a format suitable for
339 * storing it into a file.
341 * @param key the private key
342 * @param[out] buffer set to a buffer with the encoded key
343 * @return size of memory allocated in @a buffer
346 GNUNET_CRYPTO_rsa_public_key_encode (
347 const struct GNUNET_CRYPTO_RsaPublicKey *key,
356 struct GNUNET_CRYPTO_RsaPublicKeyHeaderP hdr;
359 ret = key_from_sexp (ne, key->sexp, "public-key", "ne");
361 ret = key_from_sexp (ne, key->sexp, "rsa", "ne");
368 gcry_mpi_print (GCRYMPI_FMT_USG,
373 gcry_mpi_print (GCRYMPI_FMT_USG,
378 if ( (e_size > UINT16_MAX) ||
379 (n_size > UINT16_MAX) )
383 gcry_mpi_release (ne[0]);
384 gcry_mpi_release (ne[1]);
387 buf_size = n_size + e_size + sizeof (hdr);
388 buf = GNUNET_malloc (buf_size);
389 hdr.modulus_length = htons ((uint16_t) n_size);
390 hdr.public_exponent_length = htons ((uint16_t) e_size);
391 memcpy (buf, &hdr, sizeof (hdr));
393 gcry_mpi_print (GCRYMPI_FMT_USG,
394 (unsigned char *) &buf[sizeof (hdr)],
400 gcry_mpi_print (GCRYMPI_FMT_USG,
401 (unsigned char *) &buf[sizeof (hdr) + n_size],
406 gcry_mpi_release (ne[0]);
407 gcry_mpi_release (ne[1]);
413 * Compute hash over the public key.
415 * @param key public key to hash
416 * @param hc where to store the hash code
419 GNUNET_CRYPTO_rsa_public_key_hash (const struct GNUNET_CRYPTO_RsaPublicKey *key,
420 struct GNUNET_HashCode *hc)
425 buf_size = GNUNET_CRYPTO_rsa_public_key_encode (key,
427 GNUNET_CRYPTO_hash (buf,
435 * Decode the public key from the data-format back
436 * to the "normal", internal format.
438 * @param buf the buffer where the public key data is stored
439 * @param len the length of the data in @a buf
440 * @return NULL on error
442 struct GNUNET_CRYPTO_RsaPublicKey *
443 GNUNET_CRYPTO_rsa_public_key_decode (const char *buf,
446 struct GNUNET_CRYPTO_RsaPublicKey *key;
447 struct GNUNET_CRYPTO_RsaPublicKeyHeaderP hdr;
454 if (len < sizeof (hdr))
459 memcpy (&hdr, buf, sizeof (hdr));
460 n_size = ntohs (hdr.modulus_length);
461 e_size = ntohs (hdr.public_exponent_length);
462 if (len != sizeof (hdr) + e_size + n_size)
480 &buf[sizeof (hdr) + n_size],
485 gcry_mpi_release (n);
490 gcry_sexp_build (&data,
492 "(public-key(rsa(n %m)(e %m)))",
497 gcry_mpi_release (n);
498 gcry_mpi_release (e);
501 gcry_mpi_release (n);
502 gcry_mpi_release (e);
503 key = GNUNET_new (struct GNUNET_CRYPTO_RsaPublicKey);
510 * Test for malicious RSA key.
512 * Assuming n is an RSA modulous and r is generated using a call to
513 * GNUNET_CRYPTO_kdf_mod_mpi, if gcd(r,n) != 1 then n must be a
514 * malicious RSA key designed to deanomize the user.
516 * @param r KDF result
517 * @param n RSA modulus
518 * @return True if gcd(r,n) = 1, False means RSA key is malicious
521 rsa_gcd_validate (gcry_mpi_t r, gcry_mpi_t n)
526 g = gcry_mpi_new (0);
527 t = gcry_mpi_gcd (g, r, n);
528 gcry_mpi_release (g);
534 * Create a blinding key
536 * @param len length of the key in bits (i.e. 2048)
537 * @param bks pre-secret to use to derive the blinding key
538 * @return the newly created blinding key, NULL if RSA key is malicious
540 static struct RsaBlindingKey *
541 rsa_blinding_key_derive (const struct GNUNET_CRYPTO_RsaPublicKey *pkey,
542 const struct GNUNET_CRYPTO_RsaBlindingKeySecret *bks)
544 char *xts = "Blinding KDF extrator HMAC key"; /* Trusts bks' randomness more */
545 struct RsaBlindingKey *blind;
548 blind = GNUNET_new (struct RsaBlindingKey);
549 GNUNET_assert (NULL != blind);
551 /* Extract the composite n from the RSA public key */
552 GNUNET_assert (0 == key_from_sexp (&n, pkey->sexp, "rsa", "n"));
553 /* Assert that it at least looks like an RSA key */
554 GNUNET_assert (0 == gcry_mpi_get_flag (n, GCRYMPI_FLAG_OPAQUE));
556 GNUNET_CRYPTO_kdf_mod_mpi (&blind->r,
561 if (0 == rsa_gcd_validate (blind->r, n))
567 gcry_mpi_release (n);
573 We originally added GNUNET_CRYPTO_kdf_mod_mpi for the benifit of the
576 There was previously a call to GNUNET_CRYPTO_kdf in
577 bkey = rsa_blinding_key_derive (len, bks);
578 that gives exactly len bits where
579 len = GNUNET_CRYPTO_rsa_public_key_len (pkey);
581 Now r = 2^(len-1)/pkey.n is the probability that a set high bit being
582 okay, meaning bkey < pkey.n. It follows that (1-r)/2 of the time bkey >
583 pkey.n making the effective bkey be
584 bkey mod pkey.n = bkey - pkey.n
585 so the effective bkey has its high bit set with probability r/2.
587 We expect r to be close to 1/2 if the exchange is honest, but the
588 exchange can choose r otherwise.
590 In blind signing, the exchange sees
591 B = bkey * S mod pkey.n
592 On deposit, the exchange sees S so they can compute bkey' = B/S mod
593 pkey.n for all B they recorded to see if bkey' has it's high bit set.
594 Also, note the exchange can compute 1/S efficiently since they know the
597 I suppose that happens with probability r/(1+r) if its the wrong B, not
598 completely sure. If otoh we've the right B, then we've the probability
599 r/2 of a set high bit in the effective bkey.
601 Interestingly, r^2-r has a maximum at the default r=1/2 anyways, giving
602 the wrong and right probabilities 1/3 and 1/4, respectively.
604 I feared this gives the exchange a meaningful fraction of a bit of
605 information per coin involved in the transaction. It sounds damaging if
606 numerous coins were involved. And it could run across transactions in
609 We fixed this by using a more uniform deterministic pseudo-random number
610 generator for blinding factors. I do not believe this to be a problem
611 for the rsa_full_domain_hash routine, but better safe than sorry.
616 * Compare the values of two signatures.
618 * @param s1 one signature
619 * @param s2 the other signature
620 * @return 0 if the two are equal
623 GNUNET_CRYPTO_rsa_signature_cmp (struct GNUNET_CRYPTO_RsaSignature *s1,
624 struct GNUNET_CRYPTO_RsaSignature *s2)
632 z1 = GNUNET_CRYPTO_rsa_signature_encode (s1,
634 z2 = GNUNET_CRYPTO_rsa_signature_encode (s2,
649 * Compare the values of two public keys.
651 * @param p1 one public key
652 * @param p2 the other public key
653 * @return 0 if the two are equal
656 GNUNET_CRYPTO_rsa_public_key_cmp (struct GNUNET_CRYPTO_RsaPublicKey *p1,
657 struct GNUNET_CRYPTO_RsaPublicKey *p2)
665 z1 = GNUNET_CRYPTO_rsa_public_key_encode (p1,
667 z2 = GNUNET_CRYPTO_rsa_public_key_encode (p2,
682 * Compare the values of two private keys.
684 * @param p1 one private key
685 * @param p2 the other private key
686 * @return 0 if the two are equal
689 GNUNET_CRYPTO_rsa_private_key_cmp (struct GNUNET_CRYPTO_RsaPrivateKey *p1,
690 struct GNUNET_CRYPTO_RsaPrivateKey *p2)
698 z1 = GNUNET_CRYPTO_rsa_private_key_encode (p1,
700 z2 = GNUNET_CRYPTO_rsa_private_key_encode (p2,
715 * Obtain the length of the RSA key in bits.
717 * @param key the public key to introspect
718 * @return length of the key in bits
721 GNUNET_CRYPTO_rsa_public_key_len (const struct GNUNET_CRYPTO_RsaPublicKey *key)
726 if (0 != key_from_sexp (&n, key->sexp, "rsa", "n"))
727 { /* Not an RSA public key */
731 rval = gcry_mpi_get_nbits (n);
732 gcry_mpi_release (n);
738 * Destroy a blinding key
740 * @param bkey the blinding key to destroy
743 rsa_blinding_key_free (struct RsaBlindingKey *bkey)
745 gcry_mpi_release (bkey->r);
751 * Print an MPI to a newly created buffer
753 * @param v MPI to print.
754 * @param[out] newly allocated buffer containing the result
755 * @return number of bytes stored in @a buffer
758 numeric_mpi_alloc_n_print (gcry_mpi_t v,
765 gcry_mpi_print (GCRYMPI_FMT_USG,
770 b = GNUNET_malloc (n);
772 gcry_mpi_print (GCRYMPI_FMT_USG,
783 * Computes a full domain hash seeded by the given public key.
784 * This gives a measure of provable security to the Taler exchange
785 * against one-more forgery attacks. See:
786 * https://eprint.iacr.org/2001/002.pdf
787 * http://www.di.ens.fr/~pointche/Documents/Papers/2001_fcA.pdf
789 * @param hash initial hash of the message to sign
790 * @param pkey the public key of the signer
791 * @param rsize If not NULL, the number of bytes actually stored in buffer
792 * @return MPI value set to the FDH, NULL if RSA key is malicious
795 rsa_full_domain_hash (const struct GNUNET_CRYPTO_RsaPublicKey *pkey,
796 const struct GNUNET_HashCode *hash)
803 /* Extract the composite n from the RSA public key */
804 GNUNET_assert (0 == key_from_sexp (&n, pkey->sexp, "rsa", "n"));
805 /* Assert that it at least looks like an RSA key */
806 GNUNET_assert (0 == gcry_mpi_get_flag (n, GCRYMPI_FLAG_OPAQUE));
808 /* We key with the public denomination key as a homage to RSA-PSS by *
809 * Mihir Bellare and Phillip Rogaway. Doing this lowers the degree *
810 * of the hypothetical polyomial-time attack on RSA-KTI created by a *
811 * polynomial-time one-more forgary attack. Yey seeding! */
812 xts_len = GNUNET_CRYPTO_rsa_public_key_encode (pkey, &xts);
814 GNUNET_CRYPTO_kdf_mod_mpi (&r,
821 ok = rsa_gcd_validate (r, n);
822 gcry_mpi_release (n);
825 gcry_mpi_release (r);
831 * Blinds the given message with the given blinding key
833 * @param hash hash of the message to sign
834 * @param bkey the blinding key
835 * @param pkey the public key of the signer
836 * @param[out] buf set to a buffer with the blinded message to be signed
837 * @param[out] buf_size number of bytes stored in @a buf
838 * @return #GNUNET_YES if successful, #GNUNET_NO if RSA key is malicious
841 GNUNET_CRYPTO_rsa_blind (const struct GNUNET_HashCode *hash,
842 const struct GNUNET_CRYPTO_RsaBlindingKeySecret *bks,
843 struct GNUNET_CRYPTO_RsaPublicKey *pkey,
847 struct RsaBlindingKey *bkey;
854 BENCHMARK_START (rsa_blind);
856 GNUNET_assert (buf != NULL);
857 GNUNET_assert (buf_size != NULL);
858 ret = key_from_sexp (ne, pkey->sexp, "public-key", "ne");
860 ret = key_from_sexp (ne, pkey->sexp, "rsa", "ne");
869 data = rsa_full_domain_hash (pkey, hash);
871 goto rsa_gcd_validate_failure;
873 bkey = rsa_blinding_key_derive (pkey, bks);
876 gcry_mpi_release (data);
877 goto rsa_gcd_validate_failure;
880 r_e = gcry_mpi_new (0);
885 data_r_e = gcry_mpi_new (0);
886 gcry_mpi_mulm (data_r_e,
890 gcry_mpi_release (data);
891 gcry_mpi_release (ne[0]);
892 gcry_mpi_release (ne[1]);
893 gcry_mpi_release (r_e);
894 rsa_blinding_key_free (bkey);
896 *buf_size = numeric_mpi_alloc_n_print (data_r_e,
898 gcry_mpi_release (data_r_e);
900 BENCHMARK_END (rsa_blind);
904 rsa_gcd_validate_failure:
905 /* We know the RSA key is malicious here, so warn the wallet. */
906 /* GNUNET_break_op (0); */
907 gcry_mpi_release (ne[0]);
908 gcry_mpi_release (ne[1]);
916 * Convert an MPI to an S-expression suitable for signature operations.
918 * @param value pointer to the data to convert
919 * @return converted s-expression
922 mpi_to_sexp (gcry_mpi_t value)
924 gcry_sexp_t data = NULL;
927 gcry_sexp_build (&data,
929 "(data (flags raw) (value %M))",
936 * Sign the given MPI.
938 * @param key private key to use for the signing
939 * @param value the MPI to sign
940 * @return NULL on error, signature on success
942 static struct GNUNET_CRYPTO_RsaSignature *
943 rsa_sign_mpi (const struct GNUNET_CRYPTO_RsaPrivateKey *key,
946 struct GNUNET_CRYPTO_RsaSignature *sig;
951 data = mpi_to_sexp (value);
954 (rc = gcry_pk_sign (&result,
958 LOG (GNUNET_ERROR_TYPE_WARNING,
959 _ ("RSA signing failed at %s:%d: %s\n"),
967 /* Lenstra protection was first added to libgcrypt 1.6.4
968 * with commit c17f84bd02d7ee93845e92e20f6ddba814961588.
970 #if GCRYPT_VERSION_NUMBER < 0x010604
971 /* verify signature (guards against Lenstra's attack with fault injection...) */
972 struct GNUNET_CRYPTO_RsaPublicKey *public_key =
973 GNUNET_CRYPTO_rsa_private_key_get_public (key);
975 gcry_pk_verify (result,
980 GNUNET_CRYPTO_rsa_public_key_free (public_key);
981 gcry_sexp_release (data);
982 gcry_sexp_release (result);
985 GNUNET_CRYPTO_rsa_public_key_free (public_key);
988 /* return signature */
989 gcry_sexp_release (data);
990 sig = GNUNET_new (struct GNUNET_CRYPTO_RsaSignature);
997 * Sign a blinded value, which must be a full domain hash of a message.
999 * @param key private key to use for the signing
1000 * @param msg the message to sign
1001 * @param msg_len number of bytes in @a msg to sign
1002 * @return NULL on error, signature on success
1004 struct GNUNET_CRYPTO_RsaSignature *
1005 GNUNET_CRYPTO_rsa_sign_blinded (const struct GNUNET_CRYPTO_RsaPrivateKey *key,
1009 gcry_mpi_t v = NULL;
1010 struct GNUNET_CRYPTO_RsaSignature *sig;
1012 BENCHMARK_START (rsa_sign_blinded);
1021 sig = rsa_sign_mpi (key, v);
1022 gcry_mpi_release (v);
1023 BENCHMARK_END (rsa_sign_blinded);
1029 * Create and sign a full domain hash of a message.
1031 * @param key private key to use for the signing
1032 * @param hash the hash of the message to sign
1033 * @return NULL on error, including a malicious RSA key, signature on success
1035 struct GNUNET_CRYPTO_RsaSignature *
1036 GNUNET_CRYPTO_rsa_sign_fdh (const struct GNUNET_CRYPTO_RsaPrivateKey *key,
1037 const struct GNUNET_HashCode *hash)
1039 struct GNUNET_CRYPTO_RsaPublicKey *pkey;
1040 gcry_mpi_t v = NULL;
1041 struct GNUNET_CRYPTO_RsaSignature *sig;
1043 pkey = GNUNET_CRYPTO_rsa_private_key_get_public (key);
1044 v = rsa_full_domain_hash (pkey, hash);
1045 GNUNET_CRYPTO_rsa_public_key_free (pkey);
1046 if (NULL == v) /* rsa_gcd_validate failed meaning */
1047 return NULL; /* our *own* RSA key is malicious. */
1049 sig = rsa_sign_mpi (key, v);
1050 gcry_mpi_release (v);
1056 * Free memory occupied by signature.
1058 * @param sig memory to freee
1061 GNUNET_CRYPTO_rsa_signature_free (struct GNUNET_CRYPTO_RsaSignature *sig)
1063 gcry_sexp_release (sig->sexp);
1069 * Encode the given signature in a format suitable for storing it into a file.
1071 * @param sig the signature
1072 * @param[out] buffer set to a buffer with the encoded key
1073 * @return size of memory allocated in @a buffer
1076 GNUNET_CRYPTO_rsa_signature_encode (
1077 const struct GNUNET_CRYPTO_RsaSignature *sig,
1086 ret = key_from_sexp (&s,
1091 ret = key_from_sexp (&s,
1095 GNUNET_assert (0 == ret);
1096 gcry_mpi_print (GCRYMPI_FMT_USG,
1101 buf = GNUNET_malloc (buf_size);
1103 gcry_mpi_print (GCRYMPI_FMT_USG,
1108 GNUNET_assert (rsize == buf_size);
1109 *buffer = (void *) buf;
1110 gcry_mpi_release (s);
1116 * Decode the signature from the data-format back to the "normal", internal
1119 * @param buf the buffer where the public key data is stored
1120 * @param buf_size the size of the data in @a buf
1121 * @return NULL on error
1123 struct GNUNET_CRYPTO_RsaSignature *
1124 GNUNET_CRYPTO_rsa_signature_decode (const void *buf,
1127 struct GNUNET_CRYPTO_RsaSignature *sig;
1138 GNUNET_break_op (0);
1143 gcry_sexp_build (&data,
1145 "(sig-val(rsa(s %M)))",
1149 gcry_mpi_release (s);
1152 gcry_mpi_release (s);
1153 sig = GNUNET_new (struct GNUNET_CRYPTO_RsaSignature);
1160 * Duplicate the given public key
1162 * @param key the public key to duplicate
1163 * @return the duplicate key; NULL upon error
1165 struct GNUNET_CRYPTO_RsaPublicKey *
1166 GNUNET_CRYPTO_rsa_public_key_dup (const struct GNUNET_CRYPTO_RsaPublicKey *key)
1168 struct GNUNET_CRYPTO_RsaPublicKey *dup;
1169 gcry_sexp_t dup_sexp;
1172 /* check if we really are exporting a public key */
1173 dup_sexp = gcry_sexp_find_token (key->sexp, "public-key", 0);
1174 GNUNET_assert (NULL != dup_sexp);
1175 gcry_sexp_release (dup_sexp);
1177 GNUNET_assert (0 == gcry_sexp_build (&dup_sexp, &erroff, "%S", key->sexp));
1178 dup = GNUNET_new (struct GNUNET_CRYPTO_RsaPublicKey);
1179 dup->sexp = dup_sexp;
1185 * Unblind a blind-signed signature. The signature should have been generated
1186 * with #GNUNET_CRYPTO_rsa_sign() using a hash that was blinded with
1187 * #GNUNET_CRYPTO_rsa_blind().
1189 * @param sig the signature made on the blinded signature purpose
1190 * @param bks the blinding key secret used to blind the signature purpose
1191 * @param pkey the public key of the signer
1192 * @return unblinded signature on success, NULL if RSA key is bad or malicious.
1194 struct GNUNET_CRYPTO_RsaSignature *
1195 GNUNET_CRYPTO_rsa_unblind (const struct GNUNET_CRYPTO_RsaSignature *sig,
1196 const struct GNUNET_CRYPTO_RsaBlindingKeySecret *bks,
1197 struct GNUNET_CRYPTO_RsaPublicKey *pkey)
1199 struct RsaBlindingKey *bkey;
1205 struct GNUNET_CRYPTO_RsaSignature *sret;
1207 BENCHMARK_START (rsa_unblind);
1209 ret = key_from_sexp (&n, pkey->sexp, "public-key", "n");
1211 ret = key_from_sexp (&n, pkey->sexp, "rsa", "n");
1214 GNUNET_break_op (0);
1217 ret = key_from_sexp (&s, sig->sexp, "sig-val", "s");
1219 ret = key_from_sexp (&s, sig->sexp, "rsa", "s");
1222 gcry_mpi_release (n);
1223 GNUNET_break_op (0);
1227 bkey = rsa_blinding_key_derive (pkey, bks);
1230 /* RSA key is malicious since rsa_gcd_validate failed here.
1231 * It should have failed during GNUNET_CRYPTO_rsa_blind too though,
1232 * so the exchange is being malicious in an unfamilair way, maybe
1233 * just trying to crash us. */
1234 GNUNET_break_op (0);
1235 gcry_mpi_release (n);
1236 gcry_mpi_release (s);
1240 r_inv = gcry_mpi_new (0);
1242 gcry_mpi_invm (r_inv,
1246 /* We cannot find r mod n, so gcd(r,n) != 1, which should get *
1247 * caught above, but we handle it the same here. */
1248 GNUNET_break_op (0);
1249 gcry_mpi_release (r_inv);
1250 rsa_blinding_key_free (bkey);
1251 gcry_mpi_release (n);
1252 gcry_mpi_release (s);
1256 ubsig = gcry_mpi_new (0);
1257 gcry_mpi_mulm (ubsig, s, r_inv, n);
1258 gcry_mpi_release (n);
1259 gcry_mpi_release (r_inv);
1260 gcry_mpi_release (s);
1261 rsa_blinding_key_free (bkey);
1263 sret = GNUNET_new (struct GNUNET_CRYPTO_RsaSignature);
1265 gcry_sexp_build (&sret->sexp,
1267 "(sig-val (rsa (s %M)))",
1269 gcry_mpi_release (ubsig);
1270 BENCHMARK_END (rsa_unblind);
1276 * Verify whether the given hash corresponds to the given signature and
1277 * the signature is valid with respect to the given public key.
1279 * @param hash hash of the message to verify to match the @a sig
1280 * @param sig signature that is being validated
1281 * @param pkey public key of the signer
1282 * @returns #GNUNET_YES if ok, #GNUNET_NO if RSA key is malicious, #GNUNET_SYSERR if signature is invalid
1285 GNUNET_CRYPTO_rsa_verify (const struct GNUNET_HashCode *hash,
1286 const struct GNUNET_CRYPTO_RsaSignature *sig,
1287 const struct GNUNET_CRYPTO_RsaPublicKey *pkey)
1293 BENCHMARK_START (rsa_verify);
1295 r = rsa_full_domain_hash (pkey, hash);
1298 GNUNET_break_op (0);
1299 /* RSA key is malicious since rsa_gcd_validate failed here.
1300 * It should have failed during GNUNET_CRYPTO_rsa_blind too though,
1301 * so the exchange is being malicious in an unfamilair way, maybe
1302 * just trying to crash us. Arguably, we've only an internal error
1303 * though because we should've detected this in our previous call
1304 * to GNUNET_CRYPTO_rsa_unblind. */return GNUNET_NO;
1307 data = mpi_to_sexp (r);
1308 gcry_mpi_release (r);
1310 rc = gcry_pk_verify (sig->sexp,
1313 gcry_sexp_release (data);
1316 LOG (GNUNET_ERROR_TYPE_WARNING,
1317 _ ("RSA signature verification failed at %s:%d: %s\n"),
1320 gcry_strerror (rc));
1321 return GNUNET_SYSERR;
1322 BENCHMARK_END (rsa_verify);
1324 BENCHMARK_END (rsa_verify);
1330 * Duplicate the given private key
1332 * @param key the private key to duplicate
1333 * @return the duplicate key; NULL upon error
1335 struct GNUNET_CRYPTO_RsaPrivateKey *
1336 GNUNET_CRYPTO_rsa_private_key_dup (const struct
1337 GNUNET_CRYPTO_RsaPrivateKey *key)
1339 struct GNUNET_CRYPTO_RsaPrivateKey *dup;
1340 gcry_sexp_t dup_sexp;
1343 /* check if we really are exporting a private key */
1344 dup_sexp = gcry_sexp_find_token (key->sexp, "private-key", 0);
1345 GNUNET_assert (NULL != dup_sexp);
1346 gcry_sexp_release (dup_sexp);
1348 GNUNET_assert (0 == gcry_sexp_build (&dup_sexp, &erroff, "%S", key->sexp));
1349 dup = GNUNET_new (struct GNUNET_CRYPTO_RsaPrivateKey);
1350 dup->sexp = dup_sexp;
1356 * Duplicate the given private key
1358 * @param key the private key to duplicate
1359 * @return the duplicate key; NULL upon error
1361 struct GNUNET_CRYPTO_RsaSignature *
1362 GNUNET_CRYPTO_rsa_signature_dup (const struct GNUNET_CRYPTO_RsaSignature *sig)
1364 struct GNUNET_CRYPTO_RsaSignature *dup;
1365 gcry_sexp_t dup_sexp;
1370 /* verify that this is an RSA signature */
1371 ret = key_from_sexp (&s, sig->sexp, "sig-val", "s");
1373 ret = key_from_sexp (&s, sig->sexp, "rsa", "s");
1374 GNUNET_assert (0 == ret);
1375 gcry_mpi_release (s);
1377 GNUNET_assert (0 == gcry_sexp_build (&dup_sexp, &erroff, "%S", sig->sexp));
1378 dup = GNUNET_new (struct GNUNET_CRYPTO_RsaSignature);
1379 dup->sexp = dup_sexp;
1384 /* end of util/rsa.c */
projects / oweals / gnunet.git / blob