rsa.c
来自「支持SSL v2/v3, TLS, PKCS #5, PKCS #7, PKCS」· C语言 代码 · 共 423 行
C
423 行
/* * The contents of this file are subject to the Mozilla Public * License Version 1.1 (the "License"); you may not use this file * except in compliance with the License. You may obtain a copy of * the License at http://www.mozilla.org/MPL/ * * Software distributed under the License is distributed on an "AS * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or * implied. See the License for the specific language governing * rights and limitations under the License. * * The Original Code is the Netscape security libraries. * * The Initial Developer of the Original Code is Netscape * Communications Corporation. Portions created by Netscape are * Copyright (C) 1994-2000 Netscape Communications Corporation. All * Rights Reserved. * * Contributor(s): * * Alternatively, the contents of this file may be used under the * terms of the GNU General Public License Version 2 or later (the * "GPL"), in which case the provisions of the GPL are applicable * instead of those above. If you wish to allow use of your * version of this file only under the terms of the GPL and not to * allow others to use your version of this file under the MPL, * indicate your decision by deleting the provisions above and * replace them with the notice and other provisions required by * the GPL. If you do not delete the provisions above, a recipient * may use your version of this file under either the MPL or the * GPL. * *//* * RSA key generation, public key op, private key op. * * $Id: rsa.c,v 1.17 2000/10/02 17:39:37 mcgreer%netscape.com Exp $ */#include "secerr.h"#include "blapi.h"#include "mpi.h"#include "mpprime.h"#include "secmpi.h"#include "secitem.h"/*** RSA encryption/decryption. When encrypting/decrypting the output** buffer must be at least the size of the public key modulus.*/static SECStatusrsa_keygen_from_primes(mp_int *p, mp_int *q, mp_int *e, RSAPrivateKey *key){ mp_int n, d, phi; mp_int psub1, qsub1, tmp; mp_err err = MP_OKAY; SECStatus rv = SECSuccess; MP_DIGITS(&n) = 0; MP_DIGITS(&d) = 0; MP_DIGITS(&phi) = 0; MP_DIGITS(&psub1) = 0; MP_DIGITS(&qsub1) = 0; MP_DIGITS(&tmp) = 0; CHECK_MPI_OK( mp_init(&n) ); CHECK_MPI_OK( mp_init(&d) ); CHECK_MPI_OK( mp_init(&phi) ); CHECK_MPI_OK( mp_init(&psub1) ); CHECK_MPI_OK( mp_init(&qsub1) ); CHECK_MPI_OK( mp_init(&tmp) ); /* 1. Compute n = p*q */ CHECK_MPI_OK( mp_mul(p, q, &n) ); /* 2. Compute phi = (p-1)*(q-1) */ CHECK_MPI_OK( mp_sub_d(p, 1, &psub1) ); CHECK_MPI_OK( mp_sub_d(q, 1, &qsub1) ); CHECK_MPI_OK( mp_mul(&psub1, &qsub1, &phi) ); /* 3. Compute d = e**-1 mod(phi) using extended Euclidean algorithm */ CHECK_MPI_OK( mp_xgcd(e, &phi, &tmp, &d, NULL) ); CHECK_MPI_OK( mp_mod(&d, &phi, &d) ); /* Verify that phi(n) and e have no common divisors */ if (mp_cmp_d(&tmp, 1) != 0) { PORT_SetError(SEC_ERROR_NEED_RANDOM); rv = SECFailure; goto cleanup; } MPINT_TO_SECITEM(&n, &key->modulus, key->arena); MPINT_TO_SECITEM(&d, &key->privateExponent, key->arena); /* 4. Compute exponent1 = d mod (p-1) */ CHECK_MPI_OK( mp_mod(&d, &psub1, &tmp) ); MPINT_TO_SECITEM(&tmp, &key->exponent1, key->arena); /* 5. Compute exponent2 = d mod (q-1) */ CHECK_MPI_OK( mp_mod(&d, &qsub1, &tmp) ); MPINT_TO_SECITEM(&tmp, &key->exponent2, key->arena); /* 6. Compute coefficient = q**-1 mod p */ CHECK_MPI_OK( mp_invmod(q, p, &tmp) ); MPINT_TO_SECITEM(&tmp, &key->coefficient, key->arena);cleanup: mp_clear(&n); mp_clear(&d); mp_clear(&phi); mp_clear(&psub1); mp_clear(&qsub1); mp_clear(&tmp); if (err) { MP_TO_SEC_ERROR(err); rv = SECFailure; } return rv;}/*** Generate and return a new RSA public and private key.** Both keys are encoded in a single RSAPrivateKey structure.** "cx" is the random number generator context** "keySizeInBits" is the size of the key to be generated, in bits.** 512, 1024, etc.** "publicExponent" when not NULL is a pointer to some data that** represents the public exponent to use. The data is a byte** encoded integer, in "big endian" order.*/RSAPrivateKey *RSA_NewKey(int keySizeInBits, SECItem *publicExponent){ unsigned char *pb = NULL, *qb = NULL; unsigned int primeLen; unsigned long counter; mp_int p, q, e; mp_err err = MP_OKAY; SECStatus rv = SECSuccess; int prerr = 0; RSAPrivateKey *key = NULL; PRArenaPool *arena = NULL; /* Require key size to be a multiple of 16 bits. */ if (!publicExponent || keySizeInBits % 16 != 0) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return NULL; } /* length of primes p and q (in bytes) */ primeLen = keySizeInBits / (2 * BITS_PER_BYTE); MP_DIGITS(&p) = 0; MP_DIGITS(&q) = 0; MP_DIGITS(&e) = 0; CHECK_MPI_OK( mp_init(&p) ); CHECK_MPI_OK( mp_init(&q) ); CHECK_MPI_OK( mp_init(&e) ); /* 1. Allocate arena & key */ arena = PORT_NewArena(NSS_FREEBL_DEFAULT_CHUNKSIZE); if (!arena) { PORT_SetError(SEC_ERROR_NO_MEMORY); return NULL; } key = (RSAPrivateKey *)PORT_ArenaZAlloc(arena, sizeof(RSAPrivateKey)); if (!key) { PORT_SetError(SEC_ERROR_NO_MEMORY); PORT_FreeArena(arena, PR_TRUE); return NULL; } key->arena = arena; /* 2. Set the version number (PKCS1 v1.5 says it should be zero) */ SECITEM_AllocItem(arena, &key->version, 1); key->version.data[0] = 0; /* 3. Set the public exponent */ SECITEM_CopyItem(arena, &key->publicExponent, publicExponent); SECITEM_TO_MPINT(*publicExponent, &e); /* 4. Generate primes p and q */ pb = PORT_Alloc(primeLen); qb = PORT_Alloc(primeLen); do { CHECK_SEC_OK( RNG_GenerateGlobalRandomBytes(pb, primeLen) ); CHECK_SEC_OK( RNG_GenerateGlobalRandomBytes(qb, primeLen) ); pb[0] |= 0x80; /* set high-order bit */ pb[primeLen-1] |= 0x01; /* set low-order bit */ qb[0] |= 0x80; /* set high-order bit */ qb[primeLen-1] |= 0x01; /* set low-order bit */ CHECK_MPI_OK( mp_read_unsigned_octets(&p, pb, primeLen) ); CHECK_MPI_OK( mp_read_unsigned_octets(&q, qb, primeLen) ); CHECK_MPI_OK( mpp_make_prime(&p, primeLen * 8, PR_FALSE, &counter) ); CHECK_MPI_OK( mpp_make_prime(&q, primeLen * 8, PR_FALSE, &counter) ); rv = rsa_keygen_from_primes(&p, &q, &e, key); if (rv == SECSuccess) break; /* generated two good primes */ prerr = PORT_GetError(); } while (prerr == SEC_ERROR_NEED_RANDOM); /* loop until have primes */ MPINT_TO_SECITEM(&p, &key->prime1, arena); MPINT_TO_SECITEM(&q, &key->prime2, arena);cleanup: mp_clear(&p); mp_clear(&q); mp_clear(&e); if (pb) PORT_ZFree(pb, primeLen); if (qb) PORT_ZFree(qb, primeLen); if (err) { MP_TO_SEC_ERROR(err); rv = SECFailure; } if (rv && arena) { PORT_FreeArena(arena, PR_TRUE); } return key;}static unsigned intrsa_modulusLen(SECItem *modulus){ unsigned char byteZero = modulus->data[0]; unsigned int modLen = modulus->len - !byteZero; return modLen;}/*** Perform a raw public-key operation ** Length of input and output buffers are equal to key's modulus len.*/SECStatus RSA_PublicKeyOp(RSAPublicKey *key, unsigned char *output, unsigned char *input){ unsigned int modLen; mp_int n, e, m, c; mp_err err = MP_OKAY; SECStatus rv = SECSuccess; if (!key || !output || !input) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } MP_DIGITS(&n) = 0; MP_DIGITS(&e) = 0; MP_DIGITS(&m) = 0; MP_DIGITS(&c) = 0; CHECK_MPI_OK( mp_init(&n) ); CHECK_MPI_OK( mp_init(&e) ); CHECK_MPI_OK( mp_init(&m) ); CHECK_MPI_OK( mp_init(&c) ); modLen = rsa_modulusLen(&key->modulus); /* 1. Obtain public key (n, e) */ SECITEM_TO_MPINT(key->modulus, &n); SECITEM_TO_MPINT(key->publicExponent, &e); /* 2. Represent message as integer in range [0..n-1] */ CHECK_MPI_OK( mp_read_unsigned_octets(&m, input, modLen) ); /* 3. Compute c = m**e mod n */#ifdef USE_MPI_EXPT_D /* XXX see which is faster */ if (MP_USED(&e) == 1) { CHECK_MPI_OK( mp_exptmod_d(&m, MP_DIGIT(&e, 0), &n, &c) ); } else#endif CHECK_MPI_OK( mp_exptmod(&m, &e, &n, &c) ); /* 4. result c is ciphertext */ err = mp_to_fixlen_octets(&c, output, modLen); if (err >= 0) err = MP_OKAY;cleanup: mp_clear(&n); mp_clear(&e); mp_clear(&m); mp_clear(&c); if (err) { MP_TO_SEC_ERROR(err); rv = SECFailure; } return rv;}/*** RSA Private key operation (no CRT).*/static SECStatus rsa_PrivateKeyOp(RSAPrivateKey *key, unsigned char *output, unsigned char *input){ mp_int n, d, m, c; mp_err err = MP_OKAY; SECStatus rv = SECSuccess; unsigned int modLen; modLen = rsa_modulusLen(&key->modulus); MP_DIGITS(&n) = 0; MP_DIGITS(&d) = 0; MP_DIGITS(&m) = 0; MP_DIGITS(&c) = 0; CHECK_MPI_OK( mp_init(&n) ); CHECK_MPI_OK( mp_init(&d) ); CHECK_MPI_OK( mp_init(&m) ); CHECK_MPI_OK( mp_init(&c) ); /* copy private key parameters into mp integers */ SECITEM_TO_MPINT(key->modulus, &n); /* n */ SECITEM_TO_MPINT(key->privateExponent, &d); /* d */ /* copy input into mp integer c */ OCTETS_TO_MPINT(input, &c, modLen); /* 1. m = c**d mod n */ CHECK_MPI_OK( mp_exptmod(&c, &d, &n, &m) ); /* m is the output */ err = mp_to_fixlen_octets(&m, output, modLen); if (err >= 0) err = MP_OKAY;cleanup: mp_clear(&n); mp_clear(&d); mp_clear(&m); mp_clear(&c); if (err) { MP_TO_SEC_ERROR(err); rv = SECFailure; } return rv;}/*** RSA Private key operation using CRT.*/static SECStatus rsa_PrivateKeyOpCRT(RSAPrivateKey *key, unsigned char *output, unsigned char *input){ mp_int p, q, d_p, d_q, qInv; mp_int m, m1, m2, b2, h, c, ctmp; mp_err err = MP_OKAY; SECStatus rv = SECSuccess; unsigned int modLen; modLen = rsa_modulusLen(&key->modulus); MP_DIGITS(&p) = 0; MP_DIGITS(&q) = 0; MP_DIGITS(&d_p) = 0; MP_DIGITS(&d_q) = 0; MP_DIGITS(&qInv) = 0; MP_DIGITS(&m) = 0; MP_DIGITS(&m1) = 0; MP_DIGITS(&m2) = 0; MP_DIGITS(&b2) = 0; MP_DIGITS(&h) = 0; MP_DIGITS(&c) = 0; MP_DIGITS(&ctmp) = 0; CHECK_MPI_OK( mp_init(&p) ); CHECK_MPI_OK( mp_init(&q) ); CHECK_MPI_OK( mp_init(&d_p) ); CHECK_MPI_OK( mp_init(&d_q) ); CHECK_MPI_OK( mp_init(&qInv) ); CHECK_MPI_OK( mp_init(&m) ); CHECK_MPI_OK( mp_init(&m1) ); CHECK_MPI_OK( mp_init(&m2) ); CHECK_MPI_OK( mp_init(&b2) ); CHECK_MPI_OK( mp_init(&h) ); CHECK_MPI_OK( mp_init(&c) ); CHECK_MPI_OK( mp_init(&ctmp) ); /* copy private key parameters into mp integers */ SECITEM_TO_MPINT(key->prime1, &p); /* p */ SECITEM_TO_MPINT(key->prime2, &q); /* q */ SECITEM_TO_MPINT(key->exponent1, &d_p); /* d_p = d mod (p-1) */ SECITEM_TO_MPINT(key->exponent2, &d_q); /* d_p = d mod (q-1) */ SECITEM_TO_MPINT(key->coefficient, &qInv); /* qInv = q**-1 mod p */ /* copy input into mp integer c */ OCTETS_TO_MPINT(input, &c, modLen); /* 1. m1 = c**d_p mod p */ CHECK_MPI_OK( mp_mod(&c, &p, &ctmp) ); CHECK_MPI_OK( mp_exptmod(&ctmp, &d_p, &p, &m1) ); /* 2. m2 = c**d_q mod q */ CHECK_MPI_OK( mp_mod(&c, &q, &ctmp) ); CHECK_MPI_OK( mp_exptmod(&ctmp, &d_q, &q, &m2) ); /* 3. h = (m1 - m2) * qInv mod p */ CHECK_MPI_OK( mp_submod(&m1, &m2, &p, &h) ); CHECK_MPI_OK( mp_mulmod(&h, &qInv, &p, &h) ); /* 4. m = m2 + h * q */ CHECK_MPI_OK( mp_mul(&h, &q, &m) ); CHECK_MPI_OK( mp_add(&m, &m2, &m) ); /* m is the output */ err = mp_to_fixlen_octets(&m, output, modLen); if (err >= 0) err = MP_OKAY;cleanup: mp_clear(&p); mp_clear(&q); mp_clear(&d_p); mp_clear(&d_q); mp_clear(&qInv); mp_clear(&m); mp_clear(&m1); mp_clear(&m2); mp_clear(&b2); mp_clear(&h); mp_clear(&c); if (err) { MP_TO_SEC_ERROR(err); rv = SECFailure; } return rv;}/*** Perform a raw private-key operation ** Length of input and output buffers are equal to key's modulus len.*/SECStatus RSA_PrivateKeyOp(RSAPrivateKey *key, unsigned char *output, unsigned char *input){ unsigned int modLen; unsigned int offset; if (!key || !output || !input) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } /* check input out of range (needs to be in range [0..n-1]) */ modLen = rsa_modulusLen(&key->modulus); offset = (key->modulus.data[0] == 0) ? 1 : 0; /* may be leading 0 */ if (memcmp(input, key->modulus.data + offset, modLen) >= 0) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } if ( key->prime1.len == 0 || key->prime2.len == 0 || key->exponent1.len == 0 || key->exponent2.len == 0 || key->coefficient.len == 0) { return rsa_PrivateKeyOp(key, output, input); } else { return rsa_PrivateKeyOpCRT(key, output, input); }}⌨️ 快捷键说明
复制代码Ctrl + C
搜索代码Ctrl + F
全屏模式F11
增大字号Ctrl + =
减小字号Ctrl + -
显示快捷键?