22
#include <nettle/rsa.h>
24
#include "qemu/osdep.h"
25
#include "qemu/host-utils.h"
26
#include "crypto/akcipher.h"
27
#include "crypto/random.h"
28
#include "qapi/error.h"
29
#include "sysemu/cryptodev.h"
32
typedef struct QCryptoNettleRSA {
33
QCryptoAkCipher akcipher;
34
struct rsa_public_key pub;
35
struct rsa_private_key priv;
36
QCryptoRSAPaddingAlgorithm padding_alg;
37
QCryptoHashAlgorithm hash_alg;
40
static void qcrypto_nettle_rsa_free(QCryptoAkCipher *akcipher)
42
QCryptoNettleRSA *rsa = (QCryptoNettleRSA *)akcipher;
47
rsa_public_key_clear(&rsa->pub);
48
rsa_private_key_clear(&rsa->priv);
52
static QCryptoAkCipher *qcrypto_nettle_rsa_new(
53
const QCryptoAkCipherOptionsRSA *opt,
54
QCryptoAkCipherKeyType type,
55
const uint8_t *key, size_t keylen,
58
QCryptoAkCipher *qcrypto_akcipher_new(const QCryptoAkCipherOptions *opts,
59
QCryptoAkCipherKeyType type,
60
const uint8_t *key, size_t keylen,
64
case QCRYPTO_AKCIPHER_ALG_RSA:
65
return qcrypto_nettle_rsa_new(&opts->u.rsa, type, key, keylen, errp);
68
error_setg(errp, "Unsupported algorithm: %u", opts->alg);
75
static void qcrypto_nettle_rsa_set_akcipher_size(QCryptoAkCipher *akcipher,
78
akcipher->max_plaintext_len = key_size;
79
akcipher->max_ciphertext_len = key_size;
80
akcipher->max_signature_len = key_size;
81
akcipher->max_dgst_len = key_size;
84
static int qcrypt_nettle_parse_rsa_private_key(QCryptoNettleRSA *rsa,
89
g_autoptr(QCryptoAkCipherRSAKey) rsa_key = qcrypto_akcipher_rsakey_parse(
90
QCRYPTO_AKCIPHER_KEY_TYPE_PRIVATE, key, keylen, errp);
96
nettle_mpz_init_set_str_256_u(rsa->pub.n, rsa_key->n.len, rsa_key->n.data);
97
nettle_mpz_init_set_str_256_u(rsa->pub.e, rsa_key->e.len, rsa_key->e.data);
98
nettle_mpz_init_set_str_256_u(rsa->priv.d, rsa_key->d.len, rsa_key->d.data);
99
nettle_mpz_init_set_str_256_u(rsa->priv.p, rsa_key->p.len, rsa_key->p.data);
100
nettle_mpz_init_set_str_256_u(rsa->priv.q, rsa_key->q.len, rsa_key->q.data);
101
nettle_mpz_init_set_str_256_u(rsa->priv.a, rsa_key->dp.len,
103
nettle_mpz_init_set_str_256_u(rsa->priv.b, rsa_key->dq.len,
105
nettle_mpz_init_set_str_256_u(rsa->priv.c, rsa_key->u.len, rsa_key->u.data);
107
if (!rsa_public_key_prepare(&rsa->pub)) {
108
error_setg(errp, "Failed to check RSA key");
116
if (rsa_key->p.len > 1 &&
117
rsa_key->q.len > 1 &&
118
rsa_key->dp.len > 1 &&
119
rsa_key->dq.len > 1 &&
120
rsa_key->u.len > 1) {
121
if (!rsa_private_key_prepare(&rsa->priv)) {
122
error_setg(errp, "Failed to check RSA key");
126
rsa->priv.size = rsa->pub.size;
128
qcrypto_nettle_rsa_set_akcipher_size(
129
(QCryptoAkCipher *)rsa, rsa->priv.size);
134
static int qcrypt_nettle_parse_rsa_public_key(QCryptoNettleRSA *rsa,
139
g_autoptr(QCryptoAkCipherRSAKey) rsa_key = qcrypto_akcipher_rsakey_parse(
140
QCRYPTO_AKCIPHER_KEY_TYPE_PUBLIC, key, keylen, errp);
145
nettle_mpz_init_set_str_256_u(rsa->pub.n, rsa_key->n.len, rsa_key->n.data);
146
nettle_mpz_init_set_str_256_u(rsa->pub.e, rsa_key->e.len, rsa_key->e.data);
148
if (!rsa_public_key_prepare(&rsa->pub)) {
149
error_setg(errp, "Failed to check RSA key");
152
qcrypto_nettle_rsa_set_akcipher_size(
153
(QCryptoAkCipher *)rsa, rsa->pub.size);
158
static void wrap_nettle_random_func(void *ctx, size_t len, uint8_t *out)
160
qcrypto_random_bytes(out, len, &error_abort);
163
static int qcrypto_nettle_rsa_encrypt(QCryptoAkCipher *akcipher,
164
const void *data, size_t data_len,
165
void *enc, size_t enc_len,
169
QCryptoNettleRSA *rsa = (QCryptoNettleRSA *)akcipher;
173
if (data_len > rsa->pub.size) {
174
error_setg(errp, "Plaintext length %zu is greater than key size: %zu",
175
data_len, rsa->pub.size);
179
if (enc_len < rsa->pub.size) {
180
error_setg(errp, "Ciphertext buffer length %zu is less than "
181
"key size: %zu", enc_len, rsa->pub.size);
186
switch (rsa->padding_alg) {
187
case QCRYPTO_RSA_PADDING_ALG_RAW:
188
error_setg(errp, "RSA with raw padding is not supported");
191
case QCRYPTO_RSA_PADDING_ALG_PKCS1:
193
if (rsa_encrypt(&rsa->pub, NULL, wrap_nettle_random_func,
194
data_len, (uint8_t *)data, c) != 1) {
195
error_setg(errp, "Failed to encrypt");
197
nettle_mpz_get_str_256(enc_len, (uint8_t *)enc, c);
198
ret = nettle_mpz_sizeinbase_256_u(c);
204
error_setg(errp, "Unknown padding");
210
static int qcrypto_nettle_rsa_decrypt(QCryptoAkCipher *akcipher,
211
const void *enc, size_t enc_len,
212
void *data, size_t data_len,
215
QCryptoNettleRSA *rsa = (QCryptoNettleRSA *)akcipher;
219
if (enc_len > rsa->priv.size) {
220
error_setg(errp, "Ciphertext length %zu is greater than key size: %zu",
221
enc_len, rsa->priv.size);
225
switch (rsa->padding_alg) {
226
case QCRYPTO_RSA_PADDING_ALG_RAW:
227
error_setg(errp, "RSA with raw padding is not supported");
230
case QCRYPTO_RSA_PADDING_ALG_PKCS1:
231
nettle_mpz_init_set_str_256_u(c, enc_len, enc);
232
if (!rsa_decrypt(&rsa->priv, &data_len, (uint8_t *)data, c)) {
233
error_setg(errp, "Failed to decrypt");
242
error_setg(errp, "Unknown padding algorithm: %d", rsa->padding_alg);
248
static int qcrypto_nettle_rsa_sign(QCryptoAkCipher *akcipher,
249
const void *data, size_t data_len,
250
void *sig, size_t sig_len, Error **errp)
252
QCryptoNettleRSA *rsa = (QCryptoNettleRSA *)akcipher;
260
if (rsa->padding_alg == QCRYPTO_RSA_PADDING_ALG_RAW) {
261
error_setg(errp, "Try to make signature without padding");
265
if (data_len > rsa->priv.size) {
266
error_setg(errp, "Data length %zu is greater than key size: %zu",
267
data_len, rsa->priv.size);
271
if (sig_len < rsa->priv.size) {
272
error_setg(errp, "Signature buffer length %zu is less than "
273
"key size: %zu", sig_len, rsa->priv.size);
278
switch (rsa->hash_alg) {
279
case QCRYPTO_HASH_ALG_MD5:
280
rv = rsa_md5_sign_digest(&rsa->priv, data, s);
283
case QCRYPTO_HASH_ALG_SHA1:
284
rv = rsa_sha1_sign_digest(&rsa->priv, data, s);
287
case QCRYPTO_HASH_ALG_SHA256:
288
rv = rsa_sha256_sign_digest(&rsa->priv, data, s);
291
case QCRYPTO_HASH_ALG_SHA512:
292
rv = rsa_sha512_sign_digest(&rsa->priv, data, s);
296
error_setg(errp, "Unknown hash algorithm: %d", rsa->hash_alg);
301
error_setg(errp, "Failed to make signature");
304
nettle_mpz_get_str_256(sig_len, (uint8_t *)sig, s);
305
ret = nettle_mpz_sizeinbase_256_u(s);
313
static int qcrypto_nettle_rsa_verify(QCryptoAkCipher *akcipher,
314
const void *sig, size_t sig_len,
315
const void *data, size_t data_len,
318
QCryptoNettleRSA *rsa = (QCryptoNettleRSA *)akcipher;
327
if (rsa->padding_alg == QCRYPTO_RSA_PADDING_ALG_RAW) {
328
error_setg(errp, "Try to verify signature without padding");
331
if (data_len > rsa->pub.size) {
332
error_setg(errp, "Data length %zu is greater than key size: %zu",
333
data_len, rsa->pub.size);
336
if (sig_len < rsa->pub.size) {
337
error_setg(errp, "Signature length %zu is greater than key size: %zu",
338
sig_len, rsa->pub.size);
342
nettle_mpz_init_set_str_256_u(s, sig_len, sig);
343
switch (rsa->hash_alg) {
344
case QCRYPTO_HASH_ALG_MD5:
345
rv = rsa_md5_verify_digest(&rsa->pub, data, s);
348
case QCRYPTO_HASH_ALG_SHA1:
349
rv = rsa_sha1_verify_digest(&rsa->pub, data, s);
352
case QCRYPTO_HASH_ALG_SHA256:
353
rv = rsa_sha256_verify_digest(&rsa->pub, data, s);
356
case QCRYPTO_HASH_ALG_SHA512:
357
rv = rsa_sha512_verify_digest(&rsa->pub, data, s);
361
error_setg(errp, "Unsupported hash algorithm: %d", rsa->hash_alg);
366
error_setg(errp, "Failed to verify signature");
377
QCryptoAkCipherDriver nettle_rsa = {
378
.encrypt = qcrypto_nettle_rsa_encrypt,
379
.decrypt = qcrypto_nettle_rsa_decrypt,
380
.sign = qcrypto_nettle_rsa_sign,
381
.verify = qcrypto_nettle_rsa_verify,
382
.free = qcrypto_nettle_rsa_free,
385
static QCryptoAkCipher *qcrypto_nettle_rsa_new(
386
const QCryptoAkCipherOptionsRSA *opt,
387
QCryptoAkCipherKeyType type,
388
const uint8_t *key, size_t keylen,
391
QCryptoNettleRSA *rsa = g_new0(QCryptoNettleRSA, 1);
393
rsa->padding_alg = opt->padding_alg;
394
rsa->hash_alg = opt->hash_alg;
395
rsa->akcipher.driver = &nettle_rsa;
396
rsa_public_key_init(&rsa->pub);
397
rsa_private_key_init(&rsa->priv);
400
case QCRYPTO_AKCIPHER_KEY_TYPE_PRIVATE:
401
if (qcrypt_nettle_parse_rsa_private_key(rsa, key, keylen, errp) != 0) {
406
case QCRYPTO_AKCIPHER_KEY_TYPE_PUBLIC:
407
if (qcrypt_nettle_parse_rsa_public_key(rsa, key, keylen, errp) != 0) {
413
error_setg(errp, "Unknown akcipher key type %d", type);
417
return (QCryptoAkCipher *)rsa;
420
qcrypto_nettle_rsa_free((QCryptoAkCipher *)rsa);
425
bool qcrypto_akcipher_supports(QCryptoAkCipherOptions *opts)
428
case QCRYPTO_AKCIPHER_ALG_RSA:
429
switch (opts->u.rsa.padding_alg) {
430
case QCRYPTO_RSA_PADDING_ALG_PKCS1:
431
switch (opts->u.rsa.hash_alg) {
432
case QCRYPTO_HASH_ALG_MD5:
433
case QCRYPTO_HASH_ALG_SHA1:
434
case QCRYPTO_HASH_ALG_SHA256:
435
case QCRYPTO_HASH_ALG_SHA512:
442
case QCRYPTO_RSA_PADDING_ALG_RAW: