// Copyright (c) 2009 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "base/crypto/rsa_private_key.h"
#include <list>
#include "base/logging.h"
#include "base/scoped_ptr.h"
// This file manually encodes and decodes RSA private keys using PrivateKeyInfo
// from PKCS #8 and RSAPrivateKey from PKCS #1. These structures are:
//
// PrivateKeyInfo ::= SEQUENCE {
// version Version,
// privateKeyAlgorithm PrivateKeyAlgorithmIdentifier,
// privateKey PrivateKey,
// attributes [0] IMPLICIT Attributes OPTIONAL
// }
//
// RSAPrivateKey ::= SEQUENCE {
// version Version,
// modulus INTEGER,
// publicExponent INTEGER,
// privateExponent INTEGER,
// prime1 INTEGER,
// prime2 INTEGER,
// exponent1 INTEGER,
// exponent2 INTEGER,
// coefficient INTEGER
// }
namespace {
// ASN.1 encoding of the AlgorithmIdentifier from PKCS #8.
const uint8 kRsaAlgorithmIdentifier[] = {
0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01,
0x05, 0x00
};
// ASN.1 tags for some types we use.
const uint8 kSequenceTag = 0x30;
const uint8 kIntegerTag = 0x02;
const uint8 kNullTag = 0x05;
const uint8 kOctetStringTag = 0x04;
// Helper function to prepend an array of bytes into a list, reversing their
// order. This is needed because ASN.1 integers are big-endian, while CryptoAPI
// uses little-endian.
static void PrependBytesInReverseOrder(uint8* val, int num_bytes,
std::list<uint8>* data) {
for (int i = 0; i < num_bytes; ++i)
data->push_front(val[i]);
}
// Helper to prepend an ASN.1 length field.
static void PrependLength(size_t size, std::list<uint8>* data) {
// The high bit is used to indicate whether additional octets are needed to
// represent the length.
if (size < 0x80) {
data->push_front(static_cast<uint8>(size));
} else {
uint8 num_bytes = 0;
while (size > 0) {
data->push_front(static_cast<uint8>(size & 0xFF));
size >>= 8;
num_bytes++;
}
CHECK(num_bytes <= 4);
data->push_front(0x80 | num_bytes);
}
}
// Helper to prepend an ASN.1 type header.
static void PrependTypeHeaderAndLength(uint8 type, uint32 length,
std::list<uint8>* output) {
PrependLength(length, output);
output->push_front(type);
}
// Helper to prepend an ASN.1 integer.
static void PrependInteger(uint8* val, int num_bytes, std::list<uint8>* data) {
// If the MSB is set, we need an extra null byte at the front.
bool needs_null_byte = !(val[num_bytes - 1] & 0x80);
int length = needs_null_byte ? num_bytes + 1 : num_bytes;
PrependBytesInReverseOrder(val, num_bytes, data);
// Add a null byte to force the integer to be positive if necessary.
if (needs_null_byte)
data->push_front(0x00);
PrependTypeHeaderAndLength(kIntegerTag, length, data);
}
// Helper for error handling during key import.
#define READ_ASSERT(truth) \
if (!(truth)) { \
NOTREACHED(); \
return false; \
}
// Read an ASN.1 length field. This also checks that the length does not extend
// beyond |end|.
static bool ReadLength(uint8** pos, uint8* end, uint32* result) {
READ_ASSERT(*pos < end);
int length = 0;
// If the MSB is not set, the length is just the byte itself.
if (!(**pos & 0x80)) {
length = **pos;
(*pos)++;
} else {
// Otherwise, the lower 7 indicate the length of the length.
int length_of_length = **pos & 0x7F;
READ_ASSERT(length_of_length <= 4);
(*pos)++;
READ_ASSERT(*pos + length_of_length < end);
length = 0;
for (int i = 0; i < length_of_length; ++i) {
length <<= 8;
length |= **pos;
(*pos)++;
}
}
READ_ASSERT(*pos + length <= end);
if (result) *result = length;
return true;
}
// Read an ASN.1 type header and its length.
static bool ReadTypeHeaderAndLength(uint8** pos, uint8* end,
uint8 expected_tag, uint32* length) {
READ_ASSERT(*pos < end);
READ_ASSERT(**pos == expected_tag);
(*pos)++;
return ReadLength(pos, end, length);
}
// Read an ASN.1 sequence declaration. This consumes the type header and length
// field, but not the contents of the sequence.
static bool ReadSequence(uint8** pos, uint8* end) {
return ReadTypeHeaderAndLength(pos, end, kSequenceTag, NULL);
}
// Read the RSA AlgorithmIdentifier.
static bool ReadAlgorithmIdentifier(uint8** pos, uint8* end) {
READ_ASSERT(*pos + sizeof(kRsaAlgorithmIdentifier) < end);
READ_ASSERT(memcmp(*pos, kRsaAlgorithmIdentifier,
sizeof(kRsaAlgorithmIdentifier)) == 0);
(*pos) += sizeof(kRsaAlgorithmIdentifier);
return true;
}
// Read one of the two version fields in PrivateKeyInfo.
static bool ReadVersion(uint8** pos, uint8* end) {
uint32 length = 0;
if (!ReadTypeHeaderAndLength(pos, end, kIntegerTag, &length))
return false;
// The version should be zero.
for (uint32 i = 0; i < length; ++i) {
READ_ASSERT(**pos == 0x00);
(*pos)++;
}
return true;
}
// Read an ASN.1 integer.
static bool ReadInteger(uint8** pos, uint8* end, std::vector<uint8>* out) {
uint32 length = 0;
if (!ReadTypeHeaderAndLength(pos, end, kIntegerTag, &length))
return false;
// Read the bytes out in reverse order because of endianness.
for (uint32 i = length - 1; i > 0; --i)
out->push_back(*(*pos + i));
// The last byte can be zero to force positiveness. We can ignore this.
if (**pos != 0x00)
out->push_back(**pos);
(*pos) += length;
return true;
}
} // namespace
namespace base {
// static
RSAPrivateKey* RSAPrivateKey::Create(uint16 num_bits) {
scoped_ptr<RSAPrivateKey> result(new RSAPrivateKey);
if (!result->InitProvider())
return NULL;
DWORD flags = CRYPT_EXPORTABLE;
// The size is encoded as the upper 16 bits of the flags. :: sigh ::.
flags |= (num_bits << 16);
if (!CryptGenKey(result->provider_, CALG_RSA_SIGN, flags, &result->key_))
return NULL;
return result.release();
}
// static
RSAPrivateKey* RSAPrivateKey::CreateFromPrivateKeyInfo(
const std::vector<uint8>& input) {
scoped_ptr<RSAPrivateKey> result(new RSAPrivateKey);
if (!result->InitProvider())
return NULL;
uint8* src = const_cast<uint8*>(&input.front());
uint8* end = src + input.size();
int version = -1;
std::vector<uint8> modulus;
std::vector<uint8> public_exponent;
std::vector<uint8> private_exponent;
std::vector<uint8> prime1;
std::vector<uint8> prime2;
std::vector<uint8> exponent1;
std::vector<uint8> exponent2;
std::vector<uint8> coefficient;
if (!ReadSequence(&src, end) ||
!ReadVersion(&src, end) ||
!ReadAlgorithmIdentifier(&src, end) ||
!ReadTypeHeaderAndLength(&src, end, kOctetStringTag, NULL) ||
!ReadSequence(&src, end) ||
!ReadVersion(&src, end) ||
!ReadInteger(&src, end, &modulus) ||
!ReadInteger(&src, end, &public_exponent) ||
!ReadInteger(&src, end, &private_exponent) ||
!ReadInteger(&src, end, &prime1) ||
!ReadInteger(&src, end, &prime2) ||
!ReadInteger(&src, end, &exponent1) ||
!ReadInteger(&src, end, &exponent2) ||
!ReadInteger(&src, end, &coefficient))
return false;
READ_ASSERT(src == end);
int blob_size = sizeof(PUBLICKEYSTRUC) + sizeof(RSAPUBKEY) + modulus.size() +
prime1.size() + prime2.size() +
exponent1.size() + exponent2.size() +
coefficient.size() + private_exponent.size();
scoped_array<BYTE> blob(new BYTE[blob_size]);
uint8* dest = blob.get();
PUBLICKEYSTRUC* public_key_struc = reinterpret_cast<PUBLICKEYSTRUC*>(dest);
public_key_struc->bType = PRIVATEKEYBLOB;
public_key_struc->bVersion = 0x02;
public_key_struc->reserved = 0;
public_key_struc->aiKeyAlg = CALG_RSA_SIGN;
dest += sizeof(PUBLICKEYSTRUC);
RSAPUBKEY* rsa_pub_key = reinterpret_cast<RSAPUBKEY*>(dest);
rsa_pub_key->magic = 0x32415352;
rsa_pub_key->bitlen = modulus.size() * 8;
int public_exponent_int = 0;
for (size_t i = public_exponent.size(); i > 0; --i) {
public_exponent_int <<= 8;
public_exponent_int |= public_exponent[i - 1];
}
rsa_pub_key->pubexp = public_exponent_int;
dest += sizeof(RSAPUBKEY);
memcpy(dest, &modulus.front(), modulus.size());
dest += modulus.size();
memcpy(dest, &prime1.front(), prime1.size());
dest += prime1.size();
memcpy(dest, &prime2.front(), prime2.size());
dest += prime2.size();
memcpy(dest, &exponent1.front(), exponent1.size());
dest += exponent1.size();
memcpy(dest, &exponent2.front(), exponent2.size());
dest += exponent2.size();
memcpy(dest, &coefficient.front(), coefficient.size());
dest += coefficient.size();
memcpy(dest, &private_exponent.front(), private_exponent.size());
dest += private_exponent.size();
READ_ASSERT(dest == blob.get() + blob_size);
if (!CryptImportKey(
result->provider_, reinterpret_cast<uint8*>(public_key_struc), blob_size,
NULL, CRYPT_EXPORTABLE, &result->key_)) {
return NULL;
}
return result.release();
}
RSAPrivateKey::RSAPrivateKey() : provider_(NULL), key_(NULL) {}
RSAPrivateKey::~RSAPrivateKey() {
if (key_) {
if (!CryptDestroyKey(key_))
NOTREACHED();
}
if (provider_) {
if (!CryptReleaseContext(provider_, 0))
NOTREACHED();
}
}
bool RSAPrivateKey::InitProvider() {
return FALSE != CryptAcquireContext(&provider_, NULL, NULL,
PROV_RSA_FULL, CRYPT_VERIFYCONTEXT);
}
bool RSAPrivateKey::ExportPrivateKey(std::vector<uint8>* output) {
// Export the key
DWORD blob_length = 0;
if (!CryptExportKey(key_, NULL, PRIVATEKEYBLOB, 0, NULL, &blob_length)) {
NOTREACHED();
return false;
}
scoped_array<uint8> blob(new uint8[blob_length]);
if (!CryptExportKey(key_, NULL, PRIVATEKEYBLOB, 0, blob.get(),
&blob_length)) {
NOTREACHED();
return false;
}
uint8* pos = blob.get();
PUBLICKEYSTRUC *publickey_struct = reinterpret_cast<PUBLICKEYSTRUC*>(pos);
pos += sizeof(PUBLICKEYSTRUC);
RSAPUBKEY *rsa_pub_key = reinterpret_cast<RSAPUBKEY*>(pos);
pos += sizeof(RSAPUBKEY);
int mod_size = rsa_pub_key->bitlen / 8;
int primes_size = rsa_pub_key->bitlen / 16;
int exponents_size = primes_size;
int coefficient_size = primes_size;
int private_exponent_size = mod_size;
uint8* modulus = pos;
pos += mod_size;
uint8* prime1 = pos;
pos += primes_size;
uint8* prime2 = pos;
pos += primes_size;
uint8* exponent1 = pos;
pos += exponents_size;
uint8* exponent2 = pos;
pos += exponents_size;
uint8* coefficient = pos;
pos += coefficient_size;
uint8* private_exponent = pos;
pos += private_exponent_size;
CHECK((pos - blob_length) == reinterpret_cast<BYTE*>(publickey_struct));
std::list<uint8> content;
// Version (always zero)
uint8 version = 0;
// We build up the output in reverse order to prevent having to do copies to
// figure out the length.
PrependInteger(coefficient, coefficient_size, &content);
PrependInteger(exponent2, exponents_size, &content);
PrependInteger(exponent1, exponents_size, &content);
PrependInteger(prime2, primes_size, &content);
PrependInteger(prime1, primes_size, &content);
PrependInteger(private_exponent, private_exponent_size, &content);
PrependInteger(reinterpret_cast<uint8*>(&rsa_pub_key->pubexp), 4, &content);
PrependInteger(modulus, mod_size, &content);
PrependInteger(&version, 1, &content);
PrependTypeHeaderAndLength(kSequenceTag, content.size(), &content);
PrependTypeHeaderAndLength(kOctetStringTag, content.size(), &content);
// RSA algorithm OID
for (size_t i = sizeof(kRsaAlgorithmIdentifier); i > 0; --i)
content.push_front(kRsaAlgorithmIdentifier[i - 1]);
PrependInteger(&version, 1, &content);
PrependTypeHeaderAndLength(kSequenceTag, content.size(), &content);
// Copy everying into the output.
output->reserve(content.size());
for (std::list<uint8>::iterator i = content.begin(); i != content.end(); ++i)
output->push_back(*i);
return true;
}
bool RSAPrivateKey::ExportPublicKey(std::vector<uint8>* output) {
DWORD key_info_len;
if (!CryptExportPublicKeyInfo(
provider_, AT_SIGNATURE, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
NULL, &key_info_len)) {
NOTREACHED();
return false;
}
scoped_array<uint8> key_info(new uint8[key_info_len]);
if (!CryptExportPublicKeyInfo(
provider_, AT_SIGNATURE, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
reinterpret_cast<CERT_PUBLIC_KEY_INFO*>(key_info.get()), &key_info_len)) {
NOTREACHED();
return false;
}
DWORD encoded_length;
if (!CryptEncodeObject(
X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, X509_PUBLIC_KEY_INFO,
reinterpret_cast<CERT_PUBLIC_KEY_INFO*>(key_info.get()), NULL,
&encoded_length)) {
NOTREACHED();
return false;
}
scoped_array<BYTE> encoded(new BYTE[encoded_length]);
if (!CryptEncodeObject(
X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, X509_PUBLIC_KEY_INFO,
reinterpret_cast<CERT_PUBLIC_KEY_INFO*>(key_info.get()), encoded.get(),
&encoded_length)) {
NOTREACHED();
return false;
}
for (size_t i = 0; i < encoded_length; ++i)
output->push_back(encoded[i]);
return true;
}
} // namespace base