--- /dev/null
+/* Copyright (c) 1998,2011-2012,2014 Apple Inc. All Rights Reserved.
+ *
+ * NOTICE: USE OF THE MATERIALS ACCOMPANYING THIS NOTICE IS SUBJECT
+ * TO THE TERMS OF THE SIGNED "FAST ELLIPTIC ENCRYPTION (FEE) REFERENCE
+ * SOURCE CODE EVALUATION AGREEMENT" BETWEEN APPLE, INC. AND THE
+ * ORIGINAL LICENSEE THAT OBTAINED THESE MATERIALS FROM APPLE,
+ * INC. ANY USE OF THESE MATERIALS NOT PERMITTED BY SUCH AGREEMENT WILL
+ * EXPOSE YOU TO LIABILITY.
+ ***************************************************************************
+ *
+ * feePublicKey.c - Portable FEE public key object.
+ *
+ * Revision History
+ * ----------------
+ * 11/27/98 dmitch
+ * Added ECDSA_VERIFY_ONLY dependencies.
+ * 10/06/98 ap
+ * Changed to compile with C++.
+ * 9 Sep 98 at NeXT
+ * Major changes for IEEE P1363 compliance.
+ * 23 Mar 98 at Apple
+ * Added blob support.
+ * 21 Jan 98 at Apple
+ * Fixed feePubKeyBitsize bitlen bug for PT_GENERAL case.
+ * 05 Jan 98 at Apple
+ * ECDSA now uses SHA-1 hash. Imcompatible with old ECDSA signatures.
+ * 17 Jul 97 at Apple
+ * Added ECDSA signature routines.
+ * 12 Jun 97 at Apple
+ * Added feePubKeyInitGiants()
+ * Deleted obsolete code
+ * Changes for lesserX1OrderJustify (was curveOrderJustify)
+ * 31 Mar 97 at Apple
+ * Fixed leak in feePubKeyCreateKeyString()
+ * 15 Jan 97 at NeXT
+ * PUBLIC_KEY_STRING_VERSION = 3; broke compatibility with all older
+ * versions.
+ * Cleaned up which_curve/index code to use CURVE_MINUS/CURVE_PLUS.
+ * 12 Dec 96 at NeXT
+ * Added initFromEnc64KeyStr().
+ * 20 Aug 96 at NeXT
+ * Ported to C.
+ * ???? 1994 Blaine Garst at NeXT
+ * Created.
+ */
+
+#include "ckconfig.h"
+#include "feePublicKey.h"
+#include "feePublicKeyPrivate.h"
+#include "ckutilities.h"
+#include "giantIntegers.h"
+#include "elliptic.h"
+#include "curveParams.h"
+#include "falloc.h"
+#include "feeTypes.h"
+#include "feeDebug.h"
+#include "feeHash.h"
+#include "ckSHA1.h"
+#include "feeDigitalSignature.h"
+#include "feeECDSA.h"
+#include "platform.h"
+#include "enc64.h"
+#include "feeDES.h"
+#include "byteRep.h"
+#if CRYPTKIT_DER_ENABLE
+#include "CryptKitDER.h"
+#endif
+#include <stdio.h>
+
+/*
+ * 11/27/98 dmitch: The ECDSA_VERIFY_ONLY symbol, when #defined, disables all
+ * of the code in this module except that which is necessary for ECDSA
+ * siggnature verification.
+ */
+
+#ifndef NULL
+#define NULL ((void *)0)
+#endif // NULL
+
+/*
+ * Magic number for a portable key blobs. Must be in sync with static
+ * final PUBLIC_KEY_STRING_MAGIC in JavaFee/PublicKey.java.
+ */
+#define PUBLIC_KEY_BLOB_MAGIC_PUB 0xfeeddeef
+#define PUBLIC_KEY_BLOB_MAGIC_PRIV 0xfeeddeed
+#define PUBLIC_KEY_BLOB_VERSION 6
+#define PUBLIC_KEY_BLOB_MINVERSION 6
+
+#if CRYPTKIT_DER_ENABLE
+#define PUBLIC_DER_KEY_BLOB_VERSION 1
+#endif
+
+/*
+ * Private data. All "instance" routines are passed a feePubKey (actually
+ * a void *) which is actually a pointer to one of these.
+ */
+typedef struct {
+ key plus;
+ key minus; // not needed for ECDSA
+ curveParams *cp; // common params shared by minus, plus
+ giant privGiant; // private key
+} pubKeyInst;
+
+static feeReturn feeGenPrivate(pubKeyInst *pkinst,
+ const unsigned char *passwd,
+ unsigned passwdLen,
+ char hashPasswd);
+static pubKeyInst *pubKeyInstAlloc(void);
+static void pubKeyInstFree(pubKeyInst *pkinst);
+#if GIANTS_VIA_STACK
+static void feePubKeyInitGiants(void);
+#endif
+static feeReturn createKeyBlob(pubKeyInst *pkinst,
+ int isPrivate, // 0 : public 1 : private
+ unsigned char **keyBlob, // mallocd and RETURNED
+ unsigned *keyBlobLen); // RETURNED
+static feeReturn feePubKeyInitFromKeyBlob(feePubKey pubKey,
+ unsigned char *keyBlob,
+ unsigned keyBlobLen);
+
+#pragma mark --- General public API function ---
+
+/*
+ * Obatin a newly allocated feePubKey.
+ */
+feePubKey feePubKeyAlloc(void)
+{
+ pubKeyInst *pkinst = pubKeyInstAlloc();
+
+ #if GIANTS_VIA_STACK
+ feePubKeyInitGiants();
+ #endif
+ return pkinst;
+}
+
+void feePubKeyFree(feePubKey pubKey)
+{
+ pubKeyInstFree((pubKeyInst*) pubKey);
+}
+
+#ifndef ECDSA_VERIFY_ONLY
+/*
+ * Init feePubKey from private key data.
+ */
+feeReturn feePubKeyInitFromPrivDataKeyBits(feePubKey pubKey,
+ const unsigned char *privData,
+ unsigned privDataLen,
+ unsigned keyBits, /* key size in bits */
+ feePrimeType primeType, /* FPT_Fefault means "best one" */
+ feeCurveType curveType, /* FCT_Default means "best one" */
+ char hashPrivData)
+{
+ feeReturn frtn;
+ feeDepth depth;
+
+ frtn = feeKeyBitsToDepth(keyBits, primeType, curveType, &depth);
+ if(frtn) {
+ return frtn;
+ }
+ return feePubKeyInitFromPrivDataDepth(pubKey,
+ privData,
+ privDataLen,
+ depth,
+ hashPrivData);
+}
+
+feeReturn feePubKeyInitFromPrivDataDepth(feePubKey pubKey,
+ const unsigned char *privData,
+ unsigned privDataLen,
+ feeDepth depth,
+ char hashPrivData)
+{
+ pubKeyInst *pkinst = (pubKeyInst *) pubKey;
+ feeReturn frtn;
+
+ #if ENGINE_127_BITS
+ if(depth != FEE_DEPTH_127_1) {
+ dbgLog(("Illegal Depth\n"));
+ return FR_IllegalDepth;
+ }
+ #endif // ENGINE_127_BITS
+ if(depth > FEE_DEPTH_MAX) {
+ dbgLog(("Illegal Depth\n"));
+ return FR_IllegalDepth;
+ }
+
+ pkinst->cp = curveParamsForDepth(depth);
+ pkinst->plus = new_public(pkinst->cp, CURVE_PLUS);
+ if(pkinst->cp->x1Minus != NULL) {
+ pkinst->minus = new_public(pkinst->cp, CURVE_MINUS);
+ }
+ /* else only usable for ECDSA */
+
+ frtn = feeGenPrivate(pkinst, privData, privDataLen, hashPrivData);
+ if(frtn) {
+ return frtn;
+ }
+ set_priv_key_giant(pkinst->plus, pkinst->privGiant);
+ if(pkinst->cp->x1Minus != NULL) {
+ set_priv_key_giant(pkinst->minus, pkinst->privGiant);
+ }
+ return FR_Success;
+}
+
+#endif /* ECDSA_VERIFY_ONLY */
+
+/*
+ * Init feePubKey from curve parameters matching existing oldKey.
+ */
+feeReturn feePubKeyInitFromKey(feePubKey pubKey,
+ const unsigned char *privData,
+ unsigned privDataLen,
+ feePubKey oldKey,
+ char hashPrivData)
+{
+ pubKeyInst *pkinst = (pubKeyInst *) pubKey;
+ pubKeyInst *oldInst = (pubKeyInst *) oldKey;
+ feeReturn frtn;
+
+ if(oldKey == NULL) {
+ dbgLog(("NULL existing key\n"));
+ return FR_BadPubKey;
+ }
+
+ pkinst->cp = curveParamsCopy(oldInst->cp);
+ if(pkinst->cp->x1Minus != NULL) {
+ pkinst->minus = new_public(pkinst->cp, CURVE_MINUS);
+ if(pkinst->minus == NULL) {
+ goto abort;
+ }
+ }
+ /* else this curve only usable for ECDSA */
+
+ pkinst->plus = new_public(pkinst->cp, CURVE_PLUS);
+ if(pkinst->plus == NULL) {
+ goto abort;
+ }
+ frtn = feeGenPrivate(pkinst, privData, privDataLen, hashPrivData);
+ if(frtn) {
+ return frtn;
+ }
+ set_priv_key_giant(pkinst->plus, pkinst->privGiant);
+ if(pkinst->cp->x1Minus != NULL) {
+ set_priv_key_giant(pkinst->minus, pkinst->privGiant);
+ }
+ return FR_Success;
+
+abort:
+ dbgLog(("Bad Existing Public Key\n"));
+ return FR_BadPubKey;
+}
+
+/***
+ *** Public KeyString support.
+ ***/
+/*
+ * Init feePubKey from a public key string.
+ *
+ * See ByteRep.doc for info on the format of the public key string and blobs;
+ * PLEASE UPDATE THIS DOCUMENT WHEN YOU MAKE CHANGES TO THE STRING FORMAT.
+ */
+feeReturn feePubKeyInitFromKeyString(feePubKey pubKey,
+ const char *keyStr,
+ unsigned keyStrLen)
+{
+ unsigned char *blob = NULL;
+ unsigned blobLen;
+ feeReturn frtn;
+
+ blob = dec64((unsigned char *)keyStr, keyStrLen, &blobLen);
+ if(blob == NULL) {
+ dbgLog(("Bad Public Key String (not enc64)\n"));
+ return FR_BadPubKeyString;
+ }
+ frtn = feePubKeyInitFromKeyBlob(pubKey, blob, blobLen);
+ ffree(blob);
+ return frtn;
+}
+
+/*
+ * Create a public key in the form of a null-terminated C string.
+ * This string contains an encoded version of all of our ivars except for
+ * privGiant.
+ *
+ * See ByteRep.doc for info on the format of the public key string and blobs;
+ * PLEASE UPDATE THIS DOCUMENT WHEN YOU MAKE CHANGES TO THE STRING FORMAT.
+ */
+feeReturn feePubKeyCreateKeyString(feePubKey pubKey,
+ char **pubKeyString, /* RETURNED */
+ unsigned *pubKeyStringLen) /* RETURNED */
+{
+ unsigned char *blob;
+ unsigned blobLen;
+ feeReturn frtn;
+ pubKeyInst *pkinst = (pubKeyInst *)pubKey;
+
+ /* get binary pub blob, encode the blob, free the blob */
+ frtn = createKeyBlob(pkinst,
+ 0, // isPrivate
+ &blob,
+ &blobLen);
+ if(frtn) {
+ return frtn;
+ }
+
+ *pubKeyString = (char *)enc64(blob, blobLen, pubKeyStringLen);
+ ffree(blob);
+ return FR_Success;
+}
+
+/***
+ *** Native key blob support.
+ ***/
+
+#ifndef ECDSA_VERIFY_ONLY
+
+/*
+ * Obtain portable public and private key blobs from a key.
+ */
+feeReturn feePubKeyCreatePubBlob(feePubKey pubKey,
+ unsigned char **keyBlob, // mallocd and RETURNED
+ unsigned *keyBlobLen) // RETURNED
+{
+ pubKeyInst *pkinst = (pubKeyInst *)pubKey;
+
+ return createKeyBlob(pkinst,
+ 0,
+ keyBlob,
+ keyBlobLen);
+}
+
+feeReturn feePubKeyCreatePrivBlob(feePubKey pubKey,
+ unsigned char **keyBlob, // mallocd and RETURNED
+ unsigned *keyBlobLen) // RETURNED
+{
+ pubKeyInst *pkinst = (pubKeyInst *)pubKey;
+
+ if(pkinst->privGiant == NULL) {
+ return FR_IncompatibleKey;
+ }
+ return createKeyBlob(pkinst,
+ 1,
+ keyBlob,
+ keyBlobLen);
+}
+
+/*
+ * Given private-capable privKey, initialize pubKey to be its corresponding
+ * public key.
+ */
+feeReturn feePubKeyInitPubKeyFromPriv(feePubKey privKey,
+ feePubKey pubKey)
+{
+ pubKeyInst *privInst = (pubKeyInst *)privKey;
+ pubKeyInst *pubInst = (pubKeyInst *)pubKey;
+
+ if((privInst == NULL) || (pubInst == NULL)) {
+ return FR_BadPubKey;
+ }
+ if(privInst->privGiant == NULL) {
+ return FR_IncompatibleKey;
+ }
+ pubInst->cp = curveParamsCopy(privInst->cp);
+ if(pubInst == NULL) {
+ return FR_Memory;
+ }
+ pubInst->plus = new_public_with_key(privInst->plus, pubInst->cp);
+ if(pubInst->plus == NULL) {
+ return FR_Memory;
+ }
+ if(pubInst->cp->x1Minus != NULL) {
+ pubInst->minus = new_public_with_key(privInst->minus, pubInst->cp);
+ if(pubInst->minus == NULL) {
+ return FR_Memory;
+ }
+ }
+ return FR_Success;
+}
+
+#endif /* ECDSA_VERIFY_ONLY */
+
+/*
+ * Returns non-zero if two keys are equivalent.
+ */
+int feePubKeyIsEqual(feePubKey key1, feePubKey key2)
+{
+ pubKeyInst *pkinst1 = (pubKeyInst *) key1;
+ pubKeyInst *pkinst2 = (pubKeyInst *) key2;
+
+ if ((pkinst1 == NULL) || (pkinst2 == NULL)) {
+ return 0;
+ }
+ if((pkinst1->minus != NULL) && (pkinst2->minus != NULL)) {
+ if(key_equal(pkinst1->minus, pkinst2->minus) == 0) {
+ return 0;
+ }
+ }
+ if(key_equal(pkinst1->plus, pkinst2->plus) == 0) {
+ return 0;
+ }
+ return 1;
+}
+
+/*
+ * Returns non-zero if key is private-capable (i.e., capable of signing
+ * and decrypting).
+ */
+int feePubKeyIsPrivate(feePubKey key)
+{
+ pubKeyInst *myPkinst = (pubKeyInst *)key;
+
+ return ((myPkinst->privGiant != NULL) ? 1 : 0);
+}
+
+#ifndef ECDSA_VERIFY_ONLY
+
+#if CRYPTKIT_KEY_EXCHANGE
+
+feeReturn feePubKeyCreatePad(feePubKey myKey,
+ feePubKey theirKey,
+ unsigned char **padData, /* RETURNED */
+ unsigned *padDataLen) /* RETURNED padData length in bytes */
+{
+ pubKeyInst *myPkinst = (pubKeyInst *) myKey;
+ pubKeyInst *theirPkinst = (pubKeyInst *) theirKey;
+ giant pad;
+ unsigned char *result;
+ unsigned padLen;
+ key pkey;
+
+ /*
+ * Do some compatibility checking (myKey, theirKey) here...?
+ */
+ if(DEFAULT_CURVE == CURVE_PLUS) {
+ pkey = theirPkinst->plus;
+ }
+ else {
+ pkey = theirPkinst->minus;
+ }
+ pad = make_pad(myPkinst->privGiant, pkey);
+ result = mem_from_giant(pad, &padLen);
+ freeGiant(pad);
+
+ /*
+ * Ensure we have a the minimum necessary for DES. A bit of a hack,
+ * to be sure.
+ */
+ if(padLen >= FEE_DES_MIN_STATE_SIZE) {
+ *padData = result;
+ *padDataLen = padLen;
+ }
+ else {
+ *padData = (unsigned char*) fmalloc(FEE_DES_MIN_STATE_SIZE);
+ *padDataLen = FEE_DES_MIN_STATE_SIZE;
+ bzero(*padData, FEE_DES_MIN_STATE_SIZE);
+ bcopy(result, *padData, padLen);
+ ffree(result);
+ }
+ return FR_Success;
+}
+
+#endif /* CRYPTKIT_KEY_EXCHANGE */
+
+#if CRYPTKIT_HIGH_LEVEL_SIG
+
+#warning HLS
+/*
+ * Generate digital signature, ElGamal style.
+ */
+feeReturn feePubKeyCreateSignature(feePubKey pubKey,
+ const unsigned char *data,
+ unsigned dataLen,
+ unsigned char **signature, /* fmalloc'd and RETURNED */
+ unsigned *signatureLen) /* RETURNED */
+{
+ pubKeyInst *pkinst = (pubKeyInst *) pubKey;
+ feeHash hash;
+ feeSig sig;
+ unsigned char *Pm = NULL;
+ unsigned PmLen;
+ feeReturn frtn;
+
+ if(pkinst->privGiant == NULL) {
+ dbgLog(("feePubKeyCreateSignature: Attempt to Sign without"
+ " private data\n"));
+ return FR_BadPubKey;
+ }
+ hash = feeHashAlloc();
+ sig = feeSigNewWithKey(pubKey, NULL, NULL);
+ if(sig == NULL) {
+ /*
+ * Shouldn't happen, but...
+ */
+ feeHashFree(hash);
+ return FR_BadPubKey;
+ }
+
+ /*
+ * Get Pm to salt hash object
+ */
+ Pm = feeSigPm(sig, &PmLen);
+ feeHashAddData(hash, Pm, PmLen);
+
+ /*
+ * Now hash the data proper, then sign the hash
+ */
+ feeHashAddData(hash, data, dataLen);
+ frtn = feeSigSign(sig,
+ feeHashDigest(hash),
+ feeHashDigestLen(),
+ pubKey);
+ if(frtn == FR_Success) {
+ frtn = feeSigData(sig, signature, signatureLen);
+ }
+ feeHashFree(hash);
+ feeSigFree(sig);
+ ffree(Pm);
+ return frtn;
+}
+
+/*
+ * Verify digital signature, ElGamal style. If the signature is ECDSA,
+ * we'll use that format for compatibility.
+ */
+feeReturn feePubKeyVerifySignature(feePubKey pubKey,
+ const unsigned char *data,
+ unsigned dataLen,
+ const unsigned char *signature,
+ unsigned signatureLen)
+{
+ feeHash hash;
+ feeSig sig;
+ unsigned char *Pm = NULL;
+ unsigned PmLen;
+ feeReturn frtn;
+
+ hash = feeHashAlloc();
+ frtn = feeSigParse(signature, signatureLen, &sig);
+ if(frtn) {
+ feeHashFree(hash);
+ #if CRYPTKIT_ECDSA_ENABLE
+ if(frtn == FR_WrongSignatureType) {
+ return feePubKeyVerifyECDSASignature(pubKey,
+ data,
+ dataLen,
+ signature,
+ signatureLen);
+ }
+ #endif /* CRYPTKIT_ECDSA_ENABLE */
+ return frtn;
+ }
+
+ /*
+ * Get PM as salt; eat salt, then hash data
+ */
+ Pm = feeSigPm(sig, &PmLen);
+ feeHashAddData(hash, Pm, PmLen);
+ feeHashAddData(hash, data, dataLen);
+ frtn = feeSigVerify(sig,
+ feeHashDigest(hash),
+ feeHashDigestLen(),
+ pubKey);
+
+ feeHashFree(hash);
+ feeSigFree(sig);
+ ffree(Pm);
+ return frtn;
+}
+
+#pragma mark --- ECDSA signature: high level routines ---
+
+#if CRYPTKIT_ECDSA_ENABLE
+/*
+ * Generate digital signature, ECDSA style.
+ */
+feeReturn feePubKeyCreateECDSASignature(feePubKey pubKey,
+ const unsigned char *data,
+ unsigned dataLen,
+ unsigned char **signature, /* fmalloc'd and RETURNED */
+ unsigned *signatureLen) /* RETURNED */
+{
+ pubKeyInst *pkinst = (pubKeyInst *) pubKey;
+ sha1Obj sha1;
+ feeReturn frtn;
+
+ if(pkinst->privGiant == NULL) {
+ dbgLog(("feePubKeyCreateECDSASignature: Attempt to Sign "
+ "without private data\n"));
+ return FR_BadPubKey;
+ }
+ sha1 = sha1Alloc();
+ sha1AddData(sha1, data, dataLen);
+ frtn = feeECDSASign(pubKey,
+ sha1Digest(sha1),
+ sha1DigestLen(),
+ NULL, // randFcn
+ NULL,
+ signature,
+ signatureLen);
+ sha1Free(sha1);
+ return frtn;
+}
+#endif /* CRYPTKIT_ECDSA_ENABLE */
+#endif /* CRYPTKIT_HIGH_LEVEL_SIG */
+#endif /* ECDSA_VERIFY_ONLY */
+
+#if CRYPTKIT_HIGH_LEVEL_SIG
+
+#if CRYPTKIT_ECDSA_ENABLE
+
+/*
+ * Verify digital signature, ECDSA style.
+ */
+feeReturn feePubKeyVerifyECDSASignature(feePubKey pubKey,
+ const unsigned char *data,
+ unsigned dataLen,
+ const unsigned char *signature,
+ unsigned signatureLen)
+{
+ sha1Obj sha1;
+ feeReturn frtn;
+
+ sha1 = sha1Alloc();
+ sha1AddData(sha1, data, dataLen);
+ frtn = feeECDSAVerify(signature,
+ signatureLen,
+ sha1Digest(sha1),
+ sha1DigestLen(),
+ pubKey);
+ sha1Free(sha1);
+ return frtn;
+}
+
+#endif /* CRYPTKIT_ECDSA_ENABLE */
+
+#endif /* CRYPTKIT_HIGH_LEVEL_SIG */
+
+#pragma mark --- ECDH ---
+
+/*
+ * Diffie-Hellman. Public key is specified either as a feePubKey or
+ * a ANSI X9.62 format public key string (0x04 | x | y). In either case
+ * the caller must ensure that the two keys are on the same curve.
+ * Output data is fmalloc'd here; caller must free. Output data is
+ * exactly the size of the curve's modulus in bytes.
+ */
+feeReturn feePubKeyECDH(
+ feePubKey privKey,
+ /* one of the following two is non-NULL */
+ feePubKey pubKey,
+ const unsigned char *pubKeyStr,
+ unsigned pubKeyStrLen,
+ /* output fmallocd and RETURNED here */
+ unsigned char **output,
+ unsigned *outputLen)
+{
+ feePubKey theirPub = pubKey;
+ feeReturn frtn = FR_Success;
+ pubKeyInst *privInst = (pubKeyInst *) privKey;
+
+ if(privInst->privGiant == NULL) {
+ dbgLog(("feePubKeyECDH: privKey not a private key\n"));
+ return FR_IncompatibleKey;
+ }
+
+ if(theirPub == NULL) {
+ if(pubKeyStr == NULL) {
+ return FR_IllegalArg;
+ }
+
+ /* Cook up a public key with the same curveParams as the private key */
+ feeDepth depth;
+ frtn = curveParamsDepth(privInst->cp, &depth);
+ if(frtn) {
+ return frtn;
+ }
+ theirPub = feePubKeyAlloc();
+ if(theirPub == NULL) {
+ return FR_Memory;
+ }
+ frtn = feePubKeyInitFromECDSAPubBlob(theirPub, pubKeyStr, pubKeyStrLen, depth);
+ if(frtn) {
+ goto errOut;
+ }
+ }
+
+ pubKeyInst *pubInst = (pubKeyInst *) theirPub;
+
+ giant outputGiant = make_pad(privInst->privGiant, pubInst->plus);
+ if(outputGiant == NULL) {
+ dbgLog(("feePubKeyECDH: make_pad error\n"));
+ frtn = FR_Internal;
+ }
+ else {
+ *outputLen = (privInst->cp->q + 7) / 8;
+ *output = (unsigned char *)fmalloc(*outputLen);
+ if(*output == NULL) {
+ frtn = FR_Memory;
+ goto errOut;
+ }
+ serializeGiant(outputGiant, *output, *outputLen);
+ freeGiant(outputGiant);
+ }
+errOut:
+ if((pubKey == NULL) && (theirPub != NULL)) {
+ feePubKeyFree(theirPub);
+ }
+ return frtn;
+}
+
+#pragma mark --- feePubKey data accessors ---
+
+unsigned feePubKeyBitsize(feePubKey pubKey)
+{
+ pubKeyInst *pkinst = (pubKeyInst *) pubKey;
+ switch(pkinst->cp->primeType) {
+ case FPT_General: /* cp->q is here for just this purpose */
+ case FPT_Mersenne:
+ return pkinst->cp->q;
+ case FPT_FEE: /* could be larger or smaller than 2^q-1 */
+ default:
+ return bitlen(pkinst->cp->basePrime);
+ }
+ /* NOT REACHED */
+ return 0;
+}
+
+/*
+ * Accessor routines.
+ */
+/* private only...*/
+key feePubKeyPlusCurve(feePubKey pubKey)
+{
+ pubKeyInst *pkinst = (pubKeyInst *) pubKey;
+
+ return pkinst->plus;
+}
+
+key feePubKeyMinusCurve(feePubKey pubKey)
+{
+ pubKeyInst *pkinst = (pubKeyInst *) pubKey;
+
+ return pkinst->minus;
+}
+
+curveParams *feePubKeyCurveParams(feePubKey pubKey)
+{
+ pubKeyInst *pkinst = (pubKeyInst *) pubKey;
+
+ return pkinst->cp;
+}
+
+giant feePubKeyPrivData(feePubKey pubKey)
+{
+ pubKeyInst *pkinst = (pubKeyInst *) pubKey;
+
+ return pkinst->privGiant;
+}
+
+const char *feePubKeyAlgorithmName(void)
+{
+ return "Elliptic Curve - FEE by Apple Computer";
+}
+
+#pragma mark --- Private functions ---
+
+/*
+ * alloc, free pubKeyInst
+ */
+static pubKeyInst *pubKeyInstAlloc(void)
+{
+ pubKeyInst *pkinst = (pubKeyInst *) fmalloc(sizeof(pubKeyInst));
+
+ bzero(pkinst, sizeof(pubKeyInst));
+ return pkinst;
+}
+
+static void pubKeyInstFree(pubKeyInst *pkinst)
+{
+ if(pkinst->minus) {
+ free_key(pkinst->minus);
+ }
+ if(pkinst->plus) {
+ free_key(pkinst->plus);
+ }
+ if(pkinst->cp) {
+ freeCurveParams(pkinst->cp);
+ }
+ if(pkinst->privGiant) {
+ /*
+ * Zero out the private data...
+ */
+ clearGiant(pkinst->privGiant);
+ freeGiant(pkinst->privGiant);
+ }
+ ffree(pkinst);
+}
+
+#ifndef ECDSA_VERIFY_ONLY
+
+/*
+ * Create a pubKeyInst.privGiant given a password of
+ * arbitrary length.
+ * Currently, the only error is "private data too short" (FR_IllegalArg).
+ */
+
+#define NO_PRIV_MUNGE 0 /* skip this step */
+
+static feeReturn feeGenPrivate(pubKeyInst *pkinst,
+ const unsigned char *passwd,
+ unsigned passwdLen,
+ char hashPasswd)
+{
+ unsigned privLen; // desired size of pkinst->privData
+ feeHash *hash = NULL; // a malloc'd array
+ unsigned digestLen; // size of MD5 digest
+ unsigned dataSize; // min(privLen, passwdLen)
+ unsigned numDigests = 0;
+ unsigned i;
+ unsigned char *cp;
+ unsigned toMove; // for this digest
+ unsigned moved; // total digested
+ unsigned char *digest = NULL;
+ unsigned char *privData = NULL; // temp, before modg(curveOrder)
+ giant corder; // lesser of two curve orders
+
+ /*
+ * generate privData which is just larger than the smaller
+ * curve order.
+ * We'll take the result mod the curve order when we're done.
+ * Note we do *not* have to free corder - it's a pointer to a giant
+ * in pkinst->cp.
+ */
+ corder = lesserX1Order(pkinst->cp);
+ CKASSERT(!isZero(corder));
+ privLen = (bitlen(corder) / 8) + 1;
+
+ if(!hashPasswd) {
+ /*
+ * Caller trusts the incoming entropy. Verify it's big enough and proceed.
+ */
+ if(passwdLen < privLen) {
+ return FR_ShortPrivData;
+ }
+ privLen = passwdLen;
+ privData = (unsigned char *)passwd;
+ goto finishUp;
+ }
+ if(passwdLen < 2) {
+ return FR_IllegalArg;
+ }
+
+
+ /*
+ * Calculate how many MD5 digests we'll generate.
+ */
+ if(privLen > passwdLen) {
+ dataSize = passwdLen;
+ }
+ else {
+ dataSize = privLen;
+ }
+ digestLen = feeHashDigestLen();
+ numDigests = (dataSize + digestLen - 1) / digestLen;
+
+ hash = (void**) fmalloc(numDigests * sizeof(feeHash));
+ for(i=0; i<numDigests; i++) {
+ hash[i] = feeHashAlloc();
+ }
+
+ /*
+ * fill digests with passwd data, digestLen (or resid length)
+ * at a time. If (passwdLen > privLen), last digest will hash all
+ * remaining passwd data.
+ */
+ cp = (unsigned char *)passwd;
+ moved = 0;
+ for(i=0; i<numDigests; i++) {
+ if(i == (numDigests - 1)) { // last digest
+ toMove = passwdLen - moved;
+ }
+ else {
+ toMove = digestLen;
+ }
+ feeHashAddData(hash[i], cp, toMove);
+ cp += toMove;
+ moved += toMove;
+ }
+
+ /*
+ * copy digests to privData, up to privLen bytes. Pad with
+ * additional copies of digests if necessary.
+ */
+ privData = (unsigned char*) fmalloc(privLen);
+ cp = privData;
+ moved = 0;
+ i = 0; // digest number
+ for(moved=0; moved<privLen; ) {
+ if((moved + digestLen) > privLen) {
+ toMove = privLen - moved;
+ }
+ else {
+ toMove = digestLen;
+ }
+ digest = feeHashDigest(hash[i++]);
+ bcopy(digest, cp, toMove);
+ cp += toMove;
+ moved += toMove;
+ if(i == numDigests) {
+ i = 0; // wrap to 0, start padding
+ }
+ }
+
+finishUp:
+ /*
+ * Convert to giant, justify result to within [2, lesserX1Order]
+ */
+ pkinst->privGiant = giant_with_data(privData, privLen);
+
+ #if FEE_DEBUG
+ if(isZero(pkinst->privGiant)) {
+ printf("feeGenPrivate: privData = 0!\n");
+ }
+ #endif // FEE_DEBUG
+
+ lesserX1OrderJustify(pkinst->privGiant, pkinst->cp);
+ if(hashPasswd) {
+ memset(privData, 0, privLen);
+ ffree(privData);
+ for(i=0; i<numDigests; i++) {
+ feeHashFree(hash[i]);
+ }
+ ffree(hash);
+ }
+ return FR_Success;
+}
+
+#endif /* ECDSA_VERIFY_ONLY */
+
+#if FEE_DEBUG
+
+void printPubKey(feePubKey pubKey)
+{
+ pubKeyInst *pkinst = pubKey;
+
+ printf("\ncurveParams:\n");
+ printCurveParams(pkinst->cp);
+ printf("plus:\n");
+ printKey(pkinst->plus);
+ printf("minus:\n");
+ printKey(pkinst->minus);
+ if(pkinst->privGiant != NULL) {
+ printf("privGiant : ");
+ printGiant(pkinst->privGiant);
+ }
+}
+
+#else // FEE_DEBUG
+void printPubKey(feePubKey pubKey) {}
+#endif // FEE_DEBUG
+
+/*
+ * Prime the curveParams and giants modules for quick allocs of giants.
+ */
+#if GIANTS_VIA_STACK
+
+static int giantsInitd = 0;
+
+static void feePubKeyInitGiants(void)
+{
+ if(giantsInitd) {
+ return;
+ }
+ curveParamsInitGiants();
+ giantsInitd = 1;
+}
+#endif
+
+#pragma mark --- Native (custom) key blob formatting ---
+
+/*
+ * Exported key blob support. New, 23 Mar 1998.
+ *
+ * Convert to public or private key blob.
+ */
+
+#ifndef ECDSA_VERIFY_ONLY
+
+/***
+ *** Common native blob support
+ ***/
+static feeReturn createKeyBlob(pubKeyInst *pkinst,
+ int isPrivate, // 0 : public 1 : private
+ unsigned char **keyBlob, // mallocd and RETURNED
+ unsigned *keyBlobLen) // RETURNED
+{
+ unsigned char *s; // running ptr into *origS
+ unsigned sLen;
+ int magic;
+
+ /* common blob elements */
+ sLen = (4 * sizeof(int)) + // magic, version, minVersion,
+ // spare
+ lengthOfByteRepCurveParams(pkinst->cp);
+ if(isPrivate) {
+ /* private only */
+ sLen += lengthOfByteRepGiant(pkinst->privGiant);
+ magic = PUBLIC_KEY_BLOB_MAGIC_PRIV;
+ }
+ else {
+ /* public only */
+ sLen += (lengthOfByteRepKey(pkinst->plus) +
+ lengthOfByteRepKey(pkinst->minus));
+ magic = PUBLIC_KEY_BLOB_MAGIC_PUB;
+ }
+ *keyBlob = s = (unsigned char*) fmalloc(sLen);
+ s += intToByteRep(magic, s);
+ s += intToByteRep(PUBLIC_KEY_BLOB_VERSION, s);
+ s += intToByteRep(PUBLIC_KEY_BLOB_MINVERSION, s);
+ s += intToByteRep(0, s); // spare
+ s += curveParamsToByteRep(pkinst->cp, s);
+ if(isPrivate) {
+ s += giantToByteRep(pkinst->privGiant, s);
+ }
+ else {
+ /* keyToByteRep writes y for plus curve only */
+ s += keyToByteRep(pkinst->plus, s);
+ if(pkinst->minus != NULL) {
+ s += keyToByteRep(pkinst->minus, s);
+ }
+ else {
+ /* TBD */
+ dbgLog(("work needed here for blobs with no minus key\n"));
+ }
+ }
+ *keyBlobLen = sLen;
+ return FR_Success;
+}
+
+#endif /* ECDSA_VERIFY_ONLY */
+
+/*
+ * Init an empty feePubKey from a native blob (non-DER format).
+ */
+static feeReturn feePubKeyInitFromKeyBlob(feePubKey pubKey,
+ unsigned char *keyBlob,
+ unsigned keyBlobLen)
+{
+ pubKeyInst *pkinst = (pubKeyInst *) pubKey;
+ unsigned char *s; // running pointer
+ unsigned sLen; // bytes remaining in *s
+ int magic;
+ unsigned len; // for length of individual components
+ int minVersion;
+ int version;
+ int isPrivate;
+
+ s = keyBlob;
+ sLen = keyBlobLen;
+ if(sLen < (4 * sizeof(int))) { // magic, version, minVersion, spare
+ /*
+ * Too short for all the ints we need
+ */
+ dbgLog(("feePublicKey: key blob (1)\n"));
+ return FR_BadKeyBlob;
+ }
+
+ magic = byteRepToInt(s);
+ s += sizeof(int);
+ sLen -= sizeof(int);
+ switch(magic) {
+ case PUBLIC_KEY_BLOB_MAGIC_PUB:
+ isPrivate = 0;
+ break;
+ case PUBLIC_KEY_BLOB_MAGIC_PRIV:
+ isPrivate = 1;
+ break;
+ default:
+ dbgLog(("feePublicKey: Bad Public Key Magic Number\n"));
+ return FR_BadKeyBlob;
+ }
+
+ /*
+ * Switch on this for version-specific cases
+ */
+ version = byteRepToInt(s);
+ s += sizeof(int);
+ sLen -= sizeof(int);
+
+ minVersion = byteRepToInt(s);
+ s += sizeof(int);
+ sLen -= sizeof(int);
+ if(minVersion > PUBLIC_KEY_BLOB_VERSION) {
+ /*
+ * old code, newer key blob - can't parse
+ */
+ dbgLog(("feePublicKey: Incompatible Public Key (1)\n"));
+ return FR_BadKeyBlob;
+ }
+
+ s += sizeof(int); // skip spare
+ sLen -= sizeof(int);
+
+ pkinst->cp = byteRepToCurveParams(s, sLen, &len);
+ if(pkinst->cp == NULL) {
+ dbgLog(("feePublicKey: Bad Key Blob(2)\n"));
+ return FR_BadKeyBlob;
+ }
+ s += len;
+ sLen -= len;
+
+ /*
+ * Private key blob: privGiant.
+ * Public Key blob: plusX, minusX, plusY.
+ */
+ if(isPrivate) {
+ pkinst->privGiant = byteRepToGiant(s, sLen, &len);
+ if(pkinst->privGiant == NULL) {
+ dbgLog(("feePublicKey: Bad Key Blob(3)\n"));
+ return FR_BadKeyBlob;
+ }
+ s += len;
+ sLen -= len;
+ }
+ else {
+ /* this writes x and y */
+ pkinst->plus = byteRepToKey(s,
+ sLen,
+ CURVE_PLUS, // twist
+ pkinst->cp,
+ &len);
+ if(pkinst->plus == NULL) {
+ dbgLog(("feePublicKey: Bad Key Blob(4)\n"));
+ return FR_BadKeyBlob;
+ }
+ s += len;
+ sLen -= len;
+
+ /* this only writes x */
+ pkinst->minus = byteRepToKey(s,
+ sLen,
+ CURVE_MINUS, // twist
+ pkinst->cp,
+ &len);
+ if(pkinst->minus == NULL) {
+ dbgLog(("feePublicKey: Bad Key Blob(5)\n"));
+ return FR_BadKeyBlob;
+ }
+ s += len;
+ sLen -= len;
+ }
+
+ /*
+ * One more thing: cook up public plusX and minusX for private key
+ * blob case.
+ */
+ if(isPrivate) {
+ pkinst->plus = new_public(pkinst->cp, CURVE_PLUS);
+ pkinst->minus = new_public(pkinst->cp, CURVE_MINUS);
+ set_priv_key_giant(pkinst->plus, pkinst->privGiant);
+ set_priv_key_giant(pkinst->minus, pkinst->privGiant);
+ }
+ return FR_Success;
+
+}
+
+feeReturn feePubKeyInitFromPubBlob(feePubKey pubKey,
+ unsigned char *keyBlob,
+ unsigned keyBlobLen)
+{
+ return feePubKeyInitFromKeyBlob(pubKey, keyBlob, keyBlobLen);
+}
+
+#ifndef ECDSA_VERIFY_ONLY
+
+feeReturn feePubKeyInitFromPrivBlob(feePubKey pubKey,
+ unsigned char *keyBlob,
+ unsigned keyBlobLen)
+{
+ return feePubKeyInitFromKeyBlob(pubKey, keyBlob, keyBlobLen);
+}
+
+#endif /* ECDSA_VERIFY_ONLY */
+
+#if CRYPTKIT_DER_ENABLE
+#ifndef ECDSA_VERIFY_ONLY
+
+/*
+ * DER format support.
+ * Obtain portable public and private DER-encoded key blobs from a key.
+ */
+feeReturn feePubKeyCreateDERPubBlob(feePubKey pubKey,
+ unsigned char **keyBlob, // mallocd and RETURNED
+ unsigned *keyBlobLen) // RETURNED
+{
+ pubKeyInst *pkinst = (pubKeyInst *)pubKey;
+
+ if(pkinst == NULL) {
+ return FR_BadPubKey;
+ }
+ if(pkinst->minus == NULL) {
+ /* Only ECDSA key formats supported */
+ return FR_IncompatibleKey;
+ }
+ return feeDEREncodePublicKey(PUBLIC_DER_KEY_BLOB_VERSION,
+ pkinst->cp,
+ pkinst->plus->x,
+ pkinst->minus->x,
+ isZero(pkinst->plus->y) ? NULL : pkinst->plus->y,
+ keyBlob,
+ keyBlobLen);
+}
+
+feeReturn feePubKeyCreateDERPrivBlob(feePubKey pubKey,
+ unsigned char **keyBlob, // mallocd and RETURNED
+ unsigned *keyBlobLen) // RETURNED
+{
+ pubKeyInst *pkinst = (pubKeyInst *)pubKey;
+
+ if(pkinst == NULL) {
+ return FR_BadPubKey;
+ }
+ if(pkinst->privGiant == NULL) {
+ return FR_IncompatibleKey;
+ }
+ if(pkinst->minus == NULL) {
+ /* Only ECDSA key formats supported */
+ return FR_IncompatibleKey;
+ }
+ return feeDEREncodePrivateKey(PUBLIC_DER_KEY_BLOB_VERSION,
+ pkinst->cp,
+ pkinst->privGiant,
+ keyBlob,
+ keyBlobLen);
+}
+
+#endif /* ECDSA_VERIFY_ONLY */
+
+/*
+ * Init an empty feePubKey from a DER-encoded blob, public and private key versions.
+ */
+feeReturn feePubKeyInitFromDERPubBlob(feePubKey pubKey,
+ unsigned char *keyBlob,
+ size_t keyBlobLen)
+{
+ pubKeyInst *pkinst = (pubKeyInst *) pubKey;
+ feeReturn frtn;
+ int version;
+
+ if(pkinst == NULL) {
+ return FR_BadPubKey;
+ }
+
+ /* kind of messy, maybe we should clean this up. But new_public() does too
+ * much - e.g., it allocates the x and y which we really don't want */
+ memset(pkinst, 0, sizeof(pubKeyInst));
+ pkinst->plus = (key) fmalloc(sizeof(keystruct));
+ pkinst->minus = (key) fmalloc(sizeof(keystruct));
+ if((pkinst->plus == NULL) || (pkinst->minus == NULL)) {
+ return FR_Memory;
+ }
+ memset(pkinst->plus, 0, sizeof(keystruct));
+ memset(pkinst->minus, 0, sizeof(keystruct));
+ pkinst->cp = NULL;
+ pkinst->privGiant = NULL;
+ pkinst->plus->twist = CURVE_PLUS;
+ pkinst->minus->twist = CURVE_MINUS;
+ frtn = feeDERDecodePublicKey(keyBlob,
+ (unsigned)keyBlobLen,
+ &version, // currently unused
+ &pkinst->cp,
+ &pkinst->plus->x,
+ &pkinst->minus->x,
+ &pkinst->plus->y);
+ if(frtn) {
+ return frtn;
+ }
+ /* minus curve, y is not used */
+ pkinst->minus->y = newGiant(1);
+ int_to_giant(0, pkinst->minus->y);
+ pkinst->plus->cp = pkinst->minus->cp = pkinst->cp;
+ return FR_Success;
+}
+
+#ifndef ECDSA_VERIFY_ONLY
+
+feeReturn feePubKeyInitFromDERPrivBlob(feePubKey pubKey,
+ unsigned char *keyBlob,
+ size_t keyBlobLen)
+{
+ pubKeyInst *pkinst = (pubKeyInst *) pubKey;
+ int version;
+ feeReturn frtn;
+
+ if(pkinst == NULL) {
+ return FR_BadPubKey;
+ }
+ memset(pkinst, 0, sizeof(pubKeyInst));
+ frtn = feeDERDecodePrivateKey(keyBlob,
+ (unsigned)keyBlobLen,
+ &version, // currently unused
+ &pkinst->cp,
+ &pkinst->privGiant);
+ if(frtn) {
+ return frtn;
+ }
+
+ /* since this blob only had the private data, infer the remaining fields */
+ pkinst->plus = new_public(pkinst->cp, CURVE_PLUS);
+ pkinst->minus = new_public(pkinst->cp, CURVE_MINUS);
+ set_priv_key_giant(pkinst->plus, pkinst->privGiant);
+ set_priv_key_giant(pkinst->minus, pkinst->privGiant);
+ return FR_Success;
+}
+
+#endif /* ECDSA_VERIFY_ONLY */
+
+#pragma mark --- X509 (public) and PKCS8 (private) key formatting ---
+
+feeReturn feePubKeyCreateX509Blob(
+ feePubKey pubKey, // public key
+ unsigned char **keyBlob, // mallocd and RETURNED
+ unsigned *keyBlobLen) // RETURNED
+{
+ pubKeyInst *pkinst = (pubKeyInst *) pubKey;
+ unsigned char *xyStr = NULL;
+ unsigned xyStrLen = 0;
+ feeReturn frtn = feeCreateECDSAPubBlob(pubKey, &xyStr, &xyStrLen);
+ if(frtn) {
+ return frtn;
+ }
+ frtn = feeDEREncodeX509PublicKey(xyStr, xyStrLen, pkinst->cp, keyBlob, keyBlobLen);
+ ffree(xyStr);
+ return frtn;
+}
+
+feeReturn feePubKeyCreatePKCS8Blob(
+ feePubKey pubKey, // private key
+ unsigned char **keyBlob, // mallocd and RETURNED
+ unsigned *keyBlobLen) // RETURNED
+{
+ pubKeyInst *pkinst = (pubKeyInst *) pubKey;
+ unsigned char *privStr = NULL;
+ unsigned privStrLen = 0;
+ feeReturn frtn = feeCreateECDSAPrivBlob(pubKey, &privStr, &privStrLen);
+ if(frtn) {
+ return frtn;
+ }
+ unsigned char *pubStr = NULL;
+ unsigned pubStrLen = 0;
+ frtn = feeCreateECDSAPubBlob(pubKey, &pubStr, &pubStrLen);
+ if(frtn) {
+ goto errOut;
+ }
+ frtn = feeDEREncodePKCS8PrivateKey(privStr, privStrLen,
+ pubStr, pubStrLen,
+ pkinst->cp, keyBlob, keyBlobLen);
+errOut:
+ if(privStr) {
+ ffree(privStr);
+ }
+ if(pubStr) {
+ ffree(pubStr);
+ }
+ return frtn;
+}
+
+feeReturn feePubKeyInitFromX509Blob(
+ feePubKey pubKey, // public key
+ unsigned char *keyBlob,
+ size_t keyBlobLen)
+{
+ feeDepth depth;
+ unsigned char *xyStr = NULL;
+ unsigned xyStrLen = 0;
+
+ /* obtain x/y and depth from X509 encoding */
+ feeReturn frtn = feeDERDecodeX509PublicKey(keyBlob, (unsigned)keyBlobLen, &depth,
+ &xyStr, &xyStrLen);
+ if(frtn) {
+ return frtn;
+ }
+
+ frtn = feePubKeyInitFromECDSAPubBlob(pubKey, xyStr, xyStrLen, depth);
+ ffree(xyStr);
+ return frtn;
+}
+
+
+feeReturn feePubKeyInitFromPKCS8Blob(
+ feePubKey pubKey, // private key
+ unsigned char *keyBlob,
+ size_t keyBlobLen)
+{
+ feeDepth depth;
+ unsigned char *privStr = NULL;
+ unsigned privStrLen = 0;
+
+ /* obtain x/y and depth from PKCS8 encoding */
+ /* For now we ignore the possible public key string */
+ feeReturn frtn = feeDERDecodePKCS8PrivateKey(keyBlob, (unsigned)keyBlobLen, &depth,
+ &privStr, &privStrLen, NULL, NULL);
+ if(frtn) {
+ return frtn;
+ }
+
+ frtn = feePubKeyInitFromECDSAPrivBlob(pubKey, privStr, privStrLen, depth);
+ ffree(privStr);
+ return frtn;
+}
+
+#pragma mark --- OpenSSL key formatting ---
+
+/*
+ * The native OpenSSL ECDSA key format contains both the private and public
+ * components in one blob. This throws a bit of a monkey wrench into the API
+ * here, as we only have one encoder - which requires a private key - and one
+ * decoder, which can result in the decoding of either a public or a private
+ * key.
+ */
+feeReturn feePubKeyCreateOpenSSLBlob(
+ feePubKey pubKey, // private key
+ unsigned char **keyBlob, // mallocd and RETURNED
+ unsigned *keyBlobLen) // RETURNED
+{
+ pubKeyInst *pkinst = (pubKeyInst *) pubKey;
+ unsigned char *privStr = NULL;
+ unsigned privStrLen = 0;
+ feeReturn frtn = feeCreateECDSAPrivBlob(pubKey, &privStr, &privStrLen);
+ if(frtn) {
+ return frtn;
+ }
+ unsigned char *pubStr = NULL;
+ unsigned pubStrLen = 0;
+ frtn = feeCreateECDSAPubBlob(pubKey, &pubStr, &pubStrLen);
+ if(frtn) {
+ goto errOut;
+ }
+ frtn = feeDEREncodeOpenSSLPrivateKey(privStr, privStrLen,
+ pubStr, pubStrLen,
+ pkinst->cp, keyBlob, keyBlobLen);
+errOut:
+ if(privStr) {
+ ffree(privStr);
+ }
+ if(pubStr) {
+ ffree(pubStr);
+ }
+ return frtn;
+}
+
+feeReturn feePubKeyInitFromOpenSSLBlob(
+ feePubKey pubKey, // private or public key
+ int pubOnly,
+ unsigned char *keyBlob,
+ size_t keyBlobLen)
+{
+ feeDepth depth;
+ unsigned char *privStr = NULL;
+ unsigned privStrLen = 0;
+ unsigned char *pubStr = NULL;
+ unsigned pubStrLen = 0;
+
+ /* obtain x/y, public bit string, and depth from PKCS8 encoding */
+ feeReturn frtn = feeDERDecodeOpenSSLKey(keyBlob, (unsigned)keyBlobLen, &depth,
+ &privStr, &privStrLen, &pubStr, &pubStrLen);
+ if(frtn) {
+ return frtn;
+ }
+
+ if(pubOnly) {
+ frtn = feePubKeyInitFromECDSAPubBlob(pubKey, pubStr, pubStrLen, depth);
+ }
+ else {
+ frtn = feePubKeyInitFromECDSAPrivBlob(pubKey, privStr, privStrLen, depth);
+ }
+ if(privStr) {
+ ffree(privStr);
+ }
+ if(pubStr) {
+ ffree(pubStr);
+ }
+ return frtn;
+}
+
+#endif /* CRYPTKIT_DER_ENABLE */
+
+/*
+ * ANSI X9.62/Certicom key support.
+ * Public key is 04 || x || y
+ * Private key is privData per Certicom SEC1 C.4.
+ */
+feeReturn feeCreateECDSAPubBlob(feePubKey pubKey,
+ unsigned char **keyBlob,
+ unsigned *keyBlobLen)
+{
+ pubKeyInst *pkinst = (pubKeyInst *)pubKey;
+ if(pkinst == NULL) {
+ return FR_BadPubKey;
+ }
+
+ unsigned giantBytes = (pkinst->cp->q + 7) / 8;
+ unsigned blobSize = 1 + (2 * giantBytes);
+ unsigned char *blob = fmalloc(blobSize);
+ if(blob == NULL) {
+ return FR_Memory;
+ }
+ *blob = 0x04;
+ serializeGiant(pkinst->plus->x, blob+1, giantBytes);
+ serializeGiant(pkinst->plus->y, blob+1+giantBytes, giantBytes);
+ *keyBlob = blob;
+ *keyBlobLen = blobSize;
+ return FR_Success;
+}
+
+feeReturn feeCreateECDSAPrivBlob(feePubKey pubKey,
+ unsigned char **keyBlob,
+ unsigned *keyBlobLen)
+{
+ pubKeyInst *pkinst = (pubKeyInst *)pubKey;
+ if(pkinst == NULL) {
+ return FR_BadPubKey;
+ }
+ if(pkinst->privGiant == NULL) {
+ return FR_IncompatibleKey;
+ }
+
+ /*
+ * Return the raw private key bytes padded with zeroes in
+ * the m.s. end to fill exactly one prime-size byte array.
+ */
+ unsigned giantBytes = (pkinst->cp->q + 7) / 8;
+ unsigned char *blob = fmalloc(giantBytes);
+ if(blob == NULL) {
+ return FR_Memory;
+ }
+ serializeGiant(pkinst->privGiant, blob, giantBytes);
+ *keyBlob = blob;
+ *keyBlobLen = giantBytes;
+ return FR_Success;
+}
+
+/* Caller determines depth from other sources (e.g. AlgId.Params) */
+feeReturn feePubKeyInitFromECDSAPubBlob(feePubKey pubKey,
+ const unsigned char *keyBlob,
+ unsigned keyBlobLen,
+ feeDepth depth)
+{
+ pubKeyInst *pkinst = (pubKeyInst *)pubKey;
+ if(pkinst == NULL) {
+ return FR_BadPubKey;
+ }
+ curveParams *cp = curveParamsForDepth(depth);
+ if(cp == NULL) {
+ return FR_IllegalDepth;
+ }
+ unsigned giantBytes = (cp->q + 7) / 8;
+ unsigned blobSize = 1 + (2 * giantBytes);
+ if(keyBlobLen != blobSize) {
+ dbgLog(("feePubKeyInitFromECDSAPubBlob: bad blobLen\n"));
+ return FR_BadKeyBlob;
+ }
+ if(*keyBlob != 0x04) {
+ dbgLog(("feePubKeyInitFromECDSAPubBlob: bad blob leader\n"));
+ return FR_BadKeyBlob;
+ }
+
+ pkinst->cp = cp;
+ pkinst->plus = new_public(cp, CURVE_PLUS);
+ deserializeGiant(keyBlob+1, pkinst->plus->x, giantBytes);
+ deserializeGiant(keyBlob+1+giantBytes, pkinst->plus->y, giantBytes);
+ return FR_Success;
+}
+
+feeReturn feePubKeyInitFromECDSAPrivBlob(feePubKey pubKey,
+ const unsigned char *keyBlob,
+ unsigned keyBlobLen,
+ feeDepth depth)
+{
+ pubKeyInst *pkinst = (pubKeyInst *)pubKey;
+ if(pkinst == NULL) {
+ return FR_BadPubKey;
+ }
+ curveParams *cp = curveParamsForDepth(depth);
+ if(cp == NULL) {
+ return FR_IllegalDepth;
+ }
+ unsigned giantDigits = cp->basePrime->sign;
+ unsigned giantBytes = (cp->q + 7) / 8;
+
+ /*
+ * The specified private key can be one byte smaller than the modulus */
+ if((keyBlobLen > giantBytes) || (keyBlobLen < (giantBytes - 1))) {
+ dbgLog(("feePubKeyInitFromECDSAPrivBlob: bad blobLen\n"));
+ return FR_BadKeyBlob;
+ }
+
+ pkinst->cp = cp;
+
+ /* cook up a new private giant */
+ pkinst->privGiant = newGiant(giantDigits);
+ if(pkinst->privGiant == NULL) {
+ return FR_Memory;
+ }
+ deserializeGiant(keyBlob, pkinst->privGiant, keyBlobLen);
+
+ /* since this blob only had the private data, infer the remaining fields */
+ pkinst->plus = new_public(pkinst->cp, CURVE_PLUS);
+ set_priv_key_giant(pkinst->plus, pkinst->privGiant);
+ return FR_Success;
+}
+
projects / apple / security.git / blobdiff