os/security/cryptoplugins/cryptospiplugins/source/softwarecrypto/dsakeypairgenimpl.cpp
First public contribution.
2 * Copyright (c) 2007-2009 Nokia Corporation and/or its subsidiary(-ies).
4 * This component and the accompanying materials are made available
5 * under the terms of the License "Eclipse Public License v1.0"
6 * which accompanies this distribution, and is available
7 * at the URL "http://www.eclipse.org/legal/epl-v10.html".
9 * Initial Contributors:
10 * Nokia Corporation - initial contribution.
15 * DSA Keypair implementation
16 * DSA keypair generation implementation
25 #include "dsakeypairgenimpl.h"
26 #include "pluginconfig.h"
28 #include "common/inlines.h" // For TClassSwap
32 #include <securityerr.h>
35 const TUint KShaSize = 20;
36 const TUint KMinPrimeLength = 512;
37 const TUint KMaxPrimeLength = 1024;
38 const TUint KPrimeLengthMultiple = 64;
40 using namespace SoftwareCrypto;
43 /* CDSAPrimeCertificate */
45 CDSAPrimeCertificate* CDSAPrimeCertificate::NewL(const TDesC8& aSeed, TUint aCounter)
47 CDSAPrimeCertificate* self = NewLC(aSeed, aCounter);
52 CDSAPrimeCertificate* CDSAPrimeCertificate::NewLC(const TDesC8& aSeed, TUint aCounter)
54 CDSAPrimeCertificate* self = new(ELeave) CDSAPrimeCertificate(aCounter);
55 CleanupStack::PushL(self);
56 self->ConstructL(aSeed);
60 const TDesC8& CDSAPrimeCertificate::Seed() const
65 TUint CDSAPrimeCertificate::Counter() const
70 CDSAPrimeCertificate::~CDSAPrimeCertificate()
72 delete const_cast<HBufC8*>(iSeed);
75 void CDSAPrimeCertificate::ConstructL(const TDesC8& aSeed)
77 iSeed = aSeed.AllocL();
80 CDSAPrimeCertificate::CDSAPrimeCertificate(TUint aCounter)
85 CDSAPrimeCertificate::CDSAPrimeCertificate()
90 /* CDSAKeyPairGenImpl */
91 CDSAKeyPairGenImpl::CDSAKeyPairGenImpl()
95 CDSAKeyPairGenImpl::~CDSAKeyPairGenImpl()
97 delete iPrimeCertificate;
100 CDSAKeyPairGenImpl* CDSAKeyPairGenImpl::NewL()
102 CDSAKeyPairGenImpl* self = CDSAKeyPairGenImpl::NewLC();
103 CleanupStack::Pop(self);
107 CDSAKeyPairGenImpl* CDSAKeyPairGenImpl::NewLC()
109 CDSAKeyPairGenImpl* self = new(ELeave) CDSAKeyPairGenImpl();
110 CleanupStack::PushL(self);
115 void CDSAKeyPairGenImpl::ConstructL(void)
117 CKeyPairGenImpl::ConstructL();
120 CExtendedCharacteristics* CDSAKeyPairGenImpl::CreateExtendedCharacteristicsL()
122 // All Symbian software plug-ins have unlimited concurrency, cannot be reserved
123 // for exclusive use and are not CERTIFIED to be standards compliant.
124 return CExtendedCharacteristics::NewL(KMaxTInt, EFalse);
127 const CExtendedCharacteristics* CDSAKeyPairGenImpl::GetExtendedCharacteristicsL()
129 return CDSAKeyPairGenImpl::CreateExtendedCharacteristicsL();
132 TUid CDSAKeyPairGenImpl::ImplementationUid() const
134 return KCryptoPluginDsaKeyPairGenUid;
137 void CDSAKeyPairGenImpl::Reset()
139 // does nothing in this plugin
142 TBool CDSAKeyPairGenImpl::ValidPrimeLength(TUint aPrimeBits)
144 return (aPrimeBits >= KMinPrimeLength &&
145 aPrimeBits <= KMaxPrimeLength &&
146 aPrimeBits % KPrimeLengthMultiple == 0);
149 TBool CDSAKeyPairGenImpl::GeneratePrimesL(const TDesC8& aSeed,
154 TBool aUseInputCounter)
156 //This follows the steps in FIPS 186-2
157 //See DSS Appendix 2.2
158 //Note. Step 1 is performed prior to calling GeneratePrimesL, so that this
159 //routine can be used for both generation and validation.
160 //Step 1. Choose an arbitrary sequence of at least 160 bits and call it
161 //SEED. Let g be the length of SEED in bits.
163 if(!ValidPrimeLength(aL))
165 User::Leave(KErrNotSupported);
168 CSHA1Impl* sha1 = CSHA1Impl::NewL();
169 CleanupStack::PushL(sha1);
171 HBufC8* seedBuf = aSeed.AllocLC();
172 TPtr8 seed = seedBuf->Des();
173 TUint gBytes = aSeed.Size();
175 //Note that the DSS's g = BytesToBits(gBytes) ie. the number of random bits
177 //This function has made the assumption (for ease of computation) that g%8
178 //is 0. Ie the seed is a whole number of random bytes.
180 TBuf8<KShaSize> temp;
181 const TUint n = (aL-1)/160;
182 const TUint b = (aL-1)%160;
183 HBufC8* Wbuf = HBufC8::NewMaxLC((n+1) * KShaSize);
184 TUint8* W = const_cast<TUint8*>(Wbuf->Ptr());
186 U.Copy(sha1->Final(seed));
188 //Step 2. U = SHA-1[SEED] XOR SHA-1[(SEED+1) mod 2^g]
189 for(TInt i=gBytes - 1, carry=ETrue; i>=0 && carry; i--)
191 //!++(TUint) adds one to the current word which if it overflows to zero
192 //sets carry to 1 thus letting the loop continue. It's a poor man's
193 //multi-word addition. Swift eh?
194 carry = !++(seed[i]);
197 temp.Copy(sha1->Final(seed));
198 XorBuf(const_cast<TUint8*>(U.Ptr()), temp.Ptr(), KShaSize);
200 //Step 3. Form q from U by setting the most significant bit (2^159)
201 //and the least significant bit to 1.
205 aQ = RInteger::NewL(U);
206 CleanupStack::PushL(aQ);
208 //Step 4. Use a robust primality testing algo to test if q is prime
209 //The robust part is the calling codes problem. This will use whatever
210 //random number generator you set for the thread. To attempt FIPS 186-2
211 //compliance, set a FIPS 186-2 compliant RNG.
214 //Step 5. If not exit and get a new seed
215 CleanupStack::PopAndDestroy(4, sha1);
219 TUint counterEnd = aUseInputCounter ? aCounter+1 : 4096;
221 //Step 6. Let counter = 0 and offset = 2
222 //Note 1. that the DSS speaks of SEED + offset + k because they always
223 //refer to a constant SEED. We update our seed as we go so the offset
224 //variable has already been added to seed in the previous iterations.
225 //Note 2. We've already added 1 to our seed, so the first time through this
226 //the offset in DSS speak will be 2.
227 for(TUint counter=0; counter < counterEnd; counter++)
229 //Step 7. For k=0, ..., n let
230 // Vk = SHA-1[(SEED + offset + k) mod 2^g]
231 //I'm storing the Vk's inside of a big W buffer.
232 for(TUint k=0; k<=n; k++)
234 for(TInt i=gBytes-1, carry=ETrue; i>=0 && carry; i--)
236 carry = !++(seed[i]);
238 if(!aUseInputCounter || counter == aCounter)
240 TPtr8 Wptr(W+(n-k)*KShaSize, gBytes);
241 Wptr.Copy(sha1->Final(seed));
244 if(!aUseInputCounter || counter == aCounter)
246 //Step 8. Let W be the integer... and let X = W + 2^(L-1)
247 const_cast<TUint8&>((*Wbuf)[KShaSize - 1 - b/8]) |= 0x80;
248 TPtr8 Wptr(W + KShaSize - 1 - b/8, aL/8, aL/8);
249 RInteger X = RInteger::NewL(Wptr);
250 CleanupStack::PushL(X);
251 //Step 9. Let c = X mod 2q and set p = X - (c-1)
252 RInteger twoQ = aQ.TimesL(TInteger::Two());
253 CleanupStack::PushL(twoQ);
254 RInteger c = X.ModuloL(twoQ);
255 CleanupStack::PushL(c);
258 CleanupStack::PopAndDestroy(3, &X); //twoQ, c, X
259 CleanupStack::PushL(aP);
261 //Step 10 and 11: if p >= 2^(L-1) and p is prime
262 if( aP.Bit(aL-1) && aP.IsPrimeL() )
265 CleanupStack::Pop(2, &aQ);
266 CleanupStack::PopAndDestroy(3, sha1);
269 CleanupStack::PopAndDestroy(&aP);
272 CleanupStack::PopAndDestroy(4, &sha1);
276 void CDSAKeyPairGenImpl::GenerateKeyPairL(TInt aKeySize,
277 const CCryptoParams& aKeyParameters,
280 //This is the first step of DSA prime generation. The remaining steps are
281 //performed in CDSAParameters::GeneratePrimesL
282 //Step 1. Choose an arbitrary sequence of at least 160 bits and call it
283 //SEED. Let g be the length of SEED in bits.
284 TBuf8<KShaSize> seed(KShaSize);
291 TRAPD(err, GenerateRandomBytesL(seed));
292 if((err != KErrNone) && (err != KErrNotSecure))
295 while(!GeneratePrimesL(seed, c, p, aKeySize, q));
297 //Double PushL will not fail as GeneratePrimesL uses the CleanupStack
298 //(at least one push and pop ;)
299 CleanupStack::PushL(p);
300 CleanupStack::PushL(q);
302 iPrimeCertificate = CDSAPrimeCertificate::NewL(seed, c);
304 // aKeyParameters isn't const here anymore
305 CCryptoParams& paramRef=const_cast<CCryptoParams&>(aKeyParameters);
306 paramRef.AddL(c, KDsaKeyGenerationCounterUid);
307 paramRef.AddL(seed, KDsaKeyGenerationSeedUid);
309 CMontgomeryStructure* montP = CMontgomeryStructure::NewLC(p);
314 RInteger e = p.DividedByL(q);
315 CleanupStack::PushL(e);
317 --p; //now it's p-2 :)
320 const TInteger* g = 0;
323 // find a random h | 1 < h < p-1
324 h = RInteger::NewRandomL(TInteger::Two(), p);
325 CleanupStack::PushL(h);
327 g = &(montP->ExponentiateL(h, e));
328 CleanupStack::PopAndDestroy(&h);
330 while( *g <= TInteger::One() );
331 CleanupStack::PopAndDestroy(&e);
333 ++p; //reincrement p to original value
337 RInteger g1 = RInteger::NewL(*g); //take a copy of montP's g
338 CleanupStack::PushL(g1);
340 // select random x | 0 < x < q
341 RInteger x = RInteger::NewRandomL(TInteger::One(), q);
342 CleanupStack::PushL(x);
346 // create the keys parameters
347 CCryptoParams* privateKeyParameters = CCryptoParams::NewLC();
348 privateKeyParameters->AddL(p, KDsaKeyParameterPUid);
349 privateKeyParameters->AddL(q, KDsaKeyParameterQUid);
350 privateKeyParameters->AddL(g1, KDsaKeyParameterGUid);
351 privateKeyParameters->AddL(x, KDsaKeyParameterXUid);
352 TKeyProperty privateKeyProperties = {KDSAKeyPairGeneratorUid,
353 KCryptoPluginDsaKeyPairGenUid,
357 CCryptoParams* publicKeyParameters = CCryptoParams::NewLC();
358 publicKeyParameters->AddL(p, KDsaKeyParameterPUid);
359 publicKeyParameters->AddL(q, KDsaKeyParameterQUid);
360 publicKeyParameters->AddL(g1, KDsaKeyParameterGUid);
361 RInteger y = RInteger::NewL(montP->ExponentiateL(*g, x));
362 CleanupStack::PushL(y);
363 publicKeyParameters->AddL(y, KDsaKeyParameterYUid);
364 TKeyProperty publicKeyProperties = {KDSAKeyPairGeneratorUid,
365 KCryptoPluginDsaKeyPairGenUid,
370 // create the private key
372 CKey* privateKey = CKey::NewL(privateKeyProperties, *privateKeyParameters);
373 CleanupStack::PushL(privateKey);
376 // create the public key
378 CKey* publicKey = CKey::NewL(publicKeyProperties, *publicKeyParameters);
379 CleanupStack::PushL(publicKey);
381 aKeyPair = CKeyPair::NewL(publicKey, privateKey);
383 //publicKey, publicKeyParameters, y, privateKey, privateKeyParameters, x, g1, montP, q, p
384 CleanupStack::Pop(2, privateKey);
385 CleanupStack::PopAndDestroy(8, &p);