os/security/cryptoplugins/cryptospiplugins/source/softwarecrypto/dsakeypairgenimpl.cpp
author sl@SLION-WIN7.fritz.box
Fri, 15 Jun 2012 03:10:57 +0200
changeset 0 bde4ae8d615e
permissions -rw-r--r--
First public contribution.
     1 /*
     2 * Copyright (c) 2007-2009 Nokia Corporation and/or its subsidiary(-ies).
     3 * All rights reserved.
     4 * This component and the accompanying materials are made available
     5 * under the terms of the License "Eclipse Public License v1.0"
     6 * which accompanies this distribution, and is available
     7 * at the URL "http://www.eclipse.org/legal/epl-v10.html".
     8 *
     9 * Initial Contributors:
    10 * Nokia Corporation - initial contribution.
    11 *
    12 * Contributors:
    13 *
    14 * Description: 
    15 * DSA Keypair implementation
    16 * DSA keypair generation implementation
    17 *
    18 */
    19 
    20 
    21 /**
    22  @file
    23 */
    24 
    25 #include "dsakeypairgenimpl.h"
    26 #include "pluginconfig.h"
    27 #include "keypair.h"
    28 #include "common/inlines.h"    // For TClassSwap
    29 #include "mont.h"
    30 #include "sha1impl.h"
    31 #include <random.h>
    32 #include <securityerr.h>
    33 
    34 
    35 const TUint KShaSize = 20;
    36 const TUint KMinPrimeLength = 512;
    37 const TUint KMaxPrimeLength = 1024;
    38 const TUint KPrimeLengthMultiple = 64;
    39 
    40 using namespace SoftwareCrypto;
    41 
    42 
    43 /* CDSAPrimeCertificate */
    44 
    45 CDSAPrimeCertificate* CDSAPrimeCertificate::NewL(const TDesC8& aSeed, TUint aCounter)
    46 	{
    47 	CDSAPrimeCertificate* self = NewLC(aSeed, aCounter);
    48 	CleanupStack::Pop();
    49 	return self;
    50 	}
    51 
    52 CDSAPrimeCertificate* CDSAPrimeCertificate::NewLC(const TDesC8& aSeed, TUint aCounter)
    53 	{
    54 	CDSAPrimeCertificate* self = new(ELeave) CDSAPrimeCertificate(aCounter);
    55 	CleanupStack::PushL(self);
    56 	self->ConstructL(aSeed);
    57 	return self;
    58 	}
    59 
    60 const TDesC8& CDSAPrimeCertificate::Seed() const
    61 	{
    62 	return *iSeed;
    63 	}
    64 
    65 TUint CDSAPrimeCertificate::Counter() const
    66 	{
    67 	return iCounter;
    68 	}
    69 
    70 CDSAPrimeCertificate::~CDSAPrimeCertificate() 
    71 	{
    72 	delete const_cast<HBufC8*>(iSeed);
    73 	}
    74 
    75 void CDSAPrimeCertificate::ConstructL(const TDesC8& aSeed)
    76 	{
    77 	iSeed = aSeed.AllocL();
    78 	}
    79 
    80 CDSAPrimeCertificate::CDSAPrimeCertificate(TUint aCounter) 
    81 	: iCounter(aCounter)
    82 	{
    83 	}
    84 
    85 CDSAPrimeCertificate::CDSAPrimeCertificate() 
    86 	{
    87 	}
    88 
    89 
    90 /* CDSAKeyPairGenImpl */
    91 CDSAKeyPairGenImpl::CDSAKeyPairGenImpl()
    92 	{
    93 	}
    94 
    95 CDSAKeyPairGenImpl::~CDSAKeyPairGenImpl()
    96 	{
    97 	delete iPrimeCertificate;
    98 	}
    99 
   100 CDSAKeyPairGenImpl* CDSAKeyPairGenImpl::NewL()
   101 	{
   102 	CDSAKeyPairGenImpl* self = CDSAKeyPairGenImpl::NewLC();
   103 	CleanupStack::Pop(self);
   104 	return self;
   105 	}
   106 
   107 CDSAKeyPairGenImpl* CDSAKeyPairGenImpl::NewLC()
   108 	{
   109 	CDSAKeyPairGenImpl* self = new(ELeave) CDSAKeyPairGenImpl();
   110 	CleanupStack::PushL(self);
   111 	self->ConstructL();
   112 	return self;
   113 	}
   114 
   115 void CDSAKeyPairGenImpl::ConstructL(void)
   116 	{
   117 	CKeyPairGenImpl::ConstructL();
   118 	}
   119 
   120 CExtendedCharacteristics* CDSAKeyPairGenImpl::CreateExtendedCharacteristicsL()
   121 	{
   122 	// All Symbian software plug-ins have unlimited concurrency, cannot be reserved
   123 	// for exclusive use and are not CERTIFIED to be standards compliant.
   124 	return CExtendedCharacteristics::NewL(KMaxTInt, EFalse);
   125 	}
   126 
   127 const CExtendedCharacteristics* CDSAKeyPairGenImpl::GetExtendedCharacteristicsL()
   128 	{
   129 	return CDSAKeyPairGenImpl::CreateExtendedCharacteristicsL();
   130 	}
   131 
   132 TUid CDSAKeyPairGenImpl::ImplementationUid() const
   133 	{
   134 	return KCryptoPluginDsaKeyPairGenUid;
   135 	}
   136 
   137 void CDSAKeyPairGenImpl::Reset()
   138 	{
   139 	// does nothing in this plugin
   140 	}
   141 
   142 TBool CDSAKeyPairGenImpl::ValidPrimeLength(TUint aPrimeBits)
   143 	{
   144 	return (aPrimeBits >= KMinPrimeLength &&
   145 			aPrimeBits <= KMaxPrimeLength &&
   146 			aPrimeBits % KPrimeLengthMultiple == 0);
   147 	}
   148 
   149 TBool CDSAKeyPairGenImpl::GeneratePrimesL(const TDesC8& aSeed,
   150 										 TUint& aCounter, 
   151 										 RInteger& aP, 
   152 										 TUint aL, 
   153 										 RInteger& aQ, 
   154 										 TBool aUseInputCounter)
   155 	{
   156 	//This follows the steps in FIPS 186-2 
   157 	//See DSS Appendix 2.2
   158 	//Note. Step 1 is performed prior to calling GeneratePrimesL, so that this
   159 	//routine can be used for both generation and validation.
   160 	//Step 1.  Choose an arbitrary sequence of at least 160 bits and call it
   161 	//SEED.  Let g be the length of SEED in bits.
   162 
   163 	if(!ValidPrimeLength(aL))
   164 		{
   165 		User::Leave(KErrNotSupported);
   166 		}
   167 	
   168 	CSHA1Impl* sha1 = CSHA1Impl::NewL();
   169 	CleanupStack::PushL(sha1);
   170 
   171 	HBufC8* seedBuf = aSeed.AllocLC();
   172 	TPtr8 seed = seedBuf->Des();
   173 	TUint gBytes = aSeed.Size();
   174 	
   175 	//Note that the DSS's g = BytesToBits(gBytes) ie. the number of random bits
   176 	//in the seed.  
   177 	//This function has made the assumption (for ease of computation) that g%8
   178 	//is 0.  Ie the seed is a whole number of random bytes.
   179 	TBuf8<KShaSize> U; 
   180 	TBuf8<KShaSize> temp; 
   181 	const TUint n = (aL-1)/160;
   182 	const TUint b = (aL-1)%160;
   183 	HBufC8* Wbuf = HBufC8::NewMaxLC((n+1) * KShaSize);
   184 	TUint8* W = const_cast<TUint8*>(Wbuf->Ptr());
   185 
   186 	U.Copy(sha1->Final(seed));
   187 	
   188 	//Step 2. U = SHA-1[SEED] XOR SHA-1[(SEED+1) mod 2^g]
   189 	for(TInt i=gBytes - 1, carry=ETrue; i>=0 && carry; i--)
   190 		{
   191 		//!++(TUint) adds one to the current word which if it overflows to zero
   192 		//sets carry to 1 thus letting the loop continue.  It's a poor man's
   193 		//multi-word addition.  Swift eh?
   194 		carry = !++(seed[i]);
   195 		}
   196 
   197 	temp.Copy(sha1->Final(seed));
   198 	XorBuf(const_cast<TUint8*>(U.Ptr()), temp.Ptr(), KShaSize);
   199 
   200 	//Step 3. Form q from U by setting the most significant bit (2^159)
   201 	//and the least significant bit to 1.
   202 	U[0] |= 0x80;
   203 	U[KShaSize-1] |= 1;
   204 
   205 	aQ = RInteger::NewL(U);
   206 	CleanupStack::PushL(aQ);
   207 
   208 	//Step 4. Use a robust primality testing algo to test if q is prime
   209 	//The robust part is the calling codes problem.  This will use whatever
   210 	//random number generator you set for the thread.  To attempt FIPS 186-2
   211 	//compliance, set a FIPS 186-2 compliant RNG.
   212 	if( !aQ.IsPrimeL() )
   213 		{
   214 		//Step 5. If not exit and get a new seed
   215 		CleanupStack::PopAndDestroy(4, sha1);
   216 		return EFalse;
   217 		}
   218 	
   219 	TUint counterEnd = aUseInputCounter ? aCounter+1 : 4096;
   220 	
   221 	//Step 6. Let counter = 0 and offset = 2
   222 	//Note 1. that the DSS speaks of SEED + offset + k because they always
   223 	//refer to a constant SEED.  We update our seed as we go so the offset
   224 	//variable has already been added to seed in the previous iterations.
   225 	//Note 2. We've already added 1 to our seed, so the first time through this
   226 	//the offset in DSS speak will be 2.
   227 	for(TUint counter=0; counter < counterEnd; counter++)
   228 		{
   229 		//Step 7. For k=0, ..., n let
   230 		// Vk = SHA-1[(SEED + offset + k) mod 2^g]
   231 		//I'm storing the Vk's inside of a big W buffer.
   232 		for(TUint k=0; k<=n; k++)
   233 			{
   234 			for(TInt i=gBytes-1, carry=ETrue; i>=0 && carry; i--)
   235 				{
   236 				carry = !++(seed[i]);
   237 				}
   238 			if(!aUseInputCounter || counter == aCounter)
   239 				{
   240 				TPtr8 Wptr(W+(n-k)*KShaSize, gBytes);
   241 				Wptr.Copy(sha1->Final(seed));
   242 				}
   243 			}
   244 		if(!aUseInputCounter || counter == aCounter)
   245 			{
   246 			//Step 8. Let W be the integer...  and let X = W + 2^(L-1)
   247 			const_cast<TUint8&>((*Wbuf)[KShaSize - 1 - b/8]) |= 0x80;
   248 			TPtr8 Wptr(W + KShaSize - 1 - b/8, aL/8, aL/8);
   249 			RInteger X = RInteger::NewL(Wptr);
   250 			CleanupStack::PushL(X);
   251 			//Step 9. Let c = X mod 2q and set p = X - (c-1)
   252 			RInteger twoQ = aQ.TimesL(TInteger::Two());
   253 			CleanupStack::PushL(twoQ);
   254 			RInteger c = X.ModuloL(twoQ);
   255 			CleanupStack::PushL(c);
   256 			--c;
   257 			aP = X.MinusL(c);
   258 			CleanupStack::PopAndDestroy(3, &X); //twoQ, c, X
   259 			CleanupStack::PushL(aP);
   260 			
   261 			//Step 10 and 11: if p >= 2^(L-1) and p is prime
   262 			if( aP.Bit(aL-1) && aP.IsPrimeL() )
   263 				{
   264 				aCounter = counter;
   265 				CleanupStack::Pop(2, &aQ);
   266 				CleanupStack::PopAndDestroy(3, sha1);
   267 				return ETrue;
   268 				}
   269 			CleanupStack::PopAndDestroy(&aP);
   270 			}
   271 		}
   272 	CleanupStack::PopAndDestroy(4, &sha1);
   273 	return EFalse;
   274 	}
   275 
   276 void CDSAKeyPairGenImpl::GenerateKeyPairL(TInt aKeySize, 
   277 										const CCryptoParams& aKeyParameters,
   278 										CKeyPair*& aKeyPair)
   279 	{
   280 	//This is the first step of DSA prime generation.  The remaining steps are
   281 	//performed in CDSAParameters::GeneratePrimesL
   282 	//Step 1.  Choose an arbitrary sequence of at least 160 bits and call it
   283 	//SEED.  Let g be the length of SEED in bits.	
   284 	TBuf8<KShaSize> seed(KShaSize);
   285 	TUint c;
   286 	RInteger p;
   287 	RInteger q;
   288 	
   289 	do 
   290 		{
   291 	    TRAPD(err, GenerateRandomBytesL(seed));
   292 	    if((err != KErrNone) && (err != KErrNotSecure))
   293 	        User::Leave(err);
   294 		}
   295 	while(!GeneratePrimesL(seed, c, p, aKeySize, q));
   296 	
   297 	//Double PushL will not fail as GeneratePrimesL uses the CleanupStack
   298 	//(at least one push and pop ;)
   299 	CleanupStack::PushL(p);
   300 	CleanupStack::PushL(q);
   301 
   302 	iPrimeCertificate = CDSAPrimeCertificate::NewL(seed, c);
   303 	
   304 	// aKeyParameters isn't const here anymore
   305 	CCryptoParams& paramRef=const_cast<CCryptoParams&>(aKeyParameters);
   306 	paramRef.AddL(c, KDsaKeyGenerationCounterUid);
   307 	paramRef.AddL(seed, KDsaKeyGenerationSeedUid);
   308 	
   309 	CMontgomeryStructure* montP = CMontgomeryStructure::NewLC(p);
   310 	
   311 	--p;
   312 
   313 	// e = (p-1)/q
   314 	RInteger e = p.DividedByL(q);
   315 	CleanupStack::PushL(e);
   316 
   317 	--p; //now it's p-2 :)
   318 
   319 	RInteger h;
   320 	const TInteger* g = 0;
   321 	do
   322 		{
   323 		// find a random h | 1 < h < p-1
   324 		h = RInteger::NewRandomL(TInteger::Two(), p);
   325 		CleanupStack::PushL(h);
   326 		// g = h^e mod p
   327 		g = &(montP->ExponentiateL(h, e));
   328 		CleanupStack::PopAndDestroy(&h); 
   329 		}
   330 	while( *g <= TInteger::One() );
   331 	CleanupStack::PopAndDestroy(&e);
   332 
   333 	++p; //reincrement p to original value
   334 	++p;
   335 
   336 
   337 	RInteger g1 = RInteger::NewL(*g); //take a copy of montP's g
   338 	CleanupStack::PushL(g1);
   339 	--q;
   340 	// select random x | 0 < x < q
   341 	RInteger x = RInteger::NewRandomL(TInteger::One(), q);
   342 	CleanupStack::PushL(x);
   343 	++q;
   344 
   345 	//
   346 	// create the keys parameters
   347 	CCryptoParams* privateKeyParameters = CCryptoParams::NewLC();
   348 	privateKeyParameters->AddL(p, KDsaKeyParameterPUid);
   349 	privateKeyParameters->AddL(q, KDsaKeyParameterQUid);
   350 	privateKeyParameters->AddL(g1, KDsaKeyParameterGUid);
   351 	privateKeyParameters->AddL(x, KDsaKeyParameterXUid);
   352 	TKeyProperty privateKeyProperties = {KDSAKeyPairGeneratorUid, 
   353 										 KCryptoPluginDsaKeyPairGenUid,
   354 									     KDsaPrivateKeyUid, 
   355 									     KNonEmbeddedKeyUid};
   356 
   357 	CCryptoParams* publicKeyParameters = CCryptoParams::NewLC();
   358 	publicKeyParameters->AddL(p, KDsaKeyParameterPUid);
   359 	publicKeyParameters->AddL(q, KDsaKeyParameterQUid);
   360 	publicKeyParameters->AddL(g1, KDsaKeyParameterGUid);
   361 	RInteger y = RInteger::NewL(montP->ExponentiateL(*g, x));
   362 	CleanupStack::PushL(y);
   363 	publicKeyParameters->AddL(y, KDsaKeyParameterYUid);
   364 	TKeyProperty publicKeyProperties = {KDSAKeyPairGeneratorUid,
   365 										KCryptoPluginDsaKeyPairGenUid, 
   366 										KDsaPublicKeyUid,
   367 										KNonEmbeddedKeyUid};
   368 
   369 	//
   370 	// create the private key
   371 	//
   372 	CKey* privateKey = CKey::NewL(privateKeyProperties, *privateKeyParameters);
   373 	CleanupStack::PushL(privateKey);
   374 
   375 	//
   376 	// create the public key
   377 	//
   378 	CKey* publicKey = CKey::NewL(publicKeyProperties, *publicKeyParameters);
   379 	CleanupStack::PushL(publicKey);
   380 
   381 	aKeyPair = CKeyPair::NewL(publicKey, privateKey);
   382 
   383 	//publicKey, publicKeyParameters, y, privateKey, privateKeyParameters, x, g1, montP, q, p
   384 	CleanupStack::Pop(2, privateKey);
   385 	CleanupStack::PopAndDestroy(8, &p);	
   386 	}