Chaum-style Blind signatures based on RSA. More...

#include "platform.h"
#include <gcrypt.h>
#include "gnunet_util_lib.h"
#include "benchmark.h"

Include dependency graph for crypto_rsa.c:

Data Structures
struct	GNUNET_CRYPTO_RsaPrivateKey
	The private information of an RSA key pair. More...

struct	GNUNET_CRYPTO_RsaPublicKey
	The public information of an RSA key pair. More...

struct	GNUNET_CRYPTO_RsaSignature
	an RSA signature More...

struct	RsaBlindingKey
	RSA blinding key. More...

struct	GNUNET_CRYPTO_RsaPublicKeyHeaderP
	Format of the header of a serialized RSA public key. More...

Macros
#define	LOG(kind, ...) GNUNET_log_from (kind, "util-crypto-rsa", __VA_ARGS__)

Functions
static int	key_from_sexp (gcry_mpi_t array, gcry_sexp_t sexp, const char topname, const char *elems)
	Extract values from an S-expression. More...

struct GNUNET_CRYPTO_RsaPrivateKey *	GNUNET_CRYPTO_rsa_private_key_create (unsigned int len)
	Create a new private key. More...

void	GNUNET_CRYPTO_rsa_private_key_free (struct GNUNET_CRYPTO_RsaPrivateKey *key)
	Free memory occupied by the private key. More...

size_t	GNUNET_CRYPTO_rsa_private_key_encode (const struct GNUNET_CRYPTO_RsaPrivateKey key, void *buffer)
	Encode the private key in a format suitable for storing it into a file. More...

struct GNUNET_CRYPTO_RsaPrivateKey *	GNUNET_CRYPTO_rsa_private_key_decode (const void *buf, size_t buf_size)
	Decode the private key from the data-format back to the "normal", internal format. More...

struct GNUNET_CRYPTO_RsaPublicKey *	GNUNET_CRYPTO_rsa_private_key_get_public (const struct GNUNET_CRYPTO_RsaPrivateKey *priv)
	Extract the public key of the given private key. More...

void	GNUNET_CRYPTO_rsa_public_key_free (struct GNUNET_CRYPTO_RsaPublicKey *key)
	Free memory occupied by the public key. More...

GNUNET_NETWORK_STRUCT_END bool	GNUNET_CRYPTO_rsa_public_key_check (const struct GNUNET_CRYPTO_RsaPublicKey *key)
	Check if key is well-formed. More...

size_t	GNUNET_CRYPTO_rsa_public_key_encode (const struct GNUNET_CRYPTO_RsaPublicKey key, void *buffer)
	Encode the public key in a format suitable for storing it into a file. More...

void	GNUNET_CRYPTO_rsa_public_key_hash (const struct GNUNET_CRYPTO_RsaPublicKey key, struct GNUNET_HashCode hc)
	Compute hash over the public key. More...

struct GNUNET_CRYPTO_RsaPublicKey *	GNUNET_CRYPTO_rsa_public_key_decode (const char *buf, size_t len)
	Decode the public key from the data-format back to the "normal", internal format. More...

static int	rsa_gcd_validate (gcry_mpi_t r, gcry_mpi_t n)
	Test for malicious RSA key. More...

static struct RsaBlindingKey *	rsa_blinding_key_derive (const struct GNUNET_CRYPTO_RsaPublicKey pkey, const struct GNUNET_CRYPTO_RsaBlindingKeySecret bks)
	Create a blinding key. More...

int	GNUNET_CRYPTO_rsa_signature_cmp (const struct GNUNET_CRYPTO_RsaSignature s1, const struct GNUNET_CRYPTO_RsaSignature s2)
	Compare the values of two signatures. More...

int	GNUNET_CRYPTO_rsa_public_key_cmp (const struct GNUNET_CRYPTO_RsaPublicKey p1, const struct GNUNET_CRYPTO_RsaPublicKey p2)
	Compare the values of two public keys. More...

int	GNUNET_CRYPTO_rsa_private_key_cmp (const struct GNUNET_CRYPTO_RsaPrivateKey p1, const struct GNUNET_CRYPTO_RsaPrivateKey p2)
	Compare the values of two private keys. More...

unsigned int	GNUNET_CRYPTO_rsa_public_key_len (const struct GNUNET_CRYPTO_RsaPublicKey *key)
	Obtain the length of the RSA key in bits. More...

static void	rsa_blinding_key_free (struct RsaBlindingKey *bkey)
	Destroy a blinding key. More...

static size_t	numeric_mpi_alloc_n_print (gcry_mpi_t v, char **buffer)
	Print an MPI to a newly created buffer. More...

static gcry_mpi_t	rsa_full_domain_hash (const struct GNUNET_CRYPTO_RsaPublicKey pkey, const void message, size_t message_size)
	Computes a full domain hash seeded by the given public key. More...

void	GNUNET_CRYPTO_rsa_blinded_message_free (struct GNUNET_CRYPTO_RsaBlindedMessage *bm)
	Free memory occupied by blinded message. More...

enum GNUNET_GenericReturnValue	GNUNET_CRYPTO_rsa_blind (const void message, size_t message_size, const struct GNUNET_CRYPTO_RsaBlindingKeySecret bks, struct GNUNET_CRYPTO_RsaPublicKey pkey, struct GNUNET_CRYPTO_RsaBlindedMessage bm)
	Blinds the given message with the given blinding key. More...

static gcry_sexp_t	mpi_to_sexp (gcry_mpi_t value)
	Convert an MPI to an S-expression suitable for signature operations. More...

static struct GNUNET_CRYPTO_RsaSignature *	rsa_sign_mpi (const struct GNUNET_CRYPTO_RsaPrivateKey *key, gcry_mpi_t value)
	Sign the given MPI. More...

struct GNUNET_CRYPTO_RsaSignature *	GNUNET_CRYPTO_rsa_sign_blinded (const struct GNUNET_CRYPTO_RsaPrivateKey key, const struct GNUNET_CRYPTO_RsaBlindedMessage bm)
	Sign a blinded value, which must be a full domain hash of a message. More...

struct GNUNET_CRYPTO_RsaSignature *	GNUNET_CRYPTO_rsa_sign_fdh (const struct GNUNET_CRYPTO_RsaPrivateKey key, const void message, size_t message_size)
	Create and sign a full domain hash of a message. More...

void	GNUNET_CRYPTO_rsa_signature_free (struct GNUNET_CRYPTO_RsaSignature *sig)
	Free memory occupied by signature. More...

size_t	GNUNET_CRYPTO_rsa_signature_encode (const struct GNUNET_CRYPTO_RsaSignature sig, void *buffer)
	Encode the given signature in a format suitable for storing it into a file. More...

struct GNUNET_CRYPTO_RsaSignature *	GNUNET_CRYPTO_rsa_signature_decode (const void *buf, size_t buf_size)
	Decode the signature from the data-format back to the "normal", internal format. More...

struct GNUNET_CRYPTO_RsaPublicKey *	GNUNET_CRYPTO_rsa_public_key_dup (const struct GNUNET_CRYPTO_RsaPublicKey *key)
	Duplicate the given public key. More...

struct GNUNET_CRYPTO_RsaSignature *	GNUNET_CRYPTO_rsa_unblind (const struct GNUNET_CRYPTO_RsaSignature sig, const struct GNUNET_CRYPTO_RsaBlindingKeySecret bks, struct GNUNET_CRYPTO_RsaPublicKey *pkey)
	Unblind a blind-signed signature. More...

enum GNUNET_GenericReturnValue	GNUNET_CRYPTO_rsa_verify (const void message, size_t message_size, const struct GNUNET_CRYPTO_RsaSignature sig, const struct GNUNET_CRYPTO_RsaPublicKey *pkey)
	Verify whether the given hash corresponds to the given signature and the signature is valid with respect to the given public key. More...

struct GNUNET_CRYPTO_RsaPrivateKey *	GNUNET_CRYPTO_rsa_private_key_dup (const struct GNUNET_CRYPTO_RsaPrivateKey *key)
	Duplicate the given private key. More...

struct GNUNET_CRYPTO_RsaSignature *	GNUNET_CRYPTO_rsa_signature_dup (const struct GNUNET_CRYPTO_RsaSignature *sig)
	Duplicate the given rsa signature. More...

Detailed Description

Chaum-style Blind signatures based on RSA.

Author: Sree Harsha Totakura sreeh.nosp@m.arsh.nosp@m.a@tot.nosp@m.akur.nosp@m.a.in; Christian Grothoff; Jeffrey Burdges burdg.nosp@m.es@g.nosp@m.nunet.nosp@m..org

Definition in file crypto_rsa.c.

Macro Definition Documentation

◆ LOG

#define LOG	(	kind,
		...
	)	GNUNET_log_from (kind, "util-crypto-rsa", __VA_ARGS__)

Definition at line 34 of file crypto_rsa.c.

Function Documentation

◆ key_from_sexp()

static int key_from_sexp	(	gcry_mpi_t *	array,
		gcry_sexp_t	sexp,
		const char *	topname,
		const char *	elems
	)

static

Extract values from an S-expression.

Parameters

array	where to store the result(s)
sexp	S-expression to parse
topname	top-level name in the S-expression that is of interest
elems	names of the elements to extract

Returns: 0 on success

Definition at line 95 of file crypto_rsa.c.

{
  gcry_sexp_t list;
  gcry_sexp_t l2;
  const char *s;
  unsigned int idx;
 
  if (! (list = gcry_sexp_find_token (sexp, topname, 0)))
    return 1;
  l2 = gcry_sexp_cadr (list);
  gcry_sexp_release (list);
  list = l2;
  if (! list)
    return 2;
  idx = 0;
  for (s = elems; *s; s++, idx++)
  {
    if (! (l2 = gcry_sexp_find_token (list, s, 1)))
    {
      for (unsigned int i = 0; i < idx; i++)
      {
        gcry_free (array[i]);
        array[i] = NULL;
      }
      gcry_sexp_release (list);
      return 3;                 /* required parameter not found */
    }
    array[idx] = gcry_sexp_nth_mpi (l2, 1, GCRYMPI_FMT_USG);
    gcry_sexp_release (l2);
    if (! array[idx])
    {
      for (unsigned int i = 0; i < idx; i++)
      {
        gcry_free (array[i]);
        array[i] = NULL;
      }
      gcry_sexp_release (list);
      return 4;                 /* required parameter is invalid */
    }
  }
  gcry_sexp_release (list);
  return 0;
}

References list.

Referenced by GNUNET_CRYPTO_rsa_blind(), GNUNET_CRYPTO_rsa_private_key_get_public(), GNUNET_CRYPTO_rsa_public_key_check(), GNUNET_CRYPTO_rsa_public_key_encode(), GNUNET_CRYPTO_rsa_public_key_len(), GNUNET_CRYPTO_rsa_signature_dup(), GNUNET_CRYPTO_rsa_signature_encode(), GNUNET_CRYPTO_rsa_unblind(), rsa_blinding_key_derive(), and rsa_full_domain_hash().

Here is the caller graph for this function:

◆ rsa_gcd_validate()

static int rsa_gcd_validate	(	gcry_mpi_t	r,
		gcry_mpi_t	n
	)

static

Test for malicious RSA key.

Assuming n is an RSA modulous and r is generated using a call to GNUNET_CRYPTO_kdf_mod_mpi, if gcd(r,n) != 1 then n must be a malicious RSA key designed to deanomize the user.

Parameters

r	KDF result
n	RSA modulus

Returns: True if gcd(r,n) = 1, False means RSA key is malicious

Definition at line 501 of file crypto_rsa.c.

{
  gcry_mpi_t g;
  int t;
 
  g = gcry_mpi_new (0);
  t = gcry_mpi_gcd (g, r, n);
  gcry_mpi_release (g);
  return t;
}

References t.

Referenced by rsa_blinding_key_derive(), and rsa_full_domain_hash().

Here is the caller graph for this function:

◆ rsa_blinding_key_derive()

static struct RsaBlindingKey * rsa_blinding_key_derive	(	const struct GNUNET_CRYPTO_RsaPublicKey *	pkey,
		const struct GNUNET_CRYPTO_RsaBlindingKeySecret *	bks
	)

static

Create a blinding key.

Parameters

len	length of the key in bits (e.g. 2048)
bks	pre-secret to use to derive the blinding key

Returns: the newly created blinding key, NULL if RSA key is malicious

Definition at line 522 of file crypto_rsa.c.

{
  const char *xts = "Blinding KDF extractor HMAC key";  /* Trusts bks' randomness more */
  struct RsaBlindingKey *blind;
  gcry_mpi_t n;
 
  blind = GNUNET_new (struct RsaBlindingKey);
 
  /* Extract the composite n from the RSA public key */
  GNUNET_assert (0 ==
                 key_from_sexp (&n,
                                pkey->sexp,
                                "rsa",
                                "n"));
  /* Assert that it at least looks like an RSA key */
  GNUNET_assert (0 ==
                 gcry_mpi_get_flag (n,
                                    GCRYMPI_FLAG_OPAQUE));
  GNUNET_CRYPTO_kdf_mod_mpi (&blind->r,
                             n,
                             xts, strlen (xts),
                             bks, sizeof(*bks),
                             "Blinding KDF");
  if (0 == rsa_gcd_validate (blind->r,
                             n))
  {
    gcry_mpi_release (blind->r);
    GNUNET_free (blind);
    blind = NULL;
  }
  gcry_mpi_release (n);
  return blind;
}

References GNUNET_assert, GNUNET_CRYPTO_kdf_mod_mpi(), GNUNET_free, GNUNET_new, key_from_sexp(), pkey, RsaBlindingKey::r, and rsa_gcd_validate().

Referenced by GNUNET_CRYPTO_rsa_blind(), and GNUNET_CRYPTO_rsa_unblind().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ rsa_blinding_key_free()

static void rsa_blinding_key_free ( struct RsaBlindingKey * bkey )

static

Destroy a blinding key.

Parameters

bkey	the blinding key to destroy

Definition at line 702 of file crypto_rsa.c.

{
  gcry_mpi_release (bkey->r);
  GNUNET_free (bkey);
}

References GNUNET_free, and RsaBlindingKey::r.

Referenced by GNUNET_CRYPTO_rsa_blind(), and GNUNET_CRYPTO_rsa_unblind().

Here is the caller graph for this function:

◆ numeric_mpi_alloc_n_print()

static size_t numeric_mpi_alloc_n_print	(	gcry_mpi_t	v,
		char **	buffer
	)

static

Print an MPI to a newly created buffer.

Parameters

	v	MPI to print.
[out]	buffer	newly allocated buffer containing the result

Returns: number of bytes stored in buffer

Definition at line 717 of file crypto_rsa.c.

{
  size_t n;
  char *b;
  size_t rsize;
 
  gcry_mpi_print (GCRYMPI_FMT_USG,
                  NULL,
                  0,
                  &n,
                  v);
  b = GNUNET_malloc (n);
  GNUNET_assert (0 ==
                 gcry_mpi_print (GCRYMPI_FMT_USG,
                                 (unsigned char *) b,
                                 n,
                                 &rsize,
                                 v));
  *buffer = b;
  return n;
}

References GNUNET_assert, and GNUNET_malloc.

Referenced by GNUNET_CRYPTO_rsa_blind().

Here is the caller graph for this function:

◆ rsa_full_domain_hash()

static gcry_mpi_t rsa_full_domain_hash	(	const struct GNUNET_CRYPTO_RsaPublicKey *	pkey,
		const void *	message,
		size_t	message_size
	)

static

Computes a full domain hash seeded by the given public key.

This gives a measure of provable security to the Taler exchange against one-more forgery attacks. See: https://eprint.iacr.org/2001/002.pdf http://www.di.ens.fr/~pointche/Documents/Papers/2001_fcA.pdf

Parameters

message	the message to sign
message_size	number of bytes in message
pkey	the public key of the signer
rsize	If not NULL, the number of bytes actually stored in buffer

Returns: MPI value set to the FDH, NULL if RSA key is malicious

Definition at line 755 of file crypto_rsa.c.

{
  gcry_mpi_t r;
  gcry_mpi_t n;
  void *xts;
  size_t xts_len;
  int ok;
 
  /* Extract the composite n from the RSA public key */
  GNUNET_assert (0 ==
                 key_from_sexp (&n,
                                pkey->sexp,
                                "rsa",
                                "n"));
  /* Assert that it at least looks like an RSA key */
  GNUNET_assert (0 ==
                 gcry_mpi_get_flag (n,
                                    GCRYMPI_FLAG_OPAQUE));
 
  /* We key with the public denomination key as a homage to RSA-PSS by  *
  * Mihir Bellare and Phillip Rogaway.  Doing this lowers the degree   *
  * of the hypothetical polyomial-time attack on RSA-KTI created by a  *
  * polynomial-time one-more forgary attack.  Yey seeding!       */
  xts_len = GNUNET_CRYPTO_rsa_public_key_encode (pkey,
                                                 &xts);
 
  GNUNET_CRYPTO_kdf_mod_mpi (&r,
                             n,
                             xts, xts_len,
                             message, message_size,
                             "RSA-FDA FTpsW!");
  GNUNET_free (xts);
  ok = rsa_gcd_validate (r, n);
  gcry_mpi_release (n);
  if (ok)
    return r;
  gcry_mpi_release (r);
  return NULL;
}

References GNUNET_assert, GNUNET_CRYPTO_kdf_mod_mpi(), GNUNET_CRYPTO_rsa_public_key_encode(), GNUNET_free, key_from_sexp(), pkey, RsaBlindingKey::r, and rsa_gcd_validate().

Referenced by GNUNET_CRYPTO_rsa_blind(), GNUNET_CRYPTO_rsa_sign_fdh(), and GNUNET_CRYPTO_rsa_verify().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ mpi_to_sexp()

static gcry_sexp_t mpi_to_sexp ( gcry_mpi_t value )

static

Convert an MPI to an S-expression suitable for signature operations.

Parameters

value pointer to the data to convert

Returns: converted s-expression

Definition at line 894 of file crypto_rsa.c.

{
  gcry_sexp_t data = NULL;
 
  GNUNET_assert (0 ==
                 gcry_sexp_build (&data,
                                  NULL,
                                  "(data (flags raw) (value %M))",
                                  value));
  return data;
}

References data, GNUNET_assert, and value.

Referenced by GNUNET_CRYPTO_rsa_verify(), and rsa_sign_mpi().

Here is the caller graph for this function:

◆ rsa_sign_mpi()

static struct GNUNET_CRYPTO_RsaSignature * rsa_sign_mpi	(	const struct GNUNET_CRYPTO_RsaPrivateKey *	key,
		gcry_mpi_t	value
	)

static

Sign the given MPI.

Parameters

key	private key to use for the signing
value	the MPI to sign

Returns: NULL on error, signature on success

Definition at line 915 of file crypto_rsa.c.

{
  struct GNUNET_CRYPTO_RsaSignature *sig;
  gcry_sexp_t data;
  gcry_sexp_t result;
  int rc;
 
  data = mpi_to_sexp (value);
 
  if (0 !=
      (rc = gcry_pk_sign (&result,
                          data,
                          key->sexp)))
  {
    LOG (GNUNET_ERROR_TYPE_WARNING,
         _ ("RSA signing failed at %s:%d: %s\n"),
         __FILE__,
         __LINE__,
         gcry_strerror (rc));
    gcry_sexp_release (data);
    GNUNET_break (0);
    return NULL;
  }
 
  /* Lenstra protection was first added to libgcrypt 1.6.4
   * with commit c17f84bd02d7ee93845e92e20f6ddba814961588.
   */
#if GCRYPT_VERSION_NUMBER < 0x010604
  /* verify signature (guards against Lenstra's attack with fault injection...) */
  struct GNUNET_CRYPTO_RsaPublicKey *public_key =
    GNUNET_CRYPTO_rsa_private_key_get_public (key);
  if (0 !=
      gcry_pk_verify (result,
                      data,
                      public_key->sexp))
  {
    GNUNET_break (0);
    GNUNET_CRYPTO_rsa_public_key_free (public_key);
    gcry_sexp_release (data);
    gcry_sexp_release (result);
    return NULL;
  }
  GNUNET_CRYPTO_rsa_public_key_free (public_key);
#endif
 
  /* return signature */
  gcry_sexp_release (data);
  sig = GNUNET_new (struct GNUNET_CRYPTO_RsaSignature);
  sig->sexp = result;
  return sig;
}

References _, data, GNUNET_break, GNUNET_CRYPTO_rsa_private_key_get_public(), GNUNET_CRYPTO_rsa_public_key_free(), GNUNET_ERROR_TYPE_WARNING, GNUNET_new, key, LOG, mpi_to_sexp(), result, GNUNET_CRYPTO_RsaPublicKey::sexp, GNUNET_CRYPTO_RsaSignature::sexp, and value.

Referenced by GNUNET_CRYPTO_rsa_sign_blinded(), and GNUNET_CRYPTO_rsa_sign_fdh().

Here is the call graph for this function:

Here is the caller graph for this function:

Data Structures

Macros

Functions

Detailed Description

Macro Definition Documentation

◆ LOG

Function Documentation

◆ key_from_sexp()

◆ rsa_gcd_validate()

◆ rsa_blinding_key_derive()

◆ rsa_blinding_key_free()

◆ numeric_mpi_alloc_n_print()

◆ rsa_full_domain_hash()

◆ mpi_to_sexp()

◆ rsa_sign_mpi()