1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved. 24 */ 25 26 /* 27 * This file contains RSA helper routines common to 28 * the PKCS11 soft token code and the kernel RSA code. 29 */ 30 31 #include <sys/types.h> 32 #include <bignum.h> 33 34 #ifdef _KERNEL 35 #include <sys/param.h> 36 #else 37 #include <strings.h> 38 #include <cryptoutil.h> 39 #endif 40 41 #include <sys/crypto/common.h> 42 #include "rsa_impl.h" 43 44 /* 45 * DER encoding T of the DigestInfo values for MD5, SHA1, and SHA2 46 * from PKCS#1 v2.1: RSA Cryptography Standard Section 9.2 Note 1 47 * 48 * MD5: (0x)30 20 30 0c 06 08 2a 86 48 86 f7 0d 02 05 05 00 04 10 || H 49 * SHA-1: (0x)30 21 30 09 06 05 2b 0e 03 02 1a 05 00 04 14 || H 50 * SHA-256: (0x)30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20 || H. 51 * SHA-384: (0x)30 41 30 0d 06 09 60 86 48 01 65 03 04 02 02 05 00 04 30 || H. 52 * SHA-512: (0x)30 51 30 0d 06 09 60 86 48 01 65 03 04 02 03 05 00 04 40 || H. 53 * 54 * Where H is the digested output from MD5 or SHA1. We define the constant 55 * byte array (the prefix) here and use it rather than doing the DER 56 * encoding of the OID in a separate routine. 57 */ 58 const CK_BYTE MD5_DER_PREFIX[MD5_DER_PREFIX_Len] = {0x30, 0x20, 0x30, 0x0c, 59 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 60 0x04, 0x10}; 61 62 const CK_BYTE SHA1_DER_PREFIX[SHA1_DER_PREFIX_Len] = {0x30, 0x21, 0x30, 63 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14}; 64 65 const CK_BYTE SHA1_DER_PREFIX_OID[SHA1_DER_PREFIX_OID_Len] = {0x30, 0x1f, 0x30, 66 0x07, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x04, 0x14}; 67 68 const CK_BYTE SHA256_DER_PREFIX[SHA2_DER_PREFIX_Len] = {0x30, 0x31, 0x30, 0x0d, 69 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 70 0x00, 0x04, 0x20}; 71 72 const CK_BYTE SHA384_DER_PREFIX[SHA2_DER_PREFIX_Len] = {0x30, 0x41, 0x30, 0x0d, 73 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 74 0x00, 0x04, 0x30}; 75 76 const CK_BYTE SHA512_DER_PREFIX[SHA2_DER_PREFIX_Len] = {0x30, 0x51, 0x30, 0x0d, 77 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 78 0x00, 0x04, 0x40}; 79 80 const CK_BYTE DEFAULT_PUB_EXPO[DEFAULT_PUB_EXPO_Len] = { 0x01, 0x00, 0x01 }; 81 82 83 static CK_RV 84 convert_rv(BIG_ERR_CODE err) 85 { 86 switch (err) { 87 88 case BIG_OK: 89 return (CKR_OK); 90 91 case BIG_NO_MEM: 92 return (CKR_HOST_MEMORY); 93 94 case BIG_NO_RANDOM: 95 return (CKR_DEVICE_ERROR); 96 97 case BIG_INVALID_ARGS: 98 return (CKR_ARGUMENTS_BAD); 99 100 case BIG_DIV_BY_0: 101 default: 102 return (CKR_GENERAL_ERROR); 103 } 104 } 105 106 /* psize and qsize are in bits */ 107 static BIG_ERR_CODE 108 RSA_key_init(RSAkey *key, int psize, int qsize) 109 { 110 BIG_ERR_CODE err = BIG_OK; 111 112 /* EXPORT DELETE START */ 113 114 int plen, qlen, nlen; 115 116 plen = BITLEN2BIGNUMLEN(psize); 117 qlen = BITLEN2BIGNUMLEN(qsize); 118 nlen = plen + qlen; 119 key->size = psize + qsize; 120 if ((err = big_init(&(key->p), plen)) != BIG_OK) 121 return (err); 122 if ((err = big_init(&(key->q), qlen)) != BIG_OK) 123 goto ret1; 124 if ((err = big_init(&(key->n), nlen)) != BIG_OK) 125 goto ret2; 126 if ((err = big_init(&(key->d), nlen)) != BIG_OK) 127 goto ret3; 128 if ((err = big_init(&(key->e), nlen)) != BIG_OK) 129 goto ret4; 130 if ((err = big_init(&(key->dmodpminus1), plen)) != BIG_OK) 131 goto ret5; 132 if ((err = big_init(&(key->dmodqminus1), qlen)) != BIG_OK) 133 goto ret6; 134 if ((err = big_init(&(key->pinvmodq), qlen)) != BIG_OK) 135 goto ret7; 136 if ((err = big_init(&(key->p_rr), plen)) != BIG_OK) 137 goto ret8; 138 if ((err = big_init(&(key->q_rr), qlen)) != BIG_OK) 139 goto ret9; 140 if ((err = big_init(&(key->n_rr), nlen)) != BIG_OK) 141 goto ret10; 142 143 return (BIG_OK); 144 145 ret10: 146 big_finish(&(key->q_rr)); 147 ret9: 148 big_finish(&(key->p_rr)); 149 ret8: 150 big_finish(&(key->pinvmodq)); 151 ret7: 152 big_finish(&(key->dmodqminus1)); 153 ret6: 154 big_finish(&(key->dmodpminus1)); 155 ret5: 156 big_finish(&(key->e)); 157 ret4: 158 big_finish(&(key->d)); 159 ret3: 160 big_finish(&(key->n)); 161 ret2: 162 big_finish(&(key->q)); 163 ret1: 164 big_finish(&(key->p)); 165 166 /* EXPORT DELETE END */ 167 168 return (err); 169 } 170 171 static void 172 RSA_key_finish(RSAkey *key) 173 { 174 175 /* EXPORT DELETE START */ 176 177 big_finish(&(key->n_rr)); 178 big_finish(&(key->q_rr)); 179 big_finish(&(key->p_rr)); 180 big_finish(&(key->pinvmodq)); 181 big_finish(&(key->dmodqminus1)); 182 big_finish(&(key->dmodpminus1)); 183 big_finish(&(key->e)); 184 big_finish(&(key->d)); 185 big_finish(&(key->n)); 186 big_finish(&(key->q)); 187 big_finish(&(key->p)); 188 189 /* EXPORT DELETE END */ 190 191 } 192 193 /* 194 * Generate RSA key 195 */ 196 static CK_RV 197 generate_rsa_key(RSAkey *key, int psize, int qsize, BIGNUM *pubexp, 198 int (*rfunc)(void *, size_t)) 199 { 200 CK_RV rv = CKR_OK; 201 202 /* EXPORT DELETE START */ 203 204 int (*rf)(void *, size_t); 205 BIGNUM a, b, c, d, e, f, g, h; 206 int len, keylen, size; 207 BIG_ERR_CODE brv = BIG_OK; 208 209 size = psize + qsize; 210 keylen = BITLEN2BIGNUMLEN(size); 211 len = keylen * 2 + 1; 212 key->size = size; 213 214 /* 215 * Note: It is not really necessary to compute e, it is in pubexp: 216 * (void) big_copy(&(key->e), pubexp); 217 */ 218 219 a.malloced = 0; 220 b.malloced = 0; 221 c.malloced = 0; 222 d.malloced = 0; 223 e.malloced = 0; 224 f.malloced = 0; 225 g.malloced = 0; 226 h.malloced = 0; 227 228 if ((big_init(&a, len) != BIG_OK) || 229 (big_init(&b, len) != BIG_OK) || 230 (big_init(&c, len) != BIG_OK) || 231 (big_init(&d, len) != BIG_OK) || 232 (big_init(&e, len) != BIG_OK) || 233 (big_init(&f, len) != BIG_OK) || 234 (big_init(&g, len) != BIG_OK) || 235 (big_init(&h, len) != BIG_OK)) { 236 big_finish(&h); 237 big_finish(&g); 238 big_finish(&f); 239 big_finish(&e); 240 big_finish(&d); 241 big_finish(&c); 242 big_finish(&b); 243 big_finish(&a); 244 245 return (CKR_HOST_MEMORY); 246 } 247 248 rf = rfunc; 249 if (rf == NULL) { 250 #ifdef _KERNEL 251 rf = (int (*)(void *, size_t))random_get_pseudo_bytes; 252 #else 253 rf = pkcs11_get_urandom; 254 #endif 255 } 256 257 nextp: 258 if ((brv = big_random(&a, psize, rf)) != BIG_OK) { 259 goto ret; 260 } 261 262 if ((brv = big_nextprime_pos(&b, &a)) != BIG_OK) { 263 goto ret; 264 } 265 /* b now contains the potential prime p */ 266 267 (void) big_sub_pos(&a, &b, &big_One); 268 if ((brv = big_ext_gcd_pos(&f, &d, &g, pubexp, &a)) != BIG_OK) { 269 goto ret; 270 } 271 if (big_cmp_abs(&f, &big_One) != 0) { 272 goto nextp; 273 } 274 275 if ((brv = big_random(&c, qsize, rf)) != BIG_OK) { 276 goto ret; 277 } 278 279 nextq: 280 (void) big_add(&a, &c, &big_Two); 281 282 if (big_bitlength(&a) != qsize) { 283 goto nextp; 284 } 285 if (big_cmp_abs(&a, &b) == 0) { 286 goto nextp; 287 } 288 if ((brv = big_nextprime_pos(&c, &a)) != BIG_OK) { 289 goto ret; 290 } 291 /* c now contains the potential prime q */ 292 293 if ((brv = big_mul(&g, &b, &c)) != BIG_OK) { 294 goto ret; 295 } 296 if (big_bitlength(&g) != size) { 297 goto nextp; 298 } 299 /* g now contains the potential modulus n */ 300 301 (void) big_sub_pos(&a, &b, &big_One); 302 (void) big_sub_pos(&d, &c, &big_One); 303 304 if ((brv = big_mul(&a, &a, &d)) != BIG_OK) { 305 goto ret; 306 } 307 if ((brv = big_ext_gcd_pos(&f, &d, &h, pubexp, &a)) != BIG_OK) { 308 goto ret; 309 } 310 if (big_cmp_abs(&f, &big_One) != 0) { 311 goto nextq; 312 } else { 313 (void) big_copy(&e, pubexp); 314 } 315 if (d.sign == -1) { 316 if ((brv = big_add(&d, &d, &a)) != BIG_OK) { 317 goto ret; 318 } 319 } 320 (void) big_copy(&(key->p), &b); 321 (void) big_copy(&(key->q), &c); 322 (void) big_copy(&(key->n), &g); 323 (void) big_copy(&(key->d), &d); 324 (void) big_copy(&(key->e), &e); 325 326 if ((brv = big_ext_gcd_pos(&a, &f, &h, &b, &c)) != BIG_OK) { 327 goto ret; 328 } 329 if (f.sign == -1) { 330 if ((brv = big_add(&f, &f, &c)) != BIG_OK) { 331 goto ret; 332 } 333 } 334 (void) big_copy(&(key->pinvmodq), &f); 335 336 (void) big_sub(&a, &b, &big_One); 337 if ((brv = big_div_pos(&a, &f, &d, &a)) != BIG_OK) { 338 goto ret; 339 } 340 (void) big_copy(&(key->dmodpminus1), &f); 341 (void) big_sub(&a, &c, &big_One); 342 if ((brv = big_div_pos(&a, &f, &d, &a)) != BIG_OK) { 343 goto ret; 344 } 345 (void) big_copy(&(key->dmodqminus1), &f); 346 347 /* pairwise consistency check: decrypt and encrypt restores value */ 348 if ((brv = big_random(&h, size, rf)) != BIG_OK) { 349 goto ret; 350 } 351 if ((brv = big_div_pos(&a, &h, &h, &g)) != BIG_OK) { 352 goto ret; 353 } 354 if ((brv = big_modexp(&a, &h, &d, &g, NULL)) != BIG_OK) { 355 goto ret; 356 } 357 358 if ((brv = big_modexp(&b, &a, &e, &g, NULL)) != BIG_OK) { 359 goto ret; 360 } 361 362 if (big_cmp_abs(&b, &h) != 0) { 363 /* this should not happen */ 364 rv = generate_rsa_key(key, psize, qsize, pubexp, rf); 365 goto ret1; 366 } else { 367 brv = BIG_OK; 368 } 369 370 ret: 371 rv = convert_rv(brv); 372 ret1: 373 big_finish(&h); 374 big_finish(&g); 375 big_finish(&f); 376 big_finish(&e); 377 big_finish(&d); 378 big_finish(&c); 379 big_finish(&b); 380 big_finish(&a); 381 382 /* EXPORT DELETE END */ 383 384 return (rv); 385 } 386 387 CK_RV 388 rsa_genkey_pair(RSAbytekey *bkey) 389 { 390 /* 391 * NOTE: Whomever originally wrote this function swapped p and q. 392 * This table shows the mapping between name convention used here 393 * versus what is used in most texts that describe RSA key generation. 394 * This function: Standard convention: 395 * -------------- -------------------- 396 * modulus, n -same- 397 * prime 1, q prime 1, p 398 * prime 2, p prime 2, q 399 * private exponent, d -same- 400 * public exponent, e -same- 401 * exponent 1, d mod (q-1) d mod (p-1) 402 * exponent 2, d mod (p-1) d mod (q-1) 403 * coefficient, p^-1 mod q q^-1 mod p 404 * 405 * Also notice the struct member for coefficient is named .pinvmodq 406 * rather than .qinvmodp, reflecting the switch. 407 * 408 * The code here wasn't unswapped, because "it works". Further, 409 * p and q are interchangeable as long as exponent 1 and 2 and 410 * the coefficient are kept straight too. This note is here to 411 * make the reader aware of the switcheroo. 412 */ 413 CK_RV rv = CKR_OK; 414 415 /* EXPORT DELETE START */ 416 417 BIGNUM public_exponent = {0}; 418 RSAkey rsakey; 419 uint32_t modulus_bytes; 420 421 if (bkey == NULL) 422 return (CKR_ARGUMENTS_BAD); 423 424 /* Must have modulus bits set */ 425 if (bkey->modulus_bits == 0) 426 return (CKR_ARGUMENTS_BAD); 427 428 /* Must have public exponent set */ 429 if (bkey->pubexpo_bytes == 0 || bkey->pubexpo == NULL) 430 return (CKR_ARGUMENTS_BAD); 431 432 /* Note: modulus_bits may not be same as (8 * sizeof (modulus)) */ 433 modulus_bytes = CRYPTO_BITS2BYTES(bkey->modulus_bits); 434 435 /* Modulus length needs to be between min key size and max key size. */ 436 if ((modulus_bytes < MIN_RSA_KEYLENGTH_IN_BYTES) || 437 (modulus_bytes > MAX_RSA_KEYLENGTH_IN_BYTES)) { 438 return (CKR_KEY_SIZE_RANGE); 439 } 440 441 /* 442 * Initialize the RSA key. 443 */ 444 if (RSA_key_init(&rsakey, modulus_bytes * 4, modulus_bytes * 4) != 445 BIG_OK) { 446 return (CKR_HOST_MEMORY); 447 } 448 449 /* Create a public exponent in bignum format. */ 450 if (big_init(&public_exponent, 451 CHARLEN2BIGNUMLEN(bkey->pubexpo_bytes)) != BIG_OK) { 452 rv = CKR_HOST_MEMORY; 453 goto clean1; 454 } 455 bytestring2bignum(&public_exponent, bkey->pubexpo, bkey->pubexpo_bytes); 456 457 /* Generate RSA key pair. */ 458 if ((rv = generate_rsa_key(&rsakey, 459 modulus_bytes * 4, modulus_bytes * 4, &public_exponent, 460 bkey->rfunc)) != CKR_OK) { 461 big_finish(&public_exponent); 462 goto clean1; 463 } 464 big_finish(&public_exponent); 465 466 /* modulus_bytes = rsakey.n.len * (int)sizeof (BIG_CHUNK_TYPE); */ 467 bignum2bytestring(bkey->modulus, &(rsakey.n), modulus_bytes); 468 469 bkey->privexpo_bytes = rsakey.d.len * (int)sizeof (BIG_CHUNK_TYPE); 470 bignum2bytestring(bkey->privexpo, &(rsakey.d), bkey->privexpo_bytes); 471 472 bkey->pubexpo_bytes = rsakey.e.len * (int)sizeof (BIG_CHUNK_TYPE); 473 bignum2bytestring(bkey->pubexpo, &(rsakey.e), bkey->pubexpo_bytes); 474 475 bkey->prime1_bytes = rsakey.q.len * (int)sizeof (BIG_CHUNK_TYPE); 476 bignum2bytestring(bkey->prime1, &(rsakey.q), bkey->prime1_bytes); 477 478 bkey->prime2_bytes = rsakey.p.len * (int)sizeof (BIG_CHUNK_TYPE); 479 bignum2bytestring(bkey->prime2, &(rsakey.p), bkey->prime2_bytes); 480 481 bkey->expo1_bytes = 482 rsakey.dmodqminus1.len * (int)sizeof (BIG_CHUNK_TYPE); 483 bignum2bytestring(bkey->expo1, &(rsakey.dmodqminus1), 484 bkey->expo1_bytes); 485 486 bkey->expo2_bytes = 487 rsakey.dmodpminus1.len * (int)sizeof (BIG_CHUNK_TYPE); 488 bignum2bytestring(bkey->expo2, 489 &(rsakey.dmodpminus1), bkey->expo2_bytes); 490 491 bkey->coeff_bytes = 492 rsakey.pinvmodq.len * (int)sizeof (BIG_CHUNK_TYPE); 493 bignum2bytestring(bkey->coeff, &(rsakey.pinvmodq), bkey->coeff_bytes); 494 495 clean1: 496 RSA_key_finish(&rsakey); 497 498 /* EXPORT DELETE END */ 499 500 return (rv); 501 } 502 503 /* 504 * RSA encrypt operation 505 */ 506 CK_RV 507 rsa_encrypt(RSAbytekey *bkey, uchar_t *in, uint32_t in_len, uchar_t *out) 508 { 509 CK_RV rv = CKR_OK; 510 511 /* EXPORT DELETE START */ 512 513 BIGNUM msg; 514 RSAkey rsakey; 515 uint32_t modulus_bytes; 516 517 if (bkey == NULL) 518 return (CKR_ARGUMENTS_BAD); 519 520 /* Must have modulus and public exponent set */ 521 if (bkey->modulus_bits == 0 || bkey->modulus == NULL || 522 bkey->pubexpo_bytes == 0 || bkey->pubexpo == NULL) 523 return (CKR_ARGUMENTS_BAD); 524 525 /* Note: modulus_bits may not be same as (8 * sizeof (modulus)) */ 526 modulus_bytes = CRYPTO_BITS2BYTES(bkey->modulus_bits); 527 528 if (bkey->pubexpo_bytes > modulus_bytes) { 529 return (CKR_KEY_SIZE_RANGE); 530 } 531 532 /* psize and qsize for RSA_key_init is in bits. */ 533 if (RSA_key_init(&rsakey, modulus_bytes * 4, modulus_bytes * 4) != 534 BIG_OK) { 535 return (CKR_HOST_MEMORY); 536 } 537 538 /* Size for big_init is in BIG_CHUNK_TYPE words. */ 539 if (big_init(&msg, CHARLEN2BIGNUMLEN(in_len)) != BIG_OK) { 540 rv = CKR_HOST_MEMORY; 541 goto clean2; 542 } 543 bytestring2bignum(&msg, in, in_len); 544 545 /* Convert public exponent and modulus to big integer format. */ 546 bytestring2bignum(&(rsakey.e), bkey->pubexpo, bkey->pubexpo_bytes); 547 bytestring2bignum(&(rsakey.n), bkey->modulus, modulus_bytes); 548 549 if (big_cmp_abs(&msg, &(rsakey.n)) > 0) { 550 rv = CKR_DATA_LEN_RANGE; 551 goto clean3; 552 } 553 554 /* Perform RSA computation on big integer input data. */ 555 if (big_modexp(&msg, &msg, &(rsakey.e), &(rsakey.n), NULL) != 556 BIG_OK) { 557 rv = CKR_HOST_MEMORY; 558 goto clean3; 559 } 560 561 /* Convert the big integer output data to octet string. */ 562 bignum2bytestring(out, &msg, modulus_bytes); 563 564 clean3: 565 big_finish(&msg); 566 clean2: 567 RSA_key_finish(&rsakey); 568 569 /* EXPORT DELETE END */ 570 571 return (rv); 572 } 573 574 /* 575 * RSA decrypt operation 576 */ 577 CK_RV 578 rsa_decrypt(RSAbytekey *bkey, uchar_t *in, uint32_t in_len, uchar_t *out) 579 { 580 CK_RV rv = CKR_OK; 581 582 /* EXPORT DELETE START */ 583 584 BIGNUM msg; 585 RSAkey rsakey; 586 uint32_t modulus_bytes; 587 588 if (bkey == NULL) 589 return (CKR_ARGUMENTS_BAD); 590 591 /* Must have modulus, prime1, prime2, expo1, expo2, and coeff set */ 592 if (bkey->modulus_bits == 0 || bkey->modulus == NULL || 593 bkey->prime1_bytes == 0 || bkey->prime1 == NULL || 594 bkey->prime2_bytes == 0 || bkey->prime2 == NULL || 595 bkey->expo1_bytes == 0 || bkey->expo1 == NULL || 596 bkey->expo2_bytes == 0 || bkey->expo2 == NULL || 597 bkey->coeff_bytes == 0 || bkey->coeff == NULL) 598 return (CKR_ARGUMENTS_BAD); 599 600 /* Note: modulus_bits may not be same as (8 * sizeof (modulus)) */ 601 modulus_bytes = CRYPTO_BITS2BYTES(bkey->modulus_bits); 602 603 /* psize and qsize for RSA_key_init is in bits. */ 604 if (RSA_key_init(&rsakey, CRYPTO_BYTES2BITS(bkey->prime2_bytes), 605 CRYPTO_BYTES2BITS(bkey->prime1_bytes)) != BIG_OK) { 606 return (CKR_HOST_MEMORY); 607 } 608 609 /* Size for big_init is in BIG_CHUNK_TYPE words. */ 610 if (big_init(&msg, CHARLEN2BIGNUMLEN(in_len)) != BIG_OK) { 611 rv = CKR_HOST_MEMORY; 612 goto clean3; 613 } 614 /* Convert octet string input data to big integer format. */ 615 bytestring2bignum(&msg, in, in_len); 616 617 /* Convert octet string modulus to big integer format. */ 618 bytestring2bignum(&(rsakey.n), bkey->modulus, modulus_bytes); 619 620 if (big_cmp_abs(&msg, &(rsakey.n)) > 0) { 621 rv = CKR_DATA_LEN_RANGE; 622 goto clean4; 623 } 624 625 /* Convert the rest of private key attributes to big integer format. */ 626 bytestring2bignum(&(rsakey.q), bkey->prime1, bkey->prime1_bytes); 627 bytestring2bignum(&(rsakey.p), bkey->prime2, bkey->prime2_bytes); 628 bytestring2bignum(&(rsakey.dmodqminus1), 629 bkey->expo1, bkey->expo1_bytes); 630 bytestring2bignum(&(rsakey.dmodpminus1), 631 bkey->expo2, bkey->expo2_bytes); 632 bytestring2bignum(&(rsakey.pinvmodq), 633 bkey->coeff, bkey->coeff_bytes); 634 635 if ((big_cmp_abs(&(rsakey.dmodpminus1), &(rsakey.p)) > 0) || 636 (big_cmp_abs(&(rsakey.dmodqminus1), &(rsakey.q)) > 0) || 637 (big_cmp_abs(&(rsakey.pinvmodq), &(rsakey.q)) > 0)) { 638 rv = CKR_KEY_SIZE_RANGE; 639 goto clean4; 640 } 641 642 /* Perform RSA computation on big integer input data. */ 643 if (big_modexp_crt(&msg, &msg, &(rsakey.dmodpminus1), 644 &(rsakey.dmodqminus1), &(rsakey.p), &(rsakey.q), 645 &(rsakey.pinvmodq), NULL, NULL) != BIG_OK) { 646 rv = CKR_HOST_MEMORY; 647 goto clean4; 648 } 649 650 /* Convert the big integer output data to octet string. */ 651 bignum2bytestring(out, &msg, modulus_bytes); 652 653 clean4: 654 big_finish(&msg); 655 clean3: 656 RSA_key_finish(&rsakey); 657 658 /* EXPORT DELETE END */ 659 660 return (rv); 661 } 662