1 \ Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
3 \ Permission is hereby granted, free of charge, to any person obtaining
4 \ a copy of this software and associated documentation files (the
5 \ "Software"), to deal in the Software without restriction, including
6 \ without limitation the rights to use, copy, modify, merge, publish,
7 \ distribute, sublicense, and/or sell copies of the Software, and to
8 \ permit persons to whom the Software is furnished to do so, subject to
9 \ the following conditions:
11 \ The above copyright notice and this permission notice shall be
12 \ included in all copies or substantial portions of the Software.
14 \ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
15 \ EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
16 \ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
17 \ NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
18 \ BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
19 \ ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
20 \ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
27 #define CTX ((br_skey_decoder_context *)(void *)((unsigned char *)t0ctx - offsetof(br_skey_decoder_context, cpu)))
28 #define CONTEXT_NAME br_skey_decoder_context
30 /* see bearssl_x509.h */
32 br_skey_decoder_init(br_skey_decoder_context *ctx)
34 memset(ctx, 0, sizeof *ctx);
35 ctx->cpu.dp = &ctx->dp_stack[0];
36 ctx->cpu.rp = &ctx->rp_stack[0];
37 br_skey_decoder_init_main(&ctx->cpu);
38 br_skey_decoder_run(&ctx->cpu);
41 /* see bearssl_x509.h */
43 br_skey_decoder_push(br_skey_decoder_context *ctx,
44 const void *data, size_t len)
48 br_skey_decoder_run(&ctx->cpu);
56 cc: read8-low ( -- x ) {
61 T0_PUSH(*CTX->hbuf ++);
65 cc: read-blob-inner ( addr len -- addr len ) {
66 uint32_t len = T0_POP();
67 uint32_t addr = T0_POP();
68 size_t clen = CTX->hlen;
73 memcpy((unsigned char *)CTX + addr, CTX->hbuf, clen);
81 \ Get the length of the key_data buffer.
83 CX 0 8191 { 3 * BR_X509_BUFSIZE_KEY } ;
85 \ Get the address and length for the key_data buffer.
86 : addr-len-key_data ( -- addr len )
87 addr-key_data len-key_data ;
89 \ Set the private key (RSA).
90 cc: set-rsa-key ( n_bitlen plen qlen dplen dqlen iqlen -- ) {
91 size_t iqlen = T0_POP();
92 size_t dqlen = T0_POP();
93 size_t dplen = T0_POP();
94 size_t qlen = T0_POP();
95 size_t plen = T0_POP();
96 uint32_t n_bitlen = T0_POP();
99 CTX->key.rsa.n_bitlen = n_bitlen;
100 CTX->key.rsa.p = CTX->key_data;
101 CTX->key.rsa.plen = plen;
103 CTX->key.rsa.q = CTX->key_data + off;
104 CTX->key.rsa.qlen = qlen;
106 CTX->key.rsa.dp = CTX->key_data + off;
107 CTX->key.rsa.dplen = dplen;
109 CTX->key.rsa.dq = CTX->key_data + off;
110 CTX->key.rsa.dqlen = dqlen;
112 CTX->key.rsa.iq = CTX->key_data + off;
113 CTX->key.rsa.iqlen = iqlen;
116 \ Set the private key (EC).
117 cc: set-ec-key ( curve xlen -- ) {
118 size_t xlen = T0_POP();
119 uint32_t curve = T0_POP();
120 CTX->key.ec.curve = curve;
121 CTX->key.ec.x = CTX->key_data;
122 CTX->key.ec.xlen = xlen;
125 \ Get the bit length for an integer (unsigned).
126 : int-bit-length ( x -- bitlen )
128 begin dup while 1 u>> swap 1+ swap repeat
131 \ Read an INTEGER into the key_data buffer, but then ignore it.
132 : read-integer-ignore ( lim -- lim )
133 addr-len-key_data read-integer drop ;
135 \ Read an INTEGER into the key_data buffer, at the provided offset.
136 \ Returned value is the integer length (in bytes).
137 : read-integer-off ( lim off -- lim dlen )
138 dup addr-len-key_data rot - swap rot + swap read-integer ;
140 \ Decode RSA key, starting with the SEQUENCE tag.
141 : decode-RSA ( lim -- lim )
144 \ Version should be 0.
145 read-tag 0x02 check-tag-primitive read-small-int-value if
146 ERR_X509_UNSUPPORTED fail
149 \ Read tag for the modulus; should be INTEGER. Then use the
150 \ decode-RSA-next function for the remainder of the key.
151 read-tag 0x02 check-tag-primitive
154 \ Close the SEQUENCE.
157 \ Decode RSA key; the version, and the tag for the modulus, have been
159 : decode-RSA-next ( lim -- lim )
160 \ Modulus: we read it but we do not keep it; we merely gather
161 \ the modulus bit length.
162 addr-len-key_data read-integer-next
163 dup ifnot ERR_X509_UNEXPECTED fail then
164 1- 3 << addr-key_data get8 int-bit-length + { n_bitlen }
166 \ Public exponent: read but skip.
169 \ Private exponent: read but skip.
172 \ First prime factor.
173 addr-len-key_data read-integer dup dup { off plen }
175 \ Second prime factor.
176 read-integer-off dup { qlen } off + dup >off
178 \ First reduced private exponent.
179 read-integer-off dup { dplen } off + dup >off
181 \ Second reduced private exponent.
182 read-integer-off dup { dqlen } off + dup >off
185 read-integer-off { iqlen }
188 n_bitlen plen qlen dplen dqlen iqlen set-rsa-key
190 \ The caller will close the sequence, thereby validating that there
194 \ Decode an EC key, starting with the SEQUENCE tag.
195 : decode-EC ( lim curve -- lim )
199 \ Version should be 1.
200 read-tag 0x02 check-tag-primitive read-small-int-value 1- if
201 ERR_X509_UNSUPPORTED fail
204 \ Read tag for the private key; should be OCTET STRING. Then use the
205 \ decode-EC-next function for the remainder of the key.
206 read-tag 0x04 check-tag-primitive
209 \ Close the SEQUENCE.
212 \ Decode an EC key; the version, and the tag for the OCTET STRING, have
213 \ already been read. The curve ID is provided (0 if unknown).
214 : decode-EC-next ( lim curve -- lim )
217 \ Read the private key proper.
219 dup dup { xlen } len-key_data > if ERR_X509_UNSUPPORTED fail then
220 addr-key_data read-blob
222 \ Next element might be the curve identifier.
229 \ Curve parameters; we support only named curves.
231 check-constructed read-length-open-elt
234 curve <> if ERR_X509_INVALID_VALUE fail then
241 \ Public key. We ignore it.
242 0x21 of check-constructed endof
244 ERR_X509_UNSUPPORTED fail
248 \ The curve must have been defined one way or another.
249 curve ifnot ERR_X509_UNSUPPORTED fail then
252 curve xlen set-ec-key
254 \ The caller will close the sequence.
257 \ Decode a PKCS#8 object. The version and the tag for the AlgorithmIdentifier
258 \ structure have already been read. This function returns the key type.
259 : decode-PKCS8-next ( lim -- lim keytype )
260 \ Decode the AlgorithmIdentifier.
262 read-OID ifnot ERR_X509_UNSUPPORTED fail then
265 rsaEncryption eqOID uf
266 \ RSA private key. We ignore the parameters.
267 skip-remaining -1 >is-rsa
269 id-ecPublicKey eqOID uf
270 \ EC private key. Parameters, if present, shall
271 \ identify the curve.
273 dup if read-curve-ID else 0 then >curve
276 ERR_X509_UNSUPPORTED fail
280 \ Open private key value and decode it.
281 read-tag 0x04 check-tag-primitive
290 \ We ignore any extra field, i.e. attributes or public key.
293 \ Return the key type.
294 is-rsa if KEYTYPE_RSA else KEYTYPE_EC then
297 \ Decode a private key.
299 \ RSA private key format is defined in PKCS#1 (RFC 3447):
300 \ RSAPrivateKey ::= SEQUENCE {
301 \ version INTEGER, -- 0 or 1
310 \ other OtherPrimeInfos OPTIONAL
312 \ We do not support keys with more than two primes (these have
313 \ version 1); thus, we expect the version field to be 0, and
314 \ the 'other' field to be absent.
316 \ EC private key format is defined in RFC 5915:
317 \ ECPrivateKey ::= SEQUENCE {
318 \ version INTEGER, -- always 1
319 \ privateKey OCTET STRING,
320 \ parameters [0] EXPLICIT OBJECT IDENTIFIER OPTIONAL,
321 \ publicKey [1] EXPLICIT BIT STRING OPTIONAL
323 \ The "parameters" might conceptually be a complex curve description
324 \ structure but we support only named curves. The private key
325 \ contents are the unsigned big-endian encoding of the key value,
326 \ which is exactly what we want.
328 \ PKCS#8 (unencrypted) is:
329 \ OneAsymmetricKey ::= SEQUENCE {
330 \ version INTEGER, -- 0 or 1
331 \ algorithm AlgorithmIdentifier,
332 \ privateKey OCTET STRING,
333 \ attributes [0] IMPLICIT Attributes OPTIONAL,
334 \ publicKey [1] IMPLICIT BIT STRING OPTIONAL
336 \ The 'publicKey' field is an add-on from RFC 5958 and may be
337 \ present only if the 'version' is v2 (i.e. has value 1). We
340 \ An arbitrary upper limit on the private key size.
343 \ Open the outer SEQUENCE.
346 \ All our schemas begin with a small INTEGER which is either 0 or
347 \ 1. We don't care which it is.
348 read-tag 0x02 check-tag-primitive read-small-int-value 1 > if
349 ERR_X509_UNSUPPORTED fail
352 \ Get next tag: it should be either an INTEGER (RSA private key),
353 \ an OCTET STRING (EC private key), or a SEQUENCE (for an
354 \ AlgorithmIdentifier, in a PKCS#8 object).
357 0x02 of check-primitive decode-RSA-next KEYTYPE_RSA endof
358 0x04 of check-primitive 0 decode-EC-next KEYTYPE_EC endof
359 0x10 of check-constructed decode-PKCS8-next endof
360 ERR_X509_UNSUPPORTED fail
364 \ Close the SEQUENCE.
367 \ Set the key type, which marks the decoding as a success.
368 key-type addr-key_type set8
370 \ Read one byte, then fail: if the read succeeds, then there is
371 \ some trailing byte.
372 read8-nc ERR_X509_EXTRA_ELEMENT fail