rsa_chk.c revision 306195
1/* crypto/rsa/rsa_chk.c */ 2/* ==================================================================== 3 * Copyright (c) 1999 The OpenSSL Project. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in 14 * the documentation and/or other materials provided with the 15 * distribution. 16 * 17 * 3. All advertising materials mentioning features or use of this 18 * software must display the following acknowledgment: 19 * "This product includes software developed by the OpenSSL Project 20 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 21 * 22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 23 * endorse or promote products derived from this software without 24 * prior written permission. For written permission, please contact 25 * openssl-core@OpenSSL.org. 26 * 27 * 5. Products derived from this software may not be called "OpenSSL" 28 * nor may "OpenSSL" appear in their names without prior written 29 * permission of the OpenSSL Project. 30 * 31 * 6. Redistributions of any form whatsoever must retain the following 32 * acknowledgment: 33 * "This product includes software developed by the OpenSSL Project 34 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 35 * 36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 47 * OF THE POSSIBILITY OF SUCH DAMAGE. 48 * ==================================================================== 49 */ 50 51#include <openssl/bn.h> 52#include <openssl/err.h> 53#include <openssl/rsa.h> 54 55int RSA_check_key(const RSA *key) 56{ 57 BIGNUM *i, *j, *k, *l, *m; 58 BN_CTX *ctx; 59 int ret = 1; 60 61 if (!key->p || !key->q || !key->n || !key->e || !key->d) { 62 RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_VALUE_MISSING); 63 return 0; 64 } 65 66 i = BN_new(); 67 j = BN_new(); 68 k = BN_new(); 69 l = BN_new(); 70 m = BN_new(); 71 ctx = BN_CTX_new(); 72 if (i == NULL || j == NULL || k == NULL || l == NULL 73 || m == NULL || ctx == NULL) { 74 ret = -1; 75 RSAerr(RSA_F_RSA_CHECK_KEY, ERR_R_MALLOC_FAILURE); 76 goto err; 77 } 78 79 if (BN_is_one(key->e)) { 80 ret = 0; 81 RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_BAD_E_VALUE); 82 } 83 if (!BN_is_odd(key->e)) { 84 ret = 0; 85 RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_BAD_E_VALUE); 86 } 87 88 /* p prime? */ 89 if (BN_is_prime_ex(key->p, BN_prime_checks, NULL, NULL) != 1) { 90 ret = 0; 91 RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_P_NOT_PRIME); 92 } 93 94 /* q prime? */ 95 if (BN_is_prime_ex(key->q, BN_prime_checks, NULL, NULL) != 1) { 96 ret = 0; 97 RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_Q_NOT_PRIME); 98 } 99 100 /* n = p*q? */ 101 if (!BN_mul(i, key->p, key->q, ctx)) { 102 ret = -1; 103 goto err; 104 } 105 if (BN_cmp(i, key->n) != 0) { 106 ret = 0; 107 RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_N_DOES_NOT_EQUAL_P_Q); 108 } 109 110 /* d*e = 1 mod lcm(p-1,q-1)? */ 111 if (!BN_sub(i, key->p, BN_value_one())) { 112 ret = -1; 113 goto err; 114 } 115 if (!BN_sub(j, key->q, BN_value_one())) { 116 ret = -1; 117 goto err; 118 } 119 120 /* now compute k = lcm(i,j) */ 121 if (!BN_mul(l, i, j, ctx)) { 122 ret = -1; 123 goto err; 124 } 125 if (!BN_gcd(m, i, j, ctx)) { 126 ret = -1; 127 goto err; 128 } 129 if (!BN_div(k, NULL, l, m, ctx)) { /* remainder is 0 */ 130 ret = -1; 131 goto err; 132 } 133 if (!BN_mod_mul(i, key->d, key->e, k, ctx)) { 134 ret = -1; 135 goto err; 136 } 137 138 if (!BN_is_one(i)) { 139 ret = 0; 140 RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_D_E_NOT_CONGRUENT_TO_1); 141 } 142 143 if (key->dmp1 != NULL && key->dmq1 != NULL && key->iqmp != NULL) { 144 /* dmp1 = d mod (p-1)? */ 145 if (!BN_sub(i, key->p, BN_value_one())) { 146 ret = -1; 147 goto err; 148 } 149 if (!BN_mod(j, key->d, i, ctx)) { 150 ret = -1; 151 goto err; 152 } 153 if (BN_cmp(j, key->dmp1) != 0) { 154 ret = 0; 155 RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_DMP1_NOT_CONGRUENT_TO_D); 156 } 157 158 /* dmq1 = d mod (q-1)? */ 159 if (!BN_sub(i, key->q, BN_value_one())) { 160 ret = -1; 161 goto err; 162 } 163 if (!BN_mod(j, key->d, i, ctx)) { 164 ret = -1; 165 goto err; 166 } 167 if (BN_cmp(j, key->dmq1) != 0) { 168 ret = 0; 169 RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_DMQ1_NOT_CONGRUENT_TO_D); 170 } 171 172 /* iqmp = q^-1 mod p? */ 173 if (!BN_mod_inverse(i, key->q, key->p, ctx)) { 174 ret = -1; 175 goto err; 176 } 177 if (BN_cmp(i, key->iqmp) != 0) { 178 ret = 0; 179 RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_IQMP_NOT_INVERSE_OF_Q); 180 } 181 } 182 183 err: 184 BN_free(i); 185 BN_free(j); 186 BN_free(k); 187 BN_free(l); 188 BN_free(m); 189 BN_CTX_free(ctx); 190 return ret; 191} 192