2022-08-26 15:44:59 +00:00
|
|
|
// Copyright 2014 Google LLC. All rights reserved.
|
2014-02-14 23:21:05 +00:00
|
|
|
//
|
|
|
|
// Use of this source code is governed by a BSD-style
|
|
|
|
// license that can be found in the LICENSE file or at
|
|
|
|
// https://developers.google.com/open-source/licenses/bsd
|
2014-01-06 23:38:39 +00:00
|
|
|
//
|
|
|
|
// RSA signature details:
|
|
|
|
// Algorithm: RSASSA-PSS
|
|
|
|
// Hash algorithm: SHA1
|
|
|
|
// Mask generation function: mgf1SHA1
|
|
|
|
// Salt length: 20 bytes
|
|
|
|
// Trailer field: 0xbc
|
|
|
|
//
|
|
|
|
// RSA encryption details:
|
|
|
|
// Algorithm: RSA-OAEP
|
|
|
|
// Mask generation function: mgf1SHA1
|
|
|
|
// Label (encoding paramter): empty std::string
|
|
|
|
|
2023-10-10 23:51:11 +00:00
|
|
|
#include <packager/media/base/rsa_key.h>
|
2014-01-06 23:38:39 +00:00
|
|
|
|
2022-11-02 15:34:06 +00:00
|
|
|
#include <memory>
|
2014-01-06 23:38:39 +00:00
|
|
|
#include <vector>
|
|
|
|
|
2023-10-13 19:42:47 +00:00
|
|
|
#include <absl/log/check.h>
|
|
|
|
#include <absl/log/log.h>
|
2023-10-09 23:21:41 +00:00
|
|
|
#include <mbedtls/error.h>
|
|
|
|
#include <mbedtls/md.h>
|
2014-01-06 23:38:39 +00:00
|
|
|
|
|
|
|
namespace {
|
|
|
|
|
|
|
|
const size_t kPssSaltLength = 20u;
|
|
|
|
|
2022-11-02 15:34:06 +00:00
|
|
|
std::string mbedtls_strerr(int rv) {
|
|
|
|
// There is always a "high level" error.
|
|
|
|
std::string output(mbedtls_high_level_strerr(rv));
|
|
|
|
|
|
|
|
// Some errors have a "low level" error, which is like an inner error code
|
|
|
|
// with a deeper explanation. But on mac and Windows, ostream crashes if you
|
|
|
|
// give it NULL. So we combine them ourselves with a NULL check.
|
|
|
|
const char* low_level_error = mbedtls_low_level_strerr(rv);
|
|
|
|
if (low_level_error) {
|
|
|
|
output += ": ";
|
|
|
|
output += low_level_error;
|
2014-01-06 23:38:39 +00:00
|
|
|
}
|
|
|
|
|
2022-11-02 15:34:06 +00:00
|
|
|
return output;
|
2014-01-06 23:38:39 +00:00
|
|
|
}
|
|
|
|
|
2022-11-02 15:34:06 +00:00
|
|
|
std::string sha1(const std::string& message) {
|
|
|
|
const mbedtls_md_info_t* md_info = mbedtls_md_info_from_type(MBEDTLS_MD_SHA1);
|
|
|
|
DCHECK(md_info);
|
2014-01-06 23:38:39 +00:00
|
|
|
|
2022-11-02 15:34:06 +00:00
|
|
|
std::string hash(mbedtls_md_get_size(md_info), 0);
|
|
|
|
CHECK_EQ(0,
|
|
|
|
mbedtls_md(md_info, reinterpret_cast<const uint8_t*>(message.data()),
|
|
|
|
message.size(), reinterpret_cast<uint8_t*>(hash.data())));
|
|
|
|
|
|
|
|
return hash;
|
2014-01-06 23:38:39 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
} // namespace
|
|
|
|
|
2016-05-20 21:19:33 +00:00
|
|
|
namespace shaka {
|
2014-01-06 23:38:39 +00:00
|
|
|
namespace media {
|
|
|
|
|
2022-11-02 15:34:06 +00:00
|
|
|
RsaPrivateKey::RsaPrivateKey() {
|
|
|
|
mbedtls_pk_init(&pk_context_);
|
|
|
|
mbedtls_entropy_init(&entropy_context_);
|
|
|
|
mbedtls_ctr_drbg_init(&prng_context_);
|
2014-01-06 23:38:39 +00:00
|
|
|
}
|
2022-11-02 15:34:06 +00:00
|
|
|
|
2014-01-06 23:38:39 +00:00
|
|
|
RsaPrivateKey::~RsaPrivateKey() {
|
2022-11-02 15:34:06 +00:00
|
|
|
mbedtls_pk_free(&pk_context_);
|
|
|
|
mbedtls_entropy_free(&entropy_context_);
|
|
|
|
mbedtls_ctr_drbg_free(&prng_context_);
|
2014-01-06 23:38:39 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
RsaPrivateKey* RsaPrivateKey::Create(const std::string& serialized_key) {
|
2022-11-02 15:34:06 +00:00
|
|
|
std::unique_ptr<RsaPrivateKey> key(new RsaPrivateKey());
|
|
|
|
if (!key->Deserialize(serialized_key)) {
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
return key.release();
|
|
|
|
}
|
|
|
|
|
|
|
|
bool RsaPrivateKey::Deserialize(const std::string& serialized_key) {
|
|
|
|
const mbedtls_pk_info_t* pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_RSA);
|
|
|
|
DCHECK(pk_info);
|
|
|
|
|
|
|
|
CHECK_EQ(mbedtls_ctr_drbg_seed(&prng_context_, mbedtls_entropy_func,
|
|
|
|
&entropy_context_, /* custom= */ NULL,
|
|
|
|
/* custom_len= */ 0),
|
|
|
|
0);
|
|
|
|
|
|
|
|
int rv = mbedtls_pk_parse_key(
|
|
|
|
&pk_context_, reinterpret_cast<const uint8_t*>(serialized_key.data()),
|
|
|
|
serialized_key.size(),
|
|
|
|
/* password= */ NULL,
|
|
|
|
/* password_len= */ 0, mbedtls_ctr_drbg_random, &prng_context_);
|
|
|
|
if (rv != 0) {
|
|
|
|
LOG(ERROR) << "RSA private key failed to load: " << mbedtls_strerr(rv);
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
// Set the padding mode and digest mode.
|
|
|
|
mbedtls_rsa_context* rsa_context = mbedtls_pk_rsa(pk_context_);
|
|
|
|
rv = mbedtls_rsa_set_padding(rsa_context, MBEDTLS_RSA_PKCS_V21,
|
|
|
|
MBEDTLS_MD_SHA1);
|
|
|
|
if (rv != 0) {
|
|
|
|
LOG(ERROR) << "RSA private key failed to set padding: "
|
|
|
|
<< mbedtls_strerr(rv);
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
return true;
|
2014-01-06 23:38:39 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
bool RsaPrivateKey::Decrypt(const std::string& encrypted_message,
|
|
|
|
std::string* decrypted_message) {
|
|
|
|
DCHECK(decrypted_message);
|
|
|
|
|
2022-11-02 15:34:06 +00:00
|
|
|
mbedtls_rsa_context* rsa_context = mbedtls_pk_rsa(pk_context_);
|
|
|
|
|
|
|
|
size_t rsa_size = mbedtls_rsa_get_len(rsa_context);
|
2014-01-06 23:38:39 +00:00
|
|
|
if (encrypted_message.size() != rsa_size) {
|
|
|
|
LOG(ERROR) << "Encrypted RSA message has the wrong size (expected "
|
|
|
|
<< rsa_size << ", actual " << encrypted_message.size() << ").";
|
|
|
|
return false;
|
|
|
|
}
|
2022-11-02 15:34:06 +00:00
|
|
|
decrypted_message->resize(encrypted_message.size());
|
|
|
|
|
|
|
|
size_t decrypted_size = 0;
|
|
|
|
int rv = mbedtls_rsa_rsaes_oaep_decrypt(
|
|
|
|
rsa_context, mbedtls_ctr_drbg_random, &prng_context_,
|
|
|
|
/* label= */ NULL,
|
|
|
|
/* label_len= */ 0, &decrypted_size,
|
|
|
|
reinterpret_cast<const uint8_t*>(encrypted_message.data()),
|
|
|
|
reinterpret_cast<uint8_t*>(decrypted_message->data()),
|
|
|
|
decrypted_message->size());
|
|
|
|
|
|
|
|
if (rv != 0) {
|
|
|
|
LOG(ERROR) << "RSA private decrypt failure: " << mbedtls_strerr(rv);
|
2014-01-06 23:38:39 +00:00
|
|
|
return false;
|
|
|
|
}
|
|
|
|
decrypted_message->resize(decrypted_size);
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
bool RsaPrivateKey::GenerateSignature(const std::string& message,
|
|
|
|
std::string* signature) {
|
|
|
|
DCHECK(signature);
|
|
|
|
if (message.empty()) {
|
|
|
|
LOG(ERROR) << "Message to be signed is empty.";
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
2022-11-02 15:34:06 +00:00
|
|
|
mbedtls_rsa_context* rsa_context = mbedtls_pk_rsa(pk_context_);
|
2014-01-06 23:38:39 +00:00
|
|
|
|
2022-11-02 15:34:06 +00:00
|
|
|
size_t rsa_size = mbedtls_rsa_get_len(rsa_context);
|
2014-01-06 23:38:39 +00:00
|
|
|
signature->resize(rsa_size);
|
|
|
|
|
2022-11-02 15:34:06 +00:00
|
|
|
std::string hash = sha1(message);
|
|
|
|
int rv = mbedtls_rsa_rsassa_pss_sign_ext(
|
|
|
|
rsa_context, mbedtls_ctr_drbg_random, &prng_context_, MBEDTLS_MD_SHA1,
|
|
|
|
static_cast<unsigned int>(hash.size()),
|
|
|
|
reinterpret_cast<const uint8_t*>(hash.data()), kPssSaltLength,
|
|
|
|
reinterpret_cast<uint8_t*>(signature->data()));
|
|
|
|
|
|
|
|
if (rv != 0) {
|
|
|
|
LOG(ERROR) << "RSA sign failure: " << mbedtls_strerr(rv);
|
2014-01-06 23:38:39 +00:00
|
|
|
return false;
|
|
|
|
}
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
2022-11-02 15:34:06 +00:00
|
|
|
RsaPublicKey::RsaPublicKey() {
|
|
|
|
mbedtls_pk_init(&pk_context_);
|
|
|
|
mbedtls_entropy_init(&entropy_context_);
|
|
|
|
mbedtls_ctr_drbg_init(&prng_context_);
|
2014-01-06 23:38:39 +00:00
|
|
|
}
|
2022-11-02 15:34:06 +00:00
|
|
|
|
2014-01-06 23:38:39 +00:00
|
|
|
RsaPublicKey::~RsaPublicKey() {
|
2022-11-02 15:34:06 +00:00
|
|
|
mbedtls_pk_free(&pk_context_);
|
|
|
|
mbedtls_entropy_free(&entropy_context_);
|
|
|
|
mbedtls_ctr_drbg_free(&prng_context_);
|
2014-01-06 23:38:39 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
RsaPublicKey* RsaPublicKey::Create(const std::string& serialized_key) {
|
2022-11-02 15:34:06 +00:00
|
|
|
std::unique_ptr<RsaPublicKey> key(new RsaPublicKey());
|
|
|
|
if (!key->Deserialize(serialized_key)) {
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
return key.release();
|
|
|
|
}
|
|
|
|
|
|
|
|
bool RsaPublicKey::Deserialize(const std::string& serialized_key) {
|
|
|
|
const mbedtls_pk_info_t* pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_RSA);
|
|
|
|
DCHECK(pk_info);
|
|
|
|
|
|
|
|
CHECK_EQ(mbedtls_ctr_drbg_seed(&prng_context_, mbedtls_entropy_func,
|
|
|
|
&entropy_context_, /* custom= */ NULL,
|
|
|
|
/* custom_len= */ 0),
|
|
|
|
0);
|
|
|
|
|
|
|
|
int rv = mbedtls_pk_parse_public_key(
|
|
|
|
&pk_context_, reinterpret_cast<const uint8_t*>(serialized_key.data()),
|
|
|
|
serialized_key.size());
|
|
|
|
if (rv != 0) {
|
|
|
|
LOG(ERROR) << "RSA public key failed to load: " << mbedtls_strerr(rv);
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
// Set the padding mode and digest mode.
|
|
|
|
mbedtls_rsa_context* rsa_context = mbedtls_pk_rsa(pk_context_);
|
|
|
|
rv = mbedtls_rsa_set_padding(rsa_context, MBEDTLS_RSA_PKCS_V21,
|
|
|
|
MBEDTLS_MD_SHA1);
|
|
|
|
if (rv != 0) {
|
|
|
|
LOG(ERROR) << "RSA public key failed to set padding: "
|
|
|
|
<< mbedtls_strerr(rv);
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
return true;
|
2014-01-06 23:38:39 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
bool RsaPublicKey::Encrypt(const std::string& clear_message,
|
|
|
|
std::string* encrypted_message) {
|
|
|
|
DCHECK(encrypted_message);
|
|
|
|
if (clear_message.empty()) {
|
|
|
|
LOG(ERROR) << "Message to be encrypted is empty.";
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
2022-11-02 15:34:06 +00:00
|
|
|
mbedtls_rsa_context* rsa_context = mbedtls_pk_rsa(pk_context_);
|
|
|
|
|
|
|
|
size_t rsa_size = mbedtls_rsa_get_len(rsa_context);
|
2014-01-06 23:38:39 +00:00
|
|
|
encrypted_message->resize(rsa_size);
|
2022-11-02 15:34:06 +00:00
|
|
|
|
|
|
|
int rv = mbedtls_rsa_rsaes_oaep_encrypt(
|
|
|
|
rsa_context, mbedtls_ctr_drbg_random, &prng_context_,
|
|
|
|
/* label= */ NULL,
|
|
|
|
/* label_len= */ 0, clear_message.size(),
|
|
|
|
reinterpret_cast<const uint8_t*>(clear_message.data()),
|
|
|
|
reinterpret_cast<uint8_t*>(encrypted_message->data()));
|
|
|
|
|
|
|
|
if (rv != 0) {
|
|
|
|
LOG(ERROR) << "RSA public encrypt failure: " << mbedtls_strerr(rv);
|
2014-01-06 23:38:39 +00:00
|
|
|
return false;
|
|
|
|
}
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
bool RsaPublicKey::VerifySignature(const std::string& message,
|
|
|
|
const std::string& signature) {
|
|
|
|
if (message.empty()) {
|
|
|
|
LOG(ERROR) << "Signed message is empty.";
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
2022-11-02 15:34:06 +00:00
|
|
|
mbedtls_rsa_context* rsa_context = mbedtls_pk_rsa(pk_context_);
|
|
|
|
|
|
|
|
size_t rsa_size = mbedtls_rsa_get_len(rsa_context);
|
2014-01-06 23:38:39 +00:00
|
|
|
if (signature.size() != rsa_size) {
|
|
|
|
LOG(ERROR) << "Message signature is of the wrong size (expected "
|
|
|
|
<< rsa_size << ", actual " << signature.size() << ").";
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
2022-11-02 15:34:06 +00:00
|
|
|
// Verify the signature.
|
|
|
|
std::string hash = sha1(message);
|
|
|
|
int rv = mbedtls_rsa_rsassa_pss_verify_ext(
|
|
|
|
rsa_context, MBEDTLS_MD_SHA1, static_cast<unsigned int>(hash.size()),
|
|
|
|
reinterpret_cast<const uint8_t*>(hash.data()), MBEDTLS_MD_SHA1,
|
|
|
|
kPssSaltLength, reinterpret_cast<const uint8_t*>(signature.data()));
|
2014-01-06 23:38:39 +00:00
|
|
|
|
2022-11-02 15:34:06 +00:00
|
|
|
if (rv != 0) {
|
|
|
|
LOG(ERROR) << "RSA signature verification failed: " << mbedtls_strerr(rv);
|
2014-01-06 23:38:39 +00:00
|
|
|
return false;
|
|
|
|
}
|
2022-11-02 15:34:06 +00:00
|
|
|
return true;
|
2014-01-06 23:38:39 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
} // namespace media
|
2016-05-20 21:19:33 +00:00
|
|
|
} // namespace shaka
|