Google Git
Sign in
quiche / quiche / 86c7cec5fa5434b26587a594bbcea3628ac87c74 / . / quiche / blind_sign_auth / anonymous_tokens / cpp / crypto / crypto_utils.cc
blob: f6f70e0220aa0235e3f3c261ed5aa91f0c2ea9b8 [file] [log] [blame]
// Copyright 2023 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include "quiche/blind_sign_auth/anonymous_tokens/cpp/crypto/crypto_utils.h"
#include <stddef.h>
#include <stdint.h>
#include <cstdint>
#include <iterator>
#include <string>
#include <utility>
#include <vector>
#include "absl/status/status.h"
#include "absl/status/statusor.h"
#include "absl/strings/str_cat.h"
#include "absl/strings/string_view.h"
#include "quiche/blind_sign_auth/anonymous_tokens/cpp/crypto/constants.h"
#include "quiche/blind_sign_auth/anonymous_tokens/cpp/shared/status_utils.h"
#include "quiche/blind_sign_auth/anonymous_tokens/proto/anonymous_tokens.pb.h"
#include "openssl/err.h"
#include "openssl/hkdf.h"
#include "openssl/rsa.h"
namespace private_membership {
namespace anonymous_tokens {
namespace internal {
BN_ULONG TOBN(BN_ULONG hi, BN_ULONG lo) {
return ((BN_ULONG)(hi) << 32 | (lo));
}
// Approximation of sqrt(2) taken from
// //depot/google3/third_party/openssl/boringssl/src/crypto/fipsmodule/rsa/rsa_impl.c;l=997
const BN_ULONG kBoringSSLRSASqrtTwo[] = {
TOBN(0x4d7c60a5, 0xe633e3e1), TOBN(0x5fcf8f7b, 0xca3ea33b),
TOBN(0xc246785e, 0x92957023), TOBN(0xf9acce41, 0x797f2805),
TOBN(0xfdfe170f, 0xd3b1f780), TOBN(0xd24f4a76, 0x3facb882),
TOBN(0x18838a2e, 0xaff5f3b2), TOBN(0xc1fcbdde, 0xa2f7dc33),
TOBN(0xdea06241, 0xf7aa81c2), TOBN(0xf6a1be3f, 0xca221307),
TOBN(0x332a5e9f, 0x7bda1ebf), TOBN(0x0104dc01, 0xfe32352f),
TOBN(0xb8cf341b, 0x6f8236c7), TOBN(0x4264dabc, 0xd528b651),
TOBN(0xf4d3a02c, 0xebc93e0c), TOBN(0x81394ab6, 0xd8fd0efd),
TOBN(0xeaa4a089, 0x9040ca4a), TOBN(0xf52f120f, 0x836e582e),
TOBN(0xcb2a6343, 0x31f3c84d), TOBN(0xc6d5a8a3, 0x8bb7e9dc),
TOBN(0x460abc72, 0x2f7c4e33), TOBN(0xcab1bc91, 0x1688458a),
TOBN(0x53059c60, 0x11bc337b), TOBN(0xd2202e87, 0x42af1f4e),
TOBN(0x78048736, 0x3dfa2768), TOBN(0x0f74a85e, 0x439c7b4a),
TOBN(0xa8b1fe6f, 0xdc83db39), TOBN(0x4afc8304, 0x3ab8a2c3),
TOBN(0xed17ac85, 0x83339915), TOBN(0x1d6f60ba, 0x893ba84c),
TOBN(0x597d89b3, 0x754abe9f), TOBN(0xb504f333, 0xf9de6484),
};
const int kBoringSSLRSASqrtTwoLen = 32;
absl::StatusOr<bssl::UniquePtr<BIGNUM>> PublicMetadataHashWithHKDF(
absl::string_view public_metadata, absl::string_view rsa_modulus_str,
size_t out_len_bytes) {
const EVP_MD* evp_md_sha_384 = EVP_sha384();
// Prepend "key" to input.
std::string modified_input = absl::StrCat("key", public_metadata);
std::vector<uint8_t> input_buffer(modified_input.begin(),
modified_input.end());
// Append 0x00 to input.
input_buffer.push_back(0x00);
std::string out_e;
// We set the out_e size beyond out_len_bytes so that out_e bytes are
// indifferentiable from truly random bytes even after truncations.
//
// Expanding to 16 more bytes is sufficient.
// https://cfrg.github.io/draft-irtf-cfrg-hash-to-curve/draft-irtf-cfrg-hash-to-curve.html#name-hashing-to-a-finite-field
const size_t hkdf_output_size = out_len_bytes + 16;
out_e.resize(hkdf_output_size);
// The modulus is used as salt to ensure different outputs for same metadata
// and different modulus.
if (HKDF(reinterpret_cast<uint8_t*>(out_e.data()), hkdf_output_size,
evp_md_sha_384, input_buffer.data(), input_buffer.size(),
reinterpret_cast<const uint8_t*>(rsa_modulus_str.data()),
rsa_modulus_str.size(),
reinterpret_cast<const uint8_t*>(kHkdfPublicMetadataInfo.data()),
kHkdfPublicMetadataInfoSizeInBytes) != kBsslSuccess) {
return absl::InternalError("HKDF failed in public_metadata_crypto_utils");
}
// Truncate out_e to out_len_bytes
out_e.resize(out_len_bytes);
ANON_TOKENS_ASSIGN_OR_RETURN(bssl::UniquePtr<BIGNUM> out,
StringToBignum(out_e));
return out;
}
} // namespace internal
absl::StatusOr<BnCtxPtr> GetAndStartBigNumCtx() {
// Create context to be used in intermediate computation.
BnCtxPtr bn_ctx = BnCtxPtr(BN_CTX_new());
if (!bn_ctx.get()) {
return absl::InternalError("Error generating bignum context.");
}
BN_CTX_start(bn_ctx.get());
return bn_ctx;
}
absl::StatusOr<bssl::UniquePtr<BIGNUM>> NewBigNum() {
bssl::UniquePtr<BIGNUM> bn(BN_new());
if (!bn.get()) {
return absl::InternalError("Error generating bignum.");
}
return bn;
}
absl::StatusOr<std::string> BignumToString(const BIGNUM& big_num,
const size_t output_len) {
std::vector<uint8_t> serialization(output_len);
if (BN_bn2bin_padded(serialization.data(), serialization.size(), &big_num) !=
kBsslSuccess) {
return absl::InternalError(
absl::StrCat("Function BN_bn2bin_padded failed: ", GetSslErrors()));
}
return std::string(std::make_move_iterator(serialization.begin()),
std::make_move_iterator(serialization.end()));
}
absl::StatusOr<bssl::UniquePtr<BIGNUM>> StringToBignum(
const absl::string_view input_str) {
ANON_TOKENS_ASSIGN_OR_RETURN(bssl::UniquePtr<BIGNUM> output, NewBigNum());
if (!BN_bin2bn(reinterpret_cast<const uint8_t*>(input_str.data()),
input_str.size(), output.get())) {
return absl::InternalError(
absl::StrCat("Function BN_bin2bn failed: ", GetSslErrors()));
}
if (!output.get()) {
return absl::InternalError("Function BN_bin2bn failed.");
}
return output;
}
std::string GetSslErrors() {
std::string ret;
ERR_print_errors_cb(
[](const char* str, size_t len, void* ctx) -> int {
static_cast<std::string*>(ctx)->append(str, len);
return 1;
},
&ret);
return ret;
}
std::string MaskMessageConcat(absl::string_view mask,
absl::string_view message) {
return absl::StrCat(mask, message);
}
absl::StatusOr<bssl::UniquePtr<BIGNUM>> GetRsaSqrtTwo(int x) {
// Compute hard-coded sqrt(2).
ANON_TOKENS_ASSIGN_OR_RETURN(bssl::UniquePtr<BIGNUM> sqrt2, NewBigNum());
for (int i = internal::kBoringSSLRSASqrtTwoLen - 1; i >= 0; --i) {
if (BN_add_word(sqrt2.get(), internal::kBoringSSLRSASqrtTwo[i]) != 1) {
return absl::InternalError(absl::StrCat(
"Cannot add word to compute RSA sqrt(2): ", GetSslErrors()));
}
if (i > 0) {
if (BN_lshift(sqrt2.get(), sqrt2.get(), 64) != 1) {
return absl::InternalError(absl::StrCat(
"Cannot shift to compute RSA sqrt(2): ", GetSslErrors()));
}
}
}
// Check that hard-coded result is correct length.
int sqrt2_bits = 64 * internal::kBoringSSLRSASqrtTwoLen;
if (BN_num_bits(sqrt2.get()) != sqrt2_bits) {
return absl::InternalError("RSA sqrt(2) is not correct length.");
}
// Either shift left or right depending on value x.
if (sqrt2_bits > x) {
if (BN_rshift(sqrt2.get(), sqrt2.get(), sqrt2_bits - x) != 1) {
return absl::InternalError(
absl::StrCat("Cannot rshift to compute 2^(x-1/2): ", GetSslErrors()));
}
} else {
// Round up and be pessimistic about minimium factors.
if (BN_add_word(sqrt2.get(), 1) != 1 ||
BN_lshift(sqrt2.get(), sqrt2.get(), x - sqrt2_bits) != 1) {
return absl::InternalError(absl::StrCat(
"Cannot add/lshift to compute 2^(x-1/2): ", GetSslErrors()));
}
}
// Check that 2^(x - 1/2) is correct length.
if (BN_num_bits(sqrt2.get()) != x) {
return absl::InternalError(
"2^(x-1/2) is not correct length after shifting.");
}
return std::move(sqrt2);
}
absl::StatusOr<bssl::UniquePtr<BIGNUM>> ComputePowerOfTwo(int x) {
ANON_TOKENS_ASSIGN_OR_RETURN(bssl::UniquePtr<BIGNUM> ret, NewBigNum());
if (BN_set_bit(ret.get(), x) != 1) {
return absl::InternalError(
absl::StrCat("Unable to set bit to compute 2^x: ", GetSslErrors()));
}
if (!BN_is_pow2(ret.get()) || !BN_is_bit_set(ret.get(), x)) {
return absl::InternalError(absl::StrCat("Unable to compute 2^", x, "."));
}
return ret;
}
absl::StatusOr<std::string> ComputeHash(absl::string_view input,
const EVP_MD& hasher) {
std::string digest;
digest.resize(EVP_MAX_MD_SIZE);
uint32_t digest_length = 0;
if (EVP_Digest(input.data(), input.length(),
reinterpret_cast<uint8_t*>(&digest[0]), &digest_length,
&hasher, /*impl=*/nullptr) != 1) {
return absl::InternalError(absl::StrCat(
"Openssl internal error computing hash: ", GetSslErrors()));
}
digest.resize(digest_length);
return digest;
}
absl::StatusOr<bssl::UniquePtr<RSA>> AnonymousTokensRSAPrivateKeyToRSA(
const RSAPrivateKey& private_key) {
ANON_TOKENS_ASSIGN_OR_RETURN(bssl::UniquePtr<BIGNUM> n,
StringToBignum(private_key.n()));
ANON_TOKENS_ASSIGN_OR_RETURN(bssl::UniquePtr<BIGNUM> e,
StringToBignum(private_key.e()));
ANON_TOKENS_ASSIGN_OR_RETURN(bssl::UniquePtr<BIGNUM> d,
StringToBignum(private_key.d()));
ANON_TOKENS_ASSIGN_OR_RETURN(bssl::UniquePtr<BIGNUM> p,
StringToBignum(private_key.p()));
ANON_TOKENS_ASSIGN_OR_RETURN(bssl::UniquePtr<BIGNUM> q,
StringToBignum(private_key.q()));
ANON_TOKENS_ASSIGN_OR_RETURN(bssl::UniquePtr<BIGNUM> dp,
StringToBignum(private_key.dp()));
ANON_TOKENS_ASSIGN_OR_RETURN(bssl::UniquePtr<BIGNUM> dq,
StringToBignum(private_key.dq()));
ANON_TOKENS_ASSIGN_OR_RETURN(bssl::UniquePtr<BIGNUM> crt,
StringToBignum(private_key.crt()));
bssl::UniquePtr<RSA> rsa_private_key(RSA_new());
// Populate private key.
if (!rsa_private_key.get()) {
return absl::InternalError(
absl::StrCat("RSA_new failed: ", GetSslErrors()));
} else if (RSA_set0_key(rsa_private_key.get(), n.get(), e.get(), d.get()) !=
kBsslSuccess) {
return absl::InternalError(
absl::StrCat("RSA_set0_key failed: ", GetSslErrors()));
} else if (RSA_set0_factors(rsa_private_key.get(), p.get(), q.get()) !=
kBsslSuccess) {
return absl::InternalError(
absl::StrCat("RSA_set0_factors failed: ", GetSslErrors()));
} else if (RSA_set0_crt_params(rsa_private_key.get(), dp.get(), dq.get(),
crt.get()) != kBsslSuccess) {
return absl::InternalError(
absl::StrCat("RSA_set0_crt_params failed: ", GetSslErrors()));
} else {
n.release();
e.release();
d.release();
p.release();
q.release();
dp.release();
dq.release();
crt.release();
}
return std::move(rsa_private_key);
}
absl::StatusOr<bssl::UniquePtr<RSA>> AnonymousTokensRSAPublicKeyToRSA(
const RSAPublicKey& public_key) {
ANON_TOKENS_ASSIGN_OR_RETURN(bssl::UniquePtr<BIGNUM> rsa_modulus,
StringToBignum(public_key.n()));
ANON_TOKENS_ASSIGN_OR_RETURN(bssl::UniquePtr<BIGNUM> rsa_e,
StringToBignum(public_key.e()));
// Convert to OpenSSL RSA.
bssl::UniquePtr<RSA> rsa_public_key(RSA_new());
if (!rsa_public_key.get()) {
return absl::InternalError(
absl::StrCat("RSA_new failed: ", GetSslErrors()));
} else if (RSA_set0_key(rsa_public_key.get(), rsa_modulus.get(), rsa_e.get(),
nullptr) != kBsslSuccess) {
return absl::InternalError(
absl::StrCat("RSA_set0_key failed: ", GetSslErrors()));
}
// RSA_set0_key takes ownership of the pointers under rsa_modulus, new_e on
// success.
rsa_modulus.release();
rsa_e.release();
return rsa_public_key;
}
absl::StatusOr<bssl::UniquePtr<BIGNUM>> ComputeCarmichaelLcm(
const BIGNUM& phi_p, const BIGNUM& phi_q, BN_CTX& bn_ctx) {
// To compute lcm(phi(p), phi(q)), we first compute phi(n) =
// (p-1)(q-1). As n is assumed to be a safe RSA modulus (signing_key is
// assumed to be part of a strong rsa key pair), phi(n) = (p-1)(q-1) =
// (2 phi(p))(2 phi(q)) = 4 * phi(p) * phi(q) where phi(p) and phi(q) are also
// primes. So we get the lcm by outputting phi(n) >> 1 = 2 * phi(p) * phi(q).
ANON_TOKENS_ASSIGN_OR_RETURN(bssl::UniquePtr<BIGNUM> phi_n, NewBigNum());
if (BN_mul(phi_n.get(), &phi_p, &phi_q, &bn_ctx) != 1) {
return absl::InternalError(
absl::StrCat("Unable to compute phi(n): ", GetSslErrors()));
}
ANON_TOKENS_ASSIGN_OR_RETURN(bssl::UniquePtr<BIGNUM> lcm, NewBigNum());
if (BN_rshift1(lcm.get(), phi_n.get()) != 1) {
return absl::InternalError(absl::StrCat(
"Could not compute LCM(phi(p), phi(q)): ", GetSslErrors()));
}
return lcm;
}
absl::StatusOr<bssl::UniquePtr<BIGNUM>> PublicMetadataExponent(
const BIGNUM& n, absl::string_view public_metadata) {
// Check modulus length.
if (BN_num_bits(&n) % 2 == 1) {
return absl::InvalidArgumentError(
"Strong RSA modulus should be even length.");
}
int modulus_bytes = BN_num_bytes(&n);
// The integer modulus_bytes is expected to be a power of 2.
int prime_bytes = modulus_bytes / 2;
ANON_TOKENS_ASSIGN_OR_RETURN(std::string rsa_modulus_str,
BignumToString(n, modulus_bytes));
// Get HKDF output of length prime_bytes.
ANON_TOKENS_ASSIGN_OR_RETURN(
bssl::UniquePtr<BIGNUM> exponent,
internal::PublicMetadataHashWithHKDF(public_metadata, rsa_modulus_str,
prime_bytes));
// We need to generate random odd exponents < 2^(primes_bits - 2) where
// prime_bits = prime_bytes * 8. This will guarantee that the resulting
// exponent is coprime to phi(N) = 4p'q' as 2^(prime_bits - 2) < p', q' <
// 2^(prime_bits - 1).
//
// To do this, we can truncate the HKDF output (exponent) which is prime_bits
// long, to prime_bits - 2, by clearing its top two bits. We then set the
// least significant bit to 1. This way the final exponent will be less than
// 2^(primes_bits - 2) and will always be odd.
if (BN_clear_bit(exponent.get(), (prime_bytes * 8) - 1) != kBsslSuccess ||
BN_clear_bit(exponent.get(), (prime_bytes * 8) - 2) != kBsslSuccess ||
BN_set_bit(exponent.get(), 0) != kBsslSuccess) {
return absl::InvalidArgumentError(absl::StrCat(
"Could not clear the two most significant bits and set the least "
"significant bit to zero: ",
GetSslErrors()));
}
// Check that exponent is small enough to ensure it is coprime to phi(n).
if (BN_num_bits(exponent.get()) >= (8 * prime_bytes - 1)) {
return absl::InternalError("Generated exponent is too large.");
}
return exponent;
}
absl::StatusOr<bssl::UniquePtr<BIGNUM>> ComputeFinalExponentUnderPublicMetadata(
const BIGNUM& n, const BIGNUM& e, absl::string_view public_metadata) {
ANON_TOKENS_ASSIGN_OR_RETURN(bssl::UniquePtr<BIGNUM> md_exp,
PublicMetadataExponent(n, public_metadata));
ANON_TOKENS_ASSIGN_OR_RETURN(BnCtxPtr bn_ctx, GetAndStartBigNumCtx());
// new_e=e*md_exp
ANON_TOKENS_ASSIGN_OR_RETURN(bssl::UniquePtr<BIGNUM> new_e, NewBigNum());
if (BN_mul(new_e.get(), md_exp.get(), &e, bn_ctx.get()) != kBsslSuccess) {
return absl::InternalError(
absl::StrCat("Unable to multiply e with md_exp: ", GetSslErrors()));
}
return new_e;
}
} // namespace anonymous_tokens
} // namespace private_membership