module Codec.Crypto.RSA.Pure(
RSAError(..)
, HashInfo(..)
, PrivateKey(..)
, PublicKey(..)
, generateKeyPair
, encrypt
, encryptOAEP
, encryptPKCS
, decrypt
, decryptOAEP
, decryptPKCS
, sign
, verify
, MGF
, generateMGF1
, rsaes_oaep_encrypt
, rsaes_oaep_decrypt
, rsaes_pkcs1_v1_5_encrypt
, rsaes_pkcs1_v1_5_decrypt
, rsassa_pkcs1_v1_5_sign
, rsassa_pkcs1_v1_5_verify
, hashMD5, hashSHA1
, hashSHA224, hashSHA256, hashSHA384, hashSHA512
, largeRandomPrime
, generatePQ
, chunkify
, os2ip, i2osp
, rsa_dp, rsa_ep
, rsa_vp1, rsa_sp1
, modular_inverse
, modular_exponentiation
, randomBS, randomNZBS
)
where
import Control.Exception
import Control.Monad
import Crypto.Random
import Crypto.Types.PubKey.RSA
import Data.Binary
import Data.Binary.Get
import Data.Binary.Put
import Data.Bits
import Data.ByteString.Lazy(ByteString)
import qualified Data.ByteString.Lazy as BS
import qualified Data.Digest.Pure.MD5 as MD5
import Data.Digest.Pure.SHA
import Data.Int
import Data.Typeable
data RSAError = RSAError String
| RSAKeySizeTooSmall
| RSAIntegerTooLargeToPack
| RSAMessageRepOutOfRange
| RSACipherRepOutOfRange
| RSAMessageTooShort
| RSAMessageTooLong
| RSAMaskTooLong
| RSAIncorrectSigSize
| RSAIncorrectMsgSize
| RSADecryptionError
| RSAGenError GenError
deriving (Show, Typeable)
instance Exception RSAError
data HashInfo = HashInfo {
algorithmIdent :: ByteString
, hashFunction :: ByteString -> ByteString
}
instance Show SystemRandom where
show _ = "SystemRandom"
class RSAKey a where
genKeySize :: a -> Int
instance RSAKey PublicKey where
genKeySize = public_size
instance RSAKey PrivateKey where
genKeySize = private_size
instance Binary PublicKey where
put pk = do sizeBS <- failOnError (i2osp (public_size pk) 8)
nBS <- failOnError (i2osp (public_n pk) (public_size pk))
putLazyByteString sizeBS
putLazyByteString nBS
get = do len <- (fromIntegral . os2ip) `fmap` getLazyByteString 8
n <- os2ip `fmap` getLazyByteString len
return (PublicKey (fromIntegral len) n 65537)
instance Binary PrivateKey where
put pk = do put (private_pub pk)
dBS <- failOnError (i2osp (private_d pk) (public_size (private_pub pk)))
putLazyByteString dBS
get = do pub <- get
d <- os2ip `fmap` getLazyByteString (fromIntegral (public_size pub))
return (PrivateKey pub d 0 0 0 0 0)
failOnError :: (Monad m, Show a) => Either a b -> m b
failOnError (Left e) = fail (show e)
failOnError (Right b) = return b
generateKeyPair :: CryptoRandomGen g =>
g -> Int ->
Either RSAError (PublicKey, PrivateKey, g)
generateKeyPair g sizeBits = do
let keyLength = fromIntegral (sizeBits `div` 8)
(p, q, g') <- generatePQ g keyLength
let n = p * q
phi = (p 1) * (q 1)
e = 65537
d = modular_inverse e phi
let publicKey = PublicKey keyLength n e
privateKey = PrivateKey publicKey d p q 0 0 0
return (publicKey, privateKey, g')
sign :: PrivateKey -> ByteString -> Either RSAError ByteString
sign = rsassa_pkcs1_v1_5_sign hashSHA256
verify :: PublicKey ->
ByteString ->
ByteString ->
Either RSAError Bool
verify = rsassa_pkcs1_v1_5_verify hashSHA256
encrypt :: CryptoRandomGen g =>
g -> PublicKey -> ByteString ->
Either RSAError (ByteString, g)
encrypt g k m = encryptOAEP g sha256' (generateMGF1 sha256') BS.empty k m
where sha256' = bytestringDigest . sha256
encryptOAEP :: CryptoRandomGen g =>
g ->
(ByteString -> ByteString) ->
MGF ->
ByteString ->
PublicKey ->
ByteString ->
Either RSAError (ByteString, g)
encryptOAEP g hash mgf l k m =
do unless ((keySize (2 * hashLength) 2) > 0) $ Left RSAKeySizeTooSmall
let chunks = chunkBSForOAEP k hash m
(chunks', g') <- mapM' g chunks (\ x -> rsaes_oaep_encrypt x hash mgf k l)
return (BS.concat chunks', g')
where
keySize = public_size k
hashLength = fromIntegral (BS.length (hash BS.empty))
encryptPKCS :: CryptoRandomGen g =>
g -> PublicKey -> ByteString ->
Either RSAError (ByteString, g)
encryptPKCS g k m =
do let chunks = chunkBSForPKCS k m
(chunks', g') <- mapM' g chunks (\ x -> rsaes_pkcs1_v1_5_encrypt x k)
return (BS.concat chunks', g')
mapM' :: CryptoRandomGen g =>
g -> [ByteString] ->
(g -> ByteString -> Either RSAError (ByteString, g)) ->
Either RSAError ([ByteString], g)
mapM' g [] _ = Right ([], g)
mapM' g (x:rest) f =
do (x', g') <- f g x
(rest', g'') <- mapM' g' rest f
return (x':rest', g'')
decrypt :: PrivateKey -> ByteString -> Either RSAError ByteString
decrypt k m = decryptOAEP sha256' (generateMGF1 sha256') BS.empty k m
where sha256' = bytestringDigest . sha256
decryptOAEP :: (ByteString -> ByteString) ->
MGF ->
ByteString ->
PrivateKey ->
ByteString ->
Either RSAError ByteString
decryptOAEP hash mgf l k m =
do let chunks = chunkify m (fromIntegral (private_size k))
chunks' <- forM chunks (rsaes_oaep_decrypt hash mgf k l)
return (BS.concat chunks')
decryptPKCS :: PrivateKey -> ByteString -> Either RSAError ByteString
decryptPKCS k m =
do let chunks = chunkify m (fromIntegral (private_size k))
chunks' <- forM chunks (rsaes_pkcs1_v1_5_decrypt k)
return (BS.concat chunks')
chunkBSForOAEP :: RSAKey k =>
k ->
(ByteString -> ByteString) ->
ByteString ->
[ByteString]
chunkBSForOAEP k hash bs = chunkify bs chunkSize
where
chunkSize = fromIntegral (genKeySize k) (2 * hashLen) 2
hashLen = BS.length (hash BS.empty)
chunkBSForPKCS :: RSAKey k => k -> ByteString -> [ByteString]
chunkBSForPKCS k bstr = chunkify bstr (fromIntegral (genKeySize k) 11)
chunkify :: ByteString -> Int64 -> [ByteString]
chunkify bs size
| BS.length bs == 0 = []
| otherwise = let (start, end) = BS.splitAt size bs
in start : chunkify end size
rsaes_oaep_encrypt :: CryptoRandomGen g =>
g ->
(ByteString->ByteString) ->
MGF ->
PublicKey ->
ByteString ->
ByteString ->
Either RSAError (ByteString, g)
rsaes_oaep_encrypt g hash mgf k l m =
do let hashLength = fromIntegral (BS.length (hash BS.empty))
keySize = public_size k
msgLength = fromIntegral (BS.length m)
when (msgLength > (keySize (2 * hashLength) 2)) $
Left RSAMessageTooLong
let lHash = hash l
let zeros = BS.repeat 0
numZeros = keySize msgLength (2 * hashLength) 2
ps = BS.take (fromIntegral numZeros) zeros
let db = BS.concat [lHash, ps, BS.singleton 1, m]
(seed, g') <- randomBS g hashLength
dbMask <- mgf seed (fromIntegral (keySize hashLength 1))
let maskedDB = db `xorBS` dbMask
seedMask <- mgf maskedDB (fromIntegral hashLength)
let maskedSeed = seed `xorBS` seedMask
let em = BS.concat [BS.singleton 0, maskedSeed, maskedDB]
let m_i = os2ip em
c_i <- rsa_ep (public_n k) (public_e k) m_i
c <- i2osp c_i (public_size k)
return (c, g')
rsaes_oaep_decrypt :: (ByteString->ByteString) ->
MGF ->
PrivateKey ->
ByteString ->
ByteString ->
Either RSAError ByteString
rsaes_oaep_decrypt hash mgf k l c =
do let hashLength = BS.length (hash BS.empty)
keySize = private_size k
unless (BS.length c == fromIntegral keySize) $
Left RSADecryptionError
unless (fromIntegral keySize >= ((2 * hashLength) + 2)) $
Left RSADecryptionError
let c_ip = os2ip c
m_ip <- rsa_dp (private_n k) (private_d k) c_ip
em <- i2osp m_ip keySize
let lHash = hash l
let (y, seed_db) = BS.splitAt 1 em
(maskedSeed, maskedDB) = BS.splitAt (fromIntegral hashLength) seed_db
seedMask <- mgf maskedDB hashLength
let seed = maskedSeed `xorBS` seedMask
dbMask <- mgf seed (fromIntegral keySize hashLength 1)
let db = maskedDB `xorBS` dbMask
let (lHash', ps_o_m) = BS.splitAt hashLength db
(ps, o_m) = BS.span (== 0) ps_o_m
(o, m) = BS.splitAt 1 o_m
unless (BS.unpack o == [1]) $ Left RSADecryptionError
unless (lHash' == lHash) $ Left RSADecryptionError
unless (BS.unpack y == [0]) $ Left RSADecryptionError
unless (BS.all (== 0) ps) $ Left RSADecryptionError
return m
rsaes_pkcs1_v1_5_encrypt :: CryptoRandomGen g =>
g ->
PublicKey ->
ByteString ->
Either RSAError (ByteString, g)
rsaes_pkcs1_v1_5_encrypt g k m =
do unless (fromIntegral (BS.length m) <= (public_size k 11)) $
Left RSAIncorrectMsgSize
(ps, g') <- randomNZBS g (public_size k fromIntegral (BS.length m) 3)
let em = BS.concat [BS.singleton 0, BS.singleton 2, ps, BS.singleton 0, m]
let m' = os2ip em
c_i <- rsa_ep (public_n k) (public_e k) m'
res <- i2osp c_i (fromIntegral (public_size k))
return (res, g')
rsaes_pkcs1_v1_5_decrypt :: PrivateKey -> ByteString ->
Either RSAError ByteString
rsaes_pkcs1_v1_5_decrypt k c =
do unless (fromIntegral (BS.length c) == private_size k) $
Left RSAIncorrectMsgSize
let c_i = os2ip c
m_i <- rsa_dp (private_n k) (private_d k) c_i
em <- i2osp m_i (private_size k)
let (zt, ps_z_m) = BS.splitAt 2 em
(ps, z_m) = BS.span (/= 0) ps_z_m
(z, m) = BS.splitAt 1 z_m
when (BS.unpack zt /= [0,2]) $ Left RSADecryptionError
when (BS.unpack z /= [0]) $ Left RSADecryptionError
when (BS.length ps < 8 ) $ Left RSADecryptionError
return m
rsassa_pkcs1_v1_5_sign :: HashInfo ->
PrivateKey ->
ByteString ->
Either RSAError ByteString
rsassa_pkcs1_v1_5_sign hi k m =
do em <- emsa_pkcs1_v1_5_encode hi m (private_size k)
let m_i = os2ip em
s <- rsa_sp1 (private_n k) (private_d k) m_i
sig <- i2osp s (private_size k)
return sig
rsassa_pkcs1_v1_5_verify :: HashInfo ->
PublicKey ->
ByteString ->
ByteString ->
Either RSAError Bool
rsassa_pkcs1_v1_5_verify hi k m s
| BS.length s /= fromIntegral (public_size k) = Left RSAIncorrectSigSize
| otherwise =
do let s_i = os2ip s
m_i <- rsa_vp1 (public_n k) (public_e k) s_i
em <- i2osp m_i (public_size k)
em' <- emsa_pkcs1_v1_5_encode hi m (public_size k)
return (em == em')
type MGF = ByteString -> Int64 -> Either RSAError ByteString
generateMGF1 :: (ByteString -> ByteString) -> MGF
generateMGF1 hash mgfSeed maskLen
| BS.length mgfSeed > ((2 ^ (32::Integer)) * hLen) = Left RSAMaskTooLong
| otherwise = loop BS.empty 0
where
hLen = BS.length (hash BS.empty)
endCounter = (maskLen `divCeil` hLen) 1
loop t counter
| counter > endCounter = Right (BS.take maskLen t)
| otherwise = do c <- i2osp counter 4
let bs = mgfSeed `BS.append` c
t' = t `BS.append` hash bs
loop t' (counter + 1)
i2osp :: Integral a => a -> Int -> Either RSAError ByteString
i2osp x len | isTooLarge = Left RSAIntegerTooLargeToPack
| otherwise = Right (padding `BS.append` digits)
where
isTooLarge = (fromIntegral x :: Integer) >=
(256 ^ (fromIntegral len :: Integer))
padding = BS.replicate (fromIntegral len BS.length digits) 0
digits = BS.reverse (BS.unfoldr digitize x)
digitize 0 = Nothing
digitize v = let (q, r) = divMod v 256
in Just (fromIntegral r, q)
os2ip :: ByteString -> Integer
os2ip = BS.foldl (\ a b -> (256 * a) + (fromIntegral b)) 0
rsa_ep :: Integer -> Integer -> Integer -> Either RSAError Integer
rsa_ep n _ m | (m < 0) || (m >= n) = Left RSAMessageRepOutOfRange
rsa_ep n e m = Right (modular_exponentiation m e n)
rsa_dp :: Integer -> Integer -> Integer -> Either RSAError Integer
rsa_dp n _ c | (c < 0) || (c >= n) = Left RSACipherRepOutOfRange
rsa_dp n d c = Right (modular_exponentiation c d n)
rsa_sp1 :: Integer -> Integer -> Integer -> Either RSAError Integer
rsa_sp1 n _ m | (m < 0) || (m >= n) = Left RSAMessageRepOutOfRange
rsa_sp1 n d m = Right (modular_exponentiation m d n)
rsa_vp1 :: Integer -> Integer -> Integer -> Either RSAError Integer
rsa_vp1 n _ s | (s < 0) || (s >= n) = Left RSACipherRepOutOfRange
rsa_vp1 n e s = Right (modular_exponentiation s e n)
emsa_pkcs1_v1_5_encode :: HashInfo -> ByteString -> Int ->
Either RSAError ByteString
emsa_pkcs1_v1_5_encode (HashInfo ident hash) m emLen
| fromIntegral emLen < (tLen + 1) = Left RSAMessageTooShort
| otherwise = Right em
where
h = hash m
t = ident `BS.append` h
tLen = BS.length t
ps = BS.replicate (fromIntegral emLen tLen 3) 0xFF
em = BS.concat [BS.singleton 0x00,BS.singleton 0x01,ps,BS.singleton 0x00,t]
xorBS :: ByteString -> ByteString -> ByteString
xorBS a b = BS.pack (BS.zipWith xor a b)
divCeil :: Integral a => a -> a -> a
divCeil a b = let (q, r) = divMod a b
in if r /= 0 then (q + 1) else q
generatePQ :: CryptoRandomGen g =>
g ->
Int ->
Either RSAError (Integer, Integer, g)
generatePQ g len
| len < 2 = Left RSAKeySizeTooSmall
| otherwise = do (baseP, g') <- largeRandomPrime g (len `div` 2)
(baseQ, g'') <- largeRandomPrime g' (len (len `div` 2))
case () of
() | baseP == baseQ -> generatePQ g'' len
| baseP < baseQ -> return (baseQ, baseP, g'')
| otherwise -> return (baseP, baseQ, g'')
largeRandomPrime :: CryptoRandomGen g =>
g -> Int ->
Either RSAError (Integer, g)
largeRandomPrime g len =
do (h_t, g') <- randomBS g 2
let [startH, startT] = BS.unpack h_t
(startMids, g'') <- randomBS g' (len 2)
let bstr = BS.concat [BS.singleton (startH .|. 0xc0),
startMids, BS.singleton (startT .|. 1)]
findNextPrime g'' (os2ip bstr)
randomBS :: CryptoRandomGen g => g -> Int -> Either RSAError (ByteString, g)
randomBS g n =
case genBytes n g of
Left e -> Left (RSAGenError e)
Right (bs, g') -> Right (BS.fromChunks [bs], g')
randomNZBS :: CryptoRandomGen g => g -> Int -> Either RSAError (ByteString, g)
randomNZBS gen 0 = return (BS.empty, gen)
randomNZBS gen size =
do (bstr, gen') <- randomBS gen size
let nzbstr = BS.filter (/= 0) bstr
(rest, gen'') <- randomNZBS gen' (size fromIntegral (BS.length nzbstr))
return (nzbstr `BS.append` rest, gen'')
findNextPrime :: CryptoRandomGen g =>
g -> Integer ->
Either RSAError (Integer, g)
findNextPrime g n
| even n = findNextPrime g (n + 1)
| n `mod` 65537 == 1 = findNextPrime g (n + 2)
| otherwise = case isProbablyPrime g n of
Left e -> Left e
Right (True, g') -> Right (n, g')
Right (False, g') -> findNextPrime g' (n + 2)
isProbablyPrime :: CryptoRandomGen g =>
g ->
Integer ->
Either RSAError (Bool, g)
isProbablyPrime g n
| n < 541 = Right (n `elem` small_primes, g)
| any (\ x -> n `mod` x == 0) small_primes = Right (False, g)
| otherwise = millerRabin g n 100
small_primes :: [Integer]
small_primes = [
2, 3, 5, 7, 11, 13, 17, 19, 23, 29,
31, 37, 41, 43, 47, 53, 59, 61, 67, 71,
73, 79, 83, 89, 97, 101, 103, 107, 109, 113,
127, 131, 137, 139, 149, 151, 157, 163, 167, 173,
179, 181, 191, 193, 197, 199, 211, 223, 227, 229,
233, 239, 241, 251, 257, 263, 269, 271, 277, 281,
283, 293, 307, 311, 313, 317, 331, 337, 347, 349,
353, 359, 367, 373, 379, 383, 389, 397, 401, 409,
419, 421, 431, 433, 439, 443, 449, 457, 461, 463,
467, 479, 487, 491, 499, 503, 509, 521, 523, 541,
547, 557, 563, 569, 571, 577, 587, 593, 599, 601,
607, 613, 617, 619, 631, 641, 643, 647, 653, 659,
661, 673, 677, 683, 691, 701, 709, 719, 727, 733,
739, 743, 751, 757, 761, 769, 773, 787, 797, 809,
811, 821, 823, 827, 829, 839, 853, 857, 859, 863,
877, 881, 883, 887, 907, 911, 919, 929, 937, 941,
947, 953, 967, 971, 977, 983, 991, 997, 1009, 1013,
1019, 1021, 1031, 1033, 1039, 1049, 1051, 1061, 1063, 1069,
1087, 1091, 1093, 1097, 1103, 1109, 1117, 1123, 1129, 1151,
1153, 1163, 1171, 1181, 1187, 1193, 1201, 1213, 1217, 1223
]
millerRabin :: CryptoRandomGen g =>
g ->
Integer ->
Int ->
Either RSAError (Bool, g)
millerRabin g n k
| n <= 0 = Left (RSAError "Primality test on negative number or 0.")
| n == 1 = Right (False, g)
| n == 2 = Right (True, g)
| n == 3 = Right (True, g)
| otherwise =
let (s, d) = oddify 0 (n 1)
in checkLoop g s d k
where
generateSize = bitsize (n 2) 8 `div` 8
checkLoop :: CryptoRandomGen g =>
g -> Integer -> Integer -> Int ->
Either RSAError (Bool, g)
checkLoop g' _ _ 0 = Right (True, g')
checkLoop g' s d c =
case genBytes generateSize g' of
Left e -> Left (RSAGenError e)
Right (bstr, g'') ->
let a = os2ip (BS.fromStrict bstr)
x = modular_exponentiation a d n
in if | (a < 2) -> checkLoop g'' s d c
| (a > (n 2)) -> checkLoop g'' s d c
| x == 1 -> checkLoop g'' s d (c 1)
| x == (n 1) -> checkLoop g'' s d (c 1)
| otherwise -> checkWitnesses g'' s d x c (s 1)
checkWitnesses g'' _ _ _ _ 0 = Right (False, g'')
checkWitnesses g'' s d x c1 c2 =
case (x * x) `mod` n of
1 -> Right (False, g'')
y | y == (n 1) -> checkLoop g'' s d (c1 1)
_ -> checkWitnesses g'' s d x c1 (c2 1)
oddify s x | testBit x 0 = (s, x)
| otherwise = oddify (s + 1) (x `shiftR` 1)
bitsize v x | (1 `shiftL` x) > v = x
| otherwise = bitsize v (x + 8)
modular_exponentiation :: Integer -> Integer -> Integer -> Integer
modular_exponentiation x y m = m_e_loop x y 1
where
m_e_loop _ 0 result = result
m_e_loop b e result = m_e_loop b' e' result'
where
b' = (b * b) `mod` m
e' = e `shiftR` 1
result' = if testBit e 0 then (result * b) `mod` m else result
modular_inverse :: Integer ->
Integer ->
Integer
modular_inverse e phi = x `mod` phi
where (_, x, _) = extended_euclidean e phi
extended_euclidean :: Integer -> Integer -> (Integer, Integer, Integer)
extended_euclidean a b | d < 0 = (d, x, y)
| otherwise = (d, x, y)
where
(d, x, y) = egcd a b
egcd :: Integer -> Integer -> (Integer, Integer, Integer)
egcd 0 b = (b, 0, 1)
egcd a b = let (g, y, x) = egcd (b `mod` a) a
in (g, x ((b `div` a) * y), y)
hashMD5 :: HashInfo
hashMD5 = HashInfo {
algorithmIdent = BS.pack [0x30,0x20,0x30,0x0c,0x06,0x08,0x2a,0x86,0x48,
0x86,0xf7,0x0d,0x02,0x05,0x05,0x00,0x04,0x10]
, hashFunction = encode . MD5.md5
}
hashSHA1 :: HashInfo
hashSHA1 = HashInfo {
algorithmIdent = BS.pack [0x30,0x21,0x30,0x09,0x06,0x05,0x2b,0x0e,0x03,
0x02,0x1a,0x05,0x00,0x04,0x14]
, hashFunction = bytestringDigest . sha1
}
hashSHA224 :: HashInfo
hashSHA224 = HashInfo {
algorithmIdent = BS.pack [0x30,0x2d,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,
0x01,0x65,0x03,0x04,0x02,0x04,0x05,0x00,0x04,
0x1c]
, hashFunction = bytestringDigest . sha224
}
hashSHA256 :: HashInfo
hashSHA256 = HashInfo {
algorithmIdent = BS.pack [0x30,0x31,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,
0x01,0x65,0x03,0x04,0x02,0x01,0x05,0x00,0x04,
0x20]
, hashFunction = bytestringDigest . sha256
}
hashSHA384 :: HashInfo
hashSHA384 = HashInfo {
algorithmIdent = BS.pack [0x30,0x41,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,
0x01,0x65,0x03,0x04,0x02,0x02,0x05,0x00,0x04,
0x30]
, hashFunction = bytestringDigest . sha384
}
hashSHA512 :: HashInfo
hashSHA512 = HashInfo {
algorithmIdent = BS.pack [0x30,0x51,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,
0x01,0x65,0x03,0x04,0x02,0x03,0x05,0x00,0x04,
0x40]
, hashFunction = bytestringDigest . sha512
}