/usr/lib/swi-prolog/library/crypto.pl is in swi-prolog-nox 7.6.4+dfsg-1build1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825 826 827 828 829 830 831 832 833 834 835 836 837 838 839 840 841 842 843 844 845 846 847 848 849 850 851 852 853 854 855 856 857 858 859 860 861 862 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877 878 879 880 881 882 883 884 885 886 887 888 889 890 891 892 893 894 895 896 897 898 899 900 901 902 903 904 905 906 907 908 909 910 911 912 913 914 915 916 917 918 919 920 921 922 923 924 925 926 927 928 929 930 931 932 933 934 935 936 937 938 939 940 941 942 943 944 945 946 947 948 949 950 951 952 953 954 955 956 957 958 959 960 961 962 963 964 965 966 967 968 969 970 971 972 973 974 975 976 977 978 979 980 981 982 983 984 985 986 987 988 | /* Part of SWI-Prolog
Author: Markus Triska and Matt Lilley
WWW: http://www.swi-prolog.org
Copyright (c) 2004-2017, SWI-Prolog Foundation
VU University Amsterdam
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in
the documentation and/or other materials provided with the
distribution.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
*/
:- module(crypto,
[ crypto_n_random_bytes/2, % +N, -Bytes
crypto_data_hash/3, % +Data, -Hash, +Options
crypto_file_hash/3, % +File, -Hash, +Options
crypto_context_new/2, % -Context, +Options
crypto_data_context/3, % +Data, +C0, -C
crypto_context_hash/2, % +Context, -Hash
crypto_open_hash_stream/3, % +InStream, -HashStream, +Options
crypto_stream_hash/2, % +HashStream, -Hash
crypto_password_hash/2, % +Password, ?Hash
crypto_password_hash/3, % +Password, ?Hash, +Options
crypto_data_hkdf/4, % +Data, +Length, -Bytes, +Options
ecdsa_sign/4, % +Key, +Data, -Signature, +Options
ecdsa_verify/4, % +Key, +Data, +Signature, +Options
crypto_data_decrypt/6, % +CipherText, +Algorithm, +Key, +IV, -PlainText, +Options
crypto_data_encrypt/6, % +PlainText, +Algorithm, +Key, +IV, -CipherText, +Options
hex_bytes/2, % ?Hex, ?List
rsa_private_decrypt/4, % +Key, +Ciphertext, -Plaintext, +Enc
rsa_private_encrypt/4, % +Key, +Plaintext, -Ciphertext, +Enc
rsa_public_decrypt/4, % +Key, +Ciphertext, -Plaintext, +Enc
rsa_public_encrypt/4, % +Key, +Plaintext, -Ciphertext, +Enc
rsa_sign/4, % +Key, +Data, -Signature, +Options
rsa_verify/4, % +Key, +Data, +Signature, +Options
crypto_modular_inverse/3, % +X, +M, -Y
crypto_generate_prime/3, % +N, -P, +Options
crypto_is_prime/2, % +P, +Options
crypto_name_curve/2, % +Name, -Curve
crypto_curve_order/2, % +Curve, -Order
crypto_curve_generator/2, % +Curve, -Generator
crypto_curve_scalar_mult/4 % +Curve, +Scalar, +Point, -Result
]).
:- use_module(library(option)).
:- use_foreign_library(foreign(crypto4pl)).
/** <module> Cryptography and authentication library
This library provides bindings to functionality of OpenSSL that is
related to cryptography and authentication, not necessarily involving
connections, sockets or streams.
The hash functionality of this library subsumes and extends that of
`library(sha)`, `library(hash_stream)` and `library(md5)` by providing a
unified interface to all available digest algorithms.
The underlying OpenSSL library (`libcrypto`) is dynamically loaded if
_either_ `library(crypto)` or `library(ssl)` are loaded. Therefore, if
your application uses `library(ssl)`, you can use `library(crypto)` for
hashing without increasing the memory footprint of your application. In
other cases, the specialised hashing libraries are more lightweight but
less general alternatives to `library(crypto)`.
@author [Markus Triska](https://www.metalevel.at)
@author Matt Lilley
*/
%% crypto_n_random_bytes(+N, -Bytes) is det
%
% Bytes is unified with a list of N cryptographically secure
% pseudo-random bytes. Each byte is an integer between 0 and 255. If
% the internal pseudo-random number generator (PRNG) has not been
% seeded with enough entropy to ensure an unpredictable byte
% sequence, an exception is thrown.
%
% One way to relate such a list of bytes to an _integer_ is to use
% CLP(FD) constraints as follows:
%
% ==
% :- use_module(library(clpfd)).
%
% bytes_integer(Bs, N) :-
% foldl(pow, Bs, 0-0, N-_).
%
% pow(B, N0-I0, N-I) :-
% B in 0..255,
% N #= N0 + B*256^I0,
% I #= I0 + 1.
% ==
%
% With this definition, you can generate a random 256-bit integer
% _from_ a list of 32 random _bytes_:
%
% ==
% ?- crypto_n_random_bytes(32, Bs),
% bytes_integer(Bs, I).
% Bs = [98, 9, 35, 100, 126, 174, 48, 176, 246|...],
% I = 109798276762338328820827...(53 digits omitted).
% ==
%
% The above relation also works in the other direction, letting you
% translate an integer _to_ a list of bytes. In addition, you can
% use hex_bytes/2 to convert bytes to _tokens_ that can be easily
% exchanged in your applications. This also works if you have
% compiled SWI-Prolog without support for large integers.
/* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
SHA256 is the current default for several hash-related predicates.
It is deemed sufficiently secure for the foreseeable future. Yet,
application programmers must be aware that the default may change in
future versions. The hash predicates all yield the algorithm they
used if a Prolog variable is used for the pertaining option.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - */
default_hash(sha256).
functor_hash_options(F, Hash, Options0, [Option|Options]) :-
Option =.. [F,Hash],
( select(Option, Options0, Options) ->
( var(Hash) ->
default_hash(Hash)
; must_be(atom, Hash)
)
; Options = Options0,
default_hash(Hash)
).
%% crypto_data_hash(+Data, -Hash, +Options) is det
%
% Hash is the hash of Data. The conversion is controlled
% by Options:
%
% * algorithm(+Algorithm)
% One of =md5= (_insecure_), =sha1= (_insecure_), =ripemd160=,
% =sha224=, =sha256=, =sha384=, =sha512=, =sha3_224=, =sha3_256=,
% =sha3_384=, =sha3_512=, =blake2s256= or =blake2b512=. The BLAKE
% digest algorithms require OpenSSL 1.1.0 or greater, and the SHA-3
% algorithms require OpenSSL 1.1.1 or greater. The default is a
% cryptographically secure algorithm. If you specify a variable,
% then that variable is unified with the algorithm that was used.
% * encoding(+Encoding)
% If Data is a sequence of character _codes_, this must be
% translated into a sequence of _bytes_, because that is what
% the hashing requires. The default encoding is =utf8=. The
% other meaningful value is =octet=, claiming that Data contains
% raw bytes.
% * hmac(+Key)
% If this option is specified, a _hash-based message authentication
% code_ (HMAC) is computed, using the specified Key which is either
% an atom, string or list of _bytes_. Any of the available digest
% algorithms can be used with this option. The cryptographic
% strength of the HMAC depends on that of the chosen algorithm and
% also on the key. This option requires OpenSSL 1.1.0 or greater.
%
% @param Data is either an atom, string or code-list
% @param Hash is an atom that represents the hash in hexadecimal encoding.
%
% @see hex_bytes/2 for conversion between hexadecimal encoding and
% lists of bytes.
% @see crypto_password_hash/2 for the important use case of passwords.
crypto_data_hash(Data, Hash, Options) :-
crypto_context_new(Context0, Options),
crypto_data_context(Data, Context0, Context),
crypto_context_hash(Context, Hash).
%! crypto_file_hash(+File, -Hash, +Options) is det.
%
% True if Hash is the hash of the content of File. For Options,
% see crypto_data_hash/3.
crypto_file_hash(File, Hash, Options) :-
setup_call_cleanup(open(File, read, In, [type(binary)]),
crypto_stream_hash(In, Hash, Options),
close(In)).
crypto_stream_hash(Stream, Hash, Options) :-
crypto_context_new(Context0, Options),
update_hash(Stream, Context0, Context),
crypto_context_hash(Context, Hash).
update_hash(In, Context0, Context) :-
( at_end_of_stream(In)
-> Context = Context0
; read_pending_codes(In, Data, []),
crypto_data_context(Data, Context0, Context1),
update_hash(In, Context1, Context)
).
%! crypto_context_new(-Context, +Options) is det.
%
% Context is unified with the empty context, taking into account
% Options. The context can be used in crypto_data_context/3. For
% Options, see crypto_data_hash/3.
%
% @param Context is an opaque pure Prolog term that is subject to
% garbage collection.
crypto_context_new(Context, Options0) :-
functor_hash_options(algorithm, _, Options0, Options),
'_crypto_context_new'(Context, Options).
%! crypto_data_context(+Data, +Context0, -Context) is det
%
% Context0 is an existing computation context, and Context is the
% new context after hashing Data in addition to the previously
% hashed data. Context0 may be produced by a prior invocation of
% either crypto_context_new/2 or crypto_data_context/3 itself.
%
% This predicate allows a hash to be computed in chunks, which may
% be important while working with Metalink (RFC 5854), BitTorrent
% or similar technologies, or simply with big files.
crypto_data_context(Data, Context0, Context) :-
'_crypto_hash_context_copy'(Context0, Context),
'_crypto_update_hash_context'(Data, Context).
%! crypto_context_hash(+Context, -Hash)
%
% Obtain the hash code of Context. Hash is an atom representing
% the hash code that is associated with the current state of the
% computation context Context.
crypto_context_hash(Context, Hash) :-
'_crypto_hash_context_copy'(Context, Copy),
'_crypto_hash_context_hash'(Copy, List),
hex_bytes(Hash, List).
%! crypto_open_hash_stream(+OrgStream, -HashStream, +Options) is det.
%
% Open a filter stream on OrgStream that maintains a hash. The hash
% can be retrieved at any time using crypto_stream_hash/2. Available
% Options in addition to those of crypto_data_hash/3 are:
%
% - close_parent(+Bool)
% If `true` (default), closing the filter stream also closes the
% original (parent) stream.
crypto_open_hash_stream(OrgStream, HashStream, Options) :-
crypto_context_new(Context, Options),
'_crypto_open_hash_stream'(OrgStream, HashStream, Context).
%! crypto_stream_hash(+HashStream, -Hash) is det.
%
% Unify Hash with a hash for the bytes sent to or read from
% HashStream. Note that the hash is computed on the stream
% buffers. If the stream is an output stream, it is first flushed
% and the Digest represents the hash at the current location. If
% the stream is an input stream the Digest represents the hash of
% the processed input including the already buffered data.
crypto_stream_hash(Stream, Hash) :-
'_crypto_stream_hash_context'(Stream, Context),
crypto_context_hash(Context, Hash).
/* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The so-called modular crypt format (MCF) is a standard for encoding
password hash strings. However, there's no official specification
document describing it. Nor is there a central registry of
identifiers or rules. This page describes what is known about it:
https://pythonhosted.org/passlib/modular_crypt_format.html
As of 2016, the MCF is deprecated in favor of the PHC String Format:
https://github.com/P-H-C/phc-string-format/blob/master/phc-sf-spec.md
This is what we are using below. For the time being, it is best to
treat these hashes as opaque atoms in applications. Please let me
know if you need to rely on any specifics of this format.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - */
%! crypto_password_hash(+Password, ?Hash) is semidet.
%
% If Hash is instantiated, the predicate succeeds _iff_ the hash
% matches the given password. Otherwise, the call is equivalent to
% crypto_password_hash(Password, Hash, []) and computes a
% password-based hash using the default options.
crypto_password_hash(Password, Hash) :-
( nonvar(Hash) ->
must_be(atom, Hash),
split_string(Hash, "$", "$", ["pbkdf2-sha512",Ps,SaltB64,HashB64]),
atom_to_term(Ps, t=Iterations, []),
bytes_base64(SaltBytes, SaltB64),
bytes_base64(HashBytes, HashB64),
'_crypto_password_hash'(Password, SaltBytes, Iterations, HashBytes)
; crypto_password_hash(Password, Hash, [])
).
%! crypto_password_hash(+Password, -Hash, +Options) is det.
%
% Derive Hash based on Password. This predicate is similar to
% crypto_data_hash/3 in that it derives a hash from given data.
% However, it is tailored for the specific use case of
% _passwords_. One essential distinction is that for this use case,
% the derivation of a hash should be _as slow as possible_ to
% counteract brute-force attacks over possible passwords.
%
% Another important distinction is that equal passwords must yield,
% with very high probability, _different_ hashes. For this reason,
% cryptographically strong random numbers are automatically added to
% the password before a hash is derived.
%
% Hash is unified with an atom that contains the computed hash and all
% parameters that were used, except for the password. Instead of
% storing passwords, store these hashes. Later, you can verify the
% validity of a password with crypto_password_hash/2, comparing the
% then entered password to the stored hash. If you need to export this
% atom, you should treat it as opaque ASCII data with up to 255 bytes
% of length. The maximal length may increase in the future.
%
% Admissible options are:
%
% - algorithm(+Algorithm)
% The algorithm to use. Currently, the only available algorithm
% is =|pbkdf2-sha512|=, which is therefore also the default.
% - cost(+C)
% C is an integer, denoting the binary logarithm of the number
% of _iterations_ used for the derivation of the hash. This
% means that the number of iterations is set to 2^C. Currently,
% the default is 17, and thus more than one hundred _thousand_
% iterations. You should set this option as high as your server
% and users can tolerate. The default is subject to change and
% will likely increase in the future or adapt to new algorithms.
% - salt(+Salt)
% Use the given list of bytes as salt. By default,
% cryptographically secure random numbers are generated for this
% purpose. The default is intended to be secure, and constitutes
% the typical use case of this predicate.
%
% Currently, PBKDF2 with SHA-512 is used as the hash derivation
% function, using 128 bits of salt. All default parameters, including
% the algorithm, are subject to change, and other algorithms will also
% become available in the future. Since computed hashes store all
% parameters that were used during their derivation, such changes will
% not affect the operation of existing deployments. Note though that
% new hashes will then be computed with the new default parameters.
%
% @see crypto_data_hkdf/4 for generating keys from Hash.
crypto_password_hash(Password, Hash, Options) :-
must_be(list, Options),
option(cost(C), Options, 17),
Iterations is 2^C,
Algorithm = 'pbkdf2-sha512', % current default and only option
option(algorithm(Algorithm), Options, Algorithm),
( option(salt(SaltBytes), Options) ->
true
; crypto_n_random_bytes(16, SaltBytes)
),
'_crypto_password_hash'(Password, SaltBytes, Iterations, HashBytes),
bytes_base64(HashBytes, HashB64),
bytes_base64(SaltBytes, SaltB64),
format(atom(Hash),
"$pbkdf2-sha512$t=~d$~w$~w", [Iterations,SaltB64,HashB64]).
/* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Bidirectional Bytes <-> Base64 conversion as required by PHC format.
Note that *no padding* must be used, and that we must be able
to encode the whole range of bytes, not only UTF-8 sequences!
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - */
bytes_base64(Bytes, Base64) :-
( var(Bytes) ->
base64_encoded(Atom, Base64, [padding(false)]),
atom_codes(Atom, Bytes)
; atom_codes(Atom, Bytes),
base64_encoded(Atom, Base64, [padding(false)])
).
%! crypto_data_hkdf(+Data, +Length, -Bytes, +Options) is det.
%
% Concentrate possibly dispersed entropy of Data and then expand it to
% the desired length. Bytes is unified with a list of _bytes_ of
% length Length, and is suitable as input keying material and
% initialization vectors to the symmetric encryption predicates.
%
% Admissible options are:
%
% - algorithm(+Algorithm)
% A hashing algorithm as specified to crypto_data_hash/3. The
% default is a cryptographically secure algorithm. If you
% specify a variable, then it is unified with the algorithm
% that was used.
% - info(+Info)
% Optional context and application specific information,
% specified as an atom, string or list of _bytes_. The default
% is the zero length atom ''.
% - salt(+List)
% Optionally, a list of _bytes_ that are used as salt. The
% default is all zeroes.
% - encoding(+Atom)
% Either =|utf8|= (default) or =|octet|=, denoting
% the representation of Data as in crypto_data_hash/3.
%
% The `info/1` option can be used to generate multiple keys from a
% single master key, using for example values such as =|key|= and
% =|iv|=, or the name of a file that is to be encrypted.
%
% This predicate requires OpenSSL 1.1.0 or greater.
%
% @see crypto_n_random_bytes/2 to obtain a suitable salt.
crypto_data_hkdf(Data, L, Bytes, Options0) :-
functor_hash_options(algorithm, Algorithm, Options0, Options),
option(salt(SaltBytes), Options, []),
option(info(Info), Options, ''),
option(encoding(Enc), Options, utf8),
'_crypto_data_hkdf'(Data, SaltBytes, Info, Algorithm, Enc, L, Bytes).
%! ecdsa_sign(+Key, +Data, -Signature, +Options)
%
% Create an ECDSA signature for Data with EC private key Key.
% Among the most common cases is signing a hash that was created
% with crypto_data_hash/3 or other predicates of this library. For
% this reason, the default encoding (`hex`) assumes that Data is
% an atom, string, character list or code list representing the
% data in hexadecimal notation. See rsa_sign/4 for an example.
%
% Options:
%
% - encoding(+Encoding)
% Encoding to use for Data. Default is `hex`. Alternatives
% are `octet`, `utf8` and `text`.
ecdsa_sign(private_key(ec(Private,Public0,Curve)), Data0, Signature, Options) :-
option(encoding(Enc0), Options, hex),
hex_encoding(Enc0, Data0, Enc, Data),
hex_bytes(Public0, Public),
'_crypto_ecdsa_sign'(ec(Private,Public,Curve), Data, Enc, Signature).
hex_encoding(hex, Data0, octet, Data) :- !,
hex_bytes(Data0, Data).
hex_encoding(Enc, Data, Enc, Data).
%! ecdsa_verify(+Key, +Data, +Signature, +Options) is semidet.
%
% True iff Signature can be verified as the ECDSA signature for
% Data, using the EC public key Key.
%
% Options:
%
% - encoding(+Encoding)
% Encoding to use for Data. Default is `hex`. Alternatives
% are `octet`, `utf8` and `text`.
ecdsa_verify(public_key(ec(Private,Public0,Curve)), Data0, Signature0, Options) :-
option(encoding(Enc0), Options, hex),
hex_encoding(Enc0, Data0, Enc, Data),
hex_bytes(Public0, Public),
hex_bytes(Signature0, Signature),
'_crypto_ecdsa_verify'(ec(Private,Public,Curve), Data, Enc, Signature).
%! hex_bytes(?Hex, ?List) is det.
%
% Relation between a hexadecimal sequence and a list of bytes. Hex
% is an atom, string, list of characters or list of codes in
% hexadecimal encoding. This is the format that is used by
% crypto_data_hash/3 and related predicates to represent _hashes_.
% Bytes is a list of _integers_ between 0 and 255 that represent the
% sequence as a list of bytes. At least one of the arguments must
% be instantiated. When converting List _to_ Hex, an _atom_ is used
% to represent the sequence of hexadecimal digits.
%
% Example:
%
% ==
% ?- hex_bytes('501ACE', Bs).
% Bs = [80, 26, 206].
% ==
%
% @see base64_encoded/3 for Base64 encoding, which is often used to
% transfer or embed binary data in applications.
hex_bytes(Hs, Bytes) :-
( ground(Hs) ->
string_chars(Hs, Chars),
( phrase(hex_bytes(Chars), Bytes)
-> true
; domain_error(hex_encoding, Hs)
)
; must_be(list(between(0,255)), Bytes),
phrase(bytes_hex(Bytes), Chars),
atom_chars(Hs, Chars)
).
hex_bytes([]) --> [].
hex_bytes([H1,H2|Hs]) --> [Byte],
{ char_type(H1, xdigit(High)),
char_type(H2, xdigit(Low)),
Byte is High*16 + Low },
hex_bytes(Hs).
bytes_hex([]) --> [].
bytes_hex([B|Bs]) -->
{ High is B>>4,
Low is B /\ 0xf,
char_type(C0, xdigit(High)),
char_type(C1, xdigit(Low))
},
[C0,C1],
bytes_hex(Bs).
%! rsa_private_decrypt(+PrivateKey, +CipherText, -PlainText, +Options) is det.
%! rsa_private_encrypt(+PrivateKey, +PlainText, -CipherText, +Options) is det.
%! rsa_public_decrypt(+PublicKey, +CipherText, -PlainText, +Options) is det.
%! rsa_public_encrypt(+PublicKey, +PlainText, -CipherText, +Options) is det.
%
% RSA Public key encryption and decryption primitives. A string
% can be safely communicated by first encrypting it and have the
% peer decrypt it with the matching key and predicate. The length
% of the string is limited by the key length.
%
% Options:
%
% - encoding(+Encoding)
% Encoding to use for Data. Default is `utf8`. Alternatives
% are `utf8` and `octet`.
%
% - padding(+PaddingScheme)
% Padding scheme to use. Default is `pkcs1`. Alternatives
% are `pkcs1_oaep`, `sslv23` and `none`. Note that `none` should
% only be used if you implement cryptographically sound padding
% modes in your application code as encrypting unpadded data with
% RSA is insecure
%
% @see load_private_key/3, load_public_key/2 can be use to load
% keys from a file. The predicate load_certificate/2 can be used
% to obtain the public key from a certificate.
%
% @error ssl_error(Code, LibName, FuncName, Reason) is raised if
% there is an error, e.g., if the text is too long for the key.
%! rsa_sign(+Key, +Data, -Signature, +Options) is det.
%
% Create an RSA signature for Data with private key Key. Options:
%
% - type(+Type)
% SHA algorithm used to compute the digest. Values are
% `sha1`, `sha224`, `sha256`, `sha384` or `sha512`. The
% default is a cryptographically secure algorithm. If you
% specify a variable, then it is unified with the algorithm that
% was used.
%
% - encoding(+Encoding)
% Encoding to use for Data. Default is `hex`. Alternatives
% are `octet`, `utf8` and `text`.
%
% This predicate can be used to compute a =|sha256WithRSAEncryption|=
% signature as follows:
%
% ```
% sha256_with_rsa(PemKeyFile, Password, Data, Signature) :-
% Algorithm = sha256,
% read_key(PemKeyFile, Password, Key),
% crypto_data_hash(Data, Hash, [algorithm(Algorithm),
% encoding(octet)]),
% rsa_sign(Key, Hash, Signature, [type(Algorithm)]).
%
% read_key(File, Password, Key) :-
% setup_call_cleanup(
% open(File, read, In, [type(binary)]),
% load_private_key(In, Password, Key),
% close(In)).
% ```
%
% Note that a hash that is computed by crypto_data_hash/3 can be
% directly used in rsa_sign/4 as well as ecdsa_sign/4.
rsa_sign(Key, Data0, Signature, Options0) :-
functor_hash_options(type, Type, Options0, Options),
option(encoding(Enc0), Options, hex),
hex_encoding(Enc0, Data0, Enc, Data),
rsa_sign(Key, Type, Enc, Data, Signature).
%! rsa_verify(+Key, +Data, +Signature, +Options) is semidet.
%
% Verify an RSA signature for Data with public key Key.
%
% Options:
%
% - type(+Type)
% SHA algorithm used to compute the digest. Values are `sha1`,
% `sha224`, `sha256`, `sha384` or `sha512`. The default is the
% same as for rsa_sign/4. This option must match the algorithm
% that was used for signing. When operating with different parties,
% the used algorithm must be communicated over an authenticated
% channel.
%
% - encoding(+Encoding)
% Encoding to use for Data. Default is `hex`. Alternatives
% are `octet`, `utf8` and `text`.
rsa_verify(Key, Data0, Signature0, Options0) :-
functor_hash_options(type, Type, Options0, Options),
option(encoding(Enc0), Options, hex),
hex_encoding(Enc0, Data0, Enc, Data),
hex_bytes(Signature0, Signature),
rsa_verify(Key, Type, Enc, Data, Signature).
%! crypto_data_decrypt(+CipherText,
%! +Algorithm,
%! +Key,
%! +IV,
%! -PlainText,
%! +Options).
%
% Decrypt the given CipherText, using the symmetric algorithm
% Algorithm, key Key, and initialization vector IV, to give PlainText.
% CipherText must be a string, atom or list of codes or characters,
% and PlainText is created as a string. Key and IV are typically
% lists of _bytes_, though atoms and strings are also permitted.
% Algorithm must be an algorithm which your copy of OpenSSL knows. See
% crypto_data_encrypt/6 for an example.
%
% - encoding(+Encoding)
% Encoding to use for CipherText. Default is `utf8`.
% Alternatives are `utf8` and `octet`.
%
% - padding(+PaddingScheme)
% For block ciphers, the padding scheme to use. Default is
% `block`. You can disable padding by supplying `none` here.
%
% - tag(+Tag)
% For authenticated encryption schemes, the tag must be specified as
% a list of bytes exactly as they were generated upon encryption.
% This option requires OpenSSL 1.1.0 or greater.
%
% - min_tag_length(+Length)
% If the tag length is smaller than 16, this option must be used
% to permit such shorter tags. This is used as a safeguard against
% truncation attacks, where an attacker provides a short tag that
% is easier to guess.
crypto_data_decrypt(CipherText, Algorithm, Key, IV, PlainText, Options) :-
( option(tag(Tag), Options) ->
option(min_tag_length(MinTagLength), Options, 16),
length(Tag, TagLength),
compare(C, TagLength, MinTagLength),
tag_length_ok(C, Tag)
; Tag = []
),
'_crypto_data_decrypt'(CipherText, Algorithm, Key, IV,
Tag, PlainText, Options).
% This test is important to prevent truncation attacks of the tag.
tag_length_ok(=, _).
tag_length_ok(>, _).
tag_length_ok(<, Tag) :- domain_error(tag_is_too_short, Tag).
%! crypto_data_encrypt(+PlainText,
%! +Algorithm,
%! +Key,
%! +IV,
%! -CipherText,
%! +Options).
%
% Encrypt the given PlainText, using the symmetric algorithm
% Algorithm, key Key, and initialization vector (or nonce) IV, to give
% CipherText.
%
% PlainText must be a string, atom or list of codes or characters, and
% CipherText is created as a string. Key and IV are typically lists
% of _bytes_, though atoms and strings are also permitted. Algorithm
% must be an algorithm which your copy of OpenSSL knows
% about.
%
% Keys and IVs can be chosen at random (using for example
% crypto_n_random_bytes/2) or derived from input keying material (IKM)
% using for example crypto_data_hkdf/4. This input is often a shared
% secret, such as a negotiated point on an elliptic curve, or the hash
% that was computed from a password via crypto_password_hash/3 with a
% freshly generated and specified _salt_.
%
% Reusing the same combination of Key and IV typically leaks at least
% _some_ information about the plaintext. For example, identical
% plaintexts will then correspond to identical ciphertexts. For some
% algorithms, reusing an IV with the same Key has disastrous results
% and can cause the loss of all properties that are otherwise
% guaranteed. Especially in such cases, an IV is also called a
% _nonce_ (number used once). If an IV is not needed for your
% algorithm (such as =|'aes-128-ecb'|=) then any value can be provided
% as it will be ignored by the underlying implementation. Note that
% such algorithms do not provide _semantic security_ and are thus
% insecure. You should use stronger algorithms instead.
%
% It is safe to store and transfer the used initialization vector (or
% nonce) in plain text, but the key _must be kept secret_.
%
% Commonly used algorithms include:
%
% $ =|'chacha20-poly1305'|= :
% A powerful and efficient _authenticated_ encryption scheme,
% providing secrecy and at the same time reliable protection
% against undetected _modifications_ of the encrypted data. This
% is a very good choice for virtually all use cases. It is a
% _stream cipher_ and can encrypt data of any length up to 256 GB.
% Further, the encrypted data has exactly the same length
% as the original, and no padding is used. It requires OpenSSL
% 1.1.0 or greater. See below for an example.
%
% $ =|'aes-128-gcm'|= :
% Also an authenticated encryption scheme. It uses a 128-bit
% (i.e., 16 bytes) key and a 96-bit (i.e., 12 bytes) nonce. It
% requires OpenSSL 1.1.0 or greater.
%
% $ =|'aes-128-cbc'|= :
% A _block cipher_ that provides secrecy, but does not protect
% against unintended modifications of the cipher text. This
% algorithm uses 128-bit (16 bytes) keys and initialization
% vectors. It works with all supported versions of OpenSSL. If
% possible, consider using an authenticated encryption scheme
% instead.
%
% Options:
%
% - encoding(+Encoding)
% Encoding to use for PlainText. Default is `utf8`. Alternatives
% are `utf8` and `octet`.
%
% - padding(+PaddingScheme)
% For block ciphers, the padding scheme to use. Default is
% `block`. You can disable padding by supplying `none` here. If
% padding is disabled for block ciphers, then the length of the
% ciphertext must be a multiple of the block size.
%
% - tag(-List)
% For authenticated encryption schemes, List is unified with a
% list of _bytes_ holding the tag. This tag must be provided for
% decryption. Authenticated encryption requires OpenSSL 1.1.0 or
% greater.
%
% - tag_length(+Length)
% For authenticated encryption schemes, the desired length of the
% tag, specified as the number of bytes. The default is
% 16. Smaller numbers are not recommended.
%
% For example, with OpenSSL 1.1.0 and greater, we can use the ChaCha20
% stream cipher with the Poly1305 authenticator. This cipher uses a
% 256-bit key and a 96-bit _nonce_, i.e., 32 and 12 _bytes_,
% respectively:
%
% ```
% ?- Algorithm = 'chacha20-poly1305',
% crypto_n_random_bytes(32, Key),
% crypto_n_random_bytes(12, IV),
% crypto_data_encrypt("this is some input", Algorithm,
% Key, IV, CipherText, [tag(Tag)]),
% crypto_data_decrypt(CipherText, Algorithm,
% Key, IV, RecoveredText, [tag(Tag)]).
% Algorithm = 'chacha20-poly1305',
% Key = [65, 147, 140, 197, 27, 60, 198, 50, 218|...],
% IV = [253, 232, 174, 84, 168, 208, 218, 168, 228|...],
% CipherText = <binary string>,
% Tag = [248, 220, 46, 62, 255, 9, 178, 130, 250|...],
% RecoveredText = "this is some input".
% ```
%
% In this example, we use crypto_n_random_bytes/2 to generate a key
% and nonce from cryptographically secure random numbers. For
% repeated applications, you must ensure that a nonce is only used
% _once_ together with the same key. Note that for _authenticated_
% encryption schemes, the _tag_ that was computed during encryption is
% necessary for decryption. It is safe to store and transfer the tag
% in plain text.
%
% @see crypto_data_decrypt/6.
% @see hex_bytes/2 for conversion between bytes and hex encoding.
crypto_data_encrypt(PlainText, Algorithm, Key, IV, CipherText, Options) :-
( option(tag(AuthTag), Options) ->
option(tag_length(AuthLength), Options, 16)
; AuthTag = _,
AuthLength = -1
),
'_crypto_data_encrypt'(PlainText, Algorithm, Key, IV,
AuthLength, AuthTag, CipherText, Options).
%% crypto_modular_inverse(+X, +M, -Y) is det
%
% Compute the modular multiplicative inverse of the integer X. Y is
% unified with an integer such that X*Y is congruent to 1 modulo M.
crypto_modular_inverse(X, M, Y) :-
integer_serialized(X, XS),
integer_serialized(M, MS),
'_crypto_modular_inverse'(XS, MS, YHex),
hex_to_integer(YHex, Y).
integer_serialized(I, serialized(S)) :-
must_be(integer, I),
integer_atomic_sign(I, Sign),
Abs is abs(I),
format(atom(A0), "~16r", [Abs]),
atom_length(A0, L),
Rem is L mod 2,
hex_pad(Rem, Sign, A0, S).
integer_atomic_sign(I, S) :-
Sign is sign(I),
sign_atom(Sign, S).
sign_atom(-1, '-').
sign_atom( 0, '').
sign_atom( 1, '').
hex_pad(0, Sign, A0, A) :- atom_concat(Sign, A0, A).
hex_pad(1, Sign, A0, A) :- atomic_list_concat([Sign,'0',A0], A).
pow256(Byte, N0-I0, N-I) :-
N is N0 + Byte*256^I0,
I is I0 + 1.
hex_to_integer(Hex, N) :-
hex_bytes(Hex, Bytes0),
reverse(Bytes0, Bytes),
foldl(pow256, Bytes, 0-0, N-_).
%% crypto_generate_prime(+N, -P, +Options) is det
%
% Generate a prime P with at least N bits. Options is a list of options.
% Currently, the only supported option is:
%
% * safe(Boolean)
% If `Boolean` is `true` (default is `false`), then a _safe_ prime
% is generated. This means that P is of the form 2*Q + 1 where Q
% is also prime.
crypto_generate_prime(Bits, P, Options) :-
must_be(list, Options),
option(safe(Safe), Options, false),
'_crypto_generate_prime'(Bits, Hex, Safe, Options),
hex_to_integer(Hex, P).
%% crypto_is_prime(+P, +Options) is semidet
%
% True iff P passes a probabilistic primality test. Options is a
% list of options. Currently, the only supported option is:
%
% * iterations(N)
% N is the number of iterations that are performed. If this option
% is not specified, a number of iterations is used such that the
% probability of a false positive is at most 2^(-80).
crypto_is_prime(P0, Options) :-
must_be(integer, P0),
must_be(list, Options),
option(iterations(N), Options, -1),
integer_serialized(P0, P),
'_crypto_is_prime'(P, N).
%% crypto_name_curve(+Name, -Curve) is det
%
% Obtain a handle for a _named_ elliptic curve. Name is an atom, and
% Curve is unified with an opaque object that represents the curve.
% Currently, only elliptic curves over prime fields are
% supported. Examples of such curves are `prime256v1` and
% `secp256k1`.
%
% If you have OpenSSL installed, you can get a list of supported
% curves via:
%
% ==
% $ openssl ecparam -list_curves
% ==
%% crypto_curve_order(+Curve, -Order) is det
%
% Obtain the order of an elliptic curve. Order is an integer,
% denoting how many points on the curve can be reached by
% multiplying the curve's generator with a scalar.
crypto_curve_order(Curve, Order) :-
'_crypto_curve_order'(Curve, Hex),
hex_to_integer(Hex, Order).
%% crypto_curve_generator(+Curve, -Point) is det
%
% Point is the _generator_ of the elliptic curve Curve.
crypto_curve_generator(Curve, point(X,Y)) :-
'_crypto_curve_generator'(Curve, X0, Y0),
hex_to_integer(X0, X),
hex_to_integer(Y0, Y).
%% crypto_curve_scalar_mult(+Curve, +N, +Point, -R) is det
%
% R is the result of N times Point on the elliptic curve Curve. N
% must be an integer, and Point must be a point on the curve.
crypto_curve_scalar_mult(Curve, S0, point(X0,Y0), point(A,B)) :-
maplist(integer_serialized, [S0,X0,Y0], [S,X,Y]),
'_crypto_curve_scalar_mult'(Curve, S, X, Y, A0, B0),
hex_to_integer(A0, A),
hex_to_integer(B0, B).
/*******************************
* Sandboxing *
*******************************/
:- multifile sandbox:safe_primitive/1.
sandbox:safe_primitive(crypto:hex_bytes(_,_)).
sandbox:safe_primitive(crypto:crypto_n_random_bytes(_,_)).
sandbox:safe_primitive(crypto:crypto_data_hash(_,_,_)).
sandbox:safe_primitive(crypto:crypto_data_context(_,_,_)).
sandbox:safe_primitive(crypto:crypto_context_new(_,_)).
sandbox:safe_primitive(crypto:crypto_context_hash(_,_)).
sandbox:safe_primitive(crypto:crypto_password_hash(_,_)).
sandbox:safe_primitive(crypto:crypto_password_hash(_,_,_)).
sandbox:safe_primitive(crypto:crypto_data_hkdf(_,_,_,_)).
sandbox:safe_primitive(crypto:ecdsa_sign(_,_,_,_)).
sandbox:safe_primitive(crypto:ecdsa_verify(_,_,_,_)).
sandbox:safe_primitive(crypto:rsa_sign(_,_,_,_)).
sandbox:safe_primitive(crypto:rsa_verify(_,_,_,_)).
sandbox:safe_primitive(crypto:rsa_public_encrypt(_,_,_,_)).
sandbox:safe_primitive(crypto:rsa_public_decrypt(_,_,_,_)).
sandbox:safe_primitive(crypto:rsa_private_encrypt(_,_,_,_)).
sandbox:safe_primitive(crypto:rsa_private_decrypt(_,_,_,_)).
sandbox:safe_primitive(crypto:crypto_data_decrypt(_,_,_,_,_,_)).
sandbox:safe_primitive(crypto:crypto_data_encrypt(_,_,_,_,_,_)).
sandbox:safe_primitive(crypto:crypto_modular_inverse(_,_,_)).
sandbox:safe_primitive(crypto:crypto_generate_prime(_,_,_)).
sandbox:safe_primitive(crypto:crypto_is_prime(_,_)).
sandbox:safe_primitive(crypto:crypto_name_curve(_,_)).
sandbox:safe_primitive(crypto:crypto_curve_order(_,_)).
sandbox:safe_primitive(crypto:crypto_curve_generator(_,_)).
sandbox:safe_primitive(crypto:crypto_curve_scalar_mult(_,_,_,_)).
/*******************************
* MESSAGES *
*******************************/
:- multifile
prolog:error_message//1.
prolog:error_message(ssl_error(ID, _Library, Function, Reason)) -->
[ 'SSL(~w) ~w: ~w'-[ID, Function, Reason] ].
|