use anyhow::Result; use bitreader::BitReader; use openssl::{ bn::{BigNum, BigNumContext, MsbOption}, ec::{EcGroup, EcPoint}, sha::sha1, }; use crate::key::{base24_decode, base24_encode}; const FIELD_BITS: i32 = 384; const FIELD_BYTES: usize = 48; const SHA_MSG_LENGTH: usize = 4 + 2 * FIELD_BYTES; #[derive(Clone, Copy, Debug)] struct ProductKey { upgrade: bool, serial: u32, hash: u32, signature: u64, } pub fn verify( e_curve: &EcGroup, base_point: &EcPoint, public_key: &EcPoint, p_key: &str, ) -> Result { let mut num_context = BigNumContext::new()?; let p_raw = base24_decode(p_key); let product_key = unpack(&p_raw)?; let p_data = product_key.serial << 1 | product_key.upgrade as u32; let e = BigNum::from_u32(product_key.hash)?; let s = BigNum::from_slice(&product_key.signature.to_be_bytes())?; let mut x = BigNum::new()?; let mut y = BigNum::new()?; let mut t = EcPoint::new(e_curve)?; let mut p = EcPoint::new(e_curve)?; let mut p_2 = EcPoint::new(e_curve)?; t.mul(e_curve, base_point, &s, &num_context)?; p.mul(e_curve, public_key, &e, &num_context)?; p_2.mul(e_curve, public_key, &e, &num_context)?; p.add(e_curve, &t, &p_2, &mut num_context)?; p.affine_coordinates(e_curve, &mut x, &mut y, &mut num_context)?; let mut msg_buffer: [u8; SHA_MSG_LENGTH] = [0; SHA_MSG_LENGTH]; let mut x_bin = x.to_vec_padded(FIELD_BYTES as i32)?; x_bin.reverse(); let mut y_bin = y.to_vec_padded(FIELD_BYTES as i32)?; y_bin.reverse(); msg_buffer[0..4].copy_from_slice(&p_data.to_le_bytes()); msg_buffer[4..4 + FIELD_BYTES].copy_from_slice(&x_bin); msg_buffer[4 + FIELD_BYTES..4 + FIELD_BYTES * 2].copy_from_slice(&y_bin); let msg_digest = sha1(&msg_buffer); let hash: u32 = u32::from_le_bytes(msg_digest[0..4].try_into().unwrap()) >> 4 & bitmask(28) as u32; Ok(hash == product_key.hash) } pub fn generate( e_curve: &EcGroup, base_point: &EcPoint, gen_order: &BigNum, private_key: &BigNum, p_serial: u32, p_upgrade: bool, ) -> Result { let mut num_context = BigNumContext::new().unwrap(); let mut c = BigNum::new()?; let mut s = BigNum::new()?; let mut s_2 = BigNum::new()?; let mut x = BigNum::new()?; let mut y = BigNum::new()?; let p_data = p_serial << 1 | p_upgrade as u32; let p_raw = loop { let mut r = EcPoint::new(e_curve)?; // Generate a random number c consisting of 384 bits without any constraints. c.rand(FIELD_BITS, MsbOption::MAYBE_ZERO, false)?; // Pick a random derivative of the base point on the elliptic curve. // R = cG; r.mul(e_curve, base_point, &c, &num_context)?; // Acquire its coordinates. // x = R.x; y = R.y; r.affine_coordinates(e_curve, &mut x, &mut y, &mut num_context)?; let mut msg_buffer: [u8; SHA_MSG_LENGTH] = [0; SHA_MSG_LENGTH]; let mut x_bin = x.to_vec_padded(FIELD_BYTES as i32)?; x_bin.reverse(); let mut y_bin = y.to_vec_padded(FIELD_BYTES as i32)?; y_bin.reverse(); msg_buffer[0..4].copy_from_slice(&p_data.to_le_bytes()); msg_buffer[4..4 + FIELD_BYTES].copy_from_slice(&x_bin); msg_buffer[4 + FIELD_BYTES..4 + FIELD_BYTES * 2].copy_from_slice(&y_bin); let msg_digest = sha1(&msg_buffer); let p_hash: u32 = u32::from_le_bytes(msg_digest[0..4].try_into().unwrap()) >> 4 & bitmask(28) as u32; s_2.copy_from_slice(&private_key.to_vec())?; s_2.mul_word(p_hash)?; s.mod_add(&s_2, &c, gen_order, &mut num_context)?; let p_signature = u64::from_be_bytes(s.to_vec_padded(8)?.try_into().unwrap()); if p_signature <= bitmask(55) { break pack(ProductKey { upgrade: p_upgrade, serial: p_serial, hash: p_hash, signature: p_signature, }); } }; Ok(base24_encode(&p_raw)) } const HASH_LENGTH_BITS: u8 = 28; const SERIAL_LENGTH_BITS: u8 = 30; const UPGRADE_LENGTH_BITS: u8 = 1; const EVERYTHING_ELSE: u8 = HASH_LENGTH_BITS + SERIAL_LENGTH_BITS + UPGRADE_LENGTH_BITS; fn unpack(p_raw: &[u8]) -> Result { let mut reader = BitReader::new(p_raw); // The signature length is unknown, but everything else is, so we can calculate it let signature_length_bits = (p_raw.len() * 8) as u8 - EVERYTHING_ELSE; let p_signature = reader.read_u64(signature_length_bits)?; let p_hash = reader.read_u32(HASH_LENGTH_BITS)?; let p_serial = reader.read_u32(SERIAL_LENGTH_BITS)?; let p_upgrade = reader.read_bool()?; Ok(ProductKey { upgrade: p_upgrade, serial: p_serial, hash: p_hash, signature: p_signature, }) } fn pack(p_key: ProductKey) -> Vec { let mut p_raw: u128 = 0; p_raw |= (p_key.signature as u128) << EVERYTHING_ELSE; p_raw |= (p_key.hash as u128) << (SERIAL_LENGTH_BITS + UPGRADE_LENGTH_BITS); p_raw |= (p_key.serial as u128) << UPGRADE_LENGTH_BITS; p_raw |= p_key.upgrade as u128; p_raw .to_be_bytes() .into_iter() .skip_while(|&x| x == 0) .collect() } fn bitmask(n: u64) -> u64 { (1 << n) - 1 } #[cfg(test)] mod tests { use std::{fs::File, io::BufReader}; use serde_json::from_reader; use crate::crypto::initialize_elliptic_curve; #[test] fn verify_test() { // Example product key and its BINK ID let product_key = "D9924-R6BG2-39J83-RYKHF-W47TT"; let bink_id = "2E"; // Load keys.json let path = "keys.json"; let file = File::open(path).unwrap(); let reader = BufReader::new(file); let keys: serde_json::Value = from_reader(reader).unwrap(); let bink = &keys["BINK"][&bink_id]; let p = bink["p"].as_str().unwrap(); let a = bink["a"].as_str().unwrap(); let b = bink["b"].as_str().unwrap(); let gx = bink["g"]["x"].as_str().unwrap(); let gy = bink["g"]["y"].as_str().unwrap(); let kx = bink["pub"]["x"].as_str().unwrap(); let ky = bink["pub"]["y"].as_str().unwrap(); let (e_curve, gen_point, pub_point) = initialize_elliptic_curve(p, a, b, gx, gy, kx, ky); assert!(super::verify(&e_curve, &gen_point, &pub_point, product_key).unwrap()); assert!(!super::verify( &e_curve, &gen_point, &pub_point, "11111-R6BG2-39J83-RYKHF-W47TT" ) .unwrap()); } #[test] fn pack_test() { let p_key = super::ProductKey { upgrade: false, serial: 640010550, hash: 39185432, signature: 6939952665262054, }; let p_raw = super::pack(p_key); assert_eq!( p_raw, vec![ 0xC5, 0x3E, 0xCD, 0x2A, 0xF7, 0xBF, 0x31, 0x2A, 0xF6, 0x0C, 0x4C, 0x4B, 0x92, 0x6C ] ); } }