umskt-rs/src/bink1998.rs

use anyhow::Result;
use bitreader::BitReader;
use openssl::{
    bn::{BigNum, BigNumContext, MsbOption},
    ec::{EcGroup, EcPoint},
    sha::sha1,
};

use crate::key::{base24_decode, base24_encode};

const FIELD_BITS: i32 = 384;
const FIELD_BYTES: usize = 48;
const SHA_MSG_LENGTH: usize = 4 + 2 * FIELD_BYTES;

#[derive(Clone, Copy, Debug)]
struct ProductKey {
    upgrade: bool,
    serial: u32,
    hash: u32,
    signature: u64,
}

pub fn verify(
    e_curve: &EcGroup,
    base_point: &EcPoint,
    public_key: &EcPoint,
    p_key: &str,
) -> Result<bool> {
    let mut num_context = BigNumContext::new()?;

    let p_raw = base24_decode(p_key);
    let product_key = unpack(&p_raw)?;

    let p_data = product_key.serial << 1 | product_key.upgrade as u32;

    let e = BigNum::from_u32(product_key.hash)?;
    let s = BigNum::from_slice(&product_key.signature.to_be_bytes())?;
    let mut x = BigNum::new()?;
    let mut y = BigNum::new()?;

    let mut t = EcPoint::new(e_curve)?;
    let mut p = EcPoint::new(e_curve)?;
    let mut p_2 = EcPoint::new(e_curve)?;

    t.mul(e_curve, base_point, &s, &num_context)?;
    p.mul(e_curve, public_key, &e, &num_context)?;
    p_2.mul(e_curve, public_key, &e, &num_context)?;

    p.add(e_curve, &t, &p_2, &mut num_context)?;

    p.affine_coordinates(e_curve, &mut x, &mut y, &mut num_context)?;

    let mut msg_buffer: [u8; SHA_MSG_LENGTH] = [0; SHA_MSG_LENGTH];

    let mut x_bin = x.to_vec_padded(FIELD_BYTES as i32)?;
    x_bin.reverse();
    let mut y_bin = y.to_vec_padded(FIELD_BYTES as i32)?;
    y_bin.reverse();

    msg_buffer[0..4].copy_from_slice(&p_data.to_le_bytes());
    msg_buffer[4..4 + FIELD_BYTES].copy_from_slice(&x_bin);
    msg_buffer[4 + FIELD_BYTES..4 + FIELD_BYTES * 2].copy_from_slice(&y_bin);

    let msg_digest = sha1(&msg_buffer);

    let hash: u32 =
        u32::from_le_bytes(msg_digest[0..4].try_into().unwrap()) >> 4 & bitmask(28) as u32;

    Ok(hash == product_key.hash)
}

pub fn generate(
    e_curve: &EcGroup,
    base_point: &EcPoint,
    gen_order: &BigNum,
    private_key: &BigNum,
    p_serial: u32,
    p_upgrade: bool,
) -> Result<String> {
    let mut num_context = BigNumContext::new().unwrap();

    let mut c = BigNum::new()?;
    let mut s = BigNum::new()?;
    let mut s_2 = BigNum::new()?;
    let mut x = BigNum::new()?;
    let mut y = BigNum::new()?;

    let p_data = p_serial << 1 | p_upgrade as u32;

    let p_raw = loop {
        let mut r = EcPoint::new(e_curve)?;

        // Generate a random number c consisting of 384 bits without any constraints.
        c.rand(FIELD_BITS, MsbOption::MAYBE_ZERO, false)?;

        // Pick a random derivative of the base point on the elliptic curve.
        // R = cG;
        r.mul(e_curve, base_point, &c, &num_context)?;

        // Acquire its coordinates.
        // x = R.x; y = R.y;
        r.affine_coordinates(e_curve, &mut x, &mut y, &mut num_context)?;

        let mut msg_buffer: [u8; SHA_MSG_LENGTH] = [0; SHA_MSG_LENGTH];

        let mut x_bin = x.to_vec_padded(FIELD_BYTES as i32)?;
        x_bin.reverse();
        let mut y_bin = y.to_vec_padded(FIELD_BYTES as i32)?;
        y_bin.reverse();

        msg_buffer[0..4].copy_from_slice(&p_data.to_le_bytes());
        msg_buffer[4..4 + FIELD_BYTES].copy_from_slice(&x_bin);
        msg_buffer[4 + FIELD_BYTES..4 + FIELD_BYTES * 2].copy_from_slice(&y_bin);

        let msg_digest = sha1(&msg_buffer);

        let p_hash: u32 =
            u32::from_le_bytes(msg_digest[0..4].try_into().unwrap()) >> 4 & bitmask(28) as u32;

        s_2.copy_from_slice(&private_key.to_vec())?;
        s_2.mul_word(p_hash)?;

        s.mod_add(&s_2, &c, gen_order, &mut num_context)?;

        let p_signature = u64::from_be_bytes(s.to_vec_padded(8)?.try_into().unwrap());

        if p_signature <= bitmask(55) {
            break pack(ProductKey {
                upgrade: p_upgrade,
                serial: p_serial,
                hash: p_hash,
                signature: p_signature,
            });
        }
    };

    Ok(base24_encode(&p_raw))
}

const HASH_LENGTH_BITS: u8 = 28;
const SERIAL_LENGTH_BITS: u8 = 30;
const UPGRADE_LENGTH_BITS: u8 = 1;
const EVERYTHING_ELSE: u8 = HASH_LENGTH_BITS + SERIAL_LENGTH_BITS + UPGRADE_LENGTH_BITS;

fn unpack(p_raw: &[u8]) -> Result<ProductKey> {
    let mut reader = BitReader::new(p_raw);
    // The signature length is unknown, but everything else is, so we can calculate it
    let signature_length_bits = (p_raw.len() * 8) as u8 - EVERYTHING_ELSE;

    let p_signature = reader.read_u64(signature_length_bits)?;
    let p_hash = reader.read_u32(HASH_LENGTH_BITS)?;
    let p_serial = reader.read_u32(SERIAL_LENGTH_BITS)?;
    let p_upgrade = reader.read_bool()?;

    Ok(ProductKey {
        upgrade: p_upgrade,
        serial: p_serial,
        hash: p_hash,
        signature: p_signature,
    })
}

fn pack(p_key: ProductKey) -> Vec<u8> {
    let mut p_raw: u128 = 0;

    p_raw |= (p_key.signature as u128) << EVERYTHING_ELSE;
    p_raw |= (p_key.hash as u128) << (SERIAL_LENGTH_BITS + UPGRADE_LENGTH_BITS);
    p_raw |= (p_key.serial as u128) << UPGRADE_LENGTH_BITS;
    p_raw |= p_key.upgrade as u128;

    p_raw
        .to_be_bytes()
        .into_iter()
        .skip_while(|&x| x == 0)
        .collect()
}

fn bitmask(n: u64) -> u64 {
    (1 << n) - 1
}

#[cfg(test)]
mod tests {
    use std::{fs::File, io::BufReader};

    use serde_json::from_reader;

    use crate::crypto::initialize_elliptic_curve;

    #[test]
    fn verify_test() {
        // Example product key and its BINK ID
        let product_key = "D9924-R6BG2-39J83-RYKHF-W47TT";
        let bink_id = "2E";

        // Load keys.json
        let path = "keys.json";
        let file = File::open(path).unwrap();
        let reader = BufReader::new(file);
        let keys: serde_json::Value = from_reader(reader).unwrap();

        let bink = &keys["BINK"][&bink_id];

        let p = bink["p"].as_str().unwrap();
        let a = bink["a"].as_str().unwrap();
        let b = bink["b"].as_str().unwrap();
        let gx = bink["g"]["x"].as_str().unwrap();
        let gy = bink["g"]["y"].as_str().unwrap();
        let kx = bink["pub"]["x"].as_str().unwrap();
        let ky = bink["pub"]["y"].as_str().unwrap();

        let (e_curve, gen_point, pub_point) = initialize_elliptic_curve(p, a, b, gx, gy, kx, ky);

        assert!(super::verify(&e_curve, &gen_point, &pub_point, product_key).unwrap());
        assert!(!super::verify(
            &e_curve,
            &gen_point,
            &pub_point,
            "11111-R6BG2-39J83-RYKHF-W47TT"
        )
        .unwrap());
    }

    #[test]
    fn pack_test() {
        let p_key = super::ProductKey {
            upgrade: false,
            serial: 640010550,
            hash: 39185432,
            signature: 6939952665262054,
        };

        let p_raw = super::pack(p_key);

        assert_eq!(
            p_raw,
            vec![
                0xC5, 0x3E, 0xCD, 0x2A, 0xF7, 0xBF, 0x31, 0x2A, 0xF6, 0x0C, 0x4C, 0x4B, 0x92, 0x6C
            ]
        );
    }
}