rsa_ameth.c 29 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102
  1. /*
  2. * Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the OpenSSL license (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <stdio.h>
  10. #include "internal/cryptlib.h"
  11. #include <openssl/asn1t.h>
  12. #include <openssl/x509.h>
  13. #include <openssl/bn.h>
  14. #include <openssl/cms.h>
  15. #include "internal/asn1_int.h"
  16. #include "internal/evp_int.h"
  17. #include "rsa_locl.h"
  18. #ifndef OPENSSL_NO_CMS
  19. static int rsa_cms_sign(CMS_SignerInfo *si);
  20. static int rsa_cms_verify(CMS_SignerInfo *si);
  21. static int rsa_cms_decrypt(CMS_RecipientInfo *ri);
  22. static int rsa_cms_encrypt(CMS_RecipientInfo *ri);
  23. #endif
  24. static RSA_PSS_PARAMS *rsa_pss_decode(const X509_ALGOR *alg);
  25. /* Set any parameters associated with pkey */
  26. static int rsa_param_encode(const EVP_PKEY *pkey,
  27. ASN1_STRING **pstr, int *pstrtype)
  28. {
  29. const RSA *rsa = pkey->pkey.rsa;
  30. *pstr = NULL;
  31. /* If RSA it's just NULL type */
  32. if (pkey->ameth->pkey_id == EVP_PKEY_RSA) {
  33. *pstrtype = V_ASN1_NULL;
  34. return 1;
  35. }
  36. /* If no PSS parameters we omit parameters entirely */
  37. if (rsa->pss == NULL) {
  38. *pstrtype = V_ASN1_UNDEF;
  39. return 1;
  40. }
  41. /* Encode PSS parameters */
  42. if (ASN1_item_pack(rsa->pss, ASN1_ITEM_rptr(RSA_PSS_PARAMS), pstr) == NULL)
  43. return 0;
  44. *pstrtype = V_ASN1_SEQUENCE;
  45. return 1;
  46. }
  47. /* Decode any parameters and set them in RSA structure */
  48. static int rsa_param_decode(RSA *rsa, const X509_ALGOR *alg)
  49. {
  50. const ASN1_OBJECT *algoid;
  51. const void *algp;
  52. int algptype;
  53. X509_ALGOR_get0(&algoid, &algptype, &algp, alg);
  54. if (OBJ_obj2nid(algoid) == EVP_PKEY_RSA)
  55. return 1;
  56. if (algptype == V_ASN1_UNDEF)
  57. return 1;
  58. if (algptype != V_ASN1_SEQUENCE) {
  59. RSAerr(RSA_F_RSA_PARAM_DECODE, RSA_R_INVALID_PSS_PARAMETERS);
  60. return 0;
  61. }
  62. rsa->pss = rsa_pss_decode(alg);
  63. if (rsa->pss == NULL)
  64. return 0;
  65. return 1;
  66. }
  67. static int rsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
  68. {
  69. unsigned char *penc = NULL;
  70. int penclen;
  71. ASN1_STRING *str;
  72. int strtype;
  73. if (!rsa_param_encode(pkey, &str, &strtype))
  74. return 0;
  75. penclen = i2d_RSAPublicKey(pkey->pkey.rsa, &penc);
  76. if (penclen <= 0)
  77. return 0;
  78. if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(pkey->ameth->pkey_id),
  79. strtype, str, penc, penclen))
  80. return 1;
  81. OPENSSL_free(penc);
  82. return 0;
  83. }
  84. static int rsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey)
  85. {
  86. const unsigned char *p;
  87. int pklen;
  88. X509_ALGOR *alg;
  89. RSA *rsa = NULL;
  90. if (!X509_PUBKEY_get0_param(NULL, &p, &pklen, &alg, pubkey))
  91. return 0;
  92. if ((rsa = d2i_RSAPublicKey(NULL, &p, pklen)) == NULL) {
  93. RSAerr(RSA_F_RSA_PUB_DECODE, ERR_R_RSA_LIB);
  94. return 0;
  95. }
  96. if (!rsa_param_decode(rsa, alg)) {
  97. RSA_free(rsa);
  98. return 0;
  99. }
  100. EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa);
  101. return 1;
  102. }
  103. static int rsa_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b)
  104. {
  105. if (BN_cmp(b->pkey.rsa->n, a->pkey.rsa->n) != 0
  106. || BN_cmp(b->pkey.rsa->e, a->pkey.rsa->e) != 0)
  107. return 0;
  108. return 1;
  109. }
  110. static int old_rsa_priv_decode(EVP_PKEY *pkey,
  111. const unsigned char **pder, int derlen)
  112. {
  113. RSA *rsa;
  114. if ((rsa = d2i_RSAPrivateKey(NULL, pder, derlen)) == NULL) {
  115. RSAerr(RSA_F_OLD_RSA_PRIV_DECODE, ERR_R_RSA_LIB);
  116. return 0;
  117. }
  118. EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa);
  119. return 1;
  120. }
  121. static int old_rsa_priv_encode(const EVP_PKEY *pkey, unsigned char **pder)
  122. {
  123. return i2d_RSAPrivateKey(pkey->pkey.rsa, pder);
  124. }
  125. static int rsa_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
  126. {
  127. unsigned char *rk = NULL;
  128. int rklen;
  129. ASN1_STRING *str;
  130. int strtype;
  131. if (!rsa_param_encode(pkey, &str, &strtype))
  132. return 0;
  133. rklen = i2d_RSAPrivateKey(pkey->pkey.rsa, &rk);
  134. if (rklen <= 0) {
  135. RSAerr(RSA_F_RSA_PRIV_ENCODE, ERR_R_MALLOC_FAILURE);
  136. ASN1_STRING_free(str);
  137. return 0;
  138. }
  139. if (!PKCS8_pkey_set0(p8, OBJ_nid2obj(pkey->ameth->pkey_id), 0,
  140. strtype, str, rk, rklen)) {
  141. RSAerr(RSA_F_RSA_PRIV_ENCODE, ERR_R_MALLOC_FAILURE);
  142. ASN1_STRING_free(str);
  143. return 0;
  144. }
  145. return 1;
  146. }
  147. static int rsa_priv_decode(EVP_PKEY *pkey, const PKCS8_PRIV_KEY_INFO *p8)
  148. {
  149. const unsigned char *p;
  150. RSA *rsa;
  151. int pklen;
  152. const X509_ALGOR *alg;
  153. if (!PKCS8_pkey_get0(NULL, &p, &pklen, &alg, p8))
  154. return 0;
  155. rsa = d2i_RSAPrivateKey(NULL, &p, pklen);
  156. if (rsa == NULL) {
  157. RSAerr(RSA_F_RSA_PRIV_DECODE, ERR_R_RSA_LIB);
  158. return 0;
  159. }
  160. if (!rsa_param_decode(rsa, alg)) {
  161. RSA_free(rsa);
  162. return 0;
  163. }
  164. EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa);
  165. return 1;
  166. }
  167. static int int_rsa_size(const EVP_PKEY *pkey)
  168. {
  169. return RSA_size(pkey->pkey.rsa);
  170. }
  171. static int rsa_bits(const EVP_PKEY *pkey)
  172. {
  173. return BN_num_bits(pkey->pkey.rsa->n);
  174. }
  175. static int rsa_security_bits(const EVP_PKEY *pkey)
  176. {
  177. return RSA_security_bits(pkey->pkey.rsa);
  178. }
  179. static void int_rsa_free(EVP_PKEY *pkey)
  180. {
  181. RSA_free(pkey->pkey.rsa);
  182. }
  183. static X509_ALGOR *rsa_mgf1_decode(X509_ALGOR *alg)
  184. {
  185. if (OBJ_obj2nid(alg->algorithm) != NID_mgf1)
  186. return NULL;
  187. return ASN1_TYPE_unpack_sequence(ASN1_ITEM_rptr(X509_ALGOR),
  188. alg->parameter);
  189. }
  190. static int rsa_pss_param_print(BIO *bp, int pss_key, RSA_PSS_PARAMS *pss,
  191. int indent)
  192. {
  193. int rv = 0;
  194. X509_ALGOR *maskHash = NULL;
  195. if (!BIO_indent(bp, indent, 128))
  196. goto err;
  197. if (pss_key) {
  198. if (pss == NULL) {
  199. if (BIO_puts(bp, "No PSS parameter restrictions\n") <= 0)
  200. return 0;
  201. return 1;
  202. } else {
  203. if (BIO_puts(bp, "PSS parameter restrictions:") <= 0)
  204. return 0;
  205. }
  206. } else if (pss == NULL) {
  207. if (BIO_puts(bp,"(INVALID PSS PARAMETERS)\n") <= 0)
  208. return 0;
  209. return 1;
  210. }
  211. if (BIO_puts(bp, "\n") <= 0)
  212. goto err;
  213. if (pss_key)
  214. indent += 2;
  215. if (!BIO_indent(bp, indent, 128))
  216. goto err;
  217. if (BIO_puts(bp, "Hash Algorithm: ") <= 0)
  218. goto err;
  219. if (pss->hashAlgorithm) {
  220. if (i2a_ASN1_OBJECT(bp, pss->hashAlgorithm->algorithm) <= 0)
  221. goto err;
  222. } else if (BIO_puts(bp, "sha1 (default)") <= 0) {
  223. goto err;
  224. }
  225. if (BIO_puts(bp, "\n") <= 0)
  226. goto err;
  227. if (!BIO_indent(bp, indent, 128))
  228. goto err;
  229. if (BIO_puts(bp, "Mask Algorithm: ") <= 0)
  230. goto err;
  231. if (pss->maskGenAlgorithm) {
  232. if (i2a_ASN1_OBJECT(bp, pss->maskGenAlgorithm->algorithm) <= 0)
  233. goto err;
  234. if (BIO_puts(bp, " with ") <= 0)
  235. goto err;
  236. maskHash = rsa_mgf1_decode(pss->maskGenAlgorithm);
  237. if (maskHash != NULL) {
  238. if (i2a_ASN1_OBJECT(bp, maskHash->algorithm) <= 0)
  239. goto err;
  240. } else if (BIO_puts(bp, "INVALID") <= 0) {
  241. goto err;
  242. }
  243. } else if (BIO_puts(bp, "mgf1 with sha1 (default)") <= 0) {
  244. goto err;
  245. }
  246. BIO_puts(bp, "\n");
  247. if (!BIO_indent(bp, indent, 128))
  248. goto err;
  249. if (BIO_printf(bp, "%s Salt Length: 0x", pss_key ? "Minimum" : "") <= 0)
  250. goto err;
  251. if (pss->saltLength) {
  252. if (i2a_ASN1_INTEGER(bp, pss->saltLength) <= 0)
  253. goto err;
  254. } else if (BIO_puts(bp, "14 (default)") <= 0) {
  255. goto err;
  256. }
  257. BIO_puts(bp, "\n");
  258. if (!BIO_indent(bp, indent, 128))
  259. goto err;
  260. if (BIO_puts(bp, "Trailer Field: 0x") <= 0)
  261. goto err;
  262. if (pss->trailerField) {
  263. if (i2a_ASN1_INTEGER(bp, pss->trailerField) <= 0)
  264. goto err;
  265. } else if (BIO_puts(bp, "BC (default)") <= 0) {
  266. goto err;
  267. }
  268. BIO_puts(bp, "\n");
  269. rv = 1;
  270. err:
  271. X509_ALGOR_free(maskHash);
  272. return rv;
  273. }
  274. static int pkey_rsa_print(BIO *bp, const EVP_PKEY *pkey, int off, int priv)
  275. {
  276. const RSA *x = pkey->pkey.rsa;
  277. char *str;
  278. const char *s;
  279. int ret = 0, mod_len = 0, ex_primes;
  280. if (x->n != NULL)
  281. mod_len = BN_num_bits(x->n);
  282. ex_primes = sk_RSA_PRIME_INFO_num(x->prime_infos);
  283. if (!BIO_indent(bp, off, 128))
  284. goto err;
  285. if (BIO_printf(bp, "%s ", pkey_is_pss(pkey) ? "RSA-PSS" : "RSA") <= 0)
  286. goto err;
  287. if (priv && x->d) {
  288. if (BIO_printf(bp, "Private-Key: (%d bit, %d primes)\n",
  289. mod_len, ex_primes <= 0 ? 2 : ex_primes + 2) <= 0)
  290. goto err;
  291. str = "modulus:";
  292. s = "publicExponent:";
  293. } else {
  294. if (BIO_printf(bp, "Public-Key: (%d bit)\n", mod_len) <= 0)
  295. goto err;
  296. str = "Modulus:";
  297. s = "Exponent:";
  298. }
  299. if (!ASN1_bn_print(bp, str, x->n, NULL, off))
  300. goto err;
  301. if (!ASN1_bn_print(bp, s, x->e, NULL, off))
  302. goto err;
  303. if (priv) {
  304. int i;
  305. if (!ASN1_bn_print(bp, "privateExponent:", x->d, NULL, off))
  306. goto err;
  307. if (!ASN1_bn_print(bp, "prime1:", x->p, NULL, off))
  308. goto err;
  309. if (!ASN1_bn_print(bp, "prime2:", x->q, NULL, off))
  310. goto err;
  311. if (!ASN1_bn_print(bp, "exponent1:", x->dmp1, NULL, off))
  312. goto err;
  313. if (!ASN1_bn_print(bp, "exponent2:", x->dmq1, NULL, off))
  314. goto err;
  315. if (!ASN1_bn_print(bp, "coefficient:", x->iqmp, NULL, off))
  316. goto err;
  317. for (i = 0; i < sk_RSA_PRIME_INFO_num(x->prime_infos); i++) {
  318. /* print multi-prime info */
  319. BIGNUM *bn = NULL;
  320. RSA_PRIME_INFO *pinfo;
  321. int j;
  322. pinfo = sk_RSA_PRIME_INFO_value(x->prime_infos, i);
  323. for (j = 0; j < 3; j++) {
  324. if (!BIO_indent(bp, off, 128))
  325. goto err;
  326. switch (j) {
  327. case 0:
  328. if (BIO_printf(bp, "prime%d:", i + 3) <= 0)
  329. goto err;
  330. bn = pinfo->r;
  331. break;
  332. case 1:
  333. if (BIO_printf(bp, "exponent%d:", i + 3) <= 0)
  334. goto err;
  335. bn = pinfo->d;
  336. break;
  337. case 2:
  338. if (BIO_printf(bp, "coefficient%d:", i + 3) <= 0)
  339. goto err;
  340. bn = pinfo->t;
  341. break;
  342. default:
  343. break;
  344. }
  345. if (!ASN1_bn_print(bp, "", bn, NULL, off))
  346. goto err;
  347. }
  348. }
  349. }
  350. if (pkey_is_pss(pkey) && !rsa_pss_param_print(bp, 1, x->pss, off))
  351. goto err;
  352. ret = 1;
  353. err:
  354. return ret;
  355. }
  356. static int rsa_pub_print(BIO *bp, const EVP_PKEY *pkey, int indent,
  357. ASN1_PCTX *ctx)
  358. {
  359. return pkey_rsa_print(bp, pkey, indent, 0);
  360. }
  361. static int rsa_priv_print(BIO *bp, const EVP_PKEY *pkey, int indent,
  362. ASN1_PCTX *ctx)
  363. {
  364. return pkey_rsa_print(bp, pkey, indent, 1);
  365. }
  366. static RSA_PSS_PARAMS *rsa_pss_decode(const X509_ALGOR *alg)
  367. {
  368. RSA_PSS_PARAMS *pss;
  369. pss = ASN1_TYPE_unpack_sequence(ASN1_ITEM_rptr(RSA_PSS_PARAMS),
  370. alg->parameter);
  371. if (pss == NULL)
  372. return NULL;
  373. if (pss->maskGenAlgorithm != NULL) {
  374. pss->maskHash = rsa_mgf1_decode(pss->maskGenAlgorithm);
  375. if (pss->maskHash == NULL) {
  376. RSA_PSS_PARAMS_free(pss);
  377. return NULL;
  378. }
  379. }
  380. return pss;
  381. }
  382. static int rsa_sig_print(BIO *bp, const X509_ALGOR *sigalg,
  383. const ASN1_STRING *sig, int indent, ASN1_PCTX *pctx)
  384. {
  385. if (OBJ_obj2nid(sigalg->algorithm) == EVP_PKEY_RSA_PSS) {
  386. int rv;
  387. RSA_PSS_PARAMS *pss = rsa_pss_decode(sigalg);
  388. rv = rsa_pss_param_print(bp, 0, pss, indent);
  389. RSA_PSS_PARAMS_free(pss);
  390. if (!rv)
  391. return 0;
  392. } else if (!sig && BIO_puts(bp, "\n") <= 0) {
  393. return 0;
  394. }
  395. if (sig)
  396. return X509_signature_dump(bp, sig, indent);
  397. return 1;
  398. }
  399. static int rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
  400. {
  401. X509_ALGOR *alg = NULL;
  402. switch (op) {
  403. case ASN1_PKEY_CTRL_PKCS7_SIGN:
  404. if (arg1 == 0)
  405. PKCS7_SIGNER_INFO_get0_algs(arg2, NULL, NULL, &alg);
  406. break;
  407. case ASN1_PKEY_CTRL_PKCS7_ENCRYPT:
  408. if (pkey_is_pss(pkey))
  409. return -2;
  410. if (arg1 == 0)
  411. PKCS7_RECIP_INFO_get0_alg(arg2, &alg);
  412. break;
  413. #ifndef OPENSSL_NO_CMS
  414. case ASN1_PKEY_CTRL_CMS_SIGN:
  415. if (arg1 == 0)
  416. return rsa_cms_sign(arg2);
  417. else if (arg1 == 1)
  418. return rsa_cms_verify(arg2);
  419. break;
  420. case ASN1_PKEY_CTRL_CMS_ENVELOPE:
  421. if (pkey_is_pss(pkey))
  422. return -2;
  423. if (arg1 == 0)
  424. return rsa_cms_encrypt(arg2);
  425. else if (arg1 == 1)
  426. return rsa_cms_decrypt(arg2);
  427. break;
  428. case ASN1_PKEY_CTRL_CMS_RI_TYPE:
  429. if (pkey_is_pss(pkey))
  430. return -2;
  431. *(int *)arg2 = CMS_RECIPINFO_TRANS;
  432. return 1;
  433. #endif
  434. case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
  435. *(int *)arg2 = NID_sha256;
  436. return 1;
  437. default:
  438. return -2;
  439. }
  440. if (alg)
  441. X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption), V_ASN1_NULL, 0);
  442. return 1;
  443. }
  444. /* allocate and set algorithm ID from EVP_MD, default SHA1 */
  445. static int rsa_md_to_algor(X509_ALGOR **palg, const EVP_MD *md)
  446. {
  447. if (md == NULL || EVP_MD_type(md) == NID_sha1)
  448. return 1;
  449. *palg = X509_ALGOR_new();
  450. if (*palg == NULL)
  451. return 0;
  452. X509_ALGOR_set_md(*palg, md);
  453. return 1;
  454. }
  455. /* Allocate and set MGF1 algorithm ID from EVP_MD */
  456. static int rsa_md_to_mgf1(X509_ALGOR **palg, const EVP_MD *mgf1md)
  457. {
  458. X509_ALGOR *algtmp = NULL;
  459. ASN1_STRING *stmp = NULL;
  460. *palg = NULL;
  461. if (mgf1md == NULL || EVP_MD_type(mgf1md) == NID_sha1)
  462. return 1;
  463. /* need to embed algorithm ID inside another */
  464. if (!rsa_md_to_algor(&algtmp, mgf1md))
  465. goto err;
  466. if (ASN1_item_pack(algtmp, ASN1_ITEM_rptr(X509_ALGOR), &stmp) == NULL)
  467. goto err;
  468. *palg = X509_ALGOR_new();
  469. if (*palg == NULL)
  470. goto err;
  471. X509_ALGOR_set0(*palg, OBJ_nid2obj(NID_mgf1), V_ASN1_SEQUENCE, stmp);
  472. stmp = NULL;
  473. err:
  474. ASN1_STRING_free(stmp);
  475. X509_ALGOR_free(algtmp);
  476. if (*palg)
  477. return 1;
  478. return 0;
  479. }
  480. /* convert algorithm ID to EVP_MD, default SHA1 */
  481. static const EVP_MD *rsa_algor_to_md(X509_ALGOR *alg)
  482. {
  483. const EVP_MD *md;
  484. if (!alg)
  485. return EVP_sha1();
  486. md = EVP_get_digestbyobj(alg->algorithm);
  487. if (md == NULL)
  488. RSAerr(RSA_F_RSA_ALGOR_TO_MD, RSA_R_UNKNOWN_DIGEST);
  489. return md;
  490. }
  491. /*
  492. * Convert EVP_PKEY_CTX in PSS mode into corresponding algorithm parameter,
  493. * suitable for setting an AlgorithmIdentifier.
  494. */
  495. static RSA_PSS_PARAMS *rsa_ctx_to_pss(EVP_PKEY_CTX *pkctx)
  496. {
  497. const EVP_MD *sigmd, *mgf1md;
  498. EVP_PKEY *pk = EVP_PKEY_CTX_get0_pkey(pkctx);
  499. int saltlen;
  500. if (EVP_PKEY_CTX_get_signature_md(pkctx, &sigmd) <= 0)
  501. return NULL;
  502. if (EVP_PKEY_CTX_get_rsa_mgf1_md(pkctx, &mgf1md) <= 0)
  503. return NULL;
  504. if (!EVP_PKEY_CTX_get_rsa_pss_saltlen(pkctx, &saltlen))
  505. return NULL;
  506. if (saltlen == -1) {
  507. saltlen = EVP_MD_size(sigmd);
  508. } else if (saltlen == -2) {
  509. saltlen = EVP_PKEY_size(pk) - EVP_MD_size(sigmd) - 2;
  510. if ((EVP_PKEY_bits(pk) & 0x7) == 1)
  511. saltlen--;
  512. }
  513. return rsa_pss_params_create(sigmd, mgf1md, saltlen);
  514. }
  515. RSA_PSS_PARAMS *rsa_pss_params_create(const EVP_MD *sigmd,
  516. const EVP_MD *mgf1md, int saltlen)
  517. {
  518. RSA_PSS_PARAMS *pss = RSA_PSS_PARAMS_new();
  519. if (pss == NULL)
  520. goto err;
  521. if (saltlen != 20) {
  522. pss->saltLength = ASN1_INTEGER_new();
  523. if (pss->saltLength == NULL)
  524. goto err;
  525. if (!ASN1_INTEGER_set(pss->saltLength, saltlen))
  526. goto err;
  527. }
  528. if (!rsa_md_to_algor(&pss->hashAlgorithm, sigmd))
  529. goto err;
  530. if (mgf1md == NULL)
  531. mgf1md = sigmd;
  532. if (!rsa_md_to_mgf1(&pss->maskGenAlgorithm, mgf1md))
  533. goto err;
  534. if (!rsa_md_to_algor(&pss->maskHash, mgf1md))
  535. goto err;
  536. return pss;
  537. err:
  538. RSA_PSS_PARAMS_free(pss);
  539. return NULL;
  540. }
  541. static ASN1_STRING *rsa_ctx_to_pss_string(EVP_PKEY_CTX *pkctx)
  542. {
  543. RSA_PSS_PARAMS *pss = rsa_ctx_to_pss(pkctx);
  544. ASN1_STRING *os;
  545. if (pss == NULL)
  546. return NULL;
  547. os = ASN1_item_pack(pss, ASN1_ITEM_rptr(RSA_PSS_PARAMS), NULL);
  548. RSA_PSS_PARAMS_free(pss);
  549. return os;
  550. }
  551. /*
  552. * From PSS AlgorithmIdentifier set public key parameters. If pkey isn't NULL
  553. * then the EVP_MD_CTX is setup and initialised. If it is NULL parameters are
  554. * passed to pkctx instead.
  555. */
  556. static int rsa_pss_to_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pkctx,
  557. X509_ALGOR *sigalg, EVP_PKEY *pkey)
  558. {
  559. int rv = -1;
  560. int saltlen;
  561. const EVP_MD *mgf1md = NULL, *md = NULL;
  562. RSA_PSS_PARAMS *pss;
  563. /* Sanity check: make sure it is PSS */
  564. if (OBJ_obj2nid(sigalg->algorithm) != EVP_PKEY_RSA_PSS) {
  565. RSAerr(RSA_F_RSA_PSS_TO_CTX, RSA_R_UNSUPPORTED_SIGNATURE_TYPE);
  566. return -1;
  567. }
  568. /* Decode PSS parameters */
  569. pss = rsa_pss_decode(sigalg);
  570. if (!rsa_pss_get_param(pss, &md, &mgf1md, &saltlen)) {
  571. RSAerr(RSA_F_RSA_PSS_TO_CTX, RSA_R_INVALID_PSS_PARAMETERS);
  572. goto err;
  573. }
  574. /* We have all parameters now set up context */
  575. if (pkey) {
  576. if (!EVP_DigestVerifyInit(ctx, &pkctx, md, NULL, pkey))
  577. goto err;
  578. } else {
  579. const EVP_MD *checkmd;
  580. if (EVP_PKEY_CTX_get_signature_md(pkctx, &checkmd) <= 0)
  581. goto err;
  582. if (EVP_MD_type(md) != EVP_MD_type(checkmd)) {
  583. RSAerr(RSA_F_RSA_PSS_TO_CTX, RSA_R_DIGEST_DOES_NOT_MATCH);
  584. goto err;
  585. }
  586. }
  587. if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_PSS_PADDING) <= 0)
  588. goto err;
  589. if (EVP_PKEY_CTX_set_rsa_pss_saltlen(pkctx, saltlen) <= 0)
  590. goto err;
  591. if (EVP_PKEY_CTX_set_rsa_mgf1_md(pkctx, mgf1md) <= 0)
  592. goto err;
  593. /* Carry on */
  594. rv = 1;
  595. err:
  596. RSA_PSS_PARAMS_free(pss);
  597. return rv;
  598. }
  599. int rsa_pss_get_param(const RSA_PSS_PARAMS *pss, const EVP_MD **pmd,
  600. const EVP_MD **pmgf1md, int *psaltlen)
  601. {
  602. if (pss == NULL)
  603. return 0;
  604. *pmd = rsa_algor_to_md(pss->hashAlgorithm);
  605. if (*pmd == NULL)
  606. return 0;
  607. *pmgf1md = rsa_algor_to_md(pss->maskHash);
  608. if (*pmgf1md == NULL)
  609. return 0;
  610. if (pss->saltLength) {
  611. *psaltlen = ASN1_INTEGER_get(pss->saltLength);
  612. if (*psaltlen < 0) {
  613. RSAerr(RSA_F_RSA_PSS_GET_PARAM, RSA_R_INVALID_SALT_LENGTH);
  614. return 0;
  615. }
  616. } else {
  617. *psaltlen = 20;
  618. }
  619. /*
  620. * low-level routines support only trailer field 0xbc (value 1) and
  621. * PKCS#1 says we should reject any other value anyway.
  622. */
  623. if (pss->trailerField && ASN1_INTEGER_get(pss->trailerField) != 1) {
  624. RSAerr(RSA_F_RSA_PSS_GET_PARAM, RSA_R_INVALID_TRAILER);
  625. return 0;
  626. }
  627. return 1;
  628. }
  629. #ifndef OPENSSL_NO_CMS
  630. static int rsa_cms_verify(CMS_SignerInfo *si)
  631. {
  632. int nid, nid2;
  633. X509_ALGOR *alg;
  634. EVP_PKEY_CTX *pkctx = CMS_SignerInfo_get0_pkey_ctx(si);
  635. CMS_SignerInfo_get0_algs(si, NULL, NULL, NULL, &alg);
  636. nid = OBJ_obj2nid(alg->algorithm);
  637. if (nid == EVP_PKEY_RSA_PSS)
  638. return rsa_pss_to_ctx(NULL, pkctx, alg, NULL);
  639. /* Only PSS allowed for PSS keys */
  640. if (pkey_ctx_is_pss(pkctx)) {
  641. RSAerr(RSA_F_RSA_CMS_VERIFY, RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
  642. return 0;
  643. }
  644. if (nid == NID_rsaEncryption)
  645. return 1;
  646. /* Workaround for some implementation that use a signature OID */
  647. if (OBJ_find_sigid_algs(nid, NULL, &nid2)) {
  648. if (nid2 == NID_rsaEncryption)
  649. return 1;
  650. }
  651. return 0;
  652. }
  653. #endif
  654. /*
  655. * Customised RSA item verification routine. This is called when a signature
  656. * is encountered requiring special handling. We currently only handle PSS.
  657. */
  658. static int rsa_item_verify(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
  659. X509_ALGOR *sigalg, ASN1_BIT_STRING *sig,
  660. EVP_PKEY *pkey)
  661. {
  662. /* Sanity check: make sure it is PSS */
  663. if (OBJ_obj2nid(sigalg->algorithm) != EVP_PKEY_RSA_PSS) {
  664. RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_UNSUPPORTED_SIGNATURE_TYPE);
  665. return -1;
  666. }
  667. if (rsa_pss_to_ctx(ctx, NULL, sigalg, pkey) > 0) {
  668. /* Carry on */
  669. return 2;
  670. }
  671. return -1;
  672. }
  673. #ifndef OPENSSL_NO_CMS
  674. static int rsa_cms_sign(CMS_SignerInfo *si)
  675. {
  676. int pad_mode = RSA_PKCS1_PADDING;
  677. X509_ALGOR *alg;
  678. EVP_PKEY_CTX *pkctx = CMS_SignerInfo_get0_pkey_ctx(si);
  679. ASN1_STRING *os = NULL;
  680. CMS_SignerInfo_get0_algs(si, NULL, NULL, NULL, &alg);
  681. if (pkctx) {
  682. if (EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode) <= 0)
  683. return 0;
  684. }
  685. if (pad_mode == RSA_PKCS1_PADDING) {
  686. X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption), V_ASN1_NULL, 0);
  687. return 1;
  688. }
  689. /* We don't support it */
  690. if (pad_mode != RSA_PKCS1_PSS_PADDING)
  691. return 0;
  692. os = rsa_ctx_to_pss_string(pkctx);
  693. if (!os)
  694. return 0;
  695. X509_ALGOR_set0(alg, OBJ_nid2obj(EVP_PKEY_RSA_PSS), V_ASN1_SEQUENCE, os);
  696. return 1;
  697. }
  698. #endif
  699. static int rsa_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
  700. X509_ALGOR *alg1, X509_ALGOR *alg2,
  701. ASN1_BIT_STRING *sig)
  702. {
  703. int pad_mode;
  704. EVP_PKEY_CTX *pkctx = EVP_MD_CTX_pkey_ctx(ctx);
  705. if (EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode) <= 0)
  706. return 0;
  707. if (pad_mode == RSA_PKCS1_PADDING)
  708. return 2;
  709. if (pad_mode == RSA_PKCS1_PSS_PADDING) {
  710. ASN1_STRING *os1 = NULL;
  711. os1 = rsa_ctx_to_pss_string(pkctx);
  712. if (!os1)
  713. return 0;
  714. /* Duplicate parameters if we have to */
  715. if (alg2) {
  716. ASN1_STRING *os2 = ASN1_STRING_dup(os1);
  717. if (!os2) {
  718. ASN1_STRING_free(os1);
  719. return 0;
  720. }
  721. X509_ALGOR_set0(alg2, OBJ_nid2obj(EVP_PKEY_RSA_PSS),
  722. V_ASN1_SEQUENCE, os2);
  723. }
  724. X509_ALGOR_set0(alg1, OBJ_nid2obj(EVP_PKEY_RSA_PSS),
  725. V_ASN1_SEQUENCE, os1);
  726. return 3;
  727. }
  728. return 2;
  729. }
  730. static int rsa_sig_info_set(X509_SIG_INFO *siginf, const X509_ALGOR *sigalg,
  731. const ASN1_STRING *sig)
  732. {
  733. int rv = 0;
  734. int mdnid, saltlen;
  735. uint32_t flags;
  736. const EVP_MD *mgf1md = NULL, *md = NULL;
  737. RSA_PSS_PARAMS *pss;
  738. /* Sanity check: make sure it is PSS */
  739. if (OBJ_obj2nid(sigalg->algorithm) != EVP_PKEY_RSA_PSS)
  740. return 0;
  741. /* Decode PSS parameters */
  742. pss = rsa_pss_decode(sigalg);
  743. if (!rsa_pss_get_param(pss, &md, &mgf1md, &saltlen))
  744. goto err;
  745. mdnid = EVP_MD_type(md);
  746. /*
  747. * For TLS need SHA256, SHA384 or SHA512, digest and MGF1 digest must
  748. * match and salt length must equal digest size
  749. */
  750. if ((mdnid == NID_sha256 || mdnid == NID_sha384 || mdnid == NID_sha512)
  751. && mdnid == EVP_MD_type(mgf1md) && saltlen == EVP_MD_size(md))
  752. flags = X509_SIG_INFO_TLS;
  753. else
  754. flags = 0;
  755. /* Note: security bits half number of digest bits */
  756. X509_SIG_INFO_set(siginf, mdnid, EVP_PKEY_RSA_PSS, EVP_MD_size(md) * 4,
  757. flags);
  758. rv = 1;
  759. err:
  760. RSA_PSS_PARAMS_free(pss);
  761. return rv;
  762. }
  763. #ifndef OPENSSL_NO_CMS
  764. static RSA_OAEP_PARAMS *rsa_oaep_decode(const X509_ALGOR *alg)
  765. {
  766. RSA_OAEP_PARAMS *oaep;
  767. oaep = ASN1_TYPE_unpack_sequence(ASN1_ITEM_rptr(RSA_OAEP_PARAMS),
  768. alg->parameter);
  769. if (oaep == NULL)
  770. return NULL;
  771. if (oaep->maskGenFunc != NULL) {
  772. oaep->maskHash = rsa_mgf1_decode(oaep->maskGenFunc);
  773. if (oaep->maskHash == NULL) {
  774. RSA_OAEP_PARAMS_free(oaep);
  775. return NULL;
  776. }
  777. }
  778. return oaep;
  779. }
  780. static int rsa_cms_decrypt(CMS_RecipientInfo *ri)
  781. {
  782. EVP_PKEY_CTX *pkctx;
  783. X509_ALGOR *cmsalg;
  784. int nid;
  785. int rv = -1;
  786. unsigned char *label = NULL;
  787. int labellen = 0;
  788. const EVP_MD *mgf1md = NULL, *md = NULL;
  789. RSA_OAEP_PARAMS *oaep;
  790. pkctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
  791. if (pkctx == NULL)
  792. return 0;
  793. if (!CMS_RecipientInfo_ktri_get0_algs(ri, NULL, NULL, &cmsalg))
  794. return -1;
  795. nid = OBJ_obj2nid(cmsalg->algorithm);
  796. if (nid == NID_rsaEncryption)
  797. return 1;
  798. if (nid != NID_rsaesOaep) {
  799. RSAerr(RSA_F_RSA_CMS_DECRYPT, RSA_R_UNSUPPORTED_ENCRYPTION_TYPE);
  800. return -1;
  801. }
  802. /* Decode OAEP parameters */
  803. oaep = rsa_oaep_decode(cmsalg);
  804. if (oaep == NULL) {
  805. RSAerr(RSA_F_RSA_CMS_DECRYPT, RSA_R_INVALID_OAEP_PARAMETERS);
  806. goto err;
  807. }
  808. mgf1md = rsa_algor_to_md(oaep->maskHash);
  809. if (mgf1md == NULL)
  810. goto err;
  811. md = rsa_algor_to_md(oaep->hashFunc);
  812. if (md == NULL)
  813. goto err;
  814. if (oaep->pSourceFunc != NULL) {
  815. X509_ALGOR *plab = oaep->pSourceFunc;
  816. if (OBJ_obj2nid(plab->algorithm) != NID_pSpecified) {
  817. RSAerr(RSA_F_RSA_CMS_DECRYPT, RSA_R_UNSUPPORTED_LABEL_SOURCE);
  818. goto err;
  819. }
  820. if (plab->parameter->type != V_ASN1_OCTET_STRING) {
  821. RSAerr(RSA_F_RSA_CMS_DECRYPT, RSA_R_INVALID_LABEL);
  822. goto err;
  823. }
  824. label = plab->parameter->value.octet_string->data;
  825. /* Stop label being freed when OAEP parameters are freed */
  826. plab->parameter->value.octet_string->data = NULL;
  827. labellen = plab->parameter->value.octet_string->length;
  828. }
  829. if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_OAEP_PADDING) <= 0)
  830. goto err;
  831. if (EVP_PKEY_CTX_set_rsa_oaep_md(pkctx, md) <= 0)
  832. goto err;
  833. if (EVP_PKEY_CTX_set_rsa_mgf1_md(pkctx, mgf1md) <= 0)
  834. goto err;
  835. if (EVP_PKEY_CTX_set0_rsa_oaep_label(pkctx, label, labellen) <= 0)
  836. goto err;
  837. /* Carry on */
  838. rv = 1;
  839. err:
  840. RSA_OAEP_PARAMS_free(oaep);
  841. return rv;
  842. }
  843. static int rsa_cms_encrypt(CMS_RecipientInfo *ri)
  844. {
  845. const EVP_MD *md, *mgf1md;
  846. RSA_OAEP_PARAMS *oaep = NULL;
  847. ASN1_STRING *os = NULL;
  848. X509_ALGOR *alg;
  849. EVP_PKEY_CTX *pkctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
  850. int pad_mode = RSA_PKCS1_PADDING, rv = 0, labellen;
  851. unsigned char *label;
  852. if (CMS_RecipientInfo_ktri_get0_algs(ri, NULL, NULL, &alg) <= 0)
  853. return 0;
  854. if (pkctx) {
  855. if (EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode) <= 0)
  856. return 0;
  857. }
  858. if (pad_mode == RSA_PKCS1_PADDING) {
  859. X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption), V_ASN1_NULL, 0);
  860. return 1;
  861. }
  862. /* Not supported */
  863. if (pad_mode != RSA_PKCS1_OAEP_PADDING)
  864. return 0;
  865. if (EVP_PKEY_CTX_get_rsa_oaep_md(pkctx, &md) <= 0)
  866. goto err;
  867. if (EVP_PKEY_CTX_get_rsa_mgf1_md(pkctx, &mgf1md) <= 0)
  868. goto err;
  869. labellen = EVP_PKEY_CTX_get0_rsa_oaep_label(pkctx, &label);
  870. if (labellen < 0)
  871. goto err;
  872. oaep = RSA_OAEP_PARAMS_new();
  873. if (oaep == NULL)
  874. goto err;
  875. if (!rsa_md_to_algor(&oaep->hashFunc, md))
  876. goto err;
  877. if (!rsa_md_to_mgf1(&oaep->maskGenFunc, mgf1md))
  878. goto err;
  879. if (labellen > 0) {
  880. ASN1_OCTET_STRING *los;
  881. oaep->pSourceFunc = X509_ALGOR_new();
  882. if (oaep->pSourceFunc == NULL)
  883. goto err;
  884. los = ASN1_OCTET_STRING_new();
  885. if (los == NULL)
  886. goto err;
  887. if (!ASN1_OCTET_STRING_set(los, label, labellen)) {
  888. ASN1_OCTET_STRING_free(los);
  889. goto err;
  890. }
  891. X509_ALGOR_set0(oaep->pSourceFunc, OBJ_nid2obj(NID_pSpecified),
  892. V_ASN1_OCTET_STRING, los);
  893. }
  894. /* create string with pss parameter encoding. */
  895. if (!ASN1_item_pack(oaep, ASN1_ITEM_rptr(RSA_OAEP_PARAMS), &os))
  896. goto err;
  897. X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaesOaep), V_ASN1_SEQUENCE, os);
  898. os = NULL;
  899. rv = 1;
  900. err:
  901. RSA_OAEP_PARAMS_free(oaep);
  902. ASN1_STRING_free(os);
  903. return rv;
  904. }
  905. #endif
  906. static int rsa_pkey_check(const EVP_PKEY *pkey)
  907. {
  908. return RSA_check_key_ex(pkey->pkey.rsa, NULL);
  909. }
  910. const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[2] = {
  911. {
  912. EVP_PKEY_RSA,
  913. EVP_PKEY_RSA,
  914. ASN1_PKEY_SIGPARAM_NULL,
  915. "RSA",
  916. "OpenSSL RSA method",
  917. rsa_pub_decode,
  918. rsa_pub_encode,
  919. rsa_pub_cmp,
  920. rsa_pub_print,
  921. rsa_priv_decode,
  922. rsa_priv_encode,
  923. rsa_priv_print,
  924. int_rsa_size,
  925. rsa_bits,
  926. rsa_security_bits,
  927. 0, 0, 0, 0, 0, 0,
  928. rsa_sig_print,
  929. int_rsa_free,
  930. rsa_pkey_ctrl,
  931. old_rsa_priv_decode,
  932. old_rsa_priv_encode,
  933. rsa_item_verify,
  934. rsa_item_sign,
  935. rsa_sig_info_set,
  936. rsa_pkey_check
  937. },
  938. {
  939. EVP_PKEY_RSA2,
  940. EVP_PKEY_RSA,
  941. ASN1_PKEY_ALIAS}
  942. };
  943. const EVP_PKEY_ASN1_METHOD rsa_pss_asn1_meth = {
  944. EVP_PKEY_RSA_PSS,
  945. EVP_PKEY_RSA_PSS,
  946. ASN1_PKEY_SIGPARAM_NULL,
  947. "RSA-PSS",
  948. "OpenSSL RSA-PSS method",
  949. rsa_pub_decode,
  950. rsa_pub_encode,
  951. rsa_pub_cmp,
  952. rsa_pub_print,
  953. rsa_priv_decode,
  954. rsa_priv_encode,
  955. rsa_priv_print,
  956. int_rsa_size,
  957. rsa_bits,
  958. rsa_security_bits,
  959. 0, 0, 0, 0, 0, 0,
  960. rsa_sig_print,
  961. int_rsa_free,
  962. rsa_pkey_ctrl,
  963. 0, 0,
  964. rsa_item_verify,
  965. rsa_item_sign,
  966. 0,
  967. rsa_pkey_check
  968. };