asn1_dsa.c 7.4 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252
  1. /*
  2. * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. /*
  10. * A simple ASN.1 DER encoder/decoder for DSA-Sig-Value and ECDSA-Sig-Value.
  11. *
  12. * DSA-Sig-Value ::= SEQUENCE {
  13. * r INTEGER,
  14. * s INTEGER
  15. * }
  16. *
  17. * ECDSA-Sig-Value ::= SEQUENCE {
  18. * r INTEGER,
  19. * s INTEGER
  20. * }
  21. */
  22. #include <openssl/crypto.h>
  23. #include <openssl/bn.h>
  24. #include "crypto/asn1_dsa.h"
  25. #include "internal/packet.h"
  26. #define ID_SEQUENCE 0x30
  27. #define ID_INTEGER 0x02
  28. /*
  29. * Outputs the encoding of the length octets for a DER value with a content
  30. * length of cont_len bytes to pkt. The maximum supported content length is
  31. * 65535 (0xffff) bytes.
  32. *
  33. * Returns 1 on success or 0 on error.
  34. */
  35. int ossl_encode_der_length(WPACKET *pkt, size_t cont_len)
  36. {
  37. if (cont_len > 0xffff)
  38. return 0; /* Too large for supported length encodings */
  39. if (cont_len > 0xff) {
  40. if (!WPACKET_put_bytes_u8(pkt, 0x82)
  41. || !WPACKET_put_bytes_u16(pkt, cont_len))
  42. return 0;
  43. } else {
  44. if (cont_len > 0x7f
  45. && !WPACKET_put_bytes_u8(pkt, 0x81))
  46. return 0;
  47. if (!WPACKET_put_bytes_u8(pkt, cont_len))
  48. return 0;
  49. }
  50. return 1;
  51. }
  52. /*
  53. * Outputs the DER encoding of a positive ASN.1 INTEGER to pkt.
  54. *
  55. * Results in an error if n is negative or too large.
  56. *
  57. * Returns 1 on success or 0 on error.
  58. */
  59. int ossl_encode_der_integer(WPACKET *pkt, const BIGNUM *n)
  60. {
  61. unsigned char *bnbytes;
  62. size_t cont_len;
  63. if (BN_is_negative(n))
  64. return 0;
  65. /*
  66. * Calculate the ASN.1 INTEGER DER content length for n.
  67. * This is the number of whole bytes required to represent n (i.e. rounded
  68. * down), plus one.
  69. * If n is zero then the content is a single zero byte (length = 1).
  70. * If the number of bits of n is a multiple of 8 then an extra zero padding
  71. * byte is included to ensure that the value is still treated as positive
  72. * in the INTEGER two's complement representation.
  73. */
  74. cont_len = BN_num_bits(n) / 8 + 1;
  75. if (!WPACKET_start_sub_packet(pkt)
  76. || !WPACKET_put_bytes_u8(pkt, ID_INTEGER)
  77. || !ossl_encode_der_length(pkt, cont_len)
  78. || !WPACKET_allocate_bytes(pkt, cont_len, &bnbytes)
  79. || !WPACKET_close(pkt))
  80. return 0;
  81. if (bnbytes != NULL
  82. && BN_bn2binpad(n, bnbytes, (int)cont_len) != (int)cont_len)
  83. return 0;
  84. return 1;
  85. }
  86. /*
  87. * Outputs the DER encoding of a DSA-Sig-Value or ECDSA-Sig-Value to pkt. pkt
  88. * may be initialised with a NULL buffer which enables pkt to be used to
  89. * calculate how many bytes would be needed.
  90. *
  91. * Returns 1 on success or 0 on error.
  92. */
  93. int ossl_encode_der_dsa_sig(WPACKET *pkt, const BIGNUM *r, const BIGNUM *s)
  94. {
  95. WPACKET tmppkt, *dummypkt;
  96. size_t cont_len;
  97. int isnull = WPACKET_is_null_buf(pkt);
  98. if (!WPACKET_start_sub_packet(pkt))
  99. return 0;
  100. if (!isnull) {
  101. if (!WPACKET_init_null(&tmppkt, 0))
  102. return 0;
  103. dummypkt = &tmppkt;
  104. } else {
  105. /* If the input packet has a NULL buffer, we don't need a dummy packet */
  106. dummypkt = pkt;
  107. }
  108. /* Calculate the content length */
  109. if (!ossl_encode_der_integer(dummypkt, r)
  110. || !ossl_encode_der_integer(dummypkt, s)
  111. || !WPACKET_get_length(dummypkt, &cont_len)
  112. || (!isnull && !WPACKET_finish(dummypkt))) {
  113. if (!isnull)
  114. WPACKET_cleanup(dummypkt);
  115. return 0;
  116. }
  117. /* Add the tag and length bytes */
  118. if (!WPACKET_put_bytes_u8(pkt, ID_SEQUENCE)
  119. || !ossl_encode_der_length(pkt, cont_len)
  120. /*
  121. * Really encode the integers. We already wrote to the main pkt
  122. * if it had a NULL buffer, so don't do it again
  123. */
  124. || (!isnull && !ossl_encode_der_integer(pkt, r))
  125. || (!isnull && !ossl_encode_der_integer(pkt, s))
  126. || !WPACKET_close(pkt))
  127. return 0;
  128. return 1;
  129. }
  130. /*
  131. * Decodes the DER length octets in pkt and initialises subpkt with the
  132. * following bytes of that length.
  133. *
  134. * Returns 1 on success or 0 on failure.
  135. */
  136. int ossl_decode_der_length(PACKET *pkt, PACKET *subpkt)
  137. {
  138. unsigned int byte;
  139. if (!PACKET_get_1(pkt, &byte))
  140. return 0;
  141. if (byte < 0x80)
  142. return PACKET_get_sub_packet(pkt, subpkt, (size_t)byte);
  143. if (byte == 0x81)
  144. return PACKET_get_length_prefixed_1(pkt, subpkt);
  145. if (byte == 0x82)
  146. return PACKET_get_length_prefixed_2(pkt, subpkt);
  147. /* Too large, invalid, or not DER. */
  148. return 0;
  149. }
  150. /*
  151. * Decodes a single ASN.1 INTEGER value from pkt, which must be DER encoded,
  152. * and updates n with the decoded value.
  153. *
  154. * The BIGNUM, n, must have already been allocated by calling BN_new().
  155. * pkt must not be NULL.
  156. *
  157. * An attempt to consume more than len bytes results in an error.
  158. * Returns 1 on success or 0 on error.
  159. *
  160. * If the PACKET is supposed to only contain a single INTEGER value with no
  161. * trailing garbage then it is up to the caller to verify that all bytes
  162. * were consumed.
  163. */
  164. int ossl_decode_der_integer(PACKET *pkt, BIGNUM *n)
  165. {
  166. PACKET contpkt, tmppkt;
  167. unsigned int tag, tmp;
  168. /* Check we have an integer and get the content bytes */
  169. if (!PACKET_get_1(pkt, &tag)
  170. || tag != ID_INTEGER
  171. || !ossl_decode_der_length(pkt, &contpkt))
  172. return 0;
  173. /* Peek ahead at the first bytes to check for proper encoding */
  174. tmppkt = contpkt;
  175. /* The INTEGER must be positive */
  176. if (!PACKET_get_1(&tmppkt, &tmp)
  177. || (tmp & 0x80) != 0)
  178. return 0;
  179. /* If there a zero padding byte the next byte must have the msb set */
  180. if (PACKET_remaining(&tmppkt) > 0 && tmp == 0) {
  181. if (!PACKET_get_1(&tmppkt, &tmp)
  182. || (tmp & 0x80) == 0)
  183. return 0;
  184. }
  185. if (BN_bin2bn(PACKET_data(&contpkt),
  186. (int)PACKET_remaining(&contpkt), n) == NULL)
  187. return 0;
  188. return 1;
  189. }
  190. /*
  191. * Decodes a single DSA-Sig-Value or ECDSA-Sig-Value from *ppin, which must be
  192. * DER encoded, updates r and s with the decoded values, and increments *ppin
  193. * past the data that was consumed.
  194. *
  195. * The BIGNUMs, r and s, must have already been allocated by calls to BN_new().
  196. * ppin and *ppin must not be NULL.
  197. *
  198. * An attempt to consume more than len bytes results in an error.
  199. * Returns the number of bytes of input consumed or 0 if an error occurs.
  200. *
  201. * If the buffer is supposed to only contain a single [EC]DSA-Sig-Value with no
  202. * trailing garbage then it is up to the caller to verify that all bytes
  203. * were consumed.
  204. */
  205. size_t ossl_decode_der_dsa_sig(BIGNUM *r, BIGNUM *s,
  206. const unsigned char **ppin, size_t len)
  207. {
  208. size_t consumed;
  209. PACKET pkt, contpkt;
  210. unsigned int tag;
  211. if (!PACKET_buf_init(&pkt, *ppin, len)
  212. || !PACKET_get_1(&pkt, &tag)
  213. || tag != ID_SEQUENCE
  214. || !ossl_decode_der_length(&pkt, &contpkt)
  215. || !ossl_decode_der_integer(&contpkt, r)
  216. || !ossl_decode_der_integer(&contpkt, s)
  217. || PACKET_remaining(&contpkt) != 0)
  218. return 0;
  219. consumed = PACKET_data(&pkt) - *ppin;
  220. *ppin += consumed;
  221. return consumed;
  222. }