der_rsa_key.c 16 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400
  1. /*
  2. * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. /*
  10. * RSA low level APIs are deprecated for public use, but still ok for
  11. * internal use.
  12. */
  13. #include "internal/deprecated.h"
  14. #include <openssl/obj_mac.h>
  15. #include "internal/cryptlib.h"
  16. #include "prov/der_rsa.h"
  17. #include "prov/der_digests.h"
  18. /* More complex pre-compiled sequences. */
  19. /*-
  20. * From https://tools.ietf.org/html/rfc8017#appendix-A.2.1
  21. *
  22. * OAEP-PSSDigestAlgorithms ALGORITHM-IDENTIFIER ::= {
  23. * { OID id-sha1 PARAMETERS NULL }|
  24. * { OID id-sha224 PARAMETERS NULL }|
  25. * { OID id-sha256 PARAMETERS NULL }|
  26. * { OID id-sha384 PARAMETERS NULL }|
  27. * { OID id-sha512 PARAMETERS NULL }|
  28. * { OID id-sha512-224 PARAMETERS NULL }|
  29. * { OID id-sha512-256 PARAMETERS NULL },
  30. * ... -- Allows for future expansion --
  31. * }
  32. */
  33. #define DER_V_NULL DER_P_NULL, 0
  34. #define DER_SZ_NULL 2
  35. /*
  36. * The names for the hash function AlgorithmIdentifiers are borrowed and
  37. * expanded from https://tools.ietf.org/html/rfc4055#section-2.1
  38. *
  39. * sha1Identifier AlgorithmIdentifier ::= { id-sha1, NULL }
  40. * sha224Identifier AlgorithmIdentifier ::= { id-sha224, NULL }
  41. * sha256Identifier AlgorithmIdentifier ::= { id-sha256, NULL }
  42. * sha384Identifier AlgorithmIdentifier ::= { id-sha384, NULL }
  43. * sha512Identifier AlgorithmIdentifier ::= { id-sha512, NULL }
  44. */
  45. /*
  46. * NOTE: Some of the arrays aren't used other than inside sizeof(), which
  47. * clang complains about (-Wno-unneeded-internal-declaration). To get
  48. * around that, we make them non-static, and declare them an extra time to
  49. * avoid compilers complaining about definitions without declarations.
  50. */
  51. #define DER_AID_V_sha1Identifier \
  52. DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
  53. DER_OID_SZ_id_sha1 + DER_SZ_NULL, \
  54. DER_OID_V_id_sha1, \
  55. DER_V_NULL
  56. extern const unsigned char ossl_der_aid_sha1Identifier[];
  57. const unsigned char ossl_der_aid_sha1Identifier[] = {
  58. DER_AID_V_sha1Identifier
  59. };
  60. #define DER_AID_SZ_sha1Identifier sizeof(ossl_der_aid_sha1Identifier)
  61. #define DER_AID_V_sha224Identifier \
  62. DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
  63. DER_OID_SZ_id_sha224 + DER_SZ_NULL, \
  64. DER_OID_V_id_sha224, \
  65. DER_V_NULL
  66. extern const unsigned char ossl_der_aid_sha224Identifier[];
  67. const unsigned char ossl_der_aid_sha224Identifier[] = {
  68. DER_AID_V_sha224Identifier
  69. };
  70. #define DER_AID_SZ_sha224Identifier sizeof(ossl_der_aid_sha224Identifier)
  71. #define DER_AID_V_sha256Identifier \
  72. DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
  73. DER_OID_SZ_id_sha256 + DER_SZ_NULL, \
  74. DER_OID_V_id_sha256, \
  75. DER_V_NULL
  76. extern const unsigned char ossl_der_aid_sha256Identifier[];
  77. const unsigned char ossl_der_aid_sha256Identifier[] = {
  78. DER_AID_V_sha256Identifier
  79. };
  80. #define DER_AID_SZ_sha256Identifier sizeof(ossl_der_aid_sha256Identifier)
  81. #define DER_AID_V_sha384Identifier \
  82. DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
  83. DER_OID_SZ_id_sha384 + DER_SZ_NULL, \
  84. DER_OID_V_id_sha384, \
  85. DER_V_NULL
  86. extern const unsigned char ossl_der_aid_sha384Identifier[];
  87. const unsigned char ossl_der_aid_sha384Identifier[] = {
  88. DER_AID_V_sha384Identifier
  89. };
  90. #define DER_AID_SZ_sha384Identifier sizeof(ossl_der_aid_sha384Identifier)
  91. #define DER_AID_V_sha512Identifier \
  92. DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
  93. DER_OID_SZ_id_sha512 + DER_SZ_NULL, \
  94. DER_OID_V_id_sha512, \
  95. DER_V_NULL
  96. extern const unsigned char ossl_der_aid_sha512Identifier[];
  97. const unsigned char ossl_der_aid_sha512Identifier[] = {
  98. DER_AID_V_sha512Identifier
  99. };
  100. #define DER_AID_SZ_sha512Identifier sizeof(ossl_der_aid_sha512Identifier)
  101. #define DER_AID_V_sha512_224Identifier \
  102. DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
  103. DER_OID_SZ_id_sha512_224 + DER_SZ_NULL, \
  104. DER_OID_V_id_sha512_224, \
  105. DER_V_NULL
  106. extern const unsigned char ossl_der_aid_sha512_224Identifier[];
  107. const unsigned char ossl_der_aid_sha512_224Identifier[] = {
  108. DER_AID_V_sha512_224Identifier
  109. };
  110. #define DER_AID_SZ_sha512_224Identifier sizeof(ossl_der_aid_sha512_224Identifier)
  111. #define DER_AID_V_sha512_256Identifier \
  112. DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
  113. DER_OID_SZ_id_sha512_256 + DER_SZ_NULL, \
  114. DER_OID_V_id_sha512_256, \
  115. DER_V_NULL
  116. extern const unsigned char ossl_der_aid_sha512_256Identifier[];
  117. const unsigned char ossl_der_aid_sha512_256Identifier[] = {
  118. DER_AID_V_sha512_256Identifier
  119. };
  120. #define DER_AID_SZ_sha512_256Identifier sizeof(ossl_der_aid_sha512_256Identifier)
  121. /*-
  122. * From https://tools.ietf.org/html/rfc8017#appendix-A.2.1
  123. *
  124. * HashAlgorithm ::= AlgorithmIdentifier {
  125. * {OAEP-PSSDigestAlgorithms}
  126. * }
  127. *
  128. * ...
  129. *
  130. * PKCS1MGFAlgorithms ALGORITHM-IDENTIFIER ::= {
  131. * { OID id-mgf1 PARAMETERS HashAlgorithm },
  132. * ... -- Allows for future expansion --
  133. * }
  134. */
  135. /*
  136. * The names for the MGF1 AlgorithmIdentifiers are borrowed and expanded
  137. * from https://tools.ietf.org/html/rfc4055#section-2.1
  138. *
  139. * mgf1SHA1Identifier AlgorithmIdentifier ::=
  140. * { id-mgf1, sha1Identifier }
  141. * mgf1SHA224Identifier AlgorithmIdentifier ::=
  142. * { id-mgf1, sha224Identifier }
  143. * mgf1SHA256Identifier AlgorithmIdentifier ::=
  144. * { id-mgf1, sha256Identifier }
  145. * mgf1SHA384Identifier AlgorithmIdentifier ::=
  146. * { id-mgf1, sha384Identifier }
  147. * mgf1SHA512Identifier AlgorithmIdentifier ::=
  148. * { id-mgf1, sha512Identifier }
  149. */
  150. #if 0 /* Currently unused */
  151. #define DER_AID_V_mgf1SHA1Identifier \
  152. DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
  153. DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha1Identifier, \
  154. DER_OID_V_id_mgf1, \
  155. DER_AID_V_sha1Identifier
  156. static const unsigned char der_aid_mgf1SHA1Identifier[] = {
  157. DER_AID_V_mgf1SHA1Identifier
  158. };
  159. #define DER_AID_SZ_mgf1SHA1Identifier sizeof(der_aid_mgf1SHA1Identifier)
  160. #endif
  161. #define DER_AID_V_mgf1SHA224Identifier \
  162. DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
  163. DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha224Identifier, \
  164. DER_OID_V_id_mgf1, \
  165. DER_AID_V_sha224Identifier
  166. static const unsigned char der_aid_mgf1SHA224Identifier[] = {
  167. DER_AID_V_mgf1SHA224Identifier
  168. };
  169. #define DER_AID_SZ_mgf1SHA224Identifier sizeof(der_aid_mgf1SHA224Identifier)
  170. #define DER_AID_V_mgf1SHA256Identifier \
  171. DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
  172. DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha256Identifier, \
  173. DER_OID_V_id_mgf1, \
  174. DER_AID_V_sha256Identifier
  175. static const unsigned char der_aid_mgf1SHA256Identifier[] = {
  176. DER_AID_V_mgf1SHA256Identifier
  177. };
  178. #define DER_AID_SZ_mgf1SHA256Identifier sizeof(der_aid_mgf1SHA256Identifier)
  179. #define DER_AID_V_mgf1SHA384Identifier \
  180. DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
  181. DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha384Identifier, \
  182. DER_OID_V_id_mgf1, \
  183. DER_AID_V_sha384Identifier
  184. static const unsigned char der_aid_mgf1SHA384Identifier[] = {
  185. DER_AID_V_mgf1SHA384Identifier
  186. };
  187. #define DER_AID_SZ_mgf1SHA384Identifier sizeof(der_aid_mgf1SHA384Identifier)
  188. #define DER_AID_V_mgf1SHA512Identifier \
  189. DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
  190. DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha512Identifier, \
  191. DER_OID_V_id_mgf1, \
  192. DER_AID_V_sha512Identifier
  193. static const unsigned char der_aid_mgf1SHA512Identifier[] = {
  194. DER_AID_V_mgf1SHA512Identifier
  195. };
  196. #define DER_AID_SZ_mgf1SHA512Identifier sizeof(der_aid_mgf1SHA512Identifier)
  197. #define DER_AID_V_mgf1SHA512_224Identifier \
  198. DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
  199. DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha512_224Identifier, \
  200. DER_OID_V_id_mgf1, \
  201. DER_AID_V_sha512_224Identifier
  202. static const unsigned char der_aid_mgf1SHA512_224Identifier[] = {
  203. DER_AID_V_mgf1SHA512_224Identifier
  204. };
  205. #define DER_AID_SZ_mgf1SHA512_224Identifier sizeof(der_aid_mgf1SHA512_224Identifier)
  206. #define DER_AID_V_mgf1SHA512_256Identifier \
  207. DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
  208. DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha512_256Identifier, \
  209. DER_OID_V_id_mgf1, \
  210. DER_AID_V_sha512_256Identifier
  211. static const unsigned char der_aid_mgf1SHA512_256Identifier[] = {
  212. DER_AID_V_mgf1SHA512_256Identifier
  213. };
  214. #define DER_AID_SZ_mgf1SHA512_256Identifier sizeof(der_aid_mgf1SHA512_256Identifier)
  215. #define MGF1_SHA_CASE(bits, var) \
  216. case NID_sha##bits: \
  217. var = der_aid_mgf1SHA##bits##Identifier; \
  218. var##_sz = sizeof(der_aid_mgf1SHA##bits##Identifier); \
  219. break;
  220. /*-
  221. * The name is borrowed from https://tools.ietf.org/html/rfc8017#appendix-A.2.1
  222. *
  223. * MaskGenAlgorithm ::= AlgorithmIdentifier { {PKCS1MGFAlgorithms} }
  224. */
  225. static int DER_w_MaskGenAlgorithm(WPACKET *pkt, int tag,
  226. const RSA_PSS_PARAMS_30 *pss)
  227. {
  228. if (pss != NULL && ossl_rsa_pss_params_30_maskgenalg(pss) == NID_mgf1) {
  229. int maskgenhashalg_nid = ossl_rsa_pss_params_30_maskgenhashalg(pss);
  230. const unsigned char *maskgenalg = NULL;
  231. size_t maskgenalg_sz = 0;
  232. switch (maskgenhashalg_nid) {
  233. case NID_sha1:
  234. break;
  235. MGF1_SHA_CASE(224, maskgenalg);
  236. MGF1_SHA_CASE(256, maskgenalg);
  237. MGF1_SHA_CASE(384, maskgenalg);
  238. MGF1_SHA_CASE(512, maskgenalg);
  239. MGF1_SHA_CASE(512_224, maskgenalg);
  240. MGF1_SHA_CASE(512_256, maskgenalg);
  241. default:
  242. return 0;
  243. }
  244. /* If there is none (or it was the default), we write nothing */
  245. if (maskgenalg == NULL)
  246. return 1;
  247. return ossl_DER_w_precompiled(pkt, tag, maskgenalg, maskgenalg_sz);
  248. }
  249. return 0;
  250. }
  251. #define OAEP_PSS_MD_CASE(name, var) \
  252. case NID_##name: \
  253. var = ossl_der_aid_##name##Identifier; \
  254. var##_sz = sizeof(ossl_der_aid_##name##Identifier); \
  255. break;
  256. int ossl_DER_w_RSASSA_PSS_params(WPACKET *pkt, int tag,
  257. const RSA_PSS_PARAMS_30 *pss)
  258. {
  259. int hashalg_nid, default_hashalg_nid;
  260. int saltlen, default_saltlen;
  261. int trailerfield, default_trailerfield;
  262. const unsigned char *hashalg = NULL;
  263. size_t hashalg_sz = 0;
  264. /*
  265. * For an unrestricted key, this function should not have been called;
  266. * the caller must be in control, because unrestricted keys are permitted
  267. * in some situations (when encoding the public key in a SubjectKeyInfo,
  268. * for example) while not in others, and this function doesn't know the
  269. * intent. Therefore, we assert that here, the PSS parameters must show
  270. * that the key is restricted.
  271. */
  272. if (!ossl_assert(pss != NULL
  273. && !ossl_rsa_pss_params_30_is_unrestricted(pss)))
  274. return 0;
  275. hashalg_nid = ossl_rsa_pss_params_30_hashalg(pss);
  276. saltlen = ossl_rsa_pss_params_30_saltlen(pss);
  277. trailerfield = ossl_rsa_pss_params_30_trailerfield(pss);
  278. if (saltlen < 0) {
  279. ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_SALT_LENGTH);
  280. return 0;
  281. }
  282. if (trailerfield != 1) {
  283. ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_TRAILER);
  284. return 0;
  285. }
  286. /* Getting default values */
  287. default_hashalg_nid = ossl_rsa_pss_params_30_hashalg(NULL);
  288. default_saltlen = ossl_rsa_pss_params_30_saltlen(NULL);
  289. default_trailerfield = ossl_rsa_pss_params_30_trailerfield(NULL);
  290. /*
  291. * From https://tools.ietf.org/html/rfc8017#appendix-A.2.1:
  292. *
  293. * OAEP-PSSDigestAlgorithms ALGORITHM-IDENTIFIER ::= {
  294. * { OID id-sha1 PARAMETERS NULL }|
  295. * { OID id-sha224 PARAMETERS NULL }|
  296. * { OID id-sha256 PARAMETERS NULL }|
  297. * { OID id-sha384 PARAMETERS NULL }|
  298. * { OID id-sha512 PARAMETERS NULL }|
  299. * { OID id-sha512-224 PARAMETERS NULL }|
  300. * { OID id-sha512-256 PARAMETERS NULL },
  301. * ... -- Allows for future expansion --
  302. * }
  303. */
  304. switch (hashalg_nid) {
  305. OAEP_PSS_MD_CASE(sha1, hashalg);
  306. OAEP_PSS_MD_CASE(sha224, hashalg);
  307. OAEP_PSS_MD_CASE(sha256, hashalg);
  308. OAEP_PSS_MD_CASE(sha384, hashalg);
  309. OAEP_PSS_MD_CASE(sha512, hashalg);
  310. OAEP_PSS_MD_CASE(sha512_224, hashalg);
  311. OAEP_PSS_MD_CASE(sha512_256, hashalg);
  312. default:
  313. return 0;
  314. }
  315. return ossl_DER_w_begin_sequence(pkt, tag)
  316. && (trailerfield == default_trailerfield
  317. || ossl_DER_w_uint32(pkt, 3, (uint32_t)trailerfield))
  318. && (saltlen == default_saltlen || ossl_DER_w_uint32(pkt, 2, (uint32_t)saltlen))
  319. && DER_w_MaskGenAlgorithm(pkt, 1, pss)
  320. && (hashalg_nid == default_hashalg_nid
  321. || ossl_DER_w_precompiled(pkt, 0, hashalg, hashalg_sz))
  322. && ossl_DER_w_end_sequence(pkt, tag);
  323. }
  324. /* Aliases so we can have a uniform RSA_CASE */
  325. #define ossl_der_oid_rsassaPss ossl_der_oid_id_RSASSA_PSS
  326. #define RSA_CASE(name, var) \
  327. var##_nid = NID_##name; \
  328. var##_oid = ossl_der_oid_##name; \
  329. var##_oid_sz = sizeof(ossl_der_oid_##name); \
  330. break;
  331. int ossl_DER_w_algorithmIdentifier_RSA_PSS(WPACKET *pkt, int tag,
  332. int rsa_type,
  333. const RSA_PSS_PARAMS_30 *pss)
  334. {
  335. int rsa_nid = NID_undef;
  336. const unsigned char *rsa_oid = NULL;
  337. size_t rsa_oid_sz = 0;
  338. switch (rsa_type) {
  339. case RSA_FLAG_TYPE_RSA:
  340. RSA_CASE(rsaEncryption, rsa);
  341. case RSA_FLAG_TYPE_RSASSAPSS:
  342. RSA_CASE(rsassaPss, rsa);
  343. }
  344. if (rsa_oid == NULL)
  345. return 0;
  346. return ossl_DER_w_begin_sequence(pkt, tag)
  347. && (rsa_nid != NID_rsassaPss
  348. || ossl_rsa_pss_params_30_is_unrestricted(pss)
  349. || ossl_DER_w_RSASSA_PSS_params(pkt, -1, pss))
  350. && ossl_DER_w_precompiled(pkt, -1, rsa_oid, rsa_oid_sz)
  351. && ossl_DER_w_end_sequence(pkt, tag);
  352. }
  353. int ossl_DER_w_algorithmIdentifier_RSA(WPACKET *pkt, int tag, RSA *rsa)
  354. {
  355. int rsa_type = RSA_test_flags(rsa, RSA_FLAG_TYPE_MASK);
  356. RSA_PSS_PARAMS_30 *pss_params = ossl_rsa_get0_pss_params_30(rsa);
  357. return ossl_DER_w_algorithmIdentifier_RSA_PSS(pkt, tag, rsa_type,
  358. pss_params);
  359. }