der_rsa_key.c 15 KB

  1. /*
  2. * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. /*
  10. * RSA low level APIs are deprecated for public use, but still ok for
  11. * internal use.
  12. */
  13. #include "internal/deprecated.h"
  14. #include <openssl/obj_mac.h>
  15. #include "internal/cryptlib.h"
  16. #include "prov/der_rsa.h"
  17. #include "prov/der_digests.h"
  18. /* More complex pre-compiled sequences. TODO(3.0) refactor? */
  19. /*-
  20. * From https://tools.ietf.org/html/rfc8017#appendix-A.2.1
  21. *
  22. * OAEP-PSSDigestAlgorithms ALGORITHM-IDENTIFIER ::= {
  23. * { OID id-sha1 PARAMETERS NULL }|
  24. * { OID id-sha224 PARAMETERS NULL }|
  25. * { OID id-sha256 PARAMETERS NULL }|
  26. * { OID id-sha384 PARAMETERS NULL }|
  27. * { OID id-sha512 PARAMETERS NULL }|
  28. * { OID id-sha512-224 PARAMETERS NULL }|
  29. * { OID id-sha512-256 PARAMETERS NULL },
  30. * ... -- Allows for future expansion --
  31. * }
  32. */
  /*
   * Byte sequence for a parameter-less "PARAMETERS NULL" element: the
   * DER_P_NULL constant (declared elsewhere) followed by a zero length byte.
   */
  #define DER_V_NULL DER_P_NULL, 0
  /* Number of bytes DER_V_NULL expands to; must stay in step with it. */
  #define DER_SZ_NULL 2
  35. /*
  36. * The names for the hash function AlgorithmIdentifiers are borrowed and
  37. * expanded from https://tools.ietf.org/html/rfc4055#section-2.1
  38. *
  39. * sha1Identifier AlgorithmIdentifier ::= { id-sha1, NULL }
  40. * sha224Identifier AlgorithmIdentifier ::= { id-sha224, NULL }
  41. * sha256Identifier AlgorithmIdentifier ::= { id-sha256, NULL }
  42. * sha384Identifier AlgorithmIdentifier ::= { id-sha384, NULL }
  43. * sha512Identifier AlgorithmIdentifier ::= { id-sha512, NULL }
  44. */
  45. /*
  46. * NOTE: Some of the arrays aren't used other than inside sizeof(), which
  47. * clang complains about (-Wno-unneeded-internal-declaration). To get
  48. * around that, we make them non-static, and declare them an extra time to
  49. * avoid compilers complaining about definitions without declarations.
  50. */
  /*
   * Pre-compiled hash AlgorithmIdentifiers, one per digest.
   *
   * Each DER_AID_V_<name> macro expands to the bytes of
   *     SEQUENCE { OID, NULL }
   * as: the constructed-SEQUENCE tag, a single length byte, the OID bytes
   * (DER_OID_V_*, declared elsewhere) and DER_V_NULL.  The length is written
   * as one byte holding DER_OID_SZ_* + DER_SZ_NULL, so the layout is only
   * valid while that sum fits the short form of a DER length (below 128).
   *
   * DER_AID_SZ_<name> is the size of the whole encoding, taken with sizeof on
   * the matching array; the MGF1 tables in this file use it for their own
   * length byte.
   *
   * The SHA-1 variant is compiled out: its only user in this file, the MGF1
   * SHA-1 table, is compiled out as well.
   */
  #if 0 /* Currently unused */
  #define DER_AID_V_sha1Identifier \
      DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
      DER_OID_SZ_id_sha1 + DER_SZ_NULL, \
      DER_OID_V_id_sha1, \
      DER_V_NULL
  extern const unsigned char der_aid_sha1Identifier[];
  const unsigned char der_aid_sha1Identifier[] = {
      DER_AID_V_sha1Identifier
  };
  #define DER_AID_SZ_sha1Identifier sizeof(der_aid_sha1Identifier)
  #endif

  /* sha224Identifier: SEQUENCE { id-sha224, NULL } */
  #define DER_AID_V_sha224Identifier \
      DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
      DER_OID_SZ_id_sha224 + DER_SZ_NULL, \
      DER_OID_V_id_sha224, \
      DER_V_NULL
  /* Declared extern right before the definition, see the NOTE above. */
  extern const unsigned char ossl_der_aid_sha224Identifier[];
  const unsigned char ossl_der_aid_sha224Identifier[] = {
      DER_AID_V_sha224Identifier
  };
  #define DER_AID_SZ_sha224Identifier sizeof(ossl_der_aid_sha224Identifier)

  /* sha256Identifier: SEQUENCE { id-sha256, NULL } */
  #define DER_AID_V_sha256Identifier \
      DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
      DER_OID_SZ_id_sha256 + DER_SZ_NULL, \
      DER_OID_V_id_sha256, \
      DER_V_NULL
  extern const unsigned char ossl_der_aid_sha256Identifier[];
  const unsigned char ossl_der_aid_sha256Identifier[] = {
      DER_AID_V_sha256Identifier
  };
  #define DER_AID_SZ_sha256Identifier sizeof(ossl_der_aid_sha256Identifier)

  /* sha384Identifier: SEQUENCE { id-sha384, NULL } */
  #define DER_AID_V_sha384Identifier \
      DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
      DER_OID_SZ_id_sha384 + DER_SZ_NULL, \
      DER_OID_V_id_sha384, \
      DER_V_NULL
  extern const unsigned char ossl_der_aid_sha384Identifier[];
  const unsigned char ossl_der_aid_sha384Identifier[] = {
      DER_AID_V_sha384Identifier
  };
  #define DER_AID_SZ_sha384Identifier sizeof(ossl_der_aid_sha384Identifier)

  /* sha512Identifier: SEQUENCE { id-sha512, NULL } */
  #define DER_AID_V_sha512Identifier \
      DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
      DER_OID_SZ_id_sha512 + DER_SZ_NULL, \
      DER_OID_V_id_sha512, \
      DER_V_NULL
  extern const unsigned char ossl_der_aid_sha512Identifier[];
  const unsigned char ossl_der_aid_sha512Identifier[] = {
      DER_AID_V_sha512Identifier
  };
  #define DER_AID_SZ_sha512Identifier sizeof(ossl_der_aid_sha512Identifier)

  /* sha512-224 identifier: SEQUENCE { id-sha512-224, NULL } */
  #define DER_AID_V_sha512_224Identifier \
      DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
      DER_OID_SZ_id_sha512_224 + DER_SZ_NULL, \
      DER_OID_V_id_sha512_224, \
      DER_V_NULL
  extern const unsigned char ossl_der_aid_sha512_224Identifier[];
  const unsigned char ossl_der_aid_sha512_224Identifier[] = {
      DER_AID_V_sha512_224Identifier
  };
  #define DER_AID_SZ_sha512_224Identifier sizeof(ossl_der_aid_sha512_224Identifier)

  /* sha512-256 identifier: SEQUENCE { id-sha512-256, NULL } */
  #define DER_AID_V_sha512_256Identifier \
      DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
      DER_OID_SZ_id_sha512_256 + DER_SZ_NULL, \
      DER_OID_V_id_sha512_256, \
      DER_V_NULL
  extern const unsigned char ossl_der_aid_sha512_256Identifier[];
  const unsigned char ossl_der_aid_sha512_256Identifier[] = {
      DER_AID_V_sha512_256Identifier
  };
  #define DER_AID_SZ_sha512_256Identifier sizeof(ossl_der_aid_sha512_256Identifier)
  123. /*-
  124. * From https://tools.ietf.org/html/rfc8017#appendix-A.2.1
  125. *
  126. * HashAlgorithm ::= AlgorithmIdentifier {
  127. * {OAEP-PSSDigestAlgorithms}
  128. * }
  129. *
  130. * ...
  131. *
  132. * PKCS1MGFAlgorithms ALGORITHM-IDENTIFIER ::= {
  133. * { OID id-mgf1 PARAMETERS HashAlgorithm },
  134. * ... -- Allows for future expansion --
  135. * }
  136. */
  137. /*
  138. * The names for the MGF1 AlgorithmIdentifiers are borrowed and expanded
  139. * from https://tools.ietf.org/html/rfc4055#section-2.1
  140. *
  141. * mgf1SHA1Identifier AlgorithmIdentifier ::=
  142. * { id-mgf1, sha1Identifier }
  143. * mgf1SHA224Identifier AlgorithmIdentifier ::=
  144. * { id-mgf1, sha224Identifier }
  145. * mgf1SHA256Identifier AlgorithmIdentifier ::=
  146. * { id-mgf1, sha256Identifier }
  147. * mgf1SHA384Identifier AlgorithmIdentifier ::=
  148. * { id-mgf1, sha384Identifier }
  149. * mgf1SHA512Identifier AlgorithmIdentifier ::=
  150. * { id-mgf1, sha512Identifier }
  151. */
  /*
   * Pre-compiled MGF1 AlgorithmIdentifiers, one per digest.
   *
   * Each DER_AID_V_mgf1<HASH>Identifier macro expands to the bytes of
   *     SEQUENCE { id-mgf1, <hash AlgorithmIdentifier> }
   * as: the constructed-SEQUENCE tag, a single length byte, the id-mgf1 OID
   * bytes and the nested hash AlgorithmIdentifier bytes.  The length byte is
   * DER_OID_SZ_id_mgf1 plus the sizeof-derived size of the nested
   * identifier, so it is only valid while that sum fits the short form of a
   * DER length (below 128).
   *
   * The SHA-1 variant is compiled out; DER_w_MaskGenAlgorithm() writes
   * nothing for NID_sha1.
   */
  #if 0 /* Currently unused */
  #define DER_AID_V_mgf1SHA1Identifier \
      DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
      DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha1Identifier, \
      DER_OID_V_id_mgf1, \
      DER_AID_V_sha1Identifier
  static const unsigned char der_aid_mgf1SHA1Identifier[] = {
      DER_AID_V_mgf1SHA1Identifier
  };
  #define DER_AID_SZ_mgf1SHA1Identifier sizeof(der_aid_mgf1SHA1Identifier)
  #endif

  /* mgf1SHA224Identifier: SEQUENCE { id-mgf1, sha224Identifier } */
  #define DER_AID_V_mgf1SHA224Identifier \
      DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
      DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha224Identifier, \
      DER_OID_V_id_mgf1, \
      DER_AID_V_sha224Identifier
  static const unsigned char der_aid_mgf1SHA224Identifier[] = {
      DER_AID_V_mgf1SHA224Identifier
  };
  #define DER_AID_SZ_mgf1SHA224Identifier sizeof(der_aid_mgf1SHA224Identifier)

  /* mgf1SHA256Identifier: SEQUENCE { id-mgf1, sha256Identifier } */
  #define DER_AID_V_mgf1SHA256Identifier \
      DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
      DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha256Identifier, \
      DER_OID_V_id_mgf1, \
      DER_AID_V_sha256Identifier
  static const unsigned char der_aid_mgf1SHA256Identifier[] = {
      DER_AID_V_mgf1SHA256Identifier
  };
  #define DER_AID_SZ_mgf1SHA256Identifier sizeof(der_aid_mgf1SHA256Identifier)

  /* mgf1SHA384Identifier: SEQUENCE { id-mgf1, sha384Identifier } */
  #define DER_AID_V_mgf1SHA384Identifier \
      DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
      DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha384Identifier, \
      DER_OID_V_id_mgf1, \
      DER_AID_V_sha384Identifier
  static const unsigned char der_aid_mgf1SHA384Identifier[] = {
      DER_AID_V_mgf1SHA384Identifier
  };
  #define DER_AID_SZ_mgf1SHA384Identifier sizeof(der_aid_mgf1SHA384Identifier)

  /* mgf1SHA512Identifier: SEQUENCE { id-mgf1, sha512Identifier } */
  #define DER_AID_V_mgf1SHA512Identifier \
      DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
      DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha512Identifier, \
      DER_OID_V_id_mgf1, \
      DER_AID_V_sha512Identifier
  static const unsigned char der_aid_mgf1SHA512Identifier[] = {
      DER_AID_V_mgf1SHA512Identifier
  };
  #define DER_AID_SZ_mgf1SHA512Identifier sizeof(der_aid_mgf1SHA512Identifier)

  /* MGF1 with SHA-512/224: SEQUENCE { id-mgf1, sha512-224 identifier } */
  #define DER_AID_V_mgf1SHA512_224Identifier \
      DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
      DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha512_224Identifier, \
      DER_OID_V_id_mgf1, \
      DER_AID_V_sha512_224Identifier
  static const unsigned char der_aid_mgf1SHA512_224Identifier[] = {
      DER_AID_V_mgf1SHA512_224Identifier
  };
  #define DER_AID_SZ_mgf1SHA512_224Identifier sizeof(der_aid_mgf1SHA512_224Identifier)

  /* MGF1 with SHA-512/256: SEQUENCE { id-mgf1, sha512-256 identifier } */
  #define DER_AID_V_mgf1SHA512_256Identifier \
      DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
      DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha512_256Identifier, \
      DER_OID_V_id_mgf1, \
      DER_AID_V_sha512_256Identifier
  static const unsigned char der_aid_mgf1SHA512_256Identifier[] = {
      DER_AID_V_mgf1SHA512_256Identifier
  };
  #define DER_AID_SZ_mgf1SHA512_256Identifier sizeof(der_aid_mgf1SHA512_256Identifier)

  /*
   * Expands to one complete switch arm: "case NID_sha<bits>:", point var at
   * the matching MGF1 table, store the table size in var_sz, then break.
   * The enclosing function must declare both `var` and `var##_sz`.
   */
  #define MGF1_SHA_CASE(bits, var) \
      case NID_sha##bits: \
          var = der_aid_mgf1SHA##bits##Identifier; \
          var##_sz = sizeof(der_aid_mgf1SHA##bits##Identifier); \
          break;
  222. /*-
  223. * The name is borrowed from https://tools.ietf.org/html/rfc8017#appendix-A.2.1
  224. *
  225. * MaskGenAlgorithm ::= AlgorithmIdentifier { {PKCS1MGFAlgorithms} }
  226. */
  /*
   * Write the MaskGenAlgorithm element for |pss| into |pkt| under |tag|.
   *
   * Returns 0 when |pss| is NULL, when the mask generation algorithm is not
   * MGF1, or when the MGF1 digest is not one of the digests listed below, so
   * an unsupported combination is refused rather than encoded.
   * Returns 1 without writing anything when the MGF1 digest is SHA-1 (the
   * default, which is left out of the encoding).
   * Otherwise returns the result of ossl_DER_w_precompiled().
   */
  static int DER_w_MaskGenAlgorithm(WPACKET *pkt, int tag,
                                    const RSA_PSS_PARAMS_30 *pss)
  {
      /* MGF1_SHA_CASE fills in both aid and aid_sz. */
      const unsigned char *aid = NULL;
      size_t aid_sz = 0;

      if (pss == NULL || ossl_rsa_pss_params_30_maskgenalg(pss) != NID_mgf1)
          return 0;

      switch (ossl_rsa_pss_params_30_maskgenhashalg(pss)) {
      case NID_sha1:
          /* Accepted, but aid stays NULL so that nothing is written. */
          break;
      MGF1_SHA_CASE(224, aid);
      MGF1_SHA_CASE(256, aid);
      MGF1_SHA_CASE(384, aid);
      MGF1_SHA_CASE(512, aid);
      MGF1_SHA_CASE(512_224, aid);
      MGF1_SHA_CASE(512_256, aid);
      default:
          /* Digest without a pre-compiled MGF1 identifier. */
          return 0;
      }

      if (aid != NULL)
          return ossl_DER_w_precompiled(pkt, tag, aid, aid_sz);

      /* Default digest: the element is omitted and that counts as success. */
      return 1;
  }
  /*
   * Expands to one complete switch arm: "case NID_<name>:", point var at
   * ossl_der_oid_id_<name> (declared elsewhere), store its size in var_sz,
   * then break.  The enclosing function must declare both `var` and
   * `var##_sz`.
   *
   * NOTE(review): the selected object is named as an OID encoding, while the
   * RFC 8017 text quoted in this file describes the hash algorithm as an
   * AlgorithmIdentifier ({ OID, NULL }); the ossl_der_aid_*Identifier arrays
   * defined above are not referenced here.  Confirm that writing the bare
   * OID is the intended encoding for the hashAlgorithm field.
   */
  #define OAEP_PSS_MD_CASE(name, var) \
      case NID_##name: \
          var = ossl_der_oid_id_##name; \
          var##_sz = sizeof(ossl_der_oid_id_##name); \
          break;
  /*
   * Write the RSASSA-PSS parameters of |pss| into |pkt| as a sequence under
   * |tag|.
   *
   * Returns 1 on success and 0 on failure.  Failure covers: |pss| is NULL or
   * describes an unrestricted key, the hash algorithm is not in the list
   * below, the mask generation algorithm is rejected by
   * DER_w_MaskGenAlgorithm(), or any of the DER writers fails.
   *
   * A field whose value equals the default (what the corresponding getter
   * returns for a NULL argument) is not written.  Fields are emitted from
   * context tag 3 down to tag 0; presumably the packet is filled back to
   * front -- confirm against the WPACKET/DER writer implementation.
   *
   * NOTE(review): salt length and trailer field are ints handed to
   * ossl_DER_w_ulong(), whose prototype is not visible here.  If it takes an
   * unsigned long, a negative value would be encoded as a very large
   * INTEGER -- confirm that the values are validated before this point.
   */
  int ossl_DER_w_RSASSA_PSS_params(WPACKET *pkt, int tag,
                                   const RSA_PSS_PARAMS_30 *pss)
  {
      /* OAEP_PSS_MD_CASE fills in both md_enc and md_enc_sz. */
      const unsigned char *md_enc = NULL;
      size_t md_enc_sz = 0;
      int md_nid, salt_len, trailer;
      int dflt_md_nid, dflt_salt_len, dflt_trailer;

      /*
       * This function cannot tell whether encoding an unrestricted key is
       * acceptable in the caller's context (it is for a SubjectKeyInfo
       * public key, for example, and not in other places), so the caller
       * has to decide and must not get here with one.  The assertion
       * enforces that the parameters describe a restricted key.
       */
      if (!ossl_assert(pss != NULL
                       && !ossl_rsa_pss_params_30_is_unrestricted(pss)))
          return 0;

      /* Values carried by the key ... */
      md_nid = ossl_rsa_pss_params_30_hashalg(pss);
      salt_len = ossl_rsa_pss_params_30_saltlen(pss);
      trailer = ossl_rsa_pss_params_30_trailerfield(pss);

      /* ... and the defaults, obtained by passing NULL to the getters. */
      dflt_md_nid = ossl_rsa_pss_params_30_hashalg(NULL);
      dflt_salt_len = ossl_rsa_pss_params_30_saltlen(NULL);
      dflt_trailer = ossl_rsa_pss_params_30_trailerfield(NULL);

      /*
       * Digests permitted by OAEP-PSSDigestAlgorithms in
       * https://tools.ietf.org/html/rfc8017#appendix-A.2.1:
       * sha1, sha224, sha256, sha384, sha512, sha512-224, sha512-256.
       * Anything else is refused.
       */
      switch (md_nid) {
      OAEP_PSS_MD_CASE(sha1, md_enc);
      OAEP_PSS_MD_CASE(sha224, md_enc);
      OAEP_PSS_MD_CASE(sha256, md_enc);
      OAEP_PSS_MD_CASE(sha384, md_enc);
      OAEP_PSS_MD_CASE(sha512, md_enc);
      OAEP_PSS_MD_CASE(sha512_224, md_enc);
      OAEP_PSS_MD_CASE(sha512_256, md_enc);
      default:
          return 0;
      }

      if (!ossl_DER_w_begin_sequence(pkt, tag))
          return 0;

      /* [3] trailerField, skipped when it is the default */
      if (trailer != dflt_trailer && !ossl_DER_w_ulong(pkt, 3, trailer))
          return 0;

      /* [2] saltLength, skipped when it is the default */
      if (salt_len != dflt_salt_len && !ossl_DER_w_ulong(pkt, 2, salt_len))
          return 0;

      /* [1] maskGenAlgorithm; the helper itself skips the default */
      if (!DER_w_MaskGenAlgorithm(pkt, 1, pss))
          return 0;

      /* [0] hashAlgorithm, skipped when it is the default */
      if (md_nid != dflt_md_nid
              && !ossl_DER_w_precompiled(pkt, 0, md_enc, md_enc_sz))
          return 0;

      return ossl_DER_w_end_sequence(pkt, tag) != 0;
  }
  /*
   * Alias so that RSA_CASE can build the OID symbol for RSASSA-PSS from the
   * same name it uses for the NID (NID_rsassaPss).
   */
  #define ossl_der_oid_rsassaPss ossl_der_oid_id_RSASSA_PSS
  /*
   * Body of one switch arm (the "case" label is written by the caller):
   * sets var_nid, var_oid and var_oid_sz for the algorithm |name|, then
   * breaks.  The enclosing function must declare all three variables.
   */
  #define RSA_CASE(name, var) \
      var##_nid = NID_##name; \
      var##_oid = ossl_der_oid_##name; \
      var##_oid_sz = sizeof(ossl_der_oid_##name); \
      break;
  /*
   * Write an AlgorithmIdentifier for the key |rsa| into |pkt| as a sequence
   * under |tag|.
   *
   * The key type is taken from the RSA_FLAG_TYPE_MASK bits of the key flags.
   * Plain RSA and RSASSA-PSS are supported; any other value leaves the OID
   * unset and the function returns 0 without writing.  For an RSASSA-PSS key
   * whose parameters are restricted, the PSS parameters are written as well;
   * for an unrestricted one only the OID is written.
   *
   * Returns 1 on success, 0 on failure.
   *
   * NOTE(review): |rsa| is passed to ossl_rsa_get0_pss_params_30() and
   * RSA_test_flags() without a NULL check here; presumably callers guarantee
   * a valid key -- confirm.
   */
  int ossl_DER_w_algorithmIdentifier_RSA(WPACKET *pkt, int tag, RSA *rsa)
  {
      /* RSA_CASE fills in alg_nid, alg_oid and alg_oid_sz. */
      int alg_nid = NID_undef;
      const unsigned char *alg_oid = NULL;
      size_t alg_oid_sz = 0;
      RSA_PSS_PARAMS_30 *pss_params = ossl_rsa_get0_pss_params_30(rsa);

      /* No default arm: an unknown type is caught by the NULL test below. */
      switch (RSA_test_flags(rsa, RSA_FLAG_TYPE_MASK)) {
      case RSA_FLAG_TYPE_RSA:
          RSA_CASE(rsaEncryption, alg);
      case RSA_FLAG_TYPE_RSASSAPSS:
          RSA_CASE(rsassaPss, alg);
      }

      if (alg_oid == NULL)
          return 0;

      if (!ossl_DER_w_begin_sequence(pkt, tag))
          return 0;

      /* Parameters are only written for a restricted RSASSA-PSS key. */
      if (alg_nid == NID_rsassaPss
              && !ossl_rsa_pss_params_30_is_unrestricted(pss_params)
              && !ossl_DER_w_RSASSA_PSS_params(pkt, -1, pss_params))
          return 0;

      if (!ossl_DER_w_precompiled(pkt, -1, alg_oid, alg_oid_sz))
          return 0;

      return ossl_DER_w_end_sequence(pkt, tag) != 0;
  }