2
0

rsa_ameth.c 32 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133
  1. /*
  2. * Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. /*
  10. * RSA low level APIs are deprecated for public use, but still ok for
  11. * internal use.
  12. */
  13. #include "internal/deprecated.h"
  14. #include <stdio.h>
  15. #include "internal/cryptlib.h"
  16. #include <openssl/asn1t.h>
  17. #include <openssl/x509.h>
  18. #include <openssl/bn.h>
  19. #include <openssl/core_names.h>
  20. #include <openssl/param_build.h>
  21. #include "crypto/asn1.h"
  22. #include "crypto/evp.h"
  23. #include "crypto/rsa.h"
  24. #include "rsa_local.h"
  25. static RSA_PSS_PARAMS *rsa_pss_decode(const X509_ALGOR *alg);
  26. static int rsa_sync_to_pss_params_30(RSA *rsa);
  27. /* Set any parameters associated with pkey */
  28. static int rsa_param_encode(const EVP_PKEY *pkey,
  29. ASN1_STRING **pstr, int *pstrtype)
  30. {
  31. const RSA *rsa = pkey->pkey.rsa;
  32. *pstr = NULL;
  33. /* If RSA it's just NULL type */
  34. if (RSA_test_flags(rsa, RSA_FLAG_TYPE_MASK) != RSA_FLAG_TYPE_RSASSAPSS) {
  35. *pstrtype = V_ASN1_NULL;
  36. return 1;
  37. }
  38. /* If no PSS parameters we omit parameters entirely */
  39. if (rsa->pss == NULL) {
  40. *pstrtype = V_ASN1_UNDEF;
  41. return 1;
  42. }
  43. /* Encode PSS parameters */
  44. if (ASN1_item_pack(rsa->pss, ASN1_ITEM_rptr(RSA_PSS_PARAMS), pstr) == NULL)
  45. return 0;
  46. *pstrtype = V_ASN1_SEQUENCE;
  47. return 1;
  48. }
  49. /* Decode any parameters and set them in RSA structure */
  50. static int rsa_param_decode(RSA *rsa, const X509_ALGOR *alg)
  51. {
  52. const ASN1_OBJECT *algoid;
  53. const void *algp;
  54. int algptype;
  55. X509_ALGOR_get0(&algoid, &algptype, &algp, alg);
  56. if (OBJ_obj2nid(algoid) != EVP_PKEY_RSA_PSS)
  57. return 1;
  58. if (algptype == V_ASN1_UNDEF)
  59. return 1;
  60. if (algptype != V_ASN1_SEQUENCE) {
  61. RSAerr(RSA_F_RSA_PARAM_DECODE, RSA_R_INVALID_PSS_PARAMETERS);
  62. return 0;
  63. }
  64. rsa->pss = rsa_pss_decode(alg);
  65. if (rsa->pss == NULL)
  66. return 0;
  67. if (!rsa_sync_to_pss_params_30(rsa))
  68. return 0;
  69. return 1;
  70. }
  71. static int rsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
  72. {
  73. unsigned char *penc = NULL;
  74. int penclen;
  75. ASN1_STRING *str;
  76. int strtype;
  77. if (!rsa_param_encode(pkey, &str, &strtype))
  78. return 0;
  79. penclen = i2d_RSAPublicKey(pkey->pkey.rsa, &penc);
  80. if (penclen <= 0)
  81. return 0;
  82. if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(pkey->ameth->pkey_id),
  83. strtype, str, penc, penclen))
  84. return 1;
  85. OPENSSL_free(penc);
  86. return 0;
  87. }
  88. static int rsa_pub_decode(EVP_PKEY *pkey, const X509_PUBKEY *pubkey)
  89. {
  90. const unsigned char *p;
  91. int pklen;
  92. X509_ALGOR *alg;
  93. RSA *rsa = NULL;
  94. if (!X509_PUBKEY_get0_param(NULL, &p, &pklen, &alg, pubkey))
  95. return 0;
  96. if ((rsa = d2i_RSAPublicKey(NULL, &p, pklen)) == NULL)
  97. return 0;
  98. if (!rsa_param_decode(rsa, alg)) {
  99. RSA_free(rsa);
  100. return 0;
  101. }
  102. RSA_clear_flags(rsa, RSA_FLAG_TYPE_MASK);
  103. switch (pkey->ameth->pkey_id) {
  104. case EVP_PKEY_RSA:
  105. RSA_set_flags(rsa, RSA_FLAG_TYPE_RSA);
  106. break;
  107. case EVP_PKEY_RSA_PSS:
  108. RSA_set_flags(rsa, RSA_FLAG_TYPE_RSASSAPSS);
  109. break;
  110. default:
  111. /* Leave the type bits zero */
  112. break;
  113. }
  114. if (!EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa)) {
  115. RSA_free(rsa);
  116. return 0;
  117. }
  118. return 1;
  119. }
  120. static int rsa_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b)
  121. {
  122. /*
  123. * Don't check the public/private key, this is mostly for smart
  124. * cards.
  125. */
  126. if (((RSA_flags(a->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK))
  127. || (RSA_flags(b->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK)) {
  128. return 1;
  129. }
  130. if (BN_cmp(b->pkey.rsa->n, a->pkey.rsa->n) != 0
  131. || BN_cmp(b->pkey.rsa->e, a->pkey.rsa->e) != 0)
  132. return 0;
  133. return 1;
  134. }
  135. static int old_rsa_priv_decode(EVP_PKEY *pkey,
  136. const unsigned char **pder, int derlen)
  137. {
  138. RSA *rsa;
  139. if ((rsa = d2i_RSAPrivateKey(NULL, pder, derlen)) == NULL)
  140. return 0;
  141. EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa);
  142. return 1;
  143. }
  144. static int old_rsa_priv_encode(const EVP_PKEY *pkey, unsigned char **pder)
  145. {
  146. return i2d_RSAPrivateKey(pkey->pkey.rsa, pder);
  147. }
  148. static int rsa_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
  149. {
  150. unsigned char *rk = NULL;
  151. int rklen;
  152. ASN1_STRING *str;
  153. int strtype;
  154. if (!rsa_param_encode(pkey, &str, &strtype))
  155. return 0;
  156. rklen = i2d_RSAPrivateKey(pkey->pkey.rsa, &rk);
  157. if (rklen <= 0) {
  158. RSAerr(RSA_F_RSA_PRIV_ENCODE, ERR_R_MALLOC_FAILURE);
  159. ASN1_STRING_free(str);
  160. return 0;
  161. }
  162. if (!PKCS8_pkey_set0(p8, OBJ_nid2obj(pkey->ameth->pkey_id), 0,
  163. strtype, str, rk, rklen)) {
  164. RSAerr(RSA_F_RSA_PRIV_ENCODE, ERR_R_MALLOC_FAILURE);
  165. ASN1_STRING_free(str);
  166. return 0;
  167. }
  168. return 1;
  169. }
  170. static int rsa_priv_decode(EVP_PKEY *pkey, const PKCS8_PRIV_KEY_INFO *p8)
  171. {
  172. const unsigned char *p;
  173. RSA *rsa;
  174. int pklen;
  175. const X509_ALGOR *alg;
  176. if (!PKCS8_pkey_get0(NULL, &p, &pklen, &alg, p8))
  177. return 0;
  178. rsa = d2i_RSAPrivateKey(NULL, &p, pklen);
  179. if (rsa == NULL) {
  180. RSAerr(RSA_F_RSA_PRIV_DECODE, ERR_R_RSA_LIB);
  181. return 0;
  182. }
  183. if (!rsa_param_decode(rsa, alg)) {
  184. RSA_free(rsa);
  185. return 0;
  186. }
  187. RSA_clear_flags(rsa, RSA_FLAG_TYPE_MASK);
  188. switch (pkey->ameth->pkey_id) {
  189. case EVP_PKEY_RSA:
  190. RSA_set_flags(rsa, RSA_FLAG_TYPE_RSA);
  191. break;
  192. case EVP_PKEY_RSA_PSS:
  193. RSA_set_flags(rsa, RSA_FLAG_TYPE_RSASSAPSS);
  194. break;
  195. default:
  196. /* Leave the type bits zero */
  197. break;
  198. }
  199. EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa);
  200. return 1;
  201. }
  202. static int int_rsa_size(const EVP_PKEY *pkey)
  203. {
  204. return RSA_size(pkey->pkey.rsa);
  205. }
  206. static int rsa_bits(const EVP_PKEY *pkey)
  207. {
  208. return BN_num_bits(pkey->pkey.rsa->n);
  209. }
  210. static int rsa_security_bits(const EVP_PKEY *pkey)
  211. {
  212. return RSA_security_bits(pkey->pkey.rsa);
  213. }
  214. static void int_rsa_free(EVP_PKEY *pkey)
  215. {
  216. RSA_free(pkey->pkey.rsa);
  217. }
  218. static int rsa_pss_param_print(BIO *bp, int pss_key, RSA_PSS_PARAMS *pss,
  219. int indent)
  220. {
  221. int rv = 0;
  222. X509_ALGOR *maskHash = NULL;
  223. if (!BIO_indent(bp, indent, 128))
  224. goto err;
  225. if (pss_key) {
  226. if (pss == NULL) {
  227. if (BIO_puts(bp, "No PSS parameter restrictions\n") <= 0)
  228. return 0;
  229. return 1;
  230. } else {
  231. if (BIO_puts(bp, "PSS parameter restrictions:") <= 0)
  232. return 0;
  233. }
  234. } else if (pss == NULL) {
  235. if (BIO_puts(bp,"(INVALID PSS PARAMETERS)\n") <= 0)
  236. return 0;
  237. return 1;
  238. }
  239. if (BIO_puts(bp, "\n") <= 0)
  240. goto err;
  241. if (pss_key)
  242. indent += 2;
  243. if (!BIO_indent(bp, indent, 128))
  244. goto err;
  245. if (BIO_puts(bp, "Hash Algorithm: ") <= 0)
  246. goto err;
  247. if (pss->hashAlgorithm) {
  248. if (i2a_ASN1_OBJECT(bp, pss->hashAlgorithm->algorithm) <= 0)
  249. goto err;
  250. } else if (BIO_puts(bp, "sha1 (default)") <= 0) {
  251. goto err;
  252. }
  253. if (BIO_puts(bp, "\n") <= 0)
  254. goto err;
  255. if (!BIO_indent(bp, indent, 128))
  256. goto err;
  257. if (BIO_puts(bp, "Mask Algorithm: ") <= 0)
  258. goto err;
  259. if (pss->maskGenAlgorithm) {
  260. if (i2a_ASN1_OBJECT(bp, pss->maskGenAlgorithm->algorithm) <= 0)
  261. goto err;
  262. if (BIO_puts(bp, " with ") <= 0)
  263. goto err;
  264. maskHash = x509_algor_mgf1_decode(pss->maskGenAlgorithm);
  265. if (maskHash != NULL) {
  266. if (i2a_ASN1_OBJECT(bp, maskHash->algorithm) <= 0)
  267. goto err;
  268. } else if (BIO_puts(bp, "INVALID") <= 0) {
  269. goto err;
  270. }
  271. } else if (BIO_puts(bp, "mgf1 with sha1 (default)") <= 0) {
  272. goto err;
  273. }
  274. BIO_puts(bp, "\n");
  275. if (!BIO_indent(bp, indent, 128))
  276. goto err;
  277. if (BIO_printf(bp, "%s Salt Length: 0x", pss_key ? "Minimum" : "") <= 0)
  278. goto err;
  279. if (pss->saltLength) {
  280. if (i2a_ASN1_INTEGER(bp, pss->saltLength) <= 0)
  281. goto err;
  282. } else if (BIO_puts(bp, "14 (default)") <= 0) {
  283. goto err;
  284. }
  285. BIO_puts(bp, "\n");
  286. if (!BIO_indent(bp, indent, 128))
  287. goto err;
  288. if (BIO_puts(bp, "Trailer Field: 0x") <= 0)
  289. goto err;
  290. if (pss->trailerField) {
  291. if (i2a_ASN1_INTEGER(bp, pss->trailerField) <= 0)
  292. goto err;
  293. } else if (BIO_puts(bp, "BC (default)") <= 0) {
  294. goto err;
  295. }
  296. BIO_puts(bp, "\n");
  297. rv = 1;
  298. err:
  299. X509_ALGOR_free(maskHash);
  300. return rv;
  301. }
  302. static int pkey_rsa_print(BIO *bp, const EVP_PKEY *pkey, int off, int priv)
  303. {
  304. const RSA *x = pkey->pkey.rsa;
  305. char *str;
  306. const char *s;
  307. int ret = 0, mod_len = 0, ex_primes;
  308. if (x->n != NULL)
  309. mod_len = BN_num_bits(x->n);
  310. ex_primes = sk_RSA_PRIME_INFO_num(x->prime_infos);
  311. if (!BIO_indent(bp, off, 128))
  312. goto err;
  313. if (BIO_printf(bp, "%s ", pkey_is_pss(pkey) ? "RSA-PSS" : "RSA") <= 0)
  314. goto err;
  315. if (priv && x->d) {
  316. if (BIO_printf(bp, "Private-Key: (%d bit, %d primes)\n",
  317. mod_len, ex_primes <= 0 ? 2 : ex_primes + 2) <= 0)
  318. goto err;
  319. str = "modulus:";
  320. s = "publicExponent:";
  321. } else {
  322. if (BIO_printf(bp, "Public-Key: (%d bit)\n", mod_len) <= 0)
  323. goto err;
  324. str = "Modulus:";
  325. s = "Exponent:";
  326. }
  327. if (!ASN1_bn_print(bp, str, x->n, NULL, off))
  328. goto err;
  329. if (!ASN1_bn_print(bp, s, x->e, NULL, off))
  330. goto err;
  331. if (priv) {
  332. int i;
  333. if (!ASN1_bn_print(bp, "privateExponent:", x->d, NULL, off))
  334. goto err;
  335. if (!ASN1_bn_print(bp, "prime1:", x->p, NULL, off))
  336. goto err;
  337. if (!ASN1_bn_print(bp, "prime2:", x->q, NULL, off))
  338. goto err;
  339. if (!ASN1_bn_print(bp, "exponent1:", x->dmp1, NULL, off))
  340. goto err;
  341. if (!ASN1_bn_print(bp, "exponent2:", x->dmq1, NULL, off))
  342. goto err;
  343. if (!ASN1_bn_print(bp, "coefficient:", x->iqmp, NULL, off))
  344. goto err;
  345. for (i = 0; i < sk_RSA_PRIME_INFO_num(x->prime_infos); i++) {
  346. /* print multi-prime info */
  347. BIGNUM *bn = NULL;
  348. RSA_PRIME_INFO *pinfo;
  349. int j;
  350. pinfo = sk_RSA_PRIME_INFO_value(x->prime_infos, i);
  351. for (j = 0; j < 3; j++) {
  352. if (!BIO_indent(bp, off, 128))
  353. goto err;
  354. switch (j) {
  355. case 0:
  356. if (BIO_printf(bp, "prime%d:", i + 3) <= 0)
  357. goto err;
  358. bn = pinfo->r;
  359. break;
  360. case 1:
  361. if (BIO_printf(bp, "exponent%d:", i + 3) <= 0)
  362. goto err;
  363. bn = pinfo->d;
  364. break;
  365. case 2:
  366. if (BIO_printf(bp, "coefficient%d:", i + 3) <= 0)
  367. goto err;
  368. bn = pinfo->t;
  369. break;
  370. default:
  371. break;
  372. }
  373. if (!ASN1_bn_print(bp, "", bn, NULL, off))
  374. goto err;
  375. }
  376. }
  377. }
  378. if (pkey_is_pss(pkey) && !rsa_pss_param_print(bp, 1, x->pss, off))
  379. goto err;
  380. ret = 1;
  381. err:
  382. return ret;
  383. }
  384. static int rsa_pub_print(BIO *bp, const EVP_PKEY *pkey, int indent,
  385. ASN1_PCTX *ctx)
  386. {
  387. return pkey_rsa_print(bp, pkey, indent, 0);
  388. }
  389. static int rsa_priv_print(BIO *bp, const EVP_PKEY *pkey, int indent,
  390. ASN1_PCTX *ctx)
  391. {
  392. return pkey_rsa_print(bp, pkey, indent, 1);
  393. }
  394. static RSA_PSS_PARAMS *rsa_pss_decode(const X509_ALGOR *alg)
  395. {
  396. RSA_PSS_PARAMS *pss;
  397. pss = ASN1_TYPE_unpack_sequence(ASN1_ITEM_rptr(RSA_PSS_PARAMS),
  398. alg->parameter);
  399. if (pss == NULL)
  400. return NULL;
  401. if (pss->maskGenAlgorithm != NULL) {
  402. pss->maskHash = x509_algor_mgf1_decode(pss->maskGenAlgorithm);
  403. if (pss->maskHash == NULL) {
  404. RSA_PSS_PARAMS_free(pss);
  405. return NULL;
  406. }
  407. }
  408. return pss;
  409. }
  410. static int rsa_sig_print(BIO *bp, const X509_ALGOR *sigalg,
  411. const ASN1_STRING *sig, int indent, ASN1_PCTX *pctx)
  412. {
  413. if (OBJ_obj2nid(sigalg->algorithm) == EVP_PKEY_RSA_PSS) {
  414. int rv;
  415. RSA_PSS_PARAMS *pss = rsa_pss_decode(sigalg);
  416. rv = rsa_pss_param_print(bp, 0, pss, indent);
  417. RSA_PSS_PARAMS_free(pss);
  418. if (!rv)
  419. return 0;
  420. } else if (BIO_puts(bp, "\n") <= 0) {
  421. return 0;
  422. }
  423. if (sig)
  424. return X509_signature_dump(bp, sig, indent);
  425. return 1;
  426. }
  427. static int rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
  428. {
  429. X509_ALGOR *alg = NULL;
  430. const EVP_MD *md;
  431. const EVP_MD *mgf1md;
  432. int min_saltlen;
  433. switch (op) {
  434. case ASN1_PKEY_CTRL_PKCS7_SIGN:
  435. if (arg1 == 0)
  436. PKCS7_SIGNER_INFO_get0_algs(arg2, NULL, NULL, &alg);
  437. break;
  438. case ASN1_PKEY_CTRL_PKCS7_ENCRYPT:
  439. if (pkey_is_pss(pkey))
  440. return -2;
  441. if (arg1 == 0)
  442. PKCS7_RECIP_INFO_get0_alg(arg2, &alg);
  443. break;
  444. case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
  445. if (pkey->pkey.rsa->pss != NULL) {
  446. if (!rsa_pss_get_param(pkey->pkey.rsa->pss, &md, &mgf1md,
  447. &min_saltlen)) {
  448. RSAerr(0, ERR_R_INTERNAL_ERROR);
  449. return 0;
  450. }
  451. *(int *)arg2 = EVP_MD_type(md);
  452. /* Return of 2 indicates this MD is mandatory */
  453. return 2;
  454. }
  455. *(int *)arg2 = NID_sha256;
  456. return 1;
  457. default:
  458. return -2;
  459. }
  460. if (alg)
  461. X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption), V_ASN1_NULL, 0);
  462. return 1;
  463. }
  464. /*
  465. * Convert EVP_PKEY_CTX in PSS mode into corresponding algorithm parameter,
  466. * suitable for setting an AlgorithmIdentifier.
  467. */
  468. static RSA_PSS_PARAMS *rsa_ctx_to_pss(EVP_PKEY_CTX *pkctx)
  469. {
  470. const EVP_MD *sigmd, *mgf1md;
  471. EVP_PKEY *pk = EVP_PKEY_CTX_get0_pkey(pkctx);
  472. int saltlen;
  473. if (EVP_PKEY_CTX_get_signature_md(pkctx, &sigmd) <= 0)
  474. return NULL;
  475. if (EVP_PKEY_CTX_get_rsa_mgf1_md(pkctx, &mgf1md) <= 0)
  476. return NULL;
  477. if (!EVP_PKEY_CTX_get_rsa_pss_saltlen(pkctx, &saltlen))
  478. return NULL;
  479. if (saltlen == -1) {
  480. saltlen = EVP_MD_size(sigmd);
  481. } else if (saltlen == -2 || saltlen == -3) {
  482. saltlen = EVP_PKEY_size(pk) - EVP_MD_size(sigmd) - 2;
  483. if ((EVP_PKEY_bits(pk) & 0x7) == 1)
  484. saltlen--;
  485. if (saltlen < 0)
  486. return NULL;
  487. }
  488. return rsa_pss_params_create(sigmd, mgf1md, saltlen);
  489. }
  490. RSA_PSS_PARAMS *rsa_pss_params_create(const EVP_MD *sigmd,
  491. const EVP_MD *mgf1md, int saltlen)
  492. {
  493. RSA_PSS_PARAMS *pss = RSA_PSS_PARAMS_new();
  494. if (pss == NULL)
  495. goto err;
  496. if (saltlen != 20) {
  497. pss->saltLength = ASN1_INTEGER_new();
  498. if (pss->saltLength == NULL)
  499. goto err;
  500. if (!ASN1_INTEGER_set(pss->saltLength, saltlen))
  501. goto err;
  502. }
  503. if (!x509_algor_new_from_md(&pss->hashAlgorithm, sigmd))
  504. goto err;
  505. if (mgf1md == NULL)
  506. mgf1md = sigmd;
  507. if (!x509_algor_md_to_mgf1(&pss->maskGenAlgorithm, mgf1md))
  508. goto err;
  509. if (!x509_algor_new_from_md(&pss->maskHash, mgf1md))
  510. goto err;
  511. return pss;
  512. err:
  513. RSA_PSS_PARAMS_free(pss);
  514. return NULL;
  515. }
  516. ASN1_STRING *ossl_rsa_ctx_to_pss_string(EVP_PKEY_CTX *pkctx)
  517. {
  518. RSA_PSS_PARAMS *pss = rsa_ctx_to_pss(pkctx);
  519. ASN1_STRING *os;
  520. if (pss == NULL)
  521. return NULL;
  522. os = ASN1_item_pack(pss, ASN1_ITEM_rptr(RSA_PSS_PARAMS), NULL);
  523. RSA_PSS_PARAMS_free(pss);
  524. return os;
  525. }
  526. /*
  527. * From PSS AlgorithmIdentifier set public key parameters. If pkey isn't NULL
  528. * then the EVP_MD_CTX is setup and initialised. If it is NULL parameters are
  529. * passed to pkctx instead.
  530. */
  531. int ossl_rsa_pss_to_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pkctx,
  532. const X509_ALGOR *sigalg, EVP_PKEY *pkey)
  533. {
  534. int rv = -1;
  535. int saltlen;
  536. const EVP_MD *mgf1md = NULL, *md = NULL;
  537. RSA_PSS_PARAMS *pss;
  538. /* Sanity check: make sure it is PSS */
  539. if (OBJ_obj2nid(sigalg->algorithm) != EVP_PKEY_RSA_PSS) {
  540. RSAerr(0, RSA_R_UNSUPPORTED_SIGNATURE_TYPE);
  541. return -1;
  542. }
  543. /* Decode PSS parameters */
  544. pss = rsa_pss_decode(sigalg);
  545. if (!rsa_pss_get_param(pss, &md, &mgf1md, &saltlen)) {
  546. RSAerr(0, RSA_R_INVALID_PSS_PARAMETERS);
  547. goto err;
  548. }
  549. /* We have all parameters now set up context */
  550. if (pkey) {
  551. if (!EVP_DigestVerifyInit(ctx, &pkctx, md, NULL, pkey))
  552. goto err;
  553. } else {
  554. const EVP_MD *checkmd;
  555. if (EVP_PKEY_CTX_get_signature_md(pkctx, &checkmd) <= 0)
  556. goto err;
  557. if (EVP_MD_type(md) != EVP_MD_type(checkmd)) {
  558. RSAerr(0, RSA_R_DIGEST_DOES_NOT_MATCH);
  559. goto err;
  560. }
  561. }
  562. if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_PSS_PADDING) <= 0)
  563. goto err;
  564. if (EVP_PKEY_CTX_set_rsa_pss_saltlen(pkctx, saltlen) <= 0)
  565. goto err;
  566. if (EVP_PKEY_CTX_set_rsa_mgf1_md(pkctx, mgf1md) <= 0)
  567. goto err;
  568. /* Carry on */
  569. rv = 1;
  570. err:
  571. RSA_PSS_PARAMS_free(pss);
  572. return rv;
  573. }
  574. static int rsa_pss_verify_param(const EVP_MD **pmd, const EVP_MD **pmgf1md,
  575. int *psaltlen, int *ptrailerField)
  576. {
  577. if (psaltlen != NULL && *psaltlen < 0) {
  578. ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_SALT_LENGTH);
  579. return 0;
  580. }
  581. /*
  582. * low-level routines support only trailer field 0xbc (value 1) and
  583. * PKCS#1 says we should reject any other value anyway.
  584. */
  585. if (ptrailerField != NULL && *ptrailerField != 1) {
  586. ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_TRAILER);
  587. return 0;
  588. }
  589. return 1;
  590. }
  591. static int rsa_pss_get_param_unverified(const RSA_PSS_PARAMS *pss,
  592. const EVP_MD **pmd,
  593. const EVP_MD **pmgf1md,
  594. int *psaltlen, int *ptrailerField)
  595. {
  596. RSA_PSS_PARAMS_30 pss_params;
  597. /* Get the defaults from the ONE place */
  598. (void)ossl_rsa_pss_params_30_set_defaults(&pss_params);
  599. if (pss == NULL)
  600. return 0;
  601. *pmd = x509_algor_get_md(pss->hashAlgorithm);
  602. if (*pmd == NULL)
  603. return 0;
  604. *pmgf1md = x509_algor_get_md(pss->maskHash);
  605. if (*pmgf1md == NULL)
  606. return 0;
  607. if (pss->saltLength)
  608. *psaltlen = ASN1_INTEGER_get(pss->saltLength);
  609. else
  610. *psaltlen = ossl_rsa_pss_params_30_saltlen(&pss_params);
  611. if (pss->trailerField)
  612. *ptrailerField = ASN1_INTEGER_get(pss->trailerField);
  613. else
  614. *ptrailerField = ossl_rsa_pss_params_30_trailerfield(&pss_params);;
  615. return 1;
  616. }
  617. int rsa_pss_get_param(const RSA_PSS_PARAMS *pss, const EVP_MD **pmd,
  618. const EVP_MD **pmgf1md, int *psaltlen)
  619. {
  620. /*
  621. * Callers do not care about the trailer field, and yet, we must
  622. * pass it from get_param to verify_param, since the latter checks
  623. * its value.
  624. *
  625. * When callers start caring, it's a simple thing to add another
  626. * argument to this function.
  627. */
  628. int trailerField = 0;
  629. return rsa_pss_get_param_unverified(pss, pmd, pmgf1md, psaltlen,
  630. &trailerField)
  631. && rsa_pss_verify_param(pmd, pmgf1md, psaltlen, &trailerField);
  632. }
  633. static int rsa_sync_to_pss_params_30(RSA *rsa)
  634. {
  635. if (rsa != NULL && rsa->pss != NULL) {
  636. const EVP_MD *md = NULL, *mgf1md = NULL;
  637. int md_nid, mgf1md_nid, saltlen, trailerField;
  638. RSA_PSS_PARAMS_30 pss_params;
  639. /*
  640. * We don't care about the validity of the fields here, we just
  641. * want to synchronise values. Verifying here makes it impossible
  642. * to even read a key with invalid values, making it hard to test
  643. * a bad situation.
  644. *
  645. * Other routines use rsa_pss_get_param(), so the values will be
  646. * checked, eventually.
  647. */
  648. if (!rsa_pss_get_param_unverified(rsa->pss, &md, &mgf1md,
  649. &saltlen, &trailerField))
  650. return 0;
  651. md_nid = EVP_MD_type(md);
  652. mgf1md_nid = EVP_MD_type(mgf1md);
  653. if (!ossl_rsa_pss_params_30_set_defaults(&pss_params)
  654. || !ossl_rsa_pss_params_30_set_hashalg(&pss_params, md_nid)
  655. || !ossl_rsa_pss_params_30_set_maskgenhashalg(&pss_params,
  656. mgf1md_nid)
  657. || !ossl_rsa_pss_params_30_set_saltlen(&pss_params, saltlen)
  658. || !ossl_rsa_pss_params_30_set_trailerfield(&pss_params,
  659. trailerField))
  660. return 0;
  661. rsa->pss_params = pss_params;
  662. }
  663. return 1;
  664. }
  665. /*
  666. * Customised RSA item verification routine. This is called when a signature
  667. * is encountered requiring special handling. We currently only handle PSS.
  668. */
  669. static int rsa_item_verify(EVP_MD_CTX *ctx, const ASN1_ITEM *it,
  670. const void *asn, const X509_ALGOR *sigalg,
  671. const ASN1_BIT_STRING *sig, EVP_PKEY *pkey)
  672. {
  673. /* Sanity check: make sure it is PSS */
  674. if (OBJ_obj2nid(sigalg->algorithm) != EVP_PKEY_RSA_PSS) {
  675. RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_UNSUPPORTED_SIGNATURE_TYPE);
  676. return -1;
  677. }
  678. if (ossl_rsa_pss_to_ctx(ctx, NULL, sigalg, pkey) > 0) {
  679. /* Carry on */
  680. return 2;
  681. }
  682. return -1;
  683. }
  684. static int rsa_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, const void *asn,
  685. X509_ALGOR *alg1, X509_ALGOR *alg2,
  686. ASN1_BIT_STRING *sig)
  687. {
  688. int pad_mode;
  689. EVP_PKEY_CTX *pkctx = EVP_MD_CTX_pkey_ctx(ctx);
  690. if (EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode) <= 0)
  691. return 0;
  692. if (pad_mode == RSA_PKCS1_PADDING)
  693. return 2;
  694. if (pad_mode == RSA_PKCS1_PSS_PADDING) {
  695. ASN1_STRING *os1 = NULL;
  696. os1 = ossl_rsa_ctx_to_pss_string(pkctx);
  697. if (!os1)
  698. return 0;
  699. /* Duplicate parameters if we have to */
  700. if (alg2) {
  701. ASN1_STRING *os2 = ASN1_STRING_dup(os1);
  702. if (!os2) {
  703. ASN1_STRING_free(os1);
  704. return 0;
  705. }
  706. X509_ALGOR_set0(alg2, OBJ_nid2obj(EVP_PKEY_RSA_PSS),
  707. V_ASN1_SEQUENCE, os2);
  708. }
  709. X509_ALGOR_set0(alg1, OBJ_nid2obj(EVP_PKEY_RSA_PSS),
  710. V_ASN1_SEQUENCE, os1);
  711. return 3;
  712. }
  713. return 2;
  714. }
  715. static int rsa_sig_info_set(X509_SIG_INFO *siginf, const X509_ALGOR *sigalg,
  716. const ASN1_STRING *sig)
  717. {
  718. int rv = 0;
  719. int mdnid, saltlen;
  720. uint32_t flags;
  721. const EVP_MD *mgf1md = NULL, *md = NULL;
  722. RSA_PSS_PARAMS *pss;
  723. int secbits;
  724. /* Sanity check: make sure it is PSS */
  725. if (OBJ_obj2nid(sigalg->algorithm) != EVP_PKEY_RSA_PSS)
  726. return 0;
  727. /* Decode PSS parameters */
  728. pss = rsa_pss_decode(sigalg);
  729. if (!rsa_pss_get_param(pss, &md, &mgf1md, &saltlen))
  730. goto err;
  731. mdnid = EVP_MD_type(md);
  732. /*
  733. * For TLS need SHA256, SHA384 or SHA512, digest and MGF1 digest must
  734. * match and salt length must equal digest size
  735. */
  736. if ((mdnid == NID_sha256 || mdnid == NID_sha384 || mdnid == NID_sha512)
  737. && mdnid == EVP_MD_type(mgf1md) && saltlen == EVP_MD_size(md))
  738. flags = X509_SIG_INFO_TLS;
  739. else
  740. flags = 0;
  741. /* Note: security bits half number of digest bits */
  742. secbits = EVP_MD_size(md) * 4;
  743. /*
  744. * SHA1 and MD5 are known to be broken. Reduce security bits so that
  745. * they're no longer accepted at security level 1. The real values don't
  746. * really matter as long as they're lower than 80, which is our security
  747. * level 1.
  748. * https://eprint.iacr.org/2020/014 puts a chosen-prefix attack for SHA1 at
  749. * 2^63.4
  750. * https://documents.epfl.ch/users/l/le/lenstra/public/papers/lat.pdf
  751. * puts a chosen-prefix attack for MD5 at 2^39.
  752. */
  753. if (mdnid == NID_sha1)
  754. secbits = 64;
  755. else if (mdnid == NID_md5_sha1)
  756. secbits = 68;
  757. else if (mdnid == NID_md5)
  758. secbits = 39;
  759. X509_SIG_INFO_set(siginf, mdnid, EVP_PKEY_RSA_PSS, secbits,
  760. flags);
  761. rv = 1;
  762. err:
  763. RSA_PSS_PARAMS_free(pss);
  764. return rv;
  765. }
  766. static int rsa_pkey_check(const EVP_PKEY *pkey)
  767. {
  768. return RSA_check_key_ex(pkey->pkey.rsa, NULL);
  769. }
  770. static size_t rsa_pkey_dirty_cnt(const EVP_PKEY *pkey)
  771. {
  772. return pkey->pkey.rsa->dirty_cnt;
  773. }
  774. /*
  775. * For the moment, we trust the call path, where keys going through
  776. * rsa_pkey_export_to() match a KEYMGMT for the "RSA" keytype, while
  777. * keys going through rsa_pss_pkey_export_to() match a KEYMGMT for the
  778. * "RSA-PSS" keytype.
  779. * TODO(3.0) Investigate whether we should simply continue to trust the
  780. * call path, or if we should strengthen this function by checking that
  781. * |rsa_type| matches the RSA key subtype. The latter requires ensuring
  782. * that the type flag for the RSA key is properly set by other functions
  783. * in this file.
  784. */
  785. static int rsa_int_export_to(const EVP_PKEY *from, int rsa_type,
  786. void *to_keydata, EVP_KEYMGMT *to_keymgmt,
  787. OSSL_LIB_CTX *libctx, const char *propq)
  788. {
  789. RSA *rsa = from->pkey.rsa;
  790. OSSL_PARAM_BLD *tmpl = OSSL_PARAM_BLD_new();
  791. OSSL_PARAM *params = NULL;
  792. int selection = 0;
  793. int rv = 0;
  794. if (tmpl == NULL)
  795. return 0;
  796. /*
  797. * If the RSA method is foreign, then we can't be sure of anything, and
  798. * can therefore not export or pretend to export.
  799. */
  800. if (RSA_get_method(rsa) != RSA_PKCS1_OpenSSL())
  801. goto err;
  802. /* Public parameters must always be present */
  803. if (RSA_get0_n(rsa) == NULL || RSA_get0_e(rsa) == NULL)
  804. goto err;
  805. if (!ossl_rsa_todata(rsa, tmpl, NULL))
  806. goto err;
  807. selection |= OSSL_KEYMGMT_SELECT_PUBLIC_KEY;
  808. if (RSA_get0_d(rsa) != NULL)
  809. selection |= OSSL_KEYMGMT_SELECT_PRIVATE_KEY;
  810. if (rsa->pss != NULL) {
  811. const EVP_MD *md = NULL, *mgf1md = NULL;
  812. int md_nid, mgf1md_nid, saltlen, trailerfield;
  813. RSA_PSS_PARAMS_30 pss_params;
  814. if (!rsa_pss_get_param_unverified(rsa->pss, &md, &mgf1md,
  815. &saltlen, &trailerfield))
  816. goto err;
  817. md_nid = EVP_MD_type(md);
  818. mgf1md_nid = EVP_MD_type(mgf1md);
  819. if (!ossl_rsa_pss_params_30_set_defaults(&pss_params)
  820. || !ossl_rsa_pss_params_30_set_hashalg(&pss_params, md_nid)
  821. || !ossl_rsa_pss_params_30_set_maskgenhashalg(&pss_params,
  822. mgf1md_nid)
  823. || !ossl_rsa_pss_params_30_set_saltlen(&pss_params, saltlen)
  824. || !ossl_rsa_pss_params_30_todata(&pss_params, tmpl, NULL))
  825. goto err;
  826. selection |= OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS;
  827. }
  828. if ((params = OSSL_PARAM_BLD_to_param(tmpl)) == NULL)
  829. goto err;
  830. /* We export, the provider imports */
  831. rv = evp_keymgmt_import(to_keymgmt, to_keydata, selection, params);
  832. err:
  833. OSSL_PARAM_BLD_free_params(params);
  834. OSSL_PARAM_BLD_free(tmpl);
  835. return rv;
  836. }
  837. static int rsa_int_import_from(const OSSL_PARAM params[], void *vpctx,
  838. int rsa_type)
  839. {
  840. EVP_PKEY_CTX *pctx = vpctx;
  841. EVP_PKEY *pkey = EVP_PKEY_CTX_get0_pkey(pctx);
  842. RSA *rsa = ossl_rsa_new_with_ctx(pctx->libctx);
  843. RSA_PSS_PARAMS_30 rsa_pss_params = { 0, };
  844. int ok = 0;
  845. if (rsa == NULL) {
  846. ERR_raise(ERR_LIB_DH, ERR_R_MALLOC_FAILURE);
  847. return 0;
  848. }
  849. RSA_clear_flags(rsa, RSA_FLAG_TYPE_MASK);
  850. RSA_set_flags(rsa, rsa_type);
  851. if (!ossl_rsa_pss_params_30_fromdata(&rsa_pss_params, params, pctx->libctx))
  852. goto err;
  853. switch (rsa_type) {
  854. case RSA_FLAG_TYPE_RSA:
  855. /*
  856. * Were PSS parameters filled in?
  857. * In that case, something's wrong
  858. */
  859. if (!ossl_rsa_pss_params_30_is_unrestricted(&rsa_pss_params))
  860. goto err;
  861. break;
  862. case RSA_FLAG_TYPE_RSASSAPSS:
  863. /*
  864. * Were PSS parameters filled in? In that case, create the old
  865. * RSA_PSS_PARAMS structure. Otherwise, this is an unrestricted key.
  866. */
  867. if (!ossl_rsa_pss_params_30_is_unrestricted(&rsa_pss_params)) {
  868. /* Create the older RSA_PSS_PARAMS from RSA_PSS_PARAMS_30 data */
  869. int mdnid = ossl_rsa_pss_params_30_hashalg(&rsa_pss_params);
  870. int mgf1mdnid = ossl_rsa_pss_params_30_maskgenhashalg(&rsa_pss_params);
  871. int saltlen = ossl_rsa_pss_params_30_saltlen(&rsa_pss_params);
  872. const EVP_MD *md = EVP_get_digestbynid(mdnid);
  873. const EVP_MD *mgf1md = EVP_get_digestbynid(mgf1mdnid);
  874. if ((rsa->pss = rsa_pss_params_create(md, mgf1md, saltlen)) == NULL)
  875. goto err;
  876. }
  877. break;
  878. default:
  879. /* RSA key sub-types we don't know how to handle yet */
  880. goto err;
  881. }
  882. if (!ossl_rsa_fromdata(rsa, params))
  883. goto err;
  884. switch (rsa_type) {
  885. case RSA_FLAG_TYPE_RSA:
  886. ok = EVP_PKEY_assign_RSA(pkey, rsa);
  887. break;
  888. case RSA_FLAG_TYPE_RSASSAPSS:
  889. ok = EVP_PKEY_assign(pkey, EVP_PKEY_RSA_PSS, rsa);
  890. break;
  891. }
  892. err:
  893. if (!ok)
  894. RSA_free(rsa);
  895. return ok;
  896. }
  897. static int rsa_pkey_export_to(const EVP_PKEY *from, void *to_keydata,
  898. EVP_KEYMGMT *to_keymgmt, OSSL_LIB_CTX *libctx,
  899. const char *propq)
  900. {
  901. return rsa_int_export_to(from, RSA_FLAG_TYPE_RSA, to_keydata,
  902. to_keymgmt, libctx, propq);
  903. }
  904. static int rsa_pss_pkey_export_to(const EVP_PKEY *from, void *to_keydata,
  905. EVP_KEYMGMT *to_keymgmt, OSSL_LIB_CTX *libctx,
  906. const char *propq)
  907. {
  908. return rsa_int_export_to(from, RSA_FLAG_TYPE_RSASSAPSS, to_keydata,
  909. to_keymgmt, libctx, propq);
  910. }
  911. static int rsa_pkey_import_from(const OSSL_PARAM params[], void *vpctx)
  912. {
  913. return rsa_int_import_from(params, vpctx, RSA_FLAG_TYPE_RSA);
  914. }
  915. static int rsa_pss_pkey_import_from(const OSSL_PARAM params[], void *vpctx)
  916. {
  917. return rsa_int_import_from(params, vpctx, RSA_FLAG_TYPE_RSASSAPSS);
  918. }
  919. const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[2] = {
  920. {
  921. EVP_PKEY_RSA,
  922. EVP_PKEY_RSA,
  923. ASN1_PKEY_SIGPARAM_NULL,
  924. "RSA",
  925. "OpenSSL RSA method",
  926. rsa_pub_decode,
  927. rsa_pub_encode,
  928. rsa_pub_cmp,
  929. rsa_pub_print,
  930. rsa_priv_decode,
  931. rsa_priv_encode,
  932. rsa_priv_print,
  933. int_rsa_size,
  934. rsa_bits,
  935. rsa_security_bits,
  936. 0, 0, 0, 0, 0, 0,
  937. rsa_sig_print,
  938. int_rsa_free,
  939. rsa_pkey_ctrl,
  940. old_rsa_priv_decode,
  941. old_rsa_priv_encode,
  942. rsa_item_verify,
  943. rsa_item_sign,
  944. rsa_sig_info_set,
  945. rsa_pkey_check,
  946. 0, 0,
  947. 0, 0, 0, 0,
  948. rsa_pkey_dirty_cnt,
  949. rsa_pkey_export_to,
  950. rsa_pkey_import_from
  951. },
  952. {
  953. EVP_PKEY_RSA2,
  954. EVP_PKEY_RSA,
  955. ASN1_PKEY_ALIAS}
  956. };
  957. const EVP_PKEY_ASN1_METHOD rsa_pss_asn1_meth = {
  958. EVP_PKEY_RSA_PSS,
  959. EVP_PKEY_RSA_PSS,
  960. ASN1_PKEY_SIGPARAM_NULL,
  961. "RSA-PSS",
  962. "OpenSSL RSA-PSS method",
  963. rsa_pub_decode,
  964. rsa_pub_encode,
  965. rsa_pub_cmp,
  966. rsa_pub_print,
  967. rsa_priv_decode,
  968. rsa_priv_encode,
  969. rsa_priv_print,
  970. int_rsa_size,
  971. rsa_bits,
  972. rsa_security_bits,
  973. 0, 0, 0, 0, 0, 0,
  974. rsa_sig_print,
  975. int_rsa_free,
  976. rsa_pkey_ctrl,
  977. 0, 0,
  978. rsa_item_verify,
  979. rsa_item_sign,
  980. 0,
  981. rsa_pkey_check,
  982. 0, 0,
  983. 0, 0, 0, 0,
  984. rsa_pkey_dirty_cnt,
  985. rsa_pss_pkey_export_to,
  986. rsa_pss_pkey_import_from
  987. };