1 /* $NetBSD: pkcs11rsa_link.c,v 1.8 2023/01/25 21:43:30 christos Exp $ */
2
3 /*
4 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
5 *
6 * SPDX-License-Identifier: MPL-2.0
7 *
8 * This Source Code Form is subject to the terms of the Mozilla Public
9 * License, v. 2.0. If a copy of the MPL was not distributed with this
10 * file, you can obtain one at https://mozilla.org/MPL/2.0/.
11 *
12 * See the COPYRIGHT file distributed with this work for additional
13 * information regarding copyright ownership.
14 */
15
16 /*! \file */
17
18 #if USE_PKCS11
19
20 #include <inttypes.h>
21 #include <stdbool.h>
22
23 #include <isc/mem.h>
24 #include <isc/safe.h>
25 #include <isc/string.h>
26 #include <isc/util.h>
27
28 #include <pk11/internal.h>
29 #include <pk11/site.h>
30
31 #include <dst/result.h>
32
33 #include "dst_internal.h"
34 #include "dst_parse.h"
35 #include "dst_pkcs11.h"
36
37 /*
38 * Limit the size of public exponents.
39 */
40 #ifndef RSA_MAX_PUBEXP_BITS
41 #define RSA_MAX_PUBEXP_BITS 35
42 #endif /* ifndef RSA_MAX_PUBEXP_BITS */
43
44 #define DST_RET(a) \
45 { \
46 ret = a; \
47 goto err; \
48 }
49
50 static CK_BBOOL truevalue = TRUE;
51 static CK_BBOOL falsevalue = FALSE;
52
53 static void
54 pkcs11rsa_destroy(dst_key_t *key);
55
56 #ifndef PK11_RSA_PKCS_REPLACE
57
58 static isc_result_t
pkcs11rsa_createctx_sign(dst_key_t * key,dst_context_t * dctx)59 pkcs11rsa_createctx_sign(dst_key_t *key, dst_context_t *dctx) {
60 CK_RV rv;
61 CK_MECHANISM mech = { 0, NULL, 0 };
62 CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
63 CK_KEY_TYPE keyType = CKK_RSA;
64 CK_ATTRIBUTE keyTemplate[] = {
65 { CKA_CLASS, &keyClass, (CK_ULONG)sizeof(keyClass) },
66 { CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) },
67 { CKA_TOKEN, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
68 { CKA_PRIVATE, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
69 { CKA_SENSITIVE, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
70 { CKA_SIGN, &truevalue, (CK_ULONG)sizeof(truevalue) },
71 { CKA_MODULUS, NULL, 0 },
72 { CKA_PUBLIC_EXPONENT, NULL, 0 },
73 { CKA_PRIVATE_EXPONENT, NULL, 0 },
74 { CKA_PRIME_1, NULL, 0 },
75 { CKA_PRIME_2, NULL, 0 },
76 { CKA_EXPONENT_1, NULL, 0 },
77 { CKA_EXPONENT_2, NULL, 0 },
78 { CKA_COEFFICIENT, NULL, 0 }
79 };
80 CK_ATTRIBUTE *attr;
81 CK_SLOT_ID slotid;
82 pk11_object_t *rsa;
83 pk11_context_t *pk11_ctx;
84 isc_result_t ret;
85 unsigned int i;
86
87 REQUIRE(key->key_alg == DST_ALG_RSASHA1 ||
88 key->key_alg == DST_ALG_NSEC3RSASHA1 ||
89 key->key_alg == DST_ALG_RSASHA256 ||
90 key->key_alg == DST_ALG_RSASHA512);
91
92 /*
93 * Reject incorrect RSA key lengths.
94 */
95 switch (dctx->key->key_alg) {
96 case DST_ALG_RSASHA1:
97 case DST_ALG_NSEC3RSASHA1:
98 /* From RFC 3110 */
99 if (dctx->key->key_size > 4096) {
100 return (ISC_R_FAILURE);
101 }
102 break;
103 case DST_ALG_RSASHA256:
104 /* From RFC 5702 */
105 if ((dctx->key->key_size < 512) || (dctx->key->key_size > 4096))
106 {
107 return (ISC_R_FAILURE);
108 }
109 break;
110 case DST_ALG_RSASHA512:
111 /* From RFC 5702 */
112 if ((dctx->key->key_size < 1024) ||
113 (dctx->key->key_size > 4096))
114 {
115 return (ISC_R_FAILURE);
116 }
117 break;
118 default:
119 UNREACHABLE();
120 }
121
122 rsa = key->keydata.pkey;
123
124 pk11_ctx = isc_mem_get(dctx->mctx, sizeof(*pk11_ctx));
125 memset(pk11_ctx, 0, sizeof(*pk11_ctx));
126 if (rsa->ontoken) {
127 slotid = rsa->slot;
128 } else {
129 slotid = pk11_get_best_token(OP_RSA);
130 }
131 ret = pk11_get_session(pk11_ctx, OP_RSA, true, false, rsa->reqlogon,
132 NULL, slotid);
133 if (ret != ISC_R_SUCCESS) {
134 goto err;
135 }
136
137 if (rsa->ontoken && (rsa->object != CK_INVALID_HANDLE)) {
138 pk11_ctx->ontoken = rsa->ontoken;
139 pk11_ctx->object = rsa->object;
140 goto token_key;
141 }
142
143 for (attr = pk11_attribute_first(rsa); attr != NULL;
144 attr = pk11_attribute_next(rsa, attr))
145 {
146 switch (attr->type) {
147 case CKA_MODULUS:
148 INSIST(keyTemplate[6].type == attr->type);
149 keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
150 attr->ulValueLen);
151 memmove(keyTemplate[6].pValue, attr->pValue,
152 attr->ulValueLen);
153 keyTemplate[6].ulValueLen = attr->ulValueLen;
154 break;
155 case CKA_PUBLIC_EXPONENT:
156 INSIST(keyTemplate[7].type == attr->type);
157 keyTemplate[7].pValue = isc_mem_get(dctx->mctx,
158 attr->ulValueLen);
159 memmove(keyTemplate[7].pValue, attr->pValue,
160 attr->ulValueLen);
161 keyTemplate[7].ulValueLen = attr->ulValueLen;
162 break;
163 case CKA_PRIVATE_EXPONENT:
164 INSIST(keyTemplate[8].type == attr->type);
165 keyTemplate[8].pValue = isc_mem_get(dctx->mctx,
166 attr->ulValueLen);
167 memmove(keyTemplate[8].pValue, attr->pValue,
168 attr->ulValueLen);
169 keyTemplate[8].ulValueLen = attr->ulValueLen;
170 break;
171 case CKA_PRIME_1:
172 INSIST(keyTemplate[9].type == attr->type);
173 keyTemplate[9].pValue = isc_mem_get(dctx->mctx,
174 attr->ulValueLen);
175 memmove(keyTemplate[9].pValue, attr->pValue,
176 attr->ulValueLen);
177 keyTemplate[9].ulValueLen = attr->ulValueLen;
178 break;
179 case CKA_PRIME_2:
180 INSIST(keyTemplate[10].type == attr->type);
181 keyTemplate[10].pValue = isc_mem_get(dctx->mctx,
182 attr->ulValueLen);
183 memmove(keyTemplate[10].pValue, attr->pValue,
184 attr->ulValueLen);
185 keyTemplate[10].ulValueLen = attr->ulValueLen;
186 break;
187 case CKA_EXPONENT_1:
188 INSIST(keyTemplate[11].type == attr->type);
189 keyTemplate[11].pValue = isc_mem_get(dctx->mctx,
190 attr->ulValueLen);
191 memmove(keyTemplate[11].pValue, attr->pValue,
192 attr->ulValueLen);
193 keyTemplate[11].ulValueLen = attr->ulValueLen;
194 break;
195 case CKA_EXPONENT_2:
196 INSIST(keyTemplate[12].type == attr->type);
197 keyTemplate[12].pValue = isc_mem_get(dctx->mctx,
198 attr->ulValueLen);
199 memmove(keyTemplate[12].pValue, attr->pValue,
200 attr->ulValueLen);
201 keyTemplate[12].ulValueLen = attr->ulValueLen;
202 break;
203 case CKA_COEFFICIENT:
204 INSIST(keyTemplate[13].type == attr->type);
205 keyTemplate[13].pValue = isc_mem_get(dctx->mctx,
206 attr->ulValueLen);
207 memmove(keyTemplate[13].pValue, attr->pValue,
208 attr->ulValueLen);
209 keyTemplate[13].ulValueLen = attr->ulValueLen;
210 break;
211 }
212 }
213 pk11_ctx->object = CK_INVALID_HANDLE;
214 pk11_ctx->ontoken = false;
215 PK11_RET(pkcs_C_CreateObject,
216 (pk11_ctx->session, keyTemplate, (CK_ULONG)14,
217 &pk11_ctx->object),
218 ISC_R_FAILURE);
219
220 token_key:
221
222 switch (dctx->key->key_alg) {
223 case DST_ALG_RSASHA1:
224 case DST_ALG_NSEC3RSASHA1:
225 mech.mechanism = CKM_SHA1_RSA_PKCS;
226 break;
227 case DST_ALG_RSASHA256:
228 mech.mechanism = CKM_SHA256_RSA_PKCS;
229 break;
230 case DST_ALG_RSASHA512:
231 mech.mechanism = CKM_SHA512_RSA_PKCS;
232 break;
233 default:
234 UNREACHABLE();
235 }
236
237 PK11_RET(pkcs_C_SignInit, (pk11_ctx->session, &mech, pk11_ctx->object),
238 ISC_R_FAILURE);
239
240 dctx->ctxdata.pk11_ctx = pk11_ctx;
241
242 for (i = 6; i <= 13; i++) {
243 if (keyTemplate[i].pValue != NULL) {
244 {
245 isc_safe_memwipe(keyTemplate[i].pValue,
246 keyTemplate[i].ulValueLen);
247 isc_mem_put(dctx->mctx, keyTemplate[i].pValue,
248 keyTemplate[i].ulValueLen);
249 }
250 }
251 }
252
253 return (ISC_R_SUCCESS);
254
255 err:
256 if (!pk11_ctx->ontoken && (pk11_ctx->object != CK_INVALID_HANDLE)) {
257 (void)pkcs_C_DestroyObject(pk11_ctx->session, pk11_ctx->object);
258 }
259 for (i = 6; i <= 13; i++) {
260 if (keyTemplate[i].pValue != NULL) {
261 {
262 isc_safe_memwipe(keyTemplate[i].pValue,
263 keyTemplate[i].ulValueLen);
264 isc_mem_put(dctx->mctx, keyTemplate[i].pValue,
265 keyTemplate[i].ulValueLen);
266 }
267 }
268 }
269 pk11_return_session(pk11_ctx);
270 isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
271 isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
272
273 return (ret);
274 }
275
276 static isc_result_t
pkcs11rsa_createctx_verify(dst_key_t * key,unsigned int maxbits,dst_context_t * dctx)277 pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits,
278 dst_context_t *dctx) {
279 CK_RV rv;
280 CK_MECHANISM mech = { 0, NULL, 0 };
281 CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY;
282 CK_KEY_TYPE keyType = CKK_RSA;
283 CK_ATTRIBUTE keyTemplate[] = {
284 { CKA_CLASS, &keyClass, (CK_ULONG)sizeof(keyClass) },
285 { CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) },
286 { CKA_TOKEN, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
287 { CKA_PRIVATE, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
288 { CKA_VERIFY, &truevalue, (CK_ULONG)sizeof(truevalue) },
289 { CKA_MODULUS, NULL, 0 },
290 { CKA_PUBLIC_EXPONENT, NULL, 0 },
291 };
292 CK_ATTRIBUTE *attr;
293 pk11_object_t *rsa;
294 pk11_context_t *pk11_ctx;
295 isc_result_t ret;
296 unsigned int i;
297
298 REQUIRE(key->key_alg == DST_ALG_RSASHA1 ||
299 key->key_alg == DST_ALG_NSEC3RSASHA1 ||
300 key->key_alg == DST_ALG_RSASHA256 ||
301 key->key_alg == DST_ALG_RSASHA512);
302 REQUIRE(maxbits <= RSA_MAX_PUBEXP_BITS);
303
304 /*
305 * Reject incorrect RSA key lengths.
306 */
307 switch (dctx->key->key_alg) {
308 case DST_ALG_RSASHA1:
309 case DST_ALG_NSEC3RSASHA1:
310 /* From RFC 3110 */
311 if (dctx->key->key_size > 4096) {
312 return (ISC_R_FAILURE);
313 }
314 break;
315 case DST_ALG_RSASHA256:
316 /* From RFC 5702 */
317 if ((dctx->key->key_size < 512) || (dctx->key->key_size > 4096))
318 {
319 return (ISC_R_FAILURE);
320 }
321 break;
322 case DST_ALG_RSASHA512:
323 /* From RFC 5702 */
324 if ((dctx->key->key_size < 1024) ||
325 (dctx->key->key_size > 4096))
326 {
327 return (ISC_R_FAILURE);
328 }
329 break;
330 default:
331 UNREACHABLE();
332 }
333
334 rsa = key->keydata.pkey;
335
336 pk11_ctx = isc_mem_get(dctx->mctx, sizeof(*pk11_ctx));
337 ret = pk11_get_session(pk11_ctx, OP_RSA, true, false, rsa->reqlogon,
338 NULL, pk11_get_best_token(OP_RSA));
339 if (ret != ISC_R_SUCCESS) {
340 goto err;
341 }
342
343 for (attr = pk11_attribute_first(rsa); attr != NULL;
344 attr = pk11_attribute_next(rsa, attr))
345 {
346 unsigned int bits;
347
348 switch (attr->type) {
349 case CKA_MODULUS:
350 INSIST(keyTemplate[5].type == attr->type);
351 keyTemplate[5].pValue = isc_mem_get(dctx->mctx,
352 attr->ulValueLen);
353 memmove(keyTemplate[5].pValue, attr->pValue,
354 attr->ulValueLen);
355 keyTemplate[5].ulValueLen = attr->ulValueLen;
356 break;
357 case CKA_PUBLIC_EXPONENT:
358 INSIST(keyTemplate[6].type == attr->type);
359 keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
360 attr->ulValueLen);
361 memmove(keyTemplate[6].pValue, attr->pValue,
362 attr->ulValueLen);
363 keyTemplate[6].ulValueLen = attr->ulValueLen;
364 ret = pk11_numbits(attr->pValue, attr->ulValueLen,
365 &bits);
366 if (ret != ISC_R_SUCCESS ||
367 (bits > maxbits && maxbits != 0))
368 {
369 DST_RET(DST_R_VERIFYFAILURE);
370 }
371 break;
372 }
373 }
374 pk11_ctx->object = CK_INVALID_HANDLE;
375 pk11_ctx->ontoken = false;
376 PK11_RET(pkcs_C_CreateObject,
377 (pk11_ctx->session, keyTemplate, (CK_ULONG)7,
378 &pk11_ctx->object),
379 ISC_R_FAILURE);
380
381 switch (dctx->key->key_alg) {
382 case DST_ALG_RSASHA1:
383 case DST_ALG_NSEC3RSASHA1:
384 mech.mechanism = CKM_SHA1_RSA_PKCS;
385 break;
386 case DST_ALG_RSASHA256:
387 mech.mechanism = CKM_SHA256_RSA_PKCS;
388 break;
389 case DST_ALG_RSASHA512:
390 mech.mechanism = CKM_SHA512_RSA_PKCS;
391 break;
392 default:
393 UNREACHABLE();
394 }
395
396 PK11_RET(pkcs_C_VerifyInit,
397 (pk11_ctx->session, &mech, pk11_ctx->object), ISC_R_FAILURE);
398
399 dctx->ctxdata.pk11_ctx = pk11_ctx;
400
401 for (i = 5; i <= 6; i++) {
402 if (keyTemplate[i].pValue != NULL) {
403 {
404 isc_safe_memwipe(keyTemplate[i].pValue,
405 keyTemplate[i].ulValueLen);
406 isc_mem_put(dctx->mctx, keyTemplate[i].pValue,
407 keyTemplate[i].ulValueLen);
408 }
409 }
410 }
411
412 return (ISC_R_SUCCESS);
413
414 err:
415 if (!pk11_ctx->ontoken && (pk11_ctx->object != CK_INVALID_HANDLE)) {
416 (void)pkcs_C_DestroyObject(pk11_ctx->session, pk11_ctx->object);
417 }
418 for (i = 5; i <= 6; i++) {
419 if (keyTemplate[i].pValue != NULL) {
420 {
421 isc_safe_memwipe(keyTemplate[i].pValue,
422 keyTemplate[i].ulValueLen);
423 isc_mem_put(dctx->mctx, keyTemplate[i].pValue,
424 keyTemplate[i].ulValueLen);
425 }
426 }
427 }
428 pk11_return_session(pk11_ctx);
429 isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
430 isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
431
432 return (ret);
433 }
434
435 static isc_result_t
pkcs11rsa_createctx(dst_key_t * key,dst_context_t * dctx)436 pkcs11rsa_createctx(dst_key_t *key, dst_context_t *dctx) {
437 if (dctx->use == DO_SIGN) {
438 return (pkcs11rsa_createctx_sign(key, dctx));
439 } else {
440 return (pkcs11rsa_createctx_verify(key, 0U, dctx));
441 }
442 }
443
444 static isc_result_t
pkcs11rsa_createctx2(dst_key_t * key,int maxbits,dst_context_t * dctx)445 pkcs11rsa_createctx2(dst_key_t *key, int maxbits, dst_context_t *dctx) {
446 if (dctx->use == DO_SIGN) {
447 return (pkcs11rsa_createctx_sign(key, dctx));
448 } else {
449 return (pkcs11rsa_createctx_verify(key, (unsigned)maxbits,
450 dctx));
451 }
452 }
453
454 static void
pkcs11rsa_destroyctx(dst_context_t * dctx)455 pkcs11rsa_destroyctx(dst_context_t *dctx) {
456 pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
457
458 if (pk11_ctx != NULL) {
459 if (!pk11_ctx->ontoken &&
460 (pk11_ctx->object != CK_INVALID_HANDLE))
461 {
462 (void)pkcs_C_DestroyObject(pk11_ctx->session,
463 pk11_ctx->object);
464 }
465 pk11_return_session(pk11_ctx);
466 isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
467 isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
468 dctx->ctxdata.pk11_ctx = NULL;
469 }
470 }
471
472 static isc_result_t
pkcs11rsa_adddata(dst_context_t * dctx,const isc_region_t * data)473 pkcs11rsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
474 CK_RV rv;
475 pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
476 isc_result_t ret = ISC_R_SUCCESS;
477
478 if (dctx->use == DO_SIGN) {
479 PK11_CALL(pkcs_C_SignUpdate,
480 (pk11_ctx->session, (CK_BYTE_PTR)data->base,
481 (CK_ULONG)data->length),
482 ISC_R_FAILURE);
483 } else {
484 PK11_CALL(pkcs_C_VerifyUpdate,
485 (pk11_ctx->session, (CK_BYTE_PTR)data->base,
486 (CK_ULONG)data->length),
487 ISC_R_FAILURE);
488 }
489 return (ret);
490 }
491
492 static isc_result_t
pkcs11rsa_sign(dst_context_t * dctx,isc_buffer_t * sig)493 pkcs11rsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
494 CK_RV rv;
495 CK_ULONG siglen = 0;
496 isc_region_t r;
497 pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
498 isc_result_t ret = ISC_R_SUCCESS;
499
500 PK11_RET(pkcs_C_SignFinal, (pk11_ctx->session, NULL, &siglen),
501 DST_R_SIGNFAILURE);
502
503 isc_buffer_availableregion(sig, &r);
504
505 if (r.length < (unsigned int)siglen) {
506 return (ISC_R_NOSPACE);
507 }
508
509 PK11_RET(pkcs_C_SignFinal,
510 (pk11_ctx->session, (CK_BYTE_PTR)r.base, &siglen),
511 DST_R_SIGNFAILURE);
512
513 isc_buffer_add(sig, (unsigned int)siglen);
514
515 err:
516 return (ret);
517 }
518
519 static isc_result_t
pkcs11rsa_verify(dst_context_t * dctx,const isc_region_t * sig)520 pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
521 CK_RV rv;
522 pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
523 isc_result_t ret = ISC_R_SUCCESS;
524
525 PK11_CALL(pkcs_C_VerifyFinal,
526 (pk11_ctx->session, (CK_BYTE_PTR)sig->base,
527 (CK_ULONG)sig->length),
528 DST_R_VERIFYFAILURE);
529 return (ret);
530 }
531
532 #else /* ifndef PK11_RSA_PKCS_REPLACE */
533
534 /*
535 * CKM_<hash>_RSA_PKCS mechanisms are not available so fall back
536 * to CKM_RSA_PKCS and do the EMSA-PKCS#1-v1.5 encapsulation by hand.
537 */
538
539 CK_BYTE md5_der[] = { 0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48,
540 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 0x04, 0x10 };
541 CK_BYTE sha1_der[] = { 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e,
542 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14 };
543 CK_BYTE sha256_der[] = { 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60,
544 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02,
545 0x01, 0x05, 0x00, 0x04, 0x20 };
546 CK_BYTE sha512_der[] = { 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60,
547 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02,
548 0x03, 0x05, 0x00, 0x04, 0x40 };
549 #define MAX_DER_SIZE 19
550 #define MIN_PKCS1_PADLEN 11
551
552 static isc_result_t
pkcs11rsa_createctx(dst_key_t * key,dst_context_t * dctx)553 pkcs11rsa_createctx(dst_key_t *key, dst_context_t *dctx) {
554 CK_RV rv;
555 CK_MECHANISM mech = { 0, NULL, 0 };
556 CK_SLOT_ID slotid;
557 pk11_object_t *rsa = key->keydata.pkey;
558 pk11_context_t *pk11_ctx;
559 isc_result_t ret;
560
561 REQUIRE(key->key_alg == DST_ALG_RSASHA1 ||
562 key->key_alg == DST_ALG_NSEC3RSASHA1 ||
563 key->key_alg == DST_ALG_RSASHA256 ||
564 key->key_alg == DST_ALG_RSASHA512);
565 REQUIRE(rsa != NULL);
566
567 /*
568 * Reject incorrect RSA key lengths.
569 */
570 switch (dctx->key->key_alg) {
571 case DST_ALG_RSASHA1:
572 case DST_ALG_NSEC3RSASHA1:
573 /* From RFC 3110 */
574 if (dctx->key->key_size > 4096) {
575 return (ISC_R_FAILURE);
576 }
577 break;
578 case DST_ALG_RSASHA256:
579 /* From RFC 5702 */
580 if ((dctx->key->key_size < 512) || (dctx->key->key_size > 4096))
581 {
582 return (ISC_R_FAILURE);
583 }
584 break;
585 case DST_ALG_RSASHA512:
586 /* From RFC 5702 */
587 if ((dctx->key->key_size < 1024) ||
588 (dctx->key->key_size > 4096))
589 {
590 return (ISC_R_FAILURE);
591 }
592 break;
593 default:
594 UNREACHABLE();
595 }
596
597 switch (key->key_alg) {
598 case DST_ALG_RSASHA1:
599 case DST_ALG_NSEC3RSASHA1:
600 mech.mechanism = CKM_SHA_1;
601 break;
602 case DST_ALG_RSASHA256:
603 mech.mechanism = CKM_SHA256;
604 break;
605 case DST_ALG_RSASHA512:
606 mech.mechanism = CKM_SHA512;
607 break;
608 default:
609 UNREACHABLE();
610 }
611
612 pk11_ctx = isc_mem_get(dctx->mctx, sizeof(*pk11_ctx));
613 memset(pk11_ctx, 0, sizeof(*pk11_ctx));
614 if (rsa->ontoken) {
615 slotid = rsa->slot;
616 } else {
617 slotid = pk11_get_best_token(OP_RSA);
618 }
619 ret = pk11_get_session(pk11_ctx, OP_RSA, true, false, rsa->reqlogon,
620 NULL, slotid);
621 if (ret != ISC_R_SUCCESS) {
622 goto err;
623 }
624
625 PK11_RET(pkcs_C_DigestInit, (pk11_ctx->session, &mech), ISC_R_FAILURE);
626 dctx->ctxdata.pk11_ctx = pk11_ctx;
627 return (ISC_R_SUCCESS);
628
629 err:
630 pk11_return_session(pk11_ctx);
631 isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
632 isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
633
634 return (ret);
635 }
636
637 static void
pkcs11rsa_destroyctx(dst_context_t * dctx)638 pkcs11rsa_destroyctx(dst_context_t *dctx) {
639 CK_BYTE garbage[ISC_SHA512_DIGESTLENGTH];
640 CK_ULONG len = ISC_SHA512_DIGESTLENGTH;
641 pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
642
643 if (pk11_ctx != NULL) {
644 (void)pkcs_C_DigestFinal(pk11_ctx->session, garbage, &len);
645 isc_safe_memwipe(garbage, sizeof(garbage));
646 pk11_return_session(pk11_ctx);
647 isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
648 isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
649 dctx->ctxdata.pk11_ctx = NULL;
650 }
651 }
652
653 static isc_result_t
pkcs11rsa_adddata(dst_context_t * dctx,const isc_region_t * data)654 pkcs11rsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
655 CK_RV rv;
656 pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
657 isc_result_t ret = ISC_R_SUCCESS;
658
659 PK11_CALL(pkcs_C_DigestUpdate,
660 (pk11_ctx->session, (CK_BYTE_PTR)data->base,
661 (CK_ULONG)data->length),
662 ISC_R_FAILURE);
663
664 return (ret);
665 }
666
667 static isc_result_t
pkcs11rsa_sign(dst_context_t * dctx,isc_buffer_t * sig)668 pkcs11rsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
669 CK_RV rv;
670 CK_MECHANISM mech = { CKM_RSA_PKCS, NULL, 0 };
671 CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE;
672 CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
673 CK_KEY_TYPE keyType = CKK_RSA;
674 CK_ATTRIBUTE keyTemplate[] = {
675 { CKA_CLASS, &keyClass, (CK_ULONG)sizeof(keyClass) },
676 { CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) },
677 { CKA_TOKEN, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
678 { CKA_PRIVATE, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
679 { CKA_SENSITIVE, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
680 { CKA_SIGN, &truevalue, (CK_ULONG)sizeof(truevalue) },
681 { CKA_MODULUS, NULL, 0 },
682 { CKA_PUBLIC_EXPONENT, NULL, 0 },
683 { CKA_PRIVATE_EXPONENT, NULL, 0 },
684 { CKA_PRIME_1, NULL, 0 },
685 { CKA_PRIME_2, NULL, 0 },
686 { CKA_EXPONENT_1, NULL, 0 },
687 { CKA_EXPONENT_2, NULL, 0 },
688 { CKA_COEFFICIENT, NULL, 0 }
689 };
690 CK_ATTRIBUTE *attr;
691 CK_BYTE digest[MAX_DER_SIZE + ISC_SHA512_DIGESTLENGTH];
692 CK_BYTE *der;
693 CK_ULONG derlen;
694 CK_ULONG hashlen;
695 CK_ULONG dgstlen;
696 CK_ULONG siglen = 0;
697 pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
698 dst_key_t *key = dctx->key;
699 pk11_object_t *rsa = key->keydata.pkey;
700 isc_region_t r;
701 isc_result_t ret = ISC_R_SUCCESS;
702 unsigned int i;
703
704 REQUIRE(key->key_alg == DST_ALG_RSASHA1 ||
705 key->key_alg == DST_ALG_NSEC3RSASHA1 ||
706 key->key_alg == DST_ALG_RSASHA256 ||
707 key->key_alg == DST_ALG_RSASHA512);
708 REQUIRE(rsa != NULL);
709
710 /*
711 * Reject incorrect RSA key lengths.
712 */
713 switch (dctx->key->key_alg) {
714 case DST_ALG_RSASHA1:
715 case DST_ALG_NSEC3RSASHA1:
716 /* From RFC 3110 */
717 if (dctx->key->key_size > 4096) {
718 return (ISC_R_FAILURE);
719 }
720 break;
721 case DST_ALG_RSASHA256:
722 /* From RFC 5702 */
723 if ((dctx->key->key_size < 512) || (dctx->key->key_size > 4096))
724 {
725 return (ISC_R_FAILURE);
726 }
727 break;
728 case DST_ALG_RSASHA512:
729 /* From RFC 5702 */
730 if ((dctx->key->key_size < 1024) ||
731 (dctx->key->key_size > 4096))
732 {
733 return (ISC_R_FAILURE);
734 }
735 break;
736 default:
737 UNREACHABLE();
738 }
739
740 switch (key->key_alg) {
741 case DST_ALG_RSASHA1:
742 case DST_ALG_NSEC3RSASHA1:
743 der = sha1_der;
744 derlen = sizeof(sha1_der);
745 hashlen = ISC_SHA1_DIGESTLENGTH;
746 break;
747 case DST_ALG_RSASHA256:
748 der = sha256_der;
749 derlen = sizeof(sha256_der);
750 hashlen = ISC_SHA256_DIGESTLENGTH;
751 break;
752 case DST_ALG_RSASHA512:
753 der = sha512_der;
754 derlen = sizeof(sha512_der);
755 hashlen = ISC_SHA512_DIGESTLENGTH;
756 break;
757 default:
758 UNREACHABLE();
759 }
760 dgstlen = derlen + hashlen;
761 INSIST(dgstlen <= sizeof(digest));
762 memmove(digest, der, derlen);
763
764 PK11_RET(pkcs_C_DigestFinal,
765 (pk11_ctx->session, digest + derlen, &hashlen),
766 DST_R_SIGNFAILURE);
767
768 isc_buffer_availableregion(sig, &r);
769 if (r.length < (unsigned int)dgstlen + MIN_PKCS1_PADLEN) {
770 return (ISC_R_NOSPACE);
771 }
772
773 if (rsa->ontoken && (rsa->object != CK_INVALID_HANDLE)) {
774 pk11_ctx->ontoken = rsa->ontoken;
775 pk11_ctx->object = rsa->object;
776 goto token_key;
777 }
778
779 for (attr = pk11_attribute_first(rsa); attr != NULL;
780 attr = pk11_attribute_next(rsa, attr))
781 {
782 switch (attr->type) {
783 case CKA_MODULUS:
784 INSIST(keyTemplate[6].type == attr->type);
785 keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
786 attr->ulValueLen);
787 memmove(keyTemplate[6].pValue, attr->pValue,
788 attr->ulValueLen);
789 keyTemplate[6].ulValueLen = attr->ulValueLen;
790 break;
791 case CKA_PUBLIC_EXPONENT:
792 INSIST(keyTemplate[7].type == attr->type);
793 keyTemplate[7].pValue = isc_mem_get(dctx->mctx,
794 attr->ulValueLen);
795 memmove(keyTemplate[7].pValue, attr->pValue,
796 attr->ulValueLen);
797 keyTemplate[7].ulValueLen = attr->ulValueLen;
798 break;
799 case CKA_PRIVATE_EXPONENT:
800 INSIST(keyTemplate[8].type == attr->type);
801 keyTemplate[8].pValue = isc_mem_get(dctx->mctx,
802 attr->ulValueLen);
803 memmove(keyTemplate[8].pValue, attr->pValue,
804 attr->ulValueLen);
805 keyTemplate[8].ulValueLen = attr->ulValueLen;
806 break;
807 case CKA_PRIME_1:
808 INSIST(keyTemplate[9].type == attr->type);
809 keyTemplate[9].pValue = isc_mem_get(dctx->mctx,
810 attr->ulValueLen);
811 memmove(keyTemplate[9].pValue, attr->pValue,
812 attr->ulValueLen);
813 keyTemplate[9].ulValueLen = attr->ulValueLen;
814 break;
815 case CKA_PRIME_2:
816 INSIST(keyTemplate[10].type == attr->type);
817 keyTemplate[10].pValue = isc_mem_get(dctx->mctx,
818 attr->ulValueLen);
819 memmove(keyTemplate[10].pValue, attr->pValue,
820 attr->ulValueLen);
821 keyTemplate[10].ulValueLen = attr->ulValueLen;
822 break;
823 case CKA_EXPONENT_1:
824 INSIST(keyTemplate[11].type == attr->type);
825 keyTemplate[11].pValue = isc_mem_get(dctx->mctx,
826 attr->ulValueLen);
827 memmove(keyTemplate[11].pValue, attr->pValue,
828 attr->ulValueLen);
829 keyTemplate[11].ulValueLen = attr->ulValueLen;
830 break;
831 case CKA_EXPONENT_2:
832 INSIST(keyTemplate[12].type == attr->type);
833 keyTemplate[12].pValue = isc_mem_get(dctx->mctx,
834 attr->ulValueLen);
835 memmove(keyTemplate[12].pValue, attr->pValue,
836 attr->ulValueLen);
837 keyTemplate[12].ulValueLen = attr->ulValueLen;
838 break;
839 case CKA_COEFFICIENT:
840 INSIST(keyTemplate[13].type == attr->type);
841 keyTemplate[13].pValue = isc_mem_get(dctx->mctx,
842 attr->ulValueLen);
843 memmove(keyTemplate[13].pValue, attr->pValue,
844 attr->ulValueLen);
845 keyTemplate[13].ulValueLen = attr->ulValueLen;
846 break;
847 }
848 }
849 pk11_ctx->object = CK_INVALID_HANDLE;
850 pk11_ctx->ontoken = false;
851 PK11_RET(pkcs_C_CreateObject,
852 (pk11_ctx->session, keyTemplate, (CK_ULONG)14, &hKey),
853 ISC_R_FAILURE);
854
855 token_key:
856
857 PK11_RET(pkcs_C_SignInit,
858 (pk11_ctx->session, &mech,
859 pk11_ctx->ontoken ? pk11_ctx->object : hKey),
860 ISC_R_FAILURE);
861
862 PK11_RET(pkcs_C_Sign,
863 (pk11_ctx->session, digest, dgstlen, NULL, &siglen),
864 DST_R_SIGNFAILURE);
865
866 if (r.length < (unsigned int)siglen) {
867 return (ISC_R_NOSPACE);
868 }
869
870 PK11_RET(pkcs_C_Sign,
871 (pk11_ctx->session, digest, dgstlen, (CK_BYTE_PTR)r.base,
872 &siglen),
873 DST_R_SIGNFAILURE);
874
875 isc_buffer_add(sig, (unsigned int)siglen);
876
877 err:
878 if (hKey != CK_INVALID_HANDLE) {
879 (void)pkcs_C_DestroyObject(pk11_ctx->session, hKey);
880 }
881 for (i = 6; i <= 13; i++) {
882 if (keyTemplate[i].pValue != NULL) {
883 {
884 isc_safe_memwipe(keyTemplate[i].pValue,
885 keyTemplate[i].ulValueLen);
886 isc_mem_put(dctx->mctx, keyTemplate[i].pValue,
887 keyTemplate[i].ulValueLen);
888 }
889 }
890 }
891 pk11_return_session(pk11_ctx);
892 isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
893 isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
894 dctx->ctxdata.pk11_ctx = NULL;
895
896 return (ret);
897 }
898
899 static isc_result_t
pkcs11rsa_verify(dst_context_t * dctx,const isc_region_t * sig)900 pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
901 CK_RV rv;
902 CK_MECHANISM mech = { CKM_RSA_PKCS, NULL, 0 };
903 CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE;
904 CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY;
905 CK_KEY_TYPE keyType = CKK_RSA;
906 CK_ATTRIBUTE keyTemplate[] = {
907 { CKA_CLASS, &keyClass, (CK_ULONG)sizeof(keyClass) },
908 { CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) },
909 { CKA_TOKEN, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
910 { CKA_PRIVATE, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
911 { CKA_VERIFY, &truevalue, (CK_ULONG)sizeof(truevalue) },
912 { CKA_MODULUS, NULL, 0 },
913 { CKA_PUBLIC_EXPONENT, NULL, 0 },
914 };
915 CK_ATTRIBUTE *attr;
916 CK_BYTE digest[MAX_DER_SIZE + ISC_SHA512_DIGESTLENGTH];
917 CK_BYTE *der;
918 CK_ULONG derlen;
919 CK_ULONG hashlen;
920 CK_ULONG dgstlen;
921 pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
922 dst_key_t *key = dctx->key;
923 pk11_object_t *rsa = key->keydata.pkey;
924 isc_result_t ret = ISC_R_SUCCESS;
925 unsigned int i;
926
927 REQUIRE(key->key_alg == DST_ALG_RSASHA1 ||
928 key->key_alg == DST_ALG_NSEC3RSASHA1 ||
929 key->key_alg == DST_ALG_RSASHA256 ||
930 key->key_alg == DST_ALG_RSASHA512);
931 REQUIRE(rsa != NULL);
932
933 switch (key->key_alg) {
934 case DST_ALG_RSASHA1:
935 case DST_ALG_NSEC3RSASHA1:
936 der = sha1_der;
937 derlen = sizeof(sha1_der);
938 hashlen = ISC_SHA1_DIGESTLENGTH;
939 break;
940 case DST_ALG_RSASHA256:
941 der = sha256_der;
942 derlen = sizeof(sha256_der);
943 hashlen = ISC_SHA256_DIGESTLENGTH;
944 break;
945 case DST_ALG_RSASHA512:
946 der = sha512_der;
947 derlen = sizeof(sha512_der);
948 hashlen = ISC_SHA512_DIGESTLENGTH;
949 break;
950 default:
951 UNREACHABLE();
952 }
953 dgstlen = derlen + hashlen;
954 INSIST(dgstlen <= sizeof(digest));
955 memmove(digest, der, derlen);
956
957 PK11_RET(pkcs_C_DigestFinal,
958 (pk11_ctx->session, digest + derlen, &hashlen),
959 DST_R_SIGNFAILURE);
960
961 for (attr = pk11_attribute_first(rsa); attr != NULL;
962 attr = pk11_attribute_next(rsa, attr))
963 {
964 unsigned int bits;
965
966 switch (attr->type) {
967 case CKA_MODULUS:
968 INSIST(keyTemplate[5].type == attr->type);
969 keyTemplate[5].pValue = isc_mem_get(dctx->mctx,
970 attr->ulValueLen);
971 memmove(keyTemplate[5].pValue, attr->pValue,
972 attr->ulValueLen);
973 keyTemplate[5].ulValueLen = attr->ulValueLen;
974 break;
975 case CKA_PUBLIC_EXPONENT:
976 INSIST(keyTemplate[6].type == attr->type);
977 keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
978 attr->ulValueLen);
979 memmove(keyTemplate[6].pValue, attr->pValue,
980 attr->ulValueLen);
981 keyTemplate[6].ulValueLen = attr->ulValueLen;
982 ret = pk11_numbits(attr->pValue, attr->ulValueLen,
983 &bits);
984 if (ret != ISC_R_SUCCESS || bits > RSA_MAX_PUBEXP_BITS)
985 {
986 DST_RET(DST_R_VERIFYFAILURE);
987 }
988 break;
989 }
990 }
991 pk11_ctx->object = CK_INVALID_HANDLE;
992 pk11_ctx->ontoken = false;
993 PK11_RET(pkcs_C_CreateObject,
994 (pk11_ctx->session, keyTemplate, (CK_ULONG)7, &hKey),
995 ISC_R_FAILURE);
996
997 PK11_RET(pkcs_C_VerifyInit, (pk11_ctx->session, &mech, hKey),
998 ISC_R_FAILURE);
999
1000 PK11_RET(pkcs_C_Verify,
1001 (pk11_ctx->session, digest, dgstlen, (CK_BYTE_PTR)sig->base,
1002 (CK_ULONG)sig->length),
1003 DST_R_VERIFYFAILURE);
1004
1005 err:
1006 if (hKey != CK_INVALID_HANDLE) {
1007 (void)pkcs_C_DestroyObject(pk11_ctx->session, hKey);
1008 }
1009 for (i = 5; i <= 6; i++) {
1010 if (keyTemplate[i].pValue != NULL) {
1011 {
1012 isc_safe_memwipe(keyTemplate[i].pValue,
1013 keyTemplate[i].ulValueLen);
1014 isc_mem_put(dctx->mctx, keyTemplate[i].pValue,
1015 keyTemplate[i].ulValueLen);
1016 }
1017 }
1018 }
1019 pk11_return_session(pk11_ctx);
1020 isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
1021 isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
1022 dctx->ctxdata.pk11_ctx = NULL;
1023
1024 return (ret);
1025 }
1026 #endif /* ifndef PK11_RSA_PKCS_REPLACE */
1027
1028 static bool
pkcs11rsa_compare(const dst_key_t * key1,const dst_key_t * key2)1029 pkcs11rsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
1030 pk11_object_t *rsa1, *rsa2;
1031 CK_ATTRIBUTE *attr1, *attr2;
1032
1033 rsa1 = key1->keydata.pkey;
1034 rsa2 = key2->keydata.pkey;
1035
1036 if ((rsa1 == NULL) && (rsa2 == NULL)) {
1037 return (true);
1038 } else if ((rsa1 == NULL) || (rsa2 == NULL)) {
1039 return (false);
1040 }
1041
1042 attr1 = pk11_attribute_bytype(rsa1, CKA_MODULUS);
1043 attr2 = pk11_attribute_bytype(rsa2, CKA_MODULUS);
1044 if ((attr1 == NULL) && (attr2 == NULL)) {
1045 return (true);
1046 } else if ((attr1 == NULL) || (attr2 == NULL) ||
1047 (attr1->ulValueLen != attr2->ulValueLen) ||
1048 !isc_safe_memequal(attr1->pValue, attr2->pValue,
1049 attr1->ulValueLen))
1050 {
1051 return (false);
1052 }
1053
1054 attr1 = pk11_attribute_bytype(rsa1, CKA_PUBLIC_EXPONENT);
1055 attr2 = pk11_attribute_bytype(rsa2, CKA_PUBLIC_EXPONENT);
1056 if ((attr1 == NULL) && (attr2 == NULL)) {
1057 return (true);
1058 } else if ((attr1 == NULL) || (attr2 == NULL) ||
1059 (attr1->ulValueLen != attr2->ulValueLen) ||
1060 !isc_safe_memequal(attr1->pValue, attr2->pValue,
1061 attr1->ulValueLen))
1062 {
1063 return (false);
1064 }
1065
1066 attr1 = pk11_attribute_bytype(rsa1, CKA_PRIVATE_EXPONENT);
1067 attr2 = pk11_attribute_bytype(rsa2, CKA_PRIVATE_EXPONENT);
1068 if (((attr1 != NULL) || (attr2 != NULL)) &&
1069 ((attr1 == NULL) || (attr2 == NULL) ||
1070 (attr1->ulValueLen != attr2->ulValueLen) ||
1071 !isc_safe_memequal(attr1->pValue, attr2->pValue,
1072 attr1->ulValueLen)))
1073 {
1074 return (false);
1075 }
1076
1077 if (!rsa1->ontoken && !rsa2->ontoken) {
1078 return (true);
1079 } else if (rsa1->ontoken || rsa2->ontoken ||
1080 (rsa1->object != rsa2->object))
1081 {
1082 return (false);
1083 }
1084
1085 return (true);
1086 }
1087
1088 static isc_result_t
pkcs11rsa_generate(dst_key_t * key,int exp,void (* callback)(int))1089 pkcs11rsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
1090 CK_RV rv;
1091 CK_MECHANISM mech = { CKM_RSA_PKCS_KEY_PAIR_GEN, NULL, 0 };
1092 CK_OBJECT_HANDLE pub = CK_INVALID_HANDLE;
1093 CK_ULONG bits = 0;
1094 CK_BYTE pubexp[5];
1095 CK_OBJECT_CLASS pubClass = CKO_PUBLIC_KEY;
1096 CK_KEY_TYPE keyType = CKK_RSA;
1097 CK_ATTRIBUTE pubTemplate[] = {
1098 { CKA_CLASS, &pubClass, (CK_ULONG)sizeof(pubClass) },
1099 { CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) },
1100 { CKA_TOKEN, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
1101 { CKA_PRIVATE, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
1102 { CKA_VERIFY, &truevalue, (CK_ULONG)sizeof(truevalue) },
1103 { CKA_MODULUS_BITS, &bits, (CK_ULONG)sizeof(bits) },
1104 { CKA_PUBLIC_EXPONENT, &pubexp, (CK_ULONG)sizeof(pubexp) }
1105 };
1106 CK_OBJECT_HANDLE priv = CK_INVALID_HANDLE;
1107 CK_OBJECT_CLASS privClass = CKO_PRIVATE_KEY;
1108 CK_ATTRIBUTE privTemplate[] = {
1109 { CKA_CLASS, &privClass, (CK_ULONG)sizeof(privClass) },
1110 { CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) },
1111 { CKA_TOKEN, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
1112 { CKA_PRIVATE, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
1113 { CKA_SENSITIVE, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
1114 { CKA_EXTRACTABLE, &truevalue, (CK_ULONG)sizeof(truevalue) },
1115 { CKA_SIGN, &truevalue, (CK_ULONG)sizeof(truevalue) },
1116 };
1117 CK_ATTRIBUTE *attr;
1118 pk11_object_t *rsa;
1119 pk11_context_t *pk11_ctx;
1120 isc_result_t ret;
1121 unsigned int i;
1122
1123 UNUSED(callback);
1124
1125 /*
1126 * Reject incorrect RSA key lengths.
1127 */
1128 switch (key->key_alg) {
1129 case DST_ALG_RSASHA1:
1130 case DST_ALG_NSEC3RSASHA1:
1131 /* From RFC 3110 */
1132 if (key->key_size > 4096) {
1133 return (ISC_R_FAILURE);
1134 }
1135 break;
1136 case DST_ALG_RSASHA256:
1137 /* From RFC 5702 */
1138 if ((key->key_size < 512) || (key->key_size > 4096)) {
1139 return (ISC_R_FAILURE);
1140 }
1141 break;
1142 case DST_ALG_RSASHA512:
1143 /* From RFC 5702 */
1144 if ((key->key_size < 1024) || (key->key_size > 4096)) {
1145 return (ISC_R_FAILURE);
1146 }
1147 break;
1148 default:
1149 UNREACHABLE();
1150 }
1151
1152 pk11_ctx = isc_mem_get(key->mctx, sizeof(*pk11_ctx));
1153 ret = pk11_get_session(pk11_ctx, OP_RSA, true, false, false, NULL,
1154 pk11_get_best_token(OP_RSA));
1155 if (ret != ISC_R_SUCCESS) {
1156 goto err;
1157 }
1158
1159 bits = key->key_size;
1160 if (exp == 0) {
1161 /* RSA_F4 0x10001 */
1162 pubexp[0] = 1;
1163 pubexp[1] = 0;
1164 pubexp[2] = 1;
1165 pubTemplate[6].ulValueLen = 3;
1166 } else {
1167 /* F5 0x100000001 */
1168 pubexp[0] = 1;
1169 pubexp[1] = 0;
1170 pubexp[2] = 0;
1171 pubexp[3] = 0;
1172 pubexp[4] = 1;
1173 pubTemplate[6].ulValueLen = 5;
1174 }
1175
1176 PK11_RET(pkcs_C_GenerateKeyPair,
1177 (pk11_ctx->session, &mech, pubTemplate, (CK_ULONG)7,
1178 privTemplate, (CK_ULONG)7, &pub, &priv),
1179 DST_R_CRYPTOFAILURE);
1180
1181 rsa = isc_mem_get(key->mctx, sizeof(*rsa));
1182 memset(rsa, 0, sizeof(*rsa));
1183 key->keydata.pkey = rsa;
1184 rsa->repr = isc_mem_get(key->mctx, sizeof(*attr) * 8);
1185 memset(rsa->repr, 0, sizeof(*attr) * 8);
1186 rsa->attrcnt = 8;
1187
1188 attr = rsa->repr;
1189 attr[0].type = CKA_MODULUS;
1190 attr[1].type = CKA_PUBLIC_EXPONENT;
1191 attr[2].type = CKA_PRIVATE_EXPONENT;
1192 attr[3].type = CKA_PRIME_1;
1193 attr[4].type = CKA_PRIME_2;
1194 attr[5].type = CKA_EXPONENT_1;
1195 attr[6].type = CKA_EXPONENT_2;
1196 attr[7].type = CKA_COEFFICIENT;
1197
1198 PK11_RET(pkcs_C_GetAttributeValue, (pk11_ctx->session, pub, attr, 2),
1199 DST_R_CRYPTOFAILURE);
1200 for (i = 0; i <= 1; i++) {
1201 attr[i].pValue = isc_mem_get(key->mctx, attr[i].ulValueLen);
1202 memset(attr[i].pValue, 0, attr[i].ulValueLen);
1203 }
1204 PK11_RET(pkcs_C_GetAttributeValue, (pk11_ctx->session, pub, attr, 2),
1205 DST_R_CRYPTOFAILURE);
1206
1207 attr += 2;
1208 PK11_RET(pkcs_C_GetAttributeValue, (pk11_ctx->session, priv, attr, 6),
1209 DST_R_CRYPTOFAILURE);
1210 for (i = 0; i <= 5; i++) {
1211 attr[i].pValue = isc_mem_get(key->mctx, attr[i].ulValueLen);
1212 memset(attr[i].pValue, 0, attr[i].ulValueLen);
1213 }
1214 PK11_RET(pkcs_C_GetAttributeValue, (pk11_ctx->session, priv, attr, 6),
1215 DST_R_CRYPTOFAILURE);
1216
1217 (void)pkcs_C_DestroyObject(pk11_ctx->session, priv);
1218 (void)pkcs_C_DestroyObject(pk11_ctx->session, pub);
1219 pk11_return_session(pk11_ctx);
1220 isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
1221 isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
1222
1223 return (ISC_R_SUCCESS);
1224
1225 err:
1226 pkcs11rsa_destroy(key);
1227 if (priv != CK_INVALID_HANDLE) {
1228 (void)pkcs_C_DestroyObject(pk11_ctx->session, priv);
1229 }
1230 if (pub != CK_INVALID_HANDLE) {
1231 (void)pkcs_C_DestroyObject(pk11_ctx->session, pub);
1232 }
1233 pk11_return_session(pk11_ctx);
1234 isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
1235 isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
1236
1237 return (ret);
1238 }
1239
1240 static bool
pkcs11rsa_isprivate(const dst_key_t * key)1241 pkcs11rsa_isprivate(const dst_key_t *key) {
1242 pk11_object_t *rsa = key->keydata.pkey;
1243 CK_ATTRIBUTE *attr;
1244
1245 if (rsa == NULL) {
1246 return (false);
1247 }
1248 attr = pk11_attribute_bytype(rsa, CKA_PRIVATE_EXPONENT);
1249 return (attr != NULL || rsa->ontoken);
1250 }
1251
1252 static void
pkcs11rsa_destroy(dst_key_t * key)1253 pkcs11rsa_destroy(dst_key_t *key) {
1254 pk11_object_t *rsa = key->keydata.pkey;
1255 CK_ATTRIBUTE *attr;
1256
1257 if (rsa == NULL) {
1258 return;
1259 }
1260
1261 INSIST((rsa->object == CK_INVALID_HANDLE) || rsa->ontoken);
1262
1263 for (attr = pk11_attribute_first(rsa); attr != NULL;
1264 attr = pk11_attribute_next(rsa, attr))
1265 {
1266 switch (attr->type) {
1267 case CKA_LABEL:
1268 case CKA_ID:
1269 case CKA_MODULUS:
1270 case CKA_PUBLIC_EXPONENT:
1271 case CKA_PRIVATE_EXPONENT:
1272 case CKA_PRIME_1:
1273 case CKA_PRIME_2:
1274 case CKA_EXPONENT_1:
1275 case CKA_EXPONENT_2:
1276 case CKA_COEFFICIENT:
1277 if (attr->pValue != NULL) {
1278 isc_safe_memwipe(attr->pValue,
1279 attr->ulValueLen);
1280 isc_mem_put(key->mctx, attr->pValue,
1281 attr->ulValueLen);
1282 }
1283 break;
1284 }
1285 }
1286 if (rsa->repr != NULL) {
1287 isc_safe_memwipe(rsa->repr, rsa->attrcnt * sizeof(*attr));
1288 isc_mem_put(key->mctx, rsa->repr, rsa->attrcnt * sizeof(*attr));
1289 }
1290 isc_safe_memwipe(rsa, sizeof(*rsa));
1291 isc_mem_put(key->mctx, rsa, sizeof(*rsa));
1292 key->keydata.pkey = NULL;
1293 }
1294
1295 static isc_result_t
pkcs11rsa_todns(const dst_key_t * key,isc_buffer_t * data)1296 pkcs11rsa_todns(const dst_key_t *key, isc_buffer_t *data) {
1297 pk11_object_t *rsa;
1298 CK_ATTRIBUTE *attr;
1299 isc_region_t r;
1300 unsigned int e_bytes = 0, mod_bytes = 0;
1301 CK_BYTE *exponent = NULL, *modulus = NULL;
1302
1303 REQUIRE(key->keydata.pkey != NULL);
1304
1305 rsa = key->keydata.pkey;
1306
1307 for (attr = pk11_attribute_first(rsa); attr != NULL;
1308 attr = pk11_attribute_next(rsa, attr))
1309 {
1310 switch (attr->type) {
1311 case CKA_PUBLIC_EXPONENT:
1312 exponent = (CK_BYTE *)attr->pValue;
1313 e_bytes = (unsigned int)attr->ulValueLen;
1314 break;
1315 case CKA_MODULUS:
1316 modulus = (CK_BYTE *)attr->pValue;
1317 mod_bytes = (unsigned int)attr->ulValueLen;
1318 break;
1319 }
1320 }
1321 REQUIRE((exponent != NULL) && (modulus != NULL));
1322
1323 isc_buffer_availableregion(data, &r);
1324
1325 if (e_bytes < 256) { /*%< key exponent is <= 2040 bits */
1326 if (r.length < 1) {
1327 return (ISC_R_NOSPACE);
1328 }
1329 isc_buffer_putuint8(data, (uint8_t)e_bytes);
1330 isc_region_consume(&r, 1);
1331 } else {
1332 if (r.length < 3) {
1333 return (ISC_R_NOSPACE);
1334 }
1335 isc_buffer_putuint8(data, 0);
1336 isc_buffer_putuint16(data, (uint16_t)e_bytes);
1337 isc_region_consume(&r, 3);
1338 }
1339
1340 if (r.length < e_bytes + mod_bytes) {
1341 return (ISC_R_NOSPACE);
1342 }
1343
1344 memmove(r.base, exponent, e_bytes);
1345 isc_region_consume(&r, e_bytes);
1346 memmove(r.base, modulus, mod_bytes);
1347
1348 isc_buffer_add(data, e_bytes + mod_bytes);
1349
1350 return (ISC_R_SUCCESS);
1351 }
1352
1353 static isc_result_t
pkcs11rsa_fromdns(dst_key_t * key,isc_buffer_t * data)1354 pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
1355 pk11_object_t *rsa;
1356 isc_region_t r;
1357 unsigned int e_bytes, mod_bytes;
1358 CK_BYTE *exponent = NULL, *modulus = NULL;
1359 CK_ATTRIBUTE *attr;
1360 unsigned int length;
1361 unsigned int bits;
1362 isc_result_t ret = ISC_R_SUCCESS;
1363
1364 isc_buffer_remainingregion(data, &r);
1365 if (r.length == 0) {
1366 return (ISC_R_SUCCESS);
1367 }
1368 length = r.length;
1369
1370 rsa = isc_mem_get(key->mctx, sizeof(*rsa));
1371
1372 memset(rsa, 0, sizeof(*rsa));
1373
1374 e_bytes = *r.base;
1375 isc_region_consume(&r, 1);
1376
1377 if (e_bytes == 0) {
1378 if (r.length < 2) {
1379 DST_RET(DST_R_INVALIDPUBLICKEY);
1380 }
1381 e_bytes = (*r.base) << 8;
1382 isc_region_consume(&r, 1);
1383 e_bytes += *r.base;
1384 isc_region_consume(&r, 1);
1385 }
1386
1387 if (r.length < e_bytes) {
1388 DST_RET(DST_R_INVALIDPUBLICKEY);
1389 }
1390 exponent = r.base;
1391 isc_region_consume(&r, e_bytes);
1392 modulus = r.base;
1393 mod_bytes = r.length;
1394
1395 ret = pk11_numbits(modulus, mod_bytes, &bits);
1396 if (ret != ISC_R_SUCCESS) {
1397 goto err;
1398 }
1399 key->key_size = bits;
1400
1401 isc_buffer_forward(data, length);
1402
1403 rsa->repr = isc_mem_get(key->mctx, sizeof(*attr) * 2);
1404 memset(rsa->repr, 0, sizeof(*attr) * 2);
1405 rsa->attrcnt = 2;
1406 attr = rsa->repr;
1407 attr[0].type = CKA_MODULUS;
1408 attr[0].pValue = isc_mem_get(key->mctx, mod_bytes);
1409 memmove(attr[0].pValue, modulus, mod_bytes);
1410 attr[0].ulValueLen = (CK_ULONG)mod_bytes;
1411 attr[1].type = CKA_PUBLIC_EXPONENT;
1412 attr[1].pValue = isc_mem_get(key->mctx, e_bytes);
1413 memmove(attr[1].pValue, exponent, e_bytes);
1414 attr[1].ulValueLen = (CK_ULONG)e_bytes;
1415
1416 key->keydata.pkey = rsa;
1417
1418 return (ISC_R_SUCCESS);
1419 err:
1420 isc_safe_memwipe(rsa, sizeof(*rsa));
1421 isc_mem_put(key->mctx, rsa, sizeof(*rsa));
1422 return (ret);
1423 }
1424
1425 static isc_result_t
pkcs11rsa_tofile(const dst_key_t * key,const char * directory)1426 pkcs11rsa_tofile(const dst_key_t *key, const char *directory) {
1427 int i;
1428 pk11_object_t *rsa;
1429 CK_ATTRIBUTE *attr;
1430 CK_ATTRIBUTE *modulus = NULL, *exponent = NULL;
1431 CK_ATTRIBUTE *d = NULL, *p = NULL, *q = NULL;
1432 CK_ATTRIBUTE *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL;
1433 dst_private_t priv;
1434 unsigned char *bufs[10];
1435 isc_result_t result;
1436
1437 if (key->keydata.pkey == NULL) {
1438 return (DST_R_NULLKEY);
1439 }
1440
1441 if (key->external) {
1442 priv.nelements = 0;
1443 return (dst__privstruct_writefile(key, &priv, directory));
1444 }
1445
1446 rsa = key->keydata.pkey;
1447
1448 for (attr = pk11_attribute_first(rsa); attr != NULL;
1449 attr = pk11_attribute_next(rsa, attr))
1450 {
1451 switch (attr->type) {
1452 case CKA_MODULUS:
1453 modulus = attr;
1454 break;
1455 case CKA_PUBLIC_EXPONENT:
1456 exponent = attr;
1457 break;
1458 case CKA_PRIVATE_EXPONENT:
1459 d = attr;
1460 break;
1461 case CKA_PRIME_1:
1462 p = attr;
1463 break;
1464 case CKA_PRIME_2:
1465 q = attr;
1466 break;
1467 case CKA_EXPONENT_1:
1468 dmp1 = attr;
1469 break;
1470 case CKA_EXPONENT_2:
1471 dmq1 = attr;
1472 break;
1473 case CKA_COEFFICIENT:
1474 iqmp = attr;
1475 break;
1476 }
1477 }
1478 if ((modulus == NULL) || (exponent == NULL)) {
1479 return (DST_R_NULLKEY);
1480 }
1481
1482 memset(bufs, 0, sizeof(bufs));
1483
1484 for (i = 0; i < 10; i++) {
1485 bufs[i] = isc_mem_get(key->mctx, modulus->ulValueLen);
1486 memset(bufs[i], 0, modulus->ulValueLen);
1487 }
1488
1489 i = 0;
1490
1491 priv.elements[i].tag = TAG_RSA_MODULUS;
1492 priv.elements[i].length = (unsigned short)modulus->ulValueLen;
1493 memmove(bufs[i], modulus->pValue, modulus->ulValueLen);
1494 priv.elements[i].data = bufs[i];
1495 i++;
1496
1497 priv.elements[i].tag = TAG_RSA_PUBLICEXPONENT;
1498 priv.elements[i].length = (unsigned short)exponent->ulValueLen;
1499 memmove(bufs[i], exponent->pValue, exponent->ulValueLen);
1500 priv.elements[i].data = bufs[i];
1501 i++;
1502
1503 if (d != NULL) {
1504 priv.elements[i].tag = TAG_RSA_PRIVATEEXPONENT;
1505 priv.elements[i].length = (unsigned short)d->ulValueLen;
1506 memmove(bufs[i], d->pValue, d->ulValueLen);
1507 priv.elements[i].data = bufs[i];
1508 i++;
1509 }
1510
1511 if (p != NULL) {
1512 priv.elements[i].tag = TAG_RSA_PRIME1;
1513 priv.elements[i].length = (unsigned short)p->ulValueLen;
1514 memmove(bufs[i], p->pValue, p->ulValueLen);
1515 priv.elements[i].data = bufs[i];
1516 i++;
1517 }
1518
1519 if (q != NULL) {
1520 priv.elements[i].tag = TAG_RSA_PRIME2;
1521 priv.elements[i].length = (unsigned short)q->ulValueLen;
1522 memmove(bufs[i], q->pValue, q->ulValueLen);
1523 priv.elements[i].data = bufs[i];
1524 i++;
1525 }
1526
1527 if (dmp1 != NULL) {
1528 priv.elements[i].tag = TAG_RSA_EXPONENT1;
1529 priv.elements[i].length = (unsigned short)dmp1->ulValueLen;
1530 memmove(bufs[i], dmp1->pValue, dmp1->ulValueLen);
1531 priv.elements[i].data = bufs[i];
1532 i++;
1533 }
1534
1535 if (dmq1 != NULL) {
1536 priv.elements[i].tag = TAG_RSA_EXPONENT2;
1537 priv.elements[i].length = (unsigned short)dmq1->ulValueLen;
1538 memmove(bufs[i], dmq1->pValue, dmq1->ulValueLen);
1539 priv.elements[i].data = bufs[i];
1540 i++;
1541 }
1542
1543 if (iqmp != NULL) {
1544 priv.elements[i].tag = TAG_RSA_COEFFICIENT;
1545 priv.elements[i].length = (unsigned short)iqmp->ulValueLen;
1546 memmove(bufs[i], iqmp->pValue, iqmp->ulValueLen);
1547 priv.elements[i].data = bufs[i];
1548 i++;
1549 }
1550
1551 if (key->engine != NULL) {
1552 priv.elements[i].tag = TAG_RSA_ENGINE;
1553 priv.elements[i].length = (unsigned short)strlen(key->engine) +
1554 1;
1555 priv.elements[i].data = (unsigned char *)key->engine;
1556 i++;
1557 }
1558
1559 if (key->label != NULL) {
1560 priv.elements[i].tag = TAG_RSA_LABEL;
1561 priv.elements[i].length = (unsigned short)strlen(key->label) +
1562 1;
1563 priv.elements[i].data = (unsigned char *)key->label;
1564 i++;
1565 }
1566
1567 priv.nelements = i;
1568 result = dst__privstruct_writefile(key, &priv, directory);
1569 for (i = 0; i < 10; i++) {
1570 if (bufs[i] == NULL) {
1571 break;
1572 }
1573 isc_safe_memwipe(bufs[i], modulus->ulValueLen);
1574 isc_mem_put(key->mctx, bufs[i], modulus->ulValueLen);
1575 }
1576 return (result);
1577 }
1578
1579 static isc_result_t
pkcs11rsa_fetch(dst_key_t * key,const char * engine,const char * label,dst_key_t * pub)1580 pkcs11rsa_fetch(dst_key_t *key, const char *engine, const char *label,
1581 dst_key_t *pub) {
1582 CK_RV rv;
1583 CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
1584 CK_KEY_TYPE keyType = CKK_RSA;
1585 CK_ATTRIBUTE searchTemplate[] = {
1586 { CKA_CLASS, &keyClass, (CK_ULONG)sizeof(keyClass) },
1587 { CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) },
1588 { CKA_TOKEN, &truevalue, (CK_ULONG)sizeof(truevalue) },
1589 { CKA_LABEL, NULL, 0 }
1590 };
1591 CK_ULONG cnt;
1592 CK_ATTRIBUTE *attr;
1593 CK_ATTRIBUTE *pubattr;
1594 pk11_object_t *rsa;
1595 pk11_object_t *pubrsa;
1596 pk11_context_t *pk11_ctx = NULL;
1597 isc_result_t ret;
1598 unsigned int bits;
1599
1600 if (label == NULL) {
1601 return (DST_R_NOENGINE);
1602 }
1603
1604 rsa = key->keydata.pkey;
1605 pubrsa = pub->keydata.pkey;
1606
1607 rsa->object = CK_INVALID_HANDLE;
1608 rsa->ontoken = true;
1609 rsa->reqlogon = true;
1610 rsa->repr = isc_mem_get(key->mctx, sizeof(*attr) * 2);
1611 memset(rsa->repr, 0, sizeof(*attr) * 2);
1612 rsa->attrcnt = 2;
1613 attr = rsa->repr;
1614
1615 attr->type = CKA_MODULUS;
1616 pubattr = pk11_attribute_bytype(pubrsa, CKA_MODULUS);
1617 INSIST(pubattr != NULL);
1618 attr->pValue = isc_mem_get(key->mctx, pubattr->ulValueLen);
1619 memmove(attr->pValue, pubattr->pValue, pubattr->ulValueLen);
1620 attr->ulValueLen = pubattr->ulValueLen;
1621 attr++;
1622
1623 attr->type = CKA_PUBLIC_EXPONENT;
1624 pubattr = pk11_attribute_bytype(pubrsa, CKA_PUBLIC_EXPONENT);
1625 INSIST(pubattr != NULL);
1626 attr->pValue = isc_mem_get(key->mctx, pubattr->ulValueLen);
1627 memmove(attr->pValue, pubattr->pValue, pubattr->ulValueLen);
1628 attr->ulValueLen = pubattr->ulValueLen;
1629
1630 ret = pk11_parse_uri(rsa, label, key->mctx, OP_RSA);
1631 if (ret != ISC_R_SUCCESS) {
1632 goto err;
1633 }
1634
1635 pk11_ctx = isc_mem_get(key->mctx, sizeof(*pk11_ctx));
1636 ret = pk11_get_session(pk11_ctx, OP_RSA, true, false, rsa->reqlogon,
1637 NULL, rsa->slot);
1638 if (ret != ISC_R_SUCCESS) {
1639 goto err;
1640 }
1641
1642 attr = pk11_attribute_bytype(rsa, CKA_LABEL);
1643 if (attr == NULL) {
1644 attr = pk11_attribute_bytype(rsa, CKA_ID);
1645 INSIST(attr != NULL);
1646 searchTemplate[3].type = CKA_ID;
1647 }
1648 searchTemplate[3].pValue = attr->pValue;
1649 searchTemplate[3].ulValueLen = attr->ulValueLen;
1650
1651 PK11_RET(pkcs_C_FindObjectsInit,
1652 (pk11_ctx->session, searchTemplate, (CK_ULONG)4),
1653 DST_R_CRYPTOFAILURE);
1654 PK11_RET(pkcs_C_FindObjects,
1655 (pk11_ctx->session, &rsa->object, (CK_ULONG)1, &cnt),
1656 DST_R_CRYPTOFAILURE);
1657 (void)pkcs_C_FindObjectsFinal(pk11_ctx->session);
1658 if (cnt == 0) {
1659 DST_RET(ISC_R_NOTFOUND);
1660 }
1661 if (cnt > 1) {
1662 DST_RET(ISC_R_EXISTS);
1663 }
1664
1665 if (engine != NULL) {
1666 key->engine = isc_mem_strdup(key->mctx, engine);
1667 }
1668
1669 key->label = isc_mem_strdup(key->mctx, label);
1670
1671 pk11_return_session(pk11_ctx);
1672 isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
1673 isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
1674
1675 attr = pk11_attribute_bytype(rsa, CKA_MODULUS);
1676 INSIST(attr != NULL);
1677 ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
1678 if (ret != ISC_R_SUCCESS) {
1679 goto err;
1680 }
1681 key->key_size = bits;
1682
1683 return (ISC_R_SUCCESS);
1684
1685 err:
1686 if (pk11_ctx != NULL) {
1687 pk11_return_session(pk11_ctx);
1688 isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
1689 isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
1690 }
1691
1692 return (ret);
1693 }
1694
1695 static isc_result_t
rsa_check(pk11_object_t * rsa,pk11_object_t * pubrsa)1696 rsa_check(pk11_object_t *rsa, pk11_object_t *pubrsa) {
1697 CK_ATTRIBUTE *pubattr, *privattr;
1698 CK_BYTE *priv_exp = NULL, *priv_mod = NULL;
1699 CK_BYTE *pub_exp = NULL, *pub_mod = NULL;
1700 unsigned int priv_explen = 0, priv_modlen = 0;
1701 unsigned int pub_explen = 0, pub_modlen = 0;
1702
1703 REQUIRE(rsa != NULL && pubrsa != NULL);
1704
1705 privattr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT);
1706 INSIST(privattr != NULL);
1707 priv_exp = privattr->pValue;
1708 priv_explen = privattr->ulValueLen;
1709
1710 pubattr = pk11_attribute_bytype(pubrsa, CKA_PUBLIC_EXPONENT);
1711 INSIST(pubattr != NULL);
1712 pub_exp = pubattr->pValue;
1713 pub_explen = pubattr->ulValueLen;
1714
1715 if (priv_exp != NULL) {
1716 if (priv_explen != pub_explen) {
1717 return (DST_R_INVALIDPRIVATEKEY);
1718 }
1719 if (!isc_safe_memequal(priv_exp, pub_exp, pub_explen)) {
1720 return (DST_R_INVALIDPRIVATEKEY);
1721 }
1722 } else {
1723 privattr->pValue = pub_exp;
1724 privattr->ulValueLen = pub_explen;
1725 pubattr->pValue = NULL;
1726 pubattr->ulValueLen = 0;
1727 }
1728
1729 if (privattr->pValue == NULL) {
1730 return (DST_R_INVALIDPRIVATEKEY);
1731 }
1732
1733 privattr = pk11_attribute_bytype(rsa, CKA_MODULUS);
1734 INSIST(privattr != NULL);
1735 priv_mod = privattr->pValue;
1736 priv_modlen = privattr->ulValueLen;
1737
1738 pubattr = pk11_attribute_bytype(pubrsa, CKA_MODULUS);
1739 INSIST(pubattr != NULL);
1740 pub_mod = pubattr->pValue;
1741 pub_modlen = pubattr->ulValueLen;
1742
1743 if (priv_mod != NULL) {
1744 if (priv_modlen != pub_modlen) {
1745 return (DST_R_INVALIDPRIVATEKEY);
1746 }
1747 if (!isc_safe_memequal(priv_mod, pub_mod, pub_modlen)) {
1748 return (DST_R_INVALIDPRIVATEKEY);
1749 }
1750 } else {
1751 privattr->pValue = pub_mod;
1752 privattr->ulValueLen = pub_modlen;
1753 pubattr->pValue = NULL;
1754 pubattr->ulValueLen = 0;
1755 }
1756
1757 if (privattr->pValue == NULL) {
1758 return (DST_R_INVALIDPRIVATEKEY);
1759 }
1760
1761 return (ISC_R_SUCCESS);
1762 }
1763
1764 static isc_result_t
pkcs11rsa_parse(dst_key_t * key,isc_lex_t * lexer,dst_key_t * pub)1765 pkcs11rsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
1766 dst_private_t priv;
1767 isc_result_t ret;
1768 int i;
1769 pk11_object_t *rsa;
1770 CK_ATTRIBUTE *attr;
1771 isc_mem_t *mctx = key->mctx;
1772 const char *engine = NULL, *label = NULL;
1773 unsigned int bits;
1774
1775 /* read private key file */
1776 ret = dst__privstruct_parse(key, DST_ALG_RSA, lexer, mctx, &priv);
1777 if (ret != ISC_R_SUCCESS) {
1778 return (ret);
1779 }
1780
1781 if (key->external) {
1782 if (priv.nelements != 0) {
1783 DST_RET(DST_R_INVALIDPRIVATEKEY);
1784 }
1785 if (pub == NULL) {
1786 DST_RET(DST_R_INVALIDPRIVATEKEY);
1787 }
1788
1789 key->keydata.pkey = pub->keydata.pkey;
1790 pub->keydata.pkey = NULL;
1791 key->key_size = pub->key_size;
1792
1793 dst__privstruct_free(&priv, mctx);
1794 isc_safe_memwipe(&priv, sizeof(priv));
1795
1796 return (ISC_R_SUCCESS);
1797 }
1798
1799 for (i = 0; i < priv.nelements; i++) {
1800 switch (priv.elements[i].tag) {
1801 case TAG_RSA_ENGINE:
1802 engine = (char *)priv.elements[i].data;
1803 break;
1804 case TAG_RSA_LABEL:
1805 label = (char *)priv.elements[i].data;
1806 break;
1807 default:
1808 break;
1809 }
1810 }
1811 rsa = isc_mem_get(key->mctx, sizeof(*rsa));
1812 memset(rsa, 0, sizeof(*rsa));
1813 key->keydata.pkey = rsa;
1814
1815 /* Is this key is stored in a HSM? See if we can fetch it. */
1816 if ((label != NULL) || (engine != NULL)) {
1817 ret = pkcs11rsa_fetch(key, engine, label, pub);
1818 if (ret != ISC_R_SUCCESS) {
1819 goto err;
1820 }
1821 dst__privstruct_free(&priv, mctx);
1822 isc_safe_memwipe(&priv, sizeof(priv));
1823 return (ret);
1824 }
1825
1826 rsa->repr = isc_mem_get(key->mctx, sizeof(*attr) * 8);
1827 memset(rsa->repr, 0, sizeof(*attr) * 8);
1828 rsa->attrcnt = 8;
1829 attr = rsa->repr;
1830 attr[0].type = CKA_MODULUS;
1831 attr[1].type = CKA_PUBLIC_EXPONENT;
1832 attr[2].type = CKA_PRIVATE_EXPONENT;
1833 attr[3].type = CKA_PRIME_1;
1834 attr[4].type = CKA_PRIME_2;
1835 attr[5].type = CKA_EXPONENT_1;
1836 attr[6].type = CKA_EXPONENT_2;
1837 attr[7].type = CKA_COEFFICIENT;
1838
1839 for (i = 0; i < priv.nelements; i++) {
1840 CK_BYTE *bn;
1841
1842 switch (priv.elements[i].tag) {
1843 case TAG_RSA_ENGINE:
1844 continue;
1845 case TAG_RSA_LABEL:
1846 continue;
1847 default:
1848 bn = isc_mem_get(key->mctx, priv.elements[i].length);
1849 memmove(bn, priv.elements[i].data,
1850 priv.elements[i].length);
1851 }
1852
1853 switch (priv.elements[i].tag) {
1854 case TAG_RSA_MODULUS:
1855 attr = pk11_attribute_bytype(rsa, CKA_MODULUS);
1856 INSIST(attr != NULL);
1857 attr->pValue = bn;
1858 attr->ulValueLen = priv.elements[i].length;
1859 break;
1860 case TAG_RSA_PUBLICEXPONENT:
1861 attr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT);
1862 INSIST(attr != NULL);
1863 attr->pValue = bn;
1864 attr->ulValueLen = priv.elements[i].length;
1865 break;
1866 case TAG_RSA_PRIVATEEXPONENT:
1867 attr = pk11_attribute_bytype(rsa, CKA_PRIVATE_EXPONENT);
1868 INSIST(attr != NULL);
1869 attr->pValue = bn;
1870 attr->ulValueLen = priv.elements[i].length;
1871 break;
1872 case TAG_RSA_PRIME1:
1873 attr = pk11_attribute_bytype(rsa, CKA_PRIME_1);
1874 INSIST(attr != NULL);
1875 attr->pValue = bn;
1876 attr->ulValueLen = priv.elements[i].length;
1877 break;
1878 case TAG_RSA_PRIME2:
1879 attr = pk11_attribute_bytype(rsa, CKA_PRIME_2);
1880 INSIST(attr != NULL);
1881 attr->pValue = bn;
1882 attr->ulValueLen = priv.elements[i].length;
1883 break;
1884 case TAG_RSA_EXPONENT1:
1885 attr = pk11_attribute_bytype(rsa, CKA_EXPONENT_1);
1886 INSIST(attr != NULL);
1887 attr->pValue = bn;
1888 attr->ulValueLen = priv.elements[i].length;
1889 break;
1890 case TAG_RSA_EXPONENT2:
1891 attr = pk11_attribute_bytype(rsa, CKA_EXPONENT_2);
1892 INSIST(attr != NULL);
1893 attr->pValue = bn;
1894 attr->ulValueLen = priv.elements[i].length;
1895 break;
1896 case TAG_RSA_COEFFICIENT:
1897 attr = pk11_attribute_bytype(rsa, CKA_COEFFICIENT);
1898 INSIST(attr != NULL);
1899 attr->pValue = bn;
1900 attr->ulValueLen = priv.elements[i].length;
1901 break;
1902 }
1903 }
1904
1905 if (rsa_check(rsa, pub->keydata.pkey) != ISC_R_SUCCESS) {
1906 DST_RET(DST_R_INVALIDPRIVATEKEY);
1907 }
1908
1909 attr = pk11_attribute_bytype(rsa, CKA_MODULUS);
1910 INSIST(attr != NULL);
1911 ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
1912 if (ret != ISC_R_SUCCESS) {
1913 goto err;
1914 }
1915 key->key_size = bits;
1916
1917 attr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT);
1918 INSIST(attr != NULL);
1919
1920 ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
1921 if (ret != ISC_R_SUCCESS) {
1922 goto err;
1923 }
1924 if (bits > RSA_MAX_PUBEXP_BITS) {
1925 DST_RET(ISC_R_RANGE);
1926 }
1927
1928 dst__privstruct_free(&priv, mctx);
1929 isc_safe_memwipe(&priv, sizeof(priv));
1930
1931 return (ISC_R_SUCCESS);
1932
1933 err:
1934 pkcs11rsa_destroy(key);
1935 dst__privstruct_free(&priv, mctx);
1936 isc_safe_memwipe(&priv, sizeof(priv));
1937 return (ret);
1938 }
1939
1940 static isc_result_t
pkcs11rsa_fromlabel(dst_key_t * key,const char * engine,const char * label,const char * pin)1941 pkcs11rsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
1942 const char *pin) {
1943 CK_RV rv;
1944 CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE;
1945 CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY;
1946 CK_KEY_TYPE keyType = CKK_RSA;
1947 CK_ATTRIBUTE searchTemplate[] = {
1948 { CKA_CLASS, &keyClass, (CK_ULONG)sizeof(keyClass) },
1949 { CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) },
1950 { CKA_TOKEN, &truevalue, (CK_ULONG)sizeof(truevalue) },
1951 { CKA_LABEL, NULL, 0 }
1952 };
1953 CK_ULONG cnt;
1954 CK_ATTRIBUTE *attr;
1955 pk11_object_t *rsa;
1956 pk11_context_t *pk11_ctx = NULL;
1957 isc_result_t ret;
1958 unsigned int i;
1959 unsigned int bits;
1960
1961 UNUSED(pin);
1962
1963 rsa = isc_mem_get(key->mctx, sizeof(*rsa));
1964 memset(rsa, 0, sizeof(*rsa));
1965 rsa->object = CK_INVALID_HANDLE;
1966 rsa->ontoken = true;
1967 rsa->reqlogon = true;
1968 key->keydata.pkey = rsa;
1969
1970 rsa->repr = isc_mem_get(key->mctx, sizeof(*attr) * 2);
1971 memset(rsa->repr, 0, sizeof(*attr) * 2);
1972 rsa->attrcnt = 2;
1973 attr = rsa->repr;
1974 attr[0].type = CKA_MODULUS;
1975 attr[1].type = CKA_PUBLIC_EXPONENT;
1976
1977 ret = pk11_parse_uri(rsa, label, key->mctx, OP_RSA);
1978 if (ret != ISC_R_SUCCESS) {
1979 goto err;
1980 }
1981
1982 pk11_ctx = isc_mem_get(key->mctx, sizeof(*pk11_ctx));
1983 ret = pk11_get_session(pk11_ctx, OP_RSA, true, false, rsa->reqlogon,
1984 NULL, rsa->slot);
1985 if (ret != ISC_R_SUCCESS) {
1986 goto err;
1987 }
1988
1989 attr = pk11_attribute_bytype(rsa, CKA_LABEL);
1990 if (attr == NULL) {
1991 attr = pk11_attribute_bytype(rsa, CKA_ID);
1992 INSIST(attr != NULL);
1993 searchTemplate[3].type = CKA_ID;
1994 }
1995 searchTemplate[3].pValue = attr->pValue;
1996 searchTemplate[3].ulValueLen = attr->ulValueLen;
1997
1998 PK11_RET(pkcs_C_FindObjectsInit,
1999 (pk11_ctx->session, searchTemplate, (CK_ULONG)4),
2000 DST_R_CRYPTOFAILURE);
2001 PK11_RET(pkcs_C_FindObjects,
2002 (pk11_ctx->session, &hKey, (CK_ULONG)1, &cnt),
2003 DST_R_CRYPTOFAILURE);
2004 (void)pkcs_C_FindObjectsFinal(pk11_ctx->session);
2005 if (cnt == 0) {
2006 DST_RET(ISC_R_NOTFOUND);
2007 }
2008 if (cnt > 1) {
2009 DST_RET(ISC_R_EXISTS);
2010 }
2011
2012 attr = rsa->repr;
2013 PK11_RET(pkcs_C_GetAttributeValue, (pk11_ctx->session, hKey, attr, 2),
2014 DST_R_CRYPTOFAILURE);
2015 for (i = 0; i <= 1; i++) {
2016 attr[i].pValue = isc_mem_get(key->mctx, attr[i].ulValueLen);
2017 memset(attr[i].pValue, 0, attr[i].ulValueLen);
2018 }
2019 PK11_RET(pkcs_C_GetAttributeValue, (pk11_ctx->session, hKey, attr, 2),
2020 DST_R_CRYPTOFAILURE);
2021
2022 keyClass = CKO_PRIVATE_KEY;
2023 PK11_RET(pkcs_C_FindObjectsInit,
2024 (pk11_ctx->session, searchTemplate, (CK_ULONG)4),
2025 DST_R_CRYPTOFAILURE);
2026 PK11_RET(pkcs_C_FindObjects,
2027 (pk11_ctx->session, &rsa->object, (CK_ULONG)1, &cnt),
2028 DST_R_CRYPTOFAILURE);
2029 (void)pkcs_C_FindObjectsFinal(pk11_ctx->session);
2030 if (cnt == 0) {
2031 DST_RET(ISC_R_NOTFOUND);
2032 }
2033 if (cnt > 1) {
2034 DST_RET(ISC_R_EXISTS);
2035 }
2036
2037 if (engine != NULL) {
2038 key->engine = isc_mem_strdup(key->mctx, engine);
2039 }
2040
2041 key->label = isc_mem_strdup(key->mctx, label);
2042
2043 attr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT);
2044 INSIST(attr != NULL);
2045
2046 ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
2047 if (ret != ISC_R_SUCCESS) {
2048 goto err;
2049 }
2050 if (bits > RSA_MAX_PUBEXP_BITS) {
2051 DST_RET(ISC_R_RANGE);
2052 }
2053
2054 attr = pk11_attribute_bytype(rsa, CKA_MODULUS);
2055 INSIST(attr != NULL);
2056 ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
2057 if (ret != ISC_R_SUCCESS) {
2058 goto err;
2059 }
2060 key->key_size = bits;
2061
2062 pk11_return_session(pk11_ctx);
2063 isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
2064 isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
2065
2066 return (ISC_R_SUCCESS);
2067
2068 err:
2069 pkcs11rsa_destroy(key);
2070 if (pk11_ctx != NULL) {
2071 pk11_return_session(pk11_ctx);
2072 isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
2073 isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
2074 }
2075
2076 return (ret);
2077 }
2078
2079 static dst_func_t pkcs11rsa_functions = {
2080 pkcs11rsa_createctx,
2081 #ifndef PK11_RSA_PKCS_REPLACE
2082 pkcs11rsa_createctx2,
2083 #else /* ifndef PK11_RSA_PKCS_REPLACE */
2084 NULL, /*%< createctx2 */
2085 #endif /* ifndef PK11_RSA_PKCS_REPLACE */
2086 pkcs11rsa_destroyctx,
2087 pkcs11rsa_adddata,
2088 pkcs11rsa_sign,
2089 pkcs11rsa_verify,
2090 NULL, /*%< verify2 */
2091 NULL, /*%< computesecret */
2092 pkcs11rsa_compare,
2093 NULL, /*%< paramcompare */
2094 pkcs11rsa_generate,
2095 pkcs11rsa_isprivate,
2096 pkcs11rsa_destroy,
2097 pkcs11rsa_todns,
2098 pkcs11rsa_fromdns,
2099 pkcs11rsa_tofile,
2100 pkcs11rsa_parse,
2101 NULL, /*%< cleanup */
2102 pkcs11rsa_fromlabel,
2103 NULL, /*%< dump */
2104 NULL, /*%< restore */
2105 };
2106
2107 isc_result_t
dst__pkcs11rsa_init(dst_func_t ** funcp)2108 dst__pkcs11rsa_init(dst_func_t **funcp) {
2109 REQUIRE(funcp != NULL);
2110
2111 if (*funcp == NULL) {
2112 *funcp = &pkcs11rsa_functions;
2113 }
2114 return (ISC_R_SUCCESS);
2115 }
2116
2117 #endif /* USE_PKCS11 */
2118