1*e0c4386eSCy Schubert /*
2*e0c4386eSCy Schubert * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
3*e0c4386eSCy Schubert *
4*e0c4386eSCy Schubert * Licensed under the Apache License 2.0 (the "License"). You may not use
5*e0c4386eSCy Schubert * this file except in compliance with the License. You can obtain a copy
6*e0c4386eSCy Schubert * in the file LICENSE in the source distribution or at
7*e0c4386eSCy Schubert * https://www.openssl.org/source/license.html
8*e0c4386eSCy Schubert */
9*e0c4386eSCy Schubert
10*e0c4386eSCy Schubert #include <stdio.h>
11*e0c4386eSCy Schubert #include <stdlib.h>
12*e0c4386eSCy Schubert #include <openssl/core_names.h>
13*e0c4386eSCy Schubert #include <openssl/evp.h>
14*e0c4386eSCy Schubert #include <openssl/rsa.h>
15*e0c4386eSCy Schubert #include <openssl/params.h>
16*e0c4386eSCy Schubert #include <openssl/err.h>
17*e0c4386eSCy Schubert #include <openssl/bio.h>
18*e0c4386eSCy Schubert #include "rsa_pss.h"
19*e0c4386eSCy Schubert
20*e0c4386eSCy Schubert /*
21*e0c4386eSCy Schubert * The digest to be signed. This should be the output of a hash function.
22*e0c4386eSCy Schubert * Here we sign an all-zeroes digest for demonstration purposes.
23*e0c4386eSCy Schubert */
24*e0c4386eSCy Schubert static const unsigned char test_digest[32] = {0};
25*e0c4386eSCy Schubert
26*e0c4386eSCy Schubert /* A property query used for selecting algorithm implementations. */
27*e0c4386eSCy Schubert static const char *propq = NULL;
28*e0c4386eSCy Schubert
29*e0c4386eSCy Schubert /*
30*e0c4386eSCy Schubert * This function demonstrates RSA signing of a SHA-256 digest using the PSS
31*e0c4386eSCy Schubert * padding scheme. You must already have hashed the data you want to sign.
32*e0c4386eSCy Schubert * For a higher-level demonstration which does the hashing for you, see
33*e0c4386eSCy Schubert * rsa_pss_hash.c.
34*e0c4386eSCy Schubert *
35*e0c4386eSCy Schubert * For more information, see RFC 8017 section 9.1. The digest passed in
36*e0c4386eSCy Schubert * (test_digest above) corresponds to the 'mHash' value.
37*e0c4386eSCy Schubert */
sign(OSSL_LIB_CTX * libctx,unsigned char ** sig,size_t * sig_len)38*e0c4386eSCy Schubert static int sign(OSSL_LIB_CTX *libctx, unsigned char **sig, size_t *sig_len)
39*e0c4386eSCy Schubert {
40*e0c4386eSCy Schubert int rv = 0;
41*e0c4386eSCy Schubert EVP_PKEY *pkey = NULL;
42*e0c4386eSCy Schubert EVP_PKEY_CTX *ctx = NULL;
43*e0c4386eSCy Schubert EVP_MD *md = NULL;
44*e0c4386eSCy Schubert const unsigned char *ppriv_key = NULL;
45*e0c4386eSCy Schubert
46*e0c4386eSCy Schubert *sig = NULL;
47*e0c4386eSCy Schubert
48*e0c4386eSCy Schubert /* Load DER-encoded RSA private key. */
49*e0c4386eSCy Schubert ppriv_key = rsa_priv_key;
50*e0c4386eSCy Schubert pkey = d2i_PrivateKey_ex(EVP_PKEY_RSA, NULL, &ppriv_key,
51*e0c4386eSCy Schubert sizeof(rsa_priv_key), libctx, propq);
52*e0c4386eSCy Schubert if (pkey == NULL) {
53*e0c4386eSCy Schubert fprintf(stderr, "Failed to load private key\n");
54*e0c4386eSCy Schubert goto end;
55*e0c4386eSCy Schubert }
56*e0c4386eSCy Schubert
57*e0c4386eSCy Schubert /* Fetch hash algorithm we want to use. */
58*e0c4386eSCy Schubert md = EVP_MD_fetch(libctx, "SHA256", propq);
59*e0c4386eSCy Schubert if (md == NULL) {
60*e0c4386eSCy Schubert fprintf(stderr, "Failed to fetch hash algorithm\n");
61*e0c4386eSCy Schubert goto end;
62*e0c4386eSCy Schubert }
63*e0c4386eSCy Schubert
64*e0c4386eSCy Schubert /* Create signing context. */
65*e0c4386eSCy Schubert ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, propq);
66*e0c4386eSCy Schubert if (ctx == NULL) {
67*e0c4386eSCy Schubert fprintf(stderr, "Failed to create signing context\n");
68*e0c4386eSCy Schubert goto end;
69*e0c4386eSCy Schubert }
70*e0c4386eSCy Schubert
71*e0c4386eSCy Schubert /* Initialize context for signing and set options. */
72*e0c4386eSCy Schubert if (EVP_PKEY_sign_init(ctx) == 0) {
73*e0c4386eSCy Schubert fprintf(stderr, "Failed to initialize signing context\n");
74*e0c4386eSCy Schubert goto end;
75*e0c4386eSCy Schubert }
76*e0c4386eSCy Schubert
77*e0c4386eSCy Schubert if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PSS_PADDING) == 0) {
78*e0c4386eSCy Schubert fprintf(stderr, "Failed to configure padding\n");
79*e0c4386eSCy Schubert goto end;
80*e0c4386eSCy Schubert }
81*e0c4386eSCy Schubert
82*e0c4386eSCy Schubert if (EVP_PKEY_CTX_set_signature_md(ctx, md) == 0) {
83*e0c4386eSCy Schubert fprintf(stderr, "Failed to configure digest type\n");
84*e0c4386eSCy Schubert goto end;
85*e0c4386eSCy Schubert }
86*e0c4386eSCy Schubert
87*e0c4386eSCy Schubert /* Determine length of signature. */
88*e0c4386eSCy Schubert if (EVP_PKEY_sign(ctx, NULL, sig_len,
89*e0c4386eSCy Schubert test_digest, sizeof(test_digest)) == 0) {
90*e0c4386eSCy Schubert fprintf(stderr, "Failed to get signature length\n");
91*e0c4386eSCy Schubert goto end;
92*e0c4386eSCy Schubert }
93*e0c4386eSCy Schubert
94*e0c4386eSCy Schubert /* Allocate memory for signature. */
95*e0c4386eSCy Schubert *sig = OPENSSL_malloc(*sig_len);
96*e0c4386eSCy Schubert if (*sig == NULL) {
97*e0c4386eSCy Schubert fprintf(stderr, "Failed to allocate memory for signature\n");
98*e0c4386eSCy Schubert goto end;
99*e0c4386eSCy Schubert }
100*e0c4386eSCy Schubert
101*e0c4386eSCy Schubert /* Generate signature. */
102*e0c4386eSCy Schubert if (EVP_PKEY_sign(ctx, *sig, sig_len,
103*e0c4386eSCy Schubert test_digest, sizeof(test_digest)) != 1) {
104*e0c4386eSCy Schubert fprintf(stderr, "Failed to sign\n");
105*e0c4386eSCy Schubert goto end;
106*e0c4386eSCy Schubert }
107*e0c4386eSCy Schubert
108*e0c4386eSCy Schubert rv = 1;
109*e0c4386eSCy Schubert end:
110*e0c4386eSCy Schubert EVP_PKEY_CTX_free(ctx);
111*e0c4386eSCy Schubert EVP_PKEY_free(pkey);
112*e0c4386eSCy Schubert EVP_MD_free(md);
113*e0c4386eSCy Schubert
114*e0c4386eSCy Schubert if (rv == 0)
115*e0c4386eSCy Schubert OPENSSL_free(*sig);
116*e0c4386eSCy Schubert
117*e0c4386eSCy Schubert return rv;
118*e0c4386eSCy Schubert }
119*e0c4386eSCy Schubert
120*e0c4386eSCy Schubert /*
121*e0c4386eSCy Schubert * This function demonstrates verification of an RSA signature over a SHA-256
122*e0c4386eSCy Schubert * digest using the PSS signature scheme.
123*e0c4386eSCy Schubert */
verify(OSSL_LIB_CTX * libctx,const unsigned char * sig,size_t sig_len)124*e0c4386eSCy Schubert static int verify(OSSL_LIB_CTX *libctx, const unsigned char *sig, size_t sig_len)
125*e0c4386eSCy Schubert {
126*e0c4386eSCy Schubert int rv = 0;
127*e0c4386eSCy Schubert const unsigned char *ppub_key = NULL;
128*e0c4386eSCy Schubert EVP_PKEY *pkey = NULL;
129*e0c4386eSCy Schubert EVP_PKEY_CTX *ctx = NULL;
130*e0c4386eSCy Schubert EVP_MD *md = NULL;
131*e0c4386eSCy Schubert
132*e0c4386eSCy Schubert /* Load DER-encoded RSA public key. */
133*e0c4386eSCy Schubert ppub_key = rsa_pub_key;
134*e0c4386eSCy Schubert pkey = d2i_PublicKey(EVP_PKEY_RSA, NULL, &ppub_key, sizeof(rsa_pub_key));
135*e0c4386eSCy Schubert if (pkey == NULL) {
136*e0c4386eSCy Schubert fprintf(stderr, "Failed to load public key\n");
137*e0c4386eSCy Schubert goto end;
138*e0c4386eSCy Schubert }
139*e0c4386eSCy Schubert
140*e0c4386eSCy Schubert /* Fetch hash algorithm we want to use. */
141*e0c4386eSCy Schubert md = EVP_MD_fetch(libctx, "SHA256", propq);
142*e0c4386eSCy Schubert if (md == NULL) {
143*e0c4386eSCy Schubert fprintf(stderr, "Failed to fetch hash algorithm\n");
144*e0c4386eSCy Schubert goto end;
145*e0c4386eSCy Schubert }
146*e0c4386eSCy Schubert
147*e0c4386eSCy Schubert /* Create verification context. */
148*e0c4386eSCy Schubert ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, propq);
149*e0c4386eSCy Schubert if (ctx == NULL) {
150*e0c4386eSCy Schubert fprintf(stderr, "Failed to create verification context\n");
151*e0c4386eSCy Schubert goto end;
152*e0c4386eSCy Schubert }
153*e0c4386eSCy Schubert
154*e0c4386eSCy Schubert /* Initialize context for verification and set options. */
155*e0c4386eSCy Schubert if (EVP_PKEY_verify_init(ctx) == 0) {
156*e0c4386eSCy Schubert fprintf(stderr, "Failed to initialize verification context\n");
157*e0c4386eSCy Schubert goto end;
158*e0c4386eSCy Schubert }
159*e0c4386eSCy Schubert
160*e0c4386eSCy Schubert if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PSS_PADDING) == 0) {
161*e0c4386eSCy Schubert fprintf(stderr, "Failed to configure padding\n");
162*e0c4386eSCy Schubert goto end;
163*e0c4386eSCy Schubert }
164*e0c4386eSCy Schubert
165*e0c4386eSCy Schubert if (EVP_PKEY_CTX_set_signature_md(ctx, md) == 0) {
166*e0c4386eSCy Schubert fprintf(stderr, "Failed to configure digest type\n");
167*e0c4386eSCy Schubert goto end;
168*e0c4386eSCy Schubert }
169*e0c4386eSCy Schubert
170*e0c4386eSCy Schubert /* Verify signature. */
171*e0c4386eSCy Schubert if (EVP_PKEY_verify(ctx, sig, sig_len,
172*e0c4386eSCy Schubert test_digest, sizeof(test_digest)) == 0) {
173*e0c4386eSCy Schubert fprintf(stderr, "Failed to verify signature; "
174*e0c4386eSCy Schubert "signature may be invalid\n");
175*e0c4386eSCy Schubert goto end;
176*e0c4386eSCy Schubert }
177*e0c4386eSCy Schubert
178*e0c4386eSCy Schubert rv = 1;
179*e0c4386eSCy Schubert end:
180*e0c4386eSCy Schubert EVP_PKEY_CTX_free(ctx);
181*e0c4386eSCy Schubert EVP_PKEY_free(pkey);
182*e0c4386eSCy Schubert EVP_MD_free(md);
183*e0c4386eSCy Schubert return rv;
184*e0c4386eSCy Schubert }
185*e0c4386eSCy Schubert
main(int argc,char ** argv)186*e0c4386eSCy Schubert int main(int argc, char **argv)
187*e0c4386eSCy Schubert {
188*e0c4386eSCy Schubert int rv = 1;
189*e0c4386eSCy Schubert OSSL_LIB_CTX *libctx = NULL;
190*e0c4386eSCy Schubert unsigned char *sig = NULL;
191*e0c4386eSCy Schubert size_t sig_len = 0;
192*e0c4386eSCy Schubert
193*e0c4386eSCy Schubert if (sign(libctx, &sig, &sig_len) == 0)
194*e0c4386eSCy Schubert goto end;
195*e0c4386eSCy Schubert
196*e0c4386eSCy Schubert if (verify(libctx, sig, sig_len) == 0)
197*e0c4386eSCy Schubert goto end;
198*e0c4386eSCy Schubert
199*e0c4386eSCy Schubert rv = 0;
200*e0c4386eSCy Schubert end:
201*e0c4386eSCy Schubert OPENSSL_free(sig);
202*e0c4386eSCy Schubert OSSL_LIB_CTX_free(libctx);
203*e0c4386eSCy Schubert return rv;
204*e0c4386eSCy Schubert }
205