1 /* $OpenBSD: rsa_ameth.c,v 1.24 2019/11/20 10:46:17 inoguchi Exp $ */ 2 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 3 * project 2006. 4 */ 5 /* ==================================================================== 6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in 17 * the documentation and/or other materials provided with the 18 * distribution. 19 * 20 * 3. All advertising materials mentioning features or use of this 21 * software must display the following acknowledgment: 22 * "This product includes software developed by the OpenSSL Project 23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 24 * 25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 26 * endorse or promote products derived from this software without 27 * prior written permission. For written permission, please contact 28 * licensing@OpenSSL.org. 29 * 30 * 5. Products derived from this software may not be called "OpenSSL" 31 * nor may "OpenSSL" appear in their names without prior written 32 * permission of the OpenSSL Project. 33 * 34 * 6. Redistributions of any form whatsoever must retain the following 35 * acknowledgment: 36 * "This product includes software developed by the OpenSSL Project 37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 38 * 39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 50 * OF THE POSSIBILITY OF SUCH DAMAGE. 51 * ==================================================================== 52 * 53 * This product includes cryptographic software written by Eric Young 54 * (eay@cryptsoft.com). This product includes software written by Tim 55 * Hudson (tjh@cryptsoft.com). 56 * 57 */ 58 59 #include <stdio.h> 60 61 #include <openssl/opensslconf.h> 62 63 #include <openssl/asn1t.h> 64 #include <openssl/bn.h> 65 #include <openssl/cms.h> 66 #include <openssl/err.h> 67 #include <openssl/x509.h> 68 69 #include "asn1_locl.h" 70 #include "cryptlib.h" 71 #include "evp_locl.h" 72 #include "rsa_locl.h" 73 74 #ifndef OPENSSL_NO_CMS 75 static int rsa_cms_sign(CMS_SignerInfo *si); 76 static int rsa_cms_verify(CMS_SignerInfo *si); 77 static int rsa_cms_decrypt(CMS_RecipientInfo *ri); 78 static int rsa_cms_encrypt(CMS_RecipientInfo *ri); 79 #endif 80 81 static RSA_PSS_PARAMS *rsa_pss_decode(const X509_ALGOR *alg); 82 83 /* Set any parameters associated with pkey */ 84 static int 85 rsa_param_encode(const EVP_PKEY *pkey, ASN1_STRING **pstr, int *pstrtype) 86 { 87 const RSA *rsa = pkey->pkey.rsa; 88 89 *pstr = NULL; 90 91 /* If RSA it's just NULL type */ 92 if (pkey->ameth->pkey_id != EVP_PKEY_RSA_PSS) { 93 *pstrtype = V_ASN1_NULL; 94 return 1; 95 } 96 97 /* If no PSS parameters we omit parameters entirely */ 98 if (rsa->pss == NULL) { 99 *pstrtype = V_ASN1_UNDEF; 100 return 1; 101 } 102 103 /* Encode PSS parameters */ 104 if (ASN1_item_pack(rsa->pss, &RSA_PSS_PARAMS_it, pstr) == NULL) 105 return 0; 106 107 *pstrtype = V_ASN1_SEQUENCE; 108 return 1; 109 } 110 111 /* Decode any parameters and set them in RSA structure */ 112 static int 113 rsa_param_decode(RSA *rsa, const X509_ALGOR *alg) 114 { 115 const ASN1_OBJECT *algoid; 116 const void *algp; 117 int algptype; 118 119 X509_ALGOR_get0(&algoid, &algptype, &algp, alg); 120 if (OBJ_obj2nid(algoid) != EVP_PKEY_RSA_PSS) 121 return 1; 122 if (algptype == V_ASN1_UNDEF) 123 return 1; 124 if (algptype != V_ASN1_SEQUENCE) { 125 RSAerror(RSA_R_INVALID_PSS_PARAMETERS); 126 return 0; 127 } 128 rsa->pss = rsa_pss_decode(alg); 129 if (rsa->pss == NULL) 130 return 0; 131 return 1; 132 } 133 134 static int 135 rsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey) 136 { 137 unsigned char *penc = NULL; 138 int penclen; 139 ASN1_STRING *str; 140 int strtype; 141 142 if (!rsa_param_encode(pkey, &str, &strtype)) 143 return 0; 144 penclen = i2d_RSAPublicKey(pkey->pkey.rsa, &penc); 145 if (penclen <= 0) 146 return 0; 147 if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(pkey->ameth->pkey_id), 148 strtype, str, penc, penclen)) 149 return 1; 150 151 free(penc); 152 153 return 0; 154 } 155 156 static int 157 rsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey) 158 { 159 const unsigned char *p; 160 int pklen; 161 X509_ALGOR *alg; 162 RSA *rsa = NULL; 163 164 if (!X509_PUBKEY_get0_param(NULL, &p, &pklen, &alg, pubkey)) 165 return 0; 166 if ((rsa = d2i_RSAPublicKey(NULL, &p, pklen)) == NULL) { 167 RSAerror(ERR_R_RSA_LIB); 168 return 0; 169 } 170 if (!rsa_param_decode(rsa, alg)) { 171 RSA_free(rsa); 172 return 0; 173 } 174 if (!EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa)) { 175 RSA_free(rsa); 176 return 0; 177 } 178 return 1; 179 } 180 181 static int 182 rsa_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b) 183 { 184 if (BN_cmp(b->pkey.rsa->n, a->pkey.rsa->n) != 0 || 185 BN_cmp(b->pkey.rsa->e, a->pkey.rsa->e) != 0) 186 return 0; 187 188 return 1; 189 } 190 191 static int 192 old_rsa_priv_decode(EVP_PKEY *pkey, const unsigned char **pder, int derlen) 193 { 194 RSA *rsa; 195 196 if ((rsa = d2i_RSAPrivateKey(NULL, pder, derlen)) == NULL) { 197 RSAerror(ERR_R_RSA_LIB); 198 return 0; 199 } 200 EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa); 201 return 1; 202 } 203 204 static int 205 old_rsa_priv_encode(const EVP_PKEY *pkey, unsigned char **pder) 206 { 207 return i2d_RSAPrivateKey(pkey->pkey.rsa, pder); 208 } 209 210 static int 211 rsa_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey) 212 { 213 unsigned char *rk = NULL; 214 int rklen; 215 ASN1_STRING *str; 216 int strtype; 217 218 if (!rsa_param_encode(pkey, &str, &strtype)) 219 return 0; 220 221 rklen = i2d_RSAPrivateKey(pkey->pkey.rsa, &rk); 222 if (rklen <= 0) { 223 RSAerror(ERR_R_MALLOC_FAILURE); 224 ASN1_STRING_free(str); 225 return 0; 226 } 227 228 if (!PKCS8_pkey_set0(p8, OBJ_nid2obj(pkey->ameth->pkey_id), 0, 229 strtype, str, rk, rklen)) { 230 RSAerror(ERR_R_MALLOC_FAILURE); 231 ASN1_STRING_free(str); 232 return 0; 233 } 234 235 return 1; 236 } 237 238 static int 239 rsa_priv_decode(EVP_PKEY *pkey, const PKCS8_PRIV_KEY_INFO *p8) 240 { 241 const unsigned char *p; 242 RSA *rsa; 243 int pklen; 244 const X509_ALGOR *alg; 245 246 if (!PKCS8_pkey_get0(NULL, &p, &pklen, &alg, p8)) 247 return 0; 248 rsa = d2i_RSAPrivateKey(NULL, &p, pklen); 249 if (rsa == NULL) { 250 RSAerror(ERR_R_RSA_LIB); 251 return 0; 252 } 253 if (!rsa_param_decode(rsa, alg)) { 254 RSA_free(rsa); 255 return 0; 256 } 257 EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa); 258 259 return 1; 260 } 261 262 static int 263 int_rsa_size(const EVP_PKEY *pkey) 264 { 265 return RSA_size(pkey->pkey.rsa); 266 } 267 268 static int 269 rsa_bits(const EVP_PKEY *pkey) 270 { 271 return BN_num_bits(pkey->pkey.rsa->n); 272 } 273 274 static void 275 int_rsa_free(EVP_PKEY *pkey) 276 { 277 RSA_free(pkey->pkey.rsa); 278 } 279 280 static X509_ALGOR * 281 rsa_mgf1_decode(X509_ALGOR *alg) 282 { 283 if (OBJ_obj2nid(alg->algorithm) != NID_mgf1) 284 return NULL; 285 286 return ASN1_TYPE_unpack_sequence(&X509_ALGOR_it, alg->parameter); 287 } 288 289 static RSA_PSS_PARAMS * 290 rsa_pss_decode(const X509_ALGOR *alg) 291 { 292 RSA_PSS_PARAMS *pss; 293 294 pss = ASN1_TYPE_unpack_sequence(&RSA_PSS_PARAMS_it, alg->parameter); 295 if (pss == NULL) 296 return NULL; 297 298 if (pss->maskGenAlgorithm != NULL) { 299 pss->maskHash = rsa_mgf1_decode(pss->maskGenAlgorithm); 300 if (pss->maskHash == NULL) { 301 RSA_PSS_PARAMS_free(pss); 302 return NULL; 303 } 304 } 305 306 return pss; 307 } 308 309 static int 310 rsa_pss_param_print(BIO *bp, int pss_key, RSA_PSS_PARAMS *pss, int indent) 311 { 312 int rv = 0; 313 X509_ALGOR *maskHash = NULL; 314 315 if (!BIO_indent(bp, indent, 128)) 316 goto err; 317 if (pss_key) { 318 if (pss == NULL) { 319 if (BIO_puts(bp, "No PSS parameter restrictions\n") <= 0) 320 return 0; 321 return 1; 322 } else { 323 if (BIO_puts(bp, "PSS parameter restrictions:") <= 0) 324 return 0; 325 } 326 } else if (pss == NULL) { 327 if (BIO_puts(bp,"(INVALID PSS PARAMETERS)\n") <= 0) 328 return 0; 329 return 1; 330 } 331 if (BIO_puts(bp, "\n") <= 0) 332 goto err; 333 if (pss_key) 334 indent += 2; 335 if (!BIO_indent(bp, indent, 128)) 336 goto err; 337 if (BIO_puts(bp, "Hash Algorithm: ") <= 0) 338 goto err; 339 340 if (pss->hashAlgorithm) { 341 if (i2a_ASN1_OBJECT(bp, pss->hashAlgorithm->algorithm) <= 0) 342 goto err; 343 } else if (BIO_puts(bp, "sha1 (default)") <= 0) { 344 goto err; 345 } 346 347 if (BIO_puts(bp, "\n") <= 0) 348 goto err; 349 350 if (!BIO_indent(bp, indent, 128)) 351 goto err; 352 353 if (BIO_puts(bp, "Mask Algorithm: ") <= 0) 354 goto err; 355 if (pss->maskGenAlgorithm) { 356 if (i2a_ASN1_OBJECT(bp, pss->maskGenAlgorithm->algorithm) <= 0) 357 goto err; 358 if (BIO_puts(bp, " with ") <= 0) 359 goto err; 360 maskHash = rsa_mgf1_decode(pss->maskGenAlgorithm); 361 if (maskHash != NULL) { 362 if (i2a_ASN1_OBJECT(bp, maskHash->algorithm) <= 0) 363 goto err; 364 } else if (BIO_puts(bp, "INVALID") <= 0) { 365 goto err; 366 } 367 } else if (BIO_puts(bp, "mgf1 with sha1 (default)") <= 0) { 368 goto err; 369 } 370 BIO_puts(bp, "\n"); 371 372 if (!BIO_indent(bp, indent, 128)) 373 goto err; 374 if (BIO_printf(bp, "%s Salt Length: 0x", pss_key ? "Minimum" : "") <= 0) 375 goto err; 376 if (pss->saltLength) { 377 if (i2a_ASN1_INTEGER(bp, pss->saltLength) <= 0) 378 goto err; 379 } else if (BIO_puts(bp, "14 (default)") <= 0) { 380 goto err; 381 } 382 BIO_puts(bp, "\n"); 383 384 if (!BIO_indent(bp, indent, 128)) 385 goto err; 386 if (BIO_puts(bp, "Trailer Field: 0x") <= 0) 387 goto err; 388 if (pss->trailerField) { 389 if (i2a_ASN1_INTEGER(bp, pss->trailerField) <= 0) 390 goto err; 391 } else if (BIO_puts(bp, "BC (default)") <= 0) { 392 goto err; 393 } 394 BIO_puts(bp, "\n"); 395 396 rv = 1; 397 398 err: 399 X509_ALGOR_free(maskHash); 400 return rv; 401 402 } 403 404 static void 405 update_buflen(const BIGNUM *b, size_t *pbuflen) 406 { 407 size_t i; 408 409 if (!b) 410 return; 411 if (*pbuflen < (i = (size_t)BN_num_bytes(b))) 412 *pbuflen = i; 413 } 414 415 static int 416 pkey_rsa_print(BIO *bp, const EVP_PKEY *pkey, int off, int priv) 417 { 418 const RSA *x = pkey->pkey.rsa; 419 unsigned char *m = NULL; 420 char *str; 421 const char *s; 422 int ret = 0, mod_len = 0; 423 size_t buf_len = 0; 424 425 update_buflen(x->n, &buf_len); 426 update_buflen(x->e, &buf_len); 427 428 if (priv) { 429 update_buflen(x->d, &buf_len); 430 update_buflen(x->p, &buf_len); 431 update_buflen(x->q, &buf_len); 432 update_buflen(x->dmp1, &buf_len); 433 update_buflen(x->dmq1, &buf_len); 434 update_buflen(x->iqmp, &buf_len); 435 } 436 437 m = malloc(buf_len + 10); 438 if (m == NULL) { 439 RSAerror(ERR_R_MALLOC_FAILURE); 440 goto err; 441 } 442 443 if (x->n != NULL) 444 mod_len = BN_num_bits(x->n); 445 446 if (!BIO_indent(bp, off, 128)) 447 goto err; 448 449 if (BIO_printf(bp, "%s ", pkey_is_pss(pkey) ? "RSA-PSS" : "RSA") <= 0) 450 goto err; 451 452 if (priv && x->d != NULL) { 453 if (BIO_printf(bp, "Private-Key: (%d bit)\n", mod_len) <= 0) 454 goto err; 455 str = "modulus:"; 456 s = "publicExponent:"; 457 } else { 458 if (BIO_printf(bp, "Public-Key: (%d bit)\n", mod_len) <= 0) 459 goto err; 460 str = "Modulus:"; 461 s = "Exponent:"; 462 } 463 if (!ASN1_bn_print(bp, str, x->n, m, off)) 464 goto err; 465 if (!ASN1_bn_print(bp, s, x->e, m, off)) 466 goto err; 467 if (priv) { 468 if (!ASN1_bn_print(bp, "privateExponent:", x->d, m, off)) 469 goto err; 470 if (!ASN1_bn_print(bp, "prime1:", x->p, m, off)) 471 goto err; 472 if (!ASN1_bn_print(bp, "prime2:", x->q, m, off)) 473 goto err; 474 if (!ASN1_bn_print(bp, "exponent1:", x->dmp1, m, off)) 475 goto err; 476 if (!ASN1_bn_print(bp, "exponent2:", x->dmq1, m, off)) 477 goto err; 478 if (!ASN1_bn_print(bp, "coefficient:", x->iqmp, m, off)) 479 goto err; 480 } 481 if (pkey_is_pss(pkey) && !rsa_pss_param_print(bp, 1, x->pss, off)) 482 goto err; 483 ret = 1; 484 err: 485 free(m); 486 return ret; 487 } 488 489 static int 490 rsa_pub_print(BIO *bp, const EVP_PKEY *pkey, int indent, ASN1_PCTX *ctx) 491 { 492 return pkey_rsa_print(bp, pkey, indent, 0); 493 } 494 495 static int 496 rsa_priv_print(BIO *bp, const EVP_PKEY *pkey, int indent, ASN1_PCTX *ctx) 497 { 498 return pkey_rsa_print(bp, pkey, indent, 1); 499 } 500 501 static int 502 rsa_sig_print(BIO *bp, const X509_ALGOR *sigalg, const ASN1_STRING *sig, 503 int indent, ASN1_PCTX *pctx) 504 { 505 if (OBJ_obj2nid(sigalg->algorithm) == EVP_PKEY_RSA_PSS) { 506 int rv; 507 RSA_PSS_PARAMS *pss = rsa_pss_decode(sigalg); 508 509 rv = rsa_pss_param_print(bp, 0, pss, indent); 510 RSA_PSS_PARAMS_free(pss); 511 if (!rv) 512 return 0; 513 } else if (!sig && BIO_puts(bp, "\n") <= 0) { 514 return 0; 515 } 516 if (sig) 517 return X509_signature_dump(bp, sig, indent); 518 return 1; 519 } 520 521 static int 522 rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2) 523 { 524 X509_ALGOR *alg = NULL; 525 const EVP_MD *md; 526 const EVP_MD *mgf1md; 527 int min_saltlen; 528 529 switch (op) { 530 case ASN1_PKEY_CTRL_PKCS7_SIGN: 531 if (arg1 == 0) 532 PKCS7_SIGNER_INFO_get0_algs(arg2, NULL, NULL, &alg); 533 break; 534 535 case ASN1_PKEY_CTRL_PKCS7_ENCRYPT: 536 if (pkey_is_pss(pkey)) 537 return -2; 538 if (arg1 == 0) 539 PKCS7_RECIP_INFO_get0_alg(arg2, &alg); 540 break; 541 #ifndef OPENSSL_NO_CMS 542 case ASN1_PKEY_CTRL_CMS_SIGN: 543 if (arg1 == 0) 544 return rsa_cms_sign(arg2); 545 else if (arg1 == 1) 546 return rsa_cms_verify(arg2); 547 break; 548 549 case ASN1_PKEY_CTRL_CMS_ENVELOPE: 550 if (pkey_is_pss(pkey)) 551 return -2; 552 if (arg1 == 0) 553 return rsa_cms_encrypt(arg2); 554 else if (arg1 == 1) 555 return rsa_cms_decrypt(arg2); 556 break; 557 558 case ASN1_PKEY_CTRL_CMS_RI_TYPE: 559 if (pkey_is_pss(pkey)) 560 return -2; 561 *(int *)arg2 = CMS_RECIPINFO_TRANS; 562 return 1; 563 #endif 564 565 case ASN1_PKEY_CTRL_DEFAULT_MD_NID: 566 if (pkey->pkey.rsa->pss != NULL) { 567 if (!rsa_pss_get_param(pkey->pkey.rsa->pss, &md, &mgf1md, 568 &min_saltlen)) { 569 RSAerror(ERR_R_INTERNAL_ERROR); 570 return 0; 571 } 572 *(int *)arg2 = EVP_MD_type(md); 573 /* Return of 2 indicates this MD is mandatory */ 574 return 2; 575 } 576 *(int *)arg2 = NID_sha256; 577 return 1; 578 579 default: 580 return -2; 581 } 582 583 if (alg) 584 X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption), 585 V_ASN1_NULL, 0); 586 587 return 1; 588 } 589 590 /* Allocate and set algorithm ID from EVP_MD, defaults to SHA1. */ 591 static int 592 rsa_md_to_algor(X509_ALGOR **palg, const EVP_MD *md) 593 { 594 if (md == NULL || EVP_MD_type(md) == NID_sha1) 595 return 1; 596 *palg = X509_ALGOR_new(); 597 if (*palg == NULL) 598 return 0; 599 X509_ALGOR_set_md(*palg, md); 600 return 1; 601 } 602 603 /* Allocate and set MGF1 algorithm ID from EVP_MD. */ 604 static int 605 rsa_md_to_mgf1(X509_ALGOR **palg, const EVP_MD *mgf1md) 606 { 607 X509_ALGOR *algtmp = NULL; 608 ASN1_STRING *stmp = NULL; 609 610 *palg = NULL; 611 if (mgf1md == NULL || EVP_MD_type(mgf1md) == NID_sha1) 612 return 1; 613 /* need to embed algorithm ID inside another */ 614 if (!rsa_md_to_algor(&algtmp, mgf1md)) 615 goto err; 616 if (ASN1_item_pack(algtmp, &X509_ALGOR_it, &stmp) == NULL) 617 goto err; 618 *palg = X509_ALGOR_new(); 619 if (*palg == NULL) 620 goto err; 621 X509_ALGOR_set0(*palg, OBJ_nid2obj(NID_mgf1), V_ASN1_SEQUENCE, stmp); 622 stmp = NULL; 623 err: 624 ASN1_STRING_free(stmp); 625 X509_ALGOR_free(algtmp); 626 if (*palg) 627 return 1; 628 return 0; 629 } 630 631 /* Convert algorithm ID to EVP_MD, defaults to SHA1. */ 632 static const EVP_MD * 633 rsa_algor_to_md(X509_ALGOR *alg) 634 { 635 const EVP_MD *md; 636 637 if (!alg) 638 return EVP_sha1(); 639 md = EVP_get_digestbyobj(alg->algorithm); 640 if (md == NULL) 641 RSAerror(RSA_R_UNKNOWN_DIGEST); 642 return md; 643 } 644 645 /* 646 * Convert EVP_PKEY_CTX in PSS mode into corresponding algorithm parameter, 647 * suitable for setting an AlgorithmIdentifier. 648 */ 649 static RSA_PSS_PARAMS * 650 rsa_ctx_to_pss(EVP_PKEY_CTX *pkctx) 651 { 652 const EVP_MD *sigmd, *mgf1md; 653 EVP_PKEY *pk = EVP_PKEY_CTX_get0_pkey(pkctx); 654 int saltlen; 655 656 if (EVP_PKEY_CTX_get_signature_md(pkctx, &sigmd) <= 0) 657 return NULL; 658 if (EVP_PKEY_CTX_get_rsa_mgf1_md(pkctx, &mgf1md) <= 0) 659 return NULL; 660 if (!EVP_PKEY_CTX_get_rsa_pss_saltlen(pkctx, &saltlen)) 661 return NULL; 662 if (saltlen == -1) { 663 saltlen = EVP_MD_size(sigmd); 664 } else if (saltlen == -2 || saltlen == -3) { 665 saltlen = EVP_PKEY_size(pk) - EVP_MD_size(sigmd) - 2; 666 if ((EVP_PKEY_bits(pk) & 0x7) == 1) 667 saltlen--; 668 if (saltlen < 0) 669 return NULL; 670 } 671 672 return rsa_pss_params_create(sigmd, mgf1md, saltlen); 673 } 674 675 RSA_PSS_PARAMS * 676 rsa_pss_params_create(const EVP_MD *sigmd, const EVP_MD *mgf1md, int saltlen) 677 { 678 RSA_PSS_PARAMS *pss = RSA_PSS_PARAMS_new(); 679 680 if (pss == NULL) 681 goto err; 682 if (saltlen != 20) { 683 pss->saltLength = ASN1_INTEGER_new(); 684 if (pss->saltLength == NULL) 685 goto err; 686 if (!ASN1_INTEGER_set(pss->saltLength, saltlen)) 687 goto err; 688 } 689 if (!rsa_md_to_algor(&pss->hashAlgorithm, sigmd)) 690 goto err; 691 if (mgf1md == NULL) 692 mgf1md = sigmd; 693 if (!rsa_md_to_mgf1(&pss->maskGenAlgorithm, mgf1md)) 694 goto err; 695 if (!rsa_md_to_algor(&pss->maskHash, mgf1md)) 696 goto err; 697 return pss; 698 err: 699 RSA_PSS_PARAMS_free(pss); 700 return NULL; 701 } 702 703 static ASN1_STRING * 704 rsa_ctx_to_pss_string(EVP_PKEY_CTX *pkctx) 705 { 706 RSA_PSS_PARAMS *pss = rsa_ctx_to_pss(pkctx); 707 ASN1_STRING *os; 708 709 if (pss == NULL) 710 return NULL; 711 712 os = ASN1_item_pack(pss, &RSA_PSS_PARAMS_it, NULL); 713 RSA_PSS_PARAMS_free(pss); 714 return os; 715 } 716 717 /* 718 * From PSS AlgorithmIdentifier set public key parameters. If pkey isn't NULL 719 * then the EVP_MD_CTX is setup and initialised. If it is NULL parameters are 720 * passed to pkctx instead. 721 */ 722 723 static int 724 rsa_pss_to_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pkctx, 725 X509_ALGOR *sigalg, EVP_PKEY *pkey) 726 { 727 int rv = -1; 728 int saltlen; 729 const EVP_MD *mgf1md = NULL, *md = NULL; 730 RSA_PSS_PARAMS *pss; 731 732 /* Sanity check: make sure it is PSS */ 733 if (OBJ_obj2nid(sigalg->algorithm) != EVP_PKEY_RSA_PSS) { 734 RSAerror(RSA_R_UNSUPPORTED_SIGNATURE_TYPE); 735 return -1; 736 } 737 /* Decode PSS parameters */ 738 pss = rsa_pss_decode(sigalg); 739 740 if (!rsa_pss_get_param(pss, &md, &mgf1md, &saltlen)) { 741 RSAerror(RSA_R_INVALID_PSS_PARAMETERS); 742 goto err; 743 } 744 745 /* We have all parameters now set up context */ 746 if (pkey) { 747 if (!EVP_DigestVerifyInit(ctx, &pkctx, md, NULL, pkey)) 748 goto err; 749 } else { 750 const EVP_MD *checkmd; 751 if (EVP_PKEY_CTX_get_signature_md(pkctx, &checkmd) <= 0) 752 goto err; 753 if (EVP_MD_type(md) != EVP_MD_type(checkmd)) { 754 RSAerror(RSA_R_DIGEST_DOES_NOT_MATCH); 755 goto err; 756 } 757 } 758 759 if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_PSS_PADDING) <= 0) 760 goto err; 761 762 if (EVP_PKEY_CTX_set_rsa_pss_saltlen(pkctx, saltlen) <= 0) 763 goto err; 764 765 if (EVP_PKEY_CTX_set_rsa_mgf1_md(pkctx, mgf1md) <= 0) 766 goto err; 767 /* Carry on */ 768 rv = 1; 769 770 err: 771 RSA_PSS_PARAMS_free(pss); 772 return rv; 773 } 774 775 int 776 rsa_pss_get_param(const RSA_PSS_PARAMS *pss, const EVP_MD **pmd, 777 const EVP_MD **pmgf1md, int *psaltlen) 778 { 779 if (pss == NULL) 780 return 0; 781 *pmd = rsa_algor_to_md(pss->hashAlgorithm); 782 if (*pmd == NULL) 783 return 0; 784 *pmgf1md = rsa_algor_to_md(pss->maskHash); 785 if (*pmgf1md == NULL) 786 return 0; 787 if (pss->saltLength) { 788 *psaltlen = ASN1_INTEGER_get(pss->saltLength); 789 if (*psaltlen < 0) { 790 RSAerror(RSA_R_INVALID_SALT_LENGTH); 791 return 0; 792 } 793 } else { 794 *psaltlen = 20; 795 } 796 797 /* 798 * low-level routines support only trailer field 0xbc (value 1) and 799 * PKCS#1 says we should reject any other value anyway. 800 */ 801 if (pss->trailerField && ASN1_INTEGER_get(pss->trailerField) != 1) { 802 RSAerror(RSA_R_INVALID_TRAILER); 803 return 0; 804 } 805 806 return 1; 807 } 808 809 #ifndef OPENSSL_NO_CMS 810 static int 811 rsa_cms_verify(CMS_SignerInfo *si) 812 { 813 int nid, nid2; 814 X509_ALGOR *alg; 815 EVP_PKEY_CTX *pkctx = CMS_SignerInfo_get0_pkey_ctx(si); 816 817 CMS_SignerInfo_get0_algs(si, NULL, NULL, NULL, &alg); 818 nid = OBJ_obj2nid(alg->algorithm); 819 if (nid == EVP_PKEY_RSA_PSS) 820 return rsa_pss_to_ctx(NULL, pkctx, alg, NULL); 821 /* Only PSS allowed for PSS keys */ 822 if (pkey_ctx_is_pss(pkctx)) { 823 RSAerror(RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE); 824 return 0; 825 } 826 if (nid == NID_rsaEncryption) 827 return 1; 828 /* Workaround for some implementation that use a signature OID */ 829 if (OBJ_find_sigid_algs(nid, NULL, &nid2)) { 830 if (nid2 == NID_rsaEncryption) 831 return 1; 832 } 833 return 0; 834 } 835 #endif 836 837 /* 838 * Customised RSA item verification routine. This is called when a signature 839 * is encountered requiring special handling. We currently only handle PSS. 840 */ 841 static int 842 rsa_item_verify(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn, 843 X509_ALGOR *sigalg, ASN1_BIT_STRING *sig, EVP_PKEY *pkey) 844 { 845 /* Sanity check: make sure it is PSS */ 846 if (OBJ_obj2nid(sigalg->algorithm) != EVP_PKEY_RSA_PSS) { 847 RSAerror(RSA_R_UNSUPPORTED_SIGNATURE_TYPE); 848 return -1; 849 } 850 if (rsa_pss_to_ctx(ctx, NULL, sigalg, pkey) > 0) { 851 /* Carry on */ 852 return 2; 853 } 854 return -1; 855 } 856 857 #ifndef OPENSSL_NO_CMS 858 static int 859 rsa_cms_sign(CMS_SignerInfo *si) 860 { 861 int pad_mode = RSA_PKCS1_PADDING; 862 X509_ALGOR *alg; 863 EVP_PKEY_CTX *pkctx = CMS_SignerInfo_get0_pkey_ctx(si); 864 ASN1_STRING *os = NULL; 865 866 CMS_SignerInfo_get0_algs(si, NULL, NULL, NULL, &alg); 867 if (pkctx) { 868 if (EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode) <= 0) 869 return 0; 870 } 871 if (pad_mode == RSA_PKCS1_PADDING) { 872 X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption), V_ASN1_NULL, 0); 873 return 1; 874 } 875 /* We don't support it */ 876 if (pad_mode != RSA_PKCS1_PSS_PADDING) 877 return 0; 878 os = rsa_ctx_to_pss_string(pkctx); 879 if (!os) 880 return 0; 881 X509_ALGOR_set0(alg, OBJ_nid2obj(EVP_PKEY_RSA_PSS), V_ASN1_SEQUENCE, os); 882 return 1; 883 } 884 #endif 885 886 static int 887 rsa_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn, 888 X509_ALGOR *alg1, X509_ALGOR *alg2, ASN1_BIT_STRING *sig) 889 { 890 EVP_PKEY_CTX *pkctx = ctx->pctx; 891 int pad_mode; 892 893 if (EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode) <= 0) 894 return 0; 895 if (pad_mode == RSA_PKCS1_PADDING) 896 return 2; 897 if (pad_mode == RSA_PKCS1_PSS_PADDING) { 898 ASN1_STRING *os1 = NULL; 899 os1 = rsa_ctx_to_pss_string(pkctx); 900 if (!os1) 901 return 0; 902 /* Duplicate parameters if we have to */ 903 if (alg2) { 904 ASN1_STRING *os2 = ASN1_STRING_dup(os1); 905 if (!os2) { 906 ASN1_STRING_free(os1); 907 return 0; 908 } 909 X509_ALGOR_set0(alg2, OBJ_nid2obj(EVP_PKEY_RSA_PSS), 910 V_ASN1_SEQUENCE, os2); 911 } 912 X509_ALGOR_set0(alg1, OBJ_nid2obj(EVP_PKEY_RSA_PSS), 913 V_ASN1_SEQUENCE, os1); 914 return 3; 915 } 916 return 2; 917 } 918 919 #ifndef OPENSSL_NO_CMS 920 static RSA_OAEP_PARAMS * 921 rsa_oaep_decode(const X509_ALGOR *alg) 922 { 923 RSA_OAEP_PARAMS *oaep; 924 925 oaep = ASN1_TYPE_unpack_sequence(&RSA_OAEP_PARAMS_it, alg->parameter); 926 if (oaep == NULL) 927 return NULL; 928 929 if (oaep->maskGenFunc != NULL) { 930 oaep->maskHash = rsa_mgf1_decode(oaep->maskGenFunc); 931 if (oaep->maskHash == NULL) { 932 RSA_OAEP_PARAMS_free(oaep); 933 return NULL; 934 } 935 } 936 return oaep; 937 } 938 939 static int 940 rsa_cms_decrypt(CMS_RecipientInfo *ri) 941 { 942 EVP_PKEY_CTX *pkctx; 943 X509_ALGOR *cmsalg; 944 int nid; 945 int rv = -1; 946 unsigned char *label = NULL; 947 int labellen = 0; 948 const EVP_MD *mgf1md = NULL, *md = NULL; 949 RSA_OAEP_PARAMS *oaep; 950 951 pkctx = CMS_RecipientInfo_get0_pkey_ctx(ri); 952 if (pkctx == NULL) 953 return 0; 954 if (!CMS_RecipientInfo_ktri_get0_algs(ri, NULL, NULL, &cmsalg)) 955 return -1; 956 nid = OBJ_obj2nid(cmsalg->algorithm); 957 if (nid == NID_rsaEncryption) 958 return 1; 959 if (nid != NID_rsaesOaep) { 960 RSAerror(RSA_R_UNSUPPORTED_ENCRYPTION_TYPE); 961 return -1; 962 } 963 /* Decode OAEP parameters */ 964 oaep = rsa_oaep_decode(cmsalg); 965 966 if (oaep == NULL) { 967 RSAerror(RSA_R_INVALID_OAEP_PARAMETERS); 968 goto err; 969 } 970 971 mgf1md = rsa_algor_to_md(oaep->maskHash); 972 if (mgf1md == NULL) 973 goto err; 974 md = rsa_algor_to_md(oaep->hashFunc); 975 if (md == NULL) 976 goto err; 977 978 if (oaep->pSourceFunc != NULL) { 979 X509_ALGOR *plab = oaep->pSourceFunc; 980 981 if (OBJ_obj2nid(plab->algorithm) != NID_pSpecified) { 982 RSAerror(RSA_R_UNSUPPORTED_LABEL_SOURCE); 983 goto err; 984 } 985 if (plab->parameter->type != V_ASN1_OCTET_STRING) { 986 RSAerror(RSA_R_INVALID_LABEL); 987 goto err; 988 } 989 990 label = plab->parameter->value.octet_string->data; 991 992 /* Stop label being freed when OAEP parameters are freed */ 993 /* XXX - this leaks label on error... */ 994 plab->parameter->value.octet_string->data = NULL; 995 labellen = plab->parameter->value.octet_string->length; 996 } 997 998 if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_OAEP_PADDING) <= 0) 999 goto err; 1000 if (EVP_PKEY_CTX_set_rsa_oaep_md(pkctx, md) <= 0) 1001 goto err; 1002 if (EVP_PKEY_CTX_set_rsa_mgf1_md(pkctx, mgf1md) <= 0) 1003 goto err; 1004 if (EVP_PKEY_CTX_set0_rsa_oaep_label(pkctx, label, labellen) <= 0) 1005 goto err; 1006 1007 rv = 1; 1008 1009 err: 1010 RSA_OAEP_PARAMS_free(oaep); 1011 return rv; 1012 } 1013 1014 static int 1015 rsa_cms_encrypt(CMS_RecipientInfo *ri) 1016 { 1017 const EVP_MD *md, *mgf1md; 1018 RSA_OAEP_PARAMS *oaep = NULL; 1019 ASN1_STRING *os = NULL; 1020 X509_ALGOR *alg; 1021 EVP_PKEY_CTX *pkctx = CMS_RecipientInfo_get0_pkey_ctx(ri); 1022 int pad_mode = RSA_PKCS1_PADDING, rv = 0, labellen; 1023 unsigned char *label; 1024 1025 if (CMS_RecipientInfo_ktri_get0_algs(ri, NULL, NULL, &alg) <= 0) 1026 return 0; 1027 if (pkctx) { 1028 if (EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode) <= 0) 1029 return 0; 1030 } 1031 if (pad_mode == RSA_PKCS1_PADDING) { 1032 X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption), V_ASN1_NULL, 0); 1033 return 1; 1034 } 1035 /* Not supported */ 1036 if (pad_mode != RSA_PKCS1_OAEP_PADDING) 1037 return 0; 1038 if (EVP_PKEY_CTX_get_rsa_oaep_md(pkctx, &md) <= 0) 1039 goto err; 1040 if (EVP_PKEY_CTX_get_rsa_mgf1_md(pkctx, &mgf1md) <= 0) 1041 goto err; 1042 labellen = EVP_PKEY_CTX_get0_rsa_oaep_label(pkctx, &label); 1043 if (labellen < 0) 1044 goto err; 1045 oaep = RSA_OAEP_PARAMS_new(); 1046 if (oaep == NULL) 1047 goto err; 1048 if (!rsa_md_to_algor(&oaep->hashFunc, md)) 1049 goto err; 1050 if (!rsa_md_to_mgf1(&oaep->maskGenFunc, mgf1md)) 1051 goto err; 1052 if (labellen > 0) { 1053 ASN1_OCTET_STRING *los; 1054 oaep->pSourceFunc = X509_ALGOR_new(); 1055 if (oaep->pSourceFunc == NULL) 1056 goto err; 1057 los = ASN1_OCTET_STRING_new(); 1058 if (los == NULL) 1059 goto err; 1060 if (!ASN1_OCTET_STRING_set(los, label, labellen)) { 1061 ASN1_OCTET_STRING_free(los); 1062 goto err; 1063 } 1064 X509_ALGOR_set0(oaep->pSourceFunc, OBJ_nid2obj(NID_pSpecified), 1065 V_ASN1_OCTET_STRING, los); 1066 } 1067 /* create string with pss parameter encoding. */ 1068 if (!ASN1_item_pack(oaep, &RSA_OAEP_PARAMS_it, &os)) 1069 goto err; 1070 X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaesOaep), V_ASN1_SEQUENCE, os); 1071 os = NULL; 1072 rv = 1; 1073 err: 1074 RSA_OAEP_PARAMS_free(oaep); 1075 ASN1_STRING_free(os); 1076 return rv; 1077 } 1078 #endif 1079 1080 const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[] = { 1081 { 1082 .pkey_id = EVP_PKEY_RSA, 1083 .pkey_base_id = EVP_PKEY_RSA, 1084 .pkey_flags = ASN1_PKEY_SIGPARAM_NULL, 1085 1086 .pem_str = "RSA", 1087 .info = "OpenSSL RSA method", 1088 1089 .pub_decode = rsa_pub_decode, 1090 .pub_encode = rsa_pub_encode, 1091 .pub_cmp = rsa_pub_cmp, 1092 .pub_print = rsa_pub_print, 1093 1094 .priv_decode = rsa_priv_decode, 1095 .priv_encode = rsa_priv_encode, 1096 .priv_print = rsa_priv_print, 1097 1098 .pkey_size = int_rsa_size, 1099 .pkey_bits = rsa_bits, 1100 1101 .sig_print = rsa_sig_print, 1102 1103 .pkey_free = int_rsa_free, 1104 .pkey_ctrl = rsa_pkey_ctrl, 1105 .old_priv_decode = old_rsa_priv_decode, 1106 .old_priv_encode = old_rsa_priv_encode, 1107 .item_verify = rsa_item_verify, 1108 .item_sign = rsa_item_sign 1109 }, 1110 1111 { 1112 .pkey_id = EVP_PKEY_RSA2, 1113 .pkey_base_id = EVP_PKEY_RSA, 1114 .pkey_flags = ASN1_PKEY_ALIAS 1115 } 1116 }; 1117 1118 const EVP_PKEY_ASN1_METHOD rsa_pss_asn1_meth = { 1119 .pkey_id = EVP_PKEY_RSA_PSS, 1120 .pkey_base_id = EVP_PKEY_RSA_PSS, 1121 .pkey_flags = ASN1_PKEY_SIGPARAM_NULL, 1122 1123 .pem_str = "RSA-PSS", 1124 .info = "OpenSSL RSA-PSS method", 1125 1126 .pub_decode = rsa_pub_decode, 1127 .pub_encode = rsa_pub_encode, 1128 .pub_cmp = rsa_pub_cmp, 1129 .pub_print = rsa_pub_print, 1130 1131 .priv_decode = rsa_priv_decode, 1132 .priv_encode = rsa_priv_encode, 1133 .priv_print = rsa_priv_print, 1134 1135 .pkey_size = int_rsa_size, 1136 .pkey_bits = rsa_bits, 1137 1138 .sig_print = rsa_sig_print, 1139 1140 .pkey_free = int_rsa_free, 1141 .pkey_ctrl = rsa_pkey_ctrl, 1142 .item_verify = rsa_item_verify, 1143 .item_sign = rsa_item_sign 1144 }; 1145