1*b077aed3SPierre Pronchery /*
2*b077aed3SPierre Pronchery * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
3*b077aed3SPierre Pronchery *
4*b077aed3SPierre Pronchery * Licensed under the Apache License 2.0 (the "License"). You may not use
5*b077aed3SPierre Pronchery * this file except in compliance with the License. You can obtain a copy
6*b077aed3SPierre Pronchery * in the file LICENSE in the source distribution or at
7*b077aed3SPierre Pronchery * https://www.openssl.org/source/license.html
8*b077aed3SPierre Pronchery */
9*b077aed3SPierre Pronchery
10*b077aed3SPierre Pronchery /*
11*b077aed3SPierre Pronchery * RSA low level APIs are deprecated for public use, but still ok for
12*b077aed3SPierre Pronchery * internal use.
13*b077aed3SPierre Pronchery */
14*b077aed3SPierre Pronchery #include "internal/deprecated.h"
15*b077aed3SPierre Pronchery
16*b077aed3SPierre Pronchery #include <openssl/obj_mac.h>
17*b077aed3SPierre Pronchery #include "internal/cryptlib.h"
18*b077aed3SPierre Pronchery #include "prov/der_rsa.h"
19*b077aed3SPierre Pronchery #include "prov/der_digests.h"
20*b077aed3SPierre Pronchery
21*b077aed3SPierre Pronchery /* More complex pre-compiled sequences. */
22*b077aed3SPierre Pronchery
23*b077aed3SPierre Pronchery /*-
24*b077aed3SPierre Pronchery * From https://tools.ietf.org/html/rfc8017#appendix-A.2.1
25*b077aed3SPierre Pronchery *
26*b077aed3SPierre Pronchery * OAEP-PSSDigestAlgorithms ALGORITHM-IDENTIFIER ::= {
27*b077aed3SPierre Pronchery * { OID id-sha1 PARAMETERS NULL }|
28*b077aed3SPierre Pronchery * { OID id-sha224 PARAMETERS NULL }|
29*b077aed3SPierre Pronchery * { OID id-sha256 PARAMETERS NULL }|
30*b077aed3SPierre Pronchery * { OID id-sha384 PARAMETERS NULL }|
31*b077aed3SPierre Pronchery * { OID id-sha512 PARAMETERS NULL }|
32*b077aed3SPierre Pronchery * { OID id-sha512-224 PARAMETERS NULL }|
33*b077aed3SPierre Pronchery * { OID id-sha512-256 PARAMETERS NULL },
34*b077aed3SPierre Pronchery * ... -- Allows for future expansion --
35*b077aed3SPierre Pronchery * }
36*b077aed3SPierre Pronchery */
37*b077aed3SPierre Pronchery #define DER_V_NULL DER_P_NULL, 0
38*b077aed3SPierre Pronchery #define DER_SZ_NULL 2
39*b077aed3SPierre Pronchery
40*b077aed3SPierre Pronchery /*
41*b077aed3SPierre Pronchery * The names for the hash function AlgorithmIdentifiers are borrowed and
42*b077aed3SPierre Pronchery * expanded from https://tools.ietf.org/html/rfc4055#section-2.1
43*b077aed3SPierre Pronchery *
44*b077aed3SPierre Pronchery * sha1Identifier AlgorithmIdentifier ::= { id-sha1, NULL }
45*b077aed3SPierre Pronchery * sha224Identifier AlgorithmIdentifier ::= { id-sha224, NULL }
46*b077aed3SPierre Pronchery * sha256Identifier AlgorithmIdentifier ::= { id-sha256, NULL }
47*b077aed3SPierre Pronchery * sha384Identifier AlgorithmIdentifier ::= { id-sha384, NULL }
48*b077aed3SPierre Pronchery * sha512Identifier AlgorithmIdentifier ::= { id-sha512, NULL }
49*b077aed3SPierre Pronchery */
50*b077aed3SPierre Pronchery /*
51*b077aed3SPierre Pronchery * NOTE: Some of the arrays aren't used other than inside sizeof(), which
52*b077aed3SPierre Pronchery * clang complains about (-Wno-unneeded-internal-declaration). To get
53*b077aed3SPierre Pronchery * around that, we make them non-static, and declare them an extra time to
54*b077aed3SPierre Pronchery * avoid compilers complaining about definitions without declarations.
55*b077aed3SPierre Pronchery */
56*b077aed3SPierre Pronchery #define DER_AID_V_sha1Identifier \
57*b077aed3SPierre Pronchery DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
58*b077aed3SPierre Pronchery DER_OID_SZ_id_sha1 + DER_SZ_NULL, \
59*b077aed3SPierre Pronchery DER_OID_V_id_sha1, \
60*b077aed3SPierre Pronchery DER_V_NULL
61*b077aed3SPierre Pronchery extern const unsigned char ossl_der_aid_sha1Identifier[];
62*b077aed3SPierre Pronchery const unsigned char ossl_der_aid_sha1Identifier[] = {
63*b077aed3SPierre Pronchery DER_AID_V_sha1Identifier
64*b077aed3SPierre Pronchery };
65*b077aed3SPierre Pronchery #define DER_AID_SZ_sha1Identifier sizeof(ossl_der_aid_sha1Identifier)
66*b077aed3SPierre Pronchery
67*b077aed3SPierre Pronchery #define DER_AID_V_sha224Identifier \
68*b077aed3SPierre Pronchery DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
69*b077aed3SPierre Pronchery DER_OID_SZ_id_sha224 + DER_SZ_NULL, \
70*b077aed3SPierre Pronchery DER_OID_V_id_sha224, \
71*b077aed3SPierre Pronchery DER_V_NULL
72*b077aed3SPierre Pronchery extern const unsigned char ossl_der_aid_sha224Identifier[];
73*b077aed3SPierre Pronchery const unsigned char ossl_der_aid_sha224Identifier[] = {
74*b077aed3SPierre Pronchery DER_AID_V_sha224Identifier
75*b077aed3SPierre Pronchery };
76*b077aed3SPierre Pronchery #define DER_AID_SZ_sha224Identifier sizeof(ossl_der_aid_sha224Identifier)
77*b077aed3SPierre Pronchery
78*b077aed3SPierre Pronchery #define DER_AID_V_sha256Identifier \
79*b077aed3SPierre Pronchery DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
80*b077aed3SPierre Pronchery DER_OID_SZ_id_sha256 + DER_SZ_NULL, \
81*b077aed3SPierre Pronchery DER_OID_V_id_sha256, \
82*b077aed3SPierre Pronchery DER_V_NULL
83*b077aed3SPierre Pronchery extern const unsigned char ossl_der_aid_sha256Identifier[];
84*b077aed3SPierre Pronchery const unsigned char ossl_der_aid_sha256Identifier[] = {
85*b077aed3SPierre Pronchery DER_AID_V_sha256Identifier
86*b077aed3SPierre Pronchery };
87*b077aed3SPierre Pronchery #define DER_AID_SZ_sha256Identifier sizeof(ossl_der_aid_sha256Identifier)
88*b077aed3SPierre Pronchery
89*b077aed3SPierre Pronchery #define DER_AID_V_sha384Identifier \
90*b077aed3SPierre Pronchery DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
91*b077aed3SPierre Pronchery DER_OID_SZ_id_sha384 + DER_SZ_NULL, \
92*b077aed3SPierre Pronchery DER_OID_V_id_sha384, \
93*b077aed3SPierre Pronchery DER_V_NULL
94*b077aed3SPierre Pronchery extern const unsigned char ossl_der_aid_sha384Identifier[];
95*b077aed3SPierre Pronchery const unsigned char ossl_der_aid_sha384Identifier[] = {
96*b077aed3SPierre Pronchery DER_AID_V_sha384Identifier
97*b077aed3SPierre Pronchery };
98*b077aed3SPierre Pronchery #define DER_AID_SZ_sha384Identifier sizeof(ossl_der_aid_sha384Identifier)
99*b077aed3SPierre Pronchery
100*b077aed3SPierre Pronchery #define DER_AID_V_sha512Identifier \
101*b077aed3SPierre Pronchery DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
102*b077aed3SPierre Pronchery DER_OID_SZ_id_sha512 + DER_SZ_NULL, \
103*b077aed3SPierre Pronchery DER_OID_V_id_sha512, \
104*b077aed3SPierre Pronchery DER_V_NULL
105*b077aed3SPierre Pronchery extern const unsigned char ossl_der_aid_sha512Identifier[];
106*b077aed3SPierre Pronchery const unsigned char ossl_der_aid_sha512Identifier[] = {
107*b077aed3SPierre Pronchery DER_AID_V_sha512Identifier
108*b077aed3SPierre Pronchery };
109*b077aed3SPierre Pronchery #define DER_AID_SZ_sha512Identifier sizeof(ossl_der_aid_sha512Identifier)
110*b077aed3SPierre Pronchery
111*b077aed3SPierre Pronchery #define DER_AID_V_sha512_224Identifier \
112*b077aed3SPierre Pronchery DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
113*b077aed3SPierre Pronchery DER_OID_SZ_id_sha512_224 + DER_SZ_NULL, \
114*b077aed3SPierre Pronchery DER_OID_V_id_sha512_224, \
115*b077aed3SPierre Pronchery DER_V_NULL
116*b077aed3SPierre Pronchery extern const unsigned char ossl_der_aid_sha512_224Identifier[];
117*b077aed3SPierre Pronchery const unsigned char ossl_der_aid_sha512_224Identifier[] = {
118*b077aed3SPierre Pronchery DER_AID_V_sha512_224Identifier
119*b077aed3SPierre Pronchery };
120*b077aed3SPierre Pronchery #define DER_AID_SZ_sha512_224Identifier sizeof(ossl_der_aid_sha512_224Identifier)
121*b077aed3SPierre Pronchery
122*b077aed3SPierre Pronchery #define DER_AID_V_sha512_256Identifier \
123*b077aed3SPierre Pronchery DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
124*b077aed3SPierre Pronchery DER_OID_SZ_id_sha512_256 + DER_SZ_NULL, \
125*b077aed3SPierre Pronchery DER_OID_V_id_sha512_256, \
126*b077aed3SPierre Pronchery DER_V_NULL
127*b077aed3SPierre Pronchery extern const unsigned char ossl_der_aid_sha512_256Identifier[];
128*b077aed3SPierre Pronchery const unsigned char ossl_der_aid_sha512_256Identifier[] = {
129*b077aed3SPierre Pronchery DER_AID_V_sha512_256Identifier
130*b077aed3SPierre Pronchery };
131*b077aed3SPierre Pronchery #define DER_AID_SZ_sha512_256Identifier sizeof(ossl_der_aid_sha512_256Identifier)
132*b077aed3SPierre Pronchery
133*b077aed3SPierre Pronchery /*-
134*b077aed3SPierre Pronchery * From https://tools.ietf.org/html/rfc8017#appendix-A.2.1
135*b077aed3SPierre Pronchery *
136*b077aed3SPierre Pronchery * HashAlgorithm ::= AlgorithmIdentifier {
137*b077aed3SPierre Pronchery * {OAEP-PSSDigestAlgorithms}
138*b077aed3SPierre Pronchery * }
139*b077aed3SPierre Pronchery *
140*b077aed3SPierre Pronchery * ...
141*b077aed3SPierre Pronchery *
142*b077aed3SPierre Pronchery * PKCS1MGFAlgorithms ALGORITHM-IDENTIFIER ::= {
143*b077aed3SPierre Pronchery * { OID id-mgf1 PARAMETERS HashAlgorithm },
144*b077aed3SPierre Pronchery * ... -- Allows for future expansion --
145*b077aed3SPierre Pronchery * }
146*b077aed3SPierre Pronchery */
147*b077aed3SPierre Pronchery
148*b077aed3SPierre Pronchery /*
149*b077aed3SPierre Pronchery * The names for the MGF1 AlgorithmIdentifiers are borrowed and expanded
150*b077aed3SPierre Pronchery * from https://tools.ietf.org/html/rfc4055#section-2.1
151*b077aed3SPierre Pronchery *
152*b077aed3SPierre Pronchery * mgf1SHA1Identifier AlgorithmIdentifier ::=
153*b077aed3SPierre Pronchery * { id-mgf1, sha1Identifier }
154*b077aed3SPierre Pronchery * mgf1SHA224Identifier AlgorithmIdentifier ::=
155*b077aed3SPierre Pronchery * { id-mgf1, sha224Identifier }
156*b077aed3SPierre Pronchery * mgf1SHA256Identifier AlgorithmIdentifier ::=
157*b077aed3SPierre Pronchery * { id-mgf1, sha256Identifier }
158*b077aed3SPierre Pronchery * mgf1SHA384Identifier AlgorithmIdentifier ::=
159*b077aed3SPierre Pronchery * { id-mgf1, sha384Identifier }
160*b077aed3SPierre Pronchery * mgf1SHA512Identifier AlgorithmIdentifier ::=
161*b077aed3SPierre Pronchery * { id-mgf1, sha512Identifier }
162*b077aed3SPierre Pronchery */
163*b077aed3SPierre Pronchery #if 0 /* Currently unused */
164*b077aed3SPierre Pronchery #define DER_AID_V_mgf1SHA1Identifier \
165*b077aed3SPierre Pronchery DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
166*b077aed3SPierre Pronchery DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha1Identifier, \
167*b077aed3SPierre Pronchery DER_OID_V_id_mgf1, \
168*b077aed3SPierre Pronchery DER_AID_V_sha1Identifier
169*b077aed3SPierre Pronchery static const unsigned char der_aid_mgf1SHA1Identifier[] = {
170*b077aed3SPierre Pronchery DER_AID_V_mgf1SHA1Identifier
171*b077aed3SPierre Pronchery };
172*b077aed3SPierre Pronchery #define DER_AID_SZ_mgf1SHA1Identifier sizeof(der_aid_mgf1SHA1Identifier)
173*b077aed3SPierre Pronchery #endif
174*b077aed3SPierre Pronchery
175*b077aed3SPierre Pronchery #define DER_AID_V_mgf1SHA224Identifier \
176*b077aed3SPierre Pronchery DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
177*b077aed3SPierre Pronchery DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha224Identifier, \
178*b077aed3SPierre Pronchery DER_OID_V_id_mgf1, \
179*b077aed3SPierre Pronchery DER_AID_V_sha224Identifier
180*b077aed3SPierre Pronchery static const unsigned char der_aid_mgf1SHA224Identifier[] = {
181*b077aed3SPierre Pronchery DER_AID_V_mgf1SHA224Identifier
182*b077aed3SPierre Pronchery };
183*b077aed3SPierre Pronchery #define DER_AID_SZ_mgf1SHA224Identifier sizeof(der_aid_mgf1SHA224Identifier)
184*b077aed3SPierre Pronchery
185*b077aed3SPierre Pronchery #define DER_AID_V_mgf1SHA256Identifier \
186*b077aed3SPierre Pronchery DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
187*b077aed3SPierre Pronchery DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha256Identifier, \
188*b077aed3SPierre Pronchery DER_OID_V_id_mgf1, \
189*b077aed3SPierre Pronchery DER_AID_V_sha256Identifier
190*b077aed3SPierre Pronchery static const unsigned char der_aid_mgf1SHA256Identifier[] = {
191*b077aed3SPierre Pronchery DER_AID_V_mgf1SHA256Identifier
192*b077aed3SPierre Pronchery };
193*b077aed3SPierre Pronchery #define DER_AID_SZ_mgf1SHA256Identifier sizeof(der_aid_mgf1SHA256Identifier)
194*b077aed3SPierre Pronchery
195*b077aed3SPierre Pronchery #define DER_AID_V_mgf1SHA384Identifier \
196*b077aed3SPierre Pronchery DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
197*b077aed3SPierre Pronchery DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha384Identifier, \
198*b077aed3SPierre Pronchery DER_OID_V_id_mgf1, \
199*b077aed3SPierre Pronchery DER_AID_V_sha384Identifier
200*b077aed3SPierre Pronchery static const unsigned char der_aid_mgf1SHA384Identifier[] = {
201*b077aed3SPierre Pronchery DER_AID_V_mgf1SHA384Identifier
202*b077aed3SPierre Pronchery };
203*b077aed3SPierre Pronchery #define DER_AID_SZ_mgf1SHA384Identifier sizeof(der_aid_mgf1SHA384Identifier)
204*b077aed3SPierre Pronchery
205*b077aed3SPierre Pronchery #define DER_AID_V_mgf1SHA512Identifier \
206*b077aed3SPierre Pronchery DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
207*b077aed3SPierre Pronchery DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha512Identifier, \
208*b077aed3SPierre Pronchery DER_OID_V_id_mgf1, \
209*b077aed3SPierre Pronchery DER_AID_V_sha512Identifier
210*b077aed3SPierre Pronchery static const unsigned char der_aid_mgf1SHA512Identifier[] = {
211*b077aed3SPierre Pronchery DER_AID_V_mgf1SHA512Identifier
212*b077aed3SPierre Pronchery };
213*b077aed3SPierre Pronchery #define DER_AID_SZ_mgf1SHA512Identifier sizeof(der_aid_mgf1SHA512Identifier)
214*b077aed3SPierre Pronchery
215*b077aed3SPierre Pronchery #define DER_AID_V_mgf1SHA512_224Identifier \
216*b077aed3SPierre Pronchery DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
217*b077aed3SPierre Pronchery DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha512_224Identifier, \
218*b077aed3SPierre Pronchery DER_OID_V_id_mgf1, \
219*b077aed3SPierre Pronchery DER_AID_V_sha512_224Identifier
220*b077aed3SPierre Pronchery static const unsigned char der_aid_mgf1SHA512_224Identifier[] = {
221*b077aed3SPierre Pronchery DER_AID_V_mgf1SHA512_224Identifier
222*b077aed3SPierre Pronchery };
223*b077aed3SPierre Pronchery #define DER_AID_SZ_mgf1SHA512_224Identifier sizeof(der_aid_mgf1SHA512_224Identifier)
224*b077aed3SPierre Pronchery
225*b077aed3SPierre Pronchery #define DER_AID_V_mgf1SHA512_256Identifier \
226*b077aed3SPierre Pronchery DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
227*b077aed3SPierre Pronchery DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha512_256Identifier, \
228*b077aed3SPierre Pronchery DER_OID_V_id_mgf1, \
229*b077aed3SPierre Pronchery DER_AID_V_sha512_256Identifier
230*b077aed3SPierre Pronchery static const unsigned char der_aid_mgf1SHA512_256Identifier[] = {
231*b077aed3SPierre Pronchery DER_AID_V_mgf1SHA512_256Identifier
232*b077aed3SPierre Pronchery };
233*b077aed3SPierre Pronchery #define DER_AID_SZ_mgf1SHA512_256Identifier sizeof(der_aid_mgf1SHA512_256Identifier)
234*b077aed3SPierre Pronchery
235*b077aed3SPierre Pronchery
236*b077aed3SPierre Pronchery #define MGF1_SHA_CASE(bits, var) \
237*b077aed3SPierre Pronchery case NID_sha##bits: \
238*b077aed3SPierre Pronchery var = der_aid_mgf1SHA##bits##Identifier; \
239*b077aed3SPierre Pronchery var##_sz = sizeof(der_aid_mgf1SHA##bits##Identifier); \
240*b077aed3SPierre Pronchery break;
241*b077aed3SPierre Pronchery
242*b077aed3SPierre Pronchery /*-
243*b077aed3SPierre Pronchery * The name is borrowed from https://tools.ietf.org/html/rfc8017#appendix-A.2.1
244*b077aed3SPierre Pronchery *
245*b077aed3SPierre Pronchery * MaskGenAlgorithm ::= AlgorithmIdentifier { {PKCS1MGFAlgorithms} }
246*b077aed3SPierre Pronchery */
DER_w_MaskGenAlgorithm(WPACKET * pkt,int tag,const RSA_PSS_PARAMS_30 * pss)247*b077aed3SPierre Pronchery static int DER_w_MaskGenAlgorithm(WPACKET *pkt, int tag,
248*b077aed3SPierre Pronchery const RSA_PSS_PARAMS_30 *pss)
249*b077aed3SPierre Pronchery {
250*b077aed3SPierre Pronchery if (pss != NULL && ossl_rsa_pss_params_30_maskgenalg(pss) == NID_mgf1) {
251*b077aed3SPierre Pronchery int maskgenhashalg_nid = ossl_rsa_pss_params_30_maskgenhashalg(pss);
252*b077aed3SPierre Pronchery const unsigned char *maskgenalg = NULL;
253*b077aed3SPierre Pronchery size_t maskgenalg_sz = 0;
254*b077aed3SPierre Pronchery
255*b077aed3SPierre Pronchery switch (maskgenhashalg_nid) {
256*b077aed3SPierre Pronchery case NID_sha1:
257*b077aed3SPierre Pronchery break;
258*b077aed3SPierre Pronchery MGF1_SHA_CASE(224, maskgenalg);
259*b077aed3SPierre Pronchery MGF1_SHA_CASE(256, maskgenalg);
260*b077aed3SPierre Pronchery MGF1_SHA_CASE(384, maskgenalg);
261*b077aed3SPierre Pronchery MGF1_SHA_CASE(512, maskgenalg);
262*b077aed3SPierre Pronchery MGF1_SHA_CASE(512_224, maskgenalg);
263*b077aed3SPierre Pronchery MGF1_SHA_CASE(512_256, maskgenalg);
264*b077aed3SPierre Pronchery default:
265*b077aed3SPierre Pronchery return 0;
266*b077aed3SPierre Pronchery }
267*b077aed3SPierre Pronchery
268*b077aed3SPierre Pronchery /* If there is none (or it was the default), we write nothing */
269*b077aed3SPierre Pronchery if (maskgenalg == NULL)
270*b077aed3SPierre Pronchery return 1;
271*b077aed3SPierre Pronchery
272*b077aed3SPierre Pronchery return ossl_DER_w_precompiled(pkt, tag, maskgenalg, maskgenalg_sz);
273*b077aed3SPierre Pronchery }
274*b077aed3SPierre Pronchery return 0;
275*b077aed3SPierre Pronchery }
276*b077aed3SPierre Pronchery
277*b077aed3SPierre Pronchery #define OAEP_PSS_MD_CASE(name, var) \
278*b077aed3SPierre Pronchery case NID_##name: \
279*b077aed3SPierre Pronchery var = ossl_der_aid_##name##Identifier; \
280*b077aed3SPierre Pronchery var##_sz = sizeof(ossl_der_aid_##name##Identifier); \
281*b077aed3SPierre Pronchery break;
282*b077aed3SPierre Pronchery
ossl_DER_w_RSASSA_PSS_params(WPACKET * pkt,int tag,const RSA_PSS_PARAMS_30 * pss)283*b077aed3SPierre Pronchery int ossl_DER_w_RSASSA_PSS_params(WPACKET *pkt, int tag,
284*b077aed3SPierre Pronchery const RSA_PSS_PARAMS_30 *pss)
285*b077aed3SPierre Pronchery {
286*b077aed3SPierre Pronchery int hashalg_nid, default_hashalg_nid;
287*b077aed3SPierre Pronchery int saltlen, default_saltlen;
288*b077aed3SPierre Pronchery int trailerfield, default_trailerfield;
289*b077aed3SPierre Pronchery const unsigned char *hashalg = NULL;
290*b077aed3SPierre Pronchery size_t hashalg_sz = 0;
291*b077aed3SPierre Pronchery
292*b077aed3SPierre Pronchery /*
293*b077aed3SPierre Pronchery * For an unrestricted key, this function should not have been called;
294*b077aed3SPierre Pronchery * the caller must be in control, because unrestricted keys are permitted
295*b077aed3SPierre Pronchery * in some situations (when encoding the public key in a SubjectKeyInfo,
296*b077aed3SPierre Pronchery * for example) while not in others, and this function doesn't know the
297*b077aed3SPierre Pronchery * intent. Therefore, we assert that here, the PSS parameters must show
298*b077aed3SPierre Pronchery * that the key is restricted.
299*b077aed3SPierre Pronchery */
300*b077aed3SPierre Pronchery if (!ossl_assert(pss != NULL
301*b077aed3SPierre Pronchery && !ossl_rsa_pss_params_30_is_unrestricted(pss)))
302*b077aed3SPierre Pronchery return 0;
303*b077aed3SPierre Pronchery
304*b077aed3SPierre Pronchery hashalg_nid = ossl_rsa_pss_params_30_hashalg(pss);
305*b077aed3SPierre Pronchery saltlen = ossl_rsa_pss_params_30_saltlen(pss);
306*b077aed3SPierre Pronchery trailerfield = ossl_rsa_pss_params_30_trailerfield(pss);
307*b077aed3SPierre Pronchery
308*b077aed3SPierre Pronchery if (saltlen < 0) {
309*b077aed3SPierre Pronchery ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_SALT_LENGTH);
310*b077aed3SPierre Pronchery return 0;
311*b077aed3SPierre Pronchery }
312*b077aed3SPierre Pronchery if (trailerfield != 1) {
313*b077aed3SPierre Pronchery ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_TRAILER);
314*b077aed3SPierre Pronchery return 0;
315*b077aed3SPierre Pronchery }
316*b077aed3SPierre Pronchery
317*b077aed3SPierre Pronchery /* Getting default values */
318*b077aed3SPierre Pronchery default_hashalg_nid = ossl_rsa_pss_params_30_hashalg(NULL);
319*b077aed3SPierre Pronchery default_saltlen = ossl_rsa_pss_params_30_saltlen(NULL);
320*b077aed3SPierre Pronchery default_trailerfield = ossl_rsa_pss_params_30_trailerfield(NULL);
321*b077aed3SPierre Pronchery
322*b077aed3SPierre Pronchery /*
323*b077aed3SPierre Pronchery * From https://tools.ietf.org/html/rfc8017#appendix-A.2.1:
324*b077aed3SPierre Pronchery *
325*b077aed3SPierre Pronchery * OAEP-PSSDigestAlgorithms ALGORITHM-IDENTIFIER ::= {
326*b077aed3SPierre Pronchery * { OID id-sha1 PARAMETERS NULL }|
327*b077aed3SPierre Pronchery * { OID id-sha224 PARAMETERS NULL }|
328*b077aed3SPierre Pronchery * { OID id-sha256 PARAMETERS NULL }|
329*b077aed3SPierre Pronchery * { OID id-sha384 PARAMETERS NULL }|
330*b077aed3SPierre Pronchery * { OID id-sha512 PARAMETERS NULL }|
331*b077aed3SPierre Pronchery * { OID id-sha512-224 PARAMETERS NULL }|
332*b077aed3SPierre Pronchery * { OID id-sha512-256 PARAMETERS NULL },
333*b077aed3SPierre Pronchery * ... -- Allows for future expansion --
334*b077aed3SPierre Pronchery * }
335*b077aed3SPierre Pronchery */
336*b077aed3SPierre Pronchery switch (hashalg_nid) {
337*b077aed3SPierre Pronchery OAEP_PSS_MD_CASE(sha1, hashalg);
338*b077aed3SPierre Pronchery OAEP_PSS_MD_CASE(sha224, hashalg);
339*b077aed3SPierre Pronchery OAEP_PSS_MD_CASE(sha256, hashalg);
340*b077aed3SPierre Pronchery OAEP_PSS_MD_CASE(sha384, hashalg);
341*b077aed3SPierre Pronchery OAEP_PSS_MD_CASE(sha512, hashalg);
342*b077aed3SPierre Pronchery OAEP_PSS_MD_CASE(sha512_224, hashalg);
343*b077aed3SPierre Pronchery OAEP_PSS_MD_CASE(sha512_256, hashalg);
344*b077aed3SPierre Pronchery default:
345*b077aed3SPierre Pronchery return 0;
346*b077aed3SPierre Pronchery }
347*b077aed3SPierre Pronchery
348*b077aed3SPierre Pronchery return ossl_DER_w_begin_sequence(pkt, tag)
349*b077aed3SPierre Pronchery && (trailerfield == default_trailerfield
350*b077aed3SPierre Pronchery || ossl_DER_w_uint32(pkt, 3, (uint32_t)trailerfield))
351*b077aed3SPierre Pronchery && (saltlen == default_saltlen || ossl_DER_w_uint32(pkt, 2, (uint32_t)saltlen))
352*b077aed3SPierre Pronchery && DER_w_MaskGenAlgorithm(pkt, 1, pss)
353*b077aed3SPierre Pronchery && (hashalg_nid == default_hashalg_nid
354*b077aed3SPierre Pronchery || ossl_DER_w_precompiled(pkt, 0, hashalg, hashalg_sz))
355*b077aed3SPierre Pronchery && ossl_DER_w_end_sequence(pkt, tag);
356*b077aed3SPierre Pronchery }
357*b077aed3SPierre Pronchery
358*b077aed3SPierre Pronchery /* Aliases so we can have a uniform RSA_CASE */
359*b077aed3SPierre Pronchery #define ossl_der_oid_rsassaPss ossl_der_oid_id_RSASSA_PSS
360*b077aed3SPierre Pronchery
361*b077aed3SPierre Pronchery #define RSA_CASE(name, var) \
362*b077aed3SPierre Pronchery var##_nid = NID_##name; \
363*b077aed3SPierre Pronchery var##_oid = ossl_der_oid_##name; \
364*b077aed3SPierre Pronchery var##_oid_sz = sizeof(ossl_der_oid_##name); \
365*b077aed3SPierre Pronchery break;
366*b077aed3SPierre Pronchery
ossl_DER_w_algorithmIdentifier_RSA_PSS(WPACKET * pkt,int tag,int rsa_type,const RSA_PSS_PARAMS_30 * pss)367*b077aed3SPierre Pronchery int ossl_DER_w_algorithmIdentifier_RSA_PSS(WPACKET *pkt, int tag,
368*b077aed3SPierre Pronchery int rsa_type,
369*b077aed3SPierre Pronchery const RSA_PSS_PARAMS_30 *pss)
370*b077aed3SPierre Pronchery {
371*b077aed3SPierre Pronchery int rsa_nid = NID_undef;
372*b077aed3SPierre Pronchery const unsigned char *rsa_oid = NULL;
373*b077aed3SPierre Pronchery size_t rsa_oid_sz = 0;
374*b077aed3SPierre Pronchery
375*b077aed3SPierre Pronchery switch (rsa_type) {
376*b077aed3SPierre Pronchery case RSA_FLAG_TYPE_RSA:
377*b077aed3SPierre Pronchery RSA_CASE(rsaEncryption, rsa);
378*b077aed3SPierre Pronchery case RSA_FLAG_TYPE_RSASSAPSS:
379*b077aed3SPierre Pronchery RSA_CASE(rsassaPss, rsa);
380*b077aed3SPierre Pronchery }
381*b077aed3SPierre Pronchery
382*b077aed3SPierre Pronchery if (rsa_oid == NULL)
383*b077aed3SPierre Pronchery return 0;
384*b077aed3SPierre Pronchery
385*b077aed3SPierre Pronchery return ossl_DER_w_begin_sequence(pkt, tag)
386*b077aed3SPierre Pronchery && (rsa_nid != NID_rsassaPss
387*b077aed3SPierre Pronchery || ossl_rsa_pss_params_30_is_unrestricted(pss)
388*b077aed3SPierre Pronchery || ossl_DER_w_RSASSA_PSS_params(pkt, -1, pss))
389*b077aed3SPierre Pronchery && ossl_DER_w_precompiled(pkt, -1, rsa_oid, rsa_oid_sz)
390*b077aed3SPierre Pronchery && ossl_DER_w_end_sequence(pkt, tag);
391*b077aed3SPierre Pronchery }
392*b077aed3SPierre Pronchery
ossl_DER_w_algorithmIdentifier_RSA(WPACKET * pkt,int tag,RSA * rsa)393*b077aed3SPierre Pronchery int ossl_DER_w_algorithmIdentifier_RSA(WPACKET *pkt, int tag, RSA *rsa)
394*b077aed3SPierre Pronchery {
395*b077aed3SPierre Pronchery int rsa_type = RSA_test_flags(rsa, RSA_FLAG_TYPE_MASK);
396*b077aed3SPierre Pronchery RSA_PSS_PARAMS_30 *pss_params = ossl_rsa_get0_pss_params_30(rsa);
397*b077aed3SPierre Pronchery
398*b077aed3SPierre Pronchery return ossl_DER_w_algorithmIdentifier_RSA_PSS(pkt, tag, rsa_type,
399*b077aed3SPierre Pronchery pss_params);
400*b077aed3SPierre Pronchery }
401