1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #pragma ident "%Z%%M% %I% %E% SMI" 27 28 /* 29 * This file contains RSA helper routines common to 30 * the PKCS11 soft token code and the kernel RSA code. 31 */ 32 33 #include <sys/types.h> 34 #include "rsa_impl.h" 35 36 #ifdef _KERNEL 37 #include <sys/param.h> 38 #else 39 #include <strings.h> 40 #include "softRandom.h" 41 #endif 42 43 /* 44 * DER encoding T of the DigestInfo values for MD5, SHA1, and SHA2 45 * from PKCS#1 v2.1: RSA Cryptography Standard Section 9.2 Note 1 46 * 47 * MD5: (0x)30 20 30 0c 06 08 2a 86 48 86 f7 0d 02 05 05 00 04 10 || H 48 * SHA-1: (0x)30 21 30 09 06 05 2b 0e 03 02 1a 05 00 04 14 || H 49 * SHA-256: (0x)30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20 || H. 50 * SHA-384: (0x)30 41 30 0d 06 09 60 86 48 01 65 03 04 02 02 05 00 04 30 || H. 51 * SHA-512: (0x)30 51 30 0d 06 09 60 86 48 01 65 03 04 02 03 05 00 04 40 || H. 52 * 53 * Where H is the digested output from MD5 or SHA1. We define the constant 54 * byte array (the prefix) here and use it rather than doing the DER 55 * encoding of the OID in a separate routine. 56 */ 57 const CK_BYTE MD5_DER_PREFIX[MD5_DER_PREFIX_Len] = {0x30, 0x20, 0x30, 0x0c, 58 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 59 0x04, 0x10}; 60 61 const CK_BYTE SHA1_DER_PREFIX[SHA1_DER_PREFIX_Len] = {0x30, 0x21, 0x30, 62 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14}; 63 64 const CK_BYTE SHA1_DER_PREFIX_OID[SHA1_DER_PREFIX_OID_Len] = {0x30, 0x1f, 0x30, 65 0x07, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x04, 0x14}; 66 67 const CK_BYTE SHA256_DER_PREFIX[SHA2_DER_PREFIX_Len] = {0x30, 0x31, 0x30, 0x0d, 68 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 69 0x00, 0x04, 0x20}; 70 71 const CK_BYTE SHA384_DER_PREFIX[SHA2_DER_PREFIX_Len] = {0x30, 0x41, 0x30, 0x0d, 72 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 73 0x00, 0x04, 0x30}; 74 75 const CK_BYTE SHA512_DER_PREFIX[SHA2_DER_PREFIX_Len] = {0x30, 0x51, 0x30, 0x0d, 76 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 77 0x00, 0x04, 0x40}; 78 79 80 /* psize and qsize are in bits */ 81 BIG_ERR_CODE 82 RSA_key_init(RSAkey *key, int psize, int qsize) 83 { 84 BIG_ERR_CODE err = BIG_OK; 85 86 /* EXPORT DELETE START */ 87 88 int plen, qlen, nlen; 89 90 plen = BITLEN2BIGNUMLEN(psize); 91 qlen = BITLEN2BIGNUMLEN(qsize); 92 nlen = plen + qlen; 93 key->size = psize + qsize; 94 if ((err = big_init(&(key->p), plen)) != BIG_OK) 95 return (err); 96 if ((err = big_init(&(key->q), qlen)) != BIG_OK) 97 goto ret1; 98 if ((err = big_init(&(key->n), nlen)) != BIG_OK) 99 goto ret2; 100 if ((err = big_init(&(key->d), nlen)) != BIG_OK) 101 goto ret3; 102 if ((err = big_init(&(key->e), nlen)) != BIG_OK) 103 goto ret4; 104 if ((err = big_init(&(key->dmodpminus1), plen)) != BIG_OK) 105 goto ret5; 106 if ((err = big_init(&(key->dmodqminus1), qlen)) != BIG_OK) 107 goto ret6; 108 if ((err = big_init(&(key->pinvmodq), qlen)) != BIG_OK) 109 goto ret7; 110 if ((err = big_init(&(key->p_rr), plen)) != BIG_OK) 111 goto ret8; 112 if ((err = big_init(&(key->q_rr), qlen)) != BIG_OK) 113 goto ret9; 114 if ((err = big_init(&(key->n_rr), nlen)) != BIG_OK) 115 goto ret10; 116 117 return (BIG_OK); 118 119 ret10: 120 big_finish(&(key->q_rr)); 121 ret9: 122 big_finish(&(key->p_rr)); 123 ret8: 124 big_finish(&(key->pinvmodq)); 125 ret7: 126 big_finish(&(key->dmodqminus1)); 127 ret6: 128 big_finish(&(key->dmodpminus1)); 129 ret5: 130 big_finish(&(key->e)); 131 ret4: 132 big_finish(&(key->d)); 133 ret3: 134 big_finish(&(key->n)); 135 ret2: 136 big_finish(&(key->q)); 137 ret1: 138 big_finish(&(key->p)); 139 140 /* EXPORT DELETE END */ 141 142 return (err); 143 } 144 145 146 void 147 RSA_key_finish(RSAkey *key) 148 { 149 150 /* EXPORT DELETE START */ 151 152 big_finish(&(key->n_rr)); 153 big_finish(&(key->q_rr)); 154 big_finish(&(key->p_rr)); 155 big_finish(&(key->pinvmodq)); 156 big_finish(&(key->dmodqminus1)); 157 big_finish(&(key->dmodpminus1)); 158 big_finish(&(key->e)); 159 big_finish(&(key->d)); 160 big_finish(&(key->n)); 161 big_finish(&(key->q)); 162 big_finish(&(key->p)); 163 164 /* EXPORT DELETE END */ 165 166 } 167 168 169 /* 170 * To create a block type "02" encryption block for RSA PKCS encryption 171 * process. 172 * 173 * The RSA PKCS Padding before encryption is in the following format: 174 * +------+--------------------+----+-----------------------------+ 175 * |0x0002| 8 bytes or more RN |0x00| DATA | 176 * +------+--------------------+----+-----------------------------+ 177 * 178 */ 179 CK_RV 180 soft_encrypt_rsa_pkcs_encode(uint8_t *databuf, 181 size_t datalen, uint8_t *padbuf, size_t padbuflen) 182 { 183 184 /* EXPORT DELETE START */ 185 186 size_t padlen; 187 CK_RV rv; 188 189 padlen = padbuflen - datalen; 190 if (padlen < MIN_PKCS1_PADLEN) { 191 return (CKR_DATA_LEN_RANGE); 192 } 193 194 /* Pad with 0x0002+non-zero pseudorandom numbers+0x00. */ 195 padbuf[0] = 0x00; 196 padbuf[1] = 0x02; 197 #ifdef _KERNEL 198 rv = knzero_random_generator(padbuf + 2, padbuflen - 3); 199 #else 200 rv = soft_nzero_random_generator(padbuf + 2, padbuflen - 3); 201 #endif 202 if (rv != CKR_OK) { 203 return (rv); 204 } 205 padbuf[padlen - 1] = 0x00; 206 207 bcopy(databuf, padbuf + padlen, datalen); 208 209 /* EXPORT DELETE END */ 210 211 return (CKR_OK); 212 } 213 214 215 /* 216 * The RSA PKCS Padding after decryption is in the following format: 217 * +------+--------------------+----+-----------------------------+ 218 * |0x0002| 8 bytes or more RN |0x00| DATA | 219 * +------+--------------------+----+-----------------------------+ 220 * 221 * 'padbuf' points to the recovered message which is the modulus 222 * length. As a result, 'plen' is changed to hold the actual data length. 223 */ 224 CK_RV 225 soft_decrypt_rsa_pkcs_decode(uint8_t *padbuf, int *plen) 226 { 227 228 /* EXPORT DELETE START */ 229 230 int i; 231 232 /* Check to see if the recovered data is padded is 0x0002. */ 233 if (padbuf[0] != 0x00 || padbuf[1] != 0x02) { 234 return (CKR_ENCRYPTED_DATA_INVALID); 235 } 236 237 /* Remove all the random bits up to 0x00 (= NULL char) */ 238 for (i = 2; (*plen - i) > 0; i++) { 239 if (padbuf[i] == 0x00) { 240 i++; 241 if (i < MIN_PKCS1_PADLEN) { 242 return (CKR_ENCRYPTED_DATA_INVALID); 243 } 244 *plen -= i; 245 246 return (CKR_OK); 247 } 248 } 249 250 /* EXPORT DELETE END */ 251 252 return (CKR_ENCRYPTED_DATA_INVALID); 253 } 254 255 /* 256 * To create a block type "01" block for RSA PKCS signature process. 257 * 258 * The RSA PKCS Padding before Signing is in the following format: 259 * +------+--------------+----+-----------------------------+ 260 * |0x0001| 0xFFFF.......|0x00| DATA | 261 * +------+--------------+----+-----------------------------+ 262 */ 263 CK_RV 264 soft_sign_rsa_pkcs_encode(uint8_t *pData, size_t dataLen, uint8_t *data, 265 size_t mbit_l) 266 { 267 268 /* EXPORT DELETE START */ 269 270 size_t padlen; 271 272 padlen = mbit_l - dataLen; 273 if (padlen < MIN_PKCS1_PADLEN) { 274 return (CKR_DATA_LEN_RANGE); 275 } 276 277 padlen -= 3; 278 data[0] = 0x00; 279 data[1] = 0x01; 280 #ifdef _KERNEL 281 kmemset(data + 2, 0xFF, padlen); 282 #else 283 (void) memset(data + 2, 0xFF, padlen); 284 #endif 285 data[padlen + 2] = 0x00; 286 bcopy(pData, data + padlen + 3, dataLen); 287 288 /* EXPORT DELETE END */ 289 290 return (CKR_OK); 291 } 292 293 294 CK_RV 295 soft_verify_rsa_pkcs_decode(uint8_t *data, int *mbit_l) 296 { 297 298 /* EXPORT DELETE START */ 299 300 int i; 301 302 /* Check to see if the padding of recovered data starts with 0x0001. */ 303 if ((data[0] != 0x00) || (data[1] != 0x01)) { 304 return (CKR_SIGNATURE_INVALID); 305 } 306 /* Check to see if the recovered data is padded with 0xFFF...00. */ 307 for (i = 2; i < *mbit_l; i++) { 308 if (data[i] == 0x00) { 309 i++; 310 if (i < MIN_PKCS1_PADLEN) { 311 return (CKR_SIGNATURE_INVALID); 312 } 313 *mbit_l -= i; 314 315 return (CKR_OK); 316 } else if (data[i] != 0xFF) { 317 return (CKR_SIGNATURE_INVALID); 318 } 319 } 320 321 /* EXPORT DELETE END */ 322 323 return (CKR_SIGNATURE_INVALID); 324 } 325