1 /* $OpenBSD: rsa_ameth.c,v 1.62 2024/11/02 07:11:14 tb Exp $ */
2 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2006.
4 */
5 /* ====================================================================
6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59 #include <stdint.h>
60 #include <stdio.h>
61 #include <stdlib.h>
62
63 #include <openssl/opensslconf.h>
64
65 #include <openssl/asn1.h>
66 #include <openssl/bio.h>
67 #include <openssl/bn.h>
68 #include <openssl/cms.h>
69 #include <openssl/err.h>
70 #include <openssl/evp.h>
71 #include <openssl/objects.h>
72 #include <openssl/pkcs7.h>
73 #include <openssl/rsa.h>
74 #include <openssl/sha.h>
75 #include <openssl/x509.h>
76
77 #include "asn1_local.h"
78 #include "bn_local.h"
79 #include "evp_local.h"
80 #include "rsa_local.h"
81 #include "x509_local.h"
82
83 #ifndef OPENSSL_NO_CMS
84 static int rsa_cms_sign(CMS_SignerInfo *si);
85 static int rsa_cms_verify(CMS_SignerInfo *si);
86 static int rsa_cms_decrypt(CMS_RecipientInfo *ri);
87 static int rsa_cms_encrypt(CMS_RecipientInfo *ri);
88 #endif
89
90 static RSA_PSS_PARAMS *rsa_pss_decode(const X509_ALGOR *alg);
91
92 static int rsa_alg_set_pkcs1_padding(X509_ALGOR *alg);
93
94 /* Set any parameters associated with pkey */
95 static int
rsa_param_encode(const EVP_PKEY * pkey,ASN1_STRING ** pstr,int * pstrtype)96 rsa_param_encode(const EVP_PKEY *pkey, ASN1_STRING **pstr, int *pstrtype)
97 {
98 const RSA *rsa = pkey->pkey.rsa;
99
100 *pstr = NULL;
101
102 /* If RSA it's just NULL type */
103 if (pkey->ameth->pkey_id != EVP_PKEY_RSA_PSS) {
104 *pstrtype = V_ASN1_NULL;
105 return 1;
106 }
107
108 /* If no PSS parameters we omit parameters entirely */
109 if (rsa->pss == NULL) {
110 *pstrtype = V_ASN1_UNDEF;
111 return 1;
112 }
113
114 /* Encode PSS parameters */
115 if (ASN1_item_pack(rsa->pss, &RSA_PSS_PARAMS_it, pstr) == NULL)
116 return 0;
117
118 *pstrtype = V_ASN1_SEQUENCE;
119 return 1;
120 }
121
122 /* Decode any parameters and set them in RSA structure */
123 static int
rsa_param_decode(RSA * rsa,const X509_ALGOR * alg)124 rsa_param_decode(RSA *rsa, const X509_ALGOR *alg)
125 {
126 const ASN1_OBJECT *algoid;
127 const void *algp;
128 int algptype;
129
130 X509_ALGOR_get0(&algoid, &algptype, &algp, alg);
131 if (OBJ_obj2nid(algoid) != EVP_PKEY_RSA_PSS)
132 return 1;
133 if (algptype == V_ASN1_UNDEF)
134 return 1;
135 if (algptype != V_ASN1_SEQUENCE) {
136 RSAerror(RSA_R_INVALID_PSS_PARAMETERS);
137 return 0;
138 }
139 rsa->pss = rsa_pss_decode(alg);
140 if (rsa->pss == NULL)
141 return 0;
142 return 1;
143 }
144
145 static int
rsa_pub_encode(X509_PUBKEY * pk,const EVP_PKEY * pkey)146 rsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
147 {
148 ASN1_STRING *str = NULL;
149 int strtype;
150 unsigned char *penc = NULL;
151 int penclen = 0;
152 ASN1_OBJECT *aobj;
153
154 if (!rsa_param_encode(pkey, &str, &strtype))
155 goto err;
156 if ((penclen = i2d_RSAPublicKey(pkey->pkey.rsa, &penc)) <= 0) {
157 penclen = 0;
158 goto err;
159 }
160 if ((aobj = OBJ_nid2obj(pkey->ameth->pkey_id)) == NULL)
161 goto err;
162 if (!X509_PUBKEY_set0_param(pk, aobj, strtype, str, penc, penclen))
163 goto err;
164
165 return 1;
166
167 err:
168 ASN1_STRING_free(str);
169 freezero(penc, penclen);
170
171 return 0;
172 }
173
174 static int
rsa_pub_decode(EVP_PKEY * pkey,X509_PUBKEY * pubkey)175 rsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey)
176 {
177 const unsigned char *p;
178 int pklen;
179 X509_ALGOR *alg;
180 RSA *rsa = NULL;
181
182 if (!X509_PUBKEY_get0_param(NULL, &p, &pklen, &alg, pubkey))
183 return 0;
184 if ((rsa = d2i_RSAPublicKey(NULL, &p, pklen)) == NULL) {
185 RSAerror(ERR_R_RSA_LIB);
186 return 0;
187 }
188 if (!rsa_param_decode(rsa, alg)) {
189 RSA_free(rsa);
190 return 0;
191 }
192 if (!EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa)) {
193 RSA_free(rsa);
194 return 0;
195 }
196 return 1;
197 }
198
199 static int
rsa_pub_cmp(const EVP_PKEY * a,const EVP_PKEY * b)200 rsa_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b)
201 {
202 if (BN_cmp(b->pkey.rsa->n, a->pkey.rsa->n) != 0 ||
203 BN_cmp(b->pkey.rsa->e, a->pkey.rsa->e) != 0)
204 return 0;
205
206 return 1;
207 }
208
209 static int
old_rsa_priv_decode(EVP_PKEY * pkey,const unsigned char ** pder,int derlen)210 old_rsa_priv_decode(EVP_PKEY *pkey, const unsigned char **pder, int derlen)
211 {
212 RSA *rsa;
213 int ret = 0;
214
215 if ((rsa = d2i_RSAPrivateKey(NULL, pder, derlen)) == NULL) {
216 RSAerror(ERR_R_RSA_LIB);
217 goto err;
218 }
219 if (!EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa))
220 goto err;
221 rsa = NULL;
222
223 ret = 1;
224
225 err:
226 RSA_free(rsa);
227
228 return ret;
229 }
230
231 static int
old_rsa_priv_encode(const EVP_PKEY * pkey,unsigned char ** pder)232 old_rsa_priv_encode(const EVP_PKEY *pkey, unsigned char **pder)
233 {
234 return i2d_RSAPrivateKey(pkey->pkey.rsa, pder);
235 }
236
237 static int
rsa_priv_encode(PKCS8_PRIV_KEY_INFO * p8,const EVP_PKEY * pkey)238 rsa_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
239 {
240 ASN1_STRING *str = NULL;
241 ASN1_OBJECT *aobj;
242 int strtype;
243 unsigned char *rk = NULL;
244 int rklen = 0;
245
246 if (!rsa_param_encode(pkey, &str, &strtype))
247 goto err;
248 if ((rklen = i2d_RSAPrivateKey(pkey->pkey.rsa, &rk)) <= 0) {
249 RSAerror(ERR_R_MALLOC_FAILURE);
250 rklen = 0;
251 goto err;
252 }
253 if ((aobj = OBJ_nid2obj(pkey->ameth->pkey_id)) == NULL)
254 goto err;
255 if (!PKCS8_pkey_set0(p8, aobj, 0, strtype, str, rk, rklen)) {
256 RSAerror(ERR_R_MALLOC_FAILURE);
257 goto err;
258 }
259
260 return 1;
261
262 err:
263 ASN1_STRING_free(str);
264 freezero(rk, rklen);
265
266 return 0;
267 }
268
269 static int
rsa_priv_decode(EVP_PKEY * pkey,const PKCS8_PRIV_KEY_INFO * p8)270 rsa_priv_decode(EVP_PKEY *pkey, const PKCS8_PRIV_KEY_INFO *p8)
271 {
272 const unsigned char *p;
273 RSA *rsa = NULL;
274 int pklen;
275 const X509_ALGOR *alg;
276 int ret = 0;
277
278 if (!PKCS8_pkey_get0(NULL, &p, &pklen, &alg, p8))
279 goto err;
280 if ((rsa = d2i_RSAPrivateKey(NULL, &p, pklen)) == NULL)
281 goto err;
282 if (!rsa_param_decode(rsa, alg))
283 goto err;
284 if (!EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa))
285 goto err;
286 rsa = NULL;
287
288 ret = 1;
289
290 err:
291 RSA_free(rsa);
292
293 return ret;
294 }
295
296 static int
rsa_size(const EVP_PKEY * pkey)297 rsa_size(const EVP_PKEY *pkey)
298 {
299 return RSA_size(pkey->pkey.rsa);
300 }
301
302 static int
rsa_bits(const EVP_PKEY * pkey)303 rsa_bits(const EVP_PKEY *pkey)
304 {
305 return BN_num_bits(pkey->pkey.rsa->n);
306 }
307
308 static int
rsa_security_bits(const EVP_PKEY * pkey)309 rsa_security_bits(const EVP_PKEY *pkey)
310 {
311 return RSA_security_bits(pkey->pkey.rsa);
312 }
313
314 static void
rsa_free(EVP_PKEY * pkey)315 rsa_free(EVP_PKEY *pkey)
316 {
317 RSA_free(pkey->pkey.rsa);
318 }
319
320 static X509_ALGOR *
rsa_mgf1_decode(X509_ALGOR * alg)321 rsa_mgf1_decode(X509_ALGOR *alg)
322 {
323 if (OBJ_obj2nid(alg->algorithm) != NID_mgf1)
324 return NULL;
325
326 return ASN1_TYPE_unpack_sequence(&X509_ALGOR_it, alg->parameter);
327 }
328
329 static RSA_PSS_PARAMS *
rsa_pss_decode(const X509_ALGOR * alg)330 rsa_pss_decode(const X509_ALGOR *alg)
331 {
332 RSA_PSS_PARAMS *pss;
333
334 pss = ASN1_TYPE_unpack_sequence(&RSA_PSS_PARAMS_it, alg->parameter);
335 if (pss == NULL)
336 return NULL;
337
338 if (pss->maskGenAlgorithm != NULL) {
339 pss->maskHash = rsa_mgf1_decode(pss->maskGenAlgorithm);
340 if (pss->maskHash == NULL) {
341 RSA_PSS_PARAMS_free(pss);
342 return NULL;
343 }
344 }
345
346 return pss;
347 }
348
349 static int
rsa_pss_param_print(BIO * bp,int pss_key,RSA_PSS_PARAMS * pss,int indent)350 rsa_pss_param_print(BIO *bp, int pss_key, RSA_PSS_PARAMS *pss, int indent)
351 {
352 int rv = 0;
353 X509_ALGOR *maskHash = NULL;
354
355 if (!BIO_indent(bp, indent, 128))
356 goto err;
357 if (pss_key) {
358 if (pss == NULL) {
359 if (BIO_puts(bp, "No PSS parameter restrictions\n") <= 0)
360 return 0;
361 return 1;
362 } else {
363 if (BIO_puts(bp, "PSS parameter restrictions:") <= 0)
364 return 0;
365 }
366 } else if (pss == NULL) {
367 if (BIO_puts(bp,"(INVALID PSS PARAMETERS)\n") <= 0)
368 return 0;
369 return 1;
370 }
371 if (BIO_puts(bp, "\n") <= 0)
372 goto err;
373 if (pss_key)
374 indent += 2;
375 if (!BIO_indent(bp, indent, 128))
376 goto err;
377 if (BIO_puts(bp, "Hash Algorithm: ") <= 0)
378 goto err;
379
380 if (pss->hashAlgorithm) {
381 if (i2a_ASN1_OBJECT(bp, pss->hashAlgorithm->algorithm) <= 0)
382 goto err;
383 } else if (BIO_puts(bp, "sha1 (default)") <= 0) {
384 goto err;
385 }
386
387 if (BIO_puts(bp, "\n") <= 0)
388 goto err;
389
390 if (!BIO_indent(bp, indent, 128))
391 goto err;
392
393 if (BIO_puts(bp, "Mask Algorithm: ") <= 0)
394 goto err;
395 if (pss->maskGenAlgorithm) {
396 if (i2a_ASN1_OBJECT(bp, pss->maskGenAlgorithm->algorithm) <= 0)
397 goto err;
398 if (BIO_puts(bp, " with ") <= 0)
399 goto err;
400 maskHash = rsa_mgf1_decode(pss->maskGenAlgorithm);
401 if (maskHash != NULL) {
402 if (i2a_ASN1_OBJECT(bp, maskHash->algorithm) <= 0)
403 goto err;
404 } else if (BIO_puts(bp, "INVALID") <= 0) {
405 goto err;
406 }
407 } else if (BIO_puts(bp, "mgf1 with sha1 (default)") <= 0) {
408 goto err;
409 }
410 BIO_puts(bp, "\n");
411
412 if (!BIO_indent(bp, indent, 128))
413 goto err;
414 if (BIO_printf(bp, "%s Salt Length: 0x", pss_key ? "Minimum" : "") <= 0)
415 goto err;
416 if (pss->saltLength) {
417 if (i2a_ASN1_INTEGER(bp, pss->saltLength) <= 0)
418 goto err;
419 } else if (BIO_puts(bp, "14 (default)") <= 0) {
420 goto err;
421 }
422 BIO_puts(bp, "\n");
423
424 if (!BIO_indent(bp, indent, 128))
425 goto err;
426 if (BIO_puts(bp, "Trailer Field: 0x") <= 0)
427 goto err;
428 if (pss->trailerField) {
429 if (i2a_ASN1_INTEGER(bp, pss->trailerField) <= 0)
430 goto err;
431 } else if (BIO_puts(bp, "BC (default)") <= 0) {
432 goto err;
433 }
434 BIO_puts(bp, "\n");
435
436 rv = 1;
437
438 err:
439 X509_ALGOR_free(maskHash);
440 return rv;
441
442 }
443
444 static int
pkey_rsa_print(BIO * bp,const EVP_PKEY * pkey,int off,int priv)445 pkey_rsa_print(BIO *bp, const EVP_PKEY *pkey, int off, int priv)
446 {
447 const RSA *x = pkey->pkey.rsa;
448 char *str;
449 const char *s;
450 int ret = 0, mod_len = 0;
451
452 if (x->n != NULL)
453 mod_len = BN_num_bits(x->n);
454
455 if (!BIO_indent(bp, off, 128))
456 goto err;
457
458 if (BIO_printf(bp, "%s ",
459 pkey->ameth->pkey_id == EVP_PKEY_RSA_PSS ? "RSA-PSS" : "RSA") <= 0)
460 goto err;
461
462 if (priv && x->d != NULL) {
463 if (BIO_printf(bp, "Private-Key: (%d bit)\n", mod_len) <= 0)
464 goto err;
465 str = "modulus:";
466 s = "publicExponent:";
467 } else {
468 if (BIO_printf(bp, "Public-Key: (%d bit)\n", mod_len) <= 0)
469 goto err;
470 str = "Modulus:";
471 s = "Exponent:";
472 }
473 if (!bn_printf(bp, x->n, off, "%s", str))
474 goto err;
475 if (!bn_printf(bp, x->e, off, "%s", s))
476 goto err;
477 if (priv) {
478 if (!bn_printf(bp, x->d, off, "privateExponent:"))
479 goto err;
480 if (!bn_printf(bp, x->p, off, "prime1:"))
481 goto err;
482 if (!bn_printf(bp, x->q, off, "prime2:"))
483 goto err;
484 if (!bn_printf(bp, x->dmp1, off, "exponent1:"))
485 goto err;
486 if (!bn_printf(bp, x->dmq1, off, "exponent2:"))
487 goto err;
488 if (!bn_printf(bp, x->iqmp, off, "coefficient:"))
489 goto err;
490 }
491 if (pkey->ameth->pkey_id == EVP_PKEY_RSA_PSS &&
492 !rsa_pss_param_print(bp, 1, x->pss, off))
493 goto err;
494 ret = 1;
495 err:
496 return ret;
497 }
498
499 static int
rsa_pub_print(BIO * bp,const EVP_PKEY * pkey,int indent,ASN1_PCTX * ctx)500 rsa_pub_print(BIO *bp, const EVP_PKEY *pkey, int indent, ASN1_PCTX *ctx)
501 {
502 return pkey_rsa_print(bp, pkey, indent, 0);
503 }
504
505 static int
rsa_priv_print(BIO * bp,const EVP_PKEY * pkey,int indent,ASN1_PCTX * ctx)506 rsa_priv_print(BIO *bp, const EVP_PKEY *pkey, int indent, ASN1_PCTX *ctx)
507 {
508 return pkey_rsa_print(bp, pkey, indent, 1);
509 }
510
511 static int
rsa_sig_print(BIO * bp,const X509_ALGOR * sigalg,const ASN1_STRING * sig,int indent,ASN1_PCTX * pctx)512 rsa_sig_print(BIO *bp, const X509_ALGOR *sigalg, const ASN1_STRING *sig,
513 int indent, ASN1_PCTX *pctx)
514 {
515 if (OBJ_obj2nid(sigalg->algorithm) == EVP_PKEY_RSA_PSS) {
516 int rv;
517 RSA_PSS_PARAMS *pss = rsa_pss_decode(sigalg);
518
519 rv = rsa_pss_param_print(bp, 0, pss, indent);
520 RSA_PSS_PARAMS_free(pss);
521 if (!rv)
522 return 0;
523 } else if (!sig && BIO_puts(bp, "\n") <= 0) {
524 return 0;
525 }
526 if (sig)
527 return X509_signature_dump(bp, sig, indent);
528 return 1;
529 }
530
531 static int
rsa_pkey_ctrl(EVP_PKEY * pkey,int op,long arg1,void * arg2)532 rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
533 {
534 X509_ALGOR *alg = NULL;
535 const EVP_MD *md;
536 const EVP_MD *mgf1md;
537 int min_saltlen;
538
539 switch (op) {
540 case ASN1_PKEY_CTRL_PKCS7_SIGN:
541 if (arg1 == 0)
542 PKCS7_SIGNER_INFO_get0_algs(arg2, NULL, NULL, &alg);
543 break;
544
545 case ASN1_PKEY_CTRL_PKCS7_ENCRYPT:
546 if (pkey->ameth->pkey_id == EVP_PKEY_RSA_PSS)
547 return -2;
548 if (arg1 == 0)
549 PKCS7_RECIP_INFO_get0_alg(arg2, &alg);
550 break;
551 #ifndef OPENSSL_NO_CMS
552 case ASN1_PKEY_CTRL_CMS_SIGN:
553 if (arg1 == 0)
554 return rsa_cms_sign(arg2);
555 else if (arg1 == 1)
556 return rsa_cms_verify(arg2);
557 break;
558
559 case ASN1_PKEY_CTRL_CMS_ENVELOPE:
560 if (pkey->ameth->pkey_id == EVP_PKEY_RSA_PSS)
561 return -2;
562 if (arg1 == 0)
563 return rsa_cms_encrypt(arg2);
564 else if (arg1 == 1)
565 return rsa_cms_decrypt(arg2);
566 break;
567
568 case ASN1_PKEY_CTRL_CMS_RI_TYPE:
569 if (pkey->ameth->pkey_id == EVP_PKEY_RSA_PSS)
570 return -2;
571 *(int *)arg2 = CMS_RECIPINFO_TRANS;
572 return 1;
573 #endif
574
575 case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
576 if (pkey->pkey.rsa->pss != NULL) {
577 if (!rsa_pss_get_param(pkey->pkey.rsa->pss, &md, &mgf1md,
578 &min_saltlen)) {
579 RSAerror(ERR_R_INTERNAL_ERROR);
580 return 0;
581 }
582 *(int *)arg2 = EVP_MD_type(md);
583 /* Return of 2 indicates this MD is mandatory */
584 return 2;
585 }
586 *(int *)arg2 = NID_sha256;
587 return 1;
588
589 default:
590 return -2;
591 }
592
593 if (alg != NULL)
594 return rsa_alg_set_pkcs1_padding(alg);
595
596 return 1;
597 }
598
599 static int
rsa_md_to_algor(const EVP_MD * md,X509_ALGOR ** out_alg)600 rsa_md_to_algor(const EVP_MD *md, X509_ALGOR **out_alg)
601 {
602 X509_ALGOR *alg = NULL;
603 int ret = 0;
604
605 X509_ALGOR_free(*out_alg);
606 *out_alg = NULL;
607
608 /* RFC 8017 - default hash is SHA-1 and hence omitted. */
609 if (md == NULL || EVP_MD_type(md) == NID_sha1)
610 goto done;
611
612 if ((alg = X509_ALGOR_new()) == NULL)
613 goto err;
614 /*
615 * XXX - This omits the parameters, whereas RFC 4055, section 2.1
616 * explicitly states that an explicit ASN.1 NULL is required.
617 */
618 if (!X509_ALGOR_set_evp_md(alg, md))
619 goto err;
620
621 done:
622 *out_alg = alg;
623 alg = NULL;
624
625 ret = 1;
626
627 err:
628 X509_ALGOR_free(alg);
629
630 return ret;
631 }
632
633 /*
634 * RFC 8017, A.2.1 and A.2.3 - encode maskGenAlgorithm for RSAES-OAEP
635 * and RSASSA-PSS. The default is mgfSHA1 and hence omitted.
636 */
637 static int
rsa_mgf1md_to_maskGenAlgorithm(const EVP_MD * mgf1md,X509_ALGOR ** out_alg)638 rsa_mgf1md_to_maskGenAlgorithm(const EVP_MD *mgf1md, X509_ALGOR **out_alg)
639 {
640 X509_ALGOR *alg = NULL;
641 X509_ALGOR *inner_alg = NULL;
642 ASN1_STRING *astr = NULL;
643 int ret = 0;
644
645 X509_ALGOR_free(*out_alg);
646 *out_alg = NULL;
647
648 if (mgf1md == NULL || EVP_MD_type(mgf1md) == NID_sha1)
649 goto done;
650
651 if ((inner_alg = X509_ALGOR_new()) == NULL)
652 goto err;
653 /*
654 * XXX - This omits the parameters, whereas RFC 4055, section 2.1
655 * explicitly states that an explicit ASN.1 NULL is required.
656 */
657 if (!X509_ALGOR_set_evp_md(inner_alg, mgf1md))
658 goto err;
659 if ((astr = ASN1_item_pack(inner_alg, &X509_ALGOR_it, NULL)) == NULL)
660 goto err;
661
662 if ((alg = X509_ALGOR_new()) == NULL)
663 goto err;
664 if (!X509_ALGOR_set0_by_nid(alg, NID_mgf1, V_ASN1_SEQUENCE, astr))
665 goto err;
666 astr = NULL;
667
668 done:
669 *out_alg = alg;
670 alg = NULL;
671
672 ret = 1;
673
674 err:
675 X509_ALGOR_free(alg);
676 X509_ALGOR_free(inner_alg);
677 ASN1_STRING_free(astr);
678
679 return ret;
680 }
681
682 /* Convert algorithm ID to EVP_MD, defaults to SHA1. */
683 static const EVP_MD *
rsa_algor_to_md(X509_ALGOR * alg)684 rsa_algor_to_md(X509_ALGOR *alg)
685 {
686 const EVP_MD *md;
687
688 if (!alg)
689 return EVP_sha1();
690 md = EVP_get_digestbyobj(alg->algorithm);
691 if (md == NULL)
692 RSAerror(RSA_R_UNKNOWN_DIGEST);
693 return md;
694 }
695
696 /*
697 * Convert EVP_PKEY_CTX in PSS mode into corresponding algorithm parameter,
698 * suitable for setting an AlgorithmIdentifier.
699 */
700 static RSA_PSS_PARAMS *
rsa_ctx_to_pss(EVP_PKEY_CTX * pkey_ctx)701 rsa_ctx_to_pss(EVP_PKEY_CTX *pkey_ctx)
702 {
703 const EVP_MD *sigmd, *mgf1md;
704 EVP_PKEY *pk = EVP_PKEY_CTX_get0_pkey(pkey_ctx);
705 int saltlen;
706
707 if (EVP_PKEY_CTX_get_signature_md(pkey_ctx, &sigmd) <= 0)
708 return NULL;
709 if (EVP_PKEY_CTX_get_rsa_mgf1_md(pkey_ctx, &mgf1md) <= 0)
710 return NULL;
711 if (!EVP_PKEY_CTX_get_rsa_pss_saltlen(pkey_ctx, &saltlen))
712 return NULL;
713 if (saltlen == -1) {
714 saltlen = EVP_MD_size(sigmd);
715 } else if (saltlen == -2 || saltlen == -3) {
716 saltlen = EVP_PKEY_size(pk) - EVP_MD_size(sigmd) - 2;
717 if ((EVP_PKEY_bits(pk) & 0x7) == 1)
718 saltlen--;
719 if (saltlen < 0)
720 return NULL;
721 }
722
723 return rsa_pss_params_create(sigmd, mgf1md, saltlen);
724 }
725
726 RSA_PSS_PARAMS *
rsa_pss_params_create(const EVP_MD * sigmd,const EVP_MD * mgf1md,int saltlen)727 rsa_pss_params_create(const EVP_MD *sigmd, const EVP_MD *mgf1md, int saltlen)
728 {
729 RSA_PSS_PARAMS *pss = NULL;
730
731 if (mgf1md == NULL)
732 mgf1md = sigmd;
733
734 if ((pss = RSA_PSS_PARAMS_new()) == NULL)
735 goto err;
736
737 if (!rsa_md_to_algor(sigmd, &pss->hashAlgorithm))
738 goto err;
739 if (!rsa_mgf1md_to_maskGenAlgorithm(mgf1md, &pss->maskGenAlgorithm))
740 goto err;
741
742 /* Translate mgf1md to X509_ALGOR in decoded form for internal use. */
743 if (!rsa_md_to_algor(mgf1md, &pss->maskHash))
744 goto err;
745
746 /* RFC 8017, A.2.3 - default saltLength is SHA_DIGEST_LENGTH. */
747 if (saltlen != SHA_DIGEST_LENGTH) {
748 if ((pss->saltLength = ASN1_INTEGER_new()) == NULL)
749 goto err;
750 if (!ASN1_INTEGER_set(pss->saltLength, saltlen))
751 goto err;
752 }
753
754 return pss;
755
756 err:
757 RSA_PSS_PARAMS_free(pss);
758
759 return NULL;
760 }
761
762 /*
763 * From PSS AlgorithmIdentifier set public key parameters. If pkey isn't NULL
764 * then the EVP_MD_CTX is setup and initialised. If it is NULL parameters are
765 * passed to pkey_ctx instead.
766 */
767
768 static int
rsa_pss_to_ctx(EVP_MD_CTX * ctx,EVP_PKEY_CTX * pkey_ctx,X509_ALGOR * sigalg,EVP_PKEY * pkey)769 rsa_pss_to_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pkey_ctx,
770 X509_ALGOR *sigalg, EVP_PKEY *pkey)
771 {
772 int rv = -1;
773 int saltlen;
774 const EVP_MD *mgf1md = NULL, *md = NULL;
775 RSA_PSS_PARAMS *pss;
776
777 /* Sanity check: make sure it is PSS */
778 if (OBJ_obj2nid(sigalg->algorithm) != EVP_PKEY_RSA_PSS) {
779 RSAerror(RSA_R_UNSUPPORTED_SIGNATURE_TYPE);
780 return -1;
781 }
782 /* Decode PSS parameters */
783 pss = rsa_pss_decode(sigalg);
784
785 if (!rsa_pss_get_param(pss, &md, &mgf1md, &saltlen)) {
786 RSAerror(RSA_R_INVALID_PSS_PARAMETERS);
787 goto err;
788 }
789
790 /* We have all parameters now set up context */
791 if (pkey) {
792 if (!EVP_DigestVerifyInit(ctx, &pkey_ctx, md, NULL, pkey))
793 goto err;
794 } else {
795 const EVP_MD *checkmd;
796 if (EVP_PKEY_CTX_get_signature_md(pkey_ctx, &checkmd) <= 0)
797 goto err;
798 if (EVP_MD_type(md) != EVP_MD_type(checkmd)) {
799 RSAerror(RSA_R_DIGEST_DOES_NOT_MATCH);
800 goto err;
801 }
802 }
803
804 if (EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING) <= 0)
805 goto err;
806
807 if (EVP_PKEY_CTX_set_rsa_pss_saltlen(pkey_ctx, saltlen) <= 0)
808 goto err;
809
810 if (EVP_PKEY_CTX_set_rsa_mgf1_md(pkey_ctx, mgf1md) <= 0)
811 goto err;
812 /* Carry on */
813 rv = 1;
814
815 err:
816 RSA_PSS_PARAMS_free(pss);
817 return rv;
818 }
819
820 int
rsa_pss_get_param(const RSA_PSS_PARAMS * pss,const EVP_MD ** pmd,const EVP_MD ** pmgf1md,int * psaltlen)821 rsa_pss_get_param(const RSA_PSS_PARAMS *pss, const EVP_MD **pmd,
822 const EVP_MD **pmgf1md, int *psaltlen)
823 {
824 if (pss == NULL)
825 return 0;
826 *pmd = rsa_algor_to_md(pss->hashAlgorithm);
827 if (*pmd == NULL)
828 return 0;
829 *pmgf1md = rsa_algor_to_md(pss->maskHash);
830 if (*pmgf1md == NULL)
831 return 0;
832 if (pss->saltLength) {
833 *psaltlen = ASN1_INTEGER_get(pss->saltLength);
834 if (*psaltlen < 0) {
835 RSAerror(RSA_R_INVALID_SALT_LENGTH);
836 return 0;
837 }
838 } else {
839 *psaltlen = 20;
840 }
841
842 /*
843 * low-level routines support only trailer field 0xbc (value 1) and
844 * PKCS#1 says we should reject any other value anyway.
845 */
846 if (pss->trailerField && ASN1_INTEGER_get(pss->trailerField) != 1) {
847 RSAerror(RSA_R_INVALID_TRAILER);
848 return 0;
849 }
850
851 return 1;
852 }
853
854 static int
rsa_pss_signature_info(const X509_ALGOR * alg,int * out_md_nid,int * out_pkey_nid,int * out_security_bits,uint32_t * out_flags)855 rsa_pss_signature_info(const X509_ALGOR *alg, int *out_md_nid,
856 int *out_pkey_nid, int *out_security_bits, uint32_t *out_flags)
857 {
858 RSA_PSS_PARAMS *pss = NULL;
859 const ASN1_OBJECT *aobj;
860 const EVP_MD *md, *mgf1md;
861 int md_len, salt_len;
862 int md_nid = NID_undef, pkey_nid = NID_undef;
863 int security_bits = -1;
864 uint32_t flags = 0;
865
866 X509_ALGOR_get0(&aobj, NULL, NULL, alg);
867 if (OBJ_obj2nid(aobj) != EVP_PKEY_RSA_PSS)
868 goto err;
869
870 if ((pss = rsa_pss_decode(alg)) == NULL)
871 goto err;
872 if (!rsa_pss_get_param(pss, &md, &mgf1md, &salt_len))
873 goto err;
874
875 if ((md_nid = EVP_MD_type(md)) == NID_undef)
876 goto err;
877 if ((md_len = EVP_MD_size(md)) <= 0)
878 goto err;
879
880 /*
881 * RFC 8446, section 4.2.3 - restricts the digest algorithm:
882 * - it must be one of SHA256, SHA384, and SHA512;
883 * - the same digest must be used in the mask generation function;
884 * - the salt length must match the output length of the digest.
885 * XXX - consider separate flags for these checks.
886 */
887 if (md_nid == NID_sha256 || md_nid == NID_sha384 || md_nid == NID_sha512) {
888 if (md_nid == EVP_MD_type(mgf1md) && salt_len == md_len)
889 flags |= X509_SIG_INFO_TLS;
890 }
891
892 security_bits = md_len * 4;
893 flags |= X509_SIG_INFO_VALID;
894
895 *out_md_nid = md_nid;
896 *out_pkey_nid = pkey_nid;
897 *out_security_bits = security_bits;
898 *out_flags = flags;
899
900 err:
901 RSA_PSS_PARAMS_free(pss);
902
903 return (flags & X509_SIG_INFO_VALID) != 0;
904 }
905
906 #ifndef OPENSSL_NO_CMS
907 static int
rsa_cms_verify(CMS_SignerInfo * si)908 rsa_cms_verify(CMS_SignerInfo *si)
909 {
910 int nid, nid2;
911 X509_ALGOR *alg;
912 EVP_PKEY_CTX *pkey_ctx = CMS_SignerInfo_get0_pkey_ctx(si);
913
914 CMS_SignerInfo_get0_algs(si, NULL, NULL, NULL, &alg);
915 nid = OBJ_obj2nid(alg->algorithm);
916 if (nid == EVP_PKEY_RSA_PSS)
917 return rsa_pss_to_ctx(NULL, pkey_ctx, alg, NULL);
918 /* Only PSS allowed for PSS keys */
919 if (pkey_ctx->pmeth->pkey_id == EVP_PKEY_RSA_PSS) {
920 RSAerror(RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
921 return 0;
922 }
923 if (nid == NID_rsaEncryption)
924 return 1;
925 /* Workaround for some implementation that use a signature OID */
926 if (OBJ_find_sigid_algs(nid, NULL, &nid2)) {
927 if (nid2 == NID_rsaEncryption)
928 return 1;
929 }
930 return 0;
931 }
932 #endif
933
934 /*
935 * Customised RSA item verification routine. This is called when a signature
936 * is encountered requiring special handling. We currently only handle PSS.
937 */
938 static int
rsa_item_verify(EVP_MD_CTX * ctx,const ASN1_ITEM * it,void * asn,X509_ALGOR * sigalg,ASN1_BIT_STRING * sig,EVP_PKEY * pkey)939 rsa_item_verify(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
940 X509_ALGOR *sigalg, ASN1_BIT_STRING *sig, EVP_PKEY *pkey)
941 {
942 /* Sanity check: make sure it is PSS */
943 if (OBJ_obj2nid(sigalg->algorithm) != EVP_PKEY_RSA_PSS) {
944 RSAerror(RSA_R_UNSUPPORTED_SIGNATURE_TYPE);
945 return -1;
946 }
947 if (rsa_pss_to_ctx(ctx, NULL, sigalg, pkey) > 0) {
948 /* Carry on */
949 return 2;
950 }
951 return -1;
952 }
953
954 static int
rsa_alg_set_pkcs1_padding(X509_ALGOR * alg)955 rsa_alg_set_pkcs1_padding(X509_ALGOR *alg)
956 {
957 return X509_ALGOR_set0_by_nid(alg, NID_rsaEncryption, V_ASN1_NULL, NULL);
958 }
959
960 static int
rsa_alg_set_pss_padding(X509_ALGOR * alg,EVP_PKEY_CTX * pkey_ctx)961 rsa_alg_set_pss_padding(X509_ALGOR *alg, EVP_PKEY_CTX *pkey_ctx)
962 {
963 RSA_PSS_PARAMS *pss = NULL;
964 ASN1_STRING *astr = NULL;
965 int ret = 0;
966
967 if (pkey_ctx == NULL)
968 goto err;
969
970 if ((pss = rsa_ctx_to_pss(pkey_ctx)) == NULL)
971 goto err;
972 if ((astr = ASN1_item_pack(pss, &RSA_PSS_PARAMS_it, NULL)) == NULL)
973 goto err;
974 if (!X509_ALGOR_set0_by_nid(alg, EVP_PKEY_RSA_PSS, V_ASN1_SEQUENCE, astr))
975 goto err;
976 astr = NULL;
977
978 ret = 1;
979
980 err:
981 ASN1_STRING_free(astr);
982 RSA_PSS_PARAMS_free(pss);
983
984 return ret;
985 }
986
987 #ifndef OPENSSL_NO_CMS
988 static int
rsa_alg_set_oaep_padding(X509_ALGOR * alg,EVP_PKEY_CTX * pkey_ctx)989 rsa_alg_set_oaep_padding(X509_ALGOR *alg, EVP_PKEY_CTX *pkey_ctx)
990 {
991 const EVP_MD *md, *mgf1md;
992 RSA_OAEP_PARAMS *oaep = NULL;
993 ASN1_STRING *astr = NULL;
994 ASN1_OCTET_STRING *ostr = NULL;
995 unsigned char *label;
996 int labellen;
997 int ret = 0;
998
999 if (EVP_PKEY_CTX_get_rsa_oaep_md(pkey_ctx, &md) <= 0)
1000 goto err;
1001 if (EVP_PKEY_CTX_get_rsa_mgf1_md(pkey_ctx, &mgf1md) <= 0)
1002 goto err;
1003 labellen = EVP_PKEY_CTX_get0_rsa_oaep_label(pkey_ctx, &label);
1004 if (labellen < 0)
1005 goto err;
1006
1007 if ((oaep = RSA_OAEP_PARAMS_new()) == NULL)
1008 goto err;
1009
1010 if (!rsa_md_to_algor(md, &oaep->hashFunc))
1011 goto err;
1012 if (!rsa_mgf1md_to_maskGenAlgorithm(mgf1md, &oaep->maskGenFunc))
1013 goto err;
1014
1015 /* XXX - why do we not set oaep->maskHash here? */
1016
1017 if (labellen > 0) {
1018 if ((oaep->pSourceFunc = X509_ALGOR_new()) == NULL)
1019 goto err;
1020 if ((ostr = ASN1_OCTET_STRING_new()) == NULL)
1021 goto err;
1022 if (!ASN1_OCTET_STRING_set(ostr, label, labellen))
1023 goto err;
1024 if (!X509_ALGOR_set0_by_nid(oaep->pSourceFunc, NID_pSpecified,
1025 V_ASN1_OCTET_STRING, ostr))
1026 goto err;
1027 ostr = NULL;
1028 }
1029
1030 if ((astr = ASN1_item_pack(oaep, &RSA_OAEP_PARAMS_it, NULL)) == NULL)
1031 goto err;
1032 if (!X509_ALGOR_set0_by_nid(alg, NID_rsaesOaep, V_ASN1_SEQUENCE, astr))
1033 goto err;
1034 astr = NULL;
1035
1036 ret = 1;
1037
1038 err:
1039 RSA_OAEP_PARAMS_free(oaep);
1040 ASN1_STRING_free(astr);
1041 ASN1_OCTET_STRING_free(ostr);
1042
1043 return ret;
1044 }
1045
1046 static int
rsa_cms_sign(CMS_SignerInfo * si)1047 rsa_cms_sign(CMS_SignerInfo *si)
1048 {
1049 EVP_PKEY_CTX *pkey_ctx;
1050 X509_ALGOR *alg;
1051 int pad_mode = RSA_PKCS1_PADDING;
1052
1053 if ((pkey_ctx = CMS_SignerInfo_get0_pkey_ctx(si)) != NULL) {
1054 if (EVP_PKEY_CTX_get_rsa_padding(pkey_ctx, &pad_mode) <= 0)
1055 return 0;
1056 }
1057
1058 CMS_SignerInfo_get0_algs(si, NULL, NULL, NULL, &alg);
1059 if (pad_mode == RSA_PKCS1_PADDING)
1060 return rsa_alg_set_pkcs1_padding(alg);
1061 if (pad_mode == RSA_PKCS1_PSS_PADDING)
1062 return rsa_alg_set_pss_padding(alg, pkey_ctx);
1063
1064 return 0;
1065 }
1066 #endif
1067
1068 static int
rsa_item_sign(EVP_MD_CTX * ctx,const ASN1_ITEM * it,void * asn,X509_ALGOR * alg1,X509_ALGOR * alg2,ASN1_BIT_STRING * sig)1069 rsa_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
1070 X509_ALGOR *alg1, X509_ALGOR *alg2, ASN1_BIT_STRING *sig)
1071 {
1072 EVP_PKEY_CTX *pkey_ctx = ctx->pctx;
1073 int pad_mode;
1074
1075 if (EVP_PKEY_CTX_get_rsa_padding(pkey_ctx, &pad_mode) <= 0)
1076 return 0;
1077 if (pad_mode == RSA_PKCS1_PADDING)
1078 return 2;
1079 if (pad_mode == RSA_PKCS1_PSS_PADDING) {
1080 if (!rsa_alg_set_pss_padding(alg1, pkey_ctx))
1081 return 0;
1082 if (alg2 != NULL) {
1083 if (!rsa_alg_set_pss_padding(alg2, pkey_ctx))
1084 return 0;
1085 }
1086 return 3;
1087 }
1088 return 2;
1089 }
1090
1091 #ifndef OPENSSL_NO_CMS
1092 static RSA_OAEP_PARAMS *
rsa_oaep_decode(const X509_ALGOR * alg)1093 rsa_oaep_decode(const X509_ALGOR *alg)
1094 {
1095 RSA_OAEP_PARAMS *oaep;
1096
1097 oaep = ASN1_TYPE_unpack_sequence(&RSA_OAEP_PARAMS_it, alg->parameter);
1098 if (oaep == NULL)
1099 return NULL;
1100
1101 if (oaep->maskGenFunc != NULL) {
1102 oaep->maskHash = rsa_mgf1_decode(oaep->maskGenFunc);
1103 if (oaep->maskHash == NULL) {
1104 RSA_OAEP_PARAMS_free(oaep);
1105 return NULL;
1106 }
1107 }
1108 return oaep;
1109 }
1110
1111 static int
rsa_cms_decrypt(CMS_RecipientInfo * ri)1112 rsa_cms_decrypt(CMS_RecipientInfo *ri)
1113 {
1114 EVP_PKEY_CTX *pkctx;
1115 X509_ALGOR *cmsalg;
1116 int nid;
1117 int rv = -1;
1118 unsigned char *label = NULL;
1119 int labellen = 0;
1120 const EVP_MD *mgf1md = NULL, *md = NULL;
1121 RSA_OAEP_PARAMS *oaep;
1122
1123 pkctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
1124 if (pkctx == NULL)
1125 return 0;
1126 if (!CMS_RecipientInfo_ktri_get0_algs(ri, NULL, NULL, &cmsalg))
1127 return -1;
1128 nid = OBJ_obj2nid(cmsalg->algorithm);
1129 if (nid == NID_rsaEncryption)
1130 return 1;
1131 if (nid != NID_rsaesOaep) {
1132 RSAerror(RSA_R_UNSUPPORTED_ENCRYPTION_TYPE);
1133 return -1;
1134 }
1135 /* Decode OAEP parameters */
1136 oaep = rsa_oaep_decode(cmsalg);
1137
1138 if (oaep == NULL) {
1139 RSAerror(RSA_R_INVALID_OAEP_PARAMETERS);
1140 goto err;
1141 }
1142
1143 mgf1md = rsa_algor_to_md(oaep->maskHash);
1144 if (mgf1md == NULL)
1145 goto err;
1146 md = rsa_algor_to_md(oaep->hashFunc);
1147 if (md == NULL)
1148 goto err;
1149
1150 if (oaep->pSourceFunc != NULL) {
1151 X509_ALGOR *plab = oaep->pSourceFunc;
1152
1153 if (OBJ_obj2nid(plab->algorithm) != NID_pSpecified) {
1154 RSAerror(RSA_R_UNSUPPORTED_LABEL_SOURCE);
1155 goto err;
1156 }
1157 if (plab->parameter->type != V_ASN1_OCTET_STRING) {
1158 RSAerror(RSA_R_INVALID_LABEL);
1159 goto err;
1160 }
1161
1162 label = plab->parameter->value.octet_string->data;
1163
1164 /* Stop label being freed when OAEP parameters are freed */
1165 /* XXX - this leaks label on error... */
1166 plab->parameter->value.octet_string->data = NULL;
1167 labellen = plab->parameter->value.octet_string->length;
1168 }
1169
1170 if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_OAEP_PADDING) <= 0)
1171 goto err;
1172 if (EVP_PKEY_CTX_set_rsa_oaep_md(pkctx, md) <= 0)
1173 goto err;
1174 if (EVP_PKEY_CTX_set_rsa_mgf1_md(pkctx, mgf1md) <= 0)
1175 goto err;
1176 if (EVP_PKEY_CTX_set0_rsa_oaep_label(pkctx, label, labellen) <= 0)
1177 goto err;
1178
1179 rv = 1;
1180
1181 err:
1182 RSA_OAEP_PARAMS_free(oaep);
1183 return rv;
1184 }
1185
1186 static int
rsa_cms_encrypt(CMS_RecipientInfo * ri)1187 rsa_cms_encrypt(CMS_RecipientInfo *ri)
1188 {
1189 X509_ALGOR *alg;
1190 EVP_PKEY_CTX *pkey_ctx;
1191 int pad_mode = RSA_PKCS1_PADDING;
1192
1193 if ((pkey_ctx = CMS_RecipientInfo_get0_pkey_ctx(ri)) != NULL) {
1194 if (EVP_PKEY_CTX_get_rsa_padding(pkey_ctx, &pad_mode) <= 0)
1195 return 0;
1196 }
1197
1198 if (!CMS_RecipientInfo_ktri_get0_algs(ri, NULL, NULL, &alg))
1199 return 0;
1200 if (pad_mode == RSA_PKCS1_PADDING)
1201 return rsa_alg_set_pkcs1_padding(alg);
1202 if (pad_mode == RSA_PKCS1_OAEP_PADDING)
1203 return rsa_alg_set_oaep_padding(alg, pkey_ctx);
1204
1205 return 0;
1206 }
1207 #endif
1208
1209 const EVP_PKEY_ASN1_METHOD rsa_asn1_meth = {
1210 .base_method = &rsa_asn1_meth,
1211 .pkey_id = EVP_PKEY_RSA,
1212 .pkey_flags = ASN1_PKEY_SIGPARAM_NULL,
1213
1214 .pem_str = "RSA",
1215 .info = "OpenSSL RSA method",
1216
1217 .pub_decode = rsa_pub_decode,
1218 .pub_encode = rsa_pub_encode,
1219 .pub_cmp = rsa_pub_cmp,
1220 .pub_print = rsa_pub_print,
1221
1222 .priv_decode = rsa_priv_decode,
1223 .priv_encode = rsa_priv_encode,
1224 .priv_print = rsa_priv_print,
1225
1226 .pkey_size = rsa_size,
1227 .pkey_bits = rsa_bits,
1228 .pkey_security_bits = rsa_security_bits,
1229
1230 .sig_print = rsa_sig_print,
1231
1232 .pkey_free = rsa_free,
1233 .pkey_ctrl = rsa_pkey_ctrl,
1234 .old_priv_decode = old_rsa_priv_decode,
1235 .old_priv_encode = old_rsa_priv_encode,
1236 .item_verify = rsa_item_verify,
1237 .item_sign = rsa_item_sign,
1238 };
1239
1240 const EVP_PKEY_ASN1_METHOD rsa2_asn1_meth = {
1241 .base_method = &rsa_asn1_meth,
1242 .pkey_id = EVP_PKEY_RSA2,
1243 .pkey_flags = ASN1_PKEY_ALIAS,
1244 };
1245
1246 const EVP_PKEY_ASN1_METHOD rsa_pss_asn1_meth = {
1247 .base_method = &rsa_pss_asn1_meth,
1248 .pkey_id = EVP_PKEY_RSA_PSS,
1249 .pkey_flags = ASN1_PKEY_SIGPARAM_NULL,
1250
1251 .pem_str = "RSA-PSS",
1252 .info = "OpenSSL RSA-PSS method",
1253
1254 .pub_decode = rsa_pub_decode,
1255 .pub_encode = rsa_pub_encode,
1256 .pub_cmp = rsa_pub_cmp,
1257 .pub_print = rsa_pub_print,
1258
1259 .priv_decode = rsa_priv_decode,
1260 .priv_encode = rsa_priv_encode,
1261 .priv_print = rsa_priv_print,
1262
1263 .pkey_size = rsa_size,
1264 .pkey_bits = rsa_bits,
1265 .pkey_security_bits = rsa_security_bits,
1266
1267 .signature_info = rsa_pss_signature_info,
1268
1269 .sig_print = rsa_sig_print,
1270
1271 .pkey_free = rsa_free,
1272 .pkey_ctrl = rsa_pkey_ctrl,
1273 .item_verify = rsa_item_verify,
1274 .item_sign = rsa_item_sign
1275 };
1276