rsa_ameth.c 27 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968
  1. /* crypto/rsa/rsa_ameth.c */
  2. /*
  3. * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
  4. * 2006.
  5. */
  6. /* ====================================================================
  7. * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
  8. *
  9. * Redistribution and use in source and binary forms, with or without
  10. * modification, are permitted provided that the following conditions
  11. * are met:
  12. *
  13. * 1. Redistributions of source code must retain the above copyright
  14. * notice, this list of conditions and the following disclaimer.
  15. *
  16. * 2. Redistributions in binary form must reproduce the above copyright
  17. * notice, this list of conditions and the following disclaimer in
  18. * the documentation and/or other materials provided with the
  19. * distribution.
  20. *
  21. * 3. All advertising materials mentioning features or use of this
  22. * software must display the following acknowledgment:
  23. * "This product includes software developed by the OpenSSL Project
  24. * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
  25. *
  26. * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  27. * endorse or promote products derived from this software without
  28. * prior written permission. For written permission, please contact
  29. * licensing@OpenSSL.org.
  30. *
  31. * 5. Products derived from this software may not be called "OpenSSL"
  32. * nor may "OpenSSL" appear in their names without prior written
  33. * permission of the OpenSSL Project.
  34. *
  35. * 6. Redistributions of any form whatsoever must retain the following
  36. * acknowledgment:
  37. * "This product includes software developed by the OpenSSL Project
  38. * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
  39. *
  40. * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  41. * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  42. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  43. * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
  44. * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  45. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  46. * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  47. * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  48. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  49. * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  50. * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  51. * OF THE POSSIBILITY OF SUCH DAMAGE.
  52. * ====================================================================
  53. *
  54. * This product includes cryptographic software written by Eric Young
  55. * (eay@cryptsoft.com). This product includes software written by Tim
  56. * Hudson (tjh@cryptsoft.com).
  57. *
  58. */
  59. #include <stdio.h>
  60. #include "cryptlib.h"
  61. #include <openssl/asn1t.h>
  62. #include <openssl/x509.h>
  63. #include <openssl/rsa.h>
  64. #include <openssl/bn.h>
  65. #ifndef OPENSSL_NO_CMS
  66. # include <openssl/cms.h>
  67. #endif
  68. #include "asn1_locl.h"
  69. #ifndef OPENSSL_NO_CMS
  70. static int rsa_cms_sign(CMS_SignerInfo *si);
  71. static int rsa_cms_verify(CMS_SignerInfo *si);
  72. static int rsa_cms_decrypt(CMS_RecipientInfo *ri);
  73. static int rsa_cms_encrypt(CMS_RecipientInfo *ri);
  74. #endif
  75. static int rsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
  76. {
  77. unsigned char *penc = NULL;
  78. int penclen;
  79. penclen = i2d_RSAPublicKey(pkey->pkey.rsa, &penc);
  80. if (penclen <= 0)
  81. return 0;
  82. if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(EVP_PKEY_RSA),
  83. V_ASN1_NULL, NULL, penc, penclen))
  84. return 1;
  85. OPENSSL_free(penc);
  86. return 0;
  87. }
  88. static int rsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey)
  89. {
  90. const unsigned char *p;
  91. int pklen;
  92. RSA *rsa = NULL;
  93. if (!X509_PUBKEY_get0_param(NULL, &p, &pklen, NULL, pubkey))
  94. return 0;
  95. if (!(rsa = d2i_RSAPublicKey(NULL, &p, pklen))) {
  96. RSAerr(RSA_F_RSA_PUB_DECODE, ERR_R_RSA_LIB);
  97. return 0;
  98. }
  99. EVP_PKEY_assign_RSA(pkey, rsa);
  100. return 1;
  101. }
  102. static int rsa_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b)
  103. {
  104. if (BN_cmp(b->pkey.rsa->n, a->pkey.rsa->n) != 0
  105. || BN_cmp(b->pkey.rsa->e, a->pkey.rsa->e) != 0)
  106. return 0;
  107. return 1;
  108. }
  109. static int old_rsa_priv_decode(EVP_PKEY *pkey,
  110. const unsigned char **pder, int derlen)
  111. {
  112. RSA *rsa;
  113. if (!(rsa = d2i_RSAPrivateKey(NULL, pder, derlen))) {
  114. RSAerr(RSA_F_OLD_RSA_PRIV_DECODE, ERR_R_RSA_LIB);
  115. return 0;
  116. }
  117. EVP_PKEY_assign_RSA(pkey, rsa);
  118. return 1;
  119. }
  120. static int old_rsa_priv_encode(const EVP_PKEY *pkey, unsigned char **pder)
  121. {
  122. return i2d_RSAPrivateKey(pkey->pkey.rsa, pder);
  123. }
  124. static int rsa_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
  125. {
  126. unsigned char *rk = NULL;
  127. int rklen;
  128. rklen = i2d_RSAPrivateKey(pkey->pkey.rsa, &rk);
  129. if (rklen <= 0) {
  130. RSAerr(RSA_F_RSA_PRIV_ENCODE, ERR_R_MALLOC_FAILURE);
  131. return 0;
  132. }
  133. if (!PKCS8_pkey_set0(p8, OBJ_nid2obj(NID_rsaEncryption), 0,
  134. V_ASN1_NULL, NULL, rk, rklen)) {
  135. RSAerr(RSA_F_RSA_PRIV_ENCODE, ERR_R_MALLOC_FAILURE);
  136. return 0;
  137. }
  138. return 1;
  139. }
  140. static int rsa_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8)
  141. {
  142. const unsigned char *p;
  143. int pklen;
  144. if (!PKCS8_pkey_get0(NULL, &p, &pklen, NULL, p8))
  145. return 0;
  146. return old_rsa_priv_decode(pkey, &p, pklen);
  147. }
  148. static int int_rsa_size(const EVP_PKEY *pkey)
  149. {
  150. return RSA_size(pkey->pkey.rsa);
  151. }
  152. static int rsa_bits(const EVP_PKEY *pkey)
  153. {
  154. return BN_num_bits(pkey->pkey.rsa->n);
  155. }
  156. static void int_rsa_free(EVP_PKEY *pkey)
  157. {
  158. RSA_free(pkey->pkey.rsa);
  159. }
  160. static void update_buflen(const BIGNUM *b, size_t *pbuflen)
  161. {
  162. size_t i;
  163. if (!b)
  164. return;
  165. if (*pbuflen < (i = (size_t)BN_num_bytes(b)))
  166. *pbuflen = i;
  167. }
  168. static int do_rsa_print(BIO *bp, const RSA *x, int off, int priv)
  169. {
  170. char *str;
  171. const char *s;
  172. unsigned char *m = NULL;
  173. int ret = 0, mod_len = 0;
  174. size_t buf_len = 0;
  175. update_buflen(x->n, &buf_len);
  176. update_buflen(x->e, &buf_len);
  177. if (priv) {
  178. update_buflen(x->d, &buf_len);
  179. update_buflen(x->p, &buf_len);
  180. update_buflen(x->q, &buf_len);
  181. update_buflen(x->dmp1, &buf_len);
  182. update_buflen(x->dmq1, &buf_len);
  183. update_buflen(x->iqmp, &buf_len);
  184. }
  185. m = (unsigned char *)OPENSSL_malloc(buf_len + 10);
  186. if (m == NULL) {
  187. RSAerr(RSA_F_DO_RSA_PRINT, ERR_R_MALLOC_FAILURE);
  188. goto err;
  189. }
  190. if (x->n != NULL)
  191. mod_len = BN_num_bits(x->n);
  192. if (!BIO_indent(bp, off, 128))
  193. goto err;
  194. if (priv && x->d) {
  195. if (BIO_printf(bp, "Private-Key: (%d bit)\n", mod_len)
  196. <= 0)
  197. goto err;
  198. str = "modulus:";
  199. s = "publicExponent:";
  200. } else {
  201. if (BIO_printf(bp, "Public-Key: (%d bit)\n", mod_len)
  202. <= 0)
  203. goto err;
  204. str = "Modulus:";
  205. s = "Exponent:";
  206. }
  207. if (!ASN1_bn_print(bp, str, x->n, m, off))
  208. goto err;
  209. if (!ASN1_bn_print(bp, s, x->e, m, off))
  210. goto err;
  211. if (priv) {
  212. if (!ASN1_bn_print(bp, "privateExponent:", x->d, m, off))
  213. goto err;
  214. if (!ASN1_bn_print(bp, "prime1:", x->p, m, off))
  215. goto err;
  216. if (!ASN1_bn_print(bp, "prime2:", x->q, m, off))
  217. goto err;
  218. if (!ASN1_bn_print(bp, "exponent1:", x->dmp1, m, off))
  219. goto err;
  220. if (!ASN1_bn_print(bp, "exponent2:", x->dmq1, m, off))
  221. goto err;
  222. if (!ASN1_bn_print(bp, "coefficient:", x->iqmp, m, off))
  223. goto err;
  224. }
  225. ret = 1;
  226. err:
  227. if (m != NULL)
  228. OPENSSL_free(m);
  229. return (ret);
  230. }
  231. static int rsa_pub_print(BIO *bp, const EVP_PKEY *pkey, int indent,
  232. ASN1_PCTX *ctx)
  233. {
  234. return do_rsa_print(bp, pkey->pkey.rsa, indent, 0);
  235. }
  236. static int rsa_priv_print(BIO *bp, const EVP_PKEY *pkey, int indent,
  237. ASN1_PCTX *ctx)
  238. {
  239. return do_rsa_print(bp, pkey->pkey.rsa, indent, 1);
  240. }
  241. /* Given an MGF1 Algorithm ID decode to an Algorithm Identifier */
  242. static X509_ALGOR *rsa_mgf1_decode(X509_ALGOR *alg)
  243. {
  244. const unsigned char *p;
  245. int plen;
  246. if (alg == NULL || alg->parameter == NULL)
  247. return NULL;
  248. if (OBJ_obj2nid(alg->algorithm) != NID_mgf1)
  249. return NULL;
  250. if (alg->parameter->type != V_ASN1_SEQUENCE)
  251. return NULL;
  252. p = alg->parameter->value.sequence->data;
  253. plen = alg->parameter->value.sequence->length;
  254. return d2i_X509_ALGOR(NULL, &p, plen);
  255. }
  256. static RSA_PSS_PARAMS *rsa_pss_decode(const X509_ALGOR *alg,
  257. X509_ALGOR **pmaskHash)
  258. {
  259. const unsigned char *p;
  260. int plen;
  261. RSA_PSS_PARAMS *pss;
  262. *pmaskHash = NULL;
  263. if (!alg->parameter || alg->parameter->type != V_ASN1_SEQUENCE)
  264. return NULL;
  265. p = alg->parameter->value.sequence->data;
  266. plen = alg->parameter->value.sequence->length;
  267. pss = d2i_RSA_PSS_PARAMS(NULL, &p, plen);
  268. if (!pss)
  269. return NULL;
  270. *pmaskHash = rsa_mgf1_decode(pss->maskGenAlgorithm);
  271. return pss;
  272. }
  273. static int rsa_pss_param_print(BIO *bp, RSA_PSS_PARAMS *pss,
  274. X509_ALGOR *maskHash, int indent)
  275. {
  276. int rv = 0;
  277. if (!pss) {
  278. if (BIO_puts(bp, " (INVALID PSS PARAMETERS)\n") <= 0)
  279. return 0;
  280. return 1;
  281. }
  282. if (BIO_puts(bp, "\n") <= 0)
  283. goto err;
  284. if (!BIO_indent(bp, indent, 128))
  285. goto err;
  286. if (BIO_puts(bp, "Hash Algorithm: ") <= 0)
  287. goto err;
  288. if (pss->hashAlgorithm) {
  289. if (i2a_ASN1_OBJECT(bp, pss->hashAlgorithm->algorithm) <= 0)
  290. goto err;
  291. } else if (BIO_puts(bp, "sha1 (default)") <= 0)
  292. goto err;
  293. if (BIO_puts(bp, "\n") <= 0)
  294. goto err;
  295. if (!BIO_indent(bp, indent, 128))
  296. goto err;
  297. if (BIO_puts(bp, "Mask Algorithm: ") <= 0)
  298. goto err;
  299. if (pss->maskGenAlgorithm) {
  300. if (i2a_ASN1_OBJECT(bp, pss->maskGenAlgorithm->algorithm) <= 0)
  301. goto err;
  302. if (BIO_puts(bp, " with ") <= 0)
  303. goto err;
  304. if (maskHash) {
  305. if (i2a_ASN1_OBJECT(bp, maskHash->algorithm) <= 0)
  306. goto err;
  307. } else if (BIO_puts(bp, "INVALID") <= 0)
  308. goto err;
  309. } else if (BIO_puts(bp, "mgf1 with sha1 (default)") <= 0)
  310. goto err;
  311. BIO_puts(bp, "\n");
  312. if (!BIO_indent(bp, indent, 128))
  313. goto err;
  314. if (BIO_puts(bp, "Salt Length: 0x") <= 0)
  315. goto err;
  316. if (pss->saltLength) {
  317. if (i2a_ASN1_INTEGER(bp, pss->saltLength) <= 0)
  318. goto err;
  319. } else if (BIO_puts(bp, "14 (default)") <= 0)
  320. goto err;
  321. BIO_puts(bp, "\n");
  322. if (!BIO_indent(bp, indent, 128))
  323. goto err;
  324. if (BIO_puts(bp, "Trailer Field: 0x") <= 0)
  325. goto err;
  326. if (pss->trailerField) {
  327. if (i2a_ASN1_INTEGER(bp, pss->trailerField) <= 0)
  328. goto err;
  329. } else if (BIO_puts(bp, "BC (default)") <= 0)
  330. goto err;
  331. BIO_puts(bp, "\n");
  332. rv = 1;
  333. err:
  334. return rv;
  335. }
  336. static int rsa_sig_print(BIO *bp, const X509_ALGOR *sigalg,
  337. const ASN1_STRING *sig, int indent, ASN1_PCTX *pctx)
  338. {
  339. if (OBJ_obj2nid(sigalg->algorithm) == NID_rsassaPss) {
  340. int rv;
  341. RSA_PSS_PARAMS *pss;
  342. X509_ALGOR *maskHash;
  343. pss = rsa_pss_decode(sigalg, &maskHash);
  344. rv = rsa_pss_param_print(bp, pss, maskHash, indent);
  345. if (pss)
  346. RSA_PSS_PARAMS_free(pss);
  347. if (maskHash)
  348. X509_ALGOR_free(maskHash);
  349. if (!rv)
  350. return 0;
  351. } else if (!sig && BIO_puts(bp, "\n") <= 0)
  352. return 0;
  353. if (sig)
  354. return X509_signature_dump(bp, sig, indent);
  355. return 1;
  356. }
  357. static int rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
  358. {
  359. X509_ALGOR *alg = NULL;
  360. switch (op) {
  361. case ASN1_PKEY_CTRL_PKCS7_SIGN:
  362. if (arg1 == 0)
  363. PKCS7_SIGNER_INFO_get0_algs(arg2, NULL, NULL, &alg);
  364. break;
  365. case ASN1_PKEY_CTRL_PKCS7_ENCRYPT:
  366. if (arg1 == 0)
  367. PKCS7_RECIP_INFO_get0_alg(arg2, &alg);
  368. break;
  369. #ifndef OPENSSL_NO_CMS
  370. case ASN1_PKEY_CTRL_CMS_SIGN:
  371. if (arg1 == 0)
  372. return rsa_cms_sign(arg2);
  373. else if (arg1 == 1)
  374. return rsa_cms_verify(arg2);
  375. break;
  376. case ASN1_PKEY_CTRL_CMS_ENVELOPE:
  377. if (arg1 == 0)
  378. return rsa_cms_encrypt(arg2);
  379. else if (arg1 == 1)
  380. return rsa_cms_decrypt(arg2);
  381. break;
  382. case ASN1_PKEY_CTRL_CMS_RI_TYPE:
  383. *(int *)arg2 = CMS_RECIPINFO_TRANS;
  384. return 1;
  385. #endif
  386. case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
  387. *(int *)arg2 = NID_sha256;
  388. return 1;
  389. default:
  390. return -2;
  391. }
  392. if (alg)
  393. X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption), V_ASN1_NULL, 0);
  394. return 1;
  395. }
  396. /* allocate and set algorithm ID from EVP_MD, default SHA1 */
  397. static int rsa_md_to_algor(X509_ALGOR **palg, const EVP_MD *md)
  398. {
  399. if (EVP_MD_type(md) == NID_sha1)
  400. return 1;
  401. *palg = X509_ALGOR_new();
  402. if (!*palg)
  403. return 0;
  404. X509_ALGOR_set_md(*palg, md);
  405. return 1;
  406. }
  407. /* Allocate and set MGF1 algorithm ID from EVP_MD */
  408. static int rsa_md_to_mgf1(X509_ALGOR **palg, const EVP_MD *mgf1md)
  409. {
  410. X509_ALGOR *algtmp = NULL;
  411. ASN1_STRING *stmp = NULL;
  412. *palg = NULL;
  413. if (EVP_MD_type(mgf1md) == NID_sha1)
  414. return 1;
  415. /* need to embed algorithm ID inside another */
  416. if (!rsa_md_to_algor(&algtmp, mgf1md))
  417. goto err;
  418. if (!ASN1_item_pack(algtmp, ASN1_ITEM_rptr(X509_ALGOR), &stmp))
  419. goto err;
  420. *palg = X509_ALGOR_new();
  421. if (!*palg)
  422. goto err;
  423. X509_ALGOR_set0(*palg, OBJ_nid2obj(NID_mgf1), V_ASN1_SEQUENCE, stmp);
  424. stmp = NULL;
  425. err:
  426. if (stmp)
  427. ASN1_STRING_free(stmp);
  428. if (algtmp)
  429. X509_ALGOR_free(algtmp);
  430. if (*palg)
  431. return 1;
  432. return 0;
  433. }
  434. /* convert algorithm ID to EVP_MD, default SHA1 */
  435. static const EVP_MD *rsa_algor_to_md(X509_ALGOR *alg)
  436. {
  437. const EVP_MD *md;
  438. if (!alg)
  439. return EVP_sha1();
  440. md = EVP_get_digestbyobj(alg->algorithm);
  441. if (md == NULL)
  442. RSAerr(RSA_F_RSA_ALGOR_TO_MD, RSA_R_UNKNOWN_DIGEST);
  443. return md;
  444. }
  445. /* convert MGF1 algorithm ID to EVP_MD, default SHA1 */
  446. static const EVP_MD *rsa_mgf1_to_md(X509_ALGOR *alg, X509_ALGOR *maskHash)
  447. {
  448. const EVP_MD *md;
  449. if (!alg)
  450. return EVP_sha1();
  451. /* Check mask and lookup mask hash algorithm */
  452. if (OBJ_obj2nid(alg->algorithm) != NID_mgf1) {
  453. RSAerr(RSA_F_RSA_MGF1_TO_MD, RSA_R_UNSUPPORTED_MASK_ALGORITHM);
  454. return NULL;
  455. }
  456. if (!maskHash) {
  457. RSAerr(RSA_F_RSA_MGF1_TO_MD, RSA_R_UNSUPPORTED_MASK_PARAMETER);
  458. return NULL;
  459. }
  460. md = EVP_get_digestbyobj(maskHash->algorithm);
  461. if (md == NULL) {
  462. RSAerr(RSA_F_RSA_MGF1_TO_MD, RSA_R_UNKNOWN_MASK_DIGEST);
  463. return NULL;
  464. }
  465. return md;
  466. }
  467. /*
  468. * Convert EVP_PKEY_CTX is PSS mode into corresponding algorithm parameter,
  469. * suitable for setting an AlgorithmIdentifier.
  470. */
  471. static ASN1_STRING *rsa_ctx_to_pss(EVP_PKEY_CTX *pkctx)
  472. {
  473. const EVP_MD *sigmd, *mgf1md;
  474. RSA_PSS_PARAMS *pss = NULL;
  475. ASN1_STRING *os = NULL;
  476. EVP_PKEY *pk = EVP_PKEY_CTX_get0_pkey(pkctx);
  477. int saltlen, rv = 0;
  478. if (EVP_PKEY_CTX_get_signature_md(pkctx, &sigmd) <= 0)
  479. goto err;
  480. if (EVP_PKEY_CTX_get_rsa_mgf1_md(pkctx, &mgf1md) <= 0)
  481. goto err;
  482. if (!EVP_PKEY_CTX_get_rsa_pss_saltlen(pkctx, &saltlen))
  483. goto err;
  484. if (saltlen == -1)
  485. saltlen = EVP_MD_size(sigmd);
  486. else if (saltlen == -2) {
  487. saltlen = EVP_PKEY_size(pk) - EVP_MD_size(sigmd) - 2;
  488. if (((EVP_PKEY_bits(pk) - 1) & 0x7) == 0)
  489. saltlen--;
  490. }
  491. pss = RSA_PSS_PARAMS_new();
  492. if (!pss)
  493. goto err;
  494. if (saltlen != 20) {
  495. pss->saltLength = ASN1_INTEGER_new();
  496. if (!pss->saltLength)
  497. goto err;
  498. if (!ASN1_INTEGER_set(pss->saltLength, saltlen))
  499. goto err;
  500. }
  501. if (!rsa_md_to_algor(&pss->hashAlgorithm, sigmd))
  502. goto err;
  503. if (!rsa_md_to_mgf1(&pss->maskGenAlgorithm, mgf1md))
  504. goto err;
  505. /* Finally create string with pss parameter encoding. */
  506. if (!ASN1_item_pack(pss, ASN1_ITEM_rptr(RSA_PSS_PARAMS), &os))
  507. goto err;
  508. rv = 1;
  509. err:
  510. if (pss)
  511. RSA_PSS_PARAMS_free(pss);
  512. if (rv)
  513. return os;
  514. if (os)
  515. ASN1_STRING_free(os);
  516. return NULL;
  517. }
  518. /*
  519. * From PSS AlgorithmIdentifier set public key parameters. If pkey isn't NULL
  520. * then the EVP_MD_CTX is setup and initalised. If it is NULL parameters are
  521. * passed to pkctx instead.
  522. */
  523. static int rsa_pss_to_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pkctx,
  524. X509_ALGOR *sigalg, EVP_PKEY *pkey)
  525. {
  526. int rv = -1;
  527. int saltlen;
  528. const EVP_MD *mgf1md = NULL, *md = NULL;
  529. RSA_PSS_PARAMS *pss;
  530. X509_ALGOR *maskHash;
  531. /* Sanity check: make sure it is PSS */
  532. if (OBJ_obj2nid(sigalg->algorithm) != NID_rsassaPss) {
  533. RSAerr(RSA_F_RSA_PSS_TO_CTX, RSA_R_UNSUPPORTED_SIGNATURE_TYPE);
  534. return -1;
  535. }
  536. /* Decode PSS parameters */
  537. pss = rsa_pss_decode(sigalg, &maskHash);
  538. if (pss == NULL) {
  539. RSAerr(RSA_F_RSA_PSS_TO_CTX, RSA_R_INVALID_PSS_PARAMETERS);
  540. goto err;
  541. }
  542. mgf1md = rsa_mgf1_to_md(pss->maskGenAlgorithm, maskHash);
  543. if (!mgf1md)
  544. goto err;
  545. md = rsa_algor_to_md(pss->hashAlgorithm);
  546. if (!md)
  547. goto err;
  548. if (pss->saltLength) {
  549. saltlen = ASN1_INTEGER_get(pss->saltLength);
  550. /*
  551. * Could perform more salt length sanity checks but the main RSA
  552. * routines will trap other invalid values anyway.
  553. */
  554. if (saltlen < 0) {
  555. RSAerr(RSA_F_RSA_PSS_TO_CTX, RSA_R_INVALID_SALT_LENGTH);
  556. goto err;
  557. }
  558. } else
  559. saltlen = 20;
  560. /*
  561. * low-level routines support only trailer field 0xbc (value 1) and
  562. * PKCS#1 says we should reject any other value anyway.
  563. */
  564. if (pss->trailerField && ASN1_INTEGER_get(pss->trailerField) != 1) {
  565. RSAerr(RSA_F_RSA_PSS_TO_CTX, RSA_R_INVALID_TRAILER);
  566. goto err;
  567. }
  568. /* We have all parameters now set up context */
  569. if (pkey) {
  570. if (!EVP_DigestVerifyInit(ctx, &pkctx, md, NULL, pkey))
  571. goto err;
  572. } else {
  573. const EVP_MD *checkmd;
  574. if (EVP_PKEY_CTX_get_signature_md(pkctx, &checkmd) <= 0)
  575. goto err;
  576. if (EVP_MD_type(md) != EVP_MD_type(checkmd)) {
  577. RSAerr(RSA_F_RSA_PSS_TO_CTX, RSA_R_DIGEST_DOES_NOT_MATCH);
  578. goto err;
  579. }
  580. }
  581. if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_PSS_PADDING) <= 0)
  582. goto err;
  583. if (EVP_PKEY_CTX_set_rsa_pss_saltlen(pkctx, saltlen) <= 0)
  584. goto err;
  585. if (EVP_PKEY_CTX_set_rsa_mgf1_md(pkctx, mgf1md) <= 0)
  586. goto err;
  587. /* Carry on */
  588. rv = 1;
  589. err:
  590. RSA_PSS_PARAMS_free(pss);
  591. if (maskHash)
  592. X509_ALGOR_free(maskHash);
  593. return rv;
  594. }
  595. #ifndef OPENSSL_NO_CMS
  596. static int rsa_cms_verify(CMS_SignerInfo *si)
  597. {
  598. int nid, nid2;
  599. X509_ALGOR *alg;
  600. EVP_PKEY_CTX *pkctx = CMS_SignerInfo_get0_pkey_ctx(si);
  601. CMS_SignerInfo_get0_algs(si, NULL, NULL, NULL, &alg);
  602. nid = OBJ_obj2nid(alg->algorithm);
  603. if (nid == NID_rsaEncryption)
  604. return 1;
  605. if (nid == NID_rsassaPss)
  606. return rsa_pss_to_ctx(NULL, pkctx, alg, NULL);
  607. /* Workaround for some implementation that use a signature OID */
  608. if (OBJ_find_sigid_algs(nid, NULL, &nid2)) {
  609. if (nid2 == NID_rsaEncryption)
  610. return 1;
  611. }
  612. return 0;
  613. }
  614. #endif
  615. /*
  616. * Customised RSA item verification routine. This is called when a signature
  617. * is encountered requiring special handling. We currently only handle PSS.
  618. */
  619. static int rsa_item_verify(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
  620. X509_ALGOR *sigalg, ASN1_BIT_STRING *sig,
  621. EVP_PKEY *pkey)
  622. {
  623. /* Sanity check: make sure it is PSS */
  624. if (OBJ_obj2nid(sigalg->algorithm) != NID_rsassaPss) {
  625. RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_UNSUPPORTED_SIGNATURE_TYPE);
  626. return -1;
  627. }
  628. if (rsa_pss_to_ctx(ctx, NULL, sigalg, pkey) > 0) {
  629. /* Carry on */
  630. return 2;
  631. }
  632. return -1;
  633. }
  634. #ifndef OPENSSL_NO_CMS
  635. static int rsa_cms_sign(CMS_SignerInfo *si)
  636. {
  637. int pad_mode = RSA_PKCS1_PADDING;
  638. X509_ALGOR *alg;
  639. EVP_PKEY_CTX *pkctx = CMS_SignerInfo_get0_pkey_ctx(si);
  640. ASN1_STRING *os = NULL;
  641. CMS_SignerInfo_get0_algs(si, NULL, NULL, NULL, &alg);
  642. if (pkctx) {
  643. if (EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode) <= 0)
  644. return 0;
  645. }
  646. if (pad_mode == RSA_PKCS1_PADDING) {
  647. X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption), V_ASN1_NULL, 0);
  648. return 1;
  649. }
  650. /* We don't support it */
  651. if (pad_mode != RSA_PKCS1_PSS_PADDING)
  652. return 0;
  653. os = rsa_ctx_to_pss(pkctx);
  654. if (!os)
  655. return 0;
  656. X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsassaPss), V_ASN1_SEQUENCE, os);
  657. return 1;
  658. }
  659. #endif
  660. static int rsa_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
  661. X509_ALGOR *alg1, X509_ALGOR *alg2,
  662. ASN1_BIT_STRING *sig)
  663. {
  664. int pad_mode;
  665. EVP_PKEY_CTX *pkctx = ctx->pctx;
  666. if (EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode) <= 0)
  667. return 0;
  668. if (pad_mode == RSA_PKCS1_PADDING)
  669. return 2;
  670. if (pad_mode == RSA_PKCS1_PSS_PADDING) {
  671. ASN1_STRING *os1 = NULL;
  672. os1 = rsa_ctx_to_pss(pkctx);
  673. if (!os1)
  674. return 0;
  675. /* Duplicate parameters if we have to */
  676. if (alg2) {
  677. ASN1_STRING *os2 = ASN1_STRING_dup(os1);
  678. if (!os2) {
  679. ASN1_STRING_free(os1);
  680. return 0;
  681. }
  682. X509_ALGOR_set0(alg2, OBJ_nid2obj(NID_rsassaPss),
  683. V_ASN1_SEQUENCE, os2);
  684. }
  685. X509_ALGOR_set0(alg1, OBJ_nid2obj(NID_rsassaPss),
  686. V_ASN1_SEQUENCE, os1);
  687. return 3;
  688. }
  689. return 2;
  690. }
  691. static RSA_OAEP_PARAMS *rsa_oaep_decode(const X509_ALGOR *alg,
  692. X509_ALGOR **pmaskHash)
  693. {
  694. const unsigned char *p;
  695. int plen;
  696. RSA_OAEP_PARAMS *pss;
  697. *pmaskHash = NULL;
  698. if (!alg->parameter || alg->parameter->type != V_ASN1_SEQUENCE)
  699. return NULL;
  700. p = alg->parameter->value.sequence->data;
  701. plen = alg->parameter->value.sequence->length;
  702. pss = d2i_RSA_OAEP_PARAMS(NULL, &p, plen);
  703. if (!pss)
  704. return NULL;
  705. *pmaskHash = rsa_mgf1_decode(pss->maskGenFunc);
  706. return pss;
  707. }
  708. #ifndef OPENSSL_NO_CMS
  709. static int rsa_cms_decrypt(CMS_RecipientInfo *ri)
  710. {
  711. EVP_PKEY_CTX *pkctx;
  712. X509_ALGOR *cmsalg;
  713. int nid;
  714. int rv = -1;
  715. unsigned char *label = NULL;
  716. int labellen = 0;
  717. const EVP_MD *mgf1md = NULL, *md = NULL;
  718. RSA_OAEP_PARAMS *oaep;
  719. X509_ALGOR *maskHash;
  720. pkctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
  721. if (!pkctx)
  722. return 0;
  723. if (!CMS_RecipientInfo_ktri_get0_algs(ri, NULL, NULL, &cmsalg))
  724. return -1;
  725. nid = OBJ_obj2nid(cmsalg->algorithm);
  726. if (nid == NID_rsaEncryption)
  727. return 1;
  728. if (nid != NID_rsaesOaep) {
  729. RSAerr(RSA_F_RSA_CMS_DECRYPT, RSA_R_UNSUPPORTED_ENCRYPTION_TYPE);
  730. return -1;
  731. }
  732. /* Decode OAEP parameters */
  733. oaep = rsa_oaep_decode(cmsalg, &maskHash);
  734. if (oaep == NULL) {
  735. RSAerr(RSA_F_RSA_CMS_DECRYPT, RSA_R_INVALID_OAEP_PARAMETERS);
  736. goto err;
  737. }
  738. mgf1md = rsa_mgf1_to_md(oaep->maskGenFunc, maskHash);
  739. if (!mgf1md)
  740. goto err;
  741. md = rsa_algor_to_md(oaep->hashFunc);
  742. if (!md)
  743. goto err;
  744. if (oaep->pSourceFunc) {
  745. X509_ALGOR *plab = oaep->pSourceFunc;
  746. if (OBJ_obj2nid(plab->algorithm) != NID_pSpecified) {
  747. RSAerr(RSA_F_RSA_CMS_DECRYPT, RSA_R_UNSUPPORTED_LABEL_SOURCE);
  748. goto err;
  749. }
  750. if (plab->parameter->type != V_ASN1_OCTET_STRING) {
  751. RSAerr(RSA_F_RSA_CMS_DECRYPT, RSA_R_INVALID_LABEL);
  752. goto err;
  753. }
  754. label = plab->parameter->value.octet_string->data;
  755. /* Stop label being freed when OAEP parameters are freed */
  756. plab->parameter->value.octet_string->data = NULL;
  757. labellen = plab->parameter->value.octet_string->length;
  758. }
  759. if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_OAEP_PADDING) <= 0)
  760. goto err;
  761. if (EVP_PKEY_CTX_set_rsa_oaep_md(pkctx, md) <= 0)
  762. goto err;
  763. if (EVP_PKEY_CTX_set_rsa_mgf1_md(pkctx, mgf1md) <= 0)
  764. goto err;
  765. if (EVP_PKEY_CTX_set0_rsa_oaep_label(pkctx, label, labellen) <= 0)
  766. goto err;
  767. /* Carry on */
  768. rv = 1;
  769. err:
  770. RSA_OAEP_PARAMS_free(oaep);
  771. if (maskHash)
  772. X509_ALGOR_free(maskHash);
  773. return rv;
  774. }
  775. static int rsa_cms_encrypt(CMS_RecipientInfo *ri)
  776. {
  777. const EVP_MD *md, *mgf1md;
  778. RSA_OAEP_PARAMS *oaep = NULL;
  779. ASN1_STRING *os = NULL;
  780. X509_ALGOR *alg;
  781. EVP_PKEY_CTX *pkctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
  782. int pad_mode = RSA_PKCS1_PADDING, rv = 0, labellen;
  783. unsigned char *label;
  784. CMS_RecipientInfo_ktri_get0_algs(ri, NULL, NULL, &alg);
  785. if (pkctx) {
  786. if (EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode) <= 0)
  787. return 0;
  788. }
  789. if (pad_mode == RSA_PKCS1_PADDING) {
  790. X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption), V_ASN1_NULL, 0);
  791. return 1;
  792. }
  793. /* Not supported */
  794. if (pad_mode != RSA_PKCS1_OAEP_PADDING)
  795. return 0;
  796. if (EVP_PKEY_CTX_get_rsa_oaep_md(pkctx, &md) <= 0)
  797. goto err;
  798. if (EVP_PKEY_CTX_get_rsa_mgf1_md(pkctx, &mgf1md) <= 0)
  799. goto err;
  800. labellen = EVP_PKEY_CTX_get0_rsa_oaep_label(pkctx, &label);
  801. if (labellen < 0)
  802. goto err;
  803. oaep = RSA_OAEP_PARAMS_new();
  804. if (!oaep)
  805. goto err;
  806. if (!rsa_md_to_algor(&oaep->hashFunc, md))
  807. goto err;
  808. if (!rsa_md_to_mgf1(&oaep->maskGenFunc, mgf1md))
  809. goto err;
  810. if (labellen > 0) {
  811. ASN1_OCTET_STRING *los = ASN1_OCTET_STRING_new();
  812. oaep->pSourceFunc = X509_ALGOR_new();
  813. if (!oaep->pSourceFunc)
  814. goto err;
  815. if (!los)
  816. goto err;
  817. if (!ASN1_OCTET_STRING_set(los, label, labellen)) {
  818. ASN1_OCTET_STRING_free(los);
  819. goto err;
  820. }
  821. X509_ALGOR_set0(oaep->pSourceFunc, OBJ_nid2obj(NID_pSpecified),
  822. V_ASN1_OCTET_STRING, los);
  823. }
  824. /* create string with pss parameter encoding. */
  825. if (!ASN1_item_pack(oaep, ASN1_ITEM_rptr(RSA_OAEP_PARAMS), &os))
  826. goto err;
  827. X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaesOaep), V_ASN1_SEQUENCE, os);
  828. os = NULL;
  829. rv = 1;
  830. err:
  831. if (oaep)
  832. RSA_OAEP_PARAMS_free(oaep);
  833. if (os)
  834. ASN1_STRING_free(os);
  835. return rv;
  836. }
  837. #endif
  838. const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[] = {
  839. {
  840. EVP_PKEY_RSA,
  841. EVP_PKEY_RSA,
  842. ASN1_PKEY_SIGPARAM_NULL,
  843. "RSA",
  844. "OpenSSL RSA method",
  845. rsa_pub_decode,
  846. rsa_pub_encode,
  847. rsa_pub_cmp,
  848. rsa_pub_print,
  849. rsa_priv_decode,
  850. rsa_priv_encode,
  851. rsa_priv_print,
  852. int_rsa_size,
  853. rsa_bits,
  854. 0, 0, 0, 0, 0, 0,
  855. rsa_sig_print,
  856. int_rsa_free,
  857. rsa_pkey_ctrl,
  858. old_rsa_priv_decode,
  859. old_rsa_priv_encode,
  860. rsa_item_verify,
  861. rsa_item_sign},
  862. {
  863. EVP_PKEY_RSA2,
  864. EVP_PKEY_RSA,
  865. ASN1_PKEY_ALIAS}
  866. };