1 /* $OpenBSD: rsa_ameth.c,v 1.26 2022/06/27 12:36:06 tb Exp $ */
2 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2006.
4 */
5 /* ====================================================================
6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59 #include <stdio.h>
60
61 #include <openssl/opensslconf.h>
62
63 #include <openssl/asn1t.h>
64 #include <openssl/bn.h>
65 #include <openssl/cms.h>
66 #include <openssl/err.h>
67 #include <openssl/x509.h>
68
69 #include "asn1_locl.h"
70 #include "cryptlib.h"
71 #include "evp_locl.h"
72 #include "rsa_locl.h"
73
74 #ifndef OPENSSL_NO_CMS
75 static int rsa_cms_sign(CMS_SignerInfo *si);
76 static int rsa_cms_verify(CMS_SignerInfo *si);
77 static int rsa_cms_decrypt(CMS_RecipientInfo *ri);
78 static int rsa_cms_encrypt(CMS_RecipientInfo *ri);
79 #endif
80
81 static RSA_PSS_PARAMS *rsa_pss_decode(const X509_ALGOR *alg);
82
83 /* Set any parameters associated with pkey */
84 static int
rsa_param_encode(const EVP_PKEY * pkey,ASN1_STRING ** pstr,int * pstrtype)85 rsa_param_encode(const EVP_PKEY *pkey, ASN1_STRING **pstr, int *pstrtype)
86 {
87 const RSA *rsa = pkey->pkey.rsa;
88
89 *pstr = NULL;
90
91 /* If RSA it's just NULL type */
92 if (pkey->ameth->pkey_id != EVP_PKEY_RSA_PSS) {
93 *pstrtype = V_ASN1_NULL;
94 return 1;
95 }
96
97 /* If no PSS parameters we omit parameters entirely */
98 if (rsa->pss == NULL) {
99 *pstrtype = V_ASN1_UNDEF;
100 return 1;
101 }
102
103 /* Encode PSS parameters */
104 if (ASN1_item_pack(rsa->pss, &RSA_PSS_PARAMS_it, pstr) == NULL)
105 return 0;
106
107 *pstrtype = V_ASN1_SEQUENCE;
108 return 1;
109 }
110
111 /* Decode any parameters and set them in RSA structure */
112 static int
rsa_param_decode(RSA * rsa,const X509_ALGOR * alg)113 rsa_param_decode(RSA *rsa, const X509_ALGOR *alg)
114 {
115 const ASN1_OBJECT *algoid;
116 const void *algp;
117 int algptype;
118
119 X509_ALGOR_get0(&algoid, &algptype, &algp, alg);
120 if (OBJ_obj2nid(algoid) != EVP_PKEY_RSA_PSS)
121 return 1;
122 if (algptype == V_ASN1_UNDEF)
123 return 1;
124 if (algptype != V_ASN1_SEQUENCE) {
125 RSAerror(RSA_R_INVALID_PSS_PARAMETERS);
126 return 0;
127 }
128 rsa->pss = rsa_pss_decode(alg);
129 if (rsa->pss == NULL)
130 return 0;
131 return 1;
132 }
133
134 static int
rsa_pub_encode(X509_PUBKEY * pk,const EVP_PKEY * pkey)135 rsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
136 {
137 unsigned char *penc = NULL;
138 int penclen;
139 ASN1_STRING *str;
140 int strtype;
141
142 if (!rsa_param_encode(pkey, &str, &strtype))
143 return 0;
144 penclen = i2d_RSAPublicKey(pkey->pkey.rsa, &penc);
145 if (penclen <= 0)
146 return 0;
147 if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(pkey->ameth->pkey_id),
148 strtype, str, penc, penclen))
149 return 1;
150
151 free(penc);
152
153 return 0;
154 }
155
156 static int
rsa_pub_decode(EVP_PKEY * pkey,X509_PUBKEY * pubkey)157 rsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey)
158 {
159 const unsigned char *p;
160 int pklen;
161 X509_ALGOR *alg;
162 RSA *rsa = NULL;
163
164 if (!X509_PUBKEY_get0_param(NULL, &p, &pklen, &alg, pubkey))
165 return 0;
166 if ((rsa = d2i_RSAPublicKey(NULL, &p, pklen)) == NULL) {
167 RSAerror(ERR_R_RSA_LIB);
168 return 0;
169 }
170 if (!rsa_param_decode(rsa, alg)) {
171 RSA_free(rsa);
172 return 0;
173 }
174 if (!EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa)) {
175 RSA_free(rsa);
176 return 0;
177 }
178 return 1;
179 }
180
181 static int
rsa_pub_cmp(const EVP_PKEY * a,const EVP_PKEY * b)182 rsa_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b)
183 {
184 if (BN_cmp(b->pkey.rsa->n, a->pkey.rsa->n) != 0 ||
185 BN_cmp(b->pkey.rsa->e, a->pkey.rsa->e) != 0)
186 return 0;
187
188 return 1;
189 }
190
191 static int
old_rsa_priv_decode(EVP_PKEY * pkey,const unsigned char ** pder,int derlen)192 old_rsa_priv_decode(EVP_PKEY *pkey, const unsigned char **pder, int derlen)
193 {
194 RSA *rsa;
195
196 if ((rsa = d2i_RSAPrivateKey(NULL, pder, derlen)) == NULL) {
197 RSAerror(ERR_R_RSA_LIB);
198 return 0;
199 }
200 EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa);
201 return 1;
202 }
203
204 static int
old_rsa_priv_encode(const EVP_PKEY * pkey,unsigned char ** pder)205 old_rsa_priv_encode(const EVP_PKEY *pkey, unsigned char **pder)
206 {
207 return i2d_RSAPrivateKey(pkey->pkey.rsa, pder);
208 }
209
210 static int
rsa_priv_encode(PKCS8_PRIV_KEY_INFO * p8,const EVP_PKEY * pkey)211 rsa_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
212 {
213 unsigned char *rk = NULL;
214 int rklen;
215 ASN1_STRING *str;
216 int strtype;
217
218 if (!rsa_param_encode(pkey, &str, &strtype))
219 return 0;
220
221 rklen = i2d_RSAPrivateKey(pkey->pkey.rsa, &rk);
222 if (rklen <= 0) {
223 RSAerror(ERR_R_MALLOC_FAILURE);
224 ASN1_STRING_free(str);
225 return 0;
226 }
227
228 if (!PKCS8_pkey_set0(p8, OBJ_nid2obj(pkey->ameth->pkey_id), 0,
229 strtype, str, rk, rklen)) {
230 RSAerror(ERR_R_MALLOC_FAILURE);
231 ASN1_STRING_free(str);
232 return 0;
233 }
234
235 return 1;
236 }
237
238 static int
rsa_priv_decode(EVP_PKEY * pkey,const PKCS8_PRIV_KEY_INFO * p8)239 rsa_priv_decode(EVP_PKEY *pkey, const PKCS8_PRIV_KEY_INFO *p8)
240 {
241 const unsigned char *p;
242 RSA *rsa;
243 int pklen;
244 const X509_ALGOR *alg;
245
246 if (!PKCS8_pkey_get0(NULL, &p, &pklen, &alg, p8))
247 return 0;
248 rsa = d2i_RSAPrivateKey(NULL, &p, pklen);
249 if (rsa == NULL) {
250 RSAerror(ERR_R_RSA_LIB);
251 return 0;
252 }
253 if (!rsa_param_decode(rsa, alg)) {
254 RSA_free(rsa);
255 return 0;
256 }
257 EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa);
258
259 return 1;
260 }
261
262 static int
int_rsa_size(const EVP_PKEY * pkey)263 int_rsa_size(const EVP_PKEY *pkey)
264 {
265 return RSA_size(pkey->pkey.rsa);
266 }
267
268 static int
rsa_bits(const EVP_PKEY * pkey)269 rsa_bits(const EVP_PKEY *pkey)
270 {
271 return BN_num_bits(pkey->pkey.rsa->n);
272 }
273
274 static int
rsa_security_bits(const EVP_PKEY * pkey)275 rsa_security_bits(const EVP_PKEY *pkey)
276 {
277 return RSA_security_bits(pkey->pkey.rsa);
278 }
279
280 static void
int_rsa_free(EVP_PKEY * pkey)281 int_rsa_free(EVP_PKEY *pkey)
282 {
283 RSA_free(pkey->pkey.rsa);
284 }
285
286 static X509_ALGOR *
rsa_mgf1_decode(X509_ALGOR * alg)287 rsa_mgf1_decode(X509_ALGOR *alg)
288 {
289 if (OBJ_obj2nid(alg->algorithm) != NID_mgf1)
290 return NULL;
291
292 return ASN1_TYPE_unpack_sequence(&X509_ALGOR_it, alg->parameter);
293 }
294
295 static RSA_PSS_PARAMS *
rsa_pss_decode(const X509_ALGOR * alg)296 rsa_pss_decode(const X509_ALGOR *alg)
297 {
298 RSA_PSS_PARAMS *pss;
299
300 pss = ASN1_TYPE_unpack_sequence(&RSA_PSS_PARAMS_it, alg->parameter);
301 if (pss == NULL)
302 return NULL;
303
304 if (pss->maskGenAlgorithm != NULL) {
305 pss->maskHash = rsa_mgf1_decode(pss->maskGenAlgorithm);
306 if (pss->maskHash == NULL) {
307 RSA_PSS_PARAMS_free(pss);
308 return NULL;
309 }
310 }
311
312 return pss;
313 }
314
315 static int
rsa_pss_param_print(BIO * bp,int pss_key,RSA_PSS_PARAMS * pss,int indent)316 rsa_pss_param_print(BIO *bp, int pss_key, RSA_PSS_PARAMS *pss, int indent)
317 {
318 int rv = 0;
319 X509_ALGOR *maskHash = NULL;
320
321 if (!BIO_indent(bp, indent, 128))
322 goto err;
323 if (pss_key) {
324 if (pss == NULL) {
325 if (BIO_puts(bp, "No PSS parameter restrictions\n") <= 0)
326 return 0;
327 return 1;
328 } else {
329 if (BIO_puts(bp, "PSS parameter restrictions:") <= 0)
330 return 0;
331 }
332 } else if (pss == NULL) {
333 if (BIO_puts(bp,"(INVALID PSS PARAMETERS)\n") <= 0)
334 return 0;
335 return 1;
336 }
337 if (BIO_puts(bp, "\n") <= 0)
338 goto err;
339 if (pss_key)
340 indent += 2;
341 if (!BIO_indent(bp, indent, 128))
342 goto err;
343 if (BIO_puts(bp, "Hash Algorithm: ") <= 0)
344 goto err;
345
346 if (pss->hashAlgorithm) {
347 if (i2a_ASN1_OBJECT(bp, pss->hashAlgorithm->algorithm) <= 0)
348 goto err;
349 } else if (BIO_puts(bp, "sha1 (default)") <= 0) {
350 goto err;
351 }
352
353 if (BIO_puts(bp, "\n") <= 0)
354 goto err;
355
356 if (!BIO_indent(bp, indent, 128))
357 goto err;
358
359 if (BIO_puts(bp, "Mask Algorithm: ") <= 0)
360 goto err;
361 if (pss->maskGenAlgorithm) {
362 if (i2a_ASN1_OBJECT(bp, pss->maskGenAlgorithm->algorithm) <= 0)
363 goto err;
364 if (BIO_puts(bp, " with ") <= 0)
365 goto err;
366 maskHash = rsa_mgf1_decode(pss->maskGenAlgorithm);
367 if (maskHash != NULL) {
368 if (i2a_ASN1_OBJECT(bp, maskHash->algorithm) <= 0)
369 goto err;
370 } else if (BIO_puts(bp, "INVALID") <= 0) {
371 goto err;
372 }
373 } else if (BIO_puts(bp, "mgf1 with sha1 (default)") <= 0) {
374 goto err;
375 }
376 BIO_puts(bp, "\n");
377
378 if (!BIO_indent(bp, indent, 128))
379 goto err;
380 if (BIO_printf(bp, "%s Salt Length: 0x", pss_key ? "Minimum" : "") <= 0)
381 goto err;
382 if (pss->saltLength) {
383 if (i2a_ASN1_INTEGER(bp, pss->saltLength) <= 0)
384 goto err;
385 } else if (BIO_puts(bp, "14 (default)") <= 0) {
386 goto err;
387 }
388 BIO_puts(bp, "\n");
389
390 if (!BIO_indent(bp, indent, 128))
391 goto err;
392 if (BIO_puts(bp, "Trailer Field: 0x") <= 0)
393 goto err;
394 if (pss->trailerField) {
395 if (i2a_ASN1_INTEGER(bp, pss->trailerField) <= 0)
396 goto err;
397 } else if (BIO_puts(bp, "BC (default)") <= 0) {
398 goto err;
399 }
400 BIO_puts(bp, "\n");
401
402 rv = 1;
403
404 err:
405 X509_ALGOR_free(maskHash);
406 return rv;
407
408 }
409
410 static void
update_buflen(const BIGNUM * b,size_t * pbuflen)411 update_buflen(const BIGNUM *b, size_t *pbuflen)
412 {
413 size_t i;
414
415 if (!b)
416 return;
417 if (*pbuflen < (i = (size_t)BN_num_bytes(b)))
418 *pbuflen = i;
419 }
420
421 static int
pkey_rsa_print(BIO * bp,const EVP_PKEY * pkey,int off,int priv)422 pkey_rsa_print(BIO *bp, const EVP_PKEY *pkey, int off, int priv)
423 {
424 const RSA *x = pkey->pkey.rsa;
425 unsigned char *m = NULL;
426 char *str;
427 const char *s;
428 int ret = 0, mod_len = 0;
429 size_t buf_len = 0;
430
431 update_buflen(x->n, &buf_len);
432 update_buflen(x->e, &buf_len);
433
434 if (priv) {
435 update_buflen(x->d, &buf_len);
436 update_buflen(x->p, &buf_len);
437 update_buflen(x->q, &buf_len);
438 update_buflen(x->dmp1, &buf_len);
439 update_buflen(x->dmq1, &buf_len);
440 update_buflen(x->iqmp, &buf_len);
441 }
442
443 m = malloc(buf_len + 10);
444 if (m == NULL) {
445 RSAerror(ERR_R_MALLOC_FAILURE);
446 goto err;
447 }
448
449 if (x->n != NULL)
450 mod_len = BN_num_bits(x->n);
451
452 if (!BIO_indent(bp, off, 128))
453 goto err;
454
455 if (BIO_printf(bp, "%s ", pkey_is_pss(pkey) ? "RSA-PSS" : "RSA") <= 0)
456 goto err;
457
458 if (priv && x->d != NULL) {
459 if (BIO_printf(bp, "Private-Key: (%d bit)\n", mod_len) <= 0)
460 goto err;
461 str = "modulus:";
462 s = "publicExponent:";
463 } else {
464 if (BIO_printf(bp, "Public-Key: (%d bit)\n", mod_len) <= 0)
465 goto err;
466 str = "Modulus:";
467 s = "Exponent:";
468 }
469 if (!ASN1_bn_print(bp, str, x->n, m, off))
470 goto err;
471 if (!ASN1_bn_print(bp, s, x->e, m, off))
472 goto err;
473 if (priv) {
474 if (!ASN1_bn_print(bp, "privateExponent:", x->d, m, off))
475 goto err;
476 if (!ASN1_bn_print(bp, "prime1:", x->p, m, off))
477 goto err;
478 if (!ASN1_bn_print(bp, "prime2:", x->q, m, off))
479 goto err;
480 if (!ASN1_bn_print(bp, "exponent1:", x->dmp1, m, off))
481 goto err;
482 if (!ASN1_bn_print(bp, "exponent2:", x->dmq1, m, off))
483 goto err;
484 if (!ASN1_bn_print(bp, "coefficient:", x->iqmp, m, off))
485 goto err;
486 }
487 if (pkey_is_pss(pkey) && !rsa_pss_param_print(bp, 1, x->pss, off))
488 goto err;
489 ret = 1;
490 err:
491 free(m);
492 return ret;
493 }
494
495 static int
rsa_pub_print(BIO * bp,const EVP_PKEY * pkey,int indent,ASN1_PCTX * ctx)496 rsa_pub_print(BIO *bp, const EVP_PKEY *pkey, int indent, ASN1_PCTX *ctx)
497 {
498 return pkey_rsa_print(bp, pkey, indent, 0);
499 }
500
501 static int
rsa_priv_print(BIO * bp,const EVP_PKEY * pkey,int indent,ASN1_PCTX * ctx)502 rsa_priv_print(BIO *bp, const EVP_PKEY *pkey, int indent, ASN1_PCTX *ctx)
503 {
504 return pkey_rsa_print(bp, pkey, indent, 1);
505 }
506
507 static int
rsa_sig_print(BIO * bp,const X509_ALGOR * sigalg,const ASN1_STRING * sig,int indent,ASN1_PCTX * pctx)508 rsa_sig_print(BIO *bp, const X509_ALGOR *sigalg, const ASN1_STRING *sig,
509 int indent, ASN1_PCTX *pctx)
510 {
511 if (OBJ_obj2nid(sigalg->algorithm) == EVP_PKEY_RSA_PSS) {
512 int rv;
513 RSA_PSS_PARAMS *pss = rsa_pss_decode(sigalg);
514
515 rv = rsa_pss_param_print(bp, 0, pss, indent);
516 RSA_PSS_PARAMS_free(pss);
517 if (!rv)
518 return 0;
519 } else if (!sig && BIO_puts(bp, "\n") <= 0) {
520 return 0;
521 }
522 if (sig)
523 return X509_signature_dump(bp, sig, indent);
524 return 1;
525 }
526
527 static int
rsa_pkey_ctrl(EVP_PKEY * pkey,int op,long arg1,void * arg2)528 rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
529 {
530 X509_ALGOR *alg = NULL;
531 const EVP_MD *md;
532 const EVP_MD *mgf1md;
533 int min_saltlen;
534
535 switch (op) {
536 case ASN1_PKEY_CTRL_PKCS7_SIGN:
537 if (arg1 == 0)
538 PKCS7_SIGNER_INFO_get0_algs(arg2, NULL, NULL, &alg);
539 break;
540
541 case ASN1_PKEY_CTRL_PKCS7_ENCRYPT:
542 if (pkey_is_pss(pkey))
543 return -2;
544 if (arg1 == 0)
545 PKCS7_RECIP_INFO_get0_alg(arg2, &alg);
546 break;
547 #ifndef OPENSSL_NO_CMS
548 case ASN1_PKEY_CTRL_CMS_SIGN:
549 if (arg1 == 0)
550 return rsa_cms_sign(arg2);
551 else if (arg1 == 1)
552 return rsa_cms_verify(arg2);
553 break;
554
555 case ASN1_PKEY_CTRL_CMS_ENVELOPE:
556 if (pkey_is_pss(pkey))
557 return -2;
558 if (arg1 == 0)
559 return rsa_cms_encrypt(arg2);
560 else if (arg1 == 1)
561 return rsa_cms_decrypt(arg2);
562 break;
563
564 case ASN1_PKEY_CTRL_CMS_RI_TYPE:
565 if (pkey_is_pss(pkey))
566 return -2;
567 *(int *)arg2 = CMS_RECIPINFO_TRANS;
568 return 1;
569 #endif
570
571 case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
572 if (pkey->pkey.rsa->pss != NULL) {
573 if (!rsa_pss_get_param(pkey->pkey.rsa->pss, &md, &mgf1md,
574 &min_saltlen)) {
575 RSAerror(ERR_R_INTERNAL_ERROR);
576 return 0;
577 }
578 *(int *)arg2 = EVP_MD_type(md);
579 /* Return of 2 indicates this MD is mandatory */
580 return 2;
581 }
582 *(int *)arg2 = NID_sha256;
583 return 1;
584
585 default:
586 return -2;
587 }
588
589 if (alg)
590 X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption),
591 V_ASN1_NULL, 0);
592
593 return 1;
594 }
595
596 /* Allocate and set algorithm ID from EVP_MD, defaults to SHA1. */
597 static int
rsa_md_to_algor(X509_ALGOR ** palg,const EVP_MD * md)598 rsa_md_to_algor(X509_ALGOR **palg, const EVP_MD *md)
599 {
600 if (md == NULL || EVP_MD_type(md) == NID_sha1)
601 return 1;
602 *palg = X509_ALGOR_new();
603 if (*palg == NULL)
604 return 0;
605 X509_ALGOR_set_md(*palg, md);
606 return 1;
607 }
608
609 /* Allocate and set MGF1 algorithm ID from EVP_MD. */
610 static int
rsa_md_to_mgf1(X509_ALGOR ** palg,const EVP_MD * mgf1md)611 rsa_md_to_mgf1(X509_ALGOR **palg, const EVP_MD *mgf1md)
612 {
613 X509_ALGOR *algtmp = NULL;
614 ASN1_STRING *stmp = NULL;
615
616 *palg = NULL;
617 if (mgf1md == NULL || EVP_MD_type(mgf1md) == NID_sha1)
618 return 1;
619 /* need to embed algorithm ID inside another */
620 if (!rsa_md_to_algor(&algtmp, mgf1md))
621 goto err;
622 if (ASN1_item_pack(algtmp, &X509_ALGOR_it, &stmp) == NULL)
623 goto err;
624 *palg = X509_ALGOR_new();
625 if (*palg == NULL)
626 goto err;
627 X509_ALGOR_set0(*palg, OBJ_nid2obj(NID_mgf1), V_ASN1_SEQUENCE, stmp);
628 stmp = NULL;
629 err:
630 ASN1_STRING_free(stmp);
631 X509_ALGOR_free(algtmp);
632 if (*palg)
633 return 1;
634 return 0;
635 }
636
637 /* Convert algorithm ID to EVP_MD, defaults to SHA1. */
638 static const EVP_MD *
rsa_algor_to_md(X509_ALGOR * alg)639 rsa_algor_to_md(X509_ALGOR *alg)
640 {
641 const EVP_MD *md;
642
643 if (!alg)
644 return EVP_sha1();
645 md = EVP_get_digestbyobj(alg->algorithm);
646 if (md == NULL)
647 RSAerror(RSA_R_UNKNOWN_DIGEST);
648 return md;
649 }
650
651 /*
652 * Convert EVP_PKEY_CTX in PSS mode into corresponding algorithm parameter,
653 * suitable for setting an AlgorithmIdentifier.
654 */
655 static RSA_PSS_PARAMS *
rsa_ctx_to_pss(EVP_PKEY_CTX * pkctx)656 rsa_ctx_to_pss(EVP_PKEY_CTX *pkctx)
657 {
658 const EVP_MD *sigmd, *mgf1md;
659 EVP_PKEY *pk = EVP_PKEY_CTX_get0_pkey(pkctx);
660 int saltlen;
661
662 if (EVP_PKEY_CTX_get_signature_md(pkctx, &sigmd) <= 0)
663 return NULL;
664 if (EVP_PKEY_CTX_get_rsa_mgf1_md(pkctx, &mgf1md) <= 0)
665 return NULL;
666 if (!EVP_PKEY_CTX_get_rsa_pss_saltlen(pkctx, &saltlen))
667 return NULL;
668 if (saltlen == -1) {
669 saltlen = EVP_MD_size(sigmd);
670 } else if (saltlen == -2 || saltlen == -3) {
671 saltlen = EVP_PKEY_size(pk) - EVP_MD_size(sigmd) - 2;
672 if ((EVP_PKEY_bits(pk) & 0x7) == 1)
673 saltlen--;
674 if (saltlen < 0)
675 return NULL;
676 }
677
678 return rsa_pss_params_create(sigmd, mgf1md, saltlen);
679 }
680
681 RSA_PSS_PARAMS *
rsa_pss_params_create(const EVP_MD * sigmd,const EVP_MD * mgf1md,int saltlen)682 rsa_pss_params_create(const EVP_MD *sigmd, const EVP_MD *mgf1md, int saltlen)
683 {
684 RSA_PSS_PARAMS *pss = RSA_PSS_PARAMS_new();
685
686 if (pss == NULL)
687 goto err;
688 if (saltlen != 20) {
689 pss->saltLength = ASN1_INTEGER_new();
690 if (pss->saltLength == NULL)
691 goto err;
692 if (!ASN1_INTEGER_set(pss->saltLength, saltlen))
693 goto err;
694 }
695 if (!rsa_md_to_algor(&pss->hashAlgorithm, sigmd))
696 goto err;
697 if (mgf1md == NULL)
698 mgf1md = sigmd;
699 if (!rsa_md_to_mgf1(&pss->maskGenAlgorithm, mgf1md))
700 goto err;
701 if (!rsa_md_to_algor(&pss->maskHash, mgf1md))
702 goto err;
703 return pss;
704 err:
705 RSA_PSS_PARAMS_free(pss);
706 return NULL;
707 }
708
709 static ASN1_STRING *
rsa_ctx_to_pss_string(EVP_PKEY_CTX * pkctx)710 rsa_ctx_to_pss_string(EVP_PKEY_CTX *pkctx)
711 {
712 RSA_PSS_PARAMS *pss = rsa_ctx_to_pss(pkctx);
713 ASN1_STRING *os;
714
715 if (pss == NULL)
716 return NULL;
717
718 os = ASN1_item_pack(pss, &RSA_PSS_PARAMS_it, NULL);
719 RSA_PSS_PARAMS_free(pss);
720 return os;
721 }
722
723 /*
724 * From PSS AlgorithmIdentifier set public key parameters. If pkey isn't NULL
725 * then the EVP_MD_CTX is setup and initialised. If it is NULL parameters are
726 * passed to pkctx instead.
727 */
728
729 static int
rsa_pss_to_ctx(EVP_MD_CTX * ctx,EVP_PKEY_CTX * pkctx,X509_ALGOR * sigalg,EVP_PKEY * pkey)730 rsa_pss_to_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pkctx,
731 X509_ALGOR *sigalg, EVP_PKEY *pkey)
732 {
733 int rv = -1;
734 int saltlen;
735 const EVP_MD *mgf1md = NULL, *md = NULL;
736 RSA_PSS_PARAMS *pss;
737
738 /* Sanity check: make sure it is PSS */
739 if (OBJ_obj2nid(sigalg->algorithm) != EVP_PKEY_RSA_PSS) {
740 RSAerror(RSA_R_UNSUPPORTED_SIGNATURE_TYPE);
741 return -1;
742 }
743 /* Decode PSS parameters */
744 pss = rsa_pss_decode(sigalg);
745
746 if (!rsa_pss_get_param(pss, &md, &mgf1md, &saltlen)) {
747 RSAerror(RSA_R_INVALID_PSS_PARAMETERS);
748 goto err;
749 }
750
751 /* We have all parameters now set up context */
752 if (pkey) {
753 if (!EVP_DigestVerifyInit(ctx, &pkctx, md, NULL, pkey))
754 goto err;
755 } else {
756 const EVP_MD *checkmd;
757 if (EVP_PKEY_CTX_get_signature_md(pkctx, &checkmd) <= 0)
758 goto err;
759 if (EVP_MD_type(md) != EVP_MD_type(checkmd)) {
760 RSAerror(RSA_R_DIGEST_DOES_NOT_MATCH);
761 goto err;
762 }
763 }
764
765 if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_PSS_PADDING) <= 0)
766 goto err;
767
768 if (EVP_PKEY_CTX_set_rsa_pss_saltlen(pkctx, saltlen) <= 0)
769 goto err;
770
771 if (EVP_PKEY_CTX_set_rsa_mgf1_md(pkctx, mgf1md) <= 0)
772 goto err;
773 /* Carry on */
774 rv = 1;
775
776 err:
777 RSA_PSS_PARAMS_free(pss);
778 return rv;
779 }
780
781 int
rsa_pss_get_param(const RSA_PSS_PARAMS * pss,const EVP_MD ** pmd,const EVP_MD ** pmgf1md,int * psaltlen)782 rsa_pss_get_param(const RSA_PSS_PARAMS *pss, const EVP_MD **pmd,
783 const EVP_MD **pmgf1md, int *psaltlen)
784 {
785 if (pss == NULL)
786 return 0;
787 *pmd = rsa_algor_to_md(pss->hashAlgorithm);
788 if (*pmd == NULL)
789 return 0;
790 *pmgf1md = rsa_algor_to_md(pss->maskHash);
791 if (*pmgf1md == NULL)
792 return 0;
793 if (pss->saltLength) {
794 *psaltlen = ASN1_INTEGER_get(pss->saltLength);
795 if (*psaltlen < 0) {
796 RSAerror(RSA_R_INVALID_SALT_LENGTH);
797 return 0;
798 }
799 } else {
800 *psaltlen = 20;
801 }
802
803 /*
804 * low-level routines support only trailer field 0xbc (value 1) and
805 * PKCS#1 says we should reject any other value anyway.
806 */
807 if (pss->trailerField && ASN1_INTEGER_get(pss->trailerField) != 1) {
808 RSAerror(RSA_R_INVALID_TRAILER);
809 return 0;
810 }
811
812 return 1;
813 }
814
815 #ifndef OPENSSL_NO_CMS
816 static int
rsa_cms_verify(CMS_SignerInfo * si)817 rsa_cms_verify(CMS_SignerInfo *si)
818 {
819 int nid, nid2;
820 X509_ALGOR *alg;
821 EVP_PKEY_CTX *pkctx = CMS_SignerInfo_get0_pkey_ctx(si);
822
823 CMS_SignerInfo_get0_algs(si, NULL, NULL, NULL, &alg);
824 nid = OBJ_obj2nid(alg->algorithm);
825 if (nid == EVP_PKEY_RSA_PSS)
826 return rsa_pss_to_ctx(NULL, pkctx, alg, NULL);
827 /* Only PSS allowed for PSS keys */
828 if (pkey_ctx_is_pss(pkctx)) {
829 RSAerror(RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
830 return 0;
831 }
832 if (nid == NID_rsaEncryption)
833 return 1;
834 /* Workaround for some implementation that use a signature OID */
835 if (OBJ_find_sigid_algs(nid, NULL, &nid2)) {
836 if (nid2 == NID_rsaEncryption)
837 return 1;
838 }
839 return 0;
840 }
841 #endif
842
843 /*
844 * Customised RSA item verification routine. This is called when a signature
845 * is encountered requiring special handling. We currently only handle PSS.
846 */
847 static int
rsa_item_verify(EVP_MD_CTX * ctx,const ASN1_ITEM * it,void * asn,X509_ALGOR * sigalg,ASN1_BIT_STRING * sig,EVP_PKEY * pkey)848 rsa_item_verify(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
849 X509_ALGOR *sigalg, ASN1_BIT_STRING *sig, EVP_PKEY *pkey)
850 {
851 /* Sanity check: make sure it is PSS */
852 if (OBJ_obj2nid(sigalg->algorithm) != EVP_PKEY_RSA_PSS) {
853 RSAerror(RSA_R_UNSUPPORTED_SIGNATURE_TYPE);
854 return -1;
855 }
856 if (rsa_pss_to_ctx(ctx, NULL, sigalg, pkey) > 0) {
857 /* Carry on */
858 return 2;
859 }
860 return -1;
861 }
862
863 #ifndef OPENSSL_NO_CMS
864 static int
rsa_cms_sign(CMS_SignerInfo * si)865 rsa_cms_sign(CMS_SignerInfo *si)
866 {
867 int pad_mode = RSA_PKCS1_PADDING;
868 X509_ALGOR *alg;
869 EVP_PKEY_CTX *pkctx = CMS_SignerInfo_get0_pkey_ctx(si);
870 ASN1_STRING *os = NULL;
871
872 CMS_SignerInfo_get0_algs(si, NULL, NULL, NULL, &alg);
873 if (pkctx) {
874 if (EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode) <= 0)
875 return 0;
876 }
877 if (pad_mode == RSA_PKCS1_PADDING) {
878 X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption), V_ASN1_NULL, 0);
879 return 1;
880 }
881 /* We don't support it */
882 if (pad_mode != RSA_PKCS1_PSS_PADDING)
883 return 0;
884 os = rsa_ctx_to_pss_string(pkctx);
885 if (!os)
886 return 0;
887 X509_ALGOR_set0(alg, OBJ_nid2obj(EVP_PKEY_RSA_PSS), V_ASN1_SEQUENCE, os);
888 return 1;
889 }
890 #endif
891
892 static int
rsa_item_sign(EVP_MD_CTX * ctx,const ASN1_ITEM * it,void * asn,X509_ALGOR * alg1,X509_ALGOR * alg2,ASN1_BIT_STRING * sig)893 rsa_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
894 X509_ALGOR *alg1, X509_ALGOR *alg2, ASN1_BIT_STRING *sig)
895 {
896 EVP_PKEY_CTX *pkctx = ctx->pctx;
897 int pad_mode;
898
899 if (EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode) <= 0)
900 return 0;
901 if (pad_mode == RSA_PKCS1_PADDING)
902 return 2;
903 if (pad_mode == RSA_PKCS1_PSS_PADDING) {
904 ASN1_STRING *os1 = NULL;
905 os1 = rsa_ctx_to_pss_string(pkctx);
906 if (!os1)
907 return 0;
908 /* Duplicate parameters if we have to */
909 if (alg2) {
910 ASN1_STRING *os2 = ASN1_STRING_dup(os1);
911 if (!os2) {
912 ASN1_STRING_free(os1);
913 return 0;
914 }
915 X509_ALGOR_set0(alg2, OBJ_nid2obj(EVP_PKEY_RSA_PSS),
916 V_ASN1_SEQUENCE, os2);
917 }
918 X509_ALGOR_set0(alg1, OBJ_nid2obj(EVP_PKEY_RSA_PSS),
919 V_ASN1_SEQUENCE, os1);
920 return 3;
921 }
922 return 2;
923 }
924
925 static int
rsa_pkey_check(const EVP_PKEY * pkey)926 rsa_pkey_check(const EVP_PKEY *pkey)
927 {
928 return RSA_check_key(pkey->pkey.rsa);
929 }
930
931 #ifndef OPENSSL_NO_CMS
932 static RSA_OAEP_PARAMS *
rsa_oaep_decode(const X509_ALGOR * alg)933 rsa_oaep_decode(const X509_ALGOR *alg)
934 {
935 RSA_OAEP_PARAMS *oaep;
936
937 oaep = ASN1_TYPE_unpack_sequence(&RSA_OAEP_PARAMS_it, alg->parameter);
938 if (oaep == NULL)
939 return NULL;
940
941 if (oaep->maskGenFunc != NULL) {
942 oaep->maskHash = rsa_mgf1_decode(oaep->maskGenFunc);
943 if (oaep->maskHash == NULL) {
944 RSA_OAEP_PARAMS_free(oaep);
945 return NULL;
946 }
947 }
948 return oaep;
949 }
950
951 static int
rsa_cms_decrypt(CMS_RecipientInfo * ri)952 rsa_cms_decrypt(CMS_RecipientInfo *ri)
953 {
954 EVP_PKEY_CTX *pkctx;
955 X509_ALGOR *cmsalg;
956 int nid;
957 int rv = -1;
958 unsigned char *label = NULL;
959 int labellen = 0;
960 const EVP_MD *mgf1md = NULL, *md = NULL;
961 RSA_OAEP_PARAMS *oaep;
962
963 pkctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
964 if (pkctx == NULL)
965 return 0;
966 if (!CMS_RecipientInfo_ktri_get0_algs(ri, NULL, NULL, &cmsalg))
967 return -1;
968 nid = OBJ_obj2nid(cmsalg->algorithm);
969 if (nid == NID_rsaEncryption)
970 return 1;
971 if (nid != NID_rsaesOaep) {
972 RSAerror(RSA_R_UNSUPPORTED_ENCRYPTION_TYPE);
973 return -1;
974 }
975 /* Decode OAEP parameters */
976 oaep = rsa_oaep_decode(cmsalg);
977
978 if (oaep == NULL) {
979 RSAerror(RSA_R_INVALID_OAEP_PARAMETERS);
980 goto err;
981 }
982
983 mgf1md = rsa_algor_to_md(oaep->maskHash);
984 if (mgf1md == NULL)
985 goto err;
986 md = rsa_algor_to_md(oaep->hashFunc);
987 if (md == NULL)
988 goto err;
989
990 if (oaep->pSourceFunc != NULL) {
991 X509_ALGOR *plab = oaep->pSourceFunc;
992
993 if (OBJ_obj2nid(plab->algorithm) != NID_pSpecified) {
994 RSAerror(RSA_R_UNSUPPORTED_LABEL_SOURCE);
995 goto err;
996 }
997 if (plab->parameter->type != V_ASN1_OCTET_STRING) {
998 RSAerror(RSA_R_INVALID_LABEL);
999 goto err;
1000 }
1001
1002 label = plab->parameter->value.octet_string->data;
1003
1004 /* Stop label being freed when OAEP parameters are freed */
1005 /* XXX - this leaks label on error... */
1006 plab->parameter->value.octet_string->data = NULL;
1007 labellen = plab->parameter->value.octet_string->length;
1008 }
1009
1010 if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_OAEP_PADDING) <= 0)
1011 goto err;
1012 if (EVP_PKEY_CTX_set_rsa_oaep_md(pkctx, md) <= 0)
1013 goto err;
1014 if (EVP_PKEY_CTX_set_rsa_mgf1_md(pkctx, mgf1md) <= 0)
1015 goto err;
1016 if (EVP_PKEY_CTX_set0_rsa_oaep_label(pkctx, label, labellen) <= 0)
1017 goto err;
1018
1019 rv = 1;
1020
1021 err:
1022 RSA_OAEP_PARAMS_free(oaep);
1023 return rv;
1024 }
1025
1026 static int
rsa_cms_encrypt(CMS_RecipientInfo * ri)1027 rsa_cms_encrypt(CMS_RecipientInfo *ri)
1028 {
1029 const EVP_MD *md, *mgf1md;
1030 RSA_OAEP_PARAMS *oaep = NULL;
1031 ASN1_STRING *os = NULL;
1032 X509_ALGOR *alg;
1033 EVP_PKEY_CTX *pkctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
1034 int pad_mode = RSA_PKCS1_PADDING, rv = 0, labellen;
1035 unsigned char *label;
1036
1037 if (CMS_RecipientInfo_ktri_get0_algs(ri, NULL, NULL, &alg) <= 0)
1038 return 0;
1039 if (pkctx) {
1040 if (EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode) <= 0)
1041 return 0;
1042 }
1043 if (pad_mode == RSA_PKCS1_PADDING) {
1044 X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption), V_ASN1_NULL, 0);
1045 return 1;
1046 }
1047 /* Not supported */
1048 if (pad_mode != RSA_PKCS1_OAEP_PADDING)
1049 return 0;
1050 if (EVP_PKEY_CTX_get_rsa_oaep_md(pkctx, &md) <= 0)
1051 goto err;
1052 if (EVP_PKEY_CTX_get_rsa_mgf1_md(pkctx, &mgf1md) <= 0)
1053 goto err;
1054 labellen = EVP_PKEY_CTX_get0_rsa_oaep_label(pkctx, &label);
1055 if (labellen < 0)
1056 goto err;
1057 oaep = RSA_OAEP_PARAMS_new();
1058 if (oaep == NULL)
1059 goto err;
1060 if (!rsa_md_to_algor(&oaep->hashFunc, md))
1061 goto err;
1062 if (!rsa_md_to_mgf1(&oaep->maskGenFunc, mgf1md))
1063 goto err;
1064 if (labellen > 0) {
1065 ASN1_OCTET_STRING *los;
1066 oaep->pSourceFunc = X509_ALGOR_new();
1067 if (oaep->pSourceFunc == NULL)
1068 goto err;
1069 los = ASN1_OCTET_STRING_new();
1070 if (los == NULL)
1071 goto err;
1072 if (!ASN1_OCTET_STRING_set(los, label, labellen)) {
1073 ASN1_OCTET_STRING_free(los);
1074 goto err;
1075 }
1076 X509_ALGOR_set0(oaep->pSourceFunc, OBJ_nid2obj(NID_pSpecified),
1077 V_ASN1_OCTET_STRING, los);
1078 }
1079 /* create string with pss parameter encoding. */
1080 if (!ASN1_item_pack(oaep, &RSA_OAEP_PARAMS_it, &os))
1081 goto err;
1082 X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaesOaep), V_ASN1_SEQUENCE, os);
1083 os = NULL;
1084 rv = 1;
1085 err:
1086 RSA_OAEP_PARAMS_free(oaep);
1087 ASN1_STRING_free(os);
1088 return rv;
1089 }
1090 #endif
1091
1092 const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[] = {
1093 {
1094 .pkey_id = EVP_PKEY_RSA,
1095 .pkey_base_id = EVP_PKEY_RSA,
1096 .pkey_flags = ASN1_PKEY_SIGPARAM_NULL,
1097
1098 .pem_str = "RSA",
1099 .info = "OpenSSL RSA method",
1100
1101 .pub_decode = rsa_pub_decode,
1102 .pub_encode = rsa_pub_encode,
1103 .pub_cmp = rsa_pub_cmp,
1104 .pub_print = rsa_pub_print,
1105
1106 .priv_decode = rsa_priv_decode,
1107 .priv_encode = rsa_priv_encode,
1108 .priv_print = rsa_priv_print,
1109
1110 .pkey_size = int_rsa_size,
1111 .pkey_bits = rsa_bits,
1112 .pkey_security_bits = rsa_security_bits,
1113
1114 .sig_print = rsa_sig_print,
1115
1116 .pkey_free = int_rsa_free,
1117 .pkey_ctrl = rsa_pkey_ctrl,
1118 .old_priv_decode = old_rsa_priv_decode,
1119 .old_priv_encode = old_rsa_priv_encode,
1120 .item_verify = rsa_item_verify,
1121 .item_sign = rsa_item_sign,
1122
1123 .pkey_check = rsa_pkey_check,
1124 },
1125
1126 {
1127 .pkey_id = EVP_PKEY_RSA2,
1128 .pkey_base_id = EVP_PKEY_RSA,
1129 .pkey_flags = ASN1_PKEY_ALIAS,
1130
1131 .pkey_check = rsa_pkey_check,
1132 },
1133 };
1134
1135 const EVP_PKEY_ASN1_METHOD rsa_pss_asn1_meth = {
1136 .pkey_id = EVP_PKEY_RSA_PSS,
1137 .pkey_base_id = EVP_PKEY_RSA_PSS,
1138 .pkey_flags = ASN1_PKEY_SIGPARAM_NULL,
1139
1140 .pem_str = "RSA-PSS",
1141 .info = "OpenSSL RSA-PSS method",
1142
1143 .pub_decode = rsa_pub_decode,
1144 .pub_encode = rsa_pub_encode,
1145 .pub_cmp = rsa_pub_cmp,
1146 .pub_print = rsa_pub_print,
1147
1148 .priv_decode = rsa_priv_decode,
1149 .priv_encode = rsa_priv_encode,
1150 .priv_print = rsa_priv_print,
1151
1152 .pkey_size = int_rsa_size,
1153 .pkey_bits = rsa_bits,
1154
1155 .sig_print = rsa_sig_print,
1156
1157 .pkey_free = int_rsa_free,
1158 .pkey_ctrl = rsa_pkey_ctrl,
1159 .item_verify = rsa_item_verify,
1160 .item_sign = rsa_item_sign
1161 };
1162