1 /* $OpenBSD: rsa_ameth.c,v 1.19 2018/08/24 20:22:15 tb Exp $ */
2 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
5 /* ====================================================================
6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
34 * 6. Redistributions of any form whatsoever must retain the following
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
61 #include <openssl/opensslconf.h>
63 #include <openssl/asn1t.h>
64 #include <openssl/bn.h>
65 #include <openssl/err.h>
66 #include <openssl/rsa.h>
67 #include <openssl/x509.h>
70 #include "asn1_locl.h"
73 rsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
75 unsigned char *penc = NULL;
78 penclen = i2d_RSAPublicKey(pkey->pkey.rsa, &penc);
81 if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(EVP_PKEY_RSA),
82 V_ASN1_NULL, NULL, penc, penclen))
90 rsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey)
92 const unsigned char *p;
96 if (!X509_PUBKEY_get0_param(NULL, &p, &pklen, NULL, pubkey))
98 if (!(rsa = d2i_RSAPublicKey(NULL, &p, pklen))) {
99 RSAerror(ERR_R_RSA_LIB);
102 EVP_PKEY_assign_RSA (pkey, rsa);
107 rsa_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b)
109 if (BN_cmp(b->pkey.rsa->n, a->pkey.rsa->n) != 0 ||
110 BN_cmp(b->pkey.rsa->e, a->pkey.rsa->e) != 0)
116 old_rsa_priv_decode(EVP_PKEY *pkey, const unsigned char **pder, int derlen)
120 if (!(rsa = d2i_RSAPrivateKey (NULL, pder, derlen))) {
121 RSAerror(ERR_R_RSA_LIB);
124 EVP_PKEY_assign_RSA(pkey, rsa);
129 old_rsa_priv_encode(const EVP_PKEY *pkey, unsigned char **pder)
131 return i2d_RSAPrivateKey(pkey->pkey.rsa, pder);
135 rsa_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
137 unsigned char *rk = NULL;
140 rklen = i2d_RSAPrivateKey(pkey->pkey.rsa, &rk);
143 RSAerror(ERR_R_MALLOC_FAILURE);
147 if (!PKCS8_pkey_set0(p8, OBJ_nid2obj(NID_rsaEncryption), 0,
148 V_ASN1_NULL, NULL, rk, rklen)) {
149 RSAerror(ERR_R_MALLOC_FAILURE);
157 rsa_priv_decode(EVP_PKEY *pkey, const PKCS8_PRIV_KEY_INFO *p8)
159 const unsigned char *p;
162 if (!PKCS8_pkey_get0(NULL, &p, &pklen, NULL, p8))
164 return old_rsa_priv_decode(pkey, &p, pklen);
168 int_rsa_size(const EVP_PKEY *pkey)
170 return RSA_size(pkey->pkey.rsa);
174 rsa_bits(const EVP_PKEY *pkey)
176 return BN_num_bits(pkey->pkey.rsa->n);
180 int_rsa_free(EVP_PKEY *pkey)
182 RSA_free(pkey->pkey.rsa);
186 update_buflen(const BIGNUM *b, size_t *pbuflen)
192 if (*pbuflen < (i = (size_t)BN_num_bytes(b)))
197 do_rsa_print(BIO *bp, const RSA *x, int off, int priv)
201 unsigned char *m = NULL;
202 int ret = 0, mod_len = 0;
205 update_buflen(x->n, &buf_len);
206 update_buflen(x->e, &buf_len);
209 update_buflen(x->d, &buf_len);
210 update_buflen(x->p, &buf_len);
211 update_buflen(x->q, &buf_len);
212 update_buflen(x->dmp1, &buf_len);
213 update_buflen(x->dmq1, &buf_len);
214 update_buflen(x->iqmp, &buf_len);
217 m = malloc(buf_len + 10);
219 RSAerror(ERR_R_MALLOC_FAILURE);
224 mod_len = BN_num_bits(x->n);
226 if (!BIO_indent(bp, off, 128))
230 if (BIO_printf(bp, "Private-Key: (%d bit)\n", mod_len) <= 0)
233 s = "publicExponent:";
235 if (BIO_printf(bp, "Public-Key: (%d bit)\n", mod_len) <= 0)
240 if (!ASN1_bn_print(bp, str, x->n, m, off))
242 if (!ASN1_bn_print(bp, s, x->e, m, off))
245 if (!ASN1_bn_print(bp, "privateExponent:", x->d,m, off))
247 if (!ASN1_bn_print(bp, "prime1:", x->p, m, off))
249 if (!ASN1_bn_print(bp, "prime2:", x->q, m, off))
251 if (!ASN1_bn_print(bp, "exponent1:", x->dmp1, m, off))
253 if (!ASN1_bn_print(bp, "exponent2:", x->dmq1, m, off))
255 if (!ASN1_bn_print(bp, "coefficient:", x->iqmp, m, off))
265 rsa_pub_print(BIO *bp, const EVP_PKEY *pkey, int indent, ASN1_PCTX *ctx)
267 return do_rsa_print(bp, pkey->pkey.rsa, indent, 0);
271 rsa_priv_print(BIO *bp, const EVP_PKEY *pkey, int indent, ASN1_PCTX *ctx)
273 return do_rsa_print(bp, pkey->pkey.rsa, indent, 1);
276 static RSA_PSS_PARAMS *
277 rsa_pss_decode(const X509_ALGOR *alg, X509_ALGOR **pmaskHash)
279 const unsigned char *p;
285 if (!alg->parameter || alg->parameter->type != V_ASN1_SEQUENCE)
288 p = alg->parameter->value.sequence->data;
289 plen = alg->parameter->value.sequence->length;
290 pss = d2i_RSA_PSS_PARAMS(NULL, &p, plen);
295 if (pss->maskGenAlgorithm) {
296 ASN1_TYPE *param = pss->maskGenAlgorithm->parameter;
297 if (OBJ_obj2nid(pss->maskGenAlgorithm->algorithm) == NID_mgf1 &&
298 param && param->type == V_ASN1_SEQUENCE) {
299 p = param->value.sequence->data;
300 plen = param->value.sequence->length;
301 *pmaskHash = d2i_X509_ALGOR(NULL, &p, plen);
309 rsa_pss_param_print(BIO *bp, RSA_PSS_PARAMS *pss, X509_ALGOR *maskHash,
315 if (BIO_puts(bp, " (INVALID PSS PARAMETERS)\n") <= 0)
319 if (BIO_puts(bp, "\n") <= 0)
321 if (!BIO_indent(bp, indent, 128))
323 if (BIO_puts(bp, "Hash Algorithm: ") <= 0)
326 if (pss->hashAlgorithm) {
327 if (i2a_ASN1_OBJECT(bp, pss->hashAlgorithm->algorithm) <= 0)
329 } else if (BIO_puts(bp, "sha1 (default)") <= 0)
332 if (BIO_puts(bp, "\n") <= 0)
335 if (!BIO_indent(bp, indent, 128))
338 if (BIO_puts(bp, "Mask Algorithm: ") <= 0)
340 if (pss->maskGenAlgorithm) {
341 if (i2a_ASN1_OBJECT(bp, pss->maskGenAlgorithm->algorithm) <= 0)
343 if (BIO_puts(bp, " with ") <= 0)
346 if (i2a_ASN1_OBJECT(bp, maskHash->algorithm) <= 0)
348 } else if (BIO_puts(bp, "INVALID") <= 0)
350 } else if (BIO_puts(bp, "mgf1 with sha1 (default)") <= 0)
354 if (!BIO_indent(bp, indent, 128))
356 if (BIO_puts(bp, "Salt Length: 0x") <= 0)
358 if (pss->saltLength) {
359 if (i2a_ASN1_INTEGER(bp, pss->saltLength) <= 0)
361 } else if (BIO_puts(bp, "14 (default)") <= 0)
365 if (!BIO_indent(bp, indent, 128))
367 if (BIO_puts(bp, "Trailer Field: 0x") <= 0)
369 if (pss->trailerField) {
370 if (i2a_ASN1_INTEGER(bp, pss->trailerField) <= 0)
372 } else if (BIO_puts(bp, "BC (default)") <= 0)
383 rsa_sig_print(BIO *bp, const X509_ALGOR *sigalg, const ASN1_STRING *sig,
384 int indent, ASN1_PCTX *pctx)
386 if (OBJ_obj2nid(sigalg->algorithm) == NID_rsassaPss) {
389 X509_ALGOR *maskHash;
390 pss = rsa_pss_decode(sigalg, &maskHash);
391 rv = rsa_pss_param_print(bp, pss, maskHash, indent);
393 RSA_PSS_PARAMS_free(pss);
395 X509_ALGOR_free(maskHash);
398 } else if (!sig && BIO_puts(bp, "\n") <= 0)
401 return X509_signature_dump(bp, sig, indent);
406 rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
408 X509_ALGOR *alg = NULL;
411 case ASN1_PKEY_CTRL_PKCS7_SIGN:
413 PKCS7_SIGNER_INFO_get0_algs(arg2, NULL, NULL, &alg);
416 case ASN1_PKEY_CTRL_PKCS7_ENCRYPT:
418 PKCS7_RECIP_INFO_get0_alg(arg2, &alg);
421 case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
422 *(int *)arg2 = NID_sha1;
430 X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption),
436 /* Customised RSA item verification routine. This is called
437 * when a signature is encountered requiring special handling. We
438 * currently only handle PSS.
441 rsa_item_verify(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
442 X509_ALGOR *sigalg, ASN1_BIT_STRING *sig, EVP_PKEY *pkey)
446 const EVP_MD *mgf1md = NULL, *md = NULL;
448 X509_ALGOR *maskHash;
451 /* Sanity check: make sure it is PSS */
452 if (OBJ_obj2nid(sigalg->algorithm) != NID_rsassaPss) {
453 RSAerror(RSA_R_UNSUPPORTED_SIGNATURE_TYPE);
457 /* Decode PSS parameters */
458 pss = rsa_pss_decode(sigalg, &maskHash);
461 RSAerror(RSA_R_INVALID_PSS_PARAMETERS);
464 /* Check mask and lookup mask hash algorithm */
465 if (pss->maskGenAlgorithm) {
466 if (OBJ_obj2nid(pss->maskGenAlgorithm->algorithm) != NID_mgf1) {
467 RSAerror(RSA_R_UNSUPPORTED_MASK_ALGORITHM);
471 RSAerror(RSA_R_UNSUPPORTED_MASK_PARAMETER);
474 mgf1md = EVP_get_digestbyobj(maskHash->algorithm);
475 if (mgf1md == NULL) {
476 RSAerror(RSA_R_UNKNOWN_MASK_DIGEST);
482 if (pss->hashAlgorithm) {
483 md = EVP_get_digestbyobj(pss->hashAlgorithm->algorithm);
485 RSAerror(RSA_R_UNKNOWN_PSS_DIGEST);
491 if (pss->saltLength) {
492 saltlen = ASN1_INTEGER_get(pss->saltLength);
494 /* Could perform more salt length sanity checks but the main
495 * RSA routines will trap other invalid values anyway.
498 RSAerror(RSA_R_INVALID_SALT_LENGTH);
504 /* low-level routines support only trailer field 0xbc (value 1)
505 * and PKCS#1 says we should reject any other value anyway.
507 if (pss->trailerField && ASN1_INTEGER_get(pss->trailerField) != 1) {
508 RSAerror(RSA_R_INVALID_TRAILER);
512 /* We have all parameters now set up context */
514 if (!EVP_DigestVerifyInit(ctx, &pkctx, md, NULL, pkey))
517 if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_PSS_PADDING) <= 0)
520 if (EVP_PKEY_CTX_set_rsa_pss_saltlen(pkctx, saltlen) <= 0)
523 if (EVP_PKEY_CTX_set_rsa_mgf1_md(pkctx, mgf1md) <= 0)
529 RSA_PSS_PARAMS_free(pss);
531 X509_ALGOR_free(maskHash);
536 rsa_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
537 X509_ALGOR *alg1, X509_ALGOR *alg2, ASN1_BIT_STRING *sig)
540 EVP_PKEY_CTX *pkctx = ctx->pctx;
542 if (EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode) <= 0)
544 if (pad_mode == RSA_PKCS1_PADDING)
546 if (pad_mode == RSA_PKCS1_PSS_PADDING) {
547 const EVP_MD *sigmd, *mgf1md;
548 RSA_PSS_PARAMS *pss = NULL;
549 X509_ALGOR *mgf1alg = NULL;
550 ASN1_STRING *os1 = NULL, *os2 = NULL;
551 EVP_PKEY *pk = EVP_PKEY_CTX_get0_pkey(pkctx);
554 sigmd = EVP_MD_CTX_md(ctx);
555 if (EVP_PKEY_CTX_get_rsa_mgf1_md(pkctx, &mgf1md) <= 0)
557 if (!EVP_PKEY_CTX_get_rsa_pss_saltlen(pkctx, &saltlen))
560 saltlen = EVP_MD_size(sigmd);
561 else if (saltlen == -2) {
562 saltlen = EVP_PKEY_size(pk) - EVP_MD_size(sigmd) - 2;
563 if (((EVP_PKEY_bits(pk) - 1) & 0x7) == 0)
566 pss = RSA_PSS_PARAMS_new();
570 pss->saltLength = ASN1_INTEGER_new();
571 if (!pss->saltLength)
573 if (!ASN1_INTEGER_set(pss->saltLength, saltlen))
576 if (EVP_MD_type(sigmd) != NID_sha1) {
577 pss->hashAlgorithm = X509_ALGOR_new();
578 if (!pss->hashAlgorithm)
580 X509_ALGOR_set_md(pss->hashAlgorithm, sigmd);
582 if (EVP_MD_type(mgf1md) != NID_sha1) {
583 ASN1_STRING *stmp = NULL;
584 /* need to embed algorithm ID inside another */
585 mgf1alg = X509_ALGOR_new();
586 X509_ALGOR_set_md(mgf1alg, mgf1md);
587 if (!ASN1_item_pack(mgf1alg, &X509_ALGOR_it,
590 pss->maskGenAlgorithm = X509_ALGOR_new();
591 if (!pss->maskGenAlgorithm)
593 X509_ALGOR_set0(pss->maskGenAlgorithm,
594 OBJ_nid2obj(NID_mgf1), V_ASN1_SEQUENCE, stmp);
596 /* Finally create string with pss parameter encoding. */
597 if (!ASN1_item_pack(pss, &RSA_PSS_PARAMS_it, &os1))
600 os2 = ASN1_STRING_dup(os1);
603 X509_ALGOR_set0(alg2, OBJ_nid2obj(NID_rsassaPss),
604 V_ASN1_SEQUENCE, os2);
606 X509_ALGOR_set0(alg1, OBJ_nid2obj(NID_rsassaPss),
607 V_ASN1_SEQUENCE, os1);
612 X509_ALGOR_free(mgf1alg);
614 RSA_PSS_PARAMS_free(pss);
615 ASN1_STRING_free(os1);
621 const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[] = {
623 .pkey_id = EVP_PKEY_RSA,
624 .pkey_base_id = EVP_PKEY_RSA,
625 .pkey_flags = ASN1_PKEY_SIGPARAM_NULL,
628 .info = "OpenSSL RSA method",
630 .pub_decode = rsa_pub_decode,
631 .pub_encode = rsa_pub_encode,
632 .pub_cmp = rsa_pub_cmp,
633 .pub_print = rsa_pub_print,
635 .priv_decode = rsa_priv_decode,
636 .priv_encode = rsa_priv_encode,
637 .priv_print = rsa_priv_print,
639 .pkey_size = int_rsa_size,
640 .pkey_bits = rsa_bits,
642 .sig_print = rsa_sig_print,
644 .pkey_free = int_rsa_free,
645 .pkey_ctrl = rsa_pkey_ctrl,
646 .old_priv_decode = old_rsa_priv_decode,
647 .old_priv_encode = old_rsa_priv_encode,
648 .item_verify = rsa_item_verify,
649 .item_sign = rsa_item_sign
653 .pkey_id = EVP_PKEY_RSA2,
654 .pkey_base_id = EVP_PKEY_RSA,
655 .pkey_flags = ASN1_PKEY_ALIAS