1 /* $OpenBSD: rsa_ameth.c,v 1.14 2015/02/11 04:05:14 beck Exp $ */
2 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
5 /* ====================================================================
6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
34 * 6. Redistributions of any form whatsoever must retain the following
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
61 #include <openssl/opensslconf.h>
63 #include <openssl/asn1t.h>
64 #include <openssl/bn.h>
65 #include <openssl/err.h>
66 #include <openssl/rsa.h>
67 #include <openssl/x509.h>
69 #ifndef OPENSSL_NO_CMS
70 #include <openssl/cms.h>
73 #include "asn1_locl.h"
76 rsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
78 unsigned char *penc = NULL;
81 penclen = i2d_RSAPublicKey(pkey->pkey.rsa, &penc);
84 if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(EVP_PKEY_RSA),
85 V_ASN1_NULL, NULL, penc, penclen))
93 rsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey)
95 const unsigned char *p;
99 if (!X509_PUBKEY_get0_param(NULL, &p, &pklen, NULL, pubkey))
101 if (!(rsa = d2i_RSAPublicKey(NULL, &p, pklen))) {
102 RSAerr(RSA_F_RSA_PUB_DECODE, ERR_R_RSA_LIB);
105 EVP_PKEY_assign_RSA (pkey, rsa);
110 rsa_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b)
112 if (BN_cmp(b->pkey.rsa->n, a->pkey.rsa->n) != 0 ||
113 BN_cmp(b->pkey.rsa->e, a->pkey.rsa->e) != 0)
119 old_rsa_priv_decode(EVP_PKEY *pkey, const unsigned char **pder, int derlen)
123 if (!(rsa = d2i_RSAPrivateKey (NULL, pder, derlen))) {
124 RSAerr(RSA_F_OLD_RSA_PRIV_DECODE, ERR_R_RSA_LIB);
127 EVP_PKEY_assign_RSA(pkey, rsa);
132 old_rsa_priv_encode(const EVP_PKEY *pkey, unsigned char **pder)
134 return i2d_RSAPrivateKey(pkey->pkey.rsa, pder);
138 rsa_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
140 unsigned char *rk = NULL;
143 rklen = i2d_RSAPrivateKey(pkey->pkey.rsa, &rk);
146 RSAerr(RSA_F_RSA_PRIV_ENCODE, ERR_R_MALLOC_FAILURE);
150 if (!PKCS8_pkey_set0(p8, OBJ_nid2obj(NID_rsaEncryption), 0,
151 V_ASN1_NULL, NULL, rk, rklen)) {
152 RSAerr(RSA_F_RSA_PRIV_ENCODE, ERR_R_MALLOC_FAILURE);
160 rsa_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8)
162 const unsigned char *p;
165 if (!PKCS8_pkey_get0(NULL, &p, &pklen, NULL, p8))
167 return old_rsa_priv_decode(pkey, &p, pklen);
171 int_rsa_size(const EVP_PKEY *pkey)
173 return RSA_size(pkey->pkey.rsa);
177 rsa_bits(const EVP_PKEY *pkey)
179 return BN_num_bits(pkey->pkey.rsa->n);
183 int_rsa_free(EVP_PKEY *pkey)
185 RSA_free(pkey->pkey.rsa);
189 update_buflen(const BIGNUM *b, size_t *pbuflen)
195 if (*pbuflen < (i = (size_t)BN_num_bytes(b)))
200 do_rsa_print(BIO *bp, const RSA *x, int off, int priv)
204 unsigned char *m = NULL;
205 int ret = 0, mod_len = 0;
208 update_buflen(x->n, &buf_len);
209 update_buflen(x->e, &buf_len);
212 update_buflen(x->d, &buf_len);
213 update_buflen(x->p, &buf_len);
214 update_buflen(x->q, &buf_len);
215 update_buflen(x->dmp1, &buf_len);
216 update_buflen(x->dmq1, &buf_len);
217 update_buflen(x->iqmp, &buf_len);
220 m = malloc(buf_len + 10);
222 RSAerr(RSA_F_DO_RSA_PRINT, ERR_R_MALLOC_FAILURE);
227 mod_len = BN_num_bits(x->n);
229 if (!BIO_indent(bp, off, 128))
233 if (BIO_printf(bp, "Private-Key: (%d bit)\n", mod_len) <= 0)
236 s = "publicExponent:";
238 if (BIO_printf(bp, "Public-Key: (%d bit)\n", mod_len) <= 0)
243 if (!ASN1_bn_print(bp, str, x->n, m, off))
245 if (!ASN1_bn_print(bp, s, x->e, m, off))
248 if (!ASN1_bn_print(bp, "privateExponent:", x->d,m, off))
250 if (!ASN1_bn_print(bp, "prime1:", x->p, m, off))
252 if (!ASN1_bn_print(bp, "prime2:", x->q, m, off))
254 if (!ASN1_bn_print(bp, "exponent1:", x->dmp1, m, off))
256 if (!ASN1_bn_print(bp, "exponent2:", x->dmq1, m, off))
258 if (!ASN1_bn_print(bp, "coefficient:", x->iqmp, m, off))
268 rsa_pub_print(BIO *bp, const EVP_PKEY *pkey, int indent, ASN1_PCTX *ctx)
270 return do_rsa_print(bp, pkey->pkey.rsa, indent, 0);
274 rsa_priv_print(BIO *bp, const EVP_PKEY *pkey, int indent, ASN1_PCTX *ctx)
276 return do_rsa_print(bp, pkey->pkey.rsa, indent, 1);
279 static RSA_PSS_PARAMS *
280 rsa_pss_decode(const X509_ALGOR *alg, X509_ALGOR **pmaskHash)
282 const unsigned char *p;
288 if (!alg->parameter || alg->parameter->type != V_ASN1_SEQUENCE)
291 p = alg->parameter->value.sequence->data;
292 plen = alg->parameter->value.sequence->length;
293 pss = d2i_RSA_PSS_PARAMS(NULL, &p, plen);
298 if (pss->maskGenAlgorithm) {
299 ASN1_TYPE *param = pss->maskGenAlgorithm->parameter;
300 if (OBJ_obj2nid(pss->maskGenAlgorithm->algorithm) == NID_mgf1 &&
301 param && param->type == V_ASN1_SEQUENCE) {
302 p = param->value.sequence->data;
303 plen = param->value.sequence->length;
304 *pmaskHash = d2i_X509_ALGOR(NULL, &p, plen);
312 rsa_pss_param_print(BIO *bp, RSA_PSS_PARAMS *pss, X509_ALGOR *maskHash,
318 if (BIO_puts(bp, " (INVALID PSS PARAMETERS)\n") <= 0)
322 if (BIO_puts(bp, "\n") <= 0)
324 if (!BIO_indent(bp, indent, 128))
326 if (BIO_puts(bp, "Hash Algorithm: ") <= 0)
329 if (pss->hashAlgorithm) {
330 if (i2a_ASN1_OBJECT(bp, pss->hashAlgorithm->algorithm) <= 0)
332 } else if (BIO_puts(bp, "sha1 (default)") <= 0)
335 if (BIO_puts(bp, "\n") <= 0)
338 if (!BIO_indent(bp, indent, 128))
341 if (BIO_puts(bp, "Mask Algorithm: ") <= 0)
343 if (pss->maskGenAlgorithm) {
344 if (i2a_ASN1_OBJECT(bp, pss->maskGenAlgorithm->algorithm) <= 0)
346 if (BIO_puts(bp, " with ") <= 0)
349 if (i2a_ASN1_OBJECT(bp, maskHash->algorithm) <= 0)
351 } else if (BIO_puts(bp, "INVALID") <= 0)
353 } else if (BIO_puts(bp, "mgf1 with sha1 (default)") <= 0)
357 if (!BIO_indent(bp, indent, 128))
359 if (BIO_puts(bp, "Salt Length: 0x") <= 0)
361 if (pss->saltLength) {
362 if (i2a_ASN1_INTEGER(bp, pss->saltLength) <= 0)
364 } else if (BIO_puts(bp, "14 (default)") <= 0)
368 if (!BIO_indent(bp, indent, 128))
370 if (BIO_puts(bp, "Trailer Field: 0x") <= 0)
372 if (pss->trailerField) {
373 if (i2a_ASN1_INTEGER(bp, pss->trailerField) <= 0)
375 } else if (BIO_puts(bp, "BC (default)") <= 0)
386 rsa_sig_print(BIO *bp, const X509_ALGOR *sigalg, const ASN1_STRING *sig,
387 int indent, ASN1_PCTX *pctx)
389 if (OBJ_obj2nid(sigalg->algorithm) == NID_rsassaPss) {
392 X509_ALGOR *maskHash;
393 pss = rsa_pss_decode(sigalg, &maskHash);
394 rv = rsa_pss_param_print(bp, pss, maskHash, indent);
396 RSA_PSS_PARAMS_free(pss);
398 X509_ALGOR_free(maskHash);
401 } else if (!sig && BIO_puts(bp, "\n") <= 0)
404 return X509_signature_dump(bp, sig, indent);
409 rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
411 X509_ALGOR *alg = NULL;
414 case ASN1_PKEY_CTRL_PKCS7_SIGN:
416 PKCS7_SIGNER_INFO_get0_algs(arg2, NULL, NULL, &alg);
419 case ASN1_PKEY_CTRL_PKCS7_ENCRYPT:
421 PKCS7_RECIP_INFO_get0_alg(arg2, &alg);
423 #ifndef OPENSSL_NO_CMS
424 case ASN1_PKEY_CTRL_CMS_SIGN:
426 CMS_SignerInfo_get0_algs(arg2, NULL, NULL, NULL, &alg);
429 case ASN1_PKEY_CTRL_CMS_ENVELOPE:
431 CMS_RecipientInfo_ktri_get0_algs(arg2, NULL, NULL, &alg);
435 case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
436 *(int *)arg2 = NID_sha1;
444 X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption),
450 /* Customised RSA item verification routine. This is called
451 * when a signature is encountered requiring special handling. We
452 * currently only handle PSS.
455 rsa_item_verify(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
456 X509_ALGOR *sigalg, ASN1_BIT_STRING *sig, EVP_PKEY *pkey)
460 const EVP_MD *mgf1md = NULL, *md = NULL;
462 X509_ALGOR *maskHash;
465 /* Sanity check: make sure it is PSS */
466 if (OBJ_obj2nid(sigalg->algorithm) != NID_rsassaPss) {
467 RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_UNSUPPORTED_SIGNATURE_TYPE);
471 /* Decode PSS parameters */
472 pss = rsa_pss_decode(sigalg, &maskHash);
475 RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_INVALID_PSS_PARAMETERS);
478 /* Check mask and lookup mask hash algorithm */
479 if (pss->maskGenAlgorithm) {
480 if (OBJ_obj2nid(pss->maskGenAlgorithm->algorithm) != NID_mgf1) {
481 RSAerr(RSA_F_RSA_ITEM_VERIFY,
482 RSA_R_UNSUPPORTED_MASK_ALGORITHM);
486 RSAerr(RSA_F_RSA_ITEM_VERIFY,
487 RSA_R_UNSUPPORTED_MASK_PARAMETER);
490 mgf1md = EVP_get_digestbyobj(maskHash->algorithm);
491 if (mgf1md == NULL) {
492 RSAerr(RSA_F_RSA_ITEM_VERIFY,
493 RSA_R_UNKNOWN_MASK_DIGEST);
499 if (pss->hashAlgorithm) {
500 md = EVP_get_digestbyobj(pss->hashAlgorithm->algorithm);
502 RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_UNKNOWN_PSS_DIGEST);
508 if (pss->saltLength) {
509 saltlen = ASN1_INTEGER_get(pss->saltLength);
511 /* Could perform more salt length sanity checks but the main
512 * RSA routines will trap other invalid values anyway.
515 RSAerr(RSA_F_RSA_ITEM_VERIFY,
516 RSA_R_INVALID_SALT_LENGTH);
522 /* low-level routines support only trailer field 0xbc (value 1)
523 * and PKCS#1 says we should reject any other value anyway.
525 if (pss->trailerField && ASN1_INTEGER_get(pss->trailerField) != 1) {
526 RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_INVALID_TRAILER);
530 /* We have all parameters now set up context */
532 if (!EVP_DigestVerifyInit(ctx, &pkctx, md, NULL, pkey))
535 if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_PSS_PADDING) <= 0)
538 if (EVP_PKEY_CTX_set_rsa_pss_saltlen(pkctx, saltlen) <= 0)
541 if (EVP_PKEY_CTX_set_rsa_mgf1_md(pkctx, mgf1md) <= 0)
547 RSA_PSS_PARAMS_free(pss);
549 X509_ALGOR_free(maskHash);
554 rsa_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
555 X509_ALGOR *alg1, X509_ALGOR *alg2, ASN1_BIT_STRING *sig)
558 EVP_PKEY_CTX *pkctx = ctx->pctx;
560 if (EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode) <= 0)
562 if (pad_mode == RSA_PKCS1_PADDING)
564 if (pad_mode == RSA_PKCS1_PSS_PADDING) {
565 const EVP_MD *sigmd, *mgf1md;
566 RSA_PSS_PARAMS *pss = NULL;
567 X509_ALGOR *mgf1alg = NULL;
568 ASN1_STRING *os1 = NULL, *os2 = NULL;
569 EVP_PKEY *pk = EVP_PKEY_CTX_get0_pkey(pkctx);
572 sigmd = EVP_MD_CTX_md(ctx);
573 if (EVP_PKEY_CTX_get_rsa_mgf1_md(pkctx, &mgf1md) <= 0)
575 if (!EVP_PKEY_CTX_get_rsa_pss_saltlen(pkctx, &saltlen))
578 saltlen = EVP_MD_size(sigmd);
579 else if (saltlen == -2) {
580 saltlen = EVP_PKEY_size(pk) - EVP_MD_size(sigmd) - 2;
581 if (((EVP_PKEY_bits(pk) - 1) & 0x7) == 0)
584 pss = RSA_PSS_PARAMS_new();
588 pss->saltLength = ASN1_INTEGER_new();
589 if (!pss->saltLength)
591 if (!ASN1_INTEGER_set(pss->saltLength, saltlen))
594 if (EVP_MD_type(sigmd) != NID_sha1) {
595 pss->hashAlgorithm = X509_ALGOR_new();
596 if (!pss->hashAlgorithm)
598 X509_ALGOR_set_md(pss->hashAlgorithm, sigmd);
600 if (EVP_MD_type(mgf1md) != NID_sha1) {
601 ASN1_STRING *stmp = NULL;
602 /* need to embed algorithm ID inside another */
603 mgf1alg = X509_ALGOR_new();
604 X509_ALGOR_set_md(mgf1alg, mgf1md);
605 if (!ASN1_item_pack(mgf1alg, ASN1_ITEM_rptr(X509_ALGOR),
608 pss->maskGenAlgorithm = X509_ALGOR_new();
609 if (!pss->maskGenAlgorithm)
611 X509_ALGOR_set0(pss->maskGenAlgorithm,
612 OBJ_nid2obj(NID_mgf1), V_ASN1_SEQUENCE, stmp);
614 /* Finally create string with pss parameter encoding. */
615 if (!ASN1_item_pack(pss, ASN1_ITEM_rptr(RSA_PSS_PARAMS), &os1))
618 os2 = ASN1_STRING_dup(os1);
621 X509_ALGOR_set0(alg2, OBJ_nid2obj(NID_rsassaPss),
622 V_ASN1_SEQUENCE, os2);
624 X509_ALGOR_set0(alg1, OBJ_nid2obj(NID_rsassaPss),
625 V_ASN1_SEQUENCE, os1);
630 X509_ALGOR_free(mgf1alg);
632 RSA_PSS_PARAMS_free(pss);
633 ASN1_STRING_free(os1);
639 const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[] = {
641 .pkey_id = EVP_PKEY_RSA,
642 .pkey_base_id = EVP_PKEY_RSA,
643 .pkey_flags = ASN1_PKEY_SIGPARAM_NULL,
646 .info = "OpenSSL RSA method",
648 .pub_decode = rsa_pub_decode,
649 .pub_encode = rsa_pub_encode,
650 .pub_cmp = rsa_pub_cmp,
651 .pub_print = rsa_pub_print,
653 .priv_decode = rsa_priv_decode,
654 .priv_encode = rsa_priv_encode,
655 .priv_print = rsa_priv_print,
657 .pkey_size = int_rsa_size,
658 .pkey_bits = rsa_bits,
660 .sig_print = rsa_sig_print,
662 .pkey_free = int_rsa_free,
663 .pkey_ctrl = rsa_pkey_ctrl,
664 .old_priv_decode = old_rsa_priv_decode,
665 .old_priv_encode = old_rsa_priv_encode,
666 .item_verify = rsa_item_verify,
667 .item_sign = rsa_item_sign
671 .pkey_id = EVP_PKEY_RSA2,
672 .pkey_base_id = EVP_PKEY_RSA,
673 .pkey_flags = ASN1_PKEY_ALIAS