1 /*
2 * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 /*
11 * RSA low level APIs are deprecated for public use, but still ok for
12 * internal use.
13 */
14 #include "internal/deprecated.h"
15
16 #include <openssl/obj_mac.h>
17 #include "internal/cryptlib.h"
18 #include "prov/der_rsa.h"
19 #include "prov/der_digests.h"
20
21 /* More complex pre-compiled sequences. */
22
23 /*-
24 * From https://tools.ietf.org/html/rfc8017#appendix-A.2.1
25 *
26 * OAEP-PSSDigestAlgorithms ALGORITHM-IDENTIFIER ::= {
27 * { OID id-sha1 PARAMETERS NULL }|
28 * { OID id-sha224 PARAMETERS NULL }|
29 * { OID id-sha256 PARAMETERS NULL }|
30 * { OID id-sha384 PARAMETERS NULL }|
31 * { OID id-sha512 PARAMETERS NULL }|
32 * { OID id-sha512-224 PARAMETERS NULL }|
33 * { OID id-sha512-256 PARAMETERS NULL },
34 * ... -- Allows for future expansion --
35 * }
36 */
37 #define DER_V_NULL DER_P_NULL, 0
38 #define DER_SZ_NULL 2
39
40 /*
41 * The names for the hash function AlgorithmIdentifiers are borrowed and
42 * expanded from https://tools.ietf.org/html/rfc4055#section-2.1
43 *
44 * sha1Identifier AlgorithmIdentifier ::= { id-sha1, NULL }
45 * sha224Identifier AlgorithmIdentifier ::= { id-sha224, NULL }
46 * sha256Identifier AlgorithmIdentifier ::= { id-sha256, NULL }
47 * sha384Identifier AlgorithmIdentifier ::= { id-sha384, NULL }
48 * sha512Identifier AlgorithmIdentifier ::= { id-sha512, NULL }
49 */
50 /*
51 * NOTE: Some of the arrays aren't used other than inside sizeof(), which
52 * clang complains about (-Wno-unneeded-internal-declaration). To get
53 * around that, we make them non-static, and declare them an extra time to
54 * avoid compilers complaining about definitions without declarations.
55 */
56 #define DER_AID_V_sha1Identifier \
57 DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
58 DER_OID_SZ_id_sha1 + DER_SZ_NULL, \
59 DER_OID_V_id_sha1, \
60 DER_V_NULL
61 extern const unsigned char ossl_der_aid_sha1Identifier[];
62 const unsigned char ossl_der_aid_sha1Identifier[] = {
63 DER_AID_V_sha1Identifier
64 };
65 #define DER_AID_SZ_sha1Identifier sizeof(ossl_der_aid_sha1Identifier)
66
67 #define DER_AID_V_sha224Identifier \
68 DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
69 DER_OID_SZ_id_sha224 + DER_SZ_NULL, \
70 DER_OID_V_id_sha224, \
71 DER_V_NULL
72 extern const unsigned char ossl_der_aid_sha224Identifier[];
73 const unsigned char ossl_der_aid_sha224Identifier[] = {
74 DER_AID_V_sha224Identifier
75 };
76 #define DER_AID_SZ_sha224Identifier sizeof(ossl_der_aid_sha224Identifier)
77
78 #define DER_AID_V_sha256Identifier \
79 DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
80 DER_OID_SZ_id_sha256 + DER_SZ_NULL, \
81 DER_OID_V_id_sha256, \
82 DER_V_NULL
83 extern const unsigned char ossl_der_aid_sha256Identifier[];
84 const unsigned char ossl_der_aid_sha256Identifier[] = {
85 DER_AID_V_sha256Identifier
86 };
87 #define DER_AID_SZ_sha256Identifier sizeof(ossl_der_aid_sha256Identifier)
88
89 #define DER_AID_V_sha384Identifier \
90 DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
91 DER_OID_SZ_id_sha384 + DER_SZ_NULL, \
92 DER_OID_V_id_sha384, \
93 DER_V_NULL
94 extern const unsigned char ossl_der_aid_sha384Identifier[];
95 const unsigned char ossl_der_aid_sha384Identifier[] = {
96 DER_AID_V_sha384Identifier
97 };
98 #define DER_AID_SZ_sha384Identifier sizeof(ossl_der_aid_sha384Identifier)
99
100 #define DER_AID_V_sha512Identifier \
101 DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
102 DER_OID_SZ_id_sha512 + DER_SZ_NULL, \
103 DER_OID_V_id_sha512, \
104 DER_V_NULL
105 extern const unsigned char ossl_der_aid_sha512Identifier[];
106 const unsigned char ossl_der_aid_sha512Identifier[] = {
107 DER_AID_V_sha512Identifier
108 };
109 #define DER_AID_SZ_sha512Identifier sizeof(ossl_der_aid_sha512Identifier)
110
111 #define DER_AID_V_sha512_224Identifier \
112 DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
113 DER_OID_SZ_id_sha512_224 + DER_SZ_NULL, \
114 DER_OID_V_id_sha512_224, \
115 DER_V_NULL
116 extern const unsigned char ossl_der_aid_sha512_224Identifier[];
117 const unsigned char ossl_der_aid_sha512_224Identifier[] = {
118 DER_AID_V_sha512_224Identifier
119 };
120 #define DER_AID_SZ_sha512_224Identifier sizeof(ossl_der_aid_sha512_224Identifier)
121
122 #define DER_AID_V_sha512_256Identifier \
123 DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
124 DER_OID_SZ_id_sha512_256 + DER_SZ_NULL, \
125 DER_OID_V_id_sha512_256, \
126 DER_V_NULL
127 extern const unsigned char ossl_der_aid_sha512_256Identifier[];
128 const unsigned char ossl_der_aid_sha512_256Identifier[] = {
129 DER_AID_V_sha512_256Identifier
130 };
131 #define DER_AID_SZ_sha512_256Identifier sizeof(ossl_der_aid_sha512_256Identifier)
132
133 /*-
134 * From https://tools.ietf.org/html/rfc8017#appendix-A.2.1
135 *
136 * HashAlgorithm ::= AlgorithmIdentifier {
137 * {OAEP-PSSDigestAlgorithms}
138 * }
139 *
140 * ...
141 *
142 * PKCS1MGFAlgorithms ALGORITHM-IDENTIFIER ::= {
143 * { OID id-mgf1 PARAMETERS HashAlgorithm },
144 * ... -- Allows for future expansion --
145 * }
146 */
147
148 /*
149 * The names for the MGF1 AlgorithmIdentifiers are borrowed and expanded
150 * from https://tools.ietf.org/html/rfc4055#section-2.1
151 *
152 * mgf1SHA1Identifier AlgorithmIdentifier ::=
153 * { id-mgf1, sha1Identifier }
154 * mgf1SHA224Identifier AlgorithmIdentifier ::=
155 * { id-mgf1, sha224Identifier }
156 * mgf1SHA256Identifier AlgorithmIdentifier ::=
157 * { id-mgf1, sha256Identifier }
158 * mgf1SHA384Identifier AlgorithmIdentifier ::=
159 * { id-mgf1, sha384Identifier }
160 * mgf1SHA512Identifier AlgorithmIdentifier ::=
161 * { id-mgf1, sha512Identifier }
162 */
163 #if 0 /* Currently unused */
164 #define DER_AID_V_mgf1SHA1Identifier \
165 DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
166 DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha1Identifier, \
167 DER_OID_V_id_mgf1, \
168 DER_AID_V_sha1Identifier
169 static const unsigned char der_aid_mgf1SHA1Identifier[] = {
170 DER_AID_V_mgf1SHA1Identifier
171 };
172 #define DER_AID_SZ_mgf1SHA1Identifier sizeof(der_aid_mgf1SHA1Identifier)
173 #endif
174
175 #define DER_AID_V_mgf1SHA224Identifier \
176 DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
177 DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha224Identifier, \
178 DER_OID_V_id_mgf1, \
179 DER_AID_V_sha224Identifier
180 static const unsigned char der_aid_mgf1SHA224Identifier[] = {
181 DER_AID_V_mgf1SHA224Identifier
182 };
183 #define DER_AID_SZ_mgf1SHA224Identifier sizeof(der_aid_mgf1SHA224Identifier)
184
185 #define DER_AID_V_mgf1SHA256Identifier \
186 DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
187 DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha256Identifier, \
188 DER_OID_V_id_mgf1, \
189 DER_AID_V_sha256Identifier
190 static const unsigned char der_aid_mgf1SHA256Identifier[] = {
191 DER_AID_V_mgf1SHA256Identifier
192 };
193 #define DER_AID_SZ_mgf1SHA256Identifier sizeof(der_aid_mgf1SHA256Identifier)
194
195 #define DER_AID_V_mgf1SHA384Identifier \
196 DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
197 DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha384Identifier, \
198 DER_OID_V_id_mgf1, \
199 DER_AID_V_sha384Identifier
200 static const unsigned char der_aid_mgf1SHA384Identifier[] = {
201 DER_AID_V_mgf1SHA384Identifier
202 };
203 #define DER_AID_SZ_mgf1SHA384Identifier sizeof(der_aid_mgf1SHA384Identifier)
204
205 #define DER_AID_V_mgf1SHA512Identifier \
206 DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
207 DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha512Identifier, \
208 DER_OID_V_id_mgf1, \
209 DER_AID_V_sha512Identifier
210 static const unsigned char der_aid_mgf1SHA512Identifier[] = {
211 DER_AID_V_mgf1SHA512Identifier
212 };
213 #define DER_AID_SZ_mgf1SHA512Identifier sizeof(der_aid_mgf1SHA512Identifier)
214
215 #define DER_AID_V_mgf1SHA512_224Identifier \
216 DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
217 DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha512_224Identifier, \
218 DER_OID_V_id_mgf1, \
219 DER_AID_V_sha512_224Identifier
220 static const unsigned char der_aid_mgf1SHA512_224Identifier[] = {
221 DER_AID_V_mgf1SHA512_224Identifier
222 };
223 #define DER_AID_SZ_mgf1SHA512_224Identifier sizeof(der_aid_mgf1SHA512_224Identifier)
224
225 #define DER_AID_V_mgf1SHA512_256Identifier \
226 DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
227 DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha512_256Identifier, \
228 DER_OID_V_id_mgf1, \
229 DER_AID_V_sha512_256Identifier
230 static const unsigned char der_aid_mgf1SHA512_256Identifier[] = {
231 DER_AID_V_mgf1SHA512_256Identifier
232 };
233 #define DER_AID_SZ_mgf1SHA512_256Identifier sizeof(der_aid_mgf1SHA512_256Identifier)
234
235
236 #define MGF1_SHA_CASE(bits, var) \
237 case NID_sha##bits: \
238 var = der_aid_mgf1SHA##bits##Identifier; \
239 var##_sz = sizeof(der_aid_mgf1SHA##bits##Identifier); \
240 break;
241
242 /*-
243 * The name is borrowed from https://tools.ietf.org/html/rfc8017#appendix-A.2.1
244 *
245 * MaskGenAlgorithm ::= AlgorithmIdentifier { {PKCS1MGFAlgorithms} }
246 */
DER_w_MaskGenAlgorithm(WPACKET * pkt,int tag,const RSA_PSS_PARAMS_30 * pss)247 static int DER_w_MaskGenAlgorithm(WPACKET *pkt, int tag,
248 const RSA_PSS_PARAMS_30 *pss)
249 {
250 if (pss != NULL && ossl_rsa_pss_params_30_maskgenalg(pss) == NID_mgf1) {
251 int maskgenhashalg_nid = ossl_rsa_pss_params_30_maskgenhashalg(pss);
252 const unsigned char *maskgenalg = NULL;
253 size_t maskgenalg_sz = 0;
254
255 switch (maskgenhashalg_nid) {
256 case NID_sha1:
257 break;
258 MGF1_SHA_CASE(224, maskgenalg);
259 MGF1_SHA_CASE(256, maskgenalg);
260 MGF1_SHA_CASE(384, maskgenalg);
261 MGF1_SHA_CASE(512, maskgenalg);
262 MGF1_SHA_CASE(512_224, maskgenalg);
263 MGF1_SHA_CASE(512_256, maskgenalg);
264 default:
265 return 0;
266 }
267
268 /* If there is none (or it was the default), we write nothing */
269 if (maskgenalg == NULL)
270 return 1;
271
272 return ossl_DER_w_precompiled(pkt, tag, maskgenalg, maskgenalg_sz);
273 }
274 return 0;
275 }
276
277 #define OAEP_PSS_MD_CASE(name, var) \
278 case NID_##name: \
279 var = ossl_der_aid_##name##Identifier; \
280 var##_sz = sizeof(ossl_der_aid_##name##Identifier); \
281 break;
282
ossl_DER_w_RSASSA_PSS_params(WPACKET * pkt,int tag,const RSA_PSS_PARAMS_30 * pss)283 int ossl_DER_w_RSASSA_PSS_params(WPACKET *pkt, int tag,
284 const RSA_PSS_PARAMS_30 *pss)
285 {
286 int hashalg_nid, default_hashalg_nid;
287 int saltlen, default_saltlen;
288 int trailerfield, default_trailerfield;
289 const unsigned char *hashalg = NULL;
290 size_t hashalg_sz = 0;
291
292 /*
293 * For an unrestricted key, this function should not have been called;
294 * the caller must be in control, because unrestricted keys are permitted
295 * in some situations (when encoding the public key in a SubjectKeyInfo,
296 * for example) while not in others, and this function doesn't know the
297 * intent. Therefore, we assert that here, the PSS parameters must show
298 * that the key is restricted.
299 */
300 if (!ossl_assert(pss != NULL
301 && !ossl_rsa_pss_params_30_is_unrestricted(pss)))
302 return 0;
303
304 hashalg_nid = ossl_rsa_pss_params_30_hashalg(pss);
305 saltlen = ossl_rsa_pss_params_30_saltlen(pss);
306 trailerfield = ossl_rsa_pss_params_30_trailerfield(pss);
307
308 if (saltlen < 0) {
309 ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_SALT_LENGTH);
310 return 0;
311 }
312 if (trailerfield != 1) {
313 ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_TRAILER);
314 return 0;
315 }
316
317 /* Getting default values */
318 default_hashalg_nid = ossl_rsa_pss_params_30_hashalg(NULL);
319 default_saltlen = ossl_rsa_pss_params_30_saltlen(NULL);
320 default_trailerfield = ossl_rsa_pss_params_30_trailerfield(NULL);
321
322 /*
323 * From https://tools.ietf.org/html/rfc8017#appendix-A.2.1:
324 *
325 * OAEP-PSSDigestAlgorithms ALGORITHM-IDENTIFIER ::= {
326 * { OID id-sha1 PARAMETERS NULL }|
327 * { OID id-sha224 PARAMETERS NULL }|
328 * { OID id-sha256 PARAMETERS NULL }|
329 * { OID id-sha384 PARAMETERS NULL }|
330 * { OID id-sha512 PARAMETERS NULL }|
331 * { OID id-sha512-224 PARAMETERS NULL }|
332 * { OID id-sha512-256 PARAMETERS NULL },
333 * ... -- Allows for future expansion --
334 * }
335 */
336 switch (hashalg_nid) {
337 OAEP_PSS_MD_CASE(sha1, hashalg);
338 OAEP_PSS_MD_CASE(sha224, hashalg);
339 OAEP_PSS_MD_CASE(sha256, hashalg);
340 OAEP_PSS_MD_CASE(sha384, hashalg);
341 OAEP_PSS_MD_CASE(sha512, hashalg);
342 OAEP_PSS_MD_CASE(sha512_224, hashalg);
343 OAEP_PSS_MD_CASE(sha512_256, hashalg);
344 default:
345 return 0;
346 }
347
348 return ossl_DER_w_begin_sequence(pkt, tag)
349 && (trailerfield == default_trailerfield
350 || ossl_DER_w_uint32(pkt, 3, (uint32_t)trailerfield))
351 && (saltlen == default_saltlen || ossl_DER_w_uint32(pkt, 2, (uint32_t)saltlen))
352 && DER_w_MaskGenAlgorithm(pkt, 1, pss)
353 && (hashalg_nid == default_hashalg_nid
354 || ossl_DER_w_precompiled(pkt, 0, hashalg, hashalg_sz))
355 && ossl_DER_w_end_sequence(pkt, tag);
356 }
357
358 /* Aliases so we can have a uniform RSA_CASE */
359 #define ossl_der_oid_rsassaPss ossl_der_oid_id_RSASSA_PSS
360
361 #define RSA_CASE(name, var) \
362 var##_nid = NID_##name; \
363 var##_oid = ossl_der_oid_##name; \
364 var##_oid_sz = sizeof(ossl_der_oid_##name); \
365 break;
366
ossl_DER_w_algorithmIdentifier_RSA_PSS(WPACKET * pkt,int tag,int rsa_type,const RSA_PSS_PARAMS_30 * pss)367 int ossl_DER_w_algorithmIdentifier_RSA_PSS(WPACKET *pkt, int tag,
368 int rsa_type,
369 const RSA_PSS_PARAMS_30 *pss)
370 {
371 int rsa_nid = NID_undef;
372 const unsigned char *rsa_oid = NULL;
373 size_t rsa_oid_sz = 0;
374
375 switch (rsa_type) {
376 case RSA_FLAG_TYPE_RSA:
377 RSA_CASE(rsaEncryption, rsa);
378 case RSA_FLAG_TYPE_RSASSAPSS:
379 RSA_CASE(rsassaPss, rsa);
380 }
381
382 if (rsa_oid == NULL)
383 return 0;
384
385 return ossl_DER_w_begin_sequence(pkt, tag)
386 && (rsa_nid != NID_rsassaPss
387 || ossl_rsa_pss_params_30_is_unrestricted(pss)
388 || ossl_DER_w_RSASSA_PSS_params(pkt, -1, pss))
389 && ossl_DER_w_precompiled(pkt, -1, rsa_oid, rsa_oid_sz)
390 && ossl_DER_w_end_sequence(pkt, tag);
391 }
392
ossl_DER_w_algorithmIdentifier_RSA(WPACKET * pkt,int tag,RSA * rsa)393 int ossl_DER_w_algorithmIdentifier_RSA(WPACKET *pkt, int tag, RSA *rsa)
394 {
395 int rsa_type = RSA_test_flags(rsa, RSA_FLAG_TYPE_MASK);
396 RSA_PSS_PARAMS_30 *pss_params = ossl_rsa_get0_pss_params_30(rsa);
397
398 return ossl_DER_w_algorithmIdentifier_RSA_PSS(pkt, tag, rsa_type,
399 pss_params);
400 }
401