1 /* 2 * Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 /* 11 * RSA low level APIs are deprecated for public use, but still ok for 12 * internal use. 13 */ 14 #include "internal/deprecated.h" 15 16 #include <stdio.h> 17 #include "internal/cryptlib.h" 18 #include <openssl/asn1t.h> 19 #include <openssl/x509.h> 20 #include <openssl/bn.h> 21 #include <openssl/core_names.h> 22 #include <openssl/param_build.h> 23 #include "crypto/asn1.h" 24 #include "crypto/evp.h" 25 #include "crypto/rsa.h" 26 #include "rsa_local.h" 27 28 /* Set any parameters associated with pkey */ 29 static int rsa_param_encode(const EVP_PKEY *pkey, 30 ASN1_STRING **pstr, int *pstrtype) 31 { 32 const RSA *rsa = pkey->pkey.rsa; 33 34 *pstr = NULL; 35 /* If RSA it's just NULL type */ 36 if (RSA_test_flags(rsa, RSA_FLAG_TYPE_MASK) != RSA_FLAG_TYPE_RSASSAPSS) { 37 *pstrtype = V_ASN1_NULL; 38 return 1; 39 } 40 /* If no PSS parameters we omit parameters entirely */ 41 if (rsa->pss == NULL) { 42 *pstrtype = V_ASN1_UNDEF; 43 return 1; 44 } 45 /* Encode PSS parameters */ 46 if (ASN1_item_pack(rsa->pss, ASN1_ITEM_rptr(RSA_PSS_PARAMS), pstr) == NULL) 47 return 0; 48 49 *pstrtype = V_ASN1_SEQUENCE; 50 return 1; 51 } 52 /* Decode any parameters and set them in RSA structure */ 53 static int rsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey) 54 { 55 unsigned char *penc = NULL; 56 int penclen; 57 ASN1_STRING *str; 58 int strtype; 59 60 if (!rsa_param_encode(pkey, &str, &strtype)) 61 return 0; 62 penclen = i2d_RSAPublicKey(pkey->pkey.rsa, &penc); 63 if (penclen <= 0) 64 return 0; 65 if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(pkey->ameth->pkey_id), 66 strtype, str, penc, penclen)) 67 return 1; 68 69 OPENSSL_free(penc); 70 return 0; 71 } 72 73 static int rsa_pub_decode(EVP_PKEY *pkey, const X509_PUBKEY *pubkey) 74 { 75 const unsigned char *p; 76 int pklen; 77 X509_ALGOR *alg; 78 RSA *rsa = NULL; 79 80 if (!X509_PUBKEY_get0_param(NULL, &p, &pklen, &alg, pubkey)) 81 return 0; 82 if ((rsa = d2i_RSAPublicKey(NULL, &p, pklen)) == NULL) 83 return 0; 84 if (!ossl_rsa_param_decode(rsa, alg)) { 85 RSA_free(rsa); 86 return 0; 87 } 88 89 RSA_clear_flags(rsa, RSA_FLAG_TYPE_MASK); 90 switch (pkey->ameth->pkey_id) { 91 case EVP_PKEY_RSA: 92 RSA_set_flags(rsa, RSA_FLAG_TYPE_RSA); 93 break; 94 case EVP_PKEY_RSA_PSS: 95 RSA_set_flags(rsa, RSA_FLAG_TYPE_RSASSAPSS); 96 break; 97 default: 98 /* Leave the type bits zero */ 99 break; 100 } 101 102 if (!EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa)) { 103 RSA_free(rsa); 104 return 0; 105 } 106 return 1; 107 } 108 109 static int rsa_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b) 110 { 111 /* 112 * Don't check the public/private key, this is mostly for smart 113 * cards. 114 */ 115 if (((RSA_flags(a->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK)) 116 || (RSA_flags(b->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK)) { 117 return 1; 118 } 119 120 if (BN_cmp(b->pkey.rsa->n, a->pkey.rsa->n) != 0 121 || BN_cmp(b->pkey.rsa->e, a->pkey.rsa->e) != 0) 122 return 0; 123 return 1; 124 } 125 126 static int old_rsa_priv_decode(EVP_PKEY *pkey, 127 const unsigned char **pder, int derlen) 128 { 129 RSA *rsa; 130 131 if ((rsa = d2i_RSAPrivateKey(NULL, pder, derlen)) == NULL) 132 return 0; 133 EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa); 134 return 1; 135 } 136 137 static int old_rsa_priv_encode(const EVP_PKEY *pkey, unsigned char **pder) 138 { 139 return i2d_RSAPrivateKey(pkey->pkey.rsa, pder); 140 } 141 142 static int rsa_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey) 143 { 144 unsigned char *rk = NULL; 145 int rklen; 146 ASN1_STRING *str; 147 int strtype; 148 149 if (!rsa_param_encode(pkey, &str, &strtype)) 150 return 0; 151 rklen = i2d_RSAPrivateKey(pkey->pkey.rsa, &rk); 152 153 if (rklen <= 0) { 154 ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE); 155 ASN1_STRING_free(str); 156 return 0; 157 } 158 159 if (!PKCS8_pkey_set0(p8, OBJ_nid2obj(pkey->ameth->pkey_id), 0, 160 strtype, str, rk, rklen)) { 161 ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE); 162 ASN1_STRING_free(str); 163 OPENSSL_clear_free(rk, rklen); 164 return 0; 165 } 166 167 return 1; 168 } 169 170 static int rsa_priv_decode(EVP_PKEY *pkey, const PKCS8_PRIV_KEY_INFO *p8) 171 { 172 int ret = 0; 173 RSA *rsa = ossl_rsa_key_from_pkcs8(p8, NULL, NULL); 174 175 if (rsa != NULL) { 176 ret = 1; 177 EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa); 178 } 179 return ret; 180 } 181 182 static int int_rsa_size(const EVP_PKEY *pkey) 183 { 184 return RSA_size(pkey->pkey.rsa); 185 } 186 187 static int rsa_bits(const EVP_PKEY *pkey) 188 { 189 return BN_num_bits(pkey->pkey.rsa->n); 190 } 191 192 static int rsa_security_bits(const EVP_PKEY *pkey) 193 { 194 return RSA_security_bits(pkey->pkey.rsa); 195 } 196 197 static void int_rsa_free(EVP_PKEY *pkey) 198 { 199 RSA_free(pkey->pkey.rsa); 200 } 201 202 static int rsa_pss_param_print(BIO *bp, int pss_key, RSA_PSS_PARAMS *pss, 203 int indent) 204 { 205 int rv = 0; 206 X509_ALGOR *maskHash = NULL; 207 208 if (!BIO_indent(bp, indent, 128)) 209 goto err; 210 if (pss_key) { 211 if (pss == NULL) { 212 if (BIO_puts(bp, "No PSS parameter restrictions\n") <= 0) 213 return 0; 214 return 1; 215 } else { 216 if (BIO_puts(bp, "PSS parameter restrictions:") <= 0) 217 return 0; 218 } 219 } else if (pss == NULL) { 220 if (BIO_puts(bp,"(INVALID PSS PARAMETERS)\n") <= 0) 221 return 0; 222 return 1; 223 } 224 if (BIO_puts(bp, "\n") <= 0) 225 goto err; 226 if (pss_key) 227 indent += 2; 228 if (!BIO_indent(bp, indent, 128)) 229 goto err; 230 if (BIO_puts(bp, "Hash Algorithm: ") <= 0) 231 goto err; 232 233 if (pss->hashAlgorithm) { 234 if (i2a_ASN1_OBJECT(bp, pss->hashAlgorithm->algorithm) <= 0) 235 goto err; 236 } else if (BIO_puts(bp, "sha1 (default)") <= 0) { 237 goto err; 238 } 239 240 if (BIO_puts(bp, "\n") <= 0) 241 goto err; 242 243 if (!BIO_indent(bp, indent, 128)) 244 goto err; 245 246 if (BIO_puts(bp, "Mask Algorithm: ") <= 0) 247 goto err; 248 if (pss->maskGenAlgorithm) { 249 if (i2a_ASN1_OBJECT(bp, pss->maskGenAlgorithm->algorithm) <= 0) 250 goto err; 251 if (BIO_puts(bp, " with ") <= 0) 252 goto err; 253 maskHash = ossl_x509_algor_mgf1_decode(pss->maskGenAlgorithm); 254 if (maskHash != NULL) { 255 if (i2a_ASN1_OBJECT(bp, maskHash->algorithm) <= 0) 256 goto err; 257 } else if (BIO_puts(bp, "INVALID") <= 0) { 258 goto err; 259 } 260 } else if (BIO_puts(bp, "mgf1 with sha1 (default)") <= 0) { 261 goto err; 262 } 263 BIO_puts(bp, "\n"); 264 265 if (!BIO_indent(bp, indent, 128)) 266 goto err; 267 if (BIO_printf(bp, "%s Salt Length: 0x", pss_key ? "Minimum" : "") <= 0) 268 goto err; 269 if (pss->saltLength) { 270 if (i2a_ASN1_INTEGER(bp, pss->saltLength) <= 0) 271 goto err; 272 } else if (BIO_puts(bp, "14 (default)") <= 0) { 273 goto err; 274 } 275 BIO_puts(bp, "\n"); 276 277 if (!BIO_indent(bp, indent, 128)) 278 goto err; 279 if (BIO_puts(bp, "Trailer Field: 0x") <= 0) 280 goto err; 281 if (pss->trailerField) { 282 if (i2a_ASN1_INTEGER(bp, pss->trailerField) <= 0) 283 goto err; 284 } else if (BIO_puts(bp, "01 (default)") <= 0) { 285 goto err; 286 } 287 BIO_puts(bp, "\n"); 288 289 rv = 1; 290 291 err: 292 X509_ALGOR_free(maskHash); 293 return rv; 294 295 } 296 297 static int pkey_rsa_print(BIO *bp, const EVP_PKEY *pkey, int off, int priv) 298 { 299 const RSA *x = pkey->pkey.rsa; 300 char *str; 301 const char *s; 302 int ret = 0, mod_len = 0, ex_primes; 303 304 if (x->n != NULL) 305 mod_len = BN_num_bits(x->n); 306 ex_primes = sk_RSA_PRIME_INFO_num(x->prime_infos); 307 308 if (!BIO_indent(bp, off, 128)) 309 goto err; 310 311 if (BIO_printf(bp, "%s ", pkey_is_pss(pkey) ? "RSA-PSS" : "RSA") <= 0) 312 goto err; 313 314 if (priv && x->d) { 315 if (BIO_printf(bp, "Private-Key: (%d bit, %d primes)\n", 316 mod_len, ex_primes <= 0 ? 2 : ex_primes + 2) <= 0) 317 goto err; 318 str = "modulus:"; 319 s = "publicExponent:"; 320 } else { 321 if (BIO_printf(bp, "Public-Key: (%d bit)\n", mod_len) <= 0) 322 goto err; 323 str = "Modulus:"; 324 s = "Exponent:"; 325 } 326 if (!ASN1_bn_print(bp, str, x->n, NULL, off)) 327 goto err; 328 if (!ASN1_bn_print(bp, s, x->e, NULL, off)) 329 goto err; 330 if (priv) { 331 int i; 332 333 if (!ASN1_bn_print(bp, "privateExponent:", x->d, NULL, off)) 334 goto err; 335 if (!ASN1_bn_print(bp, "prime1:", x->p, NULL, off)) 336 goto err; 337 if (!ASN1_bn_print(bp, "prime2:", x->q, NULL, off)) 338 goto err; 339 if (!ASN1_bn_print(bp, "exponent1:", x->dmp1, NULL, off)) 340 goto err; 341 if (!ASN1_bn_print(bp, "exponent2:", x->dmq1, NULL, off)) 342 goto err; 343 if (!ASN1_bn_print(bp, "coefficient:", x->iqmp, NULL, off)) 344 goto err; 345 for (i = 0; i < sk_RSA_PRIME_INFO_num(x->prime_infos); i++) { 346 /* print multi-prime info */ 347 BIGNUM *bn = NULL; 348 RSA_PRIME_INFO *pinfo; 349 int j; 350 351 pinfo = sk_RSA_PRIME_INFO_value(x->prime_infos, i); 352 for (j = 0; j < 3; j++) { 353 if (!BIO_indent(bp, off, 128)) 354 goto err; 355 switch (j) { 356 case 0: 357 if (BIO_printf(bp, "prime%d:", i + 3) <= 0) 358 goto err; 359 bn = pinfo->r; 360 break; 361 case 1: 362 if (BIO_printf(bp, "exponent%d:", i + 3) <= 0) 363 goto err; 364 bn = pinfo->d; 365 break; 366 case 2: 367 if (BIO_printf(bp, "coefficient%d:", i + 3) <= 0) 368 goto err; 369 bn = pinfo->t; 370 break; 371 default: 372 break; 373 } 374 if (!ASN1_bn_print(bp, "", bn, NULL, off)) 375 goto err; 376 } 377 } 378 } 379 if (pkey_is_pss(pkey) && !rsa_pss_param_print(bp, 1, x->pss, off)) 380 goto err; 381 ret = 1; 382 err: 383 return ret; 384 } 385 386 static int rsa_pub_print(BIO *bp, const EVP_PKEY *pkey, int indent, 387 ASN1_PCTX *ctx) 388 { 389 return pkey_rsa_print(bp, pkey, indent, 0); 390 } 391 392 static int rsa_priv_print(BIO *bp, const EVP_PKEY *pkey, int indent, 393 ASN1_PCTX *ctx) 394 { 395 return pkey_rsa_print(bp, pkey, indent, 1); 396 } 397 398 static int rsa_sig_print(BIO *bp, const X509_ALGOR *sigalg, 399 const ASN1_STRING *sig, int indent, ASN1_PCTX *pctx) 400 { 401 if (OBJ_obj2nid(sigalg->algorithm) == EVP_PKEY_RSA_PSS) { 402 int rv; 403 RSA_PSS_PARAMS *pss = ossl_rsa_pss_decode(sigalg); 404 405 rv = rsa_pss_param_print(bp, 0, pss, indent); 406 RSA_PSS_PARAMS_free(pss); 407 if (!rv) 408 return 0; 409 } else if (BIO_puts(bp, "\n") <= 0) { 410 return 0; 411 } 412 if (sig) 413 return X509_signature_dump(bp, sig, indent); 414 return 1; 415 } 416 417 static int rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2) 418 { 419 const EVP_MD *md; 420 const EVP_MD *mgf1md; 421 int min_saltlen; 422 423 switch (op) { 424 case ASN1_PKEY_CTRL_DEFAULT_MD_NID: 425 if (pkey->pkey.rsa->pss != NULL) { 426 if (!ossl_rsa_pss_get_param(pkey->pkey.rsa->pss, &md, &mgf1md, 427 &min_saltlen)) { 428 ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); 429 return 0; 430 } 431 *(int *)arg2 = EVP_MD_get_type(md); 432 /* Return of 2 indicates this MD is mandatory */ 433 return 2; 434 } 435 *(int *)arg2 = NID_sha256; 436 return 1; 437 438 default: 439 return -2; 440 } 441 } 442 443 /* 444 * Convert EVP_PKEY_CTX in PSS mode into corresponding algorithm parameter, 445 * suitable for setting an AlgorithmIdentifier. 446 */ 447 448 static RSA_PSS_PARAMS *rsa_ctx_to_pss(EVP_PKEY_CTX *pkctx) 449 { 450 const EVP_MD *sigmd, *mgf1md; 451 EVP_PKEY *pk = EVP_PKEY_CTX_get0_pkey(pkctx); 452 int saltlen; 453 454 if (EVP_PKEY_CTX_get_signature_md(pkctx, &sigmd) <= 0) 455 return NULL; 456 if (EVP_PKEY_CTX_get_rsa_mgf1_md(pkctx, &mgf1md) <= 0) 457 return NULL; 458 if (EVP_PKEY_CTX_get_rsa_pss_saltlen(pkctx, &saltlen) <= 0) 459 return NULL; 460 if (saltlen == -1) { 461 saltlen = EVP_MD_get_size(sigmd); 462 } else if (saltlen == -2 || saltlen == -3) { 463 saltlen = EVP_PKEY_get_size(pk) - EVP_MD_get_size(sigmd) - 2; 464 if ((EVP_PKEY_get_bits(pk) & 0x7) == 1) 465 saltlen--; 466 if (saltlen < 0) 467 return NULL; 468 } 469 470 return ossl_rsa_pss_params_create(sigmd, mgf1md, saltlen); 471 } 472 473 RSA_PSS_PARAMS *ossl_rsa_pss_params_create(const EVP_MD *sigmd, 474 const EVP_MD *mgf1md, int saltlen) 475 { 476 RSA_PSS_PARAMS *pss = RSA_PSS_PARAMS_new(); 477 478 if (pss == NULL) 479 goto err; 480 if (saltlen != 20) { 481 pss->saltLength = ASN1_INTEGER_new(); 482 if (pss->saltLength == NULL) 483 goto err; 484 if (!ASN1_INTEGER_set(pss->saltLength, saltlen)) 485 goto err; 486 } 487 if (!ossl_x509_algor_new_from_md(&pss->hashAlgorithm, sigmd)) 488 goto err; 489 if (mgf1md == NULL) 490 mgf1md = sigmd; 491 if (!ossl_x509_algor_md_to_mgf1(&pss->maskGenAlgorithm, mgf1md)) 492 goto err; 493 if (!ossl_x509_algor_new_from_md(&pss->maskHash, mgf1md)) 494 goto err; 495 return pss; 496 err: 497 RSA_PSS_PARAMS_free(pss); 498 return NULL; 499 } 500 501 ASN1_STRING *ossl_rsa_ctx_to_pss_string(EVP_PKEY_CTX *pkctx) 502 { 503 RSA_PSS_PARAMS *pss = rsa_ctx_to_pss(pkctx); 504 ASN1_STRING *os; 505 506 if (pss == NULL) 507 return NULL; 508 509 os = ASN1_item_pack(pss, ASN1_ITEM_rptr(RSA_PSS_PARAMS), NULL); 510 RSA_PSS_PARAMS_free(pss); 511 return os; 512 } 513 514 /* 515 * From PSS AlgorithmIdentifier set public key parameters. If pkey isn't NULL 516 * then the EVP_MD_CTX is setup and initialised. If it is NULL parameters are 517 * passed to pkctx instead. 518 */ 519 520 int ossl_rsa_pss_to_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pkctx, 521 const X509_ALGOR *sigalg, EVP_PKEY *pkey) 522 { 523 int rv = -1; 524 int saltlen; 525 const EVP_MD *mgf1md = NULL, *md = NULL; 526 RSA_PSS_PARAMS *pss; 527 528 /* Sanity check: make sure it is PSS */ 529 if (OBJ_obj2nid(sigalg->algorithm) != EVP_PKEY_RSA_PSS) { 530 ERR_raise(ERR_LIB_RSA, RSA_R_UNSUPPORTED_SIGNATURE_TYPE); 531 return -1; 532 } 533 /* Decode PSS parameters */ 534 pss = ossl_rsa_pss_decode(sigalg); 535 536 if (!ossl_rsa_pss_get_param(pss, &md, &mgf1md, &saltlen)) { 537 ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_PSS_PARAMETERS); 538 goto err; 539 } 540 541 /* We have all parameters now set up context */ 542 if (pkey) { 543 if (!EVP_DigestVerifyInit(ctx, &pkctx, md, NULL, pkey)) 544 goto err; 545 } else { 546 const EVP_MD *checkmd; 547 if (EVP_PKEY_CTX_get_signature_md(pkctx, &checkmd) <= 0) 548 goto err; 549 if (EVP_MD_get_type(md) != EVP_MD_get_type(checkmd)) { 550 ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_DOES_NOT_MATCH); 551 goto err; 552 } 553 } 554 555 if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_PSS_PADDING) <= 0) 556 goto err; 557 558 if (EVP_PKEY_CTX_set_rsa_pss_saltlen(pkctx, saltlen) <= 0) 559 goto err; 560 561 if (EVP_PKEY_CTX_set_rsa_mgf1_md(pkctx, mgf1md) <= 0) 562 goto err; 563 /* Carry on */ 564 rv = 1; 565 566 err: 567 RSA_PSS_PARAMS_free(pss); 568 return rv; 569 } 570 571 static int rsa_pss_verify_param(const EVP_MD **pmd, const EVP_MD **pmgf1md, 572 int *psaltlen, int *ptrailerField) 573 { 574 if (psaltlen != NULL && *psaltlen < 0) { 575 ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_SALT_LENGTH); 576 return 0; 577 } 578 /* 579 * low-level routines support only trailer field 0xbc (value 1) and 580 * PKCS#1 says we should reject any other value anyway. 581 */ 582 if (ptrailerField != NULL && *ptrailerField != 1) { 583 ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_TRAILER); 584 return 0; 585 } 586 return 1; 587 } 588 589 int ossl_rsa_pss_get_param(const RSA_PSS_PARAMS *pss, const EVP_MD **pmd, 590 const EVP_MD **pmgf1md, int *psaltlen) 591 { 592 /* 593 * Callers do not care about the trailer field, and yet, we must 594 * pass it from get_param to verify_param, since the latter checks 595 * its value. 596 * 597 * When callers start caring, it's a simple thing to add another 598 * argument to this function. 599 */ 600 int trailerField = 0; 601 602 return ossl_rsa_pss_get_param_unverified(pss, pmd, pmgf1md, psaltlen, 603 &trailerField) 604 && rsa_pss_verify_param(pmd, pmgf1md, psaltlen, &trailerField); 605 } 606 607 /* 608 * Customised RSA item verification routine. This is called when a signature 609 * is encountered requiring special handling. We currently only handle PSS. 610 */ 611 612 static int rsa_item_verify(EVP_MD_CTX *ctx, const ASN1_ITEM *it, 613 const void *asn, const X509_ALGOR *sigalg, 614 const ASN1_BIT_STRING *sig, EVP_PKEY *pkey) 615 { 616 /* Sanity check: make sure it is PSS */ 617 if (OBJ_obj2nid(sigalg->algorithm) != EVP_PKEY_RSA_PSS) { 618 ERR_raise(ERR_LIB_RSA, RSA_R_UNSUPPORTED_SIGNATURE_TYPE); 619 return -1; 620 } 621 if (ossl_rsa_pss_to_ctx(ctx, NULL, sigalg, pkey) > 0) { 622 /* Carry on */ 623 return 2; 624 } 625 return -1; 626 } 627 628 static int rsa_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, const void *asn, 629 X509_ALGOR *alg1, X509_ALGOR *alg2, 630 ASN1_BIT_STRING *sig) 631 { 632 int pad_mode; 633 EVP_PKEY_CTX *pkctx = EVP_MD_CTX_get_pkey_ctx(ctx); 634 635 if (EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode) <= 0) 636 return 0; 637 if (pad_mode == RSA_PKCS1_PADDING) 638 return 2; 639 if (pad_mode == RSA_PKCS1_PSS_PADDING) { 640 unsigned char aid[128]; 641 size_t aid_len = 0; 642 OSSL_PARAM params[2]; 643 644 if (evp_pkey_ctx_is_legacy(pkctx)) { 645 /* No provider -> we cannot query it for algorithm ID. */ 646 ASN1_STRING *os1 = NULL; 647 648 os1 = ossl_rsa_ctx_to_pss_string(pkctx); 649 if (os1 == NULL) 650 return 0; 651 /* Duplicate parameters if we have to */ 652 if (alg2 != NULL) { 653 ASN1_STRING *os2 = ASN1_STRING_dup(os1); 654 655 if (os2 == NULL) { 656 ASN1_STRING_free(os1); 657 return 0; 658 } 659 if (!X509_ALGOR_set0(alg2, OBJ_nid2obj(EVP_PKEY_RSA_PSS), 660 V_ASN1_SEQUENCE, os2)) { 661 ASN1_STRING_free(os1); 662 ASN1_STRING_free(os2); 663 return 0; 664 } 665 } 666 if (!X509_ALGOR_set0(alg1, OBJ_nid2obj(EVP_PKEY_RSA_PSS), 667 V_ASN1_SEQUENCE, os1)) { 668 ASN1_STRING_free(os1); 669 return 0; 670 } 671 return 3; 672 } 673 674 params[0] = OSSL_PARAM_construct_octet_string( 675 OSSL_SIGNATURE_PARAM_ALGORITHM_ID, aid, sizeof(aid)); 676 params[1] = OSSL_PARAM_construct_end(); 677 678 if (EVP_PKEY_CTX_get_params(pkctx, params) <= 0) 679 return 0; 680 if ((aid_len = params[0].return_size) == 0) 681 return 0; 682 683 if (alg1 != NULL) { 684 const unsigned char *pp = aid; 685 686 if (d2i_X509_ALGOR(&alg1, &pp, aid_len) == NULL) 687 return 0; 688 } 689 if (alg2 != NULL) { 690 const unsigned char *pp = aid; 691 692 if (d2i_X509_ALGOR(&alg2, &pp, aid_len) == NULL) 693 return 0; 694 } 695 696 return 3; 697 } 698 return 2; 699 } 700 701 static int rsa_sig_info_set(X509_SIG_INFO *siginf, const X509_ALGOR *sigalg, 702 const ASN1_STRING *sig) 703 { 704 int rv = 0; 705 int mdnid, saltlen; 706 uint32_t flags; 707 const EVP_MD *mgf1md = NULL, *md = NULL; 708 RSA_PSS_PARAMS *pss; 709 int secbits; 710 711 /* Sanity check: make sure it is PSS */ 712 if (OBJ_obj2nid(sigalg->algorithm) != EVP_PKEY_RSA_PSS) 713 return 0; 714 /* Decode PSS parameters */ 715 pss = ossl_rsa_pss_decode(sigalg); 716 if (!ossl_rsa_pss_get_param(pss, &md, &mgf1md, &saltlen)) 717 goto err; 718 mdnid = EVP_MD_get_type(md); 719 /* 720 * For TLS need SHA256, SHA384 or SHA512, digest and MGF1 digest must 721 * match and salt length must equal digest size 722 */ 723 if ((mdnid == NID_sha256 || mdnid == NID_sha384 || mdnid == NID_sha512) 724 && mdnid == EVP_MD_get_type(mgf1md) 725 && saltlen == EVP_MD_get_size(md)) 726 flags = X509_SIG_INFO_TLS; 727 else 728 flags = 0; 729 /* Note: security bits half number of digest bits */ 730 secbits = EVP_MD_get_size(md) * 4; 731 /* 732 * SHA1 and MD5 are known to be broken. Reduce security bits so that 733 * they're no longer accepted at security level 1. The real values don't 734 * really matter as long as they're lower than 80, which is our security 735 * level 1. 736 * https://eprint.iacr.org/2020/014 puts a chosen-prefix attack for SHA1 at 737 * 2^63.4 738 * https://documents.epfl.ch/users/l/le/lenstra/public/papers/lat.pdf 739 * puts a chosen-prefix attack for MD5 at 2^39. 740 */ 741 if (mdnid == NID_sha1) 742 secbits = 64; 743 else if (mdnid == NID_md5_sha1) 744 secbits = 68; 745 else if (mdnid == NID_md5) 746 secbits = 39; 747 X509_SIG_INFO_set(siginf, mdnid, EVP_PKEY_RSA_PSS, secbits, 748 flags); 749 rv = 1; 750 err: 751 RSA_PSS_PARAMS_free(pss); 752 return rv; 753 } 754 755 static int rsa_pkey_check(const EVP_PKEY *pkey) 756 { 757 return RSA_check_key_ex(pkey->pkey.rsa, NULL); 758 } 759 760 static size_t rsa_pkey_dirty_cnt(const EVP_PKEY *pkey) 761 { 762 return pkey->pkey.rsa->dirty_cnt; 763 } 764 765 /* 766 * There is no need to do RSA_test_flags(rsa, RSA_FLAG_TYPE_RSASSAPSS) 767 * checks in this method since the caller tests EVP_KEYMGMT_is_a() first. 768 */ 769 static int rsa_int_export_to(const EVP_PKEY *from, int rsa_type, 770 void *to_keydata, 771 OSSL_FUNC_keymgmt_import_fn *importer, 772 OSSL_LIB_CTX *libctx, const char *propq) 773 { 774 RSA *rsa = from->pkey.rsa; 775 OSSL_PARAM_BLD *tmpl = OSSL_PARAM_BLD_new(); 776 OSSL_PARAM *params = NULL; 777 int selection = 0; 778 int rv = 0; 779 780 if (tmpl == NULL) 781 return 0; 782 /* Public parameters must always be present */ 783 if (RSA_get0_n(rsa) == NULL || RSA_get0_e(rsa) == NULL) 784 goto err; 785 786 if (!ossl_rsa_todata(rsa, tmpl, NULL, 1)) 787 goto err; 788 789 selection |= OSSL_KEYMGMT_SELECT_PUBLIC_KEY; 790 if (RSA_get0_d(rsa) != NULL) 791 selection |= OSSL_KEYMGMT_SELECT_PRIVATE_KEY; 792 793 if (rsa->pss != NULL) { 794 const EVP_MD *md = NULL, *mgf1md = NULL; 795 int md_nid, mgf1md_nid, saltlen, trailerfield; 796 RSA_PSS_PARAMS_30 pss_params; 797 798 if (!ossl_rsa_pss_get_param_unverified(rsa->pss, &md, &mgf1md, 799 &saltlen, &trailerfield)) 800 goto err; 801 md_nid = EVP_MD_get_type(md); 802 mgf1md_nid = EVP_MD_get_type(mgf1md); 803 if (!ossl_rsa_pss_params_30_set_defaults(&pss_params) 804 || !ossl_rsa_pss_params_30_set_hashalg(&pss_params, md_nid) 805 || !ossl_rsa_pss_params_30_set_maskgenhashalg(&pss_params, 806 mgf1md_nid) 807 || !ossl_rsa_pss_params_30_set_saltlen(&pss_params, saltlen) 808 || !ossl_rsa_pss_params_30_todata(&pss_params, tmpl, NULL)) 809 goto err; 810 selection |= OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS; 811 } 812 813 if ((params = OSSL_PARAM_BLD_to_param(tmpl)) == NULL) 814 goto err; 815 816 /* We export, the provider imports */ 817 rv = importer(to_keydata, selection, params); 818 819 err: 820 OSSL_PARAM_free(params); 821 OSSL_PARAM_BLD_free(tmpl); 822 return rv; 823 } 824 825 static int rsa_int_import_from(const OSSL_PARAM params[], void *vpctx, 826 int rsa_type) 827 { 828 EVP_PKEY_CTX *pctx = vpctx; 829 EVP_PKEY *pkey = EVP_PKEY_CTX_get0_pkey(pctx); 830 RSA *rsa = ossl_rsa_new_with_ctx(pctx->libctx); 831 RSA_PSS_PARAMS_30 rsa_pss_params = { 0, }; 832 int pss_defaults_set = 0; 833 int ok = 0; 834 835 if (rsa == NULL) { 836 ERR_raise(ERR_LIB_DH, ERR_R_MALLOC_FAILURE); 837 return 0; 838 } 839 840 RSA_clear_flags(rsa, RSA_FLAG_TYPE_MASK); 841 RSA_set_flags(rsa, rsa_type); 842 843 if (!ossl_rsa_pss_params_30_fromdata(&rsa_pss_params, &pss_defaults_set, 844 params, pctx->libctx)) 845 goto err; 846 847 switch (rsa_type) { 848 case RSA_FLAG_TYPE_RSA: 849 /* 850 * Were PSS parameters filled in? 851 * In that case, something's wrong 852 */ 853 if (!ossl_rsa_pss_params_30_is_unrestricted(&rsa_pss_params)) 854 goto err; 855 break; 856 case RSA_FLAG_TYPE_RSASSAPSS: 857 /* 858 * Were PSS parameters filled in? In that case, create the old 859 * RSA_PSS_PARAMS structure. Otherwise, this is an unrestricted key. 860 */ 861 if (!ossl_rsa_pss_params_30_is_unrestricted(&rsa_pss_params)) { 862 /* Create the older RSA_PSS_PARAMS from RSA_PSS_PARAMS_30 data */ 863 int mdnid = ossl_rsa_pss_params_30_hashalg(&rsa_pss_params); 864 int mgf1mdnid = ossl_rsa_pss_params_30_maskgenhashalg(&rsa_pss_params); 865 int saltlen = ossl_rsa_pss_params_30_saltlen(&rsa_pss_params); 866 const EVP_MD *md = EVP_get_digestbynid(mdnid); 867 const EVP_MD *mgf1md = EVP_get_digestbynid(mgf1mdnid); 868 869 if ((rsa->pss = ossl_rsa_pss_params_create(md, mgf1md, 870 saltlen)) == NULL) 871 goto err; 872 } 873 break; 874 default: 875 /* RSA key sub-types we don't know how to handle yet */ 876 goto err; 877 } 878 879 if (!ossl_rsa_fromdata(rsa, params, 1)) 880 goto err; 881 882 switch (rsa_type) { 883 case RSA_FLAG_TYPE_RSA: 884 ok = EVP_PKEY_assign_RSA(pkey, rsa); 885 break; 886 case RSA_FLAG_TYPE_RSASSAPSS: 887 ok = EVP_PKEY_assign(pkey, EVP_PKEY_RSA_PSS, rsa); 888 break; 889 } 890 891 err: 892 if (!ok) 893 RSA_free(rsa); 894 return ok; 895 } 896 897 static int rsa_pkey_export_to(const EVP_PKEY *from, void *to_keydata, 898 OSSL_FUNC_keymgmt_import_fn *importer, 899 OSSL_LIB_CTX *libctx, const char *propq) 900 { 901 return rsa_int_export_to(from, RSA_FLAG_TYPE_RSA, to_keydata, 902 importer, libctx, propq); 903 } 904 905 static int rsa_pss_pkey_export_to(const EVP_PKEY *from, void *to_keydata, 906 OSSL_FUNC_keymgmt_import_fn *importer, 907 OSSL_LIB_CTX *libctx, const char *propq) 908 { 909 return rsa_int_export_to(from, RSA_FLAG_TYPE_RSASSAPSS, to_keydata, 910 importer, libctx, propq); 911 } 912 913 static int rsa_pkey_import_from(const OSSL_PARAM params[], void *vpctx) 914 { 915 return rsa_int_import_from(params, vpctx, RSA_FLAG_TYPE_RSA); 916 } 917 918 static int rsa_pss_pkey_import_from(const OSSL_PARAM params[], void *vpctx) 919 { 920 return rsa_int_import_from(params, vpctx, RSA_FLAG_TYPE_RSASSAPSS); 921 } 922 923 static int rsa_pkey_copy(EVP_PKEY *to, EVP_PKEY *from) 924 { 925 RSA *rsa = from->pkey.rsa; 926 RSA *dupkey = NULL; 927 int ret; 928 929 if (rsa != NULL) { 930 dupkey = ossl_rsa_dup(rsa, OSSL_KEYMGMT_SELECT_ALL); 931 if (dupkey == NULL) 932 return 0; 933 } 934 935 ret = EVP_PKEY_assign(to, from->type, dupkey); 936 if (!ret) 937 RSA_free(dupkey); 938 return ret; 939 } 940 941 const EVP_PKEY_ASN1_METHOD ossl_rsa_asn1_meths[2] = { 942 { 943 EVP_PKEY_RSA, 944 EVP_PKEY_RSA, 945 ASN1_PKEY_SIGPARAM_NULL, 946 947 "RSA", 948 "OpenSSL RSA method", 949 950 rsa_pub_decode, 951 rsa_pub_encode, 952 rsa_pub_cmp, 953 rsa_pub_print, 954 955 rsa_priv_decode, 956 rsa_priv_encode, 957 rsa_priv_print, 958 959 int_rsa_size, 960 rsa_bits, 961 rsa_security_bits, 962 963 0, 0, 0, 0, 0, 0, 964 965 rsa_sig_print, 966 int_rsa_free, 967 rsa_pkey_ctrl, 968 old_rsa_priv_decode, 969 old_rsa_priv_encode, 970 rsa_item_verify, 971 rsa_item_sign, 972 rsa_sig_info_set, 973 rsa_pkey_check, 974 975 0, 0, 976 0, 0, 0, 0, 977 978 rsa_pkey_dirty_cnt, 979 rsa_pkey_export_to, 980 rsa_pkey_import_from, 981 rsa_pkey_copy 982 }, 983 984 { 985 EVP_PKEY_RSA2, 986 EVP_PKEY_RSA, 987 ASN1_PKEY_ALIAS} 988 }; 989 990 const EVP_PKEY_ASN1_METHOD ossl_rsa_pss_asn1_meth = { 991 EVP_PKEY_RSA_PSS, 992 EVP_PKEY_RSA_PSS, 993 ASN1_PKEY_SIGPARAM_NULL, 994 995 "RSA-PSS", 996 "OpenSSL RSA-PSS method", 997 998 rsa_pub_decode, 999 rsa_pub_encode, 1000 rsa_pub_cmp, 1001 rsa_pub_print, 1002 1003 rsa_priv_decode, 1004 rsa_priv_encode, 1005 rsa_priv_print, 1006 1007 int_rsa_size, 1008 rsa_bits, 1009 rsa_security_bits, 1010 1011 0, 0, 0, 0, 0, 0, 1012 1013 rsa_sig_print, 1014 int_rsa_free, 1015 rsa_pkey_ctrl, 1016 0, 0, 1017 rsa_item_verify, 1018 rsa_item_sign, 1019 rsa_sig_info_set, 1020 rsa_pkey_check, 1021 1022 0, 0, 1023 0, 0, 0, 0, 1024 1025 rsa_pkey_dirty_cnt, 1026 rsa_pss_pkey_export_to, 1027 rsa_pss_pkey_import_from, 1028 rsa_pkey_copy 1029 }; 1030