1 /* 2 * Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 /* 11 * RSA low level APIs are deprecated for public use, but still ok for 12 * internal use. 13 */ 14 #include "internal/deprecated.h" 15 16 #include <stdio.h> 17 #include "internal/cryptlib.h" 18 #include <openssl/asn1t.h> 19 #include <openssl/x509.h> 20 #include <openssl/bn.h> 21 #include <openssl/core_names.h> 22 #include <openssl/param_build.h> 23 #include "crypto/asn1.h" 24 #include "crypto/evp.h" 25 #include "crypto/rsa.h" 26 #include "rsa_local.h" 27 28 /* Set any parameters associated with pkey */ 29 static int rsa_param_encode(const EVP_PKEY *pkey, 30 ASN1_STRING **pstr, int *pstrtype) 31 { 32 const RSA *rsa = pkey->pkey.rsa; 33 34 *pstr = NULL; 35 /* If RSA it's just NULL type */ 36 if (RSA_test_flags(rsa, RSA_FLAG_TYPE_MASK) != RSA_FLAG_TYPE_RSASSAPSS) { 37 *pstrtype = V_ASN1_NULL; 38 return 1; 39 } 40 /* If no PSS parameters we omit parameters entirely */ 41 if (rsa->pss == NULL) { 42 *pstrtype = V_ASN1_UNDEF; 43 return 1; 44 } 45 /* Encode PSS parameters */ 46 if (ASN1_item_pack(rsa->pss, ASN1_ITEM_rptr(RSA_PSS_PARAMS), pstr) == NULL) 47 return 0; 48 49 *pstrtype = V_ASN1_SEQUENCE; 50 return 1; 51 } 52 /* Decode any parameters and set them in RSA structure */ 53 static int rsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey) 54 { 55 unsigned char *penc = NULL; 56 int penclen; 57 ASN1_STRING *str; 58 int strtype; 59 60 if (!rsa_param_encode(pkey, &str, &strtype)) 61 return 0; 62 penclen = i2d_RSAPublicKey(pkey->pkey.rsa, &penc); 63 if (penclen <= 0) { 64 ASN1_STRING_free(str); 65 return 0; 66 } 67 if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(pkey->ameth->pkey_id), 68 strtype, str, penc, penclen)) 69 return 1; 70 71 OPENSSL_free(penc); 72 ASN1_STRING_free(str); 73 return 0; 74 } 75 76 static int rsa_pub_decode(EVP_PKEY *pkey, const X509_PUBKEY *pubkey) 77 { 78 const unsigned char *p; 79 int pklen; 80 X509_ALGOR *alg; 81 RSA *rsa = NULL; 82 83 if (!X509_PUBKEY_get0_param(NULL, &p, &pklen, &alg, pubkey)) 84 return 0; 85 if ((rsa = d2i_RSAPublicKey(NULL, &p, pklen)) == NULL) 86 return 0; 87 if (!ossl_rsa_param_decode(rsa, alg)) { 88 RSA_free(rsa); 89 return 0; 90 } 91 92 RSA_clear_flags(rsa, RSA_FLAG_TYPE_MASK); 93 switch (pkey->ameth->pkey_id) { 94 case EVP_PKEY_RSA: 95 RSA_set_flags(rsa, RSA_FLAG_TYPE_RSA); 96 break; 97 case EVP_PKEY_RSA_PSS: 98 RSA_set_flags(rsa, RSA_FLAG_TYPE_RSASSAPSS); 99 break; 100 default: 101 /* Leave the type bits zero */ 102 break; 103 } 104 105 if (!EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa)) { 106 RSA_free(rsa); 107 return 0; 108 } 109 return 1; 110 } 111 112 static int rsa_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b) 113 { 114 /* 115 * Don't check the public/private key, this is mostly for smart 116 * cards. 117 */ 118 if (((RSA_flags(a->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK)) 119 || (RSA_flags(b->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK)) { 120 return 1; 121 } 122 123 if (BN_cmp(b->pkey.rsa->n, a->pkey.rsa->n) != 0 124 || BN_cmp(b->pkey.rsa->e, a->pkey.rsa->e) != 0) 125 return 0; 126 return 1; 127 } 128 129 static int old_rsa_priv_decode(EVP_PKEY *pkey, 130 const unsigned char **pder, int derlen) 131 { 132 RSA *rsa; 133 134 if ((rsa = d2i_RSAPrivateKey(NULL, pder, derlen)) == NULL) 135 return 0; 136 EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa); 137 return 1; 138 } 139 140 static int old_rsa_priv_encode(const EVP_PKEY *pkey, unsigned char **pder) 141 { 142 return i2d_RSAPrivateKey(pkey->pkey.rsa, pder); 143 } 144 145 static int rsa_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey) 146 { 147 unsigned char *rk = NULL; 148 int rklen; 149 ASN1_STRING *str; 150 int strtype; 151 152 if (!rsa_param_encode(pkey, &str, &strtype)) 153 return 0; 154 rklen = i2d_RSAPrivateKey(pkey->pkey.rsa, &rk); 155 156 if (rklen <= 0) { 157 ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE); 158 ASN1_STRING_free(str); 159 return 0; 160 } 161 162 if (!PKCS8_pkey_set0(p8, OBJ_nid2obj(pkey->ameth->pkey_id), 0, 163 strtype, str, rk, rklen)) { 164 ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE); 165 ASN1_STRING_free(str); 166 OPENSSL_clear_free(rk, rklen); 167 return 0; 168 } 169 170 return 1; 171 } 172 173 static int rsa_priv_decode(EVP_PKEY *pkey, const PKCS8_PRIV_KEY_INFO *p8) 174 { 175 int ret = 0; 176 RSA *rsa = ossl_rsa_key_from_pkcs8(p8, NULL, NULL); 177 178 if (rsa != NULL) { 179 ret = 1; 180 EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa); 181 } 182 return ret; 183 } 184 185 static int int_rsa_size(const EVP_PKEY *pkey) 186 { 187 return RSA_size(pkey->pkey.rsa); 188 } 189 190 static int rsa_bits(const EVP_PKEY *pkey) 191 { 192 return BN_num_bits(pkey->pkey.rsa->n); 193 } 194 195 static int rsa_security_bits(const EVP_PKEY *pkey) 196 { 197 return RSA_security_bits(pkey->pkey.rsa); 198 } 199 200 static void int_rsa_free(EVP_PKEY *pkey) 201 { 202 RSA_free(pkey->pkey.rsa); 203 } 204 205 static int rsa_pss_param_print(BIO *bp, int pss_key, RSA_PSS_PARAMS *pss, 206 int indent) 207 { 208 int rv = 0; 209 X509_ALGOR *maskHash = NULL; 210 211 if (!BIO_indent(bp, indent, 128)) 212 goto err; 213 if (pss_key) { 214 if (pss == NULL) { 215 if (BIO_puts(bp, "No PSS parameter restrictions\n") <= 0) 216 return 0; 217 return 1; 218 } else { 219 if (BIO_puts(bp, "PSS parameter restrictions:") <= 0) 220 return 0; 221 } 222 } else if (pss == NULL) { 223 if (BIO_puts(bp,"(INVALID PSS PARAMETERS)\n") <= 0) 224 return 0; 225 return 1; 226 } 227 if (BIO_puts(bp, "\n") <= 0) 228 goto err; 229 if (pss_key) 230 indent += 2; 231 if (!BIO_indent(bp, indent, 128)) 232 goto err; 233 if (BIO_puts(bp, "Hash Algorithm: ") <= 0) 234 goto err; 235 236 if (pss->hashAlgorithm) { 237 if (i2a_ASN1_OBJECT(bp, pss->hashAlgorithm->algorithm) <= 0) 238 goto err; 239 } else if (BIO_puts(bp, "sha1 (default)") <= 0) { 240 goto err; 241 } 242 243 if (BIO_puts(bp, "\n") <= 0) 244 goto err; 245 246 if (!BIO_indent(bp, indent, 128)) 247 goto err; 248 249 if (BIO_puts(bp, "Mask Algorithm: ") <= 0) 250 goto err; 251 if (pss->maskGenAlgorithm) { 252 if (i2a_ASN1_OBJECT(bp, pss->maskGenAlgorithm->algorithm) <= 0) 253 goto err; 254 if (BIO_puts(bp, " with ") <= 0) 255 goto err; 256 maskHash = ossl_x509_algor_mgf1_decode(pss->maskGenAlgorithm); 257 if (maskHash != NULL) { 258 if (i2a_ASN1_OBJECT(bp, maskHash->algorithm) <= 0) 259 goto err; 260 } else if (BIO_puts(bp, "INVALID") <= 0) { 261 goto err; 262 } 263 } else if (BIO_puts(bp, "mgf1 with sha1 (default)") <= 0) { 264 goto err; 265 } 266 BIO_puts(bp, "\n"); 267 268 if (!BIO_indent(bp, indent, 128)) 269 goto err; 270 if (BIO_printf(bp, "%s Salt Length: 0x", pss_key ? "Minimum" : "") <= 0) 271 goto err; 272 if (pss->saltLength) { 273 if (i2a_ASN1_INTEGER(bp, pss->saltLength) <= 0) 274 goto err; 275 } else if (BIO_puts(bp, "14 (default)") <= 0) { 276 goto err; 277 } 278 BIO_puts(bp, "\n"); 279 280 if (!BIO_indent(bp, indent, 128)) 281 goto err; 282 if (BIO_puts(bp, "Trailer Field: 0x") <= 0) 283 goto err; 284 if (pss->trailerField) { 285 if (i2a_ASN1_INTEGER(bp, pss->trailerField) <= 0) 286 goto err; 287 } else if (BIO_puts(bp, "01 (default)") <= 0) { 288 goto err; 289 } 290 BIO_puts(bp, "\n"); 291 292 rv = 1; 293 294 err: 295 X509_ALGOR_free(maskHash); 296 return rv; 297 298 } 299 300 static int pkey_rsa_print(BIO *bp, const EVP_PKEY *pkey, int off, int priv) 301 { 302 const RSA *x = pkey->pkey.rsa; 303 char *str; 304 const char *s; 305 int ret = 0, mod_len = 0, ex_primes; 306 307 if (x->n != NULL) 308 mod_len = BN_num_bits(x->n); 309 ex_primes = sk_RSA_PRIME_INFO_num(x->prime_infos); 310 311 if (!BIO_indent(bp, off, 128)) 312 goto err; 313 314 if (BIO_printf(bp, "%s ", pkey_is_pss(pkey) ? "RSA-PSS" : "RSA") <= 0) 315 goto err; 316 317 if (priv && x->d) { 318 if (BIO_printf(bp, "Private-Key: (%d bit, %d primes)\n", 319 mod_len, ex_primes <= 0 ? 2 : ex_primes + 2) <= 0) 320 goto err; 321 str = "modulus:"; 322 s = "publicExponent:"; 323 } else { 324 if (BIO_printf(bp, "Public-Key: (%d bit)\n", mod_len) <= 0) 325 goto err; 326 str = "Modulus:"; 327 s = "Exponent:"; 328 } 329 if (!ASN1_bn_print(bp, str, x->n, NULL, off)) 330 goto err; 331 if (!ASN1_bn_print(bp, s, x->e, NULL, off)) 332 goto err; 333 if (priv) { 334 int i; 335 336 if (!ASN1_bn_print(bp, "privateExponent:", x->d, NULL, off)) 337 goto err; 338 if (!ASN1_bn_print(bp, "prime1:", x->p, NULL, off)) 339 goto err; 340 if (!ASN1_bn_print(bp, "prime2:", x->q, NULL, off)) 341 goto err; 342 if (!ASN1_bn_print(bp, "exponent1:", x->dmp1, NULL, off)) 343 goto err; 344 if (!ASN1_bn_print(bp, "exponent2:", x->dmq1, NULL, off)) 345 goto err; 346 if (!ASN1_bn_print(bp, "coefficient:", x->iqmp, NULL, off)) 347 goto err; 348 for (i = 0; i < sk_RSA_PRIME_INFO_num(x->prime_infos); i++) { 349 /* print multi-prime info */ 350 BIGNUM *bn = NULL; 351 RSA_PRIME_INFO *pinfo; 352 int j; 353 354 pinfo = sk_RSA_PRIME_INFO_value(x->prime_infos, i); 355 for (j = 0; j < 3; j++) { 356 if (!BIO_indent(bp, off, 128)) 357 goto err; 358 switch (j) { 359 case 0: 360 if (BIO_printf(bp, "prime%d:", i + 3) <= 0) 361 goto err; 362 bn = pinfo->r; 363 break; 364 case 1: 365 if (BIO_printf(bp, "exponent%d:", i + 3) <= 0) 366 goto err; 367 bn = pinfo->d; 368 break; 369 case 2: 370 if (BIO_printf(bp, "coefficient%d:", i + 3) <= 0) 371 goto err; 372 bn = pinfo->t; 373 break; 374 default: 375 break; 376 } 377 if (!ASN1_bn_print(bp, "", bn, NULL, off)) 378 goto err; 379 } 380 } 381 } 382 if (pkey_is_pss(pkey) && !rsa_pss_param_print(bp, 1, x->pss, off)) 383 goto err; 384 ret = 1; 385 err: 386 return ret; 387 } 388 389 static int rsa_pub_print(BIO *bp, const EVP_PKEY *pkey, int indent, 390 ASN1_PCTX *ctx) 391 { 392 return pkey_rsa_print(bp, pkey, indent, 0); 393 } 394 395 static int rsa_priv_print(BIO *bp, const EVP_PKEY *pkey, int indent, 396 ASN1_PCTX *ctx) 397 { 398 return pkey_rsa_print(bp, pkey, indent, 1); 399 } 400 401 static int rsa_sig_print(BIO *bp, const X509_ALGOR *sigalg, 402 const ASN1_STRING *sig, int indent, ASN1_PCTX *pctx) 403 { 404 if (OBJ_obj2nid(sigalg->algorithm) == EVP_PKEY_RSA_PSS) { 405 int rv; 406 RSA_PSS_PARAMS *pss = ossl_rsa_pss_decode(sigalg); 407 408 rv = rsa_pss_param_print(bp, 0, pss, indent); 409 RSA_PSS_PARAMS_free(pss); 410 if (!rv) 411 return 0; 412 } else if (BIO_puts(bp, "\n") <= 0) { 413 return 0; 414 } 415 if (sig) 416 return X509_signature_dump(bp, sig, indent); 417 return 1; 418 } 419 420 static int rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2) 421 { 422 const EVP_MD *md; 423 const EVP_MD *mgf1md; 424 int min_saltlen; 425 426 switch (op) { 427 case ASN1_PKEY_CTRL_DEFAULT_MD_NID: 428 if (pkey->pkey.rsa->pss != NULL) { 429 if (!ossl_rsa_pss_get_param(pkey->pkey.rsa->pss, &md, &mgf1md, 430 &min_saltlen)) { 431 ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); 432 return 0; 433 } 434 *(int *)arg2 = EVP_MD_get_type(md); 435 /* Return of 2 indicates this MD is mandatory */ 436 return 2; 437 } 438 *(int *)arg2 = NID_sha256; 439 return 1; 440 441 default: 442 return -2; 443 } 444 } 445 446 /* 447 * Convert EVP_PKEY_CTX in PSS mode into corresponding algorithm parameter, 448 * suitable for setting an AlgorithmIdentifier. 449 */ 450 451 static RSA_PSS_PARAMS *rsa_ctx_to_pss(EVP_PKEY_CTX *pkctx) 452 { 453 const EVP_MD *sigmd, *mgf1md; 454 EVP_PKEY *pk = EVP_PKEY_CTX_get0_pkey(pkctx); 455 int saltlen; 456 457 if (EVP_PKEY_CTX_get_signature_md(pkctx, &sigmd) <= 0) 458 return NULL; 459 if (EVP_PKEY_CTX_get_rsa_mgf1_md(pkctx, &mgf1md) <= 0) 460 return NULL; 461 if (EVP_PKEY_CTX_get_rsa_pss_saltlen(pkctx, &saltlen) <= 0) 462 return NULL; 463 if (saltlen == -1) { 464 saltlen = EVP_MD_get_size(sigmd); 465 } else if (saltlen == -2 || saltlen == -3) { 466 saltlen = EVP_PKEY_get_size(pk) - EVP_MD_get_size(sigmd) - 2; 467 if ((EVP_PKEY_get_bits(pk) & 0x7) == 1) 468 saltlen--; 469 if (saltlen < 0) 470 return NULL; 471 } 472 473 return ossl_rsa_pss_params_create(sigmd, mgf1md, saltlen); 474 } 475 476 RSA_PSS_PARAMS *ossl_rsa_pss_params_create(const EVP_MD *sigmd, 477 const EVP_MD *mgf1md, int saltlen) 478 { 479 RSA_PSS_PARAMS *pss = RSA_PSS_PARAMS_new(); 480 481 if (pss == NULL) 482 goto err; 483 if (saltlen != 20) { 484 pss->saltLength = ASN1_INTEGER_new(); 485 if (pss->saltLength == NULL) 486 goto err; 487 if (!ASN1_INTEGER_set(pss->saltLength, saltlen)) 488 goto err; 489 } 490 if (!ossl_x509_algor_new_from_md(&pss->hashAlgorithm, sigmd)) 491 goto err; 492 if (mgf1md == NULL) 493 mgf1md = sigmd; 494 if (!ossl_x509_algor_md_to_mgf1(&pss->maskGenAlgorithm, mgf1md)) 495 goto err; 496 if (!ossl_x509_algor_new_from_md(&pss->maskHash, mgf1md)) 497 goto err; 498 return pss; 499 err: 500 RSA_PSS_PARAMS_free(pss); 501 return NULL; 502 } 503 504 ASN1_STRING *ossl_rsa_ctx_to_pss_string(EVP_PKEY_CTX *pkctx) 505 { 506 RSA_PSS_PARAMS *pss = rsa_ctx_to_pss(pkctx); 507 ASN1_STRING *os; 508 509 if (pss == NULL) 510 return NULL; 511 512 os = ASN1_item_pack(pss, ASN1_ITEM_rptr(RSA_PSS_PARAMS), NULL); 513 RSA_PSS_PARAMS_free(pss); 514 return os; 515 } 516 517 /* 518 * From PSS AlgorithmIdentifier set public key parameters. If pkey isn't NULL 519 * then the EVP_MD_CTX is setup and initialised. If it is NULL parameters are 520 * passed to pkctx instead. 521 */ 522 523 int ossl_rsa_pss_to_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pkctx, 524 const X509_ALGOR *sigalg, EVP_PKEY *pkey) 525 { 526 int rv = -1; 527 int saltlen; 528 const EVP_MD *mgf1md = NULL, *md = NULL; 529 RSA_PSS_PARAMS *pss; 530 531 /* Sanity check: make sure it is PSS */ 532 if (OBJ_obj2nid(sigalg->algorithm) != EVP_PKEY_RSA_PSS) { 533 ERR_raise(ERR_LIB_RSA, RSA_R_UNSUPPORTED_SIGNATURE_TYPE); 534 return -1; 535 } 536 /* Decode PSS parameters */ 537 pss = ossl_rsa_pss_decode(sigalg); 538 539 if (!ossl_rsa_pss_get_param(pss, &md, &mgf1md, &saltlen)) { 540 ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_PSS_PARAMETERS); 541 goto err; 542 } 543 544 /* We have all parameters now set up context */ 545 if (pkey) { 546 if (!EVP_DigestVerifyInit(ctx, &pkctx, md, NULL, pkey)) 547 goto err; 548 } else { 549 const EVP_MD *checkmd; 550 if (EVP_PKEY_CTX_get_signature_md(pkctx, &checkmd) <= 0) 551 goto err; 552 if (EVP_MD_get_type(md) != EVP_MD_get_type(checkmd)) { 553 ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_DOES_NOT_MATCH); 554 goto err; 555 } 556 } 557 558 if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_PSS_PADDING) <= 0) 559 goto err; 560 561 if (EVP_PKEY_CTX_set_rsa_pss_saltlen(pkctx, saltlen) <= 0) 562 goto err; 563 564 if (EVP_PKEY_CTX_set_rsa_mgf1_md(pkctx, mgf1md) <= 0) 565 goto err; 566 /* Carry on */ 567 rv = 1; 568 569 err: 570 RSA_PSS_PARAMS_free(pss); 571 return rv; 572 } 573 574 static int rsa_pss_verify_param(const EVP_MD **pmd, const EVP_MD **pmgf1md, 575 int *psaltlen, int *ptrailerField) 576 { 577 if (psaltlen != NULL && *psaltlen < 0) { 578 ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_SALT_LENGTH); 579 return 0; 580 } 581 /* 582 * low-level routines support only trailer field 0xbc (value 1) and 583 * PKCS#1 says we should reject any other value anyway. 584 */ 585 if (ptrailerField != NULL && *ptrailerField != 1) { 586 ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_TRAILER); 587 return 0; 588 } 589 return 1; 590 } 591 592 int ossl_rsa_pss_get_param(const RSA_PSS_PARAMS *pss, const EVP_MD **pmd, 593 const EVP_MD **pmgf1md, int *psaltlen) 594 { 595 /* 596 * Callers do not care about the trailer field, and yet, we must 597 * pass it from get_param to verify_param, since the latter checks 598 * its value. 599 * 600 * When callers start caring, it's a simple thing to add another 601 * argument to this function. 602 */ 603 int trailerField = 0; 604 605 return ossl_rsa_pss_get_param_unverified(pss, pmd, pmgf1md, psaltlen, 606 &trailerField) 607 && rsa_pss_verify_param(pmd, pmgf1md, psaltlen, &trailerField); 608 } 609 610 /* 611 * Customised RSA item verification routine. This is called when a signature 612 * is encountered requiring special handling. We currently only handle PSS. 613 */ 614 615 static int rsa_item_verify(EVP_MD_CTX *ctx, const ASN1_ITEM *it, 616 const void *asn, const X509_ALGOR *sigalg, 617 const ASN1_BIT_STRING *sig, EVP_PKEY *pkey) 618 { 619 /* Sanity check: make sure it is PSS */ 620 if (OBJ_obj2nid(sigalg->algorithm) != EVP_PKEY_RSA_PSS) { 621 ERR_raise(ERR_LIB_RSA, RSA_R_UNSUPPORTED_SIGNATURE_TYPE); 622 return -1; 623 } 624 if (ossl_rsa_pss_to_ctx(ctx, NULL, sigalg, pkey) > 0) { 625 /* Carry on */ 626 return 2; 627 } 628 return -1; 629 } 630 631 static int rsa_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, const void *asn, 632 X509_ALGOR *alg1, X509_ALGOR *alg2, 633 ASN1_BIT_STRING *sig) 634 { 635 int pad_mode; 636 EVP_PKEY_CTX *pkctx = EVP_MD_CTX_get_pkey_ctx(ctx); 637 638 if (EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode) <= 0) 639 return 0; 640 if (pad_mode == RSA_PKCS1_PADDING) 641 return 2; 642 if (pad_mode == RSA_PKCS1_PSS_PADDING) { 643 unsigned char aid[128]; 644 size_t aid_len = 0; 645 OSSL_PARAM params[2]; 646 647 if (evp_pkey_ctx_is_legacy(pkctx)) { 648 /* No provider -> we cannot query it for algorithm ID. */ 649 ASN1_STRING *os1 = NULL; 650 651 os1 = ossl_rsa_ctx_to_pss_string(pkctx); 652 if (os1 == NULL) 653 return 0; 654 /* Duplicate parameters if we have to */ 655 if (alg2 != NULL) { 656 ASN1_STRING *os2 = ASN1_STRING_dup(os1); 657 658 if (os2 == NULL) { 659 ASN1_STRING_free(os1); 660 return 0; 661 } 662 if (!X509_ALGOR_set0(alg2, OBJ_nid2obj(EVP_PKEY_RSA_PSS), 663 V_ASN1_SEQUENCE, os2)) { 664 ASN1_STRING_free(os1); 665 ASN1_STRING_free(os2); 666 return 0; 667 } 668 } 669 if (!X509_ALGOR_set0(alg1, OBJ_nid2obj(EVP_PKEY_RSA_PSS), 670 V_ASN1_SEQUENCE, os1)) { 671 ASN1_STRING_free(os1); 672 return 0; 673 } 674 return 3; 675 } 676 677 params[0] = OSSL_PARAM_construct_octet_string( 678 OSSL_SIGNATURE_PARAM_ALGORITHM_ID, aid, sizeof(aid)); 679 params[1] = OSSL_PARAM_construct_end(); 680 681 if (EVP_PKEY_CTX_get_params(pkctx, params) <= 0) 682 return 0; 683 if ((aid_len = params[0].return_size) == 0) 684 return 0; 685 686 if (alg1 != NULL) { 687 const unsigned char *pp = aid; 688 689 if (d2i_X509_ALGOR(&alg1, &pp, aid_len) == NULL) 690 return 0; 691 } 692 if (alg2 != NULL) { 693 const unsigned char *pp = aid; 694 695 if (d2i_X509_ALGOR(&alg2, &pp, aid_len) == NULL) 696 return 0; 697 } 698 699 return 3; 700 } 701 return 2; 702 } 703 704 static int rsa_sig_info_set(X509_SIG_INFO *siginf, const X509_ALGOR *sigalg, 705 const ASN1_STRING *sig) 706 { 707 int rv = 0; 708 int mdnid, saltlen; 709 uint32_t flags; 710 const EVP_MD *mgf1md = NULL, *md = NULL; 711 RSA_PSS_PARAMS *pss; 712 int secbits; 713 714 /* Sanity check: make sure it is PSS */ 715 if (OBJ_obj2nid(sigalg->algorithm) != EVP_PKEY_RSA_PSS) 716 return 0; 717 /* Decode PSS parameters */ 718 pss = ossl_rsa_pss_decode(sigalg); 719 if (!ossl_rsa_pss_get_param(pss, &md, &mgf1md, &saltlen)) 720 goto err; 721 mdnid = EVP_MD_get_type(md); 722 /* 723 * For TLS need SHA256, SHA384 or SHA512, digest and MGF1 digest must 724 * match and salt length must equal digest size 725 */ 726 if ((mdnid == NID_sha256 || mdnid == NID_sha384 || mdnid == NID_sha512) 727 && mdnid == EVP_MD_get_type(mgf1md) 728 && saltlen == EVP_MD_get_size(md)) 729 flags = X509_SIG_INFO_TLS; 730 else 731 flags = 0; 732 /* Note: security bits half number of digest bits */ 733 secbits = EVP_MD_get_size(md) * 4; 734 /* 735 * SHA1 and MD5 are known to be broken. Reduce security bits so that 736 * they're no longer accepted at security level 1. The real values don't 737 * really matter as long as they're lower than 80, which is our security 738 * level 1. 739 * https://eprint.iacr.org/2020/014 puts a chosen-prefix attack for SHA1 at 740 * 2^63.4 741 * https://documents.epfl.ch/users/l/le/lenstra/public/papers/lat.pdf 742 * puts a chosen-prefix attack for MD5 at 2^39. 743 */ 744 if (mdnid == NID_sha1) 745 secbits = 64; 746 else if (mdnid == NID_md5_sha1) 747 secbits = 68; 748 else if (mdnid == NID_md5) 749 secbits = 39; 750 X509_SIG_INFO_set(siginf, mdnid, EVP_PKEY_RSA_PSS, secbits, 751 flags); 752 rv = 1; 753 err: 754 RSA_PSS_PARAMS_free(pss); 755 return rv; 756 } 757 758 static int rsa_pkey_check(const EVP_PKEY *pkey) 759 { 760 return RSA_check_key_ex(pkey->pkey.rsa, NULL); 761 } 762 763 static size_t rsa_pkey_dirty_cnt(const EVP_PKEY *pkey) 764 { 765 return pkey->pkey.rsa->dirty_cnt; 766 } 767 768 /* 769 * There is no need to do RSA_test_flags(rsa, RSA_FLAG_TYPE_RSASSAPSS) 770 * checks in this method since the caller tests EVP_KEYMGMT_is_a() first. 771 */ 772 static int rsa_int_export_to(const EVP_PKEY *from, int rsa_type, 773 void *to_keydata, 774 OSSL_FUNC_keymgmt_import_fn *importer, 775 OSSL_LIB_CTX *libctx, const char *propq) 776 { 777 RSA *rsa = from->pkey.rsa; 778 OSSL_PARAM_BLD *tmpl = OSSL_PARAM_BLD_new(); 779 OSSL_PARAM *params = NULL; 780 int selection = 0; 781 int rv = 0; 782 783 if (tmpl == NULL) 784 return 0; 785 /* Public parameters must always be present */ 786 if (RSA_get0_n(rsa) == NULL || RSA_get0_e(rsa) == NULL) 787 goto err; 788 789 if (!ossl_rsa_todata(rsa, tmpl, NULL, 1)) 790 goto err; 791 792 selection |= OSSL_KEYMGMT_SELECT_PUBLIC_KEY; 793 if (RSA_get0_d(rsa) != NULL) 794 selection |= OSSL_KEYMGMT_SELECT_PRIVATE_KEY; 795 796 if (rsa->pss != NULL) { 797 const EVP_MD *md = NULL, *mgf1md = NULL; 798 int md_nid, mgf1md_nid, saltlen, trailerfield; 799 RSA_PSS_PARAMS_30 pss_params; 800 801 if (!ossl_rsa_pss_get_param_unverified(rsa->pss, &md, &mgf1md, 802 &saltlen, &trailerfield)) 803 goto err; 804 md_nid = EVP_MD_get_type(md); 805 mgf1md_nid = EVP_MD_get_type(mgf1md); 806 if (!ossl_rsa_pss_params_30_set_defaults(&pss_params) 807 || !ossl_rsa_pss_params_30_set_hashalg(&pss_params, md_nid) 808 || !ossl_rsa_pss_params_30_set_maskgenhashalg(&pss_params, 809 mgf1md_nid) 810 || !ossl_rsa_pss_params_30_set_saltlen(&pss_params, saltlen) 811 || !ossl_rsa_pss_params_30_todata(&pss_params, tmpl, NULL)) 812 goto err; 813 selection |= OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS; 814 } 815 816 if ((params = OSSL_PARAM_BLD_to_param(tmpl)) == NULL) 817 goto err; 818 819 /* We export, the provider imports */ 820 rv = importer(to_keydata, selection, params); 821 822 err: 823 OSSL_PARAM_free(params); 824 OSSL_PARAM_BLD_free(tmpl); 825 return rv; 826 } 827 828 static int rsa_int_import_from(const OSSL_PARAM params[], void *vpctx, 829 int rsa_type) 830 { 831 EVP_PKEY_CTX *pctx = vpctx; 832 EVP_PKEY *pkey = EVP_PKEY_CTX_get0_pkey(pctx); 833 RSA *rsa = ossl_rsa_new_with_ctx(pctx->libctx); 834 RSA_PSS_PARAMS_30 rsa_pss_params = { 0, }; 835 int pss_defaults_set = 0; 836 int ok = 0; 837 838 if (rsa == NULL) { 839 ERR_raise(ERR_LIB_DH, ERR_R_MALLOC_FAILURE); 840 return 0; 841 } 842 843 RSA_clear_flags(rsa, RSA_FLAG_TYPE_MASK); 844 RSA_set_flags(rsa, rsa_type); 845 846 if (!ossl_rsa_pss_params_30_fromdata(&rsa_pss_params, &pss_defaults_set, 847 params, pctx->libctx)) 848 goto err; 849 850 switch (rsa_type) { 851 case RSA_FLAG_TYPE_RSA: 852 /* 853 * Were PSS parameters filled in? 854 * In that case, something's wrong 855 */ 856 if (!ossl_rsa_pss_params_30_is_unrestricted(&rsa_pss_params)) 857 goto err; 858 break; 859 case RSA_FLAG_TYPE_RSASSAPSS: 860 /* 861 * Were PSS parameters filled in? In that case, create the old 862 * RSA_PSS_PARAMS structure. Otherwise, this is an unrestricted key. 863 */ 864 if (!ossl_rsa_pss_params_30_is_unrestricted(&rsa_pss_params)) { 865 /* Create the older RSA_PSS_PARAMS from RSA_PSS_PARAMS_30 data */ 866 int mdnid = ossl_rsa_pss_params_30_hashalg(&rsa_pss_params); 867 int mgf1mdnid = ossl_rsa_pss_params_30_maskgenhashalg(&rsa_pss_params); 868 int saltlen = ossl_rsa_pss_params_30_saltlen(&rsa_pss_params); 869 const EVP_MD *md = EVP_get_digestbynid(mdnid); 870 const EVP_MD *mgf1md = EVP_get_digestbynid(mgf1mdnid); 871 872 if ((rsa->pss = ossl_rsa_pss_params_create(md, mgf1md, 873 saltlen)) == NULL) 874 goto err; 875 } 876 break; 877 default: 878 /* RSA key sub-types we don't know how to handle yet */ 879 goto err; 880 } 881 882 if (!ossl_rsa_fromdata(rsa, params, 1)) 883 goto err; 884 885 switch (rsa_type) { 886 case RSA_FLAG_TYPE_RSA: 887 ok = EVP_PKEY_assign_RSA(pkey, rsa); 888 break; 889 case RSA_FLAG_TYPE_RSASSAPSS: 890 ok = EVP_PKEY_assign(pkey, EVP_PKEY_RSA_PSS, rsa); 891 break; 892 } 893 894 err: 895 if (!ok) 896 RSA_free(rsa); 897 return ok; 898 } 899 900 static int rsa_pkey_export_to(const EVP_PKEY *from, void *to_keydata, 901 OSSL_FUNC_keymgmt_import_fn *importer, 902 OSSL_LIB_CTX *libctx, const char *propq) 903 { 904 return rsa_int_export_to(from, RSA_FLAG_TYPE_RSA, to_keydata, 905 importer, libctx, propq); 906 } 907 908 static int rsa_pss_pkey_export_to(const EVP_PKEY *from, void *to_keydata, 909 OSSL_FUNC_keymgmt_import_fn *importer, 910 OSSL_LIB_CTX *libctx, const char *propq) 911 { 912 return rsa_int_export_to(from, RSA_FLAG_TYPE_RSASSAPSS, to_keydata, 913 importer, libctx, propq); 914 } 915 916 static int rsa_pkey_import_from(const OSSL_PARAM params[], void *vpctx) 917 { 918 return rsa_int_import_from(params, vpctx, RSA_FLAG_TYPE_RSA); 919 } 920 921 static int rsa_pss_pkey_import_from(const OSSL_PARAM params[], void *vpctx) 922 { 923 return rsa_int_import_from(params, vpctx, RSA_FLAG_TYPE_RSASSAPSS); 924 } 925 926 static int rsa_pkey_copy(EVP_PKEY *to, EVP_PKEY *from) 927 { 928 RSA *rsa = from->pkey.rsa; 929 RSA *dupkey = NULL; 930 int ret; 931 932 if (rsa != NULL) { 933 dupkey = ossl_rsa_dup(rsa, OSSL_KEYMGMT_SELECT_ALL); 934 if (dupkey == NULL) 935 return 0; 936 } 937 938 ret = EVP_PKEY_assign(to, from->type, dupkey); 939 if (!ret) 940 RSA_free(dupkey); 941 return ret; 942 } 943 944 const EVP_PKEY_ASN1_METHOD ossl_rsa_asn1_meths[2] = { 945 { 946 EVP_PKEY_RSA, 947 EVP_PKEY_RSA, 948 ASN1_PKEY_SIGPARAM_NULL, 949 950 "RSA", 951 "OpenSSL RSA method", 952 953 rsa_pub_decode, 954 rsa_pub_encode, 955 rsa_pub_cmp, 956 rsa_pub_print, 957 958 rsa_priv_decode, 959 rsa_priv_encode, 960 rsa_priv_print, 961 962 int_rsa_size, 963 rsa_bits, 964 rsa_security_bits, 965 966 0, 0, 0, 0, 0, 0, 967 968 rsa_sig_print, 969 int_rsa_free, 970 rsa_pkey_ctrl, 971 old_rsa_priv_decode, 972 old_rsa_priv_encode, 973 rsa_item_verify, 974 rsa_item_sign, 975 rsa_sig_info_set, 976 rsa_pkey_check, 977 978 0, 0, 979 0, 0, 0, 0, 980 981 rsa_pkey_dirty_cnt, 982 rsa_pkey_export_to, 983 rsa_pkey_import_from, 984 rsa_pkey_copy 985 }, 986 987 { 988 EVP_PKEY_RSA2, 989 EVP_PKEY_RSA, 990 ASN1_PKEY_ALIAS} 991 }; 992 993 const EVP_PKEY_ASN1_METHOD ossl_rsa_pss_asn1_meth = { 994 EVP_PKEY_RSA_PSS, 995 EVP_PKEY_RSA_PSS, 996 ASN1_PKEY_SIGPARAM_NULL, 997 998 "RSA-PSS", 999 "OpenSSL RSA-PSS method", 1000 1001 rsa_pub_decode, 1002 rsa_pub_encode, 1003 rsa_pub_cmp, 1004 rsa_pub_print, 1005 1006 rsa_priv_decode, 1007 rsa_priv_encode, 1008 rsa_priv_print, 1009 1010 int_rsa_size, 1011 rsa_bits, 1012 rsa_security_bits, 1013 1014 0, 0, 0, 0, 0, 0, 1015 1016 rsa_sig_print, 1017 int_rsa_free, 1018 rsa_pkey_ctrl, 1019 0, 0, 1020 rsa_item_verify, 1021 rsa_item_sign, 1022 rsa_sig_info_set, 1023 rsa_pkey_check, 1024 1025 0, 0, 1026 0, 0, 0, 0, 1027 1028 rsa_pkey_dirty_cnt, 1029 rsa_pss_pkey_export_to, 1030 rsa_pss_pkey_import_from, 1031 rsa_pkey_copy 1032 }; 1033