1 /* 2 * Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <stdio.h> 11 #include "internal/cryptlib.h" 12 #include <openssl/asn1t.h> 13 #include <openssl/x509.h> 14 #include <openssl/bn.h> 15 #include <openssl/cms.h> 16 #include "crypto/asn1.h" 17 #include "crypto/evp.h" 18 #include "rsa_local.h" 19 20 #ifndef OPENSSL_NO_CMS 21 static int rsa_cms_sign(CMS_SignerInfo *si); 22 static int rsa_cms_verify(CMS_SignerInfo *si); 23 static int rsa_cms_decrypt(CMS_RecipientInfo *ri); 24 static int rsa_cms_encrypt(CMS_RecipientInfo *ri); 25 #endif 26 27 static RSA_PSS_PARAMS *rsa_pss_decode(const X509_ALGOR *alg); 28 29 /* Set any parameters associated with pkey */ 30 static int rsa_param_encode(const EVP_PKEY *pkey, 31 ASN1_STRING **pstr, int *pstrtype) 32 { 33 const RSA *rsa = pkey->pkey.rsa; 34 35 *pstr = NULL; 36 /* If RSA it's just NULL type */ 37 if (pkey->ameth->pkey_id != EVP_PKEY_RSA_PSS) { 38 *pstrtype = V_ASN1_NULL; 39 return 1; 40 } 41 /* If no PSS parameters we omit parameters entirely */ 42 if (rsa->pss == NULL) { 43 *pstrtype = V_ASN1_UNDEF; 44 return 1; 45 } 46 /* Encode PSS parameters */ 47 if (ASN1_item_pack(rsa->pss, ASN1_ITEM_rptr(RSA_PSS_PARAMS), pstr) == NULL) 48 return 0; 49 50 *pstrtype = V_ASN1_SEQUENCE; 51 return 1; 52 } 53 /* Decode any parameters and set them in RSA structure */ 54 static int rsa_param_decode(RSA *rsa, const X509_ALGOR *alg) 55 { 56 const ASN1_OBJECT *algoid; 57 const void *algp; 58 int algptype; 59 60 X509_ALGOR_get0(&algoid, &algptype, &algp, alg); 61 if (OBJ_obj2nid(algoid) != EVP_PKEY_RSA_PSS) 62 return 1; 63 if (algptype == V_ASN1_UNDEF) 64 return 1; 65 if (algptype != V_ASN1_SEQUENCE) { 66 RSAerr(RSA_F_RSA_PARAM_DECODE, RSA_R_INVALID_PSS_PARAMETERS); 67 return 0; 68 } 69 rsa->pss = rsa_pss_decode(alg); 70 if (rsa->pss == NULL) 71 return 0; 72 return 1; 73 } 74 75 static int rsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey) 76 { 77 unsigned char *penc = NULL; 78 int penclen; 79 ASN1_STRING *str; 80 int strtype; 81 82 if (!rsa_param_encode(pkey, &str, &strtype)) 83 return 0; 84 penclen = i2d_RSAPublicKey(pkey->pkey.rsa, &penc); 85 if (penclen <= 0) 86 return 0; 87 if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(pkey->ameth->pkey_id), 88 strtype, str, penc, penclen)) 89 return 1; 90 91 OPENSSL_free(penc); 92 return 0; 93 } 94 95 static int rsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey) 96 { 97 const unsigned char *p; 98 int pklen; 99 X509_ALGOR *alg; 100 RSA *rsa = NULL; 101 102 if (!X509_PUBKEY_get0_param(NULL, &p, &pklen, &alg, pubkey)) 103 return 0; 104 if ((rsa = d2i_RSAPublicKey(NULL, &p, pklen)) == NULL) { 105 RSAerr(RSA_F_RSA_PUB_DECODE, ERR_R_RSA_LIB); 106 return 0; 107 } 108 if (!rsa_param_decode(rsa, alg)) { 109 RSA_free(rsa); 110 return 0; 111 } 112 if (!EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa)) { 113 RSA_free(rsa); 114 return 0; 115 } 116 return 1; 117 } 118 119 static int rsa_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b) 120 { 121 /* 122 * Don't check the public/private key, this is mostly for smart 123 * cards. 124 */ 125 if (((RSA_flags(a->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK)) 126 || (RSA_flags(b->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK)) { 127 return 1; 128 } 129 130 if (BN_cmp(b->pkey.rsa->n, a->pkey.rsa->n) != 0 131 || BN_cmp(b->pkey.rsa->e, a->pkey.rsa->e) != 0) 132 return 0; 133 return 1; 134 } 135 136 static int old_rsa_priv_decode(EVP_PKEY *pkey, 137 const unsigned char **pder, int derlen) 138 { 139 RSA *rsa; 140 141 if ((rsa = d2i_RSAPrivateKey(NULL, pder, derlen)) == NULL) { 142 RSAerr(RSA_F_OLD_RSA_PRIV_DECODE, ERR_R_RSA_LIB); 143 return 0; 144 } 145 EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa); 146 return 1; 147 } 148 149 static int old_rsa_priv_encode(const EVP_PKEY *pkey, unsigned char **pder) 150 { 151 return i2d_RSAPrivateKey(pkey->pkey.rsa, pder); 152 } 153 154 static int rsa_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey) 155 { 156 unsigned char *rk = NULL; 157 int rklen; 158 ASN1_STRING *str; 159 int strtype; 160 161 if (!rsa_param_encode(pkey, &str, &strtype)) 162 return 0; 163 rklen = i2d_RSAPrivateKey(pkey->pkey.rsa, &rk); 164 165 if (rklen <= 0) { 166 RSAerr(RSA_F_RSA_PRIV_ENCODE, ERR_R_MALLOC_FAILURE); 167 ASN1_STRING_free(str); 168 return 0; 169 } 170 171 if (!PKCS8_pkey_set0(p8, OBJ_nid2obj(pkey->ameth->pkey_id), 0, 172 strtype, str, rk, rklen)) { 173 RSAerr(RSA_F_RSA_PRIV_ENCODE, ERR_R_MALLOC_FAILURE); 174 ASN1_STRING_free(str); 175 OPENSSL_clear_free(rk, rklen); 176 return 0; 177 } 178 179 return 1; 180 } 181 182 static int rsa_priv_decode(EVP_PKEY *pkey, const PKCS8_PRIV_KEY_INFO *p8) 183 { 184 const unsigned char *p; 185 RSA *rsa; 186 int pklen; 187 const X509_ALGOR *alg; 188 189 if (!PKCS8_pkey_get0(NULL, &p, &pklen, &alg, p8)) 190 return 0; 191 rsa = d2i_RSAPrivateKey(NULL, &p, pklen); 192 if (rsa == NULL) { 193 RSAerr(RSA_F_RSA_PRIV_DECODE, ERR_R_RSA_LIB); 194 return 0; 195 } 196 if (!rsa_param_decode(rsa, alg)) { 197 RSA_free(rsa); 198 return 0; 199 } 200 EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa); 201 return 1; 202 } 203 204 static int int_rsa_size(const EVP_PKEY *pkey) 205 { 206 return RSA_size(pkey->pkey.rsa); 207 } 208 209 static int rsa_bits(const EVP_PKEY *pkey) 210 { 211 return BN_num_bits(pkey->pkey.rsa->n); 212 } 213 214 static int rsa_security_bits(const EVP_PKEY *pkey) 215 { 216 return RSA_security_bits(pkey->pkey.rsa); 217 } 218 219 static void int_rsa_free(EVP_PKEY *pkey) 220 { 221 RSA_free(pkey->pkey.rsa); 222 } 223 224 static X509_ALGOR *rsa_mgf1_decode(X509_ALGOR *alg) 225 { 226 if (OBJ_obj2nid(alg->algorithm) != NID_mgf1) 227 return NULL; 228 return ASN1_TYPE_unpack_sequence(ASN1_ITEM_rptr(X509_ALGOR), 229 alg->parameter); 230 } 231 232 static int rsa_pss_param_print(BIO *bp, int pss_key, RSA_PSS_PARAMS *pss, 233 int indent) 234 { 235 int rv = 0; 236 X509_ALGOR *maskHash = NULL; 237 238 if (!BIO_indent(bp, indent, 128)) 239 goto err; 240 if (pss_key) { 241 if (pss == NULL) { 242 if (BIO_puts(bp, "No PSS parameter restrictions\n") <= 0) 243 return 0; 244 return 1; 245 } else { 246 if (BIO_puts(bp, "PSS parameter restrictions:") <= 0) 247 return 0; 248 } 249 } else if (pss == NULL) { 250 if (BIO_puts(bp,"(INVALID PSS PARAMETERS)\n") <= 0) 251 return 0; 252 return 1; 253 } 254 if (BIO_puts(bp, "\n") <= 0) 255 goto err; 256 if (pss_key) 257 indent += 2; 258 if (!BIO_indent(bp, indent, 128)) 259 goto err; 260 if (BIO_puts(bp, "Hash Algorithm: ") <= 0) 261 goto err; 262 263 if (pss->hashAlgorithm) { 264 if (i2a_ASN1_OBJECT(bp, pss->hashAlgorithm->algorithm) <= 0) 265 goto err; 266 } else if (BIO_puts(bp, "sha1 (default)") <= 0) { 267 goto err; 268 } 269 270 if (BIO_puts(bp, "\n") <= 0) 271 goto err; 272 273 if (!BIO_indent(bp, indent, 128)) 274 goto err; 275 276 if (BIO_puts(bp, "Mask Algorithm: ") <= 0) 277 goto err; 278 if (pss->maskGenAlgorithm) { 279 if (i2a_ASN1_OBJECT(bp, pss->maskGenAlgorithm->algorithm) <= 0) 280 goto err; 281 if (BIO_puts(bp, " with ") <= 0) 282 goto err; 283 maskHash = rsa_mgf1_decode(pss->maskGenAlgorithm); 284 if (maskHash != NULL) { 285 if (i2a_ASN1_OBJECT(bp, maskHash->algorithm) <= 0) 286 goto err; 287 } else if (BIO_puts(bp, "INVALID") <= 0) { 288 goto err; 289 } 290 } else if (BIO_puts(bp, "mgf1 with sha1 (default)") <= 0) { 291 goto err; 292 } 293 BIO_puts(bp, "\n"); 294 295 if (!BIO_indent(bp, indent, 128)) 296 goto err; 297 if (BIO_printf(bp, "%s Salt Length: 0x", pss_key ? "Minimum" : "") <= 0) 298 goto err; 299 if (pss->saltLength) { 300 if (i2a_ASN1_INTEGER(bp, pss->saltLength) <= 0) 301 goto err; 302 } else if (BIO_puts(bp, "14 (default)") <= 0) { 303 goto err; 304 } 305 BIO_puts(bp, "\n"); 306 307 if (!BIO_indent(bp, indent, 128)) 308 goto err; 309 if (BIO_puts(bp, "Trailer Field: 0x") <= 0) 310 goto err; 311 if (pss->trailerField) { 312 if (i2a_ASN1_INTEGER(bp, pss->trailerField) <= 0) 313 goto err; 314 } else if (BIO_puts(bp, "BC (default)") <= 0) { 315 goto err; 316 } 317 BIO_puts(bp, "\n"); 318 319 rv = 1; 320 321 err: 322 X509_ALGOR_free(maskHash); 323 return rv; 324 325 } 326 327 static int pkey_rsa_print(BIO *bp, const EVP_PKEY *pkey, int off, int priv) 328 { 329 const RSA *x = pkey->pkey.rsa; 330 char *str; 331 const char *s; 332 int ret = 0, mod_len = 0, ex_primes; 333 334 if (x->n != NULL) 335 mod_len = BN_num_bits(x->n); 336 ex_primes = sk_RSA_PRIME_INFO_num(x->prime_infos); 337 338 if (!BIO_indent(bp, off, 128)) 339 goto err; 340 341 if (BIO_printf(bp, "%s ", pkey_is_pss(pkey) ? "RSA-PSS" : "RSA") <= 0) 342 goto err; 343 344 if (priv && x->d) { 345 if (BIO_printf(bp, "Private-Key: (%d bit, %d primes)\n", 346 mod_len, ex_primes <= 0 ? 2 : ex_primes + 2) <= 0) 347 goto err; 348 str = "modulus:"; 349 s = "publicExponent:"; 350 } else { 351 if (BIO_printf(bp, "Public-Key: (%d bit)\n", mod_len) <= 0) 352 goto err; 353 str = "Modulus:"; 354 s = "Exponent:"; 355 } 356 if (!ASN1_bn_print(bp, str, x->n, NULL, off)) 357 goto err; 358 if (!ASN1_bn_print(bp, s, x->e, NULL, off)) 359 goto err; 360 if (priv) { 361 int i; 362 363 if (!ASN1_bn_print(bp, "privateExponent:", x->d, NULL, off)) 364 goto err; 365 if (!ASN1_bn_print(bp, "prime1:", x->p, NULL, off)) 366 goto err; 367 if (!ASN1_bn_print(bp, "prime2:", x->q, NULL, off)) 368 goto err; 369 if (!ASN1_bn_print(bp, "exponent1:", x->dmp1, NULL, off)) 370 goto err; 371 if (!ASN1_bn_print(bp, "exponent2:", x->dmq1, NULL, off)) 372 goto err; 373 if (!ASN1_bn_print(bp, "coefficient:", x->iqmp, NULL, off)) 374 goto err; 375 for (i = 0; i < sk_RSA_PRIME_INFO_num(x->prime_infos); i++) { 376 /* print multi-prime info */ 377 BIGNUM *bn = NULL; 378 RSA_PRIME_INFO *pinfo; 379 int j; 380 381 pinfo = sk_RSA_PRIME_INFO_value(x->prime_infos, i); 382 for (j = 0; j < 3; j++) { 383 if (!BIO_indent(bp, off, 128)) 384 goto err; 385 switch (j) { 386 case 0: 387 if (BIO_printf(bp, "prime%d:", i + 3) <= 0) 388 goto err; 389 bn = pinfo->r; 390 break; 391 case 1: 392 if (BIO_printf(bp, "exponent%d:", i + 3) <= 0) 393 goto err; 394 bn = pinfo->d; 395 break; 396 case 2: 397 if (BIO_printf(bp, "coefficient%d:", i + 3) <= 0) 398 goto err; 399 bn = pinfo->t; 400 break; 401 default: 402 break; 403 } 404 if (!ASN1_bn_print(bp, "", bn, NULL, off)) 405 goto err; 406 } 407 } 408 } 409 if (pkey_is_pss(pkey) && !rsa_pss_param_print(bp, 1, x->pss, off)) 410 goto err; 411 ret = 1; 412 err: 413 return ret; 414 } 415 416 static int rsa_pub_print(BIO *bp, const EVP_PKEY *pkey, int indent, 417 ASN1_PCTX *ctx) 418 { 419 return pkey_rsa_print(bp, pkey, indent, 0); 420 } 421 422 static int rsa_priv_print(BIO *bp, const EVP_PKEY *pkey, int indent, 423 ASN1_PCTX *ctx) 424 { 425 return pkey_rsa_print(bp, pkey, indent, 1); 426 } 427 428 static RSA_PSS_PARAMS *rsa_pss_decode(const X509_ALGOR *alg) 429 { 430 RSA_PSS_PARAMS *pss; 431 432 pss = ASN1_TYPE_unpack_sequence(ASN1_ITEM_rptr(RSA_PSS_PARAMS), 433 alg->parameter); 434 435 if (pss == NULL) 436 return NULL; 437 438 if (pss->maskGenAlgorithm != NULL) { 439 pss->maskHash = rsa_mgf1_decode(pss->maskGenAlgorithm); 440 if (pss->maskHash == NULL) { 441 RSA_PSS_PARAMS_free(pss); 442 return NULL; 443 } 444 } 445 446 return pss; 447 } 448 449 static int rsa_sig_print(BIO *bp, const X509_ALGOR *sigalg, 450 const ASN1_STRING *sig, int indent, ASN1_PCTX *pctx) 451 { 452 if (OBJ_obj2nid(sigalg->algorithm) == EVP_PKEY_RSA_PSS) { 453 int rv; 454 RSA_PSS_PARAMS *pss = rsa_pss_decode(sigalg); 455 456 rv = rsa_pss_param_print(bp, 0, pss, indent); 457 RSA_PSS_PARAMS_free(pss); 458 if (!rv) 459 return 0; 460 } else if (!sig && BIO_puts(bp, "\n") <= 0) { 461 return 0; 462 } 463 if (sig) 464 return X509_signature_dump(bp, sig, indent); 465 return 1; 466 } 467 468 static int rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2) 469 { 470 X509_ALGOR *alg = NULL; 471 const EVP_MD *md; 472 const EVP_MD *mgf1md; 473 int min_saltlen; 474 475 switch (op) { 476 477 case ASN1_PKEY_CTRL_PKCS7_SIGN: 478 if (arg1 == 0) 479 PKCS7_SIGNER_INFO_get0_algs(arg2, NULL, NULL, &alg); 480 break; 481 482 case ASN1_PKEY_CTRL_PKCS7_ENCRYPT: 483 if (pkey_is_pss(pkey)) 484 return -2; 485 if (arg1 == 0) 486 PKCS7_RECIP_INFO_get0_alg(arg2, &alg); 487 break; 488 #ifndef OPENSSL_NO_CMS 489 case ASN1_PKEY_CTRL_CMS_SIGN: 490 if (arg1 == 0) 491 return rsa_cms_sign(arg2); 492 else if (arg1 == 1) 493 return rsa_cms_verify(arg2); 494 break; 495 496 case ASN1_PKEY_CTRL_CMS_ENVELOPE: 497 if (pkey_is_pss(pkey)) 498 return -2; 499 if (arg1 == 0) 500 return rsa_cms_encrypt(arg2); 501 else if (arg1 == 1) 502 return rsa_cms_decrypt(arg2); 503 break; 504 505 case ASN1_PKEY_CTRL_CMS_RI_TYPE: 506 if (pkey_is_pss(pkey)) 507 return -2; 508 *(int *)arg2 = CMS_RECIPINFO_TRANS; 509 return 1; 510 #endif 511 512 case ASN1_PKEY_CTRL_DEFAULT_MD_NID: 513 if (pkey->pkey.rsa->pss != NULL) { 514 if (!rsa_pss_get_param(pkey->pkey.rsa->pss, &md, &mgf1md, 515 &min_saltlen)) { 516 RSAerr(0, ERR_R_INTERNAL_ERROR); 517 return 0; 518 } 519 *(int *)arg2 = EVP_MD_type(md); 520 /* Return of 2 indicates this MD is mandatory */ 521 return 2; 522 } 523 *(int *)arg2 = NID_sha256; 524 return 1; 525 526 default: 527 return -2; 528 529 } 530 531 if (alg) 532 X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption), V_ASN1_NULL, 0); 533 534 return 1; 535 536 } 537 538 /* allocate and set algorithm ID from EVP_MD, default SHA1 */ 539 static int rsa_md_to_algor(X509_ALGOR **palg, const EVP_MD *md) 540 { 541 if (md == NULL || EVP_MD_type(md) == NID_sha1) 542 return 1; 543 *palg = X509_ALGOR_new(); 544 if (*palg == NULL) 545 return 0; 546 X509_ALGOR_set_md(*palg, md); 547 return 1; 548 } 549 550 /* Allocate and set MGF1 algorithm ID from EVP_MD */ 551 static int rsa_md_to_mgf1(X509_ALGOR **palg, const EVP_MD *mgf1md) 552 { 553 X509_ALGOR *algtmp = NULL; 554 ASN1_STRING *stmp = NULL; 555 556 *palg = NULL; 557 if (mgf1md == NULL || EVP_MD_type(mgf1md) == NID_sha1) 558 return 1; 559 /* need to embed algorithm ID inside another */ 560 if (!rsa_md_to_algor(&algtmp, mgf1md)) 561 goto err; 562 if (ASN1_item_pack(algtmp, ASN1_ITEM_rptr(X509_ALGOR), &stmp) == NULL) 563 goto err; 564 *palg = X509_ALGOR_new(); 565 if (*palg == NULL) 566 goto err; 567 X509_ALGOR_set0(*palg, OBJ_nid2obj(NID_mgf1), V_ASN1_SEQUENCE, stmp); 568 stmp = NULL; 569 err: 570 ASN1_STRING_free(stmp); 571 X509_ALGOR_free(algtmp); 572 if (*palg) 573 return 1; 574 return 0; 575 } 576 577 /* convert algorithm ID to EVP_MD, default SHA1 */ 578 static const EVP_MD *rsa_algor_to_md(X509_ALGOR *alg) 579 { 580 const EVP_MD *md; 581 582 if (!alg) 583 return EVP_sha1(); 584 md = EVP_get_digestbyobj(alg->algorithm); 585 if (md == NULL) 586 RSAerr(RSA_F_RSA_ALGOR_TO_MD, RSA_R_UNKNOWN_DIGEST); 587 return md; 588 } 589 590 /* 591 * Convert EVP_PKEY_CTX in PSS mode into corresponding algorithm parameter, 592 * suitable for setting an AlgorithmIdentifier. 593 */ 594 595 static RSA_PSS_PARAMS *rsa_ctx_to_pss(EVP_PKEY_CTX *pkctx) 596 { 597 const EVP_MD *sigmd, *mgf1md; 598 EVP_PKEY *pk = EVP_PKEY_CTX_get0_pkey(pkctx); 599 int saltlen; 600 601 if (EVP_PKEY_CTX_get_signature_md(pkctx, &sigmd) <= 0) 602 return NULL; 603 if (EVP_PKEY_CTX_get_rsa_mgf1_md(pkctx, &mgf1md) <= 0) 604 return NULL; 605 if (!EVP_PKEY_CTX_get_rsa_pss_saltlen(pkctx, &saltlen)) 606 return NULL; 607 if (saltlen == -1) { 608 saltlen = EVP_MD_size(sigmd); 609 } else if (saltlen == -2 || saltlen == -3) { 610 saltlen = EVP_PKEY_size(pk) - EVP_MD_size(sigmd) - 2; 611 if ((EVP_PKEY_bits(pk) & 0x7) == 1) 612 saltlen--; 613 if (saltlen < 0) 614 return NULL; 615 } 616 617 return rsa_pss_params_create(sigmd, mgf1md, saltlen); 618 } 619 620 RSA_PSS_PARAMS *rsa_pss_params_create(const EVP_MD *sigmd, 621 const EVP_MD *mgf1md, int saltlen) 622 { 623 RSA_PSS_PARAMS *pss = RSA_PSS_PARAMS_new(); 624 625 if (pss == NULL) 626 goto err; 627 if (saltlen != 20) { 628 pss->saltLength = ASN1_INTEGER_new(); 629 if (pss->saltLength == NULL) 630 goto err; 631 if (!ASN1_INTEGER_set(pss->saltLength, saltlen)) 632 goto err; 633 } 634 if (!rsa_md_to_algor(&pss->hashAlgorithm, sigmd)) 635 goto err; 636 if (mgf1md == NULL) 637 mgf1md = sigmd; 638 if (!rsa_md_to_mgf1(&pss->maskGenAlgorithm, mgf1md)) 639 goto err; 640 if (!rsa_md_to_algor(&pss->maskHash, mgf1md)) 641 goto err; 642 return pss; 643 err: 644 RSA_PSS_PARAMS_free(pss); 645 return NULL; 646 } 647 648 static ASN1_STRING *rsa_ctx_to_pss_string(EVP_PKEY_CTX *pkctx) 649 { 650 RSA_PSS_PARAMS *pss = rsa_ctx_to_pss(pkctx); 651 ASN1_STRING *os; 652 653 if (pss == NULL) 654 return NULL; 655 656 os = ASN1_item_pack(pss, ASN1_ITEM_rptr(RSA_PSS_PARAMS), NULL); 657 RSA_PSS_PARAMS_free(pss); 658 return os; 659 } 660 661 /* 662 * From PSS AlgorithmIdentifier set public key parameters. If pkey isn't NULL 663 * then the EVP_MD_CTX is setup and initialised. If it is NULL parameters are 664 * passed to pkctx instead. 665 */ 666 667 static int rsa_pss_to_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pkctx, 668 X509_ALGOR *sigalg, EVP_PKEY *pkey) 669 { 670 int rv = -1; 671 int saltlen; 672 const EVP_MD *mgf1md = NULL, *md = NULL; 673 RSA_PSS_PARAMS *pss; 674 675 /* Sanity check: make sure it is PSS */ 676 if (OBJ_obj2nid(sigalg->algorithm) != EVP_PKEY_RSA_PSS) { 677 RSAerr(RSA_F_RSA_PSS_TO_CTX, RSA_R_UNSUPPORTED_SIGNATURE_TYPE); 678 return -1; 679 } 680 /* Decode PSS parameters */ 681 pss = rsa_pss_decode(sigalg); 682 683 if (!rsa_pss_get_param(pss, &md, &mgf1md, &saltlen)) { 684 RSAerr(RSA_F_RSA_PSS_TO_CTX, RSA_R_INVALID_PSS_PARAMETERS); 685 goto err; 686 } 687 688 /* We have all parameters now set up context */ 689 if (pkey) { 690 if (!EVP_DigestVerifyInit(ctx, &pkctx, md, NULL, pkey)) 691 goto err; 692 } else { 693 const EVP_MD *checkmd; 694 if (EVP_PKEY_CTX_get_signature_md(pkctx, &checkmd) <= 0) 695 goto err; 696 if (EVP_MD_type(md) != EVP_MD_type(checkmd)) { 697 RSAerr(RSA_F_RSA_PSS_TO_CTX, RSA_R_DIGEST_DOES_NOT_MATCH); 698 goto err; 699 } 700 } 701 702 if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_PSS_PADDING) <= 0) 703 goto err; 704 705 if (EVP_PKEY_CTX_set_rsa_pss_saltlen(pkctx, saltlen) <= 0) 706 goto err; 707 708 if (EVP_PKEY_CTX_set_rsa_mgf1_md(pkctx, mgf1md) <= 0) 709 goto err; 710 /* Carry on */ 711 rv = 1; 712 713 err: 714 RSA_PSS_PARAMS_free(pss); 715 return rv; 716 } 717 718 int rsa_pss_get_param(const RSA_PSS_PARAMS *pss, const EVP_MD **pmd, 719 const EVP_MD **pmgf1md, int *psaltlen) 720 { 721 if (pss == NULL) 722 return 0; 723 *pmd = rsa_algor_to_md(pss->hashAlgorithm); 724 if (*pmd == NULL) 725 return 0; 726 *pmgf1md = rsa_algor_to_md(pss->maskHash); 727 if (*pmgf1md == NULL) 728 return 0; 729 if (pss->saltLength) { 730 *psaltlen = ASN1_INTEGER_get(pss->saltLength); 731 if (*psaltlen < 0) { 732 RSAerr(RSA_F_RSA_PSS_GET_PARAM, RSA_R_INVALID_SALT_LENGTH); 733 return 0; 734 } 735 } else { 736 *psaltlen = 20; 737 } 738 739 /* 740 * low-level routines support only trailer field 0xbc (value 1) and 741 * PKCS#1 says we should reject any other value anyway. 742 */ 743 if (pss->trailerField && ASN1_INTEGER_get(pss->trailerField) != 1) { 744 RSAerr(RSA_F_RSA_PSS_GET_PARAM, RSA_R_INVALID_TRAILER); 745 return 0; 746 } 747 748 return 1; 749 } 750 751 #ifndef OPENSSL_NO_CMS 752 static int rsa_cms_verify(CMS_SignerInfo *si) 753 { 754 int nid, nid2; 755 X509_ALGOR *alg; 756 EVP_PKEY_CTX *pkctx = CMS_SignerInfo_get0_pkey_ctx(si); 757 758 CMS_SignerInfo_get0_algs(si, NULL, NULL, NULL, &alg); 759 nid = OBJ_obj2nid(alg->algorithm); 760 if (nid == EVP_PKEY_RSA_PSS) 761 return rsa_pss_to_ctx(NULL, pkctx, alg, NULL); 762 /* Only PSS allowed for PSS keys */ 763 if (pkey_ctx_is_pss(pkctx)) { 764 RSAerr(RSA_F_RSA_CMS_VERIFY, RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE); 765 return 0; 766 } 767 if (nid == NID_rsaEncryption) 768 return 1; 769 /* Workaround for some implementation that use a signature OID */ 770 if (OBJ_find_sigid_algs(nid, NULL, &nid2)) { 771 if (nid2 == NID_rsaEncryption) 772 return 1; 773 } 774 return 0; 775 } 776 #endif 777 778 /* 779 * Customised RSA item verification routine. This is called when a signature 780 * is encountered requiring special handling. We currently only handle PSS. 781 */ 782 783 static int rsa_item_verify(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn, 784 X509_ALGOR *sigalg, ASN1_BIT_STRING *sig, 785 EVP_PKEY *pkey) 786 { 787 /* Sanity check: make sure it is PSS */ 788 if (OBJ_obj2nid(sigalg->algorithm) != EVP_PKEY_RSA_PSS) { 789 RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_UNSUPPORTED_SIGNATURE_TYPE); 790 return -1; 791 } 792 if (rsa_pss_to_ctx(ctx, NULL, sigalg, pkey) > 0) { 793 /* Carry on */ 794 return 2; 795 } 796 return -1; 797 } 798 799 #ifndef OPENSSL_NO_CMS 800 static int rsa_cms_sign(CMS_SignerInfo *si) 801 { 802 int pad_mode = RSA_PKCS1_PADDING; 803 X509_ALGOR *alg; 804 EVP_PKEY_CTX *pkctx = CMS_SignerInfo_get0_pkey_ctx(si); 805 ASN1_STRING *os = NULL; 806 807 CMS_SignerInfo_get0_algs(si, NULL, NULL, NULL, &alg); 808 if (pkctx) { 809 if (EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode) <= 0) 810 return 0; 811 } 812 if (pad_mode == RSA_PKCS1_PADDING) { 813 X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption), V_ASN1_NULL, 0); 814 return 1; 815 } 816 /* We don't support it */ 817 if (pad_mode != RSA_PKCS1_PSS_PADDING) 818 return 0; 819 os = rsa_ctx_to_pss_string(pkctx); 820 if (!os) 821 return 0; 822 X509_ALGOR_set0(alg, OBJ_nid2obj(EVP_PKEY_RSA_PSS), V_ASN1_SEQUENCE, os); 823 return 1; 824 } 825 #endif 826 827 static int rsa_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn, 828 X509_ALGOR *alg1, X509_ALGOR *alg2, 829 ASN1_BIT_STRING *sig) 830 { 831 int pad_mode; 832 EVP_PKEY_CTX *pkctx = EVP_MD_CTX_pkey_ctx(ctx); 833 834 if (EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode) <= 0) 835 return 0; 836 if (pad_mode == RSA_PKCS1_PADDING) 837 return 2; 838 if (pad_mode == RSA_PKCS1_PSS_PADDING) { 839 ASN1_STRING *os1 = NULL; 840 os1 = rsa_ctx_to_pss_string(pkctx); 841 if (!os1) 842 return 0; 843 /* Duplicate parameters if we have to */ 844 if (alg2) { 845 ASN1_STRING *os2 = ASN1_STRING_dup(os1); 846 if (!os2) { 847 ASN1_STRING_free(os1); 848 return 0; 849 } 850 X509_ALGOR_set0(alg2, OBJ_nid2obj(EVP_PKEY_RSA_PSS), 851 V_ASN1_SEQUENCE, os2); 852 } 853 X509_ALGOR_set0(alg1, OBJ_nid2obj(EVP_PKEY_RSA_PSS), 854 V_ASN1_SEQUENCE, os1); 855 return 3; 856 } 857 return 2; 858 } 859 860 static int rsa_sig_info_set(X509_SIG_INFO *siginf, const X509_ALGOR *sigalg, 861 const ASN1_STRING *sig) 862 { 863 int rv = 0; 864 int mdnid, saltlen; 865 uint32_t flags; 866 const EVP_MD *mgf1md = NULL, *md = NULL; 867 RSA_PSS_PARAMS *pss; 868 869 /* Sanity check: make sure it is PSS */ 870 if (OBJ_obj2nid(sigalg->algorithm) != EVP_PKEY_RSA_PSS) 871 return 0; 872 /* Decode PSS parameters */ 873 pss = rsa_pss_decode(sigalg); 874 if (!rsa_pss_get_param(pss, &md, &mgf1md, &saltlen)) 875 goto err; 876 mdnid = EVP_MD_type(md); 877 /* 878 * For TLS need SHA256, SHA384 or SHA512, digest and MGF1 digest must 879 * match and salt length must equal digest size 880 */ 881 if ((mdnid == NID_sha256 || mdnid == NID_sha384 || mdnid == NID_sha512) 882 && mdnid == EVP_MD_type(mgf1md) && saltlen == EVP_MD_size(md)) 883 flags = X509_SIG_INFO_TLS; 884 else 885 flags = 0; 886 /* Note: security bits half number of digest bits */ 887 X509_SIG_INFO_set(siginf, mdnid, EVP_PKEY_RSA_PSS, EVP_MD_size(md) * 4, 888 flags); 889 rv = 1; 890 err: 891 RSA_PSS_PARAMS_free(pss); 892 return rv; 893 } 894 895 #ifndef OPENSSL_NO_CMS 896 static RSA_OAEP_PARAMS *rsa_oaep_decode(const X509_ALGOR *alg) 897 { 898 RSA_OAEP_PARAMS *oaep; 899 900 oaep = ASN1_TYPE_unpack_sequence(ASN1_ITEM_rptr(RSA_OAEP_PARAMS), 901 alg->parameter); 902 903 if (oaep == NULL) 904 return NULL; 905 906 if (oaep->maskGenFunc != NULL) { 907 oaep->maskHash = rsa_mgf1_decode(oaep->maskGenFunc); 908 if (oaep->maskHash == NULL) { 909 RSA_OAEP_PARAMS_free(oaep); 910 return NULL; 911 } 912 } 913 return oaep; 914 } 915 916 static int rsa_cms_decrypt(CMS_RecipientInfo *ri) 917 { 918 EVP_PKEY_CTX *pkctx; 919 X509_ALGOR *cmsalg; 920 int nid; 921 int rv = -1; 922 unsigned char *label = NULL; 923 int labellen = 0; 924 const EVP_MD *mgf1md = NULL, *md = NULL; 925 RSA_OAEP_PARAMS *oaep; 926 927 pkctx = CMS_RecipientInfo_get0_pkey_ctx(ri); 928 if (pkctx == NULL) 929 return 0; 930 if (!CMS_RecipientInfo_ktri_get0_algs(ri, NULL, NULL, &cmsalg)) 931 return -1; 932 nid = OBJ_obj2nid(cmsalg->algorithm); 933 if (nid == NID_rsaEncryption) 934 return 1; 935 if (nid != NID_rsaesOaep) { 936 RSAerr(RSA_F_RSA_CMS_DECRYPT, RSA_R_UNSUPPORTED_ENCRYPTION_TYPE); 937 return -1; 938 } 939 /* Decode OAEP parameters */ 940 oaep = rsa_oaep_decode(cmsalg); 941 942 if (oaep == NULL) { 943 RSAerr(RSA_F_RSA_CMS_DECRYPT, RSA_R_INVALID_OAEP_PARAMETERS); 944 goto err; 945 } 946 947 mgf1md = rsa_algor_to_md(oaep->maskHash); 948 if (mgf1md == NULL) 949 goto err; 950 md = rsa_algor_to_md(oaep->hashFunc); 951 if (md == NULL) 952 goto err; 953 954 if (oaep->pSourceFunc != NULL) { 955 X509_ALGOR *plab = oaep->pSourceFunc; 956 957 if (OBJ_obj2nid(plab->algorithm) != NID_pSpecified) { 958 RSAerr(RSA_F_RSA_CMS_DECRYPT, RSA_R_UNSUPPORTED_LABEL_SOURCE); 959 goto err; 960 } 961 if (plab->parameter->type != V_ASN1_OCTET_STRING) { 962 RSAerr(RSA_F_RSA_CMS_DECRYPT, RSA_R_INVALID_LABEL); 963 goto err; 964 } 965 966 label = plab->parameter->value.octet_string->data; 967 /* Stop label being freed when OAEP parameters are freed */ 968 plab->parameter->value.octet_string->data = NULL; 969 labellen = plab->parameter->value.octet_string->length; 970 } 971 972 if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_OAEP_PADDING) <= 0) 973 goto err; 974 if (EVP_PKEY_CTX_set_rsa_oaep_md(pkctx, md) <= 0) 975 goto err; 976 if (EVP_PKEY_CTX_set_rsa_mgf1_md(pkctx, mgf1md) <= 0) 977 goto err; 978 if (EVP_PKEY_CTX_set0_rsa_oaep_label(pkctx, label, labellen) <= 0) 979 goto err; 980 /* Carry on */ 981 rv = 1; 982 983 err: 984 RSA_OAEP_PARAMS_free(oaep); 985 return rv; 986 } 987 988 static int rsa_cms_encrypt(CMS_RecipientInfo *ri) 989 { 990 const EVP_MD *md, *mgf1md; 991 RSA_OAEP_PARAMS *oaep = NULL; 992 ASN1_STRING *os = NULL; 993 X509_ALGOR *alg; 994 EVP_PKEY_CTX *pkctx = CMS_RecipientInfo_get0_pkey_ctx(ri); 995 int pad_mode = RSA_PKCS1_PADDING, rv = 0, labellen; 996 unsigned char *label; 997 998 if (CMS_RecipientInfo_ktri_get0_algs(ri, NULL, NULL, &alg) <= 0) 999 return 0; 1000 if (pkctx) { 1001 if (EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode) <= 0) 1002 return 0; 1003 } 1004 if (pad_mode == RSA_PKCS1_PADDING) { 1005 X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption), V_ASN1_NULL, 0); 1006 return 1; 1007 } 1008 /* Not supported */ 1009 if (pad_mode != RSA_PKCS1_OAEP_PADDING) 1010 return 0; 1011 if (EVP_PKEY_CTX_get_rsa_oaep_md(pkctx, &md) <= 0) 1012 goto err; 1013 if (EVP_PKEY_CTX_get_rsa_mgf1_md(pkctx, &mgf1md) <= 0) 1014 goto err; 1015 labellen = EVP_PKEY_CTX_get0_rsa_oaep_label(pkctx, &label); 1016 if (labellen < 0) 1017 goto err; 1018 oaep = RSA_OAEP_PARAMS_new(); 1019 if (oaep == NULL) 1020 goto err; 1021 if (!rsa_md_to_algor(&oaep->hashFunc, md)) 1022 goto err; 1023 if (!rsa_md_to_mgf1(&oaep->maskGenFunc, mgf1md)) 1024 goto err; 1025 if (labellen > 0) { 1026 ASN1_OCTET_STRING *los; 1027 oaep->pSourceFunc = X509_ALGOR_new(); 1028 if (oaep->pSourceFunc == NULL) 1029 goto err; 1030 los = ASN1_OCTET_STRING_new(); 1031 if (los == NULL) 1032 goto err; 1033 if (!ASN1_OCTET_STRING_set(los, label, labellen)) { 1034 ASN1_OCTET_STRING_free(los); 1035 goto err; 1036 } 1037 X509_ALGOR_set0(oaep->pSourceFunc, OBJ_nid2obj(NID_pSpecified), 1038 V_ASN1_OCTET_STRING, los); 1039 } 1040 /* create string with pss parameter encoding. */ 1041 if (!ASN1_item_pack(oaep, ASN1_ITEM_rptr(RSA_OAEP_PARAMS), &os)) 1042 goto err; 1043 X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaesOaep), V_ASN1_SEQUENCE, os); 1044 os = NULL; 1045 rv = 1; 1046 err: 1047 RSA_OAEP_PARAMS_free(oaep); 1048 ASN1_STRING_free(os); 1049 return rv; 1050 } 1051 #endif 1052 1053 static int rsa_pkey_check(const EVP_PKEY *pkey) 1054 { 1055 return RSA_check_key_ex(pkey->pkey.rsa, NULL); 1056 } 1057 1058 const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[2] = { 1059 { 1060 EVP_PKEY_RSA, 1061 EVP_PKEY_RSA, 1062 ASN1_PKEY_SIGPARAM_NULL, 1063 1064 "RSA", 1065 "OpenSSL RSA method", 1066 1067 rsa_pub_decode, 1068 rsa_pub_encode, 1069 rsa_pub_cmp, 1070 rsa_pub_print, 1071 1072 rsa_priv_decode, 1073 rsa_priv_encode, 1074 rsa_priv_print, 1075 1076 int_rsa_size, 1077 rsa_bits, 1078 rsa_security_bits, 1079 1080 0, 0, 0, 0, 0, 0, 1081 1082 rsa_sig_print, 1083 int_rsa_free, 1084 rsa_pkey_ctrl, 1085 old_rsa_priv_decode, 1086 old_rsa_priv_encode, 1087 rsa_item_verify, 1088 rsa_item_sign, 1089 rsa_sig_info_set, 1090 rsa_pkey_check 1091 }, 1092 1093 { 1094 EVP_PKEY_RSA2, 1095 EVP_PKEY_RSA, 1096 ASN1_PKEY_ALIAS} 1097 }; 1098 1099 const EVP_PKEY_ASN1_METHOD rsa_pss_asn1_meth = { 1100 EVP_PKEY_RSA_PSS, 1101 EVP_PKEY_RSA_PSS, 1102 ASN1_PKEY_SIGPARAM_NULL, 1103 1104 "RSA-PSS", 1105 "OpenSSL RSA-PSS method", 1106 1107 rsa_pub_decode, 1108 rsa_pub_encode, 1109 rsa_pub_cmp, 1110 rsa_pub_print, 1111 1112 rsa_priv_decode, 1113 rsa_priv_encode, 1114 rsa_priv_print, 1115 1116 int_rsa_size, 1117 rsa_bits, 1118 rsa_security_bits, 1119 1120 0, 0, 0, 0, 0, 0, 1121 1122 rsa_sig_print, 1123 int_rsa_free, 1124 rsa_pkey_ctrl, 1125 0, 0, 1126 rsa_item_verify, 1127 rsa_item_sign, 1128 0, 1129 rsa_pkey_check 1130 }; 1131