1 /* 2 * Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <stdio.h> 11 #include "internal/cryptlib.h" 12 #include <openssl/asn1t.h> 13 #include <openssl/x509.h> 14 #include <openssl/bn.h> 15 #include <openssl/cms.h> 16 #include "crypto/asn1.h" 17 #include "crypto/evp.h" 18 #include "rsa_local.h" 19 20 #ifndef OPENSSL_NO_CMS 21 static int rsa_cms_sign(CMS_SignerInfo *si); 22 static int rsa_cms_verify(CMS_SignerInfo *si); 23 static int rsa_cms_decrypt(CMS_RecipientInfo *ri); 24 static int rsa_cms_encrypt(CMS_RecipientInfo *ri); 25 #endif 26 27 static RSA_PSS_PARAMS *rsa_pss_decode(const X509_ALGOR *alg); 28 29 /* Set any parameters associated with pkey */ 30 static int rsa_param_encode(const EVP_PKEY *pkey, 31 ASN1_STRING **pstr, int *pstrtype) 32 { 33 const RSA *rsa = pkey->pkey.rsa; 34 35 *pstr = NULL; 36 /* If RSA it's just NULL type */ 37 if (pkey->ameth->pkey_id != EVP_PKEY_RSA_PSS) { 38 *pstrtype = V_ASN1_NULL; 39 return 1; 40 } 41 /* If no PSS parameters we omit parameters entirely */ 42 if (rsa->pss == NULL) { 43 *pstrtype = V_ASN1_UNDEF; 44 return 1; 45 } 46 /* Encode PSS parameters */ 47 if (ASN1_item_pack(rsa->pss, ASN1_ITEM_rptr(RSA_PSS_PARAMS), pstr) == NULL) 48 return 0; 49 50 *pstrtype = V_ASN1_SEQUENCE; 51 return 1; 52 } 53 /* Decode any parameters and set them in RSA structure */ 54 static int rsa_param_decode(RSA *rsa, const X509_ALGOR *alg) 55 { 56 const ASN1_OBJECT *algoid; 57 const void *algp; 58 int algptype; 59 60 X509_ALGOR_get0(&algoid, &algptype, &algp, alg); 61 if (OBJ_obj2nid(algoid) != EVP_PKEY_RSA_PSS) 62 return 1; 63 if (algptype == V_ASN1_UNDEF) 64 return 1; 65 if (algptype != V_ASN1_SEQUENCE) { 66 RSAerr(RSA_F_RSA_PARAM_DECODE, RSA_R_INVALID_PSS_PARAMETERS); 67 return 0; 68 } 69 rsa->pss = rsa_pss_decode(alg); 70 if (rsa->pss == NULL) 71 return 0; 72 return 1; 73 } 74 75 static int rsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey) 76 { 77 unsigned char *penc = NULL; 78 int penclen; 79 ASN1_STRING *str; 80 int strtype; 81 82 if (!rsa_param_encode(pkey, &str, &strtype)) 83 return 0; 84 penclen = i2d_RSAPublicKey(pkey->pkey.rsa, &penc); 85 if (penclen <= 0) 86 return 0; 87 if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(pkey->ameth->pkey_id), 88 strtype, str, penc, penclen)) 89 return 1; 90 91 OPENSSL_free(penc); 92 return 0; 93 } 94 95 static int rsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey) 96 { 97 const unsigned char *p; 98 int pklen; 99 X509_ALGOR *alg; 100 RSA *rsa = NULL; 101 102 if (!X509_PUBKEY_get0_param(NULL, &p, &pklen, &alg, pubkey)) 103 return 0; 104 if ((rsa = d2i_RSAPublicKey(NULL, &p, pklen)) == NULL) { 105 RSAerr(RSA_F_RSA_PUB_DECODE, ERR_R_RSA_LIB); 106 return 0; 107 } 108 if (!rsa_param_decode(rsa, alg)) { 109 RSA_free(rsa); 110 return 0; 111 } 112 if (!EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa)) { 113 RSA_free(rsa); 114 return 0; 115 } 116 return 1; 117 } 118 119 static int rsa_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b) 120 { 121 /* 122 * Don't check the public/private key, this is mostly for smart 123 * cards. 124 */ 125 if (((RSA_flags(a->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK)) 126 || (RSA_flags(b->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK)) { 127 return 1; 128 } 129 130 if (BN_cmp(b->pkey.rsa->n, a->pkey.rsa->n) != 0 131 || BN_cmp(b->pkey.rsa->e, a->pkey.rsa->e) != 0) 132 return 0; 133 return 1; 134 } 135 136 static int old_rsa_priv_decode(EVP_PKEY *pkey, 137 const unsigned char **pder, int derlen) 138 { 139 RSA *rsa; 140 141 if ((rsa = d2i_RSAPrivateKey(NULL, pder, derlen)) == NULL) { 142 RSAerr(RSA_F_OLD_RSA_PRIV_DECODE, ERR_R_RSA_LIB); 143 return 0; 144 } 145 EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa); 146 return 1; 147 } 148 149 static int old_rsa_priv_encode(const EVP_PKEY *pkey, unsigned char **pder) 150 { 151 return i2d_RSAPrivateKey(pkey->pkey.rsa, pder); 152 } 153 154 static int rsa_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey) 155 { 156 unsigned char *rk = NULL; 157 int rklen; 158 ASN1_STRING *str; 159 int strtype; 160 161 if (!rsa_param_encode(pkey, &str, &strtype)) 162 return 0; 163 rklen = i2d_RSAPrivateKey(pkey->pkey.rsa, &rk); 164 165 if (rklen <= 0) { 166 RSAerr(RSA_F_RSA_PRIV_ENCODE, ERR_R_MALLOC_FAILURE); 167 ASN1_STRING_free(str); 168 return 0; 169 } 170 171 if (!PKCS8_pkey_set0(p8, OBJ_nid2obj(pkey->ameth->pkey_id), 0, 172 strtype, str, rk, rklen)) { 173 RSAerr(RSA_F_RSA_PRIV_ENCODE, ERR_R_MALLOC_FAILURE); 174 ASN1_STRING_free(str); 175 return 0; 176 } 177 178 return 1; 179 } 180 181 static int rsa_priv_decode(EVP_PKEY *pkey, const PKCS8_PRIV_KEY_INFO *p8) 182 { 183 const unsigned char *p; 184 RSA *rsa; 185 int pklen; 186 const X509_ALGOR *alg; 187 188 if (!PKCS8_pkey_get0(NULL, &p, &pklen, &alg, p8)) 189 return 0; 190 rsa = d2i_RSAPrivateKey(NULL, &p, pklen); 191 if (rsa == NULL) { 192 RSAerr(RSA_F_RSA_PRIV_DECODE, ERR_R_RSA_LIB); 193 return 0; 194 } 195 if (!rsa_param_decode(rsa, alg)) { 196 RSA_free(rsa); 197 return 0; 198 } 199 EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa); 200 return 1; 201 } 202 203 static int int_rsa_size(const EVP_PKEY *pkey) 204 { 205 return RSA_size(pkey->pkey.rsa); 206 } 207 208 static int rsa_bits(const EVP_PKEY *pkey) 209 { 210 return BN_num_bits(pkey->pkey.rsa->n); 211 } 212 213 static int rsa_security_bits(const EVP_PKEY *pkey) 214 { 215 return RSA_security_bits(pkey->pkey.rsa); 216 } 217 218 static void int_rsa_free(EVP_PKEY *pkey) 219 { 220 RSA_free(pkey->pkey.rsa); 221 } 222 223 static X509_ALGOR *rsa_mgf1_decode(X509_ALGOR *alg) 224 { 225 if (OBJ_obj2nid(alg->algorithm) != NID_mgf1) 226 return NULL; 227 return ASN1_TYPE_unpack_sequence(ASN1_ITEM_rptr(X509_ALGOR), 228 alg->parameter); 229 } 230 231 static int rsa_pss_param_print(BIO *bp, int pss_key, RSA_PSS_PARAMS *pss, 232 int indent) 233 { 234 int rv = 0; 235 X509_ALGOR *maskHash = NULL; 236 237 if (!BIO_indent(bp, indent, 128)) 238 goto err; 239 if (pss_key) { 240 if (pss == NULL) { 241 if (BIO_puts(bp, "No PSS parameter restrictions\n") <= 0) 242 return 0; 243 return 1; 244 } else { 245 if (BIO_puts(bp, "PSS parameter restrictions:") <= 0) 246 return 0; 247 } 248 } else if (pss == NULL) { 249 if (BIO_puts(bp,"(INVALID PSS PARAMETERS)\n") <= 0) 250 return 0; 251 return 1; 252 } 253 if (BIO_puts(bp, "\n") <= 0) 254 goto err; 255 if (pss_key) 256 indent += 2; 257 if (!BIO_indent(bp, indent, 128)) 258 goto err; 259 if (BIO_puts(bp, "Hash Algorithm: ") <= 0) 260 goto err; 261 262 if (pss->hashAlgorithm) { 263 if (i2a_ASN1_OBJECT(bp, pss->hashAlgorithm->algorithm) <= 0) 264 goto err; 265 } else if (BIO_puts(bp, "sha1 (default)") <= 0) { 266 goto err; 267 } 268 269 if (BIO_puts(bp, "\n") <= 0) 270 goto err; 271 272 if (!BIO_indent(bp, indent, 128)) 273 goto err; 274 275 if (BIO_puts(bp, "Mask Algorithm: ") <= 0) 276 goto err; 277 if (pss->maskGenAlgorithm) { 278 if (i2a_ASN1_OBJECT(bp, pss->maskGenAlgorithm->algorithm) <= 0) 279 goto err; 280 if (BIO_puts(bp, " with ") <= 0) 281 goto err; 282 maskHash = rsa_mgf1_decode(pss->maskGenAlgorithm); 283 if (maskHash != NULL) { 284 if (i2a_ASN1_OBJECT(bp, maskHash->algorithm) <= 0) 285 goto err; 286 } else if (BIO_puts(bp, "INVALID") <= 0) { 287 goto err; 288 } 289 } else if (BIO_puts(bp, "mgf1 with sha1 (default)") <= 0) { 290 goto err; 291 } 292 BIO_puts(bp, "\n"); 293 294 if (!BIO_indent(bp, indent, 128)) 295 goto err; 296 if (BIO_printf(bp, "%s Salt Length: 0x", pss_key ? "Minimum" : "") <= 0) 297 goto err; 298 if (pss->saltLength) { 299 if (i2a_ASN1_INTEGER(bp, pss->saltLength) <= 0) 300 goto err; 301 } else if (BIO_puts(bp, "14 (default)") <= 0) { 302 goto err; 303 } 304 BIO_puts(bp, "\n"); 305 306 if (!BIO_indent(bp, indent, 128)) 307 goto err; 308 if (BIO_puts(bp, "Trailer Field: 0x") <= 0) 309 goto err; 310 if (pss->trailerField) { 311 if (i2a_ASN1_INTEGER(bp, pss->trailerField) <= 0) 312 goto err; 313 } else if (BIO_puts(bp, "BC (default)") <= 0) { 314 goto err; 315 } 316 BIO_puts(bp, "\n"); 317 318 rv = 1; 319 320 err: 321 X509_ALGOR_free(maskHash); 322 return rv; 323 324 } 325 326 static int pkey_rsa_print(BIO *bp, const EVP_PKEY *pkey, int off, int priv) 327 { 328 const RSA *x = pkey->pkey.rsa; 329 char *str; 330 const char *s; 331 int ret = 0, mod_len = 0, ex_primes; 332 333 if (x->n != NULL) 334 mod_len = BN_num_bits(x->n); 335 ex_primes = sk_RSA_PRIME_INFO_num(x->prime_infos); 336 337 if (!BIO_indent(bp, off, 128)) 338 goto err; 339 340 if (BIO_printf(bp, "%s ", pkey_is_pss(pkey) ? "RSA-PSS" : "RSA") <= 0) 341 goto err; 342 343 if (priv && x->d) { 344 if (BIO_printf(bp, "Private-Key: (%d bit, %d primes)\n", 345 mod_len, ex_primes <= 0 ? 2 : ex_primes + 2) <= 0) 346 goto err; 347 str = "modulus:"; 348 s = "publicExponent:"; 349 } else { 350 if (BIO_printf(bp, "Public-Key: (%d bit)\n", mod_len) <= 0) 351 goto err; 352 str = "Modulus:"; 353 s = "Exponent:"; 354 } 355 if (!ASN1_bn_print(bp, str, x->n, NULL, off)) 356 goto err; 357 if (!ASN1_bn_print(bp, s, x->e, NULL, off)) 358 goto err; 359 if (priv) { 360 int i; 361 362 if (!ASN1_bn_print(bp, "privateExponent:", x->d, NULL, off)) 363 goto err; 364 if (!ASN1_bn_print(bp, "prime1:", x->p, NULL, off)) 365 goto err; 366 if (!ASN1_bn_print(bp, "prime2:", x->q, NULL, off)) 367 goto err; 368 if (!ASN1_bn_print(bp, "exponent1:", x->dmp1, NULL, off)) 369 goto err; 370 if (!ASN1_bn_print(bp, "exponent2:", x->dmq1, NULL, off)) 371 goto err; 372 if (!ASN1_bn_print(bp, "coefficient:", x->iqmp, NULL, off)) 373 goto err; 374 for (i = 0; i < sk_RSA_PRIME_INFO_num(x->prime_infos); i++) { 375 /* print multi-prime info */ 376 BIGNUM *bn = NULL; 377 RSA_PRIME_INFO *pinfo; 378 int j; 379 380 pinfo = sk_RSA_PRIME_INFO_value(x->prime_infos, i); 381 for (j = 0; j < 3; j++) { 382 if (!BIO_indent(bp, off, 128)) 383 goto err; 384 switch (j) { 385 case 0: 386 if (BIO_printf(bp, "prime%d:", i + 3) <= 0) 387 goto err; 388 bn = pinfo->r; 389 break; 390 case 1: 391 if (BIO_printf(bp, "exponent%d:", i + 3) <= 0) 392 goto err; 393 bn = pinfo->d; 394 break; 395 case 2: 396 if (BIO_printf(bp, "coefficient%d:", i + 3) <= 0) 397 goto err; 398 bn = pinfo->t; 399 break; 400 default: 401 break; 402 } 403 if (!ASN1_bn_print(bp, "", bn, NULL, off)) 404 goto err; 405 } 406 } 407 } 408 if (pkey_is_pss(pkey) && !rsa_pss_param_print(bp, 1, x->pss, off)) 409 goto err; 410 ret = 1; 411 err: 412 return ret; 413 } 414 415 static int rsa_pub_print(BIO *bp, const EVP_PKEY *pkey, int indent, 416 ASN1_PCTX *ctx) 417 { 418 return pkey_rsa_print(bp, pkey, indent, 0); 419 } 420 421 static int rsa_priv_print(BIO *bp, const EVP_PKEY *pkey, int indent, 422 ASN1_PCTX *ctx) 423 { 424 return pkey_rsa_print(bp, pkey, indent, 1); 425 } 426 427 static RSA_PSS_PARAMS *rsa_pss_decode(const X509_ALGOR *alg) 428 { 429 RSA_PSS_PARAMS *pss; 430 431 pss = ASN1_TYPE_unpack_sequence(ASN1_ITEM_rptr(RSA_PSS_PARAMS), 432 alg->parameter); 433 434 if (pss == NULL) 435 return NULL; 436 437 if (pss->maskGenAlgorithm != NULL) { 438 pss->maskHash = rsa_mgf1_decode(pss->maskGenAlgorithm); 439 if (pss->maskHash == NULL) { 440 RSA_PSS_PARAMS_free(pss); 441 return NULL; 442 } 443 } 444 445 return pss; 446 } 447 448 static int rsa_sig_print(BIO *bp, const X509_ALGOR *sigalg, 449 const ASN1_STRING *sig, int indent, ASN1_PCTX *pctx) 450 { 451 if (OBJ_obj2nid(sigalg->algorithm) == EVP_PKEY_RSA_PSS) { 452 int rv; 453 RSA_PSS_PARAMS *pss = rsa_pss_decode(sigalg); 454 455 rv = rsa_pss_param_print(bp, 0, pss, indent); 456 RSA_PSS_PARAMS_free(pss); 457 if (!rv) 458 return 0; 459 } else if (!sig && BIO_puts(bp, "\n") <= 0) { 460 return 0; 461 } 462 if (sig) 463 return X509_signature_dump(bp, sig, indent); 464 return 1; 465 } 466 467 static int rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2) 468 { 469 X509_ALGOR *alg = NULL; 470 const EVP_MD *md; 471 const EVP_MD *mgf1md; 472 int min_saltlen; 473 474 switch (op) { 475 476 case ASN1_PKEY_CTRL_PKCS7_SIGN: 477 if (arg1 == 0) 478 PKCS7_SIGNER_INFO_get0_algs(arg2, NULL, NULL, &alg); 479 break; 480 481 case ASN1_PKEY_CTRL_PKCS7_ENCRYPT: 482 if (pkey_is_pss(pkey)) 483 return -2; 484 if (arg1 == 0) 485 PKCS7_RECIP_INFO_get0_alg(arg2, &alg); 486 break; 487 #ifndef OPENSSL_NO_CMS 488 case ASN1_PKEY_CTRL_CMS_SIGN: 489 if (arg1 == 0) 490 return rsa_cms_sign(arg2); 491 else if (arg1 == 1) 492 return rsa_cms_verify(arg2); 493 break; 494 495 case ASN1_PKEY_CTRL_CMS_ENVELOPE: 496 if (pkey_is_pss(pkey)) 497 return -2; 498 if (arg1 == 0) 499 return rsa_cms_encrypt(arg2); 500 else if (arg1 == 1) 501 return rsa_cms_decrypt(arg2); 502 break; 503 504 case ASN1_PKEY_CTRL_CMS_RI_TYPE: 505 if (pkey_is_pss(pkey)) 506 return -2; 507 *(int *)arg2 = CMS_RECIPINFO_TRANS; 508 return 1; 509 #endif 510 511 case ASN1_PKEY_CTRL_DEFAULT_MD_NID: 512 if (pkey->pkey.rsa->pss != NULL) { 513 if (!rsa_pss_get_param(pkey->pkey.rsa->pss, &md, &mgf1md, 514 &min_saltlen)) { 515 RSAerr(0, ERR_R_INTERNAL_ERROR); 516 return 0; 517 } 518 *(int *)arg2 = EVP_MD_type(md); 519 /* Return of 2 indicates this MD is mandatory */ 520 return 2; 521 } 522 *(int *)arg2 = NID_sha256; 523 return 1; 524 525 default: 526 return -2; 527 528 } 529 530 if (alg) 531 X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption), V_ASN1_NULL, 0); 532 533 return 1; 534 535 } 536 537 /* allocate and set algorithm ID from EVP_MD, default SHA1 */ 538 static int rsa_md_to_algor(X509_ALGOR **palg, const EVP_MD *md) 539 { 540 if (md == NULL || EVP_MD_type(md) == NID_sha1) 541 return 1; 542 *palg = X509_ALGOR_new(); 543 if (*palg == NULL) 544 return 0; 545 X509_ALGOR_set_md(*palg, md); 546 return 1; 547 } 548 549 /* Allocate and set MGF1 algorithm ID from EVP_MD */ 550 static int rsa_md_to_mgf1(X509_ALGOR **palg, const EVP_MD *mgf1md) 551 { 552 X509_ALGOR *algtmp = NULL; 553 ASN1_STRING *stmp = NULL; 554 555 *palg = NULL; 556 if (mgf1md == NULL || EVP_MD_type(mgf1md) == NID_sha1) 557 return 1; 558 /* need to embed algorithm ID inside another */ 559 if (!rsa_md_to_algor(&algtmp, mgf1md)) 560 goto err; 561 if (ASN1_item_pack(algtmp, ASN1_ITEM_rptr(X509_ALGOR), &stmp) == NULL) 562 goto err; 563 *palg = X509_ALGOR_new(); 564 if (*palg == NULL) 565 goto err; 566 X509_ALGOR_set0(*palg, OBJ_nid2obj(NID_mgf1), V_ASN1_SEQUENCE, stmp); 567 stmp = NULL; 568 err: 569 ASN1_STRING_free(stmp); 570 X509_ALGOR_free(algtmp); 571 if (*palg) 572 return 1; 573 return 0; 574 } 575 576 /* convert algorithm ID to EVP_MD, default SHA1 */ 577 static const EVP_MD *rsa_algor_to_md(X509_ALGOR *alg) 578 { 579 const EVP_MD *md; 580 581 if (!alg) 582 return EVP_sha1(); 583 md = EVP_get_digestbyobj(alg->algorithm); 584 if (md == NULL) 585 RSAerr(RSA_F_RSA_ALGOR_TO_MD, RSA_R_UNKNOWN_DIGEST); 586 return md; 587 } 588 589 /* 590 * Convert EVP_PKEY_CTX in PSS mode into corresponding algorithm parameter, 591 * suitable for setting an AlgorithmIdentifier. 592 */ 593 594 static RSA_PSS_PARAMS *rsa_ctx_to_pss(EVP_PKEY_CTX *pkctx) 595 { 596 const EVP_MD *sigmd, *mgf1md; 597 EVP_PKEY *pk = EVP_PKEY_CTX_get0_pkey(pkctx); 598 int saltlen; 599 600 if (EVP_PKEY_CTX_get_signature_md(pkctx, &sigmd) <= 0) 601 return NULL; 602 if (EVP_PKEY_CTX_get_rsa_mgf1_md(pkctx, &mgf1md) <= 0) 603 return NULL; 604 if (!EVP_PKEY_CTX_get_rsa_pss_saltlen(pkctx, &saltlen)) 605 return NULL; 606 if (saltlen == -1) { 607 saltlen = EVP_MD_size(sigmd); 608 } else if (saltlen == -2 || saltlen == -3) { 609 saltlen = EVP_PKEY_size(pk) - EVP_MD_size(sigmd) - 2; 610 if ((EVP_PKEY_bits(pk) & 0x7) == 1) 611 saltlen--; 612 if (saltlen < 0) 613 return NULL; 614 } 615 616 return rsa_pss_params_create(sigmd, mgf1md, saltlen); 617 } 618 619 RSA_PSS_PARAMS *rsa_pss_params_create(const EVP_MD *sigmd, 620 const EVP_MD *mgf1md, int saltlen) 621 { 622 RSA_PSS_PARAMS *pss = RSA_PSS_PARAMS_new(); 623 624 if (pss == NULL) 625 goto err; 626 if (saltlen != 20) { 627 pss->saltLength = ASN1_INTEGER_new(); 628 if (pss->saltLength == NULL) 629 goto err; 630 if (!ASN1_INTEGER_set(pss->saltLength, saltlen)) 631 goto err; 632 } 633 if (!rsa_md_to_algor(&pss->hashAlgorithm, sigmd)) 634 goto err; 635 if (mgf1md == NULL) 636 mgf1md = sigmd; 637 if (!rsa_md_to_mgf1(&pss->maskGenAlgorithm, mgf1md)) 638 goto err; 639 if (!rsa_md_to_algor(&pss->maskHash, mgf1md)) 640 goto err; 641 return pss; 642 err: 643 RSA_PSS_PARAMS_free(pss); 644 return NULL; 645 } 646 647 static ASN1_STRING *rsa_ctx_to_pss_string(EVP_PKEY_CTX *pkctx) 648 { 649 RSA_PSS_PARAMS *pss = rsa_ctx_to_pss(pkctx); 650 ASN1_STRING *os; 651 652 if (pss == NULL) 653 return NULL; 654 655 os = ASN1_item_pack(pss, ASN1_ITEM_rptr(RSA_PSS_PARAMS), NULL); 656 RSA_PSS_PARAMS_free(pss); 657 return os; 658 } 659 660 /* 661 * From PSS AlgorithmIdentifier set public key parameters. If pkey isn't NULL 662 * then the EVP_MD_CTX is setup and initialised. If it is NULL parameters are 663 * passed to pkctx instead. 664 */ 665 666 static int rsa_pss_to_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pkctx, 667 X509_ALGOR *sigalg, EVP_PKEY *pkey) 668 { 669 int rv = -1; 670 int saltlen; 671 const EVP_MD *mgf1md = NULL, *md = NULL; 672 RSA_PSS_PARAMS *pss; 673 674 /* Sanity check: make sure it is PSS */ 675 if (OBJ_obj2nid(sigalg->algorithm) != EVP_PKEY_RSA_PSS) { 676 RSAerr(RSA_F_RSA_PSS_TO_CTX, RSA_R_UNSUPPORTED_SIGNATURE_TYPE); 677 return -1; 678 } 679 /* Decode PSS parameters */ 680 pss = rsa_pss_decode(sigalg); 681 682 if (!rsa_pss_get_param(pss, &md, &mgf1md, &saltlen)) { 683 RSAerr(RSA_F_RSA_PSS_TO_CTX, RSA_R_INVALID_PSS_PARAMETERS); 684 goto err; 685 } 686 687 /* We have all parameters now set up context */ 688 if (pkey) { 689 if (!EVP_DigestVerifyInit(ctx, &pkctx, md, NULL, pkey)) 690 goto err; 691 } else { 692 const EVP_MD *checkmd; 693 if (EVP_PKEY_CTX_get_signature_md(pkctx, &checkmd) <= 0) 694 goto err; 695 if (EVP_MD_type(md) != EVP_MD_type(checkmd)) { 696 RSAerr(RSA_F_RSA_PSS_TO_CTX, RSA_R_DIGEST_DOES_NOT_MATCH); 697 goto err; 698 } 699 } 700 701 if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_PSS_PADDING) <= 0) 702 goto err; 703 704 if (EVP_PKEY_CTX_set_rsa_pss_saltlen(pkctx, saltlen) <= 0) 705 goto err; 706 707 if (EVP_PKEY_CTX_set_rsa_mgf1_md(pkctx, mgf1md) <= 0) 708 goto err; 709 /* Carry on */ 710 rv = 1; 711 712 err: 713 RSA_PSS_PARAMS_free(pss); 714 return rv; 715 } 716 717 int rsa_pss_get_param(const RSA_PSS_PARAMS *pss, const EVP_MD **pmd, 718 const EVP_MD **pmgf1md, int *psaltlen) 719 { 720 if (pss == NULL) 721 return 0; 722 *pmd = rsa_algor_to_md(pss->hashAlgorithm); 723 if (*pmd == NULL) 724 return 0; 725 *pmgf1md = rsa_algor_to_md(pss->maskHash); 726 if (*pmgf1md == NULL) 727 return 0; 728 if (pss->saltLength) { 729 *psaltlen = ASN1_INTEGER_get(pss->saltLength); 730 if (*psaltlen < 0) { 731 RSAerr(RSA_F_RSA_PSS_GET_PARAM, RSA_R_INVALID_SALT_LENGTH); 732 return 0; 733 } 734 } else { 735 *psaltlen = 20; 736 } 737 738 /* 739 * low-level routines support only trailer field 0xbc (value 1) and 740 * PKCS#1 says we should reject any other value anyway. 741 */ 742 if (pss->trailerField && ASN1_INTEGER_get(pss->trailerField) != 1) { 743 RSAerr(RSA_F_RSA_PSS_GET_PARAM, RSA_R_INVALID_TRAILER); 744 return 0; 745 } 746 747 return 1; 748 } 749 750 #ifndef OPENSSL_NO_CMS 751 static int rsa_cms_verify(CMS_SignerInfo *si) 752 { 753 int nid, nid2; 754 X509_ALGOR *alg; 755 EVP_PKEY_CTX *pkctx = CMS_SignerInfo_get0_pkey_ctx(si); 756 757 CMS_SignerInfo_get0_algs(si, NULL, NULL, NULL, &alg); 758 nid = OBJ_obj2nid(alg->algorithm); 759 if (nid == EVP_PKEY_RSA_PSS) 760 return rsa_pss_to_ctx(NULL, pkctx, alg, NULL); 761 /* Only PSS allowed for PSS keys */ 762 if (pkey_ctx_is_pss(pkctx)) { 763 RSAerr(RSA_F_RSA_CMS_VERIFY, RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE); 764 return 0; 765 } 766 if (nid == NID_rsaEncryption) 767 return 1; 768 /* Workaround for some implementation that use a signature OID */ 769 if (OBJ_find_sigid_algs(nid, NULL, &nid2)) { 770 if (nid2 == NID_rsaEncryption) 771 return 1; 772 } 773 return 0; 774 } 775 #endif 776 777 /* 778 * Customised RSA item verification routine. This is called when a signature 779 * is encountered requiring special handling. We currently only handle PSS. 780 */ 781 782 static int rsa_item_verify(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn, 783 X509_ALGOR *sigalg, ASN1_BIT_STRING *sig, 784 EVP_PKEY *pkey) 785 { 786 /* Sanity check: make sure it is PSS */ 787 if (OBJ_obj2nid(sigalg->algorithm) != EVP_PKEY_RSA_PSS) { 788 RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_UNSUPPORTED_SIGNATURE_TYPE); 789 return -1; 790 } 791 if (rsa_pss_to_ctx(ctx, NULL, sigalg, pkey) > 0) { 792 /* Carry on */ 793 return 2; 794 } 795 return -1; 796 } 797 798 #ifndef OPENSSL_NO_CMS 799 static int rsa_cms_sign(CMS_SignerInfo *si) 800 { 801 int pad_mode = RSA_PKCS1_PADDING; 802 X509_ALGOR *alg; 803 EVP_PKEY_CTX *pkctx = CMS_SignerInfo_get0_pkey_ctx(si); 804 ASN1_STRING *os = NULL; 805 806 CMS_SignerInfo_get0_algs(si, NULL, NULL, NULL, &alg); 807 if (pkctx) { 808 if (EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode) <= 0) 809 return 0; 810 } 811 if (pad_mode == RSA_PKCS1_PADDING) { 812 X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption), V_ASN1_NULL, 0); 813 return 1; 814 } 815 /* We don't support it */ 816 if (pad_mode != RSA_PKCS1_PSS_PADDING) 817 return 0; 818 os = rsa_ctx_to_pss_string(pkctx); 819 if (!os) 820 return 0; 821 X509_ALGOR_set0(alg, OBJ_nid2obj(EVP_PKEY_RSA_PSS), V_ASN1_SEQUENCE, os); 822 return 1; 823 } 824 #endif 825 826 static int rsa_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn, 827 X509_ALGOR *alg1, X509_ALGOR *alg2, 828 ASN1_BIT_STRING *sig) 829 { 830 int pad_mode; 831 EVP_PKEY_CTX *pkctx = EVP_MD_CTX_pkey_ctx(ctx); 832 833 if (EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode) <= 0) 834 return 0; 835 if (pad_mode == RSA_PKCS1_PADDING) 836 return 2; 837 if (pad_mode == RSA_PKCS1_PSS_PADDING) { 838 ASN1_STRING *os1 = NULL; 839 os1 = rsa_ctx_to_pss_string(pkctx); 840 if (!os1) 841 return 0; 842 /* Duplicate parameters if we have to */ 843 if (alg2) { 844 ASN1_STRING *os2 = ASN1_STRING_dup(os1); 845 if (!os2) { 846 ASN1_STRING_free(os1); 847 return 0; 848 } 849 X509_ALGOR_set0(alg2, OBJ_nid2obj(EVP_PKEY_RSA_PSS), 850 V_ASN1_SEQUENCE, os2); 851 } 852 X509_ALGOR_set0(alg1, OBJ_nid2obj(EVP_PKEY_RSA_PSS), 853 V_ASN1_SEQUENCE, os1); 854 return 3; 855 } 856 return 2; 857 } 858 859 static int rsa_sig_info_set(X509_SIG_INFO *siginf, const X509_ALGOR *sigalg, 860 const ASN1_STRING *sig) 861 { 862 int rv = 0; 863 int mdnid, saltlen; 864 uint32_t flags; 865 const EVP_MD *mgf1md = NULL, *md = NULL; 866 RSA_PSS_PARAMS *pss; 867 868 /* Sanity check: make sure it is PSS */ 869 if (OBJ_obj2nid(sigalg->algorithm) != EVP_PKEY_RSA_PSS) 870 return 0; 871 /* Decode PSS parameters */ 872 pss = rsa_pss_decode(sigalg); 873 if (!rsa_pss_get_param(pss, &md, &mgf1md, &saltlen)) 874 goto err; 875 mdnid = EVP_MD_type(md); 876 /* 877 * For TLS need SHA256, SHA384 or SHA512, digest and MGF1 digest must 878 * match and salt length must equal digest size 879 */ 880 if ((mdnid == NID_sha256 || mdnid == NID_sha384 || mdnid == NID_sha512) 881 && mdnid == EVP_MD_type(mgf1md) && saltlen == EVP_MD_size(md)) 882 flags = X509_SIG_INFO_TLS; 883 else 884 flags = 0; 885 /* Note: security bits half number of digest bits */ 886 X509_SIG_INFO_set(siginf, mdnid, EVP_PKEY_RSA_PSS, EVP_MD_size(md) * 4, 887 flags); 888 rv = 1; 889 err: 890 RSA_PSS_PARAMS_free(pss); 891 return rv; 892 } 893 894 #ifndef OPENSSL_NO_CMS 895 static RSA_OAEP_PARAMS *rsa_oaep_decode(const X509_ALGOR *alg) 896 { 897 RSA_OAEP_PARAMS *oaep; 898 899 oaep = ASN1_TYPE_unpack_sequence(ASN1_ITEM_rptr(RSA_OAEP_PARAMS), 900 alg->parameter); 901 902 if (oaep == NULL) 903 return NULL; 904 905 if (oaep->maskGenFunc != NULL) { 906 oaep->maskHash = rsa_mgf1_decode(oaep->maskGenFunc); 907 if (oaep->maskHash == NULL) { 908 RSA_OAEP_PARAMS_free(oaep); 909 return NULL; 910 } 911 } 912 return oaep; 913 } 914 915 static int rsa_cms_decrypt(CMS_RecipientInfo *ri) 916 { 917 EVP_PKEY_CTX *pkctx; 918 X509_ALGOR *cmsalg; 919 int nid; 920 int rv = -1; 921 unsigned char *label = NULL; 922 int labellen = 0; 923 const EVP_MD *mgf1md = NULL, *md = NULL; 924 RSA_OAEP_PARAMS *oaep; 925 926 pkctx = CMS_RecipientInfo_get0_pkey_ctx(ri); 927 if (pkctx == NULL) 928 return 0; 929 if (!CMS_RecipientInfo_ktri_get0_algs(ri, NULL, NULL, &cmsalg)) 930 return -1; 931 nid = OBJ_obj2nid(cmsalg->algorithm); 932 if (nid == NID_rsaEncryption) 933 return 1; 934 if (nid != NID_rsaesOaep) { 935 RSAerr(RSA_F_RSA_CMS_DECRYPT, RSA_R_UNSUPPORTED_ENCRYPTION_TYPE); 936 return -1; 937 } 938 /* Decode OAEP parameters */ 939 oaep = rsa_oaep_decode(cmsalg); 940 941 if (oaep == NULL) { 942 RSAerr(RSA_F_RSA_CMS_DECRYPT, RSA_R_INVALID_OAEP_PARAMETERS); 943 goto err; 944 } 945 946 mgf1md = rsa_algor_to_md(oaep->maskHash); 947 if (mgf1md == NULL) 948 goto err; 949 md = rsa_algor_to_md(oaep->hashFunc); 950 if (md == NULL) 951 goto err; 952 953 if (oaep->pSourceFunc != NULL) { 954 X509_ALGOR *plab = oaep->pSourceFunc; 955 956 if (OBJ_obj2nid(plab->algorithm) != NID_pSpecified) { 957 RSAerr(RSA_F_RSA_CMS_DECRYPT, RSA_R_UNSUPPORTED_LABEL_SOURCE); 958 goto err; 959 } 960 if (plab->parameter->type != V_ASN1_OCTET_STRING) { 961 RSAerr(RSA_F_RSA_CMS_DECRYPT, RSA_R_INVALID_LABEL); 962 goto err; 963 } 964 965 label = plab->parameter->value.octet_string->data; 966 /* Stop label being freed when OAEP parameters are freed */ 967 plab->parameter->value.octet_string->data = NULL; 968 labellen = plab->parameter->value.octet_string->length; 969 } 970 971 if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_OAEP_PADDING) <= 0) 972 goto err; 973 if (EVP_PKEY_CTX_set_rsa_oaep_md(pkctx, md) <= 0) 974 goto err; 975 if (EVP_PKEY_CTX_set_rsa_mgf1_md(pkctx, mgf1md) <= 0) 976 goto err; 977 if (EVP_PKEY_CTX_set0_rsa_oaep_label(pkctx, label, labellen) <= 0) 978 goto err; 979 /* Carry on */ 980 rv = 1; 981 982 err: 983 RSA_OAEP_PARAMS_free(oaep); 984 return rv; 985 } 986 987 static int rsa_cms_encrypt(CMS_RecipientInfo *ri) 988 { 989 const EVP_MD *md, *mgf1md; 990 RSA_OAEP_PARAMS *oaep = NULL; 991 ASN1_STRING *os = NULL; 992 X509_ALGOR *alg; 993 EVP_PKEY_CTX *pkctx = CMS_RecipientInfo_get0_pkey_ctx(ri); 994 int pad_mode = RSA_PKCS1_PADDING, rv = 0, labellen; 995 unsigned char *label; 996 997 if (CMS_RecipientInfo_ktri_get0_algs(ri, NULL, NULL, &alg) <= 0) 998 return 0; 999 if (pkctx) { 1000 if (EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode) <= 0) 1001 return 0; 1002 } 1003 if (pad_mode == RSA_PKCS1_PADDING) { 1004 X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption), V_ASN1_NULL, 0); 1005 return 1; 1006 } 1007 /* Not supported */ 1008 if (pad_mode != RSA_PKCS1_OAEP_PADDING) 1009 return 0; 1010 if (EVP_PKEY_CTX_get_rsa_oaep_md(pkctx, &md) <= 0) 1011 goto err; 1012 if (EVP_PKEY_CTX_get_rsa_mgf1_md(pkctx, &mgf1md) <= 0) 1013 goto err; 1014 labellen = EVP_PKEY_CTX_get0_rsa_oaep_label(pkctx, &label); 1015 if (labellen < 0) 1016 goto err; 1017 oaep = RSA_OAEP_PARAMS_new(); 1018 if (oaep == NULL) 1019 goto err; 1020 if (!rsa_md_to_algor(&oaep->hashFunc, md)) 1021 goto err; 1022 if (!rsa_md_to_mgf1(&oaep->maskGenFunc, mgf1md)) 1023 goto err; 1024 if (labellen > 0) { 1025 ASN1_OCTET_STRING *los; 1026 oaep->pSourceFunc = X509_ALGOR_new(); 1027 if (oaep->pSourceFunc == NULL) 1028 goto err; 1029 los = ASN1_OCTET_STRING_new(); 1030 if (los == NULL) 1031 goto err; 1032 if (!ASN1_OCTET_STRING_set(los, label, labellen)) { 1033 ASN1_OCTET_STRING_free(los); 1034 goto err; 1035 } 1036 X509_ALGOR_set0(oaep->pSourceFunc, OBJ_nid2obj(NID_pSpecified), 1037 V_ASN1_OCTET_STRING, los); 1038 } 1039 /* create string with pss parameter encoding. */ 1040 if (!ASN1_item_pack(oaep, ASN1_ITEM_rptr(RSA_OAEP_PARAMS), &os)) 1041 goto err; 1042 X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaesOaep), V_ASN1_SEQUENCE, os); 1043 os = NULL; 1044 rv = 1; 1045 err: 1046 RSA_OAEP_PARAMS_free(oaep); 1047 ASN1_STRING_free(os); 1048 return rv; 1049 } 1050 #endif 1051 1052 static int rsa_pkey_check(const EVP_PKEY *pkey) 1053 { 1054 return RSA_check_key_ex(pkey->pkey.rsa, NULL); 1055 } 1056 1057 const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[2] = { 1058 { 1059 EVP_PKEY_RSA, 1060 EVP_PKEY_RSA, 1061 ASN1_PKEY_SIGPARAM_NULL, 1062 1063 "RSA", 1064 "OpenSSL RSA method", 1065 1066 rsa_pub_decode, 1067 rsa_pub_encode, 1068 rsa_pub_cmp, 1069 rsa_pub_print, 1070 1071 rsa_priv_decode, 1072 rsa_priv_encode, 1073 rsa_priv_print, 1074 1075 int_rsa_size, 1076 rsa_bits, 1077 rsa_security_bits, 1078 1079 0, 0, 0, 0, 0, 0, 1080 1081 rsa_sig_print, 1082 int_rsa_free, 1083 rsa_pkey_ctrl, 1084 old_rsa_priv_decode, 1085 old_rsa_priv_encode, 1086 rsa_item_verify, 1087 rsa_item_sign, 1088 rsa_sig_info_set, 1089 rsa_pkey_check 1090 }, 1091 1092 { 1093 EVP_PKEY_RSA2, 1094 EVP_PKEY_RSA, 1095 ASN1_PKEY_ALIAS} 1096 }; 1097 1098 const EVP_PKEY_ASN1_METHOD rsa_pss_asn1_meth = { 1099 EVP_PKEY_RSA_PSS, 1100 EVP_PKEY_RSA_PSS, 1101 ASN1_PKEY_SIGPARAM_NULL, 1102 1103 "RSA-PSS", 1104 "OpenSSL RSA-PSS method", 1105 1106 rsa_pub_decode, 1107 rsa_pub_encode, 1108 rsa_pub_cmp, 1109 rsa_pub_print, 1110 1111 rsa_priv_decode, 1112 rsa_priv_encode, 1113 rsa_priv_print, 1114 1115 int_rsa_size, 1116 rsa_bits, 1117 rsa_security_bits, 1118 1119 0, 0, 0, 0, 0, 0, 1120 1121 rsa_sig_print, 1122 int_rsa_free, 1123 rsa_pkey_ctrl, 1124 0, 0, 1125 rsa_item_verify, 1126 rsa_item_sign, 1127 0, 1128 rsa_pkey_check 1129 }; 1130