xref: /freebsd/crypto/openssl/providers/common/der/der_rsa_key.c (revision a03411e84728e9b267056fd31c7d1d9d1dc1b01e)
1 /*
2  * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the Apache License 2.0 (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9 
10 /*
11  * RSA low level APIs are deprecated for public use, but still ok for
12  * internal use.
13  */
14 #include "internal/deprecated.h"
15 
16 #include <openssl/obj_mac.h>
17 #include "internal/cryptlib.h"
18 #include "prov/der_rsa.h"
19 #include "prov/der_digests.h"
20 
21 /* More complex pre-compiled sequences. */
22 
23 /*-
24  * From https://tools.ietf.org/html/rfc8017#appendix-A.2.1
25  *
26  * OAEP-PSSDigestAlgorithms    ALGORITHM-IDENTIFIER ::= {
27  *     { OID id-sha1       PARAMETERS NULL }|
28  *     { OID id-sha224     PARAMETERS NULL }|
29  *     { OID id-sha256     PARAMETERS NULL }|
30  *     { OID id-sha384     PARAMETERS NULL }|
31  *     { OID id-sha512     PARAMETERS NULL }|
32  *     { OID id-sha512-224 PARAMETERS NULL }|
33  *     { OID id-sha512-256 PARAMETERS NULL },
34  *     ...  -- Allows for future expansion --
35  * }
36  */
37 #define DER_V_NULL DER_P_NULL, 0
38 #define DER_SZ_NULL 2
39 
40 /*
41  * The names for the hash function AlgorithmIdentifiers are borrowed and
42  * expanded from https://tools.ietf.org/html/rfc4055#section-2.1
43  *
44  * sha1Identifier  AlgorithmIdentifier  ::=  { id-sha1, NULL }
45  * sha224Identifier  AlgorithmIdentifier  ::=  { id-sha224, NULL }
46  * sha256Identifier  AlgorithmIdentifier  ::=  { id-sha256, NULL }
47  * sha384Identifier  AlgorithmIdentifier  ::=  { id-sha384, NULL }
48  * sha512Identifier  AlgorithmIdentifier  ::=  { id-sha512, NULL }
49  */
50 /*
51  * NOTE: Some of the arrays aren't used other than inside sizeof(), which
52  * clang complains about (-Wno-unneeded-internal-declaration).  To get
53  * around that, we make them non-static, and declare them an extra time to
54  * avoid compilers complaining about definitions without declarations.
55  */
56 #define DER_AID_V_sha1Identifier                                        \
57     DER_P_SEQUENCE|DER_F_CONSTRUCTED,                                   \
58         DER_OID_SZ_id_sha1 + DER_SZ_NULL,                               \
59         DER_OID_V_id_sha1,                                              \
60         DER_V_NULL
61 extern const unsigned char ossl_der_aid_sha1Identifier[];
62 const unsigned char ossl_der_aid_sha1Identifier[] = {
63     DER_AID_V_sha1Identifier
64 };
65 #define DER_AID_SZ_sha1Identifier sizeof(ossl_der_aid_sha1Identifier)
66 
67 #define DER_AID_V_sha224Identifier                                      \
68     DER_P_SEQUENCE|DER_F_CONSTRUCTED,                                   \
69         DER_OID_SZ_id_sha224 + DER_SZ_NULL,                             \
70         DER_OID_V_id_sha224,                                            \
71         DER_V_NULL
72 extern const unsigned char ossl_der_aid_sha224Identifier[];
73 const unsigned char ossl_der_aid_sha224Identifier[] = {
74     DER_AID_V_sha224Identifier
75 };
76 #define DER_AID_SZ_sha224Identifier sizeof(ossl_der_aid_sha224Identifier)
77 
78 #define DER_AID_V_sha256Identifier                                      \
79     DER_P_SEQUENCE|DER_F_CONSTRUCTED,                                   \
80         DER_OID_SZ_id_sha256 + DER_SZ_NULL,                             \
81         DER_OID_V_id_sha256,                                            \
82         DER_V_NULL
83 extern const unsigned char ossl_der_aid_sha256Identifier[];
84 const unsigned char ossl_der_aid_sha256Identifier[] = {
85     DER_AID_V_sha256Identifier
86 };
87 #define DER_AID_SZ_sha256Identifier sizeof(ossl_der_aid_sha256Identifier)
88 
89 #define DER_AID_V_sha384Identifier                                      \
90     DER_P_SEQUENCE|DER_F_CONSTRUCTED,                                   \
91         DER_OID_SZ_id_sha384 + DER_SZ_NULL,                             \
92         DER_OID_V_id_sha384,                                            \
93         DER_V_NULL
94 extern const unsigned char ossl_der_aid_sha384Identifier[];
95 const unsigned char ossl_der_aid_sha384Identifier[] = {
96     DER_AID_V_sha384Identifier
97 };
98 #define DER_AID_SZ_sha384Identifier sizeof(ossl_der_aid_sha384Identifier)
99 
100 #define DER_AID_V_sha512Identifier                                      \
101     DER_P_SEQUENCE|DER_F_CONSTRUCTED,                                   \
102         DER_OID_SZ_id_sha512 + DER_SZ_NULL,                             \
103         DER_OID_V_id_sha512,                                            \
104         DER_V_NULL
105 extern const unsigned char ossl_der_aid_sha512Identifier[];
106 const unsigned char ossl_der_aid_sha512Identifier[] = {
107     DER_AID_V_sha512Identifier
108 };
109 #define DER_AID_SZ_sha512Identifier sizeof(ossl_der_aid_sha512Identifier)
110 
111 #define DER_AID_V_sha512_224Identifier                                  \
112     DER_P_SEQUENCE|DER_F_CONSTRUCTED,                                   \
113         DER_OID_SZ_id_sha512_224 + DER_SZ_NULL,                         \
114         DER_OID_V_id_sha512_224,                                        \
115         DER_V_NULL
116 extern const unsigned char ossl_der_aid_sha512_224Identifier[];
117 const unsigned char ossl_der_aid_sha512_224Identifier[] = {
118     DER_AID_V_sha512_224Identifier
119 };
120 #define DER_AID_SZ_sha512_224Identifier sizeof(ossl_der_aid_sha512_224Identifier)
121 
122 #define DER_AID_V_sha512_256Identifier                                  \
123     DER_P_SEQUENCE|DER_F_CONSTRUCTED,                                   \
124         DER_OID_SZ_id_sha512_256 + DER_SZ_NULL,                         \
125         DER_OID_V_id_sha512_256,                                        \
126         DER_V_NULL
127 extern const unsigned char ossl_der_aid_sha512_256Identifier[];
128 const unsigned char ossl_der_aid_sha512_256Identifier[] = {
129     DER_AID_V_sha512_256Identifier
130 };
131 #define DER_AID_SZ_sha512_256Identifier sizeof(ossl_der_aid_sha512_256Identifier)
132 
133 /*-
134  * From https://tools.ietf.org/html/rfc8017#appendix-A.2.1
135  *
136  * HashAlgorithm ::= AlgorithmIdentifier {
137  *    {OAEP-PSSDigestAlgorithms}
138  * }
139  *
140  * ...
141  *
142  * PKCS1MGFAlgorithms    ALGORITHM-IDENTIFIER ::= {
143  *     { OID id-mgf1 PARAMETERS HashAlgorithm },
144  *     ...  -- Allows for future expansion --
145  * }
146  */
147 
148 /*
149  * The names for the MGF1 AlgorithmIdentifiers are borrowed and expanded
150  * from https://tools.ietf.org/html/rfc4055#section-2.1
151  *
152  * mgf1SHA1Identifier  AlgorithmIdentifier  ::=
153  *                      { id-mgf1, sha1Identifier }
154  * mgf1SHA224Identifier  AlgorithmIdentifier  ::=
155  *                      { id-mgf1, sha224Identifier }
156  * mgf1SHA256Identifier  AlgorithmIdentifier  ::=
157  *                      { id-mgf1, sha256Identifier }
158  * mgf1SHA384Identifier  AlgorithmIdentifier  ::=
159  *                      { id-mgf1, sha384Identifier }
160  * mgf1SHA512Identifier  AlgorithmIdentifier  ::=
161  *                      { id-mgf1, sha512Identifier }
162  */
163 #if 0                            /* Currently unused */
164 #define DER_AID_V_mgf1SHA1Identifier                                    \
165     DER_P_SEQUENCE|DER_F_CONSTRUCTED,                                   \
166         DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha1Identifier,                 \
167         DER_OID_V_id_mgf1,                                              \
168         DER_AID_V_sha1Identifier
169 static const unsigned char der_aid_mgf1SHA1Identifier[] = {
170     DER_AID_V_mgf1SHA1Identifier
171 };
172 #define DER_AID_SZ_mgf1SHA1Identifier sizeof(der_aid_mgf1SHA1Identifier)
173 #endif
174 
175 #define DER_AID_V_mgf1SHA224Identifier                          \
176     DER_P_SEQUENCE|DER_F_CONSTRUCTED,                           \
177         DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha224Identifier,       \
178         DER_OID_V_id_mgf1,                                      \
179         DER_AID_V_sha224Identifier
180 static const unsigned char der_aid_mgf1SHA224Identifier[] = {
181     DER_AID_V_mgf1SHA224Identifier
182 };
183 #define DER_AID_SZ_mgf1SHA224Identifier sizeof(der_aid_mgf1SHA224Identifier)
184 
185 #define DER_AID_V_mgf1SHA256Identifier                          \
186     DER_P_SEQUENCE|DER_F_CONSTRUCTED,                           \
187         DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha256Identifier,       \
188         DER_OID_V_id_mgf1,                                      \
189         DER_AID_V_sha256Identifier
190 static const unsigned char der_aid_mgf1SHA256Identifier[] = {
191     DER_AID_V_mgf1SHA256Identifier
192 };
193 #define DER_AID_SZ_mgf1SHA256Identifier sizeof(der_aid_mgf1SHA256Identifier)
194 
195 #define DER_AID_V_mgf1SHA384Identifier                          \
196     DER_P_SEQUENCE|DER_F_CONSTRUCTED,                           \
197         DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha384Identifier,       \
198         DER_OID_V_id_mgf1,                                      \
199         DER_AID_V_sha384Identifier
200 static const unsigned char der_aid_mgf1SHA384Identifier[] = {
201     DER_AID_V_mgf1SHA384Identifier
202 };
203 #define DER_AID_SZ_mgf1SHA384Identifier sizeof(der_aid_mgf1SHA384Identifier)
204 
205 #define DER_AID_V_mgf1SHA512Identifier                          \
206     DER_P_SEQUENCE|DER_F_CONSTRUCTED,                           \
207         DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha512Identifier,       \
208         DER_OID_V_id_mgf1,                                      \
209         DER_AID_V_sha512Identifier
210 static const unsigned char der_aid_mgf1SHA512Identifier[] = {
211     DER_AID_V_mgf1SHA512Identifier
212 };
213 #define DER_AID_SZ_mgf1SHA512Identifier sizeof(der_aid_mgf1SHA512Identifier)
214 
215 #define DER_AID_V_mgf1SHA512_224Identifier                      \
216     DER_P_SEQUENCE|DER_F_CONSTRUCTED,                           \
217         DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha512_224Identifier,   \
218         DER_OID_V_id_mgf1,                                      \
219         DER_AID_V_sha512_224Identifier
220 static const unsigned char der_aid_mgf1SHA512_224Identifier[] = {
221     DER_AID_V_mgf1SHA512_224Identifier
222 };
223 #define DER_AID_SZ_mgf1SHA512_224Identifier sizeof(der_aid_mgf1SHA512_224Identifier)
224 
225 #define DER_AID_V_mgf1SHA512_256Identifier                      \
226     DER_P_SEQUENCE|DER_F_CONSTRUCTED,                           \
227         DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha512_256Identifier,   \
228         DER_OID_V_id_mgf1,                                      \
229         DER_AID_V_sha512_256Identifier
230 static const unsigned char der_aid_mgf1SHA512_256Identifier[] = {
231     DER_AID_V_mgf1SHA512_256Identifier
232 };
233 #define DER_AID_SZ_mgf1SHA512_256Identifier sizeof(der_aid_mgf1SHA512_256Identifier)
234 
235 
236 #define MGF1_SHA_CASE(bits, var)                                \
237     case NID_sha##bits:                                         \
238         var = der_aid_mgf1SHA##bits##Identifier;                \
239         var##_sz = sizeof(der_aid_mgf1SHA##bits##Identifier);   \
240         break;
241 
242 /*-
243  * The name is borrowed from https://tools.ietf.org/html/rfc8017#appendix-A.2.1
244  *
245  * MaskGenAlgorithm ::= AlgorithmIdentifier { {PKCS1MGFAlgorithms} }
246  */
247 static int DER_w_MaskGenAlgorithm(WPACKET *pkt, int tag,
248                                   const RSA_PSS_PARAMS_30 *pss)
249 {
250     if (pss != NULL && ossl_rsa_pss_params_30_maskgenalg(pss) == NID_mgf1) {
251         int maskgenhashalg_nid = ossl_rsa_pss_params_30_maskgenhashalg(pss);
252         const unsigned char *maskgenalg = NULL;
253         size_t maskgenalg_sz = 0;
254 
255         switch (maskgenhashalg_nid) {
256         case NID_sha1:
257             break;
258             MGF1_SHA_CASE(224, maskgenalg);
259             MGF1_SHA_CASE(256, maskgenalg);
260             MGF1_SHA_CASE(384, maskgenalg);
261             MGF1_SHA_CASE(512, maskgenalg);
262             MGF1_SHA_CASE(512_224, maskgenalg);
263             MGF1_SHA_CASE(512_256, maskgenalg);
264         default:
265             return 0;
266         }
267 
268         /* If there is none (or it was the default), we write nothing */
269         if (maskgenalg == NULL)
270             return 1;
271 
272         return ossl_DER_w_precompiled(pkt, tag, maskgenalg, maskgenalg_sz);
273     }
274     return 0;
275 }
276 
277 #define OAEP_PSS_MD_CASE(name, var)                                     \
278     case NID_##name:                                                    \
279         var = ossl_der_aid_##name##Identifier;                          \
280         var##_sz = sizeof(ossl_der_aid_##name##Identifier);             \
281         break;
282 
283 int ossl_DER_w_RSASSA_PSS_params(WPACKET *pkt, int tag,
284                                  const RSA_PSS_PARAMS_30 *pss)
285 {
286     int hashalg_nid, default_hashalg_nid;
287     int saltlen, default_saltlen;
288     int trailerfield, default_trailerfield;
289     const unsigned char *hashalg = NULL;
290     size_t hashalg_sz = 0;
291 
292     /*
293      * For an unrestricted key, this function should not have been called;
294      * the caller must be in control, because unrestricted keys are permitted
295      * in some situations (when encoding the public key in a SubjectKeyInfo,
296      * for example) while not in others, and this function doesn't know the
297      * intent.  Therefore, we assert that here, the PSS parameters must show
298      * that the key is restricted.
299      */
300     if (!ossl_assert(pss != NULL
301                      && !ossl_rsa_pss_params_30_is_unrestricted(pss)))
302         return 0;
303 
304     hashalg_nid = ossl_rsa_pss_params_30_hashalg(pss);
305     saltlen = ossl_rsa_pss_params_30_saltlen(pss);
306     trailerfield = ossl_rsa_pss_params_30_trailerfield(pss);
307 
308     if (saltlen < 0) {
309         ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_SALT_LENGTH);
310         return 0;
311     }
312     if (trailerfield != 1) {
313         ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_TRAILER);
314         return 0;
315     }
316 
317     /* Getting default values */
318     default_hashalg_nid = ossl_rsa_pss_params_30_hashalg(NULL);
319     default_saltlen = ossl_rsa_pss_params_30_saltlen(NULL);
320     default_trailerfield = ossl_rsa_pss_params_30_trailerfield(NULL);
321 
322     /*
323      * From https://tools.ietf.org/html/rfc8017#appendix-A.2.1:
324      *
325      * OAEP-PSSDigestAlgorithms    ALGORITHM-IDENTIFIER ::= {
326      *     { OID id-sha1       PARAMETERS NULL }|
327      *     { OID id-sha224     PARAMETERS NULL }|
328      *     { OID id-sha256     PARAMETERS NULL }|
329      *     { OID id-sha384     PARAMETERS NULL }|
330      *     { OID id-sha512     PARAMETERS NULL }|
331      *     { OID id-sha512-224 PARAMETERS NULL }|
332      *     { OID id-sha512-256 PARAMETERS NULL },
333      *     ...  -- Allows for future expansion --
334      * }
335      */
336     switch (hashalg_nid) {
337         OAEP_PSS_MD_CASE(sha1, hashalg);
338         OAEP_PSS_MD_CASE(sha224, hashalg);
339         OAEP_PSS_MD_CASE(sha256, hashalg);
340         OAEP_PSS_MD_CASE(sha384, hashalg);
341         OAEP_PSS_MD_CASE(sha512, hashalg);
342         OAEP_PSS_MD_CASE(sha512_224, hashalg);
343         OAEP_PSS_MD_CASE(sha512_256, hashalg);
344     default:
345         return 0;
346     }
347 
348     return ossl_DER_w_begin_sequence(pkt, tag)
349         && (trailerfield == default_trailerfield
350             || ossl_DER_w_uint32(pkt, 3, (uint32_t)trailerfield))
351         && (saltlen == default_saltlen || ossl_DER_w_uint32(pkt, 2, (uint32_t)saltlen))
352         && DER_w_MaskGenAlgorithm(pkt, 1, pss)
353         && (hashalg_nid == default_hashalg_nid
354             || ossl_DER_w_precompiled(pkt, 0, hashalg, hashalg_sz))
355         && ossl_DER_w_end_sequence(pkt, tag);
356 }
357 
358 /* Aliases so we can have a uniform RSA_CASE */
359 #define ossl_der_oid_rsassaPss ossl_der_oid_id_RSASSA_PSS
360 
361 #define RSA_CASE(name, var)                                             \
362     var##_nid = NID_##name;                                             \
363     var##_oid = ossl_der_oid_##name;                                    \
364     var##_oid_sz = sizeof(ossl_der_oid_##name);                         \
365     break;
366 
367 int ossl_DER_w_algorithmIdentifier_RSA_PSS(WPACKET *pkt, int tag,
368                                            int rsa_type,
369                                            const RSA_PSS_PARAMS_30 *pss)
370 {
371     int rsa_nid = NID_undef;
372     const unsigned char *rsa_oid = NULL;
373     size_t rsa_oid_sz = 0;
374 
375     switch (rsa_type) {
376     case RSA_FLAG_TYPE_RSA:
377         RSA_CASE(rsaEncryption, rsa);
378     case RSA_FLAG_TYPE_RSASSAPSS:
379         RSA_CASE(rsassaPss, rsa);
380     }
381 
382     if (rsa_oid == NULL)
383         return 0;
384 
385     return ossl_DER_w_begin_sequence(pkt, tag)
386         && (rsa_nid != NID_rsassaPss
387             || ossl_rsa_pss_params_30_is_unrestricted(pss)
388             || ossl_DER_w_RSASSA_PSS_params(pkt, -1, pss))
389         && ossl_DER_w_precompiled(pkt, -1, rsa_oid, rsa_oid_sz)
390         && ossl_DER_w_end_sequence(pkt, tag);
391 }
392 
393 int ossl_DER_w_algorithmIdentifier_RSA(WPACKET *pkt, int tag, RSA *rsa)
394 {
395     int rsa_type = RSA_test_flags(rsa, RSA_FLAG_TYPE_MASK);
396     RSA_PSS_PARAMS_30 *pss_params = ossl_rsa_get0_pss_params_30(rsa);
397 
398     return ossl_DER_w_algorithmIdentifier_RSA_PSS(pkt, tag, rsa_type,
399                                                   pss_params);
400 }
401