xref: /freebsd/crypto/openssl/providers/implementations/keymgmt/rsa_kmgmt.c (revision a03411e84728e9b267056fd31c7d1d9d1dc1b01e)
1 /*
2  * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the Apache License 2.0 (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9 
10 /*
11  * RSA low level APIs are deprecated for public use, but still ok for
12  * internal use.
13  */
14 #include "internal/deprecated.h"
15 
16 #include <openssl/core_dispatch.h>
17 #include <openssl/core_names.h>
18 #include <openssl/bn.h>
19 #include <openssl/err.h>
20 #include <openssl/rsa.h>
21 #include <openssl/evp.h>
22 #include <openssl/proverr.h>
23 #include "prov/implementations.h"
24 #include "prov/providercommon.h"
25 #include "prov/provider_ctx.h"
26 #include "crypto/rsa.h"
27 #include "crypto/cryptlib.h"
28 #include "internal/param_build_set.h"
29 
30 static OSSL_FUNC_keymgmt_new_fn rsa_newdata;
31 static OSSL_FUNC_keymgmt_new_fn rsapss_newdata;
32 static OSSL_FUNC_keymgmt_gen_init_fn rsa_gen_init;
33 static OSSL_FUNC_keymgmt_gen_init_fn rsapss_gen_init;
34 static OSSL_FUNC_keymgmt_gen_set_params_fn rsa_gen_set_params;
35 static OSSL_FUNC_keymgmt_gen_settable_params_fn rsa_gen_settable_params;
36 static OSSL_FUNC_keymgmt_gen_settable_params_fn rsapss_gen_settable_params;
37 static OSSL_FUNC_keymgmt_gen_fn rsa_gen;
38 static OSSL_FUNC_keymgmt_gen_cleanup_fn rsa_gen_cleanup;
39 static OSSL_FUNC_keymgmt_load_fn rsa_load;
40 static OSSL_FUNC_keymgmt_load_fn rsapss_load;
41 static OSSL_FUNC_keymgmt_free_fn rsa_freedata;
42 static OSSL_FUNC_keymgmt_get_params_fn rsa_get_params;
43 static OSSL_FUNC_keymgmt_gettable_params_fn rsa_gettable_params;
44 static OSSL_FUNC_keymgmt_has_fn rsa_has;
45 static OSSL_FUNC_keymgmt_match_fn rsa_match;
46 static OSSL_FUNC_keymgmt_validate_fn rsa_validate;
47 static OSSL_FUNC_keymgmt_import_fn rsa_import;
48 static OSSL_FUNC_keymgmt_import_types_fn rsa_import_types;
49 static OSSL_FUNC_keymgmt_export_fn rsa_export;
50 static OSSL_FUNC_keymgmt_export_types_fn rsa_export_types;
51 static OSSL_FUNC_keymgmt_query_operation_name_fn rsa_query_operation_name;
52 static OSSL_FUNC_keymgmt_dup_fn rsa_dup;
53 
54 #define RSA_DEFAULT_MD "SHA256"
55 #define RSA_PSS_DEFAULT_MD OSSL_DIGEST_NAME_SHA1
56 #define RSA_POSSIBLE_SELECTIONS                                        \
57     (OSSL_KEYMGMT_SELECT_KEYPAIR | OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS)
58 
59 DEFINE_STACK_OF(BIGNUM)
60 DEFINE_SPECIAL_STACK_OF_CONST(BIGNUM_const, BIGNUM)
61 
62 static int pss_params_fromdata(RSA_PSS_PARAMS_30 *pss_params, int *defaults_set,
63                                const OSSL_PARAM params[], int rsa_type,
64                                OSSL_LIB_CTX *libctx)
65 {
66     if (!ossl_rsa_pss_params_30_fromdata(pss_params, defaults_set,
67                                          params, libctx))
68         return 0;
69 
70     /* If not a PSS type RSA, sending us PSS parameters is wrong */
71     if (rsa_type != RSA_FLAG_TYPE_RSASSAPSS
72         && !ossl_rsa_pss_params_30_is_unrestricted(pss_params))
73         return 0;
74 
75     return 1;
76 }
77 
78 static void *rsa_newdata(void *provctx)
79 {
80     OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(provctx);
81     RSA *rsa;
82 
83     if (!ossl_prov_is_running())
84         return NULL;
85 
86     rsa = ossl_rsa_new_with_ctx(libctx);
87     if (rsa != NULL) {
88         RSA_clear_flags(rsa, RSA_FLAG_TYPE_MASK);
89         RSA_set_flags(rsa, RSA_FLAG_TYPE_RSA);
90     }
91     return rsa;
92 }
93 
94 static void *rsapss_newdata(void *provctx)
95 {
96     OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(provctx);
97     RSA *rsa;
98 
99     if (!ossl_prov_is_running())
100         return NULL;
101 
102     rsa = ossl_rsa_new_with_ctx(libctx);
103     if (rsa != NULL) {
104         RSA_clear_flags(rsa, RSA_FLAG_TYPE_MASK);
105         RSA_set_flags(rsa, RSA_FLAG_TYPE_RSASSAPSS);
106     }
107     return rsa;
108 }
109 
110 static void rsa_freedata(void *keydata)
111 {
112     RSA_free(keydata);
113 }
114 
115 static int rsa_has(const void *keydata, int selection)
116 {
117     const RSA *rsa = keydata;
118     int ok = 1;
119 
120     if (rsa == NULL || !ossl_prov_is_running())
121         return 0;
122     if ((selection & RSA_POSSIBLE_SELECTIONS) == 0)
123         return 1; /* the selection is not missing */
124 
125     /* OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS are always available even if empty */
126     if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0)
127         ok = ok && (RSA_get0_n(rsa) != NULL);
128     if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0)
129         ok = ok && (RSA_get0_e(rsa) != NULL);
130     if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0)
131         ok = ok && (RSA_get0_d(rsa) != NULL);
132     return ok;
133 }
134 
135 static int rsa_match(const void *keydata1, const void *keydata2, int selection)
136 {
137     const RSA *rsa1 = keydata1;
138     const RSA *rsa2 = keydata2;
139     int ok = 1;
140 
141     if (!ossl_prov_is_running())
142         return 0;
143 
144     /* There is always an |e| */
145     ok = ok && BN_cmp(RSA_get0_e(rsa1), RSA_get0_e(rsa2)) == 0;
146     if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) {
147         int key_checked = 0;
148 
149         if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) {
150             const BIGNUM *pa = RSA_get0_n(rsa1);
151             const BIGNUM *pb = RSA_get0_n(rsa2);
152 
153             if (pa != NULL && pb != NULL) {
154                 ok = ok && BN_cmp(pa, pb) == 0;
155                 key_checked = 1;
156             }
157         }
158         if (!key_checked
159             && (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) {
160             const BIGNUM *pa = RSA_get0_d(rsa1);
161             const BIGNUM *pb = RSA_get0_d(rsa2);
162 
163             if (pa != NULL && pb != NULL) {
164                 ok = ok && BN_cmp(pa, pb) == 0;
165                 key_checked = 1;
166             }
167         }
168         ok = ok && key_checked;
169     }
170     return ok;
171 }
172 
173 static int rsa_import(void *keydata, int selection, const OSSL_PARAM params[])
174 {
175     RSA *rsa = keydata;
176     int rsa_type;
177     int ok = 1;
178     int pss_defaults_set = 0;
179 
180     if (!ossl_prov_is_running() || rsa == NULL)
181         return 0;
182 
183     if ((selection & RSA_POSSIBLE_SELECTIONS) == 0)
184         return 0;
185 
186     rsa_type = RSA_test_flags(rsa, RSA_FLAG_TYPE_MASK);
187 
188     if ((selection & OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS) != 0)
189         ok = ok && pss_params_fromdata(ossl_rsa_get0_pss_params_30(rsa),
190                                        &pss_defaults_set,
191                                        params, rsa_type,
192                                        ossl_rsa_get0_libctx(rsa));
193     if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) {
194         int include_private =
195             selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY ? 1 : 0;
196 
197         ok = ok && ossl_rsa_fromdata(rsa, params, include_private);
198     }
199 
200     return ok;
201 }
202 
203 static int rsa_export(void *keydata, int selection,
204                       OSSL_CALLBACK *param_callback, void *cbarg)
205 {
206     RSA *rsa = keydata;
207     const RSA_PSS_PARAMS_30 *pss_params = ossl_rsa_get0_pss_params_30(rsa);
208     OSSL_PARAM_BLD *tmpl;
209     OSSL_PARAM *params = NULL;
210     int ok = 1;
211 
212     if (!ossl_prov_is_running() || rsa == NULL)
213         return 0;
214 
215     if ((selection & RSA_POSSIBLE_SELECTIONS) == 0)
216         return 0;
217 
218     tmpl = OSSL_PARAM_BLD_new();
219     if (tmpl == NULL)
220         return 0;
221 
222     if ((selection & OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS) != 0)
223         ok = ok && (ossl_rsa_pss_params_30_is_unrestricted(pss_params)
224                     || ossl_rsa_pss_params_30_todata(pss_params, tmpl, NULL));
225     if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) {
226         int include_private =
227             selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY ? 1 : 0;
228 
229         ok = ok && ossl_rsa_todata(rsa, tmpl, NULL, include_private);
230     }
231 
232     if (!ok || (params = OSSL_PARAM_BLD_to_param(tmpl)) == NULL) {
233         ok = 0;
234         goto err;
235     }
236 
237     ok = param_callback(params, cbarg);
238     OSSL_PARAM_free(params);
239 err:
240     OSSL_PARAM_BLD_free(tmpl);
241     return ok;
242 }
243 
244 #ifdef FIPS_MODULE
245 /* In fips mode there are no multi-primes. */
246 # define RSA_KEY_MP_TYPES()                                                    \
247 OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_FACTOR1, NULL, 0),                           \
248 OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_FACTOR2, NULL, 0),                           \
249 OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_EXPONENT1, NULL, 0),                         \
250 OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_EXPONENT2, NULL, 0),                         \
251 OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_COEFFICIENT1, NULL, 0),
252 #else
253 /*
254  * We allow up to 10 prime factors (starting with p, q).
255  * NOTE: there is only 9 OSSL_PKEY_PARAM_RSA_COEFFICIENT
256  */
257 # define RSA_KEY_MP_TYPES()                                                    \
258 OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_FACTOR1, NULL, 0),                           \
259 OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_FACTOR2, NULL, 0),                           \
260 OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_FACTOR3, NULL, 0),                           \
261 OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_FACTOR4, NULL, 0),                           \
262 OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_FACTOR5, NULL, 0),                           \
263 OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_FACTOR6, NULL, 0),                           \
264 OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_FACTOR7, NULL, 0),                           \
265 OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_FACTOR8, NULL, 0),                           \
266 OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_FACTOR9, NULL, 0),                           \
267 OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_FACTOR10, NULL, 0),                          \
268 OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_EXPONENT1, NULL, 0),                         \
269 OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_EXPONENT2, NULL, 0),                         \
270 OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_EXPONENT3, NULL, 0),                         \
271 OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_EXPONENT4, NULL, 0),                         \
272 OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_EXPONENT5, NULL, 0),                         \
273 OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_EXPONENT6, NULL, 0),                         \
274 OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_EXPONENT7, NULL, 0),                         \
275 OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_EXPONENT8, NULL, 0),                         \
276 OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_EXPONENT9, NULL, 0),                         \
277 OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_EXPONENT10, NULL, 0),                        \
278 OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_COEFFICIENT1, NULL, 0),                      \
279 OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_COEFFICIENT2, NULL, 0),                      \
280 OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_COEFFICIENT3, NULL, 0),                      \
281 OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_COEFFICIENT4, NULL, 0),                      \
282 OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_COEFFICIENT5, NULL, 0),                      \
283 OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_COEFFICIENT6, NULL, 0),                      \
284 OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_COEFFICIENT7, NULL, 0),                      \
285 OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_COEFFICIENT8, NULL, 0),                      \
286 OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_COEFFICIENT9, NULL, 0),
287 #endif
288 
289 #define RSA_KEY_TYPES()                                                        \
290 OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_N, NULL, 0),                                 \
291 OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_E, NULL, 0),                                 \
292 OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_D, NULL, 0),                                 \
293 RSA_KEY_MP_TYPES()
294 
295 /*
296  * This provider can export everything in an RSA key, so we use the exact
297  * same type description for export as for import.  Other providers might
298  * choose to import full keys, but only export the public parts, and will
299  * therefore have the importkey_types and importkey_types functions return
300  * different arrays.
301  */
302 static const OSSL_PARAM rsa_key_types[] = {
303     RSA_KEY_TYPES()
304     OSSL_PARAM_END
305 };
306 /*
307  * We lied about the amount of factors, exponents and coefficients, the
308  * export and import functions can really deal with an infinite amount
309  * of these numbers.  However, RSA keys with too many primes are futile,
310  * so we at least pretend to have some limits.
311  */
312 
313 static const OSSL_PARAM *rsa_imexport_types(int selection)
314 {
315     if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0)
316         return rsa_key_types;
317     return NULL;
318 }
319 
320 static const OSSL_PARAM *rsa_import_types(int selection)
321 {
322     return rsa_imexport_types(selection);
323 }
324 
325 static const OSSL_PARAM *rsa_export_types(int selection)
326 {
327     return rsa_imexport_types(selection);
328 }
329 
330 static int rsa_get_params(void *key, OSSL_PARAM params[])
331 {
332     RSA *rsa = key;
333     const RSA_PSS_PARAMS_30 *pss_params = ossl_rsa_get0_pss_params_30(rsa);
334     int rsa_type = RSA_test_flags(rsa, RSA_FLAG_TYPE_MASK);
335     OSSL_PARAM *p;
336     int empty = RSA_get0_n(rsa) == NULL;
337 
338     if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_BITS)) != NULL
339         && (empty || !OSSL_PARAM_set_int(p, RSA_bits(rsa))))
340         return 0;
341     if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_SECURITY_BITS)) != NULL
342         && (empty || !OSSL_PARAM_set_int(p, RSA_security_bits(rsa))))
343         return 0;
344     if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_MAX_SIZE)) != NULL
345         && (empty || !OSSL_PARAM_set_int(p, RSA_size(rsa))))
346         return 0;
347 
348     /*
349      * For restricted RSA-PSS keys, we ignore the default digest request.
350      * With RSA-OAEP keys, this may need to be amended.
351      */
352     if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_DEFAULT_DIGEST)) != NULL
353         && (rsa_type != RSA_FLAG_TYPE_RSASSAPSS
354             || ossl_rsa_pss_params_30_is_unrestricted(pss_params))) {
355         if (!OSSL_PARAM_set_utf8_string(p, RSA_DEFAULT_MD))
356             return 0;
357     }
358 
359     /*
360      * For non-RSA-PSS keys, we ignore the mandatory digest request.
361      * With RSA-OAEP keys, this may need to be amended.
362      */
363     if ((p = OSSL_PARAM_locate(params,
364                                OSSL_PKEY_PARAM_MANDATORY_DIGEST)) != NULL
365         && rsa_type == RSA_FLAG_TYPE_RSASSAPSS
366         && !ossl_rsa_pss_params_30_is_unrestricted(pss_params)) {
367         const char *mdname =
368             ossl_rsa_oaeppss_nid2name(ossl_rsa_pss_params_30_hashalg(pss_params));
369 
370         if (mdname == NULL || !OSSL_PARAM_set_utf8_string(p, mdname))
371             return 0;
372     }
373     return (rsa_type != RSA_FLAG_TYPE_RSASSAPSS
374             || ossl_rsa_pss_params_30_todata(pss_params, NULL, params))
375         && ossl_rsa_todata(rsa, NULL, params, 1);
376 }
377 
378 static const OSSL_PARAM rsa_params[] = {
379     OSSL_PARAM_int(OSSL_PKEY_PARAM_BITS, NULL),
380     OSSL_PARAM_int(OSSL_PKEY_PARAM_SECURITY_BITS, NULL),
381     OSSL_PARAM_int(OSSL_PKEY_PARAM_MAX_SIZE, NULL),
382     OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_DEFAULT_DIGEST, NULL, 0),
383     RSA_KEY_TYPES()
384     OSSL_PARAM_END
385 };
386 
387 static const OSSL_PARAM *rsa_gettable_params(void *provctx)
388 {
389     return rsa_params;
390 }
391 
392 static int rsa_validate(const void *keydata, int selection, int checktype)
393 {
394     const RSA *rsa = keydata;
395     int ok = 1;
396 
397     if (!ossl_prov_is_running())
398         return 0;
399 
400     if ((selection & RSA_POSSIBLE_SELECTIONS) == 0)
401         return 1; /* nothing to validate */
402 
403     /* If the whole key is selected, we do a pairwise validation */
404     if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR)
405         == OSSL_KEYMGMT_SELECT_KEYPAIR) {
406         ok = ok && ossl_rsa_validate_pairwise(rsa);
407     } else {
408         if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0)
409             ok = ok && ossl_rsa_validate_private(rsa);
410         if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0)
411             ok = ok && ossl_rsa_validate_public(rsa);
412     }
413     return ok;
414 }
415 
416 struct rsa_gen_ctx {
417     OSSL_LIB_CTX *libctx;
418     const char *propq;
419 
420     int rsa_type;
421 
422     size_t nbits;
423     BIGNUM *pub_exp;
424     size_t primes;
425 
426     /* For PSS */
427     RSA_PSS_PARAMS_30 pss_params;
428     int pss_defaults_set;
429 
430     /* For generation callback */
431     OSSL_CALLBACK *cb;
432     void *cbarg;
433 
434 #if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS)
435     /* ACVP test parameters */
436     OSSL_PARAM *acvp_test_params;
437 #endif
438 };
439 
440 static int rsa_gencb(int p, int n, BN_GENCB *cb)
441 {
442     struct rsa_gen_ctx *gctx = BN_GENCB_get_arg(cb);
443     OSSL_PARAM params[] = { OSSL_PARAM_END, OSSL_PARAM_END, OSSL_PARAM_END };
444 
445     params[0] = OSSL_PARAM_construct_int(OSSL_GEN_PARAM_POTENTIAL, &p);
446     params[1] = OSSL_PARAM_construct_int(OSSL_GEN_PARAM_ITERATION, &n);
447     return gctx->cb(params, gctx->cbarg);
448 }
449 
450 static void *gen_init(void *provctx, int selection, int rsa_type,
451                       const OSSL_PARAM params[])
452 {
453     OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(provctx);
454     struct rsa_gen_ctx *gctx = NULL;
455 
456     if (!ossl_prov_is_running())
457         return NULL;
458 
459     if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) == 0)
460         return NULL;
461 
462     if ((gctx = OPENSSL_zalloc(sizeof(*gctx))) != NULL) {
463         gctx->libctx = libctx;
464         if ((gctx->pub_exp = BN_new()) == NULL
465             || !BN_set_word(gctx->pub_exp, RSA_F4)) {
466             goto err;
467         }
468         gctx->nbits = 2048;
469         gctx->primes = RSA_DEFAULT_PRIME_NUM;
470         gctx->rsa_type = rsa_type;
471     } else {
472         goto err;
473     }
474 
475     if (!rsa_gen_set_params(gctx, params))
476         goto err;
477     return gctx;
478 
479 err:
480     if (gctx != NULL)
481         BN_free(gctx->pub_exp);
482     OPENSSL_free(gctx);
483     return NULL;
484 }
485 
486 static void *rsa_gen_init(void *provctx, int selection,
487                           const OSSL_PARAM params[])
488 {
489     return gen_init(provctx, selection, RSA_FLAG_TYPE_RSA, params);
490 }
491 
492 static void *rsapss_gen_init(void *provctx, int selection,
493                              const OSSL_PARAM params[])
494 {
495     return gen_init(provctx, selection, RSA_FLAG_TYPE_RSASSAPSS, params);
496 }
497 
498 /*
499  * This function is common for all RSA sub-types, to detect possible
500  * misuse, such as PSS parameters being passed when a plain RSA key
501  * is generated.
502  */
503 static int rsa_gen_set_params(void *genctx, const OSSL_PARAM params[])
504 {
505     struct rsa_gen_ctx *gctx = genctx;
506     const OSSL_PARAM *p;
507 
508     if (params == NULL)
509         return 1;
510 
511     if ((p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_BITS)) != NULL) {
512         if (!OSSL_PARAM_get_size_t(p, &gctx->nbits))
513             return 0;
514         if (gctx->nbits < RSA_MIN_MODULUS_BITS) {
515             ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL);
516             return 0;
517         }
518     }
519     if ((p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_PRIMES)) != NULL
520         && !OSSL_PARAM_get_size_t(p, &gctx->primes))
521         return 0;
522     if ((p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_E)) != NULL
523         && !OSSL_PARAM_get_BN(p, &gctx->pub_exp))
524         return 0;
525     /* Only attempt to get PSS parameters when generating an RSA-PSS key */
526     if (gctx->rsa_type == RSA_FLAG_TYPE_RSASSAPSS
527         && !pss_params_fromdata(&gctx->pss_params, &gctx->pss_defaults_set, params,
528                                 gctx->rsa_type, gctx->libctx))
529         return 0;
530 #if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS)
531     /* Any ACVP test related parameters are copied into a params[] */
532     if (!ossl_rsa_acvp_test_gen_params_new(&gctx->acvp_test_params, params))
533         return 0;
534 #endif
535     return 1;
536 }
537 
538 #define rsa_gen_basic                                           \
539     OSSL_PARAM_size_t(OSSL_PKEY_PARAM_RSA_BITS, NULL),          \
540     OSSL_PARAM_size_t(OSSL_PKEY_PARAM_RSA_PRIMES, NULL),        \
541     OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_E, NULL, 0)
542 
543 /*
544  * The following must be kept in sync with ossl_rsa_pss_params_30_fromdata()
545  * in crypto/rsa/rsa_backend.c
546  */
547 #define rsa_gen_pss                                                     \
548     OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_RSA_DIGEST, NULL, 0),        \
549     OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_RSA_DIGEST_PROPS, NULL, 0),  \
550     OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_RSA_MASKGENFUNC, NULL, 0),   \
551     OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_RSA_MGF1_DIGEST, NULL, 0),   \
552     OSSL_PARAM_int(OSSL_PKEY_PARAM_RSA_PSS_SALTLEN, NULL)
553 
554 static const OSSL_PARAM *rsa_gen_settable_params(ossl_unused void *genctx,
555                                                  ossl_unused void *provctx)
556 {
557     static OSSL_PARAM settable[] = {
558         rsa_gen_basic,
559         OSSL_PARAM_END
560     };
561 
562     return settable;
563 }
564 
565 static const OSSL_PARAM *rsapss_gen_settable_params(ossl_unused void *genctx,
566                                                     ossl_unused void *provctx)
567 {
568     static OSSL_PARAM settable[] = {
569         rsa_gen_basic,
570         rsa_gen_pss,
571         OSSL_PARAM_END
572     };
573 
574     return settable;
575 }
576 
577 static void *rsa_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
578 {
579     struct rsa_gen_ctx *gctx = genctx;
580     RSA *rsa = NULL, *rsa_tmp = NULL;
581     BN_GENCB *gencb = NULL;
582 
583     if (!ossl_prov_is_running() || gctx == NULL)
584         return NULL;
585 
586     switch (gctx->rsa_type) {
587     case RSA_FLAG_TYPE_RSA:
588         /* For plain RSA keys, PSS parameters must not be set */
589         if (!ossl_rsa_pss_params_30_is_unrestricted(&gctx->pss_params))
590             goto err;
591         break;
592     case RSA_FLAG_TYPE_RSASSAPSS:
593         /*
594          * For plain RSA-PSS keys, PSS parameters may be set but don't have
595          * to, so not check.
596          */
597         break;
598     default:
599         /* Unsupported RSA key sub-type... */
600         return NULL;
601     }
602 
603     if ((rsa_tmp = ossl_rsa_new_with_ctx(gctx->libctx)) == NULL)
604         return NULL;
605 
606     gctx->cb = osslcb;
607     gctx->cbarg = cbarg;
608     gencb = BN_GENCB_new();
609     if (gencb != NULL)
610         BN_GENCB_set(gencb, rsa_gencb, genctx);
611 
612 #if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS)
613     if (gctx->acvp_test_params != NULL) {
614         if (!ossl_rsa_acvp_test_set_params(rsa_tmp, gctx->acvp_test_params))
615             goto err;
616     }
617 #endif
618 
619     if (!RSA_generate_multi_prime_key(rsa_tmp,
620                                       (int)gctx->nbits, (int)gctx->primes,
621                                       gctx->pub_exp, gencb))
622         goto err;
623 
624     if (!ossl_rsa_pss_params_30_copy(ossl_rsa_get0_pss_params_30(rsa_tmp),
625                                      &gctx->pss_params))
626         goto err;
627 
628     RSA_clear_flags(rsa_tmp, RSA_FLAG_TYPE_MASK);
629     RSA_set_flags(rsa_tmp, gctx->rsa_type);
630 
631     rsa = rsa_tmp;
632     rsa_tmp = NULL;
633  err:
634     BN_GENCB_free(gencb);
635     RSA_free(rsa_tmp);
636     return rsa;
637 }
638 
639 static void rsa_gen_cleanup(void *genctx)
640 {
641     struct rsa_gen_ctx *gctx = genctx;
642 
643     if (gctx == NULL)
644         return;
645 #if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS)
646     ossl_rsa_acvp_test_gen_params_free(gctx->acvp_test_params);
647     gctx->acvp_test_params = NULL;
648 #endif
649     BN_clear_free(gctx->pub_exp);
650     OPENSSL_free(gctx);
651 }
652 
653 static void *common_load(const void *reference, size_t reference_sz,
654                          int expected_rsa_type)
655 {
656     RSA *rsa = NULL;
657 
658     if (ossl_prov_is_running() && reference_sz == sizeof(rsa)) {
659         /* The contents of the reference is the address to our object */
660         rsa = *(RSA **)reference;
661 
662         if (RSA_test_flags(rsa, RSA_FLAG_TYPE_MASK) != expected_rsa_type)
663             return NULL;
664 
665         /* We grabbed, so we detach it */
666         *(RSA **)reference = NULL;
667         return rsa;
668     }
669     return NULL;
670 }
671 
672 static void *rsa_load(const void *reference, size_t reference_sz)
673 {
674     return common_load(reference, reference_sz, RSA_FLAG_TYPE_RSA);
675 }
676 
677 static void *rsapss_load(const void *reference, size_t reference_sz)
678 {
679     return common_load(reference, reference_sz, RSA_FLAG_TYPE_RSASSAPSS);
680 }
681 
682 static void *rsa_dup(const void *keydata_from, int selection)
683 {
684     if (ossl_prov_is_running()
685         /* do not allow creating empty keys by duplication */
686         && (selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0)
687         return ossl_rsa_dup(keydata_from, selection);
688     return NULL;
689 }
690 
691 /* For any RSA key, we use the "RSA" algorithms regardless of sub-type. */
692 static const char *rsa_query_operation_name(int operation_id)
693 {
694     return "RSA";
695 }
696 
697 const OSSL_DISPATCH ossl_rsa_keymgmt_functions[] = {
698     { OSSL_FUNC_KEYMGMT_NEW, (void (*)(void))rsa_newdata },
699     { OSSL_FUNC_KEYMGMT_GEN_INIT, (void (*)(void))rsa_gen_init },
700     { OSSL_FUNC_KEYMGMT_GEN_SET_PARAMS,
701       (void (*)(void))rsa_gen_set_params },
702     { OSSL_FUNC_KEYMGMT_GEN_SETTABLE_PARAMS,
703       (void (*)(void))rsa_gen_settable_params },
704     { OSSL_FUNC_KEYMGMT_GEN, (void (*)(void))rsa_gen },
705     { OSSL_FUNC_KEYMGMT_GEN_CLEANUP, (void (*)(void))rsa_gen_cleanup },
706     { OSSL_FUNC_KEYMGMT_LOAD, (void (*)(void))rsa_load },
707     { OSSL_FUNC_KEYMGMT_FREE, (void (*)(void))rsa_freedata },
708     { OSSL_FUNC_KEYMGMT_GET_PARAMS, (void (*) (void))rsa_get_params },
709     { OSSL_FUNC_KEYMGMT_GETTABLE_PARAMS, (void (*) (void))rsa_gettable_params },
710     { OSSL_FUNC_KEYMGMT_HAS, (void (*)(void))rsa_has },
711     { OSSL_FUNC_KEYMGMT_MATCH, (void (*)(void))rsa_match },
712     { OSSL_FUNC_KEYMGMT_VALIDATE, (void (*)(void))rsa_validate },
713     { OSSL_FUNC_KEYMGMT_IMPORT, (void (*)(void))rsa_import },
714     { OSSL_FUNC_KEYMGMT_IMPORT_TYPES, (void (*)(void))rsa_import_types },
715     { OSSL_FUNC_KEYMGMT_EXPORT, (void (*)(void))rsa_export },
716     { OSSL_FUNC_KEYMGMT_EXPORT_TYPES, (void (*)(void))rsa_export_types },
717     { OSSL_FUNC_KEYMGMT_DUP, (void (*)(void))rsa_dup },
718     { 0, NULL }
719 };
720 
721 const OSSL_DISPATCH ossl_rsapss_keymgmt_functions[] = {
722     { OSSL_FUNC_KEYMGMT_NEW, (void (*)(void))rsapss_newdata },
723     { OSSL_FUNC_KEYMGMT_GEN_INIT, (void (*)(void))rsapss_gen_init },
724     { OSSL_FUNC_KEYMGMT_GEN_SET_PARAMS, (void (*)(void))rsa_gen_set_params },
725     { OSSL_FUNC_KEYMGMT_GEN_SETTABLE_PARAMS,
726       (void (*)(void))rsapss_gen_settable_params },
727     { OSSL_FUNC_KEYMGMT_GEN, (void (*)(void))rsa_gen },
728     { OSSL_FUNC_KEYMGMT_GEN_CLEANUP, (void (*)(void))rsa_gen_cleanup },
729     { OSSL_FUNC_KEYMGMT_LOAD, (void (*)(void))rsapss_load },
730     { OSSL_FUNC_KEYMGMT_FREE, (void (*)(void))rsa_freedata },
731     { OSSL_FUNC_KEYMGMT_GET_PARAMS, (void (*) (void))rsa_get_params },
732     { OSSL_FUNC_KEYMGMT_GETTABLE_PARAMS, (void (*) (void))rsa_gettable_params },
733     { OSSL_FUNC_KEYMGMT_HAS, (void (*)(void))rsa_has },
734     { OSSL_FUNC_KEYMGMT_MATCH, (void (*)(void))rsa_match },
735     { OSSL_FUNC_KEYMGMT_VALIDATE, (void (*)(void))rsa_validate },
736     { OSSL_FUNC_KEYMGMT_IMPORT, (void (*)(void))rsa_import },
737     { OSSL_FUNC_KEYMGMT_IMPORT_TYPES, (void (*)(void))rsa_import_types },
738     { OSSL_FUNC_KEYMGMT_EXPORT, (void (*)(void))rsa_export },
739     { OSSL_FUNC_KEYMGMT_EXPORT_TYPES, (void (*)(void))rsa_export_types },
740     { OSSL_FUNC_KEYMGMT_QUERY_OPERATION_NAME,
741       (void (*)(void))rsa_query_operation_name },
742     { OSSL_FUNC_KEYMGMT_DUP, (void (*)(void))rsa_dup },
743     { 0, NULL }
744 };
745