1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved. 24 */ 25 26 /* 27 * This file contains RSA helper routines common to 28 * the PKCS11 soft token code and the kernel RSA code. 29 */ 30 31 #include <sys/types.h> 32 #include <bignum.h> 33 34 #ifdef _KERNEL 35 #include <sys/param.h> 36 #else 37 #include <strings.h> 38 #include <cryptoutil.h> 39 #endif 40 41 #include <sys/crypto/common.h> 42 #include "rsa_impl.h" 43 44 /* 45 * DER encoding T of the DigestInfo values for MD5, SHA1, and SHA2 46 * from PKCS#1 v2.1: RSA Cryptography Standard Section 9.2 Note 1 47 * 48 * MD5: (0x)30 20 30 0c 06 08 2a 86 48 86 f7 0d 02 05 05 00 04 10 || H 49 * SHA-1: (0x)30 21 30 09 06 05 2b 0e 03 02 1a 05 00 04 14 || H 50 * SHA-256: (0x)30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20 || H. 51 * SHA-384: (0x)30 41 30 0d 06 09 60 86 48 01 65 03 04 02 02 05 00 04 30 || H. 52 * SHA-512: (0x)30 51 30 0d 06 09 60 86 48 01 65 03 04 02 03 05 00 04 40 || H. 53 * 54 * Where H is the digested output from MD5 or SHA1. We define the constant 55 * byte array (the prefix) here and use it rather than doing the DER 56 * encoding of the OID in a separate routine. 57 */ 58 const CK_BYTE MD5_DER_PREFIX[MD5_DER_PREFIX_Len] = {0x30, 0x20, 0x30, 0x0c, 59 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 60 0x04, 0x10}; 61 62 const CK_BYTE SHA1_DER_PREFIX[SHA1_DER_PREFIX_Len] = {0x30, 0x21, 0x30, 63 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14}; 64 65 const CK_BYTE SHA1_DER_PREFIX_OID[SHA1_DER_PREFIX_OID_Len] = {0x30, 0x1f, 0x30, 66 0x07, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x04, 0x14}; 67 68 const CK_BYTE SHA256_DER_PREFIX[SHA2_DER_PREFIX_Len] = {0x30, 0x31, 0x30, 0x0d, 69 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 70 0x00, 0x04, 0x20}; 71 72 const CK_BYTE SHA384_DER_PREFIX[SHA2_DER_PREFIX_Len] = {0x30, 0x41, 0x30, 0x0d, 73 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 74 0x00, 0x04, 0x30}; 75 76 const CK_BYTE SHA512_DER_PREFIX[SHA2_DER_PREFIX_Len] = {0x30, 0x51, 0x30, 0x0d, 77 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 78 0x00, 0x04, 0x40}; 79 80 const CK_BYTE DEFAULT_PUB_EXPO[DEFAULT_PUB_EXPO_Len] = { 0x01, 0x00, 0x01 }; 81 82 83 static CK_RV 84 convert_rv(BIG_ERR_CODE err) 85 { 86 switch (err) { 87 88 case BIG_OK: 89 return (CKR_OK); 90 91 case BIG_NO_MEM: 92 return (CKR_HOST_MEMORY); 93 94 case BIG_NO_RANDOM: 95 return (CKR_DEVICE_ERROR); 96 97 case BIG_INVALID_ARGS: 98 return (CKR_ARGUMENTS_BAD); 99 100 case BIG_DIV_BY_0: 101 default: 102 return (CKR_GENERAL_ERROR); 103 } 104 } 105 106 /* psize and qsize are in bits */ 107 static BIG_ERR_CODE 108 RSA_key_init(RSAkey *key, int psize, int qsize) 109 { 110 BIG_ERR_CODE err = BIG_OK; 111 112 int plen, qlen, nlen; 113 114 plen = BITLEN2BIGNUMLEN(psize); 115 qlen = BITLEN2BIGNUMLEN(qsize); 116 nlen = plen + qlen; 117 key->size = psize + qsize; 118 if ((err = big_init(&(key->p), plen)) != BIG_OK) 119 return (err); 120 if ((err = big_init(&(key->q), qlen)) != BIG_OK) 121 goto ret1; 122 if ((err = big_init(&(key->n), nlen)) != BIG_OK) 123 goto ret2; 124 if ((err = big_init(&(key->d), nlen)) != BIG_OK) 125 goto ret3; 126 if ((err = big_init(&(key->e), nlen)) != BIG_OK) 127 goto ret4; 128 if ((err = big_init(&(key->dmodpminus1), plen)) != BIG_OK) 129 goto ret5; 130 if ((err = big_init(&(key->dmodqminus1), qlen)) != BIG_OK) 131 goto ret6; 132 if ((err = big_init(&(key->pinvmodq), qlen)) != BIG_OK) 133 goto ret7; 134 if ((err = big_init(&(key->p_rr), plen)) != BIG_OK) 135 goto ret8; 136 if ((err = big_init(&(key->q_rr), qlen)) != BIG_OK) 137 goto ret9; 138 if ((err = big_init(&(key->n_rr), nlen)) != BIG_OK) 139 goto ret10; 140 141 return (BIG_OK); 142 143 ret10: 144 big_finish(&(key->q_rr)); 145 ret9: 146 big_finish(&(key->p_rr)); 147 ret8: 148 big_finish(&(key->pinvmodq)); 149 ret7: 150 big_finish(&(key->dmodqminus1)); 151 ret6: 152 big_finish(&(key->dmodpminus1)); 153 ret5: 154 big_finish(&(key->e)); 155 ret4: 156 big_finish(&(key->d)); 157 ret3: 158 big_finish(&(key->n)); 159 ret2: 160 big_finish(&(key->q)); 161 ret1: 162 big_finish(&(key->p)); 163 164 return (err); 165 } 166 167 static void 168 RSA_key_finish(RSAkey *key) 169 { 170 big_finish(&(key->n_rr)); 171 big_finish(&(key->q_rr)); 172 big_finish(&(key->p_rr)); 173 big_finish(&(key->pinvmodq)); 174 big_finish(&(key->dmodqminus1)); 175 big_finish(&(key->dmodpminus1)); 176 big_finish(&(key->e)); 177 big_finish(&(key->d)); 178 big_finish(&(key->n)); 179 big_finish(&(key->q)); 180 big_finish(&(key->p)); 181 } 182 183 /* 184 * Generate RSA key 185 */ 186 static CK_RV 187 generate_rsa_key(RSAkey *key, int psize, int qsize, BIGNUM *pubexp, 188 int (*rfunc)(void *, size_t)) 189 { 190 CK_RV rv = CKR_OK; 191 192 int (*rf)(void *, size_t); 193 BIGNUM a, b, c, d, e, f, g, h; 194 int len, keylen, size; 195 BIG_ERR_CODE brv = BIG_OK; 196 197 size = psize + qsize; 198 keylen = BITLEN2BIGNUMLEN(size); 199 len = keylen * 2 + 1; 200 key->size = size; 201 202 /* 203 * Note: It is not really necessary to compute e, it is in pubexp: 204 * (void) big_copy(&(key->e), pubexp); 205 */ 206 207 a.malloced = 0; 208 b.malloced = 0; 209 c.malloced = 0; 210 d.malloced = 0; 211 e.malloced = 0; 212 f.malloced = 0; 213 g.malloced = 0; 214 h.malloced = 0; 215 216 if ((big_init(&a, len) != BIG_OK) || 217 (big_init(&b, len) != BIG_OK) || 218 (big_init(&c, len) != BIG_OK) || 219 (big_init(&d, len) != BIG_OK) || 220 (big_init(&e, len) != BIG_OK) || 221 (big_init(&f, len) != BIG_OK) || 222 (big_init(&g, len) != BIG_OK) || 223 (big_init(&h, len) != BIG_OK)) { 224 big_finish(&h); 225 big_finish(&g); 226 big_finish(&f); 227 big_finish(&e); 228 big_finish(&d); 229 big_finish(&c); 230 big_finish(&b); 231 big_finish(&a); 232 233 return (CKR_HOST_MEMORY); 234 } 235 236 rf = rfunc; 237 if (rf == NULL) { 238 #ifdef _KERNEL 239 rf = (int (*)(void *, size_t))random_get_pseudo_bytes; 240 #else 241 rf = pkcs11_get_urandom; 242 #endif 243 } 244 245 nextp: 246 if ((brv = big_random(&a, psize, rf)) != BIG_OK) { 247 goto ret; 248 } 249 250 if ((brv = big_nextprime_pos(&b, &a)) != BIG_OK) { 251 goto ret; 252 } 253 /* b now contains the potential prime p */ 254 255 (void) big_sub_pos(&a, &b, &big_One); 256 if ((brv = big_ext_gcd_pos(&f, &d, &g, pubexp, &a)) != BIG_OK) { 257 goto ret; 258 } 259 if (big_cmp_abs(&f, &big_One) != 0) { 260 goto nextp; 261 } 262 263 if ((brv = big_random(&c, qsize, rf)) != BIG_OK) { 264 goto ret; 265 } 266 267 nextq: 268 (void) big_add(&a, &c, &big_Two); 269 270 if (big_bitlength(&a) != qsize) { 271 goto nextp; 272 } 273 if (big_cmp_abs(&a, &b) == 0) { 274 goto nextp; 275 } 276 if ((brv = big_nextprime_pos(&c, &a)) != BIG_OK) { 277 goto ret; 278 } 279 /* c now contains the potential prime q */ 280 281 if ((brv = big_mul(&g, &b, &c)) != BIG_OK) { 282 goto ret; 283 } 284 if (big_bitlength(&g) != size) { 285 goto nextp; 286 } 287 /* g now contains the potential modulus n */ 288 289 (void) big_sub_pos(&a, &b, &big_One); 290 (void) big_sub_pos(&d, &c, &big_One); 291 292 if ((brv = big_mul(&a, &a, &d)) != BIG_OK) { 293 goto ret; 294 } 295 if ((brv = big_ext_gcd_pos(&f, &d, &h, pubexp, &a)) != BIG_OK) { 296 goto ret; 297 } 298 if (big_cmp_abs(&f, &big_One) != 0) { 299 goto nextq; 300 } else { 301 (void) big_copy(&e, pubexp); 302 } 303 if (d.sign == -1) { 304 if ((brv = big_add(&d, &d, &a)) != BIG_OK) { 305 goto ret; 306 } 307 } 308 (void) big_copy(&(key->p), &b); 309 (void) big_copy(&(key->q), &c); 310 (void) big_copy(&(key->n), &g); 311 (void) big_copy(&(key->d), &d); 312 (void) big_copy(&(key->e), &e); 313 314 if ((brv = big_ext_gcd_pos(&a, &f, &h, &b, &c)) != BIG_OK) { 315 goto ret; 316 } 317 if (f.sign == -1) { 318 if ((brv = big_add(&f, &f, &c)) != BIG_OK) { 319 goto ret; 320 } 321 } 322 (void) big_copy(&(key->pinvmodq), &f); 323 324 (void) big_sub(&a, &b, &big_One); 325 if ((brv = big_div_pos(&a, &f, &d, &a)) != BIG_OK) { 326 goto ret; 327 } 328 (void) big_copy(&(key->dmodpminus1), &f); 329 (void) big_sub(&a, &c, &big_One); 330 if ((brv = big_div_pos(&a, &f, &d, &a)) != BIG_OK) { 331 goto ret; 332 } 333 (void) big_copy(&(key->dmodqminus1), &f); 334 335 /* pairwise consistency check: decrypt and encrypt restores value */ 336 if ((brv = big_random(&h, size, rf)) != BIG_OK) { 337 goto ret; 338 } 339 if ((brv = big_div_pos(&a, &h, &h, &g)) != BIG_OK) { 340 goto ret; 341 } 342 if ((brv = big_modexp(&a, &h, &d, &g, NULL)) != BIG_OK) { 343 goto ret; 344 } 345 346 if ((brv = big_modexp(&b, &a, &e, &g, NULL)) != BIG_OK) { 347 goto ret; 348 } 349 350 if (big_cmp_abs(&b, &h) != 0) { 351 /* this should not happen */ 352 rv = generate_rsa_key(key, psize, qsize, pubexp, rf); 353 goto ret1; 354 } else { 355 brv = BIG_OK; 356 } 357 358 ret: 359 rv = convert_rv(brv); 360 ret1: 361 big_finish(&h); 362 big_finish(&g); 363 big_finish(&f); 364 big_finish(&e); 365 big_finish(&d); 366 big_finish(&c); 367 big_finish(&b); 368 big_finish(&a); 369 370 return (rv); 371 } 372 373 CK_RV 374 rsa_genkey_pair(RSAbytekey *bkey) 375 { 376 /* 377 * NOTE: Whomever originally wrote this function swapped p and q. 378 * This table shows the mapping between name convention used here 379 * versus what is used in most texts that describe RSA key generation. 380 * This function: Standard convention: 381 * -------------- -------------------- 382 * modulus, n -same- 383 * prime 1, q prime 1, p 384 * prime 2, p prime 2, q 385 * private exponent, d -same- 386 * public exponent, e -same- 387 * exponent 1, d mod (q-1) d mod (p-1) 388 * exponent 2, d mod (p-1) d mod (q-1) 389 * coefficient, p^-1 mod q q^-1 mod p 390 * 391 * Also notice the struct member for coefficient is named .pinvmodq 392 * rather than .qinvmodp, reflecting the switch. 393 * 394 * The code here wasn't unswapped, because "it works". Further, 395 * p and q are interchangeable as long as exponent 1 and 2 and 396 * the coefficient are kept straight too. This note is here to 397 * make the reader aware of the switcheroo. 398 */ 399 CK_RV rv = CKR_OK; 400 401 BIGNUM public_exponent = {0}; 402 RSAkey rsakey; 403 uint32_t modulus_bytes; 404 405 if (bkey == NULL) 406 return (CKR_ARGUMENTS_BAD); 407 408 /* Must have modulus bits set */ 409 if (bkey->modulus_bits == 0) 410 return (CKR_ARGUMENTS_BAD); 411 412 /* Must have public exponent set */ 413 if (bkey->pubexpo_bytes == 0 || bkey->pubexpo == NULL) 414 return (CKR_ARGUMENTS_BAD); 415 416 /* Note: modulus_bits may not be same as (8 * sizeof (modulus)) */ 417 modulus_bytes = CRYPTO_BITS2BYTES(bkey->modulus_bits); 418 419 /* Modulus length needs to be between min key size and max key size. */ 420 if ((modulus_bytes < MIN_RSA_KEYLENGTH_IN_BYTES) || 421 (modulus_bytes > MAX_RSA_KEYLENGTH_IN_BYTES)) { 422 return (CKR_KEY_SIZE_RANGE); 423 } 424 425 /* 426 * Initialize the RSA key. 427 */ 428 if (RSA_key_init(&rsakey, modulus_bytes * 4, modulus_bytes * 4) != 429 BIG_OK) { 430 return (CKR_HOST_MEMORY); 431 } 432 433 /* Create a public exponent in bignum format. */ 434 if (big_init(&public_exponent, 435 CHARLEN2BIGNUMLEN(bkey->pubexpo_bytes)) != BIG_OK) { 436 rv = CKR_HOST_MEMORY; 437 goto clean1; 438 } 439 bytestring2bignum(&public_exponent, bkey->pubexpo, bkey->pubexpo_bytes); 440 441 /* Generate RSA key pair. */ 442 if ((rv = generate_rsa_key(&rsakey, 443 modulus_bytes * 4, modulus_bytes * 4, &public_exponent, 444 bkey->rfunc)) != CKR_OK) { 445 big_finish(&public_exponent); 446 goto clean1; 447 } 448 big_finish(&public_exponent); 449 450 /* modulus_bytes = rsakey.n.len * (int)sizeof (BIG_CHUNK_TYPE); */ 451 bignum2bytestring(bkey->modulus, &(rsakey.n), modulus_bytes); 452 453 bkey->privexpo_bytes = rsakey.d.len * (int)sizeof (BIG_CHUNK_TYPE); 454 bignum2bytestring(bkey->privexpo, &(rsakey.d), bkey->privexpo_bytes); 455 456 bkey->pubexpo_bytes = rsakey.e.len * (int)sizeof (BIG_CHUNK_TYPE); 457 bignum2bytestring(bkey->pubexpo, &(rsakey.e), bkey->pubexpo_bytes); 458 459 bkey->prime1_bytes = rsakey.q.len * (int)sizeof (BIG_CHUNK_TYPE); 460 bignum2bytestring(bkey->prime1, &(rsakey.q), bkey->prime1_bytes); 461 462 bkey->prime2_bytes = rsakey.p.len * (int)sizeof (BIG_CHUNK_TYPE); 463 bignum2bytestring(bkey->prime2, &(rsakey.p), bkey->prime2_bytes); 464 465 bkey->expo1_bytes = 466 rsakey.dmodqminus1.len * (int)sizeof (BIG_CHUNK_TYPE); 467 bignum2bytestring(bkey->expo1, &(rsakey.dmodqminus1), 468 bkey->expo1_bytes); 469 470 bkey->expo2_bytes = 471 rsakey.dmodpminus1.len * (int)sizeof (BIG_CHUNK_TYPE); 472 bignum2bytestring(bkey->expo2, 473 &(rsakey.dmodpminus1), bkey->expo2_bytes); 474 475 bkey->coeff_bytes = 476 rsakey.pinvmodq.len * (int)sizeof (BIG_CHUNK_TYPE); 477 bignum2bytestring(bkey->coeff, &(rsakey.pinvmodq), bkey->coeff_bytes); 478 479 clean1: 480 RSA_key_finish(&rsakey); 481 482 return (rv); 483 } 484 485 /* 486 * RSA encrypt operation 487 */ 488 CK_RV 489 rsa_encrypt(RSAbytekey *bkey, uchar_t *in, uint32_t in_len, uchar_t *out) 490 { 491 CK_RV rv = CKR_OK; 492 493 BIGNUM msg; 494 RSAkey rsakey; 495 uint32_t modulus_bytes; 496 497 if (bkey == NULL) 498 return (CKR_ARGUMENTS_BAD); 499 500 /* Must have modulus and public exponent set */ 501 if (bkey->modulus_bits == 0 || bkey->modulus == NULL || 502 bkey->pubexpo_bytes == 0 || bkey->pubexpo == NULL) 503 return (CKR_ARGUMENTS_BAD); 504 505 /* Note: modulus_bits may not be same as (8 * sizeof (modulus)) */ 506 modulus_bytes = CRYPTO_BITS2BYTES(bkey->modulus_bits); 507 508 if (bkey->pubexpo_bytes > modulus_bytes) { 509 return (CKR_KEY_SIZE_RANGE); 510 } 511 512 /* psize and qsize for RSA_key_init is in bits. */ 513 if (RSA_key_init(&rsakey, modulus_bytes * 4, modulus_bytes * 4) != 514 BIG_OK) { 515 return (CKR_HOST_MEMORY); 516 } 517 518 /* Size for big_init is in BIG_CHUNK_TYPE words. */ 519 if (big_init(&msg, CHARLEN2BIGNUMLEN(in_len)) != BIG_OK) { 520 rv = CKR_HOST_MEMORY; 521 goto clean2; 522 } 523 bytestring2bignum(&msg, in, in_len); 524 525 /* Convert public exponent and modulus to big integer format. */ 526 bytestring2bignum(&(rsakey.e), bkey->pubexpo, bkey->pubexpo_bytes); 527 bytestring2bignum(&(rsakey.n), bkey->modulus, modulus_bytes); 528 529 if (big_cmp_abs(&msg, &(rsakey.n)) > 0) { 530 rv = CKR_DATA_LEN_RANGE; 531 goto clean3; 532 } 533 534 /* Perform RSA computation on big integer input data. */ 535 if (big_modexp(&msg, &msg, &(rsakey.e), &(rsakey.n), NULL) != 536 BIG_OK) { 537 rv = CKR_HOST_MEMORY; 538 goto clean3; 539 } 540 541 /* Convert the big integer output data to octet string. */ 542 bignum2bytestring(out, &msg, modulus_bytes); 543 544 clean3: 545 big_finish(&msg); 546 clean2: 547 RSA_key_finish(&rsakey); 548 549 return (rv); 550 } 551 552 /* 553 * RSA decrypt operation 554 */ 555 CK_RV 556 rsa_decrypt(RSAbytekey *bkey, uchar_t *in, uint32_t in_len, uchar_t *out) 557 { 558 CK_RV rv = CKR_OK; 559 560 BIGNUM msg; 561 RSAkey rsakey; 562 uint32_t modulus_bytes; 563 564 if (bkey == NULL) 565 return (CKR_ARGUMENTS_BAD); 566 567 /* Must have modulus, prime1, prime2, expo1, expo2, and coeff set */ 568 if (bkey->modulus_bits == 0 || bkey->modulus == NULL || 569 bkey->prime1_bytes == 0 || bkey->prime1 == NULL || 570 bkey->prime2_bytes == 0 || bkey->prime2 == NULL || 571 bkey->expo1_bytes == 0 || bkey->expo1 == NULL || 572 bkey->expo2_bytes == 0 || bkey->expo2 == NULL || 573 bkey->coeff_bytes == 0 || bkey->coeff == NULL) 574 return (CKR_ARGUMENTS_BAD); 575 576 /* Note: modulus_bits may not be same as (8 * sizeof (modulus)) */ 577 modulus_bytes = CRYPTO_BITS2BYTES(bkey->modulus_bits); 578 579 /* psize and qsize for RSA_key_init is in bits. */ 580 if (RSA_key_init(&rsakey, CRYPTO_BYTES2BITS(bkey->prime2_bytes), 581 CRYPTO_BYTES2BITS(bkey->prime1_bytes)) != BIG_OK) { 582 return (CKR_HOST_MEMORY); 583 } 584 585 /* Size for big_init is in BIG_CHUNK_TYPE words. */ 586 if (big_init(&msg, CHARLEN2BIGNUMLEN(in_len)) != BIG_OK) { 587 rv = CKR_HOST_MEMORY; 588 goto clean3; 589 } 590 /* Convert octet string input data to big integer format. */ 591 bytestring2bignum(&msg, in, in_len); 592 593 /* Convert octet string modulus to big integer format. */ 594 bytestring2bignum(&(rsakey.n), bkey->modulus, modulus_bytes); 595 596 if (big_cmp_abs(&msg, &(rsakey.n)) > 0) { 597 rv = CKR_DATA_LEN_RANGE; 598 goto clean4; 599 } 600 601 /* Convert the rest of private key attributes to big integer format. */ 602 bytestring2bignum(&(rsakey.q), bkey->prime1, bkey->prime1_bytes); 603 bytestring2bignum(&(rsakey.p), bkey->prime2, bkey->prime2_bytes); 604 bytestring2bignum(&(rsakey.dmodqminus1), 605 bkey->expo1, bkey->expo1_bytes); 606 bytestring2bignum(&(rsakey.dmodpminus1), 607 bkey->expo2, bkey->expo2_bytes); 608 bytestring2bignum(&(rsakey.pinvmodq), 609 bkey->coeff, bkey->coeff_bytes); 610 611 if ((big_cmp_abs(&(rsakey.dmodpminus1), &(rsakey.p)) > 0) || 612 (big_cmp_abs(&(rsakey.dmodqminus1), &(rsakey.q)) > 0) || 613 (big_cmp_abs(&(rsakey.pinvmodq), &(rsakey.q)) > 0)) { 614 rv = CKR_KEY_SIZE_RANGE; 615 goto clean4; 616 } 617 618 /* Perform RSA computation on big integer input data. */ 619 if (big_modexp_crt(&msg, &msg, &(rsakey.dmodpminus1), 620 &(rsakey.dmodqminus1), &(rsakey.p), &(rsakey.q), 621 &(rsakey.pinvmodq), NULL, NULL) != BIG_OK) { 622 rv = CKR_HOST_MEMORY; 623 goto clean4; 624 } 625 626 /* Convert the big integer output data to octet string. */ 627 bignum2bytestring(out, &msg, modulus_bytes); 628 629 clean4: 630 big_finish(&msg); 631 clean3: 632 RSA_key_finish(&rsakey); 633 634 return (rv); 635 } 636