xref: /illumos-gate/usr/src/common/crypto/rsa/rsa_impl.c (revision ed5289f91b9bf164dccd6c75398362be77a4478d)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #pragma ident	"%Z%%M%	%I%	%E% SMI"
27 
28 /*
29  * This file contains RSA helper routines common to
30  * the PKCS11 soft token code and the kernel RSA code.
31  */
32 
33 #include <sys/types.h>
34 #include "rsa_impl.h"
35 
36 #ifdef _KERNEL
37 #include <sys/param.h>
38 #else
39 #include <strings.h>
40 #include "softRandom.h"
41 #endif
42 
43 /*
44  * DER encoding T of the DigestInfo values for MD5, SHA1, and SHA2
45  * from PKCS#1 v2.1: RSA Cryptography Standard Section 9.2 Note 1
46  *
47  * MD5:     (0x)30 20 30 0c 06 08 2a 86 48 86 f7 0d 02 05 05 00 04 10 || H
48  * SHA-1:   (0x)30 21 30 09 06 05 2b 0e 03 02 1a 05 00 04 14 || H
49  * SHA-256: (0x)30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20 || H.
50  * SHA-384: (0x)30 41 30 0d 06 09 60 86 48 01 65 03 04 02 02 05 00 04 30 || H.
51  * SHA-512: (0x)30 51 30 0d 06 09 60 86 48 01 65 03 04 02 03 05 00 04 40 || H.
52  *
53  * Where H is the digested output from MD5 or SHA1. We define the constant
54  * byte array (the prefix) here and use it rather than doing the DER
55  * encoding of the OID in a separate routine.
56  */
57 const CK_BYTE MD5_DER_PREFIX[MD5_DER_PREFIX_Len] = {0x30, 0x20, 0x30, 0x0c,
58     0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00,
59     0x04, 0x10};
60 
61 const CK_BYTE SHA1_DER_PREFIX[SHA1_DER_PREFIX_Len] = {0x30, 0x21, 0x30,
62     0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14};
63 
64 const CK_BYTE SHA1_DER_PREFIX_OID[SHA1_DER_PREFIX_OID_Len] = {0x30, 0x1f, 0x30,
65     0x07, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x04, 0x14};
66 
67 const CK_BYTE SHA256_DER_PREFIX[SHA2_DER_PREFIX_Len] = {0x30, 0x31, 0x30, 0x0d,
68     0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05,
69     0x00, 0x04, 0x20};
70 
71 const CK_BYTE SHA384_DER_PREFIX[SHA2_DER_PREFIX_Len] = {0x30, 0x41, 0x30, 0x0d,
72     0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05,
73     0x00, 0x04, 0x30};
74 
75 const CK_BYTE SHA512_DER_PREFIX[SHA2_DER_PREFIX_Len] = {0x30, 0x51, 0x30, 0x0d,
76     0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05,
77     0x00, 0x04, 0x40};
78 
79 
80 /* psize and qsize are in bits */
81 BIG_ERR_CODE
82 RSA_key_init(RSAkey *key, int psize, int qsize)
83 {
84 	BIG_ERR_CODE err = BIG_OK;
85 
86 /* EXPORT DELETE START */
87 
88 	int plen, qlen, nlen;
89 
90 	plen = BITLEN2BIGNUMLEN(psize);
91 	qlen = BITLEN2BIGNUMLEN(qsize);
92 	nlen = plen + qlen;
93 	key->size = psize + qsize;
94 	if ((err = big_init(&(key->p), plen)) != BIG_OK)
95 		return (err);
96 	if ((err = big_init(&(key->q), qlen)) != BIG_OK)
97 		goto ret1;
98 	if ((err = big_init(&(key->n), nlen)) != BIG_OK)
99 		goto ret2;
100 	if ((err = big_init(&(key->d), nlen)) != BIG_OK)
101 		goto ret3;
102 	if ((err = big_init(&(key->e), nlen)) != BIG_OK)
103 		goto ret4;
104 	if ((err = big_init(&(key->dmodpminus1), plen)) != BIG_OK)
105 		goto ret5;
106 	if ((err = big_init(&(key->dmodqminus1), qlen)) != BIG_OK)
107 		goto ret6;
108 	if ((err = big_init(&(key->pinvmodq), qlen)) != BIG_OK)
109 		goto ret7;
110 	if ((err = big_init(&(key->p_rr), plen)) != BIG_OK)
111 		goto ret8;
112 	if ((err = big_init(&(key->q_rr), qlen)) != BIG_OK)
113 		goto ret9;
114 	if ((err = big_init(&(key->n_rr), nlen)) != BIG_OK)
115 		goto ret10;
116 
117 	return (BIG_OK);
118 
119 ret10:
120 	big_finish(&(key->q_rr));
121 ret9:
122 	big_finish(&(key->p_rr));
123 ret8:
124 	big_finish(&(key->pinvmodq));
125 ret7:
126 	big_finish(&(key->dmodqminus1));
127 ret6:
128 	big_finish(&(key->dmodpminus1));
129 ret5:
130 	big_finish(&(key->e));
131 ret4:
132 	big_finish(&(key->d));
133 ret3:
134 	big_finish(&(key->n));
135 ret2:
136 	big_finish(&(key->q));
137 ret1:
138 	big_finish(&(key->p));
139 
140 /* EXPORT DELETE END */
141 
142 	return (err);
143 }
144 
145 
146 void
147 RSA_key_finish(RSAkey *key)
148 {
149 
150 /* EXPORT DELETE START */
151 
152 	big_finish(&(key->n_rr));
153 	big_finish(&(key->q_rr));
154 	big_finish(&(key->p_rr));
155 	big_finish(&(key->pinvmodq));
156 	big_finish(&(key->dmodqminus1));
157 	big_finish(&(key->dmodpminus1));
158 	big_finish(&(key->e));
159 	big_finish(&(key->d));
160 	big_finish(&(key->n));
161 	big_finish(&(key->q));
162 	big_finish(&(key->p));
163 
164 /* EXPORT DELETE END */
165 
166 }
167 
168 
169 /*
170  * To create a block type "02" encryption block for RSA PKCS encryption
171  * process.
172  *
173  * The RSA PKCS Padding before encryption is in the following format:
174  * +------+--------------------+----+-----------------------------+
175  * |0x0002| 8 bytes or more RN |0x00|       DATA                  |
176  * +------+--------------------+----+-----------------------------+
177  *
178  */
179 CK_RV
180 soft_encrypt_rsa_pkcs_encode(uint8_t *databuf,
181     size_t datalen, uint8_t *padbuf, size_t padbuflen)
182 {
183 
184 /* EXPORT DELETE START */
185 
186 	size_t	padlen;
187 	CK_RV	rv;
188 
189 	padlen = padbuflen - datalen;
190 	if (padlen < MIN_PKCS1_PADLEN) {
191 		return (CKR_DATA_LEN_RANGE);
192 	}
193 
194 	/* Pad with 0x0002+non-zero pseudorandom numbers+0x00. */
195 	padbuf[0] = 0x00;
196 	padbuf[1] = 0x02;
197 #ifdef _KERNEL
198 	rv = knzero_random_generator(padbuf + 2, padbuflen - 3);
199 #else
200 	rv = soft_nzero_random_generator(padbuf + 2, padbuflen - 3);
201 #endif
202 	if (rv != CKR_OK) {
203 		return (rv);
204 	}
205 	padbuf[padlen - 1] = 0x00;
206 
207 	bcopy(databuf, padbuf + padlen, datalen);
208 
209 /* EXPORT DELETE END */
210 
211 	return (CKR_OK);
212 }
213 
214 
215 /*
216  * The RSA PKCS Padding after decryption is in the following format:
217  * +------+--------------------+----+-----------------------------+
218  * |0x0002| 8 bytes or more RN |0x00|       DATA                  |
219  * +------+--------------------+----+-----------------------------+
220  *
221  * 'padbuf' points to the recovered message which is the modulus
222  * length. As a result, 'plen' is changed to hold the actual data length.
223  */
224 CK_RV
225 soft_decrypt_rsa_pkcs_decode(uint8_t *padbuf, int *plen)
226 {
227 
228 /* EXPORT DELETE START */
229 
230 	int	i;
231 
232 	/* Check to see if the recovered data is padded is 0x0002. */
233 	if (padbuf[0] != 0x00 || padbuf[1] != 0x02) {
234 		return (CKR_ENCRYPTED_DATA_INVALID);
235 	}
236 
237 	/* Remove all the random bits up to 0x00 (= NULL char) */
238 	for (i = 2; (*plen - i) > 0; i++) {
239 		if (padbuf[i] == 0x00) {
240 			i++;
241 			if (i < MIN_PKCS1_PADLEN) {
242 				return (CKR_ENCRYPTED_DATA_INVALID);
243 			}
244 			*plen -= i;
245 
246 			return (CKR_OK);
247 		}
248 	}
249 
250 /* EXPORT DELETE END */
251 
252 	return (CKR_ENCRYPTED_DATA_INVALID);
253 }
254 
255 /*
256  * To create a block type "01" block for RSA PKCS signature process.
257  *
258  * The RSA PKCS Padding before Signing is in the following format:
259  * +------+--------------+----+-----------------------------+
260  * |0x0001| 0xFFFF.......|0x00|          DATA               |
261  * +------+--------------+----+-----------------------------+
262  */
263 CK_RV
264 soft_sign_rsa_pkcs_encode(uint8_t *pData, size_t dataLen, uint8_t *data,
265     size_t mbit_l)
266 {
267 
268 /* EXPORT DELETE START */
269 
270 	size_t	padlen;
271 
272 	padlen = mbit_l - dataLen;
273 	if (padlen < MIN_PKCS1_PADLEN) {
274 		return (CKR_DATA_LEN_RANGE);
275 	}
276 
277 	padlen -= 3;
278 	data[0] = 0x00;
279 	data[1] = 0x01;
280 #ifdef _KERNEL
281 	kmemset(data + 2, 0xFF, padlen);
282 #else
283 	(void) memset(data + 2, 0xFF, padlen);
284 #endif
285 	data[padlen + 2] = 0x00;
286 	bcopy(pData, data + padlen + 3, dataLen);
287 
288 /* EXPORT DELETE END */
289 
290 	return (CKR_OK);
291 }
292 
293 
294 CK_RV
295 soft_verify_rsa_pkcs_decode(uint8_t *data, int *mbit_l)
296 {
297 
298 /* EXPORT DELETE START */
299 
300 	int i;
301 
302 	/* Check to see if the padding of recovered data starts with 0x0001. */
303 	if ((data[0] != 0x00) || (data[1] != 0x01)) {
304 		return (CKR_SIGNATURE_INVALID);
305 	}
306 	/* Check to see if the recovered data is padded with 0xFFF...00. */
307 	for (i = 2; i < *mbit_l; i++) {
308 		if (data[i] == 0x00) {
309 			i++;
310 			if (i < MIN_PKCS1_PADLEN) {
311 				return (CKR_SIGNATURE_INVALID);
312 			}
313 			*mbit_l -= i;
314 
315 			return (CKR_OK);
316 		} else if (data[i] != 0xFF) {
317 			return (CKR_SIGNATURE_INVALID);
318 		}
319 	}
320 
321 /* EXPORT DELETE END */
322 
323 	return (CKR_SIGNATURE_INVALID);
324 }
325