1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License, Version 1.0 only 6 * (the "License"). You may not use this file except in compliance 7 * with the License. 8 * 9 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 10 * or http://www.opensolaris.org/os/licensing. 11 * See the License for the specific language governing permissions 12 * and limitations under the License. 13 * 14 * When distributing Covered Code, include this CDDL HEADER in each 15 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 16 * If applicable, add the following below this CDDL HEADER, with the 17 * fields enclosed by brackets "[]" replaced with your own identifying 18 * information: Portions Copyright [yyyy] [name of copyright owner] 19 * 20 * CDDL HEADER END 21 */ 22 /* 23 * Copyright 2005 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 27 #pragma ident "%Z%%M% %I% %E% SMI" 28 29 #include <pthread.h> 30 #include <stdlib.h> 31 #include <string.h> 32 #include <strings.h> 33 #include <sys/types.h> 34 #include <security/cryptoki.h> 35 #include <bignum.h> 36 #include "softGlobal.h" 37 #include "softSession.h" 38 #include "softObject.h" 39 #include "softOps.h" 40 #include "softRSA.h" 41 #include "softMAC.h" 42 #include "softRandom.h" 43 #include "softCrypt.h" 44 45 CK_RV 46 soft_rsa_encrypt(soft_object_t *key, CK_BYTE_PTR in, uint32_t in_len, 47 CK_BYTE_PTR out, int realpublic) 48 { 49 50 CK_RV rv = CKR_OK; 51 52 /* EXPORT DELETE START */ 53 54 uchar_t expo[MAX_KEY_ATTR_BUFLEN]; 55 uchar_t modulus[MAX_KEY_ATTR_BUFLEN]; 56 uint32_t expo_len = sizeof (expo); 57 uint32_t modulus_len = sizeof (modulus); 58 BIGNUM msg; 59 RSAkey *rsakey; 60 61 if (realpublic) { 62 rv = soft_get_public_attr(key, CKA_PUBLIC_EXPONENT, expo, 63 &expo_len); 64 if (rv != CKR_OK) { 65 goto clean1; 66 } 67 } else { 68 rv = soft_get_private_attr(key, CKA_PRIVATE_EXPONENT, expo, 69 &expo_len); 70 if (rv != CKR_OK) { 71 goto clean1; 72 } 73 } 74 75 rv = soft_get_public_attr(key, CKA_MODULUS, modulus, &modulus_len); 76 if (rv != CKR_OK) { 77 goto clean1; 78 } 79 80 if (expo_len > modulus_len) { 81 rv = CKR_KEY_SIZE_RANGE; 82 goto clean1; 83 } 84 85 rsakey = calloc(1, sizeof (RSAkey)); 86 if (rsakey == NULL) { 87 rv = CKR_HOST_MEMORY; 88 goto clean1; 89 } 90 91 if (RSA_key_init(rsakey, modulus_len * 4, modulus_len * 4) != BIG_OK) { 92 rv = CKR_HOST_MEMORY; 93 goto clean4; 94 } 95 96 /* Size for big_init is in (32-bit) words. */ 97 if (big_init(&msg, (in_len + (int)sizeof (uint32_t) - 1) / 98 (int)sizeof (uint32_t)) != BIG_OK) { 99 rv = CKR_HOST_MEMORY; 100 goto clean5; 101 } 102 103 /* Convert octet string exponent to big integer format. */ 104 bytestring2bignum(&(rsakey->e), expo, expo_len); 105 106 /* Convert octet string modulus to big integer format. */ 107 bytestring2bignum(&(rsakey->n), modulus, modulus_len); 108 109 /* Convert octet string input data to big integer format. */ 110 bytestring2bignum(&msg, (uchar_t *)in, in_len); 111 112 if (big_cmp_abs(&msg, &(rsakey->n)) > 0) { 113 rv = CKR_DATA_LEN_RANGE; 114 goto clean6; 115 } 116 117 /* Perform RSA computation on big integer input data. */ 118 if (big_modexp(&msg, &msg, &(rsakey->e), &(rsakey->n), NULL) != 119 BIG_OK) { 120 rv = CKR_HOST_MEMORY; 121 goto clean6; 122 } 123 124 /* Convert the big integer output data to octet string. */ 125 bignum2bytestring((uchar_t *)out, &msg, modulus_len); 126 127 clean6: 128 big_finish(&msg); 129 clean5: 130 RSA_key_finish(rsakey); 131 clean4: 132 free(rsakey); 133 clean1: 134 135 /* EXPORT DELETE END */ 136 137 return (rv); 138 } 139 140 141 CK_RV 142 soft_rsa_decrypt(soft_object_t *key, CK_BYTE_PTR in, uint32_t in_len, 143 CK_BYTE_PTR out) 144 { 145 146 CK_RV rv = CKR_OK; 147 148 /* EXPORT DELETE START */ 149 150 uchar_t modulus[MAX_KEY_ATTR_BUFLEN]; 151 uchar_t prime1[MAX_KEY_ATTR_BUFLEN]; 152 uchar_t prime2[MAX_KEY_ATTR_BUFLEN]; 153 uchar_t expo1[MAX_KEY_ATTR_BUFLEN]; 154 uchar_t expo2[MAX_KEY_ATTR_BUFLEN]; 155 uchar_t coef[MAX_KEY_ATTR_BUFLEN]; 156 uint32_t modulus_len = sizeof (modulus); 157 uint32_t prime1_len = sizeof (prime1); 158 uint32_t prime2_len = sizeof (prime2); 159 uint32_t expo1_len = sizeof (expo1); 160 uint32_t expo2_len = sizeof (expo2); 161 uint32_t coef_len = sizeof (coef); 162 BIGNUM msg; 163 RSAkey *rsakey; 164 165 rv = soft_get_private_attr(key, CKA_MODULUS, modulus, &modulus_len); 166 if (rv != CKR_OK) { 167 goto clean1; 168 } 169 170 rv = soft_get_private_attr(key, CKA_PRIME_1, prime1, &prime1_len); 171 172 if ((prime1_len == 0) && (rv == CKR_OK)) { 173 rv = soft_rsa_encrypt(key, in, in_len, out, 0); 174 goto clean1; 175 } else { 176 if (rv != CKR_OK) 177 goto clean1; 178 } 179 180 rv = soft_get_private_attr(key, CKA_PRIME_2, prime2, &prime2_len); 181 182 if ((prime2_len == 0) && (rv == CKR_OK)) { 183 rv = soft_rsa_encrypt(key, in, in_len, out, 0); 184 goto clean1; 185 } else { 186 if (rv != CKR_OK) 187 goto clean1; 188 } 189 190 rv = soft_get_private_attr(key, CKA_EXPONENT_1, expo1, &expo1_len); 191 192 if ((expo1_len == 0) && (rv == CKR_OK)) { 193 rv = soft_rsa_encrypt(key, in, in_len, out, 0); 194 goto clean1; 195 } else { 196 if (rv != CKR_OK) 197 goto clean1; 198 } 199 200 rv = soft_get_private_attr(key, CKA_EXPONENT_2, expo2, &expo2_len); 201 202 if ((expo2_len == 0) && (rv == CKR_OK)) { 203 rv = soft_rsa_encrypt(key, in, in_len, out, 0); 204 goto clean1; 205 } else { 206 if (rv != CKR_OK) 207 goto clean1; 208 } 209 210 rv = soft_get_private_attr(key, CKA_COEFFICIENT, coef, &coef_len); 211 212 if ((coef_len == 0) && (rv == CKR_OK)) { 213 rv = soft_rsa_encrypt(key, in, in_len, out, 0); 214 goto clean1; 215 } else { 216 if (rv != CKR_OK) 217 goto clean1; 218 } 219 220 rsakey = calloc(1, sizeof (RSAkey)); 221 if (rsakey == NULL) { 222 rv = CKR_HOST_MEMORY; 223 goto clean1; 224 } 225 226 /* psize and qsize for RSA_key_init is in bits. */ 227 if (RSA_key_init(rsakey, prime2_len * 8, prime1_len * 8) != BIG_OK) { 228 rv = CKR_HOST_MEMORY; 229 goto clean8; 230 } 231 232 /* Size for big_init is in (32-bit) words. */ 233 if (big_init(&msg, (in_len + (int)sizeof (uint32_t) - 1) / 234 (int)sizeof (uint32_t)) != BIG_OK) { 235 rv = CKR_HOST_MEMORY; 236 goto clean9; 237 } 238 239 /* Convert octet string input data to big integer format. */ 240 bytestring2bignum(&msg, (uchar_t *)in, in_len); 241 242 /* Convert octet string modulus to big integer format. */ 243 bytestring2bignum(&(rsakey->n), modulus, modulus_len); 244 245 if (big_cmp_abs(&msg, &(rsakey->n)) > 0) { 246 rv = CKR_DATA_LEN_RANGE; 247 goto clean10; 248 } 249 250 /* Convert the rest of private key attributes to big integer format. */ 251 bytestring2bignum(&(rsakey->dmodpminus1), expo2, expo2_len); 252 bytestring2bignum(&(rsakey->dmodqminus1), expo1, expo1_len); 253 bytestring2bignum(&(rsakey->p), prime2, prime2_len); 254 bytestring2bignum(&(rsakey->q), prime1, prime1_len); 255 bytestring2bignum(&(rsakey->pinvmodq), coef, coef_len); 256 257 if ((big_cmp_abs(&(rsakey->dmodpminus1), &(rsakey->p)) > 0) || 258 (big_cmp_abs(&(rsakey->dmodqminus1), &(rsakey->q)) > 0) || 259 (big_cmp_abs(&(rsakey->pinvmodq), &(rsakey->q)) > 0)) { 260 rv = CKR_KEY_SIZE_RANGE; 261 goto clean10; 262 } 263 264 /* Perform RSA computation on big integer input data. */ 265 if (big_modexp_crt(&msg, &msg, &(rsakey->dmodpminus1), 266 &(rsakey->dmodqminus1), &(rsakey->p), &(rsakey->q), 267 &(rsakey->pinvmodq), NULL, NULL) != BIG_OK) { 268 rv = CKR_HOST_MEMORY; 269 goto clean10; 270 } 271 272 /* Convert the big integer output data to octet string. */ 273 bignum2bytestring((uchar_t *)out, &msg, modulus_len); 274 275 clean10: 276 big_finish(&msg); 277 clean9: 278 RSA_key_finish(rsakey); 279 clean8: 280 free(rsakey); 281 clean1: 282 283 /* EXPORT DELETE END */ 284 285 return (rv); 286 } 287 288 /* 289 * Allocate a RSA context for the active encryption or decryption operation. 290 * This function is called without the session lock held. 291 */ 292 CK_RV 293 soft_rsa_crypt_init_common(soft_session_t *session_p, 294 CK_MECHANISM_PTR pMechanism, soft_object_t *key_p, 295 boolean_t encrypt) 296 { 297 298 soft_rsa_ctx_t *rsa_ctx; 299 soft_object_t *tmp_key = NULL; 300 CK_RV rv; 301 302 rsa_ctx = calloc(1, sizeof (soft_rsa_ctx_t)); 303 if (rsa_ctx == NULL) { 304 return (CKR_HOST_MEMORY); 305 } 306 307 /* 308 * Make a copy of the encryption or decryption key, and save it 309 * in the RSA crypto context since it will be used later for 310 * encryption/decryption. We don't want to hold any object reference 311 * on this original key while doing encryption/decryption. 312 */ 313 (void) pthread_mutex_lock(&key_p->object_mutex); 314 rv = soft_copy_object(key_p, &tmp_key, SOFT_COPY_OBJ_ORIG_SH, 315 NULL); 316 317 if ((rv != CKR_OK) || (tmp_key == NULL)) { 318 /* Most likely we ran out of space. */ 319 (void) pthread_mutex_unlock(&key_p->object_mutex); 320 free(rsa_ctx); 321 return (rv); 322 } 323 324 /* No need to hold the lock on the old object. */ 325 (void) pthread_mutex_unlock(&key_p->object_mutex); 326 rsa_ctx->key = tmp_key; 327 328 (void) pthread_mutex_lock(&session_p->session_mutex); 329 if (encrypt) { 330 /* Called by C_EncryptInit. */ 331 session_p->encrypt.context = rsa_ctx; 332 session_p->encrypt.mech.mechanism = pMechanism->mechanism; 333 } else { 334 /* Called by C_DecryptInit. */ 335 session_p->decrypt.context = rsa_ctx; 336 session_p->decrypt.mech.mechanism = pMechanism->mechanism; 337 } 338 (void) pthread_mutex_unlock(&session_p->session_mutex); 339 340 return (CKR_OK); 341 } 342 343 CK_RV 344 soft_rsa_encrypt_common(soft_session_t *session_p, CK_BYTE_PTR pData, 345 CK_ULONG ulDataLen, CK_BYTE_PTR pEncrypted, 346 CK_ULONG_PTR pulEncryptedLen, CK_MECHANISM_TYPE mechanism) 347 { 348 349 soft_rsa_ctx_t *rsa_ctx = session_p->encrypt.context; 350 soft_object_t *key = rsa_ctx->key; 351 uchar_t modulus[MAX_KEY_ATTR_BUFLEN]; 352 uint32_t modulus_len = sizeof (modulus); 353 CK_BYTE plain_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 354 CK_BYTE cipher_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 355 CK_RV rv = CKR_OK; 356 357 rv = soft_get_public_attr(key, CKA_MODULUS, modulus, &modulus_len); 358 if (rv != CKR_OK) { 359 goto clean_exit; 360 } 361 362 if (pEncrypted == NULL) { 363 /* 364 * Application asks for the length of the output buffer 365 * to hold the ciphertext. 366 */ 367 *pulEncryptedLen = modulus_len; 368 rv = CKR_OK; 369 goto clean1; 370 } 371 372 if (mechanism == CKM_RSA_PKCS) { 373 /* 374 * Input data length needs to be <= 375 * modulus length-MIN_PKCS1_PADLEN. 376 */ 377 if (ulDataLen > ((CK_ULONG)modulus_len - MIN_PKCS1_PADLEN)) { 378 *pulEncryptedLen = modulus_len; 379 rv = CKR_DATA_LEN_RANGE; 380 goto clean_exit; 381 } 382 } else { 383 /* Input data length needs to be <= modulus length. */ 384 if (ulDataLen > (CK_ULONG)modulus_len) { 385 *pulEncryptedLen = modulus_len; 386 rv = CKR_DATA_LEN_RANGE; 387 goto clean_exit; 388 } 389 } 390 391 /* Is the application-supplied buffer large enough? */ 392 if (*pulEncryptedLen < (CK_ULONG)modulus_len) { 393 *pulEncryptedLen = modulus_len; 394 rv = CKR_BUFFER_TOO_SMALL; 395 goto clean1; 396 } 397 398 if (mechanism == CKM_RSA_PKCS) { 399 /* 400 * Add PKCS padding to the input data to format a block 401 * type "02" encryption block. 402 */ 403 rv = soft_encrypt_rsa_pkcs_encode(pData, ulDataLen, plain_data, 404 modulus_len); 405 406 if (rv != CKR_OK) 407 goto clean_exit; 408 } else { 409 /* Pad zeros for the leading bytes of the input data. */ 410 (void) memset(plain_data, 0x0, modulus_len - ulDataLen); 411 (void) memcpy(&plain_data[modulus_len - ulDataLen], pData, 412 ulDataLen); 413 } 414 415 rv = soft_rsa_encrypt(key, plain_data, modulus_len, cipher_data, 1); 416 if (rv == CKR_OK) { 417 (void) memcpy(pEncrypted, cipher_data, modulus_len); 418 *pulEncryptedLen = modulus_len; 419 } 420 421 clean_exit: 422 (void) pthread_mutex_lock(&session_p->session_mutex); 423 free(session_p->encrypt.context); 424 session_p->encrypt.context = NULL; 425 (void) pthread_mutex_unlock(&session_p->session_mutex); 426 soft_cleanup_object(key); 427 free(key); 428 clean1: 429 return (rv); 430 } 431 432 433 CK_RV 434 soft_rsa_decrypt_common(soft_session_t *session_p, CK_BYTE_PTR pEncrypted, 435 CK_ULONG ulEncryptedLen, CK_BYTE_PTR pData, 436 CK_ULONG_PTR pulDataLen, CK_MECHANISM_TYPE mechanism) 437 { 438 439 soft_rsa_ctx_t *rsa_ctx = session_p->decrypt.context; 440 soft_object_t *key = rsa_ctx->key; 441 uchar_t modulus[MAX_KEY_ATTR_BUFLEN]; 442 uint32_t modulus_len = sizeof (modulus); 443 CK_BYTE plain_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 444 CK_RV rv = CKR_OK; 445 446 rv = soft_get_private_attr(key, CKA_MODULUS, modulus, &modulus_len); 447 if (rv != CKR_OK) { 448 goto clean_exit; 449 } 450 451 if (ulEncryptedLen != (CK_ULONG)modulus_len) { 452 rv = CKR_ENCRYPTED_DATA_LEN_RANGE; 453 goto clean_exit; 454 } 455 456 if (pData == NULL) { 457 /* 458 * Application asks for the length of the output buffer 459 * to hold the recovered data. 460 */ 461 *pulDataLen = modulus_len; 462 rv = CKR_OK; 463 goto clean1; 464 } 465 466 if (mechanism == CKM_RSA_X_509) { 467 if (*pulDataLen < (CK_ULONG)modulus_len) { 468 *pulDataLen = modulus_len; 469 rv = CKR_BUFFER_TOO_SMALL; 470 goto clean1; 471 } 472 } 473 474 rv = soft_rsa_decrypt(key, pEncrypted, modulus_len, plain_data); 475 if (rv != CKR_OK) { 476 goto clean_exit; 477 } 478 479 if (mechanism == CKM_RSA_PKCS) { 480 int plain_len = modulus_len; 481 uint32_t num_padding; 482 483 /* Strip off the PKCS block formatting data. */ 484 rv = soft_decrypt_rsa_pkcs_decode(plain_data, &plain_len); 485 if (rv != CKR_OK) 486 goto clean_exit; 487 488 num_padding = modulus_len - plain_len; 489 if (ulEncryptedLen - num_padding > *pulDataLen) { 490 *pulDataLen = plain_len; 491 rv = CKR_BUFFER_TOO_SMALL; 492 goto clean1; 493 } 494 495 (void) memcpy(pData, &plain_data[num_padding], plain_len); 496 *pulDataLen = plain_len; 497 } else { 498 (void) memcpy(pData, plain_data, modulus_len); 499 *pulDataLen = modulus_len; 500 } 501 502 clean_exit: 503 (void) pthread_mutex_lock(&session_p->session_mutex); 504 free(session_p->decrypt.context); 505 session_p->decrypt.context = NULL; 506 (void) pthread_mutex_unlock(&session_p->session_mutex); 507 soft_cleanup_object(key); 508 free(key); 509 510 clean1: 511 return (rv); 512 } 513 514 /* 515 * Allocate a RSA context for the active sign or verify operation. 516 * This function is called without the session lock held. 517 */ 518 CK_RV 519 soft_rsa_sign_verify_init_common(soft_session_t *session_p, 520 CK_MECHANISM_PTR pMechanism, soft_object_t *key_p, 521 boolean_t sign) 522 { 523 CK_RV rv = CKR_OK; 524 soft_rsa_ctx_t *rsa_ctx; 525 CK_MECHANISM digest_mech; 526 soft_object_t *tmp_key = NULL; 527 528 if (sign) { 529 if ((key_p->class != CKO_PRIVATE_KEY) || 530 (key_p->key_type != CKK_RSA)) 531 return (CKR_KEY_TYPE_INCONSISTENT); 532 } else { 533 if ((key_p->class != CKO_PUBLIC_KEY) || 534 (key_p->key_type != CKK_RSA)) 535 return (CKR_KEY_TYPE_INCONSISTENT); 536 } 537 538 switch (pMechanism->mechanism) { 539 case CKM_MD5_RSA_PKCS: 540 digest_mech.mechanism = CKM_MD5; 541 rv = soft_digest_init_internal(session_p, &digest_mech); 542 if (rv != CKR_OK) 543 return (rv); 544 break; 545 546 case CKM_SHA1_RSA_PKCS: 547 digest_mech.mechanism = CKM_SHA_1; 548 rv = soft_digest_init_internal(session_p, &digest_mech); 549 if (rv != CKR_OK) 550 return (rv); 551 break; 552 553 case CKM_SHA256_RSA_PKCS: 554 digest_mech.mechanism = CKM_SHA256; 555 rv = soft_digest_init_internal(session_p, &digest_mech); 556 if (rv != CKR_OK) 557 return (rv); 558 break; 559 560 case CKM_SHA384_RSA_PKCS: 561 digest_mech.mechanism = CKM_SHA384; 562 rv = soft_digest_init_internal(session_p, &digest_mech); 563 if (rv != CKR_OK) 564 return (rv); 565 break; 566 567 case CKM_SHA512_RSA_PKCS: 568 digest_mech.mechanism = CKM_SHA512; 569 rv = soft_digest_init_internal(session_p, &digest_mech); 570 if (rv != CKR_OK) 571 return (rv); 572 break; 573 } 574 575 rsa_ctx = malloc(sizeof (soft_rsa_ctx_t)); 576 577 if (rsa_ctx == NULL) { 578 rv = CKR_HOST_MEMORY; 579 goto clean_exit; 580 } 581 582 (void) pthread_mutex_lock(&key_p->object_mutex); 583 rv = soft_copy_object(key_p, &tmp_key, SOFT_COPY_OBJ_ORIG_SH, 584 NULL); 585 586 if ((rv != CKR_OK) || (tmp_key == NULL)) { 587 /* Most likely we ran out of space. */ 588 (void) pthread_mutex_unlock(&key_p->object_mutex); 589 free(rsa_ctx); 590 goto clean_exit; 591 } 592 593 /* No need to hold the lock on the old object. */ 594 (void) pthread_mutex_unlock(&key_p->object_mutex); 595 rsa_ctx->key = tmp_key; 596 597 (void) pthread_mutex_lock(&session_p->session_mutex); 598 599 if (sign) { 600 session_p->sign.context = rsa_ctx; 601 session_p->sign.mech.mechanism = pMechanism->mechanism; 602 } else { 603 session_p->verify.context = rsa_ctx; 604 session_p->verify.mech.mechanism = pMechanism->mechanism; 605 } 606 607 (void) pthread_mutex_unlock(&session_p->session_mutex); 608 609 return (CKR_OK); 610 611 clean_exit: 612 (void) pthread_mutex_lock(&session_p->session_mutex); 613 if (session_p->digest.context != NULL) { 614 free(session_p->digest.context); 615 session_p->digest.context = NULL; 616 session_p->digest.flags = 0; 617 } 618 (void) pthread_mutex_unlock(&session_p->session_mutex); 619 return (rv); 620 621 } 622 623 624 CK_RV 625 soft_rsa_sign_common(soft_session_t *session_p, CK_BYTE_PTR pData, 626 CK_ULONG ulDataLen, CK_BYTE_PTR pSigned, 627 CK_ULONG_PTR pulSignedLen, CK_MECHANISM_TYPE mechanism) 628 { 629 630 CK_RV rv = CKR_OK; 631 soft_rsa_ctx_t *rsa_ctx = session_p->sign.context; 632 soft_object_t *key = rsa_ctx->key; 633 uchar_t modulus[MAX_KEY_ATTR_BUFLEN]; 634 uint32_t modulus_len = sizeof (modulus); 635 CK_BYTE plain_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 636 CK_BYTE signed_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 637 638 rv = soft_get_private_attr(key, CKA_MODULUS, modulus, &modulus_len); 639 if (rv != CKR_OK) { 640 goto clean_exit; 641 } 642 643 if (pSigned == NULL) { 644 /* Application asks for the length of the output buffer. */ 645 *pulSignedLen = modulus_len; 646 rv = CKR_OK; 647 goto clean1; 648 } 649 650 switch (mechanism) { 651 652 case CKM_RSA_PKCS: 653 654 /* 655 * Input data length needs to be <= 656 * modulus length-MIN_PKCS1_PADLEN. 657 */ 658 if (ulDataLen > ((CK_ULONG)modulus_len - MIN_PKCS1_PADLEN)) { 659 *pulSignedLen = modulus_len; 660 rv = CKR_DATA_LEN_RANGE; 661 goto clean_exit; 662 } 663 break; 664 665 case CKM_RSA_X_509: 666 667 /* Input data length needs to be <= modulus length. */ 668 if (ulDataLen > (CK_ULONG)modulus_len) { 669 *pulSignedLen = modulus_len; 670 rv = CKR_DATA_LEN_RANGE; 671 goto clean_exit; 672 } 673 break; 674 } 675 676 /* Is the application-supplied buffer large enough? */ 677 if (*pulSignedLen < (CK_ULONG)modulus_len) { 678 *pulSignedLen = modulus_len; 679 rv = CKR_BUFFER_TOO_SMALL; 680 goto clean1; 681 } 682 683 switch (mechanism) { 684 685 case CKM_RSA_PKCS: 686 case CKM_MD5_RSA_PKCS: 687 case CKM_SHA1_RSA_PKCS: 688 case CKM_SHA256_RSA_PKCS: 689 case CKM_SHA384_RSA_PKCS: 690 case CKM_SHA512_RSA_PKCS: 691 /* 692 * Add PKCS padding to the input data to format a block 693 * type "01" encryption block. 694 */ 695 rv = soft_sign_rsa_pkcs_encode(pData, ulDataLen, plain_data, 696 modulus_len); 697 698 if (rv != CKR_OK) { 699 goto clean_exit; 700 } 701 break; 702 703 case CKM_RSA_X_509: 704 705 /* Pad zeros for the leading bytes of the input data. */ 706 (void) memset(plain_data, 0x0, modulus_len - ulDataLen); 707 (void) memcpy(&plain_data[modulus_len - ulDataLen], pData, 708 ulDataLen); 709 break; 710 } 711 712 /* 713 * Perform RSA encryption with the signer's RSA private key 714 * for signature process. 715 */ 716 rv = soft_rsa_decrypt(key, plain_data, modulus_len, signed_data); 717 718 if (rv == CKR_OK) { 719 (void) memcpy(pSigned, signed_data, modulus_len); 720 *pulSignedLen = modulus_len; 721 } 722 723 clean_exit: 724 (void) pthread_mutex_lock(&session_p->session_mutex); 725 free(session_p->sign.context); 726 session_p->sign.context = NULL; 727 if (session_p->digest.context != NULL) { 728 free(session_p->digest.context); 729 session_p->digest.context = NULL; 730 session_p->digest.flags = 0; 731 } 732 (void) pthread_mutex_unlock(&session_p->session_mutex); 733 soft_cleanup_object(key); 734 free(key); 735 736 clean1: 737 return (rv); 738 } 739 740 741 CK_RV 742 soft_rsa_verify_common(soft_session_t *session_p, CK_BYTE_PTR pData, 743 CK_ULONG ulDataLen, CK_BYTE_PTR pSignature, 744 CK_ULONG ulSignatureLen, CK_MECHANISM_TYPE mechanism) 745 { 746 747 CK_RV rv = CKR_OK; 748 soft_rsa_ctx_t *rsa_ctx = session_p->verify.context; 749 soft_object_t *key = rsa_ctx->key; 750 uchar_t modulus[MAX_KEY_ATTR_BUFLEN]; 751 uint32_t modulus_len = sizeof (modulus); 752 CK_BYTE plain_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 753 754 rv = soft_get_public_attr(key, CKA_MODULUS, modulus, &modulus_len); 755 if (rv != CKR_OK) { 756 goto clean_exit; 757 } 758 759 if (ulSignatureLen != (CK_ULONG)modulus_len) { 760 rv = CKR_SIGNATURE_LEN_RANGE; 761 goto clean_exit; 762 } 763 764 /* 765 * Perform RSA decryption with the signer's RSA public key 766 * for verification process. 767 */ 768 rv = soft_rsa_encrypt(key, pSignature, modulus_len, plain_data, 1); 769 if (rv == CKR_OK) { 770 switch (mechanism) { 771 772 case CKM_RSA_PKCS: 773 case CKM_MD5_RSA_PKCS: 774 case CKM_SHA1_RSA_PKCS: 775 case CKM_SHA256_RSA_PKCS: 776 case CKM_SHA384_RSA_PKCS: 777 case CKM_SHA512_RSA_PKCS: 778 { 779 /* 780 * Strip off the encoded padding bytes in front of the 781 * recovered data, then compare the recovered data with 782 * the original data. 783 */ 784 int data_len = modulus_len; 785 786 rv = soft_verify_rsa_pkcs_decode(plain_data, &data_len); 787 if (rv != CKR_OK) { 788 goto clean_exit; 789 } 790 791 if ((CK_ULONG)data_len != ulDataLen) { 792 rv = CKR_SIGNATURE_LEN_RANGE; 793 goto clean_exit; 794 } else if (memcmp(pData, 795 &plain_data[modulus_len - data_len], 796 ulDataLen) != 0) { 797 rv = CKR_SIGNATURE_INVALID; 798 goto clean_exit; 799 } 800 break; 801 } 802 803 case CKM_RSA_X_509: 804 /* 805 * Strip off the encoded padding bytes in front of the 806 * recovered plain_data, then compare the input data 807 * with the recovered data. 808 */ 809 if (memcmp(pData, 810 plain_data + ulSignatureLen - ulDataLen, 811 ulDataLen) != 0) { 812 rv = CKR_SIGNATURE_INVALID; 813 goto clean_exit; 814 } 815 break; 816 } 817 } 818 819 if (rv == CKR_DATA_LEN_RANGE) { 820 if ((mechanism == CKM_MD5_RSA_PKCS) || 821 (mechanism == CKM_SHA1_RSA_PKCS) || 822 (mechanism == CKM_SHA256_RSA_PKCS) || 823 (mechanism == CKM_SHA384_RSA_PKCS) || 824 (mechanism == CKM_SHA512_RSA_PKCS)) 825 rv = CKR_SIGNATURE_INVALID; 826 } 827 828 clean_exit: 829 (void) pthread_mutex_lock(&session_p->session_mutex); 830 free(session_p->verify.context); 831 session_p->verify.context = NULL; 832 if (session_p->digest.context != NULL) { 833 free(session_p->digest.context); 834 session_p->digest.context = NULL; 835 session_p->digest.flags = 0; 836 } 837 (void) pthread_mutex_unlock(&session_p->session_mutex); 838 soft_cleanup_object(key); 839 free(key); 840 return (rv); 841 } 842 843 CK_RV 844 soft_genRSAkey_set_attribute(soft_object_t *key, RSAkey *rsakey, 845 CK_ATTRIBUTE_TYPE type, uint32_t modulus_len, boolean_t public) 846 { 847 848 uchar_t *buf, *buf1; 849 uint32_t buflen; 850 CK_RV rv = CKR_OK; 851 biginteger_t *dst = NULL; 852 biginteger_t src; 853 854 /* 855 * Allocate the buffer used to store the value of key fields 856 * for bignum2bytestring. Since bignum only deals with a buffer 857 * whose size is multiple of 4, modulus_len is rounded up to be 858 * multiple of 4. 859 */ 860 if ((buf1 = malloc((modulus_len + 3) & ~3)) == NULL) { 861 rv = CKR_HOST_MEMORY; 862 goto cleanexit; 863 } 864 865 buf = buf1; 866 867 switch (type) { 868 869 case CKA_MODULUS: 870 871 buflen = rsakey->n.len * (int)sizeof (uint32_t); 872 bignum2bytestring(buf, &rsakey->n, buflen); 873 if (public) 874 dst = OBJ_PUB_RSA_MOD(key); 875 else 876 dst = OBJ_PRI_RSA_MOD(key); 877 break; 878 879 case CKA_PUBLIC_EXPONENT: 880 881 buflen = rsakey->e.len * (int)sizeof (uint32_t); 882 bignum2bytestring(buf, &rsakey->e, buflen); 883 if (public) 884 dst = OBJ_PUB_RSA_PUBEXPO(key); 885 else 886 dst = OBJ_PRI_RSA_PUBEXPO(key); 887 break; 888 889 case CKA_PRIVATE_EXPONENT: 890 891 buflen = rsakey->d.len * (int)sizeof (uint32_t); 892 bignum2bytestring(buf, &rsakey->d, buflen); 893 dst = OBJ_PRI_RSA_PRIEXPO(key); 894 break; 895 896 case CKA_PRIME_1: 897 898 buflen = rsakey->q.len * (int)sizeof (uint32_t); 899 bignum2bytestring(buf, &rsakey->q, buflen); 900 dst = OBJ_PRI_RSA_PRIME1(key); 901 break; 902 903 case CKA_PRIME_2: 904 905 buflen = rsakey->p.len * (int)sizeof (uint32_t); 906 bignum2bytestring(buf, &rsakey->p, buflen); 907 dst = OBJ_PRI_RSA_PRIME2(key); 908 break; 909 910 case CKA_EXPONENT_1: 911 912 buflen = rsakey->dmodqminus1.len * (int)sizeof (uint32_t); 913 bignum2bytestring(buf, &rsakey->dmodqminus1, buflen); 914 dst = OBJ_PRI_RSA_EXPO1(key); 915 break; 916 917 case CKA_EXPONENT_2: 918 919 buflen = rsakey->dmodpminus1.len * (int)sizeof (uint32_t); 920 bignum2bytestring(buf, &rsakey->dmodpminus1, buflen); 921 dst = OBJ_PRI_RSA_EXPO2(key); 922 break; 923 924 case CKA_COEFFICIENT: 925 926 buflen = rsakey->pinvmodq.len * (int)sizeof (uint32_t); 927 bignum2bytestring(buf, &rsakey->pinvmodq, buflen); 928 dst = OBJ_PRI_RSA_COEF(key); 929 break; 930 } 931 932 while (buf[0] == 0) { /* remove proceeding 0x00 */ 933 buf++; 934 buflen--; 935 } 936 937 src.big_value_len = buflen; 938 939 if ((src.big_value = malloc(buflen)) == NULL) { 940 rv = CKR_HOST_MEMORY; 941 goto cleanexit; 942 } 943 (void) memcpy(src.big_value, buf, buflen); 944 945 /* Copy the attribute in the key object. */ 946 copy_bigint_attr(&src, dst); 947 948 cleanexit: 949 free(buf1); 950 return (rv); 951 952 } 953 954 955 CK_RV 956 generate_rsa_key(RSAkey *key, int psize, int qsize, BIGNUM * pubexp, 957 boolean_t token_obj) 958 { 959 CK_RV rv = CKR_OK; 960 961 /* EXPORT DELETE START */ 962 963 BIGNUM a, b, c, d, e, f, g, h; 964 int len, keylen, size; 965 BIG_ERR_CODE brv = BIG_OK; 966 967 size = psize + qsize; 968 keylen = (size + 31) / 32; 969 len = keylen * 2 + 1; 970 key->size = size; 971 972 a.malloced = 0; 973 b.malloced = 0; 974 c.malloced = 0; 975 d.malloced = 0; 976 e.malloced = 0; 977 f.malloced = 0; 978 g.malloced = 0; 979 h.malloced = 0; 980 981 if ((big_init(&a, len) != BIG_OK) || 982 (big_init(&b, len) != BIG_OK) || 983 (big_init(&c, len) != BIG_OK) || 984 (big_init(&d, len) != BIG_OK) || 985 (big_init(&e, len) != BIG_OK) || 986 (big_init(&f, len) != BIG_OK) || 987 (big_init(&g, len) != BIG_OK) || 988 (big_init(&h, len) != BIG_OK)) { 989 big_finish(&h); 990 big_finish(&g); 991 big_finish(&f); 992 big_finish(&e); 993 big_finish(&d); 994 big_finish(&c); 995 big_finish(&b); 996 big_finish(&a); 997 998 return (CKR_HOST_MEMORY); 999 } 1000 nextp: 1001 if ((brv = random_bignum(&a, psize, token_obj)) != BIG_OK) { 1002 goto ret; 1003 } 1004 1005 if ((brv = big_nextprime_pos(&b, &a)) != BIG_OK) { 1006 goto ret; 1007 } 1008 (void) big_sub_pos(&a, &b, &One); 1009 if ((brv = big_ext_gcd_pos(&f, &d, &g, pubexp, &a)) != BIG_OK) { 1010 goto ret; 1011 } 1012 if (big_cmp_abs(&f, &One) != 0) { 1013 goto nextp; 1014 } 1015 1016 if ((brv = random_bignum(&c, qsize, token_obj)) != BIG_OK) { 1017 goto ret; 1018 } 1019 1020 nextq: 1021 (void) big_add(&a, &c, &Two); 1022 1023 if (big_bitlength(&a) != qsize) { 1024 goto nextp; 1025 } 1026 if (big_cmp_abs(&a, &b) == 0) { 1027 goto nextp; 1028 } 1029 if ((brv = big_nextprime_pos(&c, &a)) != BIG_OK) { 1030 goto ret; 1031 } 1032 if ((brv = big_mul(&g, &b, &c)) != BIG_OK) { 1033 goto ret; 1034 } 1035 if (big_bitlength(&g) != size) { 1036 goto nextp; 1037 } 1038 1039 (void) big_sub_pos(&a, &b, &One); 1040 (void) big_sub_pos(&d, &c, &One); 1041 1042 if ((brv = big_mul(&a, &a, &d)) != BIG_OK) { 1043 goto ret; 1044 } 1045 if ((brv = big_ext_gcd_pos(&f, &d, &h, pubexp, &a)) != BIG_OK) { 1046 goto ret; 1047 } 1048 if (big_cmp_abs(&f, &One) != 0) { 1049 goto nextq; 1050 } else { 1051 (void) big_copy(&e, pubexp); 1052 } 1053 if (d.sign == -1) { 1054 if ((brv = big_add(&d, &d, &a)) != BIG_OK) { 1055 goto ret; 1056 } 1057 } 1058 (void) big_copy(&(key->p), &b); 1059 (void) big_copy(&(key->q), &c); 1060 (void) big_copy(&(key->n), &g); 1061 (void) big_copy(&(key->d), &d); 1062 (void) big_copy(&(key->e), &e); 1063 1064 if ((brv = big_ext_gcd_pos(&a, &f, &h, &b, &c)) != BIG_OK) { 1065 goto ret; 1066 } 1067 if (f.sign == -1) { 1068 if ((brv = big_add(&f, &f, &c)) != BIG_OK) { 1069 goto ret; 1070 } 1071 } 1072 (void) big_copy(&(key->pinvmodq), &f); 1073 1074 (void) big_sub(&a, &b, &One); 1075 if ((brv = big_div_pos(&a, &f, &d, &a)) != BIG_OK) { 1076 goto ret; 1077 } 1078 (void) big_copy(&(key->dmodpminus1), &f); 1079 (void) big_sub(&a, &c, &One); 1080 if ((brv = big_div_pos(&a, &f, &d, &a)) != BIG_OK) { 1081 goto ret; 1082 } 1083 (void) big_copy(&(key->dmodqminus1), &f); 1084 1085 if ((brv = random_bignum(&h, size, token_obj)) != BIG_OK) { 1086 goto ret; 1087 } 1088 if ((brv = big_div_pos(&a, &h, &h, &g)) != BIG_OK) { 1089 goto ret; 1090 } 1091 if ((brv = big_modexp(&a, &h, &d, &g, NULL)) != BIG_OK) { 1092 goto ret; 1093 } 1094 1095 if ((brv = big_modexp(&b, &a, &e, &g, NULL)) != BIG_OK) { 1096 goto ret; 1097 } 1098 1099 if (big_cmp_abs(&b, &h) != 0) { 1100 rv = generate_rsa_key(key, psize, qsize, pubexp, token_obj); 1101 goto ret1; 1102 } else { 1103 brv = BIG_OK; 1104 } 1105 1106 ret: 1107 rv = convert_rv(brv); 1108 ret1: 1109 big_finish(&h); 1110 big_finish(&g); 1111 big_finish(&f); 1112 big_finish(&e); 1113 big_finish(&d); 1114 big_finish(&c); 1115 big_finish(&b); 1116 big_finish(&a); 1117 1118 /* EXPORT DELETE END */ 1119 1120 return (rv); 1121 } 1122 1123 1124 CK_RV 1125 soft_rsa_genkey_pair(soft_object_t *pubkey, soft_object_t *prikey) 1126 { 1127 1128 CK_RV rv = CKR_OK; 1129 uint32_t modulus_len; 1130 uchar_t pub_expo[MAX_KEY_ATTR_BUFLEN]; 1131 uint32_t pub_expo_len = sizeof (pub_expo); 1132 BIGNUM public_exponent = {0}; 1133 RSAkey rsakey = {0}; 1134 CK_ATTRIBUTE template; 1135 1136 if ((pubkey == NULL) || (prikey == NULL)) { 1137 return (CKR_ARGUMENTS_BAD); 1138 } 1139 1140 template.pValue = malloc(sizeof (CK_ULONG)); 1141 1142 if (template.pValue == NULL) { 1143 return (CKR_HOST_MEMORY); 1144 } 1145 1146 template.ulValueLen = sizeof (CK_ULONG); 1147 1148 rv = get_ulong_attr_from_object(OBJ_PUB_RSA_MOD_BITS(pubkey), 1149 &template); 1150 1151 if (rv != CKR_OK) { 1152 goto clean0; 1153 } 1154 1155 #ifdef __sparcv9 1156 /* LINTED */ 1157 modulus_len = (uint32_t)(*((CK_ULONG *)(template.pValue))); 1158 #else /* !__sparcv9 */ 1159 modulus_len = *((CK_ULONG *)(template.pValue)); 1160 #endif /* __sparcv9 */ 1161 1162 /* Convert modulus length from bit length to byte length. */ 1163 modulus_len = (modulus_len + 7) / 8; 1164 1165 /* Modulus length needs to be between min key size and max key size. */ 1166 if ((modulus_len < MIN_RSA_KEYLENGTH_IN_BYTES) || 1167 (modulus_len > MAX_RSA_KEYLENGTH_IN_BYTES)) { 1168 rv = CKR_ATTRIBUTE_VALUE_INVALID; 1169 goto clean0; 1170 } 1171 1172 rv = soft_get_public_attr(pubkey, CKA_PUBLIC_EXPONENT, pub_expo, 1173 &pub_expo_len); 1174 if (rv != CKR_OK) { 1175 goto clean0; 1176 } 1177 1178 /* Create a public exponent in bignum format. */ 1179 if (big_init(&public_exponent, (modulus_len + 3)/4) != BIG_OK) { 1180 rv = CKR_HOST_MEMORY; 1181 goto clean0; 1182 } 1183 bytestring2bignum(&public_exponent, pub_expo, pub_expo_len); 1184 1185 if (RSA_key_init(&rsakey, modulus_len * 4, modulus_len * 4) != BIG_OK) { 1186 rv = CKR_HOST_MEMORY; 1187 goto clean2; 1188 } 1189 1190 /* Generate RSA key pair. */ 1191 if ((rv = generate_rsa_key(&rsakey, modulus_len * 4, modulus_len * 4, 1192 &public_exponent, (IS_TOKEN_OBJECT(pubkey) || 1193 IS_TOKEN_OBJECT(prikey)))) != CKR_OK) { 1194 goto clean3; 1195 } 1196 1197 /* 1198 * Add modulus in public template, and add all eight key fields 1199 * in private template. 1200 */ 1201 if ((rv = soft_genRSAkey_set_attribute(pubkey, &rsakey, 1202 CKA_MODULUS, modulus_len, B_TRUE)) != CKR_OK) { 1203 goto clean3; 1204 } 1205 1206 if ((rv = soft_genRSAkey_set_attribute(prikey, &rsakey, 1207 CKA_MODULUS, modulus_len, B_FALSE)) != CKR_OK) { 1208 goto clean3; 1209 } 1210 1211 if ((rv = soft_genRSAkey_set_attribute(prikey, &rsakey, 1212 CKA_PRIVATE_EXPONENT, modulus_len, B_FALSE)) != CKR_OK) { 1213 goto clean3; 1214 } 1215 1216 if ((rv = soft_genRSAkey_set_attribute(prikey, &rsakey, 1217 CKA_PUBLIC_EXPONENT, modulus_len, B_FALSE)) != CKR_OK) { 1218 goto clean3; 1219 } 1220 1221 if ((rv = soft_genRSAkey_set_attribute(prikey, &rsakey, 1222 CKA_PRIME_1, modulus_len, B_FALSE)) != CKR_OK) { 1223 goto clean3; 1224 } 1225 1226 if ((rv = soft_genRSAkey_set_attribute(prikey, &rsakey, 1227 CKA_PRIME_2, modulus_len, B_FALSE)) != CKR_OK) { 1228 goto clean3; 1229 } 1230 1231 if ((rv = soft_genRSAkey_set_attribute(prikey, &rsakey, 1232 CKA_EXPONENT_1, modulus_len, B_FALSE)) != CKR_OK) { 1233 goto clean3; 1234 } 1235 1236 if ((rv = soft_genRSAkey_set_attribute(prikey, &rsakey, 1237 CKA_EXPONENT_2, modulus_len, B_FALSE)) != CKR_OK) { 1238 goto clean3; 1239 } 1240 1241 if ((rv = soft_genRSAkey_set_attribute(prikey, &rsakey, 1242 CKA_COEFFICIENT, modulus_len, B_FALSE)) != CKR_OK) { 1243 goto clean3; 1244 } 1245 1246 clean3: 1247 RSA_key_finish(&rsakey); 1248 clean2: 1249 big_finish(&public_exponent); 1250 clean0: 1251 free(template.pValue); 1252 1253 return (rv); 1254 } 1255 1256 CK_RV 1257 soft_rsa_digest_sign_common(soft_session_t *session_p, CK_BYTE_PTR pData, 1258 CK_ULONG ulDataLen, CK_BYTE_PTR pSigned, 1259 CK_ULONG_PTR pulSignedLen, CK_MECHANISM_TYPE mechanism, boolean_t Final) 1260 { 1261 1262 CK_RV rv = CKR_OK; 1263 CK_BYTE hash[SHA512_DIGEST_LENGTH]; /* space enough for all mechs */ 1264 CK_ULONG hash_len = SHA512_DIGEST_LENGTH; 1265 /* space enough for all mechs */ 1266 CK_BYTE der_data[SHA512_DIGEST_LENGTH + SHA2_DER_PREFIX_Len]; 1267 CK_ULONG der_data_len; 1268 soft_rsa_ctx_t *rsa_ctx = session_p->sign.context; 1269 soft_object_t *key = rsa_ctx->key; 1270 uchar_t modulus[MAX_KEY_ATTR_BUFLEN]; 1271 uint32_t modulus_len = sizeof (modulus); 1272 1273 rv = soft_get_private_attr(key, CKA_MODULUS, modulus, &modulus_len); 1274 if (rv != CKR_OK) { 1275 (void) pthread_mutex_lock(&session_p->session_mutex); 1276 free(session_p->digest.context); 1277 session_p->digest.context = NULL; 1278 session_p->digest.flags = 0; 1279 (void) pthread_mutex_unlock(&session_p->session_mutex); 1280 soft_cleanup_object(key); 1281 free(key); 1282 goto clean1; 1283 } 1284 1285 /* Check arguments before performing message digest. */ 1286 if (pSigned == NULL) { 1287 /* Application asks for the length of the output buffer. */ 1288 *pulSignedLen = modulus_len; 1289 rv = CKR_OK; 1290 goto clean1; 1291 } 1292 1293 /* Is the application-supplied buffer large enough? */ 1294 if (*pulSignedLen < (CK_ULONG)modulus_len) { 1295 *pulSignedLen = modulus_len; 1296 rv = CKR_BUFFER_TOO_SMALL; 1297 goto clean1; 1298 } 1299 1300 if (Final) { 1301 rv = soft_digest_final(session_p, hash, &hash_len); 1302 } else { 1303 rv = soft_digest(session_p, pData, ulDataLen, hash, &hash_len); 1304 } 1305 1306 if (rv != CKR_OK) { 1307 /* free the signature key */ 1308 soft_cleanup_object(key); 1309 free(key); 1310 goto clean_exit; 1311 } 1312 1313 /* 1314 * Prepare the DER encoding of the DigestInfo value as follows: 1315 * MD5: MD5_DER_PREFIX || H 1316 * SHA-1: SHA1_DER_PREFIX || H 1317 * SHA2: SHA2_DER_PREFIX || H 1318 * 1319 * See rsa_impl.c for more details. 1320 */ 1321 switch (session_p->digest.mech.mechanism) { 1322 case CKM_MD5: 1323 (void) memcpy(der_data, MD5_DER_PREFIX, MD5_DER_PREFIX_Len); 1324 (void) memcpy(der_data + MD5_DER_PREFIX_Len, hash, hash_len); 1325 der_data_len = MD5_DER_PREFIX_Len + hash_len; 1326 break; 1327 case CKM_SHA_1: 1328 (void) memcpy(der_data, SHA1_DER_PREFIX, SHA1_DER_PREFIX_Len); 1329 (void) memcpy(der_data + SHA1_DER_PREFIX_Len, hash, hash_len); 1330 der_data_len = SHA1_DER_PREFIX_Len + hash_len; 1331 break; 1332 case CKM_SHA256: 1333 (void) memcpy(der_data, SHA256_DER_PREFIX, 1334 SHA2_DER_PREFIX_Len); 1335 (void) memcpy(der_data + SHA2_DER_PREFIX_Len, hash, hash_len); 1336 der_data_len = SHA2_DER_PREFIX_Len + hash_len; 1337 break; 1338 case CKM_SHA384: 1339 (void) memcpy(der_data, SHA384_DER_PREFIX, 1340 SHA2_DER_PREFIX_Len); 1341 (void) memcpy(der_data + SHA2_DER_PREFIX_Len, hash, hash_len); 1342 der_data_len = SHA2_DER_PREFIX_Len + hash_len; 1343 break; 1344 case CKM_SHA512: 1345 (void) memcpy(der_data, SHA512_DER_PREFIX, 1346 SHA2_DER_PREFIX_Len); 1347 (void) memcpy(der_data + SHA2_DER_PREFIX_Len, hash, hash_len); 1348 der_data_len = SHA2_DER_PREFIX_Len + hash_len; 1349 break; 1350 } 1351 1352 /* 1353 * Now, we are ready to sign the DER_ENCODED data 1354 * soft_rsa_sign_common() will free the signature key. 1355 */ 1356 rv = soft_rsa_sign_common(session_p, der_data, der_data_len, 1357 pSigned, pulSignedLen, mechanism); 1358 1359 clean_exit: 1360 (void) pthread_mutex_lock(&session_p->session_mutex); 1361 /* soft_digest_common() has freed the digest context */ 1362 session_p->digest.flags = 0; 1363 (void) pthread_mutex_unlock(&session_p->session_mutex); 1364 1365 clean1: 1366 return (rv); 1367 } 1368 1369 1370 CK_RV 1371 soft_rsa_digest_verify_common(soft_session_t *session_p, CK_BYTE_PTR pData, 1372 CK_ULONG ulDataLen, CK_BYTE_PTR pSigned, 1373 CK_ULONG ulSignedLen, CK_MECHANISM_TYPE mechanism, boolean_t Final) 1374 { 1375 1376 CK_RV rv = CKR_OK; 1377 CK_BYTE hash[SHA512_DIGEST_LENGTH]; /* space for all mechs */ 1378 CK_ULONG hash_len = SHA512_DIGEST_LENGTH; 1379 CK_BYTE der_data[SHA512_DIGEST_LENGTH + SHA2_DER_PREFIX_Len]; 1380 CK_ULONG der_data_len; 1381 soft_rsa_ctx_t *rsa_ctx = session_p->verify.context; 1382 soft_object_t *key = rsa_ctx->key; 1383 1384 if (Final) { 1385 rv = soft_digest_final(session_p, hash, &hash_len); 1386 } else { 1387 rv = soft_digest(session_p, pData, ulDataLen, hash, &hash_len); 1388 } 1389 1390 if (rv != CKR_OK) { 1391 /* free the verification key */ 1392 soft_cleanup_object(key); 1393 free(key); 1394 goto clean_exit; 1395 } 1396 1397 /* 1398 * Prepare the DER encoding of the DigestInfo value as follows: 1399 * MD5: MD5_DER_PREFIX || H 1400 * SHA-1: SHA1_DER_PREFIX || H 1401 * SHA2: SHA2_DER_PREFIX || H 1402 * 1403 * See rsa_impl.c for more details. 1404 */ 1405 switch (session_p->digest.mech.mechanism) { 1406 case CKM_MD5: 1407 (void) memcpy(der_data, MD5_DER_PREFIX, MD5_DER_PREFIX_Len); 1408 (void) memcpy(der_data + MD5_DER_PREFIX_Len, hash, hash_len); 1409 der_data_len = MD5_DER_PREFIX_Len + hash_len; 1410 break; 1411 case CKM_SHA_1: 1412 (void) memcpy(der_data, SHA1_DER_PREFIX, SHA1_DER_PREFIX_Len); 1413 (void) memcpy(der_data + SHA1_DER_PREFIX_Len, hash, hash_len); 1414 der_data_len = SHA1_DER_PREFIX_Len + hash_len; 1415 break; 1416 case CKM_SHA256: 1417 (void) memcpy(der_data, SHA256_DER_PREFIX, 1418 SHA2_DER_PREFIX_Len); 1419 (void) memcpy(der_data + SHA2_DER_PREFIX_Len, hash, hash_len); 1420 der_data_len = SHA2_DER_PREFIX_Len + hash_len; 1421 break; 1422 case CKM_SHA384: 1423 (void) memcpy(der_data, SHA384_DER_PREFIX, 1424 SHA2_DER_PREFIX_Len); 1425 (void) memcpy(der_data + SHA2_DER_PREFIX_Len, hash, hash_len); 1426 der_data_len = SHA2_DER_PREFIX_Len + hash_len; 1427 break; 1428 case CKM_SHA512: 1429 (void) memcpy(der_data, SHA512_DER_PREFIX, 1430 SHA2_DER_PREFIX_Len); 1431 (void) memcpy(der_data + SHA2_DER_PREFIX_Len, hash, hash_len); 1432 der_data_len = SHA2_DER_PREFIX_Len + hash_len; 1433 break; 1434 } 1435 1436 /* 1437 * Now, we are ready to verify the DER_ENCODED data using signature. 1438 * soft_rsa_verify_common() will free the verification key. 1439 */ 1440 rv = soft_rsa_verify_common(session_p, der_data, der_data_len, 1441 pSigned, ulSignedLen, mechanism); 1442 1443 clean_exit: 1444 (void) pthread_mutex_lock(&session_p->session_mutex); 1445 /* soft_digest_common() has freed the digest context */ 1446 session_p->digest.flags = 0; 1447 (void) pthread_mutex_unlock(&session_p->session_mutex); 1448 1449 return (rv); 1450 1451 } 1452 1453 1454 CK_RV 1455 soft_rsa_verify_recover(soft_session_t *session_p, CK_BYTE_PTR pSignature, 1456 CK_ULONG ulSignatureLen, CK_BYTE_PTR pData, CK_ULONG_PTR pulDataLen) 1457 { 1458 1459 CK_RV rv = CKR_OK; 1460 soft_rsa_ctx_t *rsa_ctx = session_p->verify.context; 1461 CK_MECHANISM_TYPE mechanism = session_p->verify.mech.mechanism; 1462 soft_object_t *key = rsa_ctx->key; 1463 uchar_t modulus[MAX_KEY_ATTR_BUFLEN]; 1464 uint32_t modulus_len = sizeof (modulus); 1465 CK_BYTE plain_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 1466 1467 rv = soft_get_public_attr(key, CKA_MODULUS, modulus, &modulus_len); 1468 if (rv != CKR_OK) { 1469 goto clean_exit; 1470 } 1471 1472 if (ulSignatureLen != (CK_ULONG)modulus_len) { 1473 rv = CKR_SIGNATURE_LEN_RANGE; 1474 goto clean_exit; 1475 } 1476 1477 /* 1478 * Perform RSA decryption with the signer's RSA public key 1479 * for verification process. 1480 */ 1481 rv = soft_rsa_encrypt(key, pSignature, modulus_len, plain_data, 1); 1482 if (rv == CKR_OK) { 1483 switch (mechanism) { 1484 1485 case CKM_RSA_PKCS: 1486 { 1487 /* 1488 * Strip off the encoded padding bytes in front of the 1489 * recovered data. 1490 */ 1491 int data_len = modulus_len; 1492 1493 rv = soft_verify_rsa_pkcs_decode(plain_data, &data_len); 1494 if (rv != CKR_OK) { 1495 goto clean_exit; 1496 } 1497 1498 /* 1499 * If application asks for the length of the output 1500 * buffer? 1501 */ 1502 if (pData == NULL) { 1503 *pulDataLen = data_len; 1504 rv = CKR_OK; 1505 goto clean1; 1506 } 1507 1508 /* Is the application-supplied buffer large enough? */ 1509 if (*pulDataLen < (CK_ULONG)data_len) { 1510 *pulDataLen = data_len; 1511 rv = CKR_BUFFER_TOO_SMALL; 1512 goto clean1; 1513 } 1514 1515 (void) memcpy(pData, 1516 &plain_data[modulus_len - data_len], data_len); 1517 *pulDataLen = data_len; 1518 1519 break; 1520 } 1521 1522 case CKM_RSA_X_509: 1523 /* 1524 * If application asks for the length of the output 1525 * buffer? 1526 */ 1527 if (pData == NULL) { 1528 *pulDataLen = modulus_len; 1529 rv = CKR_OK; 1530 goto clean1; 1531 } 1532 1533 /* Is the application-supplied buffer large enough? */ 1534 if (*pulDataLen < (CK_ULONG)modulus_len) { 1535 *pulDataLen = modulus_len; 1536 rv = CKR_BUFFER_TOO_SMALL; 1537 goto clean1; 1538 } 1539 1540 (void) memcpy(pData, plain_data, modulus_len); 1541 *pulDataLen = modulus_len; 1542 1543 break; 1544 } 1545 } 1546 1547 clean_exit: 1548 (void) pthread_mutex_lock(&session_p->session_mutex); 1549 free(session_p->verify.context); 1550 session_p->verify.context = NULL; 1551 (void) pthread_mutex_unlock(&session_p->session_mutex); 1552 soft_cleanup_object(key); 1553 free(key); 1554 1555 clean1: 1556 return (rv); 1557 } 1558