1 /* $OpenBSD: rsa_ameth.c,v 1.62 2024/11/02 07:11:14 tb Exp $ */ 2 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 3 * project 2006. 4 */ 5 /* ==================================================================== 6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in 17 * the documentation and/or other materials provided with the 18 * distribution. 19 * 20 * 3. All advertising materials mentioning features or use of this 21 * software must display the following acknowledgment: 22 * "This product includes software developed by the OpenSSL Project 23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 24 * 25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 26 * endorse or promote products derived from this software without 27 * prior written permission. For written permission, please contact 28 * licensing@OpenSSL.org. 29 * 30 * 5. Products derived from this software may not be called "OpenSSL" 31 * nor may "OpenSSL" appear in their names without prior written 32 * permission of the OpenSSL Project. 33 * 34 * 6. Redistributions of any form whatsoever must retain the following 35 * acknowledgment: 36 * "This product includes software developed by the OpenSSL Project 37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 38 * 39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 50 * OF THE POSSIBILITY OF SUCH DAMAGE. 51 * ==================================================================== 52 * 53 * This product includes cryptographic software written by Eric Young 54 * (eay@cryptsoft.com). This product includes software written by Tim 55 * Hudson (tjh@cryptsoft.com). 56 * 57 */ 58 59 #include <stdint.h> 60 #include <stdio.h> 61 #include <stdlib.h> 62 63 #include <openssl/opensslconf.h> 64 65 #include <openssl/asn1.h> 66 #include <openssl/bio.h> 67 #include <openssl/bn.h> 68 #include <openssl/cms.h> 69 #include <openssl/err.h> 70 #include <openssl/evp.h> 71 #include <openssl/objects.h> 72 #include <openssl/pkcs7.h> 73 #include <openssl/rsa.h> 74 #include <openssl/sha.h> 75 #include <openssl/x509.h> 76 77 #include "asn1_local.h" 78 #include "bn_local.h" 79 #include "evp_local.h" 80 #include "rsa_local.h" 81 #include "x509_local.h" 82 83 #ifndef OPENSSL_NO_CMS 84 static int rsa_cms_sign(CMS_SignerInfo *si); 85 static int rsa_cms_verify(CMS_SignerInfo *si); 86 static int rsa_cms_decrypt(CMS_RecipientInfo *ri); 87 static int rsa_cms_encrypt(CMS_RecipientInfo *ri); 88 #endif 89 90 static RSA_PSS_PARAMS *rsa_pss_decode(const X509_ALGOR *alg); 91 92 static int rsa_alg_set_pkcs1_padding(X509_ALGOR *alg); 93 94 /* Set any parameters associated with pkey */ 95 static int 96 rsa_param_encode(const EVP_PKEY *pkey, ASN1_STRING **pstr, int *pstrtype) 97 { 98 const RSA *rsa = pkey->pkey.rsa; 99 100 *pstr = NULL; 101 102 /* If RSA it's just NULL type */ 103 if (pkey->ameth->pkey_id != EVP_PKEY_RSA_PSS) { 104 *pstrtype = V_ASN1_NULL; 105 return 1; 106 } 107 108 /* If no PSS parameters we omit parameters entirely */ 109 if (rsa->pss == NULL) { 110 *pstrtype = V_ASN1_UNDEF; 111 return 1; 112 } 113 114 /* Encode PSS parameters */ 115 if (ASN1_item_pack(rsa->pss, &RSA_PSS_PARAMS_it, pstr) == NULL) 116 return 0; 117 118 *pstrtype = V_ASN1_SEQUENCE; 119 return 1; 120 } 121 122 /* Decode any parameters and set them in RSA structure */ 123 static int 124 rsa_param_decode(RSA *rsa, const X509_ALGOR *alg) 125 { 126 const ASN1_OBJECT *algoid; 127 const void *algp; 128 int algptype; 129 130 X509_ALGOR_get0(&algoid, &algptype, &algp, alg); 131 if (OBJ_obj2nid(algoid) != EVP_PKEY_RSA_PSS) 132 return 1; 133 if (algptype == V_ASN1_UNDEF) 134 return 1; 135 if (algptype != V_ASN1_SEQUENCE) { 136 RSAerror(RSA_R_INVALID_PSS_PARAMETERS); 137 return 0; 138 } 139 rsa->pss = rsa_pss_decode(alg); 140 if (rsa->pss == NULL) 141 return 0; 142 return 1; 143 } 144 145 static int 146 rsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey) 147 { 148 ASN1_STRING *str = NULL; 149 int strtype; 150 unsigned char *penc = NULL; 151 int penclen = 0; 152 ASN1_OBJECT *aobj; 153 154 if (!rsa_param_encode(pkey, &str, &strtype)) 155 goto err; 156 if ((penclen = i2d_RSAPublicKey(pkey->pkey.rsa, &penc)) <= 0) { 157 penclen = 0; 158 goto err; 159 } 160 if ((aobj = OBJ_nid2obj(pkey->ameth->pkey_id)) == NULL) 161 goto err; 162 if (!X509_PUBKEY_set0_param(pk, aobj, strtype, str, penc, penclen)) 163 goto err; 164 165 return 1; 166 167 err: 168 ASN1_STRING_free(str); 169 freezero(penc, penclen); 170 171 return 0; 172 } 173 174 static int 175 rsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey) 176 { 177 const unsigned char *p; 178 int pklen; 179 X509_ALGOR *alg; 180 RSA *rsa = NULL; 181 182 if (!X509_PUBKEY_get0_param(NULL, &p, &pklen, &alg, pubkey)) 183 return 0; 184 if ((rsa = d2i_RSAPublicKey(NULL, &p, pklen)) == NULL) { 185 RSAerror(ERR_R_RSA_LIB); 186 return 0; 187 } 188 if (!rsa_param_decode(rsa, alg)) { 189 RSA_free(rsa); 190 return 0; 191 } 192 if (!EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa)) { 193 RSA_free(rsa); 194 return 0; 195 } 196 return 1; 197 } 198 199 static int 200 rsa_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b) 201 { 202 if (BN_cmp(b->pkey.rsa->n, a->pkey.rsa->n) != 0 || 203 BN_cmp(b->pkey.rsa->e, a->pkey.rsa->e) != 0) 204 return 0; 205 206 return 1; 207 } 208 209 static int 210 old_rsa_priv_decode(EVP_PKEY *pkey, const unsigned char **pder, int derlen) 211 { 212 RSA *rsa; 213 int ret = 0; 214 215 if ((rsa = d2i_RSAPrivateKey(NULL, pder, derlen)) == NULL) { 216 RSAerror(ERR_R_RSA_LIB); 217 goto err; 218 } 219 if (!EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa)) 220 goto err; 221 rsa = NULL; 222 223 ret = 1; 224 225 err: 226 RSA_free(rsa); 227 228 return ret; 229 } 230 231 static int 232 old_rsa_priv_encode(const EVP_PKEY *pkey, unsigned char **pder) 233 { 234 return i2d_RSAPrivateKey(pkey->pkey.rsa, pder); 235 } 236 237 static int 238 rsa_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey) 239 { 240 ASN1_STRING *str = NULL; 241 ASN1_OBJECT *aobj; 242 int strtype; 243 unsigned char *rk = NULL; 244 int rklen = 0; 245 246 if (!rsa_param_encode(pkey, &str, &strtype)) 247 goto err; 248 if ((rklen = i2d_RSAPrivateKey(pkey->pkey.rsa, &rk)) <= 0) { 249 RSAerror(ERR_R_MALLOC_FAILURE); 250 rklen = 0; 251 goto err; 252 } 253 if ((aobj = OBJ_nid2obj(pkey->ameth->pkey_id)) == NULL) 254 goto err; 255 if (!PKCS8_pkey_set0(p8, aobj, 0, strtype, str, rk, rklen)) { 256 RSAerror(ERR_R_MALLOC_FAILURE); 257 goto err; 258 } 259 260 return 1; 261 262 err: 263 ASN1_STRING_free(str); 264 freezero(rk, rklen); 265 266 return 0; 267 } 268 269 static int 270 rsa_priv_decode(EVP_PKEY *pkey, const PKCS8_PRIV_KEY_INFO *p8) 271 { 272 const unsigned char *p; 273 RSA *rsa = NULL; 274 int pklen; 275 const X509_ALGOR *alg; 276 int ret = 0; 277 278 if (!PKCS8_pkey_get0(NULL, &p, &pklen, &alg, p8)) 279 goto err; 280 if ((rsa = d2i_RSAPrivateKey(NULL, &p, pklen)) == NULL) 281 goto err; 282 if (!rsa_param_decode(rsa, alg)) 283 goto err; 284 if (!EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa)) 285 goto err; 286 rsa = NULL; 287 288 ret = 1; 289 290 err: 291 RSA_free(rsa); 292 293 return ret; 294 } 295 296 static int 297 rsa_size(const EVP_PKEY *pkey) 298 { 299 return RSA_size(pkey->pkey.rsa); 300 } 301 302 static int 303 rsa_bits(const EVP_PKEY *pkey) 304 { 305 return BN_num_bits(pkey->pkey.rsa->n); 306 } 307 308 static int 309 rsa_security_bits(const EVP_PKEY *pkey) 310 { 311 return RSA_security_bits(pkey->pkey.rsa); 312 } 313 314 static void 315 rsa_free(EVP_PKEY *pkey) 316 { 317 RSA_free(pkey->pkey.rsa); 318 } 319 320 static X509_ALGOR * 321 rsa_mgf1_decode(X509_ALGOR *alg) 322 { 323 if (OBJ_obj2nid(alg->algorithm) != NID_mgf1) 324 return NULL; 325 326 return ASN1_TYPE_unpack_sequence(&X509_ALGOR_it, alg->parameter); 327 } 328 329 static RSA_PSS_PARAMS * 330 rsa_pss_decode(const X509_ALGOR *alg) 331 { 332 RSA_PSS_PARAMS *pss; 333 334 pss = ASN1_TYPE_unpack_sequence(&RSA_PSS_PARAMS_it, alg->parameter); 335 if (pss == NULL) 336 return NULL; 337 338 if (pss->maskGenAlgorithm != NULL) { 339 pss->maskHash = rsa_mgf1_decode(pss->maskGenAlgorithm); 340 if (pss->maskHash == NULL) { 341 RSA_PSS_PARAMS_free(pss); 342 return NULL; 343 } 344 } 345 346 return pss; 347 } 348 349 static int 350 rsa_pss_param_print(BIO *bp, int pss_key, RSA_PSS_PARAMS *pss, int indent) 351 { 352 int rv = 0; 353 X509_ALGOR *maskHash = NULL; 354 355 if (!BIO_indent(bp, indent, 128)) 356 goto err; 357 if (pss_key) { 358 if (pss == NULL) { 359 if (BIO_puts(bp, "No PSS parameter restrictions\n") <= 0) 360 return 0; 361 return 1; 362 } else { 363 if (BIO_puts(bp, "PSS parameter restrictions:") <= 0) 364 return 0; 365 } 366 } else if (pss == NULL) { 367 if (BIO_puts(bp,"(INVALID PSS PARAMETERS)\n") <= 0) 368 return 0; 369 return 1; 370 } 371 if (BIO_puts(bp, "\n") <= 0) 372 goto err; 373 if (pss_key) 374 indent += 2; 375 if (!BIO_indent(bp, indent, 128)) 376 goto err; 377 if (BIO_puts(bp, "Hash Algorithm: ") <= 0) 378 goto err; 379 380 if (pss->hashAlgorithm) { 381 if (i2a_ASN1_OBJECT(bp, pss->hashAlgorithm->algorithm) <= 0) 382 goto err; 383 } else if (BIO_puts(bp, "sha1 (default)") <= 0) { 384 goto err; 385 } 386 387 if (BIO_puts(bp, "\n") <= 0) 388 goto err; 389 390 if (!BIO_indent(bp, indent, 128)) 391 goto err; 392 393 if (BIO_puts(bp, "Mask Algorithm: ") <= 0) 394 goto err; 395 if (pss->maskGenAlgorithm) { 396 if (i2a_ASN1_OBJECT(bp, pss->maskGenAlgorithm->algorithm) <= 0) 397 goto err; 398 if (BIO_puts(bp, " with ") <= 0) 399 goto err; 400 maskHash = rsa_mgf1_decode(pss->maskGenAlgorithm); 401 if (maskHash != NULL) { 402 if (i2a_ASN1_OBJECT(bp, maskHash->algorithm) <= 0) 403 goto err; 404 } else if (BIO_puts(bp, "INVALID") <= 0) { 405 goto err; 406 } 407 } else if (BIO_puts(bp, "mgf1 with sha1 (default)") <= 0) { 408 goto err; 409 } 410 BIO_puts(bp, "\n"); 411 412 if (!BIO_indent(bp, indent, 128)) 413 goto err; 414 if (BIO_printf(bp, "%s Salt Length: 0x", pss_key ? "Minimum" : "") <= 0) 415 goto err; 416 if (pss->saltLength) { 417 if (i2a_ASN1_INTEGER(bp, pss->saltLength) <= 0) 418 goto err; 419 } else if (BIO_puts(bp, "14 (default)") <= 0) { 420 goto err; 421 } 422 BIO_puts(bp, "\n"); 423 424 if (!BIO_indent(bp, indent, 128)) 425 goto err; 426 if (BIO_puts(bp, "Trailer Field: 0x") <= 0) 427 goto err; 428 if (pss->trailerField) { 429 if (i2a_ASN1_INTEGER(bp, pss->trailerField) <= 0) 430 goto err; 431 } else if (BIO_puts(bp, "BC (default)") <= 0) { 432 goto err; 433 } 434 BIO_puts(bp, "\n"); 435 436 rv = 1; 437 438 err: 439 X509_ALGOR_free(maskHash); 440 return rv; 441 442 } 443 444 static int 445 pkey_rsa_print(BIO *bp, const EVP_PKEY *pkey, int off, int priv) 446 { 447 const RSA *x = pkey->pkey.rsa; 448 char *str; 449 const char *s; 450 int ret = 0, mod_len = 0; 451 452 if (x->n != NULL) 453 mod_len = BN_num_bits(x->n); 454 455 if (!BIO_indent(bp, off, 128)) 456 goto err; 457 458 if (BIO_printf(bp, "%s ", 459 pkey->ameth->pkey_id == EVP_PKEY_RSA_PSS ? "RSA-PSS" : "RSA") <= 0) 460 goto err; 461 462 if (priv && x->d != NULL) { 463 if (BIO_printf(bp, "Private-Key: (%d bit)\n", mod_len) <= 0) 464 goto err; 465 str = "modulus:"; 466 s = "publicExponent:"; 467 } else { 468 if (BIO_printf(bp, "Public-Key: (%d bit)\n", mod_len) <= 0) 469 goto err; 470 str = "Modulus:"; 471 s = "Exponent:"; 472 } 473 if (!bn_printf(bp, x->n, off, "%s", str)) 474 goto err; 475 if (!bn_printf(bp, x->e, off, "%s", s)) 476 goto err; 477 if (priv) { 478 if (!bn_printf(bp, x->d, off, "privateExponent:")) 479 goto err; 480 if (!bn_printf(bp, x->p, off, "prime1:")) 481 goto err; 482 if (!bn_printf(bp, x->q, off, "prime2:")) 483 goto err; 484 if (!bn_printf(bp, x->dmp1, off, "exponent1:")) 485 goto err; 486 if (!bn_printf(bp, x->dmq1, off, "exponent2:")) 487 goto err; 488 if (!bn_printf(bp, x->iqmp, off, "coefficient:")) 489 goto err; 490 } 491 if (pkey->ameth->pkey_id == EVP_PKEY_RSA_PSS && 492 !rsa_pss_param_print(bp, 1, x->pss, off)) 493 goto err; 494 ret = 1; 495 err: 496 return ret; 497 } 498 499 static int 500 rsa_pub_print(BIO *bp, const EVP_PKEY *pkey, int indent, ASN1_PCTX *ctx) 501 { 502 return pkey_rsa_print(bp, pkey, indent, 0); 503 } 504 505 static int 506 rsa_priv_print(BIO *bp, const EVP_PKEY *pkey, int indent, ASN1_PCTX *ctx) 507 { 508 return pkey_rsa_print(bp, pkey, indent, 1); 509 } 510 511 static int 512 rsa_sig_print(BIO *bp, const X509_ALGOR *sigalg, const ASN1_STRING *sig, 513 int indent, ASN1_PCTX *pctx) 514 { 515 if (OBJ_obj2nid(sigalg->algorithm) == EVP_PKEY_RSA_PSS) { 516 int rv; 517 RSA_PSS_PARAMS *pss = rsa_pss_decode(sigalg); 518 519 rv = rsa_pss_param_print(bp, 0, pss, indent); 520 RSA_PSS_PARAMS_free(pss); 521 if (!rv) 522 return 0; 523 } else if (!sig && BIO_puts(bp, "\n") <= 0) { 524 return 0; 525 } 526 if (sig) 527 return X509_signature_dump(bp, sig, indent); 528 return 1; 529 } 530 531 static int 532 rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2) 533 { 534 X509_ALGOR *alg = NULL; 535 const EVP_MD *md; 536 const EVP_MD *mgf1md; 537 int min_saltlen; 538 539 switch (op) { 540 case ASN1_PKEY_CTRL_PKCS7_SIGN: 541 if (arg1 == 0) 542 PKCS7_SIGNER_INFO_get0_algs(arg2, NULL, NULL, &alg); 543 break; 544 545 case ASN1_PKEY_CTRL_PKCS7_ENCRYPT: 546 if (pkey->ameth->pkey_id == EVP_PKEY_RSA_PSS) 547 return -2; 548 if (arg1 == 0) 549 PKCS7_RECIP_INFO_get0_alg(arg2, &alg); 550 break; 551 #ifndef OPENSSL_NO_CMS 552 case ASN1_PKEY_CTRL_CMS_SIGN: 553 if (arg1 == 0) 554 return rsa_cms_sign(arg2); 555 else if (arg1 == 1) 556 return rsa_cms_verify(arg2); 557 break; 558 559 case ASN1_PKEY_CTRL_CMS_ENVELOPE: 560 if (pkey->ameth->pkey_id == EVP_PKEY_RSA_PSS) 561 return -2; 562 if (arg1 == 0) 563 return rsa_cms_encrypt(arg2); 564 else if (arg1 == 1) 565 return rsa_cms_decrypt(arg2); 566 break; 567 568 case ASN1_PKEY_CTRL_CMS_RI_TYPE: 569 if (pkey->ameth->pkey_id == EVP_PKEY_RSA_PSS) 570 return -2; 571 *(int *)arg2 = CMS_RECIPINFO_TRANS; 572 return 1; 573 #endif 574 575 case ASN1_PKEY_CTRL_DEFAULT_MD_NID: 576 if (pkey->pkey.rsa->pss != NULL) { 577 if (!rsa_pss_get_param(pkey->pkey.rsa->pss, &md, &mgf1md, 578 &min_saltlen)) { 579 RSAerror(ERR_R_INTERNAL_ERROR); 580 return 0; 581 } 582 *(int *)arg2 = EVP_MD_type(md); 583 /* Return of 2 indicates this MD is mandatory */ 584 return 2; 585 } 586 *(int *)arg2 = NID_sha256; 587 return 1; 588 589 default: 590 return -2; 591 } 592 593 if (alg != NULL) 594 return rsa_alg_set_pkcs1_padding(alg); 595 596 return 1; 597 } 598 599 static int 600 rsa_md_to_algor(const EVP_MD *md, X509_ALGOR **out_alg) 601 { 602 X509_ALGOR *alg = NULL; 603 int ret = 0; 604 605 X509_ALGOR_free(*out_alg); 606 *out_alg = NULL; 607 608 /* RFC 8017 - default hash is SHA-1 and hence omitted. */ 609 if (md == NULL || EVP_MD_type(md) == NID_sha1) 610 goto done; 611 612 if ((alg = X509_ALGOR_new()) == NULL) 613 goto err; 614 /* 615 * XXX - This omits the parameters, whereas RFC 4055, section 2.1 616 * explicitly states that an explicit ASN.1 NULL is required. 617 */ 618 if (!X509_ALGOR_set_evp_md(alg, md)) 619 goto err; 620 621 done: 622 *out_alg = alg; 623 alg = NULL; 624 625 ret = 1; 626 627 err: 628 X509_ALGOR_free(alg); 629 630 return ret; 631 } 632 633 /* 634 * RFC 8017, A.2.1 and A.2.3 - encode maskGenAlgorithm for RSAES-OAEP 635 * and RSASSA-PSS. The default is mgfSHA1 and hence omitted. 636 */ 637 static int 638 rsa_mgf1md_to_maskGenAlgorithm(const EVP_MD *mgf1md, X509_ALGOR **out_alg) 639 { 640 X509_ALGOR *alg = NULL; 641 X509_ALGOR *inner_alg = NULL; 642 ASN1_STRING *astr = NULL; 643 int ret = 0; 644 645 X509_ALGOR_free(*out_alg); 646 *out_alg = NULL; 647 648 if (mgf1md == NULL || EVP_MD_type(mgf1md) == NID_sha1) 649 goto done; 650 651 if ((inner_alg = X509_ALGOR_new()) == NULL) 652 goto err; 653 /* 654 * XXX - This omits the parameters, whereas RFC 4055, section 2.1 655 * explicitly states that an explicit ASN.1 NULL is required. 656 */ 657 if (!X509_ALGOR_set_evp_md(inner_alg, mgf1md)) 658 goto err; 659 if ((astr = ASN1_item_pack(inner_alg, &X509_ALGOR_it, NULL)) == NULL) 660 goto err; 661 662 if ((alg = X509_ALGOR_new()) == NULL) 663 goto err; 664 if (!X509_ALGOR_set0_by_nid(alg, NID_mgf1, V_ASN1_SEQUENCE, astr)) 665 goto err; 666 astr = NULL; 667 668 done: 669 *out_alg = alg; 670 alg = NULL; 671 672 ret = 1; 673 674 err: 675 X509_ALGOR_free(alg); 676 X509_ALGOR_free(inner_alg); 677 ASN1_STRING_free(astr); 678 679 return ret; 680 } 681 682 /* Convert algorithm ID to EVP_MD, defaults to SHA1. */ 683 static const EVP_MD * 684 rsa_algor_to_md(X509_ALGOR *alg) 685 { 686 const EVP_MD *md; 687 688 if (!alg) 689 return EVP_sha1(); 690 md = EVP_get_digestbyobj(alg->algorithm); 691 if (md == NULL) 692 RSAerror(RSA_R_UNKNOWN_DIGEST); 693 return md; 694 } 695 696 /* 697 * Convert EVP_PKEY_CTX in PSS mode into corresponding algorithm parameter, 698 * suitable for setting an AlgorithmIdentifier. 699 */ 700 static RSA_PSS_PARAMS * 701 rsa_ctx_to_pss(EVP_PKEY_CTX *pkey_ctx) 702 { 703 const EVP_MD *sigmd, *mgf1md; 704 EVP_PKEY *pk = EVP_PKEY_CTX_get0_pkey(pkey_ctx); 705 int saltlen; 706 707 if (EVP_PKEY_CTX_get_signature_md(pkey_ctx, &sigmd) <= 0) 708 return NULL; 709 if (EVP_PKEY_CTX_get_rsa_mgf1_md(pkey_ctx, &mgf1md) <= 0) 710 return NULL; 711 if (!EVP_PKEY_CTX_get_rsa_pss_saltlen(pkey_ctx, &saltlen)) 712 return NULL; 713 if (saltlen == -1) { 714 saltlen = EVP_MD_size(sigmd); 715 } else if (saltlen == -2 || saltlen == -3) { 716 saltlen = EVP_PKEY_size(pk) - EVP_MD_size(sigmd) - 2; 717 if ((EVP_PKEY_bits(pk) & 0x7) == 1) 718 saltlen--; 719 if (saltlen < 0) 720 return NULL; 721 } 722 723 return rsa_pss_params_create(sigmd, mgf1md, saltlen); 724 } 725 726 RSA_PSS_PARAMS * 727 rsa_pss_params_create(const EVP_MD *sigmd, const EVP_MD *mgf1md, int saltlen) 728 { 729 RSA_PSS_PARAMS *pss = NULL; 730 731 if (mgf1md == NULL) 732 mgf1md = sigmd; 733 734 if ((pss = RSA_PSS_PARAMS_new()) == NULL) 735 goto err; 736 737 if (!rsa_md_to_algor(sigmd, &pss->hashAlgorithm)) 738 goto err; 739 if (!rsa_mgf1md_to_maskGenAlgorithm(mgf1md, &pss->maskGenAlgorithm)) 740 goto err; 741 742 /* Translate mgf1md to X509_ALGOR in decoded form for internal use. */ 743 if (!rsa_md_to_algor(mgf1md, &pss->maskHash)) 744 goto err; 745 746 /* RFC 8017, A.2.3 - default saltLength is SHA_DIGEST_LENGTH. */ 747 if (saltlen != SHA_DIGEST_LENGTH) { 748 if ((pss->saltLength = ASN1_INTEGER_new()) == NULL) 749 goto err; 750 if (!ASN1_INTEGER_set(pss->saltLength, saltlen)) 751 goto err; 752 } 753 754 return pss; 755 756 err: 757 RSA_PSS_PARAMS_free(pss); 758 759 return NULL; 760 } 761 762 /* 763 * From PSS AlgorithmIdentifier set public key parameters. If pkey isn't NULL 764 * then the EVP_MD_CTX is setup and initialised. If it is NULL parameters are 765 * passed to pkey_ctx instead. 766 */ 767 768 static int 769 rsa_pss_to_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pkey_ctx, 770 X509_ALGOR *sigalg, EVP_PKEY *pkey) 771 { 772 int rv = -1; 773 int saltlen; 774 const EVP_MD *mgf1md = NULL, *md = NULL; 775 RSA_PSS_PARAMS *pss; 776 777 /* Sanity check: make sure it is PSS */ 778 if (OBJ_obj2nid(sigalg->algorithm) != EVP_PKEY_RSA_PSS) { 779 RSAerror(RSA_R_UNSUPPORTED_SIGNATURE_TYPE); 780 return -1; 781 } 782 /* Decode PSS parameters */ 783 pss = rsa_pss_decode(sigalg); 784 785 if (!rsa_pss_get_param(pss, &md, &mgf1md, &saltlen)) { 786 RSAerror(RSA_R_INVALID_PSS_PARAMETERS); 787 goto err; 788 } 789 790 /* We have all parameters now set up context */ 791 if (pkey) { 792 if (!EVP_DigestVerifyInit(ctx, &pkey_ctx, md, NULL, pkey)) 793 goto err; 794 } else { 795 const EVP_MD *checkmd; 796 if (EVP_PKEY_CTX_get_signature_md(pkey_ctx, &checkmd) <= 0) 797 goto err; 798 if (EVP_MD_type(md) != EVP_MD_type(checkmd)) { 799 RSAerror(RSA_R_DIGEST_DOES_NOT_MATCH); 800 goto err; 801 } 802 } 803 804 if (EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING) <= 0) 805 goto err; 806 807 if (EVP_PKEY_CTX_set_rsa_pss_saltlen(pkey_ctx, saltlen) <= 0) 808 goto err; 809 810 if (EVP_PKEY_CTX_set_rsa_mgf1_md(pkey_ctx, mgf1md) <= 0) 811 goto err; 812 /* Carry on */ 813 rv = 1; 814 815 err: 816 RSA_PSS_PARAMS_free(pss); 817 return rv; 818 } 819 820 int 821 rsa_pss_get_param(const RSA_PSS_PARAMS *pss, const EVP_MD **pmd, 822 const EVP_MD **pmgf1md, int *psaltlen) 823 { 824 if (pss == NULL) 825 return 0; 826 *pmd = rsa_algor_to_md(pss->hashAlgorithm); 827 if (*pmd == NULL) 828 return 0; 829 *pmgf1md = rsa_algor_to_md(pss->maskHash); 830 if (*pmgf1md == NULL) 831 return 0; 832 if (pss->saltLength) { 833 *psaltlen = ASN1_INTEGER_get(pss->saltLength); 834 if (*psaltlen < 0) { 835 RSAerror(RSA_R_INVALID_SALT_LENGTH); 836 return 0; 837 } 838 } else { 839 *psaltlen = 20; 840 } 841 842 /* 843 * low-level routines support only trailer field 0xbc (value 1) and 844 * PKCS#1 says we should reject any other value anyway. 845 */ 846 if (pss->trailerField && ASN1_INTEGER_get(pss->trailerField) != 1) { 847 RSAerror(RSA_R_INVALID_TRAILER); 848 return 0; 849 } 850 851 return 1; 852 } 853 854 static int 855 rsa_pss_signature_info(const X509_ALGOR *alg, int *out_md_nid, 856 int *out_pkey_nid, int *out_security_bits, uint32_t *out_flags) 857 { 858 RSA_PSS_PARAMS *pss = NULL; 859 const ASN1_OBJECT *aobj; 860 const EVP_MD *md, *mgf1md; 861 int md_len, salt_len; 862 int md_nid = NID_undef, pkey_nid = NID_undef; 863 int security_bits = -1; 864 uint32_t flags = 0; 865 866 X509_ALGOR_get0(&aobj, NULL, NULL, alg); 867 if (OBJ_obj2nid(aobj) != EVP_PKEY_RSA_PSS) 868 goto err; 869 870 if ((pss = rsa_pss_decode(alg)) == NULL) 871 goto err; 872 if (!rsa_pss_get_param(pss, &md, &mgf1md, &salt_len)) 873 goto err; 874 875 if ((md_nid = EVP_MD_type(md)) == NID_undef) 876 goto err; 877 if ((md_len = EVP_MD_size(md)) <= 0) 878 goto err; 879 880 /* 881 * RFC 8446, section 4.2.3 - restricts the digest algorithm: 882 * - it must be one of SHA256, SHA384, and SHA512; 883 * - the same digest must be used in the mask generation function; 884 * - the salt length must match the output length of the digest. 885 * XXX - consider separate flags for these checks. 886 */ 887 if (md_nid == NID_sha256 || md_nid == NID_sha384 || md_nid == NID_sha512) { 888 if (md_nid == EVP_MD_type(mgf1md) && salt_len == md_len) 889 flags |= X509_SIG_INFO_TLS; 890 } 891 892 security_bits = md_len * 4; 893 flags |= X509_SIG_INFO_VALID; 894 895 *out_md_nid = md_nid; 896 *out_pkey_nid = pkey_nid; 897 *out_security_bits = security_bits; 898 *out_flags = flags; 899 900 err: 901 RSA_PSS_PARAMS_free(pss); 902 903 return (flags & X509_SIG_INFO_VALID) != 0; 904 } 905 906 #ifndef OPENSSL_NO_CMS 907 static int 908 rsa_cms_verify(CMS_SignerInfo *si) 909 { 910 int nid, nid2; 911 X509_ALGOR *alg; 912 EVP_PKEY_CTX *pkey_ctx = CMS_SignerInfo_get0_pkey_ctx(si); 913 914 CMS_SignerInfo_get0_algs(si, NULL, NULL, NULL, &alg); 915 nid = OBJ_obj2nid(alg->algorithm); 916 if (nid == EVP_PKEY_RSA_PSS) 917 return rsa_pss_to_ctx(NULL, pkey_ctx, alg, NULL); 918 /* Only PSS allowed for PSS keys */ 919 if (pkey_ctx->pmeth->pkey_id == EVP_PKEY_RSA_PSS) { 920 RSAerror(RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE); 921 return 0; 922 } 923 if (nid == NID_rsaEncryption) 924 return 1; 925 /* Workaround for some implementation that use a signature OID */ 926 if (OBJ_find_sigid_algs(nid, NULL, &nid2)) { 927 if (nid2 == NID_rsaEncryption) 928 return 1; 929 } 930 return 0; 931 } 932 #endif 933 934 /* 935 * Customised RSA item verification routine. This is called when a signature 936 * is encountered requiring special handling. We currently only handle PSS. 937 */ 938 static int 939 rsa_item_verify(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn, 940 X509_ALGOR *sigalg, ASN1_BIT_STRING *sig, EVP_PKEY *pkey) 941 { 942 /* Sanity check: make sure it is PSS */ 943 if (OBJ_obj2nid(sigalg->algorithm) != EVP_PKEY_RSA_PSS) { 944 RSAerror(RSA_R_UNSUPPORTED_SIGNATURE_TYPE); 945 return -1; 946 } 947 if (rsa_pss_to_ctx(ctx, NULL, sigalg, pkey) > 0) { 948 /* Carry on */ 949 return 2; 950 } 951 return -1; 952 } 953 954 static int 955 rsa_alg_set_pkcs1_padding(X509_ALGOR *alg) 956 { 957 return X509_ALGOR_set0_by_nid(alg, NID_rsaEncryption, V_ASN1_NULL, NULL); 958 } 959 960 static int 961 rsa_alg_set_pss_padding(X509_ALGOR *alg, EVP_PKEY_CTX *pkey_ctx) 962 { 963 RSA_PSS_PARAMS *pss = NULL; 964 ASN1_STRING *astr = NULL; 965 int ret = 0; 966 967 if (pkey_ctx == NULL) 968 goto err; 969 970 if ((pss = rsa_ctx_to_pss(pkey_ctx)) == NULL) 971 goto err; 972 if ((astr = ASN1_item_pack(pss, &RSA_PSS_PARAMS_it, NULL)) == NULL) 973 goto err; 974 if (!X509_ALGOR_set0_by_nid(alg, EVP_PKEY_RSA_PSS, V_ASN1_SEQUENCE, astr)) 975 goto err; 976 astr = NULL; 977 978 ret = 1; 979 980 err: 981 ASN1_STRING_free(astr); 982 RSA_PSS_PARAMS_free(pss); 983 984 return ret; 985 } 986 987 #ifndef OPENSSL_NO_CMS 988 static int 989 rsa_alg_set_oaep_padding(X509_ALGOR *alg, EVP_PKEY_CTX *pkey_ctx) 990 { 991 const EVP_MD *md, *mgf1md; 992 RSA_OAEP_PARAMS *oaep = NULL; 993 ASN1_STRING *astr = NULL; 994 ASN1_OCTET_STRING *ostr = NULL; 995 unsigned char *label; 996 int labellen; 997 int ret = 0; 998 999 if (EVP_PKEY_CTX_get_rsa_oaep_md(pkey_ctx, &md) <= 0) 1000 goto err; 1001 if (EVP_PKEY_CTX_get_rsa_mgf1_md(pkey_ctx, &mgf1md) <= 0) 1002 goto err; 1003 labellen = EVP_PKEY_CTX_get0_rsa_oaep_label(pkey_ctx, &label); 1004 if (labellen < 0) 1005 goto err; 1006 1007 if ((oaep = RSA_OAEP_PARAMS_new()) == NULL) 1008 goto err; 1009 1010 if (!rsa_md_to_algor(md, &oaep->hashFunc)) 1011 goto err; 1012 if (!rsa_mgf1md_to_maskGenAlgorithm(mgf1md, &oaep->maskGenFunc)) 1013 goto err; 1014 1015 /* XXX - why do we not set oaep->maskHash here? */ 1016 1017 if (labellen > 0) { 1018 if ((oaep->pSourceFunc = X509_ALGOR_new()) == NULL) 1019 goto err; 1020 if ((ostr = ASN1_OCTET_STRING_new()) == NULL) 1021 goto err; 1022 if (!ASN1_OCTET_STRING_set(ostr, label, labellen)) 1023 goto err; 1024 if (!X509_ALGOR_set0_by_nid(oaep->pSourceFunc, NID_pSpecified, 1025 V_ASN1_OCTET_STRING, ostr)) 1026 goto err; 1027 ostr = NULL; 1028 } 1029 1030 if ((astr = ASN1_item_pack(oaep, &RSA_OAEP_PARAMS_it, NULL)) == NULL) 1031 goto err; 1032 if (!X509_ALGOR_set0_by_nid(alg, NID_rsaesOaep, V_ASN1_SEQUENCE, astr)) 1033 goto err; 1034 astr = NULL; 1035 1036 ret = 1; 1037 1038 err: 1039 RSA_OAEP_PARAMS_free(oaep); 1040 ASN1_STRING_free(astr); 1041 ASN1_OCTET_STRING_free(ostr); 1042 1043 return ret; 1044 } 1045 1046 static int 1047 rsa_cms_sign(CMS_SignerInfo *si) 1048 { 1049 EVP_PKEY_CTX *pkey_ctx; 1050 X509_ALGOR *alg; 1051 int pad_mode = RSA_PKCS1_PADDING; 1052 1053 if ((pkey_ctx = CMS_SignerInfo_get0_pkey_ctx(si)) != NULL) { 1054 if (EVP_PKEY_CTX_get_rsa_padding(pkey_ctx, &pad_mode) <= 0) 1055 return 0; 1056 } 1057 1058 CMS_SignerInfo_get0_algs(si, NULL, NULL, NULL, &alg); 1059 if (pad_mode == RSA_PKCS1_PADDING) 1060 return rsa_alg_set_pkcs1_padding(alg); 1061 if (pad_mode == RSA_PKCS1_PSS_PADDING) 1062 return rsa_alg_set_pss_padding(alg, pkey_ctx); 1063 1064 return 0; 1065 } 1066 #endif 1067 1068 static int 1069 rsa_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn, 1070 X509_ALGOR *alg1, X509_ALGOR *alg2, ASN1_BIT_STRING *sig) 1071 { 1072 EVP_PKEY_CTX *pkey_ctx = ctx->pctx; 1073 int pad_mode; 1074 1075 if (EVP_PKEY_CTX_get_rsa_padding(pkey_ctx, &pad_mode) <= 0) 1076 return 0; 1077 if (pad_mode == RSA_PKCS1_PADDING) 1078 return 2; 1079 if (pad_mode == RSA_PKCS1_PSS_PADDING) { 1080 if (!rsa_alg_set_pss_padding(alg1, pkey_ctx)) 1081 return 0; 1082 if (alg2 != NULL) { 1083 if (!rsa_alg_set_pss_padding(alg2, pkey_ctx)) 1084 return 0; 1085 } 1086 return 3; 1087 } 1088 return 2; 1089 } 1090 1091 #ifndef OPENSSL_NO_CMS 1092 static RSA_OAEP_PARAMS * 1093 rsa_oaep_decode(const X509_ALGOR *alg) 1094 { 1095 RSA_OAEP_PARAMS *oaep; 1096 1097 oaep = ASN1_TYPE_unpack_sequence(&RSA_OAEP_PARAMS_it, alg->parameter); 1098 if (oaep == NULL) 1099 return NULL; 1100 1101 if (oaep->maskGenFunc != NULL) { 1102 oaep->maskHash = rsa_mgf1_decode(oaep->maskGenFunc); 1103 if (oaep->maskHash == NULL) { 1104 RSA_OAEP_PARAMS_free(oaep); 1105 return NULL; 1106 } 1107 } 1108 return oaep; 1109 } 1110 1111 static int 1112 rsa_cms_decrypt(CMS_RecipientInfo *ri) 1113 { 1114 EVP_PKEY_CTX *pkctx; 1115 X509_ALGOR *cmsalg; 1116 int nid; 1117 int rv = -1; 1118 unsigned char *label = NULL; 1119 int labellen = 0; 1120 const EVP_MD *mgf1md = NULL, *md = NULL; 1121 RSA_OAEP_PARAMS *oaep; 1122 1123 pkctx = CMS_RecipientInfo_get0_pkey_ctx(ri); 1124 if (pkctx == NULL) 1125 return 0; 1126 if (!CMS_RecipientInfo_ktri_get0_algs(ri, NULL, NULL, &cmsalg)) 1127 return -1; 1128 nid = OBJ_obj2nid(cmsalg->algorithm); 1129 if (nid == NID_rsaEncryption) 1130 return 1; 1131 if (nid != NID_rsaesOaep) { 1132 RSAerror(RSA_R_UNSUPPORTED_ENCRYPTION_TYPE); 1133 return -1; 1134 } 1135 /* Decode OAEP parameters */ 1136 oaep = rsa_oaep_decode(cmsalg); 1137 1138 if (oaep == NULL) { 1139 RSAerror(RSA_R_INVALID_OAEP_PARAMETERS); 1140 goto err; 1141 } 1142 1143 mgf1md = rsa_algor_to_md(oaep->maskHash); 1144 if (mgf1md == NULL) 1145 goto err; 1146 md = rsa_algor_to_md(oaep->hashFunc); 1147 if (md == NULL) 1148 goto err; 1149 1150 if (oaep->pSourceFunc != NULL) { 1151 X509_ALGOR *plab = oaep->pSourceFunc; 1152 1153 if (OBJ_obj2nid(plab->algorithm) != NID_pSpecified) { 1154 RSAerror(RSA_R_UNSUPPORTED_LABEL_SOURCE); 1155 goto err; 1156 } 1157 if (plab->parameter->type != V_ASN1_OCTET_STRING) { 1158 RSAerror(RSA_R_INVALID_LABEL); 1159 goto err; 1160 } 1161 1162 label = plab->parameter->value.octet_string->data; 1163 1164 /* Stop label being freed when OAEP parameters are freed */ 1165 /* XXX - this leaks label on error... */ 1166 plab->parameter->value.octet_string->data = NULL; 1167 labellen = plab->parameter->value.octet_string->length; 1168 } 1169 1170 if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_OAEP_PADDING) <= 0) 1171 goto err; 1172 if (EVP_PKEY_CTX_set_rsa_oaep_md(pkctx, md) <= 0) 1173 goto err; 1174 if (EVP_PKEY_CTX_set_rsa_mgf1_md(pkctx, mgf1md) <= 0) 1175 goto err; 1176 if (EVP_PKEY_CTX_set0_rsa_oaep_label(pkctx, label, labellen) <= 0) 1177 goto err; 1178 1179 rv = 1; 1180 1181 err: 1182 RSA_OAEP_PARAMS_free(oaep); 1183 return rv; 1184 } 1185 1186 static int 1187 rsa_cms_encrypt(CMS_RecipientInfo *ri) 1188 { 1189 X509_ALGOR *alg; 1190 EVP_PKEY_CTX *pkey_ctx; 1191 int pad_mode = RSA_PKCS1_PADDING; 1192 1193 if ((pkey_ctx = CMS_RecipientInfo_get0_pkey_ctx(ri)) != NULL) { 1194 if (EVP_PKEY_CTX_get_rsa_padding(pkey_ctx, &pad_mode) <= 0) 1195 return 0; 1196 } 1197 1198 if (!CMS_RecipientInfo_ktri_get0_algs(ri, NULL, NULL, &alg)) 1199 return 0; 1200 if (pad_mode == RSA_PKCS1_PADDING) 1201 return rsa_alg_set_pkcs1_padding(alg); 1202 if (pad_mode == RSA_PKCS1_OAEP_PADDING) 1203 return rsa_alg_set_oaep_padding(alg, pkey_ctx); 1204 1205 return 0; 1206 } 1207 #endif 1208 1209 const EVP_PKEY_ASN1_METHOD rsa_asn1_meth = { 1210 .base_method = &rsa_asn1_meth, 1211 .pkey_id = EVP_PKEY_RSA, 1212 .pkey_flags = ASN1_PKEY_SIGPARAM_NULL, 1213 1214 .pem_str = "RSA", 1215 .info = "OpenSSL RSA method", 1216 1217 .pub_decode = rsa_pub_decode, 1218 .pub_encode = rsa_pub_encode, 1219 .pub_cmp = rsa_pub_cmp, 1220 .pub_print = rsa_pub_print, 1221 1222 .priv_decode = rsa_priv_decode, 1223 .priv_encode = rsa_priv_encode, 1224 .priv_print = rsa_priv_print, 1225 1226 .pkey_size = rsa_size, 1227 .pkey_bits = rsa_bits, 1228 .pkey_security_bits = rsa_security_bits, 1229 1230 .sig_print = rsa_sig_print, 1231 1232 .pkey_free = rsa_free, 1233 .pkey_ctrl = rsa_pkey_ctrl, 1234 .old_priv_decode = old_rsa_priv_decode, 1235 .old_priv_encode = old_rsa_priv_encode, 1236 .item_verify = rsa_item_verify, 1237 .item_sign = rsa_item_sign, 1238 }; 1239 1240 const EVP_PKEY_ASN1_METHOD rsa2_asn1_meth = { 1241 .base_method = &rsa_asn1_meth, 1242 .pkey_id = EVP_PKEY_RSA2, 1243 .pkey_flags = ASN1_PKEY_ALIAS, 1244 }; 1245 1246 const EVP_PKEY_ASN1_METHOD rsa_pss_asn1_meth = { 1247 .base_method = &rsa_pss_asn1_meth, 1248 .pkey_id = EVP_PKEY_RSA_PSS, 1249 .pkey_flags = ASN1_PKEY_SIGPARAM_NULL, 1250 1251 .pem_str = "RSA-PSS", 1252 .info = "OpenSSL RSA-PSS method", 1253 1254 .pub_decode = rsa_pub_decode, 1255 .pub_encode = rsa_pub_encode, 1256 .pub_cmp = rsa_pub_cmp, 1257 .pub_print = rsa_pub_print, 1258 1259 .priv_decode = rsa_priv_decode, 1260 .priv_encode = rsa_priv_encode, 1261 .priv_print = rsa_priv_print, 1262 1263 .pkey_size = rsa_size, 1264 .pkey_bits = rsa_bits, 1265 .pkey_security_bits = rsa_security_bits, 1266 1267 .signature_info = rsa_pss_signature_info, 1268 1269 .sig_print = rsa_sig_print, 1270 1271 .pkey_free = rsa_free, 1272 .pkey_ctrl = rsa_pkey_ctrl, 1273 .item_verify = rsa_item_verify, 1274 .item_sign = rsa_item_sign 1275 }; 1276