10Sstevel@tonic-gate /* 20Sstevel@tonic-gate * CDDL HEADER START 30Sstevel@tonic-gate * 40Sstevel@tonic-gate * The contents of this file are subject to the terms of the 56557Sfr41279 * Common Development and Distribution License (the "License"). 66557Sfr41279 * You may not use this file except in compliance with the License. 70Sstevel@tonic-gate * 80Sstevel@tonic-gate * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 90Sstevel@tonic-gate * or http://www.opensolaris.org/os/licensing. 100Sstevel@tonic-gate * See the License for the specific language governing permissions 110Sstevel@tonic-gate * and limitations under the License. 120Sstevel@tonic-gate * 130Sstevel@tonic-gate * When distributing Covered Code, include this CDDL HEADER in each 140Sstevel@tonic-gate * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 150Sstevel@tonic-gate * If applicable, add the following below this CDDL HEADER, with the 160Sstevel@tonic-gate * fields enclosed by brackets "[]" replaced with your own identifying 170Sstevel@tonic-gate * information: Portions Copyright [yyyy] [name of copyright owner] 180Sstevel@tonic-gate * 190Sstevel@tonic-gate * CDDL HEADER END 200Sstevel@tonic-gate */ 210Sstevel@tonic-gate /* 22*9127SDina.Nimeh@Sun.COM * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 230Sstevel@tonic-gate * Use is subject to license terms. 240Sstevel@tonic-gate */ 250Sstevel@tonic-gate 260Sstevel@tonic-gate /* 270Sstevel@tonic-gate * This file contains RSA helper routines common to 280Sstevel@tonic-gate * the PKCS11 soft token code and the kernel RSA code. 290Sstevel@tonic-gate */ 300Sstevel@tonic-gate 310Sstevel@tonic-gate #include <sys/types.h> 320Sstevel@tonic-gate #include "rsa_impl.h" 330Sstevel@tonic-gate 340Sstevel@tonic-gate #ifdef _KERNEL 350Sstevel@tonic-gate #include <sys/param.h> 360Sstevel@tonic-gate #else 370Sstevel@tonic-gate #include <strings.h> 38*9127SDina.Nimeh@Sun.COM #include <cryptoutil.h> 390Sstevel@tonic-gate #include "softRandom.h" 400Sstevel@tonic-gate #endif 410Sstevel@tonic-gate 420Sstevel@tonic-gate /* 43676Sizick * DER encoding T of the DigestInfo values for MD5, SHA1, and SHA2 440Sstevel@tonic-gate * from PKCS#1 v2.1: RSA Cryptography Standard Section 9.2 Note 1 450Sstevel@tonic-gate * 460Sstevel@tonic-gate * MD5: (0x)30 20 30 0c 06 08 2a 86 48 86 f7 0d 02 05 05 00 04 10 || H 470Sstevel@tonic-gate * SHA-1: (0x)30 21 30 09 06 05 2b 0e 03 02 1a 05 00 04 14 || H 48676Sizick * SHA-256: (0x)30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20 || H. 49676Sizick * SHA-384: (0x)30 41 30 0d 06 09 60 86 48 01 65 03 04 02 02 05 00 04 30 || H. 50676Sizick * SHA-512: (0x)30 51 30 0d 06 09 60 86 48 01 65 03 04 02 03 05 00 04 40 || H. 510Sstevel@tonic-gate * 520Sstevel@tonic-gate * Where H is the digested output from MD5 or SHA1. We define the constant 530Sstevel@tonic-gate * byte array (the prefix) here and use it rather than doing the DER 540Sstevel@tonic-gate * encoding of the OID in a separate routine. 550Sstevel@tonic-gate */ 560Sstevel@tonic-gate const CK_BYTE MD5_DER_PREFIX[MD5_DER_PREFIX_Len] = {0x30, 0x20, 0x30, 0x0c, 570Sstevel@tonic-gate 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 580Sstevel@tonic-gate 0x04, 0x10}; 590Sstevel@tonic-gate 600Sstevel@tonic-gate const CK_BYTE SHA1_DER_PREFIX[SHA1_DER_PREFIX_Len] = {0x30, 0x21, 0x30, 610Sstevel@tonic-gate 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14}; 620Sstevel@tonic-gate 63872Sizick const CK_BYTE SHA1_DER_PREFIX_OID[SHA1_DER_PREFIX_OID_Len] = {0x30, 0x1f, 0x30, 64872Sizick 0x07, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x04, 0x14}; 65872Sizick 66676Sizick const CK_BYTE SHA256_DER_PREFIX[SHA2_DER_PREFIX_Len] = {0x30, 0x31, 0x30, 0x0d, 67676Sizick 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 68676Sizick 0x00, 0x04, 0x20}; 69676Sizick 70676Sizick const CK_BYTE SHA384_DER_PREFIX[SHA2_DER_PREFIX_Len] = {0x30, 0x41, 0x30, 0x0d, 71676Sizick 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 72676Sizick 0x00, 0x04, 0x30}; 73676Sizick 74676Sizick const CK_BYTE SHA512_DER_PREFIX[SHA2_DER_PREFIX_Len] = {0x30, 0x51, 0x30, 0x0d, 75676Sizick 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 76676Sizick 0x00, 0x04, 0x40}; 77676Sizick 786557Sfr41279 796557Sfr41279 /* psize and qsize are in bits */ 800Sstevel@tonic-gate BIG_ERR_CODE 810Sstevel@tonic-gate RSA_key_init(RSAkey *key, int psize, int qsize) 820Sstevel@tonic-gate { 830Sstevel@tonic-gate BIG_ERR_CODE err = BIG_OK; 840Sstevel@tonic-gate 850Sstevel@tonic-gate /* EXPORT DELETE START */ 860Sstevel@tonic-gate 870Sstevel@tonic-gate int plen, qlen, nlen; 880Sstevel@tonic-gate 896557Sfr41279 plen = BITLEN2BIGNUMLEN(psize); 906557Sfr41279 qlen = BITLEN2BIGNUMLEN(qsize); 910Sstevel@tonic-gate nlen = plen + qlen; 920Sstevel@tonic-gate key->size = psize + qsize; 930Sstevel@tonic-gate if ((err = big_init(&(key->p), plen)) != BIG_OK) 940Sstevel@tonic-gate return (err); 950Sstevel@tonic-gate if ((err = big_init(&(key->q), qlen)) != BIG_OK) 960Sstevel@tonic-gate goto ret1; 970Sstevel@tonic-gate if ((err = big_init(&(key->n), nlen)) != BIG_OK) 980Sstevel@tonic-gate goto ret2; 990Sstevel@tonic-gate if ((err = big_init(&(key->d), nlen)) != BIG_OK) 1000Sstevel@tonic-gate goto ret3; 1010Sstevel@tonic-gate if ((err = big_init(&(key->e), nlen)) != BIG_OK) 1020Sstevel@tonic-gate goto ret4; 1030Sstevel@tonic-gate if ((err = big_init(&(key->dmodpminus1), plen)) != BIG_OK) 1040Sstevel@tonic-gate goto ret5; 1050Sstevel@tonic-gate if ((err = big_init(&(key->dmodqminus1), qlen)) != BIG_OK) 1060Sstevel@tonic-gate goto ret6; 1070Sstevel@tonic-gate if ((err = big_init(&(key->pinvmodq), qlen)) != BIG_OK) 1080Sstevel@tonic-gate goto ret7; 1090Sstevel@tonic-gate if ((err = big_init(&(key->p_rr), plen)) != BIG_OK) 1100Sstevel@tonic-gate goto ret8; 1110Sstevel@tonic-gate if ((err = big_init(&(key->q_rr), qlen)) != BIG_OK) 1120Sstevel@tonic-gate goto ret9; 1130Sstevel@tonic-gate if ((err = big_init(&(key->n_rr), nlen)) != BIG_OK) 1140Sstevel@tonic-gate goto ret10; 1150Sstevel@tonic-gate 1160Sstevel@tonic-gate return (BIG_OK); 1170Sstevel@tonic-gate 1180Sstevel@tonic-gate ret10: 1190Sstevel@tonic-gate big_finish(&(key->q_rr)); 1200Sstevel@tonic-gate ret9: 1210Sstevel@tonic-gate big_finish(&(key->p_rr)); 1220Sstevel@tonic-gate ret8: 1230Sstevel@tonic-gate big_finish(&(key->pinvmodq)); 1240Sstevel@tonic-gate ret7: 1250Sstevel@tonic-gate big_finish(&(key->dmodqminus1)); 1260Sstevel@tonic-gate ret6: 1270Sstevel@tonic-gate big_finish(&(key->dmodpminus1)); 1280Sstevel@tonic-gate ret5: 1290Sstevel@tonic-gate big_finish(&(key->e)); 1300Sstevel@tonic-gate ret4: 1310Sstevel@tonic-gate big_finish(&(key->d)); 1320Sstevel@tonic-gate ret3: 1330Sstevel@tonic-gate big_finish(&(key->n)); 1340Sstevel@tonic-gate ret2: 1350Sstevel@tonic-gate big_finish(&(key->q)); 1360Sstevel@tonic-gate ret1: 1370Sstevel@tonic-gate big_finish(&(key->p)); 1380Sstevel@tonic-gate 1390Sstevel@tonic-gate /* EXPORT DELETE END */ 1400Sstevel@tonic-gate 1410Sstevel@tonic-gate return (err); 1420Sstevel@tonic-gate } 1430Sstevel@tonic-gate 1440Sstevel@tonic-gate 1450Sstevel@tonic-gate void 1460Sstevel@tonic-gate RSA_key_finish(RSAkey *key) 1470Sstevel@tonic-gate { 1480Sstevel@tonic-gate 1490Sstevel@tonic-gate /* EXPORT DELETE START */ 1500Sstevel@tonic-gate 1510Sstevel@tonic-gate big_finish(&(key->n_rr)); 1520Sstevel@tonic-gate big_finish(&(key->q_rr)); 1530Sstevel@tonic-gate big_finish(&(key->p_rr)); 1540Sstevel@tonic-gate big_finish(&(key->pinvmodq)); 1550Sstevel@tonic-gate big_finish(&(key->dmodqminus1)); 1560Sstevel@tonic-gate big_finish(&(key->dmodpminus1)); 1570Sstevel@tonic-gate big_finish(&(key->e)); 1580Sstevel@tonic-gate big_finish(&(key->d)); 1590Sstevel@tonic-gate big_finish(&(key->n)); 1600Sstevel@tonic-gate big_finish(&(key->q)); 1610Sstevel@tonic-gate big_finish(&(key->p)); 1620Sstevel@tonic-gate 1630Sstevel@tonic-gate /* EXPORT DELETE END */ 1640Sstevel@tonic-gate 1650Sstevel@tonic-gate } 1660Sstevel@tonic-gate 1670Sstevel@tonic-gate 1680Sstevel@tonic-gate /* 1690Sstevel@tonic-gate * To create a block type "02" encryption block for RSA PKCS encryption 1700Sstevel@tonic-gate * process. 1710Sstevel@tonic-gate * 1720Sstevel@tonic-gate * The RSA PKCS Padding before encryption is in the following format: 1730Sstevel@tonic-gate * +------+--------------------+----+-----------------------------+ 1740Sstevel@tonic-gate * |0x0002| 8 bytes or more RN |0x00| DATA | 1750Sstevel@tonic-gate * +------+--------------------+----+-----------------------------+ 1760Sstevel@tonic-gate * 1770Sstevel@tonic-gate */ 1780Sstevel@tonic-gate CK_RV 1790Sstevel@tonic-gate soft_encrypt_rsa_pkcs_encode(uint8_t *databuf, 1800Sstevel@tonic-gate size_t datalen, uint8_t *padbuf, size_t padbuflen) 1810Sstevel@tonic-gate { 1820Sstevel@tonic-gate 1830Sstevel@tonic-gate /* EXPORT DELETE START */ 1840Sstevel@tonic-gate 1850Sstevel@tonic-gate size_t padlen; 1860Sstevel@tonic-gate CK_RV rv; 1870Sstevel@tonic-gate 1880Sstevel@tonic-gate padlen = padbuflen - datalen; 1890Sstevel@tonic-gate if (padlen < MIN_PKCS1_PADLEN) { 1900Sstevel@tonic-gate return (CKR_DATA_LEN_RANGE); 1910Sstevel@tonic-gate } 1920Sstevel@tonic-gate 1930Sstevel@tonic-gate /* Pad with 0x0002+non-zero pseudorandom numbers+0x00. */ 1940Sstevel@tonic-gate padbuf[0] = 0x00; 1950Sstevel@tonic-gate padbuf[1] = 0x02; 1960Sstevel@tonic-gate #ifdef _KERNEL 1970Sstevel@tonic-gate rv = knzero_random_generator(padbuf + 2, padbuflen - 3); 1980Sstevel@tonic-gate #else 199*9127SDina.Nimeh@Sun.COM rv = CKR_OK; 200*9127SDina.Nimeh@Sun.COM if (pkcs11_get_nzero_urandom(padbuf + 2, padbuflen - 3) < 0) 201*9127SDina.Nimeh@Sun.COM rv = CKR_DEVICE_ERROR; 2020Sstevel@tonic-gate #endif 2030Sstevel@tonic-gate if (rv != CKR_OK) { 2040Sstevel@tonic-gate return (rv); 2050Sstevel@tonic-gate } 2060Sstevel@tonic-gate padbuf[padlen - 1] = 0x00; 2070Sstevel@tonic-gate 2080Sstevel@tonic-gate bcopy(databuf, padbuf + padlen, datalen); 2090Sstevel@tonic-gate 2100Sstevel@tonic-gate /* EXPORT DELETE END */ 2110Sstevel@tonic-gate 2120Sstevel@tonic-gate return (CKR_OK); 2130Sstevel@tonic-gate } 2140Sstevel@tonic-gate 2150Sstevel@tonic-gate 2160Sstevel@tonic-gate /* 2170Sstevel@tonic-gate * The RSA PKCS Padding after decryption is in the following format: 2180Sstevel@tonic-gate * +------+--------------------+----+-----------------------------+ 2190Sstevel@tonic-gate * |0x0002| 8 bytes or more RN |0x00| DATA | 2200Sstevel@tonic-gate * +------+--------------------+----+-----------------------------+ 2210Sstevel@tonic-gate * 2220Sstevel@tonic-gate * 'padbuf' points to the recovered message which is the modulus 2230Sstevel@tonic-gate * length. As a result, 'plen' is changed to hold the actual data length. 2240Sstevel@tonic-gate */ 2250Sstevel@tonic-gate CK_RV 2260Sstevel@tonic-gate soft_decrypt_rsa_pkcs_decode(uint8_t *padbuf, int *plen) 2270Sstevel@tonic-gate { 2280Sstevel@tonic-gate 2290Sstevel@tonic-gate /* EXPORT DELETE START */ 2300Sstevel@tonic-gate 2310Sstevel@tonic-gate int i; 2320Sstevel@tonic-gate 2330Sstevel@tonic-gate /* Check to see if the recovered data is padded is 0x0002. */ 2340Sstevel@tonic-gate if (padbuf[0] != 0x00 || padbuf[1] != 0x02) { 2350Sstevel@tonic-gate return (CKR_ENCRYPTED_DATA_INVALID); 2360Sstevel@tonic-gate } 2370Sstevel@tonic-gate 2380Sstevel@tonic-gate /* Remove all the random bits up to 0x00 (= NULL char) */ 2390Sstevel@tonic-gate for (i = 2; (*plen - i) > 0; i++) { 2400Sstevel@tonic-gate if (padbuf[i] == 0x00) { 2410Sstevel@tonic-gate i++; 2420Sstevel@tonic-gate if (i < MIN_PKCS1_PADLEN) { 2430Sstevel@tonic-gate return (CKR_ENCRYPTED_DATA_INVALID); 2440Sstevel@tonic-gate } 2450Sstevel@tonic-gate *plen -= i; 2460Sstevel@tonic-gate 2470Sstevel@tonic-gate return (CKR_OK); 2480Sstevel@tonic-gate } 2490Sstevel@tonic-gate } 2500Sstevel@tonic-gate 2510Sstevel@tonic-gate /* EXPORT DELETE END */ 2520Sstevel@tonic-gate 2530Sstevel@tonic-gate return (CKR_ENCRYPTED_DATA_INVALID); 2540Sstevel@tonic-gate } 2550Sstevel@tonic-gate 2560Sstevel@tonic-gate /* 2570Sstevel@tonic-gate * To create a block type "01" block for RSA PKCS signature process. 2580Sstevel@tonic-gate * 2590Sstevel@tonic-gate * The RSA PKCS Padding before Signing is in the following format: 2600Sstevel@tonic-gate * +------+--------------+----+-----------------------------+ 2610Sstevel@tonic-gate * |0x0001| 0xFFFF.......|0x00| DATA | 2620Sstevel@tonic-gate * +------+--------------+----+-----------------------------+ 2630Sstevel@tonic-gate */ 2640Sstevel@tonic-gate CK_RV 2650Sstevel@tonic-gate soft_sign_rsa_pkcs_encode(uint8_t *pData, size_t dataLen, uint8_t *data, 2660Sstevel@tonic-gate size_t mbit_l) 2670Sstevel@tonic-gate { 2680Sstevel@tonic-gate 2690Sstevel@tonic-gate /* EXPORT DELETE START */ 2700Sstevel@tonic-gate 2710Sstevel@tonic-gate size_t padlen; 2720Sstevel@tonic-gate 2730Sstevel@tonic-gate padlen = mbit_l - dataLen; 2740Sstevel@tonic-gate if (padlen < MIN_PKCS1_PADLEN) { 2750Sstevel@tonic-gate return (CKR_DATA_LEN_RANGE); 2760Sstevel@tonic-gate } 2770Sstevel@tonic-gate 2780Sstevel@tonic-gate padlen -= 3; 2790Sstevel@tonic-gate data[0] = 0x00; 2800Sstevel@tonic-gate data[1] = 0x01; 2810Sstevel@tonic-gate #ifdef _KERNEL 2820Sstevel@tonic-gate kmemset(data + 2, 0xFF, padlen); 2830Sstevel@tonic-gate #else 2840Sstevel@tonic-gate (void) memset(data + 2, 0xFF, padlen); 2850Sstevel@tonic-gate #endif 2860Sstevel@tonic-gate data[padlen + 2] = 0x00; 2870Sstevel@tonic-gate bcopy(pData, data + padlen + 3, dataLen); 2880Sstevel@tonic-gate 2890Sstevel@tonic-gate /* EXPORT DELETE END */ 2900Sstevel@tonic-gate 2910Sstevel@tonic-gate return (CKR_OK); 2920Sstevel@tonic-gate } 2930Sstevel@tonic-gate 2940Sstevel@tonic-gate 2950Sstevel@tonic-gate CK_RV 2960Sstevel@tonic-gate soft_verify_rsa_pkcs_decode(uint8_t *data, int *mbit_l) 2970Sstevel@tonic-gate { 2980Sstevel@tonic-gate 2990Sstevel@tonic-gate /* EXPORT DELETE START */ 3000Sstevel@tonic-gate 3010Sstevel@tonic-gate int i; 3020Sstevel@tonic-gate 3030Sstevel@tonic-gate /* Check to see if the padding of recovered data starts with 0x0001. */ 3040Sstevel@tonic-gate if ((data[0] != 0x00) || (data[1] != 0x01)) { 3050Sstevel@tonic-gate return (CKR_SIGNATURE_INVALID); 3060Sstevel@tonic-gate } 3070Sstevel@tonic-gate /* Check to see if the recovered data is padded with 0xFFF...00. */ 3080Sstevel@tonic-gate for (i = 2; i < *mbit_l; i++) { 3090Sstevel@tonic-gate if (data[i] == 0x00) { 3100Sstevel@tonic-gate i++; 3110Sstevel@tonic-gate if (i < MIN_PKCS1_PADLEN) { 3120Sstevel@tonic-gate return (CKR_SIGNATURE_INVALID); 3130Sstevel@tonic-gate } 3140Sstevel@tonic-gate *mbit_l -= i; 3150Sstevel@tonic-gate 3160Sstevel@tonic-gate return (CKR_OK); 3170Sstevel@tonic-gate } else if (data[i] != 0xFF) { 3180Sstevel@tonic-gate return (CKR_SIGNATURE_INVALID); 3190Sstevel@tonic-gate } 3200Sstevel@tonic-gate } 3210Sstevel@tonic-gate 3220Sstevel@tonic-gate /* EXPORT DELETE END */ 3230Sstevel@tonic-gate 3240Sstevel@tonic-gate return (CKR_SIGNATURE_INVALID); 3250Sstevel@tonic-gate } 326