1 /* $OpenBSD: dsa_ameth.c,v 1.29 2021/12/12 21:30:13 tb Exp $ */ 2 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 3 * project 2006. 4 */ 5 /* ==================================================================== 6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in 17 * the documentation and/or other materials provided with the 18 * distribution. 19 * 20 * 3. All advertising materials mentioning features or use of this 21 * software must display the following acknowledgment: 22 * "This product includes software developed by the OpenSSL Project 23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 24 * 25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 26 * endorse or promote products derived from this software without 27 * prior written permission. For written permission, please contact 28 * licensing@OpenSSL.org. 29 * 30 * 5. Products derived from this software may not be called "OpenSSL" 31 * nor may "OpenSSL" appear in their names without prior written 32 * permission of the OpenSSL Project. 33 * 34 * 6. Redistributions of any form whatsoever must retain the following 35 * acknowledgment: 36 * "This product includes software developed by the OpenSSL Project 37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 38 * 39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 50 * OF THE POSSIBILITY OF SUCH DAMAGE. 51 * ==================================================================== 52 * 53 * This product includes cryptographic software written by Eric Young 54 * (eay@cryptsoft.com). This product includes software written by Tim 55 * Hudson (tjh@cryptsoft.com). 56 * 57 */ 58 59 #include <stdio.h> 60 61 #include <openssl/opensslconf.h> 62 63 #include <openssl/asn1.h> 64 #include <openssl/bn.h> 65 #include <openssl/cms.h> 66 #include <openssl/dsa.h> 67 #include <openssl/err.h> 68 #include <openssl/x509.h> 69 70 #include "asn1_locl.h" 71 #include "bn_lcl.h" 72 #include "evp_locl.h" 73 74 static int 75 dsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey) 76 { 77 const unsigned char *p, *pm; 78 int pklen, pmlen; 79 int ptype; 80 const void *pval; 81 const ASN1_STRING *pstr; 82 X509_ALGOR *palg; 83 ASN1_INTEGER *public_key = NULL; 84 85 DSA *dsa = NULL; 86 87 if (!X509_PUBKEY_get0_param(NULL, &p, &pklen, &palg, pubkey)) 88 return 0; 89 X509_ALGOR_get0(NULL, &ptype, &pval, palg); 90 91 if (ptype == V_ASN1_SEQUENCE) { 92 pstr = pval; 93 pm = pstr->data; 94 pmlen = pstr->length; 95 96 if (!(dsa = d2i_DSAparams(NULL, &pm, pmlen))) { 97 DSAerror(DSA_R_DECODE_ERROR); 98 goto err; 99 } 100 } else if (ptype == V_ASN1_NULL || ptype == V_ASN1_UNDEF) { 101 if (!(dsa = DSA_new())) { 102 DSAerror(ERR_R_MALLOC_FAILURE); 103 goto err; 104 } 105 } else { 106 DSAerror(DSA_R_PARAMETER_ENCODING_ERROR); 107 goto err; 108 } 109 110 if (!(public_key=d2i_ASN1_INTEGER(NULL, &p, pklen))) { 111 DSAerror(DSA_R_DECODE_ERROR); 112 goto err; 113 } 114 115 if (!(dsa->pub_key = ASN1_INTEGER_to_BN(public_key, NULL))) { 116 DSAerror(DSA_R_BN_DECODE_ERROR); 117 goto err; 118 } 119 120 ASN1_INTEGER_free(public_key); 121 EVP_PKEY_assign_DSA(pkey, dsa); 122 return 1; 123 124 err: 125 if (public_key) 126 ASN1_INTEGER_free(public_key); 127 DSA_free(dsa); 128 return 0; 129 } 130 131 static int 132 dsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey) 133 { 134 DSA *dsa; 135 void *pval = NULL; 136 int ptype; 137 unsigned char *penc = NULL; 138 int penclen; 139 140 dsa = pkey->pkey.dsa; 141 if (pkey->save_parameters && dsa->p && dsa->q && dsa->g) { 142 ASN1_STRING *str; 143 144 str = ASN1_STRING_new(); 145 if (str == NULL) { 146 DSAerror(ERR_R_MALLOC_FAILURE); 147 goto err; 148 } 149 str->length = i2d_DSAparams(dsa, &str->data); 150 if (str->length <= 0) { 151 DSAerror(ERR_R_MALLOC_FAILURE); 152 ASN1_STRING_free(str); 153 goto err; 154 } 155 pval = str; 156 ptype = V_ASN1_SEQUENCE; 157 } else 158 ptype = V_ASN1_UNDEF; 159 160 dsa->write_params = 0; 161 162 penclen = i2d_DSAPublicKey(dsa, &penc); 163 164 if (penclen <= 0) { 165 DSAerror(ERR_R_MALLOC_FAILURE); 166 goto err; 167 } 168 169 if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(EVP_PKEY_DSA), ptype, pval, 170 penc, penclen)) 171 return 1; 172 173 err: 174 free(penc); 175 ASN1_STRING_free(pval); 176 177 return 0; 178 } 179 180 /* In PKCS#8 DSA: you just get a private key integer and parameters in the 181 * AlgorithmIdentifier the pubkey must be recalculated. 182 */ 183 static int 184 dsa_priv_decode(EVP_PKEY *pkey, const PKCS8_PRIV_KEY_INFO *p8) 185 { 186 const unsigned char *p, *pm; 187 int pklen, pmlen; 188 int ptype; 189 const void *pval; 190 const ASN1_STRING *pstr; 191 const X509_ALGOR *palg; 192 ASN1_INTEGER *privkey = NULL; 193 BN_CTX *ctx = NULL; 194 DSA *dsa = NULL; 195 196 int ret = 0; 197 198 if (!PKCS8_pkey_get0(NULL, &p, &pklen, &palg, p8)) 199 return 0; 200 X509_ALGOR_get0(NULL, &ptype, &pval, palg); 201 if (ptype != V_ASN1_SEQUENCE) 202 goto decerr; 203 204 if ((privkey = d2i_ASN1_INTEGER(NULL, &p, pklen)) == NULL) 205 goto decerr; 206 if (privkey->type == V_ASN1_NEG_INTEGER) 207 goto decerr; 208 209 pstr = pval; 210 pm = pstr->data; 211 pmlen = pstr->length; 212 if (!(dsa = d2i_DSAparams(NULL, &pm, pmlen))) 213 goto decerr; 214 /* We have parameters now set private key */ 215 if (!(dsa->priv_key = ASN1_INTEGER_to_BN(privkey, NULL))) { 216 DSAerror(DSA_R_BN_ERROR); 217 goto dsaerr; 218 } 219 /* Calculate public key */ 220 if (!(dsa->pub_key = BN_new())) { 221 DSAerror(ERR_R_MALLOC_FAILURE); 222 goto dsaerr; 223 } 224 if (!(ctx = BN_CTX_new())) { 225 DSAerror(ERR_R_MALLOC_FAILURE); 226 goto dsaerr; 227 } 228 229 if (!BN_mod_exp_ct(dsa->pub_key, dsa->g, dsa->priv_key, dsa->p, ctx)) { 230 DSAerror(DSA_R_BN_ERROR); 231 goto dsaerr; 232 } 233 234 if (!EVP_PKEY_assign_DSA(pkey, dsa)) 235 goto decerr; 236 237 ret = 1; 238 goto done; 239 240 decerr: 241 DSAerror(DSA_R_DECODE_ERROR); 242 dsaerr: 243 DSA_free(dsa); 244 done: 245 BN_CTX_free(ctx); 246 ASN1_INTEGER_free(privkey); 247 return ret; 248 } 249 250 static int 251 dsa_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey) 252 { 253 ASN1_STRING *params = NULL; 254 ASN1_INTEGER *prkey = NULL; 255 unsigned char *dp = NULL; 256 int dplen; 257 258 params = ASN1_STRING_new(); 259 if (!params) { 260 DSAerror(ERR_R_MALLOC_FAILURE); 261 goto err; 262 } 263 264 params->length = i2d_DSAparams(pkey->pkey.dsa, ¶ms->data); 265 if (params->length <= 0) { 266 DSAerror(ERR_R_MALLOC_FAILURE); 267 goto err; 268 } 269 params->type = V_ASN1_SEQUENCE; 270 271 /* Get private key into integer */ 272 prkey = BN_to_ASN1_INTEGER(pkey->pkey.dsa->priv_key, NULL); 273 if (!prkey) { 274 DSAerror(DSA_R_BN_ERROR); 275 goto err; 276 } 277 278 dplen = i2d_ASN1_INTEGER(prkey, &dp); 279 280 ASN1_INTEGER_free(prkey); 281 prkey = NULL; 282 283 if (!PKCS8_pkey_set0(p8, OBJ_nid2obj(NID_dsa), 0, V_ASN1_SEQUENCE, 284 params, dp, dplen)) 285 goto err; 286 287 return 1; 288 289 err: 290 free(dp); 291 ASN1_STRING_free(params); 292 ASN1_INTEGER_free(prkey); 293 return 0; 294 } 295 296 static int 297 int_dsa_size(const EVP_PKEY *pkey) 298 { 299 return DSA_size(pkey->pkey.dsa); 300 } 301 302 static int 303 dsa_bits(const EVP_PKEY *pkey) 304 { 305 return BN_num_bits(pkey->pkey.dsa->p); 306 } 307 308 static int 309 dsa_missing_parameters(const EVP_PKEY *pkey) 310 { 311 DSA *dsa; 312 313 dsa = pkey->pkey.dsa; 314 if (dsa->p == NULL || dsa->q == NULL || dsa->g == NULL) 315 return 1; 316 return 0; 317 } 318 319 static int 320 dsa_copy_parameters(EVP_PKEY *to, const EVP_PKEY *from) 321 { 322 BIGNUM *a; 323 324 if ((a = BN_dup(from->pkey.dsa->p)) == NULL) 325 return 0; 326 BN_free(to->pkey.dsa->p); 327 to->pkey.dsa->p = a; 328 329 if ((a = BN_dup(from->pkey.dsa->q)) == NULL) 330 return 0; 331 BN_free(to->pkey.dsa->q); 332 to->pkey.dsa->q = a; 333 334 if ((a = BN_dup(from->pkey.dsa->g)) == NULL) 335 return 0; 336 BN_free(to->pkey.dsa->g); 337 to->pkey.dsa->g = a; 338 return 1; 339 } 340 341 static int 342 dsa_cmp_parameters(const EVP_PKEY *a, const EVP_PKEY *b) 343 { 344 if (BN_cmp(a->pkey.dsa->p, b->pkey.dsa->p) || 345 BN_cmp(a->pkey.dsa->q, b->pkey.dsa->q) || 346 BN_cmp(a->pkey.dsa->g, b->pkey.dsa->g)) 347 return 0; 348 else 349 return 1; 350 } 351 352 static int 353 dsa_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b) 354 { 355 if (BN_cmp(b->pkey.dsa->pub_key, a->pkey.dsa->pub_key) != 0) 356 return 0; 357 else 358 return 1; 359 } 360 361 static void 362 int_dsa_free(EVP_PKEY *pkey) 363 { 364 DSA_free(pkey->pkey.dsa); 365 } 366 367 static void 368 update_buflen(const BIGNUM *b, size_t *pbuflen) 369 { 370 size_t i; 371 372 if (!b) 373 return; 374 if (*pbuflen < (i = (size_t)BN_num_bytes(b))) 375 *pbuflen = i; 376 } 377 378 static int 379 do_dsa_print(BIO *bp, const DSA *x, int off, int ptype) 380 { 381 unsigned char *m = NULL; 382 int ret = 0; 383 size_t buf_len = 0; 384 const char *ktype = NULL; 385 const BIGNUM *priv_key, *pub_key; 386 387 if (ptype == 2) 388 priv_key = x->priv_key; 389 else 390 priv_key = NULL; 391 392 if (ptype > 0) 393 pub_key = x->pub_key; 394 else 395 pub_key = NULL; 396 397 if (ptype == 2) 398 ktype = "Private-Key"; 399 else if (ptype == 1) 400 ktype = "Public-Key"; 401 else 402 ktype = "DSA-Parameters"; 403 404 update_buflen(x->p, &buf_len); 405 update_buflen(x->q, &buf_len); 406 update_buflen(x->g, &buf_len); 407 update_buflen(priv_key, &buf_len); 408 update_buflen(pub_key, &buf_len); 409 410 m = malloc(buf_len + 10); 411 if (m == NULL) { 412 DSAerror(ERR_R_MALLOC_FAILURE); 413 goto err; 414 } 415 416 if (priv_key) { 417 if (!BIO_indent(bp, off, 128)) 418 goto err; 419 if (BIO_printf(bp, "%s: (%d bit)\n", ktype, 420 BN_num_bits(x->p)) <= 0) 421 goto err; 422 } 423 424 if (!ASN1_bn_print(bp, "priv:", priv_key, m, off)) 425 goto err; 426 if (!ASN1_bn_print(bp, "pub: ", pub_key, m, off)) 427 goto err; 428 if (!ASN1_bn_print(bp, "P: ", x->p, m, off)) 429 goto err; 430 if (!ASN1_bn_print(bp, "Q: ", x->q, m, off)) 431 goto err; 432 if (!ASN1_bn_print(bp, "G: ", x->g, m, off)) 433 goto err; 434 ret = 1; 435 err: 436 free(m); 437 return(ret); 438 } 439 440 static int 441 dsa_param_decode(EVP_PKEY *pkey, const unsigned char **pder, int derlen) 442 { 443 DSA *dsa; 444 445 if (!(dsa = d2i_DSAparams(NULL, pder, derlen))) { 446 DSAerror(ERR_R_DSA_LIB); 447 return 0; 448 } 449 EVP_PKEY_assign_DSA(pkey, dsa); 450 return 1; 451 } 452 453 static int 454 dsa_param_encode(const EVP_PKEY *pkey, unsigned char **pder) 455 { 456 return i2d_DSAparams(pkey->pkey.dsa, pder); 457 } 458 459 static int 460 dsa_param_print(BIO *bp, const EVP_PKEY *pkey, int indent, ASN1_PCTX *ctx) 461 { 462 return do_dsa_print(bp, pkey->pkey.dsa, indent, 0); 463 } 464 465 static int 466 dsa_pub_print(BIO *bp, const EVP_PKEY *pkey, int indent, ASN1_PCTX *ctx) 467 { 468 return do_dsa_print(bp, pkey->pkey.dsa, indent, 1); 469 } 470 471 static int 472 dsa_priv_print(BIO *bp, const EVP_PKEY *pkey, int indent, ASN1_PCTX *ctx) 473 { 474 return do_dsa_print(bp, pkey->pkey.dsa, indent, 2); 475 } 476 477 static int 478 old_dsa_priv_decode(EVP_PKEY *pkey, const unsigned char **pder, int derlen) 479 { 480 DSA *dsa; 481 BN_CTX *ctx = NULL; 482 BIGNUM *j, *p1, *newp1; 483 484 if (!(dsa = d2i_DSAPrivateKey(NULL, pder, derlen))) { 485 DSAerror(ERR_R_DSA_LIB); 486 return 0; 487 } 488 489 ctx = BN_CTX_new(); 490 if (ctx == NULL) 491 goto err; 492 493 /* 494 * Check that p and q are consistent with each other. 495 */ 496 497 j = BN_CTX_get(ctx); 498 p1 = BN_CTX_get(ctx); 499 newp1 = BN_CTX_get(ctx); 500 if (j == NULL || p1 == NULL || newp1 == NULL) 501 goto err; 502 /* p1 = p - 1 */ 503 if (BN_sub(p1, dsa->p, BN_value_one()) == 0) 504 goto err; 505 /* j = (p - 1) / q */ 506 if (BN_div_ct(j, NULL, p1, dsa->q, ctx) == 0) 507 goto err; 508 /* q * j should == p - 1 */ 509 if (BN_mul(newp1, dsa->q, j, ctx) == 0) 510 goto err; 511 if (BN_cmp(newp1, p1) != 0) { 512 DSAerror(DSA_R_BAD_Q_VALUE); 513 goto err; 514 } 515 516 /* 517 * Check that q is not a composite number. 518 */ 519 520 if (BN_is_prime_ex(dsa->q, BN_prime_checks, ctx, NULL) <= 0) { 521 DSAerror(DSA_R_BAD_Q_VALUE); 522 goto err; 523 } 524 525 BN_CTX_free(ctx); 526 527 EVP_PKEY_assign_DSA(pkey, dsa); 528 return 1; 529 530 err: 531 BN_CTX_free(ctx); 532 DSA_free(dsa); 533 return 0; 534 } 535 536 static int 537 old_dsa_priv_encode(const EVP_PKEY *pkey, unsigned char **pder) 538 { 539 return i2d_DSAPrivateKey(pkey->pkey.dsa, pder); 540 } 541 542 static int 543 dsa_sig_print(BIO *bp, const X509_ALGOR *sigalg, const ASN1_STRING *sig, 544 int indent, ASN1_PCTX *pctx) 545 { 546 DSA_SIG *dsa_sig; 547 const unsigned char *p; 548 549 if (!sig) { 550 if (BIO_puts(bp, "\n") <= 0) 551 return 0; 552 else 553 return 1; 554 } 555 p = sig->data; 556 dsa_sig = d2i_DSA_SIG(NULL, &p, sig->length); 557 if (dsa_sig) { 558 int rv = 0; 559 size_t buf_len = 0; 560 unsigned char *m = NULL; 561 562 update_buflen(dsa_sig->r, &buf_len); 563 update_buflen(dsa_sig->s, &buf_len); 564 m = malloc(buf_len + 10); 565 if (m == NULL) { 566 DSAerror(ERR_R_MALLOC_FAILURE); 567 goto err; 568 } 569 570 if (BIO_write(bp, "\n", 1) != 1) 571 goto err; 572 573 if (!ASN1_bn_print(bp, "r: ", dsa_sig->r, m, indent)) 574 goto err; 575 if (!ASN1_bn_print(bp, "s: ", dsa_sig->s, m, indent)) 576 goto err; 577 rv = 1; 578 err: 579 free(m); 580 DSA_SIG_free(dsa_sig); 581 return rv; 582 } 583 return X509_signature_dump(bp, sig, indent); 584 } 585 586 static int 587 dsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2) 588 { 589 switch (op) { 590 case ASN1_PKEY_CTRL_PKCS7_SIGN: 591 if (arg1 == 0) { 592 int snid, hnid; 593 X509_ALGOR *alg1, *alg2; 594 595 PKCS7_SIGNER_INFO_get0_algs(arg2, NULL, &alg1, &alg2); 596 if (alg1 == NULL || alg1->algorithm == NULL) 597 return -1; 598 hnid = OBJ_obj2nid(alg1->algorithm); 599 if (hnid == NID_undef) 600 return -1; 601 if (!OBJ_find_sigid_by_algs(&snid, hnid, 602 EVP_PKEY_id(pkey))) 603 return -1; 604 X509_ALGOR_set0(alg2, OBJ_nid2obj(snid), V_ASN1_UNDEF, 605 0); 606 } 607 return 1; 608 609 #ifndef OPENSSL_NO_CMS 610 case ASN1_PKEY_CTRL_CMS_SIGN: 611 if (arg1 == 0) { 612 int snid, hnid; 613 X509_ALGOR *alg1, *alg2; 614 615 CMS_SignerInfo_get0_algs(arg2, NULL, NULL, &alg1, &alg2); 616 if (alg1 == NULL || alg1->algorithm == NULL) 617 return -1; 618 hnid = OBJ_obj2nid(alg1->algorithm); 619 if (hnid == NID_undef) 620 return -1; 621 if (!OBJ_find_sigid_by_algs(&snid, hnid, EVP_PKEY_id(pkey))) 622 return -1; 623 X509_ALGOR_set0(alg2, OBJ_nid2obj(snid), V_ASN1_UNDEF, 0); 624 } 625 return 1; 626 627 case ASN1_PKEY_CTRL_CMS_RI_TYPE: 628 *(int *)arg2 = CMS_RECIPINFO_NONE; 629 return 1; 630 #endif 631 632 case ASN1_PKEY_CTRL_DEFAULT_MD_NID: 633 *(int *)arg2 = NID_sha1; 634 return 2; 635 636 default: 637 return -2; 638 } 639 } 640 641 /* NB these are sorted in pkey_id order, lowest first */ 642 643 const EVP_PKEY_ASN1_METHOD dsa_asn1_meths[] = { 644 { 645 .pkey_id = EVP_PKEY_DSA2, 646 .pkey_base_id = EVP_PKEY_DSA, 647 .pkey_flags = ASN1_PKEY_ALIAS 648 }, 649 650 { 651 .pkey_id = EVP_PKEY_DSA1, 652 .pkey_base_id = EVP_PKEY_DSA, 653 .pkey_flags = ASN1_PKEY_ALIAS 654 }, 655 656 { 657 .pkey_id = EVP_PKEY_DSA4, 658 .pkey_base_id = EVP_PKEY_DSA, 659 .pkey_flags = ASN1_PKEY_ALIAS 660 }, 661 662 { 663 .pkey_id = EVP_PKEY_DSA3, 664 .pkey_base_id = EVP_PKEY_DSA, 665 .pkey_flags = ASN1_PKEY_ALIAS 666 }, 667 668 { 669 .pkey_id = EVP_PKEY_DSA, 670 .pkey_base_id = EVP_PKEY_DSA, 671 672 .pem_str = "DSA", 673 .info = "OpenSSL DSA method", 674 675 .pub_decode = dsa_pub_decode, 676 .pub_encode = dsa_pub_encode, 677 .pub_cmp = dsa_pub_cmp, 678 .pub_print = dsa_pub_print, 679 680 .priv_decode = dsa_priv_decode, 681 .priv_encode = dsa_priv_encode, 682 .priv_print = dsa_priv_print, 683 684 .pkey_size = int_dsa_size, 685 .pkey_bits = dsa_bits, 686 687 .param_decode = dsa_param_decode, 688 .param_encode = dsa_param_encode, 689 .param_missing = dsa_missing_parameters, 690 .param_copy = dsa_copy_parameters, 691 .param_cmp = dsa_cmp_parameters, 692 .param_print = dsa_param_print, 693 .sig_print = dsa_sig_print, 694 695 .pkey_free = int_dsa_free, 696 .pkey_ctrl = dsa_pkey_ctrl, 697 .old_priv_decode = old_dsa_priv_decode, 698 .old_priv_encode = old_dsa_priv_encode 699 } 700 }; 701