1 /* $OpenBSD: rsa_ameth.c,v 1.57 2024/01/10 14:59:19 tb Exp $ */ 2 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 3 * project 2006. 4 */ 5 /* ==================================================================== 6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in 17 * the documentation and/or other materials provided with the 18 * distribution. 19 * 20 * 3. All advertising materials mentioning features or use of this 21 * software must display the following acknowledgment: 22 * "This product includes software developed by the OpenSSL Project 23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 24 * 25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 26 * endorse or promote products derived from this software without 27 * prior written permission. For written permission, please contact 28 * licensing@OpenSSL.org. 29 * 30 * 5. Products derived from this software may not be called "OpenSSL" 31 * nor may "OpenSSL" appear in their names without prior written 32 * permission of the OpenSSL Project. 33 * 34 * 6. Redistributions of any form whatsoever must retain the following 35 * acknowledgment: 36 * "This product includes software developed by the OpenSSL Project 37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 38 * 39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 50 * OF THE POSSIBILITY OF SUCH DAMAGE. 51 * ==================================================================== 52 * 53 * This product includes cryptographic software written by Eric Young 54 * (eay@cryptsoft.com). This product includes software written by Tim 55 * Hudson (tjh@cryptsoft.com). 56 * 57 */ 58 59 #include <stdio.h> 60 61 #include <openssl/opensslconf.h> 62 63 #include <openssl/asn1t.h> 64 #include <openssl/bn.h> 65 #include <openssl/cms.h> 66 #include <openssl/err.h> 67 #include <openssl/rsa.h> 68 #include <openssl/x509.h> 69 70 #include "asn1_local.h" 71 #include "bn_local.h" 72 #include "cryptlib.h" 73 #include "evp_local.h" 74 #include "rsa_local.h" 75 #include "x509_local.h" 76 77 #ifndef OPENSSL_NO_CMS 78 static int rsa_cms_sign(CMS_SignerInfo *si); 79 static int rsa_cms_verify(CMS_SignerInfo *si); 80 static int rsa_cms_decrypt(CMS_RecipientInfo *ri); 81 static int rsa_cms_encrypt(CMS_RecipientInfo *ri); 82 #endif 83 84 static RSA_PSS_PARAMS *rsa_pss_decode(const X509_ALGOR *alg); 85 86 static int rsa_alg_set_pkcs1_padding(X509_ALGOR *alg); 87 88 /* Set any parameters associated with pkey */ 89 static int 90 rsa_param_encode(const EVP_PKEY *pkey, ASN1_STRING **pstr, int *pstrtype) 91 { 92 const RSA *rsa = pkey->pkey.rsa; 93 94 *pstr = NULL; 95 96 /* If RSA it's just NULL type */ 97 if (pkey->ameth->pkey_id != EVP_PKEY_RSA_PSS) { 98 *pstrtype = V_ASN1_NULL; 99 return 1; 100 } 101 102 /* If no PSS parameters we omit parameters entirely */ 103 if (rsa->pss == NULL) { 104 *pstrtype = V_ASN1_UNDEF; 105 return 1; 106 } 107 108 /* Encode PSS parameters */ 109 if (ASN1_item_pack(rsa->pss, &RSA_PSS_PARAMS_it, pstr) == NULL) 110 return 0; 111 112 *pstrtype = V_ASN1_SEQUENCE; 113 return 1; 114 } 115 116 /* Decode any parameters and set them in RSA structure */ 117 static int 118 rsa_param_decode(RSA *rsa, const X509_ALGOR *alg) 119 { 120 const ASN1_OBJECT *algoid; 121 const void *algp; 122 int algptype; 123 124 X509_ALGOR_get0(&algoid, &algptype, &algp, alg); 125 if (OBJ_obj2nid(algoid) != EVP_PKEY_RSA_PSS) 126 return 1; 127 if (algptype == V_ASN1_UNDEF) 128 return 1; 129 if (algptype != V_ASN1_SEQUENCE) { 130 RSAerror(RSA_R_INVALID_PSS_PARAMETERS); 131 return 0; 132 } 133 rsa->pss = rsa_pss_decode(alg); 134 if (rsa->pss == NULL) 135 return 0; 136 return 1; 137 } 138 139 static int 140 rsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey) 141 { 142 ASN1_STRING *str = NULL; 143 int strtype; 144 unsigned char *penc = NULL; 145 int penclen = 0; 146 ASN1_OBJECT *aobj; 147 148 if (!rsa_param_encode(pkey, &str, &strtype)) 149 goto err; 150 if ((penclen = i2d_RSAPublicKey(pkey->pkey.rsa, &penc)) <= 0) { 151 penclen = 0; 152 goto err; 153 } 154 if ((aobj = OBJ_nid2obj(pkey->ameth->pkey_id)) == NULL) 155 goto err; 156 if (!X509_PUBKEY_set0_param(pk, aobj, strtype, str, penc, penclen)) 157 goto err; 158 159 return 1; 160 161 err: 162 ASN1_STRING_free(str); 163 freezero(penc, penclen); 164 165 return 0; 166 } 167 168 static int 169 rsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey) 170 { 171 const unsigned char *p; 172 int pklen; 173 X509_ALGOR *alg; 174 RSA *rsa = NULL; 175 176 if (!X509_PUBKEY_get0_param(NULL, &p, &pklen, &alg, pubkey)) 177 return 0; 178 if ((rsa = d2i_RSAPublicKey(NULL, &p, pklen)) == NULL) { 179 RSAerror(ERR_R_RSA_LIB); 180 return 0; 181 } 182 if (!rsa_param_decode(rsa, alg)) { 183 RSA_free(rsa); 184 return 0; 185 } 186 if (!EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa)) { 187 RSA_free(rsa); 188 return 0; 189 } 190 return 1; 191 } 192 193 static int 194 rsa_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b) 195 { 196 if (BN_cmp(b->pkey.rsa->n, a->pkey.rsa->n) != 0 || 197 BN_cmp(b->pkey.rsa->e, a->pkey.rsa->e) != 0) 198 return 0; 199 200 return 1; 201 } 202 203 static int 204 old_rsa_priv_decode(EVP_PKEY *pkey, const unsigned char **pder, int derlen) 205 { 206 RSA *rsa; 207 int ret = 0; 208 209 if ((rsa = d2i_RSAPrivateKey(NULL, pder, derlen)) == NULL) { 210 RSAerror(ERR_R_RSA_LIB); 211 goto err; 212 } 213 if (!EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa)) 214 goto err; 215 rsa = NULL; 216 217 ret = 1; 218 219 err: 220 RSA_free(rsa); 221 222 return ret; 223 } 224 225 static int 226 old_rsa_priv_encode(const EVP_PKEY *pkey, unsigned char **pder) 227 { 228 return i2d_RSAPrivateKey(pkey->pkey.rsa, pder); 229 } 230 231 static int 232 rsa_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey) 233 { 234 ASN1_STRING *str = NULL; 235 ASN1_OBJECT *aobj; 236 int strtype; 237 unsigned char *rk = NULL; 238 int rklen = 0; 239 240 if (!rsa_param_encode(pkey, &str, &strtype)) 241 goto err; 242 if ((rklen = i2d_RSAPrivateKey(pkey->pkey.rsa, &rk)) <= 0) { 243 RSAerror(ERR_R_MALLOC_FAILURE); 244 rklen = 0; 245 goto err; 246 } 247 if ((aobj = OBJ_nid2obj(pkey->ameth->pkey_id)) == NULL) 248 goto err; 249 if (!PKCS8_pkey_set0(p8, aobj, 0, strtype, str, rk, rklen)) { 250 RSAerror(ERR_R_MALLOC_FAILURE); 251 goto err; 252 } 253 254 return 1; 255 256 err: 257 ASN1_STRING_free(str); 258 freezero(rk, rklen); 259 260 return 0; 261 } 262 263 static int 264 rsa_priv_decode(EVP_PKEY *pkey, const PKCS8_PRIV_KEY_INFO *p8) 265 { 266 const unsigned char *p; 267 RSA *rsa = NULL; 268 int pklen; 269 const X509_ALGOR *alg; 270 int ret = 0; 271 272 if (!PKCS8_pkey_get0(NULL, &p, &pklen, &alg, p8)) 273 goto err; 274 if ((rsa = d2i_RSAPrivateKey(NULL, &p, pklen)) == NULL) 275 goto err; 276 if (!rsa_param_decode(rsa, alg)) 277 goto err; 278 if (!EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa)) 279 goto err; 280 rsa = NULL; 281 282 ret = 1; 283 284 err: 285 RSA_free(rsa); 286 287 return ret; 288 } 289 290 static int 291 rsa_size(const EVP_PKEY *pkey) 292 { 293 return RSA_size(pkey->pkey.rsa); 294 } 295 296 static int 297 rsa_bits(const EVP_PKEY *pkey) 298 { 299 return BN_num_bits(pkey->pkey.rsa->n); 300 } 301 302 static int 303 rsa_security_bits(const EVP_PKEY *pkey) 304 { 305 return RSA_security_bits(pkey->pkey.rsa); 306 } 307 308 static void 309 rsa_free(EVP_PKEY *pkey) 310 { 311 RSA_free(pkey->pkey.rsa); 312 } 313 314 static X509_ALGOR * 315 rsa_mgf1_decode(X509_ALGOR *alg) 316 { 317 if (OBJ_obj2nid(alg->algorithm) != NID_mgf1) 318 return NULL; 319 320 return ASN1_TYPE_unpack_sequence(&X509_ALGOR_it, alg->parameter); 321 } 322 323 static RSA_PSS_PARAMS * 324 rsa_pss_decode(const X509_ALGOR *alg) 325 { 326 RSA_PSS_PARAMS *pss; 327 328 pss = ASN1_TYPE_unpack_sequence(&RSA_PSS_PARAMS_it, alg->parameter); 329 if (pss == NULL) 330 return NULL; 331 332 if (pss->maskGenAlgorithm != NULL) { 333 pss->maskHash = rsa_mgf1_decode(pss->maskGenAlgorithm); 334 if (pss->maskHash == NULL) { 335 RSA_PSS_PARAMS_free(pss); 336 return NULL; 337 } 338 } 339 340 return pss; 341 } 342 343 static int 344 rsa_pss_param_print(BIO *bp, int pss_key, RSA_PSS_PARAMS *pss, int indent) 345 { 346 int rv = 0; 347 X509_ALGOR *maskHash = NULL; 348 349 if (!BIO_indent(bp, indent, 128)) 350 goto err; 351 if (pss_key) { 352 if (pss == NULL) { 353 if (BIO_puts(bp, "No PSS parameter restrictions\n") <= 0) 354 return 0; 355 return 1; 356 } else { 357 if (BIO_puts(bp, "PSS parameter restrictions:") <= 0) 358 return 0; 359 } 360 } else if (pss == NULL) { 361 if (BIO_puts(bp,"(INVALID PSS PARAMETERS)\n") <= 0) 362 return 0; 363 return 1; 364 } 365 if (BIO_puts(bp, "\n") <= 0) 366 goto err; 367 if (pss_key) 368 indent += 2; 369 if (!BIO_indent(bp, indent, 128)) 370 goto err; 371 if (BIO_puts(bp, "Hash Algorithm: ") <= 0) 372 goto err; 373 374 if (pss->hashAlgorithm) { 375 if (i2a_ASN1_OBJECT(bp, pss->hashAlgorithm->algorithm) <= 0) 376 goto err; 377 } else if (BIO_puts(bp, "sha1 (default)") <= 0) { 378 goto err; 379 } 380 381 if (BIO_puts(bp, "\n") <= 0) 382 goto err; 383 384 if (!BIO_indent(bp, indent, 128)) 385 goto err; 386 387 if (BIO_puts(bp, "Mask Algorithm: ") <= 0) 388 goto err; 389 if (pss->maskGenAlgorithm) { 390 if (i2a_ASN1_OBJECT(bp, pss->maskGenAlgorithm->algorithm) <= 0) 391 goto err; 392 if (BIO_puts(bp, " with ") <= 0) 393 goto err; 394 maskHash = rsa_mgf1_decode(pss->maskGenAlgorithm); 395 if (maskHash != NULL) { 396 if (i2a_ASN1_OBJECT(bp, maskHash->algorithm) <= 0) 397 goto err; 398 } else if (BIO_puts(bp, "INVALID") <= 0) { 399 goto err; 400 } 401 } else if (BIO_puts(bp, "mgf1 with sha1 (default)") <= 0) { 402 goto err; 403 } 404 BIO_puts(bp, "\n"); 405 406 if (!BIO_indent(bp, indent, 128)) 407 goto err; 408 if (BIO_printf(bp, "%s Salt Length: 0x", pss_key ? "Minimum" : "") <= 0) 409 goto err; 410 if (pss->saltLength) { 411 if (i2a_ASN1_INTEGER(bp, pss->saltLength) <= 0) 412 goto err; 413 } else if (BIO_puts(bp, "14 (default)") <= 0) { 414 goto err; 415 } 416 BIO_puts(bp, "\n"); 417 418 if (!BIO_indent(bp, indent, 128)) 419 goto err; 420 if (BIO_puts(bp, "Trailer Field: 0x") <= 0) 421 goto err; 422 if (pss->trailerField) { 423 if (i2a_ASN1_INTEGER(bp, pss->trailerField) <= 0) 424 goto err; 425 } else if (BIO_puts(bp, "BC (default)") <= 0) { 426 goto err; 427 } 428 BIO_puts(bp, "\n"); 429 430 rv = 1; 431 432 err: 433 X509_ALGOR_free(maskHash); 434 return rv; 435 436 } 437 438 static int 439 pkey_rsa_print(BIO *bp, const EVP_PKEY *pkey, int off, int priv) 440 { 441 const RSA *x = pkey->pkey.rsa; 442 char *str; 443 const char *s; 444 int ret = 0, mod_len = 0; 445 446 if (x->n != NULL) 447 mod_len = BN_num_bits(x->n); 448 449 if (!BIO_indent(bp, off, 128)) 450 goto err; 451 452 if (BIO_printf(bp, "%s ", 453 pkey->ameth->pkey_id == EVP_PKEY_RSA_PSS ? "RSA-PSS" : "RSA") <= 0) 454 goto err; 455 456 if (priv && x->d != NULL) { 457 if (BIO_printf(bp, "Private-Key: (%d bit)\n", mod_len) <= 0) 458 goto err; 459 str = "modulus:"; 460 s = "publicExponent:"; 461 } else { 462 if (BIO_printf(bp, "Public-Key: (%d bit)\n", mod_len) <= 0) 463 goto err; 464 str = "Modulus:"; 465 s = "Exponent:"; 466 } 467 if (!bn_printf(bp, x->n, off, "%s", str)) 468 goto err; 469 if (!bn_printf(bp, x->e, off, "%s", s)) 470 goto err; 471 if (priv) { 472 if (!bn_printf(bp, x->d, off, "privateExponent:")) 473 goto err; 474 if (!bn_printf(bp, x->p, off, "prime1:")) 475 goto err; 476 if (!bn_printf(bp, x->q, off, "prime2:")) 477 goto err; 478 if (!bn_printf(bp, x->dmp1, off, "exponent1:")) 479 goto err; 480 if (!bn_printf(bp, x->dmq1, off, "exponent2:")) 481 goto err; 482 if (!bn_printf(bp, x->iqmp, off, "coefficient:")) 483 goto err; 484 } 485 if (pkey->ameth->pkey_id == EVP_PKEY_RSA_PSS && 486 !rsa_pss_param_print(bp, 1, x->pss, off)) 487 goto err; 488 ret = 1; 489 err: 490 return ret; 491 } 492 493 static int 494 rsa_pub_print(BIO *bp, const EVP_PKEY *pkey, int indent, ASN1_PCTX *ctx) 495 { 496 return pkey_rsa_print(bp, pkey, indent, 0); 497 } 498 499 static int 500 rsa_priv_print(BIO *bp, const EVP_PKEY *pkey, int indent, ASN1_PCTX *ctx) 501 { 502 return pkey_rsa_print(bp, pkey, indent, 1); 503 } 504 505 static int 506 rsa_sig_print(BIO *bp, const X509_ALGOR *sigalg, const ASN1_STRING *sig, 507 int indent, ASN1_PCTX *pctx) 508 { 509 if (OBJ_obj2nid(sigalg->algorithm) == EVP_PKEY_RSA_PSS) { 510 int rv; 511 RSA_PSS_PARAMS *pss = rsa_pss_decode(sigalg); 512 513 rv = rsa_pss_param_print(bp, 0, pss, indent); 514 RSA_PSS_PARAMS_free(pss); 515 if (!rv) 516 return 0; 517 } else if (!sig && BIO_puts(bp, "\n") <= 0) { 518 return 0; 519 } 520 if (sig) 521 return X509_signature_dump(bp, sig, indent); 522 return 1; 523 } 524 525 static int 526 rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2) 527 { 528 X509_ALGOR *alg = NULL; 529 const EVP_MD *md; 530 const EVP_MD *mgf1md; 531 int min_saltlen; 532 533 switch (op) { 534 case ASN1_PKEY_CTRL_PKCS7_SIGN: 535 if (arg1 == 0) 536 PKCS7_SIGNER_INFO_get0_algs(arg2, NULL, NULL, &alg); 537 break; 538 539 case ASN1_PKEY_CTRL_PKCS7_ENCRYPT: 540 if (pkey->ameth->pkey_id == EVP_PKEY_RSA_PSS) 541 return -2; 542 if (arg1 == 0) 543 PKCS7_RECIP_INFO_get0_alg(arg2, &alg); 544 break; 545 #ifndef OPENSSL_NO_CMS 546 case ASN1_PKEY_CTRL_CMS_SIGN: 547 if (arg1 == 0) 548 return rsa_cms_sign(arg2); 549 else if (arg1 == 1) 550 return rsa_cms_verify(arg2); 551 break; 552 553 case ASN1_PKEY_CTRL_CMS_ENVELOPE: 554 if (pkey->ameth->pkey_id == EVP_PKEY_RSA_PSS) 555 return -2; 556 if (arg1 == 0) 557 return rsa_cms_encrypt(arg2); 558 else if (arg1 == 1) 559 return rsa_cms_decrypt(arg2); 560 break; 561 562 case ASN1_PKEY_CTRL_CMS_RI_TYPE: 563 if (pkey->ameth->pkey_id == EVP_PKEY_RSA_PSS) 564 return -2; 565 *(int *)arg2 = CMS_RECIPINFO_TRANS; 566 return 1; 567 #endif 568 569 case ASN1_PKEY_CTRL_DEFAULT_MD_NID: 570 if (pkey->pkey.rsa->pss != NULL) { 571 if (!rsa_pss_get_param(pkey->pkey.rsa->pss, &md, &mgf1md, 572 &min_saltlen)) { 573 RSAerror(ERR_R_INTERNAL_ERROR); 574 return 0; 575 } 576 *(int *)arg2 = EVP_MD_type(md); 577 /* Return of 2 indicates this MD is mandatory */ 578 return 2; 579 } 580 *(int *)arg2 = NID_sha256; 581 return 1; 582 583 default: 584 return -2; 585 } 586 587 if (alg != NULL) 588 return rsa_alg_set_pkcs1_padding(alg); 589 590 return 1; 591 } 592 593 static int 594 rsa_md_to_algor(const EVP_MD *md, X509_ALGOR **out_alg) 595 { 596 X509_ALGOR *alg = NULL; 597 int ret = 0; 598 599 X509_ALGOR_free(*out_alg); 600 *out_alg = NULL; 601 602 /* RFC 8017 - default hash is SHA-1 and hence omitted. */ 603 if (md == NULL || EVP_MD_type(md) == NID_sha1) 604 goto done; 605 606 if ((alg = X509_ALGOR_new()) == NULL) 607 goto err; 608 if (!X509_ALGOR_set_evp_md(alg, md)) 609 goto err; 610 611 done: 612 *out_alg = alg; 613 alg = NULL; 614 615 ret = 1; 616 617 err: 618 X509_ALGOR_free(alg); 619 620 return ret; 621 } 622 623 /* 624 * RFC 8017, A.2.1 and A.2.3 - encode maskGenAlgorithm for RSAES-OAEP 625 * and RSASSA-PSS. The default is mgfSHA1 and hence omitted. 626 */ 627 static int 628 rsa_mgf1md_to_maskGenAlgorithm(const EVP_MD *mgf1md, X509_ALGOR **out_alg) 629 { 630 X509_ALGOR *alg = NULL; 631 X509_ALGOR *inner_alg = NULL; 632 ASN1_STRING *astr = NULL; 633 int ret = 0; 634 635 X509_ALGOR_free(*out_alg); 636 *out_alg = NULL; 637 638 if (mgf1md == NULL || EVP_MD_type(mgf1md) == NID_sha1) 639 goto done; 640 641 if ((inner_alg = X509_ALGOR_new()) == NULL) 642 goto err; 643 if (!X509_ALGOR_set_evp_md(inner_alg, mgf1md)) 644 goto err; 645 if ((astr = ASN1_item_pack(inner_alg, &X509_ALGOR_it, NULL)) == NULL) 646 goto err; 647 648 if ((alg = X509_ALGOR_new()) == NULL) 649 goto err; 650 if (!X509_ALGOR_set0_by_nid(alg, NID_mgf1, V_ASN1_SEQUENCE, astr)) 651 goto err; 652 astr = NULL; 653 654 done: 655 *out_alg = alg; 656 alg = NULL; 657 658 ret = 1; 659 660 err: 661 X509_ALGOR_free(alg); 662 X509_ALGOR_free(inner_alg); 663 ASN1_STRING_free(astr); 664 665 return ret; 666 } 667 668 /* Convert algorithm ID to EVP_MD, defaults to SHA1. */ 669 static const EVP_MD * 670 rsa_algor_to_md(X509_ALGOR *alg) 671 { 672 const EVP_MD *md; 673 674 if (!alg) 675 return EVP_sha1(); 676 md = EVP_get_digestbyobj(alg->algorithm); 677 if (md == NULL) 678 RSAerror(RSA_R_UNKNOWN_DIGEST); 679 return md; 680 } 681 682 /* 683 * Convert EVP_PKEY_CTX in PSS mode into corresponding algorithm parameter, 684 * suitable for setting an AlgorithmIdentifier. 685 */ 686 static RSA_PSS_PARAMS * 687 rsa_ctx_to_pss(EVP_PKEY_CTX *pkey_ctx) 688 { 689 const EVP_MD *sigmd, *mgf1md; 690 EVP_PKEY *pk = EVP_PKEY_CTX_get0_pkey(pkey_ctx); 691 int saltlen; 692 693 if (EVP_PKEY_CTX_get_signature_md(pkey_ctx, &sigmd) <= 0) 694 return NULL; 695 if (EVP_PKEY_CTX_get_rsa_mgf1_md(pkey_ctx, &mgf1md) <= 0) 696 return NULL; 697 if (!EVP_PKEY_CTX_get_rsa_pss_saltlen(pkey_ctx, &saltlen)) 698 return NULL; 699 if (saltlen == -1) { 700 saltlen = EVP_MD_size(sigmd); 701 } else if (saltlen == -2 || saltlen == -3) { 702 saltlen = EVP_PKEY_size(pk) - EVP_MD_size(sigmd) - 2; 703 if ((EVP_PKEY_bits(pk) & 0x7) == 1) 704 saltlen--; 705 if (saltlen < 0) 706 return NULL; 707 } 708 709 return rsa_pss_params_create(sigmd, mgf1md, saltlen); 710 } 711 712 RSA_PSS_PARAMS * 713 rsa_pss_params_create(const EVP_MD *sigmd, const EVP_MD *mgf1md, int saltlen) 714 { 715 RSA_PSS_PARAMS *pss = NULL; 716 717 if (mgf1md == NULL) 718 mgf1md = sigmd; 719 720 if ((pss = RSA_PSS_PARAMS_new()) == NULL) 721 goto err; 722 723 if (!rsa_md_to_algor(sigmd, &pss->hashAlgorithm)) 724 goto err; 725 if (!rsa_mgf1md_to_maskGenAlgorithm(mgf1md, &pss->maskGenAlgorithm)) 726 goto err; 727 728 /* Translate mgf1md to X509_ALGOR in decoded form for internal use. */ 729 if (!rsa_md_to_algor(mgf1md, &pss->maskHash)) 730 goto err; 731 732 /* RFC 8017, A.2.3 - default saltLength is SHA_DIGEST_LENGTH. */ 733 if (saltlen != SHA_DIGEST_LENGTH) { 734 if ((pss->saltLength = ASN1_INTEGER_new()) == NULL) 735 goto err; 736 if (!ASN1_INTEGER_set(pss->saltLength, saltlen)) 737 goto err; 738 } 739 740 return pss; 741 742 err: 743 RSA_PSS_PARAMS_free(pss); 744 745 return NULL; 746 } 747 748 /* 749 * From PSS AlgorithmIdentifier set public key parameters. If pkey isn't NULL 750 * then the EVP_MD_CTX is setup and initialised. If it is NULL parameters are 751 * passed to pkey_ctx instead. 752 */ 753 754 static int 755 rsa_pss_to_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pkey_ctx, 756 X509_ALGOR *sigalg, EVP_PKEY *pkey) 757 { 758 int rv = -1; 759 int saltlen; 760 const EVP_MD *mgf1md = NULL, *md = NULL; 761 RSA_PSS_PARAMS *pss; 762 763 /* Sanity check: make sure it is PSS */ 764 if (OBJ_obj2nid(sigalg->algorithm) != EVP_PKEY_RSA_PSS) { 765 RSAerror(RSA_R_UNSUPPORTED_SIGNATURE_TYPE); 766 return -1; 767 } 768 /* Decode PSS parameters */ 769 pss = rsa_pss_decode(sigalg); 770 771 if (!rsa_pss_get_param(pss, &md, &mgf1md, &saltlen)) { 772 RSAerror(RSA_R_INVALID_PSS_PARAMETERS); 773 goto err; 774 } 775 776 /* We have all parameters now set up context */ 777 if (pkey) { 778 if (!EVP_DigestVerifyInit(ctx, &pkey_ctx, md, NULL, pkey)) 779 goto err; 780 } else { 781 const EVP_MD *checkmd; 782 if (EVP_PKEY_CTX_get_signature_md(pkey_ctx, &checkmd) <= 0) 783 goto err; 784 if (EVP_MD_type(md) != EVP_MD_type(checkmd)) { 785 RSAerror(RSA_R_DIGEST_DOES_NOT_MATCH); 786 goto err; 787 } 788 } 789 790 if (EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING) <= 0) 791 goto err; 792 793 if (EVP_PKEY_CTX_set_rsa_pss_saltlen(pkey_ctx, saltlen) <= 0) 794 goto err; 795 796 if (EVP_PKEY_CTX_set_rsa_mgf1_md(pkey_ctx, mgf1md) <= 0) 797 goto err; 798 /* Carry on */ 799 rv = 1; 800 801 err: 802 RSA_PSS_PARAMS_free(pss); 803 return rv; 804 } 805 806 int 807 rsa_pss_get_param(const RSA_PSS_PARAMS *pss, const EVP_MD **pmd, 808 const EVP_MD **pmgf1md, int *psaltlen) 809 { 810 if (pss == NULL) 811 return 0; 812 *pmd = rsa_algor_to_md(pss->hashAlgorithm); 813 if (*pmd == NULL) 814 return 0; 815 *pmgf1md = rsa_algor_to_md(pss->maskHash); 816 if (*pmgf1md == NULL) 817 return 0; 818 if (pss->saltLength) { 819 *psaltlen = ASN1_INTEGER_get(pss->saltLength); 820 if (*psaltlen < 0) { 821 RSAerror(RSA_R_INVALID_SALT_LENGTH); 822 return 0; 823 } 824 } else { 825 *psaltlen = 20; 826 } 827 828 /* 829 * low-level routines support only trailer field 0xbc (value 1) and 830 * PKCS#1 says we should reject any other value anyway. 831 */ 832 if (pss->trailerField && ASN1_INTEGER_get(pss->trailerField) != 1) { 833 RSAerror(RSA_R_INVALID_TRAILER); 834 return 0; 835 } 836 837 return 1; 838 } 839 840 #ifndef OPENSSL_NO_CMS 841 static int 842 rsa_cms_verify(CMS_SignerInfo *si) 843 { 844 int nid, nid2; 845 X509_ALGOR *alg; 846 EVP_PKEY_CTX *pkey_ctx = CMS_SignerInfo_get0_pkey_ctx(si); 847 848 CMS_SignerInfo_get0_algs(si, NULL, NULL, NULL, &alg); 849 nid = OBJ_obj2nid(alg->algorithm); 850 if (nid == EVP_PKEY_RSA_PSS) 851 return rsa_pss_to_ctx(NULL, pkey_ctx, alg, NULL); 852 /* Only PSS allowed for PSS keys */ 853 if (pkey_ctx->pmeth->pkey_id == EVP_PKEY_RSA_PSS) { 854 RSAerror(RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE); 855 return 0; 856 } 857 if (nid == NID_rsaEncryption) 858 return 1; 859 /* Workaround for some implementation that use a signature OID */ 860 if (OBJ_find_sigid_algs(nid, NULL, &nid2)) { 861 if (nid2 == NID_rsaEncryption) 862 return 1; 863 } 864 return 0; 865 } 866 #endif 867 868 /* 869 * Customised RSA item verification routine. This is called when a signature 870 * is encountered requiring special handling. We currently only handle PSS. 871 */ 872 static int 873 rsa_item_verify(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn, 874 X509_ALGOR *sigalg, ASN1_BIT_STRING *sig, EVP_PKEY *pkey) 875 { 876 /* Sanity check: make sure it is PSS */ 877 if (OBJ_obj2nid(sigalg->algorithm) != EVP_PKEY_RSA_PSS) { 878 RSAerror(RSA_R_UNSUPPORTED_SIGNATURE_TYPE); 879 return -1; 880 } 881 if (rsa_pss_to_ctx(ctx, NULL, sigalg, pkey) > 0) { 882 /* Carry on */ 883 return 2; 884 } 885 return -1; 886 } 887 888 static int 889 rsa_alg_set_pkcs1_padding(X509_ALGOR *alg) 890 { 891 return X509_ALGOR_set0_by_nid(alg, NID_rsaEncryption, V_ASN1_NULL, NULL); 892 } 893 894 static int 895 rsa_alg_set_pss_padding(X509_ALGOR *alg, EVP_PKEY_CTX *pkey_ctx) 896 { 897 RSA_PSS_PARAMS *pss = NULL; 898 ASN1_STRING *astr = NULL; 899 int ret = 0; 900 901 if (pkey_ctx == NULL) 902 goto err; 903 904 if ((pss = rsa_ctx_to_pss(pkey_ctx)) == NULL) 905 goto err; 906 if ((astr = ASN1_item_pack(pss, &RSA_PSS_PARAMS_it, NULL)) == NULL) 907 goto err; 908 if (!X509_ALGOR_set0_by_nid(alg, EVP_PKEY_RSA_PSS, V_ASN1_SEQUENCE, astr)) 909 goto err; 910 astr = NULL; 911 912 ret = 1; 913 914 err: 915 ASN1_STRING_free(astr); 916 RSA_PSS_PARAMS_free(pss); 917 918 return ret; 919 } 920 921 #ifndef OPENSSL_NO_CMS 922 static int 923 rsa_alg_set_oaep_padding(X509_ALGOR *alg, EVP_PKEY_CTX *pkey_ctx) 924 { 925 const EVP_MD *md, *mgf1md; 926 RSA_OAEP_PARAMS *oaep = NULL; 927 ASN1_STRING *astr = NULL; 928 ASN1_OCTET_STRING *ostr = NULL; 929 unsigned char *label; 930 int labellen; 931 int ret = 0; 932 933 if (EVP_PKEY_CTX_get_rsa_oaep_md(pkey_ctx, &md) <= 0) 934 goto err; 935 if (EVP_PKEY_CTX_get_rsa_mgf1_md(pkey_ctx, &mgf1md) <= 0) 936 goto err; 937 labellen = EVP_PKEY_CTX_get0_rsa_oaep_label(pkey_ctx, &label); 938 if (labellen < 0) 939 goto err; 940 941 if ((oaep = RSA_OAEP_PARAMS_new()) == NULL) 942 goto err; 943 944 if (!rsa_md_to_algor(md, &oaep->hashFunc)) 945 goto err; 946 if (!rsa_mgf1md_to_maskGenAlgorithm(mgf1md, &oaep->maskGenFunc)) 947 goto err; 948 949 /* XXX - why do we not set oaep->maskHash here? */ 950 951 if (labellen > 0) { 952 if ((oaep->pSourceFunc = X509_ALGOR_new()) == NULL) 953 goto err; 954 if ((ostr = ASN1_OCTET_STRING_new()) == NULL) 955 goto err; 956 if (!ASN1_OCTET_STRING_set(ostr, label, labellen)) 957 goto err; 958 if (!X509_ALGOR_set0_by_nid(oaep->pSourceFunc, NID_pSpecified, 959 V_ASN1_OCTET_STRING, ostr)) 960 goto err; 961 ostr = NULL; 962 } 963 964 if ((astr = ASN1_item_pack(oaep, &RSA_OAEP_PARAMS_it, NULL)) == NULL) 965 goto err; 966 if (!X509_ALGOR_set0_by_nid(alg, NID_rsaesOaep, V_ASN1_SEQUENCE, astr)) 967 goto err; 968 astr = NULL; 969 970 ret = 1; 971 972 err: 973 RSA_OAEP_PARAMS_free(oaep); 974 ASN1_STRING_free(astr); 975 ASN1_OCTET_STRING_free(ostr); 976 977 return ret; 978 } 979 980 static int 981 rsa_cms_sign(CMS_SignerInfo *si) 982 { 983 EVP_PKEY_CTX *pkey_ctx; 984 X509_ALGOR *alg; 985 int pad_mode = RSA_PKCS1_PADDING; 986 987 if ((pkey_ctx = CMS_SignerInfo_get0_pkey_ctx(si)) != NULL) { 988 if (EVP_PKEY_CTX_get_rsa_padding(pkey_ctx, &pad_mode) <= 0) 989 return 0; 990 } 991 992 CMS_SignerInfo_get0_algs(si, NULL, NULL, NULL, &alg); 993 if (pad_mode == RSA_PKCS1_PADDING) 994 return rsa_alg_set_pkcs1_padding(alg); 995 if (pad_mode == RSA_PKCS1_PSS_PADDING) 996 return rsa_alg_set_pss_padding(alg, pkey_ctx); 997 998 return 0; 999 } 1000 #endif 1001 1002 static int 1003 rsa_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn, 1004 X509_ALGOR *alg1, X509_ALGOR *alg2, ASN1_BIT_STRING *sig) 1005 { 1006 EVP_PKEY_CTX *pkey_ctx = ctx->pctx; 1007 int pad_mode; 1008 1009 if (EVP_PKEY_CTX_get_rsa_padding(pkey_ctx, &pad_mode) <= 0) 1010 return 0; 1011 if (pad_mode == RSA_PKCS1_PADDING) 1012 return 2; 1013 if (pad_mode == RSA_PKCS1_PSS_PADDING) { 1014 if (!rsa_alg_set_pss_padding(alg1, pkey_ctx)) 1015 return 0; 1016 if (alg2 != NULL) { 1017 if (!rsa_alg_set_pss_padding(alg2, pkey_ctx)) 1018 return 0; 1019 } 1020 return 3; 1021 } 1022 return 2; 1023 } 1024 1025 static int 1026 rsa_pkey_check(const EVP_PKEY *pkey) 1027 { 1028 return RSA_check_key(pkey->pkey.rsa); 1029 } 1030 1031 #ifndef OPENSSL_NO_CMS 1032 static RSA_OAEP_PARAMS * 1033 rsa_oaep_decode(const X509_ALGOR *alg) 1034 { 1035 RSA_OAEP_PARAMS *oaep; 1036 1037 oaep = ASN1_TYPE_unpack_sequence(&RSA_OAEP_PARAMS_it, alg->parameter); 1038 if (oaep == NULL) 1039 return NULL; 1040 1041 if (oaep->maskGenFunc != NULL) { 1042 oaep->maskHash = rsa_mgf1_decode(oaep->maskGenFunc); 1043 if (oaep->maskHash == NULL) { 1044 RSA_OAEP_PARAMS_free(oaep); 1045 return NULL; 1046 } 1047 } 1048 return oaep; 1049 } 1050 1051 static int 1052 rsa_cms_decrypt(CMS_RecipientInfo *ri) 1053 { 1054 EVP_PKEY_CTX *pkctx; 1055 X509_ALGOR *cmsalg; 1056 int nid; 1057 int rv = -1; 1058 unsigned char *label = NULL; 1059 int labellen = 0; 1060 const EVP_MD *mgf1md = NULL, *md = NULL; 1061 RSA_OAEP_PARAMS *oaep; 1062 1063 pkctx = CMS_RecipientInfo_get0_pkey_ctx(ri); 1064 if (pkctx == NULL) 1065 return 0; 1066 if (!CMS_RecipientInfo_ktri_get0_algs(ri, NULL, NULL, &cmsalg)) 1067 return -1; 1068 nid = OBJ_obj2nid(cmsalg->algorithm); 1069 if (nid == NID_rsaEncryption) 1070 return 1; 1071 if (nid != NID_rsaesOaep) { 1072 RSAerror(RSA_R_UNSUPPORTED_ENCRYPTION_TYPE); 1073 return -1; 1074 } 1075 /* Decode OAEP parameters */ 1076 oaep = rsa_oaep_decode(cmsalg); 1077 1078 if (oaep == NULL) { 1079 RSAerror(RSA_R_INVALID_OAEP_PARAMETERS); 1080 goto err; 1081 } 1082 1083 mgf1md = rsa_algor_to_md(oaep->maskHash); 1084 if (mgf1md == NULL) 1085 goto err; 1086 md = rsa_algor_to_md(oaep->hashFunc); 1087 if (md == NULL) 1088 goto err; 1089 1090 if (oaep->pSourceFunc != NULL) { 1091 X509_ALGOR *plab = oaep->pSourceFunc; 1092 1093 if (OBJ_obj2nid(plab->algorithm) != NID_pSpecified) { 1094 RSAerror(RSA_R_UNSUPPORTED_LABEL_SOURCE); 1095 goto err; 1096 } 1097 if (plab->parameter->type != V_ASN1_OCTET_STRING) { 1098 RSAerror(RSA_R_INVALID_LABEL); 1099 goto err; 1100 } 1101 1102 label = plab->parameter->value.octet_string->data; 1103 1104 /* Stop label being freed when OAEP parameters are freed */ 1105 /* XXX - this leaks label on error... */ 1106 plab->parameter->value.octet_string->data = NULL; 1107 labellen = plab->parameter->value.octet_string->length; 1108 } 1109 1110 if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_OAEP_PADDING) <= 0) 1111 goto err; 1112 if (EVP_PKEY_CTX_set_rsa_oaep_md(pkctx, md) <= 0) 1113 goto err; 1114 if (EVP_PKEY_CTX_set_rsa_mgf1_md(pkctx, mgf1md) <= 0) 1115 goto err; 1116 if (EVP_PKEY_CTX_set0_rsa_oaep_label(pkctx, label, labellen) <= 0) 1117 goto err; 1118 1119 rv = 1; 1120 1121 err: 1122 RSA_OAEP_PARAMS_free(oaep); 1123 return rv; 1124 } 1125 1126 static int 1127 rsa_cms_encrypt(CMS_RecipientInfo *ri) 1128 { 1129 X509_ALGOR *alg; 1130 EVP_PKEY_CTX *pkey_ctx; 1131 int pad_mode = RSA_PKCS1_PADDING; 1132 1133 if ((pkey_ctx = CMS_RecipientInfo_get0_pkey_ctx(ri)) != NULL) { 1134 if (EVP_PKEY_CTX_get_rsa_padding(pkey_ctx, &pad_mode) <= 0) 1135 return 0; 1136 } 1137 1138 if (!CMS_RecipientInfo_ktri_get0_algs(ri, NULL, NULL, &alg)) 1139 return 0; 1140 if (pad_mode == RSA_PKCS1_PADDING) 1141 return rsa_alg_set_pkcs1_padding(alg); 1142 if (pad_mode == RSA_PKCS1_OAEP_PADDING) 1143 return rsa_alg_set_oaep_padding(alg, pkey_ctx); 1144 1145 return 0; 1146 } 1147 #endif 1148 1149 const EVP_PKEY_ASN1_METHOD rsa_asn1_meth = { 1150 .base_method = &rsa_asn1_meth, 1151 .pkey_id = EVP_PKEY_RSA, 1152 .pkey_flags = ASN1_PKEY_SIGPARAM_NULL, 1153 1154 .pem_str = "RSA", 1155 .info = "OpenSSL RSA method", 1156 1157 .pub_decode = rsa_pub_decode, 1158 .pub_encode = rsa_pub_encode, 1159 .pub_cmp = rsa_pub_cmp, 1160 .pub_print = rsa_pub_print, 1161 1162 .priv_decode = rsa_priv_decode, 1163 .priv_encode = rsa_priv_encode, 1164 .priv_print = rsa_priv_print, 1165 1166 .pkey_size = rsa_size, 1167 .pkey_bits = rsa_bits, 1168 .pkey_security_bits = rsa_security_bits, 1169 1170 .sig_print = rsa_sig_print, 1171 1172 .pkey_free = rsa_free, 1173 .pkey_ctrl = rsa_pkey_ctrl, 1174 .old_priv_decode = old_rsa_priv_decode, 1175 .old_priv_encode = old_rsa_priv_encode, 1176 .item_verify = rsa_item_verify, 1177 .item_sign = rsa_item_sign, 1178 1179 .pkey_check = rsa_pkey_check, 1180 }; 1181 1182 const EVP_PKEY_ASN1_METHOD rsa2_asn1_meth = { 1183 .base_method = &rsa_asn1_meth, 1184 .pkey_id = EVP_PKEY_RSA2, 1185 .pkey_flags = ASN1_PKEY_ALIAS, 1186 1187 .pkey_check = rsa_pkey_check, 1188 }; 1189 1190 const EVP_PKEY_ASN1_METHOD rsa_pss_asn1_meth = { 1191 .base_method = &rsa_pss_asn1_meth, 1192 .pkey_id = EVP_PKEY_RSA_PSS, 1193 .pkey_flags = ASN1_PKEY_SIGPARAM_NULL, 1194 1195 .pem_str = "RSA-PSS", 1196 .info = "OpenSSL RSA-PSS method", 1197 1198 .pub_decode = rsa_pub_decode, 1199 .pub_encode = rsa_pub_encode, 1200 .pub_cmp = rsa_pub_cmp, 1201 .pub_print = rsa_pub_print, 1202 1203 .priv_decode = rsa_priv_decode, 1204 .priv_encode = rsa_priv_encode, 1205 .priv_print = rsa_priv_print, 1206 1207 .pkey_size = rsa_size, 1208 .pkey_bits = rsa_bits, 1209 .pkey_security_bits = rsa_security_bits, 1210 1211 .sig_print = rsa_sig_print, 1212 1213 .pkey_free = rsa_free, 1214 .pkey_ctrl = rsa_pkey_ctrl, 1215 .item_verify = rsa_item_verify, 1216 .item_sign = rsa_item_sign 1217 }; 1218