]> git.ipfire.org Git - thirdparty/openssl.git/blob - providers/common/der/der_rsa_key.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Refactor the provider side DER constants and writers
[thirdparty/openssl.git] / providers / common / der / der_rsa_key.c
1 /*
2 * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <openssl/obj_mac.h>
11 #include "internal/cryptlib.h"
12 #include "prov/der_rsa.h"
13 #include "prov/der_digests.h"
14
15 /* More complex pre-compiled sequences. TODO(3.0) refactor? */
16 /*-
17 * From https://tools.ietf.org/html/rfc8017#appendix-A.2.1
18 *
19 * OAEP-PSSDigestAlgorithms ALGORITHM-IDENTIFIER ::= {
20 * { OID id-sha1 PARAMETERS NULL }|
21 * { OID id-sha224 PARAMETERS NULL }|
22 * { OID id-sha256 PARAMETERS NULL }|
23 * { OID id-sha384 PARAMETERS NULL }|
24 * { OID id-sha512 PARAMETERS NULL }|
25 * { OID id-sha512-224 PARAMETERS NULL }|
26 * { OID id-sha512-256 PARAMETERS NULL },
27 * ... -- Allows for future expansion --
28 * }
29 */
30 #define DER_V_NULL DER_P_NULL, 0
31 #define DER_SZ_NULL 2
32
33 /*
34 * The names for the hash function AlgorithmIdentifiers are borrowed and
35 * expanded from https://tools.ietf.org/html/rfc4055#section-2.1
36 *
37 * sha1Identifier AlgorithmIdentifier ::= { id-sha1, NULL }
38 * sha224Identifier AlgorithmIdentifier ::= { id-sha224, NULL }
39 * sha256Identifier AlgorithmIdentifier ::= { id-sha256, NULL }
40 * sha384Identifier AlgorithmIdentifier ::= { id-sha384, NULL }
41 * sha512Identifier AlgorithmIdentifier ::= { id-sha512, NULL }
42 */
43 /*
44 * NOTE: Some of the arrays aren't used other than inside sizeof(), which
45 * clang complains about (-Wno-unneeded-internal-declaration). To get
46 * around that, we make them non-static, and declare them an extra time to
47 * avoid compilers complaining about definitions without declarations.
48 */
49 #if 0 /* Currently unused */
50 #define DER_AID_V_sha1Identifier \
51 DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
52 DER_OID_SZ_id_sha1 + DER_SZ_NULL, \
53 DER_OID_V_id_sha1, \
54 DER_V_NULL
55 extern const unsigned char der_aid_sha1Identifier[];
56 const unsigned char der_aid_sha1Identifier[] = {
57 DER_AID_V_sha1Identifier
58 };
59 #define DER_AID_SZ_sha1Identifier sizeof(der_aid_sha1Identifier)
60 #endif
61
62 #define DER_AID_V_sha224Identifier \
63 DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
64 DER_OID_SZ_id_sha224 + DER_SZ_NULL, \
65 DER_OID_V_id_sha224, \
66 DER_V_NULL
67 extern const unsigned char der_aid_sha224Identifier[];
68 const unsigned char der_aid_sha224Identifier[] = {
69 DER_AID_V_sha224Identifier
70 };
71 #define DER_AID_SZ_sha224Identifier sizeof(der_aid_sha224Identifier)
72
73 #define DER_AID_V_sha256Identifier \
74 DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
75 DER_OID_SZ_id_sha256 + DER_SZ_NULL, \
76 DER_OID_V_id_sha256, \
77 DER_V_NULL
78 extern const unsigned char der_aid_sha256Identifier[];
79 const unsigned char der_aid_sha256Identifier[] = {
80 DER_AID_V_sha256Identifier
81 };
82 #define DER_AID_SZ_sha256Identifier sizeof(der_aid_sha256Identifier)
83
84 #define DER_AID_V_sha384Identifier \
85 DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
86 DER_OID_SZ_id_sha384 + DER_SZ_NULL, \
87 DER_OID_V_id_sha384, \
88 DER_V_NULL
89 extern const unsigned char der_aid_sha384Identifier[];
90 const unsigned char der_aid_sha384Identifier[] = {
91 DER_AID_V_sha384Identifier
92 };
93 #define DER_AID_SZ_sha384Identifier sizeof(der_aid_sha384Identifier)
94
95 #define DER_AID_V_sha512Identifier \
96 DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
97 DER_OID_SZ_id_sha512 + DER_SZ_NULL, \
98 DER_OID_V_id_sha512, \
99 DER_V_NULL
100 extern const unsigned char der_aid_sha512Identifier[];
101 const unsigned char der_aid_sha512Identifier[] = {
102 DER_AID_V_sha512Identifier
103 };
104 #define DER_AID_SZ_sha512Identifier sizeof(der_aid_sha512Identifier)
105
106 #define DER_AID_V_sha512_224Identifier \
107 DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
108 DER_OID_SZ_id_sha512_224 + DER_SZ_NULL, \
109 DER_OID_V_id_sha512_224, \
110 DER_V_NULL
111 extern const unsigned char der_aid_sha512_224Identifier[];
112 const unsigned char der_aid_sha512_224Identifier[] = {
113 DER_AID_V_sha512_224Identifier
114 };
115 #define DER_AID_SZ_sha512_224Identifier sizeof(der_aid_sha512_224Identifier)
116
117 #define DER_AID_V_sha512_256Identifier \
118 DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
119 DER_OID_SZ_id_sha512_256 + DER_SZ_NULL, \
120 DER_OID_V_id_sha512_256, \
121 DER_V_NULL
122 extern const unsigned char der_aid_sha512_256Identifier[];
123 const unsigned char der_aid_sha512_256Identifier[] = {
124 DER_AID_V_sha512_256Identifier
125 };
126 #define DER_AID_SZ_sha512_256Identifier sizeof(der_aid_sha512_256Identifier)
127
128 /*-
129 * From https://tools.ietf.org/html/rfc8017#appendix-A.2.1
130 *
131 * HashAlgorithm ::= AlgorithmIdentifier {
132 * {OAEP-PSSDigestAlgorithms}
133 * }
134 *
135 * ...
136 *
137 * PKCS1MGFAlgorithms ALGORITHM-IDENTIFIER ::= {
138 * { OID id-mgf1 PARAMETERS HashAlgorithm },
139 * ... -- Allows for future expansion --
140 * }
141 */
142
143 /*
144 * The names for the MGF1 AlgorithmIdentifiers are borrowed and expanded
145 * from https://tools.ietf.org/html/rfc4055#section-2.1
146 *
147 * mgf1SHA1Identifier AlgorithmIdentifier ::=
148 * { id-mgf1, sha1Identifier }
149 * mgf1SHA224Identifier AlgorithmIdentifier ::=
150 * { id-mgf1, sha224Identifier }
151 * mgf1SHA256Identifier AlgorithmIdentifier ::=
152 * { id-mgf1, sha256Identifier }
153 * mgf1SHA384Identifier AlgorithmIdentifier ::=
154 * { id-mgf1, sha384Identifier }
155 * mgf1SHA512Identifier AlgorithmIdentifier ::=
156 * { id-mgf1, sha512Identifier }
157 */
158 #if 0 /* Currently unused */
159 #define DER_AID_V_mgf1SHA1Identifier \
160 DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
161 DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha1Identifier, \
162 DER_OID_V_id_mgf1, \
163 DER_AID_V_sha1Identifier
164 static const unsigned char der_aid_mgf1SHA1Identifier[] = {
165 DER_AID_V_mgf1SHA1Identifier
166 };
167 #define DER_AID_SZ_mgf1SHA1Identifier sizeof(der_aid_mgf1SHA1Identifier)
168 #endif
169
170 #define DER_AID_V_mgf1SHA224Identifier \
171 DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
172 DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha224Identifier, \
173 DER_OID_V_id_mgf1, \
174 DER_AID_V_sha224Identifier
175 static const unsigned char der_aid_mgf1SHA224Identifier[] = {
176 DER_AID_V_mgf1SHA224Identifier
177 };
178 #define DER_AID_SZ_mgf1SHA224Identifier sizeof(der_aid_mgf1SHA224Identifier)
179
180 #define DER_AID_V_mgf1SHA256Identifier \
181 DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
182 DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha256Identifier, \
183 DER_OID_V_id_mgf1, \
184 DER_AID_V_sha256Identifier
185 static const unsigned char der_aid_mgf1SHA256Identifier[] = {
186 DER_AID_V_mgf1SHA256Identifier
187 };
188 #define DER_AID_SZ_mgf1SHA256Identifier sizeof(der_aid_mgf1SHA256Identifier)
189
190 #define DER_AID_V_mgf1SHA384Identifier \
191 DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
192 DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha384Identifier, \
193 DER_OID_V_id_mgf1, \
194 DER_AID_V_sha384Identifier
195 static const unsigned char der_aid_mgf1SHA384Identifier[] = {
196 DER_AID_V_mgf1SHA384Identifier
197 };
198 #define DER_AID_SZ_mgf1SHA384Identifier sizeof(der_aid_mgf1SHA384Identifier)
199
200 #define DER_AID_V_mgf1SHA512Identifier \
201 DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
202 DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha512Identifier, \
203 DER_OID_V_id_mgf1, \
204 DER_AID_V_sha512Identifier
205 static const unsigned char der_aid_mgf1SHA512Identifier[] = {
206 DER_AID_V_mgf1SHA512Identifier
207 };
208 #define DER_AID_SZ_mgf1SHA512Identifier sizeof(der_aid_mgf1SHA512Identifier)
209
210 #define DER_AID_V_mgf1SHA512_224Identifier \
211 DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
212 DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha512_224Identifier, \
213 DER_OID_V_id_mgf1, \
214 DER_AID_V_sha512_224Identifier
215 static const unsigned char der_aid_mgf1SHA512_224Identifier[] = {
216 DER_AID_V_mgf1SHA512_224Identifier
217 };
218 #define DER_AID_SZ_mgf1SHA512_224Identifier sizeof(der_aid_mgf1SHA512_224Identifier)
219
220 #define DER_AID_V_mgf1SHA512_256Identifier \
221 DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
222 DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha512_256Identifier, \
223 DER_OID_V_id_mgf1, \
224 DER_AID_V_sha512_256Identifier
225 static const unsigned char der_aid_mgf1SHA512_256Identifier[] = {
226 DER_AID_V_mgf1SHA512_256Identifier
227 };
228 #define DER_AID_SZ_mgf1SHA512_256Identifier sizeof(der_aid_mgf1SHA512_256Identifier)
229
230
231 #define MGF1_SHA_CASE(bits, var) \
232 case NID_sha##bits: \
233 var = der_aid_mgf1SHA##bits##Identifier; \
234 var##_sz = sizeof(der_aid_mgf1SHA##bits##Identifier); \
235 break;
236
237 /*-
238 * The name is borrowed from https://tools.ietf.org/html/rfc8017#appendix-A.2.1
239 *
240 * MaskGenAlgorithm ::= AlgorithmIdentifier { {PKCS1MGFAlgorithms} }
241 */
242 static int DER_w_MaskGenAlgorithm(WPACKET *pkt, int tag,
243 const RSA_PSS_PARAMS_30 *pss)
244 {
245 if (pss != NULL && rsa_pss_params_30_maskgenalg(pss) == NID_mgf1) {
246 int maskgenhashalg_nid = rsa_pss_params_30_maskgenhashalg(pss);
247 const unsigned char *maskgenalg = NULL;
248 size_t maskgenalg_sz = 0;
249
250 switch (maskgenhashalg_nid) {
251 case NID_sha1:
252 break;
253 MGF1_SHA_CASE(224, maskgenalg);
254 MGF1_SHA_CASE(256, maskgenalg);
255 MGF1_SHA_CASE(384, maskgenalg);
256 MGF1_SHA_CASE(512, maskgenalg);
257 MGF1_SHA_CASE(512_224, maskgenalg);
258 MGF1_SHA_CASE(512_256, maskgenalg);
259 default:
260 return 0;
261 }
262
263 /* If there is none (or it was the default), we write nothing */
264 if (maskgenalg == NULL)
265 return 1;
266
267 return DER_w_precompiled(pkt, tag, maskgenalg, maskgenalg_sz);
268 }
269 return 0;
270 }
271
272 #define OAEP_PSS_MD_CASE(name, var) \
273 case NID_##name: \
274 var = der_oid_id_##name; \
275 var##_sz = sizeof(der_oid_id_##name); \
276 break;
277
278 int DER_w_RSASSA_PSS_params(WPACKET *pkt, int tag, const RSA_PSS_PARAMS_30 *pss)
279 {
280 int hashalg_nid, default_hashalg_nid;
281 int saltlen, default_saltlen;
282 int trailerfield, default_trailerfield;
283 const unsigned char *hashalg = NULL;
284 size_t hashalg_sz = 0;
285
286 /*
287 * For an unrestricted key, this function should not have been called;
288 * the caller must be in control, because unrestricted keys are permitted
289 * in some situations (when encoding the public key in a SubjectKeyInfo,
290 * for example) while not in others, and this function doesn't know the
291 * intent. Therefore, we assert that here, the PSS parameters must show
292 * that the key is restricted.
293 */
294 if (!ossl_assert(pss != NULL && !rsa_pss_params_30_is_unrestricted(pss)))
295 return 0;
296
297 hashalg_nid = rsa_pss_params_30_hashalg(pss);
298 saltlen = rsa_pss_params_30_saltlen(pss);
299 trailerfield = rsa_pss_params_30_trailerfield(pss);
300
301 /* Getting default values */
302 default_hashalg_nid = rsa_pss_params_30_hashalg(NULL);
303 default_saltlen = rsa_pss_params_30_saltlen(NULL);
304 default_trailerfield = rsa_pss_params_30_trailerfield(NULL);
305
306 /*
307 * From https://tools.ietf.org/html/rfc8017#appendix-A.2.1:
308 *
309 * OAEP-PSSDigestAlgorithms ALGORITHM-IDENTIFIER ::= {
310 * { OID id-sha1 PARAMETERS NULL }|
311 * { OID id-sha224 PARAMETERS NULL }|
312 * { OID id-sha256 PARAMETERS NULL }|
313 * { OID id-sha384 PARAMETERS NULL }|
314 * { OID id-sha512 PARAMETERS NULL }|
315 * { OID id-sha512-224 PARAMETERS NULL }|
316 * { OID id-sha512-256 PARAMETERS NULL },
317 * ... -- Allows for future expansion --
318 * }
319 */
320 switch (hashalg_nid) {
321 OAEP_PSS_MD_CASE(sha1, hashalg);
322 OAEP_PSS_MD_CASE(sha224, hashalg);
323 OAEP_PSS_MD_CASE(sha256, hashalg);
324 OAEP_PSS_MD_CASE(sha384, hashalg);
325 OAEP_PSS_MD_CASE(sha512, hashalg);
326 OAEP_PSS_MD_CASE(sha512_224, hashalg);
327 OAEP_PSS_MD_CASE(sha512_256, hashalg);
328 default:
329 return 0;
330 }
331
332 return DER_w_begin_sequence(pkt, tag)
333 && (trailerfield == default_trailerfield
334 || DER_w_ulong(pkt, 3, trailerfield))
335 && (saltlen == default_saltlen || DER_w_ulong(pkt, 2, saltlen))
336 && DER_w_MaskGenAlgorithm(pkt, 1, pss)
337 && (hashalg_nid == default_hashalg_nid
338 || DER_w_precompiled(pkt, 0, hashalg, hashalg_sz))
339 && DER_w_end_sequence(pkt, tag);
340 }
341
342 /* Aliases so we can have a uniform RSA_CASE */
343 #define der_oid_rsassaPss der_oid_id_RSASSA_PSS
344
345 #define RSA_CASE(name, var) \
346 var##_nid = NID_##name; \
347 var##_oid = der_oid_##name; \
348 var##_oid_sz = sizeof(der_oid_##name); \
349 break;
350
351 int DER_w_algorithmIdentifier_RSA(WPACKET *pkt, int tag, RSA *rsa)
352 {
353 int rsa_nid = NID_undef;
354 const unsigned char *rsa_oid = NULL;
355 size_t rsa_oid_sz = 0;
356 RSA_PSS_PARAMS_30 *pss_params = rsa_get0_pss_params_30(rsa);
357
358 switch (RSA_test_flags(rsa, RSA_FLAG_TYPE_MASK)) {
359 case RSA_FLAG_TYPE_RSA:
360 RSA_CASE(rsaEncryption, rsa);
361 case RSA_FLAG_TYPE_RSASSAPSS:
362 RSA_CASE(rsassaPss, rsa);
363 }
364
365 if (rsa_oid == NULL)
366 return 0;
367
368 return DER_w_begin_sequence(pkt, tag)
369 && (rsa_nid != NID_rsassaPss
370 || rsa_pss_params_30_is_unrestricted(pss_params)
371 || DER_w_RSASSA_PSS_params(pkt, -1, pss_params))
372 && DER_w_precompiled(pkt, -1, rsa_oid, rsa_oid_sz)
373 && DER_w_end_sequence(pkt, tag);
374 }
A mirror of the official openssl repository