2 * Copyright (C) 2008-2017 Tobias Brunner
3 * Copyright (C) 2009 Martin Willi
4 * HSR Hochschule fuer Technik Rapperswil
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
17 #include <openssl/opensslconf.h>
19 #ifndef OPENSSL_NO_RSA
21 #include "openssl_rsa_public_key.h"
22 #include "openssl_hasher.h"
23 #include "openssl_util.h"
25 #include <utils/debug.h>
26 #include <credentials/keys/signature_params.h>
28 #include <openssl/bn.h>
29 #include <openssl/evp.h>
30 #include <openssl/rsa.h>
31 #include <openssl/x509.h>
33 #if OPENSSL_VERSION_NUMBER < 0x10100000L
34 OPENSSL_KEY_FALLBACK(RSA
, key
, n
, e
, d
)
37 typedef struct private_openssl_rsa_public_key_t private_openssl_rsa_public_key_t
;
40 * Private data structure with signing context.
42 struct private_openssl_rsa_public_key_t
{
44 * Public interface for this signer.
46 openssl_rsa_public_key_t
public;
49 * RSA object from OpenSSL
60 #if OPENSSL_VERSION_NUMBER >= 0x10000000L
63 * Verify RSA signature
65 static bool verify_signature(private_openssl_rsa_public_key_t
*this,
66 const EVP_MD
*md
, rsa_pss_params_t
*pss
,
67 chunk_t data
, chunk_t signature
)
69 EVP_PKEY_CTX
*pctx
= NULL
;
70 EVP_MD_CTX
*mctx
= NULL
;
72 int rsa_size
= RSA_size(this->rsa
);
75 /* OpenSSL expects a signature of exactly RSA size (no leading 0x00) */
76 if (signature
.len
> rsa_size
)
78 signature
= chunk_skip(signature
, signature
.len
- rsa_size
);
81 mctx
= EVP_MD_CTX_create();
87 if (!EVP_PKEY_set1_RSA(key
, this->rsa
))
91 if (EVP_DigestVerifyInit(mctx
, &pctx
, md
, NULL
, key
) <= 0)
97 const EVP_MD
*mgf1md
= openssl_get_md(pss
->mgf1_hash
);
98 if (EVP_PKEY_CTX_set_rsa_padding(pctx
, RSA_PKCS1_PSS_PADDING
) <= 0 ||
99 EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx
, pss
->salt_len
) <= 0 ||
100 EVP_PKEY_CTX_set_rsa_mgf1_md(pctx
, mgf1md
) <= 0)
105 if (EVP_DigestVerifyUpdate(mctx
, data
.ptr
, data
.len
) <= 0)
109 valid
= (EVP_DigestVerifyFinal(mctx
, signature
.ptr
, signature
.len
) == 1);
118 EVP_MD_CTX_destroy(mctx
);
124 * Verification of a signature without hashing
126 static bool verify_plain_signature(private_openssl_rsa_public_key_t
*this,
127 chunk_t data
, chunk_t signature
)
130 int len
, rsa_size
= RSA_size(this->rsa
);
133 /* OpenSSL expects a signature of exactly RSA size (no leading 0x00) */
134 if (signature
.len
> rsa_size
)
136 signature
= chunk_skip(signature
, signature
.len
- rsa_size
);
138 buf
= malloc(rsa_size
);
139 len
= RSA_public_decrypt(signature
.len
, signature
.ptr
, buf
, this->rsa
,
143 valid
= chunk_equals_const(data
, chunk_create(buf
, len
));
150 * Verification of an EMSA PKCS1 signature described in PKCS#1
152 static bool verify_emsa_pkcs1_signature(private_openssl_rsa_public_key_t
*this,
153 int type
, chunk_t data
, chunk_t signature
)
157 if (type
== NID_undef
)
159 return verify_plain_signature(this, data
, signature
);
161 md
= EVP_get_digestbynid(type
);
162 return md
&& verify_signature(this, md
, NULL
, data
, signature
);
166 * Verification of an EMSA PSS signature described in PKCS#1
168 static bool verify_emsa_pss_signature(private_openssl_rsa_public_key_t
*this,
169 rsa_pss_params_t
*params
, chunk_t data
,
178 md
= openssl_get_md(params
->hash
);
179 return md
&& verify_signature(this, md
, params
, data
, signature
);
182 #else /* OPENSSL_VERSION_NUMBER < 1.0 */
185 * Verification of an EMSA PKCS1 signature described in PKCS#1
187 static bool verify_emsa_pkcs1_signature(private_openssl_rsa_public_key_t
*this,
188 int type
, chunk_t data
, chunk_t signature
)
191 int rsa_size
= RSA_size(this->rsa
);
193 /* OpenSSL expects a signature of exactly RSA size (no leading 0x00) */
194 if (signature
.len
> rsa_size
)
196 signature
= chunk_skip(signature
, signature
.len
- rsa_size
);
199 if (type
== NID_undef
)
204 buf
= malloc(rsa_size
);
205 len
= RSA_public_decrypt(signature
.len
, signature
.ptr
, buf
, this->rsa
,
209 valid
= chunk_equals_const(data
, chunk_create(buf
, len
));
217 const EVP_MD
*hasher
;
219 hasher
= EVP_get_digestbynid(type
);
225 ctx
= EVP_MD_CTX_create();
226 key
= EVP_PKEY_new();
232 if (!EVP_PKEY_set1_RSA(key
, this->rsa
))
236 if (!EVP_VerifyInit_ex(ctx
, hasher
, NULL
))
240 if (!EVP_VerifyUpdate(ctx
, data
.ptr
, data
.len
))
244 valid
= (EVP_VerifyFinal(ctx
, signature
.ptr
, signature
.len
, key
) == 1);
253 EVP_MD_CTX_destroy(ctx
);
259 #endif /* OPENSSL_VERSION_NUMBER < 1.0 */
261 METHOD(public_key_t
, get_type
, key_type_t
,
262 private_openssl_rsa_public_key_t
*this)
267 METHOD(public_key_t
, verify
, bool,
268 private_openssl_rsa_public_key_t
*this, signature_scheme_t scheme
,
269 void *params
, chunk_t data
, chunk_t signature
)
273 case SIGN_RSA_EMSA_PKCS1_NULL
:
274 return verify_emsa_pkcs1_signature(this, NID_undef
, data
, signature
);
275 case SIGN_RSA_EMSA_PKCS1_SHA2_224
:
276 return verify_emsa_pkcs1_signature(this, NID_sha224
, data
, signature
);
277 case SIGN_RSA_EMSA_PKCS1_SHA2_256
:
278 return verify_emsa_pkcs1_signature(this, NID_sha256
, data
, signature
);
279 case SIGN_RSA_EMSA_PKCS1_SHA2_384
:
280 return verify_emsa_pkcs1_signature(this, NID_sha384
, data
, signature
);
281 case SIGN_RSA_EMSA_PKCS1_SHA2_512
:
282 return verify_emsa_pkcs1_signature(this, NID_sha512
, data
, signature
);
283 #if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_SHA3)
284 case SIGN_RSA_EMSA_PKCS1_SHA3_224
:
285 return verify_emsa_pkcs1_signature(this, NID_sha3_224
, data
, signature
);
286 case SIGN_RSA_EMSA_PKCS1_SHA3_256
:
287 return verify_emsa_pkcs1_signature(this, NID_sha3_256
, data
, signature
);
288 case SIGN_RSA_EMSA_PKCS1_SHA3_384
:
289 return verify_emsa_pkcs1_signature(this, NID_sha3_384
, data
, signature
);
290 case SIGN_RSA_EMSA_PKCS1_SHA3_512
:
291 return verify_emsa_pkcs1_signature(this, NID_sha3_512
, data
, signature
);
293 case SIGN_RSA_EMSA_PKCS1_SHA1
:
294 return verify_emsa_pkcs1_signature(this, NID_sha1
, data
, signature
);
295 case SIGN_RSA_EMSA_PKCS1_MD5
:
296 return verify_emsa_pkcs1_signature(this, NID_md5
, data
, signature
);
297 #if OPENSSL_VERSION_NUMBER >= 0x10000000L
298 case SIGN_RSA_EMSA_PSS
:
299 return verify_emsa_pss_signature(this, params
, data
, signature
);
302 DBG1(DBG_LIB
, "signature scheme %N not supported in RSA",
303 signature_scheme_names
, scheme
);
308 METHOD(public_key_t
, encrypt
, bool,
309 private_openssl_rsa_public_key_t
*this, encryption_scheme_t scheme
,
310 chunk_t plain
, chunk_t
*crypto
)
317 case ENCRYPT_RSA_PKCS1
:
318 padding
= RSA_PKCS1_PADDING
;
320 case ENCRYPT_RSA_OAEP_SHA1
:
321 padding
= RSA_PKCS1_OAEP_PADDING
;
324 DBG1(DBG_LIB
, "decryption scheme %N not supported via openssl",
325 encryption_scheme_names
, scheme
);
328 encrypted
= malloc(RSA_size(this->rsa
));
329 len
= RSA_public_encrypt(plain
.len
, plain
.ptr
, encrypted
,
333 DBG1(DBG_LIB
, "RSA decryption failed");
337 *crypto
= chunk_create(encrypted
, len
);
341 METHOD(public_key_t
, get_keysize
, int,
342 private_openssl_rsa_public_key_t
*this)
344 return RSA_size(this->rsa
) * 8;
348 * Calculate fingerprint from a RSA key, also used in rsa private key.
350 bool openssl_rsa_fingerprint(RSA
*rsa
, cred_encoding_type_t type
, chunk_t
*fp
)
356 if (lib
->encoding
->get_cache(lib
->encoding
, type
, rsa
, fp
))
362 case KEYID_PUBKEY_SHA1
:
363 key
= chunk_alloc(i2d_RSAPublicKey(rsa
, NULL
));
365 i2d_RSAPublicKey(rsa
, &p
);
367 case KEYID_PUBKEY_INFO_SHA1
:
368 key
= chunk_alloc(i2d_RSA_PUBKEY(rsa
, NULL
));
370 i2d_RSA_PUBKEY(rsa
, &p
);
374 const BIGNUM
*bn_n
, *bn_e
;
375 chunk_t n
= chunk_empty
, e
= chunk_empty
;
376 bool success
= FALSE
;
378 RSA_get0_key(rsa
, &bn_n
, &bn_e
, NULL
);
379 if (openssl_bn2chunk(bn_n
, &n
) &&
380 openssl_bn2chunk(bn_e
, &e
))
382 success
= lib
->encoding
->encode(lib
->encoding
, type
, rsa
, fp
,
383 CRED_PART_RSA_MODULUS
, n
,
384 CRED_PART_RSA_PUB_EXP
, e
, CRED_PART_END
);
391 hasher
= lib
->crypto
->create_hasher(lib
->crypto
, HASH_SHA1
);
392 if (!hasher
|| !hasher
->allocate_hash(hasher
, key
, fp
))
394 DBG1(DBG_LIB
, "SHA1 hash algorithm not supported, fingerprinting failed");
400 hasher
->destroy(hasher
);
401 lib
->encoding
->cache(lib
->encoding
, type
, rsa
, *fp
);
405 METHOD(public_key_t
, get_fingerprint
, bool,
406 private_openssl_rsa_public_key_t
*this, cred_encoding_type_t type
,
407 chunk_t
*fingerprint
)
409 return openssl_rsa_fingerprint(this->rsa
, type
, fingerprint
);
412 METHOD(public_key_t
, get_encoding
, bool,
413 private_openssl_rsa_public_key_t
*this, cred_encoding_type_t type
,
416 bool success
= FALSE
;
421 case PUBKEY_SPKI_ASN1_DER
:
424 *encoding
= chunk_alloc(i2d_RSA_PUBKEY(this->rsa
, NULL
));
426 i2d_RSA_PUBKEY(this->rsa
, &p
);
429 if (type
== PUBKEY_PEM
)
431 chunk_t asn1_encoding
= *encoding
;
433 success
= lib
->encoding
->encode(lib
->encoding
, PUBKEY_PEM
,
434 NULL
, encoding
, CRED_PART_RSA_PUB_ASN1_DER
,
435 asn1_encoding
, CRED_PART_END
);
436 chunk_clear(&asn1_encoding
);
440 case PUBKEY_ASN1_DER
:
442 *encoding
= chunk_alloc(i2d_RSAPublicKey(this->rsa
, NULL
));
444 i2d_RSAPublicKey(this->rsa
, &p
);
449 const BIGNUM
*bn_n
, *bn_e
;
450 chunk_t n
= chunk_empty
, e
= chunk_empty
;
452 RSA_get0_key(this->rsa
, &bn_n
, &bn_e
, NULL
);
453 if (openssl_bn2chunk(bn_n
, &n
) &&
454 openssl_bn2chunk(bn_e
, &e
))
456 success
= lib
->encoding
->encode(lib
->encoding
, type
, NULL
,
457 encoding
, CRED_PART_RSA_MODULUS
, n
,
458 CRED_PART_RSA_PUB_EXP
, e
, CRED_PART_END
);
467 METHOD(public_key_t
, get_ref
, public_key_t
*,
468 private_openssl_rsa_public_key_t
*this)
471 return &this->public.key
;
474 METHOD(public_key_t
, destroy
, void,
475 private_openssl_rsa_public_key_t
*this)
477 if (ref_put(&this->ref
))
481 lib
->encoding
->clear_cache(lib
->encoding
, this->rsa
);
489 * Generic private constructor
491 static private_openssl_rsa_public_key_t
*create_empty()
493 private_openssl_rsa_public_key_t
*this;
498 .get_type
= _get_type
,
501 .equals
= public_key_equals
,
502 .get_keysize
= _get_keysize
,
503 .get_fingerprint
= _get_fingerprint
,
504 .has_fingerprint
= public_key_has_fingerprint
,
505 .get_encoding
= _get_encoding
,
519 openssl_rsa_public_key_t
*openssl_rsa_public_key_load(key_type_t type
,
522 private_openssl_rsa_public_key_t
*this;
525 n
= e
= blob
= chunk_empty
;
528 switch (va_arg(args
, builder_part_t
))
530 case BUILD_BLOB_ASN1_DER
:
531 blob
= va_arg(args
, chunk_t
);
533 case BUILD_RSA_MODULUS
:
534 n
= va_arg(args
, chunk_t
);
536 case BUILD_RSA_PUB_EXP
:
537 e
= va_arg(args
, chunk_t
);
547 this = create_empty();
553 this->rsa
= d2i_RSA_PUBKEY(NULL
, (const u_char
**)&blob
.ptr
,
557 this->rsa
= d2i_RSAPublicKey(NULL
, (const u_char
**)&blob
.ptr
,
565 return &this->public;
568 else if (n
.ptr
&& e
.ptr
&& type
== KEY_RSA
)
572 this->rsa
= RSA_new();
573 bn_n
= BN_bin2bn((const u_char
*)n
.ptr
, n
.len
, NULL
);
574 bn_e
= BN_bin2bn((const u_char
*)e
.ptr
, e
.len
, NULL
);
575 if (RSA_set0_key(this->rsa
, bn_n
, bn_e
, NULL
))
577 return &this->public;
584 #endif /* OPENSSL_NO_RSA */