2 * Copyright (C) 2008-2017 Tobias Brunner
3 * Copyright (C) 2009 Martin Willi
4 * HSR Hochschule fuer Technik Rapperswil
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
17 #include <openssl/opensslconf.h>
19 #ifndef OPENSSL_NO_RSA
21 #include "openssl_rsa_public_key.h"
22 #include "openssl_hasher.h"
23 #include "openssl_util.h"
25 #include <utils/debug.h>
26 #include <credentials/keys/signature_params.h>
28 #include <openssl/bn.h>
29 #include <openssl/crypto.h>
30 #include <openssl/evp.h>
31 #include <openssl/rsa.h>
32 #include <openssl/x509.h>
34 #if OPENSSL_VERSION_NUMBER < 0x10100000L
35 OPENSSL_KEY_FALLBACK(RSA
, key
, n
, e
, d
)
38 typedef struct private_openssl_rsa_public_key_t private_openssl_rsa_public_key_t
;
41 * Private data structure with signing context.
43 struct private_openssl_rsa_public_key_t
{
45 * Public interface for this signer.
47 openssl_rsa_public_key_t
public;
50 * RSA object from OpenSSL
61 #if OPENSSL_VERSION_NUMBER >= 0x10000000L
64 * Verify RSA signature
66 static bool verify_signature(private_openssl_rsa_public_key_t
*this,
67 const EVP_MD
*md
, rsa_pss_params_t
*pss
,
68 chunk_t data
, chunk_t signature
)
70 EVP_PKEY_CTX
*pctx
= NULL
;
71 EVP_MD_CTX
*mctx
= NULL
;
73 int rsa_size
= RSA_size(this->rsa
);
76 /* OpenSSL expects a signature of exactly RSA size (no leading 0x00) */
77 if (signature
.len
> rsa_size
)
79 signature
= chunk_skip(signature
, signature
.len
- rsa_size
);
82 mctx
= EVP_MD_CTX_create();
88 if (!EVP_PKEY_set1_RSA(key
, this->rsa
))
92 if (EVP_DigestVerifyInit(mctx
, &pctx
, md
, NULL
, key
) <= 0)
98 const EVP_MD
*mgf1md
= openssl_get_md(pss
->mgf1_hash
);
99 if (EVP_PKEY_CTX_set_rsa_padding(pctx
, RSA_PKCS1_PSS_PADDING
) <= 0 ||
100 EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx
, pss
->salt_len
) <= 0 ||
101 EVP_PKEY_CTX_set_rsa_mgf1_md(pctx
, mgf1md
) <= 0)
106 if (EVP_DigestVerifyUpdate(mctx
, data
.ptr
, data
.len
) <= 0)
110 valid
= (EVP_DigestVerifyFinal(mctx
, signature
.ptr
, signature
.len
) == 1);
119 EVP_MD_CTX_destroy(mctx
);
125 * Verification of a signature without hashing
127 static bool verify_plain_signature(private_openssl_rsa_public_key_t
*this,
128 chunk_t data
, chunk_t signature
)
131 int len
, rsa_size
= RSA_size(this->rsa
);
134 /* OpenSSL expects a signature of exactly RSA size (no leading 0x00) */
135 if (signature
.len
> rsa_size
)
137 signature
= chunk_skip(signature
, signature
.len
- rsa_size
);
139 buf
= malloc(rsa_size
);
140 len
= RSA_public_decrypt(signature
.len
, signature
.ptr
, buf
, this->rsa
,
144 valid
= chunk_equals_const(data
, chunk_create(buf
, len
));
151 * Verification of an EMSA PKCS1 signature described in PKCS#1
153 static bool verify_emsa_pkcs1_signature(private_openssl_rsa_public_key_t
*this,
154 int type
, chunk_t data
, chunk_t signature
)
158 if (type
== NID_undef
)
160 return verify_plain_signature(this, data
, signature
);
162 md
= EVP_get_digestbynid(type
);
163 return md
&& verify_signature(this, md
, NULL
, data
, signature
);
167 * Verification of an EMSA PSS signature described in PKCS#1
169 static bool verify_emsa_pss_signature(private_openssl_rsa_public_key_t
*this,
170 rsa_pss_params_t
*params
, chunk_t data
,
179 md
= openssl_get_md(params
->hash
);
180 return md
&& verify_signature(this, md
, params
, data
, signature
);
183 #else /* OPENSSL_VERSION_NUMBER < 1.0 */
186 * Verification of an EMSA PKCS1 signature described in PKCS#1
188 static bool verify_emsa_pkcs1_signature(private_openssl_rsa_public_key_t
*this,
189 int type
, chunk_t data
, chunk_t signature
)
192 int rsa_size
= RSA_size(this->rsa
);
194 /* OpenSSL expects a signature of exactly RSA size (no leading 0x00) */
195 if (signature
.len
> rsa_size
)
197 signature
= chunk_skip(signature
, signature
.len
- rsa_size
);
200 if (type
== NID_undef
)
205 buf
= malloc(rsa_size
);
206 len
= RSA_public_decrypt(signature
.len
, signature
.ptr
, buf
, this->rsa
,
210 valid
= chunk_equals_const(data
, chunk_create(buf
, len
));
218 const EVP_MD
*hasher
;
220 hasher
= EVP_get_digestbynid(type
);
226 ctx
= EVP_MD_CTX_create();
227 key
= EVP_PKEY_new();
233 if (!EVP_PKEY_set1_RSA(key
, this->rsa
))
237 if (!EVP_VerifyInit_ex(ctx
, hasher
, NULL
))
241 if (!EVP_VerifyUpdate(ctx
, data
.ptr
, data
.len
))
245 valid
= (EVP_VerifyFinal(ctx
, signature
.ptr
, signature
.len
, key
) == 1);
254 EVP_MD_CTX_destroy(ctx
);
260 #endif /* OPENSSL_VERSION_NUMBER < 1.0 */
262 METHOD(public_key_t
, get_type
, key_type_t
,
263 private_openssl_rsa_public_key_t
*this)
268 METHOD(public_key_t
, verify
, bool,
269 private_openssl_rsa_public_key_t
*this, signature_scheme_t scheme
,
270 void *params
, chunk_t data
, chunk_t signature
)
274 case SIGN_RSA_EMSA_PKCS1_NULL
:
275 return verify_emsa_pkcs1_signature(this, NID_undef
, data
, signature
);
276 case SIGN_RSA_EMSA_PKCS1_SHA2_224
:
277 return verify_emsa_pkcs1_signature(this, NID_sha224
, data
, signature
);
278 case SIGN_RSA_EMSA_PKCS1_SHA2_256
:
279 return verify_emsa_pkcs1_signature(this, NID_sha256
, data
, signature
);
280 case SIGN_RSA_EMSA_PKCS1_SHA2_384
:
281 return verify_emsa_pkcs1_signature(this, NID_sha384
, data
, signature
);
282 case SIGN_RSA_EMSA_PKCS1_SHA2_512
:
283 return verify_emsa_pkcs1_signature(this, NID_sha512
, data
, signature
);
284 #if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_SHA3)
285 case SIGN_RSA_EMSA_PKCS1_SHA3_224
:
286 return verify_emsa_pkcs1_signature(this, NID_sha3_224
, data
, signature
);
287 case SIGN_RSA_EMSA_PKCS1_SHA3_256
:
288 return verify_emsa_pkcs1_signature(this, NID_sha3_256
, data
, signature
);
289 case SIGN_RSA_EMSA_PKCS1_SHA3_384
:
290 return verify_emsa_pkcs1_signature(this, NID_sha3_384
, data
, signature
);
291 case SIGN_RSA_EMSA_PKCS1_SHA3_512
:
292 return verify_emsa_pkcs1_signature(this, NID_sha3_512
, data
, signature
);
294 case SIGN_RSA_EMSA_PKCS1_SHA1
:
295 return verify_emsa_pkcs1_signature(this, NID_sha1
, data
, signature
);
296 case SIGN_RSA_EMSA_PKCS1_MD5
:
297 return verify_emsa_pkcs1_signature(this, NID_md5
, data
, signature
);
298 #if OPENSSL_VERSION_NUMBER >= 0x10000000L
299 case SIGN_RSA_EMSA_PSS
:
300 return verify_emsa_pss_signature(this, params
, data
, signature
);
303 DBG1(DBG_LIB
, "signature scheme %N not supported in RSA",
304 signature_scheme_names
, scheme
);
309 METHOD(public_key_t
, encrypt
, bool,
310 private_openssl_rsa_public_key_t
*this, encryption_scheme_t scheme
,
311 void *params
, chunk_t plain
, chunk_t
*crypto
)
313 EVP_PKEY_CTX
*ctx
= NULL
;
314 EVP_PKEY
*evp_key
= NULL
;
315 chunk_t label
= chunk_empty
;
316 hash_algorithm_t hash_alg
= HASH_UNKNOWN
;
320 bool success
= FALSE
;
324 case ENCRYPT_RSA_PKCS1
:
325 padding
= RSA_PKCS1_PADDING
;
327 case ENCRYPT_RSA_OAEP_SHA1
:
328 hash_alg
= HASH_SHA1
;
329 padding
= RSA_PKCS1_OAEP_PADDING
;
331 case ENCRYPT_RSA_OAEP_SHA224
:
332 hash_alg
= HASH_SHA224
;
333 padding
= RSA_PKCS1_OAEP_PADDING
;
335 case ENCRYPT_RSA_OAEP_SHA256
:
336 hash_alg
= HASH_SHA256
;
337 padding
= RSA_PKCS1_OAEP_PADDING
;
339 case ENCRYPT_RSA_OAEP_SHA384
:
340 hash_alg
= HASH_SHA384
;
341 padding
= RSA_PKCS1_OAEP_PADDING
;
343 case ENCRYPT_RSA_OAEP_SHA512
:
344 hash_alg
= HASH_SHA512
;
345 padding
= RSA_PKCS1_OAEP_PADDING
;
348 DBG1(DBG_LIB
, "encryption scheme %N not supported by openssl",
349 encryption_scheme_names
, scheme
);
353 evp_key
= EVP_PKEY_new();
356 DBG1(DBG_LIB
, "could not create EVP key");
359 if (EVP_PKEY_set1_RSA(evp_key
, this->rsa
) <= 0)
361 DBG1(DBG_LIB
, "could not set EVP key to RSA key");
365 ctx
= EVP_PKEY_CTX_new(evp_key
, NULL
);
368 DBG1(DBG_LIB
, "could not create EVP context");
372 if (EVP_PKEY_encrypt_init(ctx
) <= 0)
374 DBG1(DBG_LIB
, "could not initialize RSA encryption");
377 if (EVP_PKEY_CTX_set_rsa_padding(ctx
, padding
) <= 0)
379 DBG1(DBG_LIB
, "could not set RSA padding");
382 if (padding
== RSA_PKCS1_OAEP_PADDING
)
384 const EVP_MD
*md
= openssl_get_md(hash_alg
);
386 if (EVP_PKEY_CTX_set_rsa_oaep_md(ctx
, md
) <= 0)
388 DBG1(DBG_LIB
, "could not set RSA OAEP hash algorithm");
394 label
= *(chunk_t
*)params
;
400 /* Openssl requires a copy of its own */
401 label_cpy
= (uint8_t *)OPENSSL_malloc(label
.len
);
402 memcpy(label_cpy
, label
.ptr
, label
.len
);
404 if (EVP_PKEY_CTX_set0_rsa_oaep_label(ctx
, label_cpy
, label
.len
) <= 0)
406 OPENSSL_free(label_cpy
);
407 DBG1(DBG_LIB
, "could not set RSA OAEP label");
413 /* determine maximum ciphertext size */
414 len
= RSA_size(this->rsa
);
415 encrypted
= malloc(len
);
418 if (EVP_PKEY_encrypt(ctx
, encrypted
, &len
, plain
.ptr
, plain
.len
) <= 0)
420 DBG1(DBG_LIB
, "RSA encryption failed");
424 *crypto
= chunk_create(encrypted
, len
);
430 EVP_PKEY_CTX_free(ctx
);
434 EVP_PKEY_free(evp_key
);
439 METHOD(public_key_t
, get_keysize
, int,
440 private_openssl_rsa_public_key_t
*this)
442 return RSA_size(this->rsa
) * 8;
446 * Calculate fingerprint from a RSA key, also used in rsa private key.
448 bool openssl_rsa_fingerprint(RSA
*rsa
, cred_encoding_type_t type
, chunk_t
*fp
)
454 if (lib
->encoding
->get_cache(lib
->encoding
, type
, rsa
, fp
))
460 case KEYID_PUBKEY_SHA1
:
461 key
= chunk_alloc(i2d_RSAPublicKey(rsa
, NULL
));
463 i2d_RSAPublicKey(rsa
, &p
);
465 case KEYID_PUBKEY_INFO_SHA1
:
466 key
= chunk_alloc(i2d_RSA_PUBKEY(rsa
, NULL
));
468 i2d_RSA_PUBKEY(rsa
, &p
);
472 const BIGNUM
*bn_n
, *bn_e
;
473 chunk_t n
= chunk_empty
, e
= chunk_empty
;
474 bool success
= FALSE
;
476 RSA_get0_key(rsa
, &bn_n
, &bn_e
, NULL
);
477 if (openssl_bn2chunk(bn_n
, &n
) &&
478 openssl_bn2chunk(bn_e
, &e
))
480 success
= lib
->encoding
->encode(lib
->encoding
, type
, rsa
, fp
,
481 CRED_PART_RSA_MODULUS
, n
,
482 CRED_PART_RSA_PUB_EXP
, e
, CRED_PART_END
);
489 hasher
= lib
->crypto
->create_hasher(lib
->crypto
, HASH_SHA1
);
490 if (!hasher
|| !hasher
->allocate_hash(hasher
, key
, fp
))
492 DBG1(DBG_LIB
, "SHA1 hash algorithm not supported, fingerprinting failed");
498 hasher
->destroy(hasher
);
499 lib
->encoding
->cache(lib
->encoding
, type
, rsa
, *fp
);
503 METHOD(public_key_t
, get_fingerprint
, bool,
504 private_openssl_rsa_public_key_t
*this, cred_encoding_type_t type
,
505 chunk_t
*fingerprint
)
507 return openssl_rsa_fingerprint(this->rsa
, type
, fingerprint
);
510 METHOD(public_key_t
, get_encoding
, bool,
511 private_openssl_rsa_public_key_t
*this, cred_encoding_type_t type
,
514 bool success
= FALSE
;
519 case PUBKEY_SPKI_ASN1_DER
:
522 *encoding
= chunk_alloc(i2d_RSA_PUBKEY(this->rsa
, NULL
));
524 i2d_RSA_PUBKEY(this->rsa
, &p
);
527 if (type
== PUBKEY_PEM
)
529 chunk_t asn1_encoding
= *encoding
;
531 success
= lib
->encoding
->encode(lib
->encoding
, PUBKEY_PEM
,
532 NULL
, encoding
, CRED_PART_RSA_PUB_ASN1_DER
,
533 asn1_encoding
, CRED_PART_END
);
534 chunk_clear(&asn1_encoding
);
538 case PUBKEY_ASN1_DER
:
540 *encoding
= chunk_alloc(i2d_RSAPublicKey(this->rsa
, NULL
));
542 i2d_RSAPublicKey(this->rsa
, &p
);
547 const BIGNUM
*bn_n
, *bn_e
;
548 chunk_t n
= chunk_empty
, e
= chunk_empty
;
550 RSA_get0_key(this->rsa
, &bn_n
, &bn_e
, NULL
);
551 if (openssl_bn2chunk(bn_n
, &n
) &&
552 openssl_bn2chunk(bn_e
, &e
))
554 success
= lib
->encoding
->encode(lib
->encoding
, type
, NULL
,
555 encoding
, CRED_PART_RSA_MODULUS
, n
,
556 CRED_PART_RSA_PUB_EXP
, e
, CRED_PART_END
);
565 METHOD(public_key_t
, get_ref
, public_key_t
*,
566 private_openssl_rsa_public_key_t
*this)
569 return &this->public.key
;
572 METHOD(public_key_t
, destroy
, void,
573 private_openssl_rsa_public_key_t
*this)
575 if (ref_put(&this->ref
))
579 lib
->encoding
->clear_cache(lib
->encoding
, this->rsa
);
587 * Generic private constructor
589 static private_openssl_rsa_public_key_t
*create_empty()
591 private_openssl_rsa_public_key_t
*this;
596 .get_type
= _get_type
,
599 .equals
= public_key_equals
,
600 .get_keysize
= _get_keysize
,
601 .get_fingerprint
= _get_fingerprint
,
602 .has_fingerprint
= public_key_has_fingerprint
,
603 .get_encoding
= _get_encoding
,
617 openssl_rsa_public_key_t
*openssl_rsa_public_key_load(key_type_t type
,
620 private_openssl_rsa_public_key_t
*this;
623 n
= e
= blob
= chunk_empty
;
626 switch (va_arg(args
, builder_part_t
))
628 case BUILD_BLOB_ASN1_DER
:
629 blob
= va_arg(args
, chunk_t
);
631 case BUILD_RSA_MODULUS
:
632 n
= va_arg(args
, chunk_t
);
634 case BUILD_RSA_PUB_EXP
:
635 e
= va_arg(args
, chunk_t
);
645 this = create_empty();
651 this->rsa
= d2i_RSA_PUBKEY(NULL
, (const u_char
**)&blob
.ptr
,
655 this->rsa
= d2i_RSAPublicKey(NULL
, (const u_char
**)&blob
.ptr
,
663 return &this->public;
666 else if (n
.ptr
&& e
.ptr
&& type
== KEY_RSA
)
670 this->rsa
= RSA_new();
671 bn_n
= BN_bin2bn((const u_char
*)n
.ptr
, n
.len
, NULL
);
672 bn_e
= BN_bin2bn((const u_char
*)e
.ptr
, e
.len
, NULL
);
673 if (RSA_set0_key(this->rsa
, bn_n
, bn_e
, NULL
))
675 return &this->public;
682 #endif /* OPENSSL_NO_RSA */