]> git.ipfire.org Git - people/ms/strongswan.git/blob - src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
projects / people / ms / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge branch 'rsa-oaep-encryption'
[people/ms/strongswan.git] / src / libstrongswan / plugins / openssl / openssl_rsa_public_key.c
1 /*
2 * Copyright (C) 2008-2017 Tobias Brunner
3 * Copyright (C) 2009 Martin Willi
4 * HSR Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include <openssl/opensslconf.h>
18
19 #ifndef OPENSSL_NO_RSA
20
21 #include "openssl_rsa_public_key.h"
22 #include "openssl_hasher.h"
23 #include "openssl_util.h"
24
25 #include <utils/debug.h>
26 #include <credentials/keys/signature_params.h>
27
28 #include <openssl/bn.h>
29 #include <openssl/crypto.h>
30 #include <openssl/evp.h>
31 #include <openssl/rsa.h>
32 #include <openssl/x509.h>
33
34 #if OPENSSL_VERSION_NUMBER < 0x10100000L
35 OPENSSL_KEY_FALLBACK(RSA, key, n, e, d)
36 #endif
37
38 typedef struct private_openssl_rsa_public_key_t private_openssl_rsa_public_key_t;
39
40 /**
41 * Private data structure with signing context.
42 */
43 struct private_openssl_rsa_public_key_t {
44 /**
45 * Public interface for this signer.
46 */
47 openssl_rsa_public_key_t public;
48
49 /**
50 * RSA object from OpenSSL
51 */
52 RSA *rsa;
53
54 /**
55 * reference counter
56 */
57 refcount_t ref;
58 };
59
60
61 #if OPENSSL_VERSION_NUMBER >= 0x10000000L
62
63 /**
64 * Verify RSA signature
65 */
66 static bool verify_signature(private_openssl_rsa_public_key_t *this,
67 const EVP_MD *md, rsa_pss_params_t *pss,
68 chunk_t data, chunk_t signature)
69 {
70 EVP_PKEY_CTX *pctx = NULL;
71 EVP_MD_CTX *mctx = NULL;
72 EVP_PKEY *key;
73 int rsa_size = RSA_size(this->rsa);
74 bool valid = FALSE;
75
76 /* OpenSSL expects a signature of exactly RSA size (no leading 0x00) */
77 if (signature.len > rsa_size)
78 {
79 signature = chunk_skip(signature, signature.len - rsa_size);
80 }
81
82 mctx = EVP_MD_CTX_create();
83 key = EVP_PKEY_new();
84 if (!mctx || !key)
85 {
86 goto error;
87 }
88 if (!EVP_PKEY_set1_RSA(key, this->rsa))
89 {
90 goto error;
91 }
92 if (EVP_DigestVerifyInit(mctx, &pctx, md, NULL, key) <= 0)
93 {
94 goto error;
95 }
96 if (pss)
97 {
98 const EVP_MD *mgf1md = openssl_get_md(pss->mgf1_hash);
99 if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0 ||
100 EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, pss->salt_len) <= 0 ||
101 EVP_PKEY_CTX_set_rsa_mgf1_md(pctx, mgf1md) <= 0)
102 {
103 goto error;
104 }
105 }
106 if (EVP_DigestVerifyUpdate(mctx, data.ptr, data.len) <= 0)
107 {
108 goto error;
109 }
110 valid = (EVP_DigestVerifyFinal(mctx, signature.ptr, signature.len) == 1);
111
112 error:
113 if (key)
114 {
115 EVP_PKEY_free(key);
116 }
117 if (mctx)
118 {
119 EVP_MD_CTX_destroy(mctx);
120 }
121 return valid;
122 }
123
124 /**
125 * Verification of a signature without hashing
126 */
127 static bool verify_plain_signature(private_openssl_rsa_public_key_t *this,
128 chunk_t data, chunk_t signature)
129 {
130 char *buf;
131 int len, rsa_size = RSA_size(this->rsa);
132 bool valid = FALSE;
133
134 /* OpenSSL expects a signature of exactly RSA size (no leading 0x00) */
135 if (signature.len > rsa_size)
136 {
137 signature = chunk_skip(signature, signature.len - rsa_size);
138 }
139 buf = malloc(rsa_size);
140 len = RSA_public_decrypt(signature.len, signature.ptr, buf, this->rsa,
141 RSA_PKCS1_PADDING);
142 if (len != -1)
143 {
144 valid = chunk_equals_const(data, chunk_create(buf, len));
145 }
146 free(buf);
147 return valid;
148 }
149
150 /**
151 * Verification of an EMSA PKCS1 signature described in PKCS#1
152 */
153 static bool verify_emsa_pkcs1_signature(private_openssl_rsa_public_key_t *this,
154 int type, chunk_t data, chunk_t signature)
155 {
156 const EVP_MD *md;
157
158 if (type == NID_undef)
159 {
160 return verify_plain_signature(this, data, signature);
161 }
162 md = EVP_get_digestbynid(type);
163 return md && verify_signature(this, md, NULL, data, signature);
164 }
165
166 /**
167 * Verification of an EMSA PSS signature described in PKCS#1
168 */
169 static bool verify_emsa_pss_signature(private_openssl_rsa_public_key_t *this,
170 rsa_pss_params_t *params, chunk_t data,
171 chunk_t signature)
172 {
173 const EVP_MD *md;
174
175 if (!params)
176 {
177 return FALSE;
178 }
179 md = openssl_get_md(params->hash);
180 return md && verify_signature(this, md, params, data, signature);
181 }
182
183 #else /* OPENSSL_VERSION_NUMBER < 1.0 */
184
185 /**
186 * Verification of an EMSA PKCS1 signature described in PKCS#1
187 */
188 static bool verify_emsa_pkcs1_signature(private_openssl_rsa_public_key_t *this,
189 int type, chunk_t data, chunk_t signature)
190 {
191 bool valid = FALSE;
192 int rsa_size = RSA_size(this->rsa);
193
194 /* OpenSSL expects a signature of exactly RSA size (no leading 0x00) */
195 if (signature.len > rsa_size)
196 {
197 signature = chunk_skip(signature, signature.len - rsa_size);
198 }
199
200 if (type == NID_undef)
201 {
202 char *buf;
203 int len;
204
205 buf = malloc(rsa_size);
206 len = RSA_public_decrypt(signature.len, signature.ptr, buf, this->rsa,
207 RSA_PKCS1_PADDING);
208 if (len != -1)
209 {
210 valid = chunk_equals_const(data, chunk_create(buf, len));
211 }
212 free(buf);
213 }
214 else
215 {
216 EVP_MD_CTX *ctx;
217 EVP_PKEY *key;
218 const EVP_MD *hasher;
219
220 hasher = EVP_get_digestbynid(type);
221 if (!hasher)
222 {
223 return FALSE;
224 }
225
226 ctx = EVP_MD_CTX_create();
227 key = EVP_PKEY_new();
228
229 if (!ctx || !key)
230 {
231 goto error;
232 }
233 if (!EVP_PKEY_set1_RSA(key, this->rsa))
234 {
235 goto error;
236 }
237 if (!EVP_VerifyInit_ex(ctx, hasher, NULL))
238 {
239 goto error;
240 }
241 if (!EVP_VerifyUpdate(ctx, data.ptr, data.len))
242 {
243 goto error;
244 }
245 valid = (EVP_VerifyFinal(ctx, signature.ptr, signature.len, key) == 1);
246
247 error:
248 if (key)
249 {
250 EVP_PKEY_free(key);
251 }
252 if (ctx)
253 {
254 EVP_MD_CTX_destroy(ctx);
255 }
256 }
257 return valid;
258 }
259
260 #endif /* OPENSSL_VERSION_NUMBER < 1.0 */
261
262 METHOD(public_key_t, get_type, key_type_t,
263 private_openssl_rsa_public_key_t *this)
264 {
265 return KEY_RSA;
266 }
267
268 METHOD(public_key_t, verify, bool,
269 private_openssl_rsa_public_key_t *this, signature_scheme_t scheme,
270 void *params, chunk_t data, chunk_t signature)
271 {
272 switch (scheme)
273 {
274 case SIGN_RSA_EMSA_PKCS1_NULL:
275 return verify_emsa_pkcs1_signature(this, NID_undef, data, signature);
276 case SIGN_RSA_EMSA_PKCS1_SHA2_224:
277 return verify_emsa_pkcs1_signature(this, NID_sha224, data, signature);
278 case SIGN_RSA_EMSA_PKCS1_SHA2_256:
279 return verify_emsa_pkcs1_signature(this, NID_sha256, data, signature);
280 case SIGN_RSA_EMSA_PKCS1_SHA2_384:
281 return verify_emsa_pkcs1_signature(this, NID_sha384, data, signature);
282 case SIGN_RSA_EMSA_PKCS1_SHA2_512:
283 return verify_emsa_pkcs1_signature(this, NID_sha512, data, signature);
284 #if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_SHA3)
285 case SIGN_RSA_EMSA_PKCS1_SHA3_224:
286 return verify_emsa_pkcs1_signature(this, NID_sha3_224, data, signature);
287 case SIGN_RSA_EMSA_PKCS1_SHA3_256:
288 return verify_emsa_pkcs1_signature(this, NID_sha3_256, data, signature);
289 case SIGN_RSA_EMSA_PKCS1_SHA3_384:
290 return verify_emsa_pkcs1_signature(this, NID_sha3_384, data, signature);
291 case SIGN_RSA_EMSA_PKCS1_SHA3_512:
292 return verify_emsa_pkcs1_signature(this, NID_sha3_512, data, signature);
293 #endif
294 case SIGN_RSA_EMSA_PKCS1_SHA1:
295 return verify_emsa_pkcs1_signature(this, NID_sha1, data, signature);
296 case SIGN_RSA_EMSA_PKCS1_MD5:
297 return verify_emsa_pkcs1_signature(this, NID_md5, data, signature);
298 #if OPENSSL_VERSION_NUMBER >= 0x10000000L
299 case SIGN_RSA_EMSA_PSS:
300 return verify_emsa_pss_signature(this, params, data, signature);
301 #endif
302 default:
303 DBG1(DBG_LIB, "signature scheme %N not supported in RSA",
304 signature_scheme_names, scheme);
305 return FALSE;
306 }
307 }
308
309 METHOD(public_key_t, encrypt, bool,
310 private_openssl_rsa_public_key_t *this, encryption_scheme_t scheme,
311 void *params, chunk_t plain, chunk_t *crypto)
312 {
313 EVP_PKEY_CTX *ctx = NULL;
314 EVP_PKEY *evp_key = NULL;
315 chunk_t label = chunk_empty;
316 hash_algorithm_t hash_alg = HASH_UNKNOWN;
317 size_t len;
318 int padding;
319 char *encrypted;
320 bool success = FALSE;
321
322 switch (scheme)
323 {
324 case ENCRYPT_RSA_PKCS1:
325 padding = RSA_PKCS1_PADDING;
326 break;
327 case ENCRYPT_RSA_OAEP_SHA1:
328 hash_alg = HASH_SHA1;
329 padding = RSA_PKCS1_OAEP_PADDING;
330 break;
331 case ENCRYPT_RSA_OAEP_SHA224:
332 hash_alg = HASH_SHA224;
333 padding = RSA_PKCS1_OAEP_PADDING;
334 break;
335 case ENCRYPT_RSA_OAEP_SHA256:
336 hash_alg = HASH_SHA256;
337 padding = RSA_PKCS1_OAEP_PADDING;
338 break;
339 case ENCRYPT_RSA_OAEP_SHA384:
340 hash_alg = HASH_SHA384;
341 padding = RSA_PKCS1_OAEP_PADDING;
342 break;
343 case ENCRYPT_RSA_OAEP_SHA512:
344 hash_alg = HASH_SHA512;
345 padding = RSA_PKCS1_OAEP_PADDING;
346 break;
347 default:
348 DBG1(DBG_LIB, "encryption scheme %N not supported by openssl",
349 encryption_scheme_names, scheme);
350 return FALSE;
351 }
352
353 evp_key = EVP_PKEY_new();
354 if (!evp_key)
355 {
356 DBG1(DBG_LIB, "could not create EVP key");
357 goto error;
358 }
359 if (EVP_PKEY_set1_RSA(evp_key, this->rsa) <= 0)
360 {
361 DBG1(DBG_LIB, "could not set EVP key to RSA key");
362 goto error;
363 }
364
365 ctx = EVP_PKEY_CTX_new(evp_key, NULL);
366 if (!ctx)
367 {
368 DBG1(DBG_LIB, "could not create EVP context");
369 goto error;
370 }
371
372 if (EVP_PKEY_encrypt_init(ctx) <= 0)
373 {
374 DBG1(DBG_LIB, "could not initialize RSA encryption");
375 goto error;
376 }
377 if (EVP_PKEY_CTX_set_rsa_padding(ctx, padding) <= 0)
378 {
379 DBG1(DBG_LIB, "could not set RSA padding");
380 goto error;
381 }
382 if (padding == RSA_PKCS1_OAEP_PADDING)
383 {
384 const EVP_MD *md = openssl_get_md(hash_alg);
385
386 if (EVP_PKEY_CTX_set_rsa_oaep_md(ctx, md) <= 0)
387 {
388 DBG1(DBG_LIB, "could not set RSA OAEP hash algorithm");
389 goto error;
390 }
391
392 if (params)
393 {
394 label = *(chunk_t *)params;
395 }
396 if (label.len > 0)
397 {
398 uint8_t *label_cpy;
399
400 /* Openssl requires a copy of its own */
401 label_cpy = (uint8_t *)OPENSSL_malloc(label.len);
402 memcpy(label_cpy, label.ptr, label.len);
403
404 if (EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, label_cpy, label.len) <= 0)
405 {
406 OPENSSL_free(label_cpy);
407 DBG1(DBG_LIB, "could not set RSA OAEP label");
408 goto error;
409 }
410 }
411 }
412
413 /* determine maximum ciphertext size */
414 len = RSA_size(this->rsa);
415 encrypted = malloc(len);
416
417 /* decrypt data */
418 if (EVP_PKEY_encrypt(ctx, encrypted, &len, plain.ptr, plain.len) <= 0)
419 {
420 DBG1(DBG_LIB, "RSA encryption failed");
421 free(encrypted);
422 goto error;
423 }
424 *crypto = chunk_create(encrypted, len);
425 success = TRUE;
426
427 error:
428 if (ctx)
429 {
430 EVP_PKEY_CTX_free(ctx);
431 }
432 if (evp_key)
433 {
434 EVP_PKEY_free(evp_key);
435 }
436 return success;
437 }
438
439 METHOD(public_key_t, get_keysize, int,
440 private_openssl_rsa_public_key_t *this)
441 {
442 return RSA_size(this->rsa) * 8;
443 }
444
445 /**
446 * Calculate fingerprint from a RSA key, also used in rsa private key.
447 */
448 bool openssl_rsa_fingerprint(RSA *rsa, cred_encoding_type_t type, chunk_t *fp)
449 {
450 hasher_t *hasher;
451 chunk_t key;
452 u_char *p;
453
454 if (lib->encoding->get_cache(lib->encoding, type, rsa, fp))
455 {
456 return TRUE;
457 }
458 switch (type)
459 {
460 case KEYID_PUBKEY_SHA1:
461 key = chunk_alloc(i2d_RSAPublicKey(rsa, NULL));
462 p = key.ptr;
463 i2d_RSAPublicKey(rsa, &p);
464 break;
465 case KEYID_PUBKEY_INFO_SHA1:
466 key = chunk_alloc(i2d_RSA_PUBKEY(rsa, NULL));
467 p = key.ptr;
468 i2d_RSA_PUBKEY(rsa, &p);
469 break;
470 default:
471 {
472 const BIGNUM *bn_n, *bn_e;
473 chunk_t n = chunk_empty, e = chunk_empty;
474 bool success = FALSE;
475
476 RSA_get0_key(rsa, &bn_n, &bn_e, NULL);
477 if (openssl_bn2chunk(bn_n, &n) &&
478 openssl_bn2chunk(bn_e, &e))
479 {
480 success = lib->encoding->encode(lib->encoding, type, rsa, fp,
481 CRED_PART_RSA_MODULUS, n,
482 CRED_PART_RSA_PUB_EXP, e, CRED_PART_END);
483 }
484 chunk_free(&n);
485 chunk_free(&e);
486 return success;
487 }
488 }
489 hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
490 if (!hasher || !hasher->allocate_hash(hasher, key, fp))
491 {
492 DBG1(DBG_LIB, "SHA1 hash algorithm not supported, fingerprinting failed");
493 DESTROY_IF(hasher);
494 free(key.ptr);
495 return FALSE;
496 }
497 free(key.ptr);
498 hasher->destroy(hasher);
499 lib->encoding->cache(lib->encoding, type, rsa, *fp);
500 return TRUE;
501 }
502
503 METHOD(public_key_t, get_fingerprint, bool,
504 private_openssl_rsa_public_key_t *this, cred_encoding_type_t type,
505 chunk_t *fingerprint)
506 {
507 return openssl_rsa_fingerprint(this->rsa, type, fingerprint);
508 }
509
510 METHOD(public_key_t, get_encoding, bool,
511 private_openssl_rsa_public_key_t *this, cred_encoding_type_t type,
512 chunk_t *encoding)
513 {
514 bool success = FALSE;
515 u_char *p;
516
517 switch (type)
518 {
519 case PUBKEY_SPKI_ASN1_DER:
520 case PUBKEY_PEM:
521 {
522 *encoding = chunk_alloc(i2d_RSA_PUBKEY(this->rsa, NULL));
523 p = encoding->ptr;
524 i2d_RSA_PUBKEY(this->rsa, &p);
525 success = TRUE;
526
527 if (type == PUBKEY_PEM)
528 {
529 chunk_t asn1_encoding = *encoding;
530
531 success = lib->encoding->encode(lib->encoding, PUBKEY_PEM,
532 NULL, encoding, CRED_PART_RSA_PUB_ASN1_DER,
533 asn1_encoding, CRED_PART_END);
534 chunk_clear(&asn1_encoding);
535 }
536 return success;
537 }
538 case PUBKEY_ASN1_DER:
539 {
540 *encoding = chunk_alloc(i2d_RSAPublicKey(this->rsa, NULL));
541 p = encoding->ptr;
542 i2d_RSAPublicKey(this->rsa, &p);
543 return TRUE;
544 }
545 default:
546 {
547 const BIGNUM *bn_n, *bn_e;
548 chunk_t n = chunk_empty, e = chunk_empty;
549
550 RSA_get0_key(this->rsa, &bn_n, &bn_e, NULL);
551 if (openssl_bn2chunk(bn_n, &n) &&
552 openssl_bn2chunk(bn_e, &e))
553 {
554 success = lib->encoding->encode(lib->encoding, type, NULL,
555 encoding, CRED_PART_RSA_MODULUS, n,
556 CRED_PART_RSA_PUB_EXP, e, CRED_PART_END);
557 }
558 chunk_free(&n);
559 chunk_free(&e);
560 return success;
561 }
562 }
563 }
564
565 METHOD(public_key_t, get_ref, public_key_t*,
566 private_openssl_rsa_public_key_t *this)
567 {
568 ref_get(&this->ref);
569 return &this->public.key;
570 }
571
572 METHOD(public_key_t, destroy, void,
573 private_openssl_rsa_public_key_t *this)
574 {
575 if (ref_put(&this->ref))
576 {
577 if (this->rsa)
578 {
579 lib->encoding->clear_cache(lib->encoding, this->rsa);
580 RSA_free(this->rsa);
581 }
582 free(this);
583 }
584 }
585
586 /**
587 * Generic private constructor
588 */
589 static private_openssl_rsa_public_key_t *create_empty()
590 {
591 private_openssl_rsa_public_key_t *this;
592
593 INIT(this,
594 .public = {
595 .key = {
596 .get_type = _get_type,
597 .verify = _verify,
598 .encrypt = _encrypt,
599 .equals = public_key_equals,
600 .get_keysize = _get_keysize,
601 .get_fingerprint = _get_fingerprint,
602 .has_fingerprint = public_key_has_fingerprint,
603 .get_encoding = _get_encoding,
604 .get_ref = _get_ref,
605 .destroy = _destroy,
606 },
607 },
608 .ref = 1,
609 );
610
611 return this;
612 }
613
614 /**
615 * See header.
616 */
617 openssl_rsa_public_key_t *openssl_rsa_public_key_load(key_type_t type,
618 va_list args)
619 {
620 private_openssl_rsa_public_key_t *this;
621 chunk_t blob, n, e;
622
623 n = e = blob = chunk_empty;
624 while (TRUE)
625 {
626 switch (va_arg(args, builder_part_t))
627 {
628 case BUILD_BLOB_ASN1_DER:
629 blob = va_arg(args, chunk_t);
630 continue;
631 case BUILD_RSA_MODULUS:
632 n = va_arg(args, chunk_t);
633 continue;
634 case BUILD_RSA_PUB_EXP:
635 e = va_arg(args, chunk_t);
636 continue;
637 case BUILD_END:
638 break;
639 default:
640 return NULL;
641 }
642 break;
643 }
644
645 this = create_empty();
646 if (blob.ptr)
647 {
648 switch (type)
649 {
650 case KEY_ANY:
651 this->rsa = d2i_RSA_PUBKEY(NULL, (const u_char**)&blob.ptr,
652 blob.len);
653 break;
654 case KEY_RSA:
655 this->rsa = d2i_RSAPublicKey(NULL, (const u_char**)&blob.ptr,
656 blob.len);
657 break;
658 default:
659 break;
660 }
661 if (this->rsa)
662 {
663 return &this->public;
664 }
665 }
666 else if (n.ptr && e.ptr && type == KEY_RSA)
667 {
668 BIGNUM *bn_n, *bn_e;
669
670 this->rsa = RSA_new();
671 bn_n = BN_bin2bn((const u_char*)n.ptr, n.len, NULL);
672 bn_e = BN_bin2bn((const u_char*)e.ptr, e.len, NULL);
673 if (RSA_set0_key(this->rsa, bn_n, bn_e, NULL))
674 {
675 return &this->public;
676 }
677 }
678 destroy(this);
679 return NULL;
680 }
681
682 #endif /* OPENSSL_NO_RSA */
Michael's strongswan development tree