[thirdparty/openssl.git] / crypto / rsa / rsa_backend.c

/*
 * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/*
 * RSA low level APIs are deprecated for public use, but still ok for
 * internal use.
 */
#include "internal/deprecated.h"

#include <string.h>
#include <openssl/core_names.h>
#include <openssl/params.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include "internal/sizes.h"
#include "internal/param_build_set.h"
#include "crypto/asn1.h"
#include "crypto/rsa.h"
#include "rsa_local.h"

#include "e_os.h"                /* strcasecmp for Windows() */

/*
 * The intention with the "backend" source file is to offer backend support
 * for legacy backends (EVP_PKEY_ASN1_METHOD and EVP_PKEY_METHOD) and provider
 * implementations alike.
 */

DEFINE_STACK_OF(BIGNUM)

static int collect_numbers(STACK_OF(BIGNUM) *numbers,
                           const OSSL_PARAM params[], const char *names[])
{
    const OSSL_PARAM *p = NULL;
    int i;

    if (numbers == NULL)
        return 0;

    for (i = 0; names[i] != NULL; i++){
        p = OSSL_PARAM_locate_const(params, names[i]);
        if (p != NULL) {
            BIGNUM *tmp = NULL;

            if (!OSSL_PARAM_get_BN(p, &tmp)
                || sk_BIGNUM_push(numbers, tmp) == 0)
                return 0;
        }
    }

    return 1;
}

int ossl_rsa_fromdata(RSA *rsa, const OSSL_PARAM params[])
{
    const OSSL_PARAM *param_n, *param_e,  *param_d;
    BIGNUM *n = NULL, *e = NULL, *d = NULL;
    STACK_OF(BIGNUM) *factors = NULL, *exps = NULL, *coeffs = NULL;
    int is_private = 0;

    if (rsa == NULL)
        return 0;

    param_n = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_N);
    param_e = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_E);
    param_d = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_D);

    if ((param_n != NULL && !OSSL_PARAM_get_BN(param_n, &n))
        || (param_e != NULL && !OSSL_PARAM_get_BN(param_e, &e))
        || (param_d != NULL && !OSSL_PARAM_get_BN(param_d, &d)))
        goto err;

    is_private = (d != NULL);

    if (!RSA_set0_key(rsa, n, e, d))
        goto err;
    n = e = d = NULL;

    if (is_private) {
        if (!collect_numbers(factors = sk_BIGNUM_new_null(), params,
                             ossl_rsa_mp_factor_names)
            || !collect_numbers(exps = sk_BIGNUM_new_null(), params,
                                ossl_rsa_mp_exp_names)
            || !collect_numbers(coeffs = sk_BIGNUM_new_null(), params,
                                ossl_rsa_mp_coeff_names))
            goto err;

        /* It's ok if this private key just has n, e and d */
        if (sk_BIGNUM_num(factors) != 0
            && !ossl_rsa_set0_all_params(rsa, factors, exps, coeffs))
            goto err;
    }


    sk_BIGNUM_free(factors);
    sk_BIGNUM_free(exps);
    sk_BIGNUM_free(coeffs);
    return 1;

 err:
    BN_free(n);
    BN_free(e);
    BN_free(d);
    sk_BIGNUM_pop_free(factors, BN_free);
    sk_BIGNUM_pop_free(exps, BN_free);
    sk_BIGNUM_pop_free(coeffs, BN_free);
    return 0;
}

DEFINE_SPECIAL_STACK_OF_CONST(BIGNUM_const, BIGNUM)

int ossl_rsa_todata(RSA *rsa, OSSL_PARAM_BLD *bld, OSSL_PARAM params[])
{
    int ret = 0;
    const BIGNUM *rsa_d = NULL, *rsa_n = NULL, *rsa_e = NULL;
    STACK_OF(BIGNUM_const) *factors = sk_BIGNUM_const_new_null();
    STACK_OF(BIGNUM_const) *exps = sk_BIGNUM_const_new_null();
    STACK_OF(BIGNUM_const) *coeffs = sk_BIGNUM_const_new_null();

    if (rsa == NULL || factors == NULL || exps == NULL || coeffs == NULL)
        goto err;

    RSA_get0_key(rsa, &rsa_n, &rsa_e, &rsa_d);
    ossl_rsa_get0_all_params(rsa, factors, exps, coeffs);

    if (!ossl_param_build_set_bn(bld, params, OSSL_PKEY_PARAM_RSA_N, rsa_n)
        || !ossl_param_build_set_bn(bld, params, OSSL_PKEY_PARAM_RSA_E, rsa_e))
        goto err;

    /* Check private key data integrity */
    if (rsa_d != NULL) {
        int numprimes = sk_BIGNUM_const_num(factors);
        int numexps = sk_BIGNUM_const_num(exps);
        int numcoeffs = sk_BIGNUM_const_num(coeffs);

        /*
         * It's permissible to have zero primes, i.e. no CRT params.
         * Otherwise, there must be at least two, as many exponents,
         * and one coefficient less.
         */
        if (numprimes != 0
            && (numprimes < 2 || numexps < 2 || numcoeffs < 1))
            goto err;

        if (!ossl_param_build_set_bn(bld, params, OSSL_PKEY_PARAM_RSA_D,
                                     rsa_d)
            || !ossl_param_build_set_multi_key_bn(bld, params,
                                                  ossl_rsa_mp_factor_names,
                                                  factors)
            || !ossl_param_build_set_multi_key_bn(bld, params,
                                                  ossl_rsa_mp_exp_names, exps)
            || !ossl_param_build_set_multi_key_bn(bld, params,
                                                  ossl_rsa_mp_coeff_names,
                                                  coeffs))
        goto err;
    }

#if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS)
    /* The acvp test results are not meant for export so check for bld == NULL */
    if (bld == NULL)
        ossl_rsa_acvp_test_get_params(rsa, params);
#endif
    ret = 1;
 err:
    sk_BIGNUM_const_free(factors);
    sk_BIGNUM_const_free(exps);
    sk_BIGNUM_const_free(coeffs);
    return ret;
}

int ossl_rsa_pss_params_30_todata(const RSA_PSS_PARAMS_30 *pss,
                                  OSSL_PARAM_BLD *bld, OSSL_PARAM params[])
{
    if (!ossl_rsa_pss_params_30_is_unrestricted(pss)) {
        int hashalg_nid = ossl_rsa_pss_params_30_hashalg(pss);
        int maskgenalg_nid = ossl_rsa_pss_params_30_maskgenalg(pss);
        int maskgenhashalg_nid = ossl_rsa_pss_params_30_maskgenhashalg(pss);
        int saltlen = ossl_rsa_pss_params_30_saltlen(pss);
        int default_hashalg_nid = ossl_rsa_pss_params_30_hashalg(NULL);
        int default_maskgenalg_nid = ossl_rsa_pss_params_30_maskgenalg(NULL);
        int default_maskgenhashalg_nid =
                ossl_rsa_pss_params_30_maskgenhashalg(NULL);
        const char *mdname =
            (hashalg_nid == default_hashalg_nid
             ? NULL : ossl_rsa_oaeppss_nid2name(hashalg_nid));
        const char *mgfname =
            (maskgenalg_nid == default_maskgenalg_nid
             ? NULL : ossl_rsa_oaeppss_nid2name(maskgenalg_nid));
        const char *mgf1mdname =
            (maskgenhashalg_nid == default_maskgenhashalg_nid
             ? NULL : ossl_rsa_oaeppss_nid2name(maskgenhashalg_nid));
        const char *key_md = OSSL_PKEY_PARAM_RSA_DIGEST;
        const char *key_mgf = OSSL_PKEY_PARAM_RSA_MASKGENFUNC;
        const char *key_mgf1_md = OSSL_PKEY_PARAM_RSA_MGF1_DIGEST;
        const char *key_saltlen = OSSL_PKEY_PARAM_RSA_PSS_SALTLEN;

        /*
         * To ensure that the key isn't seen as unrestricted by the recipient,
         * we make sure that at least one PSS-related parameter is passed, even
         * if it has a default value; saltlen.
         */
        if ((mdname != NULL
             && !ossl_param_build_set_utf8_string(bld, params, key_md, mdname))
            || (mgfname != NULL
                && !ossl_param_build_set_utf8_string(bld, params,
                                                     key_mgf, mgfname))
            || (mgf1mdname != NULL
                && !ossl_param_build_set_utf8_string(bld, params,
                                                     key_mgf1_md, mgf1mdname))
            || (!ossl_param_build_set_int(bld, params, key_saltlen, saltlen)))
            return 0;
    }
    return 1;
}

int ossl_rsa_pss_params_30_fromdata(RSA_PSS_PARAMS_30 *pss_params,
                                    int *defaults_set,
                                    const OSSL_PARAM params[],
                                    OSSL_LIB_CTX *libctx)
{
    const OSSL_PARAM *param_md, *param_mgf, *param_mgf1md,  *param_saltlen;
    const OSSL_PARAM *param_propq;
    const char *propq = NULL;
    EVP_MD *md = NULL, *mgf1md = NULL;
    int saltlen;
    int ret = 0;

    if (pss_params == NULL)
        return 0;
    param_propq =
        OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_DIGEST_PROPS);
    param_md =
        OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_DIGEST);
    param_mgf =
        OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_MASKGENFUNC);
    param_mgf1md =
        OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_MGF1_DIGEST);
    param_saltlen =
        OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_PSS_SALTLEN);

    if (param_propq != NULL) {
        if (param_propq->data_type == OSSL_PARAM_UTF8_STRING)
            propq = param_propq->data;
    }
    /*
     * If we get any of the parameters, we know we have at least some
     * restrictions, so we start by setting default values, and let each
     * parameter override their specific restriction data.
     */
    if (!*defaults_set
        && (param_md != NULL || param_mgf != NULL || param_mgf1md != NULL
            || param_saltlen != NULL)) {
        if (!ossl_rsa_pss_params_30_set_defaults(pss_params))
            return 0;
        *defaults_set = 1;
    }

    if (param_mgf != NULL) {
        int default_maskgenalg_nid = ossl_rsa_pss_params_30_maskgenalg(NULL);
        const char *mgfname = NULL;

        if (param_mgf->data_type == OSSL_PARAM_UTF8_STRING)
            mgfname = param_mgf->data;
        else if (!OSSL_PARAM_get_utf8_ptr(param_mgf, &mgfname))
            return 0;

        /* TODO Revisit this if / when a new MGF algorithm appears */
        if (strcasecmp(param_mgf->data,
                       ossl_rsa_mgf_nid2name(default_maskgenalg_nid)) != 0)
            return 0;
    }

    /*
     * We're only interested in the NIDs that correspond to the MDs, so the
     * exact propquery is unimportant in the EVP_MD_fetch() calls below.
     */

    if (param_md != NULL) {
        const char *mdname = NULL;

        if (param_md->data_type == OSSL_PARAM_UTF8_STRING)
            mdname = param_md->data;
        else if (!OSSL_PARAM_get_utf8_ptr(param_mgf, &mdname))
            goto err;

        if ((md = EVP_MD_fetch(libctx, mdname, propq)) == NULL
            || !ossl_rsa_pss_params_30_set_hashalg(pss_params,
                                                   ossl_rsa_oaeppss_md2nid(md)))
            goto err;
    }

    if (param_mgf1md != NULL) {
        const char *mgf1mdname = NULL;

        if (param_mgf1md->data_type == OSSL_PARAM_UTF8_STRING)
            mgf1mdname = param_mgf1md->data;
        else if (!OSSL_PARAM_get_utf8_ptr(param_mgf, &mgf1mdname))
            goto err;

        if ((mgf1md = EVP_MD_fetch(libctx, mgf1mdname, propq)) == NULL
            || !ossl_rsa_pss_params_30_set_maskgenhashalg(
                    pss_params, ossl_rsa_oaeppss_md2nid(mgf1md)))
            goto err;
    }

    if (param_saltlen != NULL) {
        if (!OSSL_PARAM_get_int(param_saltlen, &saltlen)
            || !ossl_rsa_pss_params_30_set_saltlen(pss_params, saltlen))
            goto err;
    }

    ret = 1;

 err:
    EVP_MD_free(md);
    EVP_MD_free(mgf1md);
    return ret;
}

int ossl_rsa_is_foreign(const RSA *rsa)
{
#ifndef FIPS_MODULE
    if (rsa->engine != NULL || RSA_get_method(rsa) != RSA_PKCS1_OpenSSL())
        return 1;
#endif
    return 0;
}

static ossl_inline int rsa_bn_dup_check(BIGNUM **out, const BIGNUM *f)
{
    if (f != NULL && (*out = BN_dup(f)) == NULL)
        return 0;
    return 1;
}

RSA *ossl_rsa_dup(const RSA *rsa, int selection)
{
    RSA *dupkey = NULL;
#ifndef FIPS_MODULE
    int pnum, i;
#endif

    /* Do not try to duplicate foreign RSA keys */
    if (ossl_rsa_is_foreign(rsa))
        return NULL;

    if ((dupkey = ossl_rsa_new_with_ctx(rsa->libctx)) == NULL)
        return NULL;

    /* public key */
    if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) {
        if (!rsa_bn_dup_check(&dupkey->n, rsa->n))
            goto err;
        if (!rsa_bn_dup_check(&dupkey->e, rsa->e))
            goto err;
    }

    if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) {

        /* private key */
        if (!rsa_bn_dup_check(&dupkey->d, rsa->d))
            goto err;

        /* factors and crt params */
        if (!rsa_bn_dup_check(&dupkey->p, rsa->p))
            goto err;
        if (!rsa_bn_dup_check(&dupkey->q, rsa->q))
            goto err;
        if (!rsa_bn_dup_check(&dupkey->dmp1, rsa->dmp1))
            goto err;
        if (!rsa_bn_dup_check(&dupkey->dmq1, rsa->dmq1))
            goto err;
        if (!rsa_bn_dup_check(&dupkey->iqmp, rsa->iqmp))
            goto err;
    }

    dupkey->version = rsa->version;
    dupkey->flags = rsa->flags;
    /* we always copy the PSS parameters regardless of selection */
    dupkey->pss_params = rsa->pss_params;

#ifndef FIPS_MODULE
    /* multiprime */
    if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0
        && (pnum = sk_RSA_PRIME_INFO_num(rsa->prime_infos)) > 0) {
        dupkey->prime_infos = sk_RSA_PRIME_INFO_new_reserve(NULL, pnum);
        for (i = 0; i < pnum; i++) {
            const RSA_PRIME_INFO *pinfo = NULL;
            RSA_PRIME_INFO *duppinfo = NULL;

            if ((duppinfo = OPENSSL_zalloc(sizeof(*duppinfo))) == NULL) {
                ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
                goto err;
            }
            /* push first so cleanup in error case works */
            (void)sk_RSA_PRIME_INFO_push(dupkey->prime_infos, duppinfo);

            pinfo = sk_RSA_PRIME_INFO_value(rsa->prime_infos, i);
            if (!rsa_bn_dup_check(&duppinfo->r, pinfo->r))
                goto err;
            if (!rsa_bn_dup_check(&duppinfo->d, pinfo->d))
                goto err;
            if (!rsa_bn_dup_check(&duppinfo->t, pinfo->t))
                goto err;
        }
        if (!ossl_rsa_multip_calc_product(dupkey))
            goto err;
    }

    if (rsa->pss != NULL) {
        dupkey->pss = RSA_PSS_PARAMS_dup(rsa->pss);
        if (rsa->pss->maskGenAlgorithm != NULL
            && dupkey->pss->maskGenAlgorithm == NULL) {
            dupkey->pss->maskHash = ossl_x509_algor_mgf1_decode(rsa->pss->maskGenAlgorithm);
            if (dupkey->pss->maskHash == NULL)
                goto err;
        }
    }
    if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_RSA,
                            &dupkey->ex_data, &rsa->ex_data))
        goto err;
#endif

    return dupkey;

 err:
    RSA_free(dupkey);
    return NULL;
}

#ifndef FIPS_MODULE
RSA_PSS_PARAMS *ossl_rsa_pss_decode(const X509_ALGOR *alg)
{
    RSA_PSS_PARAMS *pss;

    pss = ASN1_TYPE_unpack_sequence(ASN1_ITEM_rptr(RSA_PSS_PARAMS),
                                    alg->parameter);

    if (pss == NULL)
        return NULL;

    if (pss->maskGenAlgorithm != NULL) {
        pss->maskHash = ossl_x509_algor_mgf1_decode(pss->maskGenAlgorithm);
        if (pss->maskHash == NULL) {
            RSA_PSS_PARAMS_free(pss);
            return NULL;
        }
    }

    return pss;
}

static int ossl_rsa_sync_to_pss_params_30(RSA *rsa)
{
    const RSA_PSS_PARAMS *legacy_pss = NULL;
    RSA_PSS_PARAMS_30 *pss = NULL;

    if (rsa != NULL
        && (legacy_pss = RSA_get0_pss_params(rsa)) != NULL
        && (pss = ossl_rsa_get0_pss_params_30(rsa)) != NULL) {
        const EVP_MD *md = NULL, *mgf1md = NULL;
        int md_nid, mgf1md_nid, saltlen, trailerField;
        RSA_PSS_PARAMS_30 pss_params;

        /*
         * We don't care about the validity of the fields here, we just
         * want to synchronise values.  Verifying here makes it impossible
         * to even read a key with invalid values, making it hard to test
         * a bad situation.
         *
         * Other routines use ossl_rsa_pss_get_param(), so the values will
         * be checked, eventually.
         */
        if (!ossl_rsa_pss_get_param_unverified(legacy_pss, &md, &mgf1md,
                                               &saltlen, &trailerField))
            return 0;
        md_nid = EVP_MD_get_type(md);
        mgf1md_nid = EVP_MD_get_type(mgf1md);
        if (!ossl_rsa_pss_params_30_set_defaults(&pss_params)
            || !ossl_rsa_pss_params_30_set_hashalg(&pss_params, md_nid)
            || !ossl_rsa_pss_params_30_set_maskgenhashalg(&pss_params,
                                                          mgf1md_nid)
            || !ossl_rsa_pss_params_30_set_saltlen(&pss_params, saltlen)
            || !ossl_rsa_pss_params_30_set_trailerfield(&pss_params,
                                                        trailerField))
            return 0;
        *pss = pss_params;
    }
    return 1;
}

int ossl_rsa_pss_get_param_unverified(const RSA_PSS_PARAMS *pss,
                                      const EVP_MD **pmd, const EVP_MD **pmgf1md,
                                      int *psaltlen, int *ptrailerField)
{
    RSA_PSS_PARAMS_30 pss_params;

    /* Get the defaults from the ONE place */
    (void)ossl_rsa_pss_params_30_set_defaults(&pss_params);

    if (pss == NULL)
        return 0;
    *pmd = ossl_x509_algor_get_md(pss->hashAlgorithm);
    if (*pmd == NULL)
        return 0;
    *pmgf1md = ossl_x509_algor_get_md(pss->maskHash);
    if (*pmgf1md == NULL)
        return 0;
    if (pss->saltLength)
        *psaltlen = ASN1_INTEGER_get(pss->saltLength);
    else
        *psaltlen = ossl_rsa_pss_params_30_saltlen(&pss_params);
    if (pss->trailerField)
        *ptrailerField = ASN1_INTEGER_get(pss->trailerField);
    else
        *ptrailerField = ossl_rsa_pss_params_30_trailerfield(&pss_params);;

    return 1;
}

int ossl_rsa_param_decode(RSA *rsa, const X509_ALGOR *alg)
{
    RSA_PSS_PARAMS *pss;
    const ASN1_OBJECT *algoid;
    const void *algp;
    int algptype;

    X509_ALGOR_get0(&algoid, &algptype, &algp, alg);
    if (OBJ_obj2nid(algoid) != EVP_PKEY_RSA_PSS)
        return 1;
    if (algptype == V_ASN1_UNDEF)
        return 1;
    if (algptype != V_ASN1_SEQUENCE) {
        ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_PSS_PARAMETERS);
        return 0;
    }
    if ((pss = ossl_rsa_pss_decode(alg)) == NULL
        || !ossl_rsa_set0_pss_params(rsa, pss)) {
        RSA_PSS_PARAMS_free(pss);
        return 0;
    }
    if (!ossl_rsa_sync_to_pss_params_30(rsa))
        return 0;
    return 1;
}

RSA *ossl_rsa_key_from_pkcs8(const PKCS8_PRIV_KEY_INFO *p8inf,
                             OSSL_LIB_CTX *libctx, const char *propq)
{
    const unsigned char *p;
    RSA *rsa;
    int pklen;
    const X509_ALGOR *alg;

    if (!PKCS8_pkey_get0(NULL, &p, &pklen, &alg, p8inf))
        return 0;
    rsa = d2i_RSAPrivateKey(NULL, &p, pklen);
    if (rsa == NULL) {
        ERR_raise(ERR_LIB_RSA, ERR_R_RSA_LIB);
        return NULL;
    }
    if (!ossl_rsa_param_decode(rsa, alg)) {
        RSA_free(rsa);
        return NULL;
    }

    RSA_clear_flags(rsa, RSA_FLAG_TYPE_MASK);
    switch (OBJ_obj2nid(alg->algorithm)) {
    case EVP_PKEY_RSA:
        RSA_set_flags(rsa, RSA_FLAG_TYPE_RSA);
        break;
    case EVP_PKEY_RSA_PSS:
        RSA_set_flags(rsa, RSA_FLAG_TYPE_RSASSAPSS);
        break;
    default:
        /* Leave the type bits zero */
        break;
    }

    return rsa;
}
#endif
Commit	Line	Data
0abae163	1	/*
a28d06f3	2	* Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
0abae163 RL	3	*
	4	* Licensed under the Apache License 2.0 (the "License"). You may not use
	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
	8	*/
	9
d7e498ac RL	10	/*
	11	* RSA low level APIs are deprecated for public use, but still ok for
	12	* internal use.
	13	*/
	14	#include "internal/deprecated.h"
	15
15671090	16	#include <string.h>
0abae163 RL	17	#include <openssl/core_names.h>
0abae163 RL	18	#include <openssl/params.h>
cf333799	19	#include <openssl/err.h>
15671090 RL	20	#include <openssl/evp.h>
	21	#include "internal/sizes.h"
	22	#include "internal/param_build_set.h"
cf333799	23	#include "crypto/asn1.h"
0abae163	24	#include "crypto/rsa.h"
4a9fe33c	25	#include "rsa_local.h"
0abae163	26
15671090 RL	27	#include "e_os.h" /* strcasecmp for Windows() */
15671090 RL	28
0abae163 RL	29	/*
	30	* The intention with the "backend" source file is to offer backend support
	31	* for legacy backends (EVP_PKEY_ASN1_METHOD and EVP_PKEY_METHOD) and provider
	32	* implementations alike.
	33	*/
	34
	35	DEFINE_STACK_OF(BIGNUM)
	36
	37	static int collect_numbers(STACK_OF(BIGNUM) *numbers,
96ebe52e	38	const OSSL_PARAM params[], const char *names[])
0abae163 RL	39	{
0abae163 RL	40	const OSSL_PARAM *p = NULL;
96ebe52e	41	int i;
0abae163 RL	42
	43	if (numbers == NULL)
	44	return 0;
	45
96ebe52e SL	46	for (i = 0; names[i] != NULL; i++){
	47	p = OSSL_PARAM_locate_const(params, names[i]);
	48	if (p != NULL) {
	49	BIGNUM *tmp = NULL;
0abae163	50
96ebe52e SL	51	if (!OSSL_PARAM_get_BN(p, &tmp)
	52	\|\| sk_BIGNUM_push(numbers, tmp) == 0)
	53	return 0;
	54	}
0abae163 RL	55	}
	56
	57	return 1;
	58	}
	59
23b2fc0b	60	int ossl_rsa_fromdata(RSA *rsa, const OSSL_PARAM params[])
0abae163 RL	61	{
	62	const OSSL_PARAM param_n, param_e, *param_d;
	63	BIGNUM n = NULL, e = NULL, *d = NULL;
	64	STACK_OF(BIGNUM) factors = NULL, exps = NULL, *coeffs = NULL;
	65	int is_private = 0;
	66
	67	if (rsa == NULL)
	68	return 0;
	69
	70	param_n = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_N);
	71	param_e = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_E);
	72	param_d = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_D);
	73
	74	if ((param_n != NULL && !OSSL_PARAM_get_BN(param_n, &n))
	75	\|\| (param_e != NULL && !OSSL_PARAM_get_BN(param_e, &e))
	76	\|\| (param_d != NULL && !OSSL_PARAM_get_BN(param_d, &d)))
	77	goto err;
	78
	79	is_private = (d != NULL);
	80
	81	if (!RSA_set0_key(rsa, n, e, d))
	82	goto err;
	83	n = e = d = NULL;
	84
	85	if (is_private) {
	86	if (!collect_numbers(factors = sk_BIGNUM_new_null(), params,
23b2fc0b	87	ossl_rsa_mp_factor_names)
0abae163	88	\|\| !collect_numbers(exps = sk_BIGNUM_new_null(), params,
23b2fc0b	89	ossl_rsa_mp_exp_names)
0abae163	90	\|\| !collect_numbers(coeffs = sk_BIGNUM_new_null(), params,
23b2fc0b	91	ossl_rsa_mp_coeff_names))
0abae163 RL	92	goto err;
	93
	94	/* It's ok if this private key just has n, e and d */
	95	if (sk_BIGNUM_num(factors) != 0
23b2fc0b	96	&& !ossl_rsa_set0_all_params(rsa, factors, exps, coeffs))
0abae163 RL	97	goto err;
	98	}
	99
4f2271d5	100
0abae163 RL	101	sk_BIGNUM_free(factors);
	102	sk_BIGNUM_free(exps);
	103	sk_BIGNUM_free(coeffs);
	104	return 1;
	105
	106	err:
	107	BN_free(n);
	108	BN_free(e);
	109	BN_free(d);
	110	sk_BIGNUM_pop_free(factors, BN_free);
	111	sk_BIGNUM_pop_free(exps, BN_free);
	112	sk_BIGNUM_pop_free(coeffs, BN_free);
	113	return 0;
	114	}
	115
645a541a RL	116	DEFINE_SPECIAL_STACK_OF_CONST(BIGNUM_const, BIGNUM)
645a541a RL	117
23b2fc0b	118	int ossl_rsa_todata(RSA rsa, OSSL_PARAM_BLD bld, OSSL_PARAM params[])
645a541a RL	119	{
	120	int ret = 0;
	121	const BIGNUM rsa_d = NULL, rsa_n = NULL, *rsa_e = NULL;
	122	STACK_OF(BIGNUM_const) *factors = sk_BIGNUM_const_new_null();
	123	STACK_OF(BIGNUM_const) *exps = sk_BIGNUM_const_new_null();
	124	STACK_OF(BIGNUM_const) *coeffs = sk_BIGNUM_const_new_null();
	125
	126	if (rsa == NULL \|\| factors == NULL \|\| exps == NULL \|\| coeffs == NULL)
	127	goto err;
	128
	129	RSA_get0_key(rsa, &rsa_n, &rsa_e, &rsa_d);
23b2fc0b	130	ossl_rsa_get0_all_params(rsa, factors, exps, coeffs);
645a541a	131
26a8f2ac RL	132	if (!ossl_param_build_set_bn(bld, params, OSSL_PKEY_PARAM_RSA_N, rsa_n)
	133	\|\| !ossl_param_build_set_bn(bld, params, OSSL_PKEY_PARAM_RSA_E, rsa_e))
	134	goto err;
	135
645a541a RL	136	/* Check private key data integrity */
	137	if (rsa_d != NULL) {
	138	int numprimes = sk_BIGNUM_const_num(factors);
	139	int numexps = sk_BIGNUM_const_num(exps);
	140	int numcoeffs = sk_BIGNUM_const_num(coeffs);
	141
	142	/*
4f2271d5	143	* It's permissible to have zero primes, i.e. no CRT params.
645a541a RL	144	* Otherwise, there must be at least two, as many exponents,
	145	* and one coefficient less.
	146	*/
	147	if (numprimes != 0
	148	&& (numprimes < 2 \|\| numexps < 2 \|\| numcoeffs < 1))
	149	goto err;
645a541a	150
26a8f2ac RL	151	if (!ossl_param_build_set_bn(bld, params, OSSL_PKEY_PARAM_RSA_D,
	152	rsa_d)
	153	\|\| !ossl_param_build_set_multi_key_bn(bld, params,
23b2fc0b P	154	ossl_rsa_mp_factor_names,
23b2fc0b P	155	factors)
26a8f2ac	156	\|\| !ossl_param_build_set_multi_key_bn(bld, params,
23b2fc0b	157	ossl_rsa_mp_exp_names, exps)
26a8f2ac	158	\|\| !ossl_param_build_set_multi_key_bn(bld, params,
23b2fc0b P	159	ossl_rsa_mp_coeff_names,
23b2fc0b P	160	coeffs))
645a541a	161	goto err;
26a8f2ac RL	162	}
26a8f2ac RL	163
4f2271d5 SL	164	#if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS)
	165	/* The acvp test results are not meant for export so check for bld == NULL */
	166	if (bld == NULL)
4158b0dc	167	ossl_rsa_acvp_test_get_params(rsa, params);
4f2271d5	168	#endif
645a541a RL	169	ret = 1;
	170	err:
	171	sk_BIGNUM_const_free(factors);
	172	sk_BIGNUM_const_free(exps);
	173	sk_BIGNUM_const_free(coeffs);
	174	return ret;
	175	}
15671090	176
23b2fc0b P	177	int ossl_rsa_pss_params_30_todata(const RSA_PSS_PARAMS_30 *pss,
23b2fc0b P	178	OSSL_PARAM_BLD *bld, OSSL_PARAM params[])
15671090	179	{
23b2fc0b P	180	if (!ossl_rsa_pss_params_30_is_unrestricted(pss)) {
	181	int hashalg_nid = ossl_rsa_pss_params_30_hashalg(pss);
	182	int maskgenalg_nid = ossl_rsa_pss_params_30_maskgenalg(pss);
	183	int maskgenhashalg_nid = ossl_rsa_pss_params_30_maskgenhashalg(pss);
	184	int saltlen = ossl_rsa_pss_params_30_saltlen(pss);
	185	int default_hashalg_nid = ossl_rsa_pss_params_30_hashalg(NULL);
	186	int default_maskgenalg_nid = ossl_rsa_pss_params_30_maskgenalg(NULL);
	187	int default_maskgenhashalg_nid =
	188	ossl_rsa_pss_params_30_maskgenhashalg(NULL);
15671090 RL	189	const char *mdname =
15671090 RL	190	(hashalg_nid == default_hashalg_nid
23b2fc0b	191	? NULL : ossl_rsa_oaeppss_nid2name(hashalg_nid));
15671090 RL	192	const char *mgfname =
15671090 RL	193	(maskgenalg_nid == default_maskgenalg_nid
23b2fc0b	194	? NULL : ossl_rsa_oaeppss_nid2name(maskgenalg_nid));
15671090 RL	195	const char *mgf1mdname =
15671090 RL	196	(maskgenhashalg_nid == default_maskgenhashalg_nid
23b2fc0b	197	? NULL : ossl_rsa_oaeppss_nid2name(maskgenhashalg_nid));
15671090 RL	198	const char *key_md = OSSL_PKEY_PARAM_RSA_DIGEST;
	199	const char *key_mgf = OSSL_PKEY_PARAM_RSA_MASKGENFUNC;
	200	const char *key_mgf1_md = OSSL_PKEY_PARAM_RSA_MGF1_DIGEST;
	201	const char *key_saltlen = OSSL_PKEY_PARAM_RSA_PSS_SALTLEN;
	202
	203	/*
	204	* To ensure that the key isn't seen as unrestricted by the recipient,
	205	* we make sure that at least one PSS-related parameter is passed, even
	206	* if it has a default value; saltlen.
	207	*/
	208	if ((mdname != NULL
	209	&& !ossl_param_build_set_utf8_string(bld, params, key_md, mdname))
	210	\|\| (mgfname != NULL
	211	&& !ossl_param_build_set_utf8_string(bld, params,
	212	key_mgf, mgfname))
	213	\|\| (mgf1mdname != NULL
	214	&& !ossl_param_build_set_utf8_string(bld, params,
	215	key_mgf1_md, mgf1mdname))
	216	\|\| (!ossl_param_build_set_int(bld, params, key_saltlen, saltlen)))
	217	return 0;
	218	}
	219	return 1;
	220	}
	221
23b2fc0b	222	int ossl_rsa_pss_params_30_fromdata(RSA_PSS_PARAMS_30 *pss_params,
bbde8566	223	int *defaults_set,
23b2fc0b	224	const OSSL_PARAM params[],
b4250010	225	OSSL_LIB_CTX *libctx)
15671090 RL	226	{
15671090 RL	227	const OSSL_PARAM param_md, param_mgf, param_mgf1md, param_saltlen;
719523c7 SL	228	const OSSL_PARAM *param_propq;
719523c7 SL	229	const char *propq = NULL;
15671090 RL	230	EVP_MD md = NULL, mgf1md = NULL;
	231	int saltlen;
	232	int ret = 0;
	233
	234	if (pss_params == NULL)
	235	return 0;
719523c7 SL	236	param_propq =
719523c7 SL	237	OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_DIGEST_PROPS);
15671090 RL	238	param_md =
	239	OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_DIGEST);
	240	param_mgf =
	241	OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_MASKGENFUNC);
	242	param_mgf1md =
	243	OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_MGF1_DIGEST);
	244	param_saltlen =
	245	OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_PSS_SALTLEN);
	246
719523c7 SL	247	if (param_propq != NULL) {
	248	if (param_propq->data_type == OSSL_PARAM_UTF8_STRING)
	249	propq = param_propq->data;
	250	}
15671090 RL	251	/*
	252	* If we get any of the parameters, we know we have at least some
	253	* restrictions, so we start by setting default values, and let each
	254	* parameter override their specific restriction data.
	255	*/
bbde8566 TM	256	if (!*defaults_set
	257	&& (param_md != NULL \|\| param_mgf != NULL \|\| param_mgf1md != NULL
	258	\|\| param_saltlen != NULL)) {
23b2fc0b	259	if (!ossl_rsa_pss_params_30_set_defaults(pss_params))
15671090	260	return 0;
bbde8566 TM	261	*defaults_set = 1;
bbde8566 TM	262	}
15671090 RL	263
15671090 RL	264	if (param_mgf != NULL) {
23b2fc0b	265	int default_maskgenalg_nid = ossl_rsa_pss_params_30_maskgenalg(NULL);
15671090 RL	266	const char *mgfname = NULL;
	267
	268	if (param_mgf->data_type == OSSL_PARAM_UTF8_STRING)
	269	mgfname = param_mgf->data;
	270	else if (!OSSL_PARAM_get_utf8_ptr(param_mgf, &mgfname))
	271	return 0;
	272
	273	/* TODO Revisit this if / when a new MGF algorithm appears */
	274	if (strcasecmp(param_mgf->data,
23b2fc0b	275	ossl_rsa_mgf_nid2name(default_maskgenalg_nid)) != 0)
15671090 RL	276	return 0;
	277	}
	278
	279	/*
	280	* We're only interested in the NIDs that correspond to the MDs, so the
	281	* exact propquery is unimportant in the EVP_MD_fetch() calls below.
	282	*/
	283
	284	if (param_md != NULL) {
	285	const char *mdname = NULL;
	286
	287	if (param_md->data_type == OSSL_PARAM_UTF8_STRING)
	288	mdname = param_md->data;
	289	else if (!OSSL_PARAM_get_utf8_ptr(param_mgf, &mdname))
	290	goto err;
	291
719523c7	292	if ((md = EVP_MD_fetch(libctx, mdname, propq)) == NULL
23b2fc0b P	293	\|\| !ossl_rsa_pss_params_30_set_hashalg(pss_params,
23b2fc0b P	294	ossl_rsa_oaeppss_md2nid(md)))
15671090 RL	295	goto err;
	296	}
	297
	298	if (param_mgf1md != NULL) {
	299	const char *mgf1mdname = NULL;
	300
	301	if (param_mgf1md->data_type == OSSL_PARAM_UTF8_STRING)
	302	mgf1mdname = param_mgf1md->data;
	303	else if (!OSSL_PARAM_get_utf8_ptr(param_mgf, &mgf1mdname))
	304	goto err;
	305
719523c7	306	if ((mgf1md = EVP_MD_fetch(libctx, mgf1mdname, propq)) == NULL
23b2fc0b P	307	\|\| !ossl_rsa_pss_params_30_set_maskgenhashalg(
23b2fc0b P	308	pss_params, ossl_rsa_oaeppss_md2nid(mgf1md)))
15671090 RL	309	goto err;
	310	}
	311
	312	if (param_saltlen != NULL) {
	313	if (!OSSL_PARAM_get_int(param_saltlen, &saltlen)
23b2fc0b	314	\|\| !ossl_rsa_pss_params_30_set_saltlen(pss_params, saltlen))
15671090 RL	315	goto err;
	316	}
	317
	318	ret = 1;
	319
	320	err:
	321	EVP_MD_free(md);
	322	EVP_MD_free(mgf1md);
	323	return ret;
	324	}
cf333799	325
b247113c TM	326	int ossl_rsa_is_foreign(const RSA *rsa)
	327	{
	328	#ifndef FIPS_MODULE
	329	if (rsa->engine != NULL \|\| RSA_get_method(rsa) != RSA_PKCS1_OpenSSL())
	330	return 1;
	331	#endif
	332	return 0;
	333	}
	334
4a9fe33c TM	335	static ossl_inline int rsa_bn_dup_check(BIGNUM *out, const BIGNUM f)
	336	{
	337	if (f != NULL && (*out = BN_dup(f)) == NULL)
	338	return 0;
	339	return 1;
	340	}
	341
b4f447c0	342	RSA ossl_rsa_dup(const RSA rsa, int selection)
4a9fe33c TM	343	{
	344	RSA *dupkey = NULL;
	345	#ifndef FIPS_MODULE
	346	int pnum, i;
b247113c	347	#endif
4a9fe33c TM	348
4a9fe33c TM	349	/* Do not try to duplicate foreign RSA keys */
b247113c	350	if (ossl_rsa_is_foreign(rsa))
4a9fe33c	351	return NULL;
4a9fe33c TM	352
	353	if ((dupkey = ossl_rsa_new_with_ctx(rsa->libctx)) == NULL)
	354	return NULL;
	355
b4f447c0 TM	356	/* public key */
	357	if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) {
	358	if (!rsa_bn_dup_check(&dupkey->n, rsa->n))
	359	goto err;
	360	if (!rsa_bn_dup_check(&dupkey->e, rsa->e))
	361	goto err;
	362	}
4a9fe33c	363
b4f447c0 TM	364	if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) {
	365
	366	/* private key */
	367	if (!rsa_bn_dup_check(&dupkey->d, rsa->d))
	368	goto err;
	369
	370	/* factors and crt params */
	371	if (!rsa_bn_dup_check(&dupkey->p, rsa->p))
	372	goto err;
	373	if (!rsa_bn_dup_check(&dupkey->q, rsa->q))
	374	goto err;
	375	if (!rsa_bn_dup_check(&dupkey->dmp1, rsa->dmp1))
	376	goto err;
	377	if (!rsa_bn_dup_check(&dupkey->dmq1, rsa->dmq1))
	378	goto err;
	379	if (!rsa_bn_dup_check(&dupkey->iqmp, rsa->iqmp))
	380	goto err;
	381	}
4a9fe33c TM	382
	383	dupkey->version = rsa->version;
	384	dupkey->flags = rsa->flags;
b4f447c0	385	/* we always copy the PSS parameters regardless of selection */
4a9fe33c TM	386	dupkey->pss_params = rsa->pss_params;
	387
	388	#ifndef FIPS_MODULE
	389	/* multiprime */
b4f447c0 TM	390	if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0
b4f447c0 TM	391	&& (pnum = sk_RSA_PRIME_INFO_num(rsa->prime_infos)) > 0) {
4a9fe33c TM	392	dupkey->prime_infos = sk_RSA_PRIME_INFO_new_reserve(NULL, pnum);
	393	for (i = 0; i < pnum; i++) {
	394	const RSA_PRIME_INFO *pinfo = NULL;
	395	RSA_PRIME_INFO *duppinfo = NULL;
	396
	397	if ((duppinfo = OPENSSL_zalloc(sizeof(*duppinfo))) == NULL) {
	398	ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
	399	goto err;
	400	}
	401	/* push first so cleanup in error case works */
	402	(void)sk_RSA_PRIME_INFO_push(dupkey->prime_infos, duppinfo);
	403
	404	pinfo = sk_RSA_PRIME_INFO_value(rsa->prime_infos, i);
	405	if (!rsa_bn_dup_check(&duppinfo->r, pinfo->r))
	406	goto err;
	407	if (!rsa_bn_dup_check(&duppinfo->d, pinfo->d))
	408	goto err;
	409	if (!rsa_bn_dup_check(&duppinfo->t, pinfo->t))
	410	goto err;
	411	}
	412	if (!ossl_rsa_multip_calc_product(dupkey))
	413	goto err;
	414	}
	415
	416	if (rsa->pss != NULL) {
	417	dupkey->pss = RSA_PSS_PARAMS_dup(rsa->pss);
	418	if (rsa->pss->maskGenAlgorithm != NULL
	419	&& dupkey->pss->maskGenAlgorithm == NULL) {
	420	dupkey->pss->maskHash = ossl_x509_algor_mgf1_decode(rsa->pss->maskGenAlgorithm);
	421	if (dupkey->pss->maskHash == NULL)
	422	goto err;
	423	}
	424	}
	425	if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_RSA,
	426	&dupkey->ex_data, &rsa->ex_data))
	427	goto err;
	428	#endif
	429
	430	return dupkey;
	431
	432	err:
	433	RSA_free(dupkey);
	434	return NULL;
	435	}
	436
cf333799 RL	437	#ifndef FIPS_MODULE
	438	RSA_PSS_PARAMS ossl_rsa_pss_decode(const X509_ALGOR alg)
	439	{
	440	RSA_PSS_PARAMS *pss;
	441
	442	pss = ASN1_TYPE_unpack_sequence(ASN1_ITEM_rptr(RSA_PSS_PARAMS),
	443	alg->parameter);
	444
	445	if (pss == NULL)
	446	return NULL;
	447
	448	if (pss->maskGenAlgorithm != NULL) {
	449	pss->maskHash = ossl_x509_algor_mgf1_decode(pss->maskGenAlgorithm);
	450	if (pss->maskHash == NULL) {
	451	RSA_PSS_PARAMS_free(pss);
	452	return NULL;
	453	}
	454	}
	455
	456	return pss;
	457	}
	458
	459	static int ossl_rsa_sync_to_pss_params_30(RSA *rsa)
	460	{
	461	const RSA_PSS_PARAMS *legacy_pss = NULL;
	462	RSA_PSS_PARAMS_30 *pss = NULL;
	463
	464	if (rsa != NULL
	465	&& (legacy_pss = RSA_get0_pss_params(rsa)) != NULL
	466	&& (pss = ossl_rsa_get0_pss_params_30(rsa)) != NULL) {
	467	const EVP_MD md = NULL, mgf1md = NULL;
	468	int md_nid, mgf1md_nid, saltlen, trailerField;
	469	RSA_PSS_PARAMS_30 pss_params;
	470
	471	/*
	472	* We don't care about the validity of the fields here, we just
	473	* want to synchronise values. Verifying here makes it impossible
	474	* to even read a key with invalid values, making it hard to test
	475	* a bad situation.
	476	*
	477	* Other routines use ossl_rsa_pss_get_param(), so the values will
	478	* be checked, eventually.
	479	*/
	480	if (!ossl_rsa_pss_get_param_unverified(legacy_pss, &md, &mgf1md,
	481	&saltlen, &trailerField))
	482	return 0;
ed576acd TM	483	md_nid = EVP_MD_get_type(md);
ed576acd TM	484	mgf1md_nid = EVP_MD_get_type(mgf1md);
cf333799 RL	485	if (!ossl_rsa_pss_params_30_set_defaults(&pss_params)
	486	\|\| !ossl_rsa_pss_params_30_set_hashalg(&pss_params, md_nid)
	487	\|\| !ossl_rsa_pss_params_30_set_maskgenhashalg(&pss_params,
	488	mgf1md_nid)
	489	\|\| !ossl_rsa_pss_params_30_set_saltlen(&pss_params, saltlen)
	490	\|\| !ossl_rsa_pss_params_30_set_trailerfield(&pss_params,
	491	trailerField))
	492	return 0;
	493	*pss = pss_params;
	494	}
	495	return 1;
	496	}
	497
	498	int ossl_rsa_pss_get_param_unverified(const RSA_PSS_PARAMS *pss,
	499	const EVP_MD pmd, const EVP_MD pmgf1md,
	500	int psaltlen, int ptrailerField)
	501	{
	502	RSA_PSS_PARAMS_30 pss_params;
	503
	504	/* Get the defaults from the ONE place */
	505	(void)ossl_rsa_pss_params_30_set_defaults(&pss_params);
	506
	507	if (pss == NULL)
	508	return 0;
	509	*pmd = ossl_x509_algor_get_md(pss->hashAlgorithm);
	510	if (*pmd == NULL)
	511	return 0;
	512	*pmgf1md = ossl_x509_algor_get_md(pss->maskHash);
	513	if (*pmgf1md == NULL)
	514	return 0;
	515	if (pss->saltLength)
	516	*psaltlen = ASN1_INTEGER_get(pss->saltLength);
	517	else
	518	*psaltlen = ossl_rsa_pss_params_30_saltlen(&pss_params);
	519	if (pss->trailerField)
	520	*ptrailerField = ASN1_INTEGER_get(pss->trailerField);
	521	else
	522	*ptrailerField = ossl_rsa_pss_params_30_trailerfield(&pss_params);;
	523
	524	return 1;
	525	}
	526
	527	int ossl_rsa_param_decode(RSA rsa, const X509_ALGOR alg)
	528	{
	529	RSA_PSS_PARAMS *pss;
	530	const ASN1_OBJECT *algoid;
	531	const void *algp;
	532	int algptype;
	533
	534	X509_ALGOR_get0(&algoid, &algptype, &algp, alg);
	535	if (OBJ_obj2nid(algoid) != EVP_PKEY_RSA_PSS)
	536	return 1;
	537	if (algptype == V_ASN1_UNDEF)
	538	return 1;
	539	if (algptype != V_ASN1_SEQUENCE) {
	540	ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_PSS_PARAMETERS);
	541	return 0;
	542	}
	543	if ((pss = ossl_rsa_pss_decode(alg)) == NULL
	544	\|\| !ossl_rsa_set0_pss_params(rsa, pss)) {
	545	RSA_PSS_PARAMS_free(pss);
	546	return 0;
	547	}
	548	if (!ossl_rsa_sync_to_pss_params_30(rsa))
549	return 0;
550	return 1;
551	}
552
553	RSA ossl_rsa_key_from_pkcs8(const PKCS8_PRIV_KEY_INFO p8inf,
554	OSSL_LIB_CTX libctx, const char propq)
555	{
556	const unsigned char *p;
557	RSA *rsa;
558	int pklen;
559	const X509_ALGOR *alg;
560
561	if (!PKCS8_pkey_get0(NULL, &p, &pklen, &alg, p8inf))
562	return 0;
563	rsa = d2i_RSAPrivateKey(NULL, &p, pklen);
564	if (rsa == NULL) {
565	ERR_raise(ERR_LIB_RSA, ERR_R_RSA_LIB);
566	return NULL;
567	}
568	if (!ossl_rsa_param_decode(rsa, alg)) {
569	RSA_free(rsa);
570	return NULL;
571	}
572
573	RSA_clear_flags(rsa, RSA_FLAG_TYPE_MASK);
574	switch (OBJ_obj2nid(alg->algorithm)) {
575	case EVP_PKEY_RSA:
576	RSA_set_flags(rsa, RSA_FLAG_TYPE_RSA);
577	break;
578	case EVP_PKEY_RSA_PSS:
579	RSA_set_flags(rsa, RSA_FLAG_TYPE_RSASSAPSS);
580	break;
581	default:
582	/* Leave the type bits zero */
583	break;
584	}
585
586	return rsa;
587	}
588	#endif