]> git.ipfire.org Git - thirdparty/openssl.git/blob - crypto/rsa/rsa_ameth.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Move CMS enveloping code out of the algorithms and into CMS
[thirdparty/openssl.git] / crypto / rsa / rsa_ameth.c
1 /*
2 * Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 /*
11 * RSA low level APIs are deprecated for public use, but still ok for
12 * internal use.
13 */
14 #include "internal/deprecated.h"
15
16 #include <stdio.h>
17 #include "internal/cryptlib.h"
18 #include <openssl/asn1t.h>
19 #include <openssl/x509.h>
20 #include <openssl/bn.h>
21 #include <openssl/cms.h>
22 #include <openssl/core_names.h>
23 #include <openssl/param_build.h>
24 #include "crypto/asn1.h"
25 #include "crypto/evp.h"
26 #include "crypto/rsa.h"
27 #include "rsa_local.h"
28
29 #ifndef OPENSSL_NO_CMS
30 static int rsa_cms_sign(CMS_SignerInfo *si);
31 static int rsa_cms_verify(CMS_SignerInfo *si);
32 #endif
33
34 static RSA_PSS_PARAMS *rsa_pss_decode(const X509_ALGOR *alg);
35 static int rsa_sync_to_pss_params_30(RSA *rsa);
36
37 /* Set any parameters associated with pkey */
38 static int rsa_param_encode(const EVP_PKEY *pkey,
39 ASN1_STRING **pstr, int *pstrtype)
40 {
41 const RSA *rsa = pkey->pkey.rsa;
42
43 *pstr = NULL;
44 /* If RSA it's just NULL type */
45 if (RSA_test_flags(rsa, RSA_FLAG_TYPE_MASK) != RSA_FLAG_TYPE_RSASSAPSS) {
46 *pstrtype = V_ASN1_NULL;
47 return 1;
48 }
49 /* If no PSS parameters we omit parameters entirely */
50 if (rsa->pss == NULL) {
51 *pstrtype = V_ASN1_UNDEF;
52 return 1;
53 }
54 /* Encode PSS parameters */
55 if (ASN1_item_pack(rsa->pss, ASN1_ITEM_rptr(RSA_PSS_PARAMS), pstr) == NULL)
56 return 0;
57
58 *pstrtype = V_ASN1_SEQUENCE;
59 return 1;
60 }
61 /* Decode any parameters and set them in RSA structure */
62 static int rsa_param_decode(RSA *rsa, const X509_ALGOR *alg)
63 {
64 const ASN1_OBJECT *algoid;
65 const void *algp;
66 int algptype;
67
68 X509_ALGOR_get0(&algoid, &algptype, &algp, alg);
69 if (OBJ_obj2nid(algoid) != EVP_PKEY_RSA_PSS)
70 return 1;
71 if (algptype == V_ASN1_UNDEF)
72 return 1;
73 if (algptype != V_ASN1_SEQUENCE) {
74 RSAerr(RSA_F_RSA_PARAM_DECODE, RSA_R_INVALID_PSS_PARAMETERS);
75 return 0;
76 }
77 rsa->pss = rsa_pss_decode(alg);
78 if (rsa->pss == NULL)
79 return 0;
80 if (!rsa_sync_to_pss_params_30(rsa))
81 return 0;
82 return 1;
83 }
84
85 static int rsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
86 {
87 unsigned char *penc = NULL;
88 int penclen;
89 ASN1_STRING *str;
90 int strtype;
91
92 if (!rsa_param_encode(pkey, &str, &strtype))
93 return 0;
94 penclen = i2d_RSAPublicKey(pkey->pkey.rsa, &penc);
95 if (penclen <= 0)
96 return 0;
97 if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(pkey->ameth->pkey_id),
98 strtype, str, penc, penclen))
99 return 1;
100
101 OPENSSL_free(penc);
102 return 0;
103 }
104
105 static int rsa_pub_decode(EVP_PKEY *pkey, const X509_PUBKEY *pubkey)
106 {
107 const unsigned char *p;
108 int pklen;
109 X509_ALGOR *alg;
110 RSA *rsa = NULL;
111
112 if (!X509_PUBKEY_get0_param(NULL, &p, &pklen, &alg, pubkey))
113 return 0;
114 if ((rsa = d2i_RSAPublicKey(NULL, &p, pklen)) == NULL)
115 return 0;
116 if (!rsa_param_decode(rsa, alg)) {
117 RSA_free(rsa);
118 return 0;
119 }
120
121 RSA_clear_flags(rsa, RSA_FLAG_TYPE_MASK);
122 switch (pkey->ameth->pkey_id) {
123 case EVP_PKEY_RSA:
124 RSA_set_flags(rsa, RSA_FLAG_TYPE_RSA);
125 break;
126 case EVP_PKEY_RSA_PSS:
127 RSA_set_flags(rsa, RSA_FLAG_TYPE_RSASSAPSS);
128 break;
129 default:
130 /* Leave the type bits zero */
131 break;
132 }
133
134 if (!EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa)) {
135 RSA_free(rsa);
136 return 0;
137 }
138 return 1;
139 }
140
141 static int rsa_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b)
142 {
143 /*
144 * Don't check the public/private key, this is mostly for smart
145 * cards.
146 */
147 if (((RSA_flags(a->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK))
148 || (RSA_flags(b->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK)) {
149 return 1;
150 }
151
152 if (BN_cmp(b->pkey.rsa->n, a->pkey.rsa->n) != 0
153 || BN_cmp(b->pkey.rsa->e, a->pkey.rsa->e) != 0)
154 return 0;
155 return 1;
156 }
157
158 static int old_rsa_priv_decode(EVP_PKEY *pkey,
159 const unsigned char **pder, int derlen)
160 {
161 RSA *rsa;
162
163 if ((rsa = d2i_RSAPrivateKey(NULL, pder, derlen)) == NULL)
164 return 0;
165 EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa);
166 return 1;
167 }
168
169 static int old_rsa_priv_encode(const EVP_PKEY *pkey, unsigned char **pder)
170 {
171 return i2d_RSAPrivateKey(pkey->pkey.rsa, pder);
172 }
173
174 static int rsa_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
175 {
176 unsigned char *rk = NULL;
177 int rklen;
178 ASN1_STRING *str;
179 int strtype;
180
181 if (!rsa_param_encode(pkey, &str, &strtype))
182 return 0;
183 rklen = i2d_RSAPrivateKey(pkey->pkey.rsa, &rk);
184
185 if (rklen <= 0) {
186 RSAerr(RSA_F_RSA_PRIV_ENCODE, ERR_R_MALLOC_FAILURE);
187 ASN1_STRING_free(str);
188 return 0;
189 }
190
191 if (!PKCS8_pkey_set0(p8, OBJ_nid2obj(pkey->ameth->pkey_id), 0,
192 strtype, str, rk, rklen)) {
193 RSAerr(RSA_F_RSA_PRIV_ENCODE, ERR_R_MALLOC_FAILURE);
194 ASN1_STRING_free(str);
195 return 0;
196 }
197
198 return 1;
199 }
200
201 static int rsa_priv_decode(EVP_PKEY *pkey, const PKCS8_PRIV_KEY_INFO *p8)
202 {
203 const unsigned char *p;
204 RSA *rsa;
205 int pklen;
206 const X509_ALGOR *alg;
207
208 if (!PKCS8_pkey_get0(NULL, &p, &pklen, &alg, p8))
209 return 0;
210 rsa = d2i_RSAPrivateKey(NULL, &p, pklen);
211 if (rsa == NULL) {
212 RSAerr(RSA_F_RSA_PRIV_DECODE, ERR_R_RSA_LIB);
213 return 0;
214 }
215 if (!rsa_param_decode(rsa, alg)) {
216 RSA_free(rsa);
217 return 0;
218 }
219
220 RSA_clear_flags(rsa, RSA_FLAG_TYPE_MASK);
221 switch (pkey->ameth->pkey_id) {
222 case EVP_PKEY_RSA:
223 RSA_set_flags(rsa, RSA_FLAG_TYPE_RSA);
224 break;
225 case EVP_PKEY_RSA_PSS:
226 RSA_set_flags(rsa, RSA_FLAG_TYPE_RSASSAPSS);
227 break;
228 default:
229 /* Leave the type bits zero */
230 break;
231 }
232
233 EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa);
234 return 1;
235 }
236
237 static int int_rsa_size(const EVP_PKEY *pkey)
238 {
239 return RSA_size(pkey->pkey.rsa);
240 }
241
242 static int rsa_bits(const EVP_PKEY *pkey)
243 {
244 return BN_num_bits(pkey->pkey.rsa->n);
245 }
246
247 static int rsa_security_bits(const EVP_PKEY *pkey)
248 {
249 return RSA_security_bits(pkey->pkey.rsa);
250 }
251
252 static void int_rsa_free(EVP_PKEY *pkey)
253 {
254 RSA_free(pkey->pkey.rsa);
255 }
256
257 static int rsa_pss_param_print(BIO *bp, int pss_key, RSA_PSS_PARAMS *pss,
258 int indent)
259 {
260 int rv = 0;
261 X509_ALGOR *maskHash = NULL;
262
263 if (!BIO_indent(bp, indent, 128))
264 goto err;
265 if (pss_key) {
266 if (pss == NULL) {
267 if (BIO_puts(bp, "No PSS parameter restrictions\n") <= 0)
268 return 0;
269 return 1;
270 } else {
271 if (BIO_puts(bp, "PSS parameter restrictions:") <= 0)
272 return 0;
273 }
274 } else if (pss == NULL) {
275 if (BIO_puts(bp,"(INVALID PSS PARAMETERS)\n") <= 0)
276 return 0;
277 return 1;
278 }
279 if (BIO_puts(bp, "\n") <= 0)
280 goto err;
281 if (pss_key)
282 indent += 2;
283 if (!BIO_indent(bp, indent, 128))
284 goto err;
285 if (BIO_puts(bp, "Hash Algorithm: ") <= 0)
286 goto err;
287
288 if (pss->hashAlgorithm) {
289 if (i2a_ASN1_OBJECT(bp, pss->hashAlgorithm->algorithm) <= 0)
290 goto err;
291 } else if (BIO_puts(bp, "sha1 (default)") <= 0) {
292 goto err;
293 }
294
295 if (BIO_puts(bp, "\n") <= 0)
296 goto err;
297
298 if (!BIO_indent(bp, indent, 128))
299 goto err;
300
301 if (BIO_puts(bp, "Mask Algorithm: ") <= 0)
302 goto err;
303 if (pss->maskGenAlgorithm) {
304 if (i2a_ASN1_OBJECT(bp, pss->maskGenAlgorithm->algorithm) <= 0)
305 goto err;
306 if (BIO_puts(bp, " with ") <= 0)
307 goto err;
308 maskHash = x509_algor_mgf1_decode(pss->maskGenAlgorithm);
309 if (maskHash != NULL) {
310 if (i2a_ASN1_OBJECT(bp, maskHash->algorithm) <= 0)
311 goto err;
312 } else if (BIO_puts(bp, "INVALID") <= 0) {
313 goto err;
314 }
315 } else if (BIO_puts(bp, "mgf1 with sha1 (default)") <= 0) {
316 goto err;
317 }
318 BIO_puts(bp, "\n");
319
320 if (!BIO_indent(bp, indent, 128))
321 goto err;
322 if (BIO_printf(bp, "%s Salt Length: 0x", pss_key ? "Minimum" : "") <= 0)
323 goto err;
324 if (pss->saltLength) {
325 if (i2a_ASN1_INTEGER(bp, pss->saltLength) <= 0)
326 goto err;
327 } else if (BIO_puts(bp, "14 (default)") <= 0) {
328 goto err;
329 }
330 BIO_puts(bp, "\n");
331
332 if (!BIO_indent(bp, indent, 128))
333 goto err;
334 if (BIO_puts(bp, "Trailer Field: 0x") <= 0)
335 goto err;
336 if (pss->trailerField) {
337 if (i2a_ASN1_INTEGER(bp, pss->trailerField) <= 0)
338 goto err;
339 } else if (BIO_puts(bp, "BC (default)") <= 0) {
340 goto err;
341 }
342 BIO_puts(bp, "\n");
343
344 rv = 1;
345
346 err:
347 X509_ALGOR_free(maskHash);
348 return rv;
349
350 }
351
352 static int pkey_rsa_print(BIO *bp, const EVP_PKEY *pkey, int off, int priv)
353 {
354 const RSA *x = pkey->pkey.rsa;
355 char *str;
356 const char *s;
357 int ret = 0, mod_len = 0, ex_primes;
358
359 if (x->n != NULL)
360 mod_len = BN_num_bits(x->n);
361 ex_primes = sk_RSA_PRIME_INFO_num(x->prime_infos);
362
363 if (!BIO_indent(bp, off, 128))
364 goto err;
365
366 if (BIO_printf(bp, "%s ", pkey_is_pss(pkey) ? "RSA-PSS" : "RSA") <= 0)
367 goto err;
368
369 if (priv && x->d) {
370 if (BIO_printf(bp, "Private-Key: (%d bit, %d primes)\n",
371 mod_len, ex_primes <= 0 ? 2 : ex_primes + 2) <= 0)
372 goto err;
373 str = "modulus:";
374 s = "publicExponent:";
375 } else {
376 if (BIO_printf(bp, "Public-Key: (%d bit)\n", mod_len) <= 0)
377 goto err;
378 str = "Modulus:";
379 s = "Exponent:";
380 }
381 if (!ASN1_bn_print(bp, str, x->n, NULL, off))
382 goto err;
383 if (!ASN1_bn_print(bp, s, x->e, NULL, off))
384 goto err;
385 if (priv) {
386 int i;
387
388 if (!ASN1_bn_print(bp, "privateExponent:", x->d, NULL, off))
389 goto err;
390 if (!ASN1_bn_print(bp, "prime1:", x->p, NULL, off))
391 goto err;
392 if (!ASN1_bn_print(bp, "prime2:", x->q, NULL, off))
393 goto err;
394 if (!ASN1_bn_print(bp, "exponent1:", x->dmp1, NULL, off))
395 goto err;
396 if (!ASN1_bn_print(bp, "exponent2:", x->dmq1, NULL, off))
397 goto err;
398 if (!ASN1_bn_print(bp, "coefficient:", x->iqmp, NULL, off))
399 goto err;
400 for (i = 0; i < sk_RSA_PRIME_INFO_num(x->prime_infos); i++) {
401 /* print multi-prime info */
402 BIGNUM *bn = NULL;
403 RSA_PRIME_INFO *pinfo;
404 int j;
405
406 pinfo = sk_RSA_PRIME_INFO_value(x->prime_infos, i);
407 for (j = 0; j < 3; j++) {
408 if (!BIO_indent(bp, off, 128))
409 goto err;
410 switch (j) {
411 case 0:
412 if (BIO_printf(bp, "prime%d:", i + 3) <= 0)
413 goto err;
414 bn = pinfo->r;
415 break;
416 case 1:
417 if (BIO_printf(bp, "exponent%d:", i + 3) <= 0)
418 goto err;
419 bn = pinfo->d;
420 break;
421 case 2:
422 if (BIO_printf(bp, "coefficient%d:", i + 3) <= 0)
423 goto err;
424 bn = pinfo->t;
425 break;
426 default:
427 break;
428 }
429 if (!ASN1_bn_print(bp, "", bn, NULL, off))
430 goto err;
431 }
432 }
433 }
434 if (pkey_is_pss(pkey) && !rsa_pss_param_print(bp, 1, x->pss, off))
435 goto err;
436 ret = 1;
437 err:
438 return ret;
439 }
440
441 static int rsa_pub_print(BIO *bp, const EVP_PKEY *pkey, int indent,
442 ASN1_PCTX *ctx)
443 {
444 return pkey_rsa_print(bp, pkey, indent, 0);
445 }
446
447 static int rsa_priv_print(BIO *bp, const EVP_PKEY *pkey, int indent,
448 ASN1_PCTX *ctx)
449 {
450 return pkey_rsa_print(bp, pkey, indent, 1);
451 }
452
453 static RSA_PSS_PARAMS *rsa_pss_decode(const X509_ALGOR *alg)
454 {
455 RSA_PSS_PARAMS *pss;
456
457 pss = ASN1_TYPE_unpack_sequence(ASN1_ITEM_rptr(RSA_PSS_PARAMS),
458 alg->parameter);
459
460 if (pss == NULL)
461 return NULL;
462
463 if (pss->maskGenAlgorithm != NULL) {
464 pss->maskHash = x509_algor_mgf1_decode(pss->maskGenAlgorithm);
465 if (pss->maskHash == NULL) {
466 RSA_PSS_PARAMS_free(pss);
467 return NULL;
468 }
469 }
470
471 return pss;
472 }
473
474 static int rsa_sig_print(BIO *bp, const X509_ALGOR *sigalg,
475 const ASN1_STRING *sig, int indent, ASN1_PCTX *pctx)
476 {
477 if (OBJ_obj2nid(sigalg->algorithm) == EVP_PKEY_RSA_PSS) {
478 int rv;
479 RSA_PSS_PARAMS *pss = rsa_pss_decode(sigalg);
480
481 rv = rsa_pss_param_print(bp, 0, pss, indent);
482 RSA_PSS_PARAMS_free(pss);
483 if (!rv)
484 return 0;
485 } else if (BIO_puts(bp, "\n") <= 0) {
486 return 0;
487 }
488 if (sig)
489 return X509_signature_dump(bp, sig, indent);
490 return 1;
491 }
492
493 static int rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
494 {
495 X509_ALGOR *alg = NULL;
496 const EVP_MD *md;
497 const EVP_MD *mgf1md;
498 int min_saltlen;
499
500 switch (op) {
501
502 case ASN1_PKEY_CTRL_PKCS7_SIGN:
503 if (arg1 == 0)
504 PKCS7_SIGNER_INFO_get0_algs(arg2, NULL, NULL, &alg);
505 break;
506
507 case ASN1_PKEY_CTRL_PKCS7_ENCRYPT:
508 if (pkey_is_pss(pkey))
509 return -2;
510 if (arg1 == 0)
511 PKCS7_RECIP_INFO_get0_alg(arg2, &alg);
512 break;
513 #ifndef OPENSSL_NO_CMS
514 case ASN1_PKEY_CTRL_CMS_SIGN:
515 if (arg1 == 0)
516 return rsa_cms_sign(arg2);
517 else if (arg1 == 1)
518 return rsa_cms_verify(arg2);
519 break;
520
521 case ASN1_PKEY_CTRL_CMS_RI_TYPE:
522 if (pkey_is_pss(pkey))
523 return -2;
524 *(int *)arg2 = CMS_RECIPINFO_TRANS;
525 return 1;
526 #endif
527
528 case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
529 if (pkey->pkey.rsa->pss != NULL) {
530 if (!rsa_pss_get_param(pkey->pkey.rsa->pss, &md, &mgf1md,
531 &min_saltlen)) {
532 RSAerr(0, ERR_R_INTERNAL_ERROR);
533 return 0;
534 }
535 *(int *)arg2 = EVP_MD_type(md);
536 /* Return of 2 indicates this MD is mandatory */
537 return 2;
538 }
539 *(int *)arg2 = NID_sha256;
540 return 1;
541
542 default:
543 return -2;
544
545 }
546
547 if (alg)
548 X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption), V_ASN1_NULL, 0);
549
550 return 1;
551
552 }
553
554 /*
555 * Convert EVP_PKEY_CTX in PSS mode into corresponding algorithm parameter,
556 * suitable for setting an AlgorithmIdentifier.
557 */
558
559 static RSA_PSS_PARAMS *rsa_ctx_to_pss(EVP_PKEY_CTX *pkctx)
560 {
561 const EVP_MD *sigmd, *mgf1md;
562 EVP_PKEY *pk = EVP_PKEY_CTX_get0_pkey(pkctx);
563 RSA *rsa = EVP_PKEY_get0_RSA(pk);
564 int saltlen;
565
566 if (EVP_PKEY_CTX_get_signature_md(pkctx, &sigmd) <= 0)
567 return NULL;
568 if (EVP_PKEY_CTX_get_rsa_mgf1_md(pkctx, &mgf1md) <= 0)
569 return NULL;
570 if (!EVP_PKEY_CTX_get_rsa_pss_saltlen(pkctx, &saltlen))
571 return NULL;
572 if (saltlen == -1) {
573 saltlen = EVP_MD_size(sigmd);
574 } else if (saltlen == -2 || saltlen == -3) {
575 saltlen = RSA_size(rsa) - EVP_MD_size(sigmd) - 2;
576 if ((EVP_PKEY_bits(pk) & 0x7) == 1)
577 saltlen--;
578 if (saltlen < 0)
579 return NULL;
580 }
581
582 return rsa_pss_params_create(sigmd, mgf1md, saltlen);
583 }
584
585 RSA_PSS_PARAMS *rsa_pss_params_create(const EVP_MD *sigmd,
586 const EVP_MD *mgf1md, int saltlen)
587 {
588 RSA_PSS_PARAMS *pss = RSA_PSS_PARAMS_new();
589
590 if (pss == NULL)
591 goto err;
592 if (saltlen != 20) {
593 pss->saltLength = ASN1_INTEGER_new();
594 if (pss->saltLength == NULL)
595 goto err;
596 if (!ASN1_INTEGER_set(pss->saltLength, saltlen))
597 goto err;
598 }
599 if (!x509_algor_new_from_md(&pss->hashAlgorithm, sigmd))
600 goto err;
601 if (mgf1md == NULL)
602 mgf1md = sigmd;
603 if (!x509_algor_md_to_mgf1(&pss->maskGenAlgorithm, mgf1md))
604 goto err;
605 if (!x509_algor_new_from_md(&pss->maskHash, mgf1md))
606 goto err;
607 return pss;
608 err:
609 RSA_PSS_PARAMS_free(pss);
610 return NULL;
611 }
612
613 static ASN1_STRING *rsa_ctx_to_pss_string(EVP_PKEY_CTX *pkctx)
614 {
615 RSA_PSS_PARAMS *pss = rsa_ctx_to_pss(pkctx);
616 ASN1_STRING *os;
617
618 if (pss == NULL)
619 return NULL;
620
621 os = ASN1_item_pack(pss, ASN1_ITEM_rptr(RSA_PSS_PARAMS), NULL);
622 RSA_PSS_PARAMS_free(pss);
623 return os;
624 }
625
626 /*
627 * From PSS AlgorithmIdentifier set public key parameters. If pkey isn't NULL
628 * then the EVP_MD_CTX is setup and initialised. If it is NULL parameters are
629 * passed to pkctx instead.
630 */
631
632 static int rsa_pss_to_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pkctx,
633 const X509_ALGOR *sigalg, EVP_PKEY *pkey)
634 {
635 int rv = -1;
636 int saltlen;
637 const EVP_MD *mgf1md = NULL, *md = NULL;
638 RSA_PSS_PARAMS *pss;
639
640 /* Sanity check: make sure it is PSS */
641 if (OBJ_obj2nid(sigalg->algorithm) != EVP_PKEY_RSA_PSS) {
642 RSAerr(RSA_F_RSA_PSS_TO_CTX, RSA_R_UNSUPPORTED_SIGNATURE_TYPE);
643 return -1;
644 }
645 /* Decode PSS parameters */
646 pss = rsa_pss_decode(sigalg);
647
648 if (!rsa_pss_get_param(pss, &md, &mgf1md, &saltlen)) {
649 RSAerr(RSA_F_RSA_PSS_TO_CTX, RSA_R_INVALID_PSS_PARAMETERS);
650 goto err;
651 }
652
653 /* We have all parameters now set up context */
654 if (pkey) {
655 if (!EVP_DigestVerifyInit(ctx, &pkctx, md, NULL, pkey))
656 goto err;
657 } else {
658 const EVP_MD *checkmd;
659 if (EVP_PKEY_CTX_get_signature_md(pkctx, &checkmd) <= 0)
660 goto err;
661 if (EVP_MD_type(md) != EVP_MD_type(checkmd)) {
662 RSAerr(RSA_F_RSA_PSS_TO_CTX, RSA_R_DIGEST_DOES_NOT_MATCH);
663 goto err;
664 }
665 }
666
667 if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_PSS_PADDING) <= 0)
668 goto err;
669
670 if (EVP_PKEY_CTX_set_rsa_pss_saltlen(pkctx, saltlen) <= 0)
671 goto err;
672
673 if (EVP_PKEY_CTX_set_rsa_mgf1_md(pkctx, mgf1md) <= 0)
674 goto err;
675 /* Carry on */
676 rv = 1;
677
678 err:
679 RSA_PSS_PARAMS_free(pss);
680 return rv;
681 }
682
683 static int rsa_pss_verify_param(const EVP_MD **pmd, const EVP_MD **pmgf1md,
684 int *psaltlen, int *ptrailerField)
685 {
686 if (psaltlen != NULL && *psaltlen < 0) {
687 ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_SALT_LENGTH);
688 return 0;
689 }
690 /*
691 * low-level routines support only trailer field 0xbc (value 1) and
692 * PKCS#1 says we should reject any other value anyway.
693 */
694 if (ptrailerField != NULL && *ptrailerField != 1) {
695 ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_TRAILER);
696 return 0;
697 }
698 return 1;
699 }
700
701 static int rsa_pss_get_param_unverified(const RSA_PSS_PARAMS *pss,
702 const EVP_MD **pmd,
703 const EVP_MD **pmgf1md,
704 int *psaltlen, int *ptrailerField)
705 {
706 RSA_PSS_PARAMS_30 pss_params;
707
708 /* Get the defaults from the ONE place */
709 (void)ossl_rsa_pss_params_30_set_defaults(&pss_params);
710
711 if (pss == NULL)
712 return 0;
713 *pmd = x509_algor_get_md(pss->hashAlgorithm);
714 if (*pmd == NULL)
715 return 0;
716 *pmgf1md = x509_algor_get_md(pss->maskHash);
717 if (*pmgf1md == NULL)
718 return 0;
719 if (pss->saltLength)
720 *psaltlen = ASN1_INTEGER_get(pss->saltLength);
721 else
722 *psaltlen = ossl_rsa_pss_params_30_saltlen(&pss_params);
723 if (pss->trailerField)
724 *ptrailerField = ASN1_INTEGER_get(pss->trailerField);
725 else
726 *ptrailerField = ossl_rsa_pss_params_30_trailerfield(&pss_params);;
727
728 return 1;
729 }
730
731 int rsa_pss_get_param(const RSA_PSS_PARAMS *pss, const EVP_MD **pmd,
732 const EVP_MD **pmgf1md, int *psaltlen)
733 {
734 /*
735 * Callers do not care about the trailer field, and yet, we must
736 * pass it from get_param to verify_param, since the latter checks
737 * its value.
738 *
739 * When callers start caring, it's a simple thing to add another
740 * argument to this function.
741 */
742 int trailerField = 0;
743
744 return rsa_pss_get_param_unverified(pss, pmd, pmgf1md, psaltlen,
745 &trailerField)
746 && rsa_pss_verify_param(pmd, pmgf1md, psaltlen, &trailerField);
747 }
748
749 static int rsa_sync_to_pss_params_30(RSA *rsa)
750 {
751 if (rsa != NULL && rsa->pss != NULL) {
752 const EVP_MD *md = NULL, *mgf1md = NULL;
753 int md_nid, mgf1md_nid, saltlen, trailerField;
754 RSA_PSS_PARAMS_30 pss_params;
755
756 /*
757 * We don't care about the validity of the fields here, we just
758 * want to synchronise values. Verifying here makes it impossible
759 * to even read a key with invalid values, making it hard to test
760 * a bad situation.
761 *
762 * Other routines use rsa_pss_get_param(), so the values will be
763 * checked, eventually.
764 */
765 if (!rsa_pss_get_param_unverified(rsa->pss, &md, &mgf1md,
766 &saltlen, &trailerField))
767 return 0;
768 md_nid = EVP_MD_type(md);
769 mgf1md_nid = EVP_MD_type(mgf1md);
770 if (!ossl_rsa_pss_params_30_set_defaults(&pss_params)
771 || !ossl_rsa_pss_params_30_set_hashalg(&pss_params, md_nid)
772 || !ossl_rsa_pss_params_30_set_maskgenhashalg(&pss_params,
773 mgf1md_nid)
774 || !ossl_rsa_pss_params_30_set_saltlen(&pss_params, saltlen)
775 || !ossl_rsa_pss_params_30_set_trailerfield(&pss_params,
776 trailerField))
777 return 0;
778 rsa->pss_params = pss_params;
779 }
780 return 1;
781 }
782
783 #ifndef OPENSSL_NO_CMS
784 static int rsa_cms_verify(CMS_SignerInfo *si)
785 {
786 int nid, nid2;
787 X509_ALGOR *alg;
788 EVP_PKEY_CTX *pkctx = CMS_SignerInfo_get0_pkey_ctx(si);
789
790 CMS_SignerInfo_get0_algs(si, NULL, NULL, NULL, &alg);
791 nid = OBJ_obj2nid(alg->algorithm);
792 if (nid == EVP_PKEY_RSA_PSS)
793 return rsa_pss_to_ctx(NULL, pkctx, alg, NULL);
794 /* Only PSS allowed for PSS keys */
795 if (pkey_ctx_is_pss(pkctx)) {
796 RSAerr(RSA_F_RSA_CMS_VERIFY, RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
797 return 0;
798 }
799 if (nid == NID_rsaEncryption)
800 return 1;
801 /* Workaround for some implementation that use a signature OID */
802 if (OBJ_find_sigid_algs(nid, NULL, &nid2)) {
803 if (nid2 == NID_rsaEncryption)
804 return 1;
805 }
806 return 0;
807 }
808 #endif
809
810 /*
811 * Customised RSA item verification routine. This is called when a signature
812 * is encountered requiring special handling. We currently only handle PSS.
813 */
814
815 static int rsa_item_verify(EVP_MD_CTX *ctx, const ASN1_ITEM *it,
816 const void *asn, const X509_ALGOR *sigalg,
817 const ASN1_BIT_STRING *sig, EVP_PKEY *pkey)
818 {
819 /* Sanity check: make sure it is PSS */
820 if (OBJ_obj2nid(sigalg->algorithm) != EVP_PKEY_RSA_PSS) {
821 RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_UNSUPPORTED_SIGNATURE_TYPE);
822 return -1;
823 }
824 if (rsa_pss_to_ctx(ctx, NULL, sigalg, pkey) > 0) {
825 /* Carry on */
826 return 2;
827 }
828 return -1;
829 }
830
831 #ifndef OPENSSL_NO_CMS
832 static int rsa_cms_sign(CMS_SignerInfo *si)
833 {
834 int pad_mode = RSA_PKCS1_PADDING;
835 X509_ALGOR *alg;
836 EVP_PKEY_CTX *pkctx = CMS_SignerInfo_get0_pkey_ctx(si);
837 ASN1_STRING *os = NULL;
838
839 CMS_SignerInfo_get0_algs(si, NULL, NULL, NULL, &alg);
840 if (pkctx) {
841 if (EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode) <= 0)
842 return 0;
843 }
844 if (pad_mode == RSA_PKCS1_PADDING) {
845 X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption), V_ASN1_NULL, 0);
846 return 1;
847 }
848 /* We don't support it */
849 if (pad_mode != RSA_PKCS1_PSS_PADDING)
850 return 0;
851 os = rsa_ctx_to_pss_string(pkctx);
852 if (!os)
853 return 0;
854 X509_ALGOR_set0(alg, OBJ_nid2obj(EVP_PKEY_RSA_PSS), V_ASN1_SEQUENCE, os);
855 return 1;
856 }
857 #endif
858
859 static int rsa_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, const void *asn,
860 X509_ALGOR *alg1, X509_ALGOR *alg2,
861 ASN1_BIT_STRING *sig)
862 {
863 int pad_mode;
864 EVP_PKEY_CTX *pkctx = EVP_MD_CTX_pkey_ctx(ctx);
865
866 if (EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode) <= 0)
867 return 0;
868 if (pad_mode == RSA_PKCS1_PADDING)
869 return 2;
870 if (pad_mode == RSA_PKCS1_PSS_PADDING) {
871 ASN1_STRING *os1 = NULL;
872 os1 = rsa_ctx_to_pss_string(pkctx);
873 if (!os1)
874 return 0;
875 /* Duplicate parameters if we have to */
876 if (alg2) {
877 ASN1_STRING *os2 = ASN1_STRING_dup(os1);
878 if (!os2) {
879 ASN1_STRING_free(os1);
880 return 0;
881 }
882 X509_ALGOR_set0(alg2, OBJ_nid2obj(EVP_PKEY_RSA_PSS),
883 V_ASN1_SEQUENCE, os2);
884 }
885 X509_ALGOR_set0(alg1, OBJ_nid2obj(EVP_PKEY_RSA_PSS),
886 V_ASN1_SEQUENCE, os1);
887 return 3;
888 }
889 return 2;
890 }
891
892 static int rsa_sig_info_set(X509_SIG_INFO *siginf, const X509_ALGOR *sigalg,
893 const ASN1_STRING *sig)
894 {
895 int rv = 0;
896 int mdnid, saltlen;
897 uint32_t flags;
898 const EVP_MD *mgf1md = NULL, *md = NULL;
899 RSA_PSS_PARAMS *pss;
900 int secbits;
901
902 /* Sanity check: make sure it is PSS */
903 if (OBJ_obj2nid(sigalg->algorithm) != EVP_PKEY_RSA_PSS)
904 return 0;
905 /* Decode PSS parameters */
906 pss = rsa_pss_decode(sigalg);
907 if (!rsa_pss_get_param(pss, &md, &mgf1md, &saltlen))
908 goto err;
909 mdnid = EVP_MD_type(md);
910 /*
911 * For TLS need SHA256, SHA384 or SHA512, digest and MGF1 digest must
912 * match and salt length must equal digest size
913 */
914 if ((mdnid == NID_sha256 || mdnid == NID_sha384 || mdnid == NID_sha512)
915 && mdnid == EVP_MD_type(mgf1md) && saltlen == EVP_MD_size(md))
916 flags = X509_SIG_INFO_TLS;
917 else
918 flags = 0;
919 /* Note: security bits half number of digest bits */
920 secbits = EVP_MD_size(md) * 4;
921 /*
922 * SHA1 and MD5 are known to be broken. Reduce security bits so that
923 * they're no longer accepted at security level 1. The real values don't
924 * really matter as long as they're lower than 80, which is our security
925 * level 1.
926 * https://eprint.iacr.org/2020/014 puts a chosen-prefix attack for SHA1 at
927 * 2^63.4
928 * https://documents.epfl.ch/users/l/le/lenstra/public/papers/lat.pdf
929 * puts a chosen-prefix attack for MD5 at 2^39.
930 */
931 if (mdnid == NID_sha1)
932 secbits = 64;
933 else if (mdnid == NID_md5_sha1)
934 secbits = 68;
935 else if (mdnid == NID_md5)
936 secbits = 39;
937 X509_SIG_INFO_set(siginf, mdnid, EVP_PKEY_RSA_PSS, secbits,
938 flags);
939 rv = 1;
940 err:
941 RSA_PSS_PARAMS_free(pss);
942 return rv;
943 }
944
945 static int rsa_pkey_check(const EVP_PKEY *pkey)
946 {
947 return RSA_check_key_ex(pkey->pkey.rsa, NULL);
948 }
949
950 static size_t rsa_pkey_dirty_cnt(const EVP_PKEY *pkey)
951 {
952 return pkey->pkey.rsa->dirty_cnt;
953 }
954
955 /*
956 * For the moment, we trust the call path, where keys going through
957 * rsa_pkey_export_to() match a KEYMGMT for the "RSA" keytype, while
958 * keys going through rsa_pss_pkey_export_to() match a KEYMGMT for the
959 * "RSA-PSS" keytype.
960 * TODO(3.0) Investigate whether we should simply continue to trust the
961 * call path, or if we should strengthen this function by checking that
962 * |rsa_type| matches the RSA key subtype. The latter requires ensuring
963 * that the type flag for the RSA key is properly set by other functions
964 * in this file.
965 */
966 static int rsa_int_export_to(const EVP_PKEY *from, int rsa_type,
967 void *to_keydata, EVP_KEYMGMT *to_keymgmt,
968 OPENSSL_CTX *libctx, const char *propq)
969 {
970 RSA *rsa = from->pkey.rsa;
971 OSSL_PARAM_BLD *tmpl = OSSL_PARAM_BLD_new();
972 OSSL_PARAM *params = NULL;
973 int selection = 0;
974 int rv = 0;
975
976 if (tmpl == NULL)
977 return 0;
978 /*
979 * If the RSA method is foreign, then we can't be sure of anything, and
980 * can therefore not export or pretend to export.
981 */
982 if (RSA_get_method(rsa) != RSA_PKCS1_OpenSSL())
983 goto err;
984
985 /* Public parameters must always be present */
986 if (RSA_get0_n(rsa) == NULL || RSA_get0_e(rsa) == NULL)
987 goto err;
988
989 if (!ossl_rsa_todata(rsa, tmpl, NULL))
990 goto err;
991
992 selection |= OSSL_KEYMGMT_SELECT_PUBLIC_KEY;
993 if (RSA_get0_d(rsa) != NULL)
994 selection |= OSSL_KEYMGMT_SELECT_PRIVATE_KEY;
995
996 if (rsa->pss != NULL) {
997 const EVP_MD *md = NULL, *mgf1md = NULL;
998 int md_nid, mgf1md_nid, saltlen, trailerfield;
999 RSA_PSS_PARAMS_30 pss_params;
1000
1001 if (!rsa_pss_get_param_unverified(rsa->pss, &md, &mgf1md,
1002 &saltlen, &trailerfield))
1003 goto err;
1004 md_nid = EVP_MD_type(md);
1005 mgf1md_nid = EVP_MD_type(mgf1md);
1006 if (!ossl_rsa_pss_params_30_set_defaults(&pss_params)
1007 || !ossl_rsa_pss_params_30_set_hashalg(&pss_params, md_nid)
1008 || !ossl_rsa_pss_params_30_set_maskgenhashalg(&pss_params,
1009 mgf1md_nid)
1010 || !ossl_rsa_pss_params_30_set_saltlen(&pss_params, saltlen)
1011 || !ossl_rsa_pss_params_30_todata(&pss_params, tmpl, NULL))
1012 goto err;
1013 selection |= OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS;
1014 }
1015
1016 if ((params = OSSL_PARAM_BLD_to_param(tmpl)) == NULL)
1017 goto err;
1018
1019 /* We export, the provider imports */
1020 rv = evp_keymgmt_import(to_keymgmt, to_keydata, selection, params);
1021
1022 err:
1023 OSSL_PARAM_BLD_free_params(params);
1024 OSSL_PARAM_BLD_free(tmpl);
1025 return rv;
1026 }
1027
1028 static int rsa_int_import_from(const OSSL_PARAM params[], void *vpctx,
1029 int rsa_type)
1030 {
1031 EVP_PKEY_CTX *pctx = vpctx;
1032 EVP_PKEY *pkey = EVP_PKEY_CTX_get0_pkey(pctx);
1033 RSA *rsa = ossl_rsa_new_with_ctx(pctx->libctx);
1034 RSA_PSS_PARAMS_30 rsa_pss_params = { 0, };
1035 int ok = 0;
1036
1037 if (rsa == NULL) {
1038 ERR_raise(ERR_LIB_DH, ERR_R_MALLOC_FAILURE);
1039 return 0;
1040 }
1041
1042 RSA_clear_flags(rsa, RSA_FLAG_TYPE_MASK);
1043 RSA_set_flags(rsa, rsa_type);
1044
1045 if (!ossl_rsa_pss_params_30_fromdata(&rsa_pss_params, params, pctx->libctx))
1046 goto err;
1047
1048 switch (rsa_type) {
1049 case RSA_FLAG_TYPE_RSA:
1050 /*
1051 * Were PSS parameters filled in?
1052 * In that case, something's wrong
1053 */
1054 if (!ossl_rsa_pss_params_30_is_unrestricted(&rsa_pss_params))
1055 goto err;
1056 break;
1057 case RSA_FLAG_TYPE_RSASSAPSS:
1058 /*
1059 * Were PSS parameters filled in? In that case, create the old
1060 * RSA_PSS_PARAMS structure. Otherwise, this is an unrestricted key.
1061 */
1062 if (!ossl_rsa_pss_params_30_is_unrestricted(&rsa_pss_params)) {
1063 /* Create the older RSA_PSS_PARAMS from RSA_PSS_PARAMS_30 data */
1064 int mdnid = ossl_rsa_pss_params_30_hashalg(&rsa_pss_params);
1065 int mgf1mdnid = ossl_rsa_pss_params_30_maskgenhashalg(&rsa_pss_params);
1066 int saltlen = ossl_rsa_pss_params_30_saltlen(&rsa_pss_params);
1067 const EVP_MD *md = EVP_get_digestbynid(mdnid);
1068 const EVP_MD *mgf1md = EVP_get_digestbynid(mgf1mdnid);
1069
1070 if ((rsa->pss = rsa_pss_params_create(md, mgf1md, saltlen)) == NULL)
1071 goto err;
1072 }
1073 break;
1074 default:
1075 /* RSA key sub-types we don't know how to handle yet */
1076 goto err;
1077 }
1078
1079 if (!ossl_rsa_fromdata(rsa, params))
1080 goto err;
1081
1082 switch (rsa_type) {
1083 case RSA_FLAG_TYPE_RSA:
1084 ok = EVP_PKEY_assign_RSA(pkey, rsa);
1085 break;
1086 case RSA_FLAG_TYPE_RSASSAPSS:
1087 ok = EVP_PKEY_assign(pkey, EVP_PKEY_RSA_PSS, rsa);
1088 break;
1089 }
1090
1091 err:
1092 if (!ok)
1093 RSA_free(rsa);
1094 return ok;
1095 }
1096
1097 static int rsa_pkey_export_to(const EVP_PKEY *from, void *to_keydata,
1098 EVP_KEYMGMT *to_keymgmt, OPENSSL_CTX *libctx,
1099 const char *propq)
1100 {
1101 return rsa_int_export_to(from, RSA_FLAG_TYPE_RSA, to_keydata,
1102 to_keymgmt, libctx, propq);
1103 }
1104
1105 static int rsa_pss_pkey_export_to(const EVP_PKEY *from, void *to_keydata,
1106 EVP_KEYMGMT *to_keymgmt, OPENSSL_CTX *libctx,
1107 const char *propq)
1108 {
1109 return rsa_int_export_to(from, RSA_FLAG_TYPE_RSASSAPSS, to_keydata,
1110 to_keymgmt, libctx, propq);
1111 }
1112
1113 static int rsa_pkey_import_from(const OSSL_PARAM params[], void *vpctx)
1114 {
1115 return rsa_int_import_from(params, vpctx, RSA_FLAG_TYPE_RSA);
1116 }
1117
1118 static int rsa_pss_pkey_import_from(const OSSL_PARAM params[], void *vpctx)
1119 {
1120 return rsa_int_import_from(params, vpctx, RSA_FLAG_TYPE_RSASSAPSS);
1121 }
1122
1123 const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[2] = {
1124 {
1125 EVP_PKEY_RSA,
1126 EVP_PKEY_RSA,
1127 ASN1_PKEY_SIGPARAM_NULL,
1128
1129 "RSA",
1130 "OpenSSL RSA method",
1131
1132 rsa_pub_decode,
1133 rsa_pub_encode,
1134 rsa_pub_cmp,
1135 rsa_pub_print,
1136
1137 rsa_priv_decode,
1138 rsa_priv_encode,
1139 rsa_priv_print,
1140
1141 int_rsa_size,
1142 rsa_bits,
1143 rsa_security_bits,
1144
1145 0, 0, 0, 0, 0, 0,
1146
1147 rsa_sig_print,
1148 int_rsa_free,
1149 rsa_pkey_ctrl,
1150 old_rsa_priv_decode,
1151 old_rsa_priv_encode,
1152 rsa_item_verify,
1153 rsa_item_sign,
1154 rsa_sig_info_set,
1155 rsa_pkey_check,
1156
1157 0, 0,
1158 0, 0, 0, 0,
1159
1160 rsa_pkey_dirty_cnt,
1161 rsa_pkey_export_to,
1162 rsa_pkey_import_from
1163 },
1164
1165 {
1166 EVP_PKEY_RSA2,
1167 EVP_PKEY_RSA,
1168 ASN1_PKEY_ALIAS}
1169 };
1170
1171 const EVP_PKEY_ASN1_METHOD rsa_pss_asn1_meth = {
1172 EVP_PKEY_RSA_PSS,
1173 EVP_PKEY_RSA_PSS,
1174 ASN1_PKEY_SIGPARAM_NULL,
1175
1176 "RSA-PSS",
1177 "OpenSSL RSA-PSS method",
1178
1179 rsa_pub_decode,
1180 rsa_pub_encode,
1181 rsa_pub_cmp,
1182 rsa_pub_print,
1183
1184 rsa_priv_decode,
1185 rsa_priv_encode,
1186 rsa_priv_print,
1187
1188 int_rsa_size,
1189 rsa_bits,
1190 rsa_security_bits,
1191
1192 0, 0, 0, 0, 0, 0,
1193
1194 rsa_sig_print,
1195 int_rsa_free,
1196 rsa_pkey_ctrl,
1197 0, 0,
1198 rsa_item_verify,
1199 rsa_item_sign,
1200 0,
1201 rsa_pkey_check,
1202
1203 0, 0,
1204 0, 0, 0, 0,
1205
1206 rsa_pkey_dirty_cnt,
1207 rsa_pss_pkey_export_to,
1208 rsa_pss_pkey_import_from
1209 };
A mirror of the official openssl repository