4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
23 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
27 * RSA provider for the Kernel Cryptographic Framework (KCF)
30 #include <sys/types.h>
31 #include <sys/systm.h>
32 #include <sys/modctl.h>
33 #include <sys/cmn_err.h>
35 #include <sys/crypto/spi.h>
36 #include <sys/sysmacros.h>
37 #include <sys/strsun.h>
42 #include <sys/random.h>
43 #include <sys/crypto/impl.h>
44 #include <sha1/sha1_impl.h>
45 #include <sha2/sha2_impl.h>
46 #include <padding/padding.h>
47 #include <rsa/rsa_impl.h>
49 extern struct mod_ops mod_cryptoops
;
52 * Module linkage information for the kernel.
54 static struct modlcrypto modlcrypto
= {
56 "RSA Kernel SW Provider"
59 static struct modlinkage modlinkage
= {
66 * CSPI information (entry points, provider info, etc.)
68 typedef enum rsa_mech_type
{
69 RSA_PKCS_MECH_INFO_TYPE
, /* SUN_CKM_RSA_PKCS */
70 RSA_X_509_MECH_INFO_TYPE
, /* SUN_CKM_RSA_X_509 */
71 MD5_RSA_PKCS_MECH_INFO_TYPE
, /* SUN_MD5_RSA_PKCS */
72 SHA1_RSA_PKCS_MECH_INFO_TYPE
, /* SUN_SHA1_RSA_PKCS */
73 SHA256_RSA_PKCS_MECH_INFO_TYPE
, /* SUN_SHA256_RSA_PKCS */
74 SHA384_RSA_PKCS_MECH_INFO_TYPE
, /* SUN_SHA384_RSA_PKCS */
75 SHA512_RSA_PKCS_MECH_INFO_TYPE
/* SUN_SHA512_RSA_PKCS */
79 * Context for RSA_PKCS and RSA_X_509 mechanisms.
81 typedef struct rsa_ctx
{
82 rsa_mech_type_t mech_type
;
88 * Context for MD5_RSA_PKCS and SHA*_RSA_PKCS mechanisms.
90 typedef struct digest_rsa_ctx
{
91 rsa_mech_type_t mech_type
;
101 #define md5_ctx dctx_u.md5ctx
102 #define sha1_ctx dctx_u.sha1ctx
103 #define sha2_ctx dctx_u.sha2ctx
106 * Mechanism info structure passed to KCF during registration.
108 static crypto_mech_info_t rsa_mech_info_tab
[] = {
110 {SUN_CKM_RSA_PKCS
, RSA_PKCS_MECH_INFO_TYPE
,
111 CRYPTO_FG_ENCRYPT
| CRYPTO_FG_ENCRYPT_ATOMIC
|
112 CRYPTO_FG_DECRYPT
| CRYPTO_FG_DECRYPT_ATOMIC
|
113 CRYPTO_FG_SIGN
| CRYPTO_FG_SIGN_ATOMIC
|
114 CRYPTO_FG_VERIFY
| CRYPTO_FG_VERIFY_ATOMIC
|
115 CRYPTO_FG_SIGN_RECOVER
| CRYPTO_FG_SIGN_RECOVER_ATOMIC
|
116 CRYPTO_FG_VERIFY_RECOVER
| CRYPTO_FG_VERIFY_RECOVER_ATOMIC
,
117 RSA_MIN_KEY_LEN
, RSA_MAX_KEY_LEN
, CRYPTO_KEYSIZE_UNIT_IN_BITS
},
120 {SUN_CKM_RSA_X_509
, RSA_X_509_MECH_INFO_TYPE
,
121 CRYPTO_FG_ENCRYPT
| CRYPTO_FG_ENCRYPT_ATOMIC
|
122 CRYPTO_FG_DECRYPT
| CRYPTO_FG_DECRYPT_ATOMIC
|
123 CRYPTO_FG_SIGN
| CRYPTO_FG_SIGN_ATOMIC
|
124 CRYPTO_FG_VERIFY
| CRYPTO_FG_VERIFY_ATOMIC
|
125 CRYPTO_FG_SIGN_RECOVER
| CRYPTO_FG_SIGN_RECOVER_ATOMIC
|
126 CRYPTO_FG_VERIFY_RECOVER
| CRYPTO_FG_VERIFY_RECOVER_ATOMIC
,
127 RSA_MIN_KEY_LEN
, RSA_MAX_KEY_LEN
, CRYPTO_KEYSIZE_UNIT_IN_BITS
},
130 {SUN_CKM_MD5_RSA_PKCS
, MD5_RSA_PKCS_MECH_INFO_TYPE
,
131 CRYPTO_FG_SIGN
| CRYPTO_FG_SIGN_ATOMIC
|
132 CRYPTO_FG_VERIFY
| CRYPTO_FG_VERIFY_ATOMIC
,
133 RSA_MIN_KEY_LEN
, RSA_MAX_KEY_LEN
, CRYPTO_KEYSIZE_UNIT_IN_BITS
},
136 {SUN_CKM_SHA1_RSA_PKCS
, SHA1_RSA_PKCS_MECH_INFO_TYPE
,
137 CRYPTO_FG_SIGN
| CRYPTO_FG_SIGN_ATOMIC
|
138 CRYPTO_FG_VERIFY
| CRYPTO_FG_VERIFY_ATOMIC
,
139 RSA_MIN_KEY_LEN
, RSA_MAX_KEY_LEN
, CRYPTO_KEYSIZE_UNIT_IN_BITS
},
141 /* SHA256_RSA_PKCS */
142 {SUN_CKM_SHA256_RSA_PKCS
, SHA256_RSA_PKCS_MECH_INFO_TYPE
,
143 CRYPTO_FG_SIGN
| CRYPTO_FG_SIGN_ATOMIC
|
144 CRYPTO_FG_VERIFY
| CRYPTO_FG_VERIFY_ATOMIC
,
145 RSA_MIN_KEY_LEN
, RSA_MAX_KEY_LEN
, CRYPTO_KEYSIZE_UNIT_IN_BITS
},
147 /* SHA384_RSA_PKCS */
148 {SUN_CKM_SHA384_RSA_PKCS
, SHA384_RSA_PKCS_MECH_INFO_TYPE
,
149 CRYPTO_FG_SIGN
| CRYPTO_FG_SIGN_ATOMIC
|
150 CRYPTO_FG_VERIFY
| CRYPTO_FG_VERIFY_ATOMIC
,
151 RSA_MIN_KEY_LEN
, RSA_MAX_KEY_LEN
, CRYPTO_KEYSIZE_UNIT_IN_BITS
},
153 /* SHA512_RSA_PKCS */
154 {SUN_CKM_SHA512_RSA_PKCS
, SHA512_RSA_PKCS_MECH_INFO_TYPE
,
155 CRYPTO_FG_SIGN
| CRYPTO_FG_SIGN_ATOMIC
|
156 CRYPTO_FG_VERIFY
| CRYPTO_FG_VERIFY_ATOMIC
,
157 RSA_MIN_KEY_LEN
, RSA_MAX_KEY_LEN
, CRYPTO_KEYSIZE_UNIT_IN_BITS
}
161 #define RSA_VALID_MECH(mech) \
162 (((mech)->cm_type == RSA_PKCS_MECH_INFO_TYPE || \
163 (mech)->cm_type == RSA_X_509_MECH_INFO_TYPE || \
164 (mech)->cm_type == MD5_RSA_PKCS_MECH_INFO_TYPE || \
165 (mech)->cm_type == SHA1_RSA_PKCS_MECH_INFO_TYPE || \
166 (mech)->cm_type == SHA256_RSA_PKCS_MECH_INFO_TYPE || \
167 (mech)->cm_type == SHA384_RSA_PKCS_MECH_INFO_TYPE || \
168 (mech)->cm_type == SHA512_RSA_PKCS_MECH_INFO_TYPE) ? 1 : 0)
170 /* operations are in-place if the output buffer is NULL */
171 #define RSA_ARG_INPLACE(input, output) \
172 if ((output) == NULL) \
175 static void rsa_provider_status(crypto_provider_handle_t
, uint_t
*);
177 static crypto_control_ops_t rsa_control_ops
= {
181 static int rsa_common_init(crypto_ctx_t
*, crypto_mechanism_t
*,
182 crypto_key_t
*, crypto_spi_ctx_template_t
, crypto_req_handle_t
);
183 static int rsaprov_encrypt(crypto_ctx_t
*, crypto_data_t
*, crypto_data_t
*,
184 crypto_req_handle_t
);
185 static int rsa_encrypt_atomic(crypto_provider_handle_t
, crypto_session_id_t
,
186 crypto_mechanism_t
*, crypto_key_t
*, crypto_data_t
*,
187 crypto_data_t
*, crypto_spi_ctx_template_t
, crypto_req_handle_t
);
188 static int rsaprov_decrypt(crypto_ctx_t
*, crypto_data_t
*, crypto_data_t
*,
189 crypto_req_handle_t
);
190 static int rsa_decrypt_atomic(crypto_provider_handle_t
, crypto_session_id_t
,
191 crypto_mechanism_t
*, crypto_key_t
*, crypto_data_t
*,
192 crypto_data_t
*, crypto_spi_ctx_template_t
, crypto_req_handle_t
);
195 * The RSA mechanisms do not have multiple-part cipher operations.
196 * So, the update and final routines are set to NULL.
198 static crypto_cipher_ops_t rsa_cipher_ops
= {
211 static int rsa_sign_verify_common_init(crypto_ctx_t
*, crypto_mechanism_t
*,
212 crypto_key_t
*, crypto_spi_ctx_template_t
, crypto_req_handle_t
);
213 static int rsaprov_sign(crypto_ctx_t
*, crypto_data_t
*, crypto_data_t
*,
214 crypto_req_handle_t
);
215 static int rsa_sign_update(crypto_ctx_t
*, crypto_data_t
*,
216 crypto_req_handle_t
);
217 static int rsa_sign_final(crypto_ctx_t
*, crypto_data_t
*,
218 crypto_req_handle_t
);
219 static int rsa_sign_atomic(crypto_provider_handle_t
, crypto_session_id_t
,
220 crypto_mechanism_t
*, crypto_key_t
*, crypto_data_t
*, crypto_data_t
*,
221 crypto_spi_ctx_template_t
, crypto_req_handle_t
);
224 * We use the same routine for sign_init and sign_recover_init fields
225 * as they do the same thing. Same holds for sign and sign_recover fields,
226 * and sign_atomic and sign_recover_atomic fields.
228 static crypto_sign_ops_t rsa_sign_ops
= {
229 rsa_sign_verify_common_init
,
234 rsa_sign_verify_common_init
,
239 static int rsaprov_verify(crypto_ctx_t
*, crypto_data_t
*, crypto_data_t
*,
240 crypto_req_handle_t
);
241 static int rsa_verify_update(crypto_ctx_t
*, crypto_data_t
*,
242 crypto_req_handle_t
);
243 static int rsa_verify_final(crypto_ctx_t
*, crypto_data_t
*,
244 crypto_req_handle_t
);
245 static int rsa_verify_atomic(crypto_provider_handle_t
, crypto_session_id_t
,
246 crypto_mechanism_t
*, crypto_key_t
*, crypto_data_t
*,
247 crypto_data_t
*, crypto_spi_ctx_template_t
, crypto_req_handle_t
);
248 static int rsa_verify_recover(crypto_ctx_t
*, crypto_data_t
*,
249 crypto_data_t
*, crypto_req_handle_t
);
250 static int rsa_verify_recover_atomic(crypto_provider_handle_t
,
251 crypto_session_id_t
, crypto_mechanism_t
*, crypto_key_t
*,
252 crypto_data_t
*, crypto_data_t
*, crypto_spi_ctx_template_t
,
253 crypto_req_handle_t
);
256 * We use the same routine (rsa_sign_verify_common_init) for verify_init
257 * and verify_recover_init fields as they do the same thing.
259 static crypto_verify_ops_t rsa_verify_ops
= {
260 rsa_sign_verify_common_init
,
265 rsa_sign_verify_common_init
,
267 rsa_verify_recover_atomic
270 static int rsa_free_context(crypto_ctx_t
*);
272 static crypto_ctx_ops_t rsa_ctx_ops
= {
277 static crypto_ops_t rsa_crypto_ops
= {
297 static crypto_provider_info_t rsa_prov_info
= {
298 CRYPTO_SPI_VERSION_4
,
299 "RSA Software Provider",
304 sizeof (rsa_mech_info_tab
)/sizeof (crypto_mech_info_t
),
308 static int rsa_encrypt_common(rsa_mech_type_t
, crypto_key_t
*,
309 crypto_data_t
*, crypto_data_t
*);
310 static int rsa_decrypt_common(rsa_mech_type_t
, crypto_key_t
*,
311 crypto_data_t
*, crypto_data_t
*);
312 static int rsa_sign_common(rsa_mech_type_t
, crypto_key_t
*,
313 crypto_data_t
*, crypto_data_t
*);
314 static int rsa_verify_common(rsa_mech_type_t
, crypto_key_t
*,
315 crypto_data_t
*, crypto_data_t
*);
316 static int compare_data(crypto_data_t
*, uchar_t
*);
318 /* EXPORT DELETE START */
320 static int core_rsa_encrypt(crypto_key_t
*, uchar_t
*, int, uchar_t
*, int);
321 static int core_rsa_decrypt(crypto_key_t
*, uchar_t
*, int, uchar_t
*);
323 /* EXPORT DELETE END */
325 static crypto_kcf_provider_handle_t rsa_prov_handle
= NULL
;
332 if ((ret
= mod_install(&modlinkage
)) != 0)
335 /* Register with KCF. If the registration fails, remove the module. */
336 if (crypto_register_provider(&rsa_prov_info
, &rsa_prov_handle
)) {
337 (void) mod_remove(&modlinkage
);
347 /* Unregister from KCF if module is registered */
348 if (rsa_prov_handle
!= NULL
) {
349 if (crypto_unregister_provider(rsa_prov_handle
))
352 rsa_prov_handle
= NULL
;
355 return (mod_remove(&modlinkage
));
359 _info(struct modinfo
*modinfop
)
361 return (mod_info(&modlinkage
, modinfop
));
366 rsa_provider_status(crypto_provider_handle_t provider
, uint_t
*status
)
368 *status
= CRYPTO_PROVIDER_READY
;
372 check_mech_and_key(crypto_mechanism_t
*mechanism
, crypto_key_t
*key
)
374 int rv
= CRYPTO_FAILED
;
376 /* EXPORT DELETE START */
379 ssize_t modulus_len
; /* In bytes */
381 if (!RSA_VALID_MECH(mechanism
))
382 return (CRYPTO_MECHANISM_INVALID
);
385 * We only support RSA keys that are passed as a list of
388 if (key
->ck_format
!= CRYPTO_KEY_ATTR_LIST
) {
389 return (CRYPTO_KEY_TYPE_INCONSISTENT
);
392 if ((rv
= crypto_get_key_attr(key
, SUN_CKA_MODULUS
, &modulus
,
393 &modulus_len
)) != CRYPTO_SUCCESS
) {
396 if (modulus_len
< MIN_RSA_KEYLENGTH_IN_BYTES
||
397 modulus_len
> MAX_RSA_KEYLENGTH_IN_BYTES
)
398 return (CRYPTO_KEY_SIZE_RANGE
);
400 /* EXPORT DELETE END */
406 kmemset(uint8_t *buf
, char pattern
, size_t len
)
415 * This function guarantees to return non-zero random numbers.
416 * This is needed as the /dev/urandom kernel interface,
417 * random_get_pseudo_bytes(), may return zeros.
420 knzero_random_generator(uint8_t *ran_out
, size_t ran_len
)
423 size_t ebc
= 0; /* count of extra bytes in extrarand */
425 uint8_t extrarand
[32];
426 size_t extrarand_len
;
428 if ((rv
= random_get_pseudo_bytes(ran_out
, ran_len
)) != 0)
432 * Walk through the returned random numbers pointed by ran_out,
433 * and look for any random number which is zero.
434 * If we find zero, call random_get_pseudo_bytes() to generate
435 * another 32 random numbers pool. Replace any zeros in ran_out[]
436 * from the random number in pool.
438 while (i
< ran_len
) {
439 if (ran_out
[i
] != 0) {
445 * Note that it is 'while' so we are guaranteed a
446 * non-zero value on exit.
449 /* refresh extrarand */
450 extrarand_len
= sizeof (extrarand
);
451 if ((rv
= random_get_pseudo_bytes(extrarand
,
452 extrarand_len
)) != 0) {
458 /* Replace zero with byte from extrarand. */
462 * The new random byte zero/non-zero will be checked in
463 * the next pass through the loop.
465 ran_out
[i
] = extrarand
[ebc
];
468 return (CRYPTO_SUCCESS
);
472 compare_data(crypto_data_t
*data
, uchar_t
*buf
)
477 len
= data
->cd_length
;
478 switch (data
->cd_format
) {
479 case CRYPTO_DATA_RAW
:
480 dptr
= (uchar_t
*)(data
->cd_raw
.iov_base
+
483 return (bcmp(dptr
, buf
, len
));
485 case CRYPTO_DATA_UIO
:
486 return (crypto_uio_data(data
, buf
, len
,
487 COMPARE_TO_DATA
, NULL
, NULL
));
489 case CRYPTO_DATA_MBLK
:
490 return (crypto_mblk_data(data
, buf
, len
,
491 COMPARE_TO_DATA
, NULL
, NULL
));
494 return (CRYPTO_FAILED
);
499 rsa_common_init(crypto_ctx_t
*ctx
, crypto_mechanism_t
*mechanism
,
500 crypto_key_t
*key
, crypto_spi_ctx_template_t
template,
501 crypto_req_handle_t req
)
507 if ((rv
= check_mech_and_key(mechanism
, key
)) != CRYPTO_SUCCESS
)
511 * Allocate a RSA context.
513 kmflag
= crypto_kmflag(req
);
514 if ((ctxp
= kmem_zalloc(sizeof (rsa_ctx_t
), kmflag
)) == NULL
)
515 return (CRYPTO_HOST_MEMORY
);
517 if ((rv
= crypto_copy_key_to_ctx(key
, &ctxp
->key
, &ctxp
->keychunk_size
,
518 kmflag
)) != CRYPTO_SUCCESS
) {
519 kmem_free(ctxp
, sizeof (rsa_ctx_t
));
522 ctxp
->mech_type
= mechanism
->cm_type
;
524 ctx
->cc_provider_private
= ctxp
;
526 return (CRYPTO_SUCCESS
);
531 rsaprov_encrypt(crypto_ctx_t
*ctx
, crypto_data_t
*plaintext
,
532 crypto_data_t
*ciphertext
, crypto_req_handle_t req
)
537 ASSERT(ctx
->cc_provider_private
!= NULL
);
538 ctxp
= ctx
->cc_provider_private
;
540 RSA_ARG_INPLACE(plaintext
, ciphertext
);
543 * Note on the KM_SLEEP flag passed to the routine below -
544 * rsaprov_encrypt() is a single-part encryption routine which is
545 * currently usable only by /dev/crypto. Since /dev/crypto calls are
546 * always synchronous, we can safely pass KM_SLEEP here.
548 rv
= rsa_encrypt_common(ctxp
->mech_type
, ctxp
->key
, plaintext
,
551 if (rv
!= CRYPTO_BUFFER_TOO_SMALL
)
552 (void) rsa_free_context(ctx
);
559 rsa_encrypt_atomic(crypto_provider_handle_t provider
,
560 crypto_session_id_t session_id
, crypto_mechanism_t
*mechanism
,
561 crypto_key_t
*key
, crypto_data_t
*plaintext
, crypto_data_t
*ciphertext
,
562 crypto_spi_ctx_template_t
template, crypto_req_handle_t req
)
566 if ((rv
= check_mech_and_key(mechanism
, key
)) != CRYPTO_SUCCESS
)
568 RSA_ARG_INPLACE(plaintext
, ciphertext
);
570 return (rsa_encrypt_common(mechanism
->cm_type
, key
, plaintext
,
575 rsa_free_context(crypto_ctx_t
*ctx
)
577 rsa_ctx_t
*ctxp
= ctx
->cc_provider_private
;
580 bzero(ctxp
->key
, ctxp
->keychunk_size
);
581 kmem_free(ctxp
->key
, ctxp
->keychunk_size
);
583 if (ctxp
->mech_type
== RSA_PKCS_MECH_INFO_TYPE
||
584 ctxp
->mech_type
== RSA_X_509_MECH_INFO_TYPE
)
585 kmem_free(ctxp
, sizeof (rsa_ctx_t
));
587 kmem_free(ctxp
, sizeof (digest_rsa_ctx_t
));
589 ctx
->cc_provider_private
= NULL
;
592 return (CRYPTO_SUCCESS
);
596 rsa_encrypt_common(rsa_mech_type_t mech_type
, crypto_key_t
*key
,
597 crypto_data_t
*plaintext
, crypto_data_t
*ciphertext
)
599 int rv
= CRYPTO_FAILED
;
601 /* EXPORT DELETE START */
607 uchar_t tmp_data
[MAX_RSA_KEYLENGTH_IN_BYTES
];
608 uchar_t plain_data
[MAX_RSA_KEYLENGTH_IN_BYTES
];
609 uchar_t cipher_data
[MAX_RSA_KEYLENGTH_IN_BYTES
];
611 if ((rv
= crypto_get_key_attr(key
, SUN_CKA_MODULUS
, &modulus
,
612 &modulus_len
)) != CRYPTO_SUCCESS
) {
616 plen
= plaintext
->cd_length
;
617 if (mech_type
== RSA_PKCS_MECH_INFO_TYPE
) {
618 if (plen
> (modulus_len
- MIN_PKCS1_PADLEN
))
619 return (CRYPTO_DATA_LEN_RANGE
);
621 if (plen
> modulus_len
)
622 return (CRYPTO_DATA_LEN_RANGE
);
626 * Output buf len must not be less than RSA modulus size.
628 if (ciphertext
->cd_length
< modulus_len
) {
629 ciphertext
->cd_length
= modulus_len
;
630 return (CRYPTO_BUFFER_TOO_SMALL
);
633 ASSERT(plaintext
->cd_length
<= sizeof (tmp_data
));
634 if ((rv
= crypto_get_input_data(plaintext
, &ptptr
, tmp_data
))
638 if (mech_type
== RSA_PKCS_MECH_INFO_TYPE
) {
639 rv
= pkcs1_encode(PKCS1_ENCRYPT
, ptptr
, plen
,
640 plain_data
, modulus_len
);
642 if (rv
!= CRYPTO_SUCCESS
)
645 bzero(plain_data
, modulus_len
- plen
);
646 bcopy(ptptr
, &plain_data
[modulus_len
- plen
], plen
);
649 rv
= core_rsa_encrypt(key
, plain_data
, modulus_len
, cipher_data
, 1);
650 if (rv
== CRYPTO_SUCCESS
) {
651 /* copy out to ciphertext */
652 if ((rv
= crypto_put_output_data(cipher_data
,
653 ciphertext
, modulus_len
)) != CRYPTO_SUCCESS
)
656 ciphertext
->cd_length
= modulus_len
;
659 /* EXPORT DELETE END */
664 /* EXPORT DELETE START */
667 core_rsa_encrypt(crypto_key_t
*key
, uchar_t
*in
,
668 int in_len
, uchar_t
*out
, int is_public
)
671 uchar_t
*expo
, *modulus
;
677 if ((rv
= crypto_get_key_attr(key
, SUN_CKA_PUBLIC_EXPONENT
,
678 &expo
, &expo_len
)) != CRYPTO_SUCCESS
)
682 * SUN_CKA_PRIVATE_EXPONENT is a required attribute for a
683 * RSA secret key. See the comments in core_rsa_decrypt
684 * routine which calls this routine with a private key.
686 if ((rv
= crypto_get_key_attr(key
, SUN_CKA_PRIVATE_EXPONENT
,
687 &expo
, &expo_len
)) != CRYPTO_SUCCESS
)
691 if ((rv
= crypto_get_key_attr(key
, SUN_CKA_MODULUS
, &modulus
,
692 &modulus_len
)) != CRYPTO_SUCCESS
) {
697 k
.modulus_bits
= CRYPTO_BYTES2BITS(modulus_len
);
699 k
.pubexpo_bytes
= expo_len
;
702 rv
= rsa_encrypt(&k
, in
, in_len
, out
);
707 /* EXPORT DELETE END */
711 rsaprov_decrypt(crypto_ctx_t
*ctx
, crypto_data_t
*ciphertext
,
712 crypto_data_t
*plaintext
, crypto_req_handle_t req
)
717 ASSERT(ctx
->cc_provider_private
!= NULL
);
718 ctxp
= ctx
->cc_provider_private
;
720 RSA_ARG_INPLACE(ciphertext
, plaintext
);
722 /* See the comments on KM_SLEEP flag in rsaprov_encrypt() */
723 rv
= rsa_decrypt_common(ctxp
->mech_type
, ctxp
->key
,
724 ciphertext
, plaintext
);
726 if (rv
!= CRYPTO_BUFFER_TOO_SMALL
)
727 (void) rsa_free_context(ctx
);
734 rsa_decrypt_atomic(crypto_provider_handle_t provider
,
735 crypto_session_id_t session_id
, crypto_mechanism_t
*mechanism
,
736 crypto_key_t
*key
, crypto_data_t
*ciphertext
, crypto_data_t
*plaintext
,
737 crypto_spi_ctx_template_t
template, crypto_req_handle_t req
)
741 if ((rv
= check_mech_and_key(mechanism
, key
)) != CRYPTO_SUCCESS
)
743 RSA_ARG_INPLACE(ciphertext
, plaintext
);
745 return (rsa_decrypt_common(mechanism
->cm_type
, key
, ciphertext
,
750 rsa_decrypt_common(rsa_mech_type_t mech_type
, crypto_key_t
*key
,
751 crypto_data_t
*ciphertext
, crypto_data_t
*plaintext
)
753 int rv
= CRYPTO_FAILED
;
755 /* EXPORT DELETE START */
761 uchar_t plain_data
[MAX_RSA_KEYLENGTH_IN_BYTES
];
762 uchar_t tmp_data
[MAX_RSA_KEYLENGTH_IN_BYTES
];
764 if ((rv
= crypto_get_key_attr(key
, SUN_CKA_MODULUS
, &modulus
,
765 &modulus_len
)) != CRYPTO_SUCCESS
) {
770 * Ciphertext length must be equal to RSA modulus size.
772 if (ciphertext
->cd_length
!= modulus_len
)
773 return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE
);
775 ASSERT(ciphertext
->cd_length
<= sizeof (tmp_data
));
776 if ((rv
= crypto_get_input_data(ciphertext
, &ctptr
, tmp_data
))
780 rv
= core_rsa_decrypt(key
, ctptr
, modulus_len
, plain_data
);
781 if (rv
== CRYPTO_SUCCESS
) {
782 plain_len
= modulus_len
;
784 if (mech_type
== RSA_PKCS_MECH_INFO_TYPE
) {
785 /* Strip off the PKCS block formatting data. */
786 rv
= pkcs1_decode(PKCS1_DECRYPT
, plain_data
,
788 if (rv
!= CRYPTO_SUCCESS
)
792 if (plain_len
> plaintext
->cd_length
) {
793 plaintext
->cd_length
= plain_len
;
794 return (CRYPTO_BUFFER_TOO_SMALL
);
797 if ((rv
= crypto_put_output_data(
798 plain_data
+ modulus_len
- plain_len
,
799 plaintext
, plain_len
)) != CRYPTO_SUCCESS
)
802 plaintext
->cd_length
= plain_len
;
805 /* EXPORT DELETE END */
810 /* EXPORT DELETE START */
813 core_rsa_decrypt(crypto_key_t
*key
, uchar_t
*in
, int in_len
, uchar_t
*out
)
816 uchar_t
*modulus
, *prime1
, *prime2
, *expo1
, *expo2
, *coef
;
818 ssize_t prime1_len
, prime2_len
;
819 ssize_t expo1_len
, expo2_len
, coef_len
;
822 if ((rv
= crypto_get_key_attr(key
, SUN_CKA_MODULUS
, &modulus
,
823 &modulus_len
)) != CRYPTO_SUCCESS
) {
828 * The following attributes are not required to be
829 * present in a RSA secret key. If any of them is not present
830 * we call the encrypt routine with a flag indicating use of
831 * private exponent (d). Note that SUN_CKA_PRIVATE_EXPONENT is
832 * a required attribute for a RSA secret key.
834 if ((crypto_get_key_attr(key
, SUN_CKA_PRIME_1
, &prime1
, &prime1_len
)
835 != CRYPTO_SUCCESS
) ||
836 (crypto_get_key_attr(key
, SUN_CKA_PRIME_2
, &prime2
, &prime2_len
)
837 != CRYPTO_SUCCESS
) ||
838 (crypto_get_key_attr(key
, SUN_CKA_EXPONENT_1
, &expo1
, &expo1_len
)
839 != CRYPTO_SUCCESS
) ||
840 (crypto_get_key_attr(key
, SUN_CKA_EXPONENT_2
, &expo2
, &expo2_len
)
841 != CRYPTO_SUCCESS
) ||
842 (crypto_get_key_attr(key
, SUN_CKA_COEFFICIENT
, &coef
, &coef_len
)
843 != CRYPTO_SUCCESS
)) {
844 return (core_rsa_encrypt(key
, in
, in_len
, out
, 0));
848 k
.modulus_bits
= CRYPTO_BYTES2BITS(modulus_len
);
850 k
.prime1_bytes
= prime1_len
;
852 k
.prime2_bytes
= prime2_len
;
854 k
.expo1_bytes
= expo1_len
;
856 k
.expo2_bytes
= expo2_len
;
858 k
.coeff_bytes
= coef_len
;
861 rv
= rsa_decrypt(&k
, in
, in_len
, out
);
866 /* EXPORT DELETE END */
870 rsa_sign_verify_common_init(crypto_ctx_t
*ctx
, crypto_mechanism_t
*mechanism
,
871 crypto_key_t
*key
, crypto_spi_ctx_template_t ctx_template
,
872 crypto_req_handle_t req
)
877 digest_rsa_ctx_t
*dctxp
;
879 if ((rv
= check_mech_and_key(mechanism
, key
)) != CRYPTO_SUCCESS
)
883 * Allocate a RSA context.
885 kmflag
= crypto_kmflag(req
);
886 switch (mechanism
->cm_type
) {
887 case MD5_RSA_PKCS_MECH_INFO_TYPE
:
888 case SHA1_RSA_PKCS_MECH_INFO_TYPE
:
889 case SHA256_RSA_PKCS_MECH_INFO_TYPE
:
890 case SHA384_RSA_PKCS_MECH_INFO_TYPE
:
891 case SHA512_RSA_PKCS_MECH_INFO_TYPE
:
892 dctxp
= kmem_zalloc(sizeof (digest_rsa_ctx_t
), kmflag
);
893 ctxp
= (rsa_ctx_t
*)dctxp
;
896 ctxp
= kmem_zalloc(sizeof (rsa_ctx_t
), kmflag
);
901 return (CRYPTO_HOST_MEMORY
);
903 ctxp
->mech_type
= mechanism
->cm_type
;
904 if ((rv
= crypto_copy_key_to_ctx(key
, &ctxp
->key
, &ctxp
->keychunk_size
,
905 kmflag
)) != CRYPTO_SUCCESS
) {
906 switch (mechanism
->cm_type
) {
907 case MD5_RSA_PKCS_MECH_INFO_TYPE
:
908 case SHA1_RSA_PKCS_MECH_INFO_TYPE
:
909 case SHA256_RSA_PKCS_MECH_INFO_TYPE
:
910 case SHA384_RSA_PKCS_MECH_INFO_TYPE
:
911 case SHA512_RSA_PKCS_MECH_INFO_TYPE
:
912 kmem_free(dctxp
, sizeof (digest_rsa_ctx_t
));
915 kmem_free(ctxp
, sizeof (rsa_ctx_t
));
921 switch (mechanism
->cm_type
) {
922 case MD5_RSA_PKCS_MECH_INFO_TYPE
:
923 MD5Init(&(dctxp
->md5_ctx
));
926 case SHA1_RSA_PKCS_MECH_INFO_TYPE
:
927 SHA1Init(&(dctxp
->sha1_ctx
));
930 case SHA256_RSA_PKCS_MECH_INFO_TYPE
:
931 SHA2Init(SHA256
, &(dctxp
->sha2_ctx
));
934 case SHA384_RSA_PKCS_MECH_INFO_TYPE
:
935 SHA2Init(SHA384
, &(dctxp
->sha2_ctx
));
938 case SHA512_RSA_PKCS_MECH_INFO_TYPE
:
939 SHA2Init(SHA512
, &(dctxp
->sha2_ctx
));
943 ctx
->cc_provider_private
= ctxp
;
945 return (CRYPTO_SUCCESS
);
948 #define SHA1_DIGEST_SIZE 20
949 #define MD5_DIGEST_SIZE 16
951 #define INIT_RAW_CRYPTO_DATA(data, base, len, cd_len) \
952 (data).cd_format = CRYPTO_DATA_RAW; \
953 (data).cd_offset = 0; \
954 (data).cd_raw.iov_base = (char *)base; \
955 (data).cd_raw.iov_len = len; \
956 (data).cd_length = cd_len;
959 rsa_digest_svrfy_common(digest_rsa_ctx_t
*ctxp
, crypto_data_t
*data
,
960 crypto_data_t
*signature
, uchar_t flag
)
962 int rv
= CRYPTO_FAILED
;
964 /* EXPORT DELETE START */
966 uchar_t digest
[SHA512_DIGEST_LENGTH
];
967 /* The der_data size is enough for MD5 also */
968 uchar_t der_data
[SHA512_DIGEST_LENGTH
+ SHA2_DER_PREFIX_Len
];
969 ulong_t der_data_len
;
970 crypto_data_t der_cd
;
971 rsa_mech_type_t mech_type
;
973 ASSERT(flag
& CRYPTO_DO_SIGN
|| flag
& CRYPTO_DO_VERIFY
);
974 ASSERT(data
!= NULL
|| (flag
& CRYPTO_DO_FINAL
));
976 mech_type
= ctxp
->mech_type
;
977 if (mech_type
== RSA_PKCS_MECH_INFO_TYPE
||
978 mech_type
== RSA_X_509_MECH_INFO_TYPE
)
979 return (CRYPTO_MECHANISM_INVALID
);
982 * We need to do the BUFFER_TOO_SMALL check before digesting
983 * the data. No check is needed for verify as signature is not
984 * an output argument for verify.
986 if (flag
& CRYPTO_DO_SIGN
) {
990 if ((rv
= crypto_get_key_attr(ctxp
->key
, SUN_CKA_MODULUS
,
991 &modulus
, &modulus_len
)) != CRYPTO_SUCCESS
) {
995 if (signature
->cd_length
< modulus_len
) {
996 signature
->cd_length
= modulus_len
;
997 return (CRYPTO_BUFFER_TOO_SMALL
);
1001 if (mech_type
== MD5_RSA_PKCS_MECH_INFO_TYPE
)
1002 rv
= crypto_digest_data(data
, &(ctxp
->md5_ctx
),
1003 digest
, MD5Update
, MD5Final
, flag
| CRYPTO_DO_MD5
);
1005 else if (mech_type
== SHA1_RSA_PKCS_MECH_INFO_TYPE
)
1006 rv
= crypto_digest_data(data
, &(ctxp
->sha1_ctx
),
1007 digest
, SHA1Update
, SHA1Final
, flag
| CRYPTO_DO_SHA1
);
1010 rv
= crypto_digest_data(data
, &(ctxp
->sha2_ctx
),
1011 digest
, SHA2Update
, SHA2Final
, flag
| CRYPTO_DO_SHA2
);
1013 if (rv
!= CRYPTO_SUCCESS
)
1018 * Prepare the DER encoding of the DigestInfo value as follows:
1019 * MD5: MD5_DER_PREFIX || H
1020 * SHA-1: SHA1_DER_PREFIX || H
1022 * See rsa_impl.c for more details.
1024 switch (mech_type
) {
1025 case MD5_RSA_PKCS_MECH_INFO_TYPE
:
1026 bcopy(MD5_DER_PREFIX
, der_data
, MD5_DER_PREFIX_Len
);
1027 bcopy(digest
, der_data
+ MD5_DER_PREFIX_Len
, MD5_DIGEST_SIZE
);
1028 der_data_len
= MD5_DER_PREFIX_Len
+ MD5_DIGEST_SIZE
;
1031 case SHA1_RSA_PKCS_MECH_INFO_TYPE
:
1032 bcopy(SHA1_DER_PREFIX
, der_data
, SHA1_DER_PREFIX_Len
);
1033 bcopy(digest
, der_data
+ SHA1_DER_PREFIX_Len
,
1035 der_data_len
= SHA1_DER_PREFIX_Len
+ SHA1_DIGEST_SIZE
;
1038 case SHA256_RSA_PKCS_MECH_INFO_TYPE
:
1039 bcopy(SHA256_DER_PREFIX
, der_data
, SHA2_DER_PREFIX_Len
);
1040 bcopy(digest
, der_data
+ SHA2_DER_PREFIX_Len
,
1041 SHA256_DIGEST_LENGTH
);
1042 der_data_len
= SHA2_DER_PREFIX_Len
+ SHA256_DIGEST_LENGTH
;
1045 case SHA384_RSA_PKCS_MECH_INFO_TYPE
:
1046 bcopy(SHA384_DER_PREFIX
, der_data
, SHA2_DER_PREFIX_Len
);
1047 bcopy(digest
, der_data
+ SHA2_DER_PREFIX_Len
,
1048 SHA384_DIGEST_LENGTH
);
1049 der_data_len
= SHA2_DER_PREFIX_Len
+ SHA384_DIGEST_LENGTH
;
1052 case SHA512_RSA_PKCS_MECH_INFO_TYPE
:
1053 bcopy(SHA512_DER_PREFIX
, der_data
, SHA2_DER_PREFIX_Len
);
1054 bcopy(digest
, der_data
+ SHA2_DER_PREFIX_Len
,
1055 SHA512_DIGEST_LENGTH
);
1056 der_data_len
= SHA2_DER_PREFIX_Len
+ SHA512_DIGEST_LENGTH
;
1060 INIT_RAW_CRYPTO_DATA(der_cd
, der_data
, der_data_len
, der_data_len
);
1062 * Now, we are ready to sign or verify the DER_ENCODED data.
1064 if (flag
& CRYPTO_DO_SIGN
)
1065 rv
= rsa_sign_common(mech_type
, ctxp
->key
, &der_cd
,
1068 rv
= rsa_verify_common(mech_type
, ctxp
->key
, &der_cd
,
1071 /* EXPORT DELETE END */
1077 rsa_sign_common(rsa_mech_type_t mech_type
, crypto_key_t
*key
,
1078 crypto_data_t
*data
, crypto_data_t
*signature
)
1080 int rv
= CRYPTO_FAILED
;
1082 /* EXPORT DELETE START */
1085 uchar_t
*dataptr
, *modulus
;
1086 ssize_t modulus_len
;
1087 uchar_t tmp_data
[MAX_RSA_KEYLENGTH_IN_BYTES
];
1088 uchar_t plain_data
[MAX_RSA_KEYLENGTH_IN_BYTES
];
1089 uchar_t signed_data
[MAX_RSA_KEYLENGTH_IN_BYTES
];
1091 if ((rv
= crypto_get_key_attr(key
, SUN_CKA_MODULUS
, &modulus
,
1092 &modulus_len
)) != CRYPTO_SUCCESS
) {
1096 dlen
= data
->cd_length
;
1097 switch (mech_type
) {
1098 case RSA_PKCS_MECH_INFO_TYPE
:
1099 if (dlen
> (modulus_len
- MIN_PKCS1_PADLEN
))
1100 return (CRYPTO_DATA_LEN_RANGE
);
1102 case RSA_X_509_MECH_INFO_TYPE
:
1103 if (dlen
> modulus_len
)
1104 return (CRYPTO_DATA_LEN_RANGE
);
1108 if (signature
->cd_length
< modulus_len
) {
1109 signature
->cd_length
= modulus_len
;
1110 return (CRYPTO_BUFFER_TOO_SMALL
);
1113 ASSERT(data
->cd_length
<= sizeof (tmp_data
));
1114 if ((rv
= crypto_get_input_data(data
, &dataptr
, tmp_data
))
1118 switch (mech_type
) {
1119 case RSA_PKCS_MECH_INFO_TYPE
:
1120 case MD5_RSA_PKCS_MECH_INFO_TYPE
:
1121 case SHA1_RSA_PKCS_MECH_INFO_TYPE
:
1122 case SHA256_RSA_PKCS_MECH_INFO_TYPE
:
1123 case SHA384_RSA_PKCS_MECH_INFO_TYPE
:
1124 case SHA512_RSA_PKCS_MECH_INFO_TYPE
:
1126 * Add PKCS padding to the input data to format a block
1127 * type "01" encryption block.
1129 rv
= pkcs1_encode(PKCS1_SIGN
, dataptr
, dlen
, plain_data
,
1131 if (rv
!= CRYPTO_SUCCESS
)
1136 case RSA_X_509_MECH_INFO_TYPE
:
1137 bzero(plain_data
, modulus_len
- dlen
);
1138 bcopy(dataptr
, &plain_data
[modulus_len
- dlen
], dlen
);
1142 rv
= core_rsa_decrypt(key
, plain_data
, modulus_len
, signed_data
);
1143 if (rv
== CRYPTO_SUCCESS
) {
1144 /* copy out to signature */
1145 if ((rv
= crypto_put_output_data(signed_data
,
1146 signature
, modulus_len
)) != CRYPTO_SUCCESS
)
1149 signature
->cd_length
= modulus_len
;
1152 /* EXPORT DELETE END */
1159 rsaprov_sign(crypto_ctx_t
*ctx
, crypto_data_t
*data
, crypto_data_t
*signature
,
1160 crypto_req_handle_t req
)
1165 ASSERT(ctx
->cc_provider_private
!= NULL
);
1166 ctxp
= ctx
->cc_provider_private
;
1168 /* See the comments on KM_SLEEP flag in rsaprov_encrypt() */
1169 switch (ctxp
->mech_type
) {
1170 case MD5_RSA_PKCS_MECH_INFO_TYPE
:
1171 case SHA1_RSA_PKCS_MECH_INFO_TYPE
:
1172 case SHA256_RSA_PKCS_MECH_INFO_TYPE
:
1173 case SHA384_RSA_PKCS_MECH_INFO_TYPE
:
1174 case SHA512_RSA_PKCS_MECH_INFO_TYPE
:
1175 rv
= rsa_digest_svrfy_common((digest_rsa_ctx_t
*)ctxp
, data
,
1176 signature
, CRYPTO_DO_SIGN
| CRYPTO_DO_UPDATE
|
1180 rv
= rsa_sign_common(ctxp
->mech_type
, ctxp
->key
, data
,
1185 if (rv
!= CRYPTO_BUFFER_TOO_SMALL
)
1186 (void) rsa_free_context(ctx
);
1193 rsa_sign_update(crypto_ctx_t
*ctx
, crypto_data_t
*data
, crypto_req_handle_t req
)
1196 digest_rsa_ctx_t
*ctxp
;
1197 rsa_mech_type_t mech_type
;
1199 ASSERT(ctx
->cc_provider_private
!= NULL
);
1200 ctxp
= ctx
->cc_provider_private
;
1201 mech_type
= ctxp
->mech_type
;
1203 if (mech_type
== RSA_PKCS_MECH_INFO_TYPE
||
1204 mech_type
== RSA_X_509_MECH_INFO_TYPE
)
1205 return (CRYPTO_MECHANISM_INVALID
);
1207 if (mech_type
== MD5_RSA_PKCS_MECH_INFO_TYPE
)
1208 rv
= crypto_digest_data(data
, &(ctxp
->md5_ctx
),
1209 NULL
, MD5Update
, MD5Final
,
1210 CRYPTO_DO_MD5
| CRYPTO_DO_UPDATE
);
1212 else if (mech_type
== SHA1_RSA_PKCS_MECH_INFO_TYPE
)
1213 rv
= crypto_digest_data(data
, &(ctxp
->sha1_ctx
),
1214 NULL
, SHA1Update
, SHA1Final
, CRYPTO_DO_SHA1
|
1218 rv
= crypto_digest_data(data
, &(ctxp
->sha2_ctx
),
1219 NULL
, SHA2Update
, SHA2Final
, CRYPTO_DO_SHA2
|
1227 rsa_sign_final(crypto_ctx_t
*ctx
, crypto_data_t
*signature
,
1228 crypto_req_handle_t req
)
1231 digest_rsa_ctx_t
*ctxp
;
1233 ASSERT(ctx
->cc_provider_private
!= NULL
);
1234 ctxp
= ctx
->cc_provider_private
;
1236 rv
= rsa_digest_svrfy_common(ctxp
, NULL
, signature
,
1237 CRYPTO_DO_SIGN
| CRYPTO_DO_FINAL
);
1238 if (rv
!= CRYPTO_BUFFER_TOO_SMALL
)
1239 (void) rsa_free_context(ctx
);
1246 rsa_sign_atomic(crypto_provider_handle_t provider
,
1247 crypto_session_id_t session_id
, crypto_mechanism_t
*mechanism
,
1248 crypto_key_t
*key
, crypto_data_t
*data
, crypto_data_t
*signature
,
1249 crypto_spi_ctx_template_t ctx_template
, crypto_req_handle_t req
)
1252 digest_rsa_ctx_t dctx
;
1254 if ((rv
= check_mech_and_key(mechanism
, key
)) != CRYPTO_SUCCESS
)
1257 if (mechanism
->cm_type
== RSA_PKCS_MECH_INFO_TYPE
||
1258 mechanism
->cm_type
== RSA_X_509_MECH_INFO_TYPE
)
1259 rv
= rsa_sign_common(mechanism
->cm_type
, key
, data
,
1263 dctx
.mech_type
= mechanism
->cm_type
;
1265 switch (mechanism
->cm_type
) {
1266 case MD5_RSA_PKCS_MECH_INFO_TYPE
:
1267 MD5Init(&(dctx
.md5_ctx
));
1270 case SHA1_RSA_PKCS_MECH_INFO_TYPE
:
1271 SHA1Init(&(dctx
.sha1_ctx
));
1274 case SHA256_RSA_PKCS_MECH_INFO_TYPE
:
1275 SHA2Init(SHA256
, &(dctx
.sha2_ctx
));
1278 case SHA384_RSA_PKCS_MECH_INFO_TYPE
:
1279 SHA2Init(SHA384
, &(dctx
.sha2_ctx
));
1282 case SHA512_RSA_PKCS_MECH_INFO_TYPE
:
1283 SHA2Init(SHA512
, &(dctx
.sha2_ctx
));
1287 rv
= rsa_digest_svrfy_common(&dctx
, data
, signature
,
1288 CRYPTO_DO_SIGN
| CRYPTO_DO_UPDATE
| CRYPTO_DO_FINAL
);
1295 rsa_verify_common(rsa_mech_type_t mech_type
, crypto_key_t
*key
,
1296 crypto_data_t
*data
, crypto_data_t
*signature
)
1298 int rv
= CRYPTO_FAILED
;
1300 /* EXPORT DELETE START */
1302 uchar_t
*sigptr
, *modulus
;
1303 ssize_t modulus_len
;
1304 uchar_t plain_data
[MAX_RSA_KEYLENGTH_IN_BYTES
];
1305 uchar_t tmp_data
[MAX_RSA_KEYLENGTH_IN_BYTES
];
1307 if ((rv
= crypto_get_key_attr(key
, SUN_CKA_MODULUS
, &modulus
,
1308 &modulus_len
)) != CRYPTO_SUCCESS
) {
1312 if (signature
->cd_length
!= modulus_len
)
1313 return (CRYPTO_SIGNATURE_LEN_RANGE
);
1315 ASSERT(signature
->cd_length
<= sizeof (tmp_data
));
1316 if ((rv
= crypto_get_input_data(signature
, &sigptr
, tmp_data
))
1320 rv
= core_rsa_encrypt(key
, sigptr
, modulus_len
, plain_data
, 1);
1321 if (rv
!= CRYPTO_SUCCESS
)
1324 if (mech_type
== RSA_X_509_MECH_INFO_TYPE
) {
1325 if (compare_data(data
, (plain_data
+ modulus_len
1326 - data
->cd_length
)) != 0)
1327 rv
= CRYPTO_SIGNATURE_INVALID
;
1330 size_t data_len
= modulus_len
;
1333 * Strip off the encoded padding bytes in front of the
1334 * recovered data, then compare the recovered data with
1335 * the original data.
1337 rv
= pkcs1_decode(PKCS1_VERIFY
, plain_data
, &data_len
);
1338 if (rv
!= CRYPTO_SUCCESS
)
1341 if (data_len
!= data
->cd_length
)
1342 return (CRYPTO_SIGNATURE_LEN_RANGE
);
1344 if (compare_data(data
, (plain_data
+ modulus_len
1346 rv
= CRYPTO_SIGNATURE_INVALID
;
1349 /* EXPORT DELETE END */
1356 rsaprov_verify(crypto_ctx_t
*ctx
, crypto_data_t
*data
,
1357 crypto_data_t
*signature
, crypto_req_handle_t req
)
1362 ASSERT(ctx
->cc_provider_private
!= NULL
);
1363 ctxp
= ctx
->cc_provider_private
;
1365 /* See the comments on KM_SLEEP flag in rsaprov_encrypt() */
1366 switch (ctxp
->mech_type
) {
1367 case MD5_RSA_PKCS_MECH_INFO_TYPE
:
1368 case SHA1_RSA_PKCS_MECH_INFO_TYPE
:
1369 case SHA256_RSA_PKCS_MECH_INFO_TYPE
:
1370 case SHA384_RSA_PKCS_MECH_INFO_TYPE
:
1371 case SHA512_RSA_PKCS_MECH_INFO_TYPE
:
1372 rv
= rsa_digest_svrfy_common((digest_rsa_ctx_t
*)ctxp
, data
,
1373 signature
, CRYPTO_DO_VERIFY
| CRYPTO_DO_UPDATE
|
1377 rv
= rsa_verify_common(ctxp
->mech_type
, ctxp
->key
, data
,
1382 if (rv
!= CRYPTO_BUFFER_TOO_SMALL
)
1383 (void) rsa_free_context(ctx
);
1390 rsa_verify_update(crypto_ctx_t
*ctx
, crypto_data_t
*data
,
1391 crypto_req_handle_t req
)
1394 digest_rsa_ctx_t
*ctxp
;
1396 ASSERT(ctx
->cc_provider_private
!= NULL
);
1397 ctxp
= ctx
->cc_provider_private
;
1399 switch (ctxp
->mech_type
) {
1401 case MD5_RSA_PKCS_MECH_INFO_TYPE
:
1402 rv
= crypto_digest_data(data
, &(ctxp
->md5_ctx
),
1403 NULL
, MD5Update
, MD5Final
, CRYPTO_DO_MD5
|
1407 case SHA1_RSA_PKCS_MECH_INFO_TYPE
:
1408 rv
= crypto_digest_data(data
, &(ctxp
->sha1_ctx
),
1409 NULL
, SHA1Update
, SHA1Final
, CRYPTO_DO_SHA1
|
1413 case SHA256_RSA_PKCS_MECH_INFO_TYPE
:
1414 case SHA384_RSA_PKCS_MECH_INFO_TYPE
:
1415 case SHA512_RSA_PKCS_MECH_INFO_TYPE
:
1416 rv
= crypto_digest_data(data
, &(ctxp
->sha2_ctx
),
1417 NULL
, SHA2Update
, SHA2Final
, CRYPTO_DO_SHA2
|
1422 return (CRYPTO_MECHANISM_INVALID
);
1430 rsa_verify_final(crypto_ctx_t
*ctx
, crypto_data_t
*signature
,
1431 crypto_req_handle_t req
)
1434 digest_rsa_ctx_t
*ctxp
;
1436 ASSERT(ctx
->cc_provider_private
!= NULL
);
1437 ctxp
= ctx
->cc_provider_private
;
1439 rv
= rsa_digest_svrfy_common(ctxp
, NULL
, signature
,
1440 CRYPTO_DO_VERIFY
| CRYPTO_DO_FINAL
);
1441 if (rv
!= CRYPTO_BUFFER_TOO_SMALL
)
1442 (void) rsa_free_context(ctx
);
1450 rsa_verify_atomic(crypto_provider_handle_t provider
,
1451 crypto_session_id_t session_id
,
1452 crypto_mechanism_t
*mechanism
, crypto_key_t
*key
, crypto_data_t
*data
,
1453 crypto_data_t
*signature
, crypto_spi_ctx_template_t ctx_template
,
1454 crypto_req_handle_t req
)
1457 digest_rsa_ctx_t dctx
;
1459 if ((rv
= check_mech_and_key(mechanism
, key
)) != CRYPTO_SUCCESS
)
1462 if (mechanism
->cm_type
== RSA_PKCS_MECH_INFO_TYPE
||
1463 mechanism
->cm_type
== RSA_X_509_MECH_INFO_TYPE
)
1464 rv
= rsa_verify_common(mechanism
->cm_type
, key
, data
,
1468 dctx
.mech_type
= mechanism
->cm_type
;
1471 switch (mechanism
->cm_type
) {
1472 case MD5_RSA_PKCS_MECH_INFO_TYPE
:
1473 MD5Init(&(dctx
.md5_ctx
));
1476 case SHA1_RSA_PKCS_MECH_INFO_TYPE
:
1477 SHA1Init(&(dctx
.sha1_ctx
));
1480 case SHA256_RSA_PKCS_MECH_INFO_TYPE
:
1481 SHA2Init(SHA256
, &(dctx
.sha2_ctx
));
1484 case SHA384_RSA_PKCS_MECH_INFO_TYPE
:
1485 SHA2Init(SHA384
, &(dctx
.sha2_ctx
));
1488 case SHA512_RSA_PKCS_MECH_INFO_TYPE
:
1489 SHA2Init(SHA512
, &(dctx
.sha2_ctx
));
1493 rv
= rsa_digest_svrfy_common(&dctx
, data
, signature
,
1494 CRYPTO_DO_VERIFY
| CRYPTO_DO_UPDATE
| CRYPTO_DO_FINAL
);
1501 rsa_verify_recover_common(rsa_mech_type_t mech_type
, crypto_key_t
*key
,
1502 crypto_data_t
*signature
, crypto_data_t
*data
)
1504 int rv
= CRYPTO_FAILED
;
1506 /* EXPORT DELETE START */
1509 uchar_t
*sigptr
, *modulus
;
1510 ssize_t modulus_len
;
1511 uchar_t plain_data
[MAX_RSA_KEYLENGTH_IN_BYTES
];
1512 uchar_t tmp_data
[MAX_RSA_KEYLENGTH_IN_BYTES
];
1514 if ((rv
= crypto_get_key_attr(key
, SUN_CKA_MODULUS
, &modulus
,
1515 &modulus_len
)) != CRYPTO_SUCCESS
) {
1519 if (signature
->cd_length
!= modulus_len
)
1520 return (CRYPTO_SIGNATURE_LEN_RANGE
);
1522 ASSERT(signature
->cd_length
<= sizeof (tmp_data
));
1523 if ((rv
= crypto_get_input_data(signature
, &sigptr
, tmp_data
))
1527 rv
= core_rsa_encrypt(key
, sigptr
, modulus_len
, plain_data
, 1);
1528 if (rv
!= CRYPTO_SUCCESS
)
1531 data_len
= modulus_len
;
1533 if (mech_type
== RSA_PKCS_MECH_INFO_TYPE
) {
1535 * Strip off the encoded padding bytes in front of the
1536 * recovered data, then compare the recovered data with
1537 * the original data.
1539 rv
= pkcs1_decode(PKCS1_VERIFY
, plain_data
, &data_len
);
1540 if (rv
!= CRYPTO_SUCCESS
)
1544 if (data
->cd_length
< data_len
) {
1545 data
->cd_length
= data_len
;
1546 return (CRYPTO_BUFFER_TOO_SMALL
);
1549 if ((rv
= crypto_put_output_data(plain_data
+ modulus_len
- data_len
,
1550 data
, data_len
)) != CRYPTO_SUCCESS
)
1552 data
->cd_length
= data_len
;
1554 /* EXPORT DELETE END */
1561 rsa_verify_recover(crypto_ctx_t
*ctx
, crypto_data_t
*signature
,
1562 crypto_data_t
*data
, crypto_req_handle_t req
)
1567 ASSERT(ctx
->cc_provider_private
!= NULL
);
1568 ctxp
= ctx
->cc_provider_private
;
1570 /* See the comments on KM_SLEEP flag in rsaprov_encrypt() */
1571 rv
= rsa_verify_recover_common(ctxp
->mech_type
, ctxp
->key
,
1574 if (rv
!= CRYPTO_BUFFER_TOO_SMALL
)
1575 (void) rsa_free_context(ctx
);
1582 rsa_verify_recover_atomic(crypto_provider_handle_t provider
,
1583 crypto_session_id_t session_id
, crypto_mechanism_t
*mechanism
,
1584 crypto_key_t
*key
, crypto_data_t
*signature
, crypto_data_t
*data
,
1585 crypto_spi_ctx_template_t ctx_template
, crypto_req_handle_t req
)
1589 if ((rv
= check_mech_and_key(mechanism
, key
)) != CRYPTO_SUCCESS
)
1592 return (rsa_verify_recover_common(mechanism
->cm_type
, key
,