1 /* crypto/rsa/rsa_ameth.c */
3 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
6 /* ====================================================================
7 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in
18 * the documentation and/or other materials provided with the
21 * 3. All advertising materials mentioning features or use of this
22 * software must display the following acknowledgment:
23 * "This product includes software developed by the OpenSSL Project
24 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
26 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
27 * endorse or promote products derived from this software without
28 * prior written permission. For written permission, please contact
29 * licensing@OpenSSL.org.
31 * 5. Products derived from this software may not be called "OpenSSL"
32 * nor may "OpenSSL" appear in their names without prior written
33 * permission of the OpenSSL Project.
35 * 6. Redistributions of any form whatsoever must retain the following
37 * "This product includes software developed by the OpenSSL Project
38 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
40 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
41 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
43 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
44 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
45 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
46 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
49 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
51 * OF THE POSSIBILITY OF SUCH DAMAGE.
52 * ====================================================================
54 * This product includes cryptographic software written by Eric Young
55 * (eay@cryptsoft.com). This product includes software written by Tim
56 * Hudson (tjh@cryptsoft.com).
62 #include <openssl/asn1t.h>
63 #include <openssl/x509.h>
64 #include <openssl/rsa.h>
65 #include <openssl/bn.h>
66 #ifndef OPENSSL_NO_CMS
67 # include <openssl/cms.h>
69 #include "asn1_locl.h"
71 static int rsa_pub_encode(X509_PUBKEY
*pk
, const EVP_PKEY
*pkey
)
73 unsigned char *penc
= NULL
;
75 penclen
= i2d_RSAPublicKey(pkey
->pkey
.rsa
, &penc
);
78 if (X509_PUBKEY_set0_param(pk
, OBJ_nid2obj(EVP_PKEY_RSA
),
79 V_ASN1_NULL
, NULL
, penc
, penclen
))
86 static int rsa_pub_decode(EVP_PKEY
*pkey
, X509_PUBKEY
*pubkey
)
88 const unsigned char *p
;
91 if (!X509_PUBKEY_get0_param(NULL
, &p
, &pklen
, NULL
, pubkey
))
93 if (!(rsa
= d2i_RSAPublicKey(NULL
, &p
, pklen
))) {
94 RSAerr(RSA_F_RSA_PUB_DECODE
, ERR_R_RSA_LIB
);
97 EVP_PKEY_assign_RSA(pkey
, rsa
);
101 static int rsa_pub_cmp(const EVP_PKEY
*a
, const EVP_PKEY
*b
)
103 if (BN_cmp(b
->pkey
.rsa
->n
, a
->pkey
.rsa
->n
) != 0
104 || BN_cmp(b
->pkey
.rsa
->e
, a
->pkey
.rsa
->e
) != 0)
109 static int old_rsa_priv_decode(EVP_PKEY
*pkey
,
110 const unsigned char **pder
, int derlen
)
113 if (!(rsa
= d2i_RSAPrivateKey(NULL
, pder
, derlen
))) {
114 RSAerr(RSA_F_OLD_RSA_PRIV_DECODE
, ERR_R_RSA_LIB
);
117 EVP_PKEY_assign_RSA(pkey
, rsa
);
121 static int old_rsa_priv_encode(const EVP_PKEY
*pkey
, unsigned char **pder
)
123 return i2d_RSAPrivateKey(pkey
->pkey
.rsa
, pder
);
126 static int rsa_priv_encode(PKCS8_PRIV_KEY_INFO
*p8
, const EVP_PKEY
*pkey
)
128 unsigned char *rk
= NULL
;
130 rklen
= i2d_RSAPrivateKey(pkey
->pkey
.rsa
, &rk
);
133 RSAerr(RSA_F_RSA_PRIV_ENCODE
, ERR_R_MALLOC_FAILURE
);
137 if (!PKCS8_pkey_set0(p8
, OBJ_nid2obj(NID_rsaEncryption
), 0,
138 V_ASN1_NULL
, NULL
, rk
, rklen
)) {
139 RSAerr(RSA_F_RSA_PRIV_ENCODE
, ERR_R_MALLOC_FAILURE
);
146 static int rsa_priv_decode(EVP_PKEY
*pkey
, PKCS8_PRIV_KEY_INFO
*p8
)
148 const unsigned char *p
;
150 if (!PKCS8_pkey_get0(NULL
, &p
, &pklen
, NULL
, p8
))
152 return old_rsa_priv_decode(pkey
, &p
, pklen
);
155 static int int_rsa_size(const EVP_PKEY
*pkey
)
157 return RSA_size(pkey
->pkey
.rsa
);
160 static int rsa_bits(const EVP_PKEY
*pkey
)
162 return BN_num_bits(pkey
->pkey
.rsa
->n
);
165 static void int_rsa_free(EVP_PKEY
*pkey
)
167 RSA_free(pkey
->pkey
.rsa
);
170 static void update_buflen(const BIGNUM
*b
, size_t *pbuflen
)
175 if (*pbuflen
< (i
= (size_t)BN_num_bytes(b
)))
179 static int do_rsa_print(BIO
*bp
, const RSA
*x
, int off
, int priv
)
183 unsigned char *m
= NULL
;
184 int ret
= 0, mod_len
= 0;
187 update_buflen(x
->n
, &buf_len
);
188 update_buflen(x
->e
, &buf_len
);
191 update_buflen(x
->d
, &buf_len
);
192 update_buflen(x
->p
, &buf_len
);
193 update_buflen(x
->q
, &buf_len
);
194 update_buflen(x
->dmp1
, &buf_len
);
195 update_buflen(x
->dmq1
, &buf_len
);
196 update_buflen(x
->iqmp
, &buf_len
);
199 m
= (unsigned char *)OPENSSL_malloc(buf_len
+ 10);
201 RSAerr(RSA_F_DO_RSA_PRINT
, ERR_R_MALLOC_FAILURE
);
206 mod_len
= BN_num_bits(x
->n
);
208 if (!BIO_indent(bp
, off
, 128))
212 if (BIO_printf(bp
, "Private-Key: (%d bit)\n", mod_len
)
216 s
= "publicExponent:";
218 if (BIO_printf(bp
, "Public-Key: (%d bit)\n", mod_len
)
224 if (!ASN1_bn_print(bp
, str
, x
->n
, m
, off
))
226 if (!ASN1_bn_print(bp
, s
, x
->e
, m
, off
))
229 if (!ASN1_bn_print(bp
, "privateExponent:", x
->d
, m
, off
))
231 if (!ASN1_bn_print(bp
, "prime1:", x
->p
, m
, off
))
233 if (!ASN1_bn_print(bp
, "prime2:", x
->q
, m
, off
))
235 if (!ASN1_bn_print(bp
, "exponent1:", x
->dmp1
, m
, off
))
237 if (!ASN1_bn_print(bp
, "exponent2:", x
->dmq1
, m
, off
))
239 if (!ASN1_bn_print(bp
, "coefficient:", x
->iqmp
, m
, off
))
249 static int rsa_pub_print(BIO
*bp
, const EVP_PKEY
*pkey
, int indent
,
252 return do_rsa_print(bp
, pkey
->pkey
.rsa
, indent
, 0);
255 static int rsa_priv_print(BIO
*bp
, const EVP_PKEY
*pkey
, int indent
,
258 return do_rsa_print(bp
, pkey
->pkey
.rsa
, indent
, 1);
261 static RSA_PSS_PARAMS
*rsa_pss_decode(const X509_ALGOR
*alg
,
262 X509_ALGOR
**pmaskHash
)
264 const unsigned char *p
;
270 if (!alg
->parameter
|| alg
->parameter
->type
!= V_ASN1_SEQUENCE
)
272 p
= alg
->parameter
->value
.sequence
->data
;
273 plen
= alg
->parameter
->value
.sequence
->length
;
274 pss
= d2i_RSA_PSS_PARAMS(NULL
, &p
, plen
);
279 if (pss
->maskGenAlgorithm
) {
280 ASN1_TYPE
*param
= pss
->maskGenAlgorithm
->parameter
;
281 if (OBJ_obj2nid(pss
->maskGenAlgorithm
->algorithm
) == NID_mgf1
282 && param
->type
== V_ASN1_SEQUENCE
) {
283 p
= param
->value
.sequence
->data
;
284 plen
= param
->value
.sequence
->length
;
285 *pmaskHash
= d2i_X509_ALGOR(NULL
, &p
, plen
);
292 static int rsa_pss_param_print(BIO
*bp
, RSA_PSS_PARAMS
*pss
,
293 X509_ALGOR
*maskHash
, int indent
)
297 if (BIO_puts(bp
, " (INVALID PSS PARAMETERS)\n") <= 0)
301 if (BIO_puts(bp
, "\n") <= 0)
303 if (!BIO_indent(bp
, indent
, 128))
305 if (BIO_puts(bp
, "Hash Algorithm: ") <= 0)
308 if (pss
->hashAlgorithm
) {
309 if (i2a_ASN1_OBJECT(bp
, pss
->hashAlgorithm
->algorithm
) <= 0)
311 } else if (BIO_puts(bp
, "sha1 (default)") <= 0)
314 if (BIO_puts(bp
, "\n") <= 0)
317 if (!BIO_indent(bp
, indent
, 128))
320 if (BIO_puts(bp
, "Mask Algorithm: ") <= 0)
322 if (pss
->maskGenAlgorithm
) {
323 if (i2a_ASN1_OBJECT(bp
, pss
->maskGenAlgorithm
->algorithm
) <= 0)
325 if (BIO_puts(bp
, " with ") <= 0)
328 if (i2a_ASN1_OBJECT(bp
, maskHash
->algorithm
) <= 0)
330 } else if (BIO_puts(bp
, "INVALID") <= 0)
332 } else if (BIO_puts(bp
, "mgf1 with sha1 (default)") <= 0)
336 if (!BIO_indent(bp
, indent
, 128))
338 if (BIO_puts(bp
, "Salt Length: 0x") <= 0)
340 if (pss
->saltLength
) {
341 if (i2a_ASN1_INTEGER(bp
, pss
->saltLength
) <= 0)
343 } else if (BIO_puts(bp
, "14 (default)") <= 0)
347 if (!BIO_indent(bp
, indent
, 128))
349 if (BIO_puts(bp
, "Trailer Field: 0x") <= 0)
351 if (pss
->trailerField
) {
352 if (i2a_ASN1_INTEGER(bp
, pss
->trailerField
) <= 0)
354 } else if (BIO_puts(bp
, "BC (default)") <= 0)
365 static int rsa_sig_print(BIO
*bp
, const X509_ALGOR
*sigalg
,
366 const ASN1_STRING
*sig
, int indent
, ASN1_PCTX
*pctx
)
368 if (OBJ_obj2nid(sigalg
->algorithm
) == NID_rsassaPss
) {
371 X509_ALGOR
*maskHash
;
372 pss
= rsa_pss_decode(sigalg
, &maskHash
);
373 rv
= rsa_pss_param_print(bp
, pss
, maskHash
, indent
);
375 RSA_PSS_PARAMS_free(pss
);
377 X509_ALGOR_free(maskHash
);
380 } else if (!sig
&& BIO_puts(bp
, "\n") <= 0)
383 return X509_signature_dump(bp
, sig
, indent
);
387 static int rsa_pkey_ctrl(EVP_PKEY
*pkey
, int op
, long arg1
, void *arg2
)
389 X509_ALGOR
*alg
= NULL
;
392 case ASN1_PKEY_CTRL_PKCS7_SIGN
:
394 PKCS7_SIGNER_INFO_get0_algs(arg2
, NULL
, NULL
, &alg
);
397 case ASN1_PKEY_CTRL_PKCS7_ENCRYPT
:
399 PKCS7_RECIP_INFO_get0_alg(arg2
, &alg
);
401 #ifndef OPENSSL_NO_CMS
402 case ASN1_PKEY_CTRL_CMS_SIGN
:
404 CMS_SignerInfo_get0_algs(arg2
, NULL
, NULL
, NULL
, &alg
);
407 case ASN1_PKEY_CTRL_CMS_ENVELOPE
:
409 CMS_RecipientInfo_ktri_get0_algs(arg2
, NULL
, NULL
, &alg
);
413 case ASN1_PKEY_CTRL_DEFAULT_MD_NID
:
414 *(int *)arg2
= NID_sha1
;
423 X509_ALGOR_set0(alg
, OBJ_nid2obj(NID_rsaEncryption
), V_ASN1_NULL
, 0);
430 * Customised RSA item verification routine. This is called when a signature
431 * is encountered requiring special handling. We currently only handle PSS.
434 static int rsa_item_verify(EVP_MD_CTX
*ctx
, const ASN1_ITEM
*it
, void *asn
,
435 X509_ALGOR
*sigalg
, ASN1_BIT_STRING
*sig
,
440 const EVP_MD
*mgf1md
= NULL
, *md
= NULL
;
442 X509_ALGOR
*maskHash
;
444 /* Sanity check: make sure it is PSS */
445 if (OBJ_obj2nid(sigalg
->algorithm
) != NID_rsassaPss
) {
446 RSAerr(RSA_F_RSA_ITEM_VERIFY
, RSA_R_UNSUPPORTED_SIGNATURE_TYPE
);
449 /* Decode PSS parameters */
450 pss
= rsa_pss_decode(sigalg
, &maskHash
);
453 RSAerr(RSA_F_RSA_ITEM_VERIFY
, RSA_R_INVALID_PSS_PARAMETERS
);
456 /* Check mask and lookup mask hash algorithm */
457 if (pss
->maskGenAlgorithm
) {
458 if (OBJ_obj2nid(pss
->maskGenAlgorithm
->algorithm
) != NID_mgf1
) {
459 RSAerr(RSA_F_RSA_ITEM_VERIFY
, RSA_R_UNSUPPORTED_MASK_ALGORITHM
);
463 RSAerr(RSA_F_RSA_ITEM_VERIFY
, RSA_R_UNSUPPORTED_MASK_PARAMETER
);
466 mgf1md
= EVP_get_digestbyobj(maskHash
->algorithm
);
467 if (mgf1md
== NULL
) {
468 RSAerr(RSA_F_RSA_ITEM_VERIFY
, RSA_R_UNKNOWN_MASK_DIGEST
);
474 if (pss
->hashAlgorithm
) {
475 md
= EVP_get_digestbyobj(pss
->hashAlgorithm
->algorithm
);
477 RSAerr(RSA_F_RSA_ITEM_VERIFY
, RSA_R_UNKNOWN_PSS_DIGEST
);
483 if (pss
->saltLength
) {
484 saltlen
= ASN1_INTEGER_get(pss
->saltLength
);
487 * Could perform more salt length sanity checks but the main RSA
488 * routines will trap other invalid values anyway.
491 RSAerr(RSA_F_RSA_ITEM_VERIFY
, RSA_R_INVALID_SALT_LENGTH
);
498 * low-level routines support only trailer field 0xbc (value 1) and
499 * PKCS#1 says we should reject any other value anyway.
501 if (pss
->trailerField
&& ASN1_INTEGER_get(pss
->trailerField
) != 1) {
502 RSAerr(RSA_F_RSA_ITEM_VERIFY
, RSA_R_INVALID_TRAILER
);
506 /* We have all parameters now set up context */
508 if (!EVP_DigestVerifyInit(ctx
, &pkctx
, md
, NULL
, pkey
))
511 if (EVP_PKEY_CTX_set_rsa_padding(pkctx
, RSA_PKCS1_PSS_PADDING
) <= 0)
514 if (EVP_PKEY_CTX_set_rsa_pss_saltlen(pkctx
, saltlen
) <= 0)
517 if (EVP_PKEY_CTX_set_rsa_mgf1_md(pkctx
, mgf1md
) <= 0)
523 RSA_PSS_PARAMS_free(pss
);
525 X509_ALGOR_free(maskHash
);
529 static int rsa_item_sign(EVP_MD_CTX
*ctx
, const ASN1_ITEM
*it
, void *asn
,
530 X509_ALGOR
*alg1
, X509_ALGOR
*alg2
,
531 ASN1_BIT_STRING
*sig
)
534 EVP_PKEY_CTX
*pkctx
= ctx
->pctx
;
535 if (EVP_PKEY_CTX_get_rsa_padding(pkctx
, &pad_mode
) <= 0)
537 if (pad_mode
== RSA_PKCS1_PADDING
)
539 if (pad_mode
== RSA_PKCS1_PSS_PADDING
) {
540 const EVP_MD
*sigmd
, *mgf1md
;
541 RSA_PSS_PARAMS
*pss
= NULL
;
542 X509_ALGOR
*mgf1alg
= NULL
;
543 ASN1_STRING
*os1
= NULL
, *os2
= NULL
;
544 EVP_PKEY
*pk
= EVP_PKEY_CTX_get0_pkey(pkctx
);
546 sigmd
= EVP_MD_CTX_md(ctx
);
547 if (EVP_PKEY_CTX_get_rsa_mgf1_md(pkctx
, &mgf1md
) <= 0)
549 if (!EVP_PKEY_CTX_get_rsa_pss_saltlen(pkctx
, &saltlen
))
552 saltlen
= EVP_MD_size(sigmd
);
553 else if (saltlen
== -2) {
554 saltlen
= EVP_PKEY_size(pk
) - EVP_MD_size(sigmd
) - 2;
555 if (((EVP_PKEY_bits(pk
) - 1) & 0x7) == 0)
558 pss
= RSA_PSS_PARAMS_new();
562 pss
->saltLength
= ASN1_INTEGER_new();
563 if (!pss
->saltLength
)
565 if (!ASN1_INTEGER_set(pss
->saltLength
, saltlen
))
568 if (EVP_MD_type(sigmd
) != NID_sha1
) {
569 pss
->hashAlgorithm
= X509_ALGOR_new();
570 if (!pss
->hashAlgorithm
)
572 X509_ALGOR_set_md(pss
->hashAlgorithm
, sigmd
);
574 if (EVP_MD_type(mgf1md
) != NID_sha1
) {
575 ASN1_STRING
*stmp
= NULL
;
576 /* need to embed algorithm ID inside another */
577 mgf1alg
= X509_ALGOR_new();
578 X509_ALGOR_set_md(mgf1alg
, mgf1md
);
579 if (!ASN1_item_pack(mgf1alg
, ASN1_ITEM_rptr(X509_ALGOR
), &stmp
))
581 pss
->maskGenAlgorithm
= X509_ALGOR_new();
582 if (!pss
->maskGenAlgorithm
)
584 X509_ALGOR_set0(pss
->maskGenAlgorithm
,
585 OBJ_nid2obj(NID_mgf1
), V_ASN1_SEQUENCE
, stmp
);
587 /* Finally create string with pss parameter encoding. */
588 if (!ASN1_item_pack(pss
, ASN1_ITEM_rptr(RSA_PSS_PARAMS
), &os1
))
591 os2
= ASN1_STRING_dup(os1
);
594 X509_ALGOR_set0(alg2
, OBJ_nid2obj(NID_rsassaPss
),
595 V_ASN1_SEQUENCE
, os2
);
597 X509_ALGOR_set0(alg1
, OBJ_nid2obj(NID_rsassaPss
),
598 V_ASN1_SEQUENCE
, os1
);
603 X509_ALGOR_free(mgf1alg
);
605 RSA_PSS_PARAMS_free(pss
);
607 ASN1_STRING_free(os1
);
614 const EVP_PKEY_ASN1_METHOD rsa_asn1_meths
[] = {
618 ASN1_PKEY_SIGPARAM_NULL
,
621 "OpenSSL RSA method",