• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // Copyright 2018 Google Inc.
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 //     http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 //
15 ///////////////////////////////////////////////////////////////////////////////
16 
17 #include "tink/signature/rsa_ssa_pss_verify_key_manager.h"
18 
19 #include <memory>
20 #include <utility>
21 
22 #include "absl/status/status.h"
23 #include "absl/strings/str_cat.h"
24 #include "absl/strings/string_view.h"
25 #include "tink/internal/bn_util.h"
26 #include "tink/internal/md_util.h"
27 #include "tink/internal/rsa_util.h"
28 #include "tink/internal/ssl_unique_ptr.h"
29 #include "tink/public_key_verify.h"
30 #include "tink/subtle/rsa_ssa_pss_verify_boringssl.h"
31 #include "tink/util/enums.h"
32 #include "tink/util/errors.h"
33 #include "tink/util/protobuf_helper.h"
34 #include "tink/util/status.h"
35 #include "tink/util/statusor.h"
36 #include "tink/util/validation.h"
37 #include "proto/rsa_ssa_pss.pb.h"
38 #include "proto/tink.pb.h"
39 
40 namespace crypto {
41 namespace tink {
42 
43 using crypto::tink::util::Enums;
44 using crypto::tink::util::Status;
45 using crypto::tink::util::StatusOr;
46 using google::crypto::tink::RsaSsaPssParams;
47 using google::crypto::tink::RsaSsaPssPublicKey;
48 
49 StatusOr<std::unique_ptr<PublicKeyVerify>>
Create(const RsaSsaPssPublicKey & rsa_ssa_pss_public_key) const50 RsaSsaPssVerifyKeyManager::PublicKeyVerifyFactory::Create(
51     const RsaSsaPssPublicKey& rsa_ssa_pss_public_key) const {
52   internal::RsaPublicKey rsa_pub_key;
53   rsa_pub_key.n = rsa_ssa_pss_public_key.n();
54   rsa_pub_key.e = rsa_ssa_pss_public_key.e();
55 
56   internal::RsaSsaPssParams params;
57   RsaSsaPssParams rsa_ssa_pss_params = rsa_ssa_pss_public_key.params();
58   params.sig_hash = Enums::ProtoToSubtle(rsa_ssa_pss_params.sig_hash());
59   params.mgf1_hash = Enums::ProtoToSubtle(rsa_ssa_pss_params.mgf1_hash());
60   params.salt_length = rsa_ssa_pss_params.salt_length();
61 
62   auto rsa_ssa_pss_result =
63       subtle::RsaSsaPssVerifyBoringSsl::New(rsa_pub_key, params);
64   if (!rsa_ssa_pss_result.ok()) return rsa_ssa_pss_result.status();
65   return {std::move(rsa_ssa_pss_result).value()};
66 }
67 
ValidateKey(const RsaSsaPssPublicKey & key) const68 Status RsaSsaPssVerifyKeyManager::ValidateKey(
69     const RsaSsaPssPublicKey& key) const {
70   Status status = ValidateVersion(key.version(), get_version());
71   if (!status.ok()) return status;
72   StatusOr<internal::SslUniquePtr<BIGNUM>> n =
73       internal::StringToBignum(key.n());
74   if (!n.ok()) {
75     return n.status();
76   }
77   Status modulus_status =
78       internal::ValidateRsaModulusSize(BN_num_bits(n->get()));
79   if (!modulus_status.ok()) {
80     return modulus_status;
81   }
82   Status exponent_status = internal::ValidateRsaPublicExponent(key.e());
83   if (!exponent_status.ok()) {
84     return exponent_status;
85   }
86   return ValidateParams(key.params());
87 }
88 
ValidateParams(const RsaSsaPssParams & params) const89 Status RsaSsaPssVerifyKeyManager::ValidateParams(
90     const RsaSsaPssParams& params) const {
91   util::Status hash_result = internal::IsHashTypeSafeForSignature(
92       Enums::ProtoToSubtle(params.sig_hash()));
93   if (!hash_result.ok()) {
94     return hash_result;
95   }
96   // The most common use case is that MGF1 hash is the same as signature hash.
97   // This is recommended by RFC https://tools.ietf.org/html/rfc8017#section-8.1.
98   // While using different hashes doesn't cause security vulnerabilities, there
99   // is also no good reason to support different hashes. Furthermore:
100   //
101   //  - Golang does not support different hashes.
102   //
103   //  - BoringSSL supports different hashes just because of historical reason.
104   // There is no real use case.
105   //
106   //  - Conscrypt/BouncyCastle do not support different hashes.
107   if (params.mgf1_hash() != params.sig_hash()) {
108     return util::Status(absl::StatusCode::kInvalidArgument,
109                         absl::StrCat("MGF1 hash '", params.mgf1_hash(),
110                                      "' is different from signature hash '",
111                                      params.sig_hash(), "'"));
112   }
113   if (params.salt_length() < 0) {
114     return util::Status(absl::StatusCode::kInvalidArgument,
115                         "salt length is negative");
116   }
117   return util::OkStatus();
118 }
119 
120 }  // namespace tink
121 }  // namespace crypto
122