1 /*
2 * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <openssl/x509.h>
11
12 #include <openssl/asn1.h>
13 #include <openssl/digest.h>
14 #include <openssl/err.h>
15 #include <openssl/evp.h>
16 #include <openssl/obj.h>
17
18 #include "internal.h"
19
20 // Restrict the digests that are allowed in X509 certificates
x509_digest_nid_ok(const int digest_nid)21 static int x509_digest_nid_ok(const int digest_nid) {
22 switch (digest_nid) {
23 case NID_md4:
24 case NID_md5:
25 return 0;
26 }
27 return 1;
28 }
29
x509_digest_sign_algorithm(EVP_MD_CTX * ctx,X509_ALGOR * algor)30 int x509_digest_sign_algorithm(EVP_MD_CTX *ctx, X509_ALGOR *algor) {
31 EVP_PKEY *pkey = EVP_PKEY_CTX_get0_pkey(ctx->pctx);
32 if (pkey == NULL) {
33 OPENSSL_PUT_ERROR(ASN1, ASN1_R_CONTEXT_NOT_INITIALISED);
34 return 0;
35 }
36
37 if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA) {
38 int pad_mode;
39 if (!EVP_PKEY_CTX_get_rsa_padding(ctx->pctx, &pad_mode)) {
40 return 0;
41 }
42 // RSA-PSS has special signature algorithm logic.
43 if (pad_mode == RSA_PKCS1_PSS_PADDING) {
44 return x509_rsa_ctx_to_pss(ctx, algor);
45 }
46 }
47
48 if (EVP_PKEY_id(pkey) == EVP_PKEY_ED25519) {
49 return X509_ALGOR_set0(algor, OBJ_nid2obj(NID_ED25519), V_ASN1_UNDEF, NULL);
50 }
51
52 // Default behavior: look up the OID for the algorithm/hash pair and encode
53 // that.
54 const EVP_MD *digest = EVP_MD_CTX_get0_md(ctx);
55 if (digest == NULL) {
56 OPENSSL_PUT_ERROR(ASN1, ASN1_R_CONTEXT_NOT_INITIALISED);
57 return 0;
58 }
59
60 const int digest_nid = EVP_MD_type(digest);
61 int sign_nid;
62 if (!x509_digest_nid_ok(digest_nid) ||
63 !OBJ_find_sigid_by_algs(&sign_nid, digest_nid, EVP_PKEY_id(pkey))) {
64 OPENSSL_PUT_ERROR(ASN1, ASN1_R_DIGEST_AND_KEY_TYPE_NOT_SUPPORTED);
65 return 0;
66 }
67
68 // RSA signature algorithms include an explicit NULL parameter. Others omit
69 // it.
70 int paramtype =
71 (EVP_PKEY_id(pkey) == EVP_PKEY_RSA) ? V_ASN1_NULL : V_ASN1_UNDEF;
72 return X509_ALGOR_set0(algor, OBJ_nid2obj(sign_nid), paramtype, NULL);
73 }
74
x509_digest_verify_init(EVP_MD_CTX * ctx,const X509_ALGOR * sigalg,EVP_PKEY * pkey)75 int x509_digest_verify_init(EVP_MD_CTX *ctx, const X509_ALGOR *sigalg,
76 EVP_PKEY *pkey) {
77 // Convert the signature OID into digest and public key OIDs.
78 int sigalg_nid = OBJ_obj2nid(sigalg->algorithm);
79 int digest_nid, pkey_nid;
80 if (!OBJ_find_sigid_algs(sigalg_nid, &digest_nid, &pkey_nid)) {
81 OPENSSL_PUT_ERROR(ASN1, ASN1_R_UNKNOWN_SIGNATURE_ALGORITHM);
82 return 0;
83 }
84
85 // Check the public key OID matches the public key type.
86 if (pkey_nid != EVP_PKEY_id(pkey)) {
87 OPENSSL_PUT_ERROR(ASN1, ASN1_R_WRONG_PUBLIC_KEY_TYPE);
88 return 0;
89 }
90
91 // Check for permitted digest algorithms
92 if (!x509_digest_nid_ok(digest_nid)) {
93 OPENSSL_PUT_ERROR(ASN1, ASN1_R_DIGEST_AND_KEY_TYPE_NOT_SUPPORTED);
94 return 0;
95 }
96
97 // NID_undef signals that there are custom parameters to set.
98 if (digest_nid == NID_undef) {
99 if (sigalg_nid == NID_rsassaPss) {
100 return x509_rsa_pss_to_ctx(ctx, sigalg, pkey);
101 }
102 if (sigalg_nid == NID_ED25519) {
103 if (sigalg->parameter != NULL) {
104 OPENSSL_PUT_ERROR(X509, X509_R_INVALID_PARAMETER);
105 return 0;
106 }
107 return EVP_DigestVerifyInit(ctx, NULL, NULL, NULL, pkey);
108 }
109 OPENSSL_PUT_ERROR(ASN1, ASN1_R_UNKNOWN_SIGNATURE_ALGORITHM);
110 return 0;
111 }
112
113 // The parameter should be an explicit NULL for RSA and omitted for ECDSA. For
114 // compatibility, we allow either for both algorithms. See b/167375496.
115 //
116 // TODO(davidben): Chromium's verifier allows both forms for RSA, but enforces
117 // ECDSA more strictly. Align with Chromium and add a flag for b/167375496.
118 if (sigalg->parameter != NULL && sigalg->parameter->type != V_ASN1_NULL) {
119 OPENSSL_PUT_ERROR(X509, X509_R_INVALID_PARAMETER);
120 return 0;
121 }
122
123 // Otherwise, initialize with the digest from the OID.
124 const EVP_MD *digest = EVP_get_digestbynid(digest_nid);
125 if (digest == NULL) {
126 OPENSSL_PUT_ERROR(ASN1, ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
127 return 0;
128 }
129
130 return EVP_DigestVerifyInit(ctx, NULL, digest, NULL, pkey);
131 }
132