• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
2  * project 2006.
3  */
4 /* ====================================================================
5  * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  *
11  * 1. Redistributions of source code must retain the above copyright
12  *    notice, this list of conditions and the following disclaimer.
13  *
14  * 2. Redistributions in binary form must reproduce the above copyright
15  *    notice, this list of conditions and the following disclaimer in
16  *    the documentation and/or other materials provided with the
17  *    distribution.
18  *
19  * 3. All advertising materials mentioning features or use of this
20  *    software must display the following acknowledgment:
21  *    "This product includes software developed by the OpenSSL Project
22  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
23  *
24  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
25  *    endorse or promote products derived from this software without
26  *    prior written permission. For written permission, please contact
27  *    licensing@OpenSSL.org.
28  *
29  * 5. Products derived from this software may not be called "OpenSSL"
30  *    nor may "OpenSSL" appear in their names without prior written
31  *    permission of the OpenSSL Project.
32  *
33  * 6. Redistributions of any form whatsoever must retain the following
34  *    acknowledgment:
35  *    "This product includes software developed by the OpenSSL Project
36  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
37  *
38  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
39  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
40  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
41  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
42  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
43  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
44  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
45  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
46  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
47  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
48  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
49  * OF THE POSSIBILITY OF SUCH DAMAGE.
50  * ====================================================================
51  *
52  * This product includes cryptographic software written by Eric Young
53  * (eay@cryptsoft.com).  This product includes software written by Tim
54  * Hudson (tjh@cryptsoft.com). */
55 
56 #include <openssl/evp.h>
57 
58 #include <openssl/asn1.h>
59 #include <openssl/asn1t.h>
60 #include <openssl/bytestring.h>
61 #include <openssl/digest.h>
62 #include <openssl/err.h>
63 #include <openssl/mem.h>
64 #include <openssl/obj.h>
65 #include <openssl/rsa.h>
66 #include <openssl/x509.h>
67 
68 #include "../rsa/internal.h"
69 #include "internal.h"
70 
71 
rsa_pub_encode(X509_PUBKEY * pk,const EVP_PKEY * pkey)72 static int rsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey) {
73   uint8_t *encoded;
74   size_t encoded_len;
75   if (!RSA_public_key_to_bytes(&encoded, &encoded_len, pkey->pkey.rsa)) {
76     return 0;
77   }
78 
79   if (!X509_PUBKEY_set0_param(pk, OBJ_nid2obj(EVP_PKEY_RSA), V_ASN1_NULL, NULL,
80                               encoded, encoded_len)) {
81     OPENSSL_free(encoded);
82     return 0;
83   }
84 
85   return 1;
86 }
87 
rsa_pub_decode(EVP_PKEY * pkey,X509_PUBKEY * pubkey)88 static int rsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey) {
89   const uint8_t *p;
90   int pklen;
91   if (!X509_PUBKEY_get0_param(NULL, &p, &pklen, NULL, pubkey)) {
92     return 0;
93   }
94 
95   /* Estonian IDs issued between September 2014 to September 2015 are
96    * broken. See https://crbug.com/532048 and https://crbug.com/534766.
97    *
98    * TODO(davidben): Switch this to the strict version in March 2016 or when
99    * Chromium can force client certificates down a different codepath, whichever
100    * comes first. */
101   CBS cbs;
102   CBS_init(&cbs, p, pklen);
103   RSA *rsa = RSA_parse_public_key_buggy(&cbs);
104   if (rsa == NULL || CBS_len(&cbs) != 0) {
105     OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
106     RSA_free(rsa);
107     return 0;
108   }
109 
110   EVP_PKEY_assign_RSA(pkey, rsa);
111   return 1;
112 }
113 
rsa_pub_cmp(const EVP_PKEY * a,const EVP_PKEY * b)114 static int rsa_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b) {
115   return BN_cmp(b->pkey.rsa->n, a->pkey.rsa->n) == 0 &&
116          BN_cmp(b->pkey.rsa->e, a->pkey.rsa->e) == 0;
117 }
118 
rsa_priv_encode(PKCS8_PRIV_KEY_INFO * p8,const EVP_PKEY * pkey)119 static int rsa_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey) {
120   uint8_t *encoded;
121   size_t encoded_len;
122   if (!RSA_private_key_to_bytes(&encoded, &encoded_len, pkey->pkey.rsa)) {
123     return 0;
124   }
125 
126   /* TODO(fork): const correctness in next line. */
127   if (!PKCS8_pkey_set0(p8, (ASN1_OBJECT *)OBJ_nid2obj(NID_rsaEncryption), 0,
128                        V_ASN1_NULL, NULL, encoded, encoded_len)) {
129     OPENSSL_free(encoded);
130     OPENSSL_PUT_ERROR(EVP, ERR_R_MALLOC_FAILURE);
131     return 0;
132   }
133 
134   return 1;
135 }
136 
rsa_priv_decode(EVP_PKEY * pkey,PKCS8_PRIV_KEY_INFO * p8)137 static int rsa_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8) {
138   const uint8_t *p;
139   int pklen;
140   if (!PKCS8_pkey_get0(NULL, &p, &pklen, NULL, p8)) {
141     OPENSSL_PUT_ERROR(EVP, ERR_R_MALLOC_FAILURE);
142     return 0;
143   }
144 
145   RSA *rsa = RSA_private_key_from_bytes(p, pklen);
146   if (rsa == NULL) {
147     OPENSSL_PUT_ERROR(EVP, ERR_R_RSA_LIB);
148     return 0;
149   }
150 
151   EVP_PKEY_assign_RSA(pkey, rsa);
152   return 1;
153 }
154 
rsa_opaque(const EVP_PKEY * pkey)155 static int rsa_opaque(const EVP_PKEY *pkey) {
156   return RSA_is_opaque(pkey->pkey.rsa);
157 }
158 
rsa_supports_digest(const EVP_PKEY * pkey,const EVP_MD * md)159 static int rsa_supports_digest(const EVP_PKEY *pkey, const EVP_MD *md) {
160   return RSA_supports_digest(pkey->pkey.rsa, md);
161 }
162 
int_rsa_size(const EVP_PKEY * pkey)163 static int int_rsa_size(const EVP_PKEY *pkey) {
164   return RSA_size(pkey->pkey.rsa);
165 }
166 
rsa_bits(const EVP_PKEY * pkey)167 static int rsa_bits(const EVP_PKEY *pkey) {
168   return BN_num_bits(pkey->pkey.rsa->n);
169 }
170 
int_rsa_free(EVP_PKEY * pkey)171 static void int_rsa_free(EVP_PKEY *pkey) { RSA_free(pkey->pkey.rsa); }
172 
update_buflen(const BIGNUM * b,size_t * pbuflen)173 static void update_buflen(const BIGNUM *b, size_t *pbuflen) {
174   size_t i;
175 
176   if (!b) {
177     return;
178   }
179 
180   i = BN_num_bytes(b);
181   if (*pbuflen < i) {
182     *pbuflen = i;
183   }
184 }
185 
do_rsa_print(BIO * out,const RSA * rsa,int off,int include_private)186 static int do_rsa_print(BIO *out, const RSA *rsa, int off,
187                         int include_private) {
188   char *str;
189   const char *s;
190   uint8_t *m = NULL;
191   int ret = 0, mod_len = 0;
192   size_t buf_len = 0;
193 
194   update_buflen(rsa->n, &buf_len);
195   update_buflen(rsa->e, &buf_len);
196 
197   if (include_private) {
198     update_buflen(rsa->d, &buf_len);
199     update_buflen(rsa->p, &buf_len);
200     update_buflen(rsa->q, &buf_len);
201     update_buflen(rsa->dmp1, &buf_len);
202     update_buflen(rsa->dmq1, &buf_len);
203     update_buflen(rsa->iqmp, &buf_len);
204 
205     if (rsa->additional_primes != NULL) {
206       size_t i;
207 
208       for (i = 0; i < sk_RSA_additional_prime_num(rsa->additional_primes);
209            i++) {
210         const RSA_additional_prime *ap =
211             sk_RSA_additional_prime_value(rsa->additional_primes, i);
212         update_buflen(ap->prime, &buf_len);
213         update_buflen(ap->exp, &buf_len);
214         update_buflen(ap->coeff, &buf_len);
215       }
216     }
217   }
218 
219   m = (uint8_t *)OPENSSL_malloc(buf_len + 10);
220   if (m == NULL) {
221     OPENSSL_PUT_ERROR(EVP, ERR_R_MALLOC_FAILURE);
222     goto err;
223   }
224 
225   if (rsa->n != NULL) {
226     mod_len = BN_num_bits(rsa->n);
227   }
228 
229   if (!BIO_indent(out, off, 128)) {
230     goto err;
231   }
232 
233   if (include_private && rsa->d) {
234     if (BIO_printf(out, "Private-Key: (%d bit)\n", mod_len) <= 0) {
235       goto err;
236     }
237     str = "modulus:";
238     s = "publicExponent:";
239   } else {
240     if (BIO_printf(out, "Public-Key: (%d bit)\n", mod_len) <= 0) {
241       goto err;
242     }
243     str = "Modulus:";
244     s = "Exponent:";
245   }
246   if (!ASN1_bn_print(out, str, rsa->n, m, off) ||
247       !ASN1_bn_print(out, s, rsa->e, m, off)) {
248     goto err;
249   }
250 
251   if (include_private) {
252     if (!ASN1_bn_print(out, "privateExponent:", rsa->d, m, off) ||
253         !ASN1_bn_print(out, "prime1:", rsa->p, m, off) ||
254         !ASN1_bn_print(out, "prime2:", rsa->q, m, off) ||
255         !ASN1_bn_print(out, "exponent1:", rsa->dmp1, m, off) ||
256         !ASN1_bn_print(out, "exponent2:", rsa->dmq1, m, off) ||
257         !ASN1_bn_print(out, "coefficient:", rsa->iqmp, m, off)) {
258       goto err;
259     }
260 
261     if (rsa->additional_primes != NULL &&
262         sk_RSA_additional_prime_num(rsa->additional_primes) > 0) {
263       size_t i;
264 
265       if (BIO_printf(out, "otherPrimeInfos:\n") <= 0) {
266         goto err;
267       }
268       for (i = 0; i < sk_RSA_additional_prime_num(rsa->additional_primes);
269            i++) {
270         const RSA_additional_prime *ap =
271             sk_RSA_additional_prime_value(rsa->additional_primes, i);
272 
273         if (BIO_printf(out, "otherPrimeInfo (prime %u):\n",
274                        (unsigned)(i + 3)) <= 0 ||
275             !ASN1_bn_print(out, "prime:", ap->prime, m, off) ||
276             !ASN1_bn_print(out, "exponent:", ap->exp, m, off) ||
277             !ASN1_bn_print(out, "coeff:", ap->coeff, m, off)) {
278           goto err;
279         }
280       }
281     }
282   }
283   ret = 1;
284 
285 err:
286   OPENSSL_free(m);
287   return ret;
288 }
289 
rsa_pub_print(BIO * bp,const EVP_PKEY * pkey,int indent,ASN1_PCTX * ctx)290 static int rsa_pub_print(BIO *bp, const EVP_PKEY *pkey, int indent,
291                          ASN1_PCTX *ctx) {
292   return do_rsa_print(bp, pkey->pkey.rsa, indent, 0);
293 }
294 
295 
rsa_priv_print(BIO * bp,const EVP_PKEY * pkey,int indent,ASN1_PCTX * ctx)296 static int rsa_priv_print(BIO *bp, const EVP_PKEY *pkey, int indent,
297                           ASN1_PCTX *ctx) {
298   return do_rsa_print(bp, pkey->pkey.rsa, indent, 1);
299 }
300 
301 /* Given an MGF1 Algorithm ID decode to an Algorithm Identifier */
rsa_mgf1_decode(X509_ALGOR * alg)302 static X509_ALGOR *rsa_mgf1_decode(X509_ALGOR *alg) {
303   const uint8_t *p;
304   int plen;
305 
306   if (alg == NULL || alg->parameter == NULL ||
307       OBJ_obj2nid(alg->algorithm) != NID_mgf1 ||
308       alg->parameter->type != V_ASN1_SEQUENCE) {
309     return NULL;
310   }
311 
312   p = alg->parameter->value.sequence->data;
313   plen = alg->parameter->value.sequence->length;
314   return d2i_X509_ALGOR(NULL, &p, plen);
315 }
316 
rsa_pss_decode(const X509_ALGOR * alg,X509_ALGOR ** pmaskHash)317 static RSA_PSS_PARAMS *rsa_pss_decode(const X509_ALGOR *alg,
318                                       X509_ALGOR **pmaskHash) {
319   const uint8_t *p;
320   int plen;
321   RSA_PSS_PARAMS *pss;
322 
323   *pmaskHash = NULL;
324 
325   if (!alg->parameter || alg->parameter->type != V_ASN1_SEQUENCE) {
326     return NULL;
327   }
328   p = alg->parameter->value.sequence->data;
329   plen = alg->parameter->value.sequence->length;
330   pss = d2i_RSA_PSS_PARAMS(NULL, &p, plen);
331 
332   if (!pss) {
333     return NULL;
334   }
335 
336   *pmaskHash = rsa_mgf1_decode(pss->maskGenAlgorithm);
337 
338   return pss;
339 }
340 
rsa_pss_param_print(BIO * bp,RSA_PSS_PARAMS * pss,X509_ALGOR * maskHash,int indent)341 static int rsa_pss_param_print(BIO *bp, RSA_PSS_PARAMS *pss,
342                                X509_ALGOR *maskHash, int indent) {
343   int rv = 0;
344 
345   if (!pss) {
346     if (BIO_puts(bp, " (INVALID PSS PARAMETERS)\n") <= 0) {
347       return 0;
348     }
349     return 1;
350   }
351 
352   if (BIO_puts(bp, "\n") <= 0 ||
353       !BIO_indent(bp, indent, 128) ||
354       BIO_puts(bp, "Hash Algorithm: ") <= 0) {
355     goto err;
356   }
357 
358   if (pss->hashAlgorithm) {
359     if (i2a_ASN1_OBJECT(bp, pss->hashAlgorithm->algorithm) <= 0) {
360       goto err;
361     }
362   } else if (BIO_puts(bp, "sha1 (default)") <= 0) {
363     goto err;
364   }
365 
366   if (BIO_puts(bp, "\n") <= 0 ||
367       !BIO_indent(bp, indent, 128) ||
368       BIO_puts(bp, "Mask Algorithm: ") <= 0) {
369     goto err;
370   }
371 
372   if (pss->maskGenAlgorithm) {
373     if (i2a_ASN1_OBJECT(bp, pss->maskGenAlgorithm->algorithm) <= 0 ||
374         BIO_puts(bp, " with ") <= 0) {
375       goto err;
376     }
377 
378     if (maskHash) {
379       if (i2a_ASN1_OBJECT(bp, maskHash->algorithm) <= 0) {
380         goto err;
381       }
382     } else if (BIO_puts(bp, "INVALID") <= 0) {
383       goto err;
384     }
385   } else if (BIO_puts(bp, "mgf1 with sha1 (default)") <= 0) {
386     goto err;
387   }
388   BIO_puts(bp, "\n");
389 
390   if (!BIO_indent(bp, indent, 128) ||
391       BIO_puts(bp, "Salt Length: 0x") <= 0) {
392     goto err;
393   }
394 
395   if (pss->saltLength) {
396     if (i2a_ASN1_INTEGER(bp, pss->saltLength) <= 0) {
397       goto err;
398     }
399   } else if (BIO_puts(bp, "14 (default)") <= 0) {
400     goto err;
401   }
402   BIO_puts(bp, "\n");
403 
404   if (!BIO_indent(bp, indent, 128) ||
405       BIO_puts(bp, "Trailer Field: 0x") <= 0) {
406     goto err;
407   }
408 
409   if (pss->trailerField) {
410     if (i2a_ASN1_INTEGER(bp, pss->trailerField) <= 0) {
411       goto err;
412     }
413   } else if (BIO_puts(bp, "BC (default)") <= 0) {
414     goto err;
415   }
416   BIO_puts(bp, "\n");
417 
418   rv = 1;
419 
420 err:
421   return rv;
422 }
423 
rsa_sig_print(BIO * bp,const X509_ALGOR * sigalg,const ASN1_STRING * sig,int indent,ASN1_PCTX * pctx)424 static int rsa_sig_print(BIO *bp, const X509_ALGOR *sigalg,
425                          const ASN1_STRING *sig, int indent, ASN1_PCTX *pctx) {
426   if (OBJ_obj2nid(sigalg->algorithm) == NID_rsassaPss) {
427     int rv;
428     RSA_PSS_PARAMS *pss;
429     X509_ALGOR *maskHash;
430 
431     pss = rsa_pss_decode(sigalg, &maskHash);
432     rv = rsa_pss_param_print(bp, pss, maskHash, indent);
433     RSA_PSS_PARAMS_free(pss);
434     X509_ALGOR_free(maskHash);
435     if (!rv) {
436       return 0;
437     }
438   } else if (!sig && BIO_puts(bp, "\n") <= 0) {
439     return 0;
440   }
441 
442   if (sig) {
443     return X509_signature_dump(bp, sig, indent);
444   }
445   return 1;
446 }
447 
old_rsa_priv_decode(EVP_PKEY * pkey,const uint8_t ** pder,int derlen)448 static int old_rsa_priv_decode(EVP_PKEY *pkey, const uint8_t **pder,
449                                int derlen) {
450   RSA *rsa = d2i_RSAPrivateKey(NULL, pder, derlen);
451   if (rsa == NULL) {
452     OPENSSL_PUT_ERROR(EVP, ERR_R_RSA_LIB);
453     return 0;
454   }
455   EVP_PKEY_assign_RSA(pkey, rsa);
456   return 1;
457 }
458 
old_rsa_priv_encode(const EVP_PKEY * pkey,uint8_t ** pder)459 static int old_rsa_priv_encode(const EVP_PKEY *pkey, uint8_t **pder) {
460   return i2d_RSAPrivateKey(pkey->pkey.rsa, pder);
461 }
462 
463 /* allocate and set algorithm ID from EVP_MD, default SHA1 */
rsa_md_to_algor(X509_ALGOR ** palg,const EVP_MD * md)464 static int rsa_md_to_algor(X509_ALGOR **palg, const EVP_MD *md) {
465   if (EVP_MD_type(md) == NID_sha1) {
466     return 1;
467   }
468   *palg = X509_ALGOR_new();
469   if (!*palg) {
470     return 0;
471   }
472   X509_ALGOR_set_md(*palg, md);
473   return 1;
474 }
475 
476 /* Allocate and set MGF1 algorithm ID from EVP_MD */
rsa_md_to_mgf1(X509_ALGOR ** palg,const EVP_MD * mgf1md)477 static int rsa_md_to_mgf1(X509_ALGOR **palg, const EVP_MD *mgf1md) {
478   X509_ALGOR *algtmp = NULL;
479   ASN1_STRING *stmp = NULL;
480   *palg = NULL;
481 
482   if (EVP_MD_type(mgf1md) == NID_sha1) {
483     return 1;
484   }
485   /* need to embed algorithm ID inside another */
486   if (!rsa_md_to_algor(&algtmp, mgf1md) ||
487       !ASN1_item_pack(algtmp, ASN1_ITEM_rptr(X509_ALGOR), &stmp)) {
488     goto err;
489   }
490   *palg = X509_ALGOR_new();
491   if (!*palg) {
492     goto err;
493   }
494   X509_ALGOR_set0(*palg, OBJ_nid2obj(NID_mgf1), V_ASN1_SEQUENCE, stmp);
495   stmp = NULL;
496 
497 err:
498   ASN1_STRING_free(stmp);
499   X509_ALGOR_free(algtmp);
500   if (*palg) {
501     return 1;
502   }
503 
504   return 0;
505 }
506 
507 /* convert algorithm ID to EVP_MD, default SHA1 */
rsa_algor_to_md(X509_ALGOR * alg)508 static const EVP_MD *rsa_algor_to_md(X509_ALGOR *alg) {
509   const EVP_MD *md;
510   if (!alg) {
511     return EVP_sha1();
512   }
513   md = EVP_get_digestbyobj(alg->algorithm);
514   if (md == NULL) {
515     OPENSSL_PUT_ERROR(EVP, EVP_R_UNKNOWN_DIGEST);
516   }
517   return md;
518 }
519 
520 /* convert MGF1 algorithm ID to EVP_MD, default SHA1 */
rsa_mgf1_to_md(X509_ALGOR * alg,X509_ALGOR * maskHash)521 static const EVP_MD *rsa_mgf1_to_md(X509_ALGOR *alg, X509_ALGOR *maskHash) {
522   const EVP_MD *md;
523   if (!alg) {
524     return EVP_sha1();
525   }
526   /* Check mask and lookup mask hash algorithm */
527   if (OBJ_obj2nid(alg->algorithm) != NID_mgf1) {
528     OPENSSL_PUT_ERROR(EVP, EVP_R_UNSUPPORTED_MASK_ALGORITHM);
529     return NULL;
530   }
531   if (!maskHash) {
532     OPENSSL_PUT_ERROR(EVP, EVP_R_UNSUPPORTED_MASK_PARAMETER);
533     return NULL;
534   }
535   md = EVP_get_digestbyobj(maskHash->algorithm);
536   if (md == NULL) {
537     OPENSSL_PUT_ERROR(EVP, EVP_R_UNKNOWN_MASK_DIGEST);
538     return NULL;
539   }
540   return md;
541 }
542 
543 /* rsa_ctx_to_pss converts EVP_PKEY_CTX in PSS mode into corresponding
544  * algorithm parameter, suitable for setting as an AlgorithmIdentifier. */
rsa_ctx_to_pss(EVP_PKEY_CTX * pkctx)545 static ASN1_STRING *rsa_ctx_to_pss(EVP_PKEY_CTX *pkctx) {
546   const EVP_MD *sigmd, *mgf1md;
547   RSA_PSS_PARAMS *pss = NULL;
548   ASN1_STRING *os = NULL;
549   EVP_PKEY *pk = EVP_PKEY_CTX_get0_pkey(pkctx);
550   int saltlen, rv = 0;
551 
552   if (!EVP_PKEY_CTX_get_signature_md(pkctx, &sigmd) ||
553       !EVP_PKEY_CTX_get_rsa_mgf1_md(pkctx, &mgf1md) ||
554       !EVP_PKEY_CTX_get_rsa_pss_saltlen(pkctx, &saltlen)) {
555     goto err;
556   }
557 
558   if (saltlen == -1) {
559     saltlen = EVP_MD_size(sigmd);
560   } else if (saltlen == -2) {
561     saltlen = EVP_PKEY_size(pk) - EVP_MD_size(sigmd) - 2;
562     if (((EVP_PKEY_bits(pk) - 1) & 0x7) == 0) {
563       saltlen--;
564     }
565   } else {
566     goto err;
567   }
568 
569   pss = RSA_PSS_PARAMS_new();
570   if (!pss) {
571     goto err;
572   }
573 
574   if (saltlen != 20) {
575     pss->saltLength = ASN1_INTEGER_new();
576     if (!pss->saltLength ||
577         !ASN1_INTEGER_set(pss->saltLength, saltlen)) {
578       goto err;
579     }
580   }
581 
582   if (!rsa_md_to_algor(&pss->hashAlgorithm, sigmd) ||
583       !rsa_md_to_mgf1(&pss->maskGenAlgorithm, mgf1md)) {
584     goto err;
585   }
586 
587   /* Finally create string with pss parameter encoding. */
588   if (!ASN1_item_pack(pss, ASN1_ITEM_rptr(RSA_PSS_PARAMS), &os)) {
589     goto err;
590   }
591   rv = 1;
592 
593 err:
594   if (pss) {
595     RSA_PSS_PARAMS_free(pss);
596   }
597   if (rv) {
598     return os;
599   }
600   if (os) {
601     ASN1_STRING_free(os);
602   }
603   return NULL;
604 }
605 
606 /* From PSS AlgorithmIdentifier set public key parameters. */
rsa_pss_to_ctx(EVP_MD_CTX * ctx,X509_ALGOR * sigalg,EVP_PKEY * pkey)607 static int rsa_pss_to_ctx(EVP_MD_CTX *ctx, X509_ALGOR *sigalg, EVP_PKEY *pkey) {
608   int ret = 0;
609   int saltlen;
610   const EVP_MD *mgf1md = NULL, *md = NULL;
611   RSA_PSS_PARAMS *pss;
612   X509_ALGOR *maskHash;
613   EVP_PKEY_CTX *pkctx;
614 
615   /* Sanity check: make sure it is PSS */
616   if (OBJ_obj2nid(sigalg->algorithm) != NID_rsassaPss) {
617     OPENSSL_PUT_ERROR(EVP, EVP_R_UNSUPPORTED_SIGNATURE_TYPE);
618     return 0;
619   }
620   /* Decode PSS parameters */
621   pss = rsa_pss_decode(sigalg, &maskHash);
622   if (pss == NULL) {
623     OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PSS_PARAMETERS);
624     goto err;
625   }
626 
627   mgf1md = rsa_mgf1_to_md(pss->maskGenAlgorithm, maskHash);
628   if (!mgf1md) {
629     goto err;
630   }
631   md = rsa_algor_to_md(pss->hashAlgorithm);
632   if (!md) {
633     goto err;
634   }
635 
636   saltlen = 20;
637   if (pss->saltLength) {
638     saltlen = ASN1_INTEGER_get(pss->saltLength);
639 
640     /* Could perform more salt length sanity checks but the main
641      * RSA routines will trap other invalid values anyway. */
642     if (saltlen < 0) {
643       OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_SALT_LENGTH);
644       goto err;
645     }
646   }
647 
648   /* low-level routines support only trailer field 0xbc (value 1)
649    * and PKCS#1 says we should reject any other value anyway. */
650   if (pss->trailerField && ASN1_INTEGER_get(pss->trailerField) != 1) {
651     OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_TRAILER);
652     goto err;
653   }
654 
655   if (!EVP_DigestVerifyInit(ctx, &pkctx, md, NULL, pkey) ||
656       !EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_PSS_PADDING) ||
657       !EVP_PKEY_CTX_set_rsa_pss_saltlen(pkctx, saltlen) ||
658       !EVP_PKEY_CTX_set_rsa_mgf1_md(pkctx, mgf1md)) {
659     goto err;
660   }
661 
662   ret = 1;
663 
664 err:
665   RSA_PSS_PARAMS_free(pss);
666   if (maskHash) {
667     X509_ALGOR_free(maskHash);
668   }
669   return ret;
670 }
671 
672 /* Customised RSA AlgorithmIdentifier handling. This is called when a signature
673  * is encountered requiring special handling. We currently only handle PSS. */
rsa_digest_verify_init_from_algorithm(EVP_MD_CTX * ctx,X509_ALGOR * sigalg,EVP_PKEY * pkey)674 static int rsa_digest_verify_init_from_algorithm(EVP_MD_CTX *ctx,
675                                                  X509_ALGOR *sigalg,
676                                                  EVP_PKEY *pkey) {
677   /* Sanity check: make sure it is PSS */
678   if (OBJ_obj2nid(sigalg->algorithm) != NID_rsassaPss) {
679     OPENSSL_PUT_ERROR(EVP, EVP_R_UNSUPPORTED_SIGNATURE_TYPE);
680     return 0;
681   }
682   return rsa_pss_to_ctx(ctx, sigalg, pkey);
683 }
684 
rsa_digest_sign_algorithm(EVP_MD_CTX * ctx,X509_ALGOR * sigalg)685 static evp_digest_sign_algorithm_result_t rsa_digest_sign_algorithm(
686     EVP_MD_CTX *ctx, X509_ALGOR *sigalg) {
687   int pad_mode;
688   EVP_PKEY_CTX *pkctx = ctx->pctx;
689   if (!EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode)) {
690     return EVP_DIGEST_SIGN_ALGORITHM_ERROR;
691   }
692   if (pad_mode == RSA_PKCS1_PSS_PADDING) {
693     ASN1_STRING *os1 = rsa_ctx_to_pss(pkctx);
694     if (!os1) {
695       return EVP_DIGEST_SIGN_ALGORITHM_ERROR;
696     }
697     X509_ALGOR_set0(sigalg, OBJ_nid2obj(NID_rsassaPss), V_ASN1_SEQUENCE, os1);
698     return EVP_DIGEST_SIGN_ALGORITHM_SUCCESS;
699   }
700 
701   /* Other padding schemes use the default behavior. */
702   return EVP_DIGEST_SIGN_ALGORITHM_DEFAULT;
703 }
704 
705 const EVP_PKEY_ASN1_METHOD rsa_asn1_meth = {
706   EVP_PKEY_RSA,
707   EVP_PKEY_RSA,
708   ASN1_PKEY_SIGPARAM_NULL,
709 
710   "RSA",
711 
712   rsa_pub_decode,
713   rsa_pub_encode,
714   rsa_pub_cmp,
715   rsa_pub_print,
716 
717   rsa_priv_decode,
718   rsa_priv_encode,
719   rsa_priv_print,
720 
721   rsa_opaque,
722   rsa_supports_digest,
723 
724   int_rsa_size,
725   rsa_bits,
726 
727   0,0,0,0,0,0,
728 
729   rsa_sig_print,
730   int_rsa_free,
731 
732   old_rsa_priv_decode,
733   old_rsa_priv_encode,
734 
735   rsa_digest_verify_init_from_algorithm,
736   rsa_digest_sign_algorithm,
737 };
738