2015-01-22 11:40:55 +08:00
|
|
|
/*
|
2022-05-03 18:52:38 +08:00
|
|
|
* Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved.
|
2006-03-20 20:22:24 +08:00
|
|
|
*
|
2018-12-06 20:54:02 +08:00
|
|
|
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
2016-05-18 02:51:34 +08:00
|
|
|
* this file except in compliance with the License. You can obtain a copy
|
|
|
|
|
* in the file LICENSE in the source distribution or at
|
|
|
|
|
* https://www.openssl.org/source/license.html
|
2006-03-20 20:22:24 +08:00
|
|
|
*/
|
|
|
|
|
|
2020-02-12 13:03:51 +08:00
|
|
|
/*
|
|
|
|
|
* RSA low level APIs are deprecated for public use, but still ok for
|
|
|
|
|
* internal use.
|
|
|
|
|
*/
|
|
|
|
|
#include "internal/deprecated.h"
|
|
|
|
|
|
2006-03-20 20:22:24 +08:00
|
|
|
#include <stdio.h>
|
2015-05-14 22:56:48 +08:00
|
|
|
#include "internal/cryptlib.h"
|
2006-03-20 20:22:24 +08:00
|
|
|
#include <openssl/asn1t.h>
|
|
|
|
|
#include <openssl/x509.h>
|
2008-03-17 05:05:46 +08:00
|
|
|
#include <openssl/bn.h>
|
2019-10-16 03:31:45 +08:00
|
|
|
#include <openssl/core_names.h>
|
2020-04-01 13:51:18 +08:00
|
|
|
#include <openssl/param_build.h>
|
2019-09-28 06:45:33 +08:00
|
|
|
#include "crypto/asn1.h"
|
|
|
|
|
#include "crypto/evp.h"
|
2019-10-16 03:31:45 +08:00
|
|
|
#include "crypto/rsa.h"
|
2019-09-28 06:45:40 +08:00
|
|
|
#include "rsa_local.h"
|
2006-03-20 20:22:24 +08:00
|
|
|
|
2016-11-24 08:58:33 +08:00
|
|
|
/* Set any parameters associated with pkey */
|
|
|
|
|
static int rsa_param_encode(const EVP_PKEY *pkey,
|
|
|
|
|
ASN1_STRING **pstr, int *pstrtype)
|
|
|
|
|
{
|
|
|
|
|
const RSA *rsa = pkey->pkey.rsa;
|
2017-01-06 07:18:28 +08:00
|
|
|
|
2016-11-24 08:58:33 +08:00
|
|
|
*pstr = NULL;
|
|
|
|
|
/* If RSA it's just NULL type */
|
2020-05-02 17:22:23 +08:00
|
|
|
if (RSA_test_flags(rsa, RSA_FLAG_TYPE_MASK) != RSA_FLAG_TYPE_RSASSAPSS) {
|
2016-11-24 08:58:33 +08:00
|
|
|
*pstrtype = V_ASN1_NULL;
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
/* If no PSS parameters we omit parameters entirely */
|
|
|
|
|
if (rsa->pss == NULL) {
|
|
|
|
|
*pstrtype = V_ASN1_UNDEF;
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
/* Encode PSS parameters */
|
2017-01-07 01:51:28 +08:00
|
|
|
if (ASN1_item_pack(rsa->pss, ASN1_ITEM_rptr(RSA_PSS_PARAMS), pstr) == NULL)
|
2016-11-24 08:58:33 +08:00
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
*pstrtype = V_ASN1_SEQUENCE;
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
/* Decode any parameters and set them in RSA structure */
|
2006-03-21 01:56:05 +08:00
|
|
|
static int rsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
|
2015-01-22 11:40:55 +08:00
|
|
|
{
|
|
|
|
|
unsigned char *penc = NULL;
|
|
|
|
|
int penclen;
|
2016-11-24 08:58:33 +08:00
|
|
|
ASN1_STRING *str;
|
|
|
|
|
int strtype;
|
2017-01-06 07:18:28 +08:00
|
|
|
|
2016-11-24 08:58:33 +08:00
|
|
|
if (!rsa_param_encode(pkey, &str, &strtype))
|
|
|
|
|
return 0;
|
2015-01-22 11:40:55 +08:00
|
|
|
penclen = i2d_RSAPublicKey(pkey->pkey.rsa, &penc);
|
|
|
|
|
if (penclen <= 0)
|
|
|
|
|
return 0;
|
2016-11-24 08:58:33 +08:00
|
|
|
if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(pkey->ameth->pkey_id),
|
|
|
|
|
strtype, str, penc, penclen))
|
2015-01-22 11:40:55 +08:00
|
|
|
return 1;
|
|
|
|
|
|
|
|
|
|
OPENSSL_free(penc);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
2006-03-20 20:22:24 +08:00
|
|
|
|
2020-05-25 00:28:06 +08:00
|
|
|
static int rsa_pub_decode(EVP_PKEY *pkey, const X509_PUBKEY *pubkey)
|
2015-01-22 11:40:55 +08:00
|
|
|
{
|
|
|
|
|
const unsigned char *p;
|
|
|
|
|
int pklen;
|
2016-11-24 08:58:33 +08:00
|
|
|
X509_ALGOR *alg;
|
2015-01-22 11:40:55 +08:00
|
|
|
RSA *rsa = NULL;
|
2015-05-07 01:43:59 +08:00
|
|
|
|
2016-11-24 08:58:33 +08:00
|
|
|
if (!X509_PUBKEY_get0_param(NULL, &p, &pklen, &alg, pubkey))
|
2015-01-22 11:40:55 +08:00
|
|
|
return 0;
|
2020-09-16 18:52:09 +08:00
|
|
|
if ((rsa = d2i_RSAPublicKey(NULL, &p, pklen)) == NULL)
|
2015-01-22 11:40:55 +08:00
|
|
|
return 0;
|
2021-03-18 17:41:53 +08:00
|
|
|
if (!ossl_rsa_param_decode(rsa, alg)) {
|
2016-11-24 08:58:33 +08:00
|
|
|
RSA_free(rsa);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
2020-07-28 00:39:55 +08:00
|
|
|
|
|
|
|
|
RSA_clear_flags(rsa, RSA_FLAG_TYPE_MASK);
|
|
|
|
|
switch (pkey->ameth->pkey_id) {
|
|
|
|
|
case EVP_PKEY_RSA:
|
|
|
|
|
RSA_set_flags(rsa, RSA_FLAG_TYPE_RSA);
|
|
|
|
|
break;
|
|
|
|
|
case EVP_PKEY_RSA_PSS:
|
|
|
|
|
RSA_set_flags(rsa, RSA_FLAG_TYPE_RSASSAPSS);
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
/* Leave the type bits zero */
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
2018-12-28 05:18:21 +08:00
|
|
|
if (!EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa)) {
|
|
|
|
|
RSA_free(rsa);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
2015-01-22 11:40:55 +08:00
|
|
|
return 1;
|
|
|
|
|
}
|
2006-03-20 20:22:24 +08:00
|
|
|
|
2006-03-21 01:56:05 +08:00
|
|
|
static int rsa_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b)
|
2015-01-22 11:40:55 +08:00
|
|
|
{
|
2020-07-11 07:01:32 +08:00
|
|
|
/*
|
|
|
|
|
* Don't check the public/private key, this is mostly for smart
|
|
|
|
|
* cards.
|
|
|
|
|
*/
|
|
|
|
|
if (((RSA_flags(a->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK))
|
|
|
|
|
|| (RSA_flags(b->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK)) {
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
2015-01-22 11:40:55 +08:00
|
|
|
if (BN_cmp(b->pkey.rsa->n, a->pkey.rsa->n) != 0
|
|
|
|
|
|| BN_cmp(b->pkey.rsa->e, a->pkey.rsa->e) != 0)
|
|
|
|
|
return 0;
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
2006-03-21 01:56:05 +08:00
|
|
|
|
2006-03-24 02:02:23 +08:00
|
|
|
static int old_rsa_priv_decode(EVP_PKEY *pkey,
|
2015-01-22 11:40:55 +08:00
|
|
|
const unsigned char **pder, int derlen)
|
|
|
|
|
{
|
|
|
|
|
RSA *rsa;
|
2015-05-07 01:43:59 +08:00
|
|
|
|
2020-09-16 18:52:09 +08:00
|
|
|
if ((rsa = d2i_RSAPrivateKey(NULL, pder, derlen)) == NULL)
|
2015-01-22 11:40:55 +08:00
|
|
|
return 0;
|
2016-11-20 12:17:30 +08:00
|
|
|
EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa);
|
2015-01-22 11:40:55 +08:00
|
|
|
return 1;
|
|
|
|
|
}
|
2006-03-20 20:22:24 +08:00
|
|
|
|
2006-03-24 02:02:23 +08:00
|
|
|
static int old_rsa_priv_encode(const EVP_PKEY *pkey, unsigned char **pder)
|
2015-01-22 11:40:55 +08:00
|
|
|
{
|
|
|
|
|
return i2d_RSAPrivateKey(pkey->pkey.rsa, pder);
|
|
|
|
|
}
|
2006-03-24 02:02:23 +08:00
|
|
|
|
2006-03-21 01:56:05 +08:00
|
|
|
static int rsa_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
|
2015-01-22 11:40:55 +08:00
|
|
|
{
|
|
|
|
|
unsigned char *rk = NULL;
|
|
|
|
|
int rklen;
|
2016-11-24 08:58:33 +08:00
|
|
|
ASN1_STRING *str;
|
|
|
|
|
int strtype;
|
2017-01-06 07:18:28 +08:00
|
|
|
|
2016-11-24 08:58:33 +08:00
|
|
|
if (!rsa_param_encode(pkey, &str, &strtype))
|
|
|
|
|
return 0;
|
2015-01-22 11:40:55 +08:00
|
|
|
rklen = i2d_RSAPrivateKey(pkey->pkey.rsa, &rk);
|
|
|
|
|
|
|
|
|
|
if (rklen <= 0) {
|
2022-09-29 19:57:34 +08:00
|
|
|
ERR_raise(ERR_LIB_RSA, ERR_R_ASN1_LIB);
|
2017-01-06 21:12:17 +08:00
|
|
|
ASN1_STRING_free(str);
|
2015-01-22 11:40:55 +08:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2016-11-20 12:17:30 +08:00
|
|
|
if (!PKCS8_pkey_set0(p8, OBJ_nid2obj(pkey->ameth->pkey_id), 0,
|
2016-11-24 08:58:33 +08:00
|
|
|
strtype, str, rk, rklen)) {
|
2022-09-29 19:57:34 +08:00
|
|
|
ERR_raise(ERR_LIB_RSA, ERR_R_ASN1_LIB);
|
2017-01-06 21:12:17 +08:00
|
|
|
ASN1_STRING_free(str);
|
2022-06-12 21:11:01 +08:00
|
|
|
OPENSSL_clear_free(rk, rklen);
|
2015-01-22 11:40:55 +08:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
2006-03-20 20:22:24 +08:00
|
|
|
|
2016-08-17 07:21:55 +08:00
|
|
|
static int rsa_priv_decode(EVP_PKEY *pkey, const PKCS8_PRIV_KEY_INFO *p8)
|
2015-01-22 11:40:55 +08:00
|
|
|
{
|
2021-03-18 17:41:53 +08:00
|
|
|
int ret = 0;
|
|
|
|
|
RSA *rsa = ossl_rsa_key_from_pkcs8(p8, NULL, NULL);
|
2016-11-24 08:58:33 +08:00
|
|
|
|
2021-03-18 17:41:53 +08:00
|
|
|
if (rsa != NULL) {
|
|
|
|
|
ret = 1;
|
|
|
|
|
EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa);
|
2016-11-24 08:58:33 +08:00
|
|
|
}
|
2021-03-18 17:41:53 +08:00
|
|
|
return ret;
|
2015-01-22 11:40:55 +08:00
|
|
|
}
|
2006-03-24 02:02:23 +08:00
|
|
|
|
2006-03-21 01:56:05 +08:00
|
|
|
static int int_rsa_size(const EVP_PKEY *pkey)
|
2015-01-22 11:40:55 +08:00
|
|
|
{
|
|
|
|
|
return RSA_size(pkey->pkey.rsa);
|
|
|
|
|
}
|
2006-03-21 01:56:05 +08:00
|
|
|
|
|
|
|
|
static int rsa_bits(const EVP_PKEY *pkey)
|
2015-01-22 11:40:55 +08:00
|
|
|
{
|
|
|
|
|
return BN_num_bits(pkey->pkey.rsa->n);
|
|
|
|
|
}
|
2006-03-21 01:56:05 +08:00
|
|
|
|
2014-01-18 22:51:40 +08:00
|
|
|
static int rsa_security_bits(const EVP_PKEY *pkey)
|
2015-01-22 11:40:55 +08:00
|
|
|
{
|
|
|
|
|
return RSA_security_bits(pkey->pkey.rsa);
|
|
|
|
|
}
|
2014-01-18 22:51:40 +08:00
|
|
|
|
2006-03-21 01:56:05 +08:00
|
|
|
static void int_rsa_free(EVP_PKEY *pkey)
|
2015-01-22 11:40:55 +08:00
|
|
|
{
|
|
|
|
|
RSA_free(pkey->pkey.rsa);
|
|
|
|
|
}
|
2006-03-22 21:09:35 +08:00
|
|
|
|
2016-11-24 22:22:22 +08:00
|
|
|
static int rsa_pss_param_print(BIO *bp, int pss_key, RSA_PSS_PARAMS *pss,
|
|
|
|
|
int indent)
|
|
|
|
|
{
|
|
|
|
|
int rv = 0;
|
|
|
|
|
X509_ALGOR *maskHash = NULL;
|
2017-01-06 07:18:28 +08:00
|
|
|
|
2016-11-24 22:22:22 +08:00
|
|
|
if (!BIO_indent(bp, indent, 128))
|
|
|
|
|
goto err;
|
|
|
|
|
if (pss_key) {
|
|
|
|
|
if (pss == NULL) {
|
|
|
|
|
if (BIO_puts(bp, "No PSS parameter restrictions\n") <= 0)
|
|
|
|
|
return 0;
|
|
|
|
|
return 1;
|
|
|
|
|
} else {
|
|
|
|
|
if (BIO_puts(bp, "PSS parameter restrictions:") <= 0)
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
} else if (pss == NULL) {
|
2021-10-26 15:16:18 +08:00
|
|
|
if (BIO_puts(bp, "(INVALID PSS PARAMETERS)\n") <= 0)
|
2016-11-24 22:22:22 +08:00
|
|
|
return 0;
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
if (BIO_puts(bp, "\n") <= 0)
|
|
|
|
|
goto err;
|
|
|
|
|
if (pss_key)
|
|
|
|
|
indent += 2;
|
|
|
|
|
if (!BIO_indent(bp, indent, 128))
|
|
|
|
|
goto err;
|
|
|
|
|
if (BIO_puts(bp, "Hash Algorithm: ") <= 0)
|
|
|
|
|
goto err;
|
|
|
|
|
|
|
|
|
|
if (pss->hashAlgorithm) {
|
|
|
|
|
if (i2a_ASN1_OBJECT(bp, pss->hashAlgorithm->algorithm) <= 0)
|
|
|
|
|
goto err;
|
2017-08-23 01:36:49 +08:00
|
|
|
} else if (BIO_puts(bp, "sha1 (default)") <= 0) {
|
2016-11-24 22:22:22 +08:00
|
|
|
goto err;
|
2017-08-23 01:36:49 +08:00
|
|
|
}
|
2016-11-24 22:22:22 +08:00
|
|
|
|
|
|
|
|
if (BIO_puts(bp, "\n") <= 0)
|
|
|
|
|
goto err;
|
|
|
|
|
|
|
|
|
|
if (!BIO_indent(bp, indent, 128))
|
|
|
|
|
goto err;
|
|
|
|
|
|
|
|
|
|
if (BIO_puts(bp, "Mask Algorithm: ") <= 0)
|
|
|
|
|
goto err;
|
|
|
|
|
if (pss->maskGenAlgorithm) {
|
|
|
|
|
if (i2a_ASN1_OBJECT(bp, pss->maskGenAlgorithm->algorithm) <= 0)
|
|
|
|
|
goto err;
|
|
|
|
|
if (BIO_puts(bp, " with ") <= 0)
|
|
|
|
|
goto err;
|
2021-03-09 07:48:16 +08:00
|
|
|
maskHash = ossl_x509_algor_mgf1_decode(pss->maskGenAlgorithm);
|
2016-11-24 22:22:22 +08:00
|
|
|
if (maskHash != NULL) {
|
|
|
|
|
if (i2a_ASN1_OBJECT(bp, maskHash->algorithm) <= 0)
|
|
|
|
|
goto err;
|
2017-08-23 01:36:49 +08:00
|
|
|
} else if (BIO_puts(bp, "INVALID") <= 0) {
|
2016-11-24 22:22:22 +08:00
|
|
|
goto err;
|
2017-08-23 01:36:49 +08:00
|
|
|
}
|
|
|
|
|
} else if (BIO_puts(bp, "mgf1 with sha1 (default)") <= 0) {
|
2016-11-24 22:22:22 +08:00
|
|
|
goto err;
|
2017-08-23 01:36:49 +08:00
|
|
|
}
|
2016-11-24 22:22:22 +08:00
|
|
|
BIO_puts(bp, "\n");
|
|
|
|
|
|
|
|
|
|
if (!BIO_indent(bp, indent, 128))
|
|
|
|
|
goto err;
|
|
|
|
|
if (BIO_printf(bp, "%s Salt Length: 0x", pss_key ? "Minimum" : "") <= 0)
|
|
|
|
|
goto err;
|
|
|
|
|
if (pss->saltLength) {
|
|
|
|
|
if (i2a_ASN1_INTEGER(bp, pss->saltLength) <= 0)
|
|
|
|
|
goto err;
|
2017-08-23 01:36:49 +08:00
|
|
|
} else if (BIO_puts(bp, "14 (default)") <= 0) {
|
2016-11-24 22:22:22 +08:00
|
|
|
goto err;
|
2017-08-23 01:36:49 +08:00
|
|
|
}
|
2016-11-24 22:22:22 +08:00
|
|
|
BIO_puts(bp, "\n");
|
|
|
|
|
|
|
|
|
|
if (!BIO_indent(bp, indent, 128))
|
|
|
|
|
goto err;
|
|
|
|
|
if (BIO_puts(bp, "Trailer Field: 0x") <= 0)
|
|
|
|
|
goto err;
|
|
|
|
|
if (pss->trailerField) {
|
|
|
|
|
if (i2a_ASN1_INTEGER(bp, pss->trailerField) <= 0)
|
|
|
|
|
goto err;
|
2021-03-25 02:51:01 +08:00
|
|
|
} else if (BIO_puts(bp, "01 (default)") <= 0) {
|
2016-11-24 22:22:22 +08:00
|
|
|
goto err;
|
2017-08-23 01:36:49 +08:00
|
|
|
}
|
2016-11-24 22:22:22 +08:00
|
|
|
BIO_puts(bp, "\n");
|
|
|
|
|
|
|
|
|
|
rv = 1;
|
|
|
|
|
|
|
|
|
|
err:
|
|
|
|
|
X509_ALGOR_free(maskHash);
|
|
|
|
|
return rv;
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int pkey_rsa_print(BIO *bp, const EVP_PKEY *pkey, int off, int priv)
|
2015-01-22 11:40:55 +08:00
|
|
|
{
|
2016-11-24 22:22:22 +08:00
|
|
|
const RSA *x = pkey->pkey.rsa;
|
2015-01-22 11:40:55 +08:00
|
|
|
char *str;
|
|
|
|
|
const char *s;
|
2017-08-02 02:19:43 +08:00
|
|
|
int ret = 0, mod_len = 0, ex_primes;
|
2015-01-22 11:40:55 +08:00
|
|
|
|
|
|
|
|
if (x->n != NULL)
|
|
|
|
|
mod_len = BN_num_bits(x->n);
|
2017-08-02 02:19:43 +08:00
|
|
|
ex_primes = sk_RSA_PRIME_INFO_num(x->prime_infos);
|
2015-01-22 11:40:55 +08:00
|
|
|
|
|
|
|
|
if (!BIO_indent(bp, off, 128))
|
|
|
|
|
goto err;
|
|
|
|
|
|
2016-12-02 05:46:31 +08:00
|
|
|
if (BIO_printf(bp, "%s ", pkey_is_pss(pkey) ? "RSA-PSS" : "RSA") <= 0)
|
2016-11-24 22:22:22 +08:00
|
|
|
goto err;
|
|
|
|
|
|
2015-01-22 11:40:55 +08:00
|
|
|
if (priv && x->d) {
|
2017-08-02 02:19:43 +08:00
|
|
|
if (BIO_printf(bp, "Private-Key: (%d bit, %d primes)\n",
|
|
|
|
|
mod_len, ex_primes <= 0 ? 2 : ex_primes + 2) <= 0)
|
2015-01-22 11:40:55 +08:00
|
|
|
goto err;
|
|
|
|
|
str = "modulus:";
|
|
|
|
|
s = "publicExponent:";
|
|
|
|
|
} else {
|
2016-02-14 11:33:56 +08:00
|
|
|
if (BIO_printf(bp, "Public-Key: (%d bit)\n", mod_len) <= 0)
|
2015-01-22 11:40:55 +08:00
|
|
|
goto err;
|
|
|
|
|
str = "Modulus:";
|
|
|
|
|
s = "Exponent:";
|
|
|
|
|
}
|
2016-02-14 11:33:56 +08:00
|
|
|
if (!ASN1_bn_print(bp, str, x->n, NULL, off))
|
2015-01-22 11:40:55 +08:00
|
|
|
goto err;
|
2016-02-14 11:33:56 +08:00
|
|
|
if (!ASN1_bn_print(bp, s, x->e, NULL, off))
|
2015-01-22 11:40:55 +08:00
|
|
|
goto err;
|
|
|
|
|
if (priv) {
|
2017-08-02 02:19:43 +08:00
|
|
|
int i;
|
|
|
|
|
|
2016-02-14 11:33:56 +08:00
|
|
|
if (!ASN1_bn_print(bp, "privateExponent:", x->d, NULL, off))
|
2015-01-22 11:40:55 +08:00
|
|
|
goto err;
|
2016-02-14 11:33:56 +08:00
|
|
|
if (!ASN1_bn_print(bp, "prime1:", x->p, NULL, off))
|
2015-01-22 11:40:55 +08:00
|
|
|
goto err;
|
2016-02-14 11:33:56 +08:00
|
|
|
if (!ASN1_bn_print(bp, "prime2:", x->q, NULL, off))
|
2015-01-22 11:40:55 +08:00
|
|
|
goto err;
|
2016-02-14 11:33:56 +08:00
|
|
|
if (!ASN1_bn_print(bp, "exponent1:", x->dmp1, NULL, off))
|
2015-01-22 11:40:55 +08:00
|
|
|
goto err;
|
2016-02-14 11:33:56 +08:00
|
|
|
if (!ASN1_bn_print(bp, "exponent2:", x->dmq1, NULL, off))
|
2015-01-22 11:40:55 +08:00
|
|
|
goto err;
|
2016-02-14 11:33:56 +08:00
|
|
|
if (!ASN1_bn_print(bp, "coefficient:", x->iqmp, NULL, off))
|
2015-01-22 11:40:55 +08:00
|
|
|
goto err;
|
2017-08-02 02:19:43 +08:00
|
|
|
for (i = 0; i < sk_RSA_PRIME_INFO_num(x->prime_infos); i++) {
|
|
|
|
|
/* print multi-prime info */
|
|
|
|
|
BIGNUM *bn = NULL;
|
|
|
|
|
RSA_PRIME_INFO *pinfo;
|
|
|
|
|
int j;
|
|
|
|
|
|
|
|
|
|
pinfo = sk_RSA_PRIME_INFO_value(x->prime_infos, i);
|
|
|
|
|
for (j = 0; j < 3; j++) {
|
|
|
|
|
if (!BIO_indent(bp, off, 128))
|
|
|
|
|
goto err;
|
|
|
|
|
switch (j) {
|
|
|
|
|
case 0:
|
|
|
|
|
if (BIO_printf(bp, "prime%d:", i + 3) <= 0)
|
|
|
|
|
goto err;
|
|
|
|
|
bn = pinfo->r;
|
|
|
|
|
break;
|
|
|
|
|
case 1:
|
|
|
|
|
if (BIO_printf(bp, "exponent%d:", i + 3) <= 0)
|
|
|
|
|
goto err;
|
|
|
|
|
bn = pinfo->d;
|
|
|
|
|
break;
|
|
|
|
|
case 2:
|
|
|
|
|
if (BIO_printf(bp, "coefficient%d:", i + 3) <= 0)
|
|
|
|
|
goto err;
|
|
|
|
|
bn = pinfo->t;
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
if (!ASN1_bn_print(bp, "", bn, NULL, off))
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
}
|
2015-01-22 11:40:55 +08:00
|
|
|
}
|
2016-12-02 05:46:31 +08:00
|
|
|
if (pkey_is_pss(pkey) && !rsa_pss_param_print(bp, 1, x->pss, off))
|
2016-11-24 22:22:22 +08:00
|
|
|
goto err;
|
2015-01-22 11:40:55 +08:00
|
|
|
ret = 1;
|
|
|
|
|
err:
|
2016-11-24 22:22:22 +08:00
|
|
|
return ret;
|
2015-01-22 11:40:55 +08:00
|
|
|
}
|
2006-03-22 21:09:35 +08:00
|
|
|
|
|
|
|
|
static int rsa_pub_print(BIO *bp, const EVP_PKEY *pkey, int indent,
|
2015-01-22 11:40:55 +08:00
|
|
|
ASN1_PCTX *ctx)
|
|
|
|
|
{
|
2016-11-24 22:22:22 +08:00
|
|
|
return pkey_rsa_print(bp, pkey, indent, 0);
|
2015-01-22 11:40:55 +08:00
|
|
|
}
|
2006-03-22 21:09:35 +08:00
|
|
|
|
|
|
|
|
static int rsa_priv_print(BIO *bp, const EVP_PKEY *pkey, int indent,
|
2015-01-22 11:40:55 +08:00
|
|
|
ASN1_PCTX *ctx)
|
|
|
|
|
{
|
2016-11-24 22:22:22 +08:00
|
|
|
return pkey_rsa_print(bp, pkey, indent, 1);
|
2015-01-22 11:40:55 +08:00
|
|
|
}
|
2013-06-20 01:21:37 +08:00
|
|
|
|
2010-03-07 03:55:25 +08:00
|
|
|
static int rsa_sig_print(BIO *bp, const X509_ALGOR *sigalg,
|
2015-01-22 11:40:55 +08:00
|
|
|
const ASN1_STRING *sig, int indent, ASN1_PCTX *pctx)
|
|
|
|
|
{
|
2016-11-25 05:50:26 +08:00
|
|
|
if (OBJ_obj2nid(sigalg->algorithm) == EVP_PKEY_RSA_PSS) {
|
2015-01-22 11:40:55 +08:00
|
|
|
int rv;
|
2021-03-18 17:41:53 +08:00
|
|
|
RSA_PSS_PARAMS *pss = ossl_rsa_pss_decode(sigalg);
|
2017-01-08 01:17:30 +08:00
|
|
|
|
2016-11-24 22:22:22 +08:00
|
|
|
rv = rsa_pss_param_print(bp, 0, pss, indent);
|
2015-05-02 02:37:16 +08:00
|
|
|
RSA_PSS_PARAMS_free(pss);
|
2015-01-22 11:40:55 +08:00
|
|
|
if (!rv)
|
|
|
|
|
return 0;
|
2018-01-29 23:54:40 +08:00
|
|
|
} else if (BIO_puts(bp, "\n") <= 0) {
|
2015-01-22 11:40:55 +08:00
|
|
|
return 0;
|
2017-01-06 07:18:28 +08:00
|
|
|
}
|
2015-01-22 11:40:55 +08:00
|
|
|
if (sig)
|
|
|
|
|
return X509_signature_dump(bp, sig, indent);
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
2006-04-18 01:12:23 +08:00
|
|
|
|
|
|
|
|
static int rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
|
2015-01-22 11:40:55 +08:00
|
|
|
{
|
2019-08-08 16:13:51 +08:00
|
|
|
const EVP_MD *md;
|
|
|
|
|
const EVP_MD *mgf1md;
|
|
|
|
|
int min_saltlen;
|
2017-01-06 07:18:28 +08:00
|
|
|
|
2015-01-22 11:40:55 +08:00
|
|
|
switch (op) {
|
|
|
|
|
case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
|
2019-08-08 16:13:51 +08:00
|
|
|
if (pkey->pkey.rsa->pss != NULL) {
|
2021-03-09 08:14:45 +08:00
|
|
|
if (!ossl_rsa_pss_get_param(pkey->pkey.rsa->pss, &md, &mgf1md,
|
|
|
|
|
&min_saltlen)) {
|
2020-11-04 19:23:19 +08:00
|
|
|
ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
|
2019-08-08 16:13:51 +08:00
|
|
|
return 0;
|
|
|
|
|
}
|
Rename all getters to use get/get0 in name
For functions that exist in 1.1.1 provide a simple aliases via #define.
Fixes #15236
Functions with OSSL_DECODER_, OSSL_ENCODER_, OSSL_STORE_LOADER_,
EVP_KEYEXCH_, EVP_KEM_, EVP_ASYM_CIPHER_, EVP_SIGNATURE_,
EVP_KEYMGMT_, EVP_RAND_, EVP_MAC_, EVP_KDF_, EVP_PKEY_,
EVP_MD_, and EVP_CIPHER_ prefixes are renamed.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15405)
2021-05-21 22:58:08 +08:00
|
|
|
*(int *)arg2 = EVP_MD_get_type(md);
|
2019-08-08 16:13:51 +08:00
|
|
|
/* Return of 2 indicates this MD is mandatory */
|
|
|
|
|
return 2;
|
|
|
|
|
}
|
2015-01-22 11:40:55 +08:00
|
|
|
*(int *)arg2 = NID_sha256;
|
|
|
|
|
return 1;
|
2006-05-08 01:09:39 +08:00
|
|
|
|
2015-01-22 11:40:55 +08:00
|
|
|
default:
|
|
|
|
|
return -2;
|
|
|
|
|
}
|
|
|
|
|
}
|
2006-04-18 01:12:23 +08:00
|
|
|
|
2015-01-22 11:40:55 +08:00
|
|
|
/*
|
2016-11-21 09:35:30 +08:00
|
|
|
* Convert EVP_PKEY_CTX in PSS mode into corresponding algorithm parameter,
|
2013-06-20 01:21:37 +08:00
|
|
|
* suitable for setting an AlgorithmIdentifier.
|
2010-03-09 02:10:35 +08:00
|
|
|
*/
|
|
|
|
|
|
2016-11-21 09:35:30 +08:00
|
|
|
static RSA_PSS_PARAMS *rsa_ctx_to_pss(EVP_PKEY_CTX *pkctx)
|
2015-01-22 11:40:55 +08:00
|
|
|
{
|
|
|
|
|
const EVP_MD *sigmd, *mgf1md;
|
|
|
|
|
EVP_PKEY *pk = EVP_PKEY_CTX_get0_pkey(pkctx);
|
2016-11-21 09:35:30 +08:00
|
|
|
int saltlen;
|
signature: Clamp PSS salt len to MD len
FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection
5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the
salt (sLen) shall satisfy 0 <= sLen <= hLen, where hLen is the length of
the hash function output block (in bytes)."
Introduce a new option RSA_PSS_SALTLEN_AUTO_DIGEST_MAX and make it the
default. The new value will behave like RSA_PSS_SALTLEN_AUTO, but will
not use more than the digest length when signing, so that FIPS 186-4 is
not violated. This value has two advantages when compared with
RSA_PSS_SALTLEN_DIGEST: (1) It will continue to do auto-detection when
verifying signatures for maximum compatibility, where
RSA_PSS_SALTLEN_DIGEST would fail for other digest sizes. (2) It will
work for combinations where the maximum salt length is smaller than the
digest size, which typically happens with large digest sizes (e.g.,
SHA-512) and small RSA keys.
J.-S. Coron shows in "Optimal Security Proofs for PSS and Other
Signature Schemes. Advances in Cryptology – Eurocrypt 2002, volume 2332
of Lecture Notes in Computer Science, pp. 272 – 287. Springer Verlag,
2002." that longer salts than the output size of modern hash functions
do not increase security: "For example,for an application in which at
most one billion signatures will be generated, k0 = 30 bits of random
salt are actually sufficient to guarantee the same level of security as
RSA, and taking a larger salt does not increase the security level."
Signed-off-by: Clemens Lang <cllang@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19724)
2022-11-18 19:35:33 +08:00
|
|
|
int saltlenMax = -1;
|
2017-01-06 07:18:28 +08:00
|
|
|
|
2015-01-22 11:40:55 +08:00
|
|
|
if (EVP_PKEY_CTX_get_signature_md(pkctx, &sigmd) <= 0)
|
2016-11-21 09:35:30 +08:00
|
|
|
return NULL;
|
2015-01-22 11:40:55 +08:00
|
|
|
if (EVP_PKEY_CTX_get_rsa_mgf1_md(pkctx, &mgf1md) <= 0)
|
2016-11-21 09:35:30 +08:00
|
|
|
return NULL;
|
2022-05-24 23:38:39 +08:00
|
|
|
if (EVP_PKEY_CTX_get_rsa_pss_saltlen(pkctx, &saltlen) <= 0)
|
2016-11-21 09:35:30 +08:00
|
|
|
return NULL;
|
signature: Clamp PSS salt len to MD len
FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection
5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the
salt (sLen) shall satisfy 0 <= sLen <= hLen, where hLen is the length of
the hash function output block (in bytes)."
Introduce a new option RSA_PSS_SALTLEN_AUTO_DIGEST_MAX and make it the
default. The new value will behave like RSA_PSS_SALTLEN_AUTO, but will
not use more than the digest length when signing, so that FIPS 186-4 is
not violated. This value has two advantages when compared with
RSA_PSS_SALTLEN_DIGEST: (1) It will continue to do auto-detection when
verifying signatures for maximum compatibility, where
RSA_PSS_SALTLEN_DIGEST would fail for other digest sizes. (2) It will
work for combinations where the maximum salt length is smaller than the
digest size, which typically happens with large digest sizes (e.g.,
SHA-512) and small RSA keys.
J.-S. Coron shows in "Optimal Security Proofs for PSS and Other
Signature Schemes. Advances in Cryptology – Eurocrypt 2002, volume 2332
of Lecture Notes in Computer Science, pp. 272 – 287. Springer Verlag,
2002." that longer salts than the output size of modern hash functions
do not increase security: "For example,for an application in which at
most one billion signatures will be generated, k0 = 30 bits of random
salt are actually sufficient to guarantee the same level of security as
RSA, and taking a larger salt does not increase the security level."
Signed-off-by: Clemens Lang <cllang@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19724)
2022-11-18 19:35:33 +08:00
|
|
|
if (saltlen == RSA_PSS_SALTLEN_DIGEST) {
|
Rename all getters to use get/get0 in name
For functions that exist in 1.1.1 provide a simple aliases via #define.
Fixes #15236
Functions with OSSL_DECODER_, OSSL_ENCODER_, OSSL_STORE_LOADER_,
EVP_KEYEXCH_, EVP_KEM_, EVP_ASYM_CIPHER_, EVP_SIGNATURE_,
EVP_KEYMGMT_, EVP_RAND_, EVP_MAC_, EVP_KDF_, EVP_PKEY_,
EVP_MD_, and EVP_CIPHER_ prefixes are renamed.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15405)
2021-05-21 22:58:08 +08:00
|
|
|
saltlen = EVP_MD_get_size(sigmd);
|
signature: Clamp PSS salt len to MD len
FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection
5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the
salt (sLen) shall satisfy 0 <= sLen <= hLen, where hLen is the length of
the hash function output block (in bytes)."
Introduce a new option RSA_PSS_SALTLEN_AUTO_DIGEST_MAX and make it the
default. The new value will behave like RSA_PSS_SALTLEN_AUTO, but will
not use more than the digest length when signing, so that FIPS 186-4 is
not violated. This value has two advantages when compared with
RSA_PSS_SALTLEN_DIGEST: (1) It will continue to do auto-detection when
verifying signatures for maximum compatibility, where
RSA_PSS_SALTLEN_DIGEST would fail for other digest sizes. (2) It will
work for combinations where the maximum salt length is smaller than the
digest size, which typically happens with large digest sizes (e.g.,
SHA-512) and small RSA keys.
J.-S. Coron shows in "Optimal Security Proofs for PSS and Other
Signature Schemes. Advances in Cryptology – Eurocrypt 2002, volume 2332
of Lecture Notes in Computer Science, pp. 272 – 287. Springer Verlag,
2002." that longer salts than the output size of modern hash functions
do not increase security: "For example,for an application in which at
most one billion signatures will be generated, k0 = 30 bits of random
salt are actually sufficient to guarantee the same level of security as
RSA, and taking a larger salt does not increase the security level."
Signed-off-by: Clemens Lang <cllang@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19724)
2022-11-18 19:35:33 +08:00
|
|
|
} else if (saltlen == RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
|
|
|
|
|
/* FIPS 186-4 section 5 "The RSA Digital Signature Algorithm",
|
|
|
|
|
* subsection 5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in
|
|
|
|
|
* bytes) of the salt (sLen) shall satisfy 0 <= sLen <= hLen, where
|
|
|
|
|
* hLen is the length of the hash function output block (in bytes)."
|
|
|
|
|
*
|
|
|
|
|
* Provide a way to use at most the digest length, so that the default
|
|
|
|
|
* does not violate FIPS 186-4. */
|
|
|
|
|
saltlen = RSA_PSS_SALTLEN_MAX;
|
|
|
|
|
saltlenMax = EVP_MD_get_size(sigmd);
|
|
|
|
|
}
|
|
|
|
|
if (saltlen == RSA_PSS_SALTLEN_MAX || saltlen == RSA_PSS_SALTLEN_AUTO) {
|
Rename all getters to use get/get0 in name
For functions that exist in 1.1.1 provide a simple aliases via #define.
Fixes #15236
Functions with OSSL_DECODER_, OSSL_ENCODER_, OSSL_STORE_LOADER_,
EVP_KEYEXCH_, EVP_KEM_, EVP_ASYM_CIPHER_, EVP_SIGNATURE_,
EVP_KEYMGMT_, EVP_RAND_, EVP_MAC_, EVP_KDF_, EVP_PKEY_,
EVP_MD_, and EVP_CIPHER_ prefixes are renamed.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15405)
2021-05-21 22:58:08 +08:00
|
|
|
saltlen = EVP_PKEY_get_size(pk) - EVP_MD_get_size(sigmd) - 2;
|
|
|
|
|
if ((EVP_PKEY_get_bits(pk) & 0x7) == 1)
|
2015-01-22 11:40:55 +08:00
|
|
|
saltlen--;
|
2019-03-31 19:56:23 +08:00
|
|
|
if (saltlen < 0)
|
|
|
|
|
return NULL;
|
signature: Clamp PSS salt len to MD len
FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection
5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the
salt (sLen) shall satisfy 0 <= sLen <= hLen, where hLen is the length of
the hash function output block (in bytes)."
Introduce a new option RSA_PSS_SALTLEN_AUTO_DIGEST_MAX and make it the
default. The new value will behave like RSA_PSS_SALTLEN_AUTO, but will
not use more than the digest length when signing, so that FIPS 186-4 is
not violated. This value has two advantages when compared with
RSA_PSS_SALTLEN_DIGEST: (1) It will continue to do auto-detection when
verifying signatures for maximum compatibility, where
RSA_PSS_SALTLEN_DIGEST would fail for other digest sizes. (2) It will
work for combinations where the maximum salt length is smaller than the
digest size, which typically happens with large digest sizes (e.g.,
SHA-512) and small RSA keys.
J.-S. Coron shows in "Optimal Security Proofs for PSS and Other
Signature Schemes. Advances in Cryptology – Eurocrypt 2002, volume 2332
of Lecture Notes in Computer Science, pp. 272 – 287. Springer Verlag,
2002." that longer salts than the output size of modern hash functions
do not increase security: "For example,for an application in which at
most one billion signatures will be generated, k0 = 30 bits of random
salt are actually sufficient to guarantee the same level of security as
RSA, and taking a larger salt does not increase the security level."
Signed-off-by: Clemens Lang <cllang@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19724)
2022-11-18 19:35:33 +08:00
|
|
|
if (saltlenMax >= 0 && saltlen > saltlenMax)
|
|
|
|
|
saltlen = saltlenMax;
|
2015-01-22 11:40:55 +08:00
|
|
|
}
|
2016-11-21 09:35:30 +08:00
|
|
|
|
2021-03-09 08:14:45 +08:00
|
|
|
return ossl_rsa_pss_params_create(sigmd, mgf1md, saltlen);
|
2016-11-21 09:35:30 +08:00
|
|
|
}
|
|
|
|
|
|
2021-03-09 08:14:45 +08:00
|
|
|
RSA_PSS_PARAMS *ossl_rsa_pss_params_create(const EVP_MD *sigmd,
|
|
|
|
|
const EVP_MD *mgf1md, int saltlen)
|
2016-11-21 09:35:30 +08:00
|
|
|
{
|
|
|
|
|
RSA_PSS_PARAMS *pss = RSA_PSS_PARAMS_new();
|
2017-01-06 07:18:28 +08:00
|
|
|
|
2015-10-30 19:12:26 +08:00
|
|
|
if (pss == NULL)
|
2015-01-22 11:40:55 +08:00
|
|
|
goto err;
|
|
|
|
|
if (saltlen != 20) {
|
|
|
|
|
pss->saltLength = ASN1_INTEGER_new();
|
2015-10-30 19:12:26 +08:00
|
|
|
if (pss->saltLength == NULL)
|
2015-01-22 11:40:55 +08:00
|
|
|
goto err;
|
|
|
|
|
if (!ASN1_INTEGER_set(pss->saltLength, saltlen))
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
2021-03-09 07:48:16 +08:00
|
|
|
if (!ossl_x509_algor_new_from_md(&pss->hashAlgorithm, sigmd))
|
2015-01-22 11:40:55 +08:00
|
|
|
goto err;
|
2016-11-21 09:35:30 +08:00
|
|
|
if (mgf1md == NULL)
|
2017-01-06 21:12:28 +08:00
|
|
|
mgf1md = sigmd;
|
2021-03-09 07:48:16 +08:00
|
|
|
if (!ossl_x509_algor_md_to_mgf1(&pss->maskGenAlgorithm, mgf1md))
|
2015-01-22 11:40:55 +08:00
|
|
|
goto err;
|
2021-03-09 07:48:16 +08:00
|
|
|
if (!ossl_x509_algor_new_from_md(&pss->maskHash, mgf1md))
|
2017-07-13 20:37:57 +08:00
|
|
|
goto err;
|
2016-11-21 09:35:30 +08:00
|
|
|
return pss;
|
2015-01-22 11:40:55 +08:00
|
|
|
err:
|
2015-05-02 02:37:16 +08:00
|
|
|
RSA_PSS_PARAMS_free(pss);
|
2015-01-22 11:40:55 +08:00
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
2020-10-07 21:45:22 +08:00
|
|
|
ASN1_STRING *ossl_rsa_ctx_to_pss_string(EVP_PKEY_CTX *pkctx)
|
2016-11-21 09:35:30 +08:00
|
|
|
{
|
|
|
|
|
RSA_PSS_PARAMS *pss = rsa_ctx_to_pss(pkctx);
|
2017-01-07 01:51:28 +08:00
|
|
|
ASN1_STRING *os;
|
2017-01-06 07:18:28 +08:00
|
|
|
|
2016-11-21 09:35:30 +08:00
|
|
|
if (pss == NULL)
|
|
|
|
|
return NULL;
|
|
|
|
|
|
2017-01-07 01:51:28 +08:00
|
|
|
os = ASN1_item_pack(pss, ASN1_ITEM_rptr(RSA_PSS_PARAMS), NULL);
|
2016-11-21 09:35:30 +08:00
|
|
|
RSA_PSS_PARAMS_free(pss);
|
|
|
|
|
return os;
|
|
|
|
|
}
|
|
|
|
|
|
2015-01-22 11:40:55 +08:00
|
|
|
/*
|
|
|
|
|
* From PSS AlgorithmIdentifier set public key parameters. If pkey isn't NULL
|
2016-02-06 04:23:54 +08:00
|
|
|
* then the EVP_MD_CTX is setup and initialised. If it is NULL parameters are
|
2015-01-22 11:40:55 +08:00
|
|
|
* passed to pkctx instead.
|
2013-06-20 01:21:37 +08:00
|
|
|
*/
|
2010-03-09 02:10:35 +08:00
|
|
|
|
2020-10-07 21:45:22 +08:00
|
|
|
int ossl_rsa_pss_to_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pkctx,
|
|
|
|
|
const X509_ALGOR *sigalg, EVP_PKEY *pkey)
|
2015-01-22 11:40:55 +08:00
|
|
|
{
|
|
|
|
|
int rv = -1;
|
|
|
|
|
int saltlen;
|
|
|
|
|
const EVP_MD *mgf1md = NULL, *md = NULL;
|
|
|
|
|
RSA_PSS_PARAMS *pss;
|
2017-01-06 07:18:28 +08:00
|
|
|
|
2015-01-22 11:40:55 +08:00
|
|
|
/* Sanity check: make sure it is PSS */
|
2016-11-25 05:50:26 +08:00
|
|
|
if (OBJ_obj2nid(sigalg->algorithm) != EVP_PKEY_RSA_PSS) {
|
2020-11-04 19:23:19 +08:00
|
|
|
ERR_raise(ERR_LIB_RSA, RSA_R_UNSUPPORTED_SIGNATURE_TYPE);
|
2015-01-22 11:40:55 +08:00
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
/* Decode PSS parameters */
|
2021-03-18 17:41:53 +08:00
|
|
|
pss = ossl_rsa_pss_decode(sigalg);
|
2015-01-22 11:40:55 +08:00
|
|
|
|
2021-03-09 08:14:45 +08:00
|
|
|
if (!ossl_rsa_pss_get_param(pss, &md, &mgf1md, &saltlen)) {
|
2020-11-04 19:23:19 +08:00
|
|
|
ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_PSS_PARAMETERS);
|
2015-01-22 11:40:55 +08:00
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* We have all parameters now set up context */
|
|
|
|
|
if (pkey) {
|
|
|
|
|
if (!EVP_DigestVerifyInit(ctx, &pkctx, md, NULL, pkey))
|
|
|
|
|
goto err;
|
|
|
|
|
} else {
|
|
|
|
|
const EVP_MD *checkmd;
|
|
|
|
|
if (EVP_PKEY_CTX_get_signature_md(pkctx, &checkmd) <= 0)
|
|
|
|
|
goto err;
|
Rename all getters to use get/get0 in name
For functions that exist in 1.1.1 provide a simple aliases via #define.
Fixes #15236
Functions with OSSL_DECODER_, OSSL_ENCODER_, OSSL_STORE_LOADER_,
EVP_KEYEXCH_, EVP_KEM_, EVP_ASYM_CIPHER_, EVP_SIGNATURE_,
EVP_KEYMGMT_, EVP_RAND_, EVP_MAC_, EVP_KDF_, EVP_PKEY_,
EVP_MD_, and EVP_CIPHER_ prefixes are renamed.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15405)
2021-05-21 22:58:08 +08:00
|
|
|
if (EVP_MD_get_type(md) != EVP_MD_get_type(checkmd)) {
|
2020-11-04 19:23:19 +08:00
|
|
|
ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_DOES_NOT_MATCH);
|
2015-01-22 11:40:55 +08:00
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_PSS_PADDING) <= 0)
|
|
|
|
|
goto err;
|
|
|
|
|
|
|
|
|
|
if (EVP_PKEY_CTX_set_rsa_pss_saltlen(pkctx, saltlen) <= 0)
|
|
|
|
|
goto err;
|
|
|
|
|
|
|
|
|
|
if (EVP_PKEY_CTX_set_rsa_mgf1_md(pkctx, mgf1md) <= 0)
|
|
|
|
|
goto err;
|
|
|
|
|
/* Carry on */
|
|
|
|
|
rv = 1;
|
|
|
|
|
|
|
|
|
|
err:
|
|
|
|
|
RSA_PSS_PARAMS_free(pss);
|
|
|
|
|
return rv;
|
|
|
|
|
}
|
2006-04-18 01:12:23 +08:00
|
|
|
|
2020-07-28 00:39:55 +08:00
|
|
|
static int rsa_pss_verify_param(const EVP_MD **pmd, const EVP_MD **pmgf1md,
|
|
|
|
|
int *psaltlen, int *ptrailerField)
|
|
|
|
|
{
|
|
|
|
|
if (psaltlen != NULL && *psaltlen < 0) {
|
|
|
|
|
ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_SALT_LENGTH);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
/*
|
|
|
|
|
* low-level routines support only trailer field 0xbc (value 1) and
|
|
|
|
|
* PKCS#1 says we should reject any other value anyway.
|
|
|
|
|
*/
|
|
|
|
|
if (ptrailerField != NULL && *ptrailerField != 1) {
|
|
|
|
|
ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_TRAILER);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
2021-03-09 08:14:45 +08:00
|
|
|
int ossl_rsa_pss_get_param(const RSA_PSS_PARAMS *pss, const EVP_MD **pmd,
|
|
|
|
|
const EVP_MD **pmgf1md, int *psaltlen)
|
2020-07-28 00:39:55 +08:00
|
|
|
{
|
2016-12-05 22:00:48 +08:00
|
|
|
/*
|
2020-07-28 00:39:55 +08:00
|
|
|
* Callers do not care about the trailer field, and yet, we must
|
|
|
|
|
* pass it from get_param to verify_param, since the latter checks
|
|
|
|
|
* its value.
|
|
|
|
|
*
|
|
|
|
|
* When callers start caring, it's a simple thing to add another
|
|
|
|
|
* argument to this function.
|
2016-12-05 22:00:48 +08:00
|
|
|
*/
|
2020-07-28 00:39:55 +08:00
|
|
|
int trailerField = 0;
|
2016-12-05 22:00:48 +08:00
|
|
|
|
2021-03-18 17:41:53 +08:00
|
|
|
return ossl_rsa_pss_get_param_unverified(pss, pmd, pmgf1md, psaltlen,
|
|
|
|
|
&trailerField)
|
2020-07-28 00:39:55 +08:00
|
|
|
&& rsa_pss_verify_param(pmd, pmgf1md, psaltlen, &trailerField);
|
|
|
|
|
}
|
|
|
|
|
|
2015-01-22 11:40:55 +08:00
|
|
|
/*
|
|
|
|
|
* Customised RSA item verification routine. This is called when a signature
|
|
|
|
|
* is encountered requiring special handling. We currently only handle PSS.
|
2013-06-20 01:21:37 +08:00
|
|
|
*/
|
|
|
|
|
|
2020-05-15 03:09:49 +08:00
|
|
|
static int rsa_item_verify(EVP_MD_CTX *ctx, const ASN1_ITEM *it,
|
|
|
|
|
const void *asn, const X509_ALGOR *sigalg,
|
|
|
|
|
const ASN1_BIT_STRING *sig, EVP_PKEY *pkey)
|
2015-01-22 11:40:55 +08:00
|
|
|
{
|
|
|
|
|
/* Sanity check: make sure it is PSS */
|
2016-11-25 05:50:26 +08:00
|
|
|
if (OBJ_obj2nid(sigalg->algorithm) != EVP_PKEY_RSA_PSS) {
|
2020-11-04 19:23:19 +08:00
|
|
|
ERR_raise(ERR_LIB_RSA, RSA_R_UNSUPPORTED_SIGNATURE_TYPE);
|
2015-01-22 11:40:55 +08:00
|
|
|
return -1;
|
|
|
|
|
}
|
2020-10-07 21:45:22 +08:00
|
|
|
if (ossl_rsa_pss_to_ctx(ctx, NULL, sigalg, pkey) > 0) {
|
2015-01-22 11:40:55 +08:00
|
|
|
/* Carry on */
|
|
|
|
|
return 2;
|
2015-03-10 07:16:33 +08:00
|
|
|
}
|
2015-01-22 11:40:55 +08:00
|
|
|
return -1;
|
|
|
|
|
}
|
2013-06-20 01:21:37 +08:00
|
|
|
|
2020-05-15 03:09:49 +08:00
|
|
|
static int rsa_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, const void *asn,
|
2015-01-22 11:40:55 +08:00
|
|
|
X509_ALGOR *alg1, X509_ALGOR *alg2,
|
|
|
|
|
ASN1_BIT_STRING *sig)
|
|
|
|
|
{
|
|
|
|
|
int pad_mode;
|
Rename all getters to use get/get0 in name
For functions that exist in 1.1.1 provide a simple aliases via #define.
Fixes #15236
Functions with OSSL_DECODER_, OSSL_ENCODER_, OSSL_STORE_LOADER_,
EVP_KEYEXCH_, EVP_KEM_, EVP_ASYM_CIPHER_, EVP_SIGNATURE_,
EVP_KEYMGMT_, EVP_RAND_, EVP_MAC_, EVP_KDF_, EVP_PKEY_,
EVP_MD_, and EVP_CIPHER_ prefixes are renamed.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15405)
2021-05-21 22:58:08 +08:00
|
|
|
EVP_PKEY_CTX *pkctx = EVP_MD_CTX_get_pkey_ctx(ctx);
|
2017-01-06 07:18:28 +08:00
|
|
|
|
2015-01-22 11:40:55 +08:00
|
|
|
if (EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode) <= 0)
|
|
|
|
|
return 0;
|
|
|
|
|
if (pad_mode == RSA_PKCS1_PADDING)
|
|
|
|
|
return 2;
|
|
|
|
|
if (pad_mode == RSA_PKCS1_PSS_PADDING) {
|
2022-11-21 21:33:57 +08:00
|
|
|
unsigned char aid[128];
|
|
|
|
|
size_t aid_len = 0;
|
|
|
|
|
OSSL_PARAM params[2];
|
2021-08-06 18:11:13 +08:00
|
|
|
|
2023-05-22 21:08:38 +08:00
|
|
|
if (evp_pkey_ctx_is_legacy(pkctx)) {
|
|
|
|
|
/* No provider -> we cannot query it for algorithm ID. */
|
|
|
|
|
ASN1_STRING *os1 = NULL;
|
|
|
|
|
|
|
|
|
|
os1 = ossl_rsa_ctx_to_pss_string(pkctx);
|
|
|
|
|
if (os1 == NULL)
|
|
|
|
|
return 0;
|
|
|
|
|
/* Duplicate parameters if we have to */
|
|
|
|
|
if (alg2 != NULL) {
|
|
|
|
|
ASN1_STRING *os2 = ASN1_STRING_dup(os1);
|
|
|
|
|
|
|
|
|
|
if (os2 == NULL) {
|
|
|
|
|
ASN1_STRING_free(os1);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
if (!X509_ALGOR_set0(alg2, OBJ_nid2obj(EVP_PKEY_RSA_PSS),
|
|
|
|
|
V_ASN1_SEQUENCE, os2)) {
|
|
|
|
|
ASN1_STRING_free(os1);
|
|
|
|
|
ASN1_STRING_free(os2);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if (!X509_ALGOR_set0(alg1, OBJ_nid2obj(EVP_PKEY_RSA_PSS),
|
|
|
|
|
V_ASN1_SEQUENCE, os1)) {
|
|
|
|
|
ASN1_STRING_free(os1);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
return 3;
|
|
|
|
|
}
|
|
|
|
|
|
2022-11-21 21:33:57 +08:00
|
|
|
params[0] = OSSL_PARAM_construct_octet_string(
|
|
|
|
|
OSSL_SIGNATURE_PARAM_ALGORITHM_ID, aid, sizeof(aid));
|
|
|
|
|
params[1] = OSSL_PARAM_construct_end();
|
|
|
|
|
|
|
|
|
|
if (EVP_PKEY_CTX_get_params(pkctx, params) <= 0)
|
|
|
|
|
return 0;
|
|
|
|
|
if ((aid_len = params[0].return_size) == 0)
|
2015-01-22 11:40:55 +08:00
|
|
|
return 0;
|
2021-08-06 18:11:13 +08:00
|
|
|
|
2022-11-21 21:33:57 +08:00
|
|
|
if (alg1 != NULL) {
|
|
|
|
|
const unsigned char *pp = aid;
|
2023-05-22 21:08:38 +08:00
|
|
|
|
2022-11-21 21:33:57 +08:00
|
|
|
if (d2i_X509_ALGOR(&alg1, &pp, aid_len) == NULL)
|
|
|
|
|
return 0;
|
2015-01-22 11:40:55 +08:00
|
|
|
}
|
2022-11-21 21:33:57 +08:00
|
|
|
if (alg2 != NULL) {
|
|
|
|
|
const unsigned char *pp = aid;
|
2023-05-22 21:08:38 +08:00
|
|
|
|
2022-11-21 21:33:57 +08:00
|
|
|
if (d2i_X509_ALGOR(&alg2, &pp, aid_len) == NULL)
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2015-01-22 11:40:55 +08:00
|
|
|
return 3;
|
|
|
|
|
}
|
|
|
|
|
return 2;
|
|
|
|
|
}
|
2010-03-11 22:06:46 +08:00
|
|
|
|
2017-04-25 07:09:55 +08:00
|
|
|
static int rsa_sig_info_set(X509_SIG_INFO *siginf, const X509_ALGOR *sigalg,
|
|
|
|
|
const ASN1_STRING *sig)
|
|
|
|
|
{
|
|
|
|
|
int rv = 0;
|
|
|
|
|
int mdnid, saltlen;
|
|
|
|
|
uint32_t flags;
|
|
|
|
|
const EVP_MD *mgf1md = NULL, *md = NULL;
|
|
|
|
|
RSA_PSS_PARAMS *pss;
|
2020-01-03 06:25:27 +08:00
|
|
|
int secbits;
|
2017-04-25 07:09:55 +08:00
|
|
|
|
|
|
|
|
/* Sanity check: make sure it is PSS */
|
|
|
|
|
if (OBJ_obj2nid(sigalg->algorithm) != EVP_PKEY_RSA_PSS)
|
|
|
|
|
return 0;
|
|
|
|
|
/* Decode PSS parameters */
|
2021-03-18 17:41:53 +08:00
|
|
|
pss = ossl_rsa_pss_decode(sigalg);
|
2021-03-09 08:14:45 +08:00
|
|
|
if (!ossl_rsa_pss_get_param(pss, &md, &mgf1md, &saltlen))
|
2017-04-25 07:09:55 +08:00
|
|
|
goto err;
|
Rename all getters to use get/get0 in name
For functions that exist in 1.1.1 provide a simple aliases via #define.
Fixes #15236
Functions with OSSL_DECODER_, OSSL_ENCODER_, OSSL_STORE_LOADER_,
EVP_KEYEXCH_, EVP_KEM_, EVP_ASYM_CIPHER_, EVP_SIGNATURE_,
EVP_KEYMGMT_, EVP_RAND_, EVP_MAC_, EVP_KDF_, EVP_PKEY_,
EVP_MD_, and EVP_CIPHER_ prefixes are renamed.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15405)
2021-05-21 22:58:08 +08:00
|
|
|
mdnid = EVP_MD_get_type(md);
|
2017-04-25 07:09:55 +08:00
|
|
|
/*
|
|
|
|
|
* For TLS need SHA256, SHA384 or SHA512, digest and MGF1 digest must
|
|
|
|
|
* match and salt length must equal digest size
|
|
|
|
|
*/
|
|
|
|
|
if ((mdnid == NID_sha256 || mdnid == NID_sha384 || mdnid == NID_sha512)
|
Rename all getters to use get/get0 in name
For functions that exist in 1.1.1 provide a simple aliases via #define.
Fixes #15236
Functions with OSSL_DECODER_, OSSL_ENCODER_, OSSL_STORE_LOADER_,
EVP_KEYEXCH_, EVP_KEM_, EVP_ASYM_CIPHER_, EVP_SIGNATURE_,
EVP_KEYMGMT_, EVP_RAND_, EVP_MAC_, EVP_KDF_, EVP_PKEY_,
EVP_MD_, and EVP_CIPHER_ prefixes are renamed.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15405)
2021-05-21 22:58:08 +08:00
|
|
|
&& mdnid == EVP_MD_get_type(mgf1md)
|
|
|
|
|
&& saltlen == EVP_MD_get_size(md))
|
2017-04-25 07:09:55 +08:00
|
|
|
flags = X509_SIG_INFO_TLS;
|
|
|
|
|
else
|
|
|
|
|
flags = 0;
|
|
|
|
|
/* Note: security bits half number of digest bits */
|
Rename all getters to use get/get0 in name
For functions that exist in 1.1.1 provide a simple aliases via #define.
Fixes #15236
Functions with OSSL_DECODER_, OSSL_ENCODER_, OSSL_STORE_LOADER_,
EVP_KEYEXCH_, EVP_KEM_, EVP_ASYM_CIPHER_, EVP_SIGNATURE_,
EVP_KEYMGMT_, EVP_RAND_, EVP_MAC_, EVP_KDF_, EVP_PKEY_,
EVP_MD_, and EVP_CIPHER_ prefixes are renamed.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15405)
2021-05-21 22:58:08 +08:00
|
|
|
secbits = EVP_MD_get_size(md) * 4;
|
2020-01-03 06:25:27 +08:00
|
|
|
/*
|
|
|
|
|
* SHA1 and MD5 are known to be broken. Reduce security bits so that
|
|
|
|
|
* they're no longer accepted at security level 1. The real values don't
|
|
|
|
|
* really matter as long as they're lower than 80, which is our security
|
|
|
|
|
* level 1.
|
|
|
|
|
* https://eprint.iacr.org/2020/014 puts a chosen-prefix attack for SHA1 at
|
|
|
|
|
* 2^63.4
|
|
|
|
|
* https://documents.epfl.ch/users/l/le/lenstra/public/papers/lat.pdf
|
|
|
|
|
* puts a chosen-prefix attack for MD5 at 2^39.
|
|
|
|
|
*/
|
|
|
|
|
if (mdnid == NID_sha1)
|
|
|
|
|
secbits = 64;
|
|
|
|
|
else if (mdnid == NID_md5_sha1)
|
|
|
|
|
secbits = 68;
|
|
|
|
|
else if (mdnid == NID_md5)
|
|
|
|
|
secbits = 39;
|
|
|
|
|
X509_SIG_INFO_set(siginf, mdnid, EVP_PKEY_RSA_PSS, secbits,
|
2017-04-25 07:09:55 +08:00
|
|
|
flags);
|
|
|
|
|
rv = 1;
|
|
|
|
|
err:
|
|
|
|
|
RSA_PSS_PARAMS_free(pss);
|
|
|
|
|
return rv;
|
|
|
|
|
}
|
|
|
|
|
|
2017-09-04 22:02:59 +08:00
|
|
|
static int rsa_pkey_check(const EVP_PKEY *pkey)
|
|
|
|
|
{
|
|
|
|
|
return RSA_check_key_ex(pkey->pkey.rsa, NULL);
|
|
|
|
|
}
|
|
|
|
|
|
2019-10-16 03:31:45 +08:00
|
|
|
static size_t rsa_pkey_dirty_cnt(const EVP_PKEY *pkey)
|
|
|
|
|
{
|
|
|
|
|
return pkey->pkey.rsa->dirty_cnt;
|
|
|
|
|
}
|
|
|
|
|
|
2020-05-02 19:14:04 +08:00
|
|
|
/*
|
2021-03-12 10:32:44 +08:00
|
|
|
* There is no need to do RSA_test_flags(rsa, RSA_FLAG_TYPE_RSASSAPSS)
|
|
|
|
|
* checks in this method since the caller tests EVP_KEYMGMT_is_a() first.
|
2020-05-02 19:14:04 +08:00
|
|
|
*/
|
|
|
|
|
static int rsa_int_export_to(const EVP_PKEY *from, int rsa_type,
|
2021-05-15 13:43:06 +08:00
|
|
|
void *to_keydata,
|
|
|
|
|
OSSL_FUNC_keymgmt_import_fn *importer,
|
2020-10-15 17:55:50 +08:00
|
|
|
OSSL_LIB_CTX *libctx, const char *propq)
|
2019-10-16 03:31:45 +08:00
|
|
|
{
|
Redesign the KEYMGMT libcrypto <-> provider interface - the basics
The KEYMGMT libcrypto <-> provider interface currently makes a few
assumptions:
1. provider side domain parameters and key data isn't mutable. In
other words, as soon as a key has been created in any (loaded,
imported data, ...), it's set in stone.
2. provider side domain parameters can be strictly separated from the
key data.
This does work for the most part, but there are places where that's a
bit too rigid for the functionality that the EVP_PKEY API delivers.
Key data needs to be mutable to allow the flexibility that functions
like EVP_PKEY_copy_parameters promise, as well as to provide the
combinations of data that an EVP_PKEY is generally assumed to be able
to hold:
- domain parameters only
- public key only
- public key + private key
- domain parameters + public key
- domain parameters + public key + private key
To remedy all this, we:
1. let go of the distinction between domain parameters and key
material proper in the libcrypto <-> provider interface.
As a consequence, functions that still need it gain a selection
argument, which is a set of bits that indicate what parts of the
key object are to be considered in a specific call. This allows
a reduction of very similar functions into one.
2. Rework the libcrypto <-> provider interface so provider side key
objects are created and destructed with a separate function, and
get their data filled and extracted in through import and export.
(future work will see other key object constructors and other
functions to fill them with data)
Fixes #10979
squash! Redesign the KEYMGMT libcrypto <-> provider interface - the basics
Remedy 1 needs a rewrite:
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11006)
2020-02-03 01:56:07 +08:00
|
|
|
RSA *rsa = from->pkey.rsa;
|
2020-03-26 07:28:01 +08:00
|
|
|
OSSL_PARAM_BLD *tmpl = OSSL_PARAM_BLD_new();
|
2019-10-16 03:31:45 +08:00
|
|
|
OSSL_PARAM *params = NULL;
|
2020-03-20 05:29:10 +08:00
|
|
|
int selection = 0;
|
Redesign the KEYMGMT libcrypto <-> provider interface - the basics
The KEYMGMT libcrypto <-> provider interface currently makes a few
assumptions:
1. provider side domain parameters and key data isn't mutable. In
other words, as soon as a key has been created in any (loaded,
imported data, ...), it's set in stone.
2. provider side domain parameters can be strictly separated from the
key data.
This does work for the most part, but there are places where that's a
bit too rigid for the functionality that the EVP_PKEY API delivers.
Key data needs to be mutable to allow the flexibility that functions
like EVP_PKEY_copy_parameters promise, as well as to provide the
combinations of data that an EVP_PKEY is generally assumed to be able
to hold:
- domain parameters only
- public key only
- public key + private key
- domain parameters + public key
- domain parameters + public key + private key
To remedy all this, we:
1. let go of the distinction between domain parameters and key
material proper in the libcrypto <-> provider interface.
As a consequence, functions that still need it gain a selection
argument, which is a set of bits that indicate what parts of the
key object are to be considered in a specific call. This allows
a reduction of very similar functions into one.
2. Rework the libcrypto <-> provider interface so provider side key
objects are created and destructed with a separate function, and
get their data filled and extracted in through import and export.
(future work will see other key object constructors and other
functions to fill them with data)
Fixes #10979
squash! Redesign the KEYMGMT libcrypto <-> provider interface - the basics
Remedy 1 needs a rewrite:
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11006)
2020-02-03 01:56:07 +08:00
|
|
|
int rv = 0;
|
2019-10-16 03:31:45 +08:00
|
|
|
|
2020-03-26 07:28:01 +08:00
|
|
|
if (tmpl == NULL)
|
|
|
|
|
return 0;
|
Redesign the KEYMGMT libcrypto <-> provider interface - the basics
The KEYMGMT libcrypto <-> provider interface currently makes a few
assumptions:
1. provider side domain parameters and key data isn't mutable. In
other words, as soon as a key has been created in any (loaded,
imported data, ...), it's set in stone.
2. provider side domain parameters can be strictly separated from the
key data.
This does work for the most part, but there are places where that's a
bit too rigid for the functionality that the EVP_PKEY API delivers.
Key data needs to be mutable to allow the flexibility that functions
like EVP_PKEY_copy_parameters promise, as well as to provide the
combinations of data that an EVP_PKEY is generally assumed to be able
to hold:
- domain parameters only
- public key only
- public key + private key
- domain parameters + public key
- domain parameters + public key + private key
To remedy all this, we:
1. let go of the distinction between domain parameters and key
material proper in the libcrypto <-> provider interface.
As a consequence, functions that still need it gain a selection
argument, which is a set of bits that indicate what parts of the
key object are to be considered in a specific call. This allows
a reduction of very similar functions into one.
2. Rework the libcrypto <-> provider interface so provider side key
objects are created and destructed with a separate function, and
get their data filled and extracted in through import and export.
(future work will see other key object constructors and other
functions to fill them with data)
Fixes #10979
squash! Redesign the KEYMGMT libcrypto <-> provider interface - the basics
Remedy 1 needs a rewrite:
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11006)
2020-02-03 01:56:07 +08:00
|
|
|
/* Public parameters must always be present */
|
2020-05-02 19:02:29 +08:00
|
|
|
if (RSA_get0_n(rsa) == NULL || RSA_get0_e(rsa) == NULL)
|
2019-10-16 03:31:45 +08:00
|
|
|
goto err;
|
|
|
|
|
|
2021-12-06 07:27:12 +08:00
|
|
|
if (!ossl_rsa_todata(rsa, tmpl, NULL, 1))
|
2019-10-16 03:31:45 +08:00
|
|
|
goto err;
|
Redesign the KEYMGMT libcrypto <-> provider interface - the basics
The KEYMGMT libcrypto <-> provider interface currently makes a few
assumptions:
1. provider side domain parameters and key data isn't mutable. In
other words, as soon as a key has been created in any (loaded,
imported data, ...), it's set in stone.
2. provider side domain parameters can be strictly separated from the
key data.
This does work for the most part, but there are places where that's a
bit too rigid for the functionality that the EVP_PKEY API delivers.
Key data needs to be mutable to allow the flexibility that functions
like EVP_PKEY_copy_parameters promise, as well as to provide the
combinations of data that an EVP_PKEY is generally assumed to be able
to hold:
- domain parameters only
- public key only
- public key + private key
- domain parameters + public key
- domain parameters + public key + private key
To remedy all this, we:
1. let go of the distinction between domain parameters and key
material proper in the libcrypto <-> provider interface.
As a consequence, functions that still need it gain a selection
argument, which is a set of bits that indicate what parts of the
key object are to be considered in a specific call. This allows
a reduction of very similar functions into one.
2. Rework the libcrypto <-> provider interface so provider side key
objects are created and destructed with a separate function, and
get their data filled and extracted in through import and export.
(future work will see other key object constructors and other
functions to fill them with data)
Fixes #10979
squash! Redesign the KEYMGMT libcrypto <-> provider interface - the basics
Remedy 1 needs a rewrite:
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11006)
2020-02-03 01:56:07 +08:00
|
|
|
|
2020-05-02 19:02:29 +08:00
|
|
|
selection |= OSSL_KEYMGMT_SELECT_PUBLIC_KEY;
|
|
|
|
|
if (RSA_get0_d(rsa) != NULL)
|
2020-03-20 05:29:10 +08:00
|
|
|
selection |= OSSL_KEYMGMT_SELECT_PRIVATE_KEY;
|
2019-10-16 03:31:45 +08:00
|
|
|
|
2020-05-02 19:14:04 +08:00
|
|
|
if (rsa->pss != NULL) {
|
|
|
|
|
const EVP_MD *md = NULL, *mgf1md = NULL;
|
2020-08-05 14:01:59 +08:00
|
|
|
int md_nid, mgf1md_nid, saltlen, trailerfield;
|
2020-05-02 19:14:04 +08:00
|
|
|
RSA_PSS_PARAMS_30 pss_params;
|
|
|
|
|
|
2021-03-18 17:41:53 +08:00
|
|
|
if (!ossl_rsa_pss_get_param_unverified(rsa->pss, &md, &mgf1md,
|
|
|
|
|
&saltlen, &trailerfield))
|
2020-05-02 19:14:04 +08:00
|
|
|
goto err;
|
Rename all getters to use get/get0 in name
For functions that exist in 1.1.1 provide a simple aliases via #define.
Fixes #15236
Functions with OSSL_DECODER_, OSSL_ENCODER_, OSSL_STORE_LOADER_,
EVP_KEYEXCH_, EVP_KEM_, EVP_ASYM_CIPHER_, EVP_SIGNATURE_,
EVP_KEYMGMT_, EVP_RAND_, EVP_MAC_, EVP_KDF_, EVP_PKEY_,
EVP_MD_, and EVP_CIPHER_ prefixes are renamed.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15405)
2021-05-21 22:58:08 +08:00
|
|
|
md_nid = EVP_MD_get_type(md);
|
|
|
|
|
mgf1md_nid = EVP_MD_get_type(mgf1md);
|
rsa: add ossl_ prefix to internal rsa_ calls.
The functions being:
rsa_check_crt_components, rsa_check_key, rsa_check_pminusq_diff,
rsa_check_prime_factor, rsa_check_prime_factor_range,
rsa_check_private_exponent, rsa_check_public_exponent,
rsa_digestinfo_encoding, rsa_fips186_4_gen_prob_primes, rsa_fromdata,
rsa_get0_all_params, rsa_get0_libctx, rsa_get0_pss_params_30,
rsa_get_lcm, rsa_mgf_nid2name, rsa_mp_coeff_names, rsa_mp_exp_names,
rsa_mp_factor_names, rsa_new_with_ctx, rsa_oaeppss_md2nid,
rsa_oaeppss_nid2name, rsa_padding_add_PKCS1_OAEP_mgf1_with_libctx,
rsa_padding_add_PKCS1_type_2_with_libctx,
rsa_padding_add_SSLv23_with_libctx, rsa_padding_check_PKCS1_type_2_TLS,
rsa_pkey_method, rsa_pss_params_30_copy, rsa_pss_params_30_fromdata,
rsa_pss_params_30_hashalg, rsa_pss_params_30_is_unrestricted,
rsa_pss_params_30_maskgenalg, rsa_pss_params_30_maskgenhashalg,
rsa_pss_params_30_saltlen, rsa_pss_params_30_set_defaults,
rsa_pss_params_30_set_hashalg, rsa_pss_params_30_set_maskgenalg,
rsa_pss_params_30_set_maskgenhashalg, rsa_pss_params_30_set_saltlen,
rsa_pss_params_30_set_trailerfield, rsa_pss_params_30_todata,
rsa_pss_params_30_trailerfield, rsa_pss_pkey_method, rsa_set0_all_params,
rsa_sp800_56b_check_keypair, rsa_sp800_56b_check_private,
rsa_sp800_56b_check_public, rsa_sp800_56b_derive_params_from_pq,
rsa_sp800_56b_generate_key, rsa_sp800_56b_pairwise_test,
rsa_sp800_56b_validate_strength, rsa_todata, rsa_validate_pairwise,
rsa_validate_private and rsa_validate_public.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13040)
2020-09-30 12:20:14 +08:00
|
|
|
if (!ossl_rsa_pss_params_30_set_defaults(&pss_params)
|
|
|
|
|
|| !ossl_rsa_pss_params_30_set_hashalg(&pss_params, md_nid)
|
|
|
|
|
|| !ossl_rsa_pss_params_30_set_maskgenhashalg(&pss_params,
|
|
|
|
|
mgf1md_nid)
|
|
|
|
|
|| !ossl_rsa_pss_params_30_set_saltlen(&pss_params, saltlen)
|
|
|
|
|
|| !ossl_rsa_pss_params_30_todata(&pss_params, tmpl, NULL))
|
2020-05-02 19:14:04 +08:00
|
|
|
goto err;
|
|
|
|
|
selection |= OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS;
|
2019-10-16 03:31:45 +08:00
|
|
|
}
|
|
|
|
|
|
2020-03-26 07:28:01 +08:00
|
|
|
if ((params = OSSL_PARAM_BLD_to_param(tmpl)) == NULL)
|
2019-10-16 03:31:45 +08:00
|
|
|
goto err;
|
|
|
|
|
|
|
|
|
|
/* We export, the provider imports */
|
2021-05-15 13:43:06 +08:00
|
|
|
rv = importer(to_keydata, selection, params);
|
2019-10-16 03:31:45 +08:00
|
|
|
|
|
|
|
|
err:
|
2021-04-07 11:45:19 +08:00
|
|
|
OSSL_PARAM_free(params);
|
2020-03-26 07:28:01 +08:00
|
|
|
OSSL_PARAM_BLD_free(tmpl);
|
Redesign the KEYMGMT libcrypto <-> provider interface - the basics
The KEYMGMT libcrypto <-> provider interface currently makes a few
assumptions:
1. provider side domain parameters and key data isn't mutable. In
other words, as soon as a key has been created in any (loaded,
imported data, ...), it's set in stone.
2. provider side domain parameters can be strictly separated from the
key data.
This does work for the most part, but there are places where that's a
bit too rigid for the functionality that the EVP_PKEY API delivers.
Key data needs to be mutable to allow the flexibility that functions
like EVP_PKEY_copy_parameters promise, as well as to provide the
combinations of data that an EVP_PKEY is generally assumed to be able
to hold:
- domain parameters only
- public key only
- public key + private key
- domain parameters + public key
- domain parameters + public key + private key
To remedy all this, we:
1. let go of the distinction between domain parameters and key
material proper in the libcrypto <-> provider interface.
As a consequence, functions that still need it gain a selection
argument, which is a set of bits that indicate what parts of the
key object are to be considered in a specific call. This allows
a reduction of very similar functions into one.
2. Rework the libcrypto <-> provider interface so provider side key
objects are created and destructed with a separate function, and
get their data filled and extracted in through import and export.
(future work will see other key object constructors and other
functions to fill them with data)
Fixes #10979
squash! Redesign the KEYMGMT libcrypto <-> provider interface - the basics
Remedy 1 needs a rewrite:
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11006)
2020-02-03 01:56:07 +08:00
|
|
|
return rv;
|
2019-10-16 03:31:45 +08:00
|
|
|
}
|
|
|
|
|
|
2020-05-02 19:14:04 +08:00
|
|
|
static int rsa_int_import_from(const OSSL_PARAM params[], void *vpctx,
|
|
|
|
|
int rsa_type)
|
2020-03-23 12:40:47 +08:00
|
|
|
{
|
2020-04-11 01:28:24 +08:00
|
|
|
EVP_PKEY_CTX *pctx = vpctx;
|
|
|
|
|
EVP_PKEY *pkey = EVP_PKEY_CTX_get0_pkey(pctx);
|
rsa: add ossl_ prefix to internal rsa_ calls.
The functions being:
rsa_check_crt_components, rsa_check_key, rsa_check_pminusq_diff,
rsa_check_prime_factor, rsa_check_prime_factor_range,
rsa_check_private_exponent, rsa_check_public_exponent,
rsa_digestinfo_encoding, rsa_fips186_4_gen_prob_primes, rsa_fromdata,
rsa_get0_all_params, rsa_get0_libctx, rsa_get0_pss_params_30,
rsa_get_lcm, rsa_mgf_nid2name, rsa_mp_coeff_names, rsa_mp_exp_names,
rsa_mp_factor_names, rsa_new_with_ctx, rsa_oaeppss_md2nid,
rsa_oaeppss_nid2name, rsa_padding_add_PKCS1_OAEP_mgf1_with_libctx,
rsa_padding_add_PKCS1_type_2_with_libctx,
rsa_padding_add_SSLv23_with_libctx, rsa_padding_check_PKCS1_type_2_TLS,
rsa_pkey_method, rsa_pss_params_30_copy, rsa_pss_params_30_fromdata,
rsa_pss_params_30_hashalg, rsa_pss_params_30_is_unrestricted,
rsa_pss_params_30_maskgenalg, rsa_pss_params_30_maskgenhashalg,
rsa_pss_params_30_saltlen, rsa_pss_params_30_set_defaults,
rsa_pss_params_30_set_hashalg, rsa_pss_params_30_set_maskgenalg,
rsa_pss_params_30_set_maskgenhashalg, rsa_pss_params_30_set_saltlen,
rsa_pss_params_30_set_trailerfield, rsa_pss_params_30_todata,
rsa_pss_params_30_trailerfield, rsa_pss_pkey_method, rsa_set0_all_params,
rsa_sp800_56b_check_keypair, rsa_sp800_56b_check_private,
rsa_sp800_56b_check_public, rsa_sp800_56b_derive_params_from_pq,
rsa_sp800_56b_generate_key, rsa_sp800_56b_pairwise_test,
rsa_sp800_56b_validate_strength, rsa_todata, rsa_validate_pairwise,
rsa_validate_private and rsa_validate_public.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13040)
2020-09-30 12:20:14 +08:00
|
|
|
RSA *rsa = ossl_rsa_new_with_ctx(pctx->libctx);
|
2020-05-02 19:14:04 +08:00
|
|
|
RSA_PSS_PARAMS_30 rsa_pss_params = { 0, };
|
2021-01-30 00:02:32 +08:00
|
|
|
int pss_defaults_set = 0;
|
2020-05-02 19:14:04 +08:00
|
|
|
int ok = 0;
|
2020-03-23 12:40:47 +08:00
|
|
|
|
|
|
|
|
if (rsa == NULL) {
|
2022-09-29 19:57:34 +08:00
|
|
|
ERR_raise(ERR_LIB_DH, ERR_R_RSA_LIB);
|
2020-03-23 12:40:47 +08:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2020-05-02 19:14:04 +08:00
|
|
|
RSA_clear_flags(rsa, RSA_FLAG_TYPE_MASK);
|
|
|
|
|
RSA_set_flags(rsa, rsa_type);
|
|
|
|
|
|
2021-01-30 00:02:32 +08:00
|
|
|
if (!ossl_rsa_pss_params_30_fromdata(&rsa_pss_params, &pss_defaults_set,
|
|
|
|
|
params, pctx->libctx))
|
2020-05-02 19:14:04 +08:00
|
|
|
goto err;
|
|
|
|
|
|
|
|
|
|
switch (rsa_type) {
|
|
|
|
|
case RSA_FLAG_TYPE_RSA:
|
|
|
|
|
/*
|
|
|
|
|
* Were PSS parameters filled in?
|
|
|
|
|
* In that case, something's wrong
|
|
|
|
|
*/
|
rsa: add ossl_ prefix to internal rsa_ calls.
The functions being:
rsa_check_crt_components, rsa_check_key, rsa_check_pminusq_diff,
rsa_check_prime_factor, rsa_check_prime_factor_range,
rsa_check_private_exponent, rsa_check_public_exponent,
rsa_digestinfo_encoding, rsa_fips186_4_gen_prob_primes, rsa_fromdata,
rsa_get0_all_params, rsa_get0_libctx, rsa_get0_pss_params_30,
rsa_get_lcm, rsa_mgf_nid2name, rsa_mp_coeff_names, rsa_mp_exp_names,
rsa_mp_factor_names, rsa_new_with_ctx, rsa_oaeppss_md2nid,
rsa_oaeppss_nid2name, rsa_padding_add_PKCS1_OAEP_mgf1_with_libctx,
rsa_padding_add_PKCS1_type_2_with_libctx,
rsa_padding_add_SSLv23_with_libctx, rsa_padding_check_PKCS1_type_2_TLS,
rsa_pkey_method, rsa_pss_params_30_copy, rsa_pss_params_30_fromdata,
rsa_pss_params_30_hashalg, rsa_pss_params_30_is_unrestricted,
rsa_pss_params_30_maskgenalg, rsa_pss_params_30_maskgenhashalg,
rsa_pss_params_30_saltlen, rsa_pss_params_30_set_defaults,
rsa_pss_params_30_set_hashalg, rsa_pss_params_30_set_maskgenalg,
rsa_pss_params_30_set_maskgenhashalg, rsa_pss_params_30_set_saltlen,
rsa_pss_params_30_set_trailerfield, rsa_pss_params_30_todata,
rsa_pss_params_30_trailerfield, rsa_pss_pkey_method, rsa_set0_all_params,
rsa_sp800_56b_check_keypair, rsa_sp800_56b_check_private,
rsa_sp800_56b_check_public, rsa_sp800_56b_derive_params_from_pq,
rsa_sp800_56b_generate_key, rsa_sp800_56b_pairwise_test,
rsa_sp800_56b_validate_strength, rsa_todata, rsa_validate_pairwise,
rsa_validate_private and rsa_validate_public.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13040)
2020-09-30 12:20:14 +08:00
|
|
|
if (!ossl_rsa_pss_params_30_is_unrestricted(&rsa_pss_params))
|
2020-05-02 19:14:04 +08:00
|
|
|
goto err;
|
|
|
|
|
break;
|
|
|
|
|
case RSA_FLAG_TYPE_RSASSAPSS:
|
|
|
|
|
/*
|
|
|
|
|
* Were PSS parameters filled in? In that case, create the old
|
|
|
|
|
* RSA_PSS_PARAMS structure. Otherwise, this is an unrestricted key.
|
|
|
|
|
*/
|
rsa: add ossl_ prefix to internal rsa_ calls.
The functions being:
rsa_check_crt_components, rsa_check_key, rsa_check_pminusq_diff,
rsa_check_prime_factor, rsa_check_prime_factor_range,
rsa_check_private_exponent, rsa_check_public_exponent,
rsa_digestinfo_encoding, rsa_fips186_4_gen_prob_primes, rsa_fromdata,
rsa_get0_all_params, rsa_get0_libctx, rsa_get0_pss_params_30,
rsa_get_lcm, rsa_mgf_nid2name, rsa_mp_coeff_names, rsa_mp_exp_names,
rsa_mp_factor_names, rsa_new_with_ctx, rsa_oaeppss_md2nid,
rsa_oaeppss_nid2name, rsa_padding_add_PKCS1_OAEP_mgf1_with_libctx,
rsa_padding_add_PKCS1_type_2_with_libctx,
rsa_padding_add_SSLv23_with_libctx, rsa_padding_check_PKCS1_type_2_TLS,
rsa_pkey_method, rsa_pss_params_30_copy, rsa_pss_params_30_fromdata,
rsa_pss_params_30_hashalg, rsa_pss_params_30_is_unrestricted,
rsa_pss_params_30_maskgenalg, rsa_pss_params_30_maskgenhashalg,
rsa_pss_params_30_saltlen, rsa_pss_params_30_set_defaults,
rsa_pss_params_30_set_hashalg, rsa_pss_params_30_set_maskgenalg,
rsa_pss_params_30_set_maskgenhashalg, rsa_pss_params_30_set_saltlen,
rsa_pss_params_30_set_trailerfield, rsa_pss_params_30_todata,
rsa_pss_params_30_trailerfield, rsa_pss_pkey_method, rsa_set0_all_params,
rsa_sp800_56b_check_keypair, rsa_sp800_56b_check_private,
rsa_sp800_56b_check_public, rsa_sp800_56b_derive_params_from_pq,
rsa_sp800_56b_generate_key, rsa_sp800_56b_pairwise_test,
rsa_sp800_56b_validate_strength, rsa_todata, rsa_validate_pairwise,
rsa_validate_private and rsa_validate_public.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13040)
2020-09-30 12:20:14 +08:00
|
|
|
if (!ossl_rsa_pss_params_30_is_unrestricted(&rsa_pss_params)) {
|
2020-05-02 19:14:04 +08:00
|
|
|
/* Create the older RSA_PSS_PARAMS from RSA_PSS_PARAMS_30 data */
|
rsa: add ossl_ prefix to internal rsa_ calls.
The functions being:
rsa_check_crt_components, rsa_check_key, rsa_check_pminusq_diff,
rsa_check_prime_factor, rsa_check_prime_factor_range,
rsa_check_private_exponent, rsa_check_public_exponent,
rsa_digestinfo_encoding, rsa_fips186_4_gen_prob_primes, rsa_fromdata,
rsa_get0_all_params, rsa_get0_libctx, rsa_get0_pss_params_30,
rsa_get_lcm, rsa_mgf_nid2name, rsa_mp_coeff_names, rsa_mp_exp_names,
rsa_mp_factor_names, rsa_new_with_ctx, rsa_oaeppss_md2nid,
rsa_oaeppss_nid2name, rsa_padding_add_PKCS1_OAEP_mgf1_with_libctx,
rsa_padding_add_PKCS1_type_2_with_libctx,
rsa_padding_add_SSLv23_with_libctx, rsa_padding_check_PKCS1_type_2_TLS,
rsa_pkey_method, rsa_pss_params_30_copy, rsa_pss_params_30_fromdata,
rsa_pss_params_30_hashalg, rsa_pss_params_30_is_unrestricted,
rsa_pss_params_30_maskgenalg, rsa_pss_params_30_maskgenhashalg,
rsa_pss_params_30_saltlen, rsa_pss_params_30_set_defaults,
rsa_pss_params_30_set_hashalg, rsa_pss_params_30_set_maskgenalg,
rsa_pss_params_30_set_maskgenhashalg, rsa_pss_params_30_set_saltlen,
rsa_pss_params_30_set_trailerfield, rsa_pss_params_30_todata,
rsa_pss_params_30_trailerfield, rsa_pss_pkey_method, rsa_set0_all_params,
rsa_sp800_56b_check_keypair, rsa_sp800_56b_check_private,
rsa_sp800_56b_check_public, rsa_sp800_56b_derive_params_from_pq,
rsa_sp800_56b_generate_key, rsa_sp800_56b_pairwise_test,
rsa_sp800_56b_validate_strength, rsa_todata, rsa_validate_pairwise,
rsa_validate_private and rsa_validate_public.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13040)
2020-09-30 12:20:14 +08:00
|
|
|
int mdnid = ossl_rsa_pss_params_30_hashalg(&rsa_pss_params);
|
|
|
|
|
int mgf1mdnid = ossl_rsa_pss_params_30_maskgenhashalg(&rsa_pss_params);
|
|
|
|
|
int saltlen = ossl_rsa_pss_params_30_saltlen(&rsa_pss_params);
|
2020-05-02 19:14:04 +08:00
|
|
|
const EVP_MD *md = EVP_get_digestbynid(mdnid);
|
|
|
|
|
const EVP_MD *mgf1md = EVP_get_digestbynid(mgf1mdnid);
|
|
|
|
|
|
2021-03-09 08:14:45 +08:00
|
|
|
if ((rsa->pss = ossl_rsa_pss_params_create(md, mgf1md,
|
|
|
|
|
saltlen)) == NULL)
|
2020-05-02 19:14:04 +08:00
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
/* RSA key sub-types we don't know how to handle yet */
|
|
|
|
|
goto err;
|
2020-03-23 12:40:47 +08:00
|
|
|
}
|
2020-05-02 19:14:04 +08:00
|
|
|
|
2021-12-06 07:27:12 +08:00
|
|
|
if (!ossl_rsa_fromdata(rsa, params, 1))
|
2020-05-02 19:14:04 +08:00
|
|
|
goto err;
|
|
|
|
|
|
|
|
|
|
switch (rsa_type) {
|
|
|
|
|
case RSA_FLAG_TYPE_RSA:
|
|
|
|
|
ok = EVP_PKEY_assign_RSA(pkey, rsa);
|
|
|
|
|
break;
|
|
|
|
|
case RSA_FLAG_TYPE_RSASSAPSS:
|
|
|
|
|
ok = EVP_PKEY_assign(pkey, EVP_PKEY_RSA_PSS, rsa);
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
err:
|
|
|
|
|
if (!ok)
|
|
|
|
|
RSA_free(rsa);
|
|
|
|
|
return ok;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int rsa_pkey_export_to(const EVP_PKEY *from, void *to_keydata,
|
2021-05-15 13:43:06 +08:00
|
|
|
OSSL_FUNC_keymgmt_import_fn *importer,
|
|
|
|
|
OSSL_LIB_CTX *libctx, const char *propq)
|
2020-05-02 19:14:04 +08:00
|
|
|
{
|
|
|
|
|
return rsa_int_export_to(from, RSA_FLAG_TYPE_RSA, to_keydata,
|
2021-05-15 13:43:06 +08:00
|
|
|
importer, libctx, propq);
|
2020-05-02 19:14:04 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int rsa_pss_pkey_export_to(const EVP_PKEY *from, void *to_keydata,
|
2021-05-15 13:43:06 +08:00
|
|
|
OSSL_FUNC_keymgmt_import_fn *importer,
|
|
|
|
|
OSSL_LIB_CTX *libctx, const char *propq)
|
2020-05-02 19:14:04 +08:00
|
|
|
{
|
|
|
|
|
return rsa_int_export_to(from, RSA_FLAG_TYPE_RSASSAPSS, to_keydata,
|
2021-05-15 13:43:06 +08:00
|
|
|
importer, libctx, propq);
|
2020-05-02 19:14:04 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int rsa_pkey_import_from(const OSSL_PARAM params[], void *vpctx)
|
|
|
|
|
{
|
|
|
|
|
return rsa_int_import_from(params, vpctx, RSA_FLAG_TYPE_RSA);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int rsa_pss_pkey_import_from(const OSSL_PARAM params[], void *vpctx)
|
|
|
|
|
{
|
|
|
|
|
return rsa_int_import_from(params, vpctx, RSA_FLAG_TYPE_RSASSAPSS);
|
2020-03-23 12:40:47 +08:00
|
|
|
}
|
|
|
|
|
|
2021-03-20 01:45:43 +08:00
|
|
|
static int rsa_pkey_copy(EVP_PKEY *to, EVP_PKEY *from)
|
|
|
|
|
{
|
|
|
|
|
RSA *rsa = from->pkey.rsa;
|
|
|
|
|
RSA *dupkey = NULL;
|
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
|
|
if (rsa != NULL) {
|
2021-04-09 00:25:26 +08:00
|
|
|
dupkey = ossl_rsa_dup(rsa, OSSL_KEYMGMT_SELECT_ALL);
|
2021-03-20 01:45:43 +08:00
|
|
|
if (dupkey == NULL)
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ret = EVP_PKEY_assign(to, from->type, dupkey);
|
|
|
|
|
if (!ret)
|
|
|
|
|
RSA_free(dupkey);
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
2021-03-09 07:48:16 +08:00
|
|
|
const EVP_PKEY_ASN1_METHOD ossl_rsa_asn1_meths[2] = {
|
2015-01-22 11:40:55 +08:00
|
|
|
{
|
|
|
|
|
EVP_PKEY_RSA,
|
|
|
|
|
EVP_PKEY_RSA,
|
|
|
|
|
ASN1_PKEY_SIGPARAM_NULL,
|
|
|
|
|
|
|
|
|
|
"RSA",
|
|
|
|
|
"OpenSSL RSA method",
|
|
|
|
|
|
|
|
|
|
rsa_pub_decode,
|
|
|
|
|
rsa_pub_encode,
|
|
|
|
|
rsa_pub_cmp,
|
|
|
|
|
rsa_pub_print,
|
|
|
|
|
|
|
|
|
|
rsa_priv_decode,
|
|
|
|
|
rsa_priv_encode,
|
|
|
|
|
rsa_priv_print,
|
|
|
|
|
|
|
|
|
|
int_rsa_size,
|
|
|
|
|
rsa_bits,
|
|
|
|
|
rsa_security_bits,
|
|
|
|
|
|
|
|
|
|
0, 0, 0, 0, 0, 0,
|
|
|
|
|
|
|
|
|
|
rsa_sig_print,
|
|
|
|
|
int_rsa_free,
|
|
|
|
|
rsa_pkey_ctrl,
|
|
|
|
|
old_rsa_priv_decode,
|
|
|
|
|
old_rsa_priv_encode,
|
|
|
|
|
rsa_item_verify,
|
2017-04-25 07:09:55 +08:00
|
|
|
rsa_item_sign,
|
2017-09-04 22:02:59 +08:00
|
|
|
rsa_sig_info_set,
|
2019-10-16 03:31:45 +08:00
|
|
|
rsa_pkey_check,
|
|
|
|
|
|
|
|
|
|
0, 0,
|
|
|
|
|
0, 0, 0, 0,
|
|
|
|
|
|
|
|
|
|
rsa_pkey_dirty_cnt,
|
2020-03-23 12:40:47 +08:00
|
|
|
rsa_pkey_export_to,
|
2021-03-20 01:45:43 +08:00
|
|
|
rsa_pkey_import_from,
|
|
|
|
|
rsa_pkey_copy
|
2017-04-25 07:09:55 +08:00
|
|
|
},
|
2015-01-22 11:40:55 +08:00
|
|
|
|
|
|
|
|
{
|
|
|
|
|
EVP_PKEY_RSA2,
|
|
|
|
|
EVP_PKEY_RSA,
|
|
|
|
|
ASN1_PKEY_ALIAS}
|
|
|
|
|
};
|
2016-11-25 05:42:49 +08:00
|
|
|
|
2021-03-09 07:48:16 +08:00
|
|
|
const EVP_PKEY_ASN1_METHOD ossl_rsa_pss_asn1_meth = {
|
2016-11-25 05:42:49 +08:00
|
|
|
EVP_PKEY_RSA_PSS,
|
|
|
|
|
EVP_PKEY_RSA_PSS,
|
|
|
|
|
ASN1_PKEY_SIGPARAM_NULL,
|
|
|
|
|
|
|
|
|
|
"RSA-PSS",
|
|
|
|
|
"OpenSSL RSA-PSS method",
|
|
|
|
|
|
|
|
|
|
rsa_pub_decode,
|
|
|
|
|
rsa_pub_encode,
|
|
|
|
|
rsa_pub_cmp,
|
|
|
|
|
rsa_pub_print,
|
|
|
|
|
|
|
|
|
|
rsa_priv_decode,
|
|
|
|
|
rsa_priv_encode,
|
|
|
|
|
rsa_priv_print,
|
|
|
|
|
|
|
|
|
|
int_rsa_size,
|
|
|
|
|
rsa_bits,
|
|
|
|
|
rsa_security_bits,
|
|
|
|
|
|
|
|
|
|
0, 0, 0, 0, 0, 0,
|
|
|
|
|
|
|
|
|
|
rsa_sig_print,
|
|
|
|
|
int_rsa_free,
|
|
|
|
|
rsa_pkey_ctrl,
|
|
|
|
|
0, 0,
|
|
|
|
|
rsa_item_verify,
|
|
|
|
|
rsa_item_sign,
|
2021-01-27 17:30:58 +08:00
|
|
|
rsa_sig_info_set,
|
2019-10-16 03:31:45 +08:00
|
|
|
rsa_pkey_check,
|
|
|
|
|
|
|
|
|
|
0, 0,
|
|
|
|
|
0, 0, 0, 0,
|
|
|
|
|
|
|
|
|
|
rsa_pkey_dirty_cnt,
|
2020-05-02 19:14:04 +08:00
|
|
|
rsa_pss_pkey_export_to,
|
2021-03-20 01:45:43 +08:00
|
|
|
rsa_pss_pkey_import_from,
|
|
|
|
|
rsa_pkey_copy
|
2016-11-25 05:42:49 +08:00
|
|
|
};
|
