1/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2 * project 2006. 3 */ 4/* ==================================================================== 5 * Copyright (c) 2006 The OpenSSL Project. All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in 16 * the documentation and/or other materials provided with the 17 * distribution. 18 * 19 * 3. All advertising materials mentioning features or use of this 20 * software must display the following acknowledgment: 21 * "This product includes software developed by the OpenSSL Project 22 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 23 * 24 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 25 * endorse or promote products derived from this software without 26 * prior written permission. For written permission, please contact 27 * licensing@OpenSSL.org. 28 * 29 * 5. Products derived from this software may not be called "OpenSSL" 30 * nor may "OpenSSL" appear in their names without prior written 31 * permission of the OpenSSL Project. 32 * 33 * 6. Redistributions of any form whatsoever must retain the following 34 * acknowledgment: 35 * "This product includes software developed by the OpenSSL Project 36 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 37 * 38 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 39 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 40 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 41 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 42 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 43 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 44 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 45 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 46 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 47 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 48 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 49 * OF THE POSSIBILITY OF SUCH DAMAGE. 50 * ==================================================================== 51 * 52 * This product includes cryptographic software written by Eric Young 53 * (eay@cryptsoft.com). This product includes software written by Tim 54 * Hudson (tjh@cryptsoft.com). */ 55 56#include <openssl/evp.h> 57 58#include <openssl/asn1.h> 59#include <openssl/asn1t.h> 60#include <openssl/digest.h> 61#include <openssl/err.h> 62#include <openssl/mem.h> 63#include <openssl/obj.h> 64#include <openssl/rsa.h> 65#include <openssl/x509.h> 66 67#include "../rsa/internal.h" 68#include "internal.h" 69 70 71static int rsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey) { 72 uint8_t *encoded = NULL; 73 int len; 74 len = i2d_RSAPublicKey(pkey->pkey.rsa, &encoded); 75 76 if (len <= 0) { 77 return 0; 78 } 79 80 if (!X509_PUBKEY_set0_param(pk, OBJ_nid2obj(EVP_PKEY_RSA), V_ASN1_NULL, NULL, 81 encoded, len)) { 82 OPENSSL_free(encoded); 83 return 0; 84 } 85 86 return 1; 87} 88 89static int rsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey) { 90 const uint8_t *p; 91 int pklen; 92 RSA *rsa; 93 94 if (!X509_PUBKEY_get0_param(NULL, &p, &pklen, NULL, pubkey)) { 95 return 0; 96 } 97 rsa = d2i_RSAPublicKey(NULL, &p, pklen); 98 if (rsa == NULL) { 99 OPENSSL_PUT_ERROR(EVP, rsa_pub_decode, ERR_R_RSA_LIB); 100 return 0; 101 } 102 EVP_PKEY_assign_RSA(pkey, rsa); 103 return 1; 104} 105 106static int rsa_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b) { 107 return BN_cmp(b->pkey.rsa->n, a->pkey.rsa->n) == 0 && 108 BN_cmp(b->pkey.rsa->e, a->pkey.rsa->e) == 0; 109} 110 111static int rsa_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey) { 112 uint8_t *rk = NULL; 113 int rklen; 114 115 rklen = i2d_RSAPrivateKey(pkey->pkey.rsa, &rk); 116 117 if (rklen <= 0) { 118 OPENSSL_PUT_ERROR(EVP, rsa_priv_encode, ERR_R_MALLOC_FAILURE); 119 return 0; 120 } 121 122 /* TODO(fork): const correctness in next line. */ 123 if (!PKCS8_pkey_set0(p8, (ASN1_OBJECT *)OBJ_nid2obj(NID_rsaEncryption), 0, 124 V_ASN1_NULL, NULL, rk, rklen)) { 125 OPENSSL_PUT_ERROR(EVP, rsa_priv_encode, ERR_R_MALLOC_FAILURE); 126 return 0; 127 } 128 129 return 1; 130} 131 132static int rsa_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8) { 133 const uint8_t *p; 134 int pklen; 135 RSA *rsa; 136 137 if (!PKCS8_pkey_get0(NULL, &p, &pklen, NULL, p8)) { 138 OPENSSL_PUT_ERROR(EVP, rsa_priv_decode, ERR_R_MALLOC_FAILURE); 139 return 0; 140 } 141 142 rsa = d2i_RSAPrivateKey(NULL, &p, pklen); 143 if (rsa == NULL) { 144 OPENSSL_PUT_ERROR(EVP, rsa_priv_decode, ERR_R_RSA_LIB); 145 return 0; 146 } 147 148 EVP_PKEY_assign_RSA(pkey, rsa); 149 return 1; 150} 151 152static int rsa_opaque(const EVP_PKEY *pkey) { 153 return RSA_is_opaque(pkey->pkey.rsa); 154} 155 156static int int_rsa_size(const EVP_PKEY *pkey) { 157 return RSA_size(pkey->pkey.rsa); 158} 159 160static int rsa_bits(const EVP_PKEY *pkey) { 161 return BN_num_bits(pkey->pkey.rsa->n); 162} 163 164static void int_rsa_free(EVP_PKEY *pkey) { RSA_free(pkey->pkey.rsa); } 165 166static void update_buflen(const BIGNUM *b, size_t *pbuflen) { 167 size_t i; 168 169 if (!b) { 170 return; 171 } 172 173 i = BN_num_bytes(b); 174 if (*pbuflen < i) { 175 *pbuflen = i; 176 } 177} 178 179static int do_rsa_print(BIO *out, const RSA *rsa, int off, 180 int include_private) { 181 char *str; 182 const char *s; 183 uint8_t *m = NULL; 184 int ret = 0, mod_len = 0; 185 size_t buf_len = 0; 186 187 update_buflen(rsa->n, &buf_len); 188 update_buflen(rsa->e, &buf_len); 189 190 if (include_private) { 191 update_buflen(rsa->d, &buf_len); 192 update_buflen(rsa->p, &buf_len); 193 update_buflen(rsa->q, &buf_len); 194 update_buflen(rsa->dmp1, &buf_len); 195 update_buflen(rsa->dmq1, &buf_len); 196 update_buflen(rsa->iqmp, &buf_len); 197 } 198 199 m = (uint8_t *)OPENSSL_malloc(buf_len + 10); 200 if (m == NULL) { 201 OPENSSL_PUT_ERROR(EVP, do_rsa_print, ERR_R_MALLOC_FAILURE); 202 goto err; 203 } 204 205 if (rsa->n != NULL) { 206 mod_len = BN_num_bits(rsa->n); 207 } 208 209 if (!BIO_indent(out, off, 128)) { 210 goto err; 211 } 212 213 if (include_private && rsa->d) { 214 if (BIO_printf(out, "Private-Key: (%d bit)\n", mod_len) <= 0) { 215 goto err; 216 } 217 str = "modulus:"; 218 s = "publicExponent:"; 219 } else { 220 if (BIO_printf(out, "Public-Key: (%d bit)\n", mod_len) <= 0) { 221 goto err; 222 } 223 str = "Modulus:"; 224 s = "Exponent:"; 225 } 226 if (!ASN1_bn_print(out, str, rsa->n, m, off) || 227 !ASN1_bn_print(out, s, rsa->e, m, off)) { 228 goto err; 229 } 230 231 if (include_private) { 232 if (!ASN1_bn_print(out, "privateExponent:", rsa->d, m, off) || 233 !ASN1_bn_print(out, "prime1:", rsa->p, m, off) || 234 !ASN1_bn_print(out, "prime2:", rsa->q, m, off) || 235 !ASN1_bn_print(out, "exponent1:", rsa->dmp1, m, off) || 236 !ASN1_bn_print(out, "exponent2:", rsa->dmq1, m, off) || 237 !ASN1_bn_print(out, "coefficient:", rsa->iqmp, m, off)) { 238 goto err; 239 } 240 } 241 ret = 1; 242 243err: 244 if (m != NULL) { 245 OPENSSL_free(m); 246 } 247 return ret; 248} 249 250static int rsa_pub_print(BIO *bp, const EVP_PKEY *pkey, int indent, 251 ASN1_PCTX *ctx) { 252 return do_rsa_print(bp, pkey->pkey.rsa, indent, 0); 253} 254 255 256static int rsa_priv_print(BIO *bp, const EVP_PKEY *pkey, int indent, 257 ASN1_PCTX *ctx) { 258 return do_rsa_print(bp, pkey->pkey.rsa, indent, 1); 259} 260 261/* Given an MGF1 Algorithm ID decode to an Algorithm Identifier */ 262static X509_ALGOR *rsa_mgf1_decode(X509_ALGOR *alg) { 263 const uint8_t *p; 264 int plen; 265 266 if (alg == NULL || 267 OBJ_obj2nid(alg->algorithm) != NID_mgf1 || 268 alg->parameter->type != V_ASN1_SEQUENCE) { 269 return NULL; 270 } 271 272 p = alg->parameter->value.sequence->data; 273 plen = alg->parameter->value.sequence->length; 274 return d2i_X509_ALGOR(NULL, &p, plen); 275} 276 277static RSA_PSS_PARAMS *rsa_pss_decode(const X509_ALGOR *alg, 278 X509_ALGOR **pmaskHash) { 279 const uint8_t *p; 280 int plen; 281 RSA_PSS_PARAMS *pss; 282 283 *pmaskHash = NULL; 284 285 if (!alg->parameter || alg->parameter->type != V_ASN1_SEQUENCE) { 286 return NULL; 287 } 288 p = alg->parameter->value.sequence->data; 289 plen = alg->parameter->value.sequence->length; 290 pss = d2i_RSA_PSS_PARAMS(NULL, &p, plen); 291 292 if (!pss) { 293 return NULL; 294 } 295 296 *pmaskHash = rsa_mgf1_decode(pss->maskGenAlgorithm); 297 298 return pss; 299} 300 301static int rsa_pss_param_print(BIO *bp, RSA_PSS_PARAMS *pss, 302 X509_ALGOR *maskHash, int indent) { 303 int rv = 0; 304 305 if (!pss) { 306 if (BIO_puts(bp, " (INVALID PSS PARAMETERS)\n") <= 0) { 307 return 0; 308 } 309 return 1; 310 } 311 312 if (BIO_puts(bp, "\n") <= 0 || 313 !BIO_indent(bp, indent, 128) || 314 BIO_puts(bp, "Hash Algorithm: ") <= 0) { 315 goto err; 316 } 317 318 if (pss->hashAlgorithm) { 319 if (i2a_ASN1_OBJECT(bp, pss->hashAlgorithm->algorithm) <= 0) { 320 goto err; 321 } 322 } else if (BIO_puts(bp, "sha1 (default)") <= 0) { 323 goto err; 324 } 325 326 if (BIO_puts(bp, "\n") <= 0 || 327 !BIO_indent(bp, indent, 128) || 328 BIO_puts(bp, "Mask Algorithm: ") <= 0) { 329 goto err; 330 } 331 332 if (pss->maskGenAlgorithm) { 333 if (i2a_ASN1_OBJECT(bp, pss->maskGenAlgorithm->algorithm) <= 0 || 334 BIO_puts(bp, " with ") <= 0) { 335 goto err; 336 } 337 338 if (maskHash) { 339 if (i2a_ASN1_OBJECT(bp, maskHash->algorithm) <= 0) { 340 goto err; 341 } 342 } else if (BIO_puts(bp, "INVALID") <= 0) { 343 goto err; 344 } 345 } else if (BIO_puts(bp, "mgf1 with sha1 (default)") <= 0) { 346 goto err; 347 } 348 BIO_puts(bp, "\n"); 349 350 if (!BIO_indent(bp, indent, 128) || 351 BIO_puts(bp, "Salt Length: 0x") <= 0) { 352 goto err; 353 } 354 355 if (pss->saltLength) { 356 if (i2a_ASN1_INTEGER(bp, pss->saltLength) <= 0) { 357 goto err; 358 } 359 } else if (BIO_puts(bp, "14 (default)") <= 0) { 360 goto err; 361 } 362 BIO_puts(bp, "\n"); 363 364 if (!BIO_indent(bp, indent, 128) || 365 BIO_puts(bp, "Trailer Field: 0x") <= 0) { 366 goto err; 367 } 368 369 if (pss->trailerField) { 370 if (i2a_ASN1_INTEGER(bp, pss->trailerField) <= 0) { 371 goto err; 372 } 373 } else if (BIO_puts(bp, "BC (default)") <= 0) { 374 goto err; 375 } 376 BIO_puts(bp, "\n"); 377 378 rv = 1; 379 380err: 381 return rv; 382} 383 384static int rsa_sig_print(BIO *bp, const X509_ALGOR *sigalg, 385 const ASN1_STRING *sig, int indent, ASN1_PCTX *pctx) { 386 if (OBJ_obj2nid(sigalg->algorithm) == NID_rsassaPss) { 387 int rv; 388 RSA_PSS_PARAMS *pss; 389 X509_ALGOR *maskHash; 390 391 pss = rsa_pss_decode(sigalg, &maskHash); 392 rv = rsa_pss_param_print(bp, pss, maskHash, indent); 393 if (pss) { 394 RSA_PSS_PARAMS_free(pss); 395 } 396 if (maskHash) { 397 X509_ALGOR_free(maskHash); 398 } 399 if (!rv) { 400 return 0; 401 } 402 } else if (!sig && BIO_puts(bp, "\n") <= 0) { 403 return 0; 404 } 405 406 if (sig) { 407 return X509_signature_dump(bp, sig, indent); 408 } 409 return 1; 410} 411 412static int rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2) { 413 X509_ALGOR *alg = NULL; 414 switch (op) { 415 case ASN1_PKEY_CTRL_DEFAULT_MD_NID: 416 *(int *)arg2 = NID_sha1; 417 return 1; 418 419 default: 420 return -2; 421 } 422 423 if (alg) { 424 X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption), V_ASN1_NULL, 0); 425 } 426 427 return 1; 428} 429 430static int old_rsa_priv_decode(EVP_PKEY *pkey, const unsigned char **pder, 431 int derlen) { 432 RSA *rsa = d2i_RSAPrivateKey(NULL, pder, derlen); 433 if (rsa == NULL) { 434 OPENSSL_PUT_ERROR(EVP, old_rsa_priv_decode, ERR_R_RSA_LIB); 435 return 0; 436 } 437 EVP_PKEY_assign_RSA(pkey, rsa); 438 return 1; 439} 440 441static int old_rsa_priv_encode(const EVP_PKEY *pkey, unsigned char **pder) { 442 return i2d_RSAPrivateKey(pkey->pkey.rsa, pder); 443} 444 445/* allocate and set algorithm ID from EVP_MD, default SHA1 */ 446static int rsa_md_to_algor(X509_ALGOR **palg, const EVP_MD *md) { 447 if (EVP_MD_type(md) == NID_sha1) { 448 return 1; 449 } 450 *palg = X509_ALGOR_new(); 451 if (!*palg) { 452 return 0; 453 } 454 X509_ALGOR_set_md(*palg, md); 455 return 1; 456} 457 458/* Allocate and set MGF1 algorithm ID from EVP_MD */ 459static int rsa_md_to_mgf1(X509_ALGOR **palg, const EVP_MD *mgf1md) { 460 X509_ALGOR *algtmp = NULL; 461 ASN1_STRING *stmp = NULL; 462 *palg = NULL; 463 464 if (EVP_MD_type(mgf1md) == NID_sha1) { 465 return 1; 466 } 467 /* need to embed algorithm ID inside another */ 468 if (!rsa_md_to_algor(&algtmp, mgf1md) || 469 !ASN1_item_pack(algtmp, ASN1_ITEM_rptr(X509_ALGOR), &stmp)) { 470 goto err; 471 } 472 *palg = X509_ALGOR_new(); 473 if (!*palg) { 474 goto err; 475 } 476 X509_ALGOR_set0(*palg, OBJ_nid2obj(NID_mgf1), V_ASN1_SEQUENCE, stmp); 477 stmp = NULL; 478 479err: 480 if (stmp) 481 ASN1_STRING_free(stmp); 482 if (algtmp) 483 X509_ALGOR_free(algtmp); 484 if (*palg) 485 return 1; 486 487 return 0; 488} 489 490/* convert algorithm ID to EVP_MD, default SHA1 */ 491static const EVP_MD *rsa_algor_to_md(X509_ALGOR *alg) { 492 const EVP_MD *md; 493 if (!alg) { 494 return EVP_sha1(); 495 } 496 md = EVP_get_digestbyobj(alg->algorithm); 497 if (md == NULL) { 498 OPENSSL_PUT_ERROR(EVP, rsa_algor_to_md, EVP_R_UNKNOWN_DIGEST); 499 } 500 return md; 501} 502 503/* convert MGF1 algorithm ID to EVP_MD, default SHA1 */ 504static const EVP_MD *rsa_mgf1_to_md(X509_ALGOR *alg, X509_ALGOR *maskHash) { 505 const EVP_MD *md; 506 if (!alg) { 507 return EVP_sha1(); 508 } 509 /* Check mask and lookup mask hash algorithm */ 510 if (OBJ_obj2nid(alg->algorithm) != NID_mgf1) { 511 OPENSSL_PUT_ERROR(EVP, rsa_mgf1_to_md, EVP_R_UNSUPPORTED_MASK_ALGORITHM); 512 return NULL; 513 } 514 if (!maskHash) { 515 OPENSSL_PUT_ERROR(EVP, rsa_mgf1_to_md, EVP_R_UNSUPPORTED_MASK_PARAMETER); 516 return NULL; 517 } 518 md = EVP_get_digestbyobj(maskHash->algorithm); 519 if (md == NULL) { 520 OPENSSL_PUT_ERROR(EVP, rsa_mgf1_to_md, EVP_R_UNKNOWN_MASK_DIGEST); 521 return NULL; 522 } 523 return md; 524} 525 526/* rsa_ctx_to_pss converts EVP_PKEY_CTX in PSS mode into corresponding 527 * algorithm parameter, suitable for setting as an AlgorithmIdentifier. */ 528static ASN1_STRING *rsa_ctx_to_pss(EVP_PKEY_CTX *pkctx) { 529 const EVP_MD *sigmd, *mgf1md; 530 RSA_PSS_PARAMS *pss = NULL; 531 ASN1_STRING *os = NULL; 532 EVP_PKEY *pk = EVP_PKEY_CTX_get0_pkey(pkctx); 533 int saltlen, rv = 0; 534 535 if (EVP_PKEY_CTX_get_signature_md(pkctx, &sigmd) <= 0 || 536 EVP_PKEY_CTX_get_rsa_mgf1_md(pkctx, &mgf1md) <= 0 || 537 !EVP_PKEY_CTX_get_rsa_pss_saltlen(pkctx, &saltlen)) { 538 goto err; 539 } 540 541 if (saltlen == -1) { 542 saltlen = EVP_MD_size(sigmd); 543 } else if (saltlen == -2) { 544 saltlen = EVP_PKEY_size(pk) - EVP_MD_size(sigmd) - 2; 545 if (((EVP_PKEY_bits(pk) - 1) & 0x7) == 0) { 546 saltlen--; 547 } 548 } else { 549 goto err; 550 } 551 552 pss = RSA_PSS_PARAMS_new(); 553 if (!pss) { 554 goto err; 555 } 556 557 if (saltlen != 20) { 558 pss->saltLength = ASN1_INTEGER_new(); 559 if (!pss->saltLength || 560 !ASN1_INTEGER_set(pss->saltLength, saltlen)) { 561 goto err; 562 } 563 } 564 565 if (!rsa_md_to_algor(&pss->hashAlgorithm, sigmd) || 566 !rsa_md_to_mgf1(&pss->maskGenAlgorithm, mgf1md)) { 567 goto err; 568 } 569 570 /* Finally create string with pss parameter encoding. */ 571 if (!ASN1_item_pack(pss, ASN1_ITEM_rptr(RSA_PSS_PARAMS), &os)) { 572 goto err; 573 } 574 rv = 1; 575 576err: 577 if (pss) 578 RSA_PSS_PARAMS_free(pss); 579 if (rv) 580 return os; 581 if (os) 582 ASN1_STRING_free(os); 583 return NULL; 584} 585 586/* From PSS AlgorithmIdentifier set public key parameters. If pkey 587 * isn't NULL then the EVP_MD_CTX is setup and initalised. If it 588 * is NULL parameters are passed to pkctx instead. */ 589static int rsa_pss_to_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pkctx, 590 X509_ALGOR *sigalg, EVP_PKEY *pkey) { 591 int ret = -1; 592 int saltlen; 593 const EVP_MD *mgf1md = NULL, *md = NULL; 594 RSA_PSS_PARAMS *pss; 595 X509_ALGOR *maskHash; 596 597 /* Sanity check: make sure it is PSS */ 598 if (OBJ_obj2nid(sigalg->algorithm) != NID_rsassaPss) { 599 OPENSSL_PUT_ERROR(EVP, rsa_pss_to_ctx, EVP_R_UNSUPPORTED_SIGNATURE_TYPE); 600 return -1; 601 } 602 /* Decode PSS parameters */ 603 pss = rsa_pss_decode(sigalg, &maskHash); 604 if (pss == NULL) { 605 OPENSSL_PUT_ERROR(EVP, rsa_pss_to_ctx, EVP_R_INVALID_PSS_PARAMETERS); 606 goto err; 607 } 608 609 mgf1md = rsa_mgf1_to_md(pss->maskGenAlgorithm, maskHash); 610 if (!mgf1md) { 611 goto err; 612 } 613 md = rsa_algor_to_md(pss->hashAlgorithm); 614 if (!md) { 615 goto err; 616 } 617 618 saltlen = 20; 619 if (pss->saltLength) { 620 saltlen = ASN1_INTEGER_get(pss->saltLength); 621 622 /* Could perform more salt length sanity checks but the main 623 * RSA routines will trap other invalid values anyway. */ 624 if (saltlen < 0) { 625 OPENSSL_PUT_ERROR(EVP, rsa_pss_to_ctx, EVP_R_INVALID_SALT_LENGTH); 626 goto err; 627 } 628 } 629 630 /* low-level routines support only trailer field 0xbc (value 1) 631 * and PKCS#1 says we should reject any other value anyway. */ 632 if (pss->trailerField && ASN1_INTEGER_get(pss->trailerField) != 1) { 633 OPENSSL_PUT_ERROR(EVP, rsa_pss_to_ctx, EVP_R_INVALID_TRAILER); 634 goto err; 635 } 636 637 if (pkey) { 638 if (!EVP_DigestVerifyInit(ctx, &pkctx, md, NULL, pkey)) { 639 goto err; 640 } 641 } else { 642 const EVP_MD *checkmd; 643 if (EVP_PKEY_CTX_get_signature_md(pkctx, &checkmd) <= 0) { 644 goto err; 645 } 646 if (EVP_MD_type(md) != EVP_MD_type(checkmd)) { 647 OPENSSL_PUT_ERROR(EVP, rsa_pss_to_ctx, EVP_R_DIGEST_DOES_NOT_MATCH); 648 goto err; 649 } 650 } 651 652 if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_PSS_PADDING) <= 0 || 653 EVP_PKEY_CTX_set_rsa_pss_saltlen(pkctx, saltlen) <= 0 || 654 EVP_PKEY_CTX_set_rsa_mgf1_md(pkctx, mgf1md) <= 0) { 655 goto err; 656 } 657 658 ret = 1; 659 660err: 661 RSA_PSS_PARAMS_free(pss); 662 if (maskHash) { 663 X509_ALGOR_free(maskHash); 664 } 665 return ret; 666} 667 668/* Customised RSA item verification routine. This is called 669 * when a signature is encountered requiring special handling. We 670 * currently only handle PSS. */ 671static int rsa_item_verify(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn, 672 X509_ALGOR *sigalg, ASN1_BIT_STRING *sig, 673 EVP_PKEY *pkey) { 674 /* Sanity check: make sure it is PSS */ 675 if (OBJ_obj2nid(sigalg->algorithm) != NID_rsassaPss) { 676 OPENSSL_PUT_ERROR(EVP, rsa_item_verify, EVP_R_UNSUPPORTED_SIGNATURE_TYPE); 677 return -1; 678 } 679 if (rsa_pss_to_ctx(ctx, NULL, sigalg, pkey)) { 680 /* Carry on */ 681 return 2; 682 } 683 684 return -1; 685} 686 687static int rsa_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn, 688 X509_ALGOR *alg1, X509_ALGOR *alg2, 689 ASN1_BIT_STRING *sig) { 690 int pad_mode; 691 EVP_PKEY_CTX *pkctx = ctx->pctx; 692 if (EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode) <= 0) { 693 return 0; 694 } 695 if (pad_mode == RSA_PKCS1_PADDING) { 696 return 2; 697 } 698 if (pad_mode == RSA_PKCS1_PSS_PADDING) { 699 ASN1_STRING *os1 = rsa_ctx_to_pss(pkctx); 700 if (!os1) { 701 return 0; 702 } 703 /* Duplicate parameters if we have to */ 704 if (alg2) { 705 ASN1_STRING *os2 = ASN1_STRING_dup(os1); 706 if (!os2) { 707 ASN1_STRING_free(os1); 708 return 0; 709 } 710 X509_ALGOR_set0(alg2, OBJ_nid2obj(NID_rsassaPss), V_ASN1_SEQUENCE, os2); 711 } 712 X509_ALGOR_set0(alg1, OBJ_nid2obj(NID_rsassaPss), V_ASN1_SEQUENCE, os1); 713 return 3; 714 } 715 return 2; 716} 717 718const EVP_PKEY_ASN1_METHOD rsa_asn1_meth = { 719 EVP_PKEY_RSA, 720 EVP_PKEY_RSA, 721 ASN1_PKEY_SIGPARAM_NULL, 722 723 "RSA", 724 "OpenSSL RSA method", 725 726 rsa_pub_decode, 727 rsa_pub_encode, 728 rsa_pub_cmp, 729 rsa_pub_print, 730 731 rsa_priv_decode, 732 rsa_priv_encode, 733 rsa_priv_print, 734 735 rsa_opaque, 736 737 int_rsa_size, 738 rsa_bits, 739 740 0,0,0,0,0,0, 741 742 rsa_sig_print, 743 int_rsa_free, 744 rsa_pkey_ctrl, 745 746 old_rsa_priv_decode, 747 old_rsa_priv_encode, 748 749 rsa_item_verify, 750 rsa_item_sign, 751}; 752 753const EVP_PKEY_ASN1_METHOD rsa_asn1_meth_2 = { 754 EVP_PKEY_RSA2, 755 EVP_PKEY_RSA, 756 ASN1_PKEY_ALIAS, 757}; 758