Path: blob/main/crypto/openssl/providers/common/der/der_rsa_key.c
/*
 * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/*
 * RSA low level APIs are deprecated for public use, but still ok for
 * internal use.
 */
#include "internal/deprecated.h"

#include <openssl/obj_mac.h>
#include "internal/cryptlib.h"
#include "prov/der_rsa.h"
#include "prov/der_digests.h"

/* More complex pre-compiled sequences. */

/*-
 * From https://tools.ietf.org/html/rfc8017#appendix-A.2.1
 *
 * OAEP-PSSDigestAlgorithms    ALGORITHM-IDENTIFIER ::= {
 *     { OID id-sha1       PARAMETERS NULL }|
 *     { OID id-sha224     PARAMETERS NULL }|
 *     { OID id-sha256     PARAMETERS NULL }|
 *     { OID id-sha384     PARAMETERS NULL }|
 *     { OID id-sha512     PARAMETERS NULL }|
 *     { OID id-sha512-224 PARAMETERS NULL }|
 *     { OID id-sha512-256 PARAMETERS NULL },
 *     ...  -- Allows for future expansion --
 * }
 */
/*
 * Encoded ASN.1 NULL used as the PARAMETERS of every digest below: the
 * DER_P_NULL tag followed by a zero length byte, i.e. two bytes in total.
 */
#define DER_V_NULL DER_P_NULL, 0
#define DER_SZ_NULL 2

/*
 * The names for the hash function AlgorithmIdentifiers are borrowed and
 * expanded from https://tools.ietf.org/html/rfc4055#section-2.1
 *
 * sha1Identifier  AlgorithmIdentifier  ::=  { id-sha1, NULL }
 * sha224Identifier  AlgorithmIdentifier  ::=  { id-sha224, NULL }
 * sha256Identifier  AlgorithmIdentifier  ::=  { id-sha256, NULL }
 * sha384Identifier  AlgorithmIdentifier  ::=  { id-sha384, NULL }
 * sha512Identifier  AlgorithmIdentifier  ::=  { id-sha512, NULL }
 */
/*
 * NOTE: Some of the arrays aren't used other than inside sizeof(), which
 * clang complains about (-Wno-unneeded-internal-declaration).  To get
 * around that, we make them non-static, and declare them an extra time to
 * avoid compilers complaining about definitions without declarations.
 */
/*
 * Layout shared by every DER_AID_V_<hash>Identifier macro below: a
 * constructed SEQUENCE tag, ONE length byte, the digest OID bytes and the
 * encoded NULL parameters.  The matching DER_AID_SZ_* macro is the size of
 * the whole encoded AlgorithmIdentifier, taken with sizeof() on the array.
 *
 * The length is written as a single byte, which is only a valid DER
 * short-form length while DER_OID_SZ_* + DER_SZ_NULL is at most 127.
 * NOTE(review): no compile-time check of that bound is visible in this
 * file - confirm it when adding an entry.
 */
#define DER_AID_V_sha1Identifier \
    DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
        DER_OID_SZ_id_sha1 + DER_SZ_NULL, \
        DER_OID_V_id_sha1, \
        DER_V_NULL
extern const unsigned char ossl_der_aid_sha1Identifier[];
const unsigned char ossl_der_aid_sha1Identifier[] = {
    DER_AID_V_sha1Identifier
};
#define DER_AID_SZ_sha1Identifier sizeof(ossl_der_aid_sha1Identifier)

#define DER_AID_V_sha224Identifier \
    DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
        DER_OID_SZ_id_sha224 + DER_SZ_NULL, \
        DER_OID_V_id_sha224, \
        DER_V_NULL
extern const unsigned char ossl_der_aid_sha224Identifier[];
const unsigned char ossl_der_aid_sha224Identifier[] = {
    DER_AID_V_sha224Identifier
};
#define DER_AID_SZ_sha224Identifier sizeof(ossl_der_aid_sha224Identifier)

#define DER_AID_V_sha256Identifier \
    DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
        DER_OID_SZ_id_sha256 + DER_SZ_NULL, \
        DER_OID_V_id_sha256, \
        DER_V_NULL
extern const unsigned char ossl_der_aid_sha256Identifier[];
const unsigned char ossl_der_aid_sha256Identifier[] = {
    DER_AID_V_sha256Identifier
};
#define DER_AID_SZ_sha256Identifier sizeof(ossl_der_aid_sha256Identifier)

#define DER_AID_V_sha384Identifier \
    DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
        DER_OID_SZ_id_sha384 + DER_SZ_NULL, \
        DER_OID_V_id_sha384, \
        DER_V_NULL
extern const unsigned char ossl_der_aid_sha384Identifier[];
const unsigned char ossl_der_aid_sha384Identifier[] = {
    DER_AID_V_sha384Identifier
};
#define DER_AID_SZ_sha384Identifier sizeof(ossl_der_aid_sha384Identifier)

#define DER_AID_V_sha512Identifier \
    DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
        DER_OID_SZ_id_sha512 + DER_SZ_NULL, \
        DER_OID_V_id_sha512, \
        DER_V_NULL
extern const unsigned char ossl_der_aid_sha512Identifier[];
const unsigned char ossl_der_aid_sha512Identifier[] = {
    DER_AID_V_sha512Identifier
};
#define DER_AID_SZ_sha512Identifier sizeof(ossl_der_aid_sha512Identifier)

#define DER_AID_V_sha512_224Identifier \
    DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
        DER_OID_SZ_id_sha512_224 + DER_SZ_NULL, \
        DER_OID_V_id_sha512_224, \
        DER_V_NULL
extern const unsigned char ossl_der_aid_sha512_224Identifier[];
const unsigned char ossl_der_aid_sha512_224Identifier[] = {
    DER_AID_V_sha512_224Identifier
};
#define DER_AID_SZ_sha512_224Identifier sizeof(ossl_der_aid_sha512_224Identifier)

#define DER_AID_V_sha512_256Identifier \
    DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
        DER_OID_SZ_id_sha512_256 + DER_SZ_NULL, \
        DER_OID_V_id_sha512_256, \
        DER_V_NULL
extern const unsigned char ossl_der_aid_sha512_256Identifier[];
const unsigned char ossl_der_aid_sha512_256Identifier[] = {
    DER_AID_V_sha512_256Identifier
};
#define DER_AID_SZ_sha512_256Identifier sizeof(ossl_der_aid_sha512_256Identifier)

/*-
 * From https://tools.ietf.org/html/rfc8017#appendix-A.2.1
 *
 * HashAlgorithm ::= AlgorithmIdentifier {
 *    {OAEP-PSSDigestAlgorithms}
 * }
 *
 * ...
 *
 * PKCS1MGFAlgorithms    ALGORITHM-IDENTIFIER ::= {
 *     { OID id-mgf1 PARAMETERS HashAlgorithm },
 *     ...  -- Allows for future expansion --
 * }
 */

/*
 * The names for the MGF1 AlgorithmIdentifiers are borrowed and expanded
 * from https://tools.ietf.org/html/rfc4055#section-2.1
 *
 * mgf1SHA1Identifier  AlgorithmIdentifier  ::=
 *                      { id-mgf1, sha1Identifier }
 * mgf1SHA224Identifier  AlgorithmIdentifier  ::=
 *                      { id-mgf1, sha224Identifier }
 * mgf1SHA256Identifier  AlgorithmIdentifier  ::=
 *                      { id-mgf1, sha256Identifier }
 * mgf1SHA384Identifier  AlgorithmIdentifier  ::=
 *                      { id-mgf1, sha384Identifier }
 * mgf1SHA512Identifier  AlgorithmIdentifier  ::=
 *                      { id-mgf1, sha512Identifier }
 */
/*
 * Each MGF1 identifier nests a complete hash AlgorithmIdentifier as its
 * parameters: SEQUENCE tag, one length byte (id-mgf1 OID size plus the size
 * of the nested hash identifier), the id-mgf1 OID, then the nested bytes.
 * The single length byte carries the same at-most-127 assumption as the
 * hash identifiers above.
 */
#if 0                            /* Currently unused */
#define DER_AID_V_mgf1SHA1Identifier \
    DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
        DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha1Identifier, \
        DER_OID_V_id_mgf1, \
        DER_AID_V_sha1Identifier
static const unsigned char der_aid_mgf1SHA1Identifier[] = {
    DER_AID_V_mgf1SHA1Identifier
};
#define DER_AID_SZ_mgf1SHA1Identifier sizeof(der_aid_mgf1SHA1Identifier)
#endif

#define DER_AID_V_mgf1SHA224Identifier \
    DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
        DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha224Identifier, \
        DER_OID_V_id_mgf1, \
        DER_AID_V_sha224Identifier
static const unsigned char der_aid_mgf1SHA224Identifier[] = {
    DER_AID_V_mgf1SHA224Identifier
};
#define DER_AID_SZ_mgf1SHA224Identifier sizeof(der_aid_mgf1SHA224Identifier)

#define DER_AID_V_mgf1SHA256Identifier \
    DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
        DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha256Identifier, \
        DER_OID_V_id_mgf1, \
        DER_AID_V_sha256Identifier
static const unsigned char der_aid_mgf1SHA256Identifier[] = {
    DER_AID_V_mgf1SHA256Identifier
};
#define DER_AID_SZ_mgf1SHA256Identifier sizeof(der_aid_mgf1SHA256Identifier)

#define DER_AID_V_mgf1SHA384Identifier \
    DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
        DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha384Identifier, \
        DER_OID_V_id_mgf1, \
        DER_AID_V_sha384Identifier
static const unsigned char der_aid_mgf1SHA384Identifier[] = {
    DER_AID_V_mgf1SHA384Identifier
};
#define DER_AID_SZ_mgf1SHA384Identifier sizeof(der_aid_mgf1SHA384Identifier)

#define DER_AID_V_mgf1SHA512Identifier \
    DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
        DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha512Identifier, \
        DER_OID_V_id_mgf1, \
        DER_AID_V_sha512Identifier
static const unsigned char der_aid_mgf1SHA512Identifier[] = {
    DER_AID_V_mgf1SHA512Identifier
};
#define DER_AID_SZ_mgf1SHA512Identifier sizeof(der_aid_mgf1SHA512Identifier)

#define DER_AID_V_mgf1SHA512_224Identifier \
    DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
        DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha512_224Identifier, \
        DER_OID_V_id_mgf1, \
        DER_AID_V_sha512_224Identifier
static const unsigned char der_aid_mgf1SHA512_224Identifier[] = {
    DER_AID_V_mgf1SHA512_224Identifier
};
#define DER_AID_SZ_mgf1SHA512_224Identifier sizeof(der_aid_mgf1SHA512_224Identifier)

#define DER_AID_V_mgf1SHA512_256Identifier \
    DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
        DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha512_256Identifier, \
        DER_OID_V_id_mgf1, \
        DER_AID_V_sha512_256Identifier
static const unsigned char der_aid_mgf1SHA512_256Identifier[] = {
    DER_AID_V_mgf1SHA512_256Identifier
};
#define DER_AID_SZ_mgf1SHA512_256Identifier sizeof(der_aid_mgf1SHA512_256Identifier)


/*
 * Expands to a complete `case NID_sha<bits>:` arm, including its break.
 * It assigns both `var` and `var##_sz`, so the enclosing function must
 * declare the pointer and a matching <var>_sz size variable.
 */
#define MGF1_SHA_CASE(bits, var) \
    case NID_sha##bits: \
        var = der_aid_mgf1SHA##bits##Identifier; \
        var##_sz = sizeof(der_aid_mgf1SHA##bits##Identifier); \
        break;

/*-
 * The name is borrowed from https://tools.ietf.org/html/rfc8017#appendix-A.2.1
 *
 * MaskGenAlgorithm ::= AlgorithmIdentifier { {PKCS1MGFAlgorithms} }
 */
/*
 * Write the maskGenAlgorithm field of the PSS parameters into |pkt| under
 * context tag |tag|.
 *
 * Returns 1 when the field was written, or when nothing had to be written
 * because the MGF1 hash is SHA-1 (the default, which is left out of the
 * encoding).  Returns 0 when |pss| is NULL, when the mask generation
 * function is not MGF1, when the MGF1 hash is not one of the digests listed
 * in the switch, or when the underlying write fails.  No error is raised on
 * any of these paths.
 */
static int DER_w_MaskGenAlgorithm(WPACKET *pkt, int tag,
                                  const RSA_PSS_PARAMS_30 *pss)
{
    if (pss != NULL && ossl_rsa_pss_params_30_maskgenalg(pss) == NID_mgf1) {
        int maskgenhashalg_nid = ossl_rsa_pss_params_30_maskgenhashalg(pss);
        const unsigned char *maskgenalg = NULL;
        size_t maskgenalg_sz = 0;

        switch (maskgenhashalg_nid) {
        case NID_sha1:
            /* Default hash: leave maskgenalg NULL so the field is omitted */
            break;
        MGF1_SHA_CASE(224, maskgenalg);
        MGF1_SHA_CASE(256, maskgenalg);
        MGF1_SHA_CASE(384, maskgenalg);
        MGF1_SHA_CASE(512, maskgenalg);
        MGF1_SHA_CASE(512_224, maskgenalg);
        MGF1_SHA_CASE(512_256, maskgenalg);
        default:
            /* Any digest outside the list above is refused, not encoded */
            return 0;
        }

        /* If there is none (or it was the default), we write nothing */
        if (maskgenalg == NULL)
            return 1;

        return ossl_DER_w_precompiled(pkt, tag, maskgenalg, maskgenalg_sz);
    }
    return 0;
}

/*
 * Expands to a complete `case NID_<name>:` arm, including its break, that
 * points `var` at the precompiled hash AlgorithmIdentifier and stores its
 * size in `var##_sz`.
 */
#define OAEP_PSS_MD_CASE(name, var) \
    case NID_##name: \
        var = ossl_der_aid_##name##Identifier; \
        var##_sz = sizeof(ossl_der_aid_##name##Identifier); \
        break;

/*
 * Write the RSASSA-PSS-params SEQUENCE for a restricted PSS key into |pkt|
 * under |tag|.
 *
 * Returns non-zero on success and 0 on failure: |pss| is NULL or
 * unrestricted, the salt length is negative, the trailer field is not 1,
 * the hash is not one of the digests listed in the switch, or any of the
 * writes fails.
 *
 * A field equal to its default is left out, as DER requires for components
 * with a DEFAULT; the defaults are obtained by calling the accessors with
 * NULL.
 *
 * The fields are emitted in descending tag order (3, 2, 1, 0).
 * NOTE(review): this presumably reflects a DER writer that fills the packet
 * back to front - confirm against the ossl_DER_w_* helpers before
 * reordering anything in the && chain.
 */
int ossl_DER_w_RSASSA_PSS_params(WPACKET *pkt, int tag,
                                 const RSA_PSS_PARAMS_30 *pss)
{
    int hashalg_nid, default_hashalg_nid;
    int saltlen, default_saltlen;
    int trailerfield, default_trailerfield;
    const unsigned char *hashalg = NULL;
    size_t hashalg_sz = 0;

    /*
     * For an unrestricted key, this function should not have been called;
     * the caller must be in control, because unrestricted keys are permitted
     * in some situations (when encoding the public key in a SubjectKeyInfo,
     * for example) while not in others, and this function doesn't know the
     * intent.  Therefore, we assert that here, the PSS parameters must show
     * that the key is restricted.
     */
    if (!ossl_assert(pss != NULL
                     && !ossl_rsa_pss_params_30_is_unrestricted(pss)))
        return 0;

    hashalg_nid = ossl_rsa_pss_params_30_hashalg(pss);
    saltlen = ossl_rsa_pss_params_30_saltlen(pss);
    trailerfield = ossl_rsa_pss_params_30_trailerfield(pss);

    /* Rejecting negative values here makes the uint32_t casts below safe */
    if (saltlen < 0) {
        ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_SALT_LENGTH);
        return 0;
    }
    if (trailerfield != 1) {
        ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_TRAILER);
        return 0;
    }

    /* Getting default values */
    default_hashalg_nid = ossl_rsa_pss_params_30_hashalg(NULL);
    default_saltlen = ossl_rsa_pss_params_30_saltlen(NULL);
    default_trailerfield = ossl_rsa_pss_params_30_trailerfield(NULL);

    /*
     * From https://tools.ietf.org/html/rfc8017#appendix-A.2.1:
     *
     * OAEP-PSSDigestAlgorithms    ALGORITHM-IDENTIFIER ::= {
     *     { OID id-sha1       PARAMETERS NULL }|
     *     { OID id-sha224     PARAMETERS NULL }|
     *     { OID id-sha256     PARAMETERS NULL }|
     *     { OID id-sha384     PARAMETERS NULL }|
     *     { OID id-sha512     PARAMETERS NULL }|
     *     { OID id-sha512-224 PARAMETERS NULL }|
     *     { OID id-sha512-256 PARAMETERS NULL },
     *     ...  -- Allows for future expansion --
     * }
     */
    /*
     * NOTE(review): unlike the salt length and trailer checks above, the
     * default arm returns 0 without ERR_raise(), so an unsupported digest
     * leaves nothing on the error queue from this function.
     */
    switch (hashalg_nid) {
    OAEP_PSS_MD_CASE(sha1, hashalg);
    OAEP_PSS_MD_CASE(sha224, hashalg);
    OAEP_PSS_MD_CASE(sha256, hashalg);
    OAEP_PSS_MD_CASE(sha384, hashalg);
    OAEP_PSS_MD_CASE(sha512, hashalg);
    OAEP_PSS_MD_CASE(sha512_224, hashalg);
    OAEP_PSS_MD_CASE(sha512_256, hashalg);
    default:
        return 0;
    }

    return ossl_DER_w_begin_sequence(pkt, tag)
        && (trailerfield == default_trailerfield
            || ossl_DER_w_uint32(pkt, 3, (uint32_t)trailerfield))
        && (saltlen == default_saltlen || ossl_DER_w_uint32(pkt, 2, (uint32_t)saltlen))
        && DER_w_MaskGenAlgorithm(pkt, 1, pss)
        && (hashalg_nid == default_hashalg_nid
            || ossl_DER_w_precompiled(pkt, 0, hashalg, hashalg_sz))
        && ossl_DER_w_end_sequence(pkt, tag);
}

/* Aliases so we can have a uniform RSA_CASE */
#define ossl_der_oid_rsassaPss ossl_der_oid_id_RSASSA_PSS

/*
 * Body of one switch arm selecting the key type's NID and OID.  Unlike the
 * two *_CASE macros above, this one does not supply the `case` label; the
 * caller writes it.  The expansion ends in `break;`, so the semicolon after
 * RSA_CASE(...) is an empty statement.
 */
#define RSA_CASE(name, var) \
    var##_nid = NID_##name; \
    var##_oid = ossl_der_oid_##name; \
    var##_oid_sz = sizeof(ossl_der_oid_##name); \
    break;

/*
 * Write an AlgorithmIdentifier for an RSA key of type |rsa_type| into |pkt|
 * under |tag|.
 *
 * Returns non-zero on success, 0 when |rsa_type| is neither
 * RSA_FLAG_TYPE_RSA nor RSA_FLAG_TYPE_RSASSAPSS or when a write fails.
 *
 * The parameters are written only for an RSASSA-PSS key whose |pss| is
 * restricted.  For plain RSA the short-circuit means |pss| is never read.
 * For RSASSA-PSS, |pss| is handed to
 * ossl_rsa_pss_params_30_is_unrestricted() unchecked; NULL handling is left
 * to that helper - confirm.
 *
 * NOTE(review): for rsaEncryption no parameters field is emitted here at
 * all, whereas RFC 8017 appendix A.1 specifies NULL parameters for that
 * OID - confirm that the callers of this function do not rely on it.
 */
int ossl_DER_w_algorithmIdentifier_RSA_PSS(WPACKET *pkt, int tag,
                                           int rsa_type,
                                           const RSA_PSS_PARAMS_30 *pss)
{
    int rsa_nid = NID_undef;
    const unsigned char *rsa_oid = NULL;
    size_t rsa_oid_sz = 0;

    /* No default arm: an unknown type leaves rsa_oid NULL and fails below */
    switch (rsa_type) {
    case RSA_FLAG_TYPE_RSA:
        RSA_CASE(rsaEncryption, rsa);
    case RSA_FLAG_TYPE_RSASSAPSS:
        RSA_CASE(rsassaPss, rsa);
    }

    if (rsa_oid == NULL)
        return 0;

    /* Parameters are emitted before the OID; see the ordering note above */
    return ossl_DER_w_begin_sequence(pkt, tag)
        && (rsa_nid != NID_rsassaPss
            || ossl_rsa_pss_params_30_is_unrestricted(pss)
            || ossl_DER_w_RSASSA_PSS_params(pkt, -1, pss))
        && ossl_DER_w_precompiled(pkt, -1, rsa_oid, rsa_oid_sz)
        && ossl_DER_w_end_sequence(pkt, tag);
}

/*
 * Convenience wrapper: take the key type flags and the PSS parameters from
 * |rsa| and write the matching AlgorithmIdentifier into |pkt| under |tag|.
 * Returns whatever ossl_DER_w_algorithmIdentifier_RSA_PSS() returns.
 *
 * |rsa| is passed to RSA_test_flags() and ossl_rsa_get0_pss_params_30()
 * without a NULL check here - assumes callers pass a valid key; confirm.
 */
int ossl_DER_w_algorithmIdentifier_RSA(WPACKET *pkt, int tag, RSA *rsa)
{
    int rsa_type = RSA_test_flags(rsa, RSA_FLAG_TYPE_MASK);
    RSA_PSS_PARAMS_30 *pss_params = ossl_rsa_get0_pss_params_30(rsa);

    return ossl_DER_w_algorithmIdentifier_RSA_PSS(pkt, tag, rsa_type,
                                                  pss_params);
}