Path: blob/main/crypto/openssl/providers/common/der/der_rsa_key.c
/*
 * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/*
 * RSA low level APIs are deprecated for public use, but still ok for
 * internal use.
 */
#include "internal/deprecated.h"

#include <openssl/obj_mac.h>
#include "internal/cryptlib.h"
#include "prov/der_rsa.h"
#include "prov/der_digests.h"

/*
 * This file holds pre-compiled DER AlgorithmIdentifier byte strings for the
 * digests and MGF1 variants usable with RSASSA-PSS, plus the writers that
 * emit RSASSA-PSS-params and the RSA / RSASSA-PSS AlgorithmIdentifier into
 * a WPACKET.
 */

/* More complex pre-compiled sequences. */

/*-
 * From https://tools.ietf.org/html/rfc8017#appendix-A.2.1
 *
 * OAEP-PSSDigestAlgorithms    ALGORITHM-IDENTIFIER ::= {
 *     { OID id-sha1       PARAMETERS NULL }|
 *     { OID id-sha224     PARAMETERS NULL }|
 *     { OID id-sha256     PARAMETERS NULL }|
 *     { OID id-sha384     PARAMETERS NULL }|
 *     { OID id-sha512     PARAMETERS NULL }|
 *     { OID id-sha512-224 PARAMETERS NULL }|
 *     { OID id-sha512-256 PARAMETERS NULL },
 *     ...  -- Allows for future expansion --
 * }
 */
/*
 * ASN.1 NULL as it appears in the arrays below: the NULL tag followed by a
 * zero length octet, i.e. DER_SZ_NULL (2) bytes in total.
 */
#define DER_V_NULL DER_P_NULL, 0
#define DER_SZ_NULL 2

/*
 * The names for the hash function AlgorithmIdentifiers are borrowed and
 * expanded from https://tools.ietf.org/html/rfc4055#section-2.1
 *
 * sha1Identifier  AlgorithmIdentifier  ::=  { id-sha1, NULL }
 * sha224Identifier  AlgorithmIdentifier  ::=  { id-sha224, NULL }
 * sha256Identifier  AlgorithmIdentifier  ::=  { id-sha256, NULL }
 * sha384Identifier  AlgorithmIdentifier  ::=  { id-sha384, NULL }
 * sha512Identifier  AlgorithmIdentifier  ::=  { id-sha512, NULL }
 */
/*
 * NOTE: Some of the arrays aren't used other than inside sizeof(), which
 * clang complains about (-Wno-unneeded-internal-declaration).  To get
 * around that, we make them non-static, and declare them an extra time to
 * avoid compilers complaining about definitions without declarations.
 */
/*
 * Layout shared by every DER_AID_V_<digest>Identifier macro below:
 *   constructed SEQUENCE tag, one length octet (OID size + NULL size),
 *   the OID bytes, then the NULL parameters.
 * The length is written as a single array element, so it is only a valid
 * DER length while the sum stays below 128 (short form).
 * NOTE(review): DER_OID_SZ_* come from prov/der_digests.h and are not
 * visible here; confirm they keep the sum in short-form range.
 */
#define DER_AID_V_sha1Identifier                                        \
    DER_P_SEQUENCE | DER_F_CONSTRUCTED,                                 \
        DER_OID_SZ_id_sha1 + DER_SZ_NULL,                               \
        DER_OID_V_id_sha1,                                              \
        DER_V_NULL
extern const unsigned char ossl_der_aid_sha1Identifier[];
const unsigned char ossl_der_aid_sha1Identifier[] = {
    DER_AID_V_sha1Identifier
};
#define DER_AID_SZ_sha1Identifier sizeof(ossl_der_aid_sha1Identifier)

#define DER_AID_V_sha224Identifier                                      \
    DER_P_SEQUENCE | DER_F_CONSTRUCTED,                                 \
        DER_OID_SZ_id_sha224 + DER_SZ_NULL,                             \
        DER_OID_V_id_sha224,                                            \
        DER_V_NULL
extern const unsigned char ossl_der_aid_sha224Identifier[];
const unsigned char ossl_der_aid_sha224Identifier[] = {
    DER_AID_V_sha224Identifier
};
#define DER_AID_SZ_sha224Identifier sizeof(ossl_der_aid_sha224Identifier)

#define DER_AID_V_sha256Identifier                                      \
    DER_P_SEQUENCE | DER_F_CONSTRUCTED,                                 \
        DER_OID_SZ_id_sha256 + DER_SZ_NULL,                             \
        DER_OID_V_id_sha256,                                            \
        DER_V_NULL
extern const unsigned char ossl_der_aid_sha256Identifier[];
const unsigned char ossl_der_aid_sha256Identifier[] = {
    DER_AID_V_sha256Identifier
};
#define DER_AID_SZ_sha256Identifier sizeof(ossl_der_aid_sha256Identifier)

#define DER_AID_V_sha384Identifier                                      \
    DER_P_SEQUENCE | DER_F_CONSTRUCTED,                                 \
        DER_OID_SZ_id_sha384 + DER_SZ_NULL,                             \
        DER_OID_V_id_sha384,                                            \
        DER_V_NULL
extern const unsigned char ossl_der_aid_sha384Identifier[];
const unsigned char ossl_der_aid_sha384Identifier[] = {
    DER_AID_V_sha384Identifier
};
#define DER_AID_SZ_sha384Identifier sizeof(ossl_der_aid_sha384Identifier)

#define DER_AID_V_sha512Identifier                                      \
    DER_P_SEQUENCE | DER_F_CONSTRUCTED,                                 \
        DER_OID_SZ_id_sha512 + DER_SZ_NULL,                             \
        DER_OID_V_id_sha512,                                            \
        DER_V_NULL
extern const unsigned char ossl_der_aid_sha512Identifier[];
const unsigned char ossl_der_aid_sha512Identifier[] = {
    DER_AID_V_sha512Identifier
};
#define DER_AID_SZ_sha512Identifier sizeof(ossl_der_aid_sha512Identifier)

#define DER_AID_V_sha512_224Identifier                                  \
    DER_P_SEQUENCE | DER_F_CONSTRUCTED,                                 \
        DER_OID_SZ_id_sha512_224 + DER_SZ_NULL,                         \
        DER_OID_V_id_sha512_224,                                        \
        DER_V_NULL
extern const unsigned char ossl_der_aid_sha512_224Identifier[];
const unsigned char ossl_der_aid_sha512_224Identifier[] = {
    DER_AID_V_sha512_224Identifier
};
#define DER_AID_SZ_sha512_224Identifier sizeof(ossl_der_aid_sha512_224Identifier)

#define DER_AID_V_sha512_256Identifier                                  \
    DER_P_SEQUENCE | DER_F_CONSTRUCTED,                                 \
        DER_OID_SZ_id_sha512_256 + DER_SZ_NULL,                         \
        DER_OID_V_id_sha512_256,                                        \
        DER_V_NULL
extern const unsigned char ossl_der_aid_sha512_256Identifier[];
const unsigned char ossl_der_aid_sha512_256Identifier[] = {
    DER_AID_V_sha512_256Identifier
};
#define DER_AID_SZ_sha512_256Identifier sizeof(ossl_der_aid_sha512_256Identifier)

/*-
 * From https://tools.ietf.org/html/rfc8017#appendix-A.2.1
 *
 * HashAlgorithm ::= AlgorithmIdentifier {
 *    {OAEP-PSSDigestAlgorithms}
 * }
 *
 * ...
 *
 * PKCS1MGFAlgorithms    ALGORITHM-IDENTIFIER ::= {
 *     { OID id-mgf1 PARAMETERS HashAlgorithm },
 *     ...  -- Allows for future expansion --
 * }
 */

/*
 * The names for the MGF1 AlgorithmIdentifiers are borrowed and expanded
 * from https://tools.ietf.org/html/rfc4055#section-2.1
 *
 * mgf1SHA1Identifier  AlgorithmIdentifier  ::=
 *                      { id-mgf1, sha1Identifier }
 * mgf1SHA224Identifier  AlgorithmIdentifier  ::=
 *                      { id-mgf1, sha224Identifier }
 * mgf1SHA256Identifier  AlgorithmIdentifier  ::=
 *                      { id-mgf1, sha256Identifier }
 * mgf1SHA384Identifier  AlgorithmIdentifier  ::=
 *                      { id-mgf1, sha384Identifier }
 * mgf1SHA512Identifier  AlgorithmIdentifier  ::=
 *                      { id-mgf1, sha512Identifier }
 */
/*
 * Each MGF1 identifier nests the matching digest AlgorithmIdentifier as its
 * parameters: SEQUENCE tag, one length octet (id-mgf1 OID size + size of the
 * nested digest identifier), the id-mgf1 OID, then the nested identifier.
 * The same single-octet (short form) length caveat applies here as for the
 * digest identifiers.
 * The SHA-1 variant is compiled out: DER_w_MaskGenAlgorithm() never writes
 * it, so the array would be unused.
 */
#if 0                            /* Currently unused */
#define DER_AID_V_mgf1SHA1Identifier                                    \
    DER_P_SEQUENCE | DER_F_CONSTRUCTED,                                 \
        DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha1Identifier,                 \
        DER_OID_V_id_mgf1,                                              \
        DER_AID_V_sha1Identifier
static const unsigned char der_aid_mgf1SHA1Identifier[] = {
    DER_AID_V_mgf1SHA1Identifier
};
#define DER_AID_SZ_mgf1SHA1Identifier sizeof(der_aid_mgf1SHA1Identifier)
#endif

#define DER_AID_V_mgf1SHA224Identifier                                  \
    DER_P_SEQUENCE | DER_F_CONSTRUCTED,                                 \
        DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha224Identifier,               \
        DER_OID_V_id_mgf1,                                              \
        DER_AID_V_sha224Identifier
static const unsigned char der_aid_mgf1SHA224Identifier[] = {
    DER_AID_V_mgf1SHA224Identifier
};
#define DER_AID_SZ_mgf1SHA224Identifier sizeof(der_aid_mgf1SHA224Identifier)

#define DER_AID_V_mgf1SHA256Identifier                                  \
    DER_P_SEQUENCE | DER_F_CONSTRUCTED,                                 \
        DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha256Identifier,               \
        DER_OID_V_id_mgf1,                                              \
        DER_AID_V_sha256Identifier
static const unsigned char der_aid_mgf1SHA256Identifier[] = {
    DER_AID_V_mgf1SHA256Identifier
};
#define DER_AID_SZ_mgf1SHA256Identifier sizeof(der_aid_mgf1SHA256Identifier)

#define DER_AID_V_mgf1SHA384Identifier                                  \
    DER_P_SEQUENCE | DER_F_CONSTRUCTED,                                 \
        DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha384Identifier,               \
        DER_OID_V_id_mgf1,                                              \
        DER_AID_V_sha384Identifier
static const unsigned char der_aid_mgf1SHA384Identifier[] = {
    DER_AID_V_mgf1SHA384Identifier
};
#define DER_AID_SZ_mgf1SHA384Identifier sizeof(der_aid_mgf1SHA384Identifier)

#define DER_AID_V_mgf1SHA512Identifier                                  \
    DER_P_SEQUENCE | DER_F_CONSTRUCTED,                                 \
        DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha512Identifier,               \
        DER_OID_V_id_mgf1,                                              \
        DER_AID_V_sha512Identifier
static const unsigned char der_aid_mgf1SHA512Identifier[] = {
    DER_AID_V_mgf1SHA512Identifier
};
#define DER_AID_SZ_mgf1SHA512Identifier sizeof(der_aid_mgf1SHA512Identifier)

#define DER_AID_V_mgf1SHA512_224Identifier                              \
    DER_P_SEQUENCE | DER_F_CONSTRUCTED,                                 \
        DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha512_224Identifier,           \
        DER_OID_V_id_mgf1,                                              \
        DER_AID_V_sha512_224Identifier
static const unsigned char der_aid_mgf1SHA512_224Identifier[] = {
    DER_AID_V_mgf1SHA512_224Identifier
};
#define DER_AID_SZ_mgf1SHA512_224Identifier sizeof(der_aid_mgf1SHA512_224Identifier)

#define DER_AID_V_mgf1SHA512_256Identifier                              \
    DER_P_SEQUENCE | DER_F_CONSTRUCTED,                                 \
        DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha512_256Identifier,           \
        DER_OID_V_id_mgf1,                                              \
        DER_AID_V_sha512_256Identifier
static const unsigned char der_aid_mgf1SHA512_256Identifier[] = {
    DER_AID_V_mgf1SHA512_256Identifier
};
#define DER_AID_SZ_mgf1SHA512_256Identifier sizeof(der_aid_mgf1SHA512_256Identifier)

/*
 * Expands to one complete switch arm for NID_sha<bits>: it points |var| at
 * the matching pre-compiled MGF1 identifier, stores that array's size in
 * |var|_sz, and ends with break.  The enclosing scope must therefore
 * declare both |var| and |var|_sz.
 */
#define MGF1_SHA_CASE(bits, var)                                        \
    case NID_sha##bits:                                                 \
        var = der_aid_mgf1SHA##bits##Identifier;                        \
        var##_sz = sizeof(der_aid_mgf1SHA##bits##Identifier);           \
        break;

/*-
 * The name is borrowed from https://tools.ietf.org/html/rfc8017#appendix-A.2.1
 *
 * MaskGenAlgorithm ::= AlgorithmIdentifier { {PKCS1MGFAlgorithms} }
 */
/*
 * Writes the maskGenAlgorithm field for |pss| into |pkt| under context
 * tag |tag|.
 *
 * Returns 0 when |pss| is NULL, when its mask generation algorithm is not
 * NID_mgf1, or when the MGF1 hash is not one of the NIDs handled below.
 * Returns 1 without writing anything when the MGF1 hash is SHA-1.
 * Otherwise returns the result of ossl_DER_w_precompiled().
 * No error is raised on the failing paths here; the caller only sees 0.
 */
static int DER_w_MaskGenAlgorithm(WPACKET *pkt, int tag,
                                  const RSA_PSS_PARAMS_30 *pss)
{
    if (pss != NULL && ossl_rsa_pss_params_30_maskgenalg(pss) == NID_mgf1) {
        int maskgenhashalg_nid = ossl_rsa_pss_params_30_maskgenhashalg(pss);
        const unsigned char *maskgenalg = NULL;
        size_t maskgenalg_sz = 0;

        switch (maskgenhashalg_nid) {
        case NID_sha1:
            /*
             * RFC 8017 makes mgf1SHA1 the DEFAULT for this field and DER
             * omits DEFAULT values, so maskgenalg is left NULL on purpose.
             */
            break;
        MGF1_SHA_CASE(224, maskgenalg);
        MGF1_SHA_CASE(256, maskgenalg);
        MGF1_SHA_CASE(384, maskgenalg);
        MGF1_SHA_CASE(512, maskgenalg);
        MGF1_SHA_CASE(512_224, maskgenalg);
        MGF1_SHA_CASE(512_256, maskgenalg);
        default:
            /* Any other digest has no pre-compiled identifier: refuse. */
            return 0;
        }

        /* If there is none (or it was the default), we write nothing */
        if (maskgenalg == NULL)
            return 1;

        return ossl_DER_w_precompiled(pkt, tag, maskgenalg, maskgenalg_sz);
    }
    return 0;
}

/*
 * Expands to one complete switch arm for NID_<name>: it points |var| at the
 * pre-compiled digest identifier ossl_der_aid_<name>Identifier, stores its
 * size in |var|_sz, and ends with break.  The enclosing scope must declare
 * both |var| and |var|_sz.
 */
#define OAEP_PSS_MD_CASE(name, var)                                     \
    case NID_##name:                                                    \
        var = ossl_der_aid_##name##Identifier;                          \
        var##_sz = sizeof(ossl_der_aid_##name##Identifier);             \
        break;

/*
 * Writes an RSASSA-PSS-params SEQUENCE for |pss| into |pkt| under |tag|.
 *
 * |pss| must be non-NULL and must describe a restricted key; otherwise the
 * ossl_assert() below fails and 0 is returned.  A negative salt length or a
 * trailer field other than 1 raises an RSA error and returns 0.  A hash NID
 * outside the seven handled digests returns 0 without raising an error.
 *
 * Each field whose value equals the default reported by the accessor for a
 * NULL parameter set is left out of the encoding, as DER requires for
 * DEFAULT values; a decoder then assumes the RFC 8017 default for it.
 *
 * Returns 1 on success, 0 on any failure.
 */
int ossl_DER_w_RSASSA_PSS_params(WPACKET *pkt, int tag,
                                 const RSA_PSS_PARAMS_30 *pss)
{
    int hashalg_nid, default_hashalg_nid;
    int saltlen, default_saltlen;
    int trailerfield, default_trailerfield;
    const unsigned char *hashalg = NULL;
    size_t hashalg_sz = 0;

    /*
     * For an unrestricted key, this function should not have been called;
     * the caller must be in control, because unrestricted keys are permitted
     * in some situations (when encoding the public key in a SubjectKeyInfo,
     * for example) while not in others, and this function doesn't know the
     * intent.  Therefore, we assert that here, the PSS parameters must show
     * that the key is restricted.
     */
    if (!ossl_assert(pss != NULL
                     && !ossl_rsa_pss_params_30_is_unrestricted(pss)))
        return 0;

    hashalg_nid = ossl_rsa_pss_params_30_hashalg(pss);
    saltlen = ossl_rsa_pss_params_30_saltlen(pss);
    trailerfield = ossl_rsa_pss_params_30_trailerfield(pss);

    /* Reject negatives before saltlen is cast to uint32_t further down. */
    if (saltlen < 0) {
        ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_SALT_LENGTH);
        return 0;
    }
    /* Only trailer field value 1 is accepted. */
    if (trailerfield != 1) {
        ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_TRAILER);
        return 0;
    }

    /* Getting default values */
    default_hashalg_nid = ossl_rsa_pss_params_30_hashalg(NULL);
    default_saltlen = ossl_rsa_pss_params_30_saltlen(NULL);
    default_trailerfield = ossl_rsa_pss_params_30_trailerfield(NULL);

    /*
     * From https://tools.ietf.org/html/rfc8017#appendix-A.2.1:
     *
     * OAEP-PSSDigestAlgorithms    ALGORITHM-IDENTIFIER ::= {
     *     { OID id-sha1       PARAMETERS NULL }|
     *     { OID id-sha224     PARAMETERS NULL }|
     *     { OID id-sha256     PARAMETERS NULL }|
     *     { OID id-sha384     PARAMETERS NULL }|
     *     { OID id-sha512     PARAMETERS NULL }|
     *     { OID id-sha512-224 PARAMETERS NULL }|
     *     { OID id-sha512-256 PARAMETERS NULL },
     *     ...  -- Allows for future expansion --
     * }
     */
    switch (hashalg_nid) {
    OAEP_PSS_MD_CASE(sha1, hashalg);
    OAEP_PSS_MD_CASE(sha224, hashalg);
    OAEP_PSS_MD_CASE(sha256, hashalg);
    OAEP_PSS_MD_CASE(sha384, hashalg);
    OAEP_PSS_MD_CASE(sha512, hashalg);
    OAEP_PSS_MD_CASE(sha512_224, hashalg);
    OAEP_PSS_MD_CASE(sha512_256, hashalg);
    default:
        /* Unsupported digest: fail, with no error pushed on the queue. */
        return 0;
    }

    /*
     * The fields are emitted in descending context-tag order (3, 2, 1, 0),
     * and the chain stops at the first writer that returns 0.
     * NOTE(review): the reverse order presumably reflects a DER writer that
     * fills the packet back to front; confirm against the ossl_DER_w_*
     * implementation before reordering anything here.
     */
    return ossl_DER_w_begin_sequence(pkt, tag)
        && (trailerfield == default_trailerfield
            || ossl_DER_w_uint32(pkt, 3, (uint32_t)trailerfield))
        && (saltlen == default_saltlen || ossl_DER_w_uint32(pkt, 2, (uint32_t)saltlen))
        && DER_w_MaskGenAlgorithm(pkt, 1, pss)
        && (hashalg_nid == default_hashalg_nid
            || ossl_DER_w_precompiled(pkt, 0, hashalg, hashalg_sz))
        && ossl_DER_w_end_sequence(pkt, tag);
}

/* Aliases so we can have a uniform RSA_CASE */
#define ossl_der_oid_rsassaPss ossl_der_oid_id_RSASSA_PSS

/*
 * Body of one switch arm (the case label is written at the call site):
 * sets |var|_nid, |var|_oid and |var|_oid_sz for algorithm <name>, then
 * breaks out of the switch.
 */
#define RSA_CASE(name, var)                                             \
    var##_nid = NID_##name;                                             \
    var##_oid = ossl_der_oid_##name;                                    \
    var##_oid_sz = sizeof(ossl_der_oid_##name);                         \
    break;

/*
 * Writes the AlgorithmIdentifier for an RSA key of type |rsa_type| into
 * |pkt| under |tag|.
 *
 * |rsa_type| selects the OID: RSA_FLAG_TYPE_RSA gives rsaEncryption,
 * RSA_FLAG_TYPE_RSASSAPSS gives id-RSASSA-PSS.  Any other value leaves
 * rsa_oid NULL and the function returns 0.
 *
 * RSASSA-PSS-params are written only for an RSASSA-PSS key whose |pss| is
 * restricted; for an unrestricted PSS key the parameters are left out.
 * NOTE(review): for rsaEncryption this function writes no parameters
 * element at all, whereas RFC 8017 specifies NULL parameters for that OID;
 * confirm that callers expect this form.
 *
 * Returns 1 on success, 0 on failure.
 */
int ossl_DER_w_algorithmIdentifier_RSA_PSS(WPACKET *pkt, int tag,
                                           int rsa_type,
                                           const RSA_PSS_PARAMS_30 *pss)
{
    int rsa_nid = NID_undef;
    const unsigned char *rsa_oid = NULL;
    size_t rsa_oid_sz = 0;

    switch (rsa_type) {
    case RSA_FLAG_TYPE_RSA:
        RSA_CASE(rsaEncryption, rsa);
    case RSA_FLAG_TYPE_RSASSAPSS:
        RSA_CASE(rsassaPss, rsa);
    }

    /* No default arm above: an unknown key type is caught here. */
    if (rsa_oid == NULL)
        return 0;

    return ossl_DER_w_begin_sequence(pkt, tag)
        && (rsa_nid != NID_rsassaPss
            || ossl_rsa_pss_params_30_is_unrestricted(pss)
            || ossl_DER_w_RSASSA_PSS_params(pkt, -1, pss))
        && ossl_DER_w_precompiled(pkt, -1, rsa_oid, rsa_oid_sz)
        && ossl_DER_w_end_sequence(pkt, tag);
}

/*
 * Convenience wrapper: reads the key type flags and the PSS parameters from
 * |rsa| and forwards them to ossl_DER_w_algorithmIdentifier_RSA_PSS().
 * |rsa| is handed to RSA_test_flags() without a NULL check here; callers
 * presumably guarantee a valid key.
 */
int ossl_DER_w_algorithmIdentifier_RSA(WPACKET *pkt, int tag, RSA *rsa)
{
    int rsa_type = RSA_test_flags(rsa, RSA_FLAG_TYPE_MASK);
    RSA_PSS_PARAMS_30 *pss_params = ossl_rsa_get0_pss_params_30(rsa);

    return ossl_DER_w_algorithmIdentifier_RSA_PSS(pkt, tag, rsa_type,
                                                  pss_params);
}