2 * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/bn.h>
11 #include <openssl/obj_mac.h>
12 #include "internal/cryptlib.h"
13 #include "prov/der_rsa.h"
14 #include "prov/der_digests.h"
16 /* Well known OIDs precompiled */
# Build-time template code: passes three ASN.1 module files to
# oids_to_c::process_leaves() with the filter_to_C filter and assigns the
# result to $OUT.
# NOTE(review): presumably this is what generates the der_oid_* arrays and
# DER_OID_V_* / DER_OID_SZ_* macros used by the C code below - confirm against
# oids_to_c. Any change to the .asn1 inputs changes the emitted OID bytes, so
# review those files together with this one.
18 $OUT = oids_to_c::process_leaves('providers/common/der/NIST.asn1',
19 'providers/common/der/DIGESTS.asn1',
20 'providers/common/der/RSA.asn1',
21 { dir => $config{sourcedir},
22 filter => \&oids_to_c::filter_to_C });
25 /* More complex pre-compiled sequences. TODO(3.0) refactor? */
27 * From https://tools.ietf.org/html/rfc8017#appendix-A.2.1
29 * OAEP-PSSDigestAlgorithms ALGORITHM-IDENTIFIER ::= {
30 * { OID id-sha1 PARAMETERS NULL }|
31 * { OID id-sha224 PARAMETERS NULL }|
32 * { OID id-sha256 PARAMETERS NULL }|
33 * { OID id-sha384 PARAMETERS NULL }|
34 * { OID id-sha512 PARAMETERS NULL }|
35 * { OID id-sha512-224 PARAMETERS NULL }|
36 * { OID id-sha512-256 PARAMETERS NULL },
37 * ... -- Allows for future expansion --
/*
 * Expands to two initializer elements, DER_P_NULL and 0, for use inside the
 * precompiled byte arrays below.
 * NOTE(review): presumably the NULL tag followed by a zero length - confirm
 * against the DER_P_* definitions. Lines 41-43 of the file are not shown in
 * this listing.
 */
40 #define DER_V_NULL DER_P_NULL, 0
44 * The names for the hash function AlgorithmIdentifiers are borrowed and
45 * expanded from https://tools.ietf.org/html/rfc4055#section-2.1
47 * sha1Identifier AlgorithmIdentifier ::= { id-sha1, NULL }
48 * sha224Identifier AlgorithmIdentifier ::= { id-sha224, NULL }
49 * sha256Identifier AlgorithmIdentifier ::= { id-sha256, NULL }
50 * sha384Identifier AlgorithmIdentifier ::= { id-sha384, NULL }
51 * sha512Identifier AlgorithmIdentifier ::= { id-sha512, NULL }
/*
 * Precompiled DER bytes for the hash AlgorithmIdentifiers, one macro / array /
 * size triple per digest. Each DER_AID_V_* initializer list starts with the
 * constructed SEQUENCE tag, then a single element holding the content length,
 * then the OID bytes. Because the arrays are unsigned char, that length
 * occupies one byte, so the layout relies on the content staying within DER's
 * short length form (under 128 bytes).
 *
 * NOTE(review): the embedded line numbers skip values throughout this group
 * (for example 56 -> 59 and 62 -> 65), so macro continuation lines, closing
 * braces and the #endif matching "#if 0" are not shown. The SHA-224 and later
 * sizes are referenced further down by the mgf1 macros, so the "#if 0"
 * presumably closes after the SHA-1 entry - confirm in the complete file.
 */
53 #if 0 /* Currently unused */
54 #define DER_AID_V_sha1Identifier \
55 DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
56 DER_OID_SZ_id_sha1 + DER_SZ_NULL, \
59 static const unsigned char der_aid_sha1Identifier[] = {
60 DER_AID_V_sha1Identifier
62 #define DER_AID_SZ_sha1Identifier sizeof(der_aid_sha1Identifier)
65 #define DER_AID_V_sha224Identifier \
66 DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
67 DER_OID_SZ_id_sha224 + DER_SZ_NULL, \
68 DER_OID_V_id_sha224, \
70 static const unsigned char der_aid_sha224Identifier[] = {
71 DER_AID_V_sha224Identifier
73 #define DER_AID_SZ_sha224Identifier sizeof(der_aid_sha224Identifier)
75 #define DER_AID_V_sha256Identifier \
76 DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
77 DER_OID_SZ_id_sha256 + DER_SZ_NULL, \
78 DER_OID_V_id_sha256, \
80 static const unsigned char der_aid_sha256Identifier[] = {
81 DER_AID_V_sha256Identifier
83 #define DER_AID_SZ_sha256Identifier sizeof(der_aid_sha256Identifier)
85 #define DER_AID_V_sha384Identifier \
86 DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
87 DER_OID_SZ_id_sha384 + DER_SZ_NULL, \
88 DER_OID_V_id_sha384, \
90 static const unsigned char der_aid_sha384Identifier[] = {
91 DER_AID_V_sha384Identifier
93 #define DER_AID_SZ_sha384Identifier sizeof(der_aid_sha384Identifier)
95 #define DER_AID_V_sha512Identifier \
96 DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
97 DER_OID_SZ_id_sha512 + DER_SZ_NULL, \
98 DER_OID_V_id_sha512, \
100 static const unsigned char der_aid_sha512Identifier[] = {
101 DER_AID_V_sha512Identifier
103 #define DER_AID_SZ_sha512Identifier sizeof(der_aid_sha512Identifier)
105 #define DER_AID_V_sha512_224Identifier \
106 DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
107 DER_OID_SZ_id_sha512_224 + DER_SZ_NULL, \
108 DER_OID_V_id_sha512_224, \
110 static const unsigned char der_aid_sha512_224Identifier[] = {
111 DER_AID_V_sha512_224Identifier
113 #define DER_AID_SZ_sha512_224Identifier sizeof(der_aid_sha512_224Identifier)
115 #define DER_AID_V_sha512_256Identifier \
116 DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
117 DER_OID_SZ_id_sha512_256 + DER_SZ_NULL, \
118 DER_OID_V_id_sha512_256, \
120 static const unsigned char der_aid_sha512_256Identifier[] = {
121 DER_AID_V_sha512_256Identifier
123 #define DER_AID_SZ_sha512_256Identifier sizeof(der_aid_sha512_256Identifier)
126 * From https://tools.ietf.org/html/rfc8017#appendix-A.2.1
128 * HashAlgorithm ::= AlgorithmIdentifier {
129 * {OAEP-PSSDigestAlgorithms}
134 * PKCS1MGFAlgorithms ALGORITHM-IDENTIFIER ::= {
135 * { OID id-mgf1 PARAMETERS HashAlgorithm },
136 * ... -- Allows for future expansion --
141 * The names for the MGF1 AlgorithmIdentifiers are borrowed and expanded
142 * from https://tools.ietf.org/html/rfc4055#section-2.1
144 * mgf1SHA1Identifier AlgorithmIdentifier ::=
145 * { id-mgf1, sha1Identifier }
146 * mgf1SHA224Identifier AlgorithmIdentifier ::=
147 * { id-mgf1, sha224Identifier }
148 * mgf1SHA256Identifier AlgorithmIdentifier ::=
149 * { id-mgf1, sha256Identifier }
150 * mgf1SHA384Identifier AlgorithmIdentifier ::=
151 * { id-mgf1, sha384Identifier }
152 * mgf1SHA512Identifier AlgorithmIdentifier ::=
153 * { id-mgf1, sha512Identifier }
/*
 * Precompiled DER bytes for the MGF1 AlgorithmIdentifiers. Each
 * DER_AID_V_mgf1* initializer list starts with the constructed SEQUENCE tag,
 * then one element holding the content length (size of the id-mgf1 OID plus
 * size of the matching hash AlgorithmIdentifier), and ends with the hash
 * AlgorithmIdentifier's own bytes. The length is a single unsigned char
 * element, so the layout relies on the content staying within DER's short
 * length form (under 128 bytes).
 *
 * NOTE(review): the embedded line numbers skip values throughout this group
 * (for example 158 -> 160 and 164 -> 167), so one continuation line per
 * macro, the closing braces and the #endif matching "#if 0" are not shown.
 * MGF1_SHA_CASE(224, ...) and later cases reference these arrays, so the
 * "#if 0" presumably closes after the SHA-1 entry - confirm in the complete
 * file.
 */
155 #if 0 /* Currently unused */
156 #define DER_AID_V_mgf1SHA1Identifier \
157 DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
158 DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha1Identifier, \
160 DER_AID_V_sha1Identifier
161 static const unsigned char der_aid_mgf1SHA1Identifier[] = {
162 DER_AID_V_mgf1SHA1Identifier
164 #define DER_AID_SZ_mgf1SHA1Identifier sizeof(der_aid_mgf1SHA1Identifier)
167 #define DER_AID_V_mgf1SHA224Identifier \
168 DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
169 DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha224Identifier, \
171 DER_AID_V_sha224Identifier
172 static const unsigned char der_aid_mgf1SHA224Identifier[] = {
173 DER_AID_V_mgf1SHA224Identifier
175 #define DER_AID_SZ_mgf1SHA224Identifier sizeof(der_aid_mgf1SHA224Identifier)
177 #define DER_AID_V_mgf1SHA256Identifier \
178 DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
179 DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha256Identifier, \
181 DER_AID_V_sha256Identifier
182 static const unsigned char der_aid_mgf1SHA256Identifier[] = {
183 DER_AID_V_mgf1SHA256Identifier
185 #define DER_AID_SZ_mgf1SHA256Identifier sizeof(der_aid_mgf1SHA256Identifier)
187 #define DER_AID_V_mgf1SHA384Identifier \
188 DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
189 DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha384Identifier, \
191 DER_AID_V_sha384Identifier
192 static const unsigned char der_aid_mgf1SHA384Identifier[] = {
193 DER_AID_V_mgf1SHA384Identifier
195 #define DER_AID_SZ_mgf1SHA384Identifier sizeof(der_aid_mgf1SHA384Identifier)
197 #define DER_AID_V_mgf1SHA512Identifier \
198 DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
199 DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha512Identifier, \
201 DER_AID_V_sha512Identifier
202 static const unsigned char der_aid_mgf1SHA512Identifier[] = {
203 DER_AID_V_mgf1SHA512Identifier
205 #define DER_AID_SZ_mgf1SHA512Identifier sizeof(der_aid_mgf1SHA512Identifier)
207 #define DER_AID_V_mgf1SHA512_224Identifier \
208 DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
209 DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha512_224Identifier, \
211 DER_AID_V_sha512_224Identifier
212 static const unsigned char der_aid_mgf1SHA512_224Identifier[] = {
213 DER_AID_V_mgf1SHA512_224Identifier
215 #define DER_AID_SZ_mgf1SHA512_224Identifier sizeof(der_aid_mgf1SHA512_224Identifier)
217 #define DER_AID_V_mgf1SHA512_256Identifier \
218 DER_P_SEQUENCE|DER_F_CONSTRUCTED, \
219 DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha512_256Identifier, \
221 DER_AID_V_sha512_256Identifier
222 static const unsigned char der_aid_mgf1SHA512_256Identifier[] = {
223 DER_AID_V_mgf1SHA512_256Identifier
225 #define DER_AID_SZ_mgf1SHA512_256Identifier sizeof(der_aid_mgf1SHA512_256Identifier)
/*
 * Switch-case helper: for NID_sha<bits>, points `var` at the precompiled
 * der_aid_mgf1SHA<bits>Identifier array and stores that array's size in the
 * variable named <var>_sz. The expansion site must declare both variables.
 * NOTE(review): line 231 ends with a continuation, so the macro's closing
 * line(s) are not shown in this listing; presumably a `break` - confirm.
 */
228 #define MGF1_SHA_CASE(bits, var) \
229 case NID_sha##bits: \
230 var = der_aid_mgf1SHA##bits##Identifier; \
231 var##_sz = sizeof(der_aid_mgf1SHA##bits##Identifier); \
235 * The name is borrowed from https://tools.ietf.org/html/rfc8017#appendix-A.2.1
237 * MaskGenAlgorithm ::= AlgorithmIdentifier { {PKCS1MGFAlgorithms} }
/*
 * Write the MaskGenAlgorithm selected by `pss` to `pkt` under `tag`, using
 * one of the precompiled MGF1 AlgorithmIdentifier byte strings.
 *
 * The visible branch runs only when `pss` is non-NULL and its mask
 * generation algorithm is NID_mgf1. The MGF1 hash NID is mapped to a
 * precompiled encoding through MGF1_SHA_CASE; when no encoding is selected
 * (maskgenalg stays NULL) nothing is written.
 *
 * NOTE(review): this listing omits lines (braces, the case labels at lines
 * 248-249, the switch default and the return statements for the NULL and
 * non-MGF1 paths), so the return values on those paths must be read from the
 * complete file. A hash NID outside the listed SHA-2 set has no precompiled
 * encoding here; confirm that the omitted default branch rejects it rather
 * than silently writing nothing.
 */
239 static int DER_w_MaskGenAlgorithm(WPACKET *pkt, int tag,
240 const RSA_PSS_PARAMS_30 *pss)
242 if (pss != NULL && rsa_pss_params_30_maskgenalg(pss) == NID_mgf1) {
243 int maskgenhashalg_nid = rsa_pss_params_30_maskgenhashalg(pss);
244 const unsigned char *maskgenalg = NULL;
245 size_t maskgenalg_sz = 0;
/* Select the precompiled encoding that matches the MGF1 hash. */
247 switch (maskgenhashalg_nid) {
250 MGF1_SHA_CASE(224, maskgenalg);
251 MGF1_SHA_CASE(256, maskgenalg);
252 MGF1_SHA_CASE(384, maskgenalg);
253 MGF1_SHA_CASE(512, maskgenalg);
254 MGF1_SHA_CASE(512_224, maskgenalg);
255 MGF1_SHA_CASE(512_256, maskgenalg);
260 /* If there is none (or it was the default), we write nothing */
261 if (maskgenalg == NULL)
/* The pointer and its size always come from the same array (see MGF1_SHA_CASE). */
264 return DER_w_precompiled(pkt, tag, maskgenalg, maskgenalg_sz);
/*
 * Switch-case helper: points `var` at the precompiled der_oid_id_<name>
 * array and stores that array's size in the variable named <var>_sz. The
 * expansion site must declare both variables.
 * NOTE(review): line 270 (presumably the case label) and the closing line(s)
 * after 272 are not shown in this listing - confirm in the complete file.
 */
269 #define OAEP_PSS_MD_CASE(name, var) \
271 var = der_oid_id_##name; \
272 var##_sz = sizeof(der_oid_id_##name); \
/*
 * Write the RSASSA-PSS parameters held in `pss` to `pkt` as a sequence under
 * `tag`.
 *
 * The hash algorithm (context tag 0), salt length (tag 2) and trailer field
 * (tag 3) are each compared with the value the matching
 * rsa_pss_params_30_*() getter returns for a NULL argument, and are written
 * only when they differ; the mask generation algorithm (tag 1) is delegated
 * to DER_w_MaskGenAlgorithm(). A parameter set equal to those defaults
 * therefore produces no hash, salt length or trailer field element.
 *
 * `pss` must be non-NULL and must describe a restricted key; this is
 * enforced with ossl_assert() before any field is read.
 *
 * NOTE(review): this listing omits lines (braces, comment delimiters, the
 * statement after the ossl_assert() check at line 292 and the switch default
 * at lines 325-327). Confirm in the complete file that both the failed
 * assertion and an unrecognised hash NID make the function fail, since
 * `hashalg` would otherwise still be NULL when passed to DER_w_precompiled().
 */
275 int DER_w_RSASSA_PSS_params(WPACKET *pkt, int tag, const RSA_PSS_PARAMS_30 *pss)
277 int hashalg_nid, default_hashalg_nid;
278 int saltlen, default_saltlen;
279 int trailerfield, default_trailerfield;
280 const unsigned char *hashalg = NULL;
281 size_t hashalg_sz = 0;
284 * For an unrestricted key, this function should not have been called;
285 * the caller must be in control, because unrestricted keys are permitted
286 * in some situations (when encoding the public key in a SubjectKeyInfo,
287 * for example) while not in others, and this function doesn't know the
288 * intent. Therefore, we assert that here, the PSS parameters must show
289 * that the key is restricted.
291 if (!ossl_assert(pss != NULL && !rsa_pss_params_30_is_unrestricted(pss)))
/* Values carried by this key's parameter set. */
294 hashalg_nid = rsa_pss_params_30_hashalg(pss);
295 saltlen = rsa_pss_params_30_saltlen(pss);
296 trailerfield = rsa_pss_params_30_trailerfield(pss);
298 /* Getting default values */
299 default_hashalg_nid = rsa_pss_params_30_hashalg(NULL);
300 default_saltlen = rsa_pss_params_30_saltlen(NULL);
301 default_trailerfield = rsa_pss_params_30_trailerfield(NULL);
304 * From https://tools.ietf.org/html/rfc8017#appendix-A.2.1:
306 * OAEP-PSSDigestAlgorithms ALGORITHM-IDENTIFIER ::= {
307 * { OID id-sha1 PARAMETERS NULL }|
308 * { OID id-sha224 PARAMETERS NULL }|
309 * { OID id-sha256 PARAMETERS NULL }|
310 * { OID id-sha384 PARAMETERS NULL }|
311 * { OID id-sha512 PARAMETERS NULL }|
312 * { OID id-sha512-224 PARAMETERS NULL }|
313 * { OID id-sha512-256 PARAMETERS NULL },
314 * ... -- Allows for future expansion --
317 switch (hashalg_nid) {
318 OAEP_PSS_MD_CASE(sha1, hashalg);
319 OAEP_PSS_MD_CASE(sha224, hashalg);
320 OAEP_PSS_MD_CASE(sha256, hashalg);
321 OAEP_PSS_MD_CASE(sha384, hashalg);
322 OAEP_PSS_MD_CASE(sha512, hashalg);
323 OAEP_PSS_MD_CASE(sha512_224, hashalg);
324 OAEP_PSS_MD_CASE(sha512_256, hashalg);
/*
 * Fields are emitted from tag 3 down to tag 0, each skipped when it equals
 * its default. NOTE(review): the descending order suggests the DER_w_*
 * helpers build the encoding back to front - confirm against their
 * implementation. saltlen and trailerfield are ints handed to DER_w_ulong();
 * confirm they cannot be negative at this point.
 */
329 return DER_w_begin_sequence(pkt, tag)
330 && (trailerfield == default_trailerfield
331 || DER_w_ulong(pkt, 3, trailerfield))
332 && (saltlen == default_saltlen || DER_w_ulong(pkt, 2, saltlen))
333 && DER_w_MaskGenAlgorithm(pkt, 1, pss)
334 && (hashalg_nid == default_hashalg_nid
335 || DER_w_precompiled(pkt, 0, hashalg, hashalg_sz))
336 && DER_w_end_sequence(pkt, tag);
339 /* Aliases so we can have a uniform RSA_CASE */
340 #define der_oid_rsassaPss der_oid_id_RSASSA_PSS
/*
 * RSA_CASE(name, var): sets <var>_nid to NID_<name>, <var>_oid to the
 * precompiled der_oid_<name> array and <var>_oid_sz to that array's size.
 * The expansion site must declare all three variables and, as shown at the
 * call sites, supplies its own case label.
 * NOTE(review): line 345 ends with a continuation, so the macro's closing
 * line(s) are not shown in this listing; presumably a `break` - confirm.
 */
342 #define RSA_CASE(name, var) \
343 var##_nid = NID_##name; \
344 var##_oid = der_oid_##name; \
345 var##_oid_sz = sizeof(der_oid_##name); \
/*
 * Write the AlgorithmIdentifier for the key `rsa` to `pkt` as a sequence
 * under `tag`.
 *
 * The key type bits (RSA_test_flags() with RSA_FLAG_TYPE_MASK) select the
 * rsaEncryption or rsassaPss OID. For an RSASSA-PSS key whose parameters are
 * restricted, the PSS parameters are written as well through
 * DER_w_RSASSA_PSS_params(); for an unrestricted PSS key they are left out.
 *
 * NOTE(review): this listing omits lines (braces and the switch's tail at
 * lines 360-363). Confirm in the complete file that an unrecognised key type
 * makes the function fail, since `rsa_oid` would otherwise still be NULL when
 * passed to DER_w_precompiled(). No NULL check on `rsa` is visible here;
 * confirm that callers or the helpers guarantee it.
 */
348 int DER_w_algorithmIdentifier_RSA(WPACKET *pkt, int tag, RSA *rsa)
350 int rsa_nid = NID_undef;
351 const unsigned char *rsa_oid = NULL;
352 size_t rsa_oid_sz = 0;
353 RSA_PSS_PARAMS_30 *pss_params = rsa_get0_pss_params_30(rsa);
/* Pick the OID from the key's type flags. */
355 switch (RSA_test_flags(rsa, RSA_FLAG_TYPE_MASK)) {
356 case RSA_FLAG_TYPE_RSA:
357 RSA_CASE(rsaEncryption, rsa);
358 case RSA_FLAG_TYPE_RSASSAPSS:
359 RSA_CASE(rsassaPss, rsa);
/*
 * The parameters are written before the OID. NOTE(review): this ordering
 * suggests the DER_w_* helpers build the encoding back to front - confirm
 * against their implementation.
 */
365 return DER_w_begin_sequence(pkt, tag)
366 && (rsa_nid != NID_rsassaPss
367 || rsa_pss_params_30_is_unrestricted(pss_params)
368 || DER_w_RSASSA_PSS_params(pkt, -1, pss_params))
369 && DER_w_precompiled(pkt, -1, rsa_oid, rsa_oid_sz)
370 && DER_w_end_sequence(pkt, tag);
373 /* Aliases so we can have a uniform MD_with_RSA_CASE */
374 #define der_oid_sha3_224WithRSAEncryption \
375 der_oid_id_rsassa_pkcs1_v1_5_with_sha3_224
376 #define der_oid_sha3_256WithRSAEncryption \
377 der_oid_id_rsassa_pkcs1_v1_5_with_sha3_256
378 #define der_oid_sha3_384WithRSAEncryption \
379 der_oid_id_rsassa_pkcs1_v1_5_with_sha3_384
380 #define der_oid_sha3_512WithRSAEncryption \
381 der_oid_id_rsassa_pkcs1_v1_5_with_sha3_512
/*
 * MD_with_RSA_CASE(name, var): points `var` at the precompiled
 * der_oid_<name>WithRSAEncryption array and stores that array's size in the
 * variable named <var>_sz. The expansion site must declare both variables.
 * NOTE(review): line 384 (presumably the case label) and the closing line(s)
 * after 386 are not shown in this listing - confirm in the complete file.
 */
383 #define MD_with_RSA_CASE(name, var) \
385 var = der_oid_##name##WithRSAEncryption; \
386 var##_sz = sizeof(der_oid_##name##WithRSAEncryption); \
/*
 * Write the AlgorithmIdentifier for an "RSA with <digest>" signature
 * algorithm to `pkt` as a sequence under `tag`. The sequence holds only the
 * precompiled OID selected in the switch; no parameters are written.
 *
 * The table covers MD2, MD4, MD5, RIPEMD-160 and SHA-1 alongside the SHA-2
 * and SHA-3 digests. The visible lines only encode the identifier and apply
 * no policy of their own, so refusing digests that are no longer collision
 * resistant (MD2, MD4, MD5, SHA-1) for new signatures has to happen in the
 * caller or in provider policy.
 *
 * NOTE(review): this listing omits lines: the rest of the parameter list
 * (line 390), the switch statement and its default (lines 395 and 414-416),
 * and lines 396 and 402, which bracket the legacy digest group and may be a
 * conditional-compilation guard. Confirm in the complete file that an
 * unsupported digest makes the function fail, since `precompiled` would
 * otherwise still be NULL when passed to DER_w_precompiled().
 */
389 int DER_w_algorithmIdentifier_RSA_with(WPACKET *pkt, int tag,
392 const unsigned char *precompiled = NULL;
393 size_t precompiled_sz = 0;
/* Legacy digests. */
397 MD_with_RSA_CASE(md2, precompiled);
398 MD_with_RSA_CASE(md5, precompiled);
399 MD_with_RSA_CASE(md4, precompiled);
400 MD_with_RSA_CASE(ripemd160, precompiled);
401 /* TODO(3.0) Decide what to do about mdc2 and md5_sha1 */
/* SHA-1, SHA-2 and SHA-3 digests. */
403 MD_with_RSA_CASE(sha1, precompiled);
404 MD_with_RSA_CASE(sha224, precompiled);
405 MD_with_RSA_CASE(sha256, precompiled);
406 MD_with_RSA_CASE(sha384, precompiled);
407 MD_with_RSA_CASE(sha512, precompiled);
408 MD_with_RSA_CASE(sha512_224, precompiled);
409 MD_with_RSA_CASE(sha512_256, precompiled);
410 MD_with_RSA_CASE(sha3_224, precompiled);
411 MD_with_RSA_CASE(sha3_256, precompiled);
412 MD_with_RSA_CASE(sha3_384, precompiled);
413 MD_with_RSA_CASE(sha3_512, precompiled);
418 return DER_w_begin_sequence(pkt, tag)
419 /* No parameters (yet?) */
420 && DER_w_precompiled(pkt, -1, precompiled, precompiled_sz)
421 && DER_w_end_sequence(pkt, tag);