- X509_ALGOR *alg1, X509_ALGOR *alg2,
- ASN1_BIT_STRING *sig)
- {
- int pad_mode;
- EVP_PKEY_CTX *pkctx = ctx->pctx;
- if (EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode) <= 0)
- return 0;
- if (pad_mode == RSA_PKCS1_PADDING)
- return 2;
- if (pad_mode == RSA_PKCS1_PSS_PADDING)
- {
- const EVP_MD *sigmd, *mgf1md;
- RSA_PSS_PARAMS *pss = NULL;
- X509_ALGOR *mgf1alg = NULL;
- ASN1_STRING *os1 = NULL, *os2 = NULL;
- EVP_PKEY *pk = EVP_PKEY_CTX_get0_pkey(pkctx);
- int saltlen, rv = 0;
- sigmd = EVP_MD_CTX_md(ctx);
- if (EVP_PKEY_CTX_get_rsa_mgf1_md(pkctx, &mgf1md) <= 0)
- goto err;
- if (!EVP_PKEY_CTX_get_rsa_pss_saltlen(pkctx, &saltlen))
- goto err;
- if (saltlen == -1)
- saltlen = EVP_MD_size(sigmd);
- else if (saltlen == -2)
- {
- saltlen = EVP_PKEY_size(pk) - EVP_MD_size(sigmd) - 2;
- if (((EVP_PKEY_bits(pk) - 1) & 0x7) == 0)
- saltlen--;
- }
- pss = RSA_PSS_PARAMS_new();
- if (!pss)
- goto err;
- if (saltlen != 20)
- {
- pss->saltLength = ASN1_INTEGER_new();
- if (!pss->saltLength)
- goto err;
- if (!ASN1_INTEGER_set(pss->saltLength, saltlen))
- goto err;
- }
- if (EVP_MD_type(sigmd) != NID_sha1)
- {
- pss->hashAlgorithm = X509_ALGOR_new();
- if (!pss->hashAlgorithm)
- goto err;
- X509_ALGOR_set_md(pss->hashAlgorithm, sigmd);
- }
- if (EVP_MD_type(mgf1md) != NID_sha1)
- {
- ASN1_STRING *stmp = NULL;
- /* need to embed algorithm ID inside another */
- mgf1alg = X509_ALGOR_new();
- X509_ALGOR_set_md(mgf1alg, mgf1md);
- if (!ASN1_item_pack(mgf1alg, ASN1_ITEM_rptr(X509_ALGOR),
- &stmp))
- goto err;
- pss->maskGenAlgorithm = X509_ALGOR_new();
- if (!pss->maskGenAlgorithm)
- goto err;
- X509_ALGOR_set0(pss->maskGenAlgorithm,
- OBJ_nid2obj(NID_mgf1),
- V_ASN1_SEQUENCE, stmp);
- }
- /* Finally create string with pss parameter encoding. */
- if (!ASN1_item_pack(pss, ASN1_ITEM_rptr(RSA_PSS_PARAMS), &os1))
- goto err;
- if (alg2)
- {
- os2 = ASN1_STRING_dup(os1);
- if (!os2)
- goto err;
- X509_ALGOR_set0(alg2, OBJ_nid2obj(NID_rsassaPss),
- V_ASN1_SEQUENCE, os2);
- }
- X509_ALGOR_set0(alg1, OBJ_nid2obj(NID_rsassaPss),
- V_ASN1_SEQUENCE, os1);
- os1 = os2 = NULL;
- rv = 3;
- err:
- if (mgf1alg)
- X509_ALGOR_free(mgf1alg);
- if (pss)
- RSA_PSS_PARAMS_free(pss);
- if (os1)
- ASN1_STRING_free(os1);
- return rv;
-
- }
- return 2;
- }
-
-const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[] =
- {
- {
- EVP_PKEY_RSA,
- EVP_PKEY_RSA,
- ASN1_PKEY_SIGPARAM_NULL,
-
- "RSA",
- "OpenSSL RSA method",
-
- rsa_pub_decode,
- rsa_pub_encode,
- rsa_pub_cmp,
- rsa_pub_print,
-
- rsa_priv_decode,
- rsa_priv_encode,
- rsa_priv_print,
-
- int_rsa_size,
- rsa_bits,
-
- 0,0,0,0,0,0,
-
- rsa_sig_print,
- int_rsa_free,
- rsa_pkey_ctrl,
- old_rsa_priv_decode,
- old_rsa_priv_encode,
- rsa_item_verify,
- rsa_item_sign
- },
-
- {
- EVP_PKEY_RSA2,
- EVP_PKEY_RSA,
- ASN1_PKEY_ALIAS
- }
- };
+ X509_ALGOR *alg1, X509_ALGOR *alg2,
+ ASN1_BIT_STRING *sig)
+{
+ int pad_mode;
+ EVP_PKEY_CTX *pkctx = EVP_MD_CTX_pkey_ctx(ctx);
+
+ if (EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode) <= 0)
+ return 0;
+ if (pad_mode == RSA_PKCS1_PADDING)
+ return 2;
+ if (pad_mode == RSA_PKCS1_PSS_PADDING) {
+ ASN1_STRING *os1 = NULL;
+ os1 = rsa_ctx_to_pss_string(pkctx);
+ if (!os1)
+ return 0;
+ /* Duplicate parameters if we have to */
+ if (alg2) {
+ ASN1_STRING *os2 = ASN1_STRING_dup(os1);
+ if (!os2) {
+ ASN1_STRING_free(os1);
+ return 0;
+ }
+ X509_ALGOR_set0(alg2, OBJ_nid2obj(EVP_PKEY_RSA_PSS),
+ V_ASN1_SEQUENCE, os2);
+ }
+ X509_ALGOR_set0(alg1, OBJ_nid2obj(EVP_PKEY_RSA_PSS),
+ V_ASN1_SEQUENCE, os1);
+ return 3;
+ }
+ return 2;
+}
+
+static int rsa_sig_info_set(X509_SIG_INFO *siginf, const X509_ALGOR *sigalg,
+ const ASN1_STRING *sig)
+{
+ int rv = 0;
+ int mdnid, saltlen;
+ uint32_t flags;
+ const EVP_MD *mgf1md = NULL, *md = NULL;
+ RSA_PSS_PARAMS *pss;
+ int secbits;
+
+ /* Sanity check: make sure it is PSS */
+ if (OBJ_obj2nid(sigalg->algorithm) != EVP_PKEY_RSA_PSS)
+ return 0;
+ /* Decode PSS parameters */
+ pss = rsa_pss_decode(sigalg);
+ if (!rsa_pss_get_param(pss, &md, &mgf1md, &saltlen))
+ goto err;
+ mdnid = EVP_MD_type(md);
+ /*
+ * For TLS need SHA256, SHA384 or SHA512, digest and MGF1 digest must
+ * match and salt length must equal digest size
+ */
+ if ((mdnid == NID_sha256 || mdnid == NID_sha384 || mdnid == NID_sha512)
+ && mdnid == EVP_MD_type(mgf1md) && saltlen == EVP_MD_size(md))
+ flags = X509_SIG_INFO_TLS;
+ else
+ flags = 0;
+ /* Note: security bits half number of digest bits */
+ secbits = EVP_MD_size(md) * 4;
+ /*
+ * SHA1 and MD5 are known to be broken. Reduce security bits so that
+ * they're no longer accepted at security level 1. The real values don't
+ * really matter as long as they're lower than 80, which is our security
+ * level 1.
+ * https://eprint.iacr.org/2020/014 puts a chosen-prefix attack for SHA1 at
+ * 2^63.4
+ * https://documents.epfl.ch/users/l/le/lenstra/public/papers/lat.pdf
+ * puts a chosen-prefix attack for MD5 at 2^39.
+ */
+ if (mdnid == NID_sha1)
+ secbits = 64;
+ else if (mdnid == NID_md5_sha1)
+ secbits = 68;
+ else if (mdnid == NID_md5)
+ secbits = 39;
+ X509_SIG_INFO_set(siginf, mdnid, EVP_PKEY_RSA_PSS, secbits,
+ flags);
+ rv = 1;
+ err:
+ RSA_PSS_PARAMS_free(pss);
+ return rv;
+}
+
+#ifndef OPENSSL_NO_CMS
+static RSA_OAEP_PARAMS *rsa_oaep_decode(const X509_ALGOR *alg)
+{
+ RSA_OAEP_PARAMS *oaep;
+
+ oaep = ASN1_TYPE_unpack_sequence(ASN1_ITEM_rptr(RSA_OAEP_PARAMS),
+ alg->parameter);
+
+ if (oaep == NULL)
+ return NULL;
+
+ if (oaep->maskGenFunc != NULL) {
+ oaep->maskHash = rsa_mgf1_decode(oaep->maskGenFunc);
+ if (oaep->maskHash == NULL) {
+ RSA_OAEP_PARAMS_free(oaep);
+ return NULL;
+ }
+ }
+ return oaep;
+}
+
+static int rsa_cms_decrypt(CMS_RecipientInfo *ri)
+{
+ EVP_PKEY_CTX *pkctx;
+ X509_ALGOR *cmsalg;
+ int nid;
+ int rv = -1;
+ unsigned char *label = NULL;
+ int labellen = 0;
+ const EVP_MD *mgf1md = NULL, *md = NULL;
+ RSA_OAEP_PARAMS *oaep;
+
+ pkctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
+ if (pkctx == NULL)
+ return 0;
+ if (!CMS_RecipientInfo_ktri_get0_algs(ri, NULL, NULL, &cmsalg))
+ return -1;
+ nid = OBJ_obj2nid(cmsalg->algorithm);
+ if (nid == NID_rsaEncryption)
+ return 1;
+ if (nid != NID_rsaesOaep) {
+ RSAerr(RSA_F_RSA_CMS_DECRYPT, RSA_R_UNSUPPORTED_ENCRYPTION_TYPE);
+ return -1;
+ }
+ /* Decode OAEP parameters */
+ oaep = rsa_oaep_decode(cmsalg);
+
+ if (oaep == NULL) {
+ RSAerr(RSA_F_RSA_CMS_DECRYPT, RSA_R_INVALID_OAEP_PARAMETERS);
+ goto err;
+ }
+
+ mgf1md = rsa_algor_to_md(oaep->maskHash);
+ if (mgf1md == NULL)
+ goto err;
+ md = rsa_algor_to_md(oaep->hashFunc);
+ if (md == NULL)
+ goto err;
+
+ if (oaep->pSourceFunc != NULL) {
+ X509_ALGOR *plab = oaep->pSourceFunc;
+
+ if (OBJ_obj2nid(plab->algorithm) != NID_pSpecified) {
+ RSAerr(RSA_F_RSA_CMS_DECRYPT, RSA_R_UNSUPPORTED_LABEL_SOURCE);
+ goto err;
+ }
+ if (plab->parameter->type != V_ASN1_OCTET_STRING) {
+ RSAerr(RSA_F_RSA_CMS_DECRYPT, RSA_R_INVALID_LABEL);
+ goto err;
+ }
+
+ label = plab->parameter->value.octet_string->data;
+ /* Stop label being freed when OAEP parameters are freed */
+ plab->parameter->value.octet_string->data = NULL;
+ labellen = plab->parameter->value.octet_string->length;
+ }
+
+ if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_OAEP_PADDING) <= 0)
+ goto err;
+ if (EVP_PKEY_CTX_set_rsa_oaep_md(pkctx, md) <= 0)
+ goto err;
+ if (EVP_PKEY_CTX_set_rsa_mgf1_md(pkctx, mgf1md) <= 0)
+ goto err;
+ if (EVP_PKEY_CTX_set0_rsa_oaep_label(pkctx, label, labellen) <= 0)
+ goto err;
+ /* Carry on */
+ rv = 1;
+
+ err:
+ RSA_OAEP_PARAMS_free(oaep);
+ return rv;
+}
+
+static int rsa_cms_encrypt(CMS_RecipientInfo *ri)
+{
+ const EVP_MD *md, *mgf1md;
+ RSA_OAEP_PARAMS *oaep = NULL;
+ ASN1_STRING *os = NULL;
+ X509_ALGOR *alg;
+ EVP_PKEY_CTX *pkctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
+ int pad_mode = RSA_PKCS1_PADDING, rv = 0, labellen;
+ unsigned char *label;
+
+ if (CMS_RecipientInfo_ktri_get0_algs(ri, NULL, NULL, &alg) <= 0)
+ return 0;
+ if (pkctx) {
+ if (EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode) <= 0)
+ return 0;
+ }
+ if (pad_mode == RSA_PKCS1_PADDING) {
+ X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption), V_ASN1_NULL, 0);
+ return 1;
+ }
+ /* Not supported */
+ if (pad_mode != RSA_PKCS1_OAEP_PADDING)
+ return 0;
+ if (EVP_PKEY_CTX_get_rsa_oaep_md(pkctx, &md) <= 0)
+ goto err;
+ if (EVP_PKEY_CTX_get_rsa_mgf1_md(pkctx, &mgf1md) <= 0)
+ goto err;
+ labellen = EVP_PKEY_CTX_get0_rsa_oaep_label(pkctx, &label);
+ if (labellen < 0)
+ goto err;
+ oaep = RSA_OAEP_PARAMS_new();
+ if (oaep == NULL)
+ goto err;
+ if (!rsa_md_to_algor(&oaep->hashFunc, md))
+ goto err;
+ if (!rsa_md_to_mgf1(&oaep->maskGenFunc, mgf1md))
+ goto err;
+ if (labellen > 0) {
+ ASN1_OCTET_STRING *los;
+ oaep->pSourceFunc = X509_ALGOR_new();
+ if (oaep->pSourceFunc == NULL)
+ goto err;
+ los = ASN1_OCTET_STRING_new();
+ if (los == NULL)
+ goto err;
+ if (!ASN1_OCTET_STRING_set(los, label, labellen)) {
+ ASN1_OCTET_STRING_free(los);
+ goto err;
+ }
+ X509_ALGOR_set0(oaep->pSourceFunc, OBJ_nid2obj(NID_pSpecified),
+ V_ASN1_OCTET_STRING, los);
+ }
+ /* create string with pss parameter encoding. */
+ if (!ASN1_item_pack(oaep, ASN1_ITEM_rptr(RSA_OAEP_PARAMS), &os))
+ goto err;
+ X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaesOaep), V_ASN1_SEQUENCE, os);
+ os = NULL;
+ rv = 1;
+ err:
+ RSA_OAEP_PARAMS_free(oaep);
+ ASN1_STRING_free(os);
+ return rv;
+}
+#endif
+
+static int rsa_pkey_check(const EVP_PKEY *pkey)
+{
+ return RSA_check_key_ex(pkey->pkey.rsa, NULL);
+}
+
+static size_t rsa_pkey_dirty_cnt(const EVP_PKEY *pkey)
+{
+ return pkey->pkey.rsa->dirty_cnt;
+}
+
+DEFINE_SPECIAL_STACK_OF_CONST(BIGNUM_const, BIGNUM)
+
+static int rsa_pkey_export_to(const EVP_PKEY *from, void *to_keydata,
+ EVP_KEYMGMT *to_keymgmt)
+{
+ RSA *rsa = from->pkey.rsa;
+ OSSL_PARAM_BLD tmpl;
+ const BIGNUM *n = RSA_get0_n(rsa), *e = RSA_get0_e(rsa);
+ const BIGNUM *d = RSA_get0_d(rsa);
+ STACK_OF(BIGNUM_const) *primes = NULL, *exps = NULL, *coeffs = NULL;
+ int numprimes = 0, numexps = 0, numcoeffs = 0;
+ OSSL_PARAM *params = NULL;
+ int selection = 0;
+ int rv = 0;
+
+ /*
+ * If the RSA method is foreign, then we can't be sure of anything, and
+ * can therefore not export or pretend to export.
+ */
+ if (RSA_get_method(rsa) != RSA_PKCS1_OpenSSL())
+ return 0;
+
+ /* Public parameters must always be present */
+ if (n == NULL || e == NULL)
+ goto err;
+
+ ossl_param_bld_init(&tmpl);
+
+ /* |e| and |n| are always present */
+ if (!ossl_param_bld_push_BN(&tmpl, OSSL_PKEY_PARAM_RSA_E, e))
+ goto err;
+ if (!ossl_param_bld_push_BN(&tmpl, OSSL_PKEY_PARAM_RSA_N, n))
+ goto err;
+ selection |= OSSL_KEYMGMT_SELECT_PUBLIC_KEY;
+
+ if (d != NULL) {
+ int i;
+
+ /* Get all the primes and CRT params */
+ if ((primes = sk_BIGNUM_const_new_null()) == NULL
+ || (exps = sk_BIGNUM_const_new_null()) == NULL
+ || (coeffs = sk_BIGNUM_const_new_null()) == NULL)
+ goto err;
+
+ if (!rsa_get0_all_params(rsa, primes, exps, coeffs))
+ goto err;
+
+ numprimes = sk_BIGNUM_const_num(primes);
+ numexps = sk_BIGNUM_const_num(exps);
+ numcoeffs = sk_BIGNUM_const_num(coeffs);
+
+ /*
+ * It's permisssible to have zero primes, i.e. no CRT params.
+ * Otherwise, there must be at least two, as many exponents,
+ * and one coefficient less.
+ */
+ if (numprimes != 0
+ && (numprimes < 2 || numexps < 2 || numcoeffs < 1))
+ goto err;
+
+ /* assert that an OSSL_PARAM_BLD has enough space. */
+ if (!ossl_assert(/* n, e */ 2 + /* d */ 1 + /* numprimes */ 1
+ + numprimes + numexps + numcoeffs
+ <= OSSL_PARAM_BLD_MAX))
+ goto err;
+
+ if (!ossl_param_bld_push_BN(&tmpl, OSSL_PKEY_PARAM_RSA_D, d))
+ goto err;
+ selection |= OSSL_KEYMGMT_SELECT_PRIVATE_KEY;
+
+ for (i = 0; i < numprimes; i++) {
+ const BIGNUM *num = sk_BIGNUM_const_value(primes, i);
+
+ if (!ossl_param_bld_push_BN(&tmpl, OSSL_PKEY_PARAM_RSA_FACTOR,
+ num))
+ goto err;
+ }
+
+ for (i = 0; i < numexps; i++) {
+ const BIGNUM *num = sk_BIGNUM_const_value(exps, i);
+
+ if (!ossl_param_bld_push_BN(&tmpl, OSSL_PKEY_PARAM_RSA_EXPONENT,
+ num))
+ goto err;
+ }
+
+ for (i = 0; i < numcoeffs; i++) {
+ const BIGNUM *num = sk_BIGNUM_const_value(coeffs, i);
+
+ if (!ossl_param_bld_push_BN(&tmpl, OSSL_PKEY_PARAM_RSA_COEFFICIENT,
+ num))
+ goto err;
+ }
+ }
+
+ if ((params = ossl_param_bld_to_param(&tmpl)) == NULL)
+ goto err;
+
+ /* We export, the provider imports */
+ rv = evp_keymgmt_import(to_keymgmt, to_keydata, selection, params);
+
+ err:
+ sk_BIGNUM_const_free(primes);
+ sk_BIGNUM_const_free(exps);
+ sk_BIGNUM_const_free(coeffs);
+ ossl_param_bld_free(params);
+ return rv;
+}
+
+const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[2] = {
+ {
+ EVP_PKEY_RSA,
+ EVP_PKEY_RSA,
+ ASN1_PKEY_SIGPARAM_NULL,
+
+ "RSA",
+ "OpenSSL RSA method",
+
+ rsa_pub_decode,
+ rsa_pub_encode,
+ rsa_pub_cmp,
+ rsa_pub_print,
+
+ rsa_priv_decode,
+ rsa_priv_encode,
+ rsa_priv_print,
+
+ int_rsa_size,
+ rsa_bits,
+ rsa_security_bits,
+
+ 0, 0, 0, 0, 0, 0,
+
+ rsa_sig_print,
+ int_rsa_free,
+ rsa_pkey_ctrl,
+ old_rsa_priv_decode,
+ old_rsa_priv_encode,
+ rsa_item_verify,
+ rsa_item_sign,
+ rsa_sig_info_set,
+ rsa_pkey_check,
+
+ 0, 0,
+ 0, 0, 0, 0,
+
+ rsa_pkey_dirty_cnt,
+ rsa_pkey_export_to
+ },
+
+ {
+ EVP_PKEY_RSA2,
+ EVP_PKEY_RSA,
+ ASN1_PKEY_ALIAS}
+};
+
+const EVP_PKEY_ASN1_METHOD rsa_pss_asn1_meth = {
+ EVP_PKEY_RSA_PSS,
+ EVP_PKEY_RSA_PSS,
+ ASN1_PKEY_SIGPARAM_NULL,
+
+ "RSA-PSS",
+ "OpenSSL RSA-PSS method",
+
+ rsa_pub_decode,
+ rsa_pub_encode,
+ rsa_pub_cmp,
+ rsa_pub_print,
+
+ rsa_priv_decode,
+ rsa_priv_encode,
+ rsa_priv_print,
+
+ int_rsa_size,
+ rsa_bits,
+ rsa_security_bits,
+
+ 0, 0, 0, 0, 0, 0,
+
+ rsa_sig_print,
+ int_rsa_free,
+ rsa_pkey_ctrl,
+ 0, 0,
+ rsa_item_verify,
+ rsa_item_sign,
+ 0,
+ rsa_pkey_check,
+
+ 0, 0,
+ 0, 0, 0, 0,
+
+ rsa_pkey_dirty_cnt,
+ rsa_pkey_export_to
+};