2 * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * RSA low level APIs are deprecated for public use, but still ok for
14 #include "internal/deprecated.h"
16 #include "internal/packet.h"
17 #include "crypto/rsa.h" /* rsa_get0_all_params() */
18 #include "prov/bio.h" /* ossl_prov_bio_printf() */
19 #include "prov/der_rsa.h" /* DER_w_RSASSA_PSS_params() */
20 #include "prov/implementations.h" /* rsa_keymgmt_functions */
21 #include "serializer_local.h"
23 DEFINE_SPECIAL_STACK_OF_CONST(BIGNUM_const, BIGNUM)
25 OSSL_FUNC_keymgmt_new_fn *ossl_prov_get_keymgmt_rsa_new(void)
27 return ossl_prov_get_keymgmt_new(rsa_keymgmt_functions);
30 OSSL_FUNC_keymgmt_new_fn *ossl_prov_get_keymgmt_rsapss_new(void)
32 return ossl_prov_get_keymgmt_new(rsapss_keymgmt_functions);
35 OSSL_FUNC_keymgmt_free_fn *ossl_prov_get_keymgmt_rsa_free(void)
37 return ossl_prov_get_keymgmt_free(rsa_keymgmt_functions);
40 OSSL_FUNC_keymgmt_import_fn *ossl_prov_get_keymgmt_rsa_import(void)
42 return ossl_prov_get_keymgmt_import(rsa_keymgmt_functions);
45 OSSL_FUNC_keymgmt_export_fn *ossl_prov_get_keymgmt_rsa_export(void)
47 return ossl_prov_get_keymgmt_export(rsa_keymgmt_functions);
50 OSSL_FUNC_keymgmt_export_fn *ossl_prov_get_keymgmt_rsapss_export(void)
52 return ossl_prov_get_keymgmt_export(rsapss_keymgmt_functions);
55 int ossl_prov_print_rsa(BIO *out, RSA *rsa, int priv)
57 const char *modulus_label;
58 const char *exponent_label;
59 const BIGNUM *rsa_d = NULL, *rsa_n = NULL, *rsa_e = NULL;
60 STACK_OF(BIGNUM_const) *factors = sk_BIGNUM_const_new_null();
61 STACK_OF(BIGNUM_const) *exps = sk_BIGNUM_const_new_null();
62 STACK_OF(BIGNUM_const) *coeffs = sk_BIGNUM_const_new_null();
63 RSA_PSS_PARAMS_30 *pss_params = rsa_get0_pss_params_30(rsa);
66 if (rsa == NULL || factors == NULL || exps == NULL || coeffs == NULL)
69 RSA_get0_key(rsa, &rsa_n, &rsa_e, &rsa_d);
70 rsa_get0_all_params(rsa, factors, exps, coeffs);
72 if (priv && rsa_d != NULL) {
73 if (BIO_printf(out, "Private-Key: (%d bit, %d primes)\n",
75 sk_BIGNUM_const_num(factors)) <= 0)
77 modulus_label = "modulus:";
78 exponent_label = "publicExponent:";
80 if (BIO_printf(out, "Public-Key: (%d bit)\n", BN_num_bits(rsa_n)) <= 0)
82 modulus_label = "Modulus:";
83 exponent_label = "Exponent:";
85 if (!ossl_prov_print_labeled_bignum(out, modulus_label, rsa_n))
87 if (!ossl_prov_print_labeled_bignum(out, exponent_label, rsa_e))
92 if (!ossl_prov_print_labeled_bignum(out, "privateExponent:", rsa_d))
94 if (!ossl_prov_print_labeled_bignum(out, "prime1:",
95 sk_BIGNUM_const_value(factors, 0)))
97 if (!ossl_prov_print_labeled_bignum(out, "prime2:",
98 sk_BIGNUM_const_value(factors, 1)))
100 if (!ossl_prov_print_labeled_bignum(out, "exponent1:",
101 sk_BIGNUM_const_value(exps, 0)))
103 if (!ossl_prov_print_labeled_bignum(out, "exponent2:",
104 sk_BIGNUM_const_value(exps, 1)))
106 if (!ossl_prov_print_labeled_bignum(out, "coefficient:",
107 sk_BIGNUM_const_value(coeffs, 0)))
109 for (i = 2; i < sk_BIGNUM_const_num(factors); i++) {
110 if (BIO_printf(out, "prime%d:", i + 1) <= 0)
112 if (!ossl_prov_print_labeled_bignum(out, NULL,
113 sk_BIGNUM_const_value(factors,
116 if (BIO_printf(out, "exponent%d:", i + 1) <= 0)
118 if (!ossl_prov_print_labeled_bignum(out, NULL,
119 sk_BIGNUM_const_value(exps, i)))
121 if (BIO_printf(out, "coefficient%d:", i + 1) <= 0)
123 if (!ossl_prov_print_labeled_bignum(out, NULL,
124 sk_BIGNUM_const_value(coeffs,
130 switch (RSA_test_flags(rsa, RSA_FLAG_TYPE_MASK)) {
131 case RSA_FLAG_TYPE_RSA:
132 if (!rsa_pss_params_30_is_unrestricted(pss_params)) {
133 if (BIO_printf(out, "(INVALID PSS PARAMETERS)\n") <= 0)
137 case RSA_FLAG_TYPE_RSASSAPSS:
138 if (rsa_pss_params_30_is_unrestricted(pss_params)) {
139 if (BIO_printf(out, "No PSS parameter restrictions\n") <= 0)
142 int hashalg_nid = rsa_pss_params_30_hashalg(pss_params);
143 int maskgenalg_nid = rsa_pss_params_30_maskgenalg(pss_params);
144 int maskgenhashalg_nid =
145 rsa_pss_params_30_maskgenhashalg(pss_params);
146 int saltlen = rsa_pss_params_30_saltlen(pss_params);
147 int trailerfield = rsa_pss_params_30_trailerfield(pss_params);
149 if (BIO_printf(out, "PSS parameter restrictions:\n") <= 0)
151 if (BIO_printf(out, " Hash Algorithm: %s%s\n",
152 rsa_oaeppss_nid2name(hashalg_nid),
153 (hashalg_nid == NID_sha1
154 ? " (default)" : "")) <= 0)
156 if (BIO_printf(out, " Mask Algorithm: %s with %s%s\n",
157 rsa_mgf_nid2name(maskgenalg_nid),
158 rsa_oaeppss_nid2name(maskgenhashalg_nid),
159 (maskgenalg_nid == NID_mgf1
160 && maskgenhashalg_nid == NID_sha1
161 ? " (default)" : "")) <= 0)
163 if (BIO_printf(out, " Minimum Salt Length: %d%s\n",
165 (saltlen == 20 ? " (default)" : "")) <= 0)
168 * TODO(3.0) Should we show the ASN.1 trailerField value, or
169 * the actual trailerfield byte (i.e. 0xBC for 1)?
170 * crypto/rsa/rsa_ameth.c isn't very clear on that, as it
171 * does display 0xBC when the default applies, but the ASN.1
172 * trailerField value otherwise...
174 if (BIO_printf(out, " Trailer Field: 0x%x%s\n",
176 (trailerfield == 1 ? " (default)" : ""))
185 sk_BIGNUM_const_free(factors);
186 sk_BIGNUM_const_free(exps);
187 sk_BIGNUM_const_free(coeffs);
192 * Helper functions to prepare RSA-PSS params for serialization. We would
193 * have simply written the whole AlgorithmIdentifier, but existing libcrypto
194 * functionality doesn't allow that.
197 int ossl_prov_prepare_rsa_params(const void *rsa, int nid,
198 void **pstr, int *pstrtype)
200 const RSA_PSS_PARAMS_30 *pss = rsa_get0_pss_params_30((RSA *)rsa);
204 switch (RSA_test_flags(rsa, RSA_FLAG_TYPE_MASK)) {
205 case RSA_FLAG_TYPE_RSA:
206 /* If plain RSA, the parameters shall be NULL */
207 *pstrtype = V_ASN1_NULL;
209 case RSA_FLAG_TYPE_RSASSAPSS:
210 if (rsa_pss_params_30_is_unrestricted(pss)) {
211 *pstrtype = V_ASN1_UNDEF;
214 ASN1_STRING *astr = NULL;
216 unsigned char *str = NULL;
220 for (i = 0; i < 2; i++) {
223 if (!WPACKET_init_null_der(&pkt))
227 if ((str = OPENSSL_malloc(str_sz)) == NULL
228 || !WPACKET_init_der(&pkt, str, str_sz)) {
233 if (!DER_w_RSASSA_PSS_params(&pkt, -1, pss)
234 || !WPACKET_finish(&pkt)
235 || !WPACKET_get_total_written(&pkt, &str_sz))
237 WPACKET_cleanup(&pkt);
240 * If no PSS parameters are going to be written, there's no
241 * point going for another iteration.
242 * This saves us from getting |str| allocated just to have it
243 * immediately de-allocated.
249 if ((astr = ASN1_STRING_new()) == NULL)
251 *pstrtype = V_ASN1_SEQUENCE;
252 ASN1_STRING_set0(astr, str, (int)str_sz);
262 /* Currently unsupported RSA key type */
266 int ossl_prov_rsa_type_to_evp(const RSA *rsa)
268 switch (RSA_test_flags(rsa, RSA_FLAG_TYPE_MASK)) {
269 case RSA_FLAG_TYPE_RSA:
271 case RSA_FLAG_TYPE_RSASSAPSS:
272 return EVP_PKEY_RSA_PSS;
275 /* Currently unsupported RSA key type */
276 return EVP_PKEY_NONE;