2 * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * A simple ASN.1 DER encoder/decoder for DSA-Sig-Value and ECDSA-Sig-Value.
13 * DSA-Sig-Value ::= SEQUENCE {
18 * ECDSA-Sig-Value ::= SEQUENCE {
24 #include <openssl/crypto.h>
25 #include <openssl/bn.h>
26 #include "internal/asn1_dsa.h"
28 #define ID_SEQUENCE 0x30
29 #define ID_INTEGER 0x02
32 * Outputs the encoding of the length octets for a DER value with a content
33 * length of cont_len bytes to *ppout and, if successful, increments *ppout
34 * past the data just written.
36 * The maximum supported content length is 65535 (0xffff) bytes.
37 * The maximum returned length in bytes of the encoded output is 3.
39 * If ppout is NULL then the output size is calculated and returned but no
41 * If ppout is not NULL then *ppout must not be NULL.
43 * An attempt to produce more than len bytes results in an error.
44 * Returns the number of bytes of output produced (or that would be produced)
45 * or 0 if an error occurs.
47 size_t encode_der_length(size_t cont_len, unsigned char **ppout, size_t len)
51 if (cont_len <= 0x7f) {
53 } else if (cont_len <= 0xff) {
55 } else if (cont_len <= 0xffff) {
58 /* Too large for supported length encodings */
61 if (encoded_len > len)
64 unsigned char *out = *ppout;
65 switch (encoded_len) {
71 *out++ = (unsigned char)(cont_len >> 8);
74 *out++ = (unsigned char)cont_len;
81 * Outputs the DER encoding of a positive ASN.1 INTEGER to *ppout and, if
82 * successful, increments *ppout past the data just written.
84 * If n is negative then an error results.
85 * If ppout is NULL then the output size is calculated and returned but no
87 * If ppout is not NULL then *ppout must not be NULL.
89 * An attempt to produce more than len bytes results in an error.
90 * Returns the number of bytes of output produced (or that would be produced)
91 * or 0 if an error occurs.
93 size_t encode_der_integer(const BIGNUM *n, unsigned char **ppout, size_t len)
95 unsigned char *out = NULL;
96 unsigned char **pp = NULL;
101 if (len < 1 || BN_is_negative(n))
105 * Calculate the ASN.1 INTEGER DER content length for n.
106 * This is the number of whole bytes required to represent n (i.e. rounded
108 * If n is zero then the content is a single zero byte (length = 1).
109 * If the number of bits of n is a multiple of 8 then an extra zero padding
110 * byte is included to ensure that the value is still treated as positive
111 * in the INTEGER two's complement representation.
113 cont_len = BN_num_bits(n) / 8 + 1;
121 if ((c = encode_der_length(cont_len, pp, len - produced)) == 0)
124 if (cont_len > len - produced)
127 if (BN_bn2binpad(n, out, (int)cont_len) != (int)cont_len)
132 produced += cont_len;
137 * Outputs the DER encoding of a DSA-Sig-Value or ECDSA-Sig-Value to *ppout
138 * and increments *ppout past the data just written.
140 * If ppout is NULL then the output size is calculated and returned but no
141 * output is produced.
142 * If ppout is not NULL then *ppout must not be NULL.
144 * An attempt to produce more than len bytes results in an error.
145 * Returns the number of bytes of output produced (or that would be produced)
146 * or 0 if an error occurs.
148 size_t encode_der_dsa_sig(const BIGNUM *r, const BIGNUM *s,
149 unsigned char **ppout, size_t len)
151 unsigned char *out = NULL;
152 unsigned char **pp = NULL;
160 || (r_der_len = encode_der_integer(r, NULL, SIZE_MAX)) == 0
161 || (s_der_len = encode_der_integer(s, NULL, SIZE_MAX)) == 0)
164 cont_len = r_der_len + s_der_len;
169 *out++ = ID_SEQUENCE;
172 if ((c = encode_der_length(cont_len, pp, len - produced)) == 0)
175 if ((c = encode_der_integer(r, pp, len - produced)) == 0)
178 if ((c = encode_der_integer(s, pp, len - produced)) == 0)
187 * Decodes the DER length octets at *ppin, stores the decoded length to
188 * *pcont_len and, if successful, increments *ppin past the data that was
191 * pcont_len, ppin and *ppin must not be NULL.
193 * An attempt to consume more than len bytes results in an error.
194 * Returns the number of bytes of input consumed or 0 if an error occurs.
196 size_t decode_der_length(size_t *pcont_len, const unsigned char **ppin,
199 const unsigned char *in = *ppin;
208 if (n == 0x81 && len - consumed >= 1) {
211 return 0; /* Not DER. */
213 } else if (n == 0x82 && len - consumed >= 2) {
217 return 0; /* Not DER. */
220 return 0; /* Too large, invalid, or not DER. */
229 * Decodes a single ASN.1 INTEGER value from *ppin, which must be DER encoded,
230 * updates n with the decoded value, and, if successful, increments *ppin past
231 * the data that was consumed.
233 * The BIGNUM, n, must have already been allocated by calling BN_new().
234 * ppin and *ppin must not be NULL.
236 * An attempt to consume more than len bytes results in an error.
237 * Returns the number of bytes of input consumed or 0 if an error occurs.
239 * If the buffer is supposed to only contain a single INTEGER value with no
240 * trailing garbage then it is up to the caller to verify that all bytes
243 size_t decode_der_integer(BIGNUM *n, const unsigned char **ppin, size_t len)
245 const unsigned char *in = *ppin;
250 if (len < 1 || n == NULL || *in++ != ID_INTEGER)
253 if ((c = decode_der_length(&cont_len, &in, len - consumed)) == 0)
256 /* Check for a positive INTEGER with valid content encoding and decode. */
257 if (cont_len > len - consumed || cont_len < 1 || (in[0] & 0x80) != 0
258 || (cont_len >= 2 && in[0] == 0 && (in[1] & 0x80) == 0)
259 || BN_bin2bn(in, (int)cont_len, n) == NULL)
262 consumed += cont_len;
267 static size_t decode_dsa_sig_content(BIGNUM *r, BIGNUM *s,
268 const unsigned char **ppin, size_t len)
270 const unsigned char *in = *ppin;
274 if ((c = decode_der_integer(r, &in, len - consumed)) == 0)
277 if ((c = decode_der_integer(s, &in, len - consumed)) == 0)
285 * Decodes a single DSA-Sig-Value or ECDSA-Sig-Value from *ppin, which must be
286 * DER encoded, updates r and s with the decoded values, and increments *ppin
287 * past the data that was consumed.
289 * The BIGNUMs, r and s, must have already been allocated by calls to BN_new().
290 * ppin and *ppin must not be NULL.
292 * An attempt to consume more than len bytes results in an error.
293 * Returns the number of bytes of input consumed or 0 if an error occurs.
295 * If the buffer is supposed to only contain a single [EC]DSA-Sig-Value with no
296 * trailing garbage then it is up to the caller to verify that all bytes
299 size_t decode_der_dsa_sig(BIGNUM *r, BIGNUM *s, const unsigned char **ppin,
302 const unsigned char *in = *ppin;
307 if (len < 1 || *in++ != ID_SEQUENCE)
310 if ((c = decode_der_length(&cont_len, &in, len - consumed)) == 0)
313 if (cont_len > len - consumed
314 || (c = decode_dsa_sig_content(r, s, &in, cont_len)) == 0