rsa: add ossl_ prefix to internal rsa_ calls.
[openssl.git] / providers / common / der / der_rsa_key.c
1 /*
2  * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the Apache License 2.0 (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9
10 #include <openssl/obj_mac.h>
11 #include "internal/cryptlib.h"
12 #include "prov/der_rsa.h"
13 #include "prov/der_digests.h"
14
15 /* More complex pre-compiled sequences.  TODO(3.0) refactor? */
16 /*-
17  * From https://tools.ietf.org/html/rfc8017#appendix-A.2.1
18  *
19  * OAEP-PSSDigestAlgorithms    ALGORITHM-IDENTIFIER ::= {
20  *     { OID id-sha1       PARAMETERS NULL }|
21  *     { OID id-sha224     PARAMETERS NULL }|
22  *     { OID id-sha256     PARAMETERS NULL }|
23  *     { OID id-sha384     PARAMETERS NULL }|
24  *     { OID id-sha512     PARAMETERS NULL }|
25  *     { OID id-sha512-224 PARAMETERS NULL }|
26  *     { OID id-sha512-256 PARAMETERS NULL },
27  *     ...  -- Allows for future expansion --
28  * }
29  */
30 #define DER_V_NULL DER_P_NULL, 0
31 #define DER_SZ_NULL 2
32
33 /*
34  * The names for the hash function AlgorithmIdentifiers are borrowed and
35  * expanded from https://tools.ietf.org/html/rfc4055#section-2.1
36  *
37  * sha1Identifier  AlgorithmIdentifier  ::=  { id-sha1, NULL }
38  * sha224Identifier  AlgorithmIdentifier  ::=  { id-sha224, NULL }
39  * sha256Identifier  AlgorithmIdentifier  ::=  { id-sha256, NULL }
40  * sha384Identifier  AlgorithmIdentifier  ::=  { id-sha384, NULL }
41  * sha512Identifier  AlgorithmIdentifier  ::=  { id-sha512, NULL }
42  */
43 /*
44  * NOTE: Some of the arrays aren't used other than inside sizeof(), which
45  * clang complains about (-Wno-unneeded-internal-declaration).  To get
46  * around that, we make them non-static, and declare them an extra time to
47  * avoid compilers complaining about definitions without declarations.
48  */
49 #if 0                            /* Currently unused */
50 #define DER_AID_V_sha1Identifier                                        \
51     DER_P_SEQUENCE|DER_F_CONSTRUCTED,                                   \
52         DER_OID_SZ_id_sha1 + DER_SZ_NULL,                               \
53         DER_OID_V_id_sha1,                                              \
54         DER_V_NULL
55 extern const unsigned char der_aid_sha1Identifier[];
56 const unsigned char der_aid_sha1Identifier[] = {
57     DER_AID_V_sha1Identifier
58 };
59 #define DER_AID_SZ_sha1Identifier sizeof(der_aid_sha1Identifier)
60 #endif
61
62 #define DER_AID_V_sha224Identifier                                      \
63     DER_P_SEQUENCE|DER_F_CONSTRUCTED,                                   \
64         DER_OID_SZ_id_sha224 + DER_SZ_NULL,                             \
65         DER_OID_V_id_sha224,                                            \
66         DER_V_NULL
67 extern const unsigned char ossl_der_aid_sha224Identifier[];
68 const unsigned char ossl_der_aid_sha224Identifier[] = {
69     DER_AID_V_sha224Identifier
70 };
71 #define DER_AID_SZ_sha224Identifier sizeof(ossl_der_aid_sha224Identifier)
72
73 #define DER_AID_V_sha256Identifier                                      \
74     DER_P_SEQUENCE|DER_F_CONSTRUCTED,                                   \
75         DER_OID_SZ_id_sha256 + DER_SZ_NULL,                             \
76         DER_OID_V_id_sha256,                                            \
77         DER_V_NULL
78 extern const unsigned char ossl_der_aid_sha256Identifier[];
79 const unsigned char ossl_der_aid_sha256Identifier[] = {
80     DER_AID_V_sha256Identifier
81 };
82 #define DER_AID_SZ_sha256Identifier sizeof(ossl_der_aid_sha256Identifier)
83
84 #define DER_AID_V_sha384Identifier                                      \
85     DER_P_SEQUENCE|DER_F_CONSTRUCTED,                                   \
86         DER_OID_SZ_id_sha384 + DER_SZ_NULL,                             \
87         DER_OID_V_id_sha384,                                            \
88         DER_V_NULL
89 extern const unsigned char ossl_der_aid_sha384Identifier[];
90 const unsigned char ossl_der_aid_sha384Identifier[] = {
91     DER_AID_V_sha384Identifier
92 };
93 #define DER_AID_SZ_sha384Identifier sizeof(ossl_der_aid_sha384Identifier)
94
95 #define DER_AID_V_sha512Identifier                                      \
96     DER_P_SEQUENCE|DER_F_CONSTRUCTED,                                   \
97         DER_OID_SZ_id_sha512 + DER_SZ_NULL,                             \
98         DER_OID_V_id_sha512,                                            \
99         DER_V_NULL
100 extern const unsigned char ossl_der_aid_sha512Identifier[];
101 const unsigned char ossl_der_aid_sha512Identifier[] = {
102     DER_AID_V_sha512Identifier
103 };
104 #define DER_AID_SZ_sha512Identifier sizeof(ossl_der_aid_sha512Identifier)
105
106 #define DER_AID_V_sha512_224Identifier                                  \
107     DER_P_SEQUENCE|DER_F_CONSTRUCTED,                                   \
108         DER_OID_SZ_id_sha512_224 + DER_SZ_NULL,                         \
109         DER_OID_V_id_sha512_224,                                        \
110         DER_V_NULL
111 extern const unsigned char ossl_der_aid_sha512_224Identifier[];
112 const unsigned char ossl_der_aid_sha512_224Identifier[] = {
113     DER_AID_V_sha512_224Identifier
114 };
115 #define DER_AID_SZ_sha512_224Identifier sizeof(ossl_der_aid_sha512_224Identifier)
116
117 #define DER_AID_V_sha512_256Identifier                                  \
118     DER_P_SEQUENCE|DER_F_CONSTRUCTED,                                   \
119         DER_OID_SZ_id_sha512_256 + DER_SZ_NULL,                         \
120         DER_OID_V_id_sha512_256,                                        \
121         DER_V_NULL
122 extern const unsigned char ossl_der_aid_sha512_256Identifier[];
123 const unsigned char ossl_der_aid_sha512_256Identifier[] = {
124     DER_AID_V_sha512_256Identifier
125 };
126 #define DER_AID_SZ_sha512_256Identifier sizeof(ossl_der_aid_sha512_256Identifier)
127
128 /*-
129  * From https://tools.ietf.org/html/rfc8017#appendix-A.2.1
130  *
131  * HashAlgorithm ::= AlgorithmIdentifier {
132  *    {OAEP-PSSDigestAlgorithms}
133  * }
134  *
135  * ...
136  *
137  * PKCS1MGFAlgorithms    ALGORITHM-IDENTIFIER ::= {
138  *     { OID id-mgf1 PARAMETERS HashAlgorithm },
139  *     ...  -- Allows for future expansion --
140  * }
141  */
142
143 /*
144  * The names for the MGF1 AlgorithmIdentifiers are borrowed and expanded
145  * from https://tools.ietf.org/html/rfc4055#section-2.1
146  *
147  * mgf1SHA1Identifier  AlgorithmIdentifier  ::=
148  *                      { id-mgf1, sha1Identifier }
149  * mgf1SHA224Identifier  AlgorithmIdentifier  ::=
150  *                      { id-mgf1, sha224Identifier }
151  * mgf1SHA256Identifier  AlgorithmIdentifier  ::=
152  *                      { id-mgf1, sha256Identifier }
153  * mgf1SHA384Identifier  AlgorithmIdentifier  ::=
154  *                      { id-mgf1, sha384Identifier }
155  * mgf1SHA512Identifier  AlgorithmIdentifier  ::=
156  *                      { id-mgf1, sha512Identifier }
157  */
158 #if 0                            /* Currently unused */
159 #define DER_AID_V_mgf1SHA1Identifier                                    \
160     DER_P_SEQUENCE|DER_F_CONSTRUCTED,                                   \
161         DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha1Identifier,                 \
162         DER_OID_V_id_mgf1,                                              \
163         DER_AID_V_sha1Identifier
164 static const unsigned char der_aid_mgf1SHA1Identifier[] = {
165     DER_AID_V_mgf1SHA1Identifier
166 };
167 #define DER_AID_SZ_mgf1SHA1Identifier sizeof(der_aid_mgf1SHA1Identifier)
168 #endif
169
170 #define DER_AID_V_mgf1SHA224Identifier                          \
171     DER_P_SEQUENCE|DER_F_CONSTRUCTED,                           \
172         DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha224Identifier,       \
173         DER_OID_V_id_mgf1,                                      \
174         DER_AID_V_sha224Identifier
175 static const unsigned char der_aid_mgf1SHA224Identifier[] = {
176     DER_AID_V_mgf1SHA224Identifier
177 };
178 #define DER_AID_SZ_mgf1SHA224Identifier sizeof(der_aid_mgf1SHA224Identifier)
179
180 #define DER_AID_V_mgf1SHA256Identifier                          \
181     DER_P_SEQUENCE|DER_F_CONSTRUCTED,                           \
182         DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha256Identifier,       \
183         DER_OID_V_id_mgf1,                                      \
184         DER_AID_V_sha256Identifier
185 static const unsigned char der_aid_mgf1SHA256Identifier[] = {
186     DER_AID_V_mgf1SHA256Identifier
187 };
188 #define DER_AID_SZ_mgf1SHA256Identifier sizeof(der_aid_mgf1SHA256Identifier)
189
190 #define DER_AID_V_mgf1SHA384Identifier                          \
191     DER_P_SEQUENCE|DER_F_CONSTRUCTED,                           \
192         DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha384Identifier,       \
193         DER_OID_V_id_mgf1,                                      \
194         DER_AID_V_sha384Identifier
195 static const unsigned char der_aid_mgf1SHA384Identifier[] = {
196     DER_AID_V_mgf1SHA384Identifier
197 };
198 #define DER_AID_SZ_mgf1SHA384Identifier sizeof(der_aid_mgf1SHA384Identifier)
199
200 #define DER_AID_V_mgf1SHA512Identifier                          \
201     DER_P_SEQUENCE|DER_F_CONSTRUCTED,                           \
202         DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha512Identifier,       \
203         DER_OID_V_id_mgf1,                                      \
204         DER_AID_V_sha512Identifier
205 static const unsigned char der_aid_mgf1SHA512Identifier[] = {
206     DER_AID_V_mgf1SHA512Identifier
207 };
208 #define DER_AID_SZ_mgf1SHA512Identifier sizeof(der_aid_mgf1SHA512Identifier)
209
210 #define DER_AID_V_mgf1SHA512_224Identifier                      \
211     DER_P_SEQUENCE|DER_F_CONSTRUCTED,                           \
212         DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha512_224Identifier,   \
213         DER_OID_V_id_mgf1,                                      \
214         DER_AID_V_sha512_224Identifier
215 static const unsigned char der_aid_mgf1SHA512_224Identifier[] = {
216     DER_AID_V_mgf1SHA512_224Identifier
217 };
218 #define DER_AID_SZ_mgf1SHA512_224Identifier sizeof(der_aid_mgf1SHA512_224Identifier)
219
220 #define DER_AID_V_mgf1SHA512_256Identifier                      \
221     DER_P_SEQUENCE|DER_F_CONSTRUCTED,                           \
222         DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha512_256Identifier,   \
223         DER_OID_V_id_mgf1,                                      \
224         DER_AID_V_sha512_256Identifier
225 static const unsigned char der_aid_mgf1SHA512_256Identifier[] = {
226     DER_AID_V_mgf1SHA512_256Identifier
227 };
228 #define DER_AID_SZ_mgf1SHA512_256Identifier sizeof(der_aid_mgf1SHA512_256Identifier)
229
230
231 #define MGF1_SHA_CASE(bits, var)                                \
232     case NID_sha##bits:                                         \
233         var = der_aid_mgf1SHA##bits##Identifier;                \
234         var##_sz = sizeof(der_aid_mgf1SHA##bits##Identifier);   \
235         break;
236
237 /*-
238  * The name is borrowed from https://tools.ietf.org/html/rfc8017#appendix-A.2.1
239  *
240  * MaskGenAlgorithm ::= AlgorithmIdentifier { {PKCS1MGFAlgorithms} }
241  */
242 static int DER_w_MaskGenAlgorithm(WPACKET *pkt, int tag,
243                                   const RSA_PSS_PARAMS_30 *pss)
244 {
245     if (pss != NULL && ossl_rsa_pss_params_30_maskgenalg(pss) == NID_mgf1) {
246         int maskgenhashalg_nid = ossl_rsa_pss_params_30_maskgenhashalg(pss);
247         const unsigned char *maskgenalg = NULL;
248         size_t maskgenalg_sz = 0;
249
250         switch (maskgenhashalg_nid) {
251         case NID_sha1:
252             break;
253             MGF1_SHA_CASE(224, maskgenalg);
254             MGF1_SHA_CASE(256, maskgenalg);
255             MGF1_SHA_CASE(384, maskgenalg);
256             MGF1_SHA_CASE(512, maskgenalg);
257             MGF1_SHA_CASE(512_224, maskgenalg);
258             MGF1_SHA_CASE(512_256, maskgenalg);
259         default:
260             return 0;
261         }
262
263         /* If there is none (or it was the default), we write nothing */
264         if (maskgenalg == NULL)
265             return 1;
266
267         return ossl_DER_w_precompiled(pkt, tag, maskgenalg, maskgenalg_sz);
268     }
269     return 0;
270 }
271
272 #define OAEP_PSS_MD_CASE(name, var)                                     \
273     case NID_##name:                                                    \
274         var = ossl_der_oid_id_##name;                                   \
275         var##_sz = sizeof(ossl_der_oid_id_##name);                      \
276         break;
277
278 int ossl_DER_w_RSASSA_PSS_params(WPACKET *pkt, int tag,
279                                  const RSA_PSS_PARAMS_30 *pss)
280 {
281     int hashalg_nid, default_hashalg_nid;
282     int saltlen, default_saltlen;
283     int trailerfield, default_trailerfield;
284     const unsigned char *hashalg = NULL;
285     size_t hashalg_sz = 0;
286
287     /*
288      * For an unrestricted key, this function should not have been called;
289      * the caller must be in control, because unrestricted keys are permitted
290      * in some situations (when encoding the public key in a SubjectKeyInfo,
291      * for example) while not in others, and this function doesn't know the
292      * intent.  Therefore, we assert that here, the PSS parameters must show
293      * that the key is restricted.
294      */
295     if (!ossl_assert(pss != NULL
296                      && !ossl_rsa_pss_params_30_is_unrestricted(pss)))
297         return 0;
298
299     hashalg_nid = ossl_rsa_pss_params_30_hashalg(pss);
300     saltlen = ossl_rsa_pss_params_30_saltlen(pss);
301     trailerfield = ossl_rsa_pss_params_30_trailerfield(pss);
302
303     /* Getting default values */
304     default_hashalg_nid = ossl_rsa_pss_params_30_hashalg(NULL);
305     default_saltlen = ossl_rsa_pss_params_30_saltlen(NULL);
306     default_trailerfield = ossl_rsa_pss_params_30_trailerfield(NULL);
307
308     /*
309      * From https://tools.ietf.org/html/rfc8017#appendix-A.2.1:
310      *
311      * OAEP-PSSDigestAlgorithms    ALGORITHM-IDENTIFIER ::= {
312      *     { OID id-sha1       PARAMETERS NULL }|
313      *     { OID id-sha224     PARAMETERS NULL }|
314      *     { OID id-sha256     PARAMETERS NULL }|
315      *     { OID id-sha384     PARAMETERS NULL }|
316      *     { OID id-sha512     PARAMETERS NULL }|
317      *     { OID id-sha512-224 PARAMETERS NULL }|
318      *     { OID id-sha512-256 PARAMETERS NULL },
319      *     ...  -- Allows for future expansion --
320      * }
321      */
322     switch (hashalg_nid) {
323         OAEP_PSS_MD_CASE(sha1, hashalg);
324         OAEP_PSS_MD_CASE(sha224, hashalg);
325         OAEP_PSS_MD_CASE(sha256, hashalg);
326         OAEP_PSS_MD_CASE(sha384, hashalg);
327         OAEP_PSS_MD_CASE(sha512, hashalg);
328         OAEP_PSS_MD_CASE(sha512_224, hashalg);
329         OAEP_PSS_MD_CASE(sha512_256, hashalg);
330     default:
331         return 0;
332     }
333
334     return ossl_DER_w_begin_sequence(pkt, tag)
335         && (trailerfield == default_trailerfield
336             || ossl_DER_w_ulong(pkt, 3, trailerfield))
337         && (saltlen == default_saltlen || ossl_DER_w_ulong(pkt, 2, saltlen))
338         && DER_w_MaskGenAlgorithm(pkt, 1, pss)
339         && (hashalg_nid == default_hashalg_nid
340             || ossl_DER_w_precompiled(pkt, 0, hashalg, hashalg_sz))
341         && ossl_DER_w_end_sequence(pkt, tag);
342 }
343
344 /* Aliases so we can have a uniform RSA_CASE */
345 #define ossl_der_oid_rsassaPss ossl_der_oid_id_RSASSA_PSS
346
347 #define RSA_CASE(name, var)                                             \
348     var##_nid = NID_##name;                                             \
349     var##_oid = ossl_der_oid_##name;                                    \
350     var##_oid_sz = sizeof(ossl_der_oid_##name);                         \
351     break;
352
353 int ossl_DER_w_algorithmIdentifier_RSA(WPACKET *pkt, int tag, RSA *rsa)
354 {
355     int rsa_nid = NID_undef;
356     const unsigned char *rsa_oid = NULL;
357     size_t rsa_oid_sz = 0;
358     RSA_PSS_PARAMS_30 *pss_params = ossl_rsa_get0_pss_params_30(rsa);
359
360     switch (RSA_test_flags(rsa, RSA_FLAG_TYPE_MASK)) {
361     case RSA_FLAG_TYPE_RSA:
362         RSA_CASE(rsaEncryption, rsa);
363     case RSA_FLAG_TYPE_RSASSAPSS:
364         RSA_CASE(rsassaPss, rsa);
365     }
366
367     if (rsa_oid == NULL)
368         return 0;
369
370     return ossl_DER_w_begin_sequence(pkt, tag)
371         && (rsa_nid != NID_rsassaPss
372             || ossl_rsa_pss_params_30_is_unrestricted(pss_params)
373             || ossl_DER_w_RSASSA_PSS_params(pkt, -1, pss_params))
374         && ossl_DER_w_precompiled(pkt, -1, rsa_oid, rsa_oid_sz)
375         && ossl_DER_w_end_sequence(pkt, tag);
376 }