1/* 2 * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10/* 11 * RSA low level APIs are deprecated for public use, but still ok for 12 * internal use. 13 */ 14#include "internal/deprecated.h" 15 16#include <string.h> 17#include <openssl/core_names.h> 18#include <openssl/params.h> 19#include <openssl/err.h> 20#include <openssl/evp.h> 21#ifndef FIPS_MODULE 22# include <openssl/x509.h> 23# include "crypto/asn1.h" 24#endif 25#include "internal/sizes.h" 26#include "internal/param_build_set.h" 27#include "crypto/rsa.h" 28#include "rsa_local.h" 29 30/* 31 * The intention with the "backend" source file is to offer backend support 32 * for legacy backends (EVP_PKEY_ASN1_METHOD and EVP_PKEY_METHOD) and provider 33 * implementations alike. 34 */ 35 36DEFINE_STACK_OF(BIGNUM) 37 38static int collect_numbers(STACK_OF(BIGNUM) *numbers, 39 const OSSL_PARAM params[], const char *names[]) 40{ 41 const OSSL_PARAM *p = NULL; 42 int i; 43 44 if (numbers == NULL) 45 return 0; 46 47 for (i = 0; names[i] != NULL; i++){ 48 p = OSSL_PARAM_locate_const(params, names[i]); 49 if (p != NULL) { 50 BIGNUM *tmp = NULL; 51 52 if (!OSSL_PARAM_get_BN(p, &tmp)) 53 return 0; 54 if (sk_BIGNUM_push(numbers, tmp) == 0) { 55 BN_clear_free(tmp); 56 return 0; 57 } 58 } 59 } 60 61 return 1; 62} 63 64int ossl_rsa_fromdata(RSA *rsa, const OSSL_PARAM params[], int include_private) 65{ 66 const OSSL_PARAM *param_n, *param_e, *param_d = NULL; 67 BIGNUM *n = NULL, *e = NULL, *d = NULL; 68 STACK_OF(BIGNUM) *factors = NULL, *exps = NULL, *coeffs = NULL; 69 int is_private = 0; 70 71 if (rsa == NULL) 72 return 0; 73 74 param_n = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_N); 75 param_e = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_E); 76 if (include_private) 77 param_d = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_D); 78 79 if ((param_n != NULL && !OSSL_PARAM_get_BN(param_n, &n)) 80 || (param_e != NULL && !OSSL_PARAM_get_BN(param_e, &e)) 81 || (param_d != NULL && !OSSL_PARAM_get_BN(param_d, &d))) 82 goto err; 83 84 is_private = (d != NULL); 85 86 if (!RSA_set0_key(rsa, n, e, d)) 87 goto err; 88 n = e = d = NULL; 89 90 if (is_private) { 91 if (!collect_numbers(factors = sk_BIGNUM_new_null(), params, 92 ossl_rsa_mp_factor_names) 93 || !collect_numbers(exps = sk_BIGNUM_new_null(), params, 94 ossl_rsa_mp_exp_names) 95 || !collect_numbers(coeffs = sk_BIGNUM_new_null(), params, 96 ossl_rsa_mp_coeff_names)) 97 goto err; 98 99 /* It's ok if this private key just has n, e and d */ 100 if (sk_BIGNUM_num(factors) != 0 101 && !ossl_rsa_set0_all_params(rsa, factors, exps, coeffs)) 102 goto err; 103 } 104 105 106 sk_BIGNUM_free(factors); 107 sk_BIGNUM_free(exps); 108 sk_BIGNUM_free(coeffs); 109 return 1; 110 111 err: 112 BN_free(n); 113 BN_free(e); 114 BN_free(d); 115 sk_BIGNUM_pop_free(factors, BN_free); 116 sk_BIGNUM_pop_free(exps, BN_free); 117 sk_BIGNUM_pop_free(coeffs, BN_free); 118 return 0; 119} 120 121DEFINE_SPECIAL_STACK_OF_CONST(BIGNUM_const, BIGNUM) 122 123int ossl_rsa_todata(RSA *rsa, OSSL_PARAM_BLD *bld, OSSL_PARAM params[], 124 int include_private) 125{ 126 int ret = 0; 127 const BIGNUM *rsa_d = NULL, *rsa_n = NULL, *rsa_e = NULL; 128 STACK_OF(BIGNUM_const) *factors = sk_BIGNUM_const_new_null(); 129 STACK_OF(BIGNUM_const) *exps = sk_BIGNUM_const_new_null(); 130 STACK_OF(BIGNUM_const) *coeffs = sk_BIGNUM_const_new_null(); 131 132 if (rsa == NULL || factors == NULL || exps == NULL || coeffs == NULL) 133 goto err; 134 135 RSA_get0_key(rsa, &rsa_n, &rsa_e, &rsa_d); 136 ossl_rsa_get0_all_params(rsa, factors, exps, coeffs); 137 138 if (!ossl_param_build_set_bn(bld, params, OSSL_PKEY_PARAM_RSA_N, rsa_n) 139 || !ossl_param_build_set_bn(bld, params, OSSL_PKEY_PARAM_RSA_E, rsa_e)) 140 goto err; 141 142 /* Check private key data integrity */ 143 if (include_private && rsa_d != NULL) { 144 int numprimes = sk_BIGNUM_const_num(factors); 145 int numexps = sk_BIGNUM_const_num(exps); 146 int numcoeffs = sk_BIGNUM_const_num(coeffs); 147 148 /* 149 * It's permissible to have zero primes, i.e. no CRT params. 150 * Otherwise, there must be at least two, as many exponents, 151 * and one coefficient less. 152 */ 153 if (numprimes != 0 154 && (numprimes < 2 || numexps < 2 || numcoeffs < 1)) 155 goto err; 156 157 if (!ossl_param_build_set_bn(bld, params, OSSL_PKEY_PARAM_RSA_D, 158 rsa_d) 159 || !ossl_param_build_set_multi_key_bn(bld, params, 160 ossl_rsa_mp_factor_names, 161 factors) 162 || !ossl_param_build_set_multi_key_bn(bld, params, 163 ossl_rsa_mp_exp_names, exps) 164 || !ossl_param_build_set_multi_key_bn(bld, params, 165 ossl_rsa_mp_coeff_names, 166 coeffs)) 167 goto err; 168 } 169 170#if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS) 171 /* The acvp test results are not meant for export so check for bld == NULL */ 172 if (bld == NULL) 173 ossl_rsa_acvp_test_get_params(rsa, params); 174#endif 175 ret = 1; 176 err: 177 sk_BIGNUM_const_free(factors); 178 sk_BIGNUM_const_free(exps); 179 sk_BIGNUM_const_free(coeffs); 180 return ret; 181} 182 183int ossl_rsa_pss_params_30_todata(const RSA_PSS_PARAMS_30 *pss, 184 OSSL_PARAM_BLD *bld, OSSL_PARAM params[]) 185{ 186 if (!ossl_rsa_pss_params_30_is_unrestricted(pss)) { 187 int hashalg_nid = ossl_rsa_pss_params_30_hashalg(pss); 188 int maskgenalg_nid = ossl_rsa_pss_params_30_maskgenalg(pss); 189 int maskgenhashalg_nid = ossl_rsa_pss_params_30_maskgenhashalg(pss); 190 int saltlen = ossl_rsa_pss_params_30_saltlen(pss); 191 int default_hashalg_nid = ossl_rsa_pss_params_30_hashalg(NULL); 192 int default_maskgenalg_nid = ossl_rsa_pss_params_30_maskgenalg(NULL); 193 int default_maskgenhashalg_nid = 194 ossl_rsa_pss_params_30_maskgenhashalg(NULL); 195 const char *mdname = 196 (hashalg_nid == default_hashalg_nid 197 ? NULL : ossl_rsa_oaeppss_nid2name(hashalg_nid)); 198 const char *mgfname = 199 (maskgenalg_nid == default_maskgenalg_nid 200 ? NULL : ossl_rsa_oaeppss_nid2name(maskgenalg_nid)); 201 const char *mgf1mdname = 202 (maskgenhashalg_nid == default_maskgenhashalg_nid 203 ? NULL : ossl_rsa_oaeppss_nid2name(maskgenhashalg_nid)); 204 const char *key_md = OSSL_PKEY_PARAM_RSA_DIGEST; 205 const char *key_mgf = OSSL_PKEY_PARAM_RSA_MASKGENFUNC; 206 const char *key_mgf1_md = OSSL_PKEY_PARAM_RSA_MGF1_DIGEST; 207 const char *key_saltlen = OSSL_PKEY_PARAM_RSA_PSS_SALTLEN; 208 209 /* 210 * To ensure that the key isn't seen as unrestricted by the recipient, 211 * we make sure that at least one PSS-related parameter is passed, even 212 * if it has a default value; saltlen. 213 */ 214 if ((mdname != NULL 215 && !ossl_param_build_set_utf8_string(bld, params, key_md, mdname)) 216 || (mgfname != NULL 217 && !ossl_param_build_set_utf8_string(bld, params, 218 key_mgf, mgfname)) 219 || (mgf1mdname != NULL 220 && !ossl_param_build_set_utf8_string(bld, params, 221 key_mgf1_md, mgf1mdname)) 222 || (!ossl_param_build_set_int(bld, params, key_saltlen, saltlen))) 223 return 0; 224 } 225 return 1; 226} 227 228int ossl_rsa_pss_params_30_fromdata(RSA_PSS_PARAMS_30 *pss_params, 229 int *defaults_set, 230 const OSSL_PARAM params[], 231 OSSL_LIB_CTX *libctx) 232{ 233 const OSSL_PARAM *param_md, *param_mgf, *param_mgf1md, *param_saltlen; 234 const OSSL_PARAM *param_propq; 235 const char *propq = NULL; 236 EVP_MD *md = NULL, *mgf1md = NULL; 237 int saltlen; 238 int ret = 0; 239 240 if (pss_params == NULL) 241 return 0; 242 param_propq = 243 OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_DIGEST_PROPS); 244 param_md = 245 OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_DIGEST); 246 param_mgf = 247 OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_MASKGENFUNC); 248 param_mgf1md = 249 OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_MGF1_DIGEST); 250 param_saltlen = 251 OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_PSS_SALTLEN); 252 253 if (param_propq != NULL) { 254 if (param_propq->data_type == OSSL_PARAM_UTF8_STRING) 255 propq = param_propq->data; 256 } 257 /* 258 * If we get any of the parameters, we know we have at least some 259 * restrictions, so we start by setting default values, and let each 260 * parameter override their specific restriction data. 261 */ 262 if (!*defaults_set 263 && (param_md != NULL || param_mgf != NULL || param_mgf1md != NULL 264 || param_saltlen != NULL)) { 265 if (!ossl_rsa_pss_params_30_set_defaults(pss_params)) 266 return 0; 267 *defaults_set = 1; 268 } 269 270 if (param_mgf != NULL) { 271 int default_maskgenalg_nid = ossl_rsa_pss_params_30_maskgenalg(NULL); 272 const char *mgfname = NULL; 273 274 if (param_mgf->data_type == OSSL_PARAM_UTF8_STRING) 275 mgfname = param_mgf->data; 276 else if (!OSSL_PARAM_get_utf8_ptr(param_mgf, &mgfname)) 277 return 0; 278 279 if (OPENSSL_strcasecmp(param_mgf->data, 280 ossl_rsa_mgf_nid2name(default_maskgenalg_nid)) != 0) 281 return 0; 282 } 283 284 /* 285 * We're only interested in the NIDs that correspond to the MDs, so the 286 * exact propquery is unimportant in the EVP_MD_fetch() calls below. 287 */ 288 289 if (param_md != NULL) { 290 const char *mdname = NULL; 291 292 if (param_md->data_type == OSSL_PARAM_UTF8_STRING) 293 mdname = param_md->data; 294 else if (!OSSL_PARAM_get_utf8_ptr(param_mgf, &mdname)) 295 goto err; 296 297 if ((md = EVP_MD_fetch(libctx, mdname, propq)) == NULL 298 || !ossl_rsa_pss_params_30_set_hashalg(pss_params, 299 ossl_rsa_oaeppss_md2nid(md))) 300 goto err; 301 } 302 303 if (param_mgf1md != NULL) { 304 const char *mgf1mdname = NULL; 305 306 if (param_mgf1md->data_type == OSSL_PARAM_UTF8_STRING) 307 mgf1mdname = param_mgf1md->data; 308 else if (!OSSL_PARAM_get_utf8_ptr(param_mgf, &mgf1mdname)) 309 goto err; 310 311 if ((mgf1md = EVP_MD_fetch(libctx, mgf1mdname, propq)) == NULL 312 || !ossl_rsa_pss_params_30_set_maskgenhashalg( 313 pss_params, ossl_rsa_oaeppss_md2nid(mgf1md))) 314 goto err; 315 } 316 317 if (param_saltlen != NULL) { 318 if (!OSSL_PARAM_get_int(param_saltlen, &saltlen) 319 || !ossl_rsa_pss_params_30_set_saltlen(pss_params, saltlen)) 320 goto err; 321 } 322 323 ret = 1; 324 325 err: 326 EVP_MD_free(md); 327 EVP_MD_free(mgf1md); 328 return ret; 329} 330 331int ossl_rsa_is_foreign(const RSA *rsa) 332{ 333#ifndef FIPS_MODULE 334 if (rsa->engine != NULL || RSA_get_method(rsa) != RSA_PKCS1_OpenSSL()) 335 return 1; 336#endif 337 return 0; 338} 339 340static ossl_inline int rsa_bn_dup_check(BIGNUM **out, const BIGNUM *f) 341{ 342 if (f != NULL && (*out = BN_dup(f)) == NULL) 343 return 0; 344 return 1; 345} 346 347RSA *ossl_rsa_dup(const RSA *rsa, int selection) 348{ 349 RSA *dupkey = NULL; 350#ifndef FIPS_MODULE 351 int pnum, i; 352#endif 353 354 /* Do not try to duplicate foreign RSA keys */ 355 if (ossl_rsa_is_foreign(rsa)) 356 return NULL; 357 358 if ((dupkey = ossl_rsa_new_with_ctx(rsa->libctx)) == NULL) 359 return NULL; 360 361 /* public key */ 362 if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) { 363 if (!rsa_bn_dup_check(&dupkey->n, rsa->n)) 364 goto err; 365 if (!rsa_bn_dup_check(&dupkey->e, rsa->e)) 366 goto err; 367 } 368 369 if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) { 370 371 /* private key */ 372 if (!rsa_bn_dup_check(&dupkey->d, rsa->d)) 373 goto err; 374 375 /* factors and crt params */ 376 if (!rsa_bn_dup_check(&dupkey->p, rsa->p)) 377 goto err; 378 if (!rsa_bn_dup_check(&dupkey->q, rsa->q)) 379 goto err; 380 if (!rsa_bn_dup_check(&dupkey->dmp1, rsa->dmp1)) 381 goto err; 382 if (!rsa_bn_dup_check(&dupkey->dmq1, rsa->dmq1)) 383 goto err; 384 if (!rsa_bn_dup_check(&dupkey->iqmp, rsa->iqmp)) 385 goto err; 386 } 387 388 dupkey->version = rsa->version; 389 dupkey->flags = rsa->flags; 390 /* we always copy the PSS parameters regardless of selection */ 391 dupkey->pss_params = rsa->pss_params; 392 393#ifndef FIPS_MODULE 394 /* multiprime */ 395 if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0 396 && (pnum = sk_RSA_PRIME_INFO_num(rsa->prime_infos)) > 0) { 397 dupkey->prime_infos = sk_RSA_PRIME_INFO_new_reserve(NULL, pnum); 398 if (dupkey->prime_infos == NULL) 399 goto err; 400 for (i = 0; i < pnum; i++) { 401 const RSA_PRIME_INFO *pinfo = NULL; 402 RSA_PRIME_INFO *duppinfo = NULL; 403 404 if ((duppinfo = OPENSSL_zalloc(sizeof(*duppinfo))) == NULL) { 405 ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE); 406 goto err; 407 } 408 /* push first so cleanup in error case works */ 409 (void)sk_RSA_PRIME_INFO_push(dupkey->prime_infos, duppinfo); 410 411 pinfo = sk_RSA_PRIME_INFO_value(rsa->prime_infos, i); 412 if (!rsa_bn_dup_check(&duppinfo->r, pinfo->r)) 413 goto err; 414 if (!rsa_bn_dup_check(&duppinfo->d, pinfo->d)) 415 goto err; 416 if (!rsa_bn_dup_check(&duppinfo->t, pinfo->t)) 417 goto err; 418 } 419 if (!ossl_rsa_multip_calc_product(dupkey)) 420 goto err; 421 } 422 423 if (rsa->pss != NULL) { 424 dupkey->pss = RSA_PSS_PARAMS_dup(rsa->pss); 425 if (rsa->pss->maskGenAlgorithm != NULL 426 && dupkey->pss->maskGenAlgorithm == NULL) { 427 dupkey->pss->maskHash = ossl_x509_algor_mgf1_decode(rsa->pss->maskGenAlgorithm); 428 if (dupkey->pss->maskHash == NULL) 429 goto err; 430 } 431 } 432 if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_RSA, 433 &dupkey->ex_data, &rsa->ex_data)) 434 goto err; 435#endif 436 437 return dupkey; 438 439 err: 440 RSA_free(dupkey); 441 return NULL; 442} 443 444#ifndef FIPS_MODULE 445RSA_PSS_PARAMS *ossl_rsa_pss_decode(const X509_ALGOR *alg) 446{ 447 RSA_PSS_PARAMS *pss; 448 449 pss = ASN1_TYPE_unpack_sequence(ASN1_ITEM_rptr(RSA_PSS_PARAMS), 450 alg->parameter); 451 452 if (pss == NULL) 453 return NULL; 454 455 if (pss->maskGenAlgorithm != NULL) { 456 pss->maskHash = ossl_x509_algor_mgf1_decode(pss->maskGenAlgorithm); 457 if (pss->maskHash == NULL) { 458 RSA_PSS_PARAMS_free(pss); 459 return NULL; 460 } 461 } 462 463 return pss; 464} 465 466static int ossl_rsa_sync_to_pss_params_30(RSA *rsa) 467{ 468 const RSA_PSS_PARAMS *legacy_pss = NULL; 469 RSA_PSS_PARAMS_30 *pss = NULL; 470 471 if (rsa != NULL 472 && (legacy_pss = RSA_get0_pss_params(rsa)) != NULL 473 && (pss = ossl_rsa_get0_pss_params_30(rsa)) != NULL) { 474 const EVP_MD *md = NULL, *mgf1md = NULL; 475 int md_nid, mgf1md_nid, saltlen, trailerField; 476 RSA_PSS_PARAMS_30 pss_params; 477 478 /* 479 * We don't care about the validity of the fields here, we just 480 * want to synchronise values. Verifying here makes it impossible 481 * to even read a key with invalid values, making it hard to test 482 * a bad situation. 483 * 484 * Other routines use ossl_rsa_pss_get_param(), so the values will 485 * be checked, eventually. 486 */ 487 if (!ossl_rsa_pss_get_param_unverified(legacy_pss, &md, &mgf1md, 488 &saltlen, &trailerField)) 489 return 0; 490 md_nid = EVP_MD_get_type(md); 491 mgf1md_nid = EVP_MD_get_type(mgf1md); 492 if (!ossl_rsa_pss_params_30_set_defaults(&pss_params) 493 || !ossl_rsa_pss_params_30_set_hashalg(&pss_params, md_nid) 494 || !ossl_rsa_pss_params_30_set_maskgenhashalg(&pss_params, 495 mgf1md_nid) 496 || !ossl_rsa_pss_params_30_set_saltlen(&pss_params, saltlen) 497 || !ossl_rsa_pss_params_30_set_trailerfield(&pss_params, 498 trailerField)) 499 return 0; 500 *pss = pss_params; 501 } 502 return 1; 503} 504 505int ossl_rsa_pss_get_param_unverified(const RSA_PSS_PARAMS *pss, 506 const EVP_MD **pmd, const EVP_MD **pmgf1md, 507 int *psaltlen, int *ptrailerField) 508{ 509 RSA_PSS_PARAMS_30 pss_params; 510 511 /* Get the defaults from the ONE place */ 512 (void)ossl_rsa_pss_params_30_set_defaults(&pss_params); 513 514 if (pss == NULL) 515 return 0; 516 *pmd = ossl_x509_algor_get_md(pss->hashAlgorithm); 517 if (*pmd == NULL) 518 return 0; 519 *pmgf1md = ossl_x509_algor_get_md(pss->maskHash); 520 if (*pmgf1md == NULL) 521 return 0; 522 if (pss->saltLength) 523 *psaltlen = ASN1_INTEGER_get(pss->saltLength); 524 else 525 *psaltlen = ossl_rsa_pss_params_30_saltlen(&pss_params); 526 if (pss->trailerField) 527 *ptrailerField = ASN1_INTEGER_get(pss->trailerField); 528 else 529 *ptrailerField = ossl_rsa_pss_params_30_trailerfield(&pss_params);; 530 531 return 1; 532} 533 534int ossl_rsa_param_decode(RSA *rsa, const X509_ALGOR *alg) 535{ 536 RSA_PSS_PARAMS *pss; 537 const ASN1_OBJECT *algoid; 538 const void *algp; 539 int algptype; 540 541 X509_ALGOR_get0(&algoid, &algptype, &algp, alg); 542 if (OBJ_obj2nid(algoid) != EVP_PKEY_RSA_PSS) 543 return 1; 544 if (algptype == V_ASN1_UNDEF) 545 return 1; 546 if (algptype != V_ASN1_SEQUENCE) { 547 ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_PSS_PARAMETERS); 548 return 0; 549 } 550 if ((pss = ossl_rsa_pss_decode(alg)) == NULL 551 || !ossl_rsa_set0_pss_params(rsa, pss)) { 552 RSA_PSS_PARAMS_free(pss); 553 return 0; 554 } 555 if (!ossl_rsa_sync_to_pss_params_30(rsa)) 556 return 0; 557 return 1; 558} 559 560RSA *ossl_rsa_key_from_pkcs8(const PKCS8_PRIV_KEY_INFO *p8inf, 561 OSSL_LIB_CTX *libctx, const char *propq) 562{ 563 const unsigned char *p; 564 RSA *rsa; 565 int pklen; 566 const X509_ALGOR *alg; 567 568 if (!PKCS8_pkey_get0(NULL, &p, &pklen, &alg, p8inf)) 569 return 0; 570 rsa = d2i_RSAPrivateKey(NULL, &p, pklen); 571 if (rsa == NULL) { 572 ERR_raise(ERR_LIB_RSA, ERR_R_RSA_LIB); 573 return NULL; 574 } 575 if (!ossl_rsa_param_decode(rsa, alg)) { 576 RSA_free(rsa); 577 return NULL; 578 } 579 580 RSA_clear_flags(rsa, RSA_FLAG_TYPE_MASK); 581 switch (OBJ_obj2nid(alg->algorithm)) { 582 case EVP_PKEY_RSA: 583 RSA_set_flags(rsa, RSA_FLAG_TYPE_RSA); 584 break; 585 case EVP_PKEY_RSA_PSS: 586 RSA_set_flags(rsa, RSA_FLAG_TYPE_RSASSAPSS); 587 break; 588 default: 589 /* Leave the type bits zero */ 590 break; 591 } 592 593 return rsa; 594} 595#endif 596