1 /* Written by Dr Stephen N Henson (steve (at) openssl.org) for the OpenSSL 2 * project 2000. 3 */ 4 /* ==================================================================== 5 * Copyright (c) 2000-2005 The OpenSSL Project. All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in 16 * the documentation and/or other materials provided with the 17 * distribution. 18 * 19 * 3. All advertising materials mentioning features or use of this 20 * software must display the following acknowledgment: 21 * "This product includes software developed by the OpenSSL Project 22 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 23 * 24 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 25 * endorse or promote products derived from this software without 26 * prior written permission. For written permission, please contact 27 * licensing (at) OpenSSL.org. 28 * 29 * 5. Products derived from this software may not be called "OpenSSL" 30 * nor may "OpenSSL" appear in their names without prior written 31 * permission of the OpenSSL Project. 32 * 33 * 6. Redistributions of any form whatsoever must retain the following 34 * acknowledgment: 35 * "This product includes software developed by the OpenSSL Project 36 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 37 * 38 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 39 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 40 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 41 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 42 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 43 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 44 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 45 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 46 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 47 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 48 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 49 * OF THE POSSIBILITY OF SUCH DAMAGE. 50 * ==================================================================== 51 * 52 * This product includes cryptographic software written by Eric Young 53 * (eay (at) cryptsoft.com). This product includes software written by Tim 54 * Hudson (tjh (at) cryptsoft.com). */ 55 56 #include <openssl/rsa.h> 57 58 #include <assert.h> 59 #include <limits.h> 60 #include <string.h> 61 62 #include <openssl/asn1.h> 63 #include <openssl/asn1t.h> 64 #include <openssl/bn.h> 65 #include <openssl/bytestring.h> 66 #include <openssl/err.h> 67 #include <openssl/mem.h> 68 69 #include "internal.h" 70 71 72 static int parse_integer_buggy(CBS *cbs, BIGNUM **out, int buggy) { 73 assert(*out == NULL); 74 *out = BN_new(); 75 if (*out == NULL) { 76 return 0; 77 } 78 if (buggy) { 79 return BN_cbs2unsigned_buggy(cbs, *out); 80 } 81 return BN_cbs2unsigned(cbs, *out); 82 } 83 84 static int parse_integer(CBS *cbs, BIGNUM **out) { 85 return parse_integer_buggy(cbs, out, 0 /* not buggy */); 86 } 87 88 static int marshal_integer(CBB *cbb, BIGNUM *bn) { 89 if (bn == NULL) { 90 /* An RSA object may be missing some components. */ 91 OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING); 92 return 0; 93 } 94 return BN_bn2cbb(cbb, bn); 95 } 96 97 static RSA *parse_public_key(CBS *cbs, int buggy) { 98 RSA *ret = RSA_new(); 99 if (ret == NULL) { 100 return NULL; 101 } 102 CBS child; 103 if (!CBS_get_asn1(cbs, &child, CBS_ASN1_SEQUENCE) || 104 !parse_integer_buggy(&child, &ret->n, buggy) || 105 !parse_integer(&child, &ret->e) || 106 CBS_len(&child) != 0) { 107 OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING); 108 RSA_free(ret); 109 return NULL; 110 } 111 112 if (!BN_is_odd(ret->e) || 113 BN_num_bits(ret->e) < 2) { 114 OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_RSA_PARAMETERS); 115 RSA_free(ret); 116 return NULL; 117 } 118 119 return ret; 120 } 121 122 RSA *RSA_parse_public_key(CBS *cbs) { 123 return parse_public_key(cbs, 0 /* not buggy */); 124 } 125 126 RSA *RSA_parse_public_key_buggy(CBS *cbs) { 127 /* Estonian IDs issued between September 2014 to September 2015 are 128 * broken. See https://crbug.com/532048 and https://crbug.com/534766. 129 * 130 * TODO(davidben): Remove this code and callers in March 2016. */ 131 return parse_public_key(cbs, 1 /* buggy */); 132 } 133 134 RSA *RSA_public_key_from_bytes(const uint8_t *in, size_t in_len) { 135 CBS cbs; 136 CBS_init(&cbs, in, in_len); 137 RSA *ret = RSA_parse_public_key(&cbs); 138 if (ret == NULL || CBS_len(&cbs) != 0) { 139 OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING); 140 RSA_free(ret); 141 return NULL; 142 } 143 return ret; 144 } 145 146 int RSA_marshal_public_key(CBB *cbb, const RSA *rsa) { 147 CBB child; 148 if (!CBB_add_asn1(cbb, &child, CBS_ASN1_SEQUENCE) || 149 !marshal_integer(&child, rsa->n) || 150 !marshal_integer(&child, rsa->e) || 151 !CBB_flush(cbb)) { 152 OPENSSL_PUT_ERROR(RSA, RSA_R_ENCODE_ERROR); 153 return 0; 154 } 155 return 1; 156 } 157 158 int RSA_public_key_to_bytes(uint8_t **out_bytes, size_t *out_len, 159 const RSA *rsa) { 160 CBB cbb; 161 CBB_zero(&cbb); 162 if (!CBB_init(&cbb, 0) || 163 !RSA_marshal_public_key(&cbb, rsa) || 164 !CBB_finish(&cbb, out_bytes, out_len)) { 165 OPENSSL_PUT_ERROR(RSA, RSA_R_ENCODE_ERROR); 166 CBB_cleanup(&cbb); 167 return 0; 168 } 169 return 1; 170 } 171 172 /* kVersionTwoPrime and kVersionMulti are the supported values of the version 173 * field of an RSAPrivateKey structure (RFC 3447). */ 174 static const uint64_t kVersionTwoPrime = 0; 175 static const uint64_t kVersionMulti = 1; 176 177 /* rsa_parse_additional_prime parses a DER-encoded OtherPrimeInfo from |cbs| and 178 * advances |cbs|. It returns a newly-allocated |RSA_additional_prime| on 179 * success or NULL on error. The |r| and |mont| fields of the result are set to 180 * NULL. */ 181 static RSA_additional_prime *rsa_parse_additional_prime(CBS *cbs) { 182 RSA_additional_prime *ret = OPENSSL_malloc(sizeof(RSA_additional_prime)); 183 if (ret == NULL) { 184 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE); 185 return 0; 186 } 187 memset(ret, 0, sizeof(RSA_additional_prime)); 188 189 CBS child; 190 if (!CBS_get_asn1(cbs, &child, CBS_ASN1_SEQUENCE) || 191 !parse_integer(&child, &ret->prime) || 192 !parse_integer(&child, &ret->exp) || 193 !parse_integer(&child, &ret->coeff) || 194 CBS_len(&child) != 0) { 195 OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING); 196 RSA_additional_prime_free(ret); 197 return NULL; 198 } 199 200 return ret; 201 } 202 203 RSA *RSA_parse_private_key(CBS *cbs) { 204 BN_CTX *ctx = NULL; 205 BIGNUM *product_of_primes_so_far = NULL; 206 RSA *ret = RSA_new(); 207 if (ret == NULL) { 208 return NULL; 209 } 210 211 CBS child; 212 uint64_t version; 213 if (!CBS_get_asn1(cbs, &child, CBS_ASN1_SEQUENCE) || 214 !CBS_get_asn1_uint64(&child, &version)) { 215 OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING); 216 goto err; 217 } 218 219 if (version != kVersionTwoPrime && version != kVersionMulti) { 220 OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_VERSION); 221 goto err; 222 } 223 224 if (!parse_integer(&child, &ret->n) || 225 !parse_integer(&child, &ret->e) || 226 !parse_integer(&child, &ret->d) || 227 !parse_integer(&child, &ret->p) || 228 !parse_integer(&child, &ret->q) || 229 !parse_integer(&child, &ret->dmp1) || 230 !parse_integer(&child, &ret->dmq1) || 231 !parse_integer(&child, &ret->iqmp)) { 232 goto err; 233 } 234 235 /* Multi-prime RSA requires a newer version. */ 236 if (version == kVersionMulti && 237 CBS_peek_asn1_tag(&child, CBS_ASN1_SEQUENCE)) { 238 CBS other_prime_infos; 239 if (!CBS_get_asn1(&child, &other_prime_infos, CBS_ASN1_SEQUENCE) || 240 CBS_len(&other_prime_infos) == 0) { 241 OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING); 242 goto err; 243 } 244 ret->additional_primes = sk_RSA_additional_prime_new_null(); 245 if (ret->additional_primes == NULL) { 246 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE); 247 goto err; 248 } 249 250 ctx = BN_CTX_new(); 251 product_of_primes_so_far = BN_new(); 252 if (ctx == NULL || 253 product_of_primes_so_far == NULL || 254 !BN_mul(product_of_primes_so_far, ret->p, ret->q, ctx)) { 255 goto err; 256 } 257 258 while (CBS_len(&other_prime_infos) > 0) { 259 RSA_additional_prime *ap = rsa_parse_additional_prime(&other_prime_infos); 260 if (ap == NULL) { 261 goto err; 262 } 263 if (!sk_RSA_additional_prime_push(ret->additional_primes, ap)) { 264 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE); 265 RSA_additional_prime_free(ap); 266 goto err; 267 } 268 ap->r = BN_dup(product_of_primes_so_far); 269 if (ap->r == NULL || 270 !BN_mul(product_of_primes_so_far, product_of_primes_so_far, 271 ap->prime, ctx)) { 272 goto err; 273 } 274 } 275 } 276 277 if (CBS_len(&child) != 0) { 278 OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING); 279 goto err; 280 } 281 282 BN_CTX_free(ctx); 283 BN_free(product_of_primes_so_far); 284 return ret; 285 286 err: 287 BN_CTX_free(ctx); 288 BN_free(product_of_primes_so_far); 289 RSA_free(ret); 290 return NULL; 291 } 292 293 RSA *RSA_private_key_from_bytes(const uint8_t *in, size_t in_len) { 294 CBS cbs; 295 CBS_init(&cbs, in, in_len); 296 RSA *ret = RSA_parse_private_key(&cbs); 297 if (ret == NULL || CBS_len(&cbs) != 0) { 298 OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING); 299 RSA_free(ret); 300 return NULL; 301 } 302 return ret; 303 } 304 305 int RSA_marshal_private_key(CBB *cbb, const RSA *rsa) { 306 const int is_multiprime = 307 sk_RSA_additional_prime_num(rsa->additional_primes) > 0; 308 309 CBB child; 310 if (!CBB_add_asn1(cbb, &child, CBS_ASN1_SEQUENCE) || 311 !CBB_add_asn1_uint64(&child, 312 is_multiprime ? kVersionMulti : kVersionTwoPrime) || 313 !marshal_integer(&child, rsa->n) || 314 !marshal_integer(&child, rsa->e) || 315 !marshal_integer(&child, rsa->d) || 316 !marshal_integer(&child, rsa->p) || 317 !marshal_integer(&child, rsa->q) || 318 !marshal_integer(&child, rsa->dmp1) || 319 !marshal_integer(&child, rsa->dmq1) || 320 !marshal_integer(&child, rsa->iqmp)) { 321 OPENSSL_PUT_ERROR(RSA, RSA_R_ENCODE_ERROR); 322 return 0; 323 } 324 325 if (is_multiprime) { 326 CBB other_prime_infos; 327 if (!CBB_add_asn1(&child, &other_prime_infos, CBS_ASN1_SEQUENCE)) { 328 OPENSSL_PUT_ERROR(RSA, RSA_R_ENCODE_ERROR); 329 return 0; 330 } 331 size_t i; 332 for (i = 0; i < sk_RSA_additional_prime_num(rsa->additional_primes); i++) { 333 RSA_additional_prime *ap = 334 sk_RSA_additional_prime_value(rsa->additional_primes, i); 335 CBB other_prime_info; 336 if (!CBB_add_asn1(&other_prime_infos, &other_prime_info, 337 CBS_ASN1_SEQUENCE) || 338 !marshal_integer(&other_prime_info, ap->prime) || 339 !marshal_integer(&other_prime_info, ap->exp) || 340 !marshal_integer(&other_prime_info, ap->coeff)) { 341 OPENSSL_PUT_ERROR(RSA, RSA_R_ENCODE_ERROR); 342 return 0; 343 } 344 } 345 } 346 347 if (!CBB_flush(cbb)) { 348 OPENSSL_PUT_ERROR(RSA, RSA_R_ENCODE_ERROR); 349 return 0; 350 } 351 return 1; 352 } 353 354 int RSA_private_key_to_bytes(uint8_t **out_bytes, size_t *out_len, 355 const RSA *rsa) { 356 CBB cbb; 357 CBB_zero(&cbb); 358 if (!CBB_init(&cbb, 0) || 359 !RSA_marshal_private_key(&cbb, rsa) || 360 !CBB_finish(&cbb, out_bytes, out_len)) { 361 OPENSSL_PUT_ERROR(RSA, RSA_R_ENCODE_ERROR); 362 CBB_cleanup(&cbb); 363 return 0; 364 } 365 return 1; 366 } 367 368 RSA *d2i_RSAPublicKey(RSA **out, const uint8_t **inp, long len) { 369 if (len < 0) { 370 return NULL; 371 } 372 CBS cbs; 373 CBS_init(&cbs, *inp, (size_t)len); 374 RSA *ret = RSA_parse_public_key(&cbs); 375 if (ret == NULL) { 376 return NULL; 377 } 378 if (out != NULL) { 379 RSA_free(*out); 380 *out = ret; 381 } 382 *inp += (size_t)len - CBS_len(&cbs); 383 return ret; 384 } 385 386 int i2d_RSAPublicKey(const RSA *in, uint8_t **outp) { 387 uint8_t *der; 388 size_t der_len; 389 if (!RSA_public_key_to_bytes(&der, &der_len, in)) { 390 return -1; 391 } 392 if (der_len > INT_MAX) { 393 OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW); 394 OPENSSL_free(der); 395 return -1; 396 } 397 if (outp != NULL) { 398 if (*outp == NULL) { 399 *outp = der; 400 der = NULL; 401 } else { 402 memcpy(*outp, der, der_len); 403 *outp += der_len; 404 } 405 } 406 OPENSSL_free(der); 407 return (int)der_len; 408 } 409 410 RSA *d2i_RSAPrivateKey(RSA **out, const uint8_t **inp, long len) { 411 if (len < 0) { 412 return NULL; 413 } 414 CBS cbs; 415 CBS_init(&cbs, *inp, (size_t)len); 416 RSA *ret = RSA_parse_private_key(&cbs); 417 if (ret == NULL) { 418 return NULL; 419 } 420 if (out != NULL) { 421 RSA_free(*out); 422 *out = ret; 423 } 424 *inp += (size_t)len - CBS_len(&cbs); 425 return ret; 426 } 427 428 int i2d_RSAPrivateKey(const RSA *in, uint8_t **outp) { 429 uint8_t *der; 430 size_t der_len; 431 if (!RSA_private_key_to_bytes(&der, &der_len, in)) { 432 return -1; 433 } 434 if (der_len > INT_MAX) { 435 OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW); 436 OPENSSL_free(der); 437 return -1; 438 } 439 if (outp != NULL) { 440 if (*outp == NULL) { 441 *outp = der; 442 der = NULL; 443 } else { 444 memcpy(*outp, der, der_len); 445 *outp += der_len; 446 } 447 } 448 OPENSSL_free(der); 449 return (int)der_len; 450 } 451 452 ASN1_SEQUENCE(RSA_PSS_PARAMS) = { 453 ASN1_EXP_OPT(RSA_PSS_PARAMS, hashAlgorithm, X509_ALGOR,0), 454 ASN1_EXP_OPT(RSA_PSS_PARAMS, maskGenAlgorithm, X509_ALGOR,1), 455 ASN1_EXP_OPT(RSA_PSS_PARAMS, saltLength, ASN1_INTEGER,2), 456 ASN1_EXP_OPT(RSA_PSS_PARAMS, trailerField, ASN1_INTEGER,3), 457 } ASN1_SEQUENCE_END(RSA_PSS_PARAMS); 458 459 IMPLEMENT_ASN1_FUNCTIONS(RSA_PSS_PARAMS); 460 461 RSA *RSAPublicKey_dup(const RSA *rsa) { 462 uint8_t *der; 463 size_t der_len; 464 if (!RSA_public_key_to_bytes(&der, &der_len, rsa)) { 465 return NULL; 466 } 467 RSA *ret = RSA_public_key_from_bytes(der, der_len); 468 OPENSSL_free(der); 469 return ret; 470 } 471 472 RSA *RSAPrivateKey_dup(const RSA *rsa) { 473 uint8_t *der; 474 size_t der_len; 475 if (!RSA_private_key_to_bytes(&der, &der_len, rsa)) { 476 return NULL; 477 } 478 RSA *ret = RSA_private_key_from_bytes(der, der_len); 479 OPENSSL_free(der); 480 return ret; 481 } 482
