Home | History | Annotate | Download | only in rsa
      1 /* Written by Dr Stephen N Henson (steve (at) openssl.org) for the OpenSSL
      2  * project 2000.
      3  */
      4 /* ====================================================================
      5  * Copyright (c) 2000-2005 The OpenSSL Project.  All rights reserved.
      6  *
      7  * Redistribution and use in source and binary forms, with or without
      8  * modification, are permitted provided that the following conditions
      9  * are met:
     10  *
     11  * 1. Redistributions of source code must retain the above copyright
     12  *    notice, this list of conditions and the following disclaimer.
     13  *
     14  * 2. Redistributions in binary form must reproduce the above copyright
     15  *    notice, this list of conditions and the following disclaimer in
     16  *    the documentation and/or other materials provided with the
     17  *    distribution.
     18  *
     19  * 3. All advertising materials mentioning features or use of this
     20  *    software must display the following acknowledgment:
     21  *    "This product includes software developed by the OpenSSL Project
     22  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
     23  *
     24  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
     25  *    endorse or promote products derived from this software without
     26  *    prior written permission. For written permission, please contact
     27  *    licensing (at) OpenSSL.org.
     28  *
     29  * 5. Products derived from this software may not be called "OpenSSL"
     30  *    nor may "OpenSSL" appear in their names without prior written
     31  *    permission of the OpenSSL Project.
     32  *
     33  * 6. Redistributions of any form whatsoever must retain the following
     34  *    acknowledgment:
     35  *    "This product includes software developed by the OpenSSL Project
     36  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
     37  *
     38  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
     39  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
     40  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
     41  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
     42  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
     43  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
     44  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
     45  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
     46  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
     47  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
     48  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
     49  * OF THE POSSIBILITY OF SUCH DAMAGE.
     50  * ====================================================================
     51  *
     52  * This product includes cryptographic software written by Eric Young
     53  * (eay (at) cryptsoft.com).  This product includes software written by Tim
     54  * Hudson (tjh (at) cryptsoft.com). */
     55 
     56 #include <openssl/rsa.h>
     57 
     58 #include <assert.h>
     59 #include <limits.h>
     60 #include <string.h>
     61 
     62 #include <openssl/asn1.h>
     63 #include <openssl/asn1t.h>
     64 #include <openssl/bn.h>
     65 #include <openssl/bytestring.h>
     66 #include <openssl/err.h>
     67 #include <openssl/mem.h>
     68 
     69 #include "internal.h"
     70 
     71 
     72 static int parse_integer_buggy(CBS *cbs, BIGNUM **out, int buggy) {
     73   assert(*out == NULL);
     74   *out = BN_new();
     75   if (*out == NULL) {
     76     return 0;
     77   }
     78   if (buggy) {
     79     return BN_cbs2unsigned_buggy(cbs, *out);
     80   }
     81   return BN_cbs2unsigned(cbs, *out);
     82 }
     83 
     84 static int parse_integer(CBS *cbs, BIGNUM **out) {
     85   return parse_integer_buggy(cbs, out, 0 /* not buggy */);
     86 }
     87 
     88 static int marshal_integer(CBB *cbb, BIGNUM *bn) {
     89   if (bn == NULL) {
     90     /* An RSA object may be missing some components. */
     91     OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING);
     92     return 0;
     93   }
     94   return BN_bn2cbb(cbb, bn);
     95 }
     96 
     97 static RSA *parse_public_key(CBS *cbs, int buggy) {
     98   RSA *ret = RSA_new();
     99   if (ret == NULL) {
    100     return NULL;
    101   }
    102   CBS child;
    103   if (!CBS_get_asn1(cbs, &child, CBS_ASN1_SEQUENCE) ||
    104       !parse_integer_buggy(&child, &ret->n, buggy) ||
    105       !parse_integer(&child, &ret->e) ||
    106       CBS_len(&child) != 0) {
    107     OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
    108     RSA_free(ret);
    109     return NULL;
    110   }
    111 
    112   if (!BN_is_odd(ret->e) ||
    113       BN_num_bits(ret->e) < 2) {
    114     OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_RSA_PARAMETERS);
    115     RSA_free(ret);
    116     return NULL;
    117   }
    118 
    119   return ret;
    120 }
    121 
    122 RSA *RSA_parse_public_key(CBS *cbs) {
    123   return parse_public_key(cbs, 0 /* not buggy */);
    124 }
    125 
    126 RSA *RSA_parse_public_key_buggy(CBS *cbs) {
    127   /* Estonian IDs issued between September 2014 to September 2015 are
    128    * broken. See https://crbug.com/532048 and https://crbug.com/534766.
    129    *
    130    * TODO(davidben): Remove this code and callers in March 2016. */
    131   return parse_public_key(cbs, 1 /* buggy */);
    132 }
    133 
    134 RSA *RSA_public_key_from_bytes(const uint8_t *in, size_t in_len) {
    135   CBS cbs;
    136   CBS_init(&cbs, in, in_len);
    137   RSA *ret = RSA_parse_public_key(&cbs);
    138   if (ret == NULL || CBS_len(&cbs) != 0) {
    139     OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
    140     RSA_free(ret);
    141     return NULL;
    142   }
    143   return ret;
    144 }
    145 
    146 int RSA_marshal_public_key(CBB *cbb, const RSA *rsa) {
    147   CBB child;
    148   if (!CBB_add_asn1(cbb, &child, CBS_ASN1_SEQUENCE) ||
    149       !marshal_integer(&child, rsa->n) ||
    150       !marshal_integer(&child, rsa->e) ||
    151       !CBB_flush(cbb)) {
    152     OPENSSL_PUT_ERROR(RSA, RSA_R_ENCODE_ERROR);
    153     return 0;
    154   }
    155   return 1;
    156 }
    157 
    158 int RSA_public_key_to_bytes(uint8_t **out_bytes, size_t *out_len,
    159                             const RSA *rsa) {
    160   CBB cbb;
    161   CBB_zero(&cbb);
    162   if (!CBB_init(&cbb, 0) ||
    163       !RSA_marshal_public_key(&cbb, rsa) ||
    164       !CBB_finish(&cbb, out_bytes, out_len)) {
    165     OPENSSL_PUT_ERROR(RSA, RSA_R_ENCODE_ERROR);
    166     CBB_cleanup(&cbb);
    167     return 0;
    168   }
    169   return 1;
    170 }
    171 
    172 /* kVersionTwoPrime and kVersionMulti are the supported values of the version
    173  * field of an RSAPrivateKey structure (RFC 3447). */
    174 static const uint64_t kVersionTwoPrime = 0;
    175 static const uint64_t kVersionMulti = 1;
    176 
    177 /* rsa_parse_additional_prime parses a DER-encoded OtherPrimeInfo from |cbs| and
    178  * advances |cbs|. It returns a newly-allocated |RSA_additional_prime| on
    179  * success or NULL on error. The |r| and |mont| fields of the result are set to
    180  * NULL. */
    181 static RSA_additional_prime *rsa_parse_additional_prime(CBS *cbs) {
    182   RSA_additional_prime *ret = OPENSSL_malloc(sizeof(RSA_additional_prime));
    183   if (ret == NULL) {
    184     OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
    185     return 0;
    186   }
    187   memset(ret, 0, sizeof(RSA_additional_prime));
    188 
    189   CBS child;
    190   if (!CBS_get_asn1(cbs, &child, CBS_ASN1_SEQUENCE) ||
    191       !parse_integer(&child, &ret->prime) ||
    192       !parse_integer(&child, &ret->exp) ||
    193       !parse_integer(&child, &ret->coeff) ||
    194       CBS_len(&child) != 0) {
    195     OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
    196     RSA_additional_prime_free(ret);
    197     return NULL;
    198   }
    199 
    200   return ret;
    201 }
    202 
    203 RSA *RSA_parse_private_key(CBS *cbs) {
    204   BN_CTX *ctx = NULL;
    205   BIGNUM *product_of_primes_so_far = NULL;
    206   RSA *ret = RSA_new();
    207   if (ret == NULL) {
    208     return NULL;
    209   }
    210 
    211   CBS child;
    212   uint64_t version;
    213   if (!CBS_get_asn1(cbs, &child, CBS_ASN1_SEQUENCE) ||
    214       !CBS_get_asn1_uint64(&child, &version)) {
    215     OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
    216     goto err;
    217   }
    218 
    219   if (version != kVersionTwoPrime && version != kVersionMulti) {
    220     OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_VERSION);
    221     goto err;
    222   }
    223 
    224   if (!parse_integer(&child, &ret->n) ||
    225       !parse_integer(&child, &ret->e) ||
    226       !parse_integer(&child, &ret->d) ||
    227       !parse_integer(&child, &ret->p) ||
    228       !parse_integer(&child, &ret->q) ||
    229       !parse_integer(&child, &ret->dmp1) ||
    230       !parse_integer(&child, &ret->dmq1) ||
    231       !parse_integer(&child, &ret->iqmp)) {
    232     goto err;
    233   }
    234 
    235   /* Multi-prime RSA requires a newer version. */
    236   if (version == kVersionMulti &&
    237       CBS_peek_asn1_tag(&child, CBS_ASN1_SEQUENCE)) {
    238     CBS other_prime_infos;
    239     if (!CBS_get_asn1(&child, &other_prime_infos, CBS_ASN1_SEQUENCE) ||
    240         CBS_len(&other_prime_infos) == 0) {
    241       OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
    242       goto err;
    243     }
    244     ret->additional_primes = sk_RSA_additional_prime_new_null();
    245     if (ret->additional_primes == NULL) {
    246       OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
    247       goto err;
    248     }
    249 
    250     ctx = BN_CTX_new();
    251     product_of_primes_so_far = BN_new();
    252     if (ctx == NULL ||
    253         product_of_primes_so_far == NULL ||
    254         !BN_mul(product_of_primes_so_far, ret->p, ret->q, ctx)) {
    255       goto err;
    256     }
    257 
    258     while (CBS_len(&other_prime_infos) > 0) {
    259       RSA_additional_prime *ap = rsa_parse_additional_prime(&other_prime_infos);
    260       if (ap == NULL) {
    261         goto err;
    262       }
    263       if (!sk_RSA_additional_prime_push(ret->additional_primes, ap)) {
    264         OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
    265         RSA_additional_prime_free(ap);
    266         goto err;
    267       }
    268       ap->r = BN_dup(product_of_primes_so_far);
    269       if (ap->r == NULL ||
    270           !BN_mul(product_of_primes_so_far, product_of_primes_so_far,
    271                   ap->prime, ctx)) {
    272         goto err;
    273       }
    274     }
    275   }
    276 
    277   if (CBS_len(&child) != 0) {
    278     OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
    279     goto err;
    280   }
    281 
    282   BN_CTX_free(ctx);
    283   BN_free(product_of_primes_so_far);
    284   return ret;
    285 
    286 err:
    287   BN_CTX_free(ctx);
    288   BN_free(product_of_primes_so_far);
    289   RSA_free(ret);
    290   return NULL;
    291 }
    292 
    293 RSA *RSA_private_key_from_bytes(const uint8_t *in, size_t in_len) {
    294   CBS cbs;
    295   CBS_init(&cbs, in, in_len);
    296   RSA *ret = RSA_parse_private_key(&cbs);
    297   if (ret == NULL || CBS_len(&cbs) != 0) {
    298     OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
    299     RSA_free(ret);
    300     return NULL;
    301   }
    302   return ret;
    303 }
    304 
    305 int RSA_marshal_private_key(CBB *cbb, const RSA *rsa) {
    306   const int is_multiprime =
    307       sk_RSA_additional_prime_num(rsa->additional_primes) > 0;
    308 
    309   CBB child;
    310   if (!CBB_add_asn1(cbb, &child, CBS_ASN1_SEQUENCE) ||
    311       !CBB_add_asn1_uint64(&child,
    312                            is_multiprime ? kVersionMulti : kVersionTwoPrime) ||
    313       !marshal_integer(&child, rsa->n) ||
    314       !marshal_integer(&child, rsa->e) ||
    315       !marshal_integer(&child, rsa->d) ||
    316       !marshal_integer(&child, rsa->p) ||
    317       !marshal_integer(&child, rsa->q) ||
    318       !marshal_integer(&child, rsa->dmp1) ||
    319       !marshal_integer(&child, rsa->dmq1) ||
    320       !marshal_integer(&child, rsa->iqmp)) {
    321     OPENSSL_PUT_ERROR(RSA, RSA_R_ENCODE_ERROR);
    322     return 0;
    323   }
    324 
    325   if (is_multiprime) {
    326     CBB other_prime_infos;
    327     if (!CBB_add_asn1(&child, &other_prime_infos, CBS_ASN1_SEQUENCE)) {
    328       OPENSSL_PUT_ERROR(RSA, RSA_R_ENCODE_ERROR);
    329       return 0;
    330     }
    331     size_t i;
    332     for (i = 0; i < sk_RSA_additional_prime_num(rsa->additional_primes); i++) {
    333       RSA_additional_prime *ap =
    334               sk_RSA_additional_prime_value(rsa->additional_primes, i);
    335       CBB other_prime_info;
    336       if (!CBB_add_asn1(&other_prime_infos, &other_prime_info,
    337                         CBS_ASN1_SEQUENCE) ||
    338           !marshal_integer(&other_prime_info, ap->prime) ||
    339           !marshal_integer(&other_prime_info, ap->exp) ||
    340           !marshal_integer(&other_prime_info, ap->coeff)) {
    341         OPENSSL_PUT_ERROR(RSA, RSA_R_ENCODE_ERROR);
    342         return 0;
    343       }
    344     }
    345   }
    346 
    347   if (!CBB_flush(cbb)) {
    348     OPENSSL_PUT_ERROR(RSA, RSA_R_ENCODE_ERROR);
    349     return 0;
    350   }
    351   return 1;
    352 }
    353 
    354 int RSA_private_key_to_bytes(uint8_t **out_bytes, size_t *out_len,
    355                              const RSA *rsa) {
    356   CBB cbb;
    357   CBB_zero(&cbb);
    358   if (!CBB_init(&cbb, 0) ||
    359       !RSA_marshal_private_key(&cbb, rsa) ||
    360       !CBB_finish(&cbb, out_bytes, out_len)) {
    361     OPENSSL_PUT_ERROR(RSA, RSA_R_ENCODE_ERROR);
    362     CBB_cleanup(&cbb);
    363     return 0;
    364   }
    365   return 1;
    366 }
    367 
    368 RSA *d2i_RSAPublicKey(RSA **out, const uint8_t **inp, long len) {
    369   if (len < 0) {
    370     return NULL;
    371   }
    372   CBS cbs;
    373   CBS_init(&cbs, *inp, (size_t)len);
    374   RSA *ret = RSA_parse_public_key(&cbs);
    375   if (ret == NULL) {
    376     return NULL;
    377   }
    378   if (out != NULL) {
    379     RSA_free(*out);
    380     *out = ret;
    381   }
    382   *inp += (size_t)len - CBS_len(&cbs);
    383   return ret;
    384 }
    385 
    386 int i2d_RSAPublicKey(const RSA *in, uint8_t **outp) {
    387   uint8_t *der;
    388   size_t der_len;
    389   if (!RSA_public_key_to_bytes(&der, &der_len, in)) {
    390     return -1;
    391   }
    392   if (der_len > INT_MAX) {
    393     OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW);
    394     OPENSSL_free(der);
    395     return -1;
    396   }
    397   if (outp != NULL) {
    398     if (*outp == NULL) {
    399       *outp = der;
    400       der = NULL;
    401     } else {
    402       memcpy(*outp, der, der_len);
    403       *outp += der_len;
    404     }
    405   }
    406   OPENSSL_free(der);
    407   return (int)der_len;
    408 }
    409 
    410 RSA *d2i_RSAPrivateKey(RSA **out, const uint8_t **inp, long len) {
    411   if (len < 0) {
    412     return NULL;
    413   }
    414   CBS cbs;
    415   CBS_init(&cbs, *inp, (size_t)len);
    416   RSA *ret = RSA_parse_private_key(&cbs);
    417   if (ret == NULL) {
    418     return NULL;
    419   }
    420   if (out != NULL) {
    421     RSA_free(*out);
    422     *out = ret;
    423   }
    424   *inp += (size_t)len - CBS_len(&cbs);
    425   return ret;
    426 }
    427 
    428 int i2d_RSAPrivateKey(const RSA *in, uint8_t **outp) {
    429   uint8_t *der;
    430   size_t der_len;
    431   if (!RSA_private_key_to_bytes(&der, &der_len, in)) {
    432     return -1;
    433   }
    434   if (der_len > INT_MAX) {
    435     OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW);
    436     OPENSSL_free(der);
    437     return -1;
    438   }
    439   if (outp != NULL) {
    440     if (*outp == NULL) {
    441       *outp = der;
    442       der = NULL;
    443     } else {
    444       memcpy(*outp, der, der_len);
    445       *outp += der_len;
    446     }
    447   }
    448   OPENSSL_free(der);
    449   return (int)der_len;
    450 }
    451 
    452 ASN1_SEQUENCE(RSA_PSS_PARAMS) = {
    453   ASN1_EXP_OPT(RSA_PSS_PARAMS, hashAlgorithm, X509_ALGOR,0),
    454   ASN1_EXP_OPT(RSA_PSS_PARAMS, maskGenAlgorithm, X509_ALGOR,1),
    455   ASN1_EXP_OPT(RSA_PSS_PARAMS, saltLength, ASN1_INTEGER,2),
    456   ASN1_EXP_OPT(RSA_PSS_PARAMS, trailerField, ASN1_INTEGER,3),
    457 } ASN1_SEQUENCE_END(RSA_PSS_PARAMS);
    458 
    459 IMPLEMENT_ASN1_FUNCTIONS(RSA_PSS_PARAMS);
    460 
    461 RSA *RSAPublicKey_dup(const RSA *rsa) {
    462   uint8_t *der;
    463   size_t der_len;
    464   if (!RSA_public_key_to_bytes(&der, &der_len, rsa)) {
    465     return NULL;
    466   }
    467   RSA *ret = RSA_public_key_from_bytes(der, der_len);
    468   OPENSSL_free(der);
    469   return ret;
    470 }
    471 
    472 RSA *RSAPrivateKey_dup(const RSA *rsa) {
    473   uint8_t *der;
    474   size_t der_len;
    475   if (!RSA_private_key_to_bytes(&der, &der_len, rsa)) {
    476     return NULL;
    477   }
    478   RSA *ret = RSA_private_key_from_bytes(der, der_len);
    479   OPENSSL_free(der);
    480   return ret;
    481 }
    482