1 /* Written by Dr Stephen N Henson (steve (at) openssl.org) for the OpenSSL 2 * project 2000. 3 */ 4 /* ==================================================================== 5 * Copyright (c) 2000-2005 The OpenSSL Project. All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in 16 * the documentation and/or other materials provided with the 17 * distribution. 18 * 19 * 3. All advertising materials mentioning features or use of this 20 * software must display the following acknowledgment: 21 * "This product includes software developed by the OpenSSL Project 22 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 23 * 24 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 25 * endorse or promote products derived from this software without 26 * prior written permission. For written permission, please contact 27 * licensing (at) OpenSSL.org. 28 * 29 * 5. Products derived from this software may not be called "OpenSSL" 30 * nor may "OpenSSL" appear in their names without prior written 31 * permission of the OpenSSL Project. 32 * 33 * 6. Redistributions of any form whatsoever must retain the following 34 * acknowledgment: 35 * "This product includes software developed by the OpenSSL Project 36 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 37 * 38 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 39 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 40 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 41 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 42 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 43 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 44 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 45 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 46 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 47 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 48 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 49 * OF THE POSSIBILITY OF SUCH DAMAGE. 50 * ==================================================================== 51 * 52 * This product includes cryptographic software written by Eric Young 53 * (eay (at) cryptsoft.com). This product includes software written by Tim 54 * Hudson (tjh (at) cryptsoft.com). */ 55 56 #include <openssl/rsa.h> 57 58 #include <assert.h> 59 #include <limits.h> 60 #include <string.h> 61 62 #include <openssl/bn.h> 63 #include <openssl/bytestring.h> 64 #include <openssl/err.h> 65 #include <openssl/mem.h> 66 67 #include "internal.h" 68 #include "../bytestring/internal.h" 69 #include "../internal.h" 70 71 72 static int parse_integer_buggy(CBS *cbs, BIGNUM **out, int buggy) { 73 assert(*out == NULL); 74 *out = BN_new(); 75 if (*out == NULL) { 76 return 0; 77 } 78 if (buggy) { 79 return BN_parse_asn1_unsigned_buggy(cbs, *out); 80 } 81 return BN_parse_asn1_unsigned(cbs, *out); 82 } 83 84 static int parse_integer(CBS *cbs, BIGNUM **out) { 85 return parse_integer_buggy(cbs, out, 0 /* not buggy */); 86 } 87 88 static int marshal_integer(CBB *cbb, BIGNUM *bn) { 89 if (bn == NULL) { 90 /* An RSA object may be missing some components. */ 91 OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING); 92 return 0; 93 } 94 return BN_marshal_asn1(cbb, bn); 95 } 96 97 static RSA *parse_public_key(CBS *cbs, int buggy) { 98 RSA *ret = RSA_new(); 99 if (ret == NULL) { 100 return NULL; 101 } 102 CBS child; 103 if (!CBS_get_asn1(cbs, &child, CBS_ASN1_SEQUENCE) || 104 !parse_integer_buggy(&child, &ret->n, buggy) || 105 !parse_integer(&child, &ret->e) || 106 CBS_len(&child) != 0) { 107 OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING); 108 RSA_free(ret); 109 return NULL; 110 } 111 112 if (!BN_is_odd(ret->e) || 113 BN_num_bits(ret->e) < 2) { 114 OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_RSA_PARAMETERS); 115 RSA_free(ret); 116 return NULL; 117 } 118 119 return ret; 120 } 121 122 RSA *RSA_parse_public_key(CBS *cbs) { 123 return parse_public_key(cbs, 0 /* not buggy */); 124 } 125 126 RSA *RSA_parse_public_key_buggy(CBS *cbs) { 127 /* Estonian IDs issued between September 2014 to September 2015 are 128 * broken. See https://crbug.com/532048 and https://crbug.com/534766. 129 * 130 * TODO(davidben): Remove this code and callers in March 2016. */ 131 return parse_public_key(cbs, 1 /* buggy */); 132 } 133 134 RSA *RSA_public_key_from_bytes(const uint8_t *in, size_t in_len) { 135 CBS cbs; 136 CBS_init(&cbs, in, in_len); 137 RSA *ret = RSA_parse_public_key(&cbs); 138 if (ret == NULL || CBS_len(&cbs) != 0) { 139 OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING); 140 RSA_free(ret); 141 return NULL; 142 } 143 return ret; 144 } 145 146 int RSA_marshal_public_key(CBB *cbb, const RSA *rsa) { 147 CBB child; 148 if (!CBB_add_asn1(cbb, &child, CBS_ASN1_SEQUENCE) || 149 !marshal_integer(&child, rsa->n) || 150 !marshal_integer(&child, rsa->e) || 151 !CBB_flush(cbb)) { 152 OPENSSL_PUT_ERROR(RSA, RSA_R_ENCODE_ERROR); 153 return 0; 154 } 155 return 1; 156 } 157 158 int RSA_public_key_to_bytes(uint8_t **out_bytes, size_t *out_len, 159 const RSA *rsa) { 160 CBB cbb; 161 CBB_zero(&cbb); 162 if (!CBB_init(&cbb, 0) || 163 !RSA_marshal_public_key(&cbb, rsa) || 164 !CBB_finish(&cbb, out_bytes, out_len)) { 165 OPENSSL_PUT_ERROR(RSA, RSA_R_ENCODE_ERROR); 166 CBB_cleanup(&cbb); 167 return 0; 168 } 169 return 1; 170 } 171 172 /* kVersionTwoPrime and kVersionMulti are the supported values of the version 173 * field of an RSAPrivateKey structure (RFC 3447). */ 174 static const uint64_t kVersionTwoPrime = 0; 175 static const uint64_t kVersionMulti = 1; 176 177 /* rsa_parse_additional_prime parses a DER-encoded OtherPrimeInfo from |cbs| and 178 * advances |cbs|. It returns a newly-allocated |RSA_additional_prime| on 179 * success or NULL on error. The |r| and |mont| fields of the result are set to 180 * NULL. */ 181 static RSA_additional_prime *rsa_parse_additional_prime(CBS *cbs) { 182 RSA_additional_prime *ret = OPENSSL_malloc(sizeof(RSA_additional_prime)); 183 if (ret == NULL) { 184 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE); 185 return 0; 186 } 187 OPENSSL_memset(ret, 0, sizeof(RSA_additional_prime)); 188 189 CBS child; 190 if (!CBS_get_asn1(cbs, &child, CBS_ASN1_SEQUENCE) || 191 !parse_integer(&child, &ret->prime) || 192 !parse_integer(&child, &ret->exp) || 193 !parse_integer(&child, &ret->coeff) || 194 CBS_len(&child) != 0) { 195 OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING); 196 RSA_additional_prime_free(ret); 197 return NULL; 198 } 199 200 return ret; 201 } 202 203 RSA *RSA_parse_private_key(CBS *cbs) { 204 BN_CTX *ctx = NULL; 205 BIGNUM *product_of_primes_so_far = NULL; 206 RSA *ret = RSA_new(); 207 if (ret == NULL) { 208 return NULL; 209 } 210 211 CBS child; 212 uint64_t version; 213 if (!CBS_get_asn1(cbs, &child, CBS_ASN1_SEQUENCE) || 214 !CBS_get_asn1_uint64(&child, &version)) { 215 OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING); 216 goto err; 217 } 218 219 if (version != kVersionTwoPrime && version != kVersionMulti) { 220 OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_VERSION); 221 goto err; 222 } 223 224 if (!parse_integer(&child, &ret->n) || 225 !parse_integer(&child, &ret->e) || 226 !parse_integer(&child, &ret->d) || 227 !parse_integer(&child, &ret->p) || 228 !parse_integer(&child, &ret->q) || 229 !parse_integer(&child, &ret->dmp1) || 230 !parse_integer(&child, &ret->dmq1) || 231 !parse_integer(&child, &ret->iqmp)) { 232 goto err; 233 } 234 235 if (version == kVersionMulti) { 236 /* Although otherPrimeInfos is written as OPTIONAL in RFC 3447, it later 237 * says "[otherPrimeInfos] shall be omitted if version is 0 and shall 238 * contain at least one instance of OtherPrimeInfo if version is 1." The 239 * OPTIONAL is just so both versions share a single definition. */ 240 CBS other_prime_infos; 241 if (!CBS_get_asn1(&child, &other_prime_infos, CBS_ASN1_SEQUENCE) || 242 CBS_len(&other_prime_infos) == 0) { 243 OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING); 244 goto err; 245 } 246 ret->additional_primes = sk_RSA_additional_prime_new_null(); 247 if (ret->additional_primes == NULL) { 248 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE); 249 goto err; 250 } 251 252 ctx = BN_CTX_new(); 253 product_of_primes_so_far = BN_new(); 254 if (ctx == NULL || 255 product_of_primes_so_far == NULL || 256 !BN_mul(product_of_primes_so_far, ret->p, ret->q, ctx)) { 257 goto err; 258 } 259 260 while (CBS_len(&other_prime_infos) > 0) { 261 RSA_additional_prime *ap = rsa_parse_additional_prime(&other_prime_infos); 262 if (ap == NULL) { 263 goto err; 264 } 265 if (!sk_RSA_additional_prime_push(ret->additional_primes, ap)) { 266 OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE); 267 RSA_additional_prime_free(ap); 268 goto err; 269 } 270 ap->r = BN_dup(product_of_primes_so_far); 271 if (ap->r == NULL || 272 !BN_mul(product_of_primes_so_far, product_of_primes_so_far, 273 ap->prime, ctx)) { 274 goto err; 275 } 276 } 277 } 278 279 if (CBS_len(&child) != 0) { 280 OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING); 281 goto err; 282 } 283 284 if (!RSA_check_key(ret)) { 285 OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_RSA_PARAMETERS); 286 goto err; 287 } 288 289 BN_CTX_free(ctx); 290 BN_free(product_of_primes_so_far); 291 return ret; 292 293 err: 294 BN_CTX_free(ctx); 295 BN_free(product_of_primes_so_far); 296 RSA_free(ret); 297 return NULL; 298 } 299 300 RSA *RSA_private_key_from_bytes(const uint8_t *in, size_t in_len) { 301 CBS cbs; 302 CBS_init(&cbs, in, in_len); 303 RSA *ret = RSA_parse_private_key(&cbs); 304 if (ret == NULL || CBS_len(&cbs) != 0) { 305 OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING); 306 RSA_free(ret); 307 return NULL; 308 } 309 return ret; 310 } 311 312 int RSA_marshal_private_key(CBB *cbb, const RSA *rsa) { 313 const int is_multiprime = 314 sk_RSA_additional_prime_num(rsa->additional_primes) > 0; 315 316 CBB child; 317 if (!CBB_add_asn1(cbb, &child, CBS_ASN1_SEQUENCE) || 318 !CBB_add_asn1_uint64(&child, 319 is_multiprime ? kVersionMulti : kVersionTwoPrime) || 320 !marshal_integer(&child, rsa->n) || 321 !marshal_integer(&child, rsa->e) || 322 !marshal_integer(&child, rsa->d) || 323 !marshal_integer(&child, rsa->p) || 324 !marshal_integer(&child, rsa->q) || 325 !marshal_integer(&child, rsa->dmp1) || 326 !marshal_integer(&child, rsa->dmq1) || 327 !marshal_integer(&child, rsa->iqmp)) { 328 OPENSSL_PUT_ERROR(RSA, RSA_R_ENCODE_ERROR); 329 return 0; 330 } 331 332 CBB other_prime_infos; 333 if (is_multiprime) { 334 if (!CBB_add_asn1(&child, &other_prime_infos, CBS_ASN1_SEQUENCE)) { 335 OPENSSL_PUT_ERROR(RSA, RSA_R_ENCODE_ERROR); 336 return 0; 337 } 338 for (size_t i = 0; i < sk_RSA_additional_prime_num(rsa->additional_primes); 339 i++) { 340 RSA_additional_prime *ap = 341 sk_RSA_additional_prime_value(rsa->additional_primes, i); 342 CBB other_prime_info; 343 if (!CBB_add_asn1(&other_prime_infos, &other_prime_info, 344 CBS_ASN1_SEQUENCE) || 345 !marshal_integer(&other_prime_info, ap->prime) || 346 !marshal_integer(&other_prime_info, ap->exp) || 347 !marshal_integer(&other_prime_info, ap->coeff) || 348 !CBB_flush(&other_prime_infos)) { 349 OPENSSL_PUT_ERROR(RSA, RSA_R_ENCODE_ERROR); 350 return 0; 351 } 352 } 353 } 354 355 if (!CBB_flush(cbb)) { 356 OPENSSL_PUT_ERROR(RSA, RSA_R_ENCODE_ERROR); 357 return 0; 358 } 359 return 1; 360 } 361 362 int RSA_private_key_to_bytes(uint8_t **out_bytes, size_t *out_len, 363 const RSA *rsa) { 364 CBB cbb; 365 CBB_zero(&cbb); 366 if (!CBB_init(&cbb, 0) || 367 !RSA_marshal_private_key(&cbb, rsa) || 368 !CBB_finish(&cbb, out_bytes, out_len)) { 369 OPENSSL_PUT_ERROR(RSA, RSA_R_ENCODE_ERROR); 370 CBB_cleanup(&cbb); 371 return 0; 372 } 373 return 1; 374 } 375 376 RSA *d2i_RSAPublicKey(RSA **out, const uint8_t **inp, long len) { 377 if (len < 0) { 378 return NULL; 379 } 380 CBS cbs; 381 CBS_init(&cbs, *inp, (size_t)len); 382 RSA *ret = RSA_parse_public_key(&cbs); 383 if (ret == NULL) { 384 return NULL; 385 } 386 if (out != NULL) { 387 RSA_free(*out); 388 *out = ret; 389 } 390 *inp = CBS_data(&cbs); 391 return ret; 392 } 393 394 int i2d_RSAPublicKey(const RSA *in, uint8_t **outp) { 395 CBB cbb; 396 if (!CBB_init(&cbb, 0) || 397 !RSA_marshal_public_key(&cbb, in)) { 398 CBB_cleanup(&cbb); 399 return -1; 400 } 401 return CBB_finish_i2d(&cbb, outp); 402 } 403 404 RSA *d2i_RSAPrivateKey(RSA **out, const uint8_t **inp, long len) { 405 if (len < 0) { 406 return NULL; 407 } 408 CBS cbs; 409 CBS_init(&cbs, *inp, (size_t)len); 410 RSA *ret = RSA_parse_private_key(&cbs); 411 if (ret == NULL) { 412 return NULL; 413 } 414 if (out != NULL) { 415 RSA_free(*out); 416 *out = ret; 417 } 418 *inp = CBS_data(&cbs); 419 return ret; 420 } 421 422 int i2d_RSAPrivateKey(const RSA *in, uint8_t **outp) { 423 CBB cbb; 424 if (!CBB_init(&cbb, 0) || 425 !RSA_marshal_private_key(&cbb, in)) { 426 CBB_cleanup(&cbb); 427 return -1; 428 } 429 return CBB_finish_i2d(&cbb, outp); 430 } 431 432 RSA *RSAPublicKey_dup(const RSA *rsa) { 433 uint8_t *der; 434 size_t der_len; 435 if (!RSA_public_key_to_bytes(&der, &der_len, rsa)) { 436 return NULL; 437 } 438 RSA *ret = RSA_public_key_from_bytes(der, der_len); 439 OPENSSL_free(der); 440 return ret; 441 } 442 443 RSA *RSAPrivateKey_dup(const RSA *rsa) { 444 uint8_t *der; 445 size_t der_len; 446 if (!RSA_private_key_to_bytes(&der, &der_len, rsa)) { 447 return NULL; 448 } 449 RSA *ret = RSA_private_key_from_bytes(der, der_len); 450 OPENSSL_free(der); 451 return ret; 452 } 453
