2 * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * RSA low level APIs are deprecated for public use, but still ok for
14 #include "internal/deprecated.h"
16 #include "internal/packet.h"
17 #include "crypto/rsa.h" /* rsa_get0_all_params() */
18 #include "prov/bio.h" /* ossl_prov_bio_printf() */
19 #include "prov/der_rsa.h" /* DER_w_RSASSA_PSS_params() */
20 #include "prov/implementations.h" /* rsa_keymgmt_functions */
21 #include "serializer_local.h"
23 DEFINE_SPECIAL_STACK_OF_CONST(BIGNUM_const, BIGNUM)
25 OSSL_OP_keymgmt_new_fn *ossl_prov_get_keymgmt_rsa_new(void)
27 return ossl_prov_get_keymgmt_new(rsa_keymgmt_functions);
30 OSSL_OP_keymgmt_free_fn *ossl_prov_get_keymgmt_rsa_free(void)
32 return ossl_prov_get_keymgmt_free(rsa_keymgmt_functions);
35 OSSL_OP_keymgmt_import_fn *ossl_prov_get_keymgmt_rsa_import(void)
37 return ossl_prov_get_keymgmt_import(rsa_keymgmt_functions);
40 int ossl_prov_print_rsa(BIO *out, RSA *rsa, int priv)
42 const char *modulus_label;
43 const char *exponent_label;
44 const BIGNUM *rsa_d = NULL, *rsa_n = NULL, *rsa_e = NULL;
45 STACK_OF(BIGNUM_const) *factors = sk_BIGNUM_const_new_null();
46 STACK_OF(BIGNUM_const) *exps = sk_BIGNUM_const_new_null();
47 STACK_OF(BIGNUM_const) *coeffs = sk_BIGNUM_const_new_null();
48 RSA_PSS_PARAMS_30 *pss_params = rsa_get0_pss_params_30(rsa);
51 if (rsa == NULL || factors == NULL || exps == NULL || coeffs == NULL)
54 RSA_get0_key(rsa, &rsa_n, &rsa_e, &rsa_d);
55 rsa_get0_all_params(rsa, factors, exps, coeffs);
57 if (priv && rsa_d != NULL) {
58 if (ossl_prov_bio_printf(out, "Private-Key: (%d bit, %d primes)\n",
60 sk_BIGNUM_const_num(factors)) <= 0)
62 modulus_label = "modulus:";
63 exponent_label = "publicExponent:";
65 if (ossl_prov_bio_printf(out, "Public-Key: (%d bit)\n",
66 BN_num_bits(rsa_n)) <= 0)
68 modulus_label = "Modulus:";
69 exponent_label = "Exponent:";
71 if (!ossl_prov_print_labeled_bignum(out, modulus_label, rsa_n))
73 if (!ossl_prov_print_labeled_bignum(out, exponent_label, rsa_e))
78 if (!ossl_prov_print_labeled_bignum(out, "privateExponent:", rsa_d))
80 if (!ossl_prov_print_labeled_bignum(out, "prime1:",
81 sk_BIGNUM_const_value(factors, 0)))
83 if (!ossl_prov_print_labeled_bignum(out, "prime2:",
84 sk_BIGNUM_const_value(factors, 1)))
86 if (!ossl_prov_print_labeled_bignum(out, "exponent1:",
87 sk_BIGNUM_const_value(exps, 0)))
89 if (!ossl_prov_print_labeled_bignum(out, "exponent2:",
90 sk_BIGNUM_const_value(exps, 1)))
92 if (!ossl_prov_print_labeled_bignum(out, "coefficient:",
93 sk_BIGNUM_const_value(coeffs, 0)))
95 for (i = 2; i < sk_BIGNUM_const_num(factors); i++) {
96 if (ossl_prov_bio_printf(out, "prime%d:", i + 1) <= 0)
98 if (!ossl_prov_print_labeled_bignum(out, NULL,
99 sk_BIGNUM_const_value(factors,
102 if (ossl_prov_bio_printf(out, "exponent%d:", i + 1) <= 0)
104 if (!ossl_prov_print_labeled_bignum(out, NULL,
105 sk_BIGNUM_const_value(exps, i)))
107 if (ossl_prov_bio_printf(out, "coefficient%d:", i + 1) <= 0)
109 if (!ossl_prov_print_labeled_bignum(out, NULL,
110 sk_BIGNUM_const_value(coeffs,
116 switch (RSA_test_flags(rsa, RSA_FLAG_TYPE_MASK)) {
117 case RSA_FLAG_TYPE_RSA:
118 if (!rsa_pss_params_30_is_unrestricted(pss_params)) {
119 if (ossl_prov_bio_printf(out, "(INVALID PSS PARAMETERS)\n") <= 0)
123 case RSA_FLAG_TYPE_RSASSAPSS:
124 if (rsa_pss_params_30_is_unrestricted(pss_params)) {
125 if (ossl_prov_bio_printf(out,
126 "No PSS parameter restrictions\n") <= 0)
129 int hashalg_nid = rsa_pss_params_30_hashalg(pss_params);
130 int maskgenalg_nid = rsa_pss_params_30_maskgenalg(pss_params);
131 int maskgenhashalg_nid =
132 rsa_pss_params_30_maskgenhashalg(pss_params);
133 int saltlen = rsa_pss_params_30_saltlen(pss_params);
134 int trailerfield = rsa_pss_params_30_trailerfield(pss_params);
136 if (ossl_prov_bio_printf(out, "PSS parameter restrictions:\n") <= 0)
138 if (ossl_prov_bio_printf(out, " Hash Algorithm: %s%s\n",
139 rsa_oaeppss_nid2name(hashalg_nid),
140 (hashalg_nid == NID_sha1
141 ? " (default)" : "")) <= 0)
143 if (ossl_prov_bio_printf(out, " Mask Algorithm: %s with %s%s\n",
144 rsa_mgf_nid2name(maskgenalg_nid),
145 rsa_oaeppss_nid2name(maskgenhashalg_nid),
146 (maskgenalg_nid == NID_mgf1
147 && maskgenhashalg_nid == NID_sha1
148 ? " (default)" : "")) <= 0)
150 if (ossl_prov_bio_printf(out, " Minimum Salt Length: %d%s\n",
152 (saltlen == 20 ? " (default)" : "")) <= 0)
155 * TODO(3.0) Should we show the ASN.1 trailerField value, or
156 * the actual trailerfield byte (i.e. 0xBC for 1)?
157 * crypto/rsa/rsa_ameth.c isn't very clear on that, as it
158 * does display 0xBC when the default applies, but the ASN.1
159 * trailerField value otherwise...
161 if (ossl_prov_bio_printf(out, " Trailer Field: 0x%x%s\n",
163 (trailerfield == 1 ? " (default)" : ""))
172 sk_BIGNUM_const_free(factors);
173 sk_BIGNUM_const_free(exps);
174 sk_BIGNUM_const_free(coeffs);
179 * Helper functions to prepare RSA-PSS params for serialization. We would
180 * have simply written the whole AlgorithmIdentifier, but existing libcrypto
181 * functionality doesn't allow that.
184 int ossl_prov_prepare_rsa_params(const void *rsa, int nid,
185 void **pstr, int *pstrtype)
187 const RSA_PSS_PARAMS_30 *pss = rsa_get0_pss_params_30((RSA *)rsa);
191 switch (RSA_test_flags(rsa, RSA_FLAG_TYPE_MASK)) {
192 case RSA_FLAG_TYPE_RSA:
193 /* If plain RSA, the parameters shall be NULL */
194 *pstrtype = V_ASN1_NULL;
196 case RSA_FLAG_TYPE_RSASSAPSS:
197 if (rsa_pss_params_30_is_unrestricted(pss)) {
198 *pstrtype = V_ASN1_UNDEF;
200 ASN1_STRING *astr = NULL;
202 unsigned char *str = NULL;
206 for (i = 0; i < 2; i++) {
209 if (!WPACKET_init_null_der(&pkt))
213 if ((str = OPENSSL_malloc(str_sz)) == NULL
214 || !WPACKET_init_der(&pkt, str, str_sz)) {
219 if (!DER_w_RSASSA_PSS_params(&pkt, -1, pss)
220 || !WPACKET_finish(&pkt))
222 WPACKET_get_total_written(&pkt, &str_sz);
223 WPACKET_cleanup(&pkt);
226 * If no PSS parameters are going to be written, there's no
227 * point going for another iteration.
228 * This saves us from getting |str| allocated just to have it
229 * immediately de-allocated.
235 if ((astr = ASN1_STRING_new()) == NULL)
237 *pstrtype = V_ASN1_SEQUENCE;
238 ASN1_STRING_set0(astr, str, (int)str_sz);
248 /* Currently unsupported RSA key type */
252 int ossl_prov_rsa_type_to_evp(const RSA *rsa)
254 switch (RSA_test_flags(rsa, RSA_FLAG_TYPE_MASK)) {
255 case RSA_FLAG_TYPE_RSA:
257 case RSA_FLAG_TYPE_RSASSAPSS:
258 return EVP_PKEY_RSA_PSS;
261 /* Currently unsupported RSA key type */
262 return EVP_PKEY_NONE;