2 * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * RSA low level APIs are deprecated for public use, but still ok for
14 #include "internal/deprecated.h"
16 #include "internal/packet.h"
17 #include "crypto/rsa.h" /* rsa_get0_all_params() */
18 #include "prov/bio.h" /* ossl_prov_bio_printf() */
19 #include "prov/der_rsa.h" /* DER_w_RSASSA_PSS_params() */
20 #include "prov/implementations.h" /* rsa_keymgmt_functions */
21 #include "serializer_local.h"
23 DEFINE_SPECIAL_STACK_OF_CONST(BIGNUM_const, BIGNUM)
25 OSSL_FUNC_keymgmt_new_fn *ossl_prov_get_keymgmt_rsa_new(void)
27 return ossl_prov_get_keymgmt_new(rsa_keymgmt_functions);
30 OSSL_FUNC_keymgmt_free_fn *ossl_prov_get_keymgmt_rsa_free(void)
32 return ossl_prov_get_keymgmt_free(rsa_keymgmt_functions);
35 OSSL_FUNC_keymgmt_import_fn *ossl_prov_get_keymgmt_rsa_import(void)
37 return ossl_prov_get_keymgmt_import(rsa_keymgmt_functions);
40 int ossl_prov_print_rsa(BIO *out, RSA *rsa, int priv)
42 const char *modulus_label;
43 const char *exponent_label;
44 const BIGNUM *rsa_d = NULL, *rsa_n = NULL, *rsa_e = NULL;
45 STACK_OF(BIGNUM_const) *factors = sk_BIGNUM_const_new_null();
46 STACK_OF(BIGNUM_const) *exps = sk_BIGNUM_const_new_null();
47 STACK_OF(BIGNUM_const) *coeffs = sk_BIGNUM_const_new_null();
48 RSA_PSS_PARAMS_30 *pss_params = rsa_get0_pss_params_30(rsa);
51 if (rsa == NULL || factors == NULL || exps == NULL || coeffs == NULL)
54 RSA_get0_key(rsa, &rsa_n, &rsa_e, &rsa_d);
55 rsa_get0_all_params(rsa, factors, exps, coeffs);
57 if (priv && rsa_d != NULL) {
58 if (BIO_printf(out, "Private-Key: (%d bit, %d primes)\n",
60 sk_BIGNUM_const_num(factors)) <= 0)
62 modulus_label = "modulus:";
63 exponent_label = "publicExponent:";
65 if (BIO_printf(out, "Public-Key: (%d bit)\n", BN_num_bits(rsa_n)) <= 0)
67 modulus_label = "Modulus:";
68 exponent_label = "Exponent:";
70 if (!ossl_prov_print_labeled_bignum(out, modulus_label, rsa_n))
72 if (!ossl_prov_print_labeled_bignum(out, exponent_label, rsa_e))
77 if (!ossl_prov_print_labeled_bignum(out, "privateExponent:", rsa_d))
79 if (!ossl_prov_print_labeled_bignum(out, "prime1:",
80 sk_BIGNUM_const_value(factors, 0)))
82 if (!ossl_prov_print_labeled_bignum(out, "prime2:",
83 sk_BIGNUM_const_value(factors, 1)))
85 if (!ossl_prov_print_labeled_bignum(out, "exponent1:",
86 sk_BIGNUM_const_value(exps, 0)))
88 if (!ossl_prov_print_labeled_bignum(out, "exponent2:",
89 sk_BIGNUM_const_value(exps, 1)))
91 if (!ossl_prov_print_labeled_bignum(out, "coefficient:",
92 sk_BIGNUM_const_value(coeffs, 0)))
94 for (i = 2; i < sk_BIGNUM_const_num(factors); i++) {
95 if (BIO_printf(out, "prime%d:", i + 1) <= 0)
97 if (!ossl_prov_print_labeled_bignum(out, NULL,
98 sk_BIGNUM_const_value(factors,
101 if (BIO_printf(out, "exponent%d:", i + 1) <= 0)
103 if (!ossl_prov_print_labeled_bignum(out, NULL,
104 sk_BIGNUM_const_value(exps, i)))
106 if (BIO_printf(out, "coefficient%d:", i + 1) <= 0)
108 if (!ossl_prov_print_labeled_bignum(out, NULL,
109 sk_BIGNUM_const_value(coeffs,
115 switch (RSA_test_flags(rsa, RSA_FLAG_TYPE_MASK)) {
116 case RSA_FLAG_TYPE_RSA:
117 if (!rsa_pss_params_30_is_unrestricted(pss_params)) {
118 if (BIO_printf(out, "(INVALID PSS PARAMETERS)\n") <= 0)
122 case RSA_FLAG_TYPE_RSASSAPSS:
123 if (rsa_pss_params_30_is_unrestricted(pss_params)) {
124 if (BIO_printf(out, "No PSS parameter restrictions\n") <= 0)
127 int hashalg_nid = rsa_pss_params_30_hashalg(pss_params);
128 int maskgenalg_nid = rsa_pss_params_30_maskgenalg(pss_params);
129 int maskgenhashalg_nid =
130 rsa_pss_params_30_maskgenhashalg(pss_params);
131 int saltlen = rsa_pss_params_30_saltlen(pss_params);
132 int trailerfield = rsa_pss_params_30_trailerfield(pss_params);
134 if (BIO_printf(out, "PSS parameter restrictions:\n") <= 0)
136 if (BIO_printf(out, " Hash Algorithm: %s%s\n",
137 rsa_oaeppss_nid2name(hashalg_nid),
138 (hashalg_nid == NID_sha1
139 ? " (default)" : "")) <= 0)
141 if (BIO_printf(out, " Mask Algorithm: %s with %s%s\n",
142 rsa_mgf_nid2name(maskgenalg_nid),
143 rsa_oaeppss_nid2name(maskgenhashalg_nid),
144 (maskgenalg_nid == NID_mgf1
145 && maskgenhashalg_nid == NID_sha1
146 ? " (default)" : "")) <= 0)
148 if (BIO_printf(out, " Minimum Salt Length: %d%s\n",
150 (saltlen == 20 ? " (default)" : "")) <= 0)
153 * TODO(3.0) Should we show the ASN.1 trailerField value, or
154 * the actual trailerfield byte (i.e. 0xBC for 1)?
155 * crypto/rsa/rsa_ameth.c isn't very clear on that, as it
156 * does display 0xBC when the default applies, but the ASN.1
157 * trailerField value otherwise...
159 if (BIO_printf(out, " Trailer Field: 0x%x%s\n",
161 (trailerfield == 1 ? " (default)" : ""))
170 sk_BIGNUM_const_free(factors);
171 sk_BIGNUM_const_free(exps);
172 sk_BIGNUM_const_free(coeffs);
177 * Helper functions to prepare RSA-PSS params for serialization. We would
178 * have simply written the whole AlgorithmIdentifier, but existing libcrypto
179 * functionality doesn't allow that.
182 int ossl_prov_prepare_rsa_params(const void *rsa, int nid,
183 void **pstr, int *pstrtype)
185 const RSA_PSS_PARAMS_30 *pss = rsa_get0_pss_params_30((RSA *)rsa);
189 switch (RSA_test_flags(rsa, RSA_FLAG_TYPE_MASK)) {
190 case RSA_FLAG_TYPE_RSA:
191 /* If plain RSA, the parameters shall be NULL */
192 *pstrtype = V_ASN1_NULL;
194 case RSA_FLAG_TYPE_RSASSAPSS:
195 if (rsa_pss_params_30_is_unrestricted(pss)) {
196 *pstrtype = V_ASN1_UNDEF;
198 ASN1_STRING *astr = NULL;
200 unsigned char *str = NULL;
204 for (i = 0; i < 2; i++) {
207 if (!WPACKET_init_null_der(&pkt))
211 if ((str = OPENSSL_malloc(str_sz)) == NULL
212 || !WPACKET_init_der(&pkt, str, str_sz)) {
217 if (!DER_w_RSASSA_PSS_params(&pkt, -1, pss)
218 || !WPACKET_finish(&pkt)
219 || !WPACKET_get_total_written(&pkt, &str_sz))
221 WPACKET_cleanup(&pkt);
224 * If no PSS parameters are going to be written, there's no
225 * point going for another iteration.
226 * This saves us from getting |str| allocated just to have it
227 * immediately de-allocated.
233 if ((astr = ASN1_STRING_new()) == NULL)
235 *pstrtype = V_ASN1_SEQUENCE;
236 ASN1_STRING_set0(astr, str, (int)str_sz);
246 /* Currently unsupported RSA key type */
250 int ossl_prov_rsa_type_to_evp(const RSA *rsa)
252 switch (RSA_test_flags(rsa, RSA_FLAG_TYPE_MASK)) {
253 case RSA_FLAG_TYPE_RSA:
255 case RSA_FLAG_TYPE_RSASSAPSS:
256 return EVP_PKEY_RSA_PSS;
259 /* Currently unsupported RSA key type */
260 return EVP_PKEY_NONE;