Coverage Report

Created: 2025-06-24 07:00

/src/boringssl/crypto/x509/rsa_pss.cc
1
// Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
2
//
3
// Licensed under the Apache License, Version 2.0 (the "License");
4
// you may not use this file except in compliance with the License.
5
// You may obtain a copy of the License at
6
//
7
//     https://www.apache.org/licenses/LICENSE-2.0
8
//
9
// Unless required by applicable law or agreed to in writing, software
10
// distributed under the License is distributed on an "AS IS" BASIS,
11
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12
// See the License for the specific language governing permissions and
13
// limitations under the License.
14
15
#include <openssl/x509.h>
16
17
#include <assert.h>
18
#include <limits.h>
19
20
#include <openssl/asn1.h>
21
#include <openssl/asn1t.h>
22
#include <openssl/bio.h>
23
#include <openssl/err.h>
24
#include <openssl/evp.h>
25
#include <openssl/obj.h>
26
27
#include "internal.h"
// rsa_pss_cb is the ASN.1 callback registered for |RSA_PSS_PARAMS|. On
// |ASN1_OP_FREE_PRE| it releases |maskHash|, which is not one of the fields
// listed in the RSA_PSS_PARAMS template in this file. It returns one for every
// operation; |it| and |exarg| are not used.
static int rsa_pss_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
                      void *exarg) {
  if (operation != ASN1_OP_FREE_PRE) {
    return 1;
  }

  RSA_PSS_PARAMS *params = (RSA_PSS_PARAMS *)*pval;
  X509_ALGOR_free(params->maskHash);
  return 1;
}
// ASN.1 template for the RSASSA-PSS parameters SEQUENCE, with |rsa_pss_cb|
// registered as its callback. Each of the four fields is OPTIONAL and carries
// an EXPLICIT context tag ([0] through [3]). The code in this file treats a
// NULL field pointer as "omitted", i.e. the DEFAULT value applies.
ASN1_SEQUENCE_cb(RSA_PSS_PARAMS, rsa_pss_cb) = {
    ASN1_EXP_OPT(RSA_PSS_PARAMS, hashAlgorithm, X509_ALGOR, 0),
    ASN1_EXP_OPT(RSA_PSS_PARAMS, maskGenAlgorithm, X509_ALGOR, 1),
    ASN1_EXP_OPT(RSA_PSS_PARAMS, saltLength, ASN1_INTEGER, 2),
    ASN1_EXP_OPT(RSA_PSS_PARAMS, trailerField, ASN1_INTEGER, 3),
} ASN1_SEQUENCE_END_cb(RSA_PSS_PARAMS, RSA_PSS_PARAMS)

// Generates the |RSA_PSS_PARAMS| functions from the template above; this file
// uses |RSA_PSS_PARAMS_new|, |RSA_PSS_PARAMS_free| and |d2i_RSA_PSS_PARAMS|.
IMPLEMENT_ASN1_FUNCTIONS_const(RSA_PSS_PARAMS)
// rsa_mgf1_decode parses the parameter of an MGF-1 AlgorithmIdentifier |alg|,
// which is itself an AlgorithmIdentifier naming the mask hash. It returns a
// newly-allocated |X509_ALGOR| that the caller must free, or NULL if |alg| is
// not MGF-1, has no parameter, or the parameter is not a SEQUENCE or fails to
// parse. No error is pushed here; callers decide how to report failure.
static X509_ALGOR *rsa_mgf1_decode(const X509_ALGOR *alg) {
  if (OBJ_obj2nid(alg->algorithm) != NID_mgf1) {
    return NULL;
  }

  const ASN1_TYPE *param = alg->parameter;
  if (param == NULL || param->type != V_ASN1_SEQUENCE) {
    return NULL;
  }

  // NOTE(review): the parse is bounded by the SEQUENCE length, but nothing
  // here checks that it consumed all of those bytes. Confirm whether trailing
  // data after the inner AlgorithmIdentifier should be rejected.
  const ASN1_STRING *seq = param->value.sequence;
  const uint8_t *cursor = seq->data;
  return d2i_X509_ALGOR(NULL, &cursor, seq->length);
}
// rsa_pss_decode parses the parameter of |alg| as an |RSA_PSS_PARAMS|
// structure. It returns a newly-allocated object that the caller must release
// with |RSA_PSS_PARAMS_free|, or NULL if the parameter is absent, is not a
// SEQUENCE, or fails to parse. It does not check |alg->algorithm|; both public
// callers in this file assert that it is rsassaPss before calling.
static RSA_PSS_PARAMS *rsa_pss_decode(const X509_ALGOR *alg) {
  const ASN1_TYPE *param = alg->parameter;
  if (param == NULL || param->type != V_ASN1_SEQUENCE) {
    return NULL;
  }

  // NOTE(review): as with the MGF-1 parameter, nothing here checks that the
  // parse consumed the whole SEQUENCE. Confirm whether trailing bytes matter.
  const ASN1_STRING *seq = param->value.sequence;
  const uint8_t *cursor = seq->data;
  return d2i_RSA_PSS_PARAMS(NULL, &cursor, seq->length);
}
// is_allowed_pss_md returns one if |md| is a digest this file accepts for
// RSASSA-PSS (SHA-256, SHA-384 or SHA-512) and zero otherwise. SHA-1, the
// DEFAULT digest in the PSS parameter encoding, is deliberately not listed.
static int is_allowed_pss_md(const EVP_MD *md) {
  switch (EVP_MD_type(md)) {
    case NID_sha256:
    case NID_sha384:
    case NID_sha512:
      return 1;
    default:
      return 0;
  }
}
// rsa_md_to_algor sets |*palg| to a newly-allocated |X509_ALGOR| describing
// the digest |md|, which must be an allowed PSS digest. It returns one on
// success. On failure it returns zero and leaves |*palg| set to NULL. Any
// previous value of |*palg| is overwritten without being freed.
static int rsa_md_to_algor(X509_ALGOR **palg, const EVP_MD *md) {
  // SHA-1 should be omitted (DEFAULT), but we do not allow SHA-1.
  assert(is_allowed_pss_md(md));

  X509_ALGOR *algor = X509_ALGOR_new();
  *palg = algor;
  if (algor == NULL) {
    return 0;
  }

  if (X509_ALGOR_set_md(algor, md)) {
    return 1;
  }

  // Do not hand a half-initialised object back to the caller.
  X509_ALGOR_free(algor);
  *palg = NULL;
  return 0;
}
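// rsa_md_to_mgf1 sets |*palg| to a newly-allocated |X509_ALGOR| describing
// MGF-1 with the digest |mgf1md|, which must be an allowed PSS digest. It
// returns one on success and zero on error.
//
// |*palg| is written only on success. The result is derived from an explicit
// status rather than from whether |*palg| is non-NULL, so a failure in
// |X509_ALGOR_set0|, or a stale non-NULL |*palg| on entry, cannot be reported
// as success with an MGF-1 identifier that lacks its hash parameter.
static int rsa_md_to_mgf1(X509_ALGOR **palg, const EVP_MD *mgf1md) {
  // SHA-1 should be omitted (DEFAULT), but we do not allow SHA-1.
  assert(is_allowed_pss_md(mgf1md));

  int ret = 0;
  X509_ALGOR *hash_alg = NULL;  // inner AlgorithmIdentifier for the digest
  X509_ALGOR *mgf1_alg = NULL;  // outer MGF-1 AlgorithmIdentifier
  ASN1_STRING *packed = NULL;   // DER encoding of |hash_alg|

  // The digest's algorithm ID is embedded as the parameter of the MGF-1 one.
  if (!rsa_md_to_algor(&hash_alg, mgf1md) ||
      !ASN1_item_pack(hash_alg, ASN1_ITEM_rptr(X509_ALGOR), &packed)) {
    goto err;
  }

  mgf1_alg = X509_ALGOR_new();
  if (mgf1_alg == NULL ||
      !X509_ALGOR_set0(mgf1_alg, OBJ_nid2obj(NID_mgf1), V_ASN1_SEQUENCE,
                       packed)) {
    goto err;
  }
  // |mgf1_alg| now owns |packed|, and the caller takes over |mgf1_alg|.
  packed = NULL;
  *palg = mgf1_alg;
  mgf1_alg = NULL;
  ret = 1;

err:
  ASN1_STRING_free(packed);
  X509_ALGOR_free(hash_alg);
  X509_ALGOR_free(mgf1_alg);
  return ret;
}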
// rsa_algor_to_md maps the hash AlgorithmIdentifier |alg| to an |EVP_MD|. It
// returns NULL and pushes |X509_R_INVALID_PSS_PARAMETERS| when |alg| is NULL,
// names an unknown digest, or names one that |is_allowed_pss_md| rejects.
static const EVP_MD *rsa_algor_to_md(const X509_ALGOR *alg) {
  // If omitted (NULL), PSS defaults to SHA-1, which we do not allow. That case
  // takes the same error path as an unknown or disallowed digest.
  const EVP_MD *md = alg != NULL ? EVP_get_digestbyobj(alg->algorithm) : NULL;
  if (md != NULL && is_allowed_pss_md(md)) {
    return md;
  }

  OPENSSL_PUT_ERROR(X509, X509_R_INVALID_PSS_PARAMETERS);
  return NULL;
}
// rsa_mgf1_to_md maps the mask generation AlgorithmIdentifier |alg| to the
// |EVP_MD| of its MGF-1 hash. It returns NULL with
// |X509_R_INVALID_PSS_PARAMETERS| pushed when |alg| is NULL, is not a
// well-formed MGF-1 identifier, or names a hash that |rsa_algor_to_md| rejects.
static const EVP_MD *rsa_mgf1_to_md(const X509_ALGOR *alg) {
  // If omitted (NULL), PSS defaults to MGF-1 with SHA-1, which we do not
  // allow. Otherwise check the mask function and extract its hash identifier.
  X509_ALGOR *mask_hash = alg != NULL ? rsa_mgf1_decode(alg) : NULL;
  if (mask_hash == NULL) {
    OPENSSL_PUT_ERROR(X509, X509_R_INVALID_PSS_PARAMETERS);
    return NULL;
  }

  // |rsa_algor_to_md| pushes its own error if the hash is not acceptable.
  const EVP_MD *md = rsa_algor_to_md(mask_hash);
  X509_ALGOR_free(mask_hash);
  return md;
}
// x509_rsa_ctx_to_pss fills |algor| with an RSASSA-PSS AlgorithmIdentifier
// that describes the signing parameters configured on |ctx->pctx|. It returns
// one on success and zero on error.
//
// Only configurations that the verifier in this file would accept are
// encoded: the signature and MGF-1 digests must be the same allowed digest,
// and the salt length must equal the digest length (or be
// |RSA_PSS_SALTLEN_DIGEST|). Anything else fails with
// |X509_R_INVALID_PSS_PARAMETERS|.
//
// NOTE(review): the coverage report this listing comes from records an
// execution count of 0 for every line of this function.
int x509_rsa_ctx_to_pss(EVP_MD_CTX *ctx, X509_ALGOR *algor) {
  const EVP_MD *sig_md;
  const EVP_MD *mask_md;
  int salt_len;
  if (!EVP_PKEY_CTX_get_signature_md(ctx->pctx, &sig_md)) {
    return 0;
  }
  if (!EVP_PKEY_CTX_get_rsa_mgf1_md(ctx->pctx, &mask_md)) {
    return 0;
  }
  if (!EVP_PKEY_CTX_get_rsa_pss_saltlen(ctx->pctx, &salt_len)) {
    return 0;
  }

  const int digests_ok = sig_md == mask_md && is_allowed_pss_md(sig_md);
  if (!digests_ok) {
    OPENSSL_PUT_ERROR(X509, X509_R_INVALID_PSS_PARAMETERS);
    return 0;
  }

  // The salt must be exactly one digest long, whether requested by value or
  // through the |RSA_PSS_SALTLEN_DIGEST| sentinel.
  const int digest_len = (int)EVP_MD_size(sig_md);
  if (salt_len != RSA_PSS_SALTLEN_DIGEST && salt_len != digest_len) {
    OPENSSL_PUT_ERROR(X509, X509_R_INVALID_PSS_PARAMETERS);
    return 0;
  }
  salt_len = digest_len;

  // Everything |goto err| may need is declared before the first jump.
  int ok = 0;
  ASN1_STRING *encoded = NULL;
  RSA_PSS_PARAMS *params = RSA_PSS_PARAMS_new();
  if (params == NULL) {
    goto err;
  }

  // The DEFAULT value is 20, but this does not match any supported digest.
  assert(salt_len != 20);
  params->saltLength = ASN1_INTEGER_new();
  if (params->saltLength == NULL) {
    goto err;
  }
  if (!ASN1_INTEGER_set_int64(params->saltLength, salt_len)) {
    goto err;
  }

  if (!rsa_md_to_algor(&params->hashAlgorithm, sig_md)) {
    goto err;
  }
  if (!rsa_md_to_mgf1(&params->maskGenAlgorithm, mask_md)) {
    goto err;
  }

  // Finally create string with pss parameter encoding.
  if (!ASN1_item_pack(params, ASN1_ITEM_rptr(RSA_PSS_PARAMS), &encoded)) {
    goto err;
  }

  if (!X509_ALGOR_set0(algor, OBJ_nid2obj(NID_rsassaPss), V_ASN1_SEQUENCE,
                       encoded)) {
    goto err;
  }
  // |algor| owns the encoding now, so it must not be freed below.
  encoded = NULL;
  ok = 1;

err:
  RSA_PSS_PARAMS_free(params);
  ASN1_STRING_free(encoded);
  return ok;
}
// x509_rsa_pss_to_ctx decodes the RSASSA-PSS parameters carried by |sigalg|
// and, if they are acceptable, initialises |ctx| to verify a signature made
// with |pkey| under those parameters. It returns one on success and zero on
// error. The caller must already have established that |sigalg| is
// rsassaPss; this is only asserted here.
//
// Accepted parameters, as enforced below:
//   - hashAlgorithm present and SHA-256, SHA-384 or SHA-512;
//   - maskGenAlgorithm present and MGF-1 over the same digest;
//   - saltLength present and equal to the digest length;
//   - trailerField absent, or explicitly encoded as 1.
// An omitted hash, mask or salt field selects a SHA-1 based DEFAULT and is
// therefore rejected.
//
// NOTE(review): the coverage report this listing comes from records an
// execution count of 0 for every line of this function, so that run did not
// exercise any of these checks.
int x509_rsa_pss_to_ctx(EVP_MD_CTX *ctx, const X509_ALGOR *sigalg,
                        EVP_PKEY *pkey) {
  assert(OBJ_obj2nid(sigalg->algorithm) == NID_rsassaPss);

  // Decode PSS parameters
  int ok = 0;
  RSA_PSS_PARAMS *params = rsa_pss_decode(sigalg);

  // NOTE(review): presumably the inner scope exists so that |goto err| does
  // not jump over the initialised declarations below.
  {
    if (params == NULL) {
      OPENSSL_PUT_ERROR(X509, X509_R_INVALID_PSS_PARAMETERS);
      goto err;
    }

    // Both lookups run before either result is inspected, and each pushes its
    // own error on failure.
    const EVP_MD *mask_md = rsa_mgf1_to_md(params->maskGenAlgorithm);
    const EVP_MD *sig_md = rsa_algor_to_md(params->hashAlgorithm);
    if (mask_md == NULL || sig_md == NULL) {
      goto err;
    }

    // We require the MGF-1 and signing hashes to match.
    if (mask_md != sig_md) {
      OPENSSL_PUT_ERROR(X509, X509_R_INVALID_PSS_PARAMETERS);
      goto err;
    }

    // We require the salt length be the hash length. The DEFAULT value is 20,
    // but this does not match any supported salt length.
    uint64_t salt_len = 0;
    const int salt_ok =
        params->saltLength != NULL &&
        ASN1_INTEGER_get_uint64(&salt_len, params->saltLength) &&
        salt_len == EVP_MD_size(sig_md);
    if (!salt_ok) {
      OPENSSL_PUT_ERROR(X509, X509_R_INVALID_PSS_PARAMETERS);
      goto err;
    }
    // A digest-sized salt fits in the |int| that the setter below takes.
    assert(salt_len <= INT_MAX);

    // The trailer field must be 1 (0xbc). This value is DEFAULT, so the
    // structure is required to omit it in DER. Although a syntax error, we also
    // tolerate an explicitly-encoded value. See the certificates in
    // cl/362617931.
    if (params->trailerField != NULL) {
      if (ASN1_INTEGER_get(params->trailerField) != 1) {
        OPENSSL_PUT_ERROR(X509, X509_R_INVALID_PSS_PARAMETERS);
        goto err;
      }
    }

    // Configure the verification context with exactly the validated values.
    EVP_PKEY_CTX *pkey_ctx;
    if (!EVP_DigestVerifyInit(ctx, &pkey_ctx, sig_md, NULL, pkey)) {
      goto err;
    }
    if (!EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING)) {
      goto err;
    }
    if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pkey_ctx, (int)salt_len)) {
      goto err;
    }
    if (!EVP_PKEY_CTX_set_rsa_mgf1_md(pkey_ctx, mask_md)) {
      goto err;
    }

    ok = 1;
  }

err:
  RSA_PSS_PARAMS_free(params);
  return ok;
}
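// x509_print_rsa_pss_params writes a human-readable description of the
// RSASSA-PSS parameters in |sigalg| to |bp|, indenting each field line by
// |indent|. It returns one on success and zero if a write to |bp| fails.
// |pctx| is not used.
//
// This function only describes the encoding. Parameters that do not decode
// are printed as invalid and still count as success, and omitted fields are
// printed with their SHA-1 based DEFAULT values even though
// |x509_rsa_pss_to_ctx| rejects those for verification. Printed output
// therefore says nothing about whether a signature would be accepted.
//
// Every write is checked, including the newline after each field, so a
// failing |bp| is reported consistently instead of only at some steps.
int x509_print_rsa_pss_params(BIO *bp, const X509_ALGOR *sigalg, int indent,
                              ASN1_PCTX *pctx) {
  assert(OBJ_obj2nid(sigalg->algorithm) == NID_rsassaPss);

  int rv = 0;
  X509_ALGOR *maskHash = NULL;
  RSA_PSS_PARAMS *pss = rsa_pss_decode(sigalg);
  if (!pss) {
    // Undecodable parameters are reported in the output, not as an error.
    if (BIO_puts(bp, " (INVALID PSS PARAMETERS)\n") <= 0) {
      goto err;
    }
    rv = 1;
    goto err;
  }

  if (BIO_puts(bp, "\n") <= 0 ||       //
      !BIO_indent(bp, indent, 128) ||  //
      BIO_puts(bp, "Hash Algorithm: ") <= 0) {
    goto err;
  }

  if (pss->hashAlgorithm) {
    if (i2a_ASN1_OBJECT(bp, pss->hashAlgorithm->algorithm) <= 0) {
      goto err;
    }
  } else if (BIO_puts(bp, "sha1 (default)") <= 0) {
    goto err;
  }

  if (BIO_puts(bp, "\n") <= 0 ||       //
      !BIO_indent(bp, indent, 128) ||  //
      BIO_puts(bp, "Mask Algorithm: ") <= 0) {
    goto err;
  }

  if (pss->maskGenAlgorithm) {
    // |maskHash| is released at |err| on every path.
    maskHash = rsa_mgf1_decode(pss->maskGenAlgorithm);
    if (maskHash == NULL) {
      if (BIO_puts(bp, "INVALID") <= 0) {
        goto err;
      }
    } else {
      if (i2a_ASN1_OBJECT(bp, pss->maskGenAlgorithm->algorithm) <= 0 ||
          BIO_puts(bp, " with ") <= 0 ||
          i2a_ASN1_OBJECT(bp, maskHash->algorithm) <= 0) {
        goto err;
      }
    }
  } else if (BIO_puts(bp, "mgf1 with sha1 (default)") <= 0) {
    goto err;
  }

  if (BIO_puts(bp, "\n") <= 0 ||       //
      !BIO_indent(bp, indent, 128) ||  //
      BIO_puts(bp, "Salt Length: 0x") <= 0) {
    goto err;
  }

  if (pss->saltLength) {
    if (i2a_ASN1_INTEGER(bp, pss->saltLength) <= 0) {
      goto err;
    }
  } else if (BIO_puts(bp, "14 (default)") <= 0) {
    // 0x14 is 20, the DEFAULT salt length.
    goto err;
  }

  if (BIO_puts(bp, "\n") <= 0 ||       //
      !BIO_indent(bp, indent, 128) ||  //
      BIO_puts(bp, "Trailer Field: 0x") <= 0) {
    goto err;
  }

  if (pss->trailerField) {
    if (i2a_ASN1_INTEGER(bp, pss->trailerField) <= 0) {
      goto err;
    }
  } else if (BIO_puts(bp, "BC (default)") <= 0) {
    goto err;
  }

  if (BIO_puts(bp, "\n") <= 0) {
    goto err;
  }

  rv = 1;

err:
  RSA_PSS_PARAMS_free(pss);
  X509_ALGOR_free(maskHash);
  return rv;
}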