/src/boringssl/crypto/rsa/rsa_asn1.cc

Source
// Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

#include <openssl/rsa.h>

#include <assert.h>
#include <limits.h>
#include <string.h>

#include <openssl/bn.h>
#include <openssl/bytestring.h>
#include <openssl/digest.h>
#include <openssl/err.h>
#include <openssl/mem.h>
#include <openssl/nid.h>
#include <openssl/span.h>
#include <openssl/x509.h>

#include "../bytestring/internal.h"
#include "../fipsmodule/rsa/internal.h"
#include "../internal.h"
#include "internal.h"


using namespace bssl;

static int parse_integer(CBS *cbs, BIGNUM **out) {
  assert(*out == nullptr);
  *out = BN_new();
  if (*out == nullptr) {
    return 0;
  }
  return BN_parse_asn1_unsigned(cbs, *out);
}

static int marshal_integer(CBB *cbb, BIGNUM *bn) {
  if (bn == nullptr) {
    // An RSA object may be missing some components.
    OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING);
    return 0;
  }
  return BN_marshal_asn1(cbb, bn);
}

RSA *RSA_parse_public_key(CBS *cbs) {
  RSAImpl *ret = FromOpaque(RSA_new());
  if (ret == nullptr) {
    return nullptr;
  }
  CBS child;
  if (!CBS_get_asn1(cbs, &child, CBS_ASN1_SEQUENCE) ||
      !parse_integer(&child, &ret->n) ||
      !parse_integer(&child, &ret->e) ||
      CBS_len(&child) != 0) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
    RSA_free(ret);
    return nullptr;
  }

  if (!RSA_check_key(ret)) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_RSA_PARAMETERS);
    RSA_free(ret);
    return nullptr;
  }

  return ret;
}

RSA *RSA_public_key_from_bytes(const uint8_t *in, size_t in_len) {
  CBS cbs;
  CBS_init(&cbs, in, in_len);
  RSA *ret = RSA_parse_public_key(&cbs);
  if (ret == nullptr || CBS_len(&cbs) != 0) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
    RSA_free(ret);
    return nullptr;
  }
  return ret;
}

int RSA_marshal_public_key(CBB *cbb, const RSA *rsa) {
  CBB child;
  const RSAImpl *impl = FromOpaque(rsa);
  if (!CBB_add_asn1(cbb, &child, CBS_ASN1_SEQUENCE) ||
      !marshal_integer(&child, impl->n) || !marshal_integer(&child, impl->e) ||
      !CBB_flush(cbb)) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_ENCODE_ERROR);
    return 0;
  }
  return 1;
}

int RSA_public_key_to_bytes(uint8_t **out_bytes, size_t *out_len,
                            const RSA *rsa) {
  CBB cbb;
  CBB_zero(&cbb);
  if (!CBB_init(&cbb, 0) ||
      !RSA_marshal_public_key(&cbb, rsa) ||
      !CBB_finish(&cbb, out_bytes, out_len)) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_ENCODE_ERROR);
    CBB_cleanup(&cbb);
    return 0;
  }
  return 1;
}

// kVersionTwoPrime is the value of the version field for a two-prime
// RSAPrivateKey structure (RFC 8017).
static const uint64_t kVersionTwoPrime = 0;

RSA *RSA_parse_private_key(CBS *cbs) {
  RSAImpl *ret = FromOpaque(RSA_new());
  if (ret == nullptr) {
    return nullptr;
  }

  CBS child;
  uint64_t version;
  if (!CBS_get_asn1(cbs, &child, CBS_ASN1_SEQUENCE) ||
      !CBS_get_asn1_uint64(&child, &version)) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
    goto err;
  }

  if (version != kVersionTwoPrime) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_VERSION);
    goto err;
  }

  if (!parse_integer(&child, &ret->n) ||
      !parse_integer(&child, &ret->e) ||
      !parse_integer(&child, &ret->d) ||
      !parse_integer(&child, &ret->p) ||
      !parse_integer(&child, &ret->q) ||
      !parse_integer(&child, &ret->dmp1) ||
      !parse_integer(&child, &ret->dmq1) ||
      !parse_integer(&child, &ret->iqmp)) {
    goto err;
  }

  if (CBS_len(&child) != 0) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
    goto err;
  }

  if (!RSA_check_key(ret)) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_RSA_PARAMETERS);
    goto err;
  }

  return ret;

err:
  RSA_free(ret);
  return nullptr;
}

RSA *RSA_private_key_from_bytes(const uint8_t *in, size_t in_len) {
  CBS cbs;
  CBS_init(&cbs, in, in_len);
  RSA *ret = RSA_parse_private_key(&cbs);
  if (ret == nullptr || CBS_len(&cbs) != 0) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
    RSA_free(ret);
    return nullptr;
  }
  return ret;
}

int RSA_marshal_private_key(CBB *cbb, const RSA *rsa) {
  const RSAImpl *impl = FromOpaque(rsa);
  CBB child;
  if (!CBB_add_asn1(cbb, &child, CBS_ASN1_SEQUENCE) ||
      !CBB_add_asn1_uint64(&child, kVersionTwoPrime) ||
      !marshal_integer(&child, impl->n) || !marshal_integer(&child, impl->e) ||
      !marshal_integer(&child, impl->d) || !marshal_integer(&child, impl->p) ||
      !marshal_integer(&child, impl->q) ||
      !marshal_integer(&child, impl->dmp1) ||
      !marshal_integer(&child, impl->dmq1) ||
      !marshal_integer(&child, impl->iqmp) || !CBB_flush(cbb)) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_ENCODE_ERROR);
    return 0;
  }
  return 1;
}

int RSA_private_key_to_bytes(uint8_t **out_bytes, size_t *out_len,
                             const RSA *rsa) {
  CBB cbb;
  CBB_zero(&cbb);
  if (!CBB_init(&cbb, 0) ||
      !RSA_marshal_private_key(&cbb, rsa) ||
      !CBB_finish(&cbb, out_bytes, out_len)) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_ENCODE_ERROR);
    CBB_cleanup(&cbb);
    return 0;
  }
  return 1;
}

RSA *d2i_RSAPublicKey(RSA **out, const uint8_t **inp, long len) {
  return D2IFromCBS(out, inp, len, RSA_parse_public_key);
}

int i2d_RSAPublicKey(const RSA *in, uint8_t **outp) {
  return I2DFromCBB(
      /*initial_capacity=*/256, outp,
      [&](CBB *cbb) -> bool { return RSA_marshal_public_key(cbb, in); });
}

RSA *d2i_RSAPrivateKey(RSA **out, const uint8_t **inp, long len) {
  return D2IFromCBS(out, inp, len, RSA_parse_private_key);
}

int i2d_RSAPrivateKey(const RSA *in, uint8_t **outp) {
  return I2DFromCBB(
      /*initial_capacity=*/512, outp,
      [&](CBB *cbb) -> bool { return RSA_marshal_private_key(cbb, in); });
}

RSA *RSAPublicKey_dup(const RSA *rsa) {
  uint8_t *der;
  size_t der_len;
  if (!RSA_public_key_to_bytes(&der, &der_len, rsa)) {
    return nullptr;
  }
  RSA *ret = RSA_public_key_from_bytes(der, der_len);
  OPENSSL_free(der);
  return ret;
}

RSA *RSAPrivateKey_dup(const RSA *rsa) {
  uint8_t *der;
  size_t der_len;
  if (!RSA_private_key_to_bytes(&der, &der_len, rsa)) {
    return nullptr;
  }
  RSA *ret = RSA_private_key_from_bytes(der, der_len);
  OPENSSL_free(der);
  return ret;
}

static const uint8_t kPSSParamsSHA256[] = {
    0x30, 0x34, 0xa0, 0x0f, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48,
    0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0xa1, 0x1c, 0x30,
    0x1a, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
    0x08, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
    0x04, 0x02, 0x01, 0x05, 0x00, 0xa2, 0x03, 0x02, 0x01, 0x20};

static const uint8_t kPSSParamsSHA384[] = {
    0x30, 0x34, 0xa0, 0x0f, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48,
    0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0xa1, 0x1c, 0x30,
    0x1a, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
    0x08, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
    0x04, 0x02, 0x02, 0x05, 0x00, 0xa2, 0x03, 0x02, 0x01, 0x30};

static const uint8_t kPSSParamsSHA512[] = {
    0x30, 0x34, 0xa0, 0x0f, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48,
    0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0xa1, 0x1c, 0x30,
    0x1a, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
    0x08, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
    0x04, 0x02, 0x03, 0x05, 0x00, 0xa2, 0x03, 0x02, 0x01, 0x40};

const EVP_MD *bssl::rsa_pss_params_get_md(rsa_pss_params_t params) {
  switch (params) {
    case rsa_pss_none:
      return nullptr;
    case rsa_pss_sha256:
      return EVP_sha256();
    case rsa_pss_sha384:
      return EVP_sha384();
    case rsa_pss_sha512:
      return EVP_sha512();
  }
  abort();
}

int bssl::rsa_marshal_pss_params(CBB *cbb, rsa_pss_params_t params) {
  Span<const uint8_t> bytes;
  switch (params) {
    case rsa_pss_none:
      OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
      return 0;
    case rsa_pss_sha256:
      bytes = kPSSParamsSHA256;
      break;
    case rsa_pss_sha384:
      bytes = kPSSParamsSHA384;
      break;
    case rsa_pss_sha512:
      bytes = kPSSParamsSHA512;
      break;
  }

  return CBB_add_bytes(cbb, bytes.data(), bytes.size());
}

// 1.2.840.113549.1.1.8
static const uint8_t kMGF1OID[] = {0x2a, 0x86, 0x48, 0x86, 0xf7,
                                   0x0d, 0x01, 0x01, 0x08};

int bssl::rsa_parse_pss_params(CBS *cbs, rsa_pss_params_t *out,
                               int allow_explicit_trailer) {
  // See RFC 4055, section 3.1.
  //
  // hashAlgorithm, maskGenAlgorithm, and saltLength all have DEFAULTs
  // corresponding to SHA-1. We do not support SHA-1 with PSS, so we do not
  // bother recognizing the omitted versions.
  CBS params, hash_wrapper, mask_wrapper, mask_alg, mask_oid, salt_wrapper;
  uint64_t salt_len;
  if (!CBS_get_asn1(cbs, &params, CBS_ASN1_SEQUENCE) ||
      !CBS_get_asn1(&params, &hash_wrapper,
                    CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 0) ||
      // |hash_wrapper| will be parsed below.
      !CBS_get_asn1(&params, &mask_wrapper,
                    CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 1) ||
      !CBS_get_asn1(&mask_wrapper, &mask_alg, CBS_ASN1_SEQUENCE) ||
      !CBS_get_asn1(&mask_alg, &mask_oid, CBS_ASN1_OBJECT) ||
      // We only support MGF-1.
      Span<const uint8_t>(mask_oid) != kMGF1OID ||
      // The remainder of |mask_alg| will be parsed below.
      CBS_len(&mask_wrapper) != 0 ||
      !CBS_get_asn1(&params, &salt_wrapper,
                    CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 2) ||
      !CBS_get_asn1_uint64(&salt_wrapper, &salt_len) ||
      CBS_len(&salt_wrapper) != 0) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
    return 0;
  }

  // The trailer field must be 1 (0xbc). This value is DEFAULT, so the structure
  // is required to omit it in DER.
  if (CBS_len(&params) != 0 && allow_explicit_trailer) {
    CBS trailer_wrapper;
    uint64_t trailer;
    if (!CBS_get_asn1(&params, &trailer_wrapper,
                      CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 3) ||
        !CBS_get_asn1_uint64(&trailer_wrapper, &trailer) ||  //
        trailer != 1) {
      OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
      return 0;
    }
  }
  if (CBS_len(&params) != 0) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
    return 0;
  }

  int hash_nid = EVP_parse_digest_algorithm_nid(&hash_wrapper);
  if (hash_nid == NID_undef || CBS_len(&hash_wrapper) != 0) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
    return 0;
  }

  // We only support combinations where the MGF-1 hash matches the overall hash.
  int mgf1_hash_nid = EVP_parse_digest_algorithm_nid(&mask_alg);
  if (mgf1_hash_nid != hash_nid || CBS_len(&mask_alg) != 0) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
    return 0;
  }

  // We only support salt lengths that match the hash length.
  rsa_pss_params_t ret;
  uint64_t hash_len;
  switch (hash_nid) {
    case NID_sha256:
      ret = rsa_pss_sha256;
      hash_len = 32;
      break;
    case NID_sha384:
      ret = rsa_pss_sha384;
      hash_len = 48;
      break;
    case NID_sha512:
      ret = rsa_pss_sha512;
      hash_len = 64;
      break;
    default:
      OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
      return 0;
  }
  if (salt_len != hash_len) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
    return 0;
  }

  *out = ret;
  return 1;
}

Coverage Report

Created: 2026-02-14 06:34

Line	Count	Source
1		// Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
2		//
3		// Licensed under the Apache License, Version 2.0 (the "License");
4		// you may not use this file except in compliance with the License.
5		// You may obtain a copy of the License at
6		//
7		// https://www.apache.org/licenses/LICENSE-2.0
8		//
9		// Unless required by applicable law or agreed to in writing, software
10		// distributed under the License is distributed on an "AS IS" BASIS,
11		// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12		// See the License for the specific language governing permissions and
13		// limitations under the License.
14
15		#include <openssl/rsa.h>
16
17		#include <assert.h>
18		#include <limits.h>
19		#include <string.h>
20
21		#include <openssl/bn.h>
22		#include <openssl/bytestring.h>
23		#include <openssl/digest.h>
24		#include <openssl/err.h>
25		#include <openssl/mem.h>
26		#include <openssl/nid.h>
27		#include <openssl/span.h>
28		#include <openssl/x509.h>
29
30		#include "../bytestring/internal.h"
31		#include "../fipsmodule/rsa/internal.h"
32		#include "../internal.h"
33		#include "internal.h"
34
35
36		using namespace bssl;
37
38	213k	static int parse_integer(CBS cbs, BIGNUM *out) {
39	213k	assert(*out == nullptr);
40	213k	*out = BN_new();
41	213k	if (*out == nullptr) {
42	0	return 0;
43	0	}
44	213k	return BN_parse_asn1_unsigned(cbs, *out);
45	213k	}
46
47	2.23k	static int marshal_integer(CBB cbb, BIGNUM bn) {
48	2.23k	if (bn == nullptr) {
49		// An RSA object may be missing some components.
50	0	OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING);
51	0	return 0;
52	0	}
53	2.23k	return BN_marshal_asn1(cbb, bn);
54	2.23k	}
55
56	111k	RSA RSA_parse_public_key(CBS cbs) {
57	111k	RSAImpl *ret = FromOpaque(RSA_new());
58	111k	if (ret == nullptr) {
59	0	return nullptr;
60	0	}
61	111k	CBS child;
62	111k	if (!CBS_get_asn1(cbs, &child, CBS_ASN1_SEQUENCE) \|\|
63	107k	!parse_integer(&child, &ret->n) \|\|
64	92.2k	!parse_integer(&child, &ret->e) \|\|
65	90.2k	CBS_len(&child) != 0) {
66	21.5k	OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
67	21.5k	RSA_free(ret);
68	21.5k	return nullptr;
69	21.5k	}
70
71	89.9k	if (!RSA_check_key(ret)) {
72	1.58k	OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_RSA_PARAMETERS);
73	1.58k	RSA_free(ret);
74	1.58k	return nullptr;
75	1.58k	}
76
77	88.4k	return ret;
78	89.9k	}
79
80	111k	RSA RSA_public_key_from_bytes(const uint8_t in, size_t in_len) {
81	111k	CBS cbs;
82	111k	CBS_init(&cbs, in, in_len);
83	111k	RSA *ret = RSA_parse_public_key(&cbs);
84	111k	if (ret == nullptr \|\| CBS_len(&cbs) != 0) {
85	23.4k	OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
86	23.4k	RSA_free(ret);
87	23.4k	return nullptr;
88	23.4k	}
89	88.1k	return ret;
90	111k	}
91
92	1.11k	int RSA_marshal_public_key(CBB cbb, const RSA rsa) {
93	1.11k	CBB child;
94	1.11k	const RSAImpl *impl = FromOpaque(rsa);
95	1.11k	if (!CBB_add_asn1(cbb, &child, CBS_ASN1_SEQUENCE) \|\|
96	1.11k	!marshal_integer(&child, impl->n) \|\| !marshal_integer(&child, impl->e) \|\|
97	1.11k	!CBB_flush(cbb)) {
98	0	OPENSSL_PUT_ERROR(RSA, RSA_R_ENCODE_ERROR);
99	0	return 0;
100	0	}
101	1.11k	return 1;
102	1.11k	}
103
104		int RSA_public_key_to_bytes(uint8_t *out_bytes, size_t out_len,
105	0	const RSA *rsa) {
106	0	CBB cbb;
107	0	CBB_zero(&cbb);
108	0	if (!CBB_init(&cbb, 0) \|\|
109	0	!RSA_marshal_public_key(&cbb, rsa) \|\|
110	0	!CBB_finish(&cbb, out_bytes, out_len)) {
111	0	OPENSSL_PUT_ERROR(RSA, RSA_R_ENCODE_ERROR);
112	0	CBB_cleanup(&cbb);
113	0	return 0;
114	0	}
115	0	return 1;
116	0	}
117
118		// kVersionTwoPrime is the value of the version field for a two-prime
119		// RSAPrivateKey structure (RFC 8017).
120		static const uint64_t kVersionTwoPrime = 0;
121
122	3.15k	RSA RSA_parse_private_key(CBS cbs) {
123	3.15k	RSAImpl *ret = FromOpaque(RSA_new());
124	3.15k	if (ret == nullptr) {
125	0	return nullptr;
126	0	}
127
128	3.15k	CBS child;
129	3.15k	uint64_t version;
130	3.15k	if (!CBS_get_asn1(cbs, &child, CBS_ASN1_SEQUENCE) \|\|
131	2.69k	!CBS_get_asn1_uint64(&child, &version)) {
132	654	OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
133	654	goto err;
134	654	}
135
136	2.50k	if (version != kVersionTwoPrime) {
137	289	OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_VERSION);
138	289	goto err;
139	289	}
140
141	2.21k	if (!parse_integer(&child, &ret->n) \|\|
142	1.70k	!parse_integer(&child, &ret->e) \|\|
143	1.64k	!parse_integer(&child, &ret->d) \|\|
144	1.61k	!parse_integer(&child, &ret->p) \|\|
145	1.59k	!parse_integer(&child, &ret->q) \|\|
146	1.58k	!parse_integer(&child, &ret->dmp1) \|\|
147	1.58k	!parse_integer(&child, &ret->dmq1) \|\|
148	1.57k	!parse_integer(&child, &ret->iqmp)) {
149	648	goto err;
150	648	}
151
152	1.56k	if (CBS_len(&child) != 0) {
153	41	OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
154	41	goto err;
155	41	}
156
157	1.52k	if (!RSA_check_key(ret)) {
158	1.49k	OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_RSA_PARAMETERS);
159	1.49k	goto err;
160	1.49k	}
161
162	25	return ret;
163
164	3.13k	err:
165	3.13k	RSA_free(ret);
166	3.13k	return nullptr;
167	1.52k	}
168
169	1.16k	RSA RSA_private_key_from_bytes(const uint8_t in, size_t in_len) {
170	1.16k	CBS cbs;
171	1.16k	CBS_init(&cbs, in, in_len);
172	1.16k	RSA *ret = RSA_parse_private_key(&cbs);
173	1.16k	if (ret == nullptr \|\| CBS_len(&cbs) != 0) {
174	1.14k	OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
175	1.14k	RSA_free(ret);
176	1.14k	return nullptr;
177	1.14k	}
178	21	return ret;
179	1.16k	}
180
181	2	int RSA_marshal_private_key(CBB cbb, const RSA rsa) {
182	2	const RSAImpl *impl = FromOpaque(rsa);
183	2	CBB child;
184	2	if (!CBB_add_asn1(cbb, &child, CBS_ASN1_SEQUENCE) \|\|
185	2	!CBB_add_asn1_uint64(&child, kVersionTwoPrime) \|\|
186	2	!marshal_integer(&child, impl->n) \|\| !marshal_integer(&child, impl->e) \|\|
187	2	!marshal_integer(&child, impl->d) \|\| !marshal_integer(&child, impl->p) \|\|
188	2	!marshal_integer(&child, impl->q) \|\|
189	2	!marshal_integer(&child, impl->dmp1) \|\|
190	2	!marshal_integer(&child, impl->dmq1) \|\|
191	2	!marshal_integer(&child, impl->iqmp) \|\| !CBB_flush(cbb)) {
192	0	OPENSSL_PUT_ERROR(RSA, RSA_R_ENCODE_ERROR);
193	0	return 0;
194	0	}
195	2	return 1;
196	2	}
197
198		int RSA_private_key_to_bytes(uint8_t *out_bytes, size_t out_len,
199	0	const RSA *rsa) {
200	0	CBB cbb;
201	0	CBB_zero(&cbb);
202	0	if (!CBB_init(&cbb, 0) \|\|
203	0	!RSA_marshal_private_key(&cbb, rsa) \|\|
204	0	!CBB_finish(&cbb, out_bytes, out_len)) {
205	0	OPENSSL_PUT_ERROR(RSA, RSA_R_ENCODE_ERROR);
206	0	CBB_cleanup(&cbb);
207	0	return 0;
208	0	}
209	0	return 1;
210	0	}
211
212	0	RSA d2i_RSAPublicKey(RSA out, const uint8_t *inp, long len) {
213	0	return D2IFromCBS(out, inp, len, RSA_parse_public_key);
214	0	}
215
216	0	int i2d_RSAPublicKey(const RSA in, uint8_t *outp) {
217	0	return I2DFromCBB(
218	0	/initial_capacity=/256, outp,
219	0	[&](CBB *cbb) -> bool { return RSA_marshal_public_key(cbb, in); });
220	0	}
221
222	2	RSA d2i_RSAPrivateKey(RSA out, const uint8_t *inp, long len) {
223	2	return D2IFromCBS(out, inp, len, RSA_parse_private_key);
224	2	}
225
226	0	int i2d_RSAPrivateKey(const RSA in, uint8_t *outp) {
227	0	return I2DFromCBB(
228	0	/initial_capacity=/512, outp,
229	0	[&](CBB *cbb) -> bool { return RSA_marshal_private_key(cbb, in); });
230	0	}
231
232	0	RSA RSAPublicKey_dup(const RSA rsa) {
233	0	uint8_t *der;
234	0	size_t der_len;
235	0	if (!RSA_public_key_to_bytes(&der, &der_len, rsa)) {
236	0	return nullptr;
237	0	}
238	0	RSA *ret = RSA_public_key_from_bytes(der, der_len);
239	0	OPENSSL_free(der);
240	0	return ret;
241	0	}
242
243	0	RSA RSAPrivateKey_dup(const RSA rsa) {
244	0	uint8_t *der;
245	0	size_t der_len;
246	0	if (!RSA_private_key_to_bytes(&der, &der_len, rsa)) {
247	0	return nullptr;
248	0	}
249	0	RSA *ret = RSA_private_key_from_bytes(der, der_len);
250	0	OPENSSL_free(der);
251	0	return ret;
252	0	}
253
254		static const uint8_t kPSSParamsSHA256[] = {
255		0x30, 0x34, 0xa0, 0x0f, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48,
256		0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0xa1, 0x1c, 0x30,
257		0x1a, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
258		0x08, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
259		0x04, 0x02, 0x01, 0x05, 0x00, 0xa2, 0x03, 0x02, 0x01, 0x20};
260
261		static const uint8_t kPSSParamsSHA384[] = {
262		0x30, 0x34, 0xa0, 0x0f, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48,
263		0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0xa1, 0x1c, 0x30,
264		0x1a, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
265		0x08, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
266		0x04, 0x02, 0x02, 0x05, 0x00, 0xa2, 0x03, 0x02, 0x01, 0x30};
267
268		static const uint8_t kPSSParamsSHA512[] = {
269		0x30, 0x34, 0xa0, 0x0f, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48,
270		0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0xa1, 0x1c, 0x30,
271		0x1a, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
272		0x08, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
273		0x04, 0x02, 0x03, 0x05, 0x00, 0xa2, 0x03, 0x02, 0x01, 0x40};
274
275	0	const EVP_MD *bssl::rsa_pss_params_get_md(rsa_pss_params_t params) {
276	0	switch (params) {
277	0	case rsa_pss_none:
278	0	return nullptr;
279	0	case rsa_pss_sha256:
280	0	return EVP_sha256();
281	0	case rsa_pss_sha384:
282	0	return EVP_sha384();
283	0	case rsa_pss_sha512:
284	0	return EVP_sha512();
285	0	}
286	0	abort();
287	0	}
288
289	0	int bssl::rsa_marshal_pss_params(CBB *cbb, rsa_pss_params_t params) {
290	0	Span<const uint8_t> bytes;
291	0	switch (params) {
292	0	case rsa_pss_none:
293	0	OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
294	0	return 0;
295	0	case rsa_pss_sha256:
296	0	bytes = kPSSParamsSHA256;
297	0	break;
298	0	case rsa_pss_sha384:
299	0	bytes = kPSSParamsSHA384;
300	0	break;
301	0	case rsa_pss_sha512:
302	0	bytes = kPSSParamsSHA512;
303	0	break;
304	0	}
305
306	0	return CBB_add_bytes(cbb, bytes.data(), bytes.size());
307	0	}
308
309		// 1.2.840.113549.1.1.8
310		static const uint8_t kMGF1OID[] = {0x2a, 0x86, 0x48, 0x86, 0xf7,
311		0x0d, 0x01, 0x01, 0x08};
312
313		int bssl::rsa_parse_pss_params(CBS cbs, rsa_pss_params_t out,
314	94	int allow_explicit_trailer) {
315		// See RFC 4055, section 3.1.
316		//
317		// hashAlgorithm, maskGenAlgorithm, and saltLength all have DEFAULTs
318		// corresponding to SHA-1. We do not support SHA-1 with PSS, so we do not
319		// bother recognizing the omitted versions.
320	94	CBS params, hash_wrapper, mask_wrapper, mask_alg, mask_oid, salt_wrapper;
321	94	uint64_t salt_len;
322	94	if (!CBS_get_asn1(cbs, &params, CBS_ASN1_SEQUENCE) \|\|
323	94	!CBS_get_asn1(&params, &hash_wrapper,
324	94	CBS_ASN1_CONSTRUCTED \| CBS_ASN1_CONTEXT_SPECIFIC \| 0) \|\|
325		// \|hash_wrapper\| will be parsed below.
326	67	!CBS_get_asn1(&params, &mask_wrapper,
327	67	CBS_ASN1_CONSTRUCTED \| CBS_ASN1_CONTEXT_SPECIFIC \| 1) \|\|
328	66	!CBS_get_asn1(&mask_wrapper, &mask_alg, CBS_ASN1_SEQUENCE) \|\|
329	65	!CBS_get_asn1(&mask_alg, &mask_oid, CBS_ASN1_OBJECT) \|\|
330		// We only support MGF-1.
331	64	Span<const uint8_t>(mask_oid) != kMGF1OID \|\|
332		// The remainder of \|mask_alg\| will be parsed below.
333	59	CBS_len(&mask_wrapper) != 0 \|\|
334	58	!CBS_get_asn1(&params, &salt_wrapper,
335	58	CBS_ASN1_CONSTRUCTED \| CBS_ASN1_CONTEXT_SPECIFIC \| 2) \|\|
336	55	!CBS_get_asn1_uint64(&salt_wrapper, &salt_len) \|\|
337	54	CBS_len(&salt_wrapper) != 0) {
338	41	OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
339	41	return 0;
340	41	}
341
342		// The trailer field must be 1 (0xbc). This value is DEFAULT, so the structure
343		// is required to omit it in DER.
344	53	if (CBS_len(&params) != 0 && allow_explicit_trailer) {
345	5	CBS trailer_wrapper;
346	5	uint64_t trailer;
347	5	if (!CBS_get_asn1(&params, &trailer_wrapper,
348	5	CBS_ASN1_CONSTRUCTED \| CBS_ASN1_CONTEXT_SPECIFIC \| 3) \|\|
349	4	!CBS_get_asn1_uint64(&trailer_wrapper, &trailer) \|\| //
350	4	trailer != 1) {
351	4	OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
352	4	return 0;
353	4	}
354	5	}
355	49	if (CBS_len(&params) != 0) {
356	1	OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
357	1	return 0;
358	1	}
359
360	48	int hash_nid = EVP_parse_digest_algorithm_nid(&hash_wrapper);
361	48	if (hash_nid == NID_undef \|\| CBS_len(&hash_wrapper) != 0) {
362	16	OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
363	16	return 0;
364	16	}
365
366		// We only support combinations where the MGF-1 hash matches the overall hash.
367	32	int mgf1_hash_nid = EVP_parse_digest_algorithm_nid(&mask_alg);
368	32	if (mgf1_hash_nid != hash_nid \|\| CBS_len(&mask_alg) != 0) {
369	12	OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
370	12	return 0;
371	12	}
372
373		// We only support salt lengths that match the hash length.
374	20	rsa_pss_params_t ret;
375	20	uint64_t hash_len;
376	20	switch (hash_nid) {
377	9	case NID_sha256:
378	9	ret = rsa_pss_sha256;
379	9	hash_len = 32;
380	9	break;
381	3	case NID_sha384:
382	3	ret = rsa_pss_sha384;
383	3	hash_len = 48;
384	3	break;
385	4	case NID_sha512:
386	4	ret = rsa_pss_sha512;
387	4	hash_len = 64;
388	4	break;
389	4	default:
390	4	OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
391	4	return 0;
392	20	}
393	16	if (salt_len != hash_len) {
394	2	OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
395	2	return 0;
396	2	}
397
398	14	*out = ret;
399	14	return 1;
400	16	}