Coverage Report

Created: 2026-06-15 07:04

/src/boringssl/crypto/rsa/rsa_asn1.cc
// Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include <openssl/rsa.h>
#include <assert.h>
#include <limits.h>
#include <string.h>
#include <openssl/bn.h>
#include <openssl/bytestring.h>
#include <openssl/digest.h>
#include <openssl/err.h>
#include <openssl/mem.h>
#include <openssl/nid.h>
#include <openssl/span.h>
#include <openssl/x509.h>
#include "../bytestring/internal.h"
#include "../fipsmodule/rsa/internal.h"
#include "../internal.h"
#include "internal.h"
using namespace bssl;
// parse_integer reads one ASN.1 INTEGER from `cbs` into a freshly allocated
// BIGNUM that `*out` takes ownership of. `*out` must be empty on entry; this is
// enforced only by `assert`, so it is not checked in builds that compile
// assertions out. Returns one on success and zero if the allocation or the
// parse fails. After a parse failure `*out` still owns the allocated BIGNUM.
static int parse_integer(CBS *cbs, UniquePtr<BIGNUM> *out) {
  UniquePtr<BIGNUM> &slot = *out;
  assert(slot == nullptr);
  slot.reset(BN_new());
  if (!slot) {
    return 0;
  }
  // The decoding itself, including whatever checks it applies to the encoded
  // value, is delegated to BN_parse_asn1_unsigned.
  return BN_parse_asn1_unsigned(cbs, slot.get());
}
// marshal_integer appends `bn` to `cbb` via BN_marshal_asn1. A null `bn` is
// reported as RSA_R_VALUE_MISSING instead of being dereferenced. Returns one on
// success and zero on error.
static int marshal_integer(CBB *cbb, const BIGNUM *bn) {
  if (bn != nullptr) {
    return BN_marshal_asn1(cbb, bn);
  }
  // An RSA object may be missing some components; refuse to serialize a
  // partial key rather than emit a truncated structure.
  OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING);
  return 0;
}
// RSA_parse_public_key parses a SEQUENCE of exactly two INTEGERs from `cbs`
// and stores them as the modulus `n` and public exponent `e` of a new RSA
// object. Returns the new object, owned by the caller, or nullptr on error.
//
// Data left inside the SEQUENCE after `e` is rejected. Bytes that follow the
// SEQUENCE are left in `cbs` and are the caller's responsibility; see
// RSA_public_key_from_bytes for the strict whole-buffer variant. A key that
// parses but fails RSA_check_key is rejected with RSA_R_BAD_RSA_PARAMETERS.
RSA *RSA_parse_public_key(CBS *cbs) {
  RSAImpl *key = FromOpaque(RSA_new());
  if (key == nullptr) {
    return nullptr;
  }

  CBS seq;
  const bool well_formed = CBS_get_asn1(cbs, &seq, CBS_ASN1_SEQUENCE) &&
                           parse_integer(&seq, &key->n) &&
                           parse_integer(&seq, &key->e) &&
                           CBS_len(&seq) == 0;
  if (!well_formed) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
    RSA_free(key);
    return nullptr;
  }

  // Syntactically valid input is still untrusted: only hand back keys that
  // pass the library's own parameter checks.
  if (RSA_check_key(key)) {
    return key;
  }

  OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_RSA_PARAMETERS);
  RSA_free(key);
  return nullptr;
}
// RSA_public_key_from_bytes parses the `in_len` bytes at `in` with
// RSA_parse_public_key and additionally requires that the structure consumes
// the whole buffer. Returns a new RSA object owned by the caller, or nullptr
// (with RSA_R_BAD_ENCODING queued) if parsing fails or trailing bytes remain.
RSA *RSA_public_key_from_bytes(const uint8_t *in, size_t in_len) {
  CBS input;
  CBS_init(&input, in, in_len);

  RSA *key = RSA_parse_public_key(&input);
  if (key != nullptr && CBS_len(&input) == 0) {
    return key;
  }

  // Either the parse failed (`key` is null and RSA_free is handed a null
  // pointer, as in the original error path) or bytes follow the key, in which
  // case the parsed key is discarded.
  OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
  RSA_free(key);
  return nullptr;
}
// RSA_marshal_public_key appends a SEQUENCE containing `n` and `e` of `rsa` to
// `cbb`. Returns one on success. Returns zero with RSA_R_ENCODE_ERROR queued
// if any step fails, including when either component is missing from `rsa`.
int RSA_marshal_public_key(CBB *cbb, const RSA *rsa) {
  const RSAImpl *key = FromOpaque(rsa);
  CBB seq;
  const bool ok = CBB_add_asn1(cbb, &seq, CBS_ASN1_SEQUENCE) &&
                  marshal_integer(&seq, key->n.get()) &&
                  marshal_integer(&seq, key->e.get()) &&
                  CBB_flush(cbb);
  if (ok) {
    return 1;
  }
  OPENSSL_PUT_ERROR(RSA, RSA_R_ENCODE_ERROR);
  return 0;
}
// RSA_public_key_to_bytes serializes the public half of `rsa` with
// RSA_marshal_public_key into a newly allocated buffer. On success it returns
// one and hands the buffer and its length to the caller through `*out_bytes`
// and `*out_len`; RSAPublicKey_dup in this file releases such a buffer with
// OPENSSL_free. On failure it returns zero with RSA_R_ENCODE_ERROR queued.
int RSA_public_key_to_bytes(uint8_t **out_bytes, size_t *out_len,
                            const RSA *rsa) {
  CBB cbb;
  // Zero first so that CBB_cleanup is safe on the error path even if CBB_init
  // itself is the call that fails.
  CBB_zero(&cbb);
  if (CBB_init(&cbb, 0) &&
      RSA_marshal_public_key(&cbb, rsa) &&
      CBB_finish(&cbb, out_bytes, out_len)) {
    return 1;
  }
  OPENSSL_PUT_ERROR(RSA, RSA_R_ENCODE_ERROR);
  CBB_cleanup(&cbb);
  return 0;
}
// kVersionTwoPrime is the value of the version field for a two-prime
// RSAPrivateKey structure (RFC 8017). It is the only version value that
// RSA_parse_private_key accepts and the one RSA_marshal_private_key writes.
static const uint64_t kVersionTwoPrime = 0;
// RSA_parse_private_key parses a two-prime RSAPrivateKey structure (RFC 8017)
// from `cbs`: a SEQUENCE holding a version of kVersionTwoPrime followed by the
// eight INTEGERs n, e, d, p, q, dmp1, dmq1 and iqmp. Returns a new RSA object
// owned by the caller, or nullptr on error.
//
// Any other version value, data left inside the SEQUENCE after `iqmp`, and
// keys that fail RSA_check_key are all rejected. Bytes that follow the
// SEQUENCE are left in `cbs` for the caller to deal with. Every failure path
// releases the partially populated key with RSA_free.
RSA *RSA_parse_private_key(CBS *cbs) {
  RSAImpl *key = FromOpaque(RSA_new());
  if (key == nullptr) {
    return nullptr;
  }

  // Shared failure exit: drop whatever has been parsed so far.
  const auto discard = [key]() -> RSA * {
    RSA_free(key);
    return nullptr;
  };

  CBS seq;
  uint64_t version;
  const bool has_version = CBS_get_asn1(cbs, &seq, CBS_ASN1_SEQUENCE) &&
                           CBS_get_asn1_uint64(&seq, &version);
  if (!has_version) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
    return discard();
  }

  if (version != kVersionTwoPrime) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_VERSION);
    return discard();
  }

  // The components appear in this fixed order in the encoding. No RSA error
  // code is queued here on failure; this function adds nothing beyond what
  // parse_integer's callees report.
  UniquePtr<BIGNUM> *const components[] = {
      &key->n, &key->e,    &key->d,    &key->p,
      &key->q, &key->dmp1, &key->dmq1, &key->iqmp,
  };
  for (UniquePtr<BIGNUM> *component : components) {
    if (!parse_integer(&seq, component)) {
      return discard();
    }
  }

  if (CBS_len(&seq) != 0) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
    return discard();
  }

  // A well-formed encoding says nothing about whether the numbers form a
  // usable key, so the result must pass RSA_check_key before it is returned.
  if (!RSA_check_key(key)) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_RSA_PARAMETERS);
    return discard();
  }

  return key;
}
// RSA_private_key_from_bytes parses the `in_len` bytes at `in` with
// RSA_parse_private_key and additionally requires that the structure consumes
// the whole buffer. Returns a new RSA object owned by the caller, or nullptr
// (with RSA_R_BAD_ENCODING queued) if parsing fails or trailing bytes remain.
RSA *RSA_private_key_from_bytes(const uint8_t *in, size_t in_len) {
  CBS input;
  CBS_init(&input, in, in_len);

  RSA *key = RSA_parse_private_key(&input);
  if (key != nullptr && CBS_len(&input) == 0) {
    return key;
  }

  // On the trailing-data path `key` is a fully parsed private key; it is
  // released here rather than returned.
  OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
  RSA_free(key);
  return nullptr;
}
// RSA_marshal_private_key appends a two-prime RSAPrivateKey structure for
// `rsa` to `cbb`: a SEQUENCE with version kVersionTwoPrime followed by n, e,
// d, p, q, dmp1, dmq1 and iqmp. Returns one on success. Returns zero with
// RSA_R_ENCODE_ERROR queued if any step fails, including when any of the eight
// components is missing from `rsa`.
//
// The bytes written to `cbb` are secret key material.
int RSA_marshal_private_key(CBB *cbb, const RSA *rsa) {
  const RSAImpl *key = FromOpaque(rsa);
  // Encoding order of the components.
  const BIGNUM *const components[] = {
      key->n.get(), key->e.get(),    key->d.get(),    key->p.get(),
      key->q.get(), key->dmp1.get(), key->dmq1.get(), key->iqmp.get(),
  };

  CBB seq;
  bool ok = CBB_add_asn1(cbb, &seq, CBS_ASN1_SEQUENCE) &&
            CBB_add_asn1_uint64(&seq, kVersionTwoPrime);
  for (const BIGNUM *component : components) {
    if (!ok) {
      break;
    }
    ok = marshal_integer(&seq, component) != 0;
  }
  ok = ok && CBB_flush(cbb);

  if (!ok) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_ENCODE_ERROR);
    return 0;
  }
  return 1;
}
// RSA_private_key_to_bytes serializes `rsa` with RSA_marshal_private_key into
// a newly allocated buffer. On success it returns one and hands the buffer and
// its length to the caller through `*out_bytes` and `*out_len`. On failure it
// returns zero with RSA_R_ENCODE_ERROR queued.
//
// The returned buffer holds the private key in the clear. The caller owns it
// and should keep its lifetime short; RSAPrivateKey_dup in this file releases
// such a buffer with OPENSSL_free.
int RSA_private_key_to_bytes(uint8_t **out_bytes, size_t *out_len,
                             const RSA *rsa) {
  CBB cbb;
  // Zero first so that CBB_cleanup is safe on the error path even if CBB_init
  // itself is the call that fails.
  CBB_zero(&cbb);
  if (CBB_init(&cbb, 0) &&
      RSA_marshal_private_key(&cbb, rsa) &&
      CBB_finish(&cbb, out_bytes, out_len)) {
    return 1;
  }
  OPENSSL_PUT_ERROR(RSA, RSA_R_ENCODE_ERROR);
  CBB_cleanup(&cbb);
  return 0;
}
// d2i_RSAPublicKey is the legacy d2i-style entry point for public keys. It
// forwards to D2IFromCBS with RSA_parse_public_key as the parser, so accepted
// keys go through the same checks as RSA_parse_public_key.
// NOTE(review): the handling of `out`, `inp` and of a negative `len` lives in
// D2IFromCBS, which is not visible here - confirm there.
RSA *d2i_RSAPublicKey(RSA **out, const uint8_t **inp, long len) {
  RSA *parsed = D2IFromCBS(out, inp, len, RSA_parse_public_key);
  return parsed;
}
// i2d_RSAPublicKey is the legacy i2d-style entry point for public keys. It
// forwards to I2DFromCBB with an initial capacity of 256 bytes and a callback
// that serializes `in` with RSA_marshal_public_key.
// NOTE(review): the `outp` buffer conventions and the meaning of the return
// value are implemented by I2DFromCBB, which is not visible here.
int i2d_RSAPublicKey(const RSA *in, uint8_t **outp) {
  const auto marshal = [&](CBB *cbb) -> bool {
    return RSA_marshal_public_key(cbb, in);
  };
  return I2DFromCBB(/*initial_capacity=*/256, outp, marshal);
}
// d2i_RSAPrivateKey is the legacy d2i-style entry point for private keys. It
// forwards to D2IFromCBS with RSA_parse_private_key as the parser, so accepted
// keys go through the same checks as RSA_parse_private_key.
// NOTE(review): the handling of `out`, `inp` and of a negative `len` lives in
// D2IFromCBS, which is not visible here - confirm there.
RSA *d2i_RSAPrivateKey(RSA **out, const uint8_t **inp, long len) {
  RSA *parsed = D2IFromCBS(out, inp, len, RSA_parse_private_key);
  return parsed;
}
// i2d_RSAPrivateKey is the legacy i2d-style entry point for private keys. It
// forwards to I2DFromCBB with an initial capacity of 512 bytes and a callback
// that serializes `in` with RSA_marshal_private_key. The output is secret key
// material.
// NOTE(review): the `outp` buffer conventions and the meaning of the return
// value are implemented by I2DFromCBB, which is not visible here.
int i2d_RSAPrivateKey(const RSA *in, uint8_t **outp) {
  const auto marshal = [&](CBB *cbb) -> bool {
    return RSA_marshal_private_key(cbb, in);
  };
  return I2DFromCBB(/*initial_capacity=*/512, outp, marshal);
}
// RSAPublicKey_dup copies the public half of `rsa` by serializing it with
// RSA_public_key_to_bytes and parsing the result back with
// RSA_public_key_from_bytes. Returns a new RSA object owned by the caller, or
// nullptr if either step fails. Because the copy is re-parsed, it is subject
// to the same checks as any other parsed public key.
RSA *RSAPublicKey_dup(const RSA *rsa) {
  uint8_t *encoded = nullptr;
  size_t encoded_len = 0;
  if (RSA_public_key_to_bytes(&encoded, &encoded_len, rsa)) {
    RSA *copy = RSA_public_key_from_bytes(encoded, encoded_len);
    // The temporary encoding is released whether or not the re-parse worked.
    OPENSSL_free(encoded);
    return copy;
  }
  return nullptr;
}
// RSAPrivateKey_dup copies `rsa` by serializing it with
// RSA_private_key_to_bytes and parsing the result back with
// RSA_private_key_from_bytes. Returns a new RSA object owned by the caller, or
// nullptr if either step fails.
//
// The intermediate buffer holds the private key in the clear for the duration
// of the call and is released with OPENSSL_free on both outcomes of the
// re-parse.
// NOTE(review): whether the buffer is wiped before release depends on
// OPENSSL_free, which is not visible here - confirm.
RSA *RSAPrivateKey_dup(const RSA *rsa) {
  uint8_t *encoded = nullptr;
  size_t encoded_len = 0;
  if (RSA_private_key_to_bytes(&encoded, &encoded_len, rsa)) {
    RSA *copy = RSA_private_key_from_bytes(encoded, encoded_len);
    OPENSSL_free(encoded);
    return copy;
  }
  return nullptr;
}
// kPSSParamsSHA256 is a DER-encoded RSASSA-PSS parameters structure with
// SHA-256 as the hash, MGF-1 over SHA-256 as the mask generation function and
// a salt length of 32. The trailer field is omitted.
static const uint8_t kPSSParamsSHA256[] = {
    // SEQUENCE, 52 bytes
    0x30, 0x34,
    // [0] hashAlgorithm, 15 bytes
    0xa0, 0x0f,
    //   SEQUENCE, 13 bytes
    0x30, 0x0d,
    //     OBJECT IDENTIFIER 2.16.840.1.101.3.4.2.1 (SHA-256)
    0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01,
    //     NULL
    0x05, 0x00,
    // [1] maskGenAlgorithm, 28 bytes
    0xa1, 0x1c,
    //   SEQUENCE, 26 bytes
    0x30, 0x1a,
    //     OBJECT IDENTIFIER 1.2.840.113549.1.1.8 (MGF-1)
    0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x08,
    //     SEQUENCE, 13 bytes
    0x30, 0x0d,
    //       OBJECT IDENTIFIER 2.16.840.1.101.3.4.2.1 (SHA-256)
    0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01,
    //       NULL
    0x05, 0x00,
    // [2] saltLength, 3 bytes: INTEGER 32
    0xa2, 0x03, 0x02, 0x01, 0x20,
};
// kPSSParamsSHA384 is a DER-encoded RSASSA-PSS parameters structure with
// SHA-384 as the hash, MGF-1 over SHA-384 as the mask generation function and
// a salt length of 48. The trailer field is omitted.
static const uint8_t kPSSParamsSHA384[] = {
    // SEQUENCE, 52 bytes
    0x30, 0x34,
    // [0] hashAlgorithm, 15 bytes
    0xa0, 0x0f,
    //   SEQUENCE, 13 bytes
    0x30, 0x0d,
    //     OBJECT IDENTIFIER 2.16.840.1.101.3.4.2.2 (SHA-384)
    0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02,
    //     NULL
    0x05, 0x00,
    // [1] maskGenAlgorithm, 28 bytes
    0xa1, 0x1c,
    //   SEQUENCE, 26 bytes
    0x30, 0x1a,
    //     OBJECT IDENTIFIER 1.2.840.113549.1.1.8 (MGF-1)
    0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x08,
    //     SEQUENCE, 13 bytes
    0x30, 0x0d,
    //       OBJECT IDENTIFIER 2.16.840.1.101.3.4.2.2 (SHA-384)
    0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02,
    //       NULL
    0x05, 0x00,
    // [2] saltLength, 3 bytes: INTEGER 48
    0xa2, 0x03, 0x02, 0x01, 0x30,
};
// kPSSParamsSHA512 is a DER-encoded RSASSA-PSS parameters structure with
// SHA-512 as the hash, MGF-1 over SHA-512 as the mask generation function and
// a salt length of 64. The trailer field is omitted.
static const uint8_t kPSSParamsSHA512[] = {
    // SEQUENCE, 52 bytes
    0x30, 0x34,
    // [0] hashAlgorithm, 15 bytes
    0xa0, 0x0f,
    //   SEQUENCE, 13 bytes
    0x30, 0x0d,
    //     OBJECT IDENTIFIER 2.16.840.1.101.3.4.2.3 (SHA-512)
    0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03,
    //     NULL
    0x05, 0x00,
    // [1] maskGenAlgorithm, 28 bytes
    0xa1, 0x1c,
    //   SEQUENCE, 26 bytes
    0x30, 0x1a,
    //     OBJECT IDENTIFIER 1.2.840.113549.1.1.8 (MGF-1)
    0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x08,
    //     SEQUENCE, 13 bytes
    0x30, 0x0d,
    //       OBJECT IDENTIFIER 2.16.840.1.101.3.4.2.3 (SHA-512)
    0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03,
    //       NULL
    0x05, 0x00,
    // [2] saltLength, 3 bytes: INTEGER 64
    0xa2, 0x03, 0x02, 0x01, 0x40,
};
// rsa_pss_params_get_md maps a PSS parameter set to its digest: nullptr for
// `rsa_pss_none`, otherwise EVP_sha256, EVP_sha384 or EVP_sha512. A value
// outside the four known enumerators aborts the process instead of returning a
// digest the caller did not ask for.
const EVP_MD *bssl::rsa_pss_params_get_md(rsa_pss_params_t params) {
  if (params == rsa_pss_none) {
    return nullptr;
  }
  if (params == rsa_pss_sha256) {
    return EVP_sha256();
  }
  if (params == rsa_pss_sha384) {
    return EVP_sha384();
  }
  if (params == rsa_pss_sha512) {
    return EVP_sha512();
  }
  abort();
}
// rsa_marshal_pss_params appends the pre-encoded PSS parameters for `params`
// (kPSSParamsSHA256, kPSSParamsSHA384 or kPSSParamsSHA512) to `cbb` and
// returns the result of CBB_add_bytes. `rsa_pss_none` has no encoding and
// fails with ERR_R_INTERNAL_ERROR.
//
// NOTE(review): a value outside the four known enumerators leaves `encoded`
// empty, so zero bytes are appended and the CBB_add_bytes result is returned,
// whereas rsa_pss_params_get_md aborts in that case. Worth confirming the
// difference is intended.
int bssl::rsa_marshal_pss_params(CBB *cbb, rsa_pss_params_t params) {
  if (params == rsa_pss_none) {
    OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
    return 0;
  }

  Span<const uint8_t> encoded;
  if (params == rsa_pss_sha256) {
    encoded = kPSSParamsSHA256;
  } else if (params == rsa_pss_sha384) {
    encoded = kPSSParamsSHA384;
  } else if (params == rsa_pss_sha512) {
    encoded = kPSSParamsSHA512;
  }

  return CBB_add_bytes(cbb, encoded.data(), encoded.size());
}
// kMGF1OID holds the encoded contents, without tag or length, of the MGF-1
// object identifier 1.2.840.113549.1.1.8. rsa_parse_pss_params compares the
// mask generation algorithm OID against it.
static const uint8_t kMGF1OID[] = {
    0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x08,
};
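// rsa_parse_pss_params parses RSASSA-PSS parameters (RFC 4055, section 3.1)
// from `cbs`. On success it writes the matching parameter set to `*out` and
// returns one. On any error it queues RSA_R_BAD_ENCODING, leaves `*out`
// untouched and returns zero.
//
// Only a narrow set of parameters is accepted: the hash must be SHA-256,
// SHA-384 or SHA-512, the mask generation function must be MGF-1 over the same
// hash, and the salt length must equal the hash length. Each wrapper must be
// fully consumed. If `allow_explicit_trailer` is non-zero, an explicitly
// encoded trailer field equal to one is tolerated; otherwise any data after
// the salt length is an error. Bytes following the parameters SEQUENCE are
// left in `cbs` for the caller to check.
int bssl::rsa_parse_pss_params(CBS *cbs, rsa_pss_params_t *out,
                               int allow_explicit_trailer) {
  // See RFC 4055, section 3.1.
  //
  // hashAlgorithm, maskGenAlgorithm, and saltLength all have DEFAULTs
  // corresponding to SHA-1. We do not support SHA-1 with PSS, so we do not
  // bother recognizing the omitted versions.
  CBS params, hash_wrapper, mask_wrapper, mask_alg, mask_oid, salt_wrapper;
  uint64_t salt_len;
  if (!CBS_get_asn1(cbs, &params, CBS_ASN1_SEQUENCE) ||
      !CBS_get_asn1(&params, &hash_wrapper,
                    CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 0) ||
      // `hash_wrapper` will be parsed below.
      !CBS_get_asn1(&params, &mask_wrapper,
                    CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 1) ||
      !CBS_get_asn1(&mask_wrapper, &mask_alg, CBS_ASN1_SEQUENCE) ||
      !CBS_get_asn1(&mask_alg, &mask_oid, CBS_ASN1_OBJECT) ||
      // We only support MGF-1.
      Span<const uint8_t>(mask_oid) != kMGF1OID ||
      // The remainder of `mask_alg` will be parsed below.
      CBS_len(&mask_wrapper) != 0 ||
      !CBS_get_asn1(&params, &salt_wrapper,
                    CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 2) ||
      !CBS_get_asn1_uint64(&salt_wrapper, &salt_len) ||
      CBS_len(&salt_wrapper) != 0) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
    return 0;
  }

  // The trailer field must be 1 (0xbc). This value is DEFAULT, so the structure
  // is required to omit it in DER.
  if (CBS_len(&params) != 0 && allow_explicit_trailer) {
    CBS trailer_wrapper;
    uint64_t trailer;
    if (!CBS_get_asn1(&params, &trailer_wrapper,
                      CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 3) ||
        !CBS_get_asn1_uint64(&trailer_wrapper, &trailer) ||  //
        trailer != 1 ||
        // Like the hash, mask and salt wrappers, the trailer wrapper must hold
        // nothing beyond its INTEGER. Without this check, extra bytes inside
        // the [3] wrapper were silently accepted on the lenient path.
        CBS_len(&trailer_wrapper) != 0) {
      OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
      return 0;
    }
  }
  // Anything still unread is either an explicit trailer that the caller did
  // not opt in to, or unknown trailing data.
  if (CBS_len(&params) != 0) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
    return 0;
  }

  int hash_nid = EVP_parse_digest_algorithm_nid(&hash_wrapper);
  if (hash_nid == NID_undef || CBS_len(&hash_wrapper) != 0) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
    return 0;
  }

  // We only support combinations where the MGF-1 hash matches the overall hash.
  int mgf1_hash_nid = EVP_parse_digest_algorithm_nid(&mask_alg);
  if (mgf1_hash_nid != hash_nid || CBS_len(&mask_alg) != 0) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
    return 0;
  }

  // We only support salt lengths that match the hash length.
  rsa_pss_params_t ret;
  uint64_t hash_len;
  switch (hash_nid) {
    case NID_sha256:
      ret = rsa_pss_sha256;
      hash_len = 32;
      break;
    case NID_sha384:
      ret = rsa_pss_sha384;
      hash_len = 48;
      break;
    case NID_sha512:
      ret = rsa_pss_sha512;
      hash_len = 64;
      break;
    default:
      // A digest that parsed successfully but is not one of the three
      // supported hashes is rejected here.
      OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
      return 0;
  }
  if (salt_len != hash_len) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
    return 0;
  }

  *out = ret;
  return 1;
}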