Coverage Report

Created: 2026-06-28 06:23

/src/boringssl/crypto/rsa/rsa_asn1.cc
Line
Count
Source
1
// Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
2
//
3
// Licensed under the Apache License, Version 2.0 (the "License");
4
// you may not use this file except in compliance with the License.
5
// You may obtain a copy of the License at
6
//
7
//     https://www.apache.org/licenses/LICENSE-2.0
8
//
9
// Unless required by applicable law or agreed to in writing, software
10
// distributed under the License is distributed on an "AS IS" BASIS,
11
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12
// See the License for the specific language governing permissions and
13
// limitations under the License.
14
15
#include <openssl/rsa.h>
16
17
#include <assert.h>
18
#include <limits.h>
19
#include <string.h>
20
21
#include <openssl/bn.h>
22
#include <openssl/bytestring.h>
23
#include <openssl/digest.h>
24
#include <openssl/err.h>
25
#include <openssl/mem.h>
26
#include <openssl/nid.h>
27
#include <openssl/span.h>
28
#include <openssl/x509.h>
29
30
#include "../bytestring/internal.h"
31
#include "../fipsmodule/rsa/internal.h"
32
#include "../internal.h"
33
#include "internal.h"
34
35
36
using namespace bssl;
// Allocates a fresh BIGNUM into `*out` and fills it from the next ASN.1
// INTEGER in `cbs` via BN_parse_asn1_unsigned. `*out` must be empty on entry;
// that precondition is checked with assert() only. Returns zero if the
// allocation fails, otherwise whatever BN_parse_asn1_unsigned returns. On a
// parse failure the new BIGNUM stays owned by `*out`, so it is released when
// the owning object is destroyed.
//
// Coverage (this report): the allocation-failure branch was never taken.
static int parse_integer(CBS *cbs, UniquePtr<BIGNUM> *out) {
  assert(*out == nullptr);
  UniquePtr<BIGNUM> &slot = *out;
  slot.reset(BN_new());
  if (slot == nullptr) {
    return 0;
  }
  return BN_parse_asn1_unsigned(cbs, slot.get());
}
// Appends `bn` to `cbb` as an ASN.1 INTEGER via BN_marshal_asn1. A null `bn`
// is reported as RSA_R_VALUE_MISSING and returns zero instead of being
// dereferenced, so serializing a partially populated key fails cleanly.
//
// Coverage (this report): the missing-value branch was never taken.
static int marshal_integer(CBB *cbb, const BIGNUM *bn) {
  if (bn != nullptr) {
    return BN_marshal_asn1(cbb, bn);
  }
  // An RSA object may be missing some components.
  OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING);
  return 0;
}
// Parses a SEQUENCE { n INTEGER, e INTEGER } from the front of `cbs` into a
// newly allocated RSA object. Bytes left over inside the SEQUENCE are rejected
// with RSA_R_BAD_ENCODING; bytes after the SEQUENCE are left in `cbs` for the
// caller to deal with. The parsed key must also pass RSA_check_key, otherwise
// RSA_R_BAD_RSA_PARAMETERS is raised. Returns the new key (owned by the
// caller) or nullptr on any failure.
RSA *RSA_parse_public_key(CBS *cbs) {
  RSAImpl *key = FromOpaque(RSA_new());
  if (key == nullptr) {
    return nullptr;
  }

  CBS seq;
  const bool well_formed = CBS_get_asn1(cbs, &seq, CBS_ASN1_SEQUENCE) &&
                           parse_integer(&seq, &key->n) &&
                           parse_integer(&seq, &key->e) &&
                           CBS_len(&seq) == 0;
  if (!well_formed) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
    RSA_free(key);
    return nullptr;
  }

  // Structural parsing is not enough: the values themselves are validated
  // before the key is handed back to the caller.
  if (!RSA_check_key(key)) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_RSA_PARAMETERS);
    RSA_free(key);
    return nullptr;
  }

  return key;
}
// Parses exactly one public key from the `in_len` bytes at `in`. Unlike
// RSA_parse_public_key, any bytes following the key structure are an error
// (RSA_R_BAD_ENCODING), so the whole buffer must be the encoding. Returns a
// caller-owned key, or nullptr on failure.
RSA *RSA_public_key_from_bytes(const uint8_t *in, size_t in_len) {
  CBS reader;
  CBS_init(&reader, in, in_len);
  RSA *key = RSA_parse_public_key(&reader);
  if (key != nullptr && CBS_len(&reader) == 0) {
    return key;
  }
  // Either parsing failed (key is null and RSA_free is handed a null pointer)
  // or trailing data remained after a successful parse.
  OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
  RSA_free(key);
  return nullptr;
}
// Appends SEQUENCE { n INTEGER, e INTEGER } for `rsa` to `cbb` and flushes
// `cbb`. Returns one on success. On failure (including a missing n or e,
// which marshal_integer reports) RSA_R_ENCODE_ERROR is raised and zero is
// returned.
//
// Coverage (this report): the failure branch was never taken.
int RSA_marshal_public_key(CBB *cbb, const RSA *rsa) {
  const RSAImpl *key = FromOpaque(rsa);
  CBB seq;
  const bool encoded = CBB_add_asn1(cbb, &seq, CBS_ASN1_SEQUENCE) &&
                       marshal_integer(&seq, key->n.get()) &&
                       marshal_integer(&seq, key->e.get()) &&
                       CBB_flush(cbb);
  if (encoded) {
    return 1;
  }
  OPENSSL_PUT_ERROR(RSA, RSA_R_ENCODE_ERROR);
  return 0;
}
// Serializes the public half of `rsa` into a buffer produced by CBB_finish,
// returned through `*out_bytes` / `*out_len`. Returns one on success. On
// failure the builder is cleaned up, RSA_R_ENCODE_ERROR is raised and zero is
// returned.
//
// Coverage (this report): this function was never executed.
int RSA_public_key_to_bytes(uint8_t **out_bytes, size_t *out_len,
                            const RSA *rsa) {
  CBB builder;
  // Zeroed first so that CBB_cleanup is safe on every failure path.
  CBB_zero(&builder);
  const bool encoded = CBB_init(&builder, 0) &&
                       RSA_marshal_public_key(&builder, rsa) &&
                       CBB_finish(&builder, out_bytes, out_len);
  if (!encoded) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_ENCODE_ERROR);
    CBB_cleanup(&builder);
    return 0;
  }
  return 1;
}
// kVersionTwoPrime is the value of the version field for a two-prime
// RSAPrivateKey structure (RFC 8017). It is the only version the parser in
// this file accepts and the only one the serializer emits.
static const uint64_t kVersionTwoPrime = 0;
// Parses an RSAPrivateKey SEQUENCE (version, n, e, d, p, q, dmp1, dmq1, iqmp)
// from the front of `cbs` into a newly allocated RSA object. Only version
// kVersionTwoPrime is accepted (RSA_R_BAD_VERSION otherwise), bytes left over
// inside the SEQUENCE are rejected (RSA_R_BAD_ENCODING), and the result must
// pass RSA_check_key (RSA_R_BAD_RSA_PARAMETERS). Returns a caller-owned key
// or nullptr; on every failure the partially populated key is freed here.
//
// Coverage (this report): 2.82k calls, of which 25 reached the success return.
RSA *RSA_parse_private_key(CBS *cbs) {
  RSAImpl *key = FromOpaque(RSA_new());
  if (key == nullptr) {
    return nullptr;
  }

  // Single cleanup path: release whatever has been parsed so far, so no
  // private component outlives a rejected input.
  const auto discard = [key]() -> RSA * {
    RSA_free(key);
    return nullptr;
  };

  CBS seq;
  uint64_t version;
  if (!CBS_get_asn1(cbs, &seq, CBS_ASN1_SEQUENCE) ||
      !CBS_get_asn1_uint64(&seq, &version)) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
    return discard();
  }

  if (version != kVersionTwoPrime) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_VERSION);
    return discard();
  }

  // Fields are read strictly in structure order; the first failure stops the
  // walk. No RSA-level error is queued here for an INTEGER that fails to
  // parse, so the error queue holds only what the callee recorded.
  UniquePtr<BIGNUM> *const fields[] = {&key->n,    &key->e,    &key->d,
                                       &key->p,    &key->q,    &key->dmp1,
                                       &key->dmq1, &key->iqmp};
  for (UniquePtr<BIGNUM> *field : fields) {
    if (!parse_integer(&seq, field)) {
      return discard();
    }
  }

  if (CBS_len(&seq) != 0) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
    return discard();
  }

  if (!RSA_check_key(key)) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_RSA_PARAMETERS);
    return discard();
  }

  return key;
}
// Parses exactly one private key from the `in_len` bytes at `in`. Any bytes
// following the key structure are an error (RSA_R_BAD_ENCODING), so the whole
// buffer must be the encoding. Returns a caller-owned key, or nullptr on
// failure; a key that parsed but was followed by trailing data is freed here.
RSA *RSA_private_key_from_bytes(const uint8_t *in, size_t in_len) {
  CBS reader;
  CBS_init(&reader, in, in_len);
  RSA *key = RSA_parse_private_key(&reader);
  if (key != nullptr && CBS_len(&reader) == 0) {
    return key;
  }
  OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
  RSA_free(key);
  return nullptr;
}
// Appends an RSAPrivateKey SEQUENCE for `rsa` to `cbb`: the version
// kVersionTwoPrime followed by n, e, d, p, q, dmp1, dmq1 and iqmp, then
// flushes `cbb`. Every component must be present; a missing one makes
// marshal_integer fail. Returns one on success, or zero with
// RSA_R_ENCODE_ERROR raised. The bytes written to `cbb` are private key
// material and should be handled accordingly by the caller.
//
// Coverage (this report): the failure branch was never taken.
int RSA_marshal_private_key(CBB *cbb, const RSA *rsa) {
  const RSAImpl *key = FromOpaque(rsa);
  CBB seq;
  bool encoded = CBB_add_asn1(cbb, &seq, CBS_ASN1_SEQUENCE) &&
                 CBB_add_asn1_uint64(&seq, kVersionTwoPrime);

  // Components in structure order; once one step fails, the rest are skipped.
  const BIGNUM *const components[] = {
      key->n.get(), key->e.get(),    key->d.get(),    key->p.get(),
      key->q.get(), key->dmp1.get(), key->dmq1.get(), key->iqmp.get()};
  for (const BIGNUM *component : components) {
    encoded = encoded && marshal_integer(&seq, component);
  }
  encoded = encoded && CBB_flush(cbb);

  if (!encoded) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_ENCODE_ERROR);
    return 0;
  }
  return 1;
}
// Serializes the full private key `rsa` into a buffer produced by CBB_finish,
// returned through `*out_bytes` / `*out_len`. Returns one on success. On
// failure the builder is cleaned up, RSA_R_ENCODE_ERROR is raised and zero is
// returned. The returned buffer contains the private key in the clear.
//
// Coverage (this report): this function was never executed.
int RSA_private_key_to_bytes(uint8_t **out_bytes, size_t *out_len,
                             const RSA *rsa) {
  CBB builder;
  // Zeroed first so that CBB_cleanup is safe on every failure path.
  CBB_zero(&builder);
  const bool encoded = CBB_init(&builder, 0) &&
                       RSA_marshal_private_key(&builder, rsa) &&
                       CBB_finish(&builder, out_bytes, out_len);
  if (!encoded) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_ENCODE_ERROR);
    CBB_cleanup(&builder);
    return 0;
  }
  return 1;
}
// Legacy d2i-style entry point for public keys: hands `out`, `inp` and `len`
// to D2IFromCBS with RSA_parse_public_key as the parser, so the same
// validation as RSA_parse_public_key applies.
// NOTE(review): how `*out` and `*inp` are updated is decided by D2IFromCBS,
// which is defined outside this file.
//
// Coverage (this report): this function was never executed.
RSA *d2i_RSAPublicKey(RSA **out, const uint8_t **inp, long len) {
  RSA *const parsed = D2IFromCBS(out, inp, len, RSA_parse_public_key);
  return parsed;
}
// Legacy i2d-style entry point for public keys: serializes `in` through
// I2DFromCBB, using RSA_marshal_public_key as the encoder and 256 bytes as the
// initial buffer capacity.
// NOTE(review): the handling of `outp` and the meaning of the return value are
// decided by I2DFromCBB, which is defined outside this file.
//
// Coverage (this report): this function was never executed.
int i2d_RSAPublicKey(const RSA *in, uint8_t **outp) {
  const auto marshal = [&](CBB *cbb) -> bool {
    return RSA_marshal_public_key(cbb, in);
  };
  return I2DFromCBB(/*initial_capacity=*/256, outp, marshal);
}
// Legacy d2i-style entry point for private keys: hands `out`, `inp` and `len`
// to D2IFromCBS with RSA_parse_private_key as the parser, so the same version,
// encoding and RSA_check_key validation applies.
// NOTE(review): how `*out` and `*inp` are updated is decided by D2IFromCBS,
// which is defined outside this file.
RSA *d2i_RSAPrivateKey(RSA **out, const uint8_t **inp, long len) {
  RSA *const parsed = D2IFromCBS(out, inp, len, RSA_parse_private_key);
  return parsed;
}
// Legacy i2d-style entry point for private keys: serializes `in` through
// I2DFromCBB, using RSA_marshal_private_key as the encoder and 512 bytes as
// the initial buffer capacity. The output is private key material in the
// clear.
// NOTE(review): the handling of `outp` and the meaning of the return value are
// decided by I2DFromCBB, which is defined outside this file.
//
// Coverage (this report): this function was never executed.
int i2d_RSAPrivateKey(const RSA *in, uint8_t **outp) {
  const auto marshal = [&](CBB *cbb) -> bool {
    return RSA_marshal_private_key(cbb, in);
  };
  return I2DFromCBB(/*initial_capacity=*/512, outp, marshal);
}
// Copies the public half of `rsa` by serializing it and parsing the result
// back, so the copy goes through the same validation as any parsed public key.
// Returns a caller-owned key, or nullptr if either step fails.
//
// Coverage (this report): this function was never executed.
RSA *RSAPublicKey_dup(const RSA *rsa) {
  uint8_t *encoded;
  size_t encoded_len;
  if (!RSA_public_key_to_bytes(&encoded, &encoded_len, rsa)) {
    return nullptr;
  }
  RSA *copy = RSA_public_key_from_bytes(encoded, encoded_len);
  // The temporary encoding is released whether or not the re-parse succeeded.
  OPENSSL_free(encoded);
  return copy;
}
// Copies the private key `rsa` by serializing it and parsing the result back,
// so the copy goes through the same validation as any parsed private key.
// Returns a caller-owned key, or nullptr if either step fails.
//
// The temporary buffer holds the complete private key in the clear until it
// is released below.
// NOTE(review): confirm that OPENSSL_free cleanses the buffer in the build
// configuration in use, since nothing here wipes it explicitly.
//
// Coverage (this report): this function was never executed.
RSA *RSAPrivateKey_dup(const RSA *rsa) {
  uint8_t *encoded;
  size_t encoded_len;
  if (!RSA_private_key_to_bytes(&encoded, &encoded_len, rsa)) {
    return nullptr;
  }
  RSA *copy = RSA_private_key_from_bytes(encoded, encoded_len);
  OPENSSL_free(encoded);
  return copy;
}
// Pre-encoded DER for the three supported RSASSA-PSS parameter sets. Each is a
// 54-byte SEQUENCE holding an explicit hash [0], MGF-1 with the same hash [1],
// and a salt length [2] equal to the hash length. The trailer field [3] is
// omitted. The three blobs differ only in the last byte of the two hash OIDs
// and in the salt length.

// SHA-256, salt length 32.
static const uint8_t kPSSParamsSHA256[] = {
    0x30, 0x34,  // SEQUENCE, 52 bytes
    0xa0, 0x0f,  // [0] hashAlgorithm
    0x30, 0x0d,  // AlgorithmIdentifier
    0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01,  // hash
    0x05, 0x00,  // NULL parameters
    0xa1, 0x1c,  // [1] maskGenAlgorithm
    0x30, 0x1a,  // AlgorithmIdentifier
    0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x08,  // MGF-1
    0x30, 0x0d,  // MGF-1 parameter: AlgorithmIdentifier
    0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01,  // hash
    0x05, 0x00,  // NULL parameters
    0xa2, 0x03,  // [2] saltLength
    0x02, 0x01, 0x20};  // INTEGER 32

// SHA-384, salt length 48.
static const uint8_t kPSSParamsSHA384[] = {
    0x30, 0x34,  // SEQUENCE, 52 bytes
    0xa0, 0x0f,  // [0] hashAlgorithm
    0x30, 0x0d,  // AlgorithmIdentifier
    0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02,  // hash
    0x05, 0x00,  // NULL parameters
    0xa1, 0x1c,  // [1] maskGenAlgorithm
    0x30, 0x1a,  // AlgorithmIdentifier
    0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x08,  // MGF-1
    0x30, 0x0d,  // MGF-1 parameter: AlgorithmIdentifier
    0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02,  // hash
    0x05, 0x00,  // NULL parameters
    0xa2, 0x03,  // [2] saltLength
    0x02, 0x01, 0x30};  // INTEGER 48

// SHA-512, salt length 64.
static const uint8_t kPSSParamsSHA512[] = {
    0x30, 0x34,  // SEQUENCE, 52 bytes
    0xa0, 0x0f,  // [0] hashAlgorithm
    0x30, 0x0d,  // AlgorithmIdentifier
    0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03,  // hash
    0x05, 0x00,  // NULL parameters
    0xa1, 0x1c,  // [1] maskGenAlgorithm
    0x30, 0x1a,  // AlgorithmIdentifier
    0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x08,  // MGF-1
    0x30, 0x0d,  // MGF-1 parameter: AlgorithmIdentifier
    0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03,  // hash
    0x05, 0x00,  // NULL parameters
    0xa2, 0x03,  // [2] saltLength
    0x02, 0x01, 0x40};  // INTEGER 64
// Maps a PSS parameter set to its digest: nullptr for rsa_pss_none, otherwise
// the SHA-256, SHA-384 or SHA-512 EVP_MD. Any other value aborts the process
// rather than returning a digest the caller did not ask for.
//
// Coverage (this report): this function was never executed.
const EVP_MD *bssl::rsa_pss_params_get_md(rsa_pss_params_t params) {
  if (params == rsa_pss_none) {
    return nullptr;
  }
  if (params == rsa_pss_sha256) {
    return EVP_sha256();
  }
  if (params == rsa_pss_sha384) {
    return EVP_sha384();
  }
  if (params == rsa_pss_sha512) {
    return EVP_sha512();
  }
  abort();
}
// Appends the pre-encoded parameter blob for `params` to `cbb` and returns
// the result of CBB_add_bytes. rsa_pss_none has no encoding: it raises
// ERR_R_INTERNAL_ERROR and returns zero.
//
// NOTE(review): a value outside the four enumerators leaves the span empty, so
// nothing is appended and the return value is whatever CBB_add_bytes gives for
// a zero-length write. rsa_pss_params_get_md aborts in the equivalent case.
//
// Coverage (this report): this function was never executed.
int bssl::rsa_marshal_pss_params(CBB *cbb, rsa_pss_params_t params) {
  if (params == rsa_pss_none) {
    OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
    return 0;
  }

  Span<const uint8_t> encoded;
  if (params == rsa_pss_sha256) {
    encoded = kPSSParamsSHA256;
  } else if (params == rsa_pss_sha384) {
    encoded = kPSSParamsSHA384;
  } else if (params == rsa_pss_sha512) {
    encoded = kPSSParamsSHA512;
  }

  return CBB_add_bytes(cbb, encoded.data(), encoded.size());
}
// 1.2.840.113549.1.1.8
//
// Contents octets only (no tag or length byte) of the MGF-1 object identifier.
// rsa_parse_pss_params compares these bytes against the body of the
// maskGenAlgorithm OID element.
static const uint8_t kMGF1OID[] = {0x2a, 0x86, 0x48, 0x86, 0xf7,
                                   0x0d, 0x01, 0x01, 0x08};
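// Parses an RSASSA-PSS parameters SEQUENCE from the front of `cbs` and maps it
// to one of the supported parameter sets.
//
// Accepted input is deliberately narrow:
//   - hashAlgorithm [0], maskGenAlgorithm [1] and saltLength [2] must all be
//     present explicitly;
//   - the mask generation function must be MGF-1 with the same hash as
//     hashAlgorithm;
//   - the hash must be SHA-256, SHA-384 or SHA-512;
//   - the salt length must equal the hash length;
//   - trailerField [3] must be absent, unless `allow_explicit_trailer` is
//     non-zero, in which case an explicit value of 1 is also accepted.
// Unconsumed bytes at any level are rejected.
//
// Returns one and writes `*out` on success. Returns zero with
// RSA_R_BAD_ENCODING raised on any failure, leaving `*out` untouched.
//
// Coverage (this report): 218 calls, of which 11 reached the success return.
int bssl::rsa_parse_pss_params(CBS *cbs, rsa_pss_params_t *out,
                               int allow_explicit_trailer) {
  // See RFC 4055, section 3.1.
  //
  // hashAlgorithm, maskGenAlgorithm, and saltLength all have DEFAULTs
  // corresponding to SHA-1. We do not support SHA-1 with PSS, so we do not
  // bother recognizing the omitted versions.
  CBS params, hash_wrapper, mask_wrapper, mask_alg, mask_oid, salt_wrapper;
  uint64_t salt_len;
  if (!CBS_get_asn1(cbs, &params, CBS_ASN1_SEQUENCE) ||
      !CBS_get_asn1(&params, &hash_wrapper,
                    CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 0) ||
      // `hash_wrapper` will be parsed below.
      !CBS_get_asn1(&params, &mask_wrapper,
                    CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 1) ||
      !CBS_get_asn1(&mask_wrapper, &mask_alg, CBS_ASN1_SEQUENCE) ||
      !CBS_get_asn1(&mask_alg, &mask_oid, CBS_ASN1_OBJECT) ||
      // We only support MGF-1.
      Span<const uint8_t>(mask_oid) != kMGF1OID ||
      // The remainder of `mask_alg` will be parsed below.
      CBS_len(&mask_wrapper) != 0 ||
      !CBS_get_asn1(&params, &salt_wrapper,
                    CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 2) ||
      !CBS_get_asn1_uint64(&salt_wrapper, &salt_len) ||
      CBS_len(&salt_wrapper) != 0) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
    return 0;
  }

  // The trailer field must be 1 (0xbc). This value is DEFAULT, so the structure
  // is required to omit it in DER.
  if (CBS_len(&params) != 0 && allow_explicit_trailer) {
    CBS trailer_wrapper;
    uint64_t trailer;
    if (!CBS_get_asn1(&params, &trailer_wrapper,
                      CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 3) ||
        !CBS_get_asn1_uint64(&trailer_wrapper, &trailer) ||  //
        trailer != 1 ||
        // Reject bytes after the INTEGER inside the [3] wrapper, matching the
        // trailing-data checks on the mask and salt wrappers above. Without
        // this, extra bytes in the wrapper would be silently ignored.
        CBS_len(&trailer_wrapper) != 0) {
      OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
      return 0;
    }
  }
  // Anything still unread here is either a trailer that was not permitted or
  // unknown extra data; both are rejected.
  if (CBS_len(&params) != 0) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
    return 0;
  }

  int hash_nid = EVP_parse_digest_algorithm_nid(&hash_wrapper);
  if (hash_nid == NID_undef || CBS_len(&hash_wrapper) != 0) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
    return 0;
  }

  // We only support combinations where the MGF-1 hash matches the overall hash.
  int mgf1_hash_nid = EVP_parse_digest_algorithm_nid(&mask_alg);
  if (mgf1_hash_nid != hash_nid || CBS_len(&mask_alg) != 0) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
    return 0;
  }

  // We only support salt lengths that match the hash length.
  rsa_pss_params_t ret;
  uint64_t hash_len;
  switch (hash_nid) {
    case NID_sha256:
      ret = rsa_pss_sha256;
      hash_len = 32;
      break;
    case NID_sha384:
      ret = rsa_pss_sha384;
      hash_len = 48;
      break;
    case NID_sha512:
      ret = rsa_pss_sha512;
      hash_len = 64;
      break;
    default:
      // A digest the parser recognizes but PSS here does not support.
      OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
      return 0;
  }
  if (salt_len != hash_len) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
    return 0;
  }

  // Only written once every check has passed.
  *out = ret;
  return 1;
}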