/src/openssl/providers/common/der/der_rsa_key.c

Source (jump to first uncovered line)
/*
 * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/*
 * RSA low level APIs are deprecated for public use, but still ok for
 * internal use.
 */
#include "internal/deprecated.h"

#include <openssl/obj_mac.h>
#include "internal/cryptlib.h"
#include "prov/der_rsa.h"
#include "prov/der_digests.h"

/* More complex pre-compiled sequences. */

/*-
 * From https://tools.ietf.org/html/rfc8017#appendix-A.2.1
 *
 * OAEP-PSSDigestAlgorithms    ALGORITHM-IDENTIFIER ::= {
 *     { OID id-sha1       PARAMETERS NULL }|
 *     { OID id-sha224     PARAMETERS NULL }|
 *     { OID id-sha256     PARAMETERS NULL }|
 *     { OID id-sha384     PARAMETERS NULL }|
 *     { OID id-sha512     PARAMETERS NULL }|
 *     { OID id-sha512-224 PARAMETERS NULL }|
 *     { OID id-sha512-256 PARAMETERS NULL },
 *     ...  -- Allows for future expansion --
 * }
 */
#define DER_V_NULL DER_P_NULL, 0
#define DER_SZ_NULL 2

/*
 * The names for the hash function AlgorithmIdentifiers are borrowed and
 * expanded from https://tools.ietf.org/html/rfc4055#section-2.1
 *
 * sha1Identifier  AlgorithmIdentifier  ::=  { id-sha1, NULL }
 * sha224Identifier  AlgorithmIdentifier  ::=  { id-sha224, NULL }
 * sha256Identifier  AlgorithmIdentifier  ::=  { id-sha256, NULL }
 * sha384Identifier  AlgorithmIdentifier  ::=  { id-sha384, NULL }
 * sha512Identifier  AlgorithmIdentifier  ::=  { id-sha512, NULL }
 */
/*
 * NOTE: Some of the arrays aren't used other than inside sizeof(), which
 * clang complains about (-Wno-unneeded-internal-declaration).  To get
 * around that, we make them non-static, and declare them an extra time to
 * avoid compilers complaining about definitions without declarations.
 */
#define DER_AID_V_sha1Identifier                                        \
    DER_P_SEQUENCE|DER_F_CONSTRUCTED,                                   \
        DER_OID_SZ_id_sha1 + DER_SZ_NULL,                               \
        DER_OID_V_id_sha1,                                              \
        DER_V_NULL
extern const unsigned char ossl_der_aid_sha1Identifier[];
const unsigned char ossl_der_aid_sha1Identifier[] = {
    DER_AID_V_sha1Identifier
};
#define DER_AID_SZ_sha1Identifier sizeof(ossl_der_aid_sha1Identifier)

#define DER_AID_V_sha224Identifier                                      \
    DER_P_SEQUENCE|DER_F_CONSTRUCTED,                                   \
        DER_OID_SZ_id_sha224 + DER_SZ_NULL,                             \
        DER_OID_V_id_sha224,                                            \
        DER_V_NULL
extern const unsigned char ossl_der_aid_sha224Identifier[];
const unsigned char ossl_der_aid_sha224Identifier[] = {
    DER_AID_V_sha224Identifier
};
#define DER_AID_SZ_sha224Identifier sizeof(ossl_der_aid_sha224Identifier)

#define DER_AID_V_sha256Identifier                                      \
    DER_P_SEQUENCE|DER_F_CONSTRUCTED,                                   \
        DER_OID_SZ_id_sha256 + DER_SZ_NULL,                             \
        DER_OID_V_id_sha256,                                            \
        DER_V_NULL
extern const unsigned char ossl_der_aid_sha256Identifier[];
const unsigned char ossl_der_aid_sha256Identifier[] = {
    DER_AID_V_sha256Identifier
};
#define DER_AID_SZ_sha256Identifier sizeof(ossl_der_aid_sha256Identifier)

#define DER_AID_V_sha384Identifier                                      \
    DER_P_SEQUENCE|DER_F_CONSTRUCTED,                                   \
        DER_OID_SZ_id_sha384 + DER_SZ_NULL,                             \
        DER_OID_V_id_sha384,                                            \
        DER_V_NULL
extern const unsigned char ossl_der_aid_sha384Identifier[];
const unsigned char ossl_der_aid_sha384Identifier[] = {
    DER_AID_V_sha384Identifier
};
#define DER_AID_SZ_sha384Identifier sizeof(ossl_der_aid_sha384Identifier)

#define DER_AID_V_sha512Identifier                                      \
    DER_P_SEQUENCE|DER_F_CONSTRUCTED,                                   \
        DER_OID_SZ_id_sha512 + DER_SZ_NULL,                             \
        DER_OID_V_id_sha512,                                            \
        DER_V_NULL
extern const unsigned char ossl_der_aid_sha512Identifier[];
const unsigned char ossl_der_aid_sha512Identifier[] = {
    DER_AID_V_sha512Identifier
};
#define DER_AID_SZ_sha512Identifier sizeof(ossl_der_aid_sha512Identifier)

#define DER_AID_V_sha512_224Identifier                                  \
    DER_P_SEQUENCE|DER_F_CONSTRUCTED,                                   \
        DER_OID_SZ_id_sha512_224 + DER_SZ_NULL,                         \
        DER_OID_V_id_sha512_224,                                        \
        DER_V_NULL
extern const unsigned char ossl_der_aid_sha512_224Identifier[];
const unsigned char ossl_der_aid_sha512_224Identifier[] = {
    DER_AID_V_sha512_224Identifier
};
#define DER_AID_SZ_sha512_224Identifier sizeof(ossl_der_aid_sha512_224Identifier)

#define DER_AID_V_sha512_256Identifier                                  \
    DER_P_SEQUENCE|DER_F_CONSTRUCTED,                                   \
        DER_OID_SZ_id_sha512_256 + DER_SZ_NULL,                         \
        DER_OID_V_id_sha512_256,                                        \
        DER_V_NULL
extern const unsigned char ossl_der_aid_sha512_256Identifier[];
const unsigned char ossl_der_aid_sha512_256Identifier[] = {
    DER_AID_V_sha512_256Identifier
};
#define DER_AID_SZ_sha512_256Identifier sizeof(ossl_der_aid_sha512_256Identifier)

/*-
 * From https://tools.ietf.org/html/rfc8017#appendix-A.2.1
 *
 * HashAlgorithm ::= AlgorithmIdentifier {
 *    {OAEP-PSSDigestAlgorithms}
 * }
 *
 * ...
 *
 * PKCS1MGFAlgorithms    ALGORITHM-IDENTIFIER ::= {
 *     { OID id-mgf1 PARAMETERS HashAlgorithm },
 *     ...  -- Allows for future expansion --
 * }
 */

/*
 * The names for the MGF1 AlgorithmIdentifiers are borrowed and expanded
 * from https://tools.ietf.org/html/rfc4055#section-2.1
 *
 * mgf1SHA1Identifier  AlgorithmIdentifier  ::=
 *                      { id-mgf1, sha1Identifier }
 * mgf1SHA224Identifier  AlgorithmIdentifier  ::=
 *                      { id-mgf1, sha224Identifier }
 * mgf1SHA256Identifier  AlgorithmIdentifier  ::=
 *                      { id-mgf1, sha256Identifier }
 * mgf1SHA384Identifier  AlgorithmIdentifier  ::=
 *                      { id-mgf1, sha384Identifier }
 * mgf1SHA512Identifier  AlgorithmIdentifier  ::=
 *                      { id-mgf1, sha512Identifier }
 */
#if 0                            /* Currently unused */
#define DER_AID_V_mgf1SHA1Identifier                                    \
    DER_P_SEQUENCE|DER_F_CONSTRUCTED,                                   \
        DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha1Identifier,                 \
        DER_OID_V_id_mgf1,                                              \
        DER_AID_V_sha1Identifier
static const unsigned char der_aid_mgf1SHA1Identifier[] = {
    DER_AID_V_mgf1SHA1Identifier
};
#define DER_AID_SZ_mgf1SHA1Identifier sizeof(der_aid_mgf1SHA1Identifier)
#endif

#define DER_AID_V_mgf1SHA224Identifier                          \
    DER_P_SEQUENCE|DER_F_CONSTRUCTED,                           \
        DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha224Identifier,       \
        DER_OID_V_id_mgf1,                                      \
        DER_AID_V_sha224Identifier
static const unsigned char der_aid_mgf1SHA224Identifier[] = {
    DER_AID_V_mgf1SHA224Identifier
};
#define DER_AID_SZ_mgf1SHA224Identifier sizeof(der_aid_mgf1SHA224Identifier)

#define DER_AID_V_mgf1SHA256Identifier                          \
    DER_P_SEQUENCE|DER_F_CONSTRUCTED,                           \
        DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha256Identifier,       \
        DER_OID_V_id_mgf1,                                      \
        DER_AID_V_sha256Identifier
static const unsigned char der_aid_mgf1SHA256Identifier[] = {
    DER_AID_V_mgf1SHA256Identifier
};
#define DER_AID_SZ_mgf1SHA256Identifier sizeof(der_aid_mgf1SHA256Identifier)

#define DER_AID_V_mgf1SHA384Identifier                          \
    DER_P_SEQUENCE|DER_F_CONSTRUCTED,                           \
        DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha384Identifier,       \
        DER_OID_V_id_mgf1,                                      \
        DER_AID_V_sha384Identifier
static const unsigned char der_aid_mgf1SHA384Identifier[] = {
    DER_AID_V_mgf1SHA384Identifier
};
#define DER_AID_SZ_mgf1SHA384Identifier sizeof(der_aid_mgf1SHA384Identifier)

#define DER_AID_V_mgf1SHA512Identifier                          \
    DER_P_SEQUENCE|DER_F_CONSTRUCTED,                           \
        DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha512Identifier,       \
        DER_OID_V_id_mgf1,                                      \
        DER_AID_V_sha512Identifier
static const unsigned char der_aid_mgf1SHA512Identifier[] = {
    DER_AID_V_mgf1SHA512Identifier
};
#define DER_AID_SZ_mgf1SHA512Identifier sizeof(der_aid_mgf1SHA512Identifier)

#define DER_AID_V_mgf1SHA512_224Identifier                      \
    DER_P_SEQUENCE|DER_F_CONSTRUCTED,                           \
        DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha512_224Identifier,   \
        DER_OID_V_id_mgf1,                                      \
        DER_AID_V_sha512_224Identifier
static const unsigned char der_aid_mgf1SHA512_224Identifier[] = {
    DER_AID_V_mgf1SHA512_224Identifier
};
#define DER_AID_SZ_mgf1SHA512_224Identifier sizeof(der_aid_mgf1SHA512_224Identifier)

#define DER_AID_V_mgf1SHA512_256Identifier                      \
    DER_P_SEQUENCE|DER_F_CONSTRUCTED,                           \
        DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha512_256Identifier,   \
        DER_OID_V_id_mgf1,                                      \
        DER_AID_V_sha512_256Identifier
static const unsigned char der_aid_mgf1SHA512_256Identifier[] = {
    DER_AID_V_mgf1SHA512_256Identifier
};
#define DER_AID_SZ_mgf1SHA512_256Identifier sizeof(der_aid_mgf1SHA512_256Identifier)


#define MGF1_SHA_CASE(bits, var)                                \
    case NID_sha##bits:                                         \
        var = der_aid_mgf1SHA##bits##Identifier;                \
        var##_sz = sizeof(der_aid_mgf1SHA##bits##Identifier);   \
        break;

/*-
 * The name is borrowed from https://tools.ietf.org/html/rfc8017#appendix-A.2.1
 *
 * MaskGenAlgorithm ::= AlgorithmIdentifier { {PKCS1MGFAlgorithms} }
 */
static int DER_w_MaskGenAlgorithm(WPACKET *pkt, int tag,
                                  const RSA_PSS_PARAMS_30 *pss)
{
    if (pss != NULL && ossl_rsa_pss_params_30_maskgenalg(pss) == NID_mgf1) {
        int maskgenhashalg_nid = ossl_rsa_pss_params_30_maskgenhashalg(pss);
        const unsigned char *maskgenalg = NULL;
        size_t maskgenalg_sz = 0;

        switch (maskgenhashalg_nid) {
        case NID_sha1:
            break;
            MGF1_SHA_CASE(224, maskgenalg);
            MGF1_SHA_CASE(256, maskgenalg);
            MGF1_SHA_CASE(384, maskgenalg);
            MGF1_SHA_CASE(512, maskgenalg);
            MGF1_SHA_CASE(512_224, maskgenalg);
            MGF1_SHA_CASE(512_256, maskgenalg);
        default:
            return 0;
        }

        /* If there is none (or it was the default), we write nothing */
        if (maskgenalg == NULL)
            return 1;

        return ossl_DER_w_precompiled(pkt, tag, maskgenalg, maskgenalg_sz);
    }
    return 0;
}

#define OAEP_PSS_MD_CASE(name, var)                                     \
    case NID_##name:                                                    \
        var = ossl_der_aid_##name##Identifier;                          \
        var##_sz = sizeof(ossl_der_aid_##name##Identifier);             \
        break;

int ossl_DER_w_RSASSA_PSS_params(WPACKET *pkt, int tag,
                                 const RSA_PSS_PARAMS_30 *pss)
{
    int hashalg_nid, default_hashalg_nid;
    int saltlen, default_saltlen;
    int trailerfield, default_trailerfield;
    const unsigned char *hashalg = NULL;
    size_t hashalg_sz = 0;

    /*
     * For an unrestricted key, this function should not have been called;
     * the caller must be in control, because unrestricted keys are permitted
     * in some situations (when encoding the public key in a SubjectKeyInfo,
     * for example) while not in others, and this function doesn't know the
     * intent.  Therefore, we assert that here, the PSS parameters must show
     * that the key is restricted.
     */
    if (!ossl_assert(pss != NULL
                     && !ossl_rsa_pss_params_30_is_unrestricted(pss)))
        return 0;

    hashalg_nid = ossl_rsa_pss_params_30_hashalg(pss);
    saltlen = ossl_rsa_pss_params_30_saltlen(pss);
    trailerfield = ossl_rsa_pss_params_30_trailerfield(pss);

    if (saltlen < 0) {
        ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_SALT_LENGTH);
        return 0;
    }
    if (trailerfield != 1) {
        ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_TRAILER);
        return 0;
    }

    /* Getting default values */
    default_hashalg_nid = ossl_rsa_pss_params_30_hashalg(NULL);
    default_saltlen = ossl_rsa_pss_params_30_saltlen(NULL);
    default_trailerfield = ossl_rsa_pss_params_30_trailerfield(NULL);

    /*
     * From https://tools.ietf.org/html/rfc8017#appendix-A.2.1:
     *
     * OAEP-PSSDigestAlgorithms    ALGORITHM-IDENTIFIER ::= {
     *     { OID id-sha1       PARAMETERS NULL }|
     *     { OID id-sha224     PARAMETERS NULL }|
     *     { OID id-sha256     PARAMETERS NULL }|
     *     { OID id-sha384     PARAMETERS NULL }|
     *     { OID id-sha512     PARAMETERS NULL }|
     *     { OID id-sha512-224 PARAMETERS NULL }|
     *     { OID id-sha512-256 PARAMETERS NULL },
     *     ...  -- Allows for future expansion --
     * }
     */
    switch (hashalg_nid) {
        OAEP_PSS_MD_CASE(sha1, hashalg);
        OAEP_PSS_MD_CASE(sha224, hashalg);
        OAEP_PSS_MD_CASE(sha256, hashalg);
        OAEP_PSS_MD_CASE(sha384, hashalg);
        OAEP_PSS_MD_CASE(sha512, hashalg);
        OAEP_PSS_MD_CASE(sha512_224, hashalg);
        OAEP_PSS_MD_CASE(sha512_256, hashalg);
    default:
        return 0;
    }

    return ossl_DER_w_begin_sequence(pkt, tag)
        && (trailerfield == default_trailerfield
            || ossl_DER_w_uint32(pkt, 3, (uint32_t)trailerfield))
        && (saltlen == default_saltlen || ossl_DER_w_uint32(pkt, 2, (uint32_t)saltlen))
        && DER_w_MaskGenAlgorithm(pkt, 1, pss)
        && (hashalg_nid == default_hashalg_nid
            || ossl_DER_w_precompiled(pkt, 0, hashalg, hashalg_sz))
        && ossl_DER_w_end_sequence(pkt, tag);
}

/* Aliases so we can have a uniform RSA_CASE */
#define ossl_der_oid_rsassaPss ossl_der_oid_id_RSASSA_PSS

#define RSA_CASE(name, var)                                             \
    var##_nid = NID_##name;                                             \
    var##_oid = ossl_der_oid_##name;                                    \
    var##_oid_sz = sizeof(ossl_der_oid_##name);                         \
    break;

int ossl_DER_w_algorithmIdentifier_RSA_PSS(WPACKET *pkt, int tag,
                                           int rsa_type,
                                           const RSA_PSS_PARAMS_30 *pss)
{
    int rsa_nid = NID_undef;
    const unsigned char *rsa_oid = NULL;
    size_t rsa_oid_sz = 0;

    switch (rsa_type) {
    case RSA_FLAG_TYPE_RSA:
        RSA_CASE(rsaEncryption, rsa);
    case RSA_FLAG_TYPE_RSASSAPSS:
        RSA_CASE(rsassaPss, rsa);
    }

    if (rsa_oid == NULL)
        return 0;

    return ossl_DER_w_begin_sequence(pkt, tag)
        && (rsa_nid != NID_rsassaPss
            || ossl_rsa_pss_params_30_is_unrestricted(pss)
            || ossl_DER_w_RSASSA_PSS_params(pkt, -1, pss))
        && ossl_DER_w_precompiled(pkt, -1, rsa_oid, rsa_oid_sz)
        && ossl_DER_w_end_sequence(pkt, tag);
}

int ossl_DER_w_algorithmIdentifier_RSA(WPACKET *pkt, int tag, RSA *rsa)
{
    int rsa_type = RSA_test_flags(rsa, RSA_FLAG_TYPE_MASK);
    RSA_PSS_PARAMS_30 *pss_params = ossl_rsa_get0_pss_params_30(rsa);

    return ossl_DER_w_algorithmIdentifier_RSA_PSS(pkt, tag, rsa_type,
                                                  pss_params);
}

Coverage Report

Created: 2025-06-13 06:36

Line	Count	Source (jump to first uncovered line)
1		/*
2		* Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
3		*
4		* Licensed under the Apache License 2.0 (the "License"). You may not use
5		* this file except in compliance with the License. You can obtain a copy
6		* in the file LICENSE in the source distribution or at
7		* https://www.openssl.org/source/license.html
8		*/
9
10		/*
11		* RSA low level APIs are deprecated for public use, but still ok for
12		* internal use.
13		*/
14		#include "internal/deprecated.h"
15
16		#include <openssl/obj_mac.h>
17		#include "internal/cryptlib.h"
18		#include "prov/der_rsa.h"
19		#include "prov/der_digests.h"
20
21		/* More complex pre-compiled sequences. */
22
23		/*-
24		* From https://tools.ietf.org/html/rfc8017#appendix-A.2.1
25		*
26		* OAEP-PSSDigestAlgorithms ALGORITHM-IDENTIFIER ::= {
27		* { OID id-sha1 PARAMETERS NULL }\|
28		* { OID id-sha224 PARAMETERS NULL }\|
29		* { OID id-sha256 PARAMETERS NULL }\|
30		* { OID id-sha384 PARAMETERS NULL }\|
31		* { OID id-sha512 PARAMETERS NULL }\|
32		* { OID id-sha512-224 PARAMETERS NULL }\|
33		* { OID id-sha512-256 PARAMETERS NULL },
34		* ... -- Allows for future expansion --
35		* }
36		*/
37		#define DER_V_NULL DER_P_NULL, 0
38		#define DER_SZ_NULL 2
39
40		/*
41		* The names for the hash function AlgorithmIdentifiers are borrowed and
42		* expanded from https://tools.ietf.org/html/rfc4055#section-2.1
43		*
44		* sha1Identifier AlgorithmIdentifier ::= { id-sha1, NULL }
45		* sha224Identifier AlgorithmIdentifier ::= { id-sha224, NULL }
46		* sha256Identifier AlgorithmIdentifier ::= { id-sha256, NULL }
47		* sha384Identifier AlgorithmIdentifier ::= { id-sha384, NULL }
48		* sha512Identifier AlgorithmIdentifier ::= { id-sha512, NULL }
49		*/
50		/*
51		* NOTE: Some of the arrays aren't used other than inside sizeof(), which
52		* clang complains about (-Wno-unneeded-internal-declaration). To get
53		* around that, we make them non-static, and declare them an extra time to
54		* avoid compilers complaining about definitions without declarations.
55		*/
56		#define DER_AID_V_sha1Identifier \
57		DER_P_SEQUENCE\|DER_F_CONSTRUCTED, \
58		DER_OID_SZ_id_sha1 + DER_SZ_NULL, \
59		DER_OID_V_id_sha1, \
60		DER_V_NULL
61		extern const unsigned char ossl_der_aid_sha1Identifier[];
62		const unsigned char ossl_der_aid_sha1Identifier[] = {
63		DER_AID_V_sha1Identifier
64		};
65		#define DER_AID_SZ_sha1Identifier sizeof(ossl_der_aid_sha1Identifier)
66
67		#define DER_AID_V_sha224Identifier \
68		DER_P_SEQUENCE\|DER_F_CONSTRUCTED, \
69		DER_OID_SZ_id_sha224 + DER_SZ_NULL, \
70		DER_OID_V_id_sha224, \
71		DER_V_NULL
72		extern const unsigned char ossl_der_aid_sha224Identifier[];
73		const unsigned char ossl_der_aid_sha224Identifier[] = {
74		DER_AID_V_sha224Identifier
75		};
76		#define DER_AID_SZ_sha224Identifier sizeof(ossl_der_aid_sha224Identifier)
77
78		#define DER_AID_V_sha256Identifier \
79		DER_P_SEQUENCE\|DER_F_CONSTRUCTED, \
80		DER_OID_SZ_id_sha256 + DER_SZ_NULL, \
81		DER_OID_V_id_sha256, \
82		DER_V_NULL
83		extern const unsigned char ossl_der_aid_sha256Identifier[];
84		const unsigned char ossl_der_aid_sha256Identifier[] = {
85		DER_AID_V_sha256Identifier
86		};
87		#define DER_AID_SZ_sha256Identifier sizeof(ossl_der_aid_sha256Identifier)
88
89		#define DER_AID_V_sha384Identifier \
90		DER_P_SEQUENCE\|DER_F_CONSTRUCTED, \
91		DER_OID_SZ_id_sha384 + DER_SZ_NULL, \
92		DER_OID_V_id_sha384, \
93		DER_V_NULL
94		extern const unsigned char ossl_der_aid_sha384Identifier[];
95		const unsigned char ossl_der_aid_sha384Identifier[] = {
96		DER_AID_V_sha384Identifier
97		};
98		#define DER_AID_SZ_sha384Identifier sizeof(ossl_der_aid_sha384Identifier)
99
100		#define DER_AID_V_sha512Identifier \
101		DER_P_SEQUENCE\|DER_F_CONSTRUCTED, \
102		DER_OID_SZ_id_sha512 + DER_SZ_NULL, \
103		DER_OID_V_id_sha512, \
104		DER_V_NULL
105		extern const unsigned char ossl_der_aid_sha512Identifier[];
106		const unsigned char ossl_der_aid_sha512Identifier[] = {
107		DER_AID_V_sha512Identifier
108		};
109		#define DER_AID_SZ_sha512Identifier sizeof(ossl_der_aid_sha512Identifier)
110
111		#define DER_AID_V_sha512_224Identifier \
112		DER_P_SEQUENCE\|DER_F_CONSTRUCTED, \
113		DER_OID_SZ_id_sha512_224 + DER_SZ_NULL, \
114		DER_OID_V_id_sha512_224, \
115		DER_V_NULL
116		extern const unsigned char ossl_der_aid_sha512_224Identifier[];
117		const unsigned char ossl_der_aid_sha512_224Identifier[] = {
118		DER_AID_V_sha512_224Identifier
119		};
120		#define DER_AID_SZ_sha512_224Identifier sizeof(ossl_der_aid_sha512_224Identifier)
121
122		#define DER_AID_V_sha512_256Identifier \
123		DER_P_SEQUENCE\|DER_F_CONSTRUCTED, \
124		DER_OID_SZ_id_sha512_256 + DER_SZ_NULL, \
125		DER_OID_V_id_sha512_256, \
126		DER_V_NULL
127		extern const unsigned char ossl_der_aid_sha512_256Identifier[];
128		const unsigned char ossl_der_aid_sha512_256Identifier[] = {
129		DER_AID_V_sha512_256Identifier
130		};
131		#define DER_AID_SZ_sha512_256Identifier sizeof(ossl_der_aid_sha512_256Identifier)
132
133		/*-
134		* From https://tools.ietf.org/html/rfc8017#appendix-A.2.1
135		*
136		* HashAlgorithm ::= AlgorithmIdentifier {
137		* {OAEP-PSSDigestAlgorithms}
138		* }
139		*
140		* ...
141		*
142		* PKCS1MGFAlgorithms ALGORITHM-IDENTIFIER ::= {
143		* { OID id-mgf1 PARAMETERS HashAlgorithm },
144		* ... -- Allows for future expansion --
145		* }
146		*/
147
148		/*
149		* The names for the MGF1 AlgorithmIdentifiers are borrowed and expanded
150		* from https://tools.ietf.org/html/rfc4055#section-2.1
151		*
152		* mgf1SHA1Identifier AlgorithmIdentifier ::=
153		* { id-mgf1, sha1Identifier }
154		* mgf1SHA224Identifier AlgorithmIdentifier ::=
155		* { id-mgf1, sha224Identifier }
156		* mgf1SHA256Identifier AlgorithmIdentifier ::=
157		* { id-mgf1, sha256Identifier }
158		* mgf1SHA384Identifier AlgorithmIdentifier ::=
159		* { id-mgf1, sha384Identifier }
160		* mgf1SHA512Identifier AlgorithmIdentifier ::=
161		* { id-mgf1, sha512Identifier }
162		*/
163		#if 0 /* Currently unused */
164		#define DER_AID_V_mgf1SHA1Identifier \
165		DER_P_SEQUENCE\|DER_F_CONSTRUCTED, \
166		DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha1Identifier, \
167		DER_OID_V_id_mgf1, \
168		DER_AID_V_sha1Identifier
169		static const unsigned char der_aid_mgf1SHA1Identifier[] = {
170		DER_AID_V_mgf1SHA1Identifier
171		};
172		#define DER_AID_SZ_mgf1SHA1Identifier sizeof(der_aid_mgf1SHA1Identifier)
173		#endif
174
175		#define DER_AID_V_mgf1SHA224Identifier \
176		DER_P_SEQUENCE\|DER_F_CONSTRUCTED, \
177		DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha224Identifier, \
178		DER_OID_V_id_mgf1, \
179		DER_AID_V_sha224Identifier
180		static const unsigned char der_aid_mgf1SHA224Identifier[] = {
181		DER_AID_V_mgf1SHA224Identifier
182		};
183		#define DER_AID_SZ_mgf1SHA224Identifier sizeof(der_aid_mgf1SHA224Identifier)
184
185		#define DER_AID_V_mgf1SHA256Identifier \
186		DER_P_SEQUENCE\|DER_F_CONSTRUCTED, \
187		DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha256Identifier, \
188		DER_OID_V_id_mgf1, \
189		DER_AID_V_sha256Identifier
190		static const unsigned char der_aid_mgf1SHA256Identifier[] = {
191		DER_AID_V_mgf1SHA256Identifier
192		};
193		#define DER_AID_SZ_mgf1SHA256Identifier sizeof(der_aid_mgf1SHA256Identifier)
194
195		#define DER_AID_V_mgf1SHA384Identifier \
196		DER_P_SEQUENCE\|DER_F_CONSTRUCTED, \
197		DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha384Identifier, \
198		DER_OID_V_id_mgf1, \
199		DER_AID_V_sha384Identifier
200		static const unsigned char der_aid_mgf1SHA384Identifier[] = {
201		DER_AID_V_mgf1SHA384Identifier
202		};
203		#define DER_AID_SZ_mgf1SHA384Identifier sizeof(der_aid_mgf1SHA384Identifier)
204
205		#define DER_AID_V_mgf1SHA512Identifier \
206		DER_P_SEQUENCE\|DER_F_CONSTRUCTED, \
207		DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha512Identifier, \
208		DER_OID_V_id_mgf1, \
209		DER_AID_V_sha512Identifier
210		static const unsigned char der_aid_mgf1SHA512Identifier[] = {
211		DER_AID_V_mgf1SHA512Identifier
212		};
213		#define DER_AID_SZ_mgf1SHA512Identifier sizeof(der_aid_mgf1SHA512Identifier)
214
215		#define DER_AID_V_mgf1SHA512_224Identifier \
216		DER_P_SEQUENCE\|DER_F_CONSTRUCTED, \
217		DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha512_224Identifier, \
218		DER_OID_V_id_mgf1, \
219		DER_AID_V_sha512_224Identifier
220		static const unsigned char der_aid_mgf1SHA512_224Identifier[] = {
221		DER_AID_V_mgf1SHA512_224Identifier
222		};
223		#define DER_AID_SZ_mgf1SHA512_224Identifier sizeof(der_aid_mgf1SHA512_224Identifier)
224
225		#define DER_AID_V_mgf1SHA512_256Identifier \
226		DER_P_SEQUENCE\|DER_F_CONSTRUCTED, \
227		DER_OID_SZ_id_mgf1 + DER_AID_SZ_sha512_256Identifier, \
228		DER_OID_V_id_mgf1, \
229		DER_AID_V_sha512_256Identifier
230		static const unsigned char der_aid_mgf1SHA512_256Identifier[] = {
231		DER_AID_V_mgf1SHA512_256Identifier
232		};
233		#define DER_AID_SZ_mgf1SHA512_256Identifier sizeof(der_aid_mgf1SHA512_256Identifier)
234
235
236		#define MGF1_SHA_CASE(bits, var) \
237	0	case NID_sha##bits: \
238	0	var = der_aid_mgf1SHA##bits##Identifier; \
239	0	var##_sz = sizeof(der_aid_mgf1SHA##bits##Identifier); \
240	0	break;
241
242		/*-
243		* The name is borrowed from https://tools.ietf.org/html/rfc8017#appendix-A.2.1
244		*
245		* MaskGenAlgorithm ::= AlgorithmIdentifier { {PKCS1MGFAlgorithms} }
246		*/
247		static int DER_w_MaskGenAlgorithm(WPACKET *pkt, int tag,
248		const RSA_PSS_PARAMS_30 *pss)
249	0	{
250	0	if (pss != NULL && ossl_rsa_pss_params_30_maskgenalg(pss) == NID_mgf1) {
251	0	int maskgenhashalg_nid = ossl_rsa_pss_params_30_maskgenhashalg(pss);
252	0	const unsigned char *maskgenalg = NULL;
253	0	size_t maskgenalg_sz = 0;
254
255	0	switch (maskgenhashalg_nid) {
256	0	case NID_sha1:
257	0	break;
258	0	MGF1_SHA_CASE(224, maskgenalg);
259	0	MGF1_SHA_CASE(256, maskgenalg);
260	0	MGF1_SHA_CASE(384, maskgenalg);
261	0	MGF1_SHA_CASE(512, maskgenalg);
262	0	MGF1_SHA_CASE(512_224, maskgenalg);
263	0	MGF1_SHA_CASE(512_256, maskgenalg);
264	0	default:
265	0	return 0;
266	0	}
267
268		/* If there is none (or it was the default), we write nothing */
269	0	if (maskgenalg == NULL)
270	0	return 1;
271
272	0	return ossl_DER_w_precompiled(pkt, tag, maskgenalg, maskgenalg_sz);
273	0	}
274	0	return 0;
275	0	}
276
277		#define OAEP_PSS_MD_CASE(name, var) \
278	0	case NID_##name: \
279	0	var = ossl_der_aid_##name##Identifier; \
280	0	var##_sz = sizeof(ossl_der_aid_##name##Identifier); \
281	0	break;
282
283		int ossl_DER_w_RSASSA_PSS_params(WPACKET *pkt, int tag,
284		const RSA_PSS_PARAMS_30 *pss)
285	0	{
286	0	int hashalg_nid, default_hashalg_nid;
287	0	int saltlen, default_saltlen;
288	0	int trailerfield, default_trailerfield;
289	0	const unsigned char *hashalg = NULL;
290	0	size_t hashalg_sz = 0;
291
292		/*
293		* For an unrestricted key, this function should not have been called;
294		* the caller must be in control, because unrestricted keys are permitted
295		* in some situations (when encoding the public key in a SubjectKeyInfo,
296		* for example) while not in others, and this function doesn't know the
297		* intent. Therefore, we assert that here, the PSS parameters must show
298		* that the key is restricted.
299		*/
300	0	if (!ossl_assert(pss != NULL
301	0	&& !ossl_rsa_pss_params_30_is_unrestricted(pss)))
302	0	return 0;
303
304	0	hashalg_nid = ossl_rsa_pss_params_30_hashalg(pss);
305	0	saltlen = ossl_rsa_pss_params_30_saltlen(pss);
306	0	trailerfield = ossl_rsa_pss_params_30_trailerfield(pss);
307
308	0	if (saltlen < 0) {
309	0	ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_SALT_LENGTH);
310	0	return 0;
311	0	}
312	0	if (trailerfield != 1) {
313	0	ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_TRAILER);
314	0	return 0;
315	0	}
316
317		/* Getting default values */
318	0	default_hashalg_nid = ossl_rsa_pss_params_30_hashalg(NULL);
319	0	default_saltlen = ossl_rsa_pss_params_30_saltlen(NULL);
320	0	default_trailerfield = ossl_rsa_pss_params_30_trailerfield(NULL);
321
322		/*
323		* From https://tools.ietf.org/html/rfc8017#appendix-A.2.1:
324		*
325		* OAEP-PSSDigestAlgorithms ALGORITHM-IDENTIFIER ::= {
326		* { OID id-sha1 PARAMETERS NULL }\|
327		* { OID id-sha224 PARAMETERS NULL }\|
328		* { OID id-sha256 PARAMETERS NULL }\|
329		* { OID id-sha384 PARAMETERS NULL }\|
330		* { OID id-sha512 PARAMETERS NULL }\|
331		* { OID id-sha512-224 PARAMETERS NULL }\|
332		* { OID id-sha512-256 PARAMETERS NULL },
333		* ... -- Allows for future expansion --
334		* }
335		*/
336	0	switch (hashalg_nid) {
337	0	OAEP_PSS_MD_CASE(sha1, hashalg);
338	0	OAEP_PSS_MD_CASE(sha224, hashalg);
339	0	OAEP_PSS_MD_CASE(sha256, hashalg);
340	0	OAEP_PSS_MD_CASE(sha384, hashalg);
341	0	OAEP_PSS_MD_CASE(sha512, hashalg);
342	0	OAEP_PSS_MD_CASE(sha512_224, hashalg);
343	0	OAEP_PSS_MD_CASE(sha512_256, hashalg);
344	0	default:
345	0	return 0;
346	0	}
347
348	0	return ossl_DER_w_begin_sequence(pkt, tag)
349	0	&& (trailerfield == default_trailerfield
350	0	\|\| ossl_DER_w_uint32(pkt, 3, (uint32_t)trailerfield))
351	0	&& (saltlen == default_saltlen \|\| ossl_DER_w_uint32(pkt, 2, (uint32_t)saltlen))
352	0	&& DER_w_MaskGenAlgorithm(pkt, 1, pss)
353	0	&& (hashalg_nid == default_hashalg_nid
354	0	\|\| ossl_DER_w_precompiled(pkt, 0, hashalg, hashalg_sz))
355	0	&& ossl_DER_w_end_sequence(pkt, tag);
356	0	}
357
358		/* Aliases so we can have a uniform RSA_CASE */
359	0	#define ossl_der_oid_rsassaPss ossl_der_oid_id_RSASSA_PSS
360
361		#define RSA_CASE(name, var) \
362	0	var##_nid = NID_##name; \
363	0	var##_oid = ossl_der_oid_##name; \
364	0	var##_oid_sz = sizeof(ossl_der_oid_##name); \
365	0	break;
366
367		int ossl_DER_w_algorithmIdentifier_RSA_PSS(WPACKET *pkt, int tag,
368		int rsa_type,
369		const RSA_PSS_PARAMS_30 *pss)
370	0	{
371	0	int rsa_nid = NID_undef;
372	0	const unsigned char *rsa_oid = NULL;
373	0	size_t rsa_oid_sz = 0;
374
375	0	switch (rsa_type) {
376	0	case RSA_FLAG_TYPE_RSA:
377	0	RSA_CASE(rsaEncryption, rsa);
378	0	case RSA_FLAG_TYPE_RSASSAPSS:
379	0	RSA_CASE(rsassaPss, rsa);
380	0	}
381
382	0	if (rsa_oid == NULL)
383	0	return 0;
384
385	0	return ossl_DER_w_begin_sequence(pkt, tag)
386	0	&& (rsa_nid != NID_rsassaPss
387	0	\|\| ossl_rsa_pss_params_30_is_unrestricted(pss)
388	0	\|\| ossl_DER_w_RSASSA_PSS_params(pkt, -1, pss))
389	0	&& ossl_DER_w_precompiled(pkt, -1, rsa_oid, rsa_oid_sz)
390	0	&& ossl_DER_w_end_sequence(pkt, tag);
391	0	}
392
393		int ossl_DER_w_algorithmIdentifier_RSA(WPACKET pkt, int tag, RSA rsa)
394	0	{
395	0	int rsa_type = RSA_test_flags(rsa, RSA_FLAG_TYPE_MASK);
396	0	RSA_PSS_PARAMS_30 *pss_params = ossl_rsa_get0_pss_params_30(rsa);
397
398	0	return ossl_DER_w_algorithmIdentifier_RSA_PSS(pkt, tag, rsa_type,
399	0	pss_params);
400	0	}