projects / mirror_edk2.git / blame
| Commit | Line | Data |
|---|---|---|
| 97f98500 HT |
1 | /** @file\r |
| 2 | RSA Asymmetric Cipher Wrapper Implementation over OpenSSL.\r | |
| 3 | \r | |
| 4 | Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.<BR>\r | |
| 5 | This program and the accompanying materials\r | |
| 6 | are licensed and made available under the terms and conditions of the BSD License\r | |
| 7 | which accompanies this distribution. The full text of the license may be found at\r | |
| 8 | http://opensource.org/licenses/bsd-license.php\r | |
| 9 | \r | |
| 10 | THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r | |
| 11 | WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r | |
| 12 | \r | |
| 13 | **/\r | |
| 14 | \r | |
| 15 | #include <Library/BaseLib.h>\r | |
| 16 | #include <Library/DebugLib.h>\r | |
| 17 | #include <Library/BaseMemoryLib.h>\r | |
| 18 | \r | |
| 19 | #include <Library/BaseCryptLib.h>\r | |
| 20 | #include <openssl/rsa.h>\r | |
| 21 | \r | |
| 22 | \r | |
| 23 | /**\r | |
| 24 | Allocates and Initializes one RSA Context for subsequent use.\r | |
| 25 | \r | |
| 26 | @return Pointer to the RSA Context that has been initialized.\r | |
| 27 | If the allocations fails, RsaNew() returns NULL.\r | |
| 28 | \r | |
| 29 | **/\r | |
| 30 | VOID *\r | |
| 31 | EFIAPI\r | |
| 32 | RsaNew (\r | |
| 33 | VOID\r | |
| 34 | )\r | |
| 35 | {\r | |
| 36 | //\r | |
| 37 | // Allocates & Initializes RSA Context by OpenSSL RSA_new()\r | |
| 38 | //\r | |
| 39 | return (VOID *)RSA_new ();\r | |
| 40 | }\r | |
| 41 | \r | |
| 42 | \r | |
| 43 | /**\r | |
| 44 | Release the specified RSA Context.\r | |
| 45 | \r | |
| 46 | @param[in] RsaContext Pointer to the RSA context to be released.\r | |
| 47 | \r | |
| 48 | **/\r | |
| 49 | VOID\r | |
| 50 | EFIAPI\r | |
| 51 | RsaFree (\r | |
| 52 | IN VOID *RsaContext\r | |
| 53 | )\r | |
| 54 | {\r | |
| 55 | //\r | |
| 56 | // Free OpenSSL RSA Context\r | |
| 57 | //\r | |
| 58 | RSA_free ((RSA *)RsaContext);\r | |
| 59 | }\r | |
| 60 | \r | |
| 61 | \r | |
| 62 | /**\r | |
| 63 | Sets the tag-designated RSA key component into the established RSA context from\r | |
| 64 | the user-specified nonnegative integer (octet string format represented in RSA\r | |
| 65 | PKCS#1).\r | |
| 66 | \r | |
| 67 | If RsaContext is NULL, then ASSERT().\r | |
| 68 | \r | |
| 69 | @param[in, out] RsaContext Pointer to RSA context being set.\r | |
| 70 | @param[in] KeyTag Tag of RSA key component being set.\r | |
| 71 | @param[in] BigNumber Pointer to octet integer buffer.\r | |
| 72 | @param[in] BnLength Length of big number buffer in bytes.\r | |
| 73 | \r | |
| 74 | @return TRUE RSA key component was set successfully.\r | |
| 75 | @return FALSE Invalid RSA key component tag.\r | |
| 76 | \r | |
| 77 | **/\r | |
| 78 | BOOLEAN\r | |
| 79 | EFIAPI\r | |
| 80 | RsaSetKey (\r | |
| 81 | IN OUT VOID *RsaContext,\r | |
| 82 | IN RSA_KEY_TAG KeyTag,\r | |
| 83 | IN CONST UINT8 *BigNumber,\r | |
| 84 | IN UINTN BnLength\r | |
| 85 | )\r | |
| 86 | {\r | |
| 87 | RSA *RsaKey;\r | |
| 88 | \r | |
| 89 | //\r | |
| 90 | // ASSERT if RsaContext is NULL\r | |
| 91 | //\r | |
| 92 | ASSERT (RsaContext != NULL);\r | |
| 93 | \r | |
| 94 | \r | |
| 95 | RsaKey = (RSA *)RsaContext;\r | |
| 96 | //\r | |
| 97 | // Set RSA Key Components by converting octet string to OpenSSL BN representation.\r | |
| 98 | // NOTE: For RSA public key (used in signature verification), only public components\r | |
| 99 | // (N, e) are needed.\r | |
| 100 | //\r | |
| 101 | switch (KeyTag) {\r | |
| 102 | \r | |
| 103 | //\r | |
| 104 | // RSA Public Modulus (N)\r | |
| 105 | //\r | |
| 106 | case RsaKeyN:\r | |
| 107 | if (RsaKey->n != NULL) {\r | |
| 108 | BN_free (RsaKey->n);\r | |
| 109 | }\r | |
| 110 | RsaKey->n = BN_bin2bn (BigNumber, (int)BnLength, RsaKey->n);\r | |
| 111 | break;\r | |
| 112 | \r | |
| 113 | //\r | |
| 114 | // RSA Public Exponent (e)\r | |
| 115 | //\r | |
| 116 | case RsaKeyE:\r | |
| 117 | if (RsaKey->e != NULL) {\r | |
| 118 | BN_free (RsaKey->e);\r | |
| 119 | }\r | |
| 120 | RsaKey->e = BN_bin2bn (BigNumber, (int)BnLength, RsaKey->e);\r | |
| 121 | break;\r | |
| 122 | \r | |
| 123 | //\r | |
| 124 | // RSA Private Exponent (d)\r | |
| 125 | //\r | |
| 126 | case RsaKeyD:\r | |
| 127 | if (RsaKey->d != NULL) {\r | |
| 128 | BN_free (RsaKey->d);\r | |
| 129 | }\r | |
| 130 | RsaKey->d = BN_bin2bn (BigNumber, (int)BnLength, RsaKey->d);\r | |
| 131 | break;\r | |
| 132 | \r | |
| 133 | //\r | |
| 134 | // RSA Secret Prime Factor of Modulus (p)\r | |
| 135 | //\r | |
| 136 | case RsaKeyP:\r | |
| 137 | if (RsaKey->p != NULL) {\r | |
| 138 | BN_free (RsaKey->p);\r | |
| 139 | }\r | |
| 140 | RsaKey->p = BN_bin2bn (BigNumber, (int)BnLength, RsaKey->p);\r | |
| 141 | break;\r | |
| 142 | \r | |
| 143 | //\r | |
| 144 | // RSA Secret Prime Factor of Modules (q)\r | |
| 145 | //\r | |
| 146 | case RsaKeyQ:\r | |
| 147 | if (RsaKey->q != NULL) {\r | |
| 148 | BN_free (RsaKey->q);\r | |
| 149 | }\r | |
| 150 | RsaKey->q = BN_bin2bn (BigNumber, (int)BnLength, RsaKey->q);\r | |
| 151 | break;\r | |
| 152 | \r | |
| 153 | //\r | |
| 154 | // p's CRT Exponent (== d mod (p - 1))\r | |
| 155 | //\r | |
| 156 | case RsaKeyDp:\r | |
| 157 | if (RsaKey->dmp1 != NULL) {\r | |
| 158 | BN_free (RsaKey->dmp1);\r | |
| 159 | }\r | |
| 160 | RsaKey->dmp1 = BN_bin2bn (BigNumber, (int)BnLength, RsaKey->dmp1);\r | |
| 161 | break;\r | |
| 162 | \r | |
| 163 | //\r | |
| 164 | // q's CRT Exponent (== d mod (q - 1))\r | |
| 165 | //\r | |
| 166 | case RsaKeyDq:\r | |
| 167 | if (RsaKey->dmq1 != NULL) {\r | |
| 168 | BN_free (RsaKey->dmq1);\r | |
| 169 | }\r | |
| 170 | RsaKey->dmq1 = BN_bin2bn (BigNumber, (int)BnLength, RsaKey->dmq1);\r | |
| 171 | break;\r | |
| 172 | \r | |
| 173 | //\r | |
| 174 | // The CRT Coefficient (== 1/q mod p)\r | |
| 175 | //\r | |
| 176 | case RsaKeyQInv:\r | |
| 177 | if (RsaKey->iqmp != NULL) {\r | |
| 178 | BN_free (RsaKey->iqmp);\r | |
| 179 | }\r | |
| 180 | RsaKey->iqmp = BN_bin2bn (BigNumber, (int)BnLength, RsaKey->iqmp);\r | |
| 181 | break;\r | |
| 182 | \r | |
| 183 | default:\r | |
| 184 | return FALSE;\r | |
| 185 | }\r | |
| 186 | \r | |
| 187 | return TRUE;\r | |
| 188 | }\r | |
| 189 | \r | |
| 190 | \r | |
| 191 | /**\r | |
| 192 | Verifies the RSA-SSA signature with EMSA-PKCS1-v1_5 encoding scheme defined in\r | |
| 193 | RSA PKCS#1.\r | |
| 194 | \r | |
| 195 | If RsaContext is NULL, then ASSERT().\r | |
| 196 | If MessageHash is NULL, then ASSERT().\r | |
| 197 | If Signature is NULL, then ASSERT().\r | |
| 198 | If HashLength is not equal to the size of MD5, SHA-1 or SHA-256 digest, then ASSERT().\r | |
| 199 | \r | |
| 200 | @param[in] RsaContext Pointer to RSA context for signature verification.\r | |
| 201 | @param[in] MessageHash Pointer to octet message hash to be checked.\r | |
| 202 | @param[in] HashLength Length of the message hash in bytes.\r | |
| 203 | @param[in] Signature Pointer to RSA PKCS1-v1_5 signature to be verified.\r | |
| 204 | @param[in] SigLength Length of signature in bytes.\r | |
| 205 | \r | |
| 206 | @return TRUE Valid signature encoded in PKCS1-v1_5.\r | |
| 207 | @return FALSE Invalid signature or invalid RSA context.\r | |
| 208 | \r | |
| 209 | **/\r | |
| 210 | BOOLEAN\r | |
| 211 | EFIAPI\r | |
| 212 | RsaPkcs1Verify (\r | |
| 213 | IN VOID *RsaContext,\r | |
| 214 | IN CONST UINT8 *MessageHash,\r | |
| 215 | IN UINTN HashLength,\r | |
| 216 | IN UINT8 *Signature,\r | |
| 217 | IN UINTN SigLength\r | |
| 218 | )\r | |
| 219 | {\r | |
| 220 | INTN Length;\r | |
| 221 | \r | |
| 222 | //\r | |
| 223 | // ASSERT if RsaContext, MessageHash or Signature is NULL\r | |
| 224 | //\r | |
| 225 | ASSERT (RsaContext != NULL);\r | |
| 226 | ASSERT (MessageHash != NULL);\r | |
| 227 | ASSERT (Signature != NULL);\r | |
| 228 | \r | |
| 229 | //\r | |
| 230 | // ASSERT if unsupported hash length:\r | |
| 231 | // Only MD5, SHA-1 or SHA-256 digest size is supported\r | |
| 232 | //\r | |
| 233 | ASSERT ((HashLength == MD5_DIGEST_SIZE) || (HashLength == SHA1_DIGEST_SIZE) ||\r | |
| 234 | (HashLength == SHA256_DIGEST_SIZE));\r | |
| 235 | \r | |
| 236 | //\r | |
| 237 | // RSA PKCS#1 Signature Decoding using OpenSSL RSA Decryption with Public Key\r | |
| 238 | //\r | |
| 239 | Length = RSA_public_decrypt (\r | |
| 240 | (int)SigLength,\r | |
| 241 | Signature,\r | |
| 242 | Signature,\r | |
| 243 | RsaContext,\r | |
| 244 | RSA_PKCS1_PADDING\r | |
| 245 | );\r | |
| 246 | \r | |
| 247 | //\r | |
| 248 | // Invalid RSA Key or PKCS#1 Padding Checking Failed (if Length < 0)\r | |
| 249 | // NOTE: Length should be the addition of HashLength and some DER value.\r | |
| 250 | // Ignore more strict length checking here.\r | |
| 251 | //\r | |
| 252 | if (Length < (INTN) HashLength) {\r | |
| 253 | return FALSE;\r | |
| 254 | }\r | |
| 255 | \r | |
| 256 | //\r | |
| 257 | // Validate the MessageHash and Decoded Signature\r | |
| 258 | // NOTE: The decoded Signature should be the DER encoding of the DigestInfo value\r | |
| 259 | // DigestInfo ::= SEQUENCE {\r | |
| 260 | // digestAlgorithm AlgorithmIdentifier\r | |
| 261 | // digest OCTET STRING\r | |
| 262 | // }\r | |
| 263 | // Then Memory Comparing should skip the DER value of the underlying SEQUENCE\r | |
| 264 | // type and AlgorithmIdentifier.\r | |
| 265 | //\r | |
| 266 | if (CompareMem (MessageHash, Signature + Length - HashLength, HashLength) == 0) {\r | |
| 267 | //\r | |
| 268 | // Valid RSA PKCS#1 Signature\r | |
| 269 | //\r | |
| 270 | return TRUE;\r | |
| 271 | } else {\r | |
| 272 | //\r | |
| 273 | // Failed to verification\r | |
| 274 | //\r | |
| 275 | return FALSE;\r | |
| 276 | }\r | |
| 277 | }\r |