2 RSA Asymmetric Cipher Wrapper Implementation over OpenSSL.
4 Copyright (c) 2009 - 2012, Intel Corporation. All rights reserved.<BR>
5 This program and the accompanying materials
6 are licensed and made available under the terms and conditions of the BSD License
7 which accompanies this distribution. The full text of the license may be found at
8 http://opensource.org/licenses/bsd-license.php
10 THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
11 WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
15 #include "InternalCryptLib.h"
17 #include <openssl/rsa.h>
18 #include <openssl/err.h>
21 // ASN.1 value for Hash Algorithm ID with the Distringuished Encoding Rules (DER)
22 // Refer to Section 9.2 of PKCS#1 v2.1
24 CONST UINT8 Asn1IdMd5
[] = {
25 0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86,
26 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 0x04, 0x10
29 CONST UINT8 Asn1IdSha1
[] = {
30 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e,
31 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14
34 CONST UINT8 Asn1IdSha256
[] = {
35 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86,
36 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05,
42 Allocates and initializes one RSA context for subsequent use.
44 @return Pointer to the RSA context that has been initialized.
45 If the allocations fails, RsaNew() returns NULL.
55 // Allocates & Initializes RSA Context by OpenSSL RSA_new()
57 return (VOID
*)RSA_new ();
61 Release the specified RSA context.
63 If RsaContext is NULL, then return FALSE.
65 @param[in] RsaContext Pointer to the RSA context to be released.
75 // Free OpenSSL RSA Context
77 RSA_free ((RSA
*)RsaContext
);
81 Sets the tag-designated key component into the established RSA context.
83 This function sets the tag-designated RSA key component into the established
84 RSA context from the user-specified non-negative integer (octet string format
85 represented in RSA PKCS#1).
86 If BigNumber is NULL, then the specified key componenet in RSA context is cleared.
88 If RsaContext is NULL, then return FALSE.
90 @param[in, out] RsaContext Pointer to RSA context being set.
91 @param[in] KeyTag Tag of RSA key component being set.
92 @param[in] BigNumber Pointer to octet integer buffer.
93 If NULL, then the specified key componenet in RSA
95 @param[in] BnSize Size of big number buffer in bytes.
96 If BigNumber is NULL, then it is ignored.
98 @retval TRUE RSA key component was set successfully.
99 @retval FALSE Invalid RSA key component tag.
105 IN OUT VOID
*RsaContext
,
106 IN RSA_KEY_TAG KeyTag
,
107 IN CONST UINT8
*BigNumber
,
114 // Check input parameters.
116 if (RsaContext
== NULL
) {
120 RsaKey
= (RSA
*)RsaContext
;
122 // Set RSA Key Components by converting octet string to OpenSSL BN representation.
123 // NOTE: For RSA public key (used in signature verification), only public components
124 // (N, e) are needed.
129 // RSA Public Modulus (N)
132 if (RsaKey
->n
!= NULL
) {
136 if (BigNumber
== NULL
) {
139 RsaKey
->n
= BN_bin2bn (BigNumber
, (UINT32
) BnSize
, RsaKey
->n
);
143 // RSA Public Exponent (e)
146 if (RsaKey
->e
!= NULL
) {
150 if (BigNumber
== NULL
) {
153 RsaKey
->e
= BN_bin2bn (BigNumber
, (UINT32
) BnSize
, RsaKey
->e
);
157 // RSA Private Exponent (d)
160 if (RsaKey
->d
!= NULL
) {
164 if (BigNumber
== NULL
) {
167 RsaKey
->d
= BN_bin2bn (BigNumber
, (UINT32
) BnSize
, RsaKey
->d
);
171 // RSA Secret Prime Factor of Modulus (p)
174 if (RsaKey
->p
!= NULL
) {
178 if (BigNumber
== NULL
) {
181 RsaKey
->p
= BN_bin2bn (BigNumber
, (UINT32
) BnSize
, RsaKey
->p
);
185 // RSA Secret Prime Factor of Modules (q)
188 if (RsaKey
->q
!= NULL
) {
192 if (BigNumber
== NULL
) {
195 RsaKey
->q
= BN_bin2bn (BigNumber
, (UINT32
) BnSize
, RsaKey
->q
);
199 // p's CRT Exponent (== d mod (p - 1))
202 if (RsaKey
->dmp1
!= NULL
) {
203 BN_free (RsaKey
->dmp1
);
206 if (BigNumber
== NULL
) {
209 RsaKey
->dmp1
= BN_bin2bn (BigNumber
, (UINT32
) BnSize
, RsaKey
->dmp1
);
213 // q's CRT Exponent (== d mod (q - 1))
216 if (RsaKey
->dmq1
!= NULL
) {
217 BN_free (RsaKey
->dmq1
);
220 if (BigNumber
== NULL
) {
223 RsaKey
->dmq1
= BN_bin2bn (BigNumber
, (UINT32
) BnSize
, RsaKey
->dmq1
);
227 // The CRT Coefficient (== 1/q mod p)
230 if (RsaKey
->iqmp
!= NULL
) {
231 BN_free (RsaKey
->iqmp
);
234 if (BigNumber
== NULL
) {
237 RsaKey
->iqmp
= BN_bin2bn (BigNumber
, (UINT32
) BnSize
, RsaKey
->iqmp
);
248 Gets the tag-designated RSA key component from the established RSA context.
250 This function retrieves the tag-designated RSA key component from the
251 established RSA context as a non-negative integer (octet string format
252 represented in RSA PKCS#1).
253 If specified key component has not been set or has been cleared, then returned
255 If the BigNumber buffer is too small to hold the contents of the key, FALSE
256 is returned and BnSize is set to the required buffer size to obtain the key.
258 If RsaContext is NULL, then return FALSE.
259 If BnSize is NULL, then return FALSE.
260 If BnSize is large enough but BigNumber is NULL, then return FALSE.
262 @param[in, out] RsaContext Pointer to RSA context being set.
263 @param[in] KeyTag Tag of RSA key component being set.
264 @param[out] BigNumber Pointer to octet integer buffer.
265 @param[in, out] BnSize On input, the size of big number buffer in bytes.
266 On output, the size of data returned in big number buffer in bytes.
268 @retval TRUE RSA key component was retrieved successfully.
269 @retval FALSE Invalid RSA key component tag.
270 @retval FALSE BnSize is too small.
276 IN OUT VOID
*RsaContext
,
277 IN RSA_KEY_TAG KeyTag
,
278 OUT UINT8
*BigNumber
,
287 // Check input parameters.
289 if (RsaContext
== NULL
|| BnSize
== NULL
) {
293 RsaKey
= (RSA
*) RsaContext
;
300 // RSA Public Modulus (N)
303 if (RsaKey
->n
== NULL
) {
310 // RSA Public Exponent (e)
313 if (RsaKey
->e
== NULL
) {
320 // RSA Private Exponent (d)
323 if (RsaKey
->d
== NULL
) {
330 // RSA Secret Prime Factor of Modulus (p)
333 if (RsaKey
->p
== NULL
) {
340 // RSA Secret Prime Factor of Modules (q)
343 if (RsaKey
->q
== NULL
) {
350 // p's CRT Exponent (== d mod (p - 1))
353 if (RsaKey
->dmp1
== NULL
) {
356 BnKey
= RsaKey
->dmp1
;
360 // q's CRT Exponent (== d mod (q - 1))
363 if (RsaKey
->dmq1
== NULL
) {
366 BnKey
= RsaKey
->dmq1
;
370 // The CRT Coefficient (== 1/q mod p)
373 if (RsaKey
->iqmp
== NULL
) {
376 BnKey
= RsaKey
->iqmp
;
384 Size
= BN_num_bytes (BnKey
);
386 if (*BnSize
< Size
) {
391 if (BigNumber
== NULL
) {
394 *BnSize
= BN_bn2bin (BnKey
, BigNumber
) ;
400 Generates RSA key components.
402 This function generates RSA key components. It takes RSA public exponent E and
403 length in bits of RSA modulus N as input, and generates all key components.
404 If PublicExponent is NULL, the default RSA public exponent (0x10001) will be used.
406 Before this function can be invoked, pseudorandom number generator must be correctly
407 initialized by RandomSeed().
409 If RsaContext is NULL, then return FALSE.
411 @param[in, out] RsaContext Pointer to RSA context being set.
412 @param[in] ModulusLength Length of RSA modulus N in bits.
413 @param[in] PublicExponent Pointer to RSA public exponent.
414 @param[in] PublicExponentSize Size of RSA public exponent buffer in bytes.
416 @retval TRUE RSA key component was generated successfully.
417 @retval FALSE Invalid RSA key component tag.
423 IN OUT VOID
*RsaContext
,
424 IN UINTN ModulusLength
,
425 IN CONST UINT8
*PublicExponent
,
426 IN UINTN PublicExponentSize
433 // Check input parameters.
435 if (RsaContext
== NULL
) {
440 if (PublicExponent
== NULL
) {
441 BN_set_word (KeyE
, 0x10001);
443 BN_bin2bn (PublicExponent
, (UINT32
) PublicExponentSize
, KeyE
);
447 if (RSA_generate_key_ex ((RSA
*) RsaContext
, (UINT32
) ModulusLength
, KeyE
, NULL
) == 1) {
456 Validates key components of RSA context.
458 This function validates key compoents of RSA context in following aspects:
459 - Whether p is a prime
460 - Whether q is a prime
462 - Whether d*e = 1 mod lcm(p-1,q-1)
464 If RsaContext is NULL, then return FALSE.
466 @param[in] RsaContext Pointer to RSA context to check.
468 @retval TRUE RSA key components are valid.
469 @retval FALSE RSA key components are not valid.
481 // Check input parameters.
483 if (RsaContext
== NULL
) {
487 if (RSA_check_key ((RSA
*) RsaContext
) != 1) {
488 Reason
= ERR_GET_REASON (ERR_peek_last_error ());
489 if (Reason
== RSA_R_P_NOT_PRIME
||
490 Reason
== RSA_R_Q_NOT_PRIME
||
491 Reason
== RSA_R_N_DOES_NOT_EQUAL_P_Q
||
492 Reason
== RSA_R_D_E_NOT_CONGRUENT_TO_1
) {
501 Performs the PKCS1-v1_5 encoding methods defined in RSA PKCS #1.
503 @param Message Message buffer to be encoded.
504 @param MessageSize Size of message buffer in bytes.
505 @param DigestInfo Pointer to buffer of digest info for output.
507 @return Size of DigestInfo in bytes.
512 IN CONST UINT8
*Message
,
513 IN UINTN MessageSize
,
514 OUT UINT8
*DigestInfo
517 CONST UINT8
*HashDer
;
521 // Check input parameters.
523 if (Message
== NULL
|| DigestInfo
== NULL
) {
528 // The original message length is used to determine the hash algorithm since
529 // message is digest value hashed by the specified algorithm.
531 switch (MessageSize
) {
532 case MD5_DIGEST_SIZE
:
534 DerSize
= sizeof (Asn1IdMd5
);
537 case SHA1_DIGEST_SIZE
:
538 HashDer
= Asn1IdSha1
;
539 DerSize
= sizeof (Asn1IdSha1
);
542 case SHA256_DIGEST_SIZE
:
543 HashDer
= Asn1IdSha256
;
544 DerSize
= sizeof (Asn1IdSha256
);
551 CopyMem (DigestInfo
, HashDer
, DerSize
);
552 CopyMem (DigestInfo
+ DerSize
, Message
, MessageSize
);
554 return (DerSize
+ MessageSize
);
558 Carries out the RSA-SSA signature generation with EMSA-PKCS1-v1_5 encoding scheme.
560 This function carries out the RSA-SSA signature generation with EMSA-PKCS1-v1_5 encoding scheme defined in
562 If the Signature buffer is too small to hold the contents of signature, FALSE
563 is returned and SigSize is set to the required buffer size to obtain the signature.
565 If RsaContext is NULL, then return FALSE.
566 If MessageHash is NULL, then return FALSE.
567 If HashSize is not equal to the size of MD5, SHA-1 or SHA-256 digest, then return FALSE.
568 If SigSize is large enough but Signature is NULL, then return FALSE.
570 @param[in] RsaContext Pointer to RSA context for signature generation.
571 @param[in] MessageHash Pointer to octet message hash to be signed.
572 @param[in] HashSize Size of the message hash in bytes.
573 @param[out] Signature Pointer to buffer to receive RSA PKCS1-v1_5 signature.
574 @param[in, out] SigSize On input, the size of Signature buffer in bytes.
575 On output, the size of data returned in Signature buffer in bytes.
577 @retval TRUE Signature successfully generated in PKCS1-v1_5.
578 @retval FALSE Signature generation failed.
579 @retval FALSE SigSize is too small.
586 IN CONST UINT8
*MessageHash
,
588 OUT UINT8
*Signature
,
589 IN OUT UINTN
*SigSize
597 // Check input parameters.
599 if (RsaContext
== NULL
|| MessageHash
== NULL
||
600 (HashSize
!= MD5_DIGEST_SIZE
&& HashSize
!= SHA1_DIGEST_SIZE
&& HashSize
!= SHA256_DIGEST_SIZE
)) {
604 Rsa
= (RSA
*) RsaContext
;
605 Size
= BN_num_bytes (Rsa
->n
);
607 if (*SigSize
< Size
) {
612 if (Signature
== NULL
) {
616 Size
= DigestInfoEncoding (MessageHash
, HashSize
, Signature
);
618 ReturnVal
= RSA_private_encrypt (
626 if (ReturnVal
< (INTN
) Size
) {
630 *SigSize
= (UINTN
)ReturnVal
;
635 Verifies the RSA-SSA signature with EMSA-PKCS1-v1_5 encoding scheme defined in
638 If RsaContext is NULL, then return FALSE.
639 If MessageHash is NULL, then return FALSE.
640 If Signature is NULL, then return FALSE.
641 If HashSize is not equal to the size of MD5, SHA-1 or SHA-256 digest, then return FALSE.
643 @param[in] RsaContext Pointer to RSA context for signature verification.
644 @param[in] MessageHash Pointer to octet message hash to be checked.
645 @param[in] HashSize Size of the message hash in bytes.
646 @param[in] Signature Pointer to RSA PKCS1-v1_5 signature to be verified.
647 @param[in] SigSize Size of signature in bytes.
649 @retval TRUE Valid signature encoded in PKCS1-v1_5.
650 @retval FALSE Invalid signature or invalid RSA context.
657 IN CONST UINT8
*MessageHash
,
666 // Check input parameters.
668 if (RsaContext
== NULL
|| MessageHash
== NULL
|| Signature
== NULL
) {
674 // Check for unsupported hash size:
675 // Only MD5, SHA-1 or SHA-256 digest size is supported
677 if (HashSize
!= MD5_DIGEST_SIZE
&& HashSize
!= SHA1_DIGEST_SIZE
&& HashSize
!= SHA256_DIGEST_SIZE
) {
682 // RSA PKCS#1 Signature Decoding using OpenSSL RSA Decryption with Public Key
684 Length
= RSA_public_decrypt (
693 // Invalid RSA Key or PKCS#1 Padding Checking Failed (if Length < 0)
694 // NOTE: Length should be the addition of HashSize and some DER value.
695 // Ignore more strict length checking here.
697 if (Length
< (INTN
) HashSize
) {
702 // Validate the MessageHash and Decoded Signature
703 // NOTE: The decoded Signature should be the DER encoding of the DigestInfo value
704 // DigestInfo ::= SEQUENCE {
705 // digestAlgorithm AlgorithmIdentifier
706 // digest OCTET STRING
708 // Then Memory Comparing should skip the DER value of the underlying SEQUENCE
709 // type and AlgorithmIdentifier.
711 if (CompareMem (MessageHash
, Signature
+ Length
- HashSize
, HashSize
) == 0) {
713 // Valid RSA PKCS#1 Signature
718 // Failed to verification