1/* 2 * Copyright 2006-2019 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10#include <stdio.h> 11#include "internal/cryptlib.h" 12#include <openssl/x509.h> 13#include <openssl/asn1.h> 14#include "dsa_local.h" 15#include <openssl/bn.h> 16#include <openssl/cms.h> 17#include "crypto/asn1.h" 18#include "crypto/evp.h" 19 20static int dsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey) 21{ 22 const unsigned char *p, *pm; 23 int pklen, pmlen; 24 int ptype; 25 const void *pval; 26 const ASN1_STRING *pstr; 27 X509_ALGOR *palg; 28 ASN1_INTEGER *public_key = NULL; 29 30 DSA *dsa = NULL; 31 32 if (!X509_PUBKEY_get0_param(NULL, &p, &pklen, &palg, pubkey)) 33 return 0; 34 X509_ALGOR_get0(NULL, &ptype, &pval, palg); 35 36 if (ptype == V_ASN1_SEQUENCE) { 37 pstr = pval; 38 pm = pstr->data; 39 pmlen = pstr->length; 40 41 if ((dsa = d2i_DSAparams(NULL, &pm, pmlen)) == NULL) { 42 DSAerr(DSA_F_DSA_PUB_DECODE, DSA_R_DECODE_ERROR); 43 goto err; 44 } 45 46 } else if ((ptype == V_ASN1_NULL) || (ptype == V_ASN1_UNDEF)) { 47 if ((dsa = DSA_new()) == NULL) { 48 DSAerr(DSA_F_DSA_PUB_DECODE, ERR_R_MALLOC_FAILURE); 49 goto err; 50 } 51 } else { 52 DSAerr(DSA_F_DSA_PUB_DECODE, DSA_R_PARAMETER_ENCODING_ERROR); 53 goto err; 54 } 55 56 if ((public_key = d2i_ASN1_INTEGER(NULL, &p, pklen)) == NULL) { 57 DSAerr(DSA_F_DSA_PUB_DECODE, DSA_R_DECODE_ERROR); 58 goto err; 59 } 60 61 if ((dsa->pub_key = ASN1_INTEGER_to_BN(public_key, NULL)) == NULL) { 62 DSAerr(DSA_F_DSA_PUB_DECODE, DSA_R_BN_DECODE_ERROR); 63 goto err; 64 } 65 66 ASN1_INTEGER_free(public_key); 67 EVP_PKEY_assign_DSA(pkey, dsa); 68 return 1; 69 70 err: 71 ASN1_INTEGER_free(public_key); 72 DSA_free(dsa); 73 return 0; 74 75} 76 77static int dsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey) 78{ 79 DSA *dsa; 80 int ptype; 81 unsigned char *penc = NULL; 82 int penclen; 83 ASN1_STRING *str = NULL; 84 ASN1_INTEGER *pubint = NULL; 85 ASN1_OBJECT *aobj; 86 87 dsa = pkey->pkey.dsa; 88 if (pkey->save_parameters && dsa->p && dsa->q && dsa->g) { 89 str = ASN1_STRING_new(); 90 if (str == NULL) { 91 DSAerr(DSA_F_DSA_PUB_ENCODE, ERR_R_MALLOC_FAILURE); 92 goto err; 93 } 94 str->length = i2d_DSAparams(dsa, &str->data); 95 if (str->length <= 0) { 96 DSAerr(DSA_F_DSA_PUB_ENCODE, ERR_R_MALLOC_FAILURE); 97 goto err; 98 } 99 ptype = V_ASN1_SEQUENCE; 100 } else 101 ptype = V_ASN1_UNDEF; 102 103 pubint = BN_to_ASN1_INTEGER(dsa->pub_key, NULL); 104 105 if (pubint == NULL) { 106 DSAerr(DSA_F_DSA_PUB_ENCODE, ERR_R_MALLOC_FAILURE); 107 goto err; 108 } 109 110 penclen = i2d_ASN1_INTEGER(pubint, &penc); 111 ASN1_INTEGER_free(pubint); 112 113 if (penclen <= 0) { 114 DSAerr(DSA_F_DSA_PUB_ENCODE, ERR_R_MALLOC_FAILURE); 115 goto err; 116 } 117 118 aobj = OBJ_nid2obj(EVP_PKEY_DSA); 119 if (aobj == NULL) 120 goto err; 121 122 if (X509_PUBKEY_set0_param(pk, aobj, ptype, str, penc, penclen)) 123 return 1; 124 125 err: 126 OPENSSL_free(penc); 127 ASN1_STRING_free(str); 128 129 return 0; 130} 131 132/* 133 * In PKCS#8 DSA: you just get a private key integer and parameters in the 134 * AlgorithmIdentifier the pubkey must be recalculated. 135 */ 136 137static int dsa_priv_decode(EVP_PKEY *pkey, const PKCS8_PRIV_KEY_INFO *p8) 138{ 139 const unsigned char *p, *pm; 140 int pklen, pmlen; 141 int ptype; 142 const void *pval; 143 const ASN1_STRING *pstr; 144 const X509_ALGOR *palg; 145 ASN1_INTEGER *privkey = NULL; 146 BN_CTX *ctx = NULL; 147 148 DSA *dsa = NULL; 149 150 int ret = 0; 151 152 if (!PKCS8_pkey_get0(NULL, &p, &pklen, &palg, p8)) 153 return 0; 154 X509_ALGOR_get0(NULL, &ptype, &pval, palg); 155 156 if ((privkey = d2i_ASN1_INTEGER(NULL, &p, pklen)) == NULL) 157 goto decerr; 158 if (privkey->type == V_ASN1_NEG_INTEGER || ptype != V_ASN1_SEQUENCE) 159 goto decerr; 160 161 pstr = pval; 162 pm = pstr->data; 163 pmlen = pstr->length; 164 if ((dsa = d2i_DSAparams(NULL, &pm, pmlen)) == NULL) 165 goto decerr; 166 /* We have parameters now set private key */ 167 if ((dsa->priv_key = BN_secure_new()) == NULL 168 || !ASN1_INTEGER_to_BN(privkey, dsa->priv_key)) { 169 DSAerr(DSA_F_DSA_PRIV_DECODE, DSA_R_BN_ERROR); 170 goto dsaerr; 171 } 172 /* Calculate public key */ 173 if ((dsa->pub_key = BN_new()) == NULL) { 174 DSAerr(DSA_F_DSA_PRIV_DECODE, ERR_R_MALLOC_FAILURE); 175 goto dsaerr; 176 } 177 if ((ctx = BN_CTX_new()) == NULL) { 178 DSAerr(DSA_F_DSA_PRIV_DECODE, ERR_R_MALLOC_FAILURE); 179 goto dsaerr; 180 } 181 182 BN_set_flags(dsa->priv_key, BN_FLG_CONSTTIME); 183 if (!BN_mod_exp(dsa->pub_key, dsa->g, dsa->priv_key, dsa->p, ctx)) { 184 DSAerr(DSA_F_DSA_PRIV_DECODE, DSA_R_BN_ERROR); 185 goto dsaerr; 186 } 187 188 EVP_PKEY_assign_DSA(pkey, dsa); 189 190 ret = 1; 191 goto done; 192 193 decerr: 194 DSAerr(DSA_F_DSA_PRIV_DECODE, DSA_R_DECODE_ERROR); 195 dsaerr: 196 DSA_free(dsa); 197 done: 198 BN_CTX_free(ctx); 199 ASN1_STRING_clear_free(privkey); 200 return ret; 201} 202 203static int dsa_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey) 204{ 205 ASN1_STRING *params = NULL; 206 ASN1_INTEGER *prkey = NULL; 207 unsigned char *dp = NULL; 208 int dplen; 209 210 if (!pkey->pkey.dsa || !pkey->pkey.dsa->priv_key) { 211 DSAerr(DSA_F_DSA_PRIV_ENCODE, DSA_R_MISSING_PARAMETERS); 212 goto err; 213 } 214 215 params = ASN1_STRING_new(); 216 217 if (params == NULL) { 218 DSAerr(DSA_F_DSA_PRIV_ENCODE, ERR_R_MALLOC_FAILURE); 219 goto err; 220 } 221 222 params->length = i2d_DSAparams(pkey->pkey.dsa, ¶ms->data); 223 if (params->length <= 0) { 224 DSAerr(DSA_F_DSA_PRIV_ENCODE, ERR_R_MALLOC_FAILURE); 225 goto err; 226 } 227 params->type = V_ASN1_SEQUENCE; 228 229 /* Get private key into integer */ 230 prkey = BN_to_ASN1_INTEGER(pkey->pkey.dsa->priv_key, NULL); 231 232 if (!prkey) { 233 DSAerr(DSA_F_DSA_PRIV_ENCODE, DSA_R_BN_ERROR); 234 goto err; 235 } 236 237 dplen = i2d_ASN1_INTEGER(prkey, &dp); 238 239 ASN1_STRING_clear_free(prkey); 240 prkey = NULL; 241 242 if (!PKCS8_pkey_set0(p8, OBJ_nid2obj(NID_dsa), 0, 243 V_ASN1_SEQUENCE, params, dp, dplen)) 244 goto err; 245 246 return 1; 247 248 err: 249 OPENSSL_free(dp); 250 ASN1_STRING_free(params); 251 ASN1_STRING_clear_free(prkey); 252 return 0; 253} 254 255static int int_dsa_size(const EVP_PKEY *pkey) 256{ 257 return DSA_size(pkey->pkey.dsa); 258} 259 260static int dsa_bits(const EVP_PKEY *pkey) 261{ 262 return DSA_bits(pkey->pkey.dsa); 263} 264 265static int dsa_security_bits(const EVP_PKEY *pkey) 266{ 267 return DSA_security_bits(pkey->pkey.dsa); 268} 269 270static int dsa_missing_parameters(const EVP_PKEY *pkey) 271{ 272 DSA *dsa; 273 dsa = pkey->pkey.dsa; 274 if (dsa == NULL || dsa->p == NULL || dsa->q == NULL || dsa->g == NULL) 275 return 1; 276 return 0; 277} 278 279static int dsa_copy_parameters(EVP_PKEY *to, const EVP_PKEY *from) 280{ 281 BIGNUM *a; 282 283 if (to->pkey.dsa == NULL) { 284 to->pkey.dsa = DSA_new(); 285 if (to->pkey.dsa == NULL) 286 return 0; 287 } 288 289 if ((a = BN_dup(from->pkey.dsa->p)) == NULL) 290 return 0; 291 BN_free(to->pkey.dsa->p); 292 to->pkey.dsa->p = a; 293 294 if ((a = BN_dup(from->pkey.dsa->q)) == NULL) 295 return 0; 296 BN_free(to->pkey.dsa->q); 297 to->pkey.dsa->q = a; 298 299 if ((a = BN_dup(from->pkey.dsa->g)) == NULL) 300 return 0; 301 BN_free(to->pkey.dsa->g); 302 to->pkey.dsa->g = a; 303 return 1; 304} 305 306static int dsa_cmp_parameters(const EVP_PKEY *a, const EVP_PKEY *b) 307{ 308 if (BN_cmp(a->pkey.dsa->p, b->pkey.dsa->p) || 309 BN_cmp(a->pkey.dsa->q, b->pkey.dsa->q) || 310 BN_cmp(a->pkey.dsa->g, b->pkey.dsa->g)) 311 return 0; 312 else 313 return 1; 314} 315 316static int dsa_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b) 317{ 318 if (BN_cmp(b->pkey.dsa->pub_key, a->pkey.dsa->pub_key) != 0) 319 return 0; 320 else 321 return 1; 322} 323 324static void int_dsa_free(EVP_PKEY *pkey) 325{ 326 DSA_free(pkey->pkey.dsa); 327} 328 329static int do_dsa_print(BIO *bp, const DSA *x, int off, int ptype) 330{ 331 int ret = 0; 332 const char *ktype = NULL; 333 const BIGNUM *priv_key, *pub_key; 334 335 if (ptype == 2) 336 priv_key = x->priv_key; 337 else 338 priv_key = NULL; 339 340 if (ptype > 0) 341 pub_key = x->pub_key; 342 else 343 pub_key = NULL; 344 345 if (ptype == 2) 346 ktype = "Private-Key"; 347 else if (ptype == 1) 348 ktype = "Public-Key"; 349 else 350 ktype = "DSA-Parameters"; 351 352 if (priv_key) { 353 if (!BIO_indent(bp, off, 128)) 354 goto err; 355 if (BIO_printf(bp, "%s: (%d bit)\n", ktype, BN_num_bits(x->p)) 356 <= 0) 357 goto err; 358 } 359 360 if (!ASN1_bn_print(bp, "priv:", priv_key, NULL, off)) 361 goto err; 362 if (!ASN1_bn_print(bp, "pub: ", pub_key, NULL, off)) 363 goto err; 364 if (!ASN1_bn_print(bp, "P: ", x->p, NULL, off)) 365 goto err; 366 if (!ASN1_bn_print(bp, "Q: ", x->q, NULL, off)) 367 goto err; 368 if (!ASN1_bn_print(bp, "G: ", x->g, NULL, off)) 369 goto err; 370 ret = 1; 371 err: 372 return ret; 373} 374 375static int dsa_param_decode(EVP_PKEY *pkey, 376 const unsigned char **pder, int derlen) 377{ 378 DSA *dsa; 379 380 if ((dsa = d2i_DSAparams(NULL, pder, derlen)) == NULL) { 381 DSAerr(DSA_F_DSA_PARAM_DECODE, ERR_R_DSA_LIB); 382 return 0; 383 } 384 EVP_PKEY_assign_DSA(pkey, dsa); 385 return 1; 386} 387 388static int dsa_param_encode(const EVP_PKEY *pkey, unsigned char **pder) 389{ 390 return i2d_DSAparams(pkey->pkey.dsa, pder); 391} 392 393static int dsa_param_print(BIO *bp, const EVP_PKEY *pkey, int indent, 394 ASN1_PCTX *ctx) 395{ 396 return do_dsa_print(bp, pkey->pkey.dsa, indent, 0); 397} 398 399static int dsa_pub_print(BIO *bp, const EVP_PKEY *pkey, int indent, 400 ASN1_PCTX *ctx) 401{ 402 return do_dsa_print(bp, pkey->pkey.dsa, indent, 1); 403} 404 405static int dsa_priv_print(BIO *bp, const EVP_PKEY *pkey, int indent, 406 ASN1_PCTX *ctx) 407{ 408 return do_dsa_print(bp, pkey->pkey.dsa, indent, 2); 409} 410 411static int old_dsa_priv_decode(EVP_PKEY *pkey, 412 const unsigned char **pder, int derlen) 413{ 414 DSA *dsa; 415 416 if ((dsa = d2i_DSAPrivateKey(NULL, pder, derlen)) == NULL) { 417 DSAerr(DSA_F_OLD_DSA_PRIV_DECODE, ERR_R_DSA_LIB); 418 return 0; 419 } 420 EVP_PKEY_assign_DSA(pkey, dsa); 421 return 1; 422} 423 424static int old_dsa_priv_encode(const EVP_PKEY *pkey, unsigned char **pder) 425{ 426 return i2d_DSAPrivateKey(pkey->pkey.dsa, pder); 427} 428 429static int dsa_sig_print(BIO *bp, const X509_ALGOR *sigalg, 430 const ASN1_STRING *sig, int indent, ASN1_PCTX *pctx) 431{ 432 DSA_SIG *dsa_sig; 433 const unsigned char *p; 434 435 if (!sig) { 436 if (BIO_puts(bp, "\n") <= 0) 437 return 0; 438 else 439 return 1; 440 } 441 p = sig->data; 442 dsa_sig = d2i_DSA_SIG(NULL, &p, sig->length); 443 if (dsa_sig) { 444 int rv = 0; 445 const BIGNUM *r, *s; 446 447 DSA_SIG_get0(dsa_sig, &r, &s); 448 449 if (BIO_write(bp, "\n", 1) != 1) 450 goto err; 451 452 if (!ASN1_bn_print(bp, "r: ", r, NULL, indent)) 453 goto err; 454 if (!ASN1_bn_print(bp, "s: ", s, NULL, indent)) 455 goto err; 456 rv = 1; 457 err: 458 DSA_SIG_free(dsa_sig); 459 return rv; 460 } 461 return X509_signature_dump(bp, sig, indent); 462} 463 464static int dsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2) 465{ 466 switch (op) { 467 case ASN1_PKEY_CTRL_PKCS7_SIGN: 468 if (arg1 == 0) { 469 int snid, hnid; 470 X509_ALGOR *alg1, *alg2; 471 PKCS7_SIGNER_INFO_get0_algs(arg2, NULL, &alg1, &alg2); 472 if (alg1 == NULL || alg1->algorithm == NULL) 473 return -1; 474 hnid = OBJ_obj2nid(alg1->algorithm); 475 if (hnid == NID_undef) 476 return -1; 477 if (!OBJ_find_sigid_by_algs(&snid, hnid, EVP_PKEY_id(pkey))) 478 return -1; 479 X509_ALGOR_set0(alg2, OBJ_nid2obj(snid), V_ASN1_UNDEF, 0); 480 } 481 return 1; 482#ifndef OPENSSL_NO_CMS 483 case ASN1_PKEY_CTRL_CMS_SIGN: 484 if (arg1 == 0) { 485 int snid, hnid; 486 X509_ALGOR *alg1, *alg2; 487 CMS_SignerInfo_get0_algs(arg2, NULL, NULL, &alg1, &alg2); 488 if (alg1 == NULL || alg1->algorithm == NULL) 489 return -1; 490 hnid = OBJ_obj2nid(alg1->algorithm); 491 if (hnid == NID_undef) 492 return -1; 493 if (!OBJ_find_sigid_by_algs(&snid, hnid, EVP_PKEY_id(pkey))) 494 return -1; 495 X509_ALGOR_set0(alg2, OBJ_nid2obj(snid), V_ASN1_UNDEF, 0); 496 } 497 return 1; 498 499 case ASN1_PKEY_CTRL_CMS_RI_TYPE: 500 *(int *)arg2 = CMS_RECIPINFO_NONE; 501 return 1; 502#endif 503 504 case ASN1_PKEY_CTRL_DEFAULT_MD_NID: 505 *(int *)arg2 = NID_sha256; 506 return 1; 507 508 default: 509 return -2; 510 511 } 512 513} 514 515/* NB these are sorted in pkey_id order, lowest first */ 516 517const EVP_PKEY_ASN1_METHOD dsa_asn1_meths[5] = { 518 519 { 520 EVP_PKEY_DSA2, 521 EVP_PKEY_DSA, 522 ASN1_PKEY_ALIAS}, 523 524 { 525 EVP_PKEY_DSA1, 526 EVP_PKEY_DSA, 527 ASN1_PKEY_ALIAS}, 528 529 { 530 EVP_PKEY_DSA4, 531 EVP_PKEY_DSA, 532 ASN1_PKEY_ALIAS}, 533 534 { 535 EVP_PKEY_DSA3, 536 EVP_PKEY_DSA, 537 ASN1_PKEY_ALIAS}, 538 539 { 540 EVP_PKEY_DSA, 541 EVP_PKEY_DSA, 542 0, 543 544 "DSA", 545 "OpenSSL DSA method", 546 547 dsa_pub_decode, 548 dsa_pub_encode, 549 dsa_pub_cmp, 550 dsa_pub_print, 551 552 dsa_priv_decode, 553 dsa_priv_encode, 554 dsa_priv_print, 555 556 int_dsa_size, 557 dsa_bits, 558 dsa_security_bits, 559 560 dsa_param_decode, 561 dsa_param_encode, 562 dsa_missing_parameters, 563 dsa_copy_parameters, 564 dsa_cmp_parameters, 565 dsa_param_print, 566 dsa_sig_print, 567 568 int_dsa_free, 569 dsa_pkey_ctrl, 570 old_dsa_priv_decode, 571 old_dsa_priv_encode} 572}; 573