Botan  2.7.0
Crypto and TLS for C++11
openssl_rsa.cpp
Go to the documentation of this file.
1 /*
2 * RSA operations provided by OpenSSL
3 * (C) 2015 Jack Lloyd
4 * (C) 2017 Alexander Bluhm
5 *
6 * Botan is released under the Simplified BSD License (see license.txt)
7 */
8 
9 #include <botan/internal/openssl.h>
10 
11 #if defined(BOTAN_HAS_RSA)
12 
13 #include <botan/rsa.h>
14 #include <botan/rng.h>
15 #include <botan/internal/pk_ops_impl.h>
16 #include <botan/internal/ct_utils.h>
17 
18 #include <functional>
19 #include <memory>
20 #include <cstdlib>
21 
22 #include <openssl/rsa.h>
23 #include <openssl/x509.h>
24 #include <openssl/err.h>
25 #include <openssl/rand.h>
26 #include <limits.h>
27 
28 namespace Botan {
29 
30 namespace {
31 
32 std::pair<int, size_t> get_openssl_enc_pad(const std::string& eme)
33  {
34  if(eme == "Raw")
35  return std::make_pair(RSA_NO_PADDING, 0);
36  else if(eme == "EME-PKCS1-v1_5")
37  return std::make_pair(RSA_PKCS1_PADDING, 11);
38  else if(eme == "OAEP(SHA-1)" || eme == "EME1(SHA-1)")
39  return std::make_pair(RSA_PKCS1_OAEP_PADDING, 41);
40  else
41  throw Lookup_Error("OpenSSL RSA does not support EME " + eme);
42  }
43 
44 class OpenSSL_RSA_Encryption_Operation final : public PK_Ops::Encryption
45  {
46  public:
47 
48  OpenSSL_RSA_Encryption_Operation(const RSA_PublicKey& rsa, int pad, size_t pad_overhead) :
49  m_openssl_rsa(nullptr, ::RSA_free), m_padding(pad)
50  {
51  const std::vector<uint8_t> der = rsa.public_key_bits();
52  const uint8_t* der_ptr = der.data();
53  m_openssl_rsa.reset(::d2i_RSAPublicKey(nullptr, &der_ptr, der.size()));
54  if(!m_openssl_rsa)
55  throw OpenSSL_Error("d2i_RSAPublicKey");
56 
57  m_bits = 8 * (n_size() - pad_overhead) - 1;
58  }
59 
60  size_t max_input_bits() const override { return m_bits; };
61 
62  secure_vector<uint8_t> encrypt(const uint8_t msg[], size_t msg_len,
63  RandomNumberGenerator&) override
64  {
65  const size_t mod_sz = n_size();
66 
67  if(msg_len > mod_sz)
68  throw Invalid_Argument("Input too large for RSA key");
69 
70  secure_vector<uint8_t> outbuf(mod_sz);
71 
72  secure_vector<uint8_t> inbuf;
73 
74  if(m_padding == RSA_NO_PADDING)
75  {
76  inbuf.resize(mod_sz);
77  copy_mem(&inbuf[mod_sz - msg_len], msg, msg_len);
78  }
79  else
80  {
81  inbuf.assign(msg, msg + msg_len);
82  }
83 
84  int rc = ::RSA_public_encrypt(inbuf.size(), inbuf.data(), outbuf.data(),
85  m_openssl_rsa.get(), m_padding);
86  if(rc < 0)
87  throw OpenSSL_Error("RSA_public_encrypt");
88 
89  return outbuf;
90  }
91 
92  private:
93  size_t n_size() const { return ::RSA_size(m_openssl_rsa.get()); }
94  std::unique_ptr<RSA, std::function<void (RSA*)>> m_openssl_rsa;
95  size_t m_bits = 0;
96  int m_padding = 0;
97  };
98 
99 class OpenSSL_RSA_Decryption_Operation final : public PK_Ops::Decryption
100  {
101  public:
102 
103  OpenSSL_RSA_Decryption_Operation(const RSA_PrivateKey& rsa, int pad) :
104  m_openssl_rsa(nullptr, ::RSA_free), m_padding(pad)
105  {
106  const secure_vector<uint8_t> der = rsa.private_key_bits();
107  const uint8_t* der_ptr = der.data();
108  m_openssl_rsa.reset(d2i_RSAPrivateKey(nullptr, &der_ptr, der.size()));
109  if(!m_openssl_rsa)
110  throw OpenSSL_Error("d2i_RSAPrivateKey");
111  }
112 
113  secure_vector<uint8_t> decrypt(uint8_t& valid_mask,
114  const uint8_t msg[], size_t msg_len) override
115  {
116  secure_vector<uint8_t> buf(::RSA_size(m_openssl_rsa.get()));
117  int rc = ::RSA_private_decrypt(msg_len, msg, buf.data(), m_openssl_rsa.get(), m_padding);
118  if(rc < 0 || static_cast<size_t>(rc) > buf.size())
119  {
120  valid_mask = 0;
121  buf.resize(0);
122  }
123  else
124  {
125  valid_mask = 0xFF;
126  buf.resize(rc);
127  }
128 
129  if(m_padding == RSA_NO_PADDING)
130  {
131  return CT::strip_leading_zeros(buf);
132  }
133 
134  return buf;
135  }
136 
137  private:
138  std::unique_ptr<RSA, std::function<void (RSA*)>> m_openssl_rsa;
139  int m_padding = 0;
140  };
141 
142 class OpenSSL_RSA_Verification_Operation final : public PK_Ops::Verification_with_EMSA
143  {
144  public:
145 
146  OpenSSL_RSA_Verification_Operation(const RSA_PublicKey& rsa, const std::string& emsa) :
147  PK_Ops::Verification_with_EMSA(emsa),
148  m_openssl_rsa(nullptr, ::RSA_free)
149  {
150  const std::vector<uint8_t> der = rsa.public_key_bits();
151  const uint8_t* der_ptr = der.data();
152  m_openssl_rsa.reset(::d2i_RSAPublicKey(nullptr, &der_ptr, der.size()));
153  if(!m_openssl_rsa)
154  throw OpenSSL_Error("d2i_RSAPublicKey");
155  }
156 
157  size_t max_input_bits() const override
158  {
159 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
160  return ::BN_num_bits(m_openssl_rsa->n) - 1;
161 #else
162  return ::RSA_bits(m_openssl_rsa.get()) - 1;
163 #endif
164  }
165 
166  bool with_recovery() const override { return true; }
167 
168  secure_vector<uint8_t> verify_mr(const uint8_t msg[], size_t msg_len) override
169  {
170  const size_t mod_sz = ::RSA_size(m_openssl_rsa.get());
171 
172  if(msg_len > mod_sz)
173  throw Invalid_Argument("OpenSSL RSA verify input too large");
174 
175  secure_vector<uint8_t> inbuf(mod_sz);
176 
177  if(msg_len > 0)
178  copy_mem(&inbuf[mod_sz - msg_len], msg, msg_len);
179 
180  secure_vector<uint8_t> outbuf(mod_sz);
181 
182  int rc = ::RSA_public_decrypt(inbuf.size(), inbuf.data(), outbuf.data(),
183  m_openssl_rsa.get(), RSA_NO_PADDING);
184  if(rc < 0)
185  throw Invalid_Argument("RSA_public_decrypt");
186 
187  return CT::strip_leading_zeros(outbuf);
188  }
189  private:
190  std::unique_ptr<RSA, std::function<void (RSA*)>> m_openssl_rsa;
191  };
192 
193 class OpenSSL_RSA_Signing_Operation final : public PK_Ops::Signature_with_EMSA
194  {
195  public:
196 
197  OpenSSL_RSA_Signing_Operation(const RSA_PrivateKey& rsa, const std::string& emsa) :
198  PK_Ops::Signature_with_EMSA(emsa),
199  m_openssl_rsa(nullptr, ::RSA_free)
200  {
201  const secure_vector<uint8_t> der = rsa.private_key_bits();
202  const uint8_t* der_ptr = der.data();
203  m_openssl_rsa.reset(d2i_RSAPrivateKey(nullptr, &der_ptr, der.size()));
204  if(!m_openssl_rsa)
205  throw OpenSSL_Error("d2i_RSAPrivateKey");
206  }
207 
208  secure_vector<uint8_t> raw_sign(const uint8_t msg[], size_t msg_len,
209  RandomNumberGenerator&) override
210  {
211  const size_t mod_sz = ::RSA_size(m_openssl_rsa.get());
212 
213  if(msg_len > mod_sz)
214  throw Invalid_Argument("OpenSSL RSA sign input too large");
215 
216  secure_vector<uint8_t> inbuf(mod_sz);
217  copy_mem(&inbuf[mod_sz - msg_len], msg, msg_len);
218 
219  secure_vector<uint8_t> outbuf(mod_sz);
220 
221  int rc = ::RSA_private_encrypt(inbuf.size(), inbuf.data(), outbuf.data(),
222  m_openssl_rsa.get(), RSA_NO_PADDING);
223  if(rc < 0)
224  throw OpenSSL_Error("RSA_private_encrypt");
225 
226  return outbuf;
227  }
228 
229  size_t max_input_bits() const override
230  {
231 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
232  return ::BN_num_bits(m_openssl_rsa->n) - 1;
233 #else
234  return ::RSA_bits(m_openssl_rsa.get()) - 1;
235 #endif
236  }
237 
238  private:
239  std::unique_ptr<RSA, std::function<void (RSA*)>> m_openssl_rsa;
240  };
241 
242 }
243 
244 std::unique_ptr<PK_Ops::Encryption>
245 make_openssl_rsa_enc_op(const RSA_PublicKey& key, const std::string& params)
246  {
247  auto pad_info = get_openssl_enc_pad(params);
248  return std::unique_ptr<PK_Ops::Encryption>(
249  new OpenSSL_RSA_Encryption_Operation(key, pad_info.first, pad_info.second));
250  }
251 
252 std::unique_ptr<PK_Ops::Decryption>
253 make_openssl_rsa_dec_op(const RSA_PrivateKey& key, const std::string& params)
254  {
255  auto pad_info = get_openssl_enc_pad(params);
256  return std::unique_ptr<PK_Ops::Decryption>(new OpenSSL_RSA_Decryption_Operation(key, pad_info.first));
257  }
258 
259 std::unique_ptr<PK_Ops::Verification>
260 make_openssl_rsa_ver_op(const RSA_PublicKey& key, const std::string& params)
261  {
262  return std::unique_ptr<PK_Ops::Verification>(new OpenSSL_RSA_Verification_Operation(key, params));
263  }
264 
265 std::unique_ptr<PK_Ops::Signature>
266 make_openssl_rsa_sig_op(const RSA_PrivateKey& key, const std::string& params)
267  {
268  return std::unique_ptr<PK_Ops::Signature>(new OpenSSL_RSA_Signing_Operation(key, params));
269  }
270 
271 std::unique_ptr<RSA_PrivateKey>
272 make_openssl_rsa_private_key(RandomNumberGenerator& rng, size_t rsa_bits)
273  {
274  if (rsa_bits > INT_MAX)
275  throw Internal_Error("rsa_bits overflow");
276 
277  secure_vector<uint8_t> seed(BOTAN_SYSTEM_RNG_POLL_REQUEST);
278  rng.randomize(seed.data(), seed.size());
279  RAND_seed(seed.data(), seed.size());
280 
281  std::unique_ptr<BIGNUM, std::function<void (BIGNUM*)>> bn(BN_new(), BN_free);
282  if(!bn)
283  throw OpenSSL_Error("BN_new");
284  if(!BN_set_word(bn.get(), RSA_F4))
285  throw OpenSSL_Error("BN_set_word");
286 
287  std::unique_ptr<RSA, std::function<void (RSA*)>> rsa(RSA_new(), RSA_free);
288  if(!rsa)
289  throw OpenSSL_Error("RSA_new");
290  if(!RSA_generate_key_ex(rsa.get(), rsa_bits, bn.get(), nullptr))
291  throw OpenSSL_Error("RSA_generate_key_ex");
292 
293  uint8_t* der = nullptr;
294  int bytes = i2d_RSAPrivateKey(rsa.get(), &der);
295  if(bytes < 0)
296  throw OpenSSL_Error("i2d_RSAPrivateKey");
297 
298  const secure_vector<uint8_t> keydata(der, der + bytes);
299  memset(der, 0, bytes);
300  std::free(der);
301  return std::unique_ptr<Botan::RSA_PrivateKey>
302  (new RSA_PrivateKey(AlgorithmIdentifier(), keydata));
303  }
304 }
305 
306 #endif // BOTAN_HAS_RSA
std::string decrypt(const uint8_t input[], size_t input_len, const std::string &passphrase)
Definition: cryptobox.cpp:162
void copy_mem(T *out, const T *in, size_t n)
Definition: mem_ops.h:108
Definition: alg_id.cpp:13
std::string encrypt(const uint8_t input[], size_t input_len, const std::string &passphrase, RandomNumberGenerator &rng)
Definition: cryptobox.cpp:43
secure_vector< uint8_t > strip_leading_zeros(const uint8_t in[], size_t length)
Definition: ct_utils.h:184