1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 /*
27  * This file contains RSA helper routines common to
28  * the PKCS11 soft token code and the kernel RSA code.
29  */
30 
31 #include <sys/types.h>
32 #include "rsa_impl.h"
33 
34 #ifdef _KERNEL
35 #include <sys/param.h>
36 #else
37 #include <strings.h>
38 #include <cryptoutil.h>
39 #include "softRandom.h"
40 #endif
41 
42 /*
43  * DER encoding T of the DigestInfo values for MD5, SHA1, and SHA2
44  * from PKCS#1 v2.1: RSA Cryptography Standard Section 9.2 Note 1
45  *
46  * MD5:     (0x)30 20 30 0c 06 08 2a 86 48 86 f7 0d 02 05 05 00 04 10 || H
47  * SHA-1:   (0x)30 21 30 09 06 05 2b 0e 03 02 1a 05 00 04 14 || H
48  * SHA-256: (0x)30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20 || H.
49  * SHA-384: (0x)30 41 30 0d 06 09 60 86 48 01 65 03 04 02 02 05 00 04 30 || H.
50  * SHA-512: (0x)30 51 30 0d 06 09 60 86 48 01 65 03 04 02 03 05 00 04 40 || H.
51  *
52  * Where H is the digested output from MD5 or SHA1. We define the constant
53  * byte array (the prefix) here and use it rather than doing the DER
54  * encoding of the OID in a separate routine.
55  */
56 const CK_BYTE MD5_DER_PREFIX[MD5_DER_PREFIX_Len] = {0x30, 0x20, 0x30, 0x0c,
57     0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00,
58     0x04, 0x10};
59 
60 const CK_BYTE SHA1_DER_PREFIX[SHA1_DER_PREFIX_Len] = {0x30, 0x21, 0x30,
61     0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14};
62 
63 const CK_BYTE SHA1_DER_PREFIX_OID[SHA1_DER_PREFIX_OID_Len] = {0x30, 0x1f, 0x30,
64     0x07, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x04, 0x14};
65 
66 const CK_BYTE SHA256_DER_PREFIX[SHA2_DER_PREFIX_Len] = {0x30, 0x31, 0x30, 0x0d,
67     0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05,
68     0x00, 0x04, 0x20};
69 
70 const CK_BYTE SHA384_DER_PREFIX[SHA2_DER_PREFIX_Len] = {0x30, 0x41, 0x30, 0x0d,
71     0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05,
72     0x00, 0x04, 0x30};
73 
74 const CK_BYTE SHA512_DER_PREFIX[SHA2_DER_PREFIX_Len] = {0x30, 0x51, 0x30, 0x0d,
75     0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05,
76     0x00, 0x04, 0x40};
77 
78 
79 /* psize and qsize are in bits */
80 BIG_ERR_CODE
81 RSA_key_init(RSAkey *key, int psize, int qsize)
82 {
83 	BIG_ERR_CODE err = BIG_OK;
84 
85 /* EXPORT DELETE START */
86 
87 	int plen, qlen, nlen;
88 
89 	plen = BITLEN2BIGNUMLEN(psize);
90 	qlen = BITLEN2BIGNUMLEN(qsize);
91 	nlen = plen + qlen;
92 	key->size = psize + qsize;
93 	if ((err = big_init(&(key->p), plen)) != BIG_OK)
94 		return (err);
95 	if ((err = big_init(&(key->q), qlen)) != BIG_OK)
96 		goto ret1;
97 	if ((err = big_init(&(key->n), nlen)) != BIG_OK)
98 		goto ret2;
99 	if ((err = big_init(&(key->d), nlen)) != BIG_OK)
100 		goto ret3;
101 	if ((err = big_init(&(key->e), nlen)) != BIG_OK)
102 		goto ret4;
103 	if ((err = big_init(&(key->dmodpminus1), plen)) != BIG_OK)
104 		goto ret5;
105 	if ((err = big_init(&(key->dmodqminus1), qlen)) != BIG_OK)
106 		goto ret6;
107 	if ((err = big_init(&(key->pinvmodq), qlen)) != BIG_OK)
108 		goto ret7;
109 	if ((err = big_init(&(key->p_rr), plen)) != BIG_OK)
110 		goto ret8;
111 	if ((err = big_init(&(key->q_rr), qlen)) != BIG_OK)
112 		goto ret9;
113 	if ((err = big_init(&(key->n_rr), nlen)) != BIG_OK)
114 		goto ret10;
115 
116 	return (BIG_OK);
117 
118 ret10:
119 	big_finish(&(key->q_rr));
120 ret9:
121 	big_finish(&(key->p_rr));
122 ret8:
123 	big_finish(&(key->pinvmodq));
124 ret7:
125 	big_finish(&(key->dmodqminus1));
126 ret6:
127 	big_finish(&(key->dmodpminus1));
128 ret5:
129 	big_finish(&(key->e));
130 ret4:
131 	big_finish(&(key->d));
132 ret3:
133 	big_finish(&(key->n));
134 ret2:
135 	big_finish(&(key->q));
136 ret1:
137 	big_finish(&(key->p));
138 
139 /* EXPORT DELETE END */
140 
141 	return (err);
142 }
143 
144 
145 void
146 RSA_key_finish(RSAkey *key)
147 {
148 
149 /* EXPORT DELETE START */
150 
151 	big_finish(&(key->n_rr));
152 	big_finish(&(key->q_rr));
153 	big_finish(&(key->p_rr));
154 	big_finish(&(key->pinvmodq));
155 	big_finish(&(key->dmodqminus1));
156 	big_finish(&(key->dmodpminus1));
157 	big_finish(&(key->e));
158 	big_finish(&(key->d));
159 	big_finish(&(key->n));
160 	big_finish(&(key->q));
161 	big_finish(&(key->p));
162 
163 /* EXPORT DELETE END */
164 
165 }
166 
167 
168 /*
169  * To create a block type "02" encryption block for RSA PKCS encryption
170  * process.
171  *
172  * The RSA PKCS Padding before encryption is in the following format:
173  * +------+--------------------+----+-----------------------------+
174  * |0x0002| 8 bytes or more RN |0x00|       DATA                  |
175  * +------+--------------------+----+-----------------------------+
176  *
177  */
178 CK_RV
179 soft_encrypt_rsa_pkcs_encode(uint8_t *databuf,
180     size_t datalen, uint8_t *padbuf, size_t padbuflen)
181 {
182 
183 /* EXPORT DELETE START */
184 
185 	size_t	padlen;
186 	CK_RV	rv;
187 
188 	padlen = padbuflen - datalen;
189 	if (padlen < MIN_PKCS1_PADLEN) {
190 		return (CKR_DATA_LEN_RANGE);
191 	}
192 
193 	/* Pad with 0x0002+non-zero pseudorandom numbers+0x00. */
194 	padbuf[0] = 0x00;
195 	padbuf[1] = 0x02;
196 #ifdef _KERNEL
197 	rv = knzero_random_generator(padbuf + 2, padbuflen - 3);
198 #else
199 	rv = CKR_OK;
200 	if (pkcs11_get_nzero_urandom(padbuf + 2, padbuflen - 3) < 0)
201 		rv = CKR_DEVICE_ERROR;
202 #endif
203 	if (rv != CKR_OK) {
204 		return (rv);
205 	}
206 	padbuf[padlen - 1] = 0x00;
207 
208 	bcopy(databuf, padbuf + padlen, datalen);
209 
210 /* EXPORT DELETE END */
211 
212 	return (CKR_OK);
213 }
214 
215 
216 /*
217  * The RSA PKCS Padding after decryption is in the following format:
218  * +------+--------------------+----+-----------------------------+
219  * |0x0002| 8 bytes or more RN |0x00|       DATA                  |
220  * +------+--------------------+----+-----------------------------+
221  *
222  * 'padbuf' points to the recovered message which is the modulus
223  * length. As a result, 'plen' is changed to hold the actual data length.
224  */
225 CK_RV
226 soft_decrypt_rsa_pkcs_decode(uint8_t *padbuf, int *plen)
227 {
228 
229 /* EXPORT DELETE START */
230 
231 	int	i;
232 
233 	/* Check to see if the recovered data is padded is 0x0002. */
234 	if (padbuf[0] != 0x00 || padbuf[1] != 0x02) {
235 		return (CKR_ENCRYPTED_DATA_INVALID);
236 	}
237 
238 	/* Remove all the random bits up to 0x00 (= NULL char) */
239 	for (i = 2; (*plen - i) > 0; i++) {
240 		if (padbuf[i] == 0x00) {
241 			i++;
242 			if (i < MIN_PKCS1_PADLEN) {
243 				return (CKR_ENCRYPTED_DATA_INVALID);
244 			}
245 			*plen -= i;
246 
247 			return (CKR_OK);
248 		}
249 	}
250 
251 /* EXPORT DELETE END */
252 
253 	return (CKR_ENCRYPTED_DATA_INVALID);
254 }
255 
256 /*
257  * To create a block type "01" block for RSA PKCS signature process.
258  *
259  * The RSA PKCS Padding before Signing is in the following format:
260  * +------+--------------+----+-----------------------------+
261  * |0x0001| 0xFFFF.......|0x00|          DATA               |
262  * +------+--------------+----+-----------------------------+
263  */
264 CK_RV
265 soft_sign_rsa_pkcs_encode(uint8_t *pData, size_t dataLen, uint8_t *data,
266     size_t mbit_l)
267 {
268 
269 /* EXPORT DELETE START */
270 
271 	size_t	padlen;
272 
273 	padlen = mbit_l - dataLen;
274 	if (padlen < MIN_PKCS1_PADLEN) {
275 		return (CKR_DATA_LEN_RANGE);
276 	}
277 
278 	padlen -= 3;
279 	data[0] = 0x00;
280 	data[1] = 0x01;
281 #ifdef _KERNEL
282 	kmemset(data + 2, 0xFF, padlen);
283 #else
284 	(void) memset(data + 2, 0xFF, padlen);
285 #endif
286 	data[padlen + 2] = 0x00;
287 	bcopy(pData, data + padlen + 3, dataLen);
288 
289 /* EXPORT DELETE END */
290 
291 	return (CKR_OK);
292 }
293 
294 
295 CK_RV
296 soft_verify_rsa_pkcs_decode(uint8_t *data, int *mbit_l)
297 {
298 
299 /* EXPORT DELETE START */
300 
301 	int i;
302 
303 	/* Check to see if the padding of recovered data starts with 0x0001. */
304 	if ((data[0] != 0x00) || (data[1] != 0x01)) {
305 		return (CKR_SIGNATURE_INVALID);
306 	}
307 	/* Check to see if the recovered data is padded with 0xFFF...00. */
308 	for (i = 2; i < *mbit_l; i++) {
309 		if (data[i] == 0x00) {
310 			i++;
311 			if (i < MIN_PKCS1_PADLEN) {
312 				return (CKR_SIGNATURE_INVALID);
313 			}
314 			*mbit_l -= i;
315 
316 			return (CKR_OK);
317 		} else if (data[i] != 0xFF) {
318 			return (CKR_SIGNATURE_INVALID);
319 		}
320 	}
321 
322 /* EXPORT DELETE END */
323 
324 	return (CKR_SIGNATURE_INVALID);
325 }
326