wolfssl: Add wolfSSL plugin for cryptographic implementations
[strongswan.git] / src / libstrongswan / plugins / wolfssl / wolfssl_rsa_public_key.c
1 /*
2 * Copyright (C) 2019 Sean Parkinson, wolfSSL Inc.
3 *
4 * Permission is hereby granted, free of charge, to any person obtaining a copy
5 * of this software and associated documentation files (the "Software"), to deal
6 * in the Software without restriction, including without limitation the rights
7 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
8 * copies of the Software, and to permit persons to whom the Software is
9 * furnished to do so, subject to the following conditions:
10 *
11 * The above copyright notice and this permission notice shall be included in
12 * all copies or substantial portions of the Software.
13 *
14 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
15 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
17 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
18 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
19 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
20 * THE SOFTWARE.
21 */
22
23 #include "wolfssl_common.h"
24
25 #ifndef NO_RSA
26
27 #include "wolfssl_rsa_public_key.h"
28 #include "wolfssl_util.h"
29
30 #include <crypto/hashers/hasher.h>
31 #include <utils/debug.h>
32 #include <credentials/keys/signature_params.h>
33
34 #include <wolfssl/wolfcrypt/rsa.h>
35
36
37 typedef struct private_wolfssl_rsa_public_key_t private_wolfssl_rsa_public_key_t;
38
39 /**
40 * Private data structure with signing context.
41 */
42 struct private_wolfssl_rsa_public_key_t {
43 /**
44 * Public interface for this signer.
45 */
46 wolfssl_rsa_public_key_t public;
47
48 /**
49 * RSA key object from wolfSSL.
50 */
51 RsaKey rsa;
52
53 /**
54 * Random number generator to use with RSA operations.
55 */
56 WC_RNG rng;
57
58 /**
59 * reference counter
60 */
61 refcount_t ref;
62 };
63
64
65 /**
66 * Verify RSA signature
67 */
68 static bool verify_signature(private_wolfssl_rsa_public_key_t *this,
69 chunk_t data, chunk_t signature)
70 {
71 bool success = FALSE;
72 int len = wc_RsaEncryptSize(&this->rsa);
73 u_char *buf;
74 u_char *p;
75
76 if (signature.len > len)
77 {
78 signature = chunk_skip(signature, signature.len - len);
79 }
80
81 buf = malloc(len);
82 memcpy(buf + len - signature.len, signature.ptr, signature.len);
83 memset(buf, 0, len - signature.len);
84
85 len = wc_RsaSSL_VerifyInline(buf, len, &p, &this->rsa);
86 if (len > 0)
87 {
88 success = chunk_equals_const(data, chunk_create(p, len));
89 }
90 free(buf);
91
92 return success;
93 }
94
95 /**
96 * Verification of an EMSA PKCS1 signature described in PKCS#1
97 */
98 static bool verify_emsa_pkcs1_signature(private_wolfssl_rsa_public_key_t *this,
99 enum wc_HashType hash, chunk_t data,
100 chunk_t signature)
101 {
102 bool success = FALSE;
103 chunk_t dgst = chunk_empty, encDgst;
104 int len;
105
106 encDgst = chunk_alloc(wc_HashGetDigestSize(hash) + 20);
107 if (wolfssl_hash_chunk(hash, data, &dgst))
108 {
109 len = wc_EncodeSignature(encDgst.ptr, dgst.ptr, dgst.len,
110 wc_HashGetOID(hash));
111 if (len > 0)
112 {
113 encDgst.len = len;
114 success = verify_signature(this, encDgst, signature);
115 }
116 }
117
118 chunk_free(&encDgst);
119 chunk_free(&dgst);
120 return success;
121 }
122
123 #ifdef WC_RSA_PSS
124 /**
125 * Verification of an EMSA PSS signature described in PKCS#1
126 */
127 static bool verify_emsa_pss_signature(private_wolfssl_rsa_public_key_t *this,
128 rsa_pss_params_t *params, chunk_t data,
129 chunk_t signature)
130 {
131 chunk_t dgst = chunk_empty;
132 enum wc_HashType hash;
133 int mgf;
134 bool success = FALSE;
135 int len = 0;
136 u_char *buf = NULL;
137 u_char *p;
138
139 if (!wolfssl_hash2type(params->hash, &hash))
140 {
141 return FALSE;
142 }
143 if (!wolfssl_hash2mgf1(params->mgf1_hash, &mgf))
144 {
145 return FALSE;
146 }
147
148 if (wolfssl_hash_chunk(hash, data, &dgst))
149 {
150 len = wc_RsaEncryptSize(&this->rsa);
151 if (signature.len > len)
152 {
153 signature = chunk_skip(signature, signature.len - len);
154 }
155
156 buf = malloc(len);
157 memcpy(buf + len - signature.len, signature.ptr, signature.len);
158 memset(buf, 0, len - signature.len);
159
160 len = wc_RsaPSS_VerifyInline_ex(buf, len, &p, hash, mgf,
161 params->salt_len, &this->rsa);
162 if (len > 0)
163 {
164 success = wc_RsaPSS_CheckPadding_ex(dgst.ptr, dgst.len, p, len,
165 hash, params->salt_len, mp_count_bits(&this->rsa.n)) == 0;
166 }
167 }
168
169 chunk_free(&dgst);
170 if (buf != NULL)
171 {
172 free(buf);
173 }
174
175 return success;
176 }
177 #endif
178
179 METHOD(public_key_t, get_type, key_type_t,
180 private_wolfssl_rsa_public_key_t *this)
181 {
182 return KEY_RSA;
183 }
184
185 METHOD(public_key_t, verify, bool,
186 private_wolfssl_rsa_public_key_t *this, signature_scheme_t scheme,
187 void *params, chunk_t data, chunk_t signature)
188 {
189 switch (scheme)
190 {
191 case SIGN_RSA_EMSA_PKCS1_NULL:
192 return verify_signature(this, data, signature);
193 case SIGN_RSA_EMSA_PKCS1_SHA2_224:
194 return verify_emsa_pkcs1_signature(this, WC_HASH_TYPE_SHA224, data,
195 signature);
196 case SIGN_RSA_EMSA_PKCS1_SHA2_256:
197 return verify_emsa_pkcs1_signature(this, WC_HASH_TYPE_SHA256, data,
198 signature);
199 case SIGN_RSA_EMSA_PKCS1_SHA2_384:
200 return verify_emsa_pkcs1_signature(this, WC_HASH_TYPE_SHA384, data,
201 signature);
202 case SIGN_RSA_EMSA_PKCS1_SHA2_512:
203 return verify_emsa_pkcs1_signature(this, WC_HASH_TYPE_SHA512, data,
204 signature);
205 case SIGN_RSA_EMSA_PKCS1_SHA1:
206 return verify_emsa_pkcs1_signature(this, WC_HASH_TYPE_SHA, data,
207 signature);
208 case SIGN_RSA_EMSA_PKCS1_MD5:
209 return verify_emsa_pkcs1_signature(this, WC_HASH_TYPE_MD5, data,
210 signature);
211 #ifdef WC_RSA_PSS
212 case SIGN_RSA_EMSA_PSS:
213 return verify_emsa_pss_signature(this, params, data, signature);
214 #endif
215 default:
216 DBG1(DBG_LIB, "signature scheme %N not supported in RSA",
217 signature_scheme_names, scheme);
218 return FALSE;
219 }
220 }
221
222 METHOD(public_key_t, encrypt, bool,
223 private_wolfssl_rsa_public_key_t *this, encryption_scheme_t scheme,
224 chunk_t plain, chunk_t *crypto)
225 {
226 int padding, mgf, len;
227 enum wc_HashType hash;
228 char *encrypted;
229
230 switch (scheme)
231 {
232 case ENCRYPT_RSA_PKCS1:
233 padding = WC_RSA_PKCSV15_PAD;
234 hash = WC_HASH_TYPE_NONE;
235 mgf = WC_MGF1NONE;
236 break;
237 #ifndef WC_NO_RSA_OAEP
238 #ifndef NO_SHA
239 case ENCRYPT_RSA_OAEP_SHA1:
240 padding = WC_RSA_OAEP_PAD;
241 hash = WC_HASH_TYPE_SHA;
242 mgf = WC_MGF1SHA1;
243 break;
244 #endif
245 #ifdef WOLFSSL_SHA224
246 case ENCRYPT_RSA_OAEP_SHA224:
247 padding = WC_RSA_OAEP_PAD;
248 hash = WC_HASH_TYPE_SHA224;
249 mgf = WC_MGF1SHA224;
250 break;
251 #endif
252 #ifndef NO_SHA256
253 case ENCRYPT_RSA_OAEP_SHA256:
254 padding = WC_RSA_OAEP_PAD;
255 hash = WC_HASH_TYPE_SHA256;
256 mgf = WC_MGF1SHA256;
257 break;
258 #endif
259 #ifdef WOLFSSL_SHA384
260 case ENCRYPT_RSA_OAEP_SHA384:
261 padding = WC_RSA_OAEP_PAD;
262 hash = WC_HASH_TYPE_SHA384;
263 mgf = WC_MGF1SHA384;
264 break;
265 #endif
266 #ifdef WOLFSSL_SHA512
267 case ENCRYPT_RSA_OAEP_SHA512:
268 padding = WC_RSA_OAEP_PAD;
269 hash = WC_HASH_TYPE_SHA512;
270 mgf = WC_MGF1SHA512;
271 break;
272 #endif
273 #endif
274 default:
275 DBG1(DBG_LIB, "decryption scheme %N not supported via wolfssl",
276 encryption_scheme_names, scheme);
277 return FALSE;
278 }
279 len = wc_RsaEncryptSize(&this->rsa);
280 encrypted = malloc(len);
281 len = wc_RsaPublicEncrypt_ex(plain.ptr, plain.len, encrypted, len,
282 &this->rsa, &this->rng, padding, hash, mgf,
283 NULL, 0);
284 if (len < 0)
285 {
286 DBG1(DBG_LIB, "RSA encryption failed");
287 free(encrypted);
288 return FALSE;
289 }
290 *crypto = chunk_create(encrypted, len);
291 return TRUE;
292 }
293
294 METHOD(public_key_t, get_keysize, int,
295 private_wolfssl_rsa_public_key_t *this)
296 {
297 return wc_RsaEncryptSize(&this->rsa) * 8;
298 }
299
300 /**
301 * Calculate fingerprint from a RSA key, also used in rsa private key.
302 */
303 bool wolfssl_rsa_fingerprint(RsaKey *rsa, cred_encoding_type_t type,
304 chunk_t *fp)
305 {
306 hasher_t *hasher;
307 chunk_t key;
308 int len;
309
310 if (lib->encoding->get_cache(lib->encoding, type, rsa, fp))
311 {
312 return TRUE;
313 }
314 switch (type)
315 {
316 case KEYID_PUBKEY_SHA1:
317 len = wc_RsaEncryptSize(rsa) * 2 + 20;
318 key = chunk_alloc(len);
319 len = wc_RsaKeyToPublicDer(rsa, key.ptr, len);
320 break;
321 default:
322 {
323 chunk_t n = chunk_empty, e = chunk_empty;
324 bool success = FALSE;
325
326 if (wolfssl_mp2chunk(&rsa->n, &n) && wolfssl_mp2chunk(&rsa->e, &e))
327 {
328 success = lib->encoding->encode(lib->encoding, type, rsa, fp,
329 CRED_PART_RSA_MODULUS, n,
330 CRED_PART_RSA_PUB_EXP, e, CRED_PART_END);
331 }
332 chunk_free(&n);
333 chunk_free(&e);
334 return success;
335 }
336 }
337 if (len < 0)
338 {
339 chunk_free(&key);
340 return FALSE;
341 }
342 key.len = len;
343
344 hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
345 if (!hasher || !hasher->allocate_hash(hasher, key, fp))
346 {
347 DBG1(DBG_LIB, "SHA1 hash algorithm not supported, fingerprinting failed");
348 DESTROY_IF(hasher);
349 free(key.ptr);
350 return FALSE;
351 }
352 free(key.ptr);
353 hasher->destroy(hasher);
354 lib->encoding->cache(lib->encoding, type, rsa, *fp);
355 return TRUE;
356 }
357
358 METHOD(public_key_t, get_fingerprint, bool,
359 private_wolfssl_rsa_public_key_t *this, cred_encoding_type_t type,
360 chunk_t *fingerprint)
361 {
362 return wolfssl_rsa_fingerprint(&this->rsa, type, fingerprint);
363 }
364
365 METHOD(public_key_t, get_encoding, bool,
366 private_wolfssl_rsa_public_key_t *this, cred_encoding_type_t type,
367 chunk_t *encoding)
368 {
369 bool success = FALSE;
370 int len;
371
372 switch (type)
373 {
374 case PUBKEY_ASN1_DER:
375 len = wc_RsaEncryptSize(&this->rsa) * 2 + 20;
376 *encoding = chunk_alloc(len);
377 len = wc_RsaKeyToPublicDer(&this->rsa, encoding->ptr, len);
378 if (len < 0)
379 {
380 DBG1(DBG_LIB, "Public Der failed, get encoding failed");
381 chunk_free(encoding);
382 return FALSE;
383 }
384 encoding->len = len;
385 return TRUE;
386 default:
387 {
388 chunk_t n = chunk_empty, e = chunk_empty;
389
390 if (wolfssl_mp2chunk(&this->rsa.n, &n) &&
391 wolfssl_mp2chunk(&this->rsa.e, &e))
392 {
393 success = lib->encoding->encode(lib->encoding, type, NULL,
394 encoding, CRED_PART_RSA_MODULUS, n,
395 CRED_PART_RSA_PUB_EXP, e, CRED_PART_END);
396 }
397 chunk_free(&n);
398 chunk_free(&e);
399 return success;
400 }
401 }
402 }
403
404 METHOD(public_key_t, get_ref, public_key_t*,
405 private_wolfssl_rsa_public_key_t *this)
406 {
407 ref_get(&this->ref);
408 return &this->public.key;
409 }
410
411 METHOD(public_key_t, destroy, void,
412 private_wolfssl_rsa_public_key_t *this)
413 {
414 if (ref_put(&this->ref))
415 {
416 lib->encoding->clear_cache(lib->encoding, &this->rsa);
417 wc_FreeRsaKey(&this->rsa);
418 wc_FreeRng(&this->rng);
419 free(this);
420 }
421 }
422
423 /**
424 * Generic private constructor
425 */
426 static private_wolfssl_rsa_public_key_t *create_empty()
427 {
428 private_wolfssl_rsa_public_key_t *this;
429
430 INIT(this,
431 .public = {
432 .key = {
433 .get_type = _get_type,
434 .verify = _verify,
435 .encrypt = _encrypt,
436 .equals = public_key_equals,
437 .get_keysize = _get_keysize,
438 .get_fingerprint = _get_fingerprint,
439 .has_fingerprint = public_key_has_fingerprint,
440 .get_encoding = _get_encoding,
441 .get_ref = _get_ref,
442 .destroy = _destroy,
443 },
444 },
445 .ref = 1,
446 );
447
448 if (wc_InitRng(&this->rng) != 0)
449 {
450 DBG1(DBG_LIB, "Init RNG, rsa public key load failed");
451 free(this);
452 return NULL;
453 }
454 if (wc_InitRsaKey(&this->rsa, NULL) != 0)
455 {
456 DBG1(DBG_LIB, "Init RSA, rsa public key load failed");
457 wc_FreeRng(&this->rng);
458 free(this);
459 return NULL;
460 }
461 return this;
462 }
463
464 /**
465 * See header.
466 */
467 wolfssl_rsa_public_key_t *wolfssl_rsa_public_key_load(key_type_t type,
468 va_list args)
469 {
470 private_wolfssl_rsa_public_key_t *this;
471 chunk_t blob, n, e;
472 word32 idx;
473
474 n = e = blob = chunk_empty;
475 while (TRUE)
476 {
477 switch (va_arg(args, builder_part_t))
478 {
479 case BUILD_BLOB_ASN1_DER:
480 blob = va_arg(args, chunk_t);
481 continue;
482 case BUILD_RSA_MODULUS:
483 n = va_arg(args, chunk_t);
484 continue;
485 case BUILD_RSA_PUB_EXP:
486 e = va_arg(args, chunk_t);
487 continue;
488 case BUILD_END:
489 break;
490 default:
491 return NULL;
492 }
493 break;
494 }
495
496 this = create_empty();
497 if (this == NULL)
498 {
499 return NULL;
500 }
501
502 if (blob.ptr)
503 {
504 switch (type)
505 {
506 case KEY_ANY:
507 case KEY_RSA:
508 idx = 0;
509 if (wc_RsaPublicKeyDecode(blob.ptr, &idx, &this->rsa,
510 blob.len) != 0)
511 {
512 DBG1(DBG_LIB, "Public , rsa public key load failed");
513 destroy(this);
514 return NULL;
515 }
516 break;
517 default:
518 destroy(this);
519 return NULL;
520 }
521 return &this->public;
522 }
523 else if (n.ptr && e.ptr && type == KEY_RSA)
524 {
525 if (wc_RsaPublicKeyDecodeRaw(n.ptr, n.len, e.ptr, e.len,
526 &this->rsa) != 0)
527 {
528 destroy(this);
529 return NULL;
530 }
531 return &this->public;
532 }
533 destroy(this);
534 return NULL;
535 }
536
537 #endif /* NO_RSA */