Add EVP_PKEY_RSA_PSS decode support. (#140)

* Define RSA_PSS_SALTLEN_DIGEST macro. (#85)

* Define RSA_PSS_SALTLEN_DIGEST macro.

* Replace '-1' with RSA_PSS_SALTLEN_DIGEST.

* Add EVP_PKEY_RSA_PSS ameth. (#86)

* Add EVP_PKEY_RSA_PSS ameth.

* Add test to verify SubjectPublicKeyInfo decode.

* Add EVP_PKEY_RSA_PSS pmeth. (#87)

* Add EVP_PKEY_RSA_PSS ameth.

* Add test to verify SubjectPublicKeyInfo decode.

* Add EVP_PKEY_RSA_PSS pmeth.

* Import RSA_pkey_ctx_ctrl -- OpenSSL 1.1.1@e5e04ee.

* Support pad mode get/set for PSS keys. OpenSSL 1.1.1@a300c72.

* Fix TODO comment.

* Update crypto/fipsmodule/rsa/rsa.c

Co-authored-by: torben-hansen <[email protected]>

* Define new error code -- RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE.

* Move RSA ctrl func from rsa.h to evp/internal.h

* Remove RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE.

* Add '||'

* Remove imports.

Co-authored-by: torben-hansen <[email protected]>

* Add RSASSA-PSS-params decode. (#89)

* Add EVP_PKEY_RSA_PSS ameth.

* Add test to verify SubjectPublicKeyInfo decode.

* Add EVP_PKEY_RSA_PSS pmeth.

* Import RSA_pkey_ctx_ctrl -- OpenSSL 1.1.1@e5e04ee.

* Support pad mode get/set for PSS keys. OpenSSL 1.1.1@a300c72.

* Fix TODO comment.

* Add RSASSA-PSS-params decode.

* Remove trailer field related TODO.

* Fix leaked mem.

* Remove unsupported sha oid.

* Revert "Remove unsupported sha oid."

This reverts commit be955ce.

* Move rsassa_pss from rsa.h to rsassa_pss.h.

* Fix merge conflict.

* Correct error prefix.

* Remove unused import.

* Improve comment.

* Use JDK11 generated DER-encoded RSASSA-PSS-params for test.

* Remove unused comment.

* Update crypto/rsa_extra/rsassa_pss.h

Co-authored-by: torben-hansen <[email protected]>

* Update crypto/rsa_extra/rsassa_pss.h

Co-authored-by: torben-hansen <[email protected]>

* Update crypto/rsa_extra/rsassa_pss_asn1.c

Co-authored-by: torben-hansen <[email protected]>

* Update crypto/rsa_extra/rsassa_pss_asn1.c

Co-authored-by: torben-hansen <[email protected]>

* Update crypto/rsa_extra/rsassa_pss_asn1.c

Co-authored-by: torben-hansen <[email protected]>

* Apply suggestions from code review

Co-authored-by: torben-hansen <[email protected]>

* Enhance code comments.

* Define tag value index macros.

* Condense code.

* Update crypto/rsa_extra/rsassa_pss_asn1_test.cc

Co-authored-by: torben-hansen <[email protected]>

* Check EVP_PKEY_assign return value.

* Check NID_undef value.

* Correct comments.

* Add more tests.

* Add more tests on trailer field and salt length.

* Rename rsassa_pss.h to internal.h.

Co-authored-by: torben-hansen <[email protected]>

* Validate pss params. (#90)

* Add EVP_PKEY_RSA_PSS ameth.

* Add test to verify SubjectPublicKeyInfo decode.

* Add EVP_PKEY_RSA_PSS pmeth.

* Import RSA_pkey_ctx_ctrl -- OpenSSL 1.1.1@e5e04ee.

* Support pad mode get/set for PSS keys. OpenSSL 1.1.1@a300c72.

* Fix TODO comment.

* Add RSASSA-PSS-params decode.

* Remove trailer field related TODO.

* Fix leaked mem.

* Remove unsupported sha oid.

* Revert "Remove unsupported sha oid."

This reverts commit be955ce.

* Check PSS parameters restrictions.

* Move rsassa_pss from rsa.h to rsassa_pss.h.

* Fix merge conflict.

* Move rsassapss conversion to rsassa_pss_asn1.c.

* Correct error prefix.

* Remove unused import.

* Modify comment.

* Improve comment.

* Rename some functions.

* Add more tests.

* Add more tests.

* Resolve TODO: fix X509Test.TestRsaSsaPss.

* Use JDK11 generated DER-encoded RSASSA-PSS-params for test.

* Disable rsassaPss encrypt and decrypt.

* Remove unused comment.

* Update crypto/rsa_extra/rsassa_pss.h

Co-authored-by: torben-hansen <[email protected]>

* Update crypto/rsa_extra/rsassa_pss.h

Co-authored-by: torben-hansen <[email protected]>

* Update crypto/rsa_extra/rsassa_pss_asn1.c

Co-authored-by: torben-hansen <[email protected]>

* Update crypto/rsa_extra/rsassa_pss_asn1.c

Co-authored-by: torben-hansen <[email protected]>

* Update crypto/rsa_extra/rsassa_pss_asn1.c

Co-authored-by: torben-hansen <[email protected]>

* Apply suggestions from code review

Co-authored-by: torben-hansen <[email protected]>

* Enhance code comments.

* Define tag value index macros.

* Condense code.

* Update crypto/rsa_extra/rsassa_pss_asn1_test.cc

Co-authored-by: torben-hansen <[email protected]>

* Check EVP_PKEY_assign return value.

* Check NID_undef value.

* Correct comments.

* Add more tests.

* Add more tests on trailer field and salt length.

* Rename rsassa_pss.h to internal.h.

* Removed unused test data.

* Modify comments.

* Explicitly check NULL.

* Change method comment.

* Address error code comment.

* Apply suggestions from code review

Co-authored-by: dkostic <[email protected]>
Co-authored-by: torben-hansen <[email protected]>

* Return EVP_PKEY_assign_* value.

* Fix incorrect error code.

* Adjust comment.

* Define macro for default value of salt len and trailer field.

* Fix max salt len.

* Add more comments.

* Check inputs are not NULL.

* Remove saltlen == 0 check in pss_saltlen_create.

* Add ctx->pkey NULL check in pkey_pss_init.

Co-authored-by: torben-hansen <[email protected]>
Co-authored-by: dkostic <[email protected]>

* Avoid double free.

Co-authored-by: torben-hansen <[email protected]>
Co-authored-by: dkostic <[email protected]>

crypto/CMakeLists.txt

@@ -357,6 +357,7 @@ add_library(
   refcount_c11.c
   refcount_lock.c
   rsa_extra/rsa_asn1.c
+  rsa_extra/rsassa_pss_asn1.c
   rsa_extra/rsa_print.c
   stack/stack.c
   siphash/siphash.c
@@ -576,6 +577,7 @@ if(BUILD_TESTING)
     rand_extra/rand_test.cc
     refcount_test.cc
     rsa_extra/rsa_test.cc
+    rsa_extra/rsassa_pss_asn1_test.cc
     self_test.cc
     stack/stack_test.cc
     siphash/siphash_test.cc

crypto/evp/evp.c

@@ -204,6 +204,8 @@ static const EVP_PKEY_ASN1_METHOD *evp_pkey_asn1_find(int nid) {
   switch (nid) {
     case EVP_PKEY_RSA:
       return &rsa_asn1_meth;
+    case EVP_PKEY_RSA_PSS:
+      return &rsa_pss_asn1_meth;
     case EVP_PKEY_EC:
       return &ec_asn1_meth;
     case EVP_PKEY_DSA:
@@ -238,7 +240,7 @@ int EVP_PKEY_assign_RSA(EVP_PKEY *pkey, RSA *key) {
 }
 
 RSA *EVP_PKEY_get0_RSA(const EVP_PKEY *pkey) {
-  if (pkey->type != EVP_PKEY_RSA) {
+  if (pkey->type != EVP_PKEY_RSA && pkey->type != EVP_PKEY_RSA_PSS) {
     OPENSSL_PUT_ERROR(EVP, EVP_R_EXPECTING_AN_RSA_KEY);
     return NULL;
   }

crypto/evp/evp_asn1.c

@@ -71,6 +71,7 @@
 
 static const EVP_PKEY_ASN1_METHOD *const kASN1Methods[] = {
     &rsa_asn1_meth,
+    &rsa_pss_asn1_meth,
     &ec_asn1_meth,
     &dsa_asn1_meth,
     &ed25519_asn1_meth,

crypto/evp/evp_ctx.c

@@ -68,6 +68,7 @@
 
 static const EVP_PKEY_METHOD *const evp_methods[] = {
     &rsa_pkey_meth,
+    &rsa_pss_pkey_meth,
     &ec_pkey_meth,
     &ed25519_pkey_meth,
     &x25519_pkey_meth,
@@ -219,7 +220,11 @@ int EVP_PKEY_sign_init(EVP_PKEY_CTX *ctx) {
   }
 
   ctx->operation = EVP_PKEY_OP_SIGN;
-  return 1;
+  if ((ctx->pmeth->sign_init == NULL) || (ctx->pmeth->sign_init(ctx))) {
+    return 1;
+  }
+  ctx->operation = EVP_PKEY_OP_UNDEFINED;
+  return 0;
 }
 
 int EVP_PKEY_sign(EVP_PKEY_CTX *ctx, uint8_t *sig, size_t *sig_len,
@@ -242,7 +247,11 @@ int EVP_PKEY_verify_init(EVP_PKEY_CTX *ctx) {
     return 0;
   }
   ctx->operation = EVP_PKEY_OP_VERIFY;
-  return 1;
+  if ((ctx->pmeth->verify_init == NULL) || (ctx->pmeth->verify_init(ctx))) {
+    return 1;
+  }
+  ctx->operation = EVP_PKEY_OP_UNDEFINED;
+  return 0;
 }
 
 int EVP_PKEY_verify(EVP_PKEY_CTX *ctx, const uint8_t *sig, size_t sig_len,

crypto/evp/internal.h

@@ -147,6 +147,11 @@ struct evp_pkey_asn1_method_st {
 OPENSSL_EXPORT int EVP_PKEY_CTX_ctrl(EVP_PKEY_CTX *ctx, int keytype, int optype,
                                      int cmd, int p1, void *p2);
 
+// EVP_RSA_PKEY_CTX_ctrl is a wrapper of |EVP_PKEY_CTX_ctrl|.
+// Before calling |EVP_PKEY_CTX_ctrl|, a check is added to make sure
+// the |ctx->pmeth->pkey_id| is either |EVP_PKEY_RSA| or |EVP_PKEY_RSA_PSS|.
+int EVP_RSA_PKEY_CTX_ctrl(EVP_PKEY_CTX *ctx, int optype, int cmd, int p1, void *p2);
+
 #define EVP_PKEY_CTRL_MD 1
 #define EVP_PKEY_CTRL_GET_MD 2
 
@@ -203,12 +208,13 @@ struct evp_pkey_method_st {
 
   int (*keygen)(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey);
 
+  int (*sign_init)(EVP_PKEY_CTX *ctx);
   int (*sign)(EVP_PKEY_CTX *ctx, uint8_t *sig, size_t *siglen,
               const uint8_t *tbs, size_t tbslen);
 
   int (*sign_message)(EVP_PKEY_CTX *ctx, uint8_t *sig, size_t *siglen,
                       const uint8_t *tbs, size_t tbslen);
-
+  int (*verify_init)(EVP_PKEY_CTX *ctx);
   int (*verify)(EVP_PKEY_CTX *ctx, const uint8_t *sig, size_t siglen,
                 const uint8_t *tbs, size_t tbslen);
 
@@ -253,10 +259,12 @@ typedef struct {
 extern const EVP_PKEY_ASN1_METHOD dsa_asn1_meth;
 extern const EVP_PKEY_ASN1_METHOD ec_asn1_meth;
 extern const EVP_PKEY_ASN1_METHOD rsa_asn1_meth;
+extern const EVP_PKEY_ASN1_METHOD rsa_pss_asn1_meth;
 extern const EVP_PKEY_ASN1_METHOD ed25519_asn1_meth;
 extern const EVP_PKEY_ASN1_METHOD x25519_asn1_meth;
 
 extern const EVP_PKEY_METHOD rsa_pkey_meth;
+extern const EVP_PKEY_METHOD rsa_pss_pkey_meth;
 extern const EVP_PKEY_METHOD ec_pkey_meth;
 extern const EVP_PKEY_METHOD ed25519_pkey_meth;
 extern const EVP_PKEY_METHOD x25519_pkey_meth;

crypto/evp/p_ec.c

@@ -259,8 +259,10 @@ const EVP_PKEY_METHOD ec_pkey_meth = {
     pkey_ec_copy,
     pkey_ec_cleanup,
     pkey_ec_keygen,
+    NULL /* sign_init */,
     pkey_ec_sign,
     NULL /* sign_message */,
+    NULL /* verify_init */,
     pkey_ec_verify,
     NULL /* verify_message */,
     NULL /* verify_recover */,

crypto/evp/p_ed25519.c

@@ -91,8 +91,10 @@ const EVP_PKEY_METHOD ed25519_pkey_meth = {
     pkey_ed25519_copy,
     NULL /* cleanup */,
     pkey_ed25519_keygen,
+    NULL /* sign_init */,
     NULL /* sign */,
     pkey_ed25519_sign_message,
+    NULL /* verify_init */,
     NULL /* verify */,
     pkey_ed25519_verify_message,
     NULL /* verify_recover */,