// Copyright 2015-2016 Brian Smith. // // Permission to use, copy, modify, and/or distribute this software for any // purpose with or without fee is hereby granted, provided that the above // copyright notice and this permission notice appear in all copies. // // THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES // WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF // MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY // SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES // WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. use super::PUBLIC_KEY_PUBLIC_MODULUS_MAX_LEN; use crate::{bits, digest, error, io::der}; use untrusted; #[cfg(feature = "use_heap")] use crate::rand; /// Common features of both RSA padding encoding and RSA padding verification. pub trait Padding: 'static + Sync + crate::sealed::Sealed + core::fmt::Debug { // The digest algorithm used for digesting the message (and maybe for // other things). fn digest_alg(&self) -> &'static digest::Algorithm; } /// An RSA signature encoding as described in [RFC 3447 Section 8]. /// /// [RFC 3447 Section 8]: https://tools.ietf.org/html/rfc3447#section-8 #[cfg(feature = "use_heap")] pub trait RsaEncoding: Padding { #[doc(hidden)] fn encode( &self, m_hash: &digest::Digest, m_out: &mut [u8], mod_bits: bits::BitLength, rng: &dyn rand::SecureRandom, ) -> Result<(), error::Unspecified>; } /// Verification of an RSA signature encoding as described in /// [RFC 3447 Section 8]. /// /// [RFC 3447 Section 8]: https://tools.ietf.org/html/rfc3447#section-8 pub trait Verification: Padding { fn verify( &self, m_hash: &digest::Digest, m: &mut untrusted::Reader, mod_bits: bits::BitLength, ) -> Result<(), error::Unspecified>; } /// PKCS#1 1.5 padding as described in [RFC 3447 Section 8.2]. /// /// See "`RSA_PSS_*` Details\" in `ring::signature`'s module-level /// documentation for more details. /// /// [RFC 3447 Section 8.2]: https://tools.ietf.org/html/rfc3447#section-8.2 #[derive(Debug)] pub struct PKCS1 { digest_alg: &'static digest::Algorithm, digestinfo_prefix: &'static [u8], } impl crate::sealed::Sealed for PKCS1 {} impl Padding for PKCS1 { fn digest_alg(&self) -> &'static digest::Algorithm { self.digest_alg } } #[cfg(feature = "use_heap")] impl RsaEncoding for PKCS1 { fn encode( &self, m_hash: &digest::Digest, m_out: &mut [u8], _mod_bits: bits::BitLength, _rng: &dyn rand::SecureRandom, ) -> Result<(), error::Unspecified> { pkcs1_encode(&self, m_hash, m_out); Ok(()) } } impl Verification for PKCS1 { fn verify( &self, m_hash: &digest::Digest, m: &mut untrusted::Reader, mod_bits: bits::BitLength, ) -> Result<(), error::Unspecified> { // `mod_bits.as_usize_bytes_rounded_up() <= // PUBLIC_KEY_PUBLIC_MODULUS_MAX_LEN` is ensured by `verify_rsa_()`. let mut calculated = [0u8; PUBLIC_KEY_PUBLIC_MODULUS_MAX_LEN]; let calculated = &mut calculated[..mod_bits.as_usize_bytes_rounded_up()]; pkcs1_encode(&self, m_hash, calculated); if m.read_bytes_to_end() != *calculated.as_ref() { return Err(error::Unspecified); } Ok(()) } } // Implement padding procedure per EMSA-PKCS1-v1_5, // https://tools.ietf.org/html/rfc3447#section-9.2. This is used by both // verification and signing so it needs to be able to handle moduli of the // minimum and maximum sizes for both operations. fn pkcs1_encode(pkcs1: &PKCS1, m_hash: &digest::Digest, m_out: &mut [u8]) { let em = m_out; let digest_len = pkcs1.digestinfo_prefix.len() + pkcs1.digest_alg.output_len; // The specification requires at least 8 bytes of padding. Since we // disallow keys smaller than 2048 bits, this should always be true. assert!(em.len() >= digest_len + 11); let pad_len = em.len() - digest_len - 3; em[0] = 0; em[1] = 1; for i in 0..pad_len { em[2 + i] = 0xff; } em[2 + pad_len] = 0; let (digest_prefix, digest_dst) = em[3 + pad_len..].split_at_mut(pkcs1.digestinfo_prefix.len()); digest_prefix.copy_from_slice(pkcs1.digestinfo_prefix); digest_dst.copy_from_slice(m_hash.as_ref()); } macro_rules! rsa_pkcs1_padding { ( $PADDING_ALGORITHM:ident, $digest_alg:expr, $digestinfo_prefix:expr, $doc_str:expr ) => { #[doc=$doc_str] pub static $PADDING_ALGORITHM: PKCS1 = PKCS1 { digest_alg: $digest_alg, digestinfo_prefix: $digestinfo_prefix, }; }; } rsa_pkcs1_padding!( RSA_PKCS1_SHA1_FOR_LEGACY_USE_ONLY, &digest::SHA1_FOR_LEGACY_USE_ONLY, &SHA1_PKCS1_DIGESTINFO_PREFIX, "PKCS#1 1.5 padding using SHA-1 for RSA signatures." ); rsa_pkcs1_padding!( RSA_PKCS1_SHA256, &digest::SHA256, &SHA256_PKCS1_DIGESTINFO_PREFIX, "PKCS#1 1.5 padding using SHA-256 for RSA signatures." ); rsa_pkcs1_padding!( RSA_PKCS1_SHA384, &digest::SHA384, &SHA384_PKCS1_DIGESTINFO_PREFIX, "PKCS#1 1.5 padding using SHA-384 for RSA signatures." ); rsa_pkcs1_padding!( RSA_PKCS1_SHA512, &digest::SHA512, &SHA512_PKCS1_DIGESTINFO_PREFIX, "PKCS#1 1.5 padding using SHA-512 for RSA signatures." ); macro_rules! pkcs1_digestinfo_prefix { ( $name:ident, $digest_len:expr, $digest_oid_len:expr, [ $( $digest_oid:expr ),* ] ) => { static $name: [u8; 2 + 8 + $digest_oid_len] = [ der::Tag::Sequence as u8, 8 + $digest_oid_len + $digest_len, der::Tag::Sequence as u8, 2 + $digest_oid_len + 2, der::Tag::OID as u8, $digest_oid_len, $( $digest_oid ),*, der::Tag::Null as u8, 0, der::Tag::OctetString as u8, $digest_len, ]; } } pkcs1_digestinfo_prefix!( SHA1_PKCS1_DIGESTINFO_PREFIX, 20, 5, [0x2b, 0x0e, 0x03, 0x02, 0x1a] ); pkcs1_digestinfo_prefix!( SHA256_PKCS1_DIGESTINFO_PREFIX, 32, 9, [0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01] ); pkcs1_digestinfo_prefix!( SHA384_PKCS1_DIGESTINFO_PREFIX, 48, 9, [0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02] ); pkcs1_digestinfo_prefix!( SHA512_PKCS1_DIGESTINFO_PREFIX, 64, 9, [0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03] ); /// RSA PSS padding as described in [RFC 3447 Section 8.1]. /// /// See "`RSA_PSS_*` Details\" in `ring::signature`'s module-level /// documentation for more details. /// /// [RFC 3447 Section 8.1]: https://tools.ietf.org/html/rfc3447#section-8.1 #[derive(Debug)] pub struct PSS { digest_alg: &'static digest::Algorithm, } impl crate::sealed::Sealed for PSS {} // Maximum supported length of the salt in bytes. // In practice, this is constrained by the maximum digest length. const MAX_SALT_LEN: usize = digest::MAX_OUTPUT_LEN; impl Padding for PSS { fn digest_alg(&self) -> &'static digest::Algorithm { self.digest_alg } } impl RsaEncoding for PSS { // Implement padding procedure per EMSA-PSS, // https://tools.ietf.org/html/rfc3447#section-9.1. fn encode( &self, m_hash: &digest::Digest, m_out: &mut [u8], mod_bits: bits::BitLength, rng: &dyn rand::SecureRandom, ) -> Result<(), error::Unspecified> { let metrics = PSSMetrics::new(self.digest_alg, mod_bits)?; // The `m_out` this function fills is the big-endian-encoded value of `m` // from the specification, padded to `k` bytes, where `k` is the length // in bytes of the public modulus. The spec says "Note that emLen will // be one less than k if modBits - 1 is divisible by 8 and equal to k // otherwise." In other words we might need to prefix `em` with a // leading zero byte to form a correct value of `m`. let em = if metrics.top_byte_mask == 0xff { m_out[0] = 0; &mut m_out[1..] } else { m_out }; assert_eq!(em.len(), metrics.em_len); // Steps 1 and 2 are done by the caller to produce `m_hash`. // Step 3 is done by `PSSMetrics::new()` above. // Step 4. let mut salt = [0u8; MAX_SALT_LEN]; let salt = &mut salt[..metrics.s_len]; rng.fill(salt)?; // Step 5 and 6. let h_hash = pss_digest(self.digest_alg, m_hash, salt); // Re-order steps 7, 8, 9 and 10 so that we first output the db mask // into `em`, and then XOR the value of db. // Step 9. First output the mask into the out buffer. let (mut masked_db, digest_terminator) = em.split_at_mut(metrics.db_len); mgf1(self.digest_alg, h_hash.as_ref(), &mut masked_db)?; { // Steps 7. let masked_db = masked_db.into_iter(); // `PS` is all zero bytes, so skipping `ps_len` bytes is equivalent // to XORing `PS` onto `db`. let mut masked_db = masked_db.skip(metrics.ps_len); // Step 8. *(masked_db.next().ok_or(error::Unspecified)?) ^= 0x01; // Step 10. for (masked_db_b, salt_b) in masked_db.zip(salt) { *masked_db_b ^= *salt_b; } } // Step 11. masked_db[0] &= metrics.top_byte_mask; // Step 12. digest_terminator[..metrics.h_len].copy_from_slice(h_hash.as_ref()); digest_terminator[metrics.h_len] = 0xbc; Ok(()) } } impl Verification for PSS { // RSASSA-PSS-VERIFY from https://tools.ietf.org/html/rfc3447#section-8.1.2 // where steps 1, 2(a), and 2(b) have been done for us. fn verify( &self, m_hash: &digest::Digest, m: &mut untrusted::Reader, mod_bits: bits::BitLength, ) -> Result<(), error::Unspecified> { let metrics = PSSMetrics::new(self.digest_alg, mod_bits)?; // RSASSA-PSS-VERIFY Step 2(c). The `m` this function is given is the // big-endian-encoded value of `m` from the specification, padded to // `k` bytes, where `k` is the length in bytes of the public modulus. // The spec. says "Note that emLen will be one less than k if // modBits - 1 is divisible by 8 and equal to k otherwise," where `k` // is the length in octets of the RSA public modulus `n`. In other // words, `em` might have an extra leading zero byte that we need to // strip before we start the PSS decoding steps which is an artifact of // the `Verification` interface. if metrics.top_byte_mask == 0xff { if m.read_byte()? != 0 { return Err(error::Unspecified); } }; let em = m; // The rest of this function is EMSA-PSS-VERIFY from // https://tools.ietf.org/html/rfc3447#section-9.1.2. // Steps 1 and 2 are done by the caller to produce `m_hash`. // Step 3 is done by `PSSMetrics::new()` above. // Step 5, out of order. let masked_db = em.read_bytes(metrics.db_len)?; let h_hash = em.read_bytes(metrics.h_len)?; // Step 4. if em.read_byte()? != 0xbc { return Err(error::Unspecified); } // Step 7. let mut db = [0u8; PUBLIC_KEY_PUBLIC_MODULUS_MAX_LEN]; let db = &mut db[..metrics.db_len]; mgf1(self.digest_alg, h_hash.as_slice_less_safe(), db)?; masked_db.read_all(error::Unspecified, |masked_bytes| { // Step 6. Check the top bits of first byte are zero. let b = masked_bytes.read_byte()?; if b & !metrics.top_byte_mask != 0 { return Err(error::Unspecified); } db[0] ^= b; // Step 8. for i in 1..db.len() { db[i] ^= masked_bytes.read_byte()?; } Ok(()) })?; // Step 9. db[0] &= metrics.top_byte_mask; // Step 10. let ps_len = metrics.ps_len; for i in 0..ps_len { if db[i] != 0 { return Err(error::Unspecified); } } if db[metrics.ps_len] != 1 { return Err(error::Unspecified); } // Step 11. let salt = &db[(db.len() - metrics.s_len)..]; // Step 12 and 13. let h_prime = pss_digest(self.digest_alg, m_hash, salt); // Step 14. if h_hash != *h_prime.as_ref() { return Err(error::Unspecified); } Ok(()) } } struct PSSMetrics { #[cfg_attr(not(feature = "use_heap"), allow(dead_code))] em_len: usize, db_len: usize, ps_len: usize, s_len: usize, h_len: usize, top_byte_mask: u8, } impl PSSMetrics { fn new( digest_alg: &'static digest::Algorithm, mod_bits: bits::BitLength, ) -> Result { let em_bits = mod_bits.try_sub_1()?; let em_len = em_bits.as_usize_bytes_rounded_up(); let leading_zero_bits = (8 * em_len) - em_bits.as_usize_bits(); debug_assert!(leading_zero_bits < 8); let top_byte_mask = 0xffu8 >> leading_zero_bits; let h_len = digest_alg.output_len; // We require the salt length to be equal to the digest length. let s_len = h_len; // Step 3 of both `EMSA-PSS-ENCODE` is `EMSA-PSS-VERIFY` requires that // we reject inputs where "emLen < hLen + sLen + 2". The definition of // `emBits` in RFC 3447 Sections 9.1.1 and 9.1.2 says `emBits` must be // "at least 8hLen + 8sLen + 9". Since 9 bits requires two bytes, these // two conditions are equivalent. 9 bits are required as the 0x01 // before the salt requires 1 bit and the 0xbc after the digest // requires 8 bits. let db_len = em_len.checked_sub(1 + s_len).ok_or(error::Unspecified)?; let ps_len = db_len.checked_sub(h_len + 1).ok_or(error::Unspecified)?; debug_assert!(em_bits.as_usize_bits() >= (8 * h_len) + (8 * s_len) + 9); Ok(PSSMetrics { em_len, db_len, ps_len, s_len, h_len, top_byte_mask, }) } } // Mask-generating function MGF1 as described in // https://tools.ietf.org/html/rfc3447#appendix-B.2.1. fn mgf1( digest_alg: &'static digest::Algorithm, seed: &[u8], mask: &mut [u8], ) -> Result<(), error::Unspecified> { let digest_len = digest_alg.output_len; // Maximum counter value is the value of (mask_len / digest_len) rounded up. let ctr_max = (mask.len() - 1) / digest_len; assert!(ctr_max <= u32::max_value() as usize); for (i, mask_chunk) in mask.chunks_mut(digest_len).enumerate() { let mut ctx = digest::Context::new(digest_alg); ctx.update(seed); ctx.update(&u32::to_be_bytes(i as u32)); let digest = ctx.finish(); let mask_chunk_len = mask_chunk.len(); mask_chunk.copy_from_slice(&digest.as_ref()[..mask_chunk_len]); } Ok(()) } fn pss_digest( digest_alg: &'static digest::Algorithm, m_hash: &digest::Digest, salt: &[u8], ) -> digest::Digest { // Fixed prefix. const PREFIX_ZEROS: [u8; 8] = [0u8; 8]; // Encoding step 5 and 6, Verification step 12 and 13. let mut ctx = digest::Context::new(digest_alg); ctx.update(&PREFIX_ZEROS); ctx.update(m_hash.as_ref()); ctx.update(salt); ctx.finish() } macro_rules! rsa_pss_padding { ( $PADDING_ALGORITHM:ident, $digest_alg:expr, $doc_str:expr ) => { #[doc=$doc_str] pub static $PADDING_ALGORITHM: PSS = PSS { digest_alg: $digest_alg, }; }; } rsa_pss_padding!( RSA_PSS_SHA256, &digest::SHA256, "RSA PSS padding using SHA-256 for RSA signatures.\n\nSee \"`RSA_PSS_*` Details\" in `ring::signature`'s module-level documentation for more details." ); rsa_pss_padding!( RSA_PSS_SHA384, &digest::SHA384, "RSA PSS padding using SHA-384 for RSA signatures.\n\nSee \"`RSA_PSS_*` Details\" in `ring::signature`'s module-level documentation for more details." ); rsa_pss_padding!( RSA_PSS_SHA512, &digest::SHA512, "RSA PSS padding using SHA-512 for RSA signatures.\n\nSee \"`RSA_PSS_*` Details\" in `ring::signature`'s module-level documentation for more details." ); #[cfg(test)] mod test { use super::*; use crate::{digest, error, test}; use alloc::vec; use untrusted; #[test] fn test_pss_padding_verify() { test::run( test_file!("rsa_pss_padding_tests.txt"), |section, test_case| { assert_eq!(section, ""); let digest_name = test_case.consume_string("Digest"); let alg = match digest_name.as_ref() { "SHA256" => &RSA_PSS_SHA256, "SHA384" => &RSA_PSS_SHA384, "SHA512" => &RSA_PSS_SHA512, _ => panic!("Unsupported digest: {}", digest_name), }; let msg = test_case.consume_bytes("Msg"); let msg = untrusted::Input::from(&msg); let m_hash = digest::digest(alg.digest_alg(), msg.as_slice_less_safe()); let encoded = test_case.consume_bytes("EM"); let encoded = untrusted::Input::from(&encoded); // Salt is recomputed in verification algorithm. let _ = test_case.consume_bytes("Salt"); let bit_len = test_case.consume_usize_bits("Len"); let is_valid = test_case.consume_string("Result") == "P"; let actual_result = encoded.read_all(error::Unspecified, |m| alg.verify(&m_hash, m, bit_len)); assert_eq!(actual_result.is_ok(), is_valid); Ok(()) }, ); } // Tests PSS encoding for various public modulus lengths. #[cfg(feature = "use_heap")] #[test] fn test_pss_padding_encode() { test::run( test_file!("rsa_pss_padding_tests.txt"), |section, test_case| { assert_eq!(section, ""); let digest_name = test_case.consume_string("Digest"); let alg = match digest_name.as_ref() { "SHA256" => &RSA_PSS_SHA256, "SHA384" => &RSA_PSS_SHA384, "SHA512" => &RSA_PSS_SHA512, _ => panic!("Unsupported digest: {}", digest_name), }; let msg = test_case.consume_bytes("Msg"); let salt = test_case.consume_bytes("Salt"); let encoded = test_case.consume_bytes("EM"); let bit_len = test_case.consume_usize_bits("Len"); let expected_result = test_case.consume_string("Result"); // Only test the valid outputs if expected_result != "P" { return Ok(()); } let rng = test::rand::FixedSliceRandom { bytes: &salt }; let mut m_out = vec![0u8; bit_len.as_usize_bytes_rounded_up()]; let digest = digest::digest(alg.digest_alg(), &msg); alg.encode(&digest, &mut m_out, bit_len, &rng).unwrap(); assert_eq!(m_out, encoded); Ok(()) }, ); } }