1 ebfc5784 2024-01-07 op /* $OpenBSD: tls_signer.c,v 1.9 2023/06/18 19:12:58 tb Exp $ */
3 ebfc5784 2024-01-07 op * Copyright (c) 2021 Eric Faurot <eric@openbsd.org>
5 ebfc5784 2024-01-07 op * Permission to use, copy, modify, and distribute this software for any
6 ebfc5784 2024-01-07 op * purpose with or without fee is hereby granted, provided that the above
7 ebfc5784 2024-01-07 op * copyright notice and this permission notice appear in all copies.
9 ebfc5784 2024-01-07 op * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 ebfc5784 2024-01-07 op * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 ebfc5784 2024-01-07 op * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 ebfc5784 2024-01-07 op * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 ebfc5784 2024-01-07 op * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 ebfc5784 2024-01-07 op * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 ebfc5784 2024-01-07 op * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 ebfc5784 2024-01-07 op #include "config.h"
20 ebfc5784 2024-01-07 op #include <limits.h>
22 ebfc5784 2024-01-07 op #include <openssl/ecdsa.h>
23 ebfc5784 2024-01-07 op #include <openssl/err.h>
24 ebfc5784 2024-01-07 op #include <openssl/rsa.h>
26 ebfc5784 2024-01-07 op #include "tls.h"
27 ebfc5784 2024-01-07 op #include "tls_internal.h"
29 ebfc5784 2024-01-07 op struct tls_signer_key {
32 ebfc5784 2024-01-07 op EC_KEY *ecdsa;
33 ebfc5784 2024-01-07 op struct tls_signer_key *next;
36 ebfc5784 2024-01-07 op struct tls_signer {
37 ebfc5784 2024-01-07 op struct tls_error error;
38 ebfc5784 2024-01-07 op struct tls_signer_key *keys;
41 ebfc5784 2024-01-07 op struct tls_signer *
42 ebfc5784 2024-01-07 op tls_signer_new(void)
44 ebfc5784 2024-01-07 op struct tls_signer *signer;
46 ebfc5784 2024-01-07 op if ((signer = calloc(1, sizeof(*signer))) == NULL)
47 ebfc5784 2024-01-07 op return (NULL);
49 ebfc5784 2024-01-07 op return (signer);
53 ebfc5784 2024-01-07 op tls_signer_free(struct tls_signer *signer)
55 ebfc5784 2024-01-07 op struct tls_signer_key *skey;
57 ebfc5784 2024-01-07 op if (signer == NULL)
60 ebfc5784 2024-01-07 op tls_error_clear(&signer->error);
62 ebfc5784 2024-01-07 op while (signer->keys) {
63 ebfc5784 2024-01-07 op skey = signer->keys;
64 ebfc5784 2024-01-07 op signer->keys = skey->next;
65 ebfc5784 2024-01-07 op RSA_free(skey->rsa);
66 ebfc5784 2024-01-07 op EC_KEY_free(skey->ecdsa);
67 ebfc5784 2024-01-07 op free(skey->hash);
75 ebfc5784 2024-01-07 op tls_signer_error(struct tls_signer *signer)
77 ebfc5784 2024-01-07 op return (signer->error.msg);
81 ebfc5784 2024-01-07 op tls_signer_add_keypair_mem(struct tls_signer *signer, const uint8_t *cert,
82 ebfc5784 2024-01-07 op size_t cert_len, const uint8_t *key, size_t key_len)
84 ebfc5784 2024-01-07 op struct tls_signer_key *skey = NULL;
85 ebfc5784 2024-01-07 op char *errstr = "unknown";
87 ebfc5784 2024-01-07 op EVP_PKEY *pkey = NULL;
88 ebfc5784 2024-01-07 op X509 *x509 = NULL;
89 ebfc5784 2024-01-07 op BIO *bio = NULL;
90 ebfc5784 2024-01-07 op char *hash = NULL;
92 ebfc5784 2024-01-07 op /* Compute certificate hash */
93 ebfc5784 2024-01-07 op if ((bio = BIO_new_mem_buf(cert, cert_len)) == NULL) {
94 ebfc5784 2024-01-07 op tls_error_setx(&signer->error,
95 ebfc5784 2024-01-07 op "failed to create certificate bio");
98 ebfc5784 2024-01-07 op if ((x509 = PEM_read_bio_X509(bio, NULL, tls_password_cb,
99 ebfc5784 2024-01-07 op NULL)) == NULL) {
100 ebfc5784 2024-01-07 op if ((ssl_err = ERR_peek_error()) != 0)
101 ebfc5784 2024-01-07 op errstr = ERR_error_string(ssl_err, NULL);
102 ebfc5784 2024-01-07 op tls_error_setx(&signer->error, "failed to load certificate: %s",
106 ebfc5784 2024-01-07 op if (tls_cert_pubkey_hash(x509, &hash) == -1) {
107 ebfc5784 2024-01-07 op tls_error_setx(&signer->error,
108 ebfc5784 2024-01-07 op "failed to get certificate hash");
112 ebfc5784 2024-01-07 op X509_free(x509);
114 ebfc5784 2024-01-07 op BIO_free(bio);
117 ebfc5784 2024-01-07 op /* Read private key */
118 ebfc5784 2024-01-07 op if ((bio = BIO_new_mem_buf(key, key_len)) == NULL) {
119 ebfc5784 2024-01-07 op tls_error_setx(&signer->error, "failed to create key bio");
122 ebfc5784 2024-01-07 op if ((pkey = PEM_read_bio_PrivateKey(bio, NULL, tls_password_cb,
123 ebfc5784 2024-01-07 op NULL)) == NULL) {
124 ebfc5784 2024-01-07 op tls_error_setx(&signer->error, "failed to read private key");
128 ebfc5784 2024-01-07 op if ((skey = calloc(1, sizeof(*skey))) == NULL) {
129 ebfc5784 2024-01-07 op tls_error_set(&signer->error, "failed to create key entry");
132 ebfc5784 2024-01-07 op skey->hash = hash;
133 ebfc5784 2024-01-07 op if ((skey->rsa = EVP_PKEY_get1_RSA(pkey)) == NULL &&
134 ebfc5784 2024-01-07 op (skey->ecdsa = EVP_PKEY_get1_EC_KEY(pkey)) == NULL) {
135 ebfc5784 2024-01-07 op tls_error_setx(&signer->error, "unknown key type");
139 ebfc5784 2024-01-07 op skey->next = signer->keys;
140 ebfc5784 2024-01-07 op signer->keys = skey;
141 ebfc5784 2024-01-07 op EVP_PKEY_free(pkey);
142 ebfc5784 2024-01-07 op BIO_free(bio);
147 ebfc5784 2024-01-07 op EVP_PKEY_free(pkey);
148 ebfc5784 2024-01-07 op X509_free(x509);
149 ebfc5784 2024-01-07 op BIO_free(bio);
157 ebfc5784 2024-01-07 op tls_signer_add_keypair_file(struct tls_signer *signer, const char *cert_file,
158 ebfc5784 2024-01-07 op const char *key_file)
160 ebfc5784 2024-01-07 op char *cert = NULL, *key = NULL;
161 ebfc5784 2024-01-07 op size_t cert_len, key_len;
164 ebfc5784 2024-01-07 op if (tls_config_load_file(&signer->error, "certificate", cert_file,
165 ebfc5784 2024-01-07 op &cert, &cert_len) == -1)
168 ebfc5784 2024-01-07 op if (tls_config_load_file(&signer->error, "key", key_file, &key,
169 ebfc5784 2024-01-07 op &key_len) == -1)
172 ebfc5784 2024-01-07 op rv = tls_signer_add_keypair_mem(signer, cert, cert_len, key, key_len);
182 ebfc5784 2024-01-07 op tls_sign_rsa(struct tls_signer *signer, struct tls_signer_key *skey,
183 ebfc5784 2024-01-07 op const uint8_t *input, size_t input_len, int padding_type,
184 ebfc5784 2024-01-07 op uint8_t **out_signature, size_t *out_signature_len)
186 ebfc5784 2024-01-07 op int rsa_padding, rsa_size, signature_len;
187 ebfc5784 2024-01-07 op char *signature = NULL;
189 ebfc5784 2024-01-07 op *out_signature = NULL;
190 ebfc5784 2024-01-07 op *out_signature_len = 0;
192 ebfc5784 2024-01-07 op if (padding_type == TLS_PADDING_NONE) {
193 ebfc5784 2024-01-07 op rsa_padding = RSA_NO_PADDING;
194 ebfc5784 2024-01-07 op } else if (padding_type == TLS_PADDING_RSA_PKCS1) {
195 ebfc5784 2024-01-07 op rsa_padding = RSA_PKCS1_PADDING;
197 ebfc5784 2024-01-07 op tls_error_setx(&signer->error, "invalid RSA padding type (%d)",
198 ebfc5784 2024-01-07 op padding_type);
202 ebfc5784 2024-01-07 op if (input_len > INT_MAX) {
203 ebfc5784 2024-01-07 op tls_error_setx(&signer->error, "input too large");
206 ebfc5784 2024-01-07 op if ((rsa_size = RSA_size(skey->rsa)) <= 0) {
207 ebfc5784 2024-01-07 op tls_error_setx(&signer->error, "invalid RSA size: %d",
211 ebfc5784 2024-01-07 op if ((signature = calloc(1, rsa_size)) == NULL) {
212 ebfc5784 2024-01-07 op tls_error_set(&signer->error, "RSA signature");
216 ebfc5784 2024-01-07 op if ((signature_len = RSA_private_encrypt((int)input_len, input,
217 ebfc5784 2024-01-07 op signature, skey->rsa, rsa_padding)) <= 0) {
218 ebfc5784 2024-01-07 op /* XXX - include further details from libcrypto. */
219 ebfc5784 2024-01-07 op tls_error_setx(&signer->error, "RSA signing failed");
220 ebfc5784 2024-01-07 op free(signature);
224 ebfc5784 2024-01-07 op *out_signature = signature;
225 ebfc5784 2024-01-07 op *out_signature_len = (size_t)signature_len;
231 ebfc5784 2024-01-07 op tls_sign_ecdsa(struct tls_signer *signer, struct tls_signer_key *skey,
232 ebfc5784 2024-01-07 op const uint8_t *input, size_t input_len, int padding_type,
233 ebfc5784 2024-01-07 op uint8_t **out_signature, size_t *out_signature_len)
235 ebfc5784 2024-01-07 op unsigned char *signature;
236 ebfc5784 2024-01-07 op int signature_len;
238 ebfc5784 2024-01-07 op *out_signature = NULL;
239 ebfc5784 2024-01-07 op *out_signature_len = 0;
241 ebfc5784 2024-01-07 op if (padding_type != TLS_PADDING_NONE) {
242 ebfc5784 2024-01-07 op tls_error_setx(&signer->error, "invalid ECDSA padding");
246 ebfc5784 2024-01-07 op if (input_len > INT_MAX) {
247 ebfc5784 2024-01-07 op tls_error_setx(&signer->error, "digest too large");
250 ebfc5784 2024-01-07 op if ((signature_len = ECDSA_size(skey->ecdsa)) <= 0) {
251 ebfc5784 2024-01-07 op tls_error_setx(&signer->error, "invalid ECDSA size: %d",
252 ebfc5784 2024-01-07 op signature_len);
255 ebfc5784 2024-01-07 op if ((signature = calloc(1, signature_len)) == NULL) {
256 ebfc5784 2024-01-07 op tls_error_set(&signer->error, "ECDSA signature");
260 ebfc5784 2024-01-07 op if (!ECDSA_sign(0, input, input_len, signature, &signature_len,
261 ebfc5784 2024-01-07 op skey->ecdsa)) {
262 ebfc5784 2024-01-07 op /* XXX - include further details from libcrypto. */
263 ebfc5784 2024-01-07 op tls_error_setx(&signer->error, "ECDSA signing failed");
264 ebfc5784 2024-01-07 op free(signature);
268 ebfc5784 2024-01-07 op *out_signature = signature;
269 ebfc5784 2024-01-07 op *out_signature_len = signature_len;
275 ebfc5784 2024-01-07 op tls_signer_sign(struct tls_signer *signer, const char *pubkey_hash,
276 ebfc5784 2024-01-07 op const uint8_t *input, size_t input_len, int padding_type,
277 ebfc5784 2024-01-07 op uint8_t **out_signature, size_t *out_signature_len)
279 ebfc5784 2024-01-07 op struct tls_signer_key *skey;
281 ebfc5784 2024-01-07 op *out_signature = NULL;
282 ebfc5784 2024-01-07 op *out_signature_len = 0;
284 ebfc5784 2024-01-07 op for (skey = signer->keys; skey; skey = skey->next)
285 ebfc5784 2024-01-07 op if (!strcmp(pubkey_hash, skey->hash))
288 ebfc5784 2024-01-07 op if (skey == NULL) {
289 ebfc5784 2024-01-07 op tls_error_setx(&signer->error, "key not found");
293 ebfc5784 2024-01-07 op if (skey->rsa != NULL)
294 ebfc5784 2024-01-07 op return tls_sign_rsa(signer, skey, input, input_len,
295 ebfc5784 2024-01-07 op padding_type, out_signature, out_signature_len);
297 ebfc5784 2024-01-07 op if (skey->ecdsa != NULL)
298 ebfc5784 2024-01-07 op return tls_sign_ecdsa(signer, skey, input, input_len,
299 ebfc5784 2024-01-07 op padding_type, out_signature, out_signature_len);
301 ebfc5784 2024-01-07 op tls_error_setx(&signer->error, "unknown key type");
307 ebfc5784 2024-01-07 op tls_rsa_priv_enc(int from_len, const unsigned char *from, unsigned char *to,
308 ebfc5784 2024-01-07 op RSA *rsa, int rsa_padding)
310 ebfc5784 2024-01-07 op struct tls_config *config;
311 ebfc5784 2024-01-07 op uint8_t *signature = NULL;
312 ebfc5784 2024-01-07 op size_t signature_len = 0;
313 ebfc5784 2024-01-07 op const char *pubkey_hash;
314 ebfc5784 2024-01-07 op int padding_type;
317 ebfc5784 2024-01-07 op * This function is called via RSA_private_encrypt() and has to conform
318 ebfc5784 2024-01-07 op * to its calling convention/signature. The caller is required to
319 ebfc5784 2024-01-07 op * provide a 'to' buffer of at least RSA_size() bytes.
322 ebfc5784 2024-01-07 op pubkey_hash = RSA_get_ex_data(rsa, 0);
323 ebfc5784 2024-01-07 op config = RSA_get_ex_data(rsa, 1);
325 ebfc5784 2024-01-07 op if (pubkey_hash == NULL || config == NULL)
328 ebfc5784 2024-01-07 op if (rsa_padding == RSA_NO_PADDING) {
329 ebfc5784 2024-01-07 op padding_type = TLS_PADDING_NONE;
330 ebfc5784 2024-01-07 op } else if (rsa_padding == RSA_PKCS1_PADDING) {
331 ebfc5784 2024-01-07 op padding_type = TLS_PADDING_RSA_PKCS1;
336 ebfc5784 2024-01-07 op if (from_len < 0)
339 ebfc5784 2024-01-07 op if (config->sign_cb(config->sign_cb_arg, pubkey_hash, from, from_len,
340 ebfc5784 2024-01-07 op padding_type, &signature, &signature_len) == -1)
343 ebfc5784 2024-01-07 op if (signature_len > INT_MAX || (int)signature_len > RSA_size(rsa))
346 ebfc5784 2024-01-07 op memcpy(to, signature, signature_len);
347 ebfc5784 2024-01-07 op free(signature);
349 ebfc5784 2024-01-07 op return ((int)signature_len);
352 ebfc5784 2024-01-07 op free(signature);
358 ebfc5784 2024-01-07 op tls_signer_rsa_method(void)
360 ebfc5784 2024-01-07 op static RSA_METHOD *rsa_method = NULL;
362 ebfc5784 2024-01-07 op if (rsa_method != NULL)
365 ebfc5784 2024-01-07 op rsa_method = RSA_meth_new("libtls RSA method", 0);
366 ebfc5784 2024-01-07 op if (rsa_method == NULL)
369 ebfc5784 2024-01-07 op RSA_meth_set_priv_enc(rsa_method, tls_rsa_priv_enc);
372 ebfc5784 2024-01-07 op return (rsa_method);
375 ebfc5784 2024-01-07 op static ECDSA_SIG *
376 ebfc5784 2024-01-07 op tls_ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
377 ebfc5784 2024-01-07 op const BIGNUM *rp, EC_KEY *eckey)
379 ebfc5784 2024-01-07 op struct tls_config *config;
380 ebfc5784 2024-01-07 op ECDSA_SIG *ecdsa_sig = NULL;
381 ebfc5784 2024-01-07 op uint8_t *signature = NULL;
382 ebfc5784 2024-01-07 op size_t signature_len = 0;
383 ebfc5784 2024-01-07 op const unsigned char *p;
384 ebfc5784 2024-01-07 op const char *pubkey_hash;
387 ebfc5784 2024-01-07 op * This function is called via ECDSA_do_sign_ex() and has to conform
388 ebfc5784 2024-01-07 op * to its calling convention/signature.
391 ebfc5784 2024-01-07 op pubkey_hash = EC_KEY_get_ex_data(eckey, 0);
392 ebfc5784 2024-01-07 op config = EC_KEY_get_ex_data(eckey, 1);
394 ebfc5784 2024-01-07 op if (pubkey_hash == NULL || config == NULL)
397 ebfc5784 2024-01-07 op if (dgst_len < 0)
400 ebfc5784 2024-01-07 op if (config->sign_cb(config->sign_cb_arg, pubkey_hash, dgst, dgst_len,
401 ebfc5784 2024-01-07 op TLS_PADDING_NONE, &signature, &signature_len) == -1)
404 ebfc5784 2024-01-07 op p = signature;
405 ebfc5784 2024-01-07 op if ((ecdsa_sig = d2i_ECDSA_SIG(NULL, &p, signature_len)) == NULL)
408 ebfc5784 2024-01-07 op free(signature);
410 ebfc5784 2024-01-07 op return (ecdsa_sig);
413 ebfc5784 2024-01-07 op free(signature);
415 ebfc5784 2024-01-07 op return (NULL);
418 ebfc5784 2024-01-07 op EC_KEY_METHOD *
419 ebfc5784 2024-01-07 op tls_signer_ecdsa_method(void)
421 ebfc5784 2024-01-07 op static EC_KEY_METHOD *ecdsa_method = NULL;
422 ebfc5784 2024-01-07 op const EC_KEY_METHOD *default_method;
423 ebfc5784 2024-01-07 op int (*sign)(int type, const unsigned char *dgst, int dlen,
424 ebfc5784 2024-01-07 op unsigned char *sig, unsigned int *siglen,
425 ebfc5784 2024-01-07 op const BIGNUM *kinv, const BIGNUM *r, EC_KEY *eckey);
426 ebfc5784 2024-01-07 op int (*sign_setup)(EC_KEY *eckey, BN_CTX *ctx_in,
427 ebfc5784 2024-01-07 op BIGNUM **kinvp, BIGNUM **rp);
429 ebfc5784 2024-01-07 op if (ecdsa_method != NULL)
432 ebfc5784 2024-01-07 op default_method = EC_KEY_get_default_method();
433 ebfc5784 2024-01-07 op ecdsa_method = EC_KEY_METHOD_new(default_method);
434 ebfc5784 2024-01-07 op if (ecdsa_method == NULL)
437 ebfc5784 2024-01-07 op EC_KEY_METHOD_get_sign(default_method, &sign, &sign_setup, NULL);
438 ebfc5784 2024-01-07 op EC_KEY_METHOD_set_sign(ecdsa_method, sign, sign_setup,
439 ebfc5784 2024-01-07 op tls_ecdsa_do_sign);
442 ebfc5784 2024-01-07 op return (ecdsa_method);