1 /* $OpenBSD: tls_signer.c,v 1.9 2023/06/18 19:12:58 tb Exp $ */
3 * Copyright (c) 2021 Eric Faurot <eric@openbsd.org>
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
22 #include <openssl/ecdsa.h>
23 #include <openssl/err.h>
24 #include <openssl/rsa.h>
27 #include "tls_internal.h"
29 struct tls_signer_key {
33 struct tls_signer_key *next;
37 struct tls_error error;
38 struct tls_signer_key *keys;
44 struct tls_signer *signer;
46 if ((signer = calloc(1, sizeof(*signer))) == NULL)
53 tls_signer_free(struct tls_signer *signer)
55 struct tls_signer_key *skey;
60 tls_error_clear(&signer->error);
62 while (signer->keys) {
64 signer->keys = skey->next;
66 EC_KEY_free(skey->ecdsa);
75 tls_signer_error(struct tls_signer *signer)
77 return (signer->error.msg);
81 tls_signer_add_keypair_mem(struct tls_signer *signer, const uint8_t *cert,
82 size_t cert_len, const uint8_t *key, size_t key_len)
84 struct tls_signer_key *skey = NULL;
85 char *errstr = "unknown";
87 EVP_PKEY *pkey = NULL;
92 /* Compute certificate hash */
93 if ((bio = BIO_new_mem_buf(cert, cert_len)) == NULL) {
94 tls_error_setx(&signer->error,
95 "failed to create certificate bio");
98 if ((x509 = PEM_read_bio_X509(bio, NULL, tls_password_cb,
100 if ((ssl_err = ERR_peek_error()) != 0)
101 errstr = ERR_error_string(ssl_err, NULL);
102 tls_error_setx(&signer->error, "failed to load certificate: %s",
106 if (tls_cert_pubkey_hash(x509, &hash) == -1) {
107 tls_error_setx(&signer->error,
108 "failed to get certificate hash");
117 /* Read private key */
118 if ((bio = BIO_new_mem_buf(key, key_len)) == NULL) {
119 tls_error_setx(&signer->error, "failed to create key bio");
122 if ((pkey = PEM_read_bio_PrivateKey(bio, NULL, tls_password_cb,
124 tls_error_setx(&signer->error, "failed to read private key");
128 if ((skey = calloc(1, sizeof(*skey))) == NULL) {
129 tls_error_set(&signer->error, "failed to create key entry");
133 if ((skey->rsa = EVP_PKEY_get1_RSA(pkey)) == NULL &&
134 (skey->ecdsa = EVP_PKEY_get1_EC_KEY(pkey)) == NULL) {
135 tls_error_setx(&signer->error, "unknown key type");
139 skey->next = signer->keys;
157 tls_signer_add_keypair_file(struct tls_signer *signer, const char *cert_file,
158 const char *key_file)
160 char *cert = NULL, *key = NULL;
161 size_t cert_len, key_len;
164 if (tls_config_load_file(&signer->error, "certificate", cert_file,
165 &cert, &cert_len) == -1)
168 if (tls_config_load_file(&signer->error, "key", key_file, &key,
172 rv = tls_signer_add_keypair_mem(signer, cert, cert_len, key, key_len);
182 tls_sign_rsa(struct tls_signer *signer, struct tls_signer_key *skey,
183 const uint8_t *input, size_t input_len, int padding_type,
184 uint8_t **out_signature, size_t *out_signature_len)
186 int rsa_padding, rsa_size, signature_len;
187 char *signature = NULL;
189 *out_signature = NULL;
190 *out_signature_len = 0;
192 if (padding_type == TLS_PADDING_NONE) {
193 rsa_padding = RSA_NO_PADDING;
194 } else if (padding_type == TLS_PADDING_RSA_PKCS1) {
195 rsa_padding = RSA_PKCS1_PADDING;
197 tls_error_setx(&signer->error, "invalid RSA padding type (%d)",
202 if (input_len > INT_MAX) {
203 tls_error_setx(&signer->error, "input too large");
206 if ((rsa_size = RSA_size(skey->rsa)) <= 0) {
207 tls_error_setx(&signer->error, "invalid RSA size: %d",
211 if ((signature = calloc(1, rsa_size)) == NULL) {
212 tls_error_set(&signer->error, "RSA signature");
216 if ((signature_len = RSA_private_encrypt((int)input_len, input,
217 signature, skey->rsa, rsa_padding)) <= 0) {
218 /* XXX - include further details from libcrypto. */
219 tls_error_setx(&signer->error, "RSA signing failed");
224 *out_signature = signature;
225 *out_signature_len = (size_t)signature_len;
231 tls_sign_ecdsa(struct tls_signer *signer, struct tls_signer_key *skey,
232 const uint8_t *input, size_t input_len, int padding_type,
233 uint8_t **out_signature, size_t *out_signature_len)
235 unsigned char *signature;
238 *out_signature = NULL;
239 *out_signature_len = 0;
241 if (padding_type != TLS_PADDING_NONE) {
242 tls_error_setx(&signer->error, "invalid ECDSA padding");
246 if (input_len > INT_MAX) {
247 tls_error_setx(&signer->error, "digest too large");
250 if ((signature_len = ECDSA_size(skey->ecdsa)) <= 0) {
251 tls_error_setx(&signer->error, "invalid ECDSA size: %d",
255 if ((signature = calloc(1, signature_len)) == NULL) {
256 tls_error_set(&signer->error, "ECDSA signature");
260 if (!ECDSA_sign(0, input, input_len, signature, &signature_len,
262 /* XXX - include further details from libcrypto. */
263 tls_error_setx(&signer->error, "ECDSA signing failed");
268 *out_signature = signature;
269 *out_signature_len = signature_len;
275 tls_signer_sign(struct tls_signer *signer, const char *pubkey_hash,
276 const uint8_t *input, size_t input_len, int padding_type,
277 uint8_t **out_signature, size_t *out_signature_len)
279 struct tls_signer_key *skey;
281 *out_signature = NULL;
282 *out_signature_len = 0;
284 for (skey = signer->keys; skey; skey = skey->next)
285 if (!strcmp(pubkey_hash, skey->hash))
289 tls_error_setx(&signer->error, "key not found");
293 if (skey->rsa != NULL)
294 return tls_sign_rsa(signer, skey, input, input_len,
295 padding_type, out_signature, out_signature_len);
297 if (skey->ecdsa != NULL)
298 return tls_sign_ecdsa(signer, skey, input, input_len,
299 padding_type, out_signature, out_signature_len);
301 tls_error_setx(&signer->error, "unknown key type");
307 tls_rsa_priv_enc(int from_len, const unsigned char *from, unsigned char *to,
308 RSA *rsa, int rsa_padding)
310 struct tls_config *config;
311 uint8_t *signature = NULL;
312 size_t signature_len = 0;
313 const char *pubkey_hash;
317 * This function is called via RSA_private_encrypt() and has to conform
318 * to its calling convention/signature. The caller is required to
319 * provide a 'to' buffer of at least RSA_size() bytes.
322 pubkey_hash = RSA_get_ex_data(rsa, 0);
323 config = RSA_get_ex_data(rsa, 1);
325 if (pubkey_hash == NULL || config == NULL)
328 if (rsa_padding == RSA_NO_PADDING) {
329 padding_type = TLS_PADDING_NONE;
330 } else if (rsa_padding == RSA_PKCS1_PADDING) {
331 padding_type = TLS_PADDING_RSA_PKCS1;
339 if (config->sign_cb(config->sign_cb_arg, pubkey_hash, from, from_len,
340 padding_type, &signature, &signature_len) == -1)
343 if (signature_len > INT_MAX || (int)signature_len > RSA_size(rsa))
346 memcpy(to, signature, signature_len);
349 return ((int)signature_len);
358 tls_signer_rsa_method(void)
360 static RSA_METHOD *rsa_method = NULL;
362 if (rsa_method != NULL)
365 rsa_method = RSA_meth_new("libtls RSA method", 0);
366 if (rsa_method == NULL)
369 RSA_meth_set_priv_enc(rsa_method, tls_rsa_priv_enc);
376 tls_ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
377 const BIGNUM *rp, EC_KEY *eckey)
379 struct tls_config *config;
380 ECDSA_SIG *ecdsa_sig = NULL;
381 uint8_t *signature = NULL;
382 size_t signature_len = 0;
383 const unsigned char *p;
384 const char *pubkey_hash;
387 * This function is called via ECDSA_do_sign_ex() and has to conform
388 * to its calling convention/signature.
391 pubkey_hash = EC_KEY_get_ex_data(eckey, 0);
392 config = EC_KEY_get_ex_data(eckey, 1);
394 if (pubkey_hash == NULL || config == NULL)
400 if (config->sign_cb(config->sign_cb_arg, pubkey_hash, dgst, dgst_len,
401 TLS_PADDING_NONE, &signature, &signature_len) == -1)
405 if ((ecdsa_sig = d2i_ECDSA_SIG(NULL, &p, signature_len)) == NULL)
419 tls_signer_ecdsa_method(void)
421 static EC_KEY_METHOD *ecdsa_method = NULL;
422 const EC_KEY_METHOD *default_method;
423 int (*sign)(int type, const unsigned char *dgst, int dlen,
424 unsigned char *sig, unsigned int *siglen,
425 const BIGNUM *kinv, const BIGNUM *r, EC_KEY *eckey);
426 int (*sign_setup)(EC_KEY *eckey, BN_CTX *ctx_in,
427 BIGNUM **kinvp, BIGNUM **rp);
429 if (ecdsa_method != NULL)
432 default_method = EC_KEY_get_default_method();
433 ecdsa_method = EC_KEY_METHOD_new(default_method);
434 if (ecdsa_method == NULL)
437 EC_KEY_METHOD_get_sign(default_method, &sign, &sign_setup, NULL);
438 EC_KEY_METHOD_set_sign(ecdsa_method, sign, sign_setup,
442 return (ecdsa_method);