// Copyright 2018 Google Inc. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. // /////////////////////////////////////////////////////////////////////////////// #include "tink/subtle/pem_parser_boringssl.h" #include #include #include #include "absl/memory/memory.h" #include "absl/status/status.h" #include "absl/strings/str_cat.h" #include "absl/strings/string_view.h" #include "openssl/bio.h" #include "openssl/bn.h" #include "openssl/ec.h" #include "openssl/evp.h" #include "openssl/pem.h" #include "openssl/rsa.h" #include "tink/internal/bn_util.h" #include "tink/internal/ec_util.h" #include "tink/internal/rsa_util.h" #include "tink/internal/ssl_unique_ptr.h" #include "tink/internal/ssl_util.h" #include "tink/subtle/common_enums.h" #include "tink/subtle/subtle_util_boringssl.h" #include "tink/util/status.h" #include "tink/util/statusor.h" namespace crypto { namespace tink { namespace subtle { namespace { constexpr int kBsslOk = 1; // Verifies that the given RSA pointer `rsa_key` points to a valid RSA key. util::Status VerifyRsaKey(const RSA* rsa_key) { if (rsa_key == nullptr) { return util::Status(absl::StatusCode::kInvalidArgument, "Invalid RSA key format"); } // Check the key parameters. if (RSA_check_key(rsa_key) != kBsslOk) { return util::Status(absl::StatusCode::kInvalidArgument, "Invalid RSA key format"); } return util::OkStatus(); } // Verifies that the given ECDSA pointer `ecdsa_key` points to a valid ECDSA // key. util::Status VerifyEcdsaKey(const EC_KEY* ecdsa_key) { if (ecdsa_key == nullptr) { return util::Status(absl::StatusCode::kInvalidArgument, "Invalid ECDSA key format"); } // Check the key parameters. if (EC_KEY_check_key(ecdsa_key) != kBsslOk) { return util::Status(absl::StatusCode::kInvalidArgument, "Invalid ECDSA key format"); } return util::OkStatus(); } // Converts the public portion of a given SubtleUtilBoringSSL::EcKey, // `subtle_ec_key`, into an OpenSSL EC key, `openssl_ec_key`. util::Status EcKeyToSslEcPublicKey( const SubtleUtilBoringSSL::EcKey& subtle_ec_key, EC_KEY* openssl_ec_key) { if (openssl_ec_key == nullptr) { return util::Status(absl::StatusCode::kInvalidArgument, "`openssl_ec_key` arg cannot be NULL"); } util::StatusOr> group = internal::EcGroupFromCurveType(subtle_ec_key.curve); if (!group.ok()) { return group.status(); } util::StatusOr> ec_point = internal::GetEcPoint(subtle_ec_key.curve, subtle_ec_key.pub_x, subtle_ec_key.pub_y); if (!ec_point.ok()) { return ec_point.status(); } // Set key's group and EC point. if (!EC_KEY_set_group(openssl_ec_key, group->get())) { return util::Status( absl::StatusCode::kInternal, absl::StrCat("Failed to set key group from EC group for curve ", EnumToString(subtle_ec_key.curve))); } if (!EC_KEY_set_public_key(openssl_ec_key, ec_point->get())) { return util::Status(absl::StatusCode::kInternal, "Failed to set public key"); } return util::OkStatus(); } // Converts a given SubtleUtilBoringSSL::EcKey, `subtle_ec_key`, into an OpenSSL // EC key, `openssl_ec_key`. util::Status EcKeyToSslEcPrivateKey( const SubtleUtilBoringSSL::EcKey& subtle_ec_key, EC_KEY* openssl_ec_key) { if (openssl_ec_key == nullptr) { return util::Status(absl::StatusCode::kInvalidArgument, "`openssl_ec_key` arg cannot be NULL"); } util::Status status = EcKeyToSslEcPublicKey(subtle_ec_key, openssl_ec_key); if (!status.ok()) { return status; } util::StatusOr> x = internal::StringToBignum(absl::string_view( reinterpret_cast(subtle_ec_key.priv.data()), subtle_ec_key.priv.size())); if (!x.ok()) { return x.status(); } if (!EC_KEY_set_private_key(openssl_ec_key, x->get())) { return util::Status(absl::StatusCode::kInvalidArgument, "Failed to set private key"); } return VerifyEcdsaKey(openssl_ec_key); } // Converts an OpenSSL BIO (i.e., basic IO stream), `bio`, into a string. util::StatusOr ConvertBioToString(BIO* bio) { BUF_MEM* mem = nullptr; BIO_get_mem_ptr(bio, &mem); std::string pem_material; if (mem->data && mem->length) { pem_material.assign(mem->data, mem->length); } if (pem_material.empty()) { return util::Status(absl::StatusCode::kInvalidArgument, "Failed to retrieve key material from BIO"); } return pem_material; } size_t ScalarSizeInBytes(const EC_GROUP* group) { return BN_num_bytes(EC_GROUP_get0_order(group)); } size_t FieldElementSizeInBytes(const EC_GROUP* group) { unsigned degree_bits = EC_GROUP_get_degree(group); return (degree_bits + 7) / 8; } // We explicitly set a failing passphrase callback function to make sure no // default callback routine is used. static int FailingPassphraseCallback(char* buf, int buf_size, int rwflag, void* u) { return -1; } } // namespace util::StatusOr> PemParser::ParseRsaPublicKey(absl::string_view pem_serialized_key) { // Read the RSA key into EVP_PKEY. internal::SslUniquePtr rsa_key_bio(BIO_new(BIO_s_mem())); BIO_write(rsa_key_bio.get(), pem_serialized_key.data(), pem_serialized_key.size()); internal::SslUniquePtr evp_rsa_key( PEM_read_bio_PUBKEY(rsa_key_bio.get(), /*x=*/nullptr, &FailingPassphraseCallback, /*u=*/nullptr)); if (evp_rsa_key == nullptr) { return util::Status(absl::StatusCode::kInvalidArgument, "PEM Public Key parsing failed"); } // No need to free bssl_rsa_key after use. const RSA* bssl_rsa_key = EVP_PKEY_get0_RSA(evp_rsa_key.get()); util::Status verification_res = internal::RsaCheckPublicKey(bssl_rsa_key); if (!verification_res.ok()) { return verification_res; } // Get the public key parameters. const BIGNUM *n_bn, *e_bn, *d_bn; RSA_get0_key(bssl_rsa_key, &n_bn, &e_bn, &d_bn); // Public key should not have d_bn set. if (d_bn != nullptr) { return util::Status(absl::StatusCode::kInvalidArgument, "Invalid RSA Public Key format"); } // We are only interested in e and n. auto n_str = internal::BignumToString(n_bn, BN_num_bytes(n_bn)); auto e_str = internal::BignumToString(e_bn, BN_num_bytes(e_bn)); if (!n_str.ok()) { return n_str.status(); } if (!e_str.ok()) { return e_str.status(); } auto rsa_public_key = absl::make_unique(); rsa_public_key->e = *std::move(e_str); rsa_public_key->n = *std::move(n_str); return std::move(rsa_public_key); } util::StatusOr> PemParser::ParseRsaPrivateKey(absl::string_view pem_serialized_key) { // Read the private key into EVP_PKEY. internal::SslUniquePtr rsa_key_bio(BIO_new(BIO_s_mem())); BIO_write(rsa_key_bio.get(), pem_serialized_key.data(), pem_serialized_key.size()); // BoringSSL APIs to parse the PEM data. internal::SslUniquePtr evp_rsa_key( PEM_read_bio_PrivateKey(rsa_key_bio.get(), /*x=*/nullptr, &FailingPassphraseCallback, /*u=*/nullptr)); if (evp_rsa_key == nullptr) { return util::Status(absl::StatusCode::kInvalidArgument, "PEM Private Key parsing failed"); } // No need to free bssl_rsa_key after use. const RSA* bssl_rsa_key = EVP_PKEY_get0_RSA(evp_rsa_key.get()); auto is_valid_key = VerifyRsaKey(bssl_rsa_key); if (!is_valid_key.ok()) { return is_valid_key; } const BIGNUM *n_bn, *e_bn, *d_bn; RSA_get0_key(bssl_rsa_key, &n_bn, &e_bn, &d_bn); // Save exponents. auto rsa_private_key = absl::make_unique(); auto n_str = internal::BignumToString(n_bn, BN_num_bytes(n_bn)); auto e_str = internal::BignumToString(e_bn, BN_num_bytes(e_bn)); auto d_str = internal::BignumToSecretData(d_bn, BN_num_bytes(d_bn)); if (!n_str.ok()) { return n_str.status(); } if (!e_str.ok()) { return e_str.status(); } if (!d_str.ok()) { return d_str.status(); } rsa_private_key->n = *std::move(n_str); rsa_private_key->e = *std::move(e_str); rsa_private_key->d = *std::move(d_str); // Save factors. const BIGNUM *p_bn, *q_bn; RSA_get0_factors(bssl_rsa_key, &p_bn, &q_bn); auto p_str = internal::BignumToSecretData(p_bn, BN_num_bytes(p_bn)); auto q_str = internal::BignumToSecretData(q_bn, BN_num_bytes(q_bn)); if (!p_str.ok()) { return p_str.status(); } if (!q_str.ok()) { return q_str.status(); } rsa_private_key->p = *std::move(p_str); rsa_private_key->q = *std::move(q_str); // Save CRT parameters. const BIGNUM *dp_bn, *dq_bn, *crt_bn; RSA_get0_crt_params(bssl_rsa_key, &dp_bn, &dq_bn, &crt_bn); auto dp_str = internal::BignumToSecretData(dp_bn, BN_num_bytes(dp_bn)); auto dq_str = internal::BignumToSecretData(dq_bn, BN_num_bytes(dq_bn)); auto crt_str = internal::BignumToSecretData(crt_bn, BN_num_bytes(crt_bn)); if (!dp_str.ok()) { return dp_str.status(); } if (!dq_str.ok()) { return dq_str.status(); } if (!crt_str.ok()) { return crt_str.status(); } rsa_private_key->dp = *std::move(dp_str); rsa_private_key->dq = *std::move(dq_str); rsa_private_key->crt = *std::move(crt_str); return std::move(rsa_private_key); } util::StatusOr PemParser::WriteRsaPublicKey( const internal::RsaPublicKey& rsa_public_key) { auto rsa_statusor = internal::RsaPublicKeyToRsa(rsa_public_key); if (!rsa_statusor.ok()) { return rsa_statusor.status(); } internal::SslUniquePtr rsa = *std::move(rsa_statusor); internal::SslUniquePtr bio(BIO_new(BIO_s_mem())); if (!PEM_write_bio_RSA_PUBKEY(bio.get(), rsa.get())) { return util::Status(absl::StatusCode::kInvalidArgument, "Failed to write openssl RSA key to write bio"); } return ConvertBioToString(bio.get()); } util::StatusOr PemParser::WriteRsaPrivateKey( const internal::RsaPrivateKey& rsa_private_key) { auto rsa_statusor = internal::RsaPrivateKeyToRsa(rsa_private_key); if (!rsa_statusor.ok()) { return rsa_statusor.status(); } internal::SslUniquePtr rsa = *std::move(rsa_statusor); internal::SslUniquePtr evp(EVP_PKEY_new()); EVP_PKEY_set1_RSA(evp.get(), rsa.get()); internal::SslUniquePtr bio(BIO_new(BIO_s_mem())); if (!PEM_write_bio_PrivateKey(bio.get(), evp.get(), /*enc=*/nullptr, /*kstr=*/nullptr, /*klen=*/0, /*cb=*/nullptr, /*u=*/nullptr)) { return util::Status(absl::StatusCode::kInvalidArgument, "Failed to write openssl RSA key to write bio"); } return ConvertBioToString(bio.get()); } util::StatusOr> PemParser::ParseEcPublicKey(absl::string_view pem_serialized_key) { // Read the ECDSA key into EVP_PKEY. internal::SslUniquePtr ecdsa_key_bio(BIO_new(BIO_s_mem())); BIO_write(ecdsa_key_bio.get(), pem_serialized_key.data(), pem_serialized_key.size()); internal::SslUniquePtr evp_ecdsa_key( PEM_read_bio_PUBKEY(ecdsa_key_bio.get(), /*x=*/nullptr, &FailingPassphraseCallback, /*u=*/nullptr)); if (evp_ecdsa_key == nullptr) { return util::Status(absl::StatusCode::kInvalidArgument, "PEM Public Key parsing failed"); } // No need to free bssl_ecdsa_key after use. const EC_KEY* bssl_ecdsa_key = EVP_PKEY_get0_EC_KEY(evp_ecdsa_key.get()); auto is_valid = VerifyEcdsaKey(bssl_ecdsa_key); if (!is_valid.ok()) { return is_valid; } // Get the public key parameters. const EC_POINT* public_point = EC_KEY_get0_public_key(bssl_ecdsa_key); const EC_GROUP* ec_group = EC_KEY_get0_group(bssl_ecdsa_key); internal::SslUniquePtr x_coordinate(BN_new()); internal::SslUniquePtr y_coordinate(BN_new()); EC_POINT_get_affine_coordinates(ec_group, public_point, x_coordinate.get(), y_coordinate.get(), nullptr); // Convert public key parameters and construct Subtle ECKey util::StatusOr x_string = internal::BignumToString( x_coordinate.get(), FieldElementSizeInBytes(ec_group)); if (!x_string.ok()) { return x_string.status(); } util::StatusOr y_string = internal::BignumToString( y_coordinate.get(), FieldElementSizeInBytes(ec_group)); if (!y_string.ok()) { return y_string.status(); } util::StatusOr curve = internal::CurveTypeFromEcGroup(ec_group); if (!curve.ok()) { return curve.status(); } auto ecdsa_public_key = absl::make_unique(); ecdsa_public_key->pub_x = *std::move(x_string); ecdsa_public_key->pub_y = *std::move(y_string); ecdsa_public_key->curve = *std::move(curve); return std::move(ecdsa_public_key); } util::StatusOr> PemParser::ParseEcPrivateKey(absl::string_view pem_serialized_key) { internal::SslUniquePtr ecdsa_key_bio(BIO_new(BIO_s_mem())); BIO_write(ecdsa_key_bio.get(), pem_serialized_key.data(), pem_serialized_key.size()); internal::SslUniquePtr evp_ecdsa_key( PEM_read_bio_PrivateKey(ecdsa_key_bio.get(), /*x=*/nullptr, &FailingPassphraseCallback, /*u=*/nullptr)); if (evp_ecdsa_key == nullptr) { return util::Status(absl::StatusCode::kInvalidArgument, "PEM Private Key parsing failed"); } // No need to free bssl_ecdsa_key after use. const EC_KEY* bssl_ecdsa_key = EVP_PKEY_get0_EC_KEY(evp_ecdsa_key.get()); util::Status verify_result = VerifyEcdsaKey(bssl_ecdsa_key); if (!verify_result.ok()) { return verify_result; } internal::SslUniquePtr x_coordinate(BN_new()); internal::SslUniquePtr y_coordinate(BN_new()); const EC_POINT* public_point = EC_KEY_get0_public_key(bssl_ecdsa_key); const EC_GROUP* ec_group = EC_KEY_get0_group(bssl_ecdsa_key); EC_POINT_get_affine_coordinates(ec_group, public_point, x_coordinate.get(), y_coordinate.get(), nullptr); const BIGNUM* priv_key = EC_KEY_get0_private_key(bssl_ecdsa_key); util::StatusOr priv = internal::BignumToSecretData(priv_key, ScalarSizeInBytes(ec_group)); if (!priv.ok()) { return priv.status(); } util::StatusOr x_string = internal::BignumToString( x_coordinate.get(), FieldElementSizeInBytes(ec_group)); if (!x_string.ok()) { return x_string.status(); } util::StatusOr y_string = internal::BignumToString( y_coordinate.get(), FieldElementSizeInBytes(ec_group)); if (!y_string.ok()) { return y_string.status(); } util::StatusOr curve = internal::CurveTypeFromEcGroup(ec_group); if (!curve.ok()) { return curve.status(); } auto ecdsa_private_key = absl::make_unique(); ecdsa_private_key->pub_x = *std::move(x_string); ecdsa_private_key->pub_y = *std::move(y_string); ecdsa_private_key->priv = *std::move(priv); ecdsa_private_key->curve = *std::move(curve); return std::move(ecdsa_private_key); } util::StatusOr PemParser::WriteEcPublicKey( const SubtleUtilBoringSSL::EcKey& ec_key) { internal::SslUniquePtr openssl_ec_key(EC_KEY_new()); util::Status status = EcKeyToSslEcPublicKey(ec_key, openssl_ec_key.get()); if (!status.ok()) { return status; } internal::SslUniquePtr bio(BIO_new(BIO_s_mem())); if (!PEM_write_bio_EC_PUBKEY(bio.get(), openssl_ec_key.get())) { return util::Status(absl::StatusCode::kInvalidArgument, "Failed to write openssl EC key to write bio"); } return ConvertBioToString(bio.get()); } util::StatusOr PemParser::WriteEcPrivateKey( const SubtleUtilBoringSSL::EcKey& ec_key) { internal::SslUniquePtr openssl_ec_key(EC_KEY_new()); util::Status status = EcKeyToSslEcPrivateKey(ec_key, openssl_ec_key.get()); if (!status.ok()) { return status; } internal::SslUniquePtr bio(BIO_new(BIO_s_mem())); if (!PEM_write_bio_ECPrivateKey(bio.get(), openssl_ec_key.get(), /*enc=*/nullptr, /*kstr=*/nullptr, /*klen=*/0, /*cb=*/nullptr, /*u=*/nullptr)) { return util::Status(absl::StatusCode::kInvalidArgument, "Failed to write openssl EC key to write bio"); } return ConvertBioToString(bio.get()); } } // namespace subtle } // namespace tink } // namespace crypto