1/*
2 * Copyright 1999-2017 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10#include <openssl/bn.h>
11#include <openssl/err.h>
12#include "rsa_local.h"
13
14int RSA_check_key(const RSA *key)
15{
16 return RSA_check_key_ex(key, NULL);
17}
18
19/*
20 * NOTE: Key validation requires separate checks to be able to be accessed
21 * individually. These should be visible from the PKEY API..
22 * See rsa_sp800_56b_check_public, rsa_sp800_56b_check_private and
23 * rsa_sp800_56b_check_keypair.
24 */
25int RSA_check_key_ex(const RSA *key, BN_GENCB *cb)
26{
27#ifdef FIPS_MODE
28 return rsa_sp800_56b_check_public(key)
29 && rsa_sp800_56b_check_private(key)
30 && rsa_sp800_56b_check_keypair(key, NULL, -1, RSA_bits(key));
31#else
32 BIGNUM *i, *j, *k, *l, *m;
33 BN_CTX *ctx;
34 int ret = 1, ex_primes = 0, idx;
35 RSA_PRIME_INFO *pinfo;
36
37 if (key->p == NULL || key->q == NULL || key->n == NULL
38 || key->e == NULL || key->d == NULL) {
39 RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_VALUE_MISSING);
40 return 0;
41 }
42
43 /* multi-prime? */
44 if (key->version == RSA_ASN1_VERSION_MULTI) {
45 ex_primes = sk_RSA_PRIME_INFO_num(key->prime_infos);
46 if (ex_primes <= 0
47 || (ex_primes + 2) > rsa_multip_cap(BN_num_bits(key->n))) {
48 RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_INVALID_MULTI_PRIME_KEY);
49 return 0;
50 }
51 }
52
53 i = BN_new();
54 j = BN_new();
55 k = BN_new();
56 l = BN_new();
57 m = BN_new();
58 ctx = BN_CTX_new();
59 if (i == NULL || j == NULL || k == NULL || l == NULL
60 || m == NULL || ctx == NULL) {
61 ret = -1;
62 RSAerr(RSA_F_RSA_CHECK_KEY_EX, ERR_R_MALLOC_FAILURE);
63 goto err;
64 }
65
66 if (BN_is_one(key->e)) {
67 ret = 0;
68 RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_BAD_E_VALUE);
69 }
70 if (!BN_is_odd(key->e)) {
71 ret = 0;
72 RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_BAD_E_VALUE);
73 }
74
75 /* p prime? */
76 if (BN_check_prime(key->p, NULL, cb) != 1) {
77 ret = 0;
78 RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_P_NOT_PRIME);
79 }
80
81 /* q prime? */
82 if (BN_check_prime(key->q, NULL, cb) != 1) {
83 ret = 0;
84 RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_Q_NOT_PRIME);
85 }
86
87 /* r_i prime? */
88 for (idx = 0; idx < ex_primes; idx++) {
89 pinfo = sk_RSA_PRIME_INFO_value(key->prime_infos, idx);
90 if (BN_check_prime(pinfo->r, NULL, cb) != 1) {
91 ret = 0;
92 RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_MP_R_NOT_PRIME);
93 }
94 }
95
96 /* n = p*q * r_3...r_i? */
97 if (!BN_mul(i, key->p, key->q, ctx)) {
98 ret = -1;
99 goto err;
100 }
101 for (idx = 0; idx < ex_primes; idx++) {
102 pinfo = sk_RSA_PRIME_INFO_value(key->prime_infos, idx);
103 if (!BN_mul(i, i, pinfo->r, ctx)) {
104 ret = -1;
105 goto err;
106 }
107 }
108 if (BN_cmp(i, key->n) != 0) {
109 ret = 0;
110 if (ex_primes)
111 RSAerr(RSA_F_RSA_CHECK_KEY_EX,
112 RSA_R_N_DOES_NOT_EQUAL_PRODUCT_OF_PRIMES);
113 else
114 RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_N_DOES_NOT_EQUAL_P_Q);
115 }
116
117 /* d*e = 1 mod \lambda(n)? */
118 if (!BN_sub(i, key->p, BN_value_one())) {
119 ret = -1;
120 goto err;
121 }
122 if (!BN_sub(j, key->q, BN_value_one())) {
123 ret = -1;
124 goto err;
125 }
126
127 /* now compute k = \lambda(n) = LCM(i, j, r_3 - 1...) */
128 if (!BN_mul(l, i, j, ctx)) {
129 ret = -1;
130 goto err;
131 }
132 if (!BN_gcd(m, i, j, ctx)) {
133 ret = -1;
134 goto err;
135 }
136 for (idx = 0; idx < ex_primes; idx++) {
137 pinfo = sk_RSA_PRIME_INFO_value(key->prime_infos, idx);
138 if (!BN_sub(k, pinfo->r, BN_value_one())) {
139 ret = -1;
140 goto err;
141 }
142 if (!BN_mul(l, l, k, ctx)) {
143 ret = -1;
144 goto err;
145 }
146 if (!BN_gcd(m, m, k, ctx)) {
147 ret = -1;
148 goto err;
149 }
150 }
151 if (!BN_div(k, NULL, l, m, ctx)) { /* remainder is 0 */
152 ret = -1;
153 goto err;
154 }
155 if (!BN_mod_mul(i, key->d, key->e, k, ctx)) {
156 ret = -1;
157 goto err;
158 }
159
160 if (!BN_is_one(i)) {
161 ret = 0;
162 RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_D_E_NOT_CONGRUENT_TO_1);
163 }
164
165 if (key->dmp1 != NULL && key->dmq1 != NULL && key->iqmp != NULL) {
166 /* dmp1 = d mod (p-1)? */
167 if (!BN_sub(i, key->p, BN_value_one())) {
168 ret = -1;
169 goto err;
170 }
171 if (!BN_mod(j, key->d, i, ctx)) {
172 ret = -1;
173 goto err;
174 }
175 if (BN_cmp(j, key->dmp1) != 0) {
176 ret = 0;
177 RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_DMP1_NOT_CONGRUENT_TO_D);
178 }
179
180 /* dmq1 = d mod (q-1)? */
181 if (!BN_sub(i, key->q, BN_value_one())) {
182 ret = -1;
183 goto err;
184 }
185 if (!BN_mod(j, key->d, i, ctx)) {
186 ret = -1;
187 goto err;
188 }
189 if (BN_cmp(j, key->dmq1) != 0) {
190 ret = 0;
191 RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_DMQ1_NOT_CONGRUENT_TO_D);
192 }
193
194 /* iqmp = q^-1 mod p? */
195 if (!BN_mod_inverse(i, key->q, key->p, ctx)) {
196 ret = -1;
197 goto err;
198 }
199 if (BN_cmp(i, key->iqmp) != 0) {
200 ret = 0;
201 RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_IQMP_NOT_INVERSE_OF_Q);
202 }
203 }
204
205 for (idx = 0; idx < ex_primes; idx++) {
206 pinfo = sk_RSA_PRIME_INFO_value(key->prime_infos, idx);
207 /* d_i = d mod (r_i - 1)? */
208 if (!BN_sub(i, pinfo->r, BN_value_one())) {
209 ret = -1;
210 goto err;
211 }
212 if (!BN_mod(j, key->d, i, ctx)) {
213 ret = -1;
214 goto err;
215 }
216 if (BN_cmp(j, pinfo->d) != 0) {
217 ret = 0;
218 RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_MP_EXPONENT_NOT_CONGRUENT_TO_D);
219 }
220 /* t_i = R_i ^ -1 mod r_i ? */
221 if (!BN_mod_inverse(i, pinfo->pp, pinfo->r, ctx)) {
222 ret = -1;
223 goto err;
224 }
225 if (BN_cmp(i, pinfo->t) != 0) {
226 ret = 0;
227 RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_MP_COEFFICIENT_NOT_INVERSE_OF_R);
228 }
229 }
230
231 err:
232 BN_free(i);
233 BN_free(j);
234 BN_free(k);
235 BN_free(l);
236 BN_free(m);
237 BN_CTX_free(ctx);
238 return ret;
239#endif /* FIPS_MODE */
240}
241