rsa key validation test and additions to rsa fromdata test

Author: sebastian-carpenter

src/wp_rsa_kmgmt.c

@@ -1074,6 +1074,27 @@ static int wp_rsa_match(const wp_Rsa* rsa1, const wp_Rsa* rsa2, int selection)
     return ok;
 }
 
+#define VALIDATE_PRIMES_SIZE 133
+static const mp_digit validate_primes[VALIDATE_PRIMES_SIZE] = {
+   0x0002, 0x0003, 0x0005, 0x0007, 0x000B, 0x000D, 0x0011, 0x0013,
+   0x0017, 0x001D, 0x001F, 0x0025, 0x0029, 0x002B, 0x002F, 0x0035,
+   0x003B, 0x003D, 0x0043, 0x0047, 0x0049, 0x004F, 0x0053, 0x0059,
+   0x0061, 0x0065, 0x0067, 0x006B, 0x006D, 0x0071, 0x007F, 0x0083,
+   0x0089, 0x008B, 0x0095, 0x0097, 0x009D, 0x00A3, 0x00A7, 0x00AD,
+   0x00B3, 0x00B5, 0x00BF, 0x00C1, 0x00C5, 0x00C7, 0x00D3, 0x00DF,
+   0x00E3, 0x00E5, 0x00E9, 0x00EF, 0x00F1, 0x00FB, 0x0101, 0x0107,
+   0x010D, 0x010F, 0x0115, 0x0119, 0x011B, 0x0125, 0x0133, 0x0137,
+   0x0139, 0x013D, 0x014B, 0x0151, 0x015B, 0x015D, 0x0161, 0x0167,
+   0x016F, 0x0175, 0x017B, 0x017F, 0x0185, 0x018D, 0x0191, 0x0199,
+   0x01A3, 0x01A5, 0x01AF, 0x01B1, 0x01B7, 0x01BB, 0x01C1, 0x01C9,
+   0x01CD, 0x01CF, 0x01D3, 0x01DF, 0x01E7, 0x01EB, 0x01F3, 0x01F7,
+   0x01FD, 0x0209, 0x020B, 0x021D, 0x0223, 0x022D, 0x0233, 0x0239,
+   0x023B, 0x0241, 0x024B, 0x0251, 0x0257, 0x0259, 0x025F, 0x0265,
+   0x0269, 0x026B, 0x0277, 0x0281, 0x0283, 0x0287, 0x028D, 0x0293,
+   0x0295, 0x02A1, 0x02A5, 0x02AB, 0x02B3, 0x02BD, 0x02C5, 0x02CF,
+   0x02D7, 0x02DD, 0x02E3, 0x02E7, 0x02EF,
+};
+
 /**
  * Validate the RSA key.
  *
@@ -1106,22 +1127,72 @@ static int wp_rsa_validate(const wp_Rsa* rsa, int selection, int checkType)
     else
 #endif
     if (checkPriv) {
-        if (mp_isone(&rsa->key.d) || mp_iszero((mp_int*)&rsa->key.d) ||
+        if (mp_iszero((mp_int*)&rsa->key.d) ||
             (mp_cmp((mp_int*)&rsa->key.d, (mp_int*)&rsa->key.n) != MP_LT)) {
             ok = 0;
         }
     }
     else if (checkPub) {
-        if (mp_iseven(&rsa->key.e) || mp_iszero((mp_int*)&rsa->key.e) ||
-            mp_isone(&rsa->key.e)) {
+        int prime;
+        mp_int res;
+
+        if (mp_iszero((mp_int*)&rsa->key.e) || mp_iszero((mp_int*)&rsa->key.n) ||
+                mp_isone((mp_int*)&rsa->key.e) || mp_isone((mp_int*)&rsa->key.n) ||
+                mp_iseven((mp_int*)&rsa->key.e) || mp_iseven((mp_int*)&rsa->key.n)) {
+            ok = 0;
+        }
+
+        if (ok && mp_init(&res) != MP_OKAY) {
             ok = 0;
         }
+
+        if (ok) {
+            for(prime = 0; prime < VALIDATE_PRIMES_SIZE; prime++) {
+                if (mp_set_int(&res, validate_primes[prime]) != MP_OKAY ||
+                        mp_mod((mp_int*)&rsa->key.n, &res, &res) != MP_OKAY ||
+                        mp_iszero(&res)) {
+                    ok = 0;
+                    break;
+                }
+            }
+        }
+
+        mp_clear(&res);
     }
 
     WOLFPROV_LEAVE(WP_LOG_COMP_RSA, __FILE__ ":" WOLFPROV_STRINGIZE(__LINE__), ok);
     return ok;
 }
 
+/**
+ * Copy an unsigned value from an OSSL param into a provided RSA key parameter.
+ *
+ * @param [out] mp         RSA key parameter.
+ * @param [in]  param      Parameter to copy value from.
+ * @return  1 on success.
+ * @return  0 on failure.
+ */
+static int wp_rsa_import_store_unsigned(mp_int* mp, const OSSL_PARAM* param)
+{
+    int ok = 1;
+
+    if (param->data == NULL){
+        ok = 0;
+    }
+    else if (param->data_type != OSSL_PARAM_UNSIGNED_INTEGER){
+        /* Negative values are stored as NULL by OSSL, for now just set to 0
+         * since NULL can't be stored */
+        ok = mp_set(mp, 0) == MP_OKAY;
+    }
+    else if (!wp_mp_read_unsigned_bin_le(mp, param->data, param->data_size)) {
+        WOLFPROV_MSG(WP_LOG_COMP_RSA,
+            "Failed to read %s from parameters", param->key);
+        ok = 0;
+    }
+
+    return ok;
+}
+
 /**
  * Import the key data into RSA key object from parameters.
  *
@@ -1139,18 +1210,26 @@ static int wp_rsa_import_key_data(wp_Rsa* rsa, const OSSL_PARAM params[],
     int cnt = 0;
     mp_int* mp = NULL;
     const OSSL_PARAM* p = NULL;
+    const OSSL_PARAM* n = NULL;
+    const OSSL_PARAM* e = NULL;
+    const OSSL_PARAM* d = NULL;
 
     WOLFPROV_ENTER(WP_LOG_COMP_RSA, "wp_rsa_import_key_data");
 
     /* N and E params are the only ones required by OSSL, so match that.
      * See ossl_rsa_fromdata() and RSA_set0_key() in OpenSSL. */
-    if (OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_N) == NULL || 
-        OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_E) == NULL) {
+    if ((n = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_N)) == NULL ||
+            n->data == NULL ||
+            (e = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_E)) == NULL ||
+            e->data == NULL){
         WOLFPROV_MSG(WP_LOG_COMP_RSA, "Param N or E is missing");
         ok = 0;
     }
+    if (ok && priv) {
+        d = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_D);
+    }
 
-    if (ok) {
+    if (ok && d != NULL) {
         cnt = wp_params_count(params);
         rsa->key.type = priv ? RSA_PRIVATE : RSA_PUBLIC;
 
@@ -1160,7 +1239,7 @@ static int wp_rsa_import_key_data(wp_Rsa* rsa, const OSSL_PARAM params[],
             index = -1;
             for (j = 0; j < (int)ARRAY_SIZE(wp_rsa_param_key); j++) {
                 if (XSTRNCMP(p->key, wp_rsa_param_key[j], XSTRLEN(p->key)) == 0) {
-                    index = j; 
+                    index = j;
                     break;
                 }
             }
@@ -1170,18 +1249,21 @@ static int wp_rsa_import_key_data(wp_Rsa* rsa, const OSSL_PARAM params[],
                     p->key);
                 continue;
             }
-
             /* Read the value into the rsa struct */
             if (ok) {
                 mp = (mp_int*)(((byte*)&rsa->key) + wp_rsa_offset[index]);
-                if (!wp_mp_read_unsigned_bin_le(mp, p->data, p->data_size)) {
-                    WOLFPROV_MSG(WP_LOG_COMP_RSA,
-                        "Failed to read %s from parameters", p->key);
-                    ok = 0;
-                }
+                ok = wp_rsa_import_store_unsigned(mp, p);
             }
         }
     }
+    else if (ok && d == NULL) {
+        mp = &rsa->key.n;
+        ok = wp_rsa_import_store_unsigned(mp, n);
+        if (ok){
+            mp = &rsa->key.e;
+            ok = wp_rsa_import_store_unsigned(mp, e);
+        }
+    }
 
     WOLFPROV_LEAVE(WP_LOG_COMP_RSA, __FILE__ ":" WOLFPROV_STRINGIZE(__LINE__), ok);
     return ok;