aboutsummaryrefslogtreecommitdiffstats
path: root/src/lib/prov/pkcs11/p11_mechanism.cpp
blob: 290465dac7e7868a30c442993296aa907874fedd (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
/*
* PKCS#11 Mechanism
* (C) 2016 Daniel Neus, Sirrix AG
* (C) 2016 Philipp Weber, Sirrix AG
*
* Botan is released under the Simplified BSD License (see license.txt)
*/

#include <botan/internal/p11_mechanism.h>
#include <botan/scan_name.h>
#include <botan/emsa.h>

#include <tuple>

namespace Botan {
namespace PKCS11 {

namespace {
using PSS_Params = std::tuple<size_t, MechanismType, MGF>;

// maps a PSS mechanism type to the number of bytes used for the salt, the mechanism type of the underlying hash algorithm and the MGF
static const std::map<MechanismType, PSS_Params> PssOptions =
   {
      { MechanismType::RsaPkcsPss, PSS_Params(0, MechanismType::Sha1, MGF::Mgf1Sha1) },
      { MechanismType::Sha1RsaPkcsPss, PSS_Params(20, MechanismType::Sha1, MGF::Mgf1Sha1) },
      { MechanismType::Sha224RsaPkcsPss, PSS_Params(28, MechanismType::Sha224, MGF::Mgf1Sha224) },
      { MechanismType::Sha256RsaPkcsPss, PSS_Params(32, MechanismType::Sha256, MGF::Mgf1Sha256) },
      { MechanismType::Sha384RsaPkcsPss, PSS_Params(48, MechanismType::Sha384, MGF::Mgf1Sha384) },
      { MechanismType::Sha512RsaPkcsPss, PSS_Params(64, MechanismType::Sha512, MGF::Mgf1Sha512) }
   };

struct MechanismData
   {
   explicit MechanismData(MechanismType _type)
      : type(_type)
      {}

   MechanismData(MechanismData const&) = default;
   MechanismData& operator=(MechanismData const&) = default;
   virtual ~MechanismData() = default;

   // the mechanism to perform
   MechanismType type;
   };

struct RSA_SignMechanism : public MechanismData
   {
   explicit RSA_SignMechanism(MechanismType _type)
      : MechanismData(_type), hash(static_cast<MechanismType>(0)), mgf(static_cast<MGF>(0)), salt_size(0)
      {
      auto pss_option = PssOptions.find(type);
      if(pss_option != PssOptions.end())
         {
         hash = std::get<1>(pss_option->second);
         mgf = std::get<2>(pss_option->second);
         salt_size = std::get<0>(pss_option->second);
         }
      }

   // hash algorithm used in the PSS encoding; if the signature mechanism does not include message hashing,
   // then this value must be the mechanism used by the application to generate the message hash;
   // if the signature mechanism includes hashing, then this value must match the hash algorithm indicated by the signature mechanism
   MechanismType hash;

   // mask generation function to use on the encoded block
   MGF mgf;

   // length, in bytes, of the salt value used in the PSS encoding; typical values are the length of the message hash and zero
   size_t salt_size;
   };

// note: when updating this map, update the documentation for `MechanismWrapper::create_rsa_sign_mechanism`
static std::map<std::string, RSA_SignMechanism> SignMechanisms =
   {
      { "Raw", RSA_SignMechanism(MechanismType::RsaX509) },

      { "EMSA2(Raw)", RSA_SignMechanism(MechanismType::RsaX931) },
      { "EMSA2(SHA-1)", RSA_SignMechanism(MechanismType::Sha1RsaX931) },

      // RSASSA PKCS#1 v1.5
      { "EMSA3(Raw)", RSA_SignMechanism(MechanismType::RsaPkcs) },
      { "EMSA3(SHA-1)", RSA_SignMechanism(MechanismType::Sha1RsaPkcs) },
      { "EMSA3(SHA-224)", RSA_SignMechanism(MechanismType::Sha224RsaPkcs) },
      { "EMSA3(SHA-256)", RSA_SignMechanism(MechanismType::Sha256RsaPkcs) },
      { "EMSA3(SHA-384)", RSA_SignMechanism(MechanismType::Sha384RsaPkcs) },
      { "EMSA3(SHA-512)", RSA_SignMechanism(MechanismType::Sha512RsaPkcs) },

      // RSASSA PKCS#1 PSS
      { "EMSA4(Raw)", RSA_SignMechanism(MechanismType::RsaPkcsPss) },
      { "EMSA4(SHA-1)", RSA_SignMechanism(MechanismType::Sha1RsaPkcsPss) },
      { "EMSA4(SHA-224)", RSA_SignMechanism(MechanismType::Sha224RsaPkcsPss) },
      { "EMSA4(SHA-256)", RSA_SignMechanism(MechanismType::Sha256RsaPkcsPss) },
      { "EMSA4(SHA-384)", RSA_SignMechanism(MechanismType::Sha384RsaPkcsPss) },
      { "EMSA4(SHA-512)", RSA_SignMechanism(MechanismType::Sha512RsaPkcsPss) },

      { "ISO9796", RSA_SignMechanism(MechanismType::Rsa9796) }
   };

struct RSA_CryptMechanism : public MechanismData
   {
   RSA_CryptMechanism(MechanismType _type, size_t _padding_size, MechanismType _hash, MGF _mgf)
      : MechanismData(_type), hash(_hash), mgf(_mgf), padding_size(_padding_size)
      {}

   RSA_CryptMechanism(MechanismType _type, size_t _padding_size)
      : RSA_CryptMechanism(_type, _padding_size, static_cast<MechanismType>(0), static_cast<MGF>(0))
      {}

   // mechanism ID of the message digest algorithm used to calculate the digest of the encoding parameter
   MechanismType hash;

   // mask generation function to use on the encoded block
   MGF mgf;

   // number of bytes required for the padding
   size_t padding_size;
   };

// note: when updating this map, update the documentation for `MechanismWrapper::create_rsa_crypt_mechanism`
static const std::map<std::string, RSA_CryptMechanism> CryptMechanisms =
   {
      { "Raw", RSA_CryptMechanism(MechanismType::RsaX509, 0) },
      { "EME-PKCS1-v1_5", RSA_CryptMechanism(MechanismType::RsaPkcs, 11) },
      { "OAEP(SHA-1)", RSA_CryptMechanism(MechanismType::RsaPkcsOaep, 2 + 2 * 20, MechanismType::Sha1, MGF::Mgf1Sha1) },
      { "OAEP(SHA-224)", RSA_CryptMechanism(MechanismType::RsaPkcsOaep, 2 + 2 * 28, MechanismType::Sha224, MGF::Mgf1Sha224) },
      { "OAEP(SHA-256)", RSA_CryptMechanism(MechanismType::RsaPkcsOaep, 2 + 2 * 32, MechanismType::Sha256, MGF::Mgf1Sha256) },
      { "OAEP(SHA-384)", RSA_CryptMechanism(MechanismType::RsaPkcsOaep, 2 + 2 * 48, MechanismType::Sha384, MGF::Mgf1Sha384) },
      { "OAEP(SHA-512)", RSA_CryptMechanism(MechanismType::RsaPkcsOaep, 2 + 2 * 64, MechanismType::Sha512, MGF::Mgf1Sha512) }
   };

// note: when updating this map, update the documentation for `MechanismWrapper::create_ecdsa_mechanism`
static std::map<std::string, MechanismType> EcdsaHash =
   {
      { "Raw", MechanismType::Ecdsa },
      { "SHA-160", MechanismType::EcdsaSha1 },
      { "SHA-224", MechanismType::EcdsaSha224 },
      { "SHA-256", MechanismType::EcdsaSha256 },
      { "SHA-384", MechanismType::EcdsaSha384 },
      { "SHA-512", MechanismType::EcdsaSha512 }
   };

// note: when updating this map, update the documentation for `MechanismWrapper::create_ecdh_mechanism`
static std::map<std::string, KeyDerivation> EcdhHash =
   {
      { "Raw", KeyDerivation::Null },
      { "SHA-160", KeyDerivation::Sha1Kdf },
      { "SHA-224", KeyDerivation::Sha224Kdf },
      { "SHA-256", KeyDerivation::Sha256Kdf },
      { "SHA-384", KeyDerivation::Sha384Kdf },
      { "SHA-512", KeyDerivation::Sha512Kdf }
   };
}

MechanismWrapper::MechanismWrapper(MechanismType mechanism_type)
   : m_mechanism( { static_cast<CK_MECHANISM_TYPE>(mechanism_type), nullptr, 0 }), m_parameters(nullptr)
   {}

MechanismWrapper MechanismWrapper::create_rsa_crypt_mechanism(const std::string& padding)
   {
   auto mechanism_info_it = CryptMechanisms.find(padding);
   if(mechanism_info_it == CryptMechanisms.end())
      {
      // at this point it would be possible to support additional configurations that are not predefined above by parsing `padding`
      throw Lookup_Error("PKCS#11 RSA encrypt/decrypt does not support EME " + padding);
      }
   RSA_CryptMechanism mechanism_info = mechanism_info_it->second;

   MechanismWrapper mech(mechanism_info.type);
   if(mechanism_info.type == MechanismType::RsaPkcsOaep)
      {
      mech.m_parameters = std::make_shared<MechanismParameters>();
      mech.m_parameters->oaep_params.hashAlg = static_cast<CK_MECHANISM_TYPE>(mechanism_info.hash);
      mech.m_parameters->oaep_params.mgf = static_cast<CK_RSA_PKCS_MGF_TYPE>(mechanism_info.mgf);
      mech.m_parameters->oaep_params.source = CKZ_DATA_SPECIFIED;
      mech.m_parameters->oaep_params.pSourceData = nullptr;
      mech.m_parameters->oaep_params.ulSourceDataLen = 0;
      mech.m_mechanism.pParameter = mech.m_parameters.get();
      mech.m_mechanism.ulParameterLen = sizeof(RsaPkcsOaepParams);
      }
   mech.m_padding_size = mechanism_info.padding_size;
   return mech;
   }

MechanismWrapper MechanismWrapper::create_rsa_sign_mechanism(const std::string& padding)
   {
   auto mechanism_info_it = SignMechanisms.find(padding);
   if(mechanism_info_it == SignMechanisms.end())
      {
      // at this point it would be possible to support additional configurations that are not predefined above by parsing `padding`
      throw Lookup_Error("PKCS#11 RSA sign/verify does not support EMSA " + padding);
      }
   RSA_SignMechanism mechanism_info = mechanism_info_it->second;

   MechanismWrapper mech(mechanism_info.type);
   if(PssOptions.find(mechanism_info.type) != PssOptions.end())
      {
      mech.m_parameters = std::make_shared<MechanismParameters>();
      mech.m_parameters->pss_params.hashAlg = static_cast<CK_MECHANISM_TYPE>(mechanism_info.hash);
      mech.m_parameters->pss_params.mgf = static_cast<CK_RSA_PKCS_MGF_TYPE>(mechanism_info.mgf);
      mech.m_parameters->pss_params.sLen = mechanism_info.salt_size;
      mech.m_mechanism.pParameter = mech.m_parameters.get();
      mech.m_mechanism.ulParameterLen = sizeof(RsaPkcsPssParams);
      }
   return mech;
   }

MechanismWrapper MechanismWrapper::create_ecdsa_mechanism(const std::string& hash)
   {
   std::string hash_name = hash;

   if(hash_name != "Raw")
      {
      hash_name = hash_for_emsa(hash);
      }

   auto mechanism_type = EcdsaHash.find(hash_name);
   if(mechanism_type == EcdsaHash.end())
      {
      throw Lookup_Error("PKCS#11 ECDSA sign/verify does not support " + hash);
      }
   return MechanismWrapper(mechanism_type->second);
   }

MechanismWrapper MechanismWrapper::create_ecdh_mechanism(const std::string& params)
   {
   std::vector<std::string> param_parts = split_on(params, ',');

   if(param_parts.empty() || param_parts.size() > 2)
      throw Invalid_Argument("PKCS #11 ECDH key derivation bad params " + params);

   const bool use_cofactor =
      (param_parts[0] == "Cofactor") ||
      (param_parts.size() == 2 && param_parts[1] == "Cofactor");

   std::string kdf_name = (param_parts[0] == "Cofactor" ? param_parts[1] : param_parts[0]);
   std::string hash = kdf_name;

   if(kdf_name != "Raw")
      {
      SCAN_Name kdf_hash(kdf_name);

      if(kdf_hash.arg_count() > 0)
         {
         hash = kdf_hash.arg(0);
         }
      }

   auto kdf = EcdhHash.find(hash);
   if(kdf == EcdhHash.end())
      {
      throw Lookup_Error("PKCS#11 ECDH key derivation does not support KDF " + kdf_name);
      }
   MechanismWrapper mech(use_cofactor ? MechanismType::Ecdh1CofactorDerive : MechanismType::Ecdh1Derive);
   mech.m_parameters = std::make_shared<MechanismParameters>();
   mech.m_parameters->ecdh_params.kdf = static_cast<CK_EC_KDF_TYPE>(kdf->second);
   mech.m_mechanism.pParameter = mech.m_parameters.get();
   mech.m_mechanism.ulParameterLen = sizeof(Ecdh1DeriveParams);
   return mech;
   }

}
}