Add support functions for RSA OAEP, PSS and PKCS1 (#342)

* test RSA signatures with all support hash objects

* implement SupportsRSAPKCS1Signature

* add support functions

* fix test

* fix test

* fix SupportsRSAOAEP

* fix tests

* optimize testRSAKey

* copilot feedback

* add more tests

* fix tests

Author: qmuntal

evp.go

@@ -48,6 +48,14 @@ func hashToMD(h hash.Hash) ossl.EVP_MD_PTR {
 	return nil
 }
 
+// hashToCryptoHash converts a hash.Hash implementation from this package to a crypto.Hash.
+func hashToCryptoHash(h hash.Hash) crypto.Hash {
+	if h, ok := h.(*Hash); ok {
+		return h.alg.ch
+	}
+	return 0
+}
+
 // hashFuncToMD converts a hash.Hash function to a GOossl.EVP_MD_PTR.
 // See [hashFuncHash] for details on error handling.
 func hashFuncToMD(fn func() hash.Hash) (ossl.EVP_MD_PTR, error) {
@@ -294,92 +302,104 @@ func setupEVP(withKey withKeyFunc, padding int32,
 	}
 	// Each padding type has its own requirements in terms of when to apply the padding,
 	// so it can't be just set at this point.
-	setPadding := func() error {
-		_, err := ossl.EVP_PKEY_CTX_ctrl(ctx, ossl.EVP_PKEY_RSA, -1, ossl.EVP_PKEY_CTRL_RSA_PADDING, padding, nil)
-		return err
-	}
 	switch padding {
 	case ossl.RSA_PKCS1_OAEP_PADDING:
-		md := hashToMD(h)
-		if md == nil {
-			return nil, errors.New("crypto/rsa: unsupported hash function")
-		}
-		var mgfMD ossl.EVP_MD_PTR
-		if mgfHash != nil {
-			// mgfHash is optional, but if it is set it must match a supported hash function.
-			mgfMD = hashToMD(mgfHash)
-			if mgfMD == nil {
-				return nil, errors.New("crypto/rsa: unsupported hash function")
-			}
-		}
-		// setPadding must happen before setting EVP_PKEY_CTRL_RSA_OAEP_MD.
-		if err := setPadding(); err != nil {
-			return nil, err
-		}
-		if _, err := ossl.EVP_PKEY_CTX_ctrl(ctx, ossl.EVP_PKEY_RSA, -1, ossl.EVP_PKEY_CTRL_RSA_OAEP_MD, 0, unsafe.Pointer(md)); err != nil {
-			return nil, err
-		}
-		if mgfHash != nil {
-			if _, err := ossl.EVP_PKEY_CTX_ctrl(ctx, ossl.EVP_PKEY_RSA, -1, ossl.EVP_PKEY_CTRL_RSA_MGF1_MD, 0, unsafe.Pointer(mgfMD)); err != nil {
-				return nil, err
-			}
-		}
-		// ctx takes ownership of label, so malloc a copy for OpenSSL to free.
-		// OpenSSL does not take ownership of the label if the length is zero,
-		// so better avoid the allocation.
-		var clabel *byte
-		if len(label) > 0 {
-			clabel = (*byte)(cryptoMalloc(len(label)))
-			copy((*[1 << 30]byte)(unsafe.Pointer(clabel))[:len(label)], label)
-			var err error
-			if major() == 3 {
-				_, err = ossl.EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, unsafe.Pointer(clabel), int32(len(label)))
-			} else {
-				_, err = ossl.EVP_PKEY_CTX_ctrl(ctx, ossl.EVP_PKEY_RSA, -1, ossl.EVP_PKEY_CTRL_RSA_OAEP_LABEL, int32(len(label)), unsafe.Pointer(clabel))
-			}
-			if err != nil {
-				cryptoFree(unsafe.Pointer(clabel))
-				return nil, err
-			}
-		}
+		err = setOAEPPadding(ctx, h, mgfHash, label)
 	case ossl.RSA_PKCS1_PSS_PADDING:
-		alg := loadHash(ch, false)
-		if alg == nil {
-			return nil, errors.New("crypto/rsa: unsupported hash function")
-		}
-		if _, err := ossl.EVP_PKEY_CTX_ctrl(ctx, ossl.EVP_PKEY_RSA, -1, ossl.EVP_PKEY_CTRL_MD, 0, unsafe.Pointer(alg.md)); err != nil {
-			return nil, err
+		err = setPSSPadding(ctx, saltLen, ch)
+	case ossl.RSA_PKCS1_PADDING:
+		err = setPKCS1Padding(ctx, ch)
+	default:
+		_, err = ossl.EVP_PKEY_CTX_ctrl(ctx, ossl.EVP_PKEY_RSA, -1, ossl.EVP_PKEY_CTRL_RSA_PADDING, padding, nil)
+	}
+	if err != nil {
+		return nil, err
+	}
+	return ctx, nil
+}
+
+func setPSSPadding(ctx ossl.EVP_PKEY_CTX_PTR, saltLen int32, ch crypto.Hash) error {
+	alg := loadHash(ch, false)
+	if alg == nil {
+		return errors.New("crypto/rsa: unsupported hash function")
+	}
+	if _, err := ossl.EVP_PKEY_CTX_ctrl(ctx, ossl.EVP_PKEY_RSA, -1, ossl.EVP_PKEY_CTRL_MD, 0, unsafe.Pointer(alg.md)); err != nil {
+		return err
+	}
+	// setPadding must happen after setting EVP_PKEY_CTRL_MD.
+	if _, err := ossl.EVP_PKEY_CTX_ctrl(ctx, ossl.EVP_PKEY_RSA, -1, ossl.EVP_PKEY_CTRL_RSA_PADDING, ossl.RSA_PKCS1_PSS_PADDING, nil); err != nil {
+		return err
+	}
+	if saltLen != 0 {
+		if _, err := ossl.EVP_PKEY_CTX_ctrl(ctx, ossl.EVP_PKEY_RSA, -1, ossl.EVP_PKEY_CTRL_RSA_PSS_SALTLEN, saltLen, nil); err != nil {
+			return err
 		}
-		// setPadding must happen after setting EVP_PKEY_CTRL_MD.
-		if err := setPadding(); err != nil {
-			return nil, err
+	}
+	return nil
+}
+
+func setPKCS1Padding(ctx ossl.EVP_PKEY_CTX_PTR, ch crypto.Hash) error {
+	if ch == 0 {
+		// We support unhashed messages.
+		return nil
+	}
+	alg := loadHash(ch, false)
+	if alg == nil {
+		return errors.New("crypto/rsa: unsupported hash function")
+	}
+	if _, err := ossl.EVP_PKEY_CTX_ctrl(ctx, -1, -1, ossl.EVP_PKEY_CTRL_MD, 0, unsafe.Pointer(alg.md)); err != nil {
+		return err
+	}
+	if _, err := ossl.EVP_PKEY_CTX_ctrl(ctx, ossl.EVP_PKEY_RSA, -1, ossl.EVP_PKEY_CTRL_RSA_PADDING, ossl.RSA_PKCS1_PADDING, nil); err != nil {
+		return err
+	}
+	return nil
+}
+
+func setOAEPPadding(ctx ossl.EVP_PKEY_CTX_PTR, h, mgfHash hash.Hash, label []byte) error {
+	md := hashToMD(h)
+	if md == nil {
+		return errors.New("crypto/rsa: unsupported hash function")
+	}
+	var mgfMD ossl.EVP_MD_PTR
+	if mgfHash != nil {
+		// mgfHash is optional, but if it is set it must match a supported hash function.
+		mgfMD = hashToMD(mgfHash)
+		if mgfMD == nil {
+			return errors.New("crypto/rsa: unsupported hash function")
 		}
-		if saltLen != 0 {
-			if _, err := ossl.EVP_PKEY_CTX_ctrl(ctx, ossl.EVP_PKEY_RSA, -1, ossl.EVP_PKEY_CTRL_RSA_PSS_SALTLEN, saltLen, nil); err != nil {
-				return nil, err
-			}
+	}
+	// setPadding must happen before setting EVP_PKEY_CTRL_RSA_OAEP_MD.
+	if _, err := ossl.EVP_PKEY_CTX_ctrl(ctx, ossl.EVP_PKEY_RSA, -1, ossl.EVP_PKEY_CTRL_RSA_PADDING, ossl.RSA_PKCS1_OAEP_PADDING, nil); err != nil {
+		return err
+	}
+	if _, err := ossl.EVP_PKEY_CTX_ctrl(ctx, ossl.EVP_PKEY_RSA, -1, ossl.EVP_PKEY_CTRL_RSA_OAEP_MD, 0, unsafe.Pointer(md)); err != nil {
+		return err
+	}
+	if mgfHash != nil {
+		if _, err := ossl.EVP_PKEY_CTX_ctrl(ctx, ossl.EVP_PKEY_RSA, -1, ossl.EVP_PKEY_CTRL_RSA_MGF1_MD, 0, unsafe.Pointer(mgfMD)); err != nil {
+			return err
 		}
-
-	case ossl.RSA_PKCS1_PADDING:
-		if ch != 0 {
-			// We support unhashed messages.
-			alg := loadHash(ch, false)
-			if alg == nil {
-				return nil, errors.New("crypto/rsa: unsupported hash function")
-			}
-			if _, err := ossl.EVP_PKEY_CTX_ctrl(ctx, -1, -1, ossl.EVP_PKEY_CTRL_MD, 0, unsafe.Pointer(alg.md)); err != nil {
-				return nil, err
-			}
-			if err := setPadding(); err != nil {
-				return nil, err
-			}
+	}
+	// ctx takes ownership of label, so malloc a copy for OpenSSL to free.
+	// OpenSSL does not take ownership of the label if the length is zero,
+	// so better avoid the allocation.
+	var clabel *byte
+	if len(label) > 0 {
+		clabel = (*byte)(cryptoMalloc(len(label)))
+		copy((*[1 << 30]byte)(unsafe.Pointer(clabel))[:len(label)], label)
+		var err error
+		if major() == 3 {
+			_, err = ossl.EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, unsafe.Pointer(clabel), int32(len(label)))
+		} else {
+			_, err = ossl.EVP_PKEY_CTX_ctrl(ctx, ossl.EVP_PKEY_RSA, -1, ossl.EVP_PKEY_CTRL_RSA_OAEP_LABEL, int32(len(label)), unsafe.Pointer(clabel))
 		}
-	default:
-		if err := setPadding(); err != nil {
-			return nil, err
+		if err != nil {
+			cryptoFree(unsafe.Pointer(clabel))
+			return err
 		}
 	}
-	return ctx, nil
+	return nil
 }
 
 func cryptEVP(withKey withKeyFunc, padding int32,