2 * Copyright 2008-2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include "internal/cryptlib.h"
11 #include <openssl/asn1t.h>
12 #include <openssl/pem.h>
13 #include <openssl/x509v3.h>
14 #include <openssl/err.h>
15 #include <openssl/cms.h>
16 #include <openssl/evp.h>
17 #include "crypto/asn1.h"
18 #include "crypto/evp.h"
19 #include "crypto/x509.h"
20 #include "cms_local.h"
22 /* CMS EnvelopedData Utilities */
23 static void cms_env_set_version(CMS_EnvelopedData
*env
);
25 #define CMS_ENVELOPED_STANDARD 1
26 #define CMS_ENVELOPED_AUTH 2
28 static int cms_get_enveloped_type(const CMS_ContentInfo
*cms
)
30 int nid
= OBJ_obj2nid(cms
->contentType
);
33 case NID_pkcs7_enveloped
:
34 return CMS_ENVELOPED_STANDARD
;
36 case NID_id_smime_ct_authEnvelopedData
:
37 return CMS_ENVELOPED_AUTH
;
40 ERR_raise(ERR_LIB_CMS
, CMS_R_CONTENT_TYPE_NOT_ENVELOPED_DATA
);
45 CMS_EnvelopedData
*cms_get0_enveloped(CMS_ContentInfo
*cms
)
47 if (OBJ_obj2nid(cms
->contentType
) != NID_pkcs7_enveloped
) {
48 ERR_raise(ERR_LIB_CMS
, CMS_R_CONTENT_TYPE_NOT_ENVELOPED_DATA
);
51 return cms
->d
.envelopedData
;
54 CMS_AuthEnvelopedData
*cms_get0_auth_enveloped(CMS_ContentInfo
*cms
)
56 if (OBJ_obj2nid(cms
->contentType
) != NID_id_smime_ct_authEnvelopedData
) {
57 ERR_raise(ERR_LIB_CMS
, CMS_R_CONTENT_TYPE_NOT_ENVELOPED_DATA
);
60 return cms
->d
.authEnvelopedData
;
63 static CMS_EnvelopedData
*cms_enveloped_data_init(CMS_ContentInfo
*cms
)
65 if (cms
->d
.other
== NULL
) {
66 cms
->d
.envelopedData
= M_ASN1_new_of(CMS_EnvelopedData
);
67 if (cms
->d
.envelopedData
== NULL
) {
68 ERR_raise(ERR_LIB_CMS
, ERR_R_MALLOC_FAILURE
);
71 cms
->d
.envelopedData
->version
= 0;
72 cms
->d
.envelopedData
->encryptedContentInfo
->contentType
=
73 OBJ_nid2obj(NID_pkcs7_data
);
74 ASN1_OBJECT_free(cms
->contentType
);
75 cms
->contentType
= OBJ_nid2obj(NID_pkcs7_enveloped
);
76 return cms
->d
.envelopedData
;
78 return cms_get0_enveloped(cms
);
81 static CMS_AuthEnvelopedData
*
82 cms_auth_enveloped_data_init(CMS_ContentInfo
*cms
)
84 if (cms
->d
.other
== NULL
) {
85 cms
->d
.authEnvelopedData
= M_ASN1_new_of(CMS_AuthEnvelopedData
);
86 if (cms
->d
.authEnvelopedData
== NULL
) {
87 ERR_raise(ERR_LIB_CMS
, ERR_R_MALLOC_FAILURE
);
90 /* Defined in RFC 5083 - Section 2.1. "AuthEnvelopedData Type" */
91 cms
->d
.authEnvelopedData
->version
= 0;
92 cms
->d
.authEnvelopedData
->authEncryptedContentInfo
->contentType
=
93 OBJ_nid2obj(NID_pkcs7_data
);
94 ASN1_OBJECT_free(cms
->contentType
);
95 cms
->contentType
= OBJ_nid2obj(NID_id_smime_ct_authEnvelopedData
);
96 return cms
->d
.authEnvelopedData
;
98 return cms_get0_auth_enveloped(cms
);
101 int cms_env_asn1_ctrl(CMS_RecipientInfo
*ri
, int cmd
)
105 if (ri
->type
== CMS_RECIPINFO_TRANS
)
106 pkey
= ri
->d
.ktri
->pkey
;
107 else if (ri
->type
== CMS_RECIPINFO_AGREE
) {
108 EVP_PKEY_CTX
*pctx
= ri
->d
.kari
->pctx
;
112 pkey
= EVP_PKEY_CTX_get0_pkey(pctx
);
118 if (EVP_PKEY_is_a(pkey
, "DHX") || EVP_PKEY_is_a(pkey
, "DH"))
119 return cms_dh_envelope(ri
, cmd
);
120 else if (EVP_PKEY_is_a(pkey
, "EC"))
121 return cms_ecdh_envelope(ri
, cmd
);
122 else if (EVP_PKEY_is_a(pkey
, "RSA"))
123 return cms_rsa_envelope(ri
, cmd
);
125 /* Something else? We'll give engines etc a chance to handle this */
126 if (pkey
->ameth
== NULL
|| pkey
->ameth
->pkey_ctrl
== NULL
)
128 i
= pkey
->ameth
->pkey_ctrl(pkey
, ASN1_PKEY_CTRL_CMS_ENVELOPE
, cmd
, ri
);
130 ERR_raise(ERR_LIB_CMS
, CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE
);
134 ERR_raise(ERR_LIB_CMS
, CMS_R_CTRL_FAILURE
);
140 CMS_EncryptedContentInfo
* cms_get0_env_enc_content(const CMS_ContentInfo
*cms
)
142 switch (cms_get_enveloped_type(cms
)) {
143 case CMS_ENVELOPED_STANDARD
:
144 return cms
->d
.envelopedData
->encryptedContentInfo
;
146 case CMS_ENVELOPED_AUTH
:
147 return cms
->d
.authEnvelopedData
->authEncryptedContentInfo
;
154 STACK_OF(CMS_RecipientInfo
) *CMS_get0_RecipientInfos(CMS_ContentInfo
*cms
)
156 switch (cms_get_enveloped_type(cms
)) {
157 case CMS_ENVELOPED_STANDARD
:
158 return cms
->d
.envelopedData
->recipientInfos
;
160 case CMS_ENVELOPED_AUTH
:
161 return cms
->d
.authEnvelopedData
->recipientInfos
;
168 void cms_RecipientInfos_set_cmsctx(CMS_ContentInfo
*cms
)
171 CMS_RecipientInfo
*ri
;
172 const CMS_CTX
*ctx
= cms_get0_cmsctx(cms
);
173 STACK_OF(CMS_RecipientInfo
) *rinfos
= CMS_get0_RecipientInfos(cms
);
175 for (i
= 0; i
< sk_CMS_RecipientInfo_num(rinfos
); i
++) {
176 ri
= sk_CMS_RecipientInfo_value(rinfos
, i
);
179 case CMS_RECIPINFO_AGREE
:
180 ri
->d
.kari
->cms_ctx
= ctx
;
182 case CMS_RECIPINFO_TRANS
:
183 ri
->d
.ktri
->cms_ctx
= ctx
;
184 x509_set0_libctx(ri
->d
.ktri
->recip
, cms_ctx_get0_libctx(ctx
),
185 cms_ctx_get0_propq(ctx
));
187 case CMS_RECIPINFO_KEK
:
188 ri
->d
.kekri
->cms_ctx
= ctx
;
190 case CMS_RECIPINFO_PASS
:
191 ri
->d
.pwri
->cms_ctx
= ctx
;
200 int CMS_RecipientInfo_type(CMS_RecipientInfo
*ri
)
205 EVP_PKEY_CTX
*CMS_RecipientInfo_get0_pkey_ctx(CMS_RecipientInfo
*ri
)
207 if (ri
->type
== CMS_RECIPINFO_TRANS
)
208 return ri
->d
.ktri
->pctx
;
209 else if (ri
->type
== CMS_RECIPINFO_AGREE
)
210 return ri
->d
.kari
->pctx
;
214 CMS_ContentInfo
*CMS_EnvelopedData_create_ex(const EVP_CIPHER
*cipher
,
215 OSSL_LIB_CTX
*libctx
,
218 CMS_ContentInfo
*cms
;
219 CMS_EnvelopedData
*env
;
221 cms
= CMS_ContentInfo_new_ex(libctx
, propq
);
224 env
= cms_enveloped_data_init(cms
);
228 if (!cms_EncryptedContent_init(env
->encryptedContentInfo
, cipher
, NULL
, 0,
229 cms_get0_cmsctx(cms
)))
233 CMS_ContentInfo_free(cms
);
234 ERR_raise(ERR_LIB_CMS
, ERR_R_MALLOC_FAILURE
);
238 CMS_ContentInfo
*CMS_EnvelopedData_create(const EVP_CIPHER
*cipher
)
240 return CMS_EnvelopedData_create_ex(cipher
, NULL
, NULL
);
244 CMS_AuthEnvelopedData_create_ex(const EVP_CIPHER
*cipher
, OSSL_LIB_CTX
*libctx
,
247 CMS_ContentInfo
*cms
;
248 CMS_AuthEnvelopedData
*aenv
;
250 cms
= CMS_ContentInfo_new_ex(libctx
, propq
);
253 aenv
= cms_auth_enveloped_data_init(cms
);
256 if (!cms_EncryptedContent_init(aenv
->authEncryptedContentInfo
,
257 cipher
, NULL
, 0, cms_get0_cmsctx(cms
)))
261 CMS_ContentInfo_free(cms
);
262 ERR_raise(ERR_LIB_CMS
, ERR_R_MALLOC_FAILURE
);
267 CMS_ContentInfo
*CMS_AuthEnvelopedData_create(const EVP_CIPHER
*cipher
)
269 return CMS_AuthEnvelopedData_create_ex(cipher
, NULL
, NULL
);
272 /* Key Transport Recipient Info (KTRI) routines */
274 /* Initialise a ktri based on passed certificate and key */
276 static int cms_RecipientInfo_ktri_init(CMS_RecipientInfo
*ri
, X509
*recip
,
277 EVP_PKEY
*pk
, unsigned int flags
,
280 CMS_KeyTransRecipientInfo
*ktri
;
283 ri
->d
.ktri
= M_ASN1_new_of(CMS_KeyTransRecipientInfo
);
286 ri
->type
= CMS_RECIPINFO_TRANS
;
291 if (flags
& CMS_USE_KEYID
) {
293 idtype
= CMS_RECIPINFO_KEYIDENTIFIER
;
296 idtype
= CMS_RECIPINFO_ISSUER_SERIAL
;
300 * Not a typo: RecipientIdentifier and SignerIdentifier are the same
304 if (!cms_set1_SignerIdentifier(ktri
->rid
, recip
, idtype
, ctx
))
313 if (flags
& CMS_KEY_PARAM
) {
314 ktri
->pctx
= EVP_PKEY_CTX_new_from_pkey(cms_ctx_get0_libctx(ctx
),
316 cms_ctx_get0_propq(ctx
));
317 if (ktri
->pctx
== NULL
)
319 if (EVP_PKEY_encrypt_init(ktri
->pctx
) <= 0)
321 } else if (!cms_env_asn1_ctrl(ri
, 0))
327 * Add a recipient certificate using appropriate type of RecipientInfo
330 CMS_RecipientInfo
*CMS_add1_recipient(CMS_ContentInfo
*cms
, X509
*recip
,
331 EVP_PKEY
*originatorPrivKey
,
332 X509
*originator
, unsigned int flags
)
334 CMS_RecipientInfo
*ri
= NULL
;
335 STACK_OF(CMS_RecipientInfo
) *ris
;
337 const CMS_CTX
*ctx
= cms_get0_cmsctx(cms
);
339 ris
= CMS_get0_RecipientInfos(cms
);
343 /* Initialize recipient info */
344 ri
= M_ASN1_new_of(CMS_RecipientInfo
);
348 pk
= X509_get0_pubkey(recip
);
350 ERR_raise(ERR_LIB_CMS
, CMS_R_ERROR_GETTING_PUBLIC_KEY
);
354 switch (cms_pkey_get_ri_type(pk
)) {
356 case CMS_RECIPINFO_TRANS
:
357 if (!cms_RecipientInfo_ktri_init(ri
, recip
, pk
, flags
, ctx
))
361 case CMS_RECIPINFO_AGREE
:
362 if (!cms_RecipientInfo_kari_init(ri
, recip
, pk
, originator
,
363 originatorPrivKey
, flags
, ctx
))
368 ERR_raise(ERR_LIB_CMS
, CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE
);
373 if (!sk_CMS_RecipientInfo_push(ris
, ri
))
379 ERR_raise(ERR_LIB_CMS
, ERR_R_MALLOC_FAILURE
);
381 M_ASN1_free_of(ri
, CMS_RecipientInfo
);
386 CMS_RecipientInfo
*CMS_add1_recipient_cert(CMS_ContentInfo
*cms
, X509
*recip
,
389 return CMS_add1_recipient(cms
, recip
, NULL
, NULL
, flags
);
392 int CMS_RecipientInfo_ktri_get0_algs(CMS_RecipientInfo
*ri
,
393 EVP_PKEY
**pk
, X509
**recip
,
396 CMS_KeyTransRecipientInfo
*ktri
;
397 if (ri
->type
!= CMS_RECIPINFO_TRANS
) {
398 ERR_raise(ERR_LIB_CMS
, CMS_R_NOT_KEY_TRANSPORT
);
407 *recip
= ktri
->recip
;
409 *palg
= ktri
->keyEncryptionAlgorithm
;
413 int CMS_RecipientInfo_ktri_get0_signer_id(CMS_RecipientInfo
*ri
,
414 ASN1_OCTET_STRING
**keyid
,
418 CMS_KeyTransRecipientInfo
*ktri
;
419 if (ri
->type
!= CMS_RECIPINFO_TRANS
) {
420 ERR_raise(ERR_LIB_CMS
, CMS_R_NOT_KEY_TRANSPORT
);
425 return cms_SignerIdentifier_get0_signer_id(ktri
->rid
, keyid
, issuer
, sno
);
428 int CMS_RecipientInfo_ktri_cert_cmp(CMS_RecipientInfo
*ri
, X509
*cert
)
430 if (ri
->type
!= CMS_RECIPINFO_TRANS
) {
431 ERR_raise(ERR_LIB_CMS
, CMS_R_NOT_KEY_TRANSPORT
);
434 return cms_SignerIdentifier_cert_cmp(ri
->d
.ktri
->rid
, cert
);
437 int CMS_RecipientInfo_set0_pkey(CMS_RecipientInfo
*ri
, EVP_PKEY
*pkey
)
439 if (ri
->type
!= CMS_RECIPINFO_TRANS
) {
440 ERR_raise(ERR_LIB_CMS
, CMS_R_NOT_KEY_TRANSPORT
);
443 EVP_PKEY_free(ri
->d
.ktri
->pkey
);
444 ri
->d
.ktri
->pkey
= pkey
;
448 /* Encrypt content key in key transport recipient info */
450 static int cms_RecipientInfo_ktri_encrypt(const CMS_ContentInfo
*cms
,
451 CMS_RecipientInfo
*ri
)
453 CMS_KeyTransRecipientInfo
*ktri
;
454 CMS_EncryptedContentInfo
*ec
;
456 unsigned char *ek
= NULL
;
458 const CMS_CTX
*ctx
= cms_get0_cmsctx(cms
);
462 if (ri
->type
!= CMS_RECIPINFO_TRANS
) {
463 ERR_raise(ERR_LIB_CMS
, CMS_R_NOT_KEY_TRANSPORT
);
467 ec
= cms_get0_env_enc_content(cms
);
472 if (!cms_env_asn1_ctrl(ri
, 0))
475 pctx
= EVP_PKEY_CTX_new_from_pkey(cms_ctx_get0_libctx(ctx
), ktri
->pkey
,
476 cms_ctx_get0_propq(ctx
));
480 if (EVP_PKEY_encrypt_init(pctx
) <= 0)
484 if (EVP_PKEY_CTX_ctrl(pctx
, -1, EVP_PKEY_OP_ENCRYPT
,
485 EVP_PKEY_CTRL_CMS_ENCRYPT
, 0, ri
) <= 0) {
486 ERR_raise(ERR_LIB_CMS
, CMS_R_CTRL_ERROR
);
490 if (EVP_PKEY_encrypt(pctx
, NULL
, &eklen
, ec
->key
, ec
->keylen
) <= 0)
493 ek
= OPENSSL_malloc(eklen
);
496 ERR_raise(ERR_LIB_CMS
, ERR_R_MALLOC_FAILURE
);
500 if (EVP_PKEY_encrypt(pctx
, ek
, &eklen
, ec
->key
, ec
->keylen
) <= 0)
503 ASN1_STRING_set0(ktri
->encryptedKey
, ek
, eklen
);
509 EVP_PKEY_CTX_free(pctx
);
515 /* Decrypt content key from KTRI */
517 static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo
*cms
,
518 CMS_RecipientInfo
*ri
)
520 CMS_KeyTransRecipientInfo
*ktri
= ri
->d
.ktri
;
521 EVP_PKEY
*pkey
= ktri
->pkey
;
522 unsigned char *ek
= NULL
;
526 const EVP_CIPHER
*cipher
= NULL
;
527 EVP_CIPHER
*fetched_cipher
= NULL
;
528 CMS_EncryptedContentInfo
*ec
;
529 const CMS_CTX
*ctx
= cms_get0_cmsctx(cms
);
530 OSSL_LIB_CTX
*libctx
= cms_ctx_get0_libctx(ctx
);
531 const char *propq
= cms_ctx_get0_propq(ctx
);
533 ec
= cms_get0_env_enc_content(cms
);
535 if (ktri
->pkey
== NULL
) {
536 ERR_raise(ERR_LIB_CMS
, CMS_R_NO_PRIVATE_KEY
);
540 if (cms
->d
.envelopedData
->encryptedContentInfo
->havenocert
541 && !cms
->d
.envelopedData
->encryptedContentInfo
->debug
) {
542 X509_ALGOR
*calg
= ec
->contentEncryptionAlgorithm
;
543 const char *name
= OBJ_nid2sn(OBJ_obj2nid(calg
->algorithm
));
545 (void)ERR_set_mark();
546 fetched_cipher
= EVP_CIPHER_fetch(libctx
, name
, propq
);
548 if (fetched_cipher
!= NULL
)
549 cipher
= fetched_cipher
;
551 cipher
= EVP_get_cipherbyobj(calg
->algorithm
);
552 if (cipher
== NULL
) {
553 (void)ERR_clear_last_mark();
554 ERR_raise(ERR_LIB_CMS
, CMS_R_UNKNOWN_CIPHER
);
557 (void)ERR_pop_to_mark();
559 fixlen
= EVP_CIPHER_key_length(cipher
);
560 EVP_CIPHER_free(fetched_cipher
);
563 ktri
->pctx
= EVP_PKEY_CTX_new_from_pkey(libctx
, pkey
, propq
);
564 if (ktri
->pctx
== NULL
)
567 if (EVP_PKEY_decrypt_init(ktri
->pctx
) <= 0)
570 if (!cms_env_asn1_ctrl(ri
, 1))
573 if (EVP_PKEY_CTX_ctrl(ktri
->pctx
, -1, EVP_PKEY_OP_DECRYPT
,
574 EVP_PKEY_CTRL_CMS_DECRYPT
, 0, ri
) <= 0) {
575 ERR_raise(ERR_LIB_CMS
, CMS_R_CTRL_ERROR
);
579 if (EVP_PKEY_decrypt(ktri
->pctx
, NULL
, &eklen
,
580 ktri
->encryptedKey
->data
,
581 ktri
->encryptedKey
->length
) <= 0)
584 ek
= OPENSSL_malloc(eklen
);
586 ERR_raise(ERR_LIB_CMS
, ERR_R_MALLOC_FAILURE
);
590 if (EVP_PKEY_decrypt(ktri
->pctx
, ek
, &eklen
,
591 ktri
->encryptedKey
->data
,
592 ktri
->encryptedKey
->length
) <= 0
594 || (fixlen
!= 0 && eklen
!= fixlen
)) {
595 ERR_raise(ERR_LIB_CMS
, CMS_R_CMS_LIB
);
601 OPENSSL_clear_free(ec
->key
, ec
->keylen
);
606 EVP_PKEY_CTX_free(ktri
->pctx
);
614 /* Key Encrypted Key (KEK) RecipientInfo routines */
616 int CMS_RecipientInfo_kekri_id_cmp(CMS_RecipientInfo
*ri
,
617 const unsigned char *id
, size_t idlen
)
619 ASN1_OCTET_STRING tmp_os
;
620 CMS_KEKRecipientInfo
*kekri
;
621 if (ri
->type
!= CMS_RECIPINFO_KEK
) {
622 ERR_raise(ERR_LIB_CMS
, CMS_R_NOT_KEK
);
626 tmp_os
.type
= V_ASN1_OCTET_STRING
;
628 tmp_os
.data
= (unsigned char *)id
;
629 tmp_os
.length
= (int)idlen
;
630 return ASN1_OCTET_STRING_cmp(&tmp_os
, kekri
->kekid
->keyIdentifier
);
633 /* For now hard code AES key wrap info */
635 static size_t aes_wrap_keylen(int nid
)
638 case NID_id_aes128_wrap
:
641 case NID_id_aes192_wrap
:
644 case NID_id_aes256_wrap
:
652 CMS_RecipientInfo
*CMS_add0_recipient_key(CMS_ContentInfo
*cms
, int nid
,
653 unsigned char *key
, size_t keylen
,
654 unsigned char *id
, size_t idlen
,
655 ASN1_GENERALIZEDTIME
*date
,
656 ASN1_OBJECT
*otherTypeId
,
657 ASN1_TYPE
*otherType
)
659 CMS_RecipientInfo
*ri
= NULL
;
660 CMS_KEKRecipientInfo
*kekri
;
661 STACK_OF(CMS_RecipientInfo
) *ris
= CMS_get0_RecipientInfos(cms
);
666 if (nid
== NID_undef
) {
669 nid
= NID_id_aes128_wrap
;
673 nid
= NID_id_aes192_wrap
;
677 nid
= NID_id_aes256_wrap
;
681 ERR_raise(ERR_LIB_CMS
, CMS_R_INVALID_KEY_LENGTH
);
687 size_t exp_keylen
= aes_wrap_keylen(nid
);
690 ERR_raise(ERR_LIB_CMS
, CMS_R_UNSUPPORTED_KEK_ALGORITHM
);
694 if (keylen
!= exp_keylen
) {
695 ERR_raise(ERR_LIB_CMS
, CMS_R_INVALID_KEY_LENGTH
);
701 /* Initialize recipient info */
702 ri
= M_ASN1_new_of(CMS_RecipientInfo
);
706 ri
->d
.kekri
= M_ASN1_new_of(CMS_KEKRecipientInfo
);
709 ri
->type
= CMS_RECIPINFO_KEK
;
714 kekri
->kekid
->other
= M_ASN1_new_of(CMS_OtherKeyAttribute
);
715 if (kekri
->kekid
->other
== NULL
)
719 if (!sk_CMS_RecipientInfo_push(ris
, ri
))
722 /* After this point no calls can fail */
727 kekri
->keylen
= keylen
;
729 ASN1_STRING_set0(kekri
->kekid
->keyIdentifier
, id
, idlen
);
731 kekri
->kekid
->date
= date
;
733 if (kekri
->kekid
->other
) {
734 kekri
->kekid
->other
->keyAttrId
= otherTypeId
;
735 kekri
->kekid
->other
->keyAttr
= otherType
;
738 X509_ALGOR_set0(kekri
->keyEncryptionAlgorithm
,
739 OBJ_nid2obj(nid
), V_ASN1_UNDEF
, NULL
);
744 ERR_raise(ERR_LIB_CMS
, ERR_R_MALLOC_FAILURE
);
746 M_ASN1_free_of(ri
, CMS_RecipientInfo
);
750 int CMS_RecipientInfo_kekri_get0_id(CMS_RecipientInfo
*ri
,
752 ASN1_OCTET_STRING
**pid
,
753 ASN1_GENERALIZEDTIME
**pdate
,
754 ASN1_OBJECT
**potherid
,
755 ASN1_TYPE
**pothertype
)
757 CMS_KEKIdentifier
*rkid
;
758 if (ri
->type
!= CMS_RECIPINFO_KEK
) {
759 ERR_raise(ERR_LIB_CMS
, CMS_R_NOT_KEK
);
762 rkid
= ri
->d
.kekri
->kekid
;
764 *palg
= ri
->d
.kekri
->keyEncryptionAlgorithm
;
766 *pid
= rkid
->keyIdentifier
;
771 *potherid
= rkid
->other
->keyAttrId
;
777 *pothertype
= rkid
->other
->keyAttr
;
784 int CMS_RecipientInfo_set0_key(CMS_RecipientInfo
*ri
,
785 unsigned char *key
, size_t keylen
)
787 CMS_KEKRecipientInfo
*kekri
;
788 if (ri
->type
!= CMS_RECIPINFO_KEK
) {
789 ERR_raise(ERR_LIB_CMS
, CMS_R_NOT_KEK
);
795 kekri
->keylen
= keylen
;
799 static EVP_CIPHER
*cms_get_key_wrap_cipher(size_t keylen
, const CMS_CTX
*ctx
)
801 const char *alg
= NULL
;
805 alg
= "AES-128-WRAP";
808 alg
= "AES-192-WRAP";
811 alg
= "AES-256-WRAP";
816 return EVP_CIPHER_fetch(cms_ctx_get0_libctx(ctx
), alg
,
817 cms_ctx_get0_propq(ctx
));
821 /* Encrypt content key in KEK recipient info */
823 static int cms_RecipientInfo_kekri_encrypt(const CMS_ContentInfo
*cms
,
824 CMS_RecipientInfo
*ri
)
826 CMS_EncryptedContentInfo
*ec
;
827 CMS_KEKRecipientInfo
*kekri
;
828 unsigned char *wkey
= NULL
;
831 EVP_CIPHER
*cipher
= NULL
;
833 EVP_CIPHER_CTX
*ctx
= NULL
;
834 const CMS_CTX
*cms_ctx
= cms_get0_cmsctx(cms
);
836 ec
= cms_get0_env_enc_content(cms
);
842 if (kekri
->key
== NULL
) {
843 ERR_raise(ERR_LIB_CMS
, CMS_R_NO_KEY
);
847 cipher
= cms_get_key_wrap_cipher(kekri
->keylen
, cms_ctx
);
848 if (cipher
== NULL
) {
849 ERR_raise(ERR_LIB_CMS
, CMS_R_INVALID_KEY_LENGTH
);
853 /* 8 byte prefix for AES wrap ciphers */
854 wkey
= OPENSSL_malloc(ec
->keylen
+ 8);
856 ERR_raise(ERR_LIB_CMS
, ERR_R_MALLOC_FAILURE
);
860 ctx
= EVP_CIPHER_CTX_new();
862 ERR_raise(ERR_LIB_CMS
, ERR_R_MALLOC_FAILURE
);
866 EVP_CIPHER_CTX_set_flags(ctx
, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW
);
867 if (!EVP_EncryptInit_ex(ctx
, cipher
, NULL
, kekri
->key
, NULL
)
868 || !EVP_EncryptUpdate(ctx
, wkey
, &wkeylen
, ec
->key
, ec
->keylen
)
869 || !EVP_EncryptFinal_ex(ctx
, wkey
+ wkeylen
, &outlen
)) {
870 ERR_raise(ERR_LIB_CMS
, CMS_R_WRAP_ERROR
);
874 if (!ossl_assert((size_t)wkeylen
== ec
->keylen
+ 8)) {
875 ERR_raise(ERR_LIB_CMS
, CMS_R_WRAP_ERROR
);
879 ASN1_STRING_set0(kekri
->encryptedKey
, wkey
, wkeylen
);
884 EVP_CIPHER_free(cipher
);
887 EVP_CIPHER_CTX_free(ctx
);
892 /* Decrypt content key in KEK recipient info */
894 static int cms_RecipientInfo_kekri_decrypt(CMS_ContentInfo
*cms
,
895 CMS_RecipientInfo
*ri
)
897 CMS_EncryptedContentInfo
*ec
;
898 CMS_KEKRecipientInfo
*kekri
;
899 unsigned char *ukey
= NULL
;
902 EVP_CIPHER
*cipher
= NULL
;
904 EVP_CIPHER_CTX
*ctx
= NULL
;
905 const CMS_CTX
*cms_ctx
= cms_get0_cmsctx(cms
);
907 ec
= cms_get0_env_enc_content(cms
);
914 ERR_raise(ERR_LIB_CMS
, CMS_R_NO_KEY
);
918 wrap_nid
= OBJ_obj2nid(kekri
->keyEncryptionAlgorithm
->algorithm
);
919 if (aes_wrap_keylen(wrap_nid
) != kekri
->keylen
) {
920 ERR_raise(ERR_LIB_CMS
, CMS_R_INVALID_KEY_LENGTH
);
924 /* If encrypted key length is invalid don't bother */
926 if (kekri
->encryptedKey
->length
< 16) {
927 ERR_raise(ERR_LIB_CMS
, CMS_R_INVALID_ENCRYPTED_KEY_LENGTH
);
931 cipher
= cms_get_key_wrap_cipher(kekri
->keylen
, cms_ctx
);
932 if (cipher
== NULL
) {
933 ERR_raise(ERR_LIB_CMS
, CMS_R_INVALID_KEY_LENGTH
);
937 ukey
= OPENSSL_malloc(kekri
->encryptedKey
->length
- 8);
939 ERR_raise(ERR_LIB_CMS
, ERR_R_MALLOC_FAILURE
);
943 ctx
= EVP_CIPHER_CTX_new();
945 ERR_raise(ERR_LIB_CMS
, ERR_R_MALLOC_FAILURE
);
949 if (!EVP_DecryptInit_ex(ctx
, cipher
, NULL
, kekri
->key
, NULL
)
950 || !EVP_DecryptUpdate(ctx
, ukey
, &ukeylen
,
951 kekri
->encryptedKey
->data
,
952 kekri
->encryptedKey
->length
)
953 || !EVP_DecryptFinal_ex(ctx
, ukey
+ ukeylen
, &outlen
)) {
954 ERR_raise(ERR_LIB_CMS
, CMS_R_UNWRAP_ERROR
);
960 ec
->keylen
= ukeylen
;
965 EVP_CIPHER_free(cipher
);
968 EVP_CIPHER_CTX_free(ctx
);
973 int CMS_RecipientInfo_decrypt(CMS_ContentInfo
*cms
, CMS_RecipientInfo
*ri
)
976 case CMS_RECIPINFO_TRANS
:
977 return cms_RecipientInfo_ktri_decrypt(cms
, ri
);
979 case CMS_RECIPINFO_KEK
:
980 return cms_RecipientInfo_kekri_decrypt(cms
, ri
);
982 case CMS_RECIPINFO_PASS
:
983 return cms_RecipientInfo_pwri_crypt(cms
, ri
, 0);
986 ERR_raise(ERR_LIB_CMS
, CMS_R_UNSUPPORTED_RECIPIENTINFO_TYPE
);
991 int CMS_RecipientInfo_encrypt(const CMS_ContentInfo
*cms
, CMS_RecipientInfo
*ri
)
994 case CMS_RECIPINFO_TRANS
:
995 return cms_RecipientInfo_ktri_encrypt(cms
, ri
);
997 case CMS_RECIPINFO_AGREE
:
998 return cms_RecipientInfo_kari_encrypt(cms
, ri
);
1000 case CMS_RECIPINFO_KEK
:
1001 return cms_RecipientInfo_kekri_encrypt(cms
, ri
);
1003 case CMS_RECIPINFO_PASS
:
1004 return cms_RecipientInfo_pwri_crypt(cms
, ri
, 1);
1007 ERR_raise(ERR_LIB_CMS
, CMS_R_UNSUPPORTED_RECIPIENT_TYPE
);
1012 /* Check structures and fixup version numbers (if necessary) */
1014 static void cms_env_set_originfo_version(CMS_EnvelopedData
*env
)
1016 CMS_OriginatorInfo
*org
= env
->originatorInfo
;
1020 for (i
= 0; i
< sk_CMS_CertificateChoices_num(org
->certificates
); i
++) {
1021 CMS_CertificateChoices
*cch
;
1022 cch
= sk_CMS_CertificateChoices_value(org
->certificates
, i
);
1023 if (cch
->type
== CMS_CERTCHOICE_OTHER
) {
1026 } else if (cch
->type
== CMS_CERTCHOICE_V2ACERT
) {
1027 if (env
->version
< 3)
1032 for (i
= 0; i
< sk_CMS_RevocationInfoChoice_num(org
->crls
); i
++) {
1033 CMS_RevocationInfoChoice
*rch
;
1034 rch
= sk_CMS_RevocationInfoChoice_value(org
->crls
, i
);
1035 if (rch
->type
== CMS_REVCHOICE_OTHER
) {
1042 static void cms_env_set_version(CMS_EnvelopedData
*env
)
1045 CMS_RecipientInfo
*ri
;
1048 * Can't set version higher than 4 so if 4 or more already nothing to do.
1050 if (env
->version
>= 4)
1053 cms_env_set_originfo_version(env
);
1055 if (env
->version
>= 3)
1058 for (i
= 0; i
< sk_CMS_RecipientInfo_num(env
->recipientInfos
); i
++) {
1059 ri
= sk_CMS_RecipientInfo_value(env
->recipientInfos
, i
);
1060 if (ri
->type
== CMS_RECIPINFO_PASS
|| ri
->type
== CMS_RECIPINFO_OTHER
) {
1063 } else if (ri
->type
!= CMS_RECIPINFO_TRANS
1064 || ri
->d
.ktri
->version
!= 0) {
1068 if (env
->originatorInfo
|| env
->unprotectedAttrs
)
1070 if (env
->version
== 2)
1075 static int cms_env_encrypt_content_key(const CMS_ContentInfo
*cms
,
1076 STACK_OF(CMS_RecipientInfo
) *ris
)
1079 CMS_RecipientInfo
*ri
;
1081 for (i
= 0; i
< sk_CMS_RecipientInfo_num(ris
); i
++) {
1082 ri
= sk_CMS_RecipientInfo_value(ris
, i
);
1083 if (CMS_RecipientInfo_encrypt(cms
, ri
) <= 0)
1089 static void cms_env_clear_ec(CMS_EncryptedContentInfo
*ec
)
1092 OPENSSL_clear_free(ec
->key
, ec
->keylen
);
1097 static BIO
*cms_EnvelopedData_Decryption_init_bio(CMS_ContentInfo
*cms
)
1099 CMS_EncryptedContentInfo
*ec
= cms
->d
.envelopedData
->encryptedContentInfo
;
1100 BIO
*contentBio
= cms_EncryptedContent_init_bio(ec
, cms_get0_cmsctx(cms
));
1101 EVP_CIPHER_CTX
*ctx
= NULL
;
1103 if (contentBio
== NULL
)
1106 BIO_get_cipher_ctx(contentBio
, &ctx
);
1108 BIO_free(contentBio
);
1112 * If the selected cipher supports unprotected attributes,
1113 * deal with it using special ctrl function
1115 if ((EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ctx
)) & EVP_CIPH_FLAG_CIPHER_WITH_MAC
)
1116 && EVP_CIPHER_CTX_ctrl(ctx
, EVP_CTRL_PROCESS_UNPROTECTED
, 0,
1117 cms
->d
.envelopedData
->unprotectedAttrs
) <= 0) {
1118 BIO_free(contentBio
);
1124 static BIO
*cms_EnvelopedData_Encryption_init_bio(CMS_ContentInfo
*cms
)
1126 CMS_EncryptedContentInfo
*ec
;
1127 STACK_OF(CMS_RecipientInfo
) *rinfos
;
1130 CMS_EnvelopedData
*env
= cms
->d
.envelopedData
;
1132 /* Get BIO first to set up key */
1134 ec
= env
->encryptedContentInfo
;
1135 ret
= cms_EncryptedContent_init_bio(ec
, cms_get0_cmsctx(cms
));
1137 /* If error end of processing */
1141 /* Now encrypt content key according to each RecipientInfo type */
1142 rinfos
= env
->recipientInfos
;
1143 if (cms_env_encrypt_content_key(cms
, rinfos
) < 0) {
1144 ERR_raise(ERR_LIB_CMS
, CMS_R_ERROR_SETTING_RECIPIENTINFO
);
1148 /* And finally set the version */
1149 cms_env_set_version(env
);
1154 cms_env_clear_ec(ec
);
1161 BIO
*cms_EnvelopedData_init_bio(CMS_ContentInfo
*cms
)
1163 if (cms
->d
.envelopedData
->encryptedContentInfo
->cipher
!= NULL
) {
1164 /* If cipher is set it's encryption */
1165 return cms_EnvelopedData_Encryption_init_bio(cms
);
1168 /* If cipher is not set it's decryption */
1169 return cms_EnvelopedData_Decryption_init_bio(cms
);
1172 BIO
*cms_AuthEnvelopedData_init_bio(CMS_ContentInfo
*cms
)
1174 CMS_EncryptedContentInfo
*ec
;
1175 STACK_OF(CMS_RecipientInfo
) *rinfos
;
1178 CMS_AuthEnvelopedData
*aenv
= cms
->d
.authEnvelopedData
;
1180 /* Get BIO first to set up key */
1181 ec
= aenv
->authEncryptedContentInfo
;
1182 /* Set tag for decryption */
1183 if (ec
->cipher
== NULL
) {
1184 ec
->tag
= aenv
->mac
->data
;
1185 ec
->taglen
= aenv
->mac
->length
;
1187 ret
= cms_EncryptedContent_init_bio(ec
, cms_get0_cmsctx(cms
));
1189 /* If error or no cipher end of processing */
1190 if (ret
== NULL
|| ec
->cipher
== NULL
)
1193 /* Now encrypt content key according to each RecipientInfo type */
1194 rinfos
= aenv
->recipientInfos
;
1195 if (cms_env_encrypt_content_key(cms
, rinfos
) < 0) {
1196 ERR_raise(ERR_LIB_CMS
, CMS_R_ERROR_SETTING_RECIPIENTINFO
);
1200 /* And finally set the version */
1206 cms_env_clear_ec(ec
);
1213 int cms_EnvelopedData_final(CMS_ContentInfo
*cms
, BIO
*chain
)
1215 CMS_EnvelopedData
*env
= NULL
;
1216 EVP_CIPHER_CTX
*ctx
= NULL
;
1217 BIO
*mbio
= BIO_find_type(chain
, BIO_TYPE_CIPHER
);
1219 env
= cms_get0_enveloped(cms
);
1224 ERR_raise(ERR_LIB_CMS
, CMS_R_CONTENT_NOT_FOUND
);
1228 BIO_get_cipher_ctx(mbio
, &ctx
);
1231 * If the selected cipher supports unprotected attributes,
1232 * deal with it using special ctrl function
1234 if (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ctx
)) & EVP_CIPH_FLAG_CIPHER_WITH_MAC
) {
1235 if (env
->unprotectedAttrs
== NULL
)
1236 env
->unprotectedAttrs
= sk_X509_ATTRIBUTE_new_null();
1238 if (env
->unprotectedAttrs
== NULL
) {
1239 ERR_raise(ERR_LIB_CMS
, ERR_R_MALLOC_FAILURE
);
1243 if (EVP_CIPHER_CTX_ctrl(ctx
, EVP_CTRL_PROCESS_UNPROTECTED
,
1244 1, env
->unprotectedAttrs
) <= 0) {
1245 ERR_raise(ERR_LIB_CMS
, CMS_R_CTRL_FAILURE
);
1250 cms_env_set_version(cms
->d
.envelopedData
);
1254 int cms_AuthEnvelopedData_final(CMS_ContentInfo
*cms
, BIO
*cmsbio
)
1256 EVP_CIPHER_CTX
*ctx
;
1257 unsigned char *tag
= NULL
;
1260 BIO_get_cipher_ctx(cmsbio
, &ctx
);
1263 * The tag is set only for encryption. There is nothing to do for
1266 if (!EVP_CIPHER_CTX_encrypting(ctx
))
1269 taglen
= EVP_CIPHER_CTX_tag_length(ctx
);
1271 || (tag
= OPENSSL_malloc(taglen
)) == NULL
1272 || EVP_CIPHER_CTX_ctrl(ctx
, EVP_CTRL_AEAD_GET_TAG
, taglen
,
1274 ERR_raise(ERR_LIB_CMS
, CMS_R_CIPHER_GET_TAG
);
1278 if (!ASN1_OCTET_STRING_set(cms
->d
.authEnvelopedData
->mac
, tag
, taglen
))
1288 * Get RecipientInfo type (if any) supported by a key (public or private). To
1289 * retain compatibility with previous behaviour if the ctrl value isn't
1290 * supported we assume key transport.
1292 int cms_pkey_get_ri_type(EVP_PKEY
*pk
)
1294 /* Check types that we know about */
1295 if (EVP_PKEY_is_a(pk
, "DH"))
1296 return CMS_RECIPINFO_AGREE
;
1297 else if (EVP_PKEY_is_a(pk
, "DHX"))
1298 return CMS_RECIPINFO_AGREE
;
1299 else if (EVP_PKEY_is_a(pk
, "DSA"))
1300 return CMS_RECIPINFO_NONE
;
1301 else if (EVP_PKEY_is_a(pk
, "EC"))
1302 return CMS_RECIPINFO_AGREE
;
1303 else if (EVP_PKEY_is_a(pk
, "RSA"))
1304 return CMS_RECIPINFO_TRANS
;
1307 * Otherwise this might ben an engine implementation, so see if we can get
1308 * the type from the ameth.
1310 if (pk
->ameth
&& pk
->ameth
->pkey_ctrl
) {
1312 i
= pk
->ameth
->pkey_ctrl(pk
, ASN1_PKEY_CTRL_CMS_RI_TYPE
, 0, &r
);
1316 return CMS_RECIPINFO_TRANS
;
1319 int cms_pkey_is_ri_type_supported(EVP_PKEY
*pk
, int ri_type
)
1321 int supportedRiType
;
1323 if (pk
->ameth
!= NULL
&& pk
->ameth
->pkey_ctrl
!= NULL
) {
1326 i
= pk
->ameth
->pkey_ctrl(pk
, ASN1_PKEY_CTRL_CMS_IS_RI_TYPE_SUPPORTED
,
1332 supportedRiType
= cms_pkey_get_ri_type(pk
);
1333 if (supportedRiType
< 0)
1336 return (supportedRiType
== ri_type
);