2 * Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 #include <openssl/cms.h>
12 #include <openssl/err.h>
13 #include <openssl/decoder.h>
14 #include "cms_local.h"
15 #include "crypto/evp.h"
18 static EVP_PKEY
*pkey_type2param(int ptype
, const void *pval
,
19 OPENSSL_CTX
*libctx
, const char *propq
)
21 EVP_PKEY
*pkey
= NULL
;
22 EVP_PKEY_CTX
*pctx
= NULL
;
24 if (ptype
== V_ASN1_SEQUENCE
) {
25 const ASN1_STRING
*pstr
= pval
;
26 const unsigned char *pm
= pstr
->data
;
27 int pmlen
= pstr
->length
;
28 OSSL_DECODER_CTX
*ctx
= NULL
;
31 /* TODO(3.0): Need to be able to specify here that only params will do */
32 ctx
= OSSL_DECODER_CTX_new_by_EVP_PKEY(&pkey
, "DER", "EC", libctx
,
37 membio
= BIO_new_mem_buf(pm
, pmlen
);
39 OSSL_DECODER_CTX_free(ctx
);
42 OSSL_DECODER_from_bio(ctx
, membio
);
44 OSSL_DECODER_CTX_free(ctx
);
45 } else if (ptype
== V_ASN1_OBJECT
) {
46 const ASN1_OBJECT
*poid
= pval
;
47 const char *groupname
;
49 /* type == V_ASN1_OBJECT => the parameters are given by an asn1 OID */
50 pctx
= EVP_PKEY_CTX_new_from_name(libctx
, "EC", propq
);
51 if (pctx
== NULL
|| EVP_PKEY_paramgen_init(pctx
) <= 0)
53 groupname
= OBJ_nid2sn(OBJ_obj2nid(poid
));
55 || !EVP_PKEY_CTX_set_group_name(pctx
, groupname
)) {
56 CMSerr(0, CMS_R_DECODE_ERROR
);
59 if (EVP_PKEY_paramgen(pctx
, &pkey
) <= 0)
62 CMSerr(0, CMS_R_DECODE_ERROR
);
70 EVP_PKEY_CTX_free(pctx
);
74 static int ecdh_cms_set_peerkey(EVP_PKEY_CTX
*pctx
,
75 X509_ALGOR
*alg
, ASN1_BIT_STRING
*pubkey
)
77 const ASN1_OBJECT
*aoid
;
81 EVP_PKEY
*pkpeer
= NULL
;
82 const unsigned char *p
;
85 X509_ALGOR_get0(&aoid
, &atype
, &aval
, alg
);
86 if (OBJ_obj2nid(aoid
) != NID_X9_62_id_ecPublicKey
)
89 /* If absent parameters get group from main key */
90 if (atype
== V_ASN1_UNDEF
|| atype
== V_ASN1_NULL
) {
93 pk
= EVP_PKEY_CTX_get0_pkey(pctx
);
97 pkpeer
= EVP_PKEY_new();
100 if (!EVP_PKEY_copy_parameters(pkpeer
, pk
))
103 /* TODO(3.0): Should the get0_libctx/propq calls actually be public API? */
104 pkpeer
= pkey_type2param(atype
, aval
,
105 evp_pkey_ctx_get0_libctx(pctx
),
106 evp_pkey_ctx_get0_propq(pctx
));
110 /* We have parameters now set public key */
111 plen
= ASN1_STRING_length(pubkey
);
112 p
= ASN1_STRING_get0_data(pubkey
);
113 if (p
== NULL
|| plen
== 0)
116 /* TODO(3.0): Terrible name. We need a non-tls specific name */
117 if (!EVP_PKEY_set1_tls_encodedpoint(pkpeer
, p
, plen
))
120 if (EVP_PKEY_derive_set_peer(pctx
, pkpeer
) > 0)
123 EVP_PKEY_free(pkpeer
);
127 /* Set KDF parameters based on KDF NID */
128 static int ecdh_cms_set_kdf_param(EVP_PKEY_CTX
*pctx
, int eckdf_nid
)
130 int kdf_nid
, kdfmd_nid
, cofactor
;
131 const EVP_MD
*kdf_md
;
133 if (eckdf_nid
== NID_undef
)
136 /* Lookup KDF type, cofactor mode and digest */
137 if (!OBJ_find_sigid_algs(eckdf_nid
, &kdfmd_nid
, &kdf_nid
))
140 if (kdf_nid
== NID_dh_std_kdf
)
142 else if (kdf_nid
== NID_dh_cofactor_kdf
)
147 if (EVP_PKEY_CTX_set_ecdh_cofactor_mode(pctx
, cofactor
) <= 0)
150 if (EVP_PKEY_CTX_set_ecdh_kdf_type(pctx
, EVP_PKEY_ECDH_KDF_X9_63
) <= 0)
153 kdf_md
= EVP_get_digestbynid(kdfmd_nid
);
157 if (EVP_PKEY_CTX_set_ecdh_kdf_md(pctx
, kdf_md
) <= 0)
162 static int ecdh_cms_set_shared_info(EVP_PKEY_CTX
*pctx
, CMS_RecipientInfo
*ri
)
165 X509_ALGOR
*alg
, *kekalg
= NULL
;
166 ASN1_OCTET_STRING
*ukm
;
167 const unsigned char *p
;
168 unsigned char *der
= NULL
;
170 EVP_CIPHER
*kekcipher
= NULL
;
171 EVP_CIPHER_CTX
*kekctx
;
174 if (!CMS_RecipientInfo_kari_get0_alg(ri
, &alg
, &ukm
))
177 if (!ecdh_cms_set_kdf_param(pctx
, OBJ_obj2nid(alg
->algorithm
))) {
178 CMSerr(0, CMS_R_KDF_PARAMETER_ERROR
);
182 if (alg
->parameter
->type
!= V_ASN1_SEQUENCE
)
185 p
= alg
->parameter
->value
.sequence
->data
;
186 plen
= alg
->parameter
->value
.sequence
->length
;
187 kekalg
= d2i_X509_ALGOR(NULL
, &p
, plen
);
190 kekctx
= CMS_RecipientInfo_kari_get0_ctx(ri
);
193 name
= OBJ_nid2sn(OBJ_obj2nid(kekalg
->algorithm
));
194 kekcipher
= EVP_CIPHER_fetch(pctx
->libctx
, name
, pctx
->propquery
);
195 if (kekcipher
== NULL
|| EVP_CIPHER_mode(kekcipher
) != EVP_CIPH_WRAP_MODE
)
197 if (!EVP_EncryptInit_ex(kekctx
, kekcipher
, NULL
, NULL
, NULL
))
199 if (EVP_CIPHER_asn1_to_param(kekctx
, kekalg
->parameter
) <= 0)
202 keylen
= EVP_CIPHER_CTX_key_length(kekctx
);
203 if (EVP_PKEY_CTX_set_ecdh_kdf_outlen(pctx
, keylen
) <= 0)
206 plen
= CMS_SharedInfo_encode(&der
, kekalg
, ukm
, keylen
);
211 if (EVP_PKEY_CTX_set0_ecdh_kdf_ukm(pctx
, der
, plen
) <= 0)
217 EVP_CIPHER_free(kekcipher
);
218 X509_ALGOR_free(kekalg
);
223 static int ecdh_cms_decrypt(CMS_RecipientInfo
*ri
)
227 pctx
= CMS_RecipientInfo_get0_pkey_ctx(ri
);
230 /* See if we need to set peer key */
231 if (!EVP_PKEY_CTX_get0_peerkey(pctx
)) {
233 ASN1_BIT_STRING
*pubkey
;
235 if (!CMS_RecipientInfo_kari_get0_orig_id(ri
, &alg
, &pubkey
,
238 if (alg
== NULL
|| pubkey
== NULL
)
240 if (!ecdh_cms_set_peerkey(pctx
, alg
, pubkey
)) {
241 CMSerr(0, CMS_R_PEER_KEY_ERROR
);
245 /* Set ECDH derivation parameters and initialise unwrap context */
246 if (!ecdh_cms_set_shared_info(pctx
, ri
)) {
247 CMSerr(0, CMS_R_SHARED_INFO_ERROR
);
253 static int ecdh_cms_encrypt(CMS_RecipientInfo
*ri
)
259 X509_ALGOR
*talg
, *wrap_alg
= NULL
;
260 const ASN1_OBJECT
*aoid
;
261 ASN1_BIT_STRING
*pubkey
;
262 ASN1_STRING
*wrap_str
;
263 ASN1_OCTET_STRING
*ukm
;
264 unsigned char *penc
= NULL
;
267 int ecdh_nid
, kdf_type
, kdf_nid
, wrap_nid
;
268 const EVP_MD
*kdf_md
;
270 pctx
= CMS_RecipientInfo_get0_pkey_ctx(ri
);
273 /* Get ephemeral key */
274 pkey
= EVP_PKEY_CTX_get0_pkey(pctx
);
275 if (!CMS_RecipientInfo_kari_get0_orig_id(ri
, &talg
, &pubkey
,
278 X509_ALGOR_get0(&aoid
, NULL
, NULL
, talg
);
279 /* Is everything uninitialised? */
280 if (aoid
== OBJ_nid2obj(NID_undef
)) {
283 /* TODO(3.0): Terrible name. Needs a non TLS specific name */
284 penclen
= EVP_PKEY_get1_tls_encodedpoint(pkey
, &penc
);
285 ASN1_STRING_set0(pubkey
, penc
, penclen
);
286 pubkey
->flags
&= ~(ASN1_STRING_FLAG_BITS_LEFT
| 0x07);
287 pubkey
->flags
|= ASN1_STRING_FLAG_BITS_LEFT
;
290 X509_ALGOR_set0(talg
, OBJ_nid2obj(NID_X9_62_id_ecPublicKey
),
294 /* See if custom parameters set */
295 kdf_type
= EVP_PKEY_CTX_get_ecdh_kdf_type(pctx
);
298 if (!EVP_PKEY_CTX_get_ecdh_kdf_md(pctx
, &kdf_md
))
300 ecdh_nid
= EVP_PKEY_CTX_get_ecdh_cofactor_mode(pctx
);
303 else if (ecdh_nid
== 0)
304 ecdh_nid
= NID_dh_std_kdf
;
305 else if (ecdh_nid
== 1)
306 ecdh_nid
= NID_dh_cofactor_kdf
;
308 if (kdf_type
== EVP_PKEY_ECDH_KDF_NONE
) {
309 kdf_type
= EVP_PKEY_ECDH_KDF_X9_63
;
310 if (EVP_PKEY_CTX_set_ecdh_kdf_type(pctx
, kdf_type
) <= 0)
315 if (kdf_md
== NULL
) {
316 /* Fixme later for better MD */
318 if (EVP_PKEY_CTX_set_ecdh_kdf_md(pctx
, kdf_md
) <= 0)
322 if (!CMS_RecipientInfo_kari_get0_alg(ri
, &talg
, &ukm
))
325 /* Lookup NID for KDF+cofactor+digest */
327 if (!OBJ_find_sigid_by_algs(&kdf_nid
, EVP_MD_type(kdf_md
), ecdh_nid
))
330 ctx
= CMS_RecipientInfo_kari_get0_ctx(ri
);
331 wrap_nid
= EVP_CIPHER_CTX_type(ctx
);
332 keylen
= EVP_CIPHER_CTX_key_length(ctx
);
334 /* Package wrap algorithm in an AlgorithmIdentifier */
336 wrap_alg
= X509_ALGOR_new();
337 if (wrap_alg
== NULL
)
339 wrap_alg
->algorithm
= OBJ_nid2obj(wrap_nid
);
340 wrap_alg
->parameter
= ASN1_TYPE_new();
341 if (wrap_alg
->parameter
== NULL
)
343 if (EVP_CIPHER_param_to_asn1(ctx
, wrap_alg
->parameter
) <= 0)
345 if (ASN1_TYPE_get(wrap_alg
->parameter
) == NID_undef
) {
346 ASN1_TYPE_free(wrap_alg
->parameter
);
347 wrap_alg
->parameter
= NULL
;
350 if (EVP_PKEY_CTX_set_ecdh_kdf_outlen(pctx
, keylen
) <= 0)
353 penclen
= CMS_SharedInfo_encode(&penc
, wrap_alg
, ukm
, keylen
);
358 if (EVP_PKEY_CTX_set0_ecdh_kdf_ukm(pctx
, penc
, penclen
) <= 0)
363 * Now need to wrap encoding of wrap AlgorithmIdentifier into parameter
364 * of another AlgorithmIdentifier.
366 penclen
= i2d_X509_ALGOR(wrap_alg
, &penc
);
367 if (penc
== NULL
|| penclen
== 0)
369 wrap_str
= ASN1_STRING_new();
370 if (wrap_str
== NULL
)
372 ASN1_STRING_set0(wrap_str
, penc
, penclen
);
374 X509_ALGOR_set0(talg
, OBJ_nid2obj(kdf_nid
), V_ASN1_SEQUENCE
, wrap_str
);
380 X509_ALGOR_free(wrap_alg
);
384 int cms_ecdh_envelope(CMS_RecipientInfo
*ri
, int decrypt
)
386 assert(decrypt
== 0 || decrypt
== 1);
389 return ecdh_cms_decrypt(ri
);
392 return ecdh_cms_encrypt(ri
);
394 CMSerr(0, CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE
);
399 /* ECDSA and DSA implementation is the same */
400 int cms_ecdsa_dsa_sign(CMS_SignerInfo
*si
, int verify
)
402 assert(verify
== 0 || verify
== 1);
406 X509_ALGOR
*alg1
, *alg2
;
407 EVP_PKEY
*pkey
= si
->pkey
;
409 CMS_SignerInfo_get0_algs(si
, NULL
, NULL
, &alg1
, &alg2
);
410 if (alg1
== NULL
|| alg1
->algorithm
== NULL
)
412 hnid
= OBJ_obj2nid(alg1
->algorithm
);
413 if (hnid
== NID_undef
)
415 if (!OBJ_find_sigid_by_algs(&snid
, hnid
, EVP_PKEY_id(pkey
)))
417 X509_ALGOR_set0(alg2
, OBJ_nid2obj(snid
), V_ASN1_UNDEF
, 0);