Commit | Line | Data |
---|---|---|
0f113f3e | 1 | /* |
b1322259 | 2 | * Copyright 2013-2016 The OpenSSL Project Authors. All Rights Reserved. |
17c2764d | 3 | * |
08ddd302 | 4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
b1322259 RS |
5 | * this file except in compliance with the License. You can obtain a copy |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
17c2764d DSH |
8 | */ |
9 | ||
b39fc560 | 10 | #include "internal/cryptlib.h" |
17c2764d DSH |
11 | #include <openssl/asn1t.h> |
12 | #include <openssl/pem.h> | |
13 | #include <openssl/x509v3.h> | |
14 | #include <openssl/err.h> | |
15 | #include <openssl/cms.h> | |
17c2764d DSH |
16 | #include <openssl/aes.h> |
17 | #include "cms_lcl.h" | |
25f2138b | 18 | #include "crypto/asn1.h" |
17c2764d | 19 | |
17c2764d DSH |
20 | /* Key Agreement Recipient Info (KARI) routines */ |
21 | ||
int CMS_RecipientInfo_kari_get0_alg(CMS_RecipientInfo *ri,
                                    X509_ALGOR **palg,
                                    ASN1_OCTET_STRING **pukm)
{
    CMS_KeyAgreeRecipientInfo *kari;

    /*
     * Verify the recipient type before ri->d.kari is dereferenced; any other
     * type queues CMS_R_NOT_KEY_AGREEMENT and fails.
     */
    if (ri->type != CMS_RECIPINFO_AGREE) {
        CMSerr(CMS_F_CMS_RECIPIENTINFO_KARI_GET0_ALG,
               CMS_R_NOT_KEY_AGREEMENT);
        return 0;
    }

    kari = ri->d.kari;

    /*
     * Both outputs are optional. The pointers handed back refer to fields
     * inside |ri|; no copy is made, so the caller must not free them.
     */
    if (palg != NULL)
        *palg = kari->keyEncryptionAlgorithm;
    if (pukm != NULL)
        *pukm = kari->ukm;

    return 1;
}
17c2764d DSH |
37 | |
38 | /* Retrieve recipient encrypted keys from a kari */ | |
39 | ||
0f113f3e MC |
STACK_OF(CMS_RecipientEncryptedKey)
*CMS_RecipientInfo_kari_get0_reks(CMS_RecipientInfo *ri)
{
    /*
     * Only a key agreement recipient carries the stack. The stack returned is
     * the one stored in |ri| (not a copy), so the caller must not free it.
     */
    if (ri->type == CMS_RECIPINFO_AGREE)
        return ri->d.kari->recipientEncryptedKeys;

    CMSerr(CMS_F_CMS_RECIPIENTINFO_KARI_GET0_REKS,
           CMS_R_NOT_KEY_AGREEMENT);
    return NULL;
}
17c2764d DSH |
50 | |
/*
 * Report how the originator of a key agreement recipient is identified.
 *
 * Exactly one identifier form is filled in, depending on the originator's
 * type: issuer + serial number, subject key identifier, or public key
 * (algorithm + key bits). Every output pointer is optional; each one supplied
 * is first set to NULL, so outputs that do not apply to the stored form are
 * NULL on return. Returned pointers refer to fields inside |ri|.
 *
 * Returns 1 on success. Returns 0 if |ri| is not a key agreement recipient
 * (an error is queued) or if the originator type is none of the three known
 * forms (no error is queued, outputs stay NULL).
 */
int CMS_RecipientInfo_kari_get0_orig_id(CMS_RecipientInfo *ri,
                                        X509_ALGOR **pubalg,
                                        ASN1_BIT_STRING **pubkey,
                                        ASN1_OCTET_STRING **keyid,
                                        X509_NAME **issuer,
                                        ASN1_INTEGER **sno)
{
    CMS_OriginatorIdentifierOrKey *orig;

    if (ri->type != CMS_RECIPINFO_AGREE) {
        CMSerr(CMS_F_CMS_RECIPIENTINFO_KARI_GET0_ORIG_ID,
               CMS_R_NOT_KEY_AGREEMENT);
        return 0;
    }
    orig = ri->d.kari->originator;

    /* Start from a clean slate so stale caller values never survive. */
    if (issuer != NULL)
        *issuer = NULL;
    if (sno != NULL)
        *sno = NULL;
    if (keyid != NULL)
        *keyid = NULL;
    if (pubalg != NULL)
        *pubalg = NULL;
    if (pubkey != NULL)
        *pubkey = NULL;

    switch (orig->type) {
    case CMS_OIK_ISSUER_SERIAL:
        if (issuer != NULL)
            *issuer = orig->d.issuerAndSerialNumber->issuer;
        if (sno != NULL)
            *sno = orig->d.issuerAndSerialNumber->serialNumber;
        break;

    case CMS_OIK_KEYIDENTIFIER:
        if (keyid != NULL)
            *keyid = orig->d.subjectKeyIdentifier;
        break;

    case CMS_OIK_PUBKEY:
        if (pubalg != NULL)
            *pubalg = orig->d.originatorKey->algorithm;
        if (pubkey != NULL)
            *pubkey = orig->d.originatorKey->publicKey;
        break;

    default:
        /* Unknown or unset originator form. */
        return 0;
    }

    return 1;
}
17c2764d DSH |
92 | |
/*
 * Compare the originator identifier of a key agreement recipient with |cert|.
 *
 * Returns -2 (with an error queued) if |ri| is not a key agreement recipient,
 * and -1 if the originator is not identified by issuer/serial or by key
 * identifier (for example when it is given as a bare public key, which this
 * function does not compare). Otherwise the result of the matching helper,
 * cms_ias_cert_cmp() or cms_keyid_cert_cmp(), is returned unchanged.
 */
int CMS_RecipientInfo_kari_orig_id_cmp(CMS_RecipientInfo *ri, X509 *cert)
{
    CMS_OriginatorIdentifierOrKey *orig;

    if (ri->type != CMS_RECIPINFO_AGREE) {
        CMSerr(CMS_F_CMS_RECIPIENTINFO_KARI_ORIG_ID_CMP,
               CMS_R_NOT_KEY_AGREEMENT);
        return -2;
    }

    orig = ri->d.kari->originator;
    switch (orig->type) {
    case CMS_OIK_ISSUER_SERIAL:
        return cms_ias_cert_cmp(orig->d.issuerAndSerialNumber, cert);
    case CMS_OIK_KEYIDENTIFIER:
        return cms_keyid_cert_cmp(orig->d.subjectKeyIdentifier, cert);
    default:
        return -1;
    }
}
17c2764d DSH |
108 | |
/*
 * Report how the recipient of one RecipientEncryptedKey is identified.
 *
 * For the issuer/serial form, |issuer| and |sno| are filled in and |keyid|,
 * |tm| and |other| are set to NULL. For the key identifier form it is the
 * other way round. All output pointers are optional, and returned pointers
 * refer to fields inside |rek|.
 *
 * Returns 1 on success, or 0 if the identifier has neither form; in that
 * case none of the outputs is written.
 */
int CMS_RecipientEncryptedKey_get0_id(CMS_RecipientEncryptedKey *rek,
                                      ASN1_OCTET_STRING **keyid,
                                      ASN1_GENERALIZEDTIME **tm,
                                      CMS_OtherKeyAttribute **other,
                                      X509_NAME **issuer, ASN1_INTEGER **sno)
{
    CMS_KeyAgreeRecipientIdentifier *ident = rek->rid;

    switch (ident->type) {
    case CMS_REK_ISSUER_SERIAL:
        if (issuer != NULL)
            *issuer = ident->d.issuerAndSerialNumber->issuer;
        if (sno != NULL)
            *sno = ident->d.issuerAndSerialNumber->serialNumber;
        /* Key identifier outputs do not apply to this form. */
        if (keyid != NULL)
            *keyid = NULL;
        if (tm != NULL)
            *tm = NULL;
        if (other != NULL)
            *other = NULL;
        break;

    case CMS_REK_KEYIDENTIFIER:
        if (keyid != NULL)
            *keyid = ident->d.rKeyId->subjectKeyIdentifier;
        if (tm != NULL)
            *tm = ident->d.rKeyId->date;
        if (other != NULL)
            *other = ident->d.rKeyId->other;
        /* Issuer/serial outputs do not apply to this form. */
        if (issuer != NULL)
            *issuer = NULL;
        if (sno != NULL)
            *sno = NULL;
        break;

    default:
        return 0;
    }

    return 1;
}
17c2764d DSH |
142 | |
/*
 * Compare the recipient identifier of |rek| with |cert|.
 *
 * Dispatches on the identifier form and returns the result of
 * cms_ias_cert_cmp() or cms_keyid_cert_cmp() unchanged; returns -1 when the
 * identifier has neither form.
 */
int CMS_RecipientEncryptedKey_cert_cmp(CMS_RecipientEncryptedKey *rek,
                                       X509 *cert)
{
    CMS_KeyAgreeRecipientIdentifier *ident = rek->rid;

    switch (ident->type) {
    case CMS_REK_ISSUER_SERIAL:
        return cms_ias_cert_cmp(ident->d.issuerAndSerialNumber, cert);
    case CMS_REK_KEYIDENTIFIER:
        return cms_keyid_cert_cmp(ident->d.rKeyId->subjectKeyIdentifier,
                                  cert);
    default:
        return -1;
    }
}
17c2764d DSH |
154 | |
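/*
 * Install (or clear) the private key used to derive the key encryption key
 * for a key agreement recipient.
 *
 * Any derivation context already attached to the recipient is freed first.
 * With |pk| == NULL that is all that happens and 1 is returned. Otherwise a
 * new EVP_PKEY_CTX is created from |pk|, initialised for key derivation and
 * stored in the recipient. Returns 1 on success, 0 on failure; on failure the
 * recipient is left with no derivation context.
 *
 * NOTE(review): unlike the get0_* accessors in this file, ri->type is not
 * checked before ri->d.kari is dereferenced, so the caller has to guarantee
 * that |ri| is a key agreement recipient.
 */
int CMS_RecipientInfo_kari_set0_pkey(CMS_RecipientInfo *ri, EVP_PKEY *pk)
{
    EVP_PKEY_CTX *pctx;
    CMS_KeyAgreeRecipientInfo *kari = ri->d.kari;

    EVP_PKEY_CTX_free(kari->pctx);
    kari->pctx = NULL;
    if (pk == NULL)
        return 1;
    pctx = EVP_PKEY_CTX_new(pk, NULL);
    /*
     * EVP_PKEY_derive_init() reports failure with 0 or a negative value, so
     * the result must be tested with "<= 0" (as cms_kari_create_ephemeral_key
     * does). A plain "!" test would accept a negative return and attach a
     * context that was never initialised for derivation.
     */
    if (pctx == NULL || EVP_PKEY_derive_init(pctx) <= 0)
        goto err;
    kari->pctx = pctx;
    return 1;
 err:
    EVP_PKEY_CTX_free(pctx);
    return 0;
}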
17c2764d DSH |
173 | |
/*
 * Return the cipher context stored in a key agreement recipient, or NULL if
 * |ri| is any other recipient type. No error is queued in the NULL case. The
 * context returned is the recipient's own, not a copy.
 */
EVP_CIPHER_CTX *CMS_RecipientInfo_kari_get0_ctx(CMS_RecipientInfo *ri)
{
    if (ri->type != CMS_RECIPINFO_AGREE)
        return NULL;

    return ri->d.kari->ctx;
}
180 | ||
181 | /* | |
182 | * Derive KEK and decrypt/encrypt with it to produce either the original CEK | |
183 | * or the encrypted CEK. | |
17c2764d DSH |
184 | */ |
185 | ||
0f113f3e MC |
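/*
 * Derive the key encryption key (KEK) from kari->pctx, load it into
 * kari->ctx and run |in| through that cipher.
 *
 * pout/poutlen: on success receive a newly allocated buffer and its length;
 *               the caller owns the buffer. Not written on failure.
 * in/inlen:     the CEK to wrap (enc == 1) or the wrapped CEK to unwrap
 *               (enc == 0).
 * enc:          passed straight to EVP_CipherInit_ex().
 *
 * Returns 1 on success, 0 on failure.
 *
 * Side effects: on every exit after the initial key length check, kari->ctx
 * is reset and kari->pctx is freed and set to NULL, so the derivation context
 * has to be set up again before the next call.
 */
static int cms_kek_cipher(unsigned char **pout, size_t *poutlen,
                          const unsigned char *in, size_t inlen,
                          CMS_KeyAgreeRecipientInfo *kari, int enc)
{
    /* Key encryption key */
    unsigned char kek[EVP_MAX_KEY_LENGTH];
    size_t keklen;
    int rv = 0;
    unsigned char *out = NULL;
    /* Size actually allocated for |out|, kept for scrubbing on failure */
    size_t outcap = 0;
    int outlen;

    /*
     * The key length comes back as an int; stored in a size_t, a negative
     * value becomes huge and is rejected by the bound check as well.
     */
    keklen = EVP_CIPHER_CTX_key_length(kari->ctx);
    if (keklen > EVP_MAX_KEY_LENGTH)
        return 0;
    /* Derive KEK */
    if (EVP_PKEY_derive(kari->pctx, kek, &keklen) <= 0)
        goto err;
    /* Set KEK in context */
    if (!EVP_CipherInit_ex(kari->ctx, NULL, NULL, kek, NULL, enc))
        goto err;
    /* obtain output length of ciphered key */
    if (!EVP_CipherUpdate(kari->ctx, NULL, &outlen, in, inlen))
        goto err;
    /* Reject a non-positive length before it is converted to size_t */
    if (outlen <= 0)
        goto err;
    outcap = (size_t)outlen;
    out = OPENSSL_malloc(outcap);
    if (out == NULL)
        goto err;
    if (!EVP_CipherUpdate(kari->ctx, out, &outlen, in, inlen))
        goto err;
    *pout = out;
    *poutlen = (size_t)outlen;
    rv = 1;

 err:
    /*
     * Scrub the whole stack buffer: keklen is updated by EVP_PKEY_derive()
     * and need not describe everything that was written to kek.
     */
    OPENSSL_cleanse(kek, sizeof(kek));
    /*
     * On failure the output buffer may already hold part of a wrapped or
     * unwrapped key, so clear it before it goes back to the heap.
     */
    if (!rv)
        OPENSSL_clear_free(out, outcap);
    EVP_CIPHER_CTX_reset(kari->ctx);
    /* FIXME: WHY IS kari->pctx freed here?  /RL */
    EVP_PKEY_CTX_free(kari->pctx);
    kari->pctx = NULL;
    return rv;
}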
227 | ||
/*
 * Recover the content encryption key (CEK) for one RecipientEncryptedKey and
 * install it in the message's EncryptedContentInfo.
 *
 * The KEK derivation parameters are set up through cms_env_asn1_ctrl(ri, 1),
 * then cms_kek_cipher() is run in decrypt mode over rek->encryptedKey. On
 * success any CEK previously held by the message is cleared and freed, and
 * the new one takes its place. Returns 1 on success, 0 on failure.
 *
 * NOTE(review): ri->type is not checked here before ri->d.kari is used, and
 * cms->d.envelopedData is dereferenced without checking the content type; the
 * caller has to guarantee both.
 */
int CMS_RecipientInfo_kari_decrypt(CMS_ContentInfo *cms,
                                   CMS_RecipientInfo *ri,
                                   CMS_RecipientEncryptedKey *rek)
{
    size_t wrapped_len = rek->encryptedKey->length;
    unsigned char *wrapped = rek->encryptedKey->data;
    unsigned char *cek = NULL;
    size_t ceklen;
    CMS_EncryptedContentInfo *ec;
    int ok = 0;

    /* Setup all parameters to derive KEK */
    if (!cms_env_asn1_ctrl(ri, 1))
        goto done;

    /* Attempt to decrypt CEK */
    if (!cms_kek_cipher(&cek, &ceklen, wrapped, wrapped_len, ri->d.kari, 0))
        goto done;

    ec = cms->d.envelopedData->encryptedContentInfo;

    /* Wipe the old key material before its buffer is released. */
    OPENSSL_clear_free(ec->key, ec->keylen);
    ec->key = cek;
    ec->keylen = ceklen;

    /* Ownership of the buffer has moved to |ec|. */
    cek = NULL;
    ok = 1;

 done:
    OPENSSL_free(cek);
    return ok;
}
17c2764d DSH |
255 | |
256 | /* Create ephemeral key and initialise context based on it */ | |
static int cms_kari_create_ephemeral_key(CMS_KeyAgreeRecipientInfo *kari,
                                         EVP_PKEY *pk)
{
    /*
     * Two contexts are used in turn: the first, built from |pk|, generates
     * the ephemeral key; the second, built from that new key, is initialised
     * for derivation and stored in kari->pctx. Returns 1 on success, 0 on
     * failure (kari->pctx is not touched on failure).
     */
    EVP_PKEY *eph = NULL;
    EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new(pk, NULL);
    int ok = 0;

    /* Phase 1: generate the ephemeral key. */
    if (ctx == NULL
        || EVP_PKEY_keygen_init(ctx) <= 0
        || EVP_PKEY_keygen(ctx, &eph) <= 0)
        goto done;

    /* Phase 2: swap the keygen context for a derivation context. */
    EVP_PKEY_CTX_free(ctx);
    ctx = EVP_PKEY_CTX_new(eph, NULL);
    if (ctx == NULL || EVP_PKEY_derive_init(ctx) <= 0)
        goto done;

    kari->pctx = ctx;
    ok = 1;

 done:
    /* The context is kept only when it was handed over to |kari|. */
    if (!ok)
        EVP_PKEY_CTX_free(ctx);
    /*
     * The local reference to the ephemeral key is always dropped here;
     * presumably the derivation context keeps its own reference.
     */
    EVP_PKEY_free(eph);
    return ok;
}
17c2764d | 284 | |
b754a8a1 | 285 | /* Initialise a kari based on passed certificate and key */ |
17c2764d DSH |
286 | |
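/*
 * Turn |ri| into a KeyAgreeRecipientInfo for the recipient certificate
 * |recip| with public key |pk|.
 *
 * A version 3 kari with a single RecipientEncryptedKey is created. The
 * recipient is identified by subject key identifier when CMS_USE_KEYID is set
 * in |flags|, otherwise by issuer and serial number. An ephemeral key and its
 * derivation context are then created from |pk|, and a new reference to |pk|
 * is stored in the RecipientEncryptedKey.
 *
 * Returns 1 on success, 0 on failure. On failure the structures allocated so
 * far stay attached to |ri| (apart from a RecipientEncryptedKey that could
 * not be pushed, which is freed here); releasing |ri| is left to the caller.
 */
int cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri, X509 *recip,
                                EVP_PKEY *pk, unsigned int flags)
{
    CMS_KeyAgreeRecipientInfo *kari;
    CMS_RecipientEncryptedKey *rek = NULL;

    ri->d.kari = M_ASN1_new_of(CMS_KeyAgreeRecipientInfo);
    if (ri->d.kari == NULL)
        return 0;
    ri->type = CMS_RECIPINFO_AGREE;

    kari = ri->d.kari;
    kari->version = 3;

    rek = M_ASN1_new_of(CMS_RecipientEncryptedKey);
    if (rek == NULL)
        return 0;

    /* Until the push succeeds |rek| is still ours to free. */
    if (!sk_CMS_RecipientEncryptedKey_push(kari->recipientEncryptedKeys, rek)) {
        M_ASN1_free_of(rek, CMS_RecipientEncryptedKey);
        return 0;
    }

    if (flags & CMS_USE_KEYID) {
        rek->rid->type = CMS_REK_KEYIDENTIFIER;
        rek->rid->d.rKeyId = M_ASN1_new_of(CMS_RecipientKeyIdentifier);
        if (rek->rid->d.rKeyId == NULL)
            return 0;
        if (!cms_set1_keyid(&rek->rid->d.rKeyId->subjectKeyIdentifier, recip))
            return 0;
    } else {
        rek->rid->type = CMS_REK_ISSUER_SERIAL;
        if (!cms_set1_ias(&rek->rid->d.issuerAndSerialNumber, recip))
            return 0;
    }

    /* Create ephemeral key */
    if (!cms_kari_create_ephemeral_key(kari, pk))
        return 0;

    /*
     * Store |pk| only after the extra reference has really been taken. If the
     * pointer were kept after a failed up_ref, freeing |rek| later would drop
     * a reference this structure never owned.
     */
    if (!EVP_PKEY_up_ref(pk))
        return 0;
    rek->pkey = pk;
    return 1;
}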
17c2764d DSH |
331 | |
/*
 * Make sure kari->ctx has a key wrap cipher selected.
 *
 * If the context already has a cipher, it is accepted only when it is in
 * wrap mode (returns 1, otherwise 0) and nothing is changed. Otherwise a wrap
 * cipher is chosen from the content encryption |cipher|: triple DES wrap for
 * des-ede3-cbc (when DES is compiled in), else the AES wrap whose key size is
 * the smallest of 128/192/256 bits that covers the content key length. The
 * result of EVP_EncryptInit_ex() is returned in that case.
 */
static int cms_wrap_init(CMS_KeyAgreeRecipientInfo *kari,
                         const EVP_CIPHER *cipher)
{
    EVP_CIPHER_CTX *wrap_ctx = kari->ctx;
    const EVP_CIPHER *wrap_cipher;
    int cek_len = EVP_CIPHER_key_length(cipher);

    /* If a suitable wrap algorithm is already set nothing to do */
    if (EVP_CIPHER_CTX_cipher(wrap_ctx) != NULL)
        return EVP_CIPHER_CTX_mode(wrap_ctx) == EVP_CIPH_WRAP_MODE;

#ifndef OPENSSL_NO_DES
    /* A triple DES content key is wrapped with triple DES. */
    if (EVP_CIPHER_type(cipher) == NID_des_ede3_cbc)
        return EVP_EncryptInit_ex(wrap_ctx, EVP_des_ede3_wrap(),
                                  NULL, NULL, NULL);
#endif

    /* Key lengths are in bytes: 16 -> AES-128, 24 -> AES-192, more -> AES-256 */
    if (cek_len <= 16)
        wrap_cipher = EVP_aes_128_wrap();
    else if (cek_len <= 24)
        wrap_cipher = EVP_aes_192_wrap();
    else
        wrap_cipher = EVP_aes_256_wrap();

    return EVP_EncryptInit_ex(wrap_ctx, wrap_cipher, NULL, NULL, NULL);
}
17c2764d DSH |
363 | |
364 | /* Encrypt content key in key agreement recipient info */ | |
365 | ||
/*
 * Wrap the message's content encryption key (CEK) for every
 * RecipientEncryptedKey of a key agreement recipient.
 *
 * Steps: select the wrap cipher, make sure an originator form is chosen, let
 * cms_env_asn1_ctrl(ri, 0) set up the KDF, then for each entry set the peer
 * key, derive the KEK and store the wrapped CEK in rek->encryptedKey.
 *
 * Returns 1 on success, 0 on failure (CMS_R_NOT_KEY_AGREEMENT is queued when
 * |ri| has the wrong type; the other failure paths queue nothing here).
 *
 * NOTE(review): cms_kek_cipher() frees kari->pctx before it returns, so from
 * the second entry onwards EVP_PKEY_derive_set_peer() is handed a NULL
 * context. Presumably that call then fails and this function returns 0, i.e.
 * only a single entry can be processed as written; confirm before relying on
 * multiple entries.
 */
int cms_RecipientInfo_kari_encrypt(const CMS_ContentInfo *cms,
                                   CMS_RecipientInfo *ri)
{
    CMS_KeyAgreeRecipientInfo *kari;
    CMS_EncryptedContentInfo *ec;
    STACK_OF(CMS_RecipientEncryptedKey) *reks;
    int idx;

    if (ri->type != CMS_RECIPINFO_AGREE) {
        CMSerr(CMS_F_CMS_RECIPIENTINFO_KARI_ENCRYPT, CMS_R_NOT_KEY_AGREEMENT);
        return 0;
    }

    kari = ri->d.kari;
    reks = kari->recipientEncryptedKeys;
    ec = cms->d.envelopedData->encryptedContentInfo;

    /* Initialise wrap algorithm parameters */
    if (!cms_wrap_init(kari, ec->cipher))
        return 0;

    /*
     * No originator has been chosen yet (type == -1): select the
     * originatorKey form and allocate an empty CMS_OriginatorPublicKey. Per
     * the original comment, the public key ASN1 structure sets the actual
     * public key value later.
     */
    if (kari->originator->type == -1) {
        CMS_OriginatorIdentifierOrKey *orig = kari->originator;

        orig->type = CMS_OIK_PUBKEY;
        orig->d.originatorKey = M_ASN1_new_of(CMS_OriginatorPublicKey);
        if (orig->d.originatorKey == NULL)
            return 0;
    }

    /* Initialise KDF algorithm */
    if (!cms_env_asn1_ctrl(ri, 0))
        return 0;

    /* For each rek, derive KEK, encrypt CEK */
    for (idx = 0; idx < sk_CMS_RecipientEncryptedKey_num(reks); idx++) {
        CMS_RecipientEncryptedKey *entry;
        unsigned char *wrapped;
        size_t wrapped_len;

        entry = sk_CMS_RecipientEncryptedKey_value(reks, idx);
        if (EVP_PKEY_derive_set_peer(kari->pctx, entry->pkey) <= 0)
            return 0;
        if (!cms_kek_cipher(&wrapped, &wrapped_len, ec->key, ec->keylen,
                            kari, 1))
            return 0;
        /* set0: the string takes over the freshly allocated buffer. */
        ASN1_STRING_set0(entry->encryptedKey, wrapped, wrapped_len);
    }

    return 1;
}