cms_kari.c@ 83531

Last change on this file since 83531 was 83531, checked in by vboxsync, 5 years ago
setting svn:sync-process=export for openssl-1.1.1f, all files except tests
File size: 12.4 KB

Line
1	/*
2	* Copyright 2013-2019 The OpenSSL Project Authors. All Rights Reserved.
3	*
4	* Licensed under the OpenSSL license (the "License"). You may not use
5	* this file except in compliance with the License. You can obtain a copy
6	* in the file LICENSE in the source distribution or at
7	* https://www.openssl.org/source/license.html
8	*/
9
10	#include "internal/cryptlib.h"
11	#include <openssl/asn1t.h>
12	#include <openssl/pem.h>
13	#include <openssl/x509v3.h>
14	#include <openssl/err.h>
15	#include <openssl/cms.h>
16	#include <openssl/aes.h>
17	#include "cms_local.h"
18	#include "crypto/asn1.h"
19
20	/* Key Agreement Recipient Info (KARI) routines */
21
22	int CMS_RecipientInfo_kari_get0_alg(CMS_RecipientInfo *ri,
23	X509_ALGOR **palg,
24	ASN1_OCTET_STRING **pukm)
25	{
26	if (ri->type != CMS_RECIPINFO_AGREE) {
27	CMSerr(CMS_F_CMS_RECIPIENTINFO_KARI_GET0_ALG,
28	CMS_R_NOT_KEY_AGREEMENT);
29	return 0;
30	}
31	if (palg)
32	*palg = ri->d.kari->keyEncryptionAlgorithm;
33	if (pukm)
34	*pukm = ri->d.kari->ukm;
35	return 1;
36	}
37
38	/* Retrieve recipient encrypted keys from a kari */
39
40	STACK_OF(CMS_RecipientEncryptedKey)
41	CMS_RecipientInfo_kari_get0_reks(CMS_RecipientInfo ri)
42	{
43	if (ri->type != CMS_RECIPINFO_AGREE) {
44	CMSerr(CMS_F_CMS_RECIPIENTINFO_KARI_GET0_REKS,
45	CMS_R_NOT_KEY_AGREEMENT);
46	return NULL;
47	}
48	return ri->d.kari->recipientEncryptedKeys;
49	}
50
51	int CMS_RecipientInfo_kari_get0_orig_id(CMS_RecipientInfo *ri,
52	X509_ALGOR **pubalg,
53	ASN1_BIT_STRING **pubkey,
54	ASN1_OCTET_STRING **keyid,
55	X509_NAME **issuer,
56	ASN1_INTEGER **sno)
57	{
58	CMS_OriginatorIdentifierOrKey *oik;
59	if (ri->type != CMS_RECIPINFO_AGREE) {
60	CMSerr(CMS_F_CMS_RECIPIENTINFO_KARI_GET0_ORIG_ID,
61	CMS_R_NOT_KEY_AGREEMENT);
62	return 0;
63	}
64	oik = ri->d.kari->originator;
65	if (issuer)
66	*issuer = NULL;
67	if (sno)
68	*sno = NULL;
69	if (keyid)
70	*keyid = NULL;
71	if (pubalg)
72	*pubalg = NULL;
73	if (pubkey)
74	*pubkey = NULL;
75	if (oik->type == CMS_OIK_ISSUER_SERIAL) {
76	if (issuer)
77	*issuer = oik->d.issuerAndSerialNumber->issuer;
78	if (sno)
79	*sno = oik->d.issuerAndSerialNumber->serialNumber;
80	} else if (oik->type == CMS_OIK_KEYIDENTIFIER) {
81	if (keyid)
82	*keyid = oik->d.subjectKeyIdentifier;
83	} else if (oik->type == CMS_OIK_PUBKEY) {
84	if (pubalg)
85	*pubalg = oik->d.originatorKey->algorithm;
86	if (pubkey)
87	*pubkey = oik->d.originatorKey->publicKey;
88	} else
89	return 0;
90	return 1;
91	}
92
93	int CMS_RecipientInfo_kari_orig_id_cmp(CMS_RecipientInfo ri, X509 cert)
94	{
95	CMS_OriginatorIdentifierOrKey *oik;
96	if (ri->type != CMS_RECIPINFO_AGREE) {
97	CMSerr(CMS_F_CMS_RECIPIENTINFO_KARI_ORIG_ID_CMP,
98	CMS_R_NOT_KEY_AGREEMENT);
99	return -2;
100	}
101	oik = ri->d.kari->originator;
102	if (oik->type == CMS_OIK_ISSUER_SERIAL)
103	return cms_ias_cert_cmp(oik->d.issuerAndSerialNumber, cert);
104	else if (oik->type == CMS_OIK_KEYIDENTIFIER)
105	return cms_keyid_cert_cmp(oik->d.subjectKeyIdentifier, cert);
106	return -1;
107	}
108
109	int CMS_RecipientEncryptedKey_get0_id(CMS_RecipientEncryptedKey *rek,
110	ASN1_OCTET_STRING **keyid,
111	ASN1_GENERALIZEDTIME **tm,
112	CMS_OtherKeyAttribute **other,
113	X509_NAME issuer, ASN1_INTEGER sno)
114	{
115	CMS_KeyAgreeRecipientIdentifier *rid = rek->rid;
116	if (rid->type == CMS_REK_ISSUER_SERIAL) {
117	if (issuer)
118	*issuer = rid->d.issuerAndSerialNumber->issuer;
119	if (sno)
120	*sno = rid->d.issuerAndSerialNumber->serialNumber;
121	if (keyid)
122	*keyid = NULL;
123	if (tm)
124	*tm = NULL;
125	if (other)
126	*other = NULL;
127	} else if (rid->type == CMS_REK_KEYIDENTIFIER) {
128	if (keyid)
129	*keyid = rid->d.rKeyId->subjectKeyIdentifier;
130	if (tm)
131	*tm = rid->d.rKeyId->date;
132	if (other)
133	*other = rid->d.rKeyId->other;
134	if (issuer)
135	*issuer = NULL;
136	if (sno)
137	*sno = NULL;
138	} else
139	return 0;
140	return 1;
141	}
142
143	int CMS_RecipientEncryptedKey_cert_cmp(CMS_RecipientEncryptedKey *rek,
144	X509 *cert)
145	{
146	CMS_KeyAgreeRecipientIdentifier *rid = rek->rid;
147	if (rid->type == CMS_REK_ISSUER_SERIAL)
148	return cms_ias_cert_cmp(rid->d.issuerAndSerialNumber, cert);
149	else if (rid->type == CMS_REK_KEYIDENTIFIER)
150	return cms_keyid_cert_cmp(rid->d.rKeyId->subjectKeyIdentifier, cert);
151	else
152	return -1;
153	}
154
155	int CMS_RecipientInfo_kari_set0_pkey(CMS_RecipientInfo ri, EVP_PKEY pk)
156	{
157	EVP_PKEY_CTX *pctx;
158	CMS_KeyAgreeRecipientInfo *kari = ri->d.kari;
159
160	EVP_PKEY_CTX_free(kari->pctx);
161	kari->pctx = NULL;
162	if (!pk)
163	return 1;
164	pctx = EVP_PKEY_CTX_new(pk, NULL);
165	if (!pctx \|\| EVP_PKEY_derive_init(pctx) <= 0)
166	goto err;
167	kari->pctx = pctx;
168	return 1;
169	err:
170	EVP_PKEY_CTX_free(pctx);
171	return 0;
172	}
173
174	EVP_CIPHER_CTX CMS_RecipientInfo_kari_get0_ctx(CMS_RecipientInfo ri)
175	{
176	if (ri->type == CMS_RECIPINFO_AGREE)
177	return ri->d.kari->ctx;
178	return NULL;
179	}
180
181	/*
182	* Derive KEK and decrypt/encrypt with it to produce either the original CEK
183	* or the encrypted CEK.
184	*/
185
186	static int cms_kek_cipher(unsigned char *pout, size_t poutlen,
187	const unsigned char *in, size_t inlen,
188	CMS_KeyAgreeRecipientInfo *kari, int enc)
189	{
190	/* Key encryption key */
191	unsigned char kek[EVP_MAX_KEY_LENGTH];
192	size_t keklen;
193	int rv = 0;
194	unsigned char *out = NULL;
195	int outlen;
196	keklen = EVP_CIPHER_CTX_key_length(kari->ctx);
197	if (keklen > EVP_MAX_KEY_LENGTH)
198	return 0;
199	/* Derive KEK */
200	if (EVP_PKEY_derive(kari->pctx, kek, &keklen) <= 0)
201	goto err;
202	/* Set KEK in context */
203	if (!EVP_CipherInit_ex(kari->ctx, NULL, NULL, kek, NULL, enc))
204	goto err;
205	/* obtain output length of ciphered key */
206	if (!EVP_CipherUpdate(kari->ctx, NULL, &outlen, in, inlen))
207	goto err;
208	out = OPENSSL_malloc(outlen);
209	if (out == NULL)
210	goto err;
211	if (!EVP_CipherUpdate(kari->ctx, out, &outlen, in, inlen))
212	goto err;
213	*pout = out;
214	*poutlen = (size_t)outlen;
215	rv = 1;
216
217	err:
218	OPENSSL_cleanse(kek, keklen);
219	if (!rv)
220	OPENSSL_free(out);
221	EVP_CIPHER_CTX_reset(kari->ctx);
222	/* FIXME: WHY IS kari->pctx freed here? /RL */
223	EVP_PKEY_CTX_free(kari->pctx);
224	kari->pctx = NULL;
225	return rv;
226	}
227
228	int CMS_RecipientInfo_kari_decrypt(CMS_ContentInfo *cms,
229	CMS_RecipientInfo *ri,
230	CMS_RecipientEncryptedKey *rek)
231	{
232	int rv = 0;
233	unsigned char enckey = NULL, cek = NULL;
234	size_t enckeylen;
235	size_t ceklen;
236	CMS_EncryptedContentInfo *ec;
237	enckeylen = rek->encryptedKey->length;
238	enckey = rek->encryptedKey->data;
239	/* Setup all parameters to derive KEK */
240	if (!cms_env_asn1_ctrl(ri, 1))
241	goto err;
242	/* Attempt to decrypt CEK */
243	if (!cms_kek_cipher(&cek, &ceklen, enckey, enckeylen, ri->d.kari, 0))
244	goto err;
245	ec = cms->d.envelopedData->encryptedContentInfo;
246	OPENSSL_clear_free(ec->key, ec->keylen);
247	ec->key = cek;
248	ec->keylen = ceklen;
249	cek = NULL;
250	rv = 1;
251	err:
252	OPENSSL_free(cek);
253	return rv;
254	}
255
256	/* Create ephemeral key and initialise context based on it */
257	static int cms_kari_create_ephemeral_key(CMS_KeyAgreeRecipientInfo *kari,
258	EVP_PKEY *pk)
259	{
260	EVP_PKEY_CTX *pctx = NULL;
261	EVP_PKEY *ekey = NULL;
262	int rv = 0;
263	pctx = EVP_PKEY_CTX_new(pk, NULL);
264	if (!pctx)
265	goto err;
266	if (EVP_PKEY_keygen_init(pctx) <= 0)
267	goto err;
268	if (EVP_PKEY_keygen(pctx, &ekey) <= 0)
269	goto err;
270	EVP_PKEY_CTX_free(pctx);
271	pctx = EVP_PKEY_CTX_new(ekey, NULL);
272	if (!pctx)
273	goto err;
274	if (EVP_PKEY_derive_init(pctx) <= 0)
275	goto err;
276	kari->pctx = pctx;
277	rv = 1;
278	err:
279	if (!rv)
280	EVP_PKEY_CTX_free(pctx);
281	EVP_PKEY_free(ekey);
282	return rv;
283	}
284
285	/* Initialise a kari based on passed certificate and key */
286
287	int cms_RecipientInfo_kari_init(CMS_RecipientInfo ri, X509 recip,
288	EVP_PKEY *pk, unsigned int flags)
289	{
290	CMS_KeyAgreeRecipientInfo *kari;
291	CMS_RecipientEncryptedKey *rek = NULL;
292
293	ri->d.kari = M_ASN1_new_of(CMS_KeyAgreeRecipientInfo);
294	if (!ri->d.kari)
295	return 0;
296	ri->type = CMS_RECIPINFO_AGREE;
297
298	kari = ri->d.kari;
299	kari->version = 3;
300
301	rek = M_ASN1_new_of(CMS_RecipientEncryptedKey);
302	if (rek == NULL)
303	return 0;
304
305	if (!sk_CMS_RecipientEncryptedKey_push(kari->recipientEncryptedKeys, rek)) {
306	M_ASN1_free_of(rek, CMS_RecipientEncryptedKey);
307	return 0;
308	}
309
310	if (flags & CMS_USE_KEYID) {
311	rek->rid->type = CMS_REK_KEYIDENTIFIER;
312	rek->rid->d.rKeyId = M_ASN1_new_of(CMS_RecipientKeyIdentifier);
313	if (rek->rid->d.rKeyId == NULL)
314	return 0;
315	if (!cms_set1_keyid(&rek->rid->d.rKeyId->subjectKeyIdentifier, recip))
316	return 0;
317	} else {
318	rek->rid->type = CMS_REK_ISSUER_SERIAL;
319	if (!cms_set1_ias(&rek->rid->d.issuerAndSerialNumber, recip))
320	return 0;
321	}
322
323	/* Create ephemeral key */
324	if (!cms_kari_create_ephemeral_key(kari, pk))
325	return 0;
326
327	EVP_PKEY_up_ref(pk);
328	rek->pkey = pk;
329	return 1;
330	}
331
332	static int cms_wrap_init(CMS_KeyAgreeRecipientInfo *kari,
333	const EVP_CIPHER *cipher)
334	{
335	EVP_CIPHER_CTX *ctx = kari->ctx;
336	const EVP_CIPHER *kekcipher;
337	int keylen = EVP_CIPHER_key_length(cipher);
338	/* If a suitable wrap algorithm is already set nothing to do */
339	kekcipher = EVP_CIPHER_CTX_cipher(ctx);
340
341	if (kekcipher) {
342	if (EVP_CIPHER_CTX_mode(ctx) != EVP_CIPH_WRAP_MODE)
343	return 0;
344	return 1;
345	}
346	/*
347	* Pick a cipher based on content encryption cipher. If it is DES3 use
348	* DES3 wrap otherwise use AES wrap similar to key size.
349	*/
350	#ifndef OPENSSL_NO_DES
351	if (EVP_CIPHER_type(cipher) == NID_des_ede3_cbc)
352	kekcipher = EVP_des_ede3_wrap();
353	else
354	#endif
355	if (keylen <= 16)
356	kekcipher = EVP_aes_128_wrap();
357	else if (keylen <= 24)
358	kekcipher = EVP_aes_192_wrap();
359	else
360	kekcipher = EVP_aes_256_wrap();
361	return EVP_EncryptInit_ex(ctx, kekcipher, NULL, NULL, NULL);
362	}
363
364	/* Encrypt content key in key agreement recipient info */
365
366	int cms_RecipientInfo_kari_encrypt(CMS_ContentInfo *cms,
367	CMS_RecipientInfo *ri)
368	{
369	CMS_KeyAgreeRecipientInfo *kari;
370	CMS_EncryptedContentInfo *ec;
371	CMS_RecipientEncryptedKey *rek;
372	STACK_OF(CMS_RecipientEncryptedKey) *reks;
373	int i;
374
375	if (ri->type != CMS_RECIPINFO_AGREE) {
376	CMSerr(CMS_F_CMS_RECIPIENTINFO_KARI_ENCRYPT, CMS_R_NOT_KEY_AGREEMENT);
377	return 0;
378	}
379	kari = ri->d.kari;
380	reks = kari->recipientEncryptedKeys;
381	ec = cms->d.envelopedData->encryptedContentInfo;
382	/* Initialise wrap algorithm parameters */
383	if (!cms_wrap_init(kari, ec->cipher))
384	return 0;
385	/*
386	* If no originator key set up initialise for ephemeral key the public key
387	* ASN1 structure will set the actual public key value.
388	*/
389	if (kari->originator->type == -1) {
390	CMS_OriginatorIdentifierOrKey *oik = kari->originator;
391	oik->type = CMS_OIK_PUBKEY;
392	oik->d.originatorKey = M_ASN1_new_of(CMS_OriginatorPublicKey);
393	if (!oik->d.originatorKey)
394	return 0;
395	}
396	/* Initialise KDF algorithm */
397	if (!cms_env_asn1_ctrl(ri, 0))
398	return 0;
399	/* For each rek, derive KEK, encrypt CEK */
400	for (i = 0; i < sk_CMS_RecipientEncryptedKey_num(reks); i++) {
401	unsigned char *enckey;
402	size_t enckeylen;
403	rek = sk_CMS_RecipientEncryptedKey_value(reks, i);
404	if (EVP_PKEY_derive_set_peer(kari->pctx, rek->pkey) <= 0)
405	return 0;
406	if (!cms_kek_cipher(&enckey, &enckeylen, ec->key, ec->keylen,
407	kari, 1))
408	return 0;
409	ASN1_STRING_set0(rek->encryptedKey, enckey, enckeylen);
410	}
411
412	return 1;
413
414	}

Note: See TracBrowser for help on using the repository browser.

source: vbox/trunk/src/libs/openssl-1.1.1f/crypto/cms/cms_kari.c@ 83531

Download in other formats: