cms_kari.c 12 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414
  1. /*
  2. * Copyright 2013-2016 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include "internal/cryptlib.h"
  10. #include <openssl/asn1t.h>
  11. #include <openssl/pem.h>
  12. #include <openssl/x509v3.h>
  13. #include <openssl/err.h>
  14. #include <openssl/cms.h>
  15. #include <openssl/aes.h>
  16. #include "cms_lcl.h"
  17. #include "internal/asn1_int.h"
  18. /* Key Agreement Recipient Info (KARI) routines */
  19. int CMS_RecipientInfo_kari_get0_alg(CMS_RecipientInfo *ri,
  20. X509_ALGOR **palg,
  21. ASN1_OCTET_STRING **pukm)
  22. {
  23. if (ri->type != CMS_RECIPINFO_AGREE) {
  24. CMSerr(CMS_F_CMS_RECIPIENTINFO_KARI_GET0_ALG,
  25. CMS_R_NOT_KEY_AGREEMENT);
  26. return 0;
  27. }
  28. if (palg)
  29. *palg = ri->d.kari->keyEncryptionAlgorithm;
  30. if (pukm)
  31. *pukm = ri->d.kari->ukm;
  32. return 1;
  33. }
  34. /* Retrieve recipient encrypted keys from a kari */
  35. STACK_OF(CMS_RecipientEncryptedKey)
  36. *CMS_RecipientInfo_kari_get0_reks(CMS_RecipientInfo *ri)
  37. {
  38. if (ri->type != CMS_RECIPINFO_AGREE) {
  39. CMSerr(CMS_F_CMS_RECIPIENTINFO_KARI_GET0_REKS,
  40. CMS_R_NOT_KEY_AGREEMENT);
  41. return NULL;
  42. }
  43. return ri->d.kari->recipientEncryptedKeys;
  44. }
  45. int CMS_RecipientInfo_kari_get0_orig_id(CMS_RecipientInfo *ri,
  46. X509_ALGOR **pubalg,
  47. ASN1_BIT_STRING **pubkey,
  48. ASN1_OCTET_STRING **keyid,
  49. X509_NAME **issuer,
  50. ASN1_INTEGER **sno)
  51. {
  52. CMS_OriginatorIdentifierOrKey *oik;
  53. if (ri->type != CMS_RECIPINFO_AGREE) {
  54. CMSerr(CMS_F_CMS_RECIPIENTINFO_KARI_GET0_ORIG_ID,
  55. CMS_R_NOT_KEY_AGREEMENT);
  56. return 0;
  57. }
  58. oik = ri->d.kari->originator;
  59. if (issuer)
  60. *issuer = NULL;
  61. if (sno)
  62. *sno = NULL;
  63. if (keyid)
  64. *keyid = NULL;
  65. if (pubalg)
  66. *pubalg = NULL;
  67. if (pubkey)
  68. *pubkey = NULL;
  69. if (oik->type == CMS_OIK_ISSUER_SERIAL) {
  70. if (issuer)
  71. *issuer = oik->d.issuerAndSerialNumber->issuer;
  72. if (sno)
  73. *sno = oik->d.issuerAndSerialNumber->serialNumber;
  74. } else if (oik->type == CMS_OIK_KEYIDENTIFIER) {
  75. if (keyid)
  76. *keyid = oik->d.subjectKeyIdentifier;
  77. } else if (oik->type == CMS_OIK_PUBKEY) {
  78. if (pubalg)
  79. *pubalg = oik->d.originatorKey->algorithm;
  80. if (pubkey)
  81. *pubkey = oik->d.originatorKey->publicKey;
  82. } else
  83. return 0;
  84. return 1;
  85. }
  86. int CMS_RecipientInfo_kari_orig_id_cmp(CMS_RecipientInfo *ri, X509 *cert)
  87. {
  88. CMS_OriginatorIdentifierOrKey *oik;
  89. if (ri->type != CMS_RECIPINFO_AGREE) {
  90. CMSerr(CMS_F_CMS_RECIPIENTINFO_KARI_ORIG_ID_CMP,
  91. CMS_R_NOT_KEY_AGREEMENT);
  92. return -2;
  93. }
  94. oik = ri->d.kari->originator;
  95. if (oik->type == CMS_OIK_ISSUER_SERIAL)
  96. return cms_ias_cert_cmp(oik->d.issuerAndSerialNumber, cert);
  97. else if (oik->type == CMS_OIK_KEYIDENTIFIER)
  98. return cms_keyid_cert_cmp(oik->d.subjectKeyIdentifier, cert);
  99. return -1;
  100. }
  101. int CMS_RecipientEncryptedKey_get0_id(CMS_RecipientEncryptedKey *rek,
  102. ASN1_OCTET_STRING **keyid,
  103. ASN1_GENERALIZEDTIME **tm,
  104. CMS_OtherKeyAttribute **other,
  105. X509_NAME **issuer, ASN1_INTEGER **sno)
  106. {
  107. CMS_KeyAgreeRecipientIdentifier *rid = rek->rid;
  108. if (rid->type == CMS_REK_ISSUER_SERIAL) {
  109. if (issuer)
  110. *issuer = rid->d.issuerAndSerialNumber->issuer;
  111. if (sno)
  112. *sno = rid->d.issuerAndSerialNumber->serialNumber;
  113. if (keyid)
  114. *keyid = NULL;
  115. if (tm)
  116. *tm = NULL;
  117. if (other)
  118. *other = NULL;
  119. } else if (rid->type == CMS_REK_KEYIDENTIFIER) {
  120. if (keyid)
  121. *keyid = rid->d.rKeyId->subjectKeyIdentifier;
  122. if (tm)
  123. *tm = rid->d.rKeyId->date;
  124. if (other)
  125. *other = rid->d.rKeyId->other;
  126. if (issuer)
  127. *issuer = NULL;
  128. if (sno)
  129. *sno = NULL;
  130. } else
  131. return 0;
  132. return 1;
  133. }
  134. int CMS_RecipientEncryptedKey_cert_cmp(CMS_RecipientEncryptedKey *rek,
  135. X509 *cert)
  136. {
  137. CMS_KeyAgreeRecipientIdentifier *rid = rek->rid;
  138. if (rid->type == CMS_REK_ISSUER_SERIAL)
  139. return cms_ias_cert_cmp(rid->d.issuerAndSerialNumber, cert);
  140. else if (rid->type == CMS_REK_KEYIDENTIFIER)
  141. return cms_keyid_cert_cmp(rid->d.rKeyId->subjectKeyIdentifier, cert);
  142. else
  143. return -1;
  144. }
  145. int CMS_RecipientInfo_kari_set0_pkey(CMS_RecipientInfo *ri, EVP_PKEY *pk)
  146. {
  147. EVP_PKEY_CTX *pctx;
  148. CMS_KeyAgreeRecipientInfo *kari = ri->d.kari;
  149. EVP_PKEY_CTX_free(kari->pctx);
  150. kari->pctx = NULL;
  151. if (!pk)
  152. return 1;
  153. pctx = EVP_PKEY_CTX_new(pk, NULL);
  154. if (!pctx || !EVP_PKEY_derive_init(pctx))
  155. goto err;
  156. kari->pctx = pctx;
  157. return 1;
  158. err:
  159. EVP_PKEY_CTX_free(pctx);
  160. return 0;
  161. }
  162. EVP_CIPHER_CTX *CMS_RecipientInfo_kari_get0_ctx(CMS_RecipientInfo *ri)
  163. {
  164. if (ri->type == CMS_RECIPINFO_AGREE)
  165. return ri->d.kari->ctx;
  166. return NULL;
  167. }
  168. /*
  169. * Derive KEK and decrypt/encrypt with it to produce either the original CEK
  170. * or the encrypted CEK.
  171. */
  172. static int cms_kek_cipher(unsigned char **pout, size_t *poutlen,
  173. const unsigned char *in, size_t inlen,
  174. CMS_KeyAgreeRecipientInfo *kari, int enc)
  175. {
  176. /* Key encryption key */
  177. unsigned char kek[EVP_MAX_KEY_LENGTH];
  178. size_t keklen;
  179. int rv = 0;
  180. unsigned char *out = NULL;
  181. int outlen;
  182. keklen = EVP_CIPHER_CTX_key_length(kari->ctx);
  183. if (keklen > EVP_MAX_KEY_LENGTH)
  184. return 0;
  185. /* Derive KEK */
  186. if (EVP_PKEY_derive(kari->pctx, kek, &keklen) <= 0)
  187. goto err;
  188. /* Set KEK in context */
  189. if (!EVP_CipherInit_ex(kari->ctx, NULL, NULL, kek, NULL, enc))
  190. goto err;
  191. /* obtain output length of ciphered key */
  192. if (!EVP_CipherUpdate(kari->ctx, NULL, &outlen, in, inlen))
  193. goto err;
  194. out = OPENSSL_malloc(outlen);
  195. if (out == NULL)
  196. goto err;
  197. if (!EVP_CipherUpdate(kari->ctx, out, &outlen, in, inlen))
  198. goto err;
  199. *pout = out;
  200. *poutlen = (size_t)outlen;
  201. rv = 1;
  202. err:
  203. OPENSSL_cleanse(kek, keklen);
  204. if (!rv)
  205. OPENSSL_free(out);
  206. EVP_CIPHER_CTX_reset(kari->ctx);
  207. /* FIXME: WHY IS kari->pctx freed here? /RL */
  208. EVP_PKEY_CTX_free(kari->pctx);
  209. kari->pctx = NULL;
  210. return rv;
  211. }
  212. int CMS_RecipientInfo_kari_decrypt(CMS_ContentInfo *cms,
  213. CMS_RecipientInfo *ri,
  214. CMS_RecipientEncryptedKey *rek)
  215. {
  216. int rv = 0;
  217. unsigned char *enckey = NULL, *cek = NULL;
  218. size_t enckeylen;
  219. size_t ceklen;
  220. CMS_EncryptedContentInfo *ec;
  221. enckeylen = rek->encryptedKey->length;
  222. enckey = rek->encryptedKey->data;
  223. /* Setup all parameters to derive KEK */
  224. if (!cms_env_asn1_ctrl(ri, 1))
  225. goto err;
  226. /* Attempt to decrypt CEK */
  227. if (!cms_kek_cipher(&cek, &ceklen, enckey, enckeylen, ri->d.kari, 0))
  228. goto err;
  229. ec = cms->d.envelopedData->encryptedContentInfo;
  230. OPENSSL_clear_free(ec->key, ec->keylen);
  231. ec->key = cek;
  232. ec->keylen = ceklen;
  233. cek = NULL;
  234. rv = 1;
  235. err:
  236. OPENSSL_free(cek);
  237. return rv;
  238. }
  239. /* Create ephemeral key and initialise context based on it */
  240. static int cms_kari_create_ephemeral_key(CMS_KeyAgreeRecipientInfo *kari,
  241. EVP_PKEY *pk)
  242. {
  243. EVP_PKEY_CTX *pctx = NULL;
  244. EVP_PKEY *ekey = NULL;
  245. int rv = 0;
  246. pctx = EVP_PKEY_CTX_new(pk, NULL);
  247. if (!pctx)
  248. goto err;
  249. if (EVP_PKEY_keygen_init(pctx) <= 0)
  250. goto err;
  251. if (EVP_PKEY_keygen(pctx, &ekey) <= 0)
  252. goto err;
  253. EVP_PKEY_CTX_free(pctx);
  254. pctx = EVP_PKEY_CTX_new(ekey, NULL);
  255. if (!pctx)
  256. goto err;
  257. if (EVP_PKEY_derive_init(pctx) <= 0)
  258. goto err;
  259. kari->pctx = pctx;
  260. rv = 1;
  261. err:
  262. if (!rv)
  263. EVP_PKEY_CTX_free(pctx);
  264. EVP_PKEY_free(ekey);
  265. return rv;
  266. }
  267. /* Initialise a kari based on passed certificate and key */
  268. int cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri, X509 *recip,
  269. EVP_PKEY *pk, unsigned int flags)
  270. {
  271. CMS_KeyAgreeRecipientInfo *kari;
  272. CMS_RecipientEncryptedKey *rek = NULL;
  273. ri->d.kari = M_ASN1_new_of(CMS_KeyAgreeRecipientInfo);
  274. if (!ri->d.kari)
  275. return 0;
  276. ri->type = CMS_RECIPINFO_AGREE;
  277. kari = ri->d.kari;
  278. kari->version = 3;
  279. rek = M_ASN1_new_of(CMS_RecipientEncryptedKey);
  280. if (rek == NULL)
  281. return 0;
  282. if (!sk_CMS_RecipientEncryptedKey_push(kari->recipientEncryptedKeys, rek)) {
  283. M_ASN1_free_of(rek, CMS_RecipientEncryptedKey);
  284. return 0;
  285. }
  286. if (flags & CMS_USE_KEYID) {
  287. rek->rid->type = CMS_REK_KEYIDENTIFIER;
  288. rek->rid->d.rKeyId = M_ASN1_new_of(CMS_RecipientKeyIdentifier);
  289. if (rek->rid->d.rKeyId == NULL)
  290. return 0;
  291. if (!cms_set1_keyid(&rek->rid->d.rKeyId->subjectKeyIdentifier, recip))
  292. return 0;
  293. } else {
  294. rek->rid->type = CMS_REK_ISSUER_SERIAL;
  295. if (!cms_set1_ias(&rek->rid->d.issuerAndSerialNumber, recip))
  296. return 0;
  297. }
  298. /* Create ephemeral key */
  299. if (!cms_kari_create_ephemeral_key(kari, pk))
  300. return 0;
  301. EVP_PKEY_up_ref(pk);
  302. rek->pkey = pk;
  303. return 1;
  304. }
  305. static int cms_wrap_init(CMS_KeyAgreeRecipientInfo *kari,
  306. const EVP_CIPHER *cipher)
  307. {
  308. EVP_CIPHER_CTX *ctx = kari->ctx;
  309. const EVP_CIPHER *kekcipher;
  310. int keylen = EVP_CIPHER_key_length(cipher);
  311. /* If a suitable wrap algorithm is already set nothing to do */
  312. kekcipher = EVP_CIPHER_CTX_cipher(ctx);
  313. if (kekcipher) {
  314. if (EVP_CIPHER_CTX_mode(ctx) != EVP_CIPH_WRAP_MODE)
  315. return 0;
  316. return 1;
  317. }
  318. /*
  319. * Pick a cipher based on content encryption cipher. If it is DES3 use
  320. * DES3 wrap otherwise use AES wrap similar to key size.
  321. */
  322. #ifndef OPENSSL_NO_DES
  323. if (EVP_CIPHER_type(cipher) == NID_des_ede3_cbc)
  324. kekcipher = EVP_des_ede3_wrap();
  325. else
  326. #endif
  327. if (keylen <= 16)
  328. kekcipher = EVP_aes_128_wrap();
  329. else if (keylen <= 24)
  330. kekcipher = EVP_aes_192_wrap();
  331. else
  332. kekcipher = EVP_aes_256_wrap();
  333. return EVP_EncryptInit_ex(ctx, kekcipher, NULL, NULL, NULL);
  334. }
  335. /* Encrypt content key in key agreement recipient info */
  336. int cms_RecipientInfo_kari_encrypt(const CMS_ContentInfo *cms,
  337. CMS_RecipientInfo *ri)
  338. {
  339. CMS_KeyAgreeRecipientInfo *kari;
  340. CMS_EncryptedContentInfo *ec;
  341. CMS_RecipientEncryptedKey *rek;
  342. STACK_OF(CMS_RecipientEncryptedKey) *reks;
  343. int i;
  344. if (ri->type != CMS_RECIPINFO_AGREE) {
  345. CMSerr(CMS_F_CMS_RECIPIENTINFO_KARI_ENCRYPT, CMS_R_NOT_KEY_AGREEMENT);
  346. return 0;
  347. }
  348. kari = ri->d.kari;
  349. reks = kari->recipientEncryptedKeys;
  350. ec = cms->d.envelopedData->encryptedContentInfo;
  351. /* Initialise wrap algorithm parameters */
  352. if (!cms_wrap_init(kari, ec->cipher))
  353. return 0;
  354. /*
  355. * If no originator key set up initialise for ephemeral key the public key
  356. * ASN1 structure will set the actual public key value.
  357. */
  358. if (kari->originator->type == -1) {
  359. CMS_OriginatorIdentifierOrKey *oik = kari->originator;
  360. oik->type = CMS_OIK_PUBKEY;
  361. oik->d.originatorKey = M_ASN1_new_of(CMS_OriginatorPublicKey);
  362. if (!oik->d.originatorKey)
  363. return 0;
  364. }
  365. /* Initialise KDF algorithm */
  366. if (!cms_env_asn1_ctrl(ri, 0))
  367. return 0;
  368. /* For each rek, derive KEK, encrypt CEK */
  369. for (i = 0; i < sk_CMS_RecipientEncryptedKey_num(reks); i++) {
  370. unsigned char *enckey;
  371. size_t enckeylen;
  372. rek = sk_CMS_RecipientEncryptedKey_value(reks, i);
  373. if (EVP_PKEY_derive_set_peer(kari->pctx, rek->pkey) <= 0)
  374. return 0;
  375. if (!cms_kek_cipher(&enckey, &enckeylen, ec->key, ec->keylen,
  376. kari, 1))
  377. return 0;
  378. ASN1_STRING_set0(rek->encryptedKey, enckey, enckeylen);
  379. }
  380. return 1;
  381. }