cms_ec.c 12 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419
  1. /*
  2. * Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <assert.h>
  10. #include <openssl/cms.h>
  11. #include <openssl/err.h>
  12. #include <openssl/decoder.h>
  13. #include "cms_local.h"
  14. #include "crypto/evp.h"
  15. #ifndef OPENSSL_NO_EC
  16. static EVP_PKEY *pkey_type2param(int ptype, const void *pval,
  17. OSSL_LIB_CTX *libctx, const char *propq)
  18. {
  19. EVP_PKEY *pkey = NULL;
  20. EVP_PKEY_CTX *pctx = NULL;
  21. if (ptype == V_ASN1_SEQUENCE) {
  22. const ASN1_STRING *pstr = pval;
  23. const unsigned char *pm = pstr->data;
  24. int pmlen = pstr->length;
  25. OSSL_DECODER_CTX *ctx = NULL;
  26. BIO *membio = NULL;
  27. /* TODO(3.0): Need to be able to specify here that only params will do */
  28. ctx = OSSL_DECODER_CTX_new_by_EVP_PKEY(&pkey, "DER", "EC", libctx,
  29. propq);
  30. if (ctx == NULL)
  31. goto err;
  32. membio = BIO_new_mem_buf(pm, pmlen);
  33. if (membio == NULL) {
  34. OSSL_DECODER_CTX_free(ctx);
  35. goto err;
  36. }
  37. OSSL_DECODER_from_bio(ctx, membio);
  38. BIO_free(membio);
  39. OSSL_DECODER_CTX_free(ctx);
  40. } else if (ptype == V_ASN1_OBJECT) {
  41. const ASN1_OBJECT *poid = pval;
  42. const char *groupname;
  43. /* type == V_ASN1_OBJECT => the parameters are given by an asn1 OID */
  44. pctx = EVP_PKEY_CTX_new_from_name(libctx, "EC", propq);
  45. if (pctx == NULL || EVP_PKEY_paramgen_init(pctx) <= 0)
  46. goto err;
  47. groupname = OBJ_nid2sn(OBJ_obj2nid(poid));
  48. if (groupname == NULL
  49. || !EVP_PKEY_CTX_set_group_name(pctx, groupname)) {
  50. CMSerr(0, CMS_R_DECODE_ERROR);
  51. goto err;
  52. }
  53. if (EVP_PKEY_paramgen(pctx, &pkey) <= 0)
  54. goto err;
  55. } else {
  56. CMSerr(0, CMS_R_DECODE_ERROR);
  57. goto err;
  58. }
  59. return pkey;
  60. err:
  61. EVP_PKEY_free(pkey);
  62. EVP_PKEY_CTX_free(pctx);
  63. return NULL;
  64. }
  65. static int ecdh_cms_set_peerkey(EVP_PKEY_CTX *pctx,
  66. X509_ALGOR *alg, ASN1_BIT_STRING *pubkey)
  67. {
  68. const ASN1_OBJECT *aoid;
  69. int atype;
  70. const void *aval;
  71. int rv = 0;
  72. EVP_PKEY *pkpeer = NULL;
  73. const unsigned char *p;
  74. int plen;
  75. X509_ALGOR_get0(&aoid, &atype, &aval, alg);
  76. if (OBJ_obj2nid(aoid) != NID_X9_62_id_ecPublicKey)
  77. goto err;
  78. /* If absent parameters get group from main key */
  79. if (atype == V_ASN1_UNDEF || atype == V_ASN1_NULL) {
  80. EVP_PKEY *pk;
  81. pk = EVP_PKEY_CTX_get0_pkey(pctx);
  82. if (pk == NULL)
  83. goto err;
  84. pkpeer = EVP_PKEY_new();
  85. if (pkpeer == NULL)
  86. goto err;
  87. if (!EVP_PKEY_copy_parameters(pkpeer, pk))
  88. goto err;
  89. } else {
  90. pkpeer = pkey_type2param(atype, aval,
  91. EVP_PKEY_CTX_get0_libctx(pctx),
  92. EVP_PKEY_CTX_get0_propq(pctx));
  93. if (pkpeer == NULL)
  94. goto err;
  95. }
  96. /* We have parameters now set public key */
  97. plen = ASN1_STRING_length(pubkey);
  98. p = ASN1_STRING_get0_data(pubkey);
  99. if (p == NULL || plen == 0)
  100. goto err;
  101. /* TODO(3.0): Terrible name. We need a non-tls specific name */
  102. if (!EVP_PKEY_set1_tls_encodedpoint(pkpeer, p, plen))
  103. goto err;
  104. if (EVP_PKEY_derive_set_peer(pctx, pkpeer) > 0)
  105. rv = 1;
  106. err:
  107. EVP_PKEY_free(pkpeer);
  108. return rv;
  109. }
  110. /* Set KDF parameters based on KDF NID */
  111. static int ecdh_cms_set_kdf_param(EVP_PKEY_CTX *pctx, int eckdf_nid)
  112. {
  113. int kdf_nid, kdfmd_nid, cofactor;
  114. const EVP_MD *kdf_md;
  115. if (eckdf_nid == NID_undef)
  116. return 0;
  117. /* Lookup KDF type, cofactor mode and digest */
  118. if (!OBJ_find_sigid_algs(eckdf_nid, &kdfmd_nid, &kdf_nid))
  119. return 0;
  120. if (kdf_nid == NID_dh_std_kdf)
  121. cofactor = 0;
  122. else if (kdf_nid == NID_dh_cofactor_kdf)
  123. cofactor = 1;
  124. else
  125. return 0;
  126. if (EVP_PKEY_CTX_set_ecdh_cofactor_mode(pctx, cofactor) <= 0)
  127. return 0;
  128. if (EVP_PKEY_CTX_set_ecdh_kdf_type(pctx, EVP_PKEY_ECDH_KDF_X9_63) <= 0)
  129. return 0;
  130. kdf_md = EVP_get_digestbynid(kdfmd_nid);
  131. if (!kdf_md)
  132. return 0;
  133. if (EVP_PKEY_CTX_set_ecdh_kdf_md(pctx, kdf_md) <= 0)
  134. return 0;
  135. return 1;
  136. }
  137. static int ecdh_cms_set_shared_info(EVP_PKEY_CTX *pctx, CMS_RecipientInfo *ri)
  138. {
  139. int rv = 0;
  140. X509_ALGOR *alg, *kekalg = NULL;
  141. ASN1_OCTET_STRING *ukm;
  142. const unsigned char *p;
  143. unsigned char *der = NULL;
  144. int plen, keylen;
  145. EVP_CIPHER *kekcipher = NULL;
  146. EVP_CIPHER_CTX *kekctx;
  147. const char *name;
  148. if (!CMS_RecipientInfo_kari_get0_alg(ri, &alg, &ukm))
  149. return 0;
  150. if (!ecdh_cms_set_kdf_param(pctx, OBJ_obj2nid(alg->algorithm))) {
  151. CMSerr(0, CMS_R_KDF_PARAMETER_ERROR);
  152. return 0;
  153. }
  154. if (alg->parameter->type != V_ASN1_SEQUENCE)
  155. return 0;
  156. p = alg->parameter->value.sequence->data;
  157. plen = alg->parameter->value.sequence->length;
  158. kekalg = d2i_X509_ALGOR(NULL, &p, plen);
  159. if (kekalg == NULL)
  160. goto err;
  161. kekctx = CMS_RecipientInfo_kari_get0_ctx(ri);
  162. if (kekctx == NULL)
  163. goto err;
  164. name = OBJ_nid2sn(OBJ_obj2nid(kekalg->algorithm));
  165. kekcipher = EVP_CIPHER_fetch(pctx->libctx, name, pctx->propquery);
  166. if (kekcipher == NULL || EVP_CIPHER_mode(kekcipher) != EVP_CIPH_WRAP_MODE)
  167. goto err;
  168. if (!EVP_EncryptInit_ex(kekctx, kekcipher, NULL, NULL, NULL))
  169. goto err;
  170. if (EVP_CIPHER_asn1_to_param(kekctx, kekalg->parameter) <= 0)
  171. goto err;
  172. keylen = EVP_CIPHER_CTX_key_length(kekctx);
  173. if (EVP_PKEY_CTX_set_ecdh_kdf_outlen(pctx, keylen) <= 0)
  174. goto err;
  175. plen = CMS_SharedInfo_encode(&der, kekalg, ukm, keylen);
  176. if (plen <= 0)
  177. goto err;
  178. if (EVP_PKEY_CTX_set0_ecdh_kdf_ukm(pctx, der, plen) <= 0)
  179. goto err;
  180. der = NULL;
  181. rv = 1;
  182. err:
  183. EVP_CIPHER_free(kekcipher);
  184. X509_ALGOR_free(kekalg);
  185. OPENSSL_free(der);
  186. return rv;
  187. }
  188. static int ecdh_cms_decrypt(CMS_RecipientInfo *ri)
  189. {
  190. EVP_PKEY_CTX *pctx;
  191. pctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
  192. if (pctx == NULL)
  193. return 0;
  194. /* See if we need to set peer key */
  195. if (!EVP_PKEY_CTX_get0_peerkey(pctx)) {
  196. X509_ALGOR *alg;
  197. ASN1_BIT_STRING *pubkey;
  198. if (!CMS_RecipientInfo_kari_get0_orig_id(ri, &alg, &pubkey,
  199. NULL, NULL, NULL))
  200. return 0;
  201. if (alg == NULL || pubkey == NULL)
  202. return 0;
  203. if (!ecdh_cms_set_peerkey(pctx, alg, pubkey)) {
  204. CMSerr(0, CMS_R_PEER_KEY_ERROR);
  205. return 0;
  206. }
  207. }
  208. /* Set ECDH derivation parameters and initialise unwrap context */
  209. if (!ecdh_cms_set_shared_info(pctx, ri)) {
  210. CMSerr(0, CMS_R_SHARED_INFO_ERROR);
  211. return 0;
  212. }
  213. return 1;
  214. }
  215. static int ecdh_cms_encrypt(CMS_RecipientInfo *ri)
  216. {
  217. EVP_PKEY_CTX *pctx;
  218. EVP_PKEY *pkey;
  219. EVP_CIPHER_CTX *ctx;
  220. int keylen;
  221. X509_ALGOR *talg, *wrap_alg = NULL;
  222. const ASN1_OBJECT *aoid;
  223. ASN1_BIT_STRING *pubkey;
  224. ASN1_STRING *wrap_str;
  225. ASN1_OCTET_STRING *ukm;
  226. unsigned char *penc = NULL;
  227. size_t penclen;
  228. int rv = 0;
  229. int ecdh_nid, kdf_type, kdf_nid, wrap_nid;
  230. const EVP_MD *kdf_md;
  231. pctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
  232. if (pctx == NULL)
  233. return 0;
  234. /* Get ephemeral key */
  235. pkey = EVP_PKEY_CTX_get0_pkey(pctx);
  236. if (!CMS_RecipientInfo_kari_get0_orig_id(ri, &talg, &pubkey,
  237. NULL, NULL, NULL))
  238. goto err;
  239. X509_ALGOR_get0(&aoid, NULL, NULL, talg);
  240. /* Is everything uninitialised? */
  241. if (aoid == OBJ_nid2obj(NID_undef)) {
  242. /* Set the key */
  243. /* TODO(3.0): Terrible name. Needs a non TLS specific name */
  244. penclen = EVP_PKEY_get1_tls_encodedpoint(pkey, &penc);
  245. ASN1_STRING_set0(pubkey, penc, penclen);
  246. pubkey->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07);
  247. pubkey->flags |= ASN1_STRING_FLAG_BITS_LEFT;
  248. penc = NULL;
  249. X509_ALGOR_set0(talg, OBJ_nid2obj(NID_X9_62_id_ecPublicKey),
  250. V_ASN1_UNDEF, NULL);
  251. }
  252. /* See if custom parameters set */
  253. kdf_type = EVP_PKEY_CTX_get_ecdh_kdf_type(pctx);
  254. if (kdf_type <= 0)
  255. goto err;
  256. if (!EVP_PKEY_CTX_get_ecdh_kdf_md(pctx, &kdf_md))
  257. goto err;
  258. ecdh_nid = EVP_PKEY_CTX_get_ecdh_cofactor_mode(pctx);
  259. if (ecdh_nid < 0)
  260. goto err;
  261. else if (ecdh_nid == 0)
  262. ecdh_nid = NID_dh_std_kdf;
  263. else if (ecdh_nid == 1)
  264. ecdh_nid = NID_dh_cofactor_kdf;
  265. if (kdf_type == EVP_PKEY_ECDH_KDF_NONE) {
  266. kdf_type = EVP_PKEY_ECDH_KDF_X9_63;
  267. if (EVP_PKEY_CTX_set_ecdh_kdf_type(pctx, kdf_type) <= 0)
  268. goto err;
  269. } else
  270. /* Unknown KDF */
  271. goto err;
  272. if (kdf_md == NULL) {
  273. /* Fixme later for better MD */
  274. kdf_md = EVP_sha1();
  275. if (EVP_PKEY_CTX_set_ecdh_kdf_md(pctx, kdf_md) <= 0)
  276. goto err;
  277. }
  278. if (!CMS_RecipientInfo_kari_get0_alg(ri, &talg, &ukm))
  279. goto err;
  280. /* Lookup NID for KDF+cofactor+digest */
  281. if (!OBJ_find_sigid_by_algs(&kdf_nid, EVP_MD_type(kdf_md), ecdh_nid))
  282. goto err;
  283. /* Get wrap NID */
  284. ctx = CMS_RecipientInfo_kari_get0_ctx(ri);
  285. wrap_nid = EVP_CIPHER_CTX_type(ctx);
  286. keylen = EVP_CIPHER_CTX_key_length(ctx);
  287. /* Package wrap algorithm in an AlgorithmIdentifier */
  288. wrap_alg = X509_ALGOR_new();
  289. if (wrap_alg == NULL)
  290. goto err;
  291. wrap_alg->algorithm = OBJ_nid2obj(wrap_nid);
  292. wrap_alg->parameter = ASN1_TYPE_new();
  293. if (wrap_alg->parameter == NULL)
  294. goto err;
  295. if (EVP_CIPHER_param_to_asn1(ctx, wrap_alg->parameter) <= 0)
  296. goto err;
  297. if (ASN1_TYPE_get(wrap_alg->parameter) == NID_undef) {
  298. ASN1_TYPE_free(wrap_alg->parameter);
  299. wrap_alg->parameter = NULL;
  300. }
  301. if (EVP_PKEY_CTX_set_ecdh_kdf_outlen(pctx, keylen) <= 0)
  302. goto err;
  303. penclen = CMS_SharedInfo_encode(&penc, wrap_alg, ukm, keylen);
  304. if (penclen == 0)
  305. goto err;
  306. if (EVP_PKEY_CTX_set0_ecdh_kdf_ukm(pctx, penc, penclen) <= 0)
  307. goto err;
  308. penc = NULL;
  309. /*
  310. * Now need to wrap encoding of wrap AlgorithmIdentifier into parameter
  311. * of another AlgorithmIdentifier.
  312. */
  313. penclen = i2d_X509_ALGOR(wrap_alg, &penc);
  314. if (penc == NULL || penclen == 0)
  315. goto err;
  316. wrap_str = ASN1_STRING_new();
  317. if (wrap_str == NULL)
  318. goto err;
  319. ASN1_STRING_set0(wrap_str, penc, penclen);
  320. penc = NULL;
  321. X509_ALGOR_set0(talg, OBJ_nid2obj(kdf_nid), V_ASN1_SEQUENCE, wrap_str);
  322. rv = 1;
  323. err:
  324. OPENSSL_free(penc);
  325. X509_ALGOR_free(wrap_alg);
  326. return rv;
  327. }
  328. int cms_ecdh_envelope(CMS_RecipientInfo *ri, int decrypt)
  329. {
  330. assert(decrypt == 0 || decrypt == 1);
  331. if (decrypt == 1)
  332. return ecdh_cms_decrypt(ri);
  333. if (decrypt == 0)
  334. return ecdh_cms_encrypt(ri);
  335. CMSerr(0, CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE);
  336. return 0;
  337. }
  338. #endif
  339. /* ECDSA and DSA implementation is the same */
  340. int cms_ecdsa_dsa_sign(CMS_SignerInfo *si, int verify)
  341. {
  342. assert(verify == 0 || verify == 1);
  343. if (verify == 0) {
  344. int snid, hnid;
  345. X509_ALGOR *alg1, *alg2;
  346. EVP_PKEY *pkey = si->pkey;
  347. CMS_SignerInfo_get0_algs(si, NULL, NULL, &alg1, &alg2);
  348. if (alg1 == NULL || alg1->algorithm == NULL)
  349. return -1;
  350. hnid = OBJ_obj2nid(alg1->algorithm);
  351. if (hnid == NID_undef)
  352. return -1;
  353. if (!OBJ_find_sigid_by_algs(&snid, hnid, EVP_PKEY_id(pkey)))
  354. return -1;
  355. X509_ALGOR_set0(alg2, OBJ_nid2obj(snid), V_ASN1_UNDEF, 0);
  356. }
  357. return 1;
  358. }