cms_ec.c 12 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408
  1. /*
  2. * Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <assert.h>
  10. #include <openssl/cms.h>
  11. #include <openssl/err.h>
  12. #include <openssl/decoder.h>
  13. #include "cms_local.h"
  14. #include "crypto/evp.h"
  15. static EVP_PKEY *pkey_type2param(int ptype, const void *pval,
  16. OSSL_LIB_CTX *libctx, const char *propq)
  17. {
  18. EVP_PKEY *pkey = NULL;
  19. EVP_PKEY_CTX *pctx = NULL;
  20. if (ptype == V_ASN1_SEQUENCE) {
  21. const ASN1_STRING *pstr = pval;
  22. const unsigned char *pm = pstr->data;
  23. size_t pmlen = (size_t)pstr->length;
  24. OSSL_DECODER_CTX *ctx = NULL;
  25. int selection = OSSL_KEYMGMT_SELECT_ALL_PARAMETERS;
  26. ctx = OSSL_DECODER_CTX_new_for_pkey(&pkey, "DER", NULL, "EC",
  27. selection, libctx, propq);
  28. if (ctx == NULL)
  29. goto err;
  30. OSSL_DECODER_from_data(ctx, &pm, &pmlen);
  31. OSSL_DECODER_CTX_free(ctx);
  32. } else if (ptype == V_ASN1_OBJECT) {
  33. const ASN1_OBJECT *poid = pval;
  34. const char *groupname;
  35. /* type == V_ASN1_OBJECT => the parameters are given by an asn1 OID */
  36. pctx = EVP_PKEY_CTX_new_from_name(libctx, "EC", propq);
  37. if (pctx == NULL || EVP_PKEY_paramgen_init(pctx) <= 0)
  38. goto err;
  39. groupname = OBJ_nid2sn(OBJ_obj2nid(poid));
  40. if (groupname == NULL
  41. || !EVP_PKEY_CTX_set_group_name(pctx, groupname)) {
  42. ERR_raise(ERR_LIB_CMS, CMS_R_DECODE_ERROR);
  43. goto err;
  44. }
  45. if (EVP_PKEY_paramgen(pctx, &pkey) <= 0)
  46. goto err;
  47. } else {
  48. ERR_raise(ERR_LIB_CMS, CMS_R_DECODE_ERROR);
  49. goto err;
  50. }
  51. return pkey;
  52. err:
  53. EVP_PKEY_free(pkey);
  54. EVP_PKEY_CTX_free(pctx);
  55. return NULL;
  56. }
  57. static int ecdh_cms_set_peerkey(EVP_PKEY_CTX *pctx,
  58. X509_ALGOR *alg, ASN1_BIT_STRING *pubkey)
  59. {
  60. const ASN1_OBJECT *aoid;
  61. int atype;
  62. const void *aval;
  63. int rv = 0;
  64. EVP_PKEY *pkpeer = NULL;
  65. const unsigned char *p;
  66. int plen;
  67. X509_ALGOR_get0(&aoid, &atype, &aval, alg);
  68. if (OBJ_obj2nid(aoid) != NID_X9_62_id_ecPublicKey)
  69. goto err;
  70. /* If absent parameters get group from main key */
  71. if (atype == V_ASN1_UNDEF || atype == V_ASN1_NULL) {
  72. EVP_PKEY *pk;
  73. pk = EVP_PKEY_CTX_get0_pkey(pctx);
  74. if (pk == NULL)
  75. goto err;
  76. pkpeer = EVP_PKEY_new();
  77. if (pkpeer == NULL)
  78. goto err;
  79. if (!EVP_PKEY_copy_parameters(pkpeer, pk))
  80. goto err;
  81. } else {
  82. pkpeer = pkey_type2param(atype, aval,
  83. EVP_PKEY_CTX_get0_libctx(pctx),
  84. EVP_PKEY_CTX_get0_propq(pctx));
  85. if (pkpeer == NULL)
  86. goto err;
  87. }
  88. /* We have parameters now set public key */
  89. plen = ASN1_STRING_length(pubkey);
  90. p = ASN1_STRING_get0_data(pubkey);
  91. if (p == NULL || plen == 0)
  92. goto err;
  93. if (!EVP_PKEY_set1_encoded_public_key(pkpeer, p, plen))
  94. goto err;
  95. if (EVP_PKEY_derive_set_peer(pctx, pkpeer) > 0)
  96. rv = 1;
  97. err:
  98. EVP_PKEY_free(pkpeer);
  99. return rv;
  100. }
  101. /* Set KDF parameters based on KDF NID */
  102. static int ecdh_cms_set_kdf_param(EVP_PKEY_CTX *pctx, int eckdf_nid)
  103. {
  104. int kdf_nid, kdfmd_nid, cofactor;
  105. const EVP_MD *kdf_md;
  106. if (eckdf_nid == NID_undef)
  107. return 0;
  108. /* Lookup KDF type, cofactor mode and digest */
  109. if (!OBJ_find_sigid_algs(eckdf_nid, &kdfmd_nid, &kdf_nid))
  110. return 0;
  111. if (kdf_nid == NID_dh_std_kdf)
  112. cofactor = 0;
  113. else if (kdf_nid == NID_dh_cofactor_kdf)
  114. cofactor = 1;
  115. else
  116. return 0;
  117. if (EVP_PKEY_CTX_set_ecdh_cofactor_mode(pctx, cofactor) <= 0)
  118. return 0;
  119. if (EVP_PKEY_CTX_set_ecdh_kdf_type(pctx, EVP_PKEY_ECDH_KDF_X9_63) <= 0)
  120. return 0;
  121. kdf_md = EVP_get_digestbynid(kdfmd_nid);
  122. if (!kdf_md)
  123. return 0;
  124. if (EVP_PKEY_CTX_set_ecdh_kdf_md(pctx, kdf_md) <= 0)
  125. return 0;
  126. return 1;
  127. }
  128. static int ecdh_cms_set_shared_info(EVP_PKEY_CTX *pctx, CMS_RecipientInfo *ri)
  129. {
  130. int rv = 0;
  131. X509_ALGOR *alg, *kekalg = NULL;
  132. ASN1_OCTET_STRING *ukm;
  133. const unsigned char *p;
  134. unsigned char *der = NULL;
  135. int plen, keylen;
  136. EVP_CIPHER *kekcipher = NULL;
  137. EVP_CIPHER_CTX *kekctx;
  138. const char *name;
  139. if (!CMS_RecipientInfo_kari_get0_alg(ri, &alg, &ukm))
  140. return 0;
  141. if (!ecdh_cms_set_kdf_param(pctx, OBJ_obj2nid(alg->algorithm))) {
  142. ERR_raise(ERR_LIB_CMS, CMS_R_KDF_PARAMETER_ERROR);
  143. return 0;
  144. }
  145. if (alg->parameter->type != V_ASN1_SEQUENCE)
  146. return 0;
  147. p = alg->parameter->value.sequence->data;
  148. plen = alg->parameter->value.sequence->length;
  149. kekalg = d2i_X509_ALGOR(NULL, &p, plen);
  150. if (kekalg == NULL)
  151. goto err;
  152. kekctx = CMS_RecipientInfo_kari_get0_ctx(ri);
  153. if (kekctx == NULL)
  154. goto err;
  155. name = OBJ_nid2sn(OBJ_obj2nid(kekalg->algorithm));
  156. kekcipher = EVP_CIPHER_fetch(pctx->libctx, name, pctx->propquery);
  157. if (kekcipher == NULL || EVP_CIPHER_mode(kekcipher) != EVP_CIPH_WRAP_MODE)
  158. goto err;
  159. if (!EVP_EncryptInit_ex(kekctx, kekcipher, NULL, NULL, NULL))
  160. goto err;
  161. if (EVP_CIPHER_asn1_to_param(kekctx, kekalg->parameter) <= 0)
  162. goto err;
  163. keylen = EVP_CIPHER_CTX_key_length(kekctx);
  164. if (EVP_PKEY_CTX_set_ecdh_kdf_outlen(pctx, keylen) <= 0)
  165. goto err;
  166. plen = CMS_SharedInfo_encode(&der, kekalg, ukm, keylen);
  167. if (plen <= 0)
  168. goto err;
  169. if (EVP_PKEY_CTX_set0_ecdh_kdf_ukm(pctx, der, plen) <= 0)
  170. goto err;
  171. der = NULL;
  172. rv = 1;
  173. err:
  174. EVP_CIPHER_free(kekcipher);
  175. X509_ALGOR_free(kekalg);
  176. OPENSSL_free(der);
  177. return rv;
  178. }
  179. static int ecdh_cms_decrypt(CMS_RecipientInfo *ri)
  180. {
  181. EVP_PKEY_CTX *pctx;
  182. pctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
  183. if (pctx == NULL)
  184. return 0;
  185. /* See if we need to set peer key */
  186. if (!EVP_PKEY_CTX_get0_peerkey(pctx)) {
  187. X509_ALGOR *alg;
  188. ASN1_BIT_STRING *pubkey;
  189. if (!CMS_RecipientInfo_kari_get0_orig_id(ri, &alg, &pubkey,
  190. NULL, NULL, NULL))
  191. return 0;
  192. if (alg == NULL || pubkey == NULL)
  193. return 0;
  194. if (!ecdh_cms_set_peerkey(pctx, alg, pubkey)) {
  195. ERR_raise(ERR_LIB_CMS, CMS_R_PEER_KEY_ERROR);
  196. return 0;
  197. }
  198. }
  199. /* Set ECDH derivation parameters and initialise unwrap context */
  200. if (!ecdh_cms_set_shared_info(pctx, ri)) {
  201. ERR_raise(ERR_LIB_CMS, CMS_R_SHARED_INFO_ERROR);
  202. return 0;
  203. }
  204. return 1;
  205. }
  206. static int ecdh_cms_encrypt(CMS_RecipientInfo *ri)
  207. {
  208. EVP_PKEY_CTX *pctx;
  209. EVP_PKEY *pkey;
  210. EVP_CIPHER_CTX *ctx;
  211. int keylen;
  212. X509_ALGOR *talg, *wrap_alg = NULL;
  213. const ASN1_OBJECT *aoid;
  214. ASN1_BIT_STRING *pubkey;
  215. ASN1_STRING *wrap_str;
  216. ASN1_OCTET_STRING *ukm;
  217. unsigned char *penc = NULL;
  218. size_t penclen;
  219. int rv = 0;
  220. int ecdh_nid, kdf_type, kdf_nid, wrap_nid;
  221. const EVP_MD *kdf_md;
  222. pctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
  223. if (pctx == NULL)
  224. return 0;
  225. /* Get ephemeral key */
  226. pkey = EVP_PKEY_CTX_get0_pkey(pctx);
  227. if (!CMS_RecipientInfo_kari_get0_orig_id(ri, &talg, &pubkey,
  228. NULL, NULL, NULL))
  229. goto err;
  230. X509_ALGOR_get0(&aoid, NULL, NULL, talg);
  231. /* Is everything uninitialised? */
  232. if (aoid == OBJ_nid2obj(NID_undef)) {
  233. /* Set the key */
  234. penclen = EVP_PKEY_get1_encoded_public_key(pkey, &penc);
  235. ASN1_STRING_set0(pubkey, penc, penclen);
  236. pubkey->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07);
  237. pubkey->flags |= ASN1_STRING_FLAG_BITS_LEFT;
  238. penc = NULL;
  239. X509_ALGOR_set0(talg, OBJ_nid2obj(NID_X9_62_id_ecPublicKey),
  240. V_ASN1_UNDEF, NULL);
  241. }
  242. /* See if custom parameters set */
  243. kdf_type = EVP_PKEY_CTX_get_ecdh_kdf_type(pctx);
  244. if (kdf_type <= 0)
  245. goto err;
  246. if (!EVP_PKEY_CTX_get_ecdh_kdf_md(pctx, &kdf_md))
  247. goto err;
  248. ecdh_nid = EVP_PKEY_CTX_get_ecdh_cofactor_mode(pctx);
  249. if (ecdh_nid < 0)
  250. goto err;
  251. else if (ecdh_nid == 0)
  252. ecdh_nid = NID_dh_std_kdf;
  253. else if (ecdh_nid == 1)
  254. ecdh_nid = NID_dh_cofactor_kdf;
  255. if (kdf_type == EVP_PKEY_ECDH_KDF_NONE) {
  256. kdf_type = EVP_PKEY_ECDH_KDF_X9_63;
  257. if (EVP_PKEY_CTX_set_ecdh_kdf_type(pctx, kdf_type) <= 0)
  258. goto err;
  259. } else
  260. /* Unknown KDF */
  261. goto err;
  262. if (kdf_md == NULL) {
  263. /* Fixme later for better MD */
  264. kdf_md = EVP_sha1();
  265. if (EVP_PKEY_CTX_set_ecdh_kdf_md(pctx, kdf_md) <= 0)
  266. goto err;
  267. }
  268. if (!CMS_RecipientInfo_kari_get0_alg(ri, &talg, &ukm))
  269. goto err;
  270. /* Lookup NID for KDF+cofactor+digest */
  271. if (!OBJ_find_sigid_by_algs(&kdf_nid, EVP_MD_type(kdf_md), ecdh_nid))
  272. goto err;
  273. /* Get wrap NID */
  274. ctx = CMS_RecipientInfo_kari_get0_ctx(ri);
  275. wrap_nid = EVP_CIPHER_CTX_type(ctx);
  276. keylen = EVP_CIPHER_CTX_key_length(ctx);
  277. /* Package wrap algorithm in an AlgorithmIdentifier */
  278. wrap_alg = X509_ALGOR_new();
  279. if (wrap_alg == NULL)
  280. goto err;
  281. wrap_alg->algorithm = OBJ_nid2obj(wrap_nid);
  282. wrap_alg->parameter = ASN1_TYPE_new();
  283. if (wrap_alg->parameter == NULL)
  284. goto err;
  285. if (EVP_CIPHER_param_to_asn1(ctx, wrap_alg->parameter) <= 0)
  286. goto err;
  287. if (ASN1_TYPE_get(wrap_alg->parameter) == NID_undef) {
  288. ASN1_TYPE_free(wrap_alg->parameter);
  289. wrap_alg->parameter = NULL;
  290. }
  291. if (EVP_PKEY_CTX_set_ecdh_kdf_outlen(pctx, keylen) <= 0)
  292. goto err;
  293. penclen = CMS_SharedInfo_encode(&penc, wrap_alg, ukm, keylen);
  294. if (penclen == 0)
  295. goto err;
  296. if (EVP_PKEY_CTX_set0_ecdh_kdf_ukm(pctx, penc, penclen) <= 0)
  297. goto err;
  298. penc = NULL;
  299. /*
  300. * Now need to wrap encoding of wrap AlgorithmIdentifier into parameter
  301. * of another AlgorithmIdentifier.
  302. */
  303. penclen = i2d_X509_ALGOR(wrap_alg, &penc);
  304. if (penc == NULL || penclen == 0)
  305. goto err;
  306. wrap_str = ASN1_STRING_new();
  307. if (wrap_str == NULL)
  308. goto err;
  309. ASN1_STRING_set0(wrap_str, penc, penclen);
  310. penc = NULL;
  311. X509_ALGOR_set0(talg, OBJ_nid2obj(kdf_nid), V_ASN1_SEQUENCE, wrap_str);
  312. rv = 1;
  313. err:
  314. OPENSSL_free(penc);
  315. X509_ALGOR_free(wrap_alg);
  316. return rv;
  317. }
  318. int ossl_cms_ecdh_envelope(CMS_RecipientInfo *ri, int decrypt)
  319. {
  320. assert(decrypt == 0 || decrypt == 1);
  321. if (decrypt == 1)
  322. return ecdh_cms_decrypt(ri);
  323. if (decrypt == 0)
  324. return ecdh_cms_encrypt(ri);
  325. ERR_raise(ERR_LIB_CMS, CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE);
  326. return 0;
  327. }
  328. /* ECDSA and DSA implementation is the same */
  329. int ossl_cms_ecdsa_dsa_sign(CMS_SignerInfo *si, int verify)
  330. {
  331. assert(verify == 0 || verify == 1);
  332. if (verify == 0) {
  333. int snid, hnid;
  334. X509_ALGOR *alg1, *alg2;
  335. EVP_PKEY *pkey = si->pkey;
  336. CMS_SignerInfo_get0_algs(si, NULL, NULL, &alg1, &alg2);
  337. if (alg1 == NULL || alg1->algorithm == NULL)
  338. return -1;
  339. hnid = OBJ_obj2nid(alg1->algorithm);
  340. if (hnid == NID_undef)
  341. return -1;
  342. if (!OBJ_find_sigid_by_algs(&snid, hnid, EVP_PKEY_id(pkey)))
  343. return -1;
  344. X509_ALGOR_set0(alg2, OBJ_nid2obj(snid), V_ASN1_UNDEF, 0);
  345. }
  346. return 1;
  347. }