1 /*
2 * Copyright (c) 2004 - 2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "hx_locl.h"
35
36 struct hx509_crypto;
37
38 struct signature_alg;
39
40 struct hx509_generate_private_context {
41 const heim_oid *key_oid;
42 int isCA;
43 unsigned long num_bits;
44 };
45
46 struct hx509_private_key_ops {
47 const char *pemtype;
48 const heim_oid *key_oid;
49 int (*available)(const hx509_private_key,
50 const AlgorithmIdentifier *);
51 int (*get_spki)(hx509_context,
52 const hx509_private_key,
53 SubjectPublicKeyInfo *);
54 int (*export)(hx509_context context,
55 const hx509_private_key,
56 hx509_key_format_t,
57 heim_octet_string *);
58 int (*import)(hx509_context, const AlgorithmIdentifier *,
59 const void *, size_t, hx509_key_format_t,
60 hx509_private_key);
61 int (*generate_private_key)(hx509_context,
62 struct hx509_generate_private_context *,
63 hx509_private_key);
64 BIGNUM *(*get_internal)(hx509_context, hx509_private_key, const char *);
65 };
66
67 struct hx509_private_key {
68 unsigned int ref;
69 const struct signature_alg *md;
70 const heim_oid *signature_alg;
71 union {
72 RSA *rsa;
73 void *keydata;
74 #ifdef HAVE_OPENSSL
75 EC_KEY *ecdsa;
76 #endif
77 } private_key;
78 hx509_private_key_ops *ops;
79 };
80
81 /*
82 *
83 */
84
85 struct signature_alg {
86 const char *name;
87 const heim_oid *sig_oid;
88 const AlgorithmIdentifier *sig_alg;
89 const heim_oid *key_oid;
90 const AlgorithmIdentifier *digest_alg;
91 int flags;
92 #define PROVIDE_CONF 0x1
93 #define REQUIRE_SIGNER 0x2
94 #define SELF_SIGNED_OK 0x4
95
96 #define SIG_DIGEST 0x100
97 #define SIG_PUBLIC_SIG 0x200
98 #define SIG_SECRET 0x400
99
100 #define RA_RSA_USES_DIGEST_INFO 0x1000000
101
102 time_t best_before; /* refuse signature made after best before date */
103 const EVP_MD *(*evp_md)(void);
104 int (*verify_signature)(hx509_context context,
105 const struct signature_alg *,
106 const Certificate *,
107 const AlgorithmIdentifier *,
108 const heim_octet_string *,
109 const heim_octet_string *);
110 int (*create_signature)(hx509_context,
111 const struct signature_alg *,
112 const hx509_private_key,
113 const AlgorithmIdentifier *,
114 const heim_octet_string *,
115 AlgorithmIdentifier *,
116 heim_octet_string *);
117 int digest_size;
118 };
119
120 static const struct signature_alg *
121 find_sig_alg(const heim_oid *oid);
122
123 /*
124 *
125 */
126
127 static const heim_octet_string null_entry_oid = { 2, rk_UNCONST("\x05\x00") };
128
129 static const unsigned sha512_oid_tree[] = { 2, 16, 840, 1, 101, 3, 4, 2, 3 };
130 const AlgorithmIdentifier _hx509_signature_sha512_data = {
131 { 9, rk_UNCONST(sha512_oid_tree) }, rk_UNCONST(&null_entry_oid)
132 };
133
134 static const unsigned sha384_oid_tree[] = { 2, 16, 840, 1, 101, 3, 4, 2, 2 };
135 const AlgorithmIdentifier _hx509_signature_sha384_data = {
136 { 9, rk_UNCONST(sha384_oid_tree) }, rk_UNCONST(&null_entry_oid)
137 };
138
139 static const unsigned sha256_oid_tree[] = { 2, 16, 840, 1, 101, 3, 4, 2, 1 };
140 const AlgorithmIdentifier _hx509_signature_sha256_data = {
141 { 9, rk_UNCONST(sha256_oid_tree) }, rk_UNCONST(&null_entry_oid)
142 };
143
144 static const unsigned sha1_oid_tree[] = { 1, 3, 14, 3, 2, 26 };
145 const AlgorithmIdentifier _hx509_signature_sha1_data = {
146 { 6, rk_UNCONST(sha1_oid_tree) }, rk_UNCONST(&null_entry_oid)
147 };
148
149 static const unsigned md5_oid_tree[] = { 1, 2, 840, 113549, 2, 5 };
150 const AlgorithmIdentifier _hx509_signature_md5_data = {
151 { 6, rk_UNCONST(md5_oid_tree) }, rk_UNCONST(&null_entry_oid)
152 };
153
154 static const unsigned ecPublicKey[] ={ 1, 2, 840, 10045, 2, 1 };
155 const AlgorithmIdentifier _hx509_signature_ecPublicKey = {
156 { 6, rk_UNCONST(ecPublicKey) }, NULL
157 };
158
159 static const unsigned ecdsa_with_sha256_oid[] ={ 1, 2, 840, 10045, 4, 3, 2 };
160 const AlgorithmIdentifier _hx509_signature_ecdsa_with_sha256_data = {
161 { 7, rk_UNCONST(ecdsa_with_sha256_oid) }, NULL
162 };
163
164 static const unsigned ecdsa_with_sha1_oid[] ={ 1, 2, 840, 10045, 4, 1 };
165 const AlgorithmIdentifier _hx509_signature_ecdsa_with_sha1_data = {
166 { 6, rk_UNCONST(ecdsa_with_sha1_oid) }, NULL
167 };
168
169 static const unsigned rsa_with_sha512_oid[] ={ 1, 2, 840, 113549, 1, 1, 13 };
170 const AlgorithmIdentifier _hx509_signature_rsa_with_sha512_data = {
171 { 7, rk_UNCONST(rsa_with_sha512_oid) }, NULL
172 };
173
174 static const unsigned rsa_with_sha384_oid[] ={ 1, 2, 840, 113549, 1, 1, 12 };
175 const AlgorithmIdentifier _hx509_signature_rsa_with_sha384_data = {
176 { 7, rk_UNCONST(rsa_with_sha384_oid) }, NULL
177 };
178
179 static const unsigned rsa_with_sha256_oid[] ={ 1, 2, 840, 113549, 1, 1, 11 };
180 const AlgorithmIdentifier _hx509_signature_rsa_with_sha256_data = {
181 { 7, rk_UNCONST(rsa_with_sha256_oid) }, NULL
182 };
183
184 static const unsigned rsa_with_sha1_oid[] ={ 1, 2, 840, 113549, 1, 1, 5 };
185 const AlgorithmIdentifier _hx509_signature_rsa_with_sha1_data = {
186 { 7, rk_UNCONST(rsa_with_sha1_oid) }, NULL
187 };
188
189 static const unsigned rsa_with_md5_oid[] ={ 1, 2, 840, 113549, 1, 1, 4 };
190 const AlgorithmIdentifier _hx509_signature_rsa_with_md5_data = {
191 { 7, rk_UNCONST(rsa_with_md5_oid) }, NULL
192 };
193
194 static const unsigned rsa_oid[] ={ 1, 2, 840, 113549, 1, 1, 1 };
195 const AlgorithmIdentifier _hx509_signature_rsa_data = {
196 { 7, rk_UNCONST(rsa_oid) }, NULL
197 };
198
199 static const unsigned rsa_pkcs1_x509_oid[] ={ 1, 2, 752, 43, 16, 1 };
200 const AlgorithmIdentifier _hx509_signature_rsa_pkcs1_x509_data = {
201 { 6, rk_UNCONST(rsa_pkcs1_x509_oid) }, NULL
202 };
203
204 static const unsigned des_rsdi_ede3_cbc_oid[] ={ 1, 2, 840, 113549, 3, 7 };
205 const AlgorithmIdentifier _hx509_des_rsdi_ede3_cbc_oid = {
206 { 6, rk_UNCONST(des_rsdi_ede3_cbc_oid) }, NULL
207 };
208
209 static const unsigned aes128_cbc_oid[] ={ 2, 16, 840, 1, 101, 3, 4, 1, 2 };
210 const AlgorithmIdentifier _hx509_crypto_aes128_cbc_data = {
211 { 9, rk_UNCONST(aes128_cbc_oid) }, NULL
212 };
213
214 static const unsigned aes256_cbc_oid[] ={ 2, 16, 840, 1, 101, 3, 4, 1, 42 };
215 const AlgorithmIdentifier _hx509_crypto_aes256_cbc_data = {
216 { 9, rk_UNCONST(aes256_cbc_oid) }, NULL
217 };
218
219 /*
220 *
221 */
222
223 static BIGNUM *
heim_int2BN(const heim_integer * i)224 heim_int2BN(const heim_integer *i)
225 {
226 BIGNUM *bn;
227
228 bn = BN_bin2bn(i->data, i->length, NULL);
229 BN_set_negative(bn, i->negative);
230 return bn;
231 }
232
233 /*
234 *
235 */
236
237 static int
set_digest_alg(DigestAlgorithmIdentifier * id,const heim_oid * oid,const void * param,size_t length)238 set_digest_alg(DigestAlgorithmIdentifier *id,
239 const heim_oid *oid,
240 const void *param, size_t length)
241 {
242 int ret;
243 if (param) {
244 id->parameters = malloc(sizeof(*id->parameters));
245 if (id->parameters == NULL)
246 return ENOMEM;
247 id->parameters->data = malloc(length);
248 if (id->parameters->data == NULL) {
249 free(id->parameters);
250 id->parameters = NULL;
251 return ENOMEM;
252 }
253 memcpy(id->parameters->data, param, length);
254 id->parameters->length = length;
255 } else
256 id->parameters = NULL;
257 ret = der_copy_oid(oid, &id->algorithm);
258 if (ret) {
259 if (id->parameters) {
260 free(id->parameters->data);
261 free(id->parameters);
262 id->parameters = NULL;
263 }
264 return ret;
265 }
266 return 0;
267 }
268
269 #ifdef HAVE_OPENSSL
270
271 static int
heim_oid2ecnid(heim_oid * oid)272 heim_oid2ecnid(heim_oid *oid)
273 {
274 /*
275 * Now map to openssl OID fun
276 */
277
278 if (der_heim_oid_cmp(oid, ASN1_OID_ID_EC_GROUP_SECP256R1) == 0)
279 return NID_X9_62_prime256v1;
280 else if (der_heim_oid_cmp(oid, ASN1_OID_ID_EC_GROUP_SECP160R1) == 0)
281 return NID_secp160r1;
282 else if (der_heim_oid_cmp(oid, ASN1_OID_ID_EC_GROUP_SECP160R2) == 0)
283 return NID_secp160r2;
284
285 return -1;
286 }
287
288 static int
parse_ECParameters(hx509_context context,heim_octet_string * parameters,int * nid)289 parse_ECParameters(hx509_context context,
290 heim_octet_string *parameters, int *nid)
291 {
292 ECParameters ecparam;
293 size_t size;
294 int ret;
295
296 if (parameters == NULL) {
297 ret = HX509_PARSING_KEY_FAILED;
298 hx509_set_error_string(context, 0, ret,
299 "EC parameters missing");
300 return ret;
301 }
302
303 ret = decode_ECParameters(parameters->data, parameters->length,
304 &ecparam, &size);
305 if (ret) {
306 hx509_set_error_string(context, 0, ret,
307 "Failed to decode EC parameters");
308 return ret;
309 }
310
311 if (ecparam.element != choice_ECParameters_namedCurve) {
312 free_ECParameters(&ecparam);
313 hx509_set_error_string(context, 0, ret,
314 "EC parameters is not a named curve");
315 return HX509_CRYPTO_SIG_INVALID_FORMAT;
316 }
317
318 *nid = heim_oid2ecnid(&ecparam.u.namedCurve);
319 free_ECParameters(&ecparam);
320 if (*nid == -1) {
321 hx509_set_error_string(context, 0, ret,
322 "Failed to find matcing NID for EC curve");
323 return HX509_CRYPTO_SIG_INVALID_FORMAT;
324 }
325 return 0;
326 }
327
328
329 /*
330 *
331 */
332
333 static int
ecdsa_verify_signature(hx509_context context,const struct signature_alg * sig_alg,const Certificate * signer,const AlgorithmIdentifier * alg,const heim_octet_string * data,const heim_octet_string * sig)334 ecdsa_verify_signature(hx509_context context,
335 const struct signature_alg *sig_alg,
336 const Certificate *signer,
337 const AlgorithmIdentifier *alg,
338 const heim_octet_string *data,
339 const heim_octet_string *sig)
340 {
341 const AlgorithmIdentifier *digest_alg;
342 const SubjectPublicKeyInfo *spi;
343 heim_octet_string digest;
344 int ret;
345 EC_KEY *key = NULL;
346 int groupnid;
347 EC_GROUP *group;
348 const unsigned char *p;
349 long len;
350
351 digest_alg = sig_alg->digest_alg;
352
353 ret = _hx509_create_signature(context,
354 NULL,
355 digest_alg,
356 data,
357 NULL,
358 &digest);
359 if (ret)
360 return ret;
361
362 /* set up EC KEY */
363 spi = &signer->tbsCertificate.subjectPublicKeyInfo;
364
365 if (der_heim_oid_cmp(&spi->algorithm.algorithm, ASN1_OID_ID_ECPUBLICKEY) != 0)
366 return HX509_CRYPTO_SIG_INVALID_FORMAT;
367
368 #ifdef HAVE_OPENSSL
369 /*
370 * Find the group id
371 */
372
373 ret = parse_ECParameters(context, spi->algorithm.parameters, &groupnid);
374 if (ret) {
375 der_free_octet_string(&digest);
376 return ret;
377 }
378
379 /*
380 * Create group, key, parse key
381 */
382
383 key = EC_KEY_new();
384 group = EC_GROUP_new_by_curve_name(groupnid);
385 EC_KEY_set_group(key, group);
386 EC_GROUP_free(group);
387
388 p = spi->subjectPublicKey.data;
389 len = spi->subjectPublicKey.length / 8;
390
391 if (o2i_ECPublicKey(&key, &p, len) == NULL) {
392 EC_KEY_free(key);
393 return HX509_CRYPTO_SIG_INVALID_FORMAT;
394 }
395 #else
396 key = SubjectPublicKeyInfo2EC_KEY(spi);
397 #endif
398
399 ret = ECDSA_verify(-1, digest.data, digest.length,
400 sig->data, sig->length, key);
401 der_free_octet_string(&digest);
402 EC_KEY_free(key);
403 if (ret != 1) {
404 ret = HX509_CRYPTO_SIG_INVALID_FORMAT;
405 return ret;
406 }
407
408 return 0;
409 }
410
411 static int
ecdsa_create_signature(hx509_context context,const struct signature_alg * sig_alg,const hx509_private_key signer,const AlgorithmIdentifier * alg,const heim_octet_string * data,AlgorithmIdentifier * signatureAlgorithm,heim_octet_string * sig)412 ecdsa_create_signature(hx509_context context,
413 const struct signature_alg *sig_alg,
414 const hx509_private_key signer,
415 const AlgorithmIdentifier *alg,
416 const heim_octet_string *data,
417 AlgorithmIdentifier *signatureAlgorithm,
418 heim_octet_string *sig)
419 {
420 const AlgorithmIdentifier *digest_alg;
421 heim_octet_string indata;
422 const heim_oid *sig_oid;
423 unsigned int siglen;
424 int ret;
425
426 if (signer->ops && der_heim_oid_cmp(signer->ops->key_oid, ASN1_OID_ID_ECPUBLICKEY) != 0)
427 _hx509_abort("internal error passing private key to wrong ops");
428
429 sig_oid = sig_alg->sig_oid;
430 digest_alg = sig_alg->digest_alg;
431
432 if (signatureAlgorithm) {
433 ret = set_digest_alg(signatureAlgorithm, sig_oid, "\x05\x00", 2);
434 if (ret) {
435 hx509_clear_error_string(context);
436 goto error;
437 }
438 }
439
440 ret = _hx509_create_signature(context,
441 NULL,
442 digest_alg,
443 data,
444 NULL,
445 &indata);
446 if (ret) {
447 if (signatureAlgorithm)
448 free_AlgorithmIdentifier(signatureAlgorithm);
449 goto error;
450 }
451
452 sig->length = ECDSA_size(signer->private_key.ecdsa);
453 sig->data = malloc(sig->length);
454 if (sig->data == NULL) {
455 der_free_octet_string(&indata);
456 ret = ENOMEM;
457 hx509_set_error_string(context, 0, ret, "out of memory");
458 goto error;
459 }
460
461 siglen = sig->length;
462
463 ret = ECDSA_sign(-1, indata.data, indata.length,
464 sig->data, &siglen, signer->private_key.ecdsa);
465 der_free_octet_string(&indata);
466 if (ret != 1) {
467 ret = HX509_CMS_FAILED_CREATE_SIGATURE;
468 hx509_set_error_string(context, 0, ret,
469 "ECDSA sign failed: %d", ret);
470 goto error;
471 }
472 if (siglen > sig->length)
473 _hx509_abort("ECDSA signature prelen longer the output len");
474
475 sig->length = siglen;
476
477 return 0;
478 error:
479 if (signatureAlgorithm)
480 free_AlgorithmIdentifier(signatureAlgorithm);
481 return ret;
482 }
483
484 static int
ecdsa_available(const hx509_private_key signer,const AlgorithmIdentifier * sig_alg)485 ecdsa_available(const hx509_private_key signer,
486 const AlgorithmIdentifier *sig_alg)
487 {
488 const struct signature_alg *sig;
489 const EC_GROUP *group;
490 BN_CTX *bnctx = NULL;
491 BIGNUM *order = NULL;
492 int ret = 0;
493
494 if (der_heim_oid_cmp(signer->ops->key_oid, &asn1_oid_id_ecPublicKey) != 0)
495 _hx509_abort("internal error passing private key to wrong ops");
496
497 sig = find_sig_alg(&sig_alg->algorithm);
498
499 if (sig == NULL || sig->digest_size == 0)
500 return 0;
501
502 group = EC_KEY_get0_group(signer->private_key.ecdsa);
503 if (group == NULL)
504 return 0;
505
506 bnctx = BN_CTX_new();
507 order = BN_new();
508 if (order == NULL)
509 goto err;
510
511 if (EC_GROUP_get_order(group, order, bnctx) != 1)
512 goto err;
513
514 if (BN_num_bytes(order) > sig->digest_size)
515 ret = 1;
516 err:
517 if (bnctx)
518 BN_CTX_free(bnctx);
519 if (order)
520 BN_clear_free(order);
521
522 return ret;
523 }
524
525
526 #endif /* HAVE_OPENSSL */
527
528 /*
529 *
530 */
531
532 static int
rsa_verify_signature(hx509_context context,const struct signature_alg * sig_alg,const Certificate * signer,const AlgorithmIdentifier * alg,const heim_octet_string * data,const heim_octet_string * sig)533 rsa_verify_signature(hx509_context context,
534 const struct signature_alg *sig_alg,
535 const Certificate *signer,
536 const AlgorithmIdentifier *alg,
537 const heim_octet_string *data,
538 const heim_octet_string *sig)
539 {
540 const SubjectPublicKeyInfo *spi;
541 DigestInfo di;
542 unsigned char *to;
543 int tosize, retsize;
544 int ret;
545 RSA *rsa;
546 size_t size;
547 const unsigned char *p;
548
549 memset(&di, 0, sizeof(di));
550
551 spi = &signer->tbsCertificate.subjectPublicKeyInfo;
552
553 p = spi->subjectPublicKey.data;
554 size = spi->subjectPublicKey.length / 8;
555
556 rsa = d2i_RSAPublicKey(NULL, &p, size);
557 if (rsa == NULL) {
558 ret = ENOMEM;
559 hx509_set_error_string(context, 0, ret, "out of memory");
560 goto out;
561 }
562
563 tosize = RSA_size(rsa);
564 to = malloc(tosize);
565 if (to == NULL) {
566 ret = ENOMEM;
567 hx509_set_error_string(context, 0, ret, "out of memory");
568 goto out;
569 }
570
571 retsize = RSA_public_decrypt(sig->length, (unsigned char *)sig->data,
572 to, rsa, RSA_PKCS1_PADDING);
573 if (retsize <= 0) {
574 ret = HX509_CRYPTO_SIG_INVALID_FORMAT;
575 hx509_set_error_string(context, 0, ret,
576 "RSA public decrypt failed: %d", retsize);
577 free(to);
578 goto out;
579 }
580 if (retsize > tosize)
581 _hx509_abort("internal rsa decryption failure: ret > tosize");
582
583 if (sig_alg->flags & RA_RSA_USES_DIGEST_INFO) {
584
585 ret = decode_DigestInfo(to, retsize, &di, &size);
586 free(to);
587 if (ret) {
588 goto out;
589 }
590
591 /* Check for extra data inside the sigature */
592 if (size != (size_t)retsize) {
593 ret = HX509_CRYPTO_SIG_INVALID_FORMAT;
594 hx509_set_error_string(context, 0, ret, "size from decryption mismatch");
595 goto out;
596 }
597
598 if (sig_alg->digest_alg &&
599 der_heim_oid_cmp(&di.digestAlgorithm.algorithm,
600 &sig_alg->digest_alg->algorithm) != 0)
601 {
602 ret = HX509_CRYPTO_OID_MISMATCH;
603 hx509_set_error_string(context, 0, ret, "object identifier in RSA sig mismatch");
604 goto out;
605 }
606
607 /* verify that the parameters are NULL or the NULL-type */
608 if (di.digestAlgorithm.parameters != NULL &&
609 (di.digestAlgorithm.parameters->length != 2 ||
610 memcmp(di.digestAlgorithm.parameters->data, "\x05\x00", 2) != 0))
611 {
612 ret = HX509_CRYPTO_SIG_INVALID_FORMAT;
613 hx509_set_error_string(context, 0, ret, "Extra parameters inside RSA signature");
614 goto out;
615 }
616
617 ret = _hx509_verify_signature(context,
618 NULL,
619 &di.digestAlgorithm,
620 data,
621 &di.digest);
622 } else {
623 if ((size_t)retsize != data->length ||
624 ct_memcmp(to, data->data, retsize) != 0)
625 {
626 ret = HX509_CRYPTO_SIG_INVALID_FORMAT;
627 hx509_set_error_string(context, 0, ret, "RSA Signature incorrect");
628 goto out;
629 }
630 free(to);
631 }
632 ret = 0;
633
634 out:
635 free_DigestInfo(&di);
636 if (rsa)
637 RSA_free(rsa);
638 return ret;
639 }
640
641 static int
rsa_create_signature(hx509_context context,const struct signature_alg * sig_alg,const hx509_private_key signer,const AlgorithmIdentifier * alg,const heim_octet_string * data,AlgorithmIdentifier * signatureAlgorithm,heim_octet_string * sig)642 rsa_create_signature(hx509_context context,
643 const struct signature_alg *sig_alg,
644 const hx509_private_key signer,
645 const AlgorithmIdentifier *alg,
646 const heim_octet_string *data,
647 AlgorithmIdentifier *signatureAlgorithm,
648 heim_octet_string *sig)
649 {
650 const AlgorithmIdentifier *digest_alg;
651 heim_octet_string indata;
652 const heim_oid *sig_oid;
653 size_t size;
654 int ret;
655
656 if (signer->ops && der_heim_oid_cmp(signer->ops->key_oid, ASN1_OID_ID_PKCS1_RSAENCRYPTION) != 0)
657 return HX509_ALG_NOT_SUPP;
658
659 if (alg)
660 sig_oid = &alg->algorithm;
661 else
662 sig_oid = signer->signature_alg;
663
664 if (der_heim_oid_cmp(sig_oid, ASN1_OID_ID_PKCS1_SHA512WITHRSAENCRYPTION) == 0) {
665 digest_alg = hx509_signature_sha512();
666 } else if (der_heim_oid_cmp(sig_oid, ASN1_OID_ID_PKCS1_SHA384WITHRSAENCRYPTION) == 0) {
667 digest_alg = hx509_signature_sha384();
668 } else if (der_heim_oid_cmp(sig_oid, ASN1_OID_ID_PKCS1_SHA256WITHRSAENCRYPTION) == 0) {
669 digest_alg = hx509_signature_sha256();
670 } else if (der_heim_oid_cmp(sig_oid, ASN1_OID_ID_PKCS1_SHA1WITHRSAENCRYPTION) == 0) {
671 digest_alg = hx509_signature_sha1();
672 } else if (der_heim_oid_cmp(sig_oid, ASN1_OID_ID_PKCS1_MD5WITHRSAENCRYPTION) == 0) {
673 digest_alg = hx509_signature_md5();
674 } else if (der_heim_oid_cmp(sig_oid, ASN1_OID_ID_PKCS1_MD5WITHRSAENCRYPTION) == 0) {
675 digest_alg = hx509_signature_md5();
676 } else if (der_heim_oid_cmp(sig_oid, ASN1_OID_ID_DSA_WITH_SHA1) == 0) {
677 digest_alg = hx509_signature_sha1();
678 } else if (der_heim_oid_cmp(sig_oid, ASN1_OID_ID_PKCS1_RSAENCRYPTION) == 0) {
679 digest_alg = hx509_signature_sha1();
680 } else if (der_heim_oid_cmp(sig_oid, ASN1_OID_ID_HEIM_RSA_PKCS1_X509) == 0) {
681 digest_alg = NULL;
682 } else
683 return HX509_ALG_NOT_SUPP;
684
685 if (signatureAlgorithm) {
686 ret = set_digest_alg(signatureAlgorithm, sig_oid, "\x05\x00", 2);
687 if (ret) {
688 hx509_clear_error_string(context);
689 return ret;
690 }
691 }
692
693 if (digest_alg) {
694 DigestInfo di;
695 memset(&di, 0, sizeof(di));
696
697 ret = _hx509_create_signature(context,
698 NULL,
699 digest_alg,
700 data,
701 &di.digestAlgorithm,
702 &di.digest);
703 if (ret)
704 return ret;
705 ASN1_MALLOC_ENCODE(DigestInfo,
706 indata.data,
707 indata.length,
708 &di,
709 &size,
710 ret);
711 free_DigestInfo(&di);
712 if (ret) {
713 hx509_set_error_string(context, 0, ret, "out of memory");
714 return ret;
715 }
716 if (indata.length != size)
717 _hx509_abort("internal ASN.1 encoder error");
718 } else {
719 indata = *data;
720 }
721
722 sig->length = RSA_size(signer->private_key.rsa);
723 sig->data = malloc(sig->length);
724 if (sig->data == NULL) {
725 der_free_octet_string(&indata);
726 hx509_set_error_string(context, 0, ENOMEM, "out of memory");
727 return ENOMEM;
728 }
729
730 ret = RSA_private_encrypt(indata.length, indata.data,
731 sig->data,
732 signer->private_key.rsa,
733 RSA_PKCS1_PADDING);
734 if (indata.data != data->data)
735 der_free_octet_string(&indata);
736 if (ret <= 0) {
737 ret = HX509_CMS_FAILED_CREATE_SIGATURE;
738 hx509_set_error_string(context, 0, ret,
739 "RSA private encrypt failed: %d", ret);
740 return ret;
741 }
742 if ((size_t)ret > sig->length)
743 _hx509_abort("RSA signature prelen longer the output len");
744
745 sig->length = ret;
746
747 return 0;
748 }
749
750 static int
rsa_private_key_import(hx509_context context,const AlgorithmIdentifier * keyai,const void * data,size_t len,hx509_key_format_t format,hx509_private_key private_key)751 rsa_private_key_import(hx509_context context,
752 const AlgorithmIdentifier *keyai,
753 const void *data,
754 size_t len,
755 hx509_key_format_t format,
756 hx509_private_key private_key)
757 {
758 switch (format) {
759 case HX509_KEY_FORMAT_DER: {
760 const unsigned char *p = data;
761
762 private_key->private_key.rsa =
763 d2i_RSAPrivateKey(NULL, &p, len);
764 if (private_key->private_key.rsa == NULL) {
765 hx509_set_error_string(context, 0, HX509_PARSING_KEY_FAILED,
766 "Failed to parse RSA key");
767 return HX509_PARSING_KEY_FAILED;
768 }
769 private_key->signature_alg = ASN1_OID_ID_PKCS1_SHA1WITHRSAENCRYPTION;
770 break;
771
772 }
773 default:
774 return HX509_CRYPTO_KEY_FORMAT_UNSUPPORTED;
775 }
776
777 return 0;
778 }
779
780 static int
rsa_private_key2SPKI(hx509_context context,hx509_private_key private_key,SubjectPublicKeyInfo * spki)781 rsa_private_key2SPKI(hx509_context context,
782 hx509_private_key private_key,
783 SubjectPublicKeyInfo *spki)
784 {
785 int len, ret;
786
787 memset(spki, 0, sizeof(*spki));
788
789 len = i2d_RSAPublicKey(private_key->private_key.rsa, NULL);
790
791 spki->subjectPublicKey.data = malloc(len);
792 if (spki->subjectPublicKey.data == NULL) {
793 hx509_set_error_string(context, 0, ENOMEM, "malloc - out of memory");
794 return ENOMEM;
795 }
796 spki->subjectPublicKey.length = len * 8;
797
798 ret = set_digest_alg(&spki->algorithm, ASN1_OID_ID_PKCS1_RSAENCRYPTION,
799 "\x05\x00", 2);
800 if (ret) {
801 hx509_set_error_string(context, 0, ret, "malloc - out of memory");
802 free(spki->subjectPublicKey.data);
803 spki->subjectPublicKey.data = NULL;
804 spki->subjectPublicKey.length = 0;
805 return ret;
806 }
807
808 {
809 unsigned char *pp = spki->subjectPublicKey.data;
810 i2d_RSAPublicKey(private_key->private_key.rsa, &pp);
811 }
812
813 return 0;
814 }
815
816 static int
rsa_generate_private_key(hx509_context context,struct hx509_generate_private_context * ctx,hx509_private_key private_key)817 rsa_generate_private_key(hx509_context context,
818 struct hx509_generate_private_context *ctx,
819 hx509_private_key private_key)
820 {
821 BIGNUM *e;
822 int ret;
823 unsigned long bits;
824
825 static const int default_rsa_e = 65537;
826 static const int default_rsa_bits = 2048;
827
828 private_key->private_key.rsa = RSA_new();
829 if (private_key->private_key.rsa == NULL) {
830 hx509_set_error_string(context, 0, HX509_PARSING_KEY_FAILED,
831 "Failed to generate RSA key");
832 return HX509_PARSING_KEY_FAILED;
833 }
834
835 e = BN_new();
836 BN_set_word(e, default_rsa_e);
837
838 bits = default_rsa_bits;
839
840 if (ctx->num_bits)
841 bits = ctx->num_bits;
842
843 ret = RSA_generate_key_ex(private_key->private_key.rsa, bits, e, NULL);
844 BN_free(e);
845 if (ret != 1) {
846 hx509_set_error_string(context, 0, HX509_PARSING_KEY_FAILED,
847 "Failed to generate RSA key");
848 return HX509_PARSING_KEY_FAILED;
849 }
850 private_key->signature_alg = ASN1_OID_ID_PKCS1_SHA1WITHRSAENCRYPTION;
851
852 return 0;
853 }
854
855 static int
rsa_private_key_export(hx509_context context,const hx509_private_key key,hx509_key_format_t format,heim_octet_string * data)856 rsa_private_key_export(hx509_context context,
857 const hx509_private_key key,
858 hx509_key_format_t format,
859 heim_octet_string *data)
860 {
861 int ret;
862
863 data->data = NULL;
864 data->length = 0;
865
866 switch (format) {
867 case HX509_KEY_FORMAT_DER:
868
869 ret = i2d_RSAPrivateKey(key->private_key.rsa, NULL);
870 if (ret <= 0) {
871 ret = EINVAL;
872 hx509_set_error_string(context, 0, ret,
873 "Private key is not exportable");
874 return ret;
875 }
876
877 data->data = malloc(ret);
878 if (data->data == NULL) {
879 ret = ENOMEM;
880 hx509_set_error_string(context, 0, ret, "malloc out of memory");
881 return ret;
882 }
883 data->length = ret;
884
885 {
886 unsigned char *p = data->data;
887 i2d_RSAPrivateKey(key->private_key.rsa, &p);
888 }
889 break;
890 default:
891 return HX509_CRYPTO_KEY_FORMAT_UNSUPPORTED;
892 }
893
894 return 0;
895 }
896
897 static BIGNUM *
rsa_get_internal(hx509_context context,hx509_private_key key,const char * type)898 rsa_get_internal(hx509_context context,
899 hx509_private_key key,
900 const char *type)
901 {
902 if (strcasecmp(type, "rsa-modulus") == 0) {
903 return BN_dup(key->private_key.rsa->n);
904 } else if (strcasecmp(type, "rsa-exponent") == 0) {
905 return BN_dup(key->private_key.rsa->e);
906 } else
907 return NULL;
908 }
909
910
911
912 static hx509_private_key_ops rsa_private_key_ops = {
913 "RSA PRIVATE KEY",
914 ASN1_OID_ID_PKCS1_RSAENCRYPTION,
915 NULL,
916 rsa_private_key2SPKI,
917 rsa_private_key_export,
918 rsa_private_key_import,
919 rsa_generate_private_key,
920 rsa_get_internal
921 };
922
923 #ifdef HAVE_OPENSSL
924
925 static int
ecdsa_private_key2SPKI(hx509_context context,hx509_private_key private_key,SubjectPublicKeyInfo * spki)926 ecdsa_private_key2SPKI(hx509_context context,
927 hx509_private_key private_key,
928 SubjectPublicKeyInfo *spki)
929 {
930 memset(spki, 0, sizeof(*spki));
931 return ENOMEM;
932 }
933
934 static int
ecdsa_private_key_export(hx509_context context,const hx509_private_key key,hx509_key_format_t format,heim_octet_string * data)935 ecdsa_private_key_export(hx509_context context,
936 const hx509_private_key key,
937 hx509_key_format_t format,
938 heim_octet_string *data)
939 {
940 return HX509_CRYPTO_KEY_FORMAT_UNSUPPORTED;
941 }
942
943 static int
ecdsa_private_key_import(hx509_context context,const AlgorithmIdentifier * keyai,const void * data,size_t len,hx509_key_format_t format,hx509_private_key private_key)944 ecdsa_private_key_import(hx509_context context,
945 const AlgorithmIdentifier *keyai,
946 const void *data,
947 size_t len,
948 hx509_key_format_t format,
949 hx509_private_key private_key)
950 {
951 const unsigned char *p = data;
952 EC_KEY **pkey = NULL;
953
954 if (keyai->parameters) {
955 EC_GROUP *group;
956 int groupnid;
957 EC_KEY *key;
958 int ret;
959
960 ret = parse_ECParameters(context, keyai->parameters, &groupnid);
961 if (ret)
962 return ret;
963
964 key = EC_KEY_new();
965 if (key == NULL)
966 return ENOMEM;
967
968 group = EC_GROUP_new_by_curve_name(groupnid);
969 if (group == NULL) {
970 EC_KEY_free(key);
971 return ENOMEM;
972 }
973 EC_GROUP_set_asn1_flag(group, OPENSSL_EC_NAMED_CURVE);
974 if (EC_KEY_set_group(key, group) == 0) {
975 EC_KEY_free(key);
976 EC_GROUP_free(group);
977 return ENOMEM;
978 }
979 EC_GROUP_free(group);
980 pkey = &key;
981 }
982
983 switch (format) {
984 case HX509_KEY_FORMAT_DER:
985
986 private_key->private_key.ecdsa = d2i_ECPrivateKey(pkey, &p, len);
987 if (private_key->private_key.ecdsa == NULL) {
988 hx509_set_error_string(context, 0, HX509_PARSING_KEY_FAILED,
989 "Failed to parse EC private key");
990 return HX509_PARSING_KEY_FAILED;
991 }
992 private_key->signature_alg = ASN1_OID_ID_ECDSA_WITH_SHA256;
993 break;
994
995 default:
996 return HX509_CRYPTO_KEY_FORMAT_UNSUPPORTED;
997 }
998
999 return 0;
1000 }
1001
1002 static int
ecdsa_generate_private_key(hx509_context context,struct hx509_generate_private_context * ctx,hx509_private_key private_key)1003 ecdsa_generate_private_key(hx509_context context,
1004 struct hx509_generate_private_context *ctx,
1005 hx509_private_key private_key)
1006 {
1007 return ENOMEM;
1008 }
1009
1010 static BIGNUM *
ecdsa_get_internal(hx509_context context,hx509_private_key key,const char * type)1011 ecdsa_get_internal(hx509_context context,
1012 hx509_private_key key,
1013 const char *type)
1014 {
1015 return NULL;
1016 }
1017
1018
1019 static hx509_private_key_ops ecdsa_private_key_ops = {
1020 "EC PRIVATE KEY",
1021 ASN1_OID_ID_ECPUBLICKEY,
1022 ecdsa_available,
1023 ecdsa_private_key2SPKI,
1024 ecdsa_private_key_export,
1025 ecdsa_private_key_import,
1026 ecdsa_generate_private_key,
1027 ecdsa_get_internal
1028 };
1029
1030 #endif /* HAVE_OPENSSL */
1031
1032 /*
1033 *
1034 */
1035
1036 static int
dsa_verify_signature(hx509_context context,const struct signature_alg * sig_alg,const Certificate * signer,const AlgorithmIdentifier * alg,const heim_octet_string * data,const heim_octet_string * sig)1037 dsa_verify_signature(hx509_context context,
1038 const struct signature_alg *sig_alg,
1039 const Certificate *signer,
1040 const AlgorithmIdentifier *alg,
1041 const heim_octet_string *data,
1042 const heim_octet_string *sig)
1043 {
1044 const SubjectPublicKeyInfo *spi;
1045 DSAPublicKey pk;
1046 DSAParams param;
1047 size_t size;
1048 DSA *dsa;
1049 int ret;
1050
1051 spi = &signer->tbsCertificate.subjectPublicKeyInfo;
1052
1053 dsa = DSA_new();
1054 if (dsa == NULL) {
1055 hx509_set_error_string(context, 0, ENOMEM, "out of memory");
1056 return ENOMEM;
1057 }
1058
1059 ret = decode_DSAPublicKey(spi->subjectPublicKey.data,
1060 spi->subjectPublicKey.length / 8,
1061 &pk, &size);
1062 if (ret)
1063 goto out;
1064
1065 dsa->pub_key = heim_int2BN(&pk);
1066
1067 free_DSAPublicKey(&pk);
1068
1069 if (dsa->pub_key == NULL) {
1070 ret = ENOMEM;
1071 hx509_set_error_string(context, 0, ret, "out of memory");
1072 goto out;
1073 }
1074
1075 if (spi->algorithm.parameters == NULL) {
1076 ret = HX509_CRYPTO_SIG_INVALID_FORMAT;
1077 hx509_set_error_string(context, 0, ret, "DSA parameters missing");
1078 goto out;
1079 }
1080
1081 ret = decode_DSAParams(spi->algorithm.parameters->data,
1082 spi->algorithm.parameters->length,
1083 ¶m,
1084 &size);
1085 if (ret) {
1086 hx509_set_error_string(context, 0, ret, "DSA parameters failed to decode");
1087 goto out;
1088 }
1089
1090 dsa->p = heim_int2BN(¶m.p);
1091 dsa->q = heim_int2BN(¶m.q);
1092 dsa->g = heim_int2BN(¶m.g);
1093
1094 free_DSAParams(¶m);
1095
1096 if (dsa->p == NULL || dsa->q == NULL || dsa->g == NULL) {
1097 ret = ENOMEM;
1098 hx509_set_error_string(context, 0, ret, "out of memory");
1099 goto out;
1100 }
1101
1102 ret = DSA_verify(-1, data->data, data->length,
1103 (unsigned char*)sig->data, sig->length,
1104 dsa);
1105 if (ret == 1)
1106 ret = 0;
1107 else if (ret == 0 || ret == -1) {
1108 ret = HX509_CRYPTO_BAD_SIGNATURE;
1109 hx509_set_error_string(context, 0, ret, "BAD DSA sigature");
1110 } else {
1111 ret = HX509_CRYPTO_SIG_INVALID_FORMAT;
1112 hx509_set_error_string(context, 0, ret, "Invalid format of DSA sigature");
1113 }
1114
1115 out:
1116 DSA_free(dsa);
1117
1118 return ret;
1119 }
1120
1121 #if 0
1122 static int
1123 dsa_parse_private_key(hx509_context context,
1124 const void *data,
1125 size_t len,
1126 hx509_private_key private_key)
1127 {
1128 const unsigned char *p = data;
1129
1130 private_key->private_key.dsa =
1131 d2i_DSAPrivateKey(NULL, &p, len);
1132 if (private_key->private_key.dsa == NULL)
1133 return EINVAL;
1134 private_key->signature_alg = ASN1_OID_ID_DSA_WITH_SHA1;
1135
1136 return 0;
1137 /* else */
1138 hx509_set_error_string(context, 0, HX509_PARSING_KEY_FAILED,
1139 "No support to parse DSA keys");
1140 return HX509_PARSING_KEY_FAILED;
1141 }
1142 #endif
1143
1144 static int
evp_md_create_signature(hx509_context context,const struct signature_alg * sig_alg,const hx509_private_key signer,const AlgorithmIdentifier * alg,const heim_octet_string * data,AlgorithmIdentifier * signatureAlgorithm,heim_octet_string * sig)1145 evp_md_create_signature(hx509_context context,
1146 const struct signature_alg *sig_alg,
1147 const hx509_private_key signer,
1148 const AlgorithmIdentifier *alg,
1149 const heim_octet_string *data,
1150 AlgorithmIdentifier *signatureAlgorithm,
1151 heim_octet_string *sig)
1152 {
1153 size_t sigsize = EVP_MD_size(sig_alg->evp_md());
1154 EVP_MD_CTX *ctx;
1155
1156 memset(sig, 0, sizeof(*sig));
1157
1158 if (signatureAlgorithm) {
1159 int ret;
1160 ret = set_digest_alg(signatureAlgorithm, sig_alg->sig_oid,
1161 "\x05\x00", 2);
1162 if (ret)
1163 return ret;
1164 }
1165
1166
1167 sig->data = malloc(sigsize);
1168 if (sig->data == NULL) {
1169 sig->length = 0;
1170 return ENOMEM;
1171 }
1172 sig->length = sigsize;
1173
1174 ctx = EVP_MD_CTX_create();
1175 EVP_DigestInit_ex(ctx, sig_alg->evp_md(), NULL);
1176 EVP_DigestUpdate(ctx, data->data, data->length);
1177 EVP_DigestFinal_ex(ctx, sig->data, NULL);
1178 EVP_MD_CTX_destroy(ctx);
1179
1180
1181 return 0;
1182 }
1183
1184 static int
evp_md_verify_signature(hx509_context context,const struct signature_alg * sig_alg,const Certificate * signer,const AlgorithmIdentifier * alg,const heim_octet_string * data,const heim_octet_string * sig)1185 evp_md_verify_signature(hx509_context context,
1186 const struct signature_alg *sig_alg,
1187 const Certificate *signer,
1188 const AlgorithmIdentifier *alg,
1189 const heim_octet_string *data,
1190 const heim_octet_string *sig)
1191 {
1192 unsigned char digest[EVP_MAX_MD_SIZE];
1193 EVP_MD_CTX *ctx;
1194 size_t sigsize = EVP_MD_size(sig_alg->evp_md());
1195
1196 if (sig->length != sigsize || sigsize > sizeof(digest)) {
1197 hx509_set_error_string(context, 0, HX509_CRYPTO_SIG_INVALID_FORMAT,
1198 "SHA256 sigature have wrong length");
1199 return HX509_CRYPTO_SIG_INVALID_FORMAT;
1200 }
1201
1202 ctx = EVP_MD_CTX_create();
1203 EVP_DigestInit_ex(ctx, sig_alg->evp_md(), NULL);
1204 EVP_DigestUpdate(ctx, data->data, data->length);
1205 EVP_DigestFinal_ex(ctx, digest, NULL);
1206 EVP_MD_CTX_destroy(ctx);
1207
1208 if (ct_memcmp(digest, sig->data, sigsize) != 0) {
1209 hx509_set_error_string(context, 0, HX509_CRYPTO_BAD_SIGNATURE,
1210 "Bad %s sigature", sig_alg->name);
1211 return HX509_CRYPTO_BAD_SIGNATURE;
1212 }
1213
1214 return 0;
1215 }
1216
1217 #ifdef HAVE_OPENSSL
1218
1219 static const struct signature_alg ecdsa_with_sha256_alg = {
1220 "ecdsa-with-sha256",
1221 ASN1_OID_ID_ECDSA_WITH_SHA256,
1222 &_hx509_signature_ecdsa_with_sha256_data,
1223 ASN1_OID_ID_ECPUBLICKEY,
1224 &_hx509_signature_sha256_data,
1225 PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG|SELF_SIGNED_OK,
1226 0,
1227 NULL,
1228 ecdsa_verify_signature,
1229 ecdsa_create_signature,
1230 32
1231 };
1232
1233 static const struct signature_alg ecdsa_with_sha1_alg = {
1234 "ecdsa-with-sha1",
1235 ASN1_OID_ID_ECDSA_WITH_SHA1,
1236 &_hx509_signature_ecdsa_with_sha1_data,
1237 ASN1_OID_ID_ECPUBLICKEY,
1238 &_hx509_signature_sha1_data,
1239 PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG|SELF_SIGNED_OK,
1240 0,
1241 NULL,
1242 ecdsa_verify_signature,
1243 ecdsa_create_signature,
1244 20
1245 };
1246
1247 #endif
1248
1249 static const struct signature_alg heim_rsa_pkcs1_x509 = {
1250 "rsa-pkcs1-x509",
1251 ASN1_OID_ID_HEIM_RSA_PKCS1_X509,
1252 &_hx509_signature_rsa_pkcs1_x509_data,
1253 ASN1_OID_ID_PKCS1_RSAENCRYPTION,
1254 NULL,
1255 PROVIDE_CONF|REQUIRE_SIGNER|SIG_PUBLIC_SIG,
1256 0,
1257 NULL,
1258 rsa_verify_signature,
1259 rsa_create_signature,
1260 0
1261 };
1262
1263 static const struct signature_alg pkcs1_rsa_sha1_alg = {
1264 "rsa",
1265 ASN1_OID_ID_PKCS1_RSAENCRYPTION,
1266 &_hx509_signature_rsa_with_sha1_data,
1267 ASN1_OID_ID_PKCS1_RSAENCRYPTION,
1268 NULL,
1269 PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG|SELF_SIGNED_OK,
1270 0,
1271 NULL,
1272 rsa_verify_signature,
1273 rsa_create_signature,
1274 0
1275 };
1276
1277 static const struct signature_alg rsa_with_sha512_alg = {
1278 "rsa-with-sha512",
1279 ASN1_OID_ID_PKCS1_SHA512WITHRSAENCRYPTION,
1280 &_hx509_signature_rsa_with_sha512_data,
1281 ASN1_OID_ID_PKCS1_RSAENCRYPTION,
1282 &_hx509_signature_sha512_data,
1283 PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG|SELF_SIGNED_OK,
1284 0,
1285 NULL,
1286 rsa_verify_signature,
1287 rsa_create_signature,
1288 0
1289 };
1290
1291 static const struct signature_alg rsa_with_sha384_alg = {
1292 "rsa-with-sha384",
1293 ASN1_OID_ID_PKCS1_SHA384WITHRSAENCRYPTION,
1294 &_hx509_signature_rsa_with_sha384_data,
1295 ASN1_OID_ID_PKCS1_RSAENCRYPTION,
1296 &_hx509_signature_sha384_data,
1297 PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG|SELF_SIGNED_OK,
1298 0,
1299 NULL,
1300 rsa_verify_signature,
1301 rsa_create_signature,
1302 0
1303 };
1304
1305 static const struct signature_alg rsa_with_sha256_alg = {
1306 "rsa-with-sha256",
1307 ASN1_OID_ID_PKCS1_SHA256WITHRSAENCRYPTION,
1308 &_hx509_signature_rsa_with_sha256_data,
1309 ASN1_OID_ID_PKCS1_RSAENCRYPTION,
1310 &_hx509_signature_sha256_data,
1311 PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG|SELF_SIGNED_OK,
1312 0,
1313 NULL,
1314 rsa_verify_signature,
1315 rsa_create_signature,
1316 0
1317 };
1318
1319 static const struct signature_alg rsa_with_sha1_alg = {
1320 "rsa-with-sha1",
1321 ASN1_OID_ID_PKCS1_SHA1WITHRSAENCRYPTION,
1322 &_hx509_signature_rsa_with_sha1_data,
1323 ASN1_OID_ID_PKCS1_RSAENCRYPTION,
1324 &_hx509_signature_sha1_data,
1325 PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG|SELF_SIGNED_OK,
1326 0,
1327 NULL,
1328 rsa_verify_signature,
1329 rsa_create_signature,
1330 0
1331 };
1332
1333 static const struct signature_alg rsa_with_sha1_alg_secsig = {
1334 "rsa-with-sha1",
1335 ASN1_OID_ID_SECSIG_SHA_1WITHRSAENCRYPTION,
1336 &_hx509_signature_rsa_with_sha1_data,
1337 ASN1_OID_ID_PKCS1_RSAENCRYPTION,
1338 &_hx509_signature_sha1_data,
1339 PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG|SELF_SIGNED_OK,
1340 0,
1341 NULL,
1342 rsa_verify_signature,
1343 rsa_create_signature,
1344 0
1345 };
1346
1347 static const struct signature_alg rsa_with_md5_alg = {
1348 "rsa-with-md5",
1349 ASN1_OID_ID_PKCS1_MD5WITHRSAENCRYPTION,
1350 &_hx509_signature_rsa_with_md5_data,
1351 ASN1_OID_ID_PKCS1_RSAENCRYPTION,
1352 &_hx509_signature_md5_data,
1353 PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG,
1354 1230739889,
1355 NULL,
1356 rsa_verify_signature,
1357 rsa_create_signature,
1358 0
1359 };
1360
1361 static const struct signature_alg dsa_sha1_alg = {
1362 "dsa-with-sha1",
1363 ASN1_OID_ID_DSA_WITH_SHA1,
1364 NULL,
1365 ASN1_OID_ID_DSA,
1366 &_hx509_signature_sha1_data,
1367 PROVIDE_CONF|REQUIRE_SIGNER|SIG_PUBLIC_SIG,
1368 0,
1369 NULL,
1370 dsa_verify_signature,
1371 /* create_signature */ NULL,
1372 0
1373 };
1374
1375 static const struct signature_alg sha512_alg = {
1376 "sha-512",
1377 ASN1_OID_ID_SHA512,
1378 &_hx509_signature_sha512_data,
1379 NULL,
1380 NULL,
1381 SIG_DIGEST,
1382 0,
1383 EVP_sha512,
1384 evp_md_verify_signature,
1385 evp_md_create_signature,
1386 0
1387 };
1388
1389 static const struct signature_alg sha384_alg = {
1390 "sha-384",
1391 ASN1_OID_ID_SHA512,
1392 &_hx509_signature_sha384_data,
1393 NULL,
1394 NULL,
1395 SIG_DIGEST,
1396 0,
1397 EVP_sha384,
1398 evp_md_verify_signature,
1399 evp_md_create_signature,
1400 0
1401 };
1402
1403 static const struct signature_alg sha256_alg = {
1404 "sha-256",
1405 ASN1_OID_ID_SHA256,
1406 &_hx509_signature_sha256_data,
1407 NULL,
1408 NULL,
1409 SIG_DIGEST,
1410 0,
1411 EVP_sha256,
1412 evp_md_verify_signature,
1413 evp_md_create_signature,
1414 0
1415 };
1416
1417 static const struct signature_alg sha1_alg = {
1418 "sha1",
1419 ASN1_OID_ID_SECSIG_SHA_1,
1420 &_hx509_signature_sha1_data,
1421 NULL,
1422 NULL,
1423 SIG_DIGEST,
1424 0,
1425 EVP_sha1,
1426 evp_md_verify_signature,
1427 evp_md_create_signature,
1428 0
1429 };
1430
1431 static const struct signature_alg md5_alg = {
1432 "rsa-md5",
1433 ASN1_OID_ID_RSA_DIGEST_MD5,
1434 &_hx509_signature_md5_data,
1435 NULL,
1436 NULL,
1437 SIG_DIGEST,
1438 0,
1439 EVP_md5,
1440 evp_md_verify_signature,
1441 NULL,
1442 0
1443 };
1444
1445 /*
1446 * Order matter in this structure, "best" first for each "key
1447 * compatible" type (type is ECDSA, RSA, DSA, none, etc)
1448 */
1449
1450 static const struct signature_alg *sig_algs[] = {
1451 #ifdef HAVE_OPENSSL
1452 &ecdsa_with_sha256_alg,
1453 &ecdsa_with_sha1_alg,
1454 #endif
1455 &rsa_with_sha512_alg,
1456 &rsa_with_sha384_alg,
1457 &rsa_with_sha256_alg,
1458 &rsa_with_sha1_alg,
1459 &rsa_with_sha1_alg_secsig,
1460 &pkcs1_rsa_sha1_alg,
1461 &rsa_with_md5_alg,
1462 &heim_rsa_pkcs1_x509,
1463 &dsa_sha1_alg,
1464 &sha512_alg,
1465 &sha384_alg,
1466 &sha256_alg,
1467 &sha1_alg,
1468 &md5_alg,
1469 NULL
1470 };
1471
1472 static const struct signature_alg *
find_sig_alg(const heim_oid * oid)1473 find_sig_alg(const heim_oid *oid)
1474 {
1475 unsigned int i;
1476 for (i = 0; sig_algs[i]; i++)
1477 if (der_heim_oid_cmp(sig_algs[i]->sig_oid, oid) == 0)
1478 return sig_algs[i];
1479 return NULL;
1480 }
1481
1482 static const AlgorithmIdentifier *
alg_for_privatekey(const hx509_private_key pk,int type)1483 alg_for_privatekey(const hx509_private_key pk, int type)
1484 {
1485 const heim_oid *keytype;
1486 unsigned int i;
1487
1488 if (pk->ops == NULL)
1489 return NULL;
1490
1491 keytype = pk->ops->key_oid;
1492
1493 for (i = 0; sig_algs[i]; i++) {
1494 if (sig_algs[i]->key_oid == NULL)
1495 continue;
1496 if (der_heim_oid_cmp(sig_algs[i]->key_oid, keytype) != 0)
1497 continue;
1498 if (pk->ops->available &&
1499 pk->ops->available(pk, sig_algs[i]->sig_alg) == 0)
1500 continue;
1501 if (type == HX509_SELECT_PUBLIC_SIG)
1502 return sig_algs[i]->sig_alg;
1503 if (type == HX509_SELECT_DIGEST)
1504 return sig_algs[i]->digest_alg;
1505
1506 return NULL;
1507 }
1508 return NULL;
1509 }
1510
1511 /*
1512 *
1513 */
1514
1515 static struct hx509_private_key_ops *private_algs[] = {
1516 &rsa_private_key_ops,
1517 #ifdef HAVE_OPENSSL
1518 &ecdsa_private_key_ops,
1519 #endif
1520 NULL
1521 };
1522
1523 hx509_private_key_ops *
hx509_find_private_alg(const heim_oid * oid)1524 hx509_find_private_alg(const heim_oid *oid)
1525 {
1526 int i;
1527 for (i = 0; private_algs[i]; i++) {
1528 if (private_algs[i]->key_oid == NULL)
1529 continue;
1530 if (der_heim_oid_cmp(private_algs[i]->key_oid, oid) == 0)
1531 return private_algs[i];
1532 }
1533 return NULL;
1534 }
1535
1536 /*
1537 * Check if the algorithm `alg' have a best before date, and if it
1538 * des, make sure the its before the time `t'.
1539 */
1540
1541 int
_hx509_signature_best_before(hx509_context context,const AlgorithmIdentifier * alg,time_t t)1542 _hx509_signature_best_before(hx509_context context,
1543 const AlgorithmIdentifier *alg,
1544 time_t t)
1545 {
1546 const struct signature_alg *md;
1547
1548 md = find_sig_alg(&alg->algorithm);
1549 if (md == NULL) {
1550 hx509_clear_error_string(context);
1551 return HX509_SIG_ALG_NO_SUPPORTED;
1552 }
1553 if (md->best_before && md->best_before < t) {
1554 hx509_set_error_string(context, 0, HX509_CRYPTO_ALGORITHM_BEST_BEFORE,
1555 "Algorithm %s has passed it best before date",
1556 md->name);
1557 return HX509_CRYPTO_ALGORITHM_BEST_BEFORE;
1558 }
1559 return 0;
1560 }
1561
1562 int
_hx509_self_signed_valid(hx509_context context,const AlgorithmIdentifier * alg)1563 _hx509_self_signed_valid(hx509_context context,
1564 const AlgorithmIdentifier *alg)
1565 {
1566 const struct signature_alg *md;
1567
1568 md = find_sig_alg(&alg->algorithm);
1569 if (md == NULL) {
1570 hx509_clear_error_string(context);
1571 return HX509_SIG_ALG_NO_SUPPORTED;
1572 }
1573 if ((md->flags & SELF_SIGNED_OK) == 0) {
1574 hx509_set_error_string(context, 0, HX509_CRYPTO_ALGORITHM_BEST_BEFORE,
1575 "Algorithm %s not trusted for self signatures",
1576 md->name);
1577 return HX509_CRYPTO_ALGORITHM_BEST_BEFORE;
1578 }
1579 return 0;
1580 }
1581
1582
1583 int
_hx509_verify_signature(hx509_context context,const hx509_cert cert,const AlgorithmIdentifier * alg,const heim_octet_string * data,const heim_octet_string * sig)1584 _hx509_verify_signature(hx509_context context,
1585 const hx509_cert cert,
1586 const AlgorithmIdentifier *alg,
1587 const heim_octet_string *data,
1588 const heim_octet_string *sig)
1589 {
1590 const struct signature_alg *md;
1591 const Certificate *signer = NULL;
1592
1593 if (cert)
1594 signer = _hx509_get_cert(cert);
1595
1596 md = find_sig_alg(&alg->algorithm);
1597 if (md == NULL) {
1598 hx509_clear_error_string(context);
1599 return HX509_SIG_ALG_NO_SUPPORTED;
1600 }
1601 if (signer && (md->flags & PROVIDE_CONF) == 0) {
1602 hx509_clear_error_string(context);
1603 return HX509_CRYPTO_SIG_NO_CONF;
1604 }
1605 if (signer == NULL && (md->flags & REQUIRE_SIGNER)) {
1606 hx509_clear_error_string(context);
1607 return HX509_CRYPTO_SIGNATURE_WITHOUT_SIGNER;
1608 }
1609 if (md->key_oid && signer) {
1610 const SubjectPublicKeyInfo *spi;
1611 spi = &signer->tbsCertificate.subjectPublicKeyInfo;
1612
1613 if (der_heim_oid_cmp(&spi->algorithm.algorithm, md->key_oid) != 0) {
1614 hx509_clear_error_string(context);
1615 return HX509_SIG_ALG_DONT_MATCH_KEY_ALG;
1616 }
1617 }
1618 return (*md->verify_signature)(context, md, signer, alg, data, sig);
1619 }
1620
1621 int
_hx509_create_signature(hx509_context context,const hx509_private_key signer,const AlgorithmIdentifier * alg,const heim_octet_string * data,AlgorithmIdentifier * signatureAlgorithm,heim_octet_string * sig)1622 _hx509_create_signature(hx509_context context,
1623 const hx509_private_key signer,
1624 const AlgorithmIdentifier *alg,
1625 const heim_octet_string *data,
1626 AlgorithmIdentifier *signatureAlgorithm,
1627 heim_octet_string *sig)
1628 {
1629 const struct signature_alg *md;
1630
1631 md = find_sig_alg(&alg->algorithm);
1632 if (md == NULL) {
1633 hx509_set_error_string(context, 0, HX509_SIG_ALG_NO_SUPPORTED,
1634 "algorithm no supported");
1635 return HX509_SIG_ALG_NO_SUPPORTED;
1636 }
1637
1638 if (signer && (md->flags & PROVIDE_CONF) == 0) {
1639 hx509_set_error_string(context, 0, HX509_SIG_ALG_NO_SUPPORTED,
1640 "algorithm provides no conf");
1641 return HX509_CRYPTO_SIG_NO_CONF;
1642 }
1643
1644 return (*md->create_signature)(context, md, signer, alg, data,
1645 signatureAlgorithm, sig);
1646 }
1647
1648 int
_hx509_create_signature_bitstring(hx509_context context,const hx509_private_key signer,const AlgorithmIdentifier * alg,const heim_octet_string * data,AlgorithmIdentifier * signatureAlgorithm,heim_bit_string * sig)1649 _hx509_create_signature_bitstring(hx509_context context,
1650 const hx509_private_key signer,
1651 const AlgorithmIdentifier *alg,
1652 const heim_octet_string *data,
1653 AlgorithmIdentifier *signatureAlgorithm,
1654 heim_bit_string *sig)
1655 {
1656 heim_octet_string os;
1657 int ret;
1658
1659 ret = _hx509_create_signature(context, signer, alg,
1660 data, signatureAlgorithm, &os);
1661 if (ret)
1662 return ret;
1663 sig->data = os.data;
1664 sig->length = os.length * 8;
1665 return 0;
1666 }
1667
1668 int
_hx509_public_encrypt(hx509_context context,const heim_octet_string * cleartext,const Certificate * cert,heim_oid * encryption_oid,heim_octet_string * ciphertext)1669 _hx509_public_encrypt(hx509_context context,
1670 const heim_octet_string *cleartext,
1671 const Certificate *cert,
1672 heim_oid *encryption_oid,
1673 heim_octet_string *ciphertext)
1674 {
1675 const SubjectPublicKeyInfo *spi;
1676 unsigned char *to;
1677 int tosize;
1678 int ret;
1679 RSA *rsa;
1680 size_t size;
1681 const unsigned char *p;
1682
1683 ciphertext->data = NULL;
1684 ciphertext->length = 0;
1685
1686 spi = &cert->tbsCertificate.subjectPublicKeyInfo;
1687
1688 p = spi->subjectPublicKey.data;
1689 size = spi->subjectPublicKey.length / 8;
1690
1691 rsa = d2i_RSAPublicKey(NULL, &p, size);
1692 if (rsa == NULL) {
1693 hx509_set_error_string(context, 0, ENOMEM, "out of memory");
1694 return ENOMEM;
1695 }
1696
1697 tosize = RSA_size(rsa);
1698 to = malloc(tosize);
1699 if (to == NULL) {
1700 RSA_free(rsa);
1701 hx509_set_error_string(context, 0, ENOMEM, "out of memory");
1702 return ENOMEM;
1703 }
1704
1705 ret = RSA_public_encrypt(cleartext->length,
1706 (unsigned char *)cleartext->data,
1707 to, rsa, RSA_PKCS1_PADDING);
1708 RSA_free(rsa);
1709 if (ret <= 0) {
1710 free(to);
1711 hx509_set_error_string(context, 0, HX509_CRYPTO_RSA_PUBLIC_ENCRYPT,
1712 "RSA public encrypt failed with %d", ret);
1713 return HX509_CRYPTO_RSA_PUBLIC_ENCRYPT;
1714 }
1715 if (ret > tosize)
1716 _hx509_abort("internal rsa decryption failure: ret > tosize");
1717
1718 ciphertext->length = ret;
1719 ciphertext->data = to;
1720
1721 ret = der_copy_oid(ASN1_OID_ID_PKCS1_RSAENCRYPTION, encryption_oid);
1722 if (ret) {
1723 der_free_octet_string(ciphertext);
1724 hx509_set_error_string(context, 0, ENOMEM, "out of memory");
1725 return ENOMEM;
1726 }
1727
1728 return 0;
1729 }
1730
1731 int
hx509_private_key_private_decrypt(hx509_context context,const heim_octet_string * ciphertext,const heim_oid * encryption_oid,hx509_private_key p,heim_octet_string * cleartext)1732 hx509_private_key_private_decrypt(hx509_context context,
1733 const heim_octet_string *ciphertext,
1734 const heim_oid *encryption_oid,
1735 hx509_private_key p,
1736 heim_octet_string *cleartext)
1737 {
1738 int ret;
1739
1740 cleartext->data = NULL;
1741 cleartext->length = 0;
1742
1743 if (p->private_key.rsa == NULL) {
1744 hx509_set_error_string(context, 0, HX509_PRIVATE_KEY_MISSING,
1745 "Private RSA key missing");
1746 return HX509_PRIVATE_KEY_MISSING;
1747 }
1748
1749 cleartext->length = RSA_size(p->private_key.rsa);
1750 cleartext->data = malloc(cleartext->length);
1751 if (cleartext->data == NULL) {
1752 hx509_set_error_string(context, 0, ENOMEM, "out of memory");
1753 return ENOMEM;
1754 }
1755 ret = RSA_private_decrypt(ciphertext->length, ciphertext->data,
1756 cleartext->data,
1757 p->private_key.rsa,
1758 RSA_PKCS1_PADDING);
1759 if (ret <= 0) {
1760 der_free_octet_string(cleartext);
1761 hx509_set_error_string(context, 0, HX509_CRYPTO_RSA_PRIVATE_DECRYPT,
1762 "Failed to decrypt using private key: %d", ret);
1763 return HX509_CRYPTO_RSA_PRIVATE_DECRYPT;
1764 }
1765 if (cleartext->length < (size_t)ret)
1766 _hx509_abort("internal rsa decryption failure: ret > tosize");
1767
1768 cleartext->length = ret;
1769
1770 return 0;
1771 }
1772
1773
1774 int
hx509_parse_private_key(hx509_context context,const AlgorithmIdentifier * keyai,const void * data,size_t len,hx509_key_format_t format,hx509_private_key * private_key)1775 hx509_parse_private_key(hx509_context context,
1776 const AlgorithmIdentifier *keyai,
1777 const void *data,
1778 size_t len,
1779 hx509_key_format_t format,
1780 hx509_private_key *private_key)
1781 {
1782 struct hx509_private_key_ops *ops;
1783 int ret;
1784
1785 *private_key = NULL;
1786
1787 ops = hx509_find_private_alg(&keyai->algorithm);
1788 if (ops == NULL) {
1789 hx509_clear_error_string(context);
1790 return HX509_SIG_ALG_NO_SUPPORTED;
1791 }
1792
1793 ret = hx509_private_key_init(private_key, ops, NULL);
1794 if (ret) {
1795 hx509_set_error_string(context, 0, ret, "out of memory");
1796 return ret;
1797 }
1798
1799 ret = (*ops->import)(context, keyai, data, len, format, *private_key);
1800 if (ret)
1801 hx509_private_key_free(private_key);
1802
1803 return ret;
1804 }
1805
1806 /*
1807 *
1808 */
1809
1810 int
hx509_private_key2SPKI(hx509_context context,hx509_private_key private_key,SubjectPublicKeyInfo * spki)1811 hx509_private_key2SPKI(hx509_context context,
1812 hx509_private_key private_key,
1813 SubjectPublicKeyInfo *spki)
1814 {
1815 const struct hx509_private_key_ops *ops = private_key->ops;
1816 if (ops == NULL || ops->get_spki == NULL) {
1817 hx509_set_error_string(context, 0, HX509_UNIMPLEMENTED_OPERATION,
1818 "Private key have no key2SPKI function");
1819 return HX509_UNIMPLEMENTED_OPERATION;
1820 }
1821 return (*ops->get_spki)(context, private_key, spki);
1822 }
1823
1824 int
_hx509_generate_private_key_init(hx509_context context,const heim_oid * oid,struct hx509_generate_private_context ** ctx)1825 _hx509_generate_private_key_init(hx509_context context,
1826 const heim_oid *oid,
1827 struct hx509_generate_private_context **ctx)
1828 {
1829 *ctx = NULL;
1830
1831 if (der_heim_oid_cmp(oid, ASN1_OID_ID_PKCS1_RSAENCRYPTION) != 0) {
1832 hx509_set_error_string(context, 0, EINVAL,
1833 "private key not an RSA key");
1834 return EINVAL;
1835 }
1836
1837 *ctx = calloc(1, sizeof(**ctx));
1838 if (*ctx == NULL) {
1839 hx509_set_error_string(context, 0, ENOMEM, "out of memory");
1840 return ENOMEM;
1841 }
1842 (*ctx)->key_oid = oid;
1843
1844 return 0;
1845 }
1846
1847 int
_hx509_generate_private_key_is_ca(hx509_context context,struct hx509_generate_private_context * ctx)1848 _hx509_generate_private_key_is_ca(hx509_context context,
1849 struct hx509_generate_private_context *ctx)
1850 {
1851 ctx->isCA = 1;
1852 return 0;
1853 }
1854
1855 int
_hx509_generate_private_key_bits(hx509_context context,struct hx509_generate_private_context * ctx,unsigned long bits)1856 _hx509_generate_private_key_bits(hx509_context context,
1857 struct hx509_generate_private_context *ctx,
1858 unsigned long bits)
1859 {
1860 ctx->num_bits = bits;
1861 return 0;
1862 }
1863
1864
1865 void
_hx509_generate_private_key_free(struct hx509_generate_private_context ** ctx)1866 _hx509_generate_private_key_free(struct hx509_generate_private_context **ctx)
1867 {
1868 free(*ctx);
1869 *ctx = NULL;
1870 }
1871
1872 int
_hx509_generate_private_key(hx509_context context,struct hx509_generate_private_context * ctx,hx509_private_key * private_key)1873 _hx509_generate_private_key(hx509_context context,
1874 struct hx509_generate_private_context *ctx,
1875 hx509_private_key *private_key)
1876 {
1877 struct hx509_private_key_ops *ops;
1878 int ret;
1879
1880 *private_key = NULL;
1881
1882 ops = hx509_find_private_alg(ctx->key_oid);
1883 if (ops == NULL) {
1884 hx509_clear_error_string(context);
1885 return HX509_SIG_ALG_NO_SUPPORTED;
1886 }
1887
1888 ret = hx509_private_key_init(private_key, ops, NULL);
1889 if (ret) {
1890 hx509_set_error_string(context, 0, ret, "out of memory");
1891 return ret;
1892 }
1893
1894 ret = (*ops->generate_private_key)(context, ctx, *private_key);
1895 if (ret)
1896 hx509_private_key_free(private_key);
1897
1898 return ret;
1899 }
1900
1901 /*
1902 *
1903 */
1904
1905 const AlgorithmIdentifier *
hx509_signature_sha512(void)1906 hx509_signature_sha512(void)
1907 { return &_hx509_signature_sha512_data; }
1908
1909 const AlgorithmIdentifier *
hx509_signature_sha384(void)1910 hx509_signature_sha384(void)
1911 { return &_hx509_signature_sha384_data; }
1912
1913 const AlgorithmIdentifier *
hx509_signature_sha256(void)1914 hx509_signature_sha256(void)
1915 { return &_hx509_signature_sha256_data; }
1916
1917 const AlgorithmIdentifier *
hx509_signature_sha1(void)1918 hx509_signature_sha1(void)
1919 { return &_hx509_signature_sha1_data; }
1920
1921 const AlgorithmIdentifier *
hx509_signature_md5(void)1922 hx509_signature_md5(void)
1923 { return &_hx509_signature_md5_data; }
1924
1925 const AlgorithmIdentifier *
hx509_signature_ecPublicKey(void)1926 hx509_signature_ecPublicKey(void)
1927 { return &_hx509_signature_ecPublicKey; }
1928
1929 const AlgorithmIdentifier *
hx509_signature_ecdsa_with_sha256(void)1930 hx509_signature_ecdsa_with_sha256(void)
1931 { return &_hx509_signature_ecdsa_with_sha256_data; }
1932
1933 const AlgorithmIdentifier *
hx509_signature_ecdsa_with_sha1(void)1934 hx509_signature_ecdsa_with_sha1(void)
1935 { return &_hx509_signature_ecdsa_with_sha1_data; }
1936
1937 const AlgorithmIdentifier *
hx509_signature_rsa_with_sha512(void)1938 hx509_signature_rsa_with_sha512(void)
1939 { return &_hx509_signature_rsa_with_sha512_data; }
1940
1941 const AlgorithmIdentifier *
hx509_signature_rsa_with_sha384(void)1942 hx509_signature_rsa_with_sha384(void)
1943 { return &_hx509_signature_rsa_with_sha384_data; }
1944
1945 const AlgorithmIdentifier *
hx509_signature_rsa_with_sha256(void)1946 hx509_signature_rsa_with_sha256(void)
1947 { return &_hx509_signature_rsa_with_sha256_data; }
1948
1949 const AlgorithmIdentifier *
hx509_signature_rsa_with_sha1(void)1950 hx509_signature_rsa_with_sha1(void)
1951 { return &_hx509_signature_rsa_with_sha1_data; }
1952
1953 const AlgorithmIdentifier *
hx509_signature_rsa_with_md5(void)1954 hx509_signature_rsa_with_md5(void)
1955 { return &_hx509_signature_rsa_with_md5_data; }
1956
1957 const AlgorithmIdentifier *
hx509_signature_rsa(void)1958 hx509_signature_rsa(void)
1959 { return &_hx509_signature_rsa_data; }
1960
1961 const AlgorithmIdentifier *
hx509_signature_rsa_pkcs1_x509(void)1962 hx509_signature_rsa_pkcs1_x509(void)
1963 { return &_hx509_signature_rsa_pkcs1_x509_data; }
1964
1965 const AlgorithmIdentifier *
hx509_crypto_des_rsdi_ede3_cbc(void)1966 hx509_crypto_des_rsdi_ede3_cbc(void)
1967 { return &_hx509_des_rsdi_ede3_cbc_oid; }
1968
1969 const AlgorithmIdentifier *
hx509_crypto_aes128_cbc(void)1970 hx509_crypto_aes128_cbc(void)
1971 { return &_hx509_crypto_aes128_cbc_data; }
1972
1973 const AlgorithmIdentifier *
hx509_crypto_aes256_cbc(void)1974 hx509_crypto_aes256_cbc(void)
1975 { return &_hx509_crypto_aes256_cbc_data; }
1976
1977 /*
1978 *
1979 */
1980
1981 const AlgorithmIdentifier * _hx509_crypto_default_sig_alg =
1982 &_hx509_signature_rsa_with_sha256_data;
1983 const AlgorithmIdentifier * _hx509_crypto_default_digest_alg =
1984 &_hx509_signature_sha256_data;
1985 const AlgorithmIdentifier * _hx509_crypto_default_secret_alg =
1986 &_hx509_crypto_aes128_cbc_data;
1987
1988 /*
1989 *
1990 */
1991
1992 int
hx509_private_key_init(hx509_private_key * key,hx509_private_key_ops * ops,void * keydata)1993 hx509_private_key_init(hx509_private_key *key,
1994 hx509_private_key_ops *ops,
1995 void *keydata)
1996 {
1997 *key = calloc(1, sizeof(**key));
1998 if (*key == NULL)
1999 return ENOMEM;
2000 (*key)->ref = 1;
2001 (*key)->ops = ops;
2002 (*key)->private_key.keydata = keydata;
2003 return 0;
2004 }
2005
2006 hx509_private_key
_hx509_private_key_ref(hx509_private_key key)2007 _hx509_private_key_ref(hx509_private_key key)
2008 {
2009 if (key->ref == 0)
2010 _hx509_abort("key refcount <= 0 on ref");
2011 key->ref++;
2012 if (key->ref == UINT_MAX)
2013 _hx509_abort("key refcount == UINT_MAX on ref");
2014 return key;
2015 }
2016
2017 const char *
_hx509_private_pem_name(hx509_private_key key)2018 _hx509_private_pem_name(hx509_private_key key)
2019 {
2020 return key->ops->pemtype;
2021 }
2022
2023 int
hx509_private_key_free(hx509_private_key * key)2024 hx509_private_key_free(hx509_private_key *key)
2025 {
2026 if (key == NULL || *key == NULL)
2027 return 0;
2028
2029 if ((*key)->ref == 0)
2030 _hx509_abort("key refcount == 0 on free");
2031 if (--(*key)->ref > 0)
2032 return 0;
2033
2034 if ((*key)->ops && der_heim_oid_cmp((*key)->ops->key_oid, ASN1_OID_ID_PKCS1_RSAENCRYPTION) == 0) {
2035 if ((*key)->private_key.rsa)
2036 RSA_free((*key)->private_key.rsa);
2037 #ifdef HAVE_OPENSSL
2038 } else if ((*key)->ops && der_heim_oid_cmp((*key)->ops->key_oid, ASN1_OID_ID_ECPUBLICKEY) == 0) {
2039 if ((*key)->private_key.ecdsa)
2040 EC_KEY_free((*key)->private_key.ecdsa);
2041 #endif
2042 }
2043 (*key)->private_key.rsa = NULL;
2044 free(*key);
2045 *key = NULL;
2046 return 0;
2047 }
2048
2049 void
hx509_private_key_assign_rsa(hx509_private_key key,void * ptr)2050 hx509_private_key_assign_rsa(hx509_private_key key, void *ptr)
2051 {
2052 if (key->private_key.rsa)
2053 RSA_free(key->private_key.rsa);
2054 key->private_key.rsa = ptr;
2055 key->signature_alg = ASN1_OID_ID_PKCS1_SHA1WITHRSAENCRYPTION;
2056 key->md = &pkcs1_rsa_sha1_alg;
2057 }
2058
2059 int
_hx509_private_key_oid(hx509_context context,const hx509_private_key key,heim_oid * data)2060 _hx509_private_key_oid(hx509_context context,
2061 const hx509_private_key key,
2062 heim_oid *data)
2063 {
2064 int ret;
2065 ret = der_copy_oid(key->ops->key_oid, data);
2066 if (ret)
2067 hx509_set_error_string(context, 0, ret, "malloc out of memory");
2068 return ret;
2069 }
2070
2071 int
_hx509_private_key_exportable(hx509_private_key key)2072 _hx509_private_key_exportable(hx509_private_key key)
2073 {
2074 if (key->ops->export == NULL)
2075 return 0;
2076 return 1;
2077 }
2078
2079 BIGNUM *
_hx509_private_key_get_internal(hx509_context context,hx509_private_key key,const char * type)2080 _hx509_private_key_get_internal(hx509_context context,
2081 hx509_private_key key,
2082 const char *type)
2083 {
2084 if (key->ops->get_internal == NULL)
2085 return NULL;
2086 return (*key->ops->get_internal)(context, key, type);
2087 }
2088
2089 int
_hx509_private_key_export(hx509_context context,const hx509_private_key key,hx509_key_format_t format,heim_octet_string * data)2090 _hx509_private_key_export(hx509_context context,
2091 const hx509_private_key key,
2092 hx509_key_format_t format,
2093 heim_octet_string *data)
2094 {
2095 if (key->ops->export == NULL) {
2096 hx509_clear_error_string(context);
2097 return HX509_UNIMPLEMENTED_OPERATION;
2098 }
2099 return (*key->ops->export)(context, key, format, data);
2100 }
2101
2102 /*
2103 *
2104 */
2105
2106 struct hx509cipher {
2107 const char *name;
2108 int flags;
2109 #define CIPHER_WEAK 1
2110 const heim_oid *oid;
2111 const AlgorithmIdentifier *(*ai_func)(void);
2112 const EVP_CIPHER *(*evp_func)(void);
2113 int (*get_params)(hx509_context, const hx509_crypto,
2114 const heim_octet_string *, heim_octet_string *);
2115 int (*set_params)(hx509_context, const heim_octet_string *,
2116 hx509_crypto, heim_octet_string *);
2117 };
2118
2119 struct hx509_crypto_data {
2120 char *name;
2121 int flags;
2122 #define ALLOW_WEAK 1
2123
2124 #define PADDING_NONE 2
2125 #define PADDING_PKCS7 4
2126 #define PADDING_FLAGS (2|4)
2127 const struct hx509cipher *cipher;
2128 const EVP_CIPHER *c;
2129 heim_octet_string key;
2130 heim_oid oid;
2131 void *param;
2132 };
2133
2134 /*
2135 *
2136 */
2137
2138 static unsigned private_rc2_40_oid_data[] = { 127, 1 };
2139
2140 static heim_oid asn1_oid_private_rc2_40 =
2141 { 2, private_rc2_40_oid_data };
2142
2143 /*
2144 *
2145 */
2146
2147 static int
CMSCBCParam_get(hx509_context context,const hx509_crypto crypto,const heim_octet_string * ivec,heim_octet_string * param)2148 CMSCBCParam_get(hx509_context context, const hx509_crypto crypto,
2149 const heim_octet_string *ivec, heim_octet_string *param)
2150 {
2151 size_t size;
2152 int ret;
2153
2154 assert(crypto->param == NULL);
2155 if (ivec == NULL)
2156 return 0;
2157
2158 ASN1_MALLOC_ENCODE(CMSCBCParameter, param->data, param->length,
2159 ivec, &size, ret);
2160 if (ret == 0 && size != param->length)
2161 _hx509_abort("Internal asn1 encoder failure");
2162 if (ret)
2163 hx509_clear_error_string(context);
2164 return ret;
2165 }
2166
2167 static int
CMSCBCParam_set(hx509_context context,const heim_octet_string * param,hx509_crypto crypto,heim_octet_string * ivec)2168 CMSCBCParam_set(hx509_context context, const heim_octet_string *param,
2169 hx509_crypto crypto, heim_octet_string *ivec)
2170 {
2171 int ret;
2172 if (ivec == NULL)
2173 return 0;
2174
2175 ret = decode_CMSCBCParameter(param->data, param->length, ivec, NULL);
2176 if (ret)
2177 hx509_clear_error_string(context);
2178
2179 return ret;
2180 }
2181
2182 struct _RC2_params {
2183 int maximum_effective_key;
2184 };
2185
2186 static int
CMSRC2CBCParam_get(hx509_context context,const hx509_crypto crypto,const heim_octet_string * ivec,heim_octet_string * param)2187 CMSRC2CBCParam_get(hx509_context context, const hx509_crypto crypto,
2188 const heim_octet_string *ivec, heim_octet_string *param)
2189 {
2190 CMSRC2CBCParameter rc2params;
2191 const struct _RC2_params *p = crypto->param;
2192 int maximum_effective_key = 128;
2193 size_t size;
2194 int ret;
2195
2196 memset(&rc2params, 0, sizeof(rc2params));
2197
2198 if (p)
2199 maximum_effective_key = p->maximum_effective_key;
2200
2201 switch(maximum_effective_key) {
2202 case 40:
2203 rc2params.rc2ParameterVersion = 160;
2204 break;
2205 case 64:
2206 rc2params.rc2ParameterVersion = 120;
2207 break;
2208 case 128:
2209 rc2params.rc2ParameterVersion = 58;
2210 break;
2211 }
2212 rc2params.iv = *ivec;
2213
2214 ASN1_MALLOC_ENCODE(CMSRC2CBCParameter, param->data, param->length,
2215 &rc2params, &size, ret);
2216 if (ret == 0 && size != param->length)
2217 _hx509_abort("Internal asn1 encoder failure");
2218
2219 return ret;
2220 }
2221
2222 static int
CMSRC2CBCParam_set(hx509_context context,const heim_octet_string * param,hx509_crypto crypto,heim_octet_string * ivec)2223 CMSRC2CBCParam_set(hx509_context context, const heim_octet_string *param,
2224 hx509_crypto crypto, heim_octet_string *ivec)
2225 {
2226 CMSRC2CBCParameter rc2param;
2227 struct _RC2_params *p;
2228 size_t size;
2229 int ret;
2230
2231 ret = decode_CMSRC2CBCParameter(param->data, param->length,
2232 &rc2param, &size);
2233 if (ret) {
2234 hx509_clear_error_string(context);
2235 return ret;
2236 }
2237
2238 p = calloc(1, sizeof(*p));
2239 if (p == NULL) {
2240 free_CMSRC2CBCParameter(&rc2param);
2241 hx509_clear_error_string(context);
2242 return ENOMEM;
2243 }
2244 switch(rc2param.rc2ParameterVersion) {
2245 case 160:
2246 crypto->c = EVP_rc2_40_cbc();
2247 p->maximum_effective_key = 40;
2248 break;
2249 case 120:
2250 crypto->c = EVP_rc2_64_cbc();
2251 p->maximum_effective_key = 64;
2252 break;
2253 case 58:
2254 crypto->c = EVP_rc2_cbc();
2255 p->maximum_effective_key = 128;
2256 break;
2257 default:
2258 free(p);
2259 free_CMSRC2CBCParameter(&rc2param);
2260 return HX509_CRYPTO_SIG_INVALID_FORMAT;
2261 }
2262 if (ivec)
2263 ret = der_copy_octet_string(&rc2param.iv, ivec);
2264 free_CMSRC2CBCParameter(&rc2param);
2265 if (ret) {
2266 free(p);
2267 hx509_clear_error_string(context);
2268 } else
2269 crypto->param = p;
2270
2271 return ret;
2272 }
2273
2274 /*
2275 *
2276 */
2277
2278 static const struct hx509cipher ciphers[] = {
2279 {
2280 "rc2-cbc",
2281 CIPHER_WEAK,
2282 ASN1_OID_ID_PKCS3_RC2_CBC,
2283 NULL,
2284 EVP_rc2_cbc,
2285 CMSRC2CBCParam_get,
2286 CMSRC2CBCParam_set
2287 },
2288 {
2289 "rc2-cbc",
2290 CIPHER_WEAK,
2291 ASN1_OID_ID_RSADSI_RC2_CBC,
2292 NULL,
2293 EVP_rc2_cbc,
2294 CMSRC2CBCParam_get,
2295 CMSRC2CBCParam_set
2296 },
2297 {
2298 "rc2-40-cbc",
2299 CIPHER_WEAK,
2300 &asn1_oid_private_rc2_40,
2301 NULL,
2302 EVP_rc2_40_cbc,
2303 CMSRC2CBCParam_get,
2304 CMSRC2CBCParam_set
2305 },
2306 {
2307 "des-ede3-cbc",
2308 0,
2309 ASN1_OID_ID_PKCS3_DES_EDE3_CBC,
2310 NULL,
2311 EVP_des_ede3_cbc,
2312 CMSCBCParam_get,
2313 CMSCBCParam_set
2314 },
2315 {
2316 "des-ede3-cbc",
2317 0,
2318 ASN1_OID_ID_RSADSI_DES_EDE3_CBC,
2319 hx509_crypto_des_rsdi_ede3_cbc,
2320 EVP_des_ede3_cbc,
2321 CMSCBCParam_get,
2322 CMSCBCParam_set
2323 },
2324 {
2325 "aes-128-cbc",
2326 0,
2327 ASN1_OID_ID_AES_128_CBC,
2328 hx509_crypto_aes128_cbc,
2329 EVP_aes_128_cbc,
2330 CMSCBCParam_get,
2331 CMSCBCParam_set
2332 },
2333 {
2334 "aes-192-cbc",
2335 0,
2336 ASN1_OID_ID_AES_192_CBC,
2337 NULL,
2338 EVP_aes_192_cbc,
2339 CMSCBCParam_get,
2340 CMSCBCParam_set
2341 },
2342 {
2343 "aes-256-cbc",
2344 0,
2345 ASN1_OID_ID_AES_256_CBC,
2346 hx509_crypto_aes256_cbc,
2347 EVP_aes_256_cbc,
2348 CMSCBCParam_get,
2349 CMSCBCParam_set
2350 }
2351 };
2352
2353 static const struct hx509cipher *
find_cipher_by_oid(const heim_oid * oid)2354 find_cipher_by_oid(const heim_oid *oid)
2355 {
2356 size_t i;
2357
2358 for (i = 0; i < sizeof(ciphers)/sizeof(ciphers[0]); i++)
2359 if (der_heim_oid_cmp(oid, ciphers[i].oid) == 0)
2360 return &ciphers[i];
2361
2362 return NULL;
2363 }
2364
2365 static const struct hx509cipher *
find_cipher_by_name(const char * name)2366 find_cipher_by_name(const char *name)
2367 {
2368 size_t i;
2369
2370 for (i = 0; i < sizeof(ciphers)/sizeof(ciphers[0]); i++)
2371 if (strcasecmp(name, ciphers[i].name) == 0)
2372 return &ciphers[i];
2373
2374 return NULL;
2375 }
2376
2377
2378 const heim_oid *
hx509_crypto_enctype_by_name(const char * name)2379 hx509_crypto_enctype_by_name(const char *name)
2380 {
2381 const struct hx509cipher *cipher;
2382
2383 cipher = find_cipher_by_name(name);
2384 if (cipher == NULL)
2385 return NULL;
2386 return cipher->oid;
2387 }
2388
2389 int
hx509_crypto_init(hx509_context context,const char * provider,const heim_oid * enctype,hx509_crypto * crypto)2390 hx509_crypto_init(hx509_context context,
2391 const char *provider,
2392 const heim_oid *enctype,
2393 hx509_crypto *crypto)
2394 {
2395 const struct hx509cipher *cipher;
2396
2397 *crypto = NULL;
2398
2399 cipher = find_cipher_by_oid(enctype);
2400 if (cipher == NULL) {
2401 hx509_set_error_string(context, 0, HX509_ALG_NOT_SUPP,
2402 "Algorithm not supported");
2403 return HX509_ALG_NOT_SUPP;
2404 }
2405
2406 *crypto = calloc(1, sizeof(**crypto));
2407 if (*crypto == NULL) {
2408 hx509_clear_error_string(context);
2409 return ENOMEM;
2410 }
2411
2412 (*crypto)->flags = PADDING_PKCS7;
2413 (*crypto)->cipher = cipher;
2414 (*crypto)->c = (*cipher->evp_func)();
2415
2416 if (der_copy_oid(enctype, &(*crypto)->oid)) {
2417 hx509_crypto_destroy(*crypto);
2418 *crypto = NULL;
2419 hx509_clear_error_string(context);
2420 return ENOMEM;
2421 }
2422
2423 return 0;
2424 }
2425
2426 const char *
hx509_crypto_provider(hx509_crypto crypto)2427 hx509_crypto_provider(hx509_crypto crypto)
2428 {
2429 return "unknown";
2430 }
2431
2432 void
hx509_crypto_destroy(hx509_crypto crypto)2433 hx509_crypto_destroy(hx509_crypto crypto)
2434 {
2435 if (crypto->name)
2436 free(crypto->name);
2437 if (crypto->key.data)
2438 free(crypto->key.data);
2439 if (crypto->param)
2440 free(crypto->param);
2441 der_free_oid(&crypto->oid);
2442 memset(crypto, 0, sizeof(*crypto));
2443 free(crypto);
2444 }
2445
2446 int
hx509_crypto_set_key_name(hx509_crypto crypto,const char * name)2447 hx509_crypto_set_key_name(hx509_crypto crypto, const char *name)
2448 {
2449 return 0;
2450 }
2451
2452 void
hx509_crypto_allow_weak(hx509_crypto crypto)2453 hx509_crypto_allow_weak(hx509_crypto crypto)
2454 {
2455 crypto->flags |= ALLOW_WEAK;
2456 }
2457
2458 void
hx509_crypto_set_padding(hx509_crypto crypto,int padding_type)2459 hx509_crypto_set_padding(hx509_crypto crypto, int padding_type)
2460 {
2461 switch (padding_type) {
2462 case HX509_CRYPTO_PADDING_PKCS7:
2463 crypto->flags &= ~PADDING_FLAGS;
2464 crypto->flags |= PADDING_PKCS7;
2465 break;
2466 case HX509_CRYPTO_PADDING_NONE:
2467 crypto->flags &= ~PADDING_FLAGS;
2468 crypto->flags |= PADDING_NONE;
2469 break;
2470 default:
2471 _hx509_abort("Invalid padding");
2472 }
2473 }
2474
2475 int
hx509_crypto_set_key_data(hx509_crypto crypto,const void * data,size_t length)2476 hx509_crypto_set_key_data(hx509_crypto crypto, const void *data, size_t length)
2477 {
2478 if (EVP_CIPHER_key_length(crypto->c) > (int)length)
2479 return HX509_CRYPTO_INTERNAL_ERROR;
2480
2481 if (crypto->key.data) {
2482 free(crypto->key.data);
2483 crypto->key.data = NULL;
2484 crypto->key.length = 0;
2485 }
2486 crypto->key.data = malloc(length);
2487 if (crypto->key.data == NULL)
2488 return ENOMEM;
2489 memcpy(crypto->key.data, data, length);
2490 crypto->key.length = length;
2491
2492 return 0;
2493 }
2494
2495 int
hx509_crypto_set_random_key(hx509_crypto crypto,heim_octet_string * key)2496 hx509_crypto_set_random_key(hx509_crypto crypto, heim_octet_string *key)
2497 {
2498 if (crypto->key.data) {
2499 free(crypto->key.data);
2500 crypto->key.length = 0;
2501 }
2502
2503 crypto->key.length = EVP_CIPHER_key_length(crypto->c);
2504 crypto->key.data = malloc(crypto->key.length);
2505 if (crypto->key.data == NULL) {
2506 crypto->key.length = 0;
2507 return ENOMEM;
2508 }
2509 if (RAND_bytes(crypto->key.data, crypto->key.length) <= 0) {
2510 free(crypto->key.data);
2511 crypto->key.data = NULL;
2512 crypto->key.length = 0;
2513 return HX509_CRYPTO_INTERNAL_ERROR;
2514 }
2515 if (key)
2516 return der_copy_octet_string(&crypto->key, key);
2517 else
2518 return 0;
2519 }
2520
2521 int
hx509_crypto_set_params(hx509_context context,hx509_crypto crypto,const heim_octet_string * param,heim_octet_string * ivec)2522 hx509_crypto_set_params(hx509_context context,
2523 hx509_crypto crypto,
2524 const heim_octet_string *param,
2525 heim_octet_string *ivec)
2526 {
2527 return (*crypto->cipher->set_params)(context, param, crypto, ivec);
2528 }
2529
2530 int
hx509_crypto_get_params(hx509_context context,hx509_crypto crypto,const heim_octet_string * ivec,heim_octet_string * param)2531 hx509_crypto_get_params(hx509_context context,
2532 hx509_crypto crypto,
2533 const heim_octet_string *ivec,
2534 heim_octet_string *param)
2535 {
2536 return (*crypto->cipher->get_params)(context, crypto, ivec, param);
2537 }
2538
2539 int
hx509_crypto_random_iv(hx509_crypto crypto,heim_octet_string * ivec)2540 hx509_crypto_random_iv(hx509_crypto crypto, heim_octet_string *ivec)
2541 {
2542 ivec->length = EVP_CIPHER_iv_length(crypto->c);
2543 ivec->data = malloc(ivec->length);
2544 if (ivec->data == NULL) {
2545 ivec->length = 0;
2546 return ENOMEM;
2547 }
2548
2549 if (RAND_bytes(ivec->data, ivec->length) <= 0) {
2550 free(ivec->data);
2551 ivec->data = NULL;
2552 ivec->length = 0;
2553 return HX509_CRYPTO_INTERNAL_ERROR;
2554 }
2555 return 0;
2556 }
2557
2558 int
hx509_crypto_encrypt(hx509_crypto crypto,const void * data,const size_t length,const heim_octet_string * ivec,heim_octet_string ** ciphertext)2559 hx509_crypto_encrypt(hx509_crypto crypto,
2560 const void *data,
2561 const size_t length,
2562 const heim_octet_string *ivec,
2563 heim_octet_string **ciphertext)
2564 {
2565 EVP_CIPHER_CTX evp;
2566 size_t padsize, bsize;
2567 int ret;
2568
2569 *ciphertext = NULL;
2570
2571 if ((crypto->cipher->flags & CIPHER_WEAK) &&
2572 (crypto->flags & ALLOW_WEAK) == 0)
2573 return HX509_CRYPTO_ALGORITHM_BEST_BEFORE;
2574
2575 assert(EVP_CIPHER_iv_length(crypto->c) == (int)ivec->length);
2576
2577 EVP_CIPHER_CTX_init(&evp);
2578
2579 ret = EVP_CipherInit_ex(&evp, crypto->c, NULL,
2580 crypto->key.data, ivec->data, 1);
2581 if (ret != 1) {
2582 EVP_CIPHER_CTX_cleanup(&evp);
2583 ret = HX509_CRYPTO_INTERNAL_ERROR;
2584 goto out;
2585 }
2586
2587 *ciphertext = calloc(1, sizeof(**ciphertext));
2588 if (*ciphertext == NULL) {
2589 ret = ENOMEM;
2590 goto out;
2591 }
2592
2593 assert(crypto->flags & PADDING_FLAGS);
2594
2595 bsize = EVP_CIPHER_block_size(crypto->c);
2596 padsize = 0;
2597
2598 if (crypto->flags & PADDING_NONE) {
2599 if (bsize != 1 && (length % bsize) != 0)
2600 return HX509_CMS_PADDING_ERROR;
2601 } else if (crypto->flags & PADDING_PKCS7) {
2602 if (bsize != 1)
2603 padsize = bsize - (length % bsize);
2604 }
2605
2606 (*ciphertext)->length = length + padsize;
2607 (*ciphertext)->data = malloc(length + padsize);
2608 if ((*ciphertext)->data == NULL) {
2609 ret = ENOMEM;
2610 goto out;
2611 }
2612
2613 memcpy((*ciphertext)->data, data, length);
2614 if (padsize) {
2615 size_t i;
2616 unsigned char *p = (*ciphertext)->data;
2617 p += length;
2618 for (i = 0; i < padsize; i++)
2619 *p++ = padsize;
2620 }
2621
2622 ret = EVP_Cipher(&evp, (*ciphertext)->data,
2623 (*ciphertext)->data,
2624 length + padsize);
2625 if (ret != 1) {
2626 ret = HX509_CRYPTO_INTERNAL_ERROR;
2627 goto out;
2628 }
2629 ret = 0;
2630
2631 out:
2632 if (ret) {
2633 if (*ciphertext) {
2634 if ((*ciphertext)->data) {
2635 free((*ciphertext)->data);
2636 }
2637 free(*ciphertext);
2638 *ciphertext = NULL;
2639 }
2640 }
2641 EVP_CIPHER_CTX_cleanup(&evp);
2642
2643 return ret;
2644 }
2645
2646 int
hx509_crypto_decrypt(hx509_crypto crypto,const void * data,const size_t length,heim_octet_string * ivec,heim_octet_string * clear)2647 hx509_crypto_decrypt(hx509_crypto crypto,
2648 const void *data,
2649 const size_t length,
2650 heim_octet_string *ivec,
2651 heim_octet_string *clear)
2652 {
2653 EVP_CIPHER_CTX evp;
2654 void *idata = NULL;
2655 int ret;
2656
2657 clear->data = NULL;
2658 clear->length = 0;
2659
2660 if ((crypto->cipher->flags & CIPHER_WEAK) &&
2661 (crypto->flags & ALLOW_WEAK) == 0)
2662 return HX509_CRYPTO_ALGORITHM_BEST_BEFORE;
2663
2664 if (ivec && EVP_CIPHER_iv_length(crypto->c) < (int)ivec->length)
2665 return HX509_CRYPTO_INTERNAL_ERROR;
2666
2667 if (crypto->key.data == NULL)
2668 return HX509_CRYPTO_INTERNAL_ERROR;
2669
2670 if (ivec)
2671 idata = ivec->data;
2672
2673 EVP_CIPHER_CTX_init(&evp);
2674
2675 ret = EVP_CipherInit_ex(&evp, crypto->c, NULL,
2676 crypto->key.data, idata, 0);
2677 if (ret != 1) {
2678 EVP_CIPHER_CTX_cleanup(&evp);
2679 return HX509_CRYPTO_INTERNAL_ERROR;
2680 }
2681
2682 clear->length = length;
2683 clear->data = malloc(length);
2684 if (clear->data == NULL) {
2685 EVP_CIPHER_CTX_cleanup(&evp);
2686 clear->length = 0;
2687 return ENOMEM;
2688 }
2689
2690 if (EVP_Cipher(&evp, clear->data, data, length) != 1) {
2691 return HX509_CRYPTO_INTERNAL_ERROR;
2692 }
2693 EVP_CIPHER_CTX_cleanup(&evp);
2694
2695 if ((crypto->flags & PADDING_PKCS7) && EVP_CIPHER_block_size(crypto->c) > 1) {
2696 int padsize;
2697 unsigned char *p;
2698 int j, bsize = EVP_CIPHER_block_size(crypto->c);
2699
2700 if ((int)clear->length < bsize) {
2701 ret = HX509_CMS_PADDING_ERROR;
2702 goto out;
2703 }
2704
2705 p = clear->data;
2706 p += clear->length - 1;
2707 padsize = *p;
2708 if (padsize > bsize) {
2709 ret = HX509_CMS_PADDING_ERROR;
2710 goto out;
2711 }
2712 clear->length -= padsize;
2713 for (j = 0; j < padsize; j++) {
2714 if (*p-- != padsize) {
2715 ret = HX509_CMS_PADDING_ERROR;
2716 goto out;
2717 }
2718 }
2719 }
2720
2721 return 0;
2722
2723 out:
2724 if (clear->data)
2725 free(clear->data);
2726 clear->data = NULL;
2727 clear->length = 0;
2728 return ret;
2729 }
2730
2731 typedef int (*PBE_string2key_func)(hx509_context,
2732 const char *,
2733 const heim_octet_string *,
2734 hx509_crypto *, heim_octet_string *,
2735 heim_octet_string *,
2736 const heim_oid *, const EVP_MD *);
2737
2738 static int
PBE_string2key(hx509_context context,const char * password,const heim_octet_string * parameters,hx509_crypto * crypto,heim_octet_string * key,heim_octet_string * iv,const heim_oid * enc_oid,const EVP_MD * md)2739 PBE_string2key(hx509_context context,
2740 const char *password,
2741 const heim_octet_string *parameters,
2742 hx509_crypto *crypto,
2743 heim_octet_string *key, heim_octet_string *iv,
2744 const heim_oid *enc_oid,
2745 const EVP_MD *md)
2746 {
2747 PKCS12_PBEParams p12params;
2748 int passwordlen;
2749 hx509_crypto c;
2750 int iter, saltlen, ret;
2751 unsigned char *salt;
2752
2753 passwordlen = password ? strlen(password) : 0;
2754
2755 if (parameters == NULL)
2756 return HX509_ALG_NOT_SUPP;
2757
2758 ret = decode_PKCS12_PBEParams(parameters->data,
2759 parameters->length,
2760 &p12params, NULL);
2761 if (ret)
2762 goto out;
2763
2764 if (p12params.iterations)
2765 iter = *p12params.iterations;
2766 else
2767 iter = 1;
2768 salt = p12params.salt.data;
2769 saltlen = p12params.salt.length;
2770
2771 if (!PKCS12_key_gen (password, passwordlen, salt, saltlen,
2772 PKCS12_KEY_ID, iter, key->length, key->data, md)) {
2773 ret = HX509_CRYPTO_INTERNAL_ERROR;
2774 goto out;
2775 }
2776
2777 if (!PKCS12_key_gen (password, passwordlen, salt, saltlen,
2778 PKCS12_IV_ID, iter, iv->length, iv->data, md)) {
2779 ret = HX509_CRYPTO_INTERNAL_ERROR;
2780 goto out;
2781 }
2782
2783 ret = hx509_crypto_init(context, NULL, enc_oid, &c);
2784 if (ret)
2785 goto out;
2786
2787 hx509_crypto_allow_weak(c);
2788
2789 ret = hx509_crypto_set_key_data(c, key->data, key->length);
2790 if (ret) {
2791 hx509_crypto_destroy(c);
2792 goto out;
2793 }
2794
2795 *crypto = c;
2796 out:
2797 free_PKCS12_PBEParams(&p12params);
2798 return ret;
2799 }
2800
2801 static const heim_oid *
find_string2key(const heim_oid * oid,const EVP_CIPHER ** c,const EVP_MD ** md,PBE_string2key_func * s2k)2802 find_string2key(const heim_oid *oid,
2803 const EVP_CIPHER **c,
2804 const EVP_MD **md,
2805 PBE_string2key_func *s2k)
2806 {
2807 if (der_heim_oid_cmp(oid, ASN1_OID_ID_PBEWITHSHAAND40BITRC2_CBC) == 0) {
2808 *c = EVP_rc2_40_cbc();
2809 *md = EVP_sha1();
2810 *s2k = PBE_string2key;
2811 return &asn1_oid_private_rc2_40;
2812 } else if (der_heim_oid_cmp(oid, ASN1_OID_ID_PBEWITHSHAAND128BITRC2_CBC) == 0) {
2813 *c = EVP_rc2_cbc();
2814 *md = EVP_sha1();
2815 *s2k = PBE_string2key;
2816 return ASN1_OID_ID_PKCS3_RC2_CBC;
2817 #if 0
2818 } else if (der_heim_oid_cmp(oid, ASN1_OID_ID_PBEWITHSHAAND40BITRC4) == 0) {
2819 *c = EVP_rc4_40();
2820 *md = EVP_sha1();
2821 *s2k = PBE_string2key;
2822 return NULL;
2823 } else if (der_heim_oid_cmp(oid, ASN1_OID_ID_PBEWITHSHAAND128BITRC4) == 0) {
2824 *c = EVP_rc4();
2825 *md = EVP_sha1();
2826 *s2k = PBE_string2key;
2827 return ASN1_OID_ID_PKCS3_RC4;
2828 #endif
2829 } else if (der_heim_oid_cmp(oid, ASN1_OID_ID_PBEWITHSHAAND3_KEYTRIPLEDES_CBC) == 0) {
2830 *c = EVP_des_ede3_cbc();
2831 *md = EVP_sha1();
2832 *s2k = PBE_string2key;
2833 return ASN1_OID_ID_PKCS3_DES_EDE3_CBC;
2834 }
2835
2836 return NULL;
2837 }
2838
2839 /*
2840 *
2841 */
2842
2843 int
_hx509_pbe_encrypt(hx509_context context,hx509_lock lock,const AlgorithmIdentifier * ai,const heim_octet_string * content,heim_octet_string * econtent)2844 _hx509_pbe_encrypt(hx509_context context,
2845 hx509_lock lock,
2846 const AlgorithmIdentifier *ai,
2847 const heim_octet_string *content,
2848 heim_octet_string *econtent)
2849 {
2850 hx509_clear_error_string(context);
2851 return EINVAL;
2852 }
2853
2854 /*
2855 *
2856 */
2857
2858 int
_hx509_pbe_decrypt(hx509_context context,hx509_lock lock,const AlgorithmIdentifier * ai,const heim_octet_string * econtent,heim_octet_string * content)2859 _hx509_pbe_decrypt(hx509_context context,
2860 hx509_lock lock,
2861 const AlgorithmIdentifier *ai,
2862 const heim_octet_string *econtent,
2863 heim_octet_string *content)
2864 {
2865 const struct _hx509_password *pw;
2866 heim_octet_string key, iv;
2867 const heim_oid *enc_oid;
2868 const EVP_CIPHER *c;
2869 const EVP_MD *md;
2870 PBE_string2key_func s2k;
2871 int ret = 0;
2872 size_t i;
2873
2874 memset(&key, 0, sizeof(key));
2875 memset(&iv, 0, sizeof(iv));
2876
2877 memset(content, 0, sizeof(*content));
2878
2879 enc_oid = find_string2key(&ai->algorithm, &c, &md, &s2k);
2880 if (enc_oid == NULL) {
2881 hx509_set_error_string(context, 0, HX509_ALG_NOT_SUPP,
2882 "String to key algorithm not supported");
2883 ret = HX509_ALG_NOT_SUPP;
2884 goto out;
2885 }
2886
2887 key.length = EVP_CIPHER_key_length(c);
2888 key.data = malloc(key.length);
2889 if (key.data == NULL) {
2890 ret = ENOMEM;
2891 hx509_clear_error_string(context);
2892 goto out;
2893 }
2894
2895 iv.length = EVP_CIPHER_iv_length(c);
2896 iv.data = malloc(iv.length);
2897 if (iv.data == NULL) {
2898 ret = ENOMEM;
2899 hx509_clear_error_string(context);
2900 goto out;
2901 }
2902
2903 pw = _hx509_lock_get_passwords(lock);
2904
2905 ret = HX509_CRYPTO_INTERNAL_ERROR;
2906 for (i = 0; i < pw->len + 1; i++) {
2907 hx509_crypto crypto;
2908 const char *password;
2909
2910 if (i < pw->len)
2911 password = pw->val[i];
2912 else if (i < pw->len + 1)
2913 password = "";
2914 else
2915 password = NULL;
2916
2917 ret = (*s2k)(context, password, ai->parameters, &crypto,
2918 &key, &iv, enc_oid, md);
2919 if (ret)
2920 goto out;
2921
2922 ret = hx509_crypto_decrypt(crypto,
2923 econtent->data,
2924 econtent->length,
2925 &iv,
2926 content);
2927 hx509_crypto_destroy(crypto);
2928 if (ret == 0)
2929 goto out;
2930
2931 }
2932 out:
2933 if (key.data)
2934 der_free_octet_string(&key);
2935 if (iv.data)
2936 der_free_octet_string(&iv);
2937 return ret;
2938 }
2939
2940 /*
2941 *
2942 */
2943
2944
2945 static int
match_keys_rsa(hx509_cert c,hx509_private_key private_key)2946 match_keys_rsa(hx509_cert c, hx509_private_key private_key)
2947 {
2948 const Certificate *cert;
2949 const SubjectPublicKeyInfo *spi;
2950 RSAPublicKey pk;
2951 RSA *rsa;
2952 size_t size;
2953 int ret;
2954
2955 if (private_key->private_key.rsa == NULL)
2956 return 0;
2957
2958 rsa = private_key->private_key.rsa;
2959 if (rsa->d == NULL || rsa->p == NULL || rsa->q == NULL)
2960 return 0;
2961
2962 cert = _hx509_get_cert(c);
2963 spi = &cert->tbsCertificate.subjectPublicKeyInfo;
2964
2965 rsa = RSA_new();
2966 if (rsa == NULL)
2967 return 0;
2968
2969 ret = decode_RSAPublicKey(spi->subjectPublicKey.data,
2970 spi->subjectPublicKey.length / 8,
2971 &pk, &size);
2972 if (ret) {
2973 RSA_free(rsa);
2974 return 0;
2975 }
2976 rsa->n = heim_int2BN(&pk.modulus);
2977 rsa->e = heim_int2BN(&pk.publicExponent);
2978
2979 free_RSAPublicKey(&pk);
2980
2981 rsa->d = BN_dup(private_key->private_key.rsa->d);
2982 rsa->p = BN_dup(private_key->private_key.rsa->p);
2983 rsa->q = BN_dup(private_key->private_key.rsa->q);
2984 rsa->dmp1 = BN_dup(private_key->private_key.rsa->dmp1);
2985 rsa->dmq1 = BN_dup(private_key->private_key.rsa->dmq1);
2986 rsa->iqmp = BN_dup(private_key->private_key.rsa->iqmp);
2987
2988 if (rsa->n == NULL || rsa->e == NULL ||
2989 rsa->d == NULL || rsa->p == NULL|| rsa->q == NULL ||
2990 rsa->dmp1 == NULL || rsa->dmq1 == NULL) {
2991 RSA_free(rsa);
2992 return 0;
2993 }
2994
2995 ret = RSA_check_key(rsa);
2996 RSA_free(rsa);
2997
2998 return ret == 1;
2999 }
3000
3001 static int
match_keys_ec(hx509_cert c,hx509_private_key private_key)3002 match_keys_ec(hx509_cert c, hx509_private_key private_key)
3003 {
3004 return 1; /* XXX use EC_KEY_check_key */
3005 }
3006
3007
3008 int
_hx509_match_keys(hx509_cert c,hx509_private_key key)3009 _hx509_match_keys(hx509_cert c, hx509_private_key key)
3010 {
3011 if (der_heim_oid_cmp(key->ops->key_oid, ASN1_OID_ID_PKCS1_RSAENCRYPTION) == 0)
3012 return match_keys_rsa(c, key);
3013 if (der_heim_oid_cmp(key->ops->key_oid, ASN1_OID_ID_ECPUBLICKEY) == 0)
3014 return match_keys_ec(c, key);
3015 return 0;
3016
3017 }
3018
3019
3020 static const heim_oid *
find_keytype(const hx509_private_key key)3021 find_keytype(const hx509_private_key key)
3022 {
3023 const struct signature_alg *md;
3024
3025 if (key == NULL)
3026 return NULL;
3027
3028 md = find_sig_alg(key->signature_alg);
3029 if (md == NULL)
3030 return NULL;
3031 return md->key_oid;
3032 }
3033
3034 int
hx509_crypto_select(const hx509_context context,int type,const hx509_private_key source,hx509_peer_info peer,AlgorithmIdentifier * selected)3035 hx509_crypto_select(const hx509_context context,
3036 int type,
3037 const hx509_private_key source,
3038 hx509_peer_info peer,
3039 AlgorithmIdentifier *selected)
3040 {
3041 const AlgorithmIdentifier *def = NULL;
3042 size_t i, j;
3043 int ret, bits;
3044
3045 memset(selected, 0, sizeof(*selected));
3046
3047 if (type == HX509_SELECT_DIGEST) {
3048 bits = SIG_DIGEST;
3049 if (source)
3050 def = alg_for_privatekey(source, type);
3051 if (def == NULL)
3052 def = _hx509_crypto_default_digest_alg;
3053 } else if (type == HX509_SELECT_PUBLIC_SIG) {
3054 bits = SIG_PUBLIC_SIG;
3055 /* XXX depend on `source´ and `peer´ */
3056 if (source)
3057 def = alg_for_privatekey(source, type);
3058 if (def == NULL)
3059 def = _hx509_crypto_default_sig_alg;
3060 } else if (type == HX509_SELECT_SECRET_ENC) {
3061 bits = SIG_SECRET;
3062 def = _hx509_crypto_default_secret_alg;
3063 } else {
3064 hx509_set_error_string(context, 0, EINVAL,
3065 "Unknown type %d of selection", type);
3066 return EINVAL;
3067 }
3068
3069 if (peer) {
3070 const heim_oid *keytype = NULL;
3071
3072 keytype = find_keytype(source);
3073
3074 for (i = 0; i < peer->len; i++) {
3075 for (j = 0; sig_algs[j]; j++) {
3076 if ((sig_algs[j]->flags & bits) != bits)
3077 continue;
3078 if (der_heim_oid_cmp(sig_algs[j]->sig_oid,
3079 &peer->val[i].algorithm) != 0)
3080 continue;
3081 if (keytype && sig_algs[j]->key_oid &&
3082 der_heim_oid_cmp(keytype, sig_algs[j]->key_oid))
3083 continue;
3084
3085 /* found one, use that */
3086 ret = copy_AlgorithmIdentifier(&peer->val[i], selected);
3087 if (ret)
3088 hx509_clear_error_string(context);
3089 return ret;
3090 }
3091 if (bits & SIG_SECRET) {
3092 const struct hx509cipher *cipher;
3093
3094 cipher = find_cipher_by_oid(&peer->val[i].algorithm);
3095 if (cipher == NULL)
3096 continue;
3097 if (cipher->ai_func == NULL)
3098 continue;
3099 ret = copy_AlgorithmIdentifier(cipher->ai_func(), selected);
3100 if (ret)
3101 hx509_clear_error_string(context);
3102 return ret;
3103 }
3104 }
3105 }
3106
3107 /* use default */
3108 ret = copy_AlgorithmIdentifier(def, selected);
3109 if (ret)
3110 hx509_clear_error_string(context);
3111 return ret;
3112 }
3113
3114 int
hx509_crypto_available(hx509_context context,int type,hx509_cert source,AlgorithmIdentifier ** val,unsigned int * plen)3115 hx509_crypto_available(hx509_context context,
3116 int type,
3117 hx509_cert source,
3118 AlgorithmIdentifier **val,
3119 unsigned int *plen)
3120 {
3121 const heim_oid *keytype = NULL;
3122 unsigned int len, i;
3123 void *ptr;
3124 int bits, ret;
3125
3126 *val = NULL;
3127
3128 if (type == HX509_SELECT_ALL) {
3129 bits = SIG_DIGEST | SIG_PUBLIC_SIG | SIG_SECRET;
3130 } else if (type == HX509_SELECT_DIGEST) {
3131 bits = SIG_DIGEST;
3132 } else if (type == HX509_SELECT_PUBLIC_SIG) {
3133 bits = SIG_PUBLIC_SIG;
3134 } else {
3135 hx509_set_error_string(context, 0, EINVAL,
3136 "Unknown type %d of available", type);
3137 return EINVAL;
3138 }
3139
3140 if (source)
3141 keytype = find_keytype(_hx509_cert_private_key(source));
3142
3143 len = 0;
3144 for (i = 0; sig_algs[i]; i++) {
3145 if ((sig_algs[i]->flags & bits) == 0)
3146 continue;
3147 if (sig_algs[i]->sig_alg == NULL)
3148 continue;
3149 if (keytype && sig_algs[i]->key_oid &&
3150 der_heim_oid_cmp(sig_algs[i]->key_oid, keytype))
3151 continue;
3152
3153 /* found one, add that to the list */
3154 ptr = realloc(*val, sizeof(**val) * (len + 1));
3155 if (ptr == NULL)
3156 goto out;
3157 *val = ptr;
3158
3159 ret = copy_AlgorithmIdentifier(sig_algs[i]->sig_alg, &(*val)[len]);
3160 if (ret)
3161 goto out;
3162 len++;
3163 }
3164
3165 /* Add AES */
3166 if (bits & SIG_SECRET) {
3167
3168 for (i = 0; i < sizeof(ciphers)/sizeof(ciphers[0]); i++) {
3169
3170 if (ciphers[i].flags & CIPHER_WEAK)
3171 continue;
3172 if (ciphers[i].ai_func == NULL)
3173 continue;
3174
3175 ptr = realloc(*val, sizeof(**val) * (len + 1));
3176 if (ptr == NULL)
3177 goto out;
3178 *val = ptr;
3179
3180 ret = copy_AlgorithmIdentifier((ciphers[i].ai_func)(), &(*val)[len]);
3181 if (ret)
3182 goto out;
3183 len++;
3184 }
3185 }
3186
3187 *plen = len;
3188 return 0;
3189
3190 out:
3191 for (i = 0; i < len; i++)
3192 free_AlgorithmIdentifier(&(*val)[i]);
3193 free(*val);
3194 *val = NULL;
3195 hx509_set_error_string(context, 0, ENOMEM, "out of memory");
3196 return ENOMEM;
3197 }
3198
3199 void
hx509_crypto_free_algs(AlgorithmIdentifier * val,unsigned int len)3200 hx509_crypto_free_algs(AlgorithmIdentifier *val,
3201 unsigned int len)
3202 {
3203 unsigned int i;
3204 for (i = 0; i < len; i++)
3205 free_AlgorithmIdentifier(&val[i]);
3206 free(val);
3207 }
3208