1// Copyright 2011 The Go Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style 3// license that can be found in the LICENSE file. 4 5package packet 6 7import ( 8 "crypto/rsa" 9 "encoding/binary" 10 "io" 11 "math/big" 12 "strconv" 13 14 "golang.org/x/crypto/openpgp/elgamal" 15 "golang.org/x/crypto/openpgp/errors" 16) 17 18const encryptedKeyVersion = 3 19 20// EncryptedKey represents a public-key encrypted session key. See RFC 4880, 21// section 5.1. 22type EncryptedKey struct { 23 KeyId uint64 24 Algo PublicKeyAlgorithm 25 CipherFunc CipherFunction // only valid after a successful Decrypt 26 Key []byte // only valid after a successful Decrypt 27 28 encryptedMPI1, encryptedMPI2 parsedMPI 29} 30 31func (e *EncryptedKey) parse(r io.Reader) (err error) { 32 var buf [10]byte 33 _, err = readFull(r, buf[:]) 34 if err != nil { 35 return 36 } 37 if buf[0] != encryptedKeyVersion { 38 return errors.UnsupportedError("unknown EncryptedKey version " + strconv.Itoa(int(buf[0]))) 39 } 40 e.KeyId = binary.BigEndian.Uint64(buf[1:9]) 41 e.Algo = PublicKeyAlgorithm(buf[9]) 42 switch e.Algo { 43 case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly: 44 e.encryptedMPI1.bytes, e.encryptedMPI1.bitLength, err = readMPI(r) 45 if err != nil { 46 return 47 } 48 case PubKeyAlgoElGamal: 49 e.encryptedMPI1.bytes, e.encryptedMPI1.bitLength, err = readMPI(r) 50 if err != nil { 51 return 52 } 53 e.encryptedMPI2.bytes, e.encryptedMPI2.bitLength, err = readMPI(r) 54 if err != nil { 55 return 56 } 57 } 58 _, err = consumeAll(r) 59 return 60} 61 62func checksumKeyMaterial(key []byte) uint16 { 63 var checksum uint16 64 for _, v := range key { 65 checksum += uint16(v) 66 } 67 return checksum 68} 69 70// Decrypt decrypts an encrypted session key with the given private key. The 71// private key must have been decrypted first. 72// If config is nil, sensible defaults will be used. 73func (e *EncryptedKey) Decrypt(priv *PrivateKey, config *Config) error { 74 var err error 75 var b []byte 76 77 // TODO(agl): use session key decryption routines here to avoid 78 // padding oracle attacks. 79 switch priv.PubKeyAlgo { 80 case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly: 81 k := priv.PrivateKey.(*rsa.PrivateKey) 82 b, err = rsa.DecryptPKCS1v15(config.Random(), k, padToKeySize(&k.PublicKey, e.encryptedMPI1.bytes)) 83 case PubKeyAlgoElGamal: 84 c1 := new(big.Int).SetBytes(e.encryptedMPI1.bytes) 85 c2 := new(big.Int).SetBytes(e.encryptedMPI2.bytes) 86 b, err = elgamal.Decrypt(priv.PrivateKey.(*elgamal.PrivateKey), c1, c2) 87 default: 88 err = errors.InvalidArgumentError("cannot decrypted encrypted session key with private key of type " + strconv.Itoa(int(priv.PubKeyAlgo))) 89 } 90 91 if err != nil { 92 return err 93 } 94 95 e.CipherFunc = CipherFunction(b[0]) 96 e.Key = b[1 : len(b)-2] 97 expectedChecksum := uint16(b[len(b)-2])<<8 | uint16(b[len(b)-1]) 98 checksum := checksumKeyMaterial(e.Key) 99 if checksum != expectedChecksum { 100 return errors.StructuralError("EncryptedKey checksum incorrect") 101 } 102 103 return nil 104} 105 106// Serialize writes the encrypted key packet, e, to w. 107func (e *EncryptedKey) Serialize(w io.Writer) error { 108 var mpiLen int 109 switch e.Algo { 110 case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly: 111 mpiLen = 2 + len(e.encryptedMPI1.bytes) 112 case PubKeyAlgoElGamal: 113 mpiLen = 2 + len(e.encryptedMPI1.bytes) + 2 + len(e.encryptedMPI2.bytes) 114 default: 115 return errors.InvalidArgumentError("don't know how to serialize encrypted key type " + strconv.Itoa(int(e.Algo))) 116 } 117 118 serializeHeader(w, packetTypeEncryptedKey, 1 /* version */ +8 /* key id */ +1 /* algo */ +mpiLen) 119 120 w.Write([]byte{encryptedKeyVersion}) 121 binary.Write(w, binary.BigEndian, e.KeyId) 122 w.Write([]byte{byte(e.Algo)}) 123 124 switch e.Algo { 125 case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly: 126 writeMPIs(w, e.encryptedMPI1) 127 case PubKeyAlgoElGamal: 128 writeMPIs(w, e.encryptedMPI1, e.encryptedMPI2) 129 default: 130 panic("internal error") 131 } 132 133 return nil 134} 135 136// SerializeEncryptedKey serializes an encrypted key packet to w that contains 137// key, encrypted to pub. 138// If config is nil, sensible defaults will be used. 139func SerializeEncryptedKey(w io.Writer, pub *PublicKey, cipherFunc CipherFunction, key []byte, config *Config) error { 140 var buf [10]byte 141 buf[0] = encryptedKeyVersion 142 binary.BigEndian.PutUint64(buf[1:9], pub.KeyId) 143 buf[9] = byte(pub.PubKeyAlgo) 144 145 keyBlock := make([]byte, 1 /* cipher type */ +len(key)+2 /* checksum */) 146 keyBlock[0] = byte(cipherFunc) 147 copy(keyBlock[1:], key) 148 checksum := checksumKeyMaterial(key) 149 keyBlock[1+len(key)] = byte(checksum >> 8) 150 keyBlock[1+len(key)+1] = byte(checksum) 151 152 switch pub.PubKeyAlgo { 153 case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly: 154 return serializeEncryptedKeyRSA(w, config.Random(), buf, pub.PublicKey.(*rsa.PublicKey), keyBlock) 155 case PubKeyAlgoElGamal: 156 return serializeEncryptedKeyElGamal(w, config.Random(), buf, pub.PublicKey.(*elgamal.PublicKey), keyBlock) 157 case PubKeyAlgoDSA, PubKeyAlgoRSASignOnly: 158 return errors.InvalidArgumentError("cannot encrypt to public key of type " + strconv.Itoa(int(pub.PubKeyAlgo))) 159 } 160 161 return errors.UnsupportedError("encrypting a key to public key of type " + strconv.Itoa(int(pub.PubKeyAlgo))) 162} 163 164func serializeEncryptedKeyRSA(w io.Writer, rand io.Reader, header [10]byte, pub *rsa.PublicKey, keyBlock []byte) error { 165 cipherText, err := rsa.EncryptPKCS1v15(rand, pub, keyBlock) 166 if err != nil { 167 return errors.InvalidArgumentError("RSA encryption failed: " + err.Error()) 168 } 169 170 packetLen := 10 /* header length */ + 2 /* mpi size */ + len(cipherText) 171 172 err = serializeHeader(w, packetTypeEncryptedKey, packetLen) 173 if err != nil { 174 return err 175 } 176 _, err = w.Write(header[:]) 177 if err != nil { 178 return err 179 } 180 return writeMPI(w, 8*uint16(len(cipherText)), cipherText) 181} 182 183func serializeEncryptedKeyElGamal(w io.Writer, rand io.Reader, header [10]byte, pub *elgamal.PublicKey, keyBlock []byte) error { 184 c1, c2, err := elgamal.Encrypt(rand, pub, keyBlock) 185 if err != nil { 186 return errors.InvalidArgumentError("ElGamal encryption failed: " + err.Error()) 187 } 188 189 packetLen := 10 /* header length */ 190 packetLen += 2 /* mpi size */ + (c1.BitLen()+7)/8 191 packetLen += 2 /* mpi size */ + (c2.BitLen()+7)/8 192 193 err = serializeHeader(w, packetTypeEncryptedKey, packetLen) 194 if err != nil { 195 return err 196 } 197 _, err = w.Write(header[:]) 198 if err != nil { 199 return err 200 } 201 err = writeBig(w, c1) 202 if err != nil { 203 return err 204 } 205 return writeBig(w, c2) 206} 207