1// Copyright 2011 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5package packet
6
7import (
8	"crypto"
9	"crypto/rsa"
10	"encoding/binary"
11	"io"
12	"math/big"
13	"strconv"
14
15	"golang.org/x/crypto/openpgp/elgamal"
16	"golang.org/x/crypto/openpgp/errors"
17)
18
19const encryptedKeyVersion = 3
20
21// EncryptedKey represents a public-key encrypted session key. See RFC 4880,
22// section 5.1.
23type EncryptedKey struct {
24	KeyId      uint64
25	Algo       PublicKeyAlgorithm
26	CipherFunc CipherFunction // only valid after a successful Decrypt
27	Key        []byte         // only valid after a successful Decrypt
28
29	encryptedMPI1, encryptedMPI2 parsedMPI
30}
31
32func (e *EncryptedKey) parse(r io.Reader) (err error) {
33	var buf [10]byte
34	_, err = readFull(r, buf[:])
35	if err != nil {
36		return
37	}
38	if buf[0] != encryptedKeyVersion {
39		return errors.UnsupportedError("unknown EncryptedKey version " + strconv.Itoa(int(buf[0])))
40	}
41	e.KeyId = binary.BigEndian.Uint64(buf[1:9])
42	e.Algo = PublicKeyAlgorithm(buf[9])
43	switch e.Algo {
44	case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly:
45		e.encryptedMPI1.bytes, e.encryptedMPI1.bitLength, err = readMPI(r)
46		if err != nil {
47			return
48		}
49	case PubKeyAlgoElGamal:
50		e.encryptedMPI1.bytes, e.encryptedMPI1.bitLength, err = readMPI(r)
51		if err != nil {
52			return
53		}
54		e.encryptedMPI2.bytes, e.encryptedMPI2.bitLength, err = readMPI(r)
55		if err != nil {
56			return
57		}
58	}
59	_, err = consumeAll(r)
60	return
61}
62
63func checksumKeyMaterial(key []byte) uint16 {
64	var checksum uint16
65	for _, v := range key {
66		checksum += uint16(v)
67	}
68	return checksum
69}
70
71// Decrypt decrypts an encrypted session key with the given private key. The
72// private key must have been decrypted first.
73// If config is nil, sensible defaults will be used.
74func (e *EncryptedKey) Decrypt(priv *PrivateKey, config *Config) error {
75	var err error
76	var b []byte
77
78	// TODO(agl): use session key decryption routines here to avoid
79	// padding oracle attacks.
80	switch priv.PubKeyAlgo {
81	case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly:
82		// Supports both *rsa.PrivateKey and crypto.Decrypter
83		k := priv.PrivateKey.(crypto.Decrypter)
84		b, err = k.Decrypt(config.Random(), padToKeySize(k.Public().(*rsa.PublicKey), e.encryptedMPI1.bytes), nil)
85	case PubKeyAlgoElGamal:
86		c1 := new(big.Int).SetBytes(e.encryptedMPI1.bytes)
87		c2 := new(big.Int).SetBytes(e.encryptedMPI2.bytes)
88		b, err = elgamal.Decrypt(priv.PrivateKey.(*elgamal.PrivateKey), c1, c2)
89	default:
90		err = errors.InvalidArgumentError("cannot decrypted encrypted session key with private key of type " + strconv.Itoa(int(priv.PubKeyAlgo)))
91	}
92
93	if err != nil {
94		return err
95	}
96
97	e.CipherFunc = CipherFunction(b[0])
98	e.Key = b[1 : len(b)-2]
99	expectedChecksum := uint16(b[len(b)-2])<<8 | uint16(b[len(b)-1])
100	checksum := checksumKeyMaterial(e.Key)
101	if checksum != expectedChecksum {
102		return errors.StructuralError("EncryptedKey checksum incorrect")
103	}
104
105	return nil
106}
107
108// Serialize writes the encrypted key packet, e, to w.
109func (e *EncryptedKey) Serialize(w io.Writer) error {
110	var mpiLen int
111	switch e.Algo {
112	case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly:
113		mpiLen = 2 + len(e.encryptedMPI1.bytes)
114	case PubKeyAlgoElGamal:
115		mpiLen = 2 + len(e.encryptedMPI1.bytes) + 2 + len(e.encryptedMPI2.bytes)
116	default:
117		return errors.InvalidArgumentError("don't know how to serialize encrypted key type " + strconv.Itoa(int(e.Algo)))
118	}
119
120	serializeHeader(w, packetTypeEncryptedKey, 1 /* version */ +8 /* key id */ +1 /* algo */ +mpiLen)
121
122	w.Write([]byte{encryptedKeyVersion})
123	binary.Write(w, binary.BigEndian, e.KeyId)
124	w.Write([]byte{byte(e.Algo)})
125
126	switch e.Algo {
127	case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly:
128		writeMPIs(w, e.encryptedMPI1)
129	case PubKeyAlgoElGamal:
130		writeMPIs(w, e.encryptedMPI1, e.encryptedMPI2)
131	default:
132		panic("internal error")
133	}
134
135	return nil
136}
137
138// SerializeEncryptedKey serializes an encrypted key packet to w that contains
139// key, encrypted to pub.
140// If config is nil, sensible defaults will be used.
141func SerializeEncryptedKey(w io.Writer, pub *PublicKey, cipherFunc CipherFunction, key []byte, config *Config) error {
142	var buf [10]byte
143	buf[0] = encryptedKeyVersion
144	binary.BigEndian.PutUint64(buf[1:9], pub.KeyId)
145	buf[9] = byte(pub.PubKeyAlgo)
146
147	keyBlock := make([]byte, 1 /* cipher type */ +len(key)+2 /* checksum */)
148	keyBlock[0] = byte(cipherFunc)
149	copy(keyBlock[1:], key)
150	checksum := checksumKeyMaterial(key)
151	keyBlock[1+len(key)] = byte(checksum >> 8)
152	keyBlock[1+len(key)+1] = byte(checksum)
153
154	switch pub.PubKeyAlgo {
155	case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly:
156		return serializeEncryptedKeyRSA(w, config.Random(), buf, pub.PublicKey.(*rsa.PublicKey), keyBlock)
157	case PubKeyAlgoElGamal:
158		return serializeEncryptedKeyElGamal(w, config.Random(), buf, pub.PublicKey.(*elgamal.PublicKey), keyBlock)
159	case PubKeyAlgoDSA, PubKeyAlgoRSASignOnly:
160		return errors.InvalidArgumentError("cannot encrypt to public key of type " + strconv.Itoa(int(pub.PubKeyAlgo)))
161	}
162
163	return errors.UnsupportedError("encrypting a key to public key of type " + strconv.Itoa(int(pub.PubKeyAlgo)))
164}
165
166func serializeEncryptedKeyRSA(w io.Writer, rand io.Reader, header [10]byte, pub *rsa.PublicKey, keyBlock []byte) error {
167	cipherText, err := rsa.EncryptPKCS1v15(rand, pub, keyBlock)
168	if err != nil {
169		return errors.InvalidArgumentError("RSA encryption failed: " + err.Error())
170	}
171
172	packetLen := 10 /* header length */ + 2 /* mpi size */ + len(cipherText)
173
174	err = serializeHeader(w, packetTypeEncryptedKey, packetLen)
175	if err != nil {
176		return err
177	}
178	_, err = w.Write(header[:])
179	if err != nil {
180		return err
181	}
182	return writeMPI(w, 8*uint16(len(cipherText)), cipherText)
183}
184
185func serializeEncryptedKeyElGamal(w io.Writer, rand io.Reader, header [10]byte, pub *elgamal.PublicKey, keyBlock []byte) error {
186	c1, c2, err := elgamal.Encrypt(rand, pub, keyBlock)
187	if err != nil {
188		return errors.InvalidArgumentError("ElGamal encryption failed: " + err.Error())
189	}
190
191	packetLen := 10 /* header length */
192	packetLen += 2 /* mpi size */ + (c1.BitLen()+7)/8
193	packetLen += 2 /* mpi size */ + (c2.BitLen()+7)/8
194
195	err = serializeHeader(w, packetTypeEncryptedKey, packetLen)
196	if err != nil {
197		return err
198	}
199	_, err = w.Write(header[:])
200	if err != nil {
201		return err
202	}
203	err = writeBig(w, c1)
204	if err != nil {
205		return err
206	}
207	return writeBig(w, c2)
208}
209