1 // Copyright (c) 2014-2020 Thomas Fussell
2 //
3 // Permission is hereby granted, free of charge, to any person obtaining a copy
4 // of this software and associated documentation files (the "Software"), to deal
5 // in the Software without restriction, including without limitation the rights
6 // to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
7 // copies of the Software, and to permit persons to whom the Software is
8 // furnished to do so, subject to the following conditions:
9 //
10 // The above copyright notice and this permission notice shall be included in
11 // all copies or substantial portions of the Software.
12 //
13 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
14 // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
15 // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
16 // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
17 // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, WRISING FROM,
18 // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
19 // THE SOFTWARE
20 //
21 // @license: http://www.opensource.org/licenses/mit-license.php
22 // @author: see AUTHORS file
23
24 #include <xlnt/utils/exceptions.hpp>
25 #include <detail/constants.hpp>
26 #include <detail/cryptography/aes.hpp>
27 #include <detail/cryptography/base64.hpp>
28 #include <detail/cryptography/compound_document.hpp>
29 #include <detail/cryptography/encryption_info.hpp>
30 #include <detail/cryptography/value_traits.hpp>
31 #include <detail/cryptography/xlsx_crypto_producer.hpp>
32 #include <detail/external/include_libstudxml.hpp>
33 #include <detail/serialization/vector_streambuf.hpp>
34 #include <detail/serialization/xlsx_producer.hpp>
35 #include <detail/serialization/zstream.hpp>
36 #include <detail/unicode.hpp>
37
38 namespace {
39
40 using xlnt::detail::encryption_info;
41
generate_encryption_info(const std::u16string &)42 encryption_info generate_encryption_info(const std::u16string & /*password*/)
43 {
44 encryption_info result;
45
46 result.is_agile = true;
47
48 result.agile = encryption_info::agile_encryption_info();
49
50 result.agile.key_data.block_size = 16;
51 result.agile.key_data.cipher_algorithm = "AES";
52 result.agile.key_data.cipher_chaining = "ChainingModeCBC";
53 result.agile.key_data.hash_algorithm = "SHA512";
54 result.agile.key_data.hash_size = 64;
55 result.agile.key_data.key_bits = 256;
56 result.agile.key_data.salt_size = 16;
57 result.agile.key_data.salt_value =
58 {
59 {40, 183, 193, 64, 115, 97, 10, 177, 122, 50, 243, 123, 229, 145, 162, 247}};
60
61 result.agile.data_integrity.hmac_key =
62 {
63 {90, 206, 203, 147, 102, 81, 82, 14, 118, 94, 168, 38, 200, 79, 13, 147, 60,
64 123, 167, 220, 17, 165, 124, 188, 206, 74, 98, 33, 156, 63, 220, 152, 180, 201,
65 167, 183, 141, 252, 182, 55, 90, 189, 187, 167, 230, 186, 61, 239, 80, 49, 54,
66 208, 52, 133, 232, 187, 117, 136, 213, 48, 133, 15, 7, 126}};
67 result.agile.data_integrity.hmac_value =
68 {
69 {49, 128, 174, 178, 161, 48, 1, 82, 241, 103, 72, 223, 103, 111, 204, 73,
70 210, 70, 254, 43, 12, 134, 180, 201, 124, 153, 214, 115, 82, 184, 78, 2,
71 166, 106, 69, 18, 173, 177, 40, 238, 243, 240, 3, 86, 145, 218, 223, 177,
72 36, 34, 44, 159, 104, 163, 217, 42, 203, 135, 173, 14, 218, 172, 72, 224}};
73
74 result.agile.key_encryptor.spin_count = 100000;
75 result.agile.key_encryptor.block_size = 16;
76 result.agile.key_encryptor.cipher_algorithm = "AES";
77 result.agile.key_encryptor.cipher_chaining = "ChainingModeCBC";
78 result.agile.key_encryptor.hash = xlnt::detail::hash_algorithm::sha512;
79 result.agile.key_encryptor.hash_size = 64;
80 result.agile.key_encryptor.key_bits = 256;
81 result.agile.key_encryptor.salt_size = 16;
82 result.agile.key_encryptor.salt_value =
83 {
84 {98, 169, 85, 224, 173, 253, 2, 52, 199, 108, 195, 73, 116, 112, 72, 165}};
85 result.agile.key_encryptor.verifier_hash_input =
86 {
87 {179, 105, 118, 193, 217, 180, 248, 7, 174, 45, 186, 17, 202, 101, 178, 12}};
88 result.agile.key_encryptor.verifier_hash_value =
89 {
90 {82, 190, 235, 102, 30, 33, 103, 191, 3, 160, 153, 30, 127, 117, 8, 195, 65,
91 245, 77, 219, 85, 28, 206, 236, 55, 86, 243, 49, 104, 128, 243, 138, 227, 113,
92 82, 88, 88, 73, 243, 108, 193, 11, 84, 162, 235, 189, 9, 137, 151, 97, 43,
93 137, 197, 72, 164, 192, 65, 252, 253, 227, 236, 242, 252, 179}};
94 result.agile.key_encryptor.encrypted_key_value =
95 {
96 {220, 6, 106, 218, 31, 210, 9, 75, 28, 154, 173, 232, 190, 109, 112, 203, 25,
97 5, 45, 152, 75, 131, 122, 17, 166, 95, 117, 124, 121, 123, 32, 133}};
98
99 return result;
100 }
101
write_agile_encryption_info(const encryption_info & info,std::ostream & info_stream)102 void write_agile_encryption_info(
103 const encryption_info &info,
104 std::ostream &info_stream)
105 {
106 const auto version_major = std::uint16_t(4);
107 const auto version_minor = std::uint16_t(4);
108 const auto encryption_flags = std::uint32_t(0x40);
109
110 info_stream.write(reinterpret_cast<const char *>(&version_major), sizeof(std::uint16_t));
111 info_stream.write(reinterpret_cast<const char *>(&version_minor), sizeof(std::uint16_t));
112 info_stream.write(reinterpret_cast<const char *>(&encryption_flags), sizeof(std::uint32_t));
113
114 static const auto &xmlns = xlnt::constants::ns("encryption");
115 static const auto &xmlns_p = xlnt::constants::ns("encryption-password");
116
117 xml::serializer serializer(info_stream, "EncryptionInfo");
118
119 serializer.start_element(xmlns, "encryption");
120
121 const auto key_data = info.agile.key_data;
122 serializer.start_element(xmlns, "keyData");
123 serializer.attribute("saltSize", key_data.salt_size);
124 serializer.attribute("blockSize", key_data.block_size);
125 serializer.attribute("keyBits", key_data.key_bits);
126 serializer.attribute("hashSize", key_data.hash_size);
127 serializer.attribute("cipherAlgorithm", key_data.cipher_algorithm);
128 serializer.attribute("cipherChaining", key_data.cipher_chaining);
129 serializer.attribute("hashAlgorithm", key_data.hash_algorithm);
130 serializer.attribute("saltValue",
131 xlnt::detail::encode_base64(key_data.salt_value));
132 serializer.end_element(xmlns, "keyData");
133
134 const auto data_integrity = info.agile.data_integrity;
135 serializer.start_element(xmlns, "dataIntegrity");
136 serializer.attribute("encryptedHmacKey",
137 xlnt::detail::encode_base64(data_integrity.hmac_key));
138 serializer.attribute("encryptedHmacValue",
139 xlnt::detail::encode_base64(data_integrity.hmac_value));
140 serializer.end_element(xmlns, "dataIntegrity");
141
142 const auto key_encryptor = info.agile.key_encryptor;
143 serializer.start_element(xmlns, "keyEncryptors");
144 serializer.start_element(xmlns, "keyEncryptor");
145 serializer.attribute("uri", "");
146 serializer.start_element(xmlns_p, "encryptedKey");
147 serializer.attribute("spinCount", key_encryptor.spin_count);
148 serializer.attribute("saltSize", key_encryptor.salt_size);
149 serializer.attribute("blockSize", key_encryptor.block_size);
150 serializer.attribute("keyBits", key_encryptor.key_bits);
151 serializer.attribute("hashSize", key_encryptor.hash_size);
152 serializer.attribute("cipherAlgorithm", key_encryptor.cipher_algorithm);
153 serializer.attribute("cipherChaining", key_encryptor.cipher_chaining);
154 serializer.attribute("hashAlgorithm", key_encryptor.hash);
155 serializer.attribute("saltValue",
156 xlnt::detail::encode_base64(key_encryptor.salt_value));
157 serializer.attribute("encryptedVerifierHashInput",
158 xlnt::detail::encode_base64(key_encryptor.verifier_hash_input));
159 serializer.attribute("encryptedVerifierHashValue",
160 xlnt::detail::encode_base64(key_encryptor.verifier_hash_value));
161 serializer.attribute("encryptedKeyValue",
162 xlnt::detail::encode_base64(key_encryptor.encrypted_key_value));
163 serializer.end_element(xmlns_p, "encryptedKey");
164 serializer.end_element(xmlns, "keyEncryptor");
165 serializer.end_element(xmlns, "keyEncryptors");
166
167 serializer.end_element(xmlns, "encryption");
168 }
169
write_standard_encryption_info(const encryption_info & info,std::ostream & info_stream)170 void write_standard_encryption_info(const encryption_info &info, std::ostream &info_stream)
171 {
172 auto result = std::vector<std::uint8_t>();
173 auto writer = xlnt::detail::binary_writer<std::uint8_t>(result);
174
175 const auto version_major = std::uint16_t(4);
176 const auto version_minor = std::uint16_t(2);
177 const auto encryption_flags = std::uint32_t(0x10 & 0x20);
178
179 writer.write(version_major);
180 writer.write(version_minor);
181 writer.write(encryption_flags);
182
183 const auto header_length = std::uint32_t(32); // calculate this!
184
185 writer.write(header_length);
186 writer.write(std::uint32_t(0)); // skip_flags
187 writer.write(std::uint32_t(0)); // size_extra
188 writer.write(std::uint32_t(0x0000660E));
189 writer.write(std::uint32_t(0x00008004));
190 writer.write(std::uint32_t(info.standard.key_bits));
191 writer.write(std::uint32_t(0x00000018));
192 writer.write(std::uint32_t(0));
193 writer.write(std::uint32_t(0));
194
195 const auto provider = std::u16string(u"Microsoft Enhanced RSA and AES Cryptographic Provider");
196 writer.append(xlnt::detail::string_to_bytes(provider));
197
198 writer.write(std::uint32_t(info.standard.salt.size()));
199 writer.append(info.standard.salt);
200
201 writer.append(info.standard.encrypted_verifier);
202
203 writer.write(std::uint32_t(20));
204 writer.append(info.standard.encrypted_verifier_hash);
205
206 info_stream.write(reinterpret_cast<char *>(result.data()),
207 static_cast<std::streamsize>(result.size()));
208 }
209
encrypt_xlsx_agile(const encryption_info & info,const std::vector<std::uint8_t> & plaintext,std::ostream & ciphertext_stream)210 void encrypt_xlsx_agile(
211 const encryption_info &info,
212 const std::vector<std::uint8_t> &plaintext,
213 std::ostream &ciphertext_stream)
214 {
215 const auto length = static_cast<std::uint64_t>(plaintext.size());
216 ciphertext_stream.write(reinterpret_cast<const char *>(&length), sizeof(std::uint64_t));
217
218 auto key = info.calculate_key();
219
220 auto salt_size = info.agile.key_data.salt_size;
221 auto salt_with_block_key = info.agile.key_data.salt_value;
222 salt_with_block_key.resize(salt_size + sizeof(std::uint32_t), 0);
223 auto &segment_index = *reinterpret_cast<std::uint32_t *>(salt_with_block_key.data() + salt_size);
224
225 auto segment = std::vector<std::uint8_t>(4096, 0);
226
227 for (auto i = std::size_t(0); i < length; i += 4096)
228 {
229 auto iv = hash(info.agile.key_encryptor.hash, salt_with_block_key);
230 iv.resize(16);
231
232 auto start = plaintext.begin() + static_cast<std::ptrdiff_t>(i);
233 auto bytes = std::min(std::size_t(length - i), std::size_t(4096));
234 std::copy(start, start + static_cast<std::ptrdiff_t>(bytes), segment.begin());
235 auto encrypted_segment = xlnt::detail::aes_cbc_encrypt(segment, key, iv);
236 ciphertext_stream.write(reinterpret_cast<char *>(encrypted_segment.data()),
237 static_cast<std::streamsize>(bytes));
238
239 ++segment_index;
240 }
241 }
242
encrypt_xlsx_standard(const encryption_info & info,const std::vector<std::uint8_t> & plaintext,std::ostream & ciphertext_stream)243 void encrypt_xlsx_standard(
244 const encryption_info &info,
245 const std::vector<std::uint8_t> &plaintext,
246 std::ostream &ciphertext_stream)
247 {
248 const auto length = static_cast<std::uint64_t>(plaintext.size());
249 ciphertext_stream.write(reinterpret_cast<const char *>(&length), sizeof(std::uint64_t));
250
251 auto key = info.calculate_key();
252 auto segment = std::vector<std::uint8_t>(4096, 0);
253
254 for (auto i = std::size_t(0); i < length; ++i)
255 {
256 auto start = plaintext.begin() + static_cast<std::ptrdiff_t>(i);
257 auto bytes = std::min(std::size_t(length - i), std::size_t(4096));
258 std::copy(start, start + static_cast<std::ptrdiff_t>(bytes), segment.begin());
259 auto encrypted_segment = xlnt::detail::aes_ecb_encrypt(segment, key);
260 ciphertext_stream.write(reinterpret_cast<char *>(encrypted_segment.data()),
261 static_cast<std::streamsize>(bytes));
262 }
263 }
264
encrypt_xlsx(const std::vector<std::uint8_t> & plaintext,const std::u16string & password)265 std::vector<std::uint8_t> encrypt_xlsx(
266 const std::vector<std::uint8_t> &plaintext,
267 const std::u16string &password)
268 {
269 auto encryption_info = generate_encryption_info(password);
270 encryption_info.password = u"secret";
271
272 auto ciphertext = std::vector<std::uint8_t>();
273
274 xlnt::detail::vector_ostreambuf buffer(ciphertext);
275 std::ostream stream(&buffer);
276 xlnt::detail::compound_document document(stream);
277
278 if (encryption_info.is_agile)
279 {
280 write_agile_encryption_info(encryption_info,
281 document.open_write_stream("/EncryptionInfo"));
282 encrypt_xlsx_agile(encryption_info, plaintext,
283 document.open_write_stream("/EncryptedPackage"));
284 }
285 else
286 {
287 write_standard_encryption_info(encryption_info,
288 document.open_write_stream("/EncryptionInfo"));
289 encrypt_xlsx_standard(encryption_info, plaintext,
290 document.open_write_stream("/EncryptedPackage"));
291 }
292
293 return ciphertext;
294 }
295
296 } // namespace
297
298 namespace xlnt {
299 namespace detail {
300
encrypt_xlsx(const std::vector<std::uint8_t> & plaintext,const std::string & password)301 std::vector<std::uint8_t> XLNT_API encrypt_xlsx(
302 const std::vector<std::uint8_t> &plaintext,
303 const std::string &password)
304 {
305 return ::encrypt_xlsx(plaintext, utf8_to_utf16(password));
306 }
307
write(std::ostream & destination,const std::string & password)308 void xlsx_producer::write(std::ostream &destination, const std::string &password)
309 {
310 std::vector<std::uint8_t> plaintext;
311 vector_ostreambuf plaintext_buffer(plaintext);
312 std::ostream decrypted_stream(&plaintext_buffer);
313 write(decrypted_stream);
314 archive_.reset();
315
316 const auto ciphertext = ::encrypt_xlsx(plaintext, utf8_to_utf16(password));
317 vector_istreambuf encrypted_buffer(ciphertext);
318
319 destination << &encrypted_buffer;
320 }
321
322 } // namespace detail
323 } // namespace xlnt
324