1 /* 2 * Copyright 2013-2016 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include "internal/cryptlib.h" 11 #include <openssl/asn1t.h> 12 #include <openssl/pem.h> 13 #include <openssl/x509v3.h> 14 #include <openssl/err.h> 15 #include <openssl/cms.h> 16 #include <openssl/aes.h> 17 #include "cms_lcl.h" 18 #include "internal/asn1_int.h" 19 20 /* Key Agreement Recipient Info (KARI) routines */ 21 22 int CMS_RecipientInfo_kari_get0_alg(CMS_RecipientInfo *ri, 23 X509_ALGOR **palg, 24 ASN1_OCTET_STRING **pukm) 25 { 26 if (ri->type != CMS_RECIPINFO_AGREE) { 27 CMSerr(CMS_F_CMS_RECIPIENTINFO_KARI_GET0_ALG, 28 CMS_R_NOT_KEY_AGREEMENT); 29 return 0; 30 } 31 if (palg) 32 *palg = ri->d.kari->keyEncryptionAlgorithm; 33 if (pukm) 34 *pukm = ri->d.kari->ukm; 35 return 1; 36 } 37 38 /* Retrieve recipient encrypted keys from a kari */ 39 40 STACK_OF(CMS_RecipientEncryptedKey) 41 *CMS_RecipientInfo_kari_get0_reks(CMS_RecipientInfo *ri) 42 { 43 if (ri->type != CMS_RECIPINFO_AGREE) { 44 CMSerr(CMS_F_CMS_RECIPIENTINFO_KARI_GET0_REKS, 45 CMS_R_NOT_KEY_AGREEMENT); 46 return NULL; 47 } 48 return ri->d.kari->recipientEncryptedKeys; 49 } 50 51 int CMS_RecipientInfo_kari_get0_orig_id(CMS_RecipientInfo *ri, 52 X509_ALGOR **pubalg, 53 ASN1_BIT_STRING **pubkey, 54 ASN1_OCTET_STRING **keyid, 55 X509_NAME **issuer, 56 ASN1_INTEGER **sno) 57 { 58 CMS_OriginatorIdentifierOrKey *oik; 59 if (ri->type != CMS_RECIPINFO_AGREE) { 60 CMSerr(CMS_F_CMS_RECIPIENTINFO_KARI_GET0_ORIG_ID, 61 CMS_R_NOT_KEY_AGREEMENT); 62 return 0; 63 } 64 oik = ri->d.kari->originator; 65 if (issuer) 66 *issuer = NULL; 67 if (sno) 68 *sno = NULL; 69 if (keyid) 70 *keyid = NULL; 71 if (pubalg) 72 *pubalg = NULL; 73 if (pubkey) 74 *pubkey = NULL; 75 if (oik->type == CMS_OIK_ISSUER_SERIAL) { 76 if (issuer) 77 *issuer = oik->d.issuerAndSerialNumber->issuer; 78 if (sno) 79 *sno = oik->d.issuerAndSerialNumber->serialNumber; 80 } else if (oik->type == CMS_OIK_KEYIDENTIFIER) { 81 if (keyid) 82 *keyid = oik->d.subjectKeyIdentifier; 83 } else if (oik->type == CMS_OIK_PUBKEY) { 84 if (pubalg) 85 *pubalg = oik->d.originatorKey->algorithm; 86 if (pubkey) 87 *pubkey = oik->d.originatorKey->publicKey; 88 } else 89 return 0; 90 return 1; 91 } 92 93 int CMS_RecipientInfo_kari_orig_id_cmp(CMS_RecipientInfo *ri, X509 *cert) 94 { 95 CMS_OriginatorIdentifierOrKey *oik; 96 if (ri->type != CMS_RECIPINFO_AGREE) { 97 CMSerr(CMS_F_CMS_RECIPIENTINFO_KARI_ORIG_ID_CMP, 98 CMS_R_NOT_KEY_AGREEMENT); 99 return -2; 100 } 101 oik = ri->d.kari->originator; 102 if (oik->type == CMS_OIK_ISSUER_SERIAL) 103 return cms_ias_cert_cmp(oik->d.issuerAndSerialNumber, cert); 104 else if (oik->type == CMS_OIK_KEYIDENTIFIER) 105 return cms_keyid_cert_cmp(oik->d.subjectKeyIdentifier, cert); 106 return -1; 107 } 108 109 int CMS_RecipientEncryptedKey_get0_id(CMS_RecipientEncryptedKey *rek, 110 ASN1_OCTET_STRING **keyid, 111 ASN1_GENERALIZEDTIME **tm, 112 CMS_OtherKeyAttribute **other, 113 X509_NAME **issuer, ASN1_INTEGER **sno) 114 { 115 CMS_KeyAgreeRecipientIdentifier *rid = rek->rid; 116 if (rid->type == CMS_REK_ISSUER_SERIAL) { 117 if (issuer) 118 *issuer = rid->d.issuerAndSerialNumber->issuer; 119 if (sno) 120 *sno = rid->d.issuerAndSerialNumber->serialNumber; 121 if (keyid) 122 *keyid = NULL; 123 if (tm) 124 *tm = NULL; 125 if (other) 126 *other = NULL; 127 } else if (rid->type == CMS_REK_KEYIDENTIFIER) { 128 if (keyid) 129 *keyid = rid->d.rKeyId->subjectKeyIdentifier; 130 if (tm) 131 *tm = rid->d.rKeyId->date; 132 if (other) 133 *other = rid->d.rKeyId->other; 134 if (issuer) 135 *issuer = NULL; 136 if (sno) 137 *sno = NULL; 138 } else 139 return 0; 140 return 1; 141 } 142 143 int CMS_RecipientEncryptedKey_cert_cmp(CMS_RecipientEncryptedKey *rek, 144 X509 *cert) 145 { 146 CMS_KeyAgreeRecipientIdentifier *rid = rek->rid; 147 if (rid->type == CMS_REK_ISSUER_SERIAL) 148 return cms_ias_cert_cmp(rid->d.issuerAndSerialNumber, cert); 149 else if (rid->type == CMS_REK_KEYIDENTIFIER) 150 return cms_keyid_cert_cmp(rid->d.rKeyId->subjectKeyIdentifier, cert); 151 else 152 return -1; 153 } 154 155 int CMS_RecipientInfo_kari_set0_pkey(CMS_RecipientInfo *ri, EVP_PKEY *pk) 156 { 157 EVP_PKEY_CTX *pctx; 158 CMS_KeyAgreeRecipientInfo *kari = ri->d.kari; 159 160 EVP_PKEY_CTX_free(kari->pctx); 161 kari->pctx = NULL; 162 if (!pk) 163 return 1; 164 pctx = EVP_PKEY_CTX_new(pk, NULL); 165 if (!pctx || !EVP_PKEY_derive_init(pctx)) 166 goto err; 167 kari->pctx = pctx; 168 return 1; 169 err: 170 EVP_PKEY_CTX_free(pctx); 171 return 0; 172 } 173 174 EVP_CIPHER_CTX *CMS_RecipientInfo_kari_get0_ctx(CMS_RecipientInfo *ri) 175 { 176 if (ri->type == CMS_RECIPINFO_AGREE) 177 return ri->d.kari->ctx; 178 return NULL; 179 } 180 181 /* 182 * Derive KEK and decrypt/encrypt with it to produce either the original CEK 183 * or the encrypted CEK. 184 */ 185 186 static int cms_kek_cipher(unsigned char **pout, size_t *poutlen, 187 const unsigned char *in, size_t inlen, 188 CMS_KeyAgreeRecipientInfo *kari, int enc) 189 { 190 /* Key encryption key */ 191 unsigned char kek[EVP_MAX_KEY_LENGTH]; 192 size_t keklen; 193 int rv = 0; 194 unsigned char *out = NULL; 195 int outlen; 196 keklen = EVP_CIPHER_CTX_key_length(kari->ctx); 197 if (keklen > EVP_MAX_KEY_LENGTH) 198 return 0; 199 /* Derive KEK */ 200 if (EVP_PKEY_derive(kari->pctx, kek, &keklen) <= 0) 201 goto err; 202 /* Set KEK in context */ 203 if (!EVP_CipherInit_ex(kari->ctx, NULL, NULL, kek, NULL, enc)) 204 goto err; 205 /* obtain output length of ciphered key */ 206 if (!EVP_CipherUpdate(kari->ctx, NULL, &outlen, in, inlen)) 207 goto err; 208 out = OPENSSL_malloc(outlen); 209 if (out == NULL) 210 goto err; 211 if (!EVP_CipherUpdate(kari->ctx, out, &outlen, in, inlen)) 212 goto err; 213 *pout = out; 214 *poutlen = (size_t)outlen; 215 rv = 1; 216 217 err: 218 OPENSSL_cleanse(kek, keklen); 219 if (!rv) 220 OPENSSL_free(out); 221 EVP_CIPHER_CTX_reset(kari->ctx); 222 /* FIXME: WHY IS kari->pctx freed here? /RL */ 223 EVP_PKEY_CTX_free(kari->pctx); 224 kari->pctx = NULL; 225 return rv; 226 } 227 228 int CMS_RecipientInfo_kari_decrypt(CMS_ContentInfo *cms, 229 CMS_RecipientInfo *ri, 230 CMS_RecipientEncryptedKey *rek) 231 { 232 int rv = 0; 233 unsigned char *enckey = NULL, *cek = NULL; 234 size_t enckeylen; 235 size_t ceklen; 236 CMS_EncryptedContentInfo *ec; 237 enckeylen = rek->encryptedKey->length; 238 enckey = rek->encryptedKey->data; 239 /* Setup all parameters to derive KEK */ 240 if (!cms_env_asn1_ctrl(ri, 1)) 241 goto err; 242 /* Attempt to decrypt CEK */ 243 if (!cms_kek_cipher(&cek, &ceklen, enckey, enckeylen, ri->d.kari, 0)) 244 goto err; 245 ec = cms->d.envelopedData->encryptedContentInfo; 246 OPENSSL_clear_free(ec->key, ec->keylen); 247 ec->key = cek; 248 ec->keylen = ceklen; 249 cek = NULL; 250 rv = 1; 251 err: 252 OPENSSL_free(cek); 253 return rv; 254 } 255 256 /* Create ephemeral key and initialise context based on it */ 257 static int cms_kari_create_ephemeral_key(CMS_KeyAgreeRecipientInfo *kari, 258 EVP_PKEY *pk) 259 { 260 EVP_PKEY_CTX *pctx = NULL; 261 EVP_PKEY *ekey = NULL; 262 int rv = 0; 263 pctx = EVP_PKEY_CTX_new(pk, NULL); 264 if (!pctx) 265 goto err; 266 if (EVP_PKEY_keygen_init(pctx) <= 0) 267 goto err; 268 if (EVP_PKEY_keygen(pctx, &ekey) <= 0) 269 goto err; 270 EVP_PKEY_CTX_free(pctx); 271 pctx = EVP_PKEY_CTX_new(ekey, NULL); 272 if (!pctx) 273 goto err; 274 if (EVP_PKEY_derive_init(pctx) <= 0) 275 goto err; 276 kari->pctx = pctx; 277 rv = 1; 278 err: 279 if (!rv) 280 EVP_PKEY_CTX_free(pctx); 281 EVP_PKEY_free(ekey); 282 return rv; 283 } 284 285 /* Initialise a ktri based on passed certificate and key */ 286 287 int cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri, X509 *recip, 288 EVP_PKEY *pk, unsigned int flags) 289 { 290 CMS_KeyAgreeRecipientInfo *kari; 291 CMS_RecipientEncryptedKey *rek = NULL; 292 293 ri->d.kari = M_ASN1_new_of(CMS_KeyAgreeRecipientInfo); 294 if (!ri->d.kari) 295 return 0; 296 ri->type = CMS_RECIPINFO_AGREE; 297 298 kari = ri->d.kari; 299 kari->version = 3; 300 301 rek = M_ASN1_new_of(CMS_RecipientEncryptedKey); 302 if (!sk_CMS_RecipientEncryptedKey_push(kari->recipientEncryptedKeys, rek)) { 303 M_ASN1_free_of(rek, CMS_RecipientEncryptedKey); 304 return 0; 305 } 306 307 if (flags & CMS_USE_KEYID) { 308 rek->rid->type = CMS_REK_KEYIDENTIFIER; 309 rek->rid->d.rKeyId = M_ASN1_new_of(CMS_RecipientKeyIdentifier); 310 if (rek->rid->d.rKeyId == NULL) 311 return 0; 312 if (!cms_set1_keyid(&rek->rid->d.rKeyId->subjectKeyIdentifier, recip)) 313 return 0; 314 } else { 315 rek->rid->type = CMS_REK_ISSUER_SERIAL; 316 if (!cms_set1_ias(&rek->rid->d.issuerAndSerialNumber, recip)) 317 return 0; 318 } 319 320 /* Create ephemeral key */ 321 if (!cms_kari_create_ephemeral_key(kari, pk)) 322 return 0; 323 324 EVP_PKEY_up_ref(pk); 325 rek->pkey = pk; 326 return 1; 327 } 328 329 static int cms_wrap_init(CMS_KeyAgreeRecipientInfo *kari, 330 const EVP_CIPHER *cipher) 331 { 332 EVP_CIPHER_CTX *ctx = kari->ctx; 333 const EVP_CIPHER *kekcipher; 334 int keylen = EVP_CIPHER_key_length(cipher); 335 /* If a suitable wrap algorithm is already set nothing to do */ 336 kekcipher = EVP_CIPHER_CTX_cipher(ctx); 337 338 if (kekcipher) { 339 if (EVP_CIPHER_CTX_mode(ctx) != EVP_CIPH_WRAP_MODE) 340 return 0; 341 return 1; 342 } 343 /* 344 * Pick a cipher based on content encryption cipher. If it is DES3 use 345 * DES3 wrap otherwise use AES wrap similar to key size. 346 */ 347 #ifndef OPENSSL_NO_DES 348 if (EVP_CIPHER_type(cipher) == NID_des_ede3_cbc) 349 kekcipher = EVP_des_ede3_wrap(); 350 else 351 #endif 352 if (keylen <= 16) 353 kekcipher = EVP_aes_128_wrap(); 354 else if (keylen <= 24) 355 kekcipher = EVP_aes_192_wrap(); 356 else 357 kekcipher = EVP_aes_256_wrap(); 358 return EVP_EncryptInit_ex(ctx, kekcipher, NULL, NULL, NULL); 359 } 360 361 /* Encrypt content key in key agreement recipient info */ 362 363 int cms_RecipientInfo_kari_encrypt(CMS_ContentInfo *cms, 364 CMS_RecipientInfo *ri) 365 { 366 CMS_KeyAgreeRecipientInfo *kari; 367 CMS_EncryptedContentInfo *ec; 368 CMS_RecipientEncryptedKey *rek; 369 STACK_OF(CMS_RecipientEncryptedKey) *reks; 370 int i; 371 372 if (ri->type != CMS_RECIPINFO_AGREE) { 373 CMSerr(CMS_F_CMS_RECIPIENTINFO_KARI_ENCRYPT, CMS_R_NOT_KEY_AGREEMENT); 374 return 0; 375 } 376 kari = ri->d.kari; 377 reks = kari->recipientEncryptedKeys; 378 ec = cms->d.envelopedData->encryptedContentInfo; 379 /* Initialise wrap algorithm parameters */ 380 if (!cms_wrap_init(kari, ec->cipher)) 381 return 0; 382 /* 383 * If no originator key set up initialise for ephemeral key the public key 384 * ASN1 structure will set the actual public key value. 385 */ 386 if (kari->originator->type == -1) { 387 CMS_OriginatorIdentifierOrKey *oik = kari->originator; 388 oik->type = CMS_OIK_PUBKEY; 389 oik->d.originatorKey = M_ASN1_new_of(CMS_OriginatorPublicKey); 390 if (!oik->d.originatorKey) 391 return 0; 392 } 393 /* Initialise KDF algorithm */ 394 if (!cms_env_asn1_ctrl(ri, 0)) 395 return 0; 396 /* For each rek, derive KEK, encrypt CEK */ 397 for (i = 0; i < sk_CMS_RecipientEncryptedKey_num(reks); i++) { 398 unsigned char *enckey; 399 size_t enckeylen; 400 rek = sk_CMS_RecipientEncryptedKey_value(reks, i); 401 if (EVP_PKEY_derive_set_peer(kari->pctx, rek->pkey) <= 0) 402 return 0; 403 if (!cms_kek_cipher(&enckey, &enckeylen, ec->key, ec->keylen, 404 kari, 1)) 405 return 0; 406 ASN1_STRING_set0(rek->encryptedKey, enckey, enckeylen); 407 } 408 409 return 1; 410 411 } 412