2 * Copyright 2008-2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include "internal/cryptlib.h"
11 #include <openssl/asn1t.h>
12 #include <openssl/pem.h>
13 #include <openssl/x509v3.h>
14 #include <openssl/err.h>
15 #include <openssl/cms.h>
16 #include <openssl/evp.h>
17 #include "crypto/asn1.h"
18 #include "crypto/evp.h"
19 #include "crypto/x509.h"
20 #include "cms_local.h"
22 DEFINE_STACK_OF(CMS_RecipientInfo)
23 DEFINE_STACK_OF(CMS_RevocationInfoChoice)
25 /* CMS EnvelopedData Utilities */
26 static void cms_env_set_version(CMS_EnvelopedData *env);
28 #define CMS_ENVELOPED_STANDARD 1
29 #define CMS_ENVELOPED_AUTH 2
31 static int cms_get_enveloped_type(const CMS_ContentInfo *cms)
33 int nid = OBJ_obj2nid(cms->contentType);
36 case NID_pkcs7_enveloped:
37 return CMS_ENVELOPED_STANDARD;
39 case NID_id_smime_ct_authEnvelopedData:
40 return CMS_ENVELOPED_AUTH;
43 CMSerr(0, CMS_R_CONTENT_TYPE_NOT_ENVELOPED_DATA);
48 CMS_EnvelopedData *cms_get0_enveloped(CMS_ContentInfo *cms)
50 if (OBJ_obj2nid(cms->contentType) != NID_pkcs7_enveloped) {
51 CMSerr(CMS_F_CMS_GET0_ENVELOPED,
52 CMS_R_CONTENT_TYPE_NOT_ENVELOPED_DATA);
55 return cms->d.envelopedData;
58 CMS_AuthEnvelopedData *cms_get0_auth_enveloped(CMS_ContentInfo *cms)
60 if (OBJ_obj2nid(cms->contentType) != NID_id_smime_ct_authEnvelopedData) {
61 CMSerr(0, CMS_R_CONTENT_TYPE_NOT_ENVELOPED_DATA);
64 return cms->d.authEnvelopedData;
67 static CMS_EnvelopedData *cms_enveloped_data_init(CMS_ContentInfo *cms)
69 if (cms->d.other == NULL) {
70 cms->d.envelopedData = M_ASN1_new_of(CMS_EnvelopedData);
71 if (cms->d.envelopedData == NULL) {
72 CMSerr(CMS_F_CMS_ENVELOPED_DATA_INIT, ERR_R_MALLOC_FAILURE);
75 cms->d.envelopedData->version = 0;
76 cms->d.envelopedData->encryptedContentInfo->contentType =
77 OBJ_nid2obj(NID_pkcs7_data);
78 ASN1_OBJECT_free(cms->contentType);
79 cms->contentType = OBJ_nid2obj(NID_pkcs7_enveloped);
80 return cms->d.envelopedData;
82 return cms_get0_enveloped(cms);
85 static CMS_AuthEnvelopedData *
86 cms_auth_enveloped_data_init(CMS_ContentInfo *cms)
88 if (cms->d.other == NULL) {
89 cms->d.authEnvelopedData = M_ASN1_new_of(CMS_AuthEnvelopedData);
90 if (cms->d.authEnvelopedData == NULL) {
91 CMSerr(0, ERR_R_MALLOC_FAILURE);
94 /* Defined in RFC 5083 - Section 2.1. "AuthEnvelopedData Type" */
95 cms->d.authEnvelopedData->version = 0;
96 cms->d.authEnvelopedData->authEncryptedContentInfo->contentType =
97 OBJ_nid2obj(NID_pkcs7_data);
98 ASN1_OBJECT_free(cms->contentType);
99 cms->contentType = OBJ_nid2obj(NID_id_smime_ct_authEnvelopedData);
100 return cms->d.authEnvelopedData;
102 return cms_get0_auth_enveloped(cms);
105 int cms_env_asn1_ctrl(CMS_RecipientInfo *ri, int cmd)
109 if (ri->type == CMS_RECIPINFO_TRANS)
110 pkey = ri->d.ktri->pkey;
111 else if (ri->type == CMS_RECIPINFO_AGREE) {
112 EVP_PKEY_CTX *pctx = ri->d.kari->pctx;
116 pkey = EVP_PKEY_CTX_get0_pkey(pctx);
121 if (pkey->ameth == NULL || pkey->ameth->pkey_ctrl == NULL)
123 i = pkey->ameth->pkey_ctrl(pkey, ASN1_PKEY_CTRL_CMS_ENVELOPE, cmd, ri);
125 CMSerr(CMS_F_CMS_ENV_ASN1_CTRL,
126 CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE);
130 CMSerr(CMS_F_CMS_ENV_ASN1_CTRL, CMS_R_CTRL_FAILURE);
136 CMS_EncryptedContentInfo* cms_get0_env_enc_content(const CMS_ContentInfo *cms)
138 switch (cms_get_enveloped_type(cms)) {
139 case CMS_ENVELOPED_STANDARD:
140 return cms->d.envelopedData->encryptedContentInfo;
142 case CMS_ENVELOPED_AUTH:
143 return cms->d.authEnvelopedData->authEncryptedContentInfo;
150 STACK_OF(CMS_RecipientInfo) *CMS_get0_RecipientInfos(CMS_ContentInfo *cms)
152 switch (cms_get_enveloped_type(cms)) {
153 case CMS_ENVELOPED_STANDARD:
154 return cms->d.envelopedData->recipientInfos;
156 case CMS_ENVELOPED_AUTH:
157 return cms->d.authEnvelopedData->recipientInfos;
164 void cms_RecipientInfos_set_cmsctx(CMS_ContentInfo *cms)
167 CMS_RecipientInfo *ri;
168 const CMS_CTX *ctx = cms_get0_cmsctx(cms);
169 STACK_OF(CMS_RecipientInfo) *rinfos = CMS_get0_RecipientInfos(cms);
171 for (i = 0; i < sk_CMS_RecipientInfo_num(rinfos); i++) {
172 ri = sk_CMS_RecipientInfo_value(rinfos, i);
175 case CMS_RECIPINFO_AGREE:
176 ri->d.kari->cms_ctx = ctx;
178 case CMS_RECIPINFO_TRANS:
179 ri->d.ktri->cms_ctx = ctx;
180 x509_set0_libctx(ri->d.ktri->recip, ctx->libctx, ctx->propq);
182 case CMS_RECIPINFO_KEK:
183 ri->d.kekri->cms_ctx = ctx;
185 case CMS_RECIPINFO_PASS:
186 ri->d.pwri->cms_ctx = ctx;
195 int CMS_RecipientInfo_type(CMS_RecipientInfo *ri)
200 EVP_PKEY_CTX *CMS_RecipientInfo_get0_pkey_ctx(CMS_RecipientInfo *ri)
202 if (ri->type == CMS_RECIPINFO_TRANS)
203 return ri->d.ktri->pctx;
204 else if (ri->type == CMS_RECIPINFO_AGREE)
205 return ri->d.kari->pctx;
209 CMS_ContentInfo *CMS_EnvelopedData_create_with_libctx(const EVP_CIPHER *cipher,
213 CMS_ContentInfo *cms;
214 CMS_EnvelopedData *env;
216 cms = CMS_ContentInfo_new_with_libctx(libctx, propq);
219 env = cms_enveloped_data_init(cms);
223 if (!cms_EncryptedContent_init(env->encryptedContentInfo, cipher, NULL, 0,
224 cms_get0_cmsctx(cms)))
228 CMS_ContentInfo_free(cms);
229 CMSerr(0, ERR_R_MALLOC_FAILURE);
233 CMS_ContentInfo *CMS_EnvelopedData_create(const EVP_CIPHER *cipher)
235 return CMS_EnvelopedData_create_with_libctx(cipher, NULL, NULL);
239 CMS_AuthEnvelopedData_create_with_libctx(const EVP_CIPHER *cipher,
243 CMS_ContentInfo *cms;
244 CMS_AuthEnvelopedData *aenv;
246 cms = CMS_ContentInfo_new_with_libctx(libctx, propq);
249 aenv = cms_auth_enveloped_data_init(cms);
252 if (!cms_EncryptedContent_init(aenv->authEncryptedContentInfo,
253 cipher, NULL, 0, cms_get0_cmsctx(cms)))
257 CMS_ContentInfo_free(cms);
258 CMSerr(0, ERR_R_MALLOC_FAILURE);
263 CMS_ContentInfo *CMS_AuthEnvelopedData_create(const EVP_CIPHER *cipher)
265 return CMS_AuthEnvelopedData_create_with_libctx(cipher, NULL, NULL);
268 /* Key Transport Recipient Info (KTRI) routines */
270 /* Initialise a ktri based on passed certificate and key */
272 static int cms_RecipientInfo_ktri_init(CMS_RecipientInfo *ri, X509 *recip,
273 EVP_PKEY *pk, unsigned int flags,
276 CMS_KeyTransRecipientInfo *ktri;
279 ri->d.ktri = M_ASN1_new_of(CMS_KeyTransRecipientInfo);
282 ri->type = CMS_RECIPINFO_TRANS;
287 if (flags & CMS_USE_KEYID) {
289 idtype = CMS_RECIPINFO_KEYIDENTIFIER;
292 idtype = CMS_RECIPINFO_ISSUER_SERIAL;
296 * Not a typo: RecipientIdentifier and SignerIdentifier are the same
300 if (!cms_set1_SignerIdentifier(ktri->rid, recip, idtype, ctx))
309 if (flags & CMS_KEY_PARAM) {
310 ktri->pctx = EVP_PKEY_CTX_new_from_pkey(ctx->libctx, ktri->pkey,
312 if (ktri->pctx == NULL)
314 if (EVP_PKEY_encrypt_init(ktri->pctx) <= 0)
316 } else if (!cms_env_asn1_ctrl(ri, 0))
322 * Add a recipient certificate using appropriate type of RecipientInfo
325 CMS_RecipientInfo *CMS_add1_recipient(CMS_ContentInfo *cms, X509 *recip,
326 EVP_PKEY *originatorPrivKey,
327 X509 *originator, unsigned int flags)
329 CMS_RecipientInfo *ri = NULL;
330 STACK_OF(CMS_RecipientInfo) *ris;
332 const CMS_CTX *ctx = cms_get0_cmsctx(cms);
334 ris = CMS_get0_RecipientInfos(cms);
338 /* Initialize recipient info */
339 ri = M_ASN1_new_of(CMS_RecipientInfo);
343 pk = X509_get0_pubkey(recip);
345 CMSerr(CMS_F_CMS_ADD1_RECIPIENT, CMS_R_ERROR_GETTING_PUBLIC_KEY);
349 switch (cms_pkey_get_ri_type(pk)) {
351 case CMS_RECIPINFO_TRANS:
352 if (!cms_RecipientInfo_ktri_init(ri, recip, pk, flags, ctx))
356 case CMS_RECIPINFO_AGREE:
357 if (!cms_RecipientInfo_kari_init(ri, recip, pk, originator,
358 originatorPrivKey, flags, ctx))
363 CMSerr(CMS_F_CMS_ADD1_RECIPIENT,
364 CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE);
369 if (!sk_CMS_RecipientInfo_push(ris, ri))
375 CMSerr(CMS_F_CMS_ADD1_RECIPIENT, ERR_R_MALLOC_FAILURE);
377 M_ASN1_free_of(ri, CMS_RecipientInfo);
382 CMS_RecipientInfo *CMS_add1_recipient_cert(CMS_ContentInfo *cms, X509 *recip,
385 return CMS_add1_recipient(cms, recip, NULL, NULL, flags);
388 int CMS_RecipientInfo_ktri_get0_algs(CMS_RecipientInfo *ri,
389 EVP_PKEY **pk, X509 **recip,
392 CMS_KeyTransRecipientInfo *ktri;
393 if (ri->type != CMS_RECIPINFO_TRANS) {
394 CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_GET0_ALGS,
395 CMS_R_NOT_KEY_TRANSPORT);
404 *recip = ktri->recip;
406 *palg = ktri->keyEncryptionAlgorithm;
410 int CMS_RecipientInfo_ktri_get0_signer_id(CMS_RecipientInfo *ri,
411 ASN1_OCTET_STRING **keyid,
415 CMS_KeyTransRecipientInfo *ktri;
416 if (ri->type != CMS_RECIPINFO_TRANS) {
417 CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_GET0_SIGNER_ID,
418 CMS_R_NOT_KEY_TRANSPORT);
423 return cms_SignerIdentifier_get0_signer_id(ktri->rid, keyid, issuer, sno);
426 int CMS_RecipientInfo_ktri_cert_cmp(CMS_RecipientInfo *ri, X509 *cert)
428 if (ri->type != CMS_RECIPINFO_TRANS) {
429 CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_CERT_CMP,
430 CMS_R_NOT_KEY_TRANSPORT);
433 return cms_SignerIdentifier_cert_cmp(ri->d.ktri->rid, cert);
436 int CMS_RecipientInfo_set0_pkey(CMS_RecipientInfo *ri, EVP_PKEY *pkey)
438 if (ri->type != CMS_RECIPINFO_TRANS) {
439 CMSerr(CMS_F_CMS_RECIPIENTINFO_SET0_PKEY, CMS_R_NOT_KEY_TRANSPORT);
442 EVP_PKEY_free(ri->d.ktri->pkey);
443 ri->d.ktri->pkey = pkey;
447 /* Encrypt content key in key transport recipient info */
449 static int cms_RecipientInfo_ktri_encrypt(const CMS_ContentInfo *cms,
450 CMS_RecipientInfo *ri)
452 CMS_KeyTransRecipientInfo *ktri;
453 CMS_EncryptedContentInfo *ec;
455 unsigned char *ek = NULL;
457 const CMS_CTX *ctx = cms_get0_cmsctx(cms);
461 if (ri->type != CMS_RECIPINFO_TRANS) {
462 CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_ENCRYPT, CMS_R_NOT_KEY_TRANSPORT);
466 ec = cms_get0_env_enc_content(cms);
471 if (!cms_env_asn1_ctrl(ri, 0))
474 pctx = EVP_PKEY_CTX_new_from_pkey(ctx->libctx, ktri->pkey, ctx->propq);
478 if (EVP_PKEY_encrypt_init(pctx) <= 0)
482 if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_ENCRYPT,
483 EVP_PKEY_CTRL_CMS_ENCRYPT, 0, ri) <= 0) {
484 CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_ENCRYPT, CMS_R_CTRL_ERROR);
488 if (EVP_PKEY_encrypt(pctx, NULL, &eklen, ec->key, ec->keylen) <= 0)
491 ek = OPENSSL_malloc(eklen);
494 CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_ENCRYPT, ERR_R_MALLOC_FAILURE);
498 if (EVP_PKEY_encrypt(pctx, ek, &eklen, ec->key, ec->keylen) <= 0)
501 ASN1_STRING_set0(ktri->encryptedKey, ek, eklen);
507 EVP_PKEY_CTX_free(pctx);
513 /* Decrypt content key from KTRI */
515 static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms,
516 CMS_RecipientInfo *ri)
518 CMS_KeyTransRecipientInfo *ktri = ri->d.ktri;
519 EVP_PKEY *pkey = ktri->pkey;
520 unsigned char *ek = NULL;
524 const EVP_CIPHER *cipher = NULL;
525 EVP_CIPHER *fetched_cipher = NULL;
526 CMS_EncryptedContentInfo *ec;
527 const CMS_CTX *ctx = cms_get0_cmsctx(cms);
529 ec = cms_get0_env_enc_content(cms);
531 if (ktri->pkey == NULL) {
532 CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_DECRYPT, CMS_R_NO_PRIVATE_KEY);
536 if (cms->d.envelopedData->encryptedContentInfo->havenocert
537 && !cms->d.envelopedData->encryptedContentInfo->debug) {
538 X509_ALGOR *calg = ec->contentEncryptionAlgorithm;
539 const char *name = OBJ_nid2sn(OBJ_obj2nid(calg->algorithm));
541 (void)ERR_set_mark();
542 fetched_cipher = EVP_CIPHER_fetch(ctx->libctx, name, ctx->propq);
544 if (fetched_cipher != NULL)
545 cipher = fetched_cipher;
547 cipher = EVP_get_cipherbyobj(calg->algorithm);
548 if (cipher == NULL) {
549 (void)ERR_clear_last_mark();
550 CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_DECRYPT, CMS_R_UNKNOWN_CIPHER);
553 (void)ERR_pop_to_mark();
555 fixlen = EVP_CIPHER_key_length(cipher);
556 EVP_CIPHER_free(fetched_cipher);
559 ktri->pctx = EVP_PKEY_CTX_new_from_pkey(ctx->libctx, pkey, ctx->propq);
560 if (ktri->pctx == NULL)
563 if (EVP_PKEY_decrypt_init(ktri->pctx) <= 0)
566 if (!cms_env_asn1_ctrl(ri, 1))
569 if (EVP_PKEY_CTX_ctrl(ktri->pctx, -1, EVP_PKEY_OP_DECRYPT,
570 EVP_PKEY_CTRL_CMS_DECRYPT, 0, ri) <= 0) {
571 CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_DECRYPT, CMS_R_CTRL_ERROR);
575 if (EVP_PKEY_decrypt(ktri->pctx, NULL, &eklen,
576 ktri->encryptedKey->data,
577 ktri->encryptedKey->length) <= 0)
580 ek = OPENSSL_malloc(eklen);
582 CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_DECRYPT, ERR_R_MALLOC_FAILURE);
586 if (EVP_PKEY_decrypt(ktri->pctx, ek, &eklen,
587 ktri->encryptedKey->data,
588 ktri->encryptedKey->length) <= 0
590 || (fixlen != 0 && eklen != fixlen)) {
591 CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_DECRYPT, CMS_R_CMS_LIB);
597 OPENSSL_clear_free(ec->key, ec->keylen);
602 EVP_PKEY_CTX_free(ktri->pctx);
610 /* Key Encrypted Key (KEK) RecipientInfo routines */
612 int CMS_RecipientInfo_kekri_id_cmp(CMS_RecipientInfo *ri,
613 const unsigned char *id, size_t idlen)
615 ASN1_OCTET_STRING tmp_os;
616 CMS_KEKRecipientInfo *kekri;
617 if (ri->type != CMS_RECIPINFO_KEK) {
618 CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_ID_CMP, CMS_R_NOT_KEK);
622 tmp_os.type = V_ASN1_OCTET_STRING;
624 tmp_os.data = (unsigned char *)id;
625 tmp_os.length = (int)idlen;
626 return ASN1_OCTET_STRING_cmp(&tmp_os, kekri->kekid->keyIdentifier);
629 /* For now hard code AES key wrap info */
631 static size_t aes_wrap_keylen(int nid)
634 case NID_id_aes128_wrap:
637 case NID_id_aes192_wrap:
640 case NID_id_aes256_wrap:
648 CMS_RecipientInfo *CMS_add0_recipient_key(CMS_ContentInfo *cms, int nid,
649 unsigned char *key, size_t keylen,
650 unsigned char *id, size_t idlen,
651 ASN1_GENERALIZEDTIME *date,
652 ASN1_OBJECT *otherTypeId,
653 ASN1_TYPE *otherType)
655 CMS_RecipientInfo *ri = NULL;
656 CMS_KEKRecipientInfo *kekri;
657 STACK_OF(CMS_RecipientInfo) *ris = CMS_get0_RecipientInfos(cms);
662 if (nid == NID_undef) {
665 nid = NID_id_aes128_wrap;
669 nid = NID_id_aes192_wrap;
673 nid = NID_id_aes256_wrap;
677 CMSerr(CMS_F_CMS_ADD0_RECIPIENT_KEY, CMS_R_INVALID_KEY_LENGTH);
683 size_t exp_keylen = aes_wrap_keylen(nid);
686 CMSerr(CMS_F_CMS_ADD0_RECIPIENT_KEY,
687 CMS_R_UNSUPPORTED_KEK_ALGORITHM);
691 if (keylen != exp_keylen) {
692 CMSerr(CMS_F_CMS_ADD0_RECIPIENT_KEY, CMS_R_INVALID_KEY_LENGTH);
698 /* Initialize recipient info */
699 ri = M_ASN1_new_of(CMS_RecipientInfo);
703 ri->d.kekri = M_ASN1_new_of(CMS_KEKRecipientInfo);
706 ri->type = CMS_RECIPINFO_KEK;
711 kekri->kekid->other = M_ASN1_new_of(CMS_OtherKeyAttribute);
712 if (kekri->kekid->other == NULL)
716 if (!sk_CMS_RecipientInfo_push(ris, ri))
719 /* After this point no calls can fail */
724 kekri->keylen = keylen;
726 ASN1_STRING_set0(kekri->kekid->keyIdentifier, id, idlen);
728 kekri->kekid->date = date;
730 if (kekri->kekid->other) {
731 kekri->kekid->other->keyAttrId = otherTypeId;
732 kekri->kekid->other->keyAttr = otherType;
735 X509_ALGOR_set0(kekri->keyEncryptionAlgorithm,
736 OBJ_nid2obj(nid), V_ASN1_UNDEF, NULL);
741 CMSerr(CMS_F_CMS_ADD0_RECIPIENT_KEY, ERR_R_MALLOC_FAILURE);
743 M_ASN1_free_of(ri, CMS_RecipientInfo);
747 int CMS_RecipientInfo_kekri_get0_id(CMS_RecipientInfo *ri,
749 ASN1_OCTET_STRING **pid,
750 ASN1_GENERALIZEDTIME **pdate,
751 ASN1_OBJECT **potherid,
752 ASN1_TYPE **pothertype)
754 CMS_KEKIdentifier *rkid;
755 if (ri->type != CMS_RECIPINFO_KEK) {
756 CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_GET0_ID, CMS_R_NOT_KEK);
759 rkid = ri->d.kekri->kekid;
761 *palg = ri->d.kekri->keyEncryptionAlgorithm;
763 *pid = rkid->keyIdentifier;
768 *potherid = rkid->other->keyAttrId;
774 *pothertype = rkid->other->keyAttr;
781 int CMS_RecipientInfo_set0_key(CMS_RecipientInfo *ri,
782 unsigned char *key, size_t keylen)
784 CMS_KEKRecipientInfo *kekri;
785 if (ri->type != CMS_RECIPINFO_KEK) {
786 CMSerr(CMS_F_CMS_RECIPIENTINFO_SET0_KEY, CMS_R_NOT_KEK);
792 kekri->keylen = keylen;
796 static EVP_CIPHER *cms_get_key_wrap_cipher(size_t keylen, const CMS_CTX *ctx)
798 const char *alg = NULL;
802 alg = "AES-128-WRAP";
805 alg = "AES-192-WRAP";
808 alg = "AES-256-WRAP";
813 return EVP_CIPHER_fetch(ctx->libctx, alg, ctx->propq);
817 /* Encrypt content key in KEK recipient info */
819 static int cms_RecipientInfo_kekri_encrypt(const CMS_ContentInfo *cms,
820 CMS_RecipientInfo *ri)
822 CMS_EncryptedContentInfo *ec;
823 CMS_KEKRecipientInfo *kekri;
824 unsigned char *wkey = NULL;
827 EVP_CIPHER *cipher = NULL;
829 EVP_CIPHER_CTX *ctx = NULL;
830 const CMS_CTX *cms_ctx = cms_get0_cmsctx(cms);
832 ec = cms_get0_env_enc_content(cms);
838 if (kekri->key == NULL) {
839 CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_ENCRYPT, CMS_R_NO_KEY);
843 cipher = cms_get_key_wrap_cipher(kekri->keylen, cms_ctx);
844 if (cipher == NULL) {
845 CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_ENCRYPT, CMS_R_INVALID_KEY_LENGTH);
849 /* 8 byte prefix for AES wrap ciphers */
850 wkey = OPENSSL_malloc(ec->keylen + 8);
852 CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_ENCRYPT, ERR_R_MALLOC_FAILURE);
856 ctx = EVP_CIPHER_CTX_new();
858 CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_ENCRYPT, ERR_R_MALLOC_FAILURE);
862 EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW);
863 if (!EVP_EncryptInit_ex(ctx, cipher, NULL, kekri->key, NULL)
864 || !EVP_EncryptUpdate(ctx, wkey, &wkeylen, ec->key, ec->keylen)
865 || !EVP_EncryptFinal_ex(ctx, wkey + wkeylen, &outlen)) {
866 CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_ENCRYPT, CMS_R_WRAP_ERROR);
870 if (!ossl_assert((size_t)wkeylen == ec->keylen + 8)) {
871 CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_ENCRYPT, CMS_R_WRAP_ERROR);
875 ASN1_STRING_set0(kekri->encryptedKey, wkey, wkeylen);
880 EVP_CIPHER_free(cipher);
883 EVP_CIPHER_CTX_free(ctx);
888 /* Decrypt content key in KEK recipient info */
890 static int cms_RecipientInfo_kekri_decrypt(CMS_ContentInfo *cms,
891 CMS_RecipientInfo *ri)
893 CMS_EncryptedContentInfo *ec;
894 CMS_KEKRecipientInfo *kekri;
895 unsigned char *ukey = NULL;
898 EVP_CIPHER *cipher = NULL;
900 EVP_CIPHER_CTX *ctx = NULL;
901 const CMS_CTX *cms_ctx = cms_get0_cmsctx(cms);
903 ec = cms_get0_env_enc_content(cms);
910 CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_DECRYPT, CMS_R_NO_KEY);
914 wrap_nid = OBJ_obj2nid(kekri->keyEncryptionAlgorithm->algorithm);
915 if (aes_wrap_keylen(wrap_nid) != kekri->keylen) {
916 CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_DECRYPT,
917 CMS_R_INVALID_KEY_LENGTH);
921 /* If encrypted key length is invalid don't bother */
923 if (kekri->encryptedKey->length < 16) {
924 CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_DECRYPT,
925 CMS_R_INVALID_ENCRYPTED_KEY_LENGTH);
929 cipher = cms_get_key_wrap_cipher(kekri->keylen, cms_ctx);
930 if (cipher == NULL) {
931 CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_DECRYPT, CMS_R_INVALID_KEY_LENGTH);
935 ukey = OPENSSL_malloc(kekri->encryptedKey->length - 8);
937 CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_DECRYPT, ERR_R_MALLOC_FAILURE);
941 ctx = EVP_CIPHER_CTX_new();
943 CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_DECRYPT, ERR_R_MALLOC_FAILURE);
947 if (!EVP_DecryptInit_ex(ctx, cipher, NULL, kekri->key, NULL)
948 || !EVP_DecryptUpdate(ctx, ukey, &ukeylen,
949 kekri->encryptedKey->data,
950 kekri->encryptedKey->length)
951 || !EVP_DecryptFinal_ex(ctx, ukey + ukeylen, &outlen)) {
952 CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_DECRYPT, CMS_R_UNWRAP_ERROR);
958 ec->keylen = ukeylen;
963 EVP_CIPHER_free(cipher);
966 EVP_CIPHER_CTX_free(ctx);
971 int CMS_RecipientInfo_decrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri)
974 case CMS_RECIPINFO_TRANS:
975 return cms_RecipientInfo_ktri_decrypt(cms, ri);
977 case CMS_RECIPINFO_KEK:
978 return cms_RecipientInfo_kekri_decrypt(cms, ri);
980 case CMS_RECIPINFO_PASS:
981 return cms_RecipientInfo_pwri_crypt(cms, ri, 0);
984 CMSerr(CMS_F_CMS_RECIPIENTINFO_DECRYPT,
985 CMS_R_UNSUPPORTED_RECIPIENTINFO_TYPE);
990 int CMS_RecipientInfo_encrypt(const CMS_ContentInfo *cms, CMS_RecipientInfo *ri)
993 case CMS_RECIPINFO_TRANS:
994 return cms_RecipientInfo_ktri_encrypt(cms, ri);
996 case CMS_RECIPINFO_AGREE:
997 return cms_RecipientInfo_kari_encrypt(cms, ri);
999 case CMS_RECIPINFO_KEK:
1000 return cms_RecipientInfo_kekri_encrypt(cms, ri);
1002 case CMS_RECIPINFO_PASS:
1003 return cms_RecipientInfo_pwri_crypt(cms, ri, 1);
1006 CMSerr(CMS_F_CMS_RECIPIENTINFO_ENCRYPT,
1007 CMS_R_UNSUPPORTED_RECIPIENT_TYPE);
1012 /* Check structures and fixup version numbers (if necessary) */
1014 static void cms_env_set_originfo_version(CMS_EnvelopedData *env)
1016 CMS_OriginatorInfo *org = env->originatorInfo;
1020 for (i = 0; i < sk_CMS_CertificateChoices_num(org->certificates); i++) {
1021 CMS_CertificateChoices *cch;
1022 cch = sk_CMS_CertificateChoices_value(org->certificates, i);
1023 if (cch->type == CMS_CERTCHOICE_OTHER) {
1026 } else if (cch->type == CMS_CERTCHOICE_V2ACERT) {
1027 if (env->version < 3)
1032 for (i = 0; i < sk_CMS_RevocationInfoChoice_num(org->crls); i++) {
1033 CMS_RevocationInfoChoice *rch;
1034 rch = sk_CMS_RevocationInfoChoice_value(org->crls, i);
1035 if (rch->type == CMS_REVCHOICE_OTHER) {
1042 static void cms_env_set_version(CMS_EnvelopedData *env)
1045 CMS_RecipientInfo *ri;
1048 * Can't set version higher than 4 so if 4 or more already nothing to do.
1050 if (env->version >= 4)
1053 cms_env_set_originfo_version(env);
1055 if (env->version >= 3)
1058 for (i = 0; i < sk_CMS_RecipientInfo_num(env->recipientInfos); i++) {
1059 ri = sk_CMS_RecipientInfo_value(env->recipientInfos, i);
1060 if (ri->type == CMS_RECIPINFO_PASS || ri->type == CMS_RECIPINFO_OTHER) {
1063 } else if (ri->type != CMS_RECIPINFO_TRANS
1064 || ri->d.ktri->version != 0) {
1068 if (env->originatorInfo || env->unprotectedAttrs)
1070 if (env->version == 2)
1075 static int cms_env_encrypt_content_key(const CMS_ContentInfo *cms,
1076 STACK_OF(CMS_RecipientInfo) *ris)
1079 CMS_RecipientInfo *ri;
1081 for (i = 0; i < sk_CMS_RecipientInfo_num(ris); i++) {
1082 ri = sk_CMS_RecipientInfo_value(ris, i);
1083 if (CMS_RecipientInfo_encrypt(cms, ri) <= 0)
1089 static void cms_env_clear_ec(CMS_EncryptedContentInfo *ec)
1092 OPENSSL_clear_free(ec->key, ec->keylen);
1097 static BIO *cms_EnvelopedData_Decryption_init_bio(CMS_ContentInfo *cms)
1099 CMS_EncryptedContentInfo *ec = cms->d.envelopedData->encryptedContentInfo;
1100 BIO *contentBio = cms_EncryptedContent_init_bio(ec, cms_get0_cmsctx(cms));
1101 EVP_CIPHER_CTX *ctx = NULL;
1103 if (contentBio == NULL)
1106 BIO_get_cipher_ctx(contentBio, &ctx);
1108 BIO_free(contentBio);
1112 * If the selected cipher supports unprotected attributes,
1113 * deal with it using special ctrl function
1115 if ((EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ctx)) & EVP_CIPH_FLAG_CIPHER_WITH_MAC)
1116 && EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_PROCESS_UNPROTECTED, 0,
1117 cms->d.envelopedData->unprotectedAttrs) <= 0) {
1118 BIO_free(contentBio);
1124 static BIO *cms_EnvelopedData_Encryption_init_bio(CMS_ContentInfo *cms)
1126 CMS_EncryptedContentInfo *ec;
1127 STACK_OF(CMS_RecipientInfo) *rinfos;
1130 CMS_EnvelopedData *env = cms->d.envelopedData;
1132 /* Get BIO first to set up key */
1134 ec = env->encryptedContentInfo;
1135 ret = cms_EncryptedContent_init_bio(ec, cms_get0_cmsctx(cms));
1137 /* If error end of processing */
1141 /* Now encrypt content key according to each RecipientInfo type */
1142 rinfos = env->recipientInfos;
1143 if (cms_env_encrypt_content_key(cms, rinfos) < 0) {
1144 CMSerr(CMS_F_CMS_ENVELOPEDDATA_ENCRYPTION_INIT_BIO,
1145 CMS_R_ERROR_SETTING_RECIPIENTINFO);
1149 /* And finally set the version */
1150 cms_env_set_version(env);
1155 cms_env_clear_ec(ec);
1162 BIO *cms_EnvelopedData_init_bio(CMS_ContentInfo *cms)
1164 if (cms->d.envelopedData->encryptedContentInfo->cipher != NULL) {
1165 /* If cipher is set it's encryption */
1166 return cms_EnvelopedData_Encryption_init_bio(cms);
1169 /* If cipher is not set it's decryption */
1170 return cms_EnvelopedData_Decryption_init_bio(cms);
1173 BIO *cms_AuthEnvelopedData_init_bio(CMS_ContentInfo *cms)
1175 CMS_EncryptedContentInfo *ec;
1176 STACK_OF(CMS_RecipientInfo) *rinfos;
1179 CMS_AuthEnvelopedData *aenv = cms->d.authEnvelopedData;
1181 /* Get BIO first to set up key */
1182 ec = aenv->authEncryptedContentInfo;
1183 /* Set tag for decryption */
1184 if (ec->cipher == NULL) {
1185 ec->tag = aenv->mac->data;
1186 ec->taglen = aenv->mac->length;
1188 ret = cms_EncryptedContent_init_bio(ec, cms_get0_cmsctx(cms));
1190 /* If error or no cipher end of processing */
1191 if (ret == NULL || ec->cipher == NULL)
1194 /* Now encrypt content key according to each RecipientInfo type */
1195 rinfos = aenv->recipientInfos;
1196 if (cms_env_encrypt_content_key(cms, rinfos) < 0) {
1197 CMSerr(0, CMS_R_ERROR_SETTING_RECIPIENTINFO);
1201 /* And finally set the version */
1207 cms_env_clear_ec(ec);
1214 int cms_EnvelopedData_final(CMS_ContentInfo *cms, BIO *chain)
1216 CMS_EnvelopedData *env = NULL;
1217 EVP_CIPHER_CTX *ctx = NULL;
1218 BIO *mbio = BIO_find_type(chain, BIO_TYPE_CIPHER);
1220 env = cms_get0_enveloped(cms);
1225 CMSerr(CMS_F_CMS_ENVELOPEDDATA_FINAL, CMS_R_CONTENT_NOT_FOUND);
1229 BIO_get_cipher_ctx(mbio, &ctx);
1232 * If the selected cipher supports unprotected attributes,
1233 * deal with it using special ctrl function
1235 if (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ctx)) & EVP_CIPH_FLAG_CIPHER_WITH_MAC) {
1236 if (env->unprotectedAttrs == NULL)
1237 env->unprotectedAttrs = sk_X509_ATTRIBUTE_new_null();
1239 if (env->unprotectedAttrs == NULL) {
1240 CMSerr(CMS_F_CMS_ENVELOPEDDATA_FINAL, ERR_R_MALLOC_FAILURE);
1244 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_PROCESS_UNPROTECTED,
1245 1, env->unprotectedAttrs) <= 0) {
1246 CMSerr(CMS_F_CMS_ENVELOPEDDATA_FINAL, CMS_R_CTRL_FAILURE);
1251 cms_env_set_version(cms->d.envelopedData);
1255 int cms_AuthEnvelopedData_final(CMS_ContentInfo *cms, BIO *cmsbio)
1257 EVP_CIPHER_CTX *ctx;
1258 unsigned char *tag = NULL;
1261 BIO_get_cipher_ctx(cmsbio, &ctx);
1264 * The tag is set only for encryption. There is nothing to do for
1267 if (!EVP_CIPHER_CTX_encrypting(ctx))
1270 taglen = EVP_CIPHER_CTX_tag_length(ctx);
1272 || (tag = OPENSSL_malloc(taglen)) == NULL
1273 || EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, taglen,
1275 CMSerr(0, CMS_R_CIPHER_GET_TAG);
1279 if (!ASN1_OCTET_STRING_set(cms->d.authEnvelopedData->mac, tag, taglen))
1289 * Get RecipientInfo type (if any) supported by a key (public or private). To
1290 * retain compatibility with previous behaviour if the ctrl value isn't
1291 * supported we assume key transport.
1293 int cms_pkey_get_ri_type(EVP_PKEY *pk)
1295 if (pk->ameth && pk->ameth->pkey_ctrl) {
1297 i = pk->ameth->pkey_ctrl(pk, ASN1_PKEY_CTRL_CMS_RI_TYPE, 0, &r);
1301 return CMS_RECIPINFO_TRANS;
1304 int cms_pkey_is_ri_type_supported(EVP_PKEY *pk, int ri_type)
1306 int supportedRiType;
1308 if (pk->ameth != NULL && pk->ameth->pkey_ctrl != NULL) {
1311 i = pk->ameth->pkey_ctrl(pk, ASN1_PKEY_CTRL_CMS_IS_RI_TYPE_SUPPORTED,
1317 supportedRiType = cms_pkey_get_ri_type(pk);
1318 if (supportedRiType < 0)
1321 return (supportedRiType == ri_type);