crypto/cms/cms_kari.c

   1 /* crypto/cms/cms_kari.c */
   2 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
   3  * project.
   4  */
   5 /* ====================================================================
   6  * Copyright (c) 2013 The OpenSSL Project.  All rights reserved.
   7  *
   8  * Redistribution and use in source and binary forms, with or without
   9  * modification, are permitted provided that the following conditions
  10  * are met:
  11  *
  12  * 1. Redistributions of source code must retain the above copyright
  13  *    notice, this list of conditions and the following disclaimer.
  14  *
  15  * 2. Redistributions in binary form must reproduce the above copyright
  16  *    notice, this list of conditions and the following disclaimer in
  17  *    the documentation and/or other materials provided with the
  18  *    distribution.
  19  *
  20  * 3. All advertising materials mentioning features or use of this
  21  *    software must display the following acknowledgment:
  22  *    "This product includes software developed by the OpenSSL Project
  23  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
  24  *
  25  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  26  *    endorse or promote products derived from this software without
  27  *    prior written permission. For written permission, please contact
  28  *    licensing@OpenSSL.org.
  29  *
  30  * 5. Products derived from this software may not be called "OpenSSL"
  31  *    nor may "OpenSSL" appear in their names without prior written
  32  *    permission of the OpenSSL Project.
  33  *
  34  * 6. Redistributions of any form whatsoever must retain the following
  35  *    acknowledgment:
  36  *    "This product includes software developed by the OpenSSL Project
  37  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
  38  *
  39  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  40  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  41  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  42  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
  43  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  44  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  45  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  46  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  47  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  48  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  49  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  50  * OF THE POSSIBILITY OF SUCH DAMAGE.
  51  * ====================================================================
  52  */
  53
  54 #include "cryptlib.h"
  55 #include <openssl/asn1t.h>
  56 #include <openssl/pem.h>
  57 #include <openssl/x509v3.h>
  58 #include <openssl/err.h>
  59 #include <openssl/cms.h>
  60 #include <openssl/rand.h>
  61 #include <openssl/aes.h>
  62 #include "cms_lcl.h"
  63 #include "asn1_locl.h"
  64
  65 DECLARE_ASN1_ITEM(CMS_KeyAgreeRecipientInfo)
  66 DECLARE_ASN1_ITEM(CMS_RecipientEncryptedKey)
  67 DECLARE_ASN1_ITEM(CMS_OriginatorPublicKey)
  68
  69 /* Key Agreement Recipient Info (KARI) routines */
  70
  71 int CMS_RecipientInfo_kari_get0_alg(CMS_RecipientInfo *ri,
  72                                         X509_ALGOR **palg,
  73                                         ASN1_OCTET_STRING **pukm)
  74         {
  75         if (ri->type != CMS_RECIPINFO_AGREE)
  76                 {
  77                 CMSerr(CMS_F_CMS_RECIPIENTINFO_KARI_GET0_ALG,
  78                         CMS_R_NOT_KEY_AGREEMENT);
  79                 return 0;
  80                 }
  81         if (palg)
  82                 *palg = ri->d.kari->keyEncryptionAlgorithm;
  83         if (pukm)
  84                 *pukm = ri->d.kari->ukm;
  85         return 1;
  86         }
  87
  88 /* Retrieve recipient encrypted keys from a kari */
  89
  90 STACK_OF(CMS_RecipientEncryptedKey) *CMS_RecipientInfo_kari_get0_reks(CMS_RecipientInfo *ri)
  91         {
  92         if (ri->type != CMS_RECIPINFO_AGREE)
  93                 {
  94                 CMSerr(CMS_F_CMS_RECIPIENTINFO_KARI_GET0_REKS,
  95                         CMS_R_NOT_KEY_AGREEMENT);
  96                 return NULL;
  97                 }
  98         return ri->d.kari->recipientEncryptedKeys;
  99         }
 100
 101 int CMS_RecipientInfo_kari_get0_orig_id(CMS_RecipientInfo *ri,
 102                                         X509_ALGOR **pubalg,
 103                                         ASN1_BIT_STRING **pubkey,
 104                                         ASN1_OCTET_STRING **keyid,
 105                                         X509_NAME **issuer, ASN1_INTEGER **sno)
 106         {
 107         CMS_OriginatorIdentifierOrKey *oik;
 108         if (ri->type != CMS_RECIPINFO_AGREE)
 109                 {
 110                 CMSerr(CMS_F_CMS_RECIPIENTINFO_KARI_GET0_ORIG_ID,
 111                         CMS_R_NOT_KEY_AGREEMENT);
 112                 return 0;
 113                 }
 114         oik = ri->d.kari->originator;
 115         if (issuer)
 116                 *issuer = NULL;
 117         if (sno)
 118                 *sno = NULL;
 119         if (keyid)
 120                 *keyid = NULL;
 121         if (pubalg)
 122                 *pubalg = NULL;
 123         if (pubkey)
 124                 *pubkey = NULL;
 125         if (oik->type == CMS_OIK_ISSUER_SERIAL)
 126                 {
 127                 if (issuer)
 128                         *issuer = oik->d.issuerAndSerialNumber->issuer;
 129                 if (sno)
 130                         *sno = oik->d.issuerAndSerialNumber->serialNumber;
 131                 }
 132         else if (oik->type == CMS_OIK_KEYIDENTIFIER)
 133                 {
 134                 if (keyid)
 135                         *keyid = oik->d.subjectKeyIdentifier;
 136                 }
 137         else if (oik->type == CMS_OIK_PUBKEY)
 138                 {
 139                 if (pubalg)
 140                         *pubalg = oik->d.originatorKey->algorithm;
 141                 if (pubkey)
 142                         *pubkey = oik->d.originatorKey->publicKey;
 143                 }
 144         else
 145                 return 0;
 146         return 1;
 147         }
 148
 149 int CMS_RecipientInfo_kari_orig_id_cmp(CMS_RecipientInfo *ri, X509 *cert)
 150         {
 151         CMS_OriginatorIdentifierOrKey *oik;
 152         if (ri->type != CMS_RECIPINFO_AGREE)
 153                 {
 154                 CMSerr(CMS_F_CMS_RECIPIENTINFO_KARI_ORIG_ID_CMP,
 155                         CMS_R_NOT_KEY_AGREEMENT);
 156                 return -2;
 157                 }
 158         oik = ri->d.kari->originator;
 159         if (oik->type == CMS_OIK_ISSUER_SERIAL)
 160                 return cms_ias_cert_cmp(oik->d.issuerAndSerialNumber, cert);
 161         else if (oik->type == CMS_OIK_KEYIDENTIFIER)
 162                 return cms_keyid_cert_cmp(oik->d.subjectKeyIdentifier, cert);
 163         return -1;
 164         }
 165
 166 int CMS_RecipientEncryptedKey_get0_id(CMS_RecipientEncryptedKey *rek,
 167                                         ASN1_OCTET_STRING **keyid,
 168                                         ASN1_GENERALIZEDTIME **tm,
 169                                         CMS_OtherKeyAttribute **other,
 170                                         X509_NAME **issuer, ASN1_INTEGER **sno)
 171         {
 172         CMS_KeyAgreeRecipientIdentifier *rid = rek->rid;
 173         if (rid->type == CMS_REK_ISSUER_SERIAL)
 174                 {
 175                 if (issuer)
 176                         *issuer = rid->d.issuerAndSerialNumber->issuer;
 177                 if (sno)
 178                         *sno = rid->d.issuerAndSerialNumber->serialNumber;
 179                 if (keyid)
 180                         *keyid = NULL;
 181                 if (tm)
 182                         *tm = NULL;
 183                 if (other)
 184                         *other = NULL;
 185                 }
 186         else if (rid->type == CMS_REK_KEYIDENTIFIER)
 187                 {
 188                 if (keyid)
 189                         *keyid = rid->d.rKeyId->subjectKeyIdentifier;
 190                 if (tm)
 191                         *tm = rid->d.rKeyId->date;
 192                 if (other)
 193                         *other = rid->d.rKeyId->other;
 194                 if (issuer)
 195                         *issuer = NULL;
 196                 if (sno)
 197                         *sno = NULL;
 198                 }
 199         else
 200                 return 0;
 201         return 1;
 202         }
 203
 204 int CMS_RecipientEncryptedKey_cert_cmp(CMS_RecipientEncryptedKey *rek,
 205                                                 X509 *cert)
 206         {
 207         CMS_KeyAgreeRecipientIdentifier *rid = rek->rid;
 208         if (rid->type == CMS_REK_ISSUER_SERIAL)
 209                 return cms_ias_cert_cmp(rid->d.issuerAndSerialNumber, cert);
 210         else if (rid->type == CMS_REK_KEYIDENTIFIER)
 211                 return cms_keyid_cert_cmp(rid->d.rKeyId->subjectKeyIdentifier, cert);
 212         else
 213                 return -1;
 214         }
 215
 216 int CMS_RecipientInfo_kari_set0_pkey(CMS_RecipientInfo *ri, EVP_PKEY *pk)
 217         {
 218         EVP_PKEY_CTX *pctx;
 219         CMS_KeyAgreeRecipientInfo *kari = ri->d.kari;
 220         if (kari->pctx)
 221                 {
 222                 EVP_PKEY_CTX_free(kari->pctx);
 223                 kari->pctx = NULL;
 224                 }
 225         if (!pk)
 226                 return 1;
 227         pctx = EVP_PKEY_CTX_new(pk, NULL);
 228         if (!pctx || !EVP_PKEY_derive_init(pctx))
 229                 goto err;
 230         kari->pctx = pctx;
 231         return 1;
 232         err:
 233         if (pctx)
 234                 EVP_PKEY_CTX_free(pctx);
 235         return 0;
 236         }
 237
 238 EVP_CIPHER_CTX *CMS_RecipientInfo_kari_get0_ctx(CMS_RecipientInfo *ri)
 239         {
 240         if (ri->type == CMS_RECIPINFO_AGREE)
 241                 return &ri->d.kari->ctx;
 242         return NULL;
 243         }
 244
 245 /* Derive KEK and decrypt/encrypt with it to produce either the
 246  * original CEK or the encrypted CEK.
 247  */
 248
 249 static int cms_kek_cipher(unsigned char **pout, size_t *poutlen,
 250                         const unsigned char *in, size_t inlen,
 251                         CMS_KeyAgreeRecipientInfo *kari, int enc)
 252         {
 253         /* Key encryption key */
 254         unsigned char kek[EVP_MAX_KEY_LENGTH];
 255         size_t keklen;
 256         int rv = 0;
 257         unsigned char *out = NULL;
 258         int outlen;
 259         keklen = EVP_CIPHER_CTX_key_length(&kari->ctx);
 260         if (keklen > EVP_MAX_KEY_LENGTH)
 261                 return 0;
 262         /* Derive KEK */
 263         if (EVP_PKEY_derive(kari->pctx, kek, &keklen) <= 0)
 264                 goto err;
 265         /* Set KEK in context */
 266         if (!EVP_CipherInit_ex(&kari->ctx, NULL, NULL, kek, NULL, enc))
 267                 goto err;
 268         /* obtain output length of ciphered key */
 269         if (!EVP_CipherUpdate(&kari->ctx, NULL, &outlen, in, inlen))
 270                 goto err;
 271         out = OPENSSL_malloc(outlen);
 272         if (!out)
 273                 goto err;
 274         if (!EVP_CipherUpdate(&kari->ctx, out, &outlen, in, inlen))
 275                 goto err;
 276         *pout = out;
 277         *poutlen = (size_t)outlen;
 278         rv = 1;
 279
 280         err:
 281         OPENSSL_cleanse(kek, keklen);
 282         if (!rv && out)
 283                 OPENSSL_free(out);
 284         EVP_CIPHER_CTX_cleanup(&kari->ctx);
 285         EVP_PKEY_CTX_free(kari->pctx);
 286         kari->pctx = NULL;
 287         return rv;
 288         }
 289
 290 int CMS_RecipientInfo_kari_decrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri,
 291                                                 CMS_RecipientEncryptedKey *rek)
 292         {
 293         int rv = 0;
 294         unsigned char *enckey = NULL, *cek = NULL;
 295         size_t enckeylen;
 296         size_t ceklen;
 297         CMS_EncryptedContentInfo *ec;
 298         enckeylen = rek->encryptedKey->length;
 299         enckey = rek->encryptedKey->data;
 300         /* Setup all parameters to derive KEK */
 301         if (!cms_env_asn1_ctrl(ri, 1))
 302                 goto err;
 303         /* Attempt to decrypt CEK */
 304         if (!cms_kek_cipher(&cek, &ceklen, enckey, enckeylen, ri->d.kari, 0))
 305                 goto err;
 306         ec = cms->d.envelopedData->encryptedContentInfo;
 307         if (ec->key)
 308                 {
 309                 OPENSSL_cleanse(ec->key, ec->keylen);
 310                 OPENSSL_free(ec->key);
 311                 }
 312         ec->key = cek;
 313         ec->keylen = ceklen;
 314         cek = NULL;
 315         rv = 1;
 316         err:
 317         if (cek)
 318                 OPENSSL_free(cek);
 319         return rv;
 320         }
 321
 322 /* Create ephemeral key and initialise context based on it */
 323 static int cms_kari_create_ephemeral_key(CMS_KeyAgreeRecipientInfo *kari,
 324                                                 EVP_PKEY *pk)
 325         {
 326         EVP_PKEY_CTX *pctx = NULL;
 327         EVP_PKEY *ekey = NULL;
 328         int rv = 0;
 329         pctx = EVP_PKEY_CTX_new(pk, NULL);
 330         if (!pctx)
 331                 goto err;
 332         if (EVP_PKEY_keygen_init(pctx) <= 0)
 333                 goto err;
 334         if (EVP_PKEY_keygen(pctx, &ekey) <= 0)
 335                 goto err;
 336         EVP_PKEY_CTX_free(pctx);
 337         pctx = EVP_PKEY_CTX_new(ekey, NULL);
 338         if (!pctx)
 339                 goto err;
 340         if (EVP_PKEY_derive_init(pctx) <= 0)
 341                 goto err;
 342         kari->pctx = pctx;
 343         rv = 1;
 344         err:
 345         if (!rv && pctx)
 346                 EVP_PKEY_CTX_free(pctx);
 347         if (ekey)
 348                 EVP_PKEY_free(ekey);
 349         return rv;
 350         }
 351
 352 /* Initialise a ktri based on passed certificate and key */
 353
 354 int cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri, X509 *recip,
 355                                 EVP_PKEY *pk, unsigned int flags)
 356         {
 357         CMS_KeyAgreeRecipientInfo *kari;
 358         CMS_RecipientEncryptedKey *rek = NULL;
 359
 360         ri->d.kari = M_ASN1_new_of(CMS_KeyAgreeRecipientInfo);
 361         if (!ri->d.kari)
 362                 return 0;
 363         ri->type = CMS_RECIPINFO_AGREE;
 364
 365         kari = ri->d.kari;
 366         kari->version = 3;
 367
 368         rek = M_ASN1_new_of(CMS_RecipientEncryptedKey);
 369         if (!sk_CMS_RecipientEncryptedKey_push(kari->recipientEncryptedKeys, rek))
 370                 {
 371                 M_ASN1_free_of(rek, CMS_RecipientEncryptedKey);
 372                 return 0;
 373                 }
 374
 375         if (flags & CMS_USE_KEYID)
 376                 {
 377                 rek->rid->type = CMS_REK_KEYIDENTIFIER;
 378                 if (!cms_set1_keyid(&rek->rid->d.rKeyId->subjectKeyIdentifier, recip))
 379                         return 0;
 380                 }
 381         else
 382                 {
 383                 rek->rid->type = CMS_REK_ISSUER_SERIAL;
 384                 if (!cms_set1_ias(&rek->rid->d.issuerAndSerialNumber, recip))
 385                         return 0;
 386                 }
 387
 388         /* Create ephemeral key */
 389         if (!cms_kari_create_ephemeral_key(kari, pk))
 390                 return 0;
 391
 392         CRYPTO_add(&pk->references, 1, CRYPTO_LOCK_EVP_PKEY);
 393         rek->pkey = pk;
 394         return 1;
 395         }
 396
 397 static int cms_wrap_init(CMS_KeyAgreeRecipientInfo *kari,
 398                                 const EVP_CIPHER *cipher)
 399         {
 400         EVP_CIPHER_CTX *ctx = &kari->ctx;
 401         const EVP_CIPHER *kekcipher;
 402         int keylen = EVP_CIPHER_key_length(cipher);
 403         /* If a suitable wrap algorithm is already set nothing to do */
 404         kekcipher = EVP_CIPHER_CTX_cipher(ctx);
 405
 406         if (kekcipher)
 407                 {
 408                 if (EVP_CIPHER_CTX_mode(ctx) != EVP_CIPH_WRAP_MODE)
 409                         return 0;
 410                 return 1;
 411                 }
 412         /* Pick a cipher based on content encryption cipher. If it is
 413          * DES3 use DES3 wrap otherwise use AES wrap similar to key
 414          * size.
 415          */
 416         if (EVP_CIPHER_type(cipher) == NID_des_ede3_cbc)
 417                 kekcipher = EVP_des_ede3_wrap();
 418         else if (keylen <= 16)
 419                 kekcipher = EVP_aes_128_wrap();
 420         else if (keylen <= 24)
 421                 kekcipher = EVP_aes_192_wrap();
 422         else
 423                 kekcipher = EVP_aes_256_wrap();
 424         return EVP_EncryptInit_ex(ctx, kekcipher, NULL, NULL, NULL);
 425         }
 426
 427 /* Encrypt content key in key agreement recipient info */
 428
 429 int cms_RecipientInfo_kari_encrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri)
 430         {
 431         CMS_KeyAgreeRecipientInfo *kari;
 432         CMS_EncryptedContentInfo *ec;
 433         CMS_RecipientEncryptedKey *rek;
 434         STACK_OF(CMS_RecipientEncryptedKey) *reks;
 435         int i;
 436
 437         if (ri->type != CMS_RECIPINFO_AGREE)
 438                 {
 439                 CMSerr(CMS_F_CMS_RECIPIENTINFO_KARI_ENCRYPT,
 440                         CMS_R_NOT_KEY_AGREEMENT);
 441                 return 0;
 442                 }
 443         kari = ri->d.kari;
 444         reks = kari->recipientEncryptedKeys;
 445         ec = cms->d.envelopedData->encryptedContentInfo;
 446         /* Initialise wrap algorithm parameters */
 447         if (!cms_wrap_init(kari, ec->cipher))
 448                 return 0;
 449         /* If no orignator key set up initialise for ephemeral key
 450          * the public key ASN1 structure will set the actual public
 451          * key value.
 452          */
 453         if (kari->originator->type == -1)
 454                 {
 455                 CMS_OriginatorIdentifierOrKey *oik = kari->originator;
 456                 oik->type = CMS_OIK_PUBKEY;
 457                 oik->d.originatorKey = M_ASN1_new_of(CMS_OriginatorPublicKey);
 458                 if (!oik->d.originatorKey)
 459                         return 0;
 460                 }
 461         /* Initialise KDF algorithm */
 462         if (!cms_env_asn1_ctrl(ri, 0))
 463                 return 0;
 464         /* For each rek, derive KEK, encrypt CEK */
 465         for (i = 0; i < sk_CMS_RecipientEncryptedKey_num(reks); i++)
 466                 {
 467                 unsigned char *enckey;
 468                 size_t enckeylen;
 469                 rek = sk_CMS_RecipientEncryptedKey_value(reks, i);
 470                 if (EVP_PKEY_derive_set_peer(kari->pctx, rek->pkey) <= 0)
 471                         return 0;
 472                 if (!cms_kek_cipher(&enckey, &enckeylen, ec->key, ec->keylen,
 473                                                                 kari, 1))
 474                         return 0;
 475                 ASN1_STRING_set0(rek->encryptedKey, enckey, enckeylen);
 476                 }
 477
 478         return 1;
 479
 480         }