--- /dev/null
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation. Portions created by Netscape are
+ * Copyright (C) 1994-2000 Netscape Communications Corporation. All
+ * Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable
+ * instead of those above. If you wish to allow use of your
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL. If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * CMS public key crypto
+ */
+
+#include "cmslocal.h"
+
+#include "secitem.h"
+#include "secoid.h"
+#include "cryptohi.h"
+
+#include <security_asn1/secasn1.h>
+#include <security_asn1/secerr.h>
+#include <Security/SecCertificatePriv.h>
+#include <Security/SecKeyPriv.h>
+#include <Security/Security.h>
+#include <CoreServices/../Frameworks/CarbonCore.framework/Headers/MacErrors.h>
+#include <Security/SecCmsBase.h>
+#include <Security/secasn1t.h>
+#include <security_asn1/plarenas.h>
+#include <Security/keyTemplates.h>
+
+/* ====== RSA ======================================================================= */
+
+/*
+ * SecCmsUtilEncryptSymKeyRSA - wrap a symmetric key with RSA
+ *
+ * this function takes a symmetric key and encrypts it using an RSA public key
+ * according to PKCS#1 and RFC2633 (S/MIME)
+ */
+OSStatus
+SecCmsUtilEncryptSymKeyRSA(PLArenaPool *poolp, SecCertificateRef cert,
+ SecSymmetricKeyRef bulkkey,
+ CSSM_DATA_PTR encKey)
+{
+ OSStatus rv;
+ SecPublicKeyRef publickey;
+
+ rv = SecCertificateCopyPublicKey(cert,&publickey);
+ if (publickey == NULL)
+ return SECFailure;
+
+ rv = SecCmsUtilEncryptSymKeyRSAPubKey(poolp, publickey, bulkkey, encKey);
+ CFRelease(publickey);
+ return rv;
+}
+
+OSStatus
+SecCmsUtilEncryptSymKeyRSAPubKey(PLArenaPool *poolp,
+ SecPublicKeyRef publickey,
+ SecSymmetricKeyRef bulkkey, CSSM_DATA_PTR encKey)
+{
+ OSStatus rv;
+ unsigned int data_len;
+ //KeyType keyType;
+ void *mark = NULL;
+
+ mark = PORT_ArenaMark(poolp);
+ if (!mark)
+ goto loser;
+
+#if 0
+ /* sanity check */
+ keyType = SECKEY_GetPublicKeyType(publickey);
+ PORT_Assert(keyType == rsaKey);
+ if (keyType != rsaKey) {
+ goto loser;
+ }
+#endif
+ /* allocate memory for the encrypted key */
+ rv = SecKeyGetStrengthInBits(publickey, NULL, &data_len);
+ if (rv)
+ goto loser;
+
+ // Convert length to bytes;
+ data_len >>= 2;
+ encKey->Data = (unsigned char*)PORT_ArenaAlloc(poolp, data_len);
+ encKey->Length = data_len;
+ if (encKey->Data == NULL)
+ goto loser;
+
+ /* encrypt the key now */
+ rv = WRAP_PubWrapSymKey(publickey, bulkkey, encKey);
+ if (rv != SECSuccess)
+ goto loser;
+
+ PORT_ArenaUnmark(poolp, mark);
+ return SECSuccess;
+
+loser:
+ if (mark) {
+ PORT_ArenaRelease(poolp, mark);
+ }
+ return SECFailure;
+}
+
+/*
+ * SecCmsUtilDecryptSymKeyRSA - unwrap a RSA-wrapped symmetric key
+ *
+ * this function takes an RSA-wrapped symmetric key and unwraps it, returning a symmetric
+ * key handle. Please note that the actual unwrapped key data may not be allowed to leave
+ * a hardware token...
+ */
+SecSymmetricKeyRef
+SecCmsUtilDecryptSymKeyRSA(SecPrivateKeyRef privkey, CSSM_DATA_PTR encKey, SECOidTag bulkalgtag)
+{
+ /* that's easy */
+ return WRAP_PubUnwrapSymKey(privkey, encKey, bulkalgtag);
+}
+
+#if 0
+// @@@ Implement Fortezza and Diffie hellman support
+
+/* ====== MISSI (Fortezza) ========================================================== */
+
+extern const SecAsn1Template NSS_SMIMEKEAParamTemplateAllParams[];
+
+OSStatus
+SecCmsUtilEncryptSymKeyMISSI(PLArenaPool *poolp, SecCertificateRef cert, SecSymmetricKeyRef bulkkey,
+ SECOidTag symalgtag, CSSM_DATA_PTR encKey, CSSM_DATA_PTR *pparams, void *pwfn_arg)
+{
+ SECOidTag certalgtag; /* the certificate's encryption algorithm */
+ SECOidTag encalgtag; /* the algorithm used for key exchange/agreement */
+ OSStatus rv = SECFailure;
+ CSSM_DATA_PTR params = NULL;
+ OSStatus err;
+ SecSymmetricKeyRef tek;
+ SecCertificateRef ourCert;
+ SecPublicKeyRef ourPubKey, *publickey = NULL;
+ SecPrivateKeyRef ourPrivKey = NULL;
+ SecCmsKEATemplateSelector whichKEA = SecCmsKEAInvalid;
+ SecCmsSMIMEKEAParameters keaParams;
+ PLArenaPool *arena = NULL;
+ extern const SecAsn1Template *nss_cms_get_kea_template(SecCmsKEATemplateSelector whichTemplate);
+ const SECAlgorithmID *algid;
+
+ /* Clear keaParams, since cleanup code checks the lengths */
+ (void) memset(&keaParams, 0, sizeof(keaParams));
+
+ SecCertificateGetAlgorithmID(cert,&algid);
+ certalgtag = SECOID_GetAlgorithmTag(algid);
+ PORT_Assert(certalgtag == SEC_OID_MISSI_KEA_DSS_OLD ||
+ certalgtag == SEC_OID_MISSI_KEA_DSS ||
+ certalgtag == SEC_OID_MISSI_KEA);
+
+#define SMIME_FORTEZZA_RA_LENGTH 128
+#define SMIME_FORTEZZA_IV_LENGTH 24
+#define SMIME_FORTEZZA_MAX_KEY_SIZE 256
+
+ /* We really want to show our KEA tag as the key exchange algorithm tag. */
+ encalgtag = SEC_OID_NETSCAPE_SMIME_KEA;
+
+ /* Get the public key of the recipient. */
+ publickey = CERT_ExtractPublicKey(cert);
+ if (publickey == NULL) goto loser;
+
+ /* Find our own cert, and extract its keys. */
+ ourCert = PK11_FindBestKEAMatch(cert, pwfn_arg);
+ if (ourCert == NULL) goto loser;
+
+ arena = PORT_NewArena(1024);
+ if (arena == NULL)
+ goto loser;
+
+ ourPubKey = CERT_ExtractPublicKey(ourCert);
+ if (ourPubKey == NULL) {
+ CERT_DestroyCertificate(ourCert);
+ goto loser;
+ }
+
+ /* While we're here, copy the public key into the outgoing
+ * KEA parameters. */
+ SECITEM_CopyItem(arena, &(keaParams.originatorKEAKey), &(ourPubKey->u.fortezza.KEAKey));
+ SECKEY_DestroyPublicKey(ourPubKey);
+ ourPubKey = NULL;
+
+ /* Extract our private key in order to derive the KEA key. */
+ ourPrivKey = PK11_FindKeyByAnyCert(ourCert, pwfn_arg);
+ CERT_DestroyCertificate(ourCert); /* we're done with this */
+ if (!ourPrivKey)
+ goto loser;
+
+ /* Prepare raItem with 128 bytes (filled with zeros). */
+ keaParams.originatorRA.Data = (unsigned char *)PORT_ArenaAlloc(arena,SMIME_FORTEZZA_RA_LENGTH);
+ keaParams.originatorRA.Length = SMIME_FORTEZZA_RA_LENGTH;
+
+ /* Generate the TEK (token exchange key) which we use
+ * to wrap the bulk encryption key. (keaparams.originatorRA) will be
+ * filled with a random seed which we need to send to
+ * the recipient. (user keying material in RFC2630/DSA speak) */
+ tek = PK11_PubDerive(ourPrivKey, publickey, PR_TRUE,
+ &keaParams.originatorRA, NULL,
+ CKM_KEA_KEY_DERIVE, CKM_SKIPJACK_WRAP,
+ CKA_WRAP, 0, pwfn_arg);
+
+ SECKEY_DestroyPublicKey(publickey);
+ SECKEY_DestroyPrivateKey(ourPrivKey);
+ publickey = NULL;
+ ourPrivKey = NULL;
+
+ if (!tek)
+ goto loser;
+
+ /* allocate space for the wrapped key data */
+ encKey->Data = (unsigned char *)PORT_ArenaAlloc(poolp, SMIME_FORTEZZA_MAX_KEY_SIZE);
+ encKey->Length = SMIME_FORTEZZA_MAX_KEY_SIZE;
+
+ if (encKey->Data == NULL) {
+ CFRelease(tek);
+ goto loser;
+ }
+
+ /* Wrap the bulk key. What we do with the resulting data
+ depends on whether we're using Skipjack to wrap the key. */
+ switch (PK11_AlgtagToMechanism(symalgtag)) {
+ case CKM_SKIPJACK_CBC64:
+ case CKM_SKIPJACK_ECB64:
+ case CKM_SKIPJACK_OFB64:
+ case CKM_SKIPJACK_CFB64:
+ case CKM_SKIPJACK_CFB32:
+ case CKM_SKIPJACK_CFB16:
+ case CKM_SKIPJACK_CFB8:
+ /* SKIPJACK, we use the wrap mechanism because we can do it on the hardware */
+ err = PK11_WrapSymKey(CKM_SKIPJACK_WRAP, NULL, tek, bulkkey, encKey);
+ whichKEA = SecCmsKEAUsesSkipjack;
+ break;
+ default:
+ /* Not SKIPJACK, we encrypt the raw key data */
+ keaParams.nonSkipjackIV.Data =
+ (unsigned char *)PORT_ArenaAlloc(arena, SMIME_FORTEZZA_IV_LENGTH);
+ keaParams.nonSkipjackIV.Length = SMIME_FORTEZZA_IV_LENGTH;
+ err = PK11_WrapSymKey(CKM_SKIPJACK_CBC64, &keaParams.nonSkipjackIV, tek, bulkkey, encKey);
+ if (err != SECSuccess)
+ goto loser;
+
+ if (encKey->Length != PK11_GetKeyLength(bulkkey)) {
+ /* The size of the encrypted key is not the same as
+ that of the original bulk key, presumably due to
+ padding. Encode and store the real size of the
+ bulk key. */
+ if (SEC_ASN1EncodeInteger(arena, &keaParams.bulkKeySize, PK11_GetKeyLength(bulkkey)) == NULL)
+ err = (OSStatus)PORT_GetError();
+ else
+ /* use full template for encoding */
+ whichKEA = SecCmsKEAUsesNonSkipjackWithPaddedEncKey;
+ }
+ else
+ /* enc key length == bulk key length */
+ whichKEA = SecCmsKEAUsesNonSkipjack;
+ break;
+ }
+
+ CFRelease(tek);
+
+ if (err != SECSuccess)
+ goto loser;
+
+ PORT_Assert(whichKEA != SecCmsKEAInvalid);
+
+ /* Encode the KEA parameters into the recipient info. */
+ params = SEC_ASN1EncodeItem(poolp, NULL, &keaParams, nss_cms_get_kea_template(whichKEA));
+ if (params == NULL)
+ goto loser;
+
+ /* pass back the algorithm params */
+ *pparams = params;
+
+ rv = SECSuccess;
+
+loser:
+ if (arena)
+ PORT_FreeArena(arena, PR_FALSE);
+ if (publickey)
+ SECKEY_DestroyPublicKey(publickey);
+ if (ourPrivKey)
+ SECKEY_DestroyPrivateKey(ourPrivKey);
+ return rv;
+}
+
+SecSymmetricKeyRef
+SecCmsUtilDecryptSymKeyMISSI(SecPrivateKeyRef privkey, CSSM_DATA_PTR encKey, SECAlgorithmID *keyEncAlg, SECOidTag bulkalgtag, void *pwfn_arg)
+{
+ /* fortezza: do a key exchange */
+ OSStatus err;
+ CK_MECHANISM_TYPE bulkType;
+ SecSymmetricKeyRef tek;
+ SecPublicKeyRef originatorPubKey;
+ SecCmsSMIMEKEAParameters keaParams;
+ SecSymmetricKeyRef bulkkey;
+ int bulkLength;
+
+ (void) memset(&keaParams, 0, sizeof(keaParams));
+
+ /* NOTE: this uses the SMIME v2 recipientinfo for compatibility.
+ All additional KEA parameters are DER-encoded in the encryption algorithm parameters */
+
+ /* Decode the KEA algorithm parameters. */
+ err = SEC_ASN1DecodeItem(NULL, &keaParams, NSS_SMIMEKEAParamTemplateAllParams,
+ &(keyEncAlg->parameters));
+ if (err != SECSuccess)
+ goto loser;
+
+ /* get originator's public key */
+ originatorPubKey = PK11_MakeKEAPubKey(keaParams.originatorKEAKey.Data,
+ keaParams.originatorKEAKey.Length);
+ if (originatorPubKey == NULL)
+ goto loser;
+
+ /* Generate the TEK (token exchange key) which we use to unwrap the bulk encryption key.
+ The Derive function generates a shared secret and combines it with the originatorRA
+ data to come up with an unique session key */
+ tek = PK11_PubDerive(privkey, originatorPubKey, PR_FALSE,
+ &keaParams.originatorRA, NULL,
+ CKM_KEA_KEY_DERIVE, CKM_SKIPJACK_WRAP,
+ CKA_WRAP, 0, pwfn_arg);
+ SECKEY_DestroyPublicKey(originatorPubKey); /* not needed anymore */
+ if (tek == NULL)
+ goto loser;
+
+ /* Now that we have the TEK, unwrap the bulk key
+ with which to decrypt the message. We have to
+ do one of two different things depending on
+ whether Skipjack was used for *bulk* encryption
+ of the message. */
+ bulkType = PK11_AlgtagToMechanism(bulkalgtag);
+ switch (bulkType) {
+ case CKM_SKIPJACK_CBC64:
+ case CKM_SKIPJACK_ECB64:
+ case CKM_SKIPJACK_OFB64:
+ case CKM_SKIPJACK_CFB64:
+ case CKM_SKIPJACK_CFB32:
+ case CKM_SKIPJACK_CFB16:
+ case CKM_SKIPJACK_CFB8:
+ /* Skipjack is being used as the bulk encryption algorithm.*/
+ /* Unwrap the bulk key. */
+ bulkkey = PK11_UnwrapSymKey(tek, CKM_SKIPJACK_WRAP, NULL,
+ encKey, CKM_SKIPJACK_CBC64, CKA_DECRYPT, 0);
+ break;
+ default:
+ /* Skipjack was not used for bulk encryption of this
+ message. Use Skipjack CBC64, with the nonSkipjackIV
+ part of the KEA key parameters, to decrypt
+ the bulk key. If the optional parameter bulkKeySize is present,
+ bulk key size is different than the encrypted key size */
+ if (keaParams.bulkKeySize.Length > 0) {
+ err = SEC_ASN1DecodeItem(NULL, &bulkLength,
+ SEC_ASN1_GET(SEC_IntegerTemplate),
+ &keaParams.bulkKeySize);
+ if (err != SECSuccess)
+ goto loser;
+ }
+
+ bulkkey = PK11_UnwrapSymKey(tek, CKM_SKIPJACK_CBC64, &keaParams.nonSkipjackIV,
+ encKey, bulkType, CKA_DECRYPT, bulkLength);
+ break;
+ }
+ return bulkkey;
+loser:
+ return NULL;
+}
+
+/* ====== ESDH (Ephemeral-Static Diffie-Hellman) ==================================== */
+
+OSStatus
+SecCmsUtilEncryptSymKeyESDH(PLArenaPool *poolp, SecCertificateRef cert, SecSymmetricKeyRef key,
+ CSSM_DATA_PTR encKey, CSSM_DATA_PTR ukm, SECAlgorithmID *keyEncAlg,
+ CSSM_DATA_PTR pubKey)
+{
+#if 0 /* not yet done */
+ SECOidTag certalgtag; /* the certificate's encryption algorithm */
+ SECOidTag encalgtag; /* the algorithm used for key exchange/agreement */
+ OSStatus rv;
+ CSSM_DATA_PTR params = NULL;
+ int data_len;
+ OSStatus err;
+ SecSymmetricKeyRef tek;
+ SecCertificateRef ourCert;
+ SecPublicKeyRef ourPubKey;
+ SecCmsKEATemplateSelector whichKEA = SecCmsKEAInvalid;
+
+ certalgtag = SECOID_GetAlgorithmTag(&(cert->subjectPublicKeyInfo.algorithm));
+ PORT_Assert(certalgtag == SEC_OID_X942_DIFFIE_HELMAN_KEY);
+
+ /* We really want to show our KEA tag as the key exchange algorithm tag. */
+ encalgtag = SEC_OID_CMS_EPHEMERAL_STATIC_DIFFIE_HELLMAN;
+
+ /* Get the public key of the recipient. */
+ publickey = CERT_ExtractPublicKey(cert);
+ if (publickey == NULL) goto loser;
+
+ /* XXXX generate a DH key pair on a PKCS11 module (XXX which parameters?) */
+ /* XXXX */ourCert = PK11_FindBestKEAMatch(cert, wincx);
+ if (ourCert == NULL) goto loser;
+
+ arena = PORT_NewArena(1024);
+ if (arena == NULL) goto loser;
+
+ /* While we're here, extract the key pair's public key data and copy it into */
+ /* the outgoing parameters. */
+ /* XXXX */ourPubKey = CERT_ExtractPublicKey(ourCert);
+ if (ourPubKey == NULL)
+ {
+ goto loser;
+ }
+ SECITEM_CopyItem(arena, pubKey, /* XXX */&(ourPubKey->u.fortezza.KEAKey));
+ SECKEY_DestroyPublicKey(ourPubKey); /* we only need the private key from now on */
+ ourPubKey = NULL;
+
+ /* Extract our private key in order to derive the KEA key. */
+ ourPrivKey = PK11_FindKeyByAnyCert(ourCert,wincx);
+ CERT_DestroyCertificate(ourCert); /* we're done with this */
+ if (!ourPrivKey) goto loser;
+
+ /* If ukm desired, prepare it - allocate enough space (filled with zeros). */
+ if (ukm) {
+ ukm->Data = (unsigned char*)PORT_ArenaZAlloc(arena,/* XXXX */);
+ ukm->Length = /* XXXX */;
+ }
+
+ /* Generate the KEK (key exchange key) according to RFC2631 which we use
+ * to wrap the bulk encryption key. */
+ kek = PK11_PubDerive(ourPrivKey, publickey, PR_TRUE,
+ ukm, NULL,
+ /* XXXX */CKM_KEA_KEY_DERIVE, /* XXXX */CKM_SKIPJACK_WRAP,
+ CKA_WRAP, 0, wincx);
+
+ SECKEY_DestroyPublicKey(publickey);
+ SECKEY_DestroyPrivateKey(ourPrivKey);
+ publickey = NULL;
+ ourPrivKey = NULL;
+
+ if (!kek)
+ goto loser;
+
+ /* allocate space for the encrypted CEK (bulk key) */
+ encKey->Data = (unsigned char*)PORT_ArenaAlloc(poolp, SMIME_FORTEZZA_MAX_KEY_SIZE);
+ encKey->Length = SMIME_FORTEZZA_MAX_KEY_SIZE;
+
+ if (encKey->Data == NULL)
+ {
+ CFRelease(kek);
+ goto loser;
+ }
+
+
+ /* Wrap the bulk key using CMSRC2WRAP or CMS3DESWRAP, depending on the */
+ /* bulk encryption algorithm */
+ switch (/* XXXX */PK11_AlgtagToMechanism(enccinfo->encalg))
+ {
+ case /* XXXX */CKM_SKIPJACK_CFB8:
+ err = PK11_WrapSymKey(/* XXXX */CKM_CMS3DES_WRAP, NULL, kek, bulkkey, encKey);
+ whichKEA = SecCmsKEAUsesSkipjack;
+ break;
+ case /* XXXX */CKM_SKIPJACK_CFB8:
+ err = PK11_WrapSymKey(/* XXXX */CKM_CMSRC2_WRAP, NULL, kek, bulkkey, encKey);
+ whichKEA = SecCmsKEAUsesSkipjack;
+ break;
+ default:
+ /* XXXX what do we do here? Neither RC2 nor 3DES... */
+ err = SECFailure;
+ /* set error */
+ break;
+ }
+
+ CFRelease(kek); /* we do not need the KEK anymore */
+ if (err != SECSuccess)
+ goto loser;
+
+ PORT_Assert(whichKEA != SecCmsKEAInvalid);
+
+ /* see RFC2630 12.3.1.1 "keyEncryptionAlgorithm must be ..." */
+ /* params is the DER encoded key wrap algorithm (with parameters!) (XXX) */
+ params = SEC_ASN1EncodeItem(arena, NULL, &keaParams, sec_pkcs7_get_kea_template(whichKEA));
+ if (params == NULL)
+ goto loser;
+
+ /* now set keyEncAlg */
+ rv = SECOID_SetAlgorithmID(poolp, keyEncAlg, SEC_OID_CMS_EPHEMERAL_STATIC_DIFFIE_HELLMAN, params);
+ if (rv != SECSuccess)
+ goto loser;
+
+ /* XXXXXXX this is not right yet */
+loser:
+ if (arena) {
+ PORT_FreeArena(arena, PR_FALSE);
+ }
+ if (publickey) {
+ SECKEY_DestroyPublicKey(publickey);
+ }
+ if (ourPrivKey) {
+ SECKEY_DestroyPrivateKey(ourPrivKey);
+ }
+#endif
+ return SECFailure;
+}
+
+SecSymmetricKeyRef
+SecCmsUtilDecryptSymKeyESDH(SecPrivateKeyRef privkey, CSSM_DATA_PTR encKey, SECAlgorithmID *keyEncAlg, SECOidTag bulkalgtag, void *pwfn_arg)
+{
+#if 0 /* not yet done */
+ OSStatus err;
+ CK_MECHANISM_TYPE bulkType;
+ SecSymmetricKeyRef tek;
+ SecPublicKeyRef originatorPubKey;
+ SecCmsSMIMEKEAParameters keaParams;
+
+ /* XXXX get originator's public key */
+ originatorPubKey = PK11_MakeKEAPubKey(keaParams.originatorKEAKey.Data,
+ keaParams.originatorKEAKey.Length);
+ if (originatorPubKey == NULL)
+ goto loser;
+
+ /* Generate the TEK (token exchange key) which we use to unwrap the bulk encryption key.
+ The Derive function generates a shared secret and combines it with the originatorRA
+ data to come up with an unique session key */
+ tek = PK11_PubDerive(privkey, originatorPubKey, PR_FALSE,
+ &keaParams.originatorRA, NULL,
+ CKM_KEA_KEY_DERIVE, CKM_SKIPJACK_WRAP,
+ CKA_WRAP, 0, pwfn_arg);
+ SECKEY_DestroyPublicKey(originatorPubKey); /* not needed anymore */
+ if (tek == NULL)
+ goto loser;
+
+ /* Now that we have the TEK, unwrap the bulk key
+ with which to decrypt the message. */
+ /* Skipjack is being used as the bulk encryption algorithm.*/
+ /* Unwrap the bulk key. */
+ bulkkey = PK11_UnwrapSymKey(tek, CKM_SKIPJACK_WRAP, NULL,
+ encKey, CKM_SKIPJACK_CBC64, CKA_DECRYPT, 0);
+
+ return bulkkey;
+
+loser:
+#endif
+ return NULL;
+}
+
+#endif /* Fortezza, DIffie-Hellman */
+
+#define CFRELEASE(cf) if(cf != NULL) { CFRelease(cf); }
+
+/* ====== ECDH (Ephemeral-Static Diffie-Hellman) ==================================== */
+
+#pragma mark ---- ECDH support functions ----
+
+#ifdef NDEBUG
+#define CSSM_PERROR(f, r)
+#define dprintf(args...)
+#else
+#define CSSM_PERROR(f, r) cssmPerror(f, r)
+#define dprintf(args...) printf(args)
+#endif
+
+/* Length of KeyAgreeRecipientInfo.ukm we create */
+#define UKM_LENGTH 8
+
+/* KEK algorithm info we generate */
+#define ECDH_KEK_ALG_TAG SEC_OID_DES_EDE3_CBC
+#define ECDH_KEK_KEY_CSSM_ALGID CSSM_ALGID_3DES_3KEY
+#define ECDH_KEK_ENCR_CSSM_ALGID CSSM_ALGID_3DES_3KEY_EDE
+#define ECDH_KEK_KEY_LEN_BYTES 24
+#define ECDH_KEK_IV_LEN_BYTES 8
+
+#define CMS_DUMP_BUFS 0
+#if CMS_DUMP_BUFS
+
+static void dumpBuf(
+ const char *label,
+ const CSSM_DATA *cd)
+{
+ unsigned dex;
+
+ printf("%s:\n ", label);
+ for(dex=0; dex<cd->Length; dex++) {
+ printf("%02X ", cd->Data[dex]);
+ if(((dex % 16) == 15) && (dex != (cd->Length - 1))) {
+ printf("\n ");
+ }
+ }
+ putchar('\n');
+}
+
+#else
+#define dumpBuf(l, d)
+#endif /* CMS_DUMP_BUFS */
+
+/*
+ * The ECC-CMS-SharedInfo struct, as defined in RFC 3278 8.2, and the
+ * template for DER encoding and decoding it.
+ */
+typedef struct {
+ SECAlgorithmID algId; /* KEK alg, NULL params */
+ CSSM_DATA entityUInfo; /* optional, ukm */
+ CSSM_DATA suppPubInfo; /* length of KEK in bits as 4-byte integer */
+} ECC_CMS_SharedInfo;
+
+static const SecAsn1Template ECC_CMS_SharedInfoTemplate[] = {
+ { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(ECC_CMS_SharedInfo) },
+ { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+ offsetof(ECC_CMS_SharedInfo,entityUInfo),
+ kSecAsn1OctetStringTemplate },
+ { SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | SEC_ASN1_CONTEXT_SPECIFIC | 2,
+ offsetof(ECC_CMS_SharedInfo,suppPubInfo),
+ kSecAsn1OctetStringTemplate },
+ { 0 }
+};
+
+/*
+ * Given a context specified via a CSSM_CC_HANDLE, add a new
+ * CSSM_CONTEXT_ATTRIBUTE to the context as specified by AttributeType,
+ * AttributeLength, and an untyped pointer.
+ */
+/* specify either 32-bit integer or a pointer as an added attribute value */
+typedef enum {
+ CAT_Uint32,
+ CAT_Ptr
+} ContextAttrType;
+
+static CSSM_RETURN cmsAddContextAttribute(
+ CSSM_CC_HANDLE CCHandle,
+ uint32 AttributeType,
+ uint32 AttributeLength,
+ ContextAttrType attrType,
+ /* specify exactly one of these */
+ const void *AttributePtr,
+ uint32 attributeInt)
+{
+ CSSM_CONTEXT_ATTRIBUTE newAttr;
+ CSSM_RETURN crtn;
+
+ newAttr.AttributeType = AttributeType;
+ newAttr.AttributeLength = AttributeLength;
+ if(attrType == CAT_Uint32) {
+ newAttr.Attribute.Uint32 = attributeInt;
+ }
+ else {
+ /* this is a union of a bunch of different pointers...*/
+ newAttr.Attribute.Data = (CSSM_DATA_PTR)AttributePtr;
+ }
+ crtn = CSSM_UpdateContextAttributes(CCHandle, 1, &newAttr);
+ if(crtn) {
+ CSSM_PERROR("CSSM_UpdateContextAttributes", crtn);
+ }
+ return crtn;
+}
+
+static CSSM_RETURN cmsGenRand(
+ CSSM_CSP_HANDLE cspHand,
+ CSSM_SIZE len,
+ uint8 *randOut)
+{
+ CSSM_CC_HANDLE ccHand = 0;
+ CSSM_DATA randData = {len, randOut};
+
+ CSSM_RETURN crtn = CSSM_CSP_CreateRandomGenContext(cspHand,
+ CSSM_ALGID_APPLE_YARROW,
+ NULL, /* seed*/
+ len,
+ &ccHand);
+ if(crtn) {
+ CSSM_PERROR("CSSM_CSP_CreateRandomGenContext", crtn);
+ return crtn;
+ }
+ crtn = CSSM_GenerateRandom(ccHand, &randData);
+ CSSM_DeleteContext(ccHand);
+ if(crtn) {
+ CSSM_PERROR("CSSM_GenerateRandom", crtn);
+ }
+ return crtn;
+}
+
+/* convert uint32 to big-endian 4 bytes */
+static void int32ToBytes(
+ uint32_t i,
+ unsigned char *b)
+{
+ int dex;
+ for(dex=3; dex>=0; dex--) {
+ b[dex] = i;
+ i >>= 8;
+ }
+}
+
+/*
+ * NULL wrap a ref key to raw key in default format.
+ */
+static OSStatus cmsNullWrapKey(
+ CSSM_CSP_HANDLE cspHand,
+ const CSSM_KEY *refKey,
+ CSSM_KEY_PTR rawKey)
+{
+ CSSM_DATA descData = {0, 0};
+ CSSM_RETURN crtn;
+ CSSM_CC_HANDLE ccHand;
+ CSSM_ACCESS_CREDENTIALS creds;
+ uint32 keyAttr;
+
+ memset(&creds, 0, sizeof(CSSM_ACCESS_CREDENTIALS));
+ memset(rawKey, 0, sizeof(CSSM_KEY));
+
+ crtn = CSSM_CSP_CreateSymmetricContext(cspHand,
+ CSSM_ALGID_NONE,
+ CSSM_ALGMODE_NONE,
+ &creds,
+ NULL, // unwrappingKey
+ NULL, // initVector
+ CSSM_PADDING_NONE,
+ 0, // Params
+ &ccHand);
+ if(crtn) {
+ CSSM_PERROR("CSSM_CSP_CreateSymmetricContext", crtn);
+ return crtn;
+ }
+
+ keyAttr = rawKey->KeyHeader.KeyAttr;
+ keyAttr &= ~(CSSM_KEYATTR_ALWAYS_SENSITIVE | CSSM_KEYATTR_NEVER_EXTRACTABLE |
+ CSSM_KEYATTR_MODIFIABLE);
+ keyAttr |= CSSM_KEYATTR_RETURN_DATA | CSSM_KEYATTR_EXTRACTABLE;
+ crtn = CSSM_WrapKey(ccHand,
+ &creds,
+ refKey,
+ &descData,
+ rawKey);
+ if(crtn != CSSM_OK) {
+ CSSM_PERROR("CSSM_WrapKey", crtn);
+ }
+ CSSM_DeleteContext(ccHand);
+ return crtn;
+}
+
+/*
+ * Free memory via specified plugin's app-level allocator
+ */
+static void cmsFreeCssmMemory(
+ CSSM_HANDLE hand,
+ void *p)
+{
+ CSSM_API_MEMORY_FUNCS memFuncs;
+ CSSM_RETURN crtn = CSSM_GetAPIMemoryFunctions(hand, &memFuncs);
+ if(crtn) {
+ return;
+ }
+ memFuncs.free_func(p, memFuncs.AllocRef);
+}
+
+/*
+ * Given an OID tag, return key size and mode.
+ * NOTE: ciphers with variable key sizes, like RC2, RC4, and RC5 cannot
+ * be used here because the message does not contain a key size
+ * indication.
+ */
+static OSStatus encrAlgInfo(
+ SECOidTag oidTag,
+ uint32 *keySizeBits, /* RETURNED */
+ CSSM_ENCRYPT_MODE *mode) /* RETURNED */
+{
+ *keySizeBits = 64; /* default */
+ *mode = CSSM_ALGMODE_CBCPadIV8; /* default */
+
+ switch(oidTag) {
+ case SEC_OID_RC2_CBC:
+ case SEC_OID_RC4:
+ case SEC_OID_RC5_CBC_PAD:
+ dprintf("encrAlgInfo: key size unknowable\n");
+ return errSecDataNotAvailable;
+
+ case SEC_OID_DES_EDE3_CBC:
+ *keySizeBits = 192;
+ break;
+ case SEC_OID_DES_EDE:
+ /* Not sure about this; SecCmsCipherContextStart() treats this
+ * like SEC_OID_DES_EDE3_CBC... */
+ case SEC_OID_DES_ECB:
+ *mode = CSSM_ALGMODE_ECB;
+ break;
+ case SEC_OID_DES_CBC:
+ *mode = CSSM_ALGMODE_CBC;
+ break;
+ case SEC_OID_AES_128_CBC:
+ *keySizeBits = 128;
+ break;
+ case SEC_OID_AES_192_CBC:
+ *keySizeBits = 192;
+ break;
+ case SEC_OID_AES_256_CBC:
+ *keySizeBits = 256;
+ break;
+ case SEC_OID_AES_128_ECB:
+ *keySizeBits = 128;
+ *mode = CSSM_ALGMODE_ECB;
+ break;
+ case SEC_OID_AES_192_ECB:
+ *keySizeBits = 192;
+ *mode = CSSM_ALGMODE_ECB;
+ break;
+ case SEC_OID_AES_256_ECB:
+ *keySizeBits = 256;
+ *mode = CSSM_ALGMODE_ECB;
+ break;
+ case SEC_OID_DES_OFB:
+ *mode = CSSM_ALGMODE_OFB;
+ break;
+ case SEC_OID_DES_CFB:
+ *mode = CSSM_ALGMODE_CFB;
+ break;
+ default:
+ dprintf("encrAlgInfo: unknown alg tag (%d)\n", (int)oidTag);
+ return errSecDataNotAvailable;
+ }
+ return noErr;
+}
+
+#pragma mark ---- ECDH CEK key wrap ----
+
+/*
+ * Encrypt bulk encryption key (a.k.a. content encryption key, CEK) using ECDH
+ */
+OSStatus
+SecCmsUtilEncryptSymKeyECDH(
+ PLArenaPool *poolp,
+ SecCertificateRef cert, /* recipient's cert */
+ SecSymmetricKeyRef key, /* bulk key */
+ /* remaining fields RETURNED */
+ CSSM_DATA_PTR encKey, /* encrypted key --> recipientEncryptedKeys[0].EncryptedKey */
+ CSSM_DATA_PTR ukm, /* random UKM --> KeyAgreeRecipientInfo.ukm */
+ SECAlgorithmID *keyEncAlg, /* alg := dhSinglePass-stdDH-sha1kdf-scheme
+ * params := another encoded AlgId, with the KEK alg and IV */
+ CSSM_DATA_PTR pubKey) /* our pub key as ECPoint -->
+ * KeyAgreeRecipientInfo.originator.OriginatorPublicKey */
+{
+ OSStatus rv = noErr;
+ CSSM_KEY ourPrivKeyCssm;
+ CSSM_KEY ourPubKeyCssm;
+ SecKeyRef theirPubKeyRef = NULL;
+ CSSM_KEY_PTR theirPubKeyCssm = NULL;
+ const CSSM_KEY *cekCssmRef = NULL;
+ uint32 ecdhKeySizeBits;
+ CSSM_CSP_HANDLE rawCspHand = SecCspHandleForAlgorithm(CSSM_ALGID_ECDH);
+ CSSM_CC_HANDLE ccHand = 0;
+ CSSM_RETURN crtn;
+ CSSM_DATA keyLabel = {8, (uint8 *)"tempKey"};
+ SECAlgorithmID kekAlgId;
+ uint8 iv[ECDH_KEK_IV_LEN_BYTES];
+ CSSM_DATA ivData = {ECDH_KEK_IV_LEN_BYTES, iv};
+ SECOidData *kekOid;
+ ECC_CMS_SharedInfo sharedInfo;
+ CSSM_DATA sharedInfoEnc = {0, NULL};
+ uint8 nullData[2] = {SEC_ASN1_NULL, 0};
+ uint8 keyLenAsBytes[4];
+ CSSM_KEY kekDerive;
+ CSSM_DATA certData;
+ CSSM_CL_HANDLE clHand;
+ CSSM_ACCESS_CREDENTIALS creds;
+ CSSM_DATA paramData = {0, NULL};
+ CSSM_KEY cekCssm;
+ CSSM_CSP_HANDLE refCspHand;
+ CSSM_SIZE bytesEncrypted;
+ CSSM_DATA remData = {0, NULL};
+ CSSM_DATA ctext = {0, NULL};
+ CSSM_X509_SUBJECT_PUBLIC_KEY_INFO subjPubKey;
+
+ if(rawCspHand == 0) {
+ return internalComponentErr;
+ }
+
+ memset(&ourPrivKeyCssm, 0, sizeof(CSSM_KEY));
+ memset(&ourPubKeyCssm, 0, sizeof(CSSM_KEY));
+ memset(&cekCssm, 0, sizeof(CSSM_KEY));
+ memset(&kekDerive, 0, sizeof(kekDerive));
+
+ encKey->Data = NULL;
+ encKey->Length = 0;
+
+ /*
+ * Create our ECDH key pair matching the recipient's key.
+ * Get the public key in "read-only" OCTET_STRING format, which
+ * is the ECPoint we put in
+ * KeyAgreeRecipientInfo.originator.OriginatorPublicKey.
+ */
+ rv = SecCertificateGetData(cert, &certData);
+ if(rv) {
+ CSSM_PERROR("SecCertificateGetData", rv);
+ return rv;
+ }
+ rv = SecCertificateGetCLHandle(cert, &clHand);
+ if(rv) {
+ CSSM_PERROR("SecCertificateGetCLHandle", rv);
+ return rv;
+ }
+ rv = CSSM_CL_CertGetKeyInfo(clHand, &certData, &theirPubKeyCssm);
+ if(rv) {
+ CSSM_PERROR("CSSM_CL_CertGetKeyInfo", rv);
+ return rv;
+ }
+
+ /*
+ * Verify the EC curve of the recipient's public key. It's in the
+ * public key's AlgId.parameters as an OID. The key we were
+ * given is in CSSM_X509_SUBJECT_PUBLIC_KEY_INFO form.
+ */
+ memset(&subjPubKey, 0, sizeof(subjPubKey));
+ if(SEC_ASN1DecodeItem(poolp, &subjPubKey, kSecAsn1SubjectPublicKeyInfoTemplate,
+ &theirPubKeyCssm->KeyData)) {
+ dprintf("SecCmsUtilEncryptSymKeyECDH: error decoding SubjPubKey\n");
+ /* oh well, keep going */
+ }
+ else {
+ if(subjPubKey.algorithm.parameters.Data != NULL) {
+ CSSM_DATA curveOid;
+ if(SEC_ASN1DecodeItem(poolp, &curveOid, kSecAsn1ObjectIDTemplate,
+ &subjPubKey.algorithm.parameters)) {
+ dprintf("SecCmsUtilEncryptSymKeyECDH: error decoding curveOid\n");
+ /* oh well, keep going */
+ }
+ else {
+ /* We have the curve OID. Any other errors are fatal. */
+ SECOidTag oidTag = SECOID_FindOIDTag(&curveOid);
+ switch(oidTag) {
+ case SEC_OID_SECP_256_R1:
+ case SEC_OID_SECP_384_R1:
+ case SEC_OID_SECP_521_R1:
+ break;
+ default:
+ dprintf("SecCmsUtilEncryptSymKeyECDH: unsupported curveOid\n");
+ rv = CSSMERR_CSP_INVALID_KEY;
+ goto loser;
+ }
+ }
+ }
+ }
+
+ ecdhKeySizeBits = theirPubKeyCssm->KeyHeader.LogicalKeySizeInBits;
+ crtn = CSSM_CSP_CreateKeyGenContext(rawCspHand,
+ CSSM_ALGID_ECDSA,
+ ecdhKeySizeBits,
+ NULL, // Seed
+ NULL, // Salt
+ NULL, // StartDate
+ NULL, // EndDate
+ NULL, // Params
+ &ccHand);
+ if(crtn) {
+ CSSM_PERROR("CSSM_CSP_CreateKeyGenContext", crtn);
+ rv = crtn;
+ goto loser;
+ }
+ crtn = cmsAddContextAttribute(ccHand,
+ CSSM_ATTRIBUTE_PUBLIC_KEY_FORMAT,
+ sizeof(uint32),
+ CAT_Uint32,
+ NULL,
+ CSSM_KEYBLOB_RAW_FORMAT_OCTET_STRING);
+ if(crtn) {
+ CSSM_PERROR("AddContextAttribute(CSSM_ATTRIBUTE_PUBLIC_KEY_FORMAT)", crtn);
+ rv = crtn;
+ goto loser;
+ }
+
+ crtn = CSSM_GenerateKeyPair(ccHand,
+ CSSM_KEYUSE_DERIVE,
+ CSSM_KEYATTR_RETURN_DATA | CSSM_KEYATTR_EXTRACTABLE,
+ &keyLabel,
+ &ourPubKeyCssm,
+ CSSM_KEYUSE_DERIVE,
+ CSSM_KEYATTR_RETURN_REF | CSSM_KEYATTR_EXTRACTABLE,
+ &keyLabel,
+ NULL, // CredAndAclEntry
+ &ourPrivKeyCssm);
+ CSSM_DeleteContext(ccHand);
+ ccHand = 0;
+ if(crtn) {
+ CSSM_PERROR("CSSM_GenerateKeyPair", crtn);
+ rv = crtn;
+ goto loser;
+ }
+ pubKey->Length = ourPubKeyCssm.KeyData.Length;
+ pubKey->Data = (uint8 *)PORT_ArenaAlloc(poolp, pubKey->Length);
+ memmove(pubKey->Data, ourPubKeyCssm.KeyData.Data, pubKey->Length);
+ dumpBuf("sender's public key", pubKey);
+
+ /*
+ * Cook up random UKM
+ */
+ ukm->Data = (uint8 *)PORT_ArenaAlloc(poolp, UKM_LENGTH);
+ ukm->Length = UKM_LENGTH;
+ crtn = cmsGenRand(rawCspHand, UKM_LENGTH, ukm->Data);
+ if(crtn) {
+ goto loser;
+ }
+ dumpBuf("sender UKM", ukm);
+
+ /*
+ * OK, we have to set up a weird SECAlgorithmID.
+ * algorithm = dhSinglePass-stdDH-sha1kdf-scheme
+ * params = an encoded SECAlgorithmID representing the KEK algorithm, with
+ * algorithm = whatever we pick
+ * parameters = IV as octet string (though I haven't seen that specified
+ * anywhere; it's how the CEK IV is encoded)
+ *
+ * First, the 8-byte random IV, encoded as octet string
+ */
+ crtn = cmsGenRand(rawCspHand, ECDH_KEK_IV_LEN_BYTES, iv);
+ if(crtn) {
+ goto loser;
+ }
+ dumpBuf("sender IV", &ivData);
+
+ memset(&kekAlgId, 0, sizeof(kekAlgId));
+ if (!SEC_ASN1EncodeItem(poolp, &kekAlgId.parameters,
+ &ivData, kSecAsn1OctetStringTemplate)) {
+ rv = internalComponentErr;
+ goto loser;
+ }
+
+ /* Drop in the KEK OID and encode the whole thing */
+ kekOid = SECOID_FindOIDByTag(ECDH_KEK_ALG_TAG);
+ if(kekOid == NULL) {
+ dprintf("SecCmsUtilEncryptSymKeyECDH: OID screwup\n");
+ rv = internalComponentErr;
+ goto loser;
+ }
+ kekAlgId.algorithm = kekOid->oid;
+ memset(keyEncAlg, 0, sizeof(*keyEncAlg));
+ if (!SEC_ASN1EncodeItem(poolp, &keyEncAlg->parameters,
+ &kekAlgId, SECOID_AlgorithmIDTemplate)) {
+ rv = internalComponentErr;
+ goto loser;
+ }
+ kekOid = SECOID_FindOIDByTag(SEC_OID_DH_SINGLE_STD_SHA1KDF);
+ if(kekOid == NULL) {
+ dprintf("SecCmsUtilEncryptSymKeyECDH: OID screwup\n");
+ rv = internalComponentErr;
+ goto loser;
+ }
+ keyEncAlg->algorithm = kekOid->oid;
+
+ /*
+ * Now in order to derive the KEK proper, we have to create a
+ * ECC-CMS-SharedInfo, which does not appear in the message, and DER
+ * encode that struct, the result of which is used as the
+ * SharedInfo value in the KEK key derive.
+ */
+ memset(&sharedInfo, 0, sizeof(sharedInfo));
+ kekOid = SECOID_FindOIDByTag(ECDH_KEK_ALG_TAG);
+ sharedInfo.algId.algorithm = kekOid->oid;
+ sharedInfo.algId.parameters.Data = nullData;
+ sharedInfo.algId.parameters.Length = 2;
+ sharedInfo.entityUInfo = *ukm;
+ int32ToBytes(ECDH_KEK_KEY_LEN_BYTES << 3, keyLenAsBytes);
+ sharedInfo.suppPubInfo.Length = 4;
+ sharedInfo.suppPubInfo.Data = keyLenAsBytes;
+ if (!SEC_ASN1EncodeItem(poolp, &sharedInfoEnc,
+ &sharedInfo, ECC_CMS_SharedInfoTemplate)) {
+ rv = internalComponentErr;
+ goto loser;
+ }
+ dumpBuf("sender encoded SharedInfo", &sharedInfoEnc);
+
+ /*
+ * Since we're using the raw CSP here, we can provide the "other" public
+ * key as an actual CSSM_KEY. When unwrapping, we won't be able to do that
+ * since we'll be using our private key obtained from a SecIdentityRef.
+ */
+ memset(&creds, 0, sizeof(CSSM_ACCESS_CREDENTIALS));
+ crtn = CSSM_CSP_CreateDeriveKeyContext(rawCspHand,
+ CSSM_ALGID_ECDH_X963_KDF,
+ ECDH_KEK_KEY_CSSM_ALGID, // algorithm of the KEK
+ ECDH_KEK_KEY_LEN_BYTES * 8,
+ &creds,
+ &ourPrivKeyCssm, // BaseKey
+ 0, // IterationCount
+ &sharedInfoEnc, // Salt
+ 0, // Seed
+ &ccHand);
+ if(crtn) {
+ CSSM_PERROR("CSSM_CSP_CreateDeriveKeyContext", crtn);
+ rv = crtn;
+ goto loser;
+ }
+
+ /* add recipient's pub key as a context attr */
+ crtn = cmsAddContextAttribute(ccHand,
+ CSSM_ATTRIBUTE_PUBLIC_KEY,
+ sizeof(CSSM_KEY),
+ CAT_Ptr,
+ (void *)theirPubKeyCssm,
+ 0);
+ if(crtn) {
+ rv = crtn;
+ goto loser;
+ }
+
+ /* Derive the KEK */
+ crtn = CSSM_DeriveKey(ccHand,
+ ¶mData,
+ CSSM_KEYUSE_ANY,
+ CSSM_KEYATTR_RETURN_DATA | CSSM_KEYATTR_EXTRACTABLE,
+ &keyLabel,
+ NULL, // cread/acl
+ &kekDerive);
+ if(crtn) {
+ CSSM_PERROR("CSSM_DeriveKey", crtn);
+ rv = crtn;
+ goto loser;
+ }
+ CSSM_DeleteContext(ccHand);
+ ccHand = 0;
+
+ /*
+ * Obtain the raw CEK bits.
+ */
+ rv = SecKeyGetCSSMKey(key, &cekCssmRef);
+ if(rv) {
+ CSSM_PERROR("SecKeyGetCSSMKey", rv);
+ goto loser;
+ }
+ rv = SecKeyGetCSPHandle(key, &refCspHand);
+ if(rv) {
+ CSSM_PERROR("SecKeyGetCSPHandle", rv);
+ goto loser;
+ }
+ rv = cmsNullWrapKey(refCspHand, cekCssmRef, &cekCssm);
+ if(rv) {
+ goto loser;
+ }
+
+ /*
+ * Finally, encrypt the raw CEK bits with the KEK we just derived
+ */
+ crtn = CSSM_CSP_CreateSymmetricContext(rawCspHand,
+ ECDH_KEK_ENCR_CSSM_ALGID,
+ CSSM_ALGMODE_CBCPadIV8,
+ NULL, // access cred
+ &kekDerive,
+ &ivData, // InitVector
+ CSSM_PADDING_PKCS7,
+ NULL, // Params
+ &ccHand);
+ if(rv) {
+ CSSM_PERROR("CSSM_CSP_CreateSymmetricContext", rv);
+ goto loser;
+ }
+ rv = CSSM_EncryptData(ccHand,
+ &cekCssm.KeyData,
+ 1,
+ &ctext,
+ 1,
+ &bytesEncrypted,
+ &remData);
+ if(rv) {
+ CSSM_PERROR("CSSM_EncryptData", rv);
+ goto loser;
+ }
+ encKey->Data = PORT_ArenaAlloc(poolp, bytesEncrypted);
+ encKey->Length = bytesEncrypted;
+ memmove(encKey->Data, ctext.Data, ctext.Length);
+ if(bytesEncrypted != ctext.Length) {
+ memmove(encKey->Data + ctext.Length, remData.Data, remData.Length);
+ }
+ dumpBuf("sender encKey", encKey);
+
+loser:
+ if(ccHand) {
+ CSSM_DeleteContext(ccHand);
+ }
+ CFRELEASE(theirPubKeyRef);
+ if(ourPubKeyCssm.KeyData.Data) {
+ CSSM_FreeKey(rawCspHand, NULL, &ourPubKeyCssm, CSSM_FALSE);
+ }
+ if(ourPrivKeyCssm.KeyData.Data) {
+ CSSM_FreeKey(rawCspHand, NULL, &ourPrivKeyCssm, CSSM_FALSE);
+ }
+ if(ctext.Data) {
+ cmsFreeCssmMemory(rawCspHand, ctext.Data);
+ }
+ if(remData.Data) {
+ cmsFreeCssmMemory(rawCspHand, remData.Data);
+ }
+ if(cekCssm.KeyData.Data) {
+ CSSM_FreeKey(refCspHand, NULL, &cekCssm, CSSM_FALSE);
+ }
+ if(kekDerive.KeyData.Data) {
+ CSSM_FreeKey(rawCspHand, NULL, &kekDerive, CSSM_FALSE);
+ }
+ if(theirPubKeyCssm) {
+ /* Allocated by CL */
+ cmsFreeCssmMemory(clHand, theirPubKeyCssm->KeyData.Data);
+ cmsFreeCssmMemory(clHand, theirPubKeyCssm);
+ }
+ return rv;
+}
+
+#pragma mark ---- ECDH CEK key unwrap ----
+
+SecSymmetricKeyRef
+SecCmsUtilDecryptSymKeyECDH(
+ SecPrivateKeyRef privkey, /* our private key */
+ CSSM_DATA_PTR encKey, /* encrypted CEK */
+ CSSM_DATA_PTR ukm, /* random UKM from KeyAgreeRecipientInfo.ukm */
+ SECAlgorithmID *keyEncAlg, /* alg := dhSinglePass-stdDH-sha1kdf-scheme
+ * params := another encoded AlgId, with the KEK alg and IV */
+ SECOidTag bulkalgtag, /* algorithm of returned key */
+ CSSM_DATA_PTR pubKey) /* sender's pub key as ECPoint from
+ * KeyAgreeRecipientInfo.originator.OriginatorPublicKey */
+
+{
+ SecSymmetricKeyRef outKey = NULL;
+ OSStatus rv = noErr;
+ const CSSM_KEY *ourPrivKeyCssm;
+ PLArenaPool *pool = NULL;
+ SECAlgorithmID keyAlgParam;
+ SECOidData *kekOid = NULL;
+ CSSM_DATA iv = {0, NULL};
+ ECC_CMS_SharedInfo sharedInfo;
+ CSSM_DATA sharedInfoEnc = {0, NULL};
+ uint8 nullData[2] = {SEC_ASN1_NULL, 0};
+ uint8 keyLenAsBytes[4];
+ CSSM_ENCRYPT_MODE kekMode;
+ uint32 kekSizeBits;
+ CSSM_KEY kekDerive;
+ CSSM_RETURN crtn;
+ CSSM_ACCESS_CREDENTIALS creds;
+ CSSM_CSP_HANDLE refCspHand;
+ CSSM_CC_HANDLE ccHand = 0;
+ CSSM_DATA keyLabel = {8, (uint8 *)"tempKey"};
+ const CSSM_ACCESS_CREDENTIALS *accessCred;
+ CSSM_KEY wrappedKey;
+ CSSM_KEY unwrappedKey;
+ CSSM_ALGORITHMS bulkAlg;
+ CSSM_DATA descriptiveData = {0, NULL};
+
+ dumpBuf("receiver encKey", encKey);
+
+ memset(&kekDerive, 0, sizeof(kekDerive));
+
+ /* our private key in CSSM form */
+ rv = SecKeyGetCSSMKey(privkey, &ourPrivKeyCssm);
+ if(rv) {
+ CSSM_PERROR("SecKeyGetCSSMKey", rv);
+ goto loser;
+ }
+
+ /*
+ * Decode keyEncAlg.params to get KEK algorithm and IV
+ */
+ pool = PORT_NewArena(1024);
+ if(pool == NULL) {
+ goto loser;
+ }
+ memset(&keyAlgParam, 0, sizeof(keyAlgParam));
+ if(SEC_ASN1DecodeItem(pool, &keyAlgParam, SECOID_AlgorithmIDTemplate,
+ &keyEncAlg->parameters)) {
+ dprintf("SecCmsUtilDecryptSymKeyECDH: error decoding keyAlgParams\n");
+ goto loser;
+ }
+ kekOid = SECOID_FindOID(&keyAlgParam.algorithm);
+ if(kekOid == NULL) {
+ dprintf("SecCmsUtilDecryptSymKeyECDH: unknown KEK enc OID\n");
+ goto loser;
+ }
+ rv = encrAlgInfo(kekOid->offset, &kekSizeBits, &kekMode);
+ if(rv) {
+ goto loser;
+ }
+ /* IV is OCTET STRING in the alg params */
+ if(SEC_ASN1DecodeItem(pool, &iv, kSecAsn1OctetStringTemplate,
+ &keyAlgParam.parameters)) {
+ /*
+ * Not sure here - is it legal to have no IV? I haven't seen this
+ * addressed in any spec. Maybe we should condition the behavior
+ * here on the KEK algorithm.
+ */
+ dprintf("SecCmsUtilDecryptSymKeyECDH: no KEK IV\n");
+ goto loser;
+ }
+
+ /*
+ * Now in order to derive the KEK proper, we have to create a
+ * ECC-CMS-SharedInfo, which does not appear in the message, and DER
+ * encode that struct, the result of which is used as the
+ * SharedInfo value in the KEK key derive.
+ */
+ memset(&sharedInfo, 0, sizeof(sharedInfo));
+ sharedInfo.algId.algorithm = kekOid->oid;
+ sharedInfo.algId.parameters.Data = nullData;
+ sharedInfo.algId.parameters.Length = 2;
+ sharedInfo.entityUInfo = *ukm;
+ int32ToBytes(kekSizeBits, keyLenAsBytes);
+ sharedInfo.suppPubInfo.Length = 4;
+ sharedInfo.suppPubInfo.Data = keyLenAsBytes;
+ if (!SEC_ASN1EncodeItem(pool, &sharedInfoEnc,
+ &sharedInfo, ECC_CMS_SharedInfoTemplate)) {
+ rv = internalComponentErr;
+ goto loser;
+ }
+ dumpBuf("receiver encoded SharedInfo", &sharedInfoEnc);
+ dumpBuf("receiver IV", &iv);
+ dumpBuf("receiver UKM", ukm);
+ dumpBuf("sender's public key", pubKey);
+
+ /*
+ * Using the Sec-layer CSPDL, "other's" public key specified as ECPOint param. Which
+ * is fortunate because that's what we have...
+ */
+ memset(&creds, 0, sizeof(CSSM_ACCESS_CREDENTIALS));
+ rv = SecKeyGetCSPHandle(privkey, &refCspHand);
+ if(rv) {
+ CSSM_PERROR("SecKeyGetCSPHandle", rv);
+ goto loser;
+ }
+ rv = SecKeyGetCredentials(privkey,
+ CSSM_ACL_AUTHORIZATION_DERIVE,
+ kSecCredentialTypeDefault,
+ &accessCred);
+ if (rv) {
+ CSSM_PERROR("SecKeyGetCredentials", rv);
+ goto loser;
+ }
+ crtn = CSSM_CSP_CreateDeriveKeyContext(refCspHand,
+ CSSM_ALGID_ECDH_X963_KDF,
+ kekOid->cssmAlgorithm, // algorithm of the KEK
+ kekSizeBits,
+ &creds,
+ ourPrivKeyCssm, // BaseKey
+ 0, // IterationCount
+ &sharedInfoEnc, // Salt
+ 0, // Seed
+ &ccHand);
+ if(crtn) {
+ CSSM_PERROR("CSSM_CSP_CreateDeriveKeyContext", crtn);
+ goto loser;
+ }
+ crtn = CSSM_DeriveKey(ccHand,
+ pubKey, // param
+ CSSM_KEYUSE_ANY,
+ CSSM_KEYATTR_RETURN_REF | CSSM_KEYATTR_EXTRACTABLE,
+ &keyLabel,
+ NULL, // cred/acl
+ &kekDerive);
+ CSSM_DeleteContext(ccHand);
+ ccHand = 0;
+ if(crtn) {
+ CSSM_PERROR("CSSM_DeriveKey", crtn);
+ goto loser;
+ }
+
+ /*
+ * Decrypt the encrypted key bits with the KEK key.
+ */
+ crtn = CSSM_CSP_CreateSymmetricContext(refCspHand,
+ kekOid->cssmAlgorithm,
+ kekMode,
+ NULL, // access cred
+ &kekDerive,
+ &iv, // InitVector
+ /* FIXME is this variable too? */
+ CSSM_PADDING_PKCS7,
+ NULL, // Params
+ &ccHand);
+ if(rv) {
+ CSSM_PERROR("CSSM_CSP_CreateSymmetricContext", rv);
+ goto loser;
+ }
+
+ memset(&wrappedKey, 0, sizeof(CSSM_KEY));
+ memset(&unwrappedKey, 0, sizeof(CSSM_KEY));
+
+ bulkAlg = SECOID_FindyCssmAlgorithmByTag(bulkalgtag);
+ if(bulkAlg == CSSM_ALGID_NONE) {
+ dprintf("SecCmsUtilDecryptSymKeyECDH: unknown bulk alg\n");
+ goto loser;
+ }
+
+ wrappedKey.KeyHeader.HeaderVersion = CSSM_KEYHEADER_VERSION;
+ wrappedKey.KeyHeader.BlobType = CSSM_KEYBLOB_WRAPPED;
+ wrappedKey.KeyHeader.Format = CSSM_KEYBLOB_WRAPPED_FORMAT_PKCS7;
+ wrappedKey.KeyHeader.AlgorithmId = bulkAlg;
+ wrappedKey.KeyHeader.KeyClass = CSSM_KEYCLASS_SESSION_KEY;
+ wrappedKey.KeyHeader.WrapAlgorithmId = kekOid->cssmAlgorithm;
+ wrappedKey.KeyHeader.WrapMode = CSSM_ALGMODE_NONE;
+ wrappedKey.KeyData = *encKey;
+
+ crtn = CSSM_UnwrapKey(ccHand,
+ NULL, /* publicKey */
+ &wrappedKey,
+ CSSM_KEYUSE_DECRYPT,
+ CSSM_KEYATTR_EXTRACTABLE,
+ &keyLabel,
+ NULL, /* rcc */
+ &unwrappedKey,
+ &descriptiveData);
+ CSSM_DeleteContext(ccHand);
+ ccHand = 0;
+ if(crtn) {
+ CSSM_PERROR("CSSM_UnwrapKey", crtn);
+ goto loser;
+ }
+ rv = SecKeyCreateWithCSSMKey(&unwrappedKey, &outKey);
+ if (rv) {
+ CSSM_PERROR("SecKeyCreateWithCSSMKey", rv);
+ }
+
+loser:
+ if(pool != NULL) {
+ PORT_FreeArena(pool, PR_FALSE);
+ }
+ if(kekDerive.KeyData.Data) {
+ CSSM_FreeKey(refCspHand, NULL, &kekDerive, CSSM_FALSE);
+ }
+ if(outKey == NULL) {
+ PORT_SetError(SEC_ERROR_NO_KEY);
+ }
+ return outKey;
+}
+
+
+
projects / apple / security.git / blobdiff