1 /* 2 * Copyright (c) 2004 - 2007 Kungliga Tekniska Högskolan 3 * (Royal Institute of Technology, Stockholm, Sweden). 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * 3. Neither the name of the Institute nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 #include "hx_locl.h" 35 36 struct hx509_crypto; 37 38 struct signature_alg; 39 40 struct hx509_generate_private_context { 41 const heim_oid *key_oid; 42 int isCA; 43 unsigned long num_bits; 44 }; 45 46 struct hx509_private_key_ops { 47 const char *pemtype; 48 const heim_oid *key_oid; 49 int (*available)(const hx509_private_key, 50 const AlgorithmIdentifier *); 51 int (*get_spki)(hx509_context, 52 const hx509_private_key, 53 SubjectPublicKeyInfo *); 54 int (*export)(hx509_context context, 55 const hx509_private_key, 56 hx509_key_format_t, 57 heim_octet_string *); 58 int (*import)(hx509_context, const AlgorithmIdentifier *, 59 const void *, size_t, hx509_key_format_t, 60 hx509_private_key); 61 int (*generate_private_key)(hx509_context, 62 struct hx509_generate_private_context *, 63 hx509_private_key); 64 BIGNUM *(*get_internal)(hx509_context, hx509_private_key, const char *); 65 }; 66 67 struct hx509_private_key { 68 unsigned int ref; 69 const struct signature_alg *md; 70 const heim_oid *signature_alg; 71 union { 72 RSA *rsa; 73 void *keydata; 74 #ifdef HAVE_OPENSSL 75 EC_KEY *ecdsa; 76 #endif 77 } private_key; 78 hx509_private_key_ops *ops; 79 }; 80 81 /* 82 * 83 */ 84 85 struct signature_alg { 86 const char *name; 87 const heim_oid *sig_oid; 88 const AlgorithmIdentifier *sig_alg; 89 const heim_oid *key_oid; 90 const AlgorithmIdentifier *digest_alg; 91 int flags; 92 #define PROVIDE_CONF 0x1 93 #define REQUIRE_SIGNER 0x2 94 #define SELF_SIGNED_OK 0x4 95 96 #define SIG_DIGEST 0x100 97 #define SIG_PUBLIC_SIG 0x200 98 #define SIG_SECRET 0x400 99 100 #define RA_RSA_USES_DIGEST_INFO 0x1000000 101 102 time_t best_before; /* refuse signature made after best before date */ 103 const EVP_MD *(*evp_md)(void); 104 int (*verify_signature)(hx509_context context, 105 const struct signature_alg *, 106 const Certificate *, 107 const AlgorithmIdentifier *, 108 const heim_octet_string *, 109 const heim_octet_string *); 110 int (*create_signature)(hx509_context, 111 const struct signature_alg *, 112 const hx509_private_key, 113 const AlgorithmIdentifier *, 114 const heim_octet_string *, 115 AlgorithmIdentifier *, 116 heim_octet_string *); 117 int digest_size; 118 }; 119 120 static const struct signature_alg * 121 find_sig_alg(const heim_oid *oid); 122 123 /* 124 * 125 */ 126 127 static const heim_octet_string null_entry_oid = { 2, rk_UNCONST("\x05\x00") }; 128 129 static const unsigned sha512_oid_tree[] = { 2, 16, 840, 1, 101, 3, 4, 2, 3 }; 130 const AlgorithmIdentifier _hx509_signature_sha512_data = { 131 { 9, rk_UNCONST(sha512_oid_tree) }, rk_UNCONST(&null_entry_oid) 132 }; 133 134 static const unsigned sha384_oid_tree[] = { 2, 16, 840, 1, 101, 3, 4, 2, 2 }; 135 const AlgorithmIdentifier _hx509_signature_sha384_data = { 136 { 9, rk_UNCONST(sha384_oid_tree) }, rk_UNCONST(&null_entry_oid) 137 }; 138 139 static const unsigned sha256_oid_tree[] = { 2, 16, 840, 1, 101, 3, 4, 2, 1 }; 140 const AlgorithmIdentifier _hx509_signature_sha256_data = { 141 { 9, rk_UNCONST(sha256_oid_tree) }, rk_UNCONST(&null_entry_oid) 142 }; 143 144 static const unsigned sha1_oid_tree[] = { 1, 3, 14, 3, 2, 26 }; 145 const AlgorithmIdentifier _hx509_signature_sha1_data = { 146 { 6, rk_UNCONST(sha1_oid_tree) }, rk_UNCONST(&null_entry_oid) 147 }; 148 149 static const unsigned md5_oid_tree[] = { 1, 2, 840, 113549, 2, 5 }; 150 const AlgorithmIdentifier _hx509_signature_md5_data = { 151 { 6, rk_UNCONST(md5_oid_tree) }, rk_UNCONST(&null_entry_oid) 152 }; 153 154 static const unsigned ecPublicKey[] ={ 1, 2, 840, 10045, 2, 1 }; 155 const AlgorithmIdentifier _hx509_signature_ecPublicKey = { 156 { 6, rk_UNCONST(ecPublicKey) }, NULL 157 }; 158 159 static const unsigned ecdsa_with_sha256_oid[] ={ 1, 2, 840, 10045, 4, 3, 2 }; 160 const AlgorithmIdentifier _hx509_signature_ecdsa_with_sha256_data = { 161 { 7, rk_UNCONST(ecdsa_with_sha256_oid) }, NULL 162 }; 163 164 static const unsigned ecdsa_with_sha1_oid[] ={ 1, 2, 840, 10045, 4, 1 }; 165 const AlgorithmIdentifier _hx509_signature_ecdsa_with_sha1_data = { 166 { 6, rk_UNCONST(ecdsa_with_sha1_oid) }, NULL 167 }; 168 169 static const unsigned rsa_with_sha512_oid[] ={ 1, 2, 840, 113549, 1, 1, 13 }; 170 const AlgorithmIdentifier _hx509_signature_rsa_with_sha512_data = { 171 { 7, rk_UNCONST(rsa_with_sha512_oid) }, NULL 172 }; 173 174 static const unsigned rsa_with_sha384_oid[] ={ 1, 2, 840, 113549, 1, 1, 12 }; 175 const AlgorithmIdentifier _hx509_signature_rsa_with_sha384_data = { 176 { 7, rk_UNCONST(rsa_with_sha384_oid) }, NULL 177 }; 178 179 static const unsigned rsa_with_sha256_oid[] ={ 1, 2, 840, 113549, 1, 1, 11 }; 180 const AlgorithmIdentifier _hx509_signature_rsa_with_sha256_data = { 181 { 7, rk_UNCONST(rsa_with_sha256_oid) }, NULL 182 }; 183 184 static const unsigned rsa_with_sha1_oid[] ={ 1, 2, 840, 113549, 1, 1, 5 }; 185 const AlgorithmIdentifier _hx509_signature_rsa_with_sha1_data = { 186 { 7, rk_UNCONST(rsa_with_sha1_oid) }, NULL 187 }; 188 189 static const unsigned rsa_with_md5_oid[] ={ 1, 2, 840, 113549, 1, 1, 4 }; 190 const AlgorithmIdentifier _hx509_signature_rsa_with_md5_data = { 191 { 7, rk_UNCONST(rsa_with_md5_oid) }, NULL 192 }; 193 194 static const unsigned rsa_oid[] ={ 1, 2, 840, 113549, 1, 1, 1 }; 195 const AlgorithmIdentifier _hx509_signature_rsa_data = { 196 { 7, rk_UNCONST(rsa_oid) }, NULL 197 }; 198 199 static const unsigned rsa_pkcs1_x509_oid[] ={ 1, 2, 752, 43, 16, 1 }; 200 const AlgorithmIdentifier _hx509_signature_rsa_pkcs1_x509_data = { 201 { 6, rk_UNCONST(rsa_pkcs1_x509_oid) }, NULL 202 }; 203 204 static const unsigned des_rsdi_ede3_cbc_oid[] ={ 1, 2, 840, 113549, 3, 7 }; 205 const AlgorithmIdentifier _hx509_des_rsdi_ede3_cbc_oid = { 206 { 6, rk_UNCONST(des_rsdi_ede3_cbc_oid) }, NULL 207 }; 208 209 static const unsigned aes128_cbc_oid[] ={ 2, 16, 840, 1, 101, 3, 4, 1, 2 }; 210 const AlgorithmIdentifier _hx509_crypto_aes128_cbc_data = { 211 { 9, rk_UNCONST(aes128_cbc_oid) }, NULL 212 }; 213 214 static const unsigned aes256_cbc_oid[] ={ 2, 16, 840, 1, 101, 3, 4, 1, 42 }; 215 const AlgorithmIdentifier _hx509_crypto_aes256_cbc_data = { 216 { 9, rk_UNCONST(aes256_cbc_oid) }, NULL 217 }; 218 219 /* 220 * 221 */ 222 223 static BIGNUM * 224 heim_int2BN(const heim_integer *i) 225 { 226 BIGNUM *bn; 227 228 bn = BN_bin2bn(i->data, i->length, NULL); 229 if (bn != NULL) 230 BN_set_negative(bn, i->negative); 231 return bn; 232 } 233 234 /* 235 * 236 */ 237 238 static int 239 set_digest_alg(DigestAlgorithmIdentifier *id, 240 const heim_oid *oid, 241 const void *param, size_t length) 242 { 243 int ret; 244 if (param) { 245 id->parameters = malloc(sizeof(*id->parameters)); 246 if (id->parameters == NULL) 247 return ENOMEM; 248 id->parameters->data = malloc(length); 249 if (id->parameters->data == NULL) { 250 free(id->parameters); 251 id->parameters = NULL; 252 return ENOMEM; 253 } 254 memcpy(id->parameters->data, param, length); 255 id->parameters->length = length; 256 } else 257 id->parameters = NULL; 258 ret = der_copy_oid(oid, &id->algorithm); 259 if (ret) { 260 if (id->parameters) { 261 free(id->parameters->data); 262 free(id->parameters); 263 id->parameters = NULL; 264 } 265 return ret; 266 } 267 return 0; 268 } 269 270 #ifdef HAVE_OPENSSL 271 272 static int 273 heim_oid2ecnid(heim_oid *oid) 274 { 275 /* 276 * Now map to openssl OID fun 277 */ 278 279 if (der_heim_oid_cmp(oid, ASN1_OID_ID_EC_GROUP_SECP256R1) == 0) 280 return NID_X9_62_prime256v1; 281 else if (der_heim_oid_cmp(oid, ASN1_OID_ID_EC_GROUP_SECP160R1) == 0) 282 return NID_secp160r1; 283 else if (der_heim_oid_cmp(oid, ASN1_OID_ID_EC_GROUP_SECP160R2) == 0) 284 return NID_secp160r2; 285 286 return -1; 287 } 288 289 static int 290 parse_ECParameters(hx509_context context, 291 heim_octet_string *parameters, int *nid) 292 { 293 ECParameters ecparam; 294 size_t size; 295 int ret; 296 297 if (parameters == NULL) { 298 ret = HX509_PARSING_KEY_FAILED; 299 hx509_set_error_string(context, 0, ret, 300 "EC parameters missing"); 301 return ret; 302 } 303 304 ret = decode_ECParameters(parameters->data, parameters->length, 305 &ecparam, &size); 306 if (ret) { 307 hx509_set_error_string(context, 0, ret, 308 "Failed to decode EC parameters"); 309 return ret; 310 } 311 312 if (ecparam.element != choice_ECParameters_namedCurve) { 313 free_ECParameters(&ecparam); 314 hx509_set_error_string(context, 0, ret, 315 "EC parameters is not a named curve"); 316 return HX509_CRYPTO_SIG_INVALID_FORMAT; 317 } 318 319 *nid = heim_oid2ecnid(&ecparam.u.namedCurve); 320 free_ECParameters(&ecparam); 321 if (*nid == -1) { 322 hx509_set_error_string(context, 0, ret, 323 "Failed to find matcing NID for EC curve"); 324 return HX509_CRYPTO_SIG_INVALID_FORMAT; 325 } 326 return 0; 327 } 328 329 330 /* 331 * 332 */ 333 334 static int 335 ecdsa_verify_signature(hx509_context context, 336 const struct signature_alg *sig_alg, 337 const Certificate *signer, 338 const AlgorithmIdentifier *alg, 339 const heim_octet_string *data, 340 const heim_octet_string *sig) 341 { 342 const AlgorithmIdentifier *digest_alg; 343 const SubjectPublicKeyInfo *spi; 344 heim_octet_string digest; 345 int ret; 346 EC_KEY *key = NULL; 347 int groupnid; 348 EC_GROUP *group; 349 const unsigned char *p; 350 long len; 351 352 digest_alg = sig_alg->digest_alg; 353 354 ret = _hx509_create_signature(context, 355 NULL, 356 digest_alg, 357 data, 358 NULL, 359 &digest); 360 if (ret) 361 return ret; 362 363 /* set up EC KEY */ 364 spi = &signer->tbsCertificate.subjectPublicKeyInfo; 365 366 if (der_heim_oid_cmp(&spi->algorithm.algorithm, ASN1_OID_ID_ECPUBLICKEY) != 0) 367 return HX509_CRYPTO_SIG_INVALID_FORMAT; 368 369 #ifdef HAVE_OPENSSL 370 /* 371 * Find the group id 372 */ 373 374 ret = parse_ECParameters(context, spi->algorithm.parameters, &groupnid); 375 if (ret) { 376 der_free_octet_string(&digest); 377 return ret; 378 } 379 380 /* 381 * Create group, key, parse key 382 */ 383 384 key = EC_KEY_new(); 385 group = EC_GROUP_new_by_curve_name(groupnid); 386 EC_KEY_set_group(key, group); 387 EC_GROUP_free(group); 388 389 p = spi->subjectPublicKey.data; 390 len = spi->subjectPublicKey.length / 8; 391 392 if (o2i_ECPublicKey(&key, &p, len) == NULL) { 393 EC_KEY_free(key); 394 return HX509_CRYPTO_SIG_INVALID_FORMAT; 395 } 396 #else 397 key = SubjectPublicKeyInfo2EC_KEY(spi); 398 #endif 399 400 ret = ECDSA_verify(-1, digest.data, digest.length, 401 sig->data, sig->length, key); 402 der_free_octet_string(&digest); 403 EC_KEY_free(key); 404 if (ret != 1) { 405 ret = HX509_CRYPTO_SIG_INVALID_FORMAT; 406 return ret; 407 } 408 409 return 0; 410 } 411 412 static int 413 ecdsa_create_signature(hx509_context context, 414 const struct signature_alg *sig_alg, 415 const hx509_private_key signer, 416 const AlgorithmIdentifier *alg, 417 const heim_octet_string *data, 418 AlgorithmIdentifier *signatureAlgorithm, 419 heim_octet_string *sig) 420 { 421 const AlgorithmIdentifier *digest_alg; 422 heim_octet_string indata; 423 const heim_oid *sig_oid; 424 unsigned int siglen; 425 int ret; 426 427 if (signer->ops && der_heim_oid_cmp(signer->ops->key_oid, ASN1_OID_ID_ECPUBLICKEY) != 0) 428 _hx509_abort("internal error passing private key to wrong ops"); 429 430 sig_oid = sig_alg->sig_oid; 431 digest_alg = sig_alg->digest_alg; 432 433 if (signatureAlgorithm) { 434 ret = set_digest_alg(signatureAlgorithm, sig_oid, "\x05\x00", 2); 435 if (ret) { 436 hx509_clear_error_string(context); 437 goto error; 438 } 439 } 440 441 ret = _hx509_create_signature(context, 442 NULL, 443 digest_alg, 444 data, 445 NULL, 446 &indata); 447 if (ret) { 448 if (signatureAlgorithm) 449 free_AlgorithmIdentifier(signatureAlgorithm); 450 goto error; 451 } 452 453 sig->length = ECDSA_size(signer->private_key.ecdsa); 454 sig->data = malloc(sig->length); 455 if (sig->data == NULL) { 456 der_free_octet_string(&indata); 457 ret = ENOMEM; 458 hx509_set_error_string(context, 0, ret, "out of memory"); 459 goto error; 460 } 461 462 siglen = sig->length; 463 464 ret = ECDSA_sign(-1, indata.data, indata.length, 465 sig->data, &siglen, signer->private_key.ecdsa); 466 der_free_octet_string(&indata); 467 if (ret != 1) { 468 ret = HX509_CMS_FAILED_CREATE_SIGATURE; 469 hx509_set_error_string(context, 0, ret, 470 "ECDSA sign failed: %d", ret); 471 goto error; 472 } 473 if (siglen > sig->length) 474 _hx509_abort("ECDSA signature prelen longer the output len"); 475 476 sig->length = siglen; 477 478 return 0; 479 error: 480 if (signatureAlgorithm) 481 free_AlgorithmIdentifier(signatureAlgorithm); 482 return ret; 483 } 484 485 static int 486 ecdsa_available(const hx509_private_key signer, 487 const AlgorithmIdentifier *sig_alg) 488 { 489 const struct signature_alg *sig; 490 const EC_GROUP *group; 491 BN_CTX *bnctx = NULL; 492 BIGNUM *order = NULL; 493 int ret = 0; 494 495 if (der_heim_oid_cmp(signer->ops->key_oid, &asn1_oid_id_ecPublicKey) != 0) 496 _hx509_abort("internal error passing private key to wrong ops"); 497 498 sig = find_sig_alg(&sig_alg->algorithm); 499 500 if (sig == NULL || sig->digest_size == 0) 501 return 0; 502 503 group = EC_KEY_get0_group(signer->private_key.ecdsa); 504 if (group == NULL) 505 return 0; 506 507 bnctx = BN_CTX_new(); 508 order = BN_new(); 509 if (order == NULL) 510 goto err; 511 512 if (EC_GROUP_get_order(group, order, bnctx) != 1) 513 goto err; 514 515 if (BN_num_bytes(order) > sig->digest_size) 516 ret = 1; 517 err: 518 if (bnctx) 519 BN_CTX_free(bnctx); 520 if (order) 521 BN_clear_free(order); 522 523 return ret; 524 } 525 526 527 #endif /* HAVE_OPENSSL */ 528 529 /* 530 * 531 */ 532 533 static int 534 rsa_verify_signature(hx509_context context, 535 const struct signature_alg *sig_alg, 536 const Certificate *signer, 537 const AlgorithmIdentifier *alg, 538 const heim_octet_string *data, 539 const heim_octet_string *sig) 540 { 541 const SubjectPublicKeyInfo *spi; 542 DigestInfo di; 543 unsigned char *to; 544 int tosize, retsize; 545 int ret; 546 RSA *rsa; 547 size_t size; 548 const unsigned char *p; 549 550 memset(&di, 0, sizeof(di)); 551 552 spi = &signer->tbsCertificate.subjectPublicKeyInfo; 553 554 p = spi->subjectPublicKey.data; 555 size = spi->subjectPublicKey.length / 8; 556 557 rsa = d2i_RSAPublicKey(NULL, &p, size); 558 if (rsa == NULL) { 559 ret = ENOMEM; 560 hx509_set_error_string(context, 0, ret, "out of memory"); 561 goto out; 562 } 563 564 tosize = RSA_size(rsa); 565 to = malloc(tosize); 566 if (to == NULL) { 567 ret = ENOMEM; 568 hx509_set_error_string(context, 0, ret, "out of memory"); 569 goto out; 570 } 571 572 retsize = RSA_public_decrypt(sig->length, (unsigned char *)sig->data, 573 to, rsa, RSA_PKCS1_PADDING); 574 if (retsize <= 0) { 575 ret = HX509_CRYPTO_SIG_INVALID_FORMAT; 576 hx509_set_error_string(context, 0, ret, 577 "RSA public decrypt failed: %d", retsize); 578 free(to); 579 goto out; 580 } 581 if (retsize > tosize) 582 _hx509_abort("internal rsa decryption failure: ret > tosize"); 583 584 if (sig_alg->flags & RA_RSA_USES_DIGEST_INFO) { 585 586 ret = decode_DigestInfo(to, retsize, &di, &size); 587 free(to); 588 if (ret) { 589 goto out; 590 } 591 592 /* Check for extra data inside the sigature */ 593 if (size != (size_t)retsize) { 594 ret = HX509_CRYPTO_SIG_INVALID_FORMAT; 595 hx509_set_error_string(context, 0, ret, "size from decryption mismatch"); 596 goto out; 597 } 598 599 if (sig_alg->digest_alg && 600 der_heim_oid_cmp(&di.digestAlgorithm.algorithm, 601 &sig_alg->digest_alg->algorithm) != 0) 602 { 603 ret = HX509_CRYPTO_OID_MISMATCH; 604 hx509_set_error_string(context, 0, ret, "object identifier in RSA sig mismatch"); 605 goto out; 606 } 607 608 /* verify that the parameters are NULL or the NULL-type */ 609 if (di.digestAlgorithm.parameters != NULL && 610 (di.digestAlgorithm.parameters->length != 2 || 611 memcmp(di.digestAlgorithm.parameters->data, "\x05\x00", 2) != 0)) 612 { 613 ret = HX509_CRYPTO_SIG_INVALID_FORMAT; 614 hx509_set_error_string(context, 0, ret, "Extra parameters inside RSA signature"); 615 goto out; 616 } 617 618 ret = _hx509_verify_signature(context, 619 NULL, 620 &di.digestAlgorithm, 621 data, 622 &di.digest); 623 } else { 624 if ((size_t)retsize != data->length || 625 ct_memcmp(to, data->data, retsize) != 0) 626 { 627 ret = HX509_CRYPTO_SIG_INVALID_FORMAT; 628 hx509_set_error_string(context, 0, ret, "RSA Signature incorrect"); 629 goto out; 630 } 631 free(to); 632 } 633 ret = 0; 634 635 out: 636 free_DigestInfo(&di); 637 if (rsa) 638 RSA_free(rsa); 639 return ret; 640 } 641 642 static int 643 rsa_create_signature(hx509_context context, 644 const struct signature_alg *sig_alg, 645 const hx509_private_key signer, 646 const AlgorithmIdentifier *alg, 647 const heim_octet_string *data, 648 AlgorithmIdentifier *signatureAlgorithm, 649 heim_octet_string *sig) 650 { 651 const AlgorithmIdentifier *digest_alg; 652 heim_octet_string indata; 653 const heim_oid *sig_oid; 654 size_t size; 655 int ret; 656 657 if (signer->ops && der_heim_oid_cmp(signer->ops->key_oid, ASN1_OID_ID_PKCS1_RSAENCRYPTION) != 0) 658 return HX509_ALG_NOT_SUPP; 659 660 if (alg) 661 sig_oid = &alg->algorithm; 662 else 663 sig_oid = signer->signature_alg; 664 665 if (der_heim_oid_cmp(sig_oid, ASN1_OID_ID_PKCS1_SHA512WITHRSAENCRYPTION) == 0) { 666 digest_alg = hx509_signature_sha512(); 667 } else if (der_heim_oid_cmp(sig_oid, ASN1_OID_ID_PKCS1_SHA384WITHRSAENCRYPTION) == 0) { 668 digest_alg = hx509_signature_sha384(); 669 } else if (der_heim_oid_cmp(sig_oid, ASN1_OID_ID_PKCS1_SHA256WITHRSAENCRYPTION) == 0) { 670 digest_alg = hx509_signature_sha256(); 671 } else if (der_heim_oid_cmp(sig_oid, ASN1_OID_ID_PKCS1_SHA1WITHRSAENCRYPTION) == 0) { 672 digest_alg = hx509_signature_sha1(); 673 } else if (der_heim_oid_cmp(sig_oid, ASN1_OID_ID_PKCS1_MD5WITHRSAENCRYPTION) == 0) { 674 digest_alg = hx509_signature_md5(); 675 } else if (der_heim_oid_cmp(sig_oid, ASN1_OID_ID_PKCS1_MD5WITHRSAENCRYPTION) == 0) { 676 digest_alg = hx509_signature_md5(); 677 } else if (der_heim_oid_cmp(sig_oid, ASN1_OID_ID_DSA_WITH_SHA1) == 0) { 678 digest_alg = hx509_signature_sha1(); 679 } else if (der_heim_oid_cmp(sig_oid, ASN1_OID_ID_PKCS1_RSAENCRYPTION) == 0) { 680 digest_alg = hx509_signature_sha1(); 681 } else if (der_heim_oid_cmp(sig_oid, ASN1_OID_ID_HEIM_RSA_PKCS1_X509) == 0) { 682 digest_alg = NULL; 683 } else 684 return HX509_ALG_NOT_SUPP; 685 686 if (signatureAlgorithm) { 687 ret = set_digest_alg(signatureAlgorithm, sig_oid, "\x05\x00", 2); 688 if (ret) { 689 hx509_clear_error_string(context); 690 return ret; 691 } 692 } 693 694 if (digest_alg) { 695 DigestInfo di; 696 memset(&di, 0, sizeof(di)); 697 698 ret = _hx509_create_signature(context, 699 NULL, 700 digest_alg, 701 data, 702 &di.digestAlgorithm, 703 &di.digest); 704 if (ret) 705 return ret; 706 ASN1_MALLOC_ENCODE(DigestInfo, 707 indata.data, 708 indata.length, 709 &di, 710 &size, 711 ret); 712 free_DigestInfo(&di); 713 if (ret) { 714 hx509_set_error_string(context, 0, ret, "out of memory"); 715 return ret; 716 } 717 if (indata.length != size) 718 _hx509_abort("internal ASN.1 encoder error"); 719 } else { 720 indata = *data; 721 } 722 723 sig->length = RSA_size(signer->private_key.rsa); 724 sig->data = malloc(sig->length); 725 if (sig->data == NULL) { 726 der_free_octet_string(&indata); 727 hx509_set_error_string(context, 0, ENOMEM, "out of memory"); 728 return ENOMEM; 729 } 730 731 ret = RSA_private_encrypt(indata.length, indata.data, 732 sig->data, 733 signer->private_key.rsa, 734 RSA_PKCS1_PADDING); 735 if (indata.data != data->data) 736 der_free_octet_string(&indata); 737 if (ret <= 0) { 738 ret = HX509_CMS_FAILED_CREATE_SIGATURE; 739 hx509_set_error_string(context, 0, ret, 740 "RSA private encrypt failed: %d", ret); 741 return ret; 742 } 743 if ((size_t)ret > sig->length) 744 _hx509_abort("RSA signature prelen longer the output len"); 745 746 sig->length = ret; 747 748 return 0; 749 } 750 751 static int 752 rsa_private_key_import(hx509_context context, 753 const AlgorithmIdentifier *keyai, 754 const void *data, 755 size_t len, 756 hx509_key_format_t format, 757 hx509_private_key private_key) 758 { 759 switch (format) { 760 case HX509_KEY_FORMAT_DER: { 761 const unsigned char *p = data; 762 763 private_key->private_key.rsa = 764 d2i_RSAPrivateKey(NULL, &p, len); 765 if (private_key->private_key.rsa == NULL) { 766 hx509_set_error_string(context, 0, HX509_PARSING_KEY_FAILED, 767 "Failed to parse RSA key"); 768 return HX509_PARSING_KEY_FAILED; 769 } 770 private_key->signature_alg = ASN1_OID_ID_PKCS1_SHA1WITHRSAENCRYPTION; 771 break; 772 773 } 774 default: 775 return HX509_CRYPTO_KEY_FORMAT_UNSUPPORTED; 776 } 777 778 return 0; 779 } 780 781 static int 782 rsa_private_key2SPKI(hx509_context context, 783 hx509_private_key private_key, 784 SubjectPublicKeyInfo *spki) 785 { 786 int len, ret; 787 788 memset(spki, 0, sizeof(*spki)); 789 790 len = i2d_RSAPublicKey(private_key->private_key.rsa, NULL); 791 792 spki->subjectPublicKey.data = malloc(len); 793 if (spki->subjectPublicKey.data == NULL) { 794 hx509_set_error_string(context, 0, ENOMEM, "malloc - out of memory"); 795 return ENOMEM; 796 } 797 spki->subjectPublicKey.length = len * 8; 798 799 ret = set_digest_alg(&spki->algorithm, ASN1_OID_ID_PKCS1_RSAENCRYPTION, 800 "\x05\x00", 2); 801 if (ret) { 802 hx509_set_error_string(context, 0, ret, "malloc - out of memory"); 803 free(spki->subjectPublicKey.data); 804 spki->subjectPublicKey.data = NULL; 805 spki->subjectPublicKey.length = 0; 806 return ret; 807 } 808 809 { 810 unsigned char *pp = spki->subjectPublicKey.data; 811 i2d_RSAPublicKey(private_key->private_key.rsa, &pp); 812 } 813 814 return 0; 815 } 816 817 static int 818 rsa_generate_private_key(hx509_context context, 819 struct hx509_generate_private_context *ctx, 820 hx509_private_key private_key) 821 { 822 BIGNUM *e; 823 int ret; 824 unsigned long bits; 825 826 static const int default_rsa_e = 65537; 827 static const int default_rsa_bits = 2048; 828 829 private_key->private_key.rsa = RSA_new(); 830 if (private_key->private_key.rsa == NULL) { 831 hx509_set_error_string(context, 0, HX509_PARSING_KEY_FAILED, 832 "Failed to generate RSA key"); 833 return HX509_PARSING_KEY_FAILED; 834 } 835 836 e = BN_new(); 837 BN_set_word(e, default_rsa_e); 838 839 bits = default_rsa_bits; 840 841 if (ctx->num_bits) 842 bits = ctx->num_bits; 843 844 ret = RSA_generate_key_ex(private_key->private_key.rsa, bits, e, NULL); 845 BN_free(e); 846 if (ret != 1) { 847 hx509_set_error_string(context, 0, HX509_PARSING_KEY_FAILED, 848 "Failed to generate RSA key"); 849 return HX509_PARSING_KEY_FAILED; 850 } 851 private_key->signature_alg = ASN1_OID_ID_PKCS1_SHA1WITHRSAENCRYPTION; 852 853 return 0; 854 } 855 856 static int 857 rsa_private_key_export(hx509_context context, 858 const hx509_private_key key, 859 hx509_key_format_t format, 860 heim_octet_string *data) 861 { 862 int ret; 863 864 data->data = NULL; 865 data->length = 0; 866 867 switch (format) { 868 case HX509_KEY_FORMAT_DER: 869 870 ret = i2d_RSAPrivateKey(key->private_key.rsa, NULL); 871 if (ret <= 0) { 872 ret = EINVAL; 873 hx509_set_error_string(context, 0, ret, 874 "Private key is not exportable"); 875 return ret; 876 } 877 878 data->data = malloc(ret); 879 if (data->data == NULL) { 880 ret = ENOMEM; 881 hx509_set_error_string(context, 0, ret, "malloc out of memory"); 882 return ret; 883 } 884 data->length = ret; 885 886 { 887 unsigned char *p = data->data; 888 i2d_RSAPrivateKey(key->private_key.rsa, &p); 889 } 890 break; 891 default: 892 return HX509_CRYPTO_KEY_FORMAT_UNSUPPORTED; 893 } 894 895 return 0; 896 } 897 898 static BIGNUM * 899 rsa_get_internal(hx509_context context, 900 hx509_private_key key, 901 const char *type) 902 { 903 const BIGNUM *n; 904 905 if (strcasecmp(type, "rsa-modulus") == 0) { 906 RSA_get0_key(key->private_key.rsa, &n, NULL, NULL); 907 } else if (strcasecmp(type, "rsa-exponent") == 0) { 908 RSA_get0_key(key->private_key.rsa, NULL, &n, NULL); 909 } else 910 return NULL; 911 return BN_dup(n); 912 } 913 914 915 916 static hx509_private_key_ops rsa_private_key_ops = { 917 "RSA PRIVATE KEY", 918 ASN1_OID_ID_PKCS1_RSAENCRYPTION, 919 NULL, 920 rsa_private_key2SPKI, 921 rsa_private_key_export, 922 rsa_private_key_import, 923 rsa_generate_private_key, 924 rsa_get_internal 925 }; 926 927 #ifdef HAVE_OPENSSL 928 929 static int 930 ecdsa_private_key2SPKI(hx509_context context, 931 hx509_private_key private_key, 932 SubjectPublicKeyInfo *spki) 933 { 934 memset(spki, 0, sizeof(*spki)); 935 return ENOMEM; 936 } 937 938 static int 939 ecdsa_private_key_export(hx509_context context, 940 const hx509_private_key key, 941 hx509_key_format_t format, 942 heim_octet_string *data) 943 { 944 return HX509_CRYPTO_KEY_FORMAT_UNSUPPORTED; 945 } 946 947 static int 948 ecdsa_private_key_import(hx509_context context, 949 const AlgorithmIdentifier *keyai, 950 const void *data, 951 size_t len, 952 hx509_key_format_t format, 953 hx509_private_key private_key) 954 { 955 const unsigned char *p = data; 956 EC_KEY **pkey = NULL; 957 958 if (keyai->parameters) { 959 EC_GROUP *group; 960 int groupnid; 961 EC_KEY *key; 962 int ret; 963 964 ret = parse_ECParameters(context, keyai->parameters, &groupnid); 965 if (ret) 966 return ret; 967 968 key = EC_KEY_new(); 969 if (key == NULL) 970 return ENOMEM; 971 972 group = EC_GROUP_new_by_curve_name(groupnid); 973 if (group == NULL) { 974 EC_KEY_free(key); 975 return ENOMEM; 976 } 977 EC_GROUP_set_asn1_flag(group, OPENSSL_EC_NAMED_CURVE); 978 if (EC_KEY_set_group(key, group) == 0) { 979 EC_KEY_free(key); 980 EC_GROUP_free(group); 981 return ENOMEM; 982 } 983 EC_GROUP_free(group); 984 pkey = &key; 985 } 986 987 switch (format) { 988 case HX509_KEY_FORMAT_DER: 989 990 private_key->private_key.ecdsa = d2i_ECPrivateKey(pkey, &p, len); 991 if (private_key->private_key.ecdsa == NULL) { 992 hx509_set_error_string(context, 0, HX509_PARSING_KEY_FAILED, 993 "Failed to parse EC private key"); 994 return HX509_PARSING_KEY_FAILED; 995 } 996 private_key->signature_alg = ASN1_OID_ID_ECDSA_WITH_SHA256; 997 break; 998 999 default: 1000 return HX509_CRYPTO_KEY_FORMAT_UNSUPPORTED; 1001 } 1002 1003 return 0; 1004 } 1005 1006 static int 1007 ecdsa_generate_private_key(hx509_context context, 1008 struct hx509_generate_private_context *ctx, 1009 hx509_private_key private_key) 1010 { 1011 return ENOMEM; 1012 } 1013 1014 static BIGNUM * 1015 ecdsa_get_internal(hx509_context context, 1016 hx509_private_key key, 1017 const char *type) 1018 { 1019 return NULL; 1020 } 1021 1022 1023 static hx509_private_key_ops ecdsa_private_key_ops = { 1024 "EC PRIVATE KEY", 1025 ASN1_OID_ID_ECPUBLICKEY, 1026 ecdsa_available, 1027 ecdsa_private_key2SPKI, 1028 ecdsa_private_key_export, 1029 ecdsa_private_key_import, 1030 ecdsa_generate_private_key, 1031 ecdsa_get_internal 1032 }; 1033 1034 #endif /* HAVE_OPENSSL */ 1035 1036 /* 1037 * 1038 */ 1039 1040 static int 1041 dsa_verify_signature(hx509_context context, 1042 const struct signature_alg *sig_alg, 1043 const Certificate *signer, 1044 const AlgorithmIdentifier *alg, 1045 const heim_octet_string *data, 1046 const heim_octet_string *sig) 1047 { 1048 const SubjectPublicKeyInfo *spi; 1049 DSAPublicKey pk; 1050 DSAParams param; 1051 size_t size; 1052 BIGNUM *key, *p, *q, *g; 1053 DSA *dsa; 1054 int ret; 1055 1056 spi = &signer->tbsCertificate.subjectPublicKeyInfo; 1057 1058 dsa = DSA_new(); 1059 if (dsa == NULL) { 1060 hx509_set_error_string(context, 0, ENOMEM, "out of memory"); 1061 return ENOMEM; 1062 } 1063 1064 ret = decode_DSAPublicKey(spi->subjectPublicKey.data, 1065 spi->subjectPublicKey.length / 8, 1066 &pk, &size); 1067 if (ret) 1068 goto out; 1069 1070 key = heim_int2BN(&pk); 1071 1072 free_DSAPublicKey(&pk); 1073 1074 if (key == NULL) { 1075 ret = ENOMEM; 1076 hx509_set_error_string(context, 0, ret, "out of memory"); 1077 goto out; 1078 } 1079 1080 ret = DSA_set0_key(dsa, key, NULL); 1081 1082 if (ret != 1) { 1083 BN_free(key); 1084 ret = EINVAL; 1085 hx509_set_error_string(context, 0, ret, "failed to set DSA key"); 1086 goto out; 1087 } 1088 1089 if (spi->algorithm.parameters == NULL) { 1090 ret = HX509_CRYPTO_SIG_INVALID_FORMAT; 1091 hx509_set_error_string(context, 0, ret, "DSA parameters missing"); 1092 goto out; 1093 } 1094 1095 ret = decode_DSAParams(spi->algorithm.parameters->data, 1096 spi->algorithm.parameters->length, 1097 ¶m, 1098 &size); 1099 if (ret) { 1100 hx509_set_error_string(context, 0, ret, "DSA parameters failed to decode"); 1101 goto out; 1102 } 1103 1104 p = heim_int2BN(¶m.p); 1105 q = heim_int2BN(¶m.q); 1106 g = heim_int2BN(¶m.g); 1107 1108 free_DSAParams(¶m); 1109 1110 if (p == NULL || q == NULL || g == NULL) { 1111 BN_free(p); 1112 BN_free(q); 1113 BN_free(g); 1114 ret = ENOMEM; 1115 hx509_set_error_string(context, 0, ret, "out of memory"); 1116 goto out; 1117 } 1118 1119 ret = DSA_set0_pqg(dsa, p, q, g); 1120 1121 if (ret != 1) { 1122 BN_free(p); 1123 BN_free(q); 1124 BN_free(g); 1125 ret = EINVAL; 1126 hx509_set_error_string(context, 0, ret, "failed to set DSA parameters"); 1127 goto out; 1128 } 1129 1130 ret = DSA_verify(-1, data->data, data->length, 1131 (unsigned char*)sig->data, sig->length, 1132 dsa); 1133 if (ret == 1) 1134 ret = 0; 1135 else if (ret == 0 || ret == -1) { 1136 ret = HX509_CRYPTO_BAD_SIGNATURE; 1137 hx509_set_error_string(context, 0, ret, "BAD DSA sigature"); 1138 } else { 1139 ret = HX509_CRYPTO_SIG_INVALID_FORMAT; 1140 hx509_set_error_string(context, 0, ret, "Invalid format of DSA sigature"); 1141 } 1142 1143 out: 1144 DSA_free(dsa); 1145 1146 return ret; 1147 } 1148 1149 #if 0 1150 static int 1151 dsa_parse_private_key(hx509_context context, 1152 const void *data, 1153 size_t len, 1154 hx509_private_key private_key) 1155 { 1156 const unsigned char *p = data; 1157 1158 private_key->private_key.dsa = 1159 d2i_DSAPrivateKey(NULL, &p, len); 1160 if (private_key->private_key.dsa == NULL) 1161 return EINVAL; 1162 private_key->signature_alg = ASN1_OID_ID_DSA_WITH_SHA1; 1163 1164 return 0; 1165 /* else */ 1166 hx509_set_error_string(context, 0, HX509_PARSING_KEY_FAILED, 1167 "No support to parse DSA keys"); 1168 return HX509_PARSING_KEY_FAILED; 1169 } 1170 #endif 1171 1172 static int 1173 evp_md_create_signature(hx509_context context, 1174 const struct signature_alg *sig_alg, 1175 const hx509_private_key signer, 1176 const AlgorithmIdentifier *alg, 1177 const heim_octet_string *data, 1178 AlgorithmIdentifier *signatureAlgorithm, 1179 heim_octet_string *sig) 1180 { 1181 size_t sigsize = EVP_MD_size(sig_alg->evp_md()); 1182 EVP_MD_CTX *ctx; 1183 1184 memset(sig, 0, sizeof(*sig)); 1185 1186 if (signatureAlgorithm) { 1187 int ret; 1188 ret = set_digest_alg(signatureAlgorithm, sig_alg->sig_oid, 1189 "\x05\x00", 2); 1190 if (ret) 1191 return ret; 1192 } 1193 1194 1195 sig->data = malloc(sigsize); 1196 if (sig->data == NULL) { 1197 sig->length = 0; 1198 return ENOMEM; 1199 } 1200 sig->length = sigsize; 1201 1202 ctx = EVP_MD_CTX_create(); 1203 EVP_DigestInit_ex(ctx, sig_alg->evp_md(), NULL); 1204 EVP_DigestUpdate(ctx, data->data, data->length); 1205 EVP_DigestFinal_ex(ctx, sig->data, NULL); 1206 EVP_MD_CTX_destroy(ctx); 1207 1208 1209 return 0; 1210 } 1211 1212 static int 1213 evp_md_verify_signature(hx509_context context, 1214 const struct signature_alg *sig_alg, 1215 const Certificate *signer, 1216 const AlgorithmIdentifier *alg, 1217 const heim_octet_string *data, 1218 const heim_octet_string *sig) 1219 { 1220 unsigned char digest[EVP_MAX_MD_SIZE]; 1221 EVP_MD_CTX *ctx; 1222 size_t sigsize = EVP_MD_size(sig_alg->evp_md()); 1223 1224 if (sig->length != sigsize || sigsize > sizeof(digest)) { 1225 hx509_set_error_string(context, 0, HX509_CRYPTO_SIG_INVALID_FORMAT, 1226 "SHA256 sigature have wrong length"); 1227 return HX509_CRYPTO_SIG_INVALID_FORMAT; 1228 } 1229 1230 ctx = EVP_MD_CTX_create(); 1231 EVP_DigestInit_ex(ctx, sig_alg->evp_md(), NULL); 1232 EVP_DigestUpdate(ctx, data->data, data->length); 1233 EVP_DigestFinal_ex(ctx, digest, NULL); 1234 EVP_MD_CTX_destroy(ctx); 1235 1236 if (ct_memcmp(digest, sig->data, sigsize) != 0) { 1237 hx509_set_error_string(context, 0, HX509_CRYPTO_BAD_SIGNATURE, 1238 "Bad %s sigature", sig_alg->name); 1239 return HX509_CRYPTO_BAD_SIGNATURE; 1240 } 1241 1242 return 0; 1243 } 1244 1245 #ifdef HAVE_OPENSSL 1246 1247 static const struct signature_alg ecdsa_with_sha256_alg = { 1248 "ecdsa-with-sha256", 1249 ASN1_OID_ID_ECDSA_WITH_SHA256, 1250 &_hx509_signature_ecdsa_with_sha256_data, 1251 ASN1_OID_ID_ECPUBLICKEY, 1252 &_hx509_signature_sha256_data, 1253 PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG|SELF_SIGNED_OK, 1254 0, 1255 NULL, 1256 ecdsa_verify_signature, 1257 ecdsa_create_signature, 1258 32 1259 }; 1260 1261 static const struct signature_alg ecdsa_with_sha1_alg = { 1262 "ecdsa-with-sha1", 1263 ASN1_OID_ID_ECDSA_WITH_SHA1, 1264 &_hx509_signature_ecdsa_with_sha1_data, 1265 ASN1_OID_ID_ECPUBLICKEY, 1266 &_hx509_signature_sha1_data, 1267 PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG|SELF_SIGNED_OK, 1268 0, 1269 NULL, 1270 ecdsa_verify_signature, 1271 ecdsa_create_signature, 1272 20 1273 }; 1274 1275 #endif 1276 1277 static const struct signature_alg heim_rsa_pkcs1_x509 = { 1278 "rsa-pkcs1-x509", 1279 ASN1_OID_ID_HEIM_RSA_PKCS1_X509, 1280 &_hx509_signature_rsa_pkcs1_x509_data, 1281 ASN1_OID_ID_PKCS1_RSAENCRYPTION, 1282 NULL, 1283 PROVIDE_CONF|REQUIRE_SIGNER|SIG_PUBLIC_SIG, 1284 0, 1285 NULL, 1286 rsa_verify_signature, 1287 rsa_create_signature, 1288 0 1289 }; 1290 1291 static const struct signature_alg pkcs1_rsa_sha1_alg = { 1292 "rsa", 1293 ASN1_OID_ID_PKCS1_RSAENCRYPTION, 1294 &_hx509_signature_rsa_with_sha1_data, 1295 ASN1_OID_ID_PKCS1_RSAENCRYPTION, 1296 NULL, 1297 PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG|SELF_SIGNED_OK, 1298 0, 1299 NULL, 1300 rsa_verify_signature, 1301 rsa_create_signature, 1302 0 1303 }; 1304 1305 static const struct signature_alg rsa_with_sha512_alg = { 1306 "rsa-with-sha512", 1307 ASN1_OID_ID_PKCS1_SHA512WITHRSAENCRYPTION, 1308 &_hx509_signature_rsa_with_sha512_data, 1309 ASN1_OID_ID_PKCS1_RSAENCRYPTION, 1310 &_hx509_signature_sha512_data, 1311 PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG|SELF_SIGNED_OK, 1312 0, 1313 NULL, 1314 rsa_verify_signature, 1315 rsa_create_signature, 1316 0 1317 }; 1318 1319 static const struct signature_alg rsa_with_sha384_alg = { 1320 "rsa-with-sha384", 1321 ASN1_OID_ID_PKCS1_SHA384WITHRSAENCRYPTION, 1322 &_hx509_signature_rsa_with_sha384_data, 1323 ASN1_OID_ID_PKCS1_RSAENCRYPTION, 1324 &_hx509_signature_sha384_data, 1325 PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG|SELF_SIGNED_OK, 1326 0, 1327 NULL, 1328 rsa_verify_signature, 1329 rsa_create_signature, 1330 0 1331 }; 1332 1333 static const struct signature_alg rsa_with_sha256_alg = { 1334 "rsa-with-sha256", 1335 ASN1_OID_ID_PKCS1_SHA256WITHRSAENCRYPTION, 1336 &_hx509_signature_rsa_with_sha256_data, 1337 ASN1_OID_ID_PKCS1_RSAENCRYPTION, 1338 &_hx509_signature_sha256_data, 1339 PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG|SELF_SIGNED_OK, 1340 0, 1341 NULL, 1342 rsa_verify_signature, 1343 rsa_create_signature, 1344 0 1345 }; 1346 1347 static const struct signature_alg rsa_with_sha1_alg = { 1348 "rsa-with-sha1", 1349 ASN1_OID_ID_PKCS1_SHA1WITHRSAENCRYPTION, 1350 &_hx509_signature_rsa_with_sha1_data, 1351 ASN1_OID_ID_PKCS1_RSAENCRYPTION, 1352 &_hx509_signature_sha1_data, 1353 PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG|SELF_SIGNED_OK, 1354 0, 1355 NULL, 1356 rsa_verify_signature, 1357 rsa_create_signature, 1358 0 1359 }; 1360 1361 static const struct signature_alg rsa_with_sha1_alg_secsig = { 1362 "rsa-with-sha1", 1363 ASN1_OID_ID_SECSIG_SHA_1WITHRSAENCRYPTION, 1364 &_hx509_signature_rsa_with_sha1_data, 1365 ASN1_OID_ID_PKCS1_RSAENCRYPTION, 1366 &_hx509_signature_sha1_data, 1367 PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG|SELF_SIGNED_OK, 1368 0, 1369 NULL, 1370 rsa_verify_signature, 1371 rsa_create_signature, 1372 0 1373 }; 1374 1375 static const struct signature_alg rsa_with_md5_alg = { 1376 "rsa-with-md5", 1377 ASN1_OID_ID_PKCS1_MD5WITHRSAENCRYPTION, 1378 &_hx509_signature_rsa_with_md5_data, 1379 ASN1_OID_ID_PKCS1_RSAENCRYPTION, 1380 &_hx509_signature_md5_data, 1381 PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG, 1382 1230739889, 1383 NULL, 1384 rsa_verify_signature, 1385 rsa_create_signature, 1386 0 1387 }; 1388 1389 static const struct signature_alg dsa_sha1_alg = { 1390 "dsa-with-sha1", 1391 ASN1_OID_ID_DSA_WITH_SHA1, 1392 NULL, 1393 ASN1_OID_ID_DSA, 1394 &_hx509_signature_sha1_data, 1395 PROVIDE_CONF|REQUIRE_SIGNER|SIG_PUBLIC_SIG, 1396 0, 1397 NULL, 1398 dsa_verify_signature, 1399 /* create_signature */ NULL, 1400 0 1401 }; 1402 1403 static const struct signature_alg sha512_alg = { 1404 "sha-512", 1405 ASN1_OID_ID_SHA512, 1406 &_hx509_signature_sha512_data, 1407 NULL, 1408 NULL, 1409 SIG_DIGEST, 1410 0, 1411 EVP_sha512, 1412 evp_md_verify_signature, 1413 evp_md_create_signature, 1414 0 1415 }; 1416 1417 static const struct signature_alg sha384_alg = { 1418 "sha-384", 1419 ASN1_OID_ID_SHA512, 1420 &_hx509_signature_sha384_data, 1421 NULL, 1422 NULL, 1423 SIG_DIGEST, 1424 0, 1425 EVP_sha384, 1426 evp_md_verify_signature, 1427 evp_md_create_signature, 1428 0 1429 }; 1430 1431 static const struct signature_alg sha256_alg = { 1432 "sha-256", 1433 ASN1_OID_ID_SHA256, 1434 &_hx509_signature_sha256_data, 1435 NULL, 1436 NULL, 1437 SIG_DIGEST, 1438 0, 1439 EVP_sha256, 1440 evp_md_verify_signature, 1441 evp_md_create_signature, 1442 0 1443 }; 1444 1445 static const struct signature_alg sha1_alg = { 1446 "sha1", 1447 ASN1_OID_ID_SECSIG_SHA_1, 1448 &_hx509_signature_sha1_data, 1449 NULL, 1450 NULL, 1451 SIG_DIGEST, 1452 0, 1453 EVP_sha1, 1454 evp_md_verify_signature, 1455 evp_md_create_signature, 1456 0 1457 }; 1458 1459 static const struct signature_alg md5_alg = { 1460 "rsa-md5", 1461 ASN1_OID_ID_RSA_DIGEST_MD5, 1462 &_hx509_signature_md5_data, 1463 NULL, 1464 NULL, 1465 SIG_DIGEST, 1466 0, 1467 EVP_md5, 1468 evp_md_verify_signature, 1469 NULL, 1470 0 1471 }; 1472 1473 /* 1474 * Order matter in this structure, "best" first for each "key 1475 * compatible" type (type is ECDSA, RSA, DSA, none, etc) 1476 */ 1477 1478 static const struct signature_alg *sig_algs[] = { 1479 #ifdef HAVE_OPENSSL 1480 &ecdsa_with_sha256_alg, 1481 &ecdsa_with_sha1_alg, 1482 #endif 1483 &rsa_with_sha512_alg, 1484 &rsa_with_sha384_alg, 1485 &rsa_with_sha256_alg, 1486 &rsa_with_sha1_alg, 1487 &rsa_with_sha1_alg_secsig, 1488 &pkcs1_rsa_sha1_alg, 1489 &rsa_with_md5_alg, 1490 &heim_rsa_pkcs1_x509, 1491 &dsa_sha1_alg, 1492 &sha512_alg, 1493 &sha384_alg, 1494 &sha256_alg, 1495 &sha1_alg, 1496 &md5_alg, 1497 NULL 1498 }; 1499 1500 static const struct signature_alg * 1501 find_sig_alg(const heim_oid *oid) 1502 { 1503 unsigned int i; 1504 for (i = 0; sig_algs[i]; i++) 1505 if (der_heim_oid_cmp(sig_algs[i]->sig_oid, oid) == 0) 1506 return sig_algs[i]; 1507 return NULL; 1508 } 1509 1510 static const AlgorithmIdentifier * 1511 alg_for_privatekey(const hx509_private_key pk, int type) 1512 { 1513 const heim_oid *keytype; 1514 unsigned int i; 1515 1516 if (pk->ops == NULL) 1517 return NULL; 1518 1519 keytype = pk->ops->key_oid; 1520 1521 for (i = 0; sig_algs[i]; i++) { 1522 if (sig_algs[i]->key_oid == NULL) 1523 continue; 1524 if (der_heim_oid_cmp(sig_algs[i]->key_oid, keytype) != 0) 1525 continue; 1526 if (pk->ops->available && 1527 pk->ops->available(pk, sig_algs[i]->sig_alg) == 0) 1528 continue; 1529 if (type == HX509_SELECT_PUBLIC_SIG) 1530 return sig_algs[i]->sig_alg; 1531 if (type == HX509_SELECT_DIGEST) 1532 return sig_algs[i]->digest_alg; 1533 1534 return NULL; 1535 } 1536 return NULL; 1537 } 1538 1539 /* 1540 * 1541 */ 1542 1543 static struct hx509_private_key_ops *private_algs[] = { 1544 &rsa_private_key_ops, 1545 #ifdef HAVE_OPENSSL 1546 &ecdsa_private_key_ops, 1547 #endif 1548 NULL 1549 }; 1550 1551 hx509_private_key_ops * 1552 hx509_find_private_alg(const heim_oid *oid) 1553 { 1554 int i; 1555 for (i = 0; private_algs[i]; i++) { 1556 if (private_algs[i]->key_oid == NULL) 1557 continue; 1558 if (der_heim_oid_cmp(private_algs[i]->key_oid, oid) == 0) 1559 return private_algs[i]; 1560 } 1561 return NULL; 1562 } 1563 1564 /* 1565 * Check if the algorithm `alg' have a best before date, and if it 1566 * des, make sure the its before the time `t'. 1567 */ 1568 1569 int 1570 _hx509_signature_best_before(hx509_context context, 1571 const AlgorithmIdentifier *alg, 1572 time_t t) 1573 { 1574 const struct signature_alg *md; 1575 1576 md = find_sig_alg(&alg->algorithm); 1577 if (md == NULL) { 1578 hx509_clear_error_string(context); 1579 return HX509_SIG_ALG_NO_SUPPORTED; 1580 } 1581 if (md->best_before && md->best_before < t) { 1582 hx509_set_error_string(context, 0, HX509_CRYPTO_ALGORITHM_BEST_BEFORE, 1583 "Algorithm %s has passed it best before date", 1584 md->name); 1585 return HX509_CRYPTO_ALGORITHM_BEST_BEFORE; 1586 } 1587 return 0; 1588 } 1589 1590 int 1591 _hx509_self_signed_valid(hx509_context context, 1592 const AlgorithmIdentifier *alg) 1593 { 1594 const struct signature_alg *md; 1595 1596 md = find_sig_alg(&alg->algorithm); 1597 if (md == NULL) { 1598 hx509_clear_error_string(context); 1599 return HX509_SIG_ALG_NO_SUPPORTED; 1600 } 1601 if ((md->flags & SELF_SIGNED_OK) == 0) { 1602 hx509_set_error_string(context, 0, HX509_CRYPTO_ALGORITHM_BEST_BEFORE, 1603 "Algorithm %s not trusted for self signatures", 1604 md->name); 1605 return HX509_CRYPTO_ALGORITHM_BEST_BEFORE; 1606 } 1607 return 0; 1608 } 1609 1610 1611 int 1612 _hx509_verify_signature(hx509_context context, 1613 const hx509_cert cert, 1614 const AlgorithmIdentifier *alg, 1615 const heim_octet_string *data, 1616 const heim_octet_string *sig) 1617 { 1618 const struct signature_alg *md; 1619 const Certificate *signer = NULL; 1620 1621 if (cert) 1622 signer = _hx509_get_cert(cert); 1623 1624 md = find_sig_alg(&alg->algorithm); 1625 if (md == NULL) { 1626 hx509_clear_error_string(context); 1627 return HX509_SIG_ALG_NO_SUPPORTED; 1628 } 1629 if (signer && (md->flags & PROVIDE_CONF) == 0) { 1630 hx509_clear_error_string(context); 1631 return HX509_CRYPTO_SIG_NO_CONF; 1632 } 1633 if (signer == NULL && (md->flags & REQUIRE_SIGNER)) { 1634 hx509_clear_error_string(context); 1635 return HX509_CRYPTO_SIGNATURE_WITHOUT_SIGNER; 1636 } 1637 if (md->key_oid && signer) { 1638 const SubjectPublicKeyInfo *spi; 1639 spi = &signer->tbsCertificate.subjectPublicKeyInfo; 1640 1641 if (der_heim_oid_cmp(&spi->algorithm.algorithm, md->key_oid) != 0) { 1642 hx509_clear_error_string(context); 1643 return HX509_SIG_ALG_DONT_MATCH_KEY_ALG; 1644 } 1645 } 1646 return (*md->verify_signature)(context, md, signer, alg, data, sig); 1647 } 1648 1649 int 1650 _hx509_create_signature(hx509_context context, 1651 const hx509_private_key signer, 1652 const AlgorithmIdentifier *alg, 1653 const heim_octet_string *data, 1654 AlgorithmIdentifier *signatureAlgorithm, 1655 heim_octet_string *sig) 1656 { 1657 const struct signature_alg *md; 1658 1659 md = find_sig_alg(&alg->algorithm); 1660 if (md == NULL) { 1661 hx509_set_error_string(context, 0, HX509_SIG_ALG_NO_SUPPORTED, 1662 "algorithm no supported"); 1663 return HX509_SIG_ALG_NO_SUPPORTED; 1664 } 1665 1666 if (signer && (md->flags & PROVIDE_CONF) == 0) { 1667 hx509_set_error_string(context, 0, HX509_SIG_ALG_NO_SUPPORTED, 1668 "algorithm provides no conf"); 1669 return HX509_CRYPTO_SIG_NO_CONF; 1670 } 1671 1672 return (*md->create_signature)(context, md, signer, alg, data, 1673 signatureAlgorithm, sig); 1674 } 1675 1676 int 1677 _hx509_create_signature_bitstring(hx509_context context, 1678 const hx509_private_key signer, 1679 const AlgorithmIdentifier *alg, 1680 const heim_octet_string *data, 1681 AlgorithmIdentifier *signatureAlgorithm, 1682 heim_bit_string *sig) 1683 { 1684 heim_octet_string os; 1685 int ret; 1686 1687 ret = _hx509_create_signature(context, signer, alg, 1688 data, signatureAlgorithm, &os); 1689 if (ret) 1690 return ret; 1691 sig->data = os.data; 1692 sig->length = os.length * 8; 1693 return 0; 1694 } 1695 1696 int 1697 _hx509_public_encrypt(hx509_context context, 1698 const heim_octet_string *cleartext, 1699 const Certificate *cert, 1700 heim_oid *encryption_oid, 1701 heim_octet_string *ciphertext) 1702 { 1703 const SubjectPublicKeyInfo *spi; 1704 unsigned char *to; 1705 int tosize; 1706 int ret; 1707 RSA *rsa; 1708 size_t size; 1709 const unsigned char *p; 1710 1711 ciphertext->data = NULL; 1712 ciphertext->length = 0; 1713 1714 spi = &cert->tbsCertificate.subjectPublicKeyInfo; 1715 1716 p = spi->subjectPublicKey.data; 1717 size = spi->subjectPublicKey.length / 8; 1718 1719 rsa = d2i_RSAPublicKey(NULL, &p, size); 1720 if (rsa == NULL) { 1721 hx509_set_error_string(context, 0, ENOMEM, "out of memory"); 1722 return ENOMEM; 1723 } 1724 1725 tosize = RSA_size(rsa); 1726 to = malloc(tosize); 1727 if (to == NULL) { 1728 RSA_free(rsa); 1729 hx509_set_error_string(context, 0, ENOMEM, "out of memory"); 1730 return ENOMEM; 1731 } 1732 1733 ret = RSA_public_encrypt(cleartext->length, 1734 (unsigned char *)cleartext->data, 1735 to, rsa, RSA_PKCS1_PADDING); 1736 RSA_free(rsa); 1737 if (ret <= 0) { 1738 free(to); 1739 hx509_set_error_string(context, 0, HX509_CRYPTO_RSA_PUBLIC_ENCRYPT, 1740 "RSA public encrypt failed with %d", ret); 1741 return HX509_CRYPTO_RSA_PUBLIC_ENCRYPT; 1742 } 1743 if (ret > tosize) 1744 _hx509_abort("internal rsa decryption failure: ret > tosize"); 1745 1746 ciphertext->length = ret; 1747 ciphertext->data = to; 1748 1749 ret = der_copy_oid(ASN1_OID_ID_PKCS1_RSAENCRYPTION, encryption_oid); 1750 if (ret) { 1751 der_free_octet_string(ciphertext); 1752 hx509_set_error_string(context, 0, ENOMEM, "out of memory"); 1753 return ENOMEM; 1754 } 1755 1756 return 0; 1757 } 1758 1759 int 1760 hx509_private_key_private_decrypt(hx509_context context, 1761 const heim_octet_string *ciphertext, 1762 const heim_oid *encryption_oid, 1763 hx509_private_key p, 1764 heim_octet_string *cleartext) 1765 { 1766 int ret; 1767 1768 cleartext->data = NULL; 1769 cleartext->length = 0; 1770 1771 if (p->private_key.rsa == NULL) { 1772 hx509_set_error_string(context, 0, HX509_PRIVATE_KEY_MISSING, 1773 "Private RSA key missing"); 1774 return HX509_PRIVATE_KEY_MISSING; 1775 } 1776 1777 cleartext->length = RSA_size(p->private_key.rsa); 1778 cleartext->data = malloc(cleartext->length); 1779 if (cleartext->data == NULL) { 1780 hx509_set_error_string(context, 0, ENOMEM, "out of memory"); 1781 return ENOMEM; 1782 } 1783 ret = RSA_private_decrypt(ciphertext->length, ciphertext->data, 1784 cleartext->data, 1785 p->private_key.rsa, 1786 RSA_PKCS1_PADDING); 1787 if (ret <= 0) { 1788 der_free_octet_string(cleartext); 1789 hx509_set_error_string(context, 0, HX509_CRYPTO_RSA_PRIVATE_DECRYPT, 1790 "Failed to decrypt using private key: %d", ret); 1791 return HX509_CRYPTO_RSA_PRIVATE_DECRYPT; 1792 } 1793 if (cleartext->length < (size_t)ret) 1794 _hx509_abort("internal rsa decryption failure: ret > tosize"); 1795 1796 cleartext->length = ret; 1797 1798 return 0; 1799 } 1800 1801 1802 int 1803 hx509_parse_private_key(hx509_context context, 1804 const AlgorithmIdentifier *keyai, 1805 const void *data, 1806 size_t len, 1807 hx509_key_format_t format, 1808 hx509_private_key *private_key) 1809 { 1810 struct hx509_private_key_ops *ops; 1811 int ret; 1812 1813 *private_key = NULL; 1814 1815 ops = hx509_find_private_alg(&keyai->algorithm); 1816 if (ops == NULL) { 1817 hx509_clear_error_string(context); 1818 return HX509_SIG_ALG_NO_SUPPORTED; 1819 } 1820 1821 ret = hx509_private_key_init(private_key, ops, NULL); 1822 if (ret) { 1823 hx509_set_error_string(context, 0, ret, "out of memory"); 1824 return ret; 1825 } 1826 1827 ret = (*ops->import)(context, keyai, data, len, format, *private_key); 1828 if (ret) 1829 hx509_private_key_free(private_key); 1830 1831 return ret; 1832 } 1833 1834 /* 1835 * 1836 */ 1837 1838 int 1839 hx509_private_key2SPKI(hx509_context context, 1840 hx509_private_key private_key, 1841 SubjectPublicKeyInfo *spki) 1842 { 1843 const struct hx509_private_key_ops *ops = private_key->ops; 1844 if (ops == NULL || ops->get_spki == NULL) { 1845 hx509_set_error_string(context, 0, HX509_UNIMPLEMENTED_OPERATION, 1846 "Private key have no key2SPKI function"); 1847 return HX509_UNIMPLEMENTED_OPERATION; 1848 } 1849 return (*ops->get_spki)(context, private_key, spki); 1850 } 1851 1852 int 1853 _hx509_generate_private_key_init(hx509_context context, 1854 const heim_oid *oid, 1855 struct hx509_generate_private_context **ctx) 1856 { 1857 *ctx = NULL; 1858 1859 if (der_heim_oid_cmp(oid, ASN1_OID_ID_PKCS1_RSAENCRYPTION) != 0) { 1860 hx509_set_error_string(context, 0, EINVAL, 1861 "private key not an RSA key"); 1862 return EINVAL; 1863 } 1864 1865 *ctx = calloc(1, sizeof(**ctx)); 1866 if (*ctx == NULL) { 1867 hx509_set_error_string(context, 0, ENOMEM, "out of memory"); 1868 return ENOMEM; 1869 } 1870 (*ctx)->key_oid = oid; 1871 1872 return 0; 1873 } 1874 1875 int 1876 _hx509_generate_private_key_is_ca(hx509_context context, 1877 struct hx509_generate_private_context *ctx) 1878 { 1879 ctx->isCA = 1; 1880 return 0; 1881 } 1882 1883 int 1884 _hx509_generate_private_key_bits(hx509_context context, 1885 struct hx509_generate_private_context *ctx, 1886 unsigned long bits) 1887 { 1888 ctx->num_bits = bits; 1889 return 0; 1890 } 1891 1892 1893 void 1894 _hx509_generate_private_key_free(struct hx509_generate_private_context **ctx) 1895 { 1896 free(*ctx); 1897 *ctx = NULL; 1898 } 1899 1900 int 1901 _hx509_generate_private_key(hx509_context context, 1902 struct hx509_generate_private_context *ctx, 1903 hx509_private_key *private_key) 1904 { 1905 struct hx509_private_key_ops *ops; 1906 int ret; 1907 1908 *private_key = NULL; 1909 1910 ops = hx509_find_private_alg(ctx->key_oid); 1911 if (ops == NULL) { 1912 hx509_clear_error_string(context); 1913 return HX509_SIG_ALG_NO_SUPPORTED; 1914 } 1915 1916 ret = hx509_private_key_init(private_key, ops, NULL); 1917 if (ret) { 1918 hx509_set_error_string(context, 0, ret, "out of memory"); 1919 return ret; 1920 } 1921 1922 ret = (*ops->generate_private_key)(context, ctx, *private_key); 1923 if (ret) 1924 hx509_private_key_free(private_key); 1925 1926 return ret; 1927 } 1928 1929 /* 1930 * 1931 */ 1932 1933 const AlgorithmIdentifier * 1934 hx509_signature_sha512(void) 1935 { return &_hx509_signature_sha512_data; } 1936 1937 const AlgorithmIdentifier * 1938 hx509_signature_sha384(void) 1939 { return &_hx509_signature_sha384_data; } 1940 1941 const AlgorithmIdentifier * 1942 hx509_signature_sha256(void) 1943 { return &_hx509_signature_sha256_data; } 1944 1945 const AlgorithmIdentifier * 1946 hx509_signature_sha1(void) 1947 { return &_hx509_signature_sha1_data; } 1948 1949 const AlgorithmIdentifier * 1950 hx509_signature_md5(void) 1951 { return &_hx509_signature_md5_data; } 1952 1953 const AlgorithmIdentifier * 1954 hx509_signature_ecPublicKey(void) 1955 { return &_hx509_signature_ecPublicKey; } 1956 1957 const AlgorithmIdentifier * 1958 hx509_signature_ecdsa_with_sha256(void) 1959 { return &_hx509_signature_ecdsa_with_sha256_data; } 1960 1961 const AlgorithmIdentifier * 1962 hx509_signature_ecdsa_with_sha1(void) 1963 { return &_hx509_signature_ecdsa_with_sha1_data; } 1964 1965 const AlgorithmIdentifier * 1966 hx509_signature_rsa_with_sha512(void) 1967 { return &_hx509_signature_rsa_with_sha512_data; } 1968 1969 const AlgorithmIdentifier * 1970 hx509_signature_rsa_with_sha384(void) 1971 { return &_hx509_signature_rsa_with_sha384_data; } 1972 1973 const AlgorithmIdentifier * 1974 hx509_signature_rsa_with_sha256(void) 1975 { return &_hx509_signature_rsa_with_sha256_data; } 1976 1977 const AlgorithmIdentifier * 1978 hx509_signature_rsa_with_sha1(void) 1979 { return &_hx509_signature_rsa_with_sha1_data; } 1980 1981 const AlgorithmIdentifier * 1982 hx509_signature_rsa_with_md5(void) 1983 { return &_hx509_signature_rsa_with_md5_data; } 1984 1985 const AlgorithmIdentifier * 1986 hx509_signature_rsa(void) 1987 { return &_hx509_signature_rsa_data; } 1988 1989 const AlgorithmIdentifier * 1990 hx509_signature_rsa_pkcs1_x509(void) 1991 { return &_hx509_signature_rsa_pkcs1_x509_data; } 1992 1993 const AlgorithmIdentifier * 1994 hx509_crypto_des_rsdi_ede3_cbc(void) 1995 { return &_hx509_des_rsdi_ede3_cbc_oid; } 1996 1997 const AlgorithmIdentifier * 1998 hx509_crypto_aes128_cbc(void) 1999 { return &_hx509_crypto_aes128_cbc_data; } 2000 2001 const AlgorithmIdentifier * 2002 hx509_crypto_aes256_cbc(void) 2003 { return &_hx509_crypto_aes256_cbc_data; } 2004 2005 /* 2006 * 2007 */ 2008 2009 const AlgorithmIdentifier * _hx509_crypto_default_sig_alg = 2010 &_hx509_signature_rsa_with_sha256_data; 2011 const AlgorithmIdentifier * _hx509_crypto_default_digest_alg = 2012 &_hx509_signature_sha256_data; 2013 const AlgorithmIdentifier * _hx509_crypto_default_secret_alg = 2014 &_hx509_crypto_aes128_cbc_data; 2015 2016 /* 2017 * 2018 */ 2019 2020 int 2021 hx509_private_key_init(hx509_private_key *key, 2022 hx509_private_key_ops *ops, 2023 void *keydata) 2024 { 2025 *key = calloc(1, sizeof(**key)); 2026 if (*key == NULL) 2027 return ENOMEM; 2028 (*key)->ref = 1; 2029 (*key)->ops = ops; 2030 (*key)->private_key.keydata = keydata; 2031 return 0; 2032 } 2033 2034 hx509_private_key 2035 _hx509_private_key_ref(hx509_private_key key) 2036 { 2037 if (key->ref == 0) 2038 _hx509_abort("key refcount <= 0 on ref"); 2039 key->ref++; 2040 if (key->ref == UINT_MAX) 2041 _hx509_abort("key refcount == UINT_MAX on ref"); 2042 return key; 2043 } 2044 2045 const char * 2046 _hx509_private_pem_name(hx509_private_key key) 2047 { 2048 return key->ops->pemtype; 2049 } 2050 2051 int 2052 hx509_private_key_free(hx509_private_key *key) 2053 { 2054 if (key == NULL || *key == NULL) 2055 return 0; 2056 2057 if ((*key)->ref == 0) 2058 _hx509_abort("key refcount == 0 on free"); 2059 if (--(*key)->ref > 0) 2060 return 0; 2061 2062 if ((*key)->ops && der_heim_oid_cmp((*key)->ops->key_oid, ASN1_OID_ID_PKCS1_RSAENCRYPTION) == 0) { 2063 if ((*key)->private_key.rsa) 2064 RSA_free((*key)->private_key.rsa); 2065 #ifdef HAVE_OPENSSL 2066 } else if ((*key)->ops && der_heim_oid_cmp((*key)->ops->key_oid, ASN1_OID_ID_ECPUBLICKEY) == 0) { 2067 if ((*key)->private_key.ecdsa) 2068 EC_KEY_free((*key)->private_key.ecdsa); 2069 #endif 2070 } 2071 (*key)->private_key.rsa = NULL; 2072 free(*key); 2073 *key = NULL; 2074 return 0; 2075 } 2076 2077 void 2078 hx509_private_key_assign_rsa(hx509_private_key key, void *ptr) 2079 { 2080 if (key->private_key.rsa) 2081 RSA_free(key->private_key.rsa); 2082 key->private_key.rsa = ptr; 2083 key->signature_alg = ASN1_OID_ID_PKCS1_SHA1WITHRSAENCRYPTION; 2084 key->md = &pkcs1_rsa_sha1_alg; 2085 } 2086 2087 int 2088 _hx509_private_key_oid(hx509_context context, 2089 const hx509_private_key key, 2090 heim_oid *data) 2091 { 2092 int ret; 2093 ret = der_copy_oid(key->ops->key_oid, data); 2094 if (ret) 2095 hx509_set_error_string(context, 0, ret, "malloc out of memory"); 2096 return ret; 2097 } 2098 2099 int 2100 _hx509_private_key_exportable(hx509_private_key key) 2101 { 2102 if (key->ops->export == NULL) 2103 return 0; 2104 return 1; 2105 } 2106 2107 BIGNUM * 2108 _hx509_private_key_get_internal(hx509_context context, 2109 hx509_private_key key, 2110 const char *type) 2111 { 2112 if (key->ops->get_internal == NULL) 2113 return NULL; 2114 return (*key->ops->get_internal)(context, key, type); 2115 } 2116 2117 int 2118 _hx509_private_key_export(hx509_context context, 2119 const hx509_private_key key, 2120 hx509_key_format_t format, 2121 heim_octet_string *data) 2122 { 2123 if (key->ops->export == NULL) { 2124 hx509_clear_error_string(context); 2125 return HX509_UNIMPLEMENTED_OPERATION; 2126 } 2127 return (*key->ops->export)(context, key, format, data); 2128 } 2129 2130 /* 2131 * 2132 */ 2133 2134 struct hx509cipher { 2135 const char *name; 2136 int flags; 2137 #define CIPHER_WEAK 1 2138 const heim_oid *oid; 2139 const AlgorithmIdentifier *(*ai_func)(void); 2140 const EVP_CIPHER *(*evp_func)(void); 2141 int (*get_params)(hx509_context, const hx509_crypto, 2142 const heim_octet_string *, heim_octet_string *); 2143 int (*set_params)(hx509_context, const heim_octet_string *, 2144 hx509_crypto, heim_octet_string *); 2145 }; 2146 2147 struct hx509_crypto_data { 2148 char *name; 2149 int flags; 2150 #define ALLOW_WEAK 1 2151 2152 #define PADDING_NONE 2 2153 #define PADDING_PKCS7 4 2154 #define PADDING_FLAGS (2|4) 2155 const struct hx509cipher *cipher; 2156 const EVP_CIPHER *c; 2157 heim_octet_string key; 2158 heim_oid oid; 2159 void *param; 2160 }; 2161 2162 /* 2163 * 2164 */ 2165 2166 static unsigned private_rc2_40_oid_data[] = { 127, 1 }; 2167 2168 static heim_oid asn1_oid_private_rc2_40 = 2169 { 2, private_rc2_40_oid_data }; 2170 2171 /* 2172 * 2173 */ 2174 2175 static int 2176 CMSCBCParam_get(hx509_context context, const hx509_crypto crypto, 2177 const heim_octet_string *ivec, heim_octet_string *param) 2178 { 2179 size_t size; 2180 int ret; 2181 2182 assert(crypto->param == NULL); 2183 if (ivec == NULL) 2184 return 0; 2185 2186 ASN1_MALLOC_ENCODE(CMSCBCParameter, param->data, param->length, 2187 ivec, &size, ret); 2188 if (ret == 0 && size != param->length) 2189 _hx509_abort("Internal asn1 encoder failure"); 2190 if (ret) 2191 hx509_clear_error_string(context); 2192 return ret; 2193 } 2194 2195 static int 2196 CMSCBCParam_set(hx509_context context, const heim_octet_string *param, 2197 hx509_crypto crypto, heim_octet_string *ivec) 2198 { 2199 int ret; 2200 if (ivec == NULL) 2201 return 0; 2202 2203 ret = decode_CMSCBCParameter(param->data, param->length, ivec, NULL); 2204 if (ret) 2205 hx509_clear_error_string(context); 2206 2207 return ret; 2208 } 2209 2210 struct _RC2_params { 2211 int maximum_effective_key; 2212 }; 2213 2214 static int 2215 CMSRC2CBCParam_get(hx509_context context, const hx509_crypto crypto, 2216 const heim_octet_string *ivec, heim_octet_string *param) 2217 { 2218 CMSRC2CBCParameter rc2params; 2219 const struct _RC2_params *p = crypto->param; 2220 int maximum_effective_key = 128; 2221 size_t size; 2222 int ret; 2223 2224 memset(&rc2params, 0, sizeof(rc2params)); 2225 2226 if (p) 2227 maximum_effective_key = p->maximum_effective_key; 2228 2229 switch(maximum_effective_key) { 2230 case 40: 2231 rc2params.rc2ParameterVersion = 160; 2232 break; 2233 case 64: 2234 rc2params.rc2ParameterVersion = 120; 2235 break; 2236 case 128: 2237 rc2params.rc2ParameterVersion = 58; 2238 break; 2239 } 2240 rc2params.iv = *ivec; 2241 2242 ASN1_MALLOC_ENCODE(CMSRC2CBCParameter, param->data, param->length, 2243 &rc2params, &size, ret); 2244 if (ret == 0 && size != param->length) 2245 _hx509_abort("Internal asn1 encoder failure"); 2246 2247 return ret; 2248 } 2249 2250 static int 2251 CMSRC2CBCParam_set(hx509_context context, const heim_octet_string *param, 2252 hx509_crypto crypto, heim_octet_string *ivec) 2253 { 2254 CMSRC2CBCParameter rc2param; 2255 struct _RC2_params *p; 2256 size_t size; 2257 int ret; 2258 2259 ret = decode_CMSRC2CBCParameter(param->data, param->length, 2260 &rc2param, &size); 2261 if (ret) { 2262 hx509_clear_error_string(context); 2263 return ret; 2264 } 2265 2266 p = calloc(1, sizeof(*p)); 2267 if (p == NULL) { 2268 free_CMSRC2CBCParameter(&rc2param); 2269 hx509_clear_error_string(context); 2270 return ENOMEM; 2271 } 2272 switch(rc2param.rc2ParameterVersion) { 2273 case 160: 2274 crypto->c = EVP_rc2_40_cbc(); 2275 p->maximum_effective_key = 40; 2276 break; 2277 case 120: 2278 crypto->c = EVP_rc2_64_cbc(); 2279 p->maximum_effective_key = 64; 2280 break; 2281 case 58: 2282 crypto->c = EVP_rc2_cbc(); 2283 p->maximum_effective_key = 128; 2284 break; 2285 default: 2286 free(p); 2287 free_CMSRC2CBCParameter(&rc2param); 2288 return HX509_CRYPTO_SIG_INVALID_FORMAT; 2289 } 2290 if (ivec) 2291 ret = der_copy_octet_string(&rc2param.iv, ivec); 2292 free_CMSRC2CBCParameter(&rc2param); 2293 if (ret) { 2294 free(p); 2295 hx509_clear_error_string(context); 2296 } else 2297 crypto->param = p; 2298 2299 return ret; 2300 } 2301 2302 /* 2303 * 2304 */ 2305 2306 static const struct hx509cipher ciphers[] = { 2307 { 2308 "rc2-cbc", 2309 CIPHER_WEAK, 2310 ASN1_OID_ID_PKCS3_RC2_CBC, 2311 NULL, 2312 EVP_rc2_cbc, 2313 CMSRC2CBCParam_get, 2314 CMSRC2CBCParam_set 2315 }, 2316 { 2317 "rc2-cbc", 2318 CIPHER_WEAK, 2319 ASN1_OID_ID_RSADSI_RC2_CBC, 2320 NULL, 2321 EVP_rc2_cbc, 2322 CMSRC2CBCParam_get, 2323 CMSRC2CBCParam_set 2324 }, 2325 { 2326 "rc2-40-cbc", 2327 CIPHER_WEAK, 2328 &asn1_oid_private_rc2_40, 2329 NULL, 2330 EVP_rc2_40_cbc, 2331 CMSRC2CBCParam_get, 2332 CMSRC2CBCParam_set 2333 }, 2334 { 2335 "des-ede3-cbc", 2336 0, 2337 ASN1_OID_ID_PKCS3_DES_EDE3_CBC, 2338 NULL, 2339 EVP_des_ede3_cbc, 2340 CMSCBCParam_get, 2341 CMSCBCParam_set 2342 }, 2343 { 2344 "des-ede3-cbc", 2345 0, 2346 ASN1_OID_ID_RSADSI_DES_EDE3_CBC, 2347 hx509_crypto_des_rsdi_ede3_cbc, 2348 EVP_des_ede3_cbc, 2349 CMSCBCParam_get, 2350 CMSCBCParam_set 2351 }, 2352 { 2353 "aes-128-cbc", 2354 0, 2355 ASN1_OID_ID_AES_128_CBC, 2356 hx509_crypto_aes128_cbc, 2357 EVP_aes_128_cbc, 2358 CMSCBCParam_get, 2359 CMSCBCParam_set 2360 }, 2361 { 2362 "aes-192-cbc", 2363 0, 2364 ASN1_OID_ID_AES_192_CBC, 2365 NULL, 2366 EVP_aes_192_cbc, 2367 CMSCBCParam_get, 2368 CMSCBCParam_set 2369 }, 2370 { 2371 "aes-256-cbc", 2372 0, 2373 ASN1_OID_ID_AES_256_CBC, 2374 hx509_crypto_aes256_cbc, 2375 EVP_aes_256_cbc, 2376 CMSCBCParam_get, 2377 CMSCBCParam_set 2378 } 2379 }; 2380 2381 static const struct hx509cipher * 2382 find_cipher_by_oid(const heim_oid *oid) 2383 { 2384 size_t i; 2385 2386 for (i = 0; i < sizeof(ciphers)/sizeof(ciphers[0]); i++) 2387 if (der_heim_oid_cmp(oid, ciphers[i].oid) == 0) 2388 return &ciphers[i]; 2389 2390 return NULL; 2391 } 2392 2393 static const struct hx509cipher * 2394 find_cipher_by_name(const char *name) 2395 { 2396 size_t i; 2397 2398 for (i = 0; i < sizeof(ciphers)/sizeof(ciphers[0]); i++) 2399 if (strcasecmp(name, ciphers[i].name) == 0) 2400 return &ciphers[i]; 2401 2402 return NULL; 2403 } 2404 2405 2406 const heim_oid * 2407 hx509_crypto_enctype_by_name(const char *name) 2408 { 2409 const struct hx509cipher *cipher; 2410 2411 cipher = find_cipher_by_name(name); 2412 if (cipher == NULL) 2413 return NULL; 2414 return cipher->oid; 2415 } 2416 2417 int 2418 hx509_crypto_init(hx509_context context, 2419 const char *provider, 2420 const heim_oid *enctype, 2421 hx509_crypto *crypto) 2422 { 2423 const struct hx509cipher *cipher; 2424 2425 *crypto = NULL; 2426 2427 cipher = find_cipher_by_oid(enctype); 2428 if (cipher == NULL) { 2429 hx509_set_error_string(context, 0, HX509_ALG_NOT_SUPP, 2430 "Algorithm not supported"); 2431 return HX509_ALG_NOT_SUPP; 2432 } 2433 2434 *crypto = calloc(1, sizeof(**crypto)); 2435 if (*crypto == NULL) { 2436 hx509_clear_error_string(context); 2437 return ENOMEM; 2438 } 2439 2440 (*crypto)->flags = PADDING_PKCS7; 2441 (*crypto)->cipher = cipher; 2442 (*crypto)->c = (*cipher->evp_func)(); 2443 2444 if (der_copy_oid(enctype, &(*crypto)->oid)) { 2445 hx509_crypto_destroy(*crypto); 2446 *crypto = NULL; 2447 hx509_clear_error_string(context); 2448 return ENOMEM; 2449 } 2450 2451 return 0; 2452 } 2453 2454 const char * 2455 hx509_crypto_provider(hx509_crypto crypto) 2456 { 2457 return "unknown"; 2458 } 2459 2460 void 2461 hx509_crypto_destroy(hx509_crypto crypto) 2462 { 2463 if (crypto->name) 2464 free(crypto->name); 2465 if (crypto->key.data) 2466 free(crypto->key.data); 2467 if (crypto->param) 2468 free(crypto->param); 2469 der_free_oid(&crypto->oid); 2470 memset(crypto, 0, sizeof(*crypto)); 2471 free(crypto); 2472 } 2473 2474 int 2475 hx509_crypto_set_key_name(hx509_crypto crypto, const char *name) 2476 { 2477 return 0; 2478 } 2479 2480 void 2481 hx509_crypto_allow_weak(hx509_crypto crypto) 2482 { 2483 crypto->flags |= ALLOW_WEAK; 2484 } 2485 2486 void 2487 hx509_crypto_set_padding(hx509_crypto crypto, int padding_type) 2488 { 2489 switch (padding_type) { 2490 case HX509_CRYPTO_PADDING_PKCS7: 2491 crypto->flags &= ~PADDING_FLAGS; 2492 crypto->flags |= PADDING_PKCS7; 2493 break; 2494 case HX509_CRYPTO_PADDING_NONE: 2495 crypto->flags &= ~PADDING_FLAGS; 2496 crypto->flags |= PADDING_NONE; 2497 break; 2498 default: 2499 _hx509_abort("Invalid padding"); 2500 } 2501 } 2502 2503 int 2504 hx509_crypto_set_key_data(hx509_crypto crypto, const void *data, size_t length) 2505 { 2506 if (EVP_CIPHER_key_length(crypto->c) > (int)length) 2507 return HX509_CRYPTO_INTERNAL_ERROR; 2508 2509 if (crypto->key.data) { 2510 free(crypto->key.data); 2511 crypto->key.data = NULL; 2512 crypto->key.length = 0; 2513 } 2514 crypto->key.data = malloc(length); 2515 if (crypto->key.data == NULL) 2516 return ENOMEM; 2517 memcpy(crypto->key.data, data, length); 2518 crypto->key.length = length; 2519 2520 return 0; 2521 } 2522 2523 int 2524 hx509_crypto_set_random_key(hx509_crypto crypto, heim_octet_string *key) 2525 { 2526 if (crypto->key.data) { 2527 free(crypto->key.data); 2528 crypto->key.length = 0; 2529 } 2530 2531 crypto->key.length = EVP_CIPHER_key_length(crypto->c); 2532 crypto->key.data = malloc(crypto->key.length); 2533 if (crypto->key.data == NULL) { 2534 crypto->key.length = 0; 2535 return ENOMEM; 2536 } 2537 if (RAND_bytes(crypto->key.data, crypto->key.length) <= 0) { 2538 free(crypto->key.data); 2539 crypto->key.data = NULL; 2540 crypto->key.length = 0; 2541 return HX509_CRYPTO_INTERNAL_ERROR; 2542 } 2543 if (key) 2544 return der_copy_octet_string(&crypto->key, key); 2545 else 2546 return 0; 2547 } 2548 2549 int 2550 hx509_crypto_set_params(hx509_context context, 2551 hx509_crypto crypto, 2552 const heim_octet_string *param, 2553 heim_octet_string *ivec) 2554 { 2555 return (*crypto->cipher->set_params)(context, param, crypto, ivec); 2556 } 2557 2558 int 2559 hx509_crypto_get_params(hx509_context context, 2560 hx509_crypto crypto, 2561 const heim_octet_string *ivec, 2562 heim_octet_string *param) 2563 { 2564 return (*crypto->cipher->get_params)(context, crypto, ivec, param); 2565 } 2566 2567 int 2568 hx509_crypto_random_iv(hx509_crypto crypto, heim_octet_string *ivec) 2569 { 2570 ivec->length = EVP_CIPHER_iv_length(crypto->c); 2571 ivec->data = malloc(ivec->length); 2572 if (ivec->data == NULL) { 2573 ivec->length = 0; 2574 return ENOMEM; 2575 } 2576 2577 if (RAND_bytes(ivec->data, ivec->length) <= 0) { 2578 free(ivec->data); 2579 ivec->data = NULL; 2580 ivec->length = 0; 2581 return HX509_CRYPTO_INTERNAL_ERROR; 2582 } 2583 return 0; 2584 } 2585 2586 int 2587 hx509_crypto_encrypt(hx509_crypto crypto, 2588 const void *data, 2589 const size_t length, 2590 const heim_octet_string *ivec, 2591 heim_octet_string **ciphertext) 2592 { 2593 EVP_CIPHER_CTX *evp; 2594 size_t padsize, bsize; 2595 int ret; 2596 2597 *ciphertext = NULL; 2598 2599 if ((crypto->cipher->flags & CIPHER_WEAK) && 2600 (crypto->flags & ALLOW_WEAK) == 0) 2601 return HX509_CRYPTO_ALGORITHM_BEST_BEFORE; 2602 2603 assert(EVP_CIPHER_iv_length(crypto->c) == (int)ivec->length); 2604 2605 evp = EVP_CIPHER_CTX_new(); 2606 if (evp == NULL) 2607 return ENOMEM; 2608 2609 ret = EVP_CipherInit_ex(evp, crypto->c, NULL, 2610 crypto->key.data, ivec->data, 1); 2611 if (ret != 1) { 2612 ret = HX509_CRYPTO_INTERNAL_ERROR; 2613 goto out; 2614 } 2615 2616 *ciphertext = calloc(1, sizeof(**ciphertext)); 2617 if (*ciphertext == NULL) { 2618 ret = ENOMEM; 2619 goto out; 2620 } 2621 2622 assert(crypto->flags & PADDING_FLAGS); 2623 2624 bsize = EVP_CIPHER_block_size(crypto->c); 2625 padsize = 0; 2626 2627 if (crypto->flags & PADDING_NONE) { 2628 if (bsize != 1 && (length % bsize) != 0) 2629 return HX509_CMS_PADDING_ERROR; 2630 } else if (crypto->flags & PADDING_PKCS7) { 2631 if (bsize != 1) 2632 padsize = bsize - (length % bsize); 2633 } 2634 2635 (*ciphertext)->length = length + padsize; 2636 (*ciphertext)->data = malloc(length + padsize); 2637 if ((*ciphertext)->data == NULL) { 2638 ret = ENOMEM; 2639 goto out; 2640 } 2641 2642 memcpy((*ciphertext)->data, data, length); 2643 if (padsize) { 2644 size_t i; 2645 unsigned char *p = (*ciphertext)->data; 2646 p += length; 2647 for (i = 0; i < padsize; i++) 2648 *p++ = padsize; 2649 } 2650 2651 ret = EVP_Cipher(evp, (*ciphertext)->data, 2652 (*ciphertext)->data, 2653 length + padsize); 2654 if (ret != 1) { 2655 ret = HX509_CRYPTO_INTERNAL_ERROR; 2656 goto out; 2657 } 2658 ret = 0; 2659 2660 out: 2661 if (ret) { 2662 if (*ciphertext) { 2663 if ((*ciphertext)->data) { 2664 free((*ciphertext)->data); 2665 } 2666 free(*ciphertext); 2667 *ciphertext = NULL; 2668 } 2669 } 2670 EVP_CIPHER_CTX_free(evp); 2671 2672 return ret; 2673 } 2674 2675 int 2676 hx509_crypto_decrypt(hx509_crypto crypto, 2677 const void *data, 2678 const size_t length, 2679 heim_octet_string *ivec, 2680 heim_octet_string *clear) 2681 { 2682 EVP_CIPHER_CTX *evp; 2683 void *idata = NULL; 2684 int ret; 2685 2686 clear->data = NULL; 2687 clear->length = 0; 2688 2689 if ((crypto->cipher->flags & CIPHER_WEAK) && 2690 (crypto->flags & ALLOW_WEAK) == 0) 2691 return HX509_CRYPTO_ALGORITHM_BEST_BEFORE; 2692 2693 if (ivec && EVP_CIPHER_iv_length(crypto->c) < (int)ivec->length) 2694 return HX509_CRYPTO_INTERNAL_ERROR; 2695 2696 if (crypto->key.data == NULL) 2697 return HX509_CRYPTO_INTERNAL_ERROR; 2698 2699 if (ivec) 2700 idata = ivec->data; 2701 2702 evp = EVP_CIPHER_CTX_new(); 2703 if (evp == NULL) 2704 return ENOMEM; 2705 2706 ret = EVP_CipherInit_ex(evp, crypto->c, NULL, 2707 crypto->key.data, idata, 0); 2708 if (ret != 1) { 2709 EVP_CIPHER_CTX_free(evp); 2710 return HX509_CRYPTO_INTERNAL_ERROR; 2711 } 2712 2713 clear->length = length; 2714 clear->data = malloc(length); 2715 if (clear->data == NULL) { 2716 EVP_CIPHER_CTX_free(evp); 2717 clear->length = 0; 2718 return ENOMEM; 2719 } 2720 2721 if (EVP_Cipher(evp, clear->data, data, length) != 1) { 2722 EVP_CIPHER_CTX_free(evp); 2723 return HX509_CRYPTO_INTERNAL_ERROR; 2724 } 2725 EVP_CIPHER_CTX_free(evp); 2726 2727 if ((crypto->flags & PADDING_PKCS7) && EVP_CIPHER_block_size(crypto->c) > 1) { 2728 int padsize; 2729 unsigned char *p; 2730 int j, bsize = EVP_CIPHER_block_size(crypto->c); 2731 2732 if ((int)clear->length < bsize) { 2733 ret = HX509_CMS_PADDING_ERROR; 2734 goto out; 2735 } 2736 2737 p = clear->data; 2738 p += clear->length - 1; 2739 padsize = *p; 2740 if (padsize > bsize) { 2741 ret = HX509_CMS_PADDING_ERROR; 2742 goto out; 2743 } 2744 clear->length -= padsize; 2745 for (j = 0; j < padsize; j++) { 2746 if (*p-- != padsize) { 2747 ret = HX509_CMS_PADDING_ERROR; 2748 goto out; 2749 } 2750 } 2751 } 2752 2753 return 0; 2754 2755 out: 2756 if (clear->data) 2757 free(clear->data); 2758 clear->data = NULL; 2759 clear->length = 0; 2760 return ret; 2761 } 2762 2763 typedef int (*PBE_string2key_func)(hx509_context, 2764 const char *, 2765 const heim_octet_string *, 2766 hx509_crypto *, heim_octet_string *, 2767 heim_octet_string *, 2768 const heim_oid *, const EVP_MD *); 2769 2770 static int 2771 PBE_string2key(hx509_context context, 2772 const char *password, 2773 const heim_octet_string *parameters, 2774 hx509_crypto *crypto, 2775 heim_octet_string *key, heim_octet_string *iv, 2776 const heim_oid *enc_oid, 2777 const EVP_MD *md) 2778 { 2779 PKCS12_PBEParams p12params; 2780 int passwordlen; 2781 hx509_crypto c; 2782 int iter, saltlen, ret; 2783 unsigned char *salt; 2784 2785 passwordlen = password ? strlen(password) : 0; 2786 2787 if (parameters == NULL) 2788 return HX509_ALG_NOT_SUPP; 2789 2790 ret = decode_PKCS12_PBEParams(parameters->data, 2791 parameters->length, 2792 &p12params, NULL); 2793 if (ret) 2794 goto out; 2795 2796 if (p12params.iterations) 2797 iter = *p12params.iterations; 2798 else 2799 iter = 1; 2800 salt = p12params.salt.data; 2801 saltlen = p12params.salt.length; 2802 2803 if (!PKCS12_key_gen (password, passwordlen, salt, saltlen, 2804 PKCS12_KEY_ID, iter, key->length, key->data, md)) { 2805 ret = HX509_CRYPTO_INTERNAL_ERROR; 2806 goto out; 2807 } 2808 2809 if (!PKCS12_key_gen (password, passwordlen, salt, saltlen, 2810 PKCS12_IV_ID, iter, iv->length, iv->data, md)) { 2811 ret = HX509_CRYPTO_INTERNAL_ERROR; 2812 goto out; 2813 } 2814 2815 ret = hx509_crypto_init(context, NULL, enc_oid, &c); 2816 if (ret) 2817 goto out; 2818 2819 hx509_crypto_allow_weak(c); 2820 2821 ret = hx509_crypto_set_key_data(c, key->data, key->length); 2822 if (ret) { 2823 hx509_crypto_destroy(c); 2824 goto out; 2825 } 2826 2827 *crypto = c; 2828 out: 2829 free_PKCS12_PBEParams(&p12params); 2830 return ret; 2831 } 2832 2833 static const heim_oid * 2834 find_string2key(const heim_oid *oid, 2835 const EVP_CIPHER **c, 2836 const EVP_MD **md, 2837 PBE_string2key_func *s2k) 2838 { 2839 if (der_heim_oid_cmp(oid, ASN1_OID_ID_PBEWITHSHAAND40BITRC2_CBC) == 0) { 2840 *c = EVP_rc2_40_cbc(); 2841 *md = EVP_sha1(); 2842 *s2k = PBE_string2key; 2843 return &asn1_oid_private_rc2_40; 2844 } else if (der_heim_oid_cmp(oid, ASN1_OID_ID_PBEWITHSHAAND128BITRC2_CBC) == 0) { 2845 *c = EVP_rc2_cbc(); 2846 *md = EVP_sha1(); 2847 *s2k = PBE_string2key; 2848 return ASN1_OID_ID_PKCS3_RC2_CBC; 2849 #if 0 2850 } else if (der_heim_oid_cmp(oid, ASN1_OID_ID_PBEWITHSHAAND40BITRC4) == 0) { 2851 *c = EVP_rc4_40(); 2852 *md = EVP_sha1(); 2853 *s2k = PBE_string2key; 2854 return NULL; 2855 } else if (der_heim_oid_cmp(oid, ASN1_OID_ID_PBEWITHSHAAND128BITRC4) == 0) { 2856 *c = EVP_rc4(); 2857 *md = EVP_sha1(); 2858 *s2k = PBE_string2key; 2859 return ASN1_OID_ID_PKCS3_RC4; 2860 #endif 2861 } else if (der_heim_oid_cmp(oid, ASN1_OID_ID_PBEWITHSHAAND3_KEYTRIPLEDES_CBC) == 0) { 2862 *c = EVP_des_ede3_cbc(); 2863 *md = EVP_sha1(); 2864 *s2k = PBE_string2key; 2865 return ASN1_OID_ID_PKCS3_DES_EDE3_CBC; 2866 } 2867 2868 return NULL; 2869 } 2870 2871 /* 2872 * 2873 */ 2874 2875 int 2876 _hx509_pbe_encrypt(hx509_context context, 2877 hx509_lock lock, 2878 const AlgorithmIdentifier *ai, 2879 const heim_octet_string *content, 2880 heim_octet_string *econtent) 2881 { 2882 hx509_clear_error_string(context); 2883 return EINVAL; 2884 } 2885 2886 /* 2887 * 2888 */ 2889 2890 int 2891 _hx509_pbe_decrypt(hx509_context context, 2892 hx509_lock lock, 2893 const AlgorithmIdentifier *ai, 2894 const heim_octet_string *econtent, 2895 heim_octet_string *content) 2896 { 2897 const struct _hx509_password *pw; 2898 heim_octet_string key, iv; 2899 const heim_oid *enc_oid; 2900 const EVP_CIPHER *c; 2901 const EVP_MD *md; 2902 PBE_string2key_func s2k; 2903 int ret = 0; 2904 size_t i; 2905 2906 memset(&key, 0, sizeof(key)); 2907 memset(&iv, 0, sizeof(iv)); 2908 2909 memset(content, 0, sizeof(*content)); 2910 2911 enc_oid = find_string2key(&ai->algorithm, &c, &md, &s2k); 2912 if (enc_oid == NULL) { 2913 hx509_set_error_string(context, 0, HX509_ALG_NOT_SUPP, 2914 "String to key algorithm not supported"); 2915 ret = HX509_ALG_NOT_SUPP; 2916 goto out; 2917 } 2918 2919 key.length = EVP_CIPHER_key_length(c); 2920 key.data = malloc(key.length); 2921 if (key.data == NULL) { 2922 ret = ENOMEM; 2923 hx509_clear_error_string(context); 2924 goto out; 2925 } 2926 2927 iv.length = EVP_CIPHER_iv_length(c); 2928 iv.data = malloc(iv.length); 2929 if (iv.data == NULL) { 2930 ret = ENOMEM; 2931 hx509_clear_error_string(context); 2932 goto out; 2933 } 2934 2935 pw = _hx509_lock_get_passwords(lock); 2936 2937 ret = HX509_CRYPTO_INTERNAL_ERROR; 2938 for (i = 0; i < pw->len + 1; i++) { 2939 hx509_crypto crypto; 2940 const char *password; 2941 2942 if (i < pw->len) 2943 password = pw->val[i]; 2944 else if (i < pw->len + 1) 2945 password = ""; 2946 else 2947 password = NULL; 2948 2949 ret = (*s2k)(context, password, ai->parameters, &crypto, 2950 &key, &iv, enc_oid, md); 2951 if (ret) 2952 goto out; 2953 2954 ret = hx509_crypto_decrypt(crypto, 2955 econtent->data, 2956 econtent->length, 2957 &iv, 2958 content); 2959 hx509_crypto_destroy(crypto); 2960 if (ret == 0) 2961 goto out; 2962 2963 } 2964 out: 2965 if (key.data) 2966 der_free_octet_string(&key); 2967 if (iv.data) 2968 der_free_octet_string(&iv); 2969 return ret; 2970 } 2971 2972 /* 2973 * 2974 */ 2975 2976 2977 static int 2978 match_keys_rsa(hx509_cert c, hx509_private_key private_key) 2979 { 2980 const Certificate *cert; 2981 const SubjectPublicKeyInfo *spi; 2982 RSAPublicKey pk; 2983 RSA *rsa; 2984 const BIGNUM *d, *p, *q, *dmp1, *dmq1, *iqmp; 2985 BIGNUM *new_d, *new_p, *new_q, *new_dmp1, *new_dmq1, *new_iqmp, *n, *e; 2986 size_t size; 2987 int ret; 2988 2989 if (private_key->private_key.rsa == NULL) 2990 return 0; 2991 2992 rsa = private_key->private_key.rsa; 2993 RSA_get0_key(rsa, NULL, NULL, &d); 2994 RSA_get0_factors(rsa, &p, &q); 2995 RSA_get0_crt_params(rsa, &dmp1, &dmq1, &iqmp); 2996 if (d == NULL || p == NULL || q == NULL) 2997 return 0; 2998 2999 cert = _hx509_get_cert(c); 3000 spi = &cert->tbsCertificate.subjectPublicKeyInfo; 3001 3002 rsa = RSA_new(); 3003 if (rsa == NULL) 3004 return 0; 3005 3006 ret = decode_RSAPublicKey(spi->subjectPublicKey.data, 3007 spi->subjectPublicKey.length / 8, 3008 &pk, &size); 3009 if (ret) { 3010 RSA_free(rsa); 3011 return 0; 3012 } 3013 n = heim_int2BN(&pk.modulus); 3014 e = heim_int2BN(&pk.publicExponent); 3015 3016 free_RSAPublicKey(&pk); 3017 3018 new_d = BN_dup(d); 3019 new_p = BN_dup(p); 3020 new_q = BN_dup(q); 3021 new_dmp1 = BN_dup(dmp1); 3022 new_dmq1 = BN_dup(dmq1); 3023 new_iqmp = BN_dup(iqmp); 3024 3025 if (n == NULL || e == NULL || 3026 new_d == NULL || new_p == NULL|| new_q == NULL || 3027 new_dmp1 == NULL || new_dmq1 == NULL || new_iqmp == NULL) { 3028 BN_free(n); 3029 BN_free(e); 3030 BN_free(new_d); 3031 BN_free(new_p); 3032 BN_free(new_q); 3033 BN_free(new_dmp1); 3034 BN_free(new_dmq1); 3035 BN_free(new_iqmp); 3036 RSA_free(rsa); 3037 return 0; 3038 } 3039 3040 ret = RSA_set0_key(rsa, new_d, n, e); 3041 3042 if (ret != 1) { 3043 BN_free(n); 3044 BN_free(e); 3045 BN_free(new_d); 3046 BN_free(new_p); 3047 BN_free(new_q); 3048 BN_free(new_dmp1); 3049 BN_free(new_dmq1); 3050 BN_free(new_iqmp); 3051 RSA_free(rsa); 3052 return 0; 3053 } 3054 3055 ret = RSA_set0_factors(rsa, new_p, new_q); 3056 3057 if (ret != 1) { 3058 BN_free(new_p); 3059 BN_free(new_q); 3060 BN_free(new_dmp1); 3061 BN_free(new_dmq1); 3062 BN_free(new_iqmp); 3063 RSA_free(rsa); 3064 return 0; 3065 } 3066 3067 ret = RSA_set0_crt_params(rsa, new_dmp1, new_dmq1, new_iqmp); 3068 3069 if (ret != 1) { 3070 BN_free(new_dmp1); 3071 BN_free(new_dmq1); 3072 BN_free(new_iqmp); 3073 RSA_free(rsa); 3074 return 0; 3075 } 3076 3077 ret = RSA_check_key(rsa); 3078 RSA_free(rsa); 3079 3080 return ret == 1; 3081 } 3082 3083 static int 3084 match_keys_ec(hx509_cert c, hx509_private_key private_key) 3085 { 3086 return 1; /* XXX use EC_KEY_check_key */ 3087 } 3088 3089 3090 int 3091 _hx509_match_keys(hx509_cert c, hx509_private_key key) 3092 { 3093 if (der_heim_oid_cmp(key->ops->key_oid, ASN1_OID_ID_PKCS1_RSAENCRYPTION) == 0) 3094 return match_keys_rsa(c, key); 3095 if (der_heim_oid_cmp(key->ops->key_oid, ASN1_OID_ID_ECPUBLICKEY) == 0) 3096 return match_keys_ec(c, key); 3097 return 0; 3098 3099 } 3100 3101 3102 static const heim_oid * 3103 find_keytype(const hx509_private_key key) 3104 { 3105 const struct signature_alg *md; 3106 3107 if (key == NULL) 3108 return NULL; 3109 3110 md = find_sig_alg(key->signature_alg); 3111 if (md == NULL) 3112 return NULL; 3113 return md->key_oid; 3114 } 3115 3116 int 3117 hx509_crypto_select(const hx509_context context, 3118 int type, 3119 const hx509_private_key source, 3120 hx509_peer_info peer, 3121 AlgorithmIdentifier *selected) 3122 { 3123 const AlgorithmIdentifier *def = NULL; 3124 size_t i, j; 3125 int ret, bits; 3126 3127 memset(selected, 0, sizeof(*selected)); 3128 3129 if (type == HX509_SELECT_DIGEST) { 3130 bits = SIG_DIGEST; 3131 if (source) 3132 def = alg_for_privatekey(source, type); 3133 if (def == NULL) 3134 def = _hx509_crypto_default_digest_alg; 3135 } else if (type == HX509_SELECT_PUBLIC_SIG) { 3136 bits = SIG_PUBLIC_SIG; 3137 /* XXX depend on `source´ and `peer´ */ 3138 if (source) 3139 def = alg_for_privatekey(source, type); 3140 if (def == NULL) 3141 def = _hx509_crypto_default_sig_alg; 3142 } else if (type == HX509_SELECT_SECRET_ENC) { 3143 bits = SIG_SECRET; 3144 def = _hx509_crypto_default_secret_alg; 3145 } else { 3146 hx509_set_error_string(context, 0, EINVAL, 3147 "Unknown type %d of selection", type); 3148 return EINVAL; 3149 } 3150 3151 if (peer) { 3152 const heim_oid *keytype = NULL; 3153 3154 keytype = find_keytype(source); 3155 3156 for (i = 0; i < peer->len; i++) { 3157 for (j = 0; sig_algs[j]; j++) { 3158 if ((sig_algs[j]->flags & bits) != bits) 3159 continue; 3160 if (der_heim_oid_cmp(sig_algs[j]->sig_oid, 3161 &peer->val[i].algorithm) != 0) 3162 continue; 3163 if (keytype && sig_algs[j]->key_oid && 3164 der_heim_oid_cmp(keytype, sig_algs[j]->key_oid)) 3165 continue; 3166 3167 /* found one, use that */ 3168 ret = copy_AlgorithmIdentifier(&peer->val[i], selected); 3169 if (ret) 3170 hx509_clear_error_string(context); 3171 return ret; 3172 } 3173 if (bits & SIG_SECRET) { 3174 const struct hx509cipher *cipher; 3175 3176 cipher = find_cipher_by_oid(&peer->val[i].algorithm); 3177 if (cipher == NULL) 3178 continue; 3179 if (cipher->ai_func == NULL) 3180 continue; 3181 ret = copy_AlgorithmIdentifier(cipher->ai_func(), selected); 3182 if (ret) 3183 hx509_clear_error_string(context); 3184 return ret; 3185 } 3186 } 3187 } 3188 3189 /* use default */ 3190 ret = copy_AlgorithmIdentifier(def, selected); 3191 if (ret) 3192 hx509_clear_error_string(context); 3193 return ret; 3194 } 3195 3196 int 3197 hx509_crypto_available(hx509_context context, 3198 int type, 3199 hx509_cert source, 3200 AlgorithmIdentifier **val, 3201 unsigned int *plen) 3202 { 3203 const heim_oid *keytype = NULL; 3204 unsigned int len, i; 3205 void *ptr; 3206 int bits, ret; 3207 3208 *val = NULL; 3209 3210 if (type == HX509_SELECT_ALL) { 3211 bits = SIG_DIGEST | SIG_PUBLIC_SIG | SIG_SECRET; 3212 } else if (type == HX509_SELECT_DIGEST) { 3213 bits = SIG_DIGEST; 3214 } else if (type == HX509_SELECT_PUBLIC_SIG) { 3215 bits = SIG_PUBLIC_SIG; 3216 } else { 3217 hx509_set_error_string(context, 0, EINVAL, 3218 "Unknown type %d of available", type); 3219 return EINVAL; 3220 } 3221 3222 if (source) 3223 keytype = find_keytype(_hx509_cert_private_key(source)); 3224 3225 len = 0; 3226 for (i = 0; sig_algs[i]; i++) { 3227 if ((sig_algs[i]->flags & bits) == 0) 3228 continue; 3229 if (sig_algs[i]->sig_alg == NULL) 3230 continue; 3231 if (keytype && sig_algs[i]->key_oid && 3232 der_heim_oid_cmp(sig_algs[i]->key_oid, keytype)) 3233 continue; 3234 3235 /* found one, add that to the list */ 3236 ptr = realloc(*val, sizeof(**val) * (len + 1)); 3237 if (ptr == NULL) 3238 goto out; 3239 *val = ptr; 3240 3241 ret = copy_AlgorithmIdentifier(sig_algs[i]->sig_alg, &(*val)[len]); 3242 if (ret) 3243 goto out; 3244 len++; 3245 } 3246 3247 /* Add AES */ 3248 if (bits & SIG_SECRET) { 3249 3250 for (i = 0; i < sizeof(ciphers)/sizeof(ciphers[0]); i++) { 3251 3252 if (ciphers[i].flags & CIPHER_WEAK) 3253 continue; 3254 if (ciphers[i].ai_func == NULL) 3255 continue; 3256 3257 ptr = realloc(*val, sizeof(**val) * (len + 1)); 3258 if (ptr == NULL) 3259 goto out; 3260 *val = ptr; 3261 3262 ret = copy_AlgorithmIdentifier((ciphers[i].ai_func)(), &(*val)[len]); 3263 if (ret) 3264 goto out; 3265 len++; 3266 } 3267 } 3268 3269 *plen = len; 3270 return 0; 3271 3272 out: 3273 for (i = 0; i < len; i++) 3274 free_AlgorithmIdentifier(&(*val)[i]); 3275 free(*val); 3276 *val = NULL; 3277 hx509_set_error_string(context, 0, ENOMEM, "out of memory"); 3278 return ENOMEM; 3279 } 3280 3281 void 3282 hx509_crypto_free_algs(AlgorithmIdentifier *val, 3283 unsigned int len) 3284 { 3285 unsigned int i; 3286 for (i = 0; i < len; i++) 3287 free_AlgorithmIdentifier(&val[i]); 3288 free(val); 3289 } 3290