OpenSSL: openssl/apps/ cms.c openssl/crypto/cms/ cms.h cms

Thread: OpenSSL: openssl/apps/ cms.c openssl/crypto/cms/ cms.h cms_env.c

Search this list only Search all lists
OpenSSL: openssl/apps/ cms.c openssl/crypto/cms/ cms.h cms_env.c
Germany	2008-03-19 08:53:52
OpenSSL CVS Repository http://cvs.openssl.org/ ____________________________________________________________ ________________ Server: cvs.openssl.org Name: Dr. Stephen Henson Root: /v/openssl/cvs Email: steveopenssl.org Module: openssl Date: 19-Mar-2008 14:53:52 Branch: HEAD Handle: 2008031913535101 Modified files: openssl/apps cms.c openssl/crypto/cms cms.h cms_env.c Log: Add support for KEKRecipientInfo in cms application. Summary: Revision Changes Path 1.9 +48 -9 openssl/apps/cms.c 1.13 +7 -0 openssl/crypto/cms/cms.h 1.9 +204 -161 openssl/crypto/cms/cms_env.c ____________________________________________________________ ________________ patch -p0 <<' .' Index: openssl/apps/cms.c ============================================================ ================ $ cvs diff -u -r1.8 -r1.9 cms.c --- openssl/apps/cms.c 18 Mar 2008 19:03:03 -0000 1.8 +++ openssl/apps/cms.c 19 Mar 2008 13:53:51 -0000 1.9 -122,8 +122,8 #ifndef OPENSSL_NO_ENGINE char engine=NULL; #endif - unsigned char secret_key = NULL; - size_t secret_keylen = 0; + unsigned char secret_key = NULL, secret_keyid = NULL; + size_t secret_keylen = 0, secret_keyidlen = 0; X509_VERIFY_PARAM vpm = NULL; -254,6 +254,20 } secret_keylen = (size_t)ltmp; } + else if (!strcmp(args,"-secretkeyid")) + { + long ltmp; + if (!args[1]) + goto argerr; + args++; + secret_keyid = string_to_hex(args, &ltmp); + if (!secret_keyid) + { + BIO_printf(bio_err, "Invalid id %sn", args); + goto argerr; + } + secret_keyidlen = (size_t)ltmp; + } else if (!strcmp(args,"-rand")) { if (!args[1]) -459,7 +473,7 } else if (operation == SMIME_ENCRYPT) { - if (!args) + if (!args && !secret_key) { BIO_printf(bio_err, "No recipient(s) certificate(s) specifiedn"); badarg = 1; -592,17 +606,20 goto end; #endif } - encerts = sk_X509_new_null(); + + if (secret_key && !secret_keyid) + { + BIO_printf(bio_err, "No sectre key idn"); + goto end; + } + + if (args) + encerts = sk_X509_new_null(); while (args) { if (!(cert = load_cert(bio_err,args,FORMAT_PEM, NULL, e, "recipient certificate file"))) - { -#if 0 /* An appropriate message is already printed / - BIO_printf(bio_err, "Can't read recipient certificate file %sn", args); -#endif goto end; - } sk_X509_push(encerts, cert); cert = NULL; args++; -737,13 +754,33 } else if (operation == SMIME_ENCRYPT) { + flags \|= CMS_PARTIAL; cms = CMS_encrypt(encerts, in, cipher, flags); + if (!cms) + goto end; + if (secret_key) + { + if (!CMS_add0_recipient_key(cms, NID_undef, + secret_key, secret_keylen, + secret_keyid, secret_keyidlen, + NULL, NULL, NULL)) + goto end; + /* NULL these because call absorbs them / + secret_key = NULL; + secret_keyid = NULL; + } + if (!(flags & CMS_STREAM)) + { + if (!CMS_final(cms, in, flags)) + goto end; + } } else if (operation == SMIME_ENCRYPTED_ENCRYPT) { cms = CMS_EncryptedData_encrypt(in, cipher, secret_key, secret_keylen, flags); + } else if (operation & SMIME_SIGNERS) { -903,6 +940,8 sk_free(skkeys); if (secret_key) OPENSSL_free(secret_key); + if (secret_keyid) + OPENSSL_free(secret_keyid); X509_STORE_free(store); X509_free(cert); X509_free(recip); . patch -p0 <<' .' Index: openssl/crypto/cms/cms.h ============================================================ ================ $ cvs diff -u -r1.12 -r1.13 cms.h --- openssl/crypto/cms/cms.h 18 Mar 2008 01:00:37 -0000 1.12 +++ openssl/crypto/cms/cms.h 19 Mar 2008 13:53:52 -0000 1.13 -181,6 +181,13 ASN1_OCTET_STRING keyid, X509_NAME issuer, ASN1_INTEGER sno); +CMS_RecipientInfo CMS_add0_recipient_key(CMS_ContentInfo cms, int nid, + unsigned char key, size_t keylen, + unsigned char id, size_t idlen, + ASN1_GENERALIZEDTIME date, + ASN1_OBJECT otherTypeId, + ASN1_TYPE otherType); + int CMS_RecipientInfo_decrypt(CMS_ContentInfo cms, CMS_RecipientInfo ri); int CMS_uncompress(CMS_ContentInfo cms, BIO dcont, BIO out, . patch -p0 <<' .' Index: openssl/crypto/cms/cms_env.c ============================================================ ================ $ cvs diff -u -r1.8 -r1.9 cms_env.c --- openssl/crypto/cms/cms_env.c 18 Mar 2008 18:18:25 -0000 1.8 +++ openssl/crypto/cms/cms_env.c 19 Mar 2008 13:53:52 -0000 1.9 -139,9 +139,12 return NULL; } +/ Key Transport Recipient Info (KTRI) routines / + / Add a recipient certificate. For now only handle key transport. * If we ever handle key agreement will need updating. / + CMS_RecipientInfo CMS_add1_recipient_cert(CMS_ContentInfo cms, X509 recip, unsigned int flags) { -230,144 +233,6 } -int CMS_RecipientInfo_kekri_get0_id(CMS_RecipientInfo ri, - X509_ALGOR palg, - ASN1_OCTET_STRING pid, - ASN1_GENERALIZEDTIME pdate, - ASN1_OBJECT potherid, - ASN1_TYPE pothertype) - { - CMS_KEKIdentifier rkid; - if (ri->type != CMS_RECIPINFO_KEK) - { - CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_GET0_ID, CMS_R_NOT_KEK); - return 0; - } - rkid = ri->d.kekri->kekid; - if (palg) - palg = ri->d.kekri->keyEncryptionAlgorithm; - if (pid) - pid = rkid->keyIdentifier; - if (pdate) - pdate = rkid->date; - if (potherid) - { - if (rkid->other) - potherid = rkid->other->keyAttrId; - else - potherid = NULL; - } - if (pothertype) - { - if (rkid->other) - pothertype = rkid->other->keyAttr; - else - pothertype = NULL; - } - return 1; - } - -/ For now hard code AES key wrap info / - -static int aes_wrap_keylen(int nid) - { - switch (nid) - { - case NID_id_aes128_wrap: - return 16; - - case NID_id_aes192_wrap: - return 24; - - case NID_id_aes256_wrap: - return 32; - - default: - return 0; - } - } - - -CMS_RecipientInfo CMS_add0_recipient_key(CMS_ContentInfo cms, int nid, - unsigned char key, size_t keylen, - unsigned char id, size_t idlen, - ASN1_GENERALIZEDTIME date, - ASN1_OBJECT otherTypeId, - ASN1_TYPE otherType) - { - CMS_RecipientInfo ri = NULL; - CMS_EnvelopedData env; - CMS_KEKRecipientInfo kekri; - size_t exp_keylen = 0; - env = cms_get0_enveloped(cms); - if (!env) - goto err; - - exp_keylen = aes_wrap_keylen(nid); - - if (!exp_keylen) - { - CMSerr(CMS_F_CMS_ADD0_RECIPIENT_KEY, - CMS_R_UNSUPPORTED_KEK_ALGORITHM); - goto err; - } - - if (keylen != exp_keylen) - { - CMSerr(CMS_F_CMS_ADD0_RECIPIENT_KEY, CMS_R_INVALID_KEY_LENGTH); - goto err; - } - - / Initialize recipient info / - ri = M_ASN1_new_of(CMS_RecipientInfo); - if (!ri) - goto merr; - - ri->d.kekri = M_ASN1_new_of(CMS_KEKRecipientInfo); - if (!ri->d.kekri) - goto merr; - ri->type = CMS_RECIPINFO_KEK; - - kekri = ri->d.kekri; - - if (otherTypeId) - { - kekri->kekid->other = M_ASN1_new_of(CMS_OtherKeyAttribute); - if (kekri->kekid->other == NULL) - goto merr; - } - - if (!sk_CMS_RecipientInfo_push(env->recipientInfos, ri)) - goto merr; - - / After this point no calls can fail / - - kekri->version = 4; - - kekri->key = key; - kekri->keylen = keylen; - - ASN1_STRING_set0(kekri->kekid->keyIdentifier, id, idlen); - - kekri->kekid->date = date; - - kekri->kekid->other->keyAttrId = otherTypeId; - kekri->kekid->other->keyAttr = otherType; - - X509_ALGOR_set0(kekri->keyEncryptionAlgorithm, - OBJ_nid2obj(nid), V_ASN1_UNDEF, NULL); - - return ri; - - merr: - CMSerr(CMS_F_CMS_ADD0_RECIPIENT_KEY, ERR_R_MALLOC_FAILURE); - err: - if (ri) - M_ASN1_free_of(ri, CMS_RecipientInfo); - return NULL; - - } - int CMS_RecipientInfo_ktri_get0_algs(CMS_RecipientInfo ri, EVP_PKEY pk, X509 recip, X509_ALGOR *palg) -431,29 +296,6 return 1; } -int CMS_RecipientInfo_set0_key(CMS_RecipientInfo ri, - unsigned char key, size_t keylen) - { - CMS_KEKRecipientInfo kekri; - int wrap_nid; - if (ri->type != CMS_RECIPINFO_KEK) - { - CMSerr(CMS_F_CMS_RECIPIENTINFO_SET0_KEY, CMS_R_NOT_KEK); - return 0; - } - kekri = ri->d.kekri; - wrap_nid = OBJ_obj2nid(kekri->keyEncryptionAlgorithm->algorithm); - if (aes_wrap_keylen(wrap_nid) != keylen) - { - CMSerr(CMS_F_CMS_RECIPIENTINFO_SET0_KEY, - CMS_R_INVALID_KEY_LENGTH); - return 0; - } - kekri->key = key; - kekri->keylen = keylen; - return 1; - } - /* Encrypt content key in key transport recipient info / static int cms_RecipientInfo_ktri_encrypt(CMS_ContentInfo cms, -519,6 +361,8 } +/* Decrypt content key from KTRI / + static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo cms, CMS_RecipientInfo ri) { -585,6 +429,201 return ret; } +/ Key Encrypted Key (KEK) RecipientInfo routines / + +/ For now hard code AES key wrap info / + +static size_t aes_wrap_keylen(int nid) + { + switch (nid) + { + case NID_id_aes128_wrap: + return 16; + + case NID_id_aes192_wrap: + return 24; + + case NID_id_aes256_wrap: + return 32; + + default: + return 0; + } + } + +CMS_RecipientInfo CMS_add0_recipient_key(CMS_ContentInfo cms, int nid, + unsigned char key, size_t keylen, + unsigned char id, size_t idlen, + ASN1_GENERALIZEDTIME date, + ASN1_OBJECT otherTypeId, + ASN1_TYPE otherType) + { + CMS_RecipientInfo ri = NULL; + CMS_EnvelopedData env; + CMS_KEKRecipientInfo kekri; + env = cms_get0_enveloped(cms); + if (!env) + goto err; + + if (nid == NID_undef) + { + switch (keylen) + { + case 16: + nid = NID_id_aes128_wrap; + break; + + case 24: + nid = NID_id_aes192_wrap; + break; + + case 32: + nid = NID_id_aes256_wrap; + break; + + default: + CMSerr(CMS_F_CMS_ADD0_RECIPIENT_KEY, + CMS_R_INVALID_KEY_LENGTH); + goto err; + } + + } + else + { + + size_t exp_keylen = aes_wrap_keylen(nid); + + if (!exp_keylen) + { + CMSerr(CMS_F_CMS_ADD0_RECIPIENT_KEY, + CMS_R_UNSUPPORTED_KEK_ALGORITHM); + goto err; + } + + if (keylen != exp_keylen) + { + CMSerr(CMS_F_CMS_ADD0_RECIPIENT_KEY, + CMS_R_INVALID_KEY_LENGTH); + goto err; + } + + } + + / Initialize recipient info / + ri = M_ASN1_new_of(CMS_RecipientInfo); + if (!ri) + goto merr; + + ri->d.kekri = M_ASN1_new_of(CMS_KEKRecipientInfo); + if (!ri->d.kekri) + goto merr; + ri->type = CMS_RECIPINFO_KEK; + + kekri = ri->d.kekri; + + if (otherTypeId) + { + kekri->kekid->other = M_ASN1_new_of(CMS_OtherKeyAttribute); + if (kekri->kekid->other == NULL) + goto merr; + } + + if (!sk_CMS_RecipientInfo_push(env->recipientInfos, ri)) + goto merr; + + + / After this point no calls can fail / + + kekri->version = 4; + + kekri->key = key; + kekri->keylen = keylen; + + ASN1_STRING_set0(kekri->kekid->keyIdentifier, id, idlen); + + kekri->kekid->date = date; + + if (kekri->kekid->other) + { + kekri->kekid->other->keyAttrId = otherTypeId; + kekri->kekid->other->keyAttr = otherType; + } + + X509_ALGOR_set0(kekri->keyEncryptionAlgorithm, + OBJ_nid2obj(nid), V_ASN1_UNDEF, NULL); + + return ri; + + merr: + CMSerr(CMS_F_CMS_ADD0_RECIPIENT_KEY, ERR_R_MALLOC_FAILURE); + err: + if (ri) + M_ASN1_free_of(ri, CMS_RecipientInfo); + return NULL; + + } + +int CMS_RecipientInfo_kekri_get0_id(CMS_RecipientInfo ri, + X509_ALGOR palg, + ASN1_OCTET_STRING pid, + ASN1_GENERALIZEDTIME pdate, + ASN1_OBJECT potherid, + ASN1_TYPE *pothertype) + { + CMS_KEKIdentifier rkid; + if (ri->type != CMS_RECIPINFO_KEK) + { + CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_GET0_ID, CMS_R_NOT_KEK); + return 0; + } + rkid = ri->d.kekri->kekid; + if (palg) + palg = ri->d.kekri->keyEncryptionAlgorithm; + if (pid) + pid = rkid->keyIdentifier; + if (pdate) + pdate = rkid->date; + if (potherid) + { + if (rkid->other) + potherid = rkid->other->keyAttrId; + else + potherid = NULL; + } + if (pothertype) + { + if (rkid->other) + pothertype = rkid->other->keyAttr; + else + pothertype = NULL; + } + return 1; + } + + +int CMS_RecipientInfo_set0_key(CMS_RecipientInfo ri, + unsigned char key, size_t keylen) + { + CMS_KEKRecipientInfo kekri; + int wrap_nid; + if (ri->type != CMS_RECIPINFO_KEK) + { + CMSerr(CMS_F_CMS_RECIPIENTINFO_SET0_KEY, CMS_R_NOT_KEK); + return 0; + } + kekri = ri->d.kekri; + wrap_nid = OBJ_obj2nid(kekri->keyEncryptionAlgorithm->algorithm); + if (aes_wrap_keylen(wrap_nid) != keylen) + { + CMSerr(CMS_F_CMS_RECIPIENTINFO_SET0_KEY, + CMS_R_INVALID_KEY_LENGTH); + return 0; + } + kekri->key = key; + kekri->keylen = keylen; + return 1; + } + /* Encrypt content key in KEK recipient info / -646,6 +685,8 } +/ Decrypt content key in KEK recipient info / + static int cms_RecipientInfo_kekri_decrypt(CMS_ContentInfo cms, CMS_RecipientInfo ri) { -752,6 +793,8 if (!ret \|\| !ec->cipher) return ret; + / Now encrypt content key according to each RecipientInfo type */ + rinfos = cms->d.envelopedData->recipientInfos; for (i = 0; i < sk_CMS_RecipientInfo_num(rinfos); i++) . ____________________________________________________________ __________ OpenSSL Project http://www.openssl.org CVS Repository Commit List openssl-cvsopenssl.org Automated List Manager majordomoopenssl.org

[1]

about | contact Other archives ( Real Estate discussion Medical topics )