X509_SIG *PKCS8_encrypt(int pbe_nid, const EVP_CIPHER *cipher,
const char *pass, int passlen,
unsigned char *salt, int saltlen, int iter,
PKCS8_PRIV_KEY_INFO *p8inf)
{
X509_SIG *p8 = NULL;
X509_ALGOR *pbe;
if (!(p8 = X509_SIG_new())) {
PKCS12err(PKCS12_F_PKCS8_ENCRYPT, ERR_R_MALLOC_FAILURE);
goto err;
}
if(pbe_nid == -1) pbe = PKCS5_pbe2_set(cipher, iter, salt, saltlen);
else pbe = PKCS5_pbe_set(pbe_nid, iter, salt, saltlen);
if(!pbe) {
PKCS12err(PKCS12_F_PKCS8_ENCRYPT, ERR_R_ASN1_LIB);
goto err;
}
X509_ALGOR_free(p8->algor);
p8->algor = pbe;
M_ASN1_OCTET_STRING_free(p8->digest);
p8->digest = PKCS12_item_i2d_encrypt(pbe, ASN1_ITEM_rptr(PKCS8_PRIV_KEY_INFO),
pass, passlen, p8inf, 1);
if(!p8->digest) {
PKCS12err(PKCS12_F_PKCS8_ENCRYPT, PKCS12_R_ENCRYPT_ERROR);
goto err;
}
return p8;
err:
X509_SIG_free(p8);
return NULL;
}
X509_SIG *PKCS8_encrypt(int pbe_nid, const EVP_CIPHER *cipher,
const char *pass, int passlen,
unsigned char *salt, int saltlen, int iter,
PKCS8_PRIV_KEY_INFO *p8inf)
{
X509_SIG *p8 = NULL;
X509_ALGOR *pbe;
if (pbe_nid == -1)
pbe = PKCS5_pbe2_set(cipher, iter, salt, saltlen);
else if (EVP_PBE_find(EVP_PBE_TYPE_PRF, pbe_nid, NULL, NULL, 0))
pbe = PKCS5_pbe2_set_iv(cipher, iter, salt, saltlen, NULL, pbe_nid);
else {
ERR_clear_error();
pbe = PKCS5_pbe_set(pbe_nid, iter, salt, saltlen);
}
if (!pbe) {
PKCS12err(PKCS12_F_PKCS8_ENCRYPT, ERR_R_ASN1_LIB);
return NULL;
}
p8 = PKCS8_set0_pbe(pass, passlen, p8inf, pbe);
if (p8 == NULL) {
X509_ALGOR_free(pbe);
return NULL;
}
return p8;
}
X509_SIG *PKCS8_encrypt_pbe(int pbe_nid,
const uint8_t *pass_raw, size_t pass_raw_len,
uint8_t *salt, size_t salt_len,
int iterations, PKCS8_PRIV_KEY_INFO *p8inf) {
X509_SIG *pkcs8 = NULL;
X509_ALGOR *pbe;
pkcs8 = X509_SIG_new();
if (pkcs8 == NULL) {
OPENSSL_PUT_ERROR(PKCS8, PKCS8_encrypt_pbe, ERR_R_MALLOC_FAILURE);
goto err;
}
pbe = PKCS5_pbe_set(pbe_nid, iterations, salt, salt_len);
if (!pbe) {
OPENSSL_PUT_ERROR(PKCS8, PKCS8_encrypt_pbe, ERR_R_ASN1_LIB);
goto err;
}
X509_ALGOR_free(pkcs8->algor);
pkcs8->algor = pbe;
M_ASN1_OCTET_STRING_free(pkcs8->digest);
pkcs8->digest = pkcs12_item_i2d_encrypt(
pbe, ASN1_ITEM_rptr(PKCS8_PRIV_KEY_INFO), pass_raw, pass_raw_len, p8inf);
if (!pkcs8->digest) {
OPENSSL_PUT_ERROR(PKCS8, PKCS8_encrypt_pbe, PKCS8_R_ENCRYPT_ERROR);
goto err;
}
return pkcs8;
err:
X509_SIG_free(pkcs8);
return NULL;
}
/* //////////////////////////// PRIVATE/PROTECTED //////////////////////////////////// */
OsStatus OsEncryption::init(Direction direction)
{
OsStatus retval = OS_FAILED;
#if defined(OSENCRYPTION)
release();
if (mKeyLen > 0 && mKey != NULL && mDataLen > 0 && mData != NULL)
{
ERR_clear_error();
SSLeay_add_all_algorithms();
mAlgorithm = PKCS5_pbe_set(NID_pbeWithMD5AndDES_CBC,
PKCS5_DEFAULT_ITER, mSalt, mSaltLen);
if (mAlgorithm != NULL)
{
EVP_CIPHER_CTX_init(&(mContext));
if (EVP_PBE_CipherInit(mAlgorithm->algorithm, (const char *)mKey, mKeyLen,
mAlgorithm->parameter, &(mContext), (int)direction))
{
int blockSize = EVP_CIPHER_CTX_block_size(&mContext);
int allocLen = mDataLen + mHeaderLen + blockSize + 1; // plus 1 for null terminator on decrypt
mResults = (unsigned char *)OPENSSL_malloc(allocLen);
if (mResults == NULL)
{
OsSysLog::add(FAC_AUTH, PRI_ERR, "Could not allocate cryption buffer(size=%d)",
allocLen);
}
else
{
retval = OS_SUCCESS;
}
}
else
{
OsSysLog::add(FAC_AUTH, PRI_ERR, "Could not initialize cipher");
}
}
else
{
OsSysLog::add(FAC_AUTH, PRI_ERR, "Could not initialize cryption algorithm");
}
}
else
{
OsSysLog::add(FAC_AUTH, PRI_ERR, "No encryption key(%d) or data(%d) set.\n",
mKeyLen, mDataLen);
}
#endif
return retval;
}
