Example #1
/*
 * NSS_CMSUtil_DecryptSymKey_ESDH - placeholder for recovering a CMS bulk key
 * through Ephemeral-Static Diffie-Hellman key agreement.
 *
 * The whole working body is compiled out with "#if 0", so as shown this
 * function ignores every argument and always returns NULL.
 *
 * Review notes on the disabled draft, to resolve before it is ever enabled:
 *  - keaParams is read (originatorKEAKey, originatorRA) without being
 *    initialised or decoded from keyEncAlg anywhere in this function.
 *  - bulkkey is assigned and returned but never declared here.
 *  - tek is not released after the unwrap.
 *  - err and bulkType are declared but unused.
 *  - The mechanisms named are KEA/Skipjack ones (CKM_KEA_KEY_DERIVE,
 *    CKM_SKIPJACK_WRAP, CKM_SKIPJACK_CBC64), not Diffie-Hellman ones;
 *    presumably placeholders - confirm against the ESDH design.
 */
PK11SymKey *
NSS_CMSUtil_DecryptSymKey_ESDH(SECKEYPrivateKey *privkey, SECItem *encKey, SECAlgorithmID *keyEncAlg, SECOidTag bulkalgtag, void *pwfn_arg)
{
#if 0 /* not yet done */
    SECStatus err;
    CK_MECHANISM_TYPE bulkType;
    PK11SymKey *tek;
    SECKEYPublicKey *originatorPubKey;
    NSSCMSSMIMEKEAParameters keaParams;

   /* XXXX get originator's public key */
   /* NOTE(review): keaParams has not been filled in at this point, so the
      data/len pair passed below is indeterminate. */
   originatorPubKey = PK11_MakeKEAPubKey(keaParams.originatorKEAKey.data,
			   keaParams.originatorKEAKey.len);
   if (originatorPubKey == NULL)
      goto loser;
    
   /* Generate the TEK (token exchange key) which we use to unwrap the bulk encryption key.
      The Derive function generates a shared secret and combines it with the originatorRA
      data to come up with an unique session key */
   tek = PK11_PubDerive(privkey, originatorPubKey, PR_FALSE,
			 &keaParams.originatorRA, NULL,
			 CKM_KEA_KEY_DERIVE, CKM_SKIPJACK_WRAP,
			 CKA_WRAP, 0, pwfn_arg);
   SECKEY_DestroyPublicKey(originatorPubKey);	/* not needed anymore */
   if (tek == NULL)
	goto loser;
    
    /* Now that we have the TEK, unwrap the bulk key
       with which to decrypt the message. */
    /* Skipjack is being used as the bulk encryption algorithm.*/
    /* Unwrap the bulk key. */
    /* NOTE(review): bulkalgtag is never consulted; the target mechanism is
       hard-coded to CKM_SKIPJACK_CBC64. */
    bulkkey = PK11_UnwrapSymKey(tek, CKM_SKIPJACK_WRAP, NULL,
				encKey, CKM_SKIPJACK_CBC64, CKA_DECRYPT, 0);

    return bulkkey;

loser:
#endif
    /* Only statement that is actually compiled: no key is ever produced. */
    return NULL;
}
Example #2
/*
 * NSS_CMSUtil_EncryptSymKey_ESDH - placeholder for wrapping a CMS bulk key
 * for a recipient through Ephemeral-Static Diffie-Hellman key agreement.
 *
 * The whole working body is compiled out with "#if 0", so as shown this
 * function ignores every argument and always returns SECFailure.
 *
 * Review notes on the disabled draft, to resolve before it is ever enabled:
 *  - It uses names that are not declared in this function: publickey, wincx,
 *    arena, ourPrivKey, kek, bulkkey, enccinfo and keaParams.
 *  - ukm is declared as SECItem ** but is dereferenced as ukm->data/ukm->len
 *    and passed to PK11_PubDerive as if it were a SECItem *.
 *  - The switch has two identical case labels (CKM_SKIPJACK_CFB8).
 *  - The success path falls through into "loser" and still returns
 *    SECFailure; rv is never returned.
 *  - The results of SECITEM_CopyItem and PORT_ArenaZAlloc are not checked.
 *  - Key lookup, derive and wrap mechanisms are Fortezza/KEA ones and are
 *    marked XXXX by the author as unresolved.
 */
SECStatus
NSS_CMSUtil_EncryptSymKey_ESDH(PLArenaPool *poolp, CERTCertificate *cert, PK11SymKey *key,
			SECItem *encKey, SECItem **ukm, SECAlgorithmID *keyEncAlg,
			SECItem *pubKey)
{
#if 0 /* not yet done */
    SECOidTag certalgtag;	/* the certificate's encryption algorithm */
    SECOidTag encalgtag;	/* the algorithm used for key exchange/agreement */
    SECStatus rv;
    SECItem *params = NULL;
    int data_len;
    SECStatus err;
    PK11SymKey *tek;
    CERTCertificate *ourCert;
    SECKEYPublicKey *ourPubKey;
    NSSCMSKEATemplateSelector whichKEA = NSSCMSKEAInvalid;

    certalgtag = SECOID_GetAlgorithmTag(&(cert->subjectPublicKeyInfo.algorithm));
    /* NOTE(review): this is an assertion, not a runtime check; if assertions
       are compiled out the certificate's key type is not verified here. */
    PORT_Assert(certalgtag == SEC_OID_X942_DIFFIE_HELMAN_KEY);

    /* We really want to show our KEA tag as the key exchange algorithm tag. */
    encalgtag = SEC_OID_CMS_EPHEMERAL_STATIC_DIFFIE_HELLMAN;

    /* Get the public key of the recipient. */
    publickey = CERT_ExtractPublicKey(cert);
    if (publickey == NULL) goto loser;

    /* XXXX generate a DH key pair on a PKCS11 module (XXX which parameters?) */
    /* XXXX */ourCert = PK11_FindBestKEAMatch(cert, wincx);
    if (ourCert == NULL) goto loser;

    arena = PORT_NewArena(1024);
    /* NOTE(review): ourCert is not destroyed on this failure path. */
    if (arena == NULL) goto loser;

    /* While we're here, extract the key pair's public key data and copy it into */
    /* the outgoing parameters. */
    /* XXXX */ourPubKey = CERT_ExtractPublicKey(ourCert);
    if (ourPubKey == NULL)
    {
	goto loser;
    }
    /* NOTE(review): copy result is not checked; reads the fortezza member of
       the key union although the certificate was asserted to be X9.42 DH. */
    SECITEM_CopyItem(arena, pubKey, /* XXX */&(ourPubKey->u.fortezza.KEAKey));
    SECKEY_DestroyPublicKey(ourPubKey); /* we only need the private key from now on */
    ourPubKey = NULL;

    /* Extract our private key in order to derive the KEA key. */
    ourPrivKey = PK11_FindKeyByAnyCert(ourCert,wincx);
    CERT_DestroyCertificate(ourCert); /* we're done with this */
    if (!ourPrivKey) goto loser;

    /* If ukm desired, prepare it - allocate enough space (filled with zeros). */
    /* NOTE(review): size arguments are still missing, and ukm is SECItem **. */
    if (ukm) {
	ukm->data = (unsigned char*)PORT_ArenaZAlloc(arena,/* XXXX */);
	ukm->len = /* XXXX */;
    }

    /* Generate the KEK (key exchange key) according to RFC2631 which we use
     * to wrap the bulk encryption key. */
    kek = PK11_PubDerive(ourPrivKey, publickey, PR_TRUE,
			 ukm, NULL,
			 /* XXXX */CKM_KEA_KEY_DERIVE, /* XXXX */CKM_SKIPJACK_WRAP,
			 CKA_WRAP, 0, wincx);

    SECKEY_DestroyPublicKey(publickey);
    SECKEY_DestroyPrivateKey(ourPrivKey);
    publickey = NULL;
    ourPrivKey = NULL;
    
    if (!kek)
	goto loser;

    /* allocate space for the encrypted CEK (bulk key) */
    encKey->data = (unsigned char*)PORT_ArenaAlloc(poolp, SMIME_FORTEZZA_MAX_KEY_SIZE);
    encKey->len = SMIME_FORTEZZA_MAX_KEY_SIZE;

    if (encKey->data == NULL)
    {
	PK11_FreeSymKey(kek);
	goto loser;
    }


    /* Wrap the bulk key using CMSRC2WRAP or CMS3DESWRAP, depending on the */
    /* bulk encryption algorithm */
    /* NOTE(review): both case labels below are the same constant, so the two
       wrap mechanisms cannot both be selected as written. */
    switch (/* XXXX */PK11_AlgtagToMechanism(enccinfo->encalg))
    {
    case /* XXXX */CKM_SKIPJACK_CFB8:
	err = PK11_WrapSymKey(/* XXXX */CKM_CMS3DES_WRAP, NULL, kek, bulkkey, encKey);
	whichKEA = NSSCMSKEAUsesSkipjack;
	break;
    case /* XXXX */CKM_SKIPJACK_CFB8:
	err = PK11_WrapSymKey(/* XXXX */CKM_CMSRC2_WRAP, NULL, kek, bulkkey, encKey);
	whichKEA = NSSCMSKEAUsesSkipjack;
	break;
    default:
	/* XXXX what do we do here? Neither RC2 nor 3DES... */
        err = SECFailure;
        /* set error */
	break;
    }

    PK11_FreeSymKey(kek);	/* we do not need the KEK anymore */
    if (err != SECSuccess)
	goto loser;

    PORT_Assert(whichKEA != NSSCMSKEAInvalid);

    /* see RFC2630 12.3.1.1 "keyEncryptionAlgorithm must be ..." */
    /* params is the DER encoded key wrap algorithm (with parameters!) (XXX) */
    params = SEC_ASN1EncodeItem(arena, NULL, &keaParams, sec_pkcs7_get_kea_template(whichKEA));
    if (params == NULL)
	goto loser;

    /* now set keyEncAlg */
    /* NOTE(review): params lives in the local arena that is freed below,
       while keyEncAlg is filled from poolp; whether SECOID_SetAlgorithmID
       copies params is not visible here - confirm. */
    rv = SECOID_SetAlgorithmID(poolp, keyEncAlg, SEC_OID_CMS_EPHEMERAL_STATIC_DIFFIE_HELLMAN, params);
    if (rv != SECSuccess)
	goto loser;

    /* XXXXXXX this is not right yet */
loser:
    if (arena) {
	PORT_FreeArena(arena, PR_FALSE);
    }
    if (publickey) {
        SECKEY_DestroyPublicKey(publickey);
    }
    if (ourPrivKey) {
        SECKEY_DestroyPrivateKey(ourPrivKey);
    }
#endif
    /* Only statement that is actually compiled: wrapping always fails. */
    return SECFailure;
}
Example #3
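/*
 * NSS_CMSUtil_DecryptSymKey_MISSI - recover the bulk (content-encryption) key
 * from a MISSI/Fortezza KEA recipient info.
 *
 * privkey     recipient's private key, used for the KEA derive
 * encKey      wrapped bulk key taken from the message
 * keyEncAlg   key-encryption algorithm id; its parameters carry the DER-encoded
 *             KEA parameters (originator key, originator RA, optional IV and
 *             optional bulk key size)
 * bulkalgtag  bulk encryption algorithm of the message
 * pwfn_arg    passed through to PK11_PubDerive
 *
 * Returns the unwrapped bulk key (caller releases it), or NULL on any failure.
 *
 * Everything decoded from keyEncAlg comes from the message and is therefore
 * sender-controlled. The decoded parameters are held in a private arena that
 * is released before returning, and the intermediate TEK is freed on every
 * path.
 */
PK11SymKey *
NSS_CMSUtil_DecryptSymKey_MISSI(SECKEYPrivateKey *privkey, SECItem *encKey, SECAlgorithmID *keyEncAlg, SECOidTag bulkalgtag, void *pwfn_arg)
{
    /* fortezza: do a key exchange */
    SECStatus err;
    CK_MECHANISM_TYPE bulkType;
    PK11SymKey *tek = NULL;
    SECKEYPublicKey *originatorPubKey;
    NSSCMSSMIMEKEAParameters keaParams;
    PK11SymKey *bulkkey = NULL;
    /* 0 = no explicit key size; previously this was read uninitialised when
       the optional bulkKeySize parameter was absent. */
    int bulkLength = 0;
    PLArenaPool *arena;

    /* Decoding with a NULL pool heap-allocates every decoded item and nothing
       here ever freed them; an arena gives them a single owner. */
    arena = PORT_NewArena(1024);
    if (arena == NULL)
        return NULL;

    (void) memset(&keaParams, 0, sizeof(keaParams));

    /* NOTE: this uses the SMIME v2 recipientinfo for compatibility.
       All additional KEA parameters are DER-encoded in the encryption algorithm parameters */

    /* Decode the KEA algorithm parameters. */
    err = SEC_ASN1DecodeItem(arena, &keaParams, NSS_SMIMEKEAParamTemplateAllParams,
                             &(keyEncAlg->parameters));
    if (err != SECSuccess)
        goto done;

    /* get originator's public key */
    originatorPubKey = PK11_MakeKEAPubKey(keaParams.originatorKEAKey.data,
                                          keaParams.originatorKEAKey.len);
    if (originatorPubKey == NULL)
        goto done;

    /* Generate the TEK (token exchange key) which we use to unwrap the bulk encryption key.
       The Derive function generates a shared secret and combines it with the originatorRA
       data to come up with an unique session key */
    tek = PK11_PubDerive(privkey, originatorPubKey, PR_FALSE,
                         &keaParams.originatorRA, NULL,
                         CKM_KEA_KEY_DERIVE, CKM_SKIPJACK_WRAP,
                         CKA_WRAP, 0, pwfn_arg);
    SECKEY_DestroyPublicKey(originatorPubKey);	/* not needed anymore */
    if (tek == NULL)
        goto done;

    /* Now that we have the TEK, unwrap the bulk key
       with which to decrypt the message. We have to
       do one of two different things depending on
       whether Skipjack was used for *bulk* encryption
       of the message. */
    bulkType = PK11_AlgtagToMechanism(bulkalgtag);
    switch (bulkType) {
    case CKM_SKIPJACK_CBC64:
    case CKM_SKIPJACK_ECB64:
    case CKM_SKIPJACK_OFB64:
    case CKM_SKIPJACK_CFB64:
    case CKM_SKIPJACK_CFB32:
    case CKM_SKIPJACK_CFB16:
    case CKM_SKIPJACK_CFB8:
        /* Skipjack is being used as the bulk encryption algorithm.*/
        /* Unwrap the bulk key. */
        bulkkey = PK11_UnwrapSymKey(tek, CKM_SKIPJACK_WRAP, NULL,
                                    encKey, CKM_SKIPJACK_CBC64, CKA_DECRYPT, 0);
        break;
    default:
        /* Skipjack was not used for bulk encryption of this
           message. Use Skipjack CBC64, with the nonSkipjackIV
           part of the KEA key parameters, to decrypt
           the bulk key. If the optional parameter bulkKeySize is present,
           bulk key size is different than the encrypted key size */
        if (keaParams.bulkKeySize.len > 0) {
            /* NOTE(review): SEC_IntegerTemplate looks like it describes a
               SECItem destination, while the destination here is an int; if
               so the decoder writes past bulkLength. Confirm, and decode into
               a SECItem and convert it instead. */
            err = SEC_ASN1DecodeItem(arena, &bulkLength,
                                     SEC_ASN1_GET(SEC_IntegerTemplate),
                                     &keaParams.bulkKeySize);
            if (err != SECSuccess)
                goto done;
            /* The size is sender-supplied; a negative length is never valid. */
            if (bulkLength < 0)
                goto done;
        }

        bulkkey = PK11_UnwrapSymKey(tek, CKM_SKIPJACK_CBC64, &keaParams.nonSkipjackIV,
                                    encKey, bulkType, CKA_DECRYPT, bulkLength);
        break;
    }

done:
    /* Shared exit: bulkkey is still NULL on every failure path. */
    if (tek != NULL)
        PK11_FreeSymKey(tek);	/* was leaked on both success and failure */
    PORT_FreeArena(arena, PR_FALSE);
    return bulkkey;
}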
Example #4
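/*
 * NSS_CMSUtil_EncryptSymKey_MISSI - wrap a CMS bulk key for a MISSI/Fortezza
 * (KEA) recipient.
 *
 * poolp      arena that receives the wrapped key bytes (encKey->data) and the
 *            DER-encoded KEA parameters handed back through pparams
 * cert       recipient certificate; its public key is the KEA peer key
 * bulkkey    content-encryption key to wrap
 * symalgtag  bulk algorithm tag; selects Skipjack or non-Skipjack wrapping
 * encKey     out: wrapped key
 * pparams    out: encoded KEA parameters, written only on success
 * pwfn_arg   passed through to PK11_FindBestKEAMatch, PK11_FindKeyByAnyCert
 *            and PK11_PubDerive
 *
 * Returns SECSuccess, or SECFailure on any error. On failure encKey may
 * already point at a buffer allocated from poolp; its contents are then
 * meaningless.
 *
 * Every key, certificate and the scratch arena acquired here is released on
 * the shared exit path. Skipjack uses an 80-bit key; this path exists for
 * Fortezza interoperability only.
 */
SECStatus
NSS_CMSUtil_EncryptSymKey_MISSI(PLArenaPool *poolp, CERTCertificate *cert, PK11SymKey *bulkkey,
			SECOidTag symalgtag, SECItem *encKey, SECItem **pparams, void *pwfn_arg)
{
    SECOidTag certalgtag;	/* the certificate's encryption algorithm */
    SECOidTag encalgtag;	/* the algorithm used for key exchange/agreement */
    SECStatus rv = SECFailure;
    SECItem *params = NULL;
    SECStatus err = SECFailure;
    PK11SymKey *tek = NULL;
    CERTCertificate *ourCert = NULL;
    SECKEYPublicKey *ourPubKey = NULL, *publickey = NULL;
    SECKEYPrivateKey *ourPrivKey = NULL;
    NSSCMSKEATemplateSelector whichKEA = NSSCMSKEAInvalid;
    NSSCMSSMIMEKEAParameters keaParams;
    PLArenaPool *arena = NULL;
    extern const SEC_ASN1Template *nss_cms_get_kea_template(NSSCMSKEATemplateSelector whichTemplate);

    /* Clear keaParams, since cleanup code checks the lengths */
    (void) memset(&keaParams, 0, sizeof(keaParams));

    certalgtag = SECOID_GetAlgorithmTag(&(cert->subjectPublicKeyInfo.algorithm));
    /* NOTE(review): this is an assertion, not a runtime check; if assertions
       are compiled out, a non-KEA certificate is not rejected here. */
    PORT_Assert(certalgtag == SEC_OID_MISSI_KEA_DSS_OLD ||
		certalgtag == SEC_OID_MISSI_KEA_DSS ||
		certalgtag == SEC_OID_MISSI_KEA);

#define SMIME_FORTEZZA_RA_LENGTH 128
#define SMIME_FORTEZZA_IV_LENGTH 24
#define SMIME_FORTEZZA_MAX_KEY_SIZE 256

    /* We really want to show our KEA tag as the key exchange algorithm tag. */
    encalgtag = SEC_OID_NETSCAPE_SMIME_KEA;

    /* Get the public key of the recipient. */
    publickey = CERT_ExtractPublicKey(cert);
    if (publickey == NULL)
        goto loser;

    /* Find our own cert, and extract its keys. */
    ourCert = PK11_FindBestKEAMatch(cert, pwfn_arg);
    if (ourCert == NULL)
        goto loser;

    /* ourCert used to leak when this allocation failed; it is now released
       on the shared exit path. */
    arena = PORT_NewArena(1024);
    if (arena == NULL)
        goto loser;

    ourPubKey = CERT_ExtractPublicKey(ourCert);
    if (ourPubKey == NULL)
        goto loser;

    /* While we're here, copy the public key into the outgoing
     * KEA parameters. A failed copy must not go out as an empty key. */
    err = SECITEM_CopyItem(arena, &(keaParams.originatorKEAKey), &(ourPubKey->u.fortezza.KEAKey));
    SECKEY_DestroyPublicKey(ourPubKey);
    ourPubKey = NULL;
    if (err != SECSuccess)
        goto loser;

    /* Extract our private key in order to derive the KEA key. */
    ourPrivKey = PK11_FindKeyByAnyCert(ourCert, pwfn_arg);
    CERT_DestroyCertificate(ourCert); /* we're done with this */
    ourCert = NULL;
    if (!ourPrivKey)
        goto loser;

    /* Prepare raItem with 128 bytes, zero-filled as intended (the plain
     * allocator used before did not clear the buffer), and check it. */
    keaParams.originatorRA.data = (unsigned char *)PORT_ArenaZAlloc(arena, SMIME_FORTEZZA_RA_LENGTH);
    if (keaParams.originatorRA.data == NULL)
        goto loser;
    keaParams.originatorRA.len = SMIME_FORTEZZA_RA_LENGTH;

    /* Generate the TEK (token exchange key) which we use
     * to wrap the bulk encryption key. (keaparams.originatorRA) will be
     * filled with a random seed which we need to send to
     * the recipient. (user keying material in RFC2630/DSA speak) */
    tek = PK11_PubDerive(ourPrivKey, publickey, PR_TRUE,
                         &keaParams.originatorRA, NULL,
                         CKM_KEA_KEY_DERIVE, CKM_SKIPJACK_WRAP,
                         CKA_WRAP, 0, pwfn_arg);

    SECKEY_DestroyPublicKey(publickey);
    SECKEY_DestroyPrivateKey(ourPrivKey);
    publickey = NULL;
    ourPrivKey = NULL;

    if (!tek)
        goto loser;

    /* allocate space for the wrapped key data */
    encKey->data = (unsigned char *)PORT_ArenaAlloc(poolp, SMIME_FORTEZZA_MAX_KEY_SIZE);
    encKey->len = SMIME_FORTEZZA_MAX_KEY_SIZE;
    if (encKey->data == NULL)
        goto loser;

    /* Wrap the bulk key. What we do with the resulting data
       depends on whether we're using Skipjack to wrap the key. */
    switch (PK11_AlgtagToMechanism(symalgtag)) {
    case CKM_SKIPJACK_CBC64:
    case CKM_SKIPJACK_ECB64:
    case CKM_SKIPJACK_OFB64:
    case CKM_SKIPJACK_CFB64:
    case CKM_SKIPJACK_CFB32:
    case CKM_SKIPJACK_CFB16:
    case CKM_SKIPJACK_CFB8:
        /* SKIPJACK, we use the wrap mechanism because we can do it on the hardware */
        err = PK11_WrapSymKey(CKM_SKIPJACK_WRAP, NULL, tek, bulkkey, encKey);
        whichKEA = NSSCMSKEAUsesSkipjack;
        break;
    default:
        /* Not SKIPJACK, we encrypt the raw key data */
        /* NOTE(review): assumes the wrap call writes the IV it used into this
           buffer - confirm. Zero-filling keeps uninitialised arena memory out
           of the encoded parameters if it does not. */
        keaParams.nonSkipjackIV.data =
            (unsigned char *)PORT_ArenaZAlloc(arena, SMIME_FORTEZZA_IV_LENGTH);
        if (keaParams.nonSkipjackIV.data == NULL) {
            err = SECFailure;
            break;
        }
        keaParams.nonSkipjackIV.len = SMIME_FORTEZZA_IV_LENGTH;
        err = PK11_WrapSymKey(CKM_SKIPJACK_CBC64, &keaParams.nonSkipjackIV, tek, bulkkey, encKey);
        if (err != SECSuccess)
            break;	/* tek is released at loser; it used to leak here */

        if (encKey->len != PK11_GetKeyLength(bulkkey)) {
            /* The size of the encrypted key is not the same as
               that of the original bulk key, presumably due to
               padding. Encode and store the real size of the
               bulk key. */
            if (SEC_ASN1EncodeInteger(arena, &keaParams.bulkKeySize, PK11_GetKeyLength(bulkkey)) == NULL) {
                /* An error code is not a SECStatus; report plain failure. */
                err = SECFailure;
            } else {
                /* use full template for encoding */
                whichKEA = NSSCMSKEAUsesNonSkipjackWithPaddedEncKey;
            }
        } else {
            /* enc key length == bulk key length */
            whichKEA = NSSCMSKEAUsesNonSkipjack;
        }
        break;
    }

    if (err != SECSuccess)
        goto loser;

    PORT_Assert(whichKEA != NSSCMSKEAInvalid);

    /* Encode the KEA parameters into the recipient info. */
    params = SEC_ASN1EncodeItem(poolp, NULL, &keaParams, nss_cms_get_kea_template(whichKEA));
    if (params == NULL)
        goto loser;

    /* pass back the algorithm params */
    *pparams = params;

    rv = SECSuccess;

loser:
    /* Shared exit for success and failure: release whatever is still held. */
    if (tek)
        PK11_FreeSymKey(tek);
    if (arena)
        PORT_FreeArena(arena, PR_FALSE);
    if (ourPubKey)
        SECKEY_DestroyPublicKey(ourPubKey);
    if (ourCert)
        CERT_DestroyCertificate(ourCert);
    if (publickey)
        SECKEY_DestroyPublicKey(publickey);
    if (ourPrivKey)
        SECKEY_DestroyPrivateKey(ourPrivKey);
    return rv;
}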
Example #5
/* MUST BE THREAD-SAFE */
/*
 * calc_dh_shared - derive the Diffie-Hellman shared secret inside NSS.
 *
 * g is copied in as the other side's public value, privk is the local private
 * key, and local_pubk supplies the group prime and base. The result is padded
 * on the left with zero bytes up to group->bytes when NSS returns a shorter
 * key.
 *
 * NOTE(review): this listing stops after the timing block; the return
 * statement, any release of remote_pubk/arena and the closing brace are not
 * shown.
 * NOTE(review): every failure is handled with passert(); no error is returned
 * to the caller. g presumably comes from the peer, so whether a bad value can
 * reach the passert after PK11_PubDerive should be confirmed against the
 * callers.
 */
static PK11SymKey *calc_dh_shared(const chunk_t g,	/* converted to SECItem */
				  /*const*/ SECKEYPrivateKey *privk,	/* NSS doesn't do const */
				  const struct oakley_group_desc *group,
				  const SECKEYPublicKey *local_pubk)
{
	struct timeval tv0;
	SECKEYPublicKey *remote_pubk;
	SECItem nss_g;
	PK11SymKey *dhshared;
	PRArenaPool *arena;
	SECStatus status;
	unsigned int dhshared_len;

	DBG(DBG_CRYPT,
		DBG_log("Started DH shared-secret computation in NSS:"));

	/* start time for the elapsed-time debug line at the end */
	gettimeofday(&tv0, NULL);

	arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
	passert(arena != NULL);

	/* Build a public-key object by hand; it lives in (and owns) the arena. */
	/* NOTE(review): the allocation result is dereferenced without a check. */
	remote_pubk = (SECKEYPublicKey *)
		PORT_ArenaZAlloc(arena, sizeof(SECKEYPublicKey));

	remote_pubk->arena = arena;
	remote_pubk->keyType = dhKey;
	remote_pubk->pkcs11Slot = NULL;
	remote_pubk->pkcs11ID = CK_INVALID_HANDLE;

	/* View the caller's chunk as a SECItem (no copy yet). */
	nss_g.data = g.ptr;
	nss_g.len = (unsigned int)g.len;
	nss_g.type = siBuffer;

	/* Group parameters are taken from the local key, not from the input. */
	status = SECITEM_CopyItem(remote_pubk->arena, &remote_pubk->u.dh.prime,
				  &local_pubk->u.dh.prime);
	passert(status == SECSuccess);

	status = SECITEM_CopyItem(remote_pubk->arena, &remote_pubk->u.dh.base,
				  &local_pubk->u.dh.base);
	passert(status == SECSuccess);

	/* NOTE(review): g is used as the public value as-is; no length or range
	   check is visible here - presumably done by the caller or NSS, confirm. */
	status = SECITEM_CopyItem(remote_pubk->arena,
				  &remote_pubk->u.dh.publicValue, &nss_g);
	passert(status == SECSuccess);

	dhshared = PK11_PubDerive(privk, remote_pubk, PR_FALSE, NULL, NULL,
				  CKM_DH_PKCS_DERIVE,
				  CKM_CONCATENATE_DATA_AND_BASE,
				  CKA_DERIVE, group->bytes,
				  lsw_return_nss_password_file_info());
	/* A failed derive stops here via passert rather than returning NULL. */
	passert(dhshared != NULL);

	/* NSS can return fewer than group->bytes bytes; restore the leading
	   zeros by prepending a zero block to the key. */
	dhshared_len = PK11_GetKeyLength(dhshared);
	if (group->bytes > dhshared_len) {
		DBG(DBG_CRYPT,
		    DBG_log("Dropped %lu leading zeros",
			    group->bytes - dhshared_len));
		chunk_t zeros;
		PK11SymKey *newdhshared;
		CK_KEY_DERIVATION_STRING_DATA string_params;
		SECItem params;

		zeros = hmac_pads(0x00, group->bytes - dhshared_len);
		params.data = (unsigned char *)&string_params;
		params.len = sizeof(string_params);
		string_params.pData = zeros.ptr;
		string_params.ulLen = zeros.len;

		newdhshared = PK11_Derive(dhshared,
					  CKM_CONCATENATE_DATA_AND_BASE,
					  &params,
					  CKM_CONCATENATE_DATA_AND_BASE,
					  CKA_DERIVE, 0);
		passert(newdhshared != NULL);
		/* the padded key replaces the short one */
		PK11_FreeSymKey(dhshared);
		dhshared = newdhshared;
		freeanychunk(zeros);
	} else {
		DBG(DBG_CRYPT,
		    DBG_log("Dropped no leading zeros %d", dhshared_len));
	}

	/* Keep this disabled: it would log the shared secret. */
	/* nss_symkey_log(dhshared, "dhshared"); */

	/* Debug-only timing of the whole computation. */
	DBG(DBG_CRYPT, {
		struct timeval tv1;
		unsigned long tv_diff;

		gettimeofday(&tv1, NULL);
		tv_diff = (tv1.tv_sec  - tv0.tv_sec) * 1000000 +
			  (tv1.tv_usec - tv0.tv_usec);
		/* NOTE(review): tv_diff is unsigned long but is printed with %ld. */
		DBG_log("calc_dh_shared(): time elapsed (%s): %ld usec",
			       enum_show(&oakley_group_names, group->group),
			       tv_diff);
	});
Example #6
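/* MUST BE THREAD-SAFE */
/*
 * calc_dh_shared - derive the Diffie-Hellman shared secret inside NSS.
 *
 * g           the other side's public value (copied into an NSS public key)
 * privk       local private key
 * group       group descriptor; group->bytes is the expected secret length
 * local_pubk  local public key, used only for its prime and base
 * story       out: name of the group, for the caller's logging
 *
 * Returns the shared secret, left-padded with zero bytes to group->bytes, or
 * NULL when PK11_PubDerive fails. The caller releases the returned key.
 *
 * NOTE(review): g is used as the public value as-is; no length or range check
 * is visible here - presumably done by the caller or NSS, confirm.
 */
PK11SymKey *calc_dh_shared(const chunk_t g,	/* converted to SECItem */
			   /*const*/ SECKEYPrivateKey *privk,	/* NSS doesn't do const */
			   const struct oakley_group_desc *group,
			   const SECKEYPublicKey *local_pubk, const char **story)
{
	SECStatus status;

	DBG(DBG_CRYPT,
		DBG_log("Started DH shared-secret computation in NSS:"));

	PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
	passert(arena != NULL);

	/* Build a public-key object by hand; it lives in (and owns) the arena. */
	SECKEYPublicKey *remote_pubk = (SECKEYPublicKey *)
		PORT_ArenaZAlloc(arena, sizeof(SECKEYPublicKey));
	/* Same policy as for the arena: fail loudly instead of dereferencing NULL. */
	passert(remote_pubk != NULL);

	remote_pubk->arena = arena;
	remote_pubk->keyType = dhKey;
	remote_pubk->pkcs11Slot = NULL;
	remote_pubk->pkcs11ID = CK_INVALID_HANDLE;

	SECItem nss_g = {
		.data = g.ptr,
		.len = (unsigned int)g.len,
		.type = siBuffer
	};

	/* Group parameters are taken from the local key, not from the input. */
	status = SECITEM_CopyItem(remote_pubk->arena, &remote_pubk->u.dh.prime,
				  &local_pubk->u.dh.prime);
	passert(status == SECSuccess);

	status = SECITEM_CopyItem(remote_pubk->arena, &remote_pubk->u.dh.base,
				  &local_pubk->u.dh.base);
	passert(status == SECSuccess);

	status = SECITEM_CopyItem(remote_pubk->arena,
				  &remote_pubk->u.dh.publicValue, &nss_g);
	passert(status == SECSuccess);

	PK11SymKey *dhshared = PK11_PubDerive(privk, remote_pubk, PR_FALSE, NULL, NULL,
				  CKM_DH_PKCS_DERIVE,
				  CKM_CONCATENATE_DATA_AND_BASE,
				  CKA_DERIVE, group->bytes,
				  lsw_return_nss_password_file_info());

	if (dhshared != NULL) {
		unsigned int dhshared_len = PK11_GetKeyLength(dhshared);

		/*
		 * Compare before subtracting: a key longer than group->bytes
		 * would otherwise wrap the unsigned difference into a huge
		 * "shortfall" and drive the allocation and memset below.
		 */
		if (dhshared_len < group->bytes) {
			unsigned int shortfall = group->bytes - dhshared_len;

			/*
			 * We've got to pad the result with [shortfall] 0x00 bytes.
			 * The chance of shortfall being n should be 1 in 256^n.
			 * So really zauto ought to be big enough for the zeros.
			 * If it isn't, we allocate space on the heap
			 * (this will likely never be executed).
			 */
			DBG(DBG_CRYPT,
				DBG_log("restoring %u DHshared leading zeros", shortfall));
			unsigned char zauto[10];
			unsigned char *z =
				shortfall <= sizeof(zauto) ?
					zauto : alloc_bytes(shortfall, "DH shortfall");
			memset(z, 0x00, shortfall);
			CK_KEY_DERIVATION_STRING_DATA string_params = {
				.pData = z,
				.ulLen = shortfall
			};
			SECItem params = {
				.data = (unsigned char *)&string_params,
				.len = sizeof(string_params)
			};
			/* Prepend the zero block to the short key. */
			PK11SymKey *newdhshared =
				PK11_Derive(dhshared,
					    CKM_CONCATENATE_DATA_AND_BASE,
					    &params,
					    CKM_CONCATENATE_DATA_AND_BASE,
					    CKA_DERIVE, 0);
			passert(newdhshared != NULL);
			if (z != zauto)
				pfree(z);
			/* the padded key replaces the short one */
			free_any_symkey("dhshared", &dhshared);
			dhshared = newdhshared;
		}
	}

	*story = enum_name(&oakley_group_names, group->group);

	/* Releases the hand-built key object created above. */
	SECKEY_DestroyPublicKey(remote_pubk);
	return dhshared;
}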