struct dh_message *dh_shared_secret(EVP_PKEY *priv_key, EVP_PKEY *peer_key)
{
EVP_PKEY_CTX *derive_ctx;
struct dh_message *msg = NULL, *digest = NULL;
if ((msg = OPENSSL_malloc(sizeof(struct dh_message))) == NULL)
return NULL;
if ((derive_ctx = EVP_PKEY_CTX_new(priv_key, NULL)) == NULL)
goto BAILOUT1;
if (EVP_PKEY_derive_init(derive_ctx) != 1
|| EVP_PKEY_derive_set_peer(derive_ctx, peer_key) != 1
|| EVP_PKEY_derive(derive_ctx, NULL, &msg->message_len) != 1
|| (msg->message = OPENSSL_malloc(msg->message_len)) == NULL)
goto BAILOUT2;
if (EVP_PKEY_derive(derive_ctx, msg->message, &msg->message_len) != 1)
goto BAILOUT3;
EVP_PKEY_CTX_free(derive_ctx);
digest = digest_message(msg);
free_dh_message(msg);
return digest;
BAILOUT3:
OPENSSL_free(msg->message);
BAILOUT2:
EVP_PKEY_CTX_free(derive_ctx);
BAILOUT1:
OPENSSL_free(msg);
return NULL;
}
static int dh_cms_set_peerkey(EVP_PKEY_CTX *pctx,
X509_ALGOR *alg, ASN1_BIT_STRING *pubkey)
{
ASN1_OBJECT *aoid;
int atype;
void *aval;
ASN1_INTEGER *public_key = NULL;
int rv = 0;
EVP_PKEY *pkpeer = NULL, *pk = NULL;
DH *dhpeer = NULL;
const unsigned char *p;
int plen;
X509_ALGOR_get0(&aoid, &atype, &aval, alg);
if (OBJ_obj2nid(aoid) != NID_dhpublicnumber)
goto err;
/* Only absent parameters allowed in RFC XXXX */
if (atype != V_ASN1_UNDEF && atype == V_ASN1_NULL)
goto err;
pk = EVP_PKEY_CTX_get0_pkey(pctx);
if (!pk)
goto err;
if (pk->type != EVP_PKEY_DHX)
goto err;
/* Get parameters from parent key */
dhpeer = DHparams_dup(pk->pkey.dh);
/* We have parameters now set public key */
plen = ASN1_STRING_length(pubkey);
p = ASN1_STRING_data(pubkey);
if (!p || !plen)
goto err;
if (!(public_key = d2i_ASN1_INTEGER(NULL, &p, plen))) {
DHerr(DH_F_DH_CMS_SET_PEERKEY, DH_R_DECODE_ERROR);
goto err;
}
/* We have parameters now set public key */
if (!(dhpeer->pub_key = ASN1_INTEGER_to_BN(public_key, NULL))) {
DHerr(DH_F_DH_CMS_SET_PEERKEY, DH_R_BN_DECODE_ERROR);
goto err;
}
pkpeer = EVP_PKEY_new();
if (!pkpeer)
goto err;
EVP_PKEY_assign(pkpeer, pk->ameth->pkey_id, dhpeer);
dhpeer = NULL;
if (EVP_PKEY_derive_set_peer(pctx, pkpeer) > 0)
rv = 1;
err:
if (public_key)
ASN1_INTEGER_free(public_key);
if (pkpeer)
EVP_PKEY_free(pkpeer);
if (dhpeer)
DH_free(dhpeer);
return rv;
}
static int setup_peer(BIO *err, EVP_PKEY_CTX *ctx, int peerform,
const char *file)
{
EVP_PKEY *peer = NULL;
int ret;
if (!ctx)
{
BIO_puts(err, "-peerkey command before -inkey\n");
return 0;
}
peer = load_pubkey(bio_err, file, peerform, 0, NULL, NULL, "Peer Key");
if (!peer)
{
BIO_printf(bio_err, "Error reading peer key %s\n", file);
ERR_print_errors(err);
return 0;
}
ret = EVP_PKEY_derive_set_peer(ctx, peer);
EVP_PKEY_free(peer);
if (ret <= 0)
ERR_print_errors(err);
return ret;
}
soter_status_t soter_asym_ka_derive(soter_asym_ka_t* asym_ka_ctx, const void* peer_key, size_t peer_key_length, void *shared_secret, size_t* shared_secret_length)
{
EVP_PKEY *peer_pkey = EVP_PKEY_new();
soter_status_t res;
size_t out_length;
if (NULL == peer_pkey)
{
return SOTER_NO_MEMORY;
}
if ((!asym_ka_ctx) || (!shared_secret_length))
{
EVP_PKEY_free(peer_pkey);
return SOTER_INVALID_PARAMETER;
}
res = soter_ec_pub_key_to_engine_specific((const soter_container_hdr_t *)peer_key, peer_key_length, ((soter_engine_specific_ec_key_t **)&peer_pkey));
if (SOTER_SUCCESS != res)
{
EVP_PKEY_free(peer_pkey);
return res;
}
if (1 != EVP_PKEY_derive_init(asym_ka_ctx->pkey_ctx))
{
EVP_PKEY_free(peer_pkey);
return SOTER_FAIL;
}
if (1 != EVP_PKEY_derive_set_peer(asym_ka_ctx->pkey_ctx, peer_pkey))
{
EVP_PKEY_free(peer_pkey);
return SOTER_FAIL;
}
if (1 != EVP_PKEY_derive(asym_ka_ctx->pkey_ctx, NULL, &out_length))
{
EVP_PKEY_free(peer_pkey);
return SOTER_FAIL;
}
if (out_length > *shared_secret_length)
{
EVP_PKEY_free(peer_pkey);
*shared_secret_length = out_length;
return SOTER_BUFFER_TOO_SMALL;
}
if (1 != EVP_PKEY_derive(asym_ka_ctx->pkey_ctx, (unsigned char *)shared_secret, shared_secret_length))
{
EVP_PKEY_free(peer_pkey);
return SOTER_FAIL;
}
EVP_PKEY_free(peer_pkey);
return SOTER_SUCCESS;
}
static int ecdh_cms_set_peerkey(EVP_PKEY_CTX *pctx,
X509_ALGOR *alg, ASN1_BIT_STRING *pubkey)
{
ASN1_OBJECT *aoid;
int atype;
void *aval;
int rv = 0;
EVP_PKEY *pkpeer = NULL;
EC_KEY *ecpeer = NULL;
const unsigned char *p;
int plen;
X509_ALGOR_get0(&aoid, &atype, &aval, alg);
if (OBJ_obj2nid(aoid) != NID_X9_62_id_ecPublicKey)
goto err;
/* If absent parameters get group from main key */
if (atype == V_ASN1_UNDEF || atype == V_ASN1_NULL)
{
const EC_GROUP *grp;
EVP_PKEY *pk;
pk = EVP_PKEY_CTX_get0_pkey(pctx);
if (!pk)
goto err;
grp = EC_KEY_get0_group(pk->pkey.ec);
ecpeer = EC_KEY_new();
if (!ecpeer)
goto err;
if (!EC_KEY_set_group(ecpeer, grp))
goto err;
}
else
{
ecpeer = eckey_type2param(atype, aval);
if (!ecpeer)
goto err;
}
/* We have parameters now set public key */
plen = ASN1_STRING_length(pubkey);
p = ASN1_STRING_data(pubkey);
if (!p || !plen)
goto err;
if (!o2i_ECPublicKey(&ecpeer, &p, plen))
goto err;
pkpeer = EVP_PKEY_new();
if (!pkpeer)
goto err;
EVP_PKEY_set1_EC_KEY(pkpeer, ecpeer);
if (EVP_PKEY_derive_set_peer(pctx, pkpeer) > 0)
rv = 1;
err:
if (ecpeer)
EC_KEY_free(ecpeer);
if (pkpeer)
EVP_PKEY_free(pkpeer);
return rv;
}
int cms_RecipientInfo_kari_encrypt(CMS_ContentInfo *cms,
CMS_RecipientInfo *ri)
{
CMS_KeyAgreeRecipientInfo *kari;
CMS_EncryptedContentInfo *ec;
CMS_RecipientEncryptedKey *rek;
STACK_OF(CMS_RecipientEncryptedKey) *reks;
int i;
if (ri->type != CMS_RECIPINFO_AGREE) {
CMSerr(CMS_F_CMS_RECIPIENTINFO_KARI_ENCRYPT, CMS_R_NOT_KEY_AGREEMENT);
return 0;
}
kari = ri->d.kari;
reks = kari->recipientEncryptedKeys;
ec = cms->d.envelopedData->encryptedContentInfo;
/* Initialise wrap algorithm parameters */
if (!cms_wrap_init(kari, ec->cipher))
return 0;
/*
* If no orignator key set up initialise for ephemeral key the public key
* ASN1 structure will set the actual public key value.
*/
if (kari->originator->type == -1) {
CMS_OriginatorIdentifierOrKey *oik = kari->originator;
oik->type = CMS_OIK_PUBKEY;
oik->d.originatorKey = M_ASN1_new_of(CMS_OriginatorPublicKey);
if (!oik->d.originatorKey)
return 0;
}
/* Initialise KDF algorithm */
if (!cms_env_asn1_ctrl(ri, 0))
return 0;
/* For each rek, derive KEK, encrypt CEK */
for (i = 0; i < sk_CMS_RecipientEncryptedKey_num(reks); i++) {
unsigned char *enckey;
size_t enckeylen;
rek = sk_CMS_RecipientEncryptedKey_value(reks, i);
if (EVP_PKEY_derive_set_peer(kari->pctx, rek->pkey) <= 0)
return 0;
if (!cms_kek_cipher(&enckey, &enckeylen, ec->key, ec->keylen,
kari, 1))
return 0;
ASN1_STRING_set0(rek->encryptedKey, enckey, enckeylen);
}
return 1;
}
static int setup_peer(EVP_PKEY_CTX *ctx, int peerform, const char *file,
ENGINE* e)
{
EVP_PKEY *peer = NULL;
ENGINE* engine = NULL;
int ret;
if (peerform == FORMAT_ENGINE)
engine = e;
peer = load_pubkey(file, peerform, 0, NULL, engine, "Peer Key");
if (!peer) {
BIO_printf(bio_err, "Error reading peer key %s\n", file);
ERR_print_errors(bio_err);
return 0;
}
ret = EVP_PKEY_derive_set_peer(ctx, peer);
EVP_PKEY_free(peer);
if (ret <= 0)
ERR_print_errors(bio_err);
return ret;
}
cjose_jwk_t *cjose_jwk_derive_ecdh_ephemeral_key(
cjose_jwk_t *jwk_self,
cjose_jwk_t *jwk_peer,
cjose_err *err)
{
EVP_PKEY_CTX *ctx = NULL;
EVP_PKEY *pkey_self = NULL;
EVP_PKEY *pkey_peer = NULL;
uint8_t *secret = NULL;
size_t secret_len = 0;
uint8_t *ephemeral_key = NULL;
size_t ephemeral_key_len = 0;
cjose_jwk_t *jwk_ephemeral_key = NULL;
// get EVP_KEY from jwk_self
if (!_cjose_jwk_evp_key_from_ec_key(jwk_self, &pkey_self, err))
{
goto _cjose_jwk_derive_shared_secret_fail;
}
// get EVP_KEY from jwk_peer
if (!_cjose_jwk_evp_key_from_ec_key(jwk_peer, &pkey_peer, err))
{
goto _cjose_jwk_derive_shared_secret_fail;
}
// create derivation context based on local key pair
ctx = EVP_PKEY_CTX_new(pkey_self, NULL);
if (NULL == ctx)
{
CJOSE_ERROR(err, CJOSE_ERR_CRYPTO);
goto _cjose_jwk_derive_shared_secret_fail;
}
// initialize derivation context
if (1 != EVP_PKEY_derive_init(ctx))
{
CJOSE_ERROR(err, CJOSE_ERR_CRYPTO);
goto _cjose_jwk_derive_shared_secret_fail;
}
// provide the peer public key
if (1 != EVP_PKEY_derive_set_peer(ctx, pkey_peer))
{
CJOSE_ERROR(err, CJOSE_ERR_CRYPTO);
goto _cjose_jwk_derive_shared_secret_fail;
}
// determine buffer length for shared secret
if(1 != EVP_PKEY_derive(ctx, NULL, &secret_len))
{
CJOSE_ERROR(err, CJOSE_ERR_CRYPTO);
goto _cjose_jwk_derive_shared_secret_fail;
}
// allocate buffer for shared secret
secret = (uint8_t *)cjose_get_alloc()(secret_len);
if (NULL == secret)
{
CJOSE_ERROR(err, CJOSE_ERR_NO_MEMORY);
goto _cjose_jwk_derive_shared_secret_fail;
}
memset(secret, 0, secret_len);
// derive the shared secret
if (1 != (EVP_PKEY_derive(ctx, secret, &secret_len)))
{
CJOSE_ERROR(err, CJOSE_ERR_NO_MEMORY);
goto _cjose_jwk_derive_shared_secret_fail;
}
// HKDF of the DH shared secret (SHA256, no salt, no info, 256 bit expand)
ephemeral_key_len = 32;
ephemeral_key = (uint8_t *)cjose_get_alloc()(ephemeral_key_len);
if (!cjose_jwk_hkdf(EVP_sha256(), (uint8_t *)"", 0, (uint8_t *)"", 0,
secret, secret_len, ephemeral_key, ephemeral_key_len, err))
{
goto _cjose_jwk_derive_shared_secret_fail;
}
// create a JWK of the shared secret
jwk_ephemeral_key = cjose_jwk_create_oct_spec(
ephemeral_key, ephemeral_key_len, err);
if (NULL == jwk_ephemeral_key)
{
goto _cjose_jwk_derive_shared_secret_fail;
}
// happy path
EVP_PKEY_CTX_free(ctx);
EVP_PKEY_free(pkey_self);
EVP_PKEY_free(pkey_peer);
cjose_get_dealloc()(secret);
cjose_get_dealloc()(ephemeral_key);
return jwk_ephemeral_key;
// fail path
_cjose_jwk_derive_shared_secret_fail:
if (NULL != ctx)
{
EVP_PKEY_CTX_free(ctx);
}
if (NULL != pkey_self)
{
EVP_PKEY_free(pkey_self);
}
if (NULL != pkey_peer)
{
EVP_PKEY_free(pkey_peer);
}
if (NULL != jwk_ephemeral_key)
{
cjose_jwk_release(jwk_ephemeral_key);
}
cjose_get_dealloc()(secret);
cjose_get_dealloc()(ephemeral_key);
return NULL;
}
/*
* EVP_PKEY_METHOD callback decrypt
* Implementation of GOST2001 key transport, cryptopo variation
*/
int pkey_GOST01cp_decrypt(EVP_PKEY_CTX *pctx, unsigned char *key,
size_t *key_len, const unsigned char *in,
size_t in_len)
{
const unsigned char *p = in;
EVP_PKEY *priv = EVP_PKEY_CTX_get0_pkey(pctx);
GOST_KEY_TRANSPORT *gkt = NULL;
int ret = 0;
unsigned char wrappedKey[44];
unsigned char sharedKey[32];
gost_ctx ctx;
const struct gost_cipher_info *param = NULL;
EVP_PKEY *eph_key = NULL, *peerkey = NULL;
if (!key) {
*key_len = 32;
return 1;
}
gkt = d2i_GOST_KEY_TRANSPORT(NULL, (const unsigned char **)&p, in_len);
if (!gkt) {
GOSTerr(GOST_F_PKEY_GOST01CP_DECRYPT,
GOST_R_ERROR_PARSING_KEY_TRANSPORT_INFO);
return -1;
}
/* If key transport structure contains public key, use it */
eph_key = X509_PUBKEY_get(gkt->key_agreement_info->ephem_key);
if (eph_key) {
if (EVP_PKEY_derive_set_peer(pctx, eph_key) <= 0) {
GOSTerr(GOST_F_PKEY_GOST01CP_DECRYPT,
GOST_R_INCOMPATIBLE_PEER_KEY);
goto err;
}
} else {
/* Set control "public key from client certificate used" */
if (EVP_PKEY_CTX_ctrl(pctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 3, NULL)
<= 0) {
GOSTerr(GOST_F_PKEY_GOST01CP_DECRYPT, GOST_R_CTRL_CALL_FAILED);
goto err;
}
}
peerkey = EVP_PKEY_CTX_get0_peerkey(pctx);
if (!peerkey) {
GOSTerr(GOST_F_PKEY_GOST01CP_DECRYPT, GOST_R_NO_PEER_KEY);
goto err;
}
param = get_encryption_params(gkt->key_agreement_info->cipher);
if (!param) {
goto err;
}
gost_init(&ctx, param->sblock);
OPENSSL_assert(gkt->key_agreement_info->eph_iv->length == 8);
memcpy(wrappedKey, gkt->key_agreement_info->eph_iv->data, 8);
OPENSSL_assert(gkt->key_info->encrypted_key->length == 32);
memcpy(wrappedKey + 8, gkt->key_info->encrypted_key->data, 32);
OPENSSL_assert(gkt->key_info->imit->length == 4);
memcpy(wrappedKey + 40, gkt->key_info->imit->data, 4);
VKO_compute_key(sharedKey, 32,
EC_KEY_get0_public_key(EVP_PKEY_get0(peerkey)),
EVP_PKEY_get0(priv), wrappedKey);
if (!keyUnwrapCryptoPro(&ctx, sharedKey, wrappedKey, key)) {
GOSTerr(GOST_F_PKEY_GOST01CP_DECRYPT,
GOST_R_ERROR_COMPUTING_SHARED_KEY);
goto err;
}
ret = 1;
err:
EVP_PKEY_free(eph_key);
GOST_KEY_TRANSPORT_free(gkt);
return ret;
}
/* EVP_PLEY_METHOD callback decrypt for
* GOST R 34.10-94 cryptopro modification
*/
int pkey_GOST94cp_decrypt(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *key_len,const unsigned char *in, size_t in_len) {
const unsigned char *p = in;
GOST_KEY_TRANSPORT *gkt = NULL;
unsigned char wrappedKey[44];
unsigned char sharedKey[32];
gost_ctx cctx;
const struct gost_cipher_info *param=NULL;
EVP_PKEY *eph_key=NULL, *peerkey=NULL;
EVP_PKEY *priv= EVP_PKEY_CTX_get0_pkey(ctx);
if (!key)
{
*key_len = 32;
return 1;
}
gkt = d2i_GOST_KEY_TRANSPORT(NULL,(const unsigned char **)&p,
in_len);
if (!gkt)
{
GOSTerr(GOST_F_PKEY_GOST94CP_DECRYPT,GOST_R_ERROR_PARSING_KEY_TRANSPORT_INFO);
return 0;
}
eph_key = X509_PUBKEY_get(gkt->key_agreement_info->ephem_key);
if (eph_key)
{
if (EVP_PKEY_derive_set_peer(ctx, eph_key) <= 0)
{
GOSTerr(GOST_F_PKEY_GOST94CP_DECRYPT,
GOST_R_INCOMPATIBLE_PEER_KEY);
goto err;
}
}
else
{
/* Set control "public key from client certificate used" */
if (EVP_PKEY_CTX_ctrl(ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 3, NULL) <= 0)
{
GOSTerr(GOST_F_PKEY_GOST94CP_DECRYPT,
GOST_R_CTRL_CALL_FAILED);
goto err;
}
}
peerkey = EVP_PKEY_CTX_get0_peerkey(ctx);
if (!peerkey)
{
GOSTerr(GOST_F_PKEY_GOST94CP_DECRYPT,
GOST_R_NO_PEER_KEY);
goto err;
}
param = get_encryption_params(gkt->key_agreement_info->cipher);
gost_init(&cctx,param->sblock);
OPENSSL_assert(gkt->key_agreement_info->eph_iv->length==8);
TINYCLR_SSL_MEMCPY(wrappedKey,gkt->key_agreement_info->eph_iv->data,8);
OPENSSL_assert(gkt->key_info->encrypted_key->length==32);
TINYCLR_SSL_MEMCPY(wrappedKey+8,gkt->key_info->encrypted_key->data,32);
OPENSSL_assert(gkt->key_info->imit->length==4);
TINYCLR_SSL_MEMCPY(wrappedKey+40,gkt->key_info->imit->data,4);
make_cp_exchange_key(gost_get0_priv_key(priv),peerkey,sharedKey);
if (!keyUnwrapCryptoPro(&cctx,sharedKey,wrappedKey,key))
{
GOSTerr(GOST_F_PKEY_GOST94CP_DECRYPT,
GOST_R_ERROR_COMPUTING_SHARED_KEY);
goto err;
}
EVP_PKEY_free(eph_key);
GOST_KEY_TRANSPORT_free(gkt);
return 1;
err:
EVP_PKEY_free(eph_key);
GOST_KEY_TRANSPORT_free(gkt);
return -1;
}
int main()
{
EVP_PKEY_CTX *pctx, *kctx;
EVP_PKEY_CTX *ctx;
unsigned char *secret;
EVP_PKEY *pkey = NULL, *peerkey, *params = NULL;
/* NB: assumes pkey, peerkey have been already set up */
/* Create the context for parameter generation */
if(NULL == (pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL))) handleErrors();
/* Initialise the parameter generation */
if(1 != EVP_PKEY_paramgen_init(pctx)) handleErrors();
/* We're going to use the ANSI X9.62 Prime 256v1 curve */
if(1 != EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, NID_X9_62_prime256v1)) handleErrors();
/* Create the parameter object params */
if (!EVP_PKEY_paramgen(pctx, ¶ms)) handleErrors();
/* Create the context for the key generation */
if(NULL == (kctx = EVP_PKEY_CTX_new(params, NULL))) handleErrors();
/* Generate the key */
if(1 != EVP_PKEY_keygen_init(kctx)) handleErrors();
if (1 != EVP_PKEY_keygen(kctx, &pkey)) handleErrors();
/* Get the peer's public key, and provide the peer with our public key -
* how this is done will be specific to your circumstances */
peerkey = get_peerkey(pkey);
/* Create the context for the shared secret derivation */
if(NULL == (ctx = EVP_PKEY_CTX_new(pkey, NULL))) handleErrors();
/* Initialise */
if(1 != EVP_PKEY_derive_init(ctx)) handleErrors();
/* Provide the peer public key */
if(1 != EVP_PKEY_derive_set_peer(ctx, peerkey)) handleErrors();
/* Determine buffer length for shared secret */
if(1 != EVP_PKEY_derive(ctx, NULL, secret_len)) handleErrors();
/* Create the buffer */
if(NULL == (secret = OPENSSL_malloc(*secret_len))) handleErrors();
/* Derive the shared secret */
if(1 != (EVP_PKEY_derive(ctx, secret, secret_len))) handleErrors();
EVP_PKEY_CTX_free(ctx);
EVP_PKEY_free(peerkey);
EVP_PKEY_free(pkey);
EVP_PKEY_CTX_free(kctx);
EVP_PKEY_free(params);
EVP_PKEY_CTX_free(pctx);
/* Never use a derived secret directly. Typically it is passed
* through some hash function to produce a key */
return 0;
}
