/* * Decrypt the contents of a NSS_P7_EncryptedData */ void P12Coder::encryptedDataDecrypt( const NSS_P7_EncryptedData &edata, SecNssCoder &localCdr, NSS_P12_PBE_Params *pbep, // preparsed CSSM_DATA &ptext) // result goes here in localCdr space { p12DecodeLog("encryptedDataDecrypt"); /* see if we can grok the encr alg */ CSSM_ALGORITHMS keyAlg; // e.g., CSSM_ALGID_DES CSSM_ALGORITHMS encrAlg; // e.g., CSSM_ALGID_3DES_3KEY_EDE CSSM_ALGORITHMS pbeHashAlg; // SHA1 or MD5 uint32 keySizeInBits; uint32 blockSizeInBytes; // for IV, optional CSSM_PADDING padding; // CSSM_PADDING_PKCS7, etc. CSSM_ENCRYPT_MODE mode; // CSSM_ALGMODE_CBCPadIV8, etc. PKCS_Which pkcs; bool found = pkcsOidToParams(&edata.contentInfo.encrAlg.algorithm, keyAlg, encrAlg, pbeHashAlg, keySizeInBits, blockSizeInBytes, padding, mode, pkcs); if(!found || (pkcs != PW_PKCS12)) { p12ErrorLog("EncryptedData encrAlg not understood\n"); CssmError::throwMe(CSSMERR_CSP_INVALID_ALGORITHM); } uint32 iterCount; if(!p12DataToInt(pbep->iterations, iterCount)) { p12ErrorLog("encryptedDataDecrypt: badly formed iterCount\n"); P12_THROW_DECODE; } const CSSM_DATA *pwd = getEncrPassPhrase(); const CSSM_KEY *passKey = getEncrPassKey(); if((pwd == NULL) && (passKey == NULL)) { p12ErrorLog("no passphrase set\n"); CssmError::throwMe(CSSMERR_CSP_MISSING_ATTR_PASSPHRASE); } /* go */ CSSM_RETURN crtn = p12Decrypt(mCspHand, edata.contentInfo.encrContent, keyAlg, encrAlg, pbeHashAlg, keySizeInBits, blockSizeInBytes, padding, mode, iterCount, pbep->salt, pwd, passKey, localCdr, ptext); if(crtn) { CssmError::throwMe(crtn); } }
/* * Verify MAC on an existing PFX. */ CSSM_RETURN p12VerifyMac( const NSS_P12_DecodedPFX &pfx, CSSM_CSP_HANDLE cspHand, const CSSM_DATA *pwd, // unicode, double null terminated const CSSM_KEY *passKey, SecNssCoder &coder) // for temp mallocs { if(pfx.macData == NULL) { return CSSMERR_CSP_INVALID_SIGNATURE; } NSS_P12_MacData &macData = *pfx.macData; NSS_P7_DigestInfo &digestInfo = macData.mac; CSSM_OID &algOid = digestInfo.digestAlgorithm.algorithm; CSSM_ALGORITHMS macAlg; if(!cssmOidToAlg(&algOid, &macAlg)) { return CSSMERR_CSP_INVALID_ALGORITHM; } uint32 iterCount = 0; CSSM_DATA &citer = macData.iterations; if(!p12DataToInt(citer, iterCount)) { return CSSMERR_CSP_INVALID_ATTR_ROUNDS; } if(iterCount == 0) { /* optional, default 1 */ iterCount = 1; } /* * In classic fashion, the PKCS12 spec now says: * * When password integrity mode is used to secure a PFX PDU, * an SHA-1 HMAC is computed on the BER-encoding of the contents * of the content field of the authSafe field in the PFX PDU. * * So here we go. */ CSSM_DATA genMac; CSSM_RETURN crtn = p12GenMac(cspHand, *pfx.authSafe.content.data, macAlg, iterCount, macData.macSalt, pwd, passKey, coder, genMac); if(crtn) { return crtn; } if(nssCompareCssmData(&genMac, &digestInfo.digest)) { return CSSM_OK; } else { return CSSMERR_CSP_VERIFY_FAILED; } }
/* * Generate random label string to allow associating an imported private * key with a cert. */ void p12GenLabel( CSSM_DATA &label, SecNssCoder &coder) { /* first a random uint32 */ uint8 d[4]; DevRandomGenerator rng; rng.random(d, 4); CSSM_DATA cd = {4, d}; uint32 i; p12DataToInt(cd, i); /* sprintf that into a real string */ coder.allocItem(label, 9); memset(label.Data, 0, 9); sprintf((char *)label.Data, "%08X", (unsigned)i); }
static int p12VerifyMac(pkcs12_context * context, const NSS_P12_DecodedPFX *pfx) { NSS_P12_MacData *macData = pfx->macData; require(macData, out); NSS_P7_DigestInfo *digestInfo = &macData->mac; require(digestInfo, out); SecAsn1Item *algOid = &digestInfo->digestAlgorithm.algorithm; require(algOid, out); /* has to be OID_OIW_SHA1 */ DERItem algOidItem = { algOid->Data, algOid->Length }; require(algOidItem.length && DEROidCompare(&oidSha1, &algOidItem), out); uint32_t iterCount = 0; require_noerr_quiet(p12DataToInt(&macData->iterations, &iterCount), out); if (iterCount == 0) { /* optional, default 1 */ iterCount = 1; } /* * In classic fashion, the PKCS12 spec now says: * * When password integrity mode is used to secure a PFX PDU, * an SHA-1 HMAC is computed on the BER-encoding of the contents * of the content field of the authSafe field in the PFX PDU. * * So here we go. */ uint8_t hmac_key[CC_SHA1_DIGEST_LENGTH]; require_noerr_quiet(p12_pbe_gen(context->passphrase, macData->macSalt.Data, macData->macSalt.Length, iterCount, PBE_ID_MAC, hmac_key, sizeof(hmac_key)), out); /* prealloc the mac data */ SecAsn1Item verifyMac; alloc_item(context, &verifyMac, CC_SHA1_DIGEST_LENGTH); SecAsn1Item *ptext = pfx->authSafe.content.data; CCHmac(kCCHmacAlgSHA1, hmac_key, CC_SHA1_DIGEST_LENGTH, ptext->Data, ptext->Length, verifyMac.Data); require_quiet(nssCompareSecAsn1Items(&verifyMac, &digestInfo->digest), out); return 0; out: return -1; }
static int p12Decrypt(pkcs12_context * context, const SecAsn1AlgId *algId, const SecAsn1Item *cipherText, SecAsn1Item *plainText) { NSS_P12_PBE_Params pbep; // XXX/cs not requiring decoding, but if pbep is uninit this will fail later algIdParse(context, algId, &pbep); CCAlgorithm alg = 0; uint32_t keySizeInBits = 0; uint32_t blockSizeInBytes = 0; // for IV, optional CCOptions options = 0; require_noerr_quiet(pkcsOidToParams(&algId->algorithm, &alg, &keySizeInBits, &blockSizeInBytes, &options), out); uint32_t iterCount = 0; require_noerr(p12DataToInt(&pbep.iterations, &iterCount), out); /* P12 style key derivation */ SecAsn1Item key = {0, NULL}; if(keySizeInBits) alloc_item(context, &key, (keySizeInBits+7)/8); require_noerr(p12_pbe_gen(context->passphrase, pbep.salt.Data, pbep.salt.Length, iterCount, PBE_ID_Key, key.Data, key.Length), out); /* P12 style IV derivation, optional */ SecAsn1Item iv = {0, NULL}; if(blockSizeInBytes) { alloc_item(context, &iv, blockSizeInBytes); require_noerr(p12_pbe_gen(context->passphrase, pbep.salt.Data, pbep.salt.Length, iterCount, PBE_ID_IV, iv.Data, iv.Length), out); } SecAsn1Item ourPtext = {0, NULL}; alloc_item(context, &ourPtext, cipherText->Length); require_noerr(CCCrypt(kCCDecrypt, alg, options/*kCCOptionPKCS7Padding*/, key.Data, key.Length, iv.Data, cipherText->Data, cipherText->Length, ourPtext.Data, ourPtext.Length, &ourPtext.Length), out); *plainText = ourPtext; return 0; out: return -1; }
/* * ShroudedKeyBag parser w/decrypt */ void P12Coder::shroudedKeyBagParse( const NSS_P12_SafeBag &safeBag, SecNssCoder &localCdr) { p12DecodeLog("Found shrouded key bag"); if(mPrivKeyImportState == PKIS_NoMore) { CssmError::throwMe(errSecMultiplePrivKeys); } const NSS_P12_ShroudedKeyBag *keyBag = safeBag.bagValue.shroudedKeyBag; const CSSM_X509_ALGORITHM_IDENTIFIER &algId = keyBag->algorithm; NSS_P12_PBE_Params pbep; algIdParse(algId, &pbep, localCdr); /* * Prepare for decryption */ CSSM_ALGORITHMS keyAlg; // e.g., CSSM_ALGID_DES CSSM_ALGORITHMS encrAlg; // e.g., CSSM_ALGID_3DES_3KEY_EDE CSSM_ALGORITHMS pbeHashAlg; // SHA1 or MD5 uint32 keySizeInBits; uint32 blockSizeInBytes; // for IV, optional CSSM_PADDING padding; // CSSM_PADDING_PKCS7, etc. CSSM_ENCRYPT_MODE mode; // CSSM_ALGMODE_CBCPadIV8, etc. PKCS_Which pkcs; bool found = pkcsOidToParams(&algId.algorithm, keyAlg, encrAlg, pbeHashAlg, keySizeInBits, blockSizeInBytes, padding, mode, pkcs); if(!found || (pkcs != PW_PKCS12)) { p12ErrorLog("ShroudedKeyBag encrAlg not understood\n"); CssmError::throwMe(CSSMERR_CSP_INVALID_ALGORITHM); } uint32 iterCount; if(!p12DataToInt(pbep.iterations, iterCount)) { p12ErrorLog("ShroudedKeyBag: badly formed iterCount\n"); P12_THROW_DECODE; } const CSSM_DATA *encrPhrase = getEncrPassPhrase(); const CSSM_KEY *passKey = getEncrPassKey(); if((encrPhrase == NULL) && (passKey == NULL)) { p12ErrorLog("no passphrase set\n"); CssmError::throwMe(CSSMERR_CSP_MISSING_ATTR_PASSPHRASE); } /* We'll own the actual CSSM_KEY memory */ CSSM_KEY_PTR privKey = (CSSM_KEY_PTR)mCoder.malloc(sizeof(CSSM_KEY)); memset(privKey, 0, sizeof(CSSM_KEY)); CSSM_DATA labelData; p12GenLabel(labelData, localCdr); CSSM_RETURN crtn = p12UnwrapKey(mCspHand, mDlDbHand.DLHandle ? &mDlDbHand : NULL, mImportFlags & kSecImportKeys, keyBag->encryptedData, keyAlg, encrAlg, pbeHashAlg, keySizeInBits, blockSizeInBytes, padding, mode, iterCount, pbep.salt, encrPhrase, passKey, localCdr, labelData, mAccess, mNoAcl, mKeyUsage, mKeyAttrs, privKey); if(crtn) { p12ErrorLog("Error unwrapping private key\n"); CssmError::throwMe(crtn); } p12DecodeLog("unwrapped shrouded key bag"); P12KeyBag *p12bag = new P12KeyBag(privKey, mCspHand, safeBag.bagAttrs, labelData, mCoder); addKey(p12bag); if(mPrivKeyImportState == PKIS_AllowOne) { mPrivKeyImportState = PKIS_NoMore; } }