Browse Source

CMS KARI: Temporarly downgrade newly generated EVP_PKEYs to legacy

The EVP_PKEY_ASN1_METHOD code used by CMS_RecipientInfo_kari_decrypt()
and cms_RecipientInfo_kari_encrypt() is quite complex and needs more
careful thought to work with provider side keys.  Unfortunately, we
need to get key generation in place, among others for ECC keys, so we
add a temporary hack, similar to what's already done in TLS code, that
downgrades a provider side EVP_PKEY to become EVP_PKEY_ASN1_METHOD /
EVP_PKEY_METHOD based.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11501)
master
Richard Levitte 2 years ago
parent
commit
aec8de1a5f
4 changed files with 50 additions and 1 deletions
  1. +1
    -1
      crypto/cms/cms_err.c
  2. +47
    -0
      crypto/cms/cms_kari.c
  3. +1
    -0
      crypto/err/openssl.txt
  4. +1
    -0
      include/openssl/cmserr.h

+ 1
- 1
crypto/cms/cms_err.c View File

@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy


+ 47
- 0
crypto/cms/cms_kari.c View File

@ -248,6 +248,27 @@ int CMS_RecipientInfo_kari_decrypt(CMS_ContentInfo *cms,
size_t enckeylen;
size_t ceklen;
CMS_EncryptedContentInfo *ec;
{
/*
* TODO(3.0) Remove this when we have functionality to deserialize
* parameters in EVP_PKEY form from an X509_ALGOR.
* This is needed to be able to replace the EC_KEY specific decoding
* that happens in ecdh_cms_set_peerkey() (crypto/ec/ec_ameth.c)
*
* THIS IS TEMPORARY
*/
EVP_PKEY_CTX *pctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
EVP_PKEY *pkey = EVP_PKEY_CTX_get0_pkey(pctx);
EVP_PKEY_get0(pkey);
if (EVP_PKEY_id(pkey) == EVP_PKEY_NONE) {
CMSerr(CMS_F_CMS_RECIPIENTINFO_KARI_DECRYPT,
CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE);
goto err;
}
}
enckeylen = rek->encryptedKey->length;
enckey = rek->encryptedKey->data;
/* Setup all parameters to derive KEK */
@ -446,6 +467,32 @@ int cms_RecipientInfo_kari_encrypt(const CMS_ContentInfo *cms,
STACK_OF(CMS_RecipientEncryptedKey) *reks;
int i;
{
/*
* TODO(3.0) Remove this when we have figured out all the details
* need to set up encryption right. With legacy keys, a *lot* is
* happening in the CMS specific EVP_PKEY_ASN1_METHOD functions,
* such as automatically setting a default KDF type, KDF digest,
* all that kind of stuff.
* With EVP_SIGNATURE, setting a default digest is done by getting
* the default MD for the key, and then inject that back into the
* signature implementation... we could do something similar with
* CMS, possibly using CMS specific OSSL_PARAM keys, just like we
* have for certain AlgorithmIdentifier retrievals.
*
* THIS IS TEMPORARY
*/
EVP_PKEY_CTX *pctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
EVP_PKEY *pkey = EVP_PKEY_CTX_get0_pkey(pctx);
EVP_PKEY_get0(pkey);
if (EVP_PKEY_id(pkey) == EVP_PKEY_NONE) {
CMSerr(CMS_F_CMS_RECIPIENTINFO_KARI_ENCRYPT,
CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE);
return 0;
}
}
if (ri->type != CMS_RECIPINFO_AGREE) {
CMSerr(CMS_F_CMS_RECIPIENTINFO_KARI_ENCRYPT, CMS_R_NOT_KEY_AGREEMENT);
return 0;


+ 1
- 0
crypto/err/openssl.txt View File

@ -291,6 +291,7 @@ CMS_F_CMS_RECEIPTREQUEST_CREATE0:159:CMS_ReceiptRequest_create0
CMS_F_CMS_RECEIPT_VERIFY:160:cms_Receipt_verify
CMS_F_CMS_RECIPIENTINFO_DECRYPT:134:CMS_RecipientInfo_decrypt
CMS_F_CMS_RECIPIENTINFO_ENCRYPT:169:CMS_RecipientInfo_encrypt
CMS_F_CMS_RECIPIENTINFO_KARI_DECRYPT:188:
CMS_F_CMS_RECIPIENTINFO_KARI_ENCRYPT:178:cms_RecipientInfo_kari_encrypt
CMS_F_CMS_RECIPIENTINFO_KARI_GET0_ALG:175:CMS_RecipientInfo_kari_get0_alg
CMS_F_CMS_RECIPIENTINFO_KARI_GET0_ORIG_ID:173:\


+ 1
- 0
include/openssl/cmserr.h View File

@ -87,6 +87,7 @@ int ERR_load_CMS_strings(void);
# define CMS_F_CMS_RECEIPT_VERIFY 0
# define CMS_F_CMS_RECIPIENTINFO_DECRYPT 0
# define CMS_F_CMS_RECIPIENTINFO_ENCRYPT 0
# define CMS_F_CMS_RECIPIENTINFO_KARI_DECRYPT 0
# define CMS_F_CMS_RECIPIENTINFO_KARI_ENCRYPT 0
# define CMS_F_CMS_RECIPIENTINFO_KARI_GET0_ALG 0
# define CMS_F_CMS_RECIPIENTINFO_KARI_GET0_ORIG_ID 0


Loading…
Cancel
Save