PKIFPlatformCryptUtils.cpp

Go to the documentation of this file.

#include "PKIFCryptUtils.h"
#include "PKIFNSSDatabase.h"
#include "PKIFNSSPasswordStorage.h"

#ifdef _WIN32
#include "PKIFCAPIRaw.h"
#include "PKIFCAPI2.h"
#include "PKIFBCryptGuard.h"
#include "PKIFCNGCAPI.h"
#include "PKIFCNGCAPIRaw.h"
#else
#include "PKIFCryptoPPRaw.h"
#endif //_WIN32

#include "PKIFKeyMaterial.h"
#include "Buffer.h"
#include "IPKIFCryptoRaw.h"
#include "ToolkitUtils.h"
#include "components.h"
#include "PKIFAlgorithm.h"
#include "PKIFCryptoConstants.h"
#include "PKIFCryptoErrors.h"
#include "PKIFCryptoException.h"
#include "PKIFMemoryUtils.h"
#include "OID.h"

#include <cstring>
#include <sstream>
#include <boost/scoped_array.hpp>
#include <boost/cstdint.hpp>
using namespace std;
using namespace boost;
#ifdef _WIN32
static CPKIFCAPIRaw sRaw;
#else
static CPKIFCryptoPPRaw sRaw;
#endif //_WIN32

static bool sInited = false;

static const unsigned char rfc3394iv[] = { 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6 };
static const int rfc3394ivLen = 8;
static void increment_and_xor(unsigned char *A, unsigned char *T);
static void xor_and_decrement(unsigned char *A, unsigned char *T);
static void set_t(unsigned char *pt, unsigned long t);
static CPKIFAlgorithm * get_symmetric_alg_for_wrap_alg(const CPKIFKeyMaterialPtr & km);

IPKIFCryptoRaw * GetPlatformCryptoRaw(void)
{
    if(!sInited) 
    {
        sRaw.Initialize();
        sInited = true;
    }
    return &sRaw;
}

IPKIFCryptoMisc * GetPlatformCryptoMisc(void)
{
    if(!sInited) 
    {
        sRaw.Initialize();
        sInited = true;
    }
    return &sRaw;
}

IPKIFColleaguePtr MakeDefaultKeyIDColleague(void)
{
#ifdef _WIN32
    CPKIFBCryptGuard cngGuard;
    if(!cngGuard.IsCNGAvailable())
    {
        CPKIFCAPI2Ptr tmp(new CPKIFCAPI2);
        return dynamic_pointer_cast<IPKIFColleague, CPKIFCAPI2>(tmp);
    } else {
        CPKIFCNGCAPIPtr tmp(new CPKIFCNGCAPI);
        return dynamic_pointer_cast<IPKIFColleague, CPKIFCNGCAPI>(tmp);
    }
#else
    IPKIFColleaguePtr empty;
    return empty;
#endif //_WIN32
}

IPKIFColleaguePtr MakeDefaultRawColleague(void)
{
#ifdef _WIN32
    CPKIFBCryptGuard cngGuard;
    if(!cngGuard.IsCNGAvailable())
    {
        CPKIFCAPIRawPtr tmp(new CPKIFCAPIRaw);
        return dynamic_pointer_cast<IPKIFColleague, CPKIFCAPIRaw>(tmp);
    } else {
        CPKIFCNGCAPIRawPtr tmp(new CPKIFCNGCAPIRaw);
        return dynamic_pointer_cast<IPKIFColleague, CPKIFCNGCAPIRaw>(tmp);
    }
#else 
    CPKIFCryptoPPRawPtr tmp(new CPKIFCryptoPPRaw);
    return dynamic_pointer_cast<IPKIFColleague, CPKIFCryptoPPRaw>(tmp);
#endif //_WIN32
}

void ShutdownCrypto(void)
{
    CPKIFNSSDatabase * db = 0;
    try {
        db = CPKIFNSSDatabase::GetInstance();
    }catch(...){
        // if that throws but somehow created a database first, make sure it gets shutdown next
    }
    try {
        if(db) {
            CPKIFNSSPasswordStorage::SetUserCallback(0);
            db->Shutdown();
        }
    }catch(...) {
        // if this fails it didn't need to happen anyway, so just ignore it
    }
}
std::string GetCurrentNSSDBDir(void)
{
    CPKIFNSSDatabase * db = CPKIFNSSDatabase::GetInstance();
    std::string rv = db->GetDBDir();

    return rv;
}
bool IsNSSDBInitialized(void)
{
    return CPKIFNSSDatabase::IsInitialized();
}

CPKIFBufferPtr WrapSymmKey(
                           const CPKIFKeyMaterialPtr & kek,
                           const CPKIFKeyMaterialPtr & key,
                           const IPKIFCryptoRawOperations * crypto)
{
    CPKIFBufferPtr rv;
    // XXX *** need to cast off const-ness because SupportsAlgorithm() is not
    // but should be const. That requires touching too many files for today.
    // we should fix it then remove this cast.
    IPKIFCryptoRawOperations * cc = const_cast<IPKIFCryptoRawOperations *>(crypto);
    if(!kek) throw CPKIFCryptoException(TOOLKIT_CRYPTO_MISC,COMMON_INVALID_INPUT,"WrapSymmKey called without a KEK");
    if(!key) throw CPKIFCryptoException(TOOLKIT_CRYPTO_MISC,COMMON_INVALID_INPUT,"WrapSymmKey called without a key");
    CPKIFAlgorithm * kwAlg = CPKIFAlgorithm::GetAlg(kek->GetSymmetricKeyAlgorithm());
    if(!kwAlg) {
        throw CPKIFCryptoException(TOOLKIT_CRYPTO_MISC,CRYPTO_ALG_NOT_SUPPORTED,"WrapSymmKey called with invalid KEK");
    } else {
        CPKIFOIDPtr kwOid = kwAlg->OID();
        if( *kwOid != *g_aes128Wrap &&
            *kwOid != *g_aes192Wrap &&
            *kwOid != *g_aes256Wrap )
        {
            ostringstream oss;
            oss << kwOid->ToString() << " is not a supported key wrap algorithm." << endl;
            throw CPKIFCryptoException(TOOLKIT_CRYPTO_MISC,CRYPTO_ALG_NOT_SUPPORTED,oss.str().c_str());
        }
    }
    if(0 != key->GetSymmetricKeyLength() % kwAlg->BlockSize()) {
        throw CPKIFCryptoException(TOOLKIT_CRYPTO_MISC,COMMON_INVALID_INPUT,"WrapSymmKey called with a key that can't be wrapped using this algorithm");
    }
    if(!cc) {
        cc = GetPlatformCryptoRaw();        
    }
    CPKIFAlgorithm * baseAlg = get_symmetric_alg_for_wrap_alg(kek);
    if(!baseAlg) {  
        throw CPKIFCryptoException(TOOLKIT_CRYPTO_MISC,COMMON_INVALID_INPUT,"WrapSymmKey called with an unimplemented wrap algorithm");
    }

    CPKIFKeyMaterialPtr baseKM = CPKIFKeyMaterial::CreateWithSymmetricKey(kek);
    baseKM->SetSymmetricKeyAlgorithm(baseAlg->SymkeyAlg());
    baseKM->SetMode(baseAlg->SymkeyMode());

    // need to consider merging RawOperations and AlgorithmSupport!
    if(!cc || !cc->SupportsAlgorithm(*baseKM))
    {
        throw CPKIFCryptoException(TOOLKIT_CRYPTO_MISC,CRYPTO_ALG_NOT_SUPPORTED,
            "No colleague was specified and the default can't be used.");
    }

    int ivLen = 0;
    baseKM->GetIV(NULL,&ivLen);

    if(!ivLen) {
        baseKM->SetIV(rfc3394iv,rfc3394ivLen);
        ivLen = rfc3394ivLen;
    }
    
    scoped_array<unsigned char> iv(new unsigned char[ivLen]);
    baseKM->GetIV(iv.get(),&ivLen);
    if(ivLen != rfc3394ivLen) {
        throw CPKIFCryptoException(TOOLKIT_CRYPTO_MISC,COMMON_INVALID_INPUT,
            "An IV was supplied for AES Key wrap but the length was incorrect.");
    }


    rv = CPKIFBufferPtr(new CPKIFBuffer());
    int bs = kwAlg->BlockSize();
    int plainLen = key->GetSymmetricKeyLength();
    unsigned char * ctBuf =
        rv->AllocateBuffer(plainLen+bs);
    const unsigned char * plainBuf = key->GetSymmetricKey();
    unsigned int n = plainLen/bs;
    boost::scoped_array<boost::uint64_t> Rp(new boost::uint64_t[n+1]);
    boost::uint64_t * R = Rp.get();
    boost::uint64_t wbuf[2];
    boost::uint64_t * A = &wbuf[0];
    boost::uint64_t t;
    memset(&t,0x00,sizeof(boost::uint64_t));
    int baseBS = baseAlg->BlockSize();
    int baseOut = baseBS;
    // Straight out of the RFC
    // this started as a naiive implementation of the steps from 3394, but I actually find
    // the NSS version easier to read, so this bears more resemblance to that than to
    // the pseudocode in the RFC.
    memcpy(A,iv.get(),rfc3394ivLen);
    // R is now sensitive. zero before leaving
    memcpy(&R[1],plainBuf,plainLen);
    try {   
        for(unsigned int j = 0; j <= 5; ++j)
        {
            for(unsigned int i = 1; i <= n; ++i)
            {
/*              B = AES(K, A | R[i])
                A = MSB(64, B) ^ t where t = (n*j)+i
                R[i] = LSB(64, B)
*/
                wbuf[1] = R[i]; //wbuf = A|R[i]
                cc->Encrypt(*baseKM,(unsigned char *)wbuf,baseBS,
                    (unsigned char *)wbuf,&baseOut,false);
                increment_and_xor((unsigned char *)A,(unsigned char *)&t);
                R[i] = wbuf[1];
            }
        }
        R[0] = *A;
        memcpy(ctBuf,R,plainLen+bs);
        // R is no longer sensitive... no need to worry about zeroing upon success
    }catch(...){
        // encrypt can throw, and I don't have a secure array pointer lying around
        // for an array of uint64_t
        PKIFZero(R,n+1*sizeof(boost::uint64_t));
        throw;
    }

    return rv;

}

CPKIFKeyMaterialPtr UnwrapSymmKey(
                           const CPKIFKeyMaterialPtr & kek,
                           const CPKIFBufferPtr & key,
                           const IPKIFCryptoRawOperations * crypto)
{
    CPKIFKeyMaterialPtr rv;
    // XXX *** need to cast off const-ness because SupportsAlgorithm() is not
    // but should be const. That requires touching too many files for today.
    // we should fix it then remove this cast.
    IPKIFCryptoRawOperations * cc = const_cast<IPKIFCryptoRawOperations *>(crypto);
    if(!kek) throw CPKIFCryptoException(TOOLKIT_CRYPTO_MISC,COMMON_INVALID_INPUT,"UnwrapSymmKey called without a KEK");
    if(!key) throw CPKIFCryptoException(TOOLKIT_CRYPTO_MISC,COMMON_INVALID_INPUT,"UnwrapSymmKey called without a key");
    CPKIFAlgorithm * kwAlg = CPKIFAlgorithm::GetAlg(kek->GetSymmetricKeyAlgorithm());
    if(!kwAlg) {
        throw CPKIFCryptoException(TOOLKIT_CRYPTO_MISC,CRYPTO_ALG_NOT_SUPPORTED,"UnwrapSymmKey called with invalid KEK");
    } else {
        CPKIFOIDPtr kwOid = kwAlg->OID();
        if( *kwOid != *g_aes128Wrap &&
            *kwOid != *g_aes192Wrap &&
            *kwOid != *g_aes256Wrap )
        {
            ostringstream oss;
            oss << kwOid->ToString() << " is not a supported key wrap algorithm." << endl;
            throw CPKIFCryptoException(TOOLKIT_CRYPTO_MISC,CRYPTO_ALG_NOT_SUPPORTED,oss.str().c_str());
        }
    }
    if(!cc) {
        cc = GetPlatformCryptoRaw();        
    }
    CPKIFAlgorithm * baseAlg = get_symmetric_alg_for_wrap_alg(kek);
    if(!baseAlg) {  
        throw CPKIFCryptoException(TOOLKIT_CRYPTO_MISC,COMMON_INVALID_INPUT,"UnwrapSymmKey called with an unimplemented wrap algorithm");
    }
    
    int bs = kwAlg->BlockSize();
    int cipherLen = key->GetLength();
    if( cipherLen < bs*3 && 0 != (cipherLen % bs)) {
        throw CPKIFCryptoException(TOOLKIT_CRYPTO_MISC,COMMON_INVALID_INPUT,"UnwrapSymmKey called with invalid ciphertext");
    }

    CPKIFKeyMaterialPtr baseKM = CPKIFKeyMaterial::CreateWithSymmetricKey(kek);
    baseKM->SetSymmetricKeyAlgorithm(baseAlg->SymkeyAlg());
    baseKM->SetMode(baseAlg->SymkeyMode());

    // need to consider merging RawOperations and AlgorithmSupport!
    if(!cc /*|| !cc->SupportsAlgorithm(*baseKM)*/)
    {
        throw CPKIFCryptoException(TOOLKIT_CRYPTO_MISC,CRYPTO_ALG_NOT_SUPPORTED,
            "No colleague was specified and the default can't be used.");
    }

    int ivLen = 0;
    baseKM->GetIV(NULL,&ivLen);

    if(!ivLen) {
        baseKM->SetIV(rfc3394iv,rfc3394ivLen);
        ivLen = rfc3394ivLen;
    }
    
    scoped_array<unsigned char> iv(new unsigned char[ivLen]);
    baseKM->GetIV(iv.get(),&ivLen);
    if(ivLen != rfc3394ivLen) {
        throw CPKIFCryptoException(TOOLKIT_CRYPTO_MISC,COMMON_INVALID_INPUT,
            "An IV was supplied for AES Key wrap but the length was incorrect.");
    }


    rv = CPKIFKeyMaterialPtr(new CPKIFKeyMaterial());

    const unsigned char * ctBuf = key->GetBuffer();
    unsigned int n = cipherLen/bs;
    // R needs to be treated as potentially sensitive once Decrypt() is called for the first time.
    boost::scoped_array<boost::uint64_t> Rp(new boost::uint64_t[n]);
    boost::uint64_t * R = Rp.get();
    boost::uint64_t wbuf[2];
    boost::uint64_t t;
    memset(&t,0x00,sizeof(boost::uint64_t));
    int baseBS = baseAlg->BlockSize();
    int baseOut = baseBS;
    int outLen = cipherLen-bs;
    int nOut = outLen/bs;

    // this started as a naiive implementation of the steps from 3394, but I actually find
    // the NSS version easier to read, so this bears more resemblance to that than to
    // the pseudocode in the RFC.
    memcpy(&R[0],ctBuf,cipherLen);
    boost::uint64_t * A = &wbuf[0];
    *A = R[0];
    set_t((unsigned char *)&t,(unsigned long)6*nOut);
    try {   
        for(unsigned int j = 0; j <= 5; ++j)
        {
            for(unsigned int i = nOut; i != 0; --i)
            {
                xor_and_decrement((unsigned char *)A,(unsigned char *)&t);
                wbuf[1] = R[i]; //wbuf = A|R[i]
                cc->Decrypt(*baseKM,(unsigned char *)wbuf,baseBS,
                    (unsigned char *)wbuf,&baseOut,false);
                R[i] = wbuf[1];
            }
        }
        if(0 != memcmp(baseKM->GetIV(),A,bs)) {
            throw CPKIFCryptoException(TOOLKIT_CRYPTO_MISC,COMMON_INVALID_INPUT,
                "Bad ciphertext.");
        }
        rv->SetSymmetricKey((unsigned char  *)(&R[1]),outLen);
        PKIFZero(wbuf,2*sizeof(boost::uint64_t));
        PKIFZero(R,cipherLen);

    }catch(...){
        // encrypt can throw, and I don't have a secure array pointer lying around
        // for an array of uint64_t
        PKIFZero(wbuf,2*sizeof(boost::uint64_t));
        PKIFZero(R,cipherLen);
        throw;
    }

    return rv;

}

// return the symmetric cipher that will be used internally for wrapping/unwrapping
// given a key material pointer.
static CPKIFAlgorithm * get_symmetric_alg_for_wrap_alg(const CPKIFKeyMaterialPtr & km)
{
    CPKIFAlgorithm * baseAlg = 0;
    switch(km->GetSymmetricKeyAlgorithm())
    {
    case PKIFCRYPTO::AES128Wrap:
        baseAlg = CPKIFAlgorithm::GetAlg(PKIFCRYPTO::AES128);
        break;
    case PKIFCRYPTO::AES192Wrap:
        baseAlg = CPKIFAlgorithm::GetAlg(PKIFCRYPTO::AES192);
        break;
    case PKIFCRYPTO::AES256Wrap:
        baseAlg = CPKIFAlgorithm::GetAlg(PKIFCRYPTO::AES256);
        break;
    default:
        break;
    }
    return baseAlg;
}

// increment_and_xor, xor_and_decrement, and set_t are all taken verbatim from
// the NSS freebl library. They're from security/nss/lib/freebl/aeskeywrap.c
// which is a MPL/GPL/LGPL licensed.

/* The AES Key Wrap algorithm has 64-bit values that are ALWAYS big-endian
** (Most significant byte first) in memory.  The only ALU operations done
** on them are increment, decrement, and XOR.  So, on little-endian CPUs,
** and on CPUs that lack 64-bit registers, these big-endian 64-bit operations
** are simulated in the following code.  This is thought to be faster and
** simpler than trying to convert the data to little-endian and back.
*/

/* A and T point to two 64-bit values stored most signficant byte first
** (big endian).  This function increments the 64-bit value T, and then
** XORs it with A, changing A.
*/ 
static void
increment_and_xor(unsigned char *A, unsigned char *T)
{
    if (!++T[7])
        if (!++T[6])
        if (!++T[5])
        if (!++T[4])
            if (!++T[3])
            if (!++T[2])
                if (!++T[1])
                 ++T[0];

    A[0] ^= T[0];
    A[1] ^= T[1];
    A[2] ^= T[2];
    A[3] ^= T[3];
    A[4] ^= T[4];
    A[5] ^= T[5];
    A[6] ^= T[6];
    A[7] ^= T[7];
}

/* A and T point to two 64-bit values stored most signficant byte first
** (big endian).  This function XORs T with A, giving a new A, then 
** decrements the 64-bit value T.
*/ 
static void
xor_and_decrement(unsigned char *A, unsigned char *T)
{
    A[0] ^= T[0];
    A[1] ^= T[1];
    A[2] ^= T[2];
    A[3] ^= T[3];
    A[4] ^= T[4];
    A[5] ^= T[5];
    A[6] ^= T[6];
    A[7] ^= T[7];

    if (!T[7]--)
        if (!T[6]--)
        if (!T[5]--)
        if (!T[4]--)
            if (!T[3]--)
            if (!T[2]--)
                if (!T[1]--)
                 T[0]--;

}

/* Given an unsigned long t (in host byte order), store this value as a
** 64-bit big-endian value (MSB first) in *pt.
*/
static void
set_t(unsigned char *pt, unsigned long t)
{
    pt[7] = (unsigned char)t; t >>= 8;
    pt[6] = (unsigned char)t; t >>= 8;
    pt[5] = (unsigned char)t; t >>= 8;
    pt[4] = (unsigned char)t; t >>= 8;
    pt[3] = (unsigned char)t; t >>= 8;
    pt[2] = (unsigned char)t; t >>= 8;
    pt[1] = (unsigned char)t; t >>= 8;
    pt[0] = (unsigned char)t;
}