]>
Commit | Line | Data |
---|---|---|
c680a8e1 RS |
1 | // Copyright 2011 The Go Authors. All rights reserved. |
2 | // Use of this source code is governed by a BSD-style | |
3 | // license that can be found in the LICENSE file. | |
4 | ||
5 | package packet | |
6 | ||
7 | import ( | |
8 | "crypto/rsa" | |
9 | "encoding/binary" | |
10 | "io" | |
11 | "math/big" | |
12 | "strconv" | |
13 | ||
14 | "golang.org/x/crypto/openpgp/elgamal" | |
15 | "golang.org/x/crypto/openpgp/errors" | |
16 | ) | |
17 | ||
18 | const encryptedKeyVersion = 3 | |
19 | ||
20 | // EncryptedKey represents a public-key encrypted session key. See RFC 4880, | |
21 | // section 5.1. | |
22 | type EncryptedKey struct { | |
23 | KeyId uint64 | |
24 | Algo PublicKeyAlgorithm | |
25 | CipherFunc CipherFunction // only valid after a successful Decrypt | |
26 | Key []byte // only valid after a successful Decrypt | |
27 | ||
28 | encryptedMPI1, encryptedMPI2 parsedMPI | |
29 | } | |
30 | ||
31 | func (e *EncryptedKey) parse(r io.Reader) (err error) { | |
32 | var buf [10]byte | |
33 | _, err = readFull(r, buf[:]) | |
34 | if err != nil { | |
35 | return | |
36 | } | |
37 | if buf[0] != encryptedKeyVersion { | |
38 | return errors.UnsupportedError("unknown EncryptedKey version " + strconv.Itoa(int(buf[0]))) | |
39 | } | |
40 | e.KeyId = binary.BigEndian.Uint64(buf[1:9]) | |
41 | e.Algo = PublicKeyAlgorithm(buf[9]) | |
42 | switch e.Algo { | |
43 | case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly: | |
44 | e.encryptedMPI1.bytes, e.encryptedMPI1.bitLength, err = readMPI(r) | |
107c1cdb ND |
45 | if err != nil { |
46 | return | |
47 | } | |
c680a8e1 RS |
48 | case PubKeyAlgoElGamal: |
49 | e.encryptedMPI1.bytes, e.encryptedMPI1.bitLength, err = readMPI(r) | |
50 | if err != nil { | |
51 | return | |
52 | } | |
53 | e.encryptedMPI2.bytes, e.encryptedMPI2.bitLength, err = readMPI(r) | |
107c1cdb ND |
54 | if err != nil { |
55 | return | |
56 | } | |
c680a8e1 RS |
57 | } |
58 | _, err = consumeAll(r) | |
59 | return | |
60 | } | |
61 | ||
62 | func checksumKeyMaterial(key []byte) uint16 { | |
63 | var checksum uint16 | |
64 | for _, v := range key { | |
65 | checksum += uint16(v) | |
66 | } | |
67 | return checksum | |
68 | } | |
69 | ||
70 | // Decrypt decrypts an encrypted session key with the given private key. The | |
71 | // private key must have been decrypted first. | |
72 | // If config is nil, sensible defaults will be used. | |
73 | func (e *EncryptedKey) Decrypt(priv *PrivateKey, config *Config) error { | |
74 | var err error | |
75 | var b []byte | |
76 | ||
77 | // TODO(agl): use session key decryption routines here to avoid | |
78 | // padding oracle attacks. | |
79 | switch priv.PubKeyAlgo { | |
80 | case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly: | |
107c1cdb ND |
81 | k := priv.PrivateKey.(*rsa.PrivateKey) |
82 | b, err = rsa.DecryptPKCS1v15(config.Random(), k, padToKeySize(&k.PublicKey, e.encryptedMPI1.bytes)) | |
c680a8e1 RS |
83 | case PubKeyAlgoElGamal: |
84 | c1 := new(big.Int).SetBytes(e.encryptedMPI1.bytes) | |
85 | c2 := new(big.Int).SetBytes(e.encryptedMPI2.bytes) | |
86 | b, err = elgamal.Decrypt(priv.PrivateKey.(*elgamal.PrivateKey), c1, c2) | |
87 | default: | |
88 | err = errors.InvalidArgumentError("cannot decrypted encrypted session key with private key of type " + strconv.Itoa(int(priv.PubKeyAlgo))) | |
89 | } | |
90 | ||
91 | if err != nil { | |
92 | return err | |
93 | } | |
94 | ||
95 | e.CipherFunc = CipherFunction(b[0]) | |
96 | e.Key = b[1 : len(b)-2] | |
97 | expectedChecksum := uint16(b[len(b)-2])<<8 | uint16(b[len(b)-1]) | |
98 | checksum := checksumKeyMaterial(e.Key) | |
99 | if checksum != expectedChecksum { | |
100 | return errors.StructuralError("EncryptedKey checksum incorrect") | |
101 | } | |
102 | ||
103 | return nil | |
104 | } | |
105 | ||
106 | // Serialize writes the encrypted key packet, e, to w. | |
107 | func (e *EncryptedKey) Serialize(w io.Writer) error { | |
108 | var mpiLen int | |
109 | switch e.Algo { | |
110 | case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly: | |
111 | mpiLen = 2 + len(e.encryptedMPI1.bytes) | |
112 | case PubKeyAlgoElGamal: | |
113 | mpiLen = 2 + len(e.encryptedMPI1.bytes) + 2 + len(e.encryptedMPI2.bytes) | |
114 | default: | |
115 | return errors.InvalidArgumentError("don't know how to serialize encrypted key type " + strconv.Itoa(int(e.Algo))) | |
116 | } | |
117 | ||
118 | serializeHeader(w, packetTypeEncryptedKey, 1 /* version */ +8 /* key id */ +1 /* algo */ +mpiLen) | |
119 | ||
120 | w.Write([]byte{encryptedKeyVersion}) | |
121 | binary.Write(w, binary.BigEndian, e.KeyId) | |
122 | w.Write([]byte{byte(e.Algo)}) | |
123 | ||
124 | switch e.Algo { | |
125 | case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly: | |
126 | writeMPIs(w, e.encryptedMPI1) | |
127 | case PubKeyAlgoElGamal: | |
128 | writeMPIs(w, e.encryptedMPI1, e.encryptedMPI2) | |
129 | default: | |
130 | panic("internal error") | |
131 | } | |
132 | ||
133 | return nil | |
134 | } | |
135 | ||
136 | // SerializeEncryptedKey serializes an encrypted key packet to w that contains | |
137 | // key, encrypted to pub. | |
138 | // If config is nil, sensible defaults will be used. | |
139 | func SerializeEncryptedKey(w io.Writer, pub *PublicKey, cipherFunc CipherFunction, key []byte, config *Config) error { | |
140 | var buf [10]byte | |
141 | buf[0] = encryptedKeyVersion | |
142 | binary.BigEndian.PutUint64(buf[1:9], pub.KeyId) | |
143 | buf[9] = byte(pub.PubKeyAlgo) | |
144 | ||
145 | keyBlock := make([]byte, 1 /* cipher type */ +len(key)+2 /* checksum */) | |
146 | keyBlock[0] = byte(cipherFunc) | |
147 | copy(keyBlock[1:], key) | |
148 | checksum := checksumKeyMaterial(key) | |
149 | keyBlock[1+len(key)] = byte(checksum >> 8) | |
150 | keyBlock[1+len(key)+1] = byte(checksum) | |
151 | ||
152 | switch pub.PubKeyAlgo { | |
153 | case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly: | |
154 | return serializeEncryptedKeyRSA(w, config.Random(), buf, pub.PublicKey.(*rsa.PublicKey), keyBlock) | |
155 | case PubKeyAlgoElGamal: | |
156 | return serializeEncryptedKeyElGamal(w, config.Random(), buf, pub.PublicKey.(*elgamal.PublicKey), keyBlock) | |
157 | case PubKeyAlgoDSA, PubKeyAlgoRSASignOnly: | |
158 | return errors.InvalidArgumentError("cannot encrypt to public key of type " + strconv.Itoa(int(pub.PubKeyAlgo))) | |
159 | } | |
160 | ||
161 | return errors.UnsupportedError("encrypting a key to public key of type " + strconv.Itoa(int(pub.PubKeyAlgo))) | |
162 | } | |
163 | ||
164 | func serializeEncryptedKeyRSA(w io.Writer, rand io.Reader, header [10]byte, pub *rsa.PublicKey, keyBlock []byte) error { | |
165 | cipherText, err := rsa.EncryptPKCS1v15(rand, pub, keyBlock) | |
166 | if err != nil { | |
167 | return errors.InvalidArgumentError("RSA encryption failed: " + err.Error()) | |
168 | } | |
169 | ||
170 | packetLen := 10 /* header length */ + 2 /* mpi size */ + len(cipherText) | |
171 | ||
172 | err = serializeHeader(w, packetTypeEncryptedKey, packetLen) | |
173 | if err != nil { | |
174 | return err | |
175 | } | |
176 | _, err = w.Write(header[:]) | |
177 | if err != nil { | |
178 | return err | |
179 | } | |
180 | return writeMPI(w, 8*uint16(len(cipherText)), cipherText) | |
181 | } | |
182 | ||
183 | func serializeEncryptedKeyElGamal(w io.Writer, rand io.Reader, header [10]byte, pub *elgamal.PublicKey, keyBlock []byte) error { | |
184 | c1, c2, err := elgamal.Encrypt(rand, pub, keyBlock) | |
185 | if err != nil { | |
186 | return errors.InvalidArgumentError("ElGamal encryption failed: " + err.Error()) | |
187 | } | |
188 | ||
189 | packetLen := 10 /* header length */ | |
190 | packetLen += 2 /* mpi size */ + (c1.BitLen()+7)/8 | |
191 | packetLen += 2 /* mpi size */ + (c2.BitLen()+7)/8 | |
192 | ||
193 | err = serializeHeader(w, packetTypeEncryptedKey, packetLen) | |
194 | if err != nil { | |
195 | return err | |
196 | } | |
197 | _, err = w.Write(header[:]) | |
198 | if err != nil { | |
199 | return err | |
200 | } | |
201 | err = writeBig(w, c1) | |
202 | if err != nil { | |
203 | return err | |
204 | } | |
205 | return writeBig(w, c2) | |
206 | } |