doc/pkcs5__decrypt_8c_source.html

/**

 * @file pkcs5_decrypt.c

 * @brief PKCS #5 decryption routines

 *

 * @section License

 *

 * SPDX-License-Identifier: GPL-2.0-or-later

 *

 * Copyright (C) 2010-2024 Oryx Embedded SARL. All rights reserved.

 *

 * This file is part of CycloneCRYPTO Open.

 *

 * This program is free software; you can redistribute it and/or

 * modify it under the terms of the GNU General Public License

 * as published by the Free Software Foundation; either version 2

 * of the License, or (at your option) any later version.

 *

 * This program is distributed in the hope that it will be useful,

 * but WITHOUT ANY WARRANTY; without even the implied warranty of

 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

 * GNU General Public License for more details.

 *

 * You should have received a copy of the GNU General Public License

 * along with this program; if not, write to the Free Software Foundation,

 * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.

 *

 * @author Oryx Embedded SARL (www.oryx-embedded.com)

 * @version 2.4.4

 **/


//Switch to the appropriate trace level

#define TRACE_LEVEL CRYPTO_TRACE_LEVEL


//Dependencies

#include "core/crypto.h"

#include "pkix/pkcs5_common.h"

#include "pkix/pkcs5_decrypt.h"

#include "encoding/asn1.h"

#include "encoding/oid.h"

#include "cipher/cipher_algorithms.h"

#include "cipher_modes/cbc.h"

#include "mac/hmac.h"

#include "kdf/pbkdf.h"

#include "debug.h"


//Check crypto library configuration

#if (PKCS5_SUPPORT == ENABLED)


/**

 * @brief PKCS #5 decryption operation

 * @param[in] encryptionAlgoId Encryption algorithm identifier

 * @param[in] password NULL-terminated string containing the password

 * @param[in] ciphertext Pointer to the ciphertext data

 * @param[in] ciphertextLen Length of the ciphertext data, in bytes

 * @param[out] plaintext Pointer to the plaintext data

 * @param[out] plaintextLen Length of the plaintext data, in bytes

 * @return Error code

 **/


error_t pkcs5Decrypt(const X509AlgoId *encryptionAlgoId,

   const char_t *password, const uint8_t *ciphertext, size_t ciphertextLen,

   uint8_t *plaintext, size_t *plaintextLen)

{

   error_t error;


   //Check parameters

   if(encryptionAlgoId != NULL && password != NULL && ciphertext != NULL &&

      plaintext != NULL && plaintextLen != NULL)

   {

      //Check encryption algorithm identifier

      if(!oidComp(encryptionAlgoId->oid.value, encryptionAlgoId->oid.length,

         PBES2_OID, sizeof(PBES2_OID)))

      {

         //Perform PBES2 decryption operation

         error = pkcs5DecryptPbes2(encryptionAlgoId, password, ciphertext,

            ciphertextLen, plaintext, plaintextLen);

      }

      else

      {

         //Perform PBES1 decryption operation

         error = pkcs5DecryptPbes1(encryptionAlgoId, password, ciphertext,

            ciphertextLen, plaintext, plaintextLen);

      }

   }

   else

   {

      //Report an error

      return ERROR_INVALID_PARAMETER;

   }


   //Return status code

   return error;

}


/**

 * @brief PBES1 decryption operation

 * @param[in] encryptionAlgoId Encryption algorithm identifier

 * @param[in] password NULL-terminated string containing the password

 * @param[in] ciphertext Pointer to the ciphertext data

 * @param[in] ciphertextLen Length of the ciphertext data, in bytes

 * @param[out] plaintext Pointer to the plaintext data

 * @param[out] plaintextLen Length of the plaintext data, in bytes

 * @return Error code

 **/


error_t pkcs5DecryptPbes1(const X509AlgoId *encryptionAlgoId,

   const char_t *password, const uint8_t *ciphertext, size_t ciphertextLen,

   uint8_t *plaintext, size_t *plaintextLen)

{

   error_t error;

   size_t i;

   size_t psLen;

   size_t passwordLen;

   uint8_t *k;

   uint8_t *iv;

   uint8_t dk[16];

   Pkcs5Pbes1Params pbes1Params;

   const HashAlgo *hashAlgo;

   const CipherAlgo *cipherAlgo;

#if (CRYPTO_STATIC_MEM_SUPPORT == DISABLED)

   CipherContext *cipherContext;

#else

   CipherContext cipherContext[1];

#endif


   //Check the length of the encrypted data

   if(ciphertextLen == 0)

      return ERROR_DECRYPTION_FAILED;


   //Obtain the eight-octet salt S and the iteration count c

   error = pkcs5ParsePbes1Params(encryptionAlgoId->params.value,

      encryptionAlgoId->params.length, &pbes1Params);

   //Any error to report?

   if(error)

      return error;


   //Retrieve hash algorithm

   hashAlgo = pkcs5GetPbes1HashAlgo(encryptionAlgoId->oid.value,

      encryptionAlgoId->oid.length);

   //Invalid hash algorithm?

   if(hashAlgo == NULL)

      return ERROR_UNSUPPORTED_HASH_ALGO;


   //Retrieve cipher algorithm

   cipherAlgo = pkcs5GetPbes1CipherAlgo(encryptionAlgoId->oid.value,

      encryptionAlgoId->oid.length);

   //Invalid cipher algorithm?

   if(cipherAlgo == NULL)

      return ERROR_UNSUPPORTED_CIPHER_ALGO;


   //If the length in octets of the ciphertext C is not a multiple of eight,

   //output a decryption error and stop

   if((ciphertextLen % cipherAlgo->blockSize) != 0)

      return ERROR_DECRYPTION_FAILED;


   //Retrieve the length of the password

   passwordLen = osStrlen(password);


   //Apply the PBKDF1 key derivation function to the password P, the salt S,

   //and the iteration count c to produce a derived key DK of length 16 octets

   error = pbkdf1(hashAlgo, (uint8_t *) password, passwordLen,

      pbes1Params.salt.value, pbes1Params.salt.length,

      pbes1Params.iterationCount, dk, 16);

   //Any error to report?

   if(error)

      return error;


   //Separate the derived key DK into an encryption key K consisting of the

   //first eight octets of DK and an initialization vector IV consisting of

   //the next eight octets

   k = dk;

   iv = dk + 8;


#if (CRYPTO_STATIC_MEM_SUPPORT == DISABLED)

   //Allocate a memory buffer to hold the cipher context

   cipherContext = cryptoAllocMem(cipherAlgo->contextSize);

   //Failed to allocate memory?

   if(cipherContext == NULL)

      return ERROR_OUT_OF_MEMORY;

#endif


   //Load encryption key K

   error = cipherAlgo->init(cipherContext, k, 8);


   //Check status code

   if(!error)

   {

      //Decrypt the ciphertext C with the underlying block cipher (DES or

      //RC2) in CBC mode under the encryption key K with initialization

      //vector IV to recover an encoded message EM

      error = cbcDecrypt(cipherAlgo, cipherContext, iv, ciphertext,

         plaintext, ciphertextLen);

   }


   //Erase cipher context

   cipherAlgo->deinit(cipherContext);


#if (CRYPTO_STATIC_MEM_SUPPORT == DISABLED)

   //Release previously allocated memory

   cryptoFreeMem(cipherContext);

#endif


   //Any error to report?

   if(error)

      return error;


   //Retrieve the length of the padding string PS

   psLen = plaintext[ciphertextLen - 1];


   //Ensure that psLen is between 1 and 8

   if(psLen < 1 || psLen > 8)

      return ERROR_DECRYPTION_FAILED;


   //Malformed padding?

   if(psLen > ciphertextLen)

      return ERROR_DECRYPTION_FAILED;


   //Verify padding string

   for(i = 0; i < psLen; i++)

   {

      //The padding string PS consists of psLen octets each with value psLen

      if(plaintext[ciphertextLen - i - 1] != psLen)

         return ERROR_DECRYPTION_FAILED;

   }


   //Strip padding bytes from the encoded message EM

   *plaintextLen = ciphertextLen - psLen;


   //Successful processing

   return NO_ERROR;

}


/**

 * @brief PBES2 decryption operation

 * @param[in] encryptionAlgoId Encryption algorithm identifier

 * @param[in] password NULL-terminated string containing the password

 * @param[in] ciphertext Pointer to the ciphertext data

 * @param[in] ciphertextLen Length of the ciphertext data, in bytes

 * @param[out] plaintext Pointer to the plaintext data

 * @param[out] plaintextLen Length of the plaintext data, in bytes

 * @return Error code

 **/


error_t pkcs5DecryptPbes2(const X509AlgoId *encryptionAlgoId,

   const char_t *password, const uint8_t *ciphertext, size_t ciphertextLen,

   uint8_t *plaintext, size_t *plaintextLen)

{

   error_t error;

   size_t i;

   size_t dkLen;

   size_t psLen;

   size_t passwordLen;

   uint8_t dk[32];

   uint8_t iv[16];

   Pkcs5Pbes2Params pbes2Params;

   const HashAlgo *hashAlgo;

   const CipherAlgo *cipherAlgo;

#if (CRYPTO_STATIC_MEM_SUPPORT == DISABLED)

   CipherContext *cipherContext;

#else

   CipherContext cipherContext[1];

#endif


   //Check the length of the encrypted data

   if(ciphertextLen == 0)

      return ERROR_DECRYPTION_FAILED;


   //Obtain the salt S for the operation and the iteration count c for the

   //key derivation function

   error = pkcs5ParsePbes2Params(encryptionAlgoId->params.value,

      encryptionAlgoId->params.length, &pbes2Params);

   //Any error to report?

   if(error)

      return error;


   //Retrieve PRF hash algorithm

   hashAlgo = pkcs5GetPbes2HashAlgo(pbes2Params.keyDerivationFunc.prfAlgoId.value,

      pbes2Params.keyDerivationFunc.prfAlgoId.length);

   //Invalid hash algorithm?

   if(hashAlgo == NULL)

      return ERROR_UNSUPPORTED_HASH_ALGO;


   //Retrieve cipher algorithm

   cipherAlgo = pkcs5GetPbes2CipherAlgo(pbes2Params.encryptionScheme.oid.value,

      pbes2Params.encryptionScheme.oid.length);

   //Invalid cipher algorithm?

   if(cipherAlgo == NULL)

      return ERROR_UNSUPPORTED_CIPHER_ALGO;


   //Obtain the key length in octets, dkLen, for the derived key for the

   //underlying encryption scheme

   dkLen = pkcs5GetPbes2KeyLength(pbes2Params.encryptionScheme.oid.value,

      pbes2Params.encryptionScheme.oid.length);

   //Invalid key length?

   if(dkLen == 0)

      return ERROR_UNSUPPORTED_CIPHER_ALGO;


   //If the length in octets of the ciphertext C is not a multiple of the block

   //size, output a decryption error and stop

   if((ciphertextLen % cipherAlgo->blockSize) != 0)

      return ERROR_DECRYPTION_FAILED;


   //Check the length of the IV

   if(pbes2Params.encryptionScheme.iv.length != cipherAlgo->blockSize)

      return ERROR_DECRYPTION_FAILED;


   //Copy initialization vector

   osMemcpy(iv, pbes2Params.encryptionScheme.iv.value, cipherAlgo->blockSize);


   //Retrieve the length of the password

   passwordLen = osStrlen(password);


   //Apply the selected KDF function to the password P, the salt S, and the

   //iteration count c to produce a derived key DK of length dkLen octets

   error = pbkdf2(hashAlgo, (uint8_t *) password, passwordLen,

      pbes2Params.keyDerivationFunc.salt.value,

      pbes2Params.keyDerivationFunc.salt.length,

      pbes2Params.keyDerivationFunc.iterationCount, dk, dkLen);

   //Any error to report?

   if(error)

      return error;


#if (CRYPTO_STATIC_MEM_SUPPORT == DISABLED)

   //Allocate a memory buffer to hold the cipher context

   cipherContext = cryptoAllocMem(cipherAlgo->contextSize);

   //Failed to allocate memory?

   if(cipherContext == NULL)

      return ERROR_OUT_OF_MEMORY;

#endif


   //Load encryption key DK

   error = cipherAlgo->init(cipherContext, dk, dkLen);


   //Check status code

   if(!error)

   {

      //Decrypt the ciphertext C with the underlying encryption scheme

      //under the derived key DK to recover a message M

      error = cbcDecrypt(cipherAlgo, cipherContext, iv, ciphertext,

         plaintext, ciphertextLen);

   }


   //Erase cipher context

   cipherAlgo->deinit(cipherContext);


#if (CRYPTO_STATIC_MEM_SUPPORT == DISABLED)

   //Release previously allocated memory

   cryptoFreeMem(cipherContext);

#endif


   //Any error to report?

   if(error)

      return error;


   //Retrieve the length of the padding string PS

   psLen = plaintext[ciphertextLen - 1];


   //Ensure that psLen is valid

   if(psLen < 1 || psLen > cipherAlgo->blockSize)

      return ERROR_DECRYPTION_FAILED;


   //Malformed padding?

   if(psLen > ciphertextLen)

      return ERROR_DECRYPTION_FAILED;


   //Verify padding string

   for(i = 0; i < psLen; i++)

   {

      //The padding string PS consists of psLen octets each with value psLen

      if(plaintext[ciphertextLen - i - 1] != psLen)

         return ERROR_DECRYPTION_FAILED;

   }


   //Strip padding bytes from the encoded message EM

   *plaintextLen = ciphertextLen - psLen;


   //Successful processing

   return NO_ERROR;

}


/**

 * @brief Parse PBES1 parameters

 * @param[in] data Pointer to the ASN.1 structure to parse

 * @param[in] length Length of the ASN.1 structure

 * @param[out] pbes1Params Information resulting from the parsing process

 * @return Error code

 **/


error_t pkcs5ParsePbes1Params(const uint8_t *data, size_t length,

   Pkcs5Pbes1Params *pbes1Params)

{

   error_t error;

   int32_t value;

   Asn1Tag tag;


   //The PBES1 parameters are encapsulated within a sequence

   error = asn1ReadSequence(data, length, &tag);

   //Failed to decode ASN.1 tag?

   if(error)

      return error;


   //Point to the first field of the sequence

   data = tag.value;

   length = tag.length;


   //Read salt

   error = asn1ReadOctetString(data, length, &tag);

   //Failed to decode ASN.1 tag?

   if(error)

      return error;


   //The salt must be an eight-octet string

   if(tag.length != 8)

      return ERROR_INVALID_SYNTAX;


   //Save salt value

   pbes1Params->salt.value = tag.value;

   pbes1Params->salt.length = tag.length;


   //Point to the next field

   data += tag.totalLength;

   length -= tag.totalLength;


   //Read iteration count

   error = asn1ReadInt32(data, length, &tag, &value);

   //Failed to decode ASN.1 tag?

   if(error)

      return error;


   //The iteration count must be a positive integer

   if(value < 0)

      return ERROR_INVALID_SYNTAX;


   //Save iteration count

   pbes1Params->iterationCount = value;


   //Successful processing

   return NO_ERROR;

}


/**

 * @brief Parse PBES2 parameters

 * @param[in] data Pointer to the ASN.1 structure to parse

 * @param[in] length Length of the ASN.1 structure

 * @param[out] pbes2Params Information resulting from the parsing process

 * @return Error code

 **/


error_t pkcs5ParsePbes2Params(const uint8_t *data, size_t length,

   Pkcs5Pbes2Params *pbes2Params)

{

   error_t error;

   size_t n;

   Asn1Tag tag;


   //The PBES2 parameters are encapsulated within a sequence

   error = asn1ReadSequence(data, length, &tag);

   //Failed to decode ASN.1 tag?

   if(error)

      return error;


   //Point to the first field of the sequence

   data = tag.value;

   length = tag.length;


   //KeyDerivationFunc identifies the underlying key derivation function. It

   //shall be an algorithm ID with an OID in the set PBES2-KDFs, which for

   //this version of PKCS #5 shall consist of id-PBKDF2

   error = pkcs5ParseKeyDerivationFunc(data, length, &n,

      &pbes2Params->keyDerivationFunc);

   //Any error to report?

   if(error)

      return error;


   //Point to the next field

   data += n;

   length -= n;


   //EncryptionScheme identifies the underlying encryption scheme. It shall be

   //an algorithm ID with an OID in the set PBES2-Encs, whose definition is

   //left to the application

   error = pkcs5ParseEncryptionScheme(data, length, &n,

      &pbes2Params->encryptionScheme);

   //Any error to report?

   if(error)

      return error;


   //Successful processing

   return NO_ERROR;

}


/**

 * @brief Parse KeyDerivationFunc structure

 * @param[in] data Pointer to the ASN.1 structure to parse

 * @param[in] length Length of the ASN.1 structure

 * @param[out] totalLength Number of bytes that have been parsed

 * @param[out] keyDerivationFunc Information resulting from the parsing process

 * @return Error code

 **/


error_t pkcs5ParseKeyDerivationFunc(const uint8_t *data, size_t length,

   size_t *totalLength, Pkcs5KeyDerivationFunc *keyDerivationFunc)

{

   error_t error;

   Asn1Tag tag;


   //Read KeyDerivationFunc structure

   error = asn1ReadSequence(data, length, &tag);

   //Failed to decode ASN.1 tag?

   if(error)

      return error;


   //Save the total length of the field

   *totalLength = tag.totalLength;


   //Point to the first field of the sequence

   data = tag.value;

   length = tag.length;


   //Read the KDF algorithm identifier

   error = asn1ReadOid(data, length, &tag);

   //Failed to decode ASN.1 tag?

   if(error)

      return error;


   //Save algorithm identifier

   keyDerivationFunc->kdfAlgoId.value = tag.value;

   keyDerivationFunc->kdfAlgoId.length = tag.length;


   //Check KDF algorithm identifier

   if(oidComp(keyDerivationFunc->kdfAlgoId.value,

      keyDerivationFunc->kdfAlgoId.length, PBKDF2_OID, arraysize(PBKDF2_OID)))

   {

      return ERROR_WRONG_IDENTIFIER;

   }


   //Point to the next field

   data += tag.totalLength;

   length -= tag.totalLength;


   //Parse PBKDF2 parameters

   error = pkcs5ParsePbkdf2Params(data, length, keyDerivationFunc);

   //Any error to report?

   if(error)

      return error;


   //Successful processing

   return NO_ERROR;

}


/**

 * @brief Parse PBKDF2 parameters

 * @param[in] data Pointer to the ASN.1 structure to parse

 * @param[in] length Length of the ASN.1 structure

 * @param[out] keyDerivationFunc Information resulting from the parsing process

 * @return Error code

 **/


error_t pkcs5ParsePbkdf2Params(const uint8_t *data, size_t length,

   Pkcs5KeyDerivationFunc *keyDerivationFunc)

{

   error_t error;

   int32_t value;

   Asn1Tag tag;


   //The PBKDF2 parameters are encapsulated within a sequence

   error = asn1ReadSequence(data, length, &tag);

   //Failed to decode ASN.1 tag?

   if(error)

      return error;


   //Point to the first field of the sequence

   data = tag.value;

   length = tag.length;


   //The 'salt' field specifies the salt value or the source of the salt value.

   //It shall either be an octet string or an algorithm ID with an OID in the

   //set PBKDF2-SaltSources, which is reserved for future versions of PKCS #5

   error = asn1ReadOctetString(data, length, &tag);

   //Failed to decode ASN.1 tag?

   if(error)

      return error;


   //Save salt value

   keyDerivationFunc->salt.value = tag.value;

   keyDerivationFunc->salt.length = tag.length;


   //Point to the next field

   data += tag.totalLength;

   length -= tag.totalLength;


   //The 'iterationCount' field specifies the iteration count

   error = asn1ReadInt32(data, length, &tag, &value);

   //Failed to decode ASN.1 tag?

   if(error)

      return error;


   //The iteration count must be a positive integer

   if(value < 0)

      return ERROR_INVALID_SYNTAX;


   //Save iteration count

   keyDerivationFunc->iterationCount = value;


   //Point to the next field

   data += tag.totalLength;

   length -= tag.totalLength;


   //The 'keyLength' field is the length in octets of the derived key

   error = asn1ReadInt32(data, length, &tag, &value);


   //This field is optional

   if(!error)

   {

      //The key length must be a positive integer

      if(value < 0)

         return ERROR_INVALID_SYNTAX;


      //Save key length

      keyDerivationFunc->keyLen = value;


      //Point to the next field

      data += tag.totalLength;

      length -= tag.totalLength;

   }

   else

   {

      //The 'keyLength' field is no present

      keyDerivationFunc->keyLen = 0;

   }


   //Check whether the 'prf' field is present

   if(length > 0)

   {

      //The PRF algorithm identifier is encapsulated within a sequence

      error = asn1ReadSequence(data, length, &tag);

      //Failed to decode ASN.1 tag?

      if(error)

         return error;


      //Point to the first field of the sequence

      data = tag.value;

      length = tag.length;


      //Read the PRF algorithm identifier

      error = asn1ReadOid(data, length, &tag);

      //Failed to decode ASN.1 tag?

      if(error)

         return error;


      //Save algorithm identifier

      keyDerivationFunc->prfAlgoId.value = tag.value;

      keyDerivationFunc->prfAlgoId.length = tag.length;

   }

   else

   {

      //The default pseudorandom function is HMAC-SHA-1 (refer to RFC 8018,

      //section A.2)

      keyDerivationFunc->prfAlgoId.value = HMAC_WITH_SHA1_OID;

      keyDerivationFunc->prfAlgoId.length = sizeof(HMAC_WITH_SHA1_OID);

   }


   //Successful processing

   return NO_ERROR;

}


/**

 * @brief Parse EncryptionScheme structure

 * @param[in] data Pointer to the ASN.1 structure to parse

 * @param[in] length Length of the ASN.1 structure

 * @param[out] totalLength Number of bytes that have been parsed

 * @param[out] encryptionScheme Information resulting from the parsing process

 * @return Error code

 **/


error_t pkcs5ParseEncryptionScheme(const uint8_t *data, size_t length,

   size_t *totalLength, Pkcs5EncryptionScheme *encryptionScheme)

{

   error_t error;

   Asn1Tag tag;


   //Read EncryptionScheme structure

   error = asn1ReadSequence(data, length, &tag);

   //Failed to decode ASN.1 tag?

   if(error)

      return error;


   //Save the total length of the field of the sequence

   *totalLength = tag.totalLength;


   //Point to the first field

   data = tag.value;

   length = tag.length;


   //Read the encryption algorithm identifier

   error = asn1ReadOid(data, length, &tag);

   //Failed to decode ASN.1 tag?

   if(error)

      return error;


   //Save algorithm identifier

   encryptionScheme->oid.value = tag.value;

   encryptionScheme->oid.length = tag.length;


   //Point to the next field

   data += tag.totalLength;

   length -= tag.totalLength;


   //The parameters field for DES-CBC-Pad, DES-EDE3-CBC-Pad and AES-CBC-Pad

   //encryption schemes shall have type OCTET STRING specifying the

   //initialization vector for CBC mode

   error = asn1ReadOctetString(data, length, &tag);

   //Failed to decode ASN.1 tag?

   if(error)

      return error;


   //Save initialization vector

   encryptionScheme->iv.value = tag.value;

   encryptionScheme->iv.length = tag.length;


   //Successful processing

   return NO_ERROR;

}


#endif