aboutsummaryrefslogtreecommitdiffstats
path: root/lib/public_key/src/pubkey_pbe.erl
diff options
context:
space:
mode:
authorIngela Anderton Andin <[email protected]>2011-10-18 18:01:40 +0200
committerIngela Anderton Andin <[email protected]>2011-11-01 16:54:26 +0100
commitb211df3a0cca478822d57836dac3dd6452aab32a (patch)
treef825012c084fd9bc88b4ed6fb0c04d079a3ca747 /lib/public_key/src/pubkey_pbe.erl
parentca4d1197fdf66fda5241edd645c12d2451b67ec8 (diff)
downloadotp-b211df3a0cca478822d57836dac3dd6452aab32a.tar.gz
otp-b211df3a0cca478822d57836dac3dd6452aab32a.tar.bz2
otp-b211df3a0cca478822d57836dac3dd6452aab32a.zip
Additions to crypto and public_key needed for full PKCS-8 support
Diffstat (limited to 'lib/public_key/src/pubkey_pbe.erl')
-rw-r--r--lib/public_key/src/pubkey_pbe.erl105
1 files changed, 63 insertions, 42 deletions
diff --git a/lib/public_key/src/pubkey_pbe.erl b/lib/public_key/src/pubkey_pbe.erl
index f471871d35..32be347039 100644
--- a/lib/public_key/src/pubkey_pbe.erl
+++ b/lib/public_key/src/pubkey_pbe.erl
@@ -27,35 +27,43 @@
-define(DEFAULT_SHA_MAC_KEYLEN, 20).
--define(OCTET_STR, 4).
--define(IV_LEN, 8).
+-define(ASN1_OCTET_STR_TAG, 4).
+-define(IV_LEN, 8).
%%====================================================================
%% Internal application API
%%====================================================================
-pbdkdf2(Password, Salt, Count, DerivedKeyLen, PrfLen, Prf)->
- NumBlocks = ceiling(DerivedKeyLen / PrfLen),
- NumLastBlockOctets = DerivedKeyLen - (NumBlocks - 1) * PrfLen ,
- blocks(NumBlocks, NumLastBlockOctets, 1, Password, Salt, Count, Prf, PrfLen, <<>>).
+pbdkdf2(Password, Salt, Count, DerivedKeyLen, Prf, PrfOutputLen)->
+ NumBlocks = ceiling(DerivedKeyLen / PrfOutputLen),
+ NumLastBlockOctets = DerivedKeyLen - (NumBlocks - 1) * PrfOutputLen ,
+ blocks(NumBlocks, NumLastBlockOctets, 1, Password, Salt, Count, Prf, PrfOutputLen, <<>>).
encode(Data, Password, "DES-CBC" = Cipher, KeyDevParams) ->
- {Key, IV} = password_to_key_and_iv(Password, derived_key_length(Cipher), KeyDevParams),
+ {Key, IV} = password_to_key_and_iv(Password, Cipher, KeyDevParams),
crypto:des_cbc_encrypt(Key, IV, Data);
encode(Data, Password, "DES-EDE3-CBC" = Cipher, KeyDevParams) ->
- {Key, IV} = password_to_key_and_iv(Password, derived_key_length(Cipher), KeyDevParams),
+ {Key, IV} = password_to_key_and_iv(Password, Cipher, KeyDevParams),
<<Key1:8/binary, Key2:8/binary, Key3:8/binary>> = Key,
- crypto:des_ede3_cbc_encrypt(Key1, Key2, Key3, IV, Data).
+ crypto:des_ede3_cbc_encrypt(Key1, Key2, Key3, IV, Data);
+
+encode(Data, Password, "RC2-CBC" = Cipher, KeyDevParams) ->
+ {Key, IV} = password_to_key_and_iv(Password, Cipher, KeyDevParams),
+ crypto:rc2_cbc_encrypt(Key, IV, Data).
decode(Data, Password,"DES-CBC"= Cipher, KeyDevParams) ->
- {Key, IV} = password_to_key_and_iv(Password, derived_key_length(Cipher), KeyDevParams),
+ {Key, IV} = password_to_key_and_iv(Password, Cipher, KeyDevParams),
crypto:des_cbc_decrypt(Key, IV, Data);
decode(Data, Password,"DES-EDE3-CBC" = Cipher, KeyDevParams) ->
- {Key, IV} = password_to_key_and_iv(Password, derived_key_length(Cipher), KeyDevParams),
+ {Key, IV} = password_to_key_and_iv(Password, Cipher, KeyDevParams),
<<Key1:8/binary, Key2:8/binary, Key3:8/binary>> = Key,
- crypto:des_ede3_cbc_decrypt(Key1, Key2, Key3, IV, Data).
+ crypto:des_ede3_cbc_decrypt(Key1, Key2, Key3, IV, Data);
+
+decode(Data, Password,"RC2-CBC"= Cipher, KeyDevParams) ->
+ {Key, IV} = password_to_key_and_iv(Password, Cipher, KeyDevParams),
+ crypto:rc2_cbc_decrypt(Key, IV, Data).
%%--------------------------------------------------------------------
-spec pbdkdf1(string(), iodata(), integer(), atom()) -> binary().
@@ -94,13 +102,20 @@ decrypt_parameters(#'EncryptedPrivateKeyInfo_encryptionAlgorithm'{
%%--------------------------------------------------------------------
%%% Internal functions
%%--------------------------------------------------------------------
-password_to_key_and_iv(Password, KeyLen, {salt, Salt}) ->
+password_to_key_and_iv(Password, Cipher, {salt, Salt}) ->
+ KeyLen = derived_key_length(Cipher, undefined),
<<Key:KeyLen/binary, _/binary>> =
pem_encrypt(<<>>, Password, Salt, ceiling(KeyLen div 16), <<>>, md5),
%% Old PEM encryption does not use standard encryption method
%% pbdkdf1 and uses then salt as IV
{Key, Salt}.
+password_to_key_and_iv(Password, _, #'PBES2-params'{} = Params) ->
+ {Salt, ItrCount, KeyLen, PseudoRandomFunction, PseudoOtputLen, IV} =
+ key_derivation_params(Params),
+ <<Key:KeyLen/binary, _/binary>> =
+ pbdkdf2(Password, Salt, ItrCount, KeyLen, PseudoRandomFunction, PseudoOtputLen),
+ {Key, IV}.
pem_encrypt(_, _, _, 0, Acc, _) ->
Acc;
pem_encrypt(Prev, Password, Salt, Count, Acc, Hash) ->
@@ -118,8 +133,12 @@ iv(#'PBES2-params_encryptionScheme'{algorithm = Algo,
(Algo == ?'des-EDE3-CBC') ->
%% This is an so called open ASN1-type that in this
%% case will be an octet-string of length 8
- <<?OCTET_STR, ?IV_LEN, IV:?IV_LEN/binary>> = ASNIV,
- IV.
+ <<?ASN1_OCTET_STR_TAG, ?IV_LEN, IV:?IV_LEN/binary>> = ASNIV,
+ IV;
+iv(#'PBES2-params_encryptionScheme'{algorithm = ?'rc2CBC',
+ parameters = ASN1IV}) ->
+ {ok, #'RC2-CBC-Parameter'{iv = IV}} = 'PKCS-FRAME':decode('RC2-CBC-Parameter', ASN1IV),
+ iolist_to_binary(IV).
blocks(1, N, Index, Password, Salt, Count, Prf, PrfLen, Acc) ->
<<XorSum:N/binary, _/binary>> = xor_sum(Password, Salt, Count, Index, Prf, PrfLen),
@@ -129,53 +148,55 @@ blocks(NumBlocks, N, Index, Password, Salt, Count, Prf, PrfLen, Acc) ->
blocks(NumBlocks -1, N, Index +1, Password, Salt, Count, Prf, PrfLen, <<Acc/binary, XorSum/binary>>).
xor_sum(Password, Salt, Count, Index, Prf, PrfLen) ->
- %%Result = Prf(Password, [Salt,<<Index:32/unsigned-big-integer>>], PrfLen),
- Result = Prf(Password, [Salt,<<Index:32/unsigned-big-integer>>]),
+ Result = Prf(Password, [Salt,<<Index:32/unsigned-big-integer>>], PrfLen),
do_xor_sum(Prf, PrfLen, Result, Password, Count-1, Result).
do_xor_sum(_, _, _, _, 0, Acc) ->
Acc;
do_xor_sum(Prf, PrfLen, Prev, Password, Count, Acc)->
- %%Result = Prf(Password, Prev, PrfLen),
- Result = Prf(Password, Prev),
+ Result = Prf(Password, Prev, PrfLen),
do_xor_sum(Prf, PrfLen, Result, Password, Count-1, crypto:exor(Acc, Result)).
decrypt_parameters(?'id-PBES2', DekParams) ->
{ok, Params} = 'PKCS-FRAME':decode('PBES2-params', DekParams),
{cipher(Params#'PBES2-params'.encryptionScheme), Params}.
-key_derivation_params(#'PBES2-params_keyDerivationFunc'{algorithm = ?'id-PBKDF2',
- parameters =
- #'PBKDF2-params'{salt = {specified, OctetSalt},
- iterationCount = Count,
- keyLength = Length,
- prf = Prf}}) ->
- PseudoRandomFunction = pseudo_random_function(Prf),
- KeyLen = pseudo_key_length(Length, Prf),
- {iolist_to_binary(OctetSalt), Count, KeyLen, PseudoRandomFunction}.
-
+key_derivation_params(#'PBES2-params'{keyDerivationFunc = KeyDerivationFunc,
+ encryptionScheme = EncScheme}) ->
+ #'PBES2-params_keyDerivationFunc'{algorithm = ?'id-PBKDF2',
+ parameters =
+ #'PBKDF2-params'{salt = {specified, OctetSalt},
+ iterationCount = Count,
+ keyLength = Length,
+ prf = Prf}} = KeyDerivationFunc,
+ #'PBES2-params_encryptionScheme'{algorithm = Algo} = EncScheme,
+ {PseudoRandomFunction, PseudoOtputLen} = pseudo_random_function(Prf),
+ KeyLen = derived_key_length(Algo, Length),
+ {iolist_to_binary(OctetSalt), Count, KeyLen, PseudoRandomFunction, PseudoOtputLen, iv(EncScheme)}.
+
+%% This function currently matches a tuple that ougth to be the value ?'id-hmacWithSHA1,
+%% but we need some kind of ASN1-fix for this.
pseudo_random_function(#'PBKDF2-params_prf'{algorithm = {_,_, _,'id-hmacWithSHA1'}}) ->
- %%fun crypto:sha_mac_n/3.
- fun crypto:sha_mac/2.
+ {fun crypto:sha_mac/3, pseudo_output_length(?'id-hmacWithSHA1')}.
-pseudo_key_length(asn1_NOVALUE, #'PBKDF2-params_prf'{algorithm = {_,_, _,'id-hmacWithSHA1'}}) ->
- ?DEFAULT_SHA_MAC_KEYLEN;
-pseudo_key_length(Len, _) when is_integer(Len) ->
- Len.
+pseudo_output_length(?'id-hmacWithSHA1') ->
+ ?DEFAULT_SHA_MAC_KEYLEN.
-derived_key_length("DES-CBC") ->
+derived_key_length(_, Len) when is_integer(Len) ->
+ Len;
+derived_key_length(Cipher,_) when (Cipher == ?'desCBC') or (Cipher == "DES-CBC") ->
8;
-%% derived_key_length("RC2-CBC") ->
-%% 5;
-derived_key_length("DES-EDE3-CBC") ->
+derived_key_length(Cipher,_) when (Cipher == ?'rc2CBC') or (Cipher == "RC2-CBC") ->
+ 16;
+derived_key_length(Cipher,_) when (Cipher == ?'des-EDE3-CBC') or (Cipher == "DES-EDE3-CBC") ->
24.
cipher(#'PBES2-params_encryptionScheme'{algorithm = ?'desCBC'}) ->
"DES-CBC";
cipher(#'PBES2-params_encryptionScheme'{algorithm = ?'des-EDE3-CBC'}) ->
- "DES-EDE3-CBC".
-%% cipher(#'PBES2-params_encryptionScheme'{algorithm = ?'rc2CBC'}) ->
-%% "RC2-CBC".
+ "DES-EDE3-CBC";
+cipher(#'PBES2-params_encryptionScheme'{algorithm = ?'rc2CBC'}) ->
+ "RC2-CBC".
ceiling(Float) ->
erlang:round(Float + 0.5).