...
Run Format

Source file src/crypto/x509/pem_decrypt.go

Documentation: crypto/x509

  // Copyright 2012 The Go Authors. All rights reserved.
  // Use of this source code is governed by a BSD-style
  // license that can be found in the LICENSE file.
  
  package x509
  
  // RFC 1423 describes the encryption of PEM blocks. The algorithm used to
  // generate a key from the password was derived by looking at the OpenSSL
  // implementation.
  
  import (
  	"crypto/aes"
  	"crypto/cipher"
  	"crypto/des"
  	"crypto/md5"
  	"encoding/hex"
  	"encoding/pem"
  	"errors"
  	"io"
  	"strings"
  )
  
  type PEMCipher int
  
  // Possible values for the EncryptPEMBlock encryption algorithm.
  const (
  	_ PEMCipher = iota
  	PEMCipherDES
  	PEMCipher3DES
  	PEMCipherAES128
  	PEMCipherAES192
  	PEMCipherAES256
  )
  
  // rfc1423Algo holds a method for enciphering a PEM block.
  type rfc1423Algo struct {
  	cipher     PEMCipher
  	name       string
  	cipherFunc func(key []byte) (cipher.Block, error)
  	keySize    int
  	blockSize  int
  }
  
  // rfc1423Algos holds a slice of the possible ways to encrypt a PEM
  // block. The ivSize numbers were taken from the OpenSSL source.
  var rfc1423Algos = []rfc1423Algo{{
  	cipher:     PEMCipherDES,
  	name:       "DES-CBC",
  	cipherFunc: des.NewCipher,
  	keySize:    8,
  	blockSize:  des.BlockSize,
  }, {
  	cipher:     PEMCipher3DES,
  	name:       "DES-EDE3-CBC",
  	cipherFunc: des.NewTripleDESCipher,
  	keySize:    24,
  	blockSize:  des.BlockSize,
  }, {
  	cipher:     PEMCipherAES128,
  	name:       "AES-128-CBC",
  	cipherFunc: aes.NewCipher,
  	keySize:    16,
  	blockSize:  aes.BlockSize,
  }, {
  	cipher:     PEMCipherAES192,
  	name:       "AES-192-CBC",
  	cipherFunc: aes.NewCipher,
  	keySize:    24,
  	blockSize:  aes.BlockSize,
  }, {
  	cipher:     PEMCipherAES256,
  	name:       "AES-256-CBC",
  	cipherFunc: aes.NewCipher,
  	keySize:    32,
  	blockSize:  aes.BlockSize,
  },
  }
  
  // deriveKey uses a key derivation function to stretch the password into a key
  // with the number of bits our cipher requires. This algorithm was derived from
  // the OpenSSL source.
  func (c rfc1423Algo) deriveKey(password, salt []byte) []byte {
  	hash := md5.New()
  	out := make([]byte, c.keySize)
  	var digest []byte
  
  	for i := 0; i < len(out); i += len(digest) {
  		hash.Reset()
  		hash.Write(digest)
  		hash.Write(password)
  		hash.Write(salt)
  		digest = hash.Sum(digest[:0])
  		copy(out[i:], digest)
  	}
  	return out
  }
  
  // IsEncryptedPEMBlock returns if the PEM block is password encrypted.
  func IsEncryptedPEMBlock(b *pem.Block) bool {
  	_, ok := b.Headers["DEK-Info"]
  	return ok
  }
  
  // IncorrectPasswordError is returned when an incorrect password is detected.
  var IncorrectPasswordError = errors.New("x509: decryption password incorrect")
  
  // DecryptPEMBlock takes a password encrypted PEM block and the password used to
  // encrypt it and returns a slice of decrypted DER encoded bytes. It inspects
  // the DEK-Info header to determine the algorithm used for decryption. If no
  // DEK-Info header is present, an error is returned. If an incorrect password
  // is detected an IncorrectPasswordError is returned. Because of deficiencies
  // in the encrypted-PEM format, it's not always possible to detect an incorrect
  // password. In these cases no error will be returned but the decrypted DER
  // bytes will be random noise.
  func DecryptPEMBlock(b *pem.Block, password []byte) ([]byte, error) {
  	dek, ok := b.Headers["DEK-Info"]
  	if !ok {
  		return nil, errors.New("x509: no DEK-Info header in block")
  	}
  
  	idx := strings.Index(dek, ",")
  	if idx == -1 {
  		return nil, errors.New("x509: malformed DEK-Info header")
  	}
  
  	mode, hexIV := dek[:idx], dek[idx+1:]
  	ciph := cipherByName(mode)
  	if ciph == nil {
  		return nil, errors.New("x509: unknown encryption mode")
  	}
  	iv, err := hex.DecodeString(hexIV)
  	if err != nil {
  		return nil, err
  	}
  	if len(iv) != ciph.blockSize {
  		return nil, errors.New("x509: incorrect IV size")
  	}
  
  	// Based on the OpenSSL implementation. The salt is the first 8 bytes
  	// of the initialization vector.
  	key := ciph.deriveKey(password, iv[:8])
  	block, err := ciph.cipherFunc(key)
  	if err != nil {
  		return nil, err
  	}
  
  	if len(b.Bytes)%block.BlockSize() != 0 {
  		return nil, errors.New("x509: encrypted PEM data is not a multiple of the block size")
  	}
  
  	data := make([]byte, len(b.Bytes))
  	dec := cipher.NewCBCDecrypter(block, iv)
  	dec.CryptBlocks(data, b.Bytes)
  
  	// Blocks are padded using a scheme where the last n bytes of padding are all
  	// equal to n. It can pad from 1 to blocksize bytes inclusive. See RFC 1423.
  	// For example:
  	//	[x y z 2 2]
  	//	[x y 7 7 7 7 7 7 7]
  	// If we detect a bad padding, we assume it is an invalid password.
  	dlen := len(data)
  	if dlen == 0 || dlen%ciph.blockSize != 0 {
  		return nil, errors.New("x509: invalid padding")
  	}
  	last := int(data[dlen-1])
  	if dlen < last {
  		return nil, IncorrectPasswordError
  	}
  	if last == 0 || last > ciph.blockSize {
  		return nil, IncorrectPasswordError
  	}
  	for _, val := range data[dlen-last:] {
  		if int(val) != last {
  			return nil, IncorrectPasswordError
  		}
  	}
  	return data[:dlen-last], nil
  }
  
  // EncryptPEMBlock returns a PEM block of the specified type holding the
  // given DER-encoded data encrypted with the specified algorithm and
  // password.
  func EncryptPEMBlock(rand io.Reader, blockType string, data, password []byte, alg PEMCipher) (*pem.Block, error) {
  	ciph := cipherByKey(alg)
  	if ciph == nil {
  		return nil, errors.New("x509: unknown encryption mode")
  	}
  	iv := make([]byte, ciph.blockSize)
  	if _, err := io.ReadFull(rand, iv); err != nil {
  		return nil, errors.New("x509: cannot generate IV: " + err.Error())
  	}
  	// The salt is the first 8 bytes of the initialization vector,
  	// matching the key derivation in DecryptPEMBlock.
  	key := ciph.deriveKey(password, iv[:8])
  	block, err := ciph.cipherFunc(key)
  	if err != nil {
  		return nil, err
  	}
  	enc := cipher.NewCBCEncrypter(block, iv)
  	pad := ciph.blockSize - len(data)%ciph.blockSize
  	encrypted := make([]byte, len(data), len(data)+pad)
  	// We could save this copy by encrypting all the whole blocks in
  	// the data separately, but it doesn't seem worth the additional
  	// code.
  	copy(encrypted, data)
  	// See RFC 1423, section 1.1
  	for i := 0; i < pad; i++ {
  		encrypted = append(encrypted, byte(pad))
  	}
  	enc.CryptBlocks(encrypted, encrypted)
  
  	return &pem.Block{
  		Type: blockType,
  		Headers: map[string]string{
  			"Proc-Type": "4,ENCRYPTED",
  			"DEK-Info":  ciph.name + "," + hex.EncodeToString(iv),
  		},
  		Bytes: encrypted,
  	}, nil
  }
  
  func cipherByName(name string) *rfc1423Algo {
  	for i := range rfc1423Algos {
  		alg := &rfc1423Algos[i]
  		if alg.name == name {
  			return alg
  		}
  	}
  	return nil
  }
  
  func cipherByKey(key PEMCipher) *rfc1423Algo {
  	for i := range rfc1423Algos {
  		alg := &rfc1423Algos[i]
  		if alg.cipher == key {
  			return alg
  		}
  	}
  	return nil
  }
  

View as plain text