1 // Copyright 2012 The Go Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style 3 // license that can be found in the LICENSE file. 4 5 package x509 6 7 // RFC 1423 describes the encryption of PEM blocks. The algorithm used to 8 // generate a key from the password was derived by looking at the OpenSSL 9 // implementation. 10 11 import ( 12 "crypto/aes" 13 "crypto/cipher" 14 "crypto/des" 15 "crypto/md5" 16 "encoding/hex" 17 "encoding/pem" 18 "errors" 19 "io" 20 "strings" 21 ) 22 23 type PEMCipher int 24 25 // Possible values for the EncryptPEMBlock encryption algorithm. 26 const ( 27 _ PEMCipher = iota 28 PEMCipherDES 29 PEMCipher3DES 30 PEMCipherAES128 31 PEMCipherAES192 32 PEMCipherAES256 33 ) 34 35 // rfc1423Algo holds a method for enciphering a PEM block. 36 type rfc1423Algo struct { 37 cipher PEMCipher 38 name string 39 cipherFunc func(key []byte) (cipher.Block, error) 40 keySize int 41 blockSize int 42 } 43 44 // rfc1423Algos holds a slice of the possible ways to encrypt a PEM 45 // block. The ivSize numbers were taken from the OpenSSL source. 46 var rfc1423Algos = []rfc1423Algo{{ 47 cipher: PEMCipherDES, 48 name: "DES-CBC", 49 cipherFunc: des.NewCipher, 50 keySize: 8, 51 blockSize: des.BlockSize, 52 }, { 53 cipher: PEMCipher3DES, 54 name: "DES-EDE3-CBC", 55 cipherFunc: des.NewTripleDESCipher, 56 keySize: 24, 57 blockSize: des.BlockSize, 58 }, { 59 cipher: PEMCipherAES128, 60 name: "AES-128-CBC", 61 cipherFunc: aes.NewCipher, 62 keySize: 16, 63 blockSize: aes.BlockSize, 64 }, { 65 cipher: PEMCipherAES192, 66 name: "AES-192-CBC", 67 cipherFunc: aes.NewCipher, 68 keySize: 24, 69 blockSize: aes.BlockSize, 70 }, { 71 cipher: PEMCipherAES256, 72 name: "AES-256-CBC", 73 cipherFunc: aes.NewCipher, 74 keySize: 32, 75 blockSize: aes.BlockSize, 76 }, 77 } 78 79 // deriveKey uses a key derivation function to stretch the password into a key 80 // with the number of bits our cipher requires. This algorithm was derived from 81 // the OpenSSL source. 82 func (c rfc1423Algo) deriveKey(password, salt []byte) []byte { 83 hash := md5.New() 84 out := make([]byte, c.keySize) 85 var digest []byte 86 87 for i := 0; i < len(out); i += len(digest) { 88 hash.Reset() 89 hash.Write(digest) 90 hash.Write(password) 91 hash.Write(salt) 92 digest = hash.Sum(digest[:0]) 93 copy(out[i:], digest) 94 } 95 return out 96 } 97 98 // IsEncryptedPEMBlock returns if the PEM block is password encrypted. 99 func IsEncryptedPEMBlock(b *pem.Block) bool { 100 _, ok := b.Headers["DEK-Info"] 101 return ok 102 } 103 104 // IncorrectPasswordError is returned when an incorrect password is detected. 105 var IncorrectPasswordError = errors.New("x509: decryption password incorrect") 106 107 // DecryptPEMBlock takes a password encrypted PEM block and the password used to 108 // encrypt it and returns a slice of decrypted DER encoded bytes. It inspects 109 // the DEK-Info header to determine the algorithm used for decryption. If no 110 // DEK-Info header is present, an error is returned. If an incorrect password 111 // is detected an IncorrectPasswordError is returned. Because of deficiencies 112 // in the encrypted-PEM format, it's not always possible to detect an incorrect 113 // password. In these cases no error will be returned but the decrypted DER 114 // bytes will be random noise. 115 func DecryptPEMBlock(b *pem.Block, password []byte) ([]byte, error) { 116 dek, ok := b.Headers["DEK-Info"] 117 if !ok { 118 return nil, errors.New("x509: no DEK-Info header in block") 119 } 120 121 idx := strings.Index(dek, ",") 122 if idx == -1 { 123 return nil, errors.New("x509: malformed DEK-Info header") 124 } 125 126 mode, hexIV := dek[:idx], dek[idx+1:] 127 ciph := cipherByName(mode) 128 if ciph == nil { 129 return nil, errors.New("x509: unknown encryption mode") 130 } 131 iv, err := hex.DecodeString(hexIV) 132 if err != nil { 133 return nil, err 134 } 135 if len(iv) != ciph.blockSize { 136 return nil, errors.New("x509: incorrect IV size") 137 } 138 139 // Based on the OpenSSL implementation. The salt is the first 8 bytes 140 // of the initialization vector. 141 key := ciph.deriveKey(password, iv[:8]) 142 block, err := ciph.cipherFunc(key) 143 if err != nil { 144 return nil, err 145 } 146 147 if len(b.Bytes)%block.BlockSize() != 0 { 148 return nil, errors.New("x509: encrypted PEM data is not a multiple of the block size") 149 } 150 151 data := make([]byte, len(b.Bytes)) 152 dec := cipher.NewCBCDecrypter(block, iv) 153 dec.CryptBlocks(data, b.Bytes) 154 155 // Blocks are padded using a scheme where the last n bytes of padding are all 156 // equal to n. It can pad from 1 to blocksize bytes inclusive. See RFC 1423. 157 // For example: 158 // [x y z 2 2] 159 // [x y 7 7 7 7 7 7 7] 160 // If we detect a bad padding, we assume it is an invalid password. 161 dlen := len(data) 162 if dlen == 0 || dlen%ciph.blockSize != 0 { 163 return nil, errors.New("x509: invalid padding") 164 } 165 last := int(data[dlen-1]) 166 if dlen < last { 167 return nil, IncorrectPasswordError 168 } 169 if last == 0 || last > ciph.blockSize { 170 return nil, IncorrectPasswordError 171 } 172 for _, val := range data[dlen-last:] { 173 if int(val) != last { 174 return nil, IncorrectPasswordError 175 } 176 } 177 return data[:dlen-last], nil 178 } 179 180 // EncryptPEMBlock returns a PEM block of the specified type holding the 181 // given DER-encoded data encrypted with the specified algorithm and 182 // password. 183 func EncryptPEMBlock(rand io.Reader, blockType string, data, password []byte, alg PEMCipher) (*pem.Block, error) { 184 ciph := cipherByKey(alg) 185 if ciph == nil { 186 return nil, errors.New("x509: unknown encryption mode") 187 } 188 iv := make([]byte, ciph.blockSize) 189 if _, err := io.ReadFull(rand, iv); err != nil { 190 return nil, errors.New("x509: cannot generate IV: " + err.Error()) 191 } 192 // The salt is the first 8 bytes of the initialization vector, 193 // matching the key derivation in DecryptPEMBlock. 194 key := ciph.deriveKey(password, iv[:8]) 195 block, err := ciph.cipherFunc(key) 196 if err != nil { 197 return nil, err 198 } 199 enc := cipher.NewCBCEncrypter(block, iv) 200 pad := ciph.blockSize - len(data)%ciph.blockSize 201 encrypted := make([]byte, len(data), len(data)+pad) 202 // We could save this copy by encrypting all the whole blocks in 203 // the data separately, but it doesn't seem worth the additional 204 // code. 205 copy(encrypted, data) 206 // See RFC 1423, section 1.1 207 for i := 0; i < pad; i++ { 208 encrypted = append(encrypted, byte(pad)) 209 } 210 enc.CryptBlocks(encrypted, encrypted) 211 212 return &pem.Block{ 213 Type: blockType, 214 Headers: map[string]string{ 215 "Proc-Type": "4,ENCRYPTED", 216 "DEK-Info": ciph.name + "," + hex.EncodeToString(iv), 217 }, 218 Bytes: encrypted, 219 }, nil 220 } 221 222 func cipherByName(name string) *rfc1423Algo { 223 for i := range rfc1423Algos { 224 alg := &rfc1423Algos[i] 225 if alg.name == name { 226 return alg 227 } 228 } 229 return nil 230 } 231 232 func cipherByKey(key PEMCipher) *rfc1423Algo { 233 for i := range rfc1423Algos { 234 alg := &rfc1423Algos[i] 235 if alg.cipher == key { 236 return alg 237 } 238 } 239 return nil 240 } 241
