go_S-MIME/oid/key_wrap.go

package oid

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/binary"
	"errors"
)

// KeyWrap wraps and unwraps key with the key encrytion key (KEK) for a given (KeyWrapAlgorithm)
type KeyWrap struct {
	KEK              []byte
	KeyWrapAlgorithm asn1.ObjectIdentifier
}

// Wrap wraps the content encryption key (cek)
func (kw *KeyWrap) Wrap(cek []byte) (ciphertext []byte, err error) {

	var block cipher.Block
	switch kw.KeyWrapAlgorithm.String() {
	case AES128Wrap.String(), AES192Wrap.String(), AES256Wrap.String():
		block, err = aes.NewCipher(kw.KEK)
		if err != nil {
			return
		}
	}

	return Wrap(block, cek)

}

// UnWrap unwraps the encrypted key (encKey)
func (kw *KeyWrap) UnWrap(encKey []byte) (cek []byte, err error) {

	var block cipher.Block
	switch kw.KeyWrapAlgorithm.String() {
	case AES128Wrap.String(), AES192Wrap.String(), AES256Wrap.String():
		block, err = aes.NewCipher(kw.KEK)
		if err != nil {
			return
		}
	}

	return Unwrap(block, encKey)

}

// KeyLen returns the key lenght of the key wrap algorithm
func (kw *KeyWrap) KeyLen() (len int) {

	switch kw.KeyWrapAlgorithm.String() {
	case AES128Wrap.String():
		len = 16
	case AES192Wrap.String():
		len = 24
	case AES256Wrap.String():
		len = 32
	}

	return
}

// AlgorithmIdentifier returns the OID of the key wrap algorithm
func (kw *KeyWrap) AlgorithmIdentifier() (algID pkix.AlgorithmIdentifier) {

	switch kw.KeyWrapAlgorithm.String() {
	case AES128Wrap.String(), AES192Wrap.String(), AES256Wrap.String():
		algID = pkix.AlgorithmIdentifier{Algorithm: kw.KeyWrapAlgorithm}
	}

	return
}

// defaultIV from RFC-3394
var defaultIV = []byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}

// Wrap encrypts the content encryption key (cek) with the given AES cipher (block), using the AES Key Wrap algorithm (RFC-3394)
func Wrap(block cipher.Block, cek []byte) (encKey []byte, err error) {
	if len(cek)%8 != 0 {
		return nil, errors.New("Lenght of cek must be in 8-byte blocks")
	}

	// 1. Initialize variables

	// Set A = IV, an initial value (see 2.2.3)
	B := make([]byte, 16)
	copy(B, defaultIV)

	// For i = 1 to n
	// R[i] = P[i]
	encKey = make([]byte, len(cek)+8)
	copy(encKey[8:], cek)

	n := len(cek) / 8

	// 2. Calculate intermediate values.
	for j := 0; j <= 5; j++ {
		for i := 1; i <= n; i++ {

			// B = AES(K, A | R[i])
			copy(B[8:], encKey[i*8:(i+1)*8])
			block.Encrypt(B, B)

			// A = MSB(64, B) ^ t where t = (n*j)+i
			t := uint64(n*j + i)
			b := binary.BigEndian.Uint64(B[:8]) ^ t
			binary.BigEndian.PutUint64(B[:8], b)

			// R[i] = LSB(64, B)
			copy(encKey[i*8:(i+1)*8], B[8:])
		}
	}

	// 3. Output the results.
	copy(encKey[:8], B[:8])
	return
}

// Unwrap decrypts the provided encrypted key (encKey) with the given AES cipher (block), using the AES Key Wrap algorithm (RFC-3394).
// Returns an error if validation fails.
func Unwrap(block cipher.Block, encKey []byte) (cek []byte, err error) {
	if len(cek)%8 != 0 {
		return nil, errors.New("Length of encKey must multiple 8-bytes")
	}

	//Initialize variables
	B := make([]byte, 16)
	copy(B, encKey[:8])

	cek = make([]byte, len(encKey)-8)
	copy(cek, encKey[8:])

	n := (len(encKey) / 8) - 1

	//Compute intermediate values
	for j := 5; j >= 0; j-- {
		for i := n; i >= 1; i-- {

			// B = AES-1(K, (A ^ t) | R[i]) where t = n*j+i
			copy(B[8:], cek[(i-1)*8:i*8])
			t := uint64(n*j + i)
			b := binary.BigEndian.Uint64(B[:8]) ^ t
			binary.BigEndian.PutUint64(B[:8], b)

			block.Decrypt(B, B)

			// A = MSB(64, B)
			// R[i] = LSB(64, B)
			copy(cek[(i-1)*8:i*8], B[8:])

		}
	}

	if subtle.ConstantTimeCompare(B[:8], defaultIV) != 1 {
		return nil, errors.New("Integrity check failed - unexpected IV")
	}

	//Output
	return
}
Added support for ECDH in enveloped data with ECDSA certificates. - fixed parsing of choice(was compatible with Apple mail.app which tagged kari explicitly) - minor fixes 2018-12-10 16:18:29 +00:00			`package oid`

			`import (`
			`"crypto/aes"`
			`"crypto/cipher"`
			`"crypto/subtle"`
			`"crypto/x509/pkix"`
			`"encoding/asn1"`
			`"encoding/binary"`
			`"errors"`
			`)`

			`// KeyWrap wraps and unwraps key with the key encrytion key (KEK) for a given (KeyWrapAlgorithm)`
			`type KeyWrap struct {`
			`KEK []byte`
			`KeyWrapAlgorithm asn1.ObjectIdentifier`
			`}`

			`// Wrap wraps the content encryption key (cek)`
			`func (kw *KeyWrap) Wrap(cek []byte) (ciphertext []byte, err error) {`

			`var block cipher.Block`
			`switch kw.KeyWrapAlgorithm.String() {`
			`case AES128Wrap.String(), AES192Wrap.String(), AES256Wrap.String():`
			`block, err = aes.NewCipher(kw.KEK)`
			`if err != nil {`
			`return`
			`}`
			`}`

			`return Wrap(block, cek)`

			`}`

			`// UnWrap unwraps the encrypted key (encKey)`
			`func (kw *KeyWrap) UnWrap(encKey []byte) (cek []byte, err error) {`

			`var block cipher.Block`
			`switch kw.KeyWrapAlgorithm.String() {`
			`case AES128Wrap.String(), AES192Wrap.String(), AES256Wrap.String():`
			`block, err = aes.NewCipher(kw.KEK)`
			`if err != nil {`
			`return`
			`}`
			`}`

			`return Unwrap(block, encKey)`

			`}`

			`// KeyLen returns the key lenght of the key wrap algorithm`
			`func (kw *KeyWrap) KeyLen() (len int) {`

			`switch kw.KeyWrapAlgorithm.String() {`
			`case AES128Wrap.String():`
			`len = 16`
			`case AES192Wrap.String():`
			`len = 24`
			`case AES256Wrap.String():`
			`len = 32`
			`}`

			`return`
			`}`

			`// AlgorithmIdentifier returns the OID of the key wrap algorithm`
			`func (kw *KeyWrap) AlgorithmIdentifier() (algID pkix.AlgorithmIdentifier) {`

			`switch kw.KeyWrapAlgorithm.String() {`
			`case AES128Wrap.String(), AES192Wrap.String(), AES256Wrap.String():`
			`algID = pkix.AlgorithmIdentifier{Algorithm: kw.KeyWrapAlgorithm}`
			`}`

			`return`
			`}`

			`// defaultIV from RFC-3394`
			`var defaultIV = []byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}`

			`// Wrap encrypts the content encryption key (cek) with the given AES cipher (block), using the AES Key Wrap algorithm (RFC-3394)`
			`func Wrap(block cipher.Block, cek []byte) (encKey []byte, err error) {`
			`if len(cek)%8 != 0 {`
			`return nil, errors.New("Lenght of cek must be in 8-byte blocks")`
			`}`

			`// 1. Initialize variables`

			`// Set A = IV, an initial value (see 2.2.3)`
			`B := make([]byte, 16)`
			`copy(B, defaultIV)`

			`// For i = 1 to n`
			`// R[i] = P[i]`
			`encKey = make([]byte, len(cek)+8)`
			`copy(encKey[8:], cek)`

			`n := len(cek) / 8`

			`// 2. Calculate intermediate values.`
			`for j := 0; j <= 5; j++ {`
			`for i := 1; i <= n; i++ {`

			`// B = AES(K, A \| R[i])`
			`copy(B[8:], encKey[i8:(i+1)8])`
			`block.Encrypt(B, B)`

			`// A = MSB(64, B) ^ t where t = (n*j)+i`
			`t := uint64(n*j + i)`
			`b := binary.BigEndian.Uint64(B[:8]) ^ t`
			`binary.BigEndian.PutUint64(B[:8], b)`

			`// R[i] = LSB(64, B)`
			`copy(encKey[i8:(i+1)8], B[8:])`
			`}`
			`}`

			`// 3. Output the results.`
			`copy(encKey[:8], B[:8])`
			`return`
			`}`

			`// Unwrap decrypts the provided encrypted key (encKey) with the given AES cipher (block), using the AES Key Wrap algorithm (RFC-3394).`
			`// Returns an error if validation fails.`
			`func Unwrap(block cipher.Block, encKey []byte) (cek []byte, err error) {`
			`if len(cek)%8 != 0 {`
			`return nil, errors.New("Length of encKey must multiple 8-bytes")`
			`}`

			`//Initialize variables`
			`B := make([]byte, 16)`
			`copy(B, encKey[:8])`

			`cek = make([]byte, len(encKey)-8)`
			`copy(cek, encKey[8:])`

			`n := (len(encKey) / 8) - 1`

			`//Compute intermediate values`
			`for j := 5; j >= 0; j-- {`
			`for i := n; i >= 1; i-- {`

			`// B = AES-1(K, (A ^ t) \| R[i]) where t = n*j+i`
			`copy(B[8:], cek[(i-1)8:i8])`
			`t := uint64(n*j + i)`
			`b := binary.BigEndian.Uint64(B[:8]) ^ t`
			`binary.BigEndian.PutUint64(B[:8], b)`

			`block.Decrypt(B, B)`

			`// A = MSB(64, B)`
			`// R[i] = LSB(64, B)`
			`copy(cek[(i-1)8:i8], B[8:])`

			`}`
			`}`

			`if subtle.ConstantTimeCompare(B[:8], defaultIV) != 1 {`
			`return nil, errors.New("Integrity check failed - unexpected IV")`
			`}`

			`//Output`
			`return`
			`}`