search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
(DISTFILES): Comment out a few missing files.
[mono-project.git] / mcs / class / System.Security / System.Security.Cryptography.Xml / SymmetricKeyWrap.cs
blobdc2c30ed5243cf77a2960f6cc31c41be0fab000b
1 //
2 // SymmetricKeyWrap.cs - Implements symmetric key wrap algorithms
3 //
4 // Author:
5 // Tim Coleman (tim@timcoleman.com)
6 //
7 // Copyright (C) Tim Coleman, 2004
8 //
9
10 //
11 // Permission is hereby granted, free of charge, to any person obtaining
12 // a copy of this software and associated documentation files (the
13 // "Software"), to deal in the Software without restriction, including
14 // without limitation the rights to use, copy, modify, merge, publish,
15 // distribute, sublicense, and/or sell copies of the Software, and to
16 // permit persons to whom the Software is furnished to do so, subject to
17 // the following conditions:
18 //
19 // The above copyright notice and this permission notice shall be
20 // included in all copies or substantial portions of the Software.
21 //
22 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
23 // EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
24 // MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
25 // NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
26 // LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
27 // OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
28 // WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
29 //
30
31 #if NET_2_0
32
33 using System.IO;
34 using System.Security.Cryptography;
35
36 namespace System.Security.Cryptography.Xml {
37
38 internal class SymmetricKeyWrap {
39
40 public SymmetricKeyWrap ()
41 {
42 }
43
44 public static byte[] AESKeyWrapEncrypt (byte[] rgbKey, byte[] rgbWrappedKeyData)
45 {
46 SymmetricAlgorithm symAlg = SymmetricAlgorithm.Create ("Rijndael");
47
48 // Apparently no one felt the need to document that this requires Electronic Codebook mode.
49 symAlg.Mode = CipherMode.ECB;
50
51 // This was also not documented anywhere.
52 symAlg.IV = new byte [16] {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};
53
54 ICryptoTransform transform = symAlg.CreateEncryptor (rgbKey, symAlg.IV);
55
56 int N = rgbWrappedKeyData.Length / 8;
57 byte[] A;
58 byte[] B = new Byte [16];
59 byte [] C = new byte [8 * (N + 1)];
60
61 // 1. if N is 1:
62 // B = AES(K)enc(0xA6A6A6A6A6A6A6A6|P(1))
63 // C(0) = MSB(B)
64 // C(1) = LSB(B)
65 if (N == 1) {
66 A = new byte [8] {0xa6, 0xa6, 0xa6, 0xa6, 0xa6, 0xa6, 0xa6, 0xa6};
67 transform.TransformBlock (Concatenate (A, rgbWrappedKeyData), 0, 16, B, 0);
68 Buffer.BlockCopy (MSB(B), 0, C, 0, 8);
69 Buffer.BlockCopy (LSB(B), 0, C, 8, 8);
70 } else {
71 // if N > 1, perform the following steps:
72 // 2. Initialize variables:
73 // Set A to 0xA6A6A6A6A6A6A6A6
74 // For i = 1 to N,
75 // R(i) = P(i)
76 A = new byte [8] {0xa6, 0xa6, 0xa6, 0xa6, 0xa6, 0xa6, 0xa6, 0xa6};
77
78 byte[][] R = new byte [N + 1][];
79 for (int i = 1; i <= N; i += 1) {
80 R [i] = new byte [8];
81 Buffer.BlockCopy (rgbWrappedKeyData, 8 * (i - 1), R [i], 0, 8);
82 }
83
84 // 3. Calculate intermediate values:
85 // For j = 0 to 5
86 // For i = 1 to N
87 // t = i + j * N
88 // B = AES(K)enc(A|R(i))
89 // A = XOR(t, MSB(B))
90 // R(i) = LSB(B)
91
92 for (int j = 0; j <= 5; j += 1) {
93 for (int i = 1; i <= N; i += 1) {
94 transform.TransformBlock (Concatenate (A, R [i]), 0, 16, B, 0);
95
96 // Yawn. It was nice of those at NIST to document how exactly we should XOR
97 // an integer value with a byte array. Not.
98 byte[] T = BitConverter.GetBytes ((long) (N * j + i));
99
100 // This is nice.
101 if (BitConverter.IsLittleEndian)
102 Array.Reverse (T);
103
104 A = Xor (T, MSB(B));
105 R [i] = LSB (B);
106 }
107 }
108
109 // 4. Output the results:
110 // Set C(0) = A
111 // For i = 1 to N
112 // C(i) = R(i)
113 Buffer.BlockCopy (A, 0, C, 0, 8);
114 for (int i = 1; i <= N; i += 1)
115 Buffer.BlockCopy (R [i], 0, C, 8 * i, 8);
116 }
117 return C;
118 }
119
120 public static byte[] AESKeyWrapDecrypt (byte[] rgbKey, byte[] rgbEncryptedWrappedKeyData)
121 {
122 SymmetricAlgorithm symAlg = SymmetricAlgorithm.Create ("Rijndael");
123 symAlg.Mode = CipherMode.ECB;
124 symAlg.Key = rgbKey;
125
126 int N = ( rgbEncryptedWrappedKeyData.Length / 8 ) - 1;
127
128 // From RFC 3394 - Advanced Encryption Standard (AES) Key Wrap Algorithm
129 //
130 // Inputs: Ciphertext, (n+1) 64-bit values (C0, C1, ..., Cn), and Key, K (the KEK)
131 // Outputs: Plaintext, n 64-bit values (P1, P2, ..., Pn)
132 //
133 // 1. Initialize variables.
134 // Set A = C[0]
135
136 byte[] A = new byte [8];
137 Buffer.BlockCopy (rgbEncryptedWrappedKeyData, 0, A, 0, 8);
138
139 // For i = 1 to n
140 // R[i] = C[i]
141
142 byte[] R = new byte [N * 8];
143 Buffer.BlockCopy (rgbEncryptedWrappedKeyData, 8, R, 0, rgbEncryptedWrappedKeyData.Length - 8);
144
145 // 2. Compute intermediate values.
146 // For j = 5 to 0
147 // For i = n to 1
148 // B = AES-1(K, (A^t) | R[i]) where t = n*j+i
149 // A = MSB (64,B)
150 // R[i] = LSB (64,B)
151
152 ICryptoTransform transform = symAlg.CreateDecryptor ();
153
154 for (int j = 5; j >= 0; j -= 1) {
155 for (int i = N; i >= 1; i -= 1) {
156 byte[] T = BitConverter.GetBytes ((long) N * j + i);
157 if (BitConverter.IsLittleEndian)
158 Array.Reverse (T);
159
160 byte[] B = new Byte [16];
161 byte[] r = new Byte [8];
162 Buffer.BlockCopy (R, 8 * (i - 1), r, 0, 8);
163 byte[] ciphertext = Concatenate (Xor (A, T), r);
164 transform.TransformBlock (ciphertext, 0, 16, B, 0);
165 A = MSB (B);
166 Buffer.BlockCopy (LSB (B), 0, R, 8 * (i - 1), 8);
167 }
168 }
169
170 // 3. Output results
171 // If A is an appropriate initial value
172 // Then
173 // For i = 1 to n
174 // P[i] = R[i]
175 // Else
176 // Return an error
177
178 return R;
179 }
180
181 public static byte[] TripleDESKeyWrapEncrypt (byte[] rgbKey, byte[] rgbWrappedKeyData)
182 {
183 SymmetricAlgorithm symAlg = SymmetricAlgorithm.Create ("TripleDES");
184
185 // Algorithm from http://www.w3.org/TR/xmlenc-core/#sec-Alg-SymmetricKeyWrap
186 // The following algorithm wraps (encrypts) a key (the wrapped key, WK) under a TRIPLEDES
187 // key-encryption-key (KEK) as adopted from [CMS-Algorithms].
188
189 // 1. Represent the key being wrapped as an octet sequence. If it is a TRIPLEDES key,
190 // this is 24 octets (192 bits) with odd parity bit as the bottom bit of each octet.
191
192 // rgbWrappedKeyData is the key being wrapped.
193
194 // 2. Compute the CMS key checksum (Section 5.6.1) call this CKS.
195
196 byte[] cks = ComputeCMSKeyChecksum (rgbWrappedKeyData);
197
198 // 3. Let WKCKS = WK || CKS, where || is concatenation.
199
200 byte[] wkcks = Concatenate (rgbWrappedKeyData, cks);
201
202 // 4. Generate 8 random octets and call this IV.
203 symAlg.GenerateIV ();
204
205 // 5. Encrypt WKCKS in CBC mode using KEK as the key and IV as the initialization vector.
206 // Call the results TEMP1.
207
208 symAlg.Mode = CipherMode.CBC;
209 symAlg.Padding = PaddingMode.None;
210 symAlg.Key = rgbKey;
211 byte[] temp1 = Transform (wkcks, symAlg.CreateEncryptor ());
212
213 // 6. Let TEMP2 = IV || TEMP1.
214
215 byte[] temp2 = Concatenate (symAlg.IV, temp1);
216
217 // 7. Reverse the order of the octets in TEMP2 and call the result TEMP3.
218
219 Array.Reverse (temp2); // TEMP3 is TEMP2
220
221 // 8. Encrypt TEMP3 in CBC mode using the KEK and an initialization vector of 0x4adda22c79e82105.
222 // The resulting cipher text is the desired result. It is 40 octets long if a 168 bit key
223 // is being wrapped.
224
225 symAlg.IV = new Byte [8] {0x4a, 0xdd, 0xa2, 0x2c, 0x79, 0xe8, 0x21, 0x05};
226
227 byte[] rtnval = Transform (temp2, symAlg.CreateEncryptor ());
228
229 return rtnval;
230 }
231
232 public static byte[] TripleDESKeyWrapDecrypt (byte[] rgbKey, byte[] rgbEncryptedWrappedKeyData)
233 {
234 SymmetricAlgorithm symAlg = SymmetricAlgorithm.Create ("TripleDES");
235
236 // Algorithm from http://www.w3.org/TR/xmlenc-core/#sec-Alg-SymmetricKeyWrap
237 // The following algorithm unwraps (decrypts) a key as adopted from [CMS-Algorithms].
238
239 // 1. Check the length of the cipher text is reasonable given the key type. It must be
240 // 40 bytes for a 168 bit key and either 32, 40, or 48 bytes for a 128, 192, or 256 bit
241 // key. If the length is not supported or inconsistent with the algorithm for which the
242 // key is intended, return error.
243
244 // 2. Decrypt the cipher text with TRIPLEDES in CBC mode using the KEK and an initialization
245 // vector (IV) of 0x4adda22c79e82105. Call the output TEMP3.
246
247 symAlg.Mode = CipherMode.CBC;
248 symAlg.Padding = PaddingMode.None;
249 symAlg.Key = rgbKey;
250 symAlg.IV = new Byte [8] {0x4a, 0xdd, 0xa2, 0x2c, 0x79, 0xe8, 0x21, 0x05};
251
252 byte[] temp3 = Transform (rgbEncryptedWrappedKeyData, symAlg.CreateDecryptor ());
253
254 // 3. Reverse the order of the octets in TEMP3 and call the result TEMP2.
255
256 Array.Reverse (temp3); // TEMP2 is TEMP3.
257
258 // 4. Decompose TEMP2 into IV, the first 8 octets, and TEMP1, the remaining octets.
259
260 byte[] temp1 = new Byte [temp3.Length - 8];
261 byte[] iv = new Byte [8];
262
263 Buffer.BlockCopy (temp3, 0, iv, 0, 8);
264 Buffer.BlockCopy (temp3, 8, temp1, 0, temp1.Length);
265
266 // 5. Decrypt TEMP1 using TRIPLEDES in CBC mode using the KEK and the IV found in the previous step.
267 // Call the result WKCKS.
268
269 symAlg.IV = iv;
270 byte[] wkcks = Transform (temp1, symAlg.CreateDecryptor ());
271
272 // 6. Decompose WKCKS. CKS is the last 8 octets and WK, the wrapped key, are those octets before
273 // the CKS.
274
275 byte[] cks = new byte [8];
276 byte[] wk = new byte [wkcks.Length - 8];
277
278 Buffer.BlockCopy (wkcks, 0, wk, 0, wk.Length);
279 Buffer.BlockCopy (wkcks, wk.Length, cks, 0, 8);
280
281 // 7. Calculate the CMS key checksum over the WK and compare with the CKS extracted in the above
282 // step. If they are not equal, return error.
283
284 // 8. WK is the wrapped key, now extracted for use in data decryption.
285 return wk;
286 }
287
288 private static byte[] Transform (byte[] data, ICryptoTransform t)
289 {
290 MemoryStream output = new MemoryStream ();
291 CryptoStream crypto = new CryptoStream (output, t, CryptoStreamMode.Write);
292
293 crypto.Write (data, 0, data.Length);
294 crypto.FlushFinalBlock ();
295
296 byte[] result = output.ToArray ();
297
298 output.Close ();
299 crypto.Close ();
300
301 return result;
302 }
303
304 private static byte[] ComputeCMSKeyChecksum (byte[] data)
305 {
306 byte[] hash = HashAlgorithm.Create ("SHA1").ComputeHash (data);
307 byte[] output = new byte [8];
308
309 Buffer.BlockCopy (hash, 0, output, 0, 8);
310
311 return output;
312 }
313
314 private static byte[] Concatenate (byte[] buf1, byte[] buf2)
315 {
316 byte[] output = new byte [buf1.Length + buf2.Length];
317 Buffer.BlockCopy (buf1, 0, output, 0, buf1.Length);
318 Buffer.BlockCopy (buf2, 0, output, buf1.Length, buf2.Length);
319 return output;
320 }
321
322 private static byte[] MSB (byte[] input)
323 {
324 return MSB (input, 8);
325 }
326
327 private static byte[] MSB (byte[] input, int bytes)
328 {
329 byte[] output = new byte [bytes];
330 Buffer.BlockCopy (input, 0, output, 0, bytes);
331 return output;
332 }
333
334 private static byte[] LSB (byte[] input)
335 {
336 return LSB (input, 8);
337 }
338
339 private static byte[] LSB (byte[] input, int bytes)
340 {
341 byte[] output = new byte [bytes];
342 Buffer.BlockCopy (input, bytes, output, 0, bytes);
343 return output;
344 }
345
346 private static byte[] Xor (byte[] x, byte[] y)
347 {
348 // This should *not* happen.
349 if (x.Length != y.Length)
350 throw new CryptographicException ("Error performing Xor: arrays different length.");
351
352 byte[] output = new byte [x.Length];
353 for (int i = 0; i < x.Length; i += 1)
354 output [i] = (byte) (x [i] ^ y [i]);
355 return output;
356 }
357
358 private static byte[] Xor (byte[] x, int n)
359 {
360 byte[] output = new Byte [x.Length];
361 for (int i = 0; i < x.Length; i += 1)
362 output [i] = (byte) ((int) x [i] ^ n);
363 return output;
364 }
365 }
366 }
367
368 #endif
Mirror of the official Mono project git repository