pkcs5: initial scrypt params support (#434)

Support for parsing scrypt parameters from a PBES2 AlgorithmIdentifier.

No support for actually deriving an `EncryptionKey` using scrypt is yet
included, but that's the next logical step.

Additionally adds a test vector generated using OpenSSL:

$ openssl pkcs8 -v2 aes-256-cbc -scrypt -topk8 -inform der -in ed25519-priv.der -out ed25519-encpriv-aes256-scrypt.pem

Author: tarcieri

Cargo.lock

@@ -17,7 +17,7 @@ readme = "README.md"
 der = { version = "0.3", features = ["oid"], path = "../der" }
 spki = { version = "0.3", path = "../spki" }
 
-aes = { version = "0.7", optional = true }
+aes = { version = "0.7.3", optional = true }
 block-modes = { version = "0.8", optional = true, default-features = false }
 hmac = { version = "0.11", optional = true, default-features = false }
 pbkdf2 = { version = "0.8", optional = true, default-features = false }

pkcs5/Cargo.toml

@@ -2,30 +2,20 @@
 //!
 //! [RFC 8018 Section 6.2]: https://tools.ietf.org/html/rfc8018#section-6.2
 
+mod kdf;
+
 #[cfg(feature = "pbes2")]
 mod encryption;
 
+pub use self::kdf::*;
+
 use crate::{AlgorithmIdentifier, CryptoError, ObjectIdentifier};
 use core::convert::{TryFrom, TryInto};
 use der::{Any, Decodable, Encodable, Encoder, Error, ErrorKind, Length, Message, OctetString};
 
 #[cfg(all(feature = "alloc", feature = "pbes2"))]
 use alloc::vec::Vec;
 
-/// Password-Based Encryption Scheme 2 (PBES2) OID.
-///
-/// <https://tools.ietf.org/html/rfc8018#section-6.2>
-pub const PBES2_OID: ObjectIdentifier = ObjectIdentifier::new("1.2.840.113549.1.5.13");
-
-/// Password-Based Key Derivation Function (PBKDF2) OID.
-pub const PBKDF2_OID: ObjectIdentifier = ObjectIdentifier::new("1.2.840.113549.1.5.12");
-
-/// HMAC-SHA1 (for use with PBKDF2)
-pub const HMAC_WITH_SHA1_OID: ObjectIdentifier = ObjectIdentifier::new("1.2.840.113549.2.7");
-
-/// HMAC-SHA-256 (for use with PBKDF2)
-pub const HMAC_WITH_SHA256_OID: ObjectIdentifier = ObjectIdentifier::new("1.2.840.113549.2.9");
-
 /// 128-bit Advanced Encryption Standard (AES) algorithm with Cipher-Block
 /// Chaining (CBC) mode of operation.
 pub const AES_128_CBC_OID: ObjectIdentifier = ObjectIdentifier::new("2.16.840.1.101.3.4.1.2");
@@ -34,6 +24,11 @@ pub const AES_128_CBC_OID: ObjectIdentifier = ObjectIdentifier::new("2.16.840.1.
 /// Chaining (CBC) mode of operation.
 pub const AES_256_CBC_OID: ObjectIdentifier = ObjectIdentifier::new("2.16.840.1.101.3.4.1.42");
 
+/// Password-Based Encryption Scheme 2 (PBES2) OID.
+///
+/// <https://tools.ietf.org/html/rfc8018#section-6.2>
+pub const PBES2_OID: ObjectIdentifier = ObjectIdentifier::new("1.2.840.113549.1.5.13");
+
 /// AES cipher block size
 const AES_BLOCK_SIZE: usize = 16;
 
@@ -175,253 +170,6 @@ impl<'a> Message<'a> for Parameters<'a> {
     }
 }
 
-/// Password-based key derivation function.
-#[derive(Clone, Debug, Eq, PartialEq)]
-#[non_exhaustive]
-pub enum Kdf<'a> {
-    /// Password-Based Key Derivation Function 2 (PBKDF2).
-    Pbkdf2(Pbkdf2Params<'a>),
-}
-
-impl<'a> Kdf<'a> {
-    /// Get the [`ObjectIdentifier`] (a.k.a OID) for this algorithm.
-    pub fn oid(&self) -> ObjectIdentifier {
-        match self {
-            Self::Pbkdf2(_) => PBKDF2_OID,
-        }
-    }
-
-    /// Get [`Pbkdf2Params`] if it is the selected algorithm.
-    pub fn pbkdf2(&self) -> Option<&Pbkdf2Params<'a>> {
-        match self {
-            Self::Pbkdf2(params) => Some(params),
-        }
-    }
-
-    /// Is the selected KDF PBKDF2?
-    pub fn is_pbkdf2(&self) -> bool {
-        self.pbkdf2().is_some()
-    }
-}
-
-impl<'a> From<Pbkdf2Params<'a>> for Kdf<'a> {
-    fn from(params: Pbkdf2Params<'a>) -> Self {
-        Kdf::Pbkdf2(params)
-    }
-}
-
-impl<'a> TryFrom<Any<'a>> for Kdf<'a> {
-    type Error = Error;
-
-    fn try_from(any: Any<'a>) -> der::Result<Self> {
-        AlgorithmIdentifier::try_from(any).and_then(TryInto::try_into)
-    }
-}
-
-impl<'a> TryFrom<AlgorithmIdentifier<'a>> for Kdf<'a> {
-    type Error = Error;
-
-    fn try_from(alg: AlgorithmIdentifier<'a>) -> der::Result<Self> {
-        match alg.oid {
-            PBKDF2_OID => alg
-                .parameters_any()
-                .and_then(TryFrom::try_from)
-                .map(Self::Pbkdf2),
-            oid => Err(ErrorKind::UnknownOid { oid }.into()),
-        }
-    }
-}
-
-impl<'a> Message<'a> for Kdf<'a> {
-    fn fields<F, T>(&self, f: F) -> der::Result<T>
-    where
-        F: FnOnce(&[&dyn Encodable]) -> der::Result<T>,
-    {
-        match self {
-            Self::Pbkdf2(params) => f(&[&self.oid(), params]),
-        }
-    }
-}
-
-/// Password-Based Key Derivation Scheme 2 parameters as defined in
-/// [RFC 8018 Appendix A.2].
-///
-/// ```text
-/// PBKDF2-params ::= SEQUENCE {
-///     salt CHOICE {
-///         specified OCTET STRING,
-///         otherSource AlgorithmIdentifier {{PBKDF2-SaltSources}}
-///     },
-///     iterationCount INTEGER (1..MAX),
-///     keyLength INTEGER (1..MAX) OPTIONAL,
-///     prf AlgorithmIdentifier {{PBKDF2-PRFs}} DEFAULT
-///     algid-hmacWithSHA1 }
-/// ```
-///
-/// [RFC 8018 Appendix A.2]: https://tools.ietf.org/html/rfc8018#appendix-A.2
-#[derive(Copy, Clone, Debug, Eq, PartialEq)]
-pub struct Pbkdf2Params<'a> {
-    /// PBKDF2 salt
-    // TODO(tarcieri): support `CHOICE` with `otherSource`
-    pub salt: &'a [u8],
-
-    /// PBKDF2 iteration count
-    pub iteration_count: u16,
-
-    /// PBKDF2 output length
-    // TODO(tarcieri): support this OPTIONAL field
-    // Blocked on: https://github.com/RustCrypto/utils/issues/271
-    pub key_length: Option<u16>,
-
-    /// Pseudo-random function to use with PBKDF2
-    pub prf: Pbkdf2Prf,
-}
-
-impl<'a> Pbkdf2Params<'a> {
-    /// Initialize PBKDF2-SHA256 with the given iteration count and salt
-    pub fn hmac_with_sha256(iteration_count: u16, salt: &'a [u8]) -> Result<Self, CryptoError> {
-        Ok(Self {
-            salt,
-            iteration_count,
-            key_length: None,
-            prf: Pbkdf2Prf::HmacWithSha256,
-        })
-    }
-}
-
-impl<'a> TryFrom<Any<'a>> for Pbkdf2Params<'a> {
-    type Error = Error;
-
-    fn try_from(any: Any<'a>) -> der::Result<Self> {
-        any.sequence(|params| {
-            // TODO(tarcieri): support salt `CHOICE` w\ `AlgorithmIdentifier`
-            let salt = params.octet_string()?;
-            let iteration_count = params.decode()?;
-
-            // TODO(tarcieri): support OPTIONAL key length field
-            // Blocked on: https://github.com/RustCrypto/utils/issues/271
-            let key_length = None;
-            let prf: Option<AlgorithmIdentifier<'_>> = params.optional()?;
-
-            Ok(Self {
-                salt: salt.as_bytes(),
-                iteration_count,
-                key_length,
-                prf: prf.map(TryInto::try_into).transpose()?.unwrap_or_default(),
-            })
-        })
-    }
-}
-
-impl<'a> Message<'a> for Pbkdf2Params<'a> {
-    fn fields<F, T>(&self, f: F) -> der::Result<T>
-    where
-        F: FnOnce(&[&dyn Encodable]) -> der::Result<T>,
-    {
-        if self.prf == Pbkdf2Prf::default() {
-            f(&[
-                &OctetString::new(self.salt)?,
-                &self.iteration_count,
-                &self.key_length,
-            ])
-        } else {
-            f(&[
-                &OctetString::new(self.salt)?,
-                &self.iteration_count,
-                &self.key_length,
-                &self.prf,
-            ])
-        }
-    }
-}
-
-/// Pseudo-random function used by PBKDF2.
-#[derive(Copy, Clone, Debug, Eq, PartialEq)]
-#[non_exhaustive]
-pub enum Pbkdf2Prf {
-    /// HMAC with SHA1
-    HmacWithSha1,
-
-    /// HMAC with SHA-256
-    HmacWithSha256,
-}
-
-impl Pbkdf2Prf {
-    /// Get the [`ObjectIdentifier`] (a.k.a OID) for this algorithm.
-    pub fn oid(self) -> ObjectIdentifier {
-        match self {
-            Self::HmacWithSha1 => HMAC_WITH_SHA1_OID,
-            Self::HmacWithSha256 => HMAC_WITH_SHA256_OID,
-        }
-    }
-}
-
-/// Default PRF as specified in RFC 8018 Appendix A.2:
-///
-/// ```text
-/// prf AlgorithmIdentifier {{PBKDF2-PRFs}} DEFAULT algid-hmacWithSHA1
-/// ```
-///
-/// Note that modern usage should avoid the use of SHA-1, despite it being
-/// the "default" here.
-impl Default for Pbkdf2Prf {
-    fn default() -> Self {
-        Self::HmacWithSha1
-    }
-}
-
-impl<'a> TryFrom<Any<'a>> for Pbkdf2Prf {
-    type Error = Error;
-
-    fn try_from(any: Any<'a>) -> der::Result<Self> {
-        AlgorithmIdentifier::try_from(any).and_then(TryInto::try_into)
-    }
-}
-
-impl<'a> TryFrom<AlgorithmIdentifier<'a>> for Pbkdf2Prf {
-    type Error = Error;
-
-    fn try_from(alg: AlgorithmIdentifier<'a>) -> der::Result<Self> {
-        if let Some(params) = alg.parameters {
-            // TODO(tarcieri): support non-NULL parameters?
-            if !params.is_null() {
-                return Err(ErrorKind::Value { tag: params.tag() }.into());
-            }
-        } else {
-            // TODO(tarcieri): support OPTIONAL parameters?
-            return Err(ErrorKind::Truncated.into());
-        }
-
-        match alg.oid {
-            HMAC_WITH_SHA1_OID => Ok(Self::HmacWithSha1),
-            HMAC_WITH_SHA256_OID => Ok(Self::HmacWithSha256),
-            oid => Err(ErrorKind::UnknownOid { oid }.into()),
-        }
-    }
-}
-
-impl<'a> From<Pbkdf2Prf> for AlgorithmIdentifier<'a> {
-    fn from(prf: Pbkdf2Prf) -> Self {
-        // TODO(tarcieri): support non-NULL parameters?
-        let parameters = der::Null;
-
-        AlgorithmIdentifier {
-            oid: prf.oid(),
-            parameters: Some(parameters.into()),
-        }
-    }
-}
-
-impl Encodable for Pbkdf2Prf {
-    fn encoded_len(&self) -> der::Result<Length> {
-        AlgorithmIdentifier::try_from(*self)?.encoded_len()
-    }
-
-    fn encode(&self, encoder: &mut Encoder<'_>) -> der::Result<()> {
-        AlgorithmIdentifier::try_from(*self)?.encode(encoder)
-    }
-}
-
 /// Symmetric encryption scheme used by PBES2.
 #[derive(Copy, Clone, Debug, Eq, PartialEq)]
 #[non_exhaustive]