add ecdsa key support and enable 4,092 RSA

* apcssh: add descriptive error when required file(s) not passed * create: dont create key+cert file when key isn't supported by NMC2 * config: fix usage messages re: key types * p15 files: dont generate key+cert when it isn't needed (aka NMC2 doesn't support key) * pkcs15: pre-calculate envelope when making the p15 struct * pkcs15: omit key ID 8 & 9 from EC keys * pkcs15: update key decode logic * pkcs15: add key type value for easy determination of compatibility * pkcs15: add ec key support * pkcs15: separate functions for key and key+cert p15 files * update README see: https://github.com/gregtwallace/apc-p15-tool/issues/6
2025-07-07 00:16:34 +00:00 · 2024-09-17 18:44:33 -04:00 · 2024-09-17 18:44:33 -04:00 · cbb831e009
commit cbb831e009
parent 51e5847409
12 changed files with 508 additions and 266 deletions
--- a/pkg/pkcs15/encrypted_envelope.go
+++ b/pkg/pkcs15/encrypted_envelope.go
@ -21,14 +21,19 @@ const (
 	apcKEKIterations = 5000
 )

-// encryptedKeyEnvelope encrypts p15's rsa private key using the algorithms and
-// params expected in the APC file. Salt values are always random.
-func (p15 *pkcs15KeyCert) encryptedKeyEnvelope() ([]byte, error) {
+// encryptedKeyEnvelope encrypts p15's private key using the algorithms and
+// params expected in the APC file.
+func (p15 *pkcs15KeyCert) computeEncryptedKeyEnvelope() error {
+	// if computation already performed, this is a no-op (keep existing envelope)
+	if p15.envelopedPrivateKey != nil && len(p15.envelopedPrivateKey) != 0 {
+		return nil
+	}
+
 	// calculate values for the object
 	kekSalt := make([]byte, 8)
 	_, err := rand.Read(kekSalt)
 	if err != nil {
-		return nil, err
+		return err
 	}

 	// kek hash alg
@ -42,7 +47,7 @@ func (p15 *pkcs15KeyCert) encryptedKeyEnvelope() ([]byte, error) {
 	// make DES cipher from KEK for CEK
 	cekDesCipher, err := des.NewTripleDESCipher(kek)
 	if err != nil {
-		return nil, err
+		return err
 	}

 	// cek (16 bytes for authEnc128) -- see: rfc3211
@ -50,7 +55,7 @@ func (p15 *pkcs15KeyCert) encryptedKeyEnvelope() ([]byte, error) {
 	cek := make([]byte, cekLen)
 	_, err = rand.Read(cek)
 	if err != nil {
-		return nil, err
+		return err
 	}

 	// LEN + Check Val [3]
@ -71,7 +76,7 @@ func (p15 *pkcs15KeyCert) encryptedKeyEnvelope() ([]byte, error) {
 	cekPadding := make([]byte, cekPadLen)
 	_, err = rand.Read(cekPadding)
 	if err != nil {
-		return nil, err
+		return err
 	}

 	wrappedCEK = append(wrappedCEK, cekPadding...)
@ -80,7 +85,7 @@ func (p15 *pkcs15KeyCert) encryptedKeyEnvelope() ([]byte, error) {
 	cekEncryptSalt := make([]byte, 8)
 	_, err = rand.Read(cekEncryptSalt)
 	if err != nil {
-		return nil, err
+		return err
 	}

 	cekEncrypter := cipher.NewCBCEncrypter(cekDesCipher, cekEncryptSalt)
@ -94,13 +99,13 @@ func (p15 *pkcs15KeyCert) encryptedKeyEnvelope() ([]byte, error) {
 	contentEncSalt := make([]byte, 8)
 	_, err = rand.Read(contentEncSalt)
 	if err != nil {
-		return nil, err
+		return err
 	}

 	contentEncryptKey := pbkdf2.Key(cek, []byte("encryption"), 1, 24, sha1.New)
 	contentDesCipher, err := des.NewTripleDESCipher(contentEncryptKey)
 	if err != nil {
-		return nil, err
+		return err
 	}

 	// envelope content (that will be encrypted)
@ -151,7 +156,7 @@ func (p15 *pkcs15KeyCert) encryptedKeyEnvelope() ([]byte, error) {
 	// make MAC
 	_, err = macHasher.Write(hashMe)
 	if err != nil {
-		return nil, err
+		return err
 	}
 	mac := macHasher.Sum(nil)

@ -218,5 +223,7 @@ func (p15 *pkcs15KeyCert) encryptedKeyEnvelope() ([]byte, error) {
 		finalEnv = append(finalEnv, envelope[i]...)
 	}

-	return finalEnv, nil
+	// set p15 struct envelope
+	p15.envelopedPrivateKey = finalEnv
+	return nil
 }