KeyCheck should be verified when attempting user keys from vault storage (currently only from initial passphrase)

[danielweck]

The KeyCheck is correctly verified in DecryptUserKey():

readium-lcp-client/src/lcp-client-lib/CryptoppCryptoProvider.cpp

Lines 232 to 276 in e4c02fd

	Status CryptoppCryptoProvider::DecryptUserKey(
	const std::string & userPassphrase,
	ILicense * license,
	KeyType & userKey1,
	KeyType & userKey2
	)
	{
	try
	{
	#if ENABLE_PROFILE_NAMES
	IEncryptionProfile * profile = m_encryptionProfilesManager->GetProfile(license->Crypto()->EncryptionProfile());
	if (profile == nullptr)
	{
	return Status(StatusCode::ErrorCommonEncryptionProfileNotFound, "ErrorCommonEncryptionProfileNotFound");
	}
	#else
	IEncryptionProfile * profile = m_encryptionProfilesManager->GetProfile();
	#endif //ENABLE_PROFILE_NAMES
	std::unique_ptr<IHashAlgorithm> hashAlgorithm(profile->CreateUserKeyAlgorithm());
	hashAlgorithm->UpdateHash(userPassphrase);
	userKey1 = hashAlgorithm->Hash();
	Status resx = this->LegacyPassphraseUserKey(userKey1, userKey2);
	if (!Status::IsSuccess(resx)) {
	return resx;
	}
	//http://www.w3.org/2009/xmlenc11#aes256-gcm
	//http://www.w3.org/2001/04/xmlenc#aes256-cbc
	const std::string algorithm = license->Crypto()->ContentKeyAlgorithm();
	std::unique_ptr<ISymmetricAlgorithm> contentKeyAlgorithm(profile->CreateContentKeyAlgorithm(userKey2, algorithm));
	std::string id = contentKeyAlgorithm->Decrypt(license->Crypto()->UserKeyCheck());
	if (!EqualsUtf8(id, license->Id()))
	{
	return Status(StatusCode::ErrorDecryptionUserPassphraseNotValid, "ErrorDecryptionUserPassphraseNotValid");
	}
	return Status(StatusCode::ErrorCommonSuccess);
	}
	catch (const CryptoPP::Exception & ex)
	{
	return Status(StatusCode::ErrorDecryptionUserPassphraseNotValid, "ErrorDecryptionUserPassphraseNotValid: " + ex.GetWhat());
	}
	}

However, it should also be verified in DecryptContentKey():

readium-lcp-client/src/lcp-client-lib/CryptoppCryptoProvider.cpp

Lines 278 to 310 in e4c02fd

	Status CryptoppCryptoProvider::DecryptContentKey(
	const KeyType & userKey,
	ILicense * license,
	KeyType & contentKey
	)
	{
	try
	{
	#if ENABLE_PROFILE_NAMES
	IEncryptionProfile * profile = m_encryptionProfilesManager->GetProfile(license->Crypto()->EncryptionProfile());
	if (profile == nullptr)
	{
	return Status(StatusCode::ErrorCommonEncryptionProfileNotFound, "ErrorCommonEncryptionProfileNotFound");
	}
	#else
	IEncryptionProfile * profile = m_encryptionProfilesManager->GetProfile();
	#endif //ENABLE_PROFILE_NAMES
	//http://www.w3.org/2009/xmlenc11#aes256-gcm
	//http://www.w3.org/2001/04/xmlenc#aes256-cbc
	const std::string algorithm = license->Crypto()->ContentKeyAlgorithm();
	std::unique_ptr<ISymmetricAlgorithm> contentKeyAlgorithm(profile->CreateContentKeyAlgorithm(userKey, algorithm));
	std::string decryptedContentKey = contentKeyAlgorithm->Decrypt(license->Crypto()->ContentKey());
	contentKey.assign(decryptedContentKey.begin(), decryptedContentKey.end());
	return Status(StatusCode::ErrorCommonSuccess);
	}
	catch (const CryptoPP::Exception & ex)
	{
	return Status(StatusCode::ErrorDecryptionLicenseEncrypted, "ErrorDecryptionLicenseEncrypted: " + ex.GetWhat());
	}
	}

The only reason why the current code "works" is because of a fortunate side effect from the CryptoPP lib, which emits an error when an attempt to decrypt a cypher using the wrong key is made, because of incorrect padding number parsing:

readium-lcp-client/src/third-parties/cryptopp/filters.cpp

Line 762 in e4c02fd

throw InvalidCiphertext("StreamTransformationFilter: invalid W3C block padding found");

The source of the problem is DecryptLicenseByStorage():

readium-lcp-client/src/lcp-client-lib/LcpService.cpp

Lines 410 to 459 in e4c02fd

	Status LcpService::DecryptLicenseByStorage(ILicense * license)
	{
	if (m_storageProvider == nullptr)
	{
	return Status(StatusCode::ErrorCommonNoStorageProvider, "ErrorCommonNoStorageProvider");
	}
	std::string userKeyHex = m_storageProvider->GetValue(
	UserKeysVaultId,
	BuildStorageProviderKey(license)
	);
	if (!userKeyHex.empty())
	{
	KeyType userKey1;
	Status res = m_cryptoProvider->ConvertHexToRaw(userKeyHex, userKey1);
	if (!Status::IsSuccess(res))
	return res;
	KeyType userKey2;
	res = m_cryptoProvider->LegacyPassphraseUserKey(userKey1, userKey2);
	if (!Status::IsSuccess(res))
	return res;
	res = this->DecryptLicenseByUserKey(license, userKey2);
	if (Status::IsSuccess(res)) {
	return res;
	}
	}
	std::unique_ptr<KvStringsIterator> it(m_storageProvider->EnumerateVault(UserKeysVaultId));
	for (it->First(); !it->IsDone(); it->Next())
	{
	std::string userKeyHex = it->Current();
	KeyType userKey1;
	Status res = m_cryptoProvider->ConvertHexToRaw(userKeyHex, userKey1);
	if (!Status::IsSuccess(res))
	continue;
	KeyType userKey2;
	res = m_cryptoProvider->LegacyPassphraseUserKey(userKey1, userKey2);
	if (!Status::IsSuccess(res))
	continue;
	res = this->DecryptLicenseByUserKey(license, userKey2);
	if (Status::IsSuccess(res))
	return res;
	}
	return Status(StatusCode::ErrorDecryptionLicenseEncrypted, "ErrorDecryptionLicenseEncrypted");
	}

...more specifically m_storageProvider->EnumerateVault which will find the first existing user key that "works", without actually verifying the KeyCheck!

This is the call chain:

OpenLicense() => CheckDecrypted() => DecryptLicenseOnOpening() => DecryptLicenseByStorage()

Then DecryptLicenseByUserKey() => DecryptContentKey() where the KeyCheck verification is missing. Thankfully, we have the CryptoPP "crash" to simulate the KeyCheck verification, but this is VERY hacky!

The line that crashes:

readium-lcp-client/src/lcp-client-lib/CryptoppCryptoProvider.cpp

Line 301 in e4c02fd

std::string decryptedContentKey = contentKeyAlgorithm->Decrypt(license->Crypto()->ContentKey());

...is caught here:

readium-lcp-client/src/lcp-client-lib/CryptoppCryptoProvider.cpp

Lines 306 to 309 in e4c02fd

	catch (const CryptoPP::Exception & ex)
	{
	return Status(StatusCode::ErrorDecryptionLicenseEncrypted, "ErrorDecryptionLicenseEncrypted: " + ex.GetWhat());
	}

...which allows graceful continuation of the m_storageProvider->EnumerateVault iteration, here:

readium-lcp-client/src/lcp-client-lib/LcpService.cpp

Lines 454 to 456 in e4c02fd

	res = this->DecryptLicenseByUserKey(license, userKey2);
	if (Status::IsSuccess(res))
	return res;

[danielweck]

Fixed in the feature/latest-working-build-config branch (Pull Request #49)
f89dcac

[danielweck]

Follow-up fix for more general UTF8 validation checks:
1c4bb3f