Gitiles
Code Review Sign In
gerrit.openfyde.cn / android.googlesource.com / platform / system / keymaster / 1615f2ecf2537db7b302eb9b5be4394f711fd815 / . / key_blob.cpp
blob: 6c14e4ad22fdbea98a94b5cb73b8232c8c909e44 [file] [log] [blame]
Shawn Willden4db3fbd2014-08-08 22:13:44 -0600[diff] [blame]1/*
2 * Copyright 2014 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#include <assert.h>
18
19#include <openssl/aes.h>
20#include <openssl/sha.h>
21
22#include "ae.h"
23#include "key_blob.h"
24#include "google_keymaster_utils.h"
25
26namespace keymaster {
27
28struct AeCtxDelete {
29 void operator()(ae_ctx* p) {
30 ae_clear(p);
31 ae_free(p);
32 }
33};
34
35const size_t KeyBlob::NONCE_LENGTH;
36const size_t KeyBlob::TAG_LENGTH;
37
38KeyBlob::KeyBlob(const AuthorizationSet& enforced, const AuthorizationSet& unenforced,
Shawn Willden39b970b2014-08-11 09:11:21 -0600[diff] [blame]39 const AuthorizationSet& hidden, const keymaster_key_blob_t& key,
Shawn Willdenebf627f2014-08-12 11:15:29 -0600[diff] [blame]40 const keymaster_key_blob_t& master_key, const uint8_t nonce[NONCE_LENGTH])
Shawn Willden39b970b2014-08-11 09:11:21 -0600[diff] [blame]41 : error_(KM_ERROR_OK), enforced_(enforced), unenforced_(unenforced), hidden_(hidden) {
Shawn Willden4db3fbd2014-08-08 22:13:44 -0600[diff] [blame]42 if (enforced_.is_valid() == AuthorizationSet::ALLOCATION_FAILURE ||
Shawn Willden76364712014-08-11 17:48:04 -0600[diff] [blame]43 unenforced_.is_valid() == AuthorizationSet::ALLOCATION_FAILURE ||
44 hidden_.is_valid() == AuthorizationSet::ALLOCATION_FAILURE) {
Shawn Willden4db3fbd2014-08-08 22:13:44 -0600[diff] [blame]45 error_ = KM_ERROR_MEMORY_ALLOCATION_FAILED;
46 return;
47 }
48
49 if (enforced_.is_valid() != AuthorizationSet::OK ||
Shawn Willden76364712014-08-11 17:48:04 -0600[diff] [blame]50 unenforced_.is_valid() != AuthorizationSet::OK ||
51 hidden_.is_valid() != AuthorizationSet::OK) {
Shawn Willden4db3fbd2014-08-08 22:13:44 -0600[diff] [blame]52 error_ = KM_ERROR_UNKNOWN_ERROR;
53 return;
54 }
55
Shawn Willden1615f2e2014-08-13 10:37:40 -0600[diff] [blame^]56 if (!ExtractKeyCharacteristics())
57 return;
58
Shawn Willden4db3fbd2014-08-08 22:13:44 -0600[diff] [blame]59 memcpy(nonce_, nonce, NONCE_LENGTH);
60
61 key_material_length_ = key.key_material_size;
62 key_material_.reset(new uint8_t[key_material_length_]);
63 encrypted_key_material_.reset(new uint8_t[key_material_length_]);
64
65 if (key_material_.get() == NULL || encrypted_key_material_.get() == NULL) {
66 error_ = KM_ERROR_MEMORY_ALLOCATION_FAILED;
67 return;
68 }
69
70 memcpy(key_material_.get(), key.key_material, key_material_length_);
71 EncryptKey(master_key);
72}
73
Shawn Willden39b970b2014-08-11 09:11:21 -0600[diff] [blame]74KeyBlob::KeyBlob(const keymaster_key_blob_t& key, const AuthorizationSet& hidden,
75 const keymaster_key_blob_t& master_key)
76 : hidden_(hidden) {
Shawn Willden4db3fbd2014-08-08 22:13:44 -0600[diff] [blame]77 if (!Deserialize(const_cast<const uint8_t**>(&(key.key_material)),
78 key.key_material + key.key_material_size))
79 return;
80 DecryptKey(master_key);
81}
82
83size_t KeyBlob::SerializedSize() const {
84 return NONCE_LENGTH + sizeof(uint32_t) + key_material_length() + TAG_LENGTH +
85 enforced_.SerializedSize() + unenforced_.SerializedSize();
86}
87
88uint8_t* KeyBlob::Serialize(uint8_t* buf, const uint8_t* end) const {
89 const uint8_t* start = buf;
90 buf = append_to_buf(buf, end, nonce(), NONCE_LENGTH);
91 buf = append_size_and_data_to_buf(buf, end, encrypted_key_material(), key_material_length());
92 buf = append_to_buf(buf, end, tag(), TAG_LENGTH);
93 buf = enforced_.Serialize(buf, end);
94 buf = unenforced_.Serialize(buf, end);
95 assert(buf - start == static_cast<ptrdiff_t>(SerializedSize()));
96 return buf;
97}
98
99bool KeyBlob::Deserialize(const uint8_t** buf, const uint8_t* end) {
100 uint8_t* tmp_key_ptr = NULL;
101
102 if (!copy_from_buf(buf, end, nonce_, NONCE_LENGTH) ||
103 !copy_size_and_data_from_buf(buf, end, &key_material_length_, &tmp_key_ptr) ||
104 !copy_from_buf(buf, end, tag_, TAG_LENGTH) || !enforced_.Deserialize(buf, end) ||
105 !unenforced_.Deserialize(buf, end)) {
106 if (tmp_key_ptr != NULL)
Shawn Willden39b970b2014-08-11 09:11:21 -0600[diff] [blame]107 delete[] tmp_key_ptr;
Shawn Willden4db3fbd2014-08-08 22:13:44 -0600[diff] [blame]108 error_ = KM_ERROR_INVALID_KEY_BLOB;
109 return false;
110 }
111
Shawn Willden1615f2e2014-08-13 10:37:40 -0600[diff] [blame^]112 if (!ExtractKeyCharacteristics())
113 return false;
114
Shawn Willden4db3fbd2014-08-08 22:13:44 -0600[diff] [blame]115 encrypted_key_material_.reset(tmp_key_ptr);
116 key_material_.reset(new uint8_t[key_material_length_]);
117 return true;
118}
119
120void KeyBlob::EncryptKey(const keymaster_key_blob_t& master_key) {
121 UniquePtr<ae_ctx, AeCtxDelete> ctx(InitializeKeyWrappingContext(master_key, &error_));
122 if (error_ != KM_ERROR_OK)
123 return;
124
125 int ae_err = ae_encrypt(ctx.get(), nonce_, key_material(), key_material_length(),
126 NULL /* additional data */, 0 /* additional data length */,
127 encrypted_key_material_.get(), tag_, 1 /* final */);
128 if (ae_err < 0) {
129 error_ = KM_ERROR_UNKNOWN_ERROR;
130 return;
131 }
132 assert(ae_err == static_cast<int>(key_material_length_));
133 error_ = KM_ERROR_OK;
134}
135
136void KeyBlob::DecryptKey(const keymaster_key_blob_t& master_key) {
137 UniquePtr<ae_ctx, AeCtxDelete> ctx(InitializeKeyWrappingContext(master_key, &error_));
138 if (error_ != KM_ERROR_OK)
139 return;
140
141 int ae_err = ae_decrypt(ctx.get(), nonce_, encrypted_key_material(), key_material_length(),
142 NULL /* additional data */, 0 /* additional data length */,
143 key_material_.get(), tag(), 1 /* final */);
144 if (ae_err == AE_INVALID) {
145 // Authentication failed! Decryption probably succeeded(ish), but we don't want to return
146 // any data when the authentication fails, so clear it.
Shawn Willden74aff352014-08-11 14:08:31 -0600[diff] [blame]147 memset_s(key_material_.get(), 0, key_material_length());
Shawn Willden4db3fbd2014-08-08 22:13:44 -0600[diff] [blame]148 error_ = KM_ERROR_INVALID_KEY_BLOB;
149 return;
150 } else if (ae_err < 0) {
151 error_ = KM_ERROR_UNKNOWN_ERROR;
152 return;
153 }
154 assert(ae_err == static_cast<int>(key_material_length_));
155 error_ = KM_ERROR_OK;
156}
157
158ae_ctx* KeyBlob::InitializeKeyWrappingContext(const keymaster_key_blob_t& master_key,
159 keymaster_error_t* error) const {
Shawn Willden39b970b2014-08-11 09:11:21 -0600[diff] [blame]160 size_t derivation_data_length;
161 UniquePtr<const uint8_t[]> derivation_data(BuildDerivationData(&derivation_data_length));
162 if (derivation_data.get() == NULL) {
Shawn Willden4db3fbd2014-08-08 22:13:44 -0600[diff] [blame]163 *error = KM_ERROR_MEMORY_ALLOCATION_FAILED;
164 return NULL;
165 }
166
167 *error = KM_ERROR_OK;
168 UniquePtr<ae_ctx, AeCtxDelete> ctx(ae_allocate(NULL));
169
170 SHA256_CTX sha256_ctx;
171 UniquePtr<uint8_t[]> hash_buf(new uint8_t[SHA256_DIGEST_LENGTH]);
172 Eraser hash_eraser(hash_buf.get(), SHA256_DIGEST_LENGTH);
173 UniquePtr<uint8_t[]> derived_key(new uint8_t[AES_BLOCK_SIZE]);
174 Eraser derived_key_eraser(derived_key.get(), AES_BLOCK_SIZE);
175
176 if (ctx.get() == NULL || hash_buf.get() == NULL || derived_key.get() == NULL) {
177 *error = KM_ERROR_MEMORY_ALLOCATION_FAILED;
178 return NULL;
179 }
180
181 Eraser sha256_ctx_eraser(sha256_ctx);
182
183 // Hash derivation data.
184 SHA256_Init(&sha256_ctx);
Shawn Willden39b970b2014-08-11 09:11:21 -0600[diff] [blame]185 SHA256_Update(&sha256_ctx, derivation_data.get(), derivation_data_length);
Shawn Willden4db3fbd2014-08-08 22:13:44 -0600[diff] [blame]186 SHA256_Final(hash_buf.get(), &sha256_ctx);
187
188 // Encrypt hash with master key to build derived key.
189 AES_KEY aes_key;
190 Eraser aes_key_eraser(AES_KEY);
191 if (AES_set_encrypt_key(master_key.key_material, master_key.key_material_size * 8, &aes_key) !=
192 0) {
193 *error = KM_ERROR_UNKNOWN_ERROR;
194 return NULL;
195 }
196 AES_encrypt(hash_buf.get(), derived_key.get(), &aes_key);
197
198 // Set up AES OCB context using derived key.
199 if (ae_init(ctx.get(), derived_key.get(), AES_BLOCK_SIZE, NONCE_LENGTH, TAG_LENGTH) ==
200 AE_SUCCESS)
201 return ctx.release();
202 else {
Shawn Willden74aff352014-08-11 14:08:31 -0600[diff] [blame]203 memset_s(ctx.get(), 0, ae_ctx_sizeof());
Shawn Willden4db3fbd2014-08-08 22:13:44 -0600[diff] [blame]204 return NULL;
205 }
206}
207
Shawn Willden39b970b2014-08-11 09:11:21 -0600[diff] [blame]208const uint8_t* KeyBlob::BuildDerivationData(size_t* derivation_data_length) const {
209 *derivation_data_length =
210 hidden_.SerializedSize() + enforced_.SerializedSize() + unenforced_.SerializedSize();
211 uint8_t* derivation_data = new uint8_t[*derivation_data_length];
212 if (derivation_data != NULL) {
213 uint8_t* buf = derivation_data;
214 uint8_t* end = derivation_data + *derivation_data_length;
215 buf = hidden_.Serialize(buf, end);
216 buf = enforced_.Serialize(buf, end);
217 buf = unenforced_.Serialize(buf, end);
218 }
219 return derivation_data;
Shawn Willden4db3fbd2014-08-08 22:13:44 -0600[diff] [blame]220}
221
Shawn Willden1615f2e2014-08-13 10:37:40 -0600[diff] [blame^]222bool KeyBlob::ExtractKeyCharacteristics() {
223 if (!enforced_.GetTagValue(TAG_ALGORITHM, &algorithm_) &&
224 !unenforced_.GetTagValue(TAG_ALGORITHM, &algorithm_)) {
225 error_ = KM_ERROR_UNSUPPORTED_ALGORITHM;
226 return false;
227 }
228 if (!enforced_.GetTagValue(TAG_KEY_SIZE, &key_size_bits_) &&
229 !unenforced_.GetTagValue(TAG_KEY_SIZE, &key_size_bits_)) {
230 error_ = KM_ERROR_UNSUPPORTED_KEY_SIZE;
231 return false;
232 }
233 return true;
234}
235
Shawn Willden4db3fbd2014-08-08 22:13:44 -0600[diff] [blame]236} // namespace keymaster