ecdsa_operation.cpp

/*
 * Copyright 2014 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#include <openssl/ecdsa.h>

#include "ec_key.h"
#include "ecdsa_operation.h"
#include "openssl_err.h"
#include "openssl_utils.h"

namespace keymaster {

static const keymaster_digest_t supported_digests[] = {KM_DIGEST_NONE};

class EcdsaOperationFactory : public OperationFactory {
  private:
    KeyType registry_key() const override { return KeyType(KM_ALGORITHM_EC, purpose()); }
    Operation* CreateOperation(const Key& key, const AuthorizationSet& begin_params,
                               keymaster_error_t* error) override;
    const keymaster_digest_t* SupportedDigests(size_t* digest_count) const override;

    virtual keymaster_purpose_t purpose() const = 0;
    virtual Operation* InstantiateOperation(keymaster_digest_t digest, EC_KEY* key) = 0;
};

Operation* EcdsaOperationFactory::CreateOperation(const Key& key,
                                                  const AuthorizationSet& begin_params,
                                                  keymaster_error_t* error) {
    const EcKey* ecdsa_key = static_cast<const EcKey*>(&key);
    if (!ecdsa_key) {
        *error = KM_ERROR_UNKNOWN_ERROR;
        return nullptr;
    }

    *error = KM_ERROR_UNSUPPORTED_DIGEST;
    keymaster_digest_t digest;
    if (!begin_params.GetTagValue(TAG_DIGEST, &digest)) {
        LOG_E("%d digests specified in begin params", begin_params.GetTagCount(TAG_DIGEST));
        return nullptr;
    } else if (!supported(digest)) {
        LOG_E("Digest %d not supported", digest);
        return nullptr;
    } else if (!ecdsa_key->authorizations().Contains(TAG_DIGEST, digest) &&
               !ecdsa_key->authorizations().Contains(TAG_DIGEST_OLD, digest)) {
        LOG_E("Digest %d was specified, but not authorized by key", digest);
        *error = KM_ERROR_INCOMPATIBLE_DIGEST;
        return NULL;
    }
    *error = KM_ERROR_OK;

    Operation* op = InstantiateOperation(digest, ecdsa_key->key());
    if (!op)
        *error = KM_ERROR_MEMORY_ALLOCATION_FAILED;
    return op;
}

const keymaster_digest_t* EcdsaOperationFactory::SupportedDigests(size_t* digest_count) const {
    *digest_count = array_length(supported_digests);
    return supported_digests;
}

class EcdsaSignOperationFactory : public EcdsaOperationFactory {
  private:
    keymaster_purpose_t purpose() const override { return KM_PURPOSE_SIGN; }
    Operation* InstantiateOperation(keymaster_digest_t digest, EC_KEY* key) {
        return new EcdsaSignOperation(purpose(), digest, key);
    }
};

static OperationFactoryRegistry::Registration<EcdsaSignOperationFactory> sign_registration;

class EcdsaVerifyOperationFactory : public EcdsaOperationFactory {
  public:
    keymaster_purpose_t purpose() const override { return KM_PURPOSE_VERIFY; }
    Operation* InstantiateOperation(keymaster_digest_t digest, EC_KEY* key) {
        return new EcdsaVerifyOperation(KM_PURPOSE_VERIFY, digest, key);
    }
};
static OperationFactoryRegistry::Registration<EcdsaVerifyOperationFactory> verify_registration;

EcdsaOperation::~EcdsaOperation() {
    if (ecdsa_key_ != NULL)
        EC_KEY_free(ecdsa_key_);
}

keymaster_error_t EcdsaOperation::Update(const AuthorizationSet& /* additional_params */,
                                         const Buffer& input, Buffer* /* output */,
                                         size_t* input_consumed) {
    assert(input_consumed);
    switch (purpose()) {
    default:
        return KM_ERROR_UNIMPLEMENTED;
    case KM_PURPOSE_SIGN:
    case KM_PURPOSE_VERIFY:
        return StoreData(input, input_consumed);
    }
}

keymaster_error_t EcdsaOperation::StoreData(const Buffer& input, size_t* input_consumed) {
    if (!data_.reserve(data_.available_read() + input.available_read()) ||
        !data_.write(input.peek_read(), input.available_read()))
        return KM_ERROR_MEMORY_ALLOCATION_FAILED;
    *input_consumed = input.available_read();
    return KM_ERROR_OK;
}

keymaster_error_t EcdsaSignOperation::Finish(const AuthorizationSet& /* additional_params */,
                                             const Buffer& /* signature */, Buffer* output) {
    assert(output);
    output->Reinitialize(ECDSA_size(ecdsa_key_));
    unsigned int siglen;
    if (!ECDSA_sign(0 /* type -- ignored */, data_.peek_read(), data_.available_read(),
                    output->peek_write(), &siglen, ecdsa_key_))
        return TranslateLastOpenSslError();
    output->advance_write(siglen);
    return KM_ERROR_OK;
}

keymaster_error_t EcdsaVerifyOperation::Finish(const AuthorizationSet& /* additional_params */,
                                               const Buffer& signature, Buffer* /* output */) {
    int result = ECDSA_verify(0 /* type -- ignored */, data_.peek_read(), data_.available_read(),
                              signature.peek_read(), signature.available_read(), ecdsa_key_);
    if (result < 0)
        return TranslateLastOpenSslError();
    else if (result == 0)
        return KM_ERROR_VERIFICATION_FAILED;
    else
        return KM_ERROR_OK;
}

}  // namespace keymaster