key_blob.cpp

/*
 * Copyright 2014 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#include <assert.h>

#include <openssl/aes.h>
#include <openssl/sha.h>

#include <keymaster/google_keymaster_utils.h>

#include "ae.h"
#include "key_blob.h"

namespace keymaster {

struct AeCtxDelete {
    void operator()(ae_ctx* p) {
        ae_clear(p);
        ae_free(p);
    }
};

const size_t KeyBlob::NONCE_LENGTH;
const size_t KeyBlob::TAG_LENGTH;

KeyBlob::KeyBlob(const AuthorizationSet& enforced, const AuthorizationSet& unenforced,
                 const AuthorizationSet& hidden, const keymaster_key_blob_t& key,
                 const keymaster_key_blob_t& master_key, const uint8_t nonce[NONCE_LENGTH])
    : error_(KM_ERROR_OK), nonce_(new uint8_t[NONCE_LENGTH]), tag_(new uint8_t[TAG_LENGTH]),
      enforced_(enforced), unenforced_(unenforced), hidden_(hidden) {
    if (!nonce_.get() || !tag_.get()) {
        error_ = KM_ERROR_MEMORY_ALLOCATION_FAILED;
        return;
    }
    error_ = KM_ERROR_OK;

    if (enforced_.is_valid() == AuthorizationSet::ALLOCATION_FAILURE ||
        unenforced_.is_valid() == AuthorizationSet::ALLOCATION_FAILURE ||
        hidden_.is_valid() == AuthorizationSet::ALLOCATION_FAILURE) {
        error_ = KM_ERROR_MEMORY_ALLOCATION_FAILED;
        return;
    }

    if (enforced_.is_valid() != AuthorizationSet::OK ||
        unenforced_.is_valid() != AuthorizationSet::OK ||
        hidden_.is_valid() != AuthorizationSet::OK) {
        error_ = KM_ERROR_UNKNOWN_ERROR;
        return;
    }

    if (!ExtractKeyCharacteristics())
        return;

    key_material_length_ = key.key_material_size;
    key_material_.reset(new uint8_t[key_material_length_]);
    encrypted_key_material_.reset(new uint8_t[key_material_length_]);

    if (!key_material_.get() || !encrypted_key_material_.get() || !nonce_.get() || !tag_.get()) {
        error_ = KM_ERROR_MEMORY_ALLOCATION_FAILED;
        return;
    }

    memcpy(nonce_.get(), nonce, NONCE_LENGTH);
    memcpy(key_material_.get(), key.key_material, key_material_length_);
    EncryptKey(master_key);
}

KeyBlob::KeyBlob(const keymaster_key_blob_t& key, const AuthorizationSet& hidden,
                 const keymaster_key_blob_t& master_key)
    : nonce_(new uint8_t[NONCE_LENGTH]), tag_(new uint8_t[TAG_LENGTH]), hidden_(hidden) {
    if (!nonce_.get() || !tag_.get()) {
        error_ = KM_ERROR_MEMORY_ALLOCATION_FAILED;
        return;
    }
    error_ = KM_ERROR_OK;

    const uint8_t* p = key.key_material;
    if (!Deserialize(&p, key.key_material + key.key_material_size))
        return;
    DecryptKey(master_key);
}

KeyBlob::KeyBlob(const uint8_t* key_blob, size_t blob_size)
    : nonce_(new uint8_t[NONCE_LENGTH]), tag_(new uint8_t[TAG_LENGTH]) {
    if (!nonce_.get() || !tag_.get()) {
        error_ = KM_ERROR_MEMORY_ALLOCATION_FAILED;
        return;
    }
    error_ = KM_ERROR_OK;

    if (!Deserialize(&key_blob, key_blob + blob_size))
        return;
}

size_t KeyBlob::SerializedSize() const {
    return NONCE_LENGTH + sizeof(uint32_t) + key_material_length() + TAG_LENGTH +
           enforced_.SerializedSize() + unenforced_.SerializedSize();
}

uint8_t* KeyBlob::Serialize(uint8_t* buf, const uint8_t* end) const {
    const uint8_t* start = buf;
    buf = append_to_buf(buf, end, nonce(), NONCE_LENGTH);
    buf = append_size_and_data_to_buf(buf, end, encrypted_key_material(), key_material_length());
    buf = append_to_buf(buf, end, tag(), TAG_LENGTH);
    buf = enforced_.Serialize(buf, end);
    buf = unenforced_.Serialize(buf, end);
    assert(buf - start == static_cast<ptrdiff_t>(SerializedSize()));
    return buf;
}

bool KeyBlob::Deserialize(const uint8_t** buf_ptr, const uint8_t* end) {
    UniquePtr<uint8_t[]> tmp_key_ptr;
    if (!copy_from_buf(buf_ptr, end, nonce_.get(), NONCE_LENGTH) ||
        !copy_size_and_data_from_buf(buf_ptr, end, &key_material_length_, &tmp_key_ptr) ||
        !copy_from_buf(buf_ptr, end, tag_.get(), TAG_LENGTH) ||
        !enforced_.Deserialize(buf_ptr, end) || !unenforced_.Deserialize(buf_ptr, end)) {
        error_ = KM_ERROR_INVALID_KEY_BLOB;
        return false;
    }

    if (!ExtractKeyCharacteristics())
        return false;

    encrypted_key_material_.reset(tmp_key_ptr.release());
    key_material_.reset(new uint8_t[key_material_length_]);
    return true;
}

void KeyBlob::EncryptKey(const keymaster_key_blob_t& master_key) {
    UniquePtr<ae_ctx, AeCtxDelete> ctx(InitializeKeyWrappingContext(master_key, &error_));
    if (error_ != KM_ERROR_OK)
        return;

    int ae_err = ae_encrypt(ctx.get(), nonce_.get(), key_material(), key_material_length(),
                            NULL /* additional data */, 0 /* additional data length */,
                            encrypted_key_material_.get(), tag_.get(), 1 /* final */);
    if (ae_err < 0) {
        error_ = KM_ERROR_UNKNOWN_ERROR;
        return;
    }
    assert(ae_err == static_cast<int>(key_material_length_));
    error_ = KM_ERROR_OK;
}

void KeyBlob::DecryptKey(const keymaster_key_blob_t& master_key) {
    UniquePtr<ae_ctx, AeCtxDelete> ctx(InitializeKeyWrappingContext(master_key, &error_));
    if (error_ != KM_ERROR_OK)
        return;

    int ae_err =
        ae_decrypt(ctx.get(), nonce_.get(), encrypted_key_material(), key_material_length(),
                   NULL /* additional data */, 0 /* additional data length */, key_material_.get(),
                   tag_.get(), 1 /* final */);
    if (ae_err == AE_INVALID) {
        // Authentication failed!  Decryption probably succeeded(ish), but we don't want to return
        // any data when the authentication fails, so clear it.
        memset_s(key_material_.get(), 0, key_material_length());
        error_ = KM_ERROR_INVALID_KEY_BLOB;
        return;
    } else if (ae_err < 0) {
        error_ = KM_ERROR_UNKNOWN_ERROR;
        return;
    }
    assert(ae_err == static_cast<int>(key_material_length()));
    error_ = KM_ERROR_OK;
}

ae_ctx* KeyBlob::InitializeKeyWrappingContext(const keymaster_key_blob_t& master_key,
                                              keymaster_error_t* error) const {
    size_t derivation_data_length;
    UniquePtr<const uint8_t[]> derivation_data(BuildDerivationData(&derivation_data_length));
    if (derivation_data.get() == NULL) {
        *error = KM_ERROR_MEMORY_ALLOCATION_FAILED;
        return NULL;
    }

    *error = KM_ERROR_OK;
    UniquePtr<ae_ctx, AeCtxDelete> ctx(ae_allocate(NULL));

    SHA256_CTX sha256_ctx;
    UniquePtr<uint8_t[]> hash_buf(new uint8_t[SHA256_DIGEST_LENGTH]);
    Eraser hash_eraser(hash_buf.get(), SHA256_DIGEST_LENGTH);
    UniquePtr<uint8_t[]> derived_key(new uint8_t[AES_BLOCK_SIZE]);
    Eraser derived_key_eraser(derived_key.get(), AES_BLOCK_SIZE);

    if (ctx.get() == NULL || hash_buf.get() == NULL || derived_key.get() == NULL) {
        *error = KM_ERROR_MEMORY_ALLOCATION_FAILED;
        return NULL;
    }

    Eraser sha256_ctx_eraser(sha256_ctx);

    // Hash derivation data.
    SHA256_Init(&sha256_ctx);
    SHA256_Update(&sha256_ctx, derivation_data.get(), derivation_data_length);
    SHA256_Final(hash_buf.get(), &sha256_ctx);

    // Encrypt hash with master key to build derived key.
    AES_KEY aes_key;
    Eraser aes_key_eraser(AES_KEY);
    if (AES_set_encrypt_key(master_key.key_material, master_key.key_material_size * 8, &aes_key) !=
        0) {
        *error = KM_ERROR_UNKNOWN_ERROR;
        return NULL;
    }
    AES_encrypt(hash_buf.get(), derived_key.get(), &aes_key);

    // Set up AES OCB context using derived key.
    if (ae_init(ctx.get(), derived_key.get(), AES_BLOCK_SIZE, NONCE_LENGTH, TAG_LENGTH) ==
        AE_SUCCESS)
        return ctx.release();
    else {
        memset_s(ctx.get(), 0, ae_ctx_sizeof());
        return NULL;
    }
}

const uint8_t* KeyBlob::BuildDerivationData(size_t* derivation_data_length) const {
    *derivation_data_length =
        hidden_.SerializedSize() + enforced_.SerializedSize() + unenforced_.SerializedSize();
    uint8_t* derivation_data = new uint8_t[*derivation_data_length];
    if (derivation_data != NULL) {
        uint8_t* buf = derivation_data;
        uint8_t* end = derivation_data + *derivation_data_length;
        buf = hidden_.Serialize(buf, end);
        buf = enforced_.Serialize(buf, end);
        buf = unenforced_.Serialize(buf, end);
    }
    return derivation_data;
}

bool KeyBlob::ExtractKeyCharacteristics() {
    if (!enforced_.GetTagValue(TAG_ALGORITHM, &algorithm_) &&
        !unenforced_.GetTagValue(TAG_ALGORITHM, &algorithm_)) {
        error_ = KM_ERROR_UNSUPPORTED_ALGORITHM;
        return false;
    }
    if (!enforced_.GetTagValue(TAG_KEY_SIZE, &key_size_bits_) &&
        !unenforced_.GetTagValue(TAG_KEY_SIZE, &key_size_bits_)) {
        error_ = KM_ERROR_UNSUPPORTED_KEY_SIZE;
        return false;
    }
    return true;
}

}  // namespace keymaster