Gitiles
Code Review Sign In
gerrit.openfyde.cn / android.googlesource.com / platform / system / keymaster / 2f3be368e5ad911cc0b014421dd3682130260ffc / . / key_blob.cpp
blob: 3f354e3b27729059c65d76a2884957c7dc7259ab [file] [log] [blame]
Shawn Willden4db3fbd2014-08-08 22:13:44 -0600[diff] [blame]1/*
2 * Copyright 2014 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#include <assert.h>
18
19#include <openssl/aes.h>
20#include <openssl/sha.h>
21
22#include "ae.h"
23#include "key_blob.h"
24#include "google_keymaster_utils.h"
25
26namespace keymaster {
27
28struct AeCtxDelete {
29 void operator()(ae_ctx* p) {
30 ae_clear(p);
31 ae_free(p);
32 }
33};
34
35const size_t KeyBlob::NONCE_LENGTH;
36const size_t KeyBlob::TAG_LENGTH;
37
38KeyBlob::KeyBlob(const AuthorizationSet& enforced, const AuthorizationSet& unenforced,
Shawn Willden39b970b2014-08-11 09:11:21 -0600[diff] [blame]39 const AuthorizationSet& hidden, const keymaster_key_blob_t& key,
Shawn Willdenebf627f2014-08-12 11:15:29 -0600[diff] [blame]40 const keymaster_key_blob_t& master_key, const uint8_t nonce[NONCE_LENGTH])
Shawn Willdenf2282b32014-08-25 06:49:54 -0600[diff] [blame]41 : error_(KM_ERROR_OK), nonce_(new uint8_t[NONCE_LENGTH]), tag_(new uint8_t[TAG_LENGTH]),
42 enforced_(enforced), unenforced_(unenforced), hidden_(hidden) {
Shawn Willden4db3fbd2014-08-08 22:13:44 -0600[diff] [blame]43 if (enforced_.is_valid() == AuthorizationSet::ALLOCATION_FAILURE ||
Shawn Willden76364712014-08-11 17:48:04 -0600[diff] [blame]44 unenforced_.is_valid() == AuthorizationSet::ALLOCATION_FAILURE ||
45 hidden_.is_valid() == AuthorizationSet::ALLOCATION_FAILURE) {
Shawn Willden4db3fbd2014-08-08 22:13:44 -0600[diff] [blame]46 error_ = KM_ERROR_MEMORY_ALLOCATION_FAILED;
47 return;
48 }
49
50 if (enforced_.is_valid() != AuthorizationSet::OK ||
Shawn Willden76364712014-08-11 17:48:04 -0600[diff] [blame]51 unenforced_.is_valid() != AuthorizationSet::OK ||
52 hidden_.is_valid() != AuthorizationSet::OK) {
Shawn Willden4db3fbd2014-08-08 22:13:44 -0600[diff] [blame]53 error_ = KM_ERROR_UNKNOWN_ERROR;
54 return;
55 }
56
Shawn Willden1615f2e2014-08-13 10:37:40 -0600[diff] [blame]57 if (!ExtractKeyCharacteristics())
58 return;
59
Shawn Willden4db3fbd2014-08-08 22:13:44 -0600[diff] [blame]60 key_material_length_ = key.key_material_size;
61 key_material_.reset(new uint8_t[key_material_length_]);
62 encrypted_key_material_.reset(new uint8_t[key_material_length_]);
63
Shawn Willdenf2282b32014-08-25 06:49:54 -0600[diff] [blame]64 if (!key_material_.get() || !encrypted_key_material_.get() || !nonce_.get() || !tag_.get()) {
Shawn Willden4db3fbd2014-08-08 22:13:44 -0600[diff] [blame]65 error_ = KM_ERROR_MEMORY_ALLOCATION_FAILED;
66 return;
67 }
68
Shawn Willdenf2282b32014-08-25 06:49:54 -0600[diff] [blame]69 memcpy(nonce_.get(), nonce, NONCE_LENGTH);
Shawn Willden4db3fbd2014-08-08 22:13:44 -0600[diff] [blame]70 memcpy(key_material_.get(), key.key_material, key_material_length_);
71 EncryptKey(master_key);
72}
73
Shawn Willden39b970b2014-08-11 09:11:21 -0600[diff] [blame]74KeyBlob::KeyBlob(const keymaster_key_blob_t& key, const AuthorizationSet& hidden,
75 const keymaster_key_blob_t& master_key)
Shawn Willdenf2282b32014-08-25 06:49:54 -0600[diff] [blame]76 : nonce_(new uint8_t[NONCE_LENGTH]), tag_(new uint8_t[TAG_LENGTH]), hidden_(hidden) {
Shawn Willden172f8c92014-08-17 07:50:34 -0600[diff] [blame]77 const uint8_t* p = key.key_material;
78 if (!Deserialize(&p, key.key_material + key.key_material_size))
Shawn Willden4db3fbd2014-08-08 22:13:44 -0600[diff] [blame]79 return;
80 DecryptKey(master_key);
81}
82
83size_t KeyBlob::SerializedSize() const {
84 return NONCE_LENGTH + sizeof(uint32_t) + key_material_length() + TAG_LENGTH +
85 enforced_.SerializedSize() + unenforced_.SerializedSize();
86}
87
88uint8_t* KeyBlob::Serialize(uint8_t* buf, const uint8_t* end) const {
89 const uint8_t* start = buf;
90 buf = append_to_buf(buf, end, nonce(), NONCE_LENGTH);
91 buf = append_size_and_data_to_buf(buf, end, encrypted_key_material(), key_material_length());
92 buf = append_to_buf(buf, end, tag(), TAG_LENGTH);
93 buf = enforced_.Serialize(buf, end);
94 buf = unenforced_.Serialize(buf, end);
95 assert(buf - start == static_cast<ptrdiff_t>(SerializedSize()));
96 return buf;
97}
98
Shawn Willden172f8c92014-08-17 07:50:34 -0600[diff] [blame]99bool KeyBlob::Deserialize(const uint8_t** buf_ptr, const uint8_t* end) {
Shawn Willdenf2282b32014-08-25 06:49:54 -0600[diff] [blame]100 UniquePtr<uint8_t[]> tmp_key_ptr;
101 if (!copy_from_buf(buf_ptr, end, nonce_.get(), NONCE_LENGTH) ||
Shawn Willden172f8c92014-08-17 07:50:34 -0600[diff] [blame]102 !copy_size_and_data_from_buf(buf_ptr, end, &key_material_length_, &tmp_key_ptr) ||
Shawn Willdenf2282b32014-08-25 06:49:54 -0600[diff] [blame]103 !copy_from_buf(buf_ptr, end, tag_.get(), TAG_LENGTH) ||
104 !enforced_.Deserialize(buf_ptr, end) || !unenforced_.Deserialize(buf_ptr, end)) {
Shawn Willden4db3fbd2014-08-08 22:13:44 -0600[diff] [blame]105 error_ = KM_ERROR_INVALID_KEY_BLOB;
106 return false;
107 }
108
Shawn Willden1615f2e2014-08-13 10:37:40 -0600[diff] [blame]109 if (!ExtractKeyCharacteristics())
110 return false;
111
Shawn Willdenf2282b32014-08-25 06:49:54 -0600[diff] [blame]112 encrypted_key_material_.reset(tmp_key_ptr.release());
Shawn Willden4db3fbd2014-08-08 22:13:44 -0600[diff] [blame]113 key_material_.reset(new uint8_t[key_material_length_]);
114 return true;
115}
116
117void KeyBlob::EncryptKey(const keymaster_key_blob_t& master_key) {
118 UniquePtr<ae_ctx, AeCtxDelete> ctx(InitializeKeyWrappingContext(master_key, &error_));
119 if (error_ != KM_ERROR_OK)
120 return;
121
Shawn Willdenf2282b32014-08-25 06:49:54 -0600[diff] [blame]122 int ae_err = ae_encrypt(ctx.get(), nonce_.get(), key_material(), key_material_length(),
Shawn Willden4db3fbd2014-08-08 22:13:44 -0600[diff] [blame]123 NULL /* additional data */, 0 /* additional data length */,
Shawn Willdenf2282b32014-08-25 06:49:54 -0600[diff] [blame]124 encrypted_key_material_.get(), tag_.get(), 1 /* final */);
Shawn Willden4db3fbd2014-08-08 22:13:44 -0600[diff] [blame]125 if (ae_err < 0) {
126 error_ = KM_ERROR_UNKNOWN_ERROR;
127 return;
128 }
129 assert(ae_err == static_cast<int>(key_material_length_));
130 error_ = KM_ERROR_OK;
131}
132
133void KeyBlob::DecryptKey(const keymaster_key_blob_t& master_key) {
134 UniquePtr<ae_ctx, AeCtxDelete> ctx(InitializeKeyWrappingContext(master_key, &error_));
135 if (error_ != KM_ERROR_OK)
136 return;
137
Shawn Willdenf2282b32014-08-25 06:49:54 -0600[diff] [blame]138 int ae_err =
139 ae_decrypt(ctx.get(), nonce_.get(), encrypted_key_material(), key_material_length(),
140 NULL /* additional data */, 0 /* additional data length */, key_material_.get(),
141 tag_.get(), 1 /* final */);
Shawn Willden4db3fbd2014-08-08 22:13:44 -0600[diff] [blame]142 if (ae_err == AE_INVALID) {
143 // Authentication failed! Decryption probably succeeded(ish), but we don't want to return
144 // any data when the authentication fails, so clear it.
Shawn Willden74aff352014-08-11 14:08:31 -0600[diff] [blame]145 memset_s(key_material_.get(), 0, key_material_length());
Shawn Willden4db3fbd2014-08-08 22:13:44 -0600[diff] [blame]146 error_ = KM_ERROR_INVALID_KEY_BLOB;
147 return;
148 } else if (ae_err < 0) {
149 error_ = KM_ERROR_UNKNOWN_ERROR;
150 return;
151 }
Shawn Willdenf2282b32014-08-25 06:49:54 -0600[diff] [blame]152 assert(ae_err == static_cast<int>(key_material_length()));
Shawn Willden4db3fbd2014-08-08 22:13:44 -0600[diff] [blame]153 error_ = KM_ERROR_OK;
154}
155
156ae_ctx* KeyBlob::InitializeKeyWrappingContext(const keymaster_key_blob_t& master_key,
157 keymaster_error_t* error) const {
Shawn Willden39b970b2014-08-11 09:11:21 -0600[diff] [blame]158 size_t derivation_data_length;
159 UniquePtr<const uint8_t[]> derivation_data(BuildDerivationData(&derivation_data_length));
160 if (derivation_data.get() == NULL) {
Shawn Willden4db3fbd2014-08-08 22:13:44 -0600[diff] [blame]161 *error = KM_ERROR_MEMORY_ALLOCATION_FAILED;
162 return NULL;
163 }
164
165 *error = KM_ERROR_OK;
166 UniquePtr<ae_ctx, AeCtxDelete> ctx(ae_allocate(NULL));
167
168 SHA256_CTX sha256_ctx;
169 UniquePtr<uint8_t[]> hash_buf(new uint8_t[SHA256_DIGEST_LENGTH]);
170 Eraser hash_eraser(hash_buf.get(), SHA256_DIGEST_LENGTH);
171 UniquePtr<uint8_t[]> derived_key(new uint8_t[AES_BLOCK_SIZE]);
172 Eraser derived_key_eraser(derived_key.get(), AES_BLOCK_SIZE);
173
174 if (ctx.get() == NULL || hash_buf.get() == NULL || derived_key.get() == NULL) {
175 *error = KM_ERROR_MEMORY_ALLOCATION_FAILED;
176 return NULL;
177 }
178
179 Eraser sha256_ctx_eraser(sha256_ctx);
180
181 // Hash derivation data.
182 SHA256_Init(&sha256_ctx);
Shawn Willden39b970b2014-08-11 09:11:21 -0600[diff] [blame]183 SHA256_Update(&sha256_ctx, derivation_data.get(), derivation_data_length);
Shawn Willden4db3fbd2014-08-08 22:13:44 -0600[diff] [blame]184 SHA256_Final(hash_buf.get(), &sha256_ctx);
185
186 // Encrypt hash with master key to build derived key.
187 AES_KEY aes_key;
188 Eraser aes_key_eraser(AES_KEY);
189 if (AES_set_encrypt_key(master_key.key_material, master_key.key_material_size * 8, &aes_key) !=
190 0) {
191 *error = KM_ERROR_UNKNOWN_ERROR;
192 return NULL;
193 }
194 AES_encrypt(hash_buf.get(), derived_key.get(), &aes_key);
195
196 // Set up AES OCB context using derived key.
197 if (ae_init(ctx.get(), derived_key.get(), AES_BLOCK_SIZE, NONCE_LENGTH, TAG_LENGTH) ==
198 AE_SUCCESS)
199 return ctx.release();
200 else {
Shawn Willden74aff352014-08-11 14:08:31 -0600[diff] [blame]201 memset_s(ctx.get(), 0, ae_ctx_sizeof());
Shawn Willden4db3fbd2014-08-08 22:13:44 -0600[diff] [blame]202 return NULL;
203 }
204}
205
Shawn Willden39b970b2014-08-11 09:11:21 -0600[diff] [blame]206const uint8_t* KeyBlob::BuildDerivationData(size_t* derivation_data_length) const {
207 *derivation_data_length =
208 hidden_.SerializedSize() + enforced_.SerializedSize() + unenforced_.SerializedSize();
209 uint8_t* derivation_data = new uint8_t[*derivation_data_length];
210 if (derivation_data != NULL) {
211 uint8_t* buf = derivation_data;
212 uint8_t* end = derivation_data + *derivation_data_length;
213 buf = hidden_.Serialize(buf, end);
214 buf = enforced_.Serialize(buf, end);
215 buf = unenforced_.Serialize(buf, end);
216 }
217 return derivation_data;
Shawn Willden4db3fbd2014-08-08 22:13:44 -0600[diff] [blame]218}
219
Shawn Willden1615f2e2014-08-13 10:37:40 -0600[diff] [blame]220bool KeyBlob::ExtractKeyCharacteristics() {
221 if (!enforced_.GetTagValue(TAG_ALGORITHM, &algorithm_) &&
222 !unenforced_.GetTagValue(TAG_ALGORITHM, &algorithm_)) {
223 error_ = KM_ERROR_UNSUPPORTED_ALGORITHM;
224 return false;
225 }
226 if (!enforced_.GetTagValue(TAG_KEY_SIZE, &key_size_bits_) &&
227 !unenforced_.GetTagValue(TAG_KEY_SIZE, &key_size_bits_)) {
228 error_ = KM_ERROR_UNSUPPORTED_KEY_SIZE;
229 return false;
230 }
231 return true;
232}
233
Shawn Willden4db3fbd2014-08-08 22:13:44 -0600[diff] [blame]234} // namespace keymaster