Gitiles
Code Review Sign In
gerrit.openfyde.cn / android.googlesource.com / platform / system / keymaster / 4db3fbdda292c0c3120dfe160c1b49670aa18600 / . / key_blob.cpp
blob: a75e8dd438cd01181247e4d51428fd07274c49cc [file] [log] [blame]
Shawn Willden4db3fbd2014-08-08 22:13:44 -0600[diff] [blame^]1/*
2 * Copyright 2014 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#include <assert.h>
18
19#include <openssl/aes.h>
20#include <openssl/sha.h>
21
22#include "ae.h"
23#include "key_blob.h"
24#include "google_keymaster_utils.h"
25
26namespace keymaster {
27
28struct AeCtxDelete {
29 void operator()(ae_ctx* p) {
30 ae_clear(p);
31 ae_free(p);
32 }
33};
34
35const size_t KeyBlob::NONCE_LENGTH;
36const size_t KeyBlob::TAG_LENGTH;
37
38KeyBlob::KeyBlob(const AuthorizationSet& enforced, const AuthorizationSet& unenforced,
39 const keymaster_key_blob_t& key, const keymaster_key_blob_t& master_key,
40 uint8_t nonce[NONCE_LENGTH])
41 : error_(KM_ERROR_OK), enforced_(enforced), unenforced_(unenforced) {
42 if (enforced_.is_valid() == AuthorizationSet::ALLOCATION_FAILURE ||
43 unenforced_.is_valid() == AuthorizationSet::ALLOCATION_FAILURE) {
44 error_ = KM_ERROR_MEMORY_ALLOCATION_FAILED;
45 return;
46 }
47
48 if (enforced_.is_valid() != AuthorizationSet::OK ||
49 unenforced_.is_valid() != AuthorizationSet::OK) {
50 error_ = KM_ERROR_UNKNOWN_ERROR;
51 return;
52 }
53
54 memcpy(nonce_, nonce, NONCE_LENGTH);
55
56 key_material_length_ = key.key_material_size;
57 key_material_.reset(new uint8_t[key_material_length_]);
58 encrypted_key_material_.reset(new uint8_t[key_material_length_]);
59
60 if (key_material_.get() == NULL || encrypted_key_material_.get() == NULL) {
61 error_ = KM_ERROR_MEMORY_ALLOCATION_FAILED;
62 return;
63 }
64
65 memcpy(key_material_.get(), key.key_material, key_material_length_);
66 EncryptKey(master_key);
67}
68
69KeyBlob::KeyBlob(const keymaster_key_blob_t& key, const keymaster_key_blob_t& master_key) {
70 if (!Deserialize(const_cast<const uint8_t**>(&(key.key_material)),
71 key.key_material + key.key_material_size))
72 return;
73 DecryptKey(master_key);
74}
75
76size_t KeyBlob::SerializedSize() const {
77 return NONCE_LENGTH + sizeof(uint32_t) + key_material_length() + TAG_LENGTH +
78 enforced_.SerializedSize() + unenforced_.SerializedSize();
79}
80
81uint8_t* KeyBlob::Serialize(uint8_t* buf, const uint8_t* end) const {
82 const uint8_t* start = buf;
83 buf = append_to_buf(buf, end, nonce(), NONCE_LENGTH);
84 buf = append_size_and_data_to_buf(buf, end, encrypted_key_material(), key_material_length());
85 buf = append_to_buf(buf, end, tag(), TAG_LENGTH);
86 buf = enforced_.Serialize(buf, end);
87 buf = unenforced_.Serialize(buf, end);
88 assert(buf - start == static_cast<ptrdiff_t>(SerializedSize()));
89 return buf;
90}
91
92bool KeyBlob::Deserialize(const uint8_t** buf, const uint8_t* end) {
93 uint8_t* tmp_key_ptr = NULL;
94
95 if (!copy_from_buf(buf, end, nonce_, NONCE_LENGTH) ||
96 !copy_size_and_data_from_buf(buf, end, &key_material_length_, &tmp_key_ptr) ||
97 !copy_from_buf(buf, end, tag_, TAG_LENGTH) || !enforced_.Deserialize(buf, end) ||
98 !unenforced_.Deserialize(buf, end)) {
99 if (tmp_key_ptr != NULL)
100 delete [] tmp_key_ptr;
101 error_ = KM_ERROR_INVALID_KEY_BLOB;
102 return false;
103 }
104
105 encrypted_key_material_.reset(tmp_key_ptr);
106 key_material_.reset(new uint8_t[key_material_length_]);
107 return true;
108}
109
110void KeyBlob::EncryptKey(const keymaster_key_blob_t& master_key) {
111 UniquePtr<ae_ctx, AeCtxDelete> ctx(InitializeKeyWrappingContext(master_key, &error_));
112 if (error_ != KM_ERROR_OK)
113 return;
114
115 int ae_err = ae_encrypt(ctx.get(), nonce_, key_material(), key_material_length(),
116 NULL /* additional data */, 0 /* additional data length */,
117 encrypted_key_material_.get(), tag_, 1 /* final */);
118 if (ae_err < 0) {
119 error_ = KM_ERROR_UNKNOWN_ERROR;
120 return;
121 }
122 assert(ae_err == static_cast<int>(key_material_length_));
123 error_ = KM_ERROR_OK;
124}
125
126void KeyBlob::DecryptKey(const keymaster_key_blob_t& master_key) {
127 UniquePtr<ae_ctx, AeCtxDelete> ctx(InitializeKeyWrappingContext(master_key, &error_));
128 if (error_ != KM_ERROR_OK)
129 return;
130
131 int ae_err = ae_decrypt(ctx.get(), nonce_, encrypted_key_material(), key_material_length(),
132 NULL /* additional data */, 0 /* additional data length */,
133 key_material_.get(), tag(), 1 /* final */);
134 if (ae_err == AE_INVALID) {
135 // Authentication failed! Decryption probably succeeded(ish), but we don't want to return
136 // any data when the authentication fails, so clear it.
137 memset(key_material_.get(), 0, key_material_length());
138 error_ = KM_ERROR_INVALID_KEY_BLOB;
139 return;
140 } else if (ae_err < 0) {
141 error_ = KM_ERROR_UNKNOWN_ERROR;
142 return;
143 }
144 assert(ae_err == static_cast<int>(key_material_length_));
145 error_ = KM_ERROR_OK;
146}
147
148ae_ctx* KeyBlob::InitializeKeyWrappingContext(const keymaster_key_blob_t& master_key,
149 keymaster_error_t* error) const {
150 size_t auth_data_length;
151 UniquePtr<const uint8_t[]> auth_data(BuildAuthData(&auth_data_length));
152 if (auth_data.get() == NULL) {
153 *error = KM_ERROR_MEMORY_ALLOCATION_FAILED;
154 return NULL;
155 }
156
157 *error = KM_ERROR_OK;
158 UniquePtr<ae_ctx, AeCtxDelete> ctx(ae_allocate(NULL));
159
160 SHA256_CTX sha256_ctx;
161 UniquePtr<uint8_t[]> hash_buf(new uint8_t[SHA256_DIGEST_LENGTH]);
162 Eraser hash_eraser(hash_buf.get(), SHA256_DIGEST_LENGTH);
163 UniquePtr<uint8_t[]> derived_key(new uint8_t[AES_BLOCK_SIZE]);
164 Eraser derived_key_eraser(derived_key.get(), AES_BLOCK_SIZE);
165
166 if (ctx.get() == NULL || hash_buf.get() == NULL || derived_key.get() == NULL) {
167 *error = KM_ERROR_MEMORY_ALLOCATION_FAILED;
168 return NULL;
169 }
170
171 Eraser sha256_ctx_eraser(sha256_ctx);
172
173 // Hash derivation data.
174 SHA256_Init(&sha256_ctx);
175 SHA256_Update(&sha256_ctx, auth_data.get(), auth_data_length);
176 SHA256_Final(hash_buf.get(), &sha256_ctx);
177
178 // Encrypt hash with master key to build derived key.
179 AES_KEY aes_key;
180 Eraser aes_key_eraser(AES_KEY);
181 if (AES_set_encrypt_key(master_key.key_material, master_key.key_material_size * 8, &aes_key) !=
182 0) {
183 *error = KM_ERROR_UNKNOWN_ERROR;
184 return NULL;
185 }
186 AES_encrypt(hash_buf.get(), derived_key.get(), &aes_key);
187
188 // Set up AES OCB context using derived key.
189 if (ae_init(ctx.get(), derived_key.get(), AES_BLOCK_SIZE, NONCE_LENGTH, TAG_LENGTH) ==
190 AE_SUCCESS)
191 return ctx.release();
192 else {
193 memset(ctx.get(), 0, ae_ctx_sizeof());
194 return NULL;
195 }
196}
197
198const uint8_t* KeyBlob::BuildAuthData(size_t* auth_data_length) const {
199 *auth_data_length = enforced_.SerializedSize() + unenforced_.SerializedSize();
200 uint8_t* auth_data = new uint8_t[*auth_data_length];
201 if (auth_data == NULL)
202 return NULL;
203
204 uint8_t* end = auth_data + *auth_data_length;
205 uint8_t* buf = auth_data;
206 buf = enforced_.Serialize(buf, end);
207 buf = unenforced_.Serialize(buf, end);
208
209 return auth_data;
210}
211
212} // namespace keymaster