Gitiles
Code Review Sign In
gerrit.openfyde.cn / android.googlesource.com / platform / system / keymaster / 51d5e0e6be1d77b06715028abbc42211411cf671 / . / rsa_operation.cpp
blob: a25231bcdc33a505b3023e0b3deff07bafec6ba7 [file] [log] [blame]
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]1/*
2 * Copyright 2014 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]17#include "rsa_operation.h"
18
Shawn Willden4200f212014-12-02 07:01:21 -0700[diff] [blame]19#include <limits.h>
20
21#include <openssl/err.h>
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]22
Shawn Willden567a4a02014-12-31 12:14:46 -0700[diff] [blame]23#include <keymaster/logger.h>
24
25#include "openssl_err.h"
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]26#include "openssl_utils.h"
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]27#include "rsa_key.h"
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]28
29namespace keymaster {
30
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]31/**
32 * Abstract base for all RSA operation factories. This class exists mainly to centralize some code
33 * common to all RSA operation factories.
34 */
35class RsaOperationFactory : public OperationFactory {
36 public:
37 virtual KeyType registry_key() const { return KeyType(KM_ALGORITHM_RSA, purpose()); }
38 virtual keymaster_purpose_t purpose() const = 0;
39
40 protected:
41 bool GetAndValidatePadding(const Key& key, keymaster_padding_t* padding,
42 keymaster_error_t* error) const;
43 bool GetAndValidateDigest(const Key& key, keymaster_digest_t* digest,
44 keymaster_error_t* error) const;
45 static RSA* GetRsaKey(const Key& key, keymaster_error_t* error);
46};
47
48bool RsaOperationFactory::GetAndValidatePadding(const Key& key, keymaster_padding_t* padding,
49 keymaster_error_t* error) const {
50 *error = KM_ERROR_UNSUPPORTED_PADDING_MODE;
51 if (!key.authorizations().GetTagValue(TAG_PADDING, padding))
52 return false;
53
54 size_t padding_count;
55 const keymaster_padding_t* supported_paddings = SupportedPaddingModes(&padding_count);
56 for (size_t i = 0; i < padding_count; ++i) {
57 if (*padding == supported_paddings[i]) {
58 *error = KM_ERROR_OK;
59 return true;
60 }
61 }
62 return false;
63}
64
65bool RsaOperationFactory::GetAndValidateDigest(const Key& key, keymaster_digest_t* digest,
66 keymaster_error_t* error) const {
67 *error = KM_ERROR_UNSUPPORTED_DIGEST;
68 if (!key.authorizations().GetTagValue(TAG_DIGEST, digest))
69 return false;
70
71 size_t digest_count;
72 const keymaster_digest_t* supported_digests = SupportedDigests(&digest_count);
73 for (size_t i = 0; i < digest_count; ++i) {
74 if (*digest == supported_digests[i]) {
75 *error = KM_ERROR_OK;
76 return true;
77 }
78 }
79 return false;
80}
81
82/* static */
83RSA* RsaOperationFactory::GetRsaKey(const Key& key, keymaster_error_t* error) {
84 const RsaKey* rsa_key = static_cast<const RsaKey*>(&key);
85 assert(rsa_key);
86 if (!rsa_key || !rsa_key->key()) {
87 *error = KM_ERROR_UNKNOWN_ERROR;
88 return NULL;
89 }
Shawn Willden28eed512015-02-25 19:16:36 -0700[diff] [blame]90 RSA_up_ref(rsa_key->key());
91 return rsa_key->key();
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]92}
93
94static const keymaster_digest_t supported_digests[] = {KM_DIGEST_NONE};
95static const keymaster_padding_t supported_sig_padding[] = {KM_PAD_NONE};
96
97/**
98 * Abstract base for RSA operations that digest their input (signing and verification). This class
99 * does most of the work of creation of RSA digesting operations, delegating only the actual
100 * operation instantiation.
101 */
102class RsaDigestingOperationFactory : public RsaOperationFactory {
103 public:
Shawn Willden567a4a02014-12-31 12:14:46 -0700[diff] [blame]104 virtual Operation* CreateOperation(const Key& key, keymaster_error_t* error);
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]105
106 virtual const keymaster_digest_t* SupportedDigests(size_t* digest_count) const {
107 *digest_count = array_length(supported_digests);
108 return supported_digests;
109 }
110
111 virtual const keymaster_padding_t* SupportedPaddingModes(size_t* padding_mode_count) const {
112 *padding_mode_count = array_length(supported_sig_padding);
113 return supported_sig_padding;
114 }
115
116 private:
Shawn Willden567a4a02014-12-31 12:14:46 -0700[diff] [blame]117 virtual Operation* InstantiateOperation(keymaster_digest_t digest, keymaster_padding_t padding,
118 RSA* key) = 0;
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]119};
120
Shawn Willden567a4a02014-12-31 12:14:46 -0700[diff] [blame]121Operation* RsaDigestingOperationFactory::CreateOperation(const Key& key, keymaster_error_t* error) {
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]122 keymaster_padding_t padding;
123 keymaster_digest_t digest;
124 RSA* rsa;
125 if (!GetAndValidateDigest(key, &digest, error) ||
126 !GetAndValidatePadding(key, &padding, error) || !(rsa = GetRsaKey(key, error)))
127 return NULL;
128
Shawn Willden567a4a02014-12-31 12:14:46 -0700[diff] [blame]129 Operation* op = InstantiateOperation(digest, padding, rsa);
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]130 if (!op)
131 *error = KM_ERROR_MEMORY_ALLOCATION_FAILED;
132 return op;
133}
134
135static const keymaster_padding_t supported_crypt_padding[] = {KM_PAD_RSA_OAEP,
136 KM_PAD_RSA_PKCS1_1_5_ENCRYPT};
137
138/**
139 * Abstract base for en/de-crypting RSA operation factories. This class does most of the work of
140 * creating such operations, delegating only the actual operation instantiation.
141 */
142class RsaCryptingOperationFactory : public RsaOperationFactory {
143 public:
Shawn Willden567a4a02014-12-31 12:14:46 -0700[diff] [blame]144 virtual Operation* CreateOperation(const Key& key, keymaster_error_t* error);
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]145
146 virtual const keymaster_padding_t* SupportedPaddingModes(size_t* padding_mode_count) const {
147 *padding_mode_count = array_length(supported_crypt_padding);
148 return supported_crypt_padding;
149 }
150
151 virtual const keymaster_digest_t* SupportedDigests(size_t* digest_count) const {
152 *digest_count = 0;
153 return NULL;
154 }
155
156 private:
Shawn Willden567a4a02014-12-31 12:14:46 -0700[diff] [blame]157 virtual Operation* InstantiateOperation(keymaster_padding_t padding, RSA* key) = 0;
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]158};
159
Shawn Willden567a4a02014-12-31 12:14:46 -0700[diff] [blame]160Operation* RsaCryptingOperationFactory::CreateOperation(const Key& key, keymaster_error_t* error) {
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]161 keymaster_padding_t padding;
162 RSA* rsa;
163 if (!GetAndValidatePadding(key, &padding, error) || !(rsa = GetRsaKey(key, error)))
164 return NULL;
165
Shawn Willden567a4a02014-12-31 12:14:46 -0700[diff] [blame]166 Operation* op = InstantiateOperation(padding, rsa);
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]167 if (!op)
168 *error = KM_ERROR_MEMORY_ALLOCATION_FAILED;
169 return op;
170}
171
172/**
173 * Concrete factory for RSA signing operations.
174 */
175class RsaSigningOperationFactory : public RsaDigestingOperationFactory {
176 public:
177 virtual keymaster_purpose_t purpose() const { return KM_PURPOSE_SIGN; }
Shawn Willden567a4a02014-12-31 12:14:46 -0700[diff] [blame]178 virtual Operation* InstantiateOperation(keymaster_digest_t digest, keymaster_padding_t padding,
179 RSA* key) {
180 return new RsaSignOperation(digest, padding, key);
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]181 }
182};
183static OperationFactoryRegistry::Registration<RsaSigningOperationFactory> sign_registration;
184
185/**
186 * Concrete factory for RSA signing operations.
187 */
188class RsaVerificationOperationFactory : public RsaDigestingOperationFactory {
189 virtual keymaster_purpose_t purpose() const { return KM_PURPOSE_VERIFY; }
Shawn Willden567a4a02014-12-31 12:14:46 -0700[diff] [blame]190 virtual Operation* InstantiateOperation(keymaster_digest_t digest, keymaster_padding_t padding,
191 RSA* key) {
192 return new RsaVerifyOperation(digest, padding, key);
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]193 }
194};
195static OperationFactoryRegistry::Registration<RsaVerificationOperationFactory> verify_registration;
196
197/**
198 * Concrete factory for RSA signing operations.
199 */
200class RsaEncryptionOperationFactory : public RsaCryptingOperationFactory {
201 virtual keymaster_purpose_t purpose() const { return KM_PURPOSE_ENCRYPT; }
Shawn Willden567a4a02014-12-31 12:14:46 -0700[diff] [blame]202 virtual Operation* InstantiateOperation(keymaster_padding_t padding, RSA* key) {
203 return new RsaEncryptOperation(padding, key);
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]204 }
205};
206static OperationFactoryRegistry::Registration<RsaEncryptionOperationFactory> encrypt_registration;
207
208/**
209 * Concrete factory for RSA signing operations.
210 */
211class RsaDecryptionOperationFactory : public RsaCryptingOperationFactory {
212 virtual keymaster_purpose_t purpose() const { return KM_PURPOSE_DECRYPT; }
Shawn Willden567a4a02014-12-31 12:14:46 -0700[diff] [blame]213 virtual Operation* InstantiateOperation(keymaster_padding_t padding, RSA* key) {
214 return new RsaDecryptOperation(padding, key);
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]215 }
216};
217
218static OperationFactoryRegistry::Registration<RsaDecryptionOperationFactory> decrypt_registration;
219
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]220struct RSA_Delete {
221 void operator()(RSA* p) const { RSA_free(p); }
222};
223
224RsaOperation::~RsaOperation() {
225 if (rsa_key_ != NULL)
226 RSA_free(rsa_key_);
227}
228
Shawn Willden6bfbff02015-02-06 19:48:24 -0700[diff] [blame]229keymaster_error_t RsaOperation::Update(const AuthorizationSet& /* additional_params */,
230 const Buffer& input, Buffer* /* output */,
Shawn Willdenb7361132014-12-08 08:15:14 -0700[diff] [blame]231 size_t* input_consumed) {
232 assert(input_consumed);
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]233 switch (purpose()) {
234 default:
235 return KM_ERROR_UNIMPLEMENTED;
236 case KM_PURPOSE_SIGN:
237 case KM_PURPOSE_VERIFY:
Shawn Willden4200f212014-12-02 07:01:21 -0700[diff] [blame]238 case KM_PURPOSE_ENCRYPT:
239 case KM_PURPOSE_DECRYPT:
Shawn Willdenb7361132014-12-08 08:15:14 -0700[diff] [blame]240 return StoreData(input, input_consumed);
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]241 }
242}
243
Shawn Willdenb7361132014-12-08 08:15:14 -0700[diff] [blame]244keymaster_error_t RsaOperation::StoreData(const Buffer& input, size_t* input_consumed) {
245 assert(input_consumed);
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]246 if (!data_.reserve(data_.available_read() + input.available_read()) ||
247 !data_.write(input.peek_read(), input.available_read()))
248 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
Shawn Willdenb7361132014-12-08 08:15:14 -0700[diff] [blame]249 *input_consumed = input.available_read();
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]250 return KM_ERROR_OK;
251}
252
Shawn Willden6bfbff02015-02-06 19:48:24 -0700[diff] [blame]253keymaster_error_t RsaSignOperation::Finish(const AuthorizationSet& /* additional_params */,
254 const Buffer& /* signature */, Buffer* output) {
Shawn Willdenb7361132014-12-08 08:15:14 -0700[diff] [blame]255 assert(output);
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]256 output->Reinitialize(RSA_size(rsa_key_));
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]257 int bytes_encrypted = RSA_private_encrypt(data_.available_read(), data_.peek_read(),
258 output->peek_write(), rsa_key_, RSA_NO_PADDING);
259 if (bytes_encrypted < 0)
260 return KM_ERROR_UNKNOWN_ERROR;
261 assert(bytes_encrypted == RSA_size(rsa_key_));
262 output->advance_write(bytes_encrypted);
263 return KM_ERROR_OK;
264}
265
Shawn Willden6bfbff02015-02-06 19:48:24 -0700[diff] [blame]266keymaster_error_t RsaVerifyOperation::Finish(const AuthorizationSet& /* additional_params */,
267 const Buffer& signature, Buffer* /* output */) {
Adam Langleyf2aefdf2014-09-26 11:16:10 -0700[diff] [blame]268#if defined(OPENSSL_IS_BORINGSSL)
Shawn Willden4200f212014-12-02 07:01:21 -0700[diff] [blame]269 size_t message_size = data_.available_read();
Adam Langleyf2aefdf2014-09-26 11:16:10 -0700[diff] [blame]270#else
Shawn Willden4200f212014-12-02 07:01:21 -0700[diff] [blame]271 if (data_.available_read() > INT_MAX)
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]272 return KM_ERROR_INVALID_INPUT_LENGTH;
Shawn Willden4200f212014-12-02 07:01:21 -0700[diff] [blame]273 int message_size = (int)data_.available_read();
Adam Langleyf2aefdf2014-09-26 11:16:10 -0700[diff] [blame]274#endif
275
Shawn Willden4200f212014-12-02 07:01:21 -0700[diff] [blame]276 if (message_size != RSA_size(rsa_key_))
277 return KM_ERROR_INVALID_INPUT_LENGTH;
278
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]279 if (data_.available_read() != signature.available_read())
280 return KM_ERROR_VERIFICATION_FAILED;
281
282 UniquePtr<uint8_t[]> decrypted_data(new uint8_t[RSA_size(rsa_key_)]);
283 int bytes_decrypted = RSA_public_decrypt(signature.available_read(), signature.peek_read(),
284 decrypted_data.get(), rsa_key_, RSA_NO_PADDING);
285 if (bytes_decrypted < 0)
286 return KM_ERROR_UNKNOWN_ERROR;
287 assert(bytes_decrypted == RSA_size(rsa_key_));
288
289 if (memcmp_s(decrypted_data.get(), data_.peek_read(), data_.available_read()) == 0)
290 return KM_ERROR_OK;
291 return KM_ERROR_VERIFICATION_FAILED;
292}
293
Shawn Willden4200f212014-12-02 07:01:21 -0700[diff] [blame]294const int OAEP_PADDING_OVERHEAD = 41;
295const int PKCS1_PADDING_OVERHEAD = 11;
296
Shawn Willden6bfbff02015-02-06 19:48:24 -0700[diff] [blame]297keymaster_error_t RsaEncryptOperation::Finish(const AuthorizationSet& /* additional_params */,
298 const Buffer& /* signature */, Buffer* output) {
Shawn Willdenb7361132014-12-08 08:15:14 -0700[diff] [blame]299 assert(output);
Shawn Willden4200f212014-12-02 07:01:21 -0700[diff] [blame]300 int openssl_padding;
301
302#if defined(OPENSSL_IS_BORINGSSL)
303 size_t message_size = data_.available_read();
304#else
305 if (data_.available_read() > INT_MAX)
306 return KM_ERROR_INVALID_INPUT_LENGTH;
307 int message_size = (int)data_.available_read();
308#endif
309
310 switch (padding_) {
311 case KM_PAD_RSA_OAEP:
312 openssl_padding = RSA_PKCS1_OAEP_PADDING;
313 if (message_size >= RSA_size(rsa_key_) - OAEP_PADDING_OVERHEAD) {
Shawn Willden567a4a02014-12-31 12:14:46 -0700[diff] [blame]314 LOG_E("Cannot encrypt %d bytes with %d-byte key and OAEP padding",
315 data_.available_read(), RSA_size(rsa_key_));
Shawn Willden4200f212014-12-02 07:01:21 -0700[diff] [blame]316 return KM_ERROR_INVALID_INPUT_LENGTH;
317 }
318 break;
319 case KM_PAD_RSA_PKCS1_1_5_ENCRYPT:
320 openssl_padding = RSA_PKCS1_PADDING;
321 if (message_size >= RSA_size(rsa_key_) - PKCS1_PADDING_OVERHEAD) {
Shawn Willden567a4a02014-12-31 12:14:46 -0700[diff] [blame]322 LOG_E("Cannot encrypt %d bytes with %d-byte key and PKCS1 padding",
323 data_.available_read(), RSA_size(rsa_key_));
Shawn Willden4200f212014-12-02 07:01:21 -0700[diff] [blame]324 return KM_ERROR_INVALID_INPUT_LENGTH;
325 }
326 break;
327 default:
Shawn Willden567a4a02014-12-31 12:14:46 -0700[diff] [blame]328 LOG_E("Padding mode %d not supported", padding_);
Shawn Willden4200f212014-12-02 07:01:21 -0700[diff] [blame]329 return KM_ERROR_UNSUPPORTED_PADDING_MODE;
330 }
331
332 output->Reinitialize(RSA_size(rsa_key_));
333 int bytes_encrypted = RSA_public_encrypt(data_.available_read(), data_.peek_read(),
334 output->peek_write(), rsa_key_, openssl_padding);
335
336 if (bytes_encrypted < 0) {
Shawn Willden567a4a02014-12-31 12:14:46 -0700[diff] [blame]337 LOG_E("Error %d encrypting data with RSA", ERR_get_error());
Shawn Willden4200f212014-12-02 07:01:21 -0700[diff] [blame]338 return KM_ERROR_UNKNOWN_ERROR;
339 }
340 assert(bytes_encrypted == RSA_size(rsa_key_));
341 output->advance_write(bytes_encrypted);
342
343 return KM_ERROR_OK;
344}
345
Shawn Willden6bfbff02015-02-06 19:48:24 -0700[diff] [blame]346keymaster_error_t RsaDecryptOperation::Finish(const AuthorizationSet& /* additional_params */,
347 const Buffer& /* signature */, Buffer* output) {
Shawn Willdenb7361132014-12-08 08:15:14 -0700[diff] [blame]348 assert(output);
Shawn Willden4200f212014-12-02 07:01:21 -0700[diff] [blame]349 int openssl_padding;
350 switch (padding_) {
351 case KM_PAD_RSA_OAEP:
352 openssl_padding = RSA_PKCS1_OAEP_PADDING;
353 break;
354 case KM_PAD_RSA_PKCS1_1_5_ENCRYPT:
355 openssl_padding = RSA_PKCS1_PADDING;
356 break;
357 default:
Shawn Willden567a4a02014-12-31 12:14:46 -0700[diff] [blame]358 LOG_E("Padding mode %d not supported", padding_);
Shawn Willden4200f212014-12-02 07:01:21 -0700[diff] [blame]359 return KM_ERROR_UNSUPPORTED_PADDING_MODE;
360 }
361
362 output->Reinitialize(RSA_size(rsa_key_));
363 int bytes_decrypted = RSA_private_decrypt(data_.available_read(), data_.peek_read(),
364 output->peek_write(), rsa_key_, openssl_padding);
365
366 if (bytes_decrypted < 0) {
Shawn Willden567a4a02014-12-31 12:14:46 -0700[diff] [blame]367 LOG_E("Error %d decrypting data with RSA", ERR_get_error());
Shawn Willden4200f212014-12-02 07:01:21 -0700[diff] [blame]368 return KM_ERROR_UNKNOWN_ERROR;
369 }
370 output->advance_write(bytes_decrypted);
371
372 return KM_ERROR_OK;
373}
374
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]375} // namespace keymaster