Shawn Willden | 0a4df7e | 2014-08-28 16:09:05 -0600 | [diff] [blame] | 1 | /* |
| 2 | * Copyright 2014 The Android Open Source Project |
| 3 | * |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | * you may not use this file except in compliance with the License. |
| 6 | * You may obtain a copy of the License at |
| 7 | * |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | * |
| 10 | * Unless required by applicable law or agreed to in writing, software |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | * See the License for the specific language governing permissions and |
| 14 | * limitations under the License. |
| 15 | */ |
| 16 | |
Shawn Willden | 63ac043 | 2014-12-29 14:07:08 -0700 | [diff] [blame] | 17 | #include "rsa_operation.h" |
| 18 | |
Shawn Willden | 4200f21 | 2014-12-02 07:01:21 -0700 | [diff] [blame] | 19 | #include <limits.h> |
| 20 | |
| 21 | #include <openssl/err.h> |
Shawn Willden | 0a4df7e | 2014-08-28 16:09:05 -0600 | [diff] [blame] | 22 | |
Shawn Willden | 567a4a0 | 2014-12-31 12:14:46 -0700 | [diff] [blame] | 23 | #include <keymaster/logger.h> |
| 24 | |
| 25 | #include "openssl_err.h" |
Shawn Willden | 0a4df7e | 2014-08-28 16:09:05 -0600 | [diff] [blame] | 26 | #include "openssl_utils.h" |
Shawn Willden | 63ac043 | 2014-12-29 14:07:08 -0700 | [diff] [blame] | 27 | #include "rsa_key.h" |
Shawn Willden | 0a4df7e | 2014-08-28 16:09:05 -0600 | [diff] [blame] | 28 | |
| 29 | namespace keymaster { |
| 30 | |
Shawn Willden | f90f235 | 2014-12-18 23:01:15 -0700 | [diff] [blame] | 31 | static const int MIN_PSS_SALT_LEN = 8 /* salt len */ + 2 /* overhead */; |
| 32 | |
Shawn Willden | 63ac043 | 2014-12-29 14:07:08 -0700 | [diff] [blame] | 33 | /** |
| 34 | * Abstract base for all RSA operation factories. This class exists mainly to centralize some code |
| 35 | * common to all RSA operation factories. |
| 36 | */ |
| 37 | class RsaOperationFactory : public OperationFactory { |
| 38 | public: |
| 39 | virtual KeyType registry_key() const { return KeyType(KM_ALGORITHM_RSA, purpose()); } |
| 40 | virtual keymaster_purpose_t purpose() const = 0; |
| 41 | |
| 42 | protected: |
| 43 | bool GetAndValidatePadding(const Key& key, keymaster_padding_t* padding, |
| 44 | keymaster_error_t* error) const; |
| 45 | bool GetAndValidateDigest(const Key& key, keymaster_digest_t* digest, |
| 46 | keymaster_error_t* error) const; |
| 47 | static RSA* GetRsaKey(const Key& key, keymaster_error_t* error); |
| 48 | }; |
| 49 | |
| 50 | bool RsaOperationFactory::GetAndValidatePadding(const Key& key, keymaster_padding_t* padding, |
| 51 | keymaster_error_t* error) const { |
| 52 | *error = KM_ERROR_UNSUPPORTED_PADDING_MODE; |
Shawn Willden | d92591d | 2014-12-30 18:19:10 -0700 | [diff] [blame] | 53 | if (!key.authorizations().GetTagValue(TAG_PADDING, padding) || !supported(*padding)) |
Shawn Willden | 63ac043 | 2014-12-29 14:07:08 -0700 | [diff] [blame] | 54 | return false; |
| 55 | |
Shawn Willden | d92591d | 2014-12-30 18:19:10 -0700 | [diff] [blame] | 56 | *error = KM_ERROR_OK; |
| 57 | return true; |
Shawn Willden | 63ac043 | 2014-12-29 14:07:08 -0700 | [diff] [blame] | 58 | } |
| 59 | |
| 60 | bool RsaOperationFactory::GetAndValidateDigest(const Key& key, keymaster_digest_t* digest, |
| 61 | keymaster_error_t* error) const { |
| 62 | *error = KM_ERROR_UNSUPPORTED_DIGEST; |
Shawn Willden | d92591d | 2014-12-30 18:19:10 -0700 | [diff] [blame] | 63 | if (!key.authorizations().GetTagValue(TAG_DIGEST, digest) || !supported(*digest)) |
Shawn Willden | 63ac043 | 2014-12-29 14:07:08 -0700 | [diff] [blame] | 64 | return false; |
| 65 | |
Shawn Willden | d92591d | 2014-12-30 18:19:10 -0700 | [diff] [blame] | 66 | *error = KM_ERROR_OK; |
| 67 | return true; |
Shawn Willden | 63ac043 | 2014-12-29 14:07:08 -0700 | [diff] [blame] | 68 | } |
| 69 | |
| 70 | /* static */ |
| 71 | RSA* RsaOperationFactory::GetRsaKey(const Key& key, keymaster_error_t* error) { |
| 72 | const RsaKey* rsa_key = static_cast<const RsaKey*>(&key); |
| 73 | assert(rsa_key); |
| 74 | if (!rsa_key || !rsa_key->key()) { |
| 75 | *error = KM_ERROR_UNKNOWN_ERROR; |
| 76 | return NULL; |
| 77 | } |
Shawn Willden | 28eed51 | 2015-02-25 19:16:36 -0700 | [diff] [blame] | 78 | RSA_up_ref(rsa_key->key()); |
| 79 | return rsa_key->key(); |
Shawn Willden | 63ac043 | 2014-12-29 14:07:08 -0700 | [diff] [blame] | 80 | } |
| 81 | |
Shawn Willden | 6190236 | 2014-12-18 10:33:24 -0700 | [diff] [blame] | 82 | static const keymaster_digest_t supported_digests[] = {KM_DIGEST_NONE, KM_DIGEST_SHA_2_256}; |
Shawn Willden | f90f235 | 2014-12-18 23:01:15 -0700 | [diff] [blame] | 83 | static const keymaster_padding_t supported_sig_padding[] = {KM_PAD_NONE, KM_PAD_RSA_PKCS1_1_5_SIGN, |
| 84 | KM_PAD_RSA_PSS}; |
Shawn Willden | 63ac043 | 2014-12-29 14:07:08 -0700 | [diff] [blame] | 85 | |
| 86 | /** |
| 87 | * Abstract base for RSA operations that digest their input (signing and verification). This class |
| 88 | * does most of the work of creation of RSA digesting operations, delegating only the actual |
| 89 | * operation instantiation. |
| 90 | */ |
| 91 | class RsaDigestingOperationFactory : public RsaOperationFactory { |
| 92 | public: |
Shawn Willden | 567a4a0 | 2014-12-31 12:14:46 -0700 | [diff] [blame] | 93 | virtual Operation* CreateOperation(const Key& key, keymaster_error_t* error); |
Shawn Willden | 63ac043 | 2014-12-29 14:07:08 -0700 | [diff] [blame] | 94 | |
| 95 | virtual const keymaster_digest_t* SupportedDigests(size_t* digest_count) const { |
| 96 | *digest_count = array_length(supported_digests); |
| 97 | return supported_digests; |
| 98 | } |
| 99 | |
| 100 | virtual const keymaster_padding_t* SupportedPaddingModes(size_t* padding_mode_count) const { |
| 101 | *padding_mode_count = array_length(supported_sig_padding); |
| 102 | return supported_sig_padding; |
| 103 | } |
| 104 | |
| 105 | private: |
Shawn Willden | 567a4a0 | 2014-12-31 12:14:46 -0700 | [diff] [blame] | 106 | virtual Operation* InstantiateOperation(keymaster_digest_t digest, keymaster_padding_t padding, |
| 107 | RSA* key) = 0; |
Shawn Willden | 63ac043 | 2014-12-29 14:07:08 -0700 | [diff] [blame] | 108 | }; |
| 109 | |
Shawn Willden | 567a4a0 | 2014-12-31 12:14:46 -0700 | [diff] [blame] | 110 | Operation* RsaDigestingOperationFactory::CreateOperation(const Key& key, keymaster_error_t* error) { |
Shawn Willden | 63ac043 | 2014-12-29 14:07:08 -0700 | [diff] [blame] | 111 | keymaster_padding_t padding; |
| 112 | keymaster_digest_t digest; |
| 113 | RSA* rsa; |
| 114 | if (!GetAndValidateDigest(key, &digest, error) || |
| 115 | !GetAndValidatePadding(key, &padding, error) || !(rsa = GetRsaKey(key, error))) |
| 116 | return NULL; |
| 117 | |
Shawn Willden | 567a4a0 | 2014-12-31 12:14:46 -0700 | [diff] [blame] | 118 | Operation* op = InstantiateOperation(digest, padding, rsa); |
Shawn Willden | 63ac043 | 2014-12-29 14:07:08 -0700 | [diff] [blame] | 119 | if (!op) |
| 120 | *error = KM_ERROR_MEMORY_ALLOCATION_FAILED; |
| 121 | return op; |
| 122 | } |
| 123 | |
| 124 | static const keymaster_padding_t supported_crypt_padding[] = {KM_PAD_RSA_OAEP, |
| 125 | KM_PAD_RSA_PKCS1_1_5_ENCRYPT}; |
| 126 | |
| 127 | /** |
| 128 | * Abstract base for en/de-crypting RSA operation factories. This class does most of the work of |
| 129 | * creating such operations, delegating only the actual operation instantiation. |
| 130 | */ |
| 131 | class RsaCryptingOperationFactory : public RsaOperationFactory { |
| 132 | public: |
Shawn Willden | 567a4a0 | 2014-12-31 12:14:46 -0700 | [diff] [blame] | 133 | virtual Operation* CreateOperation(const Key& key, keymaster_error_t* error); |
Shawn Willden | 63ac043 | 2014-12-29 14:07:08 -0700 | [diff] [blame] | 134 | |
| 135 | virtual const keymaster_padding_t* SupportedPaddingModes(size_t* padding_mode_count) const { |
| 136 | *padding_mode_count = array_length(supported_crypt_padding); |
| 137 | return supported_crypt_padding; |
| 138 | } |
| 139 | |
| 140 | virtual const keymaster_digest_t* SupportedDigests(size_t* digest_count) const { |
| 141 | *digest_count = 0; |
| 142 | return NULL; |
| 143 | } |
| 144 | |
| 145 | private: |
Shawn Willden | 567a4a0 | 2014-12-31 12:14:46 -0700 | [diff] [blame] | 146 | virtual Operation* InstantiateOperation(keymaster_padding_t padding, RSA* key) = 0; |
Shawn Willden | 63ac043 | 2014-12-29 14:07:08 -0700 | [diff] [blame] | 147 | }; |
| 148 | |
Shawn Willden | 567a4a0 | 2014-12-31 12:14:46 -0700 | [diff] [blame] | 149 | Operation* RsaCryptingOperationFactory::CreateOperation(const Key& key, keymaster_error_t* error) { |
Shawn Willden | 63ac043 | 2014-12-29 14:07:08 -0700 | [diff] [blame] | 150 | keymaster_padding_t padding; |
| 151 | RSA* rsa; |
| 152 | if (!GetAndValidatePadding(key, &padding, error) || !(rsa = GetRsaKey(key, error))) |
| 153 | return NULL; |
| 154 | |
Shawn Willden | 567a4a0 | 2014-12-31 12:14:46 -0700 | [diff] [blame] | 155 | Operation* op = InstantiateOperation(padding, rsa); |
Shawn Willden | 63ac043 | 2014-12-29 14:07:08 -0700 | [diff] [blame] | 156 | if (!op) |
| 157 | *error = KM_ERROR_MEMORY_ALLOCATION_FAILED; |
| 158 | return op; |
| 159 | } |
| 160 | |
| 161 | /** |
| 162 | * Concrete factory for RSA signing operations. |
| 163 | */ |
| 164 | class RsaSigningOperationFactory : public RsaDigestingOperationFactory { |
| 165 | public: |
| 166 | virtual keymaster_purpose_t purpose() const { return KM_PURPOSE_SIGN; } |
Shawn Willden | 567a4a0 | 2014-12-31 12:14:46 -0700 | [diff] [blame] | 167 | virtual Operation* InstantiateOperation(keymaster_digest_t digest, keymaster_padding_t padding, |
| 168 | RSA* key) { |
| 169 | return new RsaSignOperation(digest, padding, key); |
Shawn Willden | 63ac043 | 2014-12-29 14:07:08 -0700 | [diff] [blame] | 170 | } |
| 171 | }; |
| 172 | static OperationFactoryRegistry::Registration<RsaSigningOperationFactory> sign_registration; |
| 173 | |
| 174 | /** |
| 175 | * Concrete factory for RSA signing operations. |
| 176 | */ |
| 177 | class RsaVerificationOperationFactory : public RsaDigestingOperationFactory { |
| 178 | virtual keymaster_purpose_t purpose() const { return KM_PURPOSE_VERIFY; } |
Shawn Willden | 567a4a0 | 2014-12-31 12:14:46 -0700 | [diff] [blame] | 179 | virtual Operation* InstantiateOperation(keymaster_digest_t digest, keymaster_padding_t padding, |
| 180 | RSA* key) { |
| 181 | return new RsaVerifyOperation(digest, padding, key); |
Shawn Willden | 63ac043 | 2014-12-29 14:07:08 -0700 | [diff] [blame] | 182 | } |
| 183 | }; |
| 184 | static OperationFactoryRegistry::Registration<RsaVerificationOperationFactory> verify_registration; |
| 185 | |
| 186 | /** |
| 187 | * Concrete factory for RSA signing operations. |
| 188 | */ |
| 189 | class RsaEncryptionOperationFactory : public RsaCryptingOperationFactory { |
| 190 | virtual keymaster_purpose_t purpose() const { return KM_PURPOSE_ENCRYPT; } |
Shawn Willden | 567a4a0 | 2014-12-31 12:14:46 -0700 | [diff] [blame] | 191 | virtual Operation* InstantiateOperation(keymaster_padding_t padding, RSA* key) { |
| 192 | return new RsaEncryptOperation(padding, key); |
Shawn Willden | 63ac043 | 2014-12-29 14:07:08 -0700 | [diff] [blame] | 193 | } |
| 194 | }; |
| 195 | static OperationFactoryRegistry::Registration<RsaEncryptionOperationFactory> encrypt_registration; |
| 196 | |
| 197 | /** |
| 198 | * Concrete factory for RSA signing operations. |
| 199 | */ |
| 200 | class RsaDecryptionOperationFactory : public RsaCryptingOperationFactory { |
| 201 | virtual keymaster_purpose_t purpose() const { return KM_PURPOSE_DECRYPT; } |
Shawn Willden | 567a4a0 | 2014-12-31 12:14:46 -0700 | [diff] [blame] | 202 | virtual Operation* InstantiateOperation(keymaster_padding_t padding, RSA* key) { |
| 203 | return new RsaDecryptOperation(padding, key); |
Shawn Willden | 63ac043 | 2014-12-29 14:07:08 -0700 | [diff] [blame] | 204 | } |
| 205 | }; |
| 206 | |
| 207 | static OperationFactoryRegistry::Registration<RsaDecryptionOperationFactory> decrypt_registration; |
| 208 | |
Shawn Willden | 0a4df7e | 2014-08-28 16:09:05 -0600 | [diff] [blame] | 209 | struct RSA_Delete { |
| 210 | void operator()(RSA* p) const { RSA_free(p); } |
| 211 | }; |
| 212 | |
| 213 | RsaOperation::~RsaOperation() { |
| 214 | if (rsa_key_ != NULL) |
| 215 | RSA_free(rsa_key_); |
| 216 | } |
| 217 | |
Shawn Willden | 6bfbff0 | 2015-02-06 19:48:24 -0700 | [diff] [blame] | 218 | keymaster_error_t RsaOperation::Update(const AuthorizationSet& /* additional_params */, |
| 219 | const Buffer& input, Buffer* /* output */, |
Shawn Willden | b736113 | 2014-12-08 08:15:14 -0700 | [diff] [blame] | 220 | size_t* input_consumed) { |
| 221 | assert(input_consumed); |
Shawn Willden | 0a4df7e | 2014-08-28 16:09:05 -0600 | [diff] [blame] | 222 | switch (purpose()) { |
| 223 | default: |
| 224 | return KM_ERROR_UNIMPLEMENTED; |
| 225 | case KM_PURPOSE_SIGN: |
| 226 | case KM_PURPOSE_VERIFY: |
Shawn Willden | 4200f21 | 2014-12-02 07:01:21 -0700 | [diff] [blame] | 227 | case KM_PURPOSE_ENCRYPT: |
| 228 | case KM_PURPOSE_DECRYPT: |
Shawn Willden | b736113 | 2014-12-08 08:15:14 -0700 | [diff] [blame] | 229 | return StoreData(input, input_consumed); |
Shawn Willden | 0a4df7e | 2014-08-28 16:09:05 -0600 | [diff] [blame] | 230 | } |
| 231 | } |
| 232 | |
Shawn Willden | b736113 | 2014-12-08 08:15:14 -0700 | [diff] [blame] | 233 | keymaster_error_t RsaOperation::StoreData(const Buffer& input, size_t* input_consumed) { |
| 234 | assert(input_consumed); |
Shawn Willden | 0a4df7e | 2014-08-28 16:09:05 -0600 | [diff] [blame] | 235 | if (!data_.reserve(data_.available_read() + input.available_read()) || |
| 236 | !data_.write(input.peek_read(), input.available_read())) |
| 237 | return KM_ERROR_MEMORY_ALLOCATION_FAILED; |
Shawn Willden | b736113 | 2014-12-08 08:15:14 -0700 | [diff] [blame] | 238 | *input_consumed = input.available_read(); |
Shawn Willden | 0a4df7e | 2014-08-28 16:09:05 -0600 | [diff] [blame] | 239 | return KM_ERROR_OK; |
| 240 | } |
| 241 | |
Shawn Willden | 6190236 | 2014-12-18 10:33:24 -0700 | [diff] [blame] | 242 | RsaDigestingOperation::RsaDigestingOperation(keymaster_purpose_t purpose, keymaster_digest_t digest, |
| 243 | keymaster_padding_t padding, RSA* key) |
| 244 | : RsaOperation(purpose, padding, key), digest_(digest), digest_algorithm_(NULL) { |
| 245 | EVP_MD_CTX_init(&digest_ctx_); |
| 246 | } |
| 247 | RsaDigestingOperation::~RsaDigestingOperation() { |
| 248 | EVP_MD_CTX_cleanup(&digest_ctx_); |
Shawn Willden | f90f235 | 2014-12-18 23:01:15 -0700 | [diff] [blame] | 249 | memset_s(digest_buf_, 0, sizeof(digest_buf_)); |
Shawn Willden | 6190236 | 2014-12-18 10:33:24 -0700 | [diff] [blame] | 250 | } |
| 251 | |
| 252 | keymaster_error_t RsaDigestingOperation::Begin(const AuthorizationSet& /* input_params */, |
| 253 | AuthorizationSet* /* output_params */) { |
Shawn Willden | f90f235 | 2014-12-18 23:01:15 -0700 | [diff] [blame] | 254 | if (require_digest() && digest_ == KM_DIGEST_NONE) |
| 255 | return KM_ERROR_INCOMPATIBLE_DIGEST; |
| 256 | return InitDigest(); |
| 257 | } |
Shawn Willden | 6190236 | 2014-12-18 10:33:24 -0700 | [diff] [blame] | 258 | |
Shawn Willden | f90f235 | 2014-12-18 23:01:15 -0700 | [diff] [blame] | 259 | keymaster_error_t RsaDigestingOperation::Update(const AuthorizationSet& additional_params, |
| 260 | const Buffer& input, Buffer* output, |
| 261 | size_t* input_consumed) { |
| 262 | if (digest_ == KM_DIGEST_NONE) |
| 263 | return RsaOperation::Update(additional_params, input, output, input_consumed); |
| 264 | else |
| 265 | return UpdateDigest(input, input_consumed); |
| 266 | } |
| 267 | |
| 268 | keymaster_error_t RsaDigestingOperation::InitDigest() { |
Shawn Willden | 6190236 | 2014-12-18 10:33:24 -0700 | [diff] [blame] | 269 | switch (digest_) { |
Shawn Willden | f90f235 | 2014-12-18 23:01:15 -0700 | [diff] [blame] | 270 | case KM_DIGEST_NONE: |
| 271 | return KM_ERROR_OK; |
Shawn Willden | 6190236 | 2014-12-18 10:33:24 -0700 | [diff] [blame] | 272 | case KM_DIGEST_SHA_2_256: |
| 273 | digest_algorithm_ = EVP_sha256(); |
| 274 | break; |
| 275 | default: |
| 276 | return KM_ERROR_UNSUPPORTED_DIGEST; |
| 277 | } |
| 278 | |
| 279 | if (!EVP_DigestInit_ex(&digest_ctx_, digest_algorithm_, NULL /* engine */)) { |
| 280 | int err = ERR_get_error(); |
| 281 | LOG_E("Failed to initialize digest: %d %s", err, ERR_error_string(err, NULL)); |
| 282 | return KM_ERROR_UNKNOWN_ERROR; |
| 283 | } |
Shawn Willden | 6190236 | 2014-12-18 10:33:24 -0700 | [diff] [blame] | 284 | return KM_ERROR_OK; |
| 285 | } |
| 286 | |
Shawn Willden | f90f235 | 2014-12-18 23:01:15 -0700 | [diff] [blame] | 287 | keymaster_error_t RsaDigestingOperation::UpdateDigest(const Buffer& input, size_t* input_consumed) { |
Shawn Willden | 6190236 | 2014-12-18 10:33:24 -0700 | [diff] [blame] | 288 | if (!EVP_DigestUpdate(&digest_ctx_, input.peek_read(), input.available_read())) { |
| 289 | int err = ERR_get_error(); |
| 290 | LOG_E("Failed to update digest: %d %s", err, ERR_error_string(err, NULL)); |
| 291 | return KM_ERROR_UNKNOWN_ERROR; |
| 292 | } |
| 293 | *input_consumed = input.available_read(); |
| 294 | return KM_ERROR_OK; |
| 295 | } |
| 296 | |
Shawn Willden | f90f235 | 2014-12-18 23:01:15 -0700 | [diff] [blame] | 297 | keymaster_error_t RsaDigestingOperation::FinishDigest(unsigned* digest_size) { |
Shawn Willden | 6190236 | 2014-12-18 10:33:24 -0700 | [diff] [blame] | 298 | assert(digest_algorithm_ != NULL); |
Shawn Willden | f90f235 | 2014-12-18 23:01:15 -0700 | [diff] [blame] | 299 | if (!EVP_DigestFinal_ex(&digest_ctx_, digest_buf_, digest_size)) { |
Shawn Willden | 6190236 | 2014-12-18 10:33:24 -0700 | [diff] [blame] | 300 | int err = ERR_get_error(); |
| 301 | LOG_E("Failed to finalize digest: %d %s", err, ERR_error_string(err, NULL)); |
Shawn Willden | f90f235 | 2014-12-18 23:01:15 -0700 | [diff] [blame] | 302 | return KM_ERROR_UNKNOWN_ERROR; |
Shawn Willden | 6190236 | 2014-12-18 10:33:24 -0700 | [diff] [blame] | 303 | } |
| 304 | assert(*digest_size == static_cast<unsigned>(EVP_MD_size(digest_algorithm_))); |
Shawn Willden | f90f235 | 2014-12-18 23:01:15 -0700 | [diff] [blame] | 305 | return KM_ERROR_OK; |
Shawn Willden | 6190236 | 2014-12-18 10:33:24 -0700 | [diff] [blame] | 306 | } |
| 307 | |
Shawn Willden | 6bfbff0 | 2015-02-06 19:48:24 -0700 | [diff] [blame] | 308 | keymaster_error_t RsaSignOperation::Finish(const AuthorizationSet& /* additional_params */, |
| 309 | const Buffer& /* signature */, Buffer* output) { |
Shawn Willden | b736113 | 2014-12-08 08:15:14 -0700 | [diff] [blame] | 310 | assert(output); |
Shawn Willden | 0a4df7e | 2014-08-28 16:09:05 -0600 | [diff] [blame] | 311 | output->Reinitialize(RSA_size(rsa_key_)); |
Shawn Willden | f90f235 | 2014-12-18 23:01:15 -0700 | [diff] [blame] | 312 | if (digest_ == KM_DIGEST_NONE) |
| 313 | return SignUndigested(output); |
| 314 | else |
| 315 | return SignDigested(output); |
| 316 | } |
Shawn Willden | 6190236 | 2014-12-18 10:33:24 -0700 | [diff] [blame] | 317 | |
Shawn Willden | f90f235 | 2014-12-18 23:01:15 -0700 | [diff] [blame] | 318 | keymaster_error_t RsaSignOperation::SignUndigested(Buffer* output) { |
| 319 | int bytes_encrypted; |
| 320 | switch (padding_) { |
| 321 | case KM_PAD_NONE: |
| 322 | bytes_encrypted = RSA_private_encrypt(data_.available_read(), data_.peek_read(), |
| 323 | output->peek_write(), rsa_key_, RSA_NO_PADDING); |
| 324 | break; |
| 325 | case KM_PAD_RSA_PKCS1_1_5_SIGN: |
| 326 | bytes_encrypted = RSA_private_encrypt(data_.available_read(), data_.peek_read(), |
| 327 | output->peek_write(), rsa_key_, RSA_PKCS1_PADDING); |
| 328 | break; |
| 329 | default: |
| 330 | return KM_ERROR_UNSUPPORTED_PADDING_MODE; |
| 331 | } |
Shawn Willden | 6190236 | 2014-12-18 10:33:24 -0700 | [diff] [blame] | 332 | |
Shawn Willden | f90f235 | 2014-12-18 23:01:15 -0700 | [diff] [blame] | 333 | if (bytes_encrypted <= 0) |
Shawn Willden | 0a4df7e | 2014-08-28 16:09:05 -0600 | [diff] [blame] | 334 | return KM_ERROR_UNKNOWN_ERROR; |
Shawn Willden | 0a4df7e | 2014-08-28 16:09:05 -0600 | [diff] [blame] | 335 | output->advance_write(bytes_encrypted); |
| 336 | return KM_ERROR_OK; |
| 337 | } |
| 338 | |
Shawn Willden | f90f235 | 2014-12-18 23:01:15 -0700 | [diff] [blame] | 339 | keymaster_error_t RsaSignOperation::SignDigested(Buffer* output) { |
| 340 | unsigned digest_size = 0; |
| 341 | keymaster_error_t error = FinishDigest(&digest_size); |
| 342 | if (error != KM_ERROR_OK) |
| 343 | return error; |
| 344 | |
| 345 | UniquePtr<uint8_t[]> padded_digest; |
| 346 | switch (padding_) { |
| 347 | case KM_PAD_NONE: |
| 348 | return PrivateEncrypt(digest_buf_, digest_size, RSA_NO_PADDING, output); |
| 349 | case KM_PAD_RSA_PKCS1_1_5_SIGN: |
| 350 | return PrivateEncrypt(digest_buf_, digest_size, RSA_PKCS1_PADDING, output); |
| 351 | case KM_PAD_RSA_PSS: |
| 352 | // OpenSSL doesn't verify that the key is large enough for the digest size. This can cause |
| 353 | // a segfault in some cases, and in others can result in a unsafely-small salt. |
Shawn Willden | 2c24200 | 2015-02-27 07:01:02 -0700 | [diff] [blame] | 354 | if ((unsigned)RSA_size(rsa_key_) < MIN_PSS_SALT_LEN + digest_size) |
| 355 | // TODO(swillden): Add a better return code for this. |
Shawn Willden | f90f235 | 2014-12-18 23:01:15 -0700 | [diff] [blame] | 356 | return KM_ERROR_INCOMPATIBLE_DIGEST; |
| 357 | |
| 358 | if ((error = PssPadDigest(&padded_digest)) != KM_ERROR_OK) |
| 359 | return error; |
| 360 | return PrivateEncrypt(padded_digest.get(), RSA_size(rsa_key_), RSA_NO_PADDING, output); |
| 361 | default: |
| 362 | return KM_ERROR_UNSUPPORTED_PADDING_MODE; |
| 363 | } |
Shawn Willden | 6190236 | 2014-12-18 10:33:24 -0700 | [diff] [blame] | 364 | } |
| 365 | |
Shawn Willden | f90f235 | 2014-12-18 23:01:15 -0700 | [diff] [blame] | 366 | keymaster_error_t RsaSignOperation::PssPadDigest(UniquePtr<uint8_t[]>* padded_digest) { |
| 367 | padded_digest->reset(new uint8_t[RSA_size(rsa_key_)]); |
| 368 | if (!padded_digest->get()) |
| 369 | return KM_ERROR_MEMORY_ALLOCATION_FAILED; |
| 370 | |
Adam Langley | adb0f33 | 2015-03-05 19:57:29 -0800 | [diff] [blame] | 371 | if (!RSA_padding_add_PKCS1_PSS_mgf1(rsa_key_, padded_digest->get(), digest_buf_, |
| 372 | digest_algorithm_, NULL, |
| 373 | -2 /* Indicates maximum salt length */)) { |
Shawn Willden | f90f235 | 2014-12-18 23:01:15 -0700 | [diff] [blame] | 374 | LOG_E("%s", "Failed to apply PSS padding"); |
Shawn Willden | 6190236 | 2014-12-18 10:33:24 -0700 | [diff] [blame] | 375 | return KM_ERROR_UNKNOWN_ERROR; |
Shawn Willden | f90f235 | 2014-12-18 23:01:15 -0700 | [diff] [blame] | 376 | } |
| 377 | return KM_ERROR_OK; |
| 378 | } |
| 379 | |
| 380 | keymaster_error_t RsaSignOperation::PrivateEncrypt(uint8_t* to_encrypt, size_t len, |
| 381 | int openssl_padding, Buffer* output) { |
| 382 | int bytes_encrypted = |
| 383 | RSA_private_encrypt(len, to_encrypt, output->peek_write(), rsa_key_, openssl_padding); |
| 384 | if (bytes_encrypted <= 0) |
| 385 | return KM_ERROR_UNKNOWN_ERROR; |
| 386 | output->advance_write(bytes_encrypted); |
| 387 | return KM_ERROR_OK; |
Shawn Willden | 6190236 | 2014-12-18 10:33:24 -0700 | [diff] [blame] | 388 | } |
| 389 | |
Shawn Willden | 6bfbff0 | 2015-02-06 19:48:24 -0700 | [diff] [blame] | 390 | keymaster_error_t RsaVerifyOperation::Finish(const AuthorizationSet& /* additional_params */, |
| 391 | const Buffer& signature, Buffer* /* output */) { |
Shawn Willden | f90f235 | 2014-12-18 23:01:15 -0700 | [diff] [blame] | 392 | if (digest_ == KM_DIGEST_NONE) |
| 393 | return VerifyUndigested(signature); |
| 394 | else |
| 395 | return VerifyDigested(signature); |
Shawn Willden | 6190236 | 2014-12-18 10:33:24 -0700 | [diff] [blame] | 396 | } |
| 397 | |
Shawn Willden | f90f235 | 2014-12-18 23:01:15 -0700 | [diff] [blame] | 398 | keymaster_error_t RsaVerifyOperation::VerifyUndigested(const Buffer& signature) { |
| 399 | return DecryptAndMatch(signature, data_.peek_read(), data_.available_read()); |
Shawn Willden | 6190236 | 2014-12-18 10:33:24 -0700 | [diff] [blame] | 400 | } |
| 401 | |
Shawn Willden | f90f235 | 2014-12-18 23:01:15 -0700 | [diff] [blame] | 402 | keymaster_error_t RsaVerifyOperation::VerifyDigested(const Buffer& signature) { |
Shawn Willden | 6190236 | 2014-12-18 10:33:24 -0700 | [diff] [blame] | 403 | unsigned digest_size = 0; |
Shawn Willden | f90f235 | 2014-12-18 23:01:15 -0700 | [diff] [blame] | 404 | keymaster_error_t error = FinishDigest(&digest_size); |
| 405 | if (error != KM_ERROR_OK) |
| 406 | return error; |
| 407 | return DecryptAndMatch(signature, digest_buf_, digest_size); |
| 408 | } |
Shawn Willden | 6190236 | 2014-12-18 10:33:24 -0700 | [diff] [blame] | 409 | |
Shawn Willden | f90f235 | 2014-12-18 23:01:15 -0700 | [diff] [blame] | 410 | keymaster_error_t RsaVerifyOperation::DecryptAndMatch(const Buffer& signature, |
| 411 | const uint8_t* to_match, size_t len) { |
| 412 | #ifdef OPENSSL_IS_BORINGSSL |
| 413 | size_t key_len = RSA_size(rsa_key_); |
| 414 | #else |
| 415 | size_t key_len = (size_t)RSA_size(rsa_key_); |
| 416 | #endif |
| 417 | |
| 418 | int openssl_padding; |
| 419 | switch (padding_) { |
| 420 | case KM_PAD_NONE: |
| 421 | if (len != key_len) |
| 422 | return KM_ERROR_INVALID_INPUT_LENGTH; |
| 423 | if (len != signature.available_read()) |
| 424 | return KM_ERROR_VERIFICATION_FAILED; |
| 425 | openssl_padding = RSA_NO_PADDING; |
| 426 | break; |
| 427 | case KM_PAD_RSA_PSS: // Do a raw decrypt for PSS |
| 428 | openssl_padding = RSA_NO_PADDING; |
| 429 | break; |
| 430 | case KM_PAD_RSA_PKCS1_1_5_SIGN: |
| 431 | openssl_padding = RSA_PKCS1_PADDING; |
| 432 | break; |
| 433 | default: |
| 434 | return KM_ERROR_UNSUPPORTED_PADDING_MODE; |
| 435 | } |
| 436 | |
| 437 | UniquePtr<uint8_t[]> decrypted_data(new uint8_t[key_len]); |
| 438 | int bytes_decrypted = RSA_public_decrypt(signature.available_read(), signature.peek_read(), |
| 439 | decrypted_data.get(), rsa_key_, openssl_padding); |
| 440 | if (bytes_decrypted < 0) |
| 441 | return KM_ERROR_VERIFICATION_FAILED; |
| 442 | |
| 443 | if (padding_ == KM_PAD_RSA_PSS && |
Adam Langley | adb0f33 | 2015-03-05 19:57:29 -0800 | [diff] [blame] | 444 | RSA_verify_PKCS1_PSS_mgf1(rsa_key_, to_match, digest_algorithm_, NULL, decrypted_data.get(), |
| 445 | -2 /* salt length recovered from signature */)) |
Shawn Willden | f90f235 | 2014-12-18 23:01:15 -0700 | [diff] [blame] | 446 | return KM_ERROR_OK; |
| 447 | else if (padding_ != KM_PAD_RSA_PSS && memcmp_s(decrypted_data.get(), to_match, len) == 0) |
Shawn Willden | 6190236 | 2014-12-18 10:33:24 -0700 | [diff] [blame] | 448 | return KM_ERROR_OK; |
| 449 | |
Shawn Willden | 0a4df7e | 2014-08-28 16:09:05 -0600 | [diff] [blame] | 450 | return KM_ERROR_VERIFICATION_FAILED; |
| 451 | } |
| 452 | |
Shawn Willden | 4200f21 | 2014-12-02 07:01:21 -0700 | [diff] [blame] | 453 | const int OAEP_PADDING_OVERHEAD = 41; |
| 454 | const int PKCS1_PADDING_OVERHEAD = 11; |
| 455 | |
Shawn Willden | 6bfbff0 | 2015-02-06 19:48:24 -0700 | [diff] [blame] | 456 | keymaster_error_t RsaEncryptOperation::Finish(const AuthorizationSet& /* additional_params */, |
| 457 | const Buffer& /* signature */, Buffer* output) { |
Shawn Willden | b736113 | 2014-12-08 08:15:14 -0700 | [diff] [blame] | 458 | assert(output); |
Shawn Willden | 4200f21 | 2014-12-02 07:01:21 -0700 | [diff] [blame] | 459 | int openssl_padding; |
| 460 | |
| 461 | #if defined(OPENSSL_IS_BORINGSSL) |
Shawn Willden | f90f235 | 2014-12-18 23:01:15 -0700 | [diff] [blame] | 462 | size_t key_len = RSA_size(rsa_key_); |
Shawn Willden | 4200f21 | 2014-12-02 07:01:21 -0700 | [diff] [blame] | 463 | #else |
Shawn Willden | f90f235 | 2014-12-18 23:01:15 -0700 | [diff] [blame] | 464 | size_t key_len = (size_t)RSA_size(rsa_key_); |
Shawn Willden | 4200f21 | 2014-12-02 07:01:21 -0700 | [diff] [blame] | 465 | #endif |
| 466 | |
Shawn Willden | f90f235 | 2014-12-18 23:01:15 -0700 | [diff] [blame] | 467 | size_t message_size = data_.available_read(); |
Shawn Willden | 4200f21 | 2014-12-02 07:01:21 -0700 | [diff] [blame] | 468 | switch (padding_) { |
| 469 | case KM_PAD_RSA_OAEP: |
| 470 | openssl_padding = RSA_PKCS1_OAEP_PADDING; |
Shawn Willden | f90f235 | 2014-12-18 23:01:15 -0700 | [diff] [blame] | 471 | if (message_size + OAEP_PADDING_OVERHEAD >= key_len) { |
Shawn Willden | 567a4a0 | 2014-12-31 12:14:46 -0700 | [diff] [blame] | 472 | LOG_E("Cannot encrypt %d bytes with %d-byte key and OAEP padding", |
Shawn Willden | f90f235 | 2014-12-18 23:01:15 -0700 | [diff] [blame] | 473 | data_.available_read(), key_len); |
Shawn Willden | 4200f21 | 2014-12-02 07:01:21 -0700 | [diff] [blame] | 474 | return KM_ERROR_INVALID_INPUT_LENGTH; |
| 475 | } |
| 476 | break; |
| 477 | case KM_PAD_RSA_PKCS1_1_5_ENCRYPT: |
| 478 | openssl_padding = RSA_PKCS1_PADDING; |
Shawn Willden | f90f235 | 2014-12-18 23:01:15 -0700 | [diff] [blame] | 479 | if (message_size + PKCS1_PADDING_OVERHEAD >= key_len) { |
Shawn Willden | 567a4a0 | 2014-12-31 12:14:46 -0700 | [diff] [blame] | 480 | LOG_E("Cannot encrypt %d bytes with %d-byte key and PKCS1 padding", |
Shawn Willden | f90f235 | 2014-12-18 23:01:15 -0700 | [diff] [blame] | 481 | data_.available_read(), key_len); |
Shawn Willden | 4200f21 | 2014-12-02 07:01:21 -0700 | [diff] [blame] | 482 | return KM_ERROR_INVALID_INPUT_LENGTH; |
| 483 | } |
| 484 | break; |
| 485 | default: |
Shawn Willden | 567a4a0 | 2014-12-31 12:14:46 -0700 | [diff] [blame] | 486 | LOG_E("Padding mode %d not supported", padding_); |
Shawn Willden | 4200f21 | 2014-12-02 07:01:21 -0700 | [diff] [blame] | 487 | return KM_ERROR_UNSUPPORTED_PADDING_MODE; |
| 488 | } |
| 489 | |
| 490 | output->Reinitialize(RSA_size(rsa_key_)); |
| 491 | int bytes_encrypted = RSA_public_encrypt(data_.available_read(), data_.peek_read(), |
| 492 | output->peek_write(), rsa_key_, openssl_padding); |
| 493 | |
| 494 | if (bytes_encrypted < 0) { |
Shawn Willden | 567a4a0 | 2014-12-31 12:14:46 -0700 | [diff] [blame] | 495 | LOG_E("Error %d encrypting data with RSA", ERR_get_error()); |
Shawn Willden | 4200f21 | 2014-12-02 07:01:21 -0700 | [diff] [blame] | 496 | return KM_ERROR_UNKNOWN_ERROR; |
| 497 | } |
| 498 | assert(bytes_encrypted == RSA_size(rsa_key_)); |
| 499 | output->advance_write(bytes_encrypted); |
| 500 | |
| 501 | return KM_ERROR_OK; |
| 502 | } |
| 503 | |
Shawn Willden | 6bfbff0 | 2015-02-06 19:48:24 -0700 | [diff] [blame] | 504 | keymaster_error_t RsaDecryptOperation::Finish(const AuthorizationSet& /* additional_params */, |
| 505 | const Buffer& /* signature */, Buffer* output) { |
Shawn Willden | b736113 | 2014-12-08 08:15:14 -0700 | [diff] [blame] | 506 | assert(output); |
Shawn Willden | 4200f21 | 2014-12-02 07:01:21 -0700 | [diff] [blame] | 507 | int openssl_padding; |
| 508 | switch (padding_) { |
| 509 | case KM_PAD_RSA_OAEP: |
| 510 | openssl_padding = RSA_PKCS1_OAEP_PADDING; |
| 511 | break; |
| 512 | case KM_PAD_RSA_PKCS1_1_5_ENCRYPT: |
| 513 | openssl_padding = RSA_PKCS1_PADDING; |
| 514 | break; |
| 515 | default: |
Shawn Willden | 567a4a0 | 2014-12-31 12:14:46 -0700 | [diff] [blame] | 516 | LOG_E("Padding mode %d not supported", padding_); |
Shawn Willden | 4200f21 | 2014-12-02 07:01:21 -0700 | [diff] [blame] | 517 | return KM_ERROR_UNSUPPORTED_PADDING_MODE; |
| 518 | } |
| 519 | |
| 520 | output->Reinitialize(RSA_size(rsa_key_)); |
| 521 | int bytes_decrypted = RSA_private_decrypt(data_.available_read(), data_.peek_read(), |
| 522 | output->peek_write(), rsa_key_, openssl_padding); |
| 523 | |
| 524 | if (bytes_decrypted < 0) { |
Shawn Willden | 567a4a0 | 2014-12-31 12:14:46 -0700 | [diff] [blame] | 525 | LOG_E("Error %d decrypting data with RSA", ERR_get_error()); |
Shawn Willden | 4200f21 | 2014-12-02 07:01:21 -0700 | [diff] [blame] | 526 | return KM_ERROR_UNKNOWN_ERROR; |
| 527 | } |
| 528 | output->advance_write(bytes_decrypted); |
| 529 | |
| 530 | return KM_ERROR_OK; |
| 531 | } |
| 532 | |
Shawn Willden | 0a4df7e | 2014-08-28 16:09:05 -0600 | [diff] [blame] | 533 | } // namespace keymaster |