Gitiles
Code Review Sign In
gerrit.openfyde.cn / android.googlesource.com / platform / system / keymaster / 6270aca8571399aca8ea538acd7386ddecdcc112 / . / rsa_operation.cpp
blob: 776173001f1966c679ff5d22022e1cb2895e9c1e [file] [log] [blame]
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]1/*
2 * Copyright 2014 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]17#include "rsa_operation.h"
18
Shawn Willden4200f212014-12-02 07:01:21 -0700[diff] [blame]19#include <limits.h>
20
21#include <openssl/err.h>
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]22
Shawn Willden567a4a02014-12-31 12:14:46 -0700[diff] [blame]23#include <keymaster/logger.h>
24
25#include "openssl_err.h"
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]26#include "openssl_utils.h"
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]27#include "rsa_key.h"
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]28
29namespace keymaster {
30
Shawn Willdenf90f2352014-12-18 23:01:15 -0700[diff] [blame]31static const int MIN_PSS_SALT_LEN = 8 /* salt len */ + 2 /* overhead */;
32
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]33/**
34 * Abstract base for all RSA operation factories. This class exists mainly to centralize some code
35 * common to all RSA operation factories.
36 */
37class RsaOperationFactory : public OperationFactory {
38 public:
Shawn Willden226746b2015-05-08 11:36:56 -0600[diff] [blame]39 KeyType registry_key() const override { return KeyType(KM_ALGORITHM_RSA, purpose()); }
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]40 virtual keymaster_purpose_t purpose() const = 0;
41
42 protected:
Shawn Willden3ad5f052015-05-08 14:05:13 -0600[diff] [blame]43 bool GetAndValidatePadding(const AuthorizationSet& begin_params, const Key& key,
44 keymaster_padding_t* padding, keymaster_error_t* error) const;
Shawn Willden226746b2015-05-08 11:36:56 -0600[diff] [blame]45 bool GetAndValidateDigest(const AuthorizationSet& begin_params, const Key& key,
46 keymaster_digest_t* digest, keymaster_error_t* error) const;
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]47 static RSA* GetRsaKey(const Key& key, keymaster_error_t* error);
48};
49
Shawn Willden3ad5f052015-05-08 14:05:13 -0600[diff] [blame]50bool RsaOperationFactory::GetAndValidatePadding(const AuthorizationSet& begin_params,
51 const Key& key, keymaster_padding_t* padding,
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]52 keymaster_error_t* error) const {
53 *error = KM_ERROR_UNSUPPORTED_PADDING_MODE;
Shawn Willden3ad5f052015-05-08 14:05:13 -0600[diff] [blame]54 if (!begin_params.GetTagValue(TAG_PADDING, padding)) {
55 LOG_E("%d padding modes specified in begin params", begin_params.GetTagCount(TAG_PADDING));
Shawn Willdend9d7acf2015-02-25 17:37:20 -0700[diff] [blame]56 return false;
Shawn Willden3ad5f052015-05-08 14:05:13 -0600[diff] [blame]57 } else if (!supported(*padding)) {
58 LOG_E("Padding mode %d not supported", *padding);
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]59 return false;
Shawn Willden3ad5f052015-05-08 14:05:13 -0600[diff] [blame]60 } else if (!key.authorizations().Contains(TAG_PADDING, *padding) &&
61 !key.authorizations().Contains(TAG_PADDING_OLD, *padding)) {
62 LOG_E("Padding mode %d was specified, but not authorized by key", *padding);
63 *error = KM_ERROR_INCOMPATIBLE_PADDING_MODE;
64 return false;
65 }
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]66
Shawn Willdend92591d2014-12-30 18:19:10 -0700[diff] [blame]67 *error = KM_ERROR_OK;
68 return true;
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]69}
70
Shawn Willden226746b2015-05-08 11:36:56 -0600[diff] [blame]71bool RsaOperationFactory::GetAndValidateDigest(const AuthorizationSet& begin_params, const Key& key,
72 keymaster_digest_t* digest,
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]73 keymaster_error_t* error) const {
74 *error = KM_ERROR_UNSUPPORTED_DIGEST;
Shawn Willden226746b2015-05-08 11:36:56 -0600[diff] [blame]75 if (!begin_params.GetTagValue(TAG_DIGEST, digest)) {
76 LOG_E("%d digests specified in begin params", begin_params.GetTagCount(TAG_DIGEST));
Shawn Willden0bd61a82015-04-13 19:09:32 -0700[diff] [blame]77 return false;
Shawn Willden226746b2015-05-08 11:36:56 -0600[diff] [blame]78 } else if (!supported(*digest)) {
79 LOG_E("Digest %d not supported", *digest);
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]80 return false;
Shawn Willden226746b2015-05-08 11:36:56 -0600[diff] [blame]81 } else if (!key.authorizations().Contains(TAG_DIGEST, *digest) &&
82 !key.authorizations().Contains(TAG_DIGEST_OLD, *digest)) {
83 LOG_E("Digest %d was specified, but not authorized by key", *digest);
84 *error = KM_ERROR_INCOMPATIBLE_DIGEST;
85 return false;
86 }
Shawn Willdend92591d2014-12-30 18:19:10 -0700[diff] [blame]87 *error = KM_ERROR_OK;
88 return true;
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]89}
90
91/* static */
92RSA* RsaOperationFactory::GetRsaKey(const Key& key, keymaster_error_t* error) {
93 const RsaKey* rsa_key = static_cast<const RsaKey*>(&key);
94 assert(rsa_key);
95 if (!rsa_key || !rsa_key->key()) {
96 *error = KM_ERROR_UNKNOWN_ERROR;
97 return NULL;
98 }
Shawn Willden28eed512015-02-25 19:16:36 -0700[diff] [blame]99 RSA_up_ref(rsa_key->key());
100 return rsa_key->key();
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]101}
102
Shawn Willden61902362014-12-18 10:33:24 -0700[diff] [blame]103static const keymaster_digest_t supported_digests[] = {KM_DIGEST_NONE, KM_DIGEST_SHA_2_256};
Shawn Willdenf90f2352014-12-18 23:01:15 -0700[diff] [blame]104static const keymaster_padding_t supported_sig_padding[] = {KM_PAD_NONE, KM_PAD_RSA_PKCS1_1_5_SIGN,
105 KM_PAD_RSA_PSS};
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]106
107/**
108 * Abstract base for RSA operations that digest their input (signing and verification). This class
109 * does most of the work of creation of RSA digesting operations, delegating only the actual
110 * operation instantiation.
111 */
112class RsaDigestingOperationFactory : public RsaOperationFactory {
113 public:
Shawn Willden3ed6d062015-04-15 13:39:38 -0600[diff] [blame]114 virtual Operation* CreateOperation(const Key& key, const AuthorizationSet& begin_params,
115 keymaster_error_t* error);
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]116
117 virtual const keymaster_digest_t* SupportedDigests(size_t* digest_count) const {
118 *digest_count = array_length(supported_digests);
119 return supported_digests;
120 }
121
122 virtual const keymaster_padding_t* SupportedPaddingModes(size_t* padding_mode_count) const {
123 *padding_mode_count = array_length(supported_sig_padding);
124 return supported_sig_padding;
125 }
126
127 private:
Shawn Willden567a4a02014-12-31 12:14:46 -0700[diff] [blame]128 virtual Operation* InstantiateOperation(keymaster_digest_t digest, keymaster_padding_t padding,
129 RSA* key) = 0;
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]130};
131
Shawn Willden3ed6d062015-04-15 13:39:38 -0600[diff] [blame]132Operation* RsaDigestingOperationFactory::CreateOperation(const Key& key,
Shawn Willden226746b2015-05-08 11:36:56 -0600[diff] [blame]133 const AuthorizationSet& begin_params,
Shawn Willden3ed6d062015-04-15 13:39:38 -0600[diff] [blame]134 keymaster_error_t* error) {
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]135 keymaster_padding_t padding;
136 keymaster_digest_t digest;
137 RSA* rsa;
Shawn Willden226746b2015-05-08 11:36:56 -0600[diff] [blame]138 if (!GetAndValidateDigest(begin_params, key, &digest, error) ||
Shawn Willden3ad5f052015-05-08 14:05:13 -0600[diff] [blame]139 !GetAndValidatePadding(begin_params, key, &padding, error) ||
140 !(rsa = GetRsaKey(key, error)))
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]141 return NULL;
142
Shawn Willden567a4a02014-12-31 12:14:46 -0700[diff] [blame]143 Operation* op = InstantiateOperation(digest, padding, rsa);
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]144 if (!op)
145 *error = KM_ERROR_MEMORY_ALLOCATION_FAILED;
146 return op;
147}
148
149static const keymaster_padding_t supported_crypt_padding[] = {KM_PAD_RSA_OAEP,
150 KM_PAD_RSA_PKCS1_1_5_ENCRYPT};
151
152/**
153 * Abstract base for en/de-crypting RSA operation factories. This class does most of the work of
154 * creating such operations, delegating only the actual operation instantiation.
155 */
156class RsaCryptingOperationFactory : public RsaOperationFactory {
157 public:
Shawn Willden3ed6d062015-04-15 13:39:38 -0600[diff] [blame]158 virtual Operation* CreateOperation(const Key& key, const AuthorizationSet& begin_params,
159 keymaster_error_t* error);
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]160
161 virtual const keymaster_padding_t* SupportedPaddingModes(size_t* padding_mode_count) const {
162 *padding_mode_count = array_length(supported_crypt_padding);
163 return supported_crypt_padding;
164 }
165
166 virtual const keymaster_digest_t* SupportedDigests(size_t* digest_count) const {
167 *digest_count = 0;
168 return NULL;
169 }
170
171 private:
Shawn Willden567a4a02014-12-31 12:14:46 -0700[diff] [blame]172 virtual Operation* InstantiateOperation(keymaster_padding_t padding, RSA* key) = 0;
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]173};
174
Shawn Willden3ed6d062015-04-15 13:39:38 -0600[diff] [blame]175Operation* RsaCryptingOperationFactory::CreateOperation(const Key& key,
Shawn Willden3ad5f052015-05-08 14:05:13 -0600[diff] [blame]176 const AuthorizationSet& begin_params,
Shawn Willden3ed6d062015-04-15 13:39:38 -0600[diff] [blame]177 keymaster_error_t* error) {
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]178 keymaster_padding_t padding;
179 RSA* rsa;
Shawn Willden3ad5f052015-05-08 14:05:13 -0600[diff] [blame]180 if (!GetAndValidatePadding(begin_params, key, &padding, error) ||
181 !(rsa = GetRsaKey(key, error)))
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]182 return NULL;
183
Shawn Willden567a4a02014-12-31 12:14:46 -0700[diff] [blame]184 Operation* op = InstantiateOperation(padding, rsa);
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]185 if (!op)
186 *error = KM_ERROR_MEMORY_ALLOCATION_FAILED;
187 return op;
188}
189
190/**
191 * Concrete factory for RSA signing operations.
192 */
193class RsaSigningOperationFactory : public RsaDigestingOperationFactory {
194 public:
195 virtual keymaster_purpose_t purpose() const { return KM_PURPOSE_SIGN; }
Shawn Willden567a4a02014-12-31 12:14:46 -0700[diff] [blame]196 virtual Operation* InstantiateOperation(keymaster_digest_t digest, keymaster_padding_t padding,
197 RSA* key) {
198 return new RsaSignOperation(digest, padding, key);
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]199 }
200};
201static OperationFactoryRegistry::Registration<RsaSigningOperationFactory> sign_registration;
202
203/**
204 * Concrete factory for RSA signing operations.
205 */
206class RsaVerificationOperationFactory : public RsaDigestingOperationFactory {
207 virtual keymaster_purpose_t purpose() const { return KM_PURPOSE_VERIFY; }
Shawn Willden567a4a02014-12-31 12:14:46 -0700[diff] [blame]208 virtual Operation* InstantiateOperation(keymaster_digest_t digest, keymaster_padding_t padding,
209 RSA* key) {
210 return new RsaVerifyOperation(digest, padding, key);
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]211 }
212};
213static OperationFactoryRegistry::Registration<RsaVerificationOperationFactory> verify_registration;
214
215/**
216 * Concrete factory for RSA signing operations.
217 */
218class RsaEncryptionOperationFactory : public RsaCryptingOperationFactory {
219 virtual keymaster_purpose_t purpose() const { return KM_PURPOSE_ENCRYPT; }
Shawn Willden567a4a02014-12-31 12:14:46 -0700[diff] [blame]220 virtual Operation* InstantiateOperation(keymaster_padding_t padding, RSA* key) {
221 return new RsaEncryptOperation(padding, key);
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]222 }
223};
224static OperationFactoryRegistry::Registration<RsaEncryptionOperationFactory> encrypt_registration;
225
226/**
227 * Concrete factory for RSA signing operations.
228 */
229class RsaDecryptionOperationFactory : public RsaCryptingOperationFactory {
230 virtual keymaster_purpose_t purpose() const { return KM_PURPOSE_DECRYPT; }
Shawn Willden567a4a02014-12-31 12:14:46 -0700[diff] [blame]231 virtual Operation* InstantiateOperation(keymaster_padding_t padding, RSA* key) {
232 return new RsaDecryptOperation(padding, key);
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]233 }
234};
235
236static OperationFactoryRegistry::Registration<RsaDecryptionOperationFactory> decrypt_registration;
237
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]238RsaOperation::~RsaOperation() {
239 if (rsa_key_ != NULL)
240 RSA_free(rsa_key_);
241}
242
Shawn Willden6bfbff02015-02-06 19:48:24 -0700[diff] [blame]243keymaster_error_t RsaOperation::Update(const AuthorizationSet& /* additional_params */,
244 const Buffer& input, Buffer* /* output */,
Shawn Willdenb7361132014-12-08 08:15:14 -0700[diff] [blame]245 size_t* input_consumed) {
246 assert(input_consumed);
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]247 switch (purpose()) {
248 default:
249 return KM_ERROR_UNIMPLEMENTED;
250 case KM_PURPOSE_SIGN:
251 case KM_PURPOSE_VERIFY:
Shawn Willden4200f212014-12-02 07:01:21 -0700[diff] [blame]252 case KM_PURPOSE_ENCRYPT:
253 case KM_PURPOSE_DECRYPT:
Shawn Willdenb7361132014-12-08 08:15:14 -0700[diff] [blame]254 return StoreData(input, input_consumed);
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]255 }
256}
257
Shawn Willdenb7361132014-12-08 08:15:14 -0700[diff] [blame]258keymaster_error_t RsaOperation::StoreData(const Buffer& input, size_t* input_consumed) {
259 assert(input_consumed);
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]260 if (!data_.reserve(data_.available_read() + input.available_read()) ||
261 !data_.write(input.peek_read(), input.available_read()))
262 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
Shawn Willdenb7361132014-12-08 08:15:14 -0700[diff] [blame]263 *input_consumed = input.available_read();
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]264 return KM_ERROR_OK;
265}
266
Shawn Willden61902362014-12-18 10:33:24 -0700[diff] [blame]267RsaDigestingOperation::RsaDigestingOperation(keymaster_purpose_t purpose, keymaster_digest_t digest,
268 keymaster_padding_t padding, RSA* key)
269 : RsaOperation(purpose, padding, key), digest_(digest), digest_algorithm_(NULL) {
270 EVP_MD_CTX_init(&digest_ctx_);
271}
272RsaDigestingOperation::~RsaDigestingOperation() {
273 EVP_MD_CTX_cleanup(&digest_ctx_);
Shawn Willdenf90f2352014-12-18 23:01:15 -0700[diff] [blame]274 memset_s(digest_buf_, 0, sizeof(digest_buf_));
Shawn Willden61902362014-12-18 10:33:24 -0700[diff] [blame]275}
276
277keymaster_error_t RsaDigestingOperation::Begin(const AuthorizationSet& /* input_params */,
278 AuthorizationSet* /* output_params */) {
Shawn Willdenf90f2352014-12-18 23:01:15 -0700[diff] [blame]279 if (require_digest() && digest_ == KM_DIGEST_NONE)
280 return KM_ERROR_INCOMPATIBLE_DIGEST;
281 return InitDigest();
282}
Shawn Willden61902362014-12-18 10:33:24 -0700[diff] [blame]283
Shawn Willdenf90f2352014-12-18 23:01:15 -0700[diff] [blame]284keymaster_error_t RsaDigestingOperation::Update(const AuthorizationSet& additional_params,
285 const Buffer& input, Buffer* output,
286 size_t* input_consumed) {
287 if (digest_ == KM_DIGEST_NONE)
288 return RsaOperation::Update(additional_params, input, output, input_consumed);
289 else
290 return UpdateDigest(input, input_consumed);
291}
292
293keymaster_error_t RsaDigestingOperation::InitDigest() {
Shawn Willden61902362014-12-18 10:33:24 -0700[diff] [blame]294 switch (digest_) {
Shawn Willdenf90f2352014-12-18 23:01:15 -0700[diff] [blame]295 case KM_DIGEST_NONE:
296 return KM_ERROR_OK;
Shawn Willden61902362014-12-18 10:33:24 -0700[diff] [blame]297 case KM_DIGEST_SHA_2_256:
298 digest_algorithm_ = EVP_sha256();
299 break;
300 default:
301 return KM_ERROR_UNSUPPORTED_DIGEST;
302 }
303
304 if (!EVP_DigestInit_ex(&digest_ctx_, digest_algorithm_, NULL /* engine */)) {
305 int err = ERR_get_error();
306 LOG_E("Failed to initialize digest: %d %s", err, ERR_error_string(err, NULL));
307 return KM_ERROR_UNKNOWN_ERROR;
308 }
Shawn Willden61902362014-12-18 10:33:24 -0700[diff] [blame]309 return KM_ERROR_OK;
310}
311
Shawn Willdenf90f2352014-12-18 23:01:15 -0700[diff] [blame]312keymaster_error_t RsaDigestingOperation::UpdateDigest(const Buffer& input, size_t* input_consumed) {
Shawn Willden61902362014-12-18 10:33:24 -0700[diff] [blame]313 if (!EVP_DigestUpdate(&digest_ctx_, input.peek_read(), input.available_read())) {
314 int err = ERR_get_error();
315 LOG_E("Failed to update digest: %d %s", err, ERR_error_string(err, NULL));
316 return KM_ERROR_UNKNOWN_ERROR;
317 }
318 *input_consumed = input.available_read();
319 return KM_ERROR_OK;
320}
321
Shawn Willdenf90f2352014-12-18 23:01:15 -0700[diff] [blame]322keymaster_error_t RsaDigestingOperation::FinishDigest(unsigned* digest_size) {
Shawn Willden61902362014-12-18 10:33:24 -0700[diff] [blame]323 assert(digest_algorithm_ != NULL);
Shawn Willdenf90f2352014-12-18 23:01:15 -0700[diff] [blame]324 if (!EVP_DigestFinal_ex(&digest_ctx_, digest_buf_, digest_size)) {
Shawn Willden61902362014-12-18 10:33:24 -0700[diff] [blame]325 int err = ERR_get_error();
326 LOG_E("Failed to finalize digest: %d %s", err, ERR_error_string(err, NULL));
Shawn Willdenf90f2352014-12-18 23:01:15 -0700[diff] [blame]327 return KM_ERROR_UNKNOWN_ERROR;
Shawn Willden61902362014-12-18 10:33:24 -0700[diff] [blame]328 }
329 assert(*digest_size == static_cast<unsigned>(EVP_MD_size(digest_algorithm_)));
Shawn Willdenf90f2352014-12-18 23:01:15 -0700[diff] [blame]330 return KM_ERROR_OK;
Shawn Willden61902362014-12-18 10:33:24 -0700[diff] [blame]331}
332
Shawn Willden6bfbff02015-02-06 19:48:24 -0700[diff] [blame]333keymaster_error_t RsaSignOperation::Finish(const AuthorizationSet& /* additional_params */,
334 const Buffer& /* signature */, Buffer* output) {
Shawn Willdenb7361132014-12-08 08:15:14 -0700[diff] [blame]335 assert(output);
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]336 output->Reinitialize(RSA_size(rsa_key_));
Shawn Willdenf90f2352014-12-18 23:01:15 -0700[diff] [blame]337 if (digest_ == KM_DIGEST_NONE)
338 return SignUndigested(output);
339 else
340 return SignDigested(output);
341}
Shawn Willden61902362014-12-18 10:33:24 -0700[diff] [blame]342
Shawn Willdenf90f2352014-12-18 23:01:15 -0700[diff] [blame]343keymaster_error_t RsaSignOperation::SignUndigested(Buffer* output) {
344 int bytes_encrypted;
345 switch (padding_) {
346 case KM_PAD_NONE:
347 bytes_encrypted = RSA_private_encrypt(data_.available_read(), data_.peek_read(),
348 output->peek_write(), rsa_key_, RSA_NO_PADDING);
349 break;
350 case KM_PAD_RSA_PKCS1_1_5_SIGN:
351 bytes_encrypted = RSA_private_encrypt(data_.available_read(), data_.peek_read(),
352 output->peek_write(), rsa_key_, RSA_PKCS1_PADDING);
353 break;
354 default:
355 return KM_ERROR_UNSUPPORTED_PADDING_MODE;
356 }
Shawn Willden61902362014-12-18 10:33:24 -0700[diff] [blame]357
Shawn Willdenf90f2352014-12-18 23:01:15 -0700[diff] [blame]358 if (bytes_encrypted <= 0)
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]359 return KM_ERROR_UNKNOWN_ERROR;
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]360 output->advance_write(bytes_encrypted);
361 return KM_ERROR_OK;
362}
363
Shawn Willdenf90f2352014-12-18 23:01:15 -0700[diff] [blame]364keymaster_error_t RsaSignOperation::SignDigested(Buffer* output) {
365 unsigned digest_size = 0;
366 keymaster_error_t error = FinishDigest(&digest_size);
367 if (error != KM_ERROR_OK)
368 return error;
369
370 UniquePtr<uint8_t[]> padded_digest;
371 switch (padding_) {
372 case KM_PAD_NONE:
Shawn Willden3ad5f052015-05-08 14:05:13 -0600[diff] [blame]373 LOG_E("Digesting requires padding", 0);
374 return KM_ERROR_INCOMPATIBLE_PADDING_MODE;
Shawn Willdenf90f2352014-12-18 23:01:15 -0700[diff] [blame]375 case KM_PAD_RSA_PKCS1_1_5_SIGN:
376 return PrivateEncrypt(digest_buf_, digest_size, RSA_PKCS1_PADDING, output);
377 case KM_PAD_RSA_PSS:
378 // OpenSSL doesn't verify that the key is large enough for the digest size. This can cause
379 // a segfault in some cases, and in others can result in a unsafely-small salt.
Shawn Willden3ad5f052015-05-08 14:05:13 -0600[diff] [blame]380 if ((unsigned)RSA_size(rsa_key_) < MIN_PSS_SALT_LEN + digest_size) {
381 LOG_E("%d-byte too small for PSS padding and %d-byte digest", RSA_size(rsa_key_),
382 digest_size);
Shawn Willden2c242002015-02-27 07:01:02 -0700[diff] [blame]383 // TODO(swillden): Add a better return code for this.
Shawn Willdenf90f2352014-12-18 23:01:15 -0700[diff] [blame]384 return KM_ERROR_INCOMPATIBLE_DIGEST;
Shawn Willden3ad5f052015-05-08 14:05:13 -0600[diff] [blame]385 }
Shawn Willdenf90f2352014-12-18 23:01:15 -0700[diff] [blame]386
387 if ((error = PssPadDigest(&padded_digest)) != KM_ERROR_OK)
388 return error;
389 return PrivateEncrypt(padded_digest.get(), RSA_size(rsa_key_), RSA_NO_PADDING, output);
390 default:
391 return KM_ERROR_UNSUPPORTED_PADDING_MODE;
392 }
Shawn Willden61902362014-12-18 10:33:24 -0700[diff] [blame]393}
394
Shawn Willdenf90f2352014-12-18 23:01:15 -0700[diff] [blame]395keymaster_error_t RsaSignOperation::PssPadDigest(UniquePtr<uint8_t[]>* padded_digest) {
396 padded_digest->reset(new uint8_t[RSA_size(rsa_key_)]);
397 if (!padded_digest->get())
398 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
399
Adam Langleyadb0f332015-03-05 19:57:29 -0800[diff] [blame]400 if (!RSA_padding_add_PKCS1_PSS_mgf1(rsa_key_, padded_digest->get(), digest_buf_,
401 digest_algorithm_, NULL,
402 -2 /* Indicates maximum salt length */)) {
Shawn Willdenf90f2352014-12-18 23:01:15 -0700[diff] [blame]403 LOG_E("%s", "Failed to apply PSS padding");
Shawn Willden61902362014-12-18 10:33:24 -0700[diff] [blame]404 return KM_ERROR_UNKNOWN_ERROR;
Shawn Willdenf90f2352014-12-18 23:01:15 -0700[diff] [blame]405 }
406 return KM_ERROR_OK;
407}
408
409keymaster_error_t RsaSignOperation::PrivateEncrypt(uint8_t* to_encrypt, size_t len,
410 int openssl_padding, Buffer* output) {
411 int bytes_encrypted =
412 RSA_private_encrypt(len, to_encrypt, output->peek_write(), rsa_key_, openssl_padding);
413 if (bytes_encrypted <= 0)
414 return KM_ERROR_UNKNOWN_ERROR;
415 output->advance_write(bytes_encrypted);
416 return KM_ERROR_OK;
Shawn Willden61902362014-12-18 10:33:24 -0700[diff] [blame]417}
418
Shawn Willden6bfbff02015-02-06 19:48:24 -0700[diff] [blame]419keymaster_error_t RsaVerifyOperation::Finish(const AuthorizationSet& /* additional_params */,
420 const Buffer& signature, Buffer* /* output */) {
Shawn Willdenf90f2352014-12-18 23:01:15 -0700[diff] [blame]421 if (digest_ == KM_DIGEST_NONE)
422 return VerifyUndigested(signature);
423 else
424 return VerifyDigested(signature);
Shawn Willden61902362014-12-18 10:33:24 -0700[diff] [blame]425}
426
Shawn Willdenf90f2352014-12-18 23:01:15 -0700[diff] [blame]427keymaster_error_t RsaVerifyOperation::VerifyUndigested(const Buffer& signature) {
428 return DecryptAndMatch(signature, data_.peek_read(), data_.available_read());
Shawn Willden61902362014-12-18 10:33:24 -0700[diff] [blame]429}
430
Shawn Willdenf90f2352014-12-18 23:01:15 -0700[diff] [blame]431keymaster_error_t RsaVerifyOperation::VerifyDigested(const Buffer& signature) {
Shawn Willden61902362014-12-18 10:33:24 -0700[diff] [blame]432 unsigned digest_size = 0;
Shawn Willdenf90f2352014-12-18 23:01:15 -0700[diff] [blame]433 keymaster_error_t error = FinishDigest(&digest_size);
434 if (error != KM_ERROR_OK)
435 return error;
436 return DecryptAndMatch(signature, digest_buf_, digest_size);
437}
Shawn Willden61902362014-12-18 10:33:24 -0700[diff] [blame]438
Shawn Willdenf90f2352014-12-18 23:01:15 -0700[diff] [blame]439keymaster_error_t RsaVerifyOperation::DecryptAndMatch(const Buffer& signature,
440 const uint8_t* to_match, size_t len) {
441#ifdef OPENSSL_IS_BORINGSSL
442 size_t key_len = RSA_size(rsa_key_);
443#else
444 size_t key_len = (size_t)RSA_size(rsa_key_);
445#endif
446
447 int openssl_padding;
448 switch (padding_) {
449 case KM_PAD_NONE:
450 if (len != key_len)
451 return KM_ERROR_INVALID_INPUT_LENGTH;
452 if (len != signature.available_read())
453 return KM_ERROR_VERIFICATION_FAILED;
454 openssl_padding = RSA_NO_PADDING;
455 break;
456 case KM_PAD_RSA_PSS: // Do a raw decrypt for PSS
457 openssl_padding = RSA_NO_PADDING;
458 break;
459 case KM_PAD_RSA_PKCS1_1_5_SIGN:
460 openssl_padding = RSA_PKCS1_PADDING;
461 break;
462 default:
463 return KM_ERROR_UNSUPPORTED_PADDING_MODE;
464 }
465
466 UniquePtr<uint8_t[]> decrypted_data(new uint8_t[key_len]);
467 int bytes_decrypted = RSA_public_decrypt(signature.available_read(), signature.peek_read(),
468 decrypted_data.get(), rsa_key_, openssl_padding);
469 if (bytes_decrypted < 0)
470 return KM_ERROR_VERIFICATION_FAILED;
471
472 if (padding_ == KM_PAD_RSA_PSS &&
Adam Langleyadb0f332015-03-05 19:57:29 -0800[diff] [blame]473 RSA_verify_PKCS1_PSS_mgf1(rsa_key_, to_match, digest_algorithm_, NULL, decrypted_data.get(),
474 -2 /* salt length recovered from signature */))
Shawn Willdenf90f2352014-12-18 23:01:15 -0700[diff] [blame]475 return KM_ERROR_OK;
Shawn Willden197d9af2015-05-09 12:48:16 +0000[diff] [blame]476 else if (padding_ != KM_PAD_RSA_PSS && memcmp_s(decrypted_data.get(), to_match, len) == 0)
Shawn Willden61902362014-12-18 10:33:24 -0700[diff] [blame]477 return KM_ERROR_OK;
478
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]479 return KM_ERROR_VERIFICATION_FAILED;
480}
481
Shawn Willden7bae1322015-05-26 10:16:49 -0600[diff] [blame]482const int OAEP_PADDING_OVERHEAD = 42;
Shawn Willden4200f212014-12-02 07:01:21 -0700[diff] [blame]483const int PKCS1_PADDING_OVERHEAD = 11;
484
Shawn Willden6bfbff02015-02-06 19:48:24 -0700[diff] [blame]485keymaster_error_t RsaEncryptOperation::Finish(const AuthorizationSet& /* additional_params */,
486 const Buffer& /* signature */, Buffer* output) {
Shawn Willdenb7361132014-12-08 08:15:14 -0700[diff] [blame]487 assert(output);
Shawn Willden4200f212014-12-02 07:01:21 -0700[diff] [blame]488 int openssl_padding;
489
490#if defined(OPENSSL_IS_BORINGSSL)
Shawn Willdenf90f2352014-12-18 23:01:15 -0700[diff] [blame]491 size_t key_len = RSA_size(rsa_key_);
Shawn Willden4200f212014-12-02 07:01:21 -0700[diff] [blame]492#else
Shawn Willdenf90f2352014-12-18 23:01:15 -0700[diff] [blame]493 size_t key_len = (size_t)RSA_size(rsa_key_);
Shawn Willden4200f212014-12-02 07:01:21 -0700[diff] [blame]494#endif
495
Shawn Willdenf90f2352014-12-18 23:01:15 -0700[diff] [blame]496 size_t message_size = data_.available_read();
Shawn Willden4200f212014-12-02 07:01:21 -0700[diff] [blame]497 switch (padding_) {
498 case KM_PAD_RSA_OAEP:
499 openssl_padding = RSA_PKCS1_OAEP_PADDING;
Shawn Willden7bae1322015-05-26 10:16:49 -0600[diff] [blame]500 if (message_size + OAEP_PADDING_OVERHEAD > key_len) {
Shawn Willden567a4a02014-12-31 12:14:46 -0700[diff] [blame]501 LOG_E("Cannot encrypt %d bytes with %d-byte key and OAEP padding",
Shawn Willdenf90f2352014-12-18 23:01:15 -0700[diff] [blame]502 data_.available_read(), key_len);
Shawn Willden4200f212014-12-02 07:01:21 -0700[diff] [blame]503 return KM_ERROR_INVALID_INPUT_LENGTH;
504 }
505 break;
506 case KM_PAD_RSA_PKCS1_1_5_ENCRYPT:
507 openssl_padding = RSA_PKCS1_PADDING;
Shawn Willden7bae1322015-05-26 10:16:49 -0600[diff] [blame]508 if (message_size + PKCS1_PADDING_OVERHEAD > key_len) {
Shawn Willden567a4a02014-12-31 12:14:46 -0700[diff] [blame]509 LOG_E("Cannot encrypt %d bytes with %d-byte key and PKCS1 padding",
Shawn Willdenf90f2352014-12-18 23:01:15 -0700[diff] [blame]510 data_.available_read(), key_len);
Shawn Willden4200f212014-12-02 07:01:21 -0700[diff] [blame]511 return KM_ERROR_INVALID_INPUT_LENGTH;
512 }
513 break;
514 default:
Shawn Willden567a4a02014-12-31 12:14:46 -0700[diff] [blame]515 LOG_E("Padding mode %d not supported", padding_);
Shawn Willden4200f212014-12-02 07:01:21 -0700[diff] [blame]516 return KM_ERROR_UNSUPPORTED_PADDING_MODE;
517 }
518
519 output->Reinitialize(RSA_size(rsa_key_));
520 int bytes_encrypted = RSA_public_encrypt(data_.available_read(), data_.peek_read(),
521 output->peek_write(), rsa_key_, openssl_padding);
522
523 if (bytes_encrypted < 0) {
Shawn Willden567a4a02014-12-31 12:14:46 -0700[diff] [blame]524 LOG_E("Error %d encrypting data with RSA", ERR_get_error());
Shawn Willden4200f212014-12-02 07:01:21 -0700[diff] [blame]525 return KM_ERROR_UNKNOWN_ERROR;
526 }
Shawn Willden67380a92015-05-13 12:07:50 -0600[diff] [blame]527 assert(bytes_encrypted == (int)RSA_size(rsa_key_));
Shawn Willden4200f212014-12-02 07:01:21 -0700[diff] [blame]528 output->advance_write(bytes_encrypted);
529
530 return KM_ERROR_OK;
531}
532
Shawn Willden6bfbff02015-02-06 19:48:24 -0700[diff] [blame]533keymaster_error_t RsaDecryptOperation::Finish(const AuthorizationSet& /* additional_params */,
534 const Buffer& /* signature */, Buffer* output) {
Shawn Willdenb7361132014-12-08 08:15:14 -0700[diff] [blame]535 assert(output);
Shawn Willden4200f212014-12-02 07:01:21 -0700[diff] [blame]536 int openssl_padding;
537 switch (padding_) {
538 case KM_PAD_RSA_OAEP:
539 openssl_padding = RSA_PKCS1_OAEP_PADDING;
540 break;
541 case KM_PAD_RSA_PKCS1_1_5_ENCRYPT:
542 openssl_padding = RSA_PKCS1_PADDING;
543 break;
544 default:
Shawn Willden567a4a02014-12-31 12:14:46 -0700[diff] [blame]545 LOG_E("Padding mode %d not supported", padding_);
Shawn Willden4200f212014-12-02 07:01:21 -0700[diff] [blame]546 return KM_ERROR_UNSUPPORTED_PADDING_MODE;
547 }
548
549 output->Reinitialize(RSA_size(rsa_key_));
550 int bytes_decrypted = RSA_private_decrypt(data_.available_read(), data_.peek_read(),
551 output->peek_write(), rsa_key_, openssl_padding);
552
553 if (bytes_decrypted < 0) {
Shawn Willden567a4a02014-12-31 12:14:46 -0700[diff] [blame]554 LOG_E("Error %d decrypting data with RSA", ERR_get_error());
Shawn Willden4200f212014-12-02 07:01:21 -0700[diff] [blame]555 return KM_ERROR_UNKNOWN_ERROR;
556 }
557 output->advance_write(bytes_decrypted);
558
559 return KM_ERROR_OK;
560}
561
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]562} // namespace keymaster