Gitiles
Code Review Sign In
gerrit.openfyde.cn / android.googlesource.com / platform / system / keymaster / 63ac043f81f8e2a15bbadcb6628b92096295ab6a / . / rsa_operation.cpp
blob: 27394a6529c9a936ec2004ade28eb6dba68e637d [file] [log] [blame]
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]1/*
2 * Copyright 2014 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame^]17#include "rsa_operation.h"
18
Shawn Willden4200f212014-12-02 07:01:21 -0700[diff] [blame]19#include <limits.h>
20
21#include <openssl/err.h>
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]22
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]23#include "openssl_utils.h"
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame^]24#include "rsa_key.h"
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]25
26namespace keymaster {
27
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame^]28/**
29 * Abstract base for all RSA operation factories. This class exists mainly to centralize some code
30 * common to all RSA operation factories.
31 */
32class RsaOperationFactory : public OperationFactory {
33 public:
34 virtual KeyType registry_key() const { return KeyType(KM_ALGORITHM_RSA, purpose()); }
35 virtual keymaster_purpose_t purpose() const = 0;
36
37 protected:
38 bool GetAndValidatePadding(const Key& key, keymaster_padding_t* padding,
39 keymaster_error_t* error) const;
40 bool GetAndValidateDigest(const Key& key, keymaster_digest_t* digest,
41 keymaster_error_t* error) const;
42 static RSA* GetRsaKey(const Key& key, keymaster_error_t* error);
43};
44
45bool RsaOperationFactory::GetAndValidatePadding(const Key& key, keymaster_padding_t* padding,
46 keymaster_error_t* error) const {
47 *error = KM_ERROR_UNSUPPORTED_PADDING_MODE;
48 if (!key.authorizations().GetTagValue(TAG_PADDING, padding))
49 return false;
50
51 size_t padding_count;
52 const keymaster_padding_t* supported_paddings = SupportedPaddingModes(&padding_count);
53 for (size_t i = 0; i < padding_count; ++i) {
54 if (*padding == supported_paddings[i]) {
55 *error = KM_ERROR_OK;
56 return true;
57 }
58 }
59 return false;
60}
61
62bool RsaOperationFactory::GetAndValidateDigest(const Key& key, keymaster_digest_t* digest,
63 keymaster_error_t* error) const {
64 *error = KM_ERROR_UNSUPPORTED_DIGEST;
65 if (!key.authorizations().GetTagValue(TAG_DIGEST, digest))
66 return false;
67
68 size_t digest_count;
69 const keymaster_digest_t* supported_digests = SupportedDigests(&digest_count);
70 for (size_t i = 0; i < digest_count; ++i) {
71 if (*digest == supported_digests[i]) {
72 *error = KM_ERROR_OK;
73 return true;
74 }
75 }
76 return false;
77}
78
79/* static */
80RSA* RsaOperationFactory::GetRsaKey(const Key& key, keymaster_error_t* error) {
81 const RsaKey* rsa_key = static_cast<const RsaKey*>(&key);
82 assert(rsa_key);
83 if (!rsa_key || !rsa_key->key()) {
84 *error = KM_ERROR_UNKNOWN_ERROR;
85 return NULL;
86 }
87 return RSAPrivateKey_dup(rsa_key->key());
88}
89
90static const keymaster_digest_t supported_digests[] = {KM_DIGEST_NONE};
91static const keymaster_padding_t supported_sig_padding[] = {KM_PAD_NONE};
92
93/**
94 * Abstract base for RSA operations that digest their input (signing and verification). This class
95 * does most of the work of creation of RSA digesting operations, delegating only the actual
96 * operation instantiation.
97 */
98class RsaDigestingOperationFactory : public RsaOperationFactory {
99 public:
100 virtual Operation* CreateOperation(const Key& key, const Logger& logger,
101 keymaster_error_t* error);
102
103 virtual const keymaster_digest_t* SupportedDigests(size_t* digest_count) const {
104 *digest_count = array_length(supported_digests);
105 return supported_digests;
106 }
107
108 virtual const keymaster_padding_t* SupportedPaddingModes(size_t* padding_mode_count) const {
109 *padding_mode_count = array_length(supported_sig_padding);
110 return supported_sig_padding;
111 }
112
113 private:
114 virtual Operation* InstantiateOperation(const Logger& logger, keymaster_digest_t digest,
115 keymaster_padding_t padding, RSA* key) = 0;
116};
117
118Operation* RsaDigestingOperationFactory::CreateOperation(const Key& key, const Logger& logger,
119 keymaster_error_t* error) {
120 keymaster_padding_t padding;
121 keymaster_digest_t digest;
122 RSA* rsa;
123 if (!GetAndValidateDigest(key, &digest, error) ||
124 !GetAndValidatePadding(key, &padding, error) || !(rsa = GetRsaKey(key, error)))
125 return NULL;
126
127 Operation* op = InstantiateOperation(logger, digest, padding, rsa);
128 if (!op)
129 *error = KM_ERROR_MEMORY_ALLOCATION_FAILED;
130 return op;
131}
132
133static const keymaster_padding_t supported_crypt_padding[] = {KM_PAD_RSA_OAEP,
134 KM_PAD_RSA_PKCS1_1_5_ENCRYPT};
135
136/**
137 * Abstract base for en/de-crypting RSA operation factories. This class does most of the work of
138 * creating such operations, delegating only the actual operation instantiation.
139 */
140class RsaCryptingOperationFactory : public RsaOperationFactory {
141 public:
142 virtual Operation* CreateOperation(const Key& key, const Logger& logger,
143 keymaster_error_t* error);
144
145 virtual const keymaster_padding_t* SupportedPaddingModes(size_t* padding_mode_count) const {
146 *padding_mode_count = array_length(supported_crypt_padding);
147 return supported_crypt_padding;
148 }
149
150 virtual const keymaster_digest_t* SupportedDigests(size_t* digest_count) const {
151 *digest_count = 0;
152 return NULL;
153 }
154
155 private:
156 virtual Operation* InstantiateOperation(const Logger& logger, keymaster_padding_t padding,
157 RSA* key) = 0;
158};
159
160Operation* RsaCryptingOperationFactory::CreateOperation(const Key& key, const Logger& logger,
161 keymaster_error_t* error) {
162 keymaster_padding_t padding;
163 RSA* rsa;
164 if (!GetAndValidatePadding(key, &padding, error) || !(rsa = GetRsaKey(key, error)))
165 return NULL;
166
167 Operation* op = InstantiateOperation(logger, padding, rsa);
168 if (!op)
169 *error = KM_ERROR_MEMORY_ALLOCATION_FAILED;
170 return op;
171}
172
173/**
174 * Concrete factory for RSA signing operations.
175 */
176class RsaSigningOperationFactory : public RsaDigestingOperationFactory {
177 public:
178 virtual keymaster_purpose_t purpose() const { return KM_PURPOSE_SIGN; }
179 virtual Operation* InstantiateOperation(const Logger& logger, keymaster_digest_t digest,
180 keymaster_padding_t padding, RSA* key) {
181 return new RsaSignOperation(logger, digest, padding, key);
182 }
183};
184static OperationFactoryRegistry::Registration<RsaSigningOperationFactory> sign_registration;
185
186/**
187 * Concrete factory for RSA signing operations.
188 */
189class RsaVerificationOperationFactory : public RsaDigestingOperationFactory {
190 virtual keymaster_purpose_t purpose() const { return KM_PURPOSE_VERIFY; }
191 virtual Operation* InstantiateOperation(const Logger& logger, keymaster_digest_t digest,
192 keymaster_padding_t padding, RSA* key) {
193 return new RsaVerifyOperation(logger, digest, padding, key);
194 }
195};
196static OperationFactoryRegistry::Registration<RsaVerificationOperationFactory> verify_registration;
197
198/**
199 * Concrete factory for RSA signing operations.
200 */
201class RsaEncryptionOperationFactory : public RsaCryptingOperationFactory {
202 virtual keymaster_purpose_t purpose() const { return KM_PURPOSE_ENCRYPT; }
203 virtual Operation* InstantiateOperation(const Logger& logger, keymaster_padding_t padding,
204 RSA* key) {
205 return new RsaEncryptOperation(logger, padding, key);
206 }
207};
208static OperationFactoryRegistry::Registration<RsaEncryptionOperationFactory> encrypt_registration;
209
210/**
211 * Concrete factory for RSA signing operations.
212 */
213class RsaDecryptionOperationFactory : public RsaCryptingOperationFactory {
214 virtual keymaster_purpose_t purpose() const { return KM_PURPOSE_DECRYPT; }
215 virtual Operation* InstantiateOperation(const Logger& logger, keymaster_padding_t padding,
216 RSA* key) {
217 return new RsaDecryptOperation(logger, padding, key);
218 }
219};
220
221static OperationFactoryRegistry::Registration<RsaDecryptionOperationFactory> decrypt_registration;
222
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]223struct RSA_Delete {
224 void operator()(RSA* p) const { RSA_free(p); }
225};
226
227RsaOperation::~RsaOperation() {
228 if (rsa_key_ != NULL)
229 RSA_free(rsa_key_);
230}
231
Shawn Willden6bfbff02015-02-06 19:48:24 -0700[diff] [blame]232keymaster_error_t RsaOperation::Update(const AuthorizationSet& /* additional_params */,
233 const Buffer& input, Buffer* /* output */,
Shawn Willdenb7361132014-12-08 08:15:14 -0700[diff] [blame]234 size_t* input_consumed) {
235 assert(input_consumed);
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]236 switch (purpose()) {
237 default:
238 return KM_ERROR_UNIMPLEMENTED;
239 case KM_PURPOSE_SIGN:
240 case KM_PURPOSE_VERIFY:
Shawn Willden4200f212014-12-02 07:01:21 -0700[diff] [blame]241 case KM_PURPOSE_ENCRYPT:
242 case KM_PURPOSE_DECRYPT:
Shawn Willdenb7361132014-12-08 08:15:14 -0700[diff] [blame]243 return StoreData(input, input_consumed);
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]244 }
245}
246
Shawn Willdenb7361132014-12-08 08:15:14 -0700[diff] [blame]247keymaster_error_t RsaOperation::StoreData(const Buffer& input, size_t* input_consumed) {
248 assert(input_consumed);
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]249 if (!data_.reserve(data_.available_read() + input.available_read()) ||
250 !data_.write(input.peek_read(), input.available_read()))
251 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
Shawn Willdenb7361132014-12-08 08:15:14 -0700[diff] [blame]252 *input_consumed = input.available_read();
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]253 return KM_ERROR_OK;
254}
255
Shawn Willden6bfbff02015-02-06 19:48:24 -0700[diff] [blame]256keymaster_error_t RsaSignOperation::Finish(const AuthorizationSet& /* additional_params */,
257 const Buffer& /* signature */, Buffer* output) {
Shawn Willdenb7361132014-12-08 08:15:14 -0700[diff] [blame]258 assert(output);
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]259 output->Reinitialize(RSA_size(rsa_key_));
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]260 int bytes_encrypted = RSA_private_encrypt(data_.available_read(), data_.peek_read(),
261 output->peek_write(), rsa_key_, RSA_NO_PADDING);
262 if (bytes_encrypted < 0)
263 return KM_ERROR_UNKNOWN_ERROR;
264 assert(bytes_encrypted == RSA_size(rsa_key_));
265 output->advance_write(bytes_encrypted);
266 return KM_ERROR_OK;
267}
268
Shawn Willden6bfbff02015-02-06 19:48:24 -0700[diff] [blame]269keymaster_error_t RsaVerifyOperation::Finish(const AuthorizationSet& /* additional_params */,
270 const Buffer& signature, Buffer* /* output */) {
Adam Langleyf2aefdf2014-09-26 11:16:10 -0700[diff] [blame]271#if defined(OPENSSL_IS_BORINGSSL)
Shawn Willden4200f212014-12-02 07:01:21 -0700[diff] [blame]272 size_t message_size = data_.available_read();
Adam Langleyf2aefdf2014-09-26 11:16:10 -0700[diff] [blame]273#else
Shawn Willden4200f212014-12-02 07:01:21 -0700[diff] [blame]274 if (data_.available_read() > INT_MAX)
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]275 return KM_ERROR_INVALID_INPUT_LENGTH;
Shawn Willden4200f212014-12-02 07:01:21 -0700[diff] [blame]276 int message_size = (int)data_.available_read();
Adam Langleyf2aefdf2014-09-26 11:16:10 -0700[diff] [blame]277#endif
278
Shawn Willden4200f212014-12-02 07:01:21 -0700[diff] [blame]279 if (message_size != RSA_size(rsa_key_))
280 return KM_ERROR_INVALID_INPUT_LENGTH;
281
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]282 if (data_.available_read() != signature.available_read())
283 return KM_ERROR_VERIFICATION_FAILED;
284
285 UniquePtr<uint8_t[]> decrypted_data(new uint8_t[RSA_size(rsa_key_)]);
286 int bytes_decrypted = RSA_public_decrypt(signature.available_read(), signature.peek_read(),
287 decrypted_data.get(), rsa_key_, RSA_NO_PADDING);
288 if (bytes_decrypted < 0)
289 return KM_ERROR_UNKNOWN_ERROR;
290 assert(bytes_decrypted == RSA_size(rsa_key_));
291
292 if (memcmp_s(decrypted_data.get(), data_.peek_read(), data_.available_read()) == 0)
293 return KM_ERROR_OK;
294 return KM_ERROR_VERIFICATION_FAILED;
295}
296
Shawn Willden4200f212014-12-02 07:01:21 -0700[diff] [blame]297const int OAEP_PADDING_OVERHEAD = 41;
298const int PKCS1_PADDING_OVERHEAD = 11;
299
Shawn Willden6bfbff02015-02-06 19:48:24 -0700[diff] [blame]300keymaster_error_t RsaEncryptOperation::Finish(const AuthorizationSet& /* additional_params */,
301 const Buffer& /* signature */, Buffer* output) {
Shawn Willdenb7361132014-12-08 08:15:14 -0700[diff] [blame]302 assert(output);
Shawn Willden4200f212014-12-02 07:01:21 -0700[diff] [blame]303 int openssl_padding;
304
305#if defined(OPENSSL_IS_BORINGSSL)
306 size_t message_size = data_.available_read();
307#else
308 if (data_.available_read() > INT_MAX)
309 return KM_ERROR_INVALID_INPUT_LENGTH;
310 int message_size = (int)data_.available_read();
311#endif
312
313 switch (padding_) {
314 case KM_PAD_RSA_OAEP:
315 openssl_padding = RSA_PKCS1_OAEP_PADDING;
316 if (message_size >= RSA_size(rsa_key_) - OAEP_PADDING_OVERHEAD) {
317 logger().error("Cannot encrypt %d bytes with %d-byte key and OAEP padding",
318 data_.available_read(), RSA_size(rsa_key_));
319 return KM_ERROR_INVALID_INPUT_LENGTH;
320 }
321 break;
322 case KM_PAD_RSA_PKCS1_1_5_ENCRYPT:
323 openssl_padding = RSA_PKCS1_PADDING;
324 if (message_size >= RSA_size(rsa_key_) - PKCS1_PADDING_OVERHEAD) {
325 logger().error("Cannot encrypt %d bytes with %d-byte key and PKCS1 padding",
326 data_.available_read(), RSA_size(rsa_key_));
327 return KM_ERROR_INVALID_INPUT_LENGTH;
328 }
329 break;
330 default:
331 logger().error("Padding mode %d not supported", padding_);
332 return KM_ERROR_UNSUPPORTED_PADDING_MODE;
333 }
334
335 output->Reinitialize(RSA_size(rsa_key_));
336 int bytes_encrypted = RSA_public_encrypt(data_.available_read(), data_.peek_read(),
337 output->peek_write(), rsa_key_, openssl_padding);
338
339 if (bytes_encrypted < 0) {
340 logger().error("Error %d encrypting data with RSA", ERR_get_error());
341 return KM_ERROR_UNKNOWN_ERROR;
342 }
343 assert(bytes_encrypted == RSA_size(rsa_key_));
344 output->advance_write(bytes_encrypted);
345
346 return KM_ERROR_OK;
347}
348
Shawn Willden6bfbff02015-02-06 19:48:24 -0700[diff] [blame]349keymaster_error_t RsaDecryptOperation::Finish(const AuthorizationSet& /* additional_params */,
350 const Buffer& /* signature */, Buffer* output) {
Shawn Willdenb7361132014-12-08 08:15:14 -0700[diff] [blame]351 assert(output);
Shawn Willden4200f212014-12-02 07:01:21 -0700[diff] [blame]352 int openssl_padding;
353 switch (padding_) {
354 case KM_PAD_RSA_OAEP:
355 openssl_padding = RSA_PKCS1_OAEP_PADDING;
356 break;
357 case KM_PAD_RSA_PKCS1_1_5_ENCRYPT:
358 openssl_padding = RSA_PKCS1_PADDING;
359 break;
360 default:
361 logger().error("Padding mode %d not supported", padding_);
362 return KM_ERROR_UNSUPPORTED_PADDING_MODE;
363 }
364
365 output->Reinitialize(RSA_size(rsa_key_));
366 int bytes_decrypted = RSA_private_decrypt(data_.available_read(), data_.peek_read(),
367 output->peek_write(), rsa_key_, openssl_padding);
368
369 if (bytes_decrypted < 0) {
370 logger().error("Error %d decrypting data with RSA", ERR_get_error());
371 return KM_ERROR_UNKNOWN_ERROR;
372 }
373 output->advance_write(bytes_decrypted);
374
375 return KM_ERROR_OK;
376}
377
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]378} // namespace keymaster