Gitiles
Code Review Sign In
gerrit.openfyde.cn / android.googlesource.com / platform / system / keymaster / e5abbe5d3d4128be6771c80890dc5cd9b2a67a24 / . / keymaster0_engine.cpp
blob: 4ee5f9c45809055fb7347e038da6d42e4bbf0454 [file] [log] [blame]
Shawn Willdenac398062015-05-20 16:36:24 -0600[diff] [blame]1/*
2 * Copyright 2015 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#include "keymaster0_engine.h"
18
19#include <assert.h>
20
21#include <memory>
22
23#define LOG_TAG "Keymaster0Engine"
24#include <cutils/log.h>
25
26#include "keymaster/android_keymaster_utils.h"
27
28#include <openssl/ec_key.h>
29#include <openssl/ecdsa.h>
30
31#include "openssl_utils.h"
32
33using std::shared_ptr;
34using std::unique_ptr;
35
36namespace keymaster {
37
38// int Keymaster0Engine::rsa_index_ = -1;
39// int Keymaster0Engine::ec_key_index_ = -1;
40Keymaster0Engine* Keymaster0Engine::instance_ = nullptr;
41const RSA_METHOD Keymaster0Engine::rsa_method_ = {
Shawn Willden24bdfc22015-05-26 13:12:24 -0600[diff] [blame]42 .common =
43 {
44 0, // references
45 1 // is_static
46 },
Shawn Willdenac398062015-05-20 16:36:24 -0600[diff] [blame]47 .app_data = nullptr,
48 .init = nullptr,
49 .finish = nullptr,
50 .size = nullptr,
51 .sign = nullptr,
52 .verify = nullptr,
53
54 .encrypt = nullptr,
55 .sign_raw = nullptr,
56 .decrypt = nullptr,
57 .verify_raw = nullptr,
58
59 .private_transform = Keymaster0Engine::rsa_private_transform,
60
61 .mod_exp = nullptr,
62 .bn_mod_exp = BN_mod_exp_mont,
63
Shawn Willden24bdfc22015-05-26 13:12:24 -0600[diff] [blame]64 .flags = RSA_FLAG_OPAQUE,
Shawn Willdenac398062015-05-20 16:36:24 -0600[diff] [blame]65
66 .keygen = nullptr,
67 .supports_digest = nullptr,
68};
69
Shawn Willden24bdfc22015-05-26 13:12:24 -0600[diff] [blame]70const ECDSA_METHOD Keymaster0Engine::ecdsa_method_ = {
71 .common =
72 {
73 0, // references
74 1 // is_static
75 },
76 .app_data = nullptr,
77 .init = nullptr,
78 .finish = nullptr,
79 .group_order_size = nullptr,
80 .sign = Keymaster0Engine::ecdsa_sign,
81 .verify = nullptr,
82 .flags = ECDSA_FLAG_OPAQUE,
83};
84
Shawn Willdenac398062015-05-20 16:36:24 -0600[diff] [blame]85Keymaster0Engine::Keymaster0Engine(const keymaster0_device_t* keymaster0_device)
Shawn Willden24bdfc22015-05-26 13:12:24 -0600[diff] [blame]86 : keymaster0_device_(keymaster0_device), engine_(ENGINE_new()), supports_ec_(false) {
Shawn Willdenac398062015-05-20 16:36:24 -0600[diff] [blame]87 assert(!instance_);
88 instance_ = this;
89
90 rsa_index_ = RSA_get_ex_new_index(0 /* argl */, NULL /* argp */, NULL /* new_func */,
91 keyblob_dup, keyblob_free);
Shawn Willden24bdfc22015-05-26 13:12:24 -0600[diff] [blame]92 ec_key_index_ = EC_KEY_get_ex_new_index(0 /* argl */, NULL /* argp */, NULL /* new_func */,
93 keyblob_dup, keyblob_free);
94
Shawn Willdenac398062015-05-20 16:36:24 -0600[diff] [blame]95 ENGINE_set_RSA_method(engine_, &rsa_method_, sizeof(rsa_method_));
Shawn Willden24bdfc22015-05-26 13:12:24 -0600[diff] [blame]96
97 if ((keymaster0_device_->flags & KEYMASTER_SUPPORTS_EC) != 0) {
98 supports_ec_ = true;
99 ENGINE_set_ECDSA_method(engine_, &ecdsa_method_, sizeof(ecdsa_method_));
100 }
Shawn Willdenac398062015-05-20 16:36:24 -0600[diff] [blame]101}
102
103Keymaster0Engine::~Keymaster0Engine() {
104 if (keymaster0_device_)
105 keymaster0_device_->common.close(
106 reinterpret_cast<hw_device_t*>(const_cast<keymaster0_device_t*>(keymaster0_device_)));
107 ENGINE_free(engine_);
108 instance_ = nullptr;
109}
110
111bool Keymaster0Engine::GenerateRsaKey(uint64_t public_exponent, uint32_t public_modulus,
112 KeymasterKeyBlob* key_material) const {
113 assert(key_material);
114 keymaster_rsa_keygen_params_t params;
115 params.public_exponent = public_exponent;
116 params.modulus_size = public_modulus;
117
118 uint8_t* key_blob = 0;
119 if (keymaster0_device_->generate_keypair(keymaster0_device_, TYPE_RSA, &params, &key_blob,
120 &key_material->key_material_size) < 0) {
121 ALOGE("Error generating RSA key pair with keymaster0 device");
122 return false;
123 }
124 unique_ptr<uint8_t, Malloc_Delete> key_blob_deleter(key_blob);
125 key_material->key_material = dup_buffer(key_blob, key_material->key_material_size);
126 return true;
127}
128
Shawn Willden24bdfc22015-05-26 13:12:24 -0600[diff] [blame]129bool Keymaster0Engine::GenerateEcKey(uint32_t key_size, KeymasterKeyBlob* key_material) const {
130 assert(key_material);
131 keymaster_ec_keygen_params_t params;
132 params.field_size = key_size;
133
134 uint8_t* key_blob = 0;
135 if (keymaster0_device_->generate_keypair(keymaster0_device_, TYPE_EC, &params, &key_blob,
136 &key_material->key_material_size) < 0) {
137 ALOGE("Error generating EC key pair with keymaster0 device");
138 return false;
139 }
140 unique_ptr<uint8_t, Malloc_Delete> key_blob_deleter(key_blob);
141 key_material->key_material = dup_buffer(key_blob, key_material->key_material_size);
142 return true;
143}
144
145bool Keymaster0Engine::ImportKey(keymaster_key_format_t key_format,
146 const KeymasterKeyBlob& to_import,
147 KeymasterKeyBlob* imported_key) const {
Shawn Willdenac398062015-05-20 16:36:24 -0600[diff] [blame]148 assert(imported_key);
149 if (key_format != KM_KEY_FORMAT_PKCS8)
150 return false;
151
152 uint8_t* key_blob = 0;
153 if (keymaster0_device_->import_keypair(keymaster0_device_, to_import.key_material,
154 to_import.key_material_size, &key_blob,
155 &imported_key->key_material_size) < 0) {
Shawn Willden24bdfc22015-05-26 13:12:24 -0600[diff] [blame]156 ALOGW("Error importing keypair with keymaster0 device");
Shawn Willdenac398062015-05-20 16:36:24 -0600[diff] [blame]157 return false;
158 }
159 unique_ptr<uint8_t, Malloc_Delete> key_blob_deleter(key_blob);
160 imported_key->key_material = dup_buffer(key_blob, imported_key->key_material_size);
161 return true;
162}
163
164static keymaster_key_blob_t* duplicate_blob(const uint8_t* key_data, size_t key_data_size) {
Shawn Willdene5abbe52015-06-20 09:16:30 -0600[diff] [blame^]165 unique_ptr<uint8_t[]> key_material_copy(dup_buffer(key_data, key_data_size));
Shawn Willdenac398062015-05-20 16:36:24 -0600[diff] [blame]166 if (!key_material_copy)
167 return nullptr;
168
Shawn Willdene5abbe52015-06-20 09:16:30 -0600[diff] [blame^]169 unique_ptr<keymaster_key_blob_t> blob_copy(new (std::nothrow) keymaster_key_blob_t);
170 if (!blob_copy.get())
171 return nullptr;
Shawn Willdenac398062015-05-20 16:36:24 -0600[diff] [blame]172 blob_copy->key_material_size = key_data_size;
173 blob_copy->key_material = key_material_copy.release();
174 return blob_copy.release();
175}
176
177inline keymaster_key_blob_t* duplicate_blob(const keymaster_key_blob_t& blob) {
178 return duplicate_blob(blob.key_material, blob.key_material_size);
179}
180
181RSA* Keymaster0Engine::BlobToRsaKey(const KeymasterKeyBlob& blob) const {
182 // Create new RSA key (with engine methods) and insert blob
183 unique_ptr<RSA, RSA_Delete> rsa(RSA_new_method(engine_));
184 if (!rsa)
185 return nullptr;
186
187 keymaster_key_blob_t* blob_copy = duplicate_blob(blob);
188 if (!blob_copy->key_material || !RSA_set_ex_data(rsa.get(), rsa_index_, blob_copy))
189 return nullptr;
190
191 // Copy public key into new RSA key
192 unique_ptr<EVP_PKEY, EVP_PKEY_Delete> pkey(GetKeymaster0PublicKey(blob));
193 if (!pkey)
194 return nullptr;
195 unique_ptr<RSA, RSA_Delete> public_rsa(EVP_PKEY_get1_RSA(pkey.get()));
196 if (!public_rsa)
197 return nullptr;
198 rsa->n = BN_dup(public_rsa->n);
199 rsa->e = BN_dup(public_rsa->e);
200 if (!rsa->n || !rsa->e)
201 return nullptr;
202
203 return rsa.release();
204}
205
Shawn Willden24bdfc22015-05-26 13:12:24 -0600[diff] [blame]206EC_KEY* Keymaster0Engine::BlobToEcKey(const KeymasterKeyBlob& blob) const {
207 // Create new EC key (with engine methods) and insert blob
208 unique_ptr<EC_KEY, EC_Delete> ec_key(EC_KEY_new_method(engine_));
209 if (!ec_key)
210 return nullptr;
211
212 keymaster_key_blob_t* blob_copy = duplicate_blob(blob);
213 if (!blob_copy->key_material || !EC_KEY_set_ex_data(ec_key.get(), ec_key_index_, blob_copy))
214 return nullptr;
215
216 // Copy public key into new EC key
217 unique_ptr<EVP_PKEY, EVP_PKEY_Delete> pkey(GetKeymaster0PublicKey(blob));
218 if (!pkey)
219 return nullptr;
220
221 unique_ptr<EC_KEY, EC_Delete> public_ec_key(EVP_PKEY_get1_EC_KEY(pkey.get()));
222 if (!public_ec_key)
223 return nullptr;
224
225 if (!EC_KEY_set_group(ec_key.get(), EC_KEY_get0_group(public_ec_key.get())) ||
226 !EC_KEY_set_public_key(ec_key.get(), EC_KEY_get0_public_key(public_ec_key.get())))
227 return nullptr;
228
229 return ec_key.release();
230}
231
232const keymaster_key_blob_t* Keymaster0Engine::RsaKeyToBlob(const RSA* rsa) const {
Shawn Willdenac398062015-05-20 16:36:24 -0600[diff] [blame]233 return reinterpret_cast<keymaster_key_blob_t*>(RSA_get_ex_data(rsa, rsa_index_));
234}
235
Shawn Willden24bdfc22015-05-26 13:12:24 -0600[diff] [blame]236const keymaster_key_blob_t* Keymaster0Engine::EcKeyToBlob(const EC_KEY* ec_key) const {
237 return reinterpret_cast<keymaster_key_blob_t*>(EC_KEY_get_ex_data(ec_key, ec_key_index_));
238}
239
Shawn Willdenac398062015-05-20 16:36:24 -0600[diff] [blame]240/* static */
241int Keymaster0Engine::keyblob_dup(CRYPTO_EX_DATA* /* to */, const CRYPTO_EX_DATA* /* from */,
242 void** from_d, int /* index */, long /* argl */,
243 void* /* argp */) {
244 keymaster_key_blob_t* blob = reinterpret_cast<keymaster_key_blob_t*>(*from_d);
Shawn Willden24bdfc22015-05-26 13:12:24 -0600[diff] [blame]245 if (!blob)
246 return 1;
Shawn Willdenac398062015-05-20 16:36:24 -0600[diff] [blame]247 *from_d = duplicate_blob(*blob);
248 if (*from_d)
249 return 1;
250 return 0;
251}
252
253/* static */
254void Keymaster0Engine::keyblob_free(void* /* parent */, void* ptr, CRYPTO_EX_DATA* /* data */,
255 int /* index*/, long /* argl */, void* /* argp */) {
256 keymaster_key_blob_t* blob = reinterpret_cast<keymaster_key_blob_t*>(ptr);
257 if (blob) {
258 delete[] blob->key_material;
259 delete blob;
260 }
261}
262
263/* static */
264int Keymaster0Engine::rsa_private_transform(RSA* rsa, uint8_t* out, const uint8_t* in, size_t len) {
265 ALOGV("rsa_private_transform(%p, %p, %p, %u)", rsa, out, in, (unsigned)len);
266
267 assert(instance_);
268 return instance_->RsaPrivateTransform(rsa, out, in, len);
269}
270
Shawn Willden24bdfc22015-05-26 13:12:24 -0600[diff] [blame]271/* static */
272int Keymaster0Engine::ecdsa_sign(const uint8_t* digest, size_t digest_len, uint8_t* sig,
273 unsigned int* sig_len, EC_KEY* ec_key) {
274 ALOGV("ecdsa_sign(%p, %u, %p)", digest, (unsigned)digest_len, ec_key);
275 assert(instance_);
276 return instance_->EcdsaSign(digest, digest_len, sig, sig_len, ec_key);
277}
278
Shawn Willdenac398062015-05-20 16:36:24 -0600[diff] [blame]279bool Keymaster0Engine::Keymaster0Sign(const void* signing_params, const keymaster_key_blob_t& blob,
280 const uint8_t* data, const size_t data_length,
281 unique_ptr<uint8_t[], Malloc_Delete>* signature,
282 size_t* signature_length) const {
283 uint8_t* signed_data;
284 int err = keymaster0_device_->sign_data(keymaster0_device_, signing_params, blob.key_material,
285 blob.key_material_size, data, data_length, &signed_data,
286 signature_length);
287 if (err < 0) {
288 ALOGE("Keymaster0 signing failed with error %d", err);
289 return false;
290 }
291
292 signature->reset(signed_data);
293 return true;
294}
295
296EVP_PKEY* Keymaster0Engine::GetKeymaster0PublicKey(const KeymasterKeyBlob& blob) const {
297 uint8_t* pub_key_data;
298 size_t pub_key_data_length;
299 int err = keymaster0_device_->get_keypair_public(keymaster0_device_, blob.key_material,
300 blob.key_material_size, &pub_key_data,
301 &pub_key_data_length);
302 if (err < 0) {
303 ALOGE("Error %d extracting public key", err);
304 return nullptr;
305 }
306 unique_ptr<uint8_t, Malloc_Delete> pub_key(pub_key_data);
307
308 const uint8_t* p = pub_key_data;
309 return d2i_PUBKEY(nullptr /* allocate new struct */, &p, pub_key_data_length);
310}
311
312int Keymaster0Engine::RsaPrivateTransform(RSA* rsa, uint8_t* out, const uint8_t* in,
313 size_t len) const {
Shawn Willden24bdfc22015-05-26 13:12:24 -0600[diff] [blame]314 const keymaster_key_blob_t* key_blob = RsaKeyToBlob(rsa);
Shawn Willdenac398062015-05-20 16:36:24 -0600[diff] [blame]315 if (key_blob == NULL) {
316 ALOGE("key had no key_blob!");
317 return 0;
318 }
319
320 keymaster_rsa_sign_params_t sign_params = {DIGEST_NONE, PADDING_NONE};
321 unique_ptr<uint8_t[], Malloc_Delete> signature;
322 size_t signature_length;
323 if (!Keymaster0Sign(&sign_params, *key_blob, in, len, &signature, &signature_length))
324 return 0;
325 Eraser eraser(signature.get(), signature_length);
326
327 if (signature_length > len) {
328 /* The result of the RSA operation can never be larger than the size of
329 * the modulus so we assume that the result has extra zeros on the
330 * left. This provides attackers with an oracle, but there's nothing
331 * that we can do about it here. */
332 memcpy(out, signature.get() + signature_length - len, len);
333 } else if (signature_length < len) {
334 /* If the keymaster0 implementation returns a short value we assume that
335 * it's because it removed leading zeros from the left side. This is
336 * bad because it provides attackers with an oracle but we cannot do
337 * anything about a broken keymaster0 implementation here. */
338 memset(out, 0, len);
339 memcpy(out + len - signature_length, signature.get(), signature_length);
340 } else {
341 memcpy(out, signature.get(), len);
342 }
343
344 ALOGV("rsa=%p keystore_rsa_priv_dec successful", rsa);
345 return 1;
346}
347
Shawn Willden24bdfc22015-05-26 13:12:24 -0600[diff] [blame]348int Keymaster0Engine::EcdsaSign(const uint8_t* digest, size_t digest_len, uint8_t* sig,
349 unsigned int* sig_len, EC_KEY* ec_key) const {
350 const keymaster_key_blob_t* key_blob = EcKeyToBlob(ec_key);
351 if (key_blob == NULL) {
352 ALOGE("key had no key_blob!");
353 return 0;
354 }
355
356 keymaster_ec_sign_params_t sign_params = {DIGEST_NONE};
357 unique_ptr<uint8_t[], Malloc_Delete> signature;
358 size_t signature_length;
359 if (!Keymaster0Sign(&sign_params, *key_blob, digest, digest_len, &signature, &signature_length))
360 return 0;
361 Eraser eraser(signature.get(), signature_length);
362
363 if (signature_length == 0) {
364 ALOGW("No valid signature returned");
365 return 0;
366 } else if (signature_length > ECDSA_size(ec_key)) {
367 ALOGW("Signature is too large");
368 return 0;
369 } else {
370 memcpy(sig, signature.get(), signature_length);
371 *sig_len = signature_length;
372 }
373
374 ALOGV("ecdsa_sign(%p, %u, %p) => success", digest, (unsigned)digest_len, ec_key);
375 return 1;
376}
377
Shawn Willdenac398062015-05-20 16:36:24 -0600[diff] [blame]378} // namespace keymaster