Gitiles
Code Review Sign In
gerrit.openfyde.cn / android.googlesource.com / platform / system / keymaster / e9fb087a8245e26483e8865515c919c83ed84c5b / . / keymaster0_engine.cpp
blob: 70c0d89fc9104b06e7cb4ffba8b2431adfb3e937 [file] [log] [blame]
Shawn Willdenac398062015-05-20 16:36:24 -0600[diff] [blame]1/*
2 * Copyright 2015 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#include "keymaster0_engine.h"
18
19#include <assert.h>
20
21#include <memory>
22
23#define LOG_TAG "Keymaster0Engine"
24#include <cutils/log.h>
25
26#include "keymaster/android_keymaster_utils.h"
27
Shawn Willden9a1cd6d2015-07-08 17:12:16 -0600[diff] [blame]28#include <openssl/bn.h>
Shawn Willdenac398062015-05-20 16:36:24 -0600[diff] [blame]29#include <openssl/ec_key.h>
30#include <openssl/ecdsa.h>
31
32#include "openssl_utils.h"
33
34using std::shared_ptr;
35using std::unique_ptr;
36
37namespace keymaster {
38
Shawn Willdenac398062015-05-20 16:36:24 -0600[diff] [blame]39Keymaster0Engine* Keymaster0Engine::instance_ = nullptr;
Shawn Willden24bdfc22015-05-26 13:12:24 -0600[diff] [blame]40
Shawn Willdenac398062015-05-20 16:36:24 -0600[diff] [blame]41Keymaster0Engine::Keymaster0Engine(const keymaster0_device_t* keymaster0_device)
Shawn Willden24bdfc22015-05-26 13:12:24 -0600[diff] [blame]42 : keymaster0_device_(keymaster0_device), engine_(ENGINE_new()), supports_ec_(false) {
Shawn Willdenac398062015-05-20 16:36:24 -0600[diff] [blame]43 assert(!instance_);
44 instance_ = this;
45
46 rsa_index_ = RSA_get_ex_new_index(0 /* argl */, NULL /* argp */, NULL /* new_func */,
47 keyblob_dup, keyblob_free);
Shawn Willden24bdfc22015-05-26 13:12:24 -0600[diff] [blame]48 ec_key_index_ = EC_KEY_get_ex_new_index(0 /* argl */, NULL /* argp */, NULL /* new_func */,
49 keyblob_dup, keyblob_free);
50
Shawn Willden2ff74dc2015-07-27 16:58:30 -0600[diff] [blame]51 rsa_method_.common.references = 0;
52 rsa_method_.common.is_static = 1;
53 rsa_method_.app_data = nullptr;
54 rsa_method_.init = nullptr;
55 rsa_method_.finish = nullptr;
56 rsa_method_.size = nullptr;
57 rsa_method_.sign = nullptr;
58 rsa_method_.verify = nullptr;
59 rsa_method_.encrypt = nullptr;
60 rsa_method_.sign_raw = nullptr;
61 rsa_method_.decrypt = nullptr;
62 rsa_method_.verify_raw = nullptr;
63 rsa_method_.private_transform = Keymaster0Engine::rsa_private_transform;
64 rsa_method_.mod_exp = nullptr;
65 rsa_method_.bn_mod_exp = BN_mod_exp_mont;
66 rsa_method_.flags = RSA_FLAG_OPAQUE;
67 rsa_method_.keygen = nullptr;
68 rsa_method_.supports_digest = nullptr;
69
Shawn Willdenac398062015-05-20 16:36:24 -0600[diff] [blame]70 ENGINE_set_RSA_method(engine_, &rsa_method_, sizeof(rsa_method_));
Shawn Willden24bdfc22015-05-26 13:12:24 -0600[diff] [blame]71
72 if ((keymaster0_device_->flags & KEYMASTER_SUPPORTS_EC) != 0) {
73 supports_ec_ = true;
Shawn Willden2ff74dc2015-07-27 16:58:30 -0600[diff] [blame]74
75 ecdsa_method_.common.references = 0;
76 ecdsa_method_.common.is_static = 1;
77 ecdsa_method_.app_data = nullptr;
78 ecdsa_method_.init = nullptr;
79 ecdsa_method_.finish = nullptr;
80 ecdsa_method_.group_order_size = nullptr;
81 ecdsa_method_.sign = Keymaster0Engine::ecdsa_sign;
82 ecdsa_method_.verify = nullptr;
83 ecdsa_method_.flags = ECDSA_FLAG_OPAQUE;
84
Shawn Willden24bdfc22015-05-26 13:12:24 -0600[diff] [blame]85 ENGINE_set_ECDSA_method(engine_, &ecdsa_method_, sizeof(ecdsa_method_));
86 }
Shawn Willdenac398062015-05-20 16:36:24 -0600[diff] [blame]87}
88
89Keymaster0Engine::~Keymaster0Engine() {
90 if (keymaster0_device_)
91 keymaster0_device_->common.close(
92 reinterpret_cast<hw_device_t*>(const_cast<keymaster0_device_t*>(keymaster0_device_)));
93 ENGINE_free(engine_);
94 instance_ = nullptr;
95}
96
97bool Keymaster0Engine::GenerateRsaKey(uint64_t public_exponent, uint32_t public_modulus,
98 KeymasterKeyBlob* key_material) const {
99 assert(key_material);
100 keymaster_rsa_keygen_params_t params;
101 params.public_exponent = public_exponent;
102 params.modulus_size = public_modulus;
103
104 uint8_t* key_blob = 0;
105 if (keymaster0_device_->generate_keypair(keymaster0_device_, TYPE_RSA, &params, &key_blob,
106 &key_material->key_material_size) < 0) {
107 ALOGE("Error generating RSA key pair with keymaster0 device");
108 return false;
109 }
110 unique_ptr<uint8_t, Malloc_Delete> key_blob_deleter(key_blob);
111 key_material->key_material = dup_buffer(key_blob, key_material->key_material_size);
112 return true;
113}
114
Shawn Willden24bdfc22015-05-26 13:12:24 -0600[diff] [blame]115bool Keymaster0Engine::GenerateEcKey(uint32_t key_size, KeymasterKeyBlob* key_material) const {
116 assert(key_material);
117 keymaster_ec_keygen_params_t params;
118 params.field_size = key_size;
119
120 uint8_t* key_blob = 0;
121 if (keymaster0_device_->generate_keypair(keymaster0_device_, TYPE_EC, &params, &key_blob,
122 &key_material->key_material_size) < 0) {
123 ALOGE("Error generating EC key pair with keymaster0 device");
124 return false;
125 }
126 unique_ptr<uint8_t, Malloc_Delete> key_blob_deleter(key_blob);
127 key_material->key_material = dup_buffer(key_blob, key_material->key_material_size);
128 return true;
129}
130
131bool Keymaster0Engine::ImportKey(keymaster_key_format_t key_format,
132 const KeymasterKeyBlob& to_import,
133 KeymasterKeyBlob* imported_key) const {
Shawn Willdenac398062015-05-20 16:36:24 -0600[diff] [blame]134 assert(imported_key);
135 if (key_format != KM_KEY_FORMAT_PKCS8)
136 return false;
137
138 uint8_t* key_blob = 0;
139 if (keymaster0_device_->import_keypair(keymaster0_device_, to_import.key_material,
140 to_import.key_material_size, &key_blob,
141 &imported_key->key_material_size) < 0) {
Shawn Willden24bdfc22015-05-26 13:12:24 -0600[diff] [blame]142 ALOGW("Error importing keypair with keymaster0 device");
Shawn Willdenac398062015-05-20 16:36:24 -0600[diff] [blame]143 return false;
144 }
145 unique_ptr<uint8_t, Malloc_Delete> key_blob_deleter(key_blob);
146 imported_key->key_material = dup_buffer(key_blob, imported_key->key_material_size);
147 return true;
148}
149
150static keymaster_key_blob_t* duplicate_blob(const uint8_t* key_data, size_t key_data_size) {
Shawn Willden661b2b12015-06-20 09:16:30 -0600[diff] [blame]151 unique_ptr<uint8_t[]> key_material_copy(dup_buffer(key_data, key_data_size));
Shawn Willdenac398062015-05-20 16:36:24 -0600[diff] [blame]152 if (!key_material_copy)
153 return nullptr;
154
Shawn Willden9a1cd6d2015-07-08 17:12:16 -0600[diff] [blame]155 unique_ptr<keymaster_key_blob_t> blob_copy(new (std::nothrow) keymaster_key_blob_t);
Shawn Willden661b2b12015-06-20 09:16:30 -0600[diff] [blame]156 if (!blob_copy.get())
157 return nullptr;
Shawn Willdenac398062015-05-20 16:36:24 -0600[diff] [blame]158 blob_copy->key_material_size = key_data_size;
159 blob_copy->key_material = key_material_copy.release();
160 return blob_copy.release();
161}
162
163inline keymaster_key_blob_t* duplicate_blob(const keymaster_key_blob_t& blob) {
164 return duplicate_blob(blob.key_material, blob.key_material_size);
165}
166
167RSA* Keymaster0Engine::BlobToRsaKey(const KeymasterKeyBlob& blob) const {
168 // Create new RSA key (with engine methods) and insert blob
169 unique_ptr<RSA, RSA_Delete> rsa(RSA_new_method(engine_));
170 if (!rsa)
171 return nullptr;
172
173 keymaster_key_blob_t* blob_copy = duplicate_blob(blob);
174 if (!blob_copy->key_material || !RSA_set_ex_data(rsa.get(), rsa_index_, blob_copy))
175 return nullptr;
176
177 // Copy public key into new RSA key
178 unique_ptr<EVP_PKEY, EVP_PKEY_Delete> pkey(GetKeymaster0PublicKey(blob));
179 if (!pkey)
180 return nullptr;
181 unique_ptr<RSA, RSA_Delete> public_rsa(EVP_PKEY_get1_RSA(pkey.get()));
182 if (!public_rsa)
183 return nullptr;
184 rsa->n = BN_dup(public_rsa->n);
185 rsa->e = BN_dup(public_rsa->e);
186 if (!rsa->n || !rsa->e)
187 return nullptr;
188
189 return rsa.release();
190}
191
Shawn Willden24bdfc22015-05-26 13:12:24 -0600[diff] [blame]192EC_KEY* Keymaster0Engine::BlobToEcKey(const KeymasterKeyBlob& blob) const {
193 // Create new EC key (with engine methods) and insert blob
194 unique_ptr<EC_KEY, EC_Delete> ec_key(EC_KEY_new_method(engine_));
195 if (!ec_key)
196 return nullptr;
197
198 keymaster_key_blob_t* blob_copy = duplicate_blob(blob);
199 if (!blob_copy->key_material || !EC_KEY_set_ex_data(ec_key.get(), ec_key_index_, blob_copy))
200 return nullptr;
201
202 // Copy public key into new EC key
203 unique_ptr<EVP_PKEY, EVP_PKEY_Delete> pkey(GetKeymaster0PublicKey(blob));
204 if (!pkey)
205 return nullptr;
206
207 unique_ptr<EC_KEY, EC_Delete> public_ec_key(EVP_PKEY_get1_EC_KEY(pkey.get()));
208 if (!public_ec_key)
209 return nullptr;
210
211 if (!EC_KEY_set_group(ec_key.get(), EC_KEY_get0_group(public_ec_key.get())) ||
212 !EC_KEY_set_public_key(ec_key.get(), EC_KEY_get0_public_key(public_ec_key.get())))
213 return nullptr;
214
215 return ec_key.release();
216}
217
218const keymaster_key_blob_t* Keymaster0Engine::RsaKeyToBlob(const RSA* rsa) const {
Shawn Willdenac398062015-05-20 16:36:24 -0600[diff] [blame]219 return reinterpret_cast<keymaster_key_blob_t*>(RSA_get_ex_data(rsa, rsa_index_));
220}
221
Shawn Willden24bdfc22015-05-26 13:12:24 -0600[diff] [blame]222const keymaster_key_blob_t* Keymaster0Engine::EcKeyToBlob(const EC_KEY* ec_key) const {
223 return reinterpret_cast<keymaster_key_blob_t*>(EC_KEY_get_ex_data(ec_key, ec_key_index_));
224}
225
Shawn Willdenac398062015-05-20 16:36:24 -0600[diff] [blame]226/* static */
227int Keymaster0Engine::keyblob_dup(CRYPTO_EX_DATA* /* to */, const CRYPTO_EX_DATA* /* from */,
228 void** from_d, int /* index */, long /* argl */,
229 void* /* argp */) {
230 keymaster_key_blob_t* blob = reinterpret_cast<keymaster_key_blob_t*>(*from_d);
Shawn Willden24bdfc22015-05-26 13:12:24 -0600[diff] [blame]231 if (!blob)
232 return 1;
Shawn Willdenac398062015-05-20 16:36:24 -0600[diff] [blame]233 *from_d = duplicate_blob(*blob);
234 if (*from_d)
235 return 1;
236 return 0;
237}
238
239/* static */
240void Keymaster0Engine::keyblob_free(void* /* parent */, void* ptr, CRYPTO_EX_DATA* /* data */,
241 int /* index*/, long /* argl */, void* /* argp */) {
242 keymaster_key_blob_t* blob = reinterpret_cast<keymaster_key_blob_t*>(ptr);
243 if (blob) {
244 delete[] blob->key_material;
245 delete blob;
246 }
247}
248
249/* static */
250int Keymaster0Engine::rsa_private_transform(RSA* rsa, uint8_t* out, const uint8_t* in, size_t len) {
251 ALOGV("rsa_private_transform(%p, %p, %p, %u)", rsa, out, in, (unsigned)len);
252
253 assert(instance_);
254 return instance_->RsaPrivateTransform(rsa, out, in, len);
255}
256
Shawn Willden24bdfc22015-05-26 13:12:24 -0600[diff] [blame]257/* static */
258int Keymaster0Engine::ecdsa_sign(const uint8_t* digest, size_t digest_len, uint8_t* sig,
259 unsigned int* sig_len, EC_KEY* ec_key) {
260 ALOGV("ecdsa_sign(%p, %u, %p)", digest, (unsigned)digest_len, ec_key);
261 assert(instance_);
262 return instance_->EcdsaSign(digest, digest_len, sig, sig_len, ec_key);
263}
264
Shawn Willdenac398062015-05-20 16:36:24 -0600[diff] [blame]265bool Keymaster0Engine::Keymaster0Sign(const void* signing_params, const keymaster_key_blob_t& blob,
266 const uint8_t* data, const size_t data_length,
267 unique_ptr<uint8_t[], Malloc_Delete>* signature,
268 size_t* signature_length) const {
269 uint8_t* signed_data;
270 int err = keymaster0_device_->sign_data(keymaster0_device_, signing_params, blob.key_material,
271 blob.key_material_size, data, data_length, &signed_data,
272 signature_length);
273 if (err < 0) {
274 ALOGE("Keymaster0 signing failed with error %d", err);
275 return false;
276 }
277
278 signature->reset(signed_data);
279 return true;
280}
281
282EVP_PKEY* Keymaster0Engine::GetKeymaster0PublicKey(const KeymasterKeyBlob& blob) const {
283 uint8_t* pub_key_data;
284 size_t pub_key_data_length;
285 int err = keymaster0_device_->get_keypair_public(keymaster0_device_, blob.key_material,
286 blob.key_material_size, &pub_key_data,
287 &pub_key_data_length);
288 if (err < 0) {
289 ALOGE("Error %d extracting public key", err);
290 return nullptr;
291 }
292 unique_ptr<uint8_t, Malloc_Delete> pub_key(pub_key_data);
293
294 const uint8_t* p = pub_key_data;
295 return d2i_PUBKEY(nullptr /* allocate new struct */, &p, pub_key_data_length);
296}
297
Shawn Willdene9fb0872015-10-23 10:11:40 -0600[diff] [blame^]298static bool data_too_large_for_public_modulus(const uint8_t* data, size_t len, const RSA* rsa) {
299 unique_ptr<BIGNUM, BIGNUM_Delete> input_as_bn(
300 BN_bin2bn(data, len, nullptr /* allocate result */));
301 return input_as_bn && BN_ucmp(input_as_bn.get(), rsa->n) >= 0;
302}
303
Shawn Willdenac398062015-05-20 16:36:24 -0600[diff] [blame]304int Keymaster0Engine::RsaPrivateTransform(RSA* rsa, uint8_t* out, const uint8_t* in,
305 size_t len) const {
Shawn Willden24bdfc22015-05-26 13:12:24 -0600[diff] [blame]306 const keymaster_key_blob_t* key_blob = RsaKeyToBlob(rsa);
Shawn Willdenac398062015-05-20 16:36:24 -0600[diff] [blame]307 if (key_blob == NULL) {
308 ALOGE("key had no key_blob!");
309 return 0;
310 }
311
312 keymaster_rsa_sign_params_t sign_params = {DIGEST_NONE, PADDING_NONE};
313 unique_ptr<uint8_t[], Malloc_Delete> signature;
314 size_t signature_length;
Shawn Willdene9fb0872015-10-23 10:11:40 -0600[diff] [blame^]315 if (!Keymaster0Sign(&sign_params, *key_blob, in, len, &signature, &signature_length)) {
316 if (data_too_large_for_public_modulus(in, len, rsa)) {
317 ALOGE("Keymaster0 signing failed because data is too large.");
318 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
319 } else {
320 // We don't know what error code is correct; force an "unknown error" return
321 OPENSSL_PUT_ERROR(USER, KM_ERROR_UNKNOWN_ERROR);
322 }
Shawn Willdenac398062015-05-20 16:36:24 -0600[diff] [blame]323 return 0;
Shawn Willdene9fb0872015-10-23 10:11:40 -0600[diff] [blame^]324 }
Shawn Willdenac398062015-05-20 16:36:24 -0600[diff] [blame]325 Eraser eraser(signature.get(), signature_length);
326
327 if (signature_length > len) {
328 /* The result of the RSA operation can never be larger than the size of
329 * the modulus so we assume that the result has extra zeros on the
330 * left. This provides attackers with an oracle, but there's nothing
331 * that we can do about it here. */
332 memcpy(out, signature.get() + signature_length - len, len);
333 } else if (signature_length < len) {
334 /* If the keymaster0 implementation returns a short value we assume that
335 * it's because it removed leading zeros from the left side. This is
336 * bad because it provides attackers with an oracle but we cannot do
337 * anything about a broken keymaster0 implementation here. */
338 memset(out, 0, len);
339 memcpy(out + len - signature_length, signature.get(), signature_length);
340 } else {
341 memcpy(out, signature.get(), len);
342 }
343
344 ALOGV("rsa=%p keystore_rsa_priv_dec successful", rsa);
345 return 1;
346}
347
Shawn Willden24bdfc22015-05-26 13:12:24 -0600[diff] [blame]348int Keymaster0Engine::EcdsaSign(const uint8_t* digest, size_t digest_len, uint8_t* sig,
349 unsigned int* sig_len, EC_KEY* ec_key) const {
350 const keymaster_key_blob_t* key_blob = EcKeyToBlob(ec_key);
351 if (key_blob == NULL) {
352 ALOGE("key had no key_blob!");
353 return 0;
354 }
355
Shawn Willden9a1cd6d2015-07-08 17:12:16 -0600[diff] [blame]356 // Truncate digest if it's too long
357 size_t max_input_len = (ec_group_size_bits(ec_key) + 7) / 8;
358 if (digest_len > max_input_len)
359 digest_len = max_input_len;
360
Shawn Willden24bdfc22015-05-26 13:12:24 -0600[diff] [blame]361 keymaster_ec_sign_params_t sign_params = {DIGEST_NONE};
362 unique_ptr<uint8_t[], Malloc_Delete> signature;
363 size_t signature_length;
Shawn Willdene9fb0872015-10-23 10:11:40 -0600[diff] [blame^]364 if (!Keymaster0Sign(&sign_params, *key_blob, digest, digest_len, &signature,
365 &signature_length)) {
366 // We don't know what error code is correct; force an "unknown error" return
367 OPENSSL_PUT_ERROR(USER, KM_ERROR_UNKNOWN_ERROR);
Shawn Willden24bdfc22015-05-26 13:12:24 -0600[diff] [blame]368 return 0;
Shawn Willdene9fb0872015-10-23 10:11:40 -0600[diff] [blame^]369 }
Shawn Willden24bdfc22015-05-26 13:12:24 -0600[diff] [blame]370 Eraser eraser(signature.get(), signature_length);
371
372 if (signature_length == 0) {
373 ALOGW("No valid signature returned");
374 return 0;
375 } else if (signature_length > ECDSA_size(ec_key)) {
376 ALOGW("Signature is too large");
377 return 0;
378 } else {
379 memcpy(sig, signature.get(), signature_length);
380 *sig_len = signature_length;
381 }
382
383 ALOGV("ecdsa_sign(%p, %u, %p) => success", digest, (unsigned)digest_len, ec_key);
384 return 1;
385}
386
Shawn Willdenac398062015-05-20 16:36:24 -0600[diff] [blame]387} // namespace keymaster