key_blob.cpp

/*
 * Copyright 2014 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#include <assert.h>

#include <keymaster/google_keymaster_utils.h>
#include <keymaster/key_blob.h>
#include <keymaster/logger.h>

namespace keymaster {

const size_t KeyBlob::NONCE_LENGTH;
const size_t KeyBlob::TAG_LENGTH;

KeyBlob::KeyBlob(const uint8_t* key_blob, size_t key_blob_length) : error_(KM_ERROR_OK) {
    Deserialize(&key_blob, key_blob + key_blob_length);
}

KeyBlob::KeyBlob(const keymaster_key_blob_t& key_blob) : error_(KM_ERROR_OK) {
    const uint8_t* key_material = key_blob.key_material;
    Deserialize(&key_material, key_blob.key_material + key_blob.key_material_size);
}

size_t KeyBlob::SerializedSize() const {
    return 1 /* version byte */ + sizeof(uint32_t) /* nonce length */ + NONCE_LENGTH +
           sizeof(uint32_t) + key_material_length() + sizeof(uint32_t) /* tag length */ +
           TAG_LENGTH + enforced_.SerializedSize() + unenforced_.SerializedSize();
}

const uint8_t BLOB_VERSION = 0;

uint8_t* KeyBlob::Serialize(uint8_t* buf, const uint8_t* end) const {
    const uint8_t* start __attribute__((__unused__)) = buf;
    *buf++ = BLOB_VERSION;
    buf = append_size_and_data_to_buf(buf, end, nonce(), NONCE_LENGTH);
    buf = append_size_and_data_to_buf(buf, end, encrypted_key_material(), key_material_length());
    buf = append_size_and_data_to_buf(buf, end, tag(), TAG_LENGTH);
    buf = enforced_.Serialize(buf, end);
    buf = unenforced_.Serialize(buf, end);
    assert(buf - start == static_cast<ptrdiff_t>(SerializedSize()));
    return buf;
}

bool KeyBlob::Deserialize(const uint8_t** buf_ptr, const uint8_t* end) {
    const uint8_t* start = *buf_ptr;
    uint8_t version = *(*buf_ptr)++;
    size_t nonce_length;
    size_t tag_length;
    if (version != BLOB_VERSION ||
        !copy_size_and_data_from_buf(buf_ptr, end, &nonce_length, &nonce_) ||
        nonce_length != NONCE_LENGTH ||
        !copy_size_and_data_from_buf(buf_ptr, end, &key_material_length_,
                                     &encrypted_key_material_) ||
        !copy_size_and_data_from_buf(buf_ptr, end, &tag_length, &tag_) ||
        tag_length != TAG_LENGTH || !enforced_.Deserialize(buf_ptr, end) ||
        !unenforced_.Deserialize(buf_ptr, end)) {
        *buf_ptr = start;
        // This blob failed to parse.  Either it's corrupted or it's a blob generated by an earlier
        // version of keymaster using a previous blob format which did not include the version byte
        // or the nonce or tag length fields.  So we try to parse it as that previous version.
        //
        // Note that it's not really a problem if we erronously parse a corrupted blob, because
        // decryption will fail the authentication check.
        //
        // A bigger potential problem is: What if a valid unversioned blob appears to parse
        // correctly as a versioned blob?  It would then be rejected during decryption, causing a
        // valid key to become unusable.  If this is a disk encryption key, upgrading to a keymaster
        // version with the new format would destroy the user's data.
        //
        // What is the probability that an unversioned key could be successfully parsed as a version
        // 0 key?  The first 12 bytes of an unversioned key are the nonce, which, in the only
        // keymaster version released with unversioned keys, is chosen randomly.  In order for an
        // unversioned key to parse as a version 0 key, the following must be true about the first
        // five of those random bytes:
        //
        // 1.  The first byte must be zero.  This will happen with probability 1/2^8.
        //
        // 2.  The second through fifth bytes must contain an unsigned integer value equal to
        //     NONCE_LENGTH.  This will happen with probability 1/2^32.
        //
        // Based on those two checks alone, the probability of interpreting an unversioned blob as a
        // version 0 blob is 1/2^40.  That's small enough to be negligible, but there are additional
        // checks which lower it further.
        LOG_I("Failed to deserialize versioned key blob.  Assuming unversioned.");
        *buf_ptr = start;
        if (!DeserializeUnversionedBlob(buf_ptr, end))
            return false;
    }
    return ExtractKeyCharacteristics();
}

bool KeyBlob::DeserializeUnversionedBlob(const uint8_t** buf_ptr, const uint8_t* end) {
    nonce_.reset(new uint8_t[NONCE_LENGTH]);
    tag_.reset(new uint8_t[TAG_LENGTH]);
    if (!nonce_.get() || !tag_.get()) {
        error_ = KM_ERROR_MEMORY_ALLOCATION_FAILED;
        return false;
    }

    if (!copy_from_buf(buf_ptr, end, nonce_.get(), NONCE_LENGTH) ||
        !copy_size_and_data_from_buf(buf_ptr, end, &key_material_length_,
                                     &encrypted_key_material_) ||
        !copy_from_buf(buf_ptr, end, tag_.get(), TAG_LENGTH) ||
        !enforced_.Deserialize(buf_ptr, end) || !unenforced_.Deserialize(buf_ptr, end)) {
        encrypted_key_material_.reset();
        LOG_E("Failed to deserialize unversioned blob", 0);
        error_ = KM_ERROR_INVALID_KEY_BLOB;
        return false;
    }
    return ExtractKeyCharacteristics();
}

KeyBlob::KeyBlob(const AuthorizationSet& enforced, const AuthorizationSet& unenforced)
    : error_(KM_ERROR_OK), enforced_(enforced), unenforced_(unenforced) {
}

void KeyBlob::SetEncryptedKey(uint8_t* encrypted_key_material, size_t encrypted_key_material_length,
                              uint8_t* nonce, uint8_t* tag) {
    ClearKeyData();
    encrypted_key_material_.reset(encrypted_key_material);
    key_material_length_ = encrypted_key_material_length;
    nonce_.reset(nonce);
    tag_.reset(tag);
}

bool KeyBlob::ExtractKeyCharacteristics() {
    if (!enforced_.GetTagValue(TAG_ALGORITHM, &algorithm_) &&
        !unenforced_.GetTagValue(TAG_ALGORITHM, &algorithm_)) {
        error_ = KM_ERROR_UNSUPPORTED_ALGORITHM;
        return false;
    }
    if (!enforced_.GetTagValue(TAG_KEY_SIZE, &key_size_bits_) &&
        !unenforced_.GetTagValue(TAG_KEY_SIZE, &key_size_bits_)) {
        error_ = KM_ERROR_UNSUPPORTED_KEY_SIZE;
        return false;
    }
    return true;
}

keymaster_key_origin_t KeyBlob::origin() const {
    keymaster_key_origin_t origin = KM_ORIGIN_SOFTWARE;
    if (!enforced_.GetTagValue(TAG_ORIGIN, &origin) &&
        !unenforced_.GetTagValue(TAG_ORIGIN, &origin))
        // This should be impossible.
        assert(false);
    return origin;
}

}  // namespace keymaster