Gitiles
Code Review Sign In
gerrit.openfyde.cn / android.googlesource.com / platform / system / keymaster / f90f235636cc3cbfb393e5006b673aef00df825a / . / rsa_operation.cpp
blob: b336ef8631882c98ce1d5f5f59b7139493c15b67 [file] [log] [blame]
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]1/*
2 * Copyright 2014 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]17#include "rsa_operation.h"
18
Shawn Willden4200f212014-12-02 07:01:21 -0700[diff] [blame]19#include <limits.h>
20
21#include <openssl/err.h>
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]22
Shawn Willden567a4a02014-12-31 12:14:46 -0700[diff] [blame]23#include <keymaster/logger.h>
24
25#include "openssl_err.h"
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]26#include "openssl_utils.h"
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]27#include "rsa_key.h"
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]28
29namespace keymaster {
30
Shawn Willdenf90f2352014-12-18 23:01:15 -0700[diff] [blame^]31static const int MIN_PSS_SALT_LEN = 8 /* salt len */ + 2 /* overhead */;
32
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]33/**
34 * Abstract base for all RSA operation factories. This class exists mainly to centralize some code
35 * common to all RSA operation factories.
36 */
37class RsaOperationFactory : public OperationFactory {
38 public:
39 virtual KeyType registry_key() const { return KeyType(KM_ALGORITHM_RSA, purpose()); }
40 virtual keymaster_purpose_t purpose() const = 0;
41
42 protected:
43 bool GetAndValidatePadding(const Key& key, keymaster_padding_t* padding,
44 keymaster_error_t* error) const;
45 bool GetAndValidateDigest(const Key& key, keymaster_digest_t* digest,
46 keymaster_error_t* error) const;
47 static RSA* GetRsaKey(const Key& key, keymaster_error_t* error);
48};
49
50bool RsaOperationFactory::GetAndValidatePadding(const Key& key, keymaster_padding_t* padding,
51 keymaster_error_t* error) const {
52 *error = KM_ERROR_UNSUPPORTED_PADDING_MODE;
53 if (!key.authorizations().GetTagValue(TAG_PADDING, padding))
54 return false;
55
56 size_t padding_count;
57 const keymaster_padding_t* supported_paddings = SupportedPaddingModes(&padding_count);
58 for (size_t i = 0; i < padding_count; ++i) {
59 if (*padding == supported_paddings[i]) {
60 *error = KM_ERROR_OK;
61 return true;
62 }
63 }
64 return false;
65}
66
67bool RsaOperationFactory::GetAndValidateDigest(const Key& key, keymaster_digest_t* digest,
68 keymaster_error_t* error) const {
69 *error = KM_ERROR_UNSUPPORTED_DIGEST;
70 if (!key.authorizations().GetTagValue(TAG_DIGEST, digest))
71 return false;
72
73 size_t digest_count;
74 const keymaster_digest_t* supported_digests = SupportedDigests(&digest_count);
75 for (size_t i = 0; i < digest_count; ++i) {
76 if (*digest == supported_digests[i]) {
77 *error = KM_ERROR_OK;
78 return true;
79 }
80 }
81 return false;
82}
83
84/* static */
85RSA* RsaOperationFactory::GetRsaKey(const Key& key, keymaster_error_t* error) {
86 const RsaKey* rsa_key = static_cast<const RsaKey*>(&key);
87 assert(rsa_key);
88 if (!rsa_key || !rsa_key->key()) {
89 *error = KM_ERROR_UNKNOWN_ERROR;
90 return NULL;
91 }
Shawn Willden28eed512015-02-25 19:16:36 -0700[diff] [blame]92 RSA_up_ref(rsa_key->key());
93 return rsa_key->key();
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]94}
95
Shawn Willden61902362014-12-18 10:33:24 -0700[diff] [blame]96static const keymaster_digest_t supported_digests[] = {KM_DIGEST_NONE, KM_DIGEST_SHA_2_256};
Shawn Willdenf90f2352014-12-18 23:01:15 -0700[diff] [blame^]97static const keymaster_padding_t supported_sig_padding[] = {KM_PAD_NONE, KM_PAD_RSA_PKCS1_1_5_SIGN,
98 KM_PAD_RSA_PSS};
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]99
100/**
101 * Abstract base for RSA operations that digest their input (signing and verification). This class
102 * does most of the work of creation of RSA digesting operations, delegating only the actual
103 * operation instantiation.
104 */
105class RsaDigestingOperationFactory : public RsaOperationFactory {
106 public:
Shawn Willden567a4a02014-12-31 12:14:46 -0700[diff] [blame]107 virtual Operation* CreateOperation(const Key& key, keymaster_error_t* error);
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]108
109 virtual const keymaster_digest_t* SupportedDigests(size_t* digest_count) const {
110 *digest_count = array_length(supported_digests);
111 return supported_digests;
112 }
113
114 virtual const keymaster_padding_t* SupportedPaddingModes(size_t* padding_mode_count) const {
115 *padding_mode_count = array_length(supported_sig_padding);
116 return supported_sig_padding;
117 }
118
119 private:
Shawn Willden567a4a02014-12-31 12:14:46 -0700[diff] [blame]120 virtual Operation* InstantiateOperation(keymaster_digest_t digest, keymaster_padding_t padding,
121 RSA* key) = 0;
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]122};
123
Shawn Willden567a4a02014-12-31 12:14:46 -0700[diff] [blame]124Operation* RsaDigestingOperationFactory::CreateOperation(const Key& key, keymaster_error_t* error) {
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]125 keymaster_padding_t padding;
126 keymaster_digest_t digest;
127 RSA* rsa;
128 if (!GetAndValidateDigest(key, &digest, error) ||
129 !GetAndValidatePadding(key, &padding, error) || !(rsa = GetRsaKey(key, error)))
130 return NULL;
131
Shawn Willden567a4a02014-12-31 12:14:46 -0700[diff] [blame]132 Operation* op = InstantiateOperation(digest, padding, rsa);
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]133 if (!op)
134 *error = KM_ERROR_MEMORY_ALLOCATION_FAILED;
135 return op;
136}
137
138static const keymaster_padding_t supported_crypt_padding[] = {KM_PAD_RSA_OAEP,
139 KM_PAD_RSA_PKCS1_1_5_ENCRYPT};
140
141/**
142 * Abstract base for en/de-crypting RSA operation factories. This class does most of the work of
143 * creating such operations, delegating only the actual operation instantiation.
144 */
145class RsaCryptingOperationFactory : public RsaOperationFactory {
146 public:
Shawn Willden567a4a02014-12-31 12:14:46 -0700[diff] [blame]147 virtual Operation* CreateOperation(const Key& key, keymaster_error_t* error);
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]148
149 virtual const keymaster_padding_t* SupportedPaddingModes(size_t* padding_mode_count) const {
150 *padding_mode_count = array_length(supported_crypt_padding);
151 return supported_crypt_padding;
152 }
153
154 virtual const keymaster_digest_t* SupportedDigests(size_t* digest_count) const {
155 *digest_count = 0;
156 return NULL;
157 }
158
159 private:
Shawn Willden567a4a02014-12-31 12:14:46 -0700[diff] [blame]160 virtual Operation* InstantiateOperation(keymaster_padding_t padding, RSA* key) = 0;
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]161};
162
Shawn Willden567a4a02014-12-31 12:14:46 -0700[diff] [blame]163Operation* RsaCryptingOperationFactory::CreateOperation(const Key& key, keymaster_error_t* error) {
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]164 keymaster_padding_t padding;
165 RSA* rsa;
166 if (!GetAndValidatePadding(key, &padding, error) || !(rsa = GetRsaKey(key, error)))
167 return NULL;
168
Shawn Willden567a4a02014-12-31 12:14:46 -0700[diff] [blame]169 Operation* op = InstantiateOperation(padding, rsa);
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]170 if (!op)
171 *error = KM_ERROR_MEMORY_ALLOCATION_FAILED;
172 return op;
173}
174
175/**
176 * Concrete factory for RSA signing operations.
177 */
178class RsaSigningOperationFactory : public RsaDigestingOperationFactory {
179 public:
180 virtual keymaster_purpose_t purpose() const { return KM_PURPOSE_SIGN; }
Shawn Willden567a4a02014-12-31 12:14:46 -0700[diff] [blame]181 virtual Operation* InstantiateOperation(keymaster_digest_t digest, keymaster_padding_t padding,
182 RSA* key) {
183 return new RsaSignOperation(digest, padding, key);
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]184 }
185};
186static OperationFactoryRegistry::Registration<RsaSigningOperationFactory> sign_registration;
187
188/**
189 * Concrete factory for RSA signing operations.
190 */
191class RsaVerificationOperationFactory : public RsaDigestingOperationFactory {
192 virtual keymaster_purpose_t purpose() const { return KM_PURPOSE_VERIFY; }
Shawn Willden567a4a02014-12-31 12:14:46 -0700[diff] [blame]193 virtual Operation* InstantiateOperation(keymaster_digest_t digest, keymaster_padding_t padding,
194 RSA* key) {
195 return new RsaVerifyOperation(digest, padding, key);
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]196 }
197};
198static OperationFactoryRegistry::Registration<RsaVerificationOperationFactory> verify_registration;
199
200/**
201 * Concrete factory for RSA signing operations.
202 */
203class RsaEncryptionOperationFactory : public RsaCryptingOperationFactory {
204 virtual keymaster_purpose_t purpose() const { return KM_PURPOSE_ENCRYPT; }
Shawn Willden567a4a02014-12-31 12:14:46 -0700[diff] [blame]205 virtual Operation* InstantiateOperation(keymaster_padding_t padding, RSA* key) {
206 return new RsaEncryptOperation(padding, key);
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]207 }
208};
209static OperationFactoryRegistry::Registration<RsaEncryptionOperationFactory> encrypt_registration;
210
211/**
212 * Concrete factory for RSA signing operations.
213 */
214class RsaDecryptionOperationFactory : public RsaCryptingOperationFactory {
215 virtual keymaster_purpose_t purpose() const { return KM_PURPOSE_DECRYPT; }
Shawn Willden567a4a02014-12-31 12:14:46 -0700[diff] [blame]216 virtual Operation* InstantiateOperation(keymaster_padding_t padding, RSA* key) {
217 return new RsaDecryptOperation(padding, key);
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]218 }
219};
220
221static OperationFactoryRegistry::Registration<RsaDecryptionOperationFactory> decrypt_registration;
222
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]223struct RSA_Delete {
224 void operator()(RSA* p) const { RSA_free(p); }
225};
226
227RsaOperation::~RsaOperation() {
228 if (rsa_key_ != NULL)
229 RSA_free(rsa_key_);
230}
231
Shawn Willden6bfbff02015-02-06 19:48:24 -0700[diff] [blame]232keymaster_error_t RsaOperation::Update(const AuthorizationSet& /* additional_params */,
233 const Buffer& input, Buffer* /* output */,
Shawn Willdenb7361132014-12-08 08:15:14 -0700[diff] [blame]234 size_t* input_consumed) {
235 assert(input_consumed);
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]236 switch (purpose()) {
237 default:
238 return KM_ERROR_UNIMPLEMENTED;
239 case KM_PURPOSE_SIGN:
240 case KM_PURPOSE_VERIFY:
Shawn Willden4200f212014-12-02 07:01:21 -0700[diff] [blame]241 case KM_PURPOSE_ENCRYPT:
242 case KM_PURPOSE_DECRYPT:
Shawn Willdenb7361132014-12-08 08:15:14 -0700[diff] [blame]243 return StoreData(input, input_consumed);
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]244 }
245}
246
Shawn Willdenb7361132014-12-08 08:15:14 -0700[diff] [blame]247keymaster_error_t RsaOperation::StoreData(const Buffer& input, size_t* input_consumed) {
248 assert(input_consumed);
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]249 if (!data_.reserve(data_.available_read() + input.available_read()) ||
250 !data_.write(input.peek_read(), input.available_read()))
251 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
Shawn Willdenb7361132014-12-08 08:15:14 -0700[diff] [blame]252 *input_consumed = input.available_read();
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]253 return KM_ERROR_OK;
254}
255
Shawn Willden61902362014-12-18 10:33:24 -0700[diff] [blame]256RsaDigestingOperation::RsaDigestingOperation(keymaster_purpose_t purpose, keymaster_digest_t digest,
257 keymaster_padding_t padding, RSA* key)
258 : RsaOperation(purpose, padding, key), digest_(digest), digest_algorithm_(NULL) {
259 EVP_MD_CTX_init(&digest_ctx_);
260}
261RsaDigestingOperation::~RsaDigestingOperation() {
262 EVP_MD_CTX_cleanup(&digest_ctx_);
Shawn Willdenf90f2352014-12-18 23:01:15 -0700[diff] [blame^]263 memset_s(digest_buf_, 0, sizeof(digest_buf_));
Shawn Willden61902362014-12-18 10:33:24 -0700[diff] [blame]264}
265
266keymaster_error_t RsaDigestingOperation::Begin(const AuthorizationSet& /* input_params */,
267 AuthorizationSet* /* output_params */) {
Shawn Willdenf90f2352014-12-18 23:01:15 -0700[diff] [blame^]268 if (require_digest() && digest_ == KM_DIGEST_NONE)
269 return KM_ERROR_INCOMPATIBLE_DIGEST;
270 return InitDigest();
271}
Shawn Willden61902362014-12-18 10:33:24 -0700[diff] [blame]272
Shawn Willdenf90f2352014-12-18 23:01:15 -0700[diff] [blame^]273keymaster_error_t RsaDigestingOperation::Update(const AuthorizationSet& additional_params,
274 const Buffer& input, Buffer* output,
275 size_t* input_consumed) {
276 if (digest_ == KM_DIGEST_NONE)
277 return RsaOperation::Update(additional_params, input, output, input_consumed);
278 else
279 return UpdateDigest(input, input_consumed);
280}
281
282keymaster_error_t RsaDigestingOperation::InitDigest() {
Shawn Willden61902362014-12-18 10:33:24 -0700[diff] [blame]283 switch (digest_) {
Shawn Willdenf90f2352014-12-18 23:01:15 -0700[diff] [blame^]284 case KM_DIGEST_NONE:
285 return KM_ERROR_OK;
Shawn Willden61902362014-12-18 10:33:24 -0700[diff] [blame]286 case KM_DIGEST_SHA_2_256:
287 digest_algorithm_ = EVP_sha256();
288 break;
289 default:
290 return KM_ERROR_UNSUPPORTED_DIGEST;
291 }
292
293 if (!EVP_DigestInit_ex(&digest_ctx_, digest_algorithm_, NULL /* engine */)) {
294 int err = ERR_get_error();
295 LOG_E("Failed to initialize digest: %d %s", err, ERR_error_string(err, NULL));
296 return KM_ERROR_UNKNOWN_ERROR;
297 }
Shawn Willden61902362014-12-18 10:33:24 -0700[diff] [blame]298 return KM_ERROR_OK;
299}
300
Shawn Willdenf90f2352014-12-18 23:01:15 -0700[diff] [blame^]301keymaster_error_t RsaDigestingOperation::UpdateDigest(const Buffer& input, size_t* input_consumed) {
Shawn Willden61902362014-12-18 10:33:24 -0700[diff] [blame]302 if (!EVP_DigestUpdate(&digest_ctx_, input.peek_read(), input.available_read())) {
303 int err = ERR_get_error();
304 LOG_E("Failed to update digest: %d %s", err, ERR_error_string(err, NULL));
305 return KM_ERROR_UNKNOWN_ERROR;
306 }
307 *input_consumed = input.available_read();
308 return KM_ERROR_OK;
309}
310
Shawn Willdenf90f2352014-12-18 23:01:15 -0700[diff] [blame^]311keymaster_error_t RsaDigestingOperation::FinishDigest(unsigned* digest_size) {
Shawn Willden61902362014-12-18 10:33:24 -0700[diff] [blame]312 assert(digest_algorithm_ != NULL);
Shawn Willdenf90f2352014-12-18 23:01:15 -0700[diff] [blame^]313 if (!EVP_DigestFinal_ex(&digest_ctx_, digest_buf_, digest_size)) {
Shawn Willden61902362014-12-18 10:33:24 -0700[diff] [blame]314 int err = ERR_get_error();
315 LOG_E("Failed to finalize digest: %d %s", err, ERR_error_string(err, NULL));
Shawn Willdenf90f2352014-12-18 23:01:15 -0700[diff] [blame^]316 return KM_ERROR_UNKNOWN_ERROR;
Shawn Willden61902362014-12-18 10:33:24 -0700[diff] [blame]317 }
318 assert(*digest_size == static_cast<unsigned>(EVP_MD_size(digest_algorithm_)));
Shawn Willdenf90f2352014-12-18 23:01:15 -0700[diff] [blame^]319 return KM_ERROR_OK;
Shawn Willden61902362014-12-18 10:33:24 -0700[diff] [blame]320}
321
Shawn Willden6bfbff02015-02-06 19:48:24 -0700[diff] [blame]322keymaster_error_t RsaSignOperation::Finish(const AuthorizationSet& /* additional_params */,
323 const Buffer& /* signature */, Buffer* output) {
Shawn Willdenb7361132014-12-08 08:15:14 -0700[diff] [blame]324 assert(output);
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]325 output->Reinitialize(RSA_size(rsa_key_));
Shawn Willdenf90f2352014-12-18 23:01:15 -0700[diff] [blame^]326 if (digest_ == KM_DIGEST_NONE)
327 return SignUndigested(output);
328 else
329 return SignDigested(output);
330}
Shawn Willden61902362014-12-18 10:33:24 -0700[diff] [blame]331
Shawn Willdenf90f2352014-12-18 23:01:15 -0700[diff] [blame^]332keymaster_error_t RsaSignOperation::SignUndigested(Buffer* output) {
333 int bytes_encrypted;
334 switch (padding_) {
335 case KM_PAD_NONE:
336 bytes_encrypted = RSA_private_encrypt(data_.available_read(), data_.peek_read(),
337 output->peek_write(), rsa_key_, RSA_NO_PADDING);
338 break;
339 case KM_PAD_RSA_PKCS1_1_5_SIGN:
340 bytes_encrypted = RSA_private_encrypt(data_.available_read(), data_.peek_read(),
341 output->peek_write(), rsa_key_, RSA_PKCS1_PADDING);
342 break;
343 default:
344 return KM_ERROR_UNSUPPORTED_PADDING_MODE;
345 }
Shawn Willden61902362014-12-18 10:33:24 -0700[diff] [blame]346
Shawn Willdenf90f2352014-12-18 23:01:15 -0700[diff] [blame^]347 if (bytes_encrypted <= 0)
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]348 return KM_ERROR_UNKNOWN_ERROR;
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]349 output->advance_write(bytes_encrypted);
350 return KM_ERROR_OK;
351}
352
Shawn Willdenf90f2352014-12-18 23:01:15 -0700[diff] [blame^]353keymaster_error_t RsaSignOperation::SignDigested(Buffer* output) {
354 unsigned digest_size = 0;
355 keymaster_error_t error = FinishDigest(&digest_size);
356 if (error != KM_ERROR_OK)
357 return error;
358
359 UniquePtr<uint8_t[]> padded_digest;
360 switch (padding_) {
361 case KM_PAD_NONE:
362 return PrivateEncrypt(digest_buf_, digest_size, RSA_NO_PADDING, output);
363 case KM_PAD_RSA_PKCS1_1_5_SIGN:
364 return PrivateEncrypt(digest_buf_, digest_size, RSA_PKCS1_PADDING, output);
365 case KM_PAD_RSA_PSS:
366 // OpenSSL doesn't verify that the key is large enough for the digest size. This can cause
367 // a segfault in some cases, and in others can result in a unsafely-small salt.
368 if (RSA_size(rsa_key_) < MIN_PSS_SALT_LEN + (int)digest_size)
369 return KM_ERROR_INCOMPATIBLE_DIGEST;
370
371 if ((error = PssPadDigest(&padded_digest)) != KM_ERROR_OK)
372 return error;
373 return PrivateEncrypt(padded_digest.get(), RSA_size(rsa_key_), RSA_NO_PADDING, output);
374 default:
375 return KM_ERROR_UNSUPPORTED_PADDING_MODE;
376 }
Shawn Willden61902362014-12-18 10:33:24 -0700[diff] [blame]377}
378
Shawn Willdenf90f2352014-12-18 23:01:15 -0700[diff] [blame^]379keymaster_error_t RsaSignOperation::PssPadDigest(UniquePtr<uint8_t[]>* padded_digest) {
380 padded_digest->reset(new uint8_t[RSA_size(rsa_key_)]);
381 if (!padded_digest->get())
382 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
383
384 if (!RSA_padding_add_PKCS1_PSS(rsa_key_, padded_digest->get(), digest_buf_, digest_algorithm_,
385 -2 /* Indicates maximum salt length */)) {
386 LOG_E("%s", "Failed to apply PSS padding");
Shawn Willden61902362014-12-18 10:33:24 -0700[diff] [blame]387 return KM_ERROR_UNKNOWN_ERROR;
Shawn Willdenf90f2352014-12-18 23:01:15 -0700[diff] [blame^]388 }
389 return KM_ERROR_OK;
390}
391
392keymaster_error_t RsaSignOperation::PrivateEncrypt(uint8_t* to_encrypt, size_t len,
393 int openssl_padding, Buffer* output) {
394 int bytes_encrypted =
395 RSA_private_encrypt(len, to_encrypt, output->peek_write(), rsa_key_, openssl_padding);
396 if (bytes_encrypted <= 0)
397 return KM_ERROR_UNKNOWN_ERROR;
398 output->advance_write(bytes_encrypted);
399 return KM_ERROR_OK;
Shawn Willden61902362014-12-18 10:33:24 -0700[diff] [blame]400}
401
Shawn Willden6bfbff02015-02-06 19:48:24 -0700[diff] [blame]402keymaster_error_t RsaVerifyOperation::Finish(const AuthorizationSet& /* additional_params */,
403 const Buffer& signature, Buffer* /* output */) {
Shawn Willdenf90f2352014-12-18 23:01:15 -0700[diff] [blame^]404 if (digest_ == KM_DIGEST_NONE)
405 return VerifyUndigested(signature);
406 else
407 return VerifyDigested(signature);
Shawn Willden61902362014-12-18 10:33:24 -0700[diff] [blame]408}
409
Shawn Willdenf90f2352014-12-18 23:01:15 -0700[diff] [blame^]410keymaster_error_t RsaVerifyOperation::VerifyUndigested(const Buffer& signature) {
411 return DecryptAndMatch(signature, data_.peek_read(), data_.available_read());
Shawn Willden61902362014-12-18 10:33:24 -0700[diff] [blame]412}
413
Shawn Willdenf90f2352014-12-18 23:01:15 -0700[diff] [blame^]414keymaster_error_t RsaVerifyOperation::VerifyDigested(const Buffer& signature) {
Shawn Willden61902362014-12-18 10:33:24 -0700[diff] [blame]415 unsigned digest_size = 0;
Shawn Willdenf90f2352014-12-18 23:01:15 -0700[diff] [blame^]416 keymaster_error_t error = FinishDigest(&digest_size);
417 if (error != KM_ERROR_OK)
418 return error;
419 return DecryptAndMatch(signature, digest_buf_, digest_size);
420}
Shawn Willden61902362014-12-18 10:33:24 -0700[diff] [blame]421
Shawn Willdenf90f2352014-12-18 23:01:15 -0700[diff] [blame^]422keymaster_error_t RsaVerifyOperation::DecryptAndMatch(const Buffer& signature,
423 const uint8_t* to_match, size_t len) {
424#ifdef OPENSSL_IS_BORINGSSL
425 size_t key_len = RSA_size(rsa_key_);
426#else
427 size_t key_len = (size_t)RSA_size(rsa_key_);
428#endif
429
430 int openssl_padding;
431 switch (padding_) {
432 case KM_PAD_NONE:
433 if (len != key_len)
434 return KM_ERROR_INVALID_INPUT_LENGTH;
435 if (len != signature.available_read())
436 return KM_ERROR_VERIFICATION_FAILED;
437 openssl_padding = RSA_NO_PADDING;
438 break;
439 case KM_PAD_RSA_PSS: // Do a raw decrypt for PSS
440 openssl_padding = RSA_NO_PADDING;
441 break;
442 case KM_PAD_RSA_PKCS1_1_5_SIGN:
443 openssl_padding = RSA_PKCS1_PADDING;
444 break;
445 default:
446 return KM_ERROR_UNSUPPORTED_PADDING_MODE;
447 }
448
449 UniquePtr<uint8_t[]> decrypted_data(new uint8_t[key_len]);
450 int bytes_decrypted = RSA_public_decrypt(signature.available_read(), signature.peek_read(),
451 decrypted_data.get(), rsa_key_, openssl_padding);
452 if (bytes_decrypted < 0)
453 return KM_ERROR_VERIFICATION_FAILED;
454
455 if (padding_ == KM_PAD_RSA_PSS &&
456 RSA_verify_PKCS1_PSS(rsa_key_, to_match, digest_algorithm_, decrypted_data.get(),
457 -2 /* salt length recovered from signature */))
458 return KM_ERROR_OK;
459 else if (padding_ != KM_PAD_RSA_PSS && memcmp_s(decrypted_data.get(), to_match, len) == 0)
Shawn Willden61902362014-12-18 10:33:24 -0700[diff] [blame]460 return KM_ERROR_OK;
461
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]462 return KM_ERROR_VERIFICATION_FAILED;
463}
464
Shawn Willden4200f212014-12-02 07:01:21 -0700[diff] [blame]465const int OAEP_PADDING_OVERHEAD = 41;
466const int PKCS1_PADDING_OVERHEAD = 11;
467
Shawn Willden6bfbff02015-02-06 19:48:24 -0700[diff] [blame]468keymaster_error_t RsaEncryptOperation::Finish(const AuthorizationSet& /* additional_params */,
469 const Buffer& /* signature */, Buffer* output) {
Shawn Willdenb7361132014-12-08 08:15:14 -0700[diff] [blame]470 assert(output);
Shawn Willden4200f212014-12-02 07:01:21 -0700[diff] [blame]471 int openssl_padding;
472
473#if defined(OPENSSL_IS_BORINGSSL)
Shawn Willdenf90f2352014-12-18 23:01:15 -0700[diff] [blame^]474 size_t key_len = RSA_size(rsa_key_);
Shawn Willden4200f212014-12-02 07:01:21 -0700[diff] [blame]475#else
Shawn Willdenf90f2352014-12-18 23:01:15 -0700[diff] [blame^]476 size_t key_len = (size_t)RSA_size(rsa_key_);
Shawn Willden4200f212014-12-02 07:01:21 -0700[diff] [blame]477#endif
478
Shawn Willdenf90f2352014-12-18 23:01:15 -0700[diff] [blame^]479 size_t message_size = data_.available_read();
Shawn Willden4200f212014-12-02 07:01:21 -0700[diff] [blame]480 switch (padding_) {
481 case KM_PAD_RSA_OAEP:
482 openssl_padding = RSA_PKCS1_OAEP_PADDING;
Shawn Willdenf90f2352014-12-18 23:01:15 -0700[diff] [blame^]483 if (message_size + OAEP_PADDING_OVERHEAD >= key_len) {
Shawn Willden567a4a02014-12-31 12:14:46 -0700[diff] [blame]484 LOG_E("Cannot encrypt %d bytes with %d-byte key and OAEP padding",
Shawn Willdenf90f2352014-12-18 23:01:15 -0700[diff] [blame^]485 data_.available_read(), key_len);
Shawn Willden4200f212014-12-02 07:01:21 -0700[diff] [blame]486 return KM_ERROR_INVALID_INPUT_LENGTH;
487 }
488 break;
489 case KM_PAD_RSA_PKCS1_1_5_ENCRYPT:
490 openssl_padding = RSA_PKCS1_PADDING;
Shawn Willdenf90f2352014-12-18 23:01:15 -0700[diff] [blame^]491 if (message_size + PKCS1_PADDING_OVERHEAD >= key_len) {
Shawn Willden567a4a02014-12-31 12:14:46 -0700[diff] [blame]492 LOG_E("Cannot encrypt %d bytes with %d-byte key and PKCS1 padding",
Shawn Willdenf90f2352014-12-18 23:01:15 -0700[diff] [blame^]493 data_.available_read(), key_len);
Shawn Willden4200f212014-12-02 07:01:21 -0700[diff] [blame]494 return KM_ERROR_INVALID_INPUT_LENGTH;
495 }
496 break;
497 default:
Shawn Willden567a4a02014-12-31 12:14:46 -0700[diff] [blame]498 LOG_E("Padding mode %d not supported", padding_);
Shawn Willden4200f212014-12-02 07:01:21 -0700[diff] [blame]499 return KM_ERROR_UNSUPPORTED_PADDING_MODE;
500 }
501
502 output->Reinitialize(RSA_size(rsa_key_));
503 int bytes_encrypted = RSA_public_encrypt(data_.available_read(), data_.peek_read(),
504 output->peek_write(), rsa_key_, openssl_padding);
505
506 if (bytes_encrypted < 0) {
Shawn Willden567a4a02014-12-31 12:14:46 -0700[diff] [blame]507 LOG_E("Error %d encrypting data with RSA", ERR_get_error());
Shawn Willden4200f212014-12-02 07:01:21 -0700[diff] [blame]508 return KM_ERROR_UNKNOWN_ERROR;
509 }
510 assert(bytes_encrypted == RSA_size(rsa_key_));
511 output->advance_write(bytes_encrypted);
512
513 return KM_ERROR_OK;
514}
515
Shawn Willden6bfbff02015-02-06 19:48:24 -0700[diff] [blame]516keymaster_error_t RsaDecryptOperation::Finish(const AuthorizationSet& /* additional_params */,
517 const Buffer& /* signature */, Buffer* output) {
Shawn Willdenb7361132014-12-08 08:15:14 -0700[diff] [blame]518 assert(output);
Shawn Willden4200f212014-12-02 07:01:21 -0700[diff] [blame]519 int openssl_padding;
520 switch (padding_) {
521 case KM_PAD_RSA_OAEP:
522 openssl_padding = RSA_PKCS1_OAEP_PADDING;
523 break;
524 case KM_PAD_RSA_PKCS1_1_5_ENCRYPT:
525 openssl_padding = RSA_PKCS1_PADDING;
526 break;
527 default:
Shawn Willden567a4a02014-12-31 12:14:46 -0700[diff] [blame]528 LOG_E("Padding mode %d not supported", padding_);
Shawn Willden4200f212014-12-02 07:01:21 -0700[diff] [blame]529 return KM_ERROR_UNSUPPORTED_PADDING_MODE;
530 }
531
532 output->Reinitialize(RSA_size(rsa_key_));
533 int bytes_decrypted = RSA_private_decrypt(data_.available_read(), data_.peek_read(),
534 output->peek_write(), rsa_key_, openssl_padding);
535
536 if (bytes_decrypted < 0) {
Shawn Willden567a4a02014-12-31 12:14:46 -0700[diff] [blame]537 LOG_E("Error %d decrypting data with RSA", ERR_get_error());
Shawn Willden4200f212014-12-02 07:01:21 -0700[diff] [blame]538 return KM_ERROR_UNKNOWN_ERROR;
539 }
540 output->advance_write(bytes_decrypted);
541
542 return KM_ERROR_OK;
543}
544
Shawn Willden0a4df7e2014-08-28 16:09:05 -0600[diff] [blame]545} // namespace keymaster