1 /*
2 * Copyright 2014 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include <keymaster/km_openssl/rsa_operation.h>
18
19 #include <limits.h>
20
21 #include <openssl/err.h>
22
23 #include <keymaster/km_openssl/openssl_err.h>
24 #include <keymaster/km_openssl/openssl_utils.h>
25 #include <keymaster/km_openssl/rsa_key.h>
26 #include <keymaster/logger.h>
27 #include <keymaster/new>
28
29 namespace keymaster {
30
31 const size_t kPssOverhead = 2;
32
33 // Overhead for PKCS#1 v1.5 signature padding of undigested messages. Digested messages have
34 // additional overhead, for the digest algorithmIdentifier required by PKCS#1.
35 const size_t kPkcs1UndigestedSignaturePaddingOverhead = 11;
36
37 /* static */
GetRsaKey(Key && key,keymaster_error_t * error)38 EVP_PKEY* RsaOperationFactory::GetRsaKey(Key&& key, keymaster_error_t* error) {
39 const RsaKey& rsa_key = static_cast<RsaKey&>(key);
40 if (!rsa_key.key()) {
41 *error = KM_ERROR_UNKNOWN_ERROR;
42 return nullptr;
43 }
44
45 UniquePtr<EVP_PKEY, EVP_PKEY_Delete> pkey(EVP_PKEY_new());
46 if (!rsa_key.InternalToEvp(pkey.get())) {
47 *error = KM_ERROR_UNKNOWN_ERROR;
48 return nullptr;
49 }
50 return pkey.release();
51 }
52
53 static const keymaster_digest_t supported_digests[] = {
54 KM_DIGEST_NONE, KM_DIGEST_MD5, KM_DIGEST_SHA1, KM_DIGEST_SHA_2_224,
55 KM_DIGEST_SHA_2_256, KM_DIGEST_SHA_2_384, KM_DIGEST_SHA_2_512};
56
SupportedDigests(size_t * digest_count) const57 const keymaster_digest_t* RsaOperationFactory::SupportedDigests(size_t* digest_count) const {
58 *digest_count = array_length(supported_digests);
59 return supported_digests;
60 }
61
CreateRsaOperation(Key && key,const AuthorizationSet & begin_params,keymaster_error_t * error) const62 RsaOperation* RsaOperationFactory::CreateRsaOperation(Key&& key,
63 const AuthorizationSet& begin_params,
64 keymaster_error_t* error) const {
65 keymaster_padding_t padding;
66 if (!GetAndValidatePadding(begin_params, key, &padding, error)) return nullptr;
67
68 bool require_digest = (purpose() == KM_PURPOSE_SIGN || purpose() == KM_PURPOSE_VERIFY ||
69 padding == KM_PAD_RSA_OAEP);
70
71 keymaster_digest_t digest = KM_DIGEST_NONE;
72 if (require_digest && !GetAndValidateDigest(begin_params, key, &digest, error)) return nullptr;
73
74 UniquePtr<EVP_PKEY, EVP_PKEY_Delete> rsa(GetRsaKey(move(key), error));
75 if (!rsa.get()) return nullptr;
76
77 RsaOperation* op = InstantiateOperation(key.hw_enforced_move(), key.sw_enforced_move(), digest,
78 padding, rsa.release());
79 if (!op) *error = KM_ERROR_MEMORY_ALLOCATION_FAILED;
80 return op;
81 }
82
83 static const keymaster_padding_t supported_sig_padding[] = {KM_PAD_NONE, KM_PAD_RSA_PKCS1_1_5_SIGN,
84 KM_PAD_RSA_PSS};
85 const keymaster_padding_t*
SupportedPaddingModes(size_t * padding_mode_count) const86 RsaDigestingOperationFactory::SupportedPaddingModes(size_t* padding_mode_count) const {
87 *padding_mode_count = array_length(supported_sig_padding);
88 return supported_sig_padding;
89 }
90
CreateRsaOperation(Key && key,const AuthorizationSet & begin_params,keymaster_error_t * error) const91 RsaOperation* RsaCryptingOperationFactory::CreateRsaOperation(Key&& key,
92 const AuthorizationSet& begin_params,
93 keymaster_error_t* error) const {
94 UniquePtr<RsaOperation> op(
95 RsaOperationFactory::CreateRsaOperation(move(key), begin_params, error));
96 if (op.get()) {
97 switch (op->padding()) {
98 case KM_PAD_NONE:
99 case KM_PAD_RSA_PKCS1_1_5_ENCRYPT:
100 if (op->digest() != KM_DIGEST_NONE) {
101 *error = KM_ERROR_INCOMPATIBLE_DIGEST;
102 return nullptr;
103 }
104 break;
105
106 case KM_PAD_RSA_OAEP:
107 if (op->digest() == KM_DIGEST_NONE) {
108 *error = KM_ERROR_INCOMPATIBLE_DIGEST;
109 return nullptr;
110 }
111 break;
112
113 default:
114 *error = KM_ERROR_UNSUPPORTED_PADDING_MODE;
115 return nullptr;
116 }
117 }
118 return op.release();
119 }
120
121 static const keymaster_padding_t supported_crypt_padding[] = {KM_PAD_NONE, KM_PAD_RSA_OAEP,
122 KM_PAD_RSA_PKCS1_1_5_ENCRYPT};
123 const keymaster_padding_t*
SupportedPaddingModes(size_t * padding_mode_count) const124 RsaCryptingOperationFactory::SupportedPaddingModes(size_t* padding_mode_count) const {
125 *padding_mode_count = array_length(supported_crypt_padding);
126 return supported_crypt_padding;
127 }
128
~RsaOperation()129 RsaOperation::~RsaOperation() {
130 if (rsa_key_ != nullptr)
131 EVP_PKEY_free(rsa_key_);
132 }
133
Begin(const AuthorizationSet &,AuthorizationSet *)134 keymaster_error_t RsaOperation::Begin(const AuthorizationSet& /* input_params */,
135 AuthorizationSet* /* output_params */) {
136 auto rc = GenerateRandom(reinterpret_cast<uint8_t*>(&operation_handle_),
137 (size_t)sizeof(operation_handle_));
138 if (rc != KM_ERROR_OK) return rc;
139
140 return InitDigest();
141 }
142
Update(const AuthorizationSet &,const Buffer & input,AuthorizationSet *,Buffer *,size_t * input_consumed)143 keymaster_error_t RsaOperation::Update(const AuthorizationSet& /* additional_params */,
144 const Buffer& input, AuthorizationSet* /* output_params */,
145 Buffer* /* output */, size_t* input_consumed) {
146 assert(input_consumed);
147 switch (purpose()) {
148 default:
149 return KM_ERROR_UNIMPLEMENTED;
150 case KM_PURPOSE_SIGN:
151 case KM_PURPOSE_VERIFY:
152 case KM_PURPOSE_ENCRYPT:
153 case KM_PURPOSE_DECRYPT:
154 return StoreData(input, input_consumed);
155 }
156 }
157
StoreData(const Buffer & input,size_t * input_consumed)158 keymaster_error_t RsaOperation::StoreData(const Buffer& input, size_t* input_consumed) {
159 assert(input_consumed);
160
161 if (!data_.reserve(EVP_PKEY_size(rsa_key_)))
162 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
163 // If the write fails, it's because input length exceeds key size.
164 if (!data_.write(input.peek_read(), input.available_read())) {
165 LOG_E("Input too long: cannot operate on %u bytes of data with %u-byte RSA key",
166 input.available_read() + data_.available_read(), EVP_PKEY_size(rsa_key_));
167 return KM_ERROR_INVALID_INPUT_LENGTH;
168 }
169
170 *input_consumed = input.available_read();
171 return KM_ERROR_OK;
172 }
173
SetRsaPaddingInEvpContext(EVP_PKEY_CTX * pkey_ctx,bool signing)174 keymaster_error_t RsaOperation::SetRsaPaddingInEvpContext(EVP_PKEY_CTX* pkey_ctx, bool signing) {
175 keymaster_error_t error;
176 int openssl_padding = GetOpensslPadding(&error);
177 if (error != KM_ERROR_OK)
178 return error;
179
180 if (EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, openssl_padding) <= 0)
181 return TranslateLastOpenSslError();
182
183 if (signing && openssl_padding == RSA_PKCS1_PSS_PADDING) {
184 // Also need to set the length of the salt used in the padding generation. We set it equal
185 // to the length of the selected digest.
186 assert(digest_algorithm_);
187 if (EVP_PKEY_CTX_set_rsa_pss_saltlen(pkey_ctx, EVP_MD_size(digest_algorithm_)) <= 0)
188 return TranslateLastOpenSslError();
189 }
190
191 return KM_ERROR_OK;
192 }
193
InitDigest()194 keymaster_error_t RsaOperation::InitDigest() {
195 if (digest_ == KM_DIGEST_NONE) {
196 if (require_digest())
197 return KM_ERROR_INCOMPATIBLE_DIGEST;
198 return KM_ERROR_OK;
199 }
200
201 switch (digest_) {
202 case KM_DIGEST_NONE:
203 return KM_ERROR_OK;
204 case KM_DIGEST_MD5:
205 digest_algorithm_ = EVP_md5();
206 return KM_ERROR_OK;
207 case KM_DIGEST_SHA1:
208 digest_algorithm_ = EVP_sha1();
209 return KM_ERROR_OK;
210 case KM_DIGEST_SHA_2_224:
211 digest_algorithm_ = EVP_sha224();
212 return KM_ERROR_OK;
213 case KM_DIGEST_SHA_2_256:
214 digest_algorithm_ = EVP_sha256();
215 return KM_ERROR_OK;
216 case KM_DIGEST_SHA_2_384:
217 digest_algorithm_ = EVP_sha384();
218 return KM_ERROR_OK;
219 case KM_DIGEST_SHA_2_512:
220 digest_algorithm_ = EVP_sha512();
221 return KM_ERROR_OK;
222 default:
223 return KM_ERROR_UNSUPPORTED_DIGEST;
224 }
225 }
226
RsaDigestingOperation(AuthorizationSet && hw_enforced,AuthorizationSet && sw_enforced,keymaster_purpose_t purpose,keymaster_digest_t digest,keymaster_padding_t padding,EVP_PKEY * key)227 RsaDigestingOperation::RsaDigestingOperation(AuthorizationSet&& hw_enforced,
228 AuthorizationSet&& sw_enforced,
229 keymaster_purpose_t purpose, keymaster_digest_t digest,
230 keymaster_padding_t padding, EVP_PKEY* key)
231 : RsaOperation(move(hw_enforced), move(sw_enforced), purpose, digest, padding, key) {
232 EVP_MD_CTX_init(&digest_ctx_);
233 }
~RsaDigestingOperation()234 RsaDigestingOperation::~RsaDigestingOperation() {
235 EVP_MD_CTX_cleanup(&digest_ctx_);
236 }
237
GetOpensslPadding(keymaster_error_t * error)238 int RsaDigestingOperation::GetOpensslPadding(keymaster_error_t* error) {
239 *error = KM_ERROR_OK;
240 switch (padding_) {
241 case KM_PAD_NONE:
242 return RSA_NO_PADDING;
243 case KM_PAD_RSA_PKCS1_1_5_SIGN:
244 return RSA_PKCS1_PADDING;
245 case KM_PAD_RSA_PSS:
246 if (digest_ == KM_DIGEST_NONE) {
247 *error = KM_ERROR_INCOMPATIBLE_PADDING_MODE;
248 return -1;
249 }
250 if (EVP_MD_size(digest_algorithm_) * 2 + kPssOverhead > (size_t)EVP_PKEY_size(rsa_key_)) {
251 LOG_E("Input too long: %d-byte digest cannot be used with %d-byte RSA key in PSS "
252 "padding mode",
253 EVP_MD_size(digest_algorithm_), EVP_PKEY_size(rsa_key_));
254 *error = KM_ERROR_INCOMPATIBLE_DIGEST;
255 return -1;
256 }
257 return RSA_PKCS1_PSS_PADDING;
258 default:
259 return -1;
260 }
261 }
262
Begin(const AuthorizationSet & input_params,AuthorizationSet * output_params)263 keymaster_error_t RsaSignOperation::Begin(const AuthorizationSet& input_params,
264 AuthorizationSet* output_params) {
265 keymaster_error_t error = RsaDigestingOperation::Begin(input_params, output_params);
266 if (error != KM_ERROR_OK)
267 return error;
268
269 if (digest_ == KM_DIGEST_NONE)
270 return KM_ERROR_OK;
271
272 EVP_PKEY_CTX* pkey_ctx;
273 if (EVP_DigestSignInit(&digest_ctx_, &pkey_ctx, digest_algorithm_, nullptr /* engine */,
274 rsa_key_) != 1)
275 return TranslateLastOpenSslError();
276 return SetRsaPaddingInEvpContext(pkey_ctx, true /* signing */);
277 }
278
Update(const AuthorizationSet & additional_params,const Buffer & input,AuthorizationSet * output_params,Buffer * output,size_t * input_consumed)279 keymaster_error_t RsaSignOperation::Update(const AuthorizationSet& additional_params,
280 const Buffer& input, AuthorizationSet* output_params,
281 Buffer* output, size_t* input_consumed) {
282 if (digest_ == KM_DIGEST_NONE)
283 // Just buffer the data.
284 return RsaOperation::Update(additional_params, input, output_params, output,
285 input_consumed);
286
287 if (EVP_DigestSignUpdate(&digest_ctx_, input.peek_read(), input.available_read()) != 1)
288 return TranslateLastOpenSslError();
289 *input_consumed = input.available_read();
290 return KM_ERROR_OK;
291 }
292
Finish(const AuthorizationSet & additional_params,const Buffer & input,const Buffer &,AuthorizationSet *,Buffer * output)293 keymaster_error_t RsaSignOperation::Finish(const AuthorizationSet& additional_params,
294 const Buffer& input, const Buffer& /* signature */,
295 AuthorizationSet* /* output_params */, Buffer* output) {
296 assert(output);
297
298 keymaster_error_t error = UpdateForFinish(additional_params, input);
299 if (error != KM_ERROR_OK)
300 return error;
301
302 if (digest_ == KM_DIGEST_NONE)
303 return SignUndigested(output);
304 else
305 return SignDigested(output);
306 }
307
zero_pad_left(UniquePtr<uint8_t[]> * dest,size_t padded_len,Buffer & src)308 static keymaster_error_t zero_pad_left(UniquePtr<uint8_t[]>* dest, size_t padded_len, Buffer& src) {
309 assert(padded_len > src.available_read());
310
311 dest->reset(new(std::nothrow) uint8_t[padded_len]);
312 if (!dest->get())
313 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
314
315 size_t padding_len = padded_len - src.available_read();
316 memset(dest->get(), 0, padding_len);
317 if (!src.read(dest->get() + padding_len, src.available_read()))
318 return KM_ERROR_UNKNOWN_ERROR;
319
320 return KM_ERROR_OK;
321 }
322
SignUndigested(Buffer * output)323 keymaster_error_t RsaSignOperation::SignUndigested(Buffer* output) {
324 UniquePtr<RSA, RSA_Delete> rsa(EVP_PKEY_get1_RSA(const_cast<EVP_PKEY*>(rsa_key_)));
325 if (!rsa.get())
326 return TranslateLastOpenSslError();
327
328 if (!output->Reinitialize(RSA_size(rsa.get())))
329 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
330
331 size_t key_len = EVP_PKEY_size(rsa_key_);
332 int bytes_encrypted;
333 switch (padding_) {
334 case KM_PAD_NONE: {
335 const uint8_t* to_encrypt = data_.peek_read();
336 UniquePtr<uint8_t[]> zero_padded;
337 if (data_.available_read() > key_len) {
338 return KM_ERROR_INVALID_INPUT_LENGTH;
339 } else if (data_.available_read() < key_len) {
340 keymaster_error_t error = zero_pad_left(&zero_padded, key_len, data_);
341 if (error != KM_ERROR_OK)
342 return error;
343 to_encrypt = zero_padded.get();
344 }
345 bytes_encrypted = RSA_private_encrypt(key_len, to_encrypt, output->peek_write(), rsa.get(),
346 RSA_NO_PADDING);
347 break;
348 }
349 case KM_PAD_RSA_PKCS1_1_5_SIGN:
350 // Does PKCS1 padding without digesting even make sense? Dunno. We'll support it.
351 if (data_.available_read() + kPkcs1UndigestedSignaturePaddingOverhead > key_len) {
352 LOG_E("Input too long: cannot sign %u-byte message with PKCS1 padding with %u-bit key",
353 data_.available_read(), EVP_PKEY_size(rsa_key_) * 8);
354 return KM_ERROR_INVALID_INPUT_LENGTH;
355 }
356 bytes_encrypted = RSA_private_encrypt(data_.available_read(), data_.peek_read(),
357 output->peek_write(), rsa.get(), RSA_PKCS1_PADDING);
358 break;
359
360 default:
361 return KM_ERROR_UNSUPPORTED_PADDING_MODE;
362 }
363
364 if (bytes_encrypted <= 0)
365 return TranslateLastOpenSslError();
366 if (!output->advance_write(bytes_encrypted))
367 return KM_ERROR_UNKNOWN_ERROR;
368 return KM_ERROR_OK;
369 }
370
SignDigested(Buffer * output)371 keymaster_error_t RsaSignOperation::SignDigested(Buffer* output) {
372 size_t siglen;
373 if (EVP_DigestSignFinal(&digest_ctx_, nullptr /* signature */, &siglen) != 1)
374 return TranslateLastOpenSslError();
375
376 if (!output->Reinitialize(siglen))
377 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
378
379 if (EVP_DigestSignFinal(&digest_ctx_, output->peek_write(), &siglen) <= 0)
380 return TranslateLastOpenSslError();
381 if (!output->advance_write(siglen))
382 return KM_ERROR_UNKNOWN_ERROR;
383
384 return KM_ERROR_OK;
385 }
386
Begin(const AuthorizationSet & input_params,AuthorizationSet * output_params)387 keymaster_error_t RsaVerifyOperation::Begin(const AuthorizationSet& input_params,
388 AuthorizationSet* output_params) {
389 keymaster_error_t error = RsaDigestingOperation::Begin(input_params, output_params);
390 if (error != KM_ERROR_OK)
391 return error;
392
393 if (digest_ == KM_DIGEST_NONE)
394 return KM_ERROR_OK;
395
396 EVP_PKEY_CTX* pkey_ctx;
397 if (EVP_DigestVerifyInit(&digest_ctx_, &pkey_ctx, digest_algorithm_, nullptr, rsa_key_) != 1)
398 return TranslateLastOpenSslError();
399 return SetRsaPaddingInEvpContext(pkey_ctx, false /* signing */);
400 }
401
Update(const AuthorizationSet & additional_params,const Buffer & input,AuthorizationSet * output_params,Buffer * output,size_t * input_consumed)402 keymaster_error_t RsaVerifyOperation::Update(const AuthorizationSet& additional_params,
403 const Buffer& input, AuthorizationSet* output_params,
404 Buffer* output, size_t* input_consumed) {
405 if (digest_ == KM_DIGEST_NONE)
406 // Just buffer the data.
407 return RsaOperation::Update(additional_params, input, output_params, output,
408 input_consumed);
409
410 if (EVP_DigestVerifyUpdate(&digest_ctx_, input.peek_read(), input.available_read()) != 1)
411 return TranslateLastOpenSslError();
412 *input_consumed = input.available_read();
413 return KM_ERROR_OK;
414 }
415
Finish(const AuthorizationSet & additional_params,const Buffer & input,const Buffer & signature,AuthorizationSet *,Buffer *)416 keymaster_error_t RsaVerifyOperation::Finish(const AuthorizationSet& additional_params,
417 const Buffer& input, const Buffer& signature,
418 AuthorizationSet* /* output_params */,
419 Buffer* /* output */) {
420 keymaster_error_t error = UpdateForFinish(additional_params, input);
421 if (error != KM_ERROR_OK)
422 return error;
423
424 if (digest_ == KM_DIGEST_NONE)
425 return VerifyUndigested(signature);
426 else
427 return VerifyDigested(signature);
428 }
429
VerifyUndigested(const Buffer & signature)430 keymaster_error_t RsaVerifyOperation::VerifyUndigested(const Buffer& signature) {
431 UniquePtr<RSA, RSA_Delete> rsa(EVP_PKEY_get1_RSA(const_cast<EVP_PKEY*>(rsa_key_)));
432 if (!rsa.get())
433 return KM_ERROR_UNKNOWN_ERROR;
434
435 size_t key_len = RSA_size(rsa.get());
436 int openssl_padding;
437 switch (padding_) {
438 case KM_PAD_NONE:
439 if (data_.available_read() > key_len)
440 return KM_ERROR_INVALID_INPUT_LENGTH;
441 if (key_len != signature.available_read())
442 return KM_ERROR_VERIFICATION_FAILED;
443 openssl_padding = RSA_NO_PADDING;
444 break;
445 case KM_PAD_RSA_PKCS1_1_5_SIGN:
446 if (data_.available_read() + kPkcs1UndigestedSignaturePaddingOverhead > key_len) {
447 LOG_E("Input too long: cannot verify %u-byte message with PKCS1 padding && %u-bit key",
448 data_.available_read(), key_len * 8);
449 return KM_ERROR_INVALID_INPUT_LENGTH;
450 }
451 openssl_padding = RSA_PKCS1_PADDING;
452 break;
453 default:
454 return KM_ERROR_UNSUPPORTED_PADDING_MODE;
455 }
456
457 UniquePtr<uint8_t[]> decrypted_data(new (std::nothrow) uint8_t[key_len]);
458 if (!decrypted_data.get())
459 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
460 int bytes_decrypted = RSA_public_decrypt(signature.available_read(), signature.peek_read(),
461 decrypted_data.get(), rsa.get(), openssl_padding);
462 if (bytes_decrypted < 0)
463 return KM_ERROR_VERIFICATION_FAILED;
464
465 const uint8_t* compare_pos = decrypted_data.get();
466 size_t bytes_to_compare = bytes_decrypted;
467 uint8_t zero_check_result = 0;
468 if (padding_ == KM_PAD_NONE && data_.available_read() < bytes_to_compare) {
469 // If the data is short, for "unpadded" signing we zero-pad to the left. So during
470 // verification we should have zeros on the left of the decrypted data. Do a constant-time
471 // check.
472 const uint8_t* zero_end = compare_pos + bytes_to_compare - data_.available_read();
473 while (compare_pos < zero_end)
474 zero_check_result |= *compare_pos++;
475 bytes_to_compare = data_.available_read();
476 }
477 if (memcmp_s(compare_pos, data_.peek_read(), bytes_to_compare) != 0 || zero_check_result != 0)
478 return KM_ERROR_VERIFICATION_FAILED;
479 return KM_ERROR_OK;
480 }
481
VerifyDigested(const Buffer & signature)482 keymaster_error_t RsaVerifyOperation::VerifyDigested(const Buffer& signature) {
483 if (!EVP_DigestVerifyFinal(&digest_ctx_, signature.peek_read(), signature.available_read()))
484 return KM_ERROR_VERIFICATION_FAILED;
485 return KM_ERROR_OK;
486 }
487
SetOaepDigestIfRequired(EVP_PKEY_CTX * pkey_ctx)488 keymaster_error_t RsaCryptOperation::SetOaepDigestIfRequired(EVP_PKEY_CTX* pkey_ctx) {
489 if (padding() != KM_PAD_RSA_OAEP)
490 return KM_ERROR_OK;
491
492 assert(digest_algorithm_ != nullptr);
493 if (!EVP_PKEY_CTX_set_rsa_oaep_md(pkey_ctx, digest_algorithm_))
494 return TranslateLastOpenSslError();
495
496 // MGF1 MD is always SHA1.
497 if (!EVP_PKEY_CTX_set_rsa_mgf1_md(pkey_ctx, EVP_sha1()))
498 return TranslateLastOpenSslError();
499
500 return KM_ERROR_OK;
501 }
502
GetOpensslPadding(keymaster_error_t * error)503 int RsaCryptOperation::GetOpensslPadding(keymaster_error_t* error) {
504 *error = KM_ERROR_OK;
505 switch (padding_) {
506 case KM_PAD_NONE:
507 return RSA_NO_PADDING;
508 case KM_PAD_RSA_PKCS1_1_5_ENCRYPT:
509 return RSA_PKCS1_PADDING;
510 case KM_PAD_RSA_OAEP:
511 return RSA_PKCS1_OAEP_PADDING;
512 default:
513 return -1;
514 }
515 }
516
517 struct EVP_PKEY_CTX_Delete {
operator ()keymaster::EVP_PKEY_CTX_Delete518 void operator()(EVP_PKEY_CTX* p) { EVP_PKEY_CTX_free(p); }
519 };
520
Finish(const AuthorizationSet & additional_params,const Buffer & input,const Buffer &,AuthorizationSet *,Buffer * output)521 keymaster_error_t RsaEncryptOperation::Finish(const AuthorizationSet& additional_params,
522 const Buffer& input, const Buffer& /* signature */,
523 AuthorizationSet* /* output_params */,
524 Buffer* output) {
525 if (!output)
526 return KM_ERROR_OUTPUT_PARAMETER_NULL;
527
528 keymaster_error_t error = UpdateForFinish(additional_params, input);
529 if (error != KM_ERROR_OK)
530 return error;
531
532 UniquePtr<EVP_PKEY_CTX, EVP_PKEY_CTX_Delete> ctx(
533 EVP_PKEY_CTX_new(rsa_key_, nullptr /* engine */));
534 if (!ctx.get())
535 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
536
537 if (EVP_PKEY_encrypt_init(ctx.get()) <= 0)
538 return TranslateLastOpenSslError();
539
540 error = SetRsaPaddingInEvpContext(ctx.get(), false /* signing */);
541 if (error != KM_ERROR_OK)
542 return error;
543 error = SetOaepDigestIfRequired(ctx.get());
544 if (error != KM_ERROR_OK)
545 return error;
546
547 size_t outlen;
548 if (EVP_PKEY_encrypt(ctx.get(), nullptr /* out */, &outlen, data_.peek_read(),
549 data_.available_read()) <= 0)
550 return TranslateLastOpenSslError();
551
552 if (!output->Reinitialize(outlen))
553 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
554
555 const uint8_t* to_encrypt = data_.peek_read();
556 size_t to_encrypt_len = data_.available_read();
557 UniquePtr<uint8_t[]> zero_padded;
558 if (padding_ == KM_PAD_NONE && to_encrypt_len < outlen) {
559 keymaster_error_t error = zero_pad_left(&zero_padded, outlen, data_);
560 if (error != KM_ERROR_OK)
561 return error;
562 to_encrypt = zero_padded.get();
563 to_encrypt_len = outlen;
564 }
565
566 if (EVP_PKEY_encrypt(ctx.get(), output->peek_write(), &outlen, to_encrypt, to_encrypt_len) <= 0)
567 return TranslateLastOpenSslError();
568 if (!output->advance_write(outlen))
569 return KM_ERROR_UNKNOWN_ERROR;
570
571 return KM_ERROR_OK;
572 }
573
Finish(const AuthorizationSet & additional_params,const Buffer & input,const Buffer &,AuthorizationSet *,Buffer * output)574 keymaster_error_t RsaDecryptOperation::Finish(const AuthorizationSet& additional_params,
575 const Buffer& input, const Buffer& /* signature */,
576 AuthorizationSet* /* output_params */,
577 Buffer* output) {
578 if (!output)
579 return KM_ERROR_OUTPUT_PARAMETER_NULL;
580
581 keymaster_error_t error = UpdateForFinish(additional_params, input);
582 if (error != KM_ERROR_OK)
583 return error;
584
585 UniquePtr<EVP_PKEY_CTX, EVP_PKEY_CTX_Delete> ctx(
586 EVP_PKEY_CTX_new(rsa_key_, nullptr /* engine */));
587 if (!ctx.get())
588 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
589
590 if (EVP_PKEY_decrypt_init(ctx.get()) <= 0)
591 return TranslateLastOpenSslError();
592
593 error = SetRsaPaddingInEvpContext(ctx.get(), false /* signing */);
594 if (error != KM_ERROR_OK)
595 return error;
596 error = SetOaepDigestIfRequired(ctx.get());
597 if (error != KM_ERROR_OK)
598 return error;
599
600 size_t outlen;
601 if (EVP_PKEY_decrypt(ctx.get(), nullptr /* out */, &outlen, data_.peek_read(),
602 data_.available_read()) <= 0)
603 return TranslateLastOpenSslError();
604
605 if (!output->Reinitialize(outlen))
606 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
607
608 const uint8_t* to_decrypt = data_.peek_read();
609 size_t to_decrypt_len = data_.available_read();
610 UniquePtr<uint8_t[]> zero_padded;
611 if (padding_ == KM_PAD_NONE && to_decrypt_len < outlen) {
612 keymaster_error_t error = zero_pad_left(&zero_padded, outlen, data_);
613 if (error != KM_ERROR_OK)
614 return error;
615 to_decrypt = zero_padded.get();
616 to_decrypt_len = outlen;
617 }
618
619 if (EVP_PKEY_decrypt(ctx.get(), output->peek_write(), &outlen, to_decrypt, to_decrypt_len) <= 0)
620 return TranslateLastOpenSslError();
621 if (!output->advance_write(outlen))
622 return KM_ERROR_UNKNOWN_ERROR;
623
624 return KM_ERROR_OK;
625 }
626
627 } // namespace keymaster
628