1 /*
2 * Copyright 2015 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include <keymaster/km_openssl/openssl_utils.h>
18
19 #include <keymaster/android_keymaster_utils.h>
20 #include <openssl/mem.h>
21 #include <openssl/rand.h>
22
23 #include <keymaster/km_openssl/openssl_err.h>
24
25 namespace keymaster {
26
27 constexpr uint32_t kAffinePointLength = 32;
28
ec_get_group_size(const EC_GROUP * group,size_t * key_size_bits)29 keymaster_error_t ec_get_group_size(const EC_GROUP* group, size_t* key_size_bits) {
30 switch (EC_GROUP_get_curve_name(group)) {
31 case NID_secp224r1:
32 *key_size_bits = 224;
33 break;
34 case NID_X9_62_prime256v1:
35 *key_size_bits = 256;
36 break;
37 case NID_secp384r1:
38 *key_size_bits = 384;
39 break;
40 case NID_secp521r1:
41 *key_size_bits = 521;
42 break;
43 default:
44 return KM_ERROR_UNSUPPORTED_EC_FIELD;
45 }
46 return KM_ERROR_OK;
47 }
48
ec_get_group(keymaster_ec_curve_t curve)49 EC_GROUP* ec_get_group(keymaster_ec_curve_t curve) {
50 switch (curve) {
51 case KM_EC_CURVE_P_224:
52 return EC_GROUP_new_by_curve_name(NID_secp224r1);
53 break;
54 case KM_EC_CURVE_P_256:
55 return EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1);
56 break;
57 case KM_EC_CURVE_P_384:
58 return EC_GROUP_new_by_curve_name(NID_secp384r1);
59 break;
60 case KM_EC_CURVE_P_521:
61 return EC_GROUP_new_by_curve_name(NID_secp521r1);
62 break;
63 default:
64 return nullptr;
65 break;
66 }
67 }
68
convert_pkcs8_blob_to_evp(const uint8_t * key_data,size_t key_length,keymaster_algorithm_t expected_algorithm,UniquePtr<EVP_PKEY,EVP_PKEY_Delete> * pkey)69 keymaster_error_t convert_pkcs8_blob_to_evp(const uint8_t* key_data, size_t key_length,
70 keymaster_algorithm_t expected_algorithm,
71 UniquePtr<EVP_PKEY, EVP_PKEY_Delete>* pkey) {
72 if (key_data == nullptr || key_length <= 0) return KM_ERROR_INVALID_KEY_BLOB;
73
74 UniquePtr<PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO_Delete> pkcs8(
75 d2i_PKCS8_PRIV_KEY_INFO(nullptr, &key_data, key_length));
76 if (pkcs8.get() == nullptr) return TranslateLastOpenSslError(true /* log_message */);
77
78 pkey->reset(EVP_PKCS82PKEY(pkcs8.get()));
79 if (!pkey->get()) return TranslateLastOpenSslError(true /* log_message */);
80
81 // Check the key type detected from the PKCS8 blob matches the KM algorithm we expect.
82 keymaster_algorithm_t got_algorithm;
83 switch (EVP_PKEY_id(pkey->get())) {
84 case EVP_PKEY_RSA:
85 got_algorithm = KM_ALGORITHM_RSA;
86 break;
87 case EVP_PKEY_EC:
88 case EVP_PKEY_ED25519:
89 case EVP_PKEY_X25519:
90 got_algorithm = KM_ALGORITHM_EC;
91 break;
92 default:
93 LOG_E("EVP key algorithm was unknown (type %d), not the expected %d",
94 EVP_PKEY_id(pkey->get()), expected_algorithm);
95 return KM_ERROR_INVALID_KEY_BLOB;
96 }
97
98 if (expected_algorithm != got_algorithm) {
99 LOG_E("EVP key algorithm was %d (from type %d), not the expected %d", got_algorithm,
100 EVP_PKEY_id(pkey->get()), expected_algorithm);
101 return KM_ERROR_INVALID_KEY_BLOB;
102 }
103
104 return KM_ERROR_OK;
105 }
106
KeyMaterialToEvpKey(keymaster_key_format_t key_format,const KeymasterKeyBlob & key_material,keymaster_algorithm_t expected_algorithm,EVP_PKEY_Ptr * pkey)107 keymaster_error_t KeyMaterialToEvpKey(keymaster_key_format_t key_format,
108 const KeymasterKeyBlob& key_material,
109 keymaster_algorithm_t expected_algorithm,
110 EVP_PKEY_Ptr* pkey) {
111 if (key_format != KM_KEY_FORMAT_PKCS8) return KM_ERROR_UNSUPPORTED_KEY_FORMAT;
112
113 return convert_pkcs8_blob_to_evp(key_material.key_material, key_material.key_material_size,
114 expected_algorithm, pkey);
115 }
116
EvpKeyToKeyMaterial(const EVP_PKEY * pkey,KeymasterKeyBlob * key_blob)117 keymaster_error_t EvpKeyToKeyMaterial(const EVP_PKEY* pkey, KeymasterKeyBlob* key_blob) {
118 switch (EVP_PKEY_id(pkey)) {
119 case EVP_PKEY_ED25519:
120 case EVP_PKEY_X25519: {
121 // BoringSSL's i2d_PrivateKey does not handle curve 25519 keys.
122 uint8_t* data = nullptr;
123 size_t data_len;
124 CBB cbb;
125 if (!CBB_init(&cbb, 0) || !EVP_marshal_private_key(&cbb, pkey) ||
126 !CBB_finish(&cbb, &data, &data_len)) {
127 CBB_cleanup(&cbb);
128 OPENSSL_free(data);
129 return KM_ERROR_UNKNOWN_ERROR;
130 }
131
132 if (!key_blob->Reset(data_len)) {
133 OPENSSL_free(data);
134 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
135 }
136 memcpy(key_blob->writable_data(), data, data_len);
137 OPENSSL_free(data);
138 break;
139 }
140 default: {
141 int key_data_size = i2d_PrivateKey(pkey, nullptr /* key_data*/);
142 if (key_data_size <= 0) return TranslateLastOpenSslError();
143
144 if (!key_blob->Reset(key_data_size)) return KM_ERROR_MEMORY_ALLOCATION_FAILED;
145
146 uint8_t* tmp = key_blob->writable_data();
147 i2d_PrivateKey(pkey, &tmp);
148 break;
149 }
150 }
151
152 return KM_ERROR_OK;
153 }
154
155 // Remote provisioning helper function
GetEcdsa256KeyFromCert(const keymaster_blob_t * km_cert,uint8_t * x_coord,size_t x_length,uint8_t * y_coord,size_t y_length)156 keymaster_error_t GetEcdsa256KeyFromCert(const keymaster_blob_t* km_cert, uint8_t* x_coord,
157 size_t x_length, uint8_t* y_coord, size_t y_length) {
158 if (km_cert == nullptr || x_coord == nullptr || y_coord == nullptr) {
159 return KM_ERROR_UNEXPECTED_NULL_POINTER;
160 }
161 if (x_length != kAffinePointLength || y_length != kAffinePointLength) {
162 return KM_ERROR_INVALID_ARGUMENT;
163 }
164 const uint8_t* temp = km_cert->data;
165 X509_Ptr cert(d2i_X509(NULL, &temp, km_cert->data_length));
166 if (!cert.get()) return TranslateLastOpenSslError();
167 EVP_PKEY_Ptr pubKey(X509_get_pubkey(cert.get()));
168 if (!pubKey.get()) return TranslateLastOpenSslError();
169 EC_KEY* ecKey = EVP_PKEY_get0_EC_KEY(pubKey.get());
170 if (!ecKey) return TranslateLastOpenSslError();
171 const EC_POINT* jacobian_coords = EC_KEY_get0_public_key(ecKey);
172 if (!jacobian_coords) return TranslateLastOpenSslError();
173 bssl::UniquePtr<BIGNUM> x(BN_new());
174 bssl::UniquePtr<BIGNUM> y(BN_new());
175 BN_CTX_Ptr ctx(BN_CTX_new());
176 if (!ctx.get()) return TranslateLastOpenSslError();
177 if (!EC_POINT_get_affine_coordinates_GFp(EC_KEY_get0_group(ecKey), jacobian_coords, x.get(),
178 y.get(), ctx.get())) {
179 return TranslateLastOpenSslError();
180 }
181 uint8_t* tmp_x = x_coord;
182 if (BN_bn2binpad(x.get(), tmp_x, kAffinePointLength) != kAffinePointLength) {
183 return TranslateLastOpenSslError();
184 }
185 uint8_t* tmp_y = y_coord;
186 if (BN_bn2binpad(y.get(), tmp_y, kAffinePointLength) != kAffinePointLength) {
187 return TranslateLastOpenSslError();
188 }
189 return KM_ERROR_OK;
190 }
191
ec_group_size_bits(EC_KEY * ec_key)192 size_t ec_group_size_bits(EC_KEY* ec_key) {
193 const EC_GROUP* group = EC_KEY_get0_group(ec_key);
194 UniquePtr<BN_CTX, BN_CTX_Delete> bn_ctx(BN_CTX_new());
195 UniquePtr<BIGNUM, BIGNUM_Delete> order(BN_new());
196 if (!EC_GROUP_get_order(group, order.get(), bn_ctx.get())) {
197 LOG_E("Failed to get EC group order", 0);
198 return 0;
199 }
200 return BN_num_bits(order.get());
201 }
202
GenerateRandom(uint8_t * buf,size_t length)203 keymaster_error_t GenerateRandom(uint8_t* buf, size_t length) {
204 if (RAND_bytes(buf, length) != 1) return KM_ERROR_UNKNOWN_ERROR;
205 return KM_ERROR_OK;
206 }
207
208 } // namespace keymaster
209