1 /*
2 * Copyright (C) 2016 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include <crypto_utils/android_pubkey.h>
18
19 #include <assert.h>
20 #include <stdlib.h>
21 #include <string.h>
22
23 #include <openssl/bn.h>
24
25 // Better safe than sorry.
26 #if (ANDROID_PUBKEY_MODULUS_SIZE % 4) != 0
27 #error RSA modulus size must be multiple of the word size!
28 #endif
29
30 // Size of the RSA modulus in words.
31 #define ANDROID_PUBKEY_MODULUS_SIZE_WORDS (ANDROID_PUBKEY_MODULUS_SIZE / 4)
32
33 // This file implements encoding and decoding logic for Android's custom RSA
34 // public key binary format. Public keys are stored as a sequence of
35 // little-endian 32 bit words. Note that Android only supports little-endian
36 // processors, so we don't do any byte order conversions when parsing the binary
37 // struct.
38 struct RSAPublicKey {
39 // Modulus length. This must be ANDROID_PUBKEY_MODULUS_SIZE.
40 uint32_t modulus_size_words;
41
42 // Precomputed montgomery parameter: -1 / n[0] mod 2^32
43 uint32_t n0inv;
44
45 // RSA modulus as a little-endian array.
46 uint8_t modulus[ANDROID_PUBKEY_MODULUS_SIZE];
47
48 // Montgomery parameter R^2 as a little-endian array.
49 uint8_t rr[ANDROID_PUBKEY_MODULUS_SIZE];
50
51 // RSA modulus: 3 or 65537
52 uint32_t exponent;
53 };
54
android_pubkey_decode(const uint8_t * key_buffer,size_t size,RSA ** key)55 bool android_pubkey_decode(const uint8_t* key_buffer, size_t size, RSA** key) {
56 const RSAPublicKey* key_struct = (RSAPublicKey*)key_buffer;
57 bool ret = false;
58 RSA* new_key = RSA_new();
59 BIGNUM* n = NULL;
60 BIGNUM* e = NULL;
61 if (!new_key) {
62 goto cleanup;
63 }
64
65 // Check |size| is large enough and the modulus size is correct.
66 if (size < sizeof(RSAPublicKey)) {
67 goto cleanup;
68 }
69 if (key_struct->modulus_size_words != ANDROID_PUBKEY_MODULUS_SIZE_WORDS) {
70 goto cleanup;
71 }
72
73 // Convert the modulus to big-endian byte order as expected by BN_bin2bn.
74 n = BN_le2bn(key_struct->modulus, ANDROID_PUBKEY_MODULUS_SIZE, NULL);
75 if (!n) {
76 goto cleanup;
77 }
78
79 // Read the exponent.
80 e = BN_new();
81 if (!e || !BN_set_word(e, key_struct->exponent)) {
82 goto cleanup;
83 }
84
85 if (!RSA_set0_key(new_key, n, e, NULL)) {
86 goto cleanup;
87 }
88 // RSA_set0_key takes ownership of its inputs on success.
89 n = NULL;
90 e = NULL;
91
92 // Note that we don't extract the montgomery parameters n0inv and rr from
93 // the RSAPublicKey structure. They assume a word size of 32 bits, but
94 // BoringSSL may use a word size of 64 bits internally, so we're lacking the
95 // top 32 bits of n0inv in general. For now, we just ignore the parameters
96 // and have BoringSSL recompute them internally. More sophisticated logic can
97 // be added here if/when we want the additional speedup from using the
98 // pre-computed montgomery parameters.
99
100 *key = new_key;
101 new_key = NULL;
102 ret = true;
103
104 cleanup:
105 RSA_free(new_key);
106 BN_free(n);
107 BN_free(e);
108 return ret;
109 }
110
android_pubkey_encode(const RSA * key,uint8_t * key_buffer,size_t size)111 bool android_pubkey_encode(const RSA* key, uint8_t* key_buffer, size_t size) {
112 RSAPublicKey* key_struct = (RSAPublicKey*)key_buffer;
113 bool ret = false;
114 BN_CTX* ctx = BN_CTX_new();
115 BIGNUM* r32 = BN_new();
116 BIGNUM* n0inv = BN_new();
117 BIGNUM* rr = BN_new();
118
119 if (sizeof(RSAPublicKey) > size || RSA_size(key) != ANDROID_PUBKEY_MODULUS_SIZE) {
120 goto cleanup;
121 }
122
123 // Store the modulus size.
124 key_struct->modulus_size_words = ANDROID_PUBKEY_MODULUS_SIZE_WORDS;
125
126 // Compute and store n0inv = -1 / N[0] mod 2^32.
127 if (!ctx || !r32 || !n0inv || !BN_set_bit(r32, 32) || !BN_mod(n0inv, RSA_get0_n(key), r32, ctx) ||
128 !BN_mod_inverse(n0inv, n0inv, r32, ctx) || !BN_sub(n0inv, r32, n0inv)) {
129 goto cleanup;
130 }
131 key_struct->n0inv = (uint32_t)BN_get_word(n0inv);
132
133 // Store the modulus.
134 if (!BN_bn2le_padded(key_struct->modulus, ANDROID_PUBKEY_MODULUS_SIZE, RSA_get0_n(key))) {
135 goto cleanup;
136 }
137
138 // Compute and store rr = (2^(rsa_size)) ^ 2 mod N.
139 if (!ctx || !rr || !BN_set_bit(rr, ANDROID_PUBKEY_MODULUS_SIZE * 8) ||
140 !BN_mod_sqr(rr, rr, RSA_get0_n(key), ctx) ||
141 !BN_bn2le_padded(key_struct->rr, ANDROID_PUBKEY_MODULUS_SIZE, rr)) {
142 goto cleanup;
143 }
144
145 // Store the exponent.
146 key_struct->exponent = (uint32_t)BN_get_word(RSA_get0_e(key));
147
148 ret = true;
149
150 cleanup:
151 BN_free(rr);
152 BN_free(n0inv);
153 BN_free(r32);
154 BN_CTX_free(ctx);
155 return ret;
156 }
157