1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/android/keystore_openssl.h"
6
7 #include <jni.h>
8 #include <openssl/bn.h>
9 // This include is required to get the ECDSA_METHOD structure definition
10 // which isn't currently part of the OpenSSL official ABI. This should
11 // not be a concern for Chromium which always links against its own
12 // version of the library on Android.
13 #include <openssl/crypto/ecdsa/ecs_locl.h>
14 // And this one is needed for the EC_GROUP definition.
15 #include <openssl/crypto/ec/ec_lcl.h>
16 #include <openssl/dsa.h>
17 #include <openssl/ec.h>
18 #include <openssl/engine.h>
19 #include <openssl/evp.h>
20 #include <openssl/rsa.h>
21
22 #include "base/android/build_info.h"
23 #include "base/android/jni_android.h"
24 #include "base/android/scoped_java_ref.h"
25 #include "base/basictypes.h"
26 #include "base/lazy_instance.h"
27 #include "base/logging.h"
28 #include "crypto/openssl_util.h"
29 #include "net/android/keystore.h"
30 #include "net/ssl/ssl_client_cert_type.h"
31
32 // IMPORTANT NOTE: The following code will currently only work when used
33 // to implement client certificate support with OpenSSL. That's because
34 // only the signing operations used in this use case are implemented here.
35 //
36 // Generally speaking, OpenSSL provides many different ways to sign
37 // digests. This code doesn't support all these cases, only the ones that
38 // are required to sign the digest during the OpenSSL handshake for TLS.
39 //
40 // The OpenSSL EVP_PKEY type is a generic wrapper around key pairs.
41 // Internally, it can hold a pointer to a RSA, DSA or ECDSA structure,
42 // which model keypair implementations of each respective crypto
43 // algorithm.
44 //
45 // The RSA type has a 'method' field pointer to a vtable-like structure
46 // called a RSA_METHOD. This contains several function pointers that
47 // correspond to operations on RSA keys (e.g. decode/encode with public
48 // key, decode/encode with private key, signing, validation), as well as
49 // a few flags.
50 //
51 // For example, the RSA_sign() function will call "method->rsa_sign()" if
52 // method->rsa_sign is not NULL, otherwise, it will perform a regular
53 // signing operation using the other fields in the RSA structure (which
54 // are used to hold the typical modulus / exponent / parameters for the
55 // key pair).
56 //
57 // This source file thus defines a custom RSA_METHOD structure whose
58 // fields point to static methods used to implement the corresponding
59 // RSA operation using platform Android APIs.
60 //
61 // However, the platform APIs require a jobject JNI reference to work.
62 // It must be stored in the RSA instance, or made accessible when the
63 // custom RSA methods are called. This is done by using RSA_set_app_data()
64 // and RSA_get_app_data().
65 //
66 // One can thus _directly_ create a new EVP_PKEY that uses a custom RSA
67 // object with the following:
68 //
69 // RSA* rsa = RSA_new()
70 // RSA_set_method(&custom_rsa_method);
71 // RSA_set_app_data(rsa, jni_private_key);
72 //
73 // EVP_PKEY* pkey = EVP_PKEY_new();
74 // EVP_PKEY_assign_RSA(pkey, rsa);
75 //
76 // Note that because EVP_PKEY_assign_RSA() is used, instead of
77 // EVP_PKEY_set1_RSA(), the new EVP_PKEY now owns the RSA object, and
78 // will destroy it when it is itself destroyed.
79 //
80 // Unfortunately, such objects cannot be used with RSA_size(), which
81 // totally ignores the RSA_METHOD pointers. Instead, it is necessary
82 // to manually setup the modulus field (n) in the RSA object, with a
83 // value that matches the wrapped PrivateKey object. See GetRsaPkeyWrapper
84 // for full details.
85 //
86 // Similarly, custom DSA_METHOD and ECDSA_METHOD are defined by this source
87 // file, and appropriate field setups are performed to ensure that
88 // DSA_size() and ECDSA_size() work properly with the wrapper EVP_PKEY.
89 //
90 // Note that there is no need to define an OpenSSL ENGINE here. These
91 // are objects that can be used to expose custom methods (i.e. either
92 // RSA_METHOD, DSA_METHOD, ECDSA_METHOD, and a large number of other ones
93 // for types not related to this source file), and make them used by
94 // default for a lot of operations. Very fortunately, this is not needed
95 // here, which saves a lot of complexity.
96
97 using base::android::ScopedJavaGlobalRef;
98
99 namespace net {
100 namespace android {
101
102 namespace {
103
104 typedef crypto::ScopedOpenSSL<EVP_PKEY, EVP_PKEY_free> ScopedEVP_PKEY;
105 typedef crypto::ScopedOpenSSL<RSA, RSA_free> ScopedRSA;
106 typedef crypto::ScopedOpenSSL<DSA, DSA_free> ScopedDSA;
107 typedef crypto::ScopedOpenSSL<EC_KEY, EC_KEY_free> ScopedEC_KEY;
108 typedef crypto::ScopedOpenSSL<EC_GROUP, EC_GROUP_free> ScopedEC_GROUP;
109
110 // Custom RSA_METHOD that uses the platform APIs.
111 // Note that for now, only signing through RSA_sign() is really supported.
112 // all other method pointers are either stubs returning errors, or no-ops.
113 // See <openssl/rsa.h> for exact declaration of RSA_METHOD.
114
RsaMethodPubEnc(int flen,const unsigned char * from,unsigned char * to,RSA * rsa,int padding)115 int RsaMethodPubEnc(int flen,
116 const unsigned char* from,
117 unsigned char* to,
118 RSA* rsa,
119 int padding) {
120 NOTIMPLEMENTED();
121 RSAerr(RSA_F_RSA_PUBLIC_ENCRYPT, RSA_R_RSA_OPERATIONS_NOT_SUPPORTED);
122 return -1;
123 }
124
RsaMethodPubDec(int flen,const unsigned char * from,unsigned char * to,RSA * rsa,int padding)125 int RsaMethodPubDec(int flen,
126 const unsigned char* from,
127 unsigned char* to,
128 RSA* rsa,
129 int padding) {
130 NOTIMPLEMENTED();
131 RSAerr(RSA_F_RSA_PUBLIC_DECRYPT, RSA_R_RSA_OPERATIONS_NOT_SUPPORTED);
132 return -1;
133 }
134
135 // See RSA_eay_private_encrypt in
136 // third_party/openssl/openssl/crypto/rsa/rsa_eay.c for the default
137 // implementation of this function.
RsaMethodPrivEnc(int flen,const unsigned char * from,unsigned char * to,RSA * rsa,int padding)138 int RsaMethodPrivEnc(int flen,
139 const unsigned char *from,
140 unsigned char *to,
141 RSA *rsa,
142 int padding) {
143 DCHECK_EQ(RSA_PKCS1_PADDING, padding);
144 if (padding != RSA_PKCS1_PADDING) {
145 // TODO(davidben): If we need to, we can implement RSA_NO_PADDING
146 // by using javax.crypto.Cipher and picking either the
147 // "RSA/ECB/NoPadding" or "RSA/ECB/PKCS1Padding" transformation as
148 // appropriate. I believe support for both of these was added in
149 // the same Android version as the "NONEwithRSA"
150 // java.security.Signature algorithm, so the same version checks
151 // for GetRsaLegacyKey should work.
152 RSAerr(RSA_F_RSA_PRIVATE_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
153 return -1;
154 }
155
156 // Retrieve private key JNI reference.
157 jobject private_key = reinterpret_cast<jobject>(RSA_get_app_data(rsa));
158 if (!private_key) {
159 LOG(WARNING) << "Null JNI reference passed to RsaMethodPrivEnc!";
160 RSAerr(RSA_F_RSA_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR);
161 return -1;
162 }
163
164 base::StringPiece from_piece(reinterpret_cast<const char*>(from), flen);
165 std::vector<uint8> result;
166 // For RSA keys, this function behaves as RSA_private_encrypt with
167 // PKCS#1 padding.
168 if (!RawSignDigestWithPrivateKey(private_key, from_piece, &result)) {
169 LOG(WARNING) << "Could not sign message in RsaMethodPrivEnc!";
170 RSAerr(RSA_F_RSA_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR);
171 return -1;
172 }
173
174 size_t expected_size = static_cast<size_t>(RSA_size(rsa));
175 if (result.size() > expected_size) {
176 LOG(ERROR) << "RSA Signature size mismatch, actual: "
177 << result.size() << ", expected <= " << expected_size;
178 RSAerr(RSA_F_RSA_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR);
179 return -1;
180 }
181
182 // Copy result to OpenSSL-provided buffer. RawSignDigestWithPrivateKey
183 // should pad with leading 0s, but if it doesn't, pad the result.
184 size_t zero_pad = expected_size - result.size();
185 memset(to, 0, zero_pad);
186 memcpy(to + zero_pad, &result[0], result.size());
187
188 return expected_size;
189 }
190
RsaMethodPrivDec(int flen,const unsigned char * from,unsigned char * to,RSA * rsa,int padding)191 int RsaMethodPrivDec(int flen,
192 const unsigned char* from,
193 unsigned char* to,
194 RSA* rsa,
195 int padding) {
196 NOTIMPLEMENTED();
197 RSAerr(RSA_F_RSA_PRIVATE_DECRYPT, RSA_R_RSA_OPERATIONS_NOT_SUPPORTED);
198 return -1;
199 }
200
RsaMethodInit(RSA * rsa)201 int RsaMethodInit(RSA* rsa) {
202 return 0;
203 }
204
RsaMethodFinish(RSA * rsa)205 int RsaMethodFinish(RSA* rsa) {
206 // Ensure the global JNI reference created with this wrapper is
207 // properly destroyed with it.
208 jobject key = reinterpret_cast<jobject>(RSA_get_app_data(rsa));
209 if (key != NULL) {
210 RSA_set_app_data(rsa, NULL);
211 ReleaseKey(key);
212 }
213 // Actual return value is ignored by OpenSSL. There are no docs
214 // explaining what this is supposed to be.
215 return 0;
216 }
217
218 const RSA_METHOD android_rsa_method = {
219 /* .name = */ "Android signing-only RSA method",
220 /* .rsa_pub_enc = */ RsaMethodPubEnc,
221 /* .rsa_pub_dec = */ RsaMethodPubDec,
222 /* .rsa_priv_enc = */ RsaMethodPrivEnc,
223 /* .rsa_priv_dec = */ RsaMethodPrivDec,
224 /* .rsa_mod_exp = */ NULL,
225 /* .bn_mod_exp = */ NULL,
226 /* .init = */ RsaMethodInit,
227 /* .finish = */ RsaMethodFinish,
228 // This flag is necessary to tell OpenSSL to avoid checking the content
229 // (i.e. internal fields) of the private key. Otherwise, it will complain
230 // it's not valid for the certificate.
231 /* .flags = */ RSA_METHOD_FLAG_NO_CHECK,
232 /* .app_data = */ NULL,
233 /* .rsa_sign = */ NULL,
234 /* .rsa_verify = */ NULL,
235 /* .rsa_keygen = */ NULL,
236 };
237
238 // Copy the contents of an encoded big integer into an existing BIGNUM.
239 // This function modifies |*num| in-place.
240 // |new_bytes| is the byte encoding of the new value.
241 // |num| points to the BIGNUM which will be assigned with the new value.
242 // Returns true on success, false otherwise. On failure, |*num| is
243 // not modified.
CopyBigNumFromBytes(const std::vector<uint8> & new_bytes,BIGNUM * num)244 bool CopyBigNumFromBytes(const std::vector<uint8>& new_bytes,
245 BIGNUM* num) {
246 BIGNUM* ret = BN_bin2bn(
247 reinterpret_cast<const unsigned char*>(&new_bytes[0]),
248 static_cast<int>(new_bytes.size()),
249 num);
250 return (ret != NULL);
251 }
252
253 // Decode the contents of an encoded big integer and either create a new
254 // BIGNUM object (if |*num_ptr| is NULL on input) or copy it (if
255 // |*num_ptr| is not NULL).
256 // |new_bytes| is the byte encoding of the new value.
257 // |num_ptr| is the address of a BIGNUM pointer. |*num_ptr| can be NULL.
258 // Returns true on success, false otherwise. On failure, |*num_ptr| is
259 // not modified. On success, |*num_ptr| will always be non-NULL and
260 // point to a valid BIGNUM object.
SwapBigNumPtrFromBytes(const std::vector<uint8> & new_bytes,BIGNUM ** num_ptr)261 bool SwapBigNumPtrFromBytes(const std::vector<uint8>& new_bytes,
262 BIGNUM** num_ptr) {
263 BIGNUM* old_num = *num_ptr;
264 BIGNUM* new_num = BN_bin2bn(
265 reinterpret_cast<const unsigned char*>(&new_bytes[0]),
266 static_cast<int>(new_bytes.size()),
267 old_num);
268 if (new_num == NULL)
269 return false;
270
271 if (old_num == NULL)
272 *num_ptr = new_num;
273 return true;
274 }
275
276 // Setup an EVP_PKEY to wrap an existing platform RSA PrivateKey object.
277 // |private_key| is the JNI reference (local or global) to the object.
278 // |pkey| is the EVP_PKEY to setup as a wrapper.
279 // Returns true on success, false otherwise.
280 // On success, this creates a new global JNI reference to the object
281 // that is owned by and destroyed with the EVP_PKEY. I.e. caller can
282 // free |private_key| after the call.
283 // IMPORTANT: The EVP_PKEY will *only* work on Android >= 4.2. For older
284 // platforms, use GetRsaLegacyKey() instead.
GetRsaPkeyWrapper(jobject private_key,EVP_PKEY * pkey)285 bool GetRsaPkeyWrapper(jobject private_key, EVP_PKEY* pkey) {
286 ScopedRSA rsa(RSA_new());
287 RSA_set_method(rsa.get(), &android_rsa_method);
288
289 // HACK: RSA_size() doesn't work with custom RSA_METHODs. To ensure that
290 // it will return the right value, set the 'n' field of the RSA object
291 // to match the private key's modulus.
292 std::vector<uint8> modulus;
293 if (!GetRSAKeyModulus(private_key, &modulus)) {
294 LOG(ERROR) << "Failed to get private key modulus";
295 return false;
296 }
297 if (!SwapBigNumPtrFromBytes(modulus, &rsa.get()->n)) {
298 LOG(ERROR) << "Failed to decode private key modulus";
299 return false;
300 }
301
302 ScopedJavaGlobalRef<jobject> global_key;
303 global_key.Reset(NULL, private_key);
304 if (global_key.is_null()) {
305 LOG(ERROR) << "Could not create global JNI reference";
306 return false;
307 }
308 RSA_set_app_data(rsa.get(), global_key.Release());
309 EVP_PKEY_assign_RSA(pkey, rsa.release());
310 return true;
311 }
312
313 // On Android < 4.2, the libkeystore.so ENGINE uses CRYPTO_EX_DATA and is not
314 // added to the global engine list. If all references to it are dropped, OpenSSL
315 // will dlclose the module, leaving a dangling function pointer in the RSA
316 // CRYPTO_EX_DATA class. To work around this, leak an extra reference to the
317 // ENGINE we extract in GetRsaLegacyKey.
318 //
319 // In 4.2, this change avoids the problem:
320 // https://android.googlesource.com/platform/libcore/+/106a8928fb4249f2f3d4dba1dddbe73ca5cb3d61
321 //
322 // https://crbug.com/381465
323 class KeystoreEngineWorkaround {
324 public:
KeystoreEngineWorkaround()325 KeystoreEngineWorkaround() : leaked_engine_(false) {}
326
LeakRsaEngine(EVP_PKEY * pkey)327 void LeakRsaEngine(EVP_PKEY* pkey) {
328 if (leaked_engine_)
329 return;
330 ScopedRSA rsa(EVP_PKEY_get1_RSA(pkey));
331 if (!rsa.get() ||
332 !rsa.get()->engine ||
333 strcmp(ENGINE_get_id(rsa.get()->engine), "keystore") ||
334 !ENGINE_init(rsa.get()->engine)) {
335 NOTREACHED();
336 return;
337 }
338 leaked_engine_ = true;
339 }
340
341 private:
342 bool leaked_engine_;
343 };
344
LeakRsaEngine(EVP_PKEY * pkey)345 void LeakRsaEngine(EVP_PKEY* pkey) {
346 static base::LazyInstance<KeystoreEngineWorkaround>::Leaky s_instance =
347 LAZY_INSTANCE_INITIALIZER;
348 s_instance.Get().LeakRsaEngine(pkey);
349 }
350
351 // Setup an EVP_PKEY to wrap an existing platform RSA PrivateKey object
352 // for Android 4.0 to 4.1.x. Must only be used on Android < 4.2.
353 // |private_key| is a JNI reference (local or global) to the object.
354 // |pkey| is the EVP_PKEY to setup as a wrapper.
355 // Returns true on success, false otherwise.
GetRsaLegacyKey(jobject private_key)356 EVP_PKEY* GetRsaLegacyKey(jobject private_key) {
357 EVP_PKEY* sys_pkey =
358 GetOpenSSLSystemHandleForPrivateKey(private_key);
359 if (sys_pkey != NULL) {
360 CRYPTO_add(&sys_pkey->references, 1, CRYPTO_LOCK_EVP_PKEY);
361 LeakRsaEngine(sys_pkey);
362 } else {
363 // GetOpenSSLSystemHandleForPrivateKey() will fail on Android
364 // 4.0.3 and earlier. However, it is possible to get the key
365 // content with PrivateKey.getEncoded() on these platforms.
366 // Note that this method may return NULL on 4.0.4 and later.
367 std::vector<uint8> encoded;
368 if (!GetPrivateKeyEncodedBytes(private_key, &encoded)) {
369 LOG(ERROR) << "Can't get private key data!";
370 return NULL;
371 }
372 const unsigned char* p =
373 reinterpret_cast<const unsigned char*>(&encoded[0]);
374 int len = static_cast<int>(encoded.size());
375 sys_pkey = d2i_AutoPrivateKey(NULL, &p, len);
376 if (sys_pkey == NULL) {
377 LOG(ERROR) << "Can't convert private key data!";
378 return NULL;
379 }
380 }
381 return sys_pkey;
382 }
383
384 // Custom DSA_METHOD that uses the platform APIs.
385 // Note that for now, only signing through DSA_sign() is really supported.
386 // all other method pointers are either stubs returning errors, or no-ops.
387 // See <openssl/dsa.h> for exact declaration of DSA_METHOD.
388 //
389 // Note: There is no DSA_set_app_data() and DSA_get_app_data() functions,
390 // but RSA_set_app_data() is defined as a simple macro that calls
391 // RSA_set_ex_data() with a hard-coded index of 0, so this code
392 // does the same thing here.
393
DsaMethodDoSign(const unsigned char * dgst,int dlen,DSA * dsa)394 DSA_SIG* DsaMethodDoSign(const unsigned char* dgst,
395 int dlen,
396 DSA* dsa) {
397 // Extract the JNI reference to the PrivateKey object.
398 jobject private_key = reinterpret_cast<jobject>(DSA_get_ex_data(dsa, 0));
399 if (private_key == NULL)
400 return NULL;
401
402 // Sign the message with it, calling platform APIs.
403 std::vector<uint8> signature;
404 if (!RawSignDigestWithPrivateKey(
405 private_key,
406 base::StringPiece(
407 reinterpret_cast<const char*>(dgst),
408 static_cast<size_t>(dlen)),
409 &signature)) {
410 return NULL;
411 }
412
413 // Note: With DSA, the actual signature might be smaller than DSA_size().
414 size_t max_expected_size = static_cast<size_t>(DSA_size(dsa));
415 if (signature.size() > max_expected_size) {
416 LOG(ERROR) << "DSA Signature size mismatch, actual: "
417 << signature.size() << ", expected <= "
418 << max_expected_size;
419 return NULL;
420 }
421
422 // Convert the signature into a DSA_SIG object.
423 const unsigned char* sigbuf =
424 reinterpret_cast<const unsigned char*>(&signature[0]);
425 int siglen = static_cast<size_t>(signature.size());
426 DSA_SIG* dsa_sig = d2i_DSA_SIG(NULL, &sigbuf, siglen);
427 return dsa_sig;
428 }
429
DsaMethodSignSetup(DSA * dsa,BN_CTX * ctx_in,BIGNUM ** kinvp,BIGNUM ** rp)430 int DsaMethodSignSetup(DSA* dsa,
431 BN_CTX* ctx_in,
432 BIGNUM** kinvp,
433 BIGNUM** rp) {
434 NOTIMPLEMENTED();
435 DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_INVALID_DIGEST_TYPE);
436 return -1;
437 }
438
DsaMethodDoVerify(const unsigned char * dgst,int dgst_len,DSA_SIG * sig,DSA * dsa)439 int DsaMethodDoVerify(const unsigned char* dgst,
440 int dgst_len,
441 DSA_SIG* sig,
442 DSA* dsa) {
443 NOTIMPLEMENTED();
444 DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_INVALID_DIGEST_TYPE);
445 return -1;
446 }
447
DsaMethodFinish(DSA * dsa)448 int DsaMethodFinish(DSA* dsa) {
449 // Free the global JNI reference that was created with this
450 // wrapper key.
451 jobject key = reinterpret_cast<jobject>(DSA_get_ex_data(dsa,0));
452 if (key != NULL) {
453 DSA_set_ex_data(dsa, 0, NULL);
454 ReleaseKey(key);
455 }
456 // Actual return value is ignored by OpenSSL. There are no docs
457 // explaining what this is supposed to be.
458 return 0;
459 }
460
461 const DSA_METHOD android_dsa_method = {
462 /* .name = */ "Android signing-only DSA method",
463 /* .dsa_do_sign = */ DsaMethodDoSign,
464 /* .dsa_sign_setup = */ DsaMethodSignSetup,
465 /* .dsa_do_verify = */ DsaMethodDoVerify,
466 /* .dsa_mod_exp = */ NULL,
467 /* .bn_mod_exp = */ NULL,
468 /* .init = */ NULL, // nothing to do here.
469 /* .finish = */ DsaMethodFinish,
470 /* .flags = */ 0,
471 /* .app_data = */ NULL,
472 /* .dsa_paramgem = */ NULL,
473 /* .dsa_keygen = */ NULL
474 };
475
476 // Setup an EVP_PKEY to wrap an existing DSA platform PrivateKey object.
477 // |private_key| is a JNI reference (local or global) to the object.
478 // |pkey| is the EVP_PKEY to setup as a wrapper.
479 // Returns true on success, false otherwise.
480 // On success, this creates a global JNI reference to the same object
481 // that will be owned by and destroyed with the EVP_PKEY.
GetDsaPkeyWrapper(jobject private_key,EVP_PKEY * pkey)482 bool GetDsaPkeyWrapper(jobject private_key, EVP_PKEY* pkey) {
483 ScopedDSA dsa(DSA_new());
484 DSA_set_method(dsa.get(), &android_dsa_method);
485
486 // DSA_size() doesn't work with custom DSA_METHODs. To ensure it
487 // returns the right value, set the 'q' field in the DSA object to
488 // match the parameter from the platform key.
489 std::vector<uint8> q;
490 if (!GetDSAKeyParamQ(private_key, &q)) {
491 LOG(ERROR) << "Can't extract Q parameter from DSA private key";
492 return false;
493 }
494 if (!SwapBigNumPtrFromBytes(q, &dsa.get()->q)) {
495 LOG(ERROR) << "Can't decode Q parameter from DSA private key";
496 return false;
497 }
498
499 ScopedJavaGlobalRef<jobject> global_key;
500 global_key.Reset(NULL, private_key);
501 if (global_key.is_null()) {
502 LOG(ERROR) << "Could not create global JNI reference";
503 return false;
504 }
505 DSA_set_ex_data(dsa.get(), 0, global_key.Release());
506 EVP_PKEY_assign_DSA(pkey, dsa.release());
507 return true;
508 }
509
510 // Custom ECDSA_METHOD that uses the platform APIs.
511 // Note that for now, only signing through ECDSA_sign() is really supported.
512 // all other method pointers are either stubs returning errors, or no-ops.
513 //
514 // Note: The ECDSA_METHOD structure doesn't have init/finish
515 // methods. As such, the only way to to ensure the global
516 // JNI reference is properly released when the EVP_PKEY is
517 // destroyed is to use a custom EX_DATA type.
518
519 // Used to ensure that the global JNI reference associated with a custom
520 // EC_KEY + ECDSA_METHOD wrapper is released when its EX_DATA is destroyed
521 // (this function is called when EVP_PKEY_free() is called on the wrapper).
ExDataFree(void * parent,void * ptr,CRYPTO_EX_DATA * ad,int idx,long argl,void * argp)522 void ExDataFree(void* parent,
523 void* ptr,
524 CRYPTO_EX_DATA* ad,
525 int idx,
526 long argl,
527 void* argp) {
528 jobject private_key = reinterpret_cast<jobject>(ptr);
529 if (private_key == NULL)
530 return;
531
532 CRYPTO_set_ex_data(ad, idx, NULL);
533 ReleaseKey(private_key);
534 }
535
ExDataDup(CRYPTO_EX_DATA * to,CRYPTO_EX_DATA * from,void * from_d,int idx,long argl,void * argp)536 int ExDataDup(CRYPTO_EX_DATA* to,
537 CRYPTO_EX_DATA* from,
538 void* from_d,
539 int idx,
540 long argl,
541 void* argp) {
542 // This callback shall never be called with the current OpenSSL
543 // implementation (the library only ever duplicates EX_DATA items
544 // for SSL and BIO objects). But provide this to catch regressions
545 // in the future.
546 CHECK(false) << "ExDataDup was called for ECDSA custom key !?";
547 // Return value is currently ignored by OpenSSL.
548 return 0;
549 }
550
551 class EcdsaExDataIndex {
552 public:
ex_data_index()553 int ex_data_index() { return ex_data_index_; }
554
EcdsaExDataIndex()555 EcdsaExDataIndex() {
556 ex_data_index_ = ECDSA_get_ex_new_index(0, // argl
557 NULL, // argp
558 NULL, // new_func
559 ExDataDup, // dup_func
560 ExDataFree); // free_func
561 }
562
563 private:
564 int ex_data_index_;
565 };
566
567 // Returns the index of the custom EX_DATA used to store the JNI reference.
EcdsaGetExDataIndex(void)568 int EcdsaGetExDataIndex(void) {
569 // Use a LazyInstance to perform thread-safe lazy initialization.
570 // Use a leaky one, since OpenSSL doesn't provide a way to release
571 // allocated EX_DATA indices.
572 static base::LazyInstance<EcdsaExDataIndex>::Leaky s_instance =
573 LAZY_INSTANCE_INITIALIZER;
574 return s_instance.Get().ex_data_index();
575 }
576
EcdsaMethodDoSign(const unsigned char * dgst,int dgst_len,const BIGNUM * inv,const BIGNUM * rp,EC_KEY * eckey)577 ECDSA_SIG* EcdsaMethodDoSign(const unsigned char* dgst,
578 int dgst_len,
579 const BIGNUM* inv,
580 const BIGNUM* rp,
581 EC_KEY* eckey) {
582 // Retrieve private key JNI reference.
583 jobject private_key = reinterpret_cast<jobject>(
584 ECDSA_get_ex_data(eckey, EcdsaGetExDataIndex()));
585 if (!private_key) {
586 LOG(WARNING) << "Null JNI reference passed to EcdsaMethodDoSign!";
587 return NULL;
588 }
589 // Sign message with it through JNI.
590 std::vector<uint8> signature;
591 base::StringPiece digest(
592 reinterpret_cast<const char*>(dgst),
593 static_cast<size_t>(dgst_len));
594 if (!RawSignDigestWithPrivateKey(
595 private_key, digest, &signature)) {
596 LOG(WARNING) << "Could not sign message in EcdsaMethodDoSign!";
597 return NULL;
598 }
599
600 // Note: With ECDSA, the actual signature may be smaller than
601 // ECDSA_size().
602 size_t max_expected_size = static_cast<size_t>(ECDSA_size(eckey));
603 if (signature.size() > max_expected_size) {
604 LOG(ERROR) << "ECDSA Signature size mismatch, actual: "
605 << signature.size() << ", expected <= "
606 << max_expected_size;
607 return NULL;
608 }
609
610 // Convert signature to ECDSA_SIG object
611 const unsigned char* sigbuf =
612 reinterpret_cast<const unsigned char*>(&signature[0]);
613 long siglen = static_cast<long>(signature.size());
614 return d2i_ECDSA_SIG(NULL, &sigbuf, siglen);
615 }
616
EcdsaMethodSignSetup(EC_KEY * eckey,BN_CTX * ctx,BIGNUM ** kinv,BIGNUM ** r)617 int EcdsaMethodSignSetup(EC_KEY* eckey,
618 BN_CTX* ctx,
619 BIGNUM** kinv,
620 BIGNUM** r) {
621 NOTIMPLEMENTED();
622 ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ECDSA_R_ERR_EC_LIB);
623 return -1;
624 }
625
EcdsaMethodDoVerify(const unsigned char * dgst,int dgst_len,const ECDSA_SIG * sig,EC_KEY * eckey)626 int EcdsaMethodDoVerify(const unsigned char* dgst,
627 int dgst_len,
628 const ECDSA_SIG* sig,
629 EC_KEY* eckey) {
630 NOTIMPLEMENTED();
631 ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ECDSA_R_ERR_EC_LIB);
632 return -1;
633 }
634
635 const ECDSA_METHOD android_ecdsa_method = {
636 /* .name = */ "Android signing-only ECDSA method",
637 /* .ecdsa_do_sign = */ EcdsaMethodDoSign,
638 /* .ecdsa_sign_setup = */ EcdsaMethodSignSetup,
639 /* .ecdsa_do_verify = */ EcdsaMethodDoVerify,
640 /* .flags = */ 0,
641 /* .app_data = */ NULL,
642 };
643
644 // Setup an EVP_PKEY to wrap an existing platform PrivateKey object.
645 // |private_key| is the JNI reference (local or global) to the object.
646 // |pkey| is the EVP_PKEY to setup as a wrapper.
647 // Returns true on success, false otherwise.
648 // On success, this creates a global JNI reference to the object that
649 // is owned by and destroyed with the EVP_PKEY. I.e. the caller shall
650 // always free |private_key| after the call.
GetEcdsaPkeyWrapper(jobject private_key,EVP_PKEY * pkey)651 bool GetEcdsaPkeyWrapper(jobject private_key, EVP_PKEY* pkey) {
652 ScopedEC_KEY eckey(EC_KEY_new());
653 ECDSA_set_method(eckey.get(), &android_ecdsa_method);
654
655 // To ensure that ECDSA_size() works properly, craft a custom EC_GROUP
656 // that has the same order than the private key.
657 std::vector<uint8> order;
658 if (!GetECKeyOrder(private_key, &order)) {
659 LOG(ERROR) << "Can't extract order parameter from EC private key";
660 return false;
661 }
662 ScopedEC_GROUP group(EC_GROUP_new(EC_GFp_nist_method()));
663 if (!group.get()) {
664 LOG(ERROR) << "Can't create new EC_GROUP";
665 return false;
666 }
667 if (!CopyBigNumFromBytes(order, &group.get()->order)) {
668 LOG(ERROR) << "Can't decode order from PrivateKey";
669 return false;
670 }
671 EC_KEY_set_group(eckey.get(), group.release());
672
673 ScopedJavaGlobalRef<jobject> global_key;
674 global_key.Reset(NULL, private_key);
675 if (global_key.is_null()) {
676 LOG(ERROR) << "Can't create global JNI reference";
677 return false;
678 }
679 ECDSA_set_ex_data(eckey.get(),
680 EcdsaGetExDataIndex(),
681 global_key.Release());
682
683 EVP_PKEY_assign_EC_KEY(pkey, eckey.release());
684 return true;
685 }
686
687 } // namespace
688
GetOpenSSLPrivateKeyWrapper(jobject private_key)689 EVP_PKEY* GetOpenSSLPrivateKeyWrapper(jobject private_key) {
690 // Create new empty EVP_PKEY instance.
691 ScopedEVP_PKEY pkey(EVP_PKEY_new());
692 if (!pkey.get())
693 return NULL;
694
695 // Create sub key type, depending on private key's algorithm type.
696 PrivateKeyType key_type = GetPrivateKeyType(private_key);
697 switch (key_type) {
698 case PRIVATE_KEY_TYPE_RSA:
699 {
700 // Route around platform bug: if Android < 4.2, then
701 // base::android::RawSignDigestWithPrivateKey() cannot work, so
702 // instead, obtain a raw EVP_PKEY* to the system object
703 // backing this PrivateKey object.
704 const int kAndroid42ApiLevel = 17;
705 if (base::android::BuildInfo::GetInstance()->sdk_int() <
706 kAndroid42ApiLevel) {
707 EVP_PKEY* legacy_key = GetRsaLegacyKey(private_key);
708 if (legacy_key == NULL)
709 return NULL;
710 pkey.reset(legacy_key);
711 } else {
712 // Running on Android 4.2.
713 if (!GetRsaPkeyWrapper(private_key, pkey.get()))
714 return NULL;
715 }
716 }
717 break;
718 case PRIVATE_KEY_TYPE_DSA:
719 if (!GetDsaPkeyWrapper(private_key, pkey.get()))
720 return NULL;
721 break;
722 case PRIVATE_KEY_TYPE_ECDSA:
723 if (!GetEcdsaPkeyWrapper(private_key, pkey.get()))
724 return NULL;
725 break;
726 default:
727 LOG(WARNING)
728 << "GetOpenSSLPrivateKeyWrapper() called with invalid key type";
729 return NULL;
730 }
731 return pkey.release();
732 }
733
734 } // namespace android
735 } // namespace net
736