1 /*
2 * Copyright 2014 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include "rsa_operation.h"
18
19 #include <limits.h>
20
21 #include <new>
22
23 #include <openssl/err.h>
24
25 #include <keymaster/logger.h>
26
27 #include "openssl_err.h"
28 #include "openssl_utils.h"
29 #include "rsa_key.h"
30
31 namespace keymaster {
32
33 const size_t kPssOverhead = 2;
34 const size_t kMinPssSaltSize = 20;
35
36 // Overhead for PKCS#1 v1.5 signature padding of undigested messages. Digested messages have
37 // additional overhead, for the digest algorithmIdentifier required by PKCS#1.
38 const size_t kPkcs1UndigestedSignaturePaddingOverhead = 11;
39
40 /* static */
GetRsaKey(const Key & key,keymaster_error_t * error)41 EVP_PKEY* RsaOperationFactory::GetRsaKey(const Key& key, keymaster_error_t* error) {
42 const RsaKey* rsa_key = static_cast<const RsaKey*>(&key);
43 assert(rsa_key);
44 if (!rsa_key || !rsa_key->key()) {
45 *error = KM_ERROR_UNKNOWN_ERROR;
46 return nullptr;
47 }
48
49 UniquePtr<EVP_PKEY, EVP_PKEY_Delete> pkey(EVP_PKEY_new());
50 if (!rsa_key->InternalToEvp(pkey.get())) {
51 *error = KM_ERROR_UNKNOWN_ERROR;
52 return nullptr;
53 }
54 return pkey.release();
55 }
56
57 static const keymaster_digest_t supported_digests[] = {
58 KM_DIGEST_NONE, KM_DIGEST_MD5, KM_DIGEST_SHA1, KM_DIGEST_SHA_2_224,
59 KM_DIGEST_SHA_2_256, KM_DIGEST_SHA_2_384, KM_DIGEST_SHA_2_512};
60
SupportedDigests(size_t * digest_count) const61 const keymaster_digest_t* RsaOperationFactory::SupportedDigests(size_t* digest_count) const {
62 *digest_count = array_length(supported_digests);
63 return supported_digests;
64 }
65
CreateRsaOperation(const Key & key,const AuthorizationSet & begin_params,keymaster_error_t * error)66 RsaOperation* RsaOperationFactory::CreateRsaOperation(const Key& key,
67 const AuthorizationSet& begin_params,
68 keymaster_error_t* error) {
69 keymaster_padding_t padding;
70 if (!GetAndValidatePadding(begin_params, key, &padding, error))
71 return nullptr;
72
73 bool require_digest = (purpose() == KM_PURPOSE_SIGN || purpose() == KM_PURPOSE_VERIFY ||
74 padding == KM_PAD_RSA_OAEP);
75
76 keymaster_digest_t digest = KM_DIGEST_NONE;
77 if (require_digest && !GetAndValidateDigest(begin_params, key, &digest, error))
78 return nullptr;
79
80 UniquePtr<EVP_PKEY, EVP_PKEY_Delete> rsa(GetRsaKey(key, error));
81 if (!rsa.get())
82 return nullptr;
83
84 RsaOperation* op = InstantiateOperation(digest, padding, rsa.release());
85 if (!op)
86 *error = KM_ERROR_MEMORY_ALLOCATION_FAILED;
87 return op;
88 }
89
90 static const keymaster_padding_t supported_sig_padding[] = {KM_PAD_NONE, KM_PAD_RSA_PKCS1_1_5_SIGN,
91 KM_PAD_RSA_PSS};
92 const keymaster_padding_t*
SupportedPaddingModes(size_t * padding_mode_count) const93 RsaDigestingOperationFactory::SupportedPaddingModes(size_t* padding_mode_count) const {
94 *padding_mode_count = array_length(supported_sig_padding);
95 return supported_sig_padding;
96 }
97
CreateRsaOperation(const Key & key,const AuthorizationSet & begin_params,keymaster_error_t * error)98 RsaOperation* RsaCryptingOperationFactory::CreateRsaOperation(const Key& key,
99 const AuthorizationSet& begin_params,
100 keymaster_error_t* error) {
101 UniquePtr<RsaOperation> op(RsaOperationFactory::CreateRsaOperation(key, begin_params, error));
102 if (op.get()) {
103 switch (op->padding()) {
104 case KM_PAD_NONE:
105 case KM_PAD_RSA_PKCS1_1_5_ENCRYPT:
106 if (op->digest() != KM_DIGEST_NONE) {
107 *error = KM_ERROR_INCOMPATIBLE_DIGEST;
108 return nullptr;
109 }
110 break;
111
112 case KM_PAD_RSA_OAEP:
113 if (op->digest() == KM_DIGEST_NONE) {
114 *error = KM_ERROR_INCOMPATIBLE_DIGEST;
115 return nullptr;
116 }
117 break;
118
119 default:
120 *error = KM_ERROR_UNSUPPORTED_PADDING_MODE;
121 return nullptr;
122 }
123 }
124 return op.release();
125 }
126
127 static const keymaster_padding_t supported_crypt_padding[] = {KM_PAD_NONE, KM_PAD_RSA_OAEP,
128 KM_PAD_RSA_PKCS1_1_5_ENCRYPT};
129 const keymaster_padding_t*
SupportedPaddingModes(size_t * padding_mode_count) const130 RsaCryptingOperationFactory::SupportedPaddingModes(size_t* padding_mode_count) const {
131 *padding_mode_count = array_length(supported_crypt_padding);
132 return supported_crypt_padding;
133 }
134
~RsaOperation()135 RsaOperation::~RsaOperation() {
136 if (rsa_key_ != NULL)
137 EVP_PKEY_free(rsa_key_);
138 }
139
Begin(const AuthorizationSet &,AuthorizationSet *)140 keymaster_error_t RsaOperation::Begin(const AuthorizationSet& /* input_params */,
141 AuthorizationSet* /* output_params */) {
142 return InitDigest();
143 }
144
Update(const AuthorizationSet &,const Buffer & input,AuthorizationSet *,Buffer *,size_t * input_consumed)145 keymaster_error_t RsaOperation::Update(const AuthorizationSet& /* additional_params */,
146 const Buffer& input, AuthorizationSet* /* output_params */,
147 Buffer* /* output */, size_t* input_consumed) {
148 assert(input_consumed);
149 switch (purpose()) {
150 default:
151 return KM_ERROR_UNIMPLEMENTED;
152 case KM_PURPOSE_SIGN:
153 case KM_PURPOSE_VERIFY:
154 case KM_PURPOSE_ENCRYPT:
155 case KM_PURPOSE_DECRYPT:
156 return StoreData(input, input_consumed);
157 }
158 }
159
StoreData(const Buffer & input,size_t * input_consumed)160 keymaster_error_t RsaOperation::StoreData(const Buffer& input, size_t* input_consumed) {
161 assert(input_consumed);
162
163 if (!data_.reserve(EVP_PKEY_size(rsa_key_)))
164 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
165 // If the write fails, it's because input length exceeds key size.
166 if (!data_.write(input.peek_read(), input.available_read())) {
167 LOG_E("Input too long: cannot operate on %u bytes of data with %u-byte RSA key",
168 input.available_read() + data_.available_read(), EVP_PKEY_size(rsa_key_));
169 return KM_ERROR_INVALID_INPUT_LENGTH;
170 }
171
172 *input_consumed = input.available_read();
173 return KM_ERROR_OK;
174 }
175
SetRsaPaddingInEvpContext(EVP_PKEY_CTX * pkey_ctx)176 keymaster_error_t RsaOperation::SetRsaPaddingInEvpContext(EVP_PKEY_CTX* pkey_ctx) {
177 keymaster_error_t error;
178 int openssl_padding = GetOpensslPadding(&error);
179 if (error != KM_ERROR_OK)
180 return error;
181
182 if (EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, openssl_padding) <= 0)
183 return TranslateLastOpenSslError();
184 return KM_ERROR_OK;
185 }
186
InitDigest()187 keymaster_error_t RsaOperation::InitDigest() {
188 if (digest_ == KM_DIGEST_NONE) {
189 if (require_digest())
190 return KM_ERROR_INCOMPATIBLE_DIGEST;
191 return KM_ERROR_OK;
192 }
193
194 switch (digest_) {
195 case KM_DIGEST_NONE:
196 return KM_ERROR_OK;
197 case KM_DIGEST_MD5:
198 digest_algorithm_ = EVP_md5();
199 return KM_ERROR_OK;
200 case KM_DIGEST_SHA1:
201 digest_algorithm_ = EVP_sha1();
202 return KM_ERROR_OK;
203 case KM_DIGEST_SHA_2_224:
204 digest_algorithm_ = EVP_sha224();
205 return KM_ERROR_OK;
206 case KM_DIGEST_SHA_2_256:
207 digest_algorithm_ = EVP_sha256();
208 return KM_ERROR_OK;
209 case KM_DIGEST_SHA_2_384:
210 digest_algorithm_ = EVP_sha384();
211 return KM_ERROR_OK;
212 case KM_DIGEST_SHA_2_512:
213 digest_algorithm_ = EVP_sha512();
214 return KM_ERROR_OK;
215 default:
216 return KM_ERROR_UNSUPPORTED_DIGEST;
217 }
218 }
219
RsaDigestingOperation(keymaster_purpose_t purpose,keymaster_digest_t digest,keymaster_padding_t padding,EVP_PKEY * key)220 RsaDigestingOperation::RsaDigestingOperation(keymaster_purpose_t purpose, keymaster_digest_t digest,
221 keymaster_padding_t padding, EVP_PKEY* key)
222 : RsaOperation(purpose, digest, padding, key) {
223 EVP_MD_CTX_init(&digest_ctx_);
224 }
~RsaDigestingOperation()225 RsaDigestingOperation::~RsaDigestingOperation() {
226 EVP_MD_CTX_cleanup(&digest_ctx_);
227 }
228
GetOpensslPadding(keymaster_error_t * error)229 int RsaDigestingOperation::GetOpensslPadding(keymaster_error_t* error) {
230 *error = KM_ERROR_OK;
231 switch (padding_) {
232 case KM_PAD_NONE:
233 return RSA_NO_PADDING;
234 case KM_PAD_RSA_PKCS1_1_5_SIGN:
235 return RSA_PKCS1_PADDING;
236 case KM_PAD_RSA_PSS:
237 if (digest_ == KM_DIGEST_NONE) {
238 *error = KM_ERROR_INCOMPATIBLE_PADDING_MODE;
239 return -1;
240 }
241 if (EVP_MD_size(digest_algorithm_) + kPssOverhead + kMinPssSaltSize >
242 (size_t)EVP_PKEY_size(rsa_key_)) {
243 LOG_E("Input too long: %d-byte digest cannot be used with %d-byte RSA key in PSS "
244 "padding mode",
245 EVP_MD_size(digest_algorithm_), EVP_PKEY_size(rsa_key_));
246 *error = KM_ERROR_INCOMPATIBLE_DIGEST;
247 return -1;
248 }
249 return RSA_PKCS1_PSS_PADDING;
250 default:
251 return -1;
252 }
253 }
254
Begin(const AuthorizationSet & input_params,AuthorizationSet * output_params)255 keymaster_error_t RsaSignOperation::Begin(const AuthorizationSet& input_params,
256 AuthorizationSet* output_params) {
257 keymaster_error_t error = RsaDigestingOperation::Begin(input_params, output_params);
258 if (error != KM_ERROR_OK)
259 return error;
260
261 if (digest_ == KM_DIGEST_NONE)
262 return KM_ERROR_OK;
263
264 EVP_PKEY_CTX* pkey_ctx;
265 if (EVP_DigestSignInit(&digest_ctx_, &pkey_ctx, digest_algorithm_, nullptr /* engine */,
266 rsa_key_) != 1)
267 return TranslateLastOpenSslError();
268 return SetRsaPaddingInEvpContext(pkey_ctx);
269 }
270
Update(const AuthorizationSet & additional_params,const Buffer & input,AuthorizationSet * output_params,Buffer * output,size_t * input_consumed)271 keymaster_error_t RsaSignOperation::Update(const AuthorizationSet& additional_params,
272 const Buffer& input, AuthorizationSet* output_params,
273 Buffer* output, size_t* input_consumed) {
274 if (digest_ == KM_DIGEST_NONE)
275 // Just buffer the data.
276 return RsaOperation::Update(additional_params, input, output_params, output,
277 input_consumed);
278
279 if (EVP_DigestSignUpdate(&digest_ctx_, input.peek_read(), input.available_read()) != 1)
280 return TranslateLastOpenSslError();
281 *input_consumed = input.available_read();
282 return KM_ERROR_OK;
283 }
284
Finish(const AuthorizationSet &,const Buffer &,AuthorizationSet *,Buffer * output)285 keymaster_error_t RsaSignOperation::Finish(const AuthorizationSet& /* additional_params */,
286 const Buffer& /* signature */,
287 AuthorizationSet* /* output_params */, Buffer* output) {
288 assert(output);
289
290 if (digest_ == KM_DIGEST_NONE)
291 return SignUndigested(output);
292 else
293 return SignDigested(output);
294 }
295
zero_pad_left(UniquePtr<uint8_t[]> * dest,size_t padded_len,Buffer & src)296 static keymaster_error_t zero_pad_left(UniquePtr<uint8_t[]>* dest, size_t padded_len, Buffer& src) {
297 assert(padded_len > src.available_read());
298
299 dest->reset(new uint8_t[padded_len]);
300 if (!dest->get())
301 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
302
303 size_t padding_len = padded_len - src.available_read();
304 memset(dest->get(), 0, padding_len);
305 if (!src.read(dest->get() + padding_len, src.available_read()))
306 return KM_ERROR_UNKNOWN_ERROR;
307
308 return KM_ERROR_OK;
309 }
310
SignUndigested(Buffer * output)311 keymaster_error_t RsaSignOperation::SignUndigested(Buffer* output) {
312 UniquePtr<RSA, RSA_Delete> rsa(EVP_PKEY_get1_RSA(const_cast<EVP_PKEY*>(rsa_key_)));
313 if (!rsa.get())
314 return TranslateLastOpenSslError();
315
316 if (!output->Reinitialize(RSA_size(rsa.get())))
317 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
318
319 size_t key_len = EVP_PKEY_size(rsa_key_);
320 int bytes_encrypted;
321 switch (padding_) {
322 case KM_PAD_NONE: {
323 const uint8_t* to_encrypt = data_.peek_read();
324 UniquePtr<uint8_t[]> zero_padded;
325 if (data_.available_read() > key_len) {
326 return KM_ERROR_INVALID_INPUT_LENGTH;
327 } else if (data_.available_read() < key_len) {
328 keymaster_error_t error = zero_pad_left(&zero_padded, key_len, data_);
329 if (error != KM_ERROR_OK)
330 return error;
331 to_encrypt = zero_padded.get();
332 }
333 bytes_encrypted = RSA_private_encrypt(key_len, to_encrypt, output->peek_write(), rsa.get(),
334 RSA_NO_PADDING);
335 break;
336 }
337 case KM_PAD_RSA_PKCS1_1_5_SIGN:
338 // Does PKCS1 padding without digesting even make sense? Dunno. We'll support it.
339 if (data_.available_read() + kPkcs1UndigestedSignaturePaddingOverhead > key_len) {
340 LOG_E("Input too long: cannot sign %u-byte message with PKCS1 padding with %u-bit key",
341 data_.available_read(), EVP_PKEY_size(rsa_key_) * 8);
342 return KM_ERROR_INVALID_INPUT_LENGTH;
343 }
344 bytes_encrypted = RSA_private_encrypt(data_.available_read(), data_.peek_read(),
345 output->peek_write(), rsa.get(), RSA_PKCS1_PADDING);
346 break;
347
348 default:
349 return KM_ERROR_UNSUPPORTED_PADDING_MODE;
350 }
351
352 if (bytes_encrypted <= 0)
353 return TranslateLastOpenSslError();
354 if (!output->advance_write(bytes_encrypted))
355 return KM_ERROR_UNKNOWN_ERROR;
356 return KM_ERROR_OK;
357 }
358
SignDigested(Buffer * output)359 keymaster_error_t RsaSignOperation::SignDigested(Buffer* output) {
360 size_t siglen;
361 if (EVP_DigestSignFinal(&digest_ctx_, nullptr /* signature */, &siglen) != 1)
362 return TranslateLastOpenSslError();
363
364 if (!output->Reinitialize(siglen))
365 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
366
367 if (EVP_DigestSignFinal(&digest_ctx_, output->peek_write(), &siglen) <= 0)
368 return TranslateLastOpenSslError();
369 if (!output->advance_write(siglen))
370 return KM_ERROR_UNKNOWN_ERROR;
371
372 return KM_ERROR_OK;
373 }
374
Begin(const AuthorizationSet & input_params,AuthorizationSet * output_params)375 keymaster_error_t RsaVerifyOperation::Begin(const AuthorizationSet& input_params,
376 AuthorizationSet* output_params) {
377 keymaster_error_t error = RsaDigestingOperation::Begin(input_params, output_params);
378 if (error != KM_ERROR_OK)
379 return error;
380
381 if (digest_ == KM_DIGEST_NONE)
382 return KM_ERROR_OK;
383
384 EVP_PKEY_CTX* pkey_ctx;
385 if (EVP_DigestVerifyInit(&digest_ctx_, &pkey_ctx, digest_algorithm_, NULL, rsa_key_) != 1)
386 return TranslateLastOpenSslError();
387 return SetRsaPaddingInEvpContext(pkey_ctx);
388 }
389
Update(const AuthorizationSet & additional_params,const Buffer & input,AuthorizationSet * output_params,Buffer * output,size_t * input_consumed)390 keymaster_error_t RsaVerifyOperation::Update(const AuthorizationSet& additional_params,
391 const Buffer& input, AuthorizationSet* output_params,
392 Buffer* output, size_t* input_consumed) {
393 if (digest_ == KM_DIGEST_NONE)
394 // Just buffer the data.
395 return RsaOperation::Update(additional_params, input, output_params, output,
396 input_consumed);
397
398 if (EVP_DigestVerifyUpdate(&digest_ctx_, input.peek_read(), input.available_read()) != 1)
399 return TranslateLastOpenSslError();
400 *input_consumed = input.available_read();
401 return KM_ERROR_OK;
402 }
403
Finish(const AuthorizationSet &,const Buffer & signature,AuthorizationSet *,Buffer *)404 keymaster_error_t RsaVerifyOperation::Finish(const AuthorizationSet& /* additional_params */,
405 const Buffer& signature,
406 AuthorizationSet* /* output_params */,
407 Buffer* /* output */) {
408 if (digest_ == KM_DIGEST_NONE)
409 return VerifyUndigested(signature);
410 else
411 return VerifyDigested(signature);
412 }
413
VerifyUndigested(const Buffer & signature)414 keymaster_error_t RsaVerifyOperation::VerifyUndigested(const Buffer& signature) {
415 UniquePtr<RSA, RSA_Delete> rsa(EVP_PKEY_get1_RSA(const_cast<EVP_PKEY*>(rsa_key_)));
416 if (!rsa.get())
417 return KM_ERROR_UNKNOWN_ERROR;
418
419 size_t key_len = RSA_size(rsa.get());
420 int openssl_padding;
421 switch (padding_) {
422 case KM_PAD_NONE:
423 if (data_.available_read() > key_len)
424 return KM_ERROR_INVALID_INPUT_LENGTH;
425 if (key_len != signature.available_read())
426 return KM_ERROR_VERIFICATION_FAILED;
427 openssl_padding = RSA_NO_PADDING;
428 break;
429 case KM_PAD_RSA_PKCS1_1_5_SIGN:
430 if (data_.available_read() + kPkcs1UndigestedSignaturePaddingOverhead > key_len) {
431 LOG_E("Input too long: cannot verify %u-byte message with PKCS1 padding && %u-bit key",
432 data_.available_read(), key_len * 8);
433 return KM_ERROR_INVALID_INPUT_LENGTH;
434 }
435 openssl_padding = RSA_PKCS1_PADDING;
436 break;
437 default:
438 return KM_ERROR_UNSUPPORTED_PADDING_MODE;
439 }
440
441 UniquePtr<uint8_t[]> decrypted_data(new (std::nothrow) uint8_t[key_len]);
442 if (!decrypted_data.get())
443 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
444 int bytes_decrypted = RSA_public_decrypt(signature.available_read(), signature.peek_read(),
445 decrypted_data.get(), rsa.get(), openssl_padding);
446 if (bytes_decrypted < 0)
447 return KM_ERROR_VERIFICATION_FAILED;
448
449 const uint8_t* compare_pos = decrypted_data.get();
450 size_t bytes_to_compare = bytes_decrypted;
451 uint8_t zero_check_result = 0;
452 if (padding_ == KM_PAD_NONE && data_.available_read() < bytes_to_compare) {
453 // If the data is short, for "unpadded" signing we zero-pad to the left. So during
454 // verification we should have zeros on the left of the decrypted data. Do a constant-time
455 // check.
456 const uint8_t* zero_end = compare_pos + bytes_to_compare - data_.available_read();
457 while (compare_pos < zero_end)
458 zero_check_result |= *compare_pos++;
459 bytes_to_compare = data_.available_read();
460 }
461 if (memcmp_s(compare_pos, data_.peek_read(), bytes_to_compare) != 0 || zero_check_result != 0)
462 return KM_ERROR_VERIFICATION_FAILED;
463 return KM_ERROR_OK;
464 }
465
VerifyDigested(const Buffer & signature)466 keymaster_error_t RsaVerifyOperation::VerifyDigested(const Buffer& signature) {
467 if (!EVP_DigestVerifyFinal(&digest_ctx_, signature.peek_read(), signature.available_read()))
468 return KM_ERROR_VERIFICATION_FAILED;
469 return KM_ERROR_OK;
470 }
471
SetOaepDigestIfRequired(EVP_PKEY_CTX * pkey_ctx)472 keymaster_error_t RsaCryptOperation::SetOaepDigestIfRequired(EVP_PKEY_CTX* pkey_ctx) {
473 if (padding() != KM_PAD_RSA_OAEP)
474 return KM_ERROR_OK;
475
476 assert(digest_algorithm_ != nullptr);
477 if (!EVP_PKEY_CTX_set_rsa_oaep_md(pkey_ctx, digest_algorithm_))
478 return TranslateLastOpenSslError();
479
480 // MGF1 MD is always SHA1.
481 if (!EVP_PKEY_CTX_set_rsa_mgf1_md(pkey_ctx, EVP_sha1()))
482 return TranslateLastOpenSslError();
483
484 return KM_ERROR_OK;
485 }
486
GetOpensslPadding(keymaster_error_t * error)487 int RsaCryptOperation::GetOpensslPadding(keymaster_error_t* error) {
488 *error = KM_ERROR_OK;
489 switch (padding_) {
490 case KM_PAD_NONE:
491 return RSA_NO_PADDING;
492 case KM_PAD_RSA_PKCS1_1_5_ENCRYPT:
493 return RSA_PKCS1_PADDING;
494 case KM_PAD_RSA_OAEP:
495 return RSA_PKCS1_OAEP_PADDING;
496 default:
497 return -1;
498 }
499 }
500
501 struct EVP_PKEY_CTX_Delete {
operator ()keymaster::EVP_PKEY_CTX_Delete502 void operator()(EVP_PKEY_CTX* p) { EVP_PKEY_CTX_free(p); }
503 };
504
Finish(const AuthorizationSet &,const Buffer &,AuthorizationSet *,Buffer * output)505 keymaster_error_t RsaEncryptOperation::Finish(const AuthorizationSet& /* additional_params */,
506 const Buffer& /* signature */,
507 AuthorizationSet* /* output_params */,
508 Buffer* output) {
509 assert(output);
510
511 UniquePtr<EVP_PKEY_CTX, EVP_PKEY_CTX_Delete> ctx(
512 EVP_PKEY_CTX_new(rsa_key_, nullptr /* engine */));
513 if (!ctx.get())
514 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
515
516 if (EVP_PKEY_encrypt_init(ctx.get()) <= 0)
517 return TranslateLastOpenSslError();
518
519 keymaster_error_t error = SetRsaPaddingInEvpContext(ctx.get());
520 if (error != KM_ERROR_OK)
521 return error;
522 error = SetOaepDigestIfRequired(ctx.get());
523 if (error != KM_ERROR_OK)
524 return error;
525
526 size_t outlen;
527 if (EVP_PKEY_encrypt(ctx.get(), nullptr /* out */, &outlen, data_.peek_read(),
528 data_.available_read()) <= 0)
529 return TranslateLastOpenSslError();
530
531 if (!output->Reinitialize(outlen))
532 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
533
534 const uint8_t* to_encrypt = data_.peek_read();
535 size_t to_encrypt_len = data_.available_read();
536 UniquePtr<uint8_t[]> zero_padded;
537 if (padding_ == KM_PAD_NONE && to_encrypt_len < outlen) {
538 keymaster_error_t error = zero_pad_left(&zero_padded, outlen, data_);
539 if (error != KM_ERROR_OK)
540 return error;
541 to_encrypt = zero_padded.get();
542 to_encrypt_len = outlen;
543 }
544
545 if (EVP_PKEY_encrypt(ctx.get(), output->peek_write(), &outlen, to_encrypt, to_encrypt_len) <= 0)
546 return TranslateLastOpenSslError();
547 if (!output->advance_write(outlen))
548 return KM_ERROR_UNKNOWN_ERROR;
549
550 return KM_ERROR_OK;
551 }
552
Finish(const AuthorizationSet &,const Buffer &,AuthorizationSet *,Buffer * output)553 keymaster_error_t RsaDecryptOperation::Finish(const AuthorizationSet& /* additional_params */,
554 const Buffer& /* signature */,
555 AuthorizationSet* /* output_params */,
556 Buffer* output) {
557 assert(output);
558
559 UniquePtr<EVP_PKEY_CTX, EVP_PKEY_CTX_Delete> ctx(
560 EVP_PKEY_CTX_new(rsa_key_, nullptr /* engine */));
561 if (!ctx.get())
562 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
563
564 if (EVP_PKEY_decrypt_init(ctx.get()) <= 0)
565 return TranslateLastOpenSslError();
566
567 keymaster_error_t error = SetRsaPaddingInEvpContext(ctx.get());
568 if (error != KM_ERROR_OK)
569 return error;
570 error = SetOaepDigestIfRequired(ctx.get());
571 if (error != KM_ERROR_OK)
572 return error;
573
574 size_t outlen;
575 if (EVP_PKEY_decrypt(ctx.get(), nullptr /* out */, &outlen, data_.peek_read(),
576 data_.available_read()) <= 0)
577 return TranslateLastOpenSslError();
578
579 if (!output->Reinitialize(outlen))
580 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
581
582 const uint8_t* to_decrypt = data_.peek_read();
583 size_t to_decrypt_len = data_.available_read();
584 UniquePtr<uint8_t[]> zero_padded;
585 if (padding_ == KM_PAD_NONE && to_decrypt_len < outlen) {
586 keymaster_error_t error = zero_pad_left(&zero_padded, outlen, data_);
587 if (error != KM_ERROR_OK)
588 return error;
589 to_decrypt = zero_padded.get();
590 to_decrypt_len = outlen;
591 }
592
593 if (EVP_PKEY_decrypt(ctx.get(), output->peek_write(), &outlen, to_decrypt, to_decrypt_len) <= 0)
594 return TranslateLastOpenSslError();
595 if (!output->advance_write(outlen))
596 return KM_ERROR_UNKNOWN_ERROR;
597
598 return KM_ERROR_OK;
599 }
600
601 } // namespace keymaster
602