• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /* Copyright 2014 The Android Open Source Project
2  *
3  * Redistribution and use in source and binary forms, with or without
4  * modification, are permitted provided that the following conditions
5  * are met:
6  * 1. Redistributions of source code must retain the above copyright
7  *    notice, this list of conditions and the following disclaimer.
8  * 2. Redistributions in binary form must reproduce the above copyright
9  *    notice, this list of conditions and the following disclaimer in the
10  *    documentation and/or other materials provided with the distribution.
11  *
12  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY
13  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
14  * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
15  * DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY
16  * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
17  * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
18  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
19  * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
20  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
21  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
22 
23 #include <UniquePtr.h>
24 
25 #include <sys/socket.h>
26 #include <stdarg.h>
27 #include <string.h>
28 #include <unistd.h>
29 
30 #include <openssl/bn.h>
31 #include <openssl/ec.h>
32 #include <openssl/ec_key.h>
33 #include <openssl/ecdsa.h>
34 #include <openssl/engine.h>
35 #include <openssl/evp.h>
36 #include <openssl/rsa.h>
37 #include <openssl/x509.h>
38 
39 #include <binder/IServiceManager.h>
40 #include <keystore/keystore.h>
41 #include <keystore/IKeystoreService.h>
42 
43 using namespace android;
44 
45 namespace {
46 
47 extern const RSA_METHOD keystore_rsa_method;
48 extern const ECDSA_METHOD keystore_ecdsa_method;
49 
50 /* key_id_dup is called when one of the RSA or EC_KEY objects is duplicated. */
key_id_dup(CRYPTO_EX_DATA *,const CRYPTO_EX_DATA *,void ** from_d,int,long,void *)51 int key_id_dup(CRYPTO_EX_DATA* /* to */,
52                const CRYPTO_EX_DATA* /* from */,
53                void** from_d,
54                int /* index */,
55                long /* argl */,
56                void* /* argp */) {
57     char *key_id = reinterpret_cast<char *>(*from_d);
58     if (key_id != NULL) {
59         *from_d = strdup(key_id);
60     }
61     return 1;
62 }
63 
64 /* key_id_free is called when one of the RSA, DSA or EC_KEY object is freed. */
key_id_free(void *,void * ptr,CRYPTO_EX_DATA *,int,long,void *)65 void key_id_free(void* /* parent */,
66                  void* ptr,
67                  CRYPTO_EX_DATA* /* ad */,
68                  int /* index */,
69                  long /* argl */,
70                  void* /* argp */) {
71     char *key_id = reinterpret_cast<char *>(ptr);
72     free(key_id);
73 }
74 
75 /* KeystoreEngine is a BoringSSL ENGINE that implements RSA and ECDSA by
76  * forwarding the requested operations to Keystore. */
77 class KeystoreEngine {
78  public:
KeystoreEngine()79   KeystoreEngine()
80       : rsa_index_(RSA_get_ex_new_index(0 /* argl */,
81                                         NULL /* argp */,
82                                         NULL /* new_func */,
83                                         key_id_dup,
84                                         key_id_free)),
85         ec_key_index_(EC_KEY_get_ex_new_index(0 /* argl */,
86                                               NULL /* argp */,
87                                               NULL /* new_func */,
88                                               key_id_dup,
89                                               key_id_free)),
90         engine_(ENGINE_new()) {
91     ENGINE_set_RSA_method(
92         engine_, &keystore_rsa_method, sizeof(keystore_rsa_method));
93     ENGINE_set_ECDSA_method(
94         engine_, &keystore_ecdsa_method, sizeof(keystore_ecdsa_method));
95   }
96 
rsa_ex_index() const97   int rsa_ex_index() const { return rsa_index_; }
ec_key_ex_index() const98   int ec_key_ex_index() const { return ec_key_index_; }
99 
engine() const100   const ENGINE* engine() const { return engine_; }
101 
102  private:
103   const int rsa_index_;
104   const int ec_key_index_;
105   ENGINE* const engine_;
106 };
107 
108 pthread_once_t g_keystore_engine_once = PTHREAD_ONCE_INIT;
109 KeystoreEngine *g_keystore_engine;
110 
111 /* init_keystore_engine is called to initialize |g_keystore_engine|. This
112  * should only be called by |pthread_once|. */
init_keystore_engine()113 void init_keystore_engine() {
114     g_keystore_engine = new KeystoreEngine;
115 }
116 
117 /* ensure_keystore_engine ensures that |g_keystore_engine| is pointing to a
118  * valid |KeystoreEngine| object and creates one if not. */
ensure_keystore_engine()119 void ensure_keystore_engine() {
120     pthread_once(&g_keystore_engine_once, init_keystore_engine);
121 }
122 
123 /* Many OpenSSL APIs take ownership of an argument on success but don't free
124  * the argument on failure. This means we need to tell our scoped pointers when
125  * we've transferred ownership, without triggering a warning by not using the
126  * result of release(). */
127 #define OWNERSHIP_TRANSFERRED(obj) \
128     typeof (obj.release()) _dummy __attribute__((unused)) = obj.release()
129 
rsa_get_key_id(const RSA * rsa)130 const char* rsa_get_key_id(const RSA* rsa) {
131   return reinterpret_cast<char*>(
132       RSA_get_ex_data(rsa, g_keystore_engine->rsa_ex_index()));
133 }
134 
135 /* rsa_private_transform takes a big-endian integer from |in|, calculates the
136  * d'th power of it, modulo the RSA modulus, and writes the result as a
137  * big-endian integer to |out|. Both |in| and |out| are |len| bytes long. It
138  * returns one on success and zero otherwise. */
rsa_private_transform(RSA * rsa,uint8_t * out,const uint8_t * in,size_t len)139 int rsa_private_transform(RSA *rsa, uint8_t *out, const uint8_t *in, size_t len) {
140     ALOGV("rsa_private_transform(%p, %p, %p, %u)", rsa, out, in, (unsigned) len);
141 
142     const char *key_id = rsa_get_key_id(rsa);
143     if (key_id == NULL) {
144         ALOGE("key had no key_id!");
145         return 0;
146     }
147 
148     sp<IServiceManager> sm = defaultServiceManager();
149     sp<IBinder> binder = sm->getService(String16("android.security.keystore"));
150     sp<IKeystoreService> service = interface_cast<IKeystoreService>(binder);
151 
152     if (service == NULL) {
153         ALOGE("could not contact keystore");
154         return 0;
155     }
156 
157     uint8_t* reply = NULL;
158     size_t reply_len;
159     int32_t ret = service->sign(String16(key_id), in, len, &reply, &reply_len);
160     if (ret < 0) {
161         ALOGW("There was an error during rsa_decrypt: could not connect");
162         return 0;
163     } else if (ret != 0) {
164         ALOGW("Error during sign from keystore: %d", ret);
165         return 0;
166     } else if (reply_len == 0) {
167         ALOGW("No valid signature returned");
168         free(reply);
169         return 0;
170     }
171 
172     if (reply_len > len) {
173         /* The result of the RSA operation can never be larger than the size of
174          * the modulus so we assume that the result has extra zeros on the
175          * left. This provides attackers with an oracle, but there's nothing
176          * that we can do about it here. */
177         memcpy(out, reply + reply_len - len, len);
178     } else if (reply_len < len) {
179         /* If the Keystore implementation returns a short value we assume that
180          * it's because it removed leading zeros from the left side. This is
181          * bad because it provides attackers with an oracle but we cannot do
182          * anything about a broken Keystore implementation here. */
183         memset(out, 0, len);
184         memcpy(out + len - reply_len, reply, reply_len);
185     } else {
186         memcpy(out, reply, len);
187     }
188 
189     free(reply);
190 
191     ALOGV("rsa=%p keystore_rsa_priv_dec successful", rsa);
192     return 1;
193 }
194 
195 const struct rsa_meth_st keystore_rsa_method = {
196   {
197     0 /* references */,
198     1 /* is_static */,
199   },
200   NULL /* app_data */,
201 
202   NULL /* init */,
203   NULL /* finish */,
204 
205   NULL /* size */,
206 
207   NULL /* sign */,
208   NULL /* verify */,
209 
210   NULL /* encrypt */,
211   NULL /* sign_raw */,
212   NULL /* decrypt */,
213   NULL /* verify_raw */,
214 
215   rsa_private_transform,
216 
217   NULL /* mod_exp */,
218   NULL /* bn_mod_exp */,
219 
220   RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_OPAQUE | RSA_FLAG_EXT_PKEY,
221 
222   NULL /* keygen */,
223   NULL /* multi_prime_keygen */,
224   NULL /* supports_digest */,
225 };
226 
ecdsa_get_key_id(const EC_KEY * ec_key)227 const char* ecdsa_get_key_id(const EC_KEY* ec_key) {
228     return reinterpret_cast<char*>(
229         EC_KEY_get_ex_data(ec_key, g_keystore_engine->ec_key_ex_index()));
230 }
231 
232 /* ecdsa_sign signs |digest_len| bytes from |digest| with |ec_key| and writes
233  * the resulting signature (an ASN.1 encoded blob) to |sig|. It returns one on
234  * success and zero otherwise. */
ecdsa_sign(const uint8_t * digest,size_t digest_len,uint8_t * sig,unsigned int * sig_len,EC_KEY * ec_key)235 static int ecdsa_sign(const uint8_t* digest, size_t digest_len, uint8_t* sig,
236                       unsigned int* sig_len, EC_KEY* ec_key) {
237     ALOGV("ecdsa_sign(%p, %u, %p)", digest, (unsigned) digest_len, ec_key);
238 
239     const char *key_id = ecdsa_get_key_id(ec_key);
240     if (key_id == NULL) {
241         ALOGE("key had no key_id!");
242         return 0;
243     }
244 
245     sp<IServiceManager> sm = defaultServiceManager();
246     sp<IBinder> binder = sm->getService(String16("android.security.keystore"));
247     sp<IKeystoreService> service = interface_cast<IKeystoreService>(binder);
248 
249     if (service == NULL) {
250         ALOGE("could not contact keystore");
251         return 0;
252     }
253 
254     size_t ecdsa_size = ECDSA_size(ec_key);
255 
256     uint8_t* reply = NULL;
257     size_t reply_len;
258     int32_t ret = service->sign(String16(reinterpret_cast<const char*>(key_id)),
259                                 digest, digest_len, &reply, &reply_len);
260     if (ret < 0) {
261         ALOGW("There was an error during ecdsa_sign: could not connect");
262         return 0;
263     } else if (ret != 0) {
264         ALOGW("Error during sign from keystore: %d", ret);
265         return 0;
266     } else if (reply_len == 0) {
267         ALOGW("No valid signature returned");
268         free(reply);
269         return 0;
270     } else if (reply_len > ecdsa_size) {
271         ALOGW("Signature is too large");
272         free(reply);
273         return 0;
274     }
275 
276     memcpy(sig, reply, reply_len);
277     *sig_len = reply_len;
278 
279     ALOGV("ecdsa_sign(%p, %u, %p) => success", digest, (unsigned)digest_len,
280           ec_key);
281     return 1;
282 }
283 
284 const ECDSA_METHOD keystore_ecdsa_method = {
285     {
286      0 /* references */,
287      1 /* is_static */
288     } /* common */,
289     NULL /* app_data */,
290 
291     NULL /* init */,
292     NULL /* finish */,
293     NULL /* group_order_size */,
294     ecdsa_sign,
295     NULL /* verify */,
296     ECDSA_FLAG_OPAQUE,
297 };
298 
299 struct EVP_PKEY_Delete {
operator ()__anon110653d50111::EVP_PKEY_Delete300     void operator()(EVP_PKEY* p) const {
301         EVP_PKEY_free(p);
302     }
303 };
304 typedef UniquePtr<EVP_PKEY, EVP_PKEY_Delete> Unique_EVP_PKEY;
305 
306 struct RSA_Delete {
operator ()__anon110653d50111::RSA_Delete307     void operator()(RSA* p) const {
308         RSA_free(p);
309     }
310 };
311 typedef UniquePtr<RSA, RSA_Delete> Unique_RSA;
312 
313 struct EC_KEY_Delete {
operator ()__anon110653d50111::EC_KEY_Delete314     void operator()(EC_KEY* ec) const {
315         EC_KEY_free(ec);
316     }
317 };
318 typedef UniquePtr<EC_KEY, EC_KEY_Delete> Unique_EC_KEY;
319 
320 /* wrap_rsa returns an |EVP_PKEY| that contains an RSA key where the public
321  * part is taken from |public_rsa| and the private operations are forwarded to
322  * KeyStore and operate on the key named |key_id|. */
wrap_rsa(const char * key_id,const RSA * public_rsa)323 static EVP_PKEY *wrap_rsa(const char *key_id, const RSA *public_rsa) {
324     Unique_RSA rsa(RSA_new_method(g_keystore_engine->engine()));
325     if (rsa.get() == NULL) {
326         return NULL;
327     }
328 
329     char *key_id_copy = strdup(key_id);
330     if (key_id_copy == NULL) {
331         return NULL;
332     }
333 
334     if (!RSA_set_ex_data(rsa.get(), g_keystore_engine->rsa_ex_index(),
335                          key_id_copy)) {
336         free(key_id_copy);
337         return NULL;
338     }
339 
340     rsa->n = BN_dup(public_rsa->n);
341     rsa->e = BN_dup(public_rsa->e);
342     if (rsa->n == NULL || rsa->e == NULL) {
343         return NULL;
344     }
345 
346     Unique_EVP_PKEY result(EVP_PKEY_new());
347     if (result.get() == NULL ||
348         !EVP_PKEY_assign_RSA(result.get(), rsa.get())) {
349         return NULL;
350     }
351     OWNERSHIP_TRANSFERRED(rsa);
352 
353     return result.release();
354 }
355 
356 /* wrap_ecdsa returns an |EVP_PKEY| that contains an ECDSA key where the public
357  * part is taken from |public_rsa| and the private operations are forwarded to
358  * KeyStore and operate on the key named |key_id|. */
wrap_ecdsa(const char * key_id,const EC_KEY * public_ecdsa)359 static EVP_PKEY *wrap_ecdsa(const char *key_id, const EC_KEY *public_ecdsa) {
360     Unique_EC_KEY ec(EC_KEY_new_method(g_keystore_engine->engine()));
361     if (ec.get() == NULL) {
362         return NULL;
363     }
364 
365     if (!EC_KEY_set_group(ec.get(), EC_KEY_get0_group(public_ecdsa)) ||
366         !EC_KEY_set_public_key(ec.get(), EC_KEY_get0_public_key(public_ecdsa))) {
367         return NULL;
368     }
369 
370     char *key_id_copy = strdup(key_id);
371     if (key_id_copy == NULL) {
372         return NULL;
373     }
374 
375     if (!EC_KEY_set_ex_data(ec.get(), g_keystore_engine->ec_key_ex_index(),
376                             key_id_copy)) {
377         free(key_id_copy);
378         return NULL;
379     }
380 
381     Unique_EVP_PKEY result(EVP_PKEY_new());
382     if (result.get() == NULL ||
383         !EVP_PKEY_assign_EC_KEY(result.get(), ec.get())) {
384         return NULL;
385     }
386     OWNERSHIP_TRANSFERRED(ec);
387 
388     return result.release();
389 }
390 
391 }  /* anonymous namespace */
392 
393 extern "C" {
394 
395 EVP_PKEY* EVP_PKEY_from_keystore(const char* key_id) __attribute__((visibility("default")));
396 
397 /* EVP_PKEY_from_keystore returns an |EVP_PKEY| that contains either an RSA or
398  * ECDSA key where the public part of the key reflects the value of the key
399  * named |key_id| in Keystore and the private operations are forwarded onto
400  * KeyStore. */
EVP_PKEY_from_keystore(const char * key_id)401 EVP_PKEY* EVP_PKEY_from_keystore(const char* key_id) {
402     ALOGV("EVP_PKEY_from_keystore(\"%s\")", key_id);
403 
404     sp<IServiceManager> sm = defaultServiceManager();
405     sp<IBinder> binder = sm->getService(String16("android.security.keystore"));
406     sp<IKeystoreService> service = interface_cast<IKeystoreService>(binder);
407 
408     if (service == NULL) {
409         ALOGE("could not contact keystore");
410         return 0;
411     }
412 
413     uint8_t *pubkey = NULL;
414     size_t pubkey_len;
415     int32_t ret = service->get_pubkey(String16(key_id), &pubkey, &pubkey_len);
416     if (ret < 0) {
417         ALOGW("could not contact keystore");
418         return NULL;
419     } else if (ret != 0) {
420         ALOGW("keystore reports error: %d", ret);
421         return NULL;
422     }
423 
424     const uint8_t *inp = pubkey;
425     Unique_EVP_PKEY pkey(d2i_PUBKEY(NULL, &inp, pubkey_len));
426     free(pubkey);
427     if (pkey.get() == NULL) {
428         ALOGW("Cannot convert pubkey");
429         return NULL;
430     }
431 
432     ensure_keystore_engine();
433 
434     EVP_PKEY *result;
435     switch (EVP_PKEY_type(pkey->type)) {
436     case EVP_PKEY_RSA: {
437         Unique_RSA public_rsa(EVP_PKEY_get1_RSA(pkey.get()));
438         result = wrap_rsa(key_id, public_rsa.get());
439         break;
440     }
441     case EVP_PKEY_EC: {
442         Unique_EC_KEY public_ecdsa(EVP_PKEY_get1_EC_KEY(pkey.get()));
443         result = wrap_ecdsa(key_id, public_ecdsa.get());
444         break;
445     }
446     default:
447         ALOGE("Unsupported key type %d", EVP_PKEY_type(pkey->type));
448         result = NULL;
449     }
450 
451     return result;
452 }
453 
454 }  // extern "C"
455