• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright 2015 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include "keymaster1_engine.h"
18 
19 #include <assert.h>
20 
21 #include <algorithm>
22 #include <memory>
23 
24 #define LOG_TAG "Keymaster1Engine"
25 #include <cutils/log.h>
26 
27 #include "keymaster/android_keymaster_utils.h"
28 
29 #include <openssl/bn.h>
30 #include <openssl/ec_key.h>
31 #include <openssl/ecdsa.h>
32 
33 #include "openssl_err.h"
34 #include "openssl_utils.h"
35 
36 using std::shared_ptr;
37 using std::unique_ptr;
38 
39 namespace keymaster {
40 
41 Keymaster1Engine* Keymaster1Engine::instance_ = nullptr;
42 
Keymaster1Engine(const keymaster1_device_t * keymaster1_device)43 Keymaster1Engine::Keymaster1Engine(const keymaster1_device_t* keymaster1_device)
44     : keymaster1_device_(keymaster1_device), engine_(ENGINE_new()),
45       rsa_index_(RSA_get_ex_new_index(0 /* argl */, NULL /* argp */, NULL /* new_func */,
46                                       Keymaster1Engine::duplicate_key_data,
47                                       Keymaster1Engine::free_key_data)),
48       ec_key_index_(EC_KEY_get_ex_new_index(0 /* argl */, NULL /* argp */, NULL /* new_func */,
49                                             Keymaster1Engine::duplicate_key_data,
50                                             Keymaster1Engine::free_key_data)),
51       rsa_method_(BuildRsaMethod()), ecdsa_method_(BuildEcdsaMethod()) {
52     assert(rsa_index_ != -1);
53     assert(ec_key_index_ != -1);
54     assert(keymaster1_device);
55     assert(!instance_);
56 
57     instance_ = this;
58 
59     ENGINE_set_RSA_method(engine_.get(), &rsa_method_, sizeof(rsa_method_));
60     ENGINE_set_ECDSA_method(engine_.get(), &ecdsa_method_, sizeof(ecdsa_method_));
61 }
62 
~Keymaster1Engine()63 Keymaster1Engine::~Keymaster1Engine() {
64     keymaster1_device_->common.close(
65         reinterpret_cast<hw_device_t*>(const_cast<keymaster1_device_t*>(keymaster1_device_)));
66     instance_ = nullptr;
67 }
68 
ConvertCharacteristics(keymaster_key_characteristics_t * characteristics,AuthorizationSet * hw_enforced,AuthorizationSet * sw_enforced)69 static void ConvertCharacteristics(keymaster_key_characteristics_t* characteristics,
70                                    AuthorizationSet* hw_enforced, AuthorizationSet* sw_enforced) {
71     unique_ptr<keymaster_key_characteristics_t, Characteristics_Delete> characteristics_deleter(
72         characteristics);
73     if (hw_enforced)
74         hw_enforced->Reinitialize(characteristics->hw_enforced);
75     if (sw_enforced)
76         sw_enforced->Reinitialize(characteristics->sw_enforced);
77 }
78 
GenerateKey(const AuthorizationSet & key_description,KeymasterKeyBlob * key_blob,AuthorizationSet * hw_enforced,AuthorizationSet * sw_enforced) const79 keymaster_error_t Keymaster1Engine::GenerateKey(const AuthorizationSet& key_description,
80                                                 KeymasterKeyBlob* key_blob,
81                                                 AuthorizationSet* hw_enforced,
82                                                 AuthorizationSet* sw_enforced) const {
83     assert(key_blob);
84 
85     keymaster_key_characteristics_t* characteristics;
86     keymaster_key_blob_t blob;
87     keymaster_error_t error = keymaster1_device_->generate_key(keymaster1_device_, &key_description,
88                                                                &blob, &characteristics);
89     if (error != KM_ERROR_OK)
90         return error;
91     unique_ptr<uint8_t, Malloc_Delete> blob_deleter(const_cast<uint8_t*>(blob.key_material));
92     key_blob->key_material = dup_buffer(blob.key_material, blob.key_material_size);
93     key_blob->key_material_size = blob.key_material_size;
94 
95     ConvertCharacteristics(characteristics, hw_enforced, sw_enforced);
96     return error;
97 }
98 
ImportKey(const AuthorizationSet & key_description,keymaster_key_format_t input_key_material_format,const KeymasterKeyBlob & input_key_material,KeymasterKeyBlob * output_key_blob,AuthorizationSet * hw_enforced,AuthorizationSet * sw_enforced) const99 keymaster_error_t Keymaster1Engine::ImportKey(const AuthorizationSet& key_description,
100                                               keymaster_key_format_t input_key_material_format,
101                                               const KeymasterKeyBlob& input_key_material,
102                                               KeymasterKeyBlob* output_key_blob,
103                                               AuthorizationSet* hw_enforced,
104                                               AuthorizationSet* sw_enforced) const {
105     assert(output_key_blob);
106 
107     keymaster_key_characteristics_t* characteristics;
108     const keymaster_blob_t input_key = {input_key_material.key_material,
109                                         input_key_material.key_material_size};
110     keymaster_key_blob_t blob;
111     keymaster_error_t error = keymaster1_device_->import_key(keymaster1_device_, &key_description,
112                                                              input_key_material_format, &input_key,
113                                                              &blob, &characteristics);
114     if (error != KM_ERROR_OK)
115         return error;
116     unique_ptr<uint8_t, Malloc_Delete> blob_deleter(const_cast<uint8_t*>(blob.key_material));
117     output_key_blob->key_material = dup_buffer(blob.key_material, blob.key_material_size);
118     output_key_blob->key_material_size = blob.key_material_size;
119 
120     ConvertCharacteristics(characteristics, hw_enforced, sw_enforced);
121     return error;
122 }
123 
DeleteKey(const KeymasterKeyBlob & blob) const124 keymaster_error_t Keymaster1Engine::DeleteKey(const KeymasterKeyBlob& blob) const {
125     if (!keymaster1_device_->delete_key)
126         return KM_ERROR_OK;
127     return keymaster1_device_->delete_key(keymaster1_device_, &blob);
128 }
129 
DeleteAllKeys() const130 keymaster_error_t Keymaster1Engine::DeleteAllKeys() const {
131     if (!keymaster1_device_->delete_all_keys)
132         return KM_ERROR_OK;
133     return keymaster1_device_->delete_all_keys(keymaster1_device_);
134 }
135 
BuildRsaKey(const KeymasterKeyBlob & blob,const AuthorizationSet & additional_params,keymaster_error_t * error) const136 RSA* Keymaster1Engine::BuildRsaKey(const KeymasterKeyBlob& blob,
137                                    const AuthorizationSet& additional_params,
138                                    keymaster_error_t* error) const {
139     // Create new RSA key (with engine methods) and add metadata
140     unique_ptr<RSA, RSA_Delete> rsa(RSA_new_method(engine_.get()));
141     if (!rsa) {
142         *error = TranslateLastOpenSslError();
143         return nullptr;
144     }
145 
146     KeyData* key_data = new KeyData(blob, additional_params);
147     if (!RSA_set_ex_data(rsa.get(), rsa_index_, key_data)) {
148         *error = TranslateLastOpenSslError();
149         delete key_data;
150         return nullptr;
151     }
152 
153     // Copy public key into new RSA key
154     unique_ptr<EVP_PKEY, EVP_PKEY_Delete> pkey(
155         GetKeymaster1PublicKey(key_data->key_material, key_data->begin_params, error));
156     if (!pkey) {
157         *error = TranslateLastOpenSslError();
158         return nullptr;
159     }
160 
161     unique_ptr<RSA, RSA_Delete> public_rsa(EVP_PKEY_get1_RSA(pkey.get()));
162     if (!public_rsa) {
163         *error = TranslateLastOpenSslError();
164         return nullptr;
165     }
166 
167     rsa->n = BN_dup(public_rsa->n);
168     rsa->e = BN_dup(public_rsa->e);
169     if (!rsa->n || !rsa->e) {
170         *error = TranslateLastOpenSslError();
171         return nullptr;
172     }
173 
174     *error = KM_ERROR_OK;
175     return rsa.release();
176 }
177 
BuildEcKey(const KeymasterKeyBlob & blob,const AuthorizationSet & additional_params,keymaster_error_t * error) const178 EC_KEY* Keymaster1Engine::BuildEcKey(const KeymasterKeyBlob& blob,
179                                      const AuthorizationSet& additional_params,
180                                      keymaster_error_t* error) const {
181     // Create new EC key (with engine methods) and insert blob
182     unique_ptr<EC_KEY, EC_KEY_Delete> ec_key(EC_KEY_new_method(engine_.get()));
183     if (!ec_key) {
184         *error = TranslateLastOpenSslError();
185         return nullptr;
186     }
187 
188     KeyData* key_data = new KeyData(blob, additional_params);
189     if (!EC_KEY_set_ex_data(ec_key.get(), ec_key_index_, key_data)) {
190         *error = TranslateLastOpenSslError();
191         delete key_data;
192         return nullptr;
193     }
194 
195     // Copy public key into new EC key
196     unique_ptr<EVP_PKEY, EVP_PKEY_Delete> pkey(
197         GetKeymaster1PublicKey(blob, additional_params, error));
198     if (!pkey) {
199         *error = TranslateLastOpenSslError();
200         return nullptr;
201     }
202 
203     unique_ptr<EC_KEY, EC_KEY_Delete> public_ec_key(EVP_PKEY_get1_EC_KEY(pkey.get()));
204     if (!public_ec_key) {
205         *error = TranslateLastOpenSslError();
206         return nullptr;
207     }
208 
209     if (!EC_KEY_set_group(ec_key.get(), EC_KEY_get0_group(public_ec_key.get())) ||
210         !EC_KEY_set_public_key(ec_key.get(), EC_KEY_get0_public_key(public_ec_key.get()))) {
211         *error = TranslateLastOpenSslError();
212         return nullptr;
213     }
214 
215     *error = KM_ERROR_OK;
216     return ec_key.release();
217 }
218 
GetData(EVP_PKEY * key) const219 Keymaster1Engine::KeyData* Keymaster1Engine::GetData(EVP_PKEY* key) const {
220     switch (EVP_PKEY_type(key->type)) {
221     case EVP_PKEY_RSA: {
222         unique_ptr<RSA, RSA_Delete> rsa(EVP_PKEY_get1_RSA(key));
223         return GetData(rsa.get());
224     }
225 
226     case EVP_PKEY_EC: {
227         unique_ptr<EC_KEY, EC_KEY_Delete> ec_key(EVP_PKEY_get1_EC_KEY(key));
228         return GetData(ec_key.get());
229     }
230 
231     default:
232         return nullptr;
233     };
234 }
235 
GetData(const RSA * rsa) const236 Keymaster1Engine::KeyData* Keymaster1Engine::GetData(const RSA* rsa) const {
237     if (!rsa)
238         return nullptr;
239     return reinterpret_cast<KeyData*>(RSA_get_ex_data(rsa, rsa_index_));
240 }
241 
GetData(const EC_KEY * ec_key) const242 Keymaster1Engine::KeyData* Keymaster1Engine::GetData(const EC_KEY* ec_key) const {
243     if (!ec_key)
244         return nullptr;
245     return reinterpret_cast<KeyData*>(EC_KEY_get_ex_data(ec_key, ec_key_index_));
246 }
247 
248 /* static */
duplicate_key_data(CRYPTO_EX_DATA *,const CRYPTO_EX_DATA *,void ** from_d,int,long,void *)249 int Keymaster1Engine::duplicate_key_data(CRYPTO_EX_DATA* /* to */, const CRYPTO_EX_DATA* /* from */,
250                                          void** from_d, int /* index */, long /* argl */,
251                                          void* /* argp */) {
252     KeyData* data = reinterpret_cast<KeyData*>(*from_d);
253     if (!data)
254         return 1;
255 
256     // Default copy ctor is good.
257     *from_d = new KeyData(*data);
258     if (*from_d)
259         return 1;
260     return 0;
261 }
262 
263 /* static */
free_key_data(void *,void * ptr,CRYPTO_EX_DATA *,int,long,void *)264 void Keymaster1Engine::free_key_data(void* /* parent */, void* ptr, CRYPTO_EX_DATA* /* data */,
265                                      int /* index*/, long /* argl */, void* /* argp */) {
266     delete reinterpret_cast<KeyData*>(ptr);
267 }
268 
Keymaster1Finish(const KeyData * key_data,const keymaster_blob_t & input,keymaster_blob_t * output)269 keymaster_error_t Keymaster1Engine::Keymaster1Finish(const KeyData* key_data,
270                                                      const keymaster_blob_t& input,
271                                                      keymaster_blob_t* output) {
272     if (key_data->op_handle == 0)
273         return KM_ERROR_UNKNOWN_ERROR;
274 
275     size_t input_consumed;
276     // Note: devices are required to consume all input in a single update call for undigested
277     // signing operations and encryption operations.  No need to loop here.
278     keymaster_error_t error =
279         device()->update(device(), key_data->op_handle, &key_data->finish_params, &input,
280                          &input_consumed, nullptr /* out_params */, nullptr /* output */);
281     if (error != KM_ERROR_OK)
282         return error;
283 
284     return device()->finish(device(), key_data->op_handle, &key_data->finish_params,
285                             nullptr /* signature */, nullptr /* out_params */, output);
286 }
287 
288 /* static */
rsa_sign_raw(RSA * rsa,size_t * out_len,uint8_t * out,size_t max_out,const uint8_t * in,size_t in_len,int padding)289 int Keymaster1Engine::rsa_sign_raw(RSA* rsa, size_t* out_len, uint8_t* out, size_t max_out,
290                                    const uint8_t* in, size_t in_len, int padding) {
291     KeyData* key_data = instance_->GetData(rsa);
292     if (!key_data)
293         return 0;
294 
295     if (padding != key_data->expected_openssl_padding) {
296         LOG_E("Expected sign_raw with padding %d but got padding %d",
297               key_data->expected_openssl_padding, padding);
298         return KM_ERROR_UNKNOWN_ERROR;
299     }
300 
301     keymaster_blob_t input = {in, in_len};
302     keymaster_blob_t output;
303     key_data->error = instance_->Keymaster1Finish(key_data, input, &output);
304     if (key_data->error != KM_ERROR_OK)
305         return 0;
306     unique_ptr<uint8_t, Malloc_Delete> output_deleter(const_cast<uint8_t*>(output.data));
307 
308     *out_len = std::min(output.data_length, max_out);
309     memcpy(out, output.data, *out_len);
310     return 1;
311 }
312 
313 /* static */
rsa_decrypt(RSA * rsa,size_t * out_len,uint8_t * out,size_t max_out,const uint8_t * in,size_t in_len,int padding)314 int Keymaster1Engine::rsa_decrypt(RSA* rsa, size_t* out_len, uint8_t* out, size_t max_out,
315                                   const uint8_t* in, size_t in_len, int padding) {
316     KeyData* key_data = instance_->GetData(rsa);
317     if (!key_data)
318         return 0;
319 
320     if (padding != key_data->expected_openssl_padding) {
321         LOG_E("Expected sign_raw with padding %d but got padding %d",
322               key_data->expected_openssl_padding, padding);
323         return KM_ERROR_UNKNOWN_ERROR;
324     }
325 
326     keymaster_blob_t input = {in, in_len};
327     keymaster_blob_t output;
328     key_data->error = instance_->Keymaster1Finish(key_data, input, &output);
329     if (key_data->error != KM_ERROR_OK)
330         return 0;
331     unique_ptr<uint8_t, Malloc_Delete> output_deleter(const_cast<uint8_t*>(output.data));
332 
333     *out_len = std::min(output.data_length, max_out);
334     memcpy(out, output.data, *out_len);
335     return 1;
336 }
337 
338 /* static */
ecdsa_sign(const uint8_t * digest,size_t digest_len,uint8_t * sig,unsigned int * sig_len,EC_KEY * ec_key)339 int Keymaster1Engine::ecdsa_sign(const uint8_t* digest, size_t digest_len, uint8_t* sig,
340                                  unsigned int* sig_len, EC_KEY* ec_key) {
341     KeyData* key_data = instance_->GetData(ec_key);
342     if (!key_data)
343         return 0;
344 
345     // Truncate digest if it's too long
346     size_t max_input_len = (ec_group_size_bits(ec_key) + 7) / 8;
347     if (digest_len > max_input_len)
348         digest_len = max_input_len;
349 
350     keymaster_blob_t input = {digest, digest_len};
351     keymaster_blob_t output;
352     key_data->error = instance_->Keymaster1Finish(key_data, input, &output);
353     if (key_data->error != KM_ERROR_OK)
354         return 0;
355     unique_ptr<uint8_t, Malloc_Delete> output_deleter(const_cast<uint8_t*>(output.data));
356 
357     *sig_len = std::min(output.data_length, ECDSA_size(ec_key));
358     memcpy(sig, output.data, *sig_len);
359     return 1;
360 }
361 
GetKeymaster1PublicKey(const KeymasterKeyBlob & blob,const AuthorizationSet & additional_params,keymaster_error_t * error) const362 EVP_PKEY* Keymaster1Engine::GetKeymaster1PublicKey(const KeymasterKeyBlob& blob,
363                                                    const AuthorizationSet& additional_params,
364                                                    keymaster_error_t* error) const {
365     keymaster_blob_t client_id = {nullptr, 0};
366     keymaster_blob_t app_data = {nullptr, 0};
367     keymaster_blob_t* client_id_ptr = nullptr;
368     keymaster_blob_t* app_data_ptr = nullptr;
369     if (additional_params.GetTagValue(TAG_APPLICATION_ID, &client_id))
370         client_id_ptr = &client_id;
371     if (additional_params.GetTagValue(TAG_APPLICATION_DATA, &app_data))
372         app_data_ptr = &app_data;
373 
374     keymaster_blob_t export_data = {nullptr, 0};
375     *error = keymaster1_device_->export_key(keymaster1_device_, KM_KEY_FORMAT_X509, &blob,
376                                             client_id_ptr, app_data_ptr, &export_data);
377     if (*error != KM_ERROR_OK)
378         return nullptr;
379 
380     unique_ptr<uint8_t, Malloc_Delete> pub_key(const_cast<uint8_t*>(export_data.data));
381 
382     const uint8_t* p = export_data.data;
383     return d2i_PUBKEY(nullptr /* allocate new struct */, &p, export_data.data_length);
384 }
385 
BuildRsaMethod()386 RSA_METHOD Keymaster1Engine::BuildRsaMethod() {
387     RSA_METHOD method;
388 
389     method.common.references = 0;
390     method.common.is_static = 1;
391     method.app_data = nullptr;
392     method.init = nullptr;
393     method.finish = nullptr;
394     method.size = nullptr;
395     method.sign = nullptr;
396     method.verify = nullptr;
397     method.encrypt = nullptr;
398     method.sign_raw = Keymaster1Engine::rsa_sign_raw;
399     method.decrypt = Keymaster1Engine::rsa_decrypt;
400     method.verify_raw = nullptr;
401     method.private_transform = nullptr;
402     method.mod_exp = nullptr;
403     method.bn_mod_exp = BN_mod_exp_mont;
404     method.flags = RSA_FLAG_OPAQUE;
405     method.keygen = nullptr;
406     method.supports_digest = nullptr;
407 
408     return method;
409 }
410 
BuildEcdsaMethod()411 ECDSA_METHOD Keymaster1Engine::BuildEcdsaMethod() {
412     ECDSA_METHOD method;
413 
414     method.common.references = 0;
415     method.common.is_static = 1;
416     method.app_data = nullptr;
417     method.init = nullptr;
418     method.finish = nullptr;
419     method.group_order_size = nullptr;
420     method.sign = Keymaster1Engine::ecdsa_sign;
421     method.verify = nullptr;
422     method.flags = ECDSA_FLAG_OPAQUE;
423 
424     return method;
425 }
426 
427 }  // namespace keymaster
428