1/*
2 * Copyright 2012 The Android Open Source Project
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 * 1. Redistributions of source code must retain the above copyright
8 *    notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright
10 *    notice, this list of conditions and the following disclaimer in the
11 *    documentation and/or other materials provided with the distribution.
12 *
13 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY
14 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
15 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
16 * DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY
17 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
18 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
19 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
20 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
21 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
22 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
23 *
24 */
25
26#include <utils/UniquePtr.h>
27
28//#define LOG_NDEBUG 0
29#define LOG_TAG "OpenSSL-keystore-rsa"
30#include <cutils/log.h>
31
32#include <binder/IServiceManager.h>
33#include <keystore/IKeystoreService.h>
34
35#include <openssl/rsa.h>
36#include <openssl/engine.h>
37
38#include "methods.h"
39
40
41using namespace android;
42
43
44int keystore_rsa_priv_enc(int flen, const unsigned char* from, unsigned char* to, RSA* rsa,
45        int padding) {
46    ALOGV("keystore_rsa_priv_enc(%d, %p, %p, %p, %d)", flen, from, to, rsa, padding);
47
48    int num = RSA_size(rsa);
49    UniquePtr<uint8_t> padded(new uint8_t[num]);
50    if (padded.get() == NULL) {
51        ALOGE("could not allocate padded signature");
52        return 0;
53    }
54
55    switch (padding) {
56    case RSA_PKCS1_PADDING:
57        if (!RSA_padding_add_PKCS1_type_1(padded.get(), num, from, flen)) {
58            return 0;
59        }
60        break;
61    case RSA_X931_PADDING:
62        if (!RSA_padding_add_X931(padded.get(), num, from, flen)) {
63            return 0;
64        }
65        break;
66    case RSA_NO_PADDING:
67        if (!RSA_padding_add_none(padded.get(), num, from, flen)) {
68            return 0;
69        }
70        break;
71    default:
72        ALOGE("Unknown padding type: %d", padding);
73        return 0;
74    }
75
76    uint8_t* key_id = reinterpret_cast<uint8_t*>(RSA_get_ex_data(rsa, rsa_key_handle));
77    if (key_id == NULL) {
78        ALOGE("key had no key_id!");
79        return 0;
80    }
81
82    sp<IServiceManager> sm = defaultServiceManager();
83    sp<IBinder> binder = sm->getService(String16("android.security.keystore"));
84    sp<IKeystoreService> service = interface_cast<IKeystoreService>(binder);
85
86    if (service == NULL) {
87        ALOGE("could not contact keystore");
88        return 0;
89    }
90
91    uint8_t* reply = NULL;
92    size_t replyLen;
93    int32_t ret = service->sign(String16(reinterpret_cast<const char*>(key_id)), padded.get(),
94            num, &reply, &replyLen);
95    if (ret < 0) {
96        ALOGW("There was an error during signing: could not connect");
97        free(reply);
98        return 0;
99    } else if (ret != 0) {
100        ALOGW("Error during signing from keystore: %d", ret);
101        free(reply);
102        return 0;
103    } else if (replyLen <= 0) {
104        ALOGW("No valid signature returned");
105        return 0;
106    }
107
108    memcpy(to, reply, replyLen);
109    free(reply);
110
111    ALOGV("rsa=%p keystore_rsa_priv_enc => returning %p len %llu", rsa, to,
112            (unsigned long long) replyLen);
113    return static_cast<int>(replyLen);
114}
115
116int keystore_rsa_priv_dec(int flen, const unsigned char* from, unsigned char* to, RSA* rsa,
117        int padding) {
118    ALOGV("keystore_rsa_priv_dec(%d, %p, %p, %p, %d)", flen, from, to, rsa, padding);
119
120    uint8_t* key_id = reinterpret_cast<uint8_t*>(RSA_get_ex_data(rsa, rsa_key_handle));
121    if (key_id == NULL) {
122        ALOGE("key had no key_id!");
123        return 0;
124    }
125
126    sp<IServiceManager> sm = defaultServiceManager();
127    sp<IBinder> binder = sm->getService(String16("android.security.keystore"));
128    sp<IKeystoreService> service = interface_cast<IKeystoreService>(binder);
129
130    if (service == NULL) {
131        ALOGE("could not contact keystore");
132        return 0;
133    }
134
135    int num = RSA_size(rsa);
136
137    uint8_t* reply = NULL;
138    size_t replyLen;
139    int32_t ret = service->sign(String16(reinterpret_cast<const char*>(key_id)), from,
140            flen, &reply, &replyLen);
141    if (ret < 0) {
142        ALOGW("There was an error during rsa_mod_exp: could not connect");
143        return 0;
144    } else if (ret != 0) {
145        ALOGW("Error during sign from keystore: %d", ret);
146        return 0;
147    } else if (replyLen <= 0) {
148        ALOGW("No valid signature returned");
149        return 0;
150    }
151
152    /* Trim off the top zero if it's there */
153    uint8_t* alignedReply;
154    if (*reply == 0x00) {
155        alignedReply = reply + 1;
156        replyLen--;
157    } else {
158        alignedReply = reply;
159    }
160
161    int outSize;
162    switch (padding) {
163    case RSA_PKCS1_PADDING:
164        outSize = RSA_padding_check_PKCS1_type_2(to, num, alignedReply, replyLen, num);
165        break;
166    case RSA_X931_PADDING:
167        outSize = RSA_padding_check_X931(to, num, alignedReply, replyLen, num);
168        break;
169    case RSA_NO_PADDING:
170        outSize = RSA_padding_check_none(to, num, alignedReply, replyLen, num);
171        break;
172    default:
173        ALOGE("Unknown padding type: %d", padding);
174        outSize = -1;
175        break;
176    }
177
178    free(reply);
179
180    ALOGV("rsa=%p keystore_rsa_priv_dec => returning %p len %llu", rsa, to, outSize);
181    return outSize;
182}
183
184static RSA_METHOD keystore_rsa_meth = {
185        kKeystoreEngineId,
186        NULL, /* rsa_pub_enc (wrap) */
187        NULL, /* rsa_pub_dec (verification) */
188        keystore_rsa_priv_enc, /* rsa_priv_enc (signing) */
189        keystore_rsa_priv_dec, /* rsa_priv_dec (unwrap) */
190        NULL, /* rsa_mod_exp */
191        NULL, /* bn_mod_exp */
192        NULL, /* init */
193        NULL, /* finish */
194        RSA_FLAG_EXT_PKEY | RSA_FLAG_NO_BLINDING, /* flags */
195        NULL, /* app_data */
196        NULL, /* rsa_sign */
197        NULL, /* rsa_verify */
198        NULL, /* rsa_keygen */
199};
200
201static int register_rsa_methods() {
202    const RSA_METHOD* rsa_meth = RSA_PKCS1_SSLeay();
203
204    keystore_rsa_meth.rsa_pub_enc = rsa_meth->rsa_pub_enc;
205    keystore_rsa_meth.rsa_pub_dec = rsa_meth->rsa_pub_dec;
206    keystore_rsa_meth.rsa_mod_exp = rsa_meth->rsa_mod_exp;
207    keystore_rsa_meth.bn_mod_exp = rsa_meth->bn_mod_exp;
208
209    return 1;
210}
211
212int rsa_pkey_setup(ENGINE *e, EVP_PKEY *pkey, const char *key_id) {
213    Unique_RSA rsa(EVP_PKEY_get1_RSA(pkey));
214    if (!RSA_set_ex_data(rsa.get(), rsa_key_handle, reinterpret_cast<void*>(strdup(key_id)))) {
215        ALOGW("Could not set ex_data for loaded RSA key");
216        return 0;
217    }
218
219    RSA_set_method(rsa.get(), &keystore_rsa_meth);
220    RSA_blinding_off(rsa.get());
221
222    /*
223     * "RSA_set_ENGINE()" should probably be an OpenSSL API. Since it isn't,
224     * and EVP_PKEY_free() calls ENGINE_finish(), we need to call ENGINE_init()
225     * here.
226     */
227    ENGINE_init(e);
228    rsa->engine = e;
229    rsa->flags |= RSA_FLAG_EXT_PKEY;
230
231    return 1;
232}
233
234int rsa_register(ENGINE* e) {
235    if (!ENGINE_set_RSA(e, &keystore_rsa_meth)
236            || !register_rsa_methods()) {
237        ALOGE("Could not set up keystore RSA methods");
238        return 0;
239    }
240
241    return 1;
242}
243