1ac3980627ab3420463ca787be441ac363726ed12Shawn Willden/* 2ac3980627ab3420463ca787be441ac363726ed12Shawn Willden * Copyright 2015 The Android Open Source Project 3ac3980627ab3420463ca787be441ac363726ed12Shawn Willden * 4ac3980627ab3420463ca787be441ac363726ed12Shawn Willden * Licensed under the Apache License, Version 2.0 (the "License"); 5ac3980627ab3420463ca787be441ac363726ed12Shawn Willden * you may not use this file except in compliance with the License. 6ac3980627ab3420463ca787be441ac363726ed12Shawn Willden * You may obtain a copy of the License at 7ac3980627ab3420463ca787be441ac363726ed12Shawn Willden * 8ac3980627ab3420463ca787be441ac363726ed12Shawn Willden * http://www.apache.org/licenses/LICENSE-2.0 9ac3980627ab3420463ca787be441ac363726ed12Shawn Willden * 10ac3980627ab3420463ca787be441ac363726ed12Shawn Willden * Unless required by applicable law or agreed to in writing, software 11ac3980627ab3420463ca787be441ac363726ed12Shawn Willden * distributed under the License is distributed on an "AS IS" BASIS, 12ac3980627ab3420463ca787be441ac363726ed12Shawn Willden * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13ac3980627ab3420463ca787be441ac363726ed12Shawn Willden * See the License for the specific language governing permissions and 14ac3980627ab3420463ca787be441ac363726ed12Shawn Willden * limitations under the License. 15ac3980627ab3420463ca787be441ac363726ed12Shawn Willden */ 16ac3980627ab3420463ca787be441ac363726ed12Shawn Willden 17ac3980627ab3420463ca787be441ac363726ed12Shawn Willden#include "keymaster0_engine.h" 18ac3980627ab3420463ca787be441ac363726ed12Shawn Willden 19ac3980627ab3420463ca787be441ac363726ed12Shawn Willden#include <assert.h> 20ac3980627ab3420463ca787be441ac363726ed12Shawn Willden 21ac3980627ab3420463ca787be441ac363726ed12Shawn Willden#include <memory> 22ac3980627ab3420463ca787be441ac363726ed12Shawn Willden 23ac3980627ab3420463ca787be441ac363726ed12Shawn Willden#define LOG_TAG "Keymaster0Engine" 24ac3980627ab3420463ca787be441ac363726ed12Shawn Willden#include <cutils/log.h> 25ac3980627ab3420463ca787be441ac363726ed12Shawn Willden 26ac3980627ab3420463ca787be441ac363726ed12Shawn Willden#include "keymaster/android_keymaster_utils.h" 27ac3980627ab3420463ca787be441ac363726ed12Shawn Willden 289a1cd6d88dabe29fb921ff26612695b59aaf125cShawn Willden#include <openssl/bn.h> 29ac3980627ab3420463ca787be441ac363726ed12Shawn Willden#include <openssl/ec_key.h> 30ac3980627ab3420463ca787be441ac363726ed12Shawn Willden#include <openssl/ecdsa.h> 31ac3980627ab3420463ca787be441ac363726ed12Shawn Willden 32ac3980627ab3420463ca787be441ac363726ed12Shawn Willden#include "openssl_utils.h" 33ac3980627ab3420463ca787be441ac363726ed12Shawn Willden 34ac3980627ab3420463ca787be441ac363726ed12Shawn Willdenusing std::shared_ptr; 35ac3980627ab3420463ca787be441ac363726ed12Shawn Willdenusing std::unique_ptr; 36ac3980627ab3420463ca787be441ac363726ed12Shawn Willden 37ac3980627ab3420463ca787be441ac363726ed12Shawn Willdennamespace keymaster { 38ac3980627ab3420463ca787be441ac363726ed12Shawn Willden 39ac3980627ab3420463ca787be441ac363726ed12Shawn WilldenKeymaster0Engine* Keymaster0Engine::instance_ = nullptr; 4024bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden 41ac3980627ab3420463ca787be441ac363726ed12Shawn WilldenKeymaster0Engine::Keymaster0Engine(const keymaster0_device_t* keymaster0_device) 4224bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden : keymaster0_device_(keymaster0_device), engine_(ENGINE_new()), supports_ec_(false) { 43ac3980627ab3420463ca787be441ac363726ed12Shawn Willden assert(!instance_); 44ac3980627ab3420463ca787be441ac363726ed12Shawn Willden instance_ = this; 45ac3980627ab3420463ca787be441ac363726ed12Shawn Willden 46ac3980627ab3420463ca787be441ac363726ed12Shawn Willden rsa_index_ = RSA_get_ex_new_index(0 /* argl */, NULL /* argp */, NULL /* new_func */, 47ac3980627ab3420463ca787be441ac363726ed12Shawn Willden keyblob_dup, keyblob_free); 4824bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden ec_key_index_ = EC_KEY_get_ex_new_index(0 /* argl */, NULL /* argp */, NULL /* new_func */, 4924bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden keyblob_dup, keyblob_free); 5024bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden 512ff74dcb3817ae32850e23e3a70bcf8cb274d442Shawn Willden rsa_method_.common.references = 0; 522ff74dcb3817ae32850e23e3a70bcf8cb274d442Shawn Willden rsa_method_.common.is_static = 1; 532ff74dcb3817ae32850e23e3a70bcf8cb274d442Shawn Willden rsa_method_.app_data = nullptr; 542ff74dcb3817ae32850e23e3a70bcf8cb274d442Shawn Willden rsa_method_.init = nullptr; 552ff74dcb3817ae32850e23e3a70bcf8cb274d442Shawn Willden rsa_method_.finish = nullptr; 562ff74dcb3817ae32850e23e3a70bcf8cb274d442Shawn Willden rsa_method_.size = nullptr; 572ff74dcb3817ae32850e23e3a70bcf8cb274d442Shawn Willden rsa_method_.sign = nullptr; 582ff74dcb3817ae32850e23e3a70bcf8cb274d442Shawn Willden rsa_method_.verify = nullptr; 592ff74dcb3817ae32850e23e3a70bcf8cb274d442Shawn Willden rsa_method_.encrypt = nullptr; 602ff74dcb3817ae32850e23e3a70bcf8cb274d442Shawn Willden rsa_method_.sign_raw = nullptr; 612ff74dcb3817ae32850e23e3a70bcf8cb274d442Shawn Willden rsa_method_.decrypt = nullptr; 622ff74dcb3817ae32850e23e3a70bcf8cb274d442Shawn Willden rsa_method_.verify_raw = nullptr; 632ff74dcb3817ae32850e23e3a70bcf8cb274d442Shawn Willden rsa_method_.private_transform = Keymaster0Engine::rsa_private_transform; 642ff74dcb3817ae32850e23e3a70bcf8cb274d442Shawn Willden rsa_method_.mod_exp = nullptr; 652ff74dcb3817ae32850e23e3a70bcf8cb274d442Shawn Willden rsa_method_.bn_mod_exp = BN_mod_exp_mont; 662ff74dcb3817ae32850e23e3a70bcf8cb274d442Shawn Willden rsa_method_.flags = RSA_FLAG_OPAQUE; 672ff74dcb3817ae32850e23e3a70bcf8cb274d442Shawn Willden rsa_method_.keygen = nullptr; 682ff74dcb3817ae32850e23e3a70bcf8cb274d442Shawn Willden rsa_method_.supports_digest = nullptr; 692ff74dcb3817ae32850e23e3a70bcf8cb274d442Shawn Willden 70ac3980627ab3420463ca787be441ac363726ed12Shawn Willden ENGINE_set_RSA_method(engine_, &rsa_method_, sizeof(rsa_method_)); 7124bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden 7224bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden if ((keymaster0_device_->flags & KEYMASTER_SUPPORTS_EC) != 0) { 7324bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden supports_ec_ = true; 742ff74dcb3817ae32850e23e3a70bcf8cb274d442Shawn Willden 752ff74dcb3817ae32850e23e3a70bcf8cb274d442Shawn Willden ecdsa_method_.common.references = 0; 762ff74dcb3817ae32850e23e3a70bcf8cb274d442Shawn Willden ecdsa_method_.common.is_static = 1; 772ff74dcb3817ae32850e23e3a70bcf8cb274d442Shawn Willden ecdsa_method_.app_data = nullptr; 782ff74dcb3817ae32850e23e3a70bcf8cb274d442Shawn Willden ecdsa_method_.init = nullptr; 792ff74dcb3817ae32850e23e3a70bcf8cb274d442Shawn Willden ecdsa_method_.finish = nullptr; 802ff74dcb3817ae32850e23e3a70bcf8cb274d442Shawn Willden ecdsa_method_.group_order_size = nullptr; 812ff74dcb3817ae32850e23e3a70bcf8cb274d442Shawn Willden ecdsa_method_.sign = Keymaster0Engine::ecdsa_sign; 822ff74dcb3817ae32850e23e3a70bcf8cb274d442Shawn Willden ecdsa_method_.verify = nullptr; 832ff74dcb3817ae32850e23e3a70bcf8cb274d442Shawn Willden ecdsa_method_.flags = ECDSA_FLAG_OPAQUE; 842ff74dcb3817ae32850e23e3a70bcf8cb274d442Shawn Willden 8524bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden ENGINE_set_ECDSA_method(engine_, &ecdsa_method_, sizeof(ecdsa_method_)); 8624bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden } 87ac3980627ab3420463ca787be441ac363726ed12Shawn Willden} 88ac3980627ab3420463ca787be441ac363726ed12Shawn Willden 89ac3980627ab3420463ca787be441ac363726ed12Shawn WilldenKeymaster0Engine::~Keymaster0Engine() { 90ac3980627ab3420463ca787be441ac363726ed12Shawn Willden if (keymaster0_device_) 91ac3980627ab3420463ca787be441ac363726ed12Shawn Willden keymaster0_device_->common.close( 92ac3980627ab3420463ca787be441ac363726ed12Shawn Willden reinterpret_cast<hw_device_t*>(const_cast<keymaster0_device_t*>(keymaster0_device_))); 93ac3980627ab3420463ca787be441ac363726ed12Shawn Willden ENGINE_free(engine_); 94ac3980627ab3420463ca787be441ac363726ed12Shawn Willden instance_ = nullptr; 95ac3980627ab3420463ca787be441ac363726ed12Shawn Willden} 96ac3980627ab3420463ca787be441ac363726ed12Shawn Willden 97ac3980627ab3420463ca787be441ac363726ed12Shawn Willdenbool Keymaster0Engine::GenerateRsaKey(uint64_t public_exponent, uint32_t public_modulus, 98ac3980627ab3420463ca787be441ac363726ed12Shawn Willden KeymasterKeyBlob* key_material) const { 99ac3980627ab3420463ca787be441ac363726ed12Shawn Willden assert(key_material); 100ac3980627ab3420463ca787be441ac363726ed12Shawn Willden keymaster_rsa_keygen_params_t params; 101ac3980627ab3420463ca787be441ac363726ed12Shawn Willden params.public_exponent = public_exponent; 102ac3980627ab3420463ca787be441ac363726ed12Shawn Willden params.modulus_size = public_modulus; 103ac3980627ab3420463ca787be441ac363726ed12Shawn Willden 104ac3980627ab3420463ca787be441ac363726ed12Shawn Willden uint8_t* key_blob = 0; 105ac3980627ab3420463ca787be441ac363726ed12Shawn Willden if (keymaster0_device_->generate_keypair(keymaster0_device_, TYPE_RSA, ¶ms, &key_blob, 106ac3980627ab3420463ca787be441ac363726ed12Shawn Willden &key_material->key_material_size) < 0) { 107ac3980627ab3420463ca787be441ac363726ed12Shawn Willden ALOGE("Error generating RSA key pair with keymaster0 device"); 108ac3980627ab3420463ca787be441ac363726ed12Shawn Willden return false; 109ac3980627ab3420463ca787be441ac363726ed12Shawn Willden } 110ac3980627ab3420463ca787be441ac363726ed12Shawn Willden unique_ptr<uint8_t, Malloc_Delete> key_blob_deleter(key_blob); 111ac3980627ab3420463ca787be441ac363726ed12Shawn Willden key_material->key_material = dup_buffer(key_blob, key_material->key_material_size); 112ac3980627ab3420463ca787be441ac363726ed12Shawn Willden return true; 113ac3980627ab3420463ca787be441ac363726ed12Shawn Willden} 114ac3980627ab3420463ca787be441ac363726ed12Shawn Willden 11524bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willdenbool Keymaster0Engine::GenerateEcKey(uint32_t key_size, KeymasterKeyBlob* key_material) const { 11624bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden assert(key_material); 11724bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden keymaster_ec_keygen_params_t params; 11824bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden params.field_size = key_size; 11924bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden 12024bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden uint8_t* key_blob = 0; 12124bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden if (keymaster0_device_->generate_keypair(keymaster0_device_, TYPE_EC, ¶ms, &key_blob, 12224bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden &key_material->key_material_size) < 0) { 12324bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden ALOGE("Error generating EC key pair with keymaster0 device"); 12424bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden return false; 12524bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden } 12624bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden unique_ptr<uint8_t, Malloc_Delete> key_blob_deleter(key_blob); 12724bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden key_material->key_material = dup_buffer(key_blob, key_material->key_material_size); 12824bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden return true; 12924bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden} 13024bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden 13124bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willdenbool Keymaster0Engine::ImportKey(keymaster_key_format_t key_format, 13224bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden const KeymasterKeyBlob& to_import, 13324bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden KeymasterKeyBlob* imported_key) const { 134ac3980627ab3420463ca787be441ac363726ed12Shawn Willden assert(imported_key); 135ac3980627ab3420463ca787be441ac363726ed12Shawn Willden if (key_format != KM_KEY_FORMAT_PKCS8) 136ac3980627ab3420463ca787be441ac363726ed12Shawn Willden return false; 137ac3980627ab3420463ca787be441ac363726ed12Shawn Willden 138ac3980627ab3420463ca787be441ac363726ed12Shawn Willden uint8_t* key_blob = 0; 139ac3980627ab3420463ca787be441ac363726ed12Shawn Willden if (keymaster0_device_->import_keypair(keymaster0_device_, to_import.key_material, 140ac3980627ab3420463ca787be441ac363726ed12Shawn Willden to_import.key_material_size, &key_blob, 141ac3980627ab3420463ca787be441ac363726ed12Shawn Willden &imported_key->key_material_size) < 0) { 14224bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden ALOGW("Error importing keypair with keymaster0 device"); 143ac3980627ab3420463ca787be441ac363726ed12Shawn Willden return false; 144ac3980627ab3420463ca787be441ac363726ed12Shawn Willden } 145ac3980627ab3420463ca787be441ac363726ed12Shawn Willden unique_ptr<uint8_t, Malloc_Delete> key_blob_deleter(key_blob); 146ac3980627ab3420463ca787be441ac363726ed12Shawn Willden imported_key->key_material = dup_buffer(key_blob, imported_key->key_material_size); 147ac3980627ab3420463ca787be441ac363726ed12Shawn Willden return true; 148ac3980627ab3420463ca787be441ac363726ed12Shawn Willden} 149ac3980627ab3420463ca787be441ac363726ed12Shawn Willden 15001d8f24c45067bc3d909e3aae9a72582f3c985a1Shawn Willdenbool Keymaster0Engine::DeleteKey(const KeymasterKeyBlob& blob) const { 15101d8f24c45067bc3d909e3aae9a72582f3c985a1Shawn Willden if (!keymaster0_device_->delete_keypair) 15201d8f24c45067bc3d909e3aae9a72582f3c985a1Shawn Willden return true; 15301d8f24c45067bc3d909e3aae9a72582f3c985a1Shawn Willden return (keymaster0_device_->delete_keypair(keymaster0_device_, blob.key_material, 15401d8f24c45067bc3d909e3aae9a72582f3c985a1Shawn Willden blob.key_material_size) == 0); 15501d8f24c45067bc3d909e3aae9a72582f3c985a1Shawn Willden} 15601d8f24c45067bc3d909e3aae9a72582f3c985a1Shawn Willden 15701d8f24c45067bc3d909e3aae9a72582f3c985a1Shawn Willdenbool Keymaster0Engine::DeleteAllKeys() const { 15801d8f24c45067bc3d909e3aae9a72582f3c985a1Shawn Willden if (!keymaster0_device_->delete_all) 15901d8f24c45067bc3d909e3aae9a72582f3c985a1Shawn Willden return true; 16001d8f24c45067bc3d909e3aae9a72582f3c985a1Shawn Willden return (keymaster0_device_->delete_all(keymaster0_device_) == 0); 16101d8f24c45067bc3d909e3aae9a72582f3c985a1Shawn Willden} 16201d8f24c45067bc3d909e3aae9a72582f3c985a1Shawn Willden 163ac3980627ab3420463ca787be441ac363726ed12Shawn Willdenstatic keymaster_key_blob_t* duplicate_blob(const uint8_t* key_data, size_t key_data_size) { 164661b2b1bdff194b6a872b2d92389b76a365e5061Shawn Willden unique_ptr<uint8_t[]> key_material_copy(dup_buffer(key_data, key_data_size)); 165ac3980627ab3420463ca787be441ac363726ed12Shawn Willden if (!key_material_copy) 166ac3980627ab3420463ca787be441ac363726ed12Shawn Willden return nullptr; 167ac3980627ab3420463ca787be441ac363726ed12Shawn Willden 1689a1cd6d88dabe29fb921ff26612695b59aaf125cShawn Willden unique_ptr<keymaster_key_blob_t> blob_copy(new (std::nothrow) keymaster_key_blob_t); 169661b2b1bdff194b6a872b2d92389b76a365e5061Shawn Willden if (!blob_copy.get()) 170661b2b1bdff194b6a872b2d92389b76a365e5061Shawn Willden return nullptr; 171ac3980627ab3420463ca787be441ac363726ed12Shawn Willden blob_copy->key_material_size = key_data_size; 172ac3980627ab3420463ca787be441ac363726ed12Shawn Willden blob_copy->key_material = key_material_copy.release(); 173ac3980627ab3420463ca787be441ac363726ed12Shawn Willden return blob_copy.release(); 174ac3980627ab3420463ca787be441ac363726ed12Shawn Willden} 175ac3980627ab3420463ca787be441ac363726ed12Shawn Willden 176ac3980627ab3420463ca787be441ac363726ed12Shawn Willdeninline keymaster_key_blob_t* duplicate_blob(const keymaster_key_blob_t& blob) { 177ac3980627ab3420463ca787be441ac363726ed12Shawn Willden return duplicate_blob(blob.key_material, blob.key_material_size); 178ac3980627ab3420463ca787be441ac363726ed12Shawn Willden} 179ac3980627ab3420463ca787be441ac363726ed12Shawn Willden 180ac3980627ab3420463ca787be441ac363726ed12Shawn WilldenRSA* Keymaster0Engine::BlobToRsaKey(const KeymasterKeyBlob& blob) const { 181ac3980627ab3420463ca787be441ac363726ed12Shawn Willden // Create new RSA key (with engine methods) and insert blob 182ac3980627ab3420463ca787be441ac363726ed12Shawn Willden unique_ptr<RSA, RSA_Delete> rsa(RSA_new_method(engine_)); 183ac3980627ab3420463ca787be441ac363726ed12Shawn Willden if (!rsa) 184ac3980627ab3420463ca787be441ac363726ed12Shawn Willden return nullptr; 185ac3980627ab3420463ca787be441ac363726ed12Shawn Willden 186ac3980627ab3420463ca787be441ac363726ed12Shawn Willden keymaster_key_blob_t* blob_copy = duplicate_blob(blob); 187ac3980627ab3420463ca787be441ac363726ed12Shawn Willden if (!blob_copy->key_material || !RSA_set_ex_data(rsa.get(), rsa_index_, blob_copy)) 188ac3980627ab3420463ca787be441ac363726ed12Shawn Willden return nullptr; 189ac3980627ab3420463ca787be441ac363726ed12Shawn Willden 190ac3980627ab3420463ca787be441ac363726ed12Shawn Willden // Copy public key into new RSA key 191ac3980627ab3420463ca787be441ac363726ed12Shawn Willden unique_ptr<EVP_PKEY, EVP_PKEY_Delete> pkey(GetKeymaster0PublicKey(blob)); 192ac3980627ab3420463ca787be441ac363726ed12Shawn Willden if (!pkey) 193ac3980627ab3420463ca787be441ac363726ed12Shawn Willden return nullptr; 194ac3980627ab3420463ca787be441ac363726ed12Shawn Willden unique_ptr<RSA, RSA_Delete> public_rsa(EVP_PKEY_get1_RSA(pkey.get())); 195ac3980627ab3420463ca787be441ac363726ed12Shawn Willden if (!public_rsa) 196ac3980627ab3420463ca787be441ac363726ed12Shawn Willden return nullptr; 197ac3980627ab3420463ca787be441ac363726ed12Shawn Willden rsa->n = BN_dup(public_rsa->n); 198ac3980627ab3420463ca787be441ac363726ed12Shawn Willden rsa->e = BN_dup(public_rsa->e); 199ac3980627ab3420463ca787be441ac363726ed12Shawn Willden if (!rsa->n || !rsa->e) 200ac3980627ab3420463ca787be441ac363726ed12Shawn Willden return nullptr; 201ac3980627ab3420463ca787be441ac363726ed12Shawn Willden 202ac3980627ab3420463ca787be441ac363726ed12Shawn Willden return rsa.release(); 203ac3980627ab3420463ca787be441ac363726ed12Shawn Willden} 204ac3980627ab3420463ca787be441ac363726ed12Shawn Willden 20524bdfc2558c96c76e850e7c366618c638efeb1c4Shawn WilldenEC_KEY* Keymaster0Engine::BlobToEcKey(const KeymasterKeyBlob& blob) const { 20624bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden // Create new EC key (with engine methods) and insert blob 207fabacaf3e6019804cc8a98a2b8296be1d0125519Thai Duong unique_ptr<EC_KEY, EC_KEY_Delete> ec_key(EC_KEY_new_method(engine_)); 20824bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden if (!ec_key) 20924bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden return nullptr; 21024bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden 21124bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden keymaster_key_blob_t* blob_copy = duplicate_blob(blob); 21224bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden if (!blob_copy->key_material || !EC_KEY_set_ex_data(ec_key.get(), ec_key_index_, blob_copy)) 21324bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden return nullptr; 21424bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden 21524bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden // Copy public key into new EC key 21624bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden unique_ptr<EVP_PKEY, EVP_PKEY_Delete> pkey(GetKeymaster0PublicKey(blob)); 21724bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden if (!pkey) 21824bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden return nullptr; 21924bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden 220fabacaf3e6019804cc8a98a2b8296be1d0125519Thai Duong unique_ptr<EC_KEY, EC_KEY_Delete> public_ec_key(EVP_PKEY_get1_EC_KEY(pkey.get())); 22124bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden if (!public_ec_key) 22224bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden return nullptr; 22324bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden 22424bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden if (!EC_KEY_set_group(ec_key.get(), EC_KEY_get0_group(public_ec_key.get())) || 22524bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden !EC_KEY_set_public_key(ec_key.get(), EC_KEY_get0_public_key(public_ec_key.get()))) 22624bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden return nullptr; 22724bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden 22824bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden return ec_key.release(); 22924bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden} 23024bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden 23124bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willdenconst keymaster_key_blob_t* Keymaster0Engine::RsaKeyToBlob(const RSA* rsa) const { 232ac3980627ab3420463ca787be441ac363726ed12Shawn Willden return reinterpret_cast<keymaster_key_blob_t*>(RSA_get_ex_data(rsa, rsa_index_)); 233ac3980627ab3420463ca787be441ac363726ed12Shawn Willden} 234ac3980627ab3420463ca787be441ac363726ed12Shawn Willden 23524bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willdenconst keymaster_key_blob_t* Keymaster0Engine::EcKeyToBlob(const EC_KEY* ec_key) const { 23624bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden return reinterpret_cast<keymaster_key_blob_t*>(EC_KEY_get_ex_data(ec_key, ec_key_index_)); 23724bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden} 23824bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden 239ac3980627ab3420463ca787be441ac363726ed12Shawn Willden/* static */ 240ac3980627ab3420463ca787be441ac363726ed12Shawn Willdenint Keymaster0Engine::keyblob_dup(CRYPTO_EX_DATA* /* to */, const CRYPTO_EX_DATA* /* from */, 241ac3980627ab3420463ca787be441ac363726ed12Shawn Willden void** from_d, int /* index */, long /* argl */, 242ac3980627ab3420463ca787be441ac363726ed12Shawn Willden void* /* argp */) { 243ac3980627ab3420463ca787be441ac363726ed12Shawn Willden keymaster_key_blob_t* blob = reinterpret_cast<keymaster_key_blob_t*>(*from_d); 24424bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden if (!blob) 24524bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden return 1; 246ac3980627ab3420463ca787be441ac363726ed12Shawn Willden *from_d = duplicate_blob(*blob); 247ac3980627ab3420463ca787be441ac363726ed12Shawn Willden if (*from_d) 248ac3980627ab3420463ca787be441ac363726ed12Shawn Willden return 1; 249ac3980627ab3420463ca787be441ac363726ed12Shawn Willden return 0; 250ac3980627ab3420463ca787be441ac363726ed12Shawn Willden} 251ac3980627ab3420463ca787be441ac363726ed12Shawn Willden 252ac3980627ab3420463ca787be441ac363726ed12Shawn Willden/* static */ 253ac3980627ab3420463ca787be441ac363726ed12Shawn Willdenvoid Keymaster0Engine::keyblob_free(void* /* parent */, void* ptr, CRYPTO_EX_DATA* /* data */, 254ac3980627ab3420463ca787be441ac363726ed12Shawn Willden int /* index*/, long /* argl */, void* /* argp */) { 255ac3980627ab3420463ca787be441ac363726ed12Shawn Willden keymaster_key_blob_t* blob = reinterpret_cast<keymaster_key_blob_t*>(ptr); 256ac3980627ab3420463ca787be441ac363726ed12Shawn Willden if (blob) { 257ac3980627ab3420463ca787be441ac363726ed12Shawn Willden delete[] blob->key_material; 258ac3980627ab3420463ca787be441ac363726ed12Shawn Willden delete blob; 259ac3980627ab3420463ca787be441ac363726ed12Shawn Willden } 260ac3980627ab3420463ca787be441ac363726ed12Shawn Willden} 261ac3980627ab3420463ca787be441ac363726ed12Shawn Willden 262ac3980627ab3420463ca787be441ac363726ed12Shawn Willden/* static */ 263ac3980627ab3420463ca787be441ac363726ed12Shawn Willdenint Keymaster0Engine::rsa_private_transform(RSA* rsa, uint8_t* out, const uint8_t* in, size_t len) { 264ac3980627ab3420463ca787be441ac363726ed12Shawn Willden ALOGV("rsa_private_transform(%p, %p, %p, %u)", rsa, out, in, (unsigned)len); 265ac3980627ab3420463ca787be441ac363726ed12Shawn Willden 266ac3980627ab3420463ca787be441ac363726ed12Shawn Willden assert(instance_); 267ac3980627ab3420463ca787be441ac363726ed12Shawn Willden return instance_->RsaPrivateTransform(rsa, out, in, len); 268ac3980627ab3420463ca787be441ac363726ed12Shawn Willden} 269ac3980627ab3420463ca787be441ac363726ed12Shawn Willden 27024bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden/* static */ 27124bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willdenint Keymaster0Engine::ecdsa_sign(const uint8_t* digest, size_t digest_len, uint8_t* sig, 27224bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden unsigned int* sig_len, EC_KEY* ec_key) { 27324bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden ALOGV("ecdsa_sign(%p, %u, %p)", digest, (unsigned)digest_len, ec_key); 27424bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden assert(instance_); 27524bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden return instance_->EcdsaSign(digest, digest_len, sig, sig_len, ec_key); 27624bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden} 27724bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden 278ac3980627ab3420463ca787be441ac363726ed12Shawn Willdenbool Keymaster0Engine::Keymaster0Sign(const void* signing_params, const keymaster_key_blob_t& blob, 279ac3980627ab3420463ca787be441ac363726ed12Shawn Willden const uint8_t* data, const size_t data_length, 280ac3980627ab3420463ca787be441ac363726ed12Shawn Willden unique_ptr<uint8_t[], Malloc_Delete>* signature, 281ac3980627ab3420463ca787be441ac363726ed12Shawn Willden size_t* signature_length) const { 282ac3980627ab3420463ca787be441ac363726ed12Shawn Willden uint8_t* signed_data; 283ac3980627ab3420463ca787be441ac363726ed12Shawn Willden int err = keymaster0_device_->sign_data(keymaster0_device_, signing_params, blob.key_material, 284ac3980627ab3420463ca787be441ac363726ed12Shawn Willden blob.key_material_size, data, data_length, &signed_data, 285ac3980627ab3420463ca787be441ac363726ed12Shawn Willden signature_length); 286ac3980627ab3420463ca787be441ac363726ed12Shawn Willden if (err < 0) { 287ac3980627ab3420463ca787be441ac363726ed12Shawn Willden ALOGE("Keymaster0 signing failed with error %d", err); 288ac3980627ab3420463ca787be441ac363726ed12Shawn Willden return false; 289ac3980627ab3420463ca787be441ac363726ed12Shawn Willden } 290ac3980627ab3420463ca787be441ac363726ed12Shawn Willden 291ac3980627ab3420463ca787be441ac363726ed12Shawn Willden signature->reset(signed_data); 292ac3980627ab3420463ca787be441ac363726ed12Shawn Willden return true; 293ac3980627ab3420463ca787be441ac363726ed12Shawn Willden} 294ac3980627ab3420463ca787be441ac363726ed12Shawn Willden 295ac3980627ab3420463ca787be441ac363726ed12Shawn WilldenEVP_PKEY* Keymaster0Engine::GetKeymaster0PublicKey(const KeymasterKeyBlob& blob) const { 296ac3980627ab3420463ca787be441ac363726ed12Shawn Willden uint8_t* pub_key_data; 297ac3980627ab3420463ca787be441ac363726ed12Shawn Willden size_t pub_key_data_length; 298ac3980627ab3420463ca787be441ac363726ed12Shawn Willden int err = keymaster0_device_->get_keypair_public(keymaster0_device_, blob.key_material, 299ac3980627ab3420463ca787be441ac363726ed12Shawn Willden blob.key_material_size, &pub_key_data, 300ac3980627ab3420463ca787be441ac363726ed12Shawn Willden &pub_key_data_length); 301ac3980627ab3420463ca787be441ac363726ed12Shawn Willden if (err < 0) { 302ac3980627ab3420463ca787be441ac363726ed12Shawn Willden ALOGE("Error %d extracting public key", err); 303ac3980627ab3420463ca787be441ac363726ed12Shawn Willden return nullptr; 304ac3980627ab3420463ca787be441ac363726ed12Shawn Willden } 305ac3980627ab3420463ca787be441ac363726ed12Shawn Willden unique_ptr<uint8_t, Malloc_Delete> pub_key(pub_key_data); 306ac3980627ab3420463ca787be441ac363726ed12Shawn Willden 307ac3980627ab3420463ca787be441ac363726ed12Shawn Willden const uint8_t* p = pub_key_data; 308ac3980627ab3420463ca787be441ac363726ed12Shawn Willden return d2i_PUBKEY(nullptr /* allocate new struct */, &p, pub_key_data_length); 309ac3980627ab3420463ca787be441ac363726ed12Shawn Willden} 310ac3980627ab3420463ca787be441ac363726ed12Shawn Willden 311e9fb087a8245e26483e8865515c919c83ed84c5bShawn Willdenstatic bool data_too_large_for_public_modulus(const uint8_t* data, size_t len, const RSA* rsa) { 312e9fb087a8245e26483e8865515c919c83ed84c5bShawn Willden unique_ptr<BIGNUM, BIGNUM_Delete> input_as_bn( 313e9fb087a8245e26483e8865515c919c83ed84c5bShawn Willden BN_bin2bn(data, len, nullptr /* allocate result */)); 314e9fb087a8245e26483e8865515c919c83ed84c5bShawn Willden return input_as_bn && BN_ucmp(input_as_bn.get(), rsa->n) >= 0; 315e9fb087a8245e26483e8865515c919c83ed84c5bShawn Willden} 316e9fb087a8245e26483e8865515c919c83ed84c5bShawn Willden 317ac3980627ab3420463ca787be441ac363726ed12Shawn Willdenint Keymaster0Engine::RsaPrivateTransform(RSA* rsa, uint8_t* out, const uint8_t* in, 318ac3980627ab3420463ca787be441ac363726ed12Shawn Willden size_t len) const { 31924bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden const keymaster_key_blob_t* key_blob = RsaKeyToBlob(rsa); 320ac3980627ab3420463ca787be441ac363726ed12Shawn Willden if (key_blob == NULL) { 321ac3980627ab3420463ca787be441ac363726ed12Shawn Willden ALOGE("key had no key_blob!"); 322ac3980627ab3420463ca787be441ac363726ed12Shawn Willden return 0; 323ac3980627ab3420463ca787be441ac363726ed12Shawn Willden } 324ac3980627ab3420463ca787be441ac363726ed12Shawn Willden 325ac3980627ab3420463ca787be441ac363726ed12Shawn Willden keymaster_rsa_sign_params_t sign_params = {DIGEST_NONE, PADDING_NONE}; 326ac3980627ab3420463ca787be441ac363726ed12Shawn Willden unique_ptr<uint8_t[], Malloc_Delete> signature; 327ac3980627ab3420463ca787be441ac363726ed12Shawn Willden size_t signature_length; 328e9fb087a8245e26483e8865515c919c83ed84c5bShawn Willden if (!Keymaster0Sign(&sign_params, *key_blob, in, len, &signature, &signature_length)) { 329e9fb087a8245e26483e8865515c919c83ed84c5bShawn Willden if (data_too_large_for_public_modulus(in, len, rsa)) { 330e9fb087a8245e26483e8865515c919c83ed84c5bShawn Willden ALOGE("Keymaster0 signing failed because data is too large."); 331e9fb087a8245e26483e8865515c919c83ed84c5bShawn Willden OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 332e9fb087a8245e26483e8865515c919c83ed84c5bShawn Willden } else { 333e9fb087a8245e26483e8865515c919c83ed84c5bShawn Willden // We don't know what error code is correct; force an "unknown error" return 334e9fb087a8245e26483e8865515c919c83ed84c5bShawn Willden OPENSSL_PUT_ERROR(USER, KM_ERROR_UNKNOWN_ERROR); 335e9fb087a8245e26483e8865515c919c83ed84c5bShawn Willden } 336ac3980627ab3420463ca787be441ac363726ed12Shawn Willden return 0; 337e9fb087a8245e26483e8865515c919c83ed84c5bShawn Willden } 338ac3980627ab3420463ca787be441ac363726ed12Shawn Willden Eraser eraser(signature.get(), signature_length); 339ac3980627ab3420463ca787be441ac363726ed12Shawn Willden 340ac3980627ab3420463ca787be441ac363726ed12Shawn Willden if (signature_length > len) { 341ac3980627ab3420463ca787be441ac363726ed12Shawn Willden /* The result of the RSA operation can never be larger than the size of 342ac3980627ab3420463ca787be441ac363726ed12Shawn Willden * the modulus so we assume that the result has extra zeros on the 343ac3980627ab3420463ca787be441ac363726ed12Shawn Willden * left. This provides attackers with an oracle, but there's nothing 344ac3980627ab3420463ca787be441ac363726ed12Shawn Willden * that we can do about it here. */ 345ac3980627ab3420463ca787be441ac363726ed12Shawn Willden memcpy(out, signature.get() + signature_length - len, len); 346ac3980627ab3420463ca787be441ac363726ed12Shawn Willden } else if (signature_length < len) { 347ac3980627ab3420463ca787be441ac363726ed12Shawn Willden /* If the keymaster0 implementation returns a short value we assume that 348ac3980627ab3420463ca787be441ac363726ed12Shawn Willden * it's because it removed leading zeros from the left side. This is 349ac3980627ab3420463ca787be441ac363726ed12Shawn Willden * bad because it provides attackers with an oracle but we cannot do 350ac3980627ab3420463ca787be441ac363726ed12Shawn Willden * anything about a broken keymaster0 implementation here. */ 351ac3980627ab3420463ca787be441ac363726ed12Shawn Willden memset(out, 0, len); 352ac3980627ab3420463ca787be441ac363726ed12Shawn Willden memcpy(out + len - signature_length, signature.get(), signature_length); 353ac3980627ab3420463ca787be441ac363726ed12Shawn Willden } else { 354ac3980627ab3420463ca787be441ac363726ed12Shawn Willden memcpy(out, signature.get(), len); 355ac3980627ab3420463ca787be441ac363726ed12Shawn Willden } 356ac3980627ab3420463ca787be441ac363726ed12Shawn Willden 357ac3980627ab3420463ca787be441ac363726ed12Shawn Willden ALOGV("rsa=%p keystore_rsa_priv_dec successful", rsa); 358ac3980627ab3420463ca787be441ac363726ed12Shawn Willden return 1; 359ac3980627ab3420463ca787be441ac363726ed12Shawn Willden} 360ac3980627ab3420463ca787be441ac363726ed12Shawn Willden 36124bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willdenint Keymaster0Engine::EcdsaSign(const uint8_t* digest, size_t digest_len, uint8_t* sig, 36224bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden unsigned int* sig_len, EC_KEY* ec_key) const { 36324bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden const keymaster_key_blob_t* key_blob = EcKeyToBlob(ec_key); 36424bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden if (key_blob == NULL) { 36524bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden ALOGE("key had no key_blob!"); 36624bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden return 0; 36724bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden } 36824bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden 3699a1cd6d88dabe29fb921ff26612695b59aaf125cShawn Willden // Truncate digest if it's too long 3709a1cd6d88dabe29fb921ff26612695b59aaf125cShawn Willden size_t max_input_len = (ec_group_size_bits(ec_key) + 7) / 8; 3719a1cd6d88dabe29fb921ff26612695b59aaf125cShawn Willden if (digest_len > max_input_len) 3729a1cd6d88dabe29fb921ff26612695b59aaf125cShawn Willden digest_len = max_input_len; 3739a1cd6d88dabe29fb921ff26612695b59aaf125cShawn Willden 37424bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden keymaster_ec_sign_params_t sign_params = {DIGEST_NONE}; 37524bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden unique_ptr<uint8_t[], Malloc_Delete> signature; 37624bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden size_t signature_length; 377e9fb087a8245e26483e8865515c919c83ed84c5bShawn Willden if (!Keymaster0Sign(&sign_params, *key_blob, digest, digest_len, &signature, 378e9fb087a8245e26483e8865515c919c83ed84c5bShawn Willden &signature_length)) { 379e9fb087a8245e26483e8865515c919c83ed84c5bShawn Willden // We don't know what error code is correct; force an "unknown error" return 380e9fb087a8245e26483e8865515c919c83ed84c5bShawn Willden OPENSSL_PUT_ERROR(USER, KM_ERROR_UNKNOWN_ERROR); 38124bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden return 0; 382e9fb087a8245e26483e8865515c919c83ed84c5bShawn Willden } 38324bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden Eraser eraser(signature.get(), signature_length); 38424bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden 38524bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden if (signature_length == 0) { 38624bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden ALOGW("No valid signature returned"); 38724bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden return 0; 38824bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden } else if (signature_length > ECDSA_size(ec_key)) { 38924bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden ALOGW("Signature is too large"); 39024bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden return 0; 39124bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden } else { 39224bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden memcpy(sig, signature.get(), signature_length); 39324bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden *sig_len = signature_length; 39424bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden } 39524bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden 39624bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden ALOGV("ecdsa_sign(%p, %u, %p) => success", digest, (unsigned)digest_len, ec_key); 39724bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden return 1; 39824bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden} 39924bdfc2558c96c76e850e7c366618c638efeb1c4Shawn Willden 400ac3980627ab3420463ca787be441ac363726ed12Shawn Willden} // namespace keymaster 401