1d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden/* 2d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden * Copyright 2015 The Android Open Source Project 3d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden * 4d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden * Licensed under the Apache License, Version 2.0 (the "License"); 5d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden * you may not use this file except in compliance with the License. 6d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden * You may obtain a copy of the License at 7d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden * 8d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden * http://www.apache.org/licenses/LICENSE-2.0 9d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden * 10d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden * Unless required by applicable law or agreed to in writing, software 11d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden * distributed under the License is distributed on an "AS IS" BASIS, 12d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden * See the License for the specific language governing permissions and 14d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden * limitations under the License. 15d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden */ 16d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden 17d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden#include "rsa_keymaster1_operation.h" 18d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden 19d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden#include <memory> 20d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden 21d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden#include <keymaster/android_keymaster_utils.h> 22d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden 23d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden#include "openssl_err.h" 24d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden#include "openssl_utils.h" 25d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden#include "rsa_keymaster1_key.h" 26d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden 27d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willdenusing std::unique_ptr; 28d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden 29d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willdennamespace keymaster { 30d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden 31d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willdenkeymaster_error_t RsaKeymaster1WrappedOperation::Begin(EVP_PKEY* rsa_key, 32d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden const AuthorizationSet& input_params) { 33d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden Keymaster1Engine::KeyData* key_data = engine_->GetData(rsa_key); 34d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden if (!key_data) 35d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden return KM_ERROR_UNKNOWN_ERROR; 36d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden 37d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden // Copy the input params and substitute KM_DIGEST_NONE for whatever was specified. Also change 38d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden // KM_PAD_RSA_PSS and KM_PAD_OAEP to KM_PAD_NONE, if necessary. These are the params we'll pass 39d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden // to the hardware module. The regular Rsa*Operation classes will do software digesting and 40d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden // padding where we've told the HW not to. 41d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden // 42d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden // The reason we don't change KM_PAD_RSA_PKCS1_1_5_SIGN or KM_PAD_RSA_PKCS1_1_5_ENCRYPT to 43d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden // KM_PAD_NONE is because the hardware can perform those padding modes, since they don't involve 44d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden // digesting. 45d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden // 46d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden // We also cache in the key the padding value that we expect to be passed to the engine crypto 47d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden // operation. This just allows us to double-check that the correct padding value is reaching 48d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden // that layer. 49d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden AuthorizationSet begin_params(input_params); 50d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden int pos = begin_params.find(TAG_DIGEST); 51d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden if (pos == -1) 52d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden return KM_ERROR_UNSUPPORTED_DIGEST; 53d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden begin_params[pos].enumerated = KM_DIGEST_NONE; 54d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden 55d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden pos = begin_params.find(TAG_PADDING); 56d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden if (pos == -1) 57d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden return KM_ERROR_UNSUPPORTED_PADDING_MODE; 58d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden switch (begin_params[pos].enumerated) { 59d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden 60d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden case KM_PAD_RSA_PSS: 61d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden case KM_PAD_RSA_OAEP: 62d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden key_data->expected_openssl_padding = RSA_NO_PADDING; 63d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden begin_params[pos].enumerated = KM_PAD_NONE; 64d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden break; 65d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden 66d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden case KM_PAD_RSA_PKCS1_1_5_ENCRYPT: 67d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden case KM_PAD_RSA_PKCS1_1_5_SIGN: 68d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden key_data->expected_openssl_padding = RSA_PKCS1_PADDING; 69d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden break; 70d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden } 71d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden 72d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden return engine_->device()->begin(engine_->device(), purpose_, &key_data->key_material, 73d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden &begin_params, nullptr /* out_params */, &operation_handle_); 74d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden} 75d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden 76d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willdenkeymaster_error_t 77d599b15c0693950bdc72fb867872044fdc484ef5Shawn WilldenRsaKeymaster1WrappedOperation::PrepareFinish(EVP_PKEY* rsa_key, 78d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden const AuthorizationSet& input_params) { 79d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden Keymaster1Engine::KeyData* key_data = engine_->GetData(rsa_key); 80d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden if (!key_data) { 81d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden LOG_E("Could not get extended key data... not a Keymaster1Engine key?", 0); 82d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden return KM_ERROR_UNKNOWN_ERROR; 83d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden } 84d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden key_data->op_handle = operation_handle_; 85d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden key_data->finish_params.Reinitialize(input_params); 86d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden 87d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden return KM_ERROR_OK; 88d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden} 89d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden 90d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willdenkeymaster_error_t RsaKeymaster1WrappedOperation::Abort() { 91d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden return engine_->device()->abort(engine_->device(), operation_handle_); 92d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden} 93d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden 94d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willdenkeymaster_error_t RsaKeymaster1WrappedOperation::GetError(EVP_PKEY* rsa_key) { 95d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden Keymaster1Engine::KeyData* key_data = engine_->GetData(rsa_key); // key_data is owned by rsa 96d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden if (!key_data) 97d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden return KM_ERROR_UNKNOWN_ERROR; 98d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden return key_data->error; 99d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden} 100d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden 101d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willdenstatic EVP_PKEY* GetEvpKey(const RsaKeymaster1Key& key, keymaster_error_t* error) { 102d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden if (!key.key()) { 103d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden *error = KM_ERROR_UNKNOWN_ERROR; 104d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden return nullptr; 105d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden } 106d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden 107d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden UniquePtr<EVP_PKEY, EVP_PKEY_Delete> pkey(EVP_PKEY_new()); 108d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden if (!key.InternalToEvp(pkey.get())) { 109d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden *error = KM_ERROR_UNKNOWN_ERROR; 110d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden return nullptr; 111d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden } 112d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden return pkey.release(); 113d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden} 114d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden 115d599b15c0693950bdc72fb867872044fdc484ef5Shawn WilldenOperation* RsaKeymaster1OperationFactory::CreateOperation(const Key& key, 116d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden const AuthorizationSet& begin_params, 117d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden keymaster_error_t* error) { 118d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden keymaster_digest_t digest; 119d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden if (!GetAndValidateDigest(begin_params, key, &digest, error)) 120d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden return nullptr; 121d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden 122d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden keymaster_padding_t padding; 123d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden if (!GetAndValidatePadding(begin_params, key, &padding, error)) 124d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden return nullptr; 125d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden 126d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden const RsaKeymaster1Key& rsa_km1_key(static_cast<const RsaKeymaster1Key&>(key)); 127d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden unique_ptr<EVP_PKEY, EVP_PKEY_Delete> rsa(GetEvpKey(rsa_km1_key, error)); 128d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden if (!rsa) 129d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden return nullptr; 130d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden 131d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden switch (purpose_) { 132d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden case KM_PURPOSE_SIGN: 133d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden return new RsaKeymaster1Operation<RsaSignOperation>(digest, padding, rsa.release(), 134d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden engine_); 135d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden case KM_PURPOSE_DECRYPT: 136d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden return new RsaKeymaster1Operation<RsaDecryptOperation>(digest, padding, rsa.release(), 137d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden engine_); 138d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden default: 139d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden LOG_E("Bug: Pubkey operation requested. Those should be handled by normal RSA operations.", 140d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden 0); 141d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden *error = KM_ERROR_UNSUPPORTED_PURPOSE; 142d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden return nullptr; 143d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden } 144d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden} 145d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden 146d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willdenstatic const keymaster_digest_t supported_digests[] = { 147d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden KM_DIGEST_NONE, KM_DIGEST_MD5, KM_DIGEST_SHA1, KM_DIGEST_SHA_2_224, 148d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden KM_DIGEST_SHA_2_256, KM_DIGEST_SHA_2_384, KM_DIGEST_SHA_2_512}; 149d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden 150d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willdenconst keymaster_digest_t* 151d599b15c0693950bdc72fb867872044fdc484ef5Shawn WilldenRsaKeymaster1OperationFactory::SupportedDigests(size_t* digest_count) const { 152d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden *digest_count = array_length(supported_digests); 153d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden return supported_digests; 154d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden} 155d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden 156d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willdenstatic const keymaster_padding_t supported_sig_padding[] = { 157d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden KM_PAD_NONE, KM_PAD_RSA_PKCS1_1_5_SIGN, KM_PAD_RSA_PSS, 158d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden}; 159d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willdenstatic const keymaster_padding_t supported_crypt_padding[] = { 160d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden KM_PAD_NONE, KM_PAD_RSA_PKCS1_1_5_ENCRYPT, KM_PAD_RSA_OAEP, 161d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden}; 162d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden 163d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willdenconst keymaster_padding_t* 164d599b15c0693950bdc72fb867872044fdc484ef5Shawn WilldenRsaKeymaster1OperationFactory::SupportedPaddingModes(size_t* padding_mode_count) const { 165d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden switch (purpose_) { 166d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden case KM_PURPOSE_SIGN: 167d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden case KM_PURPOSE_VERIFY: 168d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden *padding_mode_count = array_length(supported_sig_padding); 169d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden return supported_sig_padding; 170d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden case KM_PURPOSE_ENCRYPT: 171d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden case KM_PURPOSE_DECRYPT: 172d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden *padding_mode_count = array_length(supported_crypt_padding); 173d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden return supported_crypt_padding; 174d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden default: 175d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden *padding_mode_count = 0; 176d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden return nullptr; 177d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden } 178d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden} 179d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden 180d599b15c0693950bdc72fb867872044fdc484ef5Shawn Willden} // namespace keymaster 181