1/* 2 * Copyright 2014 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17#include "rsa_operation.h" 18 19#include <limits.h> 20 21#include <new> 22 23#include <openssl/err.h> 24 25#include <keymaster/logger.h> 26 27#include "openssl_err.h" 28#include "openssl_utils.h" 29#include "rsa_key.h" 30 31namespace keymaster { 32 33const size_t kPssOverhead = 2; 34 35// Overhead for PKCS#1 v1.5 signature padding of undigested messages. Digested messages have 36// additional overhead, for the digest algorithmIdentifier required by PKCS#1. 37const size_t kPkcs1UndigestedSignaturePaddingOverhead = 11; 38 39/* static */ 40EVP_PKEY* RsaOperationFactory::GetRsaKey(const Key& key, keymaster_error_t* error) { 41 const RsaKey* rsa_key = static_cast<const RsaKey*>(&key); 42 assert(rsa_key); 43 if (!rsa_key || !rsa_key->key()) { 44 *error = KM_ERROR_UNKNOWN_ERROR; 45 return nullptr; 46 } 47 48 UniquePtr<EVP_PKEY, EVP_PKEY_Delete> pkey(EVP_PKEY_new()); 49 if (!rsa_key->InternalToEvp(pkey.get())) { 50 *error = KM_ERROR_UNKNOWN_ERROR; 51 return nullptr; 52 } 53 return pkey.release(); 54} 55 56static const keymaster_digest_t supported_digests[] = { 57 KM_DIGEST_NONE, KM_DIGEST_MD5, KM_DIGEST_SHA1, KM_DIGEST_SHA_2_224, 58 KM_DIGEST_SHA_2_256, KM_DIGEST_SHA_2_384, KM_DIGEST_SHA_2_512}; 59 60const keymaster_digest_t* RsaOperationFactory::SupportedDigests(size_t* digest_count) const { 61 *digest_count = array_length(supported_digests); 62 return supported_digests; 63} 64 65RsaOperation* RsaOperationFactory::CreateRsaOperation(const Key& key, 66 const AuthorizationSet& begin_params, 67 keymaster_error_t* error) { 68 keymaster_padding_t padding; 69 if (!GetAndValidatePadding(begin_params, key, &padding, error)) 70 return nullptr; 71 72 bool require_digest = (purpose() == KM_PURPOSE_SIGN || purpose() == KM_PURPOSE_VERIFY || 73 padding == KM_PAD_RSA_OAEP); 74 75 keymaster_digest_t digest = KM_DIGEST_NONE; 76 if (require_digest && !GetAndValidateDigest(begin_params, key, &digest, error)) 77 return nullptr; 78 79 UniquePtr<EVP_PKEY, EVP_PKEY_Delete> rsa(GetRsaKey(key, error)); 80 if (!rsa.get()) 81 return nullptr; 82 83 RsaOperation* op = InstantiateOperation(digest, padding, rsa.release()); 84 if (!op) 85 *error = KM_ERROR_MEMORY_ALLOCATION_FAILED; 86 return op; 87} 88 89static const keymaster_padding_t supported_sig_padding[] = {KM_PAD_NONE, KM_PAD_RSA_PKCS1_1_5_SIGN, 90 KM_PAD_RSA_PSS}; 91const keymaster_padding_t* 92RsaDigestingOperationFactory::SupportedPaddingModes(size_t* padding_mode_count) const { 93 *padding_mode_count = array_length(supported_sig_padding); 94 return supported_sig_padding; 95} 96 97RsaOperation* RsaCryptingOperationFactory::CreateRsaOperation(const Key& key, 98 const AuthorizationSet& begin_params, 99 keymaster_error_t* error) { 100 UniquePtr<RsaOperation> op(RsaOperationFactory::CreateRsaOperation(key, begin_params, error)); 101 if (op.get()) { 102 switch (op->padding()) { 103 case KM_PAD_NONE: 104 case KM_PAD_RSA_PKCS1_1_5_ENCRYPT: 105 if (op->digest() != KM_DIGEST_NONE) { 106 *error = KM_ERROR_INCOMPATIBLE_DIGEST; 107 return nullptr; 108 } 109 break; 110 111 case KM_PAD_RSA_OAEP: 112 if (op->digest() == KM_DIGEST_NONE) { 113 *error = KM_ERROR_INCOMPATIBLE_DIGEST; 114 return nullptr; 115 } 116 break; 117 118 default: 119 *error = KM_ERROR_UNSUPPORTED_PADDING_MODE; 120 return nullptr; 121 } 122 } 123 return op.release(); 124} 125 126static const keymaster_padding_t supported_crypt_padding[] = {KM_PAD_NONE, KM_PAD_RSA_OAEP, 127 KM_PAD_RSA_PKCS1_1_5_ENCRYPT}; 128const keymaster_padding_t* 129RsaCryptingOperationFactory::SupportedPaddingModes(size_t* padding_mode_count) const { 130 *padding_mode_count = array_length(supported_crypt_padding); 131 return supported_crypt_padding; 132} 133 134RsaOperation::~RsaOperation() { 135 if (rsa_key_ != NULL) 136 EVP_PKEY_free(rsa_key_); 137} 138 139keymaster_error_t RsaOperation::Begin(const AuthorizationSet& /* input_params */, 140 AuthorizationSet* /* output_params */) { 141 return InitDigest(); 142} 143 144keymaster_error_t RsaOperation::Update(const AuthorizationSet& /* additional_params */, 145 const Buffer& input, AuthorizationSet* /* output_params */, 146 Buffer* /* output */, size_t* input_consumed) { 147 assert(input_consumed); 148 switch (purpose()) { 149 default: 150 return KM_ERROR_UNIMPLEMENTED; 151 case KM_PURPOSE_SIGN: 152 case KM_PURPOSE_VERIFY: 153 case KM_PURPOSE_ENCRYPT: 154 case KM_PURPOSE_DECRYPT: 155 return StoreData(input, input_consumed); 156 } 157} 158 159keymaster_error_t RsaOperation::StoreData(const Buffer& input, size_t* input_consumed) { 160 assert(input_consumed); 161 162 if (!data_.reserve(EVP_PKEY_size(rsa_key_))) 163 return KM_ERROR_MEMORY_ALLOCATION_FAILED; 164 // If the write fails, it's because input length exceeds key size. 165 if (!data_.write(input.peek_read(), input.available_read())) { 166 LOG_E("Input too long: cannot operate on %u bytes of data with %u-byte RSA key", 167 input.available_read() + data_.available_read(), EVP_PKEY_size(rsa_key_)); 168 return KM_ERROR_INVALID_INPUT_LENGTH; 169 } 170 171 *input_consumed = input.available_read(); 172 return KM_ERROR_OK; 173} 174 175keymaster_error_t RsaOperation::SetRsaPaddingInEvpContext(EVP_PKEY_CTX* pkey_ctx, bool signing) { 176 keymaster_error_t error; 177 int openssl_padding = GetOpensslPadding(&error); 178 if (error != KM_ERROR_OK) 179 return error; 180 181 if (EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, openssl_padding) <= 0) 182 return TranslateLastOpenSslError(); 183 184 if (signing && openssl_padding == RSA_PKCS1_PSS_PADDING) { 185 // Also need to set the length of the salt used in the padding generation. We set it equal 186 // to the length of the selected digest. 187 assert(digest_algorithm_); 188 if (EVP_PKEY_CTX_set_rsa_pss_saltlen(pkey_ctx, EVP_MD_size(digest_algorithm_)) <= 0) 189 return TranslateLastOpenSslError(); 190 } 191 192 return KM_ERROR_OK; 193} 194 195keymaster_error_t RsaOperation::InitDigest() { 196 if (digest_ == KM_DIGEST_NONE) { 197 if (require_digest()) 198 return KM_ERROR_INCOMPATIBLE_DIGEST; 199 return KM_ERROR_OK; 200 } 201 202 switch (digest_) { 203 case KM_DIGEST_NONE: 204 return KM_ERROR_OK; 205 case KM_DIGEST_MD5: 206 digest_algorithm_ = EVP_md5(); 207 return KM_ERROR_OK; 208 case KM_DIGEST_SHA1: 209 digest_algorithm_ = EVP_sha1(); 210 return KM_ERROR_OK; 211 case KM_DIGEST_SHA_2_224: 212 digest_algorithm_ = EVP_sha224(); 213 return KM_ERROR_OK; 214 case KM_DIGEST_SHA_2_256: 215 digest_algorithm_ = EVP_sha256(); 216 return KM_ERROR_OK; 217 case KM_DIGEST_SHA_2_384: 218 digest_algorithm_ = EVP_sha384(); 219 return KM_ERROR_OK; 220 case KM_DIGEST_SHA_2_512: 221 digest_algorithm_ = EVP_sha512(); 222 return KM_ERROR_OK; 223 default: 224 return KM_ERROR_UNSUPPORTED_DIGEST; 225 } 226} 227 228RsaDigestingOperation::RsaDigestingOperation(keymaster_purpose_t purpose, keymaster_digest_t digest, 229 keymaster_padding_t padding, EVP_PKEY* key) 230 : RsaOperation(purpose, digest, padding, key) { 231 EVP_MD_CTX_init(&digest_ctx_); 232} 233RsaDigestingOperation::~RsaDigestingOperation() { 234 EVP_MD_CTX_cleanup(&digest_ctx_); 235} 236 237int RsaDigestingOperation::GetOpensslPadding(keymaster_error_t* error) { 238 *error = KM_ERROR_OK; 239 switch (padding_) { 240 case KM_PAD_NONE: 241 return RSA_NO_PADDING; 242 case KM_PAD_RSA_PKCS1_1_5_SIGN: 243 return RSA_PKCS1_PADDING; 244 case KM_PAD_RSA_PSS: 245 if (digest_ == KM_DIGEST_NONE) { 246 *error = KM_ERROR_INCOMPATIBLE_PADDING_MODE; 247 return -1; 248 } 249 if (EVP_MD_size(digest_algorithm_) * 2 + kPssOverhead > (size_t)EVP_PKEY_size(rsa_key_)) { 250 LOG_E("Input too long: %d-byte digest cannot be used with %d-byte RSA key in PSS " 251 "padding mode", 252 EVP_MD_size(digest_algorithm_), EVP_PKEY_size(rsa_key_)); 253 *error = KM_ERROR_INCOMPATIBLE_DIGEST; 254 return -1; 255 } 256 return RSA_PKCS1_PSS_PADDING; 257 default: 258 return -1; 259 } 260} 261 262keymaster_error_t RsaSignOperation::Begin(const AuthorizationSet& input_params, 263 AuthorizationSet* output_params) { 264 keymaster_error_t error = RsaDigestingOperation::Begin(input_params, output_params); 265 if (error != KM_ERROR_OK) 266 return error; 267 268 if (digest_ == KM_DIGEST_NONE) 269 return KM_ERROR_OK; 270 271 EVP_PKEY_CTX* pkey_ctx; 272 if (EVP_DigestSignInit(&digest_ctx_, &pkey_ctx, digest_algorithm_, nullptr /* engine */, 273 rsa_key_) != 1) 274 return TranslateLastOpenSslError(); 275 return SetRsaPaddingInEvpContext(pkey_ctx, true /* signing */); 276} 277 278keymaster_error_t RsaSignOperation::Update(const AuthorizationSet& additional_params, 279 const Buffer& input, AuthorizationSet* output_params, 280 Buffer* output, size_t* input_consumed) { 281 if (digest_ == KM_DIGEST_NONE) 282 // Just buffer the data. 283 return RsaOperation::Update(additional_params, input, output_params, output, 284 input_consumed); 285 286 if (EVP_DigestSignUpdate(&digest_ctx_, input.peek_read(), input.available_read()) != 1) 287 return TranslateLastOpenSslError(); 288 *input_consumed = input.available_read(); 289 return KM_ERROR_OK; 290} 291 292keymaster_error_t RsaSignOperation::Finish(const AuthorizationSet& additional_params, 293 const Buffer& input, const Buffer& /* signature */, 294 AuthorizationSet* /* output_params */, Buffer* output) { 295 assert(output); 296 297 keymaster_error_t error = UpdateForFinish(additional_params, input); 298 if (error != KM_ERROR_OK) 299 return error; 300 301 if (digest_ == KM_DIGEST_NONE) 302 return SignUndigested(output); 303 else 304 return SignDigested(output); 305} 306 307static keymaster_error_t zero_pad_left(UniquePtr<uint8_t[]>* dest, size_t padded_len, Buffer& src) { 308 assert(padded_len > src.available_read()); 309 310 dest->reset(new uint8_t[padded_len]); 311 if (!dest->get()) 312 return KM_ERROR_MEMORY_ALLOCATION_FAILED; 313 314 size_t padding_len = padded_len - src.available_read(); 315 memset(dest->get(), 0, padding_len); 316 if (!src.read(dest->get() + padding_len, src.available_read())) 317 return KM_ERROR_UNKNOWN_ERROR; 318 319 return KM_ERROR_OK; 320} 321 322keymaster_error_t RsaSignOperation::SignUndigested(Buffer* output) { 323 UniquePtr<RSA, RSA_Delete> rsa(EVP_PKEY_get1_RSA(const_cast<EVP_PKEY*>(rsa_key_))); 324 if (!rsa.get()) 325 return TranslateLastOpenSslError(); 326 327 if (!output->Reinitialize(RSA_size(rsa.get()))) 328 return KM_ERROR_MEMORY_ALLOCATION_FAILED; 329 330 size_t key_len = EVP_PKEY_size(rsa_key_); 331 int bytes_encrypted; 332 switch (padding_) { 333 case KM_PAD_NONE: { 334 const uint8_t* to_encrypt = data_.peek_read(); 335 UniquePtr<uint8_t[]> zero_padded; 336 if (data_.available_read() > key_len) { 337 return KM_ERROR_INVALID_INPUT_LENGTH; 338 } else if (data_.available_read() < key_len) { 339 keymaster_error_t error = zero_pad_left(&zero_padded, key_len, data_); 340 if (error != KM_ERROR_OK) 341 return error; 342 to_encrypt = zero_padded.get(); 343 } 344 bytes_encrypted = RSA_private_encrypt(key_len, to_encrypt, output->peek_write(), rsa.get(), 345 RSA_NO_PADDING); 346 break; 347 } 348 case KM_PAD_RSA_PKCS1_1_5_SIGN: 349 // Does PKCS1 padding without digesting even make sense? Dunno. We'll support it. 350 if (data_.available_read() + kPkcs1UndigestedSignaturePaddingOverhead > key_len) { 351 LOG_E("Input too long: cannot sign %u-byte message with PKCS1 padding with %u-bit key", 352 data_.available_read(), EVP_PKEY_size(rsa_key_) * 8); 353 return KM_ERROR_INVALID_INPUT_LENGTH; 354 } 355 bytes_encrypted = RSA_private_encrypt(data_.available_read(), data_.peek_read(), 356 output->peek_write(), rsa.get(), RSA_PKCS1_PADDING); 357 break; 358 359 default: 360 return KM_ERROR_UNSUPPORTED_PADDING_MODE; 361 } 362 363 if (bytes_encrypted <= 0) 364 return TranslateLastOpenSslError(); 365 if (!output->advance_write(bytes_encrypted)) 366 return KM_ERROR_UNKNOWN_ERROR; 367 return KM_ERROR_OK; 368} 369 370keymaster_error_t RsaSignOperation::SignDigested(Buffer* output) { 371 size_t siglen; 372 if (EVP_DigestSignFinal(&digest_ctx_, nullptr /* signature */, &siglen) != 1) 373 return TranslateLastOpenSslError(); 374 375 if (!output->Reinitialize(siglen)) 376 return KM_ERROR_MEMORY_ALLOCATION_FAILED; 377 378 if (EVP_DigestSignFinal(&digest_ctx_, output->peek_write(), &siglen) <= 0) 379 return TranslateLastOpenSslError(); 380 if (!output->advance_write(siglen)) 381 return KM_ERROR_UNKNOWN_ERROR; 382 383 return KM_ERROR_OK; 384} 385 386keymaster_error_t RsaVerifyOperation::Begin(const AuthorizationSet& input_params, 387 AuthorizationSet* output_params) { 388 keymaster_error_t error = RsaDigestingOperation::Begin(input_params, output_params); 389 if (error != KM_ERROR_OK) 390 return error; 391 392 if (digest_ == KM_DIGEST_NONE) 393 return KM_ERROR_OK; 394 395 EVP_PKEY_CTX* pkey_ctx; 396 if (EVP_DigestVerifyInit(&digest_ctx_, &pkey_ctx, digest_algorithm_, NULL, rsa_key_) != 1) 397 return TranslateLastOpenSslError(); 398 return SetRsaPaddingInEvpContext(pkey_ctx, false /* signing */); 399} 400 401keymaster_error_t RsaVerifyOperation::Update(const AuthorizationSet& additional_params, 402 const Buffer& input, AuthorizationSet* output_params, 403 Buffer* output, size_t* input_consumed) { 404 if (digest_ == KM_DIGEST_NONE) 405 // Just buffer the data. 406 return RsaOperation::Update(additional_params, input, output_params, output, 407 input_consumed); 408 409 if (EVP_DigestVerifyUpdate(&digest_ctx_, input.peek_read(), input.available_read()) != 1) 410 return TranslateLastOpenSslError(); 411 *input_consumed = input.available_read(); 412 return KM_ERROR_OK; 413} 414 415keymaster_error_t RsaVerifyOperation::Finish(const AuthorizationSet& additional_params, 416 const Buffer& input, const Buffer& signature, 417 AuthorizationSet* /* output_params */, 418 Buffer* /* output */) { 419 keymaster_error_t error = UpdateForFinish(additional_params, input); 420 if (error != KM_ERROR_OK) 421 return error; 422 423 if (digest_ == KM_DIGEST_NONE) 424 return VerifyUndigested(signature); 425 else 426 return VerifyDigested(signature); 427} 428 429keymaster_error_t RsaVerifyOperation::VerifyUndigested(const Buffer& signature) { 430 UniquePtr<RSA, RSA_Delete> rsa(EVP_PKEY_get1_RSA(const_cast<EVP_PKEY*>(rsa_key_))); 431 if (!rsa.get()) 432 return KM_ERROR_UNKNOWN_ERROR; 433 434 size_t key_len = RSA_size(rsa.get()); 435 int openssl_padding; 436 switch (padding_) { 437 case KM_PAD_NONE: 438 if (data_.available_read() > key_len) 439 return KM_ERROR_INVALID_INPUT_LENGTH; 440 if (key_len != signature.available_read()) 441 return KM_ERROR_VERIFICATION_FAILED; 442 openssl_padding = RSA_NO_PADDING; 443 break; 444 case KM_PAD_RSA_PKCS1_1_5_SIGN: 445 if (data_.available_read() + kPkcs1UndigestedSignaturePaddingOverhead > key_len) { 446 LOG_E("Input too long: cannot verify %u-byte message with PKCS1 padding && %u-bit key", 447 data_.available_read(), key_len * 8); 448 return KM_ERROR_INVALID_INPUT_LENGTH; 449 } 450 openssl_padding = RSA_PKCS1_PADDING; 451 break; 452 default: 453 return KM_ERROR_UNSUPPORTED_PADDING_MODE; 454 } 455 456 UniquePtr<uint8_t[]> decrypted_data(new (std::nothrow) uint8_t[key_len]); 457 if (!decrypted_data.get()) 458 return KM_ERROR_MEMORY_ALLOCATION_FAILED; 459 int bytes_decrypted = RSA_public_decrypt(signature.available_read(), signature.peek_read(), 460 decrypted_data.get(), rsa.get(), openssl_padding); 461 if (bytes_decrypted < 0) 462 return KM_ERROR_VERIFICATION_FAILED; 463 464 const uint8_t* compare_pos = decrypted_data.get(); 465 size_t bytes_to_compare = bytes_decrypted; 466 uint8_t zero_check_result = 0; 467 if (padding_ == KM_PAD_NONE && data_.available_read() < bytes_to_compare) { 468 // If the data is short, for "unpadded" signing we zero-pad to the left. So during 469 // verification we should have zeros on the left of the decrypted data. Do a constant-time 470 // check. 471 const uint8_t* zero_end = compare_pos + bytes_to_compare - data_.available_read(); 472 while (compare_pos < zero_end) 473 zero_check_result |= *compare_pos++; 474 bytes_to_compare = data_.available_read(); 475 } 476 if (memcmp_s(compare_pos, data_.peek_read(), bytes_to_compare) != 0 || zero_check_result != 0) 477 return KM_ERROR_VERIFICATION_FAILED; 478 return KM_ERROR_OK; 479} 480 481keymaster_error_t RsaVerifyOperation::VerifyDigested(const Buffer& signature) { 482 if (!EVP_DigestVerifyFinal(&digest_ctx_, signature.peek_read(), signature.available_read())) 483 return KM_ERROR_VERIFICATION_FAILED; 484 return KM_ERROR_OK; 485} 486 487keymaster_error_t RsaCryptOperation::SetOaepDigestIfRequired(EVP_PKEY_CTX* pkey_ctx) { 488 if (padding() != KM_PAD_RSA_OAEP) 489 return KM_ERROR_OK; 490 491 assert(digest_algorithm_ != nullptr); 492 if (!EVP_PKEY_CTX_set_rsa_oaep_md(pkey_ctx, digest_algorithm_)) 493 return TranslateLastOpenSslError(); 494 495 // MGF1 MD is always SHA1. 496 if (!EVP_PKEY_CTX_set_rsa_mgf1_md(pkey_ctx, EVP_sha1())) 497 return TranslateLastOpenSslError(); 498 499 return KM_ERROR_OK; 500} 501 502int RsaCryptOperation::GetOpensslPadding(keymaster_error_t* error) { 503 *error = KM_ERROR_OK; 504 switch (padding_) { 505 case KM_PAD_NONE: 506 return RSA_NO_PADDING; 507 case KM_PAD_RSA_PKCS1_1_5_ENCRYPT: 508 return RSA_PKCS1_PADDING; 509 case KM_PAD_RSA_OAEP: 510 return RSA_PKCS1_OAEP_PADDING; 511 default: 512 return -1; 513 } 514} 515 516struct EVP_PKEY_CTX_Delete { 517 void operator()(EVP_PKEY_CTX* p) { EVP_PKEY_CTX_free(p); } 518}; 519 520keymaster_error_t RsaEncryptOperation::Finish(const AuthorizationSet& additional_params, 521 const Buffer& input, const Buffer& /* signature */, 522 AuthorizationSet* /* output_params */, 523 Buffer* output) { 524 if (!output) 525 return KM_ERROR_OUTPUT_PARAMETER_NULL; 526 527 keymaster_error_t error = UpdateForFinish(additional_params, input); 528 if (error != KM_ERROR_OK) 529 return error; 530 531 UniquePtr<EVP_PKEY_CTX, EVP_PKEY_CTX_Delete> ctx( 532 EVP_PKEY_CTX_new(rsa_key_, nullptr /* engine */)); 533 if (!ctx.get()) 534 return KM_ERROR_MEMORY_ALLOCATION_FAILED; 535 536 if (EVP_PKEY_encrypt_init(ctx.get()) <= 0) 537 return TranslateLastOpenSslError(); 538 539 error = SetRsaPaddingInEvpContext(ctx.get(), false /* signing */); 540 if (error != KM_ERROR_OK) 541 return error; 542 error = SetOaepDigestIfRequired(ctx.get()); 543 if (error != KM_ERROR_OK) 544 return error; 545 546 size_t outlen; 547 if (EVP_PKEY_encrypt(ctx.get(), nullptr /* out */, &outlen, data_.peek_read(), 548 data_.available_read()) <= 0) 549 return TranslateLastOpenSslError(); 550 551 if (!output->Reinitialize(outlen)) 552 return KM_ERROR_MEMORY_ALLOCATION_FAILED; 553 554 const uint8_t* to_encrypt = data_.peek_read(); 555 size_t to_encrypt_len = data_.available_read(); 556 UniquePtr<uint8_t[]> zero_padded; 557 if (padding_ == KM_PAD_NONE && to_encrypt_len < outlen) { 558 keymaster_error_t error = zero_pad_left(&zero_padded, outlen, data_); 559 if (error != KM_ERROR_OK) 560 return error; 561 to_encrypt = zero_padded.get(); 562 to_encrypt_len = outlen; 563 } 564 565 if (EVP_PKEY_encrypt(ctx.get(), output->peek_write(), &outlen, to_encrypt, to_encrypt_len) <= 0) 566 return TranslateLastOpenSslError(); 567 if (!output->advance_write(outlen)) 568 return KM_ERROR_UNKNOWN_ERROR; 569 570 return KM_ERROR_OK; 571} 572 573keymaster_error_t RsaDecryptOperation::Finish(const AuthorizationSet& additional_params, 574 const Buffer& input, const Buffer& /* signature */, 575 AuthorizationSet* /* output_params */, 576 Buffer* output) { 577 if (!output) 578 return KM_ERROR_OUTPUT_PARAMETER_NULL; 579 580 keymaster_error_t error = UpdateForFinish(additional_params, input); 581 if (error != KM_ERROR_OK) 582 return error; 583 584 UniquePtr<EVP_PKEY_CTX, EVP_PKEY_CTX_Delete> ctx( 585 EVP_PKEY_CTX_new(rsa_key_, nullptr /* engine */)); 586 if (!ctx.get()) 587 return KM_ERROR_MEMORY_ALLOCATION_FAILED; 588 589 if (EVP_PKEY_decrypt_init(ctx.get()) <= 0) 590 return TranslateLastOpenSslError(); 591 592 error = SetRsaPaddingInEvpContext(ctx.get(), false /* signing */); 593 if (error != KM_ERROR_OK) 594 return error; 595 error = SetOaepDigestIfRequired(ctx.get()); 596 if (error != KM_ERROR_OK) 597 return error; 598 599 size_t outlen; 600 if (EVP_PKEY_decrypt(ctx.get(), nullptr /* out */, &outlen, data_.peek_read(), 601 data_.available_read()) <= 0) 602 return TranslateLastOpenSslError(); 603 604 if (!output->Reinitialize(outlen)) 605 return KM_ERROR_MEMORY_ALLOCATION_FAILED; 606 607 const uint8_t* to_decrypt = data_.peek_read(); 608 size_t to_decrypt_len = data_.available_read(); 609 UniquePtr<uint8_t[]> zero_padded; 610 if (padding_ == KM_PAD_NONE && to_decrypt_len < outlen) { 611 keymaster_error_t error = zero_pad_left(&zero_padded, outlen, data_); 612 if (error != KM_ERROR_OK) 613 return error; 614 to_decrypt = zero_padded.get(); 615 to_decrypt_len = outlen; 616 } 617 618 if (EVP_PKEY_decrypt(ctx.get(), output->peek_write(), &outlen, to_decrypt, to_decrypt_len) <= 0) 619 return TranslateLastOpenSslError(); 620 if (!output->advance_write(outlen)) 621 return KM_ERROR_UNKNOWN_ERROR; 622 623 return KM_ERROR_OK; 624} 625 626} // namespace keymaster 627