android_pubkey.c revision b62146dcabedcacf99349793c1947797a173f0e6 
1/*
2 * Copyright (C) 2016 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 *      http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#include <crypto_utils/android_pubkey.h>
18
19#include <assert.h>
20#include <stdlib.h>
21#include <string.h>
22
23// Better safe than sorry.
24#if (ANDROID_PUBKEY_MODULUS_SIZE % 4) != 0
25#error RSA modulus size must be multiple of the word size!
26#endif
27
28// Size of the RSA modulus in words.
29#define ANDROID_PUBKEY_MODULUS_SIZE_WORDS (ANDROID_PUBKEY_MODULUS_SIZE / 4)
30
31// This file implements encoding and decoding logic for Android's custom RSA
32// public key binary format. Public keys are stored as a sequence of
33// little-endian 32 bit words. Note that Android only supports little-endian
34// processors, so we don't do any byte order conversions when parsing the binary
35// struct.
36typedef struct RSAPublicKey {
37    // Modulus length. This must be ANDROID_PUBKEY_MODULUS_SIZE.
38    uint32_t modulus_size_words;
39
40    // Precomputed montgomery parameter: -1 / n[0] mod 2^32
41    uint32_t n0inv;
42
43    // RSA modulus as a little-endian array.
44    uint8_t modulus[ANDROID_PUBKEY_MODULUS_SIZE];
45
46    // Montgomery parameter R^2 as a little-endian array of little-endian words.
47    uint8_t rr[ANDROID_PUBKEY_MODULUS_SIZE];
48
49    // RSA modulus: 3 or 65537
50    uint32_t exponent;
51} RSAPublicKey;
52
53// Reverses byte order in |buffer|.
54static void reverse_bytes(uint8_t* buffer, size_t size) {
55  for (size_t i = 0; i < (size + 1) / 2; ++i) {
56    uint8_t tmp = buffer[i];
57    buffer[i] = buffer[size - i - 1];
58    buffer[size - i - 1] = tmp;
59  }
60}
61
62bool android_pubkey_decode(const uint8_t* key_buffer, size_t size, RSA** key) {
63  const RSAPublicKey* key_struct = (RSAPublicKey*)key_buffer;
64  bool ret = false;
65  uint8_t modulus_buffer[ANDROID_PUBKEY_MODULUS_SIZE];
66  RSA* new_key = RSA_new();
67  if (!new_key) {
68    goto cleanup;
69  }
70
71  // Check |size| is large enough and the modulus size is correct.
72  if (size < sizeof(RSAPublicKey)) {
73    goto cleanup;
74  }
75  if (key_struct->modulus_size_words != ANDROID_PUBKEY_MODULUS_SIZE_WORDS) {
76    goto cleanup;
77  }
78
79  // Convert the modulus to big-endian byte order as expected by BN_bin2bn.
80  memcpy(modulus_buffer, key_struct->modulus, sizeof(modulus_buffer));
81  reverse_bytes(modulus_buffer, sizeof(modulus_buffer));
82  new_key->n = BN_bin2bn(modulus_buffer, sizeof(modulus_buffer), NULL);
83  if (!new_key->n) {
84    goto cleanup;
85  }
86
87  // Read the exponent.
88  new_key->e = BN_new();
89  if (!new_key->e || !BN_set_word(new_key->e, key_struct->exponent)) {
90    goto cleanup;
91  }
92
93  // Note that we don't extract the montgomery parameters n0inv and rr from
94  // the RSAPublicKey structure. They assume a word size of 32 bits, but
95  // BoringSSL may use a word size of 64 bits internally, so we're lacking the
96  // top 32 bits of n0inv in general. For now, we just ignore the parameters
97  // and have BoringSSL recompute them internally. More sophisticated logic can
98  // be added here if/when we want the additional speedup from using the
99  // pre-computed montgomery parameters.
100
101  *key = new_key;
102  ret = true;
103
104cleanup:
105  if (!ret && new_key) {
106    RSA_free(new_key);
107  }
108  return ret;
109}
110
111static bool android_pubkey_encode_bignum(const BIGNUM* num, uint8_t* buffer) {
112  if (!BN_bn2bin_padded(buffer, ANDROID_PUBKEY_MODULUS_SIZE, num)) {
113    return false;
114  }
115
116  reverse_bytes(buffer, ANDROID_PUBKEY_MODULUS_SIZE);
117  return true;
118}
119
120bool android_pubkey_encode(const RSA* key, uint8_t* key_buffer, size_t size) {
121  RSAPublicKey* key_struct = (RSAPublicKey*)key_buffer;
122  bool ret = false;
123  BN_CTX* ctx = BN_CTX_new();
124  BIGNUM* r32 = BN_new();
125  BIGNUM* n0inv = BN_new();
126  BIGNUM* rr = BN_new();
127
128  if (sizeof(RSAPublicKey) > size ||
129      RSA_size(key) != ANDROID_PUBKEY_MODULUS_SIZE) {
130    goto cleanup;
131  }
132
133  // Store the modulus size.
134  key_struct->modulus_size_words = ANDROID_PUBKEY_MODULUS_SIZE_WORDS;
135
136  // Compute and store n0inv = -1 / N[0] mod 2^32.
137  if (!ctx || !r32 || !n0inv || !BN_set_bit(r32, 32) ||
138      !BN_mod(n0inv, key->n, r32, ctx) ||
139      !BN_mod_inverse(n0inv, n0inv, r32, ctx) || !BN_sub(n0inv, r32, n0inv)) {
140    goto cleanup;
141  }
142  key_struct->n0inv = (uint32_t)BN_get_word(n0inv);
143
144  // Store the modulus.
145  if (!android_pubkey_encode_bignum(key->n, key_struct->modulus)) {
146    goto cleanup;
147  }
148
149  // Compute and store rr = (2^(rsa_size)) ^ 2 mod N.
150  if (!ctx || !rr || !BN_set_bit(rr, ANDROID_PUBKEY_MODULUS_SIZE * 8) ||
151      !BN_mod_sqr(rr, rr, key->n, ctx) ||
152      !android_pubkey_encode_bignum(rr, key_struct->rr)) {
153    goto cleanup;
154  }
155
156  // Store the exponent.
157  key_struct->exponent = (uint32_t)BN_get_word(key->e);
158
159  ret = true;
160
161cleanup:
162  BN_free(rr);
163  BN_free(n0inv);
164  BN_free(r32);
165  BN_CTX_free(ctx);
166  return ret;
167}
168