1 /* 2 * Copyright 2014 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 #include <keymaster/km_openssl/rsa_operation.h> 18 19 #include <limits.h> 20 21 #include <openssl/err.h> 22 23 #include <keymaster/km_openssl/openssl_err.h> 24 #include <keymaster/km_openssl/openssl_utils.h> 25 #include <keymaster/km_openssl/rsa_key.h> 26 #include <keymaster/logger.h> 27 #include <keymaster/new.h> 28 29 namespace keymaster { 30 31 const size_t kPssOverhead = 2; 32 33 // Overhead for PKCS#1 v1.5 signature padding of undigested messages. Digested messages have 34 // additional overhead, for the digest algorithmIdentifier required by PKCS#1. 35 const size_t kPkcs1UndigestedSignaturePaddingOverhead = 11; 36 37 /* static */ 38 EVP_PKEY* RsaOperationFactory::GetRsaKey(Key&& key, keymaster_error_t* error) { 39 const RsaKey& rsa_key = static_cast<RsaKey&>(key); 40 if (!rsa_key.key()) { 41 *error = KM_ERROR_UNKNOWN_ERROR; 42 return nullptr; 43 } 44 45 UniquePtr<EVP_PKEY, EVP_PKEY_Delete> pkey(EVP_PKEY_new()); 46 if (!rsa_key.InternalToEvp(pkey.get())) { 47 *error = KM_ERROR_UNKNOWN_ERROR; 48 return nullptr; 49 } 50 return pkey.release(); 51 } 52 53 static const keymaster_digest_t supported_digests[] = { 54 KM_DIGEST_NONE, KM_DIGEST_MD5, KM_DIGEST_SHA1, KM_DIGEST_SHA_2_224, 55 KM_DIGEST_SHA_2_256, KM_DIGEST_SHA_2_384, KM_DIGEST_SHA_2_512}; 56 57 const keymaster_digest_t* RsaOperationFactory::SupportedDigests(size_t* digest_count) const { 58 *digest_count = array_length(supported_digests); 59 return supported_digests; 60 } 61 62 RsaOperation* RsaOperationFactory::CreateRsaOperation(Key&& key, 63 const AuthorizationSet& begin_params, 64 keymaster_error_t* error) { 65 keymaster_padding_t padding; 66 if (!GetAndValidatePadding(begin_params, key, &padding, error)) return nullptr; 67 68 bool require_digest = (purpose() == KM_PURPOSE_SIGN || purpose() == KM_PURPOSE_VERIFY || 69 padding == KM_PAD_RSA_OAEP); 70 71 keymaster_digest_t digest = KM_DIGEST_NONE; 72 73 if (require_digest && !GetAndValidateDigest(begin_params, key, &digest, error, true)) { 74 return nullptr; 75 } 76 77 UniquePtr<EVP_PKEY, EVP_PKEY_Delete> rsa(GetRsaKey(move(key), error)); 78 if (!rsa.get()) return nullptr; 79 80 RsaOperation* op = InstantiateOperation(key.hw_enforced_move(), key.sw_enforced_move(), digest, 81 padding, rsa.release()); 82 if (!op) *error = KM_ERROR_MEMORY_ALLOCATION_FAILED; 83 return op; 84 } 85 86 static const keymaster_padding_t supported_sig_padding[] = {KM_PAD_NONE, KM_PAD_RSA_PKCS1_1_5_SIGN, 87 KM_PAD_RSA_PSS}; 88 const keymaster_padding_t* 89 RsaDigestingOperationFactory::SupportedPaddingModes(size_t* padding_mode_count) const { 90 *padding_mode_count = array_length(supported_sig_padding); 91 return supported_sig_padding; 92 } 93 94 RsaOperation* RsaCryptingOperationFactory::CreateRsaOperation(Key&& key, 95 const AuthorizationSet& begin_params, 96 keymaster_error_t* error) { 97 UniquePtr<RsaOperation> op( 98 RsaOperationFactory::CreateRsaOperation(move(key), begin_params, error)); 99 if (op.get()) { 100 switch (op->padding()) { 101 case KM_PAD_NONE: 102 case KM_PAD_RSA_PKCS1_1_5_ENCRYPT: 103 if (op->digest() != KM_DIGEST_NONE) { 104 *error = KM_ERROR_INCOMPATIBLE_DIGEST; 105 return nullptr; 106 } 107 break; 108 109 case KM_PAD_RSA_OAEP: 110 if (op->digest() == KM_DIGEST_NONE) { 111 *error = KM_ERROR_INCOMPATIBLE_DIGEST; 112 return nullptr; 113 } 114 break; 115 116 default: 117 *error = KM_ERROR_UNSUPPORTED_PADDING_MODE; 118 return nullptr; 119 } 120 } 121 return op.release(); 122 } 123 124 static const keymaster_padding_t supported_crypt_padding[] = {KM_PAD_NONE, KM_PAD_RSA_OAEP, 125 KM_PAD_RSA_PKCS1_1_5_ENCRYPT}; 126 const keymaster_padding_t* 127 RsaCryptingOperationFactory::SupportedPaddingModes(size_t* padding_mode_count) const { 128 *padding_mode_count = array_length(supported_crypt_padding); 129 return supported_crypt_padding; 130 } 131 132 RsaOperation::~RsaOperation() { 133 if (rsa_key_ != nullptr) 134 EVP_PKEY_free(rsa_key_); 135 } 136 137 keymaster_error_t RsaOperation::Begin(const AuthorizationSet& /* input_params */, 138 AuthorizationSet* /* output_params */) { 139 auto rc = GenerateRandom(reinterpret_cast<uint8_t*>(&operation_handle_), 140 (size_t)sizeof(operation_handle_)); 141 if (rc != KM_ERROR_OK) return rc; 142 143 return InitDigest(); 144 } 145 146 keymaster_error_t RsaOperation::Update(const AuthorizationSet& /* additional_params */, 147 const Buffer& input, AuthorizationSet* /* output_params */, 148 Buffer* /* output */, size_t* input_consumed) { 149 assert(input_consumed); 150 switch (purpose()) { 151 default: 152 return KM_ERROR_UNIMPLEMENTED; 153 case KM_PURPOSE_SIGN: 154 case KM_PURPOSE_VERIFY: 155 case KM_PURPOSE_ENCRYPT: 156 case KM_PURPOSE_DECRYPT: 157 return StoreData(input, input_consumed); 158 } 159 } 160 161 keymaster_error_t RsaOperation::StoreData(const Buffer& input, size_t* input_consumed) { 162 assert(input_consumed); 163 164 if (!data_.reserve(EVP_PKEY_size(rsa_key_))) 165 return KM_ERROR_MEMORY_ALLOCATION_FAILED; 166 // If the write fails, it's because input length exceeds key size. 167 if (!data_.write(input.peek_read(), input.available_read())) { 168 LOG_E("Input too long: cannot operate on %u bytes of data with %u-byte RSA key", 169 input.available_read() + data_.available_read(), EVP_PKEY_size(rsa_key_)); 170 return KM_ERROR_INVALID_INPUT_LENGTH; 171 } 172 173 *input_consumed = input.available_read(); 174 return KM_ERROR_OK; 175 } 176 177 keymaster_error_t RsaOperation::SetRsaPaddingInEvpContext(EVP_PKEY_CTX* pkey_ctx, bool signing) { 178 keymaster_error_t error; 179 int openssl_padding = GetOpensslPadding(&error); 180 if (error != KM_ERROR_OK) 181 return error; 182 183 if (EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, openssl_padding) <= 0) 184 return TranslateLastOpenSslError(); 185 186 if (signing && openssl_padding == RSA_PKCS1_PSS_PADDING) { 187 // Also need to set the length of the salt used in the padding generation. We set it equal 188 // to the length of the selected digest. 189 assert(digest_algorithm_); 190 if (EVP_PKEY_CTX_set_rsa_pss_saltlen(pkey_ctx, EVP_MD_size(digest_algorithm_)) <= 0) 191 return TranslateLastOpenSslError(); 192 } 193 194 return KM_ERROR_OK; 195 } 196 197 keymaster_error_t RsaOperation::InitDigest() { 198 if (digest_ == KM_DIGEST_NONE) { 199 if (require_digest()) 200 return KM_ERROR_INCOMPATIBLE_DIGEST; 201 return KM_ERROR_OK; 202 } 203 204 switch (digest_) { 205 case KM_DIGEST_NONE: 206 return KM_ERROR_OK; 207 case KM_DIGEST_MD5: 208 digest_algorithm_ = EVP_md5(); 209 return KM_ERROR_OK; 210 case KM_DIGEST_SHA1: 211 digest_algorithm_ = EVP_sha1(); 212 return KM_ERROR_OK; 213 case KM_DIGEST_SHA_2_224: 214 digest_algorithm_ = EVP_sha224(); 215 return KM_ERROR_OK; 216 case KM_DIGEST_SHA_2_256: 217 digest_algorithm_ = EVP_sha256(); 218 return KM_ERROR_OK; 219 case KM_DIGEST_SHA_2_384: 220 digest_algorithm_ = EVP_sha384(); 221 return KM_ERROR_OK; 222 case KM_DIGEST_SHA_2_512: 223 digest_algorithm_ = EVP_sha512(); 224 return KM_ERROR_OK; 225 default: 226 return KM_ERROR_UNSUPPORTED_DIGEST; 227 } 228 } 229 230 RsaDigestingOperation::RsaDigestingOperation(AuthorizationSet&& hw_enforced, 231 AuthorizationSet&& sw_enforced, 232 keymaster_purpose_t purpose, keymaster_digest_t digest, 233 keymaster_padding_t padding, EVP_PKEY* key) 234 : RsaOperation(move(hw_enforced), move(sw_enforced), purpose, digest, padding, key) { 235 EVP_MD_CTX_init(&digest_ctx_); 236 } 237 RsaDigestingOperation::~RsaDigestingOperation() { 238 EVP_MD_CTX_cleanup(&digest_ctx_); 239 } 240 241 int RsaDigestingOperation::GetOpensslPadding(keymaster_error_t* error) { 242 *error = KM_ERROR_OK; 243 switch (padding_) { 244 case KM_PAD_NONE: 245 return RSA_NO_PADDING; 246 case KM_PAD_RSA_PKCS1_1_5_SIGN: 247 return RSA_PKCS1_PADDING; 248 case KM_PAD_RSA_PSS: 249 if (digest_ == KM_DIGEST_NONE) { 250 *error = KM_ERROR_INCOMPATIBLE_PADDING_MODE; 251 return -1; 252 } 253 if (EVP_MD_size(digest_algorithm_) * 2 + kPssOverhead > (size_t)EVP_PKEY_size(rsa_key_)) { 254 LOG_E("Input too long: %d-byte digest cannot be used with %d-byte RSA key in PSS " 255 "padding mode", 256 EVP_MD_size(digest_algorithm_), EVP_PKEY_size(rsa_key_)); 257 *error = KM_ERROR_INCOMPATIBLE_DIGEST; 258 return -1; 259 } 260 return RSA_PKCS1_PSS_PADDING; 261 default: 262 return -1; 263 } 264 } 265 266 keymaster_error_t RsaSignOperation::Begin(const AuthorizationSet& input_params, 267 AuthorizationSet* output_params) { 268 keymaster_error_t error = RsaDigestingOperation::Begin(input_params, output_params); 269 if (error != KM_ERROR_OK) 270 return error; 271 272 if (digest_ == KM_DIGEST_NONE) 273 return KM_ERROR_OK; 274 275 EVP_PKEY_CTX* pkey_ctx; 276 if (EVP_DigestSignInit(&digest_ctx_, &pkey_ctx, digest_algorithm_, nullptr /* engine */, 277 rsa_key_) != 1) 278 return TranslateLastOpenSslError(); 279 return SetRsaPaddingInEvpContext(pkey_ctx, true /* signing */); 280 } 281 282 keymaster_error_t RsaSignOperation::Update(const AuthorizationSet& additional_params, 283 const Buffer& input, AuthorizationSet* output_params, 284 Buffer* output, size_t* input_consumed) { 285 if (digest_ == KM_DIGEST_NONE) 286 // Just buffer the data. 287 return RsaOperation::Update(additional_params, input, output_params, output, 288 input_consumed); 289 290 if (EVP_DigestSignUpdate(&digest_ctx_, input.peek_read(), input.available_read()) != 1) 291 return TranslateLastOpenSslError(); 292 *input_consumed = input.available_read(); 293 return KM_ERROR_OK; 294 } 295 296 keymaster_error_t RsaSignOperation::Finish(const AuthorizationSet& additional_params, 297 const Buffer& input, const Buffer& /* signature */, 298 AuthorizationSet* /* output_params */, Buffer* output) { 299 assert(output); 300 301 keymaster_error_t error = UpdateForFinish(additional_params, input); 302 if (error != KM_ERROR_OK) 303 return error; 304 305 if (digest_ == KM_DIGEST_NONE) 306 return SignUndigested(output); 307 else 308 return SignDigested(output); 309 } 310 311 static keymaster_error_t zero_pad_left(UniquePtr<uint8_t[]>* dest, size_t padded_len, Buffer& src) { 312 assert(padded_len > src.available_read()); 313 314 dest->reset(new(std::nothrow) uint8_t[padded_len]); 315 if (!dest->get()) 316 return KM_ERROR_MEMORY_ALLOCATION_FAILED; 317 318 size_t padding_len = padded_len - src.available_read(); 319 memset(dest->get(), 0, padding_len); 320 if (!src.read(dest->get() + padding_len, src.available_read())) 321 return KM_ERROR_UNKNOWN_ERROR; 322 323 return KM_ERROR_OK; 324 } 325 326 keymaster_error_t RsaSignOperation::SignUndigested(Buffer* output) { 327 UniquePtr<RSA, RSA_Delete> rsa(EVP_PKEY_get1_RSA(const_cast<EVP_PKEY*>(rsa_key_))); 328 if (!rsa.get()) 329 return TranslateLastOpenSslError(); 330 331 if (!output->Reinitialize(RSA_size(rsa.get()))) 332 return KM_ERROR_MEMORY_ALLOCATION_FAILED; 333 334 size_t key_len = EVP_PKEY_size(rsa_key_); 335 int bytes_encrypted; 336 switch (padding_) { 337 case KM_PAD_NONE: { 338 const uint8_t* to_encrypt = data_.peek_read(); 339 UniquePtr<uint8_t[]> zero_padded; 340 if (data_.available_read() > key_len) { 341 return KM_ERROR_INVALID_INPUT_LENGTH; 342 } else if (data_.available_read() < key_len) { 343 keymaster_error_t error = zero_pad_left(&zero_padded, key_len, data_); 344 if (error != KM_ERROR_OK) 345 return error; 346 to_encrypt = zero_padded.get(); 347 } 348 bytes_encrypted = RSA_private_encrypt(key_len, to_encrypt, output->peek_write(), rsa.get(), 349 RSA_NO_PADDING); 350 break; 351 } 352 case KM_PAD_RSA_PKCS1_1_5_SIGN: 353 // Does PKCS1 padding without digesting even make sense? Dunno. We'll support it. 354 if (data_.available_read() + kPkcs1UndigestedSignaturePaddingOverhead > key_len) { 355 LOG_E("Input too long: cannot sign %u-byte message with PKCS1 padding with %u-bit key", 356 data_.available_read(), EVP_PKEY_size(rsa_key_) * 8); 357 return KM_ERROR_INVALID_INPUT_LENGTH; 358 } 359 bytes_encrypted = RSA_private_encrypt(data_.available_read(), data_.peek_read(), 360 output->peek_write(), rsa.get(), RSA_PKCS1_PADDING); 361 break; 362 363 default: 364 return KM_ERROR_UNSUPPORTED_PADDING_MODE; 365 } 366 367 if (bytes_encrypted <= 0) 368 return TranslateLastOpenSslError(); 369 if (!output->advance_write(bytes_encrypted)) 370 return KM_ERROR_UNKNOWN_ERROR; 371 return KM_ERROR_OK; 372 } 373 374 keymaster_error_t RsaSignOperation::SignDigested(Buffer* output) { 375 size_t siglen; 376 if (EVP_DigestSignFinal(&digest_ctx_, nullptr /* signature */, &siglen) != 1) 377 return TranslateLastOpenSslError(); 378 379 if (!output->Reinitialize(siglen)) 380 return KM_ERROR_MEMORY_ALLOCATION_FAILED; 381 382 if (EVP_DigestSignFinal(&digest_ctx_, output->peek_write(), &siglen) <= 0) 383 return TranslateLastOpenSslError(); 384 if (!output->advance_write(siglen)) 385 return KM_ERROR_UNKNOWN_ERROR; 386 387 return KM_ERROR_OK; 388 } 389 390 keymaster_error_t RsaVerifyOperation::Begin(const AuthorizationSet& input_params, 391 AuthorizationSet* output_params) { 392 keymaster_error_t error = RsaDigestingOperation::Begin(input_params, output_params); 393 if (error != KM_ERROR_OK) 394 return error; 395 396 if (digest_ == KM_DIGEST_NONE) 397 return KM_ERROR_OK; 398 399 EVP_PKEY_CTX* pkey_ctx; 400 if (EVP_DigestVerifyInit(&digest_ctx_, &pkey_ctx, digest_algorithm_, nullptr, rsa_key_) != 1) 401 return TranslateLastOpenSslError(); 402 return SetRsaPaddingInEvpContext(pkey_ctx, false /* signing */); 403 } 404 405 keymaster_error_t RsaVerifyOperation::Update(const AuthorizationSet& additional_params, 406 const Buffer& input, AuthorizationSet* output_params, 407 Buffer* output, size_t* input_consumed) { 408 if (digest_ == KM_DIGEST_NONE) 409 // Just buffer the data. 410 return RsaOperation::Update(additional_params, input, output_params, output, 411 input_consumed); 412 413 if (EVP_DigestVerifyUpdate(&digest_ctx_, input.peek_read(), input.available_read()) != 1) 414 return TranslateLastOpenSslError(); 415 *input_consumed = input.available_read(); 416 return KM_ERROR_OK; 417 } 418 419 keymaster_error_t RsaVerifyOperation::Finish(const AuthorizationSet& additional_params, 420 const Buffer& input, const Buffer& signature, 421 AuthorizationSet* /* output_params */, 422 Buffer* /* output */) { 423 keymaster_error_t error = UpdateForFinish(additional_params, input); 424 if (error != KM_ERROR_OK) 425 return error; 426 427 if (digest_ == KM_DIGEST_NONE) 428 return VerifyUndigested(signature); 429 else 430 return VerifyDigested(signature); 431 } 432 433 keymaster_error_t RsaVerifyOperation::VerifyUndigested(const Buffer& signature) { 434 UniquePtr<RSA, RSA_Delete> rsa(EVP_PKEY_get1_RSA(const_cast<EVP_PKEY*>(rsa_key_))); 435 if (!rsa.get()) 436 return KM_ERROR_UNKNOWN_ERROR; 437 438 size_t key_len = RSA_size(rsa.get()); 439 int openssl_padding; 440 switch (padding_) { 441 case KM_PAD_NONE: 442 if (data_.available_read() > key_len) 443 return KM_ERROR_INVALID_INPUT_LENGTH; 444 if (key_len != signature.available_read()) 445 return KM_ERROR_VERIFICATION_FAILED; 446 openssl_padding = RSA_NO_PADDING; 447 break; 448 case KM_PAD_RSA_PKCS1_1_5_SIGN: 449 if (data_.available_read() + kPkcs1UndigestedSignaturePaddingOverhead > key_len) { 450 LOG_E("Input too long: cannot verify %u-byte message with PKCS1 padding && %u-bit key", 451 data_.available_read(), key_len * 8); 452 return KM_ERROR_INVALID_INPUT_LENGTH; 453 } 454 openssl_padding = RSA_PKCS1_PADDING; 455 break; 456 default: 457 return KM_ERROR_UNSUPPORTED_PADDING_MODE; 458 } 459 460 UniquePtr<uint8_t[]> decrypted_data(new (std::nothrow) uint8_t[key_len]); 461 if (!decrypted_data.get()) 462 return KM_ERROR_MEMORY_ALLOCATION_FAILED; 463 int bytes_decrypted = RSA_public_decrypt(signature.available_read(), signature.peek_read(), 464 decrypted_data.get(), rsa.get(), openssl_padding); 465 if (bytes_decrypted < 0) 466 return KM_ERROR_VERIFICATION_FAILED; 467 468 const uint8_t* compare_pos = decrypted_data.get(); 469 size_t bytes_to_compare = bytes_decrypted; 470 uint8_t zero_check_result = 0; 471 if (padding_ == KM_PAD_NONE && data_.available_read() < bytes_to_compare) { 472 // If the data is short, for "unpadded" signing we zero-pad to the left. So during 473 // verification we should have zeros on the left of the decrypted data. Do a constant-time 474 // check. 475 const uint8_t* zero_end = compare_pos + bytes_to_compare - data_.available_read(); 476 while (compare_pos < zero_end) 477 zero_check_result |= *compare_pos++; 478 bytes_to_compare = data_.available_read(); 479 } 480 if (memcmp_s(compare_pos, data_.peek_read(), bytes_to_compare) != 0 || zero_check_result != 0) 481 return KM_ERROR_VERIFICATION_FAILED; 482 return KM_ERROR_OK; 483 } 484 485 keymaster_error_t RsaVerifyOperation::VerifyDigested(const Buffer& signature) { 486 if (!EVP_DigestVerifyFinal(&digest_ctx_, signature.peek_read(), signature.available_read())) 487 return KM_ERROR_VERIFICATION_FAILED; 488 return KM_ERROR_OK; 489 } 490 491 keymaster_error_t RsaCryptOperation::SetOaepDigestIfRequired(EVP_PKEY_CTX* pkey_ctx) { 492 if (padding() != KM_PAD_RSA_OAEP) 493 return KM_ERROR_OK; 494 495 assert(digest_algorithm_ != nullptr); 496 if (!EVP_PKEY_CTX_set_rsa_oaep_md(pkey_ctx, digest_algorithm_)) 497 return TranslateLastOpenSslError(); 498 499 // MGF1 MD is always SHA1. 500 if (!EVP_PKEY_CTX_set_rsa_mgf1_md(pkey_ctx, EVP_sha1())) 501 return TranslateLastOpenSslError(); 502 503 return KM_ERROR_OK; 504 } 505 506 int RsaCryptOperation::GetOpensslPadding(keymaster_error_t* error) { 507 *error = KM_ERROR_OK; 508 switch (padding_) { 509 case KM_PAD_NONE: 510 return RSA_NO_PADDING; 511 case KM_PAD_RSA_PKCS1_1_5_ENCRYPT: 512 return RSA_PKCS1_PADDING; 513 case KM_PAD_RSA_OAEP: 514 return RSA_PKCS1_OAEP_PADDING; 515 default: 516 return -1; 517 } 518 } 519 520 struct EVP_PKEY_CTX_Delete { 521 void operator()(EVP_PKEY_CTX* p) { EVP_PKEY_CTX_free(p); } 522 }; 523 524 keymaster_error_t RsaEncryptOperation::Finish(const AuthorizationSet& additional_params, 525 const Buffer& input, const Buffer& /* signature */, 526 AuthorizationSet* /* output_params */, 527 Buffer* output) { 528 if (!output) 529 return KM_ERROR_OUTPUT_PARAMETER_NULL; 530 531 keymaster_error_t error = UpdateForFinish(additional_params, input); 532 if (error != KM_ERROR_OK) 533 return error; 534 535 UniquePtr<EVP_PKEY_CTX, EVP_PKEY_CTX_Delete> ctx( 536 EVP_PKEY_CTX_new(rsa_key_, nullptr /* engine */)); 537 if (!ctx.get()) 538 return KM_ERROR_MEMORY_ALLOCATION_FAILED; 539 540 if (EVP_PKEY_encrypt_init(ctx.get()) <= 0) 541 return TranslateLastOpenSslError(); 542 543 error = SetRsaPaddingInEvpContext(ctx.get(), false /* signing */); 544 if (error != KM_ERROR_OK) 545 return error; 546 error = SetOaepDigestIfRequired(ctx.get()); 547 if (error != KM_ERROR_OK) 548 return error; 549 550 size_t outlen; 551 if (EVP_PKEY_encrypt(ctx.get(), nullptr /* out */, &outlen, data_.peek_read(), 552 data_.available_read()) <= 0) 553 return TranslateLastOpenSslError(); 554 555 if (!output->Reinitialize(outlen)) 556 return KM_ERROR_MEMORY_ALLOCATION_FAILED; 557 558 const uint8_t* to_encrypt = data_.peek_read(); 559 size_t to_encrypt_len = data_.available_read(); 560 UniquePtr<uint8_t[]> zero_padded; 561 if (padding_ == KM_PAD_NONE && to_encrypt_len < outlen) { 562 keymaster_error_t error = zero_pad_left(&zero_padded, outlen, data_); 563 if (error != KM_ERROR_OK) 564 return error; 565 to_encrypt = zero_padded.get(); 566 to_encrypt_len = outlen; 567 } 568 569 if (EVP_PKEY_encrypt(ctx.get(), output->peek_write(), &outlen, to_encrypt, to_encrypt_len) <= 0) 570 return TranslateLastOpenSslError(); 571 if (!output->advance_write(outlen)) 572 return KM_ERROR_UNKNOWN_ERROR; 573 574 return KM_ERROR_OK; 575 } 576 577 keymaster_error_t RsaDecryptOperation::Finish(const AuthorizationSet& additional_params, 578 const Buffer& input, const Buffer& /* signature */, 579 AuthorizationSet* /* output_params */, 580 Buffer* output) { 581 if (!output) 582 return KM_ERROR_OUTPUT_PARAMETER_NULL; 583 584 keymaster_error_t error = UpdateForFinish(additional_params, input); 585 if (error != KM_ERROR_OK) 586 return error; 587 588 UniquePtr<EVP_PKEY_CTX, EVP_PKEY_CTX_Delete> ctx( 589 EVP_PKEY_CTX_new(rsa_key_, nullptr /* engine */)); 590 if (!ctx.get()) 591 return KM_ERROR_MEMORY_ALLOCATION_FAILED; 592 593 if (EVP_PKEY_decrypt_init(ctx.get()) <= 0) 594 return TranslateLastOpenSslError(); 595 596 error = SetRsaPaddingInEvpContext(ctx.get(), false /* signing */); 597 if (error != KM_ERROR_OK) 598 return error; 599 error = SetOaepDigestIfRequired(ctx.get()); 600 if (error != KM_ERROR_OK) 601 return error; 602 603 size_t outlen; 604 if (EVP_PKEY_decrypt(ctx.get(), nullptr /* out */, &outlen, data_.peek_read(), 605 data_.available_read()) <= 0) 606 return TranslateLastOpenSslError(); 607 608 if (!output->Reinitialize(outlen)) 609 return KM_ERROR_MEMORY_ALLOCATION_FAILED; 610 611 const uint8_t* to_decrypt = data_.peek_read(); 612 size_t to_decrypt_len = data_.available_read(); 613 UniquePtr<uint8_t[]> zero_padded; 614 if (padding_ == KM_PAD_NONE && to_decrypt_len < outlen) { 615 keymaster_error_t error = zero_pad_left(&zero_padded, outlen, data_); 616 if (error != KM_ERROR_OK) 617 return error; 618 to_decrypt = zero_padded.get(); 619 to_decrypt_len = outlen; 620 } 621 622 if (EVP_PKEY_decrypt(ctx.get(), output->peek_write(), &outlen, to_decrypt, to_decrypt_len) <= 0) 623 return TranslateLastOpenSslError(); 624 if (!output->advance_write(outlen)) 625 return KM_ERROR_UNKNOWN_ERROR; 626 627 return KM_ERROR_OK; 628 } 629 630 } // namespace keymaster 631