1 /* Copyright 2014 The Android Open Source Project 2 * 3 * Redistribution and use in source and binary forms, with or without 4 * modification, are permitted provided that the following conditions 5 * are met: 6 * 1. Redistributions of source code must retain the above copyright 7 * notice, this list of conditions and the following disclaimer. 8 * 2. Redistributions in binary form must reproduce the above copyright 9 * notice, this list of conditions and the following disclaimer in the 10 * documentation and/or other materials provided with the distribution. 11 * 12 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY 13 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 14 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 15 * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY 16 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 17 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 18 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 19 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 20 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 21 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ 22 23 #define LOG_TAG "keystore-engine" 24 25 #include <pthread.h> 26 #include <sys/socket.h> 27 #include <stdarg.h> 28 #include <string.h> 29 #include <unistd.h> 30 31 #include <log/log.h> 32 33 #include <openssl/bn.h> 34 #include <openssl/ec.h> 35 #include <openssl/ec_key.h> 36 #include <openssl/ecdsa.h> 37 #include <openssl/engine.h> 38 #include <openssl/evp.h> 39 #include <openssl/rsa.h> 40 #include <openssl/x509.h> 41 42 #include <memory> 43 44 #ifndef BACKEND_WIFI_HIDL 45 #include "keystore_backend_binder.h" 46 #else 47 #include "keystore_backend_hidl.h" 48 #endif 49 50 namespace { 51 KeystoreBackend *g_keystore_backend; 52 void ensure_keystore_engine(); 53 54 /* key_id_dup is called when one of the RSA or EC_KEY objects is duplicated. */ 55 int key_id_dup(CRYPTO_EX_DATA* /* to */, 56 const CRYPTO_EX_DATA* /* from */, 57 void** from_d, 58 int /* index */, 59 long /* argl */, 60 void* /* argp */) { 61 char *key_id = reinterpret_cast<char *>(*from_d); 62 if (key_id != nullptr) { 63 *from_d = strdup(key_id); 64 } 65 return 1; 66 } 67 68 /* key_id_free is called when one of the RSA, DSA or EC_KEY object is freed. */ 69 void key_id_free(void* /* parent */, 70 void* ptr, 71 CRYPTO_EX_DATA* /* ad */, 72 int /* index */, 73 long /* argl */, 74 void* /* argp */) { 75 char *key_id = reinterpret_cast<char *>(ptr); 76 free(key_id); 77 } 78 79 /* Many OpenSSL APIs take ownership of an argument on success but don't free 80 * the argument on failure. This means we need to tell our scoped pointers when 81 * we've transferred ownership, without triggering a warning by not using the 82 * result of release(). */ 83 #define OWNERSHIP_TRANSFERRED(obj) auto _dummy __attribute__((unused)) = (obj).release() 84 85 const char* rsa_get_key_id(const RSA* rsa); 86 87 /* rsa_private_transform takes a big-endian integer from |in|, calculates the 88 * d'th power of it, modulo the RSA modulus, and writes the result as a 89 * big-endian integer to |out|. Both |in| and |out| are |len| bytes long. It 90 * returns one on success and zero otherwise. */ 91 int rsa_private_transform(RSA *rsa, uint8_t *out, const uint8_t *in, size_t len) { 92 ALOGV("rsa_private_transform(%p, %p, %p, %u)", rsa, out, in, (unsigned) len); 93 94 ensure_keystore_engine(); 95 96 const char *key_id = rsa_get_key_id(rsa); 97 if (key_id == nullptr) { 98 ALOGE("key had no key_id!"); 99 return 0; 100 } 101 102 uint8_t* reply = nullptr; 103 size_t reply_len; 104 int32_t ret = g_keystore_backend->sign(key_id, in, len, &reply, &reply_len); 105 if (ret < 0) { 106 ALOGW("There was an error during rsa_decrypt: could not connect"); 107 return 0; 108 } else if (ret != 0) { 109 ALOGW("Error during sign from keystore: %d", ret); 110 return 0; 111 } else if (reply_len == 0 || reply == nullptr) { 112 ALOGW("No valid signature returned"); 113 return 0; 114 } 115 116 if (reply_len > len) { 117 /* The result of the RSA operation can never be larger than the size of 118 * the modulus so we assume that the result has extra zeros on the 119 * left. This provides attackers with an oracle, but there's nothing 120 * that we can do about it here. */ 121 ALOGW("Reply len %zu greater than expected %zu", reply_len, len); 122 memcpy(out, &reply[reply_len - len], len); 123 } else if (reply_len < len) { 124 /* If the Keystore implementation returns a short value we assume that 125 * it's because it removed leading zeros from the left side. This is 126 * bad because it provides attackers with an oracle but we cannot do 127 * anything about a broken Keystore implementation here. */ 128 ALOGW("Reply len %zu lesser than expected %zu", reply_len, len); 129 memset(out, 0, len); 130 memcpy(out + len - reply_len, &reply[0], reply_len); 131 } else { 132 memcpy(out, &reply[0], len); 133 } 134 135 ALOGV("rsa=%p keystore_rsa_priv_dec successful", rsa); 136 return 1; 137 } 138 139 const char* ecdsa_get_key_id(const EC_KEY* ec_key); 140 141 /* ecdsa_sign signs |digest_len| bytes from |digest| with |ec_key| and writes 142 * the resulting signature (an ASN.1 encoded blob) to |sig|. It returns one on 143 * success and zero otherwise. */ 144 static int ecdsa_sign(const uint8_t* digest, size_t digest_len, uint8_t* sig, 145 unsigned int* sig_len, EC_KEY* ec_key) { 146 ALOGV("ecdsa_sign(%p, %u, %p)", digest, (unsigned) digest_len, ec_key); 147 148 ensure_keystore_engine(); 149 150 const char *key_id = ecdsa_get_key_id(ec_key); 151 if (key_id == nullptr) { 152 ALOGE("key had no key_id!"); 153 return 0; 154 } 155 156 size_t ecdsa_size = ECDSA_size(ec_key); 157 158 uint8_t* reply = nullptr; 159 size_t reply_len; 160 int32_t ret = g_keystore_backend->sign( 161 key_id, digest, digest_len, &reply, &reply_len); 162 if (ret < 0) { 163 ALOGW("There was an error during ecdsa_sign: could not connect"); 164 return 0; 165 } else if (reply_len == 0 || reply == nullptr) { 166 ALOGW("No valid signature returned"); 167 return 0; 168 } else if (reply_len > ecdsa_size) { 169 ALOGW("Signature is too large"); 170 return 0; 171 } 172 173 // Reviewer: should't sig_len be checked here? Or is it just assumed that it is at least ecdsa_size? 174 memcpy(sig, &reply[0], reply_len); 175 *sig_len = reply_len; 176 177 ALOGV("ecdsa_sign(%p, %u, %p) => success", digest, (unsigned)digest_len, 178 ec_key); 179 return 1; 180 } 181 182 /* KeystoreEngine is a BoringSSL ENGINE that implements RSA and ECDSA by 183 * forwarding the requested operations to Keystore. */ 184 class KeystoreEngine { 185 public: 186 KeystoreEngine() 187 : rsa_index_(RSA_get_ex_new_index(0 /* argl */, 188 nullptr /* argp */, 189 nullptr /* new_func */, 190 key_id_dup, 191 key_id_free)), 192 ec_key_index_(EC_KEY_get_ex_new_index(0 /* argl */, 193 nullptr /* argp */, 194 nullptr /* new_func */, 195 key_id_dup, 196 key_id_free)), 197 engine_(ENGINE_new()) { 198 memset(&rsa_method_, 0, sizeof(rsa_method_)); 199 rsa_method_.common.is_static = 1; 200 rsa_method_.private_transform = rsa_private_transform; 201 rsa_method_.flags = RSA_FLAG_OPAQUE; 202 ENGINE_set_RSA_method(engine_, &rsa_method_, sizeof(rsa_method_)); 203 204 memset(&ecdsa_method_, 0, sizeof(ecdsa_method_)); 205 ecdsa_method_.common.is_static = 1; 206 ecdsa_method_.sign = ecdsa_sign; 207 ecdsa_method_.flags = ECDSA_FLAG_OPAQUE; 208 ENGINE_set_ECDSA_method(engine_, &ecdsa_method_, sizeof(ecdsa_method_)); 209 } 210 211 int rsa_ex_index() const { return rsa_index_; } 212 int ec_key_ex_index() const { return ec_key_index_; } 213 214 const ENGINE* engine() const { return engine_; } 215 216 private: 217 const int rsa_index_; 218 const int ec_key_index_; 219 RSA_METHOD rsa_method_; 220 ECDSA_METHOD ecdsa_method_; 221 ENGINE* const engine_; 222 }; 223 224 pthread_once_t g_keystore_engine_once = PTHREAD_ONCE_INIT; 225 KeystoreEngine *g_keystore_engine; 226 227 /* init_keystore_engine is called to initialize |g_keystore_engine|. This 228 * should only be called by |pthread_once|. */ 229 void init_keystore_engine() { 230 g_keystore_engine = new KeystoreEngine; 231 #ifndef BACKEND_WIFI_HIDL 232 g_keystore_backend = new KeystoreBackendBinder; 233 #else 234 g_keystore_backend = new KeystoreBackendHidl; 235 #endif 236 } 237 238 /* ensure_keystore_engine ensures that |g_keystore_engine| is pointing to a 239 * valid |KeystoreEngine| object and creates one if not. */ 240 void ensure_keystore_engine() { 241 pthread_once(&g_keystore_engine_once, init_keystore_engine); 242 } 243 244 const char* rsa_get_key_id(const RSA* rsa) { 245 return reinterpret_cast<char*>( 246 RSA_get_ex_data(rsa, g_keystore_engine->rsa_ex_index())); 247 } 248 249 const char* ecdsa_get_key_id(const EC_KEY* ec_key) { 250 return reinterpret_cast<char*>( 251 EC_KEY_get_ex_data(ec_key, g_keystore_engine->ec_key_ex_index())); 252 } 253 254 /* wrap_rsa returns an |EVP_PKEY| that contains an RSA key where the public 255 * part is taken from |public_rsa| and the private operations are forwarded to 256 * KeyStore and operate on the key named |key_id|. */ 257 static EVP_PKEY *wrap_rsa(const char *key_id, const RSA *public_rsa) { 258 bssl::UniquePtr<RSA> rsa(RSA_new_method(g_keystore_engine->engine())); 259 if (rsa.get() == nullptr) { 260 return nullptr; 261 } 262 263 char *key_id_copy = strdup(key_id); 264 if (key_id_copy == nullptr) { 265 return nullptr; 266 } 267 268 if (!RSA_set_ex_data(rsa.get(), g_keystore_engine->rsa_ex_index(), 269 key_id_copy)) { 270 free(key_id_copy); 271 return nullptr; 272 } 273 274 rsa->n = BN_dup(public_rsa->n); 275 rsa->e = BN_dup(public_rsa->e); 276 if (rsa->n == nullptr || rsa->e == nullptr) { 277 return nullptr; 278 } 279 280 bssl::UniquePtr<EVP_PKEY> result(EVP_PKEY_new()); 281 if (result.get() == nullptr || 282 !EVP_PKEY_assign_RSA(result.get(), rsa.get())) { 283 return nullptr; 284 } 285 OWNERSHIP_TRANSFERRED(rsa); 286 287 return result.release(); 288 } 289 290 /* wrap_ecdsa returns an |EVP_PKEY| that contains an ECDSA key where the public 291 * part is taken from |public_rsa| and the private operations are forwarded to 292 * KeyStore and operate on the key named |key_id|. */ 293 static EVP_PKEY *wrap_ecdsa(const char *key_id, const EC_KEY *public_ecdsa) { 294 bssl::UniquePtr<EC_KEY> ec(EC_KEY_new_method(g_keystore_engine->engine())); 295 if (ec.get() == nullptr) { 296 return nullptr; 297 } 298 299 if (!EC_KEY_set_group(ec.get(), EC_KEY_get0_group(public_ecdsa)) || 300 !EC_KEY_set_public_key(ec.get(), EC_KEY_get0_public_key(public_ecdsa))) { 301 return nullptr; 302 } 303 304 char *key_id_copy = strdup(key_id); 305 if (key_id_copy == nullptr) { 306 return nullptr; 307 } 308 309 if (!EC_KEY_set_ex_data(ec.get(), g_keystore_engine->ec_key_ex_index(), 310 key_id_copy)) { 311 free(key_id_copy); 312 return nullptr; 313 } 314 315 bssl::UniquePtr<EVP_PKEY> result(EVP_PKEY_new()); 316 if (result.get() == nullptr || 317 !EVP_PKEY_assign_EC_KEY(result.get(), ec.get())) { 318 return nullptr; 319 } 320 OWNERSHIP_TRANSFERRED(ec); 321 322 return result.release(); 323 } 324 325 } /* anonymous namespace */ 326 327 extern "C" { 328 329 EVP_PKEY* EVP_PKEY_from_keystore(const char* key_id) __attribute__((visibility("default"))); 330 331 /* EVP_PKEY_from_keystore returns an |EVP_PKEY| that contains either an RSA or 332 * ECDSA key where the public part of the key reflects the value of the key 333 * named |key_id| in Keystore and the private operations are forwarded onto 334 * KeyStore. */ 335 EVP_PKEY* EVP_PKEY_from_keystore(const char* key_id) { 336 ALOGV("EVP_PKEY_from_keystore(\"%s\")", key_id); 337 338 ensure_keystore_engine(); 339 340 uint8_t *pubkey = nullptr; 341 size_t pubkey_len; 342 int32_t ret = g_keystore_backend->get_pubkey(key_id, &pubkey, &pubkey_len); 343 if (ret < 0) { 344 ALOGW("could not contact keystore"); 345 return nullptr; 346 } else if (ret != 0 || pubkey == nullptr) { 347 ALOGW("keystore reports error: %d", ret); 348 return nullptr; 349 } 350 351 const uint8_t *inp = pubkey; 352 bssl::UniquePtr<EVP_PKEY> pkey(d2i_PUBKEY(nullptr, &inp, pubkey_len)); 353 if (pkey.get() == nullptr) { 354 ALOGW("Cannot convert pubkey"); 355 return nullptr; 356 } 357 358 EVP_PKEY *result; 359 switch (EVP_PKEY_type(pkey->type)) { 360 case EVP_PKEY_RSA: { 361 bssl::UniquePtr<RSA> public_rsa(EVP_PKEY_get1_RSA(pkey.get())); 362 result = wrap_rsa(key_id, public_rsa.get()); 363 break; 364 } 365 case EVP_PKEY_EC: { 366 bssl::UniquePtr<EC_KEY> public_ecdsa(EVP_PKEY_get1_EC_KEY(pkey.get())); 367 result = wrap_ecdsa(key_id, public_ecdsa.get()); 368 break; 369 } 370 default: 371 ALOGE("Unsupported key type %d", EVP_PKEY_type(pkey->type)); 372 result = nullptr; 373 } 374 375 return result; 376 } 377 378 } // extern "C" 379