1 /*
2 * Copyright (C) 2011 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16 #include <errno.h>
17 #include <string.h>
18 #include <stdint.h>
19
20 // For debugging
21 #define LOG_NDEBUG 0
22
23 // TEE is the Trusted Execution Environment
24 #define LOG_TAG "TEEKeyMaster"
25 #include <cutils/log.h>
26
27 #include <hardware/hardware.h>
28 #include <hardware/keymaster.h>
29
30 #include <openssl/bn.h>
31 #include <openssl/err.h>
32 #include <openssl/evp.h>
33 #include <openssl/rand.h>
34 #include <openssl/x509.h>
35
36 #include <cryptoki.h>
37 #include <pkcs11.h>
38
39 #include <UniquePtr.h>
40
41
42 /** The size of a key ID in bytes */
43 #define ID_LENGTH 32
44
45 /** The current stored key version. */
46 const static uint32_t KEY_VERSION = 1;
47
48
49 struct EVP_PKEY_Delete {
operator ()EVP_PKEY_Delete50 void operator()(EVP_PKEY* p) const {
51 EVP_PKEY_free(p);
52 }
53 };
54 typedef UniquePtr<EVP_PKEY, EVP_PKEY_Delete> Unique_EVP_PKEY;
55
56 struct RSA_Delete {
operator ()RSA_Delete57 void operator()(RSA* p) const {
58 RSA_free(p);
59 }
60 };
61 typedef UniquePtr<RSA, RSA_Delete> Unique_RSA;
62
63 struct PKCS8_PRIV_KEY_INFO_Delete {
operator ()PKCS8_PRIV_KEY_INFO_Delete64 void operator()(PKCS8_PRIV_KEY_INFO* p) const {
65 PKCS8_PRIV_KEY_INFO_free(p);
66 }
67 };
68 typedef UniquePtr<PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO_Delete> Unique_PKCS8_PRIV_KEY_INFO;
69
70 typedef UniquePtr<keymaster_device_t> Unique_keymaster_device_t;
71
72 typedef UniquePtr<CK_BYTE[]> Unique_CK_BYTE;
73
74 typedef UniquePtr<CK_ATTRIBUTE[]> Unique_CK_ATTRIBUTE;
75
76 class ByteArray {
77 public:
ByteArray(CK_BYTE * array,size_t len)78 ByteArray(CK_BYTE* array, size_t len) :
79 mArray(array), mLength(len) {
80 }
81
ByteArray(size_t len)82 ByteArray(size_t len) :
83 mLength(len) {
84 mArray = new CK_BYTE[len];
85 }
86
~ByteArray()87 ~ByteArray() {
88 if (mArray != NULL) {
89 delete[] mArray;
90 }
91 }
92
get() const93 CK_BYTE* get() const {
94 return mArray;
95 }
96
setLength(size_t length)97 void setLength(size_t length) {
98 mLength = length;
99 }
100
length() const101 size_t length() const {
102 return mLength;
103 }
104
release()105 CK_BYTE* release() {
106 CK_BYTE* array = mArray;
107 mArray = NULL;
108 return array;
109 }
110
111 private:
112 CK_BYTE* mArray;
113 size_t mLength;
114 };
115 typedef UniquePtr<ByteArray> Unique_ByteArray;
116
117 class CryptoSession {
118 public:
CryptoSession(CK_SESSION_HANDLE masterHandle)119 CryptoSession(CK_SESSION_HANDLE masterHandle) :
120 mHandle(masterHandle), mSubsession(CK_INVALID_HANDLE) {
121 CK_SESSION_HANDLE subsessionHandle = mHandle;
122 CK_RV openSessionRV = C_OpenSession(CKV_TOKEN_USER,
123 CKF_SERIAL_SESSION | CKF_RW_SESSION | CKVF_OPEN_SUB_SESSION,
124 NULL,
125 NULL,
126 &subsessionHandle);
127
128 if (openSessionRV != CKR_OK || subsessionHandle == CK_INVALID_HANDLE) {
129 (void) C_Finalize(NULL_PTR);
130 ALOGE("Error opening secondary session with TEE: 0x%x", openSessionRV);
131 } else {
132 ALOGV("Opening subsession 0x%x", subsessionHandle);
133 mSubsession = subsessionHandle;
134 }
135 }
136
~CryptoSession()137 ~CryptoSession() {
138 if (mSubsession != CK_INVALID_HANDLE) {
139 CK_RV rv = C_CloseSession(mSubsession);
140 ALOGV("Closing subsession 0x%x: 0x%x", mSubsession, rv);
141 mSubsession = CK_INVALID_HANDLE;
142 }
143 }
144
get() const145 CK_SESSION_HANDLE get() const {
146 return mSubsession;
147 }
148
getPrimary() const149 CK_SESSION_HANDLE getPrimary() const {
150 return mHandle;
151 }
152
153 private:
154 CK_SESSION_HANDLE mHandle;
155 CK_SESSION_HANDLE mSubsession;
156 };
157
158 class ObjectHandle {
159 public:
ObjectHandle(const CryptoSession * session,CK_OBJECT_HANDLE handle=CK_INVALID_HANDLE)160 ObjectHandle(const CryptoSession* session, CK_OBJECT_HANDLE handle = CK_INVALID_HANDLE) :
161 mSession(session), mHandle(handle) {
162 }
163
~ObjectHandle()164 ~ObjectHandle() {
165 if (mHandle != CK_INVALID_HANDLE) {
166 CK_RV rv = C_CloseObjectHandle(mSession->getPrimary(), mHandle);
167 if (rv != CKR_OK) {
168 ALOGW("Couldn't close object handle 0x%x: 0x%x", mHandle, rv);
169 } else {
170 ALOGV("Closing object handle 0x%x", mHandle);
171 mHandle = CK_INVALID_HANDLE;
172 }
173 }
174 }
175
get() const176 CK_OBJECT_HANDLE get() const {
177 return mHandle;
178 }
179
reset(CK_OBJECT_HANDLE handle)180 void reset(CK_OBJECT_HANDLE handle) {
181 mHandle = handle;
182 }
183
184 private:
185 const CryptoSession* mSession;
186 CK_OBJECT_HANDLE mHandle;
187 };
188
189
190 /**
191 * Many OpenSSL APIs take ownership of an argument on success but don't free the argument
192 * on failure. This means we need to tell our scoped pointers when we've transferred ownership,
193 * without triggering a warning by not using the result of release().
194 */
195 #define OWNERSHIP_TRANSFERRED(obj) \
196 typeof (obj.release()) _dummy __attribute__((unused)) = obj.release()
197
198
199 /*
200 * Checks this thread's OpenSSL error queue and logs if
201 * necessary.
202 */
logOpenSSLError(const char * location)203 static void logOpenSSLError(const char* location) {
204 int error = ERR_get_error();
205
206 if (error != 0) {
207 char message[256];
208 ERR_error_string_n(error, message, sizeof(message));
209 ALOGE("OpenSSL error in %s %d: %s", location, error, message);
210 }
211
212 ERR_clear_error();
213 ERR_remove_state(0);
214 }
215
216
217 /**
218 * Convert from OpenSSL's BIGNUM format to TEE's Big Integer format.
219 */
bignum_to_array(const BIGNUM * bn)220 static ByteArray* bignum_to_array(const BIGNUM* bn) {
221 const int bignumSize = BN_num_bytes(bn);
222
223 Unique_CK_BYTE bytes(new CK_BYTE[bignumSize]);
224
225 unsigned char* tmp = reinterpret_cast<unsigned char*>(bytes.get());
226 if (BN_bn2bin(bn, tmp) != bignumSize) {
227 ALOGE("public exponent size wasn't what was expected");
228 return NULL;
229 }
230
231 return new ByteArray(bytes.release(), bignumSize);
232 }
233
set_attribute(CK_ATTRIBUTE * attrib,CK_ATTRIBUTE_TYPE type,void * pValue,CK_ULONG ulValueLen)234 static void set_attribute(CK_ATTRIBUTE* attrib, CK_ATTRIBUTE_TYPE type, void* pValue,
235 CK_ULONG ulValueLen) {
236 attrib->type = type;
237 attrib->pValue = pValue;
238 attrib->ulValueLen = ulValueLen;
239 }
240
generate_random_id()241 static ByteArray* generate_random_id() {
242 Unique_ByteArray id(new ByteArray(ID_LENGTH));
243 if (RAND_pseudo_bytes(reinterpret_cast<unsigned char*>(id->get()), id->length()) < 0) {
244 return NULL;
245 }
246
247 return id.release();
248 }
249
keyblob_save(ByteArray * objId,uint8_t ** key_blob,size_t * key_blob_length)250 static int keyblob_save(ByteArray* objId, uint8_t** key_blob, size_t* key_blob_length) {
251 Unique_ByteArray handleBlob(new ByteArray(sizeof(uint32_t) + objId->length()));
252 if (handleBlob.get() == NULL) {
253 ALOGE("Could not allocate key blob");
254 return -1;
255 }
256 uint8_t* tmp = handleBlob->get();
257 for (size_t i = 0; i < sizeof(uint32_t); i++) {
258 *tmp++ = KEY_VERSION >> ((sizeof(uint32_t) - i - 1) * 8);
259 }
260 memcpy(tmp, objId->get(), objId->length());
261
262 *key_blob_length = handleBlob->length();
263 *key_blob = handleBlob->get();
264 ByteArray* unused __attribute__((unused)) = handleBlob.release();
265
266 return 0;
267 }
268
find_single_object(const uint8_t * obj_id,const size_t obj_id_length,CK_OBJECT_CLASS obj_class,const CryptoSession * session,ObjectHandle * object)269 static int find_single_object(const uint8_t* obj_id, const size_t obj_id_length,
270 CK_OBJECT_CLASS obj_class, const CryptoSession* session, ObjectHandle* object) {
271
272 // Note that the CKA_ID attribute is never written, so we can cast away const here.
273 void* obj_id_ptr = reinterpret_cast<void*>(const_cast<uint8_t*>(obj_id));
274 CK_ATTRIBUTE attributes[] = {
275 { CKA_ID, obj_id_ptr, obj_id_length },
276 { CKA_CLASS, &obj_class, sizeof(obj_class) },
277 };
278
279 CK_RV rv = C_FindObjectsInit(session->get(), attributes,
280 sizeof(attributes) / sizeof(CK_ATTRIBUTE));
281 if (rv != CKR_OK) {
282 ALOGE("Error in C_FindObjectsInit: 0x%x", rv);
283 return -1;
284 }
285
286 CK_OBJECT_HANDLE tmpHandle;
287 CK_ULONG tmpCount;
288
289 rv = C_FindObjects(session->get(), &tmpHandle, 1, &tmpCount);
290 ALOGV("Found %d object 0x%x : class 0x%x", tmpCount, tmpHandle, obj_class);
291 if (rv != CKR_OK || tmpCount != 1) {
292 C_FindObjectsFinal(session->get());
293 ALOGE("Couldn't find key!");
294 return -1;
295 }
296 C_FindObjectsFinal(session->get());
297
298 object->reset(tmpHandle);
299 return 0;
300 }
301
keyblob_restore(const CryptoSession * session,const uint8_t * keyBlob,const size_t keyBlobLength,ObjectHandle * public_key,ObjectHandle * private_key)302 static int keyblob_restore(const CryptoSession* session, const uint8_t* keyBlob,
303 const size_t keyBlobLength, ObjectHandle* public_key, ObjectHandle* private_key) {
304 if (keyBlob == NULL) {
305 ALOGE("key blob was null");
306 return -1;
307 }
308
309 if (keyBlobLength < (sizeof(KEY_VERSION) + ID_LENGTH)) {
310 ALOGE("key blob is not correct size");
311 return -1;
312 }
313
314 uint32_t keyVersion = 0;
315
316 const uint8_t* p = keyBlob;
317 for (size_t i = 0; i < sizeof(keyVersion); i++) {
318 keyVersion = (keyVersion << 8) | *p++;
319 }
320
321 if (keyVersion != 1) {
322 ALOGE("Invalid key version %d", keyVersion);
323 return -1;
324 }
325
326 return find_single_object(p, ID_LENGTH, CKO_PUBLIC_KEY, session, public_key)
327 || find_single_object(p, ID_LENGTH, CKO_PRIVATE_KEY, session, private_key);
328 }
329
tee_generate_keypair(const keymaster_device_t * dev,const keymaster_keypair_t type,const void * key_params,uint8_t ** key_blob,size_t * key_blob_length)330 static int tee_generate_keypair(const keymaster_device_t* dev,
331 const keymaster_keypair_t type, const void* key_params,
332 uint8_t** key_blob, size_t* key_blob_length) {
333 CK_BBOOL bTRUE = CK_TRUE;
334
335 if (type != TYPE_RSA) {
336 ALOGW("Unknown key type %d", type);
337 return -1;
338 }
339
340 if (key_params == NULL) {
341 ALOGW("generate_keypair params were NULL");
342 return -1;
343 }
344
345 keymaster_rsa_keygen_params_t* rsa_params = (keymaster_rsa_keygen_params_t*) key_params;
346
347 CK_MECHANISM mechanism = {
348 CKM_RSA_PKCS_KEY_PAIR_GEN, NULL, 0,
349 };
350 CK_ULONG modulusBits = (CK_ULONG) rsa_params->modulus_size;
351
352 /**
353 * Convert our unsigned 64-bit integer to the TEE Big Integer class. It's
354 * an unsigned array of bytes with MSB first.
355 */
356 CK_BYTE publicExponent[sizeof(uint64_t)];
357 const uint64_t exp = rsa_params->public_exponent;
358 size_t offset = sizeof(publicExponent) - 1;
359 for (size_t i = 0; i < sizeof(publicExponent); i++) {
360 publicExponent[offset--] = (exp >> (i * CHAR_BIT)) & 0xFF;
361 }
362
363 Unique_ByteArray objId(generate_random_id());
364 if (objId.get() == NULL) {
365 ALOGE("Couldn't generate random key ID");
366 return -1;
367 }
368
369 CK_ATTRIBUTE publicKeyTemplate[] = {
370 {CKA_ID, objId->get(), objId->length()},
371 {CKA_TOKEN, &bTRUE, sizeof(bTRUE)},
372 {CKA_ENCRYPT, &bTRUE, sizeof(bTRUE)},
373 {CKA_VERIFY, &bTRUE, sizeof(bTRUE)},
374 {CKA_MODULUS_BITS, &modulusBits, sizeof(modulusBits)},
375 {CKA_PUBLIC_EXPONENT, publicExponent, sizeof(publicExponent)},
376 };
377
378 CK_ATTRIBUTE privateKeyTemplate[] = {
379 {CKA_ID, objId->get(), objId->length()},
380 {CKA_TOKEN, &bTRUE, sizeof(bTRUE)},
381 {CKA_DECRYPT, &bTRUE, sizeof(bTRUE)},
382 {CKA_SIGN, &bTRUE, sizeof(bTRUE)},
383 };
384
385 CryptoSession session(reinterpret_cast<CK_SESSION_HANDLE>(dev->context));
386
387 CK_OBJECT_HANDLE hPublicKey, hPrivateKey;
388 CK_RV rv = C_GenerateKeyPair(session.get(),
389 &mechanism,
390 publicKeyTemplate,
391 sizeof(publicKeyTemplate)/sizeof(CK_ATTRIBUTE),
392 privateKeyTemplate,
393 sizeof(privateKeyTemplate)/sizeof(CK_ATTRIBUTE),
394 &hPublicKey,
395 &hPrivateKey);
396
397 if (rv != CKR_OK) {
398 ALOGE("Generate keypair failed: 0x%x", rv);
399 return -1;
400 }
401
402 ObjectHandle publicKey(&session, hPublicKey);
403 ObjectHandle privateKey(&session, hPrivateKey);
404 ALOGV("public handle = 0x%x, private handle = 0x%x", publicKey.get(), privateKey.get());
405
406 return keyblob_save(objId.get(), key_blob, key_blob_length);
407 }
408
tee_import_keypair(const keymaster_device_t * dev,const uint8_t * key,const size_t key_length,uint8_t ** key_blob,size_t * key_blob_length)409 static int tee_import_keypair(const keymaster_device_t* dev,
410 const uint8_t* key, const size_t key_length,
411 uint8_t** key_blob, size_t* key_blob_length) {
412 CK_RV rv;
413 CK_BBOOL bTRUE = CK_TRUE;
414
415 if (key == NULL) {
416 ALOGW("provided key is null");
417 return -1;
418 }
419
420 Unique_PKCS8_PRIV_KEY_INFO pkcs8(d2i_PKCS8_PRIV_KEY_INFO(NULL, &key, key_length));
421 if (pkcs8.get() == NULL) {
422 logOpenSSLError("tee_import_keypair");
423 return -1;
424 }
425
426 /* assign to EVP */
427 Unique_EVP_PKEY pkey(EVP_PKCS82PKEY(pkcs8.get()));
428 if (pkey.get() == NULL) {
429 logOpenSSLError("tee_import_keypair");
430 return -1;
431 }
432
433 if (EVP_PKEY_type(pkey->type) != EVP_PKEY_RSA) {
434 ALOGE("Unsupported key type: %d", EVP_PKEY_type(pkey->type));
435 return -1;
436 }
437
438 Unique_RSA rsa(EVP_PKEY_get1_RSA(pkey.get()));
439 if (rsa.get() == NULL) {
440 logOpenSSLError("tee_import_keypair");
441 return -1;
442 }
443
444 Unique_ByteArray modulus(bignum_to_array(rsa->n));
445 if (modulus.get() == NULL) {
446 ALOGW("Could not convert modulus to array");
447 return -1;
448 }
449
450 Unique_ByteArray publicExponent(bignum_to_array(rsa->e));
451 if (publicExponent.get() == NULL) {
452 ALOGW("Could not convert publicExponent to array");
453 return -1;
454 }
455
456 CK_KEY_TYPE rsaType = CKK_RSA;
457
458 CK_OBJECT_CLASS pubClass = CKO_PUBLIC_KEY;
459
460 Unique_ByteArray objId(generate_random_id());
461 if (objId.get() == NULL) {
462 ALOGE("Couldn't generate random key ID");
463 return -1;
464 }
465
466 CK_ATTRIBUTE publicKeyTemplate[] = {
467 {CKA_ID, objId->get(), objId->length()},
468 {CKA_TOKEN, &bTRUE, sizeof(bTRUE)},
469 {CKA_CLASS, &pubClass, sizeof(pubClass)},
470 {CKA_KEY_TYPE, &rsaType, sizeof(rsaType)},
471 {CKA_ENCRYPT, &bTRUE, sizeof(bTRUE)},
472 {CKA_VERIFY, &bTRUE, sizeof(bTRUE)},
473 {CKA_MODULUS, modulus->get(), modulus->length()},
474 {CKA_PUBLIC_EXPONENT, publicExponent->get(), publicExponent->length()},
475 };
476
477 CryptoSession session(reinterpret_cast<CK_SESSION_HANDLE>(dev->context));
478
479 CK_OBJECT_HANDLE hPublicKey;
480 rv = C_CreateObject(session.get(),
481 publicKeyTemplate,
482 sizeof(publicKeyTemplate)/sizeof(CK_ATTRIBUTE),
483 &hPublicKey);
484 if (rv != CKR_OK) {
485 ALOGE("Creation of public key failed: 0x%x", rv);
486 return -1;
487 }
488 ObjectHandle publicKey(&session, hPublicKey);
489
490 Unique_ByteArray privateExponent(bignum_to_array(rsa->d));
491 if (privateExponent.get() == NULL) {
492 ALOGW("Could not convert private exponent");
493 return -1;
494 }
495
496
497 /*
498 * Normally we need:
499 * CKA_ID
500 * CKA_TOKEN
501 * CKA_CLASS
502 * CKA_KEY_TYPE
503 *
504 * CKA_DECRYPT
505 * CKA_SIGN
506 *
507 * CKA_MODULUS
508 * CKA_PUBLIC_EXPONENT
509 * CKA_PRIVATE_EXPONENT
510 */
511 #define PRIV_ATTRIB_NORMAL_NUM (4 + 2 + 3)
512
513 /*
514 * For additional private key values:
515 * CKA_PRIME_1
516 * CKA_PRIME_2
517 *
518 * CKA_EXPONENT_1
519 * CKA_EXPONENT_2
520 *
521 * CKA_COEFFICIENT
522 */
523 #define PRIV_ATTRIB_EXTENDED_NUM (PRIV_ATTRIB_NORMAL_NUM + 5)
524
525 /*
526 * If we have the prime, prime exponents, and coefficient, we can
527 * copy them in.
528 */
529 bool has_extra_data = (rsa->p != NULL) && (rsa->q != NULL) && (rsa->dmp1 != NULL) &&
530 (rsa->dmq1 != NULL) && (rsa->iqmp != NULL);
531
532 Unique_CK_ATTRIBUTE privateKeyTemplate(new CK_ATTRIBUTE[
533 has_extra_data ? PRIV_ATTRIB_EXTENDED_NUM : PRIV_ATTRIB_NORMAL_NUM]);
534
535 CK_OBJECT_CLASS privClass = CKO_PRIVATE_KEY;
536
537 size_t templateOffset = 0;
538
539 set_attribute(&privateKeyTemplate[templateOffset++], CKA_ID, objId->get(), objId->length());
540 set_attribute(&privateKeyTemplate[templateOffset++], CKA_TOKEN, &bTRUE, sizeof(bTRUE));
541 set_attribute(&privateKeyTemplate[templateOffset++], CKA_CLASS, &privClass, sizeof(privClass));
542 set_attribute(&privateKeyTemplate[templateOffset++], CKA_KEY_TYPE, &rsaType, sizeof(rsaType));
543
544 set_attribute(&privateKeyTemplate[templateOffset++], CKA_DECRYPT, &bTRUE, sizeof(bTRUE));
545 set_attribute(&privateKeyTemplate[templateOffset++], CKA_SIGN, &bTRUE, sizeof(bTRUE));
546
547 set_attribute(&privateKeyTemplate[templateOffset++], CKA_MODULUS, modulus->get(),
548 modulus->length());
549 set_attribute(&privateKeyTemplate[templateOffset++], CKA_PUBLIC_EXPONENT,
550 publicExponent->get(), publicExponent->length());
551 set_attribute(&privateKeyTemplate[templateOffset++], CKA_PRIVATE_EXPONENT,
552 privateExponent->get(), privateExponent->length());
553
554 Unique_ByteArray prime1, prime2, exp1, exp2, coeff;
555 if (has_extra_data) {
556 prime1.reset(bignum_to_array(rsa->p));
557 if (prime1->get() == NULL) {
558 ALOGW("Could not convert prime1");
559 return -1;
560 }
561 set_attribute(&privateKeyTemplate[templateOffset++], CKA_PRIME_1, prime1->get(),
562 prime1->length());
563
564 prime2.reset(bignum_to_array(rsa->q));
565 if (prime2->get() == NULL) {
566 ALOGW("Could not convert prime2");
567 return -1;
568 }
569 set_attribute(&privateKeyTemplate[templateOffset++], CKA_PRIME_2, prime2->get(),
570 prime2->length());
571
572 exp1.reset(bignum_to_array(rsa->dmp1));
573 if (exp1->get() == NULL) {
574 ALOGW("Could not convert exponent 1");
575 return -1;
576 }
577 set_attribute(&privateKeyTemplate[templateOffset++], CKA_EXPONENT_1, exp1->get(),
578 exp1->length());
579
580 exp2.reset(bignum_to_array(rsa->dmq1));
581 if (exp2->get() == NULL) {
582 ALOGW("Could not convert exponent 2");
583 return -1;
584 }
585 set_attribute(&privateKeyTemplate[templateOffset++], CKA_EXPONENT_2, exp2->get(),
586 exp2->length());
587
588 coeff.reset(bignum_to_array(rsa->iqmp));
589 if (coeff->get() == NULL) {
590 ALOGW("Could not convert coefficient");
591 return -1;
592 }
593 set_attribute(&privateKeyTemplate[templateOffset++], CKA_COEFFICIENT, coeff->get(),
594 coeff->length());
595 }
596
597 CK_OBJECT_HANDLE hPrivateKey;
598 rv = C_CreateObject(session.get(),
599 privateKeyTemplate.get(),
600 templateOffset,
601 &hPrivateKey);
602 if (rv != CKR_OK) {
603 ALOGE("Creation of private key failed: 0x%x", rv);
604 return -1;
605 }
606 ObjectHandle privateKey(&session, hPrivateKey);
607
608 ALOGV("public handle = 0x%x, private handle = 0x%x", publicKey.get(), privateKey.get());
609
610 return keyblob_save(objId.get(), key_blob, key_blob_length);
611 }
612
tee_get_keypair_public(const struct keymaster_device * dev,const uint8_t * key_blob,const size_t key_blob_length,uint8_t ** x509_data,size_t * x509_data_length)613 static int tee_get_keypair_public(const struct keymaster_device* dev,
614 const uint8_t* key_blob, const size_t key_blob_length,
615 uint8_t** x509_data, size_t* x509_data_length) {
616
617 CryptoSession session(reinterpret_cast<CK_SESSION_HANDLE>(dev->context));
618
619 ObjectHandle publicKey(&session);
620 ObjectHandle privateKey(&session);
621
622 if (keyblob_restore(&session, key_blob, key_blob_length, &publicKey, &privateKey)) {
623 return -1;
624 }
625
626 if (x509_data == NULL || x509_data_length == NULL) {
627 ALOGW("Provided destination variables were null");
628 return -1;
629 }
630
631 CK_ATTRIBUTE attributes[] = {
632 {CKA_MODULUS, NULL, 0},
633 {CKA_PUBLIC_EXPONENT, NULL, 0},
634 };
635
636 // Call first to get the sizes of the values.
637 CK_RV rv = C_GetAttributeValue(session.get(), publicKey.get(), attributes,
638 sizeof(attributes)/sizeof(CK_ATTRIBUTE));
639 if (rv != CKR_OK) {
640 ALOGW("Could not query attribute value sizes: 0x%02x", rv);
641 return -1;
642 }
643
644 ByteArray modulus(new CK_BYTE[attributes[0].ulValueLen], attributes[0].ulValueLen);
645 ByteArray exponent(new CK_BYTE[attributes[1].ulValueLen], attributes[1].ulValueLen);
646
647 attributes[0].pValue = modulus.get();
648 attributes[1].pValue = exponent.get();
649
650 rv = C_GetAttributeValue(session.get(), publicKey.get(), attributes,
651 sizeof(attributes) / sizeof(CK_ATTRIBUTE));
652 if (rv != CKR_OK) {
653 ALOGW("Could not query attribute values: 0x%02x", rv);
654 return -1;
655 }
656
657 ALOGV("modulus is %d (ret=%d), exponent is %d (ret=%d)",
658 modulus.length(), attributes[0].ulValueLen,
659 exponent.length(), attributes[1].ulValueLen);
660
661 /*
662 * Work around a bug in the implementation. The first call to measure how large the array
663 * should be sometimes returns values that are too large. The call to get the actual value
664 * returns the correct length of the array, so use that instead.
665 */
666 modulus.setLength(attributes[0].ulValueLen);
667 exponent.setLength(attributes[1].ulValueLen);
668
669 Unique_RSA rsa(RSA_new());
670 if (rsa.get() == NULL) {
671 ALOGE("Could not allocate RSA structure");
672 return -1;
673 }
674
675 rsa->n = BN_bin2bn(reinterpret_cast<const unsigned char*>(modulus.get()), modulus.length(),
676 NULL);
677 if (rsa->n == NULL) {
678 logOpenSSLError("tee_get_keypair_public");
679 return -1;
680 }
681
682 rsa->e = BN_bin2bn(reinterpret_cast<const unsigned char*>(exponent.get()), exponent.length(),
683 NULL);
684 if (rsa->e == NULL) {
685 logOpenSSLError("tee_get_keypair_public");
686 return -1;
687 }
688
689 Unique_EVP_PKEY pkey(EVP_PKEY_new());
690 if (pkey.get() == NULL) {
691 ALOGE("Could not allocate EVP_PKEY structure");
692 return -1;
693 }
694 if (EVP_PKEY_assign_RSA(pkey.get(), rsa.get()) != 1) {
695 logOpenSSLError("tee_get_keypair_public");
696 return -1;
697 }
698 OWNERSHIP_TRANSFERRED(rsa);
699
700 int len = i2d_PUBKEY(pkey.get(), NULL);
701 if (len <= 0) {
702 logOpenSSLError("tee_get_keypair_public");
703 return -1;
704 }
705
706 UniquePtr<uint8_t> key(static_cast<uint8_t*>(malloc(len)));
707 if (key.get() == NULL) {
708 ALOGE("Could not allocate memory for public key data");
709 return -1;
710 }
711
712 unsigned char* tmp = reinterpret_cast<unsigned char*>(key.get());
713 if (i2d_PUBKEY(pkey.get(), &tmp) != len) {
714 logOpenSSLError("tee_get_keypair_public");
715 return -1;
716 }
717
718 ALOGV("Length of x509 data is %d", len);
719 *x509_data_length = len;
720 *x509_data = key.release();
721
722 return 0;
723 }
724
tee_delete_keypair(const struct keymaster_device * dev,const uint8_t * key_blob,const size_t key_blob_length)725 static int tee_delete_keypair(const struct keymaster_device* dev,
726 const uint8_t* key_blob, const size_t key_blob_length) {
727
728 CryptoSession session(reinterpret_cast<CK_SESSION_HANDLE>(dev->context));
729
730 ObjectHandle publicKey(&session);
731 ObjectHandle privateKey(&session);
732
733 if (keyblob_restore(&session, key_blob, key_blob_length, &publicKey, &privateKey)) {
734 return -1;
735 }
736
737 // Delete the private key.
738 CK_RV rv = C_DestroyObject(session.get(), privateKey.get());
739 if (rv != CKR_OK) {
740 ALOGW("Could destroy private key object: 0x%02x", rv);
741 return -1;
742 }
743
744 // Delete the public key.
745 rv = C_DestroyObject(session.get(), publicKey.get());
746 if (rv != CKR_OK) {
747 ALOGW("Could destroy public key object: 0x%02x", rv);
748 return -1;
749 }
750
751 return 0;
752 }
753
tee_sign_data(const keymaster_device_t * dev,const void * params,const uint8_t * key_blob,const size_t key_blob_length,const uint8_t * data,const size_t dataLength,uint8_t ** signedData,size_t * signedDataLength)754 static int tee_sign_data(const keymaster_device_t* dev,
755 const void* params,
756 const uint8_t* key_blob, const size_t key_blob_length,
757 const uint8_t* data, const size_t dataLength,
758 uint8_t** signedData, size_t* signedDataLength) {
759 ALOGV("tee_sign_data(%p, %p, %llu, %p, %llu, %p, %p)", dev, key_blob,
760 (unsigned long long) key_blob_length, data, (unsigned long long) dataLength, signedData,
761 signedDataLength);
762
763 if (params == NULL) {
764 ALOGW("Signing params were null");
765 return -1;
766 }
767
768 CryptoSession session(reinterpret_cast<CK_SESSION_HANDLE>(dev->context));
769
770 ObjectHandle publicKey(&session);
771 ObjectHandle privateKey(&session);
772
773 if (keyblob_restore(&session, key_blob, key_blob_length, &publicKey, &privateKey)) {
774 return -1;
775 }
776 ALOGV("public handle = 0x%x, private handle = 0x%x", publicKey.get(), privateKey.get());
777
778 keymaster_rsa_sign_params_t* sign_params = (keymaster_rsa_sign_params_t*) params;
779 if (sign_params->digest_type != DIGEST_NONE) {
780 ALOGW("Cannot handle digest type %d", sign_params->digest_type);
781 return -1;
782 } else if (sign_params->padding_type != PADDING_NONE) {
783 ALOGW("Cannot handle padding type %d", sign_params->padding_type);
784 return -1;
785 }
786
787 CK_MECHANISM rawRsaMechanism = {
788 CKM_RSA_X_509, NULL, 0
789 };
790
791 CK_RV rv = C_SignInit(session.get(), &rawRsaMechanism, privateKey.get());
792 if (rv != CKR_OK) {
793 ALOGV("C_SignInit failed: 0x%x", rv);
794 return -1;
795 }
796
797 CK_BYTE signature[1024];
798 CK_ULONG signatureLength = 1024;
799
800 rv = C_Sign(session.get(), data, dataLength, signature, &signatureLength);
801 if (rv != CKR_OK) {
802 ALOGV("C_SignFinal failed: 0x%x", rv);
803 return -1;
804 }
805
806 UniquePtr<uint8_t[]> finalSignature(new uint8_t[signatureLength]);
807 if (finalSignature.get() == NULL) {
808 ALOGE("Couldn't allocate memory to copy signature");
809 return -1;
810 }
811
812 memcpy(finalSignature.get(), signature, signatureLength);
813
814 *signedData = finalSignature.release();
815 *signedDataLength = static_cast<size_t>(signatureLength);
816
817 ALOGV("tee_sign_data(%p, %p, %llu, %p, %llu, %p, %p) => %p size %llu", dev, key_blob,
818 (unsigned long long) key_blob_length, data, (unsigned long long) dataLength, signedData,
819 signedDataLength, *signedData, (unsigned long long) *signedDataLength);
820
821 return 0;
822 }
823
tee_verify_data(const keymaster_device_t * dev,const void * params,const uint8_t * keyBlob,const size_t keyBlobLength,const uint8_t * signedData,const size_t signedDataLength,const uint8_t * signature,const size_t signatureLength)824 static int tee_verify_data(const keymaster_device_t* dev,
825 const void* params,
826 const uint8_t* keyBlob, const size_t keyBlobLength,
827 const uint8_t* signedData, const size_t signedDataLength,
828 const uint8_t* signature, const size_t signatureLength) {
829 ALOGV("tee_verify_data(%p, %p, %llu, %p, %llu, %p, %llu)", dev, keyBlob,
830 (unsigned long long) keyBlobLength, signedData, (unsigned long long) signedDataLength,
831 signature, (unsigned long long) signatureLength);
832
833 if (params == NULL) {
834 ALOGW("Verification params were null");
835 return -1;
836 }
837
838 CryptoSession session(reinterpret_cast<CK_SESSION_HANDLE>(dev->context));
839
840 ObjectHandle publicKey(&session);
841 ObjectHandle privateKey(&session);
842
843 if (keyblob_restore(&session, keyBlob, keyBlobLength, &publicKey, &privateKey)) {
844 return -1;
845 }
846 ALOGV("public handle = 0x%x, private handle = 0x%x", publicKey.get(), privateKey.get());
847
848 keymaster_rsa_sign_params_t* sign_params = (keymaster_rsa_sign_params_t*) params;
849 if (sign_params->digest_type != DIGEST_NONE) {
850 ALOGW("Cannot handle digest type %d", sign_params->digest_type);
851 return -1;
852 } else if (sign_params->padding_type != PADDING_NONE) {
853 ALOGW("Cannot handle padding type %d", sign_params->padding_type);
854 return -1;
855 }
856
857 CK_MECHANISM rawRsaMechanism = {
858 CKM_RSA_X_509, NULL, 0
859 };
860
861 CK_RV rv = C_VerifyInit(session.get(), &rawRsaMechanism, publicKey.get());
862 if (rv != CKR_OK) {
863 ALOGV("C_VerifyInit failed: 0x%x", rv);
864 return -1;
865 }
866
867 // This is a bad prototype for this function. C_Verify should have only const args.
868 rv = C_Verify(session.get(), signedData, signedDataLength,
869 const_cast<unsigned char*>(signature), signatureLength);
870 if (rv != CKR_OK) {
871 ALOGV("C_Verify failed: 0x%x", rv);
872 return -1;
873 }
874
875 return 0;
876 }
877
878 /* Close an opened OpenSSL instance */
tee_close(hw_device_t * dev)879 static int tee_close(hw_device_t *dev) {
880 keymaster_device_t *keymaster_dev = (keymaster_device_t *) dev;
881 if (keymaster_dev != NULL) {
882 CK_SESSION_HANDLE handle = reinterpret_cast<CK_SESSION_HANDLE>(keymaster_dev->context);
883 if (handle != CK_INVALID_HANDLE) {
884 C_CloseSession(handle);
885 }
886 }
887
888 CK_RV finalizeRV = C_Finalize(NULL_PTR);
889 if (finalizeRV != CKR_OK) {
890 ALOGE("Error closing the TEE");
891 }
892 free(dev);
893
894 return 0;
895 }
896
897 /*
898 * Generic device handling
899 */
tee_open(const hw_module_t * module,const char * name,hw_device_t ** device)900 static int tee_open(const hw_module_t* module, const char* name,
901 hw_device_t** device) {
902 if (strcmp(name, KEYSTORE_KEYMASTER) != 0)
903 return -EINVAL;
904
905 Unique_keymaster_device_t dev(new keymaster_device_t);
906 if (dev.get() == NULL)
907 return -ENOMEM;
908
909 dev->common.tag = HARDWARE_DEVICE_TAG;
910 dev->common.version = 1;
911 dev->common.module = (struct hw_module_t*) module;
912 dev->common.close = tee_close;
913 dev->flags = 0;
914
915 dev->generate_keypair = tee_generate_keypair;
916 dev->import_keypair = tee_import_keypair;
917 dev->get_keypair_public = tee_get_keypair_public;
918 dev->delete_keypair = tee_delete_keypair;
919 dev->sign_data = tee_sign_data;
920 dev->verify_data = tee_verify_data;
921 dev->delete_all = NULL;
922
923 CK_RV initializeRV = C_Initialize(NULL);
924 if (initializeRV != CKR_OK) {
925 ALOGE("Error initializing TEE: 0x%x", initializeRV);
926 return -ENODEV;
927 }
928
929 CK_INFO info;
930 CK_RV infoRV = C_GetInfo(&info);
931 if (infoRV != CKR_OK) {
932 (void) C_Finalize(NULL_PTR);
933 ALOGE("Error getting information about TEE during initialization: 0x%x", infoRV);
934 return -ENODEV;
935 }
936
937 ALOGI("C_GetInfo cryptokiVer=%d.%d manufID=%s flags=%d libDesc=%s libVer=%d.%d\n",
938 info.cryptokiVersion.major, info.cryptokiVersion.minor,
939 info.manufacturerID, info.flags, info.libraryDescription,
940 info.libraryVersion.major, info.libraryVersion.minor);
941
942 CK_SESSION_HANDLE sessionHandle = CK_INVALID_HANDLE;
943
944 CK_RV openSessionRV = C_OpenSession(CKV_TOKEN_USER,
945 CKF_SERIAL_SESSION | CKF_RW_SESSION,
946 NULL,
947 NULL,
948 &sessionHandle);
949
950 if (openSessionRV != CKR_OK || sessionHandle == CK_INVALID_HANDLE) {
951 (void) C_Finalize(NULL_PTR);
952 ALOGE("Error opening primary session with TEE: 0x%x", openSessionRV);
953 return -1;
954 }
955
956 ERR_load_crypto_strings();
957 ERR_load_BIO_strings();
958
959 dev->context = reinterpret_cast<void*>(sessionHandle);
960 *device = reinterpret_cast<hw_device_t*>(dev.release());
961
962 return 0;
963 }
964
965 static struct hw_module_methods_t keystore_module_methods = {
966 open: tee_open,
967 };
968
969 struct keystore_module HAL_MODULE_INFO_SYM
970 __attribute__ ((visibility ("default"))) = {
971 common: {
972 tag: HARDWARE_MODULE_TAG,
973 module_api_version: KEYMASTER_MODULE_API_VERSION_0_3,
974 hal_api_version: HARDWARE_HAL_API_VERSION,
975 id: KEYSTORE_HARDWARE_MODULE_ID,
976 name: "Keymaster TEE HAL",
977 author: "The Android Open Source Project",
978 methods: &keystore_module_methods,
979 dso: 0,
980 reserved: {},
981 },
982 };
983