1 /*
2 * Copyright 2013 The Android Open Source Project
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright
10 * notice, this list of conditions and the following disclaimer in the
11 * documentation and/or other materials provided with the distribution.
12 *
13 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY
14 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
15 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
16 * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY
17 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
18 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
19 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
20 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
21 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
22 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
23 *
24 */
25
26 #include <UniquePtr.h>
27
28 //#define LOG_NDEBUG 0
29 #define LOG_TAG "OpenSSL-keystore-dsa"
30 #include <cutils/log.h>
31
32 #include <binder/IServiceManager.h>
33 #include <keystore/IKeystoreService.h>
34
35 #include <openssl/dsa.h>
36 #include <openssl/engine.h>
37
38 #include "methods.h"
39
40
41 using namespace android;
42
43 struct DSA_SIG_Delete {
operator ()DSA_SIG_Delete44 void operator()(DSA_SIG* p) const {
45 DSA_SIG_free(p);
46 }
47 };
48 typedef UniquePtr<DSA_SIG, struct DSA_SIG_Delete> Unique_DSA_SIG;
49
keystore_dsa_do_sign(const unsigned char * dgst,int dlen,DSA * dsa)50 static DSA_SIG* keystore_dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) {
51 ALOGV("keystore_dsa_do_sign(%p, %d, %p)", dgst, dlen, dsa);
52
53 uint8_t* key_id = reinterpret_cast<uint8_t*>(DSA_get_ex_data(dsa, dsa_key_handle));
54 if (key_id == NULL) {
55 ALOGE("key had no key_id!");
56 return 0;
57 }
58
59 sp<IServiceManager> sm = defaultServiceManager();
60 sp<IBinder> binder = sm->getService(String16("android.security.keystore"));
61 sp<IKeystoreService> service = interface_cast<IKeystoreService>(binder);
62
63 if (service == NULL) {
64 ALOGE("could not contact keystore");
65 return 0;
66 }
67
68 int num = DSA_size(dsa);
69
70 uint8_t* reply = NULL;
71 size_t replyLen;
72 int32_t ret = service->sign(String16(reinterpret_cast<const char*>(key_id)), dgst,
73 dlen, &reply, &replyLen);
74 if (ret < 0) {
75 ALOGW("There was an error during dsa_do_sign: could not connect");
76 return 0;
77 } else if (ret != 0) {
78 ALOGW("Error during sign from keystore: %d", ret);
79 return 0;
80 } else if (replyLen <= 0) {
81 ALOGW("No valid signature returned");
82 return 0;
83 } else if (replyLen > (size_t) num) {
84 ALOGW("Signature is too large");
85 return 0;
86 }
87
88 Unique_DSA_SIG dsa_sig(d2i_DSA_SIG(NULL,
89 const_cast<const unsigned char**>(reinterpret_cast<unsigned char**>(&reply)),
90 replyLen));
91 if (dsa_sig.get() == NULL) {
92 ALOGW("conversion from DER to DSA_SIG failed");
93 return 0;
94 }
95
96 ALOGV("keystore_dsa_do_sign(%p, %d, %p) => returning %p len %zu", dgst, dlen, dsa,
97 dsa_sig.get(), replyLen);
98 return dsa_sig.release();
99 }
100
101 static DSA_METHOD keystore_dsa_meth = {
102 kKeystoreEngineId, /* name */
103 keystore_dsa_do_sign, /* dsa_do_sign */
104 NULL, /* dsa_sign_setup */
105 NULL, /* dsa_do_verify */
106 NULL, /* dsa_mod_exp */
107 NULL, /* bn_mod_exp */
108 NULL, /* init */
109 NULL, /* finish */
110 0, /* flags */
111 NULL, /* app_data */
112 NULL, /* dsa_paramgen */
113 NULL, /* dsa_keygen */
114 };
115
register_dsa_methods()116 static int register_dsa_methods() {
117 const DSA_METHOD* dsa_meth = DSA_OpenSSL();
118
119 keystore_dsa_meth.dsa_do_verify = dsa_meth->dsa_do_verify;
120
121 return 1;
122 }
123
dsa_pkey_setup(ENGINE * e,EVP_PKEY * pkey,const char * key_id)124 int dsa_pkey_setup(ENGINE *e, EVP_PKEY *pkey, const char *key_id) {
125 Unique_DSA dsa(EVP_PKEY_get1_DSA(pkey));
126 if (!DSA_set_ex_data(dsa.get(), dsa_key_handle, reinterpret_cast<void*>(strdup(key_id)))) {
127 ALOGW("Could not set ex_data for loaded DSA key");
128 return 0;
129 }
130
131 DSA_set_method(dsa.get(), &keystore_dsa_meth);
132
133 /*
134 * "DSA_set_ENGINE()" should probably be an OpenSSL API. Since it isn't,
135 * and EVP_PKEY_free() calls ENGINE_finish(), we need to call ENGINE_init()
136 * here.
137 */
138 ENGINE_init(e);
139 dsa->engine = e;
140
141 return 1;
142 }
143
dsa_register(ENGINE * e)144 int dsa_register(ENGINE* e) {
145 if (!ENGINE_set_DSA(e, &keystore_dsa_meth)
146 || !register_dsa_methods()) {
147 ALOGE("Could not set up keystore DSA methods");
148 return 0;
149 }
150
151 return 1;
152 }
153