1 /*
2 * Copyright 2015 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include "keymaster0_engine.h"
18
19 #include <assert.h>
20
21 #include <memory>
22
23 #define LOG_TAG "Keymaster0Engine"
24 #include <cutils/log.h>
25
26 #include "keymaster/android_keymaster_utils.h"
27
28 #include <openssl/bn.h>
29 #include <openssl/ec_key.h>
30 #include <openssl/ecdsa.h>
31
32 #include "openssl_utils.h"
33
34 using std::shared_ptr;
35 using std::unique_ptr;
36
37 namespace keymaster {
38
39 // int Keymaster0Engine::rsa_index_ = -1;
40 // int Keymaster0Engine::ec_key_index_ = -1;
41 Keymaster0Engine* Keymaster0Engine::instance_ = nullptr;
42 const RSA_METHOD Keymaster0Engine::rsa_method_ = {
43 .common =
44 {
45 0, // references
46 1 // is_static
47 },
48 .app_data = nullptr,
49 .init = nullptr,
50 .finish = nullptr,
51 .size = nullptr,
52 .sign = nullptr,
53 .verify = nullptr,
54
55 .encrypt = nullptr,
56 .sign_raw = nullptr,
57 .decrypt = nullptr,
58 .verify_raw = nullptr,
59
60 .private_transform = Keymaster0Engine::rsa_private_transform,
61
62 .mod_exp = nullptr,
63 .bn_mod_exp = BN_mod_exp_mont,
64
65 .flags = RSA_FLAG_OPAQUE,
66
67 .keygen = nullptr,
68 .supports_digest = nullptr,
69 };
70
71 const ECDSA_METHOD Keymaster0Engine::ecdsa_method_ = {
72 .common =
73 {
74 0, // references
75 1 // is_static
76 },
77 .app_data = nullptr,
78 .init = nullptr,
79 .finish = nullptr,
80 .group_order_size = nullptr,
81 .sign = Keymaster0Engine::ecdsa_sign,
82 .verify = nullptr,
83 .flags = ECDSA_FLAG_OPAQUE,
84 };
85
Keymaster0Engine(const keymaster0_device_t * keymaster0_device)86 Keymaster0Engine::Keymaster0Engine(const keymaster0_device_t* keymaster0_device)
87 : keymaster0_device_(keymaster0_device), engine_(ENGINE_new()), supports_ec_(false) {
88 assert(!instance_);
89 instance_ = this;
90
91 rsa_index_ = RSA_get_ex_new_index(0 /* argl */, NULL /* argp */, NULL /* new_func */,
92 keyblob_dup, keyblob_free);
93 ec_key_index_ = EC_KEY_get_ex_new_index(0 /* argl */, NULL /* argp */, NULL /* new_func */,
94 keyblob_dup, keyblob_free);
95
96 ENGINE_set_RSA_method(engine_, &rsa_method_, sizeof(rsa_method_));
97
98 if ((keymaster0_device_->flags & KEYMASTER_SUPPORTS_EC) != 0) {
99 supports_ec_ = true;
100 ENGINE_set_ECDSA_method(engine_, &ecdsa_method_, sizeof(ecdsa_method_));
101 }
102 }
103
~Keymaster0Engine()104 Keymaster0Engine::~Keymaster0Engine() {
105 if (keymaster0_device_)
106 keymaster0_device_->common.close(
107 reinterpret_cast<hw_device_t*>(const_cast<keymaster0_device_t*>(keymaster0_device_)));
108 ENGINE_free(engine_);
109 instance_ = nullptr;
110 }
111
GenerateRsaKey(uint64_t public_exponent,uint32_t public_modulus,KeymasterKeyBlob * key_material) const112 bool Keymaster0Engine::GenerateRsaKey(uint64_t public_exponent, uint32_t public_modulus,
113 KeymasterKeyBlob* key_material) const {
114 assert(key_material);
115 keymaster_rsa_keygen_params_t params;
116 params.public_exponent = public_exponent;
117 params.modulus_size = public_modulus;
118
119 uint8_t* key_blob = 0;
120 if (keymaster0_device_->generate_keypair(keymaster0_device_, TYPE_RSA, ¶ms, &key_blob,
121 &key_material->key_material_size) < 0) {
122 ALOGE("Error generating RSA key pair with keymaster0 device");
123 return false;
124 }
125 unique_ptr<uint8_t, Malloc_Delete> key_blob_deleter(key_blob);
126 key_material->key_material = dup_buffer(key_blob, key_material->key_material_size);
127 return true;
128 }
129
GenerateEcKey(uint32_t key_size,KeymasterKeyBlob * key_material) const130 bool Keymaster0Engine::GenerateEcKey(uint32_t key_size, KeymasterKeyBlob* key_material) const {
131 assert(key_material);
132 keymaster_ec_keygen_params_t params;
133 params.field_size = key_size;
134
135 uint8_t* key_blob = 0;
136 if (keymaster0_device_->generate_keypair(keymaster0_device_, TYPE_EC, ¶ms, &key_blob,
137 &key_material->key_material_size) < 0) {
138 ALOGE("Error generating EC key pair with keymaster0 device");
139 return false;
140 }
141 unique_ptr<uint8_t, Malloc_Delete> key_blob_deleter(key_blob);
142 key_material->key_material = dup_buffer(key_blob, key_material->key_material_size);
143 return true;
144 }
145
ImportKey(keymaster_key_format_t key_format,const KeymasterKeyBlob & to_import,KeymasterKeyBlob * imported_key) const146 bool Keymaster0Engine::ImportKey(keymaster_key_format_t key_format,
147 const KeymasterKeyBlob& to_import,
148 KeymasterKeyBlob* imported_key) const {
149 assert(imported_key);
150 if (key_format != KM_KEY_FORMAT_PKCS8)
151 return false;
152
153 uint8_t* key_blob = 0;
154 if (keymaster0_device_->import_keypair(keymaster0_device_, to_import.key_material,
155 to_import.key_material_size, &key_blob,
156 &imported_key->key_material_size) < 0) {
157 ALOGW("Error importing keypair with keymaster0 device");
158 return false;
159 }
160 unique_ptr<uint8_t, Malloc_Delete> key_blob_deleter(key_blob);
161 imported_key->key_material = dup_buffer(key_blob, imported_key->key_material_size);
162 return true;
163 }
164
duplicate_blob(const uint8_t * key_data,size_t key_data_size)165 static keymaster_key_blob_t* duplicate_blob(const uint8_t* key_data, size_t key_data_size) {
166 unique_ptr<uint8_t[]> key_material_copy(dup_buffer(key_data, key_data_size));
167 if (!key_material_copy)
168 return nullptr;
169
170 unique_ptr<keymaster_key_blob_t> blob_copy(new (std::nothrow) keymaster_key_blob_t);
171 if (!blob_copy.get())
172 return nullptr;
173 blob_copy->key_material_size = key_data_size;
174 blob_copy->key_material = key_material_copy.release();
175 return blob_copy.release();
176 }
177
duplicate_blob(const keymaster_key_blob_t & blob)178 inline keymaster_key_blob_t* duplicate_blob(const keymaster_key_blob_t& blob) {
179 return duplicate_blob(blob.key_material, blob.key_material_size);
180 }
181
BlobToRsaKey(const KeymasterKeyBlob & blob) const182 RSA* Keymaster0Engine::BlobToRsaKey(const KeymasterKeyBlob& blob) const {
183 // Create new RSA key (with engine methods) and insert blob
184 unique_ptr<RSA, RSA_Delete> rsa(RSA_new_method(engine_));
185 if (!rsa)
186 return nullptr;
187
188 keymaster_key_blob_t* blob_copy = duplicate_blob(blob);
189 if (!blob_copy->key_material || !RSA_set_ex_data(rsa.get(), rsa_index_, blob_copy))
190 return nullptr;
191
192 // Copy public key into new RSA key
193 unique_ptr<EVP_PKEY, EVP_PKEY_Delete> pkey(GetKeymaster0PublicKey(blob));
194 if (!pkey)
195 return nullptr;
196 unique_ptr<RSA, RSA_Delete> public_rsa(EVP_PKEY_get1_RSA(pkey.get()));
197 if (!public_rsa)
198 return nullptr;
199 rsa->n = BN_dup(public_rsa->n);
200 rsa->e = BN_dup(public_rsa->e);
201 if (!rsa->n || !rsa->e)
202 return nullptr;
203
204 return rsa.release();
205 }
206
BlobToEcKey(const KeymasterKeyBlob & blob) const207 EC_KEY* Keymaster0Engine::BlobToEcKey(const KeymasterKeyBlob& blob) const {
208 // Create new EC key (with engine methods) and insert blob
209 unique_ptr<EC_KEY, EC_Delete> ec_key(EC_KEY_new_method(engine_));
210 if (!ec_key)
211 return nullptr;
212
213 keymaster_key_blob_t* blob_copy = duplicate_blob(blob);
214 if (!blob_copy->key_material || !EC_KEY_set_ex_data(ec_key.get(), ec_key_index_, blob_copy))
215 return nullptr;
216
217 // Copy public key into new EC key
218 unique_ptr<EVP_PKEY, EVP_PKEY_Delete> pkey(GetKeymaster0PublicKey(blob));
219 if (!pkey)
220 return nullptr;
221
222 unique_ptr<EC_KEY, EC_Delete> public_ec_key(EVP_PKEY_get1_EC_KEY(pkey.get()));
223 if (!public_ec_key)
224 return nullptr;
225
226 if (!EC_KEY_set_group(ec_key.get(), EC_KEY_get0_group(public_ec_key.get())) ||
227 !EC_KEY_set_public_key(ec_key.get(), EC_KEY_get0_public_key(public_ec_key.get())))
228 return nullptr;
229
230 return ec_key.release();
231 }
232
RsaKeyToBlob(const RSA * rsa) const233 const keymaster_key_blob_t* Keymaster0Engine::RsaKeyToBlob(const RSA* rsa) const {
234 return reinterpret_cast<keymaster_key_blob_t*>(RSA_get_ex_data(rsa, rsa_index_));
235 }
236
EcKeyToBlob(const EC_KEY * ec_key) const237 const keymaster_key_blob_t* Keymaster0Engine::EcKeyToBlob(const EC_KEY* ec_key) const {
238 return reinterpret_cast<keymaster_key_blob_t*>(EC_KEY_get_ex_data(ec_key, ec_key_index_));
239 }
240
241 /* static */
keyblob_dup(CRYPTO_EX_DATA *,const CRYPTO_EX_DATA *,void ** from_d,int,long,void *)242 int Keymaster0Engine::keyblob_dup(CRYPTO_EX_DATA* /* to */, const CRYPTO_EX_DATA* /* from */,
243 void** from_d, int /* index */, long /* argl */,
244 void* /* argp */) {
245 keymaster_key_blob_t* blob = reinterpret_cast<keymaster_key_blob_t*>(*from_d);
246 if (!blob)
247 return 1;
248 *from_d = duplicate_blob(*blob);
249 if (*from_d)
250 return 1;
251 return 0;
252 }
253
254 /* static */
keyblob_free(void *,void * ptr,CRYPTO_EX_DATA *,int,long,void *)255 void Keymaster0Engine::keyblob_free(void* /* parent */, void* ptr, CRYPTO_EX_DATA* /* data */,
256 int /* index*/, long /* argl */, void* /* argp */) {
257 keymaster_key_blob_t* blob = reinterpret_cast<keymaster_key_blob_t*>(ptr);
258 if (blob) {
259 delete[] blob->key_material;
260 delete blob;
261 }
262 }
263
264 /* static */
rsa_private_transform(RSA * rsa,uint8_t * out,const uint8_t * in,size_t len)265 int Keymaster0Engine::rsa_private_transform(RSA* rsa, uint8_t* out, const uint8_t* in, size_t len) {
266 ALOGV("rsa_private_transform(%p, %p, %p, %u)", rsa, out, in, (unsigned)len);
267
268 assert(instance_);
269 return instance_->RsaPrivateTransform(rsa, out, in, len);
270 }
271
272 /* static */
ecdsa_sign(const uint8_t * digest,size_t digest_len,uint8_t * sig,unsigned int * sig_len,EC_KEY * ec_key)273 int Keymaster0Engine::ecdsa_sign(const uint8_t* digest, size_t digest_len, uint8_t* sig,
274 unsigned int* sig_len, EC_KEY* ec_key) {
275 ALOGV("ecdsa_sign(%p, %u, %p)", digest, (unsigned)digest_len, ec_key);
276 assert(instance_);
277 return instance_->EcdsaSign(digest, digest_len, sig, sig_len, ec_key);
278 }
279
Keymaster0Sign(const void * signing_params,const keymaster_key_blob_t & blob,const uint8_t * data,const size_t data_length,unique_ptr<uint8_t[],Malloc_Delete> * signature,size_t * signature_length) const280 bool Keymaster0Engine::Keymaster0Sign(const void* signing_params, const keymaster_key_blob_t& blob,
281 const uint8_t* data, const size_t data_length,
282 unique_ptr<uint8_t[], Malloc_Delete>* signature,
283 size_t* signature_length) const {
284 uint8_t* signed_data;
285 int err = keymaster0_device_->sign_data(keymaster0_device_, signing_params, blob.key_material,
286 blob.key_material_size, data, data_length, &signed_data,
287 signature_length);
288 if (err < 0) {
289 ALOGE("Keymaster0 signing failed with error %d", err);
290 return false;
291 }
292
293 signature->reset(signed_data);
294 return true;
295 }
296
GetKeymaster0PublicKey(const KeymasterKeyBlob & blob) const297 EVP_PKEY* Keymaster0Engine::GetKeymaster0PublicKey(const KeymasterKeyBlob& blob) const {
298 uint8_t* pub_key_data;
299 size_t pub_key_data_length;
300 int err = keymaster0_device_->get_keypair_public(keymaster0_device_, blob.key_material,
301 blob.key_material_size, &pub_key_data,
302 &pub_key_data_length);
303 if (err < 0) {
304 ALOGE("Error %d extracting public key", err);
305 return nullptr;
306 }
307 unique_ptr<uint8_t, Malloc_Delete> pub_key(pub_key_data);
308
309 const uint8_t* p = pub_key_data;
310 return d2i_PUBKEY(nullptr /* allocate new struct */, &p, pub_key_data_length);
311 }
312
RsaPrivateTransform(RSA * rsa,uint8_t * out,const uint8_t * in,size_t len) const313 int Keymaster0Engine::RsaPrivateTransform(RSA* rsa, uint8_t* out, const uint8_t* in,
314 size_t len) const {
315 const keymaster_key_blob_t* key_blob = RsaKeyToBlob(rsa);
316 if (key_blob == NULL) {
317 ALOGE("key had no key_blob!");
318 return 0;
319 }
320
321 keymaster_rsa_sign_params_t sign_params = {DIGEST_NONE, PADDING_NONE};
322 unique_ptr<uint8_t[], Malloc_Delete> signature;
323 size_t signature_length;
324 if (!Keymaster0Sign(&sign_params, *key_blob, in, len, &signature, &signature_length))
325 return 0;
326 Eraser eraser(signature.get(), signature_length);
327
328 if (signature_length > len) {
329 /* The result of the RSA operation can never be larger than the size of
330 * the modulus so we assume that the result has extra zeros on the
331 * left. This provides attackers with an oracle, but there's nothing
332 * that we can do about it here. */
333 memcpy(out, signature.get() + signature_length - len, len);
334 } else if (signature_length < len) {
335 /* If the keymaster0 implementation returns a short value we assume that
336 * it's because it removed leading zeros from the left side. This is
337 * bad because it provides attackers with an oracle but we cannot do
338 * anything about a broken keymaster0 implementation here. */
339 memset(out, 0, len);
340 memcpy(out + len - signature_length, signature.get(), signature_length);
341 } else {
342 memcpy(out, signature.get(), len);
343 }
344
345 ALOGV("rsa=%p keystore_rsa_priv_dec successful", rsa);
346 return 1;
347 }
348
ec_group_size_bits(EC_KEY * ec_key)349 static size_t ec_group_size_bits(EC_KEY* ec_key) {
350 const EC_GROUP* group = EC_KEY_get0_group(ec_key);
351 unique_ptr<BN_CTX, BN_CTX_Delete> bn_ctx(BN_CTX_new());
352 unique_ptr<BIGNUM, BIGNUM_Delete> order(BN_new());
353 if (!EC_GROUP_get_order(group, order.get(), bn_ctx.get())) {
354 ALOGE("Failed to get EC group order");
355 return 0;
356 }
357 return BN_num_bits(order.get());
358 }
359
EcdsaSign(const uint8_t * digest,size_t digest_len,uint8_t * sig,unsigned int * sig_len,EC_KEY * ec_key) const360 int Keymaster0Engine::EcdsaSign(const uint8_t* digest, size_t digest_len, uint8_t* sig,
361 unsigned int* sig_len, EC_KEY* ec_key) const {
362 const keymaster_key_blob_t* key_blob = EcKeyToBlob(ec_key);
363 if (key_blob == NULL) {
364 ALOGE("key had no key_blob!");
365 return 0;
366 }
367
368 // Truncate digest if it's too long
369 size_t max_input_len = (ec_group_size_bits(ec_key) + 7) / 8;
370 if (digest_len > max_input_len)
371 digest_len = max_input_len;
372
373 keymaster_ec_sign_params_t sign_params = {DIGEST_NONE};
374 unique_ptr<uint8_t[], Malloc_Delete> signature;
375 size_t signature_length;
376 if (!Keymaster0Sign(&sign_params, *key_blob, digest, digest_len, &signature, &signature_length))
377 return 0;
378 Eraser eraser(signature.get(), signature_length);
379
380 if (signature_length == 0) {
381 ALOGW("No valid signature returned");
382 return 0;
383 } else if (signature_length > ECDSA_size(ec_key)) {
384 ALOGW("Signature is too large");
385 return 0;
386 } else {
387 memcpy(sig, signature.get(), signature_length);
388 *sig_len = signature_length;
389 }
390
391 ALOGV("ecdsa_sign(%p, %u, %p) => success", digest, (unsigned)digest_len, ec_key);
392 return 1;
393 }
394
395 } // namespace keymaster
396