1 /* 2 * Copyright 2015 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 #include <keymaster/km_openssl/openssl_utils.h> 18 19 #include <keymaster/android_keymaster_utils.h> 20 #include <openssl/mem.h> 21 #include <openssl/rand.h> 22 23 #include <keymaster/km_openssl/openssl_err.h> 24 25 namespace keymaster { 26 27 constexpr uint32_t kAffinePointLength = 32; 28 ec_get_group_size(const EC_GROUP * group,size_t * key_size_bits)29 keymaster_error_t ec_get_group_size(const EC_GROUP* group, size_t* key_size_bits) { 30 switch (EC_GROUP_get_curve_name(group)) { 31 case NID_secp224r1: 32 *key_size_bits = 224; 33 break; 34 case NID_X9_62_prime256v1: 35 *key_size_bits = 256; 36 break; 37 case NID_secp384r1: 38 *key_size_bits = 384; 39 break; 40 case NID_secp521r1: 41 *key_size_bits = 521; 42 break; 43 default: 44 return KM_ERROR_UNSUPPORTED_EC_FIELD; 45 } 46 return KM_ERROR_OK; 47 } 48 ec_get_group(keymaster_ec_curve_t curve)49 EC_GROUP* ec_get_group(keymaster_ec_curve_t curve) { 50 switch (curve) { 51 case KM_EC_CURVE_P_224: 52 return EC_GROUP_new_by_curve_name(NID_secp224r1); 53 break; 54 case KM_EC_CURVE_P_256: 55 return EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1); 56 break; 57 case KM_EC_CURVE_P_384: 58 return EC_GROUP_new_by_curve_name(NID_secp384r1); 59 break; 60 case KM_EC_CURVE_P_521: 61 return EC_GROUP_new_by_curve_name(NID_secp521r1); 62 break; 63 default: 64 return nullptr; 65 break; 66 } 67 } 68 convert_pkcs8_blob_to_evp(const uint8_t * key_data,size_t key_length,keymaster_algorithm_t expected_algorithm,UniquePtr<EVP_PKEY,EVP_PKEY_Delete> * pkey)69 keymaster_error_t convert_pkcs8_blob_to_evp(const uint8_t* key_data, size_t key_length, 70 keymaster_algorithm_t expected_algorithm, 71 UniquePtr<EVP_PKEY, EVP_PKEY_Delete>* pkey) { 72 if (key_data == nullptr || key_length <= 0) return KM_ERROR_INVALID_KEY_BLOB; 73 74 UniquePtr<PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO_Delete> pkcs8( 75 d2i_PKCS8_PRIV_KEY_INFO(nullptr, &key_data, key_length)); 76 if (pkcs8.get() == nullptr) return TranslateLastOpenSslError(true /* log_message */); 77 78 pkey->reset(EVP_PKCS82PKEY(pkcs8.get())); 79 if (!pkey->get()) return TranslateLastOpenSslError(true /* log_message */); 80 81 // Check the key type detected from the PKCS8 blob matches the KM algorithm we expect. 82 keymaster_algorithm_t got_algorithm; 83 switch (EVP_PKEY_id(pkey->get())) { 84 case EVP_PKEY_RSA: 85 got_algorithm = KM_ALGORITHM_RSA; 86 break; 87 case EVP_PKEY_EC: 88 case EVP_PKEY_ED25519: 89 case EVP_PKEY_X25519: 90 got_algorithm = KM_ALGORITHM_EC; 91 break; 92 default: 93 LOG_E("EVP key algorithm was unknown (type %d), not the expected %d", 94 EVP_PKEY_id(pkey->get()), expected_algorithm); 95 return KM_ERROR_INVALID_KEY_BLOB; 96 } 97 98 if (expected_algorithm != got_algorithm) { 99 LOG_E("EVP key algorithm was %d (from type %d), not the expected %d", got_algorithm, 100 EVP_PKEY_id(pkey->get()), expected_algorithm); 101 return KM_ERROR_INVALID_KEY_BLOB; 102 } 103 104 return KM_ERROR_OK; 105 } 106 KeyMaterialToEvpKey(keymaster_key_format_t key_format,const KeymasterKeyBlob & key_material,keymaster_algorithm_t expected_algorithm,EVP_PKEY_Ptr * pkey)107 keymaster_error_t KeyMaterialToEvpKey(keymaster_key_format_t key_format, 108 const KeymasterKeyBlob& key_material, 109 keymaster_algorithm_t expected_algorithm, 110 EVP_PKEY_Ptr* pkey) { 111 if (key_format != KM_KEY_FORMAT_PKCS8) return KM_ERROR_UNSUPPORTED_KEY_FORMAT; 112 113 return convert_pkcs8_blob_to_evp(key_material.key_material, key_material.key_material_size, 114 expected_algorithm, pkey); 115 } 116 EvpKeyToKeyMaterial(const EVP_PKEY * pkey,KeymasterKeyBlob * key_blob)117 keymaster_error_t EvpKeyToKeyMaterial(const EVP_PKEY* pkey, KeymasterKeyBlob* key_blob) { 118 switch (EVP_PKEY_id(pkey)) { 119 case EVP_PKEY_ED25519: 120 case EVP_PKEY_X25519: { 121 // BoringSSL's i2d_PrivateKey does not handle curve 25519 keys. 122 uint8_t* data = nullptr; 123 size_t data_len; 124 CBB cbb; 125 if (!CBB_init(&cbb, 0) || !EVP_marshal_private_key(&cbb, pkey) || 126 !CBB_finish(&cbb, &data, &data_len)) { 127 CBB_cleanup(&cbb); 128 OPENSSL_free(data); 129 return KM_ERROR_UNKNOWN_ERROR; 130 } 131 132 if (!key_blob->Reset(data_len)) { 133 OPENSSL_free(data); 134 return KM_ERROR_MEMORY_ALLOCATION_FAILED; 135 } 136 memcpy(key_blob->writable_data(), data, data_len); 137 OPENSSL_free(data); 138 break; 139 } 140 default: { 141 int key_data_size = i2d_PrivateKey(pkey, nullptr /* key_data*/); 142 if (key_data_size <= 0) return TranslateLastOpenSslError(); 143 144 if (!key_blob->Reset(key_data_size)) return KM_ERROR_MEMORY_ALLOCATION_FAILED; 145 146 uint8_t* tmp = key_blob->writable_data(); 147 i2d_PrivateKey(pkey, &tmp); 148 break; 149 } 150 } 151 152 return KM_ERROR_OK; 153 } 154 155 // Remote provisioning helper function GetEcdsa256KeyFromCert(const keymaster_blob_t * km_cert,uint8_t * x_coord,size_t x_length,uint8_t * y_coord,size_t y_length)156 keymaster_error_t GetEcdsa256KeyFromCert(const keymaster_blob_t* km_cert, uint8_t* x_coord, 157 size_t x_length, uint8_t* y_coord, size_t y_length) { 158 if (km_cert == nullptr || x_coord == nullptr || y_coord == nullptr) { 159 return KM_ERROR_UNEXPECTED_NULL_POINTER; 160 } 161 if (x_length != kAffinePointLength || y_length != kAffinePointLength) { 162 return KM_ERROR_INVALID_ARGUMENT; 163 } 164 const uint8_t* temp = km_cert->data; 165 X509_Ptr cert(d2i_X509(NULL, &temp, km_cert->data_length)); 166 if (!cert.get()) return TranslateLastOpenSslError(); 167 EVP_PKEY_Ptr pubKey(X509_get_pubkey(cert.get())); 168 if (!pubKey.get()) return TranslateLastOpenSslError(); 169 EC_KEY* ecKey = EVP_PKEY_get0_EC_KEY(pubKey.get()); 170 if (!ecKey) return TranslateLastOpenSslError(); 171 const EC_POINT* jacobian_coords = EC_KEY_get0_public_key(ecKey); 172 if (!jacobian_coords) return TranslateLastOpenSslError(); 173 bssl::UniquePtr<BIGNUM> x(BN_new()); 174 bssl::UniquePtr<BIGNUM> y(BN_new()); 175 BN_CTX_Ptr ctx(BN_CTX_new()); 176 if (!ctx.get()) return TranslateLastOpenSslError(); 177 if (!EC_POINT_get_affine_coordinates_GFp(EC_KEY_get0_group(ecKey), jacobian_coords, x.get(), 178 y.get(), ctx.get())) { 179 return TranslateLastOpenSslError(); 180 } 181 uint8_t* tmp_x = x_coord; 182 if (BN_bn2binpad(x.get(), tmp_x, kAffinePointLength) != kAffinePointLength) { 183 return TranslateLastOpenSslError(); 184 } 185 uint8_t* tmp_y = y_coord; 186 if (BN_bn2binpad(y.get(), tmp_y, kAffinePointLength) != kAffinePointLength) { 187 return TranslateLastOpenSslError(); 188 } 189 return KM_ERROR_OK; 190 } 191 ec_group_size_bits(EC_KEY * ec_key)192 size_t ec_group_size_bits(EC_KEY* ec_key) { 193 const EC_GROUP* group = EC_KEY_get0_group(ec_key); 194 UniquePtr<BN_CTX, BN_CTX_Delete> bn_ctx(BN_CTX_new()); 195 UniquePtr<BIGNUM, BIGNUM_Delete> order(BN_new()); 196 if (!EC_GROUP_get_order(group, order.get(), bn_ctx.get())) { 197 LOG_E("Failed to get EC group order"); 198 return 0; 199 } 200 return BN_num_bits(order.get()); 201 } 202 GenerateRandom(uint8_t * buf,size_t length)203 keymaster_error_t GenerateRandom(uint8_t* buf, size_t length) { 204 if (RAND_bytes(buf, length) != 1) return KM_ERROR_UNKNOWN_ERROR; 205 return KM_ERROR_OK; 206 } 207 208 } // namespace keymaster 209