1 /*
2  * Copyright 2015 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include "rsa_keymaster1_operation.h"
18 
19 #include <memory>
20 
21 #include <keymaster/android_keymaster_utils.h>
22 #include <keymaster/km_openssl/openssl_err.h>
23 #include <keymaster/km_openssl/openssl_utils.h>
24 #include <keymaster/legacy_support/rsa_keymaster1_key.h>
25 
26 using std::unique_ptr;
27 
28 namespace keymaster {
29 
Begin(EVP_PKEY * rsa_key,const AuthorizationSet & input_params)30 keymaster_error_t RsaKeymaster1WrappedOperation::Begin(EVP_PKEY* rsa_key,
31                                                        const AuthorizationSet& input_params) {
32     Keymaster1Engine::KeyData* key_data = engine_->GetData(rsa_key);
33     if (!key_data)
34         return KM_ERROR_UNKNOWN_ERROR;
35 
36     // Copy the input params and substitute KM_DIGEST_NONE for whatever was specified.  Also change
37     // KM_PAD_RSA_PSS and KM_PAD_OAEP to KM_PAD_NONE, if necessary. These are the params we'll pass
38     // to the hardware module.  The regular Rsa*Operation classes will do software digesting and
39     // padding where we've told the HW not to.
40     //
41     // The reason we don't change KM_PAD_RSA_PKCS1_1_5_SIGN or KM_PAD_RSA_PKCS1_1_5_ENCRYPT to
42     // KM_PAD_NONE is because the hardware can perform those padding modes, since they don't involve
43     // digesting.
44     //
45     // We also cache in the key the padding value that we expect to be passed to the engine crypto
46     // operation.  This just allows us to double-check that the correct padding value is reaching
47     // that layer.
48     AuthorizationSet begin_params(input_params);
49     int pos = begin_params.find(TAG_DIGEST);
50     if (pos == -1) {
51         // If we reach this point with no digest given. It was verified that KM_DIGEST_NONE was
52         // authorized by OperationFactory::GetAndValidateDigest. So no DIGEST given may imply
53         // KM_DIGEST_NONE.
54         begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE);
55     } else {
56         begin_params[pos].enumerated = KM_DIGEST_NONE;
57     }
58 
59     pos = begin_params.find(TAG_PADDING);
60     if (pos == -1)
61         return KM_ERROR_UNSUPPORTED_PADDING_MODE;
62     switch (begin_params[pos].enumerated) {
63     case KM_PAD_NONE:
64     case KM_PAD_RSA_PSS:
65     case KM_PAD_RSA_OAEP:
66         key_data->expected_openssl_padding = RSA_NO_PADDING;
67         begin_params[pos].enumerated = KM_PAD_NONE;
68         break;
69 
70     case KM_PAD_RSA_PKCS1_1_5_ENCRYPT:
71     case KM_PAD_RSA_PKCS1_1_5_SIGN:
72         key_data->expected_openssl_padding = RSA_PKCS1_PADDING;
73         break;
74     }
75 
76     return engine_->device()->begin(engine_->device(), purpose_, &key_data->key_material,
77                                     &begin_params, nullptr /* out_params */, &operation_handle_);
78 }
79 
80 keymaster_error_t
PrepareFinish(EVP_PKEY * rsa_key,const AuthorizationSet & input_params)81 RsaKeymaster1WrappedOperation::PrepareFinish(EVP_PKEY* rsa_key,
82                                              const AuthorizationSet& input_params) {
83     Keymaster1Engine::KeyData* key_data = engine_->GetData(rsa_key);
84     if (!key_data) {
85         LOG_E("Could not get extended key data... not a Keymaster1Engine key?", 0);
86         return KM_ERROR_UNKNOWN_ERROR;
87     }
88     key_data->op_handle = operation_handle_;
89     key_data->finish_params.Reinitialize(input_params);
90 
91     return KM_ERROR_OK;
92 }
93 
Abort()94 keymaster_error_t RsaKeymaster1WrappedOperation::Abort() {
95     return engine_->device()->abort(engine_->device(), operation_handle_);
96 }
97 
GetError(EVP_PKEY * rsa_key)98 keymaster_error_t RsaKeymaster1WrappedOperation::GetError(EVP_PKEY* rsa_key) {
99     Keymaster1Engine::KeyData* key_data = engine_->GetData(rsa_key);  // key_data is owned by rsa
100     if (!key_data)
101         return KM_ERROR_UNKNOWN_ERROR;
102     return key_data->error;
103 }
104 
GetEvpKey(const RsaKeymaster1Key & key,keymaster_error_t * error)105 static EVP_PKEY* GetEvpKey(const RsaKeymaster1Key& key, keymaster_error_t* error) {
106     if (!key.key()) {
107         *error = KM_ERROR_UNKNOWN_ERROR;
108         return nullptr;
109     }
110 
111     UniquePtr<EVP_PKEY, EVP_PKEY_Delete> pkey(EVP_PKEY_new());
112     if (!key.InternalToEvp(pkey.get())) {
113         *error = KM_ERROR_UNKNOWN_ERROR;
114         return nullptr;
115     }
116     return pkey.release();
117 }
118 
CreateOperation(Key && key,const AuthorizationSet & begin_params,keymaster_error_t * error)119 OperationPtr RsaKeymaster1OperationFactory::CreateOperation(Key&& key,
120                                                             const AuthorizationSet& begin_params,
121                                                             keymaster_error_t* error) {
122     keymaster_digest_t digest;
123     if (!GetAndValidateDigest(begin_params, key, &digest, error)) return nullptr;
124 
125     keymaster_padding_t padding;
126     if (!GetAndValidatePadding(begin_params, key, &padding, error)) return nullptr;
127 
128     const RsaKeymaster1Key& rsa_km1_key = static_cast<RsaKeymaster1Key&>(key);
129     unique_ptr<EVP_PKEY, EVP_PKEY_Delete> rsa(GetEvpKey(rsa_km1_key, error));
130     if (!rsa) return nullptr;
131 
132     switch (purpose_) {
133     case KM_PURPOSE_SIGN:
134         return OperationPtr(new RsaKeymaster1Operation<RsaSignOperation>(
135             key.hw_enforced_move(), key.sw_enforced_move(), digest, padding, rsa.release(),
136             engine_));
137     case KM_PURPOSE_DECRYPT:
138         return OperationPtr(new RsaKeymaster1Operation<RsaDecryptOperation>(
139             key.hw_enforced_move(), key.sw_enforced_move(), digest, padding, rsa.release(),
140             engine_));
141     default:
142         LOG_E("Bug: Pubkey operation requested.  Those should be handled by normal RSA operations.",
143               0);
144         *error = KM_ERROR_UNSUPPORTED_PURPOSE;
145         return nullptr;
146     }
147 }
148 
149 static const keymaster_digest_t supported_digests[] = {
150     KM_DIGEST_NONE,      KM_DIGEST_MD5,       KM_DIGEST_SHA1,     KM_DIGEST_SHA_2_224,
151     KM_DIGEST_SHA_2_256, KM_DIGEST_SHA_2_384, KM_DIGEST_SHA_2_512};
152 
153 const keymaster_digest_t*
SupportedDigests(size_t * digest_count) const154 RsaKeymaster1OperationFactory::SupportedDigests(size_t* digest_count) const {
155     *digest_count = array_length(supported_digests);
156     return supported_digests;
157 }
158 
159 static const keymaster_padding_t supported_sig_padding[] = {
160     KM_PAD_NONE, KM_PAD_RSA_PKCS1_1_5_SIGN, KM_PAD_RSA_PSS,
161 };
162 static const keymaster_padding_t supported_crypt_padding[] = {
163     KM_PAD_NONE, KM_PAD_RSA_PKCS1_1_5_ENCRYPT, KM_PAD_RSA_OAEP,
164 };
165 
166 const keymaster_padding_t*
SupportedPaddingModes(size_t * padding_mode_count) const167 RsaKeymaster1OperationFactory::SupportedPaddingModes(size_t* padding_mode_count) const {
168     switch (purpose_) {
169     case KM_PURPOSE_SIGN:
170     case KM_PURPOSE_VERIFY:
171         *padding_mode_count = array_length(supported_sig_padding);
172         return supported_sig_padding;
173     case KM_PURPOSE_ENCRYPT:
174     case KM_PURPOSE_DECRYPT:
175         *padding_mode_count = array_length(supported_crypt_padding);
176         return supported_crypt_padding;
177     default:
178         *padding_mode_count = 0;
179         return nullptr;
180     }
181 }
182 
183 }  // namespace keymaster
184