Commit | Line | Data |
---|---|---|
e3534476 T |
1 | /* |
2 | * Copyright (C) 2012 Samsung Electronics Co., LTD | |
3 | * Copyright (C) 2012 The Android Open Source Project | |
4 | * | |
5 | * Licensed under the Apache License, Version 2.0 (the "License"); | |
6 | * you may not use this file except in compliance with the License. | |
7 | * You may obtain a copy of the License at | |
8 | * | |
9 | * http://www.apache.org/licenses/LICENSE-2.0 | |
10 | * | |
11 | * Unless required by applicable law or agreed to in writing, software | |
12 | * distributed under the License is distributed on an "AS IS" BASIS, | |
13 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
14 | * See the License for the specific language governing permissions and | |
15 | * limitations under the License. | |
16 | */ | |
17 | ||
18 | #include <errno.h> | |
19 | #include <string.h> | |
20 | #include <stdint.h> | |
21 | ||
22 | #include <hardware/hardware.h> | |
23 | #include <hardware/keymaster0.h> | |
24 | ||
25 | #include <openssl/evp.h> | |
26 | #include <openssl/bio.h> | |
27 | #include <openssl/rsa.h> | |
28 | #include <openssl/err.h> | |
29 | #include <openssl/x509.h> | |
30 | ||
31 | #include <UniquePtr.h> | |
32 | ||
33 | #define LOG_TAG "ExynosKeyMaster" | |
34 | #include <cutils/log.h> | |
35 | ||
36 | #include <tlcTeeKeymaster_if.h> | |
37 | ||
38 | #define RSA_KEY_BUFFER_SIZE 1536 | |
39 | #define RSA_KEY_MAX_SIZE (2048 >> 3) | |
40 | ||
41 | struct BIGNUM_Delete { | |
42 | void operator()(BIGNUM* p) const { | |
43 | BN_free(p); | |
44 | } | |
45 | }; | |
46 | typedef UniquePtr<BIGNUM, BIGNUM_Delete> Unique_BIGNUM; | |
47 | ||
48 | struct EVP_PKEY_Delete { | |
49 | void operator()(EVP_PKEY* p) const { | |
50 | EVP_PKEY_free(p); | |
51 | } | |
52 | }; | |
53 | typedef UniquePtr<EVP_PKEY, EVP_PKEY_Delete> Unique_EVP_PKEY; | |
54 | ||
55 | struct PKCS8_PRIV_KEY_INFO_Delete { | |
56 | void operator()(PKCS8_PRIV_KEY_INFO* p) const { | |
57 | PKCS8_PRIV_KEY_INFO_free(p); | |
58 | } | |
59 | }; | |
60 | typedef UniquePtr<PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO_Delete> Unique_PKCS8_PRIV_KEY_INFO; | |
61 | ||
62 | struct RSA_Delete { | |
63 | void operator()(RSA* p) const { | |
64 | RSA_free(p); | |
65 | } | |
66 | }; | |
67 | typedef UniquePtr<RSA, RSA_Delete> Unique_RSA; | |
68 | ||
69 | typedef UniquePtr<keymaster0_device_t> Unique_keymaster0_device_t; | |
70 | ||
71 | /** | |
72 | * Many OpenSSL APIs take ownership of an argument on success but don't free the argument | |
73 | * on failure. This means we need to tell our scoped pointers when we've transferred ownership, | |
74 | * without triggering a warning by not using the result of release(). | |
75 | */ | |
76 | #define OWNERSHIP_TRANSFERRED(obj) \ | |
77 | typeof (obj.release()) _dummy __attribute__((unused)) = obj.release() | |
78 | ||
79 | /* | |
80 | * Checks this thread's error queue and logs if necessary. | |
81 | */ | |
82 | static void logOpenSSLError(const char* location) { | |
83 | int error = ERR_get_error(); | |
84 | ||
85 | if (error != 0) { | |
86 | char message[256]; | |
87 | ERR_error_string_n(error, message, sizeof(message)); | |
88 | ALOGE("OpenSSL error in %s %d: %s", location, error, message); | |
89 | } | |
90 | ||
91 | ERR_clear_error(); | |
92 | ERR_remove_state(0); | |
93 | } | |
94 | ||
95 | static int exynos_km_generate_keypair(const keymaster0_device_t*, | |
96 | const keymaster_keypair_t key_type, const void* key_params, | |
97 | uint8_t** keyBlob, size_t* keyBlobLength) { | |
98 | teeResult_t ret = TEE_ERR_NONE; | |
99 | ||
100 | if (key_type != TYPE_RSA) { | |
101 | ALOGE("Unsupported key type %d", key_type); | |
102 | return -1; | |
103 | } else if (key_params == NULL) { | |
104 | ALOGE("key_params == null"); | |
105 | return -1; | |
106 | } | |
107 | ||
108 | keymaster_rsa_keygen_params_t* rsa_params = (keymaster_rsa_keygen_params_t*) key_params; | |
109 | ||
110 | if ((rsa_params->modulus_size != 512) && | |
111 | (rsa_params->modulus_size != 1024) && | |
112 | (rsa_params->modulus_size != 2048)) { | |
113 | ALOGE("key size(%d) is not supported\n", rsa_params->modulus_size); | |
114 | return -1; | |
115 | } | |
116 | ||
117 | UniquePtr<uint8_t> keyDataPtr(reinterpret_cast<uint8_t*>(malloc(RSA_KEY_BUFFER_SIZE))); | |
118 | if (keyDataPtr.get() == NULL) { | |
119 | ALOGE("memory allocation is failed"); | |
120 | return -1; | |
121 | } | |
122 | ||
123 | ret = TEE_RSAGenerateKeyPair(TEE_KEYPAIR_RSACRT, keyDataPtr.get(), RSA_KEY_BUFFER_SIZE, | |
124 | rsa_params->modulus_size, (uint32_t)rsa_params->public_exponent, | |
125 | (uint32_t *)keyBlobLength); | |
126 | if (ret != TEE_ERR_NONE) { | |
127 | ALOGE("TEE_RSAGenerateKeyPair() is failed: %d", ret); | |
128 | return -1; | |
129 | } | |
130 | ||
131 | *keyBlob = keyDataPtr.release(); | |
132 | ||
133 | return 0; | |
134 | } | |
135 | ||
136 | static int exynos_km_import_keypair(const keymaster0_device_t*, | |
137 | const uint8_t* key, const size_t key_length, | |
138 | uint8_t** key_blob, size_t* key_blob_length) { | |
139 | uint8_t kbuf[RSA_KEY_BUFFER_SIZE]; | |
140 | teeRsaKeyMeta_t metadata; | |
141 | uint32_t key_len = 0; | |
142 | BIGNUM *tmp = NULL; | |
143 | BN_CTX *ctx = NULL; | |
144 | teeResult_t ret = TEE_ERR_NONE; | |
145 | ||
146 | if (key == NULL) { | |
147 | ALOGE("input key == NULL"); | |
148 | return -1; | |
149 | } else if (key_blob == NULL || key_blob_length == NULL) { | |
150 | ALOGE("output key blob or length == NULL"); | |
151 | return -1; | |
152 | } | |
153 | ||
154 | /* decoding */ | |
155 | Unique_PKCS8_PRIV_KEY_INFO pkcs8(d2i_PKCS8_PRIV_KEY_INFO(NULL, &key, key_length)); | |
156 | if (pkcs8.get() == NULL) { | |
157 | logOpenSSLError("pkcs4.get"); | |
158 | return -1; | |
159 | } | |
160 | ||
161 | /* assign to EVP */ | |
162 | Unique_EVP_PKEY pkey(EVP_PKCS82PKEY(pkcs8.get())); | |
163 | if (pkey.get() == NULL) { | |
164 | logOpenSSLError("pkey.get"); | |
165 | return -1; | |
166 | } | |
167 | OWNERSHIP_TRANSFERRED(pkcs8); | |
168 | ||
169 | /* change key format */ | |
170 | Unique_RSA rsa(EVP_PKEY_get1_RSA(pkey.get())); | |
171 | if (rsa.get() == NULL) { | |
172 | logOpenSSLError("get rsa key format"); | |
173 | return -1; | |
174 | } | |
175 | ||
176 | if (BN_cmp(rsa->p, rsa->q) < 0) { | |
177 | /* p <-> q */ | |
178 | tmp = rsa->p; | |
179 | rsa->p = rsa->q; | |
180 | rsa->q = tmp; | |
181 | /* dp <-> dq */ | |
182 | tmp = rsa->dmp1; | |
183 | rsa->dmp1 = rsa->dmq1; | |
184 | rsa->dmq1 = tmp; | |
185 | /* calulate inverse of q mod p */ | |
186 | ctx = BN_CTX_new(); | |
187 | if (!BN_mod_inverse(rsa->iqmp, rsa->q, rsa->p, ctx)) { | |
188 | ALOGE("Calculating inverse of q mod p is failed\n"); | |
189 | BN_CTX_free(ctx); | |
190 | return -1; | |
191 | } | |
192 | BN_CTX_free(ctx); | |
193 | } | |
194 | ||
195 | key_len += sizeof(metadata); | |
196 | ||
197 | metadata.lenpubmod = BN_bn2bin(rsa->n, kbuf + key_len); | |
198 | key_len += metadata.lenpubmod; | |
199 | if (metadata.lenpubmod == (512 >> 3)) | |
200 | metadata.keysize = TEE_RSA_KEY_SIZE_512; | |
201 | else if (metadata.lenpubmod == (1024 >> 3)) | |
202 | metadata.keysize = TEE_RSA_KEY_SIZE_1024; | |
203 | else if (metadata.lenpubmod == (2048 >> 3)) | |
204 | metadata.keysize = TEE_RSA_KEY_SIZE_2048; | |
205 | else { | |
206 | ALOGE("key size(%d) is not supported\n", metadata.lenpubmod << 3); | |
207 | return -1; | |
208 | } | |
209 | ||
210 | metadata.lenpubexp = BN_bn2bin(rsa->e, kbuf + key_len); | |
211 | key_len += metadata.lenpubexp; | |
212 | ||
213 | if ((rsa->p != NULL) && (rsa->q != NULL) && (rsa->dmp1 != NULL) && | |
214 | (rsa->dmq1 != NULL) && (rsa->iqmp != NULL)) | |
215 | { | |
216 | metadata.keytype = TEE_KEYPAIR_RSACRT; | |
217 | metadata.rsacrtpriv.lenp = BN_bn2bin(rsa->p, kbuf + key_len); | |
218 | key_len += metadata.rsacrtpriv.lenp; | |
219 | metadata.rsacrtpriv.lenq = BN_bn2bin(rsa->q, kbuf + key_len); | |
220 | key_len += metadata.rsacrtpriv.lenq; | |
221 | metadata.rsacrtpriv.lendp = BN_bn2bin(rsa->dmp1, kbuf + key_len); | |
222 | key_len += metadata.rsacrtpriv.lendp; | |
223 | metadata.rsacrtpriv.lendq = BN_bn2bin(rsa->dmq1, kbuf + key_len); | |
224 | key_len += metadata.rsacrtpriv.lendq; | |
225 | metadata.rsacrtpriv.lenqinv = BN_bn2bin(rsa->iqmp, kbuf + key_len); | |
226 | key_len += metadata.rsacrtpriv.lenqinv; | |
227 | } else { | |
228 | metadata.keytype = TEE_KEYPAIR_RSA; | |
229 | metadata.rsapriv.lenpriexp = BN_bn2bin(rsa->d, kbuf + key_len); | |
230 | key_len += metadata.rsapriv.lenpriexp; | |
231 | } | |
232 | ||
233 | metadata.rfu = 0; | |
234 | metadata.rfulen = 0; | |
235 | ||
236 | memcpy(kbuf, &metadata, sizeof(metadata)); | |
237 | ||
238 | UniquePtr<uint8_t> outPtr(reinterpret_cast<uint8_t*>(malloc(RSA_KEY_BUFFER_SIZE))); | |
239 | if (outPtr.get() == NULL) { | |
240 | ALOGE("memory allocation is failed"); | |
241 | return -1; | |
242 | } | |
243 | ||
244 | *key_blob_length = RSA_KEY_BUFFER_SIZE; | |
245 | ||
246 | ret = TEE_KeyImport(kbuf, key_len, outPtr.get(), (uint32_t *)key_blob_length); | |
247 | if (ret != TEE_ERR_NONE) { | |
248 | ALOGE("TEE_KeyImport() is failed: %d", ret); | |
249 | return -1; | |
250 | } | |
251 | ||
252 | *key_blob = outPtr.release(); | |
253 | ||
254 | return 0; | |
255 | } | |
256 | ||
257 | static int exynos_km_get_keypair_public(const struct keymaster0_device*, | |
258 | const uint8_t* key_blob, const size_t key_blob_length, | |
259 | uint8_t** x509_data, size_t* x509_data_length) { | |
260 | uint32_t bin_mod_len; | |
261 | uint32_t bin_exp_len; | |
262 | teeResult_t ret = TEE_ERR_NONE; | |
263 | ||
264 | if (x509_data == NULL || x509_data_length == NULL) { | |
265 | ALOGE("output public key buffer == NULL"); | |
266 | return -1; | |
267 | } | |
268 | ||
269 | UniquePtr<uint8_t> binModPtr(reinterpret_cast<uint8_t*>(malloc(RSA_KEY_MAX_SIZE))); | |
270 | if (binModPtr.get() == NULL) { | |
271 | ALOGE("memory allocation is failed"); | |
272 | return -1; | |
273 | } | |
274 | ||
275 | UniquePtr<uint8_t> binExpPtr(reinterpret_cast<uint8_t*>(malloc(sizeof(uint32_t)))); | |
276 | if (binExpPtr.get() == NULL) { | |
277 | ALOGE("memory allocation is failed"); | |
278 | return -1; | |
279 | } | |
280 | ||
281 | bin_mod_len = RSA_KEY_MAX_SIZE; | |
282 | bin_exp_len = sizeof(uint32_t); | |
283 | ||
284 | ret = TEE_GetPubKey(key_blob, key_blob_length, binModPtr.get(), &bin_mod_len, binExpPtr.get(), | |
285 | &bin_exp_len); | |
286 | if (ret != TEE_ERR_NONE) { | |
287 | ALOGE("TEE_GetPubKey() is failed: %d", ret); | |
288 | return -1; | |
289 | } | |
290 | ||
291 | Unique_BIGNUM bn_mod(BN_new()); | |
292 | if (bn_mod.get() == NULL) { | |
293 | ALOGE("memory allocation is failed"); | |
294 | return -1; | |
295 | } | |
296 | ||
297 | Unique_BIGNUM bn_exp(BN_new()); | |
298 | if (bn_exp.get() == NULL) { | |
299 | ALOGE("memory allocation is failed"); | |
300 | return -1; | |
301 | } | |
302 | ||
303 | BN_bin2bn(binModPtr.get(), bin_mod_len, bn_mod.get()); | |
304 | BN_bin2bn(binExpPtr.get(), bin_exp_len, bn_exp.get()); | |
305 | ||
306 | /* assign to RSA */ | |
307 | Unique_RSA rsa(RSA_new()); | |
308 | if (rsa.get() == NULL) { | |
309 | logOpenSSLError("rsa.get"); | |
310 | return -1; | |
311 | } | |
312 | ||
313 | RSA* rsa_tmp = rsa.get(); | |
314 | ||
315 | rsa_tmp->n = bn_mod.release(); | |
316 | rsa_tmp->e = bn_exp.release(); | |
317 | ||
318 | /* assign to EVP */ | |
319 | Unique_EVP_PKEY pkey(EVP_PKEY_new()); | |
320 | if (pkey.get() == NULL) { | |
321 | logOpenSSLError("allocate EVP_PKEY"); | |
322 | return -1; | |
323 | } | |
324 | ||
325 | if (EVP_PKEY_assign_RSA(pkey.get(), rsa.get()) == 0) { | |
326 | logOpenSSLError("assing RSA to EVP_PKEY"); | |
327 | return -1; | |
328 | } | |
329 | OWNERSHIP_TRANSFERRED(rsa); | |
330 | ||
331 | /* change to x.509 format */ | |
332 | int len = i2d_PUBKEY(pkey.get(), NULL); | |
333 | if (len <= 0) { | |
334 | logOpenSSLError("i2d_PUBKEY"); | |
335 | return -1; | |
336 | } | |
337 | ||
338 | UniquePtr<uint8_t> key(static_cast<uint8_t*>(malloc(len))); | |
339 | if (key.get() == NULL) { | |
340 | ALOGE("Could not allocate memory for public key data"); | |
341 | return -1; | |
342 | } | |
343 | ||
344 | unsigned char* tmp = reinterpret_cast<unsigned char*>(key.get()); | |
345 | if (i2d_PUBKEY(pkey.get(), &tmp) != len) { | |
346 | logOpenSSLError("Compare results"); | |
347 | return -1; | |
348 | } | |
349 | ||
350 | *x509_data_length = len; | |
351 | *x509_data = key.release(); | |
352 | ||
353 | return 0; | |
354 | } | |
355 | ||
356 | static int exynos_km_sign_data(const keymaster0_device_t*, | |
357 | const void* params, | |
358 | const uint8_t* keyBlob, const size_t keyBlobLength, | |
359 | const uint8_t* data, const size_t dataLength, | |
360 | uint8_t** signedData, size_t* signedDataLength) { | |
361 | teeResult_t ret = TEE_ERR_NONE; | |
362 | ||
363 | if (data == NULL) { | |
364 | ALOGE("input data to sign == NULL"); | |
365 | return -1; | |
366 | } else if (signedData == NULL || signedDataLength == NULL) { | |
367 | ALOGE("output signature buffer == NULL"); | |
368 | return -1; | |
369 | } | |
370 | ||
371 | keymaster_rsa_sign_params_t* sign_params = (keymaster_rsa_sign_params_t*) params; | |
372 | if (sign_params->digest_type != DIGEST_NONE) { | |
373 | ALOGE("Cannot handle digest type %d", sign_params->digest_type); | |
374 | return -1; | |
375 | } else if (sign_params->padding_type != PADDING_NONE) { | |
376 | ALOGE("Cannot handle padding type %d", sign_params->padding_type); | |
377 | return -1; | |
378 | } | |
379 | ||
380 | UniquePtr<uint8_t> signedDataPtr(reinterpret_cast<uint8_t*>(malloc(RSA_KEY_MAX_SIZE))); | |
381 | if (signedDataPtr.get() == NULL) { | |
382 | ALOGE("memory allocation is failed"); | |
383 | return -1; | |
384 | } | |
385 | ||
386 | *signedDataLength = RSA_KEY_MAX_SIZE; | |
387 | ||
388 | /* binder gives us read-only mappings we can't use with mobicore */ | |
389 | void *tmpData = malloc(dataLength); | |
390 | memcpy(tmpData, data, dataLength); | |
391 | ret = TEE_RSASign(keyBlob, keyBlobLength, (const uint8_t *)tmpData, dataLength, signedDataPtr.get(), | |
392 | (uint32_t *)signedDataLength, TEE_RSA_NODIGEST_NOPADDING); | |
393 | free(tmpData); | |
394 | if (ret != TEE_ERR_NONE) { | |
395 | ALOGE("TEE_RSASign() is failed: %d", ret); | |
396 | return -1; | |
397 | } | |
398 | ||
399 | *signedData = signedDataPtr.release(); | |
400 | ||
401 | return 0; | |
402 | } | |
403 | ||
404 | static int exynos_km_verify_data(const keymaster0_device_t*, | |
405 | const void* params, | |
406 | const uint8_t* keyBlob, const size_t keyBlobLength, | |
407 | const uint8_t* signedData, const size_t signedDataLength, | |
408 | const uint8_t* signature, const size_t signatureLength) { | |
409 | bool result; | |
410 | teeResult_t ret = TEE_ERR_NONE; | |
411 | ||
412 | if (signedData == NULL || signature == NULL) { | |
413 | ALOGE("data or signature buffers == NULL"); | |
414 | return -1; | |
415 | } | |
416 | ||
417 | keymaster_rsa_sign_params_t* sign_params = (keymaster_rsa_sign_params_t*) params; | |
418 | if (sign_params->digest_type != DIGEST_NONE) { | |
419 | ALOGE("Cannot handle digest type %d", sign_params->digest_type); | |
420 | return -1; | |
421 | } else if (sign_params->padding_type != PADDING_NONE) { | |
422 | ALOGE("Cannot handle padding type %d", sign_params->padding_type); | |
423 | return -1; | |
424 | } else if (signatureLength != signedDataLength) { | |
425 | ALOGE("signed data length must be signature length"); | |
426 | return -1; | |
427 | } | |
428 | ||
429 | void *tmpSignedData = malloc(signedDataLength); | |
430 | memcpy(tmpSignedData, signedData, signedDataLength); | |
431 | void *tmpSig = malloc(signatureLength); | |
432 | memcpy(tmpSig, signature, signatureLength); | |
433 | ret = TEE_RSAVerify(keyBlob, keyBlobLength, (const uint8_t*)tmpSignedData, signedDataLength, (const uint8_t *)tmpSig, | |
434 | signatureLength, TEE_RSA_NODIGEST_NOPADDING, &result); | |
435 | free(tmpSignedData); | |
436 | free(tmpSig); | |
437 | if (ret != TEE_ERR_NONE) { | |
438 | ALOGE("TEE_RSAVerify() is failed: %d", ret); | |
439 | return -1; | |
440 | } | |
441 | ||
442 | return (result == true) ? 0 : -1; | |
443 | } | |
444 | ||
445 | /* Close an opened Exynos KM instance */ | |
446 | static int exynos_km_close(hw_device_t *dev) { | |
447 | free(dev); | |
448 | return 0; | |
449 | } | |
450 | ||
451 | /* | |
452 | * Generic device handling | |
453 | */ | |
454 | static int exynos_km_open(const hw_module_t* module, const char* name, | |
455 | hw_device_t** device) { | |
456 | if (strcmp(name, KEYSTORE_KEYMASTER) != 0) | |
457 | return -EINVAL; | |
458 | ||
459 | Unique_keymaster0_device_t dev(new keymaster0_device_t); | |
460 | if (dev.get() == NULL) | |
461 | return -ENOMEM; | |
462 | ||
463 | dev->common.tag = HARDWARE_DEVICE_TAG; | |
464 | dev->common.version = 1; | |
465 | dev->common.module = (struct hw_module_t*) module; | |
466 | dev->common.close = exynos_km_close; | |
467 | ||
468 | dev->flags = 0; | |
469 | ||
470 | dev->generate_keypair = exynos_km_generate_keypair; | |
471 | dev->import_keypair = exynos_km_import_keypair; | |
472 | dev->get_keypair_public = exynos_km_get_keypair_public; | |
473 | dev->delete_keypair = NULL; | |
474 | dev->delete_all = NULL; | |
475 | dev->sign_data = exynos_km_sign_data; | |
476 | dev->verify_data = exynos_km_verify_data; | |
477 | ||
478 | ERR_load_crypto_strings(); | |
479 | ERR_load_BIO_strings(); | |
480 | ||
481 | *device = reinterpret_cast<hw_device_t*>(dev.release()); | |
482 | ||
483 | return 0; | |
484 | } | |
485 | ||
486 | static struct hw_module_methods_t keystore_module_methods = { | |
487 | open: exynos_km_open, | |
488 | }; | |
489 | ||
490 | struct keystore_module HAL_MODULE_INFO_SYM | |
491 | __attribute__ ((visibility ("default"))) = { | |
492 | common: { | |
493 | tag: HARDWARE_MODULE_TAG, | |
494 | version_major: 1, | |
495 | version_minor: 0, | |
496 | id: KEYSTORE_HARDWARE_MODULE_ID, | |
497 | name: "Keymaster Exynos HAL", | |
498 | author: "Samsung S.LSI", | |
499 | methods: &keystore_module_methods, | |
500 | dso: 0, | |
501 | reserved: {}, | |
502 | }, | |
503 | }; |