You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

420 lines
16 KiB

/*
* Copyright (C) 2021 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include "keystore2_engine.h"
#include <aidl/android/system/keystore2/IKeystoreService.h>
#include <android-base/logging.h>
#include <android-base/strings.h>
#include <android/binder_manager.h>
#include <private/android_filesystem_config.h>
#include <openssl/bn.h>
#include <openssl/ec.h>
#include <openssl/ec_key.h>
#include <openssl/ecdsa.h>
#include <openssl/engine.h>
#include <openssl/rsa.h>
#include <openssl/x509.h>
#define AT __func__ << ":" << __LINE__ << " "
constexpr const char keystore2_service_name[] = "android.system.keystore2.IKeystoreService/default";
const std::string keystore2_grant_id_prefix("ks2_keystore-engine_grant_id:");
/**
* Keystore 2.0 namespace identifiers.
* Keep in sync with system/sepolicy/private/keystore2_key_contexts.
*/
constexpr const int64_t KS2_NAMESPACE_WIFI = 102;
namespace ks2 = ::aidl::android::system::keystore2;
namespace KMV1 = ::aidl::android::hardware::security::keymint;
namespace {
int64_t getNamespaceforCurrentUid() {
auto uid = getuid();
switch (uid) {
case AID_WIFI:
return KS2_NAMESPACE_WIFI;
// 0 is the super user namespace, and nothing has access to this namespace on user builds.
// So this will always fail.
default:
return 0;
}
}
struct Keystore2KeyBackend {
ks2::KeyDescriptor descriptor_;
std::shared_ptr<ks2::IKeystoreSecurityLevel> i_keystore_security_level_;
};
/* key_backend_dup is called when one of the RSA or EC_KEY objects is duplicated. */
extern "C" int key_backend_dup(CRYPTO_EX_DATA* /* to */, const CRYPTO_EX_DATA* /* from */,
void** from_d, int /* index */, long /* argl */, void* /* argp */) {
auto key_backend = reinterpret_cast<std::shared_ptr<Keystore2KeyBackend>*>(*from_d);
if (key_backend != nullptr) {
*from_d = new std::shared_ptr<Keystore2KeyBackend>(*key_backend);
}
return 1;
}
/* key_backend_free is called when one of the RSA, DSA or EC_KEY object is freed. */
extern "C" void key_backend_free(void* /* parent */, void* ptr, CRYPTO_EX_DATA* /* ad */,
int /* index */, long /* argl */, void* /* argp */) {
delete reinterpret_cast<std::shared_ptr<Keystore2KeyBackend>*>(ptr);
}
extern "C" int rsa_private_transform(RSA* rsa, uint8_t* out, const uint8_t* in, size_t len);
extern "C" int ecdsa_sign(const uint8_t* digest, size_t digest_len, uint8_t* sig,
unsigned int* sig_len, EC_KEY* ec_key);
/* KeystoreEngine is a BoringSSL ENGINE that implements RSA and ECDSA by
* forwarding the requested operations to Keystore. */
class Keystore2Engine {
public:
Keystore2Engine()
: rsa_index_(RSA_get_ex_new_index(0 /* argl */, nullptr /* argp */, nullptr /* new_func */,
key_backend_dup, key_backend_free)),
ec_key_index_(EC_KEY_get_ex_new_index(0 /* argl */, nullptr /* argp */,
nullptr /* new_func */, key_backend_dup,
key_backend_free)),
engine_(ENGINE_new()) {
memset(&rsa_method_, 0, sizeof(rsa_method_));
rsa_method_.common.is_static = 1;
rsa_method_.private_transform = rsa_private_transform;
rsa_method_.flags = RSA_FLAG_OPAQUE;
ENGINE_set_RSA_method(engine_, &rsa_method_, sizeof(rsa_method_));
memset(&ecdsa_method_, 0, sizeof(ecdsa_method_));
ecdsa_method_.common.is_static = 1;
ecdsa_method_.sign = ecdsa_sign;
ecdsa_method_.flags = ECDSA_FLAG_OPAQUE;
ENGINE_set_ECDSA_method(engine_, &ecdsa_method_, sizeof(ecdsa_method_));
}
int rsa_ex_index() const { return rsa_index_; }
int ec_key_ex_index() const { return ec_key_index_; }
const ENGINE* engine() const { return engine_; }
static const Keystore2Engine& get() {
static Keystore2Engine engine;
return engine;
}
private:
const int rsa_index_;
const int ec_key_index_;
RSA_METHOD rsa_method_;
ECDSA_METHOD ecdsa_method_;
ENGINE* const engine_;
};
#define OWNERSHIP_TRANSFERRED(x) x.release()
/* wrap_rsa returns an |EVP_PKEY| that contains an RSA key where the public
* part is taken from |public_rsa| and the private operations are forwarded to
* KeyStore and operate on the key named |key_id|. */
bssl::UniquePtr<EVP_PKEY> wrap_rsa(std::shared_ptr<Keystore2KeyBackend> key_backend,
const RSA* public_rsa) {
bssl::UniquePtr<RSA> rsa(RSA_new_method(Keystore2Engine::get().engine()));
if (rsa.get() == nullptr) {
return nullptr;
}
auto key_backend_copy = new decltype(key_backend)(key_backend);
if (!RSA_set_ex_data(rsa.get(), Keystore2Engine::get().rsa_ex_index(), key_backend_copy)) {
delete key_backend_copy;
return nullptr;
}
rsa->n = BN_dup(public_rsa->n);
rsa->e = BN_dup(public_rsa->e);
if (rsa->n == nullptr || rsa->e == nullptr) {
return nullptr;
}
bssl::UniquePtr<EVP_PKEY> result(EVP_PKEY_new());
if (result.get() == nullptr || !EVP_PKEY_assign_RSA(result.get(), rsa.get())) {
return nullptr;
}
OWNERSHIP_TRANSFERRED(rsa);
return result;
}
/* wrap_ecdsa returns an |EVP_PKEY| that contains an ECDSA key where the public
* part is taken from |public_rsa| and the private operations are forwarded to
* KeyStore and operate on the key named |key_id|. */
bssl::UniquePtr<EVP_PKEY> wrap_ecdsa(std::shared_ptr<Keystore2KeyBackend> key_backend,
const EC_KEY* public_ecdsa) {
bssl::UniquePtr<EC_KEY> ec(EC_KEY_new_method(Keystore2Engine::get().engine()));
if (ec.get() == nullptr) {
return nullptr;
}
if (!EC_KEY_set_group(ec.get(), EC_KEY_get0_group(public_ecdsa)) ||
!EC_KEY_set_public_key(ec.get(), EC_KEY_get0_public_key(public_ecdsa))) {
return nullptr;
}
auto key_backend_copy = new decltype(key_backend)(key_backend);
if (!EC_KEY_set_ex_data(ec.get(), Keystore2Engine::get().ec_key_ex_index(), key_backend_copy)) {
delete key_backend_copy;
return nullptr;
}
bssl::UniquePtr<EVP_PKEY> result(EVP_PKEY_new());
if (result.get() == nullptr || !EVP_PKEY_assign_EC_KEY(result.get(), ec.get())) {
return nullptr;
}
OWNERSHIP_TRANSFERRED(ec);
return result;
}
std::optional<std::vector<uint8_t>> keystore2_sign(const Keystore2KeyBackend& key_backend,
std::vector<uint8_t> input,
KMV1::Algorithm algorithm) {
auto sec_level = key_backend.i_keystore_security_level_;
ks2::CreateOperationResponse response;
std::vector<KMV1::KeyParameter> op_params(4);
op_params[0] = KMV1::KeyParameter{
.tag = KMV1::Tag::PURPOSE,
.value = KMV1::KeyParameterValue::make<KMV1::KeyParameterValue::keyPurpose>(
KMV1::KeyPurpose::SIGN)};
op_params[1] = KMV1::KeyParameter{
.tag = KMV1::Tag::ALGORITHM,
.value = KMV1::KeyParameterValue::make<KMV1::KeyParameterValue::algorithm>(algorithm)};
op_params[2] = KMV1::KeyParameter{
.tag = KMV1::Tag::PADDING,
.value = KMV1::KeyParameterValue::make<KMV1::KeyParameterValue::paddingMode>(
KMV1::PaddingMode::NONE)};
op_params[3] =
KMV1::KeyParameter{.tag = KMV1::Tag::DIGEST,
.value = KMV1::KeyParameterValue::make<KMV1::KeyParameterValue::digest>(
KMV1::Digest::NONE)};
auto rc = sec_level->createOperation(key_backend.descriptor_, op_params, false /* forced */,
&response);
if (!rc.isOk()) {
auto exception_code = rc.getExceptionCode();
if (exception_code == EX_SERVICE_SPECIFIC) {
LOG(ERROR) << AT << "Keystore createOperation returned service specific error: "
<< rc.getServiceSpecificError();
} else {
LOG(ERROR) << AT << "Communication with Keystore createOperation failed error: "
<< exception_code;
}
return std::nullopt;
}
auto op = response.iOperation;
std::optional<std::vector<uint8_t>> output = std::nullopt;
rc = op->finish(std::move(input), {}, &output);
if (!rc.isOk()) {
auto exception_code = rc.getExceptionCode();
if (exception_code == EX_SERVICE_SPECIFIC) {
LOG(ERROR) << AT << "Keystore finish returned service specific error: "
<< rc.getServiceSpecificError();
} else {
LOG(ERROR) << AT
<< "Communication with Keystore finish failed error: " << exception_code;
}
return std::nullopt;
}
if (!output) {
LOG(ERROR) << AT << "We did not get a signature from Keystore.";
}
return output;
}
/* rsa_private_transform takes a big-endian integer from |in|, calculates the
* d'th power of it, modulo the RSA modulus, and writes the result as a
* big-endian integer to |out|. Both |in| and |out| are |len| bytes long. It
* returns one on success and zero otherwise. */
extern "C" int rsa_private_transform(RSA* rsa, uint8_t* out, const uint8_t* in, size_t len) {
auto key_backend = reinterpret_cast<std::shared_ptr<Keystore2KeyBackend>*>(
RSA_get_ex_data(rsa, Keystore2Engine::get().rsa_ex_index()));
if (key_backend == nullptr) {
LOG(ERROR) << AT << "Invalid key.";
return 0;
}
auto output =
keystore2_sign(**key_backend, std::vector<uint8_t>(in, in + len), KMV1::Algorithm::RSA);
if (!output) {
return 0;
}
if (output->size() > len) {
/* The result of the RSA operation can never be larger than the size of
* the modulus so we assume that the result has extra zeros on the
* left. This provides attackers with an oracle, but there's nothing
* that we can do about it here. */
LOG(WARNING) << "Reply len " << output->size() << " greater than expected " << len;
memcpy(out, &output->data()[output->size() - len], len);
} else if (output->size() < len) {
/* If the Keystore implementation returns a short value we assume that
* it's because it removed leading zeros from the left side. This is
* bad because it provides attackers with an oracle but we cannot do
* anything about a broken Keystore implementation here. */
LOG(WARNING) << "Reply len " << output->size() << " less than expected " << len;
memset(out, 0, len);
memcpy(out + len - output->size(), output->data(), output->size());
} else {
memcpy(out, output->data(), len);
}
return 1;
}
/* ecdsa_sign signs |digest_len| bytes from |digest| with |ec_key| and writes
* the resulting signature (an ASN.1 encoded blob) to |sig|. It returns one on
* success and zero otherwise. */
extern "C" int ecdsa_sign(const uint8_t* digest, size_t digest_len, uint8_t* sig,
unsigned int* sig_len, EC_KEY* ec_key) {
auto key_backend = reinterpret_cast<std::shared_ptr<Keystore2KeyBackend>*>(
EC_KEY_get_ex_data(ec_key, Keystore2Engine::get().ec_key_ex_index()));
if (key_backend == nullptr) {
LOG(ERROR) << AT << "Invalid key.";
return 0;
}
size_t ecdsa_size = ECDSA_size(ec_key);
auto output = keystore2_sign(**key_backend, std::vector<uint8_t>(digest, digest + digest_len),
KMV1::Algorithm::EC);
if (!output) {
LOG(ERROR) << "There was an error during ecdsa_sign.";
return 0;
}
if (output->size() == 0) {
LOG(ERROR) << "No valid signature returned";
return 0;
} else if (output->size() > ecdsa_size) {
LOG(ERROR) << "Signature is too large";
return 0;
}
memcpy(sig, output->data(), output->size());
*sig_len = output->size();
return 1;
}
} // namespace
/* EVP_PKEY_from_keystore returns an |EVP_PKEY| that contains either an RSA or
* ECDSA key where the public part of the key reflects the value of the key
* named |key_id| in Keystore and the private operations are forwarded onto
* KeyStore. */
extern "C" EVP_PKEY* EVP_PKEY_from_keystore2(const char* key_id) {
::ndk::SpAIBinder keystoreBinder(AServiceManager_checkService(keystore2_service_name));
auto keystore2 = ks2::IKeystoreService::fromBinder(keystoreBinder);
if (!keystore2) {
LOG(ERROR) << AT << "Unable to connect to Keystore 2.0.";
return nullptr;
}
std::string alias = key_id;
if (android::base::StartsWith(alias, "USRPKEY_")) {
LOG(WARNING) << AT << "Keystore backend used with legacy alias prefix - ignoring.";
alias = alias.substr(8);
}
ks2::KeyDescriptor descriptor = {
.domain = ks2::Domain::SELINUX,
.nspace = getNamespaceforCurrentUid(),
.alias = alias,
.blob = std::nullopt,
};
// If the key_id starts with the grant id prefix, we parse the following string as numeric
// grant id. We can then use the grant domain without alias to load the designated key.
if (alias.find(keystore2_grant_id_prefix) == 0) {
std::stringstream s(alias.substr(keystore2_grant_id_prefix.size()));
s >> std::hex >> reinterpret_cast<uint64_t&>(descriptor.nspace);
descriptor.domain = ks2::Domain::GRANT;
descriptor.alias = std::nullopt;
}
ks2::KeyEntryResponse response;
auto rc = keystore2->getKeyEntry(descriptor, &response);
if (!rc.isOk()) {
auto exception_code = rc.getExceptionCode();
if (exception_code == EX_SERVICE_SPECIFIC) {
LOG(ERROR) << AT << "Keystore getKeyEntry returned service specific error: "
<< rc.getServiceSpecificError();
} else {
LOG(ERROR) << AT << "Communication with Keystore getKeyEntry failed error: "
<< exception_code;
}
return nullptr;
}
if (!response.metadata.certificate) {
LOG(ERROR) << AT << "No public key found.";
return nullptr;
}
const uint8_t* p = response.metadata.certificate->data();
bssl::UniquePtr<X509> x509(d2i_X509(nullptr, &p, response.metadata.certificate->size()));
if (!x509) {
LOG(ERROR) << AT << "Failed to parse x509 certificate.";
return nullptr;
}
bssl::UniquePtr<EVP_PKEY> pkey(X509_get_pubkey(x509.get()));
if (!pkey) {
LOG(ERROR) << AT << "Failed to extract public key.";
return nullptr;
}
auto key_backend = std::make_shared<Keystore2KeyBackend>(
Keystore2KeyBackend{response.metadata.key, response.iSecurityLevel});
bssl::UniquePtr<EVP_PKEY> result;
switch (EVP_PKEY_type(pkey->type)) {
case EVP_PKEY_RSA: {
bssl::UniquePtr<RSA> public_rsa(EVP_PKEY_get1_RSA(pkey.get()));
result = wrap_rsa(key_backend, public_rsa.get());
break;
}
case EVP_PKEY_EC: {
bssl::UniquePtr<EC_KEY> public_ecdsa(EVP_PKEY_get1_EC_KEY(pkey.get()));
result = wrap_ecdsa(key_backend, public_ecdsa.get());
break;
}
default:
LOG(ERROR) << AT << "Unsupported key type " << EVP_PKEY_type(pkey->type);
return nullptr;
}
return result.release();
}