1 /*
2 * Copyright 2020, The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include <inttypes.h>
18 #include <iostream>
19 #include <utility>
20
21 #include <openssl/asn1.h>
22 #include <openssl/evp.h>
23 #include <openssl/x509v3.h>
24
25 #include <hardware/keymaster_defs.h>
26 #include <keymaster/android_keymaster_utils.h>
27 #include <keymaster/authorization_set.h>
28 #include <keymaster/km_openssl/asymmetric_key.h>
29 #include <keymaster/km_openssl/certificate_utils.h>
30 #include <keymaster/km_openssl/openssl_err.h>
31 #include <keymaster/logger.h>
32
33 namespace keymaster {
34
35 namespace {
36
37 constexpr const char kDefaultSubject[] = "Android Keystore Key";
38 constexpr int kDataEnciphermentKeyUsageBit = 3;
39 constexpr int kDigitalSignatureKeyUsageBit = 0;
40 constexpr int kKeyEnciphermentKeyUsageBit = 2;
41 constexpr int kKeyAgreementKeyUsageBit = 4;
42 constexpr int kMaxKeyUsageBit = 8;
43
min(T && a,T && b)44 template <typename T> T&& min(T&& a, T&& b) {
45 return (a < b) ? std::forward<T>(a) : std::forward<T>(b);
46 }
47
fake_sign_cert(X509 * cert)48 keymaster_error_t fake_sign_cert(X509* cert) {
49 X509_ALGOR_Ptr algor(X509_ALGOR_new());
50 if (!algor.get()) {
51 return TranslateLastOpenSslError();
52 }
53 X509_ALGOR_set0(algor.get(), OBJ_nid2obj(NID_sha256WithRSAEncryption), V_ASN1_NULL, nullptr);
54
55 // Set signature to a bit string containing a single byte, value 0.
56 uint8_t fake_sig = 0;
57 if (!X509_set1_signature_algo(cert, algor.get()) ||
58 !X509_set1_signature_value(cert, &fake_sig, sizeof(fake_sig))) {
59 return TranslateLastOpenSslError();
60 }
61
62 return KM_ERROR_OK;
63 }
64
65 } // namespace
66
make_name_from_str(const char name[],X509_NAME_Ptr * name_out)67 keymaster_error_t make_name_from_str(const char name[], X509_NAME_Ptr* name_out) {
68 if (name_out == nullptr) return KM_ERROR_UNEXPECTED_NULL_POINTER;
69 X509_NAME_Ptr x509_name(X509_NAME_new());
70 if (!x509_name.get()) {
71 return TranslateLastOpenSslError();
72 }
73 if (!X509_NAME_add_entry_by_txt(x509_name.get(), //
74 "CN", //
75 MBSTRING_ASC, reinterpret_cast<const uint8_t*>(&name[0]),
76 -1, // len
77 -1, // loc
78 0 /* set */)) {
79 return TranslateLastOpenSslError();
80 }
81 *name_out = std::move(x509_name);
82 return KM_ERROR_OK;
83 }
84
make_name_from_der(const keymaster_blob_t & name,X509_NAME_Ptr * name_out)85 keymaster_error_t make_name_from_der(const keymaster_blob_t& name, X509_NAME_Ptr* name_out) {
86 if (!name_out || !name.data) return KM_ERROR_UNEXPECTED_NULL_POINTER;
87
88 const uint8_t* p = name.data;
89 X509_NAME_Ptr x509_name(d2i_X509_NAME(nullptr, &p, name.data_length));
90 if (!x509_name.get()) {
91 return TranslateLastOpenSslError();
92 }
93
94 *name_out = std::move(x509_name);
95 return KM_ERROR_OK;
96 }
97
get_common_name(X509_NAME * name,UniquePtr<const char[]> * name_out)98 keymaster_error_t get_common_name(X509_NAME* name, UniquePtr<const char[]>* name_out) {
99 if (name == nullptr || name_out == nullptr) return KM_ERROR_UNEXPECTED_NULL_POINTER;
100 int len = X509_NAME_get_text_by_NID(name, NID_commonName, nullptr, 0);
101 UniquePtr<char[]> name_ptr(new (std::nothrow) char[len]);
102 if (!name_ptr) {
103 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
104 }
105 X509_NAME_get_text_by_NID(name, NID_commonName, name_ptr.get(), len);
106 *name_out = UniquePtr<const char[]>{name_ptr.release()};
107 return KM_ERROR_OK;
108 }
109
get_certificate_params(const AuthorizationSet & caller_params,CertificateCallerParams * cert_params,KmVersion kmVersion)110 keymaster_error_t get_certificate_params(const AuthorizationSet& caller_params,
111 CertificateCallerParams* cert_params,
112 KmVersion kmVersion) {
113 if (!cert_params) return KM_ERROR_UNEXPECTED_NULL_POINTER;
114
115 BIGNUM_Ptr serial(BN_new());
116 if (!serial) {
117 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
118 }
119
120 keymaster_blob_t serial_blob{.data = nullptr, .data_length = 0};
121 if (caller_params.GetTagValue(TAG_CERTIFICATE_SERIAL, &serial_blob)) {
122 if (BN_bin2bn(serial_blob.data, serial_blob.data_length, serial.get()) == nullptr) {
123 return TranslateLastOpenSslError();
124 }
125 } else {
126 // Default serial is one.
127 BN_one(serial.get());
128 }
129 cert_params->serial = std::move(serial);
130
131 cert_params->active_date_time = 0;
132 cert_params->expire_date_time = kUndefinedExpirationDateTime;
133
134 uint64_t tmp;
135 if (kmVersion < KmVersion::KEYMINT_1) {
136 if (caller_params.GetTagValue(TAG_ACTIVE_DATETIME, &tmp)) {
137 LOG_D("Using TAG_ACTIVE_DATETIME: %" PRIu64, tmp);
138 cert_params->active_date_time = static_cast<int64_t>(tmp);
139 }
140 if (caller_params.GetTagValue(TAG_ORIGINATION_EXPIRE_DATETIME, &tmp)) {
141 LOG_D("Using TAG_ORIGINATION_EXPIRE_DATETIME: %" PRIu64, tmp);
142 cert_params->expire_date_time = static_cast<int64_t>(tmp);
143 }
144 } else {
145 if (!caller_params.GetTagValue(TAG_CERTIFICATE_NOT_BEFORE, &tmp)) {
146 return KM_ERROR_MISSING_NOT_BEFORE;
147 }
148 LOG_D("Using TAG_CERTIFICATE_NOT_BEFORE: %" PRIu64, tmp);
149 cert_params->active_date_time = static_cast<int64_t>(tmp);
150
151 if (!caller_params.GetTagValue(TAG_CERTIFICATE_NOT_AFTER, &tmp)) {
152 return KM_ERROR_MISSING_NOT_AFTER;
153 }
154 LOG_D("Using TAG_CERTIFICATE_NOT_AFTER: %" PRIu64, tmp);
155 cert_params->expire_date_time = static_cast<int64_t>(tmp);
156 }
157
158 LOG_D("Got certificate date params: NotBefore = %" PRId64 ", NotAfter = %" PRId64,
159 cert_params->active_date_time, cert_params->expire_date_time);
160
161 keymaster_blob_t subject{};
162 if (caller_params.GetTagValue(TAG_CERTIFICATE_SUBJECT, &subject) && subject.data_length) {
163 return make_name_from_der(subject, &cert_params->subject_name);
164 }
165
166 return make_name_from_str(kDefaultSubject, &cert_params->subject_name);
167 }
168
make_key_usage_extension(bool is_signing_key,bool is_encryption_key,bool is_key_agreement_key,X509_EXTENSION_Ptr * usage_extension_out)169 keymaster_error_t make_key_usage_extension(bool is_signing_key, bool is_encryption_key,
170 bool is_key_agreement_key,
171 X509_EXTENSION_Ptr* usage_extension_out) {
172 if (usage_extension_out == nullptr) return KM_ERROR_UNEXPECTED_NULL_POINTER;
173
174 // Build BIT_STRING with correct contents.
175 ASN1_BIT_STRING_Ptr key_usage(ASN1_BIT_STRING_new());
176 if (!key_usage) return KM_ERROR_MEMORY_ALLOCATION_FAILED;
177
178 for (size_t i = 0; i <= kMaxKeyUsageBit; ++i) {
179 if (!ASN1_BIT_STRING_set_bit(key_usage.get(), i, 0)) {
180 return TranslateLastOpenSslError();
181 }
182 }
183
184 if (is_signing_key) {
185 if (!ASN1_BIT_STRING_set_bit(key_usage.get(), kDigitalSignatureKeyUsageBit, 1)) {
186 return TranslateLastOpenSslError();
187 }
188 }
189
190 if (is_encryption_key) {
191 if (!ASN1_BIT_STRING_set_bit(key_usage.get(), kKeyEnciphermentKeyUsageBit, 1) ||
192 !ASN1_BIT_STRING_set_bit(key_usage.get(), kDataEnciphermentKeyUsageBit, 1)) {
193 return TranslateLastOpenSslError();
194 }
195 }
196
197 if (is_key_agreement_key) {
198 if (!ASN1_BIT_STRING_set_bit(key_usage.get(), kKeyAgreementKeyUsageBit, 1)) {
199 return TranslateLastOpenSslError();
200 }
201 }
202
203 // Convert to octets
204 int len = i2d_ASN1_BIT_STRING(key_usage.get(), nullptr);
205 if (len < 0) {
206 return TranslateLastOpenSslError();
207 }
208 UniquePtr<uint8_t[]> asn1_key_usage(new (std::nothrow) uint8_t[len]);
209 if (!asn1_key_usage.get()) {
210 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
211 }
212 uint8_t* p = asn1_key_usage.get();
213 len = i2d_ASN1_BIT_STRING(key_usage.get(), &p);
214 if (len < 0) {
215 return TranslateLastOpenSslError();
216 }
217
218 // Build OCTET_STRING
219 ASN1_OCTET_STRING_Ptr key_usage_str(ASN1_OCTET_STRING_new());
220 if (!key_usage_str.get() ||
221 !ASN1_OCTET_STRING_set(key_usage_str.get(), asn1_key_usage.get(), len)) {
222 return TranslateLastOpenSslError();
223 }
224
225 X509_EXTENSION_Ptr key_usage_extension(X509_EXTENSION_create_by_NID(nullptr, //
226 NID_key_usage, //
227 true /* critical */,
228 key_usage_str.get()));
229 if (!key_usage_extension.get()) {
230 return TranslateLastOpenSslError();
231 }
232
233 *usage_extension_out = std::move(key_usage_extension);
234
235 return KM_ERROR_OK;
236 }
237
238 // Creates a rump certificate structure with serial, subject and issuer names, as well as
239 // activation and expiry date.
240 // Callers should pass an empty X509_Ptr and check the return value for KM_ERROR_OK (0) before
241 // accessing the result.
make_cert_rump(const X509_NAME * issuer,const CertificateCallerParams & cert_params,X509_Ptr * cert_out)242 keymaster_error_t make_cert_rump(const X509_NAME* issuer,
243 const CertificateCallerParams& cert_params, X509_Ptr* cert_out) {
244 if (!cert_out || !issuer) return KM_ERROR_UNEXPECTED_NULL_POINTER;
245
246 // Create certificate structure.
247 X509_Ptr certificate(X509_new());
248 if (!certificate.get()) return TranslateLastOpenSslError();
249
250 // Set the X509 version.
251 if (!X509_set_version(certificate.get(), 2 /* version 3 */)) return TranslateLastOpenSslError();
252
253 // Set the certificate serialNumber
254 ASN1_INTEGER_Ptr serial_number(ASN1_INTEGER_new());
255 if (!serial_number.get() || //
256 !BN_to_ASN1_INTEGER(cert_params.serial.get(), serial_number.get()) ||
257 !X509_set_serialNumber(certificate.get(),
258 serial_number.get() /* Don't release; copied */)) {
259 return TranslateLastOpenSslError();
260 }
261
262 if (!X509_set_subject_name(certificate.get(),
263 const_cast<X509_NAME*>(cert_params.subject_name.get()))) {
264 return TranslateLastOpenSslError();
265 }
266
267 if (!X509_set_issuer_name(certificate.get(), const_cast<X509_NAME*>(issuer))) {
268 return TranslateLastOpenSslError();
269 }
270
271 // Set activation date.
272 ASN1_TIME_Ptr notBefore(ASN1_TIME_new());
273 LOG_D("Setting notBefore to %" PRId64, cert_params.active_date_time / 1000);
274 int64_t notBeforeTime = cert_params.active_date_time / 1000;
275 if (!notBefore.get() || !ASN1_TIME_set_posix(notBefore.get(), notBeforeTime) ||
276 !X509_set_notBefore(certificate.get(), notBefore.get() /* Don't release; copied */)) {
277 return TranslateLastOpenSslError();
278 }
279
280 // Set expiration date.
281 ASN1_TIME_Ptr notAfter(ASN1_TIME_new());
282 LOG_D("Setting notAfter to %" PRId64, cert_params.expire_date_time / 1000);
283 int64_t notAfterTime = cert_params.expire_date_time / 1000;
284
285 if (!notAfter.get() || !ASN1_TIME_set_posix(notAfter.get(), notAfterTime) ||
286 !X509_set_notAfter(certificate.get(), notAfter.get() /* Don't release; copied */)) {
287 return TranslateLastOpenSslError();
288 }
289
290 *cert_out = std::move(certificate);
291 return KM_ERROR_OK;
292 }
293
make_cert(const EVP_PKEY * evp_pkey,const X509_NAME * issuer,const CertificateCallerParams & cert_params,X509_Ptr * cert_out)294 keymaster_error_t make_cert(const EVP_PKEY* evp_pkey, const X509_NAME* issuer,
295 const CertificateCallerParams& cert_params, X509_Ptr* cert_out) {
296
297 // Make the rump certificate with serial, subject, not before and not after dates.
298 X509_Ptr certificate;
299 if (keymaster_error_t error = make_cert_rump(issuer, cert_params, &certificate)) {
300 return error;
301 }
302
303 // Set the public key.
304 if (!X509_set_pubkey(certificate.get(), (EVP_PKEY*)evp_pkey)) {
305 return TranslateLastOpenSslError();
306 }
307
308 // Make and add the key usage extension.
309 X509_EXTENSION_Ptr key_usage_extension;
310 if (auto error =
311 make_key_usage_extension(cert_params.is_signing_key, cert_params.is_encryption_key,
312 cert_params.is_agreement_key, &key_usage_extension)) {
313 return error;
314 }
315 if (!X509_add_ext(certificate.get(), key_usage_extension.get() /* Don't release; copied */,
316 -1 /* insert at end */)) {
317 return TranslateLastOpenSslError();
318 }
319
320 *cert_out = std::move(certificate);
321 return KM_ERROR_OK;
322 }
323
sign_cert(X509 * certificate,const EVP_PKEY * signing_key)324 keymaster_error_t sign_cert(X509* certificate, const EVP_PKEY* signing_key) {
325 if (!certificate || !signing_key) return KM_ERROR_UNEXPECTED_NULL_POINTER;
326
327 // X509_sign takes the key as non-const, but per the BoringSSL dev team, that's a legacy
328 // mistake that hasn't yet been corrected.
329 auto sk = const_cast<EVP_PKEY*>(signing_key);
330
331 // Ed25519 has an internal digest so needs to have no digest fed into X509_sign.
332 const EVP_MD* digest = (EVP_PKEY_id(signing_key) == EVP_PKEY_ED25519) ? nullptr : EVP_sha256();
333
334 if (!X509_sign(certificate, sk, digest)) {
335 return TranslateLastOpenSslError();
336 }
337 return KM_ERROR_OK;
338 }
339
generate_self_signed_cert(const AsymmetricKey & key,const AuthorizationSet & params,bool fake_signature,keymaster_error_t * error)340 CertificateChain generate_self_signed_cert(const AsymmetricKey& key, const AuthorizationSet& params,
341 bool fake_signature, keymaster_error_t* error) {
342 keymaster_error_t err;
343 if (!error) error = &err;
344
345 EVP_PKEY_Ptr pkey(key.InternalToEvp());
346 if (pkey.get() == nullptr) {
347 *error = TranslateLastOpenSslError();
348 return {};
349 }
350
351 CertificateCallerParams cert_params{};
352 // Self signed certificates are only generated since Keymint 1.0. To keep the API stable for
353 // now, we pass KEYMINT_1 to get_certificate_params, which has the intended effect. If
354 // get_certificate_params ever has to distinguish between versions of KeyMint this needs to be
355 // changed.
356 *error = get_certificate_params(params, &cert_params, KmVersion::KEYMINT_1);
357 if (*error != KM_ERROR_OK) return {};
358
359 cert_params.is_signing_key =
360 (key.authorizations().Contains(TAG_PURPOSE, KM_PURPOSE_SIGN) ||
361 key.authorizations().Contains(TAG_PURPOSE, KM_PURPOSE_ATTEST_KEY));
362 cert_params.is_encryption_key = key.authorizations().Contains(TAG_PURPOSE, KM_PURPOSE_DECRYPT);
363 cert_params.is_agreement_key = key.authorizations().Contains(TAG_PURPOSE, KM_PURPOSE_AGREE_KEY);
364
365 X509_Ptr cert;
366 *error = make_cert(pkey.get(), cert_params.subject_name.get() /* issuer */, cert_params, &cert);
367 if (*error != KM_ERROR_OK) return {};
368
369 if (fake_signature) {
370 *error = fake_sign_cert(cert.get());
371 } else {
372 *error = sign_cert(cert.get(), pkey.get());
373 }
374 if (*error != KM_ERROR_OK) return {};
375
376 CertificateChain result(1);
377 if (!result) {
378 *error = KM_ERROR_MEMORY_ALLOCATION_FAILED;
379 return {};
380 }
381
382 *error = encode_certificate(cert.get(), &result.entries[0]);
383 if (*error != KM_ERROR_OK) return {};
384
385 return result;
386 }
387
encode_certificate(X509 * certificate,keymaster_blob_t * blob)388 keymaster_error_t encode_certificate(X509* certificate, keymaster_blob_t* blob) {
389 int len = i2d_X509(certificate, nullptr /* ppout */);
390 if (len < 0) return TranslateLastOpenSslError();
391
392 blob->data = new (std::nothrow) uint8_t[len];
393 if (!blob->data) return KM_ERROR_MEMORY_ALLOCATION_FAILED;
394
395 uint8_t* p = const_cast<uint8_t*>(blob->data);
396 blob->data_length = i2d_X509(certificate, &p);
397 return KM_ERROR_OK;
398 }
399
400 } // namespace keymaster
401