1 /*
2  * Copyright 2014 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #ifndef SYSTEM_KEYMASTER_ECDSA_OPERATION_H_
18 #define SYSTEM_KEYMASTER_ECDSA_OPERATION_H_
19 
20 #include <utility>
21 
22 #include <openssl/ec.h>
23 #include <openssl/evp.h>
24 
25 #include <keymaster/UniquePtr.h>
26 
27 #include <keymaster/key.h>
28 #include <keymaster/km_openssl/curve25519_key.h>
29 #include <keymaster/operation.h>
30 
31 namespace keymaster {
32 
33 class EcdsaOperation : public Operation {
34   public:
EcdsaOperation(AuthorizationSet && hw_enforced,AuthorizationSet && sw_enforced,keymaster_purpose_t purpose,keymaster_digest_t digest,EVP_PKEY * key)35     EcdsaOperation(AuthorizationSet&& hw_enforced, AuthorizationSet&& sw_enforced,
36                    keymaster_purpose_t purpose, keymaster_digest_t digest, EVP_PKEY* key)
37         : Operation(purpose, std::move(hw_enforced), std::move(sw_enforced)), digest_(digest),
38           digest_algorithm_(nullptr), ecdsa_key_(key) {
39         EVP_MD_CTX_init(&digest_ctx_);
40     }
41     ~EcdsaOperation();
42 
Abort()43     keymaster_error_t Abort() override { return KM_ERROR_OK; }
44 
45   protected:
46     keymaster_error_t StoreData(const Buffer& input, size_t* input_consumed);
47     keymaster_error_t InitDigest();
48 
49     keymaster_digest_t digest_;
50     const EVP_MD* digest_algorithm_;
51     EVP_PKEY* ecdsa_key_;
52     EVP_MD_CTX digest_ctx_;
53     Buffer data_;
54 };
55 
56 class EcdsaSignOperation : public EcdsaOperation {
57   public:
EcdsaSignOperation(AuthorizationSet && hw_enforced,AuthorizationSet && sw_enforced,keymaster_digest_t digest,EVP_PKEY * key)58     EcdsaSignOperation(AuthorizationSet&& hw_enforced, AuthorizationSet&& sw_enforced,
59                        keymaster_digest_t digest, EVP_PKEY* key)
60         : EcdsaOperation(std::move(hw_enforced), std::move(sw_enforced), KM_PURPOSE_SIGN, digest,
61                          key) {}
62     keymaster_error_t Begin(const AuthorizationSet& input_params,
63                             AuthorizationSet* output_params) override;
64     keymaster_error_t Update(const AuthorizationSet& additional_params, const Buffer& input,
65                              AuthorizationSet* output_params, Buffer* output,
66                              size_t* input_consumed) override;
67     keymaster_error_t Finish(const AuthorizationSet& additional_params, const Buffer& input,
68                              const Buffer& signature, AuthorizationSet* output_params,
69                              Buffer* output) override;
70 };
71 
72 class EcdsaVerifyOperation : public EcdsaOperation {
73   public:
EcdsaVerifyOperation(AuthorizationSet && hw_enforced,AuthorizationSet && sw_enforced,keymaster_digest_t digest,EVP_PKEY * key)74     EcdsaVerifyOperation(AuthorizationSet&& hw_enforced, AuthorizationSet&& sw_enforced,
75                          keymaster_digest_t digest, EVP_PKEY* key)
76         : EcdsaOperation(std::move(hw_enforced), std::move(sw_enforced), KM_PURPOSE_VERIFY, digest,
77                          key) {}
78     keymaster_error_t Begin(const AuthorizationSet& input_params,
79                             AuthorizationSet* output_params) override;
80     keymaster_error_t Update(const AuthorizationSet& additional_params, const Buffer& input,
81                              AuthorizationSet* output_params, Buffer* output,
82                              size_t* input_consumed) override;
83     keymaster_error_t Finish(const AuthorizationSet& additional_params, const Buffer& input,
84                              const Buffer& signature, AuthorizationSet* output_params,
85                              Buffer* output) override;
86 };
87 
88 class Ed25519SignOperation : public EcdsaSignOperation {
89   public:
Ed25519SignOperation(AuthorizationSet && hw_enforced,AuthorizationSet && sw_enforced,keymaster_digest_t digest,EVP_PKEY * key)90     Ed25519SignOperation(AuthorizationSet&& hw_enforced, AuthorizationSet&& sw_enforced,
91                          keymaster_digest_t digest, EVP_PKEY* key)
92         : EcdsaSignOperation(std::move(hw_enforced), std::move(sw_enforced), digest, key) {}
93     keymaster_error_t Begin(const AuthorizationSet& input_params,
94                             AuthorizationSet* output_params) override;
95     keymaster_error_t Update(const AuthorizationSet& additional_params, const Buffer& input,
96                              AuthorizationSet* output_params, Buffer* output,
97                              size_t* input_consumed) override;
98     keymaster_error_t Finish(const AuthorizationSet& additional_params, const Buffer& input,
99                              const Buffer& signature, AuthorizationSet* output_params,
100                              Buffer* output) override;
101 
102   protected:
103     keymaster_error_t StoreAllData(const Buffer& input, size_t* input_consumed);
104 };
105 
106 class EcdsaOperationFactory : public OperationFactory {
107   private:
registry_key()108     KeyType registry_key() const override { return KeyType(KM_ALGORITHM_EC, purpose()); }
109     OperationPtr CreateOperation(Key&& key, const AuthorizationSet& begin_params,
110                                  keymaster_error_t* error) override;
111     const keymaster_digest_t* SupportedDigests(size_t* digest_count) const override;
112 
113     virtual keymaster_purpose_t purpose() const = 0;
114     virtual Operation* InstantiateOperation(AuthorizationSet&& hw_enforced,
115                                             AuthorizationSet&& sw_enforced,
116                                             keymaster_digest_t digest, EVP_PKEY* key) = 0;
117 };
118 
119 class EcdsaSignOperationFactory : public EcdsaOperationFactory {
120   private:
purpose()121     keymaster_purpose_t purpose() const override { return KM_PURPOSE_SIGN; }
InstantiateOperation(AuthorizationSet && hw_enforced,AuthorizationSet && sw_enforced,keymaster_digest_t digest,EVP_PKEY * key)122     Operation* InstantiateOperation(AuthorizationSet&& hw_enforced, AuthorizationSet&& sw_enforced,
123                                     keymaster_digest_t digest, EVP_PKEY* key) override {
124         if (IsEd25519Key(hw_enforced, sw_enforced)) {
125             return new (std::nothrow)
126                 Ed25519SignOperation(std::move(hw_enforced), std::move(sw_enforced), digest, key);
127         } else {
128             return new (std::nothrow)
129                 EcdsaSignOperation(std::move(hw_enforced), std::move(sw_enforced), digest, key);
130         }
131     }
132 };
133 
134 class EcdsaVerifyOperationFactory : public EcdsaOperationFactory {
135   public:
purpose()136     keymaster_purpose_t purpose() const override { return KM_PURPOSE_VERIFY; }
InstantiateOperation(AuthorizationSet && hw_enforced,AuthorizationSet && sw_enforced,keymaster_digest_t digest,EVP_PKEY * key)137     Operation* InstantiateOperation(AuthorizationSet&& hw_enforced, AuthorizationSet&& sw_enforced,
138                                     keymaster_digest_t digest, EVP_PKEY* key) override {
139         return new (std::nothrow)
140             EcdsaVerifyOperation(std::move(hw_enforced), std::move(sw_enforced), digest, key);
141     }
142 };
143 
144 }  // namespace keymaster
145 
146 #endif  // SYSTEM_KEYMASTER_ECDSA_OPERATION_H_
147