diff --git a/adb/Android.mk b/adb/Android.mk index f1d3bee95..6693619fa 100644 --- a/adb/Android.mk +++ b/adb/Android.mk @@ -108,7 +108,7 @@ LOCAL_SANITIZE := $(adb_target_sanitize) # Even though we're building a static library (and thus there's no link step for # this to take effect), this adds the includes to our path. -LOCAL_STATIC_LIBRARIES := libbase +LOCAL_STATIC_LIBRARIES := libcrypto_utils_static libcrypto_static libbase include $(BUILD_STATIC_LIBRARY) @@ -131,7 +131,7 @@ LOCAL_SANITIZE := $(adb_host_sanitize) # Even though we're building a static library (and thus there's no link step for # this to take effect), this adds the includes to our path. -LOCAL_STATIC_LIBRARIES := libcrypto_static libbase +LOCAL_STATIC_LIBRARIES := libcrypto_utils_static libcrypto_static libbase LOCAL_C_INCLUDES_windows := development/host/windows/usb/api/ LOCAL_MULTILIB := first @@ -151,7 +151,7 @@ LOCAL_SRC_FILES := \ shell_service_test.cpp \ LOCAL_SANITIZE := $(adb_target_sanitize) -LOCAL_STATIC_LIBRARIES := libadbd +LOCAL_STATIC_LIBRARIES := libadbd libcrypto_utils_static libcrypto_static LOCAL_SHARED_LIBRARIES := liblog libbase libcutils include $(BUILD_NATIVE_TEST) @@ -191,6 +191,7 @@ LOCAL_SANITIZE := $(adb_host_sanitize) LOCAL_SHARED_LIBRARIES := libbase LOCAL_STATIC_LIBRARIES := \ libadb \ + libcrypto_utils_static \ libcrypto_static \ libcutils \ libdiagnose_usb \ @@ -219,7 +220,7 @@ LOCAL_CFLAGS_darwin := $(LIBADB_darwin_CFLAGS) LOCAL_SRC_FILES := test_track_devices.cpp LOCAL_SANITIZE := $(adb_host_sanitize) LOCAL_SHARED_LIBRARIES := libbase -LOCAL_STATIC_LIBRARIES := libadb libcrypto_static libcutils +LOCAL_STATIC_LIBRARIES := libadb libcrypto_utils_static libcrypto_static libcutils LOCAL_LDLIBS += -lrt -ldl -lpthread include $(BUILD_HOST_EXECUTABLE) endif @@ -271,6 +272,7 @@ LOCAL_SANITIZE := $(adb_host_sanitize) LOCAL_STATIC_LIBRARIES := \ libadb \ libbase \ + libcrypto_utils_static \ libcrypto_static \ libdiagnose_usb \ liblog \ @@ -342,11 +344,11 @@ LOCAL_STATIC_LIBRARIES := \ libfec_rs \ libselinux \ liblog \ - libmincrypt \ libext4_utils_static \ libsquashfs_utils \ libcutils \ libbase \ + libcrypto_utils_static \ libcrypto_static \ libminijail diff --git a/adb/adb.cpp b/adb/adb.cpp index cb54d04e0..efa18c246 100644 --- a/adb/adb.cpp +++ b/adb/adb.cpp @@ -353,7 +353,8 @@ void handle_packet(apacket *p, atransport *t) send_auth_publickey(t); } } else if (p->msg.arg0 == ADB_AUTH_SIGNATURE) { - if (adb_auth_verify(t->token, p->data, p->msg.data_length)) { + if (adb_auth_verify(t->token, sizeof(t->token), + p->data, p->msg.data_length)) { adb_auth_verified(t); t->failed_auth_attempts = 0; } else { diff --git a/adb/adb_auth.h b/adb/adb_auth.h index a13604a76..1ab5e1ae4 100644 --- a/adb/adb_auth.h +++ b/adb/adb_auth.h @@ -43,9 +43,15 @@ int adb_auth_sign(void *key, const unsigned char* token, size_t token_size, void *adb_auth_nextkey(void *current); int adb_auth_get_userkey(unsigned char *data, size_t len); -static inline int adb_auth_generate_token(void *token, size_t token_size) { return 0; } -static inline int adb_auth_verify(void *token, void *sig, int siglen) { return 0; } -static inline void adb_auth_confirm_key(unsigned char *data, size_t len, atransport *t) { } +static inline int adb_auth_generate_token(void *token, size_t token_size) { + return 0; +} +static inline int adb_auth_verify(void *token, size_t token_size, + void *sig, int siglen) { + return 0; +} +static inline void adb_auth_confirm_key(unsigned char *data, size_t len, + atransport *t) {} #else // !ADB_HOST @@ -54,12 +60,15 @@ static inline int adb_auth_sign(void* key, const unsigned char* token, return 0; } static inline void *adb_auth_nextkey(void *current) { return NULL; } -static inline int adb_auth_get_userkey(unsigned char *data, size_t len) { return 0; } +static inline int adb_auth_get_userkey(unsigned char *data, size_t len) { + return 0; +} void adbd_auth_init(void); void adbd_cloexec_auth_socket(); int adb_auth_generate_token(void *token, size_t token_size); -int adb_auth_verify(uint8_t* token, uint8_t* sig, int siglen); +int adb_auth_verify(uint8_t* token, size_t token_size, + uint8_t* sig, int siglen); void adb_auth_confirm_key(unsigned char *data, size_t len, atransport *t); #endif // ADB_HOST diff --git a/adb/adb_auth_client.cpp b/adb/adb_auth_client.cpp index 128c3dffe..415ab8ed3 100644 --- a/adb/adb_auth_client.cpp +++ b/adb/adb_auth_client.cpp @@ -23,10 +23,14 @@ #include #include +#include +#include +#include + +#include + #include "cutils/list.h" #include "cutils/sockets.h" -#include "mincrypt/rsa.h" -#include "mincrypt/sha.h" #include "adb.h" #include "fdevent.h" @@ -34,7 +38,7 @@ struct adb_public_key { struct listnode node; - RSAPublicKey key; + RSA* key; }; static const char *key_paths[] = { @@ -66,9 +70,8 @@ static void read_keys(const char *file, struct listnode *list) } while (fgets(buf, sizeof(buf), f)) { - /* Allocate 4 extra bytes to decode the base64 data in-place */ auto key = reinterpret_cast( - calloc(1, sizeof(adb_public_key) + 4)); + calloc(1, sizeof(adb_public_key))); if (key == nullptr) { D("Can't malloc key"); break; @@ -78,15 +81,18 @@ static void read_keys(const char *file, struct listnode *list) if (sep) *sep = '\0'; - ret = __b64_pton(buf, (u_char *)&key->key, sizeof(key->key) + 4); - if (ret != sizeof(key->key)) { + // b64_pton requires one additional byte in the target buffer for + // decoding to succeed. See http://b/28035006 for details. + uint8_t keybuf[ANDROID_PUBKEY_ENCODED_SIZE + 1]; + ret = __b64_pton(buf, keybuf, sizeof(keybuf)); + if (ret != ANDROID_PUBKEY_ENCODED_SIZE) { D("%s: Invalid base64 data ret=%d", file, ret); free(key); continue; } - if (key->key.len != RSANUMWORDS) { - D("%s: Invalid key len %d", file, key->key.len); + if (!android_pubkey_decode(keybuf, ret, &key->key)) { + D("%s: Failed to parse key", file); free(key); continue; } @@ -104,7 +110,9 @@ static void free_keys(struct listnode *list) while (!list_empty(list)) { item = list_head(list); list_remove(item); - free(node_to_item(item, struct adb_public_key, node)); + adb_public_key* key = node_to_item(item, struct adb_public_key, node); + RSA_free(key->key); + free(key); } } @@ -139,20 +147,17 @@ int adb_auth_generate_token(void *token, size_t token_size) return ret * token_size; } -int adb_auth_verify(uint8_t* token, uint8_t* sig, int siglen) +int adb_auth_verify(uint8_t* token, size_t token_size, uint8_t* sig, int siglen) { struct listnode *item; struct listnode key_list; int ret = 0; - if (siglen != RSANUMBYTES) - return 0; - load_keys(&key_list); list_for_each(item, &key_list) { adb_public_key* key = node_to_item(item, struct adb_public_key, node); - ret = RSA_verify(&key->key, sig, siglen, token, SHA_DIGEST_SIZE); + ret = RSA_verify(NID_sha1, token, token_size, sig, siglen, key->key); if (ret) break; } diff --git a/adb/adb_auth_host.cpp b/adb/adb_auth_host.cpp index 8f154fd93..ab641eb4f 100644 --- a/adb/adb_auth_host.cpp +++ b/adb/adb_auth_host.cpp @@ -37,14 +37,9 @@ #include "adb.h" -/* HACK: we need the RSAPublicKey struct - * but RSA_verify conflits with openssl */ -#define RSA_verify RSA_verify_mincrypt -#include "mincrypt/rsa.h" -#undef RSA_verify - #include #include +#include #include #include @@ -68,54 +63,6 @@ struct adb_private_key { static struct listnode key_list; -/* Convert OpenSSL RSA private key to android pre-computed RSAPublicKey format */ -static int RSA_to_RSAPublicKey(RSA *rsa, RSAPublicKey *pkey) -{ - int ret = 1; - unsigned int i; - - BN_CTX* ctx = BN_CTX_new(); - BIGNUM* r32 = BN_new(); - BIGNUM* rr = BN_new(); - BIGNUM* r = BN_new(); - BIGNUM* rem = BN_new(); - BIGNUM* n = BN_new(); - BIGNUM* n0inv = BN_new(); - - if (RSA_size(rsa) != RSANUMBYTES) { - ret = 0; - goto out; - } - - BN_set_bit(r32, 32); - BN_copy(n, rsa->n); - BN_set_bit(r, RSANUMWORDS * 32); - BN_mod_sqr(rr, r, n, ctx); - BN_div(NULL, rem, n, r32, ctx); - BN_mod_inverse(n0inv, rem, r32, ctx); - - pkey->len = RSANUMWORDS; - pkey->n0inv = 0 - BN_get_word(n0inv); - for (i = 0; i < RSANUMWORDS; i++) { - BN_div(rr, rem, rr, r32, ctx); - pkey->rr[i] = BN_get_word(rem); - BN_div(n, rem, n, r32, ctx); - pkey->n[i] = BN_get_word(rem); - } - pkey->exponent = BN_get_word(rsa->e); - -out: - BN_free(n0inv); - BN_free(n); - BN_free(rem); - BN_free(r); - BN_free(rr); - BN_free(r32); - BN_CTX_free(ctx); - - return ret; -} - static void get_user_info(char *buf, size_t len) { char hostname[1024], username[1024]; @@ -156,53 +103,55 @@ static void get_user_info(char *buf, size_t len) static int write_public_keyfile(RSA *private_key, const char *private_key_path) { - RSAPublicKey pkey; + uint8_t binary_key_data[ANDROID_PUBKEY_ENCODED_SIZE]; + uint8_t* base64_key_data = nullptr; + size_t base64_key_length = 0; FILE *outfile = NULL; char path[PATH_MAX], info[MAX_PAYLOAD_V1]; - uint8_t* encoded = nullptr; - size_t encoded_length; int ret = 0; - if (snprintf(path, sizeof(path), "%s.pub", private_key_path) >= - (int)sizeof(path)) { - D("Path too long while writing public key"); - return 0; - } - - if (!RSA_to_RSAPublicKey(private_key, &pkey)) { + if (!android_pubkey_encode(private_key, binary_key_data, + sizeof(binary_key_data))) { D("Failed to convert to publickey"); - return 0; - } - - outfile = fopen(path, "w"); - if (!outfile) { - D("Failed to open '%s'", path); - return 0; + goto out; } D("Writing public key to '%s'", path); #if defined(OPENSSL_IS_BORINGSSL) - if (!EVP_EncodedLength(&encoded_length, sizeof(pkey))) { + if (!EVP_EncodedLength(&base64_key_length, sizeof(binary_key_data))) { D("Public key too large to base64 encode"); goto out; } #else /* While we switch from OpenSSL to BoringSSL we have to implement * |EVP_EncodedLength| here. */ - encoded_length = 1 + ((sizeof(pkey) + 2) / 3 * 4); + base64_key_length = 1 + ((sizeof(binary_key_data) + 2) / 3 * 4); #endif - encoded = new uint8_t[encoded_length]; - if (encoded == nullptr) { + base64_key_data = new uint8_t[base64_key_length]; + if (base64_key_data == nullptr) { D("Allocation failure"); goto out; } - encoded_length = EVP_EncodeBlock(encoded, (uint8_t*) &pkey, sizeof(pkey)); + base64_key_length = EVP_EncodeBlock(base64_key_data, binary_key_data, + sizeof(binary_key_data)); get_user_info(info, sizeof(info)); - if (fwrite(encoded, encoded_length, 1, outfile) != 1 || + if (snprintf(path, sizeof(path), "%s.pub", private_key_path) >= + (int)sizeof(path)) { + D("Path too long while writing public key"); + goto out; + } + + outfile = fopen(path, "w"); + if (!outfile) { + D("Failed to open '%s'", path); + goto out; + } + + if (fwrite(base64_key_data, base64_key_length, 1, outfile) != 1 || fwrite(info, strlen(info), 1, outfile) != 1) { D("Write error while writing public key"); goto out; @@ -214,7 +163,7 @@ static int write_public_keyfile(RSA *private_key, const char *private_key_path) if (outfile != NULL) { fclose(outfile); } - delete[] encoded; + delete[] base64_key_data; return ret; } diff --git a/fs_mgr/Android.mk b/fs_mgr/Android.mk index 28fff3f1d..d0d563066 100644 --- a/fs_mgr/Android.mk +++ b/fs_mgr/Android.mk @@ -7,7 +7,7 @@ common_static_libraries := \ libfec \ libfec_rs \ libbase \ - libmincrypt \ + libcrypto_utils_static \ libcrypto_static \ libext4_utils_static \ libsquashfs_utils diff --git a/fs_mgr/fs_mgr.c b/fs_mgr/fs_mgr.c index ab473121a..9fc5999cb 100644 --- a/fs_mgr/fs_mgr.c +++ b/fs_mgr/fs_mgr.c @@ -14,35 +14,32 @@ * limitations under the License. */ +#include +#include +#include +#include +#include #include #include #include -#include -#include -#include #include #include -#include +#include #include #include -#include #include -#include -#include -#include -#include -#include +#include + +#include +#include +#include -#include -#include #include #include #include +#include #include - -#include "mincrypt/rsa.h" -#include "mincrypt/sha.h" -#include "mincrypt/sha256.h" +#include #include "ext4_utils.h" #include "wipe.h" diff --git a/fs_mgr/fs_mgr_verity.cpp b/fs_mgr/fs_mgr_verity.cpp index b5141c934..129a5bb50 100644 --- a/fs_mgr/fs_mgr_verity.cpp +++ b/fs_mgr/fs_mgr_verity.cpp @@ -14,29 +14,29 @@ * limitations under the License. */ +#include +#include +#include #include +#include #include #include #include -#include -#include -#include #include #include -#include #include #include -#include #include +#include #include -#include +#include #include #include - -#include "mincrypt/rsa.h" -#include "mincrypt/sha.h" -#include "mincrypt/sha256.h" +#include +#include +#include +#include #include "fec/io.h" @@ -83,48 +83,45 @@ struct verity_state { extern struct fs_info info; -static RSAPublicKey *load_key(const char *path) +static RSA *load_key(const char *path) { - RSAPublicKey* key = static_cast(malloc(sizeof(RSAPublicKey))); - if (!key) { - ERROR("Can't malloc key\n"); - return NULL; - } + uint8_t key_data[ANDROID_PUBKEY_ENCODED_SIZE]; FILE* f = fopen(path, "r"); if (!f) { ERROR("Can't open '%s'\n", path); - free(key); + free(key_data); return NULL; } - if (!fread(key, sizeof(*key), 1, f)) { + if (!fread(key_data, sizeof(key_data), 1, f)) { ERROR("Could not read key!\n"); fclose(f); - free(key); - return NULL; - } - - if (key->len != RSANUMWORDS) { - ERROR("Invalid key length %d\n", key->len); - fclose(f); - free(key); + free(key_data); return NULL; } fclose(f); + + RSA* key = NULL; + if (!android_pubkey_decode(key_data, sizeof(key_data), &key)) { + ERROR("Could not parse key!\n"); + free(key_data); + return NULL; + } + return key; } -static int verify_table(const uint8_t *signature, const char *table, - uint32_t table_length) +static int verify_table(const uint8_t *signature, size_t signature_size, + const char *table, uint32_t table_length) { - RSAPublicKey *key; - uint8_t hash_buf[SHA256_DIGEST_SIZE]; + RSA *key; + uint8_t hash_buf[SHA256_DIGEST_LENGTH]; int retval = -1; // Hash the table - SHA256_hash((uint8_t*)table, table_length, hash_buf); + SHA256((uint8_t*)table, table_length, hash_buf); // Now get the public key from the keyfile key = load_key(VERITY_TABLE_RSA_KEY); @@ -134,11 +131,8 @@ static int verify_table(const uint8_t *signature, const char *table, } // verify the result - if (!RSA_verify(key, - signature, - RSANUMBYTES, - (uint8_t*) hash_buf, - SHA256_DIGEST_SIZE)) { + if (!RSA_verify(NID_sha256, hash_buf, sizeof(hash_buf), signature, + signature_size, key)) { ERROR("Couldn't verify table\n"); goto out; } @@ -146,7 +140,7 @@ static int verify_table(const uint8_t *signature, const char *table, retval = 0; out: - free(key); + RSA_free(key); return retval; } @@ -610,8 +604,8 @@ static int compare_last_signature(struct fstab_rec *fstab, int *match) off64_t offset = 0; struct fec_handle *f = NULL; struct fec_verity_metadata verity; - uint8_t curr[SHA256_DIGEST_SIZE]; - uint8_t prev[SHA256_DIGEST_SIZE]; + uint8_t curr[SHA256_DIGEST_LENGTH]; + uint8_t prev[SHA256_DIGEST_LENGTH]; *match = 1; @@ -629,7 +623,7 @@ static int compare_last_signature(struct fstab_rec *fstab, int *match) goto out; } - SHA256_hash(verity.signature, RSANUMBYTES, curr); + SHA256(verity.signature, sizeof(verity.signature), curr); if (snprintf(tag, sizeof(tag), VERITY_LASTSIG_TAG "_%s", basename(fstab->mount_point)) >= (int)sizeof(tag)) { @@ -637,7 +631,7 @@ static int compare_last_signature(struct fstab_rec *fstab, int *match) goto out; } - if (metadata_find(fstab->verity_loc, tag, SHA256_DIGEST_SIZE, + if (metadata_find(fstab->verity_loc, tag, SHA256_DIGEST_LENGTH, &offset) < 0) { goto out; } @@ -656,7 +650,7 @@ static int compare_last_signature(struct fstab_rec *fstab, int *match) goto out; } - *match = !memcmp(curr, prev, SHA256_DIGEST_SIZE); + *match = !memcmp(curr, prev, SHA256_DIGEST_LENGTH); if (!*match) { /* update current signature hash */ @@ -919,7 +913,7 @@ int fs_mgr_setup_verity(struct fstab_rec *fstab) } // verify the signature on the table - if (verify_table(verity.signature, verity.table, + if (verify_table(verity.signature, sizeof(verity.signature), verity.table, verity.table_length) < 0) { if (params.mode == VERITY_MODE_LOGGING) { // the user has been warned, allow mounting without dm-verity diff --git a/init/Android.mk b/init/Android.mk index 4827fa34b..2525b009b 100644 --- a/init/Android.mk +++ b/init/Android.mk @@ -96,7 +96,7 @@ LOCAL_STATIC_LIBRARIES := \ libc \ libselinux \ liblog \ - libmincrypt \ + libcrypto_utils_static \ libcrypto_static \ libc++_static \ libdl \ diff --git a/libcrypto_utils/Android.mk b/libcrypto_utils/Android.mk new file mode 100644 index 000000000..5e9763fe5 --- /dev/null +++ b/libcrypto_utils/Android.mk @@ -0,0 +1,56 @@ +# +# Copyright (C) 2016 The Android Open Source Project +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +LOCAL_PATH := $(call my-dir) + +include $(CLEAR_VARS) +LOCAL_MODULE := libcrypto_utils +LOCAL_SRC_FILES := android_pubkey.c +LOCAL_CFLAGS := -Wall -Werror -Wextra -std=c99 +LOCAL_C_INCLUDES := $(LOCAL_PATH)/include +LOCAL_EXPORT_C_INCLUDE_DIRS := $(LOCAL_PATH)/include +LOCAL_SHARED_LIBRARIES := libcrypto +include $(BUILD_SHARED_LIBRARY) + +include $(CLEAR_VARS) +LOCAL_MODULE := libcrypto_utils +LOCAL_SRC_FILES := android_pubkey.c +LOCAL_CFLAGS := -Wall -Werror -Wextra -std=c99 +LOCAL_C_INCLUDES := $(LOCAL_PATH)/include +LOCAL_EXPORT_C_INCLUDE_DIRS := $(LOCAL_PATH)/include +LOCAL_SHARED_LIBRARIES := libcrypto-host +include $(BUILD_HOST_SHARED_LIBRARY) + +include $(CLEAR_VARS) +LOCAL_MODULE := libcrypto_utils_static +LOCAL_SRC_FILES := android_pubkey.c +LOCAL_CFLAGS := -Wall -Werror -Wextra -std=c99 +LOCAL_C_INCLUDES := $(LOCAL_PATH)/include +LOCAL_EXPORT_C_INCLUDE_DIRS := $(LOCAL_PATH)/include +LOCAL_STATIC_LIBRARIES := libcrypto_static +include $(BUILD_STATIC_LIBRARY) + +include $(CLEAR_VARS) +LOCAL_MODULE := libcrypto_utils_static +LOCAL_MODULE_HOST_OS := darwin linux windows +LOCAL_SRC_FILES := android_pubkey.c +LOCAL_CFLAGS := -Wall -Werror -Wextra -std=c99 +LOCAL_C_INCLUDES := $(LOCAL_PATH)/include +LOCAL_EXPORT_C_INCLUDE_DIRS := $(LOCAL_PATH)/include +LOCAL_STATIC_LIBRARIES := libcrypto_static +include $(BUILD_HOST_STATIC_LIBRARY) + +include $(call all-makefiles-under,$(LOCAL_PATH)) diff --git a/libcrypto_utils/android_pubkey.c b/libcrypto_utils/android_pubkey.c new file mode 100644 index 000000000..9cd9aabe1 --- /dev/null +++ b/libcrypto_utils/android_pubkey.c @@ -0,0 +1,167 @@ +/* + * Copyright (C) 2016 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include + +#include +#include +#include + +// Better safe than sorry. +#if (ANDROID_PUBKEY_MODULUS_SIZE % 4) != 0 +#error RSA modulus size must be multiple of the word size! +#endif + +// Size of the RSA modulus in words. +#define ANDROID_PUBKEY_MODULUS_SIZE_WORDS (ANDROID_PUBKEY_MODULUS_SIZE / 4) + +// This file implements encoding and decoding logic for Android's custom RSA +// public key binary format. Public keys are stored as a sequence of +// little-endian 32 bit words. Note that Android only supports little-endian +// processors, so we don't do any byte order conversions when parsing the binary +// struct. +typedef struct RSAPublicKey { + // Modulus length. This must be ANDROID_PUBKEY_MODULUS_SIZE. + uint32_t modulus_size_words; + + // Precomputed montgomery parameter: -1 / n[0] mod 2^32 + uint32_t n0inv; + + // RSA modulus as a little-endian array. + uint8_t modulus[ANDROID_PUBKEY_MODULUS_SIZE]; + + // Montgomery parameter R^2 as a little-endian array of little-endian words. + uint8_t rr[ANDROID_PUBKEY_MODULUS_SIZE]; + + // RSA modulus: 3 or 65537 + uint32_t exponent; +} RSAPublicKey; + +// Reverses byte order in |buffer|. +static void reverse_bytes(uint8_t* buffer, size_t size) { + for (size_t i = 0; i < (size + 1) / 2; ++i) { + uint8_t tmp = buffer[i]; + buffer[i] = buffer[size - i - 1]; + buffer[size - i - 1] = tmp; + } +} + +bool android_pubkey_decode(const uint8_t* key_buffer, size_t size, RSA** key) { + const RSAPublicKey* key_struct = (RSAPublicKey*)key_buffer; + bool ret = false; + uint8_t modulus_buffer[ANDROID_PUBKEY_MODULUS_SIZE]; + RSA* new_key = RSA_new(); + if (!new_key) { + goto cleanup; + } + + // Check |size| is large enough and the modulus size is correct. + if (size < sizeof(RSAPublicKey)) { + goto cleanup; + } + if (key_struct->modulus_size_words != ANDROID_PUBKEY_MODULUS_SIZE_WORDS) { + goto cleanup; + } + + // Convert the modulus to big-endian byte order as expected by BN_bin2bn. + memcpy(modulus_buffer, key_struct->modulus, sizeof(modulus_buffer)); + reverse_bytes(modulus_buffer, sizeof(modulus_buffer)); + new_key->n = BN_bin2bn(modulus_buffer, sizeof(modulus_buffer), NULL); + if (!new_key->n) { + goto cleanup; + } + + // Read the exponent. + new_key->e = BN_new(); + if (!new_key->e || !BN_set_word(new_key->e, key_struct->exponent)) { + goto cleanup; + } + + // Note that we don't extract the montgomery parameters n0inv and rr from + // the RSAPublicKey structure. They assume a word size of 32 bits, but + // BoringSSL may use a word size of 64 bits internally, so we're lacking the + // top 32 bits of n0inv in general. For now, we just ignore the parameters + // and have BoringSSL recompute them internally. More sophisticated logic can + // be added here if/when we want the additional speedup from using the + // pre-computed montgomery parameters. + + *key = new_key; + ret = true; + +cleanup: + if (!ret && new_key) { + RSA_free(new_key); + } + return ret; +} + +static bool android_pubkey_encode_bignum(const BIGNUM* num, uint8_t* buffer) { + if (!BN_bn2bin_padded(buffer, ANDROID_PUBKEY_MODULUS_SIZE, num)) { + return false; + } + + reverse_bytes(buffer, ANDROID_PUBKEY_MODULUS_SIZE); + return true; +} + +bool android_pubkey_encode(const RSA* key, uint8_t* key_buffer, size_t size) { + RSAPublicKey* key_struct = (RSAPublicKey*)key_buffer; + bool ret = false; + BN_CTX* ctx = BN_CTX_new(); + BIGNUM* r32 = BN_new(); + BIGNUM* n0inv = BN_new(); + BIGNUM* rr = BN_new(); + + if (sizeof(RSAPublicKey) > size || + RSA_size(key) != ANDROID_PUBKEY_MODULUS_SIZE) { + goto cleanup; + } + + // Store the modulus size. + key_struct->modulus_size_words = ANDROID_PUBKEY_MODULUS_SIZE_WORDS; + + // Compute and store n0inv = -1 / N[0] mod 2^32. + if (!ctx || !r32 || !n0inv || !BN_set_bit(r32, 32) || + !BN_mod(n0inv, key->n, r32, ctx) || + !BN_mod_inverse(n0inv, n0inv, r32, ctx) || !BN_sub(n0inv, r32, n0inv)) { + goto cleanup; + } + key_struct->n0inv = (uint32_t)BN_get_word(n0inv); + + // Store the modulus. + if (!android_pubkey_encode_bignum(key->n, key_struct->modulus)) { + goto cleanup; + } + + // Compute and store rr = (2^(rsa_size)) ^ 2 mod N. + if (!ctx || !rr || !BN_set_bit(rr, ANDROID_PUBKEY_MODULUS_SIZE * 8) || + !BN_mod_sqr(rr, rr, key->n, ctx) || + !android_pubkey_encode_bignum(rr, key_struct->rr)) { + goto cleanup; + } + + // Store the exponent. + key_struct->exponent = (uint32_t)BN_get_word(key->e); + + ret = true; + +cleanup: + BN_free(rr); + BN_free(n0inv); + BN_free(r32); + BN_CTX_free(ctx); + return ret; +} diff --git a/libcrypto_utils/include/crypto_utils/android_pubkey.h b/libcrypto_utils/include/crypto_utils/android_pubkey.h new file mode 100644 index 000000000..1045eba0f --- /dev/null +++ b/libcrypto_utils/include/crypto_utils/android_pubkey.h @@ -0,0 +1,61 @@ +/* + * Copyright (C) 2016 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef CRYPTO_UTILS_ANDROID_PUBKEY_H +#define CRYPTO_UTILS_ANDROID_PUBKEY_H + +#include +#include +#include + +#include + +#ifdef __cplusplus +extern "C" { +#endif + +// Size of an RSA modulus such as an encrypted block or a signature. +#define ANDROID_PUBKEY_MODULUS_SIZE (2048 / 8) + +// Size of an encoded RSA key. +#define ANDROID_PUBKEY_ENCODED_SIZE \ + (3 * sizeof(uint32_t) + 2 * ANDROID_PUBKEY_MODULUS_SIZE) + +/* Allocates a new RSA |key| object, decodes a public RSA key stored in + * Android's custom binary format from |key_buffer| and sets the key parameters + * in |key|. |size| specifies the size of the key buffer and must be at least + * |ANDROID_PUBKEY_ENCODED_SIZE|. The resulting |*key| can be used with the + * standard BoringSSL API to perform public operations. + * + * Returns true if successful, in which case the caller receives ownership of + * the |*key| object, i.e. needs to call RSA_free() when done with it. If there + * is an error, |key| is left untouched and the return value will be false. + */ +bool android_pubkey_decode(const uint8_t* key_buffer, size_t size, RSA** key); + +/* Encodes |key| in the Android RSA public key binary format and stores the + * bytes in |key_buffer|. |key_buffer| should be of size at least + * |ANDROID_PUBKEY_ENCODED_SIZE|. + * + * Returns true if successful, false on error. + */ +bool android_pubkey_encode(const RSA* key, uint8_t* key_buffer, size_t size); + +#ifdef __cplusplus +} // extern "C" +#endif + +#endif // CRYPTO_UTILS_ANDROID_PUBKEY_H diff --git a/libcrypto_utils/tests/Android.mk b/libcrypto_utils/tests/Android.mk new file mode 100644 index 000000000..dad82f70f --- /dev/null +++ b/libcrypto_utils/tests/Android.mk @@ -0,0 +1,24 @@ +# +# Copyright (C) 2016 The Android Open Source Project +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +LOCAL_PATH := $(call my-dir) + +include $(CLEAR_VARS) +LOCAL_MODULE := libcrypto_utils_test +LOCAL_SRC_FILES := android_pubkey_test.cpp +LOCAL_CFLAGS := -Wall -Werror -Wextra -std=c++11 +LOCAL_SHARED_LIBRARIES := libcrypto_utils libcrypto-host +include $(BUILD_HOST_NATIVE_TEST) diff --git a/libcrypto_utils/tests/android_pubkey_test.cpp b/libcrypto_utils/tests/android_pubkey_test.cpp new file mode 100644 index 000000000..f8c2e0cae --- /dev/null +++ b/libcrypto_utils/tests/android_pubkey_test.cpp @@ -0,0 +1,129 @@ +/* + * Copyright (C) 2016 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include + +#include + +#include + +#include +#include + +#include + +// Test digest to verify. +const uint8_t kDigest[] = { + 0x31, 0x5f, 0x5b, 0xdb, 0x76, 0xd0, 0x78, 0xc4, 0x3b, 0x8a, 0xc0, + 0x06, 0x4e, 0x4a, 0x01, 0x64, 0x61, 0x2b, 0x1f, 0xce, 0x77, 0xc8, + 0x69, 0x34, 0x5b, 0xfc, 0x94, 0xc7, 0x58, 0x94, 0xed, 0xd3, +}; + +// 2048 RSA test key. +const uint8_t kKey2048[ANDROID_PUBKEY_ENCODED_SIZE] = { + 0x40, 0x00, 0x00, 0x00, 0x05, 0x75, 0x61, 0xd1, 0x33, 0xf0, 0x2d, 0x12, + 0x45, 0xfb, 0xae, 0x07, 0x02, 0x15, 0x4f, 0x3a, 0x2b, 0xa3, 0xbc, 0x49, + 0xbd, 0x14, 0x07, 0xa0, 0xc0, 0x9f, 0x0c, 0x52, 0x60, 0x77, 0x9f, 0xa2, + 0x31, 0xd0, 0xa7, 0xfb, 0x7e, 0xde, 0xfb, 0xc9, 0x05, 0xc0, 0x97, 0xf7, + 0x74, 0x99, 0xe6, 0xd1, 0x08, 0xa6, 0xc2, 0x59, 0x5a, 0xd8, 0x37, 0x1d, + 0xe0, 0x48, 0x5e, 0x63, 0x44, 0x04, 0x8b, 0x05, 0x20, 0xf6, 0x25, 0x67, + 0x38, 0xb2, 0xb6, 0xf9, 0xbe, 0xb6, 0x1d, 0x7f, 0x1b, 0x71, 0x8a, 0xeb, + 0xb7, 0xf8, 0x01, 0xc1, 0x5e, 0xf7, 0xfe, 0x48, 0x08, 0x27, 0x0f, 0x27, + 0x2a, 0x64, 0x1a, 0x43, 0x8d, 0xcf, 0x5a, 0x33, 0x5c, 0x18, 0xc5, 0xf4, + 0xe7, 0xfe, 0xee, 0xd3, 0x12, 0x62, 0xad, 0x61, 0x78, 0x9a, 0x03, 0xb0, + 0xaf, 0xab, 0x91, 0x57, 0x46, 0xbf, 0x18, 0xc6, 0xbc, 0x0c, 0x6b, 0x55, + 0xcd, 0xda, 0xc4, 0xcc, 0x98, 0x46, 0x91, 0x99, 0xbc, 0xa3, 0xca, 0x6c, + 0x86, 0xa6, 0x1c, 0x8f, 0xca, 0xf8, 0xf6, 0x8a, 0x00, 0x8e, 0x05, 0xd7, + 0x13, 0x43, 0xe2, 0xf2, 0x1a, 0x13, 0xf3, 0x50, 0x13, 0xa4, 0xf2, 0x4e, + 0x41, 0xb1, 0x36, 0x78, 0x55, 0x4c, 0x5e, 0x27, 0xc5, 0xc0, 0x4b, 0xd8, + 0x93, 0xaa, 0x7e, 0xf0, 0x90, 0x08, 0x10, 0x26, 0x72, 0x6d, 0xb9, 0x21, + 0xae, 0x4d, 0x01, 0x4b, 0x55, 0x1d, 0xe7, 0x1e, 0x5e, 0x31, 0x6e, 0x62, + 0xd1, 0x33, 0x26, 0xcb, 0xdb, 0xfe, 0x72, 0x98, 0xc8, 0x06, 0x1c, 0x12, + 0xdf, 0xfc, 0x74, 0xe5, 0x7a, 0x6f, 0xf5, 0xa3, 0x63, 0x08, 0xe3, 0x02, + 0x68, 0x4d, 0x7c, 0x70, 0x05, 0xec, 0x95, 0x7e, 0x24, 0xa4, 0xbc, 0x4c, + 0xcd, 0x39, 0x14, 0xb5, 0x2a, 0x8f, 0xc1, 0xe3, 0x4e, 0xfa, 0xf8, 0x70, + 0x50, 0x8f, 0xd5, 0x8e, 0xc7, 0xb5, 0x32, 0x89, 0x4d, 0xbb, 0x6a, 0xc1, + 0xc1, 0xa2, 0x42, 0x57, 0x57, 0xbd, 0x2a, 0xdc, 0xa6, 0xfd, 0xc8, 0x86, + 0x44, 0x6a, 0x03, 0x5d, 0x4d, 0x28, 0xe1, 0xde, 0xb4, 0xa9, 0xa5, 0x03, + 0x61, 0x7a, 0x5f, 0xb1, 0x09, 0x17, 0x2b, 0x9c, 0xa2, 0x54, 0x28, 0xad, + 0x34, 0xc9, 0x5f, 0x6c, 0x9f, 0xb8, 0xd2, 0xa9, 0x78, 0xa7, 0xaa, 0xb3, + 0x11, 0x2f, 0x65, 0x9b, 0x4e, 0x67, 0x0c, 0xcc, 0x20, 0x36, 0xbf, 0x26, + 0x2b, 0x4e, 0xc0, 0xd4, 0xbd, 0x22, 0x64, 0xc4, 0x1c, 0x56, 0x69, 0xdb, + 0x5f, 0x89, 0xe1, 0x75, 0x68, 0x8d, 0x0e, 0xab, 0x1c, 0x10, 0x1a, 0xc0, + 0x12, 0x5d, 0x6f, 0xbd, 0x09, 0xbb, 0x47, 0xcb, 0xe7, 0x34, 0xef, 0x56, + 0xab, 0xea, 0xc3, 0xe9, 0x7f, 0x9a, 0x3d, 0xe9, 0x2d, 0x14, 0x61, 0x25, + 0x37, 0x5c, 0x3b, 0x4b, 0xaf, 0x5a, 0x4b, 0xc8, 0x99, 0x1a, 0x32, 0x8f, + 0x54, 0x07, 0xd3, 0x57, 0x8a, 0x3d, 0x2a, 0xf7, 0x9e, 0x7e, 0x92, 0x2a, + 0x50, 0xe9, 0xd8, 0xdb, 0xd6, 0x03, 0xd3, 0x8e, 0x54, 0x32, 0xce, 0x87, + 0x93, 0x92, 0xe7, 0x75, 0xe1, 0x6b, 0x78, 0x1a, 0x85, 0xc2, 0x46, 0xa1, + 0x31, 0xbb, 0xc7, 0xb9, 0x1d, 0xd1, 0x71, 0xe0, 0xe2, 0x9b, 0x9c, 0x0d, + 0xa3, 0xcf, 0x93, 0x4d, 0x87, 0x7b, 0x65, 0xd9, 0xda, 0x4c, 0xd9, 0x6a, + 0xa6, 0x36, 0xc2, 0xc7, 0xe3, 0x33, 0xe2, 0xc3, 0x83, 0xd1, 0x72, 0x54, + 0x30, 0x81, 0x5e, 0x34, 0x2c, 0x61, 0xee, 0xf4, 0x48, 0x97, 0xb6, 0xaa, + 0x47, 0x6a, 0x05, 0x09, 0xd8, 0x4d, 0x90, 0xaf, 0xa8, 0x4e, 0x82, 0xe4, + 0x8e, 0xb5, 0xe2, 0x65, 0x86, 0x67, 0xe9, 0x5b, 0x4b, 0x9a, 0x68, 0x08, + 0x30, 0xf6, 0x25, 0x8b, 0x20, 0xda, 0x26, 0x6f, 0xbd, 0x0d, 0xa5, 0xd8, + 0x6a, 0x7b, 0x01, 0x2f, 0xab, 0x7b, 0xb5, 0xfe, 0x62, 0x37, 0x2d, 0x94, + 0x43, 0x2f, 0x4d, 0x16, 0x01, 0x00, 0x01, 0x00, +}; + +// 2048 bit RSA signature. +const uint8_t kSignature2048[ANDROID_PUBKEY_MODULUS_SIZE] = { + 0x3a, 0x11, 0x84, 0x40, 0xc1, 0x2f, 0x13, 0x8c, 0xde, 0xb0, 0xc3, 0x89, + 0x8a, 0x63, 0xb2, 0x50, 0x93, 0x58, 0xc0, 0x0c, 0xb7, 0x08, 0xe7, 0x6c, + 0x52, 0x87, 0x4e, 0x78, 0x89, 0xa3, 0x9a, 0x47, 0xeb, 0x11, 0x57, 0xbc, + 0xb3, 0x97, 0xf8, 0x34, 0xf1, 0xf7, 0xbf, 0x3a, 0xfa, 0x1c, 0x6b, 0xdc, + 0xd1, 0x02, 0xde, 0x9a, 0x0d, 0x72, 0xe7, 0x19, 0x63, 0x81, 0x46, 0x68, + 0x1e, 0x63, 0x64, 0xc6, 0x59, 0xe7, 0x7c, 0x39, 0xed, 0x32, 0xd2, 0xd1, + 0xd5, 0x1f, 0x13, 0x9b, 0x52, 0xdf, 0x34, 0xa3, 0xc0, 0xc4, 0x9a, 0x63, + 0x9b, 0x9c, 0xbe, 0x22, 0xc8, 0xd8, 0x14, 0x2f, 0x4c, 0x78, 0x36, 0xdb, + 0x16, 0x41, 0x67, 0xc1, 0x21, 0x8a, 0x73, 0xb2, 0xe5, 0xb0, 0xd3, 0x80, + 0x91, 0x7a, 0xbf, 0xf9, 0x59, 0x4a, 0x4d, 0x78, 0x45, 0x44, 0xa1, 0x52, + 0x86, 0x29, 0x48, 0x4d, 0xf0, 0x5d, 0xf2, 0x55, 0xa7, 0xcd, 0xc5, 0x2b, + 0x7b, 0xe0, 0xb1, 0xf6, 0x2a, 0xd5, 0x61, 0xba, 0x1e, 0x1e, 0x3a, 0xf0, + 0x55, 0xbc, 0x8c, 0x44, 0x41, 0xfc, 0xb8, 0x8c, 0x76, 0xbf, 0x80, 0x58, + 0x82, 0x35, 0x4b, 0x0c, 0xfd, 0xef, 0xd5, 0x70, 0xd1, 0x64, 0xcb, 0x46, + 0x58, 0x37, 0xbc, 0xa9, 0x7d, 0xd4, 0x70, 0xac, 0xce, 0xec, 0xca, 0x48, + 0xcb, 0x0a, 0x40, 0x77, 0x04, 0x59, 0xca, 0x9c, 0x7d, 0x1a, 0x0b, 0xf0, + 0xb5, 0xdd, 0xde, 0x71, 0x18, 0xb8, 0xef, 0x90, 0x2a, 0x09, 0x42, 0x39, + 0x74, 0xff, 0x45, 0xa1, 0x39, 0x17, 0x50, 0x89, 0xa6, 0x5f, 0xbc, 0x9c, + 0x0c, 0x9b, 0x47, 0x25, 0x79, 0x3e, 0xe3, 0xaa, 0xaf, 0xbe, 0x73, 0x6b, + 0xcb, 0xe7, 0x35, 0xc1, 0x27, 0x09, 0xcd, 0xeb, 0xd7, 0xcf, 0x63, 0x83, + 0x64, 0x8c, 0x45, 0x1c, 0x1d, 0x58, 0xcc, 0xd2, 0xf8, 0x2b, 0x4c, 0x4e, + 0x14, 0x89, 0x2d, 0x70, +}; + +struct AndroidPubkeyTest : public ::testing::Test { + void SetUp() override { + RSA* new_key = nullptr; + ASSERT_TRUE(android_pubkey_decode(kKey2048, sizeof(kKey2048), &new_key)); + key_.reset(new_key); + } + + std::unique_ptr key_ = {nullptr, RSA_free}; +}; + +TEST_F(AndroidPubkeyTest, Decode) { + // Make sure the decoded key successfully verifies a valid signature. + EXPECT_TRUE(RSA_verify(NID_sha256, kDigest, sizeof(kDigest), kSignature2048, + sizeof(kSignature2048), key_.get())); +} + +TEST_F(AndroidPubkeyTest, Encode) { + uint8_t key_data[ANDROID_PUBKEY_ENCODED_SIZE]; + ASSERT_TRUE(android_pubkey_encode(key_.get(), key_data, sizeof(key_data))); + ASSERT_EQ(0, memcmp(kKey2048, key_data, sizeof(kKey2048))); +}