Make Keystore2's crypto operations their own crate
This cleanly separates out the underlying C++ code and allows clients
to depend only on the safe wrapper.
Test: keystore2_crypto_test
Test: keystore2_crypto_test_rust
Change-Id: I730ebe22ac66287a5650a36b7aeb61c69172e0f8
diff --git a/keystore2/src/crypto/Android.bp b/keystore2/src/crypto/Android.bp
new file mode 100644
index 0000000..061cf9a
--- /dev/null
+++ b/keystore2/src/crypto/Android.bp
@@ -0,0 +1,84 @@
+// Copyright 2020, The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+rust_library {
+ name: "libkeystore2_crypto_rust",
+ crate_name: "keystore2_crypto",
+ srcs: ["lib.rs"],
+ rustlibs: [
+ "libkeystore2_crypto_bindgen",
+ ],
+ static_libs: ["libkeystore2_crypto"],
+ shared_libs: ["libcrypto"],
+}
+
+cc_library {
+ name: "libkeystore2_crypto",
+ srcs: [
+ "crypto.cpp",
+ "certificate_utils.cpp",
+ ],
+ export_include_dirs: ["include",],
+ shared_libs: [
+ "libcrypto",
+ "liblog",
+ ],
+}
+
+rust_bindgen {
+ name: "libkeystore2_crypto_bindgen",
+ wrapper_src: "crypto.hpp",
+ crate_name: "keystore2_crypto_bindgen",
+ source_stem: "bindings",
+ host_supported: true,
+}
+
+rust_test {
+ name: "keystore2_crypto_test_rust",
+ crate_name: "keystore2_crypto_test_rust",
+ srcs: ["lib.rs"],
+ test_suites: ["general-tests"],
+ auto_gen_config: true,
+ rustlibs: [
+ "libkeystore2_crypto_bindgen",
+ "libkeystore2_crypto_rust",
+ ],
+ static_libs: [
+ "libkeystore2_crypto",
+ ],
+ shared_libs: [
+ "libc++",
+ "libcrypto",
+ "liblog",
+ ],
+}
+
+cc_test {
+ cflags: [
+ "-Wall",
+ "-Werror",
+ "-Wextra",
+ ],
+ srcs: [
+ "tests/certificate_utils_test.cpp",
+ "tests/gtest_main.cpp",
+ ],
+ static_libs: [
+ "libkeystore2_crypto",
+ ],
+ shared_libs: [
+ "libcrypto",
+ ],
+ name: "keystore2_crypto_test",
+}
diff --git a/keystore2/src/certificate_utils.cpp b/keystore2/src/crypto/certificate_utils.cpp
similarity index 100%
rename from keystore2/src/certificate_utils.cpp
rename to keystore2/src/crypto/certificate_utils.cpp
diff --git a/keystore2/src/crypto.cpp b/keystore2/src/crypto/crypto.cpp
similarity index 100%
rename from keystore2/src/crypto.cpp
rename to keystore2/src/crypto/crypto.cpp
diff --git a/keystore2/src/crypto.hpp b/keystore2/src/crypto/crypto.hpp
similarity index 100%
rename from keystore2/src/crypto.hpp
rename to keystore2/src/crypto/crypto.hpp
diff --git a/keystore2/src/crypto/include/certificate_utils.h b/keystore2/src/crypto/include/certificate_utils.h
new file mode 100644
index 0000000..9d41eb8
--- /dev/null
+++ b/keystore2/src/crypto/include/certificate_utils.h
@@ -0,0 +1,167 @@
+/*
+ * Copyright 2020, The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#pragma once
+
+#include <openssl/err.h>
+#include <openssl/x509.h>
+#include <stdint.h>
+
+#include <memory>
+#include <optional>
+#include <variant>
+
+namespace keystore {
+// We use boringssl error codes. Error codes that we add are folded into LIB_USER.
+// The CertificateUtilsInternallErrorCodes enum should not be used by callers, instead use the
+// BoringSslError constant definitions below for error codes.
+using BoringSslError = unsigned long;
+
+#define DEFINE_OPENSSL_OBJECT_POINTER(name) using name##_Ptr = bssl::UniquePtr<name>
+
+DEFINE_OPENSSL_OBJECT_POINTER(ASN1_BIT_STRING);
+DEFINE_OPENSSL_OBJECT_POINTER(ASN1_STRING);
+DEFINE_OPENSSL_OBJECT_POINTER(ASN1_INTEGER);
+DEFINE_OPENSSL_OBJECT_POINTER(ASN1_OCTET_STRING);
+DEFINE_OPENSSL_OBJECT_POINTER(ASN1_TIME);
+DEFINE_OPENSSL_OBJECT_POINTER(EVP_PKEY);
+DEFINE_OPENSSL_OBJECT_POINTER(X509);
+DEFINE_OPENSSL_OBJECT_POINTER(X509_EXTENSION);
+DEFINE_OPENSSL_OBJECT_POINTER(X509_NAME);
+DEFINE_OPENSSL_OBJECT_POINTER(EVP_PKEY_CTX);
+
+class CertUtilsError {
+ public:
+ enum Error {
+ Ok = 0,
+ BoringSsl,
+ Encoding,
+ MemoryAllocation,
+ InvalidArgument,
+ UnexpectedNullPointer,
+ };
+
+ private:
+ Error e_;
+
+ public:
+ constexpr CertUtilsError(Error e) : e_(e) {}
+ explicit constexpr operator bool() const { return e_ != Ok; }
+};
+
+struct KeyUsageExtension {
+ bool isSigningKey;
+ bool isEncryptionKey;
+ bool isCertificationKey;
+};
+
+struct BasicConstraintsExtension {
+ bool isCa;
+ std::optional<int> pathLength;
+};
+
+/**
+ * This function allocates and prepares an X509 certificate structure with all of the information
+ * given. Next steps would be to set an Issuer with `setIssuer` and sign it with either
+ * `signCert` or `signCertWith`.
+ * @param evp_pkey The public key that the certificate is issued for.
+ * @param serial The certificate serial number.
+ * @param subject The subject common name.
+ * @param activeDateTimeMilliSeconds The not before date in epoch milliseconds.
+ * @param usageExpireDateTimeMilliSeconds The not after date in epoch milliseconds.
+ * @param addSubjectKeyIdEx If true, adds the subject key id extension.
+ * @param keyUsageEx If given adds, the key usage extension with the given flags.
+ * @param basicConstraints If given, adds the basic constraints extension with the given data.
+ * @return CertUtilsError::Ok on success.
+ */
+std::variant<CertUtilsError, X509_Ptr>
+makeCert(const EVP_PKEY* evp_pkey, //
+ const uint32_t serial, //
+ const char subject[], //
+ const uint64_t activeDateTimeMilliSeconds, //
+ const uint64_t usageExpireDateTimeMilliSeconds, //
+ bool addSubjectKeyIdEx, //
+ std::optional<KeyUsageExtension> keyUsageEx, //
+ std::optional<BasicConstraintsExtension> basicConstraints); //
+
+/**
+ * Takes the subject name from `signingCert` and sets it as issuer name in `cert`.
+ * if `addAuthKeyExt` is true it also generates the digest of the signing certificates's public key
+ * and sets it as authority key id extension in `cert`.
+ * For self signed certificates pass the same pointer to both `cert` and `signingCert`.
+ *
+ * @param cert
+ * @param signingCert
+ * @param addAuthKeyExt
+ * @return CertUtilsError::Ok on success.
+ */
+CertUtilsError setIssuer(X509* cert, const X509* signingCert, bool addAuthKeyExt);
+
+/**
+ * Takes a certificate, and private signing_key.
+ * Signs the certificate with the latter.
+ */
+CertUtilsError signCert(X509* certificate, EVP_PKEY* signing_key);
+
+enum class Digest {
+ SHA1,
+ SHA224,
+ SHA256,
+ SHA384,
+ SHA512,
+};
+
+enum class Algo {
+ ECDSA,
+ RSA,
+};
+
+enum class Padding {
+ Ignored,
+ PKCS1_5,
+ PSS,
+};
+
+/**
+ * Sets the signature specifier of the certificate and the signature according to the parameters
+ * c. Then it signs the certificate with the `sign` callback.
+ * IMPORTANT: The parameters `algo`, `padding`, and `digest` do not control the actual signing
+ * algorithm. The caller is responsible to provide a callback that actually performs the signature
+ * as described by this triplet.
+ * The `padding` argument is ignored if `algo` is Algo::EC.
+ * The `digest` field controls the message digest used, and, in case of RSA with PSS padding,
+ * also the MGF1 digest.
+ *
+ * @param certificate X509 certificate structure to be signed.
+ * @param sign Callback function used to digest and sign the DER encoded to-be-signed certificate.
+ * @param algo Algorithm specifier used to encode the signing algorithm id of the X509 certificate.
+ * @param padding Padding specifier used to encode the signing algorithm id of the X509 certificate.
+ * @param digest Digest specifier used to encode the signing algorithm id of the X509 certificate.
+ * @return CertUtilsError::Ok on success.
+ */
+CertUtilsError signCertWith(X509* certificate,
+ std::function<std::vector<uint8_t>(const uint8_t*, size_t)> sign,
+ Algo algo, Padding padding, Digest digest);
+
+/**
+ * Generates the DER representation of the given signed X509 certificate structure.
+ * @param certificate
+ * @return std::vector<uint8_t> with the DER encoded certificate on success. An error code
+ * otherwise.
+ */
+std::variant<CertUtilsError, std::vector<uint8_t>> encodeCert(X509* certificate);
+
+} // namespace keystore
diff --git a/keystore2/src/crypto.rs b/keystore2/src/crypto/lib.rs
similarity index 95%
rename from keystore2/src/crypto.rs
rename to keystore2/src/crypto/lib.rs
index b25b648..6ec5edb 100644
--- a/keystore2/src/crypto.rs
+++ b/keystore2/src/crypto/lib.rs
@@ -12,6 +12,9 @@
// See the License for the specific language governing permissions and
// limitations under the License.
+// TODO: Once this is complete, remove this and document everything public.
+#![allow(missing_docs)]
+
#[cfg(test)]
mod tests {
diff --git a/keystore2/src/tests/certificate_utils_test.cpp b/keystore2/src/crypto/tests/certificate_utils_test.cpp
similarity index 100%
rename from keystore2/src/tests/certificate_utils_test.cpp
rename to keystore2/src/crypto/tests/certificate_utils_test.cpp
diff --git a/keystore2/src/tests/gtest_main.cpp b/keystore2/src/crypto/tests/gtest_main.cpp
similarity index 100%
rename from keystore2/src/tests/gtest_main.cpp
rename to keystore2/src/crypto/tests/gtest_main.cpp
diff --git a/keystore2/src/tests/test_keys.h b/keystore2/src/crypto/tests/test_keys.h
similarity index 100%
rename from keystore2/src/tests/test_keys.h
rename to keystore2/src/crypto/tests/test_keys.h
diff --git a/keystore2/src/lib.rs b/keystore2/src/lib.rs
index 3e13c5f..067399e 100644
--- a/keystore2/src/lib.rs
+++ b/keystore2/src/lib.rs
@@ -14,7 +14,6 @@
//! This crate implements the Android Keystore 2.0 service.
-mod crypto;
pub mod database;
pub mod error;
pub mod globals;