| Kenny Root | 6071179 | 2013-08-16 14:02:41 -0700 | [diff] [blame] | 1 | /* |
| 2 | * Copyright 2013 The Android Open Source Project |
| 3 | * |
| 4 | * Redistribution and use in source and binary forms, with or without |
| 5 | * modification, are permitted provided that the following conditions |
| 6 | * are met: |
| 7 | * 1. Redistributions of source code must retain the above copyright |
| 8 | * notice, this list of conditions and the following disclaimer. |
| 9 | * 2. Redistributions in binary form must reproduce the above copyright |
| 10 | * notice, this list of conditions and the following disclaimer in the |
| 11 | * documentation and/or other materials provided with the distribution. |
| 12 | * |
| 13 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY |
| 14 | * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED |
| 15 | * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE |
| 16 | * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY |
| 17 | * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES |
| 18 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; |
| 19 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND |
| 20 | * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
| 21 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
| 22 | * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 23 | * |
| 24 | */ |
| 25 | |
| Kenny Root | 26cfc08 | 2013-09-11 14:38:56 -0700 | [diff] [blame] | 26 | #include <UniquePtr.h> |
| Kenny Root | 6071179 | 2013-08-16 14:02:41 -0700 | [diff] [blame] | 27 | |
| 28 | //#define LOG_NDEBUG 0 |
| 29 | #define LOG_TAG "OpenSSL-keystore-dsa" |
| 30 | #include <cutils/log.h> |
| 31 | |
| 32 | #include <binder/IServiceManager.h> |
| 33 | #include <keystore/IKeystoreService.h> |
| 34 | |
| 35 | #include <openssl/dsa.h> |
| 36 | #include <openssl/engine.h> |
| 37 | |
| 38 | #include "methods.h" |
| 39 | |
| 40 | |
| 41 | using namespace android; |
| 42 | |
| 43 | struct DSA_SIG_Delete { |
| 44 | void operator()(DSA_SIG* p) const { |
| 45 | DSA_SIG_free(p); |
| 46 | } |
| 47 | }; |
| 48 | typedef UniquePtr<DSA_SIG, struct DSA_SIG_Delete> Unique_DSA_SIG; |
| 49 | |
| 50 | static DSA_SIG* keystore_dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) { |
| 51 | ALOGV("keystore_dsa_do_sign(%p, %d, %p)", dgst, dlen, dsa); |
| 52 | |
| 53 | uint8_t* key_id = reinterpret_cast<uint8_t*>(DSA_get_ex_data(dsa, dsa_key_handle)); |
| 54 | if (key_id == NULL) { |
| 55 | ALOGE("key had no key_id!"); |
| 56 | return 0; |
| 57 | } |
| 58 | |
| 59 | sp<IServiceManager> sm = defaultServiceManager(); |
| 60 | sp<IBinder> binder = sm->getService(String16("android.security.keystore")); |
| 61 | sp<IKeystoreService> service = interface_cast<IKeystoreService>(binder); |
| 62 | |
| 63 | if (service == NULL) { |
| 64 | ALOGE("could not contact keystore"); |
| 65 | return 0; |
| 66 | } |
| 67 | |
| 68 | int num = DSA_size(dsa); |
| 69 | |
| 70 | uint8_t* reply = NULL; |
| 71 | size_t replyLen; |
| 72 | int32_t ret = service->sign(String16(reinterpret_cast<const char*>(key_id)), dgst, |
| 73 | dlen, &reply, &replyLen); |
| 74 | if (ret < 0) { |
| 75 | ALOGW("There was an error during dsa_do_sign: could not connect"); |
| 76 | return 0; |
| 77 | } else if (ret != 0) { |
| 78 | ALOGW("Error during sign from keystore: %d", ret); |
| 79 | return 0; |
| 80 | } else if (replyLen <= 0) { |
| 81 | ALOGW("No valid signature returned"); |
| 82 | return 0; |
| 83 | } else if (replyLen > (size_t) num) { |
| 84 | ALOGW("Signature is too large"); |
| 85 | return 0; |
| 86 | } |
| 87 | |
| 88 | Unique_DSA_SIG dsa_sig(d2i_DSA_SIG(NULL, |
| 89 | const_cast<const unsigned char**>(reinterpret_cast<unsigned char**>(&reply)), |
| 90 | replyLen)); |
| 91 | if (dsa_sig.get() == NULL) { |
| 92 | ALOGW("conversion from DER to DSA_SIG failed"); |
| 93 | return 0; |
| 94 | } |
| 95 | |
| Colin Cross | 20e90ad | 2014-02-06 20:38:48 -0800 | [diff] [blame] | 96 | ALOGV("keystore_dsa_do_sign(%p, %d, %p) => returning %p len %zu", dgst, dlen, dsa, |
| Kenny Root | 6071179 | 2013-08-16 14:02:41 -0700 | [diff] [blame] | 97 | dsa_sig.get(), replyLen); |
| 98 | return dsa_sig.release(); |
| 99 | } |
| 100 | |
| 101 | static DSA_METHOD keystore_dsa_meth = { |
| 102 | kKeystoreEngineId, /* name */ |
| 103 | keystore_dsa_do_sign, /* dsa_do_sign */ |
| 104 | NULL, /* dsa_sign_setup */ |
| 105 | NULL, /* dsa_do_verify */ |
| 106 | NULL, /* dsa_mod_exp */ |
| 107 | NULL, /* bn_mod_exp */ |
| 108 | NULL, /* init */ |
| 109 | NULL, /* finish */ |
| 110 | 0, /* flags */ |
| 111 | NULL, /* app_data */ |
| 112 | NULL, /* dsa_paramgen */ |
| 113 | NULL, /* dsa_keygen */ |
| 114 | }; |
| 115 | |
| 116 | static int register_dsa_methods() { |
| 117 | const DSA_METHOD* dsa_meth = DSA_OpenSSL(); |
| 118 | |
| 119 | keystore_dsa_meth.dsa_do_verify = dsa_meth->dsa_do_verify; |
| 120 | |
| 121 | return 1; |
| 122 | } |
| 123 | |
| 124 | int dsa_pkey_setup(ENGINE *e, EVP_PKEY *pkey, const char *key_id) { |
| 125 | Unique_DSA dsa(EVP_PKEY_get1_DSA(pkey)); |
| 126 | if (!DSA_set_ex_data(dsa.get(), dsa_key_handle, reinterpret_cast<void*>(strdup(key_id)))) { |
| 127 | ALOGW("Could not set ex_data for loaded DSA key"); |
| 128 | return 0; |
| 129 | } |
| 130 | |
| 131 | DSA_set_method(dsa.get(), &keystore_dsa_meth); |
| 132 | |
| 133 | /* |
| 134 | * "DSA_set_ENGINE()" should probably be an OpenSSL API. Since it isn't, |
| 135 | * and EVP_PKEY_free() calls ENGINE_finish(), we need to call ENGINE_init() |
| 136 | * here. |
| 137 | */ |
| 138 | ENGINE_init(e); |
| 139 | dsa->engine = e; |
| 140 | |
| 141 | return 1; |
| 142 | } |
| 143 | |
| 144 | int dsa_register(ENGINE* e) { |
| 145 | if (!ENGINE_set_DSA(e, &keystore_dsa_meth) |
| 146 | || !register_dsa_methods()) { |
| 147 | ALOGE("Could not set up keystore DSA methods"); |
| 148 | return 0; |
| 149 | } |
| 150 | |
| 151 | return 1; |
| 152 | } |