1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #include "net/android/keystore_openssl.h" 6 7 #include <jni.h> 8 #include <openssl/bn.h> 9 // This include is required to get the ECDSA_METHOD structure definition 10 // which isn't currently part of the OpenSSL official ABI. This should 11 // not be a concern for Chromium which always links against its own 12 // version of the library on Android. 13 #include <openssl/crypto/ecdsa/ecs_locl.h> 14 // And this one is needed for the EC_GROUP definition. 15 #include <openssl/crypto/ec/ec_lcl.h> 16 #include <openssl/dsa.h> 17 #include <openssl/ec.h> 18 #include <openssl/engine.h> 19 #include <openssl/evp.h> 20 #include <openssl/rsa.h> 21 22 #include "base/android/build_info.h" 23 #include "base/android/jni_android.h" 24 #include "base/android/scoped_java_ref.h" 25 #include "base/basictypes.h" 26 #include "base/lazy_instance.h" 27 #include "base/logging.h" 28 #include "crypto/openssl_util.h" 29 #include "net/android/keystore.h" 30 #include "net/ssl/ssl_client_cert_type.h" 31 32 // IMPORTANT NOTE: The following code will currently only work when used 33 // to implement client certificate support with OpenSSL. That's because 34 // only the signing operations used in this use case are implemented here. 35 // 36 // Generally speaking, OpenSSL provides many different ways to sign 37 // digests. This code doesn't support all these cases, only the ones that 38 // are required to sign the digest during the OpenSSL handshake for TLS. 39 // 40 // The OpenSSL EVP_PKEY type is a generic wrapper around key pairs. 41 // Internally, it can hold a pointer to a RSA, DSA or ECDSA structure, 42 // which model keypair implementations of each respective crypto 43 // algorithm. 44 // 45 // The RSA type has a 'method' field pointer to a vtable-like structure 46 // called a RSA_METHOD. This contains several function pointers that 47 // correspond to operations on RSA keys (e.g. decode/encode with public 48 // key, decode/encode with private key, signing, validation), as well as 49 // a few flags. 50 // 51 // For example, the RSA_sign() function will call "method->rsa_sign()" if 52 // method->rsa_sign is not NULL, otherwise, it will perform a regular 53 // signing operation using the other fields in the RSA structure (which 54 // are used to hold the typical modulus / exponent / parameters for the 55 // key pair). 56 // 57 // This source file thus defines a custom RSA_METHOD structure whose 58 // fields point to static methods used to implement the corresponding 59 // RSA operation using platform Android APIs. 60 // 61 // However, the platform APIs require a jobject JNI reference to work. 62 // It must be stored in the RSA instance, or made accessible when the 63 // custom RSA methods are called. This is done by using RSA_set_app_data() 64 // and RSA_get_app_data(). 65 // 66 // One can thus _directly_ create a new EVP_PKEY that uses a custom RSA 67 // object with the following: 68 // 69 // RSA* rsa = RSA_new() 70 // RSA_set_method(&custom_rsa_method); 71 // RSA_set_app_data(rsa, jni_private_key); 72 // 73 // EVP_PKEY* pkey = EVP_PKEY_new(); 74 // EVP_PKEY_assign_RSA(pkey, rsa); 75 // 76 // Note that because EVP_PKEY_assign_RSA() is used, instead of 77 // EVP_PKEY_set1_RSA(), the new EVP_PKEY now owns the RSA object, and 78 // will destroy it when it is itself destroyed. 79 // 80 // Unfortunately, such objects cannot be used with RSA_size(), which 81 // totally ignores the RSA_METHOD pointers. Instead, it is necessary 82 // to manually setup the modulus field (n) in the RSA object, with a 83 // value that matches the wrapped PrivateKey object. See GetRsaPkeyWrapper 84 // for full details. 85 // 86 // Similarly, custom DSA_METHOD and ECDSA_METHOD are defined by this source 87 // file, and appropriate field setups are performed to ensure that 88 // DSA_size() and ECDSA_size() work properly with the wrapper EVP_PKEY. 89 // 90 // Note that there is no need to define an OpenSSL ENGINE here. These 91 // are objects that can be used to expose custom methods (i.e. either 92 // RSA_METHOD, DSA_METHOD, ECDSA_METHOD, and a large number of other ones 93 // for types not related to this source file), and make them used by 94 // default for a lot of operations. Very fortunately, this is not needed 95 // here, which saves a lot of complexity. 96 97 using base::android::ScopedJavaGlobalRef; 98 99 namespace net { 100 namespace android { 101 102 namespace { 103 104 typedef crypto::ScopedOpenSSL<EVP_PKEY, EVP_PKEY_free> ScopedEVP_PKEY; 105 typedef crypto::ScopedOpenSSL<RSA, RSA_free> ScopedRSA; 106 typedef crypto::ScopedOpenSSL<DSA, DSA_free> ScopedDSA; 107 typedef crypto::ScopedOpenSSL<EC_KEY, EC_KEY_free> ScopedEC_KEY; 108 typedef crypto::ScopedOpenSSL<EC_GROUP, EC_GROUP_free> ScopedEC_GROUP; 109 110 // Custom RSA_METHOD that uses the platform APIs. 111 // Note that for now, only signing through RSA_sign() is really supported. 112 // all other method pointers are either stubs returning errors, or no-ops. 113 // See <openssl/rsa.h> for exact declaration of RSA_METHOD. 114 115 int RsaMethodPubEnc(int flen, 116 const unsigned char* from, 117 unsigned char* to, 118 RSA* rsa, 119 int padding) { 120 NOTIMPLEMENTED(); 121 RSAerr(RSA_F_RSA_PUBLIC_ENCRYPT, RSA_R_RSA_OPERATIONS_NOT_SUPPORTED); 122 return -1; 123 } 124 125 int RsaMethodPubDec(int flen, 126 const unsigned char* from, 127 unsigned char* to, 128 RSA* rsa, 129 int padding) { 130 NOTIMPLEMENTED(); 131 RSAerr(RSA_F_RSA_PUBLIC_DECRYPT, RSA_R_RSA_OPERATIONS_NOT_SUPPORTED); 132 return -1; 133 } 134 135 // See RSA_eay_private_encrypt in 136 // third_party/openssl/openssl/crypto/rsa/rsa_eay.c for the default 137 // implementation of this function. 138 int RsaMethodPrivEnc(int flen, 139 const unsigned char *from, 140 unsigned char *to, 141 RSA *rsa, 142 int padding) { 143 DCHECK_EQ(RSA_PKCS1_PADDING, padding); 144 if (padding != RSA_PKCS1_PADDING) { 145 // TODO(davidben): If we need to, we can implement RSA_NO_PADDING 146 // by using javax.crypto.Cipher and picking either the 147 // "RSA/ECB/NoPadding" or "RSA/ECB/PKCS1Padding" transformation as 148 // appropriate. I believe support for both of these was added in 149 // the same Android version as the "NONEwithRSA" 150 // java.security.Signature algorithm, so the same version checks 151 // for GetRsaLegacyKey should work. 152 RSAerr(RSA_F_RSA_PRIVATE_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE); 153 return -1; 154 } 155 156 // Retrieve private key JNI reference. 157 jobject private_key = reinterpret_cast<jobject>(RSA_get_app_data(rsa)); 158 if (!private_key) { 159 LOG(WARNING) << "Null JNI reference passed to RsaMethodPrivEnc!"; 160 RSAerr(RSA_F_RSA_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR); 161 return -1; 162 } 163 164 base::StringPiece from_piece(reinterpret_cast<const char*>(from), flen); 165 std::vector<uint8> result; 166 // For RSA keys, this function behaves as RSA_private_encrypt with 167 // PKCS#1 padding. 168 if (!RawSignDigestWithPrivateKey(private_key, from_piece, &result)) { 169 LOG(WARNING) << "Could not sign message in RsaMethodPrivEnc!"; 170 RSAerr(RSA_F_RSA_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR); 171 return -1; 172 } 173 174 size_t expected_size = static_cast<size_t>(RSA_size(rsa)); 175 if (result.size() > expected_size) { 176 LOG(ERROR) << "RSA Signature size mismatch, actual: " 177 << result.size() << ", expected <= " << expected_size; 178 RSAerr(RSA_F_RSA_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR); 179 return -1; 180 } 181 182 // Copy result to OpenSSL-provided buffer. RawSignDigestWithPrivateKey 183 // should pad with leading 0s, but if it doesn't, pad the result. 184 size_t zero_pad = expected_size - result.size(); 185 memset(to, 0, zero_pad); 186 memcpy(to + zero_pad, &result[0], result.size()); 187 188 return expected_size; 189 } 190 191 int RsaMethodPrivDec(int flen, 192 const unsigned char* from, 193 unsigned char* to, 194 RSA* rsa, 195 int padding) { 196 NOTIMPLEMENTED(); 197 RSAerr(RSA_F_RSA_PRIVATE_DECRYPT, RSA_R_RSA_OPERATIONS_NOT_SUPPORTED); 198 return -1; 199 } 200 201 int RsaMethodInit(RSA* rsa) { 202 return 0; 203 } 204 205 int RsaMethodFinish(RSA* rsa) { 206 // Ensure the global JNI reference created with this wrapper is 207 // properly destroyed with it. 208 jobject key = reinterpret_cast<jobject>(RSA_get_app_data(rsa)); 209 if (key != NULL) { 210 RSA_set_app_data(rsa, NULL); 211 ReleaseKey(key); 212 } 213 // Actual return value is ignored by OpenSSL. There are no docs 214 // explaining what this is supposed to be. 215 return 0; 216 } 217 218 const RSA_METHOD android_rsa_method = { 219 /* .name = */ "Android signing-only RSA method", 220 /* .rsa_pub_enc = */ RsaMethodPubEnc, 221 /* .rsa_pub_dec = */ RsaMethodPubDec, 222 /* .rsa_priv_enc = */ RsaMethodPrivEnc, 223 /* .rsa_priv_dec = */ RsaMethodPrivDec, 224 /* .rsa_mod_exp = */ NULL, 225 /* .bn_mod_exp = */ NULL, 226 /* .init = */ RsaMethodInit, 227 /* .finish = */ RsaMethodFinish, 228 // This flag is necessary to tell OpenSSL to avoid checking the content 229 // (i.e. internal fields) of the private key. Otherwise, it will complain 230 // it's not valid for the certificate. 231 /* .flags = */ RSA_METHOD_FLAG_NO_CHECK, 232 /* .app_data = */ NULL, 233 /* .rsa_sign = */ NULL, 234 /* .rsa_verify = */ NULL, 235 /* .rsa_keygen = */ NULL, 236 }; 237 238 // Copy the contents of an encoded big integer into an existing BIGNUM. 239 // This function modifies |*num| in-place. 240 // |new_bytes| is the byte encoding of the new value. 241 // |num| points to the BIGNUM which will be assigned with the new value. 242 // Returns true on success, false otherwise. On failure, |*num| is 243 // not modified. 244 bool CopyBigNumFromBytes(const std::vector<uint8>& new_bytes, 245 BIGNUM* num) { 246 BIGNUM* ret = BN_bin2bn( 247 reinterpret_cast<const unsigned char*>(&new_bytes[0]), 248 static_cast<int>(new_bytes.size()), 249 num); 250 return (ret != NULL); 251 } 252 253 // Decode the contents of an encoded big integer and either create a new 254 // BIGNUM object (if |*num_ptr| is NULL on input) or copy it (if 255 // |*num_ptr| is not NULL). 256 // |new_bytes| is the byte encoding of the new value. 257 // |num_ptr| is the address of a BIGNUM pointer. |*num_ptr| can be NULL. 258 // Returns true on success, false otherwise. On failure, |*num_ptr| is 259 // not modified. On success, |*num_ptr| will always be non-NULL and 260 // point to a valid BIGNUM object. 261 bool SwapBigNumPtrFromBytes(const std::vector<uint8>& new_bytes, 262 BIGNUM** num_ptr) { 263 BIGNUM* old_num = *num_ptr; 264 BIGNUM* new_num = BN_bin2bn( 265 reinterpret_cast<const unsigned char*>(&new_bytes[0]), 266 static_cast<int>(new_bytes.size()), 267 old_num); 268 if (new_num == NULL) 269 return false; 270 271 if (old_num == NULL) 272 *num_ptr = new_num; 273 return true; 274 } 275 276 // Setup an EVP_PKEY to wrap an existing platform RSA PrivateKey object. 277 // |private_key| is the JNI reference (local or global) to the object. 278 // |pkey| is the EVP_PKEY to setup as a wrapper. 279 // Returns true on success, false otherwise. 280 // On success, this creates a new global JNI reference to the object 281 // that is owned by and destroyed with the EVP_PKEY. I.e. caller can 282 // free |private_key| after the call. 283 // IMPORTANT: The EVP_PKEY will *only* work on Android >= 4.2. For older 284 // platforms, use GetRsaLegacyKey() instead. 285 bool GetRsaPkeyWrapper(jobject private_key, EVP_PKEY* pkey) { 286 ScopedRSA rsa(RSA_new()); 287 RSA_set_method(rsa.get(), &android_rsa_method); 288 289 // HACK: RSA_size() doesn't work with custom RSA_METHODs. To ensure that 290 // it will return the right value, set the 'n' field of the RSA object 291 // to match the private key's modulus. 292 std::vector<uint8> modulus; 293 if (!GetRSAKeyModulus(private_key, &modulus)) { 294 LOG(ERROR) << "Failed to get private key modulus"; 295 return false; 296 } 297 if (!SwapBigNumPtrFromBytes(modulus, &rsa.get()->n)) { 298 LOG(ERROR) << "Failed to decode private key modulus"; 299 return false; 300 } 301 302 ScopedJavaGlobalRef<jobject> global_key; 303 global_key.Reset(NULL, private_key); 304 if (global_key.is_null()) { 305 LOG(ERROR) << "Could not create global JNI reference"; 306 return false; 307 } 308 RSA_set_app_data(rsa.get(), global_key.Release()); 309 EVP_PKEY_assign_RSA(pkey, rsa.release()); 310 return true; 311 } 312 313 // On Android < 4.2, the libkeystore.so ENGINE uses CRYPTO_EX_DATA and is not 314 // added to the global engine list. If all references to it are dropped, OpenSSL 315 // will dlclose the module, leaving a dangling function pointer in the RSA 316 // CRYPTO_EX_DATA class. To work around this, leak an extra reference to the 317 // ENGINE we extract in GetRsaLegacyKey. 318 // 319 // In 4.2, this change avoids the problem: 320 // https://android.googlesource.com/platform/libcore/+/106a8928fb4249f2f3d4dba1dddbe73ca5cb3d61 321 // 322 // https://crbug.com/381465 323 class KeystoreEngineWorkaround { 324 public: 325 KeystoreEngineWorkaround() : leaked_engine_(false) {} 326 327 void LeakRsaEngine(EVP_PKEY* pkey) { 328 if (leaked_engine_) 329 return; 330 ScopedRSA rsa(EVP_PKEY_get1_RSA(pkey)); 331 if (!rsa.get() || 332 !rsa.get()->engine || 333 strcmp(ENGINE_get_id(rsa.get()->engine), "keystore") || 334 !ENGINE_init(rsa.get()->engine)) { 335 NOTREACHED(); 336 return; 337 } 338 leaked_engine_ = true; 339 } 340 341 private: 342 bool leaked_engine_; 343 }; 344 345 void LeakRsaEngine(EVP_PKEY* pkey) { 346 static base::LazyInstance<KeystoreEngineWorkaround>::Leaky s_instance = 347 LAZY_INSTANCE_INITIALIZER; 348 s_instance.Get().LeakRsaEngine(pkey); 349 } 350 351 // Setup an EVP_PKEY to wrap an existing platform RSA PrivateKey object 352 // for Android 4.0 to 4.1.x. Must only be used on Android < 4.2. 353 // |private_key| is a JNI reference (local or global) to the object. 354 // |pkey| is the EVP_PKEY to setup as a wrapper. 355 // Returns true on success, false otherwise. 356 EVP_PKEY* GetRsaLegacyKey(jobject private_key) { 357 EVP_PKEY* sys_pkey = 358 GetOpenSSLSystemHandleForPrivateKey(private_key); 359 if (sys_pkey != NULL) { 360 CRYPTO_add(&sys_pkey->references, 1, CRYPTO_LOCK_EVP_PKEY); 361 LeakRsaEngine(sys_pkey); 362 } else { 363 // GetOpenSSLSystemHandleForPrivateKey() will fail on Android 364 // 4.0.3 and earlier. However, it is possible to get the key 365 // content with PrivateKey.getEncoded() on these platforms. 366 // Note that this method may return NULL on 4.0.4 and later. 367 std::vector<uint8> encoded; 368 if (!GetPrivateKeyEncodedBytes(private_key, &encoded)) { 369 LOG(ERROR) << "Can't get private key data!"; 370 return NULL; 371 } 372 const unsigned char* p = 373 reinterpret_cast<const unsigned char*>(&encoded[0]); 374 int len = static_cast<int>(encoded.size()); 375 sys_pkey = d2i_AutoPrivateKey(NULL, &p, len); 376 if (sys_pkey == NULL) { 377 LOG(ERROR) << "Can't convert private key data!"; 378 return NULL; 379 } 380 } 381 return sys_pkey; 382 } 383 384 // Custom DSA_METHOD that uses the platform APIs. 385 // Note that for now, only signing through DSA_sign() is really supported. 386 // all other method pointers are either stubs returning errors, or no-ops. 387 // See <openssl/dsa.h> for exact declaration of DSA_METHOD. 388 // 389 // Note: There is no DSA_set_app_data() and DSA_get_app_data() functions, 390 // but RSA_set_app_data() is defined as a simple macro that calls 391 // RSA_set_ex_data() with a hard-coded index of 0, so this code 392 // does the same thing here. 393 394 DSA_SIG* DsaMethodDoSign(const unsigned char* dgst, 395 int dlen, 396 DSA* dsa) { 397 // Extract the JNI reference to the PrivateKey object. 398 jobject private_key = reinterpret_cast<jobject>(DSA_get_ex_data(dsa, 0)); 399 if (private_key == NULL) 400 return NULL; 401 402 // Sign the message with it, calling platform APIs. 403 std::vector<uint8> signature; 404 if (!RawSignDigestWithPrivateKey( 405 private_key, 406 base::StringPiece( 407 reinterpret_cast<const char*>(dgst), 408 static_cast<size_t>(dlen)), 409 &signature)) { 410 return NULL; 411 } 412 413 // Note: With DSA, the actual signature might be smaller than DSA_size(). 414 size_t max_expected_size = static_cast<size_t>(DSA_size(dsa)); 415 if (signature.size() > max_expected_size) { 416 LOG(ERROR) << "DSA Signature size mismatch, actual: " 417 << signature.size() << ", expected <= " 418 << max_expected_size; 419 return NULL; 420 } 421 422 // Convert the signature into a DSA_SIG object. 423 const unsigned char* sigbuf = 424 reinterpret_cast<const unsigned char*>(&signature[0]); 425 int siglen = static_cast<size_t>(signature.size()); 426 DSA_SIG* dsa_sig = d2i_DSA_SIG(NULL, &sigbuf, siglen); 427 return dsa_sig; 428 } 429 430 int DsaMethodSignSetup(DSA* dsa, 431 BN_CTX* ctx_in, 432 BIGNUM** kinvp, 433 BIGNUM** rp) { 434 NOTIMPLEMENTED(); 435 DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_INVALID_DIGEST_TYPE); 436 return -1; 437 } 438 439 int DsaMethodDoVerify(const unsigned char* dgst, 440 int dgst_len, 441 DSA_SIG* sig, 442 DSA* dsa) { 443 NOTIMPLEMENTED(); 444 DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_INVALID_DIGEST_TYPE); 445 return -1; 446 } 447 448 int DsaMethodFinish(DSA* dsa) { 449 // Free the global JNI reference that was created with this 450 // wrapper key. 451 jobject key = reinterpret_cast<jobject>(DSA_get_ex_data(dsa,0)); 452 if (key != NULL) { 453 DSA_set_ex_data(dsa, 0, NULL); 454 ReleaseKey(key); 455 } 456 // Actual return value is ignored by OpenSSL. There are no docs 457 // explaining what this is supposed to be. 458 return 0; 459 } 460 461 const DSA_METHOD android_dsa_method = { 462 /* .name = */ "Android signing-only DSA method", 463 /* .dsa_do_sign = */ DsaMethodDoSign, 464 /* .dsa_sign_setup = */ DsaMethodSignSetup, 465 /* .dsa_do_verify = */ DsaMethodDoVerify, 466 /* .dsa_mod_exp = */ NULL, 467 /* .bn_mod_exp = */ NULL, 468 /* .init = */ NULL, // nothing to do here. 469 /* .finish = */ DsaMethodFinish, 470 /* .flags = */ 0, 471 /* .app_data = */ NULL, 472 /* .dsa_paramgem = */ NULL, 473 /* .dsa_keygen = */ NULL 474 }; 475 476 // Setup an EVP_PKEY to wrap an existing DSA platform PrivateKey object. 477 // |private_key| is a JNI reference (local or global) to the object. 478 // |pkey| is the EVP_PKEY to setup as a wrapper. 479 // Returns true on success, false otherwise. 480 // On success, this creates a global JNI reference to the same object 481 // that will be owned by and destroyed with the EVP_PKEY. 482 bool GetDsaPkeyWrapper(jobject private_key, EVP_PKEY* pkey) { 483 ScopedDSA dsa(DSA_new()); 484 DSA_set_method(dsa.get(), &android_dsa_method); 485 486 // DSA_size() doesn't work with custom DSA_METHODs. To ensure it 487 // returns the right value, set the 'q' field in the DSA object to 488 // match the parameter from the platform key. 489 std::vector<uint8> q; 490 if (!GetDSAKeyParamQ(private_key, &q)) { 491 LOG(ERROR) << "Can't extract Q parameter from DSA private key"; 492 return false; 493 } 494 if (!SwapBigNumPtrFromBytes(q, &dsa.get()->q)) { 495 LOG(ERROR) << "Can't decode Q parameter from DSA private key"; 496 return false; 497 } 498 499 ScopedJavaGlobalRef<jobject> global_key; 500 global_key.Reset(NULL, private_key); 501 if (global_key.is_null()) { 502 LOG(ERROR) << "Could not create global JNI reference"; 503 return false; 504 } 505 DSA_set_ex_data(dsa.get(), 0, global_key.Release()); 506 EVP_PKEY_assign_DSA(pkey, dsa.release()); 507 return true; 508 } 509 510 // Custom ECDSA_METHOD that uses the platform APIs. 511 // Note that for now, only signing through ECDSA_sign() is really supported. 512 // all other method pointers are either stubs returning errors, or no-ops. 513 // 514 // Note: The ECDSA_METHOD structure doesn't have init/finish 515 // methods. As such, the only way to to ensure the global 516 // JNI reference is properly released when the EVP_PKEY is 517 // destroyed is to use a custom EX_DATA type. 518 519 // Used to ensure that the global JNI reference associated with a custom 520 // EC_KEY + ECDSA_METHOD wrapper is released when its EX_DATA is destroyed 521 // (this function is called when EVP_PKEY_free() is called on the wrapper). 522 void ExDataFree(void* parent, 523 void* ptr, 524 CRYPTO_EX_DATA* ad, 525 int idx, 526 long argl, 527 void* argp) { 528 jobject private_key = reinterpret_cast<jobject>(ptr); 529 if (private_key == NULL) 530 return; 531 532 CRYPTO_set_ex_data(ad, idx, NULL); 533 ReleaseKey(private_key); 534 } 535 536 int ExDataDup(CRYPTO_EX_DATA* to, 537 CRYPTO_EX_DATA* from, 538 void* from_d, 539 int idx, 540 long argl, 541 void* argp) { 542 // This callback shall never be called with the current OpenSSL 543 // implementation (the library only ever duplicates EX_DATA items 544 // for SSL and BIO objects). But provide this to catch regressions 545 // in the future. 546 CHECK(false) << "ExDataDup was called for ECDSA custom key !?"; 547 // Return value is currently ignored by OpenSSL. 548 return 0; 549 } 550 551 class EcdsaExDataIndex { 552 public: 553 int ex_data_index() { return ex_data_index_; } 554 555 EcdsaExDataIndex() { 556 ex_data_index_ = ECDSA_get_ex_new_index(0, // argl 557 NULL, // argp 558 NULL, // new_func 559 ExDataDup, // dup_func 560 ExDataFree); // free_func 561 } 562 563 private: 564 int ex_data_index_; 565 }; 566 567 // Returns the index of the custom EX_DATA used to store the JNI reference. 568 int EcdsaGetExDataIndex(void) { 569 // Use a LazyInstance to perform thread-safe lazy initialization. 570 // Use a leaky one, since OpenSSL doesn't provide a way to release 571 // allocated EX_DATA indices. 572 static base::LazyInstance<EcdsaExDataIndex>::Leaky s_instance = 573 LAZY_INSTANCE_INITIALIZER; 574 return s_instance.Get().ex_data_index(); 575 } 576 577 ECDSA_SIG* EcdsaMethodDoSign(const unsigned char* dgst, 578 int dgst_len, 579 const BIGNUM* inv, 580 const BIGNUM* rp, 581 EC_KEY* eckey) { 582 // Retrieve private key JNI reference. 583 jobject private_key = reinterpret_cast<jobject>( 584 ECDSA_get_ex_data(eckey, EcdsaGetExDataIndex())); 585 if (!private_key) { 586 LOG(WARNING) << "Null JNI reference passed to EcdsaMethodDoSign!"; 587 return NULL; 588 } 589 // Sign message with it through JNI. 590 std::vector<uint8> signature; 591 base::StringPiece digest( 592 reinterpret_cast<const char*>(dgst), 593 static_cast<size_t>(dgst_len)); 594 if (!RawSignDigestWithPrivateKey( 595 private_key, digest, &signature)) { 596 LOG(WARNING) << "Could not sign message in EcdsaMethodDoSign!"; 597 return NULL; 598 } 599 600 // Note: With ECDSA, the actual signature may be smaller than 601 // ECDSA_size(). 602 size_t max_expected_size = static_cast<size_t>(ECDSA_size(eckey)); 603 if (signature.size() > max_expected_size) { 604 LOG(ERROR) << "ECDSA Signature size mismatch, actual: " 605 << signature.size() << ", expected <= " 606 << max_expected_size; 607 return NULL; 608 } 609 610 // Convert signature to ECDSA_SIG object 611 const unsigned char* sigbuf = 612 reinterpret_cast<const unsigned char*>(&signature[0]); 613 long siglen = static_cast<long>(signature.size()); 614 return d2i_ECDSA_SIG(NULL, &sigbuf, siglen); 615 } 616 617 int EcdsaMethodSignSetup(EC_KEY* eckey, 618 BN_CTX* ctx, 619 BIGNUM** kinv, 620 BIGNUM** r) { 621 NOTIMPLEMENTED(); 622 ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ECDSA_R_ERR_EC_LIB); 623 return -1; 624 } 625 626 int EcdsaMethodDoVerify(const unsigned char* dgst, 627 int dgst_len, 628 const ECDSA_SIG* sig, 629 EC_KEY* eckey) { 630 NOTIMPLEMENTED(); 631 ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ECDSA_R_ERR_EC_LIB); 632 return -1; 633 } 634 635 const ECDSA_METHOD android_ecdsa_method = { 636 /* .name = */ "Android signing-only ECDSA method", 637 /* .ecdsa_do_sign = */ EcdsaMethodDoSign, 638 /* .ecdsa_sign_setup = */ EcdsaMethodSignSetup, 639 /* .ecdsa_do_verify = */ EcdsaMethodDoVerify, 640 /* .flags = */ 0, 641 /* .app_data = */ NULL, 642 }; 643 644 // Setup an EVP_PKEY to wrap an existing platform PrivateKey object. 645 // |private_key| is the JNI reference (local or global) to the object. 646 // |pkey| is the EVP_PKEY to setup as a wrapper. 647 // Returns true on success, false otherwise. 648 // On success, this creates a global JNI reference to the object that 649 // is owned by and destroyed with the EVP_PKEY. I.e. the caller shall 650 // always free |private_key| after the call. 651 bool GetEcdsaPkeyWrapper(jobject private_key, EVP_PKEY* pkey) { 652 ScopedEC_KEY eckey(EC_KEY_new()); 653 ECDSA_set_method(eckey.get(), &android_ecdsa_method); 654 655 // To ensure that ECDSA_size() works properly, craft a custom EC_GROUP 656 // that has the same order than the private key. 657 std::vector<uint8> order; 658 if (!GetECKeyOrder(private_key, &order)) { 659 LOG(ERROR) << "Can't extract order parameter from EC private key"; 660 return false; 661 } 662 ScopedEC_GROUP group(EC_GROUP_new(EC_GFp_nist_method())); 663 if (!group.get()) { 664 LOG(ERROR) << "Can't create new EC_GROUP"; 665 return false; 666 } 667 if (!CopyBigNumFromBytes(order, &group.get()->order)) { 668 LOG(ERROR) << "Can't decode order from PrivateKey"; 669 return false; 670 } 671 EC_KEY_set_group(eckey.get(), group.release()); 672 673 ScopedJavaGlobalRef<jobject> global_key; 674 global_key.Reset(NULL, private_key); 675 if (global_key.is_null()) { 676 LOG(ERROR) << "Can't create global JNI reference"; 677 return false; 678 } 679 ECDSA_set_ex_data(eckey.get(), 680 EcdsaGetExDataIndex(), 681 global_key.Release()); 682 683 EVP_PKEY_assign_EC_KEY(pkey, eckey.release()); 684 return true; 685 } 686 687 } // namespace 688 689 EVP_PKEY* GetOpenSSLPrivateKeyWrapper(jobject private_key) { 690 // Create new empty EVP_PKEY instance. 691 ScopedEVP_PKEY pkey(EVP_PKEY_new()); 692 if (!pkey.get()) 693 return NULL; 694 695 // Create sub key type, depending on private key's algorithm type. 696 PrivateKeyType key_type = GetPrivateKeyType(private_key); 697 switch (key_type) { 698 case PRIVATE_KEY_TYPE_RSA: 699 { 700 // Route around platform bug: if Android < 4.2, then 701 // base::android::RawSignDigestWithPrivateKey() cannot work, so 702 // instead, obtain a raw EVP_PKEY* to the system object 703 // backing this PrivateKey object. 704 const int kAndroid42ApiLevel = 17; 705 if (base::android::BuildInfo::GetInstance()->sdk_int() < 706 kAndroid42ApiLevel) { 707 EVP_PKEY* legacy_key = GetRsaLegacyKey(private_key); 708 if (legacy_key == NULL) 709 return NULL; 710 pkey.reset(legacy_key); 711 } else { 712 // Running on Android 4.2. 713 if (!GetRsaPkeyWrapper(private_key, pkey.get())) 714 return NULL; 715 } 716 } 717 break; 718 case PRIVATE_KEY_TYPE_DSA: 719 if (!GetDsaPkeyWrapper(private_key, pkey.get())) 720 return NULL; 721 break; 722 case PRIVATE_KEY_TYPE_ECDSA: 723 if (!GetEcdsaPkeyWrapper(private_key, pkey.get())) 724 return NULL; 725 break; 726 default: 727 LOG(WARNING) 728 << "GetOpenSSLPrivateKeyWrapper() called with invalid key type"; 729 return NULL; 730 } 731 return pkey.release(); 732 } 733 734 } // namespace android 735 } // namespace net 736