Home | History | Annotate | Download | only in keystore-engine 
      1 /*
      2  * Copyright 2013 The Android Open Source Project
      3  *
      4  * Redistribution and use in source and binary forms, with or without
      5  * modification, are permitted provided that the following conditions
      6  * are met:
      7  * 1. Redistributions of source code must retain the above copyright
      8  *    notice, this list of conditions and the following disclaimer.
      9  * 2. Redistributions in binary form must reproduce the above copyright
     10  *    notice, this list of conditions and the following disclaimer in the
     11  *    documentation and/or other materials provided with the distribution.
     12  *
     13  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY
     14  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
     15  * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
     16  * DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY
     17  * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
     18  * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
     19  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
     20  * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
     21  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
     22  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
     23  *
     24  */
     25 
     26 #include <UniquePtr.h>
     27 
     28 //#define LOG_NDEBUG 0
     29 #define LOG_TAG "OpenSSL-keystore-dsa"
     30 #include <cutils/log.h>
     31 
     32 #include <binder/IServiceManager.h>
     33 #include <keystore/IKeystoreService.h>
     34 
     35 #include <openssl/dsa.h>
     36 #include <openssl/engine.h>
     37 
     38 #include "methods.h"
     39 
     40 
     41 using namespace android;
     42 
     43 struct DSA_SIG_Delete {
     44     void operator()(DSA_SIG* p) const {
     45         DSA_SIG_free(p);
     46     }
     47 };
     48 typedef UniquePtr<DSA_SIG, struct DSA_SIG_Delete> Unique_DSA_SIG;
     49 
     50 static DSA_SIG* keystore_dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) {
     51     ALOGV("keystore_dsa_do_sign(%p, %d, %p)", dgst, dlen, dsa);
     52 
     53     uint8_t* key_id = reinterpret_cast<uint8_t*>(DSA_get_ex_data(dsa, dsa_key_handle));
     54     if (key_id == NULL) {
     55         ALOGE("key had no key_id!");
     56         return 0;
     57     }
     58 
     59     sp<IServiceManager> sm = defaultServiceManager();
     60     sp<IBinder> binder = sm->getService(String16("android.security.keystore"));
     61     sp<IKeystoreService> service = interface_cast<IKeystoreService>(binder);
     62 
     63     if (service == NULL) {
     64         ALOGE("could not contact keystore");
     65         return 0;
     66     }
     67 
     68     int num = DSA_size(dsa);
     69 
     70     uint8_t* reply = NULL;
     71     size_t replyLen;
     72     int32_t ret = service->sign(String16(reinterpret_cast<const char*>(key_id)), dgst,
     73             dlen, &reply, &replyLen);
     74     if (ret < 0) {
     75         ALOGW("There was an error during dsa_do_sign: could not connect");
     76         return 0;
     77     } else if (ret != 0) {
     78         ALOGW("Error during sign from keystore: %d", ret);
     79         return 0;
     80     } else if (replyLen <= 0) {
     81         ALOGW("No valid signature returned");
     82         return 0;
     83     } else if (replyLen > (size_t) num) {
     84         ALOGW("Signature is too large");
     85         return 0;
     86     }
     87 
     88     Unique_DSA_SIG dsa_sig(d2i_DSA_SIG(NULL,
     89             const_cast<const unsigned char**>(reinterpret_cast<unsigned char**>(&reply)),
     90             replyLen));
     91     if (dsa_sig.get() == NULL) {
     92         ALOGW("conversion from DER to DSA_SIG failed");
     93         return 0;
     94     }
     95 
     96     ALOGV("keystore_dsa_do_sign(%p, %d, %p) => returning %p len %zu", dgst, dlen, dsa,
     97             dsa_sig.get(), replyLen);
     98     return dsa_sig.release();
     99 }
    100 
    101 static DSA_METHOD keystore_dsa_meth = {
    102         kKeystoreEngineId, /* name */
    103         keystore_dsa_do_sign, /* dsa_do_sign */
    104         NULL, /* dsa_sign_setup */
    105         NULL, /* dsa_do_verify */
    106         NULL, /* dsa_mod_exp */
    107         NULL, /* bn_mod_exp */
    108         NULL, /* init */
    109         NULL, /* finish */
    110         0, /* flags */
    111         NULL, /* app_data */
    112         NULL, /* dsa_paramgen */
    113         NULL, /* dsa_keygen */
    114 };
    115 
    116 static int register_dsa_methods() {
    117     const DSA_METHOD* dsa_meth = DSA_OpenSSL();
    118 
    119     keystore_dsa_meth.dsa_do_verify = dsa_meth->dsa_do_verify;
    120 
    121     return 1;
    122 }
    123 
    124 int dsa_pkey_setup(ENGINE *e, EVP_PKEY *pkey, const char *key_id) {
    125     Unique_DSA dsa(EVP_PKEY_get1_DSA(pkey));
    126     if (!DSA_set_ex_data(dsa.get(), dsa_key_handle, reinterpret_cast<void*>(strdup(key_id)))) {
    127         ALOGW("Could not set ex_data for loaded DSA key");
    128         return 0;
    129     }
    130 
    131     DSA_set_method(dsa.get(), &keystore_dsa_meth);
    132 
    133     /*
    134      * "DSA_set_ENGINE()" should probably be an OpenSSL API. Since it isn't,
    135      * and EVP_PKEY_free() calls ENGINE_finish(), we need to call ENGINE_init()
    136      * here.
    137      */
    138     ENGINE_init(e);
    139     dsa->engine = e;
    140 
    141     return 1;
    142 }
    143 
    144 int dsa_register(ENGINE* e) {
    145     if (!ENGINE_set_DSA(e, &keystore_dsa_meth)
    146             || !register_dsa_methods()) {
    147         ALOGE("Could not set up keystore DSA methods");
    148         return 0;
    149     }
    150 
    151     return 1;
    152 }
    153