Home | History | Annotate | Download | only in softkeymaster
      1 /*
      2  * Copyright (C) 2012 The Android Open Source Project
      3  *
      4  * Licensed under the Apache License, Version 2.0 (the "License");
      5  * you may not use this file except in compliance with the License.
      6  * You may obtain a copy of the License at
      7  *
      8  *      http://www.apache.org/licenses/LICENSE-2.0
      9  *
     10  * Unless required by applicable law or agreed to in writing, software
     11  * distributed under the License is distributed on an "AS IS" BASIS,
     12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     13  * See the License for the specific language governing permissions and
     14  * limitations under the License.
     15  */
     16 #include <errno.h>
     17 #include <string.h>
     18 #include <stdint.h>
     19 
     20 #include <keystore/keystore.h>
     21 #include <keymaster/softkeymaster.h>
     22 
     23 #include <hardware/hardware.h>
     24 #include <hardware/keymaster0.h>
     25 
     26 #include <openssl/evp.h>
     27 #include <openssl/bio.h>
     28 #include <openssl/rsa.h>
     29 #include <openssl/err.h>
     30 #include <openssl/x509.h>
     31 
     32 #include <UniquePtr.h>
     33 
     34 // For debugging
     35 // #define LOG_NDEBUG 0
     36 
     37 #define LOG_TAG "OpenSSLKeyMaster"
     38 #include <cutils/log.h>
     39 
     40 struct BIGNUM_Delete {
     41     void operator()(BIGNUM* p) const { BN_free(p); }
     42 };
     43 typedef UniquePtr<BIGNUM, BIGNUM_Delete> Unique_BIGNUM;
     44 
     45 struct EVP_PKEY_Delete {
     46     void operator()(EVP_PKEY* p) const { EVP_PKEY_free(p); }
     47 };
     48 typedef UniquePtr<EVP_PKEY, EVP_PKEY_Delete> Unique_EVP_PKEY;
     49 
     50 struct PKCS8_PRIV_KEY_INFO_Delete {
     51     void operator()(PKCS8_PRIV_KEY_INFO* p) const { PKCS8_PRIV_KEY_INFO_free(p); }
     52 };
     53 typedef UniquePtr<PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO_Delete> Unique_PKCS8_PRIV_KEY_INFO;
     54 
     55 struct DSA_Delete {
     56     void operator()(DSA* p) const { DSA_free(p); }
     57 };
     58 typedef UniquePtr<DSA, DSA_Delete> Unique_DSA;
     59 
     60 struct EC_KEY_Delete {
     61     void operator()(EC_KEY* p) const { EC_KEY_free(p); }
     62 };
     63 typedef UniquePtr<EC_KEY, EC_KEY_Delete> Unique_EC_KEY;
     64 
     65 struct EC_GROUP_Delete {
     66     void operator()(EC_GROUP* p) const { EC_GROUP_free(p); }
     67 };
     68 typedef UniquePtr<EC_GROUP, EC_GROUP_Delete> Unique_EC_GROUP;
     69 
     70 struct RSA_Delete {
     71     void operator()(RSA* p) const { RSA_free(p); }
     72 };
     73 typedef UniquePtr<RSA, RSA_Delete> Unique_RSA;
     74 
     75 struct Malloc_Free {
     76     void operator()(void* p) const { free(p); }
     77 };
     78 
     79 typedef UniquePtr<keymaster0_device_t> Unique_keymaster_device_t;
     80 
     81 /**
     82  * Many OpenSSL APIs take ownership of an argument on success but
     83  * don't free the argument on failure. This means we need to tell our
     84  * scoped pointers when we've transferred ownership, without
     85  * triggering a warning by not using the result of release().
     86  */
     87 template <typename T, typename Delete_T>
     88 inline void release_because_ownership_transferred(UniquePtr<T, Delete_T>& p) {
     89     T* val __attribute__((unused)) = p.release();
     90 }
     91 
     92 /*
     93  * Checks this thread's OpenSSL error queue and logs if
     94  * necessary.
     95  */
     96 static void logOpenSSLError(const char* location) {
     97     int error = ERR_get_error();
     98 
     99     if (error != 0) {
    100         char message[256];
    101         ERR_error_string_n(error, message, sizeof(message));
    102         ALOGE("OpenSSL error in %s %d: %s", location, error, message);
    103     }
    104 
    105     ERR_clear_error();
    106     ERR_remove_thread_state(NULL);
    107 }
    108 
    109 static int wrap_key(EVP_PKEY* pkey, int type, uint8_t** keyBlob, size_t* keyBlobLength) {
    110     /*
    111      * Find the length of each size. Public key is not needed anymore
    112      * but must be kept for alignment purposes.
    113      */
    114     int publicLen = 0;
    115     int privateLen = i2d_PrivateKey(pkey, NULL);
    116 
    117     if (privateLen <= 0) {
    118         ALOGE("private key size was too big");
    119         return -1;
    120     }
    121 
    122     /* int type + int size + private key data + int size + public key data */
    123     *keyBlobLength = get_softkey_header_size() + sizeof(type) + sizeof(publicLen) + privateLen +
    124                      sizeof(privateLen) + publicLen;
    125 
    126     // derData will be returned to the caller, so allocate it with malloc.
    127     UniquePtr<unsigned char, Malloc_Free> derData(
    128         static_cast<unsigned char*>(malloc(*keyBlobLength)));
    129     if (derData.get() == NULL) {
    130         ALOGE("could not allocate memory for key blob");
    131         return -1;
    132     }
    133     unsigned char* p = derData.get();
    134 
    135     /* Write the magic value for software keys. */
    136     p = add_softkey_header(p, *keyBlobLength);
    137 
    138     /* Write key type to allocated buffer */
    139     for (int i = sizeof(type) - 1; i >= 0; i--) {
    140         *p++ = (type >> (8 * i)) & 0xFF;
    141     }
    142 
    143     /* Write public key to allocated buffer */
    144     for (int i = sizeof(publicLen) - 1; i >= 0; i--) {
    145         *p++ = (publicLen >> (8 * i)) & 0xFF;
    146     }
    147 
    148     /* Write private key to allocated buffer */
    149     for (int i = sizeof(privateLen) - 1; i >= 0; i--) {
    150         *p++ = (privateLen >> (8 * i)) & 0xFF;
    151     }
    152     if (i2d_PrivateKey(pkey, &p) != privateLen) {
    153         logOpenSSLError("wrap_key");
    154         return -1;
    155     }
    156 
    157     *keyBlob = derData.release();
    158 
    159     return 0;
    160 }
    161 
    162 static EVP_PKEY* unwrap_key(const uint8_t* keyBlob, const size_t keyBlobLength) {
    163     long publicLen = 0;
    164     long privateLen = 0;
    165     const uint8_t* p = keyBlob;
    166     const uint8_t* const end = keyBlob + keyBlobLength;
    167 
    168     if (keyBlob == NULL) {
    169         ALOGE("supplied key blob was NULL");
    170         return NULL;
    171     }
    172 
    173     int type = 0;
    174     if (keyBlobLength < (get_softkey_header_size() + sizeof(type) + sizeof(publicLen) + 1 +
    175                          sizeof(privateLen) + 1)) {
    176         ALOGE("key blob appears to be truncated");
    177         return NULL;
    178     }
    179 
    180     if (!is_softkey(p, keyBlobLength)) {
    181         ALOGE("cannot read key; it was not made by this keymaster");
    182         return NULL;
    183     }
    184     p += get_softkey_header_size();
    185 
    186     for (size_t i = 0; i < sizeof(type); i++) {
    187         type = (type << 8) | *p++;
    188     }
    189 
    190     for (size_t i = 0; i < sizeof(type); i++) {
    191         publicLen = (publicLen << 8) | *p++;
    192     }
    193     if (p + publicLen > end) {
    194         ALOGE("public key length encoding error: size=%ld, end=%td", publicLen, end - p);
    195         return NULL;
    196     }
    197 
    198     p += publicLen;
    199     if (end - p < 2) {
    200         ALOGE("private key truncated");
    201         return NULL;
    202     }
    203     for (size_t i = 0; i < sizeof(type); i++) {
    204         privateLen = (privateLen << 8) | *p++;
    205     }
    206     if (p + privateLen > end) {
    207         ALOGE("private key length encoding error: size=%ld, end=%td", privateLen, end - p);
    208         return NULL;
    209     }
    210 
    211     Unique_EVP_PKEY pkey(EVP_PKEY_new());
    212     if (pkey.get() == NULL) {
    213         logOpenSSLError("unwrap_key");
    214         return NULL;
    215     }
    216     EVP_PKEY* tmp = pkey.get();
    217 
    218     if (d2i_PrivateKey(type, &tmp, &p, privateLen) == NULL) {
    219         logOpenSSLError("unwrap_key");
    220         return NULL;
    221     }
    222 
    223     return pkey.release();
    224 }
    225 
    226 static int generate_dsa_keypair(EVP_PKEY* pkey, const keymaster_dsa_keygen_params_t* dsa_params) {
    227     if (dsa_params->key_size < 512) {
    228         ALOGI("Requested DSA key size is too small (<512)");
    229         return -1;
    230     }
    231 
    232     Unique_DSA dsa(DSA_new());
    233 
    234     if (dsa_params->generator_len == 0 || dsa_params->prime_p_len == 0 ||
    235         dsa_params->prime_q_len == 0 || dsa_params->generator == NULL ||
    236         dsa_params->prime_p == NULL || dsa_params->prime_q == NULL) {
    237         if (DSA_generate_parameters_ex(dsa.get(), dsa_params->key_size, NULL, 0, NULL, NULL,
    238                                        NULL) != 1) {
    239             logOpenSSLError("generate_dsa_keypair");
    240             return -1;
    241         }
    242     } else {
    243         dsa->g = BN_bin2bn(dsa_params->generator, dsa_params->generator_len, NULL);
    244         if (dsa->g == NULL) {
    245             logOpenSSLError("generate_dsa_keypair");
    246             return -1;
    247         }
    248 
    249         dsa->p = BN_bin2bn(dsa_params->prime_p, dsa_params->prime_p_len, NULL);
    250         if (dsa->p == NULL) {
    251             logOpenSSLError("generate_dsa_keypair");
    252             return -1;
    253         }
    254 
    255         dsa->q = BN_bin2bn(dsa_params->prime_q, dsa_params->prime_q_len, NULL);
    256         if (dsa->q == NULL) {
    257             logOpenSSLError("generate_dsa_keypair");
    258             return -1;
    259         }
    260     }
    261 
    262     if (DSA_generate_key(dsa.get()) != 1) {
    263         logOpenSSLError("generate_dsa_keypair");
    264         return -1;
    265     }
    266 
    267     if (EVP_PKEY_assign_DSA(pkey, dsa.get()) == 0) {
    268         logOpenSSLError("generate_dsa_keypair");
    269         return -1;
    270     }
    271     release_because_ownership_transferred(dsa);
    272 
    273     return 0;
    274 }
    275 
    276 static int generate_ec_keypair(EVP_PKEY* pkey, const keymaster_ec_keygen_params_t* ec_params) {
    277     Unique_EC_GROUP group;
    278     switch (ec_params->field_size) {
    279     case 224:
    280         group.reset(EC_GROUP_new_by_curve_name(NID_secp224r1));
    281         break;
    282     case 256:
    283         group.reset(EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1));
    284         break;
    285     case 384:
    286         group.reset(EC_GROUP_new_by_curve_name(NID_secp384r1));
    287         break;
    288     case 521:
    289         group.reset(EC_GROUP_new_by_curve_name(NID_secp521r1));
    290         break;
    291     default:
    292         break;
    293     }
    294 
    295     if (group.get() == NULL) {
    296         logOpenSSLError("generate_ec_keypair");
    297         return -1;
    298     }
    299 
    300 #if !defined(OPENSSL_IS_BORINGSSL)
    301     EC_GROUP_set_point_conversion_form(group.get(), POINT_CONVERSION_UNCOMPRESSED);
    302     EC_GROUP_set_asn1_flag(group.get(), OPENSSL_EC_NAMED_CURVE);
    303 #endif
    304 
    305     /* initialize EC key */
    306     Unique_EC_KEY eckey(EC_KEY_new());
    307     if (eckey.get() == NULL) {
    308         logOpenSSLError("generate_ec_keypair");
    309         return -1;
    310     }
    311 
    312     if (EC_KEY_set_group(eckey.get(), group.get()) != 1) {
    313         logOpenSSLError("generate_ec_keypair");
    314         return -1;
    315     }
    316 
    317     if (EC_KEY_generate_key(eckey.get()) != 1 || EC_KEY_check_key(eckey.get()) < 0) {
    318         logOpenSSLError("generate_ec_keypair");
    319         return -1;
    320     }
    321 
    322     if (EVP_PKEY_assign_EC_KEY(pkey, eckey.get()) == 0) {
    323         logOpenSSLError("generate_ec_keypair");
    324         return -1;
    325     }
    326     release_because_ownership_transferred(eckey);
    327 
    328     return 0;
    329 }
    330 
    331 static int generate_rsa_keypair(EVP_PKEY* pkey, const keymaster_rsa_keygen_params_t* rsa_params) {
    332     Unique_BIGNUM bn(BN_new());
    333     if (bn.get() == NULL) {
    334         logOpenSSLError("generate_rsa_keypair");
    335         return -1;
    336     }
    337 
    338     if (BN_set_word(bn.get(), rsa_params->public_exponent) == 0) {
    339         logOpenSSLError("generate_rsa_keypair");
    340         return -1;
    341     }
    342 
    343     /* initialize RSA */
    344     Unique_RSA rsa(RSA_new());
    345     if (rsa.get() == NULL) {
    346         logOpenSSLError("generate_rsa_keypair");
    347         return -1;
    348     }
    349 
    350     if (!RSA_generate_key_ex(rsa.get(), rsa_params->modulus_size, bn.get(), NULL) ||
    351         RSA_check_key(rsa.get()) < 0) {
    352         logOpenSSLError("generate_rsa_keypair");
    353         return -1;
    354     }
    355 
    356     if (EVP_PKEY_assign_RSA(pkey, rsa.get()) == 0) {
    357         logOpenSSLError("generate_rsa_keypair");
    358         return -1;
    359     }
    360     release_because_ownership_transferred(rsa);
    361 
    362     return 0;
    363 }
    364 
    365 __attribute__((visibility("default"))) int openssl_generate_keypair(
    366     const keymaster0_device_t*, const keymaster_keypair_t key_type, const void* key_params,
    367     uint8_t** keyBlob, size_t* keyBlobLength) {
    368     Unique_EVP_PKEY pkey(EVP_PKEY_new());
    369     if (pkey.get() == NULL) {
    370         logOpenSSLError("openssl_generate_keypair");
    371         return -1;
    372     }
    373 
    374     if (key_params == NULL) {
    375         ALOGW("key_params == null");
    376         return -1;
    377     } else if (key_type == TYPE_DSA) {
    378         const keymaster_dsa_keygen_params_t* dsa_params =
    379             (const keymaster_dsa_keygen_params_t*)key_params;
    380         generate_dsa_keypair(pkey.get(), dsa_params);
    381     } else if (key_type == TYPE_EC) {
    382         const keymaster_ec_keygen_params_t* ec_params =
    383             (const keymaster_ec_keygen_params_t*)key_params;
    384         generate_ec_keypair(pkey.get(), ec_params);
    385     } else if (key_type == TYPE_RSA) {
    386         const keymaster_rsa_keygen_params_t* rsa_params =
    387             (const keymaster_rsa_keygen_params_t*)key_params;
    388         generate_rsa_keypair(pkey.get(), rsa_params);
    389     } else {
    390         ALOGW("Unsupported key type %d", key_type);
    391         return -1;
    392     }
    393 
    394     if (wrap_key(pkey.get(), EVP_PKEY_type(pkey->type), keyBlob, keyBlobLength)) {
    395         return -1;
    396     }
    397 
    398     return 0;
    399 }
    400 
    401 __attribute__((visibility("default"))) int openssl_import_keypair(const keymaster0_device_t*,
    402                                                                   const uint8_t* key,
    403                                                                   const size_t key_length,
    404                                                                   uint8_t** key_blob,
    405                                                                   size_t* key_blob_length) {
    406     if (key == NULL) {
    407         ALOGW("input key == NULL");
    408         return -1;
    409     } else if (key_blob == NULL || key_blob_length == NULL) {
    410         ALOGW("output key blob or length == NULL");
    411         return -1;
    412     }
    413 
    414     Unique_PKCS8_PRIV_KEY_INFO pkcs8(d2i_PKCS8_PRIV_KEY_INFO(NULL, &key, key_length));
    415     if (pkcs8.get() == NULL) {
    416         logOpenSSLError("openssl_import_keypair");
    417         return -1;
    418     }
    419 
    420     /* assign to EVP */
    421     Unique_EVP_PKEY pkey(EVP_PKCS82PKEY(pkcs8.get()));
    422     if (pkey.get() == NULL) {
    423         logOpenSSLError("openssl_import_keypair");
    424         return -1;
    425     }
    426 
    427     if (wrap_key(pkey.get(), EVP_PKEY_type(pkey->type), key_blob, key_blob_length)) {
    428         return -1;
    429     }
    430 
    431     return 0;
    432 }
    433 
    434 __attribute__((visibility("default"))) int openssl_get_keypair_public(const keymaster0_device_t*,
    435                                                                       const uint8_t* key_blob,
    436                                                                       const size_t key_blob_length,
    437                                                                       uint8_t** x509_data,
    438                                                                       size_t* x509_data_length) {
    439     if (x509_data == NULL || x509_data_length == NULL) {
    440         ALOGW("output public key buffer == NULL");
    441         return -1;
    442     }
    443 
    444     Unique_EVP_PKEY pkey(unwrap_key(key_blob, key_blob_length));
    445     if (pkey.get() == NULL) {
    446         return -1;
    447     }
    448 
    449     int len = i2d_PUBKEY(pkey.get(), NULL);
    450     if (len <= 0) {
    451         logOpenSSLError("openssl_get_keypair_public");
    452         return -1;
    453     }
    454 
    455     UniquePtr<uint8_t, Malloc_Free> key(static_cast<uint8_t*>(malloc(len)));
    456     if (key.get() == NULL) {
    457         ALOGE("Could not allocate memory for public key data");
    458         return -1;
    459     }
    460 
    461     unsigned char* tmp = reinterpret_cast<unsigned char*>(key.get());
    462     if (i2d_PUBKEY(pkey.get(), &tmp) != len) {
    463         logOpenSSLError("openssl_get_keypair_public");
    464         return -1;
    465     }
    466 
    467     ALOGV("Length of x509 data is %d", len);
    468     *x509_data_length = len;
    469     *x509_data = key.release();
    470 
    471     return 0;
    472 }
    473 
    474 static int sign_dsa(EVP_PKEY* pkey, keymaster_dsa_sign_params_t* sign_params, const uint8_t* data,
    475                     const size_t dataLength, uint8_t** signedData, size_t* signedDataLength) {
    476     if (sign_params->digest_type != DIGEST_NONE) {
    477         ALOGW("Cannot handle digest type %d", sign_params->digest_type);
    478         return -1;
    479     }
    480 
    481     Unique_DSA dsa(EVP_PKEY_get1_DSA(pkey));
    482     if (dsa.get() == NULL) {
    483         logOpenSSLError("openssl_sign_dsa");
    484         return -1;
    485     }
    486 
    487     unsigned int dsaSize = DSA_size(dsa.get());
    488     UniquePtr<uint8_t, Malloc_Free> signedDataPtr(reinterpret_cast<uint8_t*>(malloc(dsaSize)));
    489     if (signedDataPtr.get() == NULL) {
    490         logOpenSSLError("openssl_sign_dsa");
    491         return -1;
    492     }
    493 
    494     unsigned char* tmp = reinterpret_cast<unsigned char*>(signedDataPtr.get());
    495     if (DSA_sign(0, data, dataLength, tmp, &dsaSize, dsa.get()) <= 0) {
    496         logOpenSSLError("openssl_sign_dsa");
    497         return -1;
    498     }
    499 
    500     *signedDataLength = dsaSize;
    501     *signedData = signedDataPtr.release();
    502 
    503     return 0;
    504 }
    505 
    506 static int sign_ec(EVP_PKEY* pkey, keymaster_ec_sign_params_t* sign_params, const uint8_t* data,
    507                    const size_t dataLength, uint8_t** signedData, size_t* signedDataLength) {
    508     if (sign_params->digest_type != DIGEST_NONE) {
    509         ALOGW("Cannot handle digest type %d", sign_params->digest_type);
    510         return -1;
    511     }
    512 
    513     Unique_EC_KEY eckey(EVP_PKEY_get1_EC_KEY(pkey));
    514     if (eckey.get() == NULL) {
    515         logOpenSSLError("openssl_sign_ec");
    516         return -1;
    517     }
    518 
    519     unsigned int ecdsaSize = ECDSA_size(eckey.get());
    520     UniquePtr<uint8_t, Malloc_Free> signedDataPtr(reinterpret_cast<uint8_t*>(malloc(ecdsaSize)));
    521     if (signedDataPtr.get() == NULL) {
    522         logOpenSSLError("openssl_sign_ec");
    523         return -1;
    524     }
    525 
    526     unsigned char* tmp = reinterpret_cast<unsigned char*>(signedDataPtr.get());
    527     if (ECDSA_sign(0, data, dataLength, tmp, &ecdsaSize, eckey.get()) <= 0) {
    528         logOpenSSLError("openssl_sign_ec");
    529         return -1;
    530     }
    531 
    532     *signedDataLength = ecdsaSize;
    533     *signedData = signedDataPtr.release();
    534 
    535     return 0;
    536 }
    537 
    538 static int sign_rsa(EVP_PKEY* pkey, keymaster_rsa_sign_params_t* sign_params, const uint8_t* data,
    539                     const size_t dataLength, uint8_t** signedData, size_t* signedDataLength) {
    540     if (sign_params->digest_type != DIGEST_NONE) {
    541         ALOGW("Cannot handle digest type %d", sign_params->digest_type);
    542         return -1;
    543     } else if (sign_params->padding_type != PADDING_NONE) {
    544         ALOGW("Cannot handle padding type %d", sign_params->padding_type);
    545         return -1;
    546     }
    547 
    548     Unique_RSA rsa(EVP_PKEY_get1_RSA(pkey));
    549     if (rsa.get() == NULL) {
    550         logOpenSSLError("openssl_sign_rsa");
    551         return -1;
    552     }
    553 
    554     UniquePtr<uint8_t, Malloc_Free> signedDataPtr(reinterpret_cast<uint8_t*>(malloc(dataLength)));
    555     if (signedDataPtr.get() == NULL) {
    556         logOpenSSLError("openssl_sign_rsa");
    557         return -1;
    558     }
    559 
    560     unsigned char* tmp = reinterpret_cast<unsigned char*>(signedDataPtr.get());
    561     if (RSA_private_encrypt(dataLength, data, tmp, rsa.get(), RSA_NO_PADDING) <= 0) {
    562         logOpenSSLError("openssl_sign_rsa");
    563         return -1;
    564     }
    565 
    566     *signedDataLength = dataLength;
    567     *signedData = signedDataPtr.release();
    568 
    569     return 0;
    570 }
    571 
    572 __attribute__((visibility("default"))) int openssl_sign_data(
    573     const keymaster0_device_t*, const void* params, const uint8_t* keyBlob,
    574     const size_t keyBlobLength, const uint8_t* data, const size_t dataLength, uint8_t** signedData,
    575     size_t* signedDataLength) {
    576     if (data == NULL) {
    577         ALOGW("input data to sign == NULL");
    578         return -1;
    579     } else if (signedData == NULL || signedDataLength == NULL) {
    580         ALOGW("output signature buffer == NULL");
    581         return -1;
    582     }
    583 
    584     Unique_EVP_PKEY pkey(unwrap_key(keyBlob, keyBlobLength));
    585     if (pkey.get() == NULL) {
    586         return -1;
    587     }
    588 
    589     int type = EVP_PKEY_type(pkey->type);
    590     if (type == EVP_PKEY_DSA) {
    591         const keymaster_dsa_sign_params_t* sign_params =
    592             reinterpret_cast<const keymaster_dsa_sign_params_t*>(params);
    593         return sign_dsa(pkey.get(), const_cast<keymaster_dsa_sign_params_t*>(sign_params), data,
    594                         dataLength, signedData, signedDataLength);
    595     } else if (type == EVP_PKEY_EC) {
    596         const keymaster_ec_sign_params_t* sign_params =
    597             reinterpret_cast<const keymaster_ec_sign_params_t*>(params);
    598         return sign_ec(pkey.get(), const_cast<keymaster_ec_sign_params_t*>(sign_params), data,
    599                        dataLength, signedData, signedDataLength);
    600     } else if (type == EVP_PKEY_RSA) {
    601         const keymaster_rsa_sign_params_t* sign_params =
    602             reinterpret_cast<const keymaster_rsa_sign_params_t*>(params);
    603         return sign_rsa(pkey.get(), const_cast<keymaster_rsa_sign_params_t*>(sign_params), data,
    604                         dataLength, signedData, signedDataLength);
    605     } else {
    606         ALOGW("Unsupported key type");
    607         return -1;
    608     }
    609 }
    610 
    611 static int verify_dsa(EVP_PKEY* pkey, keymaster_dsa_sign_params_t* sign_params,
    612                       const uint8_t* signedData, const size_t signedDataLength,
    613                       const uint8_t* signature, const size_t signatureLength) {
    614     if (sign_params->digest_type != DIGEST_NONE) {
    615         ALOGW("Cannot handle digest type %d", sign_params->digest_type);
    616         return -1;
    617     }
    618 
    619     Unique_DSA dsa(EVP_PKEY_get1_DSA(pkey));
    620     if (dsa.get() == NULL) {
    621         logOpenSSLError("openssl_verify_dsa");
    622         return -1;
    623     }
    624 
    625     if (DSA_verify(0, signedData, signedDataLength, signature, signatureLength, dsa.get()) <= 0) {
    626         logOpenSSLError("openssl_verify_dsa");
    627         return -1;
    628     }
    629 
    630     return 0;
    631 }
    632 
    633 static int verify_ec(EVP_PKEY* pkey, keymaster_ec_sign_params_t* sign_params,
    634                      const uint8_t* signedData, const size_t signedDataLength,
    635                      const uint8_t* signature, const size_t signatureLength) {
    636     if (sign_params->digest_type != DIGEST_NONE) {
    637         ALOGW("Cannot handle digest type %d", sign_params->digest_type);
    638         return -1;
    639     }
    640 
    641     Unique_EC_KEY eckey(EVP_PKEY_get1_EC_KEY(pkey));
    642     if (eckey.get() == NULL) {
    643         logOpenSSLError("openssl_verify_ec");
    644         return -1;
    645     }
    646 
    647     if (ECDSA_verify(0, signedData, signedDataLength, signature, signatureLength, eckey.get()) <=
    648         0) {
    649         logOpenSSLError("openssl_verify_ec");
    650         return -1;
    651     }
    652 
    653     return 0;
    654 }
    655 
    656 static int verify_rsa(EVP_PKEY* pkey, keymaster_rsa_sign_params_t* sign_params,
    657                       const uint8_t* signedData, const size_t signedDataLength,
    658                       const uint8_t* signature, const size_t signatureLength) {
    659     if (sign_params->digest_type != DIGEST_NONE) {
    660         ALOGW("Cannot handle digest type %d", sign_params->digest_type);
    661         return -1;
    662     } else if (sign_params->padding_type != PADDING_NONE) {
    663         ALOGW("Cannot handle padding type %d", sign_params->padding_type);
    664         return -1;
    665     } else if (signatureLength != signedDataLength) {
    666         ALOGW("signed data length must be signature length");
    667         return -1;
    668     }
    669 
    670     Unique_RSA rsa(EVP_PKEY_get1_RSA(pkey));
    671     if (rsa.get() == NULL) {
    672         logOpenSSLError("openssl_verify_data");
    673         return -1;
    674     }
    675 
    676     UniquePtr<uint8_t[]> dataPtr(new uint8_t[signedDataLength]);
    677     if (dataPtr.get() == NULL) {
    678         logOpenSSLError("openssl_verify_data");
    679         return -1;
    680     }
    681 
    682     unsigned char* tmp = reinterpret_cast<unsigned char*>(dataPtr.get());
    683     if (!RSA_public_decrypt(signatureLength, signature, tmp, rsa.get(), RSA_NO_PADDING)) {
    684         logOpenSSLError("openssl_verify_data");
    685         return -1;
    686     }
    687 
    688     int result = 0;
    689     for (size_t i = 0; i < signedDataLength; i++) {
    690         result |= tmp[i] ^ signedData[i];
    691     }
    692 
    693     return result == 0 ? 0 : -1;
    694 }
    695 
    696 __attribute__((visibility("default"))) int openssl_verify_data(
    697     const keymaster0_device_t*, const void* params, const uint8_t* keyBlob,
    698     const size_t keyBlobLength, const uint8_t* signedData, const size_t signedDataLength,
    699     const uint8_t* signature, const size_t signatureLength) {
    700     if (signedData == NULL || signature == NULL) {
    701         ALOGW("data or signature buffers == NULL");
    702         return -1;
    703     }
    704 
    705     Unique_EVP_PKEY pkey(unwrap_key(keyBlob, keyBlobLength));
    706     if (pkey.get() == NULL) {
    707         return -1;
    708     }
    709 
    710     int type = EVP_PKEY_type(pkey->type);
    711     if (type == EVP_PKEY_DSA) {
    712         const keymaster_dsa_sign_params_t* sign_params =
    713             reinterpret_cast<const keymaster_dsa_sign_params_t*>(params);
    714         return verify_dsa(pkey.get(), const_cast<keymaster_dsa_sign_params_t*>(sign_params),
    715                           signedData, signedDataLength, signature, signatureLength);
    716     } else if (type == EVP_PKEY_RSA) {
    717         const keymaster_rsa_sign_params_t* sign_params =
    718             reinterpret_cast<const keymaster_rsa_sign_params_t*>(params);
    719         return verify_rsa(pkey.get(), const_cast<keymaster_rsa_sign_params_t*>(sign_params),
    720                           signedData, signedDataLength, signature, signatureLength);
    721     } else if (type == EVP_PKEY_EC) {
    722         const keymaster_ec_sign_params_t* sign_params =
    723             reinterpret_cast<const keymaster_ec_sign_params_t*>(params);
    724         return verify_ec(pkey.get(), const_cast<keymaster_ec_sign_params_t*>(sign_params),
    725                          signedData, signedDataLength, signature, signatureLength);
    726     } else {
    727         ALOGW("Unsupported key type %d", type);
    728         return -1;
    729     }
    730 }
    731 
    732 /* Close an opened OpenSSL instance */
    733 static int openssl_close(hw_device_t* dev) {
    734     delete dev;
    735     return 0;
    736 }
    737 
    738 /*
    739  * Generic device handling
    740  */
    741 __attribute__((visibility("default"))) int openssl_open(const hw_module_t* module, const char* name,
    742                                                         hw_device_t** device) {
    743     if (strcmp(name, KEYSTORE_KEYMASTER) != 0)
    744         return -EINVAL;
    745 
    746     Unique_keymaster_device_t dev(new keymaster0_device_t);
    747     if (dev.get() == NULL)
    748         return -ENOMEM;
    749 
    750     dev->common.tag = HARDWARE_DEVICE_TAG;
    751     dev->common.version = 1;
    752     dev->common.module = (struct hw_module_t*)module;
    753     dev->common.close = openssl_close;
    754 
    755     dev->flags = KEYMASTER_SOFTWARE_ONLY | KEYMASTER_BLOBS_ARE_STANDALONE | KEYMASTER_SUPPORTS_DSA |
    756                  KEYMASTER_SUPPORTS_EC;
    757 
    758     dev->generate_keypair = openssl_generate_keypair;
    759     dev->import_keypair = openssl_import_keypair;
    760     dev->get_keypair_public = openssl_get_keypair_public;
    761     dev->delete_keypair = NULL;
    762     dev->delete_all = NULL;
    763     dev->sign_data = openssl_sign_data;
    764     dev->verify_data = openssl_verify_data;
    765 
    766     ERR_load_crypto_strings();
    767     ERR_load_BIO_strings();
    768 
    769     *device = reinterpret_cast<hw_device_t*>(dev.release());
    770 
    771     return 0;
    772 }
    773 
    774 static struct hw_module_methods_t keystore_module_methods = {
    775     .open = openssl_open,
    776 };
    777 
    778 struct keystore_module softkeymaster_module __attribute__((visibility("default"))) = {
    779     .common =
    780         {
    781          .tag = HARDWARE_MODULE_TAG,
    782          .module_api_version = KEYMASTER_MODULE_API_VERSION_0_2,
    783          .hal_api_version = HARDWARE_HAL_API_VERSION,
    784          .id = KEYSTORE_HARDWARE_MODULE_ID,
    785          .name = "Keymaster OpenSSL HAL",
    786          .author = "The Android Open Source Project",
    787          .methods = &keystore_module_methods,
    788          .dso = 0,
    789          .reserved = {},
    790         },
    791 };
    792