| /* |
| * Copyright (C) 2020 The Android Open Source Project |
| * |
| * Licensed under the Apache License, Version 2.0 (the "License"); |
| * you may not use this file except in compliance with the License. |
| * You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| |
| package android.car.encryptionrunner; |
| |
| import android.annotation.IntDef; |
| import android.annotation.NonNull; |
| import android.annotation.Nullable; |
| import android.util.Log; |
| |
| import com.android.internal.annotations.VisibleForTesting; |
| |
| import com.google.security.cryptauth.lib.securegcm.D2DConnectionContext; |
| import com.google.security.cryptauth.lib.securegcm.Ukey2Handshake; |
| import com.google.security.cryptauth.lib.securemessage.CryptoOps; |
| |
| import java.io.ByteArrayOutputStream; |
| import java.io.IOException; |
| import java.security.InvalidKeyException; |
| import java.security.MessageDigest; |
| import java.security.NoSuchAlgorithmException; |
| import java.security.SignatureException; |
| |
| import javax.crypto.spec.SecretKeySpec; |
| |
| /** |
| * An {@link EncryptionRunner} that uses Ukey2 as the underlying implementation. |
| */ |
| public class Ukey2EncryptionRunner implements EncryptionRunner { |
| |
| private static final Ukey2Handshake.HandshakeCipher CIPHER = |
| Ukey2Handshake.HandshakeCipher.P256_SHA512; |
| private static final int RESUME_HMAC_LENGTH = 32; |
| private static final byte[] RESUME = "RESUME".getBytes(); |
| private static final byte[] SERVER = "SERVER".getBytes(); |
| private static final byte[] CLIENT = "CLIENT".getBytes(); |
| private static final int AUTH_STRING_LENGTH = 6; |
| |
| @IntDef({Mode.UNKNOWN, Mode.CLIENT, Mode.SERVER}) |
| private @interface Mode { |
| int UNKNOWN = 0; |
| int CLIENT = 1; |
| int SERVER = 2; |
| } |
| |
| private Ukey2Handshake mUkey2client; |
| private boolean mRunnerIsInvalid; |
| private Key mCurrentKey; |
| private byte[] mCurrentUniqueSesion; |
| private byte[] mPrevUniqueSesion; |
| private boolean mIsReconnect; |
| private boolean mInitReconnectionVerification; |
| @Mode |
| private int mMode = Mode.UNKNOWN; |
| |
| @Override |
| public HandshakeMessage initHandshake() { |
| checkRunnerIsNew(); |
| mMode = Mode.CLIENT; |
| try { |
| mUkey2client = Ukey2Handshake.forInitiator(CIPHER); |
| return HandshakeMessage.newBuilder() |
| .setHandshakeState(getHandshakeState()) |
| .setNextMessage(mUkey2client.getNextHandshakeMessage()) |
| .build(); |
| } catch (com.google.security.cryptauth.lib.securegcm.HandshakeException e) { |
| Log.e(TAG, "unexpected exception", e); |
| throw new RuntimeException(e); |
| } |
| |
| } |
| |
| @Override |
| public void setIsReconnect(boolean isReconnect) { |
| mIsReconnect = isReconnect; |
| } |
| |
| @Override |
| public HandshakeMessage respondToInitRequest(byte[] initializationRequest) |
| throws HandshakeException { |
| checkRunnerIsNew(); |
| mMode = Mode.SERVER; |
| try { |
| if (mUkey2client != null) { |
| throw new IllegalStateException("Cannot reuse encryption runners, " |
| + "this one is already initialized"); |
| } |
| mUkey2client = Ukey2Handshake.forResponder(CIPHER); |
| mUkey2client.parseHandshakeMessage(initializationRequest); |
| return HandshakeMessage.newBuilder() |
| .setHandshakeState(getHandshakeState()) |
| .setNextMessage(mUkey2client.getNextHandshakeMessage()) |
| .build(); |
| |
| } catch (com.google.security.cryptauth.lib.securegcm.HandshakeException |
| | Ukey2Handshake.AlertException e) { |
| throw new HandshakeException(e); |
| } |
| } |
| |
| private void checkRunnerIsNew() { |
| if (mUkey2client != null) { |
| throw new IllegalStateException("This runner is already initialized."); |
| } |
| } |
| |
| |
| @Override |
| public HandshakeMessage continueHandshake(byte[] response) throws HandshakeException { |
| checkInitialized(); |
| try { |
| if (mUkey2client.getHandshakeState() != Ukey2Handshake.State.IN_PROGRESS) { |
| throw new IllegalStateException("handshake is not in progress, state =" |
| + mUkey2client.getHandshakeState()); |
| } |
| mUkey2client.parseHandshakeMessage(response); |
| |
| // Not obvious from ukey2 api, but getting the next message can change the state. |
| // calling getNext message might go from in progress to verification needed, on |
| // the assumption that we already send this message to the peer. |
| byte[] nextMessage = null; |
| if (mUkey2client.getHandshakeState() == Ukey2Handshake.State.IN_PROGRESS) { |
| nextMessage = mUkey2client.getNextHandshakeMessage(); |
| } |
| String verificationCode = null; |
| if (mUkey2client.getHandshakeState() == Ukey2Handshake.State.VERIFICATION_NEEDED) { |
| // getVerificationString() needs to be called before verifyPin(). |
| verificationCode = generateReadablePairingCode( |
| mUkey2client.getVerificationString(AUTH_STRING_LENGTH)); |
| if (mIsReconnect) { |
| HandshakeMessage handshakeMessage = verifyPin(); |
| return HandshakeMessage.newBuilder() |
| .setHandshakeState(handshakeMessage.getHandshakeState()) |
| .setNextMessage(nextMessage) |
| .build(); |
| } |
| } |
| return HandshakeMessage.newBuilder() |
| .setHandshakeState(getHandshakeState()) |
| .setNextMessage(nextMessage) |
| .setVerificationCode(verificationCode) |
| .build(); |
| } catch (com.google.security.cryptauth.lib.securegcm.HandshakeException |
| | Ukey2Handshake.AlertException e) { |
| throw new HandshakeException(e); |
| } |
| } |
| |
| /** |
| * Returns a human-readable pairing code string generated from the verification bytes. Converts |
| * each byte into a digit with a simple modulo. |
| * |
| * <p>This should match the implementation in the iOS and Android client libraries. |
| */ |
| @VisibleForTesting |
| String generateReadablePairingCode(byte[] verificationCode) { |
| StringBuilder outString = new StringBuilder(); |
| for (byte b : verificationCode) { |
| int unsignedInt = Byte.toUnsignedInt(b); |
| int digit = unsignedInt % 10; |
| outString.append(digit); |
| } |
| |
| return outString.toString(); |
| } |
| |
| private static class UKey2Key implements Key { |
| |
| private final D2DConnectionContext mConnectionContext; |
| |
| UKey2Key(@NonNull D2DConnectionContext connectionContext) { |
| this.mConnectionContext = connectionContext; |
| } |
| |
| @Override |
| public byte[] asBytes() { |
| return mConnectionContext.saveSession(); |
| } |
| |
| @Override |
| public byte[] encryptData(byte[] data) { |
| return mConnectionContext.encodeMessageToPeer(data); |
| } |
| |
| @Override |
| public byte[] decryptData(byte[] encryptedData) throws SignatureException { |
| return mConnectionContext.decodeMessageFromPeer(encryptedData); |
| } |
| |
| @Override |
| public byte[] getUniqueSession() throws NoSuchAlgorithmException { |
| return mConnectionContext.getSessionUnique(); |
| } |
| } |
| |
| @Override |
| public HandshakeMessage verifyPin() throws HandshakeException { |
| checkInitialized(); |
| mUkey2client.verifyHandshake(); |
| int state = getHandshakeState(); |
| try { |
| mCurrentKey = new UKey2Key(mUkey2client.toConnectionContext()); |
| } catch (com.google.security.cryptauth.lib.securegcm.HandshakeException e) { |
| throw new HandshakeException(e); |
| } |
| return HandshakeMessage.newBuilder() |
| .setHandshakeState(state) |
| .setKey(mCurrentKey) |
| .build(); |
| } |
| |
| /** |
| * <p>After getting message from the other device, authenticate the message with the previous |
| * stored key. |
| * |
| * If current device inits the reconnection authentication by calling {@code |
| * initReconnectAuthentication} and sends the message to the other device, the other device |
| * will call {@code authenticateReconnection()} with the received message and send its own |
| * message back to the init device. The init device will call {@code |
| * authenticateReconnection()} on the received message, but do not need to set the next |
| * message. |
| */ |
| @Override |
| public HandshakeMessage authenticateReconnection(byte[] message, byte[] previousKey) |
| throws HandshakeException { |
| if (!mIsReconnect) { |
| throw new HandshakeException( |
| "Reconnection authentication requires setIsReconnect(true)"); |
| } |
| if (mCurrentKey == null) { |
| throw new HandshakeException("Current key is null, make sure verifyPin() is called."); |
| } |
| if (message.length != RESUME_HMAC_LENGTH) { |
| mRunnerIsInvalid = true; |
| throw new HandshakeException("Failing because (message.length =" + message.length |
| + ") is not equal to " + RESUME_HMAC_LENGTH); |
| } |
| try { |
| mCurrentUniqueSesion = mCurrentKey.getUniqueSession(); |
| mPrevUniqueSesion = keyOf(previousKey).getUniqueSession(); |
| } catch (NoSuchAlgorithmException e) { |
| throw new HandshakeException(e); |
| } |
| switch (mMode) { |
| case Mode.SERVER: |
| if (!MessageDigest.isEqual( |
| message, computeMAC(mPrevUniqueSesion, mCurrentUniqueSesion, CLIENT))) { |
| mRunnerIsInvalid = true; |
| throw new HandshakeException("Reconnection authentication failed."); |
| } |
| return HandshakeMessage.newBuilder() |
| .setHandshakeState(HandshakeMessage.HandshakeState.FINISHED) |
| .setKey(mCurrentKey) |
| .setNextMessage(mInitReconnectionVerification ? null |
| : computeMAC(mPrevUniqueSesion, mCurrentUniqueSesion, SERVER)) |
| .build(); |
| case Mode.CLIENT: |
| if (!MessageDigest.isEqual( |
| message, computeMAC(mPrevUniqueSesion, mCurrentUniqueSesion, SERVER))) { |
| mRunnerIsInvalid = true; |
| throw new HandshakeException("Reconnection authentication failed."); |
| } |
| return HandshakeMessage.newBuilder() |
| .setHandshakeState(HandshakeMessage.HandshakeState.FINISHED) |
| .setKey(mCurrentKey) |
| .setNextMessage(mInitReconnectionVerification ? null |
| : computeMAC(mPrevUniqueSesion, mCurrentUniqueSesion, CLIENT)) |
| .build(); |
| default: |
| throw new IllegalStateException( |
| "Encountered unexpected role during authenticateReconnection: " + mMode); |
| } |
| } |
| |
| /** |
| * Both client and server can call this method to send authentication message to the other |
| * device. |
| */ |
| @Override |
| public HandshakeMessage initReconnectAuthentication(byte[] previousKey) |
| throws HandshakeException { |
| if (!mIsReconnect) { |
| throw new HandshakeException( |
| "Reconnection authentication requires setIsReconnect(true)."); |
| } |
| if (mCurrentKey == null) { |
| throw new HandshakeException("Current key is null, make sure verifyPin() is called."); |
| } |
| mInitReconnectionVerification = true; |
| try { |
| mCurrentUniqueSesion = mCurrentKey.getUniqueSession(); |
| mPrevUniqueSesion = keyOf(previousKey).getUniqueSession(); |
| } catch (NoSuchAlgorithmException e) { |
| throw new HandshakeException(e); |
| } |
| switch (mMode) { |
| case Mode.SERVER: |
| return HandshakeMessage.newBuilder() |
| .setHandshakeState(HandshakeMessage.HandshakeState.RESUMING_SESSION) |
| .setNextMessage(computeMAC(mPrevUniqueSesion, mCurrentUniqueSesion, SERVER)) |
| .build(); |
| case Mode.CLIENT: |
| return HandshakeMessage.newBuilder() |
| .setHandshakeState(HandshakeMessage.HandshakeState.RESUMING_SESSION) |
| .setNextMessage(computeMAC(mPrevUniqueSesion, mCurrentUniqueSesion, CLIENT)) |
| .build(); |
| default: |
| throw new IllegalStateException( |
| "Encountered unexpected role during authenticateReconnection: " + mMode); |
| } |
| } |
| |
| protected final Ukey2Handshake getUkey2Client() { |
| return mUkey2client; |
| } |
| |
| protected final boolean isReconnect() { |
| return mIsReconnect; |
| } |
| |
| @HandshakeMessage.HandshakeState |
| private int getHandshakeState() { |
| checkInitialized(); |
| switch (mUkey2client.getHandshakeState()) { |
| case ALREADY_USED: |
| case ERROR: |
| throw new IllegalStateException("unexpected error state"); |
| case FINISHED: |
| if (mIsReconnect) { |
| return HandshakeMessage.HandshakeState.RESUMING_SESSION; |
| } |
| return HandshakeMessage.HandshakeState.FINISHED; |
| case IN_PROGRESS: |
| return HandshakeMessage.HandshakeState.IN_PROGRESS; |
| case VERIFICATION_IN_PROGRESS: |
| case VERIFICATION_NEEDED: |
| return HandshakeMessage.HandshakeState.VERIFICATION_NEEDED; |
| default: |
| throw new IllegalStateException("unexpected handshake state"); |
| } |
| } |
| |
| @Override |
| public Key keyOf(byte[] serialized) { |
| return new UKey2Key(D2DConnectionContext.fromSavedSession(serialized)); |
| } |
| |
| @Override |
| public void invalidPin() { |
| mRunnerIsInvalid = true; |
| } |
| |
| private UKey2Key checkIsUkey2Key(Key key) { |
| if (!(key instanceof UKey2Key)) { |
| throw new IllegalArgumentException("wrong key type"); |
| } |
| return (UKey2Key) key; |
| } |
| |
| protected void checkInitialized() { |
| if (mUkey2client == null) { |
| throw new IllegalStateException("runner not initialized"); |
| } |
| if (mRunnerIsInvalid) { |
| throw new IllegalStateException("runner has been invalidated"); |
| } |
| } |
| |
| @Nullable |
| private byte[] computeMAC(byte[] previous, byte[] next, byte[] info) { |
| try { |
| SecretKeySpec inputKeyMaterial = new SecretKeySpec( |
| concatByteArrays(previous, next), "" /* key type is just plain raw bytes */); |
| return CryptoOps.hkdf(inputKeyMaterial, RESUME, info); |
| } catch (NoSuchAlgorithmException | InvalidKeyException e) { |
| // Does not happen in practice |
| Log.e(TAG, "Compute MAC failed"); |
| return null; |
| } |
| } |
| |
| private static byte[] concatByteArrays(@NonNull byte[] a, @NonNull byte[] b) { |
| ByteArrayOutputStream outputStream = new ByteArrayOutputStream(); |
| try { |
| outputStream.write(a); |
| outputStream.write(b); |
| } catch (IOException e) { |
| return new byte[0]; |
| } |
| return outputStream.toByteArray(); |
| } |
| } |
