Revert "ECIES: add ECIES-KEM. This version supports HKDF and ECDH with NIST curves."
am: 1181779c5e
* commit '1181779c5e6c8627b94067d86db6a2f7d5309674':
Revert "ECIES: add ECIES-KEM. This version supports HKDF and ECDH with NIST curves."
diff --git a/.gitignore b/.gitignore
index 8c7799b..90f33d2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,6 +5,14 @@
*.run
*.memcheck
*.massif
-/*_test
+/abstract_factory_registry_test
+/android_keymaster_messages_test
+/android_keymaster_test
+/authorization_set_test
/coverage.info
/coverage/
+/hkdf_test
+/hmac_test
+/key_blob_test
+/keymaster_enforcement_test
+/trusty_keymaster_device_test
diff --git a/Android.mk b/Android.mk
index 3bbfb70..d8a31b8 100644
--- a/Android.mk
+++ b/Android.mk
@@ -57,7 +57,6 @@
ec_key.cpp \
ec_key_factory.cpp \
ecdsa_operation.cpp \
- ecies_kem.cpp \
hkdf.cpp \
hmac.cpp \
hmac_key.cpp \
@@ -65,7 +64,6 @@
integrity_assured_key_blob.cpp \
key.cpp \
keymaster_enforcement.cpp \
- nist_curve_key_exchange.cpp \
ocb.c \
ocb_utils.cpp \
openssl_err.cpp \
diff --git a/Makefile b/Makefile
index cf67486..a90b0a0 100644
--- a/Makefile
+++ b/Makefile
@@ -80,8 +80,6 @@
ec_keymaster1_key.cpp \
ecdsa_keymaster1_operation.cpp \
ecdsa_operation.cpp \
- ecies_kem.cpp \
- ecies_kem_test.cpp \
gtest_main.cpp \
hkdf.cpp \
hkdf_test.cpp \
@@ -97,8 +95,6 @@
keymaster_enforcement.cpp \
keymaster_enforcement_test.cpp \
logger.cpp \
- nist_curve_key_exchange.cpp \
- nist_curve_key_exchange_test.cpp \
ocb_utils.cpp \
openssl_err.cpp \
openssl_utils.cpp \
@@ -125,12 +121,10 @@
android_keymaster_messages_test \
android_keymaster_test \
authorization_set_test \
- ecies_kem_test \
hkdf_test \
hmac_test \
key_blob_test \
keymaster_enforcement_test \
- nist_curve_key_exchange_test
.PHONY: coverage memcheck massif clean run
@@ -198,30 +192,6 @@
serializable.o \
$(GTEST_OBJS)
-nist_curve_key_exchange_test: nist_curve_key_exchange_test.o \
- android_keymaster_test_utils.o \
- authorization_set.o \
- logger.o \
- nist_curve_key_exchange.o \
- openssl_err.o \
- openssl_utils.o \
- serializable.o \
- $(GTEST_OBJS)
-
-ecies_kem_test: ecies_kem_test.o \
- android_keymaster_utils.o \
- android_keymaster_test_utils.o \
- authorization_set.o \
- ecies_kem.o \
- hkdf.o \
- hmac.o \
- logger.o \
- nist_curve_key_exchange.o \
- openssl_err.o \
- openssl_utils.o \
- serializable.o \
- $(GTEST_OBJS)
-
authorization_set_test: authorization_set_test.o \
android_keymaster_test_utils.o \
authorization_set.o \
diff --git a/ec_key.h b/ec_key.h
index 8230d23..96c2635 100644
--- a/ec_key.h
+++ b/ec_key.h
@@ -43,7 +43,7 @@
: AsymmetricKey(hw_enforced, sw_enforced, error), ec_key_(ec_key) {}
private:
- UniquePtr<EC_KEY, EC_KEY_Delete> ec_key_;
+ UniquePtr<EC_KEY, EC_Delete> ec_key_;
};
} // namespace keymaster
diff --git a/ec_key_factory.cpp b/ec_key_factory.cpp
index 14c8327..4ebe543 100644
--- a/ec_key_factory.cpp
+++ b/ec_key_factory.cpp
@@ -55,7 +55,7 @@
return KM_ERROR_UNSUPPORTED_KEY_SIZE;
}
- UniquePtr<EC_KEY, EC_KEY_Delete> ec_key(EC_KEY_new());
+ UniquePtr<EC_KEY, EC_Delete> ec_key(EC_KEY_new());
UniquePtr<EVP_PKEY, EVP_PKEY_Delete> pkey(EVP_PKEY_new());
if (ec_key.get() == NULL || pkey.get() == NULL)
return KM_ERROR_MEMORY_ALLOCATION_FAILED;
@@ -122,14 +122,14 @@
if (error != KM_ERROR_OK)
return error;
- UniquePtr<EC_KEY, EC_KEY_Delete> ec_key(EVP_PKEY_get1_EC_KEY(pkey.get()));
+ UniquePtr<EC_KEY, EC_Delete> ec_key(EVP_PKEY_get1_EC_KEY(pkey.get()));
if (!ec_key.get())
return TranslateLastOpenSslError();
updated_description->Reinitialize(key_description);
size_t extracted_key_size_bits;
- error = ec_get_group_size(EC_KEY_get0_group(ec_key.get()), &extracted_key_size_bits);
+ error = get_group_size(*EC_KEY_get0_group(ec_key.get()), &extracted_key_size_bits);
if (error != KM_ERROR_OK)
return error;
@@ -168,6 +168,26 @@
break;
}
}
+/* static */
+keymaster_error_t EcKeyFactory::get_group_size(const EC_GROUP& group, size_t* key_size_bits) {
+ switch (EC_GROUP_get_curve_name(&group)) {
+ case NID_secp224r1:
+ *key_size_bits = 224;
+ break;
+ case NID_X9_62_prime256v1:
+ *key_size_bits = 256;
+ break;
+ case NID_secp384r1:
+ *key_size_bits = 384;
+ break;
+ case NID_secp521r1:
+ *key_size_bits = 521;
+ break;
+ default:
+ return KM_ERROR_UNSUPPORTED_EC_FIELD;
+ }
+ return KM_ERROR_OK;
+}
keymaster_error_t EcKeyFactory::CreateEmptyKey(const AuthorizationSet& hw_enforced,
const AuthorizationSet& sw_enforced,
diff --git a/ec_keymaster0_key.cpp b/ec_keymaster0_key.cpp
index 705ee73..c2112da 100644
--- a/ec_keymaster0_key.cpp
+++ b/ec_keymaster0_key.cpp
@@ -106,7 +106,7 @@
if (sw_enforced.GetTagCount(TAG_ALGORITHM) == 1)
return super::LoadKey(key_material, additional_params, hw_enforced, sw_enforced, key);
- unique_ptr<EC_KEY, EC_KEY_Delete> ec_key(engine_->BlobToEcKey(key_material));
+ unique_ptr<EC_KEY, EC_Delete> ec_key(engine_->BlobToEcKey(key_material));
if (!ec_key)
return KM_ERROR_UNKNOWN_ERROR;
diff --git a/ec_keymaster1_key.cpp b/ec_keymaster1_key.cpp
index 5cc2539..f718408 100644
--- a/ec_keymaster1_key.cpp
+++ b/ec_keymaster1_key.cpp
@@ -89,7 +89,7 @@
return KM_ERROR_OUTPUT_PARAMETER_NULL;
keymaster_error_t error;
- unique_ptr<EC_KEY, EC_KEY_Delete> ecdsa(
+ unique_ptr<EC_KEY, EC_Delete> ecdsa(
engine_->BuildEcKey(key_material, additional_params, &error));
if (!ecdsa)
return error;
diff --git a/ecdsa_operation.cpp b/ecdsa_operation.cpp
index 0e56344..6da23f5 100644
--- a/ecdsa_operation.cpp
+++ b/ecdsa_operation.cpp
@@ -144,7 +144,7 @@
size_t siglen;
if (digest_ == KM_DIGEST_NONE) {
- UniquePtr<EC_KEY, EC_KEY_Delete> ecdsa(EVP_PKEY_get1_EC_KEY(ecdsa_key_));
+ UniquePtr<EC_KEY, EC_Delete> ecdsa(EVP_PKEY_get1_EC_KEY(ecdsa_key_));
if (!ecdsa.get())
return TranslateLastOpenSslError();
@@ -201,7 +201,7 @@
AuthorizationSet* /* output_params */,
Buffer* /* output */) {
if (digest_ == KM_DIGEST_NONE) {
- UniquePtr<EC_KEY, EC_KEY_Delete> ecdsa(EVP_PKEY_get1_EC_KEY(ecdsa_key_));
+ UniquePtr<EC_KEY, EC_Delete> ecdsa(EVP_PKEY_get1_EC_KEY(ecdsa_key_));
if (!ecdsa.get())
return TranslateLastOpenSslError();
diff --git a/ecies_kem.cpp b/ecies_kem.cpp
deleted file mode 100644
index d0920fa..0000000
--- a/ecies_kem.cpp
+++ /dev/null
@@ -1,195 +0,0 @@
-/*
- * Copyright 2015 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "ecies_kem.h"
-
-#include "nist_curve_key_exchange.h"
-#include "openssl_err.h"
-
-namespace keymaster {
-
-EciesKem::EciesKem(const AuthorizationSet& kem_description, keymaster_error_t* error) {
- AuthorizationSet authorizations(kem_description);
-
- if (!authorizations.GetTagValue(TAG_EC_CURVE, &curve_)) {
- LOG_E("%s", "EciesKem: no curve specified");
- *error = KM_ERROR_INVALID_ARGUMENT;
- return;
- }
-
- switch (curve_) {
- case KM_EC_CURVE_P_224:
- case KM_EC_CURVE_P_256:
- case KM_EC_CURVE_P_384:
- case KM_EC_CURVE_P_521:
- break;
- default:
- LOG_E("EciesKem: curve %d is unsupported", curve_);
- *error = KM_ERROR_UNSUPPORTED_EC_CURVE;
- return;
- }
-
- keymaster_kdf_t kdf;
- if (!authorizations.GetTagValue(TAG_KDF, &kdf)) {
- LOG_E("EciesKem: No KDF specified", 0);
- *error = KM_ERROR_UNSUPPORTED_KDF;
- return;
- }
- switch (kdf) {
- case KM_KDF_RFC5869_SHA256:
- kdf_.reset(new Rfc5869Sha256Kdf());
- break;
- default:
- LOG_E("Kdf %d is unsupported", kdf);
- *error = KM_ERROR_UNSUPPORTED_KDF;
- return;
- }
- if (!kdf_.get()) {
- *error = KM_ERROR_MEMORY_ALLOCATION_FAILED;
- return;
- }
-
- if (!authorizations.GetTagValue(TAG_KEY_SIZE, &key_bytes_to_generate_)) {
- LOG_E("%s", "EciesKem: no key length specified");
- *error = KM_ERROR_UNSUPPORTED_KEY_SIZE;
- return;
- }
-
- keymaster_ec_point_format_t point_format_;
- if (!authorizations.GetTagValue(TAG_EC_POINT_FORMAT, &point_format_)) {
- LOG_E("%s", "EciesKem: no point format specify");
- *error = KM_ERROR_UNSUPPORTED_EC_POINT_FORMAT;
- return;
- }
- if (point_format_ != KM_EC_POINT_UNCOMPRESSED) {
- LOG_E("EciesKem: point format %d unsupported", point_format_);
- *error = KM_ERROR_UNSUPPORTED_EC_POINT_FORMAT;
- return;
- }
-
- single_hash_mode_ = authorizations.GetTagValue(TAG_ECIES_SINGLE_HASH_MODE);
- *error = KM_ERROR_OK;
-}
-
-bool EciesKem::Encrypt(const Buffer& peer_public_value, Buffer* output_clear_key,
- Buffer* output_encrypted_key) {
- return Encrypt(peer_public_value.peek_read(), peer_public_value.available_read(),
- output_clear_key, output_encrypted_key);
-}
-
-// http://www.shoup.net/iso/std6.pdf, section 10.2.3.
-bool EciesKem::Encrypt(const uint8_t* peer_public_value, size_t peer_public_value_len,
- Buffer* output_clear_key, Buffer* output_encrypted_key) {
-
- key_exchange_.reset(NistCurveKeyExchange::GenerateKeyExchange(curve_));
- if (!key_exchange_.get()) {
- return false;
- }
-
- Buffer shared_secret;
- if (!key_exchange_.get()->CalculateSharedKey(peer_public_value, peer_public_value_len,
- &shared_secret)) {
- LOG_E("EciesKem: ECDH failed, can't obtain shared secret", 0);
- return false;
- }
- if (!key_exchange_.get()->public_value(output_encrypted_key)) {
- LOG_E("EciesKem: Can't obtain public value", 0);
- return false;
- }
-
- Buffer z;
- if (single_hash_mode_) {
- // z is empty.
- } else {
- // z = C0
- z.Reinitialize(output_encrypted_key->peek_read(), output_encrypted_key->available_read());
- }
-
- Buffer actual_secret(z.available_read() + shared_secret.available_read());
- actual_secret.write(z.peek_read(), z.available_read());
- actual_secret.write(shared_secret.peek_read(), shared_secret.available_read());
-
- if (!kdf_->Init(actual_secret.peek_read(), actual_secret.available_read(), nullptr /* salt */,
- 0 /* salt_len */, nullptr /* info */, 0 /* info_len */,
- key_bytes_to_generate_)) {
- LOG_E("EciesKem: KDF failed, can't derived keys", 0);
- return false;
- }
-
- if (!kdf_.get()->secret_key(output_clear_key)) {
- LOG_E("EciesKem: KDF failed, can't derived keys", 0);
- return false;
- }
-
- return true;
-}
-
-bool EciesKem::Decrypt(EC_KEY* private_key, const Buffer& encrypted_key, Buffer* output_key) {
- return Decrypt(private_key, encrypted_key.peek_read(), encrypted_key.available_read(),
- output_key);
-}
-
-// http://www.shoup.net/iso/std6.pdf, section 10.2.4.
-bool EciesKem::Decrypt(EC_KEY* private_key, const uint8_t* encrypted_key, size_t encrypted_key_len,
- Buffer* output_key) {
-
- keymaster_error_t error;
- key_exchange_.reset(new NistCurveKeyExchange(private_key, &error));
- if (!key_exchange_.get() || error != KM_ERROR_OK) {
- return false;
- }
-
- Buffer shared_secret;
- if (!key_exchange_.get()->CalculateSharedKey(encrypted_key, encrypted_key_len,
- &shared_secret)) {
- LOG_E("EciesKem: ECDH failed, can't obtain shared secret", 0);
- return false;
- }
-
- Buffer public_value;
- if (!key_exchange_.get()->public_value(&public_value)) {
- LOG_E("%s", "EciesKem: Can't obtain public value");
- return false;
- }
-
- Buffer z;
- if (single_hash_mode_) {
- // z is empty.
- } else {
- // z = C0
- z.Reinitialize(public_value.peek_read(), public_value.available_read());
- }
-
- Buffer actual_secret(z.available_read() + shared_secret.available_read());
- actual_secret.write(z.peek_read(), z.available_read());
- actual_secret.write(shared_secret.peek_read(), shared_secret.available_read());
-
- if (!kdf_.get()->Init(actual_secret.peek_read(), actual_secret.available_read(),
- nullptr /* salt */, 0 /* salt_len */, nullptr /* info */,
- 0 /* info_len */, key_bytes_to_generate_)) {
- LOG_E("%s", "EciesKem: KDF failed, can't derived keys");
- return false;
- }
-
- if (!kdf_.get()->secret_key(output_key)) {
- LOG_E("%s", "EciesKem: KDF failed, can't derived keys");
- return false;
- }
-
- return true;
-}
-
-} // namespace keymaster
diff --git a/ecies_kem.h b/ecies_kem.h
deleted file mode 100644
index 8c1b330..0000000
--- a/ecies_kem.h
+++ /dev/null
@@ -1,61 +0,0 @@
-/*
- * Copyright 2015 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef SYSTEM_KEYMASTER_ECIES_KEM_H_
-#define SYSTEM_KEYMASTER_ECIES_KEM_H_
-
-#include "kem.h"
-
-#include <UniquePtr.h>
-#include <openssl/ec.h>
-
-#include <keymaster/authorization_set.h>
-
-#include "hkdf.h"
-#include "key_exchange.h"
-
-namespace keymaster {
-
-/**
- * EciesKem is an implementation of the key encapsulation mechanism ECIES-KEM described in
- * ISO 18033-2 (http://www.shoup.net/iso/std6.pdf, http://www.shoup.net/papers/iso-2_1.pdf).
- */
-class EciesKem : public Kem {
- public:
- virtual ~EciesKem() override {}
- EciesKem(const AuthorizationSet& kem_description, keymaster_error_t* error);
-
- /* Kem interface. */
- bool Encrypt(const Buffer& peer_public_value, Buffer* output_clear_key,
- Buffer* output_encrypted_key) override;
- bool Encrypt(const uint8_t* peer_public_value, size_t peer_public_value_len,
- Buffer* output_clear_key, Buffer* output_encrypted_key) override;
-
- bool Decrypt(EC_KEY* private_key, const Buffer& encrypted_key, Buffer* output_key) override;
- bool Decrypt(EC_KEY* private_key, const uint8_t* encrypted_key, size_t encrypted_key_len,
- Buffer* output_key) override;
-
- private:
- UniquePtr<KeyExchange> key_exchange_;
- UniquePtr<Rfc5869Sha256Kdf> kdf_;
- bool single_hash_mode_;
- uint32_t key_bytes_to_generate_;
- keymaster_ec_curve_t curve_;
-};
-
-} // namespace keymaster
-
-#endif // SYSTEM_KEYMASTER_ECIES_KEM_H_
diff --git a/ecies_kem_test.cpp b/ecies_kem_test.cpp
deleted file mode 100644
index a3617a7..0000000
--- a/ecies_kem_test.cpp
+++ /dev/null
@@ -1,75 +0,0 @@
-/*
- * Copyright 2015 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "ecies_kem.h"
-
-#include <gtest/gtest.h>
-#include <openssl/evp.h>
-
-#include <hardware/keymaster_defs.h>
-#include <keymaster/android_keymaster_utils.h>
-
-#include "android_keymaster_test_utils.h"
-#include "nist_curve_key_exchange.h"
-
-using std::string;
-
-namespace keymaster {
-namespace test {
-
-StdoutLogger logger;
-
-static const keymaster_ec_curve_t kEcCurves[] = {KM_EC_CURVE_P_224, KM_EC_CURVE_P_256,
- KM_EC_CURVE_P_384, KM_EC_CURVE_P_521};
-
-/**
- * TestConsistency just tests that the basic key encapsulation hold.
- */
-TEST(EciesKem, TestConsistency) {
- static const uint32_t kKeyLen = 32;
- for (auto& curve : kEcCurves) {
- AuthorizationSet kem_description(
- AuthorizationSetBuilder()
- .Authorization(TAG_EC_CURVE, curve)
- .Authorization(TAG_KDF, KM_KDF_RFC5869_SHA256)
- .Authorization(TAG_ECIES_SINGLE_HASH_MODE)
- .Authorization(TAG_KEY_SIZE, kKeyLen)
- .Authorization(TAG_EC_POINT_FORMAT, KM_EC_POINT_UNCOMPRESSED));
- keymaster_error_t error;
- EciesKem* kem = new EciesKem(kem_description, &error);
- ASSERT_EQ(KM_ERROR_OK, error);
-
- NistCurveKeyExchange* key_exchange = NistCurveKeyExchange::GenerateKeyExchange(curve);
- Buffer peer_public_value;
- ASSERT_TRUE(key_exchange->public_value(&peer_public_value));
-
- Buffer output_clear_key;
- Buffer output_encrypted_key;
- ASSERT_TRUE(kem->Encrypt(peer_public_value, &output_clear_key, &output_encrypted_key));
- ASSERT_EQ(kKeyLen, output_clear_key.available_read());
- ASSERT_EQ(peer_public_value.available_read(), output_encrypted_key.available_read());
-
- Buffer decrypted_clear_key;
- ASSERT_TRUE(
- kem->Decrypt(key_exchange->private_key(), output_encrypted_key, &decrypted_clear_key));
- ASSERT_EQ(kKeyLen, decrypted_clear_key.available_read());
- EXPECT_EQ(0, memcmp(output_clear_key.peek_read(), decrypted_clear_key.peek_read(),
- output_clear_key.available_read()));
- }
-}
-
-} // namespace test
-} // namespace keymaster
diff --git a/hkdf.cpp b/hkdf.cpp
index 7a9e121..19c663d 100644
--- a/hkdf.cpp
+++ b/hkdf.cpp
@@ -16,6 +16,8 @@
#include "hkdf.h"
+#include <assert.h>
+
#include <new>
#include <keymaster/android_keymaster_utils.h>
@@ -26,16 +28,17 @@
const size_t kSHA256HashLength = 32;
-bool Rfc5869Sha256Kdf::Init(Buffer& secret, Buffer& salt, Buffer& info,
- size_t key_bytes_to_generate) {
- return Init(secret.peek_read(), secret.available_read(), salt.peek_read(),
- salt.available_read(), info.peek_read(), info.available_read(),
- key_bytes_to_generate);
+Rfc5869HmacSha256Kdf::Rfc5869HmacSha256Kdf(Buffer& secret, Buffer& salt, Buffer& info,
+ size_t key_bytes_to_generate, keymaster_error_t* error) {
+ Rfc5869HmacSha256Kdf(secret.peek_read(), secret.available_read(), salt.peek_read(),
+ salt.available_read(), info.peek_read(), info.available_read(),
+ key_bytes_to_generate, error);
}
-bool Rfc5869Sha256Kdf::Init(const uint8_t* secret, size_t secret_len, const uint8_t* salt,
- size_t salt_len, const uint8_t* info, size_t info_len,
- size_t key_bytes_to_generate) {
+Rfc5869HmacSha256Kdf::Rfc5869HmacSha256Kdf(const uint8_t* secret, size_t secret_len,
+ const uint8_t* salt, size_t salt_len,
+ const uint8_t* info, size_t info_len,
+ size_t key_bytes_to_generate, keymaster_error_t* error) {
// Step 1. Extract: PRK = HMAC-SHA256(actual_salt, secret)
// https://tools.ietf.org/html/rfc5869#section-2.2
HmacSha256 prk_hmac;
@@ -48,37 +51,31 @@
memset(zeros, 0, sizeof(zeros));
result = prk_hmac.Init(zeros, sizeof(zeros));
}
- if (!result) {
- return false;
- }
+ assert(result);
+ // avoid the unused variable warning if asserts are disabled.
+ (void)result;
// |prk| is a pseudorandom key (of kSHA256HashLength octets).
uint8_t prk[kSHA256HashLength];
- if (sizeof(prk) != prk_hmac.DigestLength())
- return false;
+ assert(sizeof(prk) == prk_hmac.DigestLength());
result = prk_hmac.Sign(secret, secret_len, prk, sizeof(prk));
- if (!result) {
- return false;
- }
+ assert(result);
// Step 2. Expand: OUTPUT = HKDF-Expand(PRK, info)
// https://tools.ietf.org/html/rfc5869#section-2.3
const size_t n = (key_bytes_to_generate + kSHA256HashLength - 1) / kSHA256HashLength;
- if (n >= 256u) {
- return false;
- }
- output_.reset(new uint8_t[n * kSHA256HashLength]);
+ assert(n < 256u);
+ output_.reset(new (std::nothrow) uint8_t[n * kSHA256HashLength]);
if (!output_.get()) {
- return false;
+ *error = KM_ERROR_MEMORY_ALLOCATION_FAILED;
+ return;
}
uint8_t buf[kSHA256HashLength + info_len + 1];
uint8_t digest[kSHA256HashLength];
HmacSha256 hmac;
result = hmac.Init(prk, sizeof(prk));
- if (!result) {
- return false;
- }
+ assert(result);
for (size_t i = 1; i <= n; i++) {
size_t j = 0;
@@ -90,8 +87,7 @@
j += info_len;
buf[j++] = static_cast<uint8_t>(i);
result = hmac.Sign(buf, j, digest, sizeof(digest));
- if (!result)
- return false;
+ assert(result);
memcpy(output_.get() + (i - 1) * sizeof(digest), digest, sizeof(digest));
}
@@ -99,12 +95,11 @@
secret_key_len_ = key_bytes_to_generate;
secret_key_.reset(dup_buffer(output_.get(), key_bytes_to_generate));
if (!secret_key_.get()) {
- return false;
+ *error = KM_ERROR_MEMORY_ALLOCATION_FAILED;
+ return;
}
}
- initalized_ = true;
-
- return true;
+ *error = KM_ERROR_OK;
}
} // namespace keymaster
diff --git a/hkdf.h b/hkdf.h
index 8d84097..3ecdbe0 100644
--- a/hkdf.h
+++ b/hkdf.h
@@ -17,34 +17,39 @@
#ifndef SYSTEM_KEYMASTER_HKDF_H_
#define SYSTEM_KEYMASTER_HKDF_H_
-#include "kdf.h"
-
+#include <hardware/keymaster_defs.h>
#include <keymaster/serializable.h>
#include <UniquePtr.h>
namespace keymaster {
-// Rfc5869Sha256Kdf implements the key derivation function specified in RFC 5869 (using
+// Rfc5869HmacSha256Kdf implements the key derivation function specified in RFC 5869 (using
// SHA256) and outputs key material, as needed by ECIES.
// See https://tools.ietf.org/html/rfc5869 for details.
-class Rfc5869Sha256Kdf : public Kdf {
+class Rfc5869HmacSha256Kdf {
public:
- Rfc5869Sha256Kdf() : initalized_(false) {}
- ~Rfc5869Sha256Kdf() {}
+ // |secret|: the input shared secret (or, from RFC 5869, the IKM).
+ // |salt|: an (optional) public salt / non-secret random value. While
+ // optional, callers are strongly recommended to provide a salt. There is no
+ // added security value in making this larger than the SHA-256 block size of
+ // 64 bytes.
+ // |info|: an (optional) label to distinguish different uses of HKDF. It is
+ // optional context and application specific information (can be a zero-length
+ // string).
+ // |key_bytes_to_generate|: the number of bytes of key material to generate.
+ Rfc5869HmacSha256Kdf(Buffer& secret, Buffer& salt, Buffer& info, size_t key_bytes_to_generate,
+ keymaster_error_t* error);
- // Kdf interface.
- bool Init(Buffer& secret, Buffer& salt, Buffer& info, size_t key_bytes_to_generate);
-
- bool Init(const uint8_t* secret, size_t secret_len, const uint8_t* salt, size_t salt_len,
- const uint8_t* info, size_t info_len, size_t key_bytes_to_generate);
+ Rfc5869HmacSha256Kdf(const uint8_t* secret, size_t secret_len, const uint8_t* salt,
+ size_t salt_len, const uint8_t* info, size_t info_len,
+ size_t key_bytes_to_generate, keymaster_error_t* error);
bool secret_key(Buffer* buf) const {
- return initalized_ && buf->Reinitialize(secret_key_.get(), secret_key_len_);
- }
+ return buf->Reinitialize(secret_key_.get(), secret_key_len_);
+ };
private:
- bool initalized_;
UniquePtr<uint8_t[]> output_;
UniquePtr<uint8_t[]> secret_key_;
size_t secret_key_len_;
diff --git a/hkdf_test.cpp b/hkdf_test.cpp
index 8cf1e8d..f65a617 100644
--- a/hkdf_test.cpp
+++ b/hkdf_test.cpp
@@ -65,19 +65,20 @@
};
TEST(HkdfTest, Hkdf) {
- for (auto& test : kHkdfTests) {
+ for (size_t i = 0; i < 3; i++) {
+ const HkdfTest& test(kHkdfTests[i]);
const string key = hex2str(test.key_hex);
const string salt = hex2str(test.salt_hex);
const string info = hex2str(test.info_hex);
const string expected = hex2str(test.output_hex);
+ keymaster_error_t error;
// We set the key_length to the length of the expected output and then take
// the result.
- Rfc5869Sha256Kdf hkdf;
- ASSERT_TRUE(hkdf.Init(reinterpret_cast<const uint8_t*>(key.data()), key.size(),
- reinterpret_cast<const uint8_t*>(salt.data()), salt.size(),
- reinterpret_cast<const uint8_t*>(info.data()), info.size(),
- expected.size()));
-
+ Rfc5869HmacSha256Kdf hkdf(reinterpret_cast<const uint8_t*>(key.data()), key.size(),
+ reinterpret_cast<const uint8_t*>(salt.data()), salt.size(),
+ reinterpret_cast<const uint8_t*>(info.data()), info.size(),
+ expected.size(), &error);
+ ASSERT_EQ(error, KM_ERROR_OK);
Buffer secret_key;
bool result = hkdf.secret_key(&secret_key);
ASSERT_TRUE(result);
diff --git a/include/keymaster/ec_key_factory.h b/include/keymaster/ec_key_factory.h
index 2715e79..2371b7f 100644
--- a/include/keymaster/ec_key_factory.h
+++ b/include/keymaster/ec_key_factory.h
@@ -53,6 +53,7 @@
OperationFactory* GetOperationFactory(keymaster_purpose_t purpose) const override;
static EC_GROUP* choose_group(size_t key_size_bits);
+ static keymaster_error_t get_group_size(const EC_GROUP& group, size_t* key_size_bits);
};
} // namespace keymaster
diff --git a/include/keymaster/keymaster_tags.h b/include/keymaster/keymaster_tags.h
index 4cd2a6c..21d6966 100644
--- a/include/keymaster/keymaster_tags.h
+++ b/include/keymaster/keymaster_tags.h
@@ -164,7 +164,6 @@
DEFINE_KEYMASTER_TAG(KM_BOOL, TAG_CALLER_NONCE);
DEFINE_KEYMASTER_TAG(KM_UINT, TAG_MIN_MAC_LENGTH);
DEFINE_KEYMASTER_TAG(KM_ULONG, TAG_RSA_PUBLIC_EXPONENT);
-DEFINE_KEYMASTER_TAG(KM_BOOL, TAG_ECIES_SINGLE_HASH_MODE);
DEFINE_KEYMASTER_TAG(KM_DATE, TAG_ACTIVE_DATETIME);
DEFINE_KEYMASTER_TAG(KM_DATE, TAG_ORIGINATION_EXPIRE_DATETIME);
DEFINE_KEYMASTER_TAG(KM_DATE, TAG_USAGE_EXPIRE_DATETIME);
@@ -205,9 +204,6 @@
keymaster_key_blob_usage_requirements_t);
DEFINE_KEYMASTER_ENUM_TAG(KM_ENUM, TAG_ORIGIN, keymaster_key_origin_t);
DEFINE_KEYMASTER_ENUM_TAG(KM_ENUM, TAG_USER_AUTH_TYPE, hw_authenticator_type_t);
-DEFINE_KEYMASTER_ENUM_TAG(KM_ENUM, TAG_KDF, keymaster_kdf_t);
-DEFINE_KEYMASTER_ENUM_TAG(KM_ENUM, TAG_EC_CURVE, keymaster_ec_curve_t);
-DEFINE_KEYMASTER_ENUM_TAG(KM_ENUM, TAG_EC_POINT_FORMAT, keymaster_ec_point_format_t);
//
// Overloaded function "Authorization" to create keymaster_key_param_t objects for all of tags.
diff --git a/kdf.h b/kdf.h
deleted file mode 100644
index f65920d..0000000
--- a/kdf.h
+++ /dev/null
@@ -1,40 +0,0 @@
-/*
- * Copyright 2015 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef SYSTEM_KEYMASTER_KDF_H_
-#define SYSTEM_KEYMASTER_KDF_H_
-
-#include <keymaster/serializable.h>
-
-namespace keymaster {
-
-// Kdf is an abstract class that provides an interface to a
-// key derivation function.
-class Kdf {
- public:
- virtual ~Kdf() {}
-
- virtual bool Init(Buffer& secret, Buffer& salt, Buffer& info, size_t key_bytes_to_generate) = 0;
- virtual bool Init(const uint8_t* secret, size_t secret_len, const uint8_t* salt,
- size_t salt_len, const uint8_t* info, size_t info_len,
- size_t key_bytes_to_generate) = 0;
-
- virtual bool secret_key(Buffer* buf) const = 0;
-};
-
-} // namespace keymaster
-
-#endif // SYSTEM_KEYMASTER_KDF_H_
diff --git a/kem.h b/kem.h
deleted file mode 100644
index f2fa073..0000000
--- a/kem.h
+++ /dev/null
@@ -1,54 +0,0 @@
-/*
- * Copyright 2015 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef SYSTEM_KEYMASTER_KEM_H_
-#define SYSTEM_KEYMASTER_KEM_H_
-
-#include <keymaster/serializable.h>
-
-#include "openssl_utils.h"
-
-namespace keymaster {
-
-// Kem is an abstract class that provides an interface to a key encapsulation
-// mechansim primitive. A key encapsulation mechanism works just like a
-// public-key encryption scheme, except that the encryption algorithm takes no
-// input other than the recipient’s public key. Instead, the encryption algorithm
-// generates a pair (K, C0), where K is a bit string of some specified length,
-// and C0 is an encryption of K, that is, the decryption algorithm applied to C0
-// yields K.
-class Kem {
- public:
- virtual ~Kem(){};
-
- // For a key encapsulation mechanism, the goal of encryption is to take the recipient's public
- // key, and to generate a pair (K, C0), where K is a bit string of some specified length,
- // and C0 is an encryption of K.
- virtual bool Encrypt(const Buffer& peer_public_value, Buffer* output_clear_key,
- Buffer* output_encrypted_key) = 0;
- virtual bool Encrypt(const uint8_t* peer_public_value, size_t peer_public_value_len,
- Buffer* output_clear_key, Buffer* output_encrypted_key) = 0;
-
- // Decrypt takes an encrypted key, and outputs its clear text.
- // Decrypt takes ownership of \p private_key.
- virtual bool Decrypt(EC_KEY* private_key, const Buffer& encrypted_key, Buffer* output_key) = 0;
- virtual bool Decrypt(EC_KEY* private_key, const uint8_t* encrypted_key,
- size_t encrypted_key_len, Buffer* output_key) = 0;
-};
-
-} // namespace keymaster
-
-#endif // SYSTEM_KEYMASTER_KEM_H_
diff --git a/key_exchange.h b/key_exchange.h
deleted file mode 100644
index 1019e20..0000000
--- a/key_exchange.h
+++ /dev/null
@@ -1,52 +0,0 @@
-/*
- * Copyright 2015 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef SYSTEM_KEYMASTER_KEY_EXCHANGE_H_
-#define SYSTEM_KEYMASTER_KEY_EXCHANGE_H_
-
-#include <openssl/ec.h>
-
-#include <keymaster/serializable.h>
-
-namespace keymaster {
-
-/**
- * KeyExchange is an abstract class that provides an interface to a
- * key-exchange primitive.
- */
-class KeyExchange {
- public:
- virtual ~KeyExchange() {}
-
- /**
- * CalculateSharedKey computes the shared key between the local private key
- * (which is implicitly known by a KeyExchange object) and a public value
- * from the peer.
- */
- virtual bool CalculateSharedKey(const Buffer& peer_public_value, Buffer* shared_key) const = 0;
- virtual bool CalculateSharedKey(const uint8_t* peer_public_value, size_t peer_public_value_len,
- Buffer* shared_key) const = 0;
-
- /**
- * public_value writes to |public_value| the local public key which can be
- * sent to a peer in order to complete a key exchange.
- */
- virtual bool public_value(Buffer* public_value) const = 0;
-};
-
-} // namespace keymaster
-
-#endif // SYSTEM_KEYMASTER_KEY_EXCHANGE_H_
diff --git a/keymaster0_engine.cpp b/keymaster0_engine.cpp
index d752ae2..70c0d89 100644
--- a/keymaster0_engine.cpp
+++ b/keymaster0_engine.cpp
@@ -191,7 +191,7 @@
EC_KEY* Keymaster0Engine::BlobToEcKey(const KeymasterKeyBlob& blob) const {
// Create new EC key (with engine methods) and insert blob
- unique_ptr<EC_KEY, EC_KEY_Delete> ec_key(EC_KEY_new_method(engine_));
+ unique_ptr<EC_KEY, EC_Delete> ec_key(EC_KEY_new_method(engine_));
if (!ec_key)
return nullptr;
@@ -204,7 +204,7 @@
if (!pkey)
return nullptr;
- unique_ptr<EC_KEY, EC_KEY_Delete> public_ec_key(EVP_PKEY_get1_EC_KEY(pkey.get()));
+ unique_ptr<EC_KEY, EC_Delete> public_ec_key(EVP_PKEY_get1_EC_KEY(pkey.get()));
if (!public_ec_key)
return nullptr;
diff --git a/keymaster1_engine.cpp b/keymaster1_engine.cpp
index 6b40022..866a255 100644
--- a/keymaster1_engine.cpp
+++ b/keymaster1_engine.cpp
@@ -167,7 +167,7 @@
const AuthorizationSet& additional_params,
keymaster_error_t* error) const {
// Create new EC key (with engine methods) and insert blob
- unique_ptr<EC_KEY, EC_KEY_Delete> ec_key(EC_KEY_new_method(engine_.get()));
+ unique_ptr<EC_KEY, EC_Delete> ec_key(EC_KEY_new_method(engine_.get()));
if (!ec_key) {
*error = TranslateLastOpenSslError();
return nullptr;
@@ -188,7 +188,7 @@
return nullptr;
}
- unique_ptr<EC_KEY, EC_KEY_Delete> public_ec_key(EVP_PKEY_get1_EC_KEY(pkey.get()));
+ unique_ptr<EC_KEY, EC_Delete> public_ec_key(EVP_PKEY_get1_EC_KEY(pkey.get()));
if (!public_ec_key) {
*error = TranslateLastOpenSslError();
return nullptr;
@@ -212,7 +212,7 @@
}
case EVP_PKEY_EC: {
- unique_ptr<EC_KEY, EC_KEY_Delete> ec_key(EVP_PKEY_get1_EC_KEY(key));
+ unique_ptr<EC_KEY, EC_Delete> ec_key(EVP_PKEY_get1_EC_KEY(key));
return GetData(ec_key.get());
}
diff --git a/keymaster_enforcement.cpp b/keymaster_enforcement.cpp
index ae44f54..4d0aaef 100644
--- a/keymaster_enforcement.cpp
+++ b/keymaster_enforcement.cpp
@@ -296,16 +296,12 @@
case KM_TAG_PADDING:
case KM_TAG_NONCE:
case KM_TAG_MIN_MAC_LENGTH:
- case KM_TAG_KDF:
- case KM_TAG_EC_CURVE:
- case KM_TAG_EC_POINT_FORMAT:
/* Tags not used for operations. */
case KM_TAG_BLOB_USAGE_REQUIREMENTS:
/* Algorithm specific parameters not used for access control. */
case KM_TAG_RSA_PUBLIC_EXPONENT:
- case KM_TAG_ECIES_SINGLE_HASH_MODE:
/* Informational tags. */
case KM_TAG_CREATION_DATETIME:
diff --git a/nist_curve_key_exchange.cpp b/nist_curve_key_exchange.cpp
deleted file mode 100644
index 0dd3a54..0000000
--- a/nist_curve_key_exchange.cpp
+++ /dev/null
@@ -1,127 +0,0 @@
-/*
- * Copyright 2015 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "nist_curve_key_exchange.h"
-
-#include <openssl/ec.h>
-#include <openssl/ecdh.h>
-#include <openssl/err.h>
-#include <openssl/evp.h>
-
-#include "openssl_err.h"
-
-namespace keymaster {
-
-NistCurveKeyExchange::NistCurveKeyExchange(EC_KEY* private_key, keymaster_error_t* error)
- : private_key_(private_key) {
- if (!private_key_.get() || !EC_KEY_check_key(private_key_.get())) {
- *error = KM_ERROR_INVALID_ARGUMENT;
- return;
- }
- *error = ExtractPublicKey();
-}
-
-/* static */
-NistCurveKeyExchange* NistCurveKeyExchange::GenerateKeyExchange(keymaster_ec_curve_t curve) {
- int curve_name;
- switch (curve) {
- case KM_EC_CURVE_P_224:
- curve_name = NID_secp224r1;
- break;
- case KM_EC_CURVE_P_256:
- curve_name = NID_X9_62_prime256v1;
- break;
- case KM_EC_CURVE_P_384:
- curve_name = NID_secp384r1;
- break;
- case KM_EC_CURVE_P_521:
- curve_name = NID_secp521r1;
- break;
- default:
- LOG_E("Not a NIST curve: %d", curve);
- return nullptr;
- }
-
- UniquePtr<EC_KEY, EC_KEY_Delete> key(EC_KEY_new_by_curve_name(curve_name));
- if (!key.get() || !EC_KEY_generate_key(key.get())) {
- return nullptr;
- }
- keymaster_error_t error;
- NistCurveKeyExchange* key_exchange = new NistCurveKeyExchange(key.release(), &error);
- if (error != KM_ERROR_OK) {
- return nullptr;
- }
- return key_exchange;
-}
-
-keymaster_error_t NistCurveKeyExchange::ExtractPublicKey() {
- const EC_GROUP* group = EC_KEY_get0_group(private_key_.get());
- size_t field_len_bits;
- keymaster_error_t error = ec_get_group_size(group, &field_len_bits);
- if (error != KM_ERROR_OK)
- return error;
-
- shared_secret_len_ = (field_len_bits + 7) / 8;
- public_key_len_ = 1 + 2 * shared_secret_len_;
- public_key_.reset(new uint8_t[public_key_len_]);
- if (EC_POINT_point2oct(group, EC_KEY_get0_public_key(private_key_.get()),
- POINT_CONVERSION_UNCOMPRESSED, public_key_.get(), public_key_len_,
- nullptr /* ctx */) != public_key_len_) {
- return TranslateLastOpenSslError();
- }
- return KM_ERROR_OK;
-}
-
-bool NistCurveKeyExchange::CalculateSharedKey(const Buffer& peer_public_value,
- Buffer* out_result) const {
-
- return CalculateSharedKey(peer_public_value.peek_read(), peer_public_value.available_read(),
- out_result);
-}
-
-bool NistCurveKeyExchange::CalculateSharedKey(const uint8_t* peer_public_value,
- size_t peer_public_value_len,
- Buffer* out_result) const {
- const EC_GROUP* group = EC_KEY_get0_group(private_key_.get());
- UniquePtr<EC_POINT, EC_POINT_Delete> point(EC_POINT_new(group));
- if (!point.get() ||
- !EC_POINT_oct2point(/* also test if point is on curve */
- group, point.get(), peer_public_value, peer_public_value_len,
- nullptr /* ctx */) ||
- !EC_POINT_is_on_curve(group, point.get(), nullptr /* ctx */)) {
- LOG_E("Can't convert peer public value to point: %d", TranslateLastOpenSslError());
- return false;
- }
-
- UniquePtr<uint8_t[]> result(new uint8_t[shared_secret_len_]);
- if (ECDH_compute_key(result.get(), shared_secret_len_, point.get(), private_key_.get(),
- nullptr /* kdf */) != static_cast<int>(shared_secret_len_)) {
- LOG_E("Can't compute ECDH shared key: %d", TranslateLastOpenSslError());
- return false;
- }
-
- out_result->Reinitialize(result.get(), shared_secret_len_);
- return true;
-}
-
-bool NistCurveKeyExchange::public_value(Buffer* public_value) const {
- if (public_key_.get() != nullptr && public_key_len_ != 0) {
- return public_value->Reinitialize(public_key_.get(), public_key_len_);
- }
- return false;
-}
-
-} // namespace keymaster
\ No newline at end of file
diff --git a/nist_curve_key_exchange.h b/nist_curve_key_exchange.h
deleted file mode 100644
index 0a93882..0000000
--- a/nist_curve_key_exchange.h
+++ /dev/null
@@ -1,72 +0,0 @@
-/*
- * Copyright 2015 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef SYSTEM_KEYMASTER_NIST_CURVE_KEY_EXCHANGE_H_
-#define SYSTEM_KEYMASTER_NIST_CURVE_KEY_EXCHANGE_H_
-
-#include "key_exchange.h"
-
-#include <keymaster/authorization_set.h>
-#include <hardware/keymaster_defs.h>
-
-#include <UniquePtr.h>
-
-#include "openssl_utils.h"
-
-namespace keymaster {
-
-/**
- * NistCurveKeyExchange implements a KeyExchange using elliptic-curve
- * Diffie-Hellman on NIST curves: P-224, P-256, P-384 and P-521.
- */
-class NistCurveKeyExchange : public KeyExchange {
- public:
- ~NistCurveKeyExchange() override {}
-
- /**
- * NistCurveKeyExchange takes ownership of \p private_key.
- */
- NistCurveKeyExchange(EC_KEY* private_key, keymaster_error_t* error);
-
- /**
- * GenerateKeyExchange generates a new public/private key pair on a NIST curve and returns
- * a new key exchange object.
- */
- static NistCurveKeyExchange* GenerateKeyExchange(keymaster_ec_curve_t curve);
-
- /**
- * KeyExchange interface.
- */
- bool CalculateSharedKey(const uint8_t* peer_public_value, size_t peer_public_value_len,
- Buffer* shared_key) const override;
- bool CalculateSharedKey(const Buffer& peer_public_value, Buffer* shared_key) const override;
- bool public_value(Buffer* public_value) const override;
-
- /* Caller takes ownership of \p private_key. */
- EC_KEY* private_key() { return private_key_.release(); }
-
- private:
- keymaster_error_t ExtractPublicKey();
-
- UniquePtr<EC_KEY, EC_KEY_Delete> private_key_;
- UniquePtr<uint8_t[]> public_key_;
- size_t public_key_len_;
- size_t shared_secret_len_;
-};
-
-} // namespace keymaster
-
-#endif // SYSTEM_KEYMASTER_NIST_CURVE_KEY_EXCHANGE_H_
\ No newline at end of file
diff --git a/nist_curve_key_exchange_test.cpp b/nist_curve_key_exchange_test.cpp
deleted file mode 100644
index 39ea38b..0000000
--- a/nist_curve_key_exchange_test.cpp
+++ /dev/null
@@ -1,219 +0,0 @@
-/*
- * Copyright 2015 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "nist_curve_key_exchange.h"
-
-#include <gtest/gtest.h>
-#include <openssl/evp.h>
-
-#include <hardware/keymaster_defs.h>
-#include <keymaster/android_keymaster_utils.h>
-
-#include "android_keymaster_test_utils.h"
-
-using std::string;
-
-namespace keymaster {
-namespace test {
-
-StdoutLogger logger;
-
-static const keymaster_ec_curve_t kEcCurves[] = {KM_EC_CURVE_P_224, KM_EC_CURVE_P_256,
- KM_EC_CURVE_P_384, KM_EC_CURVE_P_521};
-
-/**
- * SharedKey just tests that the basic key exchange identity holds: that both
- * parties end up with the same key.
- */
-TEST(NistCurveKeyExchange, SharedKey) {
- for (auto& curve : kEcCurves) {
- AuthorizationSet kex_description(
- AuthorizationSetBuilder().Authorization(TAG_EC_CURVE, curve));
- for (size_t j = 0; j < 5; j++) {
- NistCurveKeyExchange* alice_keyex = NistCurveKeyExchange::GenerateKeyExchange(curve);
- NistCurveKeyExchange* bob_keyex = NistCurveKeyExchange::GenerateKeyExchange(curve);
-
- ASSERT_TRUE(alice_keyex != nullptr);
- ASSERT_TRUE(bob_keyex != nullptr);
-
- Buffer alice_public_value;
- ASSERT_TRUE(alice_keyex->public_value(&alice_public_value));
- Buffer bob_public_value;
- ASSERT_TRUE(bob_keyex->public_value(&bob_public_value));
-
- Buffer alice_shared, bob_shared;
- ASSERT_TRUE(alice_keyex->CalculateSharedKey(bob_public_value, &alice_shared));
- ASSERT_TRUE(bob_keyex->CalculateSharedKey(alice_public_value, &bob_shared));
- EXPECT_EQ(alice_shared.available_read(), bob_shared.available_read());
- EXPECT_EQ(0, memcmp(alice_shared.peek_read(), bob_shared.peek_read(),
- alice_shared.available_read()));
- }
- }
-}
-
-/*
- * This test tries a key agreement with a false public key (i.e. with
- * a point not on the curve.)
- * The expected result of such a protocol should be that the
- * key agreement fails and returns an error.
-*/
-static const char* kInvalidPublicKeys[] = {
- "04" // uncompressed public key
- "deadbeef7f56584c5cc632ca65640db91b6bacce3a4df6b42ce7cc838833d287"
- "db71e509e3fd9b060ddb20ba5c51dcc5948d46fbf640dfe0441782cab85fa4ac",
-};
-
-TEST(NistCurveKeyExchange, InvalidPublicKey) {
- for (auto& curve : kEcCurves) {
- AuthorizationSet kex_description(
- AuthorizationSetBuilder().Authorization(TAG_EC_CURVE, curve));
- KeyExchange* key_exchange = NistCurveKeyExchange::GenerateKeyExchange(curve);
- ASSERT_TRUE(key_exchange != nullptr);
-
- string peer_public_key = hex2str(kInvalidPublicKeys[0]);
- Buffer computed_shared_secret;
- ASSERT_FALSE(key_exchange->CalculateSharedKey(
- reinterpret_cast<const uint8_t*>(peer_public_key.data()), peer_public_key.size(),
- &computed_shared_secret));
- }
-}
-
-/**
- * Test that key exchange fails when peer public key is the point at infinity.
- */
-TEST(NistCurveKeyExchange, TestInfinity) {
- for (auto& curve : kEcCurves) {
- /* Obtain the point at infinity */
- EC_GROUP* group = ec_get_group(curve);
- EC_POINT* point_at_infinity = EC_POINT_new(group);
- EC_POINT_set_to_infinity(group, point_at_infinity);
- EXPECT_EQ(1, EC_POINT_is_on_curve(group, point_at_infinity, nullptr));
- size_t field_len_in_bits;
- ec_get_group_size(group, &field_len_in_bits);
- size_t field_len = (field_len_in_bits + 7) / 8;
- size_t public_key_len = (field_len * 2) + 1;
- uint8_t* public_key = new uint8_t[public_key_len];
- public_key_len = EC_POINT_point2oct(group, point_at_infinity, POINT_CONVERSION_UNCOMPRESSED,
- public_key, public_key_len, nullptr /* ctx */);
-
- /* Perform the key exchange */
- AuthorizationSet kex_description(
- AuthorizationSetBuilder().Authorization(TAG_EC_CURVE, curve));
- NistCurveKeyExchange* key_exchange = NistCurveKeyExchange::GenerateKeyExchange(curve);
- ASSERT_TRUE(key_exchange != nullptr);
- Buffer computed_shared_secret;
- /* It should fail */
- ASSERT_FALSE(key_exchange->CalculateSharedKey(reinterpret_cast<const uint8_t*>(public_key),
- public_key_len, &computed_shared_secret));
-
- /* Explicitly test that ECDH_compute_key fails when the public key is the point at infinity
- */
- UniquePtr<uint8_t[]> result(new uint8_t[field_len]);
- EXPECT_EQ(-1 /* error */, ECDH_compute_key(result.get(), field_len, point_at_infinity,
- key_exchange->private_key(), nullptr /* kdf */));
- }
-}
-
-/* Test vectors for P-256, downloaded from NIST. */
-struct NistCurveTest {
- const keymaster_ec_curve_t curve;
- const char* peer_public_key;
- const char* my_private_key;
- const char* shared_secret;
-};
-
-static const NistCurveTest kNistCurveTests[] = {
- {
- KM_EC_CURVE_P_256,
- "04" // uncompressed public key
- "700c48f77f56584c5cc632ca65640db91b6bacce3a4df6b42ce7cc838833d287"
- "db71e509e3fd9b060ddb20ba5c51dcc5948d46fbf640dfe0441782cab85fa4ac",
- // https://tools.ietf.org/html/rfc5915
- "30770201010420" // DER-encodeded EC private key header
- "7d7dc5f71eb29ddaf80d6214632eeae03d9058af1fb6d22ed80badb62bc1a534" // private key
- "a00a06082a8648ce3d030107a144034200" // DER-encoded curve OID,
- "04"
- "ead218590119e8876b29146ff89ca61770c4edbbf97d38ce385ed281d8a6b230"
- "28af61281fd35e2fa7002523acc85a429cb06ee6648325389f59edfce1405141",
- "46fc62106420ff012e54a434fbdd2d25ccc5852060561e68040dd7778997bd7b",
- },
- {
- KM_EC_CURVE_P_256, "04"
- "809f04289c64348c01515eb03d5ce7ac1a8cb9498f5caa50197e58d43a86a7ae"
- "b29d84e811197f25eba8f5194092cb6ff440e26d4421011372461f579271cda3",
- // https://tools.ietf.org/html/rfc5915
- "30770201010420" // DER-encodeded EC private key header
- "38f65d6dce47676044d58ce5139582d568f64bb16098d179dbab07741dd5caf5" // private key
- "a00a06082a8648ce3d030107a144034200" // DER-encoded curve OID,
- "04"
- "119f2f047902782ab0c9e27a54aff5eb9b964829ca99c06b02ddba95b0a3f6d0"
- "8f52b726664cac366fc98ac7a012b2682cbd962e5acb544671d41b9445704d1d",
- "057d636096cb80b67a8c038c890e887d1adfa4195e9b3ce241c8a778c59cda67",
- },
- {
- KM_EC_CURVE_P_256, "04"
- "df3989b9fa55495719b3cf46dccd28b5153f7808191dd518eff0c3cff2b705ed"
- "422294ff46003429d739a33206c8752552c8ba54a270defc06e221e0feaf6ac4",
- // https://tools.ietf.org/html/rfc5915
- "30770201010420" // DER-encodeded EC private key header
- "207c43a79bfee03db6f4b944f53d2fb76cc49ef1c9c4d34d51b6c65c4db6932d" // private key
- "a00a06082a8648ce3d030107a144034200" // DER-encoded curve OID,
- "04"
- "24277c33f450462dcb3d4801d57b9ced05188f16c28eda873258048cd1607e0d"
- "c4789753e2b1f63b32ff014ec42cd6a69fac81dfe6d0d6fd4af372ae27c46f88",
- "96441259534b80f6aee3d287a6bb17b5094dd4277d9e294f8fe73e48bf2a0024",
- },
-};
-
-/**
- * Test that key exchange works with NIST test vectors.
- */
-TEST(NistCurveKeyExchange, NistTestVectors) {
- for (auto& test : kNistCurveTests) {
- string private_key = hex2str(test.my_private_key);
- string shared_secret = hex2str(test.shared_secret);
-
- const uint8_t* private_key_data = reinterpret_cast<const uint8_t*>(private_key.data());
- UniquePtr<EC_KEY, EC_KEY_Delete> ec_key(
- d2i_ECPrivateKey(nullptr, &private_key_data, private_key.size()));
- ASSERT_TRUE(ec_key.get() && EC_KEY_check_key(ec_key.get()));
-
- keymaster_error_t error;
- NistCurveKeyExchange* key_exchange = new NistCurveKeyExchange(ec_key.release(), &error);
- EXPECT_EQ(KM_ERROR_OK, error);
- ASSERT_TRUE(key_exchange != nullptr);
-
- Buffer computed_shared_secret;
- string peer_public_key = hex2str(test.peer_public_key);
- ASSERT_TRUE(key_exchange->CalculateSharedKey(
- reinterpret_cast<const uint8_t*>(peer_public_key.data()), peer_public_key.size(),
- &computed_shared_secret));
- EXPECT_EQ(shared_secret.size(), computed_shared_secret.available_read());
- EXPECT_EQ(0, memcmp(shared_secret.data(), computed_shared_secret.peek_read(),
- shared_secret.size()));
-
- for (size_t i = 0; i < peer_public_key.size(); i++) {
- // randomly flip some bits in the peer public key to make it invalid
- peer_public_key[i] ^= 0xff;
- ASSERT_FALSE(key_exchange->CalculateSharedKey(
- reinterpret_cast<const uint8_t*>(peer_public_key.data()), peer_public_key.size(),
- &computed_shared_secret));
- }
- }
-}
-
-} // namespace test
-} // namespace keymaster
diff --git a/openssl_utils.cpp b/openssl_utils.cpp
index 5d2cb1c..1e25ca5 100644
--- a/openssl_utils.cpp
+++ b/openssl_utils.cpp
@@ -22,52 +22,6 @@
namespace keymaster {
-keymaster_error_t ec_get_group_size(const EC_GROUP* group, size_t* key_size_bits) {
- switch (EC_GROUP_get_curve_name(group)) {
- case NID_secp224r1:
- *key_size_bits = 224;
- break;
- case NID_X9_62_prime256v1:
- *key_size_bits = 256;
- break;
- case NID_secp384r1:
- *key_size_bits = 384;
- break;
- case NID_secp521r1:
- *key_size_bits = 521;
- break;
- default:
- return KM_ERROR_UNSUPPORTED_EC_FIELD;
- }
- return KM_ERROR_OK;
-}
-
-EC_GROUP* ec_get_group(keymaster_ec_curve_t curve) {
- switch (curve) {
- case KM_EC_CURVE_P_224:
- return EC_GROUP_new_by_curve_name(NID_secp224r1);
- break;
- case KM_EC_CURVE_P_256:
- return EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1);
- break;
- case KM_EC_CURVE_P_384:
- return EC_GROUP_new_by_curve_name(NID_secp384r1);
- break;
- case KM_EC_CURVE_P_521:
- return EC_GROUP_new_by_curve_name(NID_secp521r1);
- break;
- default:
- return nullptr;
- break;
- }
-}
-
-void convert_bn_to_blob(BIGNUM* bn, keymaster_blob_t* blob) {
- blob->data_length = BN_num_bytes(bn);
- blob->data = new uint8_t[blob->data_length];
- BN_bn2bin(bn, const_cast<uint8_t*>(blob->data));
-}
-
static int convert_to_evp(keymaster_algorithm_t algorithm) {
switch (algorithm) {
case KM_ALGORITHM_RSA:
diff --git a/openssl_utils.h b/openssl_utils.h
index cd52ca1..a66ef43 100644
--- a/openssl_utils.h
+++ b/openssl_utils.h
@@ -32,14 +32,6 @@
struct KeymasterKeyBlob;
-struct EC_KEY_Delete {
- void operator()(EC_KEY* p) { EC_KEY_free(p); }
-};
-
-struct EC_POINT_Delete {
- void operator()(EC_POINT* p) { EC_POINT_free(p); }
-};
-
struct EVP_PKEY_Delete {
void operator()(EVP_PKEY* p) const { EVP_PKEY_free(p); }
};
@@ -64,13 +56,14 @@
void operator()(EC_GROUP* p) { EC_GROUP_free(p); }
};
+struct EC_Delete {
+ void operator()(EC_KEY* p) { EC_KEY_free(p); }
+};
+
struct ENGINE_Delete {
void operator()(ENGINE* p) { ENGINE_free(p); }
};
-keymaster_error_t ec_get_group_size(const EC_GROUP* group, size_t* key_size_bits);
-EC_GROUP* ec_get_group(keymaster_ec_curve_t curve);
-
/**
* Many OpenSSL APIs take ownership of an argument on success but don't free the argument on
* failure. This means we need to tell our scoped pointers when we've transferred ownership, without
diff --git a/soft_keymaster_context.cpp b/soft_keymaster_context.cpp
index 1b1fa39..5620457 100644
--- a/soft_keymaster_context.cpp
+++ b/soft_keymaster_context.cpp
@@ -470,12 +470,12 @@
sw_enforced->push_back(TAG_PURPOSE, KM_PURPOSE_SIGN);
sw_enforced->push_back(TAG_PURPOSE, KM_PURPOSE_VERIFY);
- UniquePtr<EC_KEY, EC_KEY_Delete> ec_key(EVP_PKEY_get1_EC_KEY(pubkey));
+ UniquePtr<EC_KEY, EC_Delete> ec_key(EVP_PKEY_get1_EC_KEY(pubkey));
if (!ec_key.get())
return TranslateLastOpenSslError();
size_t key_size_bits;
keymaster_error_t error =
- ec_get_group_size(EC_KEY_get0_group(ec_key.get()), &key_size_bits);
+ EcKeyFactory::get_group_size(*EC_KEY_get0_group(ec_key.get()), &key_size_bits);
if (error != KM_ERROR_OK)
return error;
hw_enforced->push_back(TAG_KEY_SIZE, key_size_bits);
