key_blob.cpp - platform/system/keymaster - Git at Google

 /*
  * Copyright 2014 The Android Open Source Project
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *      http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */

 #include <assert.h>

 #include <keymaster/android_keymaster_utils.h>
 #include <keymaster/key_blob.h>
 #include <keymaster/logger.h>

 namespace keymaster {

 const size_t KeyBlob::NONCE_LENGTH;
 const size_t KeyBlob::TAG_LENGTH;

 KeyBlob::KeyBlob(const uint8_t* key_blob, size_t key_blob_length) : error_(KM_ERROR_OK) {
     Deserialize(&key_blob, key_blob + key_blob_length);
 }

 KeyBlob::KeyBlob(const keymaster_key_blob_t& key_blob) : error_(KM_ERROR_OK) {
     const uint8_t* key_material = key_blob.key_material;
     Deserialize(&key_material, key_blob.key_material + key_blob.key_material_size);
 }

 size_t KeyBlob::SerializedSize() const {
     return 1 /* version byte */ + sizeof(uint32_t) /* nonce length */ + NONCE_LENGTH +
            sizeof(uint32_t) + key_material_length() + sizeof(uint32_t) /* tag length */ +
            TAG_LENGTH + enforced_.SerializedSize() + unenforced_.SerializedSize();
 }

 const uint8_t BLOB_VERSION = 0;

 uint8_t* KeyBlob::Serialize(uint8_t* buf, const uint8_t* end) const {
     const uint8_t* start __attribute__((__unused__)) = buf;
     *buf++ = BLOB_VERSION;
     buf = append_size_and_data_to_buf(buf, end, nonce(), NONCE_LENGTH);
     buf = append_size_and_data_to_buf(buf, end, encrypted_key_material(), key_material_length());
     buf = append_size_and_data_to_buf(buf, end, tag(), TAG_LENGTH);
     buf = enforced_.Serialize(buf, end);
     buf = unenforced_.Serialize(buf, end);
     assert(buf - start == static_cast<ptrdiff_t>(SerializedSize()));
     return buf;
 }

 bool KeyBlob::Deserialize(const uint8_t** buf_ptr, const uint8_t* end) {
     const uint8_t* start = *buf_ptr;
     uint8_t version = *(*buf_ptr)++;
     size_t nonce_length;
     size_t tag_length;
     if (version != BLOB_VERSION ||
         !copy_size_and_data_from_buf(buf_ptr, end, &nonce_length, &nonce_) ||
         nonce_length != NONCE_LENGTH ||
         !copy_size_and_data_from_buf(buf_ptr, end, &key_material_length_,
                                      &encrypted_key_material_) ||
         !copy_size_and_data_from_buf(buf_ptr, end, &tag_length, &tag_) ||
         tag_length != TAG_LENGTH || !enforced_.Deserialize(buf_ptr, end) ||
         !unenforced_.Deserialize(buf_ptr, end)) {
         *buf_ptr = start;
         // This blob failed to parse.  Either it's corrupted or it's a blob generated by an earlier
         // version of keymaster using a previous blob format which did not include the version byte
         // or the nonce or tag length fields.  So we try to parse it as that previous version.
         //
         // Note that it's not really a problem if we erronously parse a corrupted blob, because
         // decryption will fail the authentication check.
         //
         // A bigger potential problem is: What if a valid unversioned blob appears to parse
         // correctly as a versioned blob?  It would then be rejected during decryption, causing a
         // valid key to become unusable.  If this is a disk encryption key, upgrading to a keymaster
         // version with the new format would destroy the user's data.
         //
         // What is the probability that an unversioned key could be successfully parsed as a version
         // 0 key?  The first 12 bytes of an unversioned key are the nonce, which, in the only
         // keymaster version released with unversioned keys, is chosen randomly.  In order for an
         // unversioned key to parse as a version 0 key, the following must be true about the first
         // five of those random bytes:
         //
         // 1.  The first byte must be zero.  This will happen with probability 1/2^8.
         //
         // 2.  The second through fifth bytes must contain an unsigned integer value equal to
         //     NONCE_LENGTH.  This will happen with probability 1/2^32.
         //
         // Based on those two checks alone, the probability of interpreting an unversioned blob as a
         // version 0 blob is 1/2^40.  That's small enough to be negligible, but there are additional
         // checks which lower it further.
         LOG_I("Failed to deserialize versioned key blob.  Assuming unversioned.");
         *buf_ptr = start;
         if (!DeserializeUnversionedBlob(buf_ptr, end))
             return false;
     }
     return ExtractKeyCharacteristics();
 }

 bool KeyBlob::DeserializeUnversionedBlob(const uint8_t** buf_ptr, const uint8_t* end) {
     nonce_.reset(new uint8_t[NONCE_LENGTH]);
     tag_.reset(new uint8_t[TAG_LENGTH]);
     if (!nonce_.get() || !tag_.get()) {
         error_ = KM_ERROR_MEMORY_ALLOCATION_FAILED;
         return false;
     }

     if (!copy_from_buf(buf_ptr, end, nonce_.get(), NONCE_LENGTH) ||
         !copy_size_and_data_from_buf(buf_ptr, end, &key_material_length_,
                                      &encrypted_key_material_) ||
         !copy_from_buf(buf_ptr, end, tag_.get(), TAG_LENGTH) ||
         !enforced_.Deserialize(buf_ptr, end) || !unenforced_.Deserialize(buf_ptr, end)) {
         encrypted_key_material_.reset();
         LOG_E("Failed to deserialize unversioned blob", 0);
         error_ = KM_ERROR_INVALID_KEY_BLOB;
         return false;
     }
     return ExtractKeyCharacteristics();
 }

 KeyBlob::KeyBlob(const AuthorizationSet& enforced, const AuthorizationSet& unenforced)
     : error_(KM_ERROR_OK), enforced_(enforced), unenforced_(unenforced) {
 }

 void KeyBlob::SetEncryptedKey(uint8_t* encrypted_key_material, size_t encrypted_key_material_length,
                               uint8_t* nonce, uint8_t* tag) {
     ClearKeyData();
     encrypted_key_material_.reset(encrypted_key_material);
     key_material_length_ = encrypted_key_material_length;
     nonce_.reset(nonce);
     tag_.reset(tag);
 }

 bool KeyBlob::ExtractKeyCharacteristics() {
     if (!enforced_.GetTagValue(TAG_ALGORITHM, &algorithm_) &&
         !unenforced_.GetTagValue(TAG_ALGORITHM, &algorithm_)) {
         error_ = KM_ERROR_UNSUPPORTED_ALGORITHM;
         return false;
     }
     if (!enforced_.GetTagValue(TAG_KEY_SIZE, &key_size_bits_) &&
         !unenforced_.GetTagValue(TAG_KEY_SIZE, &key_size_bits_)) {
         error_ = KM_ERROR_UNSUPPORTED_KEY_SIZE;
         return false;
     }
     return true;
 }

 keymaster_key_origin_t KeyBlob::origin() const {
     keymaster_key_origin_t origin;
     if (!enforced_.GetTagValue(TAG_ORIGIN, &origin) &&
         !unenforced_.GetTagValue(TAG_ORIGIN, &origin))
         // This should be impossible.
         assert(false);
     return origin;
 }

 bool KeyBlob::is_hardware() const {
     keymaster_key_origin_t origin;
     return enforced_.GetTagValue(TAG_ORIGIN, &origin);
 }

 }  // namespace keymaster
	/*
	* Copyright 2014 The Android Open Source Project
	*
	* Licensed under the Apache License, Version 2.0 (the "License");
	* you may not use this file except in compliance with the License.
	* You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/

	#include <assert.h>

	#include <keymaster/android_keymaster_utils.h>
	#include <keymaster/key_blob.h>
	#include <keymaster/logger.h>

	namespace keymaster {

	const size_t KeyBlob::NONCE_LENGTH;
	const size_t KeyBlob::TAG_LENGTH;

	KeyBlob::KeyBlob(const uint8_t* key_blob, size_t key_blob_length) : error_(KM_ERROR_OK) {
	Deserialize(&key_blob, key_blob + key_blob_length);
	}

	KeyBlob::KeyBlob(const keymaster_key_blob_t& key_blob) : error_(KM_ERROR_OK) {
	const uint8_t* key_material = key_blob.key_material;
	Deserialize(&key_material, key_blob.key_material + key_blob.key_material_size);
	}

	size_t KeyBlob::SerializedSize() const {
	return 1 /* version byte / + sizeof(uint32_t) / nonce length */ + NONCE_LENGTH +
	sizeof(uint32_t) + key_material_length() + sizeof(uint32_t) /* tag length */ +
	TAG_LENGTH + enforced_.SerializedSize() + unenforced_.SerializedSize();
	}

	const uint8_t BLOB_VERSION = 0;

	uint8_t* KeyBlob::Serialize(uint8_t* buf, const uint8_t* end) const {
	const uint8_t* start __attribute__((__unused__)) = buf;
	*buf++ = BLOB_VERSION;
	buf = append_size_and_data_to_buf(buf, end, nonce(), NONCE_LENGTH);
	buf = append_size_and_data_to_buf(buf, end, encrypted_key_material(), key_material_length());
	buf = append_size_and_data_to_buf(buf, end, tag(), TAG_LENGTH);
	buf = enforced_.Serialize(buf, end);
	buf = unenforced_.Serialize(buf, end);
	assert(buf - start == static_cast<ptrdiff_t>(SerializedSize()));
	return buf;
	}

	bool KeyBlob::Deserialize(const uint8_t** buf_ptr, const uint8_t* end) {
	const uint8_t* start = *buf_ptr;
	uint8_t version = (buf_ptr)++;
	size_t nonce_length;
	size_t tag_length;
	if (version != BLOB_VERSION \|\|
	!copy_size_and_data_from_buf(buf_ptr, end, &nonce_length, &nonce_) \|\|
	nonce_length != NONCE_LENGTH \|\|
	!copy_size_and_data_from_buf(buf_ptr, end, &key_material_length_,
	&encrypted_key_material_) \|\|
	!copy_size_and_data_from_buf(buf_ptr, end, &tag_length, &tag_) \|\|
	tag_length != TAG_LENGTH \|\| !enforced_.Deserialize(buf_ptr, end) \|\|
	!unenforced_.Deserialize(buf_ptr, end)) {
	*buf_ptr = start;
	// This blob failed to parse. Either it's corrupted or it's a blob generated by an earlier
	// version of keymaster using a previous blob format which did not include the version byte
	// or the nonce or tag length fields. So we try to parse it as that previous version.
	//
	// Note that it's not really a problem if we erronously parse a corrupted blob, because
	// decryption will fail the authentication check.
	//
	// A bigger potential problem is: What if a valid unversioned blob appears to parse
	// correctly as a versioned blob? It would then be rejected during decryption, causing a
	// valid key to become unusable. If this is a disk encryption key, upgrading to a keymaster
	// version with the new format would destroy the user's data.
	//
	// What is the probability that an unversioned key could be successfully parsed as a version
	// 0 key? The first 12 bytes of an unversioned key are the nonce, which, in the only
	// keymaster version released with unversioned keys, is chosen randomly. In order for an
	// unversioned key to parse as a version 0 key, the following must be true about the first
	// five of those random bytes:
	//
	// 1. The first byte must be zero. This will happen with probability 1/2^8.
	//
	// 2. The second through fifth bytes must contain an unsigned integer value equal to
	// NONCE_LENGTH. This will happen with probability 1/2^32.
	//
	// Based on those two checks alone, the probability of interpreting an unversioned blob as a
	// version 0 blob is 1/2^40. That's small enough to be negligible, but there are additional
	// checks which lower it further.
	LOG_I("Failed to deserialize versioned key blob. Assuming unversioned.");
	*buf_ptr = start;
	if (!DeserializeUnversionedBlob(buf_ptr, end))
	return false;
	}
	return ExtractKeyCharacteristics();
	}

	bool KeyBlob::DeserializeUnversionedBlob(const uint8_t** buf_ptr, const uint8_t* end) {
	nonce_.reset(new uint8_t[NONCE_LENGTH]);
	tag_.reset(new uint8_t[TAG_LENGTH]);
	if (!nonce_.get() \|\| !tag_.get()) {
	error_ = KM_ERROR_MEMORY_ALLOCATION_FAILED;
	return false;
	}

	if (!copy_from_buf(buf_ptr, end, nonce_.get(), NONCE_LENGTH) \|\|
	!copy_size_and_data_from_buf(buf_ptr, end, &key_material_length_,
	&encrypted_key_material_) \|\|
	!copy_from_buf(buf_ptr, end, tag_.get(), TAG_LENGTH) \|\|
	!enforced_.Deserialize(buf_ptr, end) \|\| !unenforced_.Deserialize(buf_ptr, end)) {
	encrypted_key_material_.reset();
	LOG_E("Failed to deserialize unversioned blob", 0);
	error_ = KM_ERROR_INVALID_KEY_BLOB;
	return false;
	}
	return ExtractKeyCharacteristics();
	}

	KeyBlob::KeyBlob(const AuthorizationSet& enforced, const AuthorizationSet& unenforced)
	: error_(KM_ERROR_OK), enforced_(enforced), unenforced_(unenforced) {
	}

	void KeyBlob::SetEncryptedKey(uint8_t* encrypted_key_material, size_t encrypted_key_material_length,
	uint8_t* nonce, uint8_t* tag) {
	ClearKeyData();
	encrypted_key_material_.reset(encrypted_key_material);
	key_material_length_ = encrypted_key_material_length;
	nonce_.reset(nonce);
	tag_.reset(tag);
	}

	bool KeyBlob::ExtractKeyCharacteristics() {
	if (!enforced_.GetTagValue(TAG_ALGORITHM, &algorithm_) &&
	!unenforced_.GetTagValue(TAG_ALGORITHM, &algorithm_)) {
	error_ = KM_ERROR_UNSUPPORTED_ALGORITHM;
	return false;
	}
	if (!enforced_.GetTagValue(TAG_KEY_SIZE, &key_size_bits_) &&
	!unenforced_.GetTagValue(TAG_KEY_SIZE, &key_size_bits_)) {
	error_ = KM_ERROR_UNSUPPORTED_KEY_SIZE;
	return false;
	}
	return true;
	}

	keymaster_key_origin_t KeyBlob::origin() const {
	keymaster_key_origin_t origin;
	if (!enforced_.GetTagValue(TAG_ORIGIN, &origin) &&
	!unenforced_.GetTagValue(TAG_ORIGIN, &origin))
	// This should be impossible.
	assert(false);
	return origin;
	}

	bool KeyBlob::is_hardware() const {
	keymaster_key_origin_t origin;
	return enforced_.GetTagValue(TAG_ORIGIN, &origin);
	}

	} // namespace keymaster