| blob | afdca30de0d772d51261d9dfa7dbda242374e0bf |
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
7 #include <jni.h>
8 #include <openssl/bn.h>
9 // This include is required to get the ECDSA_METHOD structure definition
10 // which isn't currently part of the OpenSSL official ABI. This should
11 // not be a concern for Chromium which always links against its own
12 // version of the library on Android.
13 #include <openssl/crypto/ecdsa/ecs_locl.h>
14 // And this one is needed for the EC_GROUP definition.
15 #include <openssl/crypto/ec/ec_lcl.h>
16 #include <openssl/dsa.h>
17 #include <openssl/ec.h>
18 #include <openssl/engine.h>
19 #include <openssl/evp.h>
20 #include <openssl/rsa.h>
32 // IMPORTANT NOTE: The following code will currently only work when used
33 // to implement client certificate support with OpenSSL. That's because
34 // only the signing operations used in this use case are implemented here.
35 //
36 // Generally speaking, OpenSSL provides many different ways to sign
37 // digests. This code doesn't support all these cases, only the ones that
38 // are required to sign the digest during the OpenSSL handshake for TLS.
39 //
40 // The OpenSSL EVP_PKEY type is a generic wrapper around key pairs.
41 // Internally, it can hold a pointer to a RSA, DSA or ECDSA structure,
42 // which model keypair implementations of each respective crypto
43 // algorithm.
44 //
45 // The RSA type has a 'method' field pointer to a vtable-like structure
46 // called a RSA_METHOD. This contains several function pointers that
47 // correspond to operations on RSA keys (e.g. decode/encode with public
48 // key, decode/encode with private key, signing, validation), as well as
49 // a few flags.
50 //
51 // For example, the RSA_sign() function will call "method->rsa_sign()" if
52 // method->rsa_sign is not NULL, otherwise, it will perform a regular
53 // signing operation using the other fields in the RSA structure (which
54 // are used to hold the typical modulus / exponent / parameters for the
55 // key pair).
56 //
57 // This source file thus defines a custom RSA_METHOD structure whose
58 // fields point to static methods used to implement the corresponding
59 // RSA operation using platform Android APIs.
60 //
61 // However, the platform APIs require a jobject JNI reference to work.
62 // It must be stored in the RSA instance, or made accessible when the
63 // custom RSA methods are called. This is done by using RSA_set_app_data()
64 // and RSA_get_app_data().
65 //
66 // One can thus _directly_ create a new EVP_PKEY that uses a custom RSA
67 // object with the following:
68 //
69 // RSA* rsa = RSA_new()
70 // RSA_set_method(&custom_rsa_method);
71 // RSA_set_app_data(rsa, jni_private_key);
72 //
73 // EVP_PKEY* pkey = EVP_PKEY_new();
74 // EVP_PKEY_assign_RSA(pkey, rsa);
75 //
76 // Note that because EVP_PKEY_assign_RSA() is used, instead of
77 // EVP_PKEY_set1_RSA(), the new EVP_PKEY now owns the RSA object, and
78 // will destroy it when it is itself destroyed.
79 //
80 // Unfortunately, such objects cannot be used with RSA_size(), which
81 // totally ignores the RSA_METHOD pointers. Instead, it is necessary
82 // to manually setup the modulus field (n) in the RSA object, with a
83 // value that matches the wrapped PrivateKey object. See GetRsaPkeyWrapper
84 // for full details.
85 //
86 // Similarly, custom DSA_METHOD and ECDSA_METHOD are defined by this source
87 // file, and appropriate field setups are performed to ensure that
88 // DSA_size() and ECDSA_size() work properly with the wrapper EVP_PKEY.
89 //
90 // Note that there is no need to define an OpenSSL ENGINE here. These
91 // are objects that can be used to expose custom methods (i.e. either
92 // RSA_METHOD, DSA_METHOD, ECDSA_METHOD, and a large number of other ones
93 // for types not related to this source file), and make them used by
94 // default for a lot of operations. Very fortunately, this is not needed
95 // here, which saves a lot of complexity.
110 // Custom RSA_METHOD that uses the platform APIs.
111 // Note that for now, only signing through RSA_sign() is really supported.
112 // all other method pointers are either stubs returning errors, or no-ops.
113 // See <openssl/rsa.h> for exact declaration of RSA_METHOD.
123 }
133 }
135 // See RSA_eay_private_encrypt in
136 // third_party/openssl/openssl/crypto/rsa/rsa_eay.c for the default
137 // implementation of this function.
145 // TODO(davidben): If we need to, we can implement RSA_NO_PADDING
146 // by using javax.crypto.Cipher and picking either the
147 // "RSA/ECB/NoPadding" or "RSA/ECB/PKCS1Padding" transformation as
148 // appropriate. I believe support for both of these was added in
149 // the same Android version as the "NONEwithRSA"
150 // java.security.Signature algorithm, so the same version checks
151 // for GetRsaLegacyKey should work.
154 }
156 // Retrieve private key JNI reference.
162 }
166 // For RSA keys, this function behaves as RSA_private_encrypt with
167 // PKCS#1 padding.
172 }
180 }
182 // Copy result to OpenSSL-provided buffer. RawSignDigestWithPrivateKey
183 // should pad with leading 0s, but if it doesn't, pad the result.
189 }
199 }
203 }
206 // Ensure the global JNI reference created with this wrapper is
207 // properly destroyed with it.
212 }
213 // Actual return value is ignored by OpenSSL. There are no docs
214 // explaining what this is supposed to be.
216 }
228 // This flag is necessary to tell OpenSSL to avoid checking the content
229 // (i.e. internal fields) of the private key. Otherwise, it will complain
230 // it's not valid for the certificate.
236 };
238 // Copy the contents of an encoded big integer into an existing BIGNUM.
239 // This function modifies |*num| in-place.
240 // |new_bytes| is the byte encoding of the new value.
241 // |num| points to the BIGNUM which will be assigned with the new value.
242 // Returns true on success, false otherwise. On failure, |*num| is
243 // not modified.
249 num);
251 }
253 // Decode the contents of an encoded big integer and either create a new
254 // BIGNUM object (if |*num_ptr| is NULL on input) or copy it (if
255 // |*num_ptr| is not NULL).
256 // |new_bytes| is the byte encoding of the new value.
257 // |num_ptr| is the address of a BIGNUM pointer. |*num_ptr| can be NULL.
258 // Returns true on success, false otherwise. On failure, |*num_ptr| is
259 // not modified. On success, |*num_ptr| will always be non-NULL and
260 // point to a valid BIGNUM object.
267 old_num);
274 }
276 // Setup an EVP_PKEY to wrap an existing platform RSA PrivateKey object.
277 // |private_key| is the JNI reference (local or global) to the object.
278 // |pkey| is the EVP_PKEY to setup as a wrapper.
279 // Returns true on success, false otherwise.
280 // On success, this creates a new global JNI reference to the object
281 // that is owned by and destroyed with the EVP_PKEY. I.e. caller can
282 // free |private_key| after the call.
283 // IMPORTANT: The EVP_PKEY will *only* work on Android >= 4.2. For older
284 // platforms, use GetRsaLegacyKey() instead.
289 // HACK: RSA_size() doesn't work with custom RSA_METHODs. To ensure that
290 // it will return the right value, set the 'n' field of the RSA object
291 // to match the private key's modulus.
296 }
300 }
307 }
311 }
313 // Setup an EVP_PKEY to wrap an existing platform RSA PrivateKey object
314 // for Android 4.0 to 4.1.x. Must only be used on Android < 4.2.
315 // |private_key| is a JNI reference (local or global) to the object.
316 // |pkey| is the EVP_PKEY to setup as a wrapper.
317 // Returns true on success, false otherwise.
324 // GetOpenSSLSystemHandleForPrivateKey() will fail on Android
325 // 4.0.3 and earlier. However, it is possible to get the key
326 // content with PrivateKey.getEncoded() on these platforms.
327 // Note that this method may return NULL on 4.0.4 and later.
332 }
340 }
341 }
343 }
345 // Custom DSA_METHOD that uses the platform APIs.
346 // Note that for now, only signing through DSA_sign() is really supported.
347 // all other method pointers are either stubs returning errors, or no-ops.
348 // See <openssl/dsa.h> for exact declaration of DSA_METHOD.
349 //
350 // Note: There is no DSA_set_app_data() and DSA_get_app_data() functions,
351 // but RSA_set_app_data() is defined as a simple macro that calls
352 // RSA_set_ex_data() with a hard-coded index of 0, so this code
353 // does the same thing here.
358 // Extract the JNI reference to the PrivateKey object.
363 // Sign the message with it, calling platform APIs.
366 private_key,
372 }
374 // Note: With DSA, the actual signature might be smaller than DSA_size().
381 }
383 // Convert the signature into a DSA_SIG object.
389 }
398 }
407 }
410 // Free the global JNI reference that was created with this
411 // wrapper key.
416 }
417 // Actual return value is ignored by OpenSSL. There are no docs
418 // explaining what this is supposed to be.
420 }
434 /* .dsa_keygen = */ NULL
435 };
437 // Setup an EVP_PKEY to wrap an existing DSA platform PrivateKey object.
438 // |private_key| is a JNI reference (local or global) to the object.
439 // |pkey| is the EVP_PKEY to setup as a wrapper.
440 // Returns true on success, false otherwise.
441 // On success, this creates a global JNI reference to the same object
442 // that will be owned by and destroyed with the EVP_PKEY.
447 // DSA_size() doesn't work with custom DSA_METHODs. To ensure it
448 // returns the right value, set the 'q' field in the DSA object to
449 // match the parameter from the platform key.
454 }
458 }
465 }
469 }
471 // Custom ECDSA_METHOD that uses the platform APIs.
472 // Note that for now, only signing through ECDSA_sign() is really supported.
473 // all other method pointers are either stubs returning errors, or no-ops.
474 //
475 // Note: The ECDSA_METHOD structure doesn't have init/finish
476 // methods. As such, the only way to to ensure the global
477 // JNI reference is properly released when the EVP_PKEY is
478 // destroyed is to use a custom EX_DATA type.
480 // Used to ensure that the global JNI reference associated with a custom
481 // EC_KEY + ECDSA_METHOD wrapper is released when its EX_DATA is destroyed
482 // (this function is called when EVP_PKEY_free() is called on the wrapper).
495 }
503 // This callback shall never be called with the current OpenSSL
504 // implementation (the library only ever duplicates EX_DATA items
505 // for SSL and BIO objects). But provide this to catch regressions
506 // in the future.
508 // Return value is currently ignored by OpenSSL.
510 }
522 }
526 };
528 // Returns the index of the custom EX_DATA used to store the JNI reference.
530 // Use a LazyInstance to perform thread-safe lazy initialization.
531 // Use a leaky one, since OpenSSL doesn't provide a way to release
532 // allocated EX_DATA indices.
534 LAZY_INSTANCE_INITIALIZER;
536 }
543 // Retrieve private key JNI reference.
549 }
550 // Sign message with it through JNI.
559 }
561 // Note: With ECDSA, the actual signature may be smaller than
562 // ECDSA_size().
569 }
571 // Convert signature to ECDSA_SIG object
576 }
585 }
594 }
603 };
605 // Setup an EVP_PKEY to wrap an existing platform PrivateKey object.
606 // |private_key| is the JNI reference (local or global) to the object.
607 // |pkey| is the EVP_PKEY to setup as a wrapper.
608 // Returns true on success, false otherwise.
609 // On success, this creates a global JNI reference to the object that
610 // is owned by and destroyed with the EVP_PKEY. I.e. the caller shall
611 // always free |private_key| after the call.
616 // To ensure that ECDSA_size() works properly, craft a custom EC_GROUP
617 // that has the same order than the private key.
622 }
627 }
631 }
639 }
646 }
651 // Create new empty EVP_PKEY instance.
656 // Create sub key type, depending on private key's algorithm type.
660 {
661 // Route around platform bug: if Android < 4.2, then
662 // base::android::RawSignDigestWithPrivateKey() cannot work, so
663 // instead, obtain a raw EVP_PKEY* to the system object
664 // backing this PrivateKey object.
667 kAndroid42ApiLevel) {
673 // Running on Android 4.2.
676 }
677 }
691 }
693 }