| blob | fb0365c6a8d53f9500631b2be276b0acbde6dda0 |
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
7 #include <jni.h>
8 #include <openssl/bn.h>
9 #include <openssl/ec.h>
10 #include <openssl/engine.h>
11 #include <openssl/err.h>
12 #include <openssl/evp.h>
13 #include <openssl/rsa.h>
14 #include <stdint.h>
27 // IMPORTANT NOTE: The following code will currently only work when used
28 // to implement client certificate support with OpenSSL. That's because
29 // only the signing operations used in this use case are implemented here.
30 //
31 // Generally speaking, OpenSSL provides many different ways to sign
32 // digests. This code doesn't support all these cases, only the ones that
33 // are required to sign the digest during the OpenSSL handshake for TLS.
34 //
35 // The OpenSSL EVP_PKEY type is a generic wrapper around key pairs.
36 // Internally, it can hold a pointer to a RSA or ECDSA structure, which model
37 // keypair implementations of each respective crypto algorithm.
38 //
39 // The RSA type has a 'method' field pointer to a vtable-like structure
40 // called a RSA_METHOD. This contains several function pointers that
41 // correspond to operations on RSA keys (e.g. decode/encode with public
42 // key, decode/encode with private key, signing, validation), as well as
43 // a few flags.
44 //
45 // For example, the RSA_sign() function will call "method->rsa_sign()" if
46 // method->rsa_sign is not NULL, otherwise, it will perform a regular
47 // signing operation using the other fields in the RSA structure (which
48 // are used to hold the typical modulus / exponent / parameters for the
49 // key pair).
50 //
51 // This source file thus defines a custom RSA_METHOD structure whose
52 // fields point to static methods used to implement the corresponding
53 // RSA operation using platform Android APIs.
54 //
55 // However, the platform APIs require a jobject JNI reference to work. It must
56 // be stored in the RSA instance, or made accessible when the custom RSA
57 // methods are called. This is done by storing it in a |KeyExData| structure
58 // that's referenced by the key using |EX_DATA|.
71 // KeyExData contains the data that is contained in the EX_DATA of the RSA and
72 // EC_KEY objects that are created to wrap Android system keys.
74 // private_key contains a reference to a Java, private-key object.
75 jobject private_key;
76 // legacy_rsa, if not NULL, points to an RSA* in the system's OpenSSL (which
77 // might not be ABI compatible with Chromium).
79 // cached_size contains the "size" of the key. This is the size of the
80 // modulus (in bytes) for RSA, or the group order size for ECDSA. This
81 // avoids calling into Java to calculate the size.
83 };
85 // ExDataDup is called when one of the RSA or EC_KEY objects is duplicated. We
86 // don't support this and it should never happen.
95 }
97 // ExDataFree is called when one of the RSA or EC_KEY objects is freed.
104 // Ensure the global JNI reference created with this wrapper is
105 // properly destroyed with it.
110 }
111 }
113 // BoringSSLEngine is a BoringSSL ENGINE that implements RSA and ECDSA by
114 // forwarding the requested operations to the Java libraries.
121 ExDataDup,
122 ExDataFree)),
126 ExDataDup,
127 ExDataFree)),
133 }
144 };
147 LAZY_INSTANCE_INITIALIZER;
150 // VectorBignumSize returns the number of bytes needed to represent the bignum
151 // given in |v|, i.e. the length of |v| less any leading zero bytes.
154 // Ignore any leading zero bytes.
156 size--;
157 }
159 }
164 }
169 }
181 }
192 // TODO(davidben): If we need to, we can implement RSA_NO_PADDING
193 // by using javax.crypto.Cipher and picking either the
194 // "RSA/ECB/NoPadding" or "RSA/ECB/PKCS1Padding" transformation as
195 // appropriate. I believe support for both of these was added in
196 // the same Android version as the "NONEwithRSA"
197 // java.security.Signature algorithm, so the same version checks
198 // for GetRsaLegacyKey should work.
201 }
203 // Retrieve private key JNI reference.
209 }
211 // Pre-4.2 legacy codepath.
217 // System OpenSSL will use a separate error queue, so it is still
218 // necessary to push a new error.
219 //
220 // TODO(davidben): It would be good to also clear the system error queue
221 // if there were some way to convince Java to do it. (Without going
222 // through Java, it's difficult to get a handle on a system OpenSSL
223 // function; dlopen loads a second copy.)
226 }
229 }
233 // For RSA keys, this function behaves as RSA_private_encrypt with
234 // PKCS#1 padding.
239 }
247 }
252 }
254 // Copy result to OpenSSL-provided buffer. RawSignDigestWithPrivateKey
255 // should pad with leading 0s, but if it doesn't, pad the result.
262 }
274 }
286 }
289 {
297 RsaMethodSize,
300 RsaMethodEncrypt,
301 RsaMethodSignRaw,
302 RsaMethodDecrypt,
303 RsaMethodVerifyRaw,
307 RSA_FLAG_OPAQUE,
311 };
313 // Setup an EVP_PKEY to wrap an existing platform RSA PrivateKey object.
314 // |private_key| is the JNI reference (local or global) to the object.
315 // |legacy_rsa|, if non-NULL, is a pointer to the system OpenSSL RSA object
316 // backing |private_key|. This parameter is only used for Android < 4.2 to
317 // implement key operations not exposed by the platform.
318 // Returns a new EVP_PKEY on success, NULL otherwise.
319 // On success, this creates a new global JNI reference to the object
320 // that is owned by and destroyed with the EVP_PKEY. I.e. caller can
321 // free |private_key| after the call.
323 jobject private_key,
334 }
340 }
353 }
355 }
357 // On Android < 4.2, the libkeystore.so ENGINE uses CRYPTO_EX_DATA and is not
358 // added to the global engine list. If all references to it are dropped, OpenSSL
359 // will dlclose the module, leaving a dangling function pointer in the RSA
360 // CRYPTO_EX_DATA class. To work around this, leak an extra reference to the
361 // ENGINE we extract in GetRsaLegacyKey.
362 //
363 // In 4.2, this change avoids the problem:
364 // https://android.googlesource.com/platform/libcore/+/106a8928fb4249f2f3d4dba1dddbe73ca5cb3d61
365 //
366 // https://crbug.com/381465
379 }
381 }
385 };
389 LAZY_INSTANCE_INITIALIZER;
391 }
393 // Creates an EVP_PKEY wrapper corresponding to the RSA key
394 // |private_key|. Returns nullptr on failure.
400 kAndroid42ApiLevel) {
402 }
404 // Route around platform limitation: if Android < 4.2, then
405 // base::android::RawSignDigestWithPrivateKey() cannot work, so try to get the
406 // system OpenSSL's EVP_PKEY backing this PrivateKey object.
415 }
419 // |private_key| may not have an engine if the PrivateKey did not come
420 // from the key store, such as in unit tests.
425 }
426 }
429 }
431 // Custom ECDSA_METHOD that uses the platform APIs.
432 // Note that for now, only signing through ECDSA_sign() is really supported.
433 // all other method pointers are either stubs returning errors, or no-ops.
439 }
445 }
452 // Retrieve private key JNI reference.
457 }
458 // Sign message with it through JNI.
461 digest_len);
465 }
467 // Note: With ECDSA, the actual signature may be smaller than
468 // ECDSA_size().
475 }
480 }
490 }
492 // Setup an EVP_PKEY to wrap an existing platform PrivateKey object.
493 // |private_key| is the JNI reference (local or global) to the object.
494 // Returns a new EVP_PKEY on success, NULL otherwise.
495 // On success, this creates a global JNI reference to the object that
496 // is owned by and destroyed with the EVP_PKEY. I.e. the caller shall
497 // always free |private_key| after the call.
508 }
514 }
528 }
530 }
533 {
541 EcdsaMethodGroupOrderSize,
542 EcdsaMethodSign,
543 EcdsaMethodVerify,
544 ECDSA_FLAG_OPAQUE,
545 };
550 // Create sub key type, depending on private key's algorithm type.
561 }
562 }