| blob | 1ca9bc1b3b19248df0e33a8a0d3d833e0e4bb0fd |
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
7 #include <jni.h>
8 #include <openssl/bn.h>
9 #include <openssl/dsa.h>
10 #include <openssl/ec.h>
11 #include <openssl/engine.h>
12 #include <openssl/err.h>
13 #include <openssl/evp.h>
14 #include <openssl/rsa.h>
27 // IMPORTANT NOTE: The following code will currently only work when used
28 // to implement client certificate support with OpenSSL. That's because
29 // only the signing operations used in this use case are implemented here.
30 //
31 // Generally speaking, OpenSSL provides many different ways to sign
32 // digests. This code doesn't support all these cases, only the ones that
33 // are required to sign the digest during the OpenSSL handshake for TLS.
34 //
35 // The OpenSSL EVP_PKEY type is a generic wrapper around key pairs.
36 // Internally, it can hold a pointer to a RSA, DSA or ECDSA structure,
37 // which model keypair implementations of each respective crypto
38 // algorithm.
39 //
40 // The RSA type has a 'method' field pointer to a vtable-like structure
41 // called a RSA_METHOD. This contains several function pointers that
42 // correspond to operations on RSA keys (e.g. decode/encode with public
43 // key, decode/encode with private key, signing, validation), as well as
44 // a few flags.
45 //
46 // For example, the RSA_sign() function will call "method->rsa_sign()" if
47 // method->rsa_sign is not NULL, otherwise, it will perform a regular
48 // signing operation using the other fields in the RSA structure (which
49 // are used to hold the typical modulus / exponent / parameters for the
50 // key pair).
51 //
52 // This source file thus defines a custom RSA_METHOD structure whose
53 // fields point to static methods used to implement the corresponding
54 // RSA operation using platform Android APIs.
55 //
56 // However, the platform APIs require a jobject JNI reference to work. It must
57 // be stored in the RSA instance, or made accessible when the custom RSA
58 // methods are called. This is done by storing it in a |KeyExData| structure
59 // that's referenced by the key using |EX_DATA|.
72 // KeyExData contains the data that is contained in the EX_DATA of the RSA, DSA
73 // and ECDSA objects that are created to wrap Android system keys.
75 // private_key contains a reference to a Java, private-key object.
76 jobject private_key;
77 // legacy_rsa, if not NULL, points to an RSA* in the system's OpenSSL (which
78 // might not be ABI compatible with Chromium).
80 // cached_size contains the "size" of the key. This is the size of the
81 // modulus (in bytes) for RSA, or the group order size for (EC)DSA. This
82 // avoids calling into Java to calculate the size.
84 };
86 // ExDataDup is called when one of the RSA, DSA or EC_KEY objects is
87 // duplicated. We don't support this and it should never happen.
96 }
98 // ExDataFree is called when one of the RSA, DSA or EC_KEY object is freed.
105 // Ensure the global JNI reference created with this wrapper is
106 // properly destroyed with it.
111 }
112 }
114 // BoringSSLEngine is a BoringSSL ENGINE that implements RSA, DSA and ECDSA by
115 // forwarding the requested operations to the Java libraries.
122 ExDataDup,
123 ExDataFree)),
127 ExDataDup,
128 ExDataFree)),
134 }
145 };
148 LAZY_INSTANCE_INITIALIZER;
151 // VectorBignumSize returns the number of bytes needed to represent the bignum
152 // given in |v|, i.e. the length of |v| less any leading zero bytes.
155 // Ignore any leading zero bytes.
157 size--;
158 }
160 }
165 }
170 }
182 }
193 // TODO(davidben): If we need to, we can implement RSA_NO_PADDING
194 // by using javax.crypto.Cipher and picking either the
195 // "RSA/ECB/NoPadding" or "RSA/ECB/PKCS1Padding" transformation as
196 // appropriate. I believe support for both of these was added in
197 // the same Android version as the "NONEwithRSA"
198 // java.security.Signature algorithm, so the same version checks
199 // for GetRsaLegacyKey should work.
202 }
204 // Retrieve private key JNI reference.
210 }
212 // Pre-4.2 legacy codepath.
218 // System OpenSSL will use a separate error queue, so it is still
219 // necessary to push a new error.
220 //
221 // TODO(davidben): It would be good to also clear the system error queue
222 // if there were some way to convince Java to do it. (Without going
223 // through Java, it's difficult to get a handle on a system OpenSSL
224 // function; dlopen loads a second copy.)
227 }
230 }
234 // For RSA keys, this function behaves as RSA_private_encrypt with
235 // PKCS#1 padding.
240 }
248 }
253 }
255 // Copy result to OpenSSL-provided buffer. RawSignDigestWithPrivateKey
256 // should pad with leading 0s, but if it doesn't, pad the result.
263 }
275 }
287 }
290 {
298 RsaMethodSize,
301 RsaMethodEncrypt,
302 RsaMethodSignRaw,
303 RsaMethodDecrypt,
304 RsaMethodVerifyRaw,
308 RSA_FLAG_OPAQUE,
310 };
312 // Setup an EVP_PKEY to wrap an existing platform RSA PrivateKey object.
313 // |private_key| is the JNI reference (local or global) to the object.
314 // |legacy_rsa|, if non-NULL, is a pointer to the system OpenSSL RSA object
315 // backing |private_key|. This parameter is only used for Android < 4.2 to
316 // implement key operations not exposed by the platform.
317 // Returns a new EVP_PKEY on success, NULL otherwise.
318 // On success, this creates a new global JNI reference to the object
319 // that is owned by and destroyed with the EVP_PKEY. I.e. caller can
320 // free |private_key| after the call.
331 }
337 }
350 }
352 }
354 // On Android < 4.2, the libkeystore.so ENGINE uses CRYPTO_EX_DATA and is not
355 // added to the global engine list. If all references to it are dropped, OpenSSL
356 // will dlclose the module, leaving a dangling function pointer in the RSA
357 // CRYPTO_EX_DATA class. To work around this, leak an extra reference to the
358 // ENGINE we extract in GetRsaLegacyKey.
359 //
360 // In 4.2, this change avoids the problem:
361 // https://android.googlesource.com/platform/libcore/+/106a8928fb4249f2f3d4dba1dddbe73ca5cb3d61
362 //
363 // https://crbug.com/381465
376 }
378 }
382 };
386 LAZY_INSTANCE_INITIALIZER;
388 }
390 // Setup an EVP_PKEY to wrap an existing platform RSA PrivateKey object
391 // for Android 4.0 to 4.1.x. Must only be used on Android < 4.2.
392 // |private_key| is a JNI reference (local or global) to the object.
393 // |pkey| is the EVP_PKEY to setup as a wrapper.
394 // Returns true on success, false otherwise.
402 }
406 // |private_key| may not have an engine if the PrivateKey did not come
407 // from the key store, such as in unit tests.
412 }
413 }
416 }
418 // GetOpenSSLSystemHandleForPrivateKey() will fail on Android 4.0.3 and
419 // earlier. However, it is possible to get the key content with
420 // PrivateKey.getEncoded() on these platforms. Note that this method may
421 // return NULL on 4.0.4 and later.
426 }
434 }
436 }
438 // Custom ECDSA_METHOD that uses the platform APIs.
439 // Note that for now, only signing through ECDSA_sign() is really supported.
440 // all other method pointers are either stubs returning errors, or no-ops.
446 }
452 }
459 // Retrieve private key JNI reference.
464 }
465 // Sign message with it through JNI.
468 digest_len);
472 }
474 // Note: With ECDSA, the actual signature may be smaller than
475 // ECDSA_size().
482 }
487 }
497 }
499 // Setup an EVP_PKEY to wrap an existing platform PrivateKey object.
500 // |private_key| is the JNI reference (local or global) to the object.
501 // Returns a new EVP_PKEY on success, NULL otherwise.
502 // On success, this creates a global JNI reference to the object that
503 // is owned by and destroyed with the EVP_PKEY. I.e. the caller shall
504 // always free |private_key| after the call.
514 }
520 }
534 }
536 }
539 {
547 EcdsaMethodGroupOrderSize,
548 EcdsaMethodSign,
549 EcdsaMethodVerify,
550 ECDSA_FLAG_OPAQUE,
551 };
558 // Create sub key type, depending on private key's algorithm type.
562 // Route around platform bug: if Android < 4.2, then
563 // base::android::RawSignDigestWithPrivateKey() cannot work, so
564 // instead, obtain a raw EVP_PKEY* to the system object
565 // backing this PrivateKey object.
567 kAndroid42ApiLevel) {
570 // Running on Android 4.2.
572 }
579 }
580 }