libcrypto_utils/android_pubkey.cpp - third_party/android.googlesource.com/platform/system/core - Git at Google

 /*
  * Copyright (C) 2016 The Android Open Source Project
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *      http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */

 #include <crypto_utils/android_pubkey.h>

 #include <assert.h>
 #include <stdlib.h>
 #include <string.h>

 #include <openssl/bn.h>

 // Better safe than sorry.
 #if (ANDROID_PUBKEY_MODULUS_SIZE % 4) != 0
 #error RSA modulus size must be multiple of the word size!
 #endif

 // Size of the RSA modulus in words.
 #define ANDROID_PUBKEY_MODULUS_SIZE_WORDS (ANDROID_PUBKEY_MODULUS_SIZE / 4)

 // This file implements encoding and decoding logic for Android's custom RSA
 // public key binary format. Public keys are stored as a sequence of
 // little-endian 32 bit words. Note that Android only supports little-endian
 // processors, so we don't do any byte order conversions when parsing the binary
 // struct.
 struct RSAPublicKey {
   // Modulus length. This must be ANDROID_PUBKEY_MODULUS_SIZE.
   uint32_t modulus_size_words;

   // Precomputed montgomery parameter: -1 / n[0] mod 2^32
   uint32_t n0inv;

   // RSA modulus as a little-endian array.
   uint8_t modulus[ANDROID_PUBKEY_MODULUS_SIZE];

   // Montgomery parameter R^2 as a little-endian array.
   uint8_t rr[ANDROID_PUBKEY_MODULUS_SIZE];

   // RSA modulus: 3 or 65537
   uint32_t exponent;
 };

 bool android_pubkey_decode(const uint8_t* key_buffer, size_t size, RSA** key) {
   const RSAPublicKey* key_struct = (RSAPublicKey*)key_buffer;
   bool ret = false;
   RSA* new_key = RSA_new();
   BIGNUM* n = NULL;
   BIGNUM* e = NULL;
   if (!new_key) {
     goto cleanup;
   }

   // Check |size| is large enough and the modulus size is correct.
   if (size < sizeof(RSAPublicKey)) {
     goto cleanup;
   }
   if (key_struct->modulus_size_words != ANDROID_PUBKEY_MODULUS_SIZE_WORDS) {
     goto cleanup;
   }

   // Convert the modulus to big-endian byte order as expected by BN_bin2bn.
   n = BN_le2bn(key_struct->modulus, ANDROID_PUBKEY_MODULUS_SIZE, NULL);
   if (!n) {
     goto cleanup;
   }

   // Read the exponent.
   e = BN_new();
   if (!e || !BN_set_word(e, key_struct->exponent)) {
     goto cleanup;
   }

   if (!RSA_set0_key(new_key, n, e, NULL)) {
     goto cleanup;
   }
   // RSA_set0_key takes ownership of its inputs on success.
   n = NULL;
   e = NULL;

   // Note that we don't extract the montgomery parameters n0inv and rr from
   // the RSAPublicKey structure. They assume a word size of 32 bits, but
   // BoringSSL may use a word size of 64 bits internally, so we're lacking the
   // top 32 bits of n0inv in general. For now, we just ignore the parameters
   // and have BoringSSL recompute them internally. More sophisticated logic can
   // be added here if/when we want the additional speedup from using the
   // pre-computed montgomery parameters.

   *key = new_key;
   new_key = NULL;
   ret = true;

 cleanup:
   RSA_free(new_key);
   BN_free(n);
   BN_free(e);
   return ret;
 }

 bool android_pubkey_encode(const RSA* key, uint8_t* key_buffer, size_t size) {
   RSAPublicKey* key_struct = (RSAPublicKey*)key_buffer;
   bool ret = false;
   BN_CTX* ctx = BN_CTX_new();
   BIGNUM* r32 = BN_new();
   BIGNUM* n0inv = BN_new();
   BIGNUM* rr = BN_new();

   if (sizeof(RSAPublicKey) > size || RSA_size(key) != ANDROID_PUBKEY_MODULUS_SIZE) {
     goto cleanup;
   }

   // Store the modulus size.
   key_struct->modulus_size_words = ANDROID_PUBKEY_MODULUS_SIZE_WORDS;

   // Compute and store n0inv = -1 / N[0] mod 2^32.
   if (!ctx || !r32 || !n0inv || !BN_set_bit(r32, 32) || !BN_mod(n0inv, RSA_get0_n(key), r32, ctx) ||
       !BN_mod_inverse(n0inv, n0inv, r32, ctx) || !BN_sub(n0inv, r32, n0inv)) {
     goto cleanup;
   }
   key_struct->n0inv = (uint32_t)BN_get_word(n0inv);

   // Store the modulus.
   if (!BN_bn2le_padded(key_struct->modulus, ANDROID_PUBKEY_MODULUS_SIZE, RSA_get0_n(key))) {
     goto cleanup;
   }

   // Compute and store rr = (2^(rsa_size)) ^ 2 mod N.
   if (!ctx || !rr || !BN_set_bit(rr, ANDROID_PUBKEY_MODULUS_SIZE * 8) ||
       !BN_mod_sqr(rr, rr, RSA_get0_n(key), ctx) ||
       !BN_bn2le_padded(key_struct->rr, ANDROID_PUBKEY_MODULUS_SIZE, rr)) {
     goto cleanup;
   }

   // Store the exponent.
   key_struct->exponent = (uint32_t)BN_get_word(RSA_get0_e(key));

   ret = true;

 cleanup:
   BN_free(rr);
   BN_free(n0inv);
   BN_free(r32);
   BN_CTX_free(ctx);
   return ret;
 }
	/*
	* Copyright (C) 2016 The Android Open Source Project
	*
	* Licensed under the Apache License, Version 2.0 (the "License");
	* you may not use this file except in compliance with the License.
	* You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/

	#include <crypto_utils/android_pubkey.h>

	#include <assert.h>
	#include <stdlib.h>
	#include <string.h>

	#include <openssl/bn.h>

	// Better safe than sorry.
	#if (ANDROID_PUBKEY_MODULUS_SIZE % 4) != 0
	#error RSA modulus size must be multiple of the word size!
	#endif

	// Size of the RSA modulus in words.
	#define ANDROID_PUBKEY_MODULUS_SIZE_WORDS (ANDROID_PUBKEY_MODULUS_SIZE / 4)

	// This file implements encoding and decoding logic for Android's custom RSA
	// public key binary format. Public keys are stored as a sequence of
	// little-endian 32 bit words. Note that Android only supports little-endian
	// processors, so we don't do any byte order conversions when parsing the binary
	// struct.
	struct RSAPublicKey {
	// Modulus length. This must be ANDROID_PUBKEY_MODULUS_SIZE.
	uint32_t modulus_size_words;

	// Precomputed montgomery parameter: -1 / n[0] mod 2^32
	uint32_t n0inv;

	// RSA modulus as a little-endian array.
	uint8_t modulus[ANDROID_PUBKEY_MODULUS_SIZE];

	// Montgomery parameter R^2 as a little-endian array.
	uint8_t rr[ANDROID_PUBKEY_MODULUS_SIZE];

	// RSA modulus: 3 or 65537
	uint32_t exponent;
	};

	bool android_pubkey_decode(const uint8_t* key_buffer, size_t size, RSA** key) {
	const RSAPublicKey* key_struct = (RSAPublicKey*)key_buffer;
	bool ret = false;
	RSA* new_key = RSA_new();
	BIGNUM* n = NULL;
	BIGNUM* e = NULL;
	if (!new_key) {
	goto cleanup;
	}

	// Check \|size\| is large enough and the modulus size is correct.
	if (size < sizeof(RSAPublicKey)) {
	goto cleanup;
	}
	if (key_struct->modulus_size_words != ANDROID_PUBKEY_MODULUS_SIZE_WORDS) {
	goto cleanup;
	}

	// Convert the modulus to big-endian byte order as expected by BN_bin2bn.
	n = BN_le2bn(key_struct->modulus, ANDROID_PUBKEY_MODULUS_SIZE, NULL);
	if (!n) {
	goto cleanup;
	}

	// Read the exponent.
	e = BN_new();
	if (!e \|\| !BN_set_word(e, key_struct->exponent)) {
	goto cleanup;
	}

	if (!RSA_set0_key(new_key, n, e, NULL)) {
	goto cleanup;
	}
	// RSA_set0_key takes ownership of its inputs on success.
	n = NULL;
	e = NULL;

	// Note that we don't extract the montgomery parameters n0inv and rr from
	// the RSAPublicKey structure. They assume a word size of 32 bits, but
	// BoringSSL may use a word size of 64 bits internally, so we're lacking the
	// top 32 bits of n0inv in general. For now, we just ignore the parameters
	// and have BoringSSL recompute them internally. More sophisticated logic can
	// be added here if/when we want the additional speedup from using the
	// pre-computed montgomery parameters.

	*key = new_key;
	new_key = NULL;
	ret = true;

	cleanup:
	RSA_free(new_key);
	BN_free(n);
	BN_free(e);
	return ret;
	}

	bool android_pubkey_encode(const RSA* key, uint8_t* key_buffer, size_t size) {
	RSAPublicKey* key_struct = (RSAPublicKey*)key_buffer;
	bool ret = false;
	BN_CTX* ctx = BN_CTX_new();
	BIGNUM* r32 = BN_new();
	BIGNUM* n0inv = BN_new();
	BIGNUM* rr = BN_new();

	if (sizeof(RSAPublicKey) > size \|\| RSA_size(key) != ANDROID_PUBKEY_MODULUS_SIZE) {
	goto cleanup;
	}

	// Store the modulus size.
	key_struct->modulus_size_words = ANDROID_PUBKEY_MODULUS_SIZE_WORDS;

	// Compute and store n0inv = -1 / N[0] mod 2^32.
	if (!ctx \|\| !r32 \|\| !n0inv \|\| !BN_set_bit(r32, 32) \|\| !BN_mod(n0inv, RSA_get0_n(key), r32, ctx) \|\|
	!BN_mod_inverse(n0inv, n0inv, r32, ctx) \|\| !BN_sub(n0inv, r32, n0inv)) {
	goto cleanup;
	}
	key_struct->n0inv = (uint32_t)BN_get_word(n0inv);

	// Store the modulus.
	if (!BN_bn2le_padded(key_struct->modulus, ANDROID_PUBKEY_MODULUS_SIZE, RSA_get0_n(key))) {
	goto cleanup;
	}

	// Compute and store rr = (2^(rsa_size)) ^ 2 mod N.
	if (!ctx \|\| !rr \|\| !BN_set_bit(rr, ANDROID_PUBKEY_MODULUS_SIZE * 8) \|\|
	!BN_mod_sqr(rr, rr, RSA_get0_n(key), ctx) \|\|
	!BN_bn2le_padded(key_struct->rr, ANDROID_PUBKEY_MODULUS_SIZE, rr)) {
	goto cleanup;
	}

	// Store the exponent.
	key_struct->exponent = (uint32_t)BN_get_word(RSA_get0_e(key));

	ret = true;

	cleanup:
	BN_free(rr);
	BN_free(n0inv);
	BN_free(r32);
	BN_CTX_free(ctx);
	return ret;
	}