From c9b68db953e4ced11106411b721f750d04ac006b Mon Sep 17 00:00:00 2001 From: Shawn Willden Date: Thu, 28 Jan 2016 08:02:44 +0000 Subject: Revert "Add attestation support to Key classes." This reverts commit 4d0465999644336d636442a86795293298b22035. Change-Id: I53d386e0d95c25e794ef88801d80e80ccfeea768 --- asymmetric_key.cpp | 186 +------------------------------------------------ asymmetric_key.h | 6 -- attestation_record.cpp | 4 ++ key.h | 13 ---- openssl_utils.h | 57 ++++++++------- 5 files changed, 38 insertions(+), 228 deletions(-) diff --git a/asymmetric_key.cpp b/asymmetric_key.cpp index e0af5a5..2ead3c5 100644 --- a/asymmetric_key.cpp +++ b/asymmetric_key.cpp @@ -18,11 +18,8 @@ #include -#include -#include #include -#include "attestation_record.h" #include "openssl_err.h" #include "openssl_utils.h" @@ -37,7 +34,7 @@ keymaster_error_t AsymmetricKey::formatted_key_material(keymaster_key_format_t f if (material == NULL || size == NULL) return KM_ERROR_OUTPUT_PARAMETER_NULL; - EVP_PKEY_Ptr pkey(EVP_PKEY_new()); + UniquePtr pkey(EVP_PKEY_new()); if (!InternalToEvp(pkey.get())) return TranslateLastOpenSslError(); @@ -59,185 +56,4 @@ keymaster_error_t AsymmetricKey::formatted_key_material(keymaster_key_format_t f return KM_ERROR_OK; } -static keymaster_error_t build_attestation_extension(const AuthorizationSet& tee_enforced, - const AuthorizationSet& sw_enforced, - X509_EXTENSION_Ptr* extension) { - ASN1_OBJECT_Ptr oid( - OBJ_txt2obj(kAttestionRecordOid, 1 /* accept numerical dotted string form only */)); - if (!oid.get()) - return TranslateLastOpenSslError(); - - UniquePtr attest_bytes; - size_t attest_bytes_len; - keymaster_error_t error = - build_attestation_record(sw_enforced, tee_enforced, &attest_bytes, &attest_bytes_len); - if (error != KM_ERROR_OK) - return error; - - ASN1_OCTET_STRING_Ptr attest_str(ASN1_OCTET_STRING_new()); - if (!attest_str.get() || - !ASN1_OCTET_STRING_set(attest_str.get(), attest_bytes.get(), attest_bytes_len)) - return TranslateLastOpenSslError(); - - extension->reset( - X509_EXTENSION_create_by_OBJ(nullptr, oid.get(), 0 /* not critical */, attest_str.get())); - if (!extension->get()) - return TranslateLastOpenSslError(); - - return KM_ERROR_OK; -} - -static bool add_public_key(EVP_PKEY* key, X509* certificate, keymaster_error_t* error) { - if (!X509_set_pubkey(certificate, key)) { - *error = TranslateLastOpenSslError(); - return false; - } - return true; -} - -static bool add_attestation_extension(const AuthorizationSet& tee_enforced, - const AuthorizationSet& sw_enforced, X509* certificate, - keymaster_error_t* error) { - X509_EXTENSION_Ptr attest_extension; - *error = build_attestation_extension(tee_enforced, sw_enforced, &attest_extension); - if (*error != KM_ERROR_OK) - return false; - - if (!X509_add_ext(certificate, attest_extension.get() /* Don't release; copied */, - -1 /* insert at end */)) { - *error = TranslateLastOpenSslError(); - return false; - } - - return true; -} - -static keymaster_error_t get_certificate_blob(X509* certificate, keymaster_blob_t* blob) { - int len = i2d_X509(certificate, nullptr); - if (len < 0) - return TranslateLastOpenSslError(); - - uint8_t* data = new uint8_t[len]; - if (!data) - return KM_ERROR_MEMORY_ALLOCATION_FAILED; - - uint8_t* p = data; - i2d_X509(certificate, &p); - - blob->data_length = len; - blob->data = data; - - return KM_ERROR_OK; -} - -static bool allocate_cert_chain(size_t entry_count, keymaster_cert_chain_t* chain, - keymaster_error_t* error) { - if (chain->entries) { - for (size_t i = 0; i < chain->entry_count; ++i) - delete[] chain->entries[i].data; - delete[] chain->entries; - } - - chain->entry_count = entry_count; - chain->entries = new keymaster_blob_t[entry_count]; - if (!chain->entries) { - *error = KM_ERROR_MEMORY_ALLOCATION_FAILED; - return false; - } - return true; -} - -// Copies the intermediate and root certificates into chain, leaving the first slot for the leaf -// certificate. -static bool copy_attestation_chain(const KeymasterContext& context, - keymaster_algorithm_t sign_algorithm, - keymaster_cert_chain_t* chain, keymaster_error_t* error) { - - UniquePtr attest_key_chain( - context.AttestationChain(sign_algorithm, error)); - if (!attest_key_chain.get()) - return false; - - if (!allocate_cert_chain(attest_key_chain->entry_count + 1, chain, error)) - return false; - - chain->entries[0] = {}; // Leave empty for the leaf certificate. - for (size_t i = 0; i < attest_key_chain->entry_count; ++i) { - chain->entries[i + 1] = attest_key_chain->entries[i]; - attest_key_chain->entries[i].data = nullptr; - } - - return true; -} - -keymaster_error_t AsymmetricKey::GenerateAttestation(const KeymasterContext& context, - const AuthorizationSet& attest_params, - const AuthorizationSet& tee_enforced, - const AuthorizationSet& sw_enforced, - keymaster_cert_chain_t* cert_chain) const { - - keymaster_algorithm_t sign_algorithm; - if (!attest_params.GetTagValue(TAG_ALGORITHM, &sign_algorithm) || - (sign_algorithm != KM_ALGORITHM_RSA && sign_algorithm != KM_ALGORITHM_EC)) - return KM_ERROR_INCOMPATIBLE_ALGORITHM; - - EVP_PKEY_Ptr pkey(EVP_PKEY_new()); - if (!InternalToEvp(pkey.get())) - return TranslateLastOpenSslError(); - - X509_Ptr certificate(X509_new()); - if (!certificate.get()) - return TranslateLastOpenSslError(); - - if (!X509_set_version(certificate.get(), 2 /* version 3, but zero-based */)) - return TranslateLastOpenSslError(); - - ASN1_INTEGER_Ptr serialNumber(ASN1_INTEGER_new()); - if (!serialNumber.get() || - !ASN1_INTEGER_set( - serialNumber.get(), - 10000 /* TODO(swillden): Figure out what should go in serial number; probably a random - * value */) || - !X509_set_serialNumber(certificate.get(), serialNumber.get() /* Don't release; copied */)) - return TranslateLastOpenSslError(); - - // TODO(swillden): Find useful values (if possible) for issuerName and subjectName. - X509_NAME_Ptr issuerName(X509_NAME_new()); - if (!issuerName.get() || - !X509_set_subject_name(certificate.get(), issuerName.get() /* Don't release; copied */)) - return TranslateLastOpenSslError(); - - X509_NAME_Ptr subjectName(X509_NAME_new()); - if (!subjectName.get() || - !X509_set_subject_name(certificate.get(), subjectName.get() /* Don't release; copied */)) - return TranslateLastOpenSslError(); - - // TODO(swillden): Use key activity and expiration dates for notBefore and notAfter. - ASN1_TIME_Ptr notBefore(ASN1_TIME_new()); - if (!notBefore.get() || !ASN1_TIME_set(notBefore.get(), 0) || - !X509_set_notBefore(certificate.get(), notBefore.get() /* Don't release; copied */)) - return TranslateLastOpenSslError(); - - ASN1_TIME_Ptr notAfter(ASN1_TIME_new()); - if (!notAfter.get() || !ASN1_TIME_set(notAfter.get(), 10000) || - !X509_set_notAfter(certificate.get(), notAfter.get() /* Don't release; copied */)) - return TranslateLastOpenSslError(); - - keymaster_error_t error = KM_ERROR_OK; - EVP_PKEY_Ptr sign_key(context.AttestationKey(sign_algorithm, &error)); - - if (!sign_key.get() || // - !add_public_key(pkey.get(), certificate.get(), &error) || - !add_attestation_extension(tee_enforced, sw_enforced, certificate.get(), &error)) - return error; - - if (!X509_sign(certificate.get(), sign_key.get(), EVP_sha256())) - return TranslateLastOpenSslError(); - - if (!copy_attestation_chain(context, sign_algorithm, cert_chain, &error)) - return error; - - return get_certificate_blob(certificate.get(), &cert_chain->entries[0]); -} - } // namespace keymaster diff --git a/asymmetric_key.h b/asymmetric_key.h index 99ee585..1a3b09f 100644 --- a/asymmetric_key.h +++ b/asymmetric_key.h @@ -33,12 +33,6 @@ class AsymmetricKey : public Key { UniquePtr* material, size_t* size) const override; - keymaster_error_t GenerateAttestation(const KeymasterContext& context, - const AuthorizationSet& attest_params, - const AuthorizationSet& tee_enforced, - const AuthorizationSet& sw_enforced, - keymaster_cert_chain_t* certificate_chain) const override; - virtual bool InternalToEvp(EVP_PKEY* pkey) const = 0; virtual bool EvpToInternal(const EVP_PKEY* pkey) = 0; }; diff --git a/attestation_record.cpp b/attestation_record.cpp index 12da6ae..85bec2a 100644 --- a/attestation_record.cpp +++ b/attestation_record.cpp @@ -152,6 +152,10 @@ struct KM_KEY_DESCRIPTION_Delete { void operator()(KM_KEY_DESCRIPTION* p) { KM_KEY_DESCRIPTION_free(p); } }; +struct ASN1_INTEGER_Delete { + void operator()(ASN1_INTEGER* p) { ASN1_INTEGER_free(p); } +}; + static uint32_t get_uint32_value(const keymaster_key_param_t& param) { switch (keymaster_tag_get_type(param.tag)) { case KM_ENUM: diff --git a/key.h b/key.h index 9fb4063..959729e 100644 --- a/key.h +++ b/key.h @@ -20,10 +20,7 @@ #include #include - -#include #include -#include namespace keymaster { @@ -38,16 +35,6 @@ class Key { UniquePtr* material, size_t* size) const = 0; - /** - * Generate an attestation certificate chain. - */ - virtual keymaster_error_t GenerateAttestation( - const KeymasterContext& /* context */, const AuthorizationSet& /* attest_params */, - const AuthorizationSet& /* tee_enforced */, const AuthorizationSet& /* sw_enforced */, - keymaster_cert_chain_t* /* certificate_chain */) const { - return KM_ERROR_INCOMPATIBLE_ALGORITHM; - } - const AuthorizationSet& authorizations() const { return authorizations_; } protected: diff --git a/openssl_utils.h b/openssl_utils.h index 016aea8..db554cb 100644 --- a/openssl_utils.h +++ b/openssl_utils.h @@ -41,32 +41,41 @@ class EvpMdCtxCleaner { EVP_MD_CTX* ctx_; }; -template struct OpenSslObjectDeleter { - void operator()(T* p) { FreeFunc(p); } +struct EC_KEY_Delete { + void operator()(EC_KEY* p) { EC_KEY_free(p); } }; -#define DEFINE_OPENSSL_OBJECT_POINTER(name) \ - typedef OpenSslObjectDeleter name##_Delete; \ - typedef UniquePtr name##_Ptr; - -DEFINE_OPENSSL_OBJECT_POINTER(ASN1_INTEGER) -DEFINE_OPENSSL_OBJECT_POINTER(ASN1_OBJECT) -DEFINE_OPENSSL_OBJECT_POINTER(ASN1_OCTET_STRING) -DEFINE_OPENSSL_OBJECT_POINTER(ASN1_TIME) -DEFINE_OPENSSL_OBJECT_POINTER(BN_CTX); -DEFINE_OPENSSL_OBJECT_POINTER(EC_GROUP); -DEFINE_OPENSSL_OBJECT_POINTER(EC_KEY); -DEFINE_OPENSSL_OBJECT_POINTER(EC_POINT); -DEFINE_OPENSSL_OBJECT_POINTER(ENGINE); -DEFINE_OPENSSL_OBJECT_POINTER(EVP_PKEY); -DEFINE_OPENSSL_OBJECT_POINTER(PKCS8_PRIV_KEY_INFO); -DEFINE_OPENSSL_OBJECT_POINTER(RSA); -DEFINE_OPENSSL_OBJECT_POINTER(X509) -DEFINE_OPENSSL_OBJECT_POINTER(X509_EXTENSION) -DEFINE_OPENSSL_OBJECT_POINTER(X509_NAME) - -typedef OpenSslObjectDeleter BIGNUM_Delete; -typedef UniquePtr BIGNUM_Ptr; +struct EC_POINT_Delete { + void operator()(EC_POINT* p) { EC_POINT_free(p); } +}; + +struct EVP_PKEY_Delete { + void operator()(EVP_PKEY* p) const { EVP_PKEY_free(p); } +}; + +struct BIGNUM_Delete { + void operator()(BIGNUM* p) const { BN_free(p); } +}; + +struct BN_CTX_Delete { + void operator()(BN_CTX* p) const { BN_CTX_free(p); } +}; + +struct PKCS8_PRIV_KEY_INFO_Delete { + void operator()(PKCS8_PRIV_KEY_INFO* p) const { PKCS8_PRIV_KEY_INFO_free(p); } +}; + +struct RSA_Delete { + void operator()(RSA* p) { RSA_free(p); } +}; + +struct EC_GROUP_Delete { + void operator()(EC_GROUP* p) { EC_GROUP_free(p); } +}; + +struct ENGINE_Delete { + void operator()(ENGINE* p) { ENGINE_free(p); } +}; keymaster_error_t ec_get_group_size(const EC_GROUP* group, size_t* key_size_bits); EC_GROUP* ec_get_group(keymaster_ec_curve_t curve); -- cgit v1.2.3