1*789431f2SAndroid Build Coastguard Worker /*
2*789431f2SAndroid Build Coastguard Worker * Copyright 2015 The Android Open Source Project
3*789431f2SAndroid Build Coastguard Worker *
4*789431f2SAndroid Build Coastguard Worker * Licensed under the Apache License, Version 2.0 (the "License");
5*789431f2SAndroid Build Coastguard Worker * you may not use this file except in compliance with the License.
6*789431f2SAndroid Build Coastguard Worker * You may obtain a copy of the License at
7*789431f2SAndroid Build Coastguard Worker *
8*789431f2SAndroid Build Coastguard Worker * http://www.apache.org/licenses/LICENSE-2.0
9*789431f2SAndroid Build Coastguard Worker *
10*789431f2SAndroid Build Coastguard Worker * Unless required by applicable law or agreed to in writing, software
11*789431f2SAndroid Build Coastguard Worker * distributed under the License is distributed on an "AS IS" BASIS,
12*789431f2SAndroid Build Coastguard Worker * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13*789431f2SAndroid Build Coastguard Worker * See the License for the specific language governing permissions and
14*789431f2SAndroid Build Coastguard Worker * limitations under the License.
15*789431f2SAndroid Build Coastguard Worker */
16*789431f2SAndroid Build Coastguard Worker
17*789431f2SAndroid Build Coastguard Worker #include <keymaster/km_openssl/ecies_kem.h>
18*789431f2SAndroid Build Coastguard Worker
19*789431f2SAndroid Build Coastguard Worker #include <keymaster/km_openssl/nist_curve_key_exchange.h>
20*789431f2SAndroid Build Coastguard Worker #include <keymaster/km_openssl/openssl_err.h>
21*789431f2SAndroid Build Coastguard Worker
22*789431f2SAndroid Build Coastguard Worker namespace keymaster {
23*789431f2SAndroid Build Coastguard Worker
EciesKem(const AuthorizationSet & kem_description,keymaster_error_t * error)24*789431f2SAndroid Build Coastguard Worker EciesKem::EciesKem(const AuthorizationSet& kem_description, keymaster_error_t* error) {
25*789431f2SAndroid Build Coastguard Worker const AuthorizationSet& authorizations(kem_description);
26*789431f2SAndroid Build Coastguard Worker
27*789431f2SAndroid Build Coastguard Worker if (!authorizations.GetTagValue(TAG_EC_CURVE, &curve_)) {
28*789431f2SAndroid Build Coastguard Worker LOG_E("%s", "EciesKem: no curve specified");
29*789431f2SAndroid Build Coastguard Worker *error = KM_ERROR_INVALID_ARGUMENT;
30*789431f2SAndroid Build Coastguard Worker return;
31*789431f2SAndroid Build Coastguard Worker }
32*789431f2SAndroid Build Coastguard Worker
33*789431f2SAndroid Build Coastguard Worker switch (curve_) {
34*789431f2SAndroid Build Coastguard Worker case KM_EC_CURVE_P_224:
35*789431f2SAndroid Build Coastguard Worker case KM_EC_CURVE_P_256:
36*789431f2SAndroid Build Coastguard Worker case KM_EC_CURVE_P_384:
37*789431f2SAndroid Build Coastguard Worker case KM_EC_CURVE_P_521:
38*789431f2SAndroid Build Coastguard Worker break;
39*789431f2SAndroid Build Coastguard Worker default:
40*789431f2SAndroid Build Coastguard Worker LOG_E("EciesKem: curve %d is unsupported", curve_);
41*789431f2SAndroid Build Coastguard Worker *error = KM_ERROR_UNSUPPORTED_EC_CURVE;
42*789431f2SAndroid Build Coastguard Worker return;
43*789431f2SAndroid Build Coastguard Worker }
44*789431f2SAndroid Build Coastguard Worker
45*789431f2SAndroid Build Coastguard Worker keymaster_kdf_t kdf;
46*789431f2SAndroid Build Coastguard Worker if (!authorizations.GetTagValue(TAG_KDF, &kdf)) {
47*789431f2SAndroid Build Coastguard Worker LOG_E("EciesKem: No KDF specified");
48*789431f2SAndroid Build Coastguard Worker *error = KM_ERROR_UNSUPPORTED_KDF;
49*789431f2SAndroid Build Coastguard Worker return;
50*789431f2SAndroid Build Coastguard Worker }
51*789431f2SAndroid Build Coastguard Worker switch (kdf) {
52*789431f2SAndroid Build Coastguard Worker case KM_KDF_RFC5869_SHA256:
53*789431f2SAndroid Build Coastguard Worker kdf_.reset(new (std::nothrow) Rfc5869Sha256Kdf());
54*789431f2SAndroid Build Coastguard Worker break;
55*789431f2SAndroid Build Coastguard Worker default:
56*789431f2SAndroid Build Coastguard Worker LOG_E("Kdf %d is unsupported", kdf);
57*789431f2SAndroid Build Coastguard Worker *error = KM_ERROR_UNSUPPORTED_KDF;
58*789431f2SAndroid Build Coastguard Worker return;
59*789431f2SAndroid Build Coastguard Worker }
60*789431f2SAndroid Build Coastguard Worker if (!kdf_.get()) {
61*789431f2SAndroid Build Coastguard Worker *error = KM_ERROR_MEMORY_ALLOCATION_FAILED;
62*789431f2SAndroid Build Coastguard Worker return;
63*789431f2SAndroid Build Coastguard Worker }
64*789431f2SAndroid Build Coastguard Worker
65*789431f2SAndroid Build Coastguard Worker if (!authorizations.GetTagValue(TAG_KEY_SIZE, &key_bytes_to_generate_)) {
66*789431f2SAndroid Build Coastguard Worker LOG_E("%s", "EciesKem: no key length specified");
67*789431f2SAndroid Build Coastguard Worker *error = KM_ERROR_UNSUPPORTED_KEY_SIZE;
68*789431f2SAndroid Build Coastguard Worker return;
69*789431f2SAndroid Build Coastguard Worker }
70*789431f2SAndroid Build Coastguard Worker
71*789431f2SAndroid Build Coastguard Worker single_hash_mode_ = authorizations.GetTagValue(TAG_ECIES_SINGLE_HASH_MODE);
72*789431f2SAndroid Build Coastguard Worker *error = KM_ERROR_OK;
73*789431f2SAndroid Build Coastguard Worker }
74*789431f2SAndroid Build Coastguard Worker
Encrypt(const Buffer & peer_public_value,Buffer * output_clear_key,Buffer * output_encrypted_key)75*789431f2SAndroid Build Coastguard Worker bool EciesKem::Encrypt(const Buffer& peer_public_value, Buffer* output_clear_key,
76*789431f2SAndroid Build Coastguard Worker Buffer* output_encrypted_key) {
77*789431f2SAndroid Build Coastguard Worker return Encrypt(peer_public_value.peek_read(), peer_public_value.available_read(),
78*789431f2SAndroid Build Coastguard Worker output_clear_key, output_encrypted_key);
79*789431f2SAndroid Build Coastguard Worker }
80*789431f2SAndroid Build Coastguard Worker
81*789431f2SAndroid Build Coastguard Worker // http://www.shoup.net/iso/std6.pdf, section 10.2.3.
Encrypt(const uint8_t * peer_public_value,size_t peer_public_value_len,Buffer * output_clear_key,Buffer * output_encrypted_key)82*789431f2SAndroid Build Coastguard Worker bool EciesKem::Encrypt(const uint8_t* peer_public_value, size_t peer_public_value_len,
83*789431f2SAndroid Build Coastguard Worker Buffer* output_clear_key, Buffer* output_encrypted_key) {
84*789431f2SAndroid Build Coastguard Worker
85*789431f2SAndroid Build Coastguard Worker key_exchange_.reset(NistCurveKeyExchange::GenerateKeyExchange(curve_));
86*789431f2SAndroid Build Coastguard Worker if (!key_exchange_.get()) {
87*789431f2SAndroid Build Coastguard Worker return false;
88*789431f2SAndroid Build Coastguard Worker }
89*789431f2SAndroid Build Coastguard Worker
90*789431f2SAndroid Build Coastguard Worker Buffer shared_secret;
91*789431f2SAndroid Build Coastguard Worker if (!key_exchange_->CalculateSharedKey(peer_public_value, peer_public_value_len,
92*789431f2SAndroid Build Coastguard Worker &shared_secret)) {
93*789431f2SAndroid Build Coastguard Worker LOG_E("EciesKem: ECDH failed, can't obtain shared secret");
94*789431f2SAndroid Build Coastguard Worker return false;
95*789431f2SAndroid Build Coastguard Worker }
96*789431f2SAndroid Build Coastguard Worker if (!key_exchange_->public_value(output_encrypted_key)) {
97*789431f2SAndroid Build Coastguard Worker LOG_E("EciesKem: Can't obtain public value");
98*789431f2SAndroid Build Coastguard Worker return false;
99*789431f2SAndroid Build Coastguard Worker }
100*789431f2SAndroid Build Coastguard Worker
101*789431f2SAndroid Build Coastguard Worker Buffer z;
102*789431f2SAndroid Build Coastguard Worker if (single_hash_mode_) {
103*789431f2SAndroid Build Coastguard Worker // z is empty.
104*789431f2SAndroid Build Coastguard Worker } else {
105*789431f2SAndroid Build Coastguard Worker // z = C0
106*789431f2SAndroid Build Coastguard Worker z.Reinitialize(output_encrypted_key->peek_read(), output_encrypted_key->available_read());
107*789431f2SAndroid Build Coastguard Worker }
108*789431f2SAndroid Build Coastguard Worker
109*789431f2SAndroid Build Coastguard Worker Buffer actual_secret(z.available_read() + shared_secret.available_read());
110*789431f2SAndroid Build Coastguard Worker actual_secret.write(z.peek_read(), z.available_read());
111*789431f2SAndroid Build Coastguard Worker actual_secret.write(shared_secret.peek_read(), shared_secret.available_read());
112*789431f2SAndroid Build Coastguard Worker
113*789431f2SAndroid Build Coastguard Worker if (!kdf_->Init(actual_secret.peek_read(), actual_secret.available_read(), nullptr /* salt */,
114*789431f2SAndroid Build Coastguard Worker 0 /* salt_len */)) {
115*789431f2SAndroid Build Coastguard Worker LOG_E("EciesKem: KDF failed, can't derived keys");
116*789431f2SAndroid Build Coastguard Worker return false;
117*789431f2SAndroid Build Coastguard Worker }
118*789431f2SAndroid Build Coastguard Worker output_clear_key->Reinitialize(key_bytes_to_generate_);
119*789431f2SAndroid Build Coastguard Worker if (!kdf_->GenerateKey(nullptr /* info */, 0 /* info length */, output_clear_key->peek_write(),
120*789431f2SAndroid Build Coastguard Worker key_bytes_to_generate_)) {
121*789431f2SAndroid Build Coastguard Worker LOG_E("EciesKem: KDF failed, can't derived keys");
122*789431f2SAndroid Build Coastguard Worker return false;
123*789431f2SAndroid Build Coastguard Worker }
124*789431f2SAndroid Build Coastguard Worker output_clear_key->advance_write(key_bytes_to_generate_);
125*789431f2SAndroid Build Coastguard Worker
126*789431f2SAndroid Build Coastguard Worker return true;
127*789431f2SAndroid Build Coastguard Worker }
128*789431f2SAndroid Build Coastguard Worker
Decrypt(EC_KEY * private_key,const Buffer & encrypted_key,Buffer * output_key)129*789431f2SAndroid Build Coastguard Worker bool EciesKem::Decrypt(EC_KEY* private_key, const Buffer& encrypted_key, Buffer* output_key) {
130*789431f2SAndroid Build Coastguard Worker return Decrypt(private_key, encrypted_key.peek_read(), encrypted_key.available_read(),
131*789431f2SAndroid Build Coastguard Worker output_key);
132*789431f2SAndroid Build Coastguard Worker }
133*789431f2SAndroid Build Coastguard Worker
134*789431f2SAndroid Build Coastguard Worker // http://www.shoup.net/iso/std6.pdf, section 10.2.4.
Decrypt(EC_KEY * private_key,const uint8_t * encrypted_key,size_t encrypted_key_len,Buffer * output_key)135*789431f2SAndroid Build Coastguard Worker bool EciesKem::Decrypt(EC_KEY* private_key, const uint8_t* encrypted_key, size_t encrypted_key_len,
136*789431f2SAndroid Build Coastguard Worker Buffer* output_key) {
137*789431f2SAndroid Build Coastguard Worker
138*789431f2SAndroid Build Coastguard Worker keymaster_error_t error;
139*789431f2SAndroid Build Coastguard Worker key_exchange_.reset(new (std::nothrow) NistCurveKeyExchange(private_key, &error));
140*789431f2SAndroid Build Coastguard Worker if (!key_exchange_.get() || error != KM_ERROR_OK) {
141*789431f2SAndroid Build Coastguard Worker return false;
142*789431f2SAndroid Build Coastguard Worker }
143*789431f2SAndroid Build Coastguard Worker
144*789431f2SAndroid Build Coastguard Worker Buffer shared_secret;
145*789431f2SAndroid Build Coastguard Worker if (!key_exchange_->CalculateSharedKey(encrypted_key, encrypted_key_len, &shared_secret)) {
146*789431f2SAndroid Build Coastguard Worker LOG_E("EciesKem: ECDH failed, can't obtain shared secret");
147*789431f2SAndroid Build Coastguard Worker return false;
148*789431f2SAndroid Build Coastguard Worker }
149*789431f2SAndroid Build Coastguard Worker
150*789431f2SAndroid Build Coastguard Worker Buffer public_value;
151*789431f2SAndroid Build Coastguard Worker if (!key_exchange_->public_value(&public_value)) {
152*789431f2SAndroid Build Coastguard Worker LOG_E("%s", "EciesKem: Can't obtain public value");
153*789431f2SAndroid Build Coastguard Worker return false;
154*789431f2SAndroid Build Coastguard Worker }
155*789431f2SAndroid Build Coastguard Worker
156*789431f2SAndroid Build Coastguard Worker Buffer z;
157*789431f2SAndroid Build Coastguard Worker if (single_hash_mode_) {
158*789431f2SAndroid Build Coastguard Worker // z is empty.
159*789431f2SAndroid Build Coastguard Worker } else {
160*789431f2SAndroid Build Coastguard Worker // z = C0
161*789431f2SAndroid Build Coastguard Worker z.Reinitialize(public_value.peek_read(), public_value.available_read());
162*789431f2SAndroid Build Coastguard Worker }
163*789431f2SAndroid Build Coastguard Worker
164*789431f2SAndroid Build Coastguard Worker Buffer actual_secret(z.available_read() + shared_secret.available_read());
165*789431f2SAndroid Build Coastguard Worker actual_secret.write(z.peek_read(), z.available_read());
166*789431f2SAndroid Build Coastguard Worker actual_secret.write(shared_secret.peek_read(), shared_secret.available_read());
167*789431f2SAndroid Build Coastguard Worker
168*789431f2SAndroid Build Coastguard Worker if (!kdf_->Init(actual_secret.peek_read(), actual_secret.available_read(), nullptr /* salt */,
169*789431f2SAndroid Build Coastguard Worker 0 /* salt_len */)) {
170*789431f2SAndroid Build Coastguard Worker LOG_E("%s", "EciesKem: KDF failed, can't derived keys");
171*789431f2SAndroid Build Coastguard Worker return false;
172*789431f2SAndroid Build Coastguard Worker }
173*789431f2SAndroid Build Coastguard Worker
174*789431f2SAndroid Build Coastguard Worker output_key->Reinitialize(key_bytes_to_generate_);
175*789431f2SAndroid Build Coastguard Worker if (!kdf_->GenerateKey(nullptr /* info */, 0 /* info_len */, output_key->peek_write(),
176*789431f2SAndroid Build Coastguard Worker key_bytes_to_generate_)) {
177*789431f2SAndroid Build Coastguard Worker LOG_E("%s", "EciesKem: KDF failed, can't derived keys");
178*789431f2SAndroid Build Coastguard Worker return false;
179*789431f2SAndroid Build Coastguard Worker }
180*789431f2SAndroid Build Coastguard Worker output_key->advance_write(key_bytes_to_generate_);
181*789431f2SAndroid Build Coastguard Worker
182*789431f2SAndroid Build Coastguard Worker return true;
183*789431f2SAndroid Build Coastguard Worker }
184*789431f2SAndroid Build Coastguard Worker
185*789431f2SAndroid Build Coastguard Worker } // namespace keymaster
186